ASK THE EXPERTS - IP SECURITY VPN

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on IP Security VPN  with Cisco experts Syed Ziaullah and Sundar Srinivasaraghavan.  Syed is a customer support engineer at Cisco's Technical Assistance Center in the VPN and security domain, where he has worked for more than four years. He helps a variety of Cisco customers in configuring new network setups as well as troubleshooting their existing network issues related to security. Syed holds CCIE certification (CCIE # 19264) in Security.  Sundar is a customer support engineer at Cisco in the High Touch Technical Support (HTTS) Security team, providing configuration and troubleshooting assistance to customers through service requests. He has been with Cisco for more than 10 years and has extensive experience in installation, configuration, and troubleshooting of IPsec VPNs. He holds CCIE certification (CCIE # 6415) in both Routing & Switching and Security.

 

Remember to use the rating system to let Syed and Sundar know if you have received an adequate response.

 

Syed and Sundar might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 2, 2010. Visit this forum often to view responses to your questions and the questions of other community members.

83 Replies

Hi,

Thank you for the opportunity, I have two general questions...

1. Is there any plan for the ASA to support GRE? (if not, what are the reasons?)
2. I know that GETVPN can be implemented over a WAN, but can it be implemented over the Internet? (if so, what are the cons?)

Thank you :-)

Federico.

Hi Federico,

GRE termination is not supported on the ASA yet, but it's on the roadmap for the ASA.

The GETVPN technology preserves the IP address; therefore, if your internal network uses private IPs, it's not routable. However, if you make every IP routable, it will be a security concern, as your internal IPs will be visible to the outside world.

Hope this answers your question.

thanks

-Syed / Sundar

Paul Greenberg
Level 1

Hi Syed,

I was trying to understand topic of EasyVPN and RADIUS.

Here is the problem.

Will appreciate your insight.

Thank you,

Paul

EasyVPN and RADIUS authentication and Authorization question:

R6 is an EzVPN server.

R4 is an EzVPN client.

When I use local authentication and authorization, everything is working perfectly.

Unfortunately, when I enable RADIUS authentication and authorization, it fails.

R6#

conf t
aaa new-model
aaa authentication login TACAUTH group radius
aaa authorization network TACAUTH group radius

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
exit

crypto ipsec transform-set TS1 esp-3des esp-sha-hmac
exit

ip local pool VPN_POOL1 44.44.100.1 44.44.100.100

access-list 150 permit ip 66.66.66.66 0.0.0.0 any


! R2 Client Mode VPN
crypto isakmp client configuration group VPN_GROUP2
acl 150
key cisco123
pool VPN_POOL1
save-password
exit


! ISAKMP Profile for R2 Client Mode VPN
crypto isakmp profile ISAKMP_PROF2
match identity group VPN_GROUP2
client authentication list TACAUTH
isakmp authorization list TACAUTH
client configuration address respond
virtual-template 3
exit

crypto ipsec profile IPSEC_PROF1
set transform-set TS1
exit

! Use this Template for R2 Client Mode VPN
interface Virtual-Template3 type tunnel
ip unnumbered FastEthernet0/0
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROF1
exit

end

wr mem

R4#

interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
exit

crypto ipsec client ezvpn CLIENT
connect auto
group VPN_GROUP2 key cisco123
mode client
peer 44.44.2.6
virtual-interface 1
username vpnuser2 password cisco123
xauth userid mode local
exit

interface Loopback4
crypto ipsec client ezvpn CLIENT inside
exit       
interface Loopback44
crypto ipsec client ezvpn CLIENT inside
exit
interface FastEthernet0/0
description Internet Connection
crypto ipsec client ezvpn CLIENT
exit
end
wr mem

On Cisco ACS I configured 2 users:

1) VPN_GROUP2 password cisco

ipsec:tunnel-type=ESP
ipsec:key-exchange=ike
ipsec:tunnel-password=cisco123
ipsec:addr-pool=VPN_POOL1
ipsec:inacl=150
ipsec:save-password=1

[6] Service-Type: Outbound

[064] Tunnel-Type: IP ESP

[069] Tunnel-Password: cisco123

2) vpnuser2 password cisco123

ipsec:user-vpn-group=VPN_GROUP2
ipsec:user-save-password=1

Scenario 1:

aaa authentication login TACAUTH group radius
aaa authorization network TACAUTH local

username vpnser2 password cisco

*Feb 19 21:48:27.779: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=vpnuser2  Group=VPN_GROUP2  Server_public_addr=44.44.2.6 
*Feb 19 21:48:30.059: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=vpnuser2  Group=VPN_GROUP2  Server_public_addr=44.44.2.6  Assigned_client_addr=44.44.100.3 
*Feb 19 21:48:30.067: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Feb 19 21:48:31.951: %LINK-3-UPDOWN: Interface Loopback10000, changed state to up
*Feb 19 21:48:32.951: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10000, changed state to up
*Feb 19 21:48:36.243: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up

ACS Passed authentication log:

06/21/201021:31:41Authen OKvpnuser2Default Group44.44.4.4044.44.2.6(Default)................R6..
06/21/201021:06:19Authen OKvpnuser2Default Group44.44.4.4144.44.2.6(Default)................R6..

Scenario 2:

aaa authentication login TACAUTH group radius
aaa authorization network TACAUTH group radius
no username vpnser2 password cisco

Debug:

R6#
*Jun 22 01:34:13.199: ISAKMP (1003): received packet from 44.44.4.4 dport 500 sport 500 Global (R) QM_IDLE     
*Jun 22 01:34:13.199: ISAKMP: set new node -351141363 to QM_IDLE     
*Jun 22 01:34:13.203: ISAKMP:(1003): processing HASH payload. message ID = -351141363
*Jun 22 01:34:13.203: ISAKMP:received payload type 18
*Jun 22 01:34:13.203: ISAKMP:(1003):Processing delete with reason payload
*Jun 22 01:34:13.203: ISAKMP:(1003):delete doi = 1
*Jun 22 01:34:13.203: ISAKMP:(1003):delete protocol id = 1
*Jun 22 01:34:13.203: ISAKMP:(1003):delete spi_size =  16
*Jun 22 01:34:13.203: ISAKMP:(1003):delete num spis = 1
*Jun 22 01:34:13.203: ISAKMP:(1003):delete_reason = 8
*Jun 22 01:34:13.203: ISAKMP:(1003): processing DELETE_WITH_REASON payload, message ID = -351141363, reason: Unknown delete reason!
*Jun 22 01:34:13.203: ISAKMP:(1003):peer does not do paranoid keepalives.

*Jun 22 01:34:13.203: ISAKMP:(1003):peer does not do paranoid keepalives.

*Jun 22 01:34:13.203: ISAKMP:(1003):deleting SA reason "Death by tree-walk" state (R) QM_IDLE       (peer 44.44.4.4)
*Jun 22 01:34:13.203: ISAKMP:(1003):deleting node -351141363 error FALSE reason "Informational (in) state 1"
*Jun 22 01:34:13.203: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun 22 01:34:13.203: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Jun 22 01:34:13.203: IPSEC(key_engine_delete_sas): delete all SAs shared with peer 44.44.4.4
*Jun 22 01:34:13.203: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 44.44.2.6, sa_proto= 50,
    sa_spi= 0xFAC29DF0(4207058416),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2005
    sa_lifetime(k/sec)= (4378165/3600),
  (identity) local= 44.44.2.6, remote= 44.44.4.4,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Jun 22 01:34:13.207: IPSEC(update_current_outbound_sa): updated peer 44.44.4.4 current outbound sa to SPI 0
*Jun 22 01:34:13.207: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 44.44.4.4, sa_proto= 50,
    sa_spi= 0xCE0E33BF(3457037247),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2006
    sa_lifetime(k/sec)= (4378165/3600),
  (identity) local= 44.44.2.6, remote= 44.44.4.4,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Jun 22 01:34:13.207: IPSEC(rte_mgr): VPN Route Event rekey so decrement refcount for peer 44.44.4.4
*Jun 22 01:34:13.207: ISAKMP: set new node 1766126451 to QM_IDLE     
*Jun 22 01:34:13.211: ISAKMP:(1003): sending packet to 44.44.4.4 my_port 500 peer_port 500 (R) QM_IDLE     
*Jun 22 01:34:13.211: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*Jun 22 01:34:13.211: ISAKMP:(1003):purging node 1766126451
*Jun 22 01:34:13.211: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jun 22 01:34:13.211: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Jun 22 01:34:13.211: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
*Jun 22 01:34:13.219: IPSEC(rte_mgr): VPN Route Event Deleting dynamic maps for peer 44.44.4.4
*Jun 22 01:34:13.219: IPSEC(rte_mgr): VPN Route Event Delete ident remove routes from static map for peer 44.44.4.4
*Jun 22 01:34:13.223: ISAKMP:(1003):deleting SA reason "Death by tree-walk" state (R) QM_IDLE       (peer 44.44.4.4)
*Jun 22 01:34:13.223: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
*Jun 22 01:34:13.223: ISAKMP (1003): returning address 44.44.100.3 to pool
*Jun 22 01:34:13.223: ISAKMP: Unlocking peer struct 0x4930F5D4 for isadb_mark_sa_deleted(), count 0
*Jun 22 01:34:13.223: ISAKMP: returning address 44.44.100.3 to pool
*Jun 22 01:34:13.223: ISAKMP: Deleting peer node by peer_reap for 44.44.4.4: 4930F5D4
*Jun 22 01:34:13.223: ISAKMP: returning address 44.44.100.3 to pool
*Jun 22 01:34:13.223: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 22 01:34:13.223: ISAKMP:(1003):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Jun 22 01:34:13.227: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun 22 01:34:15.099: ISAKMP (0): received packet from 44.44.4.4 dport 500 sport 500 Global (N) NEW SA
*Jun 22 01:34:15.099: ISAKMP: Created a peer struct for 44.44.4.4, peer port 500
*Jun 22 01:34:15.099: ISAKMP: New peer created peer = 0x4930F5D4 peer_handle = 0x80000035
*Jun 22 01:34:15.099: ISAKMP: Locking peer struct 0x4930F5D4, refcount 1 for crypto_isakmp_process_block
*Jun 22 01:34:15.099: ISAKMP: local port 500, remote port 500
*Jun 22 01:34:15.099: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 49D71674
*Jun 22 01:34:15.099: ISAKMP:(0): processing SA payload. message ID = 0
*Jun 22 01:34:15.099: ISAKMP:(0): processing ID payload. message ID = 0
*Jun 22 01:34:15.099: ISAKMP (0): ID payload
        next-payload : 13
        type         : 11
        group id     : VPN_GROUP2
        protocol     : 17
        port         : 0
        length       : 18
*Jun 22 01:34:15.099: ISAKMP:(0):: peer matches ISAKMP_PROF2 profile
*Jun 22 01:34:15.099: ISAKMP:(0):Setting client config settings 49BC8A44
*Jun 22 01:34:15.103: ISAKMP:(0):(Re)Setting client xauth list  and state
*Jun 22 01:34:15.103: ISAKMP/xauth: initializing AAA request
*Jun 22 01:34:15.103: ISAKMP:(0): processing vendor id payload
*Jun 22 01:34:15.103: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 22 01:34:15.103: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jun 22 01:34:15.103: ISAKMP:(0): processing vendor id payload
*Jun 22 01:34:15.103: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jun 22 01:34:15.103: ISAKMP (0): vendor ID is NAT-T v7
*Jun 22 01:34:15.103: ISAKMP:(0): processing vendor id payload
*Jun 22 01:34:15.103: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jun 22 01:34:15.103: ISAKMP:(0): vendor ID is NAT-T v3
*Jun 22 01:34:15.103: ISAKMP:(0): processing vendor id payload
*Jun 22 01:34:15.103: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jun 22 01:34:15.103: ISAKMP:(0): vendor ID is NAT-T v2
*Jun 22 01:34:15.103: ISAKMP:(0): Authentication by xauth preshared
*Jun 22 01:34:15.103: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jun 22 01:34:15.103: ISAKMP:      encryption AES-CBC
*Jun 22 01:34:15.103: ISAKMP:      keylength of 128
*Jun 22 01:34:15.103: ISAKMP:      hash SHA
*Jun 22 01:34:15.103: ISAKMP:      default group 2
*Jun 22 01:34:15.103: ISAKMP:      auth XAUTHInitPreShared
*Jun 22 01:34:15.103: ISAKMP:      life type in seconds
*Jun 22 01:34:15.103: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.103: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 22 01:34:15.103: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.103: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Jun 22 01:34:15.103: ISAKMP:      encryption AES-CBC
*Jun 22 01:34:15.103: ISAKMP:      keylength of 128
*Jun 22 01:34:15.103: ISAKMP:      hash MD5
*Jun 22 01:34:15.103: ISAKMP:      default group 2
*Jun 22 01:34:15.103: ISAKMP:      auth XAUTHInitPreShared
*Jun 22 01:34:15.103: ISAKMP:      life type in seconds
*Jun 22 01:34:15.103: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.107: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 22 01:34:15.107: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.107: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Jun 22 01:34:15.107: ISAKMP:      encryption AES-CBC
*Jun 22 01:34:15.107: ISAKMP:      keylength of 192
*Jun 22 01:34:15.107: ISAKMP:      hash SHA
*Jun 22 01:34:15.107: ISAKMP:      default group 2
*Jun 22 01:34:15.107: ISAKMP:      auth XAUTHInitPreShared
*Jun 22 01:34:15.107: ISAKMP:      life type in seconds
*Jun 22 01:34:15.107: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.107: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 22 01:34:15.107: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.107: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Jun 22 01:34:15.107: ISAKMP:      encryption AES-CBC
*Jun 22 01:34:15.107: ISAKMP:      keylength of 192
*Jun 22 01:34:15.107: ISAKMP:      hash MD5
*Jun 22 01:34:15.107: ISAKMP:      default group 2
*Jun 22 01:34:15.107: ISAKMP:      auth XAUTHInitPreShared
*Jun 22 01:34:15.107: ISAKMP:      life type in seconds
*Jun 22 01:34:15.107: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.107: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 22 01:34:15.107: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.107: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Jun 22 01:34:15.107: ISAKMP:      encryption AES-CBC
*Jun 22 01:34:15.107: ISAKMP:      keylength of 256
*Jun 22 01:34:15.107: ISAKMP:      hash SHA
*Jun 22 01:34:15.107: ISAKMP:      default group 2
*Jun 22 01:34:15.107: ISAKMP:      auth XAUTHInitPreShared
*Jun 22 01:34:15.107: ISAKMP:      life type in seconds
*Jun 22 01:34:15.107: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.107: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 22 01:34:15.107: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.107: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
*Jun 22 01:34:15.107: ISAKMP:      encryption AES-CBC
*Jun 22 01:34:15.107: ISAKMP:      keylength of 256
*Jun 22 01:34:15.107: ISAKMP:      hash MD5
*Jun 22 01:34:15.107: ISAKMP:      default group 2
*Jun 22 01:34:15.107: ISAKMP:      auth XAUTHInitPreShared
*Jun 22 01:34:15.107: ISAKMP:      life type in seconds
*Jun 22 01:34:15.107: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.107: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 22 01:34:15.107: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.107: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
*Jun 22 01:34:15.107: ISAKMP:      encryption AES-CBC
*Jun 22 01:34:15.107: ISAKMP:      keylength of 128
*Jun 22 01:34:15.107: ISAKMP:      hash SHA
*Jun 22 01:34:15.107: ISAKMP:      default group 2
*Jun 22 01:34:15.107: ISAKMP:      auth pre-share
*Jun 22 01:34:15.107: ISAKMP:      life type in seconds
*Jun 22 01:34:15.107: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.107: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 22 01:34:15.107: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.107: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
*Jun 22 01:34:15.107: ISAKMP:      encryption AES-CBC
*Jun 22 01:34:15.107: ISAKMP:      keylength of 128
*Jun 22 01:34:15.111: ISAKMP:      hash MD5
*Jun 22 01:34:15.111: ISAKMP:      default group 2
*Jun 22 01:34:15.111: ISAKMP:      auth pre-share
*Jun 22 01:34:15.111: ISAKMP:      life type in seconds
*Jun 22 01:34:15.111: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.111: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 22 01:34:15.111: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.111: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
*Jun 22 01:34:15.111: ISAKMP:      encryption AES-CBC
*Jun 22 01:34:15.111: ISAKMP:      keylength of 192
*Jun 22 01:34:15.111: ISAKMP:      hash SHA
*Jun 22 01:34:15.111: ISAKMP:      default group 2
*Jun 22 01:34:15.111: ISAKMP:      auth pre-share
*Jun 22 01:34:15.111: ISAKMP:      life type in seconds
*Jun 22 01:34:15.111: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.111: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 22 01:34:15.111: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.111: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy
*Jun 22 01:34:15.111: ISAKMP:      encryption AES-CBC
*Jun 22 01:34:15.111: ISAKMP:      keylength of 192
*Jun 22 01:34:15.111: ISAKMP:      hash MD5
*Jun 22 01:34:15.111: ISAKMP:      default group 2
*Jun 22 01:34:15.111: ISAKMP:      auth pre-share
*Jun 22 01:34:15.111: ISAKMP:      life type in seconds
*Jun 22 01:34:15.111: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.111: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 22 01:34:15.111: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.111: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
*Jun 22 01:34:15.111: ISAKMP:      encryption AES-CBC
*Jun 22 01:34:15.111: ISAKMP:      keylength of 256
*Jun 22 01:34:15.111: ISAKMP:      hash SHA
*Jun 22 01:34:15.111: ISAKMP:      default group 2
*Jun 22 01:34:15.111: ISAKMP:      auth pre-share
*Jun 22 01:34:15.111: ISAKMP:      life type in seconds
*Jun 22 01:34:15.111: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.111: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 22 01:34:15.111: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.111: ISAKMP:(0):Checking ISAKMP transform 12 against priority 1 policy
*Jun 22 01:34:15.111: ISAKMP:      encryption AES-CBC
*Jun 22 01:34:15.111: ISAKMP:      keylength of 256
*Jun 22 01:34:15.111: ISAKMP:      hash MD5
*Jun 22 01:34:15.111: ISAKMP:      default group 2
*Jun 22 01:34:15.111: ISAKMP:      auth pre-share
*Jun 22 01:34:15.111: ISAKMP:      life type in seconds
*Jun 22 01:34:15.111: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.111: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 22 01:34:15.111: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.111: ISAKMP:(0):Checking ISAKMP transform 13 against priority 1 policy
*Jun 22 01:34:15.111: ISAKMP:      encryption 3DES-CBC
*Jun 22 01:34:15.111: ISAKMP:      hash SHA
*Jun 22 01:34:15.111: ISAKMP:      default group 2
*Jun 22 01:34:15.111: ISAKMP:      auth XAUTHInitPreShared
*Jun 22 01:34:15.111: ISAKMP:      life type in seconds
*Jun 22 01:34:15.111: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.111: ISAKMP:(0):Hash algorithm offered does not match policy!
*Jun 22 01:34:15.111: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.111: ISAKMP:(0):Checking ISAKMP transform 14 against priority 1 policy
*Jun 22 01:34:15.111: ISAKMP:      encryption 3DES-CBC
*Jun 22 01:34:15.111: ISAKMP:      hash MD5
*Jun 22 01:34:15.111: ISAKMP:      default group 2
*Jun 22 01:34:15.111: ISAKMP:      auth XAUTHInitPreShared
*Jun 22 01:34:15.111: ISAKMP:      life type in seconds
*Jun 22 01:34:15.111: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.111: ISAKMP:(0):atts are acceptable. Next payload is 3
*Jun 22 01:34:15.115: ISAKMP:(0):Acceptable atts:actual life: 86400
*Jun 22 01:34:15.115: ISAKMP:(0):Acceptable atts:life: 0
*Jun 22 01:34:15.115: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jun 22 01:34:15.115: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
*Jun 22 01:34:15.115: ISAKMP:(0):Returning Actual lifetime: 86400
*Jun 22 01:34:15.115: ISAKMP:(0)::Started lifetime timer: 86400.

*Jun 22 01:34:15.115: ISAKMP:(0): processing vendor id payload
*Jun 22 01:34:15.115: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 22 01:34:15.115: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jun 22 01:34:15.115: ISAKMP:(0): processing vendor id payload
*Jun 22 01:34:15.115: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jun 22 01:34:15.115: ISAKMP (0): vendor ID is NAT-T v7
*Jun 22 01:34:15.115: ISAKMP:(0): processing vendor id payload
*Jun 22 01:34:15.115: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jun 22 01:34:15.115: ISAKMP:(0): vendor ID is NAT-T v3
*Jun 22 01:34:15.115: ISAKMP:(0): processing vendor id payload
*Jun 22 01:34:15.115: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jun 22 01:34:15.115: ISAKMP:(0): vendor ID is NAT-T v2
*Jun 22 01:34:15.115: ISAKMP:(0): processing KE payload. message ID = 0
*Jun 22 01:34:15.163: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jun 22 01:34:15.163: ISAKMP:(0): processing vendor id payload
*Jun 22 01:34:15.163: ISAKMP:(0): vendor ID is DPD
*Jun 22 01:34:15.163: ISAKMP:(0): processing vendor id payload
*Jun 22 01:34:15.163: ISAKMP:(0): vendor ID seems Unity/DPD but major 204 mismatch
*Jun 22 01:34:15.163: ISAKMP:(0): vendor ID is XAUTH
*Jun 22 01:34:15.163: ISAKMP:(0): processing vendor id payload
*Jun 22 01:34:15.163: ISAKMP:(0): claimed IOS but failed authentication
*Jun 22 01:34:15.163: ISAKMP:(0): processing vendor id payload
*Jun 22 01:34:15.163: ISAKMP:(0): vendor ID is Unity
*Jun 22 01:34:15.163: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Jun 22 01:34:15.163: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

*Jun 22 01:34:15.167: RADIUS/ENCODE(00000039):Orig. component type = VPN_IPSEC
*Jun 22 01:34:15.167: RADIUS:  AAA Unsupported Attr: interface         [175] 9  
*Jun 22 01:34:15.167: RADIUS:   34 34 2E 34 34 2E 32                             [44.44.2]
*Jun 22 01:34:15.167: RADIUS(00000039): Config NAS IP: 0.0.0.0
*Jun 22 01:34:15.167: RADIUS/ENCODE(00000039): acct_session_id: 57
*Jun 22 01:34:15.167: RADIUS(00000039): sending
*Jun 22 01:34:15.167: RADIUS/ENCODE: Best Local IP-Address 44.44.2.6 for Radius-Server 44.44.2.100
*Jun 22 01:34:15.167: RADIUS(00000039): Send Access-Request to 44.44.2.100:1645 id 1645/52, len 96
*Jun 22 01:34:15.167: RADIUS:  authenticator BA 5B AF 6B 3C 98 69 7C - 3E 66 3F 32 EE D5 1D DE
*Jun 22 01:34:15.167: RADIUS:  User-Name           [1]   12  "VPN_GROUP2"
*Jun 22 01:34:15.167: RADIUS:  User-Password       [2]   18  *
*Jun 22 01:34:15.167: RADIUS:  Calling-Station-Id  [31]  11  "44.44.4.4"
*Jun 22 01:34:15.167: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Jun 22 01:34:15.167: RADIUS:  NAS-Port            [5]   6   1                        
*Jun 22 01:34:15.167: RADIUS:  NAS-Port-Id         [87]  11  "44.44.2.6"
*Jun 22 01:34:15.171: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*Jun 22 01:34:15.171: RADIUS:  NAS-IP-Address      [4]   6   44.44.2.6                
*Jun 22 01:34:15.175: RADIUS: Received from id 1645/52 44.44.2.100:1645, Access-Reject, len 32
*Jun 22 01:34:15.175: RADIUS:  authenticator 72 D6 E8 BA D4 D7 C7 3C - 37 10 37 DE 10 D8 C4 94
*Jun 22 01:34:15.175: RADIUS:  Reply-Message       [18]  12 
*Jun 22 01:34:15.175: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D                    [Rejected??]
*Jun 22 01:34:15.175: RADIUS(00000039): Received from id 1645/52
*Jun 22 01:34:15.179: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes
*Jun 22 01:34:15.179: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jun 22 01:34:15.179: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
*Jun 22 01:34:15.179: ISAKMP (0): ID payload
        next-payload : 10
        type         : 1
        address      : 44.44.2.6
        protocol     : 0
        port         : 0
        length       : 12
*Jun 22 01:34:15.179: ISAKMP:(0):Total payload length: 12
*Jun 22 01:34:15.179: ISAKMP:(0): sending packet to 44.44.4.4 my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Jun 22 01:34:15.179: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 22 01:34:15.179: ISAKMP:(0):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
*Jun 22 01:34:15.179: ISAKMP:(0):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2

*Jun 22 01:34:25.095: ISAKMP (0): received packet from 44.44.4.4 dport 500 sport 500 Global (R) AG_INIT_EXCH
*Jun 22 01:34:25.095: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Jun 22 01:34:25.095: ISAKMP:(0): retransmitting due to retransmit phase 1
*Jun 22 01:34:25.595: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Jun 22 01:34:25.595: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jun 22 01:34:25.595: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Jun 22 01:34:25.595: ISAKMP:(0): sending packet to 44.44.4.4 my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Jun 22 01:34:25.595: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 22 01:34:26.595: ISAKMP (0): received packet from 44.44.4.4 dport 500 sport 500 Global (R) AG_INIT_EXCH
*Jun 22 01:34:26.595: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Jun 22 01:34:26.595: ISAKMP:(0): retransmission skipped for phase 1 (time since last transmission 1000)
*Jun 22 01:34:35.595: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Jun 22 01:34:35.595: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jun 22 01:34:35.595: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Jun 22 01:34:35.595: ISAKMP:(0): sending packet to 44.44.4.4 my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Jun 22 01:34:35.595: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 22 01:34:36.095: ISAKMP (0): received packet from 44.44.4.4 dport 500 sport 500 Global (R) AG_INIT_EXCH
*Jun 22 01:34:36.095: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Jun 22 01:34:36.095: ISAKMP:(0): retransmission skipped for phase 1 (time since last transmission 500)
*Jun 22 01:34:45.595: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Jun 22 01:34:45.595: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jun 22 01:34:45.595: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Jun 22 01:34:45.595: ISAKMP:(0): sending packet to 44.44.4.4 my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Jun 22 01:34:45.595: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 22 01:34:46.095: ISAKMP (0): received packet from 44.44.4.4 dport 500 sport 500 Global (R) AG_INIT_EXCH
*Jun 22 01:34:46.095: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Jun 22 01:34:46.095: ISAKMP:(0): retransmission skipped for phase 1 (time since last transmission 500)

ACS Server Failed authentication log:

06/21/201021:35:32Authen failedVPN_GROUP2Default Group44.44.4.4(Default)ACS password invalid....144.44.2.6..........R6..ACS....
06/21/201021:34:49Authen failedVPN_GROUP2Default Group44.44.4.4(Default)ACS password invalid....044.44.2.6..........R6..

Hi Paul,

Thanks for posting the question with excellent details.

In your second scenario, the router is actually contacting the ACS server with the username VPN_GROUP2, and the password for this username should be "cisco" (lowercase). Sundar (my colleague) actually replicated your config here in the lab and it worked fine. The only time he saw your issue was when the password was set to uppercase "CISCO". Can you please double-check the password on your ACS for the user VPN_GROUP2?

thanks

Syed / Sundar
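The debug in the question shows what Syed describes: the router's ISAKMP group authorization goes to the RADIUS server as an Access-Request whose User-Name is the group name (VPN_GROUP2, with Service-Type Outbound), and the ACS answers Access-Reject. The parser below is an added example, not code from the thread or from Cisco; it correlates `debug radius` request and response lines by RADIUS id, pulls out the attributes and decodes the hex Reply-Message, so that on a longer debug you can see at a glance which identity was rejected. The sample lines are constructed in the shape of the debug quoted above, and the rule "Service-Type Outbound means a group-authorization request" is taken from that debug.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of the IOS "debug radius" lines quoted in the
# thread: the group-authorization Access-Request that R6 sends for the EzVPN
# group, followed by the Access-Reject the ACS returns for it.
SAMPLE_DEBUG = """\
*Jun 22 01:34:15.167: RADIUS(00000039): Send Access-Request to 44.44.2.100:1645 id 1645/52, len 96
*Jun 22 01:34:15.167: RADIUS:  User-Name           [1]   12  "VPN_GROUP2"
*Jun 22 01:34:15.167: RADIUS:  User-Password       [2]   18  *
*Jun 22 01:34:15.167: RADIUS:  Calling-Station-Id  [31]  11  "44.44.4.4"
*Jun 22 01:34:15.171: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*Jun 22 01:34:15.171: RADIUS:  NAS-IP-Address      [4]   6   44.44.2.6
*Jun 22 01:34:15.175: RADIUS: Received from id 1645/52 44.44.2.100:1645, Access-Reject, len 32
*Jun 22 01:34:15.175: RADIUS:  Reply-Message       [18]  12
*Jun 22 01:34:15.175: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D                    [Rejected??]
*Jun 22 01:34:15.175: RADIUS(00000039): Received from id 1645/52
"""

SEND_RE = re.compile(r"RADIUS\(\w+\): Send (Access-Request) to (\S+) id (\S+),")
RECV_RE = re.compile(r"RADIUS: Received from id (\S+) (\S+), (Access-\w+),")
ATTR_RE = re.compile(r"RADIUS:\s+([\w-]+)\s+\[(\d+)\]\s+\d+\s*(.*?)\s*$")
HEX_RE = re.compile(r"RADIUS:\s+((?:[0-9A-F]{2} )+)")


def _new_txn(rid, server):
    return {"id": rid, "server": server, "request": None, "response": None,
            "request_attrs": OrderedDict(), "response_attrs": OrderedDict(),
            "reply_message": None}


def parse_radius_debug(text):
    """Correlate Access-Requests with their responses by RADIUS id.

    Returns the transactions in the order the requests were sent. A transaction
    whose "response" stays None never got an answer (a timeout or a dropped
    UDP/1645 packet rather than a rejected credential).
    """
    txns = OrderedDict()
    current, phase, last_attr = None, None, None
    for line in text.splitlines():
        m = SEND_RE.search(line)
        if m:
            kind, server, rid = m.groups()
            current = txns.setdefault(rid, _new_txn(rid, server))
            current["request"] = kind
            phase, last_attr = "request_attrs", None
            continue
        m = RECV_RE.search(line)
        if m:
            rid, server, code = m.groups()
            current = txns.setdefault(rid, _new_txn(rid, server))
            current["response"] = code
            phase, last_attr = "response_attrs", None
            continue
        if current is None:
            continue
        m = ATTR_RE.search(line)
        if m:
            name, _num, value = m.groups()
            # collapse the column padding and drop the quotes IOS puts around strings
            value = re.sub(r"\s+", " ", value).strip().strip('"')
            current[phase][name] = value
            last_attr = name
            continue
        m = HEX_RE.search(line)
        if m and last_attr == "Reply-Message":
            # the hex dump that follows Reply-Message is the server's text
            raw = bytes.fromhex(m.group(1).replace(" ", ""))
            current["reply_message"] = raw.decode("ascii", "replace").strip()
    return list(txns.values())


def summarize(txns):
    """One triage record per transaction: which identity was asked about and how it was answered."""
    out = []
    for t in txns:
        req = t["request_attrs"]
        # As the thread's debug shows, the EzVPN group lookup is sent with
        # Service-Type Outbound and the group name as User-Name.
        outbound = req.get("Service-Type", "").startswith("Outbound")
        out.append({
            "id": t["id"],
            "stage": "group-authorization" if outbound else "user-authentication",
            "user": req.get("User-Name"),
            "from": req.get("Calling-Station-Id"),
            "result": t["response"] or "no-response (timeout?)",
            "reply": t["reply_message"],
        })
    return out


if __name__ == "__main__":
    for s in summarize(parse_radius_debug(SAMPLE_DEBUG)):
        print(f"id {s['id']}: {s['stage']} for {s['user']!r} from {s['from']}"
              f" -> {s['result']} ({s['reply']})")
```

Run it over the full `debug radius` output of a failing connection: a reject on the group-authorization transaction points at the group entry on the AAA server (its password, as in Paul's case), while a reject on a later user-authentication transaction points at the Xauth user instead.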

Hi Syed,

Thank you for your help! Actually the main reason that it was failing was the password.

In my scenario I used cisco123 as a password everywhere, on ACS, R6, R4, R2. For some reason it works with cisco, but refuses to work with cisco123, which seems like a bug to me.

I put together an article with screenshots describing this setup. Thought it might be helpful for all of us studying for CCIE Security:

http://www.isrcomputing.com/knowledge-base/46-ccie-security-pursuit/183-ccie-security-vpn-study-guide-dynamic-vti-radius-aaa

Good Luck,

Paul

Just in case you want to try to replicate the "cisco123" issue:

CiscoSecure ACS
Release 4.1(4) Build 13 Patch 12

R6#show ver
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 19-Oct-09 17:38 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

R6 uptime is 6 hours, 2 minutes
System returned to ROM by power-on
System image file is "flash:c2800nm-adventerprisek9-mz.124-24.T2.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2811 (revision 53.50) with 223232K/38912K bytes of memory.
Processor board ID FTX1123F068
2 FastEthernet interfaces
3 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
251904K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2142 (will be 0x2102 at next reload)

R6#

Hi Paul,

This restriction of using "cisco" as a password is well documented in the config guide. I don't have the link for the guide handy right now; I will send it to you tomorrow morning once I am in the office.

thanks

-Syed

Syed,

That is good for a router that has the standard CLI interface. Both the RVS4000 and the SA520 have a web-based interface only. The document you reference is of no use.

Pete.

Hi, I am building an IPsec VPN tunnel between two sites, using an ADSL router and two Cisco 2921 ISR G2 routers (a redundant pair). I am using IPsec stateful failover to make the two routers redundant. The tunnel comes up and the failover works fine as well. I have one issue though: I cannot ping from one LAN to the other. Would you have any suggestion as to what the issue might be? Thanks in advance for your answer.

Hi Elkharraze,

Couple of things you need to check.

1. If one side is going out behind PAT, then make sure that NAT-T is enabled and UDP port 4500 is allowed in your network.

2. You need to check that the encryption domain includes your LAN segment as well as the remote LAN segment.

3. Check whether the remote site is encrypting the traffic or not. If it is encrypting the traffic, then check on the headend whether it is decrypting the traffic or not. This will show us if the packets are getting dropped in the middle. Reverse the process to make sure the headend is also encrypting fine.

Hope this helps.

Thanks

-Syed

mbroberson1
Level 3

Hi Syed / Sundar,

First off thank you for opening this discussion on IP Sec VPN, it is sure to serve the CSC community well.

I have a question(s) regarding the troubleshooting of Cisco VPN client connectivity issues on the ASA 5500 series.

If you have users connecting to a corporate network using either the Cisco VPN client or AnyConnect, and maybe from time to time one or two of the users claim to have an unstable VPN connection with their applications, it can be quite challenging to locate the underlying issue. On the other hand, if all RA VPN users could not establish a connection, it would likely be for more obvious reasons.

Looking through the ASA's VPN monitoring features, there seem to be few tools for troubleshooting established RA VPN client sessions. Usually you are troubleshooting whether the RA VPN client can connect or cannot connect. Troubleshooting while a particular VPN client session may be experiencing application instabilities (slowness or application hangs) over their tunnel session while (in most cases) not actually losing their VPN session can be very challenging indeed.

Are there any good tools/suggestions for focusing troubleshooting efforts on the type of issue(s) as described above?

Thanks,

Brandon

Hi Brandon,

I agree that troubleshooting such issues is challenging. Here is how I approach this issue.

Assuming the client is complaining about application slowness:

I would first want to check the round-trip time to the VPN server's public IP address from the client PC to make sure there is no significant ISP delay.

Then I will check the RTT to the ASA / VPN server's inside IP address.

Depending on where we are seeing the delay, we need to proceed accordingly on that front.

The other thing which is worthwhile to check is to do a sniffer capture on the client side or the application server to see if there are retransmissions. Based on my experience, retransmission is another important factor in slowing the application down. If there are lots of retransmissions, then the most likely cause is packet loss somewhere in the path.

You may need to run sniffer captures on the VPN server's outside interface and the client interface simultaneously to identify if there is packet loss. ESP packets can be checked in Wireshark by using the sequence numbers.

Hope this answers your question. If you have any follow-up question, please feel free to ask any time.

thanks

-Syed
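Syed's last step works because the ESP sequence number sits in the unencrypted part of the ESP header and increases by one per packet on an SA, so a capture can be checked for loss without any keys. The script below is an added example, not code from the thread or from Cisco: given two captures of the same outbound SA, one at the VPN server's outside interface and one at the client, it lists the sequence numbers missing at each point, separates reordering from loss, and reports which packets left the server but never reached the client. The captures are constructed tuples of (time, SPI, sequence); the SPI is the one from the debug in this thread, the sequence numbers are made up. With a real capture you would feed it the `esp.spi` and `esp.sequence` columns exported from Wireshark.

```python
from collections import defaultdict

# Constructed sample captures (not from the thread): the outbound ESP packets of
# one SA as seen leaving the VPN server's outside interface, and the same SA as
# seen arriving at the client. Each record is (time_s, spi, esp_sequence). The
# SPI value is the one shown in the thread's debug; the sequence numbers are made up.
SPI = 0xFAC29DF0
SERVER_OUTSIDE = [(0.01 * i, SPI, 101 + i) for i in range(10)]   # seq 101..110, in order
CLIENT_SIDE = [
    (0.05, SPI, 101), (0.06, SPI, 102), (0.07, SPI, 103),
    # 104 never arrives
    (0.09, SPI, 105), (0.10, SPI, 106),
    # 107 never arrives; 109 overtakes 108 (reordering, not loss)
    (0.13, SPI, 109), (0.135, SPI, 108), (0.14, SPI, 110),
]


def _by_spi(records):
    seen = defaultdict(set)
    for _t, spi, seq in records:
        seen[spi].add(seq)
    return seen


def sequence_gaps(records):
    """Per SPI, the ESP sequence numbers missing between the lowest and highest seen.

    Gaps at the sender's own interface mean the capture itself dropped packets
    (or the SA was captured mid-way); gaps only at the receiver mean loss in the path.
    """
    gaps = {}
    for spi, seqs in _by_spi(records).items():
        lo, hi = min(seqs), max(seqs)
        gaps[spi] = [s for s in range(lo, hi + 1) if s not in seqs]
    return gaps


def reordered(records):
    """Per SPI, how many packets arrived with a sequence number below one already seen."""
    highest = {}
    count = defaultdict(int)
    for _t, spi, seq in sorted(records):          # time order
        if spi in highest and seq < highest[spi]:
            count[spi] += 1
        highest[spi] = max(highest.get(spi, seq), seq)
    return dict(count)


def compare_captures(sent, received):
    """Per SPI: packets that left the sender capture point but never reached the receiver."""
    s, r = _by_spi(sent), _by_spi(received)
    report = {}
    for spi, seqs in s.items():
        lost = sorted(seqs - r[spi])
        report[spi] = {"sent": len(seqs), "lost": lost,
                       "loss_pct": round(100.0 * len(lost) / len(seqs), 1)}
    return report


if __name__ == "__main__":
    print("gaps at server :", sequence_gaps(SERVER_OUTSIDE))
    print("gaps at client :", sequence_gaps(CLIENT_SIDE))
    print("reordered      :", reordered(CLIENT_SIDE))
    for spi, rep in compare_captures(SERVER_OUTSIDE, CLIENT_SIDE).items():
        print(f"SPI 0x{spi:08X}: sent {rep['sent']}, lost {rep['lost']} ({rep['loss_pct']}%)")
```

Loss of even a few percent on the ESP stream shows up as TCP retransmissions inside the tunnel, which is the symptom Syed describes; seeing the gap only on the client-side capture and not on the server's outside interface places the loss in the ISP path rather than on the VPN server.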

gadholwi1
Level 1

This means that an ASA is lying in between the DMVPN hub and spoke.

Does this scenario require any special configuration of the ASA? Up to now the setup is not working; we are facing the following problem:

The central DMVPN hub shows an 'invalid SPI' error, because both spokes come up with the same IP address (ASA hide-NAT) at the DMVPN hub.

thx

Holger