Solved: Site2Site: ACL are not installed, IPSec SA are fine

udo · ‎11-03-2019

Hello Community.

I am not a native English speaker, so sorry for that.

I have a strange problem running a site2site IPSec tunnel which work well on a 2821 on a ASR1002X AES License.

First what i know, eg. have done.

The IOS-XE 16.9.4 dont work on dynamic remote vpn because crypto map CMAP isakmp authorization list GROUPAUTHOR dont work. There is a new way to configure ISAKMP groups via profiles which require an not documented "password" parameter. Okay i downgraded to 16.7.1 and the VPN part for dialin user (OSX, HO-Router etc.) is back in service. The above crypto statement is available. The site2site problem i am facing is pretty strange. The remote end, Verizon IPSec Tunnel runing since 7 years without problems. Config follow.

Behavior is easy to explain. I clear the sessions on the 2821 and shut the interface. I no shut the new interface on the ASR and i trigger the remote end to establish the tunnel wit a phone call (SIP Interconnect). The tunnel imediately start to come up on the ASR. IKE P1 complete IPSec P1 will use the ACL to insert the protected network in the routing database. That fails. Errormessages not really appear (deb cry isa, deb cry ips) will paste it later. After the tunnel is up and active i tried to ping remote end. No resonse because routing ends on the ASR.

My questions are, what went wrong in the IOS-XE with ACLs?

Why the config is ignored?

Do i miss some global configuration statements to activate the ACL route installation?

The config is far from a complicated one.

I have tried 16.7.1, 16.3.5 same config, also same main behaviour.

Here the config from the ASR (interesting part plus all globals. IPs are masked to 10.0.0.0/8 but consistent)

version 16.7

service timestamps debug datetime msec

service timestamps log datetime msec

platform qfp utilization monitor load 80

no platform punt-keepalive disable-kernel-core

platform hardware throughput level 5000000

!

hostname ASR1002X

!

boot-start-marker

boot system bootflash:asr1002x-universalk9.16.07.01.SPA.bin

boot-end-marker

!

vrf definition Mgmt-intf

!

address-family ipv4

exit-address-family

!

address-family ipv6

exit-address-family

!

enable secret 5 xxxxxxxxxxxxxxx

!

transport-map type persistent webui https-webui

secure-server

!

transport-map type persistent ssh sshhandler

authentication-retries 1

rsa keypair-name sshkeys

transport interface GigabitEthernet0

connection wait allow interruptible

!

aaa new-model

!

aaa authentication login userauthen local

aaa authentication ppp default local

aaa authorization network groupauthor local

!

aaa session-id common

!

ip nbar http-services

!

ip name-server x.x.x.x y.y.y.y

!

login on-success log

!

subscriber templating

!

multilink bundle-name authenticated

!

domain domain.net

!

ivr prompt buffers 2

license udi pid ASR1002-X sn ABC123456

no license smart enable

!

spanning-tree extend system-id

diagnostic bootup level minimal

!

username user .....!*Few Remote User

!

redundancy

mode none

!

no crypto isakmp default policy

!

crypto isakmp policy 1

encr aes 256

hash md5

authentication pre-share

group 2

!

crypto isakmp policy 2

encr aes

hash md5

authentication pre-share

group 2

!

crypto isakmp policy 3

encr aes 256

hash sha256

authentication pre-share

group 14

lifetime 3600

!

crypto isakmp policy 5

encr aes

authentication pre-share

group 2

!

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

!

crypto isakmp policy 11

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 12

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 13

encr 3des

authentication pre-share

group 2

crypto isakmp key preshared-key-secret address 10.10.1.238

crypto isakmp key preshared-key-secret address 10.10.2.238

crypto isakmp key preshared-key-secret address 10.10.3.238

crypto isakmp invalid-spi-recovery

crypto isakmp keepalive 60 periodic

crypto isakmp nat keepalive 30

!

crypto isakmp client configuration group VPNGROUP

key xxxxx

dns x.x.x.x y.y.y.y

domain domain.net

pool IPPool

save-password

!

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association replay window-size 512

!

crypto ipsec transform-set ipcom esp-3des esp-md5-hmac

mode tunnel

!

crypto dynamic-map dynvpn 1

set nat demux

set transform-set ipcom

!

crypto map CRYMAP local-address GigabitEthernet0/0/1

crypto map CRYMAP 1 ipsec-isakmp

description VzB DTM

set peer 10.10.1.238

set transform-set ipcom

set pfs group2

match address 120

crypto map CRYMAP 2 ipsec-isakmp

description VzB AMS

set peer 10.10.2.238

set transform-set ipcom

set pfs group2

match address 121

crypto map CRYMAP 3 ipsec-isakmp

description VzB LND

set peer 10.10.3.238

set transform-set ipcom

set pfs group2

match address 122

!

crypto map VPN local-address GigabitEthernet0/0/2

crypto map VPN client authentication list userauthen

crypto map VPN isakmp authorization list groupauthor

crypto map VPN client configuration address respond

crypto map VPN 10 ipsec-isakmp dynamic dynmap

crypto map VPN 20 ipsec-isakmp dynamic dynvpn

!

interface GigabitEthernet0/0/0

ip address 10.1.1.10 255.255.255.192

no ip redirects

ip nbar protocol-discovery

shutdown

negotiation auto

!

interface GigabitEthernet0/0/1

ip address 10.1.2.219 255.255.255.192

no ip redirects

ip nbar protocol-discovery

ip tcp adjust-mss 1260

shutdown

negotiation auto

crypto map CRYMAP

!

interface GigabitEthernet0/0/2

ip address 10.1.3.10 255.255.255.240

no ip redirects

ip nbar protocol-discovery

ip tcp adjust-mss 1260

negotiation auto

ipv6 nd ra suppress

crypto map DUSVPN

!

interface GigabitEthernet0/0/3

no ip address

shutdown

negotiation auto

!

interface GigabitEthernet0/0/4

no ip address

shutdown

negotiation auto

!

interface GigabitEthernet0/0/5

no ip address

shutdown

negotiation auto

!

interface GigabitEthernet0

vrf forwarding Mgmt-intf

ip address 10.10.10.251 255.255.255.0

negotiation auto

!

no ip forward-protocol nd

ip http secure-server

ip http timeout-policy idle 600 life 86400 requests 1

ip http session-idle-timeout 1200

ip tftp source-interface GigabitEthernet0

ip route 0.0.0.0 0.0.0.0 10.1.1.1

ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.10.10.1

!

ip ssh server algorithm authentication password

!

access-list 10 permit 10.1.1.7 log

access-list 10 deny any log

access-list 11 permit 10.1.10.0 0.0.0.255

access-list 11 permit 10.1.1.0 0.0.0.16

access-list 11 permit 10.1.2.0 0.0.0.255

access-list 11 deny any log

access-list 120 permit ip 10.1.1.0 0.0.0.255 10.11.1.192 0.0.0.31

access-list 121 permit ip 10.1.1.0 0.0.0.255 10.11.2.192 0.0.0.31

access-list 122 permit ip 10.1.1.0 0.0.0.255 10.11.3.192 0.0.0.31

!

control-plane

!

line con 0

stopbits 1

line aux 0

stopbits 1

line vty 0 4

!

transport type persistent webui input https-webui

!

end

So thats the router config.

Is there any missing in cause of the different systems between the C2821 and the ASR1002X?

Here a full establishing log, all is fine except traffic thru the tunnel. No routing is installed :( I marked intersting parts BOLD:

Nov 3 04:02:02 acr-xe-0-0-15 3984: Nov 3 03:02:02.541: ISAKMP-PAK: (0):received packet from 10.10.1.238 dport 500 sport 500 Global (N) NEW SA

Nov 3 04:02:02 acr-xe-0-0-15 3985: Nov 3 03:02:02.541: ISAKMP: (0):Created a peer struct for 10.10.1.238, peer port 500

Nov 3 04:02:02 acr-xe-0-0-15 3986: Nov 3 03:02:02.541: ISAKMP: (0):New peer created peer = 0x7F837B5F7060 peer_handle = 0x8000000A

Nov 3 04:02:02 acr-xe-0-0-15 3987: Nov 3 03:02:02.541: ISAKMP: (0):Locking peer struct 0x7F837B5F7060, refcount 1 for crypto_isakmp_process_block

Nov 3 04:02:02 acr-xe-0-0-15 3988: Nov 3 03:02:02.541: ISAKMP: (0):local port 500, remote port 500

Nov 3 04:02:02 acr-xe-0-0-15 3989: Nov 3 03:02:02.541: crypto_engine_select_crypto_engine: can't handle any more

Nov 3 04:02:02 acr-xe-0-0-15 3990: Nov 3 03:02:02.541: ISAKMP: (0):insert sa successfully sa = 7F837B6AE320

Nov 3 04:02:02 acr-xe-0-0-15 3991: Nov 3 03:02:02.541: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Nov 3 04:02:02 acr-xe-0-0-15 3992: Nov 3 03:02:02.541: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1

Nov 3 04:02:02 acr-xe-0-0-15 3993: crypto_isadb_stuff_vrf_instance, ike_fsm_proc_mm1: sa->f_vrf = 0 sa->i_vrf = 0 sa=0x7F837B6AE320

Nov 3 04:02:02 acr-xe-0-0-15 3994: Nov 3 03:02:02.541: ISAKMP: (0):processing SA payload. message ID = 0

Nov 3 04:02:02 acr-xe-0-0-15 3995: Nov 3 03:02:02.541: ISAKMP: (0):processing vendor id payload

Nov 3 04:02:02 acr-xe-0-0-15 3996: Nov 3 03:02:02.541: ISAKMP: (0):vendor ID seems Unity/DPD but major 190 mismatch

Nov 3 04:02:02 acr-xe-0-0-15 3997: Nov 3 03:02:02.541: ISAKMP: (0):processing vendor id payload

Nov 3 04:02:02 acr-xe-0-0-15 3998: Nov 3 03:02:02.541: ISAKMP: (0):vendor ID is DPD

Nov 3 04:02:02 acr-xe-0-0-15 3999: Nov 3 03:02:02.541: ISAKMP: (0):processing vendor id payload

Nov 3 04:02:02 acr-xe-0-0-15 4000: Nov 3 03:02:02.541: ISAKMP: (0):processing IKE frag vendor id payload

Nov 3 04:02:02 acr-xe-0-0-15 4001: Nov 3 03:02:02.541: ISAKMP: (0):Support for IKE Fragmentation not enabled

Nov 3 04:02:02 acr-xe-0-0-15 4002: Nov 3 03:02:02.541: ISAKMP: (0):found peer pre-shared key matching 10.10.1.238

Nov 3 04:02:02 acr-xe-0-0-15 4003: Nov 3 03:02:02.541: ISAKMP: (0):local preshared key found

Nov 3 04:02:02 acr-xe-0-0-15 4004: Nov 3 03:02:02.541: ISAKMP: (0):Scanning profiles for xauth ...

Nov 3 04:02:02 acr-xe-0-0-15 4005: Nov 3 03:02:02.541: ISAKMP: (0):Checking ISAKMP transform 1 against priority 1 policy

Nov 3 04:02:02 acr-xe-0-0-15 4006: Nov 3 03:02:02.541: ISAKMP: (0): encryption 3DES-CBC

Nov 3 04:02:02 acr-xe-0-0-15 4007: Nov 3 03:02:02.541: ISAKMP: (0): hash MD5

Nov 3 04:02:02 acr-xe-0-0-15 4008: Nov 3 03:02:02.541: ISAKMP: (0): default group 2

Nov 3 04:02:02 acr-xe-0-0-15 4009: Nov 3 03:02:02.541: ISAKMP: (0): auth pre-share

Nov 3 04:02:02 acr-xe-0-0-15 4010: Nov 3 03:02:02.541: ISAKMP: (0): life type in seconds

Nov 3 04:02:02 acr-xe-0-0-15 4011: Nov 3 03:02:02.541: ISAKMP: (0): life duration (basic) of 28800

Nov 3 04:02:02 acr-xe-0-0-15 4012: Nov 3 03:02:02.541: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!

