Re: Cisco 2801 - IPSEC/L2TP client behind NATting Router

jeff.mcluckie45 · ‎01-09-2014

Good Evening,

I am trying to setup the following:

Cisco 2801 Fa0/0(10.10.1.251) ---> (10.10.1.253) VDSL Router (NAT to External IP) ---> StrongVPN VPN Provider

I am wanting the 2801 to initiate L2TP over IPSEC to STRONGVPN, which will then allow clients to route through it. I currently have a Cisco 857 performing this role that I want the 2801 to replace.

The 857 brings up IPSEC and Virtual-PPP1 and routes fine.The 2801 fails. Config is almost identical.

The 857 shows this in the Debug Log (success)

000424: *Oct 26 07:40:15.142 NZDT: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 10.10.1.252, remote= 216.131.96.21,

local_proxy= 125.236.208.59/255.255.255.255/17/1701 (type=1),

remote_proxy= 216.131.96.21/255.255.255.255/17/1701 (type=1),

protocol= ESP, transform= NONE (Transport-UDP),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0

000425: *Oct 26 07:40:15.142 NZDT: Crypto mapdb : proxy_match

src addr : 10.10.1.252

dst addr : 216.131.96.21

protocol : 17

src port : 1701

dst port : 1701

000426: *Oct 26 07:40:15.142 NZDT: ISAKMP:(2002): processing NONCE payload. message ID = -356551661

000427: *Oct 26 07:40:15.142 NZDT: ISAKMP:(2002): processing ID payload. message ID = -356551661

000428: *Oct 26 07:40:15.142 NZDT: ISAKMP:(2002): processing ID payload. message ID = -356551661

000429: *Oct 26 07:40:15.142 NZDT: ISAKMP:(2002): processing NOTIFY RESPONDER_LIFETIME protocol 3

spi 856781567, message ID = -356551661, sa = 82632054

000430: *Oct 26 07:40:15.142 NZDT: ISAKMP:(2002):SA authentication status:

authenticated

The 2801 Shows This (FAILURE)

*Jan 8 20:59:35.183 NZDT: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 10.10.1.251, remote= 216.131.96.21,

local_proxy= 125.236.208.59/255.255.255.255/17/0 (type=1),

remote_proxy= 216.131.96.21/255.255.255.255/17/1701 (type=1),

protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport-UDP),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x800

*Jan 8 20:59:35.183 NZDT: Crypto mapdb : proxy_match

src addr : VDSL External IP

dst addr : 216.131.96.21

protocol : 17

src port : 0

dst port : 1701

*Jan 8 20:59:35.183 NZDT: IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x800

*Jan 8 20:59:35.183 NZDT: ISAKMP:(0:18:SW:1): IPSec policy invalidated proposal

sh version

Cisco IOS Software, 2801 Software (C2801-ADVIPSERVICESK9-M), Version 12.4(25c), RELEASE SOFTWARE (fc2)

Full Debug Log below:

*Jan 8 20:59:05.839 NZDT: ISAKMP:(0:18:SW:1): sending packet to 216.131.96.21 my_port 4500 peer_port 4500 (I) QM_IDLE

*Jan 8 20:59:05.843 NZDT: ISAKMP:(0:18:SW:1):purging node 1561655526

*Jan 8 20:59:05.843 NZDT: ISAKMP (0:134217746): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node 1084852379: state = IKE_QM_I_QM1

*Jan 8 20:59:05.843 NZDT: ISAKMP:(0:18:SW:1):Node 1084852379, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Jan 8 20:59:05.843 NZDT: ISAKMP:(0:18:SW:1):Old State = IKE_QM_I_QM1 New State = IKE_QM_I_QM1

*Jan 8 20:59:11.191 NZDT: %ENVMON-4-FAN_LOW_RPM: Fan 1 service recommended

*Jan 8 20:59:11.195 NZDT: %ENVMON-4-FAN_LOW_RPM: Fan 2 service recommended

*Jan 8 20:59:25.843 NZDT: ISAKMP: sending nat keepalive packet to 216.131.96.21(4500)

*Jan 8 20:59:35.023 NZDT: IPSEC(key_engine): request timer fired: count = 1,

(identity) local= 10.10.1.251, remote= 216.131.96.21,

local_proxy= 10.10.1.251/255.255.255.255/17/0 (type=1),

remote_proxy= 216.131.96.21/255.255.255.255/17/1701 (type=1)

