Problem setting up ESP tunnel, can't negotiate IKE SA

Unanswered Question
Mar 15th, 2007

Hi,

I am trying to set up an ESP tunnel with a Cisco 871 and another device but can't seem to get it working. The peers start negotiating an IKE SA but only the first three or four (depending on which peer is the initiator) messages of ISAKMP are sent. The Key Exchange does not succeed and so no tunnel is set up. If anyone could provide a hint as to what could be the problem then I would greatly appreciate it.

I attach part of the log and the running config from the 871 and a Wireshark capture of the exchanged ISAKMP messages.

Thanks in advance,

Kristin

kaachary Thu, 03/15/2007 - 06:51

Hi,

Couple of misconfigurations I noticed:

1: If the remote device is a non-Cisco device, disable PFS on both the devices.

2: The crypto ACL on the router should have only this statement :

access-list 100 permit ip host 10.0.0.10 host 10.0.0.2

Let us know if this helps.

-Kanishka

AKAnderson Thu, 03/15/2007 - 08:21

Hi,

Thanks for your reply.

I changed the settings you suggested but as far as I can see it doesn't solve the problem. Still no IKE SA is set up and the log doesn't tell me anything new. Any other suggestions would be most welcome!

Regarding PFS: I will need PFS later but if I can get a tunnel up at all that would be a first step at least. Is it your experience that PFS will not work with a non-Cisco device?

/Kristin

kaachary Fri, 03/16/2007 - 02:34

Please post the latest config and logs. And, yes, PFS usually has issues with non-Cisco devices.

-Kanishka

ggilbert Sat, 03/17/2007 - 09:06

We find the pre-shared key for the peer and then we get a response from the peer and that response contains NONE, which is ZERO:

2007-03-16 10:42:43 Local7.Debug 10.0.0.10 30136: 024910: Mar 16 10:43:31.280 PCTime: ISAKMP:received payload type 0

You should receive something back from the third party for key negotiation, but we don't.

That's the problem.

Thanks

Gilbert

Rate this post, if it helps!

AKAnderson Mon, 03/19/2007 - 01:55

I agree that that line in the log doesn't look good. But it seems to me that we get both a KE and a NONCE payload just like we should. The log says that the KE payload and then the NONCE payload are processed, before the payload type 0 is received. If this processing was OK then shouldn't the message be accepted and the initiator identity etc. be sent?

It was my understanding that a payload type 0 just marks the end of the ISAKMP packet so what I don't understand is why it is not treated as such. Can I see from the log if something is going wrong in the processing of the KE and/or NONCE payloads?

Thanks again,

Kristin

AKAnderson Thu, 03/22/2007 - 01:47

The problem was with NAT-T. When I turned that off on the third party device it worked fine. PFS was not a problem.

However, I would like to use NAT-T so now my question is why the Cisco 871 neither sends nor understands the proper vendor id for RFC 3947 Negotiation of NAT-Traversal in the IKE? It seems to me that it sends vendor ids for three drafts preceding this RFC but not for the final version. Does it not support this RFC?

/Kristin
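As an added diagnostic example (not code from this thread, from Cisco or from the third-party vendor), the following Python walks the payload chain of a main-mode ISAKMP message and reports which NAT-T vendor IDs the peer announced, deriving each vendor ID from its defining string rather than hard-coding hex. It shows the two points raised above: payload type 0 (NONE) is the normal end of the chain, and a peer that sends only the draft vendor IDs never announces RFC 3947 support. The sample message, its placeholder SA body and the cookie values are constructed for illustration.

```python
import hashlib
import struct
# ISAKMP payload type numbers (RFC 2408; NAT-D 20 from RFC 3947); 0 = NONE ends the chain
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID", 20: "NAT-D"}
VID = 13
# NAT-T vendor IDs are defined as the MD5 of a fixed string, so derive them instead of hard-coding hex
NAT_T_VIDS = {
    hashlib.md5(b"RFC 3947").digest(): "RFC 3947",
    hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-02\n").digest(): "draft-02 (with newline)",
    hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-02").digest(): "draft-02",
    hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-03").digest(): "draft-03",
}

def build_message(payloads):
    """Build a main-mode ISAKMP message from (type, body) pairs, chaining next-payload fields."""
    chunks = []
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0   # last payload points at NONE
        chunks.append(struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody)  # generic payload header
    msg_body = b"".join(chunks)
    # header: I-cookie, R-cookie, first payload type, version 1.0, exchange 2 (main mode), flags, msg id, length
    hdr = struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x00" * 8, payloads[0][0], 0x10, 2, 0, 0, 28 + len(msg_body))
    return hdr + msg_body

def parse_message(data):
    """Walk the payload chain; return (payload names in order, NAT-T vendor IDs recognised)."""
    names, natt = [], []
    next_type, off = data[16], 28
    while next_type != 0:                      # type 0 (NONE) is the normal end of the packet
        nxt, _, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("malformed payload length at offset %d" % off)
        names.append(PAYLOAD_NAMES.get(next_type, str(next_type)))
        if next_type == VID and data[off + 4:off + plen] in NAT_T_VIDS:
            natt.append(NAT_T_VIDS[data[off + 4:off + plen]])
        off, next_type = off + plen, nxt
    return names, natt

def natt_rfc_supported(vids):
    """True only if the peer announced the final RFC 3947 vendor ID, not just the drafts."""
    return "RFC 3947" in vids

# Constructed sample: a first main-mode message that, like the 871 in this thread,
# offers only draft NAT-T vendor IDs (the SA body is a placeholder, not a real proposal).
SAMPLE_DRAFT_ONLY = build_message([
    (1, b"\x00\x00\x00\x01" + b"\x00" * 8),
    (VID, hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-02\n").digest()),
    (VID, hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-03").digest()),
])
```

Feeding a peer's captured first message to `parse_message` shows directly whether both sides ever announce the same NAT-T vendor ID; if one side lists only drafts and the other only RFC 3947, NAT-T will not be negotiated even though the KE and NONCE payloads process normally.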

ggilbert Thu, 03/22/2007 - 07:34

Kristin,

What version of code are you running on your 871?

NAT-T is RFC compliant.

Thanks

Gilbert

AKAnderson Fri, 03/23/2007 - 00:54

Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(4)T7, RELEASE SOFTWARE (fc1)

/Kristin

AKAnderson Tue, 03/27/2007 - 04:26

I have received confirmation from Cisco that this is a bug which should be fixed in version 12.4(11.4)T.

/Kristin
