site-site vpn ( pix to 2621 router ) failing

ken.ng
Level 1

Hi--

trying to get a pix and 2621 ( IOS 12.3(12) ) connected via site-site vpn.

here are some of the debug messages:

Mar 26 22:14:55.871: ISAKMP (0:38): Old State = IKE_I_MM1 New State = IKE_DEST_SA
Mar 26 22:14:55.955: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= xxx.xxx.xxx.xxx, remote= xxx.xxx.xxx.xxx,
local_proxy= 10.0.0.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xD3C88362(3553133410), conn_id= 0, keysize= 0, flags= 0x400A
Mar 26 22:14:55.959: ISAKMP: received ke message (1/1)
Mar 26 22:14:55.959: ISAKMP (0:0): SA request profile is (NULL)
Mar 26 22:14:55.959: ISAKMP: local port 500, remote port 500
Mar 26 22:14:55.959: ISAKMP: set new node 0 to QM_IDLE
Mar 26 22:14:55.959: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 832B0E80
Mar 26 22:14:55.959: ISAKMP (0:39): Can not start Aggressive mode, trying Main mode.
Mar 26 22:14:55.959: ISAKMP: Looking for a matching key for xxx.xxx.xxx.xxx in default : success
Mar 26 22:14:55.963: ISAKMP (0:39): found peer pre-shared key matching 219.146.59.201
Mar 26 22:14:55.963: ISAKMP (0:39): constructed NAT-T vendor-07 ID
Mar 26 22:14:55.963: ISAKMP (0:39): constructed NAT-T vendor-03 ID
Mar 26 22:14:55.963: ISAKMP (0:39): constructed NAT-T vendor-02 ID
Mar 26 22:14:55.963: ISAKMP (0:39): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 26 22:14:55.963: ISAKMP (0:39): Old State = IKE_READY New State = IKE_I_MM1
Mar 26 22:14:55.963: ISAKMP (0:39): beginning Main Mode exchange
Mar 26 22:14:55.963: ISAKMP (0:39): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 26 22:14:56.819: ISAKMP (0:39): received packet from xxx.xxx.xxx.xxx dport 500 sport 500 Global (I) MM_NO_STATE
Mar 26 22:14:56.819: ISAKMP (0:39): Notify has no hash. Rejected.
Mar 26 22:14:56.823: ISAKMP (0:39): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
Mar 26 22:14:56.823: ISAKMP (0:39): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Mar 26 22:14:56.823: ISAKMP (0:39): Old State = IKE_I_MM1 New State = IKE_I_MM1
Mar 26 22:14:56.823: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at xxx.xxx.xxx.xxx

any ideas?

thx!
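The debug output above is easier to read once the lines are grouped per ISAKMP SA and reduced to the state path each SA walked. The following is an added example (not code from the original post or from Cisco): a small parser for `debug crypto isakmp` lines that records the Old State/New State transitions per SA and flags initiators that sent main-mode message 1 and then only received an unauthenticated informational notify, which is what the post shows and, as the rest of the thread bears out, commonly means the responder found no acceptable phase-1 policy. The sample log is constructed: SA 0:39 reuses lines from the post (addresses already masked there); SA 0:40 is an invented healthy exchange so the check has something it should not flag.

```python
import re

# One 'debug crypto isakmp' line that carries an SA id, e.g.
#   Mar 26 22:14:55.963: ISAKMP (0:39): Old State = IKE_READY New State = IKE_I_MM1
SA_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:.]+): ISAKMP \((?P<sa>\d+:\d+)\): (?P<msg>.*)$"
)
STATE_CHANGE = re.compile(r"Old State = (\S+) New State = (\S+)")
MODE_FAILURE = "%CRYPTO-6-IKMP_MODE_FAILURE"  # syslog line, carries no SA id


def summarize_isakmp_debug(text: str) -> dict:
    """Group debug lines per SA and record the phase-1 state path each one walked."""
    sas: dict[str, dict] = {}
    mode_failures = 0
    for line in text.splitlines():
        if MODE_FAILURE in line:
            mode_failures += 1
            continue
        m = SA_LINE.match(line)
        if not m:
            continue  # lines without an SA id (ports, key lookup, ...) are not needed here
        sa = sas.setdefault(m["sa"], {"states": [], "unhashed_notify": False})
        st = STATE_CHANGE.search(m["msg"])
        if st:
            if not sa["states"]:
                sa["states"].append(st.group(1))  # seed with the first Old State
            sa["states"].append(st.group(2))
        if "Notify has no hash" in m["msg"]:
            sa["unhashed_notify"] = True
    return {"sas": sas, "mode_failures": mode_failures}


def stalled_initiators(summary: dict) -> list[str]:
    """SAs that sent MM1 and only ever got back an unauthenticated informational
    notify, i.e. the responder never answered with MM2. In IKEv1 that is the
    usual signature of the peer rejecting the phase-1 proposal, so the first
    thing to compare is the ISAKMP policies, including attributes left at default."""
    return [
        sa
        for sa, info in summary["sas"].items()
        if info["states"] and info["states"][-1] == "IKE_I_MM1" and info["unhashed_notify"]
    ]


# Constructed sample: SA 0:39 from the post above, SA 0:40 invented for contrast.
SAMPLE_DEBUG = """\
Mar 26 22:14:55.959: ISAKMP: local port 500, remote port 500
Mar 26 22:14:55.963: ISAKMP (0:39): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 26 22:14:55.963: ISAKMP (0:39): Old State = IKE_READY New State = IKE_I_MM1
Mar 26 22:14:55.963: ISAKMP (0:39): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 26 22:14:56.819: ISAKMP (0:39): received packet from xxx.xxx.xxx.xxx dport 500 sport 500 Global (I) MM_NO_STATE
Mar 26 22:14:56.819: ISAKMP (0:39): Notify has no hash. Rejected.
Mar 26 22:14:56.823: ISAKMP (0:39): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Mar 26 22:14:56.823: ISAKMP (0:39): Old State = IKE_I_MM1 New State = IKE_I_MM1
Mar 26 22:14:56.823: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at xxx.xxx.xxx.xxx
Mar 26 22:20:01.100: ISAKMP (0:40): Old State = IKE_READY New State = IKE_I_MM1
Mar 26 22:20:01.900: ISAKMP (0:40): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 26 22:20:01.900: ISAKMP (0:40): Old State = IKE_I_MM1 New State = IKE_I_MM2
"""

if __name__ == "__main__":
    summary = summarize_isakmp_debug(SAMPLE_DEBUG)
    for sa, info in summary["sas"].items():
        print(sa, " -> ".join(info["states"]), "(unhashed notify)" if info["unhashed_notify"] else "")
    print("mode failures:", summary["mode_failures"])
    print("stalled in MM1 after peer notify:", stalled_initiators(summary))
```

Run it against a pasted debug capture and look at the SAs it reports as stalled; an SA that reaches IKE_I_MM2 has at least agreed on a phase-1 policy, so a stall at MM1 points at the policy attributes rather than at proxy identities or transform sets.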

10 Replies

Philip D'Ath
VIP Alumni

Double check that both ends are using the same IPSec encryption settings (e.g. 3DES/MD5).

If you could just post the crypto and isakmp lines from both configs it would be helpful.

Hi-- thanks for the help

from the router:

crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key yadayadal0808 address xxx.xxx.xxx.xxx
!
crypto ipsec transform-set blahblah10808 esp-3des esp-md5-hmac
!
crypto map nahnah0808 11 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set blahblahl0808
 match address 120

From the PIX:

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer xxx.xxx.xxx.xxx
crypto map outside_map 30 set transform-set ESP-3DES-MD5
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption aes-256
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption aes-256
isakmp policy 60 hash sha
isakmp policy 60 group 5
isakmp policy 60 lifetime 86400
isakmp policy 80 authentication pre-share
isakmp policy 80 encryption 3des
isakmp policy 80 hash md5
isakmp policy 80 group 2
isakmp policy 80 lifetime 86400

Hi,

Configs seem ok, only thing missing is group 2 under the router's "crypto isakmp policy 11" to match the PIX's "isakmp policy 80". Note that, in IOS, the default group is 1.

Please let us know if that helped

Regards,

Mustafa

hi-- no luck, same results. debug below. I added the group 2 under the crypto isakmp policy 11 on the router to match the pix policy.

(identity) local= x.x.x.x, remote= x.x.x.x,
local_proxy= 10.0.0.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4)
Mar 30 13:59:44.682: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= x.x.x.x, remote= x.x.x.x,
local_proxy= 10.0.0.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xB4D680C7(3033956551), conn_id= 0, keysize= 0, flags= 0x400A
Mar 30 13:59:44.682: ISAKMP: received ke message (1/1)
Mar 30 13:59:44.686: ISAKMP: set new node 0 to QM_IDLE
Mar 30 13:59:44.686: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local x.x.x.x, remote x.x.x.x)
Mar 30 14:00:14.682: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= x.x.x.x, remote= x.x.x.x,
local_proxy= 10.0.0.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4)
Mar 30 14:00:14.682: ISAKMP: received ke message (3/1)
Mar 30 14:00:14.682: ISAKMP (0:1): peer does not do paranoid keepalives.
Mar 30 14:00:14.682: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer x.x.x.x) input queue 0
Mar 30 14:00:14.682: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer x.x.x.x) input queue 0
Mar 30 14:00:14.686: ISAKMP (0:1): deleting node 1755557025 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
Mar 30 14:00:14.686: ISAKMP (0:1): deleting node 1298562963 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
Mar 30 14:00:14.686: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar 30 14:00:14.686: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_DEST_SA
Mar 30 14:00:15.214: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= x.x.x.x, remote= x.x.x.x,
local_proxy= 10.0.0.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xB57E82D2(3044967122), conn_id= 0, keysize= 0, flags= 0x400A
Mar 30 14:00:15.214: ISAKMP: received ke message (1/1)
Mar 30 14:00:15.214: ISAKMP (0:0): SA request profile is (NULL)
Mar 30 14:00:15.218: ISAKMP: local port 500, remote port 500
Mar 30 14:00:15.218: ISAKMP: set new node 0 to QM_IDLE
Mar 30 14:00:15.218: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 832B0E08
Mar 30 14:00:15.218: ISAKMP (0:2): Can not start Aggressive mode, trying Main mode.
Mar 30 14:00:15.218: ISAKMP: Looking for a matching key for x.x.x.x in default : success
Mar 30 14:00:15.218: ISAKMP (0:2): found peer pre-shared key matching x.x.x.x
Mar 30 14:00:15.218: ISAKMP (0:2): constructed NAT-T vendor-07 ID
Mar 30 14:00:15.218: ISAKMP (0:2): constructed NAT-T vendor-03 ID
Mar 30 14:00:15.222: ISAKMP (0:2): constructed NAT-T vendor-02 ID
Mar 30 14:00:15.222: ISAKMP (0:2): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 30 14:00:15.222: ISAKMP (0:2): Old State = IKE_READY New State = IKE_I_MM1
Mar 30 14:00:15.222: ISAKMP (0:2): beginning Main Mode exchange
Mar 30 14:00:15.222: ISAKMP (0:2): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 30 14:00:15.986: ISAKMP (0:2): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_NO_STATE
Mar 30 14:00:15.986: ISAKMP (0:2): Notify has no hash. Rejected.
Mar 30 14:00:15.986: ISAKMP (0:2): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
Mar 30 14:00:15.986: ISAKMP (0:2): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Mar 30 14:00:15.986: ISAKMP (0:2): Old State = IKE_I_MM1 New State = IKE_I_MM1

note: this one shows using des, we swapped it back to 3des with the exact same results.

thx again!

Hi,

Not sure what to make of this. Are there any other NAT devices between the PIX and the router? Is ISAKMP blocked? Are the ACLs mirrors of each other? Is the router's interface configured with "no ip route-cache"? What is the debug output on the PIX?

Does the ISAKMP policy # have to match on both the router and the PIX?

In other words, if the router had ISAKMP policy 11, there should be an ISAKMP policy 11 on the PIX as well?

thx

No, the policy names or numbers don't have to match. The policy parameters have to match: encryption/hash/group/pfs/lifetime.

Ken,

Was this problem resolved ?

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

yes, turns out IOS defaults to DES and Group 1, so if you don't specify (all) the following in your policy, the policies will not match. Worked perfectly after adding group 2. We were so close!!!! Wish that was documented somewhere......

encr 3des
hash md5
authentication pre-share
group 2
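The resolution in this thread (and Mustafa's earlier point that policy numbers never need to match, only their parameters) comes down to attributes the router never printed because they were still at their IOS defaults. The following is an added example, not code from the thread or from Cisco: it parses the router's `crypto isakmp policy` block and the PIX's `isakmp policy` lines, fills in the IOS defaults for anything not configured (DES, SHA, rsa-sig, group 1, 86400 s), and reports which policy pairs would agree in phase 1 and, for the rest, exactly which attributes differ. The sample configs are the ones posted above, with the pre-shared key line replaced by a constructed placeholder and a documentation address; applying the same default table to the PIX is an assumption (harmless here, because the PIX config on the page sets every attribute explicitly). Treating lifetime as negotiated to the shorter value rather than as a strict match is also an assumption, based on the IOS IKE configuration guide.

```python
import re

# Values IOS substitutes for any ISAKMP policy attribute that is not set explicitly.
# This is exactly what bit the thread: no "encr" and no "group" line meant DES and group 1.
IOS_DEFAULTS = {
    "encryption": "des",
    "hash": "sha",
    "authentication": "rsa-sig",
    "group": "1",
    "lifetime": "86400",
}

# Attributes that must be identical on both peers for a phase-1 policy to match.
STRICT_ATTRS = ("encryption", "hash", "authentication", "group")

POLICY_HDR = re.compile(r"^crypto isakmp policy (\d+)$")
POLICY_SUB = re.compile(r"^(encr(?:yption)?|hash|authentication|group|lifetime)\s+(\S+)$")
PIX_LINE = re.compile(r"^isakmp policy (\d+) (encryption|hash|authentication|group|lifetime) (\S+)$")


def parse_ios_policies(config: str) -> dict[int, dict[str, str]]:
    """Parse IOS 'crypto isakmp policy N' blocks; unset attributes get IOS defaults."""
    policies: dict[int, dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        hdr = POLICY_HDR.match(line)
        if hdr:
            current = int(hdr.group(1))
            policies[current] = dict(IOS_DEFAULTS)
            continue
        sub = POLICY_SUB.match(line)
        if sub and current is not None:
            attr = "encryption" if sub.group(1).startswith("encr") else sub.group(1)
            policies[current][attr] = sub.group(2)
        else:
            current = None  # any other line ends the policy block
    return policies


def parse_pix_policies(config: str) -> dict[int, dict[str, str]]:
    """Parse PIX 6.x 'isakmp policy N <attr> <value>' lines (one attribute per line).
    Assumption: the same default table as IOS applies to attributes left unset."""
    policies: dict[int, dict[str, str]] = {}
    for raw in config.splitlines():
        m = PIX_LINE.match(raw.strip())
        if m:
            policies.setdefault(int(m.group(1)), dict(IOS_DEFAULTS))[m.group(2)] = m.group(3)
    return policies


def diff_policies(local: dict[str, str], remote: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Attributes on which two policies disagree, as {attr: (local, remote)}."""
    return {a: (local[a], remote[a]) for a in STRICT_ATTRS if local[a] != remote[a]}


def matching_policies(local: dict[int, dict[str, str]], remote: dict[int, dict[str, str]]) -> list[tuple[int, int, int]]:
    """Every (local_id, remote_id, lifetime) pair that would agree in phase 1.
    Policy numbers are local priorities only and never need to be equal; lifetimes
    need not be identical either, the shorter one is used (assumption, see lead-in)."""
    matches = []
    for lid, lp in sorted(local.items()):
        for rid, rp in sorted(remote.items()):
            if not diff_policies(lp, rp):
                matches.append((lid, rid, min(int(lp["lifetime"]), int(rp["lifetime"]))))
    return matches


# Router policy as first posted (no encr, no group line); key/address are placeholders.
ROUTER_BEFORE = """\
crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key EXAMPLE-PSK address 192.0.2.1
"""

# Router policy as it ended up in the last post.
ROUTER_AFTER = """\
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
"""

# The three PIX policies from the thread.
PIX = """\
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption aes-256
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption aes-256
isakmp policy 60 hash sha
isakmp policy 60 group 5
isakmp policy 60 lifetime 86400
isakmp policy 80 authentication pre-share
isakmp policy 80 encryption 3des
isakmp policy 80 hash md5
isakmp policy 80 group 2
isakmp policy 80 lifetime 86400
"""

if __name__ == "__main__":
    pix = parse_pix_policies(PIX)
    for label, cfg in (("before", ROUTER_BEFORE), ("after", ROUTER_AFTER)):
        router = parse_ios_policies(cfg)
        print(label, "matches:", matching_policies(router, pix))
        for lid, lp in router.items():
            for rid, rp in pix.items():
                if diff_policies(lp, rp):
                    print(f"  policy {lid} vs PIX {rid}: {diff_policies(lp, rp)}")
```

For the "before" config the report shows policy 11 expanding to des/md5/pre-share/group 1 and failing against PIX policy 80 on both encryption and group; for the "after" config it matches policy 80. The same expansion is worth doing on any IOS peer before reading debug output, since `show running-config` hides attributes at their defaults (`show crypto isakmp policy` prints them).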