02-13-2003 06:36 AM - edited 02-21-2020 12:21 PM
Hi, I'm having trouble getting a Cisco 2621 to talk to a NetScreen 10 via IPsec. Can anyone state whether this pair combination will work?
The relevant bits of my config are:
crypto isakmp policy 1
 authentication pre-share
 group 2
 lifetime 14400
crypto isakmp key not-our-real-password address x.x.x.x
!
!
crypto ipsec transform-set netscreen ah-sha-hmac esp-des
!
crypto map netscreen 1 ipsec-isakmp
 set peer x.x.x.x
 set transform-set netscreen
 set pfs group2
 match address 115
!
interface FastEthernet0/0
 description conn to web
 ip address z.z.z.z
 ip access-group external_in in #this list allows udp 500, ahp and esp
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 no ip mroute-cache
 keepalive 2
 speed 100
 full-duplex
 service-policy input http_attacks
 crypto map netscreen #crypto map applied to this interface
!
#don't NAT my private network to their private network, NAT everything else
ip access-list extended nat_list
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.99.0 0.0.0.255 any
!
#encrypt this traffic
access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
613: Feb 13 14:16:28.171: ISAKMP (0:1): processing ID payload. message ID = 0
614: Feb 13 14:16:28.171: ISAKMP (0:1): processing HASH payload. message ID = 0
615: Feb 13 14:16:28.171: CryptoEngine0: generate hmac context for conn id 1
616: Feb 13 14:16:28.171: ISAKMP (0:1): SA has been authenticated with x.x.x.x
617: Feb 13 14:16:28.175: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 1407123716
618: Feb 13 14:16:28.175: CryptoEngine0: generate alg parameter
619: Feb 13 14:16:28.395: CRYPTO_ENGINE: Dh phase 1 status: 0
620: Feb 13 14:16:28.395: CRYPTO_ENGINE: Dh phase 1 status: 0
621: Feb 13 14:16:28.399: CryptoEngine0: generate hmac context for conn id 1
622: Feb 13 14:16:28.399: ISAKMP (0:1): sending packet to x.x.x.x (I) QM_IDLE
623: Feb 13 14:16:28.403: CryptoEngine0: clear dh number for conn id 1
624: Feb 13 14:16:38.403: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 1407123716 ...
625: Feb 13 14:16:38.403: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
626: Feb 13 14:16:38.403: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
627: Feb 13 14:16:38.403: ISAKMP (0:1): retransmitting phase 2 1407123716 QM_IDLE
628: Feb 13 14:16:38.403: ISAKMP (0:1): sending packet to x.x.x.x (I) QM_IDLE
631: Feb 13 14:16:48.404: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 1407123716 ...
632: Feb 13 14:16:48.404: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
633: Feb 13 14:16:48.404: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
634: Feb 13 14:16:48.404: ISAKMP (0:1): retransmitting phase 2 1407123716 QM_IDLE
635: Feb 13 14:16:48.404: ISAKMP (0:1): sending packet to x.x.x.x (I) QM_IDLE
636: Feb 13 14:16:57.384: IPSEC(key_engine): request timer fired: count = 1,
637: (identity) local= z.z.z.z, remote= x.x.x.x,
638: local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
639: remote_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4)
640: Feb 13 14:16:57.384: IPSEC(sa_request): ,
641: (key eng. msg.) OUTBOUND local= z.z.z.z, remote= x.x.x.x,
642: local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
643: remote_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
644: protocol= AH, transform= ah-sha-hmac ,
645: lifedur= 3600s and 4608000kb,
646: spi= 0xCE51142F(3461420079), conn_id= 0, keysize= 0, flags= 0x400D
647: Feb 13 14:16:57.384: IPSEC(sa_request):
648: ,
649: (key eng. msg.) OUTBOUND local= z.z.z.z, remote= x.x.x.x,
650: local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
651: remote_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
652: protocol= ESP, transform= esp-des ,
653: lifedur= 3600s and 4608000kb,
654: spi= 0xAB72C88(179776648), conn_id= 0, keysize= 0, flags= 0x400D
655: Feb 13 14:16:57.388: ISAKMP: received ke message (1/2)
656: Feb 13 14:16:57.388: ISAKMP (0:1): sitting IDLE. Starting QM immediately (QM_IDLE )
657: Feb 13 14:16:57.388: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 92910466
658: Feb 13 14:16:57.392: CryptoEngine0: generate alg parameter
659: Feb 13 14:16:57.608: CRYPTO_ENGINE: Dh phase 1 status: 0
660: Feb 13 14:16:57.608: CRYPTO_ENGINE: Dh phase 1 status: 0
661: Feb 13 14:16:57.612: CryptoEngine0: generate hmac context for conn id 1
662: Feb 13 14:16:57.616: ISAKMP (0:1): sending packet to 160.79.125.66 (I) QM_IDLE
663: Feb 13 14:16:58.404: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 1407123716 ...
664: Feb 13 14:16:58.404: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
665: Feb 13 14:16:58.404: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
666: Feb 13 14:16:58.404: ISAKMP (0:1): retransmitting phase 2 1407123716 QM_IDLE
667: Feb 13 14:16:58.404: ISAKMP (0:1): sending packet to 160.79.125.66 (I) QM_IDLE
668: Feb 13 14:17:07.616: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 92910466 ...
669: Feb 13 14:17:07.616: ISAKMP (0:1): peer does not do paranoid keepalives.
670:
671: Feb 13 14:17:07.616: ISAKMP (0:1): deleting SA reason "death by retransmission P2" state (I) QM_IDLE (peer x.x.x.x) input queue 0
672: Feb 13 14:17:07.616: CryptoEngine0: generate hmac context for conn id 1
673: Feb 13 14:17:07.620: ISAKMP (0:1): sending packet to x.x.x.x (I) MM_NO_STATE
674: Feb 13 14:17:07.620: ISAKMP (0:1): purging node 2085085611
675: Feb 13 14:17:07.620: ISAKMP (0:1): deleting node 1407123716 error TRUE reason "death by retransmission P2"
676: Feb 13 14:17:07.620: ISAKMP (0:1): deleting node 92910466 error TRUE reason "death by retransmission P2"
677: Feb 13 14:17:27.385: IPSEC(key_engine): request timer fired: count = 2,
678: (identity) local= z.z.z.z, remote= x.x.x.x,
679: local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
680: remote_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4)
681: Feb 13 14:17:27.385: ISAKMP: received ke message (3/1)
682: Feb 13 14:17:27.385: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src z.z.z.z dst x.x.x.x for SPI 0x0
684: Feb 13 14:17:57.622: ISAKMP (0:1): purging node 1407123716
685: Feb 13 14:17:57.622: CryptoEngine0: clear dh number for conn id 2
686: Feb 13 14:17:57.622: ISAKMP (0:1): purging node 92910466
687: Feb 13 14:17:57.622: CryptoEngine0: clear dh number for conn id 3
688: Feb 13 14:18:07.622: ISAKMP (0:1): purging SA., sa=826DA278, delme=826DA278
689: Feb 13 14:18:07.622: CryptoEngine0: delete connection 1
From this output, it looks like Phase 1 (Main Mode?) is completing fine but Phase 2 (Quick Mode?) is failing?
Any ideas?
thanks
_scott
02-13-2003 09:08 PM
This should work. Can you initiate the tunnel from behind the NetScreen and capture those debugs on the router? We'll get more information that way about what's going wrong.
02-14-2003 04:18 AM
Looks like a similar problem to IPsec between Cisco and a D-Link DI-804V.
I got:
17:25:00: ISAKMP (0:1): SA is doing
pre-shared key authentication using id type ID_IPV4_ADDR
17:25:00: ISAKMP (1): ID payload
next-payload : 8
type : 1
addr : 1.1.1.1
protocol : 17
port : 0
length : 8
17:25:00: ISAKMP (1): Total payload length: 12
17:25:00: CryptoEngine0: generate hmac context for conn id 1
17:25:00: CryptoEngine0: clear dh number for conn id 1
17:25:00: ISAKMP (0:1): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
17:25:00: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
17:25:00: ISAKMP (0:1): Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
17:25:00: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
17:25:00: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
17:25:07: ISAKMP (0:1): received packet from 2.2.2.2 dport 500 sport 500 (R) QM_IDLE
17:25:07: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
17:25:07: ISAKMP (0:1): retransmitting due to retransmit phase 1
17:25:07: ISAKMP (0:1): retransmitting phase 1 QM_IDLE ...
17:25:07: ISAKMP (0:1): retransmitting phase 1 QM_IDLE ...
17:25:07: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
17:25:07: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. QM_IDLE
and DI-804V:
IPsec[26]:Initiating Main Mode
IKE[27]:[estnet] Initializing IKE Main Mode
IKE[28]:[estnet] TX >> MM_I1 : 1.1.1.1
IPsec[29]:Packet retransmission, timeout in 10 seconds for #1
IPsec[30]:NO outbound SA found
IKE[31]:[estnet] RX << MM_R1 : 1.1.1.1
IKE[32]:OAKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP1024
IKE[33]:[estnet] TX >> MM_I2 : 1.1.1.1
IPsec[34]:Packet retransmission, timeout in 10 seconds for #1
IPsec[35]:Find_outsa() not found
IPsec[36]:NO outbound SA found
IKE[37]:[estnet] RX << MM_R2 : 1.1.1.1
IKE[38]:[estnet] TX >> MM_I3 : 1.1.1.1
IPsec[39]:Packet retransmission, timeout in 10 seconds for #1
IPsec[40]:Find_outsa() not found
IPsec[41]:NO outbound SA found
IKE[42]:[estnet] RX << MM_R3 : 1.1.1.1
IPsec[43]:loglog[3] protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
IPsec[44]:Find_outsa() not found
IPsec[45]:NO outbound SA found
IPSec[46]:*52*DUMP SA: INBOUND:0/64 OUTBOUND:0/64
IPSec[47]:DUMP ST: 1/64
IPSec[48]:DUMP MEM_ALLOC: 24/75
IPsec[49]:conn_list->estnet(0,0,0,0)->NULL
IPsec[50]:Packet retransmission, timeout in 20 seconds for #1
IPsec[51]:Packet retransmission, timeout in 40 seconds for #1
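Added example, not code from this thread, from Cisco or from the DI-804V/NetScreen vendors: a small Python triage script that answers the question the first post asks (did Phase 1 or Phase 2 fail?) by pattern-matching the lines IOS `debug crypto isakmp` / `debug crypto ipsec` prints, and that checks the Phase 1 ID payload the router sent against the rule the DI-804V log quotes (protocol/port must be 0/0 or 17/500; this is the RFC 2407 section 4.6.2 rule). The sample inputs are lines excerpted from the two debug captures above; the function and field names and the wording of the verdicts are this example's own.

```python
"""Triage IOS ISAKMP/IPsec debug output: which IKE phase failed, and why.

Added example for the thread above; not Cisco's code. It reads the
debug lines an IOS router prints and classifies the failure.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines excerpted from the 2621's debug output (NetScreen case).
NETSCREEN_CASE = """\
616: Feb 13 14:16:28.171: ISAKMP (0:1): SA has been authenticated with x.x.x.x
617: Feb 13 14:16:28.175: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 1407123716
622: Feb 13 14:16:28.399: ISAKMP (0:1): sending packet to x.x.x.x (I) QM_IDLE
624: Feb 13 14:16:38.403: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 1407123716 ...
631: Feb 13 14:16:48.404: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 1407123716 ...
640: Feb 13 14:16:57.384: IPSEC(sa_request): ,
641: (key eng. msg.) OUTBOUND local= z.z.z.z, remote= x.x.x.x,
642: local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
643: remote_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
644: protocol= AH, transform= ah-sha-hmac ,
652: protocol= ESP, transform= esp-des ,
671: Feb 13 14:17:07.616: ISAKMP (0:1): deleting SA reason "death by retransmission P2" state (I) QM_IDLE (peer x.x.x.x) input queue 0
"""

# Constructed sample: ID payload and Phase 1 retransmits excerpted from the DI-804V post (router side).
DLINK_CASE = """\
17:25:00: ISAKMP (1): ID payload
next-payload : 8
type : 1
addr : 1.1.1.1
protocol : 17
port : 0
length : 8
17:25:00: ISAKMP (0:1): Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
17:25:07: ISAKMP (0:1): received packet from 2.2.2.2 dport 500 sport 500 (R) QM_IDLE
17:25:07: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
17:25:07: ISAKMP (0:1): retransmitting phase 1 QM_IDLE ...
"""

PHASE1_OK = re.compile(r"SA has been authenticated with (\S+)|New State = IKE_P1_COMPLETE")
P2_RETRANSMIT = re.compile(r"retransmitting phase 2 \S+ \d+ \.\.\.")  # one line per retransmit event
P2_DEATH = re.compile(r'deleting SA reason "death by retransmission P2"')
QM_RECEIVED = re.compile(r"received packet from \S+ .*QM_IDLE")
P1_DUPLICATE = re.compile(r"phase 1 packet is a duplicate")
LOCAL_PROXY = re.compile(r"local_proxy= (\S+)")
REMOTE_PROXY = re.compile(r"remote_proxy= (\S+)")
TRANSFORM = re.compile(r"protocol= (\w+), transform= (\S+)")
ID_FIELD = re.compile(r"^\s*(type|addr|protocol|port)\s*:\s*(\S+)\s*$")


@dataclass
class IkeDiagnosis:
    phase1_complete: bool = False
    peer: str = ""
    phase2_retransmits: int = 0
    quick_mode_replies: int = 0
    died_by_retransmission: bool = False
    peer_repeating_phase1: bool = False
    proxies: list = field(default_factory=list)     # (local, remote) selectors we proposed
    transforms: list = field(default_factory=list)  # (protocol, transform) pairs we proposed
    id_payload: dict = field(default_factory=dict)  # type/addr/protocol/port we sent in Phase 1
    verdict: str = ""


def phase1_id_acceptable(protocol, port):
    """Rule quoted by the DI-804V (RFC 2407 4.6.2): Phase 1 ID port/protocol is 0/0 or UDP/500."""
    return (int(protocol), int(port)) in {(0, 0), (17, 500)}


def triage(debug_text):
    d = IkeDiagnosis()
    lines = debug_text.splitlines()
    last_local = None
    for i, line in enumerate(lines):
        m = PHASE1_OK.search(line)
        if m:
            d.phase1_complete = True
            d.peer = m.group(1) or d.peer
        if P2_RETRANSMIT.search(line):
            d.phase2_retransmits += 1
        if P2_DEATH.search(line):
            d.died_by_retransmission = True
        if P1_DUPLICATE.search(line):
            d.peer_repeating_phase1 = True
        if QM_RECEIVED.search(line):
            # A packet received in QM_IDLE is a Quick Mode reply only if IOS does not
            # immediately flag it as a repeated Phase 1 packet.
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            if not P1_DUPLICATE.search(nxt):
                d.quick_mode_replies += 1
        m = LOCAL_PROXY.search(line)
        if m:
            last_local = m.group(1)
        m = REMOTE_PROXY.search(line)
        if m and last_local and (last_local, m.group(1)) not in d.proxies:
            d.proxies.append((last_local, m.group(1)))
        m = TRANSFORM.search(line)
        if m and m.groups() not in d.transforms:
            d.transforms.append(m.groups())
        m = ID_FIELD.match(line)
        if m and m.group(1) not in d.id_payload:
            d.id_payload[m.group(1)] = m.group(2)
    d.verdict = _verdict(d)
    return d


def _verdict(d):
    if not d.phase1_complete:
        return "Phase 1 (Main Mode) never completed: check pre-shared key, ISAKMP policy and UDP/500 reachability."
    if d.peer_repeating_phase1:
        return ("Phase 1 completed here, but the peer keeps re-sending Phase 1 and never starts Quick Mode: "
                "it did not accept our last Main Mode message; check the Phase 1 ID payload and the key on the peer.")
    if d.phase2_retransmits and d.quick_mode_replies == 0:
        torn = " and the SA was torn down" if d.died_by_retransmission else ""
        return ("Phase 1 completed; Phase 2 (Quick Mode) got no reply from the peer" + torn +
                ": check that the peer's proxy IDs and transforms match what we proposed.")
    return "No IKE failure found in this capture."


if __name__ == "__main__":
    for name, text in (("NetScreen case", NETSCREEN_CASE), ("DI-804V case", DLINK_CASE)):
        d = triage(text)
        print(name, "->", d.verdict)
        print("  proposed:", d.proxies, d.transforms, "id payload:", d.id_payload)
```

For the first capture the script reports Phase 1 authenticated, two Phase 2 retransmits with no Quick Mode reply and the "death by retransmission P2" teardown, together with the proxy IDs (192.168.1.0/24 to 192.168.2.0/24) and the AH+ESP transforms the router proposed, which is what the peer would have to match. For the DI-804V capture it reports Phase 1 complete on the router but the peer still retransmitting Phase 1, and the parsed ID payload (protocol 17, port 0) fails the 0/0-or-17/500 check the D-Link logged.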
02-21-2003 03:20 PM
I am having the same problem with a Netgear FVS318 connecting to a VPN router (IOS).
Does anyone have an example config (PIX or IOS) to resolve this issue?
04-25-2003 04:55 PM
Hi,
I have the same problem configuring an FVS318 to a PIX. Does anyone have a sample for this?
Sebastian