*Jan 8 20:59:35.023 NZDT: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= 10.10.1.251, remote= 216.131.96.21,

local_proxy= 10.10.1.251/255.255.255.255/17/0 (type=1),

remote_proxy= 216.131.96.21/255.255.255.255/17/1701 (type=1),

protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport),

lifedur= 3600s and 4608000kb,

spi= 0x95736ED8(2507370200), conn_id= 0, keysize= 256, flags= 0x400C

*Jan 8 20:59:35.023 NZDT: ISAKMP: received ke message (1/1)

*Jan 8 20:59:35.023 NZDT: ISAKMP: set new node 0 to QM_IDLE

*Jan 8 20:59:35.023 NZDT: SA has outstanding requests (local 10.10.1.251 port 4500, remote 216.131.96.21 port 4500)

*Jan 8 20:59:35.023 NZDT: ISAKMP:(0:18:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE )

*Jan 8 20:59:35.023 NZDT: ISAKMP:(0:18:SW:1):beginning Quick Mode exchange, M-ID of -512527663

*Jan 8 20:59:35.023 NZDT: ISAKMP:(0:18:SW:1): sending packet to 216.131.96.21 my_port 4500 peer_port 4500 (I) QM_IDLE

*Jan 8 20:59:35.027 NZDT: ISAKMP:(0:18:SW:1):Node -512527663, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

*Jan 8 20:59:35.027 NZDT: ISAKMP:(0:18:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1

*Jan 8 20:59:35.179 NZDT: ISAKMP (0:134217746): received packet from 216.131.96.21 dport 4500 sport 4500 Global (I) QM_IDLE

*Jan 8 20:59:35.179 NZDT: ISAKMP:(0:18:SW:1): processing HASH payload. message ID = -512527663

*Jan 8 20:59:35.179 NZDT: ISAKMP:(0:18:SW:1): processing SA payload. message ID = -512527663

*Jan 8 20:59:35.179 NZDT: ISAKMP:(0:18:SW:1):Checking IPSec proposal 1

*Jan 8 20:59:35.179 NZDT: ISAKMP: transform 1, ESP_AES

*Jan 8 20:59:35.179 NZDT: ISAKMP: attributes in transform:

*Jan 8 20:59:35.179 NZDT: ISAKMP: encaps is 61444 (Transport-UDP)

*Jan 8 20:59:35.179 NZDT: ISAKMP: key length is 256

*Jan 8 20:59:35.179 NZDT: ISAKMP: authenticator is HMAC-SHA

*Jan 8 20:59:35.179 NZDT: ISAKMP: SA life type in seconds

*Jan 8 20:59:35.179 NZDT: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10

*Jan 8 20:59:35.179 NZDT: ISAKMP: SA life type in kilobytes

*Jan 8 20:59:35.179 NZDT: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

*Jan 8 20:59:35.179 NZDT: ISAKMP:(0:18:SW:1):atts are acceptable.

*Jan 8 20:59:35.183 NZDT: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 10.10.1.251, remote= 216.131.96.21,

local_proxy= 125.236.208.59/255.255.255.255/17/0 (type=1),

remote_proxy= 216.131.96.21/255.255.255.255/17/1701 (type=1),

protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport-UDP),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x800

*Jan 8 20:59:35.183 NZDT: Crypto mapdb : proxy_match

src addr : 125.236.208.59

dst addr : 216.131.96.21

protocol : 17

src port : 0

dst port : 1701

*Jan 8 20:59:35.183 NZDT: IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x800

*Jan 8 20:59:35.183 NZDT: ISAKMP:(0:18:SW:1): IPSec policy invalidated proposal

*Jan 8 20:59:35.183 NZDT: ISAKMP:(0:18:SW:1): phase 2 SA policy not acceptable! (local 10.10.1.251 remote 216.131.96.21)

*Jan 8 20:59:35.183 NZDT: ISAKMP: set new node -18096953 to QM_IDLE

*Jan 8 20:59:35.183 NZDT: ISAKMP:(0:18:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

spi 1687629576, message ID = -18096953

Config

Config Below, I have removed the NAT between Fa0/0 and Virtual-PPP1 to test.

I have also added the L2TP-SA-P2 access list and crypto map - if I don't have it I get an error that there is no crypto map for 10.10.1.251.

