01-11-2010 10:48 AM
I am trying to create a tunnel between a 2811 and a 7206. The 7200 is the headend with multiple circuits connected in the same broadcast domain. The 7200 is 10.49.163.1 with at the moment 2 other circuits, 10.49.163.2 amd 10.49.163.3. I need to encrypt certain traffic over this link, i have created a crypto map with multiple instances on the head end:
crypto map CRYPTOMAP 5 ipsec-isakmp
set peer 10.49.163.2
set transform-set CRYPTOSET
match address 101
crypto map CRYPTOMAP 10 ipsec-isakmp
set peer 10.49.163.3
set transform-set CRYPTOSET
match address 105
On the 10.49.163.2 router everything is working and passing traffic, on the .3 side is another story. When doing a sh crypto ip sa i get:
interface: FastEthernet0/1
Crypto map tag: CRYPTOMAP, local addr 10.49.163.3
protected vrf: (none)
local ident (addr/mask/prot/port): (10.49.32.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
current_peer 10.49.163.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 53, #recv errors 0
Here is the debug from a "debug crypto ip and isa"
Jan 11 13:37:57.237: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.49.163.3, remote= 10.49.163.1,
local_proxy= 10.49.32.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xCA4CDD31(3394034993), conn_id= 0, keysize= 0, flags= 0x400A
Jan 11 13:37:57.241: ISAKMP: received ke message (1/1)
Jan 11 13:37:57.241: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
Jan 11 13:37:57.241: ISAKMP: Created a peer struct for 10.49.163.1, peer port 500
Jan 11 13:37:57.241: ISAKMP: New peer created peer = 0x470157B8 peer_handle = 0x80000010
Jan 11 13:37:57.241: ISAKMP: Locking peer struct 0x470157B8, IKE refcount 1 for isakmp_initiator
Jan 11 13:37:57.241: ISAKMP: local port 500, remote port 500
Jan 11 13:37:57.241: ISAKMP: set new node 0 to QM_IDLE
Jan 11 13:37:57.241: insert sa successfully sa = 4682CA58
Jan 11 13:37:57.241: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
Jan 11 13:37:57.241: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.49.163.1
Jan 11 13:37:57.241: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
Jan 11 13:37:57.245: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
Jan 11 13:37:57.245: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
Jan 11 13:37:57.245: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jan 11 13:37:57.245: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
Jan 11 13:37:57.245: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
Jan 11 13:37:57.245: ISAKMP:(0:0:N/A:0): sending packet to 10.49.163.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Jan 11 13:37:57.269: ISAKMP (0:0): received packet from 10.49.163.1 dport 500 sport 500 Global (I) MM_NO_STATE
Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0): processing vendor id payload
Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
Jan 11 13:37:57.273: ISAKMP (0:0): vendor ID is NAT-T v7
Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.49.163.1
Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0): local preshared key found
Jan 11 13:37:57.273: ISAKMP : Scanning profiles for xauth ...
Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
Jan 11 13:37:57.273: ISAKMP: encryption 3DES-CBC
Jan 11 13:37:57.273: ISAKMP: hash MD5
Jan 11 13:37:57.273: ISAKMP: default group 1
Jan 11 13:37:57.273: ISAKMP: auth pre-share
Jan 11 13:37:57.273: ISAKMP: life type in seconds
Jan 11 13:37:57.273: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
Jan 11 13:37:57.297: ISAKMP:(0:1:SW:1): processing vendor id payload
Jan 11 13:37:57.297: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
Jan 11 13:37:57.297: ISAKMP (0:134217729): vendor ID is NAT-T v7
Jan 11 13:37:57.297: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 11 13:37:57.297: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM2
Jan 11 13:37:57.301: ISAKMP:(0:1:SW:1): sending packet to 10.49.163.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jan 11 13:37:57.301: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 11 13:37:57.301: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM3
Jan 11 13:37:57.341: ISAKMP (0:134217729): received packet from 10.49.163.1 dport 500 sport 500 Global (I) MM_SA_SETUP
Jan 11 13:37:57.341: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 11 13:37:57.341: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3 New State = IKE_I_MM4
Jan 11 13:37:57.341: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 10.49.163.1
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1):SKEYID state generated
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1): processing vendor id payload
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1): vendor ID is Unity
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1): processing vendor id payload
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1): vendor ID is DPD
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1): processing vendor id payload
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1): speaking to another IOS box!
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM4
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1):Send initial contact
Jan 11 13:37:57.377: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jan 11 13:37:57.377: ISAKMP (0:134217729): ID payload
next-payload : 8
type : 1
address : 10.49.163.3
protocol : 17
port : 500
length : 12
Jan 11 13:37:57.377: ISAKMP:(0:1:SW:1):Total payload length: 12
Jan 11 13:37:57.377: ISAKMP:(0:1:SW:1): sending packet to 10.49.163.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Jan 11 13:37:57.377: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 11 13:37:57.377: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5
Jan 11 13:37:57.409: ISAKMP (0:134217729): received packet from 10.49.163.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0
Jan 11 13:37:57.413: ISAKMP (0:134217729): ID payload
next-payload : 8
type : 1
address : 10.49.163.1
protocol : 17
port : 500
length : 12
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 0
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1):SA authentication status:
authenticated
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1):SA has been authenticated with 10.49.163.1
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1):IKE_DPD is enabled, initializing timers
Jan 11 13:37:57.413: ISAKMP: Trying to insert a peer 10.49.163.3/10.49.163.1/500/, and inserted successfully 470157B8.
