07-23-2012 12:59 AM - edited 02-21-2020 06:13 PM
Hey Folks,
I'm having some problems getting an ipsec tunnel established between a cisco 887VA router and a cisco srp527w router.
I am working from a few text books and some example materials. I have worked through many combinations of what I have got and am still struggling a little bit.
I look at debug results and it appears as though the policies do not match between the devices:
Jul 23 05:44:37.759: ISAKMP (0): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (R) MM_NO_STATE
broute1#
Jul 23 05:44:57.079: ISAKMP:(0):purging SA., sa=85247558, delme=85247558
broute1#
Jul 23 05:45:17.031: ISAKMP (0): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (N) NEW SA
Jul 23 05:45:17.031: ISAKMP: Created a peer struct for XXX.XXX.XXX.XXX, peer port 500
Jul 23 05:45:17.035: ISAKMP: New peer created peer = 0x8838C3F8 peer_handle = 0x800021CF
Jul 23 05:45:17.035: ISAKMP: Locking peer struct 0x8838C3F8, refcount 1 for crypto_isakmp_process_block
Jul 23 05:45:17.035: ISAKMP: local port 500, remote port 500
Jul 23 05:45:17.035: ISAKMP:(0):insert sa successfully sa = 87D84664
Jul 23 05:45:17.035: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 23 05:45:17.035: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Jul 23 05:45:17.035: ISAKMP:(0): processing SA payload. message ID = 0
Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload
Jul 23 05:45:17.035: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch
Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload
Jul 23 05:45:17.035: ISAKMP:(0): vendor ID is DPD
Jul 23 05:45:17.035: ISAKMP:(0):No pre-shared key with XXX.XXX.XXX.XXX!
Jul 23 05:45:17.035: ISAKMP : Scanning profiles for xauth ...
Jul 23 05:45:17.035: ISAKMP:(0):Checking ISAKMP transform 0 against priority 1 policy
Jul 23 05:45:17.035: ISAKMP: life type in seconds
Jul 23 05:45:17.035: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x53
Jul 23 05:45:17.035: ISAKMP: encryption DES-CBC
Jul 23 05:45:17.035: ISAKMP: hash SHA
Jul 23 05:45:17.035: ISAKMP: auth pre-share
Jul 23 05:45:17.035: ISAKMP: default group 1
Jul 23 05:45:17.035: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jul 23 05:45:17.035: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jul 23 05:45:17.035: ISAKMP:(0):no offers accepted!
Jul 23 05:45:17.035: ISAKMP:(0): phase 1 SA policy not acceptable! (local YYY.YYY.YYY.YYY remote XXX.XXX.XXX.XXX)
Jul 23 05:45:17.035: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
Jul 23 05:45:17.035: ISAKMP:(0): Failed to construct AG informational message.
Jul 23 05:45:17.035: ISAKMP:(0): sending packet to XXX.XXX.XXX.XXX my_port 500 peer_port 500 (R) MM_NO_STATE
Jul 23 05:45:17.035: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 23 05:45:17.035: ISAKMP:(0):peer does not do paranoid keepalives.
Jul 23 05:45:17.035: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer XXX.XXX.XXX.XXX)
Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload
Jul 23 05:45:17.035: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch
Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload
Jul 23 05:45:17.035: ISAKMP:(0): vendor ID is DPD
Jul 23 05:45:17.035: ISAKMP (0): FSM action returned error: 2
Jul 23 05:45:17.035: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 23 05:45:17.035: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Jul 23 05:45:17.039: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer XXX.XXX.XXX.XXX)
Jul 23 05:45:17.039: ISAKMP: Unlocking peer struct 0x8838C3F8 for isadb_mark_sa_deleted(), count 0
Jul 23 05:45:17.039: ISAKMP: Deleting peer node by peer_reap for XXX.XXX.XXX.XXX: 8838C3F8
Jul 23 05:45:17.039: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jul 23 05:45:17.039: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
Here is a slightly trimmed version of my running-config (I took out things I was sure no one would need), and attached are screenshots of the IKE Policy and IPSec Policy from the srp527w:
version 15.1
hostname broute1
!
logging buffered 65535
logging console informational
!
no aaa new-model
!
memory-size iomem 10
clock timezone ESTime 10 0
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
controller VDSL 0
operating mode adsl2 annex A
!
ip ssh version 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
lifetime 28800
crypto isakmp key PRE_SHARED_KEY_FOR_IKE(I_THINK) hostname REMOTE_HOST
!
!
crypto ipsec transform-set JWRE_BW-1 esp-3des esp-sha-hmac
!
!
!
crypto map JWRE_BW-1 10 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set transform-set JWRE_BW-1
match address 101
!
interface Loopback0
no ip address
!
interface ATM0
description --- Internode ADSL ----
no ip address
no ip route-cache
load-interval 30
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
no ip route-cache
pvc 8/35
tx-ring-limit 3
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
!
interface Vlan1
description Management Interface
ip address AAA.AAA.AAA.AAA 255.255.255.0
ip mtu 1452
ip nat inside
ip virtual-reassembly in
no ip route-cache cef
ip tcp adjust-mss 1420
!
interface Dialer1
description -----INTERNODE ADSL------
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname ADSL_USERNAME
ppp chap password 7 ADSL_PASSWORD
ppp ipcp dns request accept
no cdp enable
crypto map JWRE_BW-1
!
logging trap debugging
access-list 101 permit ip 192.168.7.0 0.0.0.255 10.0.1.0 0.0.0.255
dialer-list 1 protocol ip permit
Some specific questions:
1) On the SRP in the examples I have used (and I have a few SRP->SRP VPNs that work) I see you need to enter the preshared key, but I'm not seeing in the examples I have used anything about the IKE preshared key on the IOS box. Does anyone have any examples where you use the preshared key for IKE? I wonder if this is my primary issue as it states clearly in the log that there is no preshared key :|
2) I have used a mish-mash of names between the various sections, as on the SRP the naming convention isn't the same; i.e. which parts of the IPSEC negotiation come from the IKE policy section and which from the IPSEC policy section. Do the names really matter across different ends of the VPN?
3) I notice when I perform this command in the(config-crypto-map)#:
set peer FQDN
It is converted to:
set peer XXX.XXX.XXX.XXX
Is this expected? I want the device to look at the FQDN as this particular host is using DDNS and not use a static IP address.
I could ask a million questions but I will leave it for there, if someone can see anything that sticks out (or can answer Q1 in particular) please let me know.
Thanks in advance for your time and assistance folks.
B
07-23-2012 09:27 AM
The IKE policy does not seem to match, you would need to configure the matching IKE policy on the router as follows:
crypto isakmp policy 10
encr des
hash sha
authentication pre-share
group 1
lifetime 28800
For the preshared key, use the address instead of host name:
crypto isakmp key
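To make the debug output in the first post and the policy fix above concrete, here is an added Python helper (not from this thread, Cisco, or either router) that parses the offered ISAKMP transform out of the "debug crypto isakmp" attribute lines, fills in the IOS 15.1 policy defaults that a running-config does not display (assumed here: des, sha, rsa-sig, group 1, 86400 s), and reports which Phase 1 attribute makes the responder log "atts are not acceptable". The sample debug lines and policy block are constructed from the thread.

```python
import re

# Constructed sample: the attribute lines from the thread's "debug crypto isakmp" output,
# i.e. the Phase 1 transform the SRP527W offered to the 887VA.
OFFER_DEBUG = """\
Jul 23 05:45:17.035: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x53
Jul 23 05:45:17.035: ISAKMP: encryption DES-CBC
Jul 23 05:45:17.035: ISAKMP: hash SHA
Jul 23 05:45:17.035: ISAKMP: auth pre-share
Jul 23 05:45:17.035: ISAKMP: default group 1
"""
# The responder's policy exactly as the poster's running-config shows it.
POLICY_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 lifetime 28800
"""
# Assumed IOS 15.1 defaults: applied to a policy when the line is absent, and therefore not displayed.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}
STRICT = ("encryption", "hash", "authentication", "group")  # must match; lifetime only has to be compatible
ATTR = {"encryption": "encryption", "hash": "hash", "auth": "authentication",
        "default group": "group", "life duration (VPI) of": "lifetime"}
PATTERN = re.compile(r"ISAKMP:\s+(" + "|".join(map(re.escape, ATTR)) + r")\s+(.+)$")

def parse_offer(debug_text):
    """Extract the peer's Phase 1 proposal from ISAKMP attribute debug lines."""
    offer = {}
    for m in filter(None, map(PATTERN.search, debug_text.splitlines())):
        key, value = ATTR[m.group(1)], m.group(2).strip().lower()
        if key == "lifetime":  # sent as big-endian bytes: 0x0 0x1 0x51 0x53 -> 86355 seconds
            value = str(int.from_bytes(bytes(int(b, 16) for b in value.split()), "big"))
        offer[key] = value.replace("-cbc", "")  # IOS prints DES-CBC for the 'des' policy keyword
    return offer

def parse_policy(config_text):
    """Read one 'crypto isakmp policy' block, filling in the defaults IOS leaves out of the config."""
    policy = dict(IOS_DEFAULTS)
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("encr", "hash", "authentication", "group", "lifetime"):
            policy["encryption" if parts[0] == "encr" else parts[0]] = parts[1].lower()
    return policy

def find_mismatches(offer, policy):
    """Return the attributes that make IOS log 'atts are not acceptable' for this proposal."""
    return [f"{k}: peer offered {offer.get(k)}, local policy has {policy[k]}"
            for k in STRICT if offer.get(k) != policy[k]]
```

Calling find_mismatches(parse_offer(OFFER_DEBUG), parse_policy(POLICY_CONFIG)) reports only the encryption attribute, which is exactly what the debug line "Encryption algorithm offered does not match policy!" says; feeding it the policy 10 block from the answer instead reports nothing.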
07-25-2012 05:10 AM
YAY! Hey Jennifer thank you so much!
So I pulled my hair out for a while. It seems I did have the policy details above in my config; it just doesn't show the algorithm, hash or DH group in the conf.
When I then reread it and saw the last bit (facepalm), I changed to using a host address and all of a sudden it worked.
Does this mean that you cannot use the FQDN to make ISAKMP work? The documentation seems to indicate it does but the config it makes is not consistent with that. I have a few sites that use DDNS and I would prefer not to upgrade the access plans for those remote sites to include static addresses.
Thanks again, back on track
B
07-25-2012 09:03 AM
If you use Main Mode, you can't use hostname on the isakmp key.
You can use the hostname if you are using Aggressive mode on IKE, and you would also need to configure:
crypto isakmp identity hostname
Plus your router needs to point to a dns server that can resolve the hostname.
Here is more information on:
- crypto isakmp key:
- crypto isakmp identity:
07-25-2012 06:05 PM
Thank you again Jennifer. I cannot believe how much time I've spent on this, you are a life saver!
cheers
Bruno