08-22-2015 08:11 PM - edited 03-05-2019 02:08 AM
From what I can tell, phase 1 completes, but phase 2 doesn't seem to be working.
10.0.100.0/23 <==> Mikrotik Router (aa.bbb.cc.ddd) <==Internet==> Cisco 2821 (ww.xxx.yy.zz) <==> 10.0.50.0/24
*Aug 23 03:37:14.497: ISAKMP: local port 500, remote port 500
*Aug 23 03:37:14.497: ISAKMP: set new node 0 to QM_IDLE
*Aug 23 03:37:14.497: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 513D19EC
*Aug 23 03:37:14.497: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
*Aug 23 03:37:14.497: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Aug 23 03:37:14.497: ISAKMP:(0):found peer pre-shared key matching aa.bbb.cc.ddd
*Aug 23 03:37:14.497: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Aug 23 03:37:14.497: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Aug 23 03:37:14.497: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Aug 23 03:37:14.497: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Aug 23 03:37:14.497: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Aug 23 03:37:14.497: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Aug 23 03:37:14.497: ISAKMP:(0): beginning Main Mode exchange
*Aug 23 03:37:14.497: ISAKMP:(0): sending packet to aa.bbb.cc.ddd my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 23 03:37:14.497: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Aug 23 03:37:14.541: ISAKMP (0): received packet from aa.bbb.cc.ddd dport 500 sport 500 Global (I) MM_NO_STATE
*Aug 23 03:37:14.541: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 23 03:37:14.541: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Aug 23 03:37:14.541: ISAKMP:(0): processing SA payload. message ID = 0
*Aug 23 03:37:14.541: ISAKMP:(0): processing vendor id payload
*Aug 23 03:37:14.541: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Aug 23 03:37:14.541: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Aug 23 03:37:14.541: ISAKMP:(0): processing vendor id payload
*Aug 23 03:37:14.541: ISAKMP:(0): vendor ID is DPD
*Aug 23 03:37:14.541: ISAKMP:(0):found peer pre-shared key matching aa.bbb.cc.ddd
*Aug 23 03:37:14.541: ISAKMP:(0): local preshared key found
*Aug 23 03:37:14.541: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Aug 23 03:37:14.541: ISAKMP: encryption AES-CBC
*Aug 23 03:37:14.541: ISAKMP: keylength of 256
*Aug 23 03:37:14.541: ISAKMP: hash SHA512
*Aug 23 03:37:14.541: ISAKMP: default group 14
*Aug 23 03:37:14.541: ISAKMP: auth pre-share
*Aug 23 03:37:14.541: ISAKMP: life type in seconds
*Aug 23 03:37:14.541: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Aug 23 03:37:14.541: ISAKMP:(0):atts are acceptable. Next payload is 0
*Aug 23 03:37:14.545: ISAKMP:(0):Acceptable atts:actual life: 0
*Aug 23 03:37:14.545: ISAKMP:(0):Acceptable atts:life: 0
*Aug 23 03:37:14.545: ISAKMP:(0):Fill atts in sa vpi_length:4
*Aug 23 03:37:14.545: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Aug 23 03:37:14.545: ISAKMP:(0):Returning Actual lifetime: 86400
*Aug 23 03:37:14.545: ISAKMP:(0)::Started lifetime timer: 86400.
*Aug 23 03:37:14.545: ISAKMP:(0): processing vendor id payload
*Aug 23 03:37:14.545: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Aug 23 03:37:14.545: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Aug 23 03:37:14.545: ISAKMP:(0): processing vendor id payload
*Aug 23 03:37:14.545: ISAKMP:(0): vendor ID is DPD
*Aug 23 03:37:14.545: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Aug 23 03:37:14.545: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Aug 23 03:37:14.545: ISAKMP:(0): sending packet to aa.bbb.cc.ddd my_port 500 peer_port 500 (I) MM_SA_SETUP
*Aug 23 03:37:14.545: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Aug 23 03:37:14.545: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Aug 23 03:37:14.545: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Aug 23 03:37:14.717: ISAKMP (0): received packet from aa.bbb.cc.ddd dport 500 sport 500 Global (I) MM_SA_SETUP
*Aug 23 03:37:14.717: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 23 03:37:14.717: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Aug 23 03:37:14.717: ISAKMP:(0): processing KE payload. message ID = 0
*Aug 23 03:37:14.781: ISAKMP:(0): processing NONCE payload. message ID = 0
*Aug 23 03:37:14.781: ISAKMP:(0):found peer pre-shared key matching aa.bbb.cc.ddd
*Aug 23 03:37:14.781: ISAKMP:received payload type 20
*Aug 23 03:37:14.781: ISAKMP (16444): His hash no match - this node outside NAT
*Aug 23 03:37:14.781: ISAKMP:received payload type 20
*Aug 23 03:37:14.781: ISAKMP (16444): No NAT Found for self or peer
*Aug 23 03:37:14.781: ISAKMP:(16444):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Aug 23 03:37:14.781: ISAKMP:(16444):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Aug 23 03:37:14.781: ISAKMP:(16444):Send initial contact
*Aug 23 03:37:14.781: ISAKMP:(16444):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Aug 23 03:37:14.781: ISAKMP (16444): ID payload next-payload : 8 type : 1 address : ww.xxx.yy.zz protocol : 17 port : 500 length : 12
*Aug 23 03:37:14.781: ISAKMP:(16444):Total payload length: 12
*Aug 23 03:37:14.785: ISAKMP:(16444): sending packet to aa.bbb.cc.ddd my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Aug 23 03:37:14.785: ISAKMP:(16444):Sending an IKE IPv4 Packet.
*Aug 23 03:37:14.785: ISAKMP:(16444):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Aug 23 03:37:14.785: ISAKMP:(16444):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Aug 23 03:37:14.849: ISAKMP (16444): received packet from aa.bbb.cc.ddd dport 500 sport 500 Global (I) MM_KEY_EXCH
*Aug 23 03:37:14.849: ISAKMP:(16444): processing ID payload. message ID = 0
*Aug 23 03:37:14.849: ISAKMP (16444): ID payload next-payload : 8 type : 1 address : aa.bbb.cc.ddd protocol : 17 port : 500 length : 12
*Aug 23 03:37:14.849: ISAKMP:(16444): processing HASH payload. message ID = 0
*Aug 23 03:37:14.849: ISAKMP:(16444):SA authentication status: authenticated
*Aug 23 03:37:14.849: ISAKMP:(16444):SA has been authenticated with aa.bbb.cc.ddd
*Aug 23 03:37:14.849: ISAKMP:(16444):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 23 03:37:14.849: ISAKMP:(16444):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Aug 23 03:37:14.849: ISAKMP:(16444):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Aug 23 03:37:14.849: ISAKMP:(16444):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Aug 23 03:37:14.849: ISAKMP:(16444):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Aug 23 03:37:14.849: ISAKMP:(16444):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Aug 23 03:37:14.853: ISAKMP:(16444):beginning Quick Mode exchange, M-ID of 1235091029
*Aug 23 03:37:14.853: ISAKMP:(16444):QM Initiator gets spi
*Aug 23 03:37:14.853: ISAKMP:(16444): sending packet to aa.bbb.cc.ddd my_port 500 peer_port 500 (I) QM_IDLE
*Aug 23 03:37:14.853: ISAKMP:(16444):Sending an IKE IPv4 Packet.
*Aug 23 03:37:14.853: ISAKMP:(16444):Node 1235091029, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Aug 23 03:37:14.853: ISAKMP:(16444):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Aug 23 03:37:14.853: ISAKMP:(16444):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Aug 23 03:37:14.853: ISAKMP:(16444):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Aug 23 03:37:14.901: ISAKMP (16444): received packet from aa.bbb.cc.ddd dport 500 sport 500 Global (I) QM_IDLE
*Aug 23 03:37:14.901: ISAKMP: set new node -1530625518 to QM_IDLE
*Aug 23 03:37:14.901: ISAKMP:(16444): processing HASH payload. message ID = 2764341778
*Aug 23 03:37:14.901: ISAKMP:(16444): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1 spi 0, message ID = 2764341778, sa = 0x513D19EC
*Aug 23 03:37:14.901: ISAKMP:(16444):peer does not do paranoid keepalives.
*Aug 23 03:37:14.901: ISAKMP:(16444):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer aa.bbb.cc.ddd)
*Aug 23 03:37:14.901: ISAKMP:(16444):deleting node -1530625518 error FALSE reason "Informational (in) state 1"
*Aug 23 03:37:14.901: ISAKMP:(16444):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Aug 23 03:37:14.901: ISAKMP:(16444):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Aug 23 03:37:14.901: ISAKMP: set new node 1793199253 to QM_IDLE
*Aug 23 03:37:14.901: ISAKMP:(16444): sending packet to aa.bbb.cc.ddd my_port 500 peer_port 500 (I) QM_IDLE
*Aug 23 03:37:14.901: ISAKMP:(16444):Sending an IKE IPv4 Packet.
*Aug 23 03:37:14.901: ISAKMP:(16444):purging node 1793199253
*Aug 23 03:37:14.901: ISAKMP:(16444):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Aug 23 03:37:14.901: ISAKMP:(16444):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Aug 23 03:37:14.905: ISAKMP:(16444):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer aa.bbb.cc.ddd)
*Aug 23 03:37:14.905: ISAKMP:(16444):deleting node 1235091029 error FALSE reason "IKE deleted"
*Aug 23 03:37:14.905: ISAKMP:(16444):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 23 03:37:14.905: ISAKMP:(16444):Old State = IKE_DEST_SA New State = IKE_DEST_SA
crypto isakmp policy 1
 encr aes 256
 hash sha512
 authentication pre-share
 group 14
crypto isakmp key 6 XXXXXXXXXX address aa.bbb.cc.ddd no-xauth
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set strong esp-aes 256 esp-sha-hmac
!
crypto map s2s-name 1 ipsec-isakmp
 set peer aa.bbb.cc.ddd
 set transform-set strong
 set pfs group16
 match address interesting
 reverse-route static
!
!
!
interface GigabitEthernet0/0
 description PrimaryWANDesc_
 ip ddns update namecheap
 ip address dhcp
 ip nat outside
 ip ips sdm_ips_rule in
 ip virtual-reassembly in
 duplex auto
 speed auto
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 dhcp client pd prefix-from-provider
 crypto map s2s-name
!
interface GigabitEthernet0/1
 ip address 10.0.50.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 ipv6 address prefix-from-provider ::1/64
 ipv6 enable
 no mop enabled
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list standard LAN-Addresses
 permit 10.0.50.0 0.0.0.255
ip access-list extended interesting
 permit ip 10.0.50.0 0.0.0.255 10.0.100.0 0.0.1.255
router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
ww.xxx.yy.zz    aa.bbb.cc.ddd   QM_IDLE          16445 ACTIVE
router#show crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: UP-IDLE
Peer: aa.bbb.cc.ddd port 500
  IKEv1 SA: local ww.xxx.yy.zz/500 remote aa.bbb.cc.ddd/500 Active
  IPSEC FLOW: permit ip 10.0.50.0/255.255.255.0 10.0.100.0/255.255.254.0
        Active SAs: 0, origin: crypto map
router#show crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: s2s-name, local addr ww.xxx.yy.zz

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.50.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.100.0/255.255.254.0/0/0)
   current_peer aa.bbb.cc.ddd port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: ww.xxx.yy.zz, remote crypto endpt.: aa.bbb.cc.ddd
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
09-04-2015 05:52 AM
I solved the problem: the phase 2 hash algorithm didn't match on the other side. Now all I have left is a routing issue on the other end.
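The debug output in the question shows the classic shape of this failure: main mode walks IKE_I_MM1 through IKE_I_MM6 to IKE_P1_COMPLETE, quick mode starts (IKE_QM_I_QM1), and the peer answers with NOTIFY PROPOSAL_NOT_CHOSEN, after which IOS tears the SA down (IKE_DEST_SA). The reply above confirms the cause was a phase 2 mismatch (the hash). The script below is an added example, not code from the thread or from Cisco: it parses `debug crypto isakmp` records of that shape, reads the transform-set and PFS group the crypto map offers, and reports whether the negotiation stopped in phase 1 or was rejected in phase 2, together with the local phase 2 parameters to compare against the peer. The sample debug lines and config fragment are constructed from the thread's own output (same placeholder peer address, same "Recevied" spelling as printed by IOS). The state name IKE_QM_PHASE2_COMPLETE for a successful quick mode is assumed from IOS debug output and does not appear on this page.

```python
import re

# Constructed sample: records in the shape of the thread's `debug crypto isakmp`
# output (placeholder peer address as on the page; "Recevied" is IOS's spelling).
SAMPLE_DEBUG = """\
*Aug 23 03:37:14.497: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Aug 23 03:37:14.541: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Aug 23 03:37:14.545: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Aug 23 03:37:14.717: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Aug 23 03:37:14.785: ISAKMP:(16444):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Aug 23 03:37:14.849: ISAKMP:(16444):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Aug 23 03:37:14.849: ISAKMP:(16444):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Aug 23 03:37:14.853: ISAKMP:(16444):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Aug 23 03:37:14.901: ISAKMP:(16444): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1 spi 0, message ID = 2764341778, sa = 0x513D19EC
*Aug 23 03:37:14.901: ISAKMP:(16444):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer aa.bbb.cc.ddd)
*Aug 23 03:37:14.901: ISAKMP:(16444):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
"""

# Constructed sample: the phase 2 relevant lines of the thread's running config.
SAMPLE_CONFIG = """\
crypto ipsec transform-set strong esp-aes 256 esp-sha-hmac
crypto map s2s-name 1 ipsec-isakmp
 set peer aa.bbb.cc.ddd
 set transform-set strong
 set pfs group16
 match address interesting
"""

STATE_RE = re.compile(r"ISAKMP:\((\d+)\):Old State = (\S+) New State = (\S+)")
NOTIFY_RE = re.compile(r"processing NOTIFY (\S+) protocol (\d+)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)"')


def parse_isakmp_debug(text):
    """Pull state transitions, NOTIFY payloads and SA deletions out of debug text."""
    parsed = {"transitions": [], "notifies": [], "deletes": []}
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            parsed["transitions"].append((int(m.group(1)), m.group(2), m.group(3)))
        elif m := NOTIFY_RE.search(line):
            parsed["notifies"].append((m.group(1), int(m.group(2))))
        elif m := DELETE_RE.search(line):
            parsed["deletes"].append(m.group(1))
    return parsed


def local_phase2_proposal(config_text):
    """Read the transform-set and PFS group that the crypto map offers in quick mode."""
    ts = re.search(r"^crypto ipsec transform-set (\S+) (.+)$", config_text, re.M)
    pfs = re.search(r"^\s*set pfs (\S+)$", config_text, re.M)
    return {
        "transform_set": ts.group(1) if ts else None,
        "transforms": ts.group(2).split() if ts else [],
        "pfs": pfs.group(1) if pfs else None,
    }


def diagnose(parsed, proposal):
    """Classify where the negotiation stopped and list what to compare with the peer."""
    reached = [new for _, _, new in parsed["transitions"]]
    phase1_done = "IKE_P1_COMPLETE" in reached
    qm_started = "IKE_QM_I_QM1" in reached
    rejected = any(name == "PROPOSAL_NOT_CHOSEN" for name, _ in parsed["notifies"])
    if not phase1_done:
        return {"phase1": "incomplete", "phase2": "not attempted",
                "check": ["isakmp policy (encr/hash/group/lifetime)",
                          "pre-shared key", "peer identity"]}
    if qm_started and rejected:
        # Peer accepted phase 1 but refused the quick mode proposal: every phase 2
        # parameter is a candidate, the thread's case was the hash.
        return {"phase1": "complete", "phase2": "proposal rejected by peer",
                "sa_torn_down": "IKE_DEST_SA" in reached,
                "check": [f"transform-set {proposal['transform_set']}: "
                          f"{' '.join(proposal['transforms'])} vs peer's phase 2 encryption/hash",
                          f"PFS {proposal['pfs']} vs peer's phase 2 DH group",
                          "phase 2 lifetime",
                          "proxy IDs (match address ACL) vs peer's policy selectors"]}
    if "IKE_QM_PHASE2_COMPLETE" in reached:  # assumed IOS state name for a finished QM
        return {"phase1": "complete", "phase2": "complete", "check": []}
    return {"phase1": "complete", "phase2": "unknown", "check": ["collect more debug output"]}


if __name__ == "__main__":
    result = diagnose(parse_isakmp_debug(SAMPLE_DEBUG), local_phase2_proposal(SAMPLE_CONFIG))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Feed it the full `debug crypto isakmp` capture plus the crypto section of `show running-config`; the checklist it prints for the phase 2 case is exactly the set of values (transform-set encryption and hash, PFS group, lifetime, proxy IDs) to line up against the peer's phase 2 policy.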