Nov 3 04:02:02 acr-xe-0-0-15 4013: Nov 3 03:02:02.541: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0

Nov 3 04:02:02 acr-xe-0-0-15 4014: Nov 3 03:02:02.541: ISAKMP: (0):Checking ISAKMP transform 1 against priority 2 policy

Nov 3 04:02:02 acr-xe-0-0-15 4015: Nov 3 03:02:02.541: ISAKMP: (0): encryption 3DES-CBC

Nov 3 04:02:02 acr-xe-0-0-15 4016: Nov 3 03:02:02.541: ISAKMP: (0): hash MD5

Nov 3 04:02:02 acr-xe-0-0-15 4017: Nov 3 03:02:02.541: ISAKMP: (0): default group 2

Nov 3 04:02:02 acr-xe-0-0-15 4018: Nov 3 03:02:02.541: ISAKMP: (0): auth pre-share

Nov 3 04:02:02 acr-xe-0-0-15 4019: Nov 3 03:02:02.541: ISAKMP: (0): life type in seconds

Nov 3 04:02:02 acr-xe-0-0-15 4020: Nov 3 03:02:02.541: ISAKMP: (0): life duration (basic) of 28800

Nov 3 04:02:02 acr-xe-0-0-15 4021: Nov 3 03:02:02.541: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!

Nov 3 04:02:02 acr-xe-0-0-15 4022: Nov 3 03:02:02.541: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0

Nov 3 04:02:02 acr-xe-0-0-15 4023: Nov 3 03:02:02.541: ISAKMP: (0):Checking ISAKMP transform 1 against priority 3 policy

Nov 3 04:02:02 acr-xe-0-0-15 4024: Nov 3 03:02:02.541: ISAKMP: (0): encryption 3DES-CBC

Nov 3 04:02:02 acr-xe-0-0-15 4025: Nov 3 03:02:02.541: ISAKMP: (0): hash MD5

Nov 3 04:02:02 acr-xe-0-0-15 4026: Nov 3 03:02:02.541: ISAKMP: (0): default group 2

Nov 3 04:02:02 acr-xe-0-0-15 4027: Nov 3 03:02:02.541: ISAKMP: (0): auth pre-share

Nov 3 04:02:02 acr-xe-0-0-15 4028: Nov 3 03:02:02.541: ISAKMP: (0): life type in seconds

Nov 3 04:02:02 acr-xe-0-0-15 4029: Nov 3 03:02:02.541: ISAKMP: (0): life duration (basic) of 28800

Nov 3 04:02:02 acr-xe-0-0-15 4030: Nov 3 03:02:02.541: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!

Nov 3 04:02:02 acr-xe-0-0-15 4031: Nov 3 03:02:02.541: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0

Nov 3 04:02:02 acr-xe-0-0-15 4032: Nov 3 03:02:02.541: ISAKMP: (0):Checking ISAKMP transform 1 against priority 5 policy

Nov 3 04:02:02 acr-xe-0-0-15 4033: Nov 3 03:02:02.541: ISAKMP: (0): encryption 3DES-CBC

Nov 3 04:02:02 acr-xe-0-0-15 4034: Nov 3 03:02:02.541: ISAKMP: (0): hash MD5

Nov 3 04:02:02 acr-xe-0-0-15 4035: Nov 3 03:02:02.541: ISAKMP: (0): default group 2

Nov 3 04:02:02 acr-xe-0-0-15 4036: Nov 3 03:02:02.541: ISAKMP: (0): auth pre-share

Nov 3 04:02:02 acr-xe-0-0-15 4037: Nov 3 03:02:02.541: ISAKMP: (0): life type in seconds

Nov 3 04:02:02 acr-xe-0-0-15 4038: Nov 3 03:02:02.541: ISAKMP: (0): life duration (basic) of 28800

Nov 3 04:02:02 acr-xe-0-0-15 4039: Nov 3 03:02:02.541: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!

Nov 3 04:02:02 acr-xe-0-0-15 4040: Nov 3 03:02:02.541: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0

Nov 3 04:02:02 acr-xe-0-0-15 4041: Nov 3 03:02:02.541: ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy

Nov 3 04:02:02 acr-xe-0-0-15 4042: Nov 3 03:02:02.541: ISAKMP: (0): encryption 3DES-CBC

Nov 3 04:02:02 acr-xe-0-0-15 4043: Nov 3 03:02:02.541: ISAKMP: (0): hash MD5

Nov 3 04:02:02 acr-xe-0-0-15 4044: Nov 3 03:02:02.541: ISAKMP: (0): default group 2

Nov 3 04:02:02 acr-xe-0-0-15 4045: Nov 3 03:02:02.541: ISAKMP: (0): auth pre-share

Nov 3 04:02:02 acr-xe-0-0-15 4046: Nov 3 03:02:02.541: ISAKMP: (0): life type in seconds

Nov 3 04:02:02 acr-xe-0-0-15 4047: Nov 3 03:02:02.541: ISAKMP: (0): life duration (basic) of 28800

Nov 3 04:02:02 acr-xe-0-0-15 4048: Nov 3 03:02:02.541: ISAKMP: (0):atts are acceptable. Next payload is 0

Nov 3 04:02:02 acr-xe-0-0-15 4049: Nov 3 03:02:02.541: ISAKMP: (0):Acceptable atts:actual life: 86400

Nov 3 04:02:02 acr-xe-0-0-15 4050: Nov 3 03:02:02.541: ISAKMP: (0):Acceptable atts:life: 0

Nov 3 04:02:02 acr-xe-0-0-15 4051: Nov 3 03:02:02.541: ISAKMP: (0):Basic life_in_seconds:28800

Nov 3 04:02:02 acr-xe-0-0-15 4052: Nov 3 03:02:02.541: ISAKMP: (0):Returning Actual lifetime: 28800

Nov 3 04:02:02 acr-xe-0-0-15 4053: Nov 3 03:02:02.541: ISAKMP: (0):Started lifetime timer: 28800.

Nov 3 04:02:02 acr-xe-0-0-15 4054: Nov 3 03:02:02.541: crypto_engine_select_crypto_engine: can't handle any more

Nov 3 04:02:02 acr-xe-0-0-15 4055: Nov 3 03:02:02.541: crypto_engine: Create DH

Nov 3 04:02:02 acr-xe-0-0-15 4056: Nov 3 03:02:02.544: ISAKMP: (0):processing vendor id payload

Nov 3 04:02:02 acr-xe-0-0-15 4057: Nov 3 03:02:02.544: ISAKMP: (0):vendor ID seems Unity/DPD but major 190 mismatch

Nov 3 04:02:02 acr-xe-0-0-15 4058: Nov 3 03:02:02.544: ISAKMP: (0):processing vendor id payload

Nov 3 04:02:02 acr-xe-0-0-15 4059: Nov 3 03:02:02.544: ISAKMP: (0):vendor ID is DPD

Nov 3 04:02:02 acr-xe-0-0-15 4060: Nov 3 03:02:02.544: ISAKMP: (0):processing vendor id payload

Nov 3 04:02:02 acr-xe-0-0-15 4061: Nov 3 03:02:02.544: ISAKMP: (0):processing IKE frag vendor id payload

Nov 3 04:02:02 acr-xe-0-0-15 4062: Nov 3 03:02:02.544: ISAKMP: (0):Support for IKE Fragmentation not enabled

Nov 3 04:02:02 acr-xe-0-0-15 4063: Nov 3 03:02:02.544: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Nov 3 04:02:02 acr-xe-0-0-15 4064: Nov 3 03:02:02.544: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1

Nov 3 04:02:02 acr-xe-0-0-15 4065: Nov 3 03:02:02.544: ISAKMP-PAK: (0):sending packet to 10.10.1.238 my_port 500 peer_port 500 (R) MM_SA_SETUP

Nov 3 04:02:02 acr-xe-0-0-15 4066: Nov 3 03:02:02.544: ISAKMP: (0):Sending an IKE IPv4 Packet.

Nov 3 04:02:02 acr-xe-0-0-15 4067: Nov 3 03:02:02.544: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Nov 3 04:02:02 acr-xe-0-0-15 4068: Nov 3 03:02:02.544: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2

Nov 3 04:02:02 acr-xe-0-0-15 4069: Nov 3 03:02:02.554: ISAKMP-PAK: (0):received packet from 10.10.1.238 dport 500 sport 500 Global (R) MM_SA_SETUP

Nov 3 04:02:02 acr-xe-0-0-15 4070: Nov 3 03:02:02.554: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Nov 3 04:02:02 acr-xe-0-0-15 4071: Nov 3 03:02:02.554: ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3

Nov 3 04:02:02 acr-xe-0-0-15 4072: Nov 3 03:02:02.554: ISAKMP: (0):processing KE payload. message ID = 0

Nov 3 04:02:02 acr-xe-0-0-15 4073: Nov 3 03:02:02.554: crypto_engine: Create DH shared secret

Nov 3 04:02:02 acr-xe-0-0-15 4074: Nov 3 03:02:02.556: ISAKMP: (0):processing NONCE payload. message ID = 0

Nov 3 04:02:02 acr-xe-0-0-15 4075: Nov 3 03:02:02.556: ISAKMP: (0):found peer pre-shared key matching 10.10.1.238

Nov 3 04:02:02 acr-xe-0-0-15 4076: Nov 3 03:02:02.556: crypto_engine: Create IKE SA

Nov 3 04:02:02 acr-xe-0-0-15 4077: Nov 3 03:02:02.556: crypto engine: deleting DH phase 2 SW:23

Nov 3 04:02:02 acr-xe-0-0-15 4078: Nov 3 03:02:02.556: crypto_engine: Delete DH shared secret

Nov 3 04:02:02 acr-xe-0-0-15 4079: Nov 3 03:02:02.556: ISAKMP: (1013):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Nov 3 04:02:02 acr-xe-0-0-15 4080: Nov 3 03:02:02.556: ISAKMP: (1013):Old State = IKE_R_MM3 New State = IKE_R_MM3

Nov 3 04:02:02 acr-xe-0-0-15 4081: Nov 3 03:02:02.556: ISAKMP-PAK: (1013):sending packet to 10.10.1.238 my_port 500 peer_port 500 (R) MM_KEY_EXCH

Nov 3 04:02:02 acr-xe-0-0-15 4082: Nov 3 03:02:02.556: ISAKMP: (1013):Sending an IKE IPv4 Packet.