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5 New State = IKE_I_MM6
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6 New State = IKE_I_MM6
Jan 11 13:37:57.417: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 11 13:37:57.417: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Jan 11 13:37:57.417: ISAKMP:(0:1:SW:1):beginning Quick Mode exchange, M-ID of 5768661
Jan 11 13:37:57.421: ISAKMP:(0:1:SW:1): sending packet to 10.49.163.1 my_port 500 peer_port 500 (I) QM_IDLE
Jan 11 13:37:57.421: ISAKMP:(0:1:SW:1):Node 5768661, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jan 11 13:37:57.421: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Jan 11 13:37:57.421: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jan 11 13:37:57.421: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jan 11 13:37:57.453: ISAKMP (0:134217729): received packet from 10.49.163.1 dport 500 sport 500 Global (I) QM_IDLE
Jan 11 13:37:57.453: ISAKMP: set new node 334635566 to QM_IDLE
Jan 11 13:37:57.453: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 334635566
Jan 11 13:37:57.453: ISAKMP:(0:1:SW:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 3394034993, message ID = 334635566, sa = 4682CA58
Jan 11 13:37:57.453: ISAKMP:(0:1:SW:1): deleting spi 3394034993 message ID = 5768661
Jan 11 13:37:57.453: ISAKMP:(0:1:SW:1):deleting node 5768661 error TRUE reason "Delete Larval"
Jan 11 13:37:57.453: ISAKMP:(0:1:SW:1):deleting node 334635566 error FALSE reason "Informational (in) state 1"
Jan 11 13:37:57.453: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jan 11 13:37:57.453: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jan 11 13:38:27.238: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 10.49.163.3, remote= 10.49.163.1,
local_proxy= 10.49.32.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4)
Jan 11 13:38:27.238: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.49.163.3, remote= 10.49.163.1,
local_proxy= 10.49.32.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x390CCAED(957139693), conn_id= 0, keysize= 0, flags= 0x400A
Jan 11 13:38:27.238: ISAKMP: received ke message (1/1)
Jan 11 13:38:27.238: ISAKMP: set new node 0 to QM_IDLE
Jan 11 13:38:27.238: ISAKMP:(0:1:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE )
Jan 11 13:38:27.238: ISAKMP:(0:1:SW:1):beginning Quick Mode exchange, M-ID of -1471990271
Jan 11 13:38:27.242: ISAKMP:(0:1:SW:1): sending packet to 10.49.163.1 my_port 500 peer_port 500 (I) QM_IDLE
Jan 11 13:38:27.242: ISAKMP:(0:1:SW:1):Node -1471990271, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jan 11 13:38:27.242: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Jan 11 13:38:27.298: ISAKMP (0:134217729): received packet from 10.49.163.1 dport 500 sport 500 Global (I) QM_IDLE
Jan 11 13:38:27.298: ISAKMP: set new node -1557550641 to QM_IDLE
Jan 11 13:38:27.302: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -1557550641
Jan 11 13:38:27.302: ISAKMP:(0:1:SW:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 957139693, message ID = -1557550641, sa = 4682CA58
Jan 11 13:38:27.302: ISAKMP:(0:1:SW:1): deleting spi 957139693 message ID = -1471990271
Jan 11 13:38:27.302: ISAKMP:(0:1:SW:1):deleting node -1471990271 error TRUE reason "Delete Larval"
Jan 11 13:38:27.302: ISAKMP:(0:1:SW:1):deleting node -1557550641 error FALSE reason "Informational (in) state 1"
Jan 11 13:38:27.302: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jan 11 13:38:27.302: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jan 11 13:38:47.454: ISAKMP:(0:1:SW:1):purging node 5768661
Jan 11 13:38:47.454: ISAKMP:(0:1:SW:1):purging node 334635566
Jan 11 13:38:57.239: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 10.49.163.3, remote= 10.49.163.1,
local_proxy= 10.49.32.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4)
Jan 11 13:38:57.239: ISAKMP: received ke message (3/1)
Jan 11 13:38:57.239: ISAKMP:(0:1:SW:1):peer does not do paranoid keepalives.
Jan 11 13:38:57.239: ISAKMP:(0:1:SW:1):deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE (peer 10.49.163.1)
Jan 11 13:38:57.239: ISAKMP: set new node 1934363591 to QM_IDLE
Jan 11 13:38:57.239: ISAKMP:(0:1:SW:1): sending packet to 10.49.163.1 my_port 500 peer_port 500 (I) QM_IDLE
Jan 11 13:38:57.239: ISAKMP:(0:1:SW:1):purging node 1934363591
Jan 11 13:38:57.243: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jan 11 13:38:57.243: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Jan 11 13:38:57.243: ISAKMP:(0:1:SW:1):deleting SA reason "No reason" state (I) QM_IDLE (peer 10.49.163.1)
Jan 11 13:38:57.243: ISAKMP: Unlocking IKE struct 0x470157B8 for isadb_mark_sa_deleted(), count 0
Jan 11 13:38:57.243: ISAKMP: Deleting peer node by peer_reap for 10.49.163.1: 470157B8
Jan 11 13:38:57.243: ISAKMP:(0:1:SW:1):deleting node -1471990271 error FALSE reason "IKE deleted"
Jan 11 13:38:57.243: ISAKMP:(0:1:SW:1):deleting node -1557550641 error FALSE reason "IKE deleted"
Jan 11 13:38:57.243: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 11 13:38:57.243: ISAKMP:(0:1:SW:1):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Jan 11 13:38:57.243: IPSEC(key_engine): got a queue event with 1 kei messages
01-12-2010 05:27 AM
As an update if I take off the first tunnel the 2nd tunnel comes up and passes traffic???? Is there something wrong with the router? Or maybe the interface, it is a 4 port ethernet card.
01-12-2010 07:10 AM
FIXED! Add the command on the head-end 7206 interface: no ip route-cache
Tunnel came up and is now working, I would still like to know why I have to add this?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide