05-23-2023 09:15 AM
I'm working in a lab to set up a connection from an ARM processor that has to use strongSwan to connect to my Catalyst C8000V router. In the configuration I have an IP address pool, which I have specified as "ip local pool isakmp-pool 192.168.200.21 192.168.200.30". I have called the pool in my "group vpnclient" and applied that the rest of the way up the command chain. However, when initiating the connection I get hundreds of ISAKMP SAs and they all error out, which according to the Cisco debug is: ISAKMP-ERROR: (44657):No IP address pool defined for ISAKMP!
I would appreciate whatever direction or advice you might be able to give me as to why it thinks there is no ISAKMP pool assigned.
DEBUG LOG:
*May 22 18:30:05.269: ISAKMP-PAK: (44657):received packet from 192.168.122.149 dport 500 sport 500 Global (R) CONF_XAUTH
*May 22 18:30:05.269: ISAKMP: (44657):processing transaction payload from 192.168.122.149. message ID = 1503233085
*May 22 18:30:05.269: ISAKMP: (44657):Config payload ACK
*May 22 18:30:05.269: ISAKMP: (44657): XAUTH ACK Processed
*May 22 18:30:05.269: ISAKMP: (44657):deleting node 1503233085 error FALSE reason "Transaction mode done"
*May 22 18:30:05.269: ISAKMP: (44657):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
*May 22 18:30:05.269: ISAKMP: (44657):Old State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE
*May 22 18:30:05.270: ISAKMP-PAK: (44657):received packet from 192.168.122.149 dport 500 sport 500 Global (R) QM_IDLE
*May 22 18:30:05.270: ISAKMP: (44657):set new node 1918093799 to QM_IDLE
*May 22 18:30:05.270: ISAKMP: (44657):processing transaction payload from 192.168.122.149. message ID = 1918093799
*May 22 18:30:05.270: ISAKMP: (44657):Config payload REQUEST
*May 22 18:30:05.270: ISAKMP: (44657):checking request:
*May 22 18:30:05.270: ISAKMP: (44657): IP4_ADDRESS
*May 22 18:30:05.270: ISAKMP: (44657): IP4_DNS
*May 22 18:30:05.270: ISAKMP: (44657): SPLIT_INCLUDE
*May 22 18:30:05.270: ISAKMP: (44657): INCLUDE_LOCAL_LAN
*May 22 18:30:05.270: ISAKMP: (44657):attributes sent in message:
*May 22 18:30:05.270: ISAKMP: (44657): Address: 192.168.200.25
*May 22 18:30:05.270: ISAKMP-ERROR: (44657):No IP address pool defined for ISAKMP!
*May 22 18:30:05.270: ISAKMP: (44657):peer does not do paranoid keepalives.
*May 22 18:30:05.270: ISAKMP-ERROR: (44657):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR (peer 192.168.122.149)
CISCO C8000V RUNNING CONFIGURATION
crypto isakmp policy 1
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key password address 192.168.122.149
crypto isakmp keepalive 10
!
crypto isakmp client configuration group vpnclient
 key cisco
 domain cisco.com
 pool isakmp-pool
crypto isakmp profile vpnclient
 match identity group vpnclient
 client authentication list userauthen
 client configuration address respond
 client configuration group vpnclient
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set test esp-aes esp-sha-hmac
 mode tunnel
!
crypto dynamic-map dynmap 1
 set transform-set test
 reverse-route
!
crypto map clientmap client authentication list userauthen
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp dynamic dynmap
!
interface GigabitEthernet1
 ip dhcp client client-id ascii 9WS3M1KP3US
 ip address dhcp
 negotiation auto
 no mop enabled
 no mop sysid
 crypto map clientmap
!
interface GigabitEthernet3
 ip address dhcp
 negotiation auto
 no mop enabled
 no mop sysid
!
ip local pool isakmp-pool 192.168.200.21 192.168.200.30
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet1
!
ip ssh version 2
!
ip access-list extended cryptoacl
 10 permit ip 192.168.122.0 0.0.0.255 192.168.122.0 0.0.0.255
ip access-list extended split
 10 permit ip host 192.168.200.1 any
 20 permit ip host 192.168.122.8 any
05-23-2023 09:33 AM
crypto isakmp profile vpnclient
 match identity group vpnclient
 client authentication list userauthen
 client configuration address respond
 client configuration group vpnclient
First, try removing the ISAKMP profile.
05-23-2023 11:21 AM
I still receive the same error somehow, despite removing the ISAKMP profile with "no crypto isakmp profile vpnclient":
*May 23 17:29:59.644: ISAKMP-PAK: (1185):received packet from 192.168.122.149 dport 500 sport 500 Global (R) QM_IDLE
*May 23 17:29:59.644: ISAKMP: (1185):set new node 1809489794 to QM_IDLE
*May 23 17:29:59.644: ISAKMP: (1185):processing transaction payload from 192.168.122.149. message ID = 1809489794
*May 23 17:29:59.644: ISAKMP: (1185):Config payload REQUEST
*May 23 17:29:59.644: ISAKMP: (1185):checking request:
*May 23 17:29:59.644: ISAKMP: (1185): IP4_ADDRESS
*May 23 17:29:59.644: ISAKMP: (0):IPV6 not support config mode
*May 23 17:29:59.644: ISAKMP: (1185): IP4_ADDRESS
*May 23 17:29:59.644: ISAKMP-ERROR: (1185): Unknown Attr: 0x8
*May 23 17:29:59.644: ISAKMP: (1185): IP4_DNS
*May 23 17:29:59.644: ISAKMP: (0):IPV6 not support config mode
*May 23 17:29:59.644: ISAKMP: (1185): IP4_DNS
*May 23 17:29:59.644: ISAKMP-ERROR: (1185): Unknown Attr: 0xA
*May 23 17:29:59.644: ISAKMP: (1185): SPLIT_INCLUDE
*May 23 17:29:59.644: ISAKMP: (1185): INCLUDE_LOCAL_LAN
*May 23 17:29:59.644: ISAKMP: (1185):attributes sent in message:
*May 23 17:29:59.644: ISAKMP: (1185): Address: 0.8.0.0
*May 23 17:29:59.644: ISAKMP-ERROR: (1185):No IP address pool defined for ISAKMP!
*May 23 17:29:59.645: ISAKMP: (1185):peer does not do paranoid keepalives.
*May 23 17:29:59.645: ISAKMP-ERROR: (1185):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR (peer 192.168.122.149)
05-23-2023 12:25 PM
Sorry, I know little about the client config in IPsec.
I checked my notes.
AAA must be configured:
aaa new-model
aaa authorization network local <<-
And keep the ISAKMP profile; don't remove it.