Nov 3 04:02:02 acr-xe-0-0-15 4083: Nov 3 03:02:02.556: ISAKMP: (1013):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Nov 3 04:02:02 acr-xe-0-0-15 4084: Nov 3 03:02:02.556: ISAKMP: (1013):Old State = IKE_R_MM3 New State = IKE_R_MM4

Nov 3 04:02:02 acr-xe-0-0-15 4085: Nov 3 03:02:02.567: ISAKMP-PAK: (1013):received packet from 10.10.1.238 dport 500 sport 500 Global (R) MM_KEY_EXCH

Nov 3 04:02:02 acr-xe-0-0-15 4086: Nov 3 03:02:02.567: crypto_engine: Decrypt IKE packet

Nov 3 04:02:02 acr-xe-0-0-15 4087: Nov 3 03:02:02.567: ISAKMP: (1013):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Nov 3 04:02:02 acr-xe-0-0-15 4088: Nov 3 03:02:02.567: ISAKMP: (1013):Old State = IKE_R_MM4 New State = IKE_R_MM5

Nov 3 04:02:02 acr-xe-0-0-15 4089: Nov 3 03:02:02.567: ISAKMP: (1013):processing ID payload. message ID = 0

Nov 3 04:02:02 acr-xe-0-0-15 4090: Nov 3 03:02:02.567: ISAKMP: (1013):ID payload

Nov 3 04:02:02 acr-xe-0-0-15 4091: next-payload : 8

Nov 3 04:02:02 acr-xe-0-0-15 4092: type : 1

Nov 3 04:02:02 acr-xe-0-0-15 4093: Nov 3 03:02:02.567: ISAKMP: (1013): address : 10.10.1.238

Nov 3 04:02:02 acr-xe-0-0-15 4094: Nov 3 03:02:02.567: ISAKMP: (1013): protocol : 17

Nov 3 04:02:02 acr-xe-0-0-15 4095: port : 500

Nov 3 04:02:02 acr-xe-0-0-15 4096: length : 12

Nov 3 04:02:02 acr-xe-0-0-15 4097: Nov 3 03:02:02.567: ISAKMP: (0):peer matches *none* of the profilescrypto_isadb_stuff_vrf_instance, crypto_isakmp_assign_profile: sa->f_vrf = 0 sa->i_vrf = 0 sa=0x7F837B6AE320

Nov 3 04:02:02 acr-xe-0-0-15 4098: Nov 3 03:02:02.567: ISAKMP: (1013):processing HASH payload. message ID = 0

Nov 3 04:02:02 acr-xe-0-0-15 4099: Nov 3 03:02:02.567: crypto_engine: Generate IKE hash

Nov 3 04:02:02 acr-xe-0-0-15 4100: Nov 3 03:02:02.567: ISAKMP: (1013):SA authentication status:

Nov 3 04:02:02 acr-xe-0-0-15 4101: authenticated

Nov 3 04:02:02 acr-xe-0-0-15 4102: Nov 3 03:02:02.567: ISAKMP: (1013):SA has been authenticated with 10.10.1.238

Nov 3 04:02:02 acr-xe-0-0-15 4103: Nov 3 03:02:02.567: ISAKMP: (0):Trying to insert a peer 10.1.2.219/10.10.1.238/500/,

Nov 3 04:02:02 acr-xe-0-0-15 4104: Nov 3 03:02:02.567: ISAKMP: (0): and inserted successfully 7F837B5F7060.

Nov 3 04:02:02 acr-xe-0-0-15 4105: Nov 3 03:02:02.567: ISAKMP: (1013):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Nov 3 04:02:02 acr-xe-0-0-15 4106: Nov 3 03:02:02.567: ISAKMP: (1013):Old State = IKE_R_MM5 New State = IKE_R_MM5

Nov 3 04:02:02 acr-xe-0-0-15 4107: Nov 3 03:02:02.567: ISAKMP: (1013):SA is doing

Nov 3 04:02:02 acr-xe-0-0-15 4108: Nov 3 03:02:02.568: ISAKMP: (1013):pre-shared key authentication using id type ID_IPV4_ADDR

Nov 3 04:02:02 acr-xe-0-0-15 4109: Nov 3 03:02:02.568: ISAKMP: (1013):ID payload

Nov 3 04:02:02 acr-xe-0-0-15 4110: next-payload : 8

Nov 3 04:02:02 acr-xe-0-0-15 4111: type : 1

Nov 3 04:02:02 acr-xe-0-0-15 4112: Nov 3 03:02:02.568: ISAKMP: (1013): address : 10.1.2.219

Nov 3 04:02:02 acr-xe-0-0-15 4113: Nov 3 03:02:02.568: ISAKMP: (1013): protocol : 17

Nov 3 04:02:02 acr-xe-0-0-15 4114: port : 500

Nov 3 04:02:02 acr-xe-0-0-15 4115: length : 12

Nov 3 04:02:02 acr-xe-0-0-15 4116: Nov 3 03:02:02.568: ISAKMP: (1013):Total payload length: 12

Nov 3 04:02:02 acr-xe-0-0-15 4117: Nov 3 03:02:02.568: crypto_engine: Generate IKE hash

Nov 3 04:02:02 acr-xe-0-0-15 4118: Nov 3 03:02:02.568: crypto_engine: Encrypt IKE packet

Nov 3 04:02:02 acr-xe-0-0-15 4119: Nov 3 03:02:02.568: ISAKMP-PAK: (1013):sending packet to 10.10.1.238 my_port 500 peer_port 500 (R) MM_KEY_EXCH

Nov 3 04:02:02 acr-xe-0-0-15 4120: Nov 3 03:02:02.568: ISAKMP: (1013):Sending an IKE IPv4 Packet.

Nov 3 04:02:02 acr-xe-0-0-15 4121: Nov 3 03:02:02.568: IKE active tunnels 4

Nov 3 04:02:02 acr-xe-0-0-15 4122: scmIkeTunnelCreate ikeidx:13

Nov 3 04:02:02 acr-xe-0-0-15 4123: Nov 3 03:02:02.568: scmIkeTunnelCreated: Default context, vdi_ptr=gdi_ptr=140202611746552/140202611746552

Nov 3 04:02:02 acr-xe-0-0-15 4124: Nov 3 03:02:02.568: ISAKMP: (1013):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Nov 3 04:02:02 acr-xe-0-0-15 4125: Nov 3 03:02:02.568: ISAKMP: (1013):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

Nov 3 04:02:02 acr-xe-0-0-15 4126: Nov 3 03:02:02.568: ISAKMP: (1013):IKE_DPD is enabled, initializing timers

Nov 3 04:02:02 acr-xe-0-0-15 4127: Nov 3 03:02:02.568: ISAKMP: (1013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

Nov 3 04:02:02 acr-xe-0-0-15 4128: Nov 3 03:02:02.568: ISAKMP: (1013):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Nov 3 04:02:02 acr-xe-0-0-15 4129: Nov 3 03:02:02.578: ISAKMP-PAK: (1013):received packet from 10.10.1.238 dport 500 sport 500 Global (R) QM_IDLE

Nov 3 04:02:02 acr-xe-0-0-15 4130: Nov 3 03:02:02.578: ISAKMP: (1013):set new node 2448060722 to QM_IDLE

Nov 3 04:02:02 acr-xe-0-0-15 4131: Nov 3 03:02:02.578: crypto_engine: Decrypt IKE packet

Nov 3 04:02:02 acr-xe-0-0-15 4132: Nov 3 03:02:02.578: crypto_engine: Generate IKE hash

Nov 3 04:02:02 acr-xe-0-0-15 4133: Nov 3 03:02:02.578: ISAKMP: (1013):processing HASH payload. message ID = 2448060722

Nov 3 04:02:02 acr-xe-0-0-15 4134: Nov 3 03:02:02.578: ISAKMP: (1013):processing SA payload. message ID = 2448060722

Nov 3 04:02:02 acr-xe-0-0-15 4135: Nov 3 03:02:02.578: ISAKMP: (1013):Checking IPSec proposal 1

Nov 3 04:02:02 acr-xe-0-0-15 4136: Nov 3 03:02:02.578: ISAKMP: (1013):transform 1, ESP_3DES

Nov 3 04:02:02 acr-xe-0-0-15 4137: Nov 3 03:02:02.578: ISAKMP: (1013): attributes in transform:

Nov 3 04:02:02 acr-xe-0-0-15 4138: Nov 3 03:02:02.578: ISAKMP: (1013): SA life type in seconds

Nov 3 04:02:02 acr-xe-0-0-15 4139: Nov 3 03:02:02.578: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10

Nov 3 04:02:02 acr-xe-0-0-15 4140: Nov 3 03:02:02.578: ISAKMP: (1013): encaps is 1 (Tunnel)

Nov 3 04:02:02 acr-xe-0-0-15 4141: Nov 3 03:02:02.578: ISAKMP: (1013): authenticator is HMAC-MD5

Nov 3 04:02:02 acr-xe-0-0-15 4142: Nov 3 03:02:02.578: ISAKMP: (1013): group is 2

Nov 3 04:02:02 acr-xe-0-0-15 4143: Nov 3 03:02:02.578: ISAKMP: (1013):atts are acceptable.

Nov 3 04:02:02 acr-xe-0-0-15 4144: Nov 3 03:02:02.578: IPSEC(validate_proposal_request): proposal part #1

Nov 3 04:02:02 acr-xe-0-0-15 4145: Nov 3 03:02:02.578: IPSEC(validate_proposal_request): proposal part #1,

Nov 3 04:02:02 acr-xe-0-0-15 4146: (key eng. msg.) INBOUND local= 10.1.2.219:0, remote= 10.10.1.238:0,

Nov 3 04:02:02 acr-xe-0-0-15 4147: local_proxy= 10.1.1.0/255.255.255.0/256/0,

Nov 3 04:02:02 acr-xe-0-0-15 4148: remote_proxy= 10.11.1.192/255.255.255.224/256/0,

Nov 3 04:02:02 acr-xe-0-0-15 4149: protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),

Nov 3 04:02:02 acr-xe-0-0-15 4150: lifedur= 0s and 0kb,

Nov 3 04:02:02 acr-xe-0-0-15 4151: spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

Nov 3 04:02:02 acr-xe-0-0-15 4152: Nov 3 03:02:02.578: Crypto mapdb : proxy_match

Nov 3 04:02:02 acr-xe-0-0-15 4153: src addr : 10.1.1.0

Nov 3 04:02:02 acr-xe-0-0-15 4154: dst addr : 10.11.1.192

Nov 3 04:02:02 acr-xe-0-0-15 4155: protocol : 0

Nov 3 04:02:02 acr-xe-0-0-15 4156: src port : 0

Nov 3 04:02:02 acr-xe-0-0-15 4157: dst port : 0

Nov 3 04:02:02 acr-xe-0-0-15 4158: Nov 3 03:02:02.578: (ipsec_process_proposal)Map Accepted: CRYMAP, 1

Nov 3 04:02:02 acr-xe-0-0-15 4159: Nov 3 03:02:02.578: crypto_engine: Create DH

Nov 3 04:02:02 acr-xe-0-0-15 4160: Nov 3 03:02:02.580: ISAKMP: (1013):processing NONCE payload. message ID = 2448060722

Nov 3 04:02:02 acr-xe-0-0-15 4161: Nov 3 03:02:02.580: ISAKMP: (1013):processing KE payload. message ID = 2448060722

Nov 3 04:02:02 acr-xe-0-0-15 4162: Nov 3 03:02:02.580: crypto_engine: Create DH shared secret

Nov 3 04:02:02 acr-xe-0-0-15 4163: Nov 3 03:02:02.582: ISAKMP: (1013):processing ID payload. message ID = 2448060722

Nov 3 04:02:02 acr-xe-0-0-15 4164: Nov 3 03:02:02.582: ISAKMP: (1013):processing ID payload. message ID = 2448060722

Nov 3 04:02:02 acr-xe-0-0-15 4165: Nov 3 03:02:02.582: ISAKMP: (1013):QM Responder gets spi

Nov 3 04:02:02 acr-xe-0-0-15 4166: Nov 3 03:02:02.582: ISAKMP: (1013):Node 2448060722, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

Nov 3 04:02:02 acr-xe-0-0-15 4167: Nov 3 03:02:02.582: ISAKMP: (1013):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE

Nov 3 04:02:02 acr-xe-0-0-15 4168: Nov 3 03:02:02.582: crypto_engine: Generate IKE hash

Nov 3 04:02:02 acr-xe-0-0-15 4169: Nov 3 03:02:02.582: ISAKMP: (1013):Node 2448060722, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI

Nov 3 04:02:02 acr-xe-0-0-15 4170: Nov 3 03:02:02.582: ISAKMP: (1013):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT

Nov 3 04:02:02 acr-xe-0-0-15 4171: Nov 3 03:02:02.582: IPSEC(key_engine): got a queue event with 1 KMI message(s)

Nov 3 04:02:02 acr-xe-0-0-15 4172: Nov 3 03:02:02.582: Crypto mapdb : proxy_match

