IPsec site-to-site VPN help!!

edgsoccer
Level 1

I'm doing a site-to-site VPN for the first time on an 891 to an RV120 (GUI), but it doesn't connect. I'm thinking it might be my access list on the 891. The error that I get in the RV120 is:

2012-08-02 18:15:35: [rv120w][IKE] ERROR:  Phase 1 negotiation failed due to time up for xx.xx.xx.xx[500]. ea65b6c91b9e73de:0000000000000000
2012-08-02 18:16:11: [rv120w][IKE] INFO:  Configuration found for xx.xx.xx.xx.
2012-08-02 18:16:11: [rv120w][IKE] INFO:  Initiating new phase 1 negotiation: xx.xx.xx.xx[500]<=>xx.xx.xx.xx[500]
2012-08-02 18:16:11: [rv120w][IKE] INFO:  Beginning Identity Protection mode.
2012-08-02 18:16:11: [rv120w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
2012-08-02 18:16:11: [rv120w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4
2012-08-02 18:16:11: [rv120w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8
2012-08-02 18:16:11: [rv120w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9
2012-08-02 18:16:11: [rv120w][IKE] ERROR:  Ignore information because the message has no hash payload.
2012-08-02 18:16:42: [rv120w][IKE] ERROR:  Invalid SA protocol type: 0
2012-08-02 18:16:42: [rv120w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1.
2012-08-02 18:17:00: [rv120w][IKE] INFO:  accept a request to establish IKE-SA: 71.32.110.24
2012-08-02 18:17:00: [rv120w][IKE] WARNING:  schedular is already scheduled for SA creation for remote: "xx.xx.xx.xx"
2012-08-02 18:17:00: [rv120w][IKE] ERROR:  Failed to attach schedSaCreate in IKE configuraion

891 config

=====================================================
ip dhcp pool test
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 8.8.8.8 8.8.4.4
!
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
!
crypto isakmp policy 1
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key Testingkey address xx.xx.xx.xxx
!
!
crypto ipsec transform-set test1 ah-md5-hmac esp-3des
!
crypto map maptest1 2 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set test1
 match address 100
!
!
interface FastEthernet8
 description qwest connection
 no ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 crypto map maptest1
!
!
interface Vlan1
 description quest
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxx
 ppp chap password 0 xxxxxxxx
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark maptest1 category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 100 protocol ip permit
=======================================================================


Hi Manny,

You'll need to issue the 'terminal monitor' command in privileged exec if you're connected via Telnet. Do test again and post the requested show and debug output.

Sent from Cisco Technical Support iPhone App

*Aug  8 17:56:28.646: ISAKMP:(2063):purging node -457497600
*Aug  8 17:56:29.838: ISAKMP (2063): received packet from xx.xx.xx.134 dport 500 sport 500 Global (R) QM_IDLE
*Aug  8 17:56:29.838: ISAKMP: set new node -589351332 to QM_IDLE
*Aug  8 17:56:29.838: ISAKMP:(2063): processing HASH payload. message ID = -589351332
*Aug  8 17:56:29.838: ISAKMP:(2063): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -589351332, sa = 0x86E939E0
*Aug  8 17:56:29.838: ISAKMP:(2063):deleting node -589351332 error FALSE reason "Informational (in) state 1"
*Aug  8 17:56:29.838: ISAKMP:(2063):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Aug  8 17:56:29.838: ISAKMP:(2063):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Aug  8 17:56:29.838: ISAKMP:(2063):DPD/R_U_THERE received from peer xx.xx.xx.134, sequence 0xAA2
*Aug  8 17:56:29.838: ISAKMP: set new node 681130243 to QM_IDLE
*Aug  8 17:56:29.838: ISAKMP:(2063):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2250945376, message ID = 681130243
*Aug  8 17:56:29.838: ISAKMP:(2063): seq. no 0xAA2
*Aug  8 17:56:29.838: ISAKMP:(2063): sending packet to xx.xx.xx.134 my_port 500 peer_port 500 (R) QM_IDLE
*Aug  8 17:56:29.838: ISAKMP:(2063):Sending an IKE IPv4 Packet.
*Aug  8 17:56:29.838: ISAKMP:(2063):purging node 681130243
*Aug  8 17:56:29.838: ISAKMP:(2063):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Aug  8 17:56:29.838: ISAKMP:(2063):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Aug  8 17:56:32.142: ISAKMP (2063): received packet from xx.xx.xx.134 dport 500 sport 500 Global (R) QM_IDLE
*Aug  8 17:56:32.142: ISAKMP: set new node -1197739227 to QM_IDLE
*Aug  8 17:56:32.142: ISAKMP:(2063): processing HASH payload. message ID = -1197739227
*Aug  8 17:56:32.142: ISAKMP:(2063): processing SA payload. message ID = -1197739227
*Aug  8 17:56:32.142: ISAKMP:(2063):Checking IPSec proposal 1
*Aug  8 17:56:32.142: ISAKMP: transform 1, ESP_3DES
*Aug  8 17:56:32.142: ISAKMP:   attributes in transform:
*Aug  8 17:56:32.142: ISAKMP:      SA life type in seconds
*Aug  8 17:56:32.142: ISAKMP:      SA life duration (basic) of 28800
*Aug  8 17:56:32.142: ISAKMP:      encaps is 1 (Tunnel)
*Aug  8 17:56:32.142: ISAKMP:      authenticator is HMAC-MD5
*Aug  8 17:56:32.142: ISAKMP:      group is 2
*Aug  8 17:56:32.142: ISAKMP:(2063):atts are acceptable.
*Aug  8 17:56:32.142: IPSEC(validate_proposal_request): proposal part #1
*Aug  8 17:56:32.142: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= xx.xx.xx.24:0, remote= xx.xx.xx.134:0,
    local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Aug  8 17:56:32.142: IPSEC(ipsec_process_proposal): invalid local address xx.xx.xx.24
*Aug  8 17:56:32.142: ISAKMP:(2063): IPSec policy invalidated proposal with error 8
*Aug  8 17:56:32.142: ISAKMP:(2063): phase 2 SA policy not acceptable! (local xx.xx.xx.24 remote xx.xx.xx.134)
*Aug  8 17:56:32.142: ISAKMP: set new node -1934182771 to QM_IDLE
*Aug  8 17:56:32.142: ISAKMP:(2063):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2250944296, message ID = -1934182771
*Aug  8 17:56:32.142: ISAKMP:(2063): sending packet to 97.77.166.134 my_port 500 peer_port 500 (R) QM_IDLE
*Aug  8 17:56:32.142: ISAKMP:(2063):Sending an IKE IPv4 Packet.
*Aug  8 17:56:32.142: ISAKMP:(2063):purging node -1934182771
*Aug  8 17:56:32.142: ISAKMP:(2063):deleting node -1197739227 error TRUE reason "QM rejected"
*Aug  8 17:56:32.142: ISAKMP:(2063):Node -1197739227, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Aug  8 17:56:32.142: ISAKMP:(2063):Old State = IKE_QM_READY  New State = IKE_QM_READY
*Aug  8 17:56:33.774: ISAKMP:(2063):purging node -1856223832
*Aug  8 17:56:35.322: ISAKMP (2063): received packet from xx.xx.xx.134 dport 500 sport 500 Global (R) QM_IDLE
*Aug  8 17:56:35.322: ISAKMP: set new node -685236136 to QM_IDLE
*Aug  8 17:56:35.322: ISAKMP:(2063): processing HASH payload. message ID = -685236136
*Aug  8 17:56:35.322: ISAKMP:(2063): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -685236136, sa = 0x86E939E0
*Aug  8 17:56:35.322: ISAKMP:(2063):deleting node -685236136 error FALSE reason "Informational (in) state 1"
*Aug  8 17:56:35.322: ISAKMP:(2063):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Aug  8 17:56:35.322: ISAKMP:(2063):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
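The debug output above is long, but the diagnosis hinges on a handful of line shapes: a phase 1 state transition, the peer's Quick Mode proposal attributes, and the reason the 891 rejected phase 2. The parser below is an added example (not part of the thread and not a Cisco tool) that walks a capture of "debug crypto isakmp" / "debug crypto ipsec" output and summarises those three things. The sample lines are constructed from the shapes seen in this thread, with documentation-range addresses in place of the poster's; the `diagnosis()` wording is the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample shaped like the 891's debug output posted above
# (addresses replaced with documentation ranges).
SAMPLE_DEBUG = """\
*Aug  8 17:56:29.838: ISAKMP:(2063):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Aug  8 17:56:32.142: ISAKMP:(2063):Checking IPSec proposal 1
*Aug  8 17:56:32.142: ISAKMP: transform 1, ESP_3DES
*Aug  8 17:56:32.142: ISAKMP:      authenticator is HMAC-MD5
*Aug  8 17:56:32.142: ISAKMP:      group is 2
*Aug  8 17:56:32.142: ISAKMP:(2063):atts are acceptable.
*Aug  8 17:56:32.142: IPSEC(ipsec_process_proposal): invalid local address 198.51.100.24
*Aug  8 17:56:32.142: ISAKMP:(2063): IPSec policy invalidated proposal with error 8
*Aug  8 17:56:32.142: ISAKMP:(2063): phase 2 SA policy not acceptable! (local 198.51.100.24 remote 203.0.113.134)
*Aug  8 17:56:32.142: ISAKMP:(2063):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
*Aug  8 17:56:32.142: ISAKMP:(2063):deleting node -1197739227 error TRUE reason "QM rejected"
"""


@dataclass
class DebugSummary:
    phase1_complete: bool = False
    proposal: Dict[str, str] = field(default_factory=dict)  # what the peer offered in Quick Mode
    rejections: List[str] = field(default_factory=list)      # why the 891 refused phase 2
    invalid_local: Optional[str] = None                      # address the IPsec layer did not own

    def diagnosis(self) -> str:
        if not self.phase1_complete:
            return ("phase 1 never completed: compare the ISAKMP policy "
                    "(encryption/hash/group/lifetime) and the pre-shared key on both ends")
        if self.invalid_local:
            return (f"phase 1 up, phase 2 rejected: local address {self.invalid_local} is not "
                    "owned by the interface carrying the crypto map; move the map to the "
                    "interface that holds the negotiated address (the Dialer on a PPPoE router)")
        if self.rejections:
            return "phase 1 up, phase 2 rejected: " + "; ".join(self.rejections)
        return "no negotiation failure seen in this capture"


# Patterns follow the line shapes in the thread's debug output.
_PATTERNS = {
    "p1_complete": re.compile(r"New State = IKE_P1_COMPLETE"),
    "transform": re.compile(r"ISAKMP: transform \d+, (\S+)"),
    "auth": re.compile(r"authenticator is (\S+)"),
    "pfs_group": re.compile(r"group is (\d+)"),
    "invalid_local": re.compile(r"invalid local address (\S+)"),
    "not_chosen": re.compile(r"Sending NOTIFY PROPOSAL_NOT_CHOSEN"),
    "policy_bad": re.compile(r"phase 2 SA policy not acceptable"),
    "error_reason": re.compile(r'error TRUE reason "([^"]+)"'),
}


def parse_debug(text: str) -> DebugSummary:
    """Walk the debug lines once and collect phase 1 / phase 2 evidence."""
    s = DebugSummary()
    for line in text.splitlines():
        if _PATTERNS["p1_complete"].search(line):
            s.phase1_complete = True
        for key in ("transform", "auth", "pfs_group"):
            m = _PATTERNS[key].search(line)
            if m:
                s.proposal[key] = m.group(1)
        m = _PATTERNS["invalid_local"].search(line)
        if m:
            s.invalid_local = m.group(1)
        if _PATTERNS["policy_bad"].search(line):
            s.rejections.append("phase 2 SA policy not acceptable")
        if _PATTERNS["not_chosen"].search(line):
            s.rejections.append("PROPOSAL_NOT_CHOSEN sent to peer")
        m = _PATTERNS["error_reason"].search(line)
        if m:
            s.rejections.append(m.group(1))
    return s


if __name__ == "__main__":
    summary = parse_debug(SAMPLE_DEBUG)
    print("peer proposal:", summary.proposal)
    print("rejections:", summary.rejections)
    print(summary.diagnosis())
```

Run it against a saved capture (`parse_debug(open("debug.txt").read())`) and the proposal dictionary shows what the peer asked for (ESP 3DES with HMAC-MD5 and PFS group 2 in this case) while `invalid_local` points straight at the crypto-map placement problem the thread eventually found.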

Hi Manny,

Thanks for the debug output! I believe we're making some progress and were able to establish IKE phase 1. The problem now is to establish the IPsec SA, or IKE phase 2. Could you do the following again one more time and post the results?

int f8
no crypto map maptest1
int d1
crypto map maptest1
clear crypto sa
debug crypto isakmp
debug crypto ipsec
show crypto isakmp sa
show crypto ipsec sa

Sent from Cisco Technical Support iPhone App

It's working... I wonder why it didn't work the last time we did

int f8
no crypto map maptest1
int d1
crypto map maptest1

It worked with PFS enabled... maybe it was the

crypto isakmp policy 1
encryption 3des

Thanks everyone for the help... Thank you john

Hi Manny,

Thanks for the update and nice rating! I'm glad it's finally resolved.

Let me dissect how your IPsec VPN connection was resolved. For IKE phase 1, your RV router is using MD5 hashing and we need to specify the same on the 891, since the default is SHA-1. I thought 3DES was the default, but it's probably a different encryption type for the 891, so we need to hardcode that:

crypto isakmp policy 1
encryption 3des
hash md5

For IKE phase 2, both devices were using different encryption and hashing for the transform set, so we've fixed that as well. The 891 doesn't have PFS (the additional DH key exchange) enabled, so we need to disable that on the RV router.

crypto ipsec transform-set test1 esp-3des esp-md5-hmac
crypto map maptest1 2 ipsec-isakmp
set peer xx.xx.xx.134
set transform-set test1
match address 100

Lastly, based on the 891 debug, the IPsec SA wasn't forming due to a crypto map that was applied on the wrong WAN interface. It should be applied to the dialer interface.

*Aug 8 17:56:32.142: IPSEC(ipsec_process_proposal): invalid local address xx.xx.xx.24

I would also give credit to jcarvaja for the initial amendment of the NAT and crypto ACL (+5 for him).
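The three points in that summary (phase 1 policy mismatch, phase 2 transform-set and PFS mismatch, crypto map on the wrong interface) are all things a script can check before anyone has to stare at debug output. The checker below is an added example, not part of the thread or of Cisco's tooling. It parses a snippet of IOS config in the shape of the one posted at the top of the thread, compares it with the peer's settings as a dictionary (the RV120 values are assumed from what the thread reports), and lists every mismatch; the "after" config is built from the "before" one by applying the corrections above. It assumes classic IOS defaults (DES, SHA-1, group 1, 86400 s) for policy lines that are omitted, and it keeps PFS on at both ends, which is the variant Manny reported working.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample shaped like the 891 config posted at the top of the thread
# (documentation addresses, not the poster's). This is the "before" state.
IOS_BEFORE = """\
crypto isakmp policy 1
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key Testingkey address 203.0.113.134
crypto ipsec transform-set test1 ah-md5-hmac esp-3des
crypto map maptest1 2 ipsec-isakmp
 set peer 203.0.113.134
 set transform-set test1
 match address 100
interface FastEthernet8
 no ip address
 pppoe-client dial-pool-number 1
 crypto map maptest1
interface Dialer1
 ip address negotiated
 encapsulation ppp
"""

# The same config with the thread's corrections applied (PFS assumed on at both ends).
IOS_AFTER = (IOS_BEFORE
    .replace(" authentication pre-share\n", " encryption 3des\n hash md5\n authentication pre-share\n")
    .replace("ah-md5-hmac esp-3des", "esp-3des esp-md5-hmac")
    .replace(" match address 100\n", " set pfs group2\n match address 100\n")
    .replace(" pppoe-client dial-pool-number 1\n crypto map maptest1\n", " pppoe-client dial-pool-number 1\n")
    .replace(" encapsulation ppp\n", " encapsulation ppp\n crypto map maptest1\n"))

# Peer (RV120) settings as entered in its GUI; assumed values matching the thread.
RV120_PEER = {
    "phase1": {"encryption": "3des", "hash": "md5", "group": "2", "lifetime": 28800},
    "phase2": {"encryption": "esp-3des", "auth": "esp-md5-hmac", "pfs": True},
}

# Values IOS uses when a policy line is omitted (assumed classic IOS defaults).
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1", "lifetime": 86400}


def _blocks(cfg: str, header: str):
    """Yield (header match, stripped indented body lines) for each block whose header matches."""
    lines, i = cfg.splitlines(), 0
    while i < len(lines):
        m = re.match(header, lines[i])
        i += 1
        if not m:
            continue
        body = []
        while i < len(lines) and lines[i].startswith(" "):
            body.append(lines[i].strip())
            i += 1
        yield m, body


def parse_isakmp_policies(cfg: str) -> Dict[int, dict]:
    policies = {}
    for m, body in _blocks(cfg, r"crypto isakmp policy (\d+)"):
        pol = dict(ISAKMP_DEFAULTS)
        for line in body:
            kw, _, val = line.partition(" ")
            if kw in ("encryption", "hash", "group"):
                pol[kw] = val
            elif kw == "lifetime":
                pol[kw] = int(val)
        policies[int(m.group(1))] = pol
    return policies


def parse_transform_sets(cfg: str) -> Dict[str, List[str]]:
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)}


def parse_crypto_maps(cfg: str) -> Dict[Tuple[str, int], dict]:
    maps = {}
    for m, body in _blocks(cfg, r"crypto map (\S+) (\d+) ipsec-isakmp"):
        entry = {"transform_set": None, "pfs": None}
        for line in body:
            parts = line.split()
            if parts[:2] == ["set", "transform-set"]:
                entry["transform_set"] = parts[2]
            elif parts[:2] == ["set", "pfs"]:
                entry["pfs"] = parts[2]
        maps[(m.group(1), int(m.group(2)))] = entry
    return maps


def parse_interfaces(cfg: str) -> Dict[str, dict]:
    ifs = {}
    for m, body in _blocks(cfg, r"interface (\S+)"):
        ifs[m.group(1)] = {
            "has_ip": any(l.startswith("ip address ") for l in body),  # "no ip address" does not count
            "crypto_map": next((l.split()[2] for l in body if l.startswith("crypto map ")), None),
        }
    return ifs


def check_against_peer(cfg: str, peer: dict) -> List[str]:
    """Return one finding per mismatch that would stall phase 1 or phase 2."""
    findings = []
    for num, pol in sorted(parse_isakmp_policies(cfg).items()):
        for key in ("encryption", "hash", "group", "lifetime"):
            if pol[key] != peer["phase1"][key]:
                findings.append(f"phase1 policy {num}: {key} is {pol[key]} on IOS, "
                                f"{peer['phase1'][key]} on peer")
    sets = parse_transform_sets(cfg)
    wanted = {peer["phase2"]["encryption"], peer["phase2"]["auth"]}
    for (name, seq), entry in parse_crypto_maps(cfg).items():
        transforms = sets.get(entry["transform_set"], [])
        if set(transforms) != wanted:
            findings.append(f"phase2 map {name} {seq}: transform-set {entry['transform_set']} offers "
                            f"{' '.join(transforms)}, peer expects {' '.join(sorted(wanted))}")
        if peer["phase2"]["pfs"] and entry["pfs"] is None:
            findings.append(f"phase2 map {name} {seq}: peer has PFS on but the map has no 'set pfs'")
    for ifname, info in parse_interfaces(cfg).items():
        if info["crypto_map"] and not info["has_ip"]:
            findings.append(f"interface {ifname}: crypto map {info['crypto_map']} is applied but the "
                            "interface owns no IP address; apply it on the interface that does (the Dialer)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", IOS_BEFORE), ("after", IOS_AFTER)):
        print(label, check_against_peer(cfg, RV120_PEER) or ["no mismatches"])
```

On the "before" config it reports five findings (DES vs 3DES, SHA vs MD5, AH+ESP vs ESP-only transform set, missing `set pfs`, crypto map on an interface with no address); on the corrected config it reports none. The interface check is the one the debug output pointed at with "invalid local address": on a PPPoE router the negotiated address lives on the Dialer, so that is where the crypto map has to sit.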
