08-02-2012 11:23 AM - edited 02-21-2020 06:14 PM
I am doing a site-to-site VPN for the first time on an 891 to an RV 120 (GUI), but it doesn't connect. I'm thinking it might be my access list on the 891. The error that I get in the RV120 is
2012-08-02 18:15:35: [rv120w][IKE] ERROR: Phase 1 negotiation failed due to time up for xx.xx.xx.xx[500]. ea65b6c91b9e73de:0000000000000000
2012-08-02 18:16:11: [rv120w][IKE] INFO: Configuration found for xx.xx.xx.xx.
2012-08-02 18:16:11: [rv120w][IKE] INFO: Initiating new phase 1 negotiation: xx.xx.xx.xx[500]<=>xx.xx.xx.xx[500]
2012-08-02 18:16:11: [rv120w][IKE] INFO: Beginning Identity Protection mode.
2012-08-02 18:16:11: [rv120w][IKE] INFO: [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
2012-08-02 18:16:11: [rv120w][IKE] INFO: [ident_i1send:184]: XXX: setting vendorid: 4
2012-08-02 18:16:11: [rv120w][IKE] INFO: [ident_i1send:184]: XXX: setting vendorid: 8
2012-08-02 18:16:11: [rv120w][IKE] INFO: [ident_i1send:184]: XXX: setting vendorid: 9
2012-08-02 18:16:11: [rv120w][IKE] ERROR: Ignore information because the message has no hash payload.
2012-08-02 18:16:42: [rv120w][IKE] ERROR: Invalid SA protocol type: 0
2012-08-02 18:16:42: [rv120w][IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1.
2012-08-02 18:17:00: [rv120w][IKE] INFO: accept a request to establish IKE-SA: 71.32.110.24
2012-08-02 18:17:00: [rv120w][IKE] WARNING: schedular is already scheduled for SA creation for remote: "xx.xx.xx.xx"
2012-08-02 18:17:00: [rv120w][IKE] ERROR: Failed to attach schedSaCreate in IKE configuraion
891 config
=====================================================
ip dhcp pool test
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 8.8.8.8 8.8.4.4
!
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
!
crypto isakmp policy 1
authentication pre-share
group 2
lifetime 28800
crypto isakmp key Testingkey address xx.xx.xx.xxx
!
!
crypto ipsec transform-set test1 ah-md5-hmac esp-3des
!
crypto map maptest1 2 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set test1
match address 100
!
!
interface FastEthernet8
description qwest connection
no ip address
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
crypto map maptest1
!
!
interface Vlan1
description quest
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxx
ppp chap password 0 xxxxxxxx
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark maptest1 category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 100 protocol ip permit
=======================================================================
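As an added example (not part of the original post, and not Cisco or RV120 code), here is a small parser for the RV120 IKE log format shown above. It reports whether the negotiation is stalling in IKE phase 1 or in phase 2, which is the first question to settle before touching either side's configuration. The sample records are constructed from the excerpts in this thread, with the public addresses replaced by RFC 5737 documentation addresses; the last two records of the first sample are deliberately run together on one line, as the device printed them.

```python
"""Classify RV120-style IKE log records by the negotiation phase in which they fail."""
import re
from dataclasses import dataclass

# Constructed sample data modelled on the RV120 log excerpts posted in this thread.
# Public addresses are replaced by RFC 5737 documentation ranges. The WARNING/ERROR
# pair at the end shares one line, exactly as in the original post.
LOG_PHASE1_STUCK = (
    "2012-08-02 18:15:35: [rv120w][IKE] ERROR: Phase 1 negotiation failed due to time up for 203.0.113.24[500]. ea65b6c91b9e73de:0000000000000000\n"
    "2012-08-02 18:16:11: [rv120w][IKE] INFO: Configuration found for 203.0.113.24.\n"
    "2012-08-02 18:16:11: [rv120w][IKE] INFO: Initiating new phase 1 negotiation: 198.51.100.134[500]<=>203.0.113.24[500]\n"
    "2012-08-02 18:16:11: [rv120w][IKE] ERROR: Ignore information because the message has no hash payload.\n"
    "2012-08-02 18:16:42: [rv120w][IKE] ERROR: Invalid SA protocol type: 0\n"
    "2012-08-02 18:16:42: [rv120w][IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1.\n"
    '2012-08-02 18:17:00: [rv120w][IKE] WARNING: schedular is already scheduled for SA creation for remote: "203.0.113.24"'
    "2012-08-02 18:17:00: [rv120w][IKE] ERROR: Failed to attach schedSaCreate in IKE configuraion\n"
)

LOG_PHASE2_STUCK = (
    "2012-08-08 16:12:33: [rv120w][IKE] INFO: Configuration found for 203.0.113.24.\n"
    "2012-08-08 16:12:33: [rv120w][IKE] INFO: Initiating new phase 2 negotiation: 198.51.100.134[500]<=>203.0.113.24[0]\n"
    "2012-08-08 16:12:33: [rv120w][IKE] ERROR: Unknown notify message from 203.0.113.24[500].No phase2 handle found.\n"
    "2012-08-08 16:13:33: [rv120w][IKE] ERROR: Phase 2 negotiation failed due to time up. 3ac11d27fb281bf1:6b11f2ee9470918b:e4bbd59c\n"
    "2012-08-08 16:13:33: [rv120w][IKE] INFO: an undead schedule has been deleted: 'quick_i1prep'.\n"
)

TIMESTAMP = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
# A record ends at a newline, at the start of the next record (fused lines), or at EOF.
RECORD = re.compile(
    rf"(?P<ts>{TIMESTAMP}): \[(?P<dev>\w+)\]\[(?P<sub>\w+)\] (?P<level>INFO|WARNING|ERROR): "
    rf"(?P<msg>.*?)(?=\n|{TIMESTAMP}: \[|\Z)",
    re.S,
)

PHASE1_FAIL = re.compile(r"Phase 1 negotiation failed|waiting for phase1", re.I)
PHASE2_FAIL = re.compile(r"Phase 2 negotiation failed|No phase2 handle found", re.I)


@dataclass
class Record:
    ts: str
    level: str
    msg: str


def parse_log(text):
    """Split raw log text into records, tolerating records that share a line."""
    return [Record(m["ts"], m["level"], m["msg"].strip()) for m in RECORD.finditer(text)]


def diagnose(records):
    """Return 'phase1', 'phase2' or 'ok' according to where the negotiation stalls.

    A phase 2 timeout 'waiting for phase1' means no ISAKMP SA ever came up, so it is
    a phase 1 symptom and is checked first: compare the IKE policy on both peers
    (hash, DH group, encryption, pre-shared key). A phase 2 failure with phase 1
    complete points at the IPsec side instead: transform set, PFS, protected subnets.
    """
    errors = [r for r in records if r.level == "ERROR"]
    if any(PHASE1_FAIL.search(r.msg) for r in errors):
        return "phase1"
    if any(PHASE2_FAIL.search(r.msg) for r in errors):
        return "phase2"
    return "ok"


def summarize(text):
    records = parse_log(text)
    return {
        "records": len(records),
        "errors": sum(r.level == "ERROR" for r in records),
        "stuck_at": diagnose(records),
    }


if __name__ == "__main__":
    for name, text in (("first post", LOG_PHASE1_STUCK), ("08-08 post", LOG_PHASE2_STUCK)):
        print(name, summarize(text))
```

Run on the two excerpts, the first sample is classified as a phase 1 problem and the second (posted later in the thread, after the 891 had reached QM_IDLE) as a phase 2 problem, which matches the way the troubleshooting in this thread actually progressed.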
08-08-2012 05:32 PM
Hi Manny,
Thanks for the debug output! I believe we're making some progress and were able to establish IKE phase 1. The problem now is to establish the IPsec SA, or IKE phase 2. Could you do the following one more time and post the results?
int f8
no crypto map maptest1
int d1
crypto map maptest1
clear crypto sa
debug crypto isakmp
debug crypto ipsec
show crypto isakmp sa
show crypto ipsec sa
Sent from Cisco Technical Support iPhone App
08-02-2012 11:48 AM
Hello Manny,
Can you change the nat configuration:
ip access-list extended nat
deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
no ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list nat interface Dialer1 overload
Also can you do the following on the router after you generate traffic for the VPN
sh crypto isakmp sa
debug crypto isakmp
debug crypto ipsec
And provide us the results.
The configuration on the Remote site related to the VPN stuff will be a plus.
Regards,
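As an added example (not part of this post, and a model rather than Cisco code), here is a small Python check of the reasoning behind the NAT change above. IOS performs inside-to-outside NAT before the crypto map check, so a flow that matches both the NAT ACL and the crypto ACL is translated to the Dialer address, no longer matches access-list 100, and leaves the router unencrypted. The script parses the NAT and crypto ACL lines from the 891 configuration posted in this thread (before and after the suggested change, with IOS indentation restored) and reports any flow that the crypto ACL would protect but the NAT ACL would translate first. The test flows are constructed.

```python
"""Check that VPN traffic is exempted from NAT on an IOS router (small ACL model)."""
import ipaddress
from dataclasses import dataclass, field

ANY = ipaddress.IPv4Network("0.0.0.0/0")

# Constructed samples: NAT and crypto ACL lines from the 891 config posted in this
# thread, before and after the NAT exemption suggested in this post.
CONFIG_BEFORE = """\
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
CONFIG_AFTER = """\
ip nat inside source list nat interface Dialer1 overload
ip access-list extended nat
 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
# Constructed test flows: one that belongs in the tunnel, one plain internet flow.
FLOWS = [("10.10.10.6", "192.168.1.100"), ("10.10.10.6", "8.8.8.8")]


@dataclass
class Ace:
    permit: bool
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class Config:
    acls: dict = field(default_factory=dict)  # ACL name/number -> [Ace]
    nat_list: str = ""                        # ACL named by 'ip nat inside source list'


def _take_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W' or a bare host."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    if tokens and tokens[0].count(".") == 3:
        # ipaddress accepts an IOS wildcard as a host mask, as long as it is contiguous.
        return ipaddress.IPv4Network(f"{tok}/{tokens.pop(0)}")
    return ipaddress.IPv4Network(tok + "/32")


def _parse_ace(tokens):
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        return None  # 'remark' and anything unrecognised is ignored
    if tokens and tokens[0] == "ip":
        tokens.pop(0)  # this model only understands protocol 'ip' (no ports)
    src = _take_addr(tokens)
    dst = _take_addr(tokens) if tokens else ANY  # standard ACLs match on source only
    return Ace(action == "permit", src, dst)


def parse_config(text):
    cfg, current = Config(), None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[0] in ("permit", "deny", "remark") and current is not None:
            ace = _parse_ace(tokens)  # entry of the named ACL being defined
            if ace:
                cfg.acls.setdefault(current, []).append(ace)
            continue
        current = None
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = tokens[3]
            cfg.acls.setdefault(current, [])
        elif tokens[0] == "access-list":
            ace = _parse_ace(tokens[2:])
            if ace:
                cfg.acls.setdefault(tokens[1], []).append(ace)
        elif tokens[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg.nat_list = tokens[5]
    return cfg


def evaluate(aces, src, dst):
    """First-match semantics with IOS's implicit deny at the end of every ACL."""
    for ace in aces:
        if src in ace.src and dst in ace.dst:
            return ace.permit
    return False


def translated(cfg, src, dst):
    """Would inside-to-outside NAT translate this flow?"""
    return evaluate(cfg.acls.get(cfg.nat_list, []),
                    ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst))


def nat_exemption_problems(cfg, crypto_acl, flows):
    """Flows the crypto ACL should protect but the NAT ACL would translate first.

    NAT runs before the crypto map check, so such a flow is PATed to the Dialer
    address, stops matching the crypto ACL, and never triggers the tunnel.
    """
    crypto = cfg.acls.get(crypto_acl, [])
    return [(s, d) for s, d in flows
            if evaluate(crypto, ipaddress.IPv4Address(s), ipaddress.IPv4Address(d))
            and translated(cfg, s, d)]


if __name__ == "__main__":
    for label, text in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, nat_exemption_problems(parse_config(text), "100", FLOWS))
```

With the original `access-list 1`, the 10.10.10.6 to 192.168.1.100 flow is flagged; with the named `nat` ACL and its leading deny, it is not, while ordinary internet traffic from 10.10.10.0/24 is still translated.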
08-02-2012 01:30 PM
NAT configuration changed... still not working. Thanks for the help.
891 router
==============================================
crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
xx.xx.xx.24 xx.xx.xx.134 QM_IDLE 2057 ACTIVE
IPv6 Crypto ISAKMP SA
==================================================
08-03-2012 10:17 AM
Hi Manny,
Could you re-configure your IKE phase 1 and 2 policies on the 891 as below?
crypto isakmp policy 1
hash md5
no crypto ipsec transform-set test1 ah-md5-hmac esp-3des
crypto ipsec transform-set test1 esp-md5-hmac esp-3des
Sent from Cisco Technical Support iPhone App
08-03-2012 11:26 AM
Changes made but still nothing...
=========================
Current running config 891
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key Testingkey address xx.xx.xx.134
!
!
crypto ipsec transform-set test1 esp-3des esp-md5-hmac
!
crypto map maptest1 2 ipsec-isakmp
set peer xx.xx.xx.134
set transform-set test1
match address 100
!
interface FastEthernet8
description qwest connection
no ip address
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
crypto map maptest1
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxx
ppp chap password 0 xxxxxxx
!
ip nat inside source list nat interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended nat
deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark maptest1 category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 100 protocol ip permit
=============================
=========================================================
RV 120 log
2012-08-03 17:56:23: [rv120w][IKE] WARNING: schedular is already scheduled for SA creation for remote: "xx.xx.xx.24"
2012-08-03 17:56:23: [rv120w][IKE] ERROR: Failed to attach schedSaCreate in IKE configuraion
2012-08-03 17:56:52: [rv120w][IKE] INFO: Configuration found for xx.xx.xx.24.
2012-08-03 17:56:52: [rv120w][IKE] INFO: Initiating new phase 1 negotiation: xx.xx.xx.134[500]<=>xx.xx.xx.24[500]
2012-08-03 17:56:52: [rv120w][IKE] INFO: Beginning Identity Protection mode.
2012-08-03 17:56:52: [rv120w][IKE] INFO: [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
2012-08-03 17:56:52: [rv120w][IKE] INFO: [ident_i1send:184]: XXX: setting vendorid: 4
2012-08-03 17:56:52: [rv120w][IKE] INFO: [ident_i1send:184]: XXX: setting vendorid: 8
2012-08-03 17:56:52: [rv120w][IKE] INFO: [ident_i1send:184]: XXX: setting vendorid: 9
2012-08-03 17:56:52: [rv120w][IKE] ERROR: Ignore information because the message has no hash payload.
2012-08-03 17:57:23: [rv120w][IKE] ERROR: Invalid SA protocol type: 0
2012-08-03 17:57:23: [rv120w][IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1.
2012-08-03 17:57:37: [rv120w][IKE] INFO: accept a request to establish IKE-SA: xx.xx.xx.24
===========================================================
ROUTER 891
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
71.32.110.24 97.77.166.134 MM_NO_STATE 0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
-------------------------------------------------------
debug crypto isakmp
Crypto ISAKMP debugging is on
-------------------------------------------------------
debug crypto ipsec
Crypto IPSEC debugging is on
But nothing else comes out, and I don't know how to see the log on the 891 to see the errors.
08-03-2012 05:55 PM
Hi Manny,
Could you do:
int f8
no crypto map maptest1
int d1
crypto map maptest1
clear crypto isakmp sa
Ping from an internal host/PC behind the 891 and post your results.
Sent from Cisco Technical Support iPhone App
08-05-2012 10:14 AM
Changes were made...
891 router
ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
-------------------------------------------------------------------
host
PING 192.168.1.1 (192.168.1.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
^C
--- 192.168.1.1 ping statistics ---
7 packets transmitted, 0 packets received, 100.0% packet loss
Thank you guys, I appreciate the help...
--------------------
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
--------------------
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxx
ppp chap password 0 xxxxxxxx
crypto map maptest1
----------------------
interface FastEthernet8
description qwest connection
no ip address
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
08-05-2012 11:50 PM
Hi Manny,
Thanks for the update! Could you roll back your config and put back the crypto map under FE8 and post again your complete show run (hide sensitive info)?
Sent from Cisco Technical Support iPhone App
08-06-2012 04:11 PM
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
service-module wlan-ap 0 bootimage autonomous
!
!
ip source-route
!
!
!
ip dhcp pool test
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 8.8.8.8 8.8.4.4
!
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key Testingkey address xx.xx.xx.134
!
!
crypto ipsec transform-set test1 esp-3des esp-md5-hmac
!
crypto map maptest1 2 ipsec-isakmp
set peer xx.xx.xx.134
set transform-set test1
match address 100
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
description qwest connection
no ip address
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
crypto map maptest1
!
interface GigabitEthernet0
description roadrunner connection
no ip address
shutdown
duplex auto
speed auto
!
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description quest
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan2
description roadrunner
no ip address
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxx
ppp chap password 0 xxxxxx
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list nat interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended nat
deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark maptest1 category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 100 protocol ip permit
!
!
control-plane
Here is my current sh run... thanks John.
08-06-2012 05:31 PM
Hi Manny,
Thanks for the update! I'm suspecting the issue might be on the RV router which hinders IKE phase 1 from establishing.
Could you check whether it has PFS (Perfect Forward Secrecy) enabled?
Sent from Cisco Technical Support iPhone App
08-06-2012 05:56 PM
Yes it is enabled
08-06-2012 10:05 PM
Could you disable/uncheck it on the RV router and try to generate VPN traffic from internal hosts?
Sent from Cisco Technical Support iPhone App
08-07-2012 02:35 PM
John,
It didn't work. Do I need to do something additional to the Cisco 891 router when I disable PFS on the RV router?
08-07-2012 07:51 PM
Hi Manny,
could you add this on the 891:
crypto isakmp policy 1
encryption 3des
Kindly perform VPN testing this time from behind the RV router by pinging from a host on the 192.168.1.0/24 subnet, and post the following results from the 891 router:
clear crypto isakmp sa
show crypto isakmp sa
debug crypto isakmp
08-08-2012 09:39 AM
Changes made...
---------------------------------------------------
RV router log
2012-08-08 16:12:33: [rv120w][IKE] INFO: Configuration found for xx.xx.xx.24.
2012-08-08 16:12:33: [rv120w][IKE] INFO: Initiating new phase 2 negotiation: xx.xx.xx.134[500]<=>xx.xx.xx.24[0]
2012-08-08 16:12:33: [rv120w][IKE] ERROR: Unknown notify message from xx.xx.xx.24[500].No phase2 handle found.
2012-08-08 16:13:33: [rv120w][IKE] ERROR: Phase 2 negotiation failed due to time up. 3ac11d27fb281bf1:6b11f2ee9470918b:e4bbd59c
2012-08-08 16:13:33: [rv120w][IKE] INFO: an undead schedule has been deleted: 'quick_i1prep'.
-----------------------------------------------------------------------------
host 10.10.10.6
PING 192.168.1.100 (192.168.1.100): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
Request timeout for icmp_seq 6
----------------------------------------------------------------------------
cisco router
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
xx.xx.xx.24 xx.xx.xx.134 QM_IDLE 2059 ACTIVE
IPv6 Crypto ISAKMP SA
#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
#ping 192.168.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
-----------------------------------------------------------------------------
host 192.168.1.100
Pinging 10.10.10.6 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.10.10.6:
Packets: Sent = 4, Received = 0, Lost = 4 (100% Loss),
-------------------------------------------------------------------------------
Crypto ISAKMP debugging is on
But nothing happens even if I ping while ISAKMP debugging is on... any suggestions on how I can see the debugging?