IPSEC VPN won't connect to remote peer

JMaartenW
Level 1

Hi,

I am trying to set up a site-to-site IPSEC VPN between a Cisco 887VA router and a Juniper device in a datacentre and am unable to get the connection to even get past first base. It doesn't even seem to try to connect to the peer.

Can anyone see any issues in my config?

The VPN details should be as follows:

Phase 1: 3DES, SHA1, Group 2, lifetime 1440 minutes, aggressive mode off, authentication: pre-shared key.

Phase 2: 3DES, SHA1, PFS no, lifetime 1440 minutes.

Local IP starts at 212.x.x.x

Remote peer starts with 85.x.x.x

Local internal IP is 172.17.205.254

Here is my config; any help would be greatly appreciated.

HST********#sh conf
Using 14966 out of 262136 bytes
!
! Last configuration change at 23:47:15 PCTime Tue Oct 29 2013 by admin
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname HST*********
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 52000
logging console critical
enable secret 4 MHpke6/RnYLNL/fAD5EKDxml.aj8Sr4IJfubMQjIoB2
enable password 7 08331D1F074D031A39
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone PCTime 0 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3612796534
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3612796534
revocation-check none
rsakeypair TP-self-signed-3612796534
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
crypto pki trustpoint TP-self-signed-1280197465
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1280197465
revocation-check none
rsakeypair TP-self-signed-1280197465
!
!
crypto pki certificate chain TP-self-signed-3612796534
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain TP-self-signed-1280197465
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
!
no ip bootp server
ip domain name uk.access-accounts.com
ip name-server 8.8.8.8
ip name-server 172.24.4.13
ip cef
login block-for 5 attempts 10 within 5
no ipv6 cef
vlan ifdescr detail
!
parameter-map type regex ccp-regex-nonascii
pattern [^\x00-\x80]

parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com

parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com

!
license udi pid CISCO887VA-SEC-K9 sn FCZ173691VC
license boot module c880-data level advsecurity
!
!
object-group service *ALL
description ALL traffic
icmp
tcp-udp gt 1
icmp echo-reply
!
object-group network Acloudnetwork
description *cloud subnets
192.168.102.0 255.255.255.0
!
object-group network Localnetworks
description * Main network subnets
172.17.205.0 255.255.255.0
!
object-group service webtraffic
description http and https and dns
tcp eq domain
tcp eq 443
tcp eq www
!
username Admin privilege 15 secret 4 MHpke6/RnYLNL/fAD5EKDxml.aj8Sr4IJfubMQjIoB2
username Backup-admin privilege 15 view root secret 4 MHpke6/RnYLNL/fAD5EKDxml.aj8Sr4IJfubMQjIoB2
!
!
!
!
!
controller VDSL 0
!
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol bittorrent signature
class-map type inspect match-any Adapt_ICMP
match protocol icmp
match protocol tcp
class-map type inspect smtp match-any ccp-app-smtp
match data-length gt 5000000
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect http match-any ccp-app-nonascii
match req-resp header regex ccp-regex-nonascii
class-map type inspect match-any WEB_MGMT
match protocol https
match protocol login
match protocol ssh
match protocol cisco-net-mgmt
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any web_management
match protocol icmp
match protocol tcp
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol tcp
match protocol udp
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
match access-group 101
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method post
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match request port-misuse tunneling
match req-resp protocol-violation
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect match-all ccp-protocol-smtp
match protocol smtp
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map web_management
match access-group name Web_management
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
match protocol icmp
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
!
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
  log
policy-map type inspect smtp ccp-action-smtp
class type inspect smtp ccp-app-smtp
policy-map type inspect ccp-pol-outToIn
class class-default
  drop log
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
  log
class type inspect http ccp-app-httpmethods
  log
class type inspect http ccp-app-nonascii
  log
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
  log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
  service-policy http ccp-action-app-http
class type inspect ccp-protocol-smtp
  inspect
  service-policy smtp ccp-action-smtp
class type inspect ccp-protocol-imap
  inspect
  service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
  inspect
  service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
  drop log
class type inspect ccp-protocol-im
  drop log
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class type inspect ccp-cls-ccp-permit-1
  inspect
class class-default
  drop
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp key PRESHAREKEY address 85.*.*.*
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ADAPTVPN esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map ADAPTVPN 200 ipsec-isakmp
set peer 85.*.*.*
set transform-set ADAPTVPN
match address 120
!
!
!
!
!
interface Ethernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description TalkTalk VOIP
ip flow ingress
zone-member security out-zone
crypto map ADAPTVPN
pvc 0/38
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
description $FW_INSIDE$
ip address 172.17.205.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname 01424319870@officebb.co.uk
ppp chap password 7 133F403E5827530C7D1E7E
ppp pap sent-username 01424319870@officebb.co.uk password 7 0129512808205129777618
no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 10000
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip access-list extended ADAPT_ICMP
remark CCP_ACL Category=128
permit ip host 85.*.*.*  host 212.*.*.*
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended WEB_MGMT
remark CCP_ACL Category=128
permit ip host 85.*.*.* host 172.17.205.254
ip access-list extended Web_management
remark CCP_ACL Category=128
permit ip host 85.*.*.* host 212.*.*.*
!
ip sla auto discovery
logging trap errors
logging facility local2
logging host 172.24.4.51
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 106
!
snmp-server community SNMP-public RO
snmp-server community SNMP-Public RO
snmp-server community SNMP-Private RW
snmp-server location SSM App Server
snmp-server contact Maarten Westera
snmp-server host 172.24.4.57 P@ssw0rd
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.17.205.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit udp any any eq bootpc
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 104 remark CCP_ACL Category=128
access-list 104 permit ip host 85.*.*.* any
access-list 106 remark CCP_ACL Category=2
access-list 106 permit ip 172.17.205.0 0.0.0.255 any
access-list 120 remark CCP_ACL Category=20
access-list 120 remark VOIPVPNRule
access-list 120 permit ip 172.17.205.0 0.0.0.255 172.17.104.0 0.0.0.255
!
!
!
banner login ^C
#############################################
#  This device is the property of ********* #
#                                           #
#     Unauthorised use is prohibited        #
#############################################
^C
banner motd
This device is for sole use of **************, Unauthorised sessions are being monitored

!
line con 0
login authentication local_auth
no modem enable
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
privilege level 15
password 7 09554B1A
login authentication local_auth
transport input telnet ssh
!
!
end

3 Replies

Hi Maarten,

Please share the "debug crypto isakmp" and "debug crypto ipsec" in order for us to determine the nature of the failure.

HTH.

Hi,

The debug crypto isakmp does not display any data at all, and I do have a device plugged into the VLAN which is pinging a remote IP on the other end of the VPN.

For that reason the debug crypto ipsec also will not display any data.

Thanks

Here are a few more sh commands:

HSTCIS887VOIP1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 20
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit

HSTCIS887VOIP1#show crypto ipsec policy

HSTCIS887VOIP1#show crypto ipsec sa

interface: ATM0.1
    Crypto map tag: ADAPTVPN, local addr 0.0.0.0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.17.205.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.17.104.0/255.255.255.0/0/0)
   current_peer 85.*.*.* port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 0.0.0.0, remote crypto endpt.: 85.*.*.*
     path mtu 1600, ip mtu 1600, ip mtu idb ATM0.1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

HSTCIS887VOIP1#show crypto ipsec profile
IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }

HSTCIS887VOIP1#show crypto ipsec client
% Incomplete command.

HSTCIS887VOIP1#show crypto ipsec security-association
Security association lifetime: 4608000 kilobytes/86400 seconds

HSTCIS887VOIP1#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

Transform set ADAPTVPN: { esp-3des esp-sha-hmac  }
   will negotiate = { Tunnel,  },

HSTCIS887VOIP1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

HSTCIS887VOIP1#show crypto isakmp peers

HSTCIS887VOIP1#show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key

default      85.*.*.*                            mypresharedkey
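As an added example (not part of the thread, and not the poster's or Cisco's code): a small Python audit that parses an IOS config excerpt constructed to mirror the posted one (the redacted 85.x.x.x peer replaced with the documentation address 203.0.113.10, the pre-shared key a placeholder) and reports the conditions that leave an initiator silent in debug crypto isakmp: a crypto map bound to an interface that has no IP address, so IKE has no source address (the "local addr 0.0.0.0" in the show crypto ipsec sa output above is the symptom of that; on a PPPoA/PPPoE link the negotiated address lives on the Dialer interface, not the ATM sub-interface), a crypto map peer with no matching pre-shared key, and a phase 1 policy that differs from the required 3DES/SHA1/group 2/1440-minute proposal (IOS defaults are filled in for omitted policy lines, since the posted policy relies on the default hash and lifetime). The parser is written for this block; the block names and layout are assumptions based on standard IOS syntax.

```python
import re

# Constructed IOS config excerpt mirroring the posted one; 203.0.113.10 is a
# documentation address standing in for the redacted 85.x.x.x peer.
SAMPLE_CONFIG = """\
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PRESHAREKEY address 203.0.113.10
crypto map ADAPTVPN 200 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set ADAPTVPN
 match address 120
interface ATM0.1 point-to-point
 zone-member security out-zone
 crypto map ADAPTVPN
interface Dialer0
 ip address negotiated
 zone-member security out-zone
interface Vlan1
 ip address 172.17.205.254 255.255.255.0
"""

# Phase 1 proposal required by the remote side (3DES, SHA1, group 2, 1440 min).
REQUIRED_PHASE1 = {"encr": "3des", "hash": "sha", "group": "2", "lifetime": "86400"}
# Values IOS applies when a policy line is omitted.
PHASE1_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1", "lifetime": "86400"}


def parse_blocks(config):
    """Split an IOS config into (header line, [indented child lines]) pairs."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks


def parse_config(config):
    """Extract interfaces, crypto maps, ISAKMP policies and peers that have a key."""
    interfaces, crypto_maps, policies, keyed_peers = {}, {}, {}, set()
    for header, children in parse_blocks(config):
        words = header.split()
        if words[0] == "interface":
            iface = {"ip": None, "crypto_map": None}
            for c in children:
                if c.startswith("ip address "):
                    iface["ip"] = c.split(None, 2)[2]  # "A.B.C.D mask" or "negotiated"
                elif c.startswith("crypto map "):
                    iface["crypto_map"] = c.split()[2]
            interfaces[words[1]] = iface
        elif header.startswith("crypto map "):
            cm = crypto_maps.setdefault(words[2], {"peers": set()})
            cm["peers"].update(c.split()[2] for c in children if c.startswith("set peer "))
        elif header.startswith("crypto isakmp policy "):
            policy = dict(PHASE1_DEFAULTS)  # omitted lines take the IOS default
            for c in children:
                parts = c.split(None, 1)
                if len(parts) == 2 and parts[0] in policy:
                    policy[parts[0]] = parts[1]
            policies[words[3]] = policy
        elif header.startswith("crypto isakmp key "):
            m = re.search(r" address (\S+)", header)
            if m:
                keyed_peers.add(m.group(1))
    return interfaces, crypto_maps, policies, keyed_peers


def audit(config):
    """Return findings that would stop IKE from ever starting; [] means clean."""
    interfaces, crypto_maps, policies, keyed_peers = parse_config(config)
    findings = []
    for name, cm in crypto_maps.items():
        bound = [i for i, d in interfaces.items() if d["crypto_map"] == name]
        if not bound:
            findings.append(f"crypto map {name} is not applied to any interface")
        for iface in bound:
            if interfaces[iface]["ip"] is None:
                findings.append(f"crypto map {name} is on {iface}, which has no IP address "
                                "(no IKE source address; expect 'local addr 0.0.0.0')")
        for peer in sorted(cm["peers"] - keyed_peers):
            findings.append(f"no pre-shared key configured for peer {peer} ({name})")
    if not policies:
        findings.append("no crypto isakmp policy configured")
    for prio, policy in policies.items():
        diff = {k: (policy[k], v) for k, v in REQUIRED_PHASE1.items() if policy[k] != v}
        if diff:
            findings.append(f"isakmp policy {prio} differs from required proposal: {diff}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the constructed excerpt it reports a single finding, the crypto map on ATM0.1 with no IP address; the phase 1 policy passes because the omitted hash and lifetime default to SHA and 86400 seconds, which match the stated requirements. The check is deliberately static: it says nothing about the zone-based firewall policy or the remote side, which still have to be verified separately once IKE actually starts sending.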