!

version 12.4

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

!

hostname wasabi2k-2801

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 debugging

logging console critical

enable secret bananas

enable password bananas

!

no aaa new-model

clock timezone NZDT -12

clock summer-time PCTime date Mar 15 2003 3:00 Oct 4 2003 2:00

ip cef

!

no ip bootp server

ip domain name wasabi2k-2801.wasabi2k.local

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

voice-card 0

!

username user privilege 15 password bananas

!

ip ssh time-out 60

ip ssh authentication-retries 2

pseudowire-class pwclass1

encapsulation l2tpv2

ip local interface FastEthernet0/0

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

lifetime 3600

crypto isakmp key key address 216.131.96.21

crypto isakmp nat keepalive 20

!

crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac

mode transport

crypto ipsec transform-set STRONGVPN esp-aes 256 esp-sha-hmac

mode transport

!

crypto map L2TP-IPSEC 10 ipsec-isakmp

set peer 216.131.96.21

set transform-set ESP-AES256-SHA1

match address L2TP-SA

crypto map L2TP-IPSEC 20 ipsec-isakmp

set peer 216.131.96.21

set transform-set STRONGVPN

match address L2TP-SA-P2

!

interface FastEthernet0/0

ip address 10.10.1.251 255.255.255.0

speed auto

full-duplex

no mop enabled

crypto map L2TP-IPSEC

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet0/1/0

shutdown

!

interface FastEthernet0/1/1

shutdown

!

interface FastEthernet0/1/2

shutdown

!

interface FastEthernet0/1/3

shutdown

!

interface Serial0/2/0

no ip address

shutdown

clock rate 2000000

!

interface Virtual-PPP1

description StrongVPN

ip address negotiated

ip tcp adjust-mss 1350

no cdp enable

ppp chap hostname username

ppp chap password password

pseudowire 216.131.96.21 1 pw-class pwclass1

!

interface Vlan1

no ip address

shutdown

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Virtual-PPP1

ip route 216.131.96.21 255.255.255.255 10.10.1.253

!

no ip http server

no ip http secure-server

!

ip access-list extended L2TP-SA

permit udp host 10.10.1.251 host 216.131.96.21 eq 1701

ip access-list extended L2TP-SA-P2

permit udp host VDSL External IP host 216.131.96.21 eq 1701

ip access-list extended clear-df-bit

permit ip any any

!

logging trap debugging

access-list 1 permit 10.10.0.0 0.0.255.255

access-list 100 deny ip any any

access-list 100 permit ip 10.10.1.0 0.0.0.255 any

!

route-map clear-df-bit permit 10

match ip address clear-df-bit

set ip df 0

!

control-plane

!

line con 0

line aux 0

line vty 0 4

login local

transport input ssh

!

scheduler allocate 20000 1000

sntp logging

sntp server 121.0.0.41

sntp broadcast client

end

m.kafka · ‎01-09-2014

Well that's interesting!

this is the first time I couldn't identify the relevant part of the RFC from the Cisco debug. I didn't find any "Flag" associated with proposal transforms. But I think that wouldn't be the main issue here.

Besides of that, according to RFCs and acording to Cisco's NAT-T implementation you should not need the second crypto map entry, even for transport mode through NAT-T.

Do you see any confirmation of successfully detecting NAT-T during Phase 1 on the 2801? Did you compare Phase 1 debugs between your 857 and 2801?

Anyhow, you should remove the second crypto map entry.

jeff.mcluckie45 · ‎01-09-2014

Thanks for the reply, I didn't think so - without the second crypto map entry I get the below:

no IPSEC cryptomap exists for local address 10.10.1.251

Despite the fact that the crypto map for 10.10.1.251 -> StrongVPN exists.

Soryr I don't have the debug logs in front of me but I think it did show NAT-T - or at least it said something to the effect of this Node is INSIDE NAT.

