IOS VPN with Verizon using a netscreen

mdrake007
Level 1

I am connecting a VPN using a 3825 (IOS version 12.4(15)T14) with Verizon, who are using a NetScreen (below is my config).

1st - I have never set up a VPN where the peer address and the host allowed address are the same. Is that allowed?

2nd - I do not have access to Verizon's NetScreen, so I can only assume they have the config correct. The VPN tunnels are not coming up. Here is the output of my "debug cry isa".

Any input would be appreciated. Thanks, Mark

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ***** address 63.110.103.238
crypto isakmp key ***** address 65.211.121.238
crypto isakmp key ***** address 63.77.77.238
crypto isakmp key ***** address 65.243.173.238
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ipcom esp-3des esp-md5-hmac
!
crypto map sip 10 ipsec-isakmp
description RTO
set peer 63.110.103.238
set transform-set ipcom
set pfs group2
match address 120
crypto map sip 20 ipsec-isakmp
description ELB
set peer 65.211.121.238
set transform-set ipcom
set pfs group2
match address 121
crypto map sip 30 ipsec-isakmp
description DNG
set peer 63.77.77.238
set transform-set ipcom
set pfs group2
match address 122
crypto map sip 40 ipsec-isakmp
description HSJ
set peer 65.243.173.238
set transform-set ipcom
set pfs group2
match address 123
!
interface GigabitEthernet0/0
ip address 65.196.179.17 255.255.255.240
duplex auto
speed auto
media-type rj45

!

interface Serial1/0
mtu 1476
ip address 157.130.81.18 255.255.255.252
encapsulation ppp
dsu bandwidth 44210
crypto map sip

access-list 120 permit ip host 157.130.81.18 65.210.178.0 0.0.0.127
access-list 121 permit ip host 157.130.81.18 63.118.90.0 0.0.0.127
access-list 122 permit ip host 157.130.81.18 63.87.16.0 0.0.0.127
access-list 123 permit ip host 157.130.81.18 63.97.104.0 0.0.0.127

*****************************************************************************************************

GA181DR-SIPGW#ping 63.97.104.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 63.97.104.1, timeout is 2 seconds:

*Oct 26 17:48:41.747: ISAKMP:(0): SA request profile is (NULL)
*Oct 26 17:48:41.747: ISAKMP: Created a peer struct for 65.243.173.238, peer port 500
*Oct 26 17:48:41.747: ISAKMP: New peer created peer = 0x6858276C peer_handle = 0x80000010
*Oct 26 17:48:41.747: ISAKMP: Locking peer struct 0x6858276C, refcount 1 for isakmp_initiator
*Oct 26 17:48:41.747: ISAKMP: local port 500, remote port 500
*Oct 26 17:48:41.747: ISAKMP: set new node 0 to QM_IDLE     
*Oct 26 17:48:41.747: insert sa successfully sa = 685ACE80
*Oct 26 17:48:41.747: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Oct 26 17:48:41.747: ISAKMP:(0):found peer pre-shared key matching 65.243.173.238
*Oct 26 17:48:41.747: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Oct 26 17:48:41.747: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Oct 26 17:48:41.747: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Oct 26 17:48:41.747: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Oct 26 17:48:41.747: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Oct 26 17:48:41.747: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Oct 26 17:48:41.747: ISAKMP:(0): beginning Main Mode exchange
*Oct 26 17:48:41.747: ISAKMP:(0): sending packet to 65.243.173.238 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 26 17:48:41.747: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 26 17:48:41.771: ISAKMP (0:0): received packet from 65.243.173.238 dport 500 sport 500 Global (I) MM_NO_STATE
*Oct 26 17:48:41.771: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 26 17:48:41.771: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Oct 26 17:48:41.771: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 26 17:48:41.771: ISAKMP:(0): processing vendor id payload
*Oct 26 17:48:41.771: ISAKMP:(0): vendor ID seems Unity/DPD but major 116 mismatch
*Oct 26 17:48:41.771: ISAKMP:(0): processing vendor id payload
*Oct 26 17:48:41.771: ISAKMP:(0): vendor ID is DPD
*Oct 26 17:48:41.771: ISAKMP:(0): processing vendor id payload
*Oct 26 17:48:41.771: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 26 17:48:41.771: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 26 17:48:41.771: ISAKMP:(0):found peer pre-shared key matching 65.243.173.238
*Oct 26 17:48:41.771: ISAKMP:(0): local preshared key found
*Oct 26 17:48:41.771: ISAKMP : Scanning profiles for xauth ...
*Oct 26 17:48:41.771: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct 26 17:48:41.771: ISAKMP:      encryption 3DES-CBC
*Oct 26 17:48:41.771: ISAKMP:      hash MD5
*Oct 26 17:48:41.771: ISAKMP:      default group 2
*Oct 26 17:48:41.771: ISAKMP:      auth pre-share
*Oct 26 17:48:41.771: ISAKMP:      life type in seconds
*Oct 26 17:48:41.771: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Oct 26 17:48:41.771: ISAKMP:(0):atts are acceptable. Next payload is 0
*Oct 26 17:48:41.771: ISAKMP:(0):Acceptable atts:actual life: 0
*Oct 26 17:48:41.771: ISAKMP:(0):Acceptable atts:life: 0
*Oct 26 17:48:41.771: ISAKMP:(0):Fill atts in sa vpi_length:4
*Oct 26 17:48:41.771: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Oct 26 17:48:41.771: ISAKMP:(0):Returning Actual lifetime: 86400
*Oct 26 17:48:41.771: ISAKMP:(0)::Started lifetime timer: 86400.

*Oct 26 17:48:41.771: ISAKMP:(0): processing vendor id payload
*Oct 26 17:48:41.771: ISAKMP:(0): vendor ID seems Unity/DPD but major 116 mismatch
*Oct 26 17:48:41.771: ISAKMP:(0): processing vendor id payload
*Oct 26 17:48:41.771: ISAKMP:(0): vendor ID is DPD
*Oct 26 17:48:41.771: ISAKMP:(0): processing vendor id payload
*Oct 26 17:48:41.771: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 26 17:48:41.771: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 26 17:48:41.771: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 26 17:48:41.771: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Oct 26 17:48:41.771: ISAKMP:(0): sending packet to 65.243.173.238 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Oct 26 17:48:41.771: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 26 17:48:41.775: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 26 17:48:41.775: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Oct 26 17:48:41.799: ISAKMP (0:0): received packet from 65.243.173.238 dport 500 sport 500 Global (I) MM_SA_SETUP
*Oct 26 17:48:41.799: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 26 17:48:41.799: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Oct 26 17:48:41.799: ISAKMP:(0): processing KE payload. message ID = 0
*Oct 26 17:48:41.815: ISAKMP:(0): processing NONCE payload. message ID = 0
*Oct 26 17:48:41.815: ISAKMP:(0):found peer pre-shared key matching 65.243.173.238
*Oct 26 17:48:41.815: ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 26 17:48:41.815: ISAKMP:(1019):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Oct 26 17:48:41.815: ISAKMP:(1019):Send initial contact
*Oct 26 17:48:41.815: ISAKMP:(1019):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Oct 26 17:48:41.815: ISAKMP (0:1019): ID payload
next-payload : 8
type         : 1
address      : 157.130.81.18
protocol     : 17
port         : 500
length       : 12
*Oct 26 17:48:41.815: ISAKMP:(1019):Total payload length: 12
*Oct 26 17:48:41.815: ISAKMP:(1019): sending packet to 65.243.173.238 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Oct 26 17:48:41.815: ISAKMP:(1019):Sending an IKE IPv4 Packet.
*Oct 26 17:48:41.819: ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 26 17:48:41.819: ISAKMP:(1019):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Oct 26 17:48:41.843: ISAKMP (0:1019): received packet from 65.243.173.238 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Oct 26 17:48:41.843: ISAKMP:(1019): processing ID payload. message ID = 0
*Oct 26 17:48:41.843: ISAKMP (0:1019): ID payload
next-payload : 8
type         : 1
address      : 65.243.173.238
protocol     : 17
port         : 500
length       : 12
*Oct 26 17:48:41.843: ISAKMP:(0):: peer matches *none* of the profiles
*Oct 26 17:48:41.843: ISAKMP:(1019): processing HASH payload. message ID = 0
*Oct 26 17:48:41.843: ISAKMP:(1019):SA authentication status:
authenticated
*Oct 26 17:48:41.843: ISAKMP:(1019):SA has been authenticated with 65.243.173.238
*Oct 26 17:48:41.843: ISAKMP: Trying to insert a peer 157.130.81.18/65.243.173.238/500/,  and inserted successfully 6858276C.
*Oct 26 17:48:41.843: ISAKMP:(1019):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 26 17:48:41.843: ISAKMP:(1019):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Oct 26 17:48:41.843: ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 26 17:48:41.843: ISAKMP:(1019):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Oct 26 17:48:41.843: ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 26 17:48:41.843: ISAKMP:(1019):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Oct 26 17:48:41.843: ISAKMP:(1019):beginning Quick Mode exchange, M-ID of -1963830852
*Oct 26 17:48:41.859: ISAKMP:(1019):QM Initiator gets spi
*Oct 26 17:48:41.859: ISAKMP:(1019): sending packet to 65.243.173.238 my_port 500 peer_port 500 (I) QM_IDLE     
*Oct 26 17:48:41.859: ISAKMP:(1019):Sending an IKE IPv4 Packet.
*Oct 26 17:48:41.859: ISAKMP:(1019):Node -1963830852, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Oct 26 17:48:41.859: ISAKMP:(1019):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Oct 26 17:48:41.859: ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Oct 26 17:48:41.859: ISAKMP:(1019):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Oct 26 17:48:41.883: ISAKMP (0:1019): received packet from 65.243.173.238 dport 500 sport 500 Global (I) QM_IDLE     
*Oct 26 17:48:41.883: ISAKMP: set new node -935422199 to QM_IDLE     
*Oct 26 17:48:41.883: ISAKMP:(1019): processing HASH payload. message ID = -935422199
*Oct 26 17:48:41.883: ISAKMP:(1019): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1
spi 0, message ID = -935422199, sa = 685ACE80
*Oct 26 17:48:41.883: ISAKMP:(1019):peer does not do paranoid keepalives.

*Oct 26 17:48:41.883: ISAKMP:(1019):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 65.243.173.238)
*Oct 26 17:48:41.883: ISAKMP:(1019):deleting node -935422199 error FALSE reason "Informational (in) state 1"
*Oct 26 17:48:41.883: ISAKMP:(1019):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 26 17:48:41.883: ISAKMP:(1019):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Oct 26 17:48:41.883: ISAKMP: set new node 1290736624 to QM_IDLE     
*Oct 26 17:48:41.883: ISAKMP:(1019): sending packet to 65.243.173.238 my_port 500 peer_port 500 (I) QM_IDLE     
*Oct 26 17:48:41.883: ISAKMP:(1019):Sending an IKE IPv4 Packet.
*Oct 26 17:48:41.883: ISAKMP:(1019):purging node 1290736624
*Oct 26 17:48:41.883: ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 26 17:48:41.883: ISAKMP:(1019):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Oct 26 17:48:41.883: ISAKMP:(1019):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 65.243.173.238)
*Oct 26 17:48:41.883: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
*Oct 26 17:48:41.883: ISAKMP: Unlocking peer struct 0x6858276C for isadb_mark_sa_deleted(), count 0
*Oct 26 17:48:41.883: ISAKMP: Deleting peer node by peer_reap for 65.243.173.238: 6858276C
*Oct 26 17:48:41.887: ISAKMP:(1019):deleting node -1963830852 error FALSE reason "IKE deleted"
*Oct 26 17:48:41.887: ISAKMP:(1019):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 26 17:48:41.887: ISAKMP:(1019):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
.....
Success rate is 0 percent (0/5)
GA181DR-SIPGW#sh cry ses     
Crypto session current status

Interface: Serial1/0
Session status: DOWN-NEGOTIATING
Peer: 65.243.173.238 port 500
  IKE SA: local 157.130.81.18/500 remote 65.243.173.238/500 Inactive
  IPSEC FLOW: permit ip host 157.130.81.18 63.97.104.0/255.255.255.128
        Active SAs: 0, origin: crypto map

Interface: Serial1/0
Session status: DOWN
Peer: 65.211.121.238 port 500
  IPSEC FLOW: permit ip host 157.130.81.18 63.118.90.0/255.255.255.128
        Active SAs: 0, origin: crypto map

Interface: Serial1/0
Session status: DOWN
Peer: 63.77.77.238 port 500
  IPSEC FLOW: permit ip host 157.130.81.18 63.87.16.0/255.255.255.128
        Active SAs: 0, origin: crypto map

Interface: Serial1/0
Session status: DOWN
Peer: 63.110.103.238 port 500
  IPSEC FLOW: permit ip host 157.130.81.18 65.210.178.0/255.255.255.128
        Active SAs: 0, origin: crypto map

GA181DR-SIPGW#

7 Replies

Yudong Wu
Level 7

Based on log, Phase1 came up fine. You need check with VZ to see why netscreen box rejected your phase 2 proposal.

Yes, I can see phase 1 come up. I know the config is good; I'm just wondering if there was something special that would need to be done to connect to a NetScreen. Also, do you know the answer to my 1st question: is it OK to have the peer IP address and the "host allowed" be the same IP?

I think it's OK to use the same IP, but I am not sure what the design is here. Will all VPN traffic be initiated from this router with the source IP "157.130.81.18"?

By the way, you might enable "debug cry ipsec" as well to see what error you get.

This is used for SIP terminating on this router and being converted to TDM out T1s.  So all the traffic will originate from this router out the Serial interface.

OK, thanks. That makes sense. Using the same IP should be OK.

Can you run a "deb cry ipsec" to see what the phase 2 error is?

Here it is

GA181DR-SIPGW#ping 63.118.90.1 

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 63.118.90.1, timeout is 2 seconds:

*Oct 26 19:54:54.911: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 157.130.81.18, remote= 65.211.121.238,
    local_proxy= 157.130.81.18/255.255.255.255/0/0 (type=1),
    remote_proxy= 63.118.90.0/255.255.255.128/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 86400s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Oct 26 19:54:55.051: IPSEC(key_engine): got a queue event with 1 KMI message(s).....
Success rate is 0 percent (0/5)
GA181DR-SIPGW#
*Oct 26 19:55:09.483: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 157.130.81.18, remote= 65.243.173.238,
    local_proxy= 157.130.81.18/255.255.255.255/0/0 (type=1),
    remote_proxy= 63.97.104.0/255.255.255.128/0/0 (type=4)
*Oct 26 19:55:24.911: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 157.130.81.18, remote= 65.211.121.238,
    local_proxy= 157.130.81.18/255.255.255.255/0/0 (type=1),
    remote_proxy= 63.118.90.0/255.255.255.128/0/0 (type=4)
*Oct 26 19:55:24.911: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 157.130.81.18, remote= 65.211.121.238,
    local_proxy= 157.130.81.18/255.255.255.255/0/0 (type=1),
    remote_proxy= 63.118.90.0/255.255.255.128/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 86400s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Oct 26 19:55:25.051: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*******************************************************************************************************

Here is the "debug cry eng" as well.

GA181DR-SIPGW#ping 63.97.104.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 63.97.104.1, timeout is 2 seconds:

*Oct 26 19:56:23.859: crypto_engine: Create DH shared secret
*Oct 26 19:56:23.875: crypto_engine: Create IKE SA
*Oct 26 19:56:23.875: crypto engine: deleting DH phase 2 SW:94
*Oct 26 19:56:23.875: crypto_engine: Delete DH shared secret
*Oct 26 19:56:23.875: crypto_engine: Generate IKE hash
*Oct 26 19:56:23.875: crypto_engine: Encrypt IKE packet
*Oct 26 19:56:23.903: crypto_engine: Decrypt IKE packet
*Oct 26 19:56:23.903: crypto_engine: Generate IKE hash
*Oct 26 19:56:23.903: crypto_engine: Create DH
*Oct 26 19:56:23.919: crypto_engine: Generate IKE hash
*Oct 26 19:56:23.919: crypto_engine: Encrypt IKE packet
*Oct 26 19:56:23.943: crypto_engine: Decrypt IKE packet
*Oct 26 19:56:23.943: crypto_engine: Generate IKE hash
*Oct 26 19:56:23.943: crypto_engine: Generate IKE hash
*Oct 26 19:56:23.943: crypto_engine: Encrypt IKE packet
*Oct 26 19:56:23.943: crypto engine: deleting IKE SA SW:47
*Oct 26 19:56:23.943: crypto_engine: Delete IKE SA .....
Success rate is 0 percent (0/5)
GA181DR-SIPGW#
*Oct 26 19:56:53.855: crypto_engine: Create DH shared secret
*Oct 26 19:56:53.875: crypto_engine: Create IKE SA
*Oct 26 19:56:53.875: crypto engine: deleting DH phase 2 SW:96
*Oct 26 19:56:53.875: crypto_engine: Delete DH shared secret
*Oct 26 19:56:53.875: crypto_engine: Generate IKE hash
*Oct 26 19:56:53.875: crypto_engine: Encrypt IKE packet
*Oct 26 19:56:53.899: crypto_engine: Decrypt IKE packet
*Oct 26 19:56:53.899: crypto_engine: Generate IKE hash
*Oct 26 19:56:53.903: crypto_engine: Create DH
*Oct 26 19:56:53.915: crypto_engine: Generate IKE hash
*Oct 26 19:56:53.915: crypto_engine: Encrypt IKE packet
*Oct 26 19:56:53.939: crypto_engine: Decrypt IKE packet
*Oct 26 19:56:53.939: crypto_engine: Generate IKE hash
*Oct 26 19:56:53.939: crypto_engine: Generate IKE hash
*Oct 26 19:56:53.943: crypto_engine: Encrypt IKE packet
*Oct 26 19:56:53.943: crypto engine: deleting IKE SA SW:48
*Oct 26 19:56:53.943: crypto_engine: Delete IKE SA

Sorry, I cannot tell the reason from the debug on your side. You have to check it on the NetScreen side.

The router sent an SA request but did not get any response.
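To make the diagnosis in this thread mechanical, here is an added example (not code from the original posts or from Cisco) that walks constructed excerpts of the "debug cry isa" and "debug cry ipsec" output above, separates a phase 1 failure from a phase 2 rejection, and pulls out the proxy IDs the router offers in Quick Mode so they can be compared with what the remote NetScreen is configured to accept. The line formats are assumed from the thread's own debug output.

```python
import re

# Constructed excerpt of the thread's "debug cry isa" output, reduced to the
# lines that decide the diagnosis (the full log is in the original post).
ISAKMP_DEBUG = """\
*Oct 26 17:48:41.747: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Oct 26 17:48:41.843: ISAKMP:(1019):SA has been authenticated with 65.243.173.238
*Oct 26 17:48:41.843: ISAKMP:(1019):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Oct 26 17:48:41.843: ISAKMP:(1019):beginning Quick Mode exchange, M-ID of -1963830852
*Oct 26 17:48:41.883: ISAKMP:(1019): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1
*Oct 26 17:48:41.883: ISAKMP:(1019):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
"""

# Constructed excerpt of the later "debug cry ipsec" output: the proxy IDs the
# router offers in Quick Mode, which the remote side must mirror exactly.
IPSEC_DEBUG = """\
*Oct 26 19:54:54.911: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 157.130.81.18, remote= 65.211.121.238,
    local_proxy= 157.130.81.18/255.255.255.255/0/0 (type=1),
    remote_proxy= 63.118.90.0/255.255.255.128/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
NOTIFY_RE = re.compile(r"processing NOTIFY (\S+) protocol (\d+)")
PEER_RE = re.compile(r"SA has been authenticated with (\d+(?:\.\d+){3})")
PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/\d+/\d+")


def triage_isakmp(text):
    """Report how far IKE got and what stopped it, from ISAKMP debug lines."""
    last_state, peer, reached_p1, notifies = None, None, False, []
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            last_state = m.group(2)
            reached_p1 = reached_p1 or last_state == "IKE_P1_COMPLETE"
        if m := PEER_RE.search(line):
            peer = m.group(1)
        if m := NOTIFY_RE.search(line):
            notifies.append(m.group(1))
    if not reached_p1:
        verdict = f"phase 1 stalled at {last_state}: check ISAKMP policy and pre-shared key"
    elif "PROPOSAL_NOT_CHOSEN" in notifies:
        verdict = ("phase 1 complete, peer rejected the phase 2 proposal: compare "
                   "transform set, PFS group, lifetime and proxy IDs with the remote side")
    else:
        verdict = "phase 1 complete and no phase 2 notify seen: peer is not answering Quick Mode"
    return {"phase1_ok": reached_p1, "peer": peer, "last_state": last_state,
            "notifies": notifies, "verdict": verdict}


def proxy_ids(text):
    """Extract the phase 2 local/remote proxy identities from an IPSEC sa_request."""
    return {side: f"{addr}/{mask}" for side, addr, mask in PROXY_RE.findall(text)}
```

Running `triage_isakmp` over the full log from the first post gives the same verdict as the reply in the thread: phase 1 authenticated, phase 2 refused by the peer with PROPOSAL_NOT_CHOSEN.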