03-28-2020 09:00 PM
Good evening all -
This is a home lab. Expanding my knowledge base and exploring security. I thought that the task would be relatively simple: create a site to site VPN using a Cisco 2621XM router on one side and a Cisco 3000 VPN Concentrator on the other. I followed the instructions located here https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14102-ALTIGAR.html
My debug crypto isakmp shows that Phase 1 completes (time hack of 23:11:48.779). However, right after that it fails and destroys the SA based upon "Received payload type 18" (time hack of 23:11:48.811).
As I said, this is a lab so I have complete access to the router and to the 3000. I can provide other information as requested.
I have searched Google, no hits for payload type 18 errors
03-29-2020 02:32 AM
Could you post the output of debug crypto ipsec 127 as well as the configuration from both sides.
03-29-2020 09:01 AM
Sir - thank you for your time and reply - but unfortunately I am unable to do either task.
There is no such command as "debug crypto ipsec 127" and the other end of the site to site is a Cisco 3000 VPN concentrator, not another router
Attached is the configuration of the router side of the S2S tunnel. I can look at the VPN 3000 GUI and screenshot anything you would like to see
03-30-2020 10:47 AM
Hi,
You have not really followed the guide:
1. Configure ACL 101 with specific statements, not "permit ip any any"
2. Use another ACL for NAT and exclude from NAT (via deny statements) the VPN traffic
3. Follow the guide very closely, verify each of the steps
4. Ensure the PSK is orderly configured on both sides, no white spaces or something like that
If it still doesn't work, post the full router config and the output of "debug crypto isakmp" and "debug crypto ipsec".
Regards,
Cristian Matei.
03-30-2020 03:35 PM
Sir -
Thank you for taking the time to look and to respond.
I purposefully opened up the access list to any any as I was attempting to self troubleshoot and was attempting to ensure that I was not blocking traffic.
However, I went back and modified my ACLs to conform to the guide.
My physical architecture is:
Cisco VPN 3000 -- switch -- 2621XM router -- laptop
Laptop is IP 1.1.1.1. I also added a loopback on the router as 2.2.2.2 so I could have something in the permit portion of the route map. The VPN interface is 173.45.176.39 and the FA 0/0 interface on the router is 173.45.176.40
I have included the full running config of the router as well as the debugs for crypto isakmp and crypto ipsec.
The error is still the same. When I run a ping from the router to the 173.45.176.39 IP, it completes Phase 1 and then fails right after. The debug indicates that it received a payload 18.
03-30-2020 11:55 PM
Hi,
1. What is the protected subnet behind the VPN concentrator? From what I see based on your crypto ACL, you're trying to secure with a remote gateway a directly connected subnet, change the 173.45.176.0/24 with a subnet behind VPN Concentrator
interface FastEthernet0/0
ip address 173.45.176.40 255.255.255.240
access-list 101 permit ip 1.1.1.0 0.0.0.255 173.45.176.0 0.0.0.255
2. The posted ipsec debug seems to be showing that your crypto ACL was still configured with "permit ip any any", based on the proxy IDs, and the debug is not complete; leave the debugs turned on and generate interesting traffic (that matches your crypto ACL):
(identity) local= 173.45.176.40, remote= 173.45.176.39,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
Regards,
Cristian Matei.
03-31-2020 06:52 AM
Sir -
I have included a network diagram to clear up any confusion.
I changed the access list destination as you indicated.
I then tried a constant ping from the laptop to the 10.255.255.253 IP (the next L3 device inside my lab network beyond the VPN 3000).
I grabbed a new config file and new copies of both debugs and I let them run for several iterations
03-31-2020 06:53 AM
03-31-2020 06:54 AM
03-31-2020 06:59 AM
newest config
web site is not taking it as an attachment
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 173.45.176.39 no-xauth
!
!
crypto ipsec transform-set TO_VPN esp-3des esp-md5-hmac
!
crypto map TO_VPN 10 ipsec-isakmp
set peer 173.45.176.39
set transform-set TO_VPN
match address 101
!
!
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
ip address 173.45.176.40 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map TO_VPN
!
interface FastEthernet0/1
ip address 1.1.1.2 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 173.45.176.39
!
!
ip http server
no ip http secure-server
ip nat pool REMOTE_VPN 173.45.176.40 173.45.176.40 netmask 255.255.255.240
ip nat inside source route-map nonnat pool REMOTE_VPN overload
!
access-list 101 permit ip 1.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 deny ip 1.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 permit ip 2.2.2.0 0.0.0.255 any
!
!
!
route-map nonat permit 10
match ip address 110
!
!
!
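As an added example (not from this thread or from Cisco), here is a small Python checker for the three consistency points raised above: the crypto ACL must not use "any" (which produces 0.0.0.0/0 proxy IDs), the NAT statement must reference a route-map that is actually defined, and the NAT ACL must deny every flow the crypto ACL permits so VPN traffic is not translated. The embedded config is a constructed excerpt of the router config posted above; note that it references route-map "nonnat" while the route-map is defined as "nonat".

```python
import re

# Constructed excerpt of the IOS config posted in this thread (same names and ACLs).
CONFIG = """\
crypto map TO_VPN 10 ipsec-isakmp
 set peer 173.45.176.39
 match address 101
ip nat inside source route-map nonnat pool REMOTE_VPN overload
access-list 101 permit ip 1.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 deny ip 1.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 permit ip 2.2.2.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 110
"""

# One extended ACE: number, action, source (net wildcard | any), destination (net wildcard | any)
ACE = re.compile(r"^access-list (\d+) (permit|deny) ip (any|\S+ \S+) (any|\S+ \S+)", re.M)

def parse_acls(cfg):
    acls = {}
    for num, action, src, dst in ACE.findall(cfg):
        acls.setdefault(num, []).append((action, src, dst))
    return acls

def audit(cfg):
    """Return a list of findings about crypto ACL / NAT-exemption consistency."""
    findings = []
    acls = parse_acls(cfg)
    crypto_acl = re.search(r"^\s*match address (\d+)", cfg, re.M).group(1)
    # 1. The crypto ACL must name specific subnets; "any" yields 0.0.0.0/0 proxy IDs.
    for action, src, dst in acls.get(crypto_acl, []):
        if action == "permit" and "any" in (src, dst):
            findings.append(f"crypto ACL {crypto_acl} uses 'any' (proxy ID 0.0.0.0/0)")
    # 2. The route-map named in the NAT statement must actually exist.
    nat_rm = re.search(r"ip nat inside source route-map (\S+)", cfg).group(1)
    rm = re.search(r"^route-map %s permit \d+\n\s*match ip address (\d+)" % re.escape(nat_rm), cfg, re.M)
    if rm is None:
        findings.append(f"NAT references route-map '{nat_rm}', which is not defined")
        return findings
    # 3. Every flow the crypto ACL permits needs a matching deny in the NAT ACL.
    nat_acl = acls.get(rm.group(1), [])
    for action, src, dst in acls.get(crypto_acl, []):
        if action == "permit" and ("deny", src, dst) not in nat_acl:
            findings.append(f"NAT ACL {rm.group(1)} does not exempt {src} -> {dst}")
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIG):
        print("FINDING:", finding)
```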
03-31-2020 07:50 AM
Hi,
What I can see from the posted debugs is that the VPN concentrator does not reply to Phase 2 negotiation; are you sure Phase 1 is up and running? Can you post the VPN concentrator configuration file? I think you can do that from the "File Management" section. Can you also trigger interesting traffic again and debug on the VPN concentrator, see here how, and post the debugs?
Regards,
Cristian Matei.
03-31-2020 08:24 AM
03-31-2020 09:34 AM
Hi,
Post the debugs from the concentrator. If there is no output on debugs, it means you've misconfigured it on the Concentrator; look closer at the document.
Regards,
Cristian Matei.