DVTI VPN phase2 doesn't come up.

TERRY GRACE
Level 1

Hi guys.


I have created the following testing schema:

router1(fa 0/0) <> emulated INTERNET <> (fa 0/0) router2 (fa 0/1) <> (fa 0/0) router3

where:

router1 fa 0/0 public IP 1.1.1.1/8

router2 fa 0/0 public IP 1.1.1.2/8

router2 fa 0/0 private IP 192.168.1.1/24

router3 fa 0/0 private IP 192.168.1.2/24

I'm configuring the DVTI VPN from router3 towards router1.

Configurations:

++++++++++++++++++
router1 (HUB)
++++++++++++++++++

crypto keyring HUB-VPN-KEYS
description -= DVTI-L2L HUB VPN KEYS =-
pre-shared-key address 1.1.1.2 key 1234567
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp keepalive 30 periodic
!
crypto isakmp profile HUB-IKE-PROFILE
keyring HUB-VPN-KEYS
match identity address 1.1.1.2 255.255.255.255
virtual-template 2
!
crypto ipsec transform-set HUB-TS esp-aes esp-sha-hmac
!
crypto ipsec profile HUB-VPN-PROFILE
set security-association lifetime seconds 28800
set transform-set HUB-TS
set isakmp-profile HUB-IKE-PROFILE
!
interface Loopback0
ip address 172.16.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 1.1.1.1 255.0.0.0
duplex auto
speed auto
!
interface Virtual-Template2 type tunnel
ip unnumbered Loopback0
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile HUB-VPN-PROFILE
!
router ospf 17
log-adjacency-changes
network 172.16.1.1 0.0.0.0 area 0

++++++++++++++++++
router3 (SPOKE)
++++++++++++++++++

crypto keyring HOME-VPN-DVTI-KEYRING
pre-shared-key address 1.1.1.1 key 1234567
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp keepalive 30 periodic
!
crypto isakmp profile HOME-VPN-DVTI-ISAKMP-PROF
keyring HOME-VPN-DVTI-KEYRING
match identity address 1.1.1.1 255.255.255.255
!
!
crypto ipsec transform-set CLIENT-TS esp-aes esp-sha-hmac
!
crypto ipsec profile HOME-VPN-PROFILE
set security-association lifetime seconds 28800
set transform-set CLIENT-TS
set isakmp-profile HOME-VPN-DVTI-ISAKMP-PROF
!
interface Loopback0
ip address 10.0.0.2 255.255.255.255
!
interface Tunnel0
ip unnumbered Loopback0
ip tcp adjust-mss 1370
tunnel source FastEthernet0/0
tunnel destination 1.1.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile HOME-VPN-PROFILE
!
router ospf 18
log-adjacency-changes
network 10.0.0.2 0.0.0.0 area 0


phase1 completed successfully:

+++++++++
router3:
+++++++++

IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
1.1.1.1 192.168.1.2 QM_IDLE 1002 0 ACTIVE HOME-VPN-DVTI-ISAKMP-PROF

IPv6 Crypto ISAKMP SA

router3#

+++++++++
router1:
+++++++++

IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
1.1.1.1 1.1.1.2 QM_IDLE 1002 0 ACTIVE

IPv6 Crypto ISAKMP SA

router1(config-router)#

+++++++++

But from router1 I see that phase 2 failed because of the lines marked in red:

*Mar 1 16:12:08.639: ISAKMP (0:1002): received packet from 1.1.1.2 dport 4500 sport 4500 Global (R) QM_IDLE
*Mar 1 16:12:08.639: ISAKMP: set new node 426859778 to QM_IDLE
*Mar 1 16:12:08.643: ISAKMP:(1002): processing HASH payload. message ID = 426859778
*Mar 1 16:12:08.643: ISAKMP:(1002): processing SA payload. message ID = 426859778
*Mar 1 16:12:08.643: ISAKMP:(1002):Checking IPSec proposal 1
*Mar 1 16:12:08.643: ISAKMP: transform 1, ESP_AES
*Mar 1 16:12:08.647: ISAKMP: attributes in transform:
*Mar 1 16:12:08.647: ISAKMP: encaps is 3 (Tunnel-UDP)
*Mar 1 16:12:08.647: ISAKMP: SA life type in seconds
*Mar 1 16:12:08.647: ISAKMP: SA life duration (basic) of 28800
*Mar 1 16:12:08.647: ISAKMP: SA life type in kilobytes
*Mar 1 16:12:08.647: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Mar 1 16:12:08.647: ISAKMP: authenticator is HMAC-SHA
*Mar 1 16:12:08.647: ISAKMP: key length is 128
*Mar 1 16:12:08.647: ISAKMP:(1002):atts are acceptable.
*Mar 1 16:12:08.647: ISAKMP:(1002): IPSec policy invalidated proposal with error 32
*Mar 1 16:12:08.647: ISAKMP:(1002): phase 2 SA policy not acceptable! (local 1.1.1.1 remote 1.1.1.2)
*Mar 1 16:12:08.647: ISAKMP: set new node 1098450434 to QM_IDLE
*Mar 1 16:12:08.647: ISAKMP:(1002):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 1722263696, message ID = 1098450434
*Mar 1 16:12:08.647: ISAKMP:(1002): sending packet to 1.1.1.2 my_port 4500 peer_port 4500 (R) QM_IDLE

Could you point me to the reason?


Thank you!

1 Accepted Solution

Hi Terry,
R2 would NAT the traffic from R3 to R1 as 1.1.1.2, but R3 would never identify itself to R1 from the address of 1.1.1.2. Use a configurable value such as the hostname for R3 to identify itself to R1. E.g.

R3 -
crypto isakmp profile HOME-VPN-DVTI-ISAKMP-PROF
self-identity fqdn R3.lab.net

R1 -
crypto isakmp profile HUB-IKE-PROFILE
match identity user-fqdn R3.lab.net

HTH

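An added checker (hypothetical Python, not IOS or the thread's own code) that models why the hub's address-based match never selects the ISAKMP profile: the spoke's IKE identity is its pre-NAT tunnel source, while the hub matches on the NAT'd address 1.1.1.2, and the name-based identity from the accepted answer sidesteps that. The profiles are constructed excerpts of the thread's configs; name-based match kinds are compared by exact string, without modelling IOS's distinct FQDN identity types.

```python
import ipaddress
import re

# Hypothetical checker, not IOS code. Constructed excerpts of the thread's
# hub/spoke profiles ("before") and of the accepted answer's change ("after").
HUB_BEFORE = """crypto isakmp profile HUB-IKE-PROFILE
 keyring HUB-VPN-KEYS
 match identity address 1.1.1.2 255.255.255.255
 virtual-template 2
"""
HUB_AFTER = HUB_BEFORE + " match identity user-fqdn R3.lab.net\n"
SPOKE_BEFORE = """crypto isakmp profile HOME-VPN-DVTI-ISAKMP-PROF
 keyring HOME-VPN-DVTI-KEYRING
 match identity address 1.1.1.1 255.255.255.255
"""
SPOKE_AFTER = SPOKE_BEFORE + " self-identity fqdn R3.lab.net\n"
SPOKE_TUNNEL_SOURCE = "192.168.1.2"  # router3 fa 0/0, behind router2's NAT
NAT_PUBLIC = "1.1.1.2"               # outer source address router1 sees

def spoke_identity(spoke_cfg, tunnel_source):
    """IKE ID payload the spoke sends: the configured self-identity, else its
    own pre-NAT tunnel source. NAT rewrites the IP header, not the ID payload."""
    m = re.search(r"self-identity\s+(fqdn|user-fqdn)\s+(\S+)", spoke_cfg)
    return (m.group(1), m.group(2)) if m else ("address", tunnel_source)

def hub_match_clauses(hub_cfg):
    """(kind, value, mask) for every 'match identity' line; mask may be ''."""
    return re.findall(
        r"match identity\s+(\S+)\s+(\S+)(?:\s+(\d+\.\d+\.\d+\.\d+))?", hub_cfg)

def profile_selected(identity, clauses):
    """True if a clause accepts the identity; name kinds compare by string."""
    kind, value = identity
    for ckind, cval, mask in clauses:
        if ckind == "address":
            if kind != "address":
                continue
            net = ipaddress.ip_network(f"{cval}/{mask or '255.255.255.255'}", strict=False)
            if ipaddress.ip_address(value) in net:
                return True
        elif kind != "address" and cval == value:
            return True
    return False

def diagnose(spoke_cfg, hub_cfg):
    """(identity sent, profile selected). With no profile selected the hub has
    no virtual-template to bind the IPsec SA to, so phase 2 is refused."""
    ident = spoke_identity(spoke_cfg, SPOKE_TUNNEL_SOURCE)
    return ident, profile_selected(ident, hub_match_clauses(hub_cfg))
```

The hub's address clause would accept 1.1.1.2 only if the spoke claimed that identity, which a spoke behind NAT never does; that is what the name-based identity fixes.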
Hi RJI.

Your explanation makes sense. Thank you for the help.