Issues with IPSec vpn no traffic

Alexandre41
Level 1

Hi everyone, and sorry for my poor English :).

We are trying to connect our office to an IPSec VPN, but we have run into some issues. Phase 1 and Phase 2 seem to be OK and the tunnel looks UP, but there is no traffic nor ping to the remote IP hosts.

In our office we have a Cisco 1900 series router with IOS 15.2. We use GE0/0 for the internet with a fixed public IP, and GE0/1 for our local network 10.213.16.0/24. We use Tunnel1 with another company, and all is good there.

The IPSec VPN we are trying to join needs these settings:

(image: vpnc.jpg)

So, we should connect to 3 remote hosts: 10.16.1.110-10.16.1.112.

The remote device is a Fortigate firewall.

This is our Cisco router configuration (with fake public IPs for posting):

Current configuration : 2843 bytes
!
! Last configuration change at 16:14:28 UTC Fri Feb 15 2019
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$RbXY$GWpKqBnyfMgEKQhZNg94T0
!
no aaa new-model
!
ip cef
!
!
!
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1941/K9 sn FCZ1822918F
license boot module c1900 technology-package securityk9
!
!
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
lifetime 14400
crypto isakmp key PSKKEYHIDDEN address 100.41.221.14
!
!
crypto ipsec transform-set HQBRANCH esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile HQBRANCH
set transform-set HQBRANCH
set pfs group5
!
!
!
crypto map HQMAP 10 ipsec-isakmp
set peer 100.41.221.14
set transform-set HQBRANCH
set pfs group5
match address 120
!
!
!
!
!
interface Tunnel1
description VOC-TH2
ip address 20.30.1.254 255.255.255.252
tunnel source 90.210.32.5
tunnel destination 36.155.151.98
!
interface Tunnel2
no ip address
ip virtual-reassembly in
tunnel source 90.210.32.5
tunnel mode ipsec ipv4
tunnel destination 100.41.221.14
tunnel protection ipsec profile HQBRANCH
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 90.210.32.5 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map HQMAP
!
interface GigabitEthernet0/1
ip address 10.213.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.213.16.18 25000 90.210.32.5 25000 extendable
ip route 0.0.0.0 0.0.0.0 90.210.32.6
ip route 10.16.1.0 255.255.255.0 Tunnel2
ip route 191.162.21.65 255.255.255.255 Tunnel1
!
access-list 1 permit 10.213.16.0 0.0.0.255
access-list 100 permit ip 10.213.16.0 0.0.0.255 any
access-list 101 permit ahp host 100.41.221.14 host 90.210.32.5
access-list 101 permit esp host 100.41.221.14 host 90.210.32.5
access-list 101 permit udp host 100.41.221.14 host 90.210.32.5 eq isakmp
access-list 101 permit udp host 100.41.221.14 host 90.210.32.5 eq non500-isakmp
access-list 120 permit ip 10.213.16.0 0.0.0.255 any
!
!
!
control-plane
!
!
line con 0
password 7 071E34421A0C39071B130807
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 15031E05198F0B2624323629
login
transport input all
!
scheduler allocate 20000 1000
!
end

And this is the crypto map:

Crypto Map IPv4 "HQMAP" 10 ipsec-isakmp
Peer = 100.41.221.14
Extended IP access list 120
access-list 120 permit ip 10.213.16.0 0.0.0.255 any
Current peer: 100.41.221.14
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group5
Transform sets={
HQBRANCH: { esp-3des esp-sha-hmac } ,
}
Interfaces using crypto map HQMAP:
GigabitEthernet0/0


Crypto Map IPv4 "Tunnel2-head-0" 65536 ipsec-isakmp
Profile name: HQBRANCH
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group5
Transform sets={
HQBRANCH: { esp-3des esp-sha-hmac } ,
}

Crypto Map IPv4 "Tunnel2-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 100.41.221.14
Extended IP access list
access-list permit ip any any
Current peer: 100.41.221.14
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group5
Transform sets={
HQBRANCH: { esp-3des esp-sha-hmac } ,
}
Always create SAs
Interfaces using crypto map Tunnel2-head-0:
Tunnel2

If you need more information, I will give it to you guys.

Thanks :).

23 Replies

Hi,
@Rob Ingram: thank you, I did this, but still nothing :(.
@Georg Pauwen: once I removed the tunnel, Phase 2 failed again; I reconfigured the Tunnel2 interface and Phase 2 is OK now...
I thought that SHA1 was also usable with IKE?
I will ask the other side if it's IKEv1 or IKEv2.

I have another question: why is Phase 2 OK with Tunnel2? And what if the other side also creates a tunnel (a GRE-like tunnel, if I am not mistaken), would that make it easier to bring it up?

Thank you.

Hi,
If you only establish Phase 2 when using the VTI, then the other end is probably not configured as expected.

As you have established an IPSec SA (Phase 2), you pretty much have a tunnel established; you probably just need to add the static route via Tunnel2.

Establish a tunnel again and then please provide the full output of "show crypto ipsec sa detailed" - this will confirm whether packets are being encrypted/decrypted. If not, this will provide clues as to where the issue could be.

You have "tunnel mode ipsec ipv4" configured under Tunnel2; this means you are using IPsec encapsulation, NOT GRE.

HTH

Hi,

Thank you for the explanations!!

Here is the output of show crypto ipsec sa detail:

Routeur-OGS#show crypto ipsec sa detail

interface: GigabitEthernet0/0
Crypto map tag: HQMAP, local addr 90.210.32.5

protected vrf: (none)
local ident (addr/mask/prot/port): (10.213.16.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.16.1.112/255.255.255.255/0/0)
current_peer 100.41.221.14 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 90.210.32.5, remote crypto endpt.: 100.41.221.14
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (10.213.16.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.16.1.110/255.255.255.255/0/0)
current_peer 100.41.221.14 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 12, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 90.210.32.5, remote crypto endpt.: 100.41.221.14
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (10.213.16.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.16.1.111/255.255.255.255/0/0)
current_peer 100.41.221.14 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 90.210.32.5, remote crypto endpt.: 100.41.221.14
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

interface: Tunnel2
Crypto map tag: Tunnel2-head-0, local addr 90.210.32.5

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 100.41.221.14 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 90.210.32.5, remote crypto endpt.: 100.41.221.14
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (90.210.32.5/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (100.41.221.14/255.255.255.255/0/0)
current_peer 100.41.221.14 port 500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 90.210.32.5, remote crypto endpt.: 100.41.221.14
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x1D52F636(491976246)
PFS (Y/N): Y, DH group: group5

inbound esp sas:
spi: 0xCD21378E(3441506190)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3445, flow_id: Onboard VPN:1445, sibling_flags 80000040, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3589)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x1D52F636(491976246)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3446, flow_id: Onboard VPN:1446, sibling_flags 80000040, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3589)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:


Thank you!

I added the route: ip route 10.16.1.0 255.255.255.0 Tunnel2
Here is again the output of 'show crypto ipsec sa detail':



interface: GigabitEthernet0/0
Crypto map tag: HQMAP, local addr 90.210.32.5

protected vrf: (none)
local ident (addr/mask/prot/port): (10.213.16.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.16.1.112/255.255.255.255/0/0)
current_peer 100.41.221.14 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 90.210.32.5, remote crypto endpt.: 100.41.221.14
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (10.213.16.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.16.1.110/255.255.255.255/0/0)
current_peer 100.41.221.14 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 12, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 90.210.32.5, remote crypto endpt.: 100.41.221.14
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (10.213.16.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.16.1.111/255.255.255.255/0/0)
current_peer 100.41.221.14 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 90.210.32.5, remote crypto endpt.: 100.41.221.14
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

interface: Tunnel2
Crypto map tag: Tunnel2-head-0, local addr 90.210.32.5

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 100.41.221.14 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 90.210.32.5, remote crypto endpt.: 100.41.221.14
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (90.210.32.5/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (100.41.221.14/255.255.255.255/0/0)
current_peer 100.41.221.14 port 500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 90.210.32.5, remote crypto endpt.: 100.41.221.14
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x1D52F656(491976278)
PFS (Y/N): Y, DH group: group5

inbound esp sas:
spi: 0x14D8D2DB(349754075)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3453, flow_id: Onboard VPN:1453, sibling_flags 80000040, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3486)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x1D52F656(491976278)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3454, flow_id: Onboard VPN:1454, sibling_flags 80000040, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3486)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

Well, you have partially established Phase 2 for both the crypto map and Tunnel2, but there are no inbound or outbound ESP SAs for either the crypto map or the VTI, so the tunnel is not fully established.

Tunnel2 does not have an IP address configured either; if you haven't agreed an IP address for the tunnel interface with the 3rd party, I assume a VTI was not intended. I don't believe you can create a VTI without an IP address, whether specified manually or using a loopback.

If you don't have an IP address for the tunnel, disable the tunnel interface and troubleshoot the crypto map. Bounce the tunnel and generate some debugs:

debug crypto ipsec
debug crypto isakmp

Upload debug output here as attachments.

Also confirm with the 3rd party the configuration, especially the crypto map ACL and Phase 2 settings.

HTH

Thank you RJI for the enlightenment, I really appreciate it!

I removed Tunnel2 and used the command: clear crypto sa

These are the logs after that:

No Active Message Discriminator.



No Inactive Message Discriminator.


Console logging: level debugging, 228539 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 227082 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled

No active filter modules.

Trap logging: level informational, 1550 message lines logged
Logging Source-Interface: VRF Name:

Log Buffer (8192 bytes):
gs= 0x0
*Feb 15 23:56:58.772: IPSEC(ipsec_process_proposal): proxy identities not supported
*Feb 15 23:56:58.772: ISAKMP:(1740): IPSec policy invalidated proposal with error 32
*Feb 15 23:56:58.772: ISAKMP:(1740): phase 2 SA policy not acceptable! (local 90.210.32.5 remote 100.41.221.14)
*Feb 15 23:56:58.772: ISAKMP: set new node -214386466 to QM_IDLE
*Feb 15 23:56:58.772: ISAKMP:(1740):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 710386592, message ID = 4080580830
*Feb 15 23:56:58.772: ISAKMP:(1740): sending packet to 100.41.221.14 my_port 500 peer_port 500 (R) QM_IDLE
*Feb 15 23:56:58.772: ISAKMP:(1740):Sending an IKE IPv4 Packet.
*Feb 15 23:56:58.772: ISAKMP:(1740):purging node -214386466
*Feb 15 23:56:58.772: ISAKMP:(1740):deleting node 1766431136 error TRUE reason "QM rejected"
*Feb 15 23:56:58.772: ISAKMP:(1740):Node 1766431136, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Feb 15 23:56:58.772: ISAKMP:(1740):Old State = IKE_QM_READY New State = IKE_QM_READY
*Feb 15 23:56:58.776: ISAKMP:(1740):purging node -1714400096
*Feb 15 23:57:03.768: ISAKMP (1740): received packet from 100.41.221.14 dport 500 sport 500 Global (R) QM_IDLE
*Feb 15 23:57:03.768: ISAKMP: set new node 709988256 to QM_IDLE
*Feb 15 23:57:03.768: ISAKMP:(1740): processing HASH payload. message ID = 709988256
*Feb 15 23:57:03.768: ISAKMP:(1740): processing SA payload. message ID = 709988256
*Feb 15 23:57:03.768: ISAKMP:(1740):Checking IPSec proposal 1
*Feb 15 23:57:03.768: ISAKMP: transform 1, ESP_3DES
*Feb 15 23:57:03.768: ISAKMP: attributes in transform:
*Feb 15 23:57:03.768: ISAKMP: SA life type in seconds
*Feb 15 23:57:03.768: ISAKMP: SA life duration (basic) of 3600
*Feb 15 23:57:03.768: ISAKMP: encaps is 1 (Tunnel)
*Feb 15 23:57:03.768: ISAKMP: authenticator is HMAC-SHA
*Feb 15 23:57:03.768: ISAKMP: group is 5
*Feb 15 23:57:03.768: ISAKMP:(1740):atts are acceptable.
*Feb 15 23:57:03.768: IPSEC(validate_proposal_request): proposal part #1
*Feb 15 23:57:03.768: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 90.210.32.5:0, remote= 100.41.221.14:0,
local_proxy= 90.210.32.5/255.255.255.255/256/0,
remote_proxy= 100.41.221.14/255.255.255.255/256/0,
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Feb 15 23:57:03.768: IPSEC(ipsec_process_proposal): proxy identities not supported
*Feb 15 23:57:03.772: ISAKMP:(1740): IPSec policy invalidated proposal with error 32
*Feb 15 23:57:03.772: ISAKMP:(1740): phase 2 SA policy not acceptable! (local 90.210.32.5 remote 100.41.221.14)
*Feb 15 23:57:03.772: ISAKMP: set new node -1382229673 to QM_IDLE
*Feb 15 23:57:03.772: ISAKMP:(1740):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 710386592, message ID = 2912737623
*Feb 15 23:57:03.772: ISAKMP:(1740): sending packet to 100.41.221.14 my_port 500 peer_port 500 (R) QM_IDLE
*Feb 15 23:57:03.772: ISAKMP:(1740):Sending an IKE IPv4 Packet.
*Feb 15 23:57:03.772: ISAKMP:(1740):purging node -1382229673
*Feb 15 23:57:03.772: ISAKMP:(1740):deleting node 709988256 error TRUE reason "QM rejected"
*Feb 15 23:57:03.772: ISAKMP:(1740):Node 709988256, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Feb 15 23:57:03.772: ISAKMP:(1740):Old State = IKE_QM_READY New State = IKE_QM_READY
*Feb 15 23:57:03.780: ISAKMP:(1740):purging node -351403195
*Feb 15 23:57:08.768: ISAKMP (1740): received packet from 100.41.221.14 dport 500 sport 500 Global (R) QM_IDLE
*Feb 15 23:57:08.768: ISAKMP: set new node -1934117951 to QM_IDLE
*Feb 15 23:57:08.768: ISAKMP:(1740): processing HASH payload. message ID = 2360849345
*Feb 15 23:57:08.768: ISAKMP:(1740): processing SA payload. message ID = 2360849345
*Feb 15 23:57:08.768: ISAKMP:(1740):Checking IPSec proposal 1
*Feb 15 23:57:08.768: ISAKMP: transform 1, ESP_3DES
*Feb 15 23:57:08.768: ISAKMP: attributes in transform:
*Feb 15 23:57:08.768: ISAKMP: SA life type in seconds
*Feb 15 23:57:08.768: ISAKMP: SA life duration (basic) of 3600
*Feb 15 23:57:08.768: ISAKMP: encaps is 1 (Tunnel)
*Feb 15 23:57:08.768: ISAKMP: authenticator is HMAC-SHA
*Feb 15 23:57:08.768: ISAKMP: group is 5
*Feb 15 23:57:08.768: ISAKMP:(1740):atts are acceptable.
*Feb 15 23:57:08.768: IPSEC(validate_proposal_request): proposal part #1
*Feb 15 23:57:08.768: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 90.210.32.5:0, remote= 100.41.221.14:0,
local_proxy= 90.210.32.5/255.255.255.255/256/0,
remote_proxy= 100.41.221.14/255.255.255.255/256/0,
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Feb 15 23:57:08.768: IPSEC(ipsec_process_proposal): proxy identities not supported
*Feb 15 23:57:08.768: ISAKMP:(1740): IPSec policy invalidated proposal with error 32
*Feb 15 23:57:08.772: ISAKMP:(1740): phase 2 SA policy not acceptable! (local 90.210.32.5 remote 100.41.221.14)
*Feb 15 23:57:08.772: ISAKMP: set new node 1418979367 to QM_IDLE
*Feb 15 23:57:08.772: ISAKMP:(1740):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 710386592, message ID = 1418979367
*Feb 15 23:57:08.772: ISAKMP:(1740): sending packet to 100.41.221.14 my_port 500 peer_port 500 (R) QM_IDLE
*Feb 15 23:57:08.772: ISAKMP:(1740):Sending an IKE IPv4 Packet.
*Feb 15 23:57:08.772: ISAKMP:(1740):purging node 1418979367
*Feb 15 23:57:08.772: ISAKMP:(1740):deleting node -1934117951 error TRUE reason "QM rejected"
*Feb 15 23:57:08.772: ISAKMP:(1740):Node 2360849345, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Feb 15 23:57:08.772: ISAKMP:(1740):Old State = IKE_QM_READY New State = IKE_QM_READY
*Feb 15 23:57:08.776: ISAKMP:(1740):purging node 637775636
*Feb 15 23:57:13.768: ISAKMP (1740): received packet from 100.41.221.14 dport 500 sport 500 Global (R) QM_IDLE
*Feb 15 23:57:13.768: ISAKMP: set new node -1573207649 to QM_IDLE
*Feb 15 23:57:13.768: ISAKMP:(1740): processing HASH payload. message ID = 2721759647
*Feb 15 23:57:13.768: ISAKMP:(1740): processing SA payload. message ID = 2721759647
*Feb 15 23:57:13.768: ISAKMP:(1740):Checking IPSec proposal 1
*Feb 15 23:57:13.768: ISAKMP: transform 1, ESP_3DES
*Feb 15 23:57:13.768: ISAKMP: attributes in transform:
*Feb 15 23:57:13.768: ISAKMP: SA life type in seconds
*Feb 15 23:57:13.768: ISAKMP: SA life duration (basic) of 3600
*Feb 15 23:57:13.768: ISAKMP: encaps is 1 (Tunnel)
*Feb 15 23:57:13.768: ISAKMP: authenticator is HMAC-SHA
*Feb 15 23:57:13.768: ISAKMP: group is 5
*Feb 15 23:57:13.768: ISAKMP:(1740):atts are acceptable.
*Feb 15 23:57:13.768: IPSEC(validate_proposal_request): proposal part #1
*Feb 15 23:57:13.768: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 90.210.32.5:0, remote= 100.41.221.14:0,
local_proxy= 90.210.32.5/255.255.255.255/256/0,
remote_proxy= 100.41.221.14/255.255.255.255/256/0,
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Feb 15 23:57:13.768: IPSEC(ipsec_process_proposal): proxy identities not supported
*Feb 15 23:57:13.768: ISAKMP:(1740): IPSec policy invalidated proposal with error 32
*Feb 15 23:57:13.768: ISAKMP:(1740): phase 2 SA policy not acceptable! (local 90.210.32.5 remote 100.41.221.14)
*Feb 15 23:57:13.768: ISAKMP: set new node 1557685610 to QM_IDLE
*Feb 15 23:57:13.768: ISAKMP:(1740):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 710386592, message ID = 1557685610
*Feb 15 23:57:13.768: ISAKMP:(1740): sending packet to 100.41.221.14 my_port 500 peer_port 500 (R) QM_IDLE
*Feb 15 23:57:13.772: ISAKMP:(1740):Sending an IKE IPv4 Packet.
*Feb 15 23:57:13.772: ISAKMP:(1740):purging node 1557685610
*Feb 15 23:57:13.772: ISAKMP:(1740):deleting node -1573207649 error TRUE reason "QM rejected"
*Feb 15 23:57:13.772: ISAKMP:(1740):Node 2721759647, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Feb 15 23:57:13.772: ISAKMP:(1740):Old State = IKE_QM_READY New State = IKE_QM_READY
*Feb 15 23:57:13.776: ISAKMP:(1740):purging node 6437262

Thank you!
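As an added illustration of the debug above (not code from this thread, Cisco or Fortinet): the "proxy identities not supported" lines show the peer offering 90.210.32.5/32 and 100.41.221.14/32 as the Phase 2 identities, which no entry of crypto ACL 120 (10.213.16.0/24 to any) covers, hence the PROPOSAL_NOT_CHOSEN that follows. The Python below parses the ACL and the debug lines and reports that mismatch next to a constructed proposal that would fit; both debug samples are constructed from the formats shown in the thread, and the subset check is a simplification of IOS's own matching rules.

```python
import ipaddress
import re

# Constructed sample: the crypto-map ACL exactly as posted in the router config above.
ACL_120 = ["access-list 120 permit ip 10.213.16.0 0.0.0.255 any"]

# Constructed sample in the format of the 'debug crypto ipsec' lines in this thread:
# the peer offers the two public addresses themselves as the Phase 2 identities.
DEBUG_HOST_TO_HOST = """\
(key eng. msg.) INBOUND local= 90.210.32.5:0, remote= 100.41.221.14:0,
local_proxy= 90.210.32.5/255.255.255.255/256/0,
remote_proxy= 100.41.221.14/255.255.255.255/256/0,
IPSEC(ipsec_process_proposal): proxy identities not supported
"""
# Constructed sample of a proposal that would fit ACL 120 (our LAN to one remote host).
DEBUG_LAN_TO_HOST = """\
local_proxy= 10.213.16.0/255.255.255.0/0/0,
remote_proxy= 10.16.1.110/255.255.255.255/0/0,
"""


def _acl_operand(tokens, i):
    """Parse one IOS ACE address operand: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[i + 1])))
    return ipaddress.ip_network(f"{tokens[i]}/{mask}", strict=False), i + 2


def parse_crypto_acl(lines):
    """Return (src, dst) network pairs for the 'permit ip' entries of an extended ACL."""
    pairs = []
    for line in lines:
        tok = line.split()
        if len(tok) >= 5 and tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            src, i = _acl_operand(tok, 4)
            dst, _ = _acl_operand(tok, i)
            pairs.append((src, dst))
    return pairs


# 'local_proxy= addr/mask/prot/port,' followed (usually on the next line) by 'remote_proxy='.
PROXY_RE = re.compile(r"local_proxy= ([\d.]+)/([\d.]+)/\d+/\d+,\s*"
                      r"remote_proxy= ([\d.]+)/([\d.]+)/\d+/\d+")


def check_proxy_ids(acl_lines, debug_text):
    """For every Phase 2 proposal in the debug text, report the identities the peer sent
    (local = our side, remote = theirs) and whether they fall inside one entry of our
    crypto ACL. This is a subset check, a simplification of IOS's own matching rules."""
    acl = parse_crypto_acl(acl_lines)
    results = []
    for m in PROXY_RE.finditer(debug_text):
        local = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        remote = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
        fits = any(local.subnet_of(src) and remote.subnet_of(dst) for src, dst in acl)
        results.append({"local": str(local), "remote": str(remote), "matches_acl": fits})
    return results


if __name__ == "__main__":
    for r in check_proxy_ids(ACL_120, DEBUG_HOST_TO_HOST + DEBUG_LAN_TO_HOST):
        verdict = "fits" if r["matches_acl"] else "does NOT fit (expect PROPOSAL_NOT_CHOSEN)"
        print(f"peer proposes {r['local']} <-> {r['remote']}: {verdict} ACL 120")
```

Feeding it a real `debug crypto ipsec` capture and the router's own crypto ACL lines shows at a glance which side's Phase 2 selectors have to change.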

Hello,

Try the below:

1. Remove the ipsec profile:

--> no crypto ipsec profile HQBRANCH

Add the lines marked in bold:

 

crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
lifetime 14400
crypto isakmp key PSKKEYHIDDEN address 100.41.221.14
!
crypto keyring KEYRING_HQBRANCH
pre-shared-key address 100.41.221.14 key PSKKEYHIDDEN
!
crypto ipsec transform-set HQBRANCH esp-3des esp-sha-hmac
mode tunnel
!
crypto isakmp profile PROFILE_HQBRANCH
keyring KEYRING_HQBRANCH
match identity address 100.41.221.14 255.255.255.255
!
crypto map HQMAP 10 ipsec-isakmp
set peer 100.41.221.14
set transform-set HQBRANCH
set isakmp-profile PROFILE_HQBRANCH
set pfs group5
match address 120

Hello,

The thread is getting very long so I don't know if this has already been mentioned, but set the hash to sha1 under your crypto policy:

crypto isakmp policy 10
hash sha1

SHA is the default hashing algorithm, so it doesn't appear in the running config. Even if you manually define SHA as the hashing algorithm it would not be displayed in the running config; only an algorithm other than the default would be displayed. You can confirm the actual hashing algorithm by running "show crypto isakmp policy"; it would appear as Secure Hash Standard.

The errors provided still look like Phase 2 issues; confirm with the 3rd party exactly what they have configured.

HTH
