01-22-2013 07:02 PM - edited 02-21-2020 06:38 PM
Hi guys,
We have set up a crypto IPSec VPN between my Cisco router in my office and another (non-Cisco) network device at a remote location.
The status of the VPN tunnel seems to be active; however, there is no packet flow between my office internal IP and the remote location internal IP.
Below is the output for debug crypto isakmp:
ISAKMP:(2065):purging node -1159828730
ISAKMP (0:2065): received packet from 103.6.12.129 dport 4500 sport 4500 Global (R) QM_IDLE
ISAKMP: set new node -476360627 to QM_IDLE
ISAKMP:(2065): processing HASH payload. message ID = -476360627
ISAKMP:(2065): processing SA payload. message ID = -476360627
ISAKMP:(2065):Checking IPSec proposal 0
ISAKMP: transform 0, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: group is 2
ISAKMP: encaps is 3 (Tunnel-UDP)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 128
ISAKMP:(2065):atts are acceptable.
ISAKMP:(2065):Checking IPSec proposal 0
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: group is 2
ISAKMP: encaps is 3 (Tunnel-UDP)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 128
ISAKMP:(2065):atts are acceptable.
ISAKMP:(2065):Checking IPSec proposal 0
ISAKMP: transform 2, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: group is 2
ISAKMP: encaps is 3 (Tunnel-UDP)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: authenticator is HMAC-SHA
ISAKMP:(2065):atts are acceptable.
ISAKMP:(2065):Checking IPSec proposal 0
ISAKMP: transform 3, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: group is 2
ISAKMP: encaps is 3 (Tunnel-UDP)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: authenticator is HMAC-MD5
ISAKMP:(2065):atts are acceptable.
ISAKMP:(2065): IPSec policy invalidated proposal with error 256
ISAKMP:(2065): IPSec policy invalidated proposal with error 256
ISAKMP:(2065): IPSec policy invalidated proposal with error 256
ISAKMP:(2065): IPSec policy invalidated proposal with error 256
ISAKMP:(2065): phase 2 SA policy not acceptable! (local 203.82.211.173 remote 103.6.12.129)
ISAKMP: set new node -1632701900 to QM_IDLE
ISAKMP:(2065):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2222142232, message ID = -1632701900
ISAKMP:(2065): sending packet to 103.6.12.129 my_port 4500 peer_port 4500 (R) QM_IDLE
ISAKMP:(2065):Sending an IKE IPv4 Packet.
ISAKMP:(2065):purging node -1632701900
ISAKMP:(2065):deleting node -476360627 error TRUE reason "QM rejected"
ISAKMP:(2065):Node -476360627, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(2065):Old State = IKE_QM_READY New State = IKE_QM_READY
ISAKMP (0:2065): received packet from 103.6.12.129 dport 4500 sport 4500 Global (R) QM_IDLE
ISAKMP:(2065): phase 2 packet is a duplicate of a previous packet.
ISAKMP:(2065): retransmitting due to retransmit phase 2
ISAKMP:(2065): ignoring retransmission,because phase2 node marked dead -476360627
Below is the output for debug IPsec:
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 203.82.211.173, remote= 103.6.12.129,
local_proxy= 192.168.200.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.16.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Crypto mapdb : proxy_match
src addr : 192.168.200.0
dst addr : 172.16.0.0
protocol : 0
src port : 0
dst port : 0
IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes esp-sha-hmac }
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 203.82.211.173, remote= 103.6.12.129,
local_proxy= 192.168.200.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.16.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Crypto mapdb : proxy_match
src addr : 192.168.200.0
dst addr : 172.16.0.0
protocol : 0
src port : 0
dst port : 0
IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes esp-md5-hmac }
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 203.82.211.173, remote= 103.6.12.129,
local_proxy= 192.168.200.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.16.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Crypto mapdb : proxy_match
src addr : 192.168.200.0
dst addr : 172.16.0.0
protocol : 0
src port : 0
dst port : 0
IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-3des esp-sha-hmac }
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 203.82.211.173, remote= 103.6.12.129,
local_proxy= 192.168.200.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.16.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Crypto mapdb : proxy_match
src addr : 192.168.200.0
dst addr : 172.16.0.0
protocol : 0
src port : 0
dst port : 0
IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-3des esp-md5-hmac }
Also, please check out the output for "show crypto isakmp sa":
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
203.82.211.173 103.6.12.129 QM_IDLE 2066 0 ACTIVE
IPv6 Crypto ISAKMP SA
The VPN still doesn't seem to work. Is there anything that needs to be done on my router for the VPN to work?
Please let me know if you need my running config and I will post it here.
Kind Regards,
Vignesh.
01-22-2013 09:33 PM
Check your ipsec (phase 2) transform sets on both sites. They probably differ from each other.
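The check this reply recommends, as an added example that is not part of the thread: a small Python script parses the peer's phase 2 proposals out of the "debug crypto isakmp" output from the original post and compares them with a hypothetical local transform-set list and PFS setting, so the differing attribute is named rather than guessed. The local policy values passed to find_mismatches are assumptions for illustration, not the poster's configuration.

```python
import re
# Constructed sample: the first and third transforms from the "debug crypto isakmp" output above.
SAMPLE_DEBUG = """\
ISAKMP: transform 0, ESP_AES
ISAKMP: group is 2
ISAKMP: encaps is 3 (Tunnel-UDP)
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 128
ISAKMP: transform 2, ESP_3DES
ISAKMP: group is 2
ISAKMP: encaps is 3 (Tunnel-UDP)
ISAKMP: authenticator is HMAC-SHA
"""

ENC = {"ESP_AES": "esp-aes", "ESP_3DES": "esp-3des"}  # ISAKMP debug names -> IOS transform-set keywords
AUTH = {"HMAC-SHA": "esp-sha-hmac", "HMAC-MD5": "esp-md5-hmac"}

def parse_peer_transforms(debug_text):
    """One dict per 'transform N, ESP_x' block: enc, auth, PFS group, key length."""
    transforms = []
    for line in debug_text.splitlines():
        if m := re.search(r"transform \d+, (ESP_\w+)", line):
            transforms.append(dict(enc=m.group(1), auth=None, group=None, keylen=None))
        elif not transforms:
            continue  # attribute line before any transform header: ignore
        elif m := re.search(r"group is (\d+)", line):
            transforms[-1]["group"] = int(m.group(1))  # a group in a phase 2 proposal means PFS
        elif m := re.search(r"authenticator is (\S+)", line):
            transforms[-1]["auth"] = m.group(1)
        elif m := re.search(r"key length is (\d+)", line):
            transforms[-1]["keylen"] = int(m.group(1))
    return transforms

def ios_transform_set(t):
    """Spell a peer transform the way a matching local transform-set must read."""
    enc = ENC.get(t["enc"], t["enc"].lower())
    if enc == "esp-aes" and t["keylen"] not in (None, 128):
        enc += f" {t['keylen']}"  # IOS writes AES-192/256 as "esp-aes 192" / "esp-aes 256"
    return f"{enc} {AUTH.get(t['auth'], t['auth'])}"

def find_mismatches(peer_transforms, local_sets, local_pfs_group):
    """Reasons a hypothetical local crypto map (transform-sets plus 'set pfs' group, None = no PFS) rejects each peer transform."""
    reasons = []
    for t in peer_transforms:
        want = ios_transform_set(t)
        if want not in local_sets:
            reasons.append(f"no local transform-set reads '{want}'")
        if t["group"] != local_pfs_group:
            reasons.append(f"peer wants PFS group {t['group']}, local pfs is {local_pfs_group}")
    return reasons
```

Run it against the full debug paste and the real local transform-sets: an empty list means phase 2 attributes agree and the cause lies elsewhere (proxy identities, for example), a non-empty list names what to change.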
01-22-2013 10:14 PM
Hello,
Is there a way you could share the VPN configuration of both sides?
You can omit IP addresses to make it secure.