I am not in front of it now will compare the Phase 1 and remove the second crypto map entries and go from there.

jeff.mcluckie45 · ‎01-10-2014

Evening,

I have removed the second crypto map and compared the Phase 1 between routers. Phase 1 is the same between both:

*Jan 9 20:32:31.055 NZDT: ISAKMP: received ke message (1/1)

*Jan 9 20:32:31.055 NZDT: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)

*Jan 9 20:32:31.055 NZDT: ISAKMP: Created a peer struct for 216.131.96.21, peer port 500

*Jan 9 20:32:31.055 NZDT: ISAKMP: New peer created peer = 0x643207F8 peer_handle = 0x80000006

*Jan 9 20:32:31.055 NZDT: ISAKMP: Locking peer struct 0x643207F8, IKE refcount 1 for isakmp_initiator

*Jan 9 20:32:31.055 NZDT: ISAKMP: local port 500, remote port 500

*Jan 9 20:32:31.059 NZDT: ISAKMP: set new node 0 to QM_IDLE

*Jan 9 20:32:31.059 NZDT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 643F5B34

*Jan 9 20:32:31.059 NZDT: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.

*Jan 9 20:32:31.059 NZDT: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 216.131.96.21

*Jan 9 20:32:31.059 NZDT: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID

*Jan 9 20:32:31.059 NZDT: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID

*Jan 9 20:32:31.059 NZDT: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID

*Jan 9 20:32:31.059 NZDT: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Jan 9 20:32:31.059 NZDT: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1

*Jan 9 20:32:31.059 NZDT: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange

*Jan 9 20:32:31.059 NZDT: ISAKMP:(0:0:N/A:0): sending packet to 216.131.96.21 my_port 500 peer_port 500 (I) MM_NO_STATE

*Jan 9 20:32:31.215 NZDT: ISAKMP (0:0): received packet from 216.131.96.21 dport 500 sport 500 Global (I) MM_NO_STATE

*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_I_MM2

*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0

*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 228 mismatch

*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 69 mismatch

*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch

*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2

*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch

*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 241 mismatch

*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 134 mismatch

*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 216.131.96.21

*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): local preshared key found

*Jan 9 20:32:31.215 NZDT: ISAKMP : Scanning profiles for xauth ...

*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy

*Jan 9 20:32:31.219 NZDT: ISAKMP: encryption 3DES-CBC

*Jan 9 20:32:31.219 NZDT: ISAKMP: hash SHA

*Jan 9 20:32:31.219 NZDT: ISAKMP: default group 2

*Jan 9 20:32:31.219 NZDT: ISAKMP: auth pre-share

*Jan 9 20:32:31.219 NZDT: ISAKMP: life type in seconds

*Jan 9 20:32:31.219 NZDT: ISAKMP: life duration (VPI) of 0x0 0x0 0xE 0x10

*Jan 9 20:32:31.219 NZDT: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0

*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): processing vendor id payload

*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): vendor ID seems Unity/DPD but major 228 mismatch

*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): processing vendor id payload

*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): vendor ID seems Unity/DPD but major 69 mismatch

*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): processing vendor id payload

*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): vendor ID seems Unity/DPD but major 123 mismatch

*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): vendor ID is NAT-T v2

*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): processing vendor id payload

*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): vendor ID seems Unity/DPD but major 194 mismatch

*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): processing vendor id payload

*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): vendor ID seems Unity/DPD but major 241 mismatch

*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): processing vendor id payload

*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): vendor ID seems Unity/DPD but major 134 mismatch

*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM2

*Jan 9 20:32:31.275 NZDT: ISAKMP:(0:5:SW:1): sending packet to 216.131.96.21 my_port 500 peer_port 500 (I) MM_SA_SETUP

*Jan 9 20:32:31.275 NZDT: ISAKMP:(0:5:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jan 9 20:32:31.275 NZDT: ISAKMP:(0:5:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM3

*Jan 9 20:32:31.435 NZDT: ISAKMP (0:134217733): received packet from 216.131.96.21 dport 500 sport 500 Global (I) MM_SA_SETUP

*Jan 9 20:32:31.435 NZDT: ISAKMP:(0:5:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jan 9 20:32:31.435 NZDT: ISAKMP:(0:5:SW:1):Old State = IKE_I_MM3 New State = IKE_I_MM4

*Jan 9 20:32:31.439 NZDT: ISAKMP:(0:5:SW:1): processing KE payload. message ID = 0

*Jan 9 20:32:31.503 NZDT: ISAKMP:(0:5:SW:1): processing NONCE payload. message ID = 0

*Jan 9 20:32:31.503 NZDT: ISAKMP:(0:5:SW:1):found peer pre-shared key matching 216.131.96.21