Nov 3 04:02:02 acr-xe-0-0-15 4173: src addr : 10.1.1.0

Nov 3 04:02:02 acr-xe-0-0-15 4174: dst addr : 10.11.1.192

Nov 3 04:02:02 acr-xe-0-0-15 4175: protocol : 256

Nov 3 04:02:02 acr-xe-0-0-15 4176: src port : 0

Nov 3 04:02:02 acr-xe-0-0-15 4177: dst port : 0

Nov 3 04:02:02 acr-xe-0-0-15 4178: Nov 3 03:02:02.582: IPSEC(crypto_ipsec_create_ipsec_sas): Map found CRYMAP, 1

Nov 3 04:02:02 acr-xe-0-0-15 4179: Nov 3 03:02:02.582: crypto_engine: Generate IKE QM keys

Nov 3 04:02:02 acr-xe-0-0-15 4180: Nov 3 03:02:02.582: crypto_engine: Create IPSec SA (by keys)

Nov 3 04:02:02 acr-xe-0-0-15 4181: Nov 3 03:02:02.582: crypto_engine: Generate IKE QM keys

Nov 3 04:02:02 acr-xe-0-0-15 4182: Nov 3 03:02:02.582: crypto_engine: Create IPSec SA (by keys)

Nov 3 04:02:02 acr-xe-0-0-15 4183: Nov 3 03:02:02.582: IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 7F837699F4D8

Nov 3 04:02:02 acr-xe-0-0-15 4184: Nov 3 03:02:02.582: IPSEC(create_sa): sa created

Nov 3 04:02:02 acr-xe-0-0-15 4185: ,

Nov 3 04:02:02 acr-xe-0-0-15 4186: (sa) sa_dest= 10.1.2.219, sa_proto= 50,

Nov 3 04:02:02 acr-xe-0-0-15 4187: sa_spi= 0xA2641181(2724467073),

Nov 3 04:02:02 acr-xe-0-0-15 4188: sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2013

Nov 3 04:02:02 acr-xe-0-0-15 4189: sa_lifetime(k/sec)= (4608000/3600),

Nov 3 04:02:02 acr-xe-0-0-15 4190: (identity) local= 10.1.2.219:0, remote= 10.10.1.238:0,

Nov 3 04:02:02 acr-xe-0-0-15 4191: local_proxy= 10.1.1.0/255.255.255.0/256/0,

Nov 3 04:02:02 acr-xe-0-0-15 4192: remote_proxy= 10.11.1.192/255.255.255.224/256/0

Nov 3 04:02:02 acr-xe-0-0-15 4193: Nov 3 03:02:02.582: IPSEC(create_sa): sa created,

Nov 3 04:02:02 acr-xe-0-0-15 4194: (sa) sa_dest= 10.10.1.238, sa_proto= 50,

Nov 3 04:02:02 acr-xe-0-0-15 4195: sa_spi= 0xF92C186B(4180416619),

Nov 3 04:02:02 acr-xe-0-0-15 4196: sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2014

Nov 3 04:02:02 acr-xe-0-0-15 4197: sa_lifetime(k/sec)= (4608000/3600),

Nov 3 04:02:02 acr-xe-0-0-15 4198: (identity) local= 10.1.2.219:0, remote= 10.10.1.238:0

Nov 3 04:02:02 acr-xe-0-0-15 4199: ,

Nov 3 04:02:02 acr-xe-0-0-15 4200: local_proxy= 10.1.1.0/255.255.255.0/256/0,

Nov 3 04:02:02 acr-xe-0-0-15 4201: remote_proxy= 10.11.1.192/255.255.255.224/256/0

Nov 3 04:02:02 acr-xe-0-0-15 4202: Nov 3 03:02:02.586: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_listinc_ipsec_active_tunnels : IPSec active tunnels : 4

Nov 3 04:02:02 acr-xe-0-0-15 4203: notify_mib_ipsec_tunnel_activation: peer has vdi ptr set 0x7F8376DEA6F8

Nov 3 04:02:02 acr-xe-0-0-15 4204: scmIpSecTunnelCreated (IKE SA:13), (IPSEC SA:3)

Nov 3 04:02:02 acr-xe-0-0-15 4205: ...new ipsidx:6

Nov 3 04:02:02 acr-xe-0-0-15 4206: Nov 3 03:02:02.586: scmIPSecTunnelCreated: Default context, vdi_ptr=gdi_ptr=140202611746552/140202611746552

Nov 3 04:02:02 acr-xe-0-0-15 4207: Nov 3 03:02:02.586: ISAKMP: (1013):Received IPSec Install callback... proceeding with the negotiation

Nov 3 04:02:02 acr-xe-0-0-15 4208: Nov 3 03:02:02.586: ISAKMP: (1013):Successfully installed IPSEC SA (SPI:0xA2641181) on GigabitEthernet0/0/1

Nov 3 04:02:02 acr-xe-0-0-15 4209: Nov 3 03:02:02.586: crypto engine: deleting DH phase 2 SW:25

Nov 3 04:02:02 acr-xe-0-0-15 4210: Nov 3 03:02:02.586: crypto_engine: Delete DH shared secret

Nov 3 04:02:02 acr-xe-0-0-15 4211: Nov 3 03:02:02.586: crypto engine: deleting DH SW:24

Nov 3 04:02:02 acr-xe-0-0-15 4212: Nov 3 03:02:02.586: crypto_engine: Encrypt IKE packet

Nov 3 04:02:02 acr-xe-0-0-15 4213: Nov 3 03:02:02.586: ISAKMP-PAK: (1013):sending packet to 10.10.1.238 my_port 500 peer_port 500 (R) QM_IDLE

Nov 3 04:02:02 acr-xe-0-0-15 4214: Nov 3 03:02:02.586: ISAKMP: (1013):Sending an IKE IPv4 Packet.

Nov 3 04:02:02 acr-xe-0-0-15 4215: Nov 3 03:02:02.586: ISAKMP: (1013):Node 2448060722, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE

Nov 3 04:02:02 acr-xe-0-0-15 4216: Nov 3 03:02:02.586: ISAKMP: (1013):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2

Nov 3 04:02:02 acr-xe-0-0-15 4217: Nov 3 03:02:02.586: crypto_engine: Delete DH

Nov 3 04:02:02 acr-xe-0-0-15 4218: Nov 3 03:02:02.598: ISAKMP-PAK: (1013):received packet from 10.10.1.238 dport 500 sport 500 Global (R) QM_IDLE

Nov 3 04:02:02 acr-xe-0-0-15 4219: Nov 3 03:02:02.598: crypto_engine: Decrypt IKE packet

Nov 3 04:02:02 acr-xe-0-0-15 4220: Nov 3 03:02:02.598: crypto_engine: Generate IKE hash

Nov 3 04:02:02 acr-xe-0-0-15 4221: Nov 3 03:02:02.598: ISAKMP: (1013):deleting node 2448060722 error FALSE reason "QM done (await)"

Nov 3 04:02:02 acr-xe-0-0-15 4222: Nov 3 03:02:02.598: ISAKMP: (1013):Node 2448060722, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

Nov 3 04:02:02 acr-xe-0-0-15 4223: Nov 3 03:02:02.598: ISAKMP: (1013):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE

So any tipp or hint what can resolve this isse would be appreciated.

Thanks in advance,

kind regards,

Udo

udo · ‎11-08-2019

Hi Georg.

Yes i can prost it here. I found the solution after days of reading issues and posts about "VRF-Aware IPSec VPN". But all was complicated and many things you don't need. I am a admin who love simple and clear configurations that do what i want, not more.

You don't need VTI. Because you need to change the remote side too because of lack of pre shared key, you need in a plain Crypto Map and ACL setup. You also dnt need such OSPF or BGP or RIP routing monsters to do the simple thing i am tried to achive.

I only use the VRF vzb as a route engine as it is. This mechanism still works on a ASR1002X to push the protected traffic thru the tunnel. Benefit is a separation of crypto traffic in a virtual instance you miss in pure ACL based routing (which definitively not work on a ASR1002X). Because i love simple but complete examples here my actual config. Stripped another VPN partner and the Dialup VPN.

The BOLD parts are statements i added in comparison to the original C2821 config without VRF. Keyring needs to changed to original crypto isakmp key <secretkey> address <peer-ip> for each peer.

aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local 
!
aaa session-id common
!
ip vrf vzb
!
ip name-server <nameserver ips>
!
crypto keyring vzb vrf vzb 
  pre-shared-key address <peerip-ldn> key <secretkey>
  pre-shared-key address <peerip-dtm> key <secretkey>
  pre-shared-key address <peerip-ams> key <secretkey>
!
no crypto isakmp default policy
!
crypto isakmp policy 3
 encr aes 256
 hash sha256
 authentication pre-share
 group 14 
 lifetime 3600
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 60 periodic
crypto isakmp nat keepalive 30
!
crypto isakmp profile vzb-ike-prof
   vrf vzb
   keyring vzb
   match identity address <peerip-ldn> 255.255.255.255 
   match identity address <peerip-dtm> 255.255.255.255 
   match identity address <peerip-ams> 255.255.255.255 
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set ipcom esp-3des esp-md5-hmac 
 mode tunnel
!
crypto map CRYMAP local-address GigabitEthernet0/0/1
crypto map CRYMAP 1 ipsec-isakmp 
 description VzB DTM
 set peer <peerip-dtm>
 set transform-set ipcom 
 set pfs group2
 set isakmp-profile vzb-ike-prof
 match address VZB-DTM
 reverse-route
crypto map CRYMAP 2 ipsec-isakmp 
 description VzB AMS
 set peer <peerip-ams>
 set transform-set ipcom 
 set pfs group2
 set isakmp-profile vzb-ike-prof
 match address VZB-AMS
 reverse-route
crypto map CRYMAP 3 ipsec-isakmp 
 description VzB LND
 set peer <peerip-ldn>
 set transform-set ipcom 
 set pfs group2
 set isakmp-profile vzb-ike-prof
 match address VZB-LDN
 reverse-route
!
interface GigabitEthernet0/0/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip vrf forwarding vzb
 ip address <our-peer-ip> 255.255.255.192
 no ip redirects
 negotiation auto
 crypto map CRYMAP
!
interface GigabitEthernet0/0/2
 ip address <defaultip-router> 255.255.255.240
 no ip redirects
 negotiation auto
 ipv6 nd ra suppress
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/4
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/5
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.10.10.251 255.255.255.0
 negotiation auto
!
ip forward-protocol nd
ip http server
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 1 
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 <uplink-gatewayip>
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.10.10.1
ip route vrf vzb 0.0.0.0 0.0.0.0 <gw-ip-our-peer-net>
!
ip access-list extended VZB-AMS
 permit ip <local-protected-net> 0.0.0.255 <remote-protected-net-ams> 0.0.0.31
ip access-list extended VZB-DTM
 permit ip <local-protected-net> 0.0.0.255 <remote-protected-netdtm> 0.0.0.31
ip access-list extended VZB-LDN
 permit ip <local-protected-net> 0.0.0.255 <remote-protected-net-ldn> 0.0.0.31
!
!
control-plane
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 session-timeout 35000 
!
transport type persistent webui input https-webui
!
ntp source GigabitEthernet0/0/2
ntp server <ntp-server-ip>
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
end

Hope this will help anybody who migrate an old IOS-VPN-Aggregator to an IOS-XE ASR and prevent Administrator-Suicide :).

Best,

Udo

View solution in original post

Georg Pauwen · ‎11-03-2019

Hello,

not sure what your topology looks like, but you have three interfaces:

interface GigabitEthernet0/0/0

ip address 10.1.1.10 255.255.255.192

no ip redirects

ip nbar protocol-discovery

shutdown

negotiation auto

!

interface GigabitEthernet0/0/1

ip address 10.1.2.219 255.255.255.192

no ip redirects

ip nbar protocol-discovery

ip tcp adjust-mss 1260

shutdown

negotiation auto

crypto map CRYMAP

!

interface GigabitEthernet0/0/2

ip address 10.1.3.10 255.255.255.240

no ip redirects

ip nbar protocol-discovery

ip tcp adjust-mss 1260

negotiation auto

ipv6 nd ra suppress

crypto map DUSVPN

and one default route:

ip route 0.0.0.0 0.0.0.0 10.1.1.1

The default route points to the other side of interface GigabitEthernet0/0/0, and that interface has no crypto map applied ?

