Beginner

Re: Vpn connection to lan no answer cisco 1100 series

/29 corresponds to the WAN of the ISR 1100

interface GigabitEthernet0/0/0
description WAN
ip address 181.143.239.68 255.255.255.248 /29
ip nat outside
negotiation auto
crypto map CMAP

 

Regarding your question, Richard: from my router, a ping to 181.52.244.105 does not answer, but 181.52.244.1 does.

I have 3 RV042Gs connected to the VPN that work correctly without problems, but I could not do it with the ISR 1100.

It should be noted that the 3 Cisco RV042Gs do not ping the WAN, since their configuration is through gateway to gateway, but they work perfectly.

 

Hall of Fame Master

Re: Vpn connection to lan no answer cisco 1100 series

There have been a number of posts about the addressing used, especially for the rv042g. There have been a couple of screen shots that show clearly that the WAN interface is 181.52.244.105. That is the address that the 1100 should use as its peer address - and I believe that the last several posts with config information show that the 1100 is now using that address.

 

I believe that there has been some confusion about terminology - especially about gateway addresses and about how the rv042g refers to this vpn as gateway to gateway. I have tried to explain that gateway to gateway vpn is what many of us would call site to site vpn (as distinguished from Remote Access vpn or Client vpn). I hope this confusion has been clarified.

 

There have been several posts with debug output showing various problems. But the output of show crypto ipsec sa on the 1100 does show that a site to site vpn has been established.

Router#show crypto ipsec sa

interface: GigabitEthernet0/0/0
Crypto map tag: CMAP, local addr 181.143.239.68

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer 181.52.244.105 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

Note that the local address is 181.143.239.68 and the current_peer is 181.52.244.105. So I believe the peering addressing is correct. Also the local lan and remote lan are correctly identified.

local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)

 

So I do not know what the debug errors were about and I suggest that we do not care about them. They must relate to something other than the vpn between the 1100 and the rv042g. If the ipsec sa is established then the crypto negotiation has been successful. 

 

There is one part of the output that we should look at:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

If encaps is zero and decaps is zero then there is not any data passing through the vpn. If the only testing of the vpn has been ping to 192.168.13.1 then this might explain why there is no data passing through the vpn. I have also seen issues where encaps and decaps of zero were caused by issues with address translation or problems with routing. How can we investigate this issue?

 

HTH

 

Rick
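The counter reading Rick describes above (an SA that exists but shows zero encaps and zero decaps) is easy to automate. The following is an added example, not code from the thread or from Cisco: it parses a `show crypto ipsec sa` block and maps the counter pattern to the next thing to check. The sample output is constructed to mirror what was posted; the function names and the diagnosis wording are this example's own.

```python
import re

# Constructed sample, modelled on the "show crypto ipsec sa" output posted in
# the thread (an SA with both packet counters at zero).
SAMPLE_SA_OUTPUT = """\
interface: GigabitEthernet0/0/0
Crypto map tag: CMAP, local addr 181.143.239.68

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer 181.52.244.105 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

LOCAL_RE = re.compile(r"local addr (\S+)")
IDENT_RE = re.compile(r"^(local|remote) ident .*?: \((\S+?)/(\S+?)/\d+/\d+\)")
PEER_RE = re.compile(r"^current_peer (\S+) port (\d+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


def parse_ipsec_sa(text):
    """Pull peer, proxy identities and packet counters out of one SA block."""
    info = {"encaps": None, "decaps": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := LOCAL_RE.search(line):
            info["local_addr"] = m.group(1)
        elif m := IDENT_RE.match(line):
            info[m.group(1) + "_net"] = f"{m.group(2)}/{m.group(3)}"
        elif m := PEER_RE.match(line):
            info["peer"], info["peer_port"] = m.group(1), int(m.group(2))
        elif m := ENCAPS_RE.search(line):
            info["encaps"] = int(m.group(1))
        elif m := DECAPS_RE.search(line):
            info["decaps"] = int(m.group(1))
    return info


def diagnose(info):
    """Map the counter pattern to the next thing to check.

    The rules follow the reasoning in the thread: an SA with zero encaps and
    zero decaps is negotiated but carrying nothing, which points at the test
    traffic, NAT exemption or routing rather than at the crypto negotiation.
    """
    if "peer" not in info or info["encaps"] is None:
        return "no-sa", "no SA block found; negotiation has not produced an SA"
    enc, dec = info["encaps"], info["decaps"]
    if enc == 0 and dec == 0:
        return ("idle", "SA negotiated but no traffic either way: confirm the test "
                "traffic really originates in the local LAN, then check NAT "
                "exemption and routing")
    if enc > 0 and dec == 0:
        return ("one-way-out", "local side encrypts but nothing comes back: check "
                "the remote peer's return route, NAT exemption and policy")
    if enc == 0 and dec > 0:
        return ("one-way-in", "remote traffic arrives but the local side sends "
                "nothing: check local NAT exemption and the route to the remote LAN")
    return "ok", "traffic is flowing in both directions"


def analyse(text):
    info = parse_ipsec_sa(text)
    status, advice = diagnose(info)
    return info, status, advice


if __name__ == "__main__":
    info, status, advice = analyse(SAMPLE_SA_OUTPUT)
    print(f"peer {info['peer']}: {info['local_net']} <-> {info['remote_net']}")
    print(f"encaps={info['encaps']} decaps={info['decaps']} -> {status}: {advice}")
```

Run against the constructed sample the result is `idle`, which is exactly the situation in the thread: the SA is up, so the next step is to generate traffic from a host inside 192.168.13.0/24 towards 192.168.5.0/24 and re-read the counters, rather than to keep debugging the negotiation.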

 

 

 

Beginner

Re: Vpn connection to lan no answer cisco 1100 series


When connecting the RV042G, it does not establish any type of VPN connection with the 1100, although it can be observed that the Cisco 1100 does not encapsulate any packet.

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer 181.52.244.105 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

I have tried to present the case that it does not identify the connection of the RV042G to the 1100. What I can assure is that from the RV042G, a connection to 181.143.239.68 does get an answer, but it does not establish a VPN connection to the local network.

I wonder, is it not compatible?

VIP Mentor

Re: Vpn connection to lan no answer cisco 1100 series

Hello,

 

I have been looking at a few videos on YouTube on how to set up the RV042 (in order to find a possible clue).

 

In the 'Remote Security Type' drop-down box:

 

VPN --> Remote Group Setup --> Remote Security Type

 

you have three options. Try 'IP Range' instead of 'Subnet'...

 

IP
Subnet
IP Range

Hall of Fame Master

Re: Vpn connection to lan no answer cisco 1100 series

The original poster states that vpn is established on 1100 but not established on rv042g. I respond that ipsec negotiation is a two-way process. If vpn is established on 1100 then it is also established on rv042g. It is not possible to have it established on one peer and not established on the other peer for an ipsec site to site vpn.

 

@Georg Pauwen suggests changing the rv042g to specify ip range instead of subnet. Perhaps that is worth a try. But my guess is that the problem is not in how the vpn is negotiated but is in getting traffic through the vpn tunnel. I have seen this symptom when there was an issue with address translation translating traffic that should have gone through the vpn untranslated. I have seen this symptom when there was an issue with routing the traffic through the vpn. And I wonder if the issue might be in how the testing is done. I would really like to see results when some device connected in 192.168.13.0 attempts to communicate with a device in 192.168.5.0.

 

HTH

 

Rick
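The NAT failure Rick describes (interesting traffic translated before the crypto map sees it) can be checked mechanically from `show access-lists` output. The following is an added example, not code from the thread or from Cisco: it parses the crypto ACL and the NAT ACL in that output format and, for each crypto `permit`, finds the first NAT entry that overlaps it; a `permit` there means the traffic is NATed and never enters the tunnel, a `deny` (or no match, i.e. the implicit deny) means it is exempt. The ACL texts are constructed: the first NAT ACL reproduces the `113` list posted later in the thread, which passes this check; the second is a deliberately wrong one with no exemption. Function names are this example's own.

```python
import ipaddress
import re

# Constructed samples in "show access-lists" format. NAT_ACL_WITH_EXEMPTION
# mirrors the ACL 113 posted in the thread (deny the VPN traffic first, then
# permit everything else to be translated); NAT_ACL_WITHOUT_EXEMPTION is a
# deliberately broken variant with no deny in front of the permit.
CRYPTO_ACL = """\
Extended IP access list VPN
10 permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
"""
NAT_ACL_WITH_EXEMPTION = """\
Extended IP access list 113
10 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
20 permit ip 192.168.13.0 0.0.0.255 any
"""
NAT_ACL_WITHOUT_EXEMPTION = """\
Extended IP access list 113
10 permit ip 192.168.13.0 0.0.0.255 any
"""

# "<seq> permit|deny ip <src> <dst>", with an optional "(N matches)" suffix
ENTRY_RE = re.compile(r"^(\d+) (permit|deny) ip (.+?)(?: \(.*\))?$")


def _take_addr(tokens):
    """Consume one ACL address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts an IOS wildcard (hostmask) after the slash
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Return the IP entries of one ACL, in sequence order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header line or a non-IP entry we do not model
        seq, action, rest = int(m.group(1)), m.group(2), m.group(3).split()
        src, rest = _take_addr(rest)
        dst, _ = _take_addr(rest)
        entries.append({"seq": seq, "action": action, "src": src, "dst": dst})
    return entries


def check_nat_exemption(crypto_acl_text, nat_acl_text):
    """For every permit in the crypto ACL, apply first-match semantics against
    the NAT ACL. 'translated' means the VPN traffic would be NATed and so
    never match the crypto map; 'exempt' means it reaches the tunnel as is."""
    results = []
    nat = parse_acl(nat_acl_text)
    for flow in parse_acl(crypto_acl_text):
        if flow["action"] != "permit":
            continue
        verdict = ("exempt", None)  # no NAT entry matched: implicit deny, not translated
        for e in nat:
            if e["src"].overlaps(flow["src"]) and e["dst"].overlaps(flow["dst"]):
                verdict = ("translated" if e["action"] == "permit" else "exempt", e["seq"])
                break
        results.append({"flow": f"{flow['src']} -> {flow['dst']}",
                        "result": verdict[0], "nat_seq": verdict[1]})
    return results


if __name__ == "__main__":
    for label, acl in (("with exemption", NAT_ACL_WITH_EXEMPTION),
                       ("without exemption", NAT_ACL_WITHOUT_EXEMPTION)):
        for r in check_nat_exemption(CRYPTO_ACL, acl):
            print(f"{label}: {r['flow']} -> {r['result']} (NAT ACL seq {r['nat_seq']})")
```

The check uses overlap rather than strict containment so that a NAT entry covering only part of the crypto flow is still reported; when the first overlapping entry is a `deny` that does not fully contain the flow, the remaining part of the flow would need its own look, which is worth keeping in mind on ACLs more complex than the two-line list in this thread.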

Beginner

Re: Vpn connection to lan no answer cisco 1100 series

Attached: the connection by IP was also made by range, without a successful connection. In the same way, I show the connection between 2 Cisco RV042Gs with a successful connection to the VPN.

Beginner

Re: Vpn connection to lan no answer cisco 1100 series

I tell you that the 0/0 interface is active. I have pointed out some cases in red, but at least the interface went up.


Interface: GigabitEthernet0/0/0
Session status: UP-IDLE
Peer: 181.52.244.105 port 500
Session ID: 0
IKEv1 SA: local 181.143.239.68/500 remote 181.52.244.105/500 Active
Session ID: 0
IKEv1 SA: local 181.143.239.68/500 remote 181.52.244.105/500 Inactive
IPSEC FLOW: permit ip 192.168.13.0/255.255.255.0 192.168.5.0/255.255.255.0
Active SAs: 0, origin: crypto map

ciscuso# debug crypto ipsec

(key eng. msg.) INBOUND local= 181.143.239.68:0, remote= 181.52.244.105:0,
local_proxy= 192.168.13.0/255.255.255.0/256/0,
remote_proxy= 192.168.5.0/255.255.255.0/256/0,
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Aug 12 22:07:49.456: Crypto mapdb : proxy_match
src addr : 192.168.13.0
dst addr : 192.168.5.0
protocol : 0
src port : 0
dst port : 0
*Aug 12 22:07:49.456: IPSEC(ipsec_process_proposal): invalid transform proposa

 

Router#show access-lists
Extended IP access list 113
10 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
20 permit ip 192.168.13.0 0.0.0.255 any
Extended IP access list VPN
10 permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255

 

Aug 12 17:54:43.290: ISAKMP-ERROR: (1058):phase 2 SA policy not acceptable! (local 181.143.239.68 remote 181.52.244.105)
*Aug 12 17:54:43.290: ISAKMP: (1058):set new node 2215618288 to QM_IDLE
*Aug 12 17:54:43.290: ISAKMP: (1058):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 2
spi 547180791068, message ID = 2215618288
*Aug 12 17:54:43.291: ISAKMP-PAK: (1058):sending packet to 181.52.244.105 my_port 500 peer_port 500 (R) QM_IDLE
*Aug 12 17:54:43.291: ISAKMP: (1058):Sending an IKE IPv4 Packet.
*Aug 12 17:54:43.291: ISAKMP: (1058):purging node 2215618288
*Aug 12 17:54:43.291: ISAKMP-ERROR: (1058):deleting node 795172206 error TRUE reason "QM rejected"
*Aug 12 17:54:43.291: ISAKMP: (1058):Node 795172206, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Aug 12 17:54:43.291: ISAKMP: (1058):Old State = IKE_QM_READY New State = IKE_QM_READY
*Aug 12 17:54:44.371: ISAKMP: (1058):purging node 2657721889
*Aug 12 17:54:53.210: ISAKMP-PAK: (1058):received packet from 181.52.244.105 dport 500 sport 500 Global (R) QM_IDLE
*Aug 12 17:54:53.210: ISAKMP: (1058):phase 2 packet is a duplicate of a previous packet.
*Aug 12 17:54:53.211: ISAKMP: (1058):retransmitting due to retransmit phase 2
*Aug 12 17:54:53.211: ISAKMP: (1058):Quick Mode is being processed. Ignoring retransmission
Router#show crypto session
*Aug 12 17:55:04.300: ISAKMP-PAK: (0):received packet from 181.52.244.105 dport
500 sport 500 Global (N) NEW SA
*Aug 12 17:55:04.300: ISAKMP: (0):Found a peer struct for 181.52.244.105, peer p
ort 500
*Aug 12 17:55:04.300: ISAKMP: (0):Locking peer struct 0x7F59E0F188, refcount 2 f
or crypto_isakmp_process_block
*Aug 12 17:55:04.301: ISAKMP: (0):local port 500, remote port 500
*Aug 12 17:55:04.301: ISAKMP: (0):Find a dup sa in the avl tree during calling i
sadb_insert sa = 7F59E0D430
*Aug 12 17:55:04.301: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 12 17:55:04.301: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1

*Aug 12 17:55:04.301: ISAKMP: (0):processing SA payload. message ID = 0
*Aug 12 17:55:04.301: ISAKMP: (0):processing vendor id payload
*Aug 12 17:55:04.301: ISAKMP: (0):vendor ID is DPD
*Aug 12 17:55:04.301: ISAKMP: (0):processing vendor id payload
*Aug 12 17:55:04.301: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatc
h
*Aug 12 17:55:04.301: ISAKMP: (0):vendor ID is NAT-T RFC 3947
*Aug 12 17:55:04.302: ISAKMP: (0):processing vendor id payload
*Aug 12 17:55:04.302: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismat
ch
*Aug 12 17:55:04.302: ISAKMP: (0):vendor ID is NAT-T v3
*Aug 12 17:55:04.302: ISAKMP: (0):processing vendor id payload
*Aug 12 17:55:04.302: ISAKMP: (0):vendor ID seems Unity/DPD but major 164 mismat
ch
*Aug 12 17:55:04.302: ISAKMP: (0):processing vendor id payload
*Aug 12 17:55:04.302: ISAKMP: (0):vendor ID seems Unity/DPD but major 221 mismat
ch
*Aug 12 17:55:04.302: ISAKMP: (0):found peer pre-shared key matching 181.52.244.
105
*Aug 12 17:55:04.302: ISAKMP: (0):local preshared key found
*Aug 12 17:55:04.302: ISAKMP: (0):Scanning profiles for xauth ...
*Aug 12 17:55:04.302: ISAKMP: (0):Checking ISAKMP transform 0 against priority 1
0 policy
*Aug 12 17:55:04.302: ISAKMP: (0): life type in seconds
*Aug 12 17:55:04.302: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Aug 12 17:55:04.303: ISAKMP: (0): encryption 3DES-CBC
*Aug 12 17:55:04.303: ISAKMP: (0): hash MD5
*Aug 12 17:55:04.303: ISAKMP: (0): auth pre-share
*Aug 12 17:55:04.303: ISAKMP: (0): default group 2
*Aug 12 17:55:04.303: ISAKMP: (0):atts are acceptable. Next payload is 0
*Aug 12 17:55:04.303: ISAKMP: (0):Acceptable atts:actual life: 86400
*Aug 12 17:55:04.303: ISAKMP: (0):Acceptable atts:life: 0
*Aug 12 17:55:04.303: ISAKMP: (0):Fill atts in sa vpi_length:4
*Aug 12 17:55:04.303: ISAKMP: (0):Fill atts in sa life_in_seconds:86400
*Aug 12 17:55:04.303: ISAKMP: (0):Returning Actual lifetime: 86400
*Aug 12 17:55:04.303: ISAKMP: (0):Started lifetime timer: 86400.

*Aug 12 17:55:04.303: ISAKMP: (0):processing vendor id payload
*Aug 12 17:55:04.303: ISAKMP: (0):vendor ID is DPD
*Aug 12 17:55:04.303: ISAKMP: (0):processing vendor id payload
*Aug 12 17:55:04.303: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatc
h
*Aug 12 17:55:04.304: ISAKMP: (0):vendor ID is NAT-T RFC 3947
*Aug 12 17:55:04.304: ISAKMP: (0):processing vendor id payload
*Aug 12 17:55:04.304: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismat
ch
*Aug 12 17:55:04.304: ISAKMP: (0):vendor ID is NAT-T v3
*Aug 12 17:55:04.304: ISAKMP: (0):processing vendor id payload
*Aug 12 17:55:04.304: ISAKMP: (0):vendor ID seems Unity/DPD but major 164 mismat
ch
*Aug 12 17:55:04.304: ISAKMP: (0):processing vendor id payload
*Aug 12 17:55:04.304: ISAKMP: (0):vendor ID seems Unity/DPD but major 221 mismat
ch
*Aug 12 17:55:04.304: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MO
DE
*Aug 12 17:55:04.304: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Aug 12 17:55:04.304: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Aug 12 17:55:04.305: ISAKMP-PAK: (0):sending packet to 181.52.244.105 my_port 5
00 peer_port 500 (R) MM_SA_SETUP
*Aug 12 17:55:04.305: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 12 17:55:04.305: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLET
E
*Aug 12 17:55:04.305: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2

*Aug 12 17:55:04.411: ISAKMP-PAK: (0):received packet from 181.52.244.105 dport
500 sport 500 Global (R) MM_SA_SETUP
*Aug 12 17:55:04.411: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 12 17:55:04.411: ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3

*Aug 12 17:55:04.411: ISAKMP: (0):processing KE payload. message ID = 0
*Aug 12 17:55:04.415: ISAKMP: (0):processing NONCE payload. message ID = 0
*Aug 12 17:55:04.415: ISAKMP: (0):found peer pre-shared key matching 181.52.244.
105
*Aug 12 17:55:04.415: ISAKMP: (1059):received payload type 20
*Aug 12 17:55:04.415: ISAKMP: (1059):His hash no match - this node outside NAT
*Aug 12 17:55:04.415: ISAKMP: (1059):received payload type 20
*Aug 12 17:55:04.415: ISAKMP: (1059):No NAT Found for self or peer
*Aug 12 17:55:04.415: ISAKMP: (1059):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN
_MODE
*Aug 12 17:55:04.415: ISAKMP: (1059):Old State = IKE_R_MM3 New State = IKE_R_MM
3

*Aug 12 17:55:04.416: ISAKMP-PAK: (1059):sending packet to 181.52.244.105 my_por
t 500 peer_port 500 (R) MM_KEY_EXCH
*Aug 12 17:55:04.416: ISAKMP: (1059):Sending an IKE IPv4 Packet.
*Aug 12 17:55:04.416: ISAKMP: (1059):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMP
LETE
*Aug 12 17:55:04.416: ISAKMP: (1059):Old State = IKE_R_MM3 New State = IKE_R_MM
4

*Aug 12 17:55:04.516: ISAKMP-PAK: (1059):received packet from 181.52.244.105 dpo
rt 500 sport 500 Global (R) MM_KEY_EXCH
*Aug 12 17:55:04.516: ISAKMP: (1059):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 12 17:55:04.516: ISAKMP: (1059):Old State = IKE_R_MM4 New State = IKE_R_MM
5

*Aug 12 17:55:04.516: ISAKMP: (1059):processing ID payload. message ID = 0
*Aug 12 17:55:04.516: ISAKMP: (1059):ID payload
next-payload : 8
type : 1
*Aug 12 17:55:04.517: ISAKMP: (1059): address : 181.52.244.105
*Aug 12 17:55:04.517: ISAKMP: (1059): protocol : 0
port : 0
length : 12
*Aug 12 17:55:04.517: ISAKMP: (0):peer matches *none* of the profiles
*Aug 12 17:55:04.517: ISAKMP: (1059):processing HASH payload. message ID = 0
*Aug 12 17:55:04.517: ISAKMP: (1059):SA authentication status:
authenticated
*Aug 12 17:55:04.517: ISAKMP: (1059):SA has been authenticated with 181.52.244.1
05
*Aug 12 17:55:04.517: ISAKMP: (1059):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN
_MODE
*Aug 12 17:55:04.517: ISAKMP: (1059):Old State = IKE_R_MM5 New State = IKE_R_MM
5

*Aug 12 17:55:04.518: ISAKMP: (1059):SA is doing
*Aug 12 17:55:04.518: ISAKMP: (1059):pre-shared key authentication using id type
ID_IPV4_ADDR
*Aug 12 17:55:04.518: ISAKMP: (1059):ID payload
next-payload : 8
type : 1
*Aug 12 17:55:04.518: ISAKMP: (1059): address : 181.143.239.68
*Aug 12 17:55:04.518: ISAKMP: (1059): protocol : 17
port : 500
length : 12
*Aug 12 17:55:04.518: ISAKMP: (1059):Total payload length: 12
*Aug 12 17:55:04.518: ISAKMP-PAK: (1059):sending packet to 181.52.244.105 my_por
t 500 peer_port 500 (R) MM_KEY_EXCH
*Aug 12 17:55:04.518: ISAKMP: (1059):Sending an IKE IPv4 Packet.
*Aug 12 17:55:04.519: ISAKMP: (1059):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMP
LETE
*Aug 12 17:55:04.519: ISAKMP: (1059):Old State = IKE_R_MM5 New State = IKE_R_MM
5

*Aug 12 17:55:04.519: ISAKMP: (1059):Input = IKE_MESG_INTERNAL, IKE_FETCH_USER_A
TTR
*Aug 12 17:55:04.519: ISAKMP: (1059):Old State = IKE_R_MM5 New State = IKE_P1_C
OMPLETE

*Aug 12 17:55:04.519: ISAKMP: (1059):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPL
ETE
*Aug 12 17:55:04.520: ISAKMP: (1059):Old State = IKE_P1_COMPLETE New State = IK
E_P1_COMPLETE

*Aug 12 17:55:04.615: ISAKMP-PAK: (1058):received packet from 181.52.244.105 dpo
rt 500 sport 500 Global (R) QM_IDLE
*Aug 12 17:55:04.615: ISAKMP: (1058):set new node 593138352 to QM_IDLE
*Aug 12 17:55:04.615: ISAKMP: (1058):processing HASH payload. message ID = 59313
8352
*Aug 12 17:55:04.615: ISAKMP: (1058):processing DELETE payload. message ID = 593
138352
*Aug 12 17:55:04.615: ISAKMP: (1058):peer does not do paranoid keepalives.
*Aug 12 17:55:04.615: ISAKMP: (1058):deleting SA reason "No reason" state (R) QM
_IDLE (peer 181.52.244.105)
*Aug 12 17:55:04.615: ISAKMP: (1058):deleting node 593138352 error FALSE reason
"Informational (in) state 1"
*Aug 12 17:55:04.615: ISAKMP-PAK: (1059):received packet from 181.52.244.105 dpo
rt 500 sport 500 Global (R) QM_IDLE
*Aug 12 17:55:04.615: ISAKMP: (1059):set new node 127803894 to QM_IDLE
*Aug 12 17:55:04.615: ISAKMP: (1059):processing HASH payload. message ID = 12780
3894
*Aug 12 17:55:04.616: ISAKMP: (1059):processing SA payload. message ID = 1278038
94
*Aug 12 17:55:04.616: ISAKMP: (1059):Checking IPSec proposal 0
*Aug 12 17:55:04.616: ISAKMP: (1059):transform 0, AH_MD5
*Aug 12 17:55:04.616: ISAKMP: (1059): attributes in transform:
*Aug 12 17:55:04.616: ISAKMP: (1059): group is 2
*Aug 12 17:55:04.616: ISAKMP: (1059): encaps is 1 (Tunnel)
*Aug 12 17:55:04.616: ISAKMP: (1059): SA life type in seconds
*Aug 12 17:55:04.616: ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80

*Aug 12 17:55:04.616: ISAKMP: (1059): authenticator is HMAC-MD5
*Aug 12 17:55:04.616: ISAKMP: (1059):atts are acceptable.
*Aug 12 17:55:04.616: ISAKMP: (1059):Checking IPSec proposal 0
*Aug 12 17:55:04.616: ISAKMP: (1059):transform 0, ESP_3DES
*Aug 12 17:55:04.617: ISAKMP: (1059): attributes in transform:
*Aug 12 17:55:04.617: ISAKMP: (1059): group is 2
*Aug 12 17:55:04.617: ISAKMP: (1059): encaps is 1 (Tunnel)
*Aug 12 17:55:04.617: ISAKMP: (1059): SA life type in seconds
*Aug 12 17:55:04.617: ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80

*Aug 12 17:55:04.617: ISAKMP: (1059): authenticator is HMAC-MD5
*Aug 12 17:55:04.617: ISAKMP: (1059):atts are acceptable.
*Aug 12 17:55:04.617: ISAKMP-ERROR: (1059):IPSec policy invalidated proposal with error 256
*Aug 12 17:55:04.618: ISAKMP-ERROR: (1059):phase 2 SA policy not acceptable! (local 181.143.239.68 remote 181.52.244.105)
*Aug 12 17:55:04.618: ISAKMP: (1059):set new node 424657208 to QM_IDLE
*Aug 12 17:55:04.618: ISAKMP: (1059):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 2
spi 547180791068, message ID = 424657208
*Aug 12 17:55:04.618: ISAKMP-PAK: (1059):sending packet to 181.52.244.105 my_port 500 peer_port 500 (R) QM_IDLE
*Aug 12 17:55:04.618: ISAKMP: (1059):Sending an IKE IPv4 Packet.
*Aug 12 17:55:04.618: ISAKMP: (1059):purging node 424657208
*Aug 12 17:55:04.618: ISAKMP-ERROR: (1059):deleting node 127803894 error TRUE reason "QM rejected"
*Aug 12 17:55:04.618: ISAKMP: (1059):Node 127803894, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Aug 12 17:55:04.619: ISAKMP: (1059):Old State = IKE_QM_READY New State = IKE_QM_READY
*Aug 12 17:55:04.619: ISAKMP: (1058):set new node 217453643 to QM_IDLE
*Aug 12 17:55:04.619: ISAKMP-PAK: (1058):sending packet to 181.52.244.105 my_por
t 500 peer_port 500 (R) QM_IDLE
*Aug 12 17:55:04.619: ISAKMP: (1058):Sending an IKE IPv4 Packet.
*Aug 12 17:55:04.619: ISAKMP: (1058):purging node 217453643
*Aug 12 17:55:04.619: ISAKMP: (1058):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Aug 12 17:55:04.620: ISAKMP: (1058):Old State = IKE_P1_COMPLETE New State = IK
E_DEST_SA

*Aug 12 17:55:04.620: ISAKMP: (1058):deleting SA reason "No reason" state (R) QM
_IDLE (peer 181.52.244.105)
*Aug 12 17:55:04.620: ISAKMP: (0):Unlocking peer struct 0x7F59E0F188 for isadb_m
ark_sa_deleted(), count 1
*Aug 12 17:55:04.620: ISAKMP: (1058):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 12 17:55:04.620: ISAKMP: (1058):Old State = IKE_DEST_SA New State = IKE_DE
ST_SA

*Aug 12 17:55:13.214: ISAKMP-PAK: (1058):received packet from 181.52.244.105 dpo
rt 500 sport 500 Global (R) MM_NO_STATE
*Aug 12 17:55:15.254: ISAKMP-PAK: (1059):received packet from 181.52.244.105 dpo
rt 500 sport 500 Global (R) QM_IDLE
*Aug 12 17:55:15.254: ISAKMP: (1059):phase 2 packet is a duplicate of a previous
packet.
*Aug 12 17:55:15.254: ISAKMP: (1059):retransmitting due to retransmit phase 2
*Aug 12 17:55:15.254: ISAKMP: (1059):Quick Mode is being processed. Ignoring ret
ransmission
*Aug 12 17:55:33.292: ISAKMP: (1058):purging node 795172206
*Aug 12 17:55:34.579: ISAKMP-PAK: (1059):received packet from 181.52.244.105 dpo
rt 500 sport 500 Global (R) QM_IDLE
*Aug 12 17:55:34.580: ISAKMP: (1059):phase 2 packet is a duplicate of a previous
packet.
*Aug 12 17:55:34.580: ISAKMP: (1059):retransmitting due to retransmit phase 2
*Aug 12 17:55:34.580: ISAKMP: (1059):Quick Mode is being processed. Ignoring ret
ransmission
*Aug 12 17:55:53.302: ISAKMP-PAK: (0):received packet from 181.52.244.105 dport
500 sport 500 Global (N) NEW SA
*Aug 12 17:55:53.302: ISAKMP: (0):Found a peer struct for 181.52.244.105, peer p
ort 500
*Aug 12 17:55:53.303: ISAKMP: (0):Locking peer struct 0x7F59E0F188, refcount 2 f
or crypto_isakmp_process_block
*Aug 12 17:55:53.303: ISAKMP: (0):local port 500, remote port 500
*Aug 12 17:55:53.303: ISAKMP: (0):Find a dup sa in the avl tree during calling i
sadb_insert sa = 7F59E09490
*Aug 12 17:55:53.303: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 12 17:55:53.303: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1

*Aug 12 17:55:53.303: ISAKMP: (0):processing SA payload. message ID = 0
*Aug 12 17:55:53.303: ISAKMP: (0):processing vendor id payload
*Aug 12 17:55:53.303: ISAKMP: (0):vendor ID is DPD
*Aug 12 17:55:53.303: ISAKMP: (0):processing vendor id payload
*Aug 12 17:55:53.303: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatc
h
*Aug 12 17:55:53.303: ISAKMP: (0):vendor ID is NAT-T RFC 3947
*Aug 12 17:55:53.304: ISAKMP: (0):processing vendor id payload
*Aug 12 17:55:53.304: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismat
ch
*Aug 12 17:55:53.304: ISAKMP: (0):vendor ID is NAT-T v3
*Aug 12 17:55:53.304: ISAKMP: (0):processing vendor id payload
*Aug 12 17:55:53.304: ISAKMP: (0):vendor ID seems Unity/DPD but major 164 mismat
ch
*Aug 12 17:55:53.304: ISAKMP: (0):processing vendor id payload
*Aug 12 17:55:53.304: ISAKMP: (0):vendor ID seems Unity/DPD but major 221 mismat
ch
*Aug 12 17:55:53.304: ISAKMP: (0):found peer pre-shared key matching 181.52.244.
105
*Aug 12 17:55:53.304: ISAKMP: (0):local preshared key found
*Aug 12 17:55:53.304: ISAKMP: (0):Scanning profiles for xauth ...
*Aug 12 17:55:53.304: ISAKMP: (0):Checking ISAKMP transform 0 against priority 1
0 policy
*Aug 12 17:55:53.304: ISAKMP: (0): life type in seconds
*Aug 12 17:55:53.304: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Aug 12 17:55:53.305: ISAKMP: (0): encryption 3DES-CBC
*Aug 12 17:55:53.305: ISAKMP: (0): hash MD5
*Aug 12 17:55:53.305: ISAKMP: (0): auth pre-share
*Aug 12 17:55:53.305: ISAKMP: (0): default group 2
*Aug 12 17:55:53.305: ISAKMP: (0):atts are acceptable. Next payload is 0
*Aug 12 17:55:53.305: ISAKMP: (0):Acceptable atts:actual life: 86400
*Aug 12 17:55:53.305: ISAKMP: (0):Acceptable atts:life: 0
*Aug 12 17:55:53.305: ISAKMP: (0):Fill atts in sa vpi_length:4
*Aug 12 17:55:53.305: ISAKMP: (0):Fill atts in sa life_in_seconds:86400
*Aug 12 17:55:53.305: ISAKMP: (0):Returning Actual lifetime: 86400
*Aug 12 17:55:53.305: ISAKMP: (0):Started lifetime timer: 86400.

*Aug 12 17:55:53.308: ISAKMP: (0):processing vendor id payload
*Aug 12 17:55:53.308: ISAKMP: (0):vendor ID is DPD
*Aug 12 17:55:53.308: ISAKMP: (0):processing vendor id payload
*Aug 12 17:55:53.308: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatc
h
*Aug 12 17:55:53.309: ISAKMP: (0):vendor ID is NAT-T RFC 3947
*Aug 12 17:55:53.309: ISAKMP: (0):processing vendor id payload
*Aug 12 17:55:53.309: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismat
ch
*Aug 12 17:55:53.309: ISAKMP: (0):vendor ID is NAT-T v3
*Aug 12 17:55:53.309: ISAKMP: (0):processing vendor id payload
*Aug 12 17:55:53.309: ISAKMP: (0):vendor ID seems Unity/DPD but major 164 mismat
ch
*Aug 12 17:55:53.309: ISAKMP: (0):processing vendor id payload
*Aug 12 17:55:53.309: ISAKMP: (0):vendor ID seems Unity/DPD but major 221 mismat
ch
*Aug 12 17:55:53.309: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MO
DE
*Aug 12 17:55:53.309: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Aug 12 17:55:53.310: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Aug 12 17:55:53.310: ISAKMP-PAK: (0):sending packet to 181.52.244.105 my_port 5
00 peer_port 500 (R) MM_SA_SETUP
*Aug 12 17:55:53.310: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 12 17:55:53.310: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLET
E
*Aug 12 17:55:53.310: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2

*Aug 12 17:55:53.445: ISAKMP-PAK: (0):received packet from 181.52.244.105 dport
500 sport 500 Global (R) MM_SA_SETUP
*Aug 12 17:55:53.445: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 12 17:55:53.445: ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3

*Aug 12 17:55:53.445: ISAKMP: (0):processing KE payload. message ID = 0
*Aug 12 17:55:53.448: ISAKMP: (0):processing NONCE payload. message ID = 0
*Aug 12 17:55:53.449: ISAKMP: (0):found peer pre-shared key matching 181.52.244.
105
*Aug 12 17:55:53.449: ISAKMP: (1060):received payload type 20
*Aug 12 17:55:53.449: ISAKMP: (1060):His hash no match - this node outside NAT
*Aug 12 17:55:53.449: ISAKMP: (1060):received payload type 20
*Aug 12 17:55:53.449: ISAKMP: (1060):No NAT Found for self or peer
*Aug 12 17:55:53.449: ISAKMP: (1060):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN
_MODE
*Aug 12 17:55:53.449: ISAKMP: (1060):Old State = IKE_R_MM3 New State = IKE_R_MM
3

*Aug 12 17:55:53.449: ISAKMP-PAK: (1060):sending packet to 181.52.244.105 my_por
t 500 peer_port 500 (R) MM_KEY_EXCH
*Aug 12 17:55:53.449: ISAKMP: (1060):Sending an IKE IPv4 Packet.
*Aug 12 17:55:53.449: ISAKMP: (1060):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMP
LETE
*Aug 12 17:55:53.449: ISAKMP: (1060):Old State = IKE_R_MM3 New State = IKE_R_MM
4

*Aug 12 17:55:53.553: ISAKMP-PAK: (1060):received packet from 181.52.244.105 dpo
rt 500 sport 500 Global (R) MM_KEY_EXCH
*Aug 12 17:55:53.554: ISAKMP: (1060):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 12 17:55:53.554: ISAKMP: (1060):Old State = IKE_R_MM4 New State = IKE_R_MM
5

*Aug 12 17:55:53.554: ISAKMP: (1060):processing ID payload. message ID = 0
*Aug 12 17:55:53.554: ISAKMP: (1060):ID payload
next-payload : 8
type : 1
*Aug 12 17:55:53.554: ISAKMP: (1060): address : 181.52.244.105
*Aug 12 17:55:53.554: ISAKMP: (1060): protocol : 0
port : 0
length : 12
*Aug 12 17:55:53.554: ISAKMP: (0):peer matches *none* of the profiles
*Aug 12 17:55:53.554: ISAKMP: (1060):processing HASH payload. message ID = 0
*Aug 12 17:55:53.554: ISAKMP: (1060):SA authentication status:
authenticated
*Aug 12 17:55:53.554: ISAKMP: (1060):SA has been authenticated with 181.52.244.1
05
*Aug 12 17:55:53.555: ISAKMP: (1060):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN
_MODE
*Aug 12 17:55:53.555: ISAKMP: (1060):Old State = IKE_R_MM5 New State = IKE_R_MM
5

*Aug 12 17:55:53.555: ISAKMP: (1060):SA is doing
*Aug 12 17:55:53.555: ISAKMP: (1060):pre-shared key authentication using id type
ID_IPV4_ADDR
*Aug 12 17:55:53.555: ISAKMP: (1060):ID payload
next-payload : 8
type : 1
*Aug 12 17:55:53.555: ISAKMP: (1060): address : 181.143.239.68
*Aug 12 17:55:53.555: ISAKMP: (1060): protocol : 17
port : 500
length : 12
*Aug 12 17:55:53.555: ISAKMP: (1060):Total payload length: 12
*Aug 12 17:55:53.555: ISAKMP-PAK: (1060):sending packet to 181.52.244.105 my_por
t 500 peer_port 500 (R) MM_KEY_EXCH
*Aug 12 17:55:53.555: ISAKMP: (1060):Sending an IKE IPv4 Packet.
*Aug 12 17:55:53.556: ISAKMP: (1060):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMP
LETE
*Aug 12 17:55:53.556: ISAKMP: (1060):Old State = IKE_R_MM5 New State = IKE_R_MM
5

*Aug 12 17:55:53.556: ISAKMP: (1060):Input = IKE_MESG_INTERNAL, IKE_FETCH_USER_A
TTR
*Aug 12 17:55:53.556: ISAKMP: (1060):Old State = IKE_R_MM5 New State = IKE_P1_C
OMPLETE

*Aug 12 17:55:53.556: ISAKMP: (1060):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPL
ETE
*Aug 12 17:55:53.556: ISAKMP: (1060):Old State = IKE_P1_COMPLETE New State = IK
E_P1_COMPLETE

*Aug 12 17:55:53.649: ISAKMP-PAK: (1060):received packet from 181.52.244.105 dpo
rt 500 sport 500 Global (R) QM_IDLE
*Aug 12 17:55:53.649: ISAKMP: (1060):set new node 3890023995 to QM_IDLE
*Aug 12 17:55:53.650: ISAKMP: (1060):processing HASH payload. message ID = 38900
23995
*Aug 12 17:55:53.650: ISAKMP: (1060):processing SA payload. message ID = 3890023
995
*Aug 12 17:55:53.650: ISAKMP: (1060):Checking IPSec proposal 0
*Aug 12 17:55:53.650: ISAKMP: (1060):transform 0, AH_MD5
*Aug 12 17:55:53.650: ISAKMP: (1060): attributes in transform:
*Aug 12 17:55:53.650: ISAKMP: (1060): group is 2
*Aug 12 17:55:53.650: ISAKMP: (1060): encaps is 1 (Tunnel)
*Aug 12 17:55:53.650: ISAKMP: (1060): SA life type in seconds
*Aug 12 17:55:53.650: ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80

*Aug 12 17:55:53.650: ISAKMP: (1060): authenticator is HMAC-MD5
*Aug 12 17:55:53.650: ISAKMP: (1060):atts are acceptable.
*Aug 12 17:55:53.651: ISAKMP: (1060):Checking IPSec proposal 0
*Aug 12 17:55:53.651: ISAKMP: (1060):transform 0, ESP_3DES
*Aug 12 17:55:53.651: ISAKMP: (1060): attributes in transform:
*Aug 12 17:55:53.651: ISAKMP: (1060): group is 2
*Aug 12 17:55:53.651: ISAKMP: (1060): encaps is 1 (Tunnel)
*Aug 12 17:55:53.651: ISAKMP: (1060): SA life type in seconds
*Aug 12 17:55:53.651: ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80

*Aug 12 17:55:53.651: ISAKMP: (1060): authenticator is HMAC-MD5
*Aug 12 17:55:53.651: ISAKMP: (1060):atts are acceptable.
*Aug 12 17:55:53.651: ISAKMP-ERROR: (1060):IPSec policy invalidated proposal with error 256
*Aug 12 17:55:53.652: ISAKMP-ERROR: (1060):phase 2 SA policy not acceptable! (local 181.143.239.68 remote 181.52.244.105)
*Aug 12 17:55:53.652: ISAKMP: (1060):set new node 4127216927 to QM_IDLE
*Aug 12 17:55:53.652: ISAKMP: (1060):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 2
spi 547180791068, message ID = 4127216927
*Aug 12 17:55:53.652: ISAKMP-PAK: (1060):sending packet to 181.52.244.105 my_port 500 peer_port 500 (R) QM_IDLE
*Aug 12 17:55:53.652: ISAKMP: (1060):Sending an IKE IPv4 Packet.
*Aug 12 17:55:53.652: ISAKMP: (1060):purging node 4127216927
*Aug 12 17:55:53.652: ISAKMP-ERROR: (1060):deleting node 3890023995 error TRUE reason "QM rejected"
*Aug 12 17:55:53.653: ISAKMP: (1060):Node 3890023995, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Aug 12 17:55:53.653: ISAKMP: (1060):Old State = IKE_QM_READY New State = IKE_QM_READY
*Aug 12 17:55:53.660: ISAKMP-PAK: (1059):received packet from 181.52.244.105 dpo
rt 500 sport 500 Global (R) QM_IDLE
*Aug 12 17:55:53.660: ISAKMP: (1059):set new node 1153168976 to QM_IDLE
*Aug 12 17:55:53.660: ISAKMP: (1059):processing HASH payload. message ID = 11531
68976
*Aug 12 17:55:53.660: ISAKMP: (1059):processing DELETE payload. message ID = 115
3168976
*Aug 12 17:55:53.660: ISAKMP: (1059):peer does not do paranoid keepalives.
*Aug 12 17:55:53.660: ISAKMP: (1059):deleting SA reason "No reason" state (R) QM
_IDLE (peer 181.52.244.105)
*Aug 12 17:55:53.660: ISAKMP: (1059):deleting node 1153168976 error FALSE reason
"Informational (in) state 1"
*Aug 12 17:55:53.661: ISAKMP: (1059):set new node 1884835250 to QM_IDLE
*Aug 12 17:55:53.661: ISAKMP-PAK: (1059):sending packet to 181.52.244.105 my_por
t 500 peer_port 500 (R) QM_IDLE
*Aug 12 17:55:53.661: ISAKMP: (1059):Sending an IKE IPv4 Packet.
*Aug 12 17:55:53.661: ISAKMP: (1059):purging node 1884835250
*Aug 12 17:55:53.661: ISAKMP: (1059):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Aug 12 17:55:53.661: ISAKMP: (1059):Old State = IKE_P1_COMPLETE New State = IK
E_DEST_SA

*Aug 12 17:55:53.662: ISAKMP: (1059):deleting SA reason "No reason" state (R) QM
_IDLE (peer 181.52.244.105)
*Aug 12 17:55:53.662: ISAKMP: (0):Unlocking peer struct 0x7F59E0F188 for isadb_m
ark_sa_deleted(), count 1
*Aug 12 17:55:53.662: ISAKMP: (1059):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 12 17:55:53.662: ISAKMP: (1059):Old State = IKE_DEST_SA New State = IKE_DE
ST_SA

*Aug 12 17:55:54.615: ISAKMP: (1058):purging node 593138352
*Aug 12 17:55:54.620: ISAKMP: (1059):purging node 127803894
*Aug 12 17:56:04.205: ISAKMP-PAK: (1060):received packet from 181.52.244.105 dpo
rt 500 sport 500 Global (R) QM_IDLE
*Aug 12 17:56:04.205: ISAKMP: (1060):phase 2 packet is a duplicate of a previous
packet.
*Aug 12 17:56:04.205: ISAKMP: (1060):retransmitting due to retransmit phase 2
*Aug 12 17:56:04.205: ISAKMP: (1060):Quick Mode is being processed. Ignoring ret
ransmission
*Aug 12 17:56:04.619: ISAKMP: (1058):purging SA., sa=7F695EFF60, delme=7F695EFF6
0
*Aug 12 17:56:15.241: ISAKMP-PAK: (1060):received packet from 181.52.244.105 dpo
rt 500 sport 500 Global (R) QM_IDLE
*Aug 12 17:56:15.242: ISAKMP: (1060):set new node 3973288500 to QM_IDLE
*Aug 12 17:56:15.242: ISAKMP: (1060):processing HASH payload. message ID = 39732
88500
*Aug 12 17:56:15.242: ISAKMP: (1060):processing SA payload. message ID = 3973288
500
*Aug 12 17:56:15.242: ISAKMP: (1060):Checking IPSec proposal 0
*Aug 12 17:56:15.242: ISAKMP: (1060):

 

Hall of Fame Master

Re: Vpn connection to lan no answer cisco 1100 series

I am surprised about this debug output. There have been previous posts showing crypto ipsec sa which have indicated that a Security Association had been successfully negotiated. Now this debug output shows that phase 2 negotiation has an error and fails. Has anything changed on either configuration? Would you post a current output of show crypto ipsec sa?

 

HTH

 

Rick

Beginner

Re: Vpn connection to lan no answer cisco 1100 series

Router#show crypto ipsec sa

interface: GigabitEthernet0/0/0
Crypto map tag: CMAP, local addr 181.143.239.68

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer 181.52.244.105 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 181.143.239.68, remote crypto endpt.: 181.52.244.105
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:
Beginner

Re: Vpn connection to lan no answer cisco 1100 series


Could something be missing from the access list?

Router#show crypto ipsec sa

interface: GigabitEthernet0/0/0
Crypto map tag: CMAP, local addr 181.143.239.68

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer 181.52.244.105 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 181.143.239.68, remote crypto endpt.: 181.52.244.105
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

*Aug 13 10:50:57.907: ISAKMP: (1585): authenticator is HMAC-MD5
*Aug 13 10:50:57.907: ISAKMP: (1585):atts are acceptable.
*Aug 13 10:50:57.907: ISAKMP: (1585):Checking IPSec proposal 0
*Aug 13 10:50:57.907: ISAKMP: (1585):transform 0, ESP_3DES
*Aug 13 10:50:57.907: ISAKMP: (1585): attributes in transform:
*Aug 13 10:50:57.907: ISAKMP: (1585): group is 2
*Aug 13 10:50:57.907: ISAKMP: (1585): encaps is 1 (Tunnel)
*Aug 13 10:50:57.907: ISAKMP: (1585): SA life type in seconds
*Aug 13 10:50:57.907: ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80

*Aug 13 10:50:57.907: ISAKMP: (1585): authenticator is HMAC-MD5
*Aug 13 10:50:57.907: ISAKMP: (1585):atts are acceptable.
*Aug 13 10:50:57.908: ISAKMP-ERROR: (1585):IPSec policy invalidated proposal wit
h error 256
*Aug 13 10:50:57.908: ISAKMP-ERROR: (1585):phase 2 SA policy not acceptable! (lo
cal 181.143.239.68 remote 181.52.244.105)
*Aug 13 10:50:57.908: ISAKMP: (1585):set new node 3895114166 to QM_IDLE
*Aug 13 10:50:57.908: ISAKMP: (1585):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol
2
spi 547180791068, message ID = 3895114166
*Aug 13 10:50:57.908: ISAKMP-PAK: (1585):sending packet to 181.52.244.105 my_por
t 500 peer_port 500 (R) QM_IDLE
*Aug 13 10:50:57.908: ISAKMP: (1585):Sending an IKE IPv4 Packet.
*Aug 13 10:50:57.909: ISAKMP: (1585):purging node 3895114166
*Aug 13 10:50:57.909: ISAKMP-ERROR: (1585):deleting node 2783271685 error TRUE r
eason "QM rejected"
*Aug 13 10:50:57.909: ISAKMP: (1585):Node 2783271685, Input = IKE_MESG_FROM_PEER
, IKE_QM_EXCH
*Aug 13 10:50:57.909: ISAKMP: (1585):Old State = IKE_QM_READY New State = IKE_Q
M_READY
*Aug 13 10:51:07.826: ISAKMP-PAK: (1585):received packet from 181.52.244.105 dpo
rt 500 sport 500 Global (R) QM_IDLE
*Aug 13 10:51:07.826: ISAKMP: (1585):phase 2 packet is a duplicate of a previous
packet.
*Aug 13 10:51:07.826: ISAKMP: (1585):retransmitting due to retransmit phase 2
*Aug 13 10:51:07.826: ISAKMP: (1585):Quick Mode is being processed. Ignoring ret
ransmission
*Aug 13 10:51:13.935: ISAKMP-PAK: (0):received packet from 181.52.244.105 dport
500 sport 500 Global (N) NEW SA
*Aug 13 10:51:13.936: ISAKMP: (0):Found a peer struct for 181.52.244.105, peer p
ort 500
*Aug 13 10:51:13.936: ISAKMP: (0):Locking peer struct 0x7F695D9DC0, refcount 2 f
or crypto_isakmp_process_block
*Aug 13 10:51:13.936: ISAKMP: (0):local port 500, remote port 500
*Aug 13 10:51:13.936: ISAKMP: (0):Find a dup sa in the avl tree during calling i
sadb_insert sa = 7F69BF4670
*Aug 13 10:51:13.936: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 13 10:51:13.936: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1

*Aug 13 10:51:13.936: ISAKMP: (0):processing SA payload. message ID = 0
*Aug 13 10:51:13.936: ISAKMP: (0):processing vendor id payload
*Aug 13 10:51:13.937: ISAKMP: (0):vendor ID is DPD
*Aug 13 10:51:13.937: ISAKMP: (0):found peer pre-shared key matching 181.52.244.
105
*Aug 13 10:51:13.937: ISAKMP: (0):local preshared key found
*Aug 13 10:51:13.937: ISAKMP: (0):Scanning profiles for xauth ...
*Aug 13 10:51:13.937: ISAKMP: (0):Checking ISAKMP transform 0 against priority 1
0 policy
*Aug 13 10:51:13.937: ISAKMP: (0): life type in seconds
*Aug 13 10:51:13.937: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Aug 13 10:51:13.937: ISAKMP: (0): encryption 3DES-CBC
*Aug 13 10:51:13.937: ISAKMP: (0): hash MD5
*Aug 13 10:51:13.937: ISAKMP: (0): auth pre-share
*Aug 13 10:51:13.938: ISAKMP: (0): default group 2
*Aug 13 10:51:13.938: ISAKMP: (0):atts are acceptable. Next payload is 0
*Aug 13 10:51:13.938: ISAKMP: (0):Acceptable atts:actual life: 86400
*Aug 13 10:51:13.938: ISAKMP: (0):Acceptable atts:life: 0
*Aug 13 10:51:13.938: ISAKMP: (0):Fill atts in sa vpi_length:4
*Aug 13 10:51:13.938: ISAKMP: (0):Fill atts in sa life_in_seconds:86400
*Aug 13 10:51:13.939: ISAKMP: (0):Returning Actual lifetime: 86400
*Aug 13 10:51:13.939: ISAKMP: (0):Started lifetime timer: 86400.

*Aug 13 10:51:13.939: ISAKMP: (0):processing vendor id payload
*Aug 13 10:51:13.939: ISAKMP: (0):vendor ID is DPD
*Aug 13 10:51:13.939: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MO
DE
*Aug 13 10:51:13.939: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Aug 13 10:51:13.939: ISAKMP-PAK: (0):sending packet to 181.52.244.105 my_port 5
00 peer_port 500 (R) MM_SA_SETUP
*Aug 13 10:51:13.939: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 13 10:51:13.939: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLET
E
*Aug 13 10:51:13.940: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2

*Aug 13 10:51:14.034: ISAKMP-PAK: (0):received packet from 181.52.244.105 dport
500 sport 500 Global (R) MM_SA_SETUP
*Aug 13 10:51:14.034: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 13 10:51:14.034: ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3

*Aug 13 10:51:14.034: ISAKMP: (0):processing KE payload. message ID = 0
*Aug 13 10:51:14.037: ISAKMP: (0):processing NONCE payload. message ID = 0
*Aug 13 10:51:14.037: ISAKMP: (0):found peer pre-shared key matching 181.52.244.
105
*Aug 13 10:51:14.038: ISAKMP: (1586):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN
_MODE
*Aug 13 10:51:14.038: ISAKMP: (1586):Old State = IKE_R_MM3 New State = IKE_R_MM
3

*Aug 13 10:51:14.038: ISAKMP-PAK: (1586):sending packet to 181.52.244.105 my_por
t 500 peer_port 500 (R) MM_KEY_EXCH
*Aug 13 10:51:14.038: ISAKMP: (1586):Sending an IKE IPv4 Packet.
*Aug 13 10:51:14.038: ISAKMP: (1586):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMP
LETE
*Aug 13 10:51:14.038: ISAKMP: (1586):Old State = IKE_R_MM3 New State = IKE_R_MM
4

*Aug 13 10:51:14.172: ISAKMP-PAK: (1586):received packet from 181.52.244.105 dpo
rt 500 sport 500 Global (R) MM_KEY_EXCH
*Aug 13 10:51:14.173: ISAKMP: (1586):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 13 10:51:14.173: ISAKMP: (1586):Old State = IKE_R_MM4 New State = IKE_R_MM
5

*Aug 13 10:51:14.173: ISAKMP: (1586):processing ID payload. message ID = 0
*Aug 13 10:51:14.173: ISAKMP: (1586):ID payload
next-payload : 8
type : 1
*Aug 13 10:51:14.173: ISAKMP: (1586): address : 181.52.244.105
*Aug 13 10:51:14.173: ISAKMP: (1586): protocol : 0
port : 0
length : 12
*Aug 13 10:51:14.173: ISAKMP: (0):peer matches *none* of the profiles
*Aug 13 10:51:14.173: ISAKMP: (1586):processing HASH payload. message ID = 0
*Aug 13 10:51:14.173: ISAKMP: (1586):SA authentication status:
authenticated
*Aug 13 10:51:14.173: ISAKMP: (1586):SA has been authenticated with 181.52.244.1
05
*Aug 13 10:51:14.174: ISAKMP: (1586):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN
_MODE
*Aug 13 10:51:14.174: ISAKMP: (1586):Old State = IKE_R_MM5 New State = IKE_R_MM
5

*Aug 13 10:51:14.174: ISAKMP: (1586):SA is doing
*Aug 13 10:51:14.174: ISAKMP: (1586):pre-shared key authentication using id type
ID_IPV4_ADDR
*Aug 13 10:51:14.174: ISAKMP: (1586):ID payload
next-payload : 8
type : 1
*Aug 13 10:51:14.174: ISAKMP: (1586): address : 181.143.239.68
*Aug 13 10:51:14.174: ISAKMP: (1586): protocol : 17
port : 500
length : 12
*Aug 13 10:51:14.174: ISAKMP: (1586):Total payload length: 12
*Aug 13 10:51:14.174: ISAKMP-PAK: (1586):sending packet to 181.52.244.105 my_por
t 500 peer_port 500 (R) MM_KEY_EXCH
*Aug 13 10:51:14.175: ISAKMP: (1586):Sending an IKE IPv4 Packet.
*Aug 13 10:51:14.175: ISAKMP: (1586):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMP
LETE
*Aug 13 10:51:14.175: ISAKMP: (1586):Old State = IKE_R_MM5 New State = IKE_R_MM
5

*Aug 13 10:51:14.175: ISAKMP: (1586):Input = IKE_MESG_INTERNAL, IKE_FETCH_USER_A
TTR
*Aug 13 10:51:14.175: ISAKMP: (1586):Old State = IKE_R_MM5 New State = IKE_P1_C
OMPLETE

*Aug 13 10:51:14.175: ISAKMP: (1586):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPL
ETE
*Aug 13 10:51:14.175: ISAKMP: (1586):Old State = IKE_P1_COMPLETE New State = IK
E_P1_COMPLETE

*Aug 13 10:51:14.263: ISAKMP-PAK: (1585):received packet from 181.52.244.105 dpo
rt 500 sport 500 Global (R) QM_IDLE
*Aug 13 10:51:14.263: ISAKMP: (1585):set new node 592871308 to QM_IDLE
*Aug 13 10:51:14.263: ISAKMP: (1585):processing HASH payload. message ID = 59287
1308
*Aug 13 10:51:14.263: ISAKMP: (1585):processing DELETE payload. message ID = 592
871308
*Aug 13 10:51:14.263: ISAKMP: (1585):peer does not do paranoid keepalives.
*Aug 13 10:51:14.264: ISAKMP: (1585):deleting SA reason "No reason" state (R) QM
_IDLE (peer 181.52.244.105)
*Aug 13 10:51:14.264: ISAKMP: (1585):deleting node 592871308 error FALSE reason
"Informational (in) state 1"
*Aug 13 10:51:14.264: ISAKMP-PAK: (1586):received packet from 181.52.244.105 dpo
rt 500 sport 500 Global (R) QM_IDLE
*Aug 13 10:51:14.264: ISAKMP: (1586):set new node 2093693402 to QM_IDLE
*Aug 13 10:51:14.264: ISAKMP: (1586):processing HASH payload. message ID = 20936
93402
*Aug 13 10:51:14.264: ISAKMP: (1586):processing SA payload. message ID = 2093693
402
*Aug 13 10:51:14.264: ISAKMP: (1586):Checking IPSec proposal 0
*Aug 13 10:51:14.264: ISAKMP: (1586):transform 0, AH_MD5
*Aug 13 10:51:14.264: ISAKMP: (1586): attributes in transform:
*Aug 13 10:51:14.264: ISAKMP: (1586): group is 2
*Aug 13 10:51:14.264: ISAKMP: (1586): encaps is 1 (Tunnel)
*Aug 13 10:51:14.264: ISAKMP: (1586): SA life type in seconds
*Aug 13 10:51:14.265: ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80

*Aug 13 10:51:14.265: ISAKMP: (1586): authenticator is HMAC-MD5
*Aug 13 10:51:14.265: ISAKMP: (1586):atts are acceptable.
*Aug 13 10:51:14.265: ISAKMP: (1586):Checking IPSec proposal 0
*Aug 13 10:51:14.265: ISAKMP: (1586):transform 0, ESP_3DES
*Aug 13 10:51:14.265: ISAKMP: (1586): attributes in transform:
*Aug 13 10:51:14.265: ISAKMP: (1586): group is 2
*Aug 13 10:51:14.265: ISAKMP: (1586): encaps is 1 (Tunnel)
*Aug 13 10:51:14.265: ISAKMP: (1586): SA life type in seconds
*Aug 13 10:51:14.265: ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80

*Aug 13 10:51:14.266: ISAKMP: (1586): authenticator is HMAC-MD5
*Aug 13 10:51:14.266: ISAKMP: (1586):atts are acceptable.
*Aug 13 10:51:14.266: ISAKMP-ERROR: (1586):IPSec policy invalidated proposal wit
h error 256
*Aug 13 10:51:14.266: ISAKMP-ERROR: (1586):phase 2 SA policy not acceptable! (lo
cal 181.143.239.68 remote 181.52.244.105)
*Aug 13 10:51:14.266: ISAKMP: (1586):set new node 2677164827 to QM_IDLE
*Aug 13 10:51:14.266: ISAKMP: (1586):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol
2
spi 547180791068, message ID = 2677164827
*Aug 13 10:51:14.266: ISAKMP-PAK: (1586):sending packet to 181.52.244.105 my_por
t 500 peer_port 500 (R) QM_IDLE
*Aug 13 10:51:14.266: ISAKMP: (1586):Sending an IKE IPv4 Packet.
*Aug 13 10:51:14.267: ISAKMP: (1586):purging node 2677164827
*Aug 13 10:51:14.267: ISAKMP-ERROR: (1586):deleting node 2093693402 error TRUE r
eason "QM rejected"
*Aug 13 10:51:14.267: ISAKMP: (1586):Node 2093693402, Input = IKE_MESG_FROM_PEER
, IKE_QM_EXCH
*Aug 13 10:51:14.267: ISAKMP: (1586):Old State = IKE_QM_READY New State = IKE_Q
M_READY
*Aug 13 10:51:14.267: ISAKMP: (1585):set new node 3277942666 to QM_IDLE
*Aug 13 10:51:14.267: ISAKMP-PAK: (1585):sending packet to 181.52.244.105 my_por
t 500 peer_port 500 (R) QM_IDLE
*Aug 13 10:51:14.268: ISAKMP: (1585):Sending an IKE IPv4 Packet.
*Aug 13 10:51:14.268: ISAKMP: (1585):purging node 3277942666
*Aug 13 10:51:14.268: ISAKMP: (1585):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Aug 13 10:51:14.268: ISAKMP: (1585):Old State = IKE_P1_COMPLETE New State = IK
E_DEST_SA

*Aug 13 10:51:14.268: ISAKMP: (1585):deleting SA reason "No reason" state (R) QM
_IDLE (peer 181.52.244.105)
*Aug 13 10:51:14.268: ISAKMP: (0):Unlocking peer struct 0x7F695D9DC0 for isadb_m
ark_sa_deleted(), count 1
*Aug 13 10:51:14.268: ISAKMP: (1585):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 13 10:51:14.268: ISAKMP: (1585):Old State = IKE_DEST_SA New State = IKE_DE
ST_SA

*Aug 13 10:51:23.835: ISAKMP-PAK: (1586):received packet from 181.52.244.105 dpo
rt 500 sport 500 Global (R) QM_IDLE
*Aug 13 10:51:23.835: ISAKMP: (1586):phase 2 packet is a duplicate of a previous
packet.
*Aug 13 10:51:23.835: ISAKMP: (1586):retransmitting due to retransmit phase 2
*Aug 13 10:51:23.835: ISAKMP: (1586):Quick Mode is being processed. Ignoring ret
ransmission
*Aug 13 10:51:27.881: ISAKMP-PAK: (1585):received packet from 181.52.244.105 dpo
rt 500 sport 500 Global (R) MM_NO_STATE
Router#no debug crypto isakmp
Crypto ISAKMP debugging is off
Hall of Fame Master

Re: Vpn connection to lan no answer cisco 1100 series

Thank you for the additional output. I find it very puzzling. It shows that an ipsec Security Association has been negotiated and that its parameters seem correct:

Router#show crypto ipsec sa

interface: GigabitEthernet0/0/0
Crypto map tag: CMAP, local addr 181.143.239.68

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer 181.52.244.105 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

 

It has the correct local address and correct remote peer address. It has correct local lan and correct remote lan. But no packets are going through the vpn.

 

Then there is the debug output which seems to be coming from that remote peer. But its parameters do not match and the negotiation is not successful. Is it possible that there are 2 devices with IP of 181.52.244.105?

 

HTH

 

Rick

Beginner

Re: Vpn connection to lan no answer cisco 1100 series


There is only one device assigned to IP .105, which corresponds to the rgv042g with which I am trying to connect.
Beginner

Re: Vpn connection to lan no answer cisco 1100 series

In short, I managed to establish the connection to the rgv042g router (image attached). Once I deactivated the AH hash I could make the connection, but still no type of packet reaches the LAN. The very strange thing that happens is that by mistake I pinged 192.16.5.1 and it effectively responds on both routers, but at no time have I set that IP. The same thing happens if I ping the public IP 181.5.244.105, removing a number from the 2nd octet: it responds. In the attachment I underlined the ping.

 

Router#ping 192.168.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#ping 192.16.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.16.5.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 228/229/232 ms

Router#ping 181.5.244.105
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.16.5.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 228/229/232 ms

Router#show crypto ipsec sa

interface: GigabitEthernet0/0/0
Crypto map tag: CMAP, local addr 181.143.239.68

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer 181.52.244.105 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 181.143.239.68, remote crypto endpt.: 181.52.244.105
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
/0/0
current outbound spi: 0x755EDD56(1969151318)
PFS (Y/N): Y, DH group: group2

inbound esp sas:
spi: 0xEE2CF831(3995924529)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2033, flow_id: ESG:33, sibling_flags FFFFFFFF80000048, crypto m
ap: CMAP
sa timing: remaining key lifetime (k/sec): (4608000/3366)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x755EDD56(1969151318)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2034, flow_id: ESG:34, sibling_flags FFFFFFFF80000048, crypto m
ap: CMAP
sa timing: remaining key lifetime (k/sec): (4608000/3366)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

Beginner

Re: Vpn connection to lan no answer cisco 1100 series


I have managed to establish a successful VPN connection from the rgv042g to the ISR 1100 by making some changes to the rgv042g connection to the (LAN) 192.168.13.1.

As for the ISR 1100, it does not communicate with LAN 192.168.5.1.
Connectivity has progressed; only this device is still missing the ability to communicate with the LAN.

Router#show crypto ipsec sa

interface: GigabitEthernet0/0/0
Crypto map tag: CMAP, local addr 181.143.239.68

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer 181.52.244.105 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 228, #pkts encrypt: 228, #pkts digest: 228
#pkts decaps: 237, #pkts decrypt: 237, #pkts verify: 237
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 181.143.239.68, remote crypto endpt.: 181.52.244.105
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
/0/0
current outbound spi: 0xAFEDA362(2951586658)
PFS (Y/N): Y, DH group: group2

inbound esp sas:
spi: 0x2D52199B(760355227)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2005, flow_id: ESG:5, sibling_flags FFFFFFFF80000048, crypto ma
p: CMAP
sa timing: remaining key lifetime (k/sec): (4607958/78796)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xAFEDA362(2951586658)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2006, flow_id: ESG:6, sibling_flags FFFFFFFF80000048, crypto ma
p: CMAP
sa timing: remaining key lifetime (k/sec): (4607957/78796)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
Hall of Fame Master

Re: Vpn connection to lan no answer cisco 1100 series

Thanks for the update. Seeing the ipsec sa encaps and decaps greater than zero does demonstrate that the vpn is carrying traffic in both directions. What did you change on the rv042g?

 

HTH

 

Rick
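As an added example, not part of this thread or of Cisco's own tooling, the script below automates the two readings Rick makes above: grouping the Quick Mode lines of a `debug crypto isakmp` transcript by IKE SA id to see which transforms the peer proposed and whether IOS rejected them, and classifying `show crypto ipsec sa` counters (outbound spi 0x0, zero encaps/decaps, or traffic in both directions). The sample inputs are constructed, modelled on the outputs quoted in the thread; the classification labels and the `explain_rejection` wording are my own.

```python
import re
from collections import defaultdict

# Constructed samples, modelled on the outputs quoted in this thread (ids and
# counters abbreviated; not a verbatim copy of any post).
ISAKMP_DEBUG = """\
*Aug 13 10:51:14.264: ISAKMP: (1586):Checking IPSec proposal 0
*Aug 13 10:51:14.264: ISAKMP: (1586):transform 0, AH_MD5
*Aug 13 10:51:14.264: ISAKMP: (1586): group is 2
*Aug 13 10:51:14.265: ISAKMP: (1586): authenticator is HMAC-MD5
*Aug 13 10:51:14.265: ISAKMP: (1586):Checking IPSec proposal 0
*Aug 13 10:51:14.265: ISAKMP: (1586):transform 0, ESP_3DES
*Aug 13 10:51:14.265: ISAKMP: (1586): group is 2
*Aug 13 10:51:14.266: ISAKMP: (1586): authenticator is HMAC-MD5
*Aug 13 10:51:14.266: ISAKMP-ERROR: (1586):phase 2 SA policy not acceptable! (local 181.143.239.68 remote 181.52.244.105)
*Aug 13 10:51:14.266: ISAKMP: (1586):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 2
"""
SHOW_SA_NO_SA = "#pkts encaps: 0, #pkts encrypt: 0\n#pkts decaps: 0, #pkts decrypt: 0\ncurrent outbound spi: 0x0(0)\n"
SHOW_SA_IDLE = "#pkts encaps: 0, #pkts encrypt: 0\n#pkts decaps: 0, #pkts decrypt: 0\ncurrent outbound spi: 0x755EDD56(1969151318)\n"
SHOW_SA_BUSY = "#pkts encaps: 228, #pkts encrypt: 228\n#pkts decaps: 237, #pkts decrypt: 237\ncurrent outbound spi: 0xAFEDA362(2951586658)\n"

LINE_RE = re.compile(r"ISAKMP(?:-ERROR)?: \((\d+)\):\s*(.*)$")
TRANSFORM_RE = re.compile(r"transform \d+, (\w+)")
PEER_RE = re.compile(r"local (\S+) remote (\S+)\)")


def parse_phase2(debug_text):
    """Group Quick Mode lines by IKE SA id: every 'transform N, PROTO' line opens
    a new proposed transform, later attribute lines fill it in, and the
    'phase 2 SA policy not acceptable' error marks the whole bundle rejected."""
    sas = defaultdict(lambda: {"transforms": [], "rejected": False})
    for line in debug_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec, msg = sas[m.group(1)], m.group(2)
        t = TRANSFORM_RE.search(msg)
        if t:
            rec["transforms"].append({"proto": t.group(1)})
        elif rec["transforms"] and msg.startswith("group is "):
            rec["transforms"][-1]["group"] = int(msg.split()[-1])
        elif rec["transforms"] and msg.startswith("authenticator is "):
            rec["transforms"][-1]["auth"] = msg.split()[-1]
        elif "phase 2 SA policy not acceptable" in msg:
            rec["rejected"] = True
            rec["local"], rec["remote"] = PEER_RE.search(msg).groups()
    return dict(sas)


def explain_rejection(rec):
    """Turn a parsed record into the question a troubleshooter should ask next."""
    protos = [t["proto"] for t in rec["transforms"]]
    if not rec["rejected"]:
        return "phase 2 accepted"
    if any(p.startswith("AH_") for p in protos) and any(p.startswith("ESP_") for p in protos):
        # An AH+ESP bundle only matches a transform set that carries both an
        # ah- and an esp- transform (hypothetical wording, not IOS output).
        return "peer proposes an AH+ESP bundle %s; local transform set must match both or peer must drop AH" % protos
    return "peer proposal %s not matched by any local transform set" % protos


def ipsec_sa_status(show_text):
    """Classify 'show crypto ipsec sa' the way the thread reasons about it."""
    enc = int(re.search(r"#pkts encaps: (\d+)", show_text).group(1))
    dec = int(re.search(r"#pkts decaps: (\d+)", show_text).group(1))
    spi = int(re.search(r"current outbound spi: 0x([0-9A-Fa-f]+)", show_text).group(1), 16)
    if spi == 0:
        return "no-sa"        # phase 2 never completed: nothing installed
    if enc == 0 and dec == 0:
        return "idle"         # SA installed, but no packet has matched the crypto ACL
    if enc and dec:
        return "both-ways"    # encaps and decaps > 0: tunnel carries traffic
    return "one-way"          # traffic in one direction only: look at the far side


if __name__ == "__main__":
    for sa_id, rec in parse_phase2(ISAKMP_DEBUG).items():
        print(sa_id, explain_rejection(rec))
    for name, txt in [("no-sa", SHOW_SA_NO_SA), ("idle", SHOW_SA_IDLE), ("busy", SHOW_SA_BUSY)]:
        print(name, ipsec_sa_status(txt))
```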
