02-07-2014 05:23 PM
Hi.
Can get the tunnel up, but no traffic.
Here is output:
Router#sh run
crypto isakmp policy 1
authentication pre-share
crypto isakmp key ******** address 2.2.2.2
!
!
crypto ipsec transform-set TS esp-des esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 2.2.2.2
set transform-set TS
match address VPN-TRAFFIC
interface Vlan2
ip address 192.168.5.4 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1414
!
interface Dialer1
description $RT_OUTSIDE$
ip address negotiated
ip access-group 100 in
no ip unreachables
ip mtu 1454
ip nat outside
ip inspect outside out
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname
ppp chap password
no cdp enable
crypto map CMAP
!
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 100 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark -=[VPN NO NAT]=-
access-list 100 deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
access-list 100 permit udp any any eq non500-isakmp
access-list 100 permit udp any any eq isakmp
access-list 100 permit esp any any
access-list 100 remark
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 180 permit ip 192.168.5.0 0.0.0.255 any
end
Router#
Router#sh access-list
Extended IP access list 100
10 deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255 (104 matches)
20 permit ip 192.168.5.0 0.0.0.255 any (23401 matches)
21 permit udp any any eq non500-isakmp
22 permit udp any any eq isakmp (1436 matches)
23 permit esp any any (36 matches)
30 permit icmp any any echo-reply (41 matches)
40 permit icmp any any time-exceeded (123 matches)
50 permit icmp any any packet-too-big
60 permit icmp any any traceroute
70 permit icmp any any unreachable (633 matches)
Extended IP access list 180
10 permit ip 192.168.5.0 0.0.0.255 any
Extended IP access list VPN-TRAFFIC
10 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255 (136 matches)
Router#
Router#show crypto ipsec sa
interface: Dialer1
Crypto map tag: CMAP, local addr 2.2.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 52, #pkts encrypt: 52, #pkts digest: 52
#pkts decaps: 36, #pkts decrypt: 36, #pkts verify: 36
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 48, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
02-08-2014 01:17 AM
Can you please share the Phase 1 and Phase 2 parameters of both devices, or better, the running config of both sides.
02-10-2014 07:01 AM
Sorry.
I don't have access to the other side, and the other side's equipment is not cisco.
After some effort, we were able to get the tunnel to connect somewhat, but always in a QM_IDLE state.
(Possibly not connecting on Phase 2.)
Here are some changes we made so far (see original config above):
ip nat inside source route-map nonat interface Dialer1 overload (removed old nat overload statement)
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 4.2.2.2 255.255.255.255 Dialer1
ip route 192.168.0.0 255.255.255.0 2.2.2.2
route-map nonat permit 10
match ip address 100
What I noticed is that even though we have the deny statements (see config above), when we ping from the router to the internal subnet on the other end, it still tries to send the traffic to the Dialer1 gateway and out to the internet, instead of into the tunnel.
Why is that?
02-10-2014 10:51 AM
Hello.
Per my understanding, your ACL for the NAT route-map should have 2 lines:
deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 any
Don't use ACL 100 for NAT, as it's already applied as the inbound ACL on the Dialer interface.
Btw, ACL 100 (as the inbound ACL) needs cleanup.
You don't need "ip route 192.168.0.0 255.255.255.0 2.2.2.2".
When you ping the remote subnet from the router, you need to use the "source vlan2" keyword to make the router source the traffic from VLAN2 and not from the Dialer IP address.
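As an added illustration (not code from the thread or from Cisco), the check below reads a reduced copy of the config posted above and reports the two things this reply is about: the NAT ACL being reused as an interface filter, and any crypto-ACL flow whose first matching NAT entry is not a deny. It assumes a single `ip nat inside source list` statement and a single `match address` in the crypto map, as in the posted config.

```python
import re
# Constructed sample, reduced to the lines that matter from the thread's "sh run":
# ACL 100 is both the NAT overload list and the inbound filter on Dialer1.
SAMPLE_CONFIG = """\
interface Dialer1
 ip access-group 100 in
crypto map CMAP 10 ipsec-isakmp
 match address VPN-TRAFFIC
ip nat inside source list 100 interface Dialer1 overload
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
"""
def _ep(tok, i):
    """Consume one ACE endpoint at tok[i]: 'any' (one token) or 'net wildcard' (two)."""
    return ("any", i + 1) if tok[i] == "any" else (tok[i] + "/" + tok[i + 1], i + 2)
def parse_acls(config):
    """{acl: [(action, src, dst), ...]} for 'permit|deny ip' entries, in configured order."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"access-list (\S+) (.*)", line)
        if m:                                      # numbered ACL: one entry per line
            current, line = m.group(1), m.group(2)
        elif line.startswith("ip access-list extended "):
            current = line.split()[-1]             # named ACL: indented entries follow
            continue
        elif not raw.startswith(" "):              # any other top-level line ends a block
            current = None
            continue
        tok = line.split()
        if current and len(tok) > 3 and tok[0] in ("permit", "deny") and tok[1] == "ip":
            src, i = _ep(tok, 2)
            acls.setdefault(current, []).append((tok[0], src, _ep(tok, i)[0]))
    return acls
def check_nat_exemption(config):
    """Findings: NAT ACL doubling as an interface filter, or a crypto-ACL flow whose first
    matching NAT entry (endpoints compared literally: equal or 'any') is not a deny."""
    acls, findings = parse_acls(config), []
    nat = re.search(r"ip nat inside source list (\S+)", config).group(1)
    crypto = re.search(r"^ match address (\S+)", config, re.M).group(1)
    if nat in re.findall(r"ip access-group (\S+) (?:in|out)", config):
        findings.append(f"ACL {nat} is both the NAT list and an interface filter")
    for action, src, dst in acls.get(crypto, []):
        if action == "permit":
            hit = next((e for e in acls.get(nat, []) if e[1] in (src, "any") and e[2] in (dst, "any")), None)
            if hit is None or hit[0] != "deny":
                findings.append(f"VPN flow {src} -> {dst} is not exempted from NAT")
    return findings
```

Run against the sample, the only finding is the dual use of ACL 100; moving the deny line below the permit also produces the "not exempted from NAT" finding, which is the case where VPN traffic gets translated and never matches the crypto ACL.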
02-10-2014 06:33 PM
I removed those extra lines from access-list 100.
Now all it contains is:
deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 any
Deleted "ip route 192.168.0.0 255.255.255.0 2.2.2.2"
I also removed "ip access-group 100 in" from the Dialer.
Still can't get the tunnel to come up properly or traffic to go across.
Here is the output from debug:
Feb 11 02:22:04.281: ISAKMP: local port 500, remote port 500
Feb 11 02:22:04.281: ISAKMP: set new node 0 to QM_IDLE
Feb 11 02:22:04.281: ISAKMP:(0):insert sa successfully sa = 8772BD00
Feb 11 02:22:04.281: ISAKMP:(0):Can not start Aggressive mode, trying Main
ACL-JAPAN-R1# mode.
Feb 11 02:22:04.281: ISAKMP:(0):found peer pre-shared key matching 2.2.2.2
Feb 11 02:22:04.281: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Feb 11 02:22:04.281: ISAKMP:(0): constructed NAT-T vendor-07 ID
Feb 11 02:22:04.281: ISAKMP:(0): constructed NAT-T vendor-03 ID
Feb 11 02:22:04.281: ISAKMP:(0): constructed NAT-T vendor-02 ID
Feb 11 02:22:04.281: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Feb 11 02:22:04.281: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Feb 11 02:22:04.281: ISAKMP:(0): beginning Main Mode exchange
Feb 11 02:22:04.281: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 11 02:22:04.281: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 11 02:22:14.281: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 11 02:22:14.281: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Feb 11 02:22:14.281: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 11 02:22:14.281: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 11 02:22:14.281: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 11 02:22:24.281: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 11 02:22:24.281: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Feb 11 02:22:24.281: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 11 02:22:24.281: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 11 02:22:24.281: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 11 02:22:34.281: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 1.1.1.1:0, remote= 2.2.2.2.:0,
local_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4)
Feb 11 02:22:34.281: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 1.1.1.1:500, remote= 2.2.2.2:500,
local_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Feb 11 02:22:34.281: ISAKMP: set new node 0 to QM_IDLE
Feb 11 02:22:34.281: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 1.1.1.1, remote 2.2.2.2)
Feb 11 02:22:34.281: ISAKMP: Error while processing SA request: Failed to initialize SA
Feb 11 02:22:34.281: ISAKMP: Error while processing KMI message 0, error 2.
Feb 11 02:22:34.281: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 11 02:22:34.281: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Feb 11 02:22:34.281: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 11 02:22:34.281: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 11 02:22:34.281: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 11 02:22:44.281: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 11 02:22:44.281: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Feb 11 02:22:44.281: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 11 02:22:44.281: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 11 02:22:44.281: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 11 02:22:54.281: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 11 02:22:54.281: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Feb 11 02:22:54.281: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 11 02:22:54.281: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 11 02:22:54.281: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 11 02:23:04.281: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 11 02:23:04.281: ISAKMP:(0):peer does not do paranoid keepalives.
Feb 11 02:23:04.281: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 2.2.2.2)
Feb 11 02:23:04.281: ISAKMP: Unlocking peer struct 0x877ABF10 for isadb_mark_sa_deleted(), count 0
Feb 11 02:23:04.281: ISAKMP: Deleting peer node by peer_reap for 2.2.2.2: 877ABF10
Feb 11 02:23:04.281: ISAKMP:(0):deleting node 1375737432 error FALSE reason "IKE deleted"
Feb 11 02:23:04.281: ISAKMP:(0):deleting node -1417271534 error FALSE reason "IKE deleted"
Feb 11 02:23:04.281: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Feb 11 02:23:04.281: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
Feb 11 02:23:04.281: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Feb 11 02:23:54.281: ISAKMP:(0):purging node 1375737432
Feb 11 02:23:54.281: ISAKMP:(0):purging node -1417271534
Feb 11 02:24:04.281: ISAKMP:(0):purging SA., sa=8772BD00, delme=8772BD00
02-10-2014 11:49 PM
Hello.
From your debug I see the remote side is not responding to ISAKMP requests.
So, this exact debug tells us that either communication with the remote peer is broken, or it's not accepting IPsec.
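To make that reading of the debug repeatable, here is an added Python helper (not from the thread or from Cisco) that summarizes an initiator-side ISAKMP debug: packets sent, packets received from the peer, phase-1 retransmit attempts, the last IKE state and the delete reason. The sample input is an abridged copy of the debug posted above; the second sample, where the peer answers, is constructed to show the contrasting case.

```python
import re
# Abridged from the debug output posted in this thread (initiator side, no reply ever seen).
THREAD_DEBUG = """\
Feb 11 02:22:04.281: ISAKMP:(0): beginning Main Mode exchange
Feb 11 02:22:04.281: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 11 02:22:14.281: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 11 02:22:24.281: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 11 02:22:34.281: ISAKMP: Error while processing SA request: Failed to initialize SA
Feb 11 02:23:04.281: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 2.2.2.2)
Feb 11 02:23:04.281: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
"""
# Constructed counter-example: same start, but the peer answers the first main-mode message.
PEER_REPLIES = """\
Feb 11 02:30:00.000: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 11 02:30:00.050: ISAKMP (0): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_NO_STATE
Feb 11 02:30:00.050: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
"""
SENT = re.compile(r"sending packet to (\S+) my_port \d+ peer_port \d+ \(I\)")
RECV = re.compile(r"received packet from (\S+) dport \d+ sport \d+")
RETX = re.compile(r"retransmitting phase 1 \S+?\.\.\.")   # one line per retransmit attempt
STATE = re.compile(r"New State = (\S+)")
DEATH = re.compile(r'deleting SA reason "([^"]+)"')
def analyze_phase1(debug):
    """Summarize an initiator-side ISAKMP debug and give the same verdict the reply above does:
    sent packets with nothing received means the peer never answered at all."""
    s = {"peer": None, "sent": 0, "received": 0, "retransmits": 0, "last_state": None, "reason": None}
    for line in debug.splitlines():
        if m := SENT.search(line):
            s["peer"], s["sent"] = m.group(1), s["sent"] + 1
        elif RECV.search(line):
            s["received"] += 1
        elif RETX.search(line):
            s["retransmits"] += 1
        if m := STATE.search(line):
            s["last_state"] = m.group(1)
        if m := DEATH.search(line):
            s["reason"] = m.group(1)
    if s["sent"] and not s["received"]:
        s["verdict"] = (f"no reply from {s['peer']}: path to the peer is broken, UDP/500 is filtered, "
                        "or the peer is not accepting IPsec from this address")
    elif s["reason"]:
        s["verdict"] = f"peer replied but negotiation was torn down: {s['reason']}"
    else:
        s["verdict"] = f"peer responding; phase 1 reached {s['last_state']}"
    return s
```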