Cisco Router to VPN Concentrator 3000 - Fails Phase 2 "Received payload type 18"

jeffrey.girard
Level 1

Good evening all -

    This is a home lab.  Expanding my knowledge base and exploring security.  I thought that the task would be relatively simple:  create a site to site VPN using a Cisco 2621XM router on one side and a Cisco 3000 VPN Concentrator on the other.  I followed the instructions located here https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14102-ALTIGAR.html

     My debug crypto isakmp shows that Phase 1 completes (time hack of 23:11:48.779).  However, right after that it fails and destroys the SA based upon "Received payload type 18" (time hack of 23:11:48.811).

      As I said, this is a lab so I have complete access to the router and to the 3000.  I can provide other information as requested.

       I have searched Google, no hits for payload type 18 errors.

12 Replies

could you post the output of debug crypto ipsec 127 as well as the configuration from both sides.

--
Please remember to select a correct answer and rate helpful posts

Sir - thank you for your time and reply - but unfortunately I am unable to do either task.

There is no such command as "debug crypto ipsec 127" and the other end of the site to site is a Cisco 3000 VPN concentrator, not another router.

Attached is the configuration of the router side of the S2S tunnel.  I can look at the VPN 3000 GUI and screenshot anything you would like to see.

Hi,

You have not really followed the guide:

1. Configure ACL 101 with specific statements, not "permit ip any any"

2. Use another ACL for NAT and exclude from NAT (via deny statements) the VPN traffic

3. Follow the guide very closely, verify each of the steps

4. Ensure the PSK is orderly configured on both sides, no white spaces or something like that

If it still doesn't work, post the full router config and the output of "debug crypto isakmp" and "debug crypto ipsec".

Regards,

Cristian Matei.

Sir -

    Thank you for taking the time to look and to respond.

     I purposefully opened up the access list to any any as I was attempting to self troubleshoot and was attempting to ensure that I was not blocking traffic.

      However, I went back and modified my ACLs to conform to the guide.

     My physical architecture is:

     Cisco VPN 3000 -- switch --  2621XM router -- laptop

     Laptop is IP 1.1.1.1.  I also added a loopback on the router as 2.2.2.2 so I could have something in the permit portion of the route map.  The VPN interface is 173.45.176.39 and the FA 0/0 interface on the router is 173.45.176.40

      I have included the full running config of the router as well as the debugs for crypto isakmp and crypto ipsec.

      The error is still the same.  When I run a ping from the router to the 173.45.176.39 IP, it completes Phase 1 and then fails right after.  The debug indicates that it received a payload 18.

Hi,

    1. What is the protected subnet behind the VPN concentrator? From what I see based on your crypto ACL, you're trying to secure with a remote gateway a directly connected subnet; change the 173.45.176.0/24 with a subnet behind the VPN Concentrator:

interface FastEthernet0/0
ip address 173.45.176.40 255.255.255.240

access-list 101 permit ip 1.1.1.0 0.0.0.255 173.45.176.0 0.0.0.255

 2. The posted ipsec debug seems to be showing that your crypto ACL was still configured with "permit ip any any", based on the proxy IDs, and the debug is not complete; leave the debugs turned on and generate interesting traffic (that matches your crypto ACL):

(identity) local= 173.45.176.40, remote= 173.45.176.39,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)

Regards,
Cristian Matei.

Sir -

       I have included a network diagram to clear up any confusion.

        I changed the access list destination as you indicated.

        I then tried a constant ping from the laptop to the 10.255.255.253 IP (the next L3 device inside my lab network beyond the VPN 3000).

        I grabbed a new config file and new copies of both debugs and I let them run for several iterations.

Having to add files separately, it would not take them all at once.

network diagram

newest config

Web site is not taking it as an attachment:

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 173.45.176.39 no-xauth
!
!
crypto ipsec transform-set TO_VPN esp-3des esp-md5-hmac
!
crypto map TO_VPN 10 ipsec-isakmp
set peer 173.45.176.39
set transform-set TO_VPN
match address 101
!
!
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
ip address 173.45.176.40 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map TO_VPN
!
interface FastEthernet0/1
ip address 1.1.1.2 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 173.45.176.39
!
!
ip http server
no ip http secure-server
ip nat pool REMOTE_VPN 173.45.176.40 173.45.176.40 netmask 255.255.255.240
ip nat inside source route-map nonnat pool REMOTE_VPN overload
!
access-list 101 permit ip 1.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 deny ip 1.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 permit ip 2.2.2.0 0.0.0.255 any
!
!
!
route-map nonat permit 10
match ip address 110
!
!
!

Hi,

   What I can see from the posted debugs is that the VPN concentrator does not reply to Phase 2 negotiation; are you sure Phase 1 is up and running? Can you post the VPN concentrator configuration file? I think you can do that from the "File Management" section. Can you also trigger interesting traffic again and debug on the VPN concentrator, see here how, and post the debugs?

Regards,

Cristian Matei.

Sir -

Full config of VPN 3000 is attached as requested.

I think that Phase 1 is completing, judging by the isakmp debug:

*Mar 31 09:40:58.213: ISAKMP:(1093):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Hi,

   Post the debugs from the concentrator. If there is no output on debugs, it means you've misconfigured it on the Concentrator; look closer at the document.

Regards,

Cristian Matei.