lan-to-lan tunnel - Cisco router - Concentrator 3000

Eliufoo.Mahinda
Level 1

I have been having problems setting up a LAN-to-LAN IPSec tunnel between a Cisco Router 181X and a Cisco VPN Concentrator 3000. All configurations are correct, but the tunnel fails to pass IKE Phase 1. IKE status remains at MM_NO_STATE.

Viewing my debug (Cisco Router), it shows IKE Phase 1 completing with QM_IDLE status, then the keys get deleted shortly after.

Partial debug output (see attachment for Cisco 181x & VPN Concentrator 3000)

*May 12 09:04:27.063: ISAKMP:(0:32:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*May 12 09:04:27.063: ISAKMP:(0:32:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*May 12 09:04:28.235: ISAKMP (0:268435488): received packet from 1.2.3.4 dport 500 sport 500 Global (I) QM_IDLE

*May 12 09:04:28.235: ISAKMP: set new node -585097 to QM_IDLE

*May 12 09:04:28.235: ISAKMP:(0:32:HW:2): processing HASH payload. message ID = -585097

Any ideas what exactly is going on here and what might be wrong?

4 Replies

andrew.prince
Level 10

In your concentrator logs:-

61588 05/13/2008 14:57:15.910 SEV=8 IKEDBG/79 RPT=5668

Phase 1 failure against global IKE proposal # 4:

Mismatched attr types for class DH Group:

Rcv'd: Oakley Group 2

Cfg'd: Oakley Group 1

61591 05/13/2008 14:57:15.910 SEV=8 IKEDBG/79 RPT=5669

Phase 1 failure against global IKE proposal # 5:

Mismatched attr types for class DH Group:

Rcv'd: Oakley Group 2

Cfg'd: Oakley Group 7

61594 05/13/2008 14:57:15.910 SEV=8 IKEDBG/79 RPT=5670

Phase 1 failure against global IKE proposal # 6:

Mismatched attr types for class Hash Alg:

Rcv'd: SHA

Cfg'd: MD5

61596 05/13/2008 14:57:15.910 SEV=8 IKEDBG/79 RPT=5671

Phase 1 failure against global IKE proposal # 7:

Mismatched attr types for class DH Group:

Rcv'd: Oakley Group 2

Cfg'd: Oakley Group 5

In your 181x:-

*May 12 09:04:55.771: ISAKMP:(0:33:HW:2): processing vendor id payload

*May 12 09:04:55.771: ISAKMP:(0:33:HW:2): vendor ID seems Unity/DPD but major 4 mismatch

*May 12 09:04:55.771: ISAKMP:(0:33:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*May 12 09:04:55.771: ISAKMP:(0:33:HW:2):Old State = IKE_I_MM4 New State = IKE_I_MM4

*May 12 09:04:55.771: ISAKMP:(0:33:HW:2):Send initial contact

*May 12 09:04:55.771: ISAKMP:(0:33:HW:2):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*May 12 09:04:55.771: ISAKMP (0:268435489): ID payload

next-payload : 8

type : 1

address : 4.5.6.7

protocol : 17

port : 500

length : 12

*May 12 09:04:55.771: ISAKMP:(0:33:HW:2):Total payload length: 12

*May 12 09:04:55.775: ISAKMP:(0:33:HW:2): sending packet to 1.2.3.4 my_port 500 peer_port 500 (I) MM_KEY_EXCH

*May 12 09:04:55.775: ISAKMP:(0:33:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*May 12 09:04:55.775: ISAKMP:(0:33:HW:2):Old State = IKE_I_MM4 New State = IKE_I_MM5

*May 12 09:04:57.063: ISAKMP (0:268435489): received packet from 1.2.3.4 dport 500 sport 500 Global (I) MM_KEY_EXCH

*May 12 09:04:57.067: ISAKMP:(0:33:HW:2): processing ID payload. message ID = 0

*May 12 09:04:57.067: ISAKMP (0:268435489): ID payload

next-payload : 8

type : 1

address : 1.2.3.4

protocol : 17

port : 500

length : 12

*May 12 09:04:57.067: ISAKMP:(0:33:HW:2):: peer matches *none* of the profiles

I would double-check all IKE & IPSEC configurations; you appear to have a settings mismatch.

HTH.
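As an added example (not part of the thread and not Cisco code), the script below reads the two kinds of log excerpt quoted above and turns them into a diagnosis: for the concentrator's IKEDBG/79 output it lists which attribute blocked each proposal and reconstructs what the router actually offered; for the router's ISAKMP debug it flags the lines worth acting on. The sample log text is constructed from the lines quoted in this thread (the DELETE_WITH_REASON line with a made-up timestamp); the signature table and the explanations are the example's own, so treat them as assumptions to check against your own output.

```python
import re

# Constructed sample in the format of the concentrator's IKEDBG/79 entries quoted
# in the thread. It is not the poster's attachment.
CONCENTRATOR_LOG = """\
61588 05/13/2008 14:57:15.910 SEV=8 IKEDBG/79 RPT=5668
Phase 1 failure against global IKE proposal # 4:
Mismatched attr types for class DH Group:
Rcv'd: Oakley Group 2
Cfg'd: Oakley Group 1
61591 05/13/2008 14:57:15.910 SEV=8 IKEDBG/79 RPT=5669
Phase 1 failure against global IKE proposal # 5:
Mismatched attr types for class DH Group:
Rcv'd: Oakley Group 2
Cfg'd: Oakley Group 7
61594 05/13/2008 14:57:15.910 SEV=8 IKEDBG/79 RPT=5670
Phase 1 failure against global IKE proposal # 6:
Mismatched attr types for class Hash Alg:
Rcv'd: SHA
Cfg'd: MD5
61596 05/13/2008 14:57:15.910 SEV=8 IKEDBG/79 RPT=5671
Phase 1 failure against global IKE proposal # 7:
Mismatched attr types for class DH Group:
Rcv'd: Oakley Group 2
Cfg'd: Oakley Group 5
"""

# Constructed sample of the router-side ISAKMP debug lines quoted in the thread
# (the DELETE_WITH_REASON timestamp is made up).
ROUTER_DEBUG = """\
*May 12 09:04:55.771: ISAKMP:(0:33:HW:2): vendor ID seems Unity/DPD but major 4 mismatch
*May 12 09:04:55.771: ISAKMP:(0:33:HW:2):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*May 12 09:04:57.067: ISAKMP:(0:33:HW:2):: peer matches *none* of the profiles
*May 12 09:04:58.100: ISAKMP:(0:33:HW:2): processing DELETE_WITH_REASON payload, message ID = 613874337, reason: Unknown delete reason!
"""

PROPOSAL_RE = re.compile(r"Phase 1 failure against global IKE proposal # (\d+):")
CLASS_RE = re.compile(r"Mismatched attr types for class (.+?):")
RCVD_RE = re.compile(r"Rcv'd: (.+)")
CFGD_RE = re.compile(r"Cfg'd: (.+)")

# Router debug substrings worth acting on, with the example's own reading of each.
ROUTER_SIGNATURES = [
    ("peer matches *none* of the profiles",
     "received peer ID matched no crypto isakmp profile; harmless if the router "
     "uses no ISAKMP profiles, otherwise check 'match identity'"),
    ("DELETE_WITH_REASON",
     "peer tore down the SA; the router did not decode the reason, so look at "
     "the responder's own logs for the cause"),
    ("MM_NO_STATE",
     "Phase 1 never reached a state; check proposal, pre-shared key and reachability"),
]


def parse_phase1_failures(log: str) -> list[dict]:
    """One record per failed proposal: number, mismatched class, received, configured."""
    failures, current = [], None
    for line in log.splitlines():
        line = line.strip()
        if (m := PROPOSAL_RE.match(line)):
            current = {"proposal": int(m.group(1)), "class": None, "rcvd": None, "cfgd": None}
            failures.append(current)
        elif current is None:
            continue
        elif (m := CLASS_RE.match(line)):
            current["class"] = m.group(1)
        elif (m := RCVD_RE.match(line)):
            current["rcvd"] = m.group(1)
        elif (m := CFGD_RE.match(line)):
            current["cfgd"] = m.group(1)
    return failures


def peer_offer(failures: list[dict]) -> dict:
    """What the initiator sent, per attribute class, as seen by the responder.

    The log records one mismatched attribute per proposal, so classes that
    matched everywhere (or were never compared) do not appear here."""
    return {f["class"]: f["rcvd"] for f in failures if f["class"] and f["rcvd"]}


def router_findings(debug: str) -> list[tuple[str, str]]:
    """Signatures from ROUTER_SIGNATURES that occur in the debug text, with explanations."""
    return [(sig, why) for sig, why in ROUTER_SIGNATURES if sig in debug]


def diagnose(concentrator_log: str, router_debug: str) -> dict:
    """Combine both sides into one report a practitioner can act on."""
    failures = parse_phase1_failures(concentrator_log)
    offer = peer_offer(failures)
    return {
        "blocked_proposals": [f["proposal"] for f in failures],
        "blocked_by": {f["proposal"]: f"{f['class']}: got {f['rcvd']}, cfg {f['cfgd']}"
                       for f in failures},
        "peer_offered": offer,
        # A responder proposal must carry at least these values to get past Phase 1.
        "responder_needs": ", ".join(f"{k} = {v}" for k, v in offer.items()),
        "router_findings": router_findings(router_debug),
    }


if __name__ == "__main__":
    for key, value in diagnose(CONCENTRATOR_LOG, ROUTER_DEBUG).items():
        print(f"{key}: {value}")
```

Run it on a fresh `debug crypto isakmp` capture and the concentrator's filtered event log; the `responder_needs` line tells you the minimum a new concentrator IKE proposal must contain, and the per-proposal `blocked_by` entries show why each existing proposal was skipped.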

andrew.prince
Level 10

.

From the debug, it does show that there is a mismatch but doesn't exactly tell you what it is. On further investigation, you can see {ISAKMP:(0:33:HW:2): processing DELETE_WITH_REASON payload, message ID = 613874337, reason: Unknown delete reason!}, i.e. IKE deleting the established SA.

I found a similar post on a commercial forum, but the solution is not provided for free.

Could it be a hardware/software (IOS) problem between the Cisco VPN Concentrator 3000 and the Cisco Router 181x?

Regards,

Elly

Compare the configured IPsec transform set on the router with the IPsec SA configured on the concentrator.
