03-03-2006 02:47 PM - edited 02-21-2020 02:17 PM
Hi,
I'm trying to set up a 2811 v12.4(5) router with site-to-site IPsec tunnels
to Windows Server 2003 servers at a data centre. Each tunnel is to a
single 2003 server.
The config is based on the well advertised info at:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b12b5.shtml
and...
http://support.microsoft.com/default.aspx?scid=kb;en-us;816514
The only difference is that there's clearly no network 'behind' the
2003 server - it just has a 192.168.202.1 private address that's used
from the network behind the Cisco (192.168.100.0/255.255.255.0).
There's obviously a static route on the 2003 server for the
192.168.100.0 network pointing back to the Cisco peer.
However, although both the 2811 and the 2003 server indicate that both
phase 1 & 2 SAs are successfully setup, no traffic can be routed over
the tunnel and it drops after 5 mins.
The 2811 indicates several packets encapsulated with some send errors
and none being decapsulated, which makes sense given the lack of
traffic across the tunnel.
The log excerpt below, from the 2003 server's Oakley log, shows the
successful completion of phase 2 and then the drop after 5 mins.
I'd appreciate any pointers from anyone who's had experience in getting
a Cisco-MS IPsec tunnel up and running successfully.
Many thanks,
James
3-03: 20:03:19:192:1f28 Adding QMs: src = 192.168.202.1.0000, dst =
192.168.100.0.0000, proto = 00, context = 000002E5, my tunnel =
x.x.x.x, peer tunnel = y.y.y.y, SrcMask = 0.0.0.0, DestMask =
255.255.255.0 Lifetime = 3600 LifetimeKBytes 100000 dwFlags 1 Direction
1 EncapType 1
3-03: 20:03:19:192:1f28 Algo[0] Operation: ESP Algo: DES CBC HMAC:
MD5
3-03: 20:03:19:192:1f28 Algo[0] MySpi: 773182938 PeerSpi: 4012818715
3-03: 20:03:19:192:1f28 Encap Ports Src 500 Dst 500
3-03: 20:03:19:192:1f28 isadb_set_status sa:01C039B0 centry:01C83C60
status 0
3-03: 20:03:19:192:1f28 Constructing Commit Notify
3-03: 20:03:19:192:1f28 constructing ISAKMP Header
3-03: 20:03:19:192:1f28 constructing HASH (null)
3-03: 20:03:19:192:1f28 constructing NOTIFY 16384
3-03: 20:03:19:192:1f28 constructing HASH (QM)
3-03: 20:03:19:192:1f28
3-03: 20:03:19:192:1f28 Sending: SA = 0x01C039B0 to y.y.y.y:Type 4.500
3-03: 20:03:19:192:1f28 ISAKMP Header: (V1.0), len = 76
3-03: 20:03:19:192:1f28 I-COOKIE 2a798ab2edfdb903
3-03: 20:03:19:192:1f28 R-COOKIE f53edfad5d086eaf
3-03: 20:03:19:192:1f28 exchange: Oakley Quick Mode
3-03: 20:03:19:192:1f28 flags: 3 ( encrypted commit )
3-03: 20:03:19:192:1f28 next payload: HASH
3-03: 20:03:19:192:1f28 message ID: 72de9cce
3-03: 20:03:19:192:1f28 Ports S:f401 D:f401
3-03: 20:03:28:677:1f28 ClearFragList
3-03: 20:04:13:692:1f28 CE Dead. sa:01C039B0 ce:01C83C60 status:35f0
3-03: 20:08:18:255:24a0
3-03: 20:08:18:255:24a0 Receive: (get) SA = 0x01c039b0 from
y.y.y.y.500
3-03: 20:08:18:255:24a0 ISAKMP Header: (V1.0), len = 76
3-03: 20:08:18:255:24a0 I-COOKIE 2a798ab2edfdb903
3-03: 20:08:18:255:24a0 R-COOKIE f53edfad5d086eaf
3-03: 20:08:18:255:24a0 exchange: ISAKMP Informational Exchange
3-03: 20:08:18:255:24a0 flags: 1 ( encrypted )
3-03: 20:08:18:255:24a0 next payload: HASH
3-03: 20:08:18:255:24a0 message ID: b24f8b73
3-03: 20:08:18:255:24a0 processing HASH (Notify/Delete)
3-03: 20:08:18:255:24a0 processing payload DELETE
3-03: 20:08:18:255:24a0 Expiring SPI 773182938 src 1f8a0c54 dst
eccdabd5
3-03: 20:08:18:255:24a0 QM Deleted. Notify from driver: Src
192.168.202.1 Dest 192.168.100.0 InSPI 773182938 OutSpi 4012818715
Tunnel 1f8a0c54 TunnelFilter 0
3-03: 20:08:18:255:24a0 PrivatePeerAddr 0
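Given the timestamps in that log, here is an added example (mine, not from the post, Cisco or Microsoft) that parses an Oakley excerpt and reconstructs the Quick Mode SA's life: when it was added, when the DELETE arrived, whether the DELETE was received from the peer, and whether the teardown happened at the negotiated lifetime. The excerpt embedded in it is a constructed copy of the lines above with the wrapped lines joined, and the script assumes the excerpt falls within one day, since the Oakley format does not log the year.

```python
import re
# Constructed excerpt modelled on the Oakley log quoted in the post (same
# timestamps, SPIs and selectors; wrapped lines joined back together).
OAKLEY_LOG = """\
3-03: 20:03:19:192:1f28 Adding QMs: src = 192.168.202.1.0000, dst = 192.168.100.0.0000, proto = 00, context = 000002E5, my tunnel = x.x.x.x, peer tunnel = y.y.y.y, SrcMask = 0.0.0.0, DestMask = 255.255.255.0 Lifetime = 3600 LifetimeKBytes 100000 dwFlags 1 Direction 1 EncapType 1
3-03: 20:03:19:192:1f28 Algo[0] MySpi: 773182938 PeerSpi: 4012818715
3-03: 20:04:13:692:1f28 CE Dead. sa:01C039B0 ce:01C83C60 status:35f0
3-03: 20:08:18:255:24a0 Receive: (get) SA = 0x01c039b0 from y.y.y.y.500
3-03: 20:08:18:255:24a0 processing payload DELETE
3-03: 20:08:18:255:24a0 QM Deleted. Notify from driver: Src 192.168.202.1 Dest 192.168.100.0 InSPI 773182938 OutSpi 4012818715 Tunnel 1f8a0c54 TunnelFilter 0
"""

# "M-DD: HH:MM:SS:mmm:thread message" -- the year is not logged, so time is
# tracked as milliseconds since midnight (assumes the excerpt spans one day).
LINE = re.compile(r"^\d+-\d+: (\d+):(\d+):(\d+):(\d+):\w+ (.*)$")

def parse_line(line):
    hh, mm, ss, ms, rest = LINE.match(line).groups()
    return (int(hh) * 3600 + int(mm) * 60 + int(ss)) * 1000 + int(ms), rest

def triage_qm(log):
    """Reconstruct the QM SA lifecycle: added when, deleted when, by whom, vs lifetime."""
    added = deleted = lifetime = my_spi = deleted_spi = None
    delete_from_peer = False
    for line in log.splitlines():
        t, rest = parse_line(line)
        if rest.startswith("Adding QMs:"):
            added = t
            lifetime = int(re.search(r"Lifetime = (\d+)", rest).group(1))
        elif rest.startswith("Algo["):
            my_spi = int(re.search(r"MySpi: (\d+)", rest).group(1))
        elif "processing payload DELETE" in rest:
            delete_from_peer = True  # "processing" = payload was received, not built
        elif rest.startswith("QM Deleted."):
            deleted = t
            deleted_spi = int(re.search(r"InSPI (\d+)", rest).group(1))
    held_ms = deleted - added
    return {
        "same_sa": my_spi == deleted_spi,      # the delete refers to the SA we added
        "held_ms": held_ms,
        "lifetime_s": lifetime,
        "lifetime_expiry": held_ms >= lifetime * 1000,  # False: torn down early
        "deleted_by_peer": delete_from_peer,
    }

if __name__ == "__main__":
    r = triage_qm(OAKLEY_LOG)
    print(f"SA held {r['held_ms'] / 1000:.0f} s of a {r['lifetime_s']} s lifetime; "
          f"deleted by peer: {r['deleted_by_peer']}, same SA: {r['same_sa']}")
```

On this excerpt it reports the SA held for 299 s of a 3600 s lifetime and torn down by an inbound DELETE, i.e. the peer removed it well before lifetime expiry, which is the fact to take to the router side of the investigation.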
03-09-2006 07:31 PM
I would say:
- router needs transport mode configured (it's probably in tunnel mode and Win2k3 wants transport mode)
- remove the static route on the Win2k3 server.
Post your 2811 config.
03-11-2006 03:02 AM
The article at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;816514
...dictates that it should be in tunnel mode and a static route configured in order for it to function!
03-29-2006 03:30 PM
James,
12.4.5 is very buggy on 2811s; without seeing your router config, I would say upgrade IOS as well.
Check the bug toolkit.