07-16-2012 04:53 PM - edited 03-04-2019 04:59 PM
Hi guys,
My router is a Cisco 2811 with IOS version 12.4(22)T1. It had established IPSec with another peer (203.*.*.250, shown below) for a long time, until recently we made it re-establish the IPSec VPN with another peer (203.*.*.30, shown below). It shows that the new SA is active, but the output still shows 4 deleted SAs. The 4 obsolete SA entries won't vanish no matter what I do, i.e. resetting the interface, re-creating the crypto map, clearing all SAs, etc.
From numerous tests we know that the VPN doesn't work even though the desired SA is there and remains active. I reckon it has something to do with those deleted SAs (I mean it is supposed to show only the last one if it is working fine). I don't know how it came to be like this, as we did pretty much the same thing on other VPN routers with no problems.
The relevant configuration is here:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
crypto isakmp key 6 r3D4xwwR$m address 203.*.*.30
!
!
crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 203.*.*.30
set transform-set ESP_3DES_SHA
match address 105
!
access-list 105 permit ip 192.168.21.0 0.0.0.255 any
Please help! Thanks!
Regards,
Alex
07-18-2012 01:06 AM
Alex,
Thanks for confirming back! Have you checked the FW rules, i.e. whether UDP port 500 is open on the Fortigate for the peering IP of the 2811?
Sent from Cisco Technical Support iPhone App
07-16-2012 04:57 PM
By the way, on the other end, the peer (a firewall working as VPN concentrator) of this IPSec VPN indicates that this VPN is up and running.
07-16-2012 06:21 PM
hi alex,
kindly post the config of the remote FW/VPN device.
perform a 'clear crypto sa' on your 2811 and try to send a ping from a host on the 192.168.21.0/24 subnet towards a LAN IP on the remote side.
post both show crypto isakmp sa and show crypto ipsec sa commands from your 2811 afterwards.
07-16-2012 06:28 PM
Hi John,
Thanks for your reply. Firstly, the FW/VPN device is a Fortigate device which has set up another 3 similar IPSec VPNs with other routers at the other sites; only this one got a problem after peering with this firewall. I've done what you instructed, please see the output:
router#clear crypto sa
router#ping 192.168.68.88 source 192.168.21.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.68.88, timeout is 2 seconds:
Packet sent with a source address of 192.168.21.1
.....
Success rate is 0 percent (0/5)
router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
123.209.169.23 203.*.*.250 MM_NO_STATE 0 ACTIVE (deleted)
123.209.169.23 203.*.*.250 MM_NO_STATE 0 ACTIVE (deleted)
123.209.169.23 203.*.*.250 MM_NO_STATE 0 ACTIVE (deleted)
123.209.169.23 203.*.*.250 MM_NO_STATE 0 ACTIVE (deleted)
123.209.169.23 203.*.*.30 QM_IDLE 1143 ACTIVE
IPv6 Crypto ISAKMP SA
router#sh crypto ipsec sa
PFS (Y/N): Y, DH group: group1
PFS (Y/N): Y, DH group: group1
interface: Dialer1
Crypto map tag: VPN, local addr 123.209.169.23
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.21.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 203.*.*.30 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 123.209.169.23, remote crypto endpt.: 203.*.*.30
path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
current outbound spi: 0x8DDB100E(2379943950)
inbound esp sas:
spi: 0x3861CB(3695051)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3099, flow_id: NETGX:1099, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4424991/1773)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x8DDB100E(2379943950)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3100, flow_id: NETGX:1100, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4424990/1773)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: Cellular0/3/0
Crypto map tag: VPN, local addr 123.209.169.23
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.21.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 203.*.*.30 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 123.209.169.23, remote crypto endpt.: 203.*.*.30
path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
current outbound spi: 0x8DDB100E(2379943950)
inbound esp sas:
spi: 0x3861CB(3695051)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3099, flow_id: NETGX:1099, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4424991/1773)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x8DDB100E(2379943950)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3100, flow_id: NETGX:1100, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4424990/1773)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Cheers.
Regards,
Alex
07-16-2012 06:49 PM
hi alex,
thanks for the update! could you post the 2811 running-config (remove sensitive info)?
it would be helpful to see the remote device's VPN config (IKE policies) for troubleshooting. VPN errors are most of the time due to config issues. also, when you re-created the VPN on the router, did you issue the command 'crypto isakmp enable' from global config mode?
2811(config)#crypto isakmp enable
07-16-2012 06:58 PM
Hi John,
I tried the command crypto isakmp enable but the result of show crypto isakmp sa is still the same. Anyway, I'll post the config here:
router#sh run
Building configuration...
Current configuration : 7439 bytes
!
! Last configuration change at 01:51:52 UTC Tue Jul 17 2012 by alexadmin
! NVRAM config last updated at 10:42:33 UTC Tue Jul 10 2012 by alexadmin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login default group radius local
aaa authentication login console-auth local
aaa authorization exec default group radius local
!
!
aaa session-id common
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip host members.dyndns.org 204.*.*.112
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw icmp
ip ddns update method cheltddns
HTTP
add http://*:*@members.dyndns.org/nic/update?hostname=*&myip=*@members.dyndns.org/nic/update?hostname=*&myip=
interval maximum 28 0 0 0
interval minimum 28 0 0 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
chat-script internet "" "*" TIMEOUT 30 "CONNECT"
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
crypto pki trustpoint TP-self-signed-3295771654
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3295771654
revocation-check none
rsakeypair TP-self-signed-3295771654
!
!
crypto pki certificate chain TP-self-signed-3295771654
certificate self-signed 01
quit
!
!
username root privilege 15 password 7 09601F0D0F55460219
archive
log config
hidekeys
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
crypto isakmp key 6 r3D4xwwR$m address 203.*.*.30
!
!
crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 203.*.*.30
set transform-set ESP_3DES_SHA
match address 105
!
!
!
!
track 1 ip sla 1 reachability
delay down 180 up 60
!
track 2 ip sla 2 reachability
delay down 60 up 60
!
!
!
!
interface FastEthernet0/0
ip address 172.28.8.13 255.255.255.0
ip flow egress
duplex full
speed 100
!
interface FastEthernet0/1
bandwidth 2048
ip address 192.168.21.1 255.255.255.0
ip helper-address 192.168.20.3
ip flow egress
ip nat inside
no ip virtual-reassembly
duplex full
speed 100
!
interface ATM0/2/0
no ip address
no atm ilmi-keepalive
dsl bitswap both
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface Cellular0/3/0
no ip address
ip nat outside
ip virtual-reassembly
encapsulation ppp
load-interval 60
dialer in-band
dialer pool-member 1
dialer-group 1
async mode interactive
crypto map VPN
!
interface Dialer1
ip ddns update hostname *.dyndns.org
ip ddns update cheltddns
ip address negotiated
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer string internet
dialer persistent
dialer-group 1
ppp chap hostname ""
ppp chap password 7 08630E
crypto map VPN
!
interface Dialer2
description ADSL2+
ip address negotiated
ip access-group 104 in
ip flow egress
ip nat outside
ip inspect myfw out
ip virtual-reassembly
encapsulation ppp
dialer pool 2
dialer idle-timeout 0
dialer persistent
dialer-group 2
ppp chap hostname *@dsl.*
ppp chap password 7 121B0816000A0A0F27
!
router ospf 100
router-id 13.13.13.13
log-adjacency-changes
redistribute connected subnets route-map OSPFRedi
network 172.28.8.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1 200
ip route 192.168.68.33 255.255.255.255 Dialer1
ip route 192.168.68.88 255.255.255.255 Dialer1
ip route 203.*.*.30 255.255.255.255 Dialer1
ip route 203.*.*.250 255.255.255.255 Dialer1
ip route 204.13.248.112 255.255.255.255 Dialer1
ip http server
ip http authentication aaa login-authentication default
ip http secure-server
!
ip flow-cache timeout inactive 250
ip flow-export source FastEthernet0/1
ip flow-export version 5
ip flow-export destination 192.168.66.130 9996
!
ip nat inside source list 103 interface Dialer1 overload
!
ip radius source-interface FastEthernet0/1
ip sla 2
icmp-echo 8.8.8.8 source-interface Dialer2
timeout 1500
frequency 5
ip sla schedule 2 life forever start-time now
logging facility local5
access-list 5 permit 192.168.21.0 0.0.0.255
access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 deny ip 192.168.20.0 0.0.0.255 172.28.1.0 0.0.0.15
access-list 101 deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 102 permit ip 192.168.20.0 0.0.0.255 any
access-list 103 deny ip 192.168.21.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 103 deny ip 192.168.21.0 0.0.0.255 172.28.0.0 0.0.255.255
access-list 103 deny ip 192.168.21.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 103 permit ip 192.168.21.0 0.0.0.255 any
access-list 104 deny tcp any any
access-list 104 deny udp any any
access-list 104 permit icmp any any echo
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any packet-too-big
access-list 104 permit icmp any any traceroute
access-list 104 permit icmp any any unreachable
access-list 105 permit ip 192.168.21.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community GraysPriv RO 20
snmp-server ifindex persist
snmp-server host 192.168.66.130 version 2c GraysPriv
!
!
!
!
route-map OSPFRedi permit 10
match ip address 5
!
!
!
radius-server host 192.168.66.2 auth-port 1645 acct-port 1646 key 7 107A214A3743161E0551
!
control-plane
!
!
!
voice-port 0/0/0
!
voice-port 0/0/1
!
voice-port 0/0/2
!
voice-port 0/0/3
!
ccm-manager fax protocol cisco
!
mgcp fax t38 ecm
!
!
!
!
!
!
line con 0
login authentication console-auth
line aux 0
line 0/3/0
exec-timeout 0 0
script dialer internet
no exec
transport input all
rxspeed 3600000
txspeed 384000
line vty 0 4
exec-timeout 0 0
!
scheduler allocate 20000 1000
ntp server 192.168.66.2
end
Thanks very much!
Regards,
Alex
07-16-2012 07:08 PM
And a portion of the debugging output of debug crypto isakmp is here:
641068: Jul 17 01:01:02.352: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 203.*.*.250)
641069: Jul 17 01:01:02.352: ISAKMP: Unlocking peer struct 0x4A0A1934 for isadb_mark_sa_deleted(), count 0
641070: Jul 17 01:01:02.352: ISAKMP: Deleting peer node by peer_reap for 203.*.*.250: 4A0A1934
641071: Jul 17 01:01:02.356: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
641072: Jul 17 01:01:02.356: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
641073: Jul 17 01:01:02.356: ISAKMP:(0):purging SA., sa=49CDF344, delme=49CDF344
641074: Jul 17 01:01:02.356: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 203.*.*.250)
641075: Jul 17 01:01:02.356: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
641076: Jul 17 01:01:02.356: ISAKMP:(0):Old State = IKE_DEST_SA New State = IKE_DEST_SA
641077: Jul 17 01:01:05.920: ISAKMP:(1143):purging node 1283483346
641078: Jul 17 01:01:06.488: ISAKMP (1143): received packet from 203.*.*.30 dport 500 sport 500 Global (R) QM_IDLE
641079: Jul 17 01:01:06.488: ISAKMP: set new node -809730676 to QM_IDLE
641080: Jul 17 01:01:06.488: ISAKMP:(1143): processing HASH payload. message ID = -809730676
641081: Jul 17 01:01:06.488: ISAKMP:(1143): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -809730676, sa = 4A10A708
641082: Jul 17 01:01:06.488: ISAKMP:(1143):deleting node -809730676 error FALSE reason "Informational (in) state 1"
641083: Jul 17 01:01:06.488: ISAKMP:(1143):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
641084: Jul 17 01:01:06.488: ISAKMP:(1143):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
641085: Jul 17 01:01:06.492: ISAKMP:(1143):DPD/R_U_THERE received from peer 203.*.*.30, sequence 0x1879E
641086: Jul 17 01:01:06.492: ISAKMP: set new node 640495429 to QM_IDLE
641087: Jul 17 01:01:06.492: ISAKMP:(1143):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 1211805536, message ID = 640495429
641088: Jul 17 01:01:06.492: ISAKMP:(1143): seq. no 0x1879E
641089: Jul 17 01:01:06.492: ISAKMP:(1143): sending packet to 203.*.*.30 my_port 500 peer_port 500 (R) QM_IDLE
641090: Jul 17 01:01:06.492: ISAKMP:(1143):Sending an IKE IPv4 Packet.
641091: Jul 17 01:01:06.492: ISAKMP:(1143):purging node 640495429
641092: Jul 17 01:01:06.492: ISAKMP:(1143):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
641093: Jul 17 01:01:06.492: ISAKMP:(1143):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
641094: Jul 17 01:01:08.380: ISAKMP (0): received packet from 203.*.*.250 dport 500 sport 500 Global (R) MM_NO_STATE
641095: Jul 17 01:01:11.460: ISAKMP:(1143):purging node -1289646938
641096: Jul 17 01:01:12.181: ISAKMP (1143): received packet from 203.*.*.30 dport 500 sport 500 Global (R) QM_IDLE
641097: Jul 17 01:01:12.181: ISAKMP: set new node 438076132 to QM_IDLE
641098: Jul 17 01:01:12.181: ISAKMP:(1143): processing HASH payload. message ID = 438076132
641099: Jul 17 01:01:12.181: ISAKMP:(1143): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 438076132, sa = 4A10A708
641100: Jul 17 01:01:12.181: ISAKMP:(1143):deleting node 438076132 error FALSE reason "Informational (in) state 1"
641101: Jul 17 01:01:12.181: ISAKMP:(1143):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
641102: Jul 17 01:01:12.181: ISAKMP:(1143):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
641103: Jul 17 01:01:12.185: ISAKMP:(1143):DPD/R_U_THERE received from peer 203.*.*.30, sequence 0x1879F
641104: Jul 17 01:01:12.185: ISAKMP: set new node -846002752 to QM_IDLE
641105: Jul 17 01:01:12.185: ISAKMP:(1143):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 1211805536, message ID = -846002752
641106: Jul 17 01:01:12.185: ISAKMP:(1143): seq. no 0x1879F
641107: Jul 17 01:01:12.185: ISAKMP:(1143): sending packet to 203.*.*.30 my_port 500 peer_port 500 (R) QM_IDLE
641108: Jul 17 01:01:12.185: ISAKMP:(1143):Sending an IKE IPv4 Packet.
641109: Jul 17 01:01:12.185: ISAKMP:(1143):purging node -846002752
641110: Jul 17 01:01:12.189: ISAKMP:(1143):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
641111: Jul 17 01:01:12.189: ISAKMP:(1143):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
641112: Jul 17 01:01:17.013: ISAKMP:(1143):purging node -730203910
641113: Jul 17 01:01:17.357: ISAKMP:(0):purging SA., sa=4A2D442C, delme=4A2D442C
641114: Jul 17 01:01:17.409: ISAKMP (0): received packet from 203.*.*.250 dport 500 sport 500 Global (N) NEW SA
641115: Jul 17 01:01:17.409: ISAKMP: Created a peer struct for 203.*.*.250, peer port 500
641116: Jul 17 01:01:17.409: ISAKMP: New peer created peer = 0x4A0AE4DC peer_handle = 0x80013F42
641117: Jul 17 01:01:17.409: ISAKMP: Locking peer struct 0x4A0AE4DC, refcount 1 for crypto_isakmp_process_block
641118: Jul 17 01:01:17.409: ISAKMP: local port 500, remote port 500
641119: Jul 17 01:01:17.409: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 4A2D442C
641120: Jul 17 01:01:17.409: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
641121: Jul 17 01:01:17.409: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
641122: Jul 17 01:01:17.413: ISAKMP:(0): processing SA payload. message ID = 0
641123: Jul 17 01:01:17.413: ISAKMP:(0): processing vendor id payload
641124: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
641125: Jul 17 01:01:17.413: ISAKMP (0): vendor ID is NAT-T RFC 3947
641126: Jul 17 01:01:17.413: ISAKMP:(0): processing vendor id payload
641127: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
641128: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID is NAT-T v3
641129: Jul 17 01:01:17.413: ISAKMP:(0): processing vendor id payload
641130: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
641131: Jul 17 01:01:17.413: ISAKMP:(0): processing vendor id payload
641132: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
641133: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID is NAT-T v2
641134: Jul 17 01:01:17.413: ISAKMP:(0): processing vendor id payload
641135: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID seems Unity/DPD but major 168 mismatch
641136: Jul 17 01:01:17.413: ISAKMP:(0): processing vendor id payload
641137: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
641138: Jul 17 01:01:17.413: ISAKMP:(0): processing vendor id payload
641139: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID is DPD
641140: Jul 17 01:01:17.413: ISAKMP:(0): processing vendor id payload
641141: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID seems Unity/DPD but major 2 mismatch
641142: Jul 17 01:01:17.413: ISAKMP:(0):No pre-shared key with 203.*.*.250!
641143: Jul 17 01:01:17.413: ISAKMP : Scanning profiles for xauth ...
641144: Jul 17 01:01:17.413: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
641145: Jul 17 01:01:17.413: ISAKMP: life type in seconds
641146: Jul 17 01:01:17.413: ISAKMP: life duration (basic) of 28800
641147: Jul 17 01:01:17.413: ISAKMP: encryption 3DES-CBC
641148: Jul 17 01:01:17.413: ISAKMP: auth pre-share
641149: Jul 17 01:01:17.413: ISAKMP: hash SHA
641150: Jul 17 01:01:17.413: ISAKMP: default group 5
641151: Jul 17 01:01:17.413: ISAKMP:(0):Preshared authentication offered but does not match policy!
641152: Jul 17 01:01:17.417: ISAKMP:(0):atts are not acceptable. Next payload is 0
641153: Jul 17 01:01:17.417: ISAKMP:(0):no offers accepted!
641154: Jul 17 01:01:17.417: ISAKMP:(0): phase 1 SA policy not acceptable! (local 123.209.169.23 remote 203.*.*.250)
641155: Jul 17 01:01:17.417: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
641156: Jul 17 01:01:17.417: ISAKMP:(0): Failed to construct AG informational message.
641157: Jul 17 01:01:17.417: ISAKMP:(0): sending packet to 203.*.*.250 my_port 500 peer_port 500 (R) MM_NO_STATE
641158: Jul 17 01:01:17.417: ISAKMP:(0):Sending an IKE IPv4 Packet.
641159: Jul 17 01:01:17.417: ISAKMP:(0):peer does not do paranoid keepalives.
641160: Jul 17 01:01:17.417: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 203.*.*.250)
641161: Jul 17 01:01:17.417: ISAKMP:(0): processing vendor id payload
641162: Jul 17 01:01:17.417: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
641163: Jul 17 01:01:17.417: ISAKMP (0): vendor ID is NAT-T RFC 3947
641164: Jul 17 01:01:17.417: ISAKMP:(0): processing vendor id payload
641165: Jul 17 01:01:17.417: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
641166: Jul 17 01:01:17.417: ISAKMP:(0): vendor ID is NAT-T v3
641167: Jul 17 01:01:17.417: ISAKMP:(0): processing vendor id payload
641168: Jul 17 01:01:17.417: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
641169: Jul 17 01:01:17.417: ISAKMP:(0): processing vendor id payload
641170: Jul 17 01:01:17.417: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
641171: Jul 17 01:01:17.417: ISAKMP:(0): vendor ID is NAT-T v2
641172: Jul 17 01:01:17.417: ISAKMP:(0): processing vendor id payload
641173: Jul 17 01:01:17.417: ISAKMP:(0): vendor ID seems Unity/DPD but major 168 mismatch
641174: Jul 17 01:01:17.421: ISAKMP:(0): processing vendor id payload
641175: Jul 17 01:01:17.421: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
641176: Jul 17 01:01:17.421: ISAKMP:(0): processing vendor id payload
641177: Jul 17 01:01:17.421: ISAKMP:(0): vendor ID is DPD
641178: Jul 17 01:01:17.421: ISAKMP:(0): processing vendor id payload
641179: Jul 17 01:01:17.421: ISAKMP:(0): vendor ID seems Unity/DPD but major 2 mismatch
641180: Jul 17 01:01:17.421: ISAKMP (0): FSM action returned error: 2
641181: Jul 17 01:01:17.421: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
641182: Jul 17 01:01:17.421: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
641183: Jul 17 01:01:17.421: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 203.*.*.250)
641184: Jul 17 01:01:17.421: ISAKMP: Unlocking peer struct 0x4A0AE4DC for isadb_mark_sa_deleted(), count 0
641185: Jul 17 01:01:17.421: ISAKMP: Deleting peer node by peer_reap for 203.*.*.250: 4A0AE4DC
641186: Jul 17 01:01:17.421: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
641187: Jul 17 01:01:17.421: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
641188: Jul 17 01:01:17.425: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 203.*.*.250)
641189: Jul 17 01:01:17.425: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
641190: Jul 17 01:01:17.425: ISAKMP:(0):Old State = IKE_DEST_SA New State = IKE_DEST_SA
641191: Jul 17 01:01:17.829: ISAKMP (1143): received packet from 203.*.*.30 dport 500 sport 500 Global (R) QM_IDLE
641192: Jul 17 01:01:17.829: ISAKMP: set new node -2063194255 to QM_IDLE
641193: Jul 17 01:01:17.829: ISAKMP:(1143): processing HASH payload. message ID = -2063194255
641194: Jul 17 01:01:17.829: ISAKMP:(1143): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -2063194255, sa = 4A10A708
641195: Jul 17 01:01:17.829: ISAKMP:(1143):deleting node -2063194255 error FALSE reason "Informational (in) state 1"
641196: Jul 17 01:01:17.829: ISAKMP:(1143):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
641197: Jul 17 01:01:17.829: ISAKMP:(1143):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
641198: Jul 17 01:01:17.829: ISAKMP:(1143):DPD/R_U_THERE received from peer 203.*.*.30, sequence 0x187A0
641199: Jul 17 01:01:17.833: ISAKMP: set new node -2050772453 to QM_IDLE
641200: Jul 17 01:01:17.833: ISAKMP:(1143):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 1211805536, message ID = -2050772453
641201: Jul 17 01:01:17.833: ISAKMP:(1143): seq. no 0x187A0ryp
Sandringham_VPLS#no debug crypto
641202: Jul 17 01:01:17.833: ISAKMP:(1143): sending packet to 203.*.*.30 my_port 500 peer_port 500 (R) QM_IDLE
641203: Jul 17 01:01:17.833: ISAKMP:(1143):Sending an IKE IPv4 Packet.
641204: Jul 17 01:01:17.833: ISAKMP:(1143):purging node -2050772453
641205: Jul 17 01:01:17.833: ISAKMP:(1143):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
641206: Jul 17 01:01:17.833: ISAKMP:(1143):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
07-16-2012 07:41 PM
hi alex,
based on your debugs, i noticed 203.*.*.250 is still trying to establish IKE phase 1 with the remote peer but was rejected.
641068: Jul 17 01:01:02.352: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 203.*.*.250)
on the other hand, the new 203.*.*.30 has successfully established IKE phase 1.
IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
could you retest your VPN connectivity and issue a 'debug crypto ipsec' (for IKE phase 2) and post it here? i would appreciate it if you could also post the relevant VPN config from your FW/VPN device as well.
07-16-2012 07:57 PM
Hi John,
Thanks for your reply. I've reset the interface and the debugging result is here:
router(config-if)#do debug crypto ipsec
Crypto IPSEC debugging is on
router(config-if)#no shut
router(config-if)#end
router#
641220: Jul 17 02:45:15.233: %LINK-3-UPDOWN: Interface Dialer1, changed state to up
641221: Jul 17 02:45:16.381: %SYS-5-CONFIG_I: Configured from console by alexadmin on vty0 (192.168.66.233)
641222: Jul 17 02:45:16.481: %LINK-3-UPDOWN: Interface Cellular0/3/0, changed state to up
641223: Jul 17 02:45:16.481: %DIALER-6-BIND: Interface Ce0/3/0 bound to profile Di1
641224: Jul 17 02:45:17.497: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0/3/0, changed state to up
641225: Jul 17 02:45:19.265: IPSEC(recalculate_mtu): reset sadb_root 49B5E178 mtu to 1500
641226: Jul 17 02:46:32.099: IPSEC(key_engine): got a queue event with 1 KMI message(s)
641227: Jul 17 02:46:34.247: IPSEC(validate_proposal_request): proposal part #1
641228: Jul 17 02:46:34.247: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 123.209.60.106, remote= 203.*.*.250,
local_proxy= 192.168.21.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
641229: Jul 17 02:46:34.247: IPSEC(ipsec_process_proposal): proxy identities not supported
641230: Jul 17 02:46:34.419: IPSEC(key_engine): got a queue event with 1 KMI message(s)
641231: Jul 17 02:46:36.159: IPSEC(validate_proposal_request): proposal part #1
641232: Jul 17 02:46:36.159: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 123.209.60.106, remote= 203.*.*.30,
local_proxy= 192.168.21.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
641233: Jul 17 02:46:36.159: IPSEC(ipsec_process_proposal): proxy identities not supported
641234: Jul 17 02:47:36.868: IPSEC(key_engine): got a queue event with 1 KMI message(s)
641235: Jul 17 02:47:38.172: IPSEC(key_engine): got a queue event with 1 KMI message(s)
641236: Jul 17 02:47:38.860: IPSEC(key_engine): got a queue event with 1 KMI message(s)
641237: Jul 17 02:47:39.196: IPSEC(validate_proposal_request): proposal part #1
641238: Jul 17 02:47:39.196: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 123.209.60.106, remote= 203.*.*.250,
local_proxy= 192.168.21.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
641239: Jul 17 02:47:39.196: IPSEC(ipsec_process_proposal): proxy identities not supported
641240: Jul 17 02:47:41.168: IPSEC(validate_proposal_request): proposal part #1
641241: Jul 17 02:47:41.168: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 123.209.60.106, remote= 203.*.*.30,
local_proxy= 192.168.21.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
641242: Jul 17 02:47:41.168: IPSEC(ipsec_process_proposal): proxy identities not supported
641243: Jul 17 02:48:41.202: IPSEC(key_engine): got a queue event with 1 KMI message(s)
641244: Jul 17 02:48:41.890: IPSEC(key_engine): got a queue event with 1 KMI message(s)
641245: Jul 17 02:48:43.170: IPSEC(key_engine): got a queue event with 1 KMI message(s)
641246: Jul 17 02:48:43.858: IPSEC(key_engine): got a queue event with 1 KMI message(s)
641247: Jul 17 02:48:44.210: IPSEC(validate_proposal_request): proposal part #1
641248: Jul 17 02:48:44.210: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 123.209.60.106, remote= 203.*.*.250,
local_proxy= 192.168.21.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
641249: Jul 17 02:48:44.210: IPSEC(ipsec_process_proposal): proxy identities not supported
641250: Jul 17 02:48:46.170: IPSEC(validate_proposal_request): proposal part #1
641251: Jul 17 02:48:46.170: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 123.209.60.106, remote= 203.*.*.30,
local_proxy= 192.168.21.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
641252: Jul 17 02:48:46.170: IPSEC(ipsec_process_proposal): proxy identities not supported
On the other hand, I'll post the screenshot of the VPN config in the next reply.
07-16-2012 08:02 PM
[screenshot: firewall configuration of phase 1]
[screenshot: firewall configuration of phase 2]
regards,
Alex
07-16-2012 08:41 PM
alex,
thanks for the debug output and fortigate config screenshot. observing the debug output, it appears an ACL (for IPSEC traffic) could be your issue.
641242: Jul 17 02:47:41.168: IPSEC(ipsec_process_proposal): proxy identities not supported
could you re-configure your device ACLs as below:
2811:
no access-list 105
access-list 105 permit ip 192.168.21.0 0.0.0.255 192.168.68.0 0.0.0.255
FORTIGATE:
edit phase 2 > source address: 192.168.68.0/24
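The "proxy identities not supported" line quoted above is the router refusing the peer's phase 2 selectors. The checker below is an added example, not Cisco's or Fortinet's code: it reads a crypto map, its ACL and the `debug crypto ipsec` proposal blocks and explains each proposal under a simplified strict mirror-image rule (an assumption, not IOS's own matching logic). The 203.0.113.x addresses are constructed stand-ins for the masked 203.*.*.x peers.

```python
import ipaddress
import re
# Constructed excerpts modelled on the thread's config and debug output; masked 203.*.*.x -> 203.0.113.x.
CONFIG = """\
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.30
 match address 105
access-list 105 permit ip 192.168.21.0 0.0.0.255 192.168.68.0 0.0.0.255
"""
DEBUG = """\
(key eng. msg.) INBOUND local= 123.209.60.106, remote= 203.0.113.250,
local_proxy= 192.168.21.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
IPSEC(ipsec_process_proposal): proxy identities not supported
(key eng. msg.) INBOUND local= 123.209.60.106, remote= 203.0.113.30,
local_proxy= 192.168.21.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
IPSEC(ipsec_process_proposal): proxy identities not supported
(key eng. msg.) INBOUND local= 123.209.60.106, remote= 203.0.113.30,
local_proxy= 192.168.21.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.68.0/255.255.255.0/0/0 (type=4),
"""
def wildcard_net(addr, wildcard):
    """IOS address/wildcard pair -> network (contiguous wildcards only)."""
    bits = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - bits}", strict=False)

def parse_config(text):
    """Crypto-map peers and the (local, remote) selector of each crypto ACL line."""
    peers = set(re.findall(r"set peer (\S+)", text))
    acl = re.search(r"match address (\d+)", text).group(1)
    rows = re.findall(rf"access-list {acl} permit ip (\S+) (\S+) (\S+) (\S+)", text)
    return peers, [(wildcard_net(s, sw), wildcard_net(d, dw)) for s, sw, d, dw in rows]

def parse_proposals(text):
    """Yield (peer, local_proxy, remote_proxy, rejected) for each validated proposal."""
    for chunk in text.split("(key eng. msg.)")[1:]:
        peer = re.search(r"remote= (\S+),", chunk).group(1)
        lp, rp = (ipaddress.ip_network(re.search(rf"{s}_proxy= ([\d.]+/[\d.]+)/", chunk)
                  .group(1), strict=False) for s in ("local", "remote"))
        yield peer, lp, rp, "proxy identities not supported" in chunk

def check(config_text, debug_text):
    """Simplified strict mirror-image rule (not IOS's matcher): crypto-map peer plus exact ACL line."""
    peers, selectors = parse_config(config_text)
    return [(peer, rejected,
             "peer is not a 'set peer' of the crypto map" if peer not in peers
             else "selector matches the crypto ACL" if (local, remote) in selectors
             else f"selector {local} <-> {remote} is not mirrored by the crypto ACL")
            for peer, local, remote, rejected in parse_proposals(debug_text)]
```

The first two sample proposals mirror what the thread's debug shows (the old peer still knocking, and the new peer offering 0.0.0.0/0); the third is what a proposal would look like after the FortiGate phase 2 source is narrowed to 192.168.68.0/24.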
07-16-2012 09:09 PM
Hi John,
I'll try your suggestion and see how it goes. However, I have to let you know that the ACL setup is the same way we set up the other VPN routers to this firewall. Anyway, I'll see how it goes to narrow down the possibilities.
Regards,
Alex
07-16-2012 11:10 PM
Hi John,
I tried your suggestion but with no luck:
crypto map VPN 10 ipsec-isakmp
set peer 203.176.96.30
set transform-set ESP_3DES_SHA
match address 106
I created a new ACL 106 and its definition followed yours:
access-list 106 permit ip 192.168.21.0 0.0.0.255 192.168.68.0 0.0.0.255
and I changed the phase 2 configuration on the firewall to suit the ACL change as well. The VPN is up but I just can't use ping to justify that!
#ping 192.168.68.33 source 192.168.21.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.68.33, timeout is 2 seconds:
Packet sent with a source address of 192.168.21.1
.
642975: Jul 17 06:08:35.517: IPSEC(key_engine): got a queue event with 1 KMI message(s)....
Success rate is 0 percent (0/5)
Sandringham_VPLS#
Cheers.
Regards,
Alex
07-16-2012 11:27 PM
hi alex,
could you perform a ping test from a host or PC on the 192.168.21.0/24 subnet? post again the output of:
show crypto isakmp sa
show crypto ipsec sa
debug crypto isakmp
debug crypto ipsec
07-16-2012 11:40 PM
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
123.209.60.106 203.*.*.250 MM_NO_STATE 0 ACTIVE (deleted)
123.209.60.106 203.*.*.250 MM_NO_STATE 0 ACTIVE (deleted)
123.209.60.106 203.*.*.250 MM_NO_STATE 0 ACTIVE (deleted)
123.209.60.106 203.*.*.250 MM_NO_STATE 0 ACTIVE (deleted)
123.209.60.106 203.*.*.30 QM_IDLE 1473 ACTIVE
#sh crypto ipsec sa
PFS (Y/N): Y, DH group: group1
PFS (Y/N): N, DH group: none
interface: Dialer1
Crypto map tag: VPN, local addr 123.209.60.106
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.21.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.68.0/255.255.255.0/0/0)
current_peer 203.*.*.30 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 123.209.60.106, remote crypto endpt.: 203.*.*.30
path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
current outbound spi: 0x8DDB10D2(2379944146)
inbound esp sas:
spi: 0xED59B319(3982078745)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3113, flow_id: NETGX:1113, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4571804/258)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x8DDB10D2(2379944146)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3114, flow_id: NETGX:1114, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4571800/258)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: Cellular0/3/0
Crypto map tag: VPN, local addr 0.0.0.0
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.21.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.68.0/255.255.255.0/0/0)
current_peer 203.*.*.30 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 0.0.0.0, remote crypto endpt.: 203.*.*.30
path mtu 1500, ip mtu 1500, ip mtu idb Cellular0/3/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
I'll post the debugging information in another reply. Thanks!
Regards,
Alex