03-15-2007 03:33 AM
Hi,
I am trying to set up an ESP tunnel with a Cisco 871 and another device but can't seem to get it working. The peers start negotiating an IKE SA but only the first three or four (depending on which peer is the initiator) messages of ISAKMP are sent. The Key Exchange does not succeed and so no tunnel is set up. If anyone could provide a hint as to what could be the problem then I would greatly appreciate it.
I attach part of the log and the running config from the 871 and a Wireshark capture of the exchanged ISAKMP messages.
Thanks in advance,
Kristin
03-15-2007 03:38 AM
03-15-2007 06:51 AM
Hi,
Couple of misconfigurations I noticed:
1: If the remote device is a non-Cisco device, disable PFS on both the devices.
2: The crypto ACL on the router should have only this statement:
access-list 100 permit ip host 10.0.0.10 host 10.0.0.2
Let us know if this helps.
-Kanishka
03-15-2007 08:21 AM
Hi,
Thanks for your reply.
I changed the settings you suggested but as far as I can see it doesn't solve the problem. Still no IKE SA is set up and the log doesn't tell me anything new. Any other suggestions would be most welcome!
Regarding PFS: I will need PFS later, but if I can get a tunnel up at all that would be a first step at least. Is it your experience that PFS will not work with a non-Cisco device?
/Kristin
03-16-2007 02:34 AM
Please post the latest config and logs. And, yes, PFS usually has issues with non-Cisco devices.
-Kanishka
03-16-2007 02:54 AM
03-17-2007 09:06 AM
We find the pre-shared key for the peer and then we get a response from the peer and that response contains NONE which is ZERO
2007-03-16 10:42:43 Local7.Debug 10.0.0.10 30136: 024910: Mar 16 10:43:31.280 PCTime: ISAKMP:received payload type 0
You should receive something back from the third party for key negotiation, but we don't.
That's the problem.
Thanks
Gilbert
Rate this post, if it helps!
03-19-2007 01:55 AM
I agree that that line in the log doesn't look good. But it seems to me that we get both a KE and a NONCE payload just like we should. The log says that the KE payload and then the NONCE payload are processed, before the payload type 0 is received. If this processing was OK then shouldn't the message be accepted and the initiator identity etc. be sent?
It was my understanding that a payload type 0 just marks the end of the ISAKMP packet so what I don't understand is why it is not treated as such. Can I see from the log if something is going wrong in the processing of the KE and/or NONCE payloads?
Thanks again,
Kristin
03-22-2007 01:47 AM
The problem was with NAT-T. When I turned that off on the third party device it worked fine. PFS was not a problem.
However, I would like to use NAT-T so now my question is why the Cisco 871 neither sends nor understands the proper vendor id for RFC 3947 Negotiation of NAT-Traversal in the IKE? It seems to me that it sends vendor ids for three drafts preceding this RFC but not for the final version. Does it not support this RFC?
/Kristin
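Added example, not from any post in this thread: a small Python parser that walks an IKEv1 (ISAKMP) message along its next-payload chain, where next-payload 0 (NONE) ends the chain as discussed above, and reports which NAT-T Vendor ID payloads the peer advertised. The vendor IDs are computed as the MD5 of the draft or RFC name, as RFC 3947 section 3.1 specifies; the `build_vid_message` helper and the sample messages are constructed for the demonstration, and the draft-02 newline variant is included because both forms were seen in the field.

```python
import hashlib
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # iSPI, rSPI, next payload, version, exchange, flags, msg id, length
PAYLOAD_HDR = struct.Struct("!BBH")         # next payload, reserved, payload length
VENDOR_ID = 13                              # ISAKMP payload type for Vendor ID
NONE = 0                                    # next-payload 0 terminates the payload chain

def natt_vid(name: str) -> bytes:
    """NAT-T vendor IDs are the MD5 hash of the draft/RFC name (RFC 3947, section 3.1)."""
    return hashlib.md5(name.encode()).digest()

NAT_T_VIDS = {natt_vid(n): n for n in (
    "RFC 3947",
    "draft-ietf-ipsec-nat-t-ike-03",
    "draft-ietf-ipsec-nat-t-ike-02",
    "draft-ietf-ipsec-nat-t-ike-02\n",   # newline variant some stacks emit for draft-02
    "draft-ietf-ipsec-nat-t-ike-00",
)}

def walk_payloads(pkt: bytes):
    """Yield (payload_type, body) by following the next-payload chain until type 0."""
    _ispi, _rspi, nxt, _ver, _xchg, _flags, _msgid, length = ISAKMP_HDR.unpack_from(pkt)
    if length != len(pkt):
        raise ValueError("ISAKMP length field does not match packet size")
    off = ISAKMP_HDR.size
    while nxt != NONE:
        if off + PAYLOAD_HDR.size > len(pkt):
            raise ValueError("truncated payload header")
        nxt_after, _reserved, plen = PAYLOAD_HDR.unpack_from(pkt, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(pkt):
            raise ValueError("bad payload length")
        yield nxt, pkt[off + PAYLOAD_HDR.size: off + plen]
        nxt, off = nxt_after, off + plen

def nat_t_vendor_ids(pkt: bytes) -> list:
    """Names of the NAT-T vendor IDs advertised in one IKEv1 message, in wire order."""
    return [NAT_T_VIDS[body].rstrip("\n") + (" (newline variant)" if body == natt_vid("draft-ietf-ipsec-nat-t-ike-02\n") else "")
            for ptype, body in walk_payloads(pkt) if ptype == VENDOR_ID and body in NAT_T_VIDS]

def build_vid_message(vids: list) -> bytes:
    """Constructed test message: ISAKMP header (main mode) followed by chained Vendor ID payloads."""
    payloads = b""
    for i, vid in enumerate(vids):
        nxt = VENDOR_ID if i + 1 < len(vids) else NONE
        payloads += PAYLOAD_HDR.pack(nxt, 0, PAYLOAD_HDR.size + len(vid)) + vid
    first = VENDOR_ID if vids else NONE
    total = ISAKMP_HDR.size + len(payloads)
    return ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, first, 0x10, 2, 0, 0, total) + payloads

if __name__ == "__main__":
    drafts_only = build_vid_message([natt_vid("draft-ietf-ipsec-nat-t-ike-03"), natt_vid("draft-ietf-ipsec-nat-t-ike-02\n")])
    print(nat_t_vendor_ids(drafts_only))  # peer offers drafts only, no RFC 3947 -> NAT-T may not negotiate
```

Running `nat_t_vendor_ids` over both directions of a capture shows quickly whether the two peers have any NAT-T vendor ID in common, which is the precondition for RFC 3947 NAT detection to proceed.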
03-22-2007 07:34 AM
Kristin,
What version of code are you running on your 871?
NAT-T is RFC compliant.
Thanks
Gilbert
03-23-2007 12:54 AM
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(4)T7, RELEASE SOFTWARE (fc1)
/Kristin
03-27-2007 04:26 AM
I have received confirmation from Cisco that this is a bug which should be fixed in version 12.4(11.4)T.
/Kristin