IPsec built-in NT VPN client to IOS router

paul (Level 1)

Hi,

Sorry for the long post.

I have a Cisco 831 router which I am trying to configure so that NT/2k/xp clients can VPN in using the built-in VPN client. The following config works using a pre-shared key but does not when using certificates. A 2000 server has been set up as a CA and both the client and the router have certificates from this CA. No changes are made apart from crypto isakmp policy 1 having auth pre-share when it does work. Any ideas?

sh ver -

Cisco Internetwork Operating System Software
IOS (tm) C831 Software (C831-K9O3Y6-M), Version 12.2(8)YN, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.2(11.2u)T
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Wed 30-Oct-02 15:18 by ealyon
Image text-base: 0x800131D8, data-base: 0x8085AEE4
ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
ROM: C831 Software (C831-K9O3Y6-M), Version 12.2(8)YN, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

sh run -

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Dro1-831
!
enable password 7 12090404011C03162E
!
username nordic password 7 140713181F13253920
clock timezone GMT 0
ip subnet-zero
no ip domain lookup
ip domain name nordic.local
ip host nordic-CA 10.0.46.26
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
crypto ca trustpoint nordic-CA
 enrollment mode ra
 enrollment url http://nordic-CA:80/certsrv/mscep/mscep.dll
 crl optional
crypto ca certificate chain nordic-CA
 certificate 150EF4C700000000000B
  3082053F 308204E9 A0030201 02020A15 0EF4C700 00000000 0B300D06 092A8648
  86F70D01 01050500 30818831 27302506 092A8648 86F70D01 09011618 74656368
  6E696361 6C406E6F 72646963 64617461 2E636F6D 310B3009 06035504 06130247
  <SNIP>
!
crypto isakmp policy 1
 hash md5
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set VPN-3des ah-md5-hmac esp-3des esp-md5-hmac
 mode transport
!
crypto dynamic-map VPN 10
 set transform-set VPN-3des
!
!
crypto map l2tp 10 ipsec-isakmp dynamic VPN
!
!
!
!
interface Ethernet0
 ip address 172.16.1.0 255.255.0.0
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
!
interface Ethernet1
 ip address 10.0.0.254 255.255.0.0
 no cdp enable
 crypto map l2tp
!
interface Virtual-Template1
 ip unnumbered Ethernet0
 peer default ip address pool default
 compress mppc
 ppp authentication ms-chap-v2
!
ip local pool default 172.16.1.25 172.16.1.50
ip classless
ip http server
!
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 password 7 095E4B04161112
 login local
!
scheduler max-task-time 5000
end

sh debug of XP client using certificates trying to connect.

02:50:20: ISAKMP (0:0): received packet from 10.0.0.38 dport 500 sport 500 (N) NEW SA
02:50:20: ISAKMP: local port 500, remote port 500
02:50:20: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
02:50:20: ISAKMP (0:1): Old State = IKE_READY New State = IKE_R_MM1
02:50:20: ISAKMP (0:1): processing SA payload. message ID = 0
02:50:20: ISAKMP (0:1): processing vendor id payload
02:50:20: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major
02:50:20: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
02:50:20: ISAKMP: encryption 3DES-CBC
02:50:20: ISAKMP: hash SHA
02:50:20: ISAKMP: default group 2
02:50:20: ISAKMP: auth RSA sig
02:50:20: ISAKMP: life type in seconds
02:50:20: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
02:50:20: ISAKMP (0:1): Encryption algorithm offered does not match policy!
02:50:20: ISAKMP (0:1): atts are not acceptable. Next payload is 3
02:50:20: ISAKMP (0:1): Checking ISAKMP transform 2 against priority 1 policy
02:50:20: ISAKMP: encryption 3DES-CBC
02:50:20: ISAKMP: hash MD5
02:50:20: ISAKMP: default group 2
02:50:20: ISAKMP: auth RSA sig
02:50:20: ISAKMP: life type in seconds
02:50:20: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
02:50:20: ISAKMP (0:1): Encryption algorithm offered does not match policy!
02:50:20: ISAKMP (0:1): atts are not acceptable. Next payload is 3
02:50:20: ISAKMP (0:1): Checking ISAKMP transform 3 against priority 1 policy
02:50:20: ISAKMP: encryption DES-CBC
02:50:20: ISAKMP: hash SHA
02:50:20: ISAKMP: default group 1
02:50:20: ISAKMP: auth RSA sig
02:50:20: ISAKMP: life type in seconds
02:50:20: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
02:50:20: ISAKMP (0:1): Hash algorithm offered does not match policy!
02:50:20: ISAKMP (0:1): atts are not acceptable. Next payload is 3
02:50:20: ISAKMP (0:1): Checking ISAKMP transform 4 against priority 1 policy
02:50:20: ISAKMP: encryption DES-CBC
02:50:20: ISAKMP: hash MD5
02:50:20: ISAKMP: default group 1
02:50:20: ISAKMP: auth RSA sig
02:50:20: ISAKMP: life type in seconds
02:50:20: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
02:50:20: ISAKMP (0:1): atts are acceptable. Next payload is 0
02:50:20: ISAKMP (0:1): processing vendor id payload
02:50:20: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major
02:50:20: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
02:50:20: ISAKMP (0:1): Old State = IKE_R_MM1 New State = IKE_R_MM1
02:50:20: ISAKMP (0:1): sending packet to 10.0.0.38 my_port 500 peer_port 500 (R) MM_SA_SETUP
02:50:20: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
02:50:20: ISAKMP (0:1): Old State = IKE_R_MM1 New State = IKE_R_MM2
02:50:20: ISAKMP (0:1): received packet from 10.0.0.38 dport 500 sport 500 (R) MM_SA_SETUP
02:50:20: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
02:50:20: ISAKMP (0:1): Old State = IKE_R_MM2 New State = IKE_R_MM3
02:50:20: ISAKMP (0:1): processing KE payload. message ID = 0
02:50:21: ISAKMP (0:1): processing NONCE payload. message ID = 0
02:50:21: ISAKMP (0:1): SKEYID state generated
02:50:21: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
02:50:21: ISAKMP (0:1): Old State = IKE_R_MM3 New State = IKE_R_MM3
02:50:21: ISAKMP (0:1): sending packet to 10.0.0.38 my_port 500 peer_port 500 (R) MM_KEY_EXCH
02:50:21: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
02:50:21: ISAKMP (0:1): Old State = IKE_R_MM3 New State = IKE_R_MM4
02:50:21: ISAKMP (0:1): received packet from 10.0.0.38 dport 500 sport 500 (R) MM_KEY_EXCH
02:50:21: %HIFN79XX-1-PKTENGRET_ERROR: Hifn79xx PktEng Return Value = 0x25, Hifn79xx_PktEngReturn_InvalidArgument_SourceDataBufferExceedsMTU.
02:50:21: %HIFN79XX-3-CMD_ERR: Hifn 79XX command returned error: (0x1001)
02:50:21: chifn79xx_lopri_error: unknown error 0x1001
02:50:21: IPSECcard: an error coming back 1001
02:50:21: %CRYPTO-6-IKMP_CRYPT_FAILURE: IKE (connection id 1) unable to decrypt packet
02:50:21: ISAKMP (0:1): incrementing error counter on sa: ce_decrypt failed
02:50:22: ISAKMP (0:1): received packet from 10.0.0.38 dport 500 sport 500 (R) MM_KEY_EXCH
02:50:22: %HIFN79XX-1-PKTENGRET_ERROR: Hifn79xx PktEng Return Value = 0x25, Hifn79xx_PktEngReturn_InvalidArgument_SourceDataBufferExceedsMTU.
02:50:22: %HIFN79XX-3-CMD_ERR: Hifn 79XX command returned error: (0x1001)
02:50:22: chifn79xx_lopri_error: unknown error 0x1001
02:50:22: IPSECcard: an error coming back 1001
02:50:22: %CRYPTO-6-IKMP_CRYPT_FAILURE: IKE (connection id 1) unable to decrypt packet
02:50:22: ISAKMP (0:1): incrementing error counter on sa: ce_decrypt failed
02:50:24: ISAKMP (0:1): received packet from 10.0.0.38 dport 500 sport 500 (R) MM_KEY_EXCH
02:50:24: %HIFN79XX-1-PKTENGRET_ERROR: Hifn79xx PktEng Return Value = 0x25, Hifn79xx_PktEngReturn_InvalidArgument_SourceDataBufferExceedsMTU.
02:50:24: %HIFN79XX-3-CMD_ERR: Hifn 79XX command returned error: (0x1001)
02:50:24: chifn79xx_lopri_error: unknown error 0x1001
02:50:24: IPSECcard: an error coming back 1001
02:50:24: %CRYPTO-6-IKMP_CRYPT_FAILURE: IKE (connection id 1) unable to decrypt packet
02:50:24: ISAKMP (0:1): incrementing error counter on sa: ce_decrypt failed
02:50:27: ISAKMP (0:1): received packet from 10.0.0.38 dport 500 sport 500 (R) MM_KEY_EXCH
02:50:27: ISAKMP: set new node -1984706613 to QM_IDLE
02:50:27: ISAKMP: reserved not zero on HASH payload!
02:50:27: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.0.0.38 failed its sanity check or is malformed
02:50:27: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
02:50:28: ISAKMP (0:1): retransmitting phase 2 MM_KEY_EXCH -1984706613 ...
02:50:28: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
02:50:28: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
02:50:28: ISAKMP (0:1): no outgoing phase 2 packet to retransmit. -1984706613 MM

Reply

gfullage (Cisco Employee)

I did a search on those errors and didn't find anything, so you might have found a new bug. Particularly the "Hifn79xx_PktEngReturn_InvalidArgument_SourceDataBufferExceedsMTU" message doesn't seem to have been seen before, but looks to point to an MTU issue. What's probably happening is that the certificate is being sent, it's bigger than the MTU and has to be fragmented, which the router doesn't like (or is not doing properly). With pre-shared keys you wouldn't get this happening.

You could try lowering the MTU on the 831's interface and on the PC and see if that makes any difference. Set it to 1400 and then lower down gradually if it doesn't work. If you get to 1000 or so and it's still not working then there's probably something else going on, and I would suggest opening a TAC case so they can investigate it further.
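As an added illustration of the MTU explanation in the reply above (example code written for this edit, not part of the thread or of any Cisco tool): it reads the DER length from the first hex words of the router certificate shown in the config, estimates how large the IKEv1 main-mode message carrying a certificate of that size plus an RSA signature would be, and reports whether it has to be IP-fragmented at a given MTU. The client's certificate size (the router's own is used as a stand-in), the ID payload length and a 1024-bit RSA signature are assumptions.

```python
# Constructed input: the first hex words of the router certificate from the
# "sh run" output above; the DER header alone is enough to learn its length.
CERT_HEX = "3082053F 308204E9 A0030201 02020A15 0EF4C700 00000000 0B300D06 092A8648"

IP_HDR, UDP_HDR, ISAKMP_HDR = 20, 8, 28   # IPv4 + UDP + fixed ISAKMP header
GENERIC_PAYLOAD_HDR = 4                   # next-payload, reserved, length


def der_total_length(hex_words: str) -> int:
    """Total byte length of a DER SEQUENCE (tag + length field + content)
    from its leading bytes; handles short and long-form lengths."""
    raw = bytes.fromhex(hex_words.replace(" ", ""))
    if raw[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = raw[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    return 2 + n + int.from_bytes(raw[2:2 + n], "big")


def main_mode_msg5_size(cert_len: int, id_len: int = 8, sig_len: int = 128) -> int:
    """Estimated on-wire size of IKEv1 main-mode message 5/6 with RSA-sig auth:
    ID + CERT (1-byte encoding type + DER cert) + SIG payloads, encrypted body
    padded to an 8-byte DES/3DES block. id_len and sig_len are assumptions."""
    body = (GENERIC_PAYLOAD_HDR + id_len
            + GENERIC_PAYLOAD_HDR + 1 + cert_len
            + GENERIC_PAYLOAD_HDR + sig_len)
    body += (-body) % 8                    # cipher block padding
    return IP_HDR + UDP_HDR + ISAKMP_HDR + body


def fragments_needed(packet_len: int, mtu: int) -> int:
    """IPv4 fragments needed to carry a datagram of packet_len through a link
    with this MTU (fragment data must be a multiple of 8 bytes)."""
    if packet_len <= mtu:
        return 1
    per_frag = (mtu - IP_HDR) // 8 * 8
    return -(-(packet_len - IP_HDR) // per_frag)


if __name__ == "__main__":
    cert_len = der_total_length(CERT_HEX)
    size = main_mode_msg5_size(cert_len)
    print(f"certificate DER length: {cert_len} bytes")
    for mtu in (1500, 1400, 1000):
        print(f"MM5 ~{size} bytes at MTU {mtu}: {fragments_needed(size, mtu)} fragment(s)")
```

With a pre-shared key message 5 carries only ID and HASH payloads, so it stays well under 1500 bytes, which is why the same config does not hit the fragmentation path.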