Site to 2 Sites VPN Problem - Resolved

vcapeci46
Level 1

I want to set up 2 tunnels
From Site A to Site B
From Site A to Site C

Config Router site A
pseudowire-class PW_2
 encapsulation l2tpv3
 protocol l2tpv3 tunel
 ip local interface GigabitEthernet0
!

crypto keyring key_tunel_UNION_T2370  
  pre-shared-key address {Ip address site B} key {key1}

crypto isakmp policy 1
 authentication pre-share
 group 2
 lifetime 3600
 encryption 3des

crypto isakmp profile profile_tunel_UNION_T2370
   keyring key_tunel_UNION_T2370
   match identity address {ip address site B}{mask site B}
!
!

crypto ipsec transform-set strong ah-sha-hmac esp-3des
 mode tunnel
!

!
crypto map ipsec-maps 10 ipsec-isakmp
 set peer {ip address site B}
 set transform-set strong 
 set isakmp-profile profile_tunel_UNION_T2370
 match address acl_tunel_UNION_T2370 
crypto map ipsec-maps 20 ipsec-isakmp 
 description ** tunel_ALU_T2371 **
 set peer {ip address site C}
 set transform-set strong 
 set isakmp-profile profile_tunel_ALU_T2371
 match address acl_tunel_ALU_T2371
!
!
!

interface FastEthernet5
 switchport access vlan 4
 no ip address
!
interface FastEthernet6
 switchport access vlan 3
 no ip address
!

interface GigabitEthernet0
 ip address {ip address site A} {mask site A}
 ip access-group 1 in
 duplex auto
 speed auto
 dot1q tunneling ethertype 0x9100
 vlan-id dot1q 3
  exit-vlan-config
 !
 vlan-id dot1q 4
  exit-vlan-config
 !
 crypto map ipsec-maps
!

interface Vlan3
 no ip address
 xconnect  {ip address  site B}  3 encapsulation l2tpv3 pw-class PW_2
!
interface Vlan4
 no ip address
 xconnect {ip address  site C} 4 encapsulation l2tpv3 pw-class PW_2


ip access-list extended acl_tunel_ALU_T2371
 permit ip any any
ip access-list extended acl_tunel_UNION_T2370
 permit ip any any

On router B I have the same configuration except the crypto map for site C, because I do not need a connection between Site B and Site C.
When I execute debug isakmp I get the following messages:

*Sep 21 15:20:27.548: ISAKMP (0): received packet from {IP Site B} dport 500 sport 500 Global (N) NEW SA
*Sep 21 15:20:27.548: ISAKMP: Created a peer struct for {IP Site B}, peer port 500
*Sep 21 15:20:27.548: ISAKMP: New peer created peer = 0x8C0EDDB4 peer_handle = 0x800000A4
*Sep 21 15:20:27.548: ISAKMP: Locking peer struct 0x8C0EDDB4, refcount 1 for crypto_isakmp_process_block
*Sep 21 15:20:27.548: ISAKMP: local port 500, remote port 500
*Sep 21 15:20:27.548: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8C1EF404
*Sep 21 15:20:27.548: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 21 15:20:27.548: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1 

*Sep 21 15:20:27.548: ISAKMP:(0): processing SA payload. message ID = 0
*Sep 21 15:20:27.548: ISAKMP:(0): processing vendor id payload
*Sep 21 15:20:27.548: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Sep 21 15:20:27.548: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep 21 15:20:27.548: ISAKMP:(0): processing vendor id payload
*Sep 21 15:20:27.548: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Sep 21 15:20:27.548: ISAKMP (0): vendor ID is NAT-T v7
*Sep 21 15:20:27.548: ISAKMP:(0): processing vendor id payload
*Sep 21 15:20:27.548: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Sep 21 15:20:27.548: ISAKMP:(0): vendor ID is NAT-T v3
*Sep 21 15:20:27.548: ISAKMP:(0): processing vendor id payload
*Sep 21 15:20:27.548: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Sep 21 15:20:27.548: ISAKMP:(0): vendor ID is NAT-T v2
*Sep 21 15:20:27.548: ISAKMP:(0):found peer pre-shared key matching {IP Site B}
*Sep 21 15:20:27.548: ISAKMP:(0): local preshared key found 
*Sep 21 15:20:27.548: ISAKMP : Scanning profiles for xauth ... profile_tunel_ALU_T2371 profile_tunel_UNION_T2370
*Sep 21 15:20:27.548: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Sep 21 15:20:27.548: ISAKMP:      encryption 3DES-CBC
*Sep 21 15:20:27.548: ISAKMP:      hash SHA
*Sep 21 15:20:27.548: ISAKMP:      default group 2
*Sep 21 15:20:27.548: ISAKMP:      auth pre-share
*Sep 21 15:20:27.548: ISAKMP:      life type in seconds
*Sep 21 15:20:27.548: ISAKMP:      life duration (basic) of 3600
*Sep 21 15:20:27.552: ISAKMP:(0):atts are acceptable. Next payload is 0
*Sep 21 15:20:27.552: ISAKMP:(0):Acceptable atts:actual life: 0
*Sep 21 15:20:27.552: ISAKMP:(0):Acceptable atts:life: 0
*Sep 21 15:20:27.552: ISAKMP:(0):Basic life_in_seconds:3600
*Sep 21 15:20:27.552: ISAKMP:(0):Returning Actual lifetime: 3600
*Sep 21 15:20:27.552: ISAKMP:(0)::Started lifetime timer: 3600.
*Sep 21 15:20:27.552: ISAKMP:(0): processing vendor id payload
*Sep 21 15:20:27.552: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Sep 21 15:20:27.552: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep 21 15:20:27.552: ISAKMP:(0): processing vendor id payload
*Sep 21 15:20:27.552: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Sep 21 15:20:27.552: ISAKMP (0): vendor ID is NAT-T v7
*Sep 21 15:20:27.552: ISAKMP:(0): processing vendor id payload
*Sep 21 15:20:27.552: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Sep 21 15:20:27.552: ISAKMP:(0): vendor ID is NAT-T v3
*Sep 21 15:20:27.552: ISAKMP:(0): processing vendor id payload
*Sep 21 15:20:27.552: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Sep 21 15:20:27.552: ISAKMP:(0): vendor ID is NAT-T v2
*Sep 21 15:20:27.552: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 21 15:20:27.552: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1 
*Sep 21 15:20:27.552: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Sep 21 15:20:27.552: ISAKMP:(0): sending packet to {IP Site B} my_port 500 peer_port 500 (R) MM_SA_SETUP
*Sep 21 15:20:27.552: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 21 15:20:27.552: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 21 15:20:27.552: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2 
*Sep 21 15:20:27.560: ISAKMP (0): received packet from {IP Site B} dport 500 sport 500 Global (R) MM_SA_SETUP
*Sep 21 15:20:27.560: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 21 15:20:27.560: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3 
*Sep 21 15:20:27.560: ISAKMP:(0): processing KE payload. message ID = 0
*Sep 21 15:20:27.576: ISAKMP:(0): processing NONCE payload. message ID = 0
*Sep 21 15:20:27.576: ISAKMP:(0):found peer pre-shared key matching {IP Site B}
*Sep 21 15:20:27.576: ISAKMP:(2083): processing vendor id payload
*Sep 21 15:20:27.576: ISAKMP:(2083): vendor ID is DPD
*Sep 21 15:20:27.576: ISAKMP:(2083): processing vendor id payload
*Sep 21 15:20:27.576: ISAKMP:(2083): speaking to another IOS box!
*Sep 21 15:20:27.576: ISAKMP:(2083): processing vendor id payload
*Sep 21 15:20:27.576: ISAKMP:(2083): vendor ID seems Unity/DPD but major 213 mismatch
*Sep 21 15:20:27.576: ISAKMP:(2083): vendor ID is XAUTH
*Sep 21 15:20:27.576: ISAKMP:received payload type 20
*Sep 21 15:20:27.576: ISAKMP (2083): His hash no match - this node outside NAT
*Sep 21 15:20:27.576: ISAKMP:received payload type 20
*Sep 21 15:20:27.576: ISAKMP (2083): No NAT Found for self or peer
*Sep 21 15:20:27.576: ISAKMP:(2083):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 21 15:20:27.576: ISAKMP:(2083):Old State = IKE_R_MM3  New State = IKE_R_MM3 
*Sep 21 15:20:27.580: ISAKMP:(2083): sending packet to {IP Site B} my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Sep 21 15:20:27.580: ISAKMP:(2083):Sending an IKE IPv4 Packet.
*Sep 21 15:20:27.580: ISAKMP:(2083):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 21 15:20:27.580: ISAKMP:(2083):Old State = IKE_R_MM3  New State = IKE_R_MM4 
*Sep 21 15:20:27.604: ISAKMP (2083): received packet from {IP Site B} dport 500 sport 500 Global (R) MM_KEY_EXCH
*Sep 21 15:20:27.604: ISAKMP: reserved not zero on ID payload!
*Sep 21 15:20:27.604: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from {IP Site B} failed its sanity check or is malformed
*Sep 21 15:20:27.604: ISAKMP (2083): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
*Sep 21 15:20:28.604: ISAKMP:(2083): retransmitting phase 1 MM_KEY_EXCH...
*Sep 21 15:20:28.604: ISAKMP (2083): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Sep 21 15:20:28.604: ISAKMP:(2083): retransmitting phase 1 MM_KEY_EXCH
*Sep 21 15:20:28.604: ISAKMP:(2083): sending packet to {IP Site B} my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Sep 21 15:20:28.604: ISAKMP:(2083):Sending an IKE IPv4 Packet.
*Sep 21 15:20:29.108: ISAKMP (2083): received packet from {IP Site B} dport 500 sport 500 Global (R) MM_KEY_EXCH
*Sep 21 15:20:29.108: ISAKMP:(2083): phase 1 packet is a duplicate of a previous packet.
*Sep 21 15:20:29.108: ISAKMP:(2083): retransmission skipped for phase 1 (time since last transmission 504)
*Sep 21 15:20:31.436: ISAKMP:(2082): retransmitting phase 1 MM_KEY_EXCH...
*Sep 21 15:20:31.436: ISAKMP (2082): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Sep 21 15:20:31.436: ISAKMP:(2082): retransmitting phase 1 MM_KEY_EXCH
*Sep 21 15:20:31.436: ISAKMP:(2082): sending packet to {IP Site B} my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Sep 21 15:20:31.436: ISAKMP:(2082):Sending an IKE IPv4 Packet.
*Sep 21 15:20:31.440: ISAKMP (2082): received packet from {IP Site B} dport 500 sport 500 Global (I) MM_KEY_EXCH
*Sep 21 15:20:31.440: ISAKMP:(2082): phase 1 packet is a duplicate of a previous packet.
*Sep 21 15:20:31.440: ISAKMP:(2082): retransmission skipped for phase 1 (time since last transmission 4)
*Sep 21 15:20:39.108: ISAKMP:(2083): retransmitting phase 1 MM_KEY_EXCH...
*Sep 21 15:20:39.108: ISAKMP (2083): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Sep 21 15:20:39.108: ISAKMP:(2083): retransmitting phase 1 MM_KEY_EXCH
*Sep 21 15:20:39.108: ISAKMP:(2083): sending packet to {IP Site B} my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Sep 21 15:20:39.108: ISAKMP:(2083):Sending an IKE IPv4 Packet.
*Sep 21 15:20:39.108: ISAKMP (2083): received packet from {IP Site B} dport 500 sport 500 Global (R) MM_KEY_EXCH
*Sep 21 15:20:39.108: ISAKMP:(2083): phase 1 packet is a duplicate of a previous packet.
*Sep 21 15:20:39.108: ISAKMP:(2083): retransmission skipped for phase 1 (time since last transmission 0)
*Sep 21 15:20:41.436: ISAKMP:(2082): retransmitting phase 1 MM_KEY_EXCH...
*Sep 21 15:20:41.436: ISAKMP (2082): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Sep 21 15:20:41.436: ISAKMP:(2082): retransmitting phase 1 MM_KEY_EXCH
*Sep 21 15:20:41.436: ISAKMP:(2082): sending packet to {IP Site B} my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Sep 21 15:20:41.436: ISAKMP:(2082):Sending an IKE IPv4 Packet.
*Sep 21 15:20:41.440: ISAKMP (2082): received packet from {IP Site B} dport 500 sport 500 Global (I) MM_KEY_EXCH
*Sep 21 15:20:41.440: ISAKMP:(2082): phase 1 packet is a duplicate of a previous packet.
*Sep 21 15:20:41.440: ISAKMP:(2082): retransmission skipped for phase 1 (time since last transmission 4)
*Sep 21 15:20:49.108: ISAKMP:(2083): retransmitting phase 1 MM_KEY_EXCH...
*Sep 21 15:20:49.108: ISAKMP (2083): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Sep 21 15:20:49.108: ISAKMP:(2083): retransmitting phase 1 MM_KEY_EXCH
*Sep 21 15:20:49.108: ISAKMP:(2083): sending packet to {IP Site B} my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Sep 21 15:20:49.108: ISAKMP:(2083):Sending an IKE IPv4 Packet.
*Sep 21 15:20:49.108: ISAKMP (2083): received packet from {IP Site B} dport 500 sport 500 Global (R) MM_KEY_EXCH
*Sep 21 15:20:49.108: ISAKMP:(2083): phase 1 packet is a duplicate of a previous packet.
*Sep 21 15:20:49.108: ISAKMP:(2083): retransmission skipped for phase 1 (time since last transmission 0)
*Sep 21 15:20:49.876: ISAKMP: set new node 0 to QM_IDLE      
*Sep 21 15:20:49.876: ISAKMP:(2082):SA is still budding. Attached new ipsec request to it. (local 190.64.91.235, remote {IP Site B})
*Sep 21 15:20:49.876: ISAKMP: Error while processing SA request: Failed to initialize SA
*Sep 21 15:20:49.876: ISAKMP: Error while processing KMI message 0, error 2.
*Sep 21 15:20:51.436: ISAKMP:(2082): retransmitting phase 1 MM_KEY_EXCH...
*Sep 21 15:20:51.436: ISAKMP (2082): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Sep 21 15:20:51.436: ISAKMP:(2082): retransmitting phase 1 MM_KEY_EXCH
*Sep 21 15:20:51.436: ISAKMP:(2082): sending packet to {IP Site B} my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Sep 21 15:20:51.436: ISAKMP:(2082):Sending an IKE IPv4 Packet.
*Sep 21 15:20:51.440: ISAKMP (2082): received packet from {IP Site B} dport 500 sport 500 Global (I) MM_KEY_EXCH
*Sep 21 15:20:51.440: ISAKMP:(2082): phase 1 packet is a duplicate of a previous packet.
*Sep 21 15:20:51.440: ISAKMP:(2082): retransmission skipped for phase 1 (time since last transmission 4)
Router_GC2#no debug crypto isakmp 
Crypto ISAKMP debugging is off

Do you guys have an idea of what I'm doing wrong? Thanks in advance for your replies.
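Reading a debug crypto isakmp trace like the one above by hand is tedious, and the interesting lines (the last main-mode state reached, the retransmission counter, the sanity-check failure) are scattered among vendor-ID noise. The Python script below is an added example, not from the thread: it parses a constructed sample modelled on the posted output (192.0.2.10 stands in for the {IP Site B} placeholder; the SA id changes from 0 to 2083 once IOS has allocated the SA, as in the real log) and reports per ISAKMP SA how far phase 1 got, how far the retransmission counter climbed, and whether any IKE message was rejected as malformed. The hint it attaches to a rejected MM_KEY_EXCH message is the general IKEv1 rule that main-mode message 5 is the first one encrypted with keys derived from the pre-shared key, so a decode failure there usually means the two peers did not derive the same keys.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the "debug crypto isakmp" output in the post.
# 192.0.2.10 (a documentation address) stands in for {IP Site B}.
SAMPLE_DEBUG = """\
*Sep 21 15:20:27.548: ISAKMP (0): received packet from 192.0.2.10 dport 500 sport 500 Global (N) NEW SA
*Sep 21 15:20:27.548: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Sep 21 15:20:27.548: ISAKMP:(0):found peer pre-shared key matching 192.0.2.10
*Sep 21 15:20:27.552: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
*Sep 21 15:20:27.560: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
*Sep 21 15:20:27.576: ISAKMP (2083): No NAT Found for self or peer
*Sep 21 15:20:27.580: ISAKMP:(2083):Old State = IKE_R_MM3  New State = IKE_R_MM4
*Sep 21 15:20:27.604: ISAKMP: reserved not zero on ID payload!
*Sep 21 15:20:27.604: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 192.0.2.10 failed its sanity check or is malformed
*Sep 21 15:20:27.604: ISAKMP (2083): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
*Sep 21 15:20:28.604: ISAKMP (2083): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Sep 21 15:20:31.436: ISAKMP (2082): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Sep 21 15:20:39.108: ISAKMP (2083): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Sep 21 15:20:49.108: ISAKMP (2083): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Sep 21 15:20:49.876: ISAKMP: Error while processing SA request: Failed to initialize SA
"""

SA_RE = re.compile(r"ISAKMP:?\s?\((\d+)\)")            # "ISAKMP (2083):" or "ISAKMP:(0):"
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
ATTEMPT_RE = re.compile(r"attempt (\d+) of (\d+)")
BAD_MSG_RE = re.compile(r"%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from (\S+)")
MALFORMED_RE = re.compile(r"reserved not zero|failed its sanity check")
SA_INIT_FAIL = "Failed to initialize SA"


def parse_isakmp_debug(text):
    """Group state transitions and retransmit counters by ISAKMP SA id."""
    sas = defaultdict(lambda: {"states": [], "max_attempt": 0, "limit": None})
    events = {"bad_message_peers": [], "malformed_lines": 0, "sa_init_failures": 0}
    for line in text.splitlines():
        m = SA_RE.search(line)
        sa = sas[m.group(1)] if m else None
        s = STATE_RE.search(line)
        if s and sa is not None:
            sa["states"].append(s.group(2))
        a = ATTEMPT_RE.search(line)
        if a and sa is not None:
            sa["max_attempt"] = max(sa["max_attempt"], int(a.group(1)))
            sa["limit"] = int(a.group(2))
        b = BAD_MSG_RE.search(line)
        if b:
            events["bad_message_peers"].append(b.group(1))
        if MALFORMED_RE.search(line):
            events["malformed_lines"] += 1
        if SA_INIT_FAIL in line:
            events["sa_init_failures"] += 1
    return dict(sas), events


def phase1_completed(sas):
    """IOS logs IKE_P1_COMPLETE as the new state when main mode finishes."""
    return any("IKE_P1_COMPLETE" in sa["states"] for sa in sas.values())


def triage(text):
    """Return human-readable findings for a debug capture."""
    sas, events = parse_isakmp_debug(text)
    findings = []
    if not phase1_completed(sas):
        findings.append("phase 1 never completed on any SA")
    for sa_id, sa in sorted(sas.items(), key=lambda kv: int(kv[0])):
        last = sa["states"][-1] if sa["states"] else "no state change seen"
        msg = f"SA {sa_id}: last state {last}"
        if sa["max_attempt"]:
            msg += f", phase 1 retransmitted (attempt {sa['max_attempt']} of {sa['limit']})"
        findings.append(msg)
    for peer in events["bad_message_peers"]:
        findings.append(f"IKE message from {peer} rejected as malformed in MM_KEY_EXCH: "
                        "message 5 is the first one encrypted with PSK-derived keys, so verify the "
                        "pre-shared-key entry (address, mask and key) on both peers")
    if events["sa_init_failures"]:
        findings.append(f"{events['sa_init_failures']} IPsec SA request(s) failed because phase 1 was still pending")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DEBUG):
        print(f)
```

To use it on a real capture, save the router output to a file and call triage on its contents; the regular expressions only rely on the line formats visible in the posted log.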

3 Replies

Hi,

Although I am not familiar with this sort of vpn configuration, the one thing I notice in your config is

ip access-list extended acl_tunel_ALU_T2371
 permit ip any any
ip access-list extended acl_tunel_UNION_T2370
 permit ip any any

So how do you know which tunnel to send the traffic to for the remote sites?

Hello,

Thank you for your reply. That is done on the VLAN interface with the xconnect command. I think that the problem is an authentication issue but I still could not resolve it. I will try to be more specific on the access list and post the results. Regards,

Valentin

vcapeci46
Level 1

Hello,

I managed to set up the 2 tunnels. The problem was in the definition of the pre-shared key: I was missing the mask. So the correct script is:

crypto keyring key_tunel_UNION_T2370
  pre-shared-key address {Ip address site B} {Mask} key {key1}

on both sites.
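The fix above (an explicit mask on the keyring entry) and the first reply's concern about the two permit ip any any ACLs are both questions of whether the pieces of a crypto-map configuration reference each other consistently. The Python script below is an added example, not from the thread: it parses a constructed IOS excerpt modelled on the posted Site A config (192.0.2.10 and 198.51.100.20 stand in for the site B and site C placeholders; the keyring and profile for site C are assumed, since the post does not show them) and flags keyring entries with no explicit mask, references to undefined keyrings, profiles or ACLs, peers that fall outside a profile's match identity, and any/any crypto ACLs. Run against the "before" and "after" versions it shows the mask warning and the missing site C profile disappearing while the ACL warnings remain.

```python
import ipaddress

# Constructed excerpt modelled on the posted Site A config before the fix.
# 192.0.2.10 / 198.51.100.20 stand in for the site B / site C placeholders;
# transform-set and interface lines are omitted because the checks do not use them.
CONFIG_BEFORE = """\
crypto keyring key_tunel_UNION_T2370
  pre-shared-key address 192.0.2.10 key key1
crypto isakmp profile profile_tunel_UNION_T2370
   keyring key_tunel_UNION_T2370
   match identity address 192.0.2.10 255.255.255.255
crypto map ipsec-maps 10 ipsec-isakmp
 set peer 192.0.2.10
 set isakmp-profile profile_tunel_UNION_T2370
 match address acl_tunel_UNION_T2370
crypto map ipsec-maps 20 ipsec-isakmp
 set peer 198.51.100.20
 set isakmp-profile profile_tunel_ALU_T2371
 match address acl_tunel_ALU_T2371
ip access-list extended acl_tunel_ALU_T2371
 permit ip any any
ip access-list extended acl_tunel_UNION_T2370
 permit ip any any
"""

# Same config with the mask added, as in the resolution, plus an assumed
# keyring and profile for site C (the thread does not show them).
CONFIG_AFTER = CONFIG_BEFORE.replace(
    "pre-shared-key address 192.0.2.10 key key1",
    "pre-shared-key address 192.0.2.10 255.255.255.255 key key1",
) + """\
crypto keyring key_tunel_ALU_T2371
  pre-shared-key address 198.51.100.20 255.255.255.255 key key2
crypto isakmp profile profile_tunel_ALU_T2371
   keyring key_tunel_ALU_T2371
   match identity address 198.51.100.20 255.255.255.255
"""


def parse_config(text):
    """Collect keyrings, isakmp profiles, crypto map entries and extended ACLs."""
    cfg = {"keyrings": {}, "profiles": {}, "maps": {}, "acls": {}}
    current = None  # (kind, object) for the section whose indented lines follow
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        w = raw.split()
        if not raw[0].isspace():  # a top-level command opens a new section
            if w[:2] == ["crypto", "keyring"]:
                current = ("keyring", cfg["keyrings"].setdefault(w[2], []))
            elif w[:3] == ["crypto", "isakmp", "profile"]:
                current = ("profile", cfg["profiles"].setdefault(w[3], {}))
            elif w[:2] == ["crypto", "map"] and len(w) > 3 and w[3].isdigit():
                current = ("map", cfg["maps"].setdefault((w[2], int(w[3])), {}))
            elif w[:3] == ["ip", "access-list", "extended"]:
                current = ("acl", cfg["acls"].setdefault(w[3], []))
            else:
                current = None
            continue
        if current is None:
            continue
        kind, obj = current
        if kind == "keyring" and w[:2] == ["pre-shared-key", "address"]:
            k = w.index("key")  # pre-shared-key address A.B.C.D [MASK] key SECRET
            obj.append({"address": w[2], "mask": w[3] if k == 4 else None})
        elif kind == "profile":
            if w[0] == "keyring":
                obj["keyring"] = w[1]
            elif w[:3] == ["match", "identity", "address"]:
                obj["match"] = (w[3], w[4] if len(w) > 4 else "255.255.255.255")
        elif kind == "map" and len(w) > 2:
            key = {"set peer": "peer", "set isakmp-profile": "profile",
                   "match address": "acl"}.get(" ".join(w[:2]))
            if key:
                obj[key] = w[2]
        elif kind == "acl":
            obj.append(" ".join(w))
    return cfg


def lint(cfg):
    """Return WARN/ERROR strings for dangling references and weak settings."""
    out = []
    for name, entries in cfg["keyrings"].items():
        for e in entries:
            if e["mask"] is None:
                out.append(f"WARN keyring {name}: pre-shared-key address {e['address']} has no explicit mask")
    for name, p in cfg["profiles"].items():
        if p.get("keyring") not in cfg["keyrings"]:
            out.append(f"ERROR profile {name}: keyring {p.get('keyring')} is not defined")
    for (mapname, seq), m in sorted(cfg["maps"].items()):
        prof = cfg["profiles"].get(m.get("profile"))
        if prof is None:
            out.append(f"ERROR crypto map {mapname} {seq}: isakmp profile {m.get('profile')} is not defined")
        elif "match" in prof and "peer" in m:
            net = ipaddress.ip_network("%s/%s" % prof["match"], strict=False)
            if ipaddress.ip_address(m["peer"]) not in net:
                out.append(f"ERROR crypto map {mapname} {seq}: peer {m['peer']} is outside match identity {net}")
        acl = cfg["acls"].get(m.get("acl"))
        if acl is None:
            out.append(f"ERROR crypto map {mapname} {seq}: ACL {m.get('acl')} is not defined")
        elif any(e.startswith("permit ip any any") for e in acl):
            out.append(f"WARN crypto map {mapname} {seq}: ACL {m['acl']} is permit ip any any; entries are "
                       "tried in sequence order, so a later entry with an equally broad ACL is shadowed")
    return out


if __name__ == "__main__":
    for label, text in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(f"--- {label} ---", *lint(parse_config(text)), sep="\n")
```

The parser deliberately only understands the four section types the checks need; feeding it a full running-config is fine because unrecognised top-level commands reset the current section and their indented lines are skipped.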