Problem setting up ESP tunnel, can't negotiate IKE SA

Unanswered Question
Mar 15th, 2007
Hi,


I am trying to set up an ESP tunnel with a Cisco 871 and another device but can't seem to get it working. The peers start negotiating an IKE SA but only the first three or four (depending on which peer is the initiator) messages of ISAKMP are sent. The Key Exchange does not succeed and so no tunnel is set up. If anyone could provide a hint as to what could be the problem then I would greatly appreciate it.


I attach part of the log and the running config from the 871 and a Wireshark capture of the exchanged ISAKMP messages.


Thanks in advance,

Kristin

kaachary Thu, 03/15/2007 - 06:51
Cisco Employee

Hi,


A couple of misconfigurations I noticed:


1: If the remote device is a non-Cisco device, disable PFS on both devices.


2: The crypto ACL on the router should have only this statement:


access-list 100 permit ip host 10.0.0.10 host 10.0.0.2


Let us know if this helps.


-Kanishka

AKAnderson Thu, 03/15/2007 - 08:21

Hi,


Thanks for your reply.


I changed the settings you suggested but as far as I can see it doesn't solve the problem. Still no IKE SA is set up and the log doesn't tell me anything new. Any other suggestions would be most welcome!


Regarding PFS: I will need PFS later, but if I can get a tunnel up at all that would be a first step at least. Is it your experience that PFS will not work with a non-Cisco device?


/Kristin

kaachary Fri, 03/16/2007 - 02:34
Cisco Employee

Please post the latest config and logs. And yes, PFS usually has issues with non-Cisco devices.


-Kanishka

AKAnderson Fri, 03/16/2007 - 02:54

Here is the current config and the log. PFS now disabled. Let me know if there is any other data you need.


Thanks for taking a look at this!

/Kristin



ggilbert Sat, 03/17/2007 - 09:06
Cisco Employee

We find the pre-shared key for the peer, and then we get a response from the peer, and that response contains NONE, which is ZERO:


2007-03-16 10:42:43 Local7.Debug 10.0.0.10 30136: 024910: Mar 16 10:43:31.280 PCTime: ISAKMP:received payload type 0


You should receive something back from the third party for key negotiation, but we don't.

That's the problem.


Thanks

Gilbert


Rate this post, if it helps!



AKAnderson Mon, 03/19/2007 - 01:55

I agree that that line in the log doesn't look good. But it seems to me that we get both a KE and a NONCE payload, just like we should. The log says that the KE payload and then the NONCE payload are processed before the payload type 0 is received. If this processing was OK, then shouldn't the message be accepted and the initiator identity etc. be sent?


It was my understanding that a payload type 0 just marks the end of the ISAKMP packet, so what I don't understand is why it is not treated as such. Can I see from the log if something is going wrong in the processing of the KE and/or NONCE payloads?


Thanks again,

Kristin

AKAnderson Thu, 03/22/2007 - 01:47

The problem was with NAT-T. When I turned that off on the third party device it worked fine. PFS was not a problem.


However, I would like to use NAT-T, so now my question is why the Cisco 871 neither sends nor understands the proper vendor ID for RFC 3947, Negotiation of NAT-Traversal in the IKE. It seems to me that it sends vendor IDs for three drafts preceding this RFC but not for the final version. Does it not support this RFC?


/Kristin
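Two points in the thread lend themselves to a worked check: whether a "next payload" value of 0 is the normal end-of-chain marker in an ISAKMP message (Kristin's reading, per RFC 2408), and whether a peer's first main-mode message carries the RFC 3947 NAT-T vendor ID or only the draft ones. The script below is an added example written for this page, not code from Cisco or from anyone in the thread. It parses the ISAKMP fixed header and walks the payload chain until the terminator, then reports which NAT-T vendor IDs were announced. RFC 3947 defines its vendor ID as MD5("RFC 3947"); the draft-name strings are the ones commonly listed in interop notes and are labelled as an assumption in the code. The packets it runs on are constructed in the script (a placeholder SA body, no real proposal), not taken from Kristin's capture.

```python
import hashlib
import struct

# ISAKMP fixed header (RFC 2408 section 3.1): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, total length (28 bytes).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# Generic payload header (RFC 2408 section 3.2): next payload, reserved, payload length.
PAYLOAD_HDR = struct.Struct("!BBH")

# Payload type numbers from RFC 2408 (NAT-D number from RFC 3947).
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID", 20: "NAT-D"}
SA, KE, NONCE, VID = 1, 4, 10, 13
MAIN_MODE = 2

# NAT-T vendor IDs are MD5 digests of a fixed string. RFC 3947 section 3 fixes the
# final one as MD5("RFC 3947"). The draft strings are an assumption taken from common
# interop notes (the -02 draft was seen both with and without a trailing newline).
NAT_T_VID_STRINGS = {
    "RFC 3947": "RFC 3947",
    "draft-ietf-ipsec-nat-t-ike-00": "draft-ietf-ipsec-nat-t-ike-00",
    "draft-ietf-ipsec-nat-t-ike-02": "draft-ietf-ipsec-nat-t-ike-02",
    "draft-ietf-ipsec-nat-t-ike-02 (newline)": "draft-ietf-ipsec-nat-t-ike-02\n",
    "draft-ietf-ipsec-nat-t-ike-03": "draft-ietf-ipsec-nat-t-ike-03",
}
NAT_T_VIDS = {hashlib.md5(s.encode()).digest(): label for label, s in NAT_T_VID_STRINGS.items()}


def build_packet(payloads, exchange_type=MAIN_MODE):
    """Serialize (type, body) pairs into one phase-1 message with a correct next-payload chain."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        # Each header names the type of the payload that follows; the last one carries 0 (NONE).
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += PAYLOAD_HDR.pack(following, 0, PAYLOAD_HDR.size + len(data)) + data
    first = payloads[0][0] if payloads else 0
    # Cookies are constructed values; a responder cookie of all zeros is normal for message 1.
    return ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, first, 0x10, exchange_type, 0, 0,
                           ISAKMP_HDR.size + len(body)) + body


def parse_payloads(pkt):
    """Walk the payload chain and return [(type name, body)]; raise ValueError on a malformed packet."""
    if len(pkt) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    _, _, next_type, _, _, _, _, length = ISAKMP_HDR.unpack_from(pkt, 0)
    if length != len(pkt):
        raise ValueError("header length %d != datagram length %d" % (length, len(pkt)))
    offset, chain = ISAKMP_HDR.size, []
    while next_type != 0:  # 0 (NONE) in a next-payload field terminates the chain
        if offset + PAYLOAD_HDR.size > len(pkt):
            raise ValueError("payload header at offset %d runs past end of packet" % offset)
        following, _, plen = PAYLOAD_HDR.unpack_from(pkt, offset)
        if plen < PAYLOAD_HDR.size or offset + plen > len(pkt):
            raise ValueError("bad payload length %d at offset %d" % (plen, offset))
        name = PAYLOAD_NAMES.get(next_type, "type %d" % next_type)
        chain.append((name, pkt[offset + PAYLOAD_HDR.size:offset + plen]))
        next_type, offset = following, offset + plen
    if offset != len(pkt):
        raise ValueError("%d trailing bytes after the NONE terminator" % (len(pkt) - offset))
    return chain


def nat_t_report(pkt):
    """Which NAT-T vendor IDs the peer announced, and whether the RFC 3947 one is among them."""
    found = [NAT_T_VIDS[body] for name, body in parse_payloads(pkt)
             if name == "VID" and body in NAT_T_VIDS]
    return {"announced": found, "rfc3947": "RFC 3947" in found}


# Constructed samples (not from the thread's capture): a first main-mode message with a
# placeholder SA body, once with draft vendor IDs only and once with the RFC 3947 one.
DRAFTS_ONLY = build_packet([
    (SA, b"\x00" * 8),
    (VID, hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-02\n").digest()),
    (VID, hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-03").digest()),
])
WITH_RFC = build_packet([(SA, b"\x00" * 8), (VID, hashlib.md5(b"RFC 3947").digest())])

if __name__ == "__main__":
    for label, pkt in (("drafts only", DRAFTS_ONLY), ("with RFC 3947", WITH_RFC)):
        print(label, [name for name, _ in parse_payloads(pkt)], nat_t_report(pkt))
```

Run against a real first main-mode message (the UDP payload from a capture), the report tells you whether both peers announce the same NAT-T vendor ID; a peer that only offers draft IDs will not negotiate NAT-T with one that only recognises the RFC 3947 ID, which is the mismatch the thread ends on. The length checks in `parse_payloads` are what a parser needs so that a corrupt or truncated payload is rejected rather than walked off the end of the buffer.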

ggilbert Thu, 03/22/2007 - 07:34
Cisco Employee

Kristin,


What version of code are you running on your 871?


NAT-T is RFC compliant.


Thanks

Gilbert

AKAnderson Fri, 03/23/2007 - 00:54

Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(4)T7, RELEASE SOFTWARE (fc1)


/Kristin


AKAnderson Tue, 03/27/2007 - 04:26

I have received confirmation from Cisco that this is a bug which should be fixed in version 12.4(11.4)T.


/Kristin
