Building a VPN Ipsec on a DSL link

habibnoubissi
Level 1

Hi guys,

I am now having trouble building an IPsec VPN on an ADSL link. My architecture is as follows:

LAN1==>CISCO ROUTER 1841==>ADSL MODEM ============  Internet  =============WIMAX MODE=====>CISCO ASA=====>LAN2

On my Cisco router, when issuing sh cry is sa, I keep getting:

dst                         src              state                   conn-id   slot

x.x.x.x                y.y.y.y           MM_NO_STATE        174     0        (deleted)

and when issuing debug crypto isakmp, I have:

Crypto ISAKMP debugging is on

With this output, debugging seems very difficult.

Please help me to solve this problem; see attached my configuration on router 1841.

3 Replies

Thank you Marcin,

but as I told below, debug crypto isakmp doesn't display anything, so it is not possible to use debug to troubleshoot.

Please, how can I enable the debug command to display things?

Thank you in advance.

habibnoubissi
Level 1

An update,

Please see below the debug output on my router. Please help me decipher this.

Thanks a lot

peer does not do paranoid keepalives.

*May 30 02:22:03.455: ISAKMP:(0:101:HW:2):deleting SA reason "No reason" state (I) QM_IDLE       (peer 41.204.95.12)

*May 30 02:22:03.455: ISAKMP:(0:101:HW:2):deleting node -896953026 error FALSE reason "Informational (in) state 1"

*May 30 02:22:03.455: ISAKMP:(0:101:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*May 30 02:22:03.455: ISAKMP:(0:101:HW:2):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*May 30 02:22:03.455: ISAKMP:(0:101:HW:2):deleting SA reason "No reason" state (I) QM_IDLE       (peer 41.204.95.12)

*May 30 02:22:03.459: ISAKMP: Unlocking IKE struct 0x6497DCF0 for isadb_mark_sa_deleted(), count 0

*May 30 02:22:03.459: ISAKMP: Deleting peer node by peer_reap for 41.204.95.12: 6497DCF0

*May 30 02:22:03.459: ISAKMP:(0:101:HW:2):deleting node -1257807848 error FALSE reason "IKE deleted"

*May 30 02:22:03.459: ISAKMP:(0:101:HW:2):deleting node -368082144 error FALSE reason "IKE deleted"

*May 30 02:22:03.459: ISAKMP:(0:101:HW:2):deleting node -896953026 error FALSE reason "IKE deleted"

*May 30 02:22:03.459: ISAKMP:(0:101:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*May 30 02:22:03.459: ISAKMP:(0:101:HW:2):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*May 30 02:22:23.459: ISAKMP:(0:100:HW:2):purging node 2040173126

*May 30 02:22:23.459: ISAKMP:(0:100:HW:2):purging node 48253279

*May 30 02:22:23.459: ISAKMP:(0:100:HW:2):purging node 397815462

*May 30 02:22:32.595: ISAKMP: received ke message (3/1)

*May 30 02:22:32.595: ISAKMP:(0:101:HW:2):peer does not do paranoid keepalives.

*May 30 02:22:32.595: ISAKMP:(0:100:HW:2):peer does not do paranoid keepalives.

*May 30 02:22:33.099: ISAKMP: received ke message (1/1)

*May 30 02:22:33.099: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)

*May 30 02:22:33.099: ISAKMP: Created a peer struct for 41.204.95.12, peer port 500

*May 30 02:22:33.099: ISAKMP: Locking peer struct 0x6496B830, IKE refcount 1 for isakmp_initiator

*May 30 02:22:33.099: ISAKMP: local port 500, remote port 500

*May 30 02:22:33.099: ISAKMP: set new node 0 to QM_IDLE

*May 30 02:22:33.099: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6496207C

*May 30 02:22:33.099: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled

*May 30 02:22:33.099: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.

*May 30 02:22:33.099: ISAKMP: Looking for a matching key for 41.204.95.12 in default : success

*May 30 02:22:33.103: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 41.204.95.12

*May 30 02:22:33.103: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID

*May 30 02:22:33.103: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID

*May 30 02:22:33.103: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*May 30 02:22:33.103: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

*May 30 02:22:33.103: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange

*May 30 02:22:33.103: ISAKMP:(0:0:N/A:0): sending packet to 41.204.95.12 my_port 500 peer_port 500 (I) MM_NO_STATE

*May 30 02:22:33.303: ISAKMP (0:0): received packet from 41.204.95.12 dport 500 sport 500 Global (I) MM_NO_STATE

*May 30 02:22:33.303: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*May 30 02:22:33.303: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*May 30 02:22:33.307: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0

*May 30 02:22:33.307: ISAKMP:(0:0:N/A:0): processing vendor id payload

*May 30 02:22:33.307: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch

*May 30 02:22:33.307: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2

*May 30 02:22:33.307: ISAKMP:(0:0:N/A:0): processing vendor id payload

*May 30 02:22:33.307: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch

*May 30 02:22:33.307: ISAKMP: Looking for a matching key for 41.204.95.12 in default : success

*May 30 02:22:33.307: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 41.204.95.12

*May 30 02:22:33.307: ISAKMP:(0:0:N/A:0): local preshared key found

*May 30 02:22:33.307: ISAKMP : Scanning profiles for xauth ...

*May 30 02:22:33.307: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy

*May 30 02:22:33.307: ISAKMP:      encryption DES-CBC

*May 30 02:22:33.307: ISAKMP:      hash SHA

*May 30 02:22:33.307: ISAKMP:      default group 2

*May 30 02:22:33.307: ISAKMP:      auth pre-share

*May 30 02:22:33.307: ISAKMP:      life type in seconds

*May 30 02:22:33.307: ISAKMP:      life duration (basic) of 28800

*May 30 02:22:33.307: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0

*May 30 02:22:33.315: ISAKMP:(0:102:HW:2): processing vendor id payload

*May 30 02:22:33.315: ISAKMP:(0:102:HW:2): vendor ID seems Unity/DPD but major 123 mismatch

*May 30 02:22:33.315: ISAKMP:(0:102:HW:2): vendor ID is NAT-T v2

*May 30 02:22:33.315: ISAKMP:(0:102:HW:2): processing vendor id payload

*May 30 02:22:33.315: ISAKMP:(0:102:HW:2): vendor ID seems Unity/DPD but major 194 mismatch

*May 30 02:22:33.315: ISAKMP:(0:102:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*May 30 02:22:33.315: ISAKMP:(0:102:HW:2):Old State = IKE_I_MM2  New State = IKE_I_MM2

*May 30 02:22:33.315: ISAKMP:(0:102:HW:2): sending packet to 41.204.95.12 my_port 500 peer_port 500 (I) MM_SA_SETUP

*May 30 02:22:33.315: ISAKMP:(0:102:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*May 30 02:22:33.315: ISAKMP:(0:102:HW:2):Old State = IKE_I_MM2  New State = IKE_I_MM3

*May 30 02:22:33.459: ISAKMP:(0:100:HW:2):purging SA., sa=64A7CA0C, delme=64A7CA0C

*May 30 02:22:33.523: ISAKMP (0:268435558): received packet from 41.204.95.12 dport 500 sport 500 Global (I) MM_SA_SETUP

*May 30 02:22:33.523: ISAKMP:(0:102:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*May 30 02:22:33.523: ISAKMP:(0:102:HW:2):Old State = IKE_I_MM3  New State = IKE_I_MM4

*May 30 02:22:33.523: ISAKMP:(0:102:HW:2): processing KE payload. message ID = 0

*May 30 02:22:33.531: ISAKMP:(0:102:HW:2): processing NONCE payload. message ID = 0

*May 30 02:22:33.531: ISAKMP: Looking for a matching key for 41.204.95.12 in default : success

*May 30 02:22:33.531: ISAKMP:(0:102:HW:2):found peer pre-shared key matching 41.204.95.12

*May 30 02:22:33.531: ISAKMP: Looking for a matching key for 41.204.95.12 in default : success

*May 30 02:22:33.531: ISAKMP:(0:102:HW:2):found peer pre-shared key matching 41.204.95.12

*May 30 02:22:33.535: ISAKMP:(0:102:HW:2):SKEYID state generated

*May 30 02:22:33.535: ISAKMP:(0:102:HW:2): processing vendor id payload

*May 30 02:22:33.535: ISAKMP:(0:102:HW:2): vendor ID is Unity

*May 30 02:22:33.535: ISAKMP:(0:102:HW:2): processing vendor id payload

*May 30 02:22:33.535: ISAKMP:(0:102:HW:2): vendor ID seems Unity/DPD but major 49 mismatch

*May 30 02:22:33.535: ISAKMP:(0:102:HW:2): vendor ID is XAUTH

*May 30 02:22:33.535: ISAKMP:(0:102:HW:2): processing vendor id payload

*May 30 02:22:33.535: ISAKMP:(0:102:HW:2): speaking to another IOS box!

*May 30 02:22:33.535: ISAKMP:(0:102:HW:2): processing vendor id payload

*May 30 02:22:33.535: ISAKMP:(0:102:HW:2):vendor ID seems Unity/DPD but hash mismatch

*May 30 02:22:33.535: ISAKMP:received payload type 17

*May 30 02:22:33.535: ISAKMP:received payload type 17

*May 30 02:22:33.535: ISAKMP:(0:102:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*May 30 02:22:33.535: ISAKMP:(0:102:HW:2):Old State = IKE_I_MM4  New State = IKE_I_MM4

*May 30 02:22:33.539: ISAKMP:(0:102:HW:2):Send initial contact

*May 30 02:22:33.539: ISAKMP:(0:102:HW:2):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*May 30 02:22:33.539: ISAKMP (0:268435558): ID payload

        next-payload : 8

        type         : 1

        address      : 80.15.109.174

        protocol     : 17

        port         : 500

        length       : 12

*May 30 02:22:33.539: ISAKMP:(0:102:HW:2):Total payload length: 12

*May 30 02:22:33.539: ISAKMP:(0:102:HW:2): sending packet to 41.204.95.12 my_port 500 peer_port 500 (I) MM_KEY_EXCH

*May 30 02:22:33.539: ISAKMP:(0:102:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*May 30 02:22:33.539: ISAKMP:(0:102:HW:2):Old State = IKE_I_MM4  New State = IKE_I_MM5

*May 30 02:22:33.743: ISAKMP (0:268435558): received packet from 41.204.95.12 dport 500 sport 500 Global (I) MM_KEY_EXCH

*May 30 02:22:33.743: ISAKMP:(0:102:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*May 30 02:22:33.743: ISAKMP:(0:102:HW:2):Old State = IKE_I_MM5  New State = IKE_I_MM6

*May 30 02:22:33.743: ISAKMP:(0:102:HW:2): processing ID payload. message ID = 0

*May 30 02:22:33.743: ISAKMP (0:268435558): ID payload

        next-payload : 8

        type         : 1

        address      : 41.204.95.12

        protocol     : 17

        port         : 0

        length       : 12

*May 30 02:22:33.743: ISAKMP:(0:102:HW:2):: peer matches *none* of the profiles

*May 30 02:22:33.743: ISAKMP:(0:102:HW:2): processing HASH payload. message ID = 0

*May 30 02:22:33.743: ISAKMP:received payload type 14

*May 30 02:22:33.743: ISAKMP:(0:102:HW:2): processing vendor id payload

*May 30 02:22:33.747: ISAKMP:(0:102:HW:2): vendor ID is DPD

*May 30 02:22:33.747: ISAKMP:(0:102:HW:2):SA authentication status:

        authenticated

*May 30 02:22:33.747: ISAKMP:(0:102:HW:2):SA has been authenticated with 41.204.95.12

*May 30 02:22:33.747: ISAKMP: Trying to insert a peer 80.15.109.174/41.204.95.12/500/,  and inserted successfully.

*May 30 02:22:33.747: ISAKMP:(0:102:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*May 30 02:22:33.747: ISAKMP:(0:102:HW:2):Old State = IKE_I_MM6  New State = IKE_I_MM6

*May 30 02:22:33.747: ISAKMP:(0:0:N/A:0):Can't decrement IKE Call Admisstion Control stat  outgoing_negotiating since it's already 0.

*May 30 02:22:33.747: ISAKMP:(0:102:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*May 30 02:22:33.747: ISAKMP:(0:102:HW:2):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*May 30 02:22:33.747: ISAKMP:(0:102:HW:2):beginning Quick Mode exchange, M-ID of 12771960

*May 30 02:22:33.751: ISAKMP:(0:102:HW:2): sending packet to 41.204.95.12 my_port 500 peer_port 500 (I) QM_IDLE

*May 30 02:22:33.751: ISAKMP:(0:102:HW:2):Node 12771960, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

*May 30 02:22:33.751: ISAKMP:(0:102:HW:2):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1

*May 30 02:22:33.751: ISAKMP:(0:102:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*May 30 02:22:33.751: ISAKMP:(0:102:HW:2):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*May 30 02:22:33.955: ISAKMP (0:268435558): received packet from 41.204.95.12 dport 500 sport 500 Global (I) QM_IDLE

*May 30 02:22:33.955: ISAKMP: set new node -579016046 to QM_IDLE

*May 30 02:22:33.959: ISAKMP:(0:102:HW:2): processing HASH payload. message ID = -579016046

*May 30 02:22:33.959: ISAKMP:(0:102:HW:2): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

        spi 0, message ID = -579016046, sa = 6496207C
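
An added example, not part of the original posts: a small Python parser for `debug crypto isakmp` output that reports how far the negotiation got, which notifications the peer sent, and whether a weak cipher appears in the ISAKMP transform. The function names are illustrative, the sample lines are taken from the debug output above, and the parser assumes the log covers a single negotiation attempt.

```python
import re

# Sample input: five lines taken from the debug output in the post above.
SAMPLE = """\
*May 30 02:22:33.103: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
*May 30 02:22:33.307: ISAKMP:      encryption DES-CBC
*May 30 02:22:33.747: ISAKMP:(0:102:HW:2):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*May 30 02:22:33.751: ISAKMP:(0:102:HW:2):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*May 30 02:22:33.959: ISAKMP:(0:102:HW:2): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

# Protocol IDs defined by the IPsec DOI (RFC 2407).
DOI_PROTO = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
NOTIFY_RE = re.compile(r"processing NOTIFY (\S+) protocol (\d+)")
ENC_RE = re.compile(r"ISAKMP:\s+encryption (\S+)")
WEAK_ENC = {"DES-CBC"}  # single DES, 56-bit key


def summarize(log):
    """Walk 'debug crypto isakmp' lines and record how far negotiation got."""
    out = {"phase1_complete": False, "last_state": None,
           "notifies": [], "weak_encryption": set()}
    for line in log.splitlines():
        if m := STATE_RE.search(line):
            out["last_state"] = m.group(2)
            if m.group(2) == "IKE_P1_COMPLETE":
                out["phase1_complete"] = True
        elif m := NOTIFY_RE.search(line):
            proto = DOI_PROTO.get(int(m.group(2)), "unknown")
            out["notifies"].append((m.group(1), proto))
        elif (m := ENC_RE.search(line)) and m.group(1) in WEAK_ENC:
            out["weak_encryption"].add(m.group(1))
    return out


def diagnose(s):
    """Turn the summary into a short list of findings for the operator."""
    findings = []
    if s["phase1_complete"]:
        findings.append("phase 1 (Main Mode) completed")
    else:
        findings.append(f"phase 1 stalled at {s['last_state']}")
    for name, proto in s["notifies"]:
        findings.append(f"peer sent {name} for {proto}")
    for enc in sorted(s["weak_encryption"]):
        findings.append(f"ISAKMP transform uses weak cipher {enc}")
    return findings


if __name__ == "__main__":
    print("\n".join(diagnose(summarize(SAMPLE))))
```

Protocol 3 in the NOTIFY is ESP, so the rejection concerns the phase 2 (IPsec) proposal sent in Quick Mode rather than the ISAKMP policy; the IPsec transform sets on the two peers are the place to compare.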