Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2989
Views
0
Helpful
4
Replies

Cisco IPSec VPN with StrongSwan across CGNAT-

chandu501
Level 1
Level 1

‎04-05-2016 07:55 AM - edited ‎02-21-2020 08:45 PM

We are working to setup an IPSec PSK VPN between the 4G router and StrongSwan which resides on a public server in road warrior configuration, with the 4G router being the road warrior clients.

Cisco 819 4G router ( Road warrior client) ---------------CGNAT -------------------------- StrongSwan server

We are able to establish an IPSec VPN between the Cisco 819 4G router and Strongswan, with a direct connection, wherein there is no CGNAT, this is over the gigabit interface and strongswan local server. The moment we introduce CGNAT with strongswan in the cloud, we are unable to get the IPSec VPN working.

We are getting an error, please help/guide us here:

*Apr 5 14:39:38.822: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 100.76.145.121:500, remote= 125.16.240.98:500,
local_proxy= 192.168.1.0/255.255.255.0/256/0,
remote_proxy= 10.56.138.86/255.255.255.255/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Apr 5 14:39:38.822: ISAKMP: (0):SA request profile is (NULL)
*Apr 5 14:39:38.822: ISAKMP: (0):Created a peer struct for 125.16.240.98, peer port 500
*Apr 5 14:39:38.822: ISAKMP: (0):New peer created peer = 0x1E10DE4 peer_handle = 0x80000012
*Apr 5 14:39:38.822: ISAKMP: (0):Locking peer struct 0x1E10DE4, refcount 1 for isakmp_initiator
*Apr 5 14:39:38.822: ISAKMP: (0):local port 500, remote port 500
*Apr 5 14:39:38.822: ISAKMP: (0):set new node 0 to QM_IDLE
*Apr 5 14:39:38.822: ISAKMP: (0):insert sa successfully sa = 10937C0
*Apr 5 14:39:38.822: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
*Apr 5 14:39:38.822: ISAKMP: (0):found peer pre-shared key matching 125.16.240.98
*Apr 5 14:39:38.822: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Apr 5 14:39:38.822: ISAKMP: (0):constructed NAT-T vendor-07 ID
*Apr 5 14:39:38.822: ISAKMP: (0):constructed NAT-T vendor-03 ID
*Apr 5 14:39:38.822: ISAKMP: (0):constructed NAT-T vendor-02 ID
*Apr 5 14:39:38.822: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Apr 5 14:39:38.822: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1

*Apr 5 14:39:38.822: ISAKMP: (0):beginning Main Mode exchange
*Apr 5 14:39:38.822: ISAKMP-PAK: (0):sending packet to 125.16.240.98 my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 5 14:39:38.822: ISAKMP: (0):Sending an IKE IPv4 Packet..
Success rate is 0 percent (0/1)
Router#
*Apr 5 14:39:42.626: ISAKMP-PAK: (0):received packet from 125.16.240.98 dport 500 sport 500 Global (I) MM_NO_STATE
*Apr 5 14:39:42.626: ISAKMP-ERROR: (0):Couldn't find node: message_id 2939252457
*Apr 5 14:39:42.626: ISAKMP-ERROR: (0):(0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Apr 5 14:39:42.626: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Apr 5 14:39:42.626: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_I_MM1

*Apr 5 14:39:42.626: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 125.16.240.98
*Apr 5 14:39:48.826: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Apr 5 14:39:48.826: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 5 14:39:48.826: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Apr 5 14:39:48.826: ISAKMP-PAK: (0):sending packet to 125.16.240.98 my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 5 14:39:48.826: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Apr 5 14:39:50.286: ISAKMP-PAK: (0):received packet from 125.16.240.98 dport 500 sport 500 Global (I) MM_NO_STATE
*Apr 5 14:39:50.286: ISAKMP-ERROR: (0):Couldn't find node: message_id 702674192
*Apr 5 14:39:50.286: ISAKMP-ERROR: (0):(0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Apr 5 14:39:50.286: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Apr 5 14:39:50.286: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_I_MM1

StrongSwan output:

06[CFG] received stroke: add connection 'ciscoios'
06[CFG] left nor right host is our side, assuming left=local
06[CFG] added configuration 'ciscoios'
11[NET] received packet: from 106.206.153.204[13418] to 10.56.138.86[500] (168 bytes)
11[ENC] parsed ID_PROT request 0 [ SA V V V V ]
11[IKE] no IKE config found for 10.56.138.86...106.206.153.204, sending NO_PROPOSAL_CHOSEN
11[ENC] generating INFORMATIONAL_V1 request 2939252457 [ N(NO_PROP) ]
11[NET] sending packet: from 10.56.138.86[500] to 106.206.153.204[13418] (40 bytes)
04[NET] received packet: from 106.206.153.204[13418] to 10.56.138.86[500] (168 bytes)
04[ENC] parsed ID_PROT request 0 [ SA V V V V ]
04[IKE] no IKE config found for 10.56.138.86...106.206.153.204, sending NO_PROPOSAL_CHOSEN
04[ENC] generating INFORMATIONAL_V1 request 702674192 [ N(NO_PROP) ]
04[NET] sending packet: from 10.56.138.86[500] to 106.206.153.204[13418] (40 bytes)

1 person had this problem
Labels:
ciscostrongswanipsecvpn.zip
0 Helpful
4 Replies 4

Aditya Ganjoo
Cisco Employee
Cisco Employee

‎04-05-2016 09:35 AM

It seems your CGNAT device is blocking UDP 500 packet.

As per the following logs the 4g router sends the UDP 500 ISAKMP packet but gets no response back:

*Apr 5 14:39:48.826: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Apr 5 14:39:48.826: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 5 14:39:48.826: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

Please check on the intermediate device that if you can allow UDP 500 packet through it.

Regards,

Aditya

Please rate helpful posts.

0 Helpful

chandu501
Level 1
Level 1
In response to Aditya Ganjoo

‎04-06-2016 03:23 AM

The packets are reaching the Strongswan server, please see logs below:

but we are getting the following error in Strongswan

11[NET] received packet: from 106.206.153.204[13418] to 10.56.138.86[500] (168 bytes)
11[ENC] parsed ID_PROT request 0 [ SA V V V V ]
11[IKE] no IKE config found for 10.56.138.86...106.206.153.204, sending NO_PROPOSAL_CHOSEN

06[CFG] received stroke: add connection 'ciscoios'
06[CFG] left nor right host is our side, assuming left=local
06[CFG] added configuration 'ciscoios'
11[NET] received packet: from 106.206.153.204[13418] to 10.56.138.86[500] (168 bytes)
11[ENC] parsed ID_PROT request 0 [ SA V V V V ]
11[IKE] no IKE config found for 10.56.138.86...106.206.153.204, sending NO_PROPOSAL_CHOSEN
11[ENC] generating INFORMATIONAL_V1 request 2939252457 [ N(NO_PROP) ]
11[NET] sending packet: from 10.56.138.86[500] to 106.206.153.204[13418] (40 bytes)
04[NET] received packet: from 106.206.153.204[13418] to 10.56.138.86[500] (168 bytes)
04[ENC] parsed ID_PROT request 0 [ SA V V V V ]
04[IKE] no IKE config found for 10.56.138.86...106.206.153.204, sending NO_PROPOSAL_CHOSEN
04[ENC] generating INFORMATIONAL_V1 request 702674192 [ N(NO_PROP) ]
04[NET] sending packet: from 10.56.138.86[500] to 106.206.153.204[13418] (40 bytes

0 Helpful

r.bartels
Level 1
Level 1
In response to chandu501

‎05-19-2016 06:59 AM

Hi Chandu, 

I was wondering if you ever got this problem solved. I am experiencing exactly the same problem on a VPN connection between a Juniper SRX and a Cisco 819 4G router.

0 Helpful

chandu501
Level 1
Level 1
In response to r.bartels

‎05-19-2016 10:22 PM

I got this this error when i used IKEv1.. Later I moved to IKEv2, the problem is solved

0 Helpful
Customers Also Viewed These Support Documents