07-24-2003 06:11 AM
Hi
Can you from the following VPN3015 debug output see what is the problem with the VPN LAN-to-LAN connection.
Thanks
Gert Schaarup
My VPN 3015 setup.
Digital Certificate:Preshared Keys
Authentication: ESP/SHA/HMAC-160
Encryption:3DES-168
IKE Proposal:IKE-3DES-SHA-DH2
Remote VPN box:
IPsec protocol/encryption: esp-3des
IPsec protocol/Authentication: esp-sha-hmac
ISAKMP authentication: pre-share
ISAKMP identity: address
ISAKMP Diffie-Hellman group: 2 (1024 bits)
---------------------------------------
NB When I compare the debug below with a debug of a VPN LAN-to-LAN that works I see that "Received Altiga GW VID" is missing, is this an issue?
Debug output:
-----------------------
SEV=4 IKE/41 RPT=3183 62.243.213.30 IKE Initiator: New Phase 1, Intf 2, IKE Peer 62.243.213.30 local Proxy Address 195.7.21.10, remote Proxy Address 192.168.141.0, SA (L2L: LokalForsikring)
SEV=9 IKEDBG/0 RPT=12001 62.243.213.30 constructing ISA_SA for isakmp
SEV=9 IKEDBG/46 RPT=181 62.243.213.30 constructing Fragmentation VID + extended capabilities payload
SEV=8 IKEDBG/0 RPT=12002 62.243.213.30 SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) total length : 104
SEV=8 IKEDECODE/0 RPT=6757 62.243.213.30 ISAKMP HEADER : ( Version 1.0 ) Initiator Cookie(8): C5 47 EA A5 A0 3A E4 6C Responder Cookie(8): BD 7B D7 00 48 F8 8A BE Next Payload : SA (1) Exchange Type : Oakley Main Mode Flags : 0 Message ID : 0 Length : 80
SEV=8 IKEDBG/0 RPT=12003 62.243.213.30 RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 80
SEV=8 IKEDBG/0 RPT=12004 62.243.213.30 RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 80
SEV=9 IKEDBG/0 RPT=12005 62.243.213.30 processing SA payload
SEV=8 IKEDECODE/0 RPT=6758 62.243.213.30 SA Payload Decode : DOI : IPSEC (1) Situation : Identity Only (1) Length : 52
SEV=8 IKEDECODE/0 RPT=6759 62.243.213.30 Proposal Decode: Proposal # : 1 Protocol ID : ISAKMP (1) #of Transforms: 1 Length : 40
SEV=8 IKEDECODE/0 RPT=6760 62.243.213.30 Transform # 1 Decode for Proposal # 1: Transform # : 1 Transform ID : IKE (1) Length : 32
IKEDECODE/0 RPT=6761 62.243.213.30 Phase 1 SA Attribute Decode for Transform # 1: Encryption Alg: Triple-DES (5) Hash Alg : SHA (2) DH Group : Oakley Group 2 (2) Auth Method : Preshared Key (1) Life Time : 28800 seconds
SEV=12 IKEDECODE/0 RPT=6762 IKE Decode of received SA attributes follows: 0000: 80010005 80020002 80040002 80030001 ................ 0010: 800B0001 800C7080 ......p.
SEV=7 IKEDBG/0 RPT=12006 62.243.213.30 Oakley proposal is acceptable
SEV=9 IKEDBG/0 RPT=12007 62.243.213.30 constructing ke payload
SEV=9 IKEDBG/1 RPT=604 62.243.213.30 constructing nonce payload
SEV=9 IKEDBG/46 RPT=182 62.243.213.30 constructing Cisco Unity VID payload
SEV=9 IKEDBG/46 RPT=183 62.243.213.30 constructing xauth V6 VID payload
SEV=9 IKEDBG/48 RPT=50 62.243.213.30 Send IOS VID
SEV=9 IKEDBG/38 RPT=26 62.243.213.30 Constructing VPN 3000 spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
SEV=9 IKEDBG/46 RPT=184 62.243.213.30 constructing VID payload
SEV=9 IKEDBG/48 RPT=51 62.243.213.30 Send Altiga GW VID
SEV=8 IKEDBG/0 RPT=12008 62.243.213.30 SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) total length : 256
SEV=8 IKEDECODE/0 RPT=6763 62.243.213.30 ISAKMP HEADER : ( Version 1.0 ) Initiator Cookie(8): C5 47 EA A5 A0 3A E4 6C Responder Cookie(8): BD 7B D7 00 48 F8 8A BE Next Payload : KE (4) Exchange Type : Oakley Main Mode Flags : 0 Message ID : 0 Length : 256
SEV=8 IKEDBG/0 RPT=12009 62.243.213.30 RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
SEV=8 IKEDBG/0 RPT=12010 62.243.213.30 RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
SEV=9 IKEDBG/0 RPT=12011 62.243.213.30 processing ke payload
SEV=9 IKEDBG/0 RPT=12012 62.243.213.30 processing ISA_KE
SEV=9 IKEDBG/1 RPT=605 62.243.213.30 processing nonce payload
SEV=9 IKEDBG/47 RPT=119 62.243.213.30 processing VID payload
SEV=9 IKEDBG/49 RPT=106 62.243.213.30 Received xauth V6 VID
SEV=9 IKEDBG/47 RPT=120 62.243.213.30 processing VID payload
SEV=9 IKEDBG/49 RPT=107 62.243.213.30 Received DPD VID
SEV=9 IKEDBG/47 RPT=121 62.243.213.30 processing VID payload
SEV=9 IKEDBG/49 RPT=108 62.243.213.30 Received Cisco Unity client VID
SEV=9 IKEDBG/47 RPT=122 62.243.213.30 processing VID payload
SEV=9 IKEDBG/38 RPT=27 62.243.213.30 Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000025)
SEV=9 IKEDBG/0 RPT=12013 62.243.213.30 Generating keys for Initiator...
SEV=9 IKEDBG/1 RPT=606 62.243.213.30 Group [62.243.213.30] constructing ID
SEV=9 IKEDBG/0 RPT=12014 Group [62.243.213.30] construct hash payload
SEV=9 IKEDBG/0 RPT=12015 62.243.213.30 Group [62.243.213.30] computing hash
SEV=9 IKEDBG/34 RPT=13 62.243.213.30 Constructing IOS keep alive payload: proposal=32767/32767 sec.
SEV=9 IKEDBG/46 RPT=185 62.243.213.30 Group [62.243.213.30] constructing dpd vid payload
SEV=8 IKEDBG/0 RPT=12016 62.243.213.30 SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) total length : 96
SEV=7 IPSECDBG/10 RPT=20 IPSEC ipsec_output() can call key_acquire() because 1 seconds have elapsed since last IKE negotiation began (src 0xc307150a, dst 0x01beb224)
SEV=7 IPSECDBG/14 RPT=20 Sending KEY_ACQUIRE to IKE for src 195.7.21.10, dst 192.168.141.17
SEV=8 IKEDBG/0 RPT=12017 pitcher: received a key acquire message!
SEV=7 IKEDBG/13 RPT=22 Tunnel negotiation in progress for destination 62.243.213.30, discarding data
SEV=7 IPSECDBG/10 RPT=21 IPSEC ipsec_output() can call key_acquire() because 1 seconds have elapsed since last IKE negotiation began (src 0xc307150a, dst 0x01beb224)
SEV=7 IPSECDBG/14 RPT=21 Sending KEY_ACQUIRE to IKE for src 195.7.21.10, dst 192.168.141.17
SEV=8 IKEDBG/0 RPT=12018 pitcher: received a key acquire message!
SEV=7 IKEDBG/13 RPT=23 Tunnel negotiation in progress for destination 62.243.213.30, discarding data
07-24-2003 04:55 PM
The message you're not seeing shouldn't be an issue, probably just a difference between versions.
We can't see what the problem is from this output, things seem to be going along well and then it just stops. Looks like the traffic isn't getting through to the peer, or the peer isn't responding for some reason. Can you get the similar debug from the other side?
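The reply above points at the one thing the debug does show: the initiator sends Main Mode message 5 (ID + HASH) and nothing comes back. The following script is an added example, not part of the thread, that reads VPN 3000-style IKE debug lines and reports how far Phase 1 got, which vendor IDs the peer sent, and how much user traffic was discarded while the tunnel was pending. The sample log is constructed with documentation addresses and the stall hints are general IKEv1 behaviour rather than anything the thread states.

```python
import re

# Constructed sample in the shape of the VPN 3000 IKE debug output quoted in
# the thread (documentation addresses; this is not the poster's log).
SAMPLE_LOG = """\
SEV=4 IKE/41 RPT=1 203.0.113.30 IKE Initiator: New Phase 1, Intf 2, IKE Peer 203.0.113.30 local Proxy Address 198.51.100.10, remote Proxy Address 192.168.141.0, SA (L2L: Example)
SEV=8 IKEDBG/0 RPT=2 203.0.113.30 SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) total length : 104
SEV=8 IKEDBG/0 RPT=3 203.0.113.30 RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 80
SEV=8 IKEDBG/0 RPT=4 203.0.113.30 RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 80
SEV=8 IKEDBG/0 RPT=5 203.0.113.30 SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) total length : 256
SEV=8 IKEDBG/0 RPT=6 203.0.113.30 RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + NONE (0) total length : 256
SEV=9 IKEDBG/49 RPT=7 203.0.113.30 Received DPD VID
SEV=8 IKEDBG/0 RPT=8 203.0.113.30 SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) total length : 96
SEV=7 IKEDBG/13 RPT=9 Tunnel negotiation in progress for destination 203.0.113.30, discarding data
"""

# "SENDING/RECEIVED Message (msgid=N) with payloads : HDR + <first payload> ..."
MSG_RE = re.compile(r"(SENDING|RECEIVED) Message \(msgid=(\w+)\) with payloads : HDR \+ (\w+)")
# Lower-case "Received ... VID" lines name the vendor IDs the peer advertised.
VID_RE = re.compile(r"Received (.+?) VID")

# IKEv1 Main Mode as the initiator sees it: six messages, alternating direction.
MAIN_MODE = [
    ("SENDING", "SA"), ("RECEIVED", "SA"),
    ("SENDING", "KE"), ("RECEIVED", "KE"),
    ("SENDING", "ID"), ("RECEIVED", "ID"),
]

# What a missing reply usually means at each step (general IKEv1 behaviour).
STALL_HINTS = {
    0: "no Phase 1 messages logged at all",
    1: "no answer to MM1: peer unreachable, UDP/500 blocked, or no acceptable Phase 1 proposal",
    3: "no answer to MM3 (KE+NONCE): message lost in transit or peer rejected the key exchange",
    5: "no answer to MM5 (first encrypted ID+HASH): peer could not verify it (pre-shared key or "
       "identity mismatch) or the message never reached it",
}


def phase1_messages(text):
    """Main Mode messages in order; the concentrator logs each RECEIVED message twice, so collapse repeats."""
    msgs = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m or m.group(2) != "0":  # msgid=0 is the Phase 1 exchange
            continue
        step = (m.group(1), m.group(3))
        if msgs and msgs[-1] == step:  # duplicate log entry for the same message
            continue
        msgs.append(step)
    return msgs


def analyze_phase1(text):
    """Summarise how far Phase 1 progressed and what the log says about the stall."""
    msgs = phase1_messages(text)
    matched = 0
    for got, want in zip(msgs, MAIN_MODE):
        if got != want:
            break
        matched += 1
    complete = matched == len(MAIN_MODE)
    return {
        "messages": matched,
        "complete": complete,
        "vendor_ids": VID_RE.findall(text),
        "discarded_data_lines": text.count("discarding data"),
        "hint": None if complete else STALL_HINTS.get(matched, "stalled at an unexpected step"),
    }


if __name__ == "__main__":
    for key, value in analyze_phase1(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the concentrator's own log the output shows the same picture the reply describes: five Main Mode messages, no sixth, and data being discarded while IKE waits. The hint for a stall after MM5 is the reason the reply asks for the peer's debug: the first encrypted message either never arrived or the peer could not process it, and only the peer's log distinguishes the two.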
02-04-2004 12:55 PM
Along these lines, is the far end device behind a firewall or NAT/PAT device? If so and it doesn't support IPSec pass-thru that could break things. Even if it does, sometimes when opening firewall policies to support IPSec people will allow TCP and/or UDP port 50 instead of IP protocol 50, so that's another thing to check.
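The port-50 mistake mentioned above is easy to catch mechanically. Below is an added example, not part of the thread, that audits a small firewall policy written in simplified Cisco ACL-style lines: it confirms UDP/500 for IKE and IP protocol 50 (ESP) for the tunnel traffic, notes UDP/4500 for NAT-T (relevant when the peer sits behind NAT/PAT, an assumption beyond what the post states), and flags "port 50" rules as the likely error. Both rule sets are constructed for illustration.

```python
import re

# Simplified ACL grammar: "<permit|deny> <proto> <src> <dst> [eq <port>]".
ACL_RE = re.compile(r"^(permit|deny)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+eq\s+(\d+))?$")
PROTO_NUMBERS = {"esp": 50, "ah": 51, "udp": 17, "tcp": 6}

# Constructed example: what people tend to write when told "open port 50".
WRONG_POLICY = [
    "permit udp any any eq 500",
    "permit tcp any any eq 50",
    "permit udp any any eq 50",
]

# Constructed example: IKE, ESP as an IP protocol, and NAT-T.
FIXED_POLICY = [
    "permit udp any any eq 500",
    "permit esp any any",
    "permit udp any any eq 4500",
]


def parse_rule(line):
    """Return (action, protocol, port) with the protocol normalised to a number or 'ip'."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    action, proto, _src, _dst, port = m.groups()
    proto = proto.lower()
    if proto.isdigit():
        proto = int(proto)
    elif proto in PROTO_NUMBERS:
        proto = PROTO_NUMBERS[proto]
    elif proto != "ip":
        raise ValueError(f"unknown protocol in rule: {line!r}")
    return action, proto, int(port) if port else None


def audit_ipsec_policy(lines):
    """Check that a policy lets an IPsec LAN-to-LAN tunnel through and list what is wrong."""
    ike = esp = nat_t = False
    findings = []
    for line in lines:
        action, proto, port = parse_rule(line)
        if action != "permit":
            continue
        if proto == "ip":  # permit ip any any covers everything
            ike = esp = nat_t = True
        elif proto == 50:
            esp = True
        elif proto == 17 and port == 500:
            ike = True
        elif proto == 17 and port == 4500:
            nat_t = True
        elif proto in (6, 17) and port == 50:
            findings.append(f"'{line}': port 50 is not ESP; ESP is IP protocol 50, not a TCP/UDP port")
    if not ike:
        findings.append("UDP/500 not permitted: IKE cannot negotiate at all")
    if not esp:
        findings.append("IP protocol 50 (ESP) not permitted: IKE may complete but tunnel traffic is dropped")
    return {"ike_udp_500": ike, "esp_ip_50": esp, "nat_t_udp_4500": nat_t, "findings": findings}


if __name__ == "__main__":
    for name, policy in (("wrong", WRONG_POLICY), ("fixed", FIXED_POLICY)):
        print(name, audit_ipsec_policy(policy))
```

Note the failure mode the post describes: with the wrong policy IKE on UDP/500 is allowed, so Phase 1 may well complete, and the symptom only appears when ESP packets are silently dropped. A concentrator that never gets past Phase 1, as in this thread, points at the IKE path instead, which is why the audit reports UDP/500 and ESP separately.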
02-04-2004 10:05 PM
Hi Dana
Thanks for the answer/comments. Unfortunately the "far" end never told me what they did to solve the problem. But it would have been nice if it had been possible to get some kind of clue from the debug output about what was wrong.
Regards.
Gert
02-03-2004 02:53 AM
Would you please tell me what command you entered to get such excellent debug from a VPN3000? I can't get past the menu system?
Many Thanks
02-03-2004 03:11 AM
Hi Ian
Sure, but not by commands; by using the GUI.
On the VPN3015 http GUI "Concentrator Series Manager" click/goto "System" then "Event" and then "Classes" here you define/add the events you would like to see in the log, on the console, to a Syslog server, an e-mail, or even a trap.
The quick and easy way is to send it to the log, and then view it by clicking on "Monitoring" and then either "Filterable Event Log" or "Live Event Log".
Good luck.
02-05-2004 01:15 AM
Thank you for your help.