05-03-2012 03:08 AM
Hello,
I've recently been asked to configure a new site-to-site VPN between one of our offices and a remote customer site. They have an external IT provider, so I thought this would be a doddle, but it's proving troublesome.
The equipment used at my end: Cisco 837. Their end: Cisco PIX (don't know which model).
Without further hoo-ha, the configs:
Cisco 837
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 0 presharedkeytexthere address customerip no-xauth
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map to_vpn 20 ipsec-isakmp
description Bemco VPN
set peer customerip
set transform-set ESP-3DES-MD5
match address 2008
access-list 2008 remark ************VPN to BEM************
access-list 2008 permit ip 1.1.0.0 0.0.255.255 10.29.0.0 0.0.255.255
access-list 2008 remark
access-list 151 remark ******* NAT source IP to 1.1.5.1 for BEM *******
access-list 151 permit ip 192.168.14.0 0.0.1.255 host 10.29.0.1
Customer PIX:
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption 3des
isakmp policy 11 hash md5
isakmp policy 11 group 2
isakmp policy 11 lifetime 86400
isakmp key presharedkeytexthere address mypublicipaddress netmask 255.255.255.255 no-xauth no-config-mode
crypto ipsec transform-set BEMCO3DES esp-3des esp-md5-hmac
crypto map bemcomap 20 ipsec-isakmp
crypto map bemcomap 20 match address mycompanyname
crypto map bemcomap 20 set peer mypublicipaddress
crypto map bemcomap 20 set transform-set BEMCO3DES
access-list Solarsoft permit ip 10.29.0.0 255.255.255.0 1.1.0.0 255.255.0.0
Once my side kicks off a ping we can see the VPN establishing, but traffic is not exchanging.
Cisco837#sh crypto isakmp sa
f_vrf/i_vrf dst src state conn-id slot
/ remoteIP localIP QM_IDLE 14 0
Cisco837#sh crypto ipsec sa
protected vrf:
local ident (addr/mask/prot/port): (1.1.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.29.0.0/255.255.0.0/0/0)
current_peer: 62.133.4.106:500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2696, #recv errors 0
local crypto endpt.: localIP, remote crypto endpt.: remoteIP
path mtu 1500, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
As always, any help would be most gratefully received. I can provide debugging information from this side if nothing obvious stands out.
Thanks
Chris
05-03-2012 05:05 AM
This simply means phase 2 is failing, most probably an ACL issue.
Looking at the config:
crypto map bemcomap 20 ipsec-isakmp
crypto map bemcomap 20 match address mycompanyname
crypto map bemcomap 20 set peer mypublicipaddress
crypto map bemcomap 20 set transform-set BEMCO3DES
access-list Solarsoft permit ip 10.29.0.0 255.255.255.0 1.1.0.0 255.255.0.0
In crypto map sequence number 20 the match address is called mycompanyname, but it looks like the ACL is configured with the name Solarsoft. Correct this and try again.
Thanks
Ajay
05-03-2012 06:08 AM
Thanks for the reply Ajay,
My company name is solarsoft I just missed changing that to mycompanyname.
Looking at that access list though it seems his network 10.29.0.0 is /24 not /16 as I have recorded in my access-list. I'll reload the access list and apply the policy again and see if that makes a difference.
Thanks
Chris
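A quick check for the point Ajay and Chris are working through, that the two crypto ACLs must be exact mirror images. This is an added example, not code from the thread: it parses the IOS (wildcard-mask) and PIX (netmask) ACL lines quoted above and reports any permit entry with no mirror on the other side; access-list 151 is a NAT ACL, not a crypto ACL, so it is left out.

```python
import ipaddress

Net = ipaddress.IPv4Network

# Crypto ACLs as posted in the thread (sample input embedded for an offline run).
IOS_ACL_2008 = [
    "access-list 2008 remark ************VPN to BEM************",
    "access-list 2008 permit ip 1.1.0.0 0.0.255.255 10.29.0.0 0.0.255.255",
]
PIX_ACL_SOLARSOFT = [
    "access-list Solarsoft permit ip 10.29.0.0 255.255.255.0 1.1.0.0 255.255.0.0",
]
# Constructed: the 837 entry corrected to the /24 Chris found in the PIX ACL.
IOS_ACL_2008_FIXED = [
    "access-list 2008 permit ip 1.1.0.0 0.0.255.255 10.29.0.0 0.0.0.255",
]

def parse_addr(tok, i, wildcard):
    """Parse one address spec at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return Net(tok[i + 1] + "/32"), i + 2
    mask = tok[i + 1]
    if wildcard:  # IOS wildcard (0.0.255.255) -> netmask (255.255.0.0)
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return Net((tok[i], mask), strict=False), i + 2

def parse_acl(lines, wildcard):
    """Return (src, dst) pairs of 'permit ip' entries; remarks and denies are skipped."""
    pairs = []
    for line in lines:
        tok = line.split()
        if "permit" not in tok:
            continue
        i = tok.index("permit") + 1
        if tok[i] != "ip":  # protocol/port proxies are out of scope here
            continue
        src, i = parse_addr(tok, i + 1, wildcard)
        dst, _ = parse_addr(tok, i, wildcard)
        pairs.append((src, dst))
    return pairs

def mirror_mismatches(local_pairs, remote_pairs):
    """Entries on either side that have no exact (dst, src) mirror on the other."""
    remote_mirrors = {(d, s) for s, d in remote_pairs}
    local_set = set(local_pairs)
    bad_local = [p for p in local_pairs if p not in remote_mirrors]
    bad_remote = [p for p in remote_pairs if (p[1], p[0]) not in local_set]
    return bad_local, bad_remote

if __name__ == "__main__":
    print(mirror_mismatches(parse_acl(IOS_ACL_2008, True), parse_acl(PIX_ACL_SOLARSOFT, False)))
    print(mirror_mismatches(parse_acl(IOS_ACL_2008_FIXED, True), parse_acl(PIX_ACL_SOLARSOFT, False)))
```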
05-03-2012 07:02 AM
This doesn't seem to have made a difference.
Here is the output debugging info this side:
000037: *Mar 1 00:48:17.779 GMT: ISAKMP (0:3): Can not start Aggressive mode, trying Main mode.
000038: *Mar 1 00:48:17.779 GMT: ISAKMP: Looking for a matching key for 62.133.4.106 in default : success
000039: *Mar 1 00:48:17.779 GMT: ISAKMP (0:3): found peer pre-shared key matching 62.133.4.106
000040: *Mar 1 00:48:17.783 GMT: ISAKMP (0:3): constructed NAT-T vendor-03 ID
000041: *Mar 1 00:48:17.783 GMT: ISAKMP (0:3): constructed NAT-T vendor-02 ID
000042: *Mar 1 00:48:17.783 GMT: ISAKMP (0:3): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
000043: *Mar 1 00:48:17.783 GMT: ISAKMP (0:3): Old State = IKE_READY New State = IKE_I_MM1
000044: *Mar 1 00:48:17.783 GMT: ISAKMP (0:3): beginning Main Mode exchange
000045: *Mar 1 00:48:17.783 GMT: ISAKMP (0:3): sending packet to 62.133.4.106 my_port 500 peer_port 500 (I) MM_NO_STATE
000046: *Mar 1 00:48:17.787 GMT: ISAKMP (0:2): deleting SA reason "" state (I) QM_IDLE (peer 62.133.4.106) input queue 0
000047: *Mar 1 00:48:17.787 GMT: ISAKMP (0:2): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000048: *Mar 1 00:48:17.787 GMT: ISAKMP (0:2): Old State = IKE_DEST_SA New State = IKE_DEST_SA
000049: *Mar 1 00:48:17.879 GMT: ISAKMP (0:3): received packet from 62.133.4.106 dport 500 sport 500 Global (I) MM_NO_STATE
000050: *Mar 1 00:48:17.879 GMT: ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000051: *Mar 1 00:48:17.879 GMT: ISAKMP (0:3): Old State = IKE_I_MM1 New State = IKE_I_MM2
000052: *Mar 1 00:48:17.883 GMT: ISAKMP (0:3): processing SA payload. message ID = 0
000053: *Mar 1 00:48:17.883 GMT: ISAKMP (0:3): processing vendor id payload
000054: *Mar 1 00:48:17.883 GMT: ISAKMP (0:3): vendor ID seems Unity/DPD but major 157 mismatch
000055: *Mar 1 00:48:17.883 GMT: ISAKMP (0:3): vendor ID is NAT-T v3
000056: *Mar 1 00:48:17.883 GMT: ISAKMP (0:3): processing vendor id payload
000057: *Mar 1 00:48:17.883 GMT: ISAKMP (0:3): vendor ID seems Unity/DPD but major 123 mismatch
000058: *Mar 1 00:48:17.883 GMT: ISAKMP (0:3): vendor ID is NAT-T v2
000059: *Mar 1 00:48:17.887 GMT: ISAKMP: Looking for a matching key for 62.133.4.106 in default : success
000060: *Mar 1 00:48:17.887 GMT: ISAKMP (0:3): found peer pre-shared key matching 62.133.4.106
000061: *Mar 1 00:48:17.887 GMT: ISAKMP (0:3) local preshared key found
000062: *Mar 1 00:48:17.887 GMT: ISAKMP (0:3): Checking ISAKMP transform 1 against priority 1 policy
000063: *Mar 1 00:48:17.887 GMT: ISAKMP: encryption 3DES-CBC
000064: *Mar 1 00:48:17.887 GMT: ISAKMP: hash MD5
000065: *Mar 1 00:48:17.887 GMT: ISAKMP: default group 2
000066: *Mar 1 00:48:17.887 GMT: ISAKMP: auth pre-share
000067: *Mar 1 00:48:17.887 GMT: ISAKMP: life type in seconds
000068: *Mar 1 00:48:17.887 GMT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
000069: *Mar 1 00:48:17.891 GMT: ISAKMP (0:3): atts are acceptable. Next payload is 0
000070: *Mar 1 00:48:18.331 GMT: ISAKMP (0:3): processing vendor id payload
000071: *Mar 1 00:48:18.331 GMT: ISAKMP (0:3): vendor ID seems Unity/DPD but major 157 mismatch
000072: *Mar 1 00:48:18.331 GMT: ISAKMP (0:3): vendor ID is NAT-T v3
000073: *Mar 1 00:48:18.331 GMT: ISAKMP (0:3): processing vendor id payload
000074: *Mar 1 00:48:18.331 GMT: ISAKMP (0:3): vendor ID seems Unity/DPD but major 123 mismatch
000075: *Mar 1 00:48:18.331 GMT: ISAKMP (0:3): vendor ID is NAT-T v2
000076: *Mar 1 00:48:18.335 GMT: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000077: *Mar 1 00:48:18.335 GMT: ISAKMP (0:3): Old State = IKE_I_MM2 New State = IKE_I_MM2
000078: *Mar 1 00:48:18.335 GMT: ISAKMP (0:3): constructed HIS NAT-D
000079: *Mar 1 00:48:18.335 GMT: ISAKMP (0:3): constructed MINE NAT-D
000080: *Mar 1 00:48:18.339 GMT: ISAKMP (0:3): sending packet to 62.133.4.106 my_port 500 peer_port 500 (I) MM_SA_SETUP
000081: *Mar 1 00:48:18.339 GMT: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000082: *Mar 1 00:48:18.339 GMT: ISAKMP (0:3): Old State = IKE_I_MM2 New State = IKE_I_MM3
000083: *Mar 1 00:48:18.427 GMT: ISAKMP (0:3): received packet from 62.133.4.106 dport 500 sport 500 Global (I) MM_SA_SETUP
000084: *Mar 1 00:48:18.427 GMT: ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000085: *Mar 1 00:48:18.431 GMT: ISAKMP (0:3): Old State = IKE_I_MM3 New State = IKE_I_MM4
000086: *Mar 1 00:48:18.431 GMT: ISAKMP (0:3): processing KE payload. message ID = 0
000087: *Mar 1 00:48:18.867 GMT: ISAKMP (0:3): processing NONCE payload. message ID = 0
000088: *Mar 1 00:48:18.867 GMT: ISAKMP: Looking for a matching key for 62.133.4.106 in default : success
000089: *Mar 1 00:48:18.867 GMT: ISAKMP (0:3): found peer pre-shared key matching 62.133.4.106
000090: *Mar 1 00:48:18.871 GMT: ISAKMP (0:3): SKEYID state generated
000091: *Mar 1 00:48:18.871 GMT: ISAKMP (0:3): processing vendor id payload
000092: *Mar 1 00:48:18.871 GMT: ISAKMP (0:3): vendor ID seems Unity/DPD but major 215 mismatch
000093: *Mar 1 00:48:18.871 GMT: ISAKMP (0:3): vendor ID is XAUTH
000094: *Mar 1 00:48:18.871 GMT: ISAKMP (0:3): processing vendor id payload
000095: *Mar 1 00:48:18.871 GMT: ISAKMP (0:3): vendor ID is DPD
000096: *Mar 1 00:48:18.875 GMT: ISAKMP (0:3): processing vendor id payload
000097: *Mar 1 00:48:18.875 GMT: ISAKMP (0:3): vendor ID is Unity
000098: *Mar 1 00:48:18.875 GMT: ISAKMP:received payload type 17
000099: *Mar 1 00:48:18.875 GMT: ISAKMP (0:3): Detected NAT-D payload
000100: *Mar 1 00:48:18.875 GMT: ISAKMP (0:3): NAT match MINE hash
000101: *Mar 1 00:48:18.875 GMT: ISAKMP:received payload type 17
000102: *Mar 1 00:48:18.875 GMT: ISAKMP (0:3): Detected NAT-D payload
000103: *Mar 1 00:48:18.875 GMT: ISAKMP (0:3): NAT match HIS hash
000104: *Mar 1 00:48:18.879 GMT: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000105: *Mar 1 00:48:18.879 GMT: ISAKMP (0:3): Old State = IKE_I_MM4 New State = IKE_I_MM4
000106: *Mar 1 00:48:18.879 GMT: ISAKMP (0:3): Send initial contact
000107: *Mar 1 00:48:18.879 GMT: ISAKMP (0:3): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
000108: *Mar 1 00:48:18.879 GMT: ISAKMP (3): ID payload
next-payload : 8
type : 1
addr : mypublicip
protocol : 17
port : 500
length : 8
000109: *Mar 1 00:48:18.883 GMT: ISAKMP (3): Total payload length: 12
000110: *Mar 1 00:48:18.887 GMT: ISAKMP (0:3): sending packet to 62.133.4.106 my_port 500 peer_port 500 (I) MM_KEY_EXCH
000111: *Mar 1 00:48:18.887 GMT: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000112: *Mar 1 00:48:18.887 GMT: ISAKMP (0:3): Old State = IKE_I_MM4 New State = IKE_I_MM5
000113: *Mar 1 00:48:18.919 GMT: ISAKMP (0:3): received packet from 62.133.4.106 dport 500 sport 500 Global (I) MM_KEY_EXCH
000114: *Mar 1 00:48:18.923 GMT: ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000115: *Mar 1 00:48:18.923 GMT: ISAKMP (0:3): Old State = IKE_I_MM5 New State = IKE_I_MM6
000116: *Mar 1 00:48:18.923 GMT: ISAKMP (0:3): processing ID payload. message ID = 0
000117: *Mar 1 00:48:18.923 GMT: ISAKMP (3): Process ID payload
type : 2
FQDN name : BemcoGW001.customer.co.uk
protocol : 17
port : 500
length : 22
000118: *Mar 1 00:48:18.927 GMT: ISAKMP (0:3): processing HASH payload. message ID = 0
000119: *Mar 1 00:48:18.927 GMT: ISAKMP (0:3): SA has been authenticated with 62.133.4.106
000120: *Mar 1 00:48:18.927 GMT: ISAKMP (0:3): peer matches *none* of the profiles
000121: *Mar 1 00:48:18.931 GMT: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000122: *Mar 1 00:48:18.931 GMT: ISAKMP (0:3): Old State = IKE_I_MM6 New State = IKE_I_MM6
000123: *Mar 1 00:48:18.931 GMT: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000124: *Mar 1 00:48:18.935 GMT: ISAKMP (0:3): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
000125: *Mar 1 00:48:18.935 GMT: ISAKMP (0:3): beginning Quick Mode exchange, M-ID of 67383951
000126: *Mar 1 00:48:18.943 GMT: ISAKMP (0:3): sending packet to 62.133.4.106 my_port 500 peer_port 500 (I) QM_IDLE
000127: *Mar 1 00:48:18.943 GMT: ISAKMP (0:3): Node 67383951, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
000128: *Mar 1 00:48:18.943 GMT: ISAKMP (0:3): Old State = IKE_QM_READY New State = IKE_QM_I_QM1
000129: *Mar 1 00:48:18.947 GMT: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
000130: *Mar 1 00:48:18.947 GMT: ISAKMP (0:3): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
000131: *Mar 1 00:48:18.975 GMT: ISAKMP (0:3): received packet from 62.133.4.106 dport 500 sport 500 Global (I) QM_IDLE
000132: *Mar 1 00:48:18.979 GMT: ISAKMP: set new node -1026484243 to QM_IDLE
000133: *Mar 1 00:48:18.987 GMT: ISAKMP (0:3): processing HASH payload. message ID = -1026484243
000134: *Mar 1 00:48:18.987 GMT: ISAKMP (0:3): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1853088444, message ID = -1026484243, sa = 814CB8BC
000135: *Mar 1 00:48:18.987 GMT: ISAKMP (0:3): deleting spi 1853088444 message ID = 67383951
000136: *Mar 1 00:48:18.987 GMT: ISAKMP (0:3): deleting node 67383951 error TRUE reason "delete_larval"
000137: *Mar 1 00:48:18.987 GMT: ISAKMP (0:3): deleting node -1026484243 error FALSE reason "informational (in) state 1"
000138: *Mar 1 00:48:18.987 GMT: ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
000139: *Mar 1 00:48:18.987 GMT: ISAKMP (0:3): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Thanks
Chris
05-07-2012 02:09 PM
try on PIX
"isakmp am-disable"
or look at this closely:
isakmp key presharedkeytexthere address mypublicipaddress netmask 255.255.255.255 no-xauth no-config-mode
06-25-2012 04:36 AM
Thanks Shone.
We tried that and still were unable to get the tunnel up.
In the end I ended up removing the NAT on my end and altering the access lists, which brought the tunnel up.
Between myself and the other guy at the far end we could still not find anything in our configs to suggest a reason for it not working.
Thanks to everyone who did try to help, though.