Site-to-Site VPN | Cisco 3825-to-Fortigate

sgpn16 (Level 1)

Hello, I am trying to make a VPN connection over an MPLS link, but I don't quite know whether I have a mismatch on my side. Any help would be appreciated.

[Attachment: CISCOVPN.PNG]

These are my configs:

!!! IKEv1 Phase 1
crypto isakmp policy 15
 encr aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400

!! PSK
crypto isakmp key ********** address 10.8.16.18

!!! IKEv1 Phase 2 (crypto ACL)
ip access-list extended VPN-to-ENA
 permit ip 10.200.1.1 0.0.0.0 10.21.202.32 0.0.0.0
 permit icmp 10.200.1.1 0.0.0.0 10.21.202.32 0.0.0.0
 permit tcp 10.200.1.1 0.0.0.0 10.21.202.32 0.0.0.0

! Transform set
crypto ipsec transform-set ENA esp-aes 256 esp-sha-hmac

!! Create crypto map
crypto map MAP-ENA 15 ipsec-isakmp
 set peer 10.8.16.18
 set transform-set ENA
 set pfs group 14
 match address VPN-to-ENA

!! Apply to interface
interface GigabitEthernet0/0.1674
 crypto map MAP-ENA

 

 

These are the parameters on the Fortigate on the other side:

Phase 1: IKE v1, method PSK, main mode, encryption AES256, authentication SHA1, Diffie-Hellman group 14, key lifetime 86400 sec
Phase 2: encryption AES256, authentication SHA1, Diffie-Hellman group 14, PFS enabled, key lifetime 3600 sec

 

Accepted Solutions

@sgpn16 well it looks like a communication issue.

Is there an inbound ACL on the router filtering traffic?

Any NAT configured?

Can the 2 peers ping each other?


crypto ipsec df-bit clear <- try this.
IPsec can fragment, and the other peer may refuse to establish the tunnel.
Also, if you can, reduce the MTU of the interface that passes through the MPLS (note that MPLS adds at least 32 bytes).



@sgpn16 what is the actual issue here?

Are you generating interesting traffic for the tunnel to come up?

Do the IKE and IPsec SAs establish? Provide the output of "show crypto isakmp sa" and "show crypto ipsec sa".

You should look at your crypto ACL: remove tcp and icmp and just match on IP. Ensure the ACL is mirrored exactly on the remote peer.

 

Interesting traffic is generated.

[Attachment: interesting traffic.PNG]

The IKE and IPsec SAs don't establish:

[Attachment: cryptosa.PNG]

show crypto ipsec sa

RT.Inf_001#show crypto ipsec sa peer 10.8.16.18

interface: GigabitEthernet0/0.1674
Crypto map tag: MAP-ENA, local addr 10.9.81.114

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.21.202.32/255.255.255.255/0/0)
current_peer 10.8.16.18 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 13, #recv errors 0

local crypto endpt.: 10.9.81.114, remote crypto endpt.: 10.8.16.18
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.1674
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/1/0)
remote ident (addr/mask/prot/port): (10.21.202.32/255.255.255.255/1/0)
current_peer 10.8.16.18 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.9.81.114, remote crypto endpt.: 10.8.16.18
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.1674
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/6/0)
remote ident (addr/mask/prot/port): (10.21.202.32/255.255.255.255/6/0)
current_peer 10.8.16.18 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.9.81.114, remote crypto endpt.: 10.8.16.18
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.1674
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (10.200.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.21.202.32/255.255.255.255/0/0)
current_peer 10.8.16.18 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 35, #recv errors 0

local crypto endpt.: 10.9.81.114, remote crypto endpt.: 10.8.16.18
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.1674
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (10.200.1.1/255.255.255.255/1/0)
remote ident (addr/mask/prot/port): (10.21.202.32/255.255.255.255/1/0)
current_peer 10.8.16.18 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.9.81.114, remote crypto endpt.: 10.8.16.18
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.1674
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (10.200.1.1/255.255.255.255/6/0)
remote ident (addr/mask/prot/port): (10.21.202.32/255.255.255.255/6/0)
current_peer 10.8.16.18 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.9.81.114, remote crypto endpt.: 10.8.16.18
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.1674
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

This is what appeared in my debug when I sent interesting traffic.

*Feb 17 20:26:07.023: ISAKMP:(0): SA request profile is (NULL)
*Feb 17 20:26:07.023: ISAKMP: Created a peer struct for 10.8.16.18, peer port 500
*Feb 17 20:26:07.023: ISAKMP: New peer created peer = 0x70DE0000 peer_handle = 0x8000000C
*Feb 17 20:26:07.023: ISAKMP: Locking peer struct 0x70DE0000, refcount 1 for isakmp_initiator
*Feb 17 20:26:07.023: ISAKMP: local port 500, remote port 500
*Feb 17 20:26:07.023: ISAKMP: set new node 0 to QM_IDLE
*Feb 17 20:26:07.023: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6665D774
*Feb 17 20:26:07.023: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Feb 17 20:26:07.023: ISAKMP:(0):found peer pre-shared key matching 10.8.16.18
*Feb 17 20:26:07.023: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Feb 17 20:26:07.023: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Feb 17 20:26:07.023: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Feb 17 20:26:07.023: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Feb 17 20:26:07.023: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Feb 17 20:26:07.023: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

*Feb 17 20:26:07.023: ISAKMP:(0): beginning Main Mode exchange
*Feb 17 20:26:07.023: ISAKMP:(0): sending packet to 10.8.16.18 my_port 500 peer_port 500 (I) MM_NO_STATE
RT.Inf_001#
*Feb 17 20:26:07.023: ISAKMP:(0):Sending an IKE IPv4 Packet.
RT.Inf_001#
*Feb 17 20:26:17.023: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb 17 20:26:17.023: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 17 20:26:17.023: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Feb 17 20:26:17.023: ISAKMP:(0): sending packet to 10.8.16.18 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb 17 20:26:17.023: ISAKMP:(0):Sending an IKE IPv4 Packet.
RT.Inf_001#
*Feb 17 20:26:19.959: ISAKMP:(0):purging node -227245322
*Feb 17 20:26:19.959: ISAKMP:(0):purging node 952562800
RT.Inf_001#
*Feb 17 20:26:27.023: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb 17 20:26:27.023: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Feb 17 20:26:27.023: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Feb 17 20:26:27.023: ISAKMP:(0): sending packet to 10.8.16.18 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb 17 20:26:27.023: ISAKMP:(0):Sending an IKE IPv4 Packet.
RT.Inf_001#
*Feb 17 20:26:29.959: ISAKMP:(0):purging SA., sa=70B54378, delme=70B54378
RT.Inf_001#
*Feb 17 20:26:37.023: ISAKMP: set new node 0 to QM_IDLE
*Feb 17 20:26:37.023: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.9.81.114, remote 10.8.16.18)
*Feb 17 20:26:37.023: ISAKMP: Error while processing SA request: Failed to initialize SA
*Feb 17 20:26:37.023: ISAKMP: Error while processing KMI message 0, error 2.
*Feb 17 20:26:37.023: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb 17 20:26:37.023: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Feb 17 20:26:37.023: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
RT.Inf_001#
*Feb 17 20:26:37.023: ISAKMP:(0): sending packet to 10.8.16.18 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb 17 20:26:37.023: ISAKMP:(0):Sending an IKE IPv4 Packet.
RT.Inf_001#
*Feb 17 20:26:47.023: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb 17 20:26:47.023: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Feb 17 20:26:47.023: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Feb 17 20:26:47.023: ISAKMP:(0): sending packet to 10.8.16.18 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb 17 20:26:47.023: ISAKMP:(0):Sending an IKE IPv4 Packet.
RT.Inf_001#
*Feb 17 20:26:57.023: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb 17 20:26:57.023: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Feb 17 20:26:57.023: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Feb 17 20:26:57.023: ISAKMP:(0): sending packet to 10.8.16.18 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb 17 20:26:57.023: ISAKMP:(0):Sending an IKE IPv4 Packet.
RT.Inf_001#
*Feb 17 20:27:07.023: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb 17 20:27:07.023: ISAKMP:(0):peer does not do paranoid keepalives.

*Feb 17 20:27:07.023: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.8.16.18)
*Feb 17 20:27:07.023: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.8.16.18)
*Feb 17 20:27:07.023: ISAKMP: Unlocking peer struct 0x70DE0000 for isadb_mark_sa_deleted(), count 0
*Feb 17 20:27:07.023: ISAKMP: Deleting peer node by peer_reap for 10.8.16.18: 70DE0000
*Feb 17 20:27:07.023: ISAKMP:(0):deleting node -2062373667 error FALSE reason "IKE deleted"
RT.Inf_001#
*Feb 17 20:27:07.023: ISAKMP:(0):deleting node -721698550 error FALSE reason "IKE deleted"
*Feb 17 20:27:07.023: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Feb 17 20:27:07.023: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
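An added example (not from the thread or from Cisco) that reads the kind of "debug crypto isakmp" output shown above and reports where main mode stalled and what that stall point means; the sample lines are a condensed, constructed copy of the debug above, and the state meanings follow the standard IOS main-mode state sequence (MM_NO_STATE, MM_SA_SETUP, MM_KEY_EXCH).

```python
import re

# Constructed sample: a condensed copy of the thread's "debug crypto isakmp" output.
DEBUG_SAMPLE = """\
*Feb 17 20:26:07.023: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Feb 17 20:26:07.023: ISAKMP:(0): sending packet to 10.8.16.18 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb 17 20:26:17.023: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 17 20:26:27.023: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Feb 17 20:26:57.023: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Feb 17 20:27:07.023: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.8.16.18)
"""

# IOS main-mode states in order; the state a dead SA is in tells you which
# message the peer never answered.
STALL_MEANING = {
    "MM_NO_STATE": "MM1 sent, no MM2 received: the peer never answered on UDP/500 "
                   "(check reachability, inbound ACLs/NAT, and that the peer has a matching phase-1 policy)",
    "MM_SA_SETUP": "policy agreed, stalled at the DH key exchange (MM3/MM4)",
    "MM_KEY_EXCH": "keys exchanged, stalled at authentication (MM5/MM6): typically PSK or identity mismatch",
}

STATE_RE = re.compile(r"\((?:I|R)\) (MM_[A-Z_]+)")
RETX_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DEATH_RE = re.compile(r'"Death by retransmission P1" state \((?:I|R)\) (MM_[A-Z_]+) \(peer ([\d.]+)\)')


def analyze_isakmp_debug(text):
    """Summarise a phase-1 failure from IOS 'debug crypto isakmp' output."""
    result = {"peer": None, "last_state": None, "retransmits": 0,
              "max_retransmits": None, "died": False,
              "diagnosis": "no phase-1 failure seen"}
    for line in text.splitlines():
        if m := STATE_RE.search(line):          # track the last main-mode state reported
            result["last_state"] = m.group(1)
        if m := RETX_RE.search(line):           # "attempt N of M" retransmit counter
            result["retransmits"] = max(result["retransmits"], int(m.group(1)))
            result["max_retransmits"] = int(m.group(2))
        if m := DEATH_RE.search(line):          # SA torn down after the retransmit budget
            result["died"] = True
            result["last_state"] = m.group(1)
            result["peer"] = m.group(2)
    if result["died"]:
        result["diagnosis"] = STALL_MEANING.get(result["last_state"], "unrecognised stall point")
    return result


if __name__ == "__main__":
    for key, value in analyze_isakmp_debug(DEBUG_SAMPLE).items():
        print(f"{key}: {value}")
```

For the debug above this reports a death in MM_NO_STATE after 5 of 5 retransmits, i.e. the peer never replied to the first main-mode message, which is why the next replies ask about ACLs, NAT and ping reachability rather than about proposals.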

@sgpn16 Is there a firewall or ACL that could be filtering the ESP protocol?

You've got multiple SAs for other local networks (192.168.13.0/24); you need to add these to the crypto ACL as well.

There are none on the router that is trying to make the connection. This is over an MPLS link, which shouldn't have any restrictions.

 

@sgpn16 check out your ISAKMP SA screenshot: the src address is 10.9.159.134, which is incorrect.

That is for another tunnel that is going over the MPLS. 


interface GigabitEthernet0/0.1674
encapsulation dot1Q 1674
ip address 10.9.81.114 255.255.255.252
ip virtual-reassembly
crypto map MAP-ENA

This is the config applied to the outgoing interface.


sgpn16 (Level 1)

The actual issue was on the side of the client. 

It was that they had a phase 2 parameter incorrectly configured.