VPN IPSec Hash mismatch

Hi everyone,

I am trying to establish a VPN tunnel to another site but I am getting a hash mismatch when I debug. Please see the config and the debug isakmp sa result below.

Will there be a problem if I use esp-3des esp-sha-hmac and the remote site uses ESP-3DES-SHA in the Phase 2 IPsec rule?

Remote site using Cisco ASA:

Source: 10.0.0.0/20

Destination: 10.65.0.0/19

 

IKE using 3des MD5 DH group 2 lifetime 28800

also allowing 3des SHA group 2 lifetime 28800

 

Crypto Map

Using ESP-3DES-SHA for transform set

PEER: 116.xxx.xxx..242

SA Lifetime: 28800

IKE Negotiation mode MAIN

My Cisco router:

crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800

crypto isakmp key ***** address 64.xxx.xxx..130

crypto ipsec transform-set eq-ipsec esp-3des esp-sha-hmac
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 10 periodic

crypto map eq-ipsec 4 ipsec-isakmp
 description non-vti ipsec tunnels to Remote Site
 set peer 64.xxx.xxx..130
 set security-association lifetime seconds 28800
 set transform-set eq-ipsec
 match address eq-ipsec-4
 reverse-route static

ip access-list extended eq-ipsec-4
 permit ip 10.65.0.0 0.0.63.255 10.0.0.0 0.0.15.255
 permit ip 10.65.0.0 0.0.63.255 10.0.1.0 0.0.0.255

show crypto isa sa:

64.132.78.130   116.214.96.242  MM_NO_STATE       1099    0 ACTIVE (deleted)
64.132.78.130   116.214.96.242  MM_NO_STATE       1098    0 ACTIVE (deleted)

show crypto session:

Interface: GigabitEthernet0/1
Session status: DOWN-NEGOTIATING
Peer: 64.xxx.xxx.130 port 500
  IKE SA: local 116.xxx.xxx..242/500 remote 64.xxx.xxx.130/500 Inactive
  IKE SA: local 116.xxx.xxx..242/500 remote 64.xxx.xxx.130/500 Inactive
  IPSEC FLOW: permit ip 10.65.0.0/255.255.192.0 10.0.0.0/255.255.240.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.65.0.0/255.255.192.0 10.0.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map

debug crypto isakmp sa:

Jun 29 20:23:52.390: ISAKMP: Created a peer struct for 64.xxx.xxx.130, peer port 500
Jun 29 20:23:52.390: ISAKMP: New peer created peer = 0x76108C0 peer_handle = 0x800031FE
Jun 29 20:23:52.390: ISAKMP: Locking peer struct 0x76108C0, refcount 1 for isakmp_initiator
Jun 29 20:23:52.390: ISAKMP: local port 500, remote port 500
Jun 29 20:23:52.390: ISAKMP: set new node 0 to QM_IDLE
Jun 29 20:23:52.390: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 750CB80
Jun 29 20:23:52.390: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Jun 29 20:23:52.390: ISAKMP:(0):found peer pre-shared key matching 64.xxx.xxx.130
Jun 29 20:23:52.390: ISAKMP:(0): constructed NAT-T vendor-07 ID
Jun 29 20:23:52.390: ISAKMP:(0): constructed NAT-T vendor-03 ID
Jun 29 20:23:52.390: ISAKMP:(0): constructed NAT-T vendor-02 ID
Jun 29 20:23:52.390: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jun 29 20:23:52.390: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Jun 29 20:23:52.390: ISAKMP:(0): beginning Main Mode exchange
Jun 29 20:23:52.390: ISAKMP:(0): sending packet to 64.xxx.xxx.130 my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 29 20:23:52.614: ISAKMP (0:0): received packet from 64.xxx.xxx.130 dport 500 sport 500 Global (I) MM_NO_STATE
Jun 29 20:23:52.614: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 29 20:23:52.614: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

Jun 29 20:23:52.614: ISAKMP:(0): processing SA payload. message ID = 0
Jun 29 20:23:52.614: ISAKMP:(0): processing vendor id payload
Jun 29 20:23:52.614: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
Jun 29 20:23:52.614: ISAKMP:(0):found peer pre-shared key matching 64.xxx.xxx.130
Jun 29 20:23:52.614: ISAKMP:(0): local preshared key found
Jun 29 20:23:52.614: ISAKMP : Scanning profiles for xauth ... isakmp-vpn-243c4476-0 isakmp-vpn-243c4476-1
Jun 29 20:23:52.614: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
Jun 29 20:23:52.614: ISAKMP:      encryption 3DES-CBC
Jun 29 20:23:52.618: ISAKMP:      hash MD5
Jun 29 20:23:52.618: ISAKMP:      default group 2
Jun 29 20:23:52.618: ISAKMP:      auth pre-share
Jun 29 20:23:52.618: ISAKMP:      life type in seconds
Jun 29 20:23:52.618: ISAKMP:      life duration (basic) of 28800
Jun 29 20:23:52.618: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jun 29 20:23:52.618: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jun 29 20:23:52.618: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
Jun 29 20:23:52.618: ISAKMP:      encryption 3DES-CBC
Jun 29 20:23:52.618: ISAKMP:      hash MD5
Jun 29 20:23:52.618: ISAKMP:      default group 2
Jun 29 20:23:52.618: ISAKMP:      auth pre-share
Jun 29 20:23:52.618: ISAKMP:      life type in seconds
Jun 29 20:23:52.618: ISAKMP:      life duration (basic) of 28800
Jun 29 20:23:52.618: ISAKMP:(0):Hash algorithm offered does not match policy!
Jun 29 20:23:52.618: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jun 29 20:23:52.618: ISAKMP:(0):Checking ISAKMP transform 3 against priority 3 policy
Jun 29 20:23:52.618: ISAKMP:      encryption 3DES-CBC
Jun 29 20:23:52.618: ISAKMP:      hash MD5
Jun 29 20:23:52.618: ISAKMP:      default group 2
Jun 29 20:23:52.618: ISAKMP:      auth pre-share
Jun 29 20:23:52.618: ISAKMP:      life type in seconds
Jun 29 20:23:52.618: ISAKMP:      life duration (basic) of 28800
Jun 29 20:23:52.618: ISAKMP:(0):atts are acceptable. Next payload is 0
Jun 29 20:23:52.618: ISAKMP:(0): processing vendor id payload
Jun 29 20:23:52.618: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
Jun 29 20:23:52.618: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 29 20:23:52.618: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

Jun 29 20:23:52.618: ISAKMP:(0): sending packet to 64.xxx.xxx.130 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jun 29 20:23:52.618: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 29 20:23:52.618: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

Jun 29 20:23:52.842: ISAKMP (0:0): received packet from 64.xxx.xxx.130 dport 500 sport 500 Global (I) MM_SA_SETUP
Jun 29 20:23:52.846: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 29 20:23:52.846: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

Jun 29 20:23:52.846: ISAKMP:(0): processing KE payload. message ID = 0
Jun 29 20:23:52.850: ISAKMP:(0): processing NONCE payload. message ID = 0
Jun 29 20:23:52.850: ISAKMP:(0):found peer pre-shared key matching 64.xxx.xxx.130
Jun 29 20:23:52.850: ISAKMP:(1103): processing vendor id payload
Jun 29 20:23:52.850: ISAKMP:(1103): vendor ID is Unity
Jun 29 20:23:52.850: ISAKMP:(1103): processing vendor id payload
Jun 29 20:23:52.850: ISAKMP:(1103): vendor ID seems Unity/DPD but major 134 mismatch
Jun 29 20:23:52.850: ISAKMP:(1103): vendor ID is XAUTH
Jun 29 20:23:52.850: ISAKMP:(1103): processing vendor id payload
Jun 29 20:23:52.850: ISAKMP:(1103): speaking to another IOS box!
Jun 29 20:23:52.850: ISAKMP:(1103): processing vendor id payload
Jun 29 20:23:52.850: ISAKMP:(1103):vendor ID seems Unity/DPD but hash mismatch
Jun 29 20:23:52.850: ISAKMP:(1103):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 29 20:23:52.850: ISAKMP:(1103):Old State = IKE_I_MM4  New State = IKE_I_MM4

Jun 29 20:23:52.850: ISAKMP:(1103):Send initial contact
Jun 29 20:23:52.850: ISAKMP:(1103):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jun 29 20:23:52.850: ISAKMP (0:1103): ID payload
        next-payload : 8
        type         : 1
        address      : 116.xxx.xxx.242
        protocol     : 17
        port         : 500
        length       : 12
Jun 29 20:23:52.850: ISAKMP:(1103):Total payload length: 12
Jun 29 20:23:52.850: ISAKMP:(1103): sending packet to 64.xxx.xxx.130 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Jun 29 20:23:52.850: ISAKMP:(1103):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 29 20:23:52.850: ISAKMP:(1103):Old State = IKE_I_MM4  New State = IKE_I_MM5

Jun 29 20:23:53.078: ISAKMP (0:1103): received packet from 64.xxx.xxx.130 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jun 29 20:23:53.078: ISAKMP:(1103): processing ID payload. message ID = 0
Jun 29 20:23:53.078: ISAKMP (0:1103): ID payload
        next-payload : 8
        type         : 1
        address      : 64.xxx.xxx.130
        protocol     : 17
        port         : 500
        length       : 12
Jun 29 20:23:53.078: ISAKMP:(1103):: peer matches *none* of the profiles
Jun 29 20:23:53.078: ISAKMP:(1103): processing HASH payload. message ID = 0
Jun 29 20:23:53.078: ISAKMP:received payload type 17
Jun 29 20:23:53.078: ISAKMP:(1103): processing keep alive: proposal=32767/32767 sec., actual=120/10 sec.
Jun 29 20:23:53.078: ISAKMP:(1103): processing vendor id payload
Jun 29 20:23:53.078: ISAKMP:(1103): vendor ID is DPD
Jun 29 20:23:53.078: ISAKMP:(1103):SA authentication status:
        authenticated
Jun 29 20:23:53.078: ISAKMP:(1103):SA has been authenticated with 64.xxx.xxx.130
Jun 29 20:23:53.078: ISAKMP:(1103):IKE_DPD is enabled, initializing timers
Jun 29 20:23:53.078: ISAKMP: Trying to insert a peer 116.xxx.xxx.242/64.xxx.xxx.130/500/,  and inserted successfully 76108C0.
Jun 29 20:23:53.078: ISAKMP:(1103):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 29 20:23:53.078: ISAKMP:(1103):Old State = IKE_I_MM5  New State = IKE_I_MM6

Jun 29 20:23:53.078: ISAKMP:(1103):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 29 20:23:53.078: ISAKMP:(1103):Old State = IKE_I_MM6  New State = IKE_I_MM6

Jun 29 20:23:53.078: ISAKMP:(1103):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 29 20:23:53.078: ISAKMP:(1103):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

Jun 29 20:23:53.078: ISAKMP:(1103):beginning Quick Mode exchange, M-ID of 1656295180
Jun 29 20:23:53.078: ISAKMP:(1103):QM Initiator gets spi
Jun 29 20:23:53.082: ISAKMP:(1103): sending packet to 64.xxx.xxx.130 my_port 500 peer_port 500 (I) QM_IDLE
Jun 29 20:23:53.082: ISAKMP:(1103):Node 1656295180, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jun 29 20:23:53.082: ISAKMP:(1103):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Jun 29 20:23:53.082: ISAKMP:(1103):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jun 29 20:23:53.082: ISAKMP:(1103):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Jun 29 20:23:53.294: ISAKMP:(1101):purging SA., sa=74CF0B8, delme=74CF0B8
Jun 29 20:23:53.310: ISAKMP (0:1103): received packet from 64.xxx.xxx.130 dport 500 sport 500 Global (I) QM_IDLE   
Jun 29 20:23:53.310: ISAKMP: set new node 200480399 to QM_IDLE
Jun 29 20:23:53.310: ISAKMP:(1103): processing HASH payload. message ID = 200480399
Jun 29 20:23:53.310: ISAKMP:(1103): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 0, message ID = 200480399, sa = 750CB80
Jun 29 20:23:53.310: ISAKMP:(1103):deleting node 200480399 error FALSE reason "Informational (in) state 1"
Jun 29 20:23:53.310: ISAKMP:(1103):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jun 29 20:23:53.310: ISAKMP:(1103):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Jun 29 20:23:53.310: ISAKMP (0:1103): received packet from 64.xxx.xxx.130 dport 500 sport 500 Global (I) QM_IDLE   
Jun 29 20:23:53.310: ISAKMP: set new node 737465165 to QM_IDLE
Jun 29 20:23:53.310: ISAKMP:(1103): processing HASH payload. message ID = 737465165
Jun 29 20:23:53.310: ISAKMP:(1103): processing DELETE payload. message ID = 737465165
Jun 29 20:23:53.310: ISAKMP:(1103):peer does not do paranoid keepalives.

Jun 29 20:23:53.310: ISAKMP:(1103):deleting SA reason "No reason" state (I) QM_IDLE       (peer 64.xxx.xxx.130)
Jun 29 20:23:53.310: ISAKMP:(1103):deleting node 737465165 error FALSE reason "Informational (in) state 1"
Jun 29 20:23:53.310: ISAKMP: set new node 305220440 to QM_IDLE
Jun 29 20:23:53.310: ISAKMP:(1103): sending packet to 64.xxx.xxx.130 my_port 500 peer_port 500 (I) QM_IDLE
Jun 29 20:23:53.310: ISAKMP:(1103):purging node 305220440
Jun 29 20:23:53.310: ISAKMP:(1103):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jun 29 20:23:53.310: ISAKMP:(1103):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

Jun 29 20:23:53.310: ISAKMP:(1103):deleting SA reason "No reason" state (I) QM_IDLE       (peer 64.xxx.xxx.130)
Jun 29 20:23:53.310: ISAKMP: Unlocking peer struct 0x76108C0 for isadb_mark_sa_deleted(), count 0
Jun 29 20:23:53.310: ISAKMP: Deleting peer node by peer_reap for 64.xxx.xxx.130: 76108C0
Jun 29 20:23:53.310: ISAKMP:(1103):deleting node 1656295180 error FALSE reason "IKE deleted"
Jun 29 20:23:53.310: ISAKMP:(1103):deleting node 200480399 error FALSE reason "IKE deleted"
Jun 29 20:23:53.310: ISAKMP:(1103):deleting node 737465165 error FALSE reason "IKE deleted"
Jun 29 20:23:53.310: ISAKMP:(1103):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 29 20:23:53.310: ISAKMP:(1103):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

Appreciate your help. Thank you in advance.
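To triage a capture like the one above more quickly, here is an added Python example (written for this thread, not Cisco tooling) that walks debug crypto isakmp output and records which local ISAKMP policy accepted the peer's phase 1 transform and why the others were rejected, whether phase 1 authenticated, and whether the peer answered Quick Mode with a NOTIFY PROPOSAL_NOT_CHOSEN followed by a DELETE. The sample input is a constructed excerpt modelled on the post's debug lines; protocol 3 in the notify is the ISAKMP DOI identifier for ESP.

```python
"""Summarise a Cisco IOS 'debug crypto isakmp' capture (added example)."""
import re

# Constructed excerpt modelled on the debug output in the post (timestamps
# stripped; the regexes below also accept lines that still carry them).
SAMPLE_DEBUG = """\
ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 0
ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:(0):Hash algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 0
ISAKMP:(0):Checking ISAKMP transform 3 against priority 3 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:(0):atts are acceptable. Next payload is 0
ISAKMP:(1103):SA has been authenticated with 64.xxx.xxx.130
ISAKMP:(1103):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
ISAKMP:(1103):beginning Quick Mode exchange, M-ID of 1656295180
ISAKMP:(1103): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
ISAKMP:(1103): processing DELETE payload. message ID = 737465165
"""

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth) (\S.*)$")
REJECT_RE = re.compile(r"(\w+) algorithm offered does not match policy!")
NOTIFY_RE = re.compile(r"processing NOTIFY (\w+) protocol (\d+)")


def summarise_isakmp_debug(text):
    """Return a dict describing the phase 1 policy match and phase 2 outcome."""
    result = {"phase1_checks": [], "phase1_policy": None,
              "phase1_authenticated": False, "phase2_notifies": [],
              "peer_deleted": False}
    current = None  # the policy comparison currently being reported
    for line in text.splitlines():
        m = CHECK_RE.search(line)
        if m:
            current = {"transform": int(m.group(1)), "priority": int(m.group(2)),
                       "offered": {}, "verdict": None}
            result["phase1_checks"].append(current)
            continue
        m = ATTR_RE.search(line)
        if m and current:
            current["offered"][m.group(1)] = m.group(2).strip()
            continue
        m = REJECT_RE.search(line)
        if m and current:
            current["verdict"] = f"rejected: {m.group(1).lower()} mismatch"
            continue
        if "atts are acceptable" in line and current:
            current["verdict"] = "accepted"
            result["phase1_policy"] = current["priority"]
            continue
        if "SA has been authenticated" in line:
            result["phase1_authenticated"] = True
        m = NOTIFY_RE.search(line)
        if m:
            result["phase2_notifies"].append((m.group(1), int(m.group(2))))
        if "processing DELETE payload" in line:
            result["peer_deleted"] = True
    return result


def diagnose(summary):
    """Name the phase at which the negotiation stalled: 'phase1', 'phase2' or 'ok'."""
    if not summary["phase1_authenticated"]:
        return "phase1"
    # Protocol 3 is ESP in the ISAKMP DOI, so this notify concerns the IPsec SA.
    if any(name == "PROPOSAL_NOT_CHOSEN" and proto == 3
           for name, proto in summary["phase2_notifies"]):
        return "phase2"
    return "ok"


if __name__ == "__main__":
    summary = summarise_isakmp_debug(SAMPLE_DEBUG)
    for check in summary["phase1_checks"]:
        print(f"policy {check['priority']}: {check['verdict']} (offered {check['offered']})")
    print("phase 1 authenticated:", summary["phase1_authenticated"])
    print("phase 2 notifies:", summary["phase2_notifies"])
    print("stalled at:", diagnose(summary))
```

On the post's capture this reports policy 1 rejected on encryption, policy 2 rejected on hash (no hash is configured in policy 2, so the IOS default applies rather than the MD5 the peer offered), policy 3 accepted, phase 1 authenticated, and a phase 2 PROPOSAL_NOT_CHOSEN from the peer. That separation matters because a phase 2 rejection is decided by the responder's crypto map (transform set, PFS, lifetime and proxy ACL), not by the ISAKMP policies that have just succeeded.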


JP Miranda Z
Cisco Employee

Hi Forbes Jenalyn Rose,

I was checking the logs and it seems like phase 1 is completed but you have a phase 2 mismatch. Checking the configuration, I see the other end is using the following ACL:

Source: 10.0.0.0/20

Destination: 10.65.0.0/19

And you are using:

ip access-list extended eq-ipsec-4
 permit ip 10.65.0.0 0.0.63.255 10.0.0.0 0.0.15.255
 permit ip 10.65.0.0 0.0.63.255 10.0.1.0 0.0.0.255 --completely redundant

So can you please get into the ACL eq-ipsec and remove the second line? After that, let me know how it goes.

Hope this info helps!!

Rate if it helps you!!

-JP- 
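Since a phase 2 PROPOSAL_NOT_CHOSEN is so often a crypto ACL that does not mirror the peer's, here is an added Python example (not Cisco code, not part of this thread's replies) that parses an IOS crypto ACL in wildcard-mask syntax, converts each entry to prefix notation, and classifies it against the peer's source and destination as stated in the post: an exact mirror, an entry already covered by another local entry (the redundancy pointed out above), or a mismatch. The ACL text and the remote networks are taken from the post; the comparison rule (the local source/destination pair must equal the peer's destination/source pair) is the standard IKEv1 mirror-ACL requirement.

```python
"""Check that a crypto-map ACL mirrors the peer's interesting-traffic definition."""
import ipaddress
import re

# Taken from the post: local router ACL (IOS wildcard masks) and the remote ASA policy.
LOCAL_ACL = """\
ip access-list extended eq-ipsec-4
 permit ip 10.65.0.0 0.0.63.255 10.0.0.0 0.0.15.255
 permit ip 10.65.0.0 0.0.63.255 10.0.1.0 0.0.0.255
"""
REMOTE_SOURCE = "10.0.0.0/20"
REMOTE_DESTINATION = "10.65.0.0/19"

ACE_RE = re.compile(r"^\s*permit ip (\S+) (\S+) (\S+) (\S+)\s*$")


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to an ip_network (contiguous masks only)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # a contiguous wildcard is 2**k - 1, so wc+1 has no bits in common
        raise ValueError(f"non-contiguous wildcard {wildcard} cannot be a prefix")
    prefix = 32 - wc.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_acl(text):
    """Return a list of (source_network, destination_network) for each permit ip ACE."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            aces.append((wildcard_to_network(m.group(1), m.group(2)),
                         wildcard_to_network(m.group(3), m.group(4))))
    return aces


def check_mirror(local_aces, remote_source, remote_destination):
    """Classify each local ACE as 'mirror', 'redundant' or a 'mismatch: ...' string."""
    # The peer's source becomes our destination and vice versa.
    expected = (ipaddress.ip_network(remote_destination), ipaddress.ip_network(remote_source))
    verdicts = []
    for i, (src, dst) in enumerate(local_aces):
        if (src, dst) == expected:
            verdicts.append("mirror")
            continue
        covered = any(j != i and src.subnet_of(osrc) and dst.subnet_of(odst)
                      for j, (osrc, odst) in enumerate(local_aces))
        if covered:
            verdicts.append("redundant")
        else:
            verdicts.append(f"mismatch: local {src} -> {dst}, "
                            f"peer expects {expected[0]} -> {expected[1]}")
    return verdicts


if __name__ == "__main__":
    aces = parse_acl(LOCAL_ACL)
    for (src, dst), verdict in zip(aces, check_mirror(aces, REMOTE_SOURCE, REMOTE_DESTINATION)):
        print(f"{src} -> {dst}: {verdict}")
```

Converting the wildcard masks to prefix lengths before comparing is the point of the exercise: a width difference between a local 0.0.63.255 mask and a peer /19 is easy to miss by eye but is exactly the kind of proxy-identity difference that makes a responder reject Quick Mode. The checker also confirms that the second entry in the post's ACL is covered by the first, which is why it is redundant.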

Hi JP,

I removed the second line on the acl but it did not resolve the issue.

Forbes,

Try getting the full VPN config from the other end and making sure everything is matching. Right now the tunnel is giving you a no proposal chosen on phase and that is in the crypto map configuration.

Hope this info helps!!

Rate if it helps you!!

-JP-