Cisco ipsec tunnel to linux

TradeMarkX5
Level 1

I'm trying to connect my Cisco router as an IPsec client to libreswan running on a Linux VM in the AWS cloud, but it isn't working. Cisco debug below:

Oct  7 17:14:21.111: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.21.2:500, remote= 8.8.8.8:500,
    local_proxy= 192.168.21.2/255.255.255.255/17/1701,
    remote_proxy= 8.8.8.8/255.255.255.255/17/1701,
    protocol= ESP, transform= esp-aes 256 esp-sha256-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Oct  7 17:14:21.111: ISAKMP:(0): SA request profile is (NULL)
Oct  7 17:14:21.111: ISAKMP: Created a peer struct for 8.8.8.8, peer port 500
Oct  7 17:14:21.111: ISAKMP: New peer created peer = 0x11BC8440 peer_handle = 0x80001410
Oct  7 17:14:21.111: ISAKMP: Locking peer struct 0x11BC8440, refcount 1 for isakmp_initiator
Oct  7 17:14:21.111: ISAKMP: local port 500, remote port 500
Oct  7 17:14:21.111: ISAKMP: set new node 0 to QM_IDLE
Oct  7 17:14:21.111: ISAKMP:(0):insert sa successfully sa = 11DD1A74
Oct  7 17:14:21.111: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Oct  7 17:14:21.111: ISAKMP:(0):found peer pre-shared key matching 8.8.8.8
Oct  7 17:14:21.111: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Oct  7 17:14:21.111: ISAKMP:(0): constructed NAT-T vendor-07 ID
Oct  7 17:14:21.111: ISAKMP:(0): constructed NAT-T vendor-03 ID
Oct  7 17:14:21.111: ISAKMP:(0): constructed NAT-T vendor-02 ID
Oct  7 17:14:21.111: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Oct  7 17:14:21.111: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Oct  7 17:14:21.111: ISAKMP:(0): beginning Main Mode exchange
Oct  7 17:14:21.111: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:14:21.111: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct  7 17:14:31.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct  7 17:14:31.111: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Oct  7 17:14:31.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Oct  7 17:14:31.111: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:14:31.111: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct  7 17:14:41.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct  7 17:14:41.111: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Oct  7 17:14:41.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Oct  7 17:14:41.111: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:14:41.111: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct  7 17:14:51.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct  7 17:14:51.111: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Oct  7 17:14:51.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Oct  7 17:14:51.111: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:14:51.111: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct  7 17:14:51.111: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 1,
  (identity) local= 192.168.21.2:0, remote= 8.8.8.8:0,
    local_proxy= 192.168.21.2/255.255.255.255/17/1701,
    remote_proxy= 8.8.8.8/255.255.255.255/17/1701
Oct  7 17:14:51.111: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.21.2:500, remote= 8.8.8.8:500,
    local_proxy= 192.168.21.2/255.255.255.255/17/1701,
    remote_proxy= 8.8.8.8/255.255.255.255/17/1701,
    protocol= ESP, transform= esp-aes 256 esp-sha256-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Oct  7 17:14:51.111: ISAKMP: set new node 0 to QM_IDLE
Oct  7 17:14:51.111: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 192.168.21.2, remote 8.8.8.8)
Oct  7 17:14:51.111: ISAKMP: Error while processing SA request: Failed to initialize SA
Oct  7 17:14:51.111: ISAKMP: Error while processing KMI message 0, error 2.
Oct  7 17:15:01.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct  7 17:15:01.111: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Oct  7 17:15:01.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Oct  7 17:15:01.111: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:15:01.111: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct  7 17:15:11.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct  7 17:15:11.111: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Oct  7 17:15:11.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Oct  7 17:15:11.111: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:15:11.111: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct  7 17:15:21.111: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 2,
  (identity) local= 192.168.21.2:0, remote= 8.8.8.8:0,
    local_proxy= 192.168.21.2/255.255.255.255/17/1701,
    remote_proxy= 8.8.8.8/255.255.255.255/17/1701
Oct  7 17:15:21.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct  7 17:15:21.111: ISAKMP:(0):peer does not do paranoid keepalives.

Oct  7 17:15:21.111: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 8.8.8.8)
Oct  7 17:15:21.111: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 8.8.8.8)
Oct  7 17:15:21.111: ISAKMP: Unlocking peer struct 0x11BC8440 for isadb_mark_sa_deleted(), count 0
Oct  7 17:15:21.111: ISAKMP: Deleting peer node by peer_reap for 8.8.8.8: 11BC8440
Oct  7 17:15:21.111: ISAKMP:(0):deleting node 1139952207 error FALSE reason "IKE deleted"
Oct  7 17:15:21.111: ISAKMP:(0):deleting node -254195246 error FALSE reason "IKE deleted"
Oct  7 17:15:21.111: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Oct  7 17:15:21.111: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

Oct  7 17:15:21.111: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Oct  7 17:15:40.087: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.21.2:500, remote= 8.8.8.8:500,
    local_proxy= 192.168.21.2/255.255.255.255/17/1701,
    remote_proxy= 8.8.8.8/255.255.255.255/17/1701,
    protocol= ESP, transform= esp-aes 256 esp-sha256-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Oct  7 17:15:40.087: ISAKMP:(0): SA request profile is (NULL)
Oct  7 17:15:40.087: ISAKMP: Created a peer struct for 8.8.8.8, peer port 500
Oct  7 17:15:40.087: ISAKMP: New peer created peer = 0x11B902AC peer_handle = 0x80000087
Oct  7 17:15:40.087: ISAKMP: Locking peer struct 0x11B902AC, refcount 1 for isakmp_initiator
Oct  7 17:15:40.087: ISAKMP: local port 500, remote port 500
Oct  7 17:15:40.087: ISAKMP: set new node 0 to QM_IDLE
Oct  7 17:15:40.087: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 20B5EA4
Oct  7 17:15:40.087: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Oct  7 17:15:40.087: ISAKMP:(0):found peer pre-shared key matching 8.8.8.8
Oct  7 17:15:40.087: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Oct  7 17:15:40.087: ISAKMP:(0): constructed NAT-T vendor-07 ID
Oct  7 17:15:40.087: ISAKMP:(0): constructed NAT-T vendor-03 ID
Oct  7 17:15:40.087: ISAKMP:(0): constructed NAT-T vendor-02 ID
Oct  7 17:15:40.087: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Oct  7 17:15:40.087: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Oct  7 17:15:40.087: ISAKMP:(0): beginning Main Mode exchange
Oct  7 17:15:40.087: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:15:40.087: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct  7 17:15:50.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct  7 17:15:50.087: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Oct  7 17:15:50.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Oct  7 17:15:50.087: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:15:50.087: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct  7 17:16:00.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct  7 17:16:00.087: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Oct  7 17:16:00.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Oct  7 17:16:00.087: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:16:00.087: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct  7 17:16:10.087: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 1,
  (identity) local= 192.168.21.2:0, remote= 8.8.8.8:0,
    local_proxy= 192.168.21.2/255.255.255.255/17/1701,
    remote_proxy= 8.8.8.8/255.255.255.255/17/1701
Oct  7 17:16:10.087: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.21.2:500, remote= 8.8.8.8:500,
    local_proxy= 192.168.21.2/255.255.255.255/17/1701,
    remote_proxy= 8.8.8.8/255.255.255.255/17/1701,
    protocol= ESP, transform= esp-aes 256 esp-sha256-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Oct  7 17:16:10.087: ISAKMP: set new node 0 to QM_IDLE
Oct  7 17:16:10.087: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 192.168.21.2, remote 8.8.8.8)
Oct  7 17:16:10.087: ISAKMP: Error while processing SA request: Failed to initialize SA
Oct  7 17:16:10.087: ISAKMP: Error while processing KMI message 0, error 2.
Oct  7 17:16:10.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct  7 17:16:10.087: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Oct  7 17:16:10.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Oct  7 17:16:10.087: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:16:10.087: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct  7 17:16:11.111: ISAKMP:(0):purging node 1139952207
Oct  7 17:16:11.111: ISAKMP:(0):purging node -254195246
Oct  7 17:16:20.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct  7 17:16:20.087: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Oct  7 17:16:20.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Oct  7 17:16:20.087: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:16:20.087: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct  7 17:16:21.111: ISAKMP:(0):purging SA., sa=11DD1A74, delme=11DD1A74
Oct  7 17:16:30.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct  7 17:16:30.087: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Oct  7 17:16:30.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Oct  7 17:16:30.087: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:16:30.087: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct  7 17:16:40.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct  7 17:16:40.087: ISAKMP:(0):peer does not do paranoid keepalives.

1 Reply

Dinesh Moudgil
Cisco Employee
"Death by retransmission P1" indicates a UDP 500 connectivity issue between the VPN termination devices.

You can run an EPC capture on the IOS router to determine whether the UDP packets for the remote peer are going out, and then perform a packet capture on the Azure side as well to confirm whether the packets from the Cisco router indeed reach AWS.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.
Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
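An added example, not from the post or from Cisco or libreswan, that applies the reply's first diagnosis in code: a small Python parser over `debug crypto isakmp` output of the shape shown in the question, counting IKE packets sent and received per peer so a one-way exchange (packets out, nothing back, then "Death by retransmission P1") is evident before anyone reaches for a capture. The sample lines are constructed; the `received packet` line and peer 203.0.113.9 are invented to show the healthy case.

```python
# Added example, not from the original post: summarise Cisco IOS
# `debug crypto isakmp` output per peer, so a one-way IKE exchange
# ("Death by retransmission P1") is spotted before reaching for a capture.
import re

SENT = re.compile(r"sending packet to (\S+) my_port \d+ peer_port \d+")
RECV = re.compile(r"received packet from (\S+) dport \d+ sport \d+")
RETRANS = re.compile(r"attempt \d+ of \d+: retransmit phase 1")
DEATH = re.compile(r'"Death by retransmission P1".*\(peer (\S+)\)')

# Constructed sample shaped like the post's debug; peer 203.0.113.9 is invented (two-way case).
SAMPLE_LOG = """\
Oct  7 17:14:21.111: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:14:31.111: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Oct  7 17:14:31.111: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:15:21.111: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 8.8.8.8)
Oct  7 17:20:01.000: ISAKMP:(0): sending packet to 203.0.113.9 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:20:01.050: ISAKMP (1001): received packet from 203.0.113.9 dport 500 sport 500 Global (I) MM_NO_STATE
"""

def _entry(stats, peer):
    return stats.setdefault(peer, {"sent": 0, "received": 0, "retransmits": 0, "p1_dead": False})

def analyze_isakmp_debug(text):
    """Return {peer: {"sent", "received", "retransmits", "p1_dead"}}; retransmit lines name no peer, so they count against the last peer sent to."""
    stats, last_peer = {}, None
    for line in text.splitlines():
        if m := SENT.search(line):
            last_peer = m.group(1)
            _entry(stats, last_peer)["sent"] += 1
        elif m := RECV.search(line):
            _entry(stats, m.group(1))["received"] += 1
        elif RETRANS.search(line) and last_peer:
            _entry(stats, last_peer)["retransmits"] += 1
        elif m := DEATH.search(line):
            _entry(stats, m.group(1))["p1_dead"] = True
    return stats

def verdict(stats):
    """One actionable line per peer: one-way (nothing ever came back) or two-way."""
    out = {}
    for peer, s in stats.items():
        if s["sent"] and not s["received"]:
            state = "Phase 1 died by retransmission" if s["p1_dead"] else "Phase 1 still pending"
            out[peer] = (f"one-way: {s['sent']} IKE packets sent to {peer}, none received; {state}; "
                         "check the UDP/500 path (ACLs, NAT, cloud security group, peer listening)")
        else:
            out[peer] = f"two-way: {s['sent']} sent / {s['received']} received"
    return out
```

Feed the real debug output (or a file read into a string) to `verdict(analyze_isakmp_debug(text))`; a peer reported as one-way is the case the reply describes, and the next step is the EPC capture on the router and a capture on the far end.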