02-13-2019 03:42 PM
Hello
I'm struggling with a site-to-site VPN with a third-party partner; I don't have access to the remote end. The state is MM_KEY_EXCH and I already double-checked the PSK with my partner. Can you help me figure it out:
Thanks
######################## Config :
crypto isakmp policy 30
encr aes 256
authentication pre-share
group 5
crypto isakmp key xxxxxxxxxxxxxxxxxxxxxx address y.y.y.y no-xauth
crypto map VPN 30 ipsec-isakmp
set peer y.y.y.y
set security-association lifetime seconds 86400
set transform-set TRANSFORM1
match address Crypto_Map_VPN
ip access-list extended Crypto_Map_VPN
permit ip host 172.31.63.49 192.168.30.0 0.0.0.255
permit ip host 172.31.63.33 192.168.30.0 0.0.0.255
interface Loopback0
ip address 172.31.63.33 255.255.255.255
######################## Command test :
telnet 192.168.30.195 8000 /source-interface Loopback0
######################## Log :
3153697: Feb 13 16:37:49.392 PST: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.131.33.32:500, remote= y.y.y.y:500,
local_proxy= 172.31.63.33/255.255.255.255/256/0,
remote_proxy= 192.168.30.0/255.255.255.0/256/0,
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
lifedur= 86400s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
3153698: Feb 13 16:37:49.392 PST: ISAKMP: (0):SA request profile is (NULL)
3153699: Feb 13 16:37:49.393 PST: ISAKMP: (0):Created a peer struct for y.y.y.y, peer port 500
3153700: Feb 13 16:37:49.393 PST: ISAKMP: (0):New peer created peer = 0x7FC713C1D7B0 peer_handle = 0x800000EC
3153701: Feb 13 16:37:49.393 PST: ISAKMP: (0):Locking peer struct 0x7FC713C1D7B0, refcount 1 for isakmp_initiator
3153702: Feb 13 16:37:49.393 PST: ISAKMP: (0):local port 500, remote port 500
3153703: Feb 13 16:37:49.393 PST: ISAKMP: (0):set new node 0 to QM_IDLE
3153704: Feb 13 16:37:49.393 PST: ISAKMP: (0):insert sa successfully sa = 7FC714002258
3153705: Feb 13 16:37:49.393 PST: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
3153706: Feb 13 16:37:49.393 PST: ISAKMP: (0):found peer pre-shared key matching y.y.y.y
3153707: Feb 13 16:37:49.393 PST: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
3153708: Feb 13 16:37:49.393 PST: ISAKMP: (0):constructed NAT-T vendor-07 ID
3153709: Feb 13 16:37:49.393 PST: ISAKMP: (0):constructed NAT-T vendor-03 ID
3153710: Feb 13 16:37:49.393 PST: ISAKMP: (0):constructed NAT-T vendor-02 ID
3153711: Feb 13 16:37:49.393 PST: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
3153712: Feb 13 16:37:49.393 PST: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1
3153713: Feb 13 16:37:49.393 PST: ISAKMP: (0):beginning Main Mode exchange
3153714: Feb 13 16:37:49.393 PST: ISAKMP-PAK: (0):sending packet to y.y.y.y my_port 500 peer_port 500 (I) MM_NO_STATE
3153715: Feb 13 16:37:49.393 PST: ISAKMP: (0):Sending an IKE IPv4 Packet.
3153716: Feb 13 16:37:49.404 PST: ISAKMP-PAK: (0):received packet from y.y.y.y dport 500 sport 500 Global (I) MM_NO_STATE
3153717: Feb 13 16:37:49.404 PST: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
3153718: Feb 13 16:37:49.404 PST: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_I_MM2
3153719: Feb 13 16:37:49.404 PST: ISAKMP: (0):processing SA payload. message ID = 0
3153720: Feb 13 16:37:49.404 PST: ISAKMP: (0):processing vendor id payload
3153721: Feb 13 16:37:49.404 PST: ISAKMP: (0):vendor ID seems Unity/DPD but major 28 mismatch
3153722: Feb 13 16:37:49.404 PST: ISAKMP: (0):processing vendor id payload
3153723: Feb 13 16:37:49.404 PST: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
3153724: Feb 13 16:37:49.404 PST: ISAKMP: (0):vendor ID is NAT-T RFC 3947
3153725: Feb 13 16:37:49.404 PST: ISAKMP: (0):found peer pre-shared key matching y.y.y.y
3153726: Feb 13 16:37:49.404 PST: ISAKMP: (0):local preshared key found
3153727: Feb 13 16:37:49.404 PST: ISAKMP: (0):Scanning profiles for xauth ...
3153728: Feb 13 16:37:49.404 PST: ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
3153729: Feb 13 16:37:49.404 PST: ISAKMP: (0): encryption AES-CBC
3153730: Feb 13 16:37:49.405 PST: ISAKMP: (0): keylength of 256
3153731: Feb 13 16:37:49.405 PST: ISAKMP: (0): hash SHA
3153732: Feb 13 16:37:49.405 PST: ISAKMP: (0): default group 5
3153733: Feb 13 16:37:49.405 PST: ISAKMP: (0): auth pre-share
3153734: Feb 13 16:37:49.405 PST: ISAKMP: (0): life type in seconds
3153735: Feb 13 16:37:49.405 PST: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
3153736: Feb 13 16:37:49.405 PST: ISAKMP: (0):atts are acceptable. Next payload is 0
3153737: Feb 13 16:37:49.405 PST: ISAKMP: (0):Acceptable atts:actual life: 0
3153738: Feb 13 16:37:49.405 PST: ISAKMP: (0):Acceptable atts:life: 0
3153739: Feb 13 16:37:49.405 PST: ISAKMP: (0):Fill atts in sa vpi_length:4
3153740: Feb 13 16:37:49.405 PST: ISAKMP: (0):Fill atts in sa life_in_seconds:86400
3153741: Feb 13 16:37:49.405 PST: ISAKMP: (0):Returning Actual lifetime: 86400
3153742: Feb 13 16:37:49.405 PST: ISAKMP: (0):Started lifetime timer: 86400.
3153743: Feb 13 16:37:49.405 PST: ISAKMP: (0):processing vendor id payload
3153744: Feb 13 16:37:49.405 PST: ISAKMP: (0):vendor ID seems Unity/DPD but major 28 mismatch
3153745: Feb 13 16:37:49.405 PST: ISAKMP: (0):processing vendor id payload
3153746: Feb 13 16:37:49.405 PST: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
3153747: Feb 13 16:37:49.405 PST: ISAKMP: (0):vendor ID is NAT-T RFC 3947
3153748: Feb 13 16:37:49.405 PST: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
3153749: Feb 13 16:37:49.405 PST: ISAKMP: (0):Old State = IKE_I_MM2 New State = IKE_I_MM2
3153750: Feb 13 16:37:49.405 PST: ISAKMP-PAK: (0):sending packet to y.y.y.y my_port 500 peer_port 500 (I) MM_SA_SETUP
3153751: Feb 13 16:37:49.405 PST: ISAKMP: (0):Sending an IKE IPv4 Packet.
3153752: Feb 13 16:37:49.405 PST: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
3153753: Feb 13 16:37:49.405 PST: ISAKMP: (0):Old State = IKE_I_MM2 New State = IKE_I_MM3
3153754: Feb 13 16:37:49.427 PST: ISAKMP-PAK: (0):received packet from y.y.y.y dport 500 sport 500 Global (I) MM_SA_SETUP
3153755: Feb 13 16:37:49.427 PST: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
3153756: Feb 13 16:37:49.427 PST: ISAKMP: (0):Old State = IKE_I_MM3 New State = IKE_I_MM4
3153757: Feb 13 16:37:49.427 PST: ISAKMP: (0):processing KE payload. message ID = 0
3153758: Feb 13 16:37:49.439 PST: ISAKMP: (0):received payload type 20
3153759: Feb 13 16:37:49.439 PST: ISAKMP: (0):NAT found, both nodes inside NAT
3153760: Feb 13 16:37:49.439 PST: ISAKMP: (0):received payload type 20
3153761: Feb 13 16:37:49.439 PST: ISAKMP: (0):My hash no match - this node inside NAT
3153762: Feb 13 16:37:49.439 PST: ISAKMP: (0):processing NONCE payload. message ID = 0
3153763: Feb 13 16:37:49.439 PST: ISAKMP: (0):found peer pre-shared key matching y.y.y.y
3153764: Feb 13 16:37:49.439 PST: ISAKMP: (1072):processing vendor id payload
3153765: Feb 13 16:37:49.439 PST: ISAKMP: (1072):vendor ID seems Unity/DPD but major 38 mismatch
3153766: Feb 13 16:37:49.439 PST: ISAKMP: (1072):processing vendor id payload
3153767: Feb 13 16:37:49.439 PST: ISAKMP: (1072):vendor ID seems Unity/DPD but major 215 mismatch
3153768: Feb 13 16:37:49.439 PST: ISAKMP: (1072):vendor ID is XAUTH
3153769: Feb 13 16:37:49.439 PST: ISAKMP: (1072):processing vendor id payload
3153770: Feb 13 16:37:49.439 PST: ISAKMP: (1072):vendor ID is DPD
3153771: Feb 13 16:37:49.440 PST: ISAKMP: (1072):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
3153772: Feb 13 16:37:49.440 PST: ISAKMP: (1072):Old State = IKE_I_MM4 New State = IKE_I_MM4
3153773: Feb 13 16:37:49.440 PST: ISAKMP: (1072):Send initial contact
3153774: Feb 13 16:37:49.440 PST: ISAKMP: (1072):SA is doing
3153775: Feb 13 16:37:49.440 PST: ISAKMP: (1072):pre-shared key authentication using id type ID_FQDN
3153776: Feb 13 16:37:49.440 PST: ISAKMP: (1072):ID payload
next-payload : 8
type : 2
3153777: Feb 13 16:37:49.440 PST: ISAKMP: (1072): FQDN name : MyRouter.mydomain.com
3153778: Feb 13 16:37:49.440 PST: ISAKMP: (1072): protocol : 17
port : 0
length : 31
3153779: Feb 13 16:37:49.440 PST: ISAKMP: (1072):Total payload length: 31
3153780: Feb 13 16:37:49.440 PST: ISAKMP-PAK: (1072):sending packet to y.y.y.y my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
3153781: Feb 13 16:37:49.440 PST: ISAKMP: (1072):Sending an IKE IPv4 Packet.
3153782: Feb 13 16:37:49.440 PST: ISAKMP: (1072):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
3153783: Feb 13 16:37:49.440 PST: ISAKMP: (1072):Old State = IKE_I_MM4 New State = IKE_I_MM5
3153784: Feb 13 16:37:49.449 PST: ISAKMP-PAK: (1072):received packet from y.y.y.y dport 500 sport 500 Global (I) MM_KEY_EXCH
3153785: Feb 13 16:37:49.449 PST: ISAKMP: (1072):set new node 646160545 to QM_IDLE
3153786: Feb 13 16:37:49.451 PST: ISAKMP-PAK: (1072):received packet from y.y.y.y dport 500 sport 500 Global (I) MM_KEY_EXCH
3153787: Feb 13 16:37:49.453 PST: ISAKMP-PAK: (1072):received packet from y.y.y.y dport 500 sport 500 Global (I) MM_KEY_EXCH
3153788: Feb 13 16:37:49.454 PST: ISAKMP-PAK: (1072):received packet from y.y.y.y dport 500 sport 500 Global (I) MM_KEY_EXCH
3153789: Feb 13 16:37:49.456 PST: ISAKMP-PAK: (1072):received packet from y.y.y.y dport 500 sport 500 Global (I) MM_KEY_EXCH
3153790: Feb 13 16:37:49.456 PST: ISAKMP: (1072):Info Notify message requeue retry counter exceeded sa request from y.y.y.y to 10.131.33.32.
3153791: Feb 13 16:37:59.441 PST: ISAKMP: (1072):retransmitting phase 1 MM_KEY_EXCH...
3153792: Feb 13 16:37:59.441 PST: ISAKMP: (1072):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
3153793: Feb 13 16:37:59.441 PST: ISAKMP: (1072):retransmitting phase 1 MM_KEY_EXCH
3153794: Feb 13 16:37:59.441 PST: ISAKMP-PAK: (1072):sending packet to y.y.y.y my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
3153795: Feb 13 16:37:59.441 PST: ISAKMP: (1072):Sending an IKE IPv4 Packet.
3153796: Feb 13 16:37:59.449 PST: ISAKMP-PAK: (1072):received packet from y.y.y.y dport 4500 sport 4500 Global (I) MM_KEY_EXCH
3153797: Feb 13 16:37:59.449 PST: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from y.y.y.y was not encrypted and it should've been.
MyRouter#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id  status
y.y.y.y         10.131.33.32    MM_KEY_EXCH    1072     ACTIVE

IPv6 Crypto ISAKMP SA
02-13-2019 03:55 PM
Hello,
under the crypto map, try and configure:
set pfs group5
Also, what does the transform set look like?
02-13-2019 04:19 PM
Thanks for your note. We agreed not to use PFS, but I tried it just in case, without luck.
And sorry, I missed sharing the transform set:
crypto ipsec transform-set TRANSFORM1 esp-aes 256 esp-sha-hmac
mode tunnel
02-13-2019 06:43 PM
Confirm that your ACL statements match on both sides.
EX.
local
permit ip host 172.31.63.49 192.168.30.0 0.0.0.255
permit ip host 172.31.63.33 192.168.30.0 0.0.0.255
remote
permit ip 192.168.30.0 0.0.0.255 host 172.31.63.49
permit ip 192.168.30.0 0.0.0.255 host 172.31.63.33
02-14-2019 11:38 AM
Hello Scott
Thanks, the ACL has been confirmed.
I'm waiting on some logs from the remote end, which is a SonicWall.
02-14-2019 03:55 PM
So basically we both have a log highlighting a key mismatch, and we checked again: we have the same key.
Is there any restriction on the key (length, or characters not to use), or is there any known bug?
I rebooted my router, and it's the same issue...
Any idea? Thanks
02-15-2019 05:09 AM
02-15-2019 10:14 AM
Hello mwood000111
I think you pointed me in the right direction. My partner sees an IKE ID mismatch in his logs. I changed the crypto isakmp identity from hostname to address.
It didn't work, but I think that's because, by default, the identity is based on the private IP.
My partner doesn't know this private IP, as I'm NATing it.
I don't know SonicWall; is there a way to avoid this identification? My setup works well when it's an ISR or an ASA on the other end. Maybe I should ask in a SonicWall forum :)
02-15-2019 10:28 AM
02-15-2019 11:15 AM
Sorry, I was not clear enough.
My Cisco router is establishing the VPN tunnel from its private IP. I have a firewall that NATs this private IP to a public IP.
This public IP is what my partner uses to build the VPN between us, meaning my partner doesn't know the private IP of my router.
From what I understand, when you configure crypto isakmp identity address on the Cisco router, it automatically picks up the private address (see logs below), which is unknown on the other end.
000607: *Feb 15 10:53:41.368 PST: ISAKMP: (1004):Send initial contact
000608: *Feb 15 10:53:41.368 PST: ISAKMP: (1004):SA is doing
000609: *Feb 15 10:53:41.368 PST: ISAKMP: (1004):pre-shared key authentication using id type ID_IPV4_ADDR
000610: *Feb 15 10:53:41.368 PST: ISAKMP: (1004):ID payload
next-payload : 8
type : 1
000611: *Feb 15 10:53:41.368 PST: ISAKMP: (1004): address : 10.131.33.32
000612: *Feb 15 10:53:41.368 PST: ISAKMP: (1004): protocol : 17
port : 0
length : 12
000613: *Feb 15 10:53:41.368 PST: ISAKMP: (1004):Total payload length: 12
000614: *Feb 15 10:53:41.368 PST: ISAKMP-PAK: (1004):sending packet to 216.38.155.50 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
000615: *Feb 15 10:53:41.368 PST: ISAKMP: (1004):Sending an IKE IPv4 Packet.
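As an added triage example (not from this thread, and not Cisco or SonicWall code), here is a small Python script that parses the kind of debug crypto isakmp lines shown in both captures above (the FQDN one and the ID_IPV4_ADDR one) and reports what a defender would check first: the last main-mode state reached, the IKE identity the router sent, whether NAT-T was detected, and the retransmit / not-encrypted symptoms. The sample lines are constructed from the thread's captures, with the peer kept as the placeholder y.y.y.y.

```python
import ipaddress
import re
# Constructed samples, trimmed from the two "debug crypto isakmp" captures in
# this thread (peer address kept as the placeholder y.y.y.y).
SAMPLE_FQDN = """\
ISAKMP: (0):NAT found, both nodes inside NAT
ISAKMP: (1072):pre-shared key authentication using id type ID_FQDN
ISAKMP: (1072): FQDN name : MyRouter.mydomain.com
ISAKMP-PAK: (1072):sending packet to y.y.y.y my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
ISAKMP: (1072):retransmitting phase 1 MM_KEY_EXCH...
%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from y.y.y.y was not encrypted and it should've been.
"""
SAMPLE_ADDR = """\
ISAKMP: (1004):pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP: (1004): address : 10.131.33.32
ISAKMP-PAK: (1004):sending packet to y.y.y.y my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
"""
STATE_RE = re.compile(r"\(I\) (MM_\w+)")  # main-mode state on a sent/received packet
ID_TYPE_RE = re.compile(r"using id type (\S+)")  # ID_FQDN, ID_IPV4_ADDR, ...
ID_VALUE_RE = re.compile(r"(?:FQDN name|address)\s*:\s*(\S+)")  # ID payload value

def _is_private(value):
    try:
        return ipaddress.ip_address(value).is_private
    except ValueError:  # an FQDN, not an address
        return False

def triage_isakmp(log):
    """Summarise a phase-1 debug: last main-mode state reached, the IKE ID the
    router sent, NAT-T detection, and the symptoms worth checking first."""
    r = {"last_state": None, "id_type": None, "id_value": None, "nat_detected": False,
         "retransmits": 0, "not_encrypted": False, "findings": []}
    for line in log.splitlines():
        if m := STATE_RE.search(line):
            r["last_state"] = m.group(1)
        if m := ID_TYPE_RE.search(line):
            r["id_type"] = m.group(1)
        if m := ID_VALUE_RE.search(line):
            r["id_value"] = m.group(1)
        r["nat_detected"] |= "NAT found" in line
        r["retransmits"] += "retransmitting phase 1" in line
        r["not_encrypted"] |= "IKMP_NOT_ENCRYPTED" in line
    # Initiator parked at MM_KEY_EXCH: our encrypted MM5 (ID + hash) got no valid
    # MM6 back, so the peer rejected either the PSK or the identity we sent.
    if r["last_state"] == "MM_KEY_EXCH" and (r["retransmits"] or r["not_encrypted"]):
        r["findings"].append("stuck at MM_KEY_EXCH: check the PSK and the IKE ID the peer expects")
    if r["id_type"] == "ID_FQDN":
        r["findings"].append("identity sent as FQDN %s; peer must match that name" % r["id_value"])
    if r["id_type"] == "ID_IPV4_ADDR" and _is_private(r["id_value"]):
        r["findings"].append("identity is the pre-NAT private address %s; peer must accept it, "
                             "not the public IP" % r["id_value"])
    return r
```

Run it over a full debug capture with triage_isakmp(open("debug.txt").read()) and read the findings list first.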
02-15-2019 11:32 AM
I found the issue; it works.
On SonicWall, you need to specify the private IP used by the crypto identity to correctly identify the router, on top of the PSK.
If one is not working, it shows a KEY mismatch.
Thanks, gentlemen, and I hope that it can help someone else who wants to build a site-to-site between Cisco and SonicWall.
02-15-2019 12:38 PM
Hello,
does the SonicWall have a CLI output similar to the Cisco IOS router? If so, can you post that, for future reference?
02-15-2019 04:09 PM
Unfortunately, I was not handling the SonicWall side, so I'm not sure about the exact command he used. And I think he did that through a GUI.