*Jan 9 20:32:31.503 NZDT: ISAKMP:(0:5:SW:1):SKEYID state generated

*Jan 9 20:32:31.503 NZDT: ISAKMP:received payload type 20

*Jan 9 20:32:31.503 NZDT: ISAKMP (0:134217733): NAT found, the node inside NAT

*Jan 9 20:32:31.503 NZDT: ISAKMP:received payload type 20

*Jan 9 20:32:31.503 NZDT: ISAKMP:(0:5:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jan 9 20:32:31.503 NZDT: ISAKMP:(0:5:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM4

*Jan 9 20:32:31.507 NZDT: ISAKMP:(0:5:SW:1):Send initial contact

*Jan 9 20:32:31.507 NZDT: ISAKMP:(0:5:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Jan 9 20:32:31.507 NZDT: ISAKMP (0:134217733): ID payload

next-payload : 8

type : 1

address : 10.10.1.251

protocol : 17

port : 0

length : 12

*Jan 9 20:32:31.507 NZDT: ISAKMP:(0:5:SW:1):Total payload length: 12

*Jan 9 20:32:31.507 NZDT: ISAKMP:(0:5:SW:1): sending packet to 216.131.96.21 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

*Jan 9 20:32:31.507 NZDT: ISAKMP:(0:5:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jan 9 20:32:31.507 NZDT: ISAKMP:(0:5:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5

*Jan 9 20:32:31.663 NZDT: ISAKMP (0:134217733): received packet from 216.131.96.21 dport 4500 sport 4500 Global (I) MM_KEY_EXCH

*Jan 9 20:32:31.663 NZDT: ISAKMP:(0:5:SW:1): processing ID payload. message ID = 0

*Jan 9 20:32:31.663 NZDT: ISAKMP (0:134217733): ID payload

next-payload : 8

type : 1

address : 216.131.96.21

protocol : 0

port : 0

length : 12

*Jan 9 20:32:31.663 NZDT: ISAKMP:(0:5:SW:1):: peer matches *none* of the profiles

*Jan 9 20:32:31.663 NZDT: ISAKMP:(0:5:SW:1): processing HASH payload. message ID = 0

*Jan 9 20:32:31.663 NZDT: ISAKMP:(0:5:SW:1):SA authentication status:

authenticated

*Jan 9 20:32:31.663 NZDT: ISAKMP:(0:5:SW:1):SA has been authenticated with 216.131.96.21

*Jan 9 20:32:31.663 NZDT: ISAKMP:(0:5:SW:1):Setting UDP ENC peer struct 0x64C2FFA0 sa= 0x643F5B34

*Jan 9 20:32:31.663 NZDT: ISAKMP: Trying to insert a peer 10.10.1.251/216.131.96.21/4500/, and inserted successfully 643207F8.

*Jan 9 20:32:31.663 NZDT: ISAKMP:(0:5:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jan 9 20:32:31.667 NZDT: ISAKMP:(0:5:SW:1):Old State = IKE_I_MM5 New State = IKE_I_MM6

*Jan 9 20:32:31.667 NZDT: ISAKMP:(0:5:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jan 9 20:32:31.667 NZDT: ISAKMP:(0:5:SW:1):Old State = IKE_I_MM6 New State = IKE_I_MM6

*Jan 9 20:32:31.667 NZDT: ISAKMP:(0:5:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jan 9 20:32:31.667 NZDT: ISAKMP:(0:5:SW:1):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

*Jan 9 20:32:31.667 NZDT: ISAKMP:(0:5:SW:1):beginning Quick Mode exchange, M-ID of -1192846914

*Jan 9 20:32:31.671 NZDT: ISAKMP:(0:5:SW:1): sending packet to 216.131.96.21 my_port 4500 peer_port 4500 (I) QM_IDLE

*Jan 9 20:32:31.671 NZDT: ISAKMP:(0:5:SW:1):Node -1192846914, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

*Jan 9 20:32:31.671 NZDT: ISAKMP:(0:5:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1

*Jan 9 20:32:31.671 NZDT: ISAKMP:(0:5:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Jan 9 20:32:31.671 NZDT: ISAKMP:(0:5:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

However Phase 2 doesn't complete - now complains about missing crypto map:

*Jan 9 20:32:31.827 NZDT: ISAKMP (0:134217733): received packet from 216.131.96.21 dport 4500 sport 4500 Global (I) QM_IDLE

