11-03-2002 05:53 AM - edited 02-21-2020 12:09 PM
Hi,
I hope someone can help me with my problem. I can't seem to get a Windows 2000 client talking to a 3620 router over IPSec. I have cut and pasted the debug from the router below. When I ping the router's internal address, the IPSec tunnel tries to establish but can't. I used the documents from Microsoft and Cisco to get this working, with no luck. I have also included the router config below.
The router runs version 12.1(17). Is there something blindingly obvious I'm missing?
Thanks!
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 3600
!
crypto isakmp policy 2
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0
crypto isakmp client configuration address-pool local vpn-pool
!
!
crypto ipsec transform-set vpn-transform ah-sha-hmac esp-des
crypto ipsec transform-set vpn-transform2 ah-sha-hmac esp-des esp-sha-hmac
!
crypto dynamic-map vpn-dynamic 1
set transform-set vpn-transform
crypto dynamic-map vpn-dynamic 2
set transform-set vpn-transform2
!
!
crypto map vpnclient client configuration address respond
crypto map vpnclient 1 ipsec-isakmp dynamic vpn-dynamic
interface Ethernet0/0
description Private LAN interface
ip address 192.168.1.1 255.255.255.0
ip nat inside
ntp disable
no cdp enable
crypto map vpnclient
!
interface Serial0/0
ip address 212.38.84.182 255.255.255.252
no ip redirects
ip nat outside
encapsulation ppp
ntp disable
no fair-queue
no cdp enable
crypto map vpnclient
00:41:17: ISAKMP (0): received packet from y.y.y.y (N) NEW SA
00:41:17: ISAKMP: local port 500, remote port 500
00:41:17: ISAKMP (0:1): processing SA payload. message ID = 0
00:41:17: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
00:41:17: ISAKMP: encryption DES-CBC
00:41:17: ISAKMP: hash SHA
00:41:17: ISAKMP: default group 1
00:41:17: ISAKMP: auth pre-share
00:41:17: ISAKMP: life type in seconds
00:41:17: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
00:41:17: ISAKMP (0:1): atts are not acceptable. Next payload is 3
00:41:17: ISAKMP (0:1): Checking ISAKMP transform 2 against priority 1 policy
00:41:17: ISAKMP: encryption DES-CBC
00:41:17: ISAKMP: hash MD5
00:41:17: ISAKMP: default group 1
00:41:17: ISAKMP: auth pre-share
00:41:17: ISAKMP: life type in seconds
00:41:17: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
00:41:17: ISAKMP (0:1): atts are not acceptable. Next payload is 3
00:41:17: ISAKMP (0:1): Checking ISAKMP transform 3 against priority 1 policy
00:41:17: ISAKMP: encryption 3DES-CBC
00:41:17: ISAKMP: hash SHA
00:41:17: ISAKMP: default group 2
00:41:17: ISAKMP: auth pre-share
00:41:17: ISAKMP: life type in seconds
00:41:17: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
00:41:17: ISAKMP (0:1): atts are not acceptable. Next payload is 3
00:41:17: ISAKMP (0:1): Checking ISAKMP transform 4 against priority 1 policy
00:41:17: ISAKMP: encryption 3DES-CBC
00:41:17: ISAKMP: hash MD5
00:41:17: ISAKMP: default group 2
00:41:17: ISAKMP: auth pre-share
00:41:17: ISAKMP: life type in seconds
00:41:17: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
00:41:17: ISAKMP (0:1): atts are not acceptable. Next payload is 0
00:41:17: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 2 policy
00:41:17: ISAKMP: encryption DES-CBC
00:41:17: ISAKMP: hash SHA
00:41:17: ISAKMP: default group 1
00:41:17: ISAKMP: auth pre-share
00:41:17: ISAKMP: life type in seconds
00:41:17: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
00:41:17: ISAKMP (0:1): atts are acceptable. Next payload is 3
00:41:17: CryptoEngine0: generate alg parameter
00:41:17: CRYPTO_ENGINE: Dh phase 1 status: 0
00:41:17: CRYPTO_ENGINE: Dh phase 1 status: 0
00:41:17: ISAKMP (0:1): processing vendor id payload
00:41:17: ISAKMP (0:1): SA is doing pre-shared key authentication
00:41:17: ISAKMP (1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:41:17: ISAKMP (1): sending packet to y.y.y.y (R) MM_SA_SETUP
00:41:17: ISAKMP (1): received packet from y.y.y.y (R) MM_SA_SETUP
00:41:17: ISAKMP (0:1): processing KE payload. message ID = 0
00:41:17: CryptoEngine0: generate alg parameter
00:41:17: ISAKMP (0:1): processing NONCE payload. message ID = 0
00:41:17: CryptoEngine0: create ISAKMP SKEYID for conn id 1
00:41:17: ISAKMP (0:1): SKEYID state generated
00:41:17: ISAKMP (1): sending packet to y.y.y.y (R) MM_KEY_EXCH
00:41:17: ISAKMP (1): received packet from y.y.y.y (R) MM_KEY_EXCH
00:41:17: ISAKMP (0:1): processing ID payload. message ID = 0
00:41:17: ISAKMP (0:1): processing HASH payload. message ID = 0
00:41:17: CryptoEngine0: generate hmac context for conn id 1
00:41:17: ISAKMP (0:1): SA has been authenticated with y.y.y.y
00:41:17: ISAKMP (1): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
00:41:17: ISAKMP (1): Total payload length: 12
00:41:17: CryptoEngine0: generate hmac context for conn id 1
00:41:17: CryptoEngine0: clear dh number for conn id 1
00:41:17: ISAKMP (1): sending packet to y.y.y.y (R) QM_IDLE
00:41:17: ISAKMP (1): received packet from y.y.y.y (R) QM_IDLE
00:41:17: ISAKMP: Created a peer node for y.y.y.y
00:41:17: ISAKMP (0:1): Locking struct 61C0C098 on allocation
00:41:17: ISAKMP (0:1): allocating address 192.168.2.2
00:41:17: CryptoEngine0: generate hmac context for conn id 1
00:41:17: ISAKMP (0:1): initiating peer config to y.y.y.y. message ID = -1227309776
00:41:17: ISAKMP (1): sending packet to y.y.y.y (R) CONF_ADDR
00:41:18: ISAKMP (1): received packet from y.y.y.y (R) CONF_ADDR
00:41:18: ISAKMP (0:1): phase 2 packet is a duplicate of a previous packet.
00:41:20: ISAKMP (1): received packet from y.y.y.y (R) CONF_ADDR
00:41:20: ISAKMP (0:1): phase 2 packet is a duplicate of a previous packet.
00:41:22: ISAKMP (0:1): src y.y.y.y dst x.x.x.x
00:41:22: ISAKMP (0:1): processing saved QM.
00:41:22: CryptoEngine0: generate hmac context for conn id 1
00:41:22: ISAKMP (0:1): processing SA payload. message ID = -154066718
00:41:22: ISAKMP (0:1): Checking IPSec proposal 1
00:41:22: ISAKMP: transform 1, AH_SHA
00:41:22: ISAKMP: attributes in transform:
00:41:22: ISAKMP: encaps is 1
00:41:22: ISAKMP: authenticator is HMAC-SHA
00:41:22: validate proposal 0
00:41:22: ISAKMP (0:1): atts are acceptable.
00:41:22: ISAKMP (0:1): Checking IPSec proposal 1
00:41:22: ISAKMP: transform 1, ESP_DES
00:41:22: ISAKMP: attributes in transform:
00:41:22: ISAKMP: encaps is 1
00:41:22: validate proposal 0
00:41:22: ISAKMP (0:1): atts are acceptable.
00:41:22: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= x.x.x.x, src= y.y.y.7,
dest_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= AH, transform= ah-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
00:41:22: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) dest= x.x.x.x, src= y.y.y.y,
dest_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
00:41:22: validate proposal request 0
00:41:22: IPSEC(validate_transform_proposal): proxy identities not supported
00:41:22: ISAKMP: IPSec policy invalidated proposal
00:41:22: ISAKMP (0:1): SA not acceptable!
00:41:22: CryptoEngine0: generate hmac context for conn id 1
00:41:22: ISAKMP (1): sending packet to y.y.y.y (R) QM_IDLE
00:41:22: ISAKMP (0:1): purging node -989732546
*Mar 1 00:41:22: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at y.y.y.y
00:41:22: ISAKMP (0:1): returning IP addr to the address pool: 192.168.2.2
00:41:22: ISAKMP (0:1): returning address 192.168.2.2 to pool
00:41:22: ISAKMP (0:1): deleting node -1227309776 error FALSE reason ""
00:41:24: ISAKMP (1): received packet from y.y.y.y (R) QM_IDLE
00:41:24: ISAKMP (0:1): phase 2 packet is a duplicate of a previous packet.
00:41:24: ISAKMP (0:1): retransmitting due to retransmit phase 2
00:41:24: ISAKMP (0:1): time remaining never
00:41:24: ISAKMP (0:1): current time 00:00:00
00:41:24: ISAKMP (0:1): retransmitting phase 2 QM_IDLE -154066718 ...
00:41:25: ISAKMP (0:1): retransmitting phase 2 QM_IDLE -154066718 ...
00:41:25: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
00:41:25: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
00:41:25: ISAKMP (1): sending packet to y.y.y.y (R) QM_IDLE
00:41:32: ISAKMP (1): received packet from y.y.y.y (R) QM_IDLE
00:41:32: ISAKMP (0:1): phase 2 packet is a duplicate of a previous packet.
00:41:32: ISAKMP (0:1): retransmitting due to retransmit phase 2
00:41:32: ISAKMP (0:1): time remaining never
00:41:32: ISAKMP (0:1): current time 00:00:00
00:41:32: ISAKMP (0:1): retransmitting phase 2 QM_IDLE -154066718 ...
00:41:33: ISAKMP (0:1): retransmitting phase 2 QM_IDLE -154066718 ...
00:41:33: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
00:41:33: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
00:41:33: ISAKMP (1): sending packet to y.y.y.y (R) QM_IDLE
00:41:43: ISAKMP (0:1): retransmitting phase 2 QM_IDLE -154066718 ...
00:41:43: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
00:41:43: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
00:41:43: ISAKMP (1): sending packet to y.y.y.y (R) QM_IDLE
00:41:49: ISAKMP (1): received packet from y.y.y.y (R) QM_IDLE
00:41:49: ISAKMP (0:1): phase 2 packet is a duplicate of a previous packet.
00:41:49: ISAKMP (0:1): retransmitting due to retransmit phase 2
00:41:49: ISAKMP (0:1): time remaining never
00:41:49: ISAKMP (0:1): current time 00:00:00
00:41:49: ISAKMP (0:1): retransmitting phase 2 QM_IDLE -154066718 ...
00:41:49: ISAKMP (0:1): retransmitting phase 2 QM_IDLE -154066718 ...
00:41:49: ISAKMP (0:1): phase 1 going away; let's be paranoid.
00:41:49: ISAKMP (0:1): Bring down phase 2's
00:41:49: ISAKMP (0:1): That phase 1 was the last one of its kind. Taking phase 2's with us.
00:41:49: ISAKMP (0:1): peer does not do paranoid keepalives.
00:41:49: ISAKMP (0:1): deleting SA reason "death by retransmission P2" state (R) QM_IDLE (peer y.y.y.y) input queue 0
00:41:49: ISAKMP (0:1): returning address 192.168.2.2 to pool
00:41:49: ISAKMP (0:1): Unlocking struct 61C0C098 on return of attributes
00:41:49: CryptoEngine0: generate hmac context for conn id 1
00:41:49: ISAKMP (0:1): phase 1 going away; let's be paranoid.
00:41:49: ISAKMP (0:1): Bring down phase 2's
00:41:49: ISAKMP (0:1): That phase 1 was the last one of its kind. Taking phase 2's with us.
00:41:49: ISAKMP (0:1): peer does not do paranoid keepalives.
00:41:49: ISAKMP (0:1): deleting node -154066718 error TRUE reason "death by retransmission P2"
00:41:49: ISAKMP (0:1): deleting node 1293135644 error TRUE reason "death by retransmission P2"
00:41:49: IPSEC(key_engine): got a queue event...
00:41:49: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
00:41:49: IPSEC(key_engine_delete_sas): delete all SAs shared with y.y.y.y
00:41:49: IPSEC(key_engine): got a queue event...
00:41:49: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
00:41:49: IPSEC(key_engine_delete_sas): delete all SAs shared with y.y.y.y
00:42:12: ISAKMP (0:1): purging node -1227309776
00:42:39: ISAKMP (0:1): purging node -154066718
00:42:39: ISAKMP (0:1): purging node 1293135644
00:42:49: ISAKMP (0:1): purging SA.
00:42:49: CryptoEngine0: delete connection 1
00:42:55: ISAKMP: Deleting peer node for y.y.y.y
11-04-2002 07:56 PM
Hi,
Based on the debugs (it seems like a non-Cisco IPSec client for W2K):
00:41:22: IPSEC(validate_transform_proposal): proxy identities not supported
00:41:22: ISAKMP: IPSec policy invalidated proposal
00:41:22: ISAKMP (0:1): SA not acceptable!
it means that you *do not* have proper proxy IDs with masks. The proxy ID is the local subnet(s)/host(s) across the VPN connection, so make sure that you use 192.168.1.0/24 as the remote subnet. Other things to be taken care of:
1 - Make sure that you bypass NAT (static and PAT) for the IPSec data flow.
2 - Remove the crypto map from the e0/0 interface; you only need it on the outside (s0/0) interface.
Thanks,
Afaq
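A small triage script, added here as an example (it is not part of the post or of Afaq's reply): it parses the router's IPSEC(validate_proposal_request) lines, pulls out the proxy identities of each proposal part, and lines them up against the 192.168.1.0/24 LAN the reply says the client must use as its remote subnet and against the address the router handed out by mode-config. The input excerpt is constructed from the post's own debug lines.

```python
import re

# Constructed excerpt of the "debug crypto ipsec" output in the post (same
# line shapes as the page, a few lines trimmed).
SAMPLE_DEBUG = """\
00:41:17: ISAKMP (0:1): allocating address 192.168.2.2
00:41:22: IPSEC(validate_proposal_request): proposal part #1,
dest_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= AH, transform= ah-sha-hmac ,
00:41:22: IPSEC(validate_proposal_request): proposal part #2,
dest_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des ,
00:41:22: IPSEC(validate_transform_proposal): proxy identities not supported
"""

PROXY_RE = re.compile(r"(dest|src)_proxy= ([\d.]+)/([\d.]+)/")
PROTO_RE = re.compile(r"protocol= (\w+), transform= ([\w-]+)")

def summarize(debug_text):
    # Keep only what decides Phase 2: each proposal part's proxy IDs (dest_proxy
    # is the router's side, src_proxy the client's), the mode-config address
    # and the router's verdict.
    s = {"mode_config_addr": None, "parts": [], "reject": None}
    for line in debug_text.splitlines():
        if "allocating address" in line:
            s["mode_config_addr"] = line.rsplit(" ", 1)[1]
        elif "proposal part #" in line:
            s["parts"].append({"part": int(line.rsplit("#", 1)[1].rstrip(","))})
        elif (m := PROXY_RE.search(line)) and s["parts"]:
            s["parts"][-1][m.group(1) + "_proxy"] = m.group(2) + "/" + m.group(3)
        elif (m := PROTO_RE.search(line)) and s["parts"]:
            s["parts"][-1]["protocol"], s["parts"][-1]["transform"] = m.groups()
        elif "proxy identities not supported" in line:
            s["reject"] = "proxy identities not supported"
    return s

def proxy_findings(summary, local_lan):
    # Compare each part's proxy IDs with the LAN the client should target and
    # with the address the router handed out; report the router's verdict last.
    out = []
    for p in summary["parts"]:
        if p.get("dest_proxy") != local_lan:
            out.append(f"part {p['part']}: router-side proxy {p.get('dest_proxy')} != {local_lan}")
        if p.get("src_proxy") == "0.0.0.0/0.0.0.0":
            out.append(f"part {p['part']}: client-side proxy is any/any while "
                       f"mode-config handed the client {summary['mode_config_addr']}")
    if summary["reject"]:
        out.append(f"Phase 2 rejected: {summary['reject']}")
    return out
```

Run it with `proxy_findings(summarize(SAMPLE_DEBUG), "192.168.1.0/255.255.255.0")` to get the three findings for the post's debug; feeding it a fresh capture after changing the client policy shows whether the any/any proxy and the rejection line have gone.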