06-29-2017 01:31 PM - edited 02-21-2020 09:21 PM
Hi everyone,
I am trying to establish a VPN tunnel to another site, but I am getting a hash mismatch when I debug. Please see the config and the debug crypto isakmp output below.
Will there be a problem if I use esp-3des esp-sha-hmac and the remote site uses ESP-3DES-SHA in the Phase 2 IPsec rule?
Remote site using Cisco ASA:
Source: 10.0.0.0/20
Destination: 10.65.0.0/19
IKE using 3des MD5 DH group 2 lifetime 28800
also allowing 3des SHA group 2 lifetime 28800
Crypto Map
Using ESP-3DES-SHA for transform set
PEER: 116.xxx.xxx..242
SA Lifetime: 28800
IKE Negotiation mode MAIN
My Cisco router:
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key ***** address 64.xxx.xxx..130
crypto ipsec transform-set eq-ipsec esp-3des esp-sha-hmac
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 10 periodic
crypto map eq-ipsec 4 ipsec-isakmp
description non-vti ipsec tunnels to Remote Site
set peer 64.xxx.xxx..130
set security-association lifetime seconds 28800
set transform-set eq-ipsec
match address eq-ipsec-4
reverse-route static
ip access-list extended eq-ipsec-4
permit ip 10.65.0.0 0.0.63.255 10.0.0.0 0.0.15.255
permit ip 10.65.0.0 0.0.63.255 10.0.1.0 0.0.0.255
show crypto isa sa:
64.132.78.130 116.214.96.242 MM_NO_STATE 1099 0 ACTIVE (deleted)
64.132.78.130 116.214.96.242 MM_NO_STATE 1098 0 ACTIVE (deleted)
show crypto session:
Interface: GigabitEthernet0/1
Session status: DOWN-NEGOTIATING
Peer: 64.xxx.xxx.130 port 500
IKE SA: local 116.xxx.xxx..242/500 remote 64.xxx.xxx.130/500 Inactive
IKE SA: local 116.xxx.xxx..242/500 remote 64.xxx.xxx.130/500 Inactive
IPSEC FLOW: permit ip 10.65.0.0/255.255.192.0 10.0.0.0/255.255.240.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 10.65.0.0/255.255.192.0 10.0.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
debug crypto isakmp sa:
Jun 29 20:23:52.390: ISAKMP: Created a peer struct for 64.xxx.xxx.130, peer port 500
Jun 29 20:23:52.390: ISAKMP: New peer created peer = 0x76108C0 peer_handle = 0x800031FE
Jun 29 20:23:52.390: ISAKMP: Locking peer struct 0x76108C0, refcount 1 for isakmp_initiator
Jun 29 20:23:52.390: ISAKMP: local port 500, remote port 500
Jun 29 20:23:52.390: ISAKMP: set new node 0 to QM_IDLE
Jun 29 20:23:52.390: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 750CB80
Jun 29 20:23:52.390: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Jun 29 20:23:52.390: ISAKMP:(0):found peer pre-shared key matching 64.xxx.xxx.130
Jun 29 20:23:52.390: ISAKMP:(0): constructed NAT-T vendor-07 ID
Jun 29 20:23:52.390: ISAKMP:(0): constructed NAT-T vendor-03 ID
Jun 29 20:23:52.390: ISAKMP:(0): constructed NAT-T vendor-02 ID
Jun 29 20:23:52.390: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jun 29 20:23:52.390: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Jun 29 20:23:52.390: ISAKMP:(0): beginning Main Mode exchange
Jun 29 20:23:52.390: ISAKMP:(0): sending packet to 64.xxx.xxx.130 my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 29 20:23:52.614: ISAKMP (0:0): received packet from 64.xxx.xxx.130 dport 500 sport 500 Global (I) MM_NO_STATE
Jun 29 20:23:52.614: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 29 20:23:52.614: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Jun 29 20:23:52.614: ISAKMP:(0): processing SA payload. message ID = 0
Jun 29 20:23:52.614: ISAKMP:(0): processing vendor id payload
Jun 29 20:23:52.614: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
Jun 29 20:23:52.614: ISAKMP:(0):found peer pre-shared key matching 64.xxx.xxx.130
Jun 29 20:23:52.614: ISAKMP:(0): local preshared key found
Jun 29 20:23:52.614: ISAKMP : Scanning profiles for xauth ... isakmp-vpn-243c4476-0 isakmp-vpn-243c4476-1
Jun 29 20:23:52.614: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
Jun 29 20:23:52.614: ISAKMP: encryption 3DES-CBC
Jun 29 20:23:52.618: ISAKMP: hash MD5
Jun 29 20:23:52.618: ISAKMP: default group 2
Jun 29 20:23:52.618: ISAKMP: auth pre-share
Jun 29 20:23:52.618: ISAKMP: life type in seconds
Jun 29 20:23:52.618: ISAKMP: life duration (basic) of 28800
Jun 29 20:23:52.618: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jun 29 20:23:52.618: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jun 29 20:23:52.618: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
Jun 29 20:23:52.618: ISAKMP: encryption 3DES-CBC
Jun 29 20:23:52.618: ISAKMP: hash MD5
Jun 29 20:23:52.618: ISAKMP: default group 2
Jun 29 20:23:52.618: ISAKMP: auth pre-share
Jun 29 20:23:52.618: ISAKMP: life type in seconds
Jun 29 20:23:52.618: ISAKMP: life duration (basic) of 28800
Jun 29 20:23:52.618: ISAKMP:(0):Hash algorithm offered does not match policy!
Jun 29 20:23:52.618: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jun 29 20:23:52.618: ISAKMP:(0):Checking ISAKMP transform 3 against priority 3 policy
Jun 29 20:23:52.618: ISAKMP: encryption 3DES-CBC
Jun 29 20:23:52.618: ISAKMP: hash MD5
Jun 29 20:23:52.618: ISAKMP: default group 2
Jun 29 20:23:52.618: ISAKMP: auth pre-share
Jun 29 20:23:52.618: ISAKMP: life type in seconds
Jun 29 20:23:52.618: ISAKMP: life duration (basic) of 28800
Jun 29 20:23:52.618: ISAKMP:(0):atts are acceptable. Next payload is 0
Jun 29 20:23:52.618: ISAKMP:(0): processing vendor id payload
Jun 29 20:23:52.618: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
Jun 29 20:23:52.618: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 29 20:23:52.618: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Jun 29 20:23:52.618: ISAKMP:(0): sending packet to 64.xxx.xxx.130 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jun 29 20:23:52.618: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 29 20:23:52.618: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Jun 29 20:23:52.842: ISAKMP (0:0): received packet from 64.xxx.xxx.130 dport 500 sport 500 Global (I) MM_SA_SETUP
Jun 29 20:23:52.846: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 29 20:23:52.846: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Jun 29 20:23:52.846: ISAKMP:(0): processing KE payload. message ID = 0
Jun 29 20:23:52.850: ISAKMP:(0): processing NONCE payload. message ID = 0
Jun 29 20:23:52.850: ISAKMP:(0):found peer pre-shared key matching 64.xxx.xxx.130
Jun 29 20:23:52.850: ISAKMP:(1103): processing vendor id payload
Jun 29 20:23:52.850: ISAKMP:(1103): vendor ID is Unity
Jun 29 20:23:52.850: ISAKMP:(1103): processing vendor id payload
Jun 29 20:23:52.850: ISAKMP:(1103): vendor ID seems Unity/DPD but major 134 mismatch
Jun 29 20:23:52.850: ISAKMP:(1103): vendor ID is XAUTH
Jun 29 20:23:52.850: ISAKMP:(1103): processing vendor id payload
Jun 29 20:23:52.850: ISAKMP:(1103): speaking to another IOS box!
Jun 29 20:23:52.850: ISAKMP:(1103): processing vendor id payload
Jun 29 20:23:52.850: ISAKMP:(1103):vendor ID seems Unity/DPD but hash mismatch
Jun 29 20:23:52.850: ISAKMP:(1103):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 29 20:23:52.850: ISAKMP:(1103):Old State = IKE_I_MM4 New State = IKE_I_MM4
Jun 29 20:23:52.850: ISAKMP:(1103):Send initial contact
Jun 29 20:23:52.850: ISAKMP:(1103):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jun 29 20:23:52.850: ISAKMP (0:1103): ID payload
next-payload : 8
type : 1
address : 116.xxx.xxx.242
protocol : 17
port : 500
length : 12
Jun 29 20:23:52.850: ISAKMP:(1103):Total payload length: 12
Jun 29 20:23:52.850: ISAKMP:(1103): sending packet to 64.xxx.xxx.130 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Jun 29 20:23:52.850: ISAKMP:(1103):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 29 20:23:52.850: ISAKMP:(1103):Old State = IKE_I_MM4 New State = IKE_I_MM5
Jun 29 20:23:53.078: ISAKMP (0:1103): received packet from 64.xxx.xxx.130 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jun 29 20:23:53.078: ISAKMP:(1103): processing ID payload. message ID = 0
Jun 29 20:23:53.078: ISAKMP (0:1103): ID payload
next-payload : 8
type : 1
address : 64.xxx.xxx.130
protocol : 17
port : 500
length : 12
Jun 29 20:23:53.078: ISAKMP:(1103):: peer matches *none* of the profiles
Jun 29 20:23:53.078: ISAKMP:(1103): processing HASH payload. message ID = 0
Jun 29 20:23:53.078: ISAKMP:received payload type 17
Jun 29 20:23:53.078: ISAKMP:(1103): processing keep alive: proposal=32767/32767 sec., actual=120/10 sec.
Jun 29 20:23:53.078: ISAKMP:(1103): processing vendor id payload
Jun 29 20:23:53.078: ISAKMP:(1103): vendor ID is DPD
Jun 29 20:23:53.078: ISAKMP:(1103):SA authentication status:
authenticated
Jun 29 20:23:53.078: ISAKMP:(1103):SA has been authenticated with 64.xxx.xxx.130
Jun 29 20:23:53.078: ISAKMP:(1103):IKE_DPD is enabled, initializing timers
Jun 29 20:23:53.078: ISAKMP: Trying to insert a peer 116.xxx.xxx.242/64.xxx.xxx.130/500/, and inserted successfully 76108C0.
Jun 29 20:23:53.078: ISAKMP:(1103):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 29 20:23:53.078: ISAKMP:(1103):Old State = IKE_I_MM5 New State = IKE_I_MM6
Jun 29 20:23:53.078: ISAKMP:(1103):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 29 20:23:53.078: ISAKMP:(1103):Old State = IKE_I_MM6 New State = IKE_I_MM6
Jun 29 20:23:53.078: ISAKMP:(1103):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 29 20:23:53.078: ISAKMP:(1103):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Jun 29 20:23:53.078: ISAKMP:(1103):beginning Quick Mode exchange, M-ID of 1656295180
Jun 29 20:23:53.078: ISAKMP:(1103):QM Initiator gets spi
Jun 29 20:23:53.082: ISAKMP:(1103): sending packet to 64.xxx.xxx.130 my_port 500 peer_port 500 (I) QM_IDLE
Jun 29 20:23:53.082: ISAKMP:(1103):Node 1656295180, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jun 29 20:23:53.082: ISAKMP:(1103):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Jun 29 20:23:53.082: ISAKMP:(1103):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jun 29 20:23:53.082: ISAKMP:(1103):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jun 29 20:23:53.294: ISAKMP:(1101):purging SA., sa=74CF0B8, delme=74CF0B8
Jun 29 20:23:53.310: ISAKMP (0:1103): received packet from 64.xxx.xxx.130 dport 500 sport 500 Global (I) QM_IDLE
Jun 29 20:23:53.310: ISAKMP: set new node 200480399 to QM_IDLE
Jun 29 20:23:53.310: ISAKMP:(1103): processing HASH payload. message ID = 200480399
Jun 29 20:23:53.310: ISAKMP:(1103): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 0, message ID = 200480399, sa = 750CB80
Jun 29 20:23:53.310: ISAKMP:(1103):deleting node 200480399 error FALSE reason "Informational (in) state 1"
Jun 29 20:23:53.310: ISAKMP:(1103):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jun 29 20:23:53.310: ISAKMP:(1103):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jun 29 20:23:53.310: ISAKMP (0:1103): received packet from 64.xxx.xxx.130 dport 500 sport 500 Global (I) QM_IDLE
Jun 29 20:23:53.310: ISAKMP: set new node 737465165 to QM_IDLE
Jun 29 20:23:53.310: ISAKMP:(1103): processing HASH payload. message ID = 737465165
Jun 29 20:23:53.310: ISAKMP:(1103): processing DELETE payload. message ID = 737465165
Jun 29 20:23:53.310: ISAKMP:(1103):peer does not do paranoid keepalives.
Jun 29 20:23:53.310: ISAKMP:(1103):deleting SA reason "No reason" state (I) QM_IDLE (peer 64.xxx.xxx.130)
Jun 29 20:23:53.310: ISAKMP:(1103):deleting node 737465165 error FALSE reason "Informational (in) state 1"
Jun 29 20:23:53.310: ISAKMP: set new node 305220440 to QM_IDLE
Jun 29 20:23:53.310: ISAKMP:(1103): sending packet to 64.xxx.xxx.130 my_port 500 peer_port 500 (I) QM_IDLE
Jun 29 20:23:53.310: ISAKMP:(1103):purging node 305220440
Jun 29 20:23:53.310: ISAKMP:(1103):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jun 29 20:23:53.310: ISAKMP:(1103):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Jun 29 20:23:53.310: ISAKMP:(1103):deleting SA reason "No reason" state (I) QM_IDLE (peer 64.xxx.xxx.130)
Jun 29 20:23:53.310: ISAKMP: Unlocking peer struct 0x76108C0 for isadb_mark_sa_deleted(), count 0
Jun 29 20:23:53.310: ISAKMP: Deleting peer node by peer_reap for 64.xxx.xxx.130: 76108C0
Jun 29 20:23:53.310: ISAKMP:(1103):deleting node 1656295180 error FALSE reason "IKE deleted"
Jun 29 20:23:53.310: ISAKMP:(1103):deleting node 200480399 error FALSE reason "IKE deleted"
Jun 29 20:23:53.310: ISAKMP:(1103):deleting node 737465165 error FALSE reason "IKE deleted"
Jun 29 20:23:53.310: ISAKMP:(1103):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 29 20:23:53.310: ISAKMP:(1103):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Appreciate your help. Thank you in advance.
06-29-2017 04:13 PM
I was checking the logs, and it seems phase 1 completes but you have a phase 2 mismatch. Checking the configuration, I see the other end is using the following ACL:
Source: 10.0.0.0/20
Destination: 10.65.0.0/19
And you are using:
ip access-list extended eq-ipsec-4
permit ip 10.65.0.0 0.0.63.255 10.0.0.0 0.0.15.255
permit ip 10.65.0.0 0.0.63.255 10.0.1.0 0.0.0.255 --completely redundant
So can you please go into the ACL eq-ipsec and remove the second line? After that, let me know how it goes.
Hope this info helps!!
Rate if it helps you!!
-JP-
06-29-2017 04:25 PM
Hi JP,
I removed the second line on the acl but it did not resolve the issue.
06-29-2017 04:41 PM
Forbes,
Try getting the full VPN config from the other end and making sure everything matches. Right now the tunnel is giving you a no proposal chosen on phase, and that is in the crypto map configuration.
Hope this info helps!!
Rate if it helps you!!
-JP-
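Both replies point at the phase 2 proxy identities, so here is an added example (my own script, not code from anyone in this thread) that turns the router's crypto ACL wildcards into the proxy IDs IOS places in the quick mode ID payloads and checks them against the ASA side's stated Source/Destination. The ACL lines and peer networks are copied from the first post; the script assumes the ASA's Destination is the router's local network and its Source the router's remote network, and it surfaces that wildcard 0.0.63.255 is a /18 (255.255.192.0, as the show crypto session output prints) while the remote side lists 10.65.0.0/19.

```python
import ipaddress

# Constructed from the thread: the router's crypto ACL and the ASA side's stated
# Source/Destination. The ASA's Destination is our local net, its Source our remote.
LOCAL_ACL = [
    "permit ip 10.65.0.0 0.0.63.255 10.0.0.0 0.0.15.255",
    "permit ip 10.65.0.0 0.0.63.255 10.0.1.0 0.0.0.255",
]
PEER_SOURCE = "10.0.0.0/20"        # remote ASA: Source
PEER_DESTINATION = "10.65.0.0/19"  # remote ASA: Destination

def wildcard_to_prefixlen(wildcard):
    """Invert an IOS wildcard (0.0.63.255 -> 255.255.192.0) and return the prefix
    length. Non-contiguous wildcards have no subnet-mask form and are rejected."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    bits = format(mask, "032b")
    if "01" in bits:  # a 0 followed by a 1 means the mask is not contiguous
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return bits.count("1")

def acl_to_proxy_ids(acl_lines):
    """Turn 'permit ip SRC WC DST WC' lines into (local, remote) 'addr/len' pairs,
    which is what the initiator sends as quick mode proxy IDs."""
    ids = []
    for line in acl_lines:
        parts = line.split()
        if len(parts) != 6 or parts[:2] != ["permit", "ip"]:
            raise ValueError(f"unsupported crypto ACL line: {line}")
        src, swc, dst, dwc = parts[2:]
        ids.append((f"{src}/{wildcard_to_prefixlen(swc)}",
                    f"{dst}/{wildcard_to_prefixlen(dwc)}"))
    return ids

def check_mirror(acl_lines, peer_source, peer_destination):
    """Report, per ACL entry, whether it exactly mirrors the peer's proxy IDs.
    IKEv1 quick mode needs an exact mirror; a wider or narrower network on either
    side makes the responder answer PROPOSAL_NOT_CHOSEN, as in the debug above."""
    report = []
    for local_id, remote_id in acl_to_proxy_ids(acl_lines):
        problems = []
        if local_id != peer_destination:
            problems.append(f"local {local_id} != peer destination {peer_destination}")
        if remote_id != peer_source:
            problems.append(f"remote {remote_id} != peer source {peer_source}")
        report.append((local_id, remote_id, problems))
    return report

if __name__ == "__main__":
    for local_id, remote_id, problems in check_mirror(LOCAL_ACL, PEER_SOURCE, PEER_DESTINATION):
        print(local_id, "->", remote_id, "OK" if not problems else "; ".join(problems))
```

Run it against the thread's values and both ACL entries are flagged on the local side; the first entry's remote side (10.0.0.0/20) already mirrors the ASA's Source.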