That said, the crypto map applied to interface GigabitEthernet0/0/2 (DUSVPN) doesn't exist, or did you just not post it ?

Either way, check your routing. Actually, using VTI tunnels instead of crypto maps usually works better,so you might want to try and reconfigure your VPN with VTIs...

udo · ‎11-04-2019

Hi Georg,

sorry for the confusion. The default route is wrong "translated".

-ip route 0.0.0.0 0.0.0.0 10.1.1.1

+ip route 0.0.0.0 0.0.0.0 10.1.3.1

Interface gig 0/0/0 is shutdown. It's the next crypto Interface i want to bring in service. But fist i need to solve the problem. I will take a look in VTI. You mean Virtual Tunnel Interface right? Never use that virtual stuff in 25 years ;(

The routing is pretty well. On the Router 10.1.3.1 are following routes for the remote peers and net's

ip route 10.11.1.192 255.255.255.192 10.1.219

ip route 10.11.2.192 255.255.255.192 10.1.219

ip route 10.11.3.192 255.255.255.192 10.1.219

Its pretty simple. The ASR is on the same Switch as the C2801 is. I only shut the interfaces via serial console and clear the arp cache on the router with the routes above.

My config works on a 2901 and a 2821 perfectly. I can't believe that the ASR is not able to do that as an "Aggregated Service Router" it's able to handle 40k IPSec sessions.

Best,

Udo

Georg Pauwen · ‎11-04-2019

Hello Udo,

there was a recent case here on this forum where somebody had an almost identical problem, after configuring VTIs it worked right away. I guess crypto maps are considered outdated...

That's not to say that this will solve your problem, but it is definitely worth trying and will save you a lot of time and hassle if it does.

udo · ‎11-04-2019

Hi Georg.

I will search about the thread. The problem is, if the other side need to change anything i will stuck here. It's Verizon. They are not really fast an a challenge to get one on the other end to reconfigure the other side.

Best,
Udo

udo · ‎11-05-2019

I have made a new try and there is no success. No traffic goes thru the tunnel. ISAKMP and IPSec SA are installed. Very strange.

Here are the config, ch cry ips sa, and a debg log.

Any hints are welcome.

Spoiler

Current configuration : 9361 bytes
!
! Last configuration change at 01:25:46 UTC Wed Nov 6 2019 by admin
! NVRAM config last updated at 01:08:55 UTC Wed Nov 6 2019 by admin
!
version 16.7
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 5000000
!
hostname ASR1002X
!
boot-start-marker
boot system bootflash:asr1002x-universalk9.16.07.01.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
transport-map type persistent webui https-webui
secure-server
!
transport-map type persistent ssh sshhandler
authentication-retries 1
rsa keypair-name sshkeys
transport interface GigabitEthernet0
connection wait allow interruptible
!
transport-map type persistent webui http-webui
server
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authentication login RADIATOR group radius
aaa authorization network groupauthor local
!
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
ip name-server 8.8.8.8
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
ivr prompt buffers 2
license udi pid ASR1002-X sn xxxxxxxxx
no license smart enable
!
spanning-tree extend system-id
diagnostic bootup level minimal
!
!
!
!
redundancy
mode none
!
!
!
!
!
!
!
!
!
!
!
!
!
no crypto isakmp default policy
!
crypto isakmp policy 3
encr aes 256
hash sha256
authentication pre-share
group 14
lifetime 3600
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxxxxxxxxxx address 10.10.100.238
crypto isakmp keepalive 60 periodic
crypto isakmp nat keepalive 30
!
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association replay disable
!
crypto ipsec transform-set ipcom esp-3des esp-md5-hmac
mode tunnel
!
!
crypto map CRYMAP local-address GigabitEthernet0/0/1
crypto map CRYMAP 1 ipsec-isakmp
description VzB DTM
set peer 10.10.100.238
set transform-set ipcom
set pfs group2
match address VZB-DTM
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip address 10.10.8.219 255.255.255.192
no ip redirects
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
ip address 10.10.9.219 255.255.255.192
no ip redirects
negotiation auto
crypto map CRYMAP
!
interface GigabitEthernet0/0/2
ip address 10.10.10.10 255.255.255.240
no ip redirects
negotiation auto
ipv6 nd ra suppress
crypto map DUSVPN
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/4
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/5
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.10.10.251 255.255.255.0
negotiation auto
!
no ip forward-protocol nd
ip http server
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 1
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.10.10.1
!
!
!
ip access-list extended VZB-DTM
permit ip 10.10.8.0 0.0.0.255 10.10.101.192 0.0.0.31
!
!
control-plane
!
!
!
!
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
session-timeout 35000
!
transport type persistent webui input https-webui
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

Current configuration : 9361 bytes!! Last configuration change at 01:25:46 UTC Wed Nov 6 2019 by admin! NVRAM config last updated at 01:08:55 UTC Wed Nov 6 2019 by admin!version 16.7service timestamps debug datetime msecservice timestamps log datetime msecplatform qfp utilization monitor load 80no platform punt-keepalive disable-kernel-coreplatform hardware throughput level 5000000!hostname ASR1002X!boot-start-markerboot system bootflash:asr1002x-universalk9.16.07.01.SPA.binboot-end-marker!!vrf definition Mgmt-intf!address-family ipv4exit-address-family!address-family ipv6exit-address-family!!transport-map type persistent webui https-webuisecure-server!transport-map type persistent ssh sshhandlerauthentication-retries 1rsa keypair-name sshkeystransport interface GigabitEthernet0connection wait allow interruptible!transport-map type persistent webui http-webuiserver!aaa new-model!!aaa authentication login userauthen localaaa authentication login RADIATOR group radiusaaa authorization network groupauthor local!!!!!!aaa session-id common!!!!!!!ip name-server 8.8.8.8!!!login on-success log!!!!!!!subscriber templating!!!!!!!multilink bundle-name authenticated!!!!!!!!!!!ivr prompt buffers 2license udi pid ASR1002-X sn xxxxxxxxxno license smart enable!spanning-tree extend system-iddiagnostic bootup level minimal!!!!redundancymode none!!!!!!!!!!!!!no crypto isakmp default policy!crypto isakmp policy 3encr aes 256hash sha256authentication pre-sharegroup 14lifetime 3600!crypto isakmp policy 10encr 3deshash md5authentication pre-sharegroup 2crypto isakmp key xxxxxxxxxxxxxxxxxxx address 10.10.100.238crypto isakmp keepalive 60 periodiccrypto isakmp nat keepalive 30!!crypto ipsec security-association lifetime seconds 86400crypto ipsec security-association replay disable!crypto ipsec transform-set ipcom esp-3des esp-md5-hmacmode tunnel!!crypto map CRYMAP local-address GigabitEthernet0/0/1crypto map CRYMAP 1 ipsec-isakmpdescription VzB DTMset peer 10.10.100.238set transform-set ipcomset pfs group2match address VZB-DTM!!!!!!!!interface GigabitEthernet0/0/0ip address 10.10.8.219 255.255.255.192no ip redirectsshutdownnegotiation auto!interface GigabitEthernet0/0/1ip address 10.10.9.219 255.255.255.192no ip redirectsnegotiation autocrypto map CRYMAP!interface GigabitEthernet0/0/2ip address 10.10.10.10 255.255.255.240no ip redirectsnegotiation autoipv6 nd ra suppresscrypto map DUSVPN!interface GigabitEthernet0/0/3no ip addressshutdownnegotiation auto!interface GigabitEthernet0/0/4no ip addressshutdownnegotiation auto!interface GigabitEthernet0/0/5no ip addressshutdownnegotiation auto!interface GigabitEthernet0vrf forwarding Mgmt-intfip address 10.10.10.251 255.255.255.0negotiation auto!no ip forward-protocol ndip http serverip http secure-serverip http timeout-policy idle 600 life 86400 requests 1ip tftp source-interface GigabitEthernet0ip route 0.0.0.0 0.0.0.0 10.10.10.1ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.10.10.1!!!ip access-list extended VZB-DTMpermit ip 10.10.8.0 0.0.0.255 10.10.101.192 0.0.0.31!!control-plane!!!!!!line con 0stopbits 1line aux 0stopbits 1line vty 0 4session-timeout 35000!transport type persistent webui input https-webui!wsma agent exec!wsma agent config!wsma agent filesys!wsma agent notify!!end

Spoiler

ASR1002X(config-if)#do sh cry ipsec sa

protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.8.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.101.192/255.255.255.224/0/0)
current_peer 10.10.100.238 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.10.9.219, remote crypto endpt.: 10.10.100.238
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0xF92C3B96(4180425622)
PFS (Y/N): Y, DH group: group2

inbound esp sas:
spi: 0x4C2C6162(1277976930)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2333, flow_id: HW:333, sibling_flags FFFFFFFF80000048, crypto map: CRYMAP
sa timing: remaining key lifetime (k/sec): (4607981/3498)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xF92C3B96(4180425622)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2334, flow_id: HW:334, sibling_flags FFFFFFFF80000048, crypto map: CRYMAP
sa timing: remaining key lifetime (k/sec): (4608000/3498)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

ASR1002X(config-if)#do sh cry ipsec saprotected vrf: (none)local ident (addr/mask/prot/port): (10.10.8.0/255.255.255.0/0/0)remote ident (addr/mask/prot/port): (10.10.101.192/255.255.255.224/0/0)current_peer 10.10.100.238 port 500PERMIT, flags={origin_is_acl,}#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0#pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18#pkts compressed: 0, #pkts decompressed: 0#pkts not compressed: 0, #pkts compr. failed: 0#pkts not decompressed: 0, #pkts decompress failed: 0#send errors 0, #recv errors 0local crypto endpt.: 10.10.9.219, remote crypto endpt.: 10.10.100.238plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1current outbound spi: 0xF92C3B96(4180425622)PFS (Y/N): Y, DH group: group2inbound esp sas:spi: 0x4C2C6162(1277976930)transform: esp-3des esp-md5-hmac ,in use settings ={Tunnel, }conn id: 2333, flow_id: HW:333, sibling_flags FFFFFFFF80000048, crypto map: CRYMAPsa timing: remaining key lifetime (k/sec): (4607981/3498)IV size: 8 bytesreplay detection support: NStatus: ACTIVE(ACTIVE)inbound ah sas:inbound pcp sas:outbound esp sas:spi: 0xF92C3B96(4180425622)transform: esp-3des esp-md5-hmac ,in use settings ={Tunnel, }conn id: 2334, flow_id: HW:334, sibling_flags FFFFFFFF80000048, crypto map: CRYMAPsa timing: remaining key lifetime (k/sec): (4608000/3498)IV size: 8 bytesreplay detection support: NStatus: ACTIVE(ACTIVE)outbound ah sas:outbound pcp sas:

Spoiler

Nov 6 01:12:25.769: ISAKMP-PAK: (0):received packet from 10.10.100.238 dport 500 sport 500 Global (N) NEW SA

Nov 6 01:12:25.769: ISAKMP: (0):Created a peer struct for 10.10.100.238, peer port 500

Nov 6 01:12:25.769: ISAKMP: (0):New peer created peer = 0x80007F7B5D035958 peer_handle = 0x800000008000002E

Nov 6 01:12:25.769: ISAKMP: (0):Locking peer struct 0x80007F7B5D035958, refcount 1 for crypto_isakmp_process_block

Nov 6 01:12:25.769: ISAKMP: (0):local port 500, remote port 500

Nov 6 01:12:25.769: crypto_engine_select_crypto_engine: can't handle any more

Nov 6 01:12:25.769: ISAKMP: (0):insert sa successfully sa = 80007F7B567F2998

Nov 6 01:12:25.769: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Nov 6 01:12:25.769: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1

Nov 6 01:12:25.769: ISAKMP: (0):processing SA payload. message ID = 0

Nov 6 01:12:25.769: ISAKMP: (0):processing vendor id payload

Nov 6 01:12:25.769: ISAKMP: (0):vendor ID seems Unity/DPD but major 190 mismatch

Nov 6 01:12:25.769: ISAKMP: (0):processing vendor id payload

Nov 6 01:12:25.769: ISAKMP: (0):vendor ID is DPD

Nov 6 01:12:25.770: ISAKMP: (0):processing vendor id payload

Nov 6 01:12:25.770: ISAKMP: (0):processing IKE frag vendor id payload

Nov 6 01:12:25.770: ISAKMP: (0):Support for IKE Fragmentation not enabled

Nov 6 01:12:25.770: ISAKMP: (0):found peer pre-shared key matching 10.10.100.238

Nov 6 01:12:25.770: ISAKMP: (0):local preshared key found

Nov 6 01:12:25.770: ISAKMP: (0):Scanning profiles for xauth ...

