06-08-2011 06:45 AM - edited 02-21-2020 05:23 PM
I have a 3650 router at HQ.
Several 877w routers at shops and office locations.
Offices/shops build the IPSEC VPN tunnel fine. Traffic works in both directions and we enjoy a solid network.
We require 3G backup.
We have purchased several SRP527W with Vodafone 3G USB dongles.
When building the IPSEC tunnel over 3G or ADSL, the tunnel builds and looks like it is connected, but I am unable to ping either way.
The SRP527W has a standard IPSEC config (there doesn't look to be too much you can mess up on).
We have two installed, one with the 3G card ONLY. NAT-T enabled. Internet access works fine. IPSEC connects. No VPN traffic.
DynDNS is implemented and working.
The other config is ADSL only, but has the same issues as above. NAT-T not installed.
Config for HQ:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxx address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto dynamic-map FSTILL01 10
description Tunnel to FSTILL01 roaming 3G
set transform-set ESP-3DES-SHA1
match address FSTILL01-vpn
!
crypto map VPN-TRAFFIC 6 ipsec-isakmp
set peer (EXTERNAL IP)
set transform-set ESP-3DES-SHA1
match address chobham-vpn
crypto map VPN-TRAFFIC 10 ipsec-isakmp dynamic FSTILL01
!
ip access-list extended FSTILL01-vpn
permit ip 192.168.2.0 0.0.0.255 192.168.253.0 0.0.0.255
permit ip host 82.68.139.230 host 10.180.226.227
permit ip host 82.68.139.230 host 10.162.80.164
************(this needs to be dynamic but we are updating manually for testing)***********
ip access-list extended chobham-vpn
permit ip 192.168.2.0 0.0.0.255 192.168.50.0 0.0.0.255
permit ip host (EXTERNAL IP - HQ) host (EXTERNAL IP - REMOTE)
SRP527W firmware on the 3G unit has been updated to .19 to allow NAT-T; the former was .09.
Any ideas?
Matt
06-08-2011 08:32 AM
*Jun 8 15:47:09.060: ISAKMP (0:0): received packet from 212.183.128.0 dport 500 sport 38961 Global (N) NEW SA
*Jun 8 15:47:09.060: ISAKMP: Created a peer struct for 212.183.128.0, peer port 38961
*Jun 8 15:47:09.060: ISAKMP: New peer created peer = 0x49633FB8 peer_handle = 0x80000011
*Jun 8 15:47:09.060: ISAKMP: Locking peer struct 0x49633FB8, refcount 1 for crypto_isakmp_process_block
*Jun 8 15:47:09.060: ISAKMP: local port 500, remote port 38961
*Jun 8 15:47:09.060: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 494827D4
*Jun 8 15:47:09.060: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 8 15:47:09.060: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Jun 8 15:47:09.060: ISAKMP:(0): processing SA payload. message ID = 0
*Jun 8 15:47:09.064: ISAKMP:(0): processing vendor id payload
*Jun 8 15:47:09.064: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch
*Jun 8 15:47:09.064: ISAKMP:(0): processing vendor id payload
*Jun 8 15:47:09.064: ISAKMP:(0): vendor ID is DPD
*Jun 8 15:47:09.064: ISAKMP:(0): processing vendor id payload
*Jun 8 15:47:09.064: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 8 15:47:09.064: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Jun 8 15:47:09.064: ISAKMP:(0): processing vendor id payload
*Jun 8 15:47:09.064: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jun 8 15:47:09.064: ISAKMP:(0): vendor ID is NAT-T v3
*Jun 8 15:47:09.064: ISAKMP:(0): processing vendor id payload
*Jun 8 15:47:09.064: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jun 8 15:47:09.064: ISAKMP:(0): vendor ID is NAT-T v2
*Jun 8 15:47:09.064: ISAKMP:(0): processing vendor id payload
*Jun 8 15:47:09.064: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*Jun 8 15:47:09.064: ISAKMP:(0): processing vendor id payload
*Jun 8 15:47:09.064: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
*Jun 8 15:47:09.064: ISAKMP:(0):found peer pre-shared key matching 212.183.128.0
*Jun 8 15:47:09.064: ISAKMP:(0): local preshared key found
*Jun 8 15:47:09.064: ISAKMP : Scanning profiles for xauth ...
*Jun 8 15:47:09.064: ISAKMP:(0):Checking ISAKMP transform 0 against priority 10 policy
*Jun 8 15:47:09.064: ISAKMP: life type in seconds
*Jun 8 15:47:09.064: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x53
*Jun 8 15:47:09.064: ISAKMP: encryption 3DES-CBC
*Jun 8 15:47:09.064: ISAKMP: hash SHA
*Jun 8 15:47:09.064: ISAKMP: auth pre-share
*Jun 8 15:47:09.068: ISAKMP: default group 2
*Jun 8 15:47:09.068: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 8 15:47:09.068: ISAKMP:(0):Acceptable atts:actual life: 0
*Jun 8 15:47:09.068: ISAKMP:(0):Acceptable atts:life: 0
*Jun 8 15:47:09.068: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jun 8 15:47:09.068: ISAKMP:(0):Fill atts in sa life_in_seconds:86355
*Jun 8 15:47:09.068: ISAKMP:(0):Returning Actual lifetime: 86355
*Jun 8 15:47:09.068: ISAKMP:(0)::Started lifetime timer: 86355.
*Jun 8 15:47:09.068: ISAKMP:(0): processing vendor id payload
*Jun 8 15:47:09.068: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch
*Jun 8 15:47:09.068: ISAKMP:(0): processing vendor id payload
*Jun 8 15:47:09.068: ISAKMP:(0): vendor ID is DPD
*Jun 8 15:47:09.068: ISAKMP:(0): processing vendor id payload
*Jun 8 15:47:09.068: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 8 15:47:09.068: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Jun 8 15:47:09.068: ISAKMP:(0): processing vendor id payload
*Jun 8 15:47:09.068: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jun 8 15:47:09.068: ISAKMP:(0): vendor ID is NAT-T v3
*Jun 8 15:47:09.068: ISAKMP:(0): processing vendor id payload
*Jun 8 15:47:09.068: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jun 8 15:47:09.068: ISAKMP:(0): vendor ID is NAT-T v2
*Jun 8 15:47:09.068: ISAKMP:(0): processing vendor id payload
*Jun 8 15:47:09.068: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*Jun 8 15:47:09.068: ISAKMP:(0): processing vendor id payload
*Jun 8 15:47:09.068: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
*Jun 8 15:47:09.068: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 8 15:47:09.072: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Jun 8 15:47:09.072: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jun 8 15:47:09.072: ISAKMP:(0): sending packet to 212.183.128.0 my_port 500 peer_port 38961 (R) MM_SA_SETUP
*Jun 8 15:47:09.076: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 8 15:47:09.076: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 8 15:47:09.076: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Jun 8 15:47:09.904: ISAKMP (0:0): received packet from 212.183.128.0 dport 500 sport 38961 Global (R) MM_SA_SETUP
*Jun 8 15:47:09.904: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 8 15:47:09.904: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Jun 8 15:47:09.908: ISAKMP:(0): processing KE payload. message ID = 0
*Jun 8 15:47:09.908: crypto_engine: Create DH shared secret
*Jun 8 15:47:09.968: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jun 8 15:47:09.968: ISAKMP:(0):found peer pre-shared key matching 212.183.128.0
*Jun 8 15:47:09.968: crypto_engine: Create IKE SA
*Jun 8 15:47:09.968: crypto engine: deleting DH phase 2 SW:13
*Jun 8 15:47:09.972: crypto_engine: Delete DH shared secret
*Jun 8 15:47:09.972: ISAKMP:received payload type 20
*Jun 8 15:47:09.972: ISAKMP (1009): His hash no match - this node outside NAT
*Jun 8 15:47:09.972: ISAKMP:received payload type 20
*Jun 8 15:47:09.972: ISAKMP (1009): His hash no match - this node outside NAT
fsvpn01#
*Jun 8 15:47:09.972: ISAKMP:(1009):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 8 15:47:09.972: ISAKMP:(1009):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Jun 8 15:47:09.972: ISAKMP:(1009): sending packet to 212.183.128.0 my_port 500 peer_port 38961 (R) MM_KEY_EXCH
*Jun 8 15:47:09.972: ISAKMP:(1009):Sending an IKE IPv4 Packet.
*Jun 8 15:47:09.972: ISAKMP:(1009):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 8 15:47:09.972: ISAKMP:(1009):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Jun 8 15:47:10.476: ISAKMP (0:1009): received packet from 212.183.128.0 dport 4500 sport 41556 Global (R) MM_KEY_EXCH
*Jun 8 15:47:10.476: crypto_engine: Decrypt IKE packet
*Jun 8 15:47:10.476: ISAKMP:(1009):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 8 15:47:10.476: ISAKMP:(1009):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Jun 8 15:47:10.480: ISAKMP:(1009): processing ID payload. message ID = 0
*Jun 8 15:47:10.480: ISAKMP (0:1009): ID payload
next-payload : 8
type : 1
address : 10.180.226.227
protocol : 0
port : 0
length : 12
*Jun 8 15:47:10.480: ISAKMP:(0):: peer matches *none* of the profiles
*Jun 8 15:47:10.480: ISAKMP:(1009): processing HASH payload. message ID = 0
*Jun 8 15:47:10.480: crypto_engine: Generate IKE hash
*Jun 8 15:47:10.480: ISAKMP:(1009):SA authentication status:
authenticated
*Jun 8 15:47:10.480: ISAKMP:(1009):SA has been authenticated with 212.183.128.0
*Jun 8 15:47:10.480: ISAKMP:(1009):Detected port floating to port = 41556
*Jun 8 15:47:10.484: ISAKMP: Trying to insert a peer 82.68.139.230/212.183.128.0/41556/, and inserted successfully 49633FB8.
*Jun 8 15:47:10.484: ISAKMP:(1009):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 8 15:47:10.484: ISAKMP:(1009):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Jun 8 15:47:10.484: ISAKMP:(1009):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jun 8 15:47:10.484: ISAKMP (0:1009): ID payload
next-payload : 8
type : 1
address : 82.68.139.230
protocol : 17
port : 0
length : 12
*Jun 8 15:47:10.484: ISAKMP:(1009):Total payload length: 12
*Jun 8 15:47:10.484: crypto_engine: Generate IKE hash
*Jun 8 15:47:10.484: crypto_engine: Encrypt IKE packet
*Jun 8 15:47:10.484: ISAKMP:(1009): sending packet to 212.183.128.0 my_port 4500 peer_port 41556 (R) MM_KEY_EXCH
*Jun 8 15:47:10.484: ISAKMP:(1009):Sending an IKE IPv4 Packet.
*Jun 8 15:47:10.488: ISAKMP:(1009):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 8 15:47:10.488: ISAKMP:(1009):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Jun 8 15:47:10.488: ISAKMP:(1009):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jun 8 15:47:10.488: ISAKMP:(1009):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jun 8 15:47:11.028: ISAKMP (0:1009): received packet from 212.183.128.0 dport 4500 sport 41556 Global (R) QM_IDLE
*Jun 8 15:47:11.028: ISAKMP: set new node -82134713 to QM_IDLE
*Jun 8 15:47:11.028: crypto_engine: Decrypt IKE packet
*Jun 8 15:47:11.028: crypto_engine: Generate IKE hash
*Jun 8 15:47:11.028: ISAKMP:(1009): processing HASH payload. message ID = -82134713
*Jun 8 15:47:11.028: ISAKMP:(1009): processing SA payload. message ID = -82134713
*Jun 8 15:47:11.028: ISAKMP:(1009):Checking IPSec proposal 0
*Jun 8 15:47:11.028: ISAKMP: transform 0, ESP_3DES
*Jun 8 15:47:11.028: ISAKMP: attributes in transform:
*Jun 8 15:47:11.028: ISAKMP: encaps is 3 (Tunnel-UDP)
*Jun 8 15:47:11.028: ISAKMP: SA life type in seconds
*Jun 8 15:47:11.028: ISAKMP: SA life duration (basic) of 7800
*Jun 8 15:47:11.028: ISAKMP: authenticator is HMAC-SHA
*Jun 8 15:47:11.028: ISAKMP:(1009):atts are acceptable.
*Jun 8 15:47:11.028: IPSEC(validate_proposal_request): proposal part #1
*Jun 8 15:47:11.028: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 82.68.139.230, remote= 212.183.128.0,
local_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.253.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun 8 15:47:11.028: Crypto mapdb : proxy_match
src addr : 192.168.2.0
dst addr : 192.168.253.0
protocol : 0
src port : 0
dst port : 0
*Jun 8 15:47:11.032: ISAKMP:(1009): processing NONCE payload. message ID = -82134713
*Jun 8 15:47:11.032: ISAKMP:(1009): processing ID payload. message ID = -82134713
*Jun 8 15:47:11.032: ISAKMP:(1009): processing ID payload. message ID = -82134713
*Jun 8 15:47:11.032: ISAKMP:(1009):QM Responder gets spi
*Jun 8 15:47:11.032: ISAKMP:(1009):Node -82134713, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jun 8 15:47:11.032: ISAKMP:(1009):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Jun 8 15:47:11.032: crypto_engine: Generate IKE hash
*Jun 8 15:47:11.032: crypto_engine: Generate IKE QM keys
*Jun 8 15:47:11.032: crypto_engine: Create IPSec SA (by keys)
*Jun 8 15:47:11.032: crypto_engine: Generate IKE QM keys
*Jun 8 15:47:11.032: crypto_engine: Create IPSec SA (by keys)
*Jun 8 15:47:11.032: ISAKMP:(1009): Creating IPSec SAs
*Jun 8 15:47:11.036: inbound SA from 212.183.128.0 to 82.68.139.230 (f/i) 0/ 0
(proxy 192.168.253.0 to 192.168.2.0)
*Jun 8 15:47:11.036: has spi 0x416A27D4 and conn_id 0
*Jun 8 15:47:11.036: lifetime of 7800 seconds
*Jun 8 15:47:11.036: outbound SA from 82.68.139.230 to 212.183.128.0 (f/i) 0/0
(proxy 192.168.2.0 to 192.168.253.0)
*Jun 8 15:47:11.036: has spi 0xAC050EA6 and conn_id 0
*Jun 8 15:47:11.036: lifetime of 7800 seconds
*Jun 8 15:47:11.036: crypto_engine: Encrypt IKE packet
*Jun 8 15:47:11.036: ISAKMP:(1009): sending packet to 212.183.128.0 my_port 4500 peer_port 41556 (R) QM_IDLE
*Jun 8 15:47:11.036: ISAKMP:(1009):Sending an IKE IPv4 Packet.
*Jun 8 15:47:11.040: ISAKMP:(1009):Node -82134713, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Jun 8 15:47:11.040: ISAKMP:(1009):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
*Jun 8 15:47:11.040: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun 8 15:47:11.040: Crypto mapdb : proxy_match
src addr : 192.168.2.0
dst addr : 192.168.253.0
protocol : 0
src port : 0
dst port : 0
fsvpn01#
*Jun 8 15:47:11.040: IPSEC(policy_db_add_ident): src 192.168.2.0, dest 192.168.253.0, dest_port 0
*Jun 8 15:47:11.040: IPSEC(create_sa): sa created,
(sa) sa_dest= 82.68.139.230, sa_proto= 50,
sa_spi= 0x416A27D4(1097476052),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2025
*Jun 8 15:47:11.040: IPSEC(create_sa): sa created,
(sa) sa_dest= 212.183.128.0, sa_proto= 50,
sa_spi= 0xAC050EA6(2886012582),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2026
*Jun 8 15:47:11.040: crypto engine: updating MTU size of IPSec SA NETGX:26
*Jun 8 15:47:11.040: crypto_engine: Set IPSec MTU
*Jun 8 15:47:11.608: ISAKMP (0:1009): received packet from 212.183.128.0 dport 4500 sport 41556 Global (R) QM_IDLE
*Jun 8 15:47:11.612: crypto_engine: Decrypt IKE packet
*Jun 8 15:47:11.612: crypto_engine: Generate IKE hash
*Jun 8 15:47:11.612: ISAKMP:(1009):deleting node -82134713 error FALSE reason "QM done (await)"
*Jun 8 15:47:11.612: ISAKMP:(1009):Node -82134713, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jun 8 15:47:11.612: ISAKMP:(1009):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Jun 8 15:47:11.612: IPSEC(key_engine): got a queue event with 1 KMI message(s)
fsvpn01#
*Jun 8 15:47:11.612: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Jun 8 15:47:11.612: IPSEC(key_engine_enable_outbound): enable SA with spi 2886012582/50
*Jun 8 15:47:11.612: IPSEC(update_current_outbound_sa): updated peer 212.183.128.0 current outbound sa to SPI AC050EA6
fsvpn01#
*Jun 8 15:47:49.925: ISAKMP:(1008):purging node 1396678721
*Jun 8 15:47:49.969: ISAKMP:(1008):purging node 1743028462
fsvpn01#
*Jun 8 15:47:59.973: ISAKMP:(1008):purging SA., sa=495D42AC, delme=495D42AC
fsvpn01#
*Jun 8 15:48:01.613: ISAKMP:(1009):purging node -82134713
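Reading the debug above, NAT-T is negotiated, the peer floats to UDP 4500, Phase 1 and Phase 2 both complete, and the Quick Mode proxies are 192.168.2.0/24 to 192.168.253.0/24, so the SA really is up and the question becomes whether the negotiated proxy pair is actually covered by the HQ crypto ACL. As an added example (not code from the thread or from Cisco), the Python script below parses a constructed excerpt of the posted debug plus the posted FSTILL01-vpn ACL and reports exactly those facts; the excerpt and ACL text are taken from the post and embedded inline so it runs offline.

```python
import ipaddress
import re

# Constructed excerpt of the HQ 'debug crypto isakmp/ipsec' output quoted in the thread.
DEBUG = """\
*Jun 8 15:47:09.064: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Jun 8 15:47:10.480: ISAKMP:(1009):Detected port floating to port = 41556
*Jun 8 15:47:10.488: ISAKMP:(1009):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
local_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.253.0/255.255.255.0/0/0 (type=4),
*Jun 8 15:47:11.612: ISAKMP:(1009):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
"""
# The HQ crypto ACL behind the dynamic map, as posted (IOS wildcard masks).
ACL = """\
permit ip 192.168.2.0 0.0.0.255 192.168.253.0 0.0.0.255
permit ip host 82.68.139.230 host 10.180.226.227
"""

def acl_net(spec):
    """'host A' or 'A WILDCARD' -> network (ipaddress accepts IOS-style hostmasks)."""
    a, b = spec.split()
    return ipaddress.ip_network(b if a == "host" else f"{a}/{b}", strict=False)

def parse_acl(text):
    """Return [(src_net, dst_net), ...] for each 'permit ip SRC DST' entry."""
    side = r"(host \S+|\S+ \S+)"
    return [(acl_net(s), acl_net(d)) for s, d in re.findall(rf"permit ip {side} {side}", text)]

def parse_debug(text):
    """Pull out NAT-T, port floating, phase completion and the Quick Mode proxy IDs."""
    port = re.search(r"port floating to port = (\d+)", text)
    proxy = {side: ipaddress.ip_network(f"{a}/{m}")
             for side, a, m in re.findall(r"(local|remote)_proxy= (\S+?)/(\S+?)/", text)}
    return {"nat_t": "vendor ID is NAT-T RFC 3947" in text,
            "floated_port": int(port.group(1)) if port else None,
            "phase1": "New State = IKE_P1_COMPLETE" in text,
            "phase2": "New State = IKE_QM_PHASE2_COMPLETE" in text, "proxy": proxy}

def proxy_permitted(acl, local, remote):
    """True if an ACL entry covers the negotiated proxy pair (src=local, dst=remote)."""
    return any(local.subnet_of(src) and remote.subnet_of(dst) for src, dst in acl)

def summarise(debug=DEBUG, acl=ACL):
    """One dict to eyeball: is the SA really up, and are its proxies in the crypto ACL?"""
    s = parse_debug(debug)
    s["proxy_in_acl"] = proxy_permitted(parse_acl(acl), s["proxy"]["local"], s["proxy"]["remote"])
    return s
```

Feed `summarise()` the full `debug crypto isakmp` / `debug crypto ipsec` capture and the ACL from `show ip access-lists`; a `proxy_in_acl` of False is the first place to look when the tunnel reports up but nothing flows.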