12-17-2015 04:28 AM - edited 02-21-2020 08:35 PM
I'm trying to configure a VPN connection between an AWS VPC and a Cisco IOS router (2801).
I am unable to get the tunnel up, and there are errors during ISAKMP. I previously had a working IPSec tunnel between the device and AWS, but after some ISP / connection changes I am no longer able to. Here are the errors I get when connecting to the AWS gateway 54.1.1.1 (redacted).
*Dec 17 11:54:37.284: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Dec 17 11:54:37.284: ISAKMP:(0:0:N/A:0): sending packet to 54.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 17 11:54:37.608: ISAKMP (0:0): received packet from 54.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Dec 17 11:54:37.608: ISAKMP: Error: payload length of VENDOR 0 < 4
*Dec 17 11:54:37.608: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 54.1.1.1 failed its sanity check or is malformed
*Dec 17 11:54:37.024: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: PAYLOAD_MALFORMED
*Dec 17 11:54:37.024: ISAKMP:(0:0:N/A:0): sending packet to 54.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 17 11:54:37.024: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
*Dec 17 11:54:38.024: ISAKMP:(0:0:N/A:0): no outgoing phase 1 packet to retransmit. MM_NO_STATE
I initially thought that the VENDOR 0 < 4 error might be related to https://quickview.cloudapps.cisco.com/quickview/bug/CSCee74283 - however, my firmware is not affected:
# sh ver
Cisco IOS Software, 2801 Software, Version 12.4(25c), RELEASE SOFTWARE (fc2)
...
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
My config (generated in AWS; the PSK is copied and pasted from the generated config, so I would assume there's no discrepancy there).
crypto keyring keyring-vpn-0
local-address 196.1.1.1
pre-shared-key address 54.1.1.1 key XXX
!
crypto isakmp policy 200
encr aes 128
authentication pre-share
group 2
lifetime 28800
hash sha
crypto isakmp keepalive 10 10
crypto isakmp profile isakmp-vpn-0
keyring keyring-vpn-0
match identity address 54.1.1.1 255.255.255.255
local-address 196.1.1.1
!
crypto ipsec security-association replay window-size 128
crypto ipsec transform-set ipsec-prop-0 esp-aes 128 esp-sha-hmac
mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile ipsec-vpn-0
set transform-set ipsec-prop-vpn-0
set security-association lifetime seconds 3600
set pfs group2
!
crypto ipsec fragmentation before-encryption
!
interface Tunnel1
ip address 169.1.1.1 255.255.255.252
ip virtual-reassembly
ip tcp adjust-mss 1387
tunnel source 196.1.1.1
tunnel destination 54.1.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-vpn-0
!
interface FastEthernet0/0
ip address 196.1.1.1 255.255.255.240
ip access-group ExternalPublicToWAN in
ip mtu 1492
ip nat outside
ip inspect INTERNET_OUT out
ip virtual-reassembly
duplex auto
speed auto
Any ideas as to why these errors are occurring / why the tunnel isn't coming up, and how to fix it?
12-17-2015 04:16 PM
Hi brettcave,
Based on the debugs, it looks like the other end is not replying or receiving this information; you mentioned you had some ISP / connection changes.
I would check if the VPN ports UDP 500 and UDP 4500 are allowed and the routing is correct.
Hope it helps
-Randy-
12-17-2015 11:31 PM
Turns out the issue was having NAT-T enabled. I noticed logs like this just prior to "beginning Main Mode exchange":
*Dec 18 07:17:35.052: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Dec 18 07:17:35.052: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 54.1.1.1
*Dec 18 07:17:35.052: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Dec 18 07:17:35.052: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Dec 18 07:17:35.052: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Dec 18 07:17:35.052: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Dec 18 07:17:35.052: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
So then:
no crypto ipsec nat-transparency udp-encapsulation
Restarted the tunnel interface, and the tunnel came up.
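To make the sanity check behind the "payload length of VENDOR 0 < 4" debug line concrete, here is an added example (not from this thread or from Cisco): a minimal RFC 2408 payload-chain walker in Python that applies the same rule IOS does, run over a constructed responder reply that carries vendor ID payloads, once well-formed and once with one length field zeroed. The cookies, vendor ID bytes and SA body are made-up sample data.

```python
import struct

ISAKMP_HDR_LEN = 28    # RFC 2408 fixed header
GENERIC_HDR_LEN = 4    # next payload (1), reserved (1), payload length (2)
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VENDOR", 20: "NAT-D"}

def walk_payloads(pkt):
    """Walk one ISAKMP packet's payload chain. Returns (payloads, error): the
    (name, body) pairs parsed so far and None or an IOS-style error message."""
    if len(pkt) < ISAKMP_HDR_LEN:
        return [], "packet shorter than ISAKMP header"
    next_payload = pkt[16]
    total_len = struct.unpack("!I", pkt[24:28])[0]
    if total_len != len(pkt):
        return [], f"header length {total_len} != packet length {len(pkt)}"
    off, payloads = ISAKMP_HDR_LEN, []
    while next_payload != 0:
        name = PAYLOAD_NAMES.get(next_payload, f"TYPE{next_payload}")
        if off + GENERIC_HDR_LEN > len(pkt):
            return payloads, f"truncated {name} payload header"
        nxt, _reserved, plen = struct.unpack("!BBH", pkt[off:off + GENERIC_HDR_LEN])
        # The length field includes the 4-byte generic header, so a value below 4 can
        # never be valid: this is what IOS reports as "payload length of VENDOR 0 < 4".
        if plen < GENERIC_HDR_LEN:
            return payloads, f"payload length of {name} {plen} < {GENERIC_HDR_LEN}"
        if off + plen > len(pkt):
            return payloads, f"{name} payload length {plen} overruns packet"
        payloads.append((name, pkt[off + GENERIC_HDR_LEN:off + plen]))
        off, next_payload = off + plen, nxt
    return payloads, None

def build_packet(payloads):
    """Build a Main Mode ISAKMP packet from (type_id, body, length_override) tuples;
    override None writes the correct length, any other value is written verbatim."""
    body = b""
    for i, (_ptype, data, override) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        plen = len(data) + GENERIC_HDR_LEN if override is None else override
        body += struct.pack("!BBH", nxt, 0, plen) + data
    first = payloads[0][0] if payloads else 0
    # cookies, first payload type, version 1.0, exchange 2 (Main Mode), flags, msg id, length
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first, 0x10, 2, 0, 0,
                      ISAKMP_HDR_LEN + len(body))
    return hdr + body

# Constructed sample: a responder MM reply carrying an SA payload and two vendor ID
# payloads (bytes made up); BAD is the same packet with one length field zeroed.
SA_BODY = b"\x00\x00\x00\x01" + b"\x00" * 8
GOOD = build_packet([(1, SA_BODY, None), (13, b"\xaa" * 16, None), (13, b"\xbb" * 16, None)])
BAD = build_packet([(1, SA_BODY, None), (13, b"\xaa" * 16, 0), (13, b"\xbb" * 16, None)])
```

Running `walk_payloads` over a real capture of the responder's first reply shows which payload trips the check, which is the quickest way to tell a NAT-T vendor ID problem like this one from a blocked UDP 500/4500 path.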