01-09-2014 12:56 AM - edited 02-21-2020 07:26 PM
Good Evening,
I am trying to setup the following:
Cisco 2801 Fa0/0(10.10.1.251) ---> (10.10.1.253) VDSL Router (NAT to External IP) ---> StrongVPN VPN Provider
I am wanting the 2801 to initiate L2TP over IPSEC to STRONGVPN, which will then allow clients to route through it. I currently have a Cisco 857 performing this role that I want the 2801 to replace.
The 857 brings up IPSEC and Virtual-PPP1 and routes fine. The 2801 fails. Config is almost identical.
The 857 shows this in the Debug Log (success)
000424: *Oct 26 07:40:15.142 NZDT: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.10.1.252, remote= 216.131.96.21,
local_proxy= 125.236.208.59/255.255.255.255/17/1701 (type=1),
remote_proxy= 216.131.96.21/255.255.255.255/17/1701 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
000425: *Oct 26 07:40:15.142 NZDT: Crypto mapdb : proxy_match
src addr : 10.10.1.252
dst addr : 216.131.96.21
protocol : 17
src port : 1701
dst port : 1701
000426: *Oct 26 07:40:15.142 NZDT: ISAKMP:(2002): processing NONCE payload. message ID = -356551661
000427: *Oct 26 07:40:15.142 NZDT: ISAKMP:(2002): processing ID payload. message ID = -356551661
000428: *Oct 26 07:40:15.142 NZDT: ISAKMP:(2002): processing ID payload. message ID = -356551661
000429: *Oct 26 07:40:15.142 NZDT: ISAKMP:(2002): processing NOTIFY RESPONDER_LIFETIME protocol 3
spi 856781567, message ID = -356551661, sa = 82632054
000430: *Oct 26 07:40:15.142 NZDT: ISAKMP:(2002):SA authentication status:
authenticated
The 2801 Shows This (FAILURE)
*Jan 8 20:59:35.183 NZDT: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.10.1.251, remote= 216.131.96.21,
local_proxy= 125.236.208.59/255.255.255.255/17/0 (type=1),
remote_proxy= 216.131.96.21/255.255.255.255/17/1701 (type=1),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x800
*Jan 8 20:59:35.183 NZDT: Crypto mapdb : proxy_match
src addr : VDSL External IP
dst addr : 216.131.96.21
protocol : 17
src port : 0
dst port : 1701
*Jan 8 20:59:35.183 NZDT: IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x800
*Jan 8 20:59:35.183 NZDT: ISAKMP:(0:18:SW:1): IPSec policy invalidated proposal
sh version
Cisco IOS Software, 2801 Software (C2801-ADVIPSERVICESK9-M), Version 12.4(25c), RELEASE SOFTWARE (fc2)
Full Debug Log below:
*Jan 8 20:59:05.839 NZDT: ISAKMP:(0:18:SW:1): sending packet to 216.131.96.21 my_port 4500 peer_port 4500 (I) QM_IDLE
*Jan 8 20:59:05.843 NZDT: ISAKMP:(0:18:SW:1):purging node 1561655526
*Jan 8 20:59:05.843 NZDT: ISAKMP (0:134217746): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node 1084852379: state = IKE_QM_I_QM1
*Jan 8 20:59:05.843 NZDT: ISAKMP:(0:18:SW:1):Node 1084852379, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jan 8 20:59:05.843 NZDT: ISAKMP:(0:18:SW:1):Old State = IKE_QM_I_QM1 New State = IKE_QM_I_QM1
*Jan 8 20:59:11.191 NZDT: %ENVMON-4-FAN_LOW_RPM: Fan 1 service recommended
*Jan 8 20:59:11.195 NZDT: %ENVMON-4-FAN_LOW_RPM: Fan 2 service recommended
*Jan 8 20:59:25.843 NZDT: ISAKMP: sending nat keepalive packet to 216.131.96.21(4500)
*Jan 8 20:59:35.023 NZDT: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 10.10.1.251, remote= 216.131.96.21,
local_proxy= 10.10.1.251/255.255.255.255/17/0 (type=1),
remote_proxy= 216.131.96.21/255.255.255.255/17/1701 (type=1)
*Jan 8 20:59:35.023 NZDT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.10.1.251, remote= 216.131.96.21,
local_proxy= 10.10.1.251/255.255.255.255/17/0 (type=1),
remote_proxy= 216.131.96.21/255.255.255.255/17/1701 (type=1),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport),
lifedur= 3600s and 4608000kb,
spi= 0x95736ED8(2507370200), conn_id= 0, keysize= 256, flags= 0x400C
*Jan 8 20:59:35.023 NZDT: ISAKMP: received ke message (1/1)
*Jan 8 20:59:35.023 NZDT: ISAKMP: set new node 0 to QM_IDLE
*Jan 8 20:59:35.023 NZDT: SA has outstanding requests (local 10.10.1.251 port 4500, remote 216.131.96.21 port 4500)
*Jan 8 20:59:35.023 NZDT: ISAKMP:(0:18:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE )
*Jan 8 20:59:35.023 NZDT: ISAKMP:(0:18:SW:1):beginning Quick Mode exchange, M-ID of -512527663
*Jan 8 20:59:35.023 NZDT: ISAKMP:(0:18:SW:1): sending packet to 216.131.96.21 my_port 4500 peer_port 4500 (I) QM_IDLE
*Jan 8 20:59:35.027 NZDT: ISAKMP:(0:18:SW:1):Node -512527663, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jan 8 20:59:35.027 NZDT: ISAKMP:(0:18:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jan 8 20:59:35.179 NZDT: ISAKMP (0:134217746): received packet from 216.131.96.21 dport 4500 sport 4500 Global (I) QM_IDLE
*Jan 8 20:59:35.179 NZDT: ISAKMP:(0:18:SW:1): processing HASH payload. message ID = -512527663
*Jan 8 20:59:35.179 NZDT: ISAKMP:(0:18:SW:1): processing SA payload. message ID = -512527663
*Jan 8 20:59:35.179 NZDT: ISAKMP:(0:18:SW:1):Checking IPSec proposal 1
*Jan 8 20:59:35.179 NZDT: ISAKMP: transform 1, ESP_AES
*Jan 8 20:59:35.179 NZDT: ISAKMP: attributes in transform:
*Jan 8 20:59:35.179 NZDT: ISAKMP: encaps is 61444 (Transport-UDP)
*Jan 8 20:59:35.179 NZDT: ISAKMP: key length is 256
*Jan 8 20:59:35.179 NZDT: ISAKMP: authenticator is HMAC-SHA
*Jan 8 20:59:35.179 NZDT: ISAKMP: SA life type in seconds
*Jan 8 20:59:35.179 NZDT: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Jan 8 20:59:35.179 NZDT: ISAKMP: SA life type in kilobytes
*Jan 8 20:59:35.179 NZDT: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jan 8 20:59:35.179 NZDT: ISAKMP:(0:18:SW:1):atts are acceptable.
*Jan 8 20:59:35.183 NZDT: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.10.1.251, remote= 216.131.96.21,
local_proxy= 125.236.208.59/255.255.255.255/17/0 (type=1),
remote_proxy= 216.131.96.21/255.255.255.255/17/1701 (type=1),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x800
*Jan 8 20:59:35.183 NZDT: Crypto mapdb : proxy_match
src addr : 125.236.208.59
dst addr : 216.131.96.21
protocol : 17
src port : 0
dst port : 1701
*Jan 8 20:59:35.183 NZDT: IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x800
*Jan 8 20:59:35.183 NZDT: ISAKMP:(0:18:SW:1): IPSec policy invalidated proposal
*Jan 8 20:59:35.183 NZDT: ISAKMP:(0:18:SW:1): phase 2 SA policy not acceptable! (local 10.10.1.251 remote 216.131.96.21)
*Jan 8 20:59:35.183 NZDT: ISAKMP: set new node -18096953 to QM_IDLE
*Jan 8 20:59:35.183 NZDT: ISAKMP:(0:18:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1687629576, message ID = -18096953
Config
Config Below, I have removed the NAT between Fa0/0 and Virtual-PPP1 to test.
I have also added the L2TP-SA-P2 access list and crypto map - if I don't have it I get an error that there is no crypto map for 10.10.1.251.
!
version 12.4
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname wasabi2k-2801
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret bananas
enable password bananas
!
no aaa new-model
clock timezone NZDT -12
clock summer-time PCTime date Mar 15 2003 3:00 Oct 4 2003 2:00
ip cef
!
!
!
!
no ip bootp server
ip domain name wasabi2k-2801.wasabi2k.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
!
username user privilege 15 password bananas
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
pseudowire-class pwclass1
encapsulation l2tpv2
ip local interface FastEthernet0/0
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key key address 216.131.96.21
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec transform-set STRONGVPN esp-aes 256 esp-sha-hmac
mode transport
!
crypto map L2TP-IPSEC 10 ipsec-isakmp
set peer 216.131.96.21
set transform-set ESP-AES256-SHA1
match address L2TP-SA
crypto map L2TP-IPSEC 20 ipsec-isakmp
set peer 216.131.96.21
set transform-set STRONGVPN
match address L2TP-SA-P2
!
!
!
!
interface FastEthernet0/0
ip address 10.10.1.251 255.255.255.0
speed auto
full-duplex
no mop enabled
crypto map L2TP-IPSEC
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1/0
shutdown
!
interface FastEthernet0/1/1
shutdown
!
interface FastEthernet0/1/2
shutdown
!
interface FastEthernet0/1/3
shutdown
!
interface Serial0/2/0
no ip address
shutdown
clock rate 2000000
!
interface Virtual-PPP1
description StrongVPN
ip address negotiated
ip tcp adjust-mss 1350
no cdp enable
ppp chap hostname username
ppp chap password password
pseudowire 216.131.96.21 1 pw-class pwclass1
!
interface Vlan1
no ip address
shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip route 216.131.96.21 255.255.255.255 10.10.1.253
!
!
no ip http server
no ip http secure-server
!
ip access-list extended L2TP-SA
permit udp host 10.10.1.251 host 216.131.96.21 eq 1701
ip access-list extended L2TP-SA-P2
permit udp host VDSL External IP host 216.131.96.21 eq 1701
ip access-list extended clear-df-bit
permit ip any any
!
logging trap debugging
access-list 1 permit 10.10.0.0 0.0.255.255
access-list 100 deny ip any any
access-list 100 permit ip 10.10.1.0 0.0.0.255 any
!
route-map clear-df-bit permit 10
match ip address clear-df-bit
set ip df 0
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login local
transport input ssh
!
scheduler allocate 20000 1000
sntp logging
sntp server 121.0.0.41
sntp broadcast client
end
01-09-2014 06:32 AM
Well that's interesting!
This is the first time I couldn't identify the relevant part of the RFC from the Cisco debug. I didn't find any "Flag" associated with proposal transforms. But I think that wouldn't be the main issue here.
Besides that, according to the RFCs and according to Cisco's NAT-T implementation you should not need the second crypto map entry, even for transport mode through NAT-T.
Do you see any confirmation of successfully detecting NAT-T during Phase 1 on the 2801? Did you compare Phase 1 debugs between your 857 and 2801?
Anyhow, you should remove the second crypto map entry.
01-09-2014 11:52 AM
Thanks for the reply, I didn't think so - without the second crypto map entry I get the below:
no IPSEC cryptomap exists for local address 10.10.1.251
Despite the fact that the crypto map for 10.10.1.251 -> StrongVPN exists.
Sorry, I don't have the debug logs in front of me, but I think it did show NAT-T - or at least it said something to the effect of "this node is INSIDE NAT".
I am not in front of it now; I will compare the Phase 1 and remove the second crypto map entries and go from there.
01-10-2014 12:26 AM
Evening,
I have removed the second crypto map and compared the Phase 1 between routers. Phase 1 is the same between both:
*Jan 9 20:32:31.055 NZDT: ISAKMP: received ke message (1/1)
*Jan 9 20:32:31.055 NZDT: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Jan 9 20:32:31.055 NZDT: ISAKMP: Created a peer struct for 216.131.96.21, peer port 500
*Jan 9 20:32:31.055 NZDT: ISAKMP: New peer created peer = 0x643207F8 peer_handle = 0x80000006
*Jan 9 20:32:31.055 NZDT: ISAKMP: Locking peer struct 0x643207F8, IKE refcount 1 for isakmp_initiator
*Jan 9 20:32:31.055 NZDT: ISAKMP: local port 500, remote port 500
*Jan 9 20:32:31.059 NZDT: ISAKMP: set new node 0 to QM_IDLE
*Jan 9 20:32:31.059 NZDT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 643F5B34
*Jan 9 20:32:31.059 NZDT: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Jan 9 20:32:31.059 NZDT: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 216.131.96.21
*Jan 9 20:32:31.059 NZDT: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Jan 9 20:32:31.059 NZDT: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Jan 9 20:32:31.059 NZDT: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Jan 9 20:32:31.059 NZDT: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jan 9 20:32:31.059 NZDT: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
*Jan 9 20:32:31.059 NZDT: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Jan 9 20:32:31.059 NZDT: ISAKMP:(0:0:N/A:0): sending packet to 216.131.96.21 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 9 20:32:31.215 NZDT: ISAKMP (0:0): received packet from 216.131.96.21 dport 500 sport 500 Global (I) MM_NO_STATE
*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 228 mismatch
*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch
*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 241 mismatch
*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 134 mismatch
*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 216.131.96.21
*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0): local preshared key found
*Jan 9 20:32:31.215 NZDT: ISAKMP : Scanning profiles for xauth ...
*Jan 9 20:32:31.215 NZDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
*Jan 9 20:32:31.219 NZDT: ISAKMP: encryption 3DES-CBC
*Jan 9 20:32:31.219 NZDT: ISAKMP: hash SHA
*Jan 9 20:32:31.219 NZDT: ISAKMP: default group 2
*Jan 9 20:32:31.219 NZDT: ISAKMP: auth pre-share
*Jan 9 20:32:31.219 NZDT: ISAKMP: life type in seconds
*Jan 9 20:32:31.219 NZDT: ISAKMP: life duration (VPI) of 0x0 0x0 0xE 0x10
*Jan 9 20:32:31.219 NZDT: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): processing vendor id payload
*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): vendor ID seems Unity/DPD but major 228 mismatch
*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): processing vendor id payload
*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): processing vendor id payload
*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): vendor ID is NAT-T v2
*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): processing vendor id payload
*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): vendor ID seems Unity/DPD but major 194 mismatch
*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): processing vendor id payload
*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): vendor ID seems Unity/DPD but major 241 mismatch
*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): processing vendor id payload
*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1): vendor ID seems Unity/DPD but major 134 mismatch
*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 9 20:32:31.271 NZDT: ISAKMP:(0:5:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Jan 9 20:32:31.275 NZDT: ISAKMP:(0:5:SW:1): sending packet to 216.131.96.21 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Jan 9 20:32:31.275 NZDT: ISAKMP:(0:5:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 9 20:32:31.275 NZDT: ISAKMP:(0:5:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Jan 9 20:32:31.435 NZDT: ISAKMP (0:134217733): received packet from 216.131.96.21 dport 500 sport 500 Global (I) MM_SA_SETUP
*Jan 9 20:32:31.435 NZDT: ISAKMP:(0:5:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 9 20:32:31.435 NZDT: ISAKMP:(0:5:SW:1):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Jan 9 20:32:31.439 NZDT: ISAKMP:(0:5:SW:1): processing KE payload. message ID = 0
*Jan 9 20:32:31.503 NZDT: ISAKMP:(0:5:SW:1): processing NONCE payload. message ID = 0
*Jan 9 20:32:31.503 NZDT: ISAKMP:(0:5:SW:1):found peer pre-shared key matching 216.131.96.21
*Jan 9 20:32:31.503 NZDT: ISAKMP:(0:5:SW:1):SKEYID state generated
*Jan 9 20:32:31.503 NZDT: ISAKMP:received payload type 20
*Jan 9 20:32:31.503 NZDT: ISAKMP (0:134217733): NAT found, the node inside NAT
*Jan 9 20:32:31.503 NZDT: ISAKMP:received payload type 20
*Jan 9 20:32:31.503 NZDT: ISAKMP:(0:5:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 9 20:32:31.503 NZDT: ISAKMP:(0:5:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Jan 9 20:32:31.507 NZDT: ISAKMP:(0:5:SW:1):Send initial contact
*Jan 9 20:32:31.507 NZDT: ISAKMP:(0:5:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jan 9 20:32:31.507 NZDT: ISAKMP (0:134217733): ID payload
next-payload : 8
type : 1
address : 10.10.1.251
protocol : 17
port : 0
length : 12
*Jan 9 20:32:31.507 NZDT: ISAKMP:(0:5:SW:1):Total payload length: 12
*Jan 9 20:32:31.507 NZDT: ISAKMP:(0:5:SW:1): sending packet to 216.131.96.21 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Jan 9 20:32:31.507 NZDT: ISAKMP:(0:5:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 9 20:32:31.507 NZDT: ISAKMP:(0:5:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Jan 9 20:32:31.663 NZDT: ISAKMP (0:134217733): received packet from 216.131.96.21 dport 4500 sport 4500 Global (I) MM_KEY_EXCH
*Jan 9 20:32:31.663 NZDT: ISAKMP:(0:5:SW:1): processing ID payload. message ID = 0
*Jan 9 20:32:31.663 NZDT: ISAKMP (0:134217733): ID payload
next-payload : 8
type : 1
address : 216.131.96.21
protocol : 0
port : 0
length : 12
*Jan 9 20:32:31.663 NZDT: ISAKMP:(0:5:SW:1):: peer matches *none* of the profiles
*Jan 9 20:32:31.663 NZDT: ISAKMP:(0:5:SW:1): processing HASH payload. message ID = 0
*Jan 9 20:32:31.663 NZDT: ISAKMP:(0:5:SW:1):SA authentication status:
authenticated
*Jan 9 20:32:31.663 NZDT: ISAKMP:(0:5:SW:1):SA has been authenticated with 216.131.96.21
*Jan 9 20:32:31.663 NZDT: ISAKMP:(0:5:SW:1):Setting UDP ENC peer struct 0x64C2FFA0 sa= 0x643F5B34
*Jan 9 20:32:31.663 NZDT: ISAKMP: Trying to insert a peer 10.10.1.251/216.131.96.21/4500/, and inserted successfully 643207F8.
*Jan 9 20:32:31.663 NZDT: ISAKMP:(0:5:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 9 20:32:31.667 NZDT: ISAKMP:(0:5:SW:1):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Jan 9 20:32:31.667 NZDT: ISAKMP:(0:5:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 9 20:32:31.667 NZDT: ISAKMP:(0:5:SW:1):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Jan 9 20:32:31.667 NZDT: ISAKMP:(0:5:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 9 20:32:31.667 NZDT: ISAKMP:(0:5:SW:1):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Jan 9 20:32:31.667 NZDT: ISAKMP:(0:5:SW:1):beginning Quick Mode exchange, M-ID of -1192846914
*Jan 9 20:32:31.671 NZDT: ISAKMP:(0:5:SW:1): sending packet to 216.131.96.21 my_port 4500 peer_port 4500 (I) QM_IDLE
*Jan 9 20:32:31.671 NZDT: ISAKMP:(0:5:SW:1):Node -1192846914, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jan 9 20:32:31.671 NZDT: ISAKMP:(0:5:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jan 9 20:32:31.671 NZDT: ISAKMP:(0:5:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jan 9 20:32:31.671 NZDT: ISAKMP:(0:5:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
However Phase 2 doesn't complete - now complains about missing crypto map:
*Jan 9 20:32:31.827 NZDT: ISAKMP (0:134217733): received packet from 216.131.96.21 dport 4500 sport 4500 Global (I) QM_IDLE
*Jan 9 20:32:31.827 NZDT: ISAKMP:(0:5:SW:1): processing HASH payload. message ID = -1192846914
*Jan 9 20:32:31.827 NZDT: ISAKMP:(0:5:SW:1): processing SA payload. message ID = -1192846914
*Jan 9 20:32:31.827 NZDT: ISAKMP:(0:5:SW:1):Checking IPSec proposal 1
*Jan 9 20:32:31.827 NZDT: ISAKMP: transform 1, ESP_AES
*Jan 9 20:32:31.827 NZDT: ISAKMP: attributes in transform:
*Jan 9 20:32:31.827 NZDT: ISAKMP: encaps is 61444 (Transport-UDP)
*Jan 9 20:32:31.827 NZDT: ISAKMP: key length is 256
*Jan 9 20:32:31.827 NZDT: ISAKMP: authenticator is HMAC-SHA
*Jan 9 20:32:31.827 NZDT: ISAKMP: SA life type in seconds
*Jan 9 20:32:31.831 NZDT: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Jan 9 20:32:31.831 NZDT: ISAKMP: SA life type in kilobytes
*Jan 9 20:32:31.831 NZDT: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jan 9 20:32:31.831 NZDT: ISAKMP:(0:5:SW:1):atts are acceptable.
*Jan 9 20:32:31.831 NZDT: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.10.1.251, remote= 216.131.96.21,
local_proxy= external IP/255.255.255.255/17/0 (type=1),
remote_proxy= 216.131.96.21/255.255.255.255/17/1701 (type=1),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x800
*Jan 9 20:32:31.831 NZDT: Crypto mapdb : proxy_match
src addr : external IP
dst addr : 216.131.96.21
protocol : 17
src port : 0
dst port : 1701
*Jan 9 20:32:31.831 NZDT: Crypto mapdb : proxy_match
src addr : external IP
dst addr : 216.131.96.21
protocol : 17
src port : 0
dst port : 1701
*Jan 9 20:32:31.831 NZDT: map_db_find_best did not find matching map
*Jan 9 20:32:31.831 NZDT: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 10.10.1.251
*Jan 9 20:32:31.831 NZDT: ISAKMP:(0:5:SW:1): IPSec policy invalidated proposal
*Jan 9 20:32:31.831 NZDT: ISAKMP:(0:5:SW:1): phase 2 SA policy not acceptable! (local 10.10.1.251 remote 216.131.96.21)
*Jan 9 20:32:31.831 NZDT: ISAKMP: set new node -1015423321 to QM_IDLE
*Jan 9 20:32:31.831 NZDT: ISAKMP:(0:5:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1687174920, message ID = -1015423321
*Jan 9 20:32:31.831 NZDT: ISAKMP:(0:5:SW:1): sending packet to 216.131.96.21 my_port 4500 peer_port 4500 (I) QM_IDLE
*Jan 9 20:32:31.831 NZDT: ISAKMP:(0:5:SW:1):purging node -1015423321
*Jan 9 20:32:31.835 NZDT: ISAKMP (0:134217733): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node -1192846914: state = IKE_QM_I_QM1
*Jan 9 20:32:31.835 NZDT: ISAKMP:(0:5:SW:1):Node -1192846914, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jan 9 20:32:31.835 NZDT: ISAKMP:(0:5:SW:1):Old State = IKE_QM_I_QM1 New State = IKE_QM_I_QM1
01-11-2014 04:47 AM
There are a couple of error messages in the debug of the 2801 which point to a deeper problem: "Unknown input..." and "Invalid transform proposal flags..:". If the 857 understands the IKE messages, why would a 2801 throw error messages?
Can you compare the versions? Maybe the 2801 is running an outdated IOS.
01-12-2014 04:52 PM
I will try the latest 15.x image this evening and see if it makes any difference.
01-14-2014 05:55 AM
Here is what I don't like seeing in the debugs though:
*Jan 9 20:32:31.831 NZDT: ISAKMP:(0:5:SW:1): phase 2 SA policy not acceptable! (local 10.10.1.251 remote 216.131.96.21)
Shouldn't it use your external IP?
Are your ACLs correct? Is 1701 the port you need? I thought ISAKMP should run through port 500?
I also see your virtual interface does not have a crypto map. Shouldn't the crypto map be on that vs the interface of the ethernet adapter?
Right now it is trying to use your 10.10.1.251 address to negotiate. Does your VDSL present an external IP address to your router?
01-14-2014 01:30 PM
Yes, it should - however as far as I understand NAT-T should resolve this - which doesn't appear to be happening.
The 2801 is single interface - FastEthernet0/0 is the interface to the local LAN and the path to the internet through a NATting router out.
The crypto map is on this interface - which is correct as far as I understand. The Virtual Interface is only used for routing once the IPSEC sa is established and L2TP tunnel is authenticated - long after the crypto map is needed.
I am attempting to do L2TP over IPSEC - hence port 1701 in the ACL.
ISAKMP is through port 500, but it isn't encrypted through IPSEC as ISAKMP is used to negotiate the IPSEC connection. UDP4500 is also used in establishing the connection.
As I have stated the exact config works on an 857, NAT-T takes care of the internal/external IP and negotiates the SA. The 2801 doesn't.
I can manually add another entry to the crypto map for the External IP, but this then results in invalid transform flags (0x800).
I have setup the router to do PPTP using VPDN and service internal - works fine, but I would love to understand why on earth this doesn't work.
01-14-2014 03:28 PM
What about your transform set? I can't remember what phase that is initiated at.
Just throwing ideas out.
01-14-2014 05:08 PM
Transform set is configured the same as the 857, I don't have it in front of me currently.
Appreciate the assistance.
01-15-2014 06:00 AM
Try removing the crypto transform set off of the P1 map.
Looking at the debugs closer:
800 router
The 857 shows this in the Debug Log (success)
000424: *Oct 26 07:40:15.142 NZDT: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.10.1.252, remote= 216.131.96.21,
local_proxy= 125.236.208.59/255.255.255.255/17/1701 (type=1),
remote_proxy= 216.131.96.21/255.255.255.255/17/1701 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
And the 2801:
The 2801 Shows This (FAILURE)
*Jan 8 20:59:35.183 NZDT: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.10.1.251, remote= 216.131.96.21,
local_proxy= 125.236.208.59/255.255.255.255/17/0 (type=1),
remote_proxy= 216.131.96.21/255.255.255.255/17/1701 (type=1),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport-UDP),
lifedur= 0s and 0kb,
For whatever reason phase 1 is not using the transform set.
Which makes sense, because you're not using crypto over ISAKMP as you stated.
01-15-2014 11:29 AM
So this is the ACL applied to the Crypto Map
ip access-list extended L2TP-SA
permit udp host 10.10.1.251 host 216.131.96.21 eq 1701
As I understand it 1701 is used by L2TP - but that should be passed over IPSEC.
So in my case I need the crypto map to attempt to encrypt the L2TP - otherwise it will never initiate IPSEC?
So what I am thinking based on your comment is REMOVE the transform set entry from The first entry in the crypto map, then have it included in the second part and see if that works? So:
crypto map L2TP-IPSEC 10 ipsec-isakmp
set peer 216.131.96.21
match address L2TP-SA
crypto map L2TP-IPSEC 20 ipsec-isakmp
set peer 216.131.96.21
set transform-set STRONGVPN
match address L2TP-SA
Looking at those logs the source port is different too, 1701 on the 857 and 0 on the 2801; not sure if that makes a difference.
local_proxy= 125.236.208.59/255.255.255.255/17/1701 (type=1),
remote_proxy= 216.131.96.21/255.255.255.255/17/1701 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
local_proxy= 125.236.208.59/255.255.255.255/17/0 (type=1),
remote_proxy= 216.131.96.21/255.255.255.255/17/1701 (type=1),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport-UDP),
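The side-by-side comparison above (and the one in the opening post) can be done mechanically. The following is an added example, not code from the thread or from Cisco: it parses the two quoted IPSEC(validate_proposal_request) messages and reports the fields that differ (proxy identities, transform, flag bits), which is the first thing to check when one router accepts a Phase 2 proposal and another rejects it. The field names and regular expressions are assumptions based only on the debug lines quoted in this thread.

```python
import re
from dataclasses import dataclass

# Sample input: the two IPSEC(validate_proposal_request) messages quoted in this
# thread (857 = success, 2801 = failure), copied in here as test data.
DEBUG_857 = """\
000424: *Oct 26 07:40:15.142 NZDT: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.10.1.252, remote= 216.131.96.21,
local_proxy= 125.236.208.59/255.255.255.255/17/1701 (type=1),
remote_proxy= 216.131.96.21/255.255.255.255/17/1701 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
"""

DEBUG_2801 = """\
*Jan 8 20:59:35.183 NZDT: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.10.1.251, remote= 216.131.96.21,
local_proxy= 125.236.208.59/255.255.255.255/17/0 (type=1),
remote_proxy= 216.131.96.21/255.255.255.255/17/1701 (type=1),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x800
"""

# Proxy identity as printed by IOS: ADDR/MASK/PROTO/PORT (type=N)
PROXY_RE = re.compile(
    r"(local_proxy|remote_proxy)=\s*([\d.]+)/([\d.]+)/(\d+)/(\d+)\s*\(type=(\d+)\)"
)
# Plain "key= value" pairs; the value runs to the next comma or end of line.
# "\b...=" does not match "local_proxy=" because "_" follows "local".
KV_RE = re.compile(r"\b(local|remote|transform|flags)=\s*([^,\n]+)")


@dataclass(frozen=True)
class ProxyId:
    addr: str
    mask: str
    proto: int
    port: int

    def __str__(self) -> str:
        return f"{self.addr}/{self.mask} proto {self.proto} port {self.port}"


def parse_proposal(text: str) -> dict:
    """Extract the fields of one validate_proposal_request message."""
    fields = {key: value.strip() for key, value in KV_RE.findall(text)}
    for key, addr, mask, proto, port, _type in PROXY_RE.findall(text):
        fields[key] = ProxyId(addr, mask, int(proto), int(port))
    fields["flags"] = int(fields.get("flags", "0x0"), 16)
    return fields


def diff_proposals(good: dict, bad: dict) -> list:
    """Return (field, good_value, bad_value) for each field that differs.
    'local'/'remote' are the routers' own addresses and are expected to differ
    between two boxes, so they are deliberately not reported."""
    out = []
    for key in ("local_proxy", "remote_proxy", "transform"):
        if good.get(key) != bad.get(key):
            out.append((key, str(good.get(key)), str(bad.get(key))))
    if good["flags"] != bad["flags"]:
        # bits set on the failing side but not on the working side
        extra = bad["flags"] & ~good["flags"]
        out.append(("flags", hex(good["flags"]),
                    f"{hex(bad['flags'])} (extra bits {hex(extra)})"))
    return out


if __name__ == "__main__":
    for field, g, b in diff_proposals(parse_proposal(DEBUG_857),
                                      parse_proposal(DEBUG_2801)):
        print(f"{field}: 857={g} | 2801={b}")
```

Run against the two messages it reports the local_proxy port (1701 vs 0), the transform (NONE vs esp-aes 256 esp-sha-hmac) and the extra flag bit 0x800, which are exactly the three differences the thread is circling around.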
01-15-2014 11:33 PM
Crypto Maps REQUIRE a transform set to work.
I modified my access list to be:
host eq 1701 to host eq 1701, which resulted in the ports being the same as the 857, but I still have the same issue.
Doing my head in.
On the plus side I got the router to initiate L2TP using vpdn and Dialer interfaces, but my IPSEC/ISAKMP is still broken.
As I understand it my Phase 1 is fine - it is Phase 2 that is failing.