01-12-2014 09:58 PM - edited 03-07-2019 05:31 PM
I am trying to create an IPsec VPN to Amazon VPC for the first time but I can't get it to work. Debug crypto isakmp shows the following:
*Jan 13 05:17:52.915: ISAKMP:(0):No pre-shared key with x.x.x.x
*Jan 13 05:17:52.915: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Jan 13 05:17:52.919: ISAKMP:(0):Encryption algorithm offered does not match policy
*Jan 13 05:17:52.919: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer x.x.x.x)
But I've checked the config and it looks right. Can anyone shed some light on it for me please?
01-13-2014 09:48 AM
Chris
It looks like the phase 1 policies are not matching. Each device will run through all the phase 1 policies until it either finds a match or runs out of policies.
That's about all that can be said from what you have posted. What settings did they send you for phase 1?
Perhaps you can post the settings they sent plus your router config. I'm assuming you have set the pre-shared key and that it matches the one they sent.
Don't post the key in plaintext on this forum.
Jon
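To make the phase 1 walk Jon describes concrete, here is an added example (not code from the thread or from Cisco/AWS) that parses the "crypto isakmp policy" blocks from two configuration texts, fills in classic IOS defaults for omitted attributes, and reports the first local/remote pair that agrees on cipher, hash, authentication and DH group, or the per-attribute mismatches if none does. The default values and the sample config strings are assumptions constructed from the thread.

```python
import re

# Classic IOS defaults for attributes omitted from a "crypto isakmp policy" block
# (assumption: the documented defaults for the 12.4 train the poster is running).
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
ATTRS = ("encr", "hash", "authentication", "group", "lifetime")
ALIASES = {"encryption": "encr"}

def parse_isakmp_policies(config):
    """Return {sequence: {attribute: value}} for each phase 1 policy, defaults filled in."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(DEFAULTS))
            continue
        if current is None or not line or line.startswith("!"):
            continue
        key, _, value = line.partition(" ")
        key = ALIASES.get(key, key)
        if key not in ATTRS:
            current = None          # "exit" or the next global command ends the block
            continue
        if key == "encr" and value == "aes":
            value = "aes 128"       # "encr aes" with no key size means AES-128
        current[key] = value
    return policies

def find_matching_policy(local, remote):
    """Walk local policies in priority order against the peer's, as the phase 1 negotiation
    does; return the first pair agreeing on cipher, hash, authentication and DH group
    (lifetime is parsed but not compared), plus every mismatch seen on the way."""
    mismatches = []
    for lseq, lpol in sorted(local.items()):
        for rseq, rpol in sorted(remote.items()):
            diffs = [(k, lpol[k], rpol[k]) for k in ATTRS[:4] if lpol[k] != rpol[k]]
            if not diffs:
                return (lseq, rseq), mismatches
            mismatches.append((lseq, rseq, diffs))
    return None, mismatches

# Constructed samples: the router's policy as posted (no explicit hash or key size), the
# matching block from the AWS-generated text, and a deliberately different policy.
ROUTER_CFG = "crypto isakmp policy 200\n encr aes\n authentication pre-share\n group 2\n lifetime 28800\n!\n"
AWS_CFG = "crypto isakmp policy 200\nencryption aes 128\nauthentication pre-share\ngroup 2\nlifetime 28800\nhash sha\nexit\n"
BAD_CFG = "crypto isakmp policy 10\n encr 3des\n hash md5\n authentication pre-share\n group 2\n"
```

Run against the two configs in this thread the posted policies come out equivalent, so a mismatch reported by the debug output points elsewhere (for example at the keyring or at what the peer actually proposed) rather than at the policy lines themselves.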
01-13-2014 02:10 PM
The config for the 1800 is below. I simply copied the settings from the wizard provided by the Amazon VPC setup. However, there was one line in it that will not apply to my router:
track 100 ip sla 100 reachability
Current configuration : 3741 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxxxxxxxxxxxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool LAN
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server xxxxxxxxxxxxxxxxxxxxxxxxxx
lease 5
!
!
ip name-server xxxxxxxxxxxxxxxxxxxxxxxxxx
ip sla 100
icmp-echo 169.254.247.17 source-interface Tunnel1
timeout 1000
frequency 5
ip sla schedule 100 life forever start-time now
ip sla 200
icmp-echo 169.254.247.21 source-interface Tunnel2
timeout 1000
frequency 5
ip sla schedule 200 life forever start-time now
!
!
!
!
crypto keyring keyring-vpn-amazon_vpc_1
local-address MY_ADSL_EXTERNAL_STATIC_IP
pre-shared-key address AMAZON_PROVIDED_PEER_1 key xxxxxxxxxxxxxxxxxxxxxxxxxx
crypto keyring keyring-vpn-amazon_vpc_2
local-address MY_ADSL_EXTERNAL_STATIC_IP
pre-shared-key address AMAZON_PROVIDED_PEER_2 key xxxxxxxxxxxxxxxxxxxxxxxxxx
!
crypto isakmp policy 200
encr aes
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 201
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp keepalive 10 10
crypto isakmp profile isakmp-vpn-amazon_vpc_1
keyring keyring-vpn-amazon_vpc_1
match identity address AMAZON_PROVIDED_PEER_1 255.255.255.255
local-address MY_ADSL_EXTERNAL_STATIC_IP
crypto isakmp profile isakmp-vpn-amazon_vpc_2
keyring keyring-vpn-amazon_vpc_2
match identity address AMAZON_PROVIDED_PEER_2 255.255.255.255
local-address MY_ADSL_EXTERNAL_STATIC_IP
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ipsec-prop-vpn-amazon_vpc_1 esp-aes esp-sha-hmac
crypto ipsec transform-set ipsec-prop-vpn-amazon_vpc_2 esp-aes esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile ipsec-vpn-amazon_vpc_1
set transform-set ipsec-prop-vpn-amazon_vpc_1
set pfs group2
!
crypto ipsec profile ipsec-vpn-amazon_vpc_2
set transform-set ipsec-prop-vpn-amazon_vpc_2
set pfs group2
!
!
!
!
!
interface Tunnel1
ip address 169.254.247.18 255.255.255.252
ip virtual-reassembly
ip tcp adjust-mss 1387
tunnel source MY_ADSL_EXTERNAL_STATIC_IP
tunnel destination AMAZON_PROVIDED_PEER_1
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-vpn-amazon_vpc_1
!
interface Tunnel2
ip address 169.254.247.22 255.255.255.252
ip virtual-reassembly
ip tcp adjust-mss 1387
tunnel source MY_ADSL_EXTERNAL_STATIC_IP
tunnel destination AMAZON_PROVIDED_PEER_2
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-vpn-amazon_vpc_2
!
interface FastEthernet0
description ISP
ip address 192.168.1.26 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
switchport access vlan 13
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
no ip address
!
interface Vlan13
ip address 10.10.10.1 255.255.255.0
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
router eigrp 1
no auto-summary
!
ip route 10.0.0.0 255.255.0.0 Tunnel1 track 100
ip route 10.0.0.0 255.255.0.0 Tunnel2 track 200
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
control-plane
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
auVPC01 con0 is now available
Press RETURN to get started.
01-13-2014 02:29 PM
Chris
Is there meant to be a link or diagram in the last bit of your post?
Jon
01-13-2014 02:44 PM
No, just a copy-paste issue.
01-13-2014 02:46 PM
Chris
Not sure what to tell you then. Can you try removing the key and retyping it in, as I have made that sort of mistake myself before.
Also, can you post all of the configuration settings for the other end?
Jon
01-13-2014 02:55 PM
Unfortunately I already tried that and it didn't help. The following are the settings from the other end (note that I do not have direct console access); the other end is Amazon VPC. The following is the txt file that the VPC wizard produces.
The only thing I can think is that the port forwarding on my ADSL modem to the Cisco 1800 isn't set up correctly or isn't working. Maybe I need to put that modem in bridged mode and set the ISP external IP on the 1800 interface.
! Amazon Web Services
! Virtual Private Cloud
! AWS utilizes unique identifiers to manipulate the configuration of
! a VPN Connection. Each VPN Connection is assigned an identifier and is
! associated with two other identifiers, namely the
! Customer Gateway Identifier and Virtual Private Gateway Identifier.
!
! Your VPN Connection ID : xxxxxxxxxxxxxxxxxxxxxxxxxx
! Your Virtual Private Gateway ID : xxxxxxxxxxxxxxxxxxxxxxxxxx
! Your Customer Gateway ID : xxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
! This configuration consists of two tunnels. Both tunnels must be
! configured on your Customer Gateway.
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #1
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
!
! Note that there are a global list of ISAKMP policies, each identified by
! sequence number. This policy is defined as #200, which may conflict with
! an existing policy using the same number. If so, we recommend changing
! the sequence number to avoid conflicts.
!
crypto isakmp policy 200
encryption aes 128
authentication pre-share
group 2
lifetime 28800
hash sha
exit
! The ISAKMP keyring stores the Pre Shared Key used to authenticate the
! tunnel endpoints.
!
crypto keyring keyring-vpn-amazon_vpc_1
local-address MY_ADSL_EXTERNAL_STATIC_IP
pre-shared-key address AMAZON_PROVIDED_PEER_1 key xxxxxxxxxxxxxxxxxxxxxxxxxx
exit
! An ISAKMP profile is used to associate the keyring with the particular
! endpoint.
!
crypto isakmp profile isakmp-vpn-amazon_vpc_1
local-address MY_ADSL_EXTERNAL_STATIC_IP
match identity address AMAZON_PROVIDED_PEER_1
keyring keyring-vpn-amazon_vpc_1
exit
! #2: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
!
crypto ipsec transform-set ipsec-prop-vpn-amazon_vpc_1 esp-aes 128 esp-sha-hmac
mode tunnel
exit
! The IPSec profile references the IPSec transform set and further defines
! the Diffie-Hellman group and security association lifetime.
!
crypto ipsec profile ipsec-vpn-amazon_vpc_1
set pfs group2
set security-association lifetime seconds 3600
set transform-set ipsec-prop-vpn-amazon_vpc_1
exit
! Additional parameters of the IPSec configuration are set here. Note that
! these parameters are global and therefore impact other IPSec
! associations.
! This option instructs the router to clear the "Don't Fragment"
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
crypto ipsec df-bit clear
! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
crypto isakmp keepalive 10 10 on-demand
! This configures the gateway's window for accepting out of order
! IPSec packets. A larger window can be helpful if too many packets
! are dropped due to reordering while in transit between gateways.
!
crypto ipsec security-association replay window-size 128
! This option instructs the router to fragment the unencrypted packets
! (prior to encryption).
!
crypto ipsec fragmentation before-encryption
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
! Association with the IPSec security association is done through the
! "tunnel protection" command.
!
! The address of the interface is configured with the setup for your
! Customer Gateway. If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.
!
interface Tunnel1
ip address 169.254.247.18 255.255.255.252
ip virtual-reassembly
tunnel source MY_ADSL_EXTERNAL_STATIC_IP
tunnel destination AMAZON_PROVIDED_PEER_1
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-vpn-amazon_vpc_1
! This option causes the router to reduce the Maximum Segment Size of
! TCP packets to prevent packet fragmentation.
ip tcp adjust-mss 1387
no shutdown
exit
! ----------------------------------------------------------------------------
! #4 Static Route Configuration
!
! Your Customer Gateway needs to set a static route for the prefix corresponding to your
! VPC to send traffic over the tunnel interface.
! An example for a VPC with the prefix 10.0.0.0/16 is provided below:
! ip route 10.0.0.0 255.255.0.0 Tunnel1 track 100
!
! SLA Monitor is used to provide a failover between the two tunnels. If the primary tunnel fails, the redundant tunnel will automatically be used
! This sla is defined as #100, which may conflict with an existing sla using same number.
! If so, we recommend changing the sequence number to avoid conflicts.
!
ip sla 100
icmp-echo 169.254.247.17 source-interface Tunnel1
timeout 1000
frequency 5
exit
ip sla schedule 100 life forever start-time now
track 100 ip sla 100 reachability
! --------------------------------------------------------------------------------
! --------------------------------------------------------------------------------
! IPSec Tunnel #2
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
!
! Note that there are a global list of ISAKMP policies, each identified by
! sequence number. This policy is defined as #201, which may conflict with
! an existing policy using the same number. If so, we recommend changing
! the sequence number to avoid conflicts.
!
crypto isakmp policy 201
encryption aes 128
authentication pre-share
group 2
lifetime 28800
hash sha
exit
! The ISAKMP keyring stores the Pre Shared Key used to authenticate the
! tunnel endpoints.
!
crypto keyring keyring-vpn-amazon_vpc_2
local-address MY_ADSL_EXTERNAL_STATIC_IP
pre-shared-key address AMAZON_PROVIDED_PEER_2 key xxxxxxxxxxxxxxxxxxxxxxxxxx
exit
! An ISAKMP profile is used to associate the keyring with the particular
! endpoint.
!
crypto isakmp profile isakmp-vpn-amazon_vpc_2
local-address MY_ADSL_EXTERNAL_STATIC_IP
match identity address AMAZON_PROVIDED_PEER_2
keyring keyring-vpn-amazon_vpc_2
exit
! #2: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
!
crypto ipsec transform-set ipsec-prop-vpn-amazon_vpc_2 esp-aes 128 esp-sha-hmac
mode tunnel
exit
! The IPSec profile references the IPSec transform set and further defines
! the Diffie-Hellman group and security association lifetime.
!
crypto ipsec profile ipsec-vpn-amazon_vpc_2
set pfs group2
set security-association lifetime seconds 3600
set transform-set ipsec-prop-vpn-amazon_vpc_2
exit
! Additional parameters of the IPSec configuration are set here. Note that
! these parameters are global and therefore impact other IPSec
! associations.
! This option instructs the router to clear the "Don't Fragment"
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
crypto ipsec df-bit clear
! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
crypto isakmp keepalive 10 10 on-demand
! This configures the gateway's window for accepting out of order
! IPSec packets. A larger window can be helpful if too many packets
! are dropped due to reordering while in transit between gateways.
!
crypto ipsec security-association replay window-size 128
! This option instructs the router to fragment the unencrypted packets
! (prior to encryption).
!
crypto ipsec fragmentation before-encryption
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
! Association with the IPSec security association is done through the
! "tunnel protection" command.
!
! The address of the interface is configured with the setup for your
! Customer Gateway. If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.
!
interface Tunnel2
ip address 169.254.247.22 255.255.255.252
ip virtual-reassembly
tunnel source MY_ADSL_EXTERNAL_STATIC_IP
tunnel destination AMAZON_PROVIDED_PEER_2
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-vpn-amazon_vpc_2
! This option causes the router to reduce the Maximum Segment Size of
! TCP packets to prevent packet fragmentation.
ip tcp adjust-mss 1387
no shutdown
exit
! ----------------------------------------------------------------------------
! #4 Static Route Configuration
!
! Your Customer Gateway needs to set a static route for the prefix corresponding to your
! VPC to send traffic over the tunnel interface.
! An example for a VPC with the prefix 10.0.0.0/16 is provided below:
! ip route 10.0.0.0 255.255.0.0 Tunnel2 track 200
!
! SLA Monitor is used to provide a failover between the two tunnels. If the primary tunnel fails, the redundant tunnel will automatically be used
! This sla is defined as #200, which may conflict with an existing sla using same number.
! If so, we recommend changing the sequence number to avoid conflicts.
!
ip sla 200
icmp-echo 169.254.247.21 source-interface Tunnel2
timeout 1000
frequency 5
exit
ip sla schedule 200 life forever start-time now
track 200 ip sla 200 reachability
! --------------------------------------------------------------------------------
! Additional Notes and Questions
! - Amazon Virtual Private Cloud Getting Started Guide:
! http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
! - Amazon Virtual Private Cloud Network Administrator Guide:
! http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide