cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2363
Views
0
Helpful
3
Replies
Highlighted

VPN IPSec Hash mismatch

Hi everyone,

I am trying to establish a VPN tunnel to another site but I am getting a hash mismatch when I debug. Please see below config and debug isakmp sa result.

Will there be a problem if I use esp-3des esp-sha-hmac and the remote site use ESP-3DES-SHA on Phase 2 IPsec rule?

Remote site using Cisco ASA:

Source: 10.0.0.0/20

Destination: 10.65.0.0/19

 

IKE using 3des MD5 DH group 2 lifetime 28800

also allowing 3des SHA group 2 lifetime 28800

 

Crypto Map

Using ESP-3DES-SHA for transform set

PEER: 116.xxx.xxx..242

SA Lifetime: 28800

IKE Negotiation mode MAIN

My Cisco router:

crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800

crypto isakmp key ***** address 64.xxx.xxx..130

crypto ipsec transform-set eq-ipsec esp-3des esp-sha-hmac
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 10 periodic

crypto map eq-ipsec 4 ipsec-isakmp
 description non-vti ipsec tunnels to Remote Site
 set peer 64.xxx.xxx..130
 set security-association lifetime seconds 28800
 set transform-set eq-ipsec
 match address eq-ipsec-4
 reverse-route static

ip access-list extended eq-ipsec-4
 permit ip 10.65.0.0 0.0.63.255 10.0.0.0 0.0.15.255
 permit ip 10.65.0.0 0.0.63.255 10.0.1.0 0.0.0.255

show crypto isa sa:

64.132.78.130   116.214.96.242  MM_NO_STATE       1099    0 ACTIVE (deleted)
64.132.78.130   116.214.96.242  MM_NO_STATE       1098    0 ACTIVE (deleted)

show crypto session:

Interface: GigabitEthernet0/1
Session status: DOWN-NEGOTIATING
Peer: 64.xxx.xxx.130 port 500
  IKE SA: local 116.xxx.xxx..242/500 remote 64.xxx.xxx.130/500 Inactive
  IKE SA: local 116.xxx.xxx..242/500 remote 64.xxx.xxx.130/500 Inactive
  IPSEC FLOW: permit ip 10.65.0.0/255.255.192.0 10.0.0.0/255.255.240.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.65.0.0/255.255.192.0 10.0.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map

debug crypto isakmp sa:

Jun 29 20:23:52.390: ISAKMP: Created a peer struct for 64.xxx.xxx.130, peer port 500
Jun 29 20:23:52.390: ISAKMP: New peer created peer = 0x76108C0 peer_handle = 0x800031FE
Jun 29 20:23:52.390: ISAKMP: Locking peer struct 0x76108C0, refcount 1 for isakmp_initiator
Jun 29 20:23:52.390: ISAKMP: local port 500, remote port 500
Jun 29 20:23:52.390: ISAKMP: set new node 0 to QM_IDLE
Jun 29 20:23:52.390: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 750CB80
Jun 29 20:23:52.390: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Jun 29 20:23:52.390: ISAKMP:(0):found peer pre-shared key matching 64.xxx.xxx.130
Jun 29 20:23:52.390: ISAKMP:(0): constructed NAT-T vendor-07 ID
Jun 29 20:23:52.390: ISAKMP:(0): constructed NAT-T vendor-03 ID
Jun 29 20:23:52.390: ISAKMP:(0): constructed NAT-T vendor-02 ID
Jun 29 20:23:52.390: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jun 29 20:23:52.390: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Jun 29 20:23:52.390: ISAKMP:(0): beginning Main Mode exchange
Jun 29 20:23:52.390: ISAKMP:(0): sending packet to 64.xxx.xxx.130 my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 29 20:23:52.614: ISAKMP (0:0): received packet from 64.xxx.xxx.130 dport 500 sport 500 Global (I) MM_NO_STATE
Jun 29 20:23:52.614: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 29 20:23:52.614: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

Jun 29 20:23:52.614: ISAKMP:(0): processing SA payload. message ID = 0
Jun 29 20:23:52.614: ISAKMP:(0): processing vendor id payload
Jun 29 20:23:52.614: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
Jun 29 20:23:52.614: ISAKMP:(0):found peer pre-shared key matching 64.xxx.xxx.130
Jun 29 20:23:52.614: ISAKMP:(0): local preshared key found
Jun 29 20:23:52.614: ISAKMP : Scanning profiles for xauth ... isakmp-vpn-243c4476-0 isakmp-vpn-243c4476-1
Jun 29 20:23:52.614: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
Jun 29 20:23:52.614: ISAKMP:      encryption 3DES-CBC
Jun 29 20:23:52.618: ISAKMP:      hash MD5
Jun 29 20:23:52.618: ISAKMP:      default group 2
Jun 29 20:23:52.618: ISAKMP:      auth pre-share
Jun 29 20:23:52.618: ISAKMP:      life type in seconds
Jun 29 20:23:52.618: ISAKMP:      life duration (basic) of 28800
Jun 29 20:23:52.618: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jun 29 20:23:52.618: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jun 29 20:23:52.618: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
Jun 29 20:23:52.618: ISAKMP:      encryption 3DES-CBC
Jun 29 20:23:52.618: ISAKMP:      hash MD5
Jun 29 20:23:52.618: ISAKMP:      default group 2
Jun 29 20:23:52.618: ISAKMP:      auth pre-share
Jun 29 20:23:52.618: ISAKMP:      life type in seconds
Jun 29 20:23:52.618: ISAKMP:      life duration (basic) of 28800
Jun 29 20:23:52.618: ISAKMP:(0):Hash algorithm offered does not match policy!
Jun 29 20:23:52.618: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jun 29 20:23:52.618: ISAKMP:(0):Checking ISAKMP transform 3 against priority 3 policy
Jun 29 20:23:52.618: ISAKMP:      encryption 3DES-CBC
Jun 29 20:23:52.618: ISAKMP:      hash MD5
Jun 29 20:23:52.618: ISAKMP:      default group 2
Jun 29 20:23:52.618: ISAKMP:      auth pre-share
Jun 29 20:23:52.618: ISAKMP:      life type in seconds
Jun 29 20:23:52.618: ISAKMP:      life duration (basic) of 28800
Jun 29 20:23:52.618: ISAKMP:(0):atts are acceptable. Next payload is 0
Jun 29 20:23:52.618: ISAKMP:(0): processing vendor id payload
Jun 29 20:23:52.618: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
Jun 29 20:23:52.618: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 29 20:23:52.618: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

Jun 29 20:23:52.618: ISAKMP:(0): sending packet to 64.xxx.xxx.130 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jun 29 20:23:52.618: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 29 20:23:52.618: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

Jun 29 20:23:52.842: ISAKMP (0:0): received packet from 64.xxx.xxx.130 dport 500 sport 500 Global (I) MM_SA_SETUP
Jun 29 20:23:52.846: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 29 20:23:52.846: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

Jun 29 20:23:52.846: ISAKMP:(0): processing KE payload. message ID = 0
Jun 29 20:23:52.850: ISAKMP:(0): processing NONCE payload. message ID = 0
Jun 29 20:23:52.850: ISAKMP:(0):found peer pre-shared key matching 64.xxx.xxx.130
Jun 29 20:23:52.850: ISAKMP:(1103): processing vendor id payload
Jun 29 20:23:52.850: ISAKMP:(1103): vendor ID is Unity
Jun 29 20:23:52.850: ISAKMP:(1103): processing vendor id payload
Jun 29 20:23:52.850: ISAKMP:(1103): vendor ID seems Unity/DPD but major 134 mismatch
Jun 29 20:23:52.850: ISAKMP:(1103): vendor ID is XAUTH
Jun 29 20:23:52.850: ISAKMP:(1103): processing vendor id payload
Jun 29 20:23:52.850: ISAKMP:(1103): speaking to another IOS box!
Jun 29 20:23:52.850: ISAKMP:(1103): processing vendor id payload
Jun 29 20:23:52.850: ISAKMP:(1103):vendor ID seems Unity/DPD but hash mismatch
Jun 29 20:23:52.850: ISAKMP:(1103):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 29 20:23:52.850: ISAKMP:(1103):Old State = IKE_I_MM4  New State = IKE_I_MM4

Jun 29 20:23:52.850: ISAKMP:(1103):Send initial contact
Jun 29 20:23:52.850: ISAKMP:(1103):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jun 29 20:23:52.850: ISAKMP (0:1103): ID payload
        next-payload : 8
        type         : 1
        address      : 116.xxx.xxx.242
        protocol     : 17
        port         : 500
        length       : 12
Jun 29 20:23:52.850: ISAKMP:(1103):Total payload length: 12
Jun 29 20:23:52.850: ISAKMP:(1103): sending packet to 64.xxx.xxx.130 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Jun 29 20:23:52.850: ISAKMP:(1103):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 29 20:23:52.850: ISAKMP:(1103):Old State = IKE_I_MM4  New State = IKE_I_MM5

Jun 29 20:23:53.078: ISAKMP (0:1103): received packet from 64.xxx.xxx.130 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jun 29 20:23:53.078: ISAKMP:(1103): processing ID payload. message ID = 0
Jun 29 20:23:53.078: ISAKMP (0:1103): ID payload
        next-payload : 8
        type         : 1
        address      : 64.xxx.xxx.130
        protocol     : 17
        port         : 500
        length       : 12
Jun 29 20:23:53.078: ISAKMP:(1103):: peer matches *none* of the profiles
Jun 29 20:23:53.078: ISAKMP:(1103): processing HASH payload. message ID = 0
Jun 29 20:23:53.078: ISAKMP:received payload type 17
Jun 29 20:23:53.078: ISAKMP:(1103): processing keep alive: proposal=32767/32767 sec., actual=120/10 sec.
Jun 29 20:23:53.078: ISAKMP:(1103): processing vendor id payload
Jun 29 20:23:53.078: ISAKMP:(1103): vendor ID is DPD
Jun 29 20:23:53.078: ISAKMP:(1103):SA authentication status:
        authenticated
Jun 29 20:23:53.078: ISAKMP:(1103):SA has been authenticated with 64.xxx.xxx.130
Jun 29 20:23:53.078: ISAKMP:(1103):IKE_DPD is enabled, initializing timers
Jun 29 20:23:53.078: ISAKMP: Trying to insert a peer 116.xxx.xxx.242/64.xxx.xxx.130/500/,  and inserted successfully 76108C0.
Jun 29 20:23:53.078: ISAKMP:(1103):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 29 20:23:53.078: ISAKMP:(1103):Old State = IKE_I_MM5  New State = IKE_I_MM6

Jun 29 20:23:53.078: ISAKMP:(1103):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 29 20:23:53.078: ISAKMP:(1103):Old State = IKE_I_MM6  New State = IKE_I_MM6

Jun 29 20:23:53.078: ISAKMP:(1103):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 29 20:23:53.078: ISAKMP:(1103):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

