05-04-2018 02:36 AM - last edited on 03-25-2019 06:15 PM by ciscomoderator
Hello everybody,
I am facing some problems with an encrypted IPSec connection over a GRE tunnel.
Communication goes from R1 to R2, with an R-nat translating R2's private address.

( R1 ) ---------- INTERNET ---------- ( R-nat ) ------ LAN ------ ( R2 )
1.1.1.1                                2.2.2.2
tun66: 172.16.1.1                                          tun66: 172.16.1.2

Can somebody help me find where the problem is?
R1 Log messages:
May 4 08:33:22.314: ISAKMP (0): received packet from 2.2.2.2 dport 500 sport 500 Global (N) NEW SA
May 4 08:33:22.314: ISAKMP: Created a peer struct for 2.2.2.2, peer port 500
May 4 08:33:22.314: ISAKMP: New peer created peer = 0x8CCC95B4 peer_handle = 0x80000218
May 4 08:33:22.314: ISAKMP: Locking peer struct 0x8CCC95B4, refcount 1 for crypto_isakmp_process_block
May 4 08:33:22.314: ISAKMP: local port 500, remote port 500
May 4 08:33:22.314: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8CE1C7FC
May 4 08:33:22.314: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 4 08:33:22.314: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
May 4 08:33:22.314: ISAKMP:(0): processing SA payload. message ID = 0
May 4 08:33:22.314: ISAKMP:(0): processing vendor id payload
May 4 08:33:22.314: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
May 4 08:33:22.314: ISAKMP (0): vendor ID is NAT-T RFC 3947
May 4 08:33:22.314: ISAKMP:(0): processing vendor id payload
May 4 08:33:22.314: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
May 4 08:33:22.314: ISAKMP (0): vendor ID is NAT-T v7
May 4 08:33:22.314: ISAKMP:(0): processing vendor id payload
May 4 08:33:22.314: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
May 4 08:33:22.314: ISAKMP:(0): vendor ID is NAT-T v3
May 4 08:33:22.314: ISAKMP:(0): processing vendor id payload
May 4 08:33:22.314: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
May 4 08:33:22.314: ISAKMP:(0): vendor ID is NAT-T v2
May 4 08:33:22.314: ISAKMP:(0):found peer pre-shared key matching 2.2.2.2
May 4 08:33:22.314: ISAKMP:(0): local preshared key found
May 4 08:33:22.314: ISAKMP : Scanning profiles for xauth ... ciscocp-ike-profile-1
May 4 08:33:22.314: ISAKMP:(0): Authentication by xauth preshared
May 4 08:33:22.314: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
May 4 08:33:22.314: ISAKMP: encryption 3DES-CBC
May 4 08:33:22.314: ISAKMP: hash SHA
May 4 08:33:22.314: ISAKMP: default group 2
May 4 08:33:22.314: ISAKMP: auth pre-share
May 4 08:33:22.314: ISAKMP: life type in seconds
May 4 08:33:22.314: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 4 08:33:22.314: ISAKMP:(0):atts are acceptable. Next payload is 3
May 4 08:33:22.314: ISAKMP:(0):Acceptable atts:actual life: 86400
May 4 08:33:22.314: ISAKMP:(0):Acceptable atts:life: 0
May 4 08:33:22.314: ISAKMP:(0):Fill atts in sa vpi_length:4
May 4 08:33:22.314: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
May 4 08:33:22.318: ISAKMP:(0):Returning Actual lifetime: 86400
May 4 08:33:22.318: ISAKMP:(0)::Started lifetime timer: 86400.
May 4 08:33:22.318: ISAKMP:(0): processing vendor id payload
May 4 08:33:22.318: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
May 4 08:33:22.318: ISAKMP (0): vendor ID is NAT-T RFC 3947
May 4 08:33:22.318: ISAKMP:(0): processing vendor id payload
May 4 08:33:22.318: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
May 4 08:33:22.318: ISAKMP (0): vendor ID is NAT-T v7
May 4 08:33:22.318: ISAKMP:(0): processing vendor id payload
May 4 08:33:22.318: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
May 4 08:33:22.318: ISAKMP:(0): vendor ID is NAT-T v3
May 4 08:33:22.318: ISAKMP:(0): processing vendor id payload
May 4 08:33:22.318: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
May 4 08:33:22.318: ISAKMP:(0): vendor ID is NAT-T v2
May 4 08:33:22.318: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 4 08:33:22.318: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
May 4 08:33:22.318: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
May 4 08:33:22.318: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
May 4 08:33:22.318: ISAKMP:(0):Sending an IKE IPv4 Packet.
May 4 08:33:22.318: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 4 08:33:22.318: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
May 4 08:33:22.338: ISAKMP (0): received packet from 2.2.2.2 dport 500 sport 500 Global (R) MM_SA_SETUP
May 4 08:33:22.338: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 4 08:33:22.338: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
May 4 08:33:22.338: ISAKMP:(0): processing KE payload. message ID = 0
May 4 08:33:22.410: ISAKMP:(0): processing NONCE payload. message ID = 0
May 4 08:33:22.410: ISAKMP:(0):found peer pre-shared key matching 2.2.2.2
May 4 08:33:22.410: ISAKMP:(2076): processing vendor id payload
May 4 08:33:22.410: ISAKMP:(2076): vendor ID is DPD
May 4 08:33:22.410: ISAKMP:(2076): processing vendor id payload
May 4 08:33:22.410: ISAKMP:(2076): speaking to another IOS box!
May 4 08:33:22.410: ISAKMP:(2076): processing vendor id payload
May 4 08:33:22.410: ISAKMP:(2076): vendor ID seems Unity/DPD but major 57 mismatch
May 4 08:33:22.410: ISAKMP:(2076): vendor ID is XAUTH
May 4 08:33:22.410: ISAKMP:received payload type 20
May 4 08:33:22.410: ISAKMP (2076): His hash no match - this node outside NAT
May 4 08:33:22.410: ISAKMP:received payload type 20
May 4 08:33:22.410: ISAKMP (2076): His hash no match - this node outside NAT
May 4 08:33:22.410: ISAKMP:(2076):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 4 08:33:22.410: ISAKMP:(2076):Old State = IKE_R_MM3 New State = IKE_R_MM3
May 4 08:33:22.414: ISAKMP:(2076): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
May 4 08:33:22.414: ISAKMP:(2076):Sending an IKE IPv4 Packet.
May 4 08:33:22.414: ISAKMP:(2076):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 4 08:33:22.414: ISAKMP:(2076):Old State = IKE_R_MM3 New State = IKE_R_MM4
R1 Configs:
crypto ipsec transform-set ipsec-prop-vpn-5963ee69-1 esp-aes esp-sha-hmac
 mode tunnel
!
crypto keyring KR_1
 pre-shared-key address 2.2.2.2 key testtest
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto ipsec profile Profile-1
 set transform-set ipsec-prop-vpn-5963ee69-1
 set pfs group2
!
interface Tunnel66
 description TUNEL R37
 ip address 172.16.1.1 255.255.255.252
 ip mtu 1400
 ip virtual-reassembly in
 ip tcp adjust-mss 1360
 tunnel source FastEthernet4
 tunnel mode ipsec ipv4
 tunnel destination 2.2.2.2
 tunnel protection ipsec profile Profile-1
R2 Configs:
crypto ipsec transform-set ipsec-prop-vpn-5963ee69-1 esp-aes esp-sha-hmac
 mode tunnel
!
crypto keyring KR_1
 pre-shared-key address 1.1.1.1 key testtest
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto ipsec profile Profile-1
 set transform-set ipsec-prop-vpn-5963ee69-1
 set pfs group2
!
interface Tunnel66
 description TUNEL R37
 ip address 172.16.1.2 255.255.255.252
 ip mtu 1400
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Profile-1
05-04-2018 03:01 AM
Hi Raul,
I think you have 2 options:
Remove your keyring and just specify the key and peer IP address:
crypto isakmp key cisco123456 address 0.0.0.0 0.0.0.0
or create an ISAKMP profile that references your keyring and add an identity to match:
crypto isakmp profile ISAKMP_PROFILE
 keyring KR_1
 match identity address 0.0.0.0
HTH
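A worked version of the second option above, written out as an added example rather than configuration taken from the thread. It touches R1 only: R2 keys on 1.1.1.1, which is R1's real address, so the posted R2 side needs no change for this. The address 192.0.2.10 used for R2's LAN-side (pre-NAT) interface is an assumption; the thread does not give it.

```cisco
! R1 only. Added example, not configuration posted in the thread.
!
! Keyring: the PSK stays bound to 2.2.2.2, the R-nat public address that R1
! sees as the IKE source. The posted debug already shows
! "found peer pre-shared key matching 2.2.2.2", so key lookup itself works.
crypto keyring KR_1
 pre-shared-key address 2.2.2.2 key testtest
!
! ISAKMP profile: ties the keyring to the IKE identity R1 will accept.
! R2 sits behind R-nat, so the ID payload it sends in main mode carries its
! own (private) interface address, not 2.2.2.2.
crypto isakmp profile ISAKMP_PROFILE
 keyring KR_1
 ! ASSUMPTION: 192.0.2.10 is R2's LAN-side address (not given in the thread).
 ! Matching it exactly is the tightest choice.
 match identity address 192.0.2.10 255.255.255.255
 ! If R2's private address is unknown or may change, use the wildcard from the
 ! reply instead. Any identity is then accepted; authentication still rests on
 ! the PSK bound to 2.2.2.2:
 !   match identity address 0.0.0.0
!
! Bind the ISAKMP profile to the IPsec profile that protects Tunnel66.
crypto ipsec profile Profile-1
 set transform-set ipsec-prop-vpn-5963ee69-1
 set pfs group2
 set isakmp-profile ISAKMP_PROFILE
!
! Checks after the change:
!   show crypto isakmp sa        (peer 2.2.2.2 should reach QM_IDLE)
!   show crypto ipsec sa         (encaps/decaps counters should increment)
!   show crypto isakmp profile   (confirm which profile the peer matched)
```

Two things to check before applying this. First, the posted debug line "Scanning profiles for xauth ... ciscocp-ike-profile-1" shows that R1 already has an ISAKMP profile by that name which does not appear in the posted config; IOS picks the profile whose match identity fits the peer, so make sure the new profile's match does not overlap with the existing one, or the peer may keep landing in the wrong profile. Second, the first option in the reply, a single key for address 0.0.0.0 0.0.0.0, lets any host that knows that key authenticate as a peer; it is acceptable when R2 is the only peer, but the profile form above keeps the key bound to one address and is the safer choice if other tunnels terminate on R1.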