08-23-2019 06:09 AM - edited 02-21-2020 09:43 PM
Hi There
I am having an issue connecting our Cisco RV320 to a Cisco 4000 series router over an IPsec VPN.
Both sides have the following configs:
RV320
PHASE1 DH: Group 5
PHASE1 Encryption: AES-256
PHASE1 Auth: SHA1
PHASE1 SA Lifetime: 86400
PHASE2 DH: Group 2
PHASE2 Encryption: AES-256
PHASE2 Auth: SHA1
PHASE2 SA Lifetime: 28800
AH Hash Algorithm: SHA1
CISCO 4000 Series
crypto isakmp policy 4
encr aes 256
hash sha
authentication pre-share
group 5
lifetime 84600
crypto isakmp key ******************* address [BLOCKED]
crypto ipsec transform-set [BLOCKED] esp-aes 256 esp-sha-hmac
crypto map Gi1/0/2.1411 3 ipsec-isakmp
description [BLOCKED]
set peer [BLOCKED]
set security-association lifetime seconds 28800
set transform-set [BLOCKED]
set pfs group2
match address acl_[BLOCKED]
permit ip host [BLOCKED]
permit ip host [BLOCKED]
permit ip host [BLOCKED]
Unfortunately I DO NOT have access to the Cisco 4000 Series and am working through their engineer.
PHASE 1 seems to work but PHASE 2 bombs out. I am asking him to DEBUG so we can see what the exact error is.
08-26-2019 06:44 AM
Our Phase 1 establishes but our Phase 2 is showing the following error.
DEBUG from Cisco 4000 series
Aug 26 15:33:00: ISAKMP-ERROR: (13730):IPSec policy invalidated proposal with error 256
Aug 26 15:33:00: ISAKMP-ERROR: (13730):phase 2 SA policy not acceptable! (local *.*.*.* remote *.*.*.*)
Aug 26 15:33:00: ISAKMP-ERROR: (13730):deleting node 406028906 error TRUE reason "QM rejected"
08-27-2019 03:26 AM
This is what he just sent me:
Although it says "Diffie-Hellman group offered does not match policy", they are definitely both the same.
I am assuming it is "phase 2 SA policy not acceptable!"
se 2 SA policy not acceptable! (local *.*.*.* remote *.*.*.*)
.Aug 27 11:19:39: ISAKMP-ERROR: (14715):deleting node 422682112 error TRUE reason "QM rejected"
.Aug 27 11:19:55: ISAKMP-ERROR: (14715):IPSec policy invalidated proposal with error 256
.Aug 27 11:19:55: ISAKMP-ERROR: (14715):phase 2 SA policy not acceptable! (local *.*.*.* remote *.*.*.*)
.Aug 27 11:19:55: ISAKMP-ERROR: (14715):deleting node 2535162168 error TRUE reason "QM rejected"
.Aug 27 11:19:57: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
.Aug 27 11:19:57: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
.Aug 27 11:19:57: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
.Aug 27 11:19:57: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
.Aug 27 11:19:57: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
.Aug 27 11:19:57: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
.Aug 27 11:19:58: ISAKMP-ERROR: (14716):IPSec policy invalidated proposal with error 256
.Aug 27 11:19:58: ISAKMP-ERROR: (14716):phase 2 SA policy not acceptable! (local *.*.*.* remote *.*.*.*)
.Aug 27 11:19:58: ISAKMP-ERROR: (14716):deleting node 326629726 error TRUE reason "QM rejected"
.Aug 27 11:20:15: ISAKMP-ERROR: (14716):IPSec policy invalidated proposal with error 256
.Aug 27 11:20:15: ISAKMP-ERROR: (14716):phase 2 SA policy not acceptable! (local *.*.*.* remote *.*.*.*)
.Aug 27 11:20:15: ISAKMP-ERROR: (14716):deleting node 651367447 error TRUE reason "QM rejected"
.Aug 27 11:20:33: ISAKMP-ERROR: (14716):IPSec policy invalidated proposal with error 256
.Aug 27 11:20:33: ISAKMP-ERROR: (14716):phase 2 SA policy not acceptable! (local *.*.*.* remote *.*.*.*)
.Aug 27 11:20:33: ISAKMP-ERROR: (14716):deleting node 3302211429 error TRUE reason "QM rejected"
.Aug 27 11:20:51: ISAKMP-ERROR: (14716):IPSec policy invalidated proposal with error 256
.Aug 27 11:20:51: ISAKMP-ERROR: (14716):phase 2 SA policy not acceptable! (local *.*.*.* remote *.*.*.*)
.Aug 27 11:20:51: ISAKMP-ERROR: (14716):deleting node 2716808824 error TRUE reason "QM rejected"
.Aug 27 11:21:07: ISAKMP-ERROR: (14716):IPSec policy invalidated proposal with error 256
.Aug 27 11:21:07: ISAKMP-ERROR: (14716):phase 2 SA policy not acceptable! (local *.*.*.* remote *.*.*.*)
.Aug 27 11:21:07: ISAKMP-ERROR: (14716):deleting node 326629726 error TRUE reason "QM rejected"
.Aug 27 11:21:09: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
.Aug 27 11:21:09: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
.Aug 27 11:21:09: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
.Aug 27 11:21:09: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
.Aug 27 11:21:09: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
.Aug 27 11:21:09: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
.Aug 27 11:21:10: ISAKMP-ERROR: (14717):IPSec policy invalidated proposal with error 256
.Aug 27 11:21:10: ISAKMP-ERROR: (14717):phase 2 SA policy not acceptable! (local *.*.*.* remote *.*.*.*)
.Aug 27 11:21:10: ISAKMP-ERROR: (14717):deleting node 3755535469 error TRUE reason "QM rejected"
.Aug 27 11:21:27: ISAKMP-ERROR: (14717):IPSec policy invalidated proposal with error 256
.Aug 27 11:21:27: ISAKMP-ERROR: (14717):phase 2 SA policy not acceptable! (local *.*.*.* remote *.*.*.*)
.Aug 27 11:21:27: ISAKMP-ERROR: (14717):deleting node 427917793 error TRUE reason "QM rejected"
.Aug 27 11:21:45: ISAKMP-ERROR: (14717):IPSec policy invalidated proposal with error 256
.Aug 27 11:21:45: ISAKMP-ERROR: (14717):phase 2 SA policy not acceptable! (local *.*.*.* remote *.*.*.*)
.Aug 27 11:21:45: ISAKMP-ERROR: (14717):deleting node 2330581816 error TRUE reason "QM rejected"
.Aug 27 11:21:54: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.66.28.65:1812,1813 is not responding.
.Aug 27 11:21:54: %RADIUS-3-ALLDEADSERVER: Group radius: No active radius servers found. Id 83.
Config he sent me below:
crypto isakmp policy 4
encr aes 256
hash sha
authentication pre-share
group 5
lifetime 84600
crypto isakmp key ******************* address *.*.*.*
crypto ipsec transform-set <NAME> ah-sha-hmac esp-aes 256 esp-sha-hmac
crypto map Gi1/0/2.1411 3 ipsec-isakmp
description <NAME>
set peer *.*.*.*
set security-association lifetime seconds 28800
set transform-set <NAME TRANSFORM-SET>
set pfs group2
match address acl_<NAME>
permit ip host *.*.*.* *.*.*.* 0.0.0.1
permit ip host *.*.*.* *.*.*.* 0.0.0.7
permit ip host *.*.*.* *.*.*.* 0.0.0.7
permit ip host *.*.*.* *.*.*.* 0.0.0.7
09-10-2019 11:41 PM
FINALLY got some more detailed logs!
We added [OUR PUBLIC IP] to their ACL for testing purposes and I am currently receiving the error below:
map_db_find_best did not find matching map on PHASE2
Sep 5 16:56:09: ISAKMP: (15455): SA life type in seconds
Sep 5 16:56:09: ISAKMP: (15455): SA life duration (basic) of 28800
Sep 5 16:56:09: ISAKMP: (15455): authenticator is HMAC-SHA
Sep 5 16:56:09: ISAKMP: (15455):atts are acceptable.
Sep 5 16:56:09: ISAKMP: (15455):Checking IPSec proposal 0
Sep 5 16:56:09: ISAKMP: (15455):transform 0, ESP_AES
Sep 5 16:56:09: ISAKMP: (15455): attributes in transform:
Sep 5 16:56:09: ISAKMP: (15455): group is 2
Sep 5 16:56:09: ISAKMP: (15455): encaps is 1 (Tunnel)
Sep 5 16:56:09: ISAKMP: (15455): SA life type in seconds
Sep 5 16:56:09: ISAKMP: (15455): SA life duration (basic) of 28800
Sep 5 16:56:09: ISAKMP: (15455): authenticator is HMAC-SHA
Sep 5 16:56:09: ISAKMP: (15455): key length is 256
Sep 5 16:56:09: ISAKMP: (15455):atts are acceptable.
Sep 5 16:56:09: IPSEC(validate_proposal_request): proposal part #1
Sep 5 16:56:09: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= x.x.x.x:0[THEIR PUBLIC IP], remote= x.x.x.x:0[OUR PUBLIC IP],
local_proxy= [THEIR PUBLIC IP]/255.255.255.255/256/0,
remote_proxy= [OUR PUBLIC IP]/255.255.255.255/256/0,
protocol= AH, transform= ah-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Sep 5 16:56:09: IPSEC(validate_proposal_request): proposal part #2
Sep 5 16:56:09: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= [THEIR PUBLIC IP]:0, remote= [OUR PUBLIC IP]:0,
local_proxy= [THEIR PUBLIC IP]/255.255.255.255/256/0,
remote_proxy= [OUR PUBLIC IP]/255.255.255.255/256/0,
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Sep 5 16:56:09: map_db_find_best did not find matching map
Sep 5 16:56:09: Crypto mapdb : proxy_match
src addr : [THEIR PUBLIC IP]
dst addr : [OUR PUBLIC IP]
protocol : 0
src port : 0
dst port : 0
Sep 5 16:56:09: Crypto mapdb : proxy_match
src addr : [THEIR PUBLIC IP]
dst addr : [OUR PUBLIC IP]
protocol : 0
src port : 0
dst port : 0
Sep 5 16:56:09: map_db_find_best did not find matching map
Sep 5 16:56:09: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{ah-sha-hmac esp-aes 256 esp-sha-hmac }
Sep 5 16:56:09: ISAKMP-ERROR: (15455):IPSec policy invalidated proposal with error 256
Sep 5 16:56:09: ISAKMP-ERROR: (15455):phase 2 SA policy not acceptable! (local [THEIR PUBLIC IP] remote [OUR PUBLIC IP])
Sep 5 16:56:09: ISAKMP: (15455):set new node 3264005282 to QM_IDLE
Sep 5 16:56:09: ISAKMP: (15455):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 2
spi 140143385793816, message ID = 3264005282
Sep 5 16:56:09: ISAKMP-PAK: (15455):sending packet to [OUR PUBLIC IP] my_port 500 peer_port 500 (R) QM_IDLE
Sep 5 16:56:09: ISAKMP: (15455):Sending an IKE IPv4 Packet.
Sep 5 16:56:09: ISAKMP: (15455):purging node 3264005282
Sep 5 16:56:09: ISAKMP-ERROR: (15455):deleting node 3079088992 error TRUE reason "QM rejected"
Sep 5 16:56:09: ISAKMP: (15455):Node 3079088992, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Sep 5 16:56:09: ISAKMP: (15455):Old State = IKE_QM_READY New State = IKE_QM_READY
Sep 5 16:56:15: ISAKMP: (15454):purging SA., sa=7F75B0129160, delme=7F75B0129160
Sep 5 16:56:19: ISAKMP-PAK: (15455):received packet from [OUR PUBLIC IP] dport 500 sport 500 Global (R) QM_IDLE
Sep 5 16:56:19: ISAKMP: (15455):phase 2 packet is a duplicate of a previous packet.
Sep 5 16:56:19: ISAKMP: (15455):retransmitting due to retransmit phase 2
Sep 5 16:56:19: ISAKMP: (15455):Quick Mode is being processed. Ignoring retransmission
Sep 5 16:56:21: ISAKMP-PAK: (15455):received packet from [OUR PUBLIC IP] dport 500 sport 500 Global (R) QM_IDLE
Sep 5 16:56:21: ISAKMP: (15455):phase 2 packet is a duplicate of a previous packet.
Sep 5 16:56:21: ISAKMP: (15455):retransmitting due to retransmit phase 2
Sep 5 16:56:21: ISAKMP: (15455):Quick Mode is being processed. Ignoring retransmission
09-11-2019 12:22 PM
AH is still in use on one side.
protocol= AH, transform= ah-sha-hmac (Tunnel),
Don't use AH; it only authenticates the header, whereas ESP encrypts the entire packet.
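The "validate_proposal_request" debug above carries everything needed to pin down a Quick Mode rejection from the responder's side: what the peer proposed (the AH and ESP transforms, and the proxy identities, here the two public /32s with protocol 256 meaning "any") versus what the crypto map will accept (its transform-set and the crypto ACL). The following script, an added example that is not code from this thread or from Cisco, parses those debug lines and an IOS config and reports the two mismatches that produce "phase 2 SA policy not acceptable" and "map_db_find_best did not find matching map". The log text, addresses, names and both configs are constructed; the rule that an identity equal to or narrower than an ACL line matches is an assumption, since the exact IOS semantics vary by release.

```python
"""Check an IOS IKEv1 Quick Mode rejection against the responder's crypto config.
Added example, not from the thread or from Cisco; all sample data is constructed."""
import re
from ipaddress import ip_address, ip_network

PROXY_RE = re.compile(r"(local|remote)_proxy=\s*([\d.]+)/([\d.]+)/(\d+)/(\d+)")
TRANSFORM_RE = re.compile(r"protocol=\s*(AH|ESP),\s*transform=\s*([^(\n]+)\(")
TS_RE = re.compile(r"^crypto ipsec transform-set\s+(\S+)\s+(.+)$", re.M)
MAP_TS_RE = re.compile(r"^\s*set transform-set\s+(\S+)", re.M)
ACL_RE = re.compile(r"^\s*permit ip\s+(.+)$", re.M)

# Constructed debug, modelled on the thread: peer proposes AH+ESP between two public /32s.
SAMPLE_DEBUG = """\
Sep 5 16:56:09: IPSEC(validate_proposal_request): proposal part #1,
    local_proxy= 198.51.100.10/255.255.255.255/256/0,
    remote_proxy= 203.0.113.20/255.255.255.255/256/0,
    protocol= AH, transform= ah-sha-hmac (Tunnel),
Sep 5 16:56:09: IPSEC(validate_proposal_request): proposal part #2,
    local_proxy= 198.51.100.10/255.255.255.255/256/0,
    remote_proxy= 203.0.113.20/255.255.255.255/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
Sep 5 16:56:09: map_db_find_best did not find matching map
"""
# Constructed config: transform-set matches the proposal, but the ACL is for private hosts.
SAMPLE_CONFIG = """\
crypto ipsec transform-set TS-EXAMPLE ah-sha-hmac esp-aes 256 esp-sha-hmac
crypto map CM-EXAMPLE 3 ipsec-isakmp
 set transform-set TS-EXAMPLE
 match address acl_EXAMPLE
ip access-list extended acl_EXAMPLE
 permit ip host 10.10.10.1 10.20.20.0 0.0.0.7
"""
# Constructed config: ESP only and an ACL that covers the proxies; AH must now go on the peer too.
FIXED_CONFIG = """\
crypto ipsec transform-set TS-EXAMPLE esp-aes 256 esp-sha-hmac
crypto map CM-EXAMPLE 3 ipsec-isakmp
 set transform-set TS-EXAMPLE
 match address acl_EXAMPLE
ip access-list extended acl_EXAMPLE
 permit ip host 198.51.100.10 host 203.0.113.20
"""


def split_transforms(spec):
    """'esp-aes 256 esp-sha-hmac' -> ['esp-aes 256', 'esp-sha-hmac'] (key length stays attached)."""
    out = []
    for tok in spec.split():
        if tok.isdigit() and out:
            out[-1] += " " + tok
        else:
            out.append(tok)
    return out


def parse_proposal(debug_text):
    """Peer's proposal as the responder logged it: proxy identities and per-protocol transforms."""
    proxies = {}
    for side, addr, mask, proto, port in PROXY_RE.findall(debug_text):
        # mask is a netmask in the debug; protocol 256 is how IOS encodes "any" (ip)
        proxies[side] = (ip_network(f"{addr}/{mask}", strict=False), int(proto), int(port))
    transforms = {p: set(split_transforms(spec)) for p, spec in TRANSFORM_RE.findall(debug_text)}
    return {"proxies": proxies, "transforms": transforms}


def wildcard_to_prefixlen(wildcard):
    """IOS ACL wildcard (inverse) mask -> prefix length; 0.0.0.0 is a /32, 255.255.255.255 a /0."""
    bits = int(ip_address(wildcard))
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported")
    return 32 - bits.bit_length()


def _take_addr(tokens):
    tok = tokens.pop(0)
    if tok == "any":
        return ip_network("0.0.0.0/0")
    if tok == "host":
        return ip_network(tokens.pop(0) + "/32")
    return ip_network(f"{tok}/{wildcard_to_prefixlen(tokens.pop(0))}", strict=False)


def parse_config(config_text):
    """Transform-sets grouped by AH/ESP, the set the crypto map uses, and the ACL as (src, dst)."""
    transform_sets = {}
    for name, spec in TS_RE.findall(config_text):
        by_proto = transform_sets.setdefault(name, {})
        for t in split_transforms(spec):
            by_proto.setdefault(t.split("-", 1)[0].upper(), set()).add(t)
    m = MAP_TS_RE.search(config_text)
    acl = []
    for rest in ACL_RE.findall(config_text):  # only 'permit ip' lines are modelled
        tokens = rest.split()
        acl.append((_take_addr(tokens), _take_addr(tokens)))
    return {"transform_sets": transform_sets, "map_transform_set": m.group(1) if m else None, "acl": acl}


def analyze(debug_text, config_text):
    """Return {'transform_ok', 'proxy_ok', 'findings'} for one rejected Quick Mode exchange."""
    prop, cfg = parse_proposal(debug_text), parse_config(config_text)
    findings = []
    ts_name = cfg["map_transform_set"]
    configured = cfg["transform_sets"].get(ts_name, {})
    for proto in sorted(set(prop["transforms"]) | set(configured)):
        offered, have = prop["transforms"].get(proto, set()), configured.get(proto, set())
        if offered != have:
            findings.append(f"{proto}: peer proposes {sorted(offered) or 'nothing'}, "
                            f"transform-set {ts_name} has {sorted(have) or 'nothing'}")
    transform_ok = not findings
    # The responder's ACL is written from its own side: src covers local_proxy, dst covers
    # remote_proxy.  Assumption: an identity equal to or narrower than an ACL line matches.
    local_net, remote_net = prop["proxies"]["local"][0], prop["proxies"]["remote"][0]
    proxy_ok = any(local_net.subnet_of(s) and remote_net.subnet_of(d) for s, d in cfg["acl"])
    if not proxy_ok:
        findings.append(f"no crypto-ACL line covers {local_net} -> {remote_net}; "
                        "the peer is proposing its public /32s, not the ACL's networks")
    return {"transform_ok": transform_ok, "proxy_ok": proxy_ok, "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("as in the thread", SAMPLE_CONFIG), ("ESP-only responder", FIXED_CONFIG)):
        print(label, analyze(SAMPLE_DEBUG, cfg))
```

Run against the first config the only finding is the proxy mismatch, which is the thread's situation once the transform-sets agree: the RV320 is negotiating its public /32 against the 4000's public /32 while the crypto ACL names private hosts, so the proposal has to match what the ACL actually permits (or the ACL has to carry that host pair). Against the ESP-only config the proxy check passes but the AH transform now has no counterpart, which is the reminder that dropping AH has to happen on both peers in the same change window, not just on the responder.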