
Point to Point IPSEC, NAT-T, and PSK failing phase 2

David Williams
Level 1

I've looked and looked for the scenario I'm working with and haven't found much of anything.  Perhaps that's a hint to not do this but I thought I'd throw it out there.

Phase 1 comes up fine but phase 2 always fails with "phase 2 SA policy not acceptable!" I've tried every debug and show command I could think of. I've done a stare and compare on the configs, tore it all down and rebuilt it. I always get the same result. The one thing that caught my eye was in the show crypto isakmp peers on the 7613: Phase 1 id was the real IP address of the remote peer. Now in the world of NAT-T I'm not sure what that means. It seems like it could make sense that that info is exchanged during phase 1. It did make me think, though, that perhaps I need to be referencing that IP address somewhere in my 7613 config. Aggressive mode is disabled on both ends in case that matters.

Anyone?  I'm stumped....

Peer: 5.5.5.5 Port: 4500 Local: 4.4.4.4 fvrf: testfvrf
Phase1 id: 10.250.250.9

Cisco 881

interface Loopback15
 ip address 172.18.10.109 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
interface FastEthernet4
 description Outside interface
 ip address 10.250.250.9 255.255.255.252
 ip access-group IP-ACCESS-IN in
 no ip redirects
 no ip proxy-arp
 ip mtu 1400
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map IPSEC-test
ip access-list extended IPSEC-test
 permit ip 192.168.4.0 0.0.0.255 any
 permit ip host 172.18.10.109 any
crypto keyring IPSEC-test
  pre-shared-key address 4.4.4.4 key pass123
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp aggressive-mode disable
crypto isakmp profile IPSEC-test
   keyring IPSEC-test
   match identity address 4.4.4.4 255.255.255.255
!
!
crypto ipsec transform-set TUNNEL-ESP-AES256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set TRANSPORT-ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode transport
!
crypto map IPSEC-test 10 ipsec-isakmp
 set peer 4.4.4.4
 set transform-set TUNNEL-ESP-AES256-SHA
 set pfs group2
 set isakmp-profile IPSEC-test
 match address IPSEC-test
!

Cisco 7613

crypto keyring IPSEC-test vrf testfvrf
  pre-shared-key address 5.5.5.5 key pass123
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp profile IPSEC-test
   vrf test
   keyring IPSEC-test
   match identity address 5.5.5.5 255.255.255.255 IPSEC
crypto ipsec transform-set TUNNEL-ESP-AES256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set TRANSPORT-ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode transport
crypto map IPSEC-test local-address Loopback0
crypto map IPSEC-test
 set peer 5.5.5.5
 set transform-set TUNNEL-ESP-AES256-SHA
 set pfs group2
 set isakmp-profile IPSEC-test
 match address IPSEC-test
ip access-list extended IPSEC-test
 permit ip 192.168.4.0 0.0.0.255 any
 permit ip host 172.18.10.109 any
ip access-list extended IPSEC-test
 permit ip any 192.168.4.0 0.0.0.255
 permit ip any host 172.18.10.109
interface Vlan671
 description IPSEC-test
 ip vrf forwarding test
 ip address 10.254.1.254 255.255.255.0
 crypto map IPSEC-test
crypto engine slot 4/0 inside
end


4 Replies

connect2world
Level 1

Hi

Did you include entries allowing all the IPsec ports in your access-list IP-ACCESS-IN? Similar to the below:

10 permit udp host source_peer_ip host destination_peer_ip eq isakmp
20 permit udp host source_peer_ip host destination_peer_ip eq non500-isakmp
30 permit ahp host source_peer_ip host destination_peer_ip
40 permit esp host source_peer_ip host destination_peer_ip
50 permit pcp host source_peer_ip host destination_peer_ip

Hello,

Yes, I am actually permitting IP from the tunnel peer. I see Phase 1 start negotiation on UDP 500 and then move to UDP 4500, as I would expect with NAT-T, but Phase 2 keeps getting rejected from the IPSEC module end.

Hi David,

Is "crypto map IPSEC-test local-address" command there on 881?

-Atul

David Williams
Level 1

I ended up opening a TAC case to get some config help.  It turns out we had to modify the isakmp profile to reflect the real private IP address of the 881 prior to NAT.  I did not know this until now.  Thank you all for your help!  I guess I have more reading to do on IPSEC.  Weeeee!!
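The mismatch this thread resolved can be caught with a small config check: compare the Phase1 id reported by show crypto isakmp peers against the match identity address lines of each ISAKMP profile. The script below is an added example, not code from the original post or from Cisco; the show output and the profile excerpts are constructed from the values quoted above, and the ISAKMP profile names and layout it parses are assumed to follow the IOS format shown in the thread.

```python
import ipaddress
import re

# Constructed sample in the shape of the `show crypto isakmp peers` output quoted in the thread.
SHOW_PEERS = """\
Peer: 5.5.5.5 Port: 4500 Local: 4.4.4.4 fvrf: testfvrf
Phase1 id: 10.250.250.9
"""
# Constructed excerpt of the 7613 ISAKMP profile before the fix: it matches the NAT'd public address.
CONFIG_BEFORE = """\
crypto isakmp profile IPSEC-test
   vrf test
   keyring IPSEC-test
   match identity address 5.5.5.5 255.255.255.255
"""
# After the fix it matches the 881's real pre-NAT outside address, as the TAC resolution describes.
CONFIG_AFTER = CONFIG_BEFORE.replace("5.5.5.5 255.255.255.255", "10.250.250.9 255.255.255.255")

PEER_RE = re.compile(r"Peer:\s*(\S+)\s+Port:\s*(\d+).*?Phase1 id:\s*(\S+)", re.S)

def parse_peers(text):
    """Return (peer_ip, port, phase1_id) tuples from `show crypto isakmp peers` text."""
    return [(ip, int(port), pid) for ip, port, pid in PEER_RE.findall(text)]

def parse_profile_matches(config):
    """Map each ISAKMP profile name to the networks its 'match identity address' lines cover."""
    profiles, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp profile (\S+)", line)
        if m:
            current = m.group(1)
            profiles[current] = []
            continue
        m = re.match(r"\s+match identity address (\S+) (\S+)", line)
        if m and current:
            profiles[current].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return profiles

def check_identity_match(show_peers, config):
    """For each peer, list the profiles whose identity match covers its Phase1 id. Behind NAT-T
    (port 4500) that id is the peer's pre-NAT address, so a profile keyed only on the public
    peer address selects nothing, which is the failure this thread resolved."""
    profiles = parse_profile_matches(config)
    results = []
    for peer_ip, port, phase1_id in parse_peers(show_peers):
        ident = ipaddress.ip_address(phase1_id)
        matched = [name for name, nets in profiles.items() if any(ident in net for net in nets)]
        results.append({"peer": peer_ip, "nat_t": port == 4500, "phase1_id": phase1_id, "profiles": matched})
    return results
```

Running check_identity_match against CONFIG_BEFORE returns no matching profile for the NAT-T peer, while CONFIG_AFTER returns IPSEC-test.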