Site to Site VPN - 'Send errors'

Chrisb6122
Level 1

Hello,

I've recently been asked to configure a new site-to-site VPN between one of our offices and a remote customer site. They have an external IT provider, so I thought this would be a doddle, but it's proving troublesome.

The equipment used at my end: Cisco 837. Their end: Cisco PIX (don't know which model).

Without further hooha, the configs:

Cisco 837

crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 presharedkeytexthere address customerip no-xauth
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map to_vpn 20 ipsec-isakmp
 description Bemco VPN
 set peer customerip
 set transform-set ESP-3DES-MD5
 match address 2008
access-list 2008 remark ************VPN to BEM************
access-list 2008 permit ip 1.1.0.0 0.0.255.255 10.29.0.0 0.0.255.255
access-list 2008 remark
access-list 151 remark ******* NAT source IP to 1.1.5.1 for  BEM  *******
access-list 151 permit ip 192.168.14.0 0.0.1.255 host 10.29.0.1

Customer PIX:

isakmp policy 11 authentication pre-share
isakmp policy 11 encryption 3des
isakmp policy 11 hash md5
isakmp policy 11 group 2
isakmp policy 11 lifetime 86400
isakmp key presharedkeytexthere address mypublicipaddress netmask 255.255.255.255 no-xauth no-config-mode
crypto ipsec transform-set BEMCO3DES esp-3des esp-md5-hmac
crypto map bemcomap 20 ipsec-isakmp
crypto map bemcomap 20 match address mycompanyname
crypto map bemcomap 20 set peer mypublicipaddress
crypto map bemcomap 20 set transform-set BEMCO3DES
access-list Solarsoft permit ip 10.29.0.0 255.255.255.0 1.1.0.0 255.255.0.0

Once my side kicks off a ping we can see the VPN establishing, but traffic is not exchanging.

Cisco837#sh crypto isakmp sa
  f_vrf/i_vrf   dst            src             state       conn-id slot
       /        remoteIP    localIP QM_IDLE              14       0

Cisco837#sh crypto ipsec sa
   protected vrf:
   local  ident (addr/mask/prot/port): (1.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.29.0.0/255.255.0.0/0/0)
   current_peer: 62.133.4.106:500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2696, #recv errors 0

     local crypto endpt.: localIP, remote crypto endpt.: remoteIP
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

As always, any help would be most gratefully received. I can provide debugging information from this side if nothing obvious stands out.

Thanks

Chris
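
An added check (this is example code, not part of the original post or either side's configuration): the proxy identities each peer offers in Quick Mode are taken straight from its crypto ACL, so the 837's entry and the PIX's entry must be exact mirror images, or phase 2 is rejected even though phase 1 completes. The `show crypto ipsec sa` output above already shows what the 837 is offering (1.1.0.0/255.255.0.0 to 10.29.0.0/255.255.0.0), no outbound SPI and a climbing send-error count. The script below parses both ACLs in their native notation (IOS wildcard masks, PIX subnet masks), normalises them to prefixes and reports anything without a mirrored twin. The ACL text is copied from the configs above; the "fixed" 837 line is an assumption that narrows the remote network to the /24 the PIX side defines.

```python
import ipaddress
import re

# Constructed input: the two crypto ACLs as posted above, in each platform's
# native notation (IOS wildcard masks on the 837, subnet masks on the PIX).
IOS_CRYPTO_ACL = """
access-list 2008 remark ************VPN to BEM************
access-list 2008 permit ip 1.1.0.0 0.0.255.255 10.29.0.0 0.0.255.255
access-list 2008 remark
"""

PIX_CRYPTO_ACL = """
access-list Solarsoft permit ip 10.29.0.0 255.255.255.0 1.1.0.0 255.255.0.0
"""

# Assumed correction (not from the thread): the 837 ACL narrowed to the /24
# that the PIX side actually defines.
IOS_CRYPTO_ACL_FIXED = """
access-list 2008 permit ip 1.1.0.0 0.0.255.255 10.29.0.0 0.0.0.255
"""

ACE_RE = re.compile(r"^access-list\s+\S+\s+permit\s+ip\s+(.+)$")


def netmask_to_prefix(mask: str) -> int:
    """Dotted subnet mask -> prefix length; rejects non-contiguous masks."""
    m = int(ipaddress.IPv4Address(mask))
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask {mask}")
    return ones


def wildcard_to_prefix(wildcard: str) -> int:
    """IOS wildcard (inverse) mask -> prefix length, e.g. 0.0.255.255 -> 16."""
    inverted = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return netmask_to_prefix(str(ipaddress.IPv4Address(inverted)))


def _operand(tokens, i, style):
    """Parse one address operand at tokens[i] ('any', 'host A', or 'A MASK').
    Returns (IPv4Network, index of the next token)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    prefix = wildcard_to_prefix(mask) if style == "ios" else netmask_to_prefix(mask)
    return ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False), i + 2


def parse_crypto_acl(text: str, style: str) -> set:
    """Set of (src, dst) networks from the 'permit ip' entries of a crypto ACL.
    style is 'ios' (wildcard masks) or 'pix' (subnet masks); remarks are skipped."""
    pairs = set()
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        tokens = m.group(1).split()
        src, i = _operand(tokens, 0, style)
        dst, _ = _operand(tokens, i, style)
        pairs.add((src, dst))
    return pairs


def mirror_mismatches(local_pairs, remote_pairs):
    """Quick Mode proxy IDs must match exactly, so each local (src, dst) needs a
    remote (dst, src) twin. Returns (unmatched local, unmatched mirrored remote)."""
    mirrored = {(dst, src) for (src, dst) in remote_pairs}
    return (sorted(local_pairs - mirrored, key=str),
            sorted(mirrored - local_pairs, key=str))


def check(ios_acl: str, pix_acl: str):
    """Compare an IOS crypto ACL against a PIX crypto ACL for mirror-image entries."""
    return mirror_mismatches(parse_crypto_acl(ios_acl, "ios"),
                             parse_crypto_acl(pix_acl, "pix"))


if __name__ == "__main__":
    only_837, only_pix = check(IOS_CRYPTO_ACL, PIX_CRYPTO_ACL)
    for src, dst in only_837:
        print(f"837 offers {src} -> {dst}: no mirror image on the PIX")
    for src, dst in only_pix:
        print(f"PIX expects {src} -> {dst}: not present on the 837")
    print("fixed ACL mismatches:", check(IOS_CRYPTO_ACL_FIXED, PIX_CRYPTO_ACL))
```

Run against the posted ACLs it flags the 837's 1.1.0.0/16 to 10.29.0.0/16 against the PIX's mirrored 1.1.0.0/16 to 10.29.0.0/24; with the assumed /24 on the 837 both lists come back empty. One further caveat visible in the 837 config: if ACL 151 drives a policy NAT as its remark says, only traffic destined for host 10.29.0.1 is translated to 1.1.5.1, so a ping to any other 10.29.0.x address leaves with a 192.168.14.x source, never matches ACL 2008 and never triggers the tunnel at all.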


ajay chauhan
Level 7

This simply means phase 2 is failing, most probably an ACL issue.

Looking at the config:

crypto map bemcomap 20 ipsec-isakmp
crypto map bemcomap 20 match address mycompanyname
crypto map bemcomap 20 set peer mypublicipaddress
crypto map bemcomap 20 set transform-set BEMCO3DES
access-list Solarsoft permit ip 10.29.0.0 255.255.255.0 1.1.0.0 255.255.0.0

In crypto map seq 20 the match address is called mycompanyname, but it looks like the ACL is configured with the name Solarsoft. Correct this and try.

Thanks

Ajay

Thanks for the reply Ajay,

My company name is solarsoft I just missed changing that to mycompanyname.

Looking at that access list, though, it seems his network 10.29.0.0 is a /24, not a /16 as I have recorded in my access list. I'll reload the access list and apply the policy again and see if that makes a difference.

Thanks

Chris

This doesn't seem to have made a difference.

Here is the debug output from this side:

000037: *Mar  1 00:48:17.779 GMT: ISAKMP (0:3): Can not start Aggressive mode, trying Main mode.
000038: *Mar  1 00:48:17.779 GMT: ISAKMP: Looking for a matching key for 62.133.4.106 in default : success
000039: *Mar  1 00:48:17.779 GMT: ISAKMP (0:3): found peer pre-shared key matching 62.133.4.106
000040: *Mar  1 00:48:17.783 GMT: ISAKMP (0:3): constructed NAT-T vendor-03 ID
000041: *Mar  1 00:48:17.783 GMT: ISAKMP (0:3): constructed NAT-T vendor-02 ID
000042: *Mar  1 00:48:17.783 GMT: ISAKMP (0:3): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
000043: *Mar  1 00:48:17.783 GMT: ISAKMP (0:3): Old State = IKE_READY  New State = IKE_I_MM1
000044: *Mar  1 00:48:17.783 GMT: ISAKMP (0:3): beginning Main Mode exchange
000045: *Mar  1 00:48:17.783 GMT: ISAKMP (0:3): sending packet to 62.133.4.106 my_port 500 peer_port 500 (I) MM_NO_STATE
000046: *Mar  1 00:48:17.787 GMT: ISAKMP (0:2): deleting SA reason "" state (I) QM_IDLE       (peer 62.133.4.106) input queue 0
000047: *Mar  1 00:48:17.787 GMT: ISAKMP (0:2): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000048: *Mar  1 00:48:17.787 GMT: ISAKMP (0:2): Old State = IKE_DEST_SA  New State = IKE_DEST_SA
000049: *Mar  1 00:48:17.879 GMT: ISAKMP (0:3): received packet from 62.133.4.106 dport 500 sport 500 Global (I) MM_NO_STATE
000050: *Mar  1 00:48:17.879 GMT: ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000051: *Mar  1 00:48:17.879 GMT: ISAKMP (0:3): Old State = IKE_I_MM1  New State = IKE_I_MM2
000052: *Mar  1 00:48:17.883 GMT: ISAKMP (0:3): processing SA payload. message ID = 0
000053: *Mar  1 00:48:17.883 GMT: ISAKMP (0:3): processing vendor id payload
000054: *Mar  1 00:48:17.883 GMT: ISAKMP (0:3): vendor ID seems Unity/DPD but major 157 mismatch
000055: *Mar  1 00:48:17.883 GMT: ISAKMP (0:3): vendor ID is NAT-T v3
000056: *Mar  1 00:48:17.883 GMT: ISAKMP (0:3): processing vendor id payload
000057: *Mar  1 00:48:17.883 GMT: ISAKMP (0:3): vendor ID seems Unity/DPD but major 123 mismatch
000058: *Mar  1 00:48:17.883 GMT: ISAKMP (0:3): vendor ID is NAT-T v2
000059: *Mar  1 00:48:17.887 GMT: ISAKMP: Looking for a matching key for 62.133.4.106 in default : success
000060: *Mar  1 00:48:17.887 GMT: ISAKMP (0:3): found peer pre-shared key matching 62.133.4.106
000061: *Mar  1 00:48:17.887 GMT: ISAKMP (0:3) local preshared key found
000062: *Mar  1 00:48:17.887 GMT: ISAKMP (0:3): Checking ISAKMP transform 1 against priority 1 policy
000063: *Mar  1 00:48:17.887 GMT: ISAKMP:      encryption 3DES-CBC
000064: *Mar  1 00:48:17.887 GMT: ISAKMP:      hash MD5
000065: *Mar  1 00:48:17.887 GMT: ISAKMP:      default group 2
000066: *Mar  1 00:48:17.887 GMT: ISAKMP:      auth pre-share
000067: *Mar  1 00:48:17.887 GMT: ISAKMP:      life type in seconds
000068: *Mar  1 00:48:17.887 GMT: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
000069: *Mar  1 00:48:17.891 GMT: ISAKMP (0:3): atts are acceptable. Next payload is 0
000070: *Mar  1 00:48:18.331 GMT: ISAKMP (0:3): processing vendor id payload
000071: *Mar  1 00:48:18.331 GMT: ISAKMP (0:3): vendor ID seems Unity/DPD but major 157 mismatch
000072: *Mar  1 00:48:18.331 GMT: ISAKMP (0:3): vendor ID is NAT-T v3
000073: *Mar  1 00:48:18.331 GMT: ISAKMP (0:3): processing vendor id payload
000074: *Mar  1 00:48:18.331 GMT: ISAKMP (0:3): vendor ID seems Unity/DPD but major 123 mismatch
000075: *Mar  1 00:48:18.331 GMT: ISAKMP (0:3): vendor ID is NAT-T v2
000076: *Mar  1 00:48:18.335 GMT: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000077: *Mar  1 00:48:18.335 GMT: ISAKMP (0:3): Old State = IKE_I_MM2  New State = IKE_I_MM2
000078: *Mar  1 00:48:18.335 GMT: ISAKMP (0:3): constructed HIS NAT-D
000079: *Mar  1 00:48:18.335 GMT: ISAKMP (0:3): constructed MINE NAT-D
000080: *Mar  1 00:48:18.339 GMT: ISAKMP (0:3): sending packet to 62.133.4.106 my_port 500 peer_port 500 (I) MM_SA_SETUP
000081: *Mar  1 00:48:18.339 GMT: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000082: *Mar  1 00:48:18.339 GMT: ISAKMP (0:3): Old State = IKE_I_MM2  New State = IKE_I_MM3
000083: *Mar  1 00:48:18.427 GMT: ISAKMP (0:3): received packet from 62.133.4.106 dport 500 sport 500 Global (I) MM_SA_SETUP
000084: *Mar  1 00:48:18.427 GMT: ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000085: *Mar  1 00:48:18.431 GMT: ISAKMP (0:3): Old State = IKE_I_MM3  New State = IKE_I_MM4
000086: *Mar  1 00:48:18.431 GMT: ISAKMP (0:3): processing KE payload. message ID = 0
000087: *Mar  1 00:48:18.867 GMT: ISAKMP (0:3): processing NONCE payload. message ID = 0
000088: *Mar  1 00:48:18.867 GMT: ISAKMP: Looking for a matching key for 62.133.4.106 in default : success
000089: *Mar  1 00:48:18.867 GMT: ISAKMP (0:3): found peer pre-shared key matching 62.133.4.106
000090: *Mar  1 00:48:18.871 GMT: ISAKMP (0:3): SKEYID state generated
000091: *Mar  1 00:48:18.871 GMT: ISAKMP (0:3): processing vendor id payload
000092: *Mar  1 00:48:18.871 GMT: ISAKMP (0:3): vendor ID seems Unity/DPD but major 215 mismatch
000093: *Mar  1 00:48:18.871 GMT: ISAKMP (0:3): vendor ID is XAUTH
000094: *Mar  1 00:48:18.871 GMT: ISAKMP (0:3): processing vendor id payload
000095: *Mar  1 00:48:18.871 GMT: ISAKMP (0:3): vendor ID is DPD
000096: *Mar  1 00:48:18.875 GMT: ISAKMP (0:3): processing vendor id payload
000097: *Mar  1 00:48:18.875 GMT: ISAKMP (0:3): vendor ID is Unity
000098: *Mar  1 00:48:18.875 GMT: ISAKMP:received payload type 17
000099: *Mar  1 00:48:18.875 GMT: ISAKMP (0:3): Detected NAT-D payload
000100: *Mar  1 00:48:18.875 GMT: ISAKMP (0:3): NAT match MINE hash
000101: *Mar  1 00:48:18.875 GMT: ISAKMP:received payload type 17
000102: *Mar  1 00:48:18.875 GMT: ISAKMP (0:3): Detected NAT-D payload
000103: *Mar  1 00:48:18.875 GMT: ISAKMP (0:3): NAT match HIS hash
000104: *Mar  1 00:48:18.879 GMT: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000105: *Mar  1 00:48:18.879 GMT: ISAKMP (0:3): Old State = IKE_I_MM4  New State = IKE_I_MM4
000106: *Mar  1 00:48:18.879 GMT: ISAKMP (0:3): Send initial contact
000107: *Mar  1 00:48:18.879 GMT: ISAKMP (0:3): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
000108: *Mar  1 00:48:18.879 GMT: ISAKMP (3): ID payload
        next-payload : 8
        type         : 1
        addr         : mypublicip
        protocol     : 17
        port         : 500
        length       : 8
000109: *Mar  1 00:48:18.883 GMT: ISAKMP (3): Total payload length: 12
000110: *Mar  1 00:48:18.887 GMT: ISAKMP (0:3): sending packet to 62.133.4.106 my_port 500 peer_port 500 (I) MM_KEY_EXCH
000111: *Mar  1 00:48:18.887 GMT: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000112: *Mar  1 00:48:18.887 GMT: ISAKMP (0:3): Old State = IKE_I_MM4  New State = IKE_I_MM5
000113: *Mar  1 00:48:18.919 GMT: ISAKMP (0:3): received packet from 62.133.4.106 dport 500 sport 500 Global (I) MM_KEY_EXCH
000114: *Mar  1 00:48:18.923 GMT: ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000115: *Mar  1 00:48:18.923 GMT: ISAKMP (0:3): Old State = IKE_I_MM5  New State = IKE_I_MM6
000116: *Mar  1 00:48:18.923 GMT: ISAKMP (0:3): processing ID payload. message ID = 0
000117: *Mar  1 00:48:18.923 GMT: ISAKMP (3): Process ID payload
        type         : 2
        FQDN name    : BemcoGW001.customer.co.uk
        protocol     : 17
        port         : 500
        length       : 22
000118: *Mar  1 00:48:18.927 GMT: ISAKMP (0:3): processing HASH payload. message ID = 0
000119: *Mar  1 00:48:18.927 GMT: ISAKMP (0:3): SA has been authenticated with 62.133.4.106
000120: *Mar  1 00:48:18.927 GMT: ISAKMP (0:3): peer matches *none* of the profiles
000121: *Mar  1 00:48:18.931 GMT: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000122: *Mar  1 00:48:18.931 GMT: ISAKMP (0:3): Old State = IKE_I_MM6  New State = IKE_I_MM6
000123: *Mar  1 00:48:18.931 GMT: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000124: *Mar  1 00:48:18.935 GMT: ISAKMP (0:3): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
000125: *Mar  1 00:48:18.935 GMT: ISAKMP (0:3): beginning Quick Mode exchange, M-ID of 67383951
000126: *Mar  1 00:48:18.943 GMT: ISAKMP (0:3): sending packet to 62.133.4.106 my_port 500 peer_port 500 (I) QM_IDLE
000127: *Mar  1 00:48:18.943 GMT: ISAKMP (0:3): Node 67383951, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
000128: *Mar  1 00:48:18.943 GMT: ISAKMP (0:3): Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
000129: *Mar  1 00:48:18.947 GMT: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
000130: *Mar  1 00:48:18.947 GMT: ISAKMP (0:3): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
000131: *Mar  1 00:48:18.975 GMT: ISAKMP (0:3): received packet from 62.133.4.106 dport 500 sport 500 Global (I) QM_IDLE
000132: *Mar  1 00:48:18.979 GMT: ISAKMP: set new node -1026484243 to QM_IDLE
000133: *Mar  1 00:48:18.987 GMT: ISAKMP (0:3): processing HASH payload. message ID = -1026484243
000134: *Mar  1 00:48:18.987 GMT: ISAKMP (0:3): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 1853088444, message ID = -1026484243, sa = 814CB8BC
000135: *Mar  1 00:48:18.987 GMT: ISAKMP (0:3): deleting spi 1853088444 message ID = 67383951
000136: *Mar  1 00:48:18.987 GMT: ISAKMP (0:3): deleting node 67383951 error TRUE reason "delete_larval"
000137: *Mar  1 00:48:18.987 GMT: ISAKMP (0:3): deleting node -1026484243 error FALSE reason "informational (in) state 1"
000138: *Mar  1 00:48:18.987 GMT: ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
000139: *Mar  1 00:48:18.987 GMT: ISAKMP (0:3): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Thanks

Chris
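
As an added example (not from the thread or either vendor): a small Python triage of `debug crypto isakmp` output of the kind posted above. Per ISAKMP SA (the `(0:3)` tag) it records the last state transition, whether phase 1 authenticated, whether Quick Mode was started, and which NOTIFYs came back, decoding the DOI protocol number (3 = ESP, from RFC 2407) so a reader sees that the peer rejected the IPsec proposal rather than the IKE SA. The sample lines are copied from the debug above; the hints in `verdict()` are general IKEv1 troubleshooting guidance, not something the thread confirms.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of the 'debug crypto isakmp' lines posted above,
# cut down to the ones the triage keys on.
SAMPLE_DEBUG = """\
000043: *Mar  1 00:48:17.783 GMT: ISAKMP (0:3): Old State = IKE_READY  New State = IKE_I_MM1
000119: *Mar  1 00:48:18.927 GMT: ISAKMP (0:3): SA has been authenticated with 62.133.4.106
000124: *Mar  1 00:48:18.935 GMT: ISAKMP (0:3): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
000125: *Mar  1 00:48:18.935 GMT: ISAKMP (0:3): beginning Quick Mode exchange, M-ID of 67383951
000134: *Mar  1 00:48:18.987 GMT: ISAKMP (0:3): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
000136: *Mar  1 00:48:18.987 GMT: ISAKMP (0:3): deleting node 67383951 error TRUE reason "delete_larval"
"""

# IPsec DOI protocol identifiers carried in a NOTIFY payload (RFC 2407, 4.4.1).
DOI_PROTO = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}

SA_RE = re.compile(r"ISAKMP \((\d+:\d+)\):?\s*(.*)")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
NOTIFY_RE = re.compile(r"processing NOTIFY (\S+) protocol (\d+)")


def _new_record():
    return {"last_state": None, "authenticated": False,
            "qm_started": False, "notifies": []}


def triage(debug_text: str) -> dict:
    """Summarise each ISAKMP SA seen in the debug: last state transition, whether
    phase 1 authenticated, whether Quick Mode was started and which NOTIFYs the
    peer sent, with the DOI protocol number decoded."""
    report = defaultdict(_new_record)
    for line in debug_text.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue  # 'ISAKMP:' lines without an SA tag carry nothing we key on
        rec, msg = report[m.group(1)], m.group(2)
        s = STATE_RE.search(msg)
        if s:
            rec["last_state"] = s.group(2)
        if "SA has been authenticated" in msg:
            rec["authenticated"] = True
        if "beginning Quick Mode exchange" in msg:
            rec["qm_started"] = True
        n = NOTIFY_RE.search(msg)
        if n:
            proto = int(n.group(2))
            rec["notifies"].append((n.group(1), DOI_PROTO.get(proto, str(proto))))
    return dict(report)


def verdict(rec: dict) -> str:
    """Turn one SA record into the next thing to check. The hints are general
    IKEv1 troubleshooting guidance, not something the thread confirms."""
    if not rec["authenticated"]:
        return "phase 1 failed: check the pre-shared key, ISAKMP policy and UDP/500 reachability"
    if ("PROPOSAL_NOT_CHOSEN", "ESP") in rec["notifies"]:
        return ("phase 1 OK, peer rejected the ESP proposal in Quick Mode: compare the "
                "transform-set, PFS setting and the crypto ACL proxy IDs (they must mirror)")
    if rec["qm_started"]:
        return "phase 1 OK, Quick Mode started but no NOTIFY seen: look at the peer's debug"
    return "phase 1 OK, no Quick Mode attempted: nothing matched the crypto ACL yet"


if __name__ == "__main__":
    for sa, rec in triage(SAMPLE_DEBUG).items():
        print(f"SA {sa}: last state {rec['last_state']}, notifies {rec['notifies']}")
        print("  ->", verdict(rec))
```

Reading the full debug above the same way: the 837 identifies itself by address (ID type 1) while the PIX answers with an FQDN (ID type 2, BemcoGW001.customer.co.uk), but because the pre-shared key is looked up by peer address phase 1 still authenticates; "peer matches *none* of the profiles" is benign when no ISAKMP profiles are configured. The failure is entirely in Quick Mode, which is consistent with Ajay's reading and with the /16 versus /24 discrepancy Chris noticed.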

Try on the PIX:

"isakmp am-disable"

or look at this closely:

isakmp key presharedkeytexthere address mypublicipaddress netmask 255.255.255.255 no-xauth no-config-mode

Thanks Shone.

We tried that and were still unable to get the tunnel up.

In the end I removed the NAT on my end and altered the access lists, which brought the tunnel up.

Between myself and the guy at the other end, we still could not find anything in our configs to suggest a reason for it not working.

Thanks to everyone who did try to help, though.