Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
789
Views
0
Helpful
3
Replies

VPN IPSec CIsco 2911 and SBC 6300

Nedeljko Scepanovic
Level 1
Level 1

‎03-22-2016 01:34 PM - edited ‎02-21-2020 08:44 PM

Hello,

I am trying to start IPSEC tunnel between 2 location. My location use Router 2911, and second location, uses SBC 6300. I do not have any experince with SBC 6300. For now, we did not get Phase 1 UP.

VPN_Gand#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
217.xxx.xxx.250 88.xxx.xxxx239  MM_SA_SETUP          0 ACTIVE
217.xxx.xxxx.250 88.xxx.xxx.239  MM_NO_STATE          0 ACTIVE (deleted)

Router 2911 config:

crypto isakmp policy 80
 encr 3des
 authentication pre-share
 group 2
 
 
 crypto isakmp key 0xxxxxxxxxxc address 88.xxx.xxx.239
 crypto ipsec transform-set TSet esp-3des esp-sha-hmac
 
 
  Extended IP access list ACL_VPN
    10 permit ip host 77.xxx.xxx.66 host 88.xxx.xxx.239


 crypto map VPN 80 ipsec-isakmp
 set peer 88.xxx.xxx.239
 set transform-set TSet
 match address ACL_VPN


SBC 6300 config:
ike-interface
        address                                 88.xxx.xxx.239
        realm-id                                p_orion
        ike-mode                                initiator
        local-address-pool-id-list
        dpd-params-name                         dpd-params-test
        v2-ike-life-secs
        v2-ipsec-life-secs
        shared-password                         ********
        options
        eap-protocol                            eap-radius-passthru
        addr-assignment
        sd-authentication-method                none
        certificate-profile-id-list
        tunnel-orig-name-list
        last-modified-by                        admin@198.xx.xx.136
        last-modified-date                      2016-03-04 12:20:14
ike-sainfo
        name                                    ike-sa-orion
        security-protocol                       esp-auth
        auth-algo                               sha1
        encryption-algo                         3des
        ipsec-mode                              tunnel
        tunnel-local-addr                       88.xx.xxx.x39
        tunnel-remote-addr                      217.xx.xxx.250
        last-modified-by                        admin@1xx.xxx.x36
        last-modified-date                      2016-03-01 08:48:59

security-policy
        name                                    sp-orion-ike
        network-interface                       ext:3000
        priority                                111
        local-ip-addr-match                     88.xxx.xxx.239
        remote-ip-addr-match                    217.xxx.xxx.250
        local-port-match                        500
        remote-port-match                       500
        trans-protocol-match                    ALL
        direction                               both
        local-ip-mask                           255.255.255.255
        remote-ip-mask                          255.255.255.255
        action                                  allow
        outbound-sa-fine-grained-mask
                local-ip-mask                           255.255.255.255
                remote-ip-mask                          255.255.255.255
                local-port-mask                         0
                remote-port-mask                        0
                trans-protocol-mask                     0
                valid                                   enabled
                vlan-mask                               0xFFF
        ike-sainfo-name
        last-modified-by                        admin@198.xxx.xxx.136
        last-modified-date                      2016-03-01 08:50:08
security-policy
        name                                    sp-orion-ike-ipsec
        network-interface                       ext:3000
        priority                                112
        local-ip-addr-match                     88.xxx.xxx.239
        remote-ip-addr-match                    77.xxx.xxx.66
        local-port-match                        0
        remote-port-match                       0
        trans-protocol-match                    ALL
        direction                               both
        local-ip-mask                           255.255.255.255
        remote-ip-mask                          255.255.255.255
        action                                  ipsec
        outbound-sa-fine-grained-mask
                local-ip-mask                           255.255.255.255
                remote-ip-mask                          255.255.255.255
                local-port-mask                         0
                remote-port-mask                        0
                trans-protocol-mask                     0
                valid                                   enabled
                vlan-mask                               0xFFF
        ike-sainfo-name                         ike-sa-orion
        last-modified-by                        admin@198.xxx.xxx.136
        last-modified-date                      2016-03-01 08:50:18

CCNA R&S, CCNA Security
Labels:
0 Helpful
3 Replies 3

Philip D'Ath
VIP Alumni
VIP Alumni

‎03-22-2016 02:46 PM

Your side looks ok to me.

I can't see anything about the Diffe Helman group configuration on the SBC, so perhaps try removing the "group 2" on your side.

0 Helpful

Nedeljko Scepanovic
Level 1
Level 1
In response to Philip D'Ath

‎03-23-2016 02:09 AM

Now I got and second part of configuration.


ike-config
        state                                   enabled
        ike-version                             1
        log-level                               INFO
        udp-port                                500
        negotiation-timeout                     15
        event-timeout                           60
        phase1-mode                             main
        phase1-dh-mode                          dh-group2
        v2-ike-life-secs                        86400
        v2-ipsec-life-secs                      28800
        phase1-life-seconds                     3600
        phase1-life-secs-max                    86400
        phase2-life-seconds                     28800
        phase2-life-secs-max                    86400
        phase2-exchange-mode                    dh-group2
        shared-password                         ********
        options
        eap-protocol                            eap-radius-passthru
        addr-assignment                         local
        eap-bypass-identity                     disabled
        red-port                                0
        red-max-trans                           10000
        red-sync-start-time                     5000
        red-sync-comp-time                      1000
        dpd-time-interval                       60
        overload-threshold                      100
        overload-interval                       1
        overload-action                         none
        overload-critical-threshold             100
        overload-critical-interval              1
        sd-authentication-method                shared-password

CCNA R&S, CCNA Security
0 Helpful

Nedeljko Scepanovic
Level 1
Level 1
In response to Nedeljko Scepanovic

‎03-23-2016 04:14 AM

I do not understand this lines... why two lines for the same peer ? One active but with 0 id_Conn, and secound, Active, but deleted....

VPN_Gand#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
217.xxx.xxx.250 88.xxx.xxxx239  MM_SA_SETUP          0 ACTIVE
217.xxx.xxxx.250 88.xxx.xxx.239  MM_NO_STATE          0 ACTIVE (deleted)

CCNA R&S, CCNA Security
0 Helpful
Customers Also Viewed These Support Documents