04-16-2009 01:08 AM - edited 02-21-2020 04:12 PM
Hello,
I have a problem with an IPSec tunnel between an 877W router and an 1812 router. Configuration on both routers seems to be OK since the tunnel comes up, but it goes down after a while. I get these logs:
040687: *Apr 16 10:50:44.415 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer X.X.X.X)
040688: *Apr 16 10:50:57.867 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer X.X.X.X)
The 1812 router is terminating 2 IPSec tunnels, and the second one is working fine. The 877W is behind another router which is performing NAT. Is there something special in this configuration?
Any tips or ideas?
Thanks for your help,
Vincent
04-16-2009 04:42 AM
The device that is performing NAT needs to forward the following:
UDP 500
UDP 4500
Protocol 50
HTH
04-16-2009 04:50 AM
The device that is performing NAT is already redirecting every port to the 877W router.
04-16-2009 04:54 AM
The output of the logs indicate no reply from the remote end.
Debug the remote end when you try and initiate a VPN connection.
HTH
04-17-2009 12:15 AM
Tunnel has been up during the night but just went down. I attach the logs from "debug crypto isakmp".
It appears that the router is trying to establish an ISAKMP SA on UDP port 500 even though we're NATed, and doesn't try to rebuild it on UDP port 4500. Both isakmp and non500-isakmp are allowed in the ACL applied on both sides' interfaces.
04-17-2009 12:20 AM
UDP 4500 is NAT-T; this is negotiated for the IPSEC VPN operation after ISAKMP Phase 1 and IPSEC Phase 2 have been successfully negotiated.
Your logs indicate ISAKMP is not completing.
UDP 500 is ISAKMP.
I suggest you double check all configuration.
04-17-2009 12:45 AM
I checked my configuration and there is a matching isakmp policy. Here is the result of "show crypto isakmp policy" on both routers:
prtratalys01#sh crypto isakmp policy
Global IKE policy
Protection suite of priority 2
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 28800 seconds, no volume limit
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
--------------------------------------------------
877-StPathus#sh crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
04-17-2009 12:49 AM
Looks OK - policy 10 on the 877 device matches priority 10 on the other device.
Now I suggest you double check any devices "in front" of the VPN devices to make sure all access is unrestricted for VPNs.
04-17-2009 01:35 AM
The 1812 router is directly on the Internet and the 877 router is passing through a business Livebox (from the French ISP Orange). I will check if there is any access limitation on this device.
04-22-2009 08:10 AM
The NAT-enabled device between the router and the Internet doesn't filter any kind of traffic. Actually there was another tunnel going through it before configuring this one.
04-22-2009 01:29 PM
Have you debugged the remote end to confirm the requests are reaching the remote end?
04-23-2009 07:03 AM
Yes, they are. The first logs I sent to this post were from the remote end:
040687: *Apr 16 10:50:44.415 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer X.X.X.X)
040688: *Apr 16 10:50:57.867 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer X.X.X.X)
04-23-2009 07:07 AM
Post your configs for review.
04-24-2009 04:41 AM
04-27-2009 12:55 AM
I just figured out what the problem was. I added on both routers the global configuration command "crypto ipsec nat-transparency spi-matching". The VPN tunnel has now been up since Friday without any problem.
Thanks Andrew,
Vincent
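For reference, here is what a minimal IOS configuration for the head-end side of a site-to-site tunnel with a NATed peer looks like, pulling together the points raised in this thread: a matching Phase 1 policy, the inbound ACL that admits IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50), NAT-T keepalives, and the "crypto ipsec nat-transparency spi-matching" command that resolved the problem. This is an added example and not the configuration from either router in the thread; the hostnames, interface name, addresses (RFC 5737 documentation ranges), ACL names, transform-set name and pre-shared key are placeholders. The NATed 877 side would mirror it with the peer addresses swapped.

```cisco
! Added example, not the poster's running config. All names, addresses
! and the key below are placeholders.
!
! Phase 1 (ISAKMP) policy. This must match a policy on the peer; the
! thread's priority 10 (AES-128 / SHA / PSK / DH group 2) does.
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! The key is bound to the peer's public (post-NAT) address, which is the
! source address the head-end actually sees.
crypto isakmp key 0 ExamplePSK-ChangeMe address 203.0.113.10
!
! NAT-T keepalives keep the NAT device's UDP 4500 binding alive while the
! tunnel is idle, so the NATed peer stays reachable.
crypto isakmp nat keepalive 20
!
! The fix found in this thread: use the same SPI value in both directions
! so a NAT device that tracks IPsec sessions by SPI can correlate the
! inbound and outbound traffic of one SA.
crypto ipsec nat-transparency spi-matching
!
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES-SHA
 match address VPN-TRAFFIC
!
! Interesting traffic: the two LANs behind the routers (placeholders).
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Inbound filter on the Internet-facing interface: IKE on UDP 500,
! NAT-T on UDP 4500 (non500-isakmp) and ESP (IP protocol 50) from the peer.
! Dropping any one of these produces the "Death by retransmission P1"
! symptom on the side that never gets an answer.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.10 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.10 host 198.51.100.1
!
interface FastEthernet0
 ip address 198.51.100.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map VPN
```

After applying it, "show crypto isakmp sa" should show the peer in QM_IDLE, and "show crypto ipsec sa" should list the SA with a UDP-encapsulated (NAT-T) path once the NATed peer has been detected; if Phase 1 still dies by retransmission, the packets are not reaching the other end and the NAT device or an upstream filter is the place to look, as the thread suggests.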