03-26-2013 08:15 AM
I am having a strange problem. I am trying to establish a site-to-site VPN between two Cisco routers (2951s). I am using the below config on both routers. One router has an interface with a public IP assigned to it; the other uses a private IP and is NATed outbound by our ASA.
If I remove the tunnel protection ipsec profile command from the tunnel interface, the tunnel comes up no problem and I can ping both ends of the tunnel. But as soon as I apply the tunnel protection on the tunnel interface, it dies. Both sides of the tunnel show up, but no pings are allowed, and I see in the debugs that for some reason the routers don't think the pre-shared keys are configured properly. I have gone as far as making the ISAKMP keys very simple, and I know there is something I'm missing here.
On the ASA I'm allowing ESP (protocol 50) and ISAKMP (UDP 500) in both directions (in and out of the firewall). I am also allowing UDP NAT-T (4500) just in case. I don't see anything on the firewall being blocked, but I can't be certain that isn't causing the problem. What could I be missing here?
*****Router Config*****
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 1800
crypto isakmp key cisco123 address PUBLICIPHERE
!
crypto ipsec transform-set TRANSFORMSET_ASA_FFX esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile BACKUP_S2S
 description USED TO ENCRYPT TRAFFIC BETWEEN QCC AND FFX
 set transform-set TRANSFORMSET_ASA_FFX
!
interface tunnel 0
 ip address 10.254.10.10 255.255.255.0
 tunnel source gi0/0
 tunnel destination PUBLICIPHERE
 tunnel protection ipsec profile BACKUP_S2S
******DEBUG OUTPUT*****
Mar 26 11:04:02: ISAKMP:(0): SA request profile is (NULL)
Mar 26 11:04:02: ISAKMP: Created a peer struct for PUBLICIPHERE, peer port 500
Mar 26 11:04:02: ISAKMP: New peer created peer = 0x181758AC peer_handle = 0x80000036
Mar 26 11:04:02: ISAKMP: Locking peer struct 0x181758AC, refcount 1 for isakmp_initiator
Mar 26 11:04:02: ISAKMP: local port 500, remote port 500
Mar 26 11:04:02: ISAKMP: set new node 0 to QM_IDLE
Mar 26 11:04:02: ISAKMP:(0):insert sa successfully sa = 19616798
Mar 26 11:04:02: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Mar 26 11:04:02: ISAKMP:(0):No pre-shared key with PUBLICIPHERE!
Mar 26 11:04:02: %CRYPTO-6-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at PUBLICIPHERE is missing
Mar 26 11:04:02: ISAKMP:(0): No Cert or pre-shared address key.
Mar 26 11:04:02: ISAKMP:(0): construct_initial_message: Can not start Main mode
Mar 26 11:04:02: ISAKMP: Unlocking peer struct 0x181758AC for isadb_unlock_peer_delete_sa(), count 0
Mar 26 11:04:02: ISAKMP: Deleting peer node by peer_reap for PUBLICIPHERE: 181758AC
Mar 26 11:04:02: ISAKMP:(0):purging SA., sa=19616798, delme=19616798
Mar 26 11:04:02: ISAKMP:(0):purging node -2065852085
Mar 26 11:04:02: ISAKMP: Error while processing SA request: Failed to initialize SA
Mar 26 11:04:02: ISAKMP: Error while processing KMI message 0, error 2
03-26-2013 08:33 AM
Oh, and one more thing I forgot to mention: the tunnel interface on the side using a private IP address is also in a VRF. The source and destination of the tunnel are also in a VRF, so the tunnel vrf command is issued on the tunnel.
interface tunnel 0
 ip vrf forwarding COMCAST
 ip address 10.254.10.10 255.255.255.0
 tunnel source gi0/0
 tunnel destination PUBLICIPHERE
 tunnel vrf COMCAST
 tunnel protection ipsec profile BACKUP_S2S
So if I remove the tunnel vrf COMCAST command, I see the tunnel go into up-IDLE, but I can't ping anything on the other side. Is there any special crypto configuration needed for VRF?
03-26-2013 08:56 AM
So I added this command, which seems to have fixed the initial problem, but I still can't ping between the two sides.
crypto keyring COMCAST vrf COMCAST
 pre-shared-key address PUBLICIPHERE key cisco123
!
Mar 26 11:55:04: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.11.1.17:500, remote= PUBLICIPHERE:500,
local_proxy= 10.11.1.17/255.255.255.255/47/0 (type=1),
remote_proxy= PUBLICIPHERE/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Mar 26 11:55:04: ISAKMP: set new node 0 to QM_IDLE
Mar 26 11:55:04: SA has outstanding requests (local 25.89.90.68 port 4500, remote 25.89.90.40 port 4500)
Mar 26 11:55:04: ISAKMP:(9006): sitting IDLE. Starting QM immediately (QM_IDLE )
Mar 26 11:55:04: ISAKMP:(9006):beginning Quick Mode exchange, M-ID of -1654812753
Mar 26 11:55:04: ISAKMP:(9006):QM Initiator gets spi
Mar 26 11:55:04: crypto_engine: Generate IKE hash
Mar 26 11:55:04: crypto_engine: Encrypt IKE packet
Mar 26 11:55:04: ISAKMP:(9006): sending packet to PUBLICIPHERE my_port 4500 peer_port 4500 (I) QM_IDLE
Mar 26 11:55:04: ISAKMP:(9006):Sending an IKE IPv4 Packet.
Mar 26 11:55:04: ISAKMP:(9006):Node -1654812753, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Mar 26 11:55:04: ISAKMP:(9006):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Mar 26 11:55:04: ISAKMP (9006): received packet from PUBLICIPHERE dport 4500 sport 4500 COMCAST (I) QM_IDLE
Mar 26 11:55:04: ISAKMP: set new node 921804095 to QM_IDLE
Mar 26 11:55:04: crypto_engine: Decrypt IKE packet
Mar 26 11:55:04: crypto_engine: Generate IKE hash
Mar 26 11:55:04: ISAKMP:(9006): processing HASH payload. message ID = 921804095
Mar 26 11:55:04: ISAKMP:(9006): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 3017918981, message ID = 921804095, sa = 0x195958C0
Mar 26 11:55:04: ISAKMP:(9006): deleting spi 3017918981 message ID = -1654812753
Mar 26 11:55:04: ISAKMP:(9006):deleting node -1654812753 error TRUE reason "Delete Larval"
Mar 26 11:55:04: ISAKMP:(9006):deleting node 921804095 error FALSE reason "Informational (in) state 1"
Mar 26 11:55:04: ISAKMP:(9006):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Mar 26 11:55:04: ISAKMP:(9006):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
03-26-2013 01:01 PM
OK, so I actually figured it out myself, and it is up and working now. The first thing I was missing was the VRF-aware crypto key commands:
crypto keyring COMCAST vrf COMCAST
 pre-shared-key address PUBLICIPHERE key cisco123
The second thing I was missing was to enable mode transport on the transform-set:
crypto ipsec transform-set TRANSFORMSET_ASA_FFX esp-3des esp-sha-hmac
 mode transport
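As an added example (not code from the thread or from Cisco), here is a small Python checker that parses a config in the shape posted above and reports the same two gaps the thread ended up fixing: a tunnel with tunnel vrf but no keyring bound to that VRF holding a key for the tunnel destination, and a transform-set left in the default tunnel mode. The peer address 203.0.113.10 stands in for PUBLICIPHERE, both sample configs are constructed, and the section/sub-command tables and the parse_config and check helpers are my own, not an IOS API.

```python
# Added example, not from the thread or from Cisco: parses an IOS config in the
# shape posted above and flags the two gaps the thread fixed.
# 203.0.113.10 stands in for PUBLICIPHERE; both sample configs are constructed.
import re

# Constructed: the posted config once 'tunnel vrf' was added, before either fix.
BROKEN_CONFIG = """\
crypto isakmp key cisco123 address 203.0.113.10
!
crypto ipsec transform-set TRANSFORMSET_ASA_FFX esp-3des esp-sha-hmac
!
crypto ipsec profile BACKUP_S2S
 set transform-set TRANSFORMSET_ASA_FFX
!
interface Tunnel0
 ip vrf forwarding COMCAST
 ip address 10.254.10.10 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel vrf COMCAST
 tunnel protection ipsec profile BACKUP_S2S
!
"""
# The same config with the thread's two fixes applied.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "esp-sha-hmac\n", "esp-sha-hmac\n mode transport\n"
).replace(
    "!\ncrypto ipsec profile",
    "!\ncrypto keyring COMCAST vrf COMCAST\n"
    " pre-shared-key address 203.0.113.10 key cisco123\n!\ncrypto ipsec profile",
)

# Sections and sub-commands are recognised by keyword, so a pasted config that
# lost its indentation (like the one in the thread) still parses.
SECTION_STARTS = (
    ("keyrings", r"crypto keyring (\S+)(?: vrf (\S+))?$"),
    ("transform_sets", r"crypto ipsec transform-set (\S+)"),
    ("profiles", r"crypto ipsec profile (\S+)"),
    ("tunnels", r"interface (.+)"),
)
SUBCOMMANDS = (
    ("keys", r"pre-shared-key address (\S+) key (\S+)"),
    ("mode", r"mode (\S+)"),
    ("transform_set", r"set transform-set (\S+)"),
    ("vrf", r"tunnel vrf (\S+)"),  # front-door VRF, where the IKE/ESP packets live
    ("destination", r"tunnel destination (\S+)"),
    ("profile", r"tunnel protection ipsec profile (\S+)"),
)

def _entry(vrf=None):
    # One record shape for every section; 'mode' defaults to tunnel, as IOS does.
    return {"vrf": vrf, "keys": {}, "mode": "tunnel", "transform_set": None,
            "destination": None, "profile": None}

def parse_config(text):
    cfg = {"isakmp_keys": {}, "keyrings": {}, "transform_sets": {}, "profiles": {}, "tunnels": {}}
    entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            cfg["isakmp_keys"][m.group(2)] = m.group(1)  # key in the global VRF
            entry = None
            continue
        for kind, pat in SECTION_STARTS:
            if m := re.match(pat, line):
                name = m.group(1).replace(" ", "")  # 'interface tunnel 0' -> 'tunnel0'
                entry = cfg[kind][name] = _entry(m.group(2) if len(m.groups()) == 2 else None)
                break
        else:
            if not line or line == "!" or line.startswith(("crypto ", "interface ")):
                entry = None  # blank, '!' or an unparsed top-level command ends the section
            elif entry is not None:
                for field, pat in SUBCOMMANDS:
                    if m := re.match(pat, line):
                        if len(m.groups()) == 2:
                            entry[field][m.group(1)] = m.group(2)
                        else:
                            entry[field] = m.group(1)
                        break
    return cfg

def check(cfg):
    """One finding per gap on each IPsec-protected tunnel: PSK lookup and transform-set mode."""
    findings = []
    for name, t in cfg["tunnels"].items():
        if not t["profile"]:
            continue  # plain GRE, no IPsec to check
        dest = t["destination"]
        if t["vrf"]:
            # With 'tunnel vrf', IKE takes the PSK from a keyring bound to that VRF, not
            # from the global 'crypto isakmp key' (the thread's first fix).
            rings = [r for r in cfg["keyrings"].values() if r["vrf"] == t["vrf"]]
            if not any(dest in r["keys"] for r in rings):
                findings.append(f"{name}: no 'crypto keyring ... vrf {t['vrf']}' holds a key for {dest}")
        prof = cfg["profiles"].get(t["profile"], _entry())
        ts = cfg["transform_sets"].get(prof["transform_set"])
        mode = ts["mode"] if ts else "undefined"
        if mode != "transport":
            # The thread's second fix: traffic passed only once the transform-set used 'mode transport'.
            findings.append(f"{name}: transform-set {prof['transform_set']} is in {mode} mode, not transport")
    return findings
```

Running check(parse_config(BROKEN_CONFIG)) returns the two findings in the order the thread hit them (missing VRF keyring first, then the mode), and the same call on FIXED_CONFIG returns an empty list. The parser only looks at the lines relevant to these two checks; anything else in a real running-config is skipped.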