L2L IPSEC VPN Issue

I'm having an issue with the Phase 1 and Phase 2 for a VPN connection for a customer. I've verified that the phase 1 and phase 2 settings are correct with the vendor at the other endpoint, but I'm still failing during phase 1. I've attached the config of my router at this end, along with the debug info below that I'm getting. I've searched high and low, but haven't been able to come up with any answers. We are using a Cisco 1921, and they have a Watchguard at the other end. ANY help would be greatly appreciated.

Feb 13 18:00:13.642: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= x.x.x.26:500, remote= x.x.x.68:500,

    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 10.200.1.112/255.255.255.248/0/0 (type=4),

    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

Feb 13 18:00:13.642: ISAKMP:(0): SA request profile is (NULL)

Feb 13 18:00:13.642: ISAKMP: Created a peer struct for x.x.x.68, peer port 500

Feb 13 18:00:13.642: ISAKMP: New peer created peer = 0x290E0910 peer_handle = 0x80000029

Feb 13 18:00:13.642: ISAKMP: Locking peer struct 0x290E0910, refcount 1 for isakmp_initiator

Feb 13 18:00:13.642: ISAKMP: local port 500, remote port 500

Feb 13 18:00:13.642: ISAKMP: set new node 0 to QM_IDLE

Feb 13 18:00:13.642: ISAKMP:(0):insert sa successfully sa = 3183CCCC

Feb 13 18:00:13.642: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

Feb 13 18:00:13.642: ISAKMP:(0):found peer pre-shared key matching x.x.x.68

Feb 13 18:00:13.642: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

Feb 13 18:00:13.642: ISAKMP:(0): constructed NAT-T vendor-07 ID

Feb 13 18:00:13.642: ISAKMP:(0): constructed NAT-T vendor-03 ID

Feb 13 18:00:13.642: ISAKMP:(0): constructed NAT-T vendor-02 ID

Feb 13 18:00:13.642: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

Feb 13 18:00:13.642: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Feb 13 18:00:13.642: ISAKMP:(0): beginning Main Mode exchange

Feb 13 18:00:13.642: ISAKMP:(0): sending packet to x.x.x.68 my_port 500 peer_port 500 (I) MM_NO_STATE

Feb 13 18:00:13.642: ISAKMP:(0):Sending an IKE IPv4 Packet.

Feb 13 18:00:13.714: ISAKMP (0): received packet from x.x.x.68 dport 500 sport 500 Global (I) MM_NO_STATE

Feb 13 18:00:13.714: ISAKMP:(0):Notify has no hash. Rejected.

Feb 13 18:00:13.714: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1

Feb 13 18:00:13.714: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

Feb 13 18:00:13.714: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

Feb 13 18:00:13.714: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at x.x.x.68

Feb 13 18:00:23.642: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Feb 13 18:00:23.642: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

Feb 13 18:00:23.642: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Feb 13 18:00:23.642: ISAKMP:(0): sending packet to x.x.x.68 my_port 500 peer_port 500 (I) MM_NO_STATE

Feb 13 18:00:23.642: ISAKMP:(0):Sending an IKE IPv4 Packet.

Feb 13 18:00:23.710: ISAKMP (0): received packet from x.x.x.68 dport 500 sport 500 Global (I) MM_NO_STATE

Feb 13 18:00:23.710: ISAKMP:(0):Notify has no hash. Rejected.

Feb 13 18:00:23.710: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1

Feb 13 18:00:23.710: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

Feb 13 18:00:23.710: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

Feb 13 18:00:33.642: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Feb 13 18:00:33.642: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

Feb 13 18:00:33.642: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Feb 13 18:00:33.642: ISAKMP:(0): sending packet to x.x.x.68 my_port 500 peer_port 500 (I) MM_NO_STATE

Feb 13 18:00:33.642: ISAKMP:(0):Sending an IKE IPv4 Packet.

Feb 13 18:00:33.710: ISAKMP (0): received packet from x.x.x.68 dport 500 sport 500 Global (I) MM_NO_STATE

Feb 13 18:00:33.710: ISAKMP:(0):Notify has no hash. Rejected.

Feb 13 18:00:33.710: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1

Feb 13 18:00:33.710: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

Feb 13 18:00:33.710: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

Feb 13 18:00:43.642: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Feb 13 18:00:43.642: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

Feb 13 18:00:43.642: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Feb 13 18:00:43.642: ISAKMP:(0): sending packet to x.x.x.68 my_port 500 peer_port 500 (I) MM_NO_STATE

Feb 13 18:00:43.642: ISAKMP:(0):Sending an IKE IPv4 Packet.

Feb 13 18:00:43.642: IPSEC(key_engine): request timer fired: count = 1,

  (identity) local= x.x.x.26:0, remote= x.x.x.68:0,

    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 10.200.1.112/255.255.255.248/0/0 (type=4)

Feb 13 18:00:43.642: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= x.x.x.26:500, remote= x.x.x.68:500,

    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 10.200.1.112/255.255.255.248/0/0 (type=4),

    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

Feb 13 18:00:43.642: ISAKMP: set new node 0 to QM_IDLE

Feb 13 18:00:43.642: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local x.x.x.26, remote x.x.x.68)

Feb 13 18:00:43.642: ISAKMP: Error while processing SA request: Failed to initialize SA

Feb 13 18:00:43.642: ISAKMP: Error while processing KMI message 0, error 2.

Feb 13 18:00:43.714: ISAKMP (0): received packet from x.x.x.68 dport 500 sport 500 Global (I) MM_NO_STATE

Feb 13 18:00:43.714: ISAKMP:(0):Notify has no hash. Rejected.

Feb 13 18:00:43.714: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1

Feb 13 18:00:43.714: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

Feb 13 18:00:43.714: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

Feb 13 18:00:53.642: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Feb 13 18:00:53.642: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

Feb 13 18:00:53.642: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Feb 13 18:00:53.642: ISAKMP:(0): sending packet to x.x.x.68 my_port 500 peer_port 500 (I) MM_NO_STATE

Feb 13 18:00:53.642: ISAKMP:(0):Sending an IKE IPv4 Packet.

Feb 13 18:00:53.710: ISAKMP (0): received packet from x.x.x.68 dport 500 sport 500 Global (I) MM_NO_STATE

Feb 13 18:00:53.710: ISAKMP:(0):Notify has no hash. Rejected.

Feb 13 18:00:53.710: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1

Feb 13 18:00:53.710: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

Feb 13 18:00:53.710: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1
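A small triage script, added here as an example and not part of the original post: it walks a constructed excerpt modelled on the debug output above, counts the rejected unhashed notifies and the phase 1 retransmits, and reports that the initiator never left IKE_I_MM1 (i.e. no Main Mode reply ever arrived from the peer).

```python
import re

# Constructed excerpt modelled on the 'debug crypto isakmp' lines posted in the
# thread (masked peer address and timestamps kept as the poster showed them).
SAMPLE_DEBUG = """\
Feb 13 18:00:13.642: ISAKMP:(0): beginning Main Mode exchange
Feb 13 18:00:13.642: ISAKMP:(0): sending packet to x.x.x.68 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 13 18:00:13.714: ISAKMP (0): received packet from x.x.x.68 dport 500 sport 500 Global (I) MM_NO_STATE
Feb 13 18:00:13.714: ISAKMP:(0):Notify has no hash. Rejected.
Feb 13 18:00:13.714: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1
Feb 13 18:00:23.642: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Feb 13 18:00:23.642: ISAKMP:(0): sending packet to x.x.x.68 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 13 18:00:23.710: ISAKMP:(0):Notify has no hash. Rejected.
Feb 13 18:00:23.710: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1
Feb 13 18:00:33.642: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
"""

SENT_RE = re.compile(r"sending packet to (\S+) my_port \d+ peer_port \d+ \(I\) (\S+)")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
ATTEMPT_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")


def analyse_ike_debug(text):
    """Summarise an IKEv1 Main Mode debug capture and say where phase 1 stalled."""
    s = {"peer": None, "last_state": None, "packets_sent": 0,
         "unhashed_notifies": 0, "retransmits": 0, "max_retransmits": None}
    for line in text.splitlines():
        if m := SENT_RE.search(line):
            s["peer"], s["packets_sent"] = m.group(1), s["packets_sent"] + 1
        if "Notify has no hash. Rejected." in line:
            s["unhashed_notifies"] += 1
        if m := ATTEMPT_RE.search(line):
            s["retransmits"], s["max_retransmits"] = int(m.group(1)), int(m.group(2))
        if m := STATE_RE.search(line):
            s["last_state"] = m.group(2)
    if s["last_state"] == "IKE_P1_COMPLETE":
        s["diagnosis"] = "Phase 1 completed."
    elif s["last_state"] == "IKE_I_MM1" and s["unhashed_notifies"]:
        # The initiator only ever sent MM1 and never received MM2; every reply was an
        # Informational notify without a hash, which IOS discards before phase 1 keys exist.
        s["diagnosis"] = ("Phase 1 stalled at IKE_I_MM1: no Main Mode reply from the peer, "
                          "only unauthenticated notifies. Compare the phase 1 proposal "
                          "(encryption, hash, DH group, lifetime, authentication) with the "
                          "peer and read the notify type from the peer's own log.")
    else:
        s["diagnosis"] = "Phase 1 did not complete; inspect the last state reached."
    return s
```

Feed it the full output of `debug crypto isakmp` from the router; the notify type itself is only visible on the responder, so the peer's log is where the mismatch is named.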

7 Replies

Gabriel Hill
Level 1

Hello Crystal,

Doesn't seem that the devices are getting past phase 1.

Could you specify the hash in the ISAKMP policies you're using? I believe it defaults to MD5, but I would go ahead and add that to your configuration (matching whatever the Watchguard is set for).

-Gabriel

Here is the policy. The watchguard has phase 1 set to SHA1-3DES.

bfccrtr#sh crypto isakmp policy

Global IKE policy

Protection suite of priority 1

        encryption algorithm:   Three key triple DES

        hash algorithm:         Secure Hash Standard

        authentication method:  Pre-Shared Key

        Diffie-Hellman group:   #2 (1024 bit)

        lifetime:               3600 seconds, no volume limit

This is why I'm so confused with this. It appears to me that everything is matched up. The watchguard has multiple other VPN tunnels configured on it, but none with a Cisco device on the other end, so I'm not getting much help from that vendor. Unfortunately, I'm not familiar with the watchguard device.

Hello Crystal,

Strange problem indeed. I still believe this is a phase 1 issue due to something being different between the two sides.

Please be sure to specify the hash in your configuration:

crypto isakmp policy 1

encr 3des

hash sha

authentication pre-share

group 2

lifetime 3600

Also are you sure that watchguard is using group 2?

Yes, I've specifically added the command 'hash sha' under the policy. I also have screen shots from the vendor that show that they are using key group 2.

The router at my end is a 1921 with the security license upgrade. Is there a possibility there is an issue with the firmware version on this router?

Hello Crystal,

There is a bug for the issue you are having but it was in the 12.2 code. I doubt that's what you're having.

I would reach out to the guy using the watchguard device and ask them to switch the hash to MD5. Make an ISAKMP policy with md5 and test again.

Ok, I think we've tried that already, but I've requested that he change it to MD5 so we can test that way. I will reply with the results as soon as I have them.

Ok, we've modified to MD5, and that's doing the exact same thing. Is there anything else I can check?
