08-02-2012 11:23 AM - edited 02-21-2020 06:14 PM
I'm doing a site-to-site VPN for the first time on an 891 to an RV 120 (GUI), but it doesn't connect. I'm thinking it might be my access list on the 891. The error that I get in the RV120 is
2012-08-02 18:15:35: [rv120w][IKE] ERROR: Phase 1 negotiation failed due to time up for xx.xx.xx.xx[500]. ea65b6c91b9e73de:0000000000000000
2012-08-02 18:16:11: [rv120w][IKE] INFO: Configuration found for xx.xx.xx.xx.
2012-08-02 18:16:11: [rv120w][IKE] INFO: Initiating new phase 1 negotiation: xx.xx.xx.xx[500]<=>xx.xx.xx.xx[500]
2012-08-02 18:16:11: [rv120w][IKE] INFO: Beginning Identity Protection mode.
2012-08-02 18:16:11: [rv120w][IKE] INFO: [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
2012-08-02 18:16:11: [rv120w][IKE] INFO: [ident_i1send:184]: XXX: setting vendorid: 4
2012-08-02 18:16:11: [rv120w][IKE] INFO: [ident_i1send:184]: XXX: setting vendorid: 8
2012-08-02 18:16:11: [rv120w][IKE] INFO: [ident_i1send:184]: XXX: setting vendorid: 9
2012-08-02 18:16:11: [rv120w][IKE] ERROR: Ignore information because the message has no hash payload.
2012-08-02 18:16:42: [rv120w][IKE] ERROR: Invalid SA protocol type: 0
2012-08-02 18:16:42: [rv120w][IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1.
2012-08-02 18:17:00: [rv120w][IKE] INFO: accept a request to establish IKE-SA: 71.32.110.24
2012-08-02 18:17:00: [rv120w][IKE] WARNING: schedular is already scheduled for SA creation for remote: "xx.xx.xx.xx"
2012-08-02 18:17:00: [rv120w][IKE] ERROR: Failed to attach schedSaCreate in IKE configuraion
891 config
=====================================================
ip dhcp pool test
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 8.8.8.8 8.8.4.4
!
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
!
crypto isakmp policy 1
authentication pre-share
group 2
lifetime 28800
crypto isakmp key Testingkey address xx.xx.xx.xxx
!
!
crypto ipsec transform-set test1 ah-md5-hmac esp-3des
!
crypto map maptest1 2 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set test1
match address 100
!
!
interface FastEthernet8
description qwest connection
no ip address
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
crypto map maptest1
!
!
interface Vlan1
description quest
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxx
ppp chap password 0 xxxxxxxx
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark maptest1 category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 100 protocol ip permit
=======================================================================
08-08-2012 09:57 AM
Hi Manny,
You'll need to issue the 'terminal monitor' command in privileged exec if you're connected via Telnet. Test again and post the requested show and debug output.
Sent from Cisco Technical Support iPhone App
08-08-2012 10:50 AM
*Aug 8 17:56:28.646: ISAKMP:(2063):purging node -457497600
*Aug 8 17:56:29.838: ISAKMP (2063): received packet from xx.xx.xx.134 dport 500 sport 500 Global (R) QM_IDLE
*Aug 8 17:56:29.838: ISAKMP: set new node -589351332 to QM_IDLE
*Aug 8 17:56:29.838: ISAKMP:(2063): processing HASH payload. message ID = -589351332
*Aug 8 17:56:29.838: ISAKMP:(2063): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -589351332, sa = 0x86E939E0
*Aug 8 17:56:29.838: ISAKMP:(2063):deleting node -589351332 error FALSE reason "Informational (in) state 1"
*Aug 8 17:56:29.838: ISAKMP:(2063):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Aug 8 17:56:29.838: ISAKMP:(2063):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Aug 8 17:56:29.838: ISAKMP:(2063):DPD/R_U_THERE received from peer xx.xx.xx.134, sequence 0xAA2
*Aug 8 17:56:29.838: ISAKMP: set new node 681130243 to QM_IDLE
*Aug 8 17:56:29.838: ISAKMP:(2063):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2250945376, message ID = 681130243
*Aug 8 17:56:29.838: ISAKMP:(2063): seq. no 0xAA2
*Aug 8 17:56:29.838: ISAKMP:(2063): sending packet to xx.xx.xx.134 my_port 500 peer_port 500 (R) QM_IDLE
*Aug 8 17:56:29.838: ISAKMP:(2063):Sending an IKE IPv4 Packet.
*Aug 8 17:56:29.838: ISAKMP:(2063):purging node 681130243
*Aug 8 17:56:29.838: ISAKMP:(2063):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Aug 8 17:56:29.838: ISAKMP:(2063):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Aug 8 17:56:32.142: ISAKMP (2063): received packet from xx.xx.xx.134 dport 500 sport 500 Global (R) QM_IDLE
*Aug 8 17:56:32.142: ISAKMP: set new node -1197739227 to QM_IDLE
*Aug 8 17:56:32.142: ISAKMP:(2063): processing HASH payload. message ID = -1197739227
*Aug 8 17:56:32.142: ISAKMP:(2063): processing SA payload. message ID = -1197739227
*Aug 8 17:56:32.142: ISAKMP:(2063):Checking IPSec proposal 1
*Aug 8 17:56:32.142: ISAKMP: transform 1, ESP_3DES
*Aug 8 17:56:32.142: ISAKMP: attributes in transform:
*Aug 8 17:56:32.142: ISAKMP: SA life type in seconds
*Aug 8 17:56:32.142: ISAKMP: SA life duration (basic) of 28800
*Aug 8 17:56:32.142: ISAKMP: encaps is 1 (Tunnel)
*Aug 8 17:56:32.142: ISAKMP: authenticator is HMAC-MD5
*Aug 8 17:56:32.142: ISAKMP: group is 2
*Aug 8 17:56:32.142: ISAKMP:(2063):atts are acceptable.
*Aug 8 17:56:32.142: IPSEC(validate_proposal_request): proposal part #1
*Aug 8 17:56:32.142: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= xx.xx.xx.24:0, remote= xx.xx.xx.134:0,
local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Aug 8 17:56:32.142: IPSEC(ipsec_process_proposal): invalid local address xx.xx.xx.24
*Aug 8 17:56:32.142: ISAKMP:(2063): IPSec policy invalidated proposal with error 8
*Aug 8 17:56:32.142: ISAKMP:(2063): phase 2 SA policy not acceptable! (local xx.xx.xx.24 remote xx.xx.xx.134)
*Aug 8 17:56:32.142: ISAKMP: set new node -1934182771 to QM_IDLE
*Aug 8 17:56:32.142: ISAKMP:(2063):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2250944296, message ID = -1934182771
*Aug 8 17:56:32.142: ISAKMP:(2063): sending packet to 97.77.166.134 my_port 500 peer_port 500 (R) QM_IDLE
*Aug 8 17:56:32.142: ISAKMP:(2063):Sending an IKE IPv4 Packet.
*Aug 8 17:56:32.142: ISAKMP:(2063):purging node -1934182771
*Aug 8 17:56:32.142: ISAKMP:(2063):deleting node -1197739227 error TRUE reason "QM rejected"
*Aug 8 17:56:32.142: ISAKMP:(2063):Node -1197739227, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Aug 8 17:56:32.142: ISAKMP:(2063):Old State = IKE_QM_READY New State = IKE_QM_READY
*Aug 8 17:56:33.774: ISAKMP:(2063):purging node -1856223832
*Aug 8 17:56:35.322: ISAKMP (2063): received packet from xx.xx.xx.134 dport 500 sport 500 Global (R) QM_IDLE
*Aug 8 17:56:35.322: ISAKMP: set new node -685236136 to QM_IDLE
*Aug 8 17:56:35.322: ISAKMP:(2063): processing HASH payload. message ID = -685236136
*Aug 8 17:56:35.322: ISAKMP:(2063): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -685236136, sa = 0x86E939E0
*Aug 8 17:56:35.322: ISAKMP:(2063):deleting node -685236136 error FALSE reason "Informational (in) state 1"
*Aug 8 17:56:35.322: ISAKMP:(2063):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Aug 8 17:56:35.322: ISAKMP:(2063):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
08-08-2012 05:32 PM
Hi Manny,
Thanks for the debug output! I believe we're making some progress and were able to establish IKE phase 1. The problem now is to establish the IPsec SA, or IKE phase 2. Could you do the following one more time and post the results?
int f8
no crypto map maptest1
int d1
crypto map maptest1
clear crypto sa
debug crypto isakmp
debug crypto ipsec
show crypto isakmp sa
show crypto ipsec sa
Sent from Cisco Technical Support iPhone App
08-09-2012 04:12 PM
It's working... I wonder why it didn't work the last time we did
int f8
no crypto map maptest1
int d1
crypto map maptest1
It worked with PFS enabled... maybe it was the
crypto isakmp policy 1
encryption 3des
Thanks everyone for the help... Thank you John
08-09-2012 04:40 PM
Hi Manny,
Thanks for the update and nice rating! I'm glad it's finally resolved.
Let me dissect how your IPsec VPN connection was resolved. For IKE phase 1, your RV router is using MD5 hashing and we need to specify the same on the 891, since the default is SHA-1. I thought 3DES was the default, but it's probably a different encryption type for the 891, so we need to hardcode that:
crypto isakmp policy 1
encryption 3des
hash md5
For IKE phase 2, both devices were using different encryption and hashing for the transform set, so we've fixed that as well. The 891 doesn't have PFS or an additional DH key exchange enabled, so we need to disable that on the RV router.
crypto ipsec transform-set test1 esp-3des esp-md5-hmac
crypto map maptest1 2 ipsec-isakmp
set peer xx.xx.xx.134
set transform-set test1
match address 100
Lastly, based on the 891 debug, the IPsec SA wasn't forming due to a crypto map that was applied to the wrong WAN interface. It should be applied to the dialer interface.
*Aug 8 17:56:32.142: IPSEC(ipsec_process_proposal): invalid local address xx.xx.xx.24
I would also give credit to jcarvaja for the initial amendment of the NAT and crypto ACL (+5 for him).
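The three phase 2 problems John dissects above (transform-set mismatch, PFS mismatch, crypto map on the wrong interface) all show up in the `debug crypto isakmp` / `debug crypto ipsec` output Manny posted. The script below is an added example, not code from this thread or from Cisco: it parses those debug lines, reconstructs the peer's phase 2 proposal as IOS transform-set keywords, and compares it with the 891's configured transform set and PFS setting. The sample lines are copied from the debug output posted above (addresses masked as in the thread); the local-policy values are taken from the 891 config in the first post. The `ENC_KEYWORD`/`AUTH_KEYWORD` tables cover only the algorithms that appear on this page.

```python
"""Check an IOS IKE phase 2 debug against the local transform set and PFS setting.

Added example for this thread; not the thread's own code or a Cisco tool.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Debug lines copied from the 891 output posted in the thread (addresses masked as there).
SAMPLE_DEBUG = """\
*Aug 8 17:56:29.838: ISAKMP:(2063):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Aug 8 17:56:32.142: ISAKMP:(2063):Checking IPSec proposal 1
*Aug 8 17:56:32.142: ISAKMP: transform 1, ESP_3DES
*Aug 8 17:56:32.142: ISAKMP: attributes in transform:
*Aug 8 17:56:32.142: ISAKMP: SA life type in seconds
*Aug 8 17:56:32.142: ISAKMP: SA life duration (basic) of 28800
*Aug 8 17:56:32.142: ISAKMP: encaps is 1 (Tunnel)
*Aug 8 17:56:32.142: ISAKMP: authenticator is HMAC-MD5
*Aug 8 17:56:32.142: ISAKMP: group is 2
*Aug 8 17:56:32.142: ISAKMP:(2063):atts are acceptable.
*Aug 8 17:56:32.142: IPSEC(ipsec_process_proposal): invalid local address xx.xx.xx.24
*Aug 8 17:56:32.142: ISAKMP:(2063): IPSec policy invalidated proposal with error 8
*Aug 8 17:56:32.142: ISAKMP:(2063):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

# The 891's transform set ('ah-md5-hmac esp-3des') and PFS setting from the posted config.
LOCAL_TRANSFORM_SET = {"ah-md5-hmac", "esp-3des"}
LOCAL_PFS_GROUP: Optional[int] = None  # no 'set pfs' under the crypto map

# IOS debug names -> transform-set keywords (only the algorithms seen in this thread).
ENC_KEYWORD = {"ESP_3DES": "esp-3des", "ESP_DES": "esp-des", "ESP_AES": "esp-aes"}
AUTH_KEYWORD = {"HMAC-MD5": "esp-md5-hmac", "HMAC-SHA": "esp-sha-hmac"}

RE_P1 = re.compile(r"New State = IKE_P1_COMPLETE")
RE_P2_START = re.compile(r"Checking IPSec proposal")
RE_ENC = re.compile(r"ISAKMP:\s*transform \d+, (\S+)")
RE_AUTH = re.compile(r"authenticator is (\S+)")
RE_GROUP = re.compile(r"ISAKMP:\s*group is (\d+)")
RE_LIFE = re.compile(r"SA life duration \(basic\) of (\d+)")
RE_BADADDR = re.compile(r"invalid local address (\S+)")
RE_NPC = re.compile(r"Sending NOTIFY PROPOSAL_NOT_CHOSEN")


@dataclass
class Phase2Proposal:
    encryption: Optional[str] = None
    authenticator: Optional[str] = None
    pfs_group: Optional[int] = None   # a 'group is N' inside the phase 2 proposal means PFS
    lifetime_s: Optional[int] = None


@dataclass
class Diagnosis:
    phase1_complete: bool = False
    proposal: Phase2Proposal = field(default_factory=Phase2Proposal)
    invalid_local_address: Optional[str] = None
    proposal_not_chosen: bool = False


def parse_debug(lines: List[str]) -> Diagnosis:
    """Extract phase 1 state and the peer's phase 2 proposal from debug output."""
    d = Diagnosis()
    in_phase2 = False  # 'group is N' also appears in phase 1, so only read it inside a proposal
    for line in lines:
        if RE_P1.search(line):
            d.phase1_complete = True
        if RE_P2_START.search(line):
            in_phase2 = True
        if in_phase2:
            for regex, attr, conv in ((RE_ENC, "encryption", str), (RE_AUTH, "authenticator", str),
                                      (RE_GROUP, "pfs_group", int), (RE_LIFE, "lifetime_s", int)):
                m = regex.search(line)
                if m:
                    setattr(d.proposal, attr, conv(m.group(1)))
        m = RE_BADADDR.search(line)
        if m:
            d.invalid_local_address = m.group(1)
        if RE_NPC.search(line):
            d.proposal_not_chosen = True
    return d


def peer_transform_keywords(p: Phase2Proposal) -> Set[str]:
    """Translate the peer's ESP proposal into the IOS transform-set keywords it implies."""
    kws = set()
    if p.encryption in ENC_KEYWORD:
        kws.add(ENC_KEYWORD[p.encryption])
    if p.authenticator in AUTH_KEYWORD:
        kws.add(AUTH_KEYWORD[p.authenticator])
    return kws


def check_against_local(d: Diagnosis, local_transform: Set[str], local_pfs: Optional[int]) -> List[str]:
    """Return the mismatches that would make the local router reject this phase 2 proposal."""
    findings = []
    if not d.phase1_complete:
        return ["phase 1 never completed: compare isakmp policy (encryption/hash/group) and pre-shared key"]
    peer = peer_transform_keywords(d.proposal)
    if peer and peer != local_transform:
        findings.append(f"transform-set mismatch: peer proposes {sorted(peer)}, local set is {sorted(local_transform)}")
    if d.proposal.pfs_group is not None and d.proposal.pfs_group != local_pfs:
        findings.append(f"PFS mismatch: peer proposes DH group {d.proposal.pfs_group}, local crypto map pfs={local_pfs}")
    if d.invalid_local_address:
        findings.append(f"invalid local address {d.invalid_local_address}: the crypto map is applied to an interface "
                        "that does not own the IPsec source address; apply it to the interface that does")
    return findings


if __name__ == "__main__":
    diag = parse_debug(SAMPLE_DEBUG.splitlines())
    for finding in check_against_local(diag, LOCAL_TRANSFORM_SET, LOCAL_PFS_GROUP):
        print("-", finding)
```

Run against the posted debug it reports all three mismatches; rerun with the corrected transform set (`esp-3des esp-md5-hmac`) and PFS group 2 and only the `invalid local address` finding remains, which is the crypto-map placement that moving the map from FastEthernet8 to Dialer1 fixed.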