Site-to-site VPN IKEv1, can't get it right.

ct7928
Level 1

I am trying to configure a router for a site-to-site VPN to a Sophos router using IKEv1. Attached are the protocols along with my Cisco CLI configs. I feel like I have everything right, but it won't pass phase 1. I have hashed out the IP addresses and the pre-shared key, but those are set correctly. Any help?

[Attachment: vpnsecure.jpg]

crypto isakmp policy 1
hash sha256 
authentication pre-share 
group 5
lifetime 28800 

crypto isakmp key (redacted) address (redacted)

crypto ipsec transform-set compulink esp-aes 256 esp-sha256-hmac 
mode tunnel

crypto map vpnmap 1 ipsec-isakmp 
set peer (redacted)
set transform-set compulink
match address 164

access-list 164 permit ip host 192.168.7.6 host 10.36.14.225 

interface GigabitEthernet0/1 
description TWC Primary
ip address (redacted) 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex full
speed 1000
no cdp enable
crypto map vpnmap

mecgol1921#show crypto isakmp sa
IPv4 Crypto ISAKMP SA

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.7.6/255.255.255.255/0/0)   
remote ident (addr/mask/prot/port): (10.36.14.225/255.255.255.255/0/0)
current_peer (redacted) port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: (redacted), remote crypto endpt.: (redacted)
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

Interface: GigabitEthernet0/1 #this verifies that the tunnel is down.
Session status: DOWN
Peer: (redacted) port 500
IPSEC FLOW: permit ip host 192.168.7.6 host 10.36.14.225
Active SAs: 0, origin: crypto map

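The phase-1 negotiation the post above is stuck on, as an added example that is not part of the original post and not Cisco's or Sophos's code: a small Python model of how an IOS responder walks its `crypto isakmp policy` entries against the proposals a peer sends. It parses the policy exactly as posted and fills in Cisco's documented defaults for every line the policy omits (56-bit DES, SHA-1, rsa-sig, group 1, 86400 s); since the posted policy has no `encryption` line, the parser therefore sees DES. Whether that is what broke this particular tunnel cannot be told from the thread, because the Sophos side exists only in the attachment, so the Sophos proposal below is constructed sample input (AES-256/SHA-256/PSK/group 5) normalised to IOS attribute names, and the "with AES" variant of the policy is a hypothetical fix, not something from the thread.

```python
"""IKEv1 phase-1 (ISAKMP) policy matching, modelled on the rules Cisco IOS
documents for 'crypto isakmp policy'.  Added example, not code from the thread;
the Sophos-side proposals are constructed sample input."""
import re

# Documented IOS defaults for attributes a 'crypto isakmp policy' does not set.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": 86400}
MATCH_KEYS = ("encryption", "hash", "authentication", "group")


def parse_isakmp_policies(config):
    """Parse 'crypto isakmp policy N' blocks from IOS config text into dicts,
    filling omitted attributes with the IOS defaults; returned in priority order."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(IOS_DEFAULTS)
            continue
        m = re.match(r"(encryption|hash|authentication|group|lifetime)\s+(.+)$", line)
        if m and current is not None:
            key, val = m.group(1), m.group(2).strip()
            policies[current][key] = int(val) if key == "lifetime" else val
        else:
            current = None          # any other top-level command ends the block
    return [policies[p] for p in sorted(policies)]


def phase1_match(responder_policies, initiator_proposals):
    """Responder walks its policies highest priority (lowest number) first and
    accepts the first proposal with identical encryption, hash, authentication
    and DH group whose lifetime does not exceed the policy's (the IOS rule).
    Returns the (policy, proposal) pair, or None: phase 1 fails."""
    for policy in responder_policies:
        for prop in initiator_proposals:
            if all(policy[k] == prop[k] for k in MATCH_KEYS) and prop["lifetime"] <= policy["lifetime"]:
                return policy, prop
    return None


def explain_mismatch(responder_policies, initiator_proposals):
    """For every (policy, proposal) pair, list the attributes that disagree
    (1-based positions): the quickest way to see why phase 1 never completes."""
    report = []
    for i, policy in enumerate(responder_policies, 1):
        for j, prop in enumerate(initiator_proposals, 1):
            diffs = [k for k in MATCH_KEYS if policy[k] != prop[k]]
            if prop["lifetime"] > policy["lifetime"]:
                diffs.append("lifetime")
            report.append((i, j, diffs))
    return report


# The policy as posted in the thread: no 'encryption' line, so IOS uses DES.
CISCO_POLICY_AS_POSTED = """
crypto isakmp policy 1
 hash sha256
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key (redacted) address (redacted)
"""

# Same policy with the cipher stated explicitly (hypothetical fix, not from the thread).
CISCO_POLICY_WITH_AES = CISCO_POLICY_AS_POSTED.replace(
    " hash sha256", " encryption aes 256\n hash sha256")

# Constructed Sophos-side proposal, normalised to IOS attribute names
# (the real one is only visible in the thread's attachment).
SOPHOS_PROPOSALS = [{"encryption": "aes 256", "hash": "sha256",
                     "authentication": "pre-share", "group": "5", "lifetime": 28800}]

if __name__ == "__main__":
    posted = parse_isakmp_policies(CISCO_POLICY_AS_POSTED)
    print("as posted:   ", phase1_match(posted, SOPHOS_PROPOSALS),
          explain_mismatch(posted, SOPHOS_PROPOSALS))
    fixed = parse_isakmp_policies(CISCO_POLICY_WITH_AES)
    print("with aes 256:", phase1_match(fixed, SOPHOS_PROPOSALS))
```

Paste the real `show run | section crypto isakmp policy` output into `CISCO_POLICY_AS_POSTED` and the peer's phase-1 settings into `SOPHOS_PROPOSALS`; `explain_mismatch` names the attribute that differs, which is the same information `debug crypto isakmp` reports as "atts are not acceptable" without saying which attribute.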
Accepted Solution

If you are doing NAT translation, in that case put a NAT exemption (no NAT) for your interesting traffic on the access list that is married to the NAT overload.

ip access-list extended 888
 ! the deny must name the protocol and the same hosts as crypto ACL 164 (10.36.14.225, not .255)
 10 deny ip host 192.168.7.6 host 10.36.14.225
 20 permit ip any any
!
ip nat inside source list 888 interface GigabitEthernet0/1 overload
!
access-list 164 permit ip host 192.168.7.6 host 10.36.14.225
!
crypto map CMAP 1 ipsec-isakmp
 set peer (redacted)
 set transform-set compulink
 match address 164
!
interface GigabitEthernet0/1
 description TWC Primary
 ip address (redacted) 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 1000
 no cdp enable
 crypto map CMAP

please do not forget to rate.

5 Replies

What is the output of "show crypto isakmp sa detail"? As the output you showed earlier indicates, the VPN is down. It could be that you are failing on MM_5, which could mean the pre-shared key is wrong either on your end or on the remote end, but we are not sure. Show the output of the command mentioned above, then we can take a lead from it.

please do not forget to rate.

Thanks for your help. Attached are the results of the command "show crypto isakmp sa detail". As you can see below, the only thing it shows is an already existing VPN to a different IP address. The VPN I'm attempting to set up does not show at all. Any ideas? Could this VPN being active be the reason I can't get the new one running?

cgol1921#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1018 70.63.158.114 174.99.226.133 ACTIVE 3des sha512 psk 2 17:16:33
Engine-id:Conn-id = SW:18

IPv6 Crypto ISAKMP SA

You have to try sending a ping to the remote side.

ping 10.36.14.225 source 192.168.7.6

What's the Cisco router model? Basically, we need to see the debug to see what's happening on this.

debug crypto condition peer ipv4 <peer-ip>
debug crypto isakmp
debug crypto engine
debug crypto ipsec

please do not forget to rate.


Hello

It seems the match on the traffic of interest is failing. Try to add the access list like this:

! 0.0.0.255 is a wildcard mask (the inverse of 255.255.255.0), which is what IOS ACLs take
access-list 164 permit ip 192.168.7.0 0.0.0.255 10.36.14.0 0.0.0.255

And make sure both ends match exactly the same traffic.

The other end should be:

access-list 164 permit ip 10.36.14.0 0.0.0.255 192.168.7.0 0.0.0.255
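The two fixes the replies above turn on, the NAT exemption in the accepted solution and the mirrored crypto ACLs in the last reply, as one added example that is not code from the thread: a small Python checker that parses IOS ACL text (only `ip` entries with `host`, `any` and wildcard-mask terms are modelled), evaluates it first-match with the implicit deny, and then asks two questions. First, does the NAT ACL still permit (i.e. translate) any flow the crypto ACL wants encrypted? On IOS, inside-to-outside NAT runs before the crypto map, so such a flow leaves with a translated source address and never matches the crypto ACL. Second, is the peer's crypto ACL the exact source/destination mirror of the local one? The ACL text is constructed from the addresses used in the thread; the variant with `10.36.14.255` reproduces the one-digit typo that would silently defeat the exemption.

```python
"""Two checks behind the replies above: the NAT ACL must exempt (deny) every
flow the crypto ACL encrypts, and the peer's crypto ACL must mirror the local
one.  Added example, not code from the thread; all ACL text is constructed."""
import ipaddress


def _parse_addr(tokens):
    """Consume one ACL address term ('any', 'host A', or 'A WILDCARD') and
    return (IPv4Network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard masks are inverted netmasks (0.0.0.255 == /24); invert
    # explicitly so 0.0.0.0 means one host and 255.255.255.255 means any.
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse numbered ('access-list N ...') and named ('[seq] permit|deny ...')
    IP ACEs into (action, src, dst) tuples; only 'ip' as protocol is modelled."""
    entries = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] in ("!", "ip"):      # comment or 'ip access-list' header
            continue
        if toks[0] == "access-list":
            toks = toks[2:]
        elif toks[0].isdigit():                      # sequence number in a named ACL
            toks = toks[1:]
        action, proto = toks[0], toks[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line.strip()}")
        src, rest = _parse_addr(toks[2:])
        dst, _ = _parse_addr(rest)
        entries.append((action, src, dst))
    return entries


def acl_action(entries, src_ip, dst_ip):
    """First-match lookup with the implicit deny IOS appends to every ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"


def _probe_hosts(net):
    """Representative addresses of a network: the host itself for /32,
    otherwise the first and last usable hosts."""
    if net.prefixlen == 32:
        return [str(net.network_address)]
    return [str(net[1]), str(net[-2])]


def nat_exempt_gaps(nat_acl, crypto_acl):
    """Flows the crypto ACL wants encrypted that the NAT ACL still permits
    (translates).  IOS runs inside-to-outside NAT before the crypto map, so
    each such flow leaves with a translated source and never matches the
    crypto ACL.  An empty list means the exemption is complete."""
    gaps = []
    for action, src, dst in crypto_acl:
        if action != "permit":
            continue
        for s in _probe_hosts(src):
            for d in _probe_hosts(dst):
                if acl_action(nat_acl, s, d) == "permit":
                    gaps.append((s, d))
    return gaps


def is_mirror(local_acl, remote_acl):
    """True when the remote crypto ACL is exactly the local one with source
    and destination swapped, which is what both peers must agree on."""
    local = sorted((a, str(s), str(d)) for a, s, d in local_acl)
    remote = sorted((a, str(d), str(s)) for a, s, d in remote_acl)
    return local == remote


# Constructed sample input using the addresses from the thread.
CRYPTO_ACL_LOCAL = "access-list 164 permit ip host 192.168.7.6 host 10.36.14.225"
CRYPTO_ACL_REMOTE = "access-list 164 permit ip host 10.36.14.225 host 192.168.7.6"
CRYPTO_ACL_SUBNET = "access-list 164 permit ip 192.168.7.0 0.0.0.255 10.36.14.0 0.0.0.255"
CRYPTO_ACL_SUBNET_REMOTE = "access-list 164 permit ip 10.36.14.0 0.0.0.255 192.168.7.0 0.0.0.255"
# Exemption with a typo in the remote host (.255 instead of .225): the flow is still NATed.
NAT_ACL_TYPO = """
ip access-list extended 888
 10 deny ip host 192.168.7.6 host 10.36.14.255
 20 permit ip any any
"""
NAT_ACL_FIXED = NAT_ACL_TYPO.replace("10.36.14.255", "10.36.14.225")

if __name__ == "__main__":
    crypto = parse_acl(CRYPTO_ACL_LOCAL)
    print("gaps with typo:", nat_exempt_gaps(parse_acl(NAT_ACL_TYPO), crypto))
    print("gaps fixed:    ", nat_exempt_gaps(parse_acl(NAT_ACL_FIXED), crypto))
    print("mirror:", is_mirror(crypto, parse_acl(CRYPTO_ACL_REMOTE)))
```

Run it with the `show access-lists` text of the NAT ACL and the crypto ACL pasted in; a non-empty gap list is the configuration-side view of what `show crypto ipsec sa` shows as `#pkts encaps: 0` while `show ip nat translations` keeps producing entries for the inside host. Note that once the crypto ACL is widened to a /24, as the last reply suggests, the NAT exemption has to be widened to the same /24 or the checker reports gaps for the new hosts.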