Nov 6 01:12:25.770: ISAKMP: (0):Checking ISAKMP transform 1 against priority 3 policy

Nov 6 01:12:25.770: ISAKMP: (0): encryption 3DES-CBC

Nov 6 01:12:25.770: ISAKMP: (0): hash MD5

Nov 6 01:12:25.770: ISAKMP: (0): default group 2

Nov 6 01:12:25.770: ISAKMP: (0): auth pre-share

Nov 6 01:12:25.770: ISAKMP: (0): life type in seconds

Nov 6 01:12:25.770: ISAKMP: (0): life duration (basic) of 28800

Nov 6 01:12:25.770: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!

Nov 6 01:12:25.770: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0

Nov 6 01:12:25.770: ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy

Nov 6 01:12:25.770: ISAKMP: (0): encryption 3DES-CBC

Nov 6 01:12:25.770: ISAKMP: (0): hash MD5

Nov 6 01:12:25.770: ISAKMP: (0): default group 2

Nov 6 01:12:25.770: ISAKMP: (0): auth pre-share

Nov 6 01:12:25.770: ISAKMP: (0): life type in seconds

Nov 6 01:12:25.770: ISAKMP: (0): life duration (basic) of 28800

Nov 6 01:12:25.770: ISAKMP: (0):atts are acceptable. Next payload is 0

Nov 6 01:12:25.770: ISAKMP: (0):Acceptable atts:actual life: 86400

Nov 6 01:12:25.770: ISAKMP: (0):Acceptable atts:life: 0

Nov 6 01:12:25.770: ISAKMP: (0):Basic life_in_seconds:28800

Nov 6 01:12:25.770: ISAKMP: (0):Returning Actual lifetime: 28800

Nov 6 01:12:25.770: ISAKMP: (0):Started lifetime timer: 28800.

Nov 6 01:12:25.770: crypto_engine_select_crypto_engine: can't handle any more

Nov 6 01:12:25.770: ISAKMP: (0):processing vendor id payload

Nov 6 01:12:25.770: ISAKMP: (0):vendor ID seems Unity/DPD but major 190 mismatch

Nov 6 01:12:25.770: ISAKMP: (0):processing vendor id payload

Nov 6 01:12:25.770: ISAKMP: (0):vendor ID is DPD

Nov 6 01:12:25.770: ISAKMP: (0):processing vendor id payload

Nov 6 01:12:25.770: ISAKMP: (0):processing IKE frag vendor id payload

Nov 6 01:12:25.770: ISAKMP: (0):Support for IKE Fragmentation not enabled

Nov 6 01:12:25.770: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Nov 6 01:12:25.770: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1

Nov 6 01:12:25.770: ISAKMP-PAK: (0):sending packet to 10.10.100.238 my_port 500 peer_port 500 (R) MM_SA_SETUP

Nov 6 01:12:25.770: ISAKMP: (0):Sending an IKE IPv4 Packet.

Nov 6 01:12:25.770: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Nov 6 01:12:25.770: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2

Nov 6 01:12:25.780: ISAKMP-PAK: (0):received packet from 10.10.100.238 dport 500 sport 500 Global (R) MM_SA_SETUP

Nov 6 01:12:25.780: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Nov 6 01:12:25.780: ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3

Nov 6 01:12:25.780: ISAKMP: (0):processing KE payload. message ID = 0

Nov 6 01:12:25.780: crypto_engine: Create DH shared secret

Nov 6 01:12:25.781: ISAKMP: (0):processing NONCE payload. message ID = 0

Nov 6 01:12:25.781: ISAKMP: (0):found peer pre-shared key matching 10.10.100.238

Nov 6 01:12:25.781: crypto_engine: Create IKE SA

Nov 6 01:12:25.782: crypto engine: deleting DH phase 2 SW:255

Nov 6 01:12:25.782: crypto_engine: Delete DH shared secret

Nov 6 01:12:25.782: ISAKMP: (1176):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Nov 6 01:12:25.782: ISAKMP: (1176):Old State = IKE_R_MM3 New State = IKE_R_MM3

Nov 6 01:12:25.782: ISAKMP-PAK: (1176):sending packet to 10.10.100.238 my_port 500 peer_port 500 (R) MM_KEY_EXCH

Nov 6 01:12:25.782: ISAKMP: (1176):Sending an IKE IPv4 Packet.

Nov 6 01:12:25.782: ISAKMP: (1176):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Nov 6 01:12:25.782: ISAKMP: (1176):Old State = IKE_R_MM3 New State = IKE_R_MM4

Nov 6 01:12:25.793: ISAKMP-PAK: (1176):received packet from 10.10.100.238 dport 500 sport 500 Global (R) MM_KEY_EXCH

Nov 6 01:12:25.793: crypto_engine: Decrypt IKE packet

Nov 6 01:12:25.793: ISAKMP: (1176):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Nov 6 01:12:25.793: ISAKMP: (1176):Old State = IKE_R_MM4 New State = IKE_R_MM5

Nov 6 01:12:25.793: ISAKMP: (1176):processing ID payload. message ID = 0

Nov 6 01:12:25.793: ISAKMP: (1176):ID payload

next-payload : 8

type : 1

Nov 6 01:12:25.793: ISAKMP: (1176): address : 10.10.100.238

Nov 6 01:12:25.793: ISAKMP: (1176): protocol : 17

port : 500

length : 12

Nov 6 01:12:25.793: ISAKMP: (0):peer matches *none* of the profiles

Nov 6 01:12:25.793: ISAKMP: (1176):processing HASH payload. message ID = 0

Nov 6 01:12:25.793: crypto_engine: Generate IKE hash

Nov 6 01:12:25.793: ISAKMP: (1176):SA authentication status:

authenticated

Nov 6 01:12:25.793: ISAKMP: (1176):SA has been authenticated with 10.10.100.238

Nov 6 01:12:25.793: ISAKMP: (0):Trying to insert a peer 10.10.9.219/10.10.100.238/500/,

Nov 6 01:12:25.793: ISAKMP: (0): and inserted successfully 80007F7B5D035958.

Nov 6 01:12:25.793: ISAKMP: (1176):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Nov 6 01:12:25.793: ISAKMP: (1176):Old State = IKE_R_MM5 New State = IKE_R_MM5

Nov 6 01:12:25.793: ISAKMP: (1176):SA is doing

Nov 6 01:12:25.793: ISAKMP: (1176):pre-shared key authentication using id type ID_IPV4_ADDR

Nov 6 01:12:25.793: ISAKMP: (1176):ID payload

next-payload : 8

type : 1

Nov 6 01:12:25.793: ISAKMP: (1176): address : 10.10.9.219

Nov 6 01:12:25.793: ISAKMP: (1176): protocol : 17

port : 500

length : 12

Nov 6 01:12:25.793: ISAKMP: (1176):Total payload length: 12

Nov 6 01:12:25.793: crypto_engine: Generate IKE hash

Nov 6 01:12:25.793: crypto_engine: Encrypt IKE packet

Nov 6 01:12:25.793: ISAKMP-PAK: (1176):sending packet to 10.10.100.238 my_port 500 peer_port 500 (R) MM_KEY_EXCH

Nov 6 01:12:25.793: ISAKMP: (1176):Sending an IKE IPv4 Packet.

Nov 6 01:12:25.794: ISAKMP: (1176):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Nov 6 01:12:25.794: ISAKMP: (1176):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

Nov 6 01:12:25.794: ISAKMP: (1176):IKE_DPD is enabled, initializing timers

Nov 6 01:12:25.794: ISAKMP: (1176):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

Nov 6 01:12:25.794: ISAKMP: (1176):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Nov 6 01:12:25.805: ISAKMP-PAK: (1176):received packet from 10.10.100.238 dport 500 sport 500 Global (R) QM_IDLE

Nov 6 01:12:25.805: ISAKMP: (1176):set new node 1146948015 to QM_IDLE

Nov 6 01:12:25.805: crypto_engine: Decrypt IKE packet

Nov 6 01:12:25.805: crypto_engine: Generate IKE hash

Nov 6 01:12:25.805: ISAKMP: (1176):processing HASH payload. message ID = 1146948015

Nov 6 01:12:25.805: ISAKMP: (1176):processing SA payload. message ID = 1146948015

Nov 6 01:12:25.805: ISAKMP: (1176):Checking IPSec proposal 1

Nov 6 01:12:25.805: ISAKMP: (1176):transform 1, ESP_3DES

Nov 6 01:12:25.805: ISAKMP: (1176): attributes in transform:

Nov 6 01:12:25.805: ISAKMP: (1176): SA life type in seconds

Nov 6 01:12:25.805: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10

Nov 6 01:12:25.806: ISAKMP: (1176): encaps is 1 (Tunnel)

Nov 6 01:12:25.806: ISAKMP: (1176): authenticator is HMAC-MD5

Nov 6 01:12:25.806: ISAKMP: (1176): group is 2

Nov 6 01:12:25.806: ISAKMP: (1176):atts are acceptable.

Nov 6 01:12:25.806: IPSEC(validate_proposal_request): proposal part #1

Nov 6 01:12:25.806: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 10.10.9.219:0, remote= 10.10.100.238:0,

local_proxy= 10.10.8.0/255.255.255.0/256/0,

remote_proxy= 10.10.101.192/255.255.255.224/256/0,

protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

Nov 6 01:12:25.806: Crypto mapdb : proxy_match

src addr : 10.10.8.0

dst addr : 10.10.101.192

protocol : 0

src port : 0

dst port : 0

Nov 6 01:12:25.806: (ipsec_process_proposal)Map Accepted: CRYMAP, 1

Nov 6 01:12:25.806: crypto_engine: Create DH

Nov 6 01:12:25.807: ISAKMP: (1176):processing NONCE payload. message ID = 1146948015

Nov 6 01:12:25.807: ISAKMP: (1176):processing KE payload. message ID = 1146948015

Nov 6 01:12:25.807: crypto_engine: Create DH shared secret

Nov 6 01:12:25.809: ISAKMP: (1176):processing ID payload. message ID = 1146948015

Nov 6 01:12:25.809: ISAKMP: (1176):QM Responder gets spi

Nov 6 01:12:25.809: ISAKMP: (1176):Node 1146948015, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

Nov 6 01:12:25.809: ISAKMP: (1176):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE

Nov 6 01:12:25.809: crypto_engine: Generate IKE hash

Nov 6 01:12:25.809: ISAKMP: (1176):Node 1146948015, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI

Nov 6 01:12:25.809: ISAKMP: (1176):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT

Nov 6 01:12:25.809: IPSEC(key_engine): got a queue event with 1 KMI message(s)

