4421 Views | 0 Helpful | 5 Replies

SA520 esp-3des esp-md5-hmac

thomas.neil
Level 1

We need to create a site-to-site VPN with a very large customer. They provided the following list of pre-requisites on our side (they will only use pre-defined configurations)

•PSK for Internet Security Association and Key Management Protocol (ISAKMP)/IKE

•3DES Encryption for ISAKMP/IKE

•MD5 Encryption for IPSec

•3DES Encryption for IPSec

I am new to VPNs and we don't have a large budget for this project (since it is only a test and will never enter production). Using their list of pre-requisites I purchased an SA520-K9. Unfortunately they have since informed us their IPSec requirements are actually:

• ESP-3DES for encryption and data integrity

• a hash algorithm of ESP-MD5 for data integrity

Looking at their configuration file (which they sent us) it appears they are using esp-3des esp-md5-hmac.

I have configured the SA520 according to their initial specification and I get past Phase 1 ok, but get an error on Phase 2 (items in Bold obviously sanitised):

2011-06-14 10:59:34: INFO:  accept a request to establish IKE-SA: xxx.xxx.xxx.xxx

2011-06-14 10:59:34: INFO:  Configuration found for xxx.xxx.xxx.xxx.

2011-06-14 10:59:34: INFO:  Initiating new phase 2 negotiation: xxx.xxx.xxx.xxx[500]<=>xxx.xxx.xxx.xxx[0]

2011-06-14 10:59:34: INFO:  Adjusting encryption mode to use UDP encapsulation

2011-06-14 11:00:34: ERROR:  Phase 2 negotiation failed due to time up. <16digitHexNumber>:<25digitHexNumber>

2011-06-14 11:00:34: INFO:  an undead schedule has been deleted: 'quick_i1prep'.

My questions are:

- can the SA520-K9 support this configuration?

- if so, how do I configure it?

- does anyone have a view on whether the requirement of esp-3des esp-md5-hmac is what is causing the problem?

- if I need a different device, can anyone recommend an affordable Cisco device?

Thanks in advance.
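As an added troubleshooting aid (this is not part of the original thread and not the poster's code): a small Python script that reads log lines in the shape of the SA520 VPN log above, records which IKE phase was reached, and prints the checks to do next. The two log samples inside it are constructed copies of the formats seen in this thread, using documentation addresses; the rule that reaching "Initiating new phase 2 negotiation" means phase 1 completed is an assumption and is marked as such in the code.

```python
import re
from dataclasses import dataclass, field

# Constructed log samples in the shape of the SA520 VPN log quoted in the question.
# Addresses are documentation ranges, not the poster's real peers.
TIMEOUT_LOG = """\
2011-06-14 10:59:34: INFO:  accept a request to establish IKE-SA: 203.0.113.10
2011-06-14 10:59:34: INFO:  Configuration found for 203.0.113.10.
2011-06-14 10:59:34: INFO:  Initiating new phase 2 negotiation: 198.51.100.5[500]<=>203.0.113.10[0]
2011-06-14 10:59:34: INFO:  Adjusting encryption mode to use UDP encapsulation
2011-06-14 11:00:34: ERROR:  Phase 2 negotiation failed due to time up. 0011223344556677:00112233445566778899aabbc
2011-06-14 11:00:34: INFO:  an undead schedule has been deleted: 'quick_i1prep'.
"""

# Same shape as the post-upgrade log, with the [Cisco] [IKE] tags and an unset clock.
NOTIFY_LOG = """\
2000-01-01 00:39:16: [Cisco] [IKE] INFO:  Using IPsec SA configuration: anonymous
2000-01-01 00:39:16: [Cisco] [IKE] INFO:  Configuration found for 203.0.113.10.
2000-01-01 00:39:16: [Cisco] [IKE] INFO:  Initiating new phase 2 negotiation: 198.51.100.5[0]<=>203.0.113.10[0]
2000-01-01 00:39:16: [Cisco] [IKE] INFO:  Adjusting encryption mode to use UDP encapsulation
2000-01-01 00:39:16: [Cisco] [IKE] ERROR:  Unknown notify message from 203.0.113.10[4500].No phase2 handle found.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): "
    r"(?:\[[^\]]+\] )*"                     # optional tags such as "[Cisco] [IKE] "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Triage:
    phase1_ok: bool = False
    phase2_started: bool = False
    phase2_failed: bool = False
    nat_t: bool = False          # "UDP encapsulation" means NAT-T (UDP 4500) was selected
    clock_unset: bool = False    # 2000-01-01 timestamps: the device clock was never set
    peers: set = field(default_factory=set)
    errors: list = field(default_factory=list)


def triage_log(text: str) -> Triage:
    """Walk the log once and record which IKE stage was reached and how it failed."""
    t = Triage()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        t.peers.update(IPV4_RE.findall(msg))
        if m["ts"].startswith("2000-01-01"):
            t.clock_unset = True
        if "Initiating new phase 2 negotiation" in msg:
            # Assumption: this log style starts quick mode only once an IKE-SA
            # exists, so reaching phase 2 is taken as evidence that phase 1 completed.
            t.phase1_ok = True
            t.phase2_started = True
        if "ISAKMP-SA established" in msg:
            t.phase1_ok = True
        if "UDP encapsulation" in msg:
            t.nat_t = True
        if m["level"] == "ERROR":
            t.errors.append(msg)
            if "Phase 2 negotiation failed" in msg or "No phase2 handle found" in msg:
                t.phase2_failed = True
    return t


def verdict(t: Triage) -> str:
    """Turn the triage flags into the checks a practitioner would do next."""
    if not t.phase1_ok:
        return "phase 1 never completed: check the pre-shared key, IKE encryption/hash/DH group and peer address"
    if not t.phase2_failed:
        return "phase 1 completed and no phase 2 error was logged"
    hints = [
        "phase 1 completed; phase 2 (quick mode) failed, so the pre-shared key and IKE policy matched and the IPsec side differs:",
        "- compare the IPsec proposal on both ends (encryption + integrity, e.g. esp-3des esp-md5-hmac), PFS/DH group and SA lifetime",
        "- compare the traffic selectors (crypto ACL on the router vs local/remote networks on the SA520); they must mirror each other",
    ]
    if any("No phase2 handle found" in e for e in t.errors):
        hints.append("- the peer sent a notification for which no local quick-mode state exists: its own debug output "
                     "(debug crypto isakmp / debug crypto ipsec) will say why it rejected or dropped the exchange")
    if t.nat_t:
        hints.append("- NAT-T is in use: UDP 4500 must pass end to end and the peer must allow NAT traversal")
    if t.clock_unset:
        hints.append("- the device clock is unset, so match events to the peer's debugs by sequence, not by timestamp")
    return "\n".join(hints)


if __name__ == "__main__":
    for sample in (TIMEOUT_LOG, NOTIFY_LOG):
        print(verdict(triage_log(sample)), end="\n\n")
```

Paste the real log into `triage_log` to get the same verdict for your own output; the point of the script is that a phase 2 timeout after a clean phase 1 narrows the search to the IPsec proposal and the traffic selectors, not to the pre-shared key.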

5 Replies

thomas.neil
Level 1

I have upgraded the firmware on the SA520 (now 2.1.18), deleted and rebuilt the IKE and VPN policies. I now get the following in the VPN log:

2000-01-01 00:39:16: [Cisco] [IKE] INFO:  Using IPsec SA configuration: anonymous

2000-01-01 00:39:16: [Cisco] [IKE] INFO:  Configuration found for xxx.xxx.xxx.xxx.

2000-01-01 00:39:16: [Cisco] [IKE] INFO:  Initiating new phase 2 negotiation: yyy.yyy.yyy.yyy[0]<=>xxx.xxx.xxx.xxx[0]

2000-01-01 00:39:16: [Cisco] [IKE] INFO:  Adjusting encryption mode to use UDP encapsulation

2000-01-01 00:39:16: [Cisco] [IKE] ERROR:  Unknown notify message from xxx.xxx.xxx.xxx[4500].No phase2 handle found.

I could really use some help, I have been struggling with this on and off for a couple of weeks.

Can you post configs please?

@fgasimzade

I am not quite sure which configs you are looking for (as I say, I am a bit new to VPNs). I have included the SA520.txt from a backup of the device (with some sanitising) and also the config our customer sent us, i.e. how they have configured their end on a Cisco 7206 VXR.

Cheers

Hope this helps.

Hi neil,

Posting this question in the Small Business community might give you better responses since the SA 520 is a small business product.

At the same time, there seems to be some incompatibility here, either in the config or in the operation. Could you get the output of debug cry isa and debug cry ipsec from the 7206 router?

Regards,

Prapanch

Hi Thomas,

Maybe I can answer this question.

Firstly, your router should support VPN connectivity.

Secondly, check the sample config below and do accordingly.

1. Create the transform set (the name, mumscm here, is your choice, but it must be the same name used in step 4):

crypto ipsec transform-set mumscm esp-3des esp-md5-hmac

2. Create a policy for the VPN as below:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800

3. Create the pre-shared key for the far end's public IP (xxx.xxx.xxx.xxx = public IP of the far-end router):

crypto isakmp key lagosho address xxx.xxx.xxx.xxx no-xauth

4. Create the IPsec crypto map (the name, mumscm_map here, is your choice):

crypto map mumscm_map 1 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set mumscm
 match address 103

5. Create the access-list that the crypto map matches (the local network and wildcard mask of your router first, then the far-end router's local network and wildcard mask):

access-list 103 permit ip xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

6. Apply the crypto map to the interface facing the far end (the map does nothing until it is bound to an interface):

interface <outside interface>
 crypto map mumscm_map

Now the VPN connectivity for site to site is ready. Reply if you face any issues.

Thanks,

Jeevan.
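Added example, not from Jeevan's reply and not Cisco documentation: a Python checker that parses an IOS fragment of the shape shown in the steps above and compares it against what the SA520 side would be set to, listing the phase 1 and phase 2 differences (algorithms, PFS, mirrored traffic selectors) that most often leave quick mode hanging the way the question describes. The IOS fragment, the SA520 settings dict and the names TS_NAME / MAP_NAME are constructed placeholders, and the SA520 dict is my assumption of how its GUI fields map onto IOS terms.

```python
import ipaddress

# Constructed IOS fragment in the shape of the steps in the reply above; the
# transform-set / crypto map names and every address are placeholders.
IOS_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto ipsec transform-set TS_NAME esp-3des esp-md5-hmac
crypto map MAP_NAME 1 ipsec-isakmp
 set peer 198.51.100.5
 set transform-set TS_NAME
 match address 103
access-list 103 permit ip 10.20.0.0 0.0.255.255 192.168.1.0 0.0.0.255
"""

# Constructed description of the matching settings on the SA520 side (assumed mapping
# of its GUI fields). Note the networks are mirrored relative to the router's ACL.
SA520_POLICY = {
    "ike": {"encryption": "3des", "hash": "md5", "auth": "pre-share", "group": 2, "lifetime": 28800},
    "ipsec": {"encryption": "3des", "integrity": "md5", "pfs_group": None,
              "local": "192.168.1.0/24", "remote": "10.20.0.0/16"},
}

# IOS transform keywords -> neutral algorithm names used in the comparison.
TRANSFORMS = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes-128",
              "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}
ENCRYPTION = {"des", "3des", "aes-128"}
INTEGRITY = {"md5", "sha1"}
IKE_KEYS = {"encr": "encryption", "hash": "hash", "authentication": "auth",
            "group": "group", "lifetime": "lifetime"}


def parse_ios(text: str) -> dict:
    """Reduce the crypto part of an IOS config to {'ike': ..., 'ipsec': ...}."""
    ike, ipsec, transform_sets, acls, block = {}, {}, {}, {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        line = " ".join(words)
        if line.startswith("crypto isakmp policy"):
            block = "ike"
        elif line.startswith("crypto ipsec transform-set"):
            transform_sets[words[3]] = [TRANSFORMS.get(w, w) for w in words[4:]]
            block = None
        elif line.startswith("crypto map"):
            block = "map"
        elif line.startswith("access-list"):
            # access-list <n> permit ip <src> <wildcard> <dst> <wildcard>
            acls.setdefault(words[1], []).append(tuple(words[4:8]))
        elif block == "ike" and words[0] in IKE_KEYS:
            ike[IKE_KEYS[words[0]]] = int(words[1]) if words[1].isdigit() else words[1]
        elif block == "map":
            if words[:2] == ["set", "transform-set"]:
                ipsec["transform_set"] = words[2]
            elif words[:2] == ["set", "pfs"]:
                ipsec["pfs_group"] = int(words[2].replace("group", ""))
            elif words[:2] == ["match", "address"]:
                ipsec["acl"] = words[2]
    algs = transform_sets.get(ipsec.get("transform_set"), [])
    ipsec["encryption"] = next((a for a in algs if a in ENCRYPTION), None)
    ipsec["integrity"] = next((a for a in algs if a in INTEGRITY), None)
    src, src_wild, dst, dst_wild = acls[ipsec["acl"]][0]
    # ipaddress accepts IOS wildcard (host) masks directly: 10.20.0.0/0.0.255.255 -> 10.20.0.0/16
    ipsec["local"] = ipaddress.ip_network(f"{src}/{src_wild}")
    ipsec["remote"] = ipaddress.ip_network(f"{dst}/{dst_wild}")
    return {"ike": ike, "ipsec": ipsec}


def compare(router: dict, sa520: dict) -> list:
    """List every difference that would stop phase 1 or phase 2 from completing."""
    problems = []
    for k in ("encryption", "hash", "auth", "group"):
        if router["ike"].get(k) != sa520["ike"].get(k):
            problems.append(f"phase 1 {k}: router={router['ike'].get(k)} sa520={sa520['ike'].get(k)}")
    for k in ("encryption", "integrity", "pfs_group"):
        if router["ipsec"].get(k) != sa520["ipsec"].get(k):
            problems.append(f"phase 2 {k}: router={router['ipsec'].get(k)} sa520={sa520['ipsec'].get(k)}")
    # Traffic selectors must mirror each other: the router's "local" is the SA520's "remote".
    if router["ipsec"]["local"] != ipaddress.ip_network(sa520["ipsec"]["remote"]):
        problems.append(f"phase 2 selector: router local {router['ipsec']['local']} != sa520 remote {sa520['ipsec']['remote']}")
    if router["ipsec"]["remote"] != ipaddress.ip_network(sa520["ipsec"]["local"]):
        problems.append(f"phase 2 selector: router remote {router['ipsec']['remote']} != sa520 local {sa520['ipsec']['local']}")
    return problems


if __name__ == "__main__":
    for p in compare(parse_ios(IOS_CONFIG), SA520_POLICY) or ["no mismatches found"]:
        print(p)
```

Feed it the customer's 7206 config and a dict of your SA520 settings: an empty list means the algorithms, PFS setting and selectors agree, and anything it prints is a concrete difference to fix on one side before looking elsewhere. PFS is the usual trap, because `set pfs` is absent from the steps above, so the SA520 policy must have PFS switched off too.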