*Jan 9 20:32:31.827 NZDT: ISAKMP:(0:5:SW:1): processing HASH payload. message ID = -1192846914

*Jan 9 20:32:31.827 NZDT: ISAKMP:(0:5:SW:1): processing SA payload. message ID = -1192846914

*Jan 9 20:32:31.827 NZDT: ISAKMP:(0:5:SW:1):Checking IPSec proposal 1

*Jan 9 20:32:31.827 NZDT: ISAKMP: transform 1, ESP_AES

*Jan 9 20:32:31.827 NZDT: ISAKMP: attributes in transform:

*Jan 9 20:32:31.827 NZDT: ISAKMP: encaps is 61444 (Transport-UDP)

*Jan 9 20:32:31.827 NZDT: ISAKMP: key length is 256

*Jan 9 20:32:31.827 NZDT: ISAKMP: authenticator is HMAC-SHA

*Jan 9 20:32:31.827 NZDT: ISAKMP: SA life type in seconds

*Jan 9 20:32:31.831 NZDT: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10

*Jan 9 20:32:31.831 NZDT: ISAKMP: SA life type in kilobytes

*Jan 9 20:32:31.831 NZDT: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

*Jan 9 20:32:31.831 NZDT: ISAKMP:(0:5:SW:1):atts are acceptable.

*Jan 9 20:32:31.831 NZDT: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 10.10.1.251, remote= 216.131.96.21,

local_proxy= external IP/255.255.255.255/17/0 (type=1),

remote_proxy= 216.131.96.21/255.255.255.255/17/1701 (type=1),

protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport-UDP),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x800

*Jan 9 20:32:31.831 NZDT: Crypto mapdb : proxy_match

src addr : external IP

dst addr : 216.131.96.21

protocol : 17

src port : 0

dst port : 1701

*Jan 9 20:32:31.831 NZDT: Crypto mapdb : proxy_match

src addr : external IP

dst addr : 216.131.96.21

protocol : 17

src port : 0

dst port : 1701

*Jan 9 20:32:31.831 NZDT: map_db_find_best did not find matching map

*Jan 9 20:32:31.831 NZDT: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 10.10.1.251

*Jan 9 20:32:31.831 NZDT: ISAKMP:(0:5:SW:1): IPSec policy invalidated proposal

*Jan 9 20:32:31.831 NZDT: ISAKMP:(0:5:SW:1): phase 2 SA policy not acceptable! (local 10.10.1.251 remote 216.131.96.21)

*Jan 9 20:32:31.831 NZDT: ISAKMP: set new node -1015423321 to QM_IDLE

*Jan 9 20:32:31.831 NZDT: ISAKMP:(0:5:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

spi 1687174920, message ID = -1015423321

*Jan 9 20:32:31.831 NZDT: ISAKMP:(0:5:SW:1): sending packet to 216.131.96.21 my_port 4500 peer_port 4500 (I) QM_IDLE

*Jan 9 20:32:31.831 NZDT: ISAKMP:(0:5:SW:1):purging node -1015423321

*Jan 9 20:32:31.835 NZDT: ISAKMP (0:134217733): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node -1192846914: state = IKE_QM_I_QM1

*Jan 9 20:32:31.835 NZDT: ISAKMP:(0:5:SW:1):Node -1192846914, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Jan 9 20:32:31.835 NZDT: ISAKMP:(0:5:SW:1):Old State = IKE_QM_I_QM1 New State = IKE_QM_I_QM1

m.kafka · ‎01-11-2014

There are a couple of error messages in the debug of the 2801 which point to a deeper problem: "Unknown input..." and "Invalid transform proposal flags..:". If the 857 understands the IKE messages, why would a 2801 throw error messages?

Can you compare the versions? Maybe the 2801 is running an outdated IOS.

jeff.mcluckie45 · ‎01-12-2014

I will try the latest 15.x image this evening and see if it makes any difference.

Mark Graham · ‎01-14-2014

here is what i dont like seeing in the debugs though

*Jan 9 20:32:31.831 NZDT: ISAKMP:(0:5:SW:1): phase 2 SA policy not acceptable! (local 10.10.1.251 remote 216.131.96.21)

shouldnt it use your external iP?

are your ACL's correct? is 1701 the port you need? i thought ISAKMP should run through port 500?

i also see your virtual interface does not have a crypto map, shouldnt the crypto map be on that vs the interface of the ethernet adapter?

right now it is trying to use your 10.10.1.251 address to negociate, does your VDSL present an external IP address to your router?

jeff.mcluckie45 · ‎01-14-2014

Yes, it should - however as far as I understand NAT-T should resolve this - which doesn't appear to be happening.

