IPSEC TUNNEL (Show IPSEC SA output issue)

ijlal.farooqi
Level 1

Dear Fellows,

I am trying to establish a tunnel on my Cisco router but seem to be making some mistake. Please do review and let me know where I am going wrong. I have also appended the #sh crypto isakmp and #sh crypto ipsec sa output after trying to ping.

My configuration is as follows:

!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Cisco address 198.X.X.X
crypto isakmp xauth timeout 80
!
!
crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
!
!
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 198.X.X.X
 set transform-set myset1
 match address 100
!
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 125.X.X.X 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map MYMAP
!
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 no ip
!
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list ISLC interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 125.209.X.X (gateway)
ip route 125.209.X.X 255.255.255.248 GigabitEthernet0/0
ip route 192.168.0.0 255.255.255.0 GigabitEthernet0/1
ip route 194.X.X.X 255.255.255.252 GigabitEthernet0/0
!
ip access-list standard ISLC
 permit any
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 194.117.X.X 0.0.0.3
!

#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
194.39.131.178  125.209.123.172 QM_IDLE           1001 ACTIVE

#sh crypto ipsec sa
interface: GigabitEthernet0/0
    Crypto map tag: MYMAP, local addr 125.209.123.172

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (194.117.106.128/255.255.255.252/0/0)
   current_peer 194.39.131.178 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 125.209.123.172, remote crypto endpt.: 194.39.131.178
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Below is the requirement from the remote end user:

Mandatory IPSec Features (for the Internet VPN option)

• Encapsulating Security Protocol (ESP)

• Internet Key Exchange (IKE), with support of Diffie-Hellman Group 2 (1024 bits keys)

• Encryption Algorithm: Triple DES (3DES)

• Authentication Algorithm: HMAC-MD5 and HMAC-SHA1

• Support for authentication using shared secrets, RSA digital signatures, and X.509 certificates

• Support for Diffie-Hellman Group 2 (keys of 1024 bits)

• Key exchanges using Internet PKIs

Thanks

3 Replies

harshisi_2
Level 1

Hi,

The phase 1 seems to be up, but the phase 2 isn't. It could be a mismatch in configuration from the other end too. Could you please turn on debugs (and log it) and try to bring the tunnel up? Please share those debugs for analysis.

===
debug cry isa
===

Regards,

~Harry

Hi Harshit,

The debug output is somewhat like this:

Nov  2 16:23:42.634: ISAKMP:(1002): sitting IDLE. Starting QM immediately (QM_ID98: IPSEC(key_engine): request timer fired: count = 1,7.106.128 0.0.0.3/0/13des
LE      )ac
QUICK
Nov  2 16:23:42.634: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of 163556
Nov  2 16:23:42.638: ISAKMP:(1002):Node 1635562640, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Nov  2 16:23:42.638: ISAKMP:(1002):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Nov  2 16:23:42.798: ISAKMP (1002): received packet from 194.39.131.178 dport 4500 sport 4500 Global (I) QM_IDLE
Nov  2 16:23:42.798: ISAKMP: set new node 507011038 to QM_IDLE
Nov  2 16:23:42.798: ISAKMP:(1002): processing HASH payload. message ID = 507011038
Nov  2 16:23:42.798: ISAKMP:(1002): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 3749995589, message ID = 507011038, sa = 0x31A56D28
Nov  2 16:23:42.798: ISAKMP:(1002): deleting spi 3749995589 message ID = 1635562640
Nov  2 16:23:42.798: ISAKMP:(1002):deleting node 1635562640 error TRUE reason "Delete Larval"
Nov  2 16:23:42.798: ISAKMP:(1002):deleting node 507011038 error FALSE reason "Informational (in) state 1"
Nov  2 16:23:42.798: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Nov  2 16:23:42.798: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
0 peer_port 4500 (I) QM_IDLE
Nov  2 16:24:12.634: ISAKMP:(1002):Sending an IKE IPv4 Packet.
Nov  2 16:24:12.634: ISAKMP:(1002):Node 2305233083, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Nov  2 16:24:12.634: ISAKMP:(1002):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Nov  2 16:24:12.794: ISAKMP (1002): received packet from 194.39.131.178 dport 4500 sport 4500 Global (I) QM_IDLE
Nov  2 16:24:12.794: ISAKMP: set new node 579471621 to QM_IDLE
Nov  2 16:24:12.798: ISAKMP:(1002): processing HASH payload. message ID = 579471621
Nov  2 16:24:12.798: ISAKMP:(1002): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 1941906697, message ID = 579471621, sa = 0x31A56D28
Nov  2 16:24:12.798: ISAKMP:(1002): deleting spi 1941906697 message ID = 2305233083
Nov  2 16:24:12.798: ISAKMP:(1002):deleting node -1989734213 error TRUE reason "Delete Larval"
Nov  2 16:24:12.798: ISAKMP:(1002):deleting node 579471621 error FALSE reason "Informational (in) state 1"
Nov  2 16:24:12.798: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Nov  2 16:24:12.798: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Nov  2 16:24:32.798: ISAKMP:(1002):purging node 1635562640
Nov  2 16:24:32.798: ISAKMP:(1002):purging node 507011038

#debug crypto ipsec

Nov  2 16:20:16.186: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.10.10.10:500, remote= 194.39.131.178:500,
    local_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 194.117.106.128/255.255.255.252/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Nov  2 16:20:46.186: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 10.10.10.10:0, remote= 194.39.131.178:0,
    local_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 194.117.106.128/255.255.255.252/0/0 (type=4)
Nov  2 16:20:46.186: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.10.10.10:500, remote= 194.39.131.178:500,
    local_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 194.117.106.128/255.255.255.252/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Nov  2 16:21:16.186: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 10.10.10.10:0, remote= 194.39.131.178:0,
    local_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 194.117.106.128/255.255.255.252/0/0 (type=4)
Nov  2 16:22:58.966: ISAKMP:(1002):deleting node -1323225912 error TRUE reason "Delete Larval"
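As an added example (not code from this thread, from Cisco, or from either poster), the following Python script runs the triage that Harry is describing over the show and debug output posted above: it confirms phase 1 is ACTIVE in QM_IDLE, detects that no ESP SAs exist and the outbound SPI is still 0x0, and flags the NOTIFY PROPOSAL_NOT_CHOSEN for protocol 3 (ESP in the IPsec DOI numbering of RFC 2407), which is the peer rejecting this side's phase 2 proposal. It also extracts the parameters this side offered in IPSEC(sa_request) (transform, mode, lifetimes) and the proxy identities and PFS setting from the SA output, so they can be compared line by line with the remote end's configuration. The sample strings are trimmed copies of the outputs in the thread; the function names and finding labels are my own.

```python
import re

# Constructed samples: trimmed copies of the outputs posted earlier in this thread.
SHOW_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
194.39.131.178  125.209.123.172 QM_IDLE           1001 ACTIVE
"""

SHOW_IPSEC_SA = """\
interface: GigabitEthernet0/0
    Crypto map tag: MYMAP, local addr 125.209.123.172
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (194.117.106.128/255.255.255.252/0/0)
   current_peer 194.39.131.178 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
     outbound esp sas:
"""

DEBUG_OUTPUT = """\
Nov  2 16:23:42.798: ISAKMP:(1002): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 3749995589, message ID = 507011038, sa = 0x31A56D28
Nov  2 16:20:16.186: IPSEC(sa_request): ,
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
"""

# Protocol IDs carried in ISAKMP notify payloads under the IPsec DOI (RFC 2407):
# "protocol 3" in the debug is ESP, i.e. the peer rejected the phase 2 (IPsec) proposal.
DOI_PROTOCOL = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}
SA_ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\S+)")
NOTIFY = re.compile(r"processing NOTIFY (\w+) protocol (\d+)")


def phase1_sas(text):
    """Rows of 'show crypto isakmp sa' as (dst, src, state, conn_id, status) tuples."""
    return [m.groups() for m in (SA_ROW.match(l) for l in text.splitlines()) if m]


def phase1_up(text):
    """Phase 1 is established when an ISAKMP SA sits in QM_IDLE with status ACTIVE."""
    return any(s == "QM_IDLE" and st == "ACTIVE" for _, _, s, _, st in phase1_sas(text))


def phase2_summary(text):
    """Fields of 'show crypto ipsec sa' that decide whether phase 2 (ESP SAs) is up."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text, re.M)
        return cast(m.group(1)) if m else None
    return {
        "local_ident": grab(r"local\s+ident \(addr/mask/prot/port\): \(([^)]*)\)"),
        "remote_ident": grab(r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)"),
        "encaps": grab(r"#pkts encaps: (\d+)", int),
        "decaps": grab(r"#pkts decaps: (\d+)", int),
        "outbound_spi": grab(r"current outbound spi: (0x[0-9A-Fa-f]+)\("),
        "pfs": grab(r"PFS \(Y/N\): ([YN])"),
        # A negotiated ESP SA shows 'spi: 0x...(' lines under 'inbound/outbound esp sas:'.
        "has_esp_sa": re.search(r"^\s+spi: 0x[0-9A-Fa-f]+\(", text, re.M) is not None,
    }


def notifies(debug_text):
    """(notify type, protocol name) pairs the peer sent, from 'debug crypto isakmp'."""
    return [(m.group(1), DOI_PROTOCOL.get(int(m.group(2)), m.group(2)))
            for m in NOTIFY.finditer(debug_text)]


def offered_proposal(debug_text):
    """What this side proposed in IPSEC(sa_request); this is what the peer must match."""
    m = re.search(r"protocol= (\w+), transform= ([\w\- ]+?)\s+\((\w+)\)", debug_text)
    life = re.search(r"lifedur= (\d+)s and (\d+)kb", debug_text)
    if not m or not life:
        return None
    return {"protocol": m.group(1), "transform": m.group(2), "mode": m.group(3),
            "life_seconds": int(life.group(1)), "life_kbytes": int(life.group(2))}


def triage(isakmp_text, ipsec_text, debug_text):
    """Classify the failure as a list of findings, from general to specific."""
    findings = []
    p2 = phase2_summary(ipsec_text)
    p2_up = p2["has_esp_sa"] and p2["outbound_spi"] not in (None, "0x0")
    if phase1_up(isakmp_text) and not p2_up:
        findings.append("phase1_up_phase2_down")
    if p2["encaps"] == 0 and p2["decaps"] == 0:
        findings.append("no_packets_protected")
    for kind, proto in notifies(debug_text):
        if kind == "PROPOSAL_NOT_CHOSEN":
            # Peer rejected our quick mode proposal: transform set, mode, PFS,
            # proxy identities (crypto ACL) or lifetimes differ from its configuration.
            findings.append(f"peer_rejected_{proto.lower()}_proposal")
    return findings


if __name__ == "__main__":
    print("findings:", triage(SHOW_ISAKMP_SA, SHOW_IPSEC_SA, DEBUG_OUTPUT))
    print("offered :", offered_proposal(DEBUG_OUTPUT), phase2_summary(SHOW_IPSEC_SA))
```

The script reads the same evidence Harry points at: an ISAKMP SA in QM_IDLE/ACTIVE means phase 1 negotiated, while empty "esp sas" sections, a zero outbound SPI and zero encaps/decaps counters mean no phase 2 SA was ever installed. The PROPOSAL_NOT_CHOSEN notify is the decisive line, and the dictionary returned by offered_proposal plus the proxy identities and PFS flag from phase2_summary is exactly the set of values to confirm with the other end.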

Hi,

There seems to be some mismatch in the phase 2 config. Could you please confirm the settings with the other end?

If possible, please post a config from their end as well.

Regards,

~Harry