Jun 29 20:23:53.078: ISAKMP:(1103):beginning Quick Mode exchange, M-ID of 1656295180
Jun 29 20:23:53.078: ISAKMP:(1103):QM Initiator gets spi
Jun 29 20:23:53.082: ISAKMP:(1103): sending packet to 64.xxx.xxx.130 my_port 500 peer_port 500 (I) QM_IDLE
Jun 29 20:23:53.082: ISAKMP:(1103):Node 1656295180, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jun 29 20:23:53.082: ISAKMP:(1103):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Jun 29 20:23:53.082: ISAKMP:(1103):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jun 29 20:23:53.082: ISAKMP:(1103):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Jun 29 20:23:53.294: ISAKMP:(1101):purging SA., sa=74CF0B8, delme=74CF0B8
Jun 29 20:23:53.310: ISAKMP (0:1103): received packet from 64.xxx.xxx.130 dport 500 sport 500 Global (I) QM_IDLE   
Jun 29 20:23:53.310: ISAKMP: set new node 200480399 to QM_IDLE
Jun 29 20:23:53.310: ISAKMP:(1103): processing HASH payload. message ID = 200480399
Jun 29 20:23:53.310: ISAKMP:(1103): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 0, message ID = 200480399, sa = 750CB80
Jun 29 20:23:53.310: ISAKMP:(1103):deleting node 200480399 error FALSE reason "Informational (in) state 1"
Jun 29 20:23:53.310: ISAKMP:(1103):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jun 29 20:23:53.310: ISAKMP:(1103):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Jun 29 20:23:53.310: ISAKMP (0:1103): received packet from 64.xxx.xxx.130 dport 500 sport 500 Global (I) QM_IDLE   
Jun 29 20:23:53.310: ISAKMP: set new node 737465165 to QM_IDLE
Jun 29 20:23:53.310: ISAKMP:(1103): processing HASH payload. message ID = 737465165
Jun 29 20:23:53.310: ISAKMP:(1103): processing DELETE payload. message ID = 737465165
Jun 29 20:23:53.310: ISAKMP:(1103):peer does not do paranoid keepalives.

Jun 29 20:23:53.310: ISAKMP:(1103):deleting SA reason "No reason" state (I) QM_IDLE       (peer 64.xxx.xxx.130)
Jun 29 20:23:53.310: ISAKMP:(1103):deleting node 737465165 error FALSE reason "Informational (in) state 1"
Jun 29 20:23:53.310: ISAKMP: set new node 305220440 to QM_IDLE
Jun 29 20:23:53.310: ISAKMP:(1103): sending packet to 64.xxx.xxx.130 my_port 500 peer_port 500 (I) QM_IDLE
Jun 29 20:23:53.310: ISAKMP:(1103):purging node 305220440
Jun 29 20:23:53.310: ISAKMP:(1103):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jun 29 20:23:53.310: ISAKMP:(1103):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

Jun 29 20:23:53.310: ISAKMP:(1103):deleting SA reason "No reason" state (I) QM_IDLE       (peer 64.xxx.xxx.130)
Jun 29 20:23:53.310: ISAKMP: Unlocking peer struct 0x76108C0 for isadb_mark_sa_deleted(), count 0
Jun 29 20:23:53.310: ISAKMP: Deleting peer node by peer_reap for 64.xxx.xxx.130: 76108C0
Jun 29 20:23:53.310: ISAKMP:(1103):deleting node 1656295180 error FALSE reason "IKE deleted"
Jun 29 20:23:53.310: ISAKMP:(1103):deleting node 200480399 error FALSE reason "IKE deleted"
Jun 29 20:23:53.310: ISAKMP:(1103):deleting node 737465165 error FALSE reason "IKE deleted"
Jun 29 20:23:53.310: ISAKMP:(1103):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 29 20:23:53.310: ISAKMP:(1103):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

Appreciate your help. Thank you in advance.

3 REPLIES 3
Highlighted
Cisco Employee

Hi Forbes Jenalyn Rose,

I was checking the logs and seems like phase 1 is completed but you have a phase 2 mismatch, by checking the configuration i see the other end is using the following ACL:

Source: 10.0.0.0/20

Destination: 10.65.0.0/19

And you are using:

ip access-list extended eq-ipsec-4
 permit ip 10.65.0.0 0.0.63.255 10.0.0.0 0.0.15.255
 permit ip 10.65.0.0 0.0.63.255 10.0.1.0 0.0.0.255 --completely redundant

So can you please get in to the acl eq-ipsec and remove the second line, after that let me know how it goes.

Hope this info helps!!

Rate if helps you!! 

-JP- 

Highlighted

Hi JP,

I removed the second line on the acl but it did not resolve the issue.

Highlighted

Forbes,

Try getting the full VPN config from the other end and making sure everything is matching, right now the tunnel is giving you a no proposal chosen on phase and that is on the crypto map configuration.

Hope this info helps!!

Rate if helps you!! 

-JP- 

Content for Community-Ad