Problem setting up ESP tunnel, can't negotiate IKE SA

AKAnderson
Level 1

Hi,

I am trying to set up an ESP tunnel with a Cisco 871 and another device but can't seem to get it working. The peers start negotiating an IKE SA but only the first three or four (depending on which peer is the initiator) messages of ISAKMP are sent. The Key Exchange does not succeed and so no tunnel is set up. If anyone could provide a hint as to what could be the problem then I would greatly appreciate it.

I attach part of the log and the running config from the 871 and a Wireshark capture of the exchanged ISAKMP messages.

Thanks in advance,

Kristin

11 Replies

AKAnderson
Level 1

Attachments that should have been in the first message.

Hi,

A couple of misconfigurations I noticed:

1: If the remote device is a non-Cisco device, disable PFS on both devices.

2: The crypto ACL on the router should have only this statement:

access-list 100 permit ip host 10.0.0.10 host 10.0.0.2

Let us know if this helps.

-Kanishka

Hi,

Thanks for your reply.

I changed the settings you suggested but as far as I can see it doesn't solve the problem. Still no IKE SA is set up and the log doesn't tell me anything new. Any other suggestions would be most welcome!

Regarding PFS: I will need PFS later, but if I can get a tunnel up at all that would be a first step at least. Is it your experience that PFS will not work with a non-Cisco device?

/Kristin

Please post the latest config and logs. And, yes, PFS usually has issues with non-Cisco devices.

-Kanishka

Here is the current config and the log. PFS now disabled. Let me know if there is any other data you need.

Thanks for taking a look at this!

/Kristin

We find the pre-shared key for the peer, and then we get a response from the peer, and that response contains NONE, which is ZERO:

2007-03-16 10:42:43 Local7.Debug 10.0.0.10 30136: 024910: Mar 16 10:43:31.280 PCTime: ISAKMP:received payload type 0

You should receive something back from the third party for key negotiation, but we don't.

That's the problem.

Thanks

Gilbert

Rate this post, if it helps!

I agree that that line in the log doesn't look good. But it seems to me that we get both a KE and a NONCE payload, just like we should. The log says that the KE payload and then the NONCE payload are processed before the payload type 0 is received. If this processing was OK, then shouldn't the message be accepted and the initiator identity, etc., be sent?

It was my understanding that a payload type 0 just marks the end of the ISAKMP packet, so what I don't understand is why it is not treated as such. Can I see from the log if something is going wrong in the processing of the KE and/or NONCE payloads?

Thanks again,

Kristin

The problem was with NAT-T. When I turned that off on the third party device it worked fine. PFS was not a problem.

However, I would like to use NAT-T so now my question is why the Cisco 871 neither sends nor understands the proper vendor id for RFC 3947 Negotiation of NAT-Traversal in the IKE? It seems to me that it sends vendor ids for three drafts preceding this RFC but not for the final version. Does it not support this RFC?

/Kristin
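As an added diagnostic example (not code from this thread or from Cisco), the following Python walks the payload chain of one ISAKMP message and reports which NAT-T vendor IDs the sender advertises, which is the check behind the question above. The vendor ID values are the MD5 digests of the strings defined by RFC 3947 and by the drafts it replaced (including the draft-02 string with its trailing newline); the sample messages are constructed here, not taken from the attached capture.

```python
import hashlib
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # 28-byte ISAKMP header (RFC 2408): cookies, next payload, version, exchange, flags, msg id, length
PAYLOAD_HDR = struct.Struct("!BBH")         # generic payload header: next payload, reserved, payload length
VENDOR_ID = 13                              # payload type: Vendor ID
NONE = 0                                    # "next payload" value that ends the chain

# NAT-T vendor IDs are MD5 digests of fixed strings (RFC 3947 section 3 and the preceding drafts).
NAT_T_VIDS = {
    hashlib.md5(b"RFC 3947").digest(): "RFC 3947",
    hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-03").digest(): "draft-ietf-ipsec-nat-t-ike-03",
    hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-02").digest(): "draft-ietf-ipsec-nat-t-ike-02",
    hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-02\n").digest(): "draft-ietf-ipsec-nat-t-ike-02\\n",
}

def payloads(msg):
    """Yield (payload_type, body) for every payload chained in one raw ISAKMP message."""
    _, _, next_type, _, _, _, _, length = ISAKMP_HDR.unpack_from(msg)
    if length != len(msg):
        raise ValueError("ISAKMP length field does not match message size")
    off = ISAKMP_HDR.size
    while next_type != NONE:
        ptype = next_type
        next_type, _, plen = PAYLOAD_HDR.unpack_from(msg, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(msg):
            raise ValueError("bad payload length at offset %d" % off)
        yield ptype, msg[off + PAYLOAD_HDR.size:off + plen]
        off += plen

def nat_t_variants(msg):
    """Return the NAT-T variants (RFC or draft names) advertised by Vendor ID payloads, in order."""
    return [NAT_T_VIDS[b] for t, b in payloads(msg) if t == VENDOR_ID and b in NAT_T_VIDS]

def build_message(vid_strings):
    """Constructed test data: a Main Mode ISAKMP message carrying only Vendor ID payloads."""
    body = b""
    for i, s in enumerate(vid_strings):
        digest = hashlib.md5(s).digest()
        nxt = VENDOR_ID if i + 1 < len(vid_strings) else NONE
        body += PAYLOAD_HDR.pack(nxt, 0, PAYLOAD_HDR.size + len(digest)) + digest
    first = VENDOR_ID if vid_strings else NONE
    hdr = ISAKMP_HDR.pack(b"\x01" * 8, b"\x00" * 8, first, 0x10, 2, 0, 0, ISAKMP_HDR.size + len(body))
    return hdr + body
```

Feeding the raw UDP payload of the first Main Mode message from each peer into `nat_t_variants` shows whether the two sides share any NAT-T variant at all; a peer that only advertises drafts will not match a peer that only sends the RFC 3947 ID.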

Kristin,

What version of code are you running on your 871?

NAT-T is RFC compliant.

Thanks

Gilbert

Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(4)T7, RELEASE SOFTWARE (fc1)

/Kristin

I have received confirmation from Cisco that this is a bug which should be fixed in version 12.4(11.4)T.

/Kristin
