need help with VPN connection

m.chandra2010
Level 1

Hi Guys

Can you help with this?

I have set up a VPN connection, but the tunnel shows as status: up and protocol description: down.

Debug is on and shows the following:

SA has outstanding requests  (local xx.xx.xx.xx port 500, remote xx.xx.xx.xx port 500)
Dec 20 02:39:26.762: ISAKMP:(2142): sitting IDLE. Starting QM immediately (QM_IDLE      )
Dec 20 02:39:26.762: ISAKMP:(2142):beginning Quick Mode exchange, M-ID of 3357871564
Dec 20 02:39:26.762: ISAKMP:(2142):QM Initiator gets spi
Dec 20 02:39:26.762: ISAKMP:(2142): sending packet to xx.xx.xx.xx my_port 500 peer_port 500 (I) QM_IDLE
Dec 20 02:39:26.762: ISAKMP:(2142):Sending an IKE IPv4 Packet.
Dec 20 02:39:26.762: ISAKMP:(2142):Node 3357871564, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Dec 20 02:39:26.762: ISAKMP:(2142):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Dec 20 02:39:26.794: ISAKMP (2142): received packet from xx.xx.xx.xx dport 500 sport 500 Global (I) QM_IDLE
Dec 20 02:39:26.794: ISAKMP: set new node -419503660 to QM_IDLE
Dec 20 02:39:26.794: ISAKMP:(2142): processing HASH payload. message ID = 3875463636
Dec 20 02:39:26.794: ISAKMP:(2142): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2561284360, message ID = 3875463636, sa = 0x87D0CFC8
Dec 20 02:39:26.794: ISAKMP:(2142): deleting spi 2561284360 message ID = 3357871564
Dec 20 02:39:26.794: ISAKMP:(2142):deleting node -937095732 error TRUE reason "Delete Larval"
Dec 20 02:39:26.794: ISAKMP:(2142):deleting node -419503660 error FALSE reason "Informational (in) state 1"
Dec 20 02:39:26.794: ISAKMP:(2142):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Dec 20 02:39:26.794: ISAKMP:(2142):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Dec 20 02:39:46.798: ISAKMP:(2142):purging node -1177810765
Dec 20 02:39:46.798: ISAKMP:(2142):purging node -138734109
Dec 20 02:39:56.763: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 2 packets
Dec 20 02:39:56.763: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= xx.xx.xx.xx:0, remote= xx.xx.xx.xx:0,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)

The config is as follows:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address xx.xx.xx.xx
!
!
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile tech
 set transform-set vpnset
!
!
crypto map my-map 20 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set vpnset
 match address 155


7 Replies

You are not compatible with the other side. What's the config of the peer?

Do you also have an IPsec-Tunnel-Interface on this router that the other side does not have?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

zalkurdi
Cisco Employee

Hello,

I agree with Karsten. It seems that ISAKMP negotiations are fine. Phase 1 is coming up just fine but Phase 2 is not.

Make sure that the crypto map settings on both sides match, meaning they both should have the same encryption and hashing methods. Also, the ACL must be exactly the same on the peer, only mirrored.

Also, make sure that the crypto map is enabled on the outside on both peers.
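As an added example (my code, not from any poster in this thread), here is a small Python triage of the debug output in the first post: it confirms that Phase 1 reached IKE_P1_COMPLETE and flags the NOTIFY PROPOSAL_NOT_CHOSEN for protocol 3 (ESP in the IKEv1 DOI numbering of RFC 2407) as a Phase 2 proposal rejection, which is the situation Zaid describes. The embedded log lines are copied from the thread; the function and constant names are my own.

```python
import re

# Debug excerpt as posted in the thread (the poster masked the addresses).
DEBUG_LOG = """\
Dec 20 02:39:26.762: ISAKMP:(2142):beginning Quick Mode exchange, M-ID of 3357871564
Dec 20 02:39:26.794: ISAKMP:(2142): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2561284360, message ID = 3875463636, sa = 0x87D0CFC8
Dec 20 02:39:26.794: ISAKMP:(2142):deleting node -937095732 error TRUE reason "Delete Larval"
Dec 20 02:39:26.794: ISAKMP:(2142):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
"""

# IKEv1 DOI protocol identifiers carried in a NOTIFY payload (RFC 2407, 4.4.1).
PROTO_NAMES = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}

NOTIFY_RE = re.compile(r"processing NOTIFY (\S+) protocol (\d+)")
STATE_RE = re.compile(r"New State = (\S+)")


def triage(log):
    """Return (phase1_complete, quick_mode_started, notifies) for a debug excerpt."""
    phase1_complete = False
    quick_mode = False
    notifies = []
    for line in log.splitlines():
        m = STATE_RE.search(line)
        if m and m.group(1) == "IKE_P1_COMPLETE":
            phase1_complete = True          # the ISAKMP SA exists
        if "beginning Quick Mode exchange" in line:
            quick_mode = True               # we tried to build the IPsec SA
        m = NOTIFY_RE.search(line)
        if m:
            notifies.append((m.group(1), int(m.group(2))))
    return phase1_complete, quick_mode, notifies


def diagnose(log):
    """Map the parsed facts to the phase that failed."""
    phase1_complete, quick_mode, notifies = triage(log)
    if not phase1_complete:
        return "phase1-incomplete"
    for name, proto in notifies:
        # A rejected AH/ESP proposal means the peer disliked our transform set
        # or proxy identities (crypto ACL), not the ISAKMP policy.
        if name == "PROPOSAL_NOT_CHOSEN" and proto in (2, 3):
            return "phase2-proposal-rejected:" + PROTO_NAMES[proto]
    return "phase2-pending" if quick_mode else "phase1-only"


if __name__ == "__main__":
    print(diagnose(DEBUG_LOG))  # phase2-proposal-rejected:ESP
```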

Thanks for looking into it, guys. I don't have control over the peer config, but I am guessing that it is correct, as we have other VPN connections running to the same one.

Now a question that Zaid's comment raises: "the crypto map is enabled on the outside on both peers".

Can I put multiple crypto maps on one interface? I have only one WAN IP, and it currently has a different crypto map.

See:

crypto map my-map 20 ipsec-isakmp
 set peer 202.x.x.x
 set transform-set vpnset
 match address 155
!
crypto map vpnmap 10 ipsec-isakmp
 set peer 202.x.x.x
 set transform-set vpnset
 match address 150

WAN interface:

interface Ethernet0.10
 encapsulation ......
 ip address 202.x.x.x 255.255.255.0
 ip access-group 101 in
 no ip proxy-arp
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly in
 crypto map vpnmap

Now, do I have to have crypto map my-map on the interface Ethernet0.10? If yes, then how do I assign two crypto maps to one single interface?

Thanks

What is this my-map for? It's not shown in your first post. And what is the content of your crypto ACLs (150 and 155)?

And for the crypto-ACL: Does your ACL mirror the content of the other side?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Karsten

Currently a VPN connection is already in place on the router, crypto map vpnmap, which is working without any problem. Now I have set up a new VPN connection for another site, which has no joy so far.

The access list contents are as follows:

Extended IP access list 155
 permit ip 10.0.0.0 0.0.0.255 10.1.1.32 0.0.0.31
 permit ip host 202.x.x.x host 202.x.x.x

Yes, the ACL is mirrored on the other side.

Hello,

As to your question, you can't have more than 1 crypto map on the interface.

However, you can use the same crypto map for multiple policies. You can change the my-map to vpnmap.
This way both are enabled on the same interface, with one having a higher priority than the other.

So if a packet is coming from the inside interface, the first crypto ACL will be checked and then the next and so on. The first match it finds is chosen for the IPsec negotiation.
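As an added illustration of the accepted answer (my code, not from the thread or from Cisco), this Python model walks a single crypto map the way IOS does: entries in ascending sequence order, the first crypto ACL that permits the flow selects the peer and transform set, and a flow that matches no entry is simply not protected by that map. ACL 155 and the sequence numbers are the ones posted; ACL 150's networks and the peer names are constructed placeholders since the thread masks them.

```python
import ipaddress


def wildcard_to_network(addr, wildcard):
    """Convert an IOS 'address wildcard' pair to a network (contiguous wildcards only)."""
    # ipaddress accepts a hostmask such as 0.0.0.255 in place of a netmask.
    return ipaddress.ip_network(f"{addr}/{wildcard}")


def acl_permits(acl, src, dst):
    """True if any 'permit ip <src> <dst>' line of a crypto ACL covers the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in acl)


# ACL 155 as posted: permit ip 10.0.0.0 0.0.0.255 10.1.1.32 0.0.0.31
ACL_155 = [(wildcard_to_network("10.0.0.0", "0.0.0.255"),
            wildcard_to_network("10.1.1.32", "0.0.0.31"))]
# ACL 150 was not shown in the thread; these networks are constructed.
ACL_150 = [(ipaddress.ip_network("192.168.50.0/24"),
            ipaddress.ip_network("192.168.60.0/24"))]

# Before: two separate crypto maps, but only vpnmap is applied to Ethernet0.10.
# Entries are (sequence, peer, transform set, crypto ACL); peers are placeholders.
VPNMAP = [(10, "peer-site-A", "vpnset", ACL_150)]
MY_MAP = [(20, "peer-site-B", "vpnset", ACL_155)]
# After (the accepted answer): my-map's entry becomes 'crypto map vpnmap 20'.
MERGED = VPNMAP + MY_MAP


def select_entry(crypto_map, src, dst):
    """Emulate IOS evaluation: lowest sequence whose crypto ACL permits the flow wins."""
    for seq, peer, transform_set, acl in sorted(crypto_map, key=lambda e: e[0]):
        if acl_permits(acl, src, dst):
            return seq, peer, transform_set
    return None  # no entry matched: this map will not negotiate IPsec for the flow


if __name__ == "__main__":
    flow = ("10.0.0.5", "10.1.1.40")          # a host covered by ACL 155
    print(select_entry(VPNMAP, *flow))        # None: my-map was never on the interface
    print(select_entry(MERGED, *flow))        # (20, 'peer-site-B', 'vpnset')
```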

Hi Zaid

I have configured it according to your suggestion; I will see if it's working now.

Thanks