Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10969
Views
0
Helpful
2
Replies

Trouble bringing up VPN tunnel

smolz
Level 4
Level 4

‎01-11-2010 10:48 AM

I am trying to create a tunnel between a 2811 and a 7206. The 7200 is the headend with multiple circuits connected in the same broadcast domain.  The 7200 is 10.49.163.1 with at the moment 2 other circuits, 10.49.163.2 amd 10.49.163.3.  I need to encrypt certain traffic over this link, i have created a crypto map with multiple instances on the head end:

crypto map CRYPTOMAP 5 ipsec-isakmp
set peer 10.49.163.2
set transform-set CRYPTOSET
match address 101
crypto map CRYPTOMAP 10 ipsec-isakmp
set peer 10.49.163.3
set transform-set CRYPTOSET
match address 105

On the 10.49.163.2 router everything is working and passing traffic, on the .3 side is another story.  When doing a sh crypto ip sa  i get:

interface: FastEthernet0/1
    Crypto map tag: CRYPTOMAP, local addr 10.49.163.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.49.32.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   current_peer 10.49.163.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 53, #recv errors 0

Here is the debug from a "debug crypto ip and isa"

Jan 11 13:37:57.237: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.49.163.3, remote= 10.49.163.1,
    local_proxy= 10.49.32.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xCA4CDD31(3394034993), conn_id= 0, keysize= 0, flags= 0x400A
Jan 11 13:37:57.241: ISAKMP: received ke message (1/1)
Jan 11 13:37:57.241: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
Jan 11 13:37:57.241: ISAKMP: Created a peer struct for 10.49.163.1, peer port 500
Jan 11 13:37:57.241: ISAKMP: New peer created peer = 0x470157B8 peer_handle = 0x80000010
Jan 11 13:37:57.241: ISAKMP: Locking peer struct 0x470157B8, IKE refcount 1 for isakmp_initiator
Jan 11 13:37:57.241: ISAKMP: local port 500, remote port 500
Jan 11 13:37:57.241: ISAKMP: set new node 0 to QM_IDLE
Jan 11 13:37:57.241: insert sa successfully sa = 4682CA58
Jan 11 13:37:57.241: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
Jan 11 13:37:57.241: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.49.163.1
Jan 11 13:37:57.241: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
Jan 11 13:37:57.245: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
Jan 11 13:37:57.245: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
Jan 11 13:37:57.245: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jan 11 13:37:57.245: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

Jan 11 13:37:57.245: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
Jan 11 13:37:57.245: ISAKMP:(0:0:N/A:0): sending packet to 10.49.163.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Jan 11 13:37:57.269: ISAKMP (0:0): received packet from 10.49.163.1 dport 500 sport 500 Global (I) MM_NO_STATE
Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2

Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0): processing vendor id payload
Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
Jan 11 13:37:57.273: ISAKMP (0:0): vendor ID is NAT-T v7
Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.49.163.1
Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0): local preshared key found
Jan 11 13:37:57.273: ISAKMP : Scanning profiles for xauth ...
Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
Jan 11 13:37:57.273: ISAKMP:      encryption 3DES-CBC
Jan 11 13:37:57.273: ISAKMP:      hash MD5
Jan 11 13:37:57.273: ISAKMP:      default group 1
Jan 11 13:37:57.273: ISAKMP:      auth pre-share
Jan 11 13:37:57.273: ISAKMP:      life type in seconds
Jan 11 13:37:57.273: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
Jan 11 13:37:57.297: ISAKMP:(0:1:SW:1): processing vendor id payload
Jan 11 13:37:57.297: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
Jan 11 13:37:57.297: ISAKMP (0:134217729): vendor ID is NAT-T v7
Jan 11 13:37:57.297: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 11 13:37:57.297: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2

Jan 11 13:37:57.301: ISAKMP:(0:1:SW:1): sending packet to 10.49.163.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jan 11 13:37:57.301: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 11 13:37:57.301: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3

Jan 11 13:37:57.341: ISAKMP (0:134217729): received packet from 10.49.163.1 dport 500 sport 500 Global (I) MM_SA_SETUP
Jan 11 13:37:57.341: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 11 13:37:57.341: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4

Jan 11 13:37:57.341: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 10.49.163.1
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1):SKEYID state generated
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1): processing vendor id payload
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1): vendor ID is Unity
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1): processing vendor id payload
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1): vendor ID is DPD
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1): processing vendor id payload
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1): speaking to another IOS box!
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4

Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1):Send initial contact
Jan 11 13:37:57.377: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jan 11 13:37:57.377: ISAKMP (0:134217729): ID payload
        next-payload : 8
        type         : 1
        address      : 10.49.163.3
        protocol     : 17
        port         : 500
        length       : 12
Jan 11 13:37:57.377: ISAKMP:(0:1:SW:1):Total payload length: 12
Jan 11 13:37:57.377: ISAKMP:(0:1:SW:1): sending packet to 10.49.163.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Jan 11 13:37:57.377: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 11 13:37:57.377: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5