Nov 6 01:12:25.809: Crypto mapdb : proxy_match

src addr : 10.10.8.0

dst addr : 10.10.101.192

protocol : 256

src port : 0

dst port : 0

Nov 6 01:12:25.809: IPSEC(crypto_ipsec_create_ipsec_sas): Map found CRYMAP, 1

Nov 6 01:12:25.809: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.10.100.238TBAR_DBG ident_prep_create_sa: after initilize settings for time-based antireplay: do_ipd3p=0, ipd3p_type=0, win-size=0, do_tbar=0

Nov 6 01:12:25.809: crypto_engine: Generate IKE QM keys

Nov 6 01:12:25.809: crypto_engine: Create IPSec SA (by keys)

Nov 6 01:12:25.809: crypto_engine: Generate IKE QM keys

Nov 6 01:12:25.809: crypto_engine: Create IPSec SA (by keys)

Nov 6 01:12:25.810: IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 7F7B6AB2C3A8

Nov 6 01:12:25.810: IPSEC(create_sa): sa created

,

(sa) sa_dest= 10.10.9.219, sa_proto= 50,

sa_spi= 0x4C2C6162(1277976930),

sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2333

sa_lifetime(k/sec)= (4608000/3600),

(identity) local= 10.10.9.219:0, remote= 10.10.100.238:0,

local_proxy= 10.10.8.0/255.255.255.0/256/0,

remote_proxy= 10.10.101.192/255.255.255.224/256/0

Nov 6 01:12:25.810: IPSEC(create_sa): sa created,

(sa) sa_dest= 10.10.100.238, sa_proto= 50,

sa_spi= 0xF92C3B96(4180425622),

sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2334

sa_lifetime(k/sec)= (4608000/3600),

(identity) local= 10.10.9.219:0, remote= 10.10.100.238:0

,

local_proxy= 10.10.8.0/255.255.255.0/256/0,

remote_proxy= 10.10.101.192/255.255.255.224/256/0

Nov 6 01:12:25.811: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list

Nov 6 01:12:25.811: ISAKMP: (1176):Received IPSec Install callback... proceeding with the negotiation

Nov 6 01:12:25.811: ISAKMP: (1176):Successfully installed IPSEC SA (SPI:0x4C2C6162) on GigabitEthernet0/0/1

Nov 6 01:12:25.811: crypto engine: deleting DH phase 2 SW:257

Nov 6 01:12:25.811: crypto_engine: Delete DH shared secret

Nov 6 01:12:25.811: crypto engine: deleting DH SW:256

Nov 6 01:12:25.812: crypto_engine: Encrypt IKE packet

Nov 6 01:12:25.812: ISAKMP-PAK: (1176):sending packet to 10.10.100.238 my_port 500 peer_port 500 (R) QM_IDLE

Nov 6 01:12:25.812: ISAKMP: (1176):Sending an IKE IPv4 Packet.

Nov 6 01:12:25.812: ISAKMP: (1176):Node 1146948015, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE

Nov 6 01:12:25.812: ISAKMP: (1176):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2

Nov 6 01:12:25.813: crypto_engine: Delete DH

Nov 6 01:12:25.823: ISAKMP-PAK: (1176):received packet from 10.10.100.238 dport 500 sport 500 Global (R) QM_IDLE

Nov 6 01:12:25.823: crypto_engine: Decrypt IKE packet

Nov 6 01:12:25.823: crypto_engine: Generate IKE hash

Nov 6 01:12:25.823: ISAKMP: (1176):deleting node 1146948015 error FALSE reason "QM done (await)"

Nov 6 01:12:25.823: ISAKMP: (1176):Node 1146948015, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

Nov 6 01:12:25.823: ISAKMP: (1176):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE

Nov 6 01:12:25.824: IPSEC(key_engine): got a queue event with 1 KMI message(s)

Nov 6 01:12:25.824: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP

Nov 6 01:12:25.824: crypto engine: updating MTU size of IPSec SA HW:334 to 1500 (overhead=54)

Nov 6 01:12:25.824: crypto_engine: Set IPSec MTU

Nov 6 01:12:25.769: ISAKMP-PAK: (0):received packet from 10.10.100.238 dport 500 sport 500 Global (N) NEW SANov 6 01:12:25.769: ISAKMP: (0):Created a peer struct for 10.10.100.238, peer port 500Nov 6 01:12:25.769: ISAKMP: (0):New peer created peer = 0x80007F7B5D035958 peer_handle = 0x800000008000002ENov 6 01:12:25.769: ISAKMP: (0):Locking peer struct 0x80007F7B5D035958, refcount 1 for crypto_isakmp_process_blockNov 6 01:12:25.769: ISAKMP: (0):local port 500, remote port 500Nov 6 01:12:25.769: crypto_engine_select_crypto_engine: can't handle any more Nov 6 01:12:25.769: ISAKMP: (0):insert sa successfully sa = 80007F7B567F2998Nov 6 01:12:25.769: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCHNov 6 01:12:25.769: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1 Nov 6 01:12:25.769: ISAKMP: (0):processing SA payload. message ID = 0Nov 6 01:12:25.769: ISAKMP: (0):processing vendor id payloadNov 6 01:12:25.769: ISAKMP: (0):vendor ID seems Unity/DPD but major 190 mismatchNov 6 01:12:25.769: ISAKMP: (0):processing vendor id payloadNov 6 01:12:25.769: ISAKMP: (0):vendor ID is DPDNov 6 01:12:25.770: ISAKMP: (0):processing vendor id payloadNov 6 01:12:25.770: ISAKMP: (0):processing IKE frag vendor id payloadNov 6 01:12:25.770: ISAKMP: (0):Support for IKE Fragmentation not enabledNov 6 01:12:25.770: ISAKMP: (0):found peer pre-shared key matching 10.10.100.238Nov 6 01:12:25.770: ISAKMP: (0):local preshared key foundNov 6 01:12:25.770: ISAKMP: (0):Scanning profiles for xauth ...Nov 6 01:12:25.770: ISAKMP: (0):Checking ISAKMP transform 1 against priority 3 policyNov 6 01:12:25.770: ISAKMP: (0): encryption 3DES-CBCNov 6 01:12:25.770: ISAKMP: (0): hash MD5Nov 6 01:12:25.770: ISAKMP: (0): default group 2Nov 6 01:12:25.770: ISAKMP: (0): auth pre-shareNov 6 01:12:25.770: ISAKMP: (0): life type in secondsNov 6 01:12:25.770: ISAKMP: (0): life duration (basic) of 28800Nov 6 01:12:25.770: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!Nov 6 01:12:25.770: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0Nov 6 01:12:25.770: ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policyNov 6 01:12:25.770: ISAKMP: (0): encryption 3DES-CBCNov 6 01:12:25.770: ISAKMP: (0): hash MD5Nov 6 01:12:25.770: ISAKMP: (0): default group 2Nov 6 01:12:25.770: ISAKMP: (0): auth pre-shareNov 6 01:12:25.770: ISAKMP: (0): life type in secondsNov 6 01:12:25.770: ISAKMP: (0): life duration (basic) of 28800Nov 6 01:12:25.770: ISAKMP: (0):atts are acceptable. Next payload is 0Nov 6 01:12:25.770: ISAKMP: (0):Acceptable atts:actual life: 86400Nov 6 01:12:25.770: ISAKMP: (0):Acceptable atts:life: 0Nov 6 01:12:25.770: ISAKMP: (0):Basic life_in_seconds:28800Nov 6 01:12:25.770: ISAKMP: (0):Returning Actual lifetime: 28800Nov 6 01:12:25.770: ISAKMP: (0):Started lifetime timer: 28800.Nov 6 01:12:25.770: crypto_engine_select_crypto_engine: can't handle any more Nov 6 01:12:25.770: ISAKMP: (0):processing vendor id payloadNov 6 01:12:25.770: ISAKMP: (0):vendor ID seems Unity/DPD but major 190 mismatchNov 6 01:12:25.770: ISAKMP: (0):processing vendor id payloadNov 6 01:12:25.770: ISAKMP: (0):vendor ID is DPDNov 6 01:12:25.770: ISAKMP: (0):processing vendor id payloadNov 6 01:12:25.770: ISAKMP: (0):processing IKE frag vendor id payloadNov 6 01:12:25.770: ISAKMP: (0):Support for IKE Fragmentation not enabledNov 6 01:12:25.770: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODENov 6 01:12:25.770: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1 Nov 6 01:12:25.770: ISAKMP-PAK: (0):sending packet to 10.10.100.238 my_port 500 peer_port 500 (R) MM_SA_SETUPNov 6 01:12:25.770: ISAKMP: (0):Sending an IKE IPv4 Packet.Nov 6 01:12:25.770: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETENov 6 01:12:25.770: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2 Nov 6 01:12:25.780: ISAKMP-PAK: (0):received packet from 10.10.100.238 dport 500 sport 500 Global (R) MM_SA_SETUPNov 6 01:12:25.780: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCHNov 6 01:12:25.780: ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3 Nov 6 01:12:25.780: ISAKMP: (0):processing KE payload. message ID = 0Nov 6 01:12:25.780: crypto_engine: Create DH shared secret Nov 6 01:12:25.781: ISAKMP: (0):processing NONCE payload. message ID = 0Nov 6 01:12:25.781: ISAKMP: (0):found peer pre-shared key matching 10.10.100.238Nov 6 01:12:25.781: crypto_engine: Create IKE SA Nov 6 01:12:25.782: crypto engine: deleting DH phase 2 SW:255 Nov 6 01:12:25.782: crypto_engine: Delete DH shared secret Nov 6 01:12:25.782: ISAKMP: (1176):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODENov 6 01:12:25.782: ISAKMP: (1176):Old State = IKE_R_MM3 New State = IKE_R_MM3 Nov 6 01:12:25.782: ISAKMP-PAK: (1176):sending packet to 10.10.100.238 my_port 500 peer_port 500 (R) MM_KEY_EXCHNov 6 01:12:25.782: ISAKMP: (1176):Sending an IKE IPv4 Packet.Nov 6 01:12:25.782: ISAKMP: (1176):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETENov 6 01:12:25.782: ISAKMP: (1176):Old State = IKE_R_MM3 New State = IKE_R_MM4 Nov 6 01:12:25.793: ISAKMP-PAK: (1176):received packet from 10.10.100.238 dport 500 sport 500 Global (R) MM_KEY_EXCHNov 6 01:12:25.793: crypto_engine: Decrypt IKE packet Nov 6 01:12:25.793: ISAKMP: (1176):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCHNov 6 01:12:25.793: ISAKMP: (1176):Old State = IKE_R_MM4 New State = IKE_R_MM5 Nov 6 01:12:25.793: ISAKMP: (1176):processing ID payload. message ID = 0Nov 6 01:12:25.793: ISAKMP: (1176):ID payload next-payload : 8type : 1Nov 6 01:12:25.793: ISAKMP: (1176): address : 10.10.100.238Nov 6 01:12:25.793: ISAKMP: (1176): protocol : 17 port : 500 length : 12Nov 6 01:12:25.793: ISAKMP: (0):peer matches *none* of the profilesNov 6 01:12:25.793: ISAKMP: (1176):processing HASH payload. message ID = 0Nov 6 01:12:25.793: crypto_engine: Generate IKE hash Nov 6 01:12:25.793: ISAKMP: (1176):SA authentication status:authenticatedNov 6 01:12:25.793: ISAKMP: (1176):SA has been authenticated with 10.10.100.238Nov 6 01:12:25.793: ISAKMP: (0):Trying to insert a peer 10.10.9.219/10.10.100.238/500/, Nov 6 01:12:25.793: ISAKMP: (0): and inserted successfully 80007F7B5D035958.Nov 6 01:12:25.793: ISAKMP: (1176):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODENov 6 01:12:25.793: ISAKMP: (1176):Old State = IKE_R_MM5 New State = IKE_R_MM5 Nov 6 01:12:25.793: ISAKMP: (1176):SA is doing Nov 6 01:12:25.793: ISAKMP: (1176):pre-shared key authentication using id type ID_IPV4_ADDRNov 6 01:12:25.793: ISAKMP: (1176):ID payload next-payload : 8type : 1Nov 6 01:12:25.793: ISAKMP: (1176): address : 10.10.9.219Nov 6 01:12:25.793: ISAKMP: (1176): protocol : 17 port : 500 length : 12Nov 6 01:12:25.793: ISAKMP: (1176):Total payload length: 12Nov 6 01:12:25.793: crypto_engine: Generate IKE hash Nov 6 01:12:25.793: crypto_engine: Encrypt IKE packet Nov 6 01:12:25.793: ISAKMP-PAK: (1176):sending packet to 10.10.100.238 my_port 500 peer_port 500 (R) MM_KEY_EXCHNov 6 01:12:25.793: ISAKMP: (1176):Sending an IKE IPv4 Packet.Nov 6 01:12:25.794: ISAKMP: (1176):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETENov 6 01:12:25.794: ISAKMP: (1176):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE Nov 6 01:12:25.794: ISAKMP: (1176):IKE_DPD is enabled, initializing timersNov 6 01:12:25.794: ISAKMP: (1176):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETENov 6 01:12:25.794: ISAKMP: (1176):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE Nov 6 01:12:25.805: ISAKMP-PAK: (1176):received packet from 10.10.100.238 dport 500 sport 500 Global (R) QM_IDLE Nov 6 01:12:25.805: ISAKMP: (1176):set new node 1146948015 to QM_IDLE Nov 6 01:12:25.805: crypto_engine: Decrypt IKE packet Nov 6 01:12:25.805: crypto_engine: Generate IKE hash Nov 6 01:12:25.805: ISAKMP: (1176):processing HASH payload. message ID = 1146948015Nov 6 01:12:25.805: ISAKMP: (1176):processing SA payload. message ID = 1146948015Nov 6 01:12:25.805: ISAKMP: (1176):Checking IPSec proposal 1Nov 6 01:12:25.805: ISAKMP: (1176):transform 1, ESP_3DESNov 6 01:12:25.805: ISAKMP: (1176): attributes in transform:Nov 6 01:12:25.805: ISAKMP: (1176): SA life type in secondsNov 6 01:12:25.805: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10 Nov 6 01:12:25.806: ISAKMP: (1176): encaps is 1 (Tunnel)Nov 6 01:12:25.806: ISAKMP: (1176): authenticator is HMAC-MD5Nov 6 01:12:25.806: ISAKMP: (1176): group is 2Nov 6 01:12:25.806: ISAKMP: (1176):atts are acceptable.Nov 6 01:12:25.806: IPSEC(validate_proposal_request): proposal part #1Nov 6 01:12:25.806: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 10.10.9.219:0, remote= 10.10.100.238:0, local_proxy= 10.10.8.0/255.255.255.0/256/0, remote_proxy= 10.10.101.192/255.255.255.224/256/0, protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0Nov 6 01:12:25.806: Crypto mapdb : proxy_matchsrc addr : 10.10.8.0dst addr : 10.10.101.192protocol : 0src port : 0dst port : 0Nov 6 01:12:25.806: (ipsec_process_proposal)Map Accepted: CRYMAP, 1Nov 6 01:12:25.806: crypto_engine: Create DH Nov 6 01:12:25.807: ISAKMP: (1176):processing NONCE payload. message ID = 1146948015Nov 6 01:12:25.807: ISAKMP: (1176):processing KE payload. message ID = 1146948015Nov 6 01:12:25.807: crypto_engine: Create DH shared secret Nov 6 01:12:25.809: ISAKMP: (1176):processing ID payload. message ID = 1146948015Nov 6 01:12:25.809: ISAKMP: (1176):processing ID payload. message ID = 1146948015Nov 6 01:12:25.809: ISAKMP: (1176):QM Responder gets spiNov 6 01:12:25.809: ISAKMP: (1176):Node 1146948015, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCHNov 6 01:12:25.809: ISAKMP: (1176):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVENov 6 01:12:25.809: crypto_engine: Generate IKE hash Nov 6 01:12:25.809: ISAKMP: (1176):Node 1146948015, Input = IKE_MESG_INTERNAL, IKE_GOT_SPINov 6 01:12:25.809: ISAKMP: (1176):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAITNov 6 01:12:25.809: IPSEC(key_engine): got a queue event with 1 KMI message(s)Nov 6 01:12:25.809: Crypto mapdb : proxy_matchsrc addr : 10.10.8.0dst addr : 10.10.101.192protocol : 256src port : 0dst port : 0Nov 6 01:12:25.809: IPSEC(crypto_ipsec_create_ipsec_sas): Map found CRYMAP, 1Nov 6 01:12:25.809: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.10.100.238TBAR_DBG ident_prep_create_sa: after initilize settings for time-based antireplay: do_ipd3p=0, ipd3p_type=0, win-size=0, do_tbar=0Nov 6 01:12:25.809: crypto_engine: Generate IKE QM keys Nov 6 01:12:25.809: crypto_engine: Create IPSec SA (by keys) Nov 6 01:12:25.809: crypto_engine: Generate IKE QM keys Nov 6 01:12:25.809: crypto_engine: Create IPSec SA (by keys) Nov 6 01:12:25.810: IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 7F7B6AB2C3A8Nov 6 01:12:25.810: IPSEC(create_sa): sa created, (sa) sa_dest= 10.10.9.219, sa_proto= 50, sa_spi= 0x4C2C6162(1277976930), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2333 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 10.10.9.219:0, remote= 10.10.100.238:0, local_proxy= 10.10.8.0/255.255.255.0/256/0, remote_proxy= 10.10.101.192/255.255.255.224/256/0Nov 6 01:12:25.810: IPSEC(create_sa): sa created, (sa) sa_dest= 10.10.100.238, sa_proto= 50, sa_spi= 0xF92C3B96(4180425622), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2334 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 10.10.9.219:0, remote= 10.10.100.238:0, local_proxy= 10.10.8.0/255.255.255.0/256/0, remote_proxy= 10.10.101.192/255.255.255.224/256/0Nov 6 01:12:25.811: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_listNov 6 01:12:25.811: ISAKMP: (1176):Received IPSec Install callback... proceeding with the negotiationNov 6 01:12:25.811: ISAKMP: (1176):Successfully installed IPSEC SA (SPI:0x4C2C6162) on GigabitEthernet0/0/1Nov 6 01:12:25.811: crypto engine: deleting DH phase 2 SW:257 Nov 6 01:12:25.811: crypto_engine: Delete DH shared secret Nov 6 01:12:25.811: crypto engine: deleting DH SW:256 Nov 6 01:12:25.812: crypto_engine: Encrypt IKE packet Nov 6 01:12:25.812: ISAKMP-PAK: (1176):sending packet to 10.10.100.238 my_port 500 peer_port 500 (R) QM_IDLE Nov 6 01:12:25.812: ISAKMP: (1176):Sending an IKE IPv4 Packet.Nov 6 01:12:25.812: ISAKMP: (1176):Node 1146948015, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONENov 6 01:12:25.812: ISAKMP: (1176):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2Nov 6 01:12:25.813: crypto_engine: Delete DH Nov 6 01:12:25.823: ISAKMP-PAK: (1176):received packet from 10.10.100.238 dport 500 sport 500 Global (R) QM_IDLE Nov 6 01:12:25.823: crypto_engine: Decrypt IKE packet Nov 6 01:12:25.823: crypto_engine: Generate IKE hash Nov 6 01:12:25.823: ISAKMP: (1176):deleting node 1146948015 error FALSE reason "QM done (await)"Nov 6 01:12:25.823: ISAKMP: (1176):Node 1146948015, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCHNov 6 01:12:25.823: ISAKMP: (1176):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETENov 6 01:12:25.824: IPSEC(key_engine): got a queue event with 1 KMI message(s)Nov 6 01:12:25.824: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMPNov 6 01:12:25.824: crypto engine: updating MTU size of IPSec SA HW:334 to 1500 (overhead=54)Nov 6 01:12:25.824: crypto_engine: Set IPSec MTU

