Pre-Shared key for remote peer missing

Justin Westover
Level 1

I am having a strange problem. I am trying to establish a site-to-site VPN between two Cisco routers (2951s). I am using the config below on both routers. One router has an interface with a public IP assigned to it; the other uses a private IP and is NATed outbound by our ASA.

If I remove the tunnel protection ipsec profile command from the tunnel interface, the tunnel comes up with no problem and I can ping both ends of the tunnel. But as soon as I apply the tunnel protection on the tunnel interface, it dies. Both sides of the tunnel show up, but no pings get through, and I see in the debugs that for some reason the routers don't think the pre-shared keys are configured properly. I have gone as far as making the ISAKMP keys very simple, and I know there is something I'm missing here.

On the ASA I'm allowing ESP (protocol 50) and ISAKMP (UDP 500) in both directions (in and out of the firewall). I am also allowing UDP NAT-T (4500) just in case. I don't see anything on the firewall being blocked, but I can't be certain that isn't causing the problem. What could I be missing here?

*****Router Config*****

! IKEv1 phase 1 policy (same on both routers)
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 1800
! Pre-shared key for the peer, global VRF only (PUBLICIPHERE is a placeholder for the real address)
crypto isakmp key cisco123 address PUBLICIPHERE
!
! Phase 2 transform set; transport mode is what the GRE tunnel protection negotiates
crypto ipsec transform-set TRANSFORMSET_ASA_FFX esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile BACKUP_S2S
 description USED TO ENCRYPT TRAFFIC BETWEEN QCC AND FFX
 set transform-set TRANSFORMSET_ASA_FFX
!
! GRE tunnel carrying the site-to-site traffic, protected by the profile above
interface Tunnel0
 ip address 10.254.10.10 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination PUBLICIPHERE
 tunnel protection ipsec profile BACKUP_S2S

*****DEBUG OUTPUT*****

Mar 26 11:04:02: ISAKMP:(0): SA request profile is (NULL)
Mar 26 11:04:02: ISAKMP: Created a peer struct for PUBLICIPHERE, peer port 500
Mar 26 11:04:02: ISAKMP: New peer created peer = 0x181758AC peer_handle = 0x80000036
Mar 26 11:04:02: ISAKMP: Locking peer struct 0x181758AC, refcount 1 for isakmp_initiator
Mar 26 11:04:02: ISAKMP: local port 500, remote port 500
Mar 26 11:04:02: ISAKMP: set new node 0 to QM_IDLE
Mar 26 11:04:02: ISAKMP:(0):insert sa successfully sa = 19616798
Mar 26 11:04:02: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Mar 26 11:04:02: ISAKMP:(0):No pre-shared key with PUBLICIPHERE!
Mar 26 11:04:02: %CRYPTO-6-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at PUBLICIPHERE is missing
Mar 26 11:04:02: ISAKMP:(0): No Cert or pre-shared address key.
Mar 26 11:04:02: ISAKMP:(0): construct_initial_message: Can not start Main mode
Mar 26 11:04:02: ISAKMP: Unlocking peer struct 0x181758AC for isadb_unlock_peer_delete_sa(), count 0
Mar 26 11:04:02: ISAKMP: Deleting peer node by peer_reap for PUBLICIPHERE: 181758AC
Mar 26 11:04:02: ISAKMP:(0):purging SA., sa=19616798, delme=19616798
Mar 26 11:04:02: ISAKMP:(0):purging node -2065852085
Mar 26 11:04:02: ISAKMP: Error while processing SA request: Failed to initialize SA
Mar 26 11:04:02: ISAKMP: Error while processing KMI message 0, error 2

3 Replies

Justin Westover
Level 1

Oh, and one more thing I forgot to mention: the tunnel interface on the side using a private IP address is also in a VRF. The source and destination of the tunnel are also in a VRF, so the tunnel vrf command is issued on the tunnel.

interface Tunnel0
 ! IVRF: the VRF the tunnel's own traffic is routed in
 ip vrf forwarding COMCAST
 ip address 10.254.10.10 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination PUBLICIPHERE
 ! FVRF: the VRF the GRE/IPsec packets are sent from and received in
 tunnel vrf COMCAST
 tunnel protection ipsec profile BACKUP_S2S

So if I remove the tunnel vrf COMCAST command, I see the tunnel go into UP-IDLE, but I can't ping anything on the other side. Is there any special crypto configuration needed for VRF?

So I added this command, which seems to have fixed the initial problem, but I still can't ping between the two sides.

! Keyring bound to the FVRF, so IKE sourced from VRF COMCAST can find the key
crypto keyring COMCAST vrf COMCAST
  pre-shared-key address PUBLICIPHERE key cisco123
!

Mar 26 11:55:04: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.11.1.17:500, remote= PUBLICIPHERE:500,
    local_proxy= 10.11.1.17/255.255.255.255/47/0 (type=1),
    remote_proxy= PUBLICIPHERE/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Mar 26 11:55:04: ISAKMP: set new node 0 to QM_IDLE
Mar 26 11:55:04: SA has outstanding requests  (local 25.89.90.68 port 4500, remote 25.89.90.40 port 4500)
Mar 26 11:55:04: ISAKMP:(9006): sitting IDLE. Starting QM immediately (QM_IDLE      )
Mar 26 11:55:04: ISAKMP:(9006):beginning Quick Mode exchange, M-ID of -1654812753
Mar 26 11:55:04: ISAKMP:(9006):QM Initiator gets spi
Mar 26 11:55:04: crypto_engine: Generate IKE hash
Mar 26 11:55:04: crypto_engine: Encrypt IKE packet
Mar 26 11:55:04: ISAKMP:(9006): sending packet to PUBLICIPHERE my_port 4500 peer_port 4500 (I) QM_IDLE
Mar 26 11:55:04: ISAKMP:(9006):Sending an IKE IPv4 Packet.
Mar 26 11:55:04: ISAKMP:(9006):Node -1654812753, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Mar 26 11:55:04: ISAKMP:(9006):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Mar 26 11:55:04: ISAKMP (9006): received packet from PUBLICIPHERE dport 4500 sport 4500 COMCAST (I) QM_IDLE
Mar 26 11:55:04: ISAKMP: set new node 921804095 to QM_IDLE
Mar 26 11:55:04: crypto_engine: Decrypt IKE packet
Mar 26 11:55:04: crypto_engine: Generate IKE hash
Mar 26 11:55:04: ISAKMP:(9006): processing HASH payload. message ID = 921804095
Mar 26 11:55:04: ISAKMP:(9006): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 3017918981, message ID = 921804095, sa = 0x195958C0
Mar 26 11:55:04: ISAKMP:(9006): deleting spi 3017918981 message ID = -1654812753
Mar 26 11:55:04: ISAKMP:(9006):deleting node -1654812753 error TRUE reason "Delete Larval"
Mar 26 11:55:04: ISAKMP:(9006):deleting node 921804095 error FALSE reason "Informational (in) state 1"
Mar 26 11:55:04: ISAKMP:(9006):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Mar 26 11:55:04: ISAKMP:(9006):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

OK, so I actually figured it out myself, and it is up and working now. The first thing I was missing was the VRF-aware crypto key commands:

! Keyring bound to the FVRF; the global "crypto isakmp key" is not consulted for VRF-sourced IKE
crypto keyring COMCAST vrf COMCAST
  pre-shared-key address PUBLICIPHERE key cisco123

The second thing I was missing was to enable mode transport on the transform-set:

crypto ipsec transform-set TRANSFORMSET_ASA_FFX esp-3des esp-sha-hmac
 mode transport
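The following is an added example, not a configuration posted in the thread, that puts both fixes from the final reply together for the two ends of the tunnel: the keyring bound to VRF COMCAST on the NATed side, and mode transport on the transform set of both routers. Everything the thread does not state is an assumption and is marked as such in the comments: the public router's tunnel address 10.254.10.11, the interface names, the /24 mask on the COMCAST-side uplink, and the placeholder NATTEDPUBLICIP for the address the ASA translates the private router to. The pre-shared key and cipher suite are the thread's own, kept so the example lines up with the debugs above.

```cisco
!==== Router A: private uplink, NATed by the ASA, tunnel in VRF COMCAST ====
! VRF assumed to already exist, with the uplink in it (thread says source and
! destination of the tunnel are in a VRF)
ip vrf COMCAST
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 1800
!
! "tunnel vrf COMCAST" makes IKE and ESP originate in the COMCAST FVRF, so a
! global "crypto isakmp key" is never consulted. The key must live in a keyring
! bound to that VRF, which is the first fix from the thread.
crypto keyring COMCAST vrf COMCAST
  pre-shared-key address PUBLICIPHERE key cisco123
!
! Transport mode (second fix): the only IP header on the wire is the NATed one,
! so after decryption router B sees GRE from NATTEDPUBLICIP, which is what its
! "tunnel destination" expects. NAT-T carries the ESP inside UDP/4500.
crypto ipsec transform-set TRANSFORMSET_ASA_FFX esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile BACKUP_S2S
 description USED TO ENCRYPT TRAFFIC BETWEEN QCC AND FFX
 set transform-set TRANSFORMSET_ASA_FFX
!
! Uplink address 10.11.1.17 is from the debug output; the /24 mask is assumed
interface GigabitEthernet0/0
 ip vrf forwarding COMCAST
 ip address 10.11.1.17 255.255.255.0
!
interface Tunnel0
 ! IVRF: where the tunnel's own traffic is routed
 ip vrf forwarding COMCAST
 ip address 10.254.10.10 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination PUBLICIPHERE
 ! FVRF: where the GRE/IPsec packets are sent from and received in
 tunnel vrf COMCAST
 tunnel protection ipsec profile BACKUP_S2S
!
!==== Router B: PUBLICIPHERE on its uplink, global VRF, no NAT in front ====
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 1800
!
! Router A is only ever seen through the ASA, so both the key and the tunnel
! destination use its translated address (NATTEDPUBLICIP is an assumed placeholder)
crypto isakmp key cisco123 address NATTEDPUBLICIP
!
! Must match router A; a tunnel/transport mismatch is one of the things the
! responder reports as PROPOSAL_NOT_CHOSEN in Quick Mode
crypto ipsec transform-set TRANSFORMSET_ASA_FFX esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile BACKUP_S2S
 set transform-set TRANSFORMSET_ASA_FFX
!
interface Tunnel0
 ! 10.254.10.11 is an assumed address on the tunnel /24 from the thread
 ip address 10.254.10.11 255.255.255.0
 ! interface name assumed; it is whichever one holds PUBLICIPHERE
 tunnel source GigabitEthernet0/0
 tunnel destination NATTEDPUBLICIP
 tunnel protection ipsec profile BACKUP_S2S
```

To confirm the result, "show crypto isakmp sa" should show the peer in QM_IDLE, "show crypto ipsec sa" should show packet counters incrementing in both directions, and "show crypto session" should list the session as UP-ACTIVE rather than UP-IDLE. Two caveats a practitioner would add: the ASA still has to pass UDP/500, UDP/4500 and ESP as the OP already allows, and esp-3des with DH group 5 and a literal key like cisco123 are kept here only to match the thread; a new deployment would use AES (ideally GCM), a larger DH group and a randomly generated key.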