03-26-2005 10:32 PM - edited 02-21-2020 01:41 PM
Hi--
Trying to get a PIX and a 2621 (IOS 12.3(12)) connected via a site-to-site VPN.
here are some of the debug messages:
Mar 26 22:14:55.871: ISAKMP (0:38): Old State = IKE_I_MM1 New State = IKE_DEST_SA
Mar 26 22:14:55.955: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= xxx.xxx.xxx.xxx, remote= xxx.xxx.xxx.xxx,
local_proxy= 10.0.0.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xD3C88362(3553133410), conn_id= 0, keysize= 0, flags= 0x400A
Mar 26 22:14:55.959: ISAKMP: received ke message (1/1)
Mar 26 22:14:55.959: ISAKMP (0:0): SA request profile is (NULL)
Mar 26 22:14:55.959: ISAKMP: local port 500, remote port 500
Mar 26 22:14:55.959: ISAKMP: set new node 0 to QM_IDLE
Mar 26 22:14:55.959: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 832B0E80
Mar 26 22:14:55.959: ISAKMP (0:39): Can not start Aggressive mode, trying Main mode.
Mar 26 22:14:55.959: ISAKMP: Looking for a matching key for xxx.xxx.xxx.xxx in default : success
Mar 26 22:14:55.963: ISAKMP (0:39): found peer pre-shared key matching 219.146.59.201
Mar 26 22:14:55.963: ISAKMP (0:39): constructed NAT-T vendor-07 ID
Mar 26 22:14:55.963: ISAKMP (0:39): constructed NAT-T vendor-03 ID
Mar 26 22:14:55.963: ISAKMP (0:39): constructed NAT-T vendor-02 ID
Mar 26 22:14:55.963: ISAKMP (0:39): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 26 22:14:55.963: ISAKMP (0:39): Old State = IKE_READY New State = IKE_I_MM1
Mar 26 22:14:55.963: ISAKMP (0:39): beginning Main Mode exchange
Mar 26 22:14:55.963: ISAKMP (0:39): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 26 22:14:56.819: ISAKMP (0:39): received packet from xxx.xxx.xxx.xxx dport 500 sport 500 Global (I) MM_NO_STATE
Mar 26 22:14:56.819: ISAKMP (0:39): Notify has no hash. Rejected.
Mar 26 22:14:56.823: ISAKMP (0:39): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
Mar 26 22:14:56.823: ISAKMP (0:39): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Mar 26 22:14:56.823: ISAKMP (0:39): Old State = IKE_I_MM1 New State = IKE_I_MM1
Mar 26 22:14:56.823: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at xxx.xxx.xxx.xxx
any ideas?
thx!
03-27-2005 12:36 AM
Double check that both ends are using the same IPSec encryption settings (e.g. 3DES=MD5).
If you could just post the crypto and isakmp lines from both configs it would be helpful.
03-28-2005 11:16 PM
Hi-- thanks for the help
from the router:
crypto isakmp policy 11
hash md5
authentication pre-share
crypto isakmp key yadayadal0808 address xxx.xxx.xxx.xxx
!
crypto ipsec transform-set blahblah10808 esp-3des esp-md5-hmac
!
crypto map nahnah0808 11 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set transform-set blahblah10808
match address 120
From the PIX:
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer xxx.xxx.xxx.xxx
crypto map outside_map 30 set transform-set ESP-3DES-MD5
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption aes-256
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption aes-256
isakmp policy 60 hash sha
isakmp policy 60 group 5
isakmp policy 60 lifetime 86400
isakmp policy 80 authentication pre-share
isakmp policy 80 encryption 3des
isakmp policy 80 hash md5
isakmp policy 80 group 2
isakmp policy 80 lifetime 86400
03-29-2005 12:35 AM
Hi,
Configs seem ok, only thing missing is group 2 under the router's "crypto isakmp policy 11" to match the PIX's "isakmp policy 80". Note that, in IOS, the default group is 1.
Please let us know if that helped
Regards,
Mustafa
03-30-2005 02:15 PM
hi-- no luck, same results. debug below. I added the group 2 under the crypto isakmp policy 11 on the router to match the pix policy.
(identity) local= x.x.x.x, remote= x.x.x.x,
local_proxy= 10.0.0.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4)
Mar 30 13:59:44.682: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= x.x.x.x, remote= x.x.x.x,
local_proxy= 10.0.0.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xB4D680C7(3033956551), conn_id= 0, keysize= 0, flags= 0x400A
Mar 30 13:59:44.682: ISAKMP: received ke message (1/1)
Mar 30 13:59:44.686: ISAKMP: set new node 0 to QM_IDLE
Mar 30 13:59:44.686: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local x.x.x.x, remote x.x.x.x)
Mar 30 14:00:14.682: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= x.x.x.x, remote= x.x.x.x,
local_proxy= 10.0.0.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4)
Mar 30 14:00:14.682: ISAKMP: received ke message (3/1)
Mar 30 14:00:14.682: ISAKMP (0:1): peer does not do paranoid keepalives.
Mar 30 14:00:14.682: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer x.x.x.x) input queue 0
Mar 30 14:00:14.682: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer x.x.x.x) input queue 0
Mar 30 14:00:14.686: ISAKMP (0:1): deleting node 1755557025 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
Mar 30 14:00:14.686: ISAKMP (0:1): deleting node 1298562963 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
Mar 30 14:00:14.686: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar 30 14:00:14.686: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_DEST_SA
Mar 30 14:00:15.214: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= x.x.x.x, remote= x.x.x.x,
local_proxy= 10.0.0.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xB57E82D2(3044967122), conn_id= 0, keysize= 0, flags= 0x400A
Mar 30 14:00:15.214: ISAKMP: received ke message (1/1)
Mar 30 14:00:15.214: ISAKMP (0:0): SA request profile is (NULL)
Mar 30 14:00:15.218: ISAKMP: local port 500, remote port 500
Mar 30 14:00:15.218: ISAKMP: set new node 0 to QM_IDLE
Mar 30 14:00:15.218: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 832B0E08
Mar 30 14:00:15.218: ISAKMP (0:2): Can not start Aggressive mode, trying Main mode.
Mar 30 14:00:15.218: ISAKMP: Looking for a matching key for x.x.x.x in default : success
Mar 30 14:00:15.218: ISAKMP (0:2): found peer pre-shared key matching x.x.x.x
Mar 30 14:00:15.218: ISAKMP (0:2): constructed NAT-T vendor-07 ID
Mar 30 14:00:15.218: ISAKMP (0:2): constructed NAT-T vendor-03 ID
Mar 30 14:00:15.222: ISAKMP (0:2): constructed NAT-T vendor-02 ID
Mar 30 14:00:15.222: ISAKMP (0:2): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 30 14:00:15.222: ISAKMP (0:2): Old State = IKE_READY New State = IKE_I_MM1
Mar 30 14:00:15.222: ISAKMP (0:2): beginning Main Mode exchange
Mar 30 14:00:15.222: ISAKMP (0:2): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 30 14:00:15.986: ISAKMP (0:2): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_NO_STATE
Mar 30 14:00:15.986: ISAKMP (0:2): Notify has no hash. Rejected.
Mar 30 14:00:15.986: ISAKMP (0:2): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
Mar 30 14:00:15.986: ISAKMP (0:2): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Mar 30 14:00:15.986: ISAKMP (0:2): Old State = IKE_I_MM1 New State = IKE_I_MM1
03-30-2005 02:21 PM
note: this one shows using des, we swapped it back to 3des with the exact same results.
thx again!
03-30-2005 10:10 PM
Hi,
Not sure what to make of this. Are there any other NAT devices between the PIX and the router? Is ISAKMP blocked? Are the ACLs mirrors of each other? Is the router's interface configured with "no ip route-cache"? What is the debug output on the PIX?
04-01-2005 12:37 AM
Does the ISAKMP policy # have to match on both the router and the PIX?
In other words, if the router had ISAKMP policy 11, there should be an ISAKMP policy 11 on the PIX as well?
thx
04-01-2005 01:20 AM
No, the policies' names or numbers don't have to match. The policy parameters have to match: encryption/hash/group/pfs/lifetime.
04-18-2005 09:52 PM
Ken,
Was this problem resolved?
04-19-2005 11:18 AM
yes, turns out IOS defaults to DES and Group 1, so if you don't specify (all) the following in your policy, the policies will not match. Worked perfectly after adding group 2. We were so close!!!! Wish that was documented somewhere......
encr 3des
hash md5
authentication pre-share
group 2
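The check this thread needed, as an added example (not code from the thread or from Cisco): it parses the router's "crypto isakmp policy" stanza and the PIX's flat "isakmp policy" lines, fills in the defaults an unspecified attribute takes (DES, SHA, rsa-sig, group 1, 86400 s), and reports which policy pairs would agree in IKE phase 1. The sample configs are constructed from the ones posted above; the parsers are hypothetical helpers, not a Cisco API.

```python
# Added example, not from the thread: normalise IOS and PIX ISAKMP policies,
# filling in the defaults the thread tripped over, and report matching pairs.
import re

# IOS 12.x / PIX 6.x defaults used when an attribute is not configured
DEFAULTS = {"encr": "des", "hash": "sha", "auth": "rsa-sig",
            "group": "1", "lifetime": "86400"}
ALIASES = {"encryption": "encr", "authentication": "auth"}


def parse_ios(text):
    """Parse 'crypto isakmp policy N' stanzas from an IOS running-config."""
    policies, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            cur = policies.setdefault(m.group(1), dict(DEFAULTS))
        elif line == "!" or not raw[:1].isspace():
            cur = None                      # stanza ended
        elif cur is not None:
            key, _, val = line.partition(" ")
            key = ALIASES.get(key, key)
            if key in DEFAULTS:
                cur[key] = val
    return policies


def parse_pix(text):
    """Parse flat 'isakmp policy N <attr> <value>' lines from a PIX 6.x config."""
    policies = {}
    for num, key, val in re.findall(r"^isakmp policy (\d+) (\w+) (\S+)", text, re.M):
        policies.setdefault(num, dict(DEFAULTS))[ALIASES.get(key, key)] = val
    return policies


def matching_policies(a, b):
    """Pairs (a_num, b_num) whose encr/hash/auth/group agree. Lifetime is
    excluded: peers settle on the shorter value, so it need not be equal."""
    keys = ("encr", "hash", "auth", "group")
    return [(x, y) for x, pa in a.items() for y, pb in b.items()
            if all(pa[k] == pb[k] for k in keys)]


# Constructed samples: the router policy without a 'group' line (defaults to
# group 1), the same policy with group 2 added, and two of the PIX policies.
ROUTER_BEFORE = "crypto isakmp policy 11\n encr 3des\n hash md5\n authentication pre-share\n!\n"
ROUTER_AFTER = ROUTER_BEFORE.replace("!", " group 2\n!")
PIX = ("isakmp policy 40 authentication pre-share\nisakmp policy 40 encryption aes-256\n"
       "isakmp policy 40 hash sha\nisakmp policy 40 group 2\n"
       "isakmp policy 80 authentication pre-share\nisakmp policy 80 encryption 3des\n"
       "isakmp policy 80 hash md5\nisakmp policy 80 group 2\nisakmp policy 80 lifetime 86400\n")

if __name__ == "__main__":
    print(matching_policies(parse_ios(ROUTER_BEFORE), parse_pix(PIX)))  # []
    print(matching_policies(parse_ios(ROUTER_AFTER), parse_pix(PIX)))   # [('11', '80')]
```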