Unable to establish IPsec connections to remote VPN server

alanchia2000
Level 1

Hi,

I have set up Cisco CSR 1000v on Amazon cloud (RouterA).
Another IPSec device, pfsense - 123.123.123, was also set up on Amazon cloud.
I am having issues connecting CSR to pfsense, mainly because pfsense is taking the peer identity as 10.2.0.132 instead of 122.122.122.122.
How do I configure CSR to send its identity as 122.122.122.122 instead of 10.2.0.132? This is the main blocker I have.
It seems that NAT-T isn't doing much here.

! 122.122.122.122 (Router A) - internal IP 10.2.0.132
! 123.123.123.123 (Router B)
! VPN configuration (RouterA)
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key zNmpUki98qyv address 123.123.123.123
crypto isakmp keepalive 10 5
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set pre-aes-128-sha esp-aes esp-sha-hmac
mode tunnel
crypto ipsec df-bit clear
!
crypto map vpntunnel 20 ipsec-isakmp
set peer 123.123.123.123
set transform-set pre-aes-128-sha
match address 2000
!
interface GigabitEthernet1
ip address dhcp
negotiation auto
crypto map vpntunnel

IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.2.0.132 123.123.123.123 MM_NO_STATE 1837 ACTIVE (deleted)
10.2.0.132 123.123.123.123 MM_NO_STATE 1836 ACTIVE (deleted)
123.123.123.123 10.2.0.132 MM_NO_STATE 1835 ACTIVE (deleted)


*Nov 30 11:00:27.450: ISAKMP:(1832):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Nov 30 11:00:27.450: ISAKMP (1832): ID payload
next-payload : 8
type : 1
address : 10.2.0.132
protocol : 17
port : 0
length : 12
*Nov 30 11:00:27.450: ISAKMP:(1832):Total payload length: 12
*Nov 30 11:00:27.450: ISAKMP:(1832):Returning Actual lifetime: 86400
*Nov 30 11:00:27.450: ISAKMP:(1832): sending packet to 123.123.123.123 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Nov 30 11:00:27.450: ISAKMP:(1832):Sending an IKE IPv4 Packet.
*Nov 30 11:00:27.450: ISAKMP:(1832):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov 30 11:00:27.450: ISAKMP:(1832):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

*Nov 30 11:00:27.450: ISAKMP:(1832):IKE_DPD is enabled, initializing timers
*Nov 30 11:00:27.450: ISAKMP:(1832):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Nov 30 11:00:27.450: ISAKMP:(1832):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Nov 30 11:00:27.525: ISAKMP:(1829):purging node 1121485288
*Nov 30 11:00:27.533: ISAKMP (1832): received packet from 123.123.123.123 dport 4500 sport 4500 Global (R) QM_IDLE
*Nov 30 11:00:27.533: ISAKMP: set new node 3065667901 to QM_IDLE
*Nov 30 11:00:27.533: ISAKMP:(1832): processing HASH payload. message ID = 3065667901
*Nov 30 11:00:27.533: ISAKMP:(1832): processing DELETE payload. message ID = 3065667901
*Nov 30 11:00:27.533: ISAKMP:(1832):peer does not do paranoid keepalives.

*Nov 30 11:00:27.533: ISAKMP:(1832):deleting SA reason "No reason" state (R) QM_IDLE (peer 123.123.123.123)
*Nov 30 11:00:27.533: ISAKMP:(1832):deleting node 3065667901 error FALSE reason "Informational (in) state 1"
*Nov 30 11:00:27.533: ISAKMP: set new node 2243284690 to QM_IDLE
*Nov 30 11:00:27.533: ISAKMP:(1832): sending packet to 123.123.123.123 my_port 4500 peer_port 4500 (R) QM_IDLE
*Nov 30 11:00:27.533: ISAKMP:(1832):Sending an IKE IPv4 Packet.
*Nov 30 11:00:27.533: ISAKMP:(1832):purging node 2243284690
*Nov 30 11:00:27.533: ISAKMP:(1832):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Nov 30 11:00:27.533: ISAKMP:(1832):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

*Nov 30 11:00:27.533: ISAKMP:(1832):deleting SA reason "No reason" state (R) QM_IDLE (peer 123.123.123.123)
*Nov 30 11:00:27.535: ISAKMP:(1832):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov 30 11:00:27.535: ISAKMP:(1832):Old State = IKE_DEST_SA New State = IKE_DEST_SA

*Nov 30 11:00:30.106: ISAKMP:(1830): retransmitting phase 1 MM_KEY_EXCH...
*Nov 30 11:00:30.106: ISAKMP (1830): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Nov 30 11:00:30.106: ISAKMP:(1830): retransmitting phase 1 MM_KEY_EXCH
*Nov 30 11:00:30.106: ISAKMP:(1830): sending packet to 123.123.123.123 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Nov 30 11:00:30.106: ISAKMP:(1830):Sending an IKE IPv4 Packet.
*Nov 30 11:00:37.527: ISAKMP:(1829):purging SA., sa=7F595BE48CA0, delme=7F595BE48CA0
*Nov 30 11:00:40.105: ISAKMP:(1830): retransmitting phase 1 MM_KEY_EXCH...
*Nov 30 11:00:40.105: ISAKMP (1830): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Nov 30 11:00:40.105: ISAKMP:(1830): retransmitting phase 1 MM_KEY_EXCH
*Nov 30 11:00:40.105: ISAKMP:(1830): sending packet to 123.123.123.123 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Nov 30 11:00:40.105: ISAKMP:(1830):Sending an IKE IPv4 Packet.

Accepted Solution

rvarelac
Level 7

Hi alanchia2000,

Have you tried the command "crypto isakmp identity address"?

Alternatively, you can specify the source IP of the crypto map to be the interface with the 122 IP, with the command: crypto map map-name local-address interface-id

Command reference:

www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-c4.html#wp1755574933

Hope it helps

-Randy- 


8 Replies

Hi Randy,

Nope, it didn't work.

Still getting this error on my pfsense device... It seems that the Cisco device is still sending 10.2.0.132.


Dec  1 04:50:55 pfSense charon: 08[ENC] <con4000|121> parsed ID_PROT response 0 [ ID HASH N((24576)) ]
Dec  1 04:50:55 pfSense charon: 08[IKE] <con4000|121> IDir '10.2.0.132' does not match to '122.122.122.122'
Dec  1 04:50:55 pfSense charon: 08[IKE] <con4000|121> IDir '10.2.0.132' does not match to '122.122.122.122'
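The two log fragments in this thread show the same problem from both ends: the Cisco ISAKMP debug in the first post prints the ID payload it sends (type 1 = ID_IPV4_ADDR, address 10.2.0.132), and the charon line above shows pfSense rejecting that identity because its configured peer identifier is 122.122.122.122. The following Python script is an added example, not code from the thread or from Cisco or pfSense; it parses both formats and reports an IKEv1 identity mismatch, flagging the case where a router behind NAT sends its private address as its identity. The sample log lines are constructed from the values quoted in this thread, and the ID type numbers are the IKEv1 (RFC 2407) identification types.

```python
import ipaddress
import re

# Constructed sample input modelled on the Cisco "debug crypto isakmp" output
# and the pfSense charon log quoted in this thread (thread's example addresses).
CISCO_DEBUG = """\
*Nov 30 11:00:27.450: ISAKMP:(1832):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Nov 30 11:00:27.450: ISAKMP (1832): ID payload
next-payload : 8
type : 1
address : 10.2.0.132
protocol : 17
port : 0
length : 12
*Nov 30 11:00:27.450: ISAKMP:(1832): sending packet to 123.123.123.123 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
"""

CHARON_LOG = """\
Dec  1 04:50:55 pfSense charon: 08[ENC] <con4000|121> parsed ID_PROT response 0 [ ID HASH N((24576)) ]
Dec  1 04:50:55 pfSense charon: 08[IKE] <con4000|121> IDir '10.2.0.132' does not match to '122.122.122.122'
"""

# IKEv1 identification payload types (RFC 2407, section 4.6.2.1), subset.
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
            5: "ID_IPV6_ADDR", 9: "ID_DER_ASN1_DN", 11: "ID_KEY_ID"}

ID_HDR = re.compile(r"ISAKMP \((?P<sa>\d+)\): ID payload")
KV = re.compile(r"^\s*(?P<k>[\w-]+)\s*:\s*(?P<v>\S+)\s*$")
IDIR = re.compile(r"<(?P<conn>[^>]+)> IDir '(?P<got>[^']+)' does not match to '(?P<want>[^']+)'")


def parse_cisco_id_payloads(text):
    """Return one dict {'sa', 'type', 'address'} per ID payload block in a Cisco ISAKMP debug.

    A block starts at 'ISAKMP (<sa>): ID payload' and consists of the indented
    'key : value' lines that follow it, ending with the 'length' line.
    """
    payloads = []
    current = None
    for line in text.splitlines():
        hdr = ID_HDR.search(line)
        if hdr:
            current = {"sa": int(hdr.group("sa"))}
            continue
        if current is None:
            continue
        kv = KV.match(line)
        if not kv:
            current = None  # block ended without a 'length' line; discard it
            continue
        key, val = kv.group("k"), kv.group("v")
        if key == "type":
            current["type"] = int(val)
        elif key == "address":
            current["address"] = val
        elif key == "length":
            payloads.append(current)
            current = None
    return payloads


def parse_charon_mismatches(text):
    """Return (connection, received_id, expected_id) for each charon IDir mismatch line."""
    return [(m.group("conn"), m.group("got"), m.group("want"))
            for m in (IDIR.search(line) for line in text.splitlines()) if m]


def diagnose(cisco_text, charon_text, expected_public_ip):
    """Correlate both sides and describe every identity mismatch as a finding string."""
    findings = []
    for p in parse_cisco_id_payloads(cisco_text):
        addr = p.get("address")
        # Only an address-type identity that differs from what the peer expects is a problem.
        if p.get("type") == 1 and addr and addr != expected_public_ip:
            scope = "private, RFC 1918" if ipaddress.ip_address(addr).is_private else "non-matching"
            findings.append(f"SA {p['sa']}: local identity sent as {ID_TYPES[1]} {addr} "
                            f"({scope}); peer expects {expected_public_ip}")
    for conn, got, want in parse_charon_mismatches(charon_text):
        findings.append(f"{conn}: responder rejected IDir {got!r}; configured peer identifier is {want!r}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(CISCO_DEBUG, CHARON_LOG, "122.122.122.122"):
        print(finding)
```

Run against the thread's values, the script reports the 10.2.0.132 identity on SA 1832 as private and not matching 122.122.122.122, and the matching rejection from pfSense connection con4000|121. Feed it real debug output and a charon log to confirm quickly which side's identity setting has to change before touching the crypto map.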

Hi, looking at the documentation of pfSense, in this link:

https://doc.pfsense.org/index.php/VPN_Capability_IPsec

they refer to a field in the Phase 1 configuration:

Peer Identifier: Identifies the router on the far side. It is best left at Peer IP Address and the firewall will fill it in as needed. In some cases an FQDN or similar may be entered so that the value is constant. So long as both sides agree on the Identifier it will work.

Configure the remote Peer ID with the private address of the Cisco device. Also, enable NAT-T in the PfSense:

NAT Traversal: Should nearly always be set to Disable unless it is certain that one firewall or the other has a WAN behind another NAT device.

I hope that helps

Julio

Hi 

It seems to give me different error messages when I change the remote peer ID to the private address:

! 122.122.122.122 (Router A) - internal IP 10.2.0.132
! 123.123.123.123 (Router B) - internal IP 10.4.0.241

pfsense logs

Dec 9 08:41:00 pfSense charon: 15[NET] <con2000|273> sending packet: from 10.4.0.241[4500] to 84.127.228.166[4500] (92 bytes)
Dec 9 08:41:02 pfSense charon: 15[KNL] creating acquire job for policy 10.4.0.241/32|/0 === 122.122.122.122/32|/0 with reqid {218}
Dec 9 08:41:02 pfSense charon: 14[CFG] ignoring acquire, connection attempt pending
Dec 9 08:41:07 pfSense charon: 14[IKE] <con3000|268> sending DPD request

cisco logs

*Dec 9 08:41:37.756: ISAKMP (0): received packet from 123.123.123.123 dport 500 sport 500 Global (N) NEW SA
*Dec 9 08:41:37.756: ISAKMP: Created a peer struct for 123.123.123.123, peer port 500
*Dec 9 08:41:37.756: ISAKMP: New peer created peer = 0x7F91ECEB7D18 peer_handle = 0x8000013A
*Dec 9 08:41:37.756: ISAKMP: Locking peer struct 0x7F91ECEB7D18, refcount 1 for crypto_isakmp_process_block
*Dec 9 08:41:37.756: ISAKMP: local port 500, remote port 500
*Dec 9 08:41:37.756: ISAKMP:(0):insert sa successfully sa = 7F91ECEB7008
*Dec 9 08:41:37.756: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 9 08:41:37.756: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

*Dec 9 08:41:37.756: ISAKMP:(0): processing SA payload. message ID = 0
*Dec 9 08:41:37.756: ISAKMP:(0): processing vendor id payload
*Dec 9 08:41:37.756: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Dec 9 08:41:37.756: ISAKMP:(0): vendor ID is XAUTH
*Dec 9 08:41:37.756: ISAKMP:(0): processing vendor id payload
*Dec 9 08:41:37.756: ISAKMP:(0): vendor ID is DPD
*Dec 9 08:41:37.756: ISAKMP:(0): processing vendor id payload
*Dec 9 08:41:37.756: ISAKMP:(0): vendor ID is Unity
*Dec 9 08:41:37.756: ISAKMP:(0):found peer pre-shared key matching 123.123.123.123
*Dec 9 08:41:37.756: ISAKMP:(0): local preshared key found
*Dec 9 08:41:37.756: ISAKMP : Scanning profiles for xauth ...
*Dec 9 08:41:37.756: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Dec 9 08:41:37.756: ISAKMP: encryption 3DES-CBC
*Dec 9 08:41:37.756: ISAKMP: hash SHA
*Dec 9 08:41:37.756: ISAKMP: default group 2
*Dec 9 08:41:37.756: ISAKMP: auth pre-share
*Dec 9 08:41:37.756: ISAKMP: life type in seconds
*Dec 9 08:41:37.756: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Dec 9 08:41:37.756: ISAKMP:(0):atts are acceptable. Next payload is 0
*Dec 9 08:41:37.756: ISAKMP:(0):Acceptable atts:actual life: 86400
*Dec 9 08:41:37.756: ISAKMP:(0):Acceptable atts:life: 0
*Dec 9 08:41:37.756: ISAKMP:(0):Fill atts in sa vpi_length:4
*Dec 9 08:41:37.756: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Dec 9 08:41:37.756: ISAKMP:(0):Returning Actual lifetime: 86400
*Dec 9 08:41:37.756: ISAKMP:(0)::Started lifetime timer: 86400.

*Dec 9 08:41:37.757: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Dec 9 08:41:37.757: ISAKMP:(0): vendor ID is NAT-T v2
*Dec 9 08:41:37.757: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec 9 08:41:37.757: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Dec 9 08:41:37.757: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Dec 9 08:41:37.757: ISAKMP:(0): sending packet to 123.123.123.123 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Dec 9 08:41:37.757: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Dec 9 08:41:37.757: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec 9 08:41:37.757: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

*Dec 9 08:41:37.867: ISAKMP (0): received packet from 123.123.123.123 dport 500 sport 500 Global (R) MM_SA_SETUP
*Dec 9 08:41:37.867: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 9 08:41:37.867: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3

*Dec 9 08:41:37.867: ISAKMP:(0): processing KE payload. message ID = 0
*Dec 9 08:41:37.868: ISAKMP:(0): processing NONCE payload. message ID = 0
*Dec 9 08:41:37.868: ISAKMP:(0):found peer pre-shared key matching 123.123.123.123
*Dec 9 08:41:37.868: ISAKMP:received payload type 20
*Dec 9 08:41:37.868: ISAKMP (1225): NAT found, both nodes inside NAT
*Dec 9 08:41:37.868: ISAKMP:received payload type 20
*Dec 9 08:41:37.868: ISAKMP (1225): NAT found, both nodes inside NAT
*Dec 9 08:41:37.868: ISAKMP:(1225):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec 9 08:41:37.868: ISAKMP:(1225):Old State = IKE_R_MM3 New State = IKE_R_MM3

*Dec 9 08:41:37.868: ISAKMP:(1225): sending packet to 123.123.123.123 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Dec 9 08:41:37.868: ISAKMP:(1225):Sending an IKE IPv4 Packet.
*Dec 9 08:41:37.868: ISAKMP:(1225):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec 9 08:41:37.868: ISAKMP:(1225):Old State = IKE_R_MM3 New State = IKE_R_MM4

*Dec 9 08:41:37.967: ISAKMP (1225): received packet from 123.123.123.123 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
*Dec 9 08:41:37.967: ISAKMP: reserved not zero on ID payload!
*Dec 9 08:41:37.967: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 123.123.123.123 failed its sanity check or is malformed
*Dec 9 08:41:37.967: ISAKMP (1225): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
*Dec 9 08:41:38.967: ISAKMP:(1225): retransmitting phase 1 MM_KEY_EXCH...

*Dec  9 08:54:12.440: %CRYPTO-4-IKMP_NO_SA: IKE message from 123.123.123.123 has no SA and is not an initialization offer
*Dec  9 08:55:32.159: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 123.123.123.123 failed its sanity check or is malformed

Alan

The answer didn't help. Accidentally clicked on the correct answer...

Hi, sorry to jump in.

May I ask, how can I change the peer from port 500 to 4500?
Dec 9 08:41:37.756: ISAKMP: Created a peer struct for 123.123.123.123, peer port 

Hello,

What is the context of your question? Which VPN client do you have, and which VPN server are you trying to connect to?