Georg Pauwen · ‎11-05-2019

Hello Udo,

I assume you are still testing with interfa ce GigabitEthernet0/0/1 ?

If that is the case, your access list VZB-DTM needs to match the subnet of that interface, 10.10.9.0 0.0.0.63.

Right now it matches the subnet of interface GigabitEthernet0/0/0...

Georg Pauwen · ‎11-05-2019

So the access list needs to look like this:

ip access-list extended VZB-DTM
permit ip 10.10.9.0 0.0.0.63 10.10.101.192 0.0.0.31

udo · ‎11-06-2019

Yes i use ge 0/0/1. But it don't need to match any interface Networks. Traffic runs thru the router and matches VZB-DTM should run thru the tunnel via ge 0/0/1. In the sh cry ipse sa you see that the ACLs are shown there. No errors in the config. On the 2821 the exact same config running fine.

Its weird. I think its a bug in the IOS-XE 16.x tested down to 16.3.1 and up to 16.7.1. 17.9.4 i cant use because crypto map listname authentication list listname is gone in 16.9.4. and therefore i dont tested it.

Best,

Udo

udo · ‎11-06-2019

I have created a lab router (C2821) against the ASR1002X with a site-to-site configurations same like the live system and the error is the same. Its repeatable and traffic from the C2821 > ASR1002X flow, ASR1002X > C2821 stuck.

Error is always :
ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list

I cant find anything about this error. But i am pretty sure thats the cause.

I am wonder i am alone with this problem :(

Best,
Udo

Georg Pauwen · ‎11-06-2019

Hello Udo,

the transform set could be the problem. The thing is: you would have to change it on both sides:

Try:

crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac

udo · ‎11-06-2019

Hi Georg.

Done on booth sides in the LAB. No luck. Same behavior. C2821 > ASR1002X traffic flow. Vice versa not.

I cant belive it.

Is there a way to leave the C2821 in its config (Crypto Map wise) and configure the ASR1002X with VRF +. IPSec?

Georg Pauwen · ‎11-06-2019

Hello,

weird indeed. Can you post the config of the 2821 as well ? I want to lab it, too, maybe I can spot something...

udo · ‎11-06-2019

Hi Georg.

Yes its a bug i guess. The things i tried are countless. Nothing works. Here the Config from the 2821:

Current configuration : 1881 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cr4
!
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.124-24.T8.bin
boot-end-marker
!
! card type command needed for slot/vwic-slot 0/0
logging message-counter syslog
!
no aaa new-model
!
dot11 syslog
ip source-route
!         
!
ip cef
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!         
!
!
!
!
!
!
!
voice-card 0
!
!
!
!
!
archive
 log config
  hidekeys
! 
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2  
crypto isakmp key xxxxxxxxxxx address 10.10.9.219
!
!
crypto ipsec transform-set ipcom esp-3des esp-md5-hmac 
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac 
!
crypto map CRYMAP local-address GigabitEthernet0/0
crypto map CRYMAP 4 ipsec-isakmp 
 description VzB LND
 set peer 10.10.9.219
 set transform-set ipcom 
 set pfs group2
 match address VZB-OFFTST
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 10.10.100.238 255.255.255.240
 duplex auto
 speed auto
 crypto map CRYMAP
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.100.1
no ip http server
no ip http secure-server
!
!
!
ip access-list extended VZB-OFFTST
 permit ip 10.10.101.192 0.0.0.31 10.10.8.0 0.0.0.255 
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password e4r5t6z7
 login
!
scheduler allocate 20000 1000
end

udo · ‎11-07-2019

Final notice :)

I have sidestepped the, in my eyes, bug along crypto map and ACL routing. I have created VRF's for each tunnel partner. The crypto map has extended with an IPSec profile and a reverse-route statement. The default routes are in each of the VRF's and the keyrings also one for each VRF. Looks nice and work like a charme.

Now its possible to connect a pure crypto map based site2site tunnel with a so called "VRF-Aware" one.

Thanks for the interest and all the help!!!

Best,
Udo