The 2801 is single interface - FastEthernet0/0 is the interface to the local LAN and the path to the internet through a NATting router out.

The crypto map is on this interface - which is correct as far as I understand. The Virtual Interface is only used for routing once the IPSEC sa is established and L2TP tunnel is authenticated - long after the crypto map is needed.

I am attempting to do L2TP over IPSEC - hence port 1701 in the ACL.

ISAKMP is through port 500, but it isn't encrypted through IPSEC as ISAKMP is used to negotiate the IPSEC connection. UDP4500 is also used in establishing the connection.

As I have stated the exact config works on an 857, NAT-T takes care of the internal/external IP and negotiates the SA. The 2801 doesn't.

I can manually add another entry to the crypto map for the External IP, but this then results in invalid transform flags (0x800).

I have setup the router to do PPTP using VPDN and service internal - works fine, but I would love to understand why on earth this doesn't work.

Mark Graham · ‎01-14-2014

What about your transform set? I can't remember what phase that is initiated at.

Just throwing ideas out.

jeff.mcluckie45 · ‎01-14-2014

transform set is configured the same as the 857, I don't have it in front of me currently.

Appreciate the assistance.

Mark Graham · ‎01-15-2014

try removing the crypto transform set off of the P1 map

looking at the debugs closer

800 router

The 857 shows this in the Debug Log (success)

000424: *Oct 26 07:40:15.142 NZDT: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 10.10.1.252, remote= 216.131.96.21,

local_proxy= 125.236.208.59/255.255.255.255/17/1701 (type=1),

remote_proxy= 216.131.96.21/255.255.255.255/17/1701 (type=1),

protocol= ESP, transform= NONE (Transport-UDP),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0

and the 2801

The 2801 Shows This (FAILURE)

*Jan 8 20:59:35.183 NZDT: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 10.10.1.251, remote= 216.131.96.21,

local_proxy= 125.236.208.59/255.255.255.255/17/0 (type=1),

remote_proxy= 216.131.96.21/255.255.255.255/17/1701 (type=1),

protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport-UDP),

lifedur= 0s and 0kb,

for whatever reason phase 1 is not using the transform set.

which makes sense, because you're not using crypto over isakmp as you stated.

jeff.mcluckie45 · ‎01-15-2014

So this is the ACL applied to the Crypto Map

ip access-list extended L2TP-SA

permit udp host 10.10.1.251 host 216.131.96.21 eq 1701

As I understand it 1701 is used by L2TP - but that should be passed over IPSEC.

So in my case I need the crypto map to attempt to encrypt the L2TP - otherwise it will never initiate IPSEC?

So what I am thinking based on your comment is REMOVE the transform set entry from The first entry in the crypto map, then have it included in the second part and see if that works? So:

crypto map L2TP-IPSEC 10 ipsec-isakmp

set peer 216.131.96.21

match address L2TP-SA

crypto map L2TP-IPSEC 20 ipsec-isakmp

set peer 216.131.96.21

set transform-set STRONGVPN

match address L2TP-SA

Looking at those logs the source port is different too, 1701 on the 857 and 0 on the 2801, not sure if that makes a difference.

local_proxy= 125.236.208.59/255.255.255.255/17/1701 (type=1),

remote_proxy= 216.131.96.21/255.255.255.255/17/1701 (type=1),

protocol= ESP, transform= NONE (Transport-UDP),

local_proxy= 125.236.208.59/255.255.255.255/17/0 (type=1),

remote_proxy= 216.131.96.21/255.255.255.255/17/1701 (type=1),

protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport-UDP),

jeff.mcluckie45 · ‎01-15-2014

Crypto Maps REQUIRE a transform set to work.

I modified my access list to be:

host eq 1701 to host eq 1701 which resulted in the ports being the same as the 857, but still have the same issue.

doing my head in.

On the plus side I got the router to initiate L2TP using vpdn and Dialer interfaces, but my IPSEC/ISAKMP is still broken.

As I understand it my Phase 1 is fine - it is Phase 2 that is failing.