C8000V Not Recognizing IP Address Pool

masonob
Level 1

I'm working in a lab to set up a connection from an ARM processor that has to use strongSwan to connect to my Catalyst C8000V router. In the configuration I have specified an IP address pool, "ip local pool isakmp-pool 192.168.200.21 192.168.200.30", I have called the pool in my "group vpnclient", and I have applied that the rest of the way up the command chain. However, when initiating the connection I get hundreds of ISAKMP SAs and they all error out; according to the Cisco debug, the error is: ISAKMP-ERROR: (44657):No IP address pool defined for ISAKMP!

I would appreciate any direction or advice you might be able to give me as to why it thinks there is no ISAKMP pool assigned.

DEBUG LOG:

 

*May 22 18:30:05.269: ISAKMP-PAK: (44657):received packet from 192.168.122.149 dport 500 sport 500 Global (R) CONF_XAUTH  
*May 22 18:30:05.269: ISAKMP: (44657):processing transaction payload from 192.168.122.149. message ID = 1503233085
*May 22 18:30:05.269: ISAKMP: (44657):Config payload ACK
*May 22 18:30:05.269: ISAKMP: (44657):       XAUTH ACK Processed
*May 22 18:30:05.269: ISAKMP: (44657):deleting node 1503233085 error FALSE reason "Transaction mode done"
*May 22 18:30:05.269: ISAKMP: (44657):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
*May 22 18:30:05.269: ISAKMP: (44657):Old State = IKE_XAUTH_SET_SENT  New State = IKE_P1_COMPLETE

*May 22 18:30:05.270: ISAKMP-PAK: (44657):received packet from 192.168.122.149 dport 500 sport 500 Global (R) QM_IDLE     
*May 22 18:30:05.270: ISAKMP: (44657):set new node 1918093799 to QM_IDLE     
*May 22 18:30:05.270: ISAKMP: (44657):processing transaction payload from 192.168.122.149. message ID = 1918093799
*May 22 18:30:05.270: ISAKMP: (44657):Config payload REQUEST
*May 22 18:30:05.270: ISAKMP: (44657):checking request:
*May 22 18:30:05.270: ISAKMP: (44657):    IP4_ADDRESS
*May 22 18:30:05.270: ISAKMP: (44657):    IP4_DNS
*May 22 18:30:05.270: ISAKMP: (44657):    SPLIT_INCLUDE
*May 22 18:30:05.270: ISAKMP: (44657):    INCLUDE_LOCAL_LAN
*May 22 18:30:05.270: ISAKMP: (44657):attributes sent in message:
*May 22 18:30:05.270: ISAKMP: (44657):        Address: 192.168.200.25
*May 22 18:30:05.270: ISAKMP-ERROR: (44657):No IP address pool defined for ISAKMP!
*May 22 18:30:05.270: ISAKMP: (44657):peer does not do paranoid keepalives.
*May 22 18:30:05.270: ISAKMP-ERROR: (44657):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR     (peer 192.168.122.149)

 

 CISCO C8000V RUNNING CONFIGURATION

 

crypto isakmp policy 1
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key password address 192.168.122.149
crypto isakmp keepalive 10
!
crypto isakmp client configuration group vpnclient
 key cisco
 domain cisco.com
 pool isakmp-pool
crypto isakmp profile vpnclient
   match identity group vpnclient
   client authentication list userauthen
   client configuration address respond
   client configuration group vpnclient
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set test esp-aes esp-sha-hmac 
 mode tunnel
!
crypto dynamic-map dynmap 1
 set transform-set test 
 reverse-route
! 
crypto map clientmap client authentication list userauthen
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp dynamic dynmap 
!
interface GigabitEthernet1
 ip dhcp client client-id ascii 9WS3M1KP3US
 ip address dhcp
 negotiation auto
 no mop enabled
 no mop sysid
 crypto map clientmap
!
interface GigabitEthernet3
 ip address dhcp
 negotiation auto
 no mop enabled
 no mop sysid
!
ip local pool isakmp-pool 192.168.200.21 192.168.200.30
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet1
!
ip ssh version 2
!
ip access-list extended cryptoacl
 10 permit ip 192.168.122.0 0.0.0.255 192.168.122.0 0.0.0.255
ip access-list extended split
 10 permit ip host 192.168.200.1 any
 20 permit ip host 192.168.122.8 any

 

 

3 Replies

crypto isakmp profile vpnclient
   match identity group vpnclient
   client authentication list userauthen
   client configuration address respond
   client configuration group vpnclient

First, try removing the ISAKMP profile.

I still receive the same error somehow, despite removing the ISAKMP profile ("no crypto isakmp profile vpnclient"):

 

*May 23 17:29:59.644: ISAKMP-PAK: (1185):received packet from 192.168.122.149 dport 500 sport 500 Global (R) QM_IDLE      
*May 23 17:29:59.644: ISAKMP: (1185):set new node 1809489794 to QM_IDLE      
*May 23 17:29:59.644: ISAKMP: (1185):processing transaction payload from 192.168.122.149. message ID = 1809489794
*May 23 17:29:59.644: ISAKMP: (1185):Config payload REQUEST
*May 23 17:29:59.644: ISAKMP: (1185):checking request:
*May 23 17:29:59.644: ISAKMP: (1185):    IP4_ADDRESS
*May 23 17:29:59.644: ISAKMP: (0):IPV6 not support config mode
*May 23 17:29:59.644: ISAKMP: (1185):    IP4_ADDRESS
*May 23 17:29:59.644: ISAKMP-ERROR: (1185): Unknown Attr: 0x8
*May 23 17:29:59.644: ISAKMP: (1185):    IP4_DNS
*May 23 17:29:59.644: ISAKMP: (0):IPV6 not support config mode
*May 23 17:29:59.644: ISAKMP: (1185):    IP4_DNS
*May 23 17:29:59.644: ISAKMP-ERROR: (1185): Unknown Attr: 0xA
*May 23 17:29:59.644: ISAKMP: (1185):    SPLIT_INCLUDE
*May 23 17:29:59.644: ISAKMP: (1185):    INCLUDE_LOCAL_LAN
*May 23 17:29:59.644: ISAKMP: (1185):attributes sent in message:
*May 23 17:29:59.644: ISAKMP: (1185):        Address: 0.8.0.0
*May 23 17:29:59.644: ISAKMP-ERROR: (1185):No IP address pool defined for ISAKMP!
*May 23 17:29:59.645: ISAKMP: (1185):peer does not do paranoid keepalives.
*May 23 17:29:59.645: ISAKMP-ERROR: (1185):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR     (peer 192.168.122.149)

 

 

Sorry, I have little about the client config in IPsec.
I checked my notes.
AAA must be configured:
aaa new-model
aaa authorization network local <<-
And keep the ISAKMP profile; don't remove it.