Stuck in phase 1 negotiation while setting up a DVTI VPN between two IOS routers

Andriy Sidko
Level 1

Hi guys.

 

I have created following testing schema like:

 

gate(fa 0/0) <> emulated INTERNET <> (fa 0/0) inet provider (fa 0/1) <> (fa 0/0) gate-spoke

where:

gate fa 0/0 public IP y.y.188.59

inet-provider fa 0/0 public IP x.x.151.130

inet-provider fa 0/1 private IP 192.168.1.1/24

gate-spoke fa 0/0 private IP 192.168.1.2/24

I'm configuring the DVTI VPN from gate-spoke (spoke) towards gate (hub)

 

configurations:

 

++++++++++++++++++

gate (HUB)

++++++++++++++++++

hostname gate

ip domain name st.org

aaa new-model
aaa authorization network SPOKE-VPN-GROUP none

crypto isakmp policy 10
encr aes
authentication pre-share
group 2

crypto keyring SPOKE-VPN-KEYS
pre-shared-key address x.x.151.130 key 675Dx7ytzx70N2a-Nx3XU=QjP2biY+vja_aF7

crypto isakmp profile SPOKE-IKE-PROFILE
keyring SPOKE-VPN-KEYS
match identity user-fqdn gate-spoke.st.org
match identity address x.x.151.130 255.255.255.255
isakmp authorization list SPOKE-VPN-GROUP
virtual-template 2

crypto ipsec transform-set SPOKE-TS esp-aes esp-sha-hmac
mode tunnel

crypto ipsec profile SPOKE-VPN-PROFILE
set transform-set SPOKE-TS
set isakmp-profile SPOKE-IKE-PROFILE

interface Virtual-Template2 type tunnel
ip unnumbered fa 0/0
ip ospf 17 area 2
tunnel source fa 0/0
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile SPOKE-VPN-PROFILE

interface fa 0/0
description -= outside interface =-
ip address y.y.188.59 255.255.255.255
crypto map vpn-cryptomap

router ospf 17
router-id 192.168.172.1
log-adjacency-changes detail
area 2 stub
passive-interface default
no passive-interface Virtual-Template2
network 192.168.172.0 0.0.0.15 area 0
network 192.168.172.16 0.0.0.15 area 0
network 192.168.172.32 0.0.0.7 area 0
network 192.168.172.252 0.0.0.3 area 0
distance ospf external 115

 

ip access-list extended DI_IN
permit udp host 192.206.151.130 any eq isakmp
permit udp host 192.206.151.130 any eq non500-isakmp


++++++++++++++++++

gate-SPOKE (spoke)

++++++++++++++++++

hostname gate-cottage

ip domain name st.org

crypto keyring SPOKE-VPN-DVTI-KEYRING
pre-shared-key address y.y.188.59 key 675Dx7ytzx70N2a-Nx3XU=QjP2biY+vja_aF7

crypto isakmp policy 10
encr aes
authentication pre-share
group 2

crypto isakmp profile SPOKE-VPN-DVTI-ISAKMP-PROF
keyring SPOKE-VPN-DVTI-KEYRING
self-identity fqdn
match identity address y.y.188.59 255.255.255.255

crypto ipsec transform-set SPOKE-TS esp-aes esp-sha-hmac

crypto ipsec profile SPOKE-VPN-PROFILE
set transform-set SPOKE-TS
set isakmp-profile SPOKE-VPN-DVTI-ISAKMP-PROF


interface Tunnel0
description -= DVTI VPN to HUB =-
ip unnumbered Vlan10
ip tcp adjust-mss 1370
ip ospf 18 area 2
tunnel source FastEthernet0
tunnel destination y.y.188.59
tunnel mode ipsec ipv4
tunnel protection ipsec profile SPOKE-VPN-PROFILE

router ospf 28
router-id 192.168.174.1
area 2 stub
passive-interface default
no passive-interface Tunnel0
network 192.168.174.0 0.0.0.15 area 2
network 192.168.174.32 0.0.0.7 area 2

 

I'm initiating traffic:

 

gate-cottage(config)#do ping 192.168.172.1 so 192.168.174.1 re 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 192.168.172.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.174.1
..
Success rate is 0 percent (0/2)
gate-cottage(config)#

 

debug cry isa + debug cry ips + deb crypto isa aaa from spoke side:

============

ISAKMP:(0): SA request profile is SPOKE-VPN-DVTI-ISAKMP-PROF
ISAKMP: Created a peer struct for y.y.188.59, peer port 500
ISAKMP: New peer created peer = 0x832AEA68 peer_handle = 0x80000009
ISAKMP: Locking peer struct 0x832AEA68, refcount 1 for isakmp_initiator
ISAKMP: local port 500, remote port 500
ISAKMP: set new node 0 to QM_IDLE
ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 832AF02000007
ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
ISAKMP:(0):Found ADDRESS key in keyring SPOKE-VPN-DVTI-KEYRING
ISAKMP:(0): constructed NAT-T vendor-07 ID
ISAKMP:(0): constructed NAT-T vendor-03 ID
ISAKMP:(0): constructed NAT-T vendor-02 ID
ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
ISAKMP:(0): beginning Main Mode exchange
ISAKMP:(0): sending packet to y.y.188.59 my_port 500 peer_port 500 (I) MM_NO_STATE
ISAKMP:(0):purging SA., sa=8470D720, delme=8470D720
ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
ISAKMP:(0): sending packet to y.y.188.59 my_port 500 peer_port 500 (I) MM_NO_STATE
ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
ISAKMP:(0): sending packet to y.y.188.59 my_port 500 peer_port 500 (I) MM_NO_STATE

============

 

debug cry isa + debug cry ips + deb crypto isa aaa from hub side:

============

ISAKMP:(0):found peer pre-shared key matching x.x.151.130
ISAKMP:(0): sending packet to x.x.151.130 my_port 500 peer_port 445 (R) MM_SA_SETUP
ISAKMP (0): received packet from x.x.151.130 dport 500 sport 445 Global (R) MM_SA_SETUP
ISAKMP:(0): sending packet to x.x.151.130 my_port 500 peer_port 445 (R) MM_SA_SETUP
ISAKMP (0): received packet from x.x.151.130 dport 500 sport 445 Global (R) MM_SA_SETUP
ISAKMP:(0): sending packet to x.x.151.130 my_port 500 peer_port 445 (R) MM_SA_SETUP
ISAKMP (0): received packet from x.x.151.130 dport 500 sport 445 Global (R) MM_SA_SETUP
ISAKMP:(0): sending packet to x.x.151.130 my_port 500 peer_port 445 (R) MM_SA_SETUP
ISAKMP (0): received packet from x.x.151.130 dport 500 sport 445 Global (R) MM_SA_SETUP
ISAKMP:(0): sending packet to x.x.151.130 my_port 500 peer_port 445 (R) MM_SA_SETUP
ISAKMP (0): received packet from x.x.151.130 dport 500 sport 445 Global (R) MM_SA_SETUP
ISAKMP:(0): sending packet to x.x.151.130 my_port 500 peer_port 445 (R) MM_SA_SETUP
ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer x.x.151.130)
ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer x.x.151.130)
%CRYPTO-5-IKMP_SETUP_FAILURE: IKE SETUP FAILED for local:x.x.151.130 local_id:x.x.151.130 remote:y.y.188.59 remote_id:y.y.188.59 IKE profile:None fvrf:None fail_reason:Peer lost fail_class_cnt:1

============

 

Could you help me, guys?

 

Thank you. 

 

11 Replies

Andriy Sidko
Level 1

One typo in the initial post:

Please consider the code below as the right one.

++++++++++++++++++

gate-SPOKE (spoke)

++++++++++++++++++

hostname gate-spoke

 

 

Thank you.

Hi,
Is there any NATing going on? If not, you will need to allow "esp" in your ACL.
You do not need "tunnel destination dynamic" on your virtual template.

Is there another firewall in place between the hub and the spokes?
The debug is from the spoke? Do you see anything in the debug on the hub?

I disabled the dynamic destination on the virtual-template interface. It looks like this now:

+++++++

interface Virtual-Template2 type tunnel
ip unnumbered fa 0/0
ip ospf 17 area 2
tunnel source fa 0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SPOKE-VPN-PROFILE
end

+++++++

- Unfortunately, disabling "destination dynamic" under the virtual-template interface didn't help.

- There is NAT on the spoke router:

gate-spoke#sh runn | i nat
crypto ipsec nat-transparency spi-matching

int fa 0/0

ip nat outside

int fa 0/1

ip nat inside
ip nat inside source route-map NONAT interface FastEthernet0/0 overload
route-map NONAT permit 10
match ip address ACL4PAT

gate-spoke#

gate-spoke#sh runn | s ACL4PAT
ip access-list extended ACL4PAT
deny ip 192.168.174.32 0.0.0.7 192.168.172.0 0.0.0.15
deny ip 192.168.174.32 0.0.0.7 192.168.172.16 0.0.0.15
deny ip 192.168.174.0 0.0.0.15 192.168.172.0 0.0.0.15
deny ip 192.168.174.0 0.0.0.15 192.168.172.16 0.0.0.15
deny ip host 192.168.172.254 host 192.168.172.253
permit ip 192.168.174.0 0.0.0.15 any
permit ip 192.168.174.32 0.0.0.7 any
deny ip any any
gate-spoke#

 

- Nothing is filtering packets between them.

 

 - crypto isakmp & ipsec debug from HUB router:
==================

ISAKMP: Created a peer struct for y.y.151.130, peer port 445
ISAKMP: New peer created peer = 0x23F93D68 peer_handle = 0x80001A
ISAKMP: Locking peer struct 0x23F93D68, refcount 1 for crypto_isa_process_block
ISAKMP: local port 500, remote port 445
ISAKMP: Find a dup sa in the avl tree during calling isadb_insert = 240E2A2C
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0):found peer pre-shared key matching y.y.151.130
ISAKMP:(0): local preshared key found
ISAKMP : Scanning profiles for xauth ... SPOKE-IKE-PROFILE
ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0):Proposed key length does not match policy
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 2 against priority 5 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 0
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0):atts are acceptable. Next payload is 3
ISAKMP:(0):Acceptable atts:actual life: 86400
ISAKMP:(0):Acceptable atts:life: 0
ISAKMP:(0):Fill atts in sa vpi_length:4
ISAKMP:(0):Fill atts in sa life_in_seconds:86400
ISAKMP:(0):Returning Actual lifetime: 86400
ISAKMP:(0)::Started lifetime timer: 86400.
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
ISAKMP:(0): sending packet to y.y.151.130 my_port 500 peer_po
ISAKMP:(2408):purging node 679405431
ISAKMP:(2408):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
ISAKMP:(2408):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMLITE
ISAKMP (2408): received packet from y.y.151.177 dport 500 sport 500 Global (R) QM_IDLE
ISAKMP: set new node -313538349 to QM_IDLE
ISAKMP:(2408): processing HASH payload. message ID = 3981428947
ISAKMP:(2408): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
ISAKMP:(2408):deleting node -313538349 error FALSE reason "Informonal (in) state 1"
ISAKMP:(2408):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
ISAKMP:(2408):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMTE
ISAKMP:(0):purging SA., sa=240E39C0, delme=240E39C0
ISAKMP (0): received packet from y.y.151.130 dport 500 sport Global (R) MM_SA_SETUP
ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
ISAKMP:(0): retransmitting due to retransmit phase 1
ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retsmit phase 1
ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
ISAKMP:(0): sending packet to y.y.151.130 my_port 500 peer_po 445 (R) MM_SA_SETUP
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP (0): received packet from y.y.151.130 dport 500 sport Global (R) MM_SA_SETUP
ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
ISAKMP:(0): retransmitting due to retransmit phase 1
ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retsmit phase 1
ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
ISAKMP:(0): sending packet to y.y.151.130 my_port 500 peer_po445 (R) MM_SA_SETUP
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP (0): received packet from y.y.151.130 dport 500 sport Global (R) MM_SA_SETUP
ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
ISAKMP:(0): retransmitting due to retransmit phase 1
ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retsmit phase 1
ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
ISAKMP:(0): sending packet to y.y.151.130 my_port 500 peer_po445 (R) MM_SA_SETUP
ISAKMP:(0):Sending an IKE IPv4 Packet.

=====================

I was referring to NAT between the routers (as in a firewall NATing a public IP to a private IP). If there is, then you only need to permit udp 500/4500, but if not you need to permit esp.

Can you permit esp in the ACL DI_IN?

The gate outside interface ACL DI_IN already permits esp, but there are no hit counts:

+++++++

gate(config-ext-nacl)#do sh ip access-l DI_IN | i 151.130
252 permit esp host 192.206.151.130 any
254 permit udp host 192.206.151.130 any eq isakmp (3580 matches)
256 permit udp host 192.206.151.130 any eq non500-isakmp (3864 matches)
gate(config-ext-nacl)#do sh ip access-l DI_IN | i 151.130
252 permit esp host 192.206.151.130 any
254 permit udp host 192.206.151.130 any eq isakmp (3586 matches)
256 permit udp host 192.206.151.130 any eq non500-isakmp (3864 matches)
gate(config-ext-nacl)#

+++++++

Another thing bugs me. Given that gate-spoke is behind NAT and NAT traversal is on, why is gate-spoke still using 500/udp instead of 4500/udp, with NAT transparency enabled to encapsulate all ESP packets in UDP? The HUB (gate) router's non500-isakmp ACE hit counts are not growing.
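
On the question above about why the spoke stays on UDP 500 even with NAT-T enabled: the following Python is an added example (not code from the thread or from Cisco) that models the NAT-D detection of RFC 3947, which is what decides the float to 4500. It assumes SHA-1 as the phase 1 hash (matching "hash SHA" in the debugs above), uses 203.0.113.130 and 198.51.100.59 as stand-ins for the redacted x.x.151.130 and y.y.188.59, and uses constructed ISAKMP cookie values.

```python
"""Model of IKEv1 NAT traversal detection (RFC 3947) for the topology on this page.

Added example, not from the original post. The public addresses x.x.151.130 and
y.y.188.59 are redacted on the page, so 203.0.113.130 and 198.51.100.59 (RFC 5737
documentation ranges) stand in for them; the cookies are constructed test values.
"""
import hashlib
import ipaddress
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int = 500  # ISAKMP starts on UDP 500 and floats to 4500 only after NAT is detected


def nat_d_hash(cky_i: bytes, cky_r: bytes, ep: Endpoint) -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), using the negotiated
    phase 1 hash (SHA-1 here, matching 'hash SHA' in the debug on this page)."""
    data = cky_i + cky_r + ipaddress.IPv4Address(ep.ip).packed + struct.pack("!H", ep.port)
    return hashlib.sha1(data).digest()


def build_nat_d(cky_i: bytes, cky_r: bytes, local: Endpoint, remote: Endpoint) -> list[bytes]:
    """A peer sends the hash of the address it is talking TO first, then of its own address."""
    return [nat_d_hash(cky_i, cky_r, remote), nat_d_hash(cky_i, cky_r, local)]


def detect_nat(cky_i: bytes, cky_r: bytes, received: list[bytes],
               seen_local: Endpoint, seen_remote: Endpoint) -> dict:
    """Receiver side: re-hash what the IP/UDP header actually shows and compare.
    The first received hash describes us (mismatch => WE are behind NAT); the rest
    describe the peer (no match at all => the PEER is behind NAT)."""
    we_are_natted = received[0] != nat_d_hash(cky_i, cky_r, seen_local)
    peer_is_natted = all(h != nat_d_hash(cky_i, cky_r, seen_remote) for h in received[1:])
    return {
        "local_behind_nat": we_are_natted,
        "remote_behind_nat": peer_is_natted,
        "float_to_4500": we_are_natted or peer_is_natted,
    }


def main_mode_ports(nat_detected: bool) -> list[tuple[str, int]]:
    """UDP port each main mode message travels on. NAT-D payloads ride in MM3/MM4,
    so the first four messages are always on 500; the float to 4500 starts at MM5.
    An initiator that never gets past MM1 therefore never produces 4500 traffic."""
    return [(f"MM{i}", 4500 if (nat_detected and i >= 5) else 500) for i in range(1, 7)]


def hub_view_of_spoke() -> dict:
    """The page's topology: spoke 192.168.1.2 behind the inet-provider NAT, which
    the hub observes as 203.0.113.130 with the source port rewritten from 500 to 445."""
    cky_i = bytes.fromhex("0102030405060708")  # constructed initiator cookie
    cky_r = bytes.fromhex("a1a2a3a4a5a6a7a8")  # constructed responder cookie
    hub = Endpoint("198.51.100.59", 500)
    spoke_private = Endpoint("192.168.1.2", 500)    # what the spoke hashes (its own view)
    spoke_as_seen = Endpoint("203.0.113.130", 445)  # what the hub sees in the UDP header
    from_spoke = build_nat_d(cky_i, cky_r, local=spoke_private, remote=hub)
    return detect_nat(cky_i, cky_r, from_spoke, seen_local=hub, seen_remote=spoke_as_seen)


if __name__ == "__main__":
    result = hub_view_of_spoke()
    print(result)
    for msg, port in main_mode_ports(result["float_to_4500"]):
        print(msg, "UDP", port)
```

The point to take from it: each peer hashes its own view of the addresses, the receiver re-hashes what it actually saw in the IP/UDP header, and only a mismatch found while processing MM3/MM4 triggers the move to 4500 from MM5 onward. A spoke that is still retransmitting MM1 has nothing to compare yet, so UDP 500 is all you will see on the wire and the non500-isakmp ACE cannot increment, whatever `crypto ipsec nat-transparency` is set to.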

Change the transform set on both ends to use transport mode.

crypto ipsec transform-set SPOKE-TS esp-aes esp-sha-hmac
mode transport

On the spoke, shut down the tunnel interface, clear crypto session on both routers and then no shut the interface on the spoke.

Once the tunnel is up and functioning you should hopefully see the udp4500 ace hit counters increasing.

Thank you for your notice. Unfortunately it did not help.

I implemented all the changes you suggested but phase 1 is still unsuccessful. Below are the logs from the HUB:

================

ISAKMP: local port 500, remote port 445
ISAKMP:(0):insert sa successfully sa = 202CB2DC
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0):found peer pre-shared key matching x.x.151.130
ISAKMP:(0): local preshared key found
ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 21600
ISAKMP:(0):Proposed key length does not match policy
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 2 against priority 5 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 0
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 21600
ISAKMP:(0):atts are acceptable. Next payload is 3
ISAKMP:(0):Acceptable atts:actual life: 21600
ISAKMP:(0):Acceptable atts:life: 0
ISAKMP:(0):Basic life_in_seconds:21600
ISAKMP:(0):Returning Actual lifetime: 21600
ISAKMP:(0)::Started lifetime timer: 21600.
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
ISAKMP:(0): sending packet to x.x.151.130 my_port 500 peer_port 445 (R) MM_SA_SETUP
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
ISAKMP (0): received packet from x.x.151.130 dport 500 sport 445 Global (R) MM_SA_SETUP
ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
ISAKMP:(0): retransmitting due to retransmit phase 1
ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
ISAKMP:(0): retransmitting due to retransmit phase 1
ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
ISAKMP:(0): sending packet to x.x.151.130 my_port 500 peer_port 445 (R) MM_SA_SETUP
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP (0): received packet from x.x.151.130 dport 500 sport 445 Global (R) MM_SA_SETUP
ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
ISAKMP:(0): retransmitting due to retransmit phase 1
ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

-= 2,3,4 of 5 retransmission sessions omitted =-

ISAKMP:(0):peer does not do paranoid keepalives.
ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer x.x.151.130)
ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer x.x.151.130)
ISAKMP:(0):Deleting the unauthenticated sa
ISAKMP:(0):Unlocking peer struct 0x24217E0C for isadb_mark_sa_deleted(), count 0
ISAKMP:(0):Deleting the peer struct for unauthenticated sa
%CRYPTO-5-IKMP_SETUP_FAILURE: IKE SETUP FAILED for local:x.x.151.130 local_id:x.x.151.130 remote:198.48.188.59 remote_id:198.48.188.59 IKE profile:None fvrf:None fail_reason:Peer lost fail_class_cnt:1
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_DEST_SA

================

 

also still 500/udp from hub side:

 

================

gate#sh cry sess 


Interface: (unknown)
Session status: DOWN-NEGOTIATING
Peer: x.x.151.130 port 445
Session ID: 0
IKEv1 SA: local y.y.188.59/500 remote x.x.151.130/445 Inactive

gate#

 

Do you know of additional debugs that can shed some light on this issue?

Try modifying the ISAKMP profile to specify exactly the self identity being sent from both routers and the match identity value of what each router is expecting to receive. Example below:

 

\\ gate

crypto isakmp profile SPOKE-IKE-PROFILE
 self-identity fqdn GATE.st.org
 match identity user-fqdn GATE-COTTAGE.st.org
 
\\ gate-cottage
crypto isakmp profile SPOKE-IKE-PROFILE
 self-identity fqdn GATE-COTTAGE.st.org
 match identity user-fqdn GATE.st.org

 

I've labbed this (although not an exact replica of your scenario) and I can establish a tunnel correctly.

Thank you very much RJI.

 

Unfortunately it didn't help.

 

I implemented all your parameters but phase 1 still fails:

debu cry ike from spoke:

+++++++++++

ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
ISAKMP:(0):peer does not do paranoid keepalives.
ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer y.y.188.59)
ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer y.y.188.59)
ISAKMP: Unlocking peer struct 0x83EAD278 for isadb_mark_sa_deleted(), count 0
ISAKMP: Deleting peer node by peer_reap for y.y.188.59: 83EAD278
ISAKMP:(0):deleting node 832723402 error FALSE reason "IKE deleted"
ISAKMP:(0):deleting node -334978417 error FALSE reason "IKE deleted"
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
IPSEC(key_engine): got a queue event with 1 KMI message(s)

I've had a look at your previous error logs.

 

From SPOKE your source port is 500 and peer port 500

 

ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
ISAKMP:(0): sending packet to y.y.188.59 my_port 500 peer_port 500 (I) MM_NO_STATE

 

but from the HUB's debug logs it identifies the peer port as 445

 

ISAKMP:(0):found peer pre-shared key matching x.x.151.130
ISAKMP:(0): sending packet to x.x.151.130 my_port 500 peer_port 445 (R) MM_SA_SETUP
ISAKMP (0): received packet from x.x.151.130 dport 500 sport 445 Global (R) MM_SA_SETUP
ISAKMP:(0): sending packet to x.x.151.130 my_port 500 peer_port 445 (R) MM_SA_SETUP
ISAKMP (0): received packet from x.x.151.130 dport 500 sport 445 Global (R) MM_SA_SETUP

 

Is some device in the path of the traffic changing the port?

 

Can you take a packet capture from both hub and spoke at the same time. Use the feature "monitor capture..." on the router, filter on the source public ip address, clear crypto session and run this capture whilst it attempts to establish a VPN. Then upload the packet capture files so I can have a look.
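
The port asymmetry pointed out in the reply above (spoke sending from 500, hub seeing 445) is something a small script can pull out of the two debugs without reading them line by line. The following Python is an added example, not code from the thread or from Cisco: it parses the `sending packet` / `received packet` / `retransmitting` / `Death by retransmission` lines that `debug crypto isakmp` produces, summarises each side, and cross-checks them. The sample lines are copied from the spoke and hub debugs posted earlier in this thread, with the public addresses left redacted as they are on the page. The findings it prints are observable asymmetries for triage, not a root cause.

```python
"""Triage helper for 'debug crypto isakmp' output captured on BOTH ends of a failing
IKEv1 main mode exchange. Added example, not code from the original thread. The sample
lines are copied from the spoke and hub debugs posted above (public addresses are
redacted there as x.x.151.130 / y.y.188.59 and kept that way)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Line shapes as they appear in the debugs on this page.
SEND = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+) \((I|R)\) (\w+)")
RECV = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+) Global \((I|R)\) (\w+)")
RETX = re.compile(r"retransmitting phase 1 (\w+)")
DEATH = re.compile(r'deleting SA reason "Death by retransmission P1" state \((I|R)\) (\w+)')


@dataclass
class Side:
    role: str = "?"                                    # I = initiator, R = responder
    peer: str = "?"
    my_ports: set[int] = field(default_factory=set)    # UDP port this router uses
    peer_ports: set[int] = field(default_factory=set)  # UDP port the peer appears to use
    states: Counter = field(default_factory=Counter)   # main mode states seen on the wire
    retransmits: int = 0
    died_in: str | None = None


def parse_debug(lines: list[str]) -> Side:
    """Collapse one router's debug into the few facts that matter for phase 1 triage.
    For both SEND and RECV the groups line up as (peer, my port, peer port, role, state)."""
    side = Side()
    for line in lines:
        if m := (SEND.search(line) or RECV.search(line)):
            side.peer, side.role = m[1], m[4]
            side.my_ports.add(int(m[2]))
            side.peer_ports.add(int(m[3]))
            side.states[m[5]] += 1
        elif RETX.search(line):
            side.retransmits += 1
        elif m := DEATH.search(line):
            side.died_in = m[2]
    return side


def diagnose(initiator: Side, responder: Side) -> list[str]:
    """Cross-check the two views; each finding is an asymmetry, not a verdict."""
    findings = []
    if initiator.my_ports and responder.peer_ports and initiator.my_ports != responder.peer_ports:
        findings.append(f"source port rewritten in path: initiator sends from UDP "
                        f"{sorted(initiator.my_ports)}, responder sees UDP {sorted(responder.peer_ports)}")
    if "MM_SA_SETUP" in responder.states and set(initiator.states) == {"MM_NO_STATE"}:
        findings.append("responder received MM1 and is answering, but the initiator never "
                        "leaves MM_NO_STATE: MM2 is not arriving (check the return path)")
    all_ports = initiator.my_ports | initiator.peer_ports | responder.my_ports | responder.peer_ports
    if 4500 not in all_ports:
        findings.append("no UDP 4500 seen: NAT-T never floated, which is expected when "
                        "phase 1 dies before the NAT-D exchange in MM3/MM4")
    for side in (initiator, responder):
        if side.died_in:
            findings.append(f"{side.role} side: SA deleted by retransmission in {side.died_in} "
                            f"after {side.retransmits} retransmits")
    return findings


# Copied from the spoke debugs posted above in this thread.
SPOKE_DEBUG = [
    "ISAKMP:(0): beginning Main Mode exchange",
    "ISAKMP:(0): sending packet to y.y.188.59 my_port 500 peer_port 500 (I) MM_NO_STATE",
    "ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...",
    "ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1",
    "ISAKMP:(0): retransmitting phase 1 MM_NO_STATE",
    "ISAKMP:(0): sending packet to y.y.188.59 my_port 500 peer_port 500 (I) MM_NO_STATE",
    'ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer y.y.188.59)',
]

# Copied from the hub debug posted above in this thread.
HUB_DEBUG = [
    "ISAKMP:(0):found peer pre-shared key matching x.x.151.130",
    "ISAKMP:(0): sending packet to x.x.151.130 my_port 500 peer_port 445 (R) MM_SA_SETUP",
    "ISAKMP (0): received packet from x.x.151.130 dport 500 sport 445 Global (R) MM_SA_SETUP",
    "ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.",
    "ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP",
    "ISAKMP:(0): sending packet to x.x.151.130 my_port 500 peer_port 445 (R) MM_SA_SETUP",
    'ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer x.x.151.130)',
]


def run_example() -> tuple[Side, Side, list[str]]:
    spoke, hub = parse_debug(SPOKE_DEBUG), parse_debug(HUB_DEBUG)
    return spoke, hub, diagnose(spoke, hub)


if __name__ == "__main__":
    spoke, hub, findings = run_example()
    print("spoke:", spoke)
    print("hub:  ", hub)
    for f in findings:
        print("-", f)
```

Feed it the raw debug from both routers (one list per side) and read the findings together with a `monitor capture` on each outside interface: if the hub's MM2 leaves towards :445 and never shows up on the spoke, the translating device in between is where to look next.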

Hi RJI.

 

I've found the solution. I just disabled xauth, i.e. "no crypto xauth Virtual-Template2", on the HUB router and the crypto session immediately came up.

 

Thank you for your help.
