08-01-2013 05:05 PM - edited 03-07-2019 02:43 PM
Dear all,
I want to set up a LAN-to-LAN IPsec secured connection using 2811 routers.
LAN 1: 172.30.128.0/24
LAN 2: 172.30.129.0/24
ROUTERS VERSION:
faraday#sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 06:21 by pt_rel_team
ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
Copyright (c) 2000 by cisco Systems, Inc.
System returned to ROM by power-on
System image file is "c2800nm-advipservicesk9-mz.124-15.T1.bin"
ROUTER1: FARADAY
LAN int fa0/1: 172.30.128.254/24
WAN int fa0/0: 192.168.128.254/24
Config:
faraday#sh running-config
Building configuration...
Current configuration : 1350 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname faraday
!
!
!
enable secret 5 $1$mERr$Rff1owNQdMUvylEoNMPHO1
!
!
!
!
!
!
username ayodeji privilege 0 secret 5 $1$mERr$kMTDoyBtdE/MEgmAcmJ4u/
!
crypto isakmp policy 10
hash md5
authentication pre-share
!
crypto isakmp key zumabuja address 192.168.128.253
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
set peer 192.168.128.253
set transform-set myset
match address 101-103
!
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
description "WAN link"
ip address 192.168.128.254 255.255.255.0
duplex full
speed 100
crypto map myvpn
!
interface FastEthernet0/1
description "LAN link"
ip address 172.30.128.254 255.255.255.0
duplex full
speed 100
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet1/1
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.128.253
!
!
ip access-list extended 101-103
permit ip 172.30.128.0 0.0.0.255 172.30.129.0 0.0.0.255
permit ip 172.30.129.0 0.0.0.255 172.30.128.0 0.0.0.255
!
!
!
!
!
line con 0
login local
line vty 0 4
login
!
!
!
end
ROUTER2: ROBOCOP
LAN int fa0/1: 172.30.129.254/24
WAN int fa0/0: 192.168.128.253/24
Config:
robocop#sh runn
robocop#sh running-config
Building configuration...
Current configuration : 1362 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname robocop
!
!
!
enable secret 5 $1$mERr$Rff1owNQdMUvylEoNMPHO1
!
!
!
!
!
!
username ayodeji privilege 0 secret 5 $1$mERr$kMTDoyBtdE/MEgmAcmJ4u/
!
crypto isakmp policy 10
hash md5
authentication pre-share
!
crypto isakmp key zumaabuja address 192.168.128.254
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
set peer 192.168.128.254
set transform-set myset
match address 101-103
!
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
description "WAN link to faraday"
ip address 192.168.128.253 255.255.255.0
duplex full
speed 100
crypto map myvpn
!
interface FastEthernet0/1
description "LAN link"
ip address 172.30.129.254 255.255.255.0
duplex full
speed 100
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet1/1
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.128.254
!
!
ip access-list extended 101-103
permit ip 172.30.128.0 0.0.0.255 172.30.129.0 0.0.0.255
permit ip 172.30.129.0 0.0.0.255 172.30.128.0 0.0.0.255
!
!
!
!
!
line con 0
login local
line vty 0 4
login
!
!
!
end
I have two laptops, one at each end: Laptop1 is 172.30.129.100 and Laptop2 is 172.30.128.100.
I can ping the WAN interfaces of both routers from either laptop, but the laptops are unable to ping each other.
I have turned on debugging and keep getting the error below on FARADAY:
ISAKMP (0:0): vendor ID is NAT-T RFC 3947
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP (0:0): vendor ID is NAT-T v7
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0):found peer pre-shared key matching192.168.128.253
ISAKMP:(0): local preshared key found
ISAKMP : Scanning profiles for xauth ...
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption ENC-3DES
ISAKMP: key length of 56
ISAKMP: hash MD5
ISAKMP: group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 86400
ISAKMP:(0):atts are acceptable. Next payload is 0
ISAKMP:(0):atts are acceptable. Next payload is 0
ISAKMP:(0):Acceptable atts:actual life: 0
ISAKMP:(0):Acceptable atts:life: 0
ISAKMP:(0):Basic life_in_seconds:86400
ISAKMP:(0):Returning Actual lifetime: 86400
ISAKMP:(0)::Started lifetime timer: 86400.
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0:0): vendor ID is NAT-T RFC 3947
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP (0:0): vendor ID is NAT-T v7
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
ISAKMP:(0): sending packet to 192.168.128.253 my_port 500 peer_port 500 (R) MM_SA_SETUP
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
ISAKMP (0:1073): received packet from 192.168.128.253 dport 500 sport 500 Global (R) MM_KEY_EXCH
ISAKMP: reserved not zero on ID payload!
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 192.168.128.253 failed its sanity check or is malformed
ISAKMP (0:1073): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
ISAKMP:(1073): retransmitting phase 1 MM_KEY_EXCH...
ISAKMP (0:1073): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
ISAKMP:(1073): retransmitting phase 1 MM_KEY_EXCH
ISAKMP:(1073): sending packet to 192.168.128.253 my_port 500 peer_port 500 (R) MM_KEY_EXCH
ISAKMP:(1073):Sending an IKE IPv4 Packet.
ISAKMP (0:1073): received packet from 192.168.128.253 dport 500 sport 500 Global (R) MM_KEY_EXCH
ISAKMP:(1073): phase 1 packet is a duplicate of a previous packet.
ISAKMP:(1073): retransmission skipped for phase 1 (time since last transmission 640)
ISAKMP:(1073): retransmitting phase 1 MM_KEY_EXCH...
ISAKMP (0:1073): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
ISAKMP:(1073): retransmitting phase 1 MM_KEY_EXCH
ISAKMP:(1073): sending packet to 192.168.128.253 my_port 500 peer_port 500 (R) MM_KEY_EXCH
ISAKMP:(1073):Sending an IKE IPv4 Packet.
ISAKMP (0:1073): received packet from 192.168.128.253 dport 500 sport 500 Global (R) MM_KEY_EXCH
ISAKMP:(1073): phase 1 packet is a duplicate of a previous packet.
ISAKMP:(1073): retransmission skipped for phase 1 (time since last transmission 0)
ISAKMP:(1073): retransmitting phase 1 MM_KEY_EXCH...
ISAKMP (0:1073): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
ISAKMP:(1073): retransmitting phase 1 MM_KEY_EXCH
ISAKMP:(1073): sending packet to 192.168.128.253 my_port 500 peer_port 500 (R) MM_KEY_EXCH
ISAKMP:(1073):Sending an IKE IPv4 Packet.
ISAKMP (0:1073): received packet from 192.168.128.253 dport 500 sport 500 Global (R) MM_KEY_EXCH
ISAKMP:(1073): phase 1 packet is a duplicate of a previous packet.
ISAKMP:(1073): retransmission skipped for phase 1 (time since last transmission 0)
ISAKMP:(1073): retransmitting phase 1 MM_KEY_EXCH...
ISAKMP (0:1073): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
ISAKMP:(1073): retransmitting phase 1 MM_KEY_EXCH
ISAKMP:(1073): sending packet to 192.168.128.253 my_port 500 peer_port 500 (R) MM_KEY_EXCH
ISAKMP:(1073):Sending an IKE IPv4 Packet.
ISAKMP (0:1073): received packet from 192.168.128.253 dport 500 sport 500 Global (R) MM_KEY_EXCH
ISAKMP:(1073): phase 1 packet is a duplicate of a previous packet.
ISAKMP:(1073): retransmission skipped for phase 1 (time since last transmission 0)
ISAKMP:(1073): retransmitting phase 1 MM_KEY_EXCH...
ISAKMP:(1073):peer does not do paranoid keepalives.
ISAKMP:(1073):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 192.168.128.253)
ISAKMP:(1073):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 192.168.128.253)
ISAKMP: Unlocking peer struct 0x483E9800 for isadb_mark_sa_deleted(), count 0
ISAKMP: Deleting peer node by peer_reap for 192.168.128.253: 483E9800
ISAKMP:(1073):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
ISAKMP:(1073):Old State = IKE_R_MM4 New State = IKE_DEST_SA
IPSEC(key_engine): got a queue event with 1 KMI message(s)
ISAKMP (0:1073): received packet from 192.168.128.253 dport 500 sport 500 Global (R) MM_NO_STATE
ISAKMP:(1073):purging SA., sa=48CC3E60, delme=48CC3E60
When I do "sh crypto isakmp sa", I get:
faraday#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.128.253 192.168.128.254 MM_SA_SETUP 1073 0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
Kindly assist!
Solved! Go to Solution.
08-01-2013 05:35 PM
crypto isakmp key zumabuja address 192.168.128.253
crypto isakmp key zumaabuja address 192.168.128.254
Your key passwords are not the same.
Make them both the same and try again
HTH
08-01-2013 06:05 PM
Dear Reza,
THANK YOU!
I've been on this for about six hours! Never noticed the difference in the isakmp keys!
You are so cool!
08-01-2013 06:22 PM
You are certainly welcome and thanks for the rating.
Sorry to bother you, is this security level okay, how can I make it more secure?
Yes, the security is fine.
HTH
Reza
08-01-2013 06:15 PM
Sorry to bother you, is this security level okay, how can I make it more secure?
Thanks..
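The two problems discussed in this thread, the mismatched pre-shared keys that caused the "failed its sanity check" retransmission loop and the later question about how secure the configuration is, can both be caught by reading the running-configs before bringing the tunnel up. The following Python script is an added example, not something from the thread or from Cisco; it parses constructed excerpts of the two configs above, confirms that each router holds the same `crypto isakmp key` for the other's WAN address, and lists attributes (MD5, 3DES, the implicit DH group 1) that current guidance treats as obsolete.

```python
import re

# Constructed excerpts of the two running-configs posted in the thread (not the full configs).
FARADAY_CFG = """
hostname faraday
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key zumabuja address 192.168.128.253
crypto ipsec transform-set myset esp-3des esp-md5-hmac
interface FastEthernet0/0
 ip address 192.168.128.254 255.255.255.0
"""
# Robocop's side differs only in hostname, its own WAN address and the mistyped key.
ROBOCOP_CFG = (FARADAY_CFG.replace("faraday", "robocop")
    .replace("zumabuja address 192.168.128.253", "zumaabuja address 192.168.128.254")
    .replace("ip address 192.168.128.254", "ip address 192.168.128.253"))

KEY_RE = re.compile(r"^\s*crypto isakmp key (\S+) address (\S+)", re.M)
ADDR_RE = re.compile(r"^\s*ip address (\d+\.\d+\.\d+\.\d+) ", re.M)

def isakmp_keys(cfg):
    """Map peer address -> pre-shared key declared with 'crypto isakmp key'."""
    return {peer: key for key, peer in KEY_RE.findall(cfg)}

def check_psk_pair(cfg_a, cfg_b):
    """Return None if both sides hold the same PSK for each other, else a description."""
    addrs_a, addrs_b = set(ADDR_RE.findall(cfg_a)), set(ADDR_RE.findall(cfg_b))
    key_a = next((k for p, k in isakmp_keys(cfg_a).items() if p in addrs_b), None)
    key_b = next((k for p, k in isakmp_keys(cfg_b).items() if p in addrs_a), None)
    if key_a is None or key_b is None:
        return "one side has no 'crypto isakmp key' entry for the other's address"
    if key_a != key_b:
        # Show both values: single-character typos are the usual cause.
        return f"pre-shared key mismatch: {key_a!r} on A vs {key_b!r} on B"
    return None

# Accepted by IOS 12.4 but obsolete choices today; DH group 1 is the IOS default
# whenever the ISAKMP policy has no 'group' line.
WEAK_PATTERNS = [
    (r"^\s*hash md5", "ISAKMP policy uses MD5 hash"),
    (r"esp-3des", "transform-set uses 3DES"),
    (r"esp-md5-hmac", "transform-set uses MD5 HMAC"),
]

def weak_settings(cfg):
    findings = [msg for pat, msg in WEAK_PATTERNS if re.search(pat, cfg, re.M)]
    if re.search(r"^crypto isakmp policy", cfg, re.M) and not re.search(r"^\s*group \d", cfg, re.M):
        findings.append("ISAKMP policy has no 'group' line, so DH group 1 applies")
    return findings
```

Run against the two excerpts, `check_psk_pair` reports the zumabuja/zumaabuja mismatch that the accepted answer spotted by eye, and `weak_settings` lists four findings for each router.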