ASR1001 simple IPSec tunnel over P2P fibre

Colin Myers
Level 1

Hi,

We have purchased a couple of ASR1001 as we need the throughput for a 1Gbps WAN link. Because these are connecting two "sensitive" sites the 1G WAN link needs to be encrypted. This link is effectively a layer 2 link, which I think is where my problem lies.

I have stripped back the configuration to make a simple VPN tunnel and it will not pass IKE_E_MM1. The topology is:

172.20.26.5 ------ (192.168.255.2 -------1Gbps fibre VPN --------- 192.168.255.1) ------- 172.21.26.5

When I try to bring up the tunnel I just get repeated messages:

*Jun 18 06:34:28.833: ISAKMP (0): received packet from 192.168.255.1 dport 500 sport 500 GlobalE
*Jun 18 06:34:28.833: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 18 06:34:28.833: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Jun 18 06:34:28.833: ISAKMP:(0): processing SA payload. message ID = 0
*Jun 18 06:34:28.835: ISAKMP:(0):found peer pre-shared key matching 192.168.255.1
*Jun 18 06:34:28.835: ISAKMP:(0): local preshared key found
*Jun 18 06:34:28.835: ISAKMP : Scanning profiles for xauth ...
*Jun 18 06:34:28.835: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jun 18 06:34:28.835: ISAKMP:      encryption AES-CBC
*Jun 18 06:34:28.835: ISAKMP:      keylength of 192
*Jun 18 06:34:28.835: ISAKMP:      hash SHA256
*Jun 18 06:34:28.835: ISAKMP:      default group 2
*Jun 18 06:34:28.835: ISAKMP:      auth pre-share
*Jun 18 06:34:28.835: ISAKMP:      life type in seconds
*Jun 18 06:34:28.835: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Jun 18 06:34:28.835: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 18 06:34:28.835: ISAKMP:(0):Acceptable atts:actual life: 0
*Jun 18 06:34:28.835: ISAKMP:(0):Acceptable atts:life: 86400
*Jun 18 06:34:28.835: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jun 18 06:34:28.835: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Jun 18 06:34:28.835: ISAKMP:(0):Returning Actual lifetime: 86400
*Jun 18 06:34:28.835: ISAKMP:(0)::Started lifetime timer: 86400.
*Jun 18 06:34:28.835: ISAKMP : Unable to allocate IKE SA
*Jun 18 06:34:28.835: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 18 06:34:28.835: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
*Jun 18 06:34:28.835: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: reset_retran
*Jun 18 06:34:28.835: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*Jun 18 06:34:28.835: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_READY
*Jun 18 06:34:29.835: ISAKMP:(0): no outgoing phase 1 packet to retransmit. MM_NO_STATE
*Jun 18 06:34:38.836: ISAKMP (0): received packet from 192.168.255.1 dport 500 sport 500 GlobalE
*Jun 18 06:34:38.836: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 18 06:34:38.836: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Jun 18 06:34:38.836: ISAKMP:(0): processing SA payload. message ID = 0
*Jun 18 06:34:38.839: ISAKMP:(0):found peer pre-shared key matching 192.168.255.1
*Jun 18 06:34:38.839: ISAKMP:(0): local preshared key found
*Jun 18 06:34:38.839: ISAKMP : Scanning profiles for xauth ...
*Jun 18 06:34:38.839: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jun 18 06:34:38.839: ISAKMP:      encryption AES-CBC
*Jun 18 06:34:38.839: ISAKMP:      keylength of 192
*Jun 18 06:34:38.839: ISAKMP:      hash SHA256
*Jun 18 06:34:38.839: ISAKMP:      default group 2
*Jun 18 06:34:38.839: ISAKMP:      auth pre-share
*Jun 18 06:34:38.839: ISAKMP:      life type in seconds
*Jun 18 06:34:38.839: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Jun 18 06:34:38.839: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 18 06:34:38.839: ISAKMP:(0):Acceptable atts:actual life: 0
*Jun 18 06:34:38.839: ISAKMP:(0):Acceptable atts:life: 86400
*Jun 18 06:34:38.839: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jun 18 06:34:38.839: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Jun 18 06:34:38.839: ISAKMP:(0):Returning Actual lifetime: 86400
*Jun 18 06:34:38.839: ISAKMP:(0)::Started lifetime timer: 86400.
*Jun 18 06:34:38.839: ISAKMP : Unable to allocate IKE SA
*Jun 18 06:34:38.839: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 18 06:34:38.839: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
*Jun 18 06:34:38.839: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: reset_retran
*Jun 18 06:34:38.839: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*Jun 18 06:34:38.839: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_READY
*Jun 18 06:34:39.839: ISAKMP:(0): no outgoing phase 1 packet to retransmit. MM_NO_STATE
*Jun 18 06:34:48.837: ISAKMP (0): received packet from 192.168.255.1 dport 500 sport 500 GlobalE
*Jun 18 06:34:48.837: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 18 06:34:48.837: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Jun 18 06:34:48.837: ISAKMP:(0): processing SA payload. message ID = 0
*Jun 18 06:34:48.839: ISAKMP:(0):found peer pre-shared key matching 192.168.255.1
*Jun 18 06:34:48.839: ISAKMP:(0): local preshared key found
*Jun 18 06:34:48.839: ISAKMP : Scanning profiles for xauth ...
*Jun 18 06:34:48.839: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jun 18 06:34:48.839: ISAKMP:      encryption AES-CBC
*Jun 18 06:34:48.839: ISAKMP:      keylength of 192
*Jun 18 06:34:48.839: ISAKMP:      hash SHA256
*Jun 18 06:34:48.839: ISAKMP:      default group 2
*Jun 18 06:34:48.839: ISAKMP:      auth pre-share
*Jun 18 06:34:48.839: ISAKMP:      life type in seconds
*Jun 18 06:34:48.839: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Jun 18 06:34:48.840: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 18 06:34:48.840: ISAKMP:(0):Acceptable atts:actual life: 0
*Jun 18 06:34:48.840: ISAKMP:(0):Acceptable atts:life: 86400
*Jun 18 06:34:48.840: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jun 18 06:34:48.840: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Jun 18 06:34:48.840: ISAKMP:(0):Returning Actual lifetime: 86400
*Jun 18 06:34:48.840: ISAKMP:(0)::Started lifetime timer: 86400.
*Jun 18 06:34:48.840: ISAKMP : Unable to allocate IKE SA
*Jun 18 06:34:48.840: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 18 06:34:48.840: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
*Jun 18 06:34:48.840: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: reset_retran
*Jun 18 06:34:48.840: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*Jun 18 06:34:48.840: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_READY
*Jun 18 06:34:49.840: ISAKMP:(0): no outgoing phase 1 packet to retransmit. MM_NO_STATE
*Jun 18 06:34:58.838: ISAKMP (0): received packet from 192.168.255.1 dport 500 sport 500 GlobalE
*Jun 18 06:34:58.838: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 18 06:34:58.838: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Jun 18 06:34:58.838: ISAKMP:(0): processing SA payload. message ID = 0
*Jun 18 06:34:58.841: ISAKMP:(0):found peer pre-shared key matching 192.168.255.1
*Jun 18 06:34:58.841: ISAKMP:(0): local preshared key found
*Jun 18 06:34:58.841: ISAKMP : Scanning profiles for xauth ...
*Jun 18 06:34:58.841: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jun 18 06:34:58.841: ISAKMP:      encryption AES-CBC
*Jun 18 06:34:58.841: ISAKMP:      keylength of 192
*Jun 18 06:34:58.841: ISAKMP:      hash SHA256
*Jun 18 06:34:58.841: ISAKMP:      default group 2
*Jun 18 06:34:58.841: ISAKMP:      auth pre-share
*Jun 18 06:34:58.841: ISAKMP:      life type in seconds
*Jun 18 06:34:58.841: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Jun 18 06:34:58.841: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 18 06:34:58.841: ISAKMP:(0):Acceptable atts:actual life: 0
*Jun 18 06:34:58.841: ISAKMP:(0):Acceptable atts:life: 86400
*Jun 18 06:34:58.841: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jun 18 06:34:58.841: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Jun 18 06:34:58.841: ISAKMP:(0):Returning Actual lifetime: 86400
*Jun 18 06:34:58.841: ISAKMP:(0)::Started lifetime timer: 86400.
*Jun 18 06:34:58.841: ISAKMP : Unable to allocate IKE SA
*Jun 18 06:34:58.841: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 18 06:34:58.841: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
*Jun 18 06:34:58.841: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: reset_retran
*Jun 18 06:34:58.841: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*Jun 18 06:34:58.841: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_READY
*Jun 18 06:34:59.841: ISAKMP:(0): no outgoing phase 1 packet to retransmit. MM_NO_STATE

Simple config at each end:

Router 1:

crypto isakmp policy 1
 encr aes 192
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address 192.168.255.1 no-xauth
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set VPN ah-sha-hmac esp-3des
 mode tunnel
no crypto ipsec nat-transparency udp-encapsulation
!
crypto map VPN 1 ipsec-isakmp
 set peer 192.168.255.1
 set transform-set VPN
 match address 100
!
interface GigabitEthernet0/0/0
 description Link to Core Switch
 ip address 172.21.26.5 255.255.0.0
 negotiation auto
!
interface GigabitEthernet0/0/3
 ip address 192.168.255.2 255.255.255.0
 negotiation auto
 cdp enable
 crypto map VPN
!
access-list 100 permit ip 172.0.0.0 0.255.255.255 172.0.0.0 0.255.255.255

Router 2:

crypto isakmp policy 1
 encr aes 192
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key xxxxxxx address 192.168.255.2 no-xauth
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set VPN ah-sha-hmac esp-3des
 mode tunnel
no crypto ipsec nat-transparency udp-encapsulation
!
crypto map VPN 1 ipsec-isakmp
 set peer 192.168.255.2
 set transform-set VPN
 match address 100
!
interface GigabitEthernet0/0/0
 description Link to Core Switch
 ip address 172.20.26.5 255.255.0.0
 negotiation auto
!
interface GigabitEthernet0/0/3
 ip address 192.168.255.1 255.255.255.0
 negotiation auto
 cdp enable
 crypto map VPN
!
access-list 100 permit ip 172.0.0.0 0.255.255.255 172.0.0.0 0.255.255.255

Any assistance would be appreciated.

Regards

Colin
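Reading this kind of debug by eye is slow, so here is an added example (my own code, not part of the original post) that turns "debug crypto isakmp" output into one record per phase-1 attempt and states whether the peer's proposal matched a local policy before things went wrong. The sample input is a constructed abridgement of the lines in the post, plus a made-up second attempt with a non-matching proposal (3DES/MD5) added for contrast; the diagnosis wording and the state list are mine. The observation it makes about the log above: "Unable to allocate IKE SA" is printed after "atts are acceptable", so the peer's transform did match policy 1 and the failure is on the responding router itself rather than in the negotiation.

```python
"""Summarise Cisco IOS 'debug crypto isakmp' output, one record per phase-1 attempt.

Added example, not code from the original post.  Diagnosis wording is my own.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the first attempt abridges the debug lines in the post; the
# second is made up to show what a genuine policy mismatch looks like by contrast.
SAMPLE_DEBUG = """\
*Jun 18 06:34:28.833: ISAKMP (0): received packet from 192.168.255.1 dport 500 sport 500 Global
*Jun 18 06:34:28.833: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Jun 18 06:34:28.835: ISAKMP:(0):found peer pre-shared key matching 192.168.255.1
*Jun 18 06:34:28.835: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jun 18 06:34:28.835: ISAKMP:      encryption AES-CBC
*Jun 18 06:34:28.835: ISAKMP:      keylength of 192
*Jun 18 06:34:28.835: ISAKMP:      hash SHA256
*Jun 18 06:34:28.835: ISAKMP:      default group 2
*Jun 18 06:34:28.835: ISAKMP:      auth pre-share
*Jun 18 06:34:28.835: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 18 06:34:28.835: ISAKMP : Unable to allocate IKE SA
*Jun 18 06:34:28.835: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
*Jun 18 06:34:28.835: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: reset_retran
*Jun 18 06:34:28.835: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_READY
*Jun 18 06:34:38.836: ISAKMP (0): received packet from 192.168.255.1 dport 500 sport 500 Global
*Jun 18 06:34:38.836: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Jun 18 06:34:38.839: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jun 18 06:34:38.839: ISAKMP:      encryption 3DES-CBC
*Jun 18 06:34:38.839: ISAKMP:      hash MD5
*Jun 18 06:34:38.839: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Jun 18 06:34:38.839: ISAKMP:(0):no offers accepted!
*Jun 18 06:34:38.839: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_READY
"""

TS_RE = re.compile(r"^\*?([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): (.*)$")
RECV_RE = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+)")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
ATTR_RE = re.compile(r"^ISAKMP:\s+(encryption|keylength of|hash|default group|auth)\s+(\S+)")
ERROR_MARKERS = ("Unable to allocate IKE SA", "no offers accepted", "incrementing error counter")
# States at which an attempt is over: reset to idle, phase 1 done, or SA torn down.
TERMINAL_STATES = {"IKE_READY", "IKE_P1_COMPLETE", "IKE_DEST_SA"}


@dataclass
class Attempt:
    started: str
    peer: str
    transitions: List[Tuple[str, str]] = field(default_factory=list)
    proposal: Dict[str, str] = field(default_factory=dict)
    policy_accepted: Optional[bool] = None
    errors: List[str] = field(default_factory=list)

    @property
    def final_state(self) -> Optional[str]:
        return self.transitions[-1][1] if self.transitions else None

    @property
    def finished(self) -> bool:
        return self.final_state in TERMINAL_STATES

    def diagnosis(self) -> str:
        if self.policy_accepted and any("Unable to allocate IKE SA" in e for e in self.errors):
            return ("policy matched, then IKE SA allocation failed: a local problem on this "
                    "router, not a proposal mismatch with the peer")
        if self.policy_accepted is False:
            return "proposal rejected: no crypto isakmp policy matched the peer's transform"
        if self.final_state == "IKE_P1_COMPLETE":
            return "phase 1 complete"
        return f"incomplete: last state {self.final_state}, errors {self.errors}"


def parse_isakmp_debug(text: str) -> List[Attempt]:
    """Split debug output into attempts; a new one starts at a packet received while idle."""
    attempts: List[Attempt] = []
    current: Optional[Attempt] = None
    for raw in text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.groups()
        recv = RECV_RE.search(msg)
        if recv and (current is None or current.finished):
            current = Attempt(started=ts, peer=recv.group(1))
            attempts.append(current)
            continue
        if current is None:
            continue
        st = STATE_RE.search(msg)
        if st:
            current.transitions.append((st.group(1), st.group(2)))
            continue
        attr = ATTR_RE.match(msg)
        if attr:
            current.proposal[attr.group(1).replace(" of", "")] = attr.group(2)
            continue
        if "atts are not acceptable" in msg:
            current.policy_accepted = False
        elif "atts are acceptable" in msg:
            current.policy_accepted = True
        elif any(marker in msg for marker in ERROR_MARKERS):
            # Strip the "ISAKMP:(0):" / "ISAKMP : " prefix so the error reads cleanly.
            current.errors.append(msg.split("ISAKMP", 1)[-1].lstrip(" :(0)"))
    return attempts


def summarise(text: str) -> List[str]:
    """One line per attempt: timestamp, peer, offered proposal and diagnosis."""
    return [f"{a.started} peer {a.peer} {a.proposal}: {a.diagnosis()}"
            for a in parse_isakmp_debug(text)]


if __name__ == "__main__":
    for line in summarise(SAMPLE_DEBUG):
        print(line)
```

Feed it the full debug capture (`debug crypto isakmp` output saved from the terminal) and the four attempts in the post collapse to four identical one-line summaries, which is usually what you want when deciding whether to look at the policy or at the box.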

1 Reply

Colin Myers
Level 1

It would appear I chose incompatible encryption types. All sorted now.
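Since the resolution came down to algorithm choice, here is a second added example (mine, not the poster's) that parses the kind of IOS crypto config shown in the post, flags weak or redundant algorithm choices (DES/3DES, MD5, DH groups 1/2/5, AH alongside ESP, aggressive mode left enabled) and checks that two peers share at least one ISAKMP policy and one transform-set, since that is the first thing to rule out when phase 1 or phase 2 will not come up. The config strings are constructed from the post with the interfaces dropped and a placeholder key; the finding texts and the weak-algorithm lists are my own.

```python
"""Audit a pair of IOS IKEv1/IPsec configs for weak algorithms and peer mismatches.

Added example, not code from the original post.  Finding texts are my own.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample, abridged from the two router configs in the post
# (interfaces omitted, pre-shared key is a placeholder).
ROUTER1 = """\
crypto isakmp policy 1
 encr aes 192
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address 192.168.255.1 no-xauth
crypto isakmp aggressive-mode disable
crypto ipsec transform-set VPN ah-sha-hmac esp-3des
 mode tunnel
crypto map VPN 1 ipsec-isakmp
 set peer 192.168.255.1
 set transform-set VPN
 match address 100
access-list 100 permit ip 172.0.0.0 0.255.255.255 172.0.0.0 0.255.255.255
"""
ROUTER2 = ROUTER1.replace("192.168.255.1", "192.168.255.2")

WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASH = {"md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}  # 768/1024/1536-bit MODP


def parse_crypto_config(text: str) -> Dict:
    """Pull ISAKMP policies, PSK peers, transform-sets and crypto maps out of config text."""
    cfg: Dict = {"policies": {}, "psk_peers": set(), "transform_sets": {}, "maps": {},
                 "aggressive_mode_disabled": False}
    section: Tuple[str, str] = ("", "")
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        w = line.split()
        if w[:3] == ["crypto", "isakmp", "policy"]:
            section = ("policy", w[3])
            cfg["policies"][w[3]] = {}
        elif w[:3] == ["crypto", "isakmp", "key"] and "address" in w:
            cfg["psk_peers"].add(w[w.index("address") + 1])
            section = ("", "")
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            section = ("ts", w[3])
            cfg["transform_sets"][w[3]] = {"transforms": w[4:], "mode": "tunnel"}
        elif w[:2] == ["crypto", "map"] and len(w) >= 5:
            section = ("map", w[2])
            cfg["maps"].setdefault(w[2], {})
        elif line == "crypto isakmp aggressive-mode disable":
            cfg["aggressive_mode_disabled"] = True
            section = ("", "")
        elif w[0] in ("crypto", "interface", "access-list", "ip", "no"):
            section = ("", "")  # some other top-level command ends the current section
        elif section[0] == "policy":
            key = "encryption" if w[0] in ("encr", "encryption") else w[0]
            cfg["policies"][section[1]][key] = " ".join(w[1:])
        elif section[0] == "ts" and w[0] == "mode":
            cfg["transform_sets"][section[1]]["mode"] = w[1]
        elif section[0] == "map":
            m = cfg["maps"][section[1]]
            if w[:2] == ["set", "peer"]:
                m["peer"] = w[2]
            elif w[:2] == ["set", "transform-set"]:
                m["transform_set"] = w[2]
            elif w[:2] == ["match", "address"]:
                m["acl"] = w[2]
    return cfg


def audit_config(name: str, cfg: Dict) -> List[str]:
    """Flag weak, redundant or inconsistent crypto settings on one router."""
    findings: List[str] = []
    for pid, pol in cfg["policies"].items():
        enc = pol.get("encryption", "").split()
        if enc and enc[0] in WEAK_ENCRYPTION:
            findings.append(f"{name}: isakmp policy {pid} uses weak encryption '{enc[0]}'")
        if pol.get("hash") in WEAK_HASH:
            findings.append(f"{name}: isakmp policy {pid} uses weak hash '{pol['hash']}'")
        if pol.get("group") in WEAK_DH_GROUPS:
            findings.append(f"{name}: isakmp policy {pid} uses DH group {pol['group']} "
                            "(under 2048 bits); use group 14 or stronger")
    for tname, ts in cfg["transform_sets"].items():
        tr = ts["transforms"]
        for t in tr:
            if t in WEAK_ENCRYPTION:
                findings.append(f"{name}: transform-set {tname} uses weak cipher '{t}'; "
                                "prefer esp-aes 256 with esp-sha256-hmac, or esp-gcm")
            if t in WEAK_HASH:
                findings.append(f"{name}: transform-set {tname} uses weak integrity '{t}'")
        esp_integrity = any(t.startswith("esp-") and (t.endswith("-hmac") or "gcm" in t) for t in tr)
        if any(t.startswith("ah-") for t in tr):
            findings.append(f"{name}: transform-set {tname} uses AH; prefer an ESP integrity "
                            "transform, AH only adds outer-header authentication and cannot cross NAT")
        elif not esp_integrity:
            findings.append(f"{name}: transform-set {tname} encrypts with ESP but has no integrity transform")
    for mname, m in cfg["maps"].items():
        if m.get("peer") and m["peer"] not in cfg["psk_peers"]:
            findings.append(f"{name}: crypto map {mname} peer {m['peer']} has no pre-shared key configured")
    if not cfg["aggressive_mode_disabled"]:
        findings.append(f"{name}: aggressive mode not disabled (responder's PSK-derived hash is "
                        "sent in the clear, enabling offline PSK cracking)")
    return findings


def _policy_set(cfg: Dict) -> Set[Tuple]:
    return {tuple(sorted(p.items())) for p in cfg["policies"].values()}


def _transform_set(cfg: Dict) -> Set[Tuple]:
    return {(tuple(ts["transforms"]), ts["mode"]) for ts in cfg["transform_sets"].values()}


def compare_peers(a_name: str, a: Dict, b_name: str, b: Dict) -> List[str]:
    """Report parameter sets the two peers cannot agree on."""
    findings: List[str] = []
    if not _policy_set(a) & _policy_set(b):
        findings.append(f"{a_name}/{b_name}: no common ISAKMP policy, phase 1 cannot succeed")
    if not _transform_set(a) & _transform_set(b):
        findings.append(f"{a_name}/{b_name}: no common IPsec transform-set, phase 2 cannot succeed")
    return findings


if __name__ == "__main__":
    r1, r2 = parse_crypto_config(ROUTER1), parse_crypto_config(ROUTER2)
    for f in audit_config("R1", r1) + audit_config("R2", r2) + compare_peers("R1", r1, "R2", r2):
        print(f)
```

On the two configs as posted the peer comparison comes back clean (they are mirror images), and the per-router audit reports the 1024-bit DH group, the 3DES transform and the AH-plus-ESP combination; changing `encr aes 192` to `encr aes 256` on one side is enough to make the comparison report that no common ISAKMP policy exists.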