Jan 11 13:37:57.409: ISAKMP (0:134217729): received packet from 10.49.163.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0
Jan 11 13:37:57.413: ISAKMP (0:134217729): ID payload
        next-payload : 8
        type         : 1
        address      : 10.49.163.1
        protocol     : 17
        port         : 500
        length       : 12
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 0
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1):SA authentication status:
        authenticated
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1):SA has been authenticated with 10.49.163.1
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1):IKE_DPD is enabled, initializing timers
Jan 11 13:37:57.413: ISAKMP: Trying to insert a peer 10.49.163.3/10.49.163.1/500/,  and inserted successfully 470157B8.
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6

Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_I_MM6

Jan 11 13:37:57.417: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 11 13:37:57.417: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

Jan 11 13:37:57.417: ISAKMP:(0:1:SW:1):beginning Quick Mode exchange, M-ID of 5768661
Jan 11 13:37:57.421: ISAKMP:(0:1:SW:1): sending packet to 10.49.163.1 my_port 500 peer_port 500 (I) QM_IDLE
Jan 11 13:37:57.421: ISAKMP:(0:1:SW:1):Node 5768661, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jan 11 13:37:57.421: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Jan 11 13:37:57.421: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jan 11 13:37:57.421: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Jan 11 13:37:57.453: ISAKMP (0:134217729): received packet from 10.49.163.1 dport 500 sport 500 Global (I) QM_IDLE
Jan 11 13:37:57.453: ISAKMP: set new node 334635566 to QM_IDLE
Jan 11 13:37:57.453: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 334635566
Jan 11 13:37:57.453: ISAKMP:(0:1:SW:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 3394034993, message ID = 334635566, sa = 4682CA58
Jan 11 13:37:57.453: ISAKMP:(0:1:SW:1): deleting spi 3394034993 message ID = 5768661
Jan 11 13:37:57.453: ISAKMP:(0:1:SW:1):deleting node 5768661 error TRUE reason "Delete Larval"
Jan 11 13:37:57.453: ISAKMP:(0:1:SW:1):deleting node 334635566 error FALSE reason "Informational (in) state 1"
Jan 11 13:37:57.453: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jan 11 13:37:57.453: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Jan 11 13:38:27.238: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 10.49.163.3, remote= 10.49.163.1,
    local_proxy= 10.49.32.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4)
Jan 11 13:38:27.238: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.49.163.3, remote= 10.49.163.1,
    local_proxy= 10.49.32.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x390CCAED(957139693), conn_id= 0, keysize= 0, flags= 0x400A
Jan 11 13:38:27.238: ISAKMP: received ke message (1/1)
Jan 11 13:38:27.238: ISAKMP: set new node 0 to QM_IDLE
Jan 11 13:38:27.238: ISAKMP:(0:1:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE      )
Jan 11 13:38:27.238: ISAKMP:(0:1:SW:1):beginning Quick Mode exchange, M-ID of -1471990271
Jan 11 13:38:27.242: ISAKMP:(0:1:SW:1): sending packet to 10.49.163.1 my_port 500 peer_port 500 (I) QM_IDLE
Jan 11 13:38:27.242: ISAKMP:(0:1:SW:1):Node -1471990271, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jan 11 13:38:27.242: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Jan 11 13:38:27.298: ISAKMP (0:134217729): received packet from 10.49.163.1 dport 500 sport 500 Global (I) QM_IDLE
Jan 11 13:38:27.298: ISAKMP: set new node -1557550641 to QM_IDLE
Jan 11 13:38:27.302: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -1557550641
Jan 11 13:38:27.302: ISAKMP:(0:1:SW:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 957139693, message ID = -1557550641, sa = 4682CA58
Jan 11 13:38:27.302: ISAKMP:(0:1:SW:1): deleting spi 957139693 message ID = -1471990271
Jan 11 13:38:27.302: ISAKMP:(0:1:SW:1):deleting node -1471990271 error TRUE reason "Delete Larval"
Jan 11 13:38:27.302: ISAKMP:(0:1:SW:1):deleting node -1557550641 error FALSE reason "Informational (in) state 1"
Jan 11 13:38:27.302: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jan 11 13:38:27.302: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Jan 11 13:38:47.454: ISAKMP:(0:1:SW:1):purging node 5768661
Jan 11 13:38:47.454: ISAKMP:(0:1:SW:1):purging node 334635566
Jan 11 13:38:57.239: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 10.49.163.3, remote= 10.49.163.1,
    local_proxy= 10.49.32.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4)
Jan 11 13:38:57.239: ISAKMP: received ke message (3/1)
Jan 11 13:38:57.239: ISAKMP:(0:1:SW:1):peer does not do paranoid keepalives.

Jan 11 13:38:57.239: ISAKMP:(0:1:SW:1):deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE       (peer 10.49.163.1)
Jan 11 13:38:57.239: ISAKMP: set new node 1934363591 to QM_IDLE
Jan 11 13:38:57.239: ISAKMP:(0:1:SW:1): sending packet to 10.49.163.1 my_port 500 peer_port 500 (I) QM_IDLE
Jan 11 13:38:57.239: ISAKMP:(0:1:SW:1):purging node 1934363591
Jan 11 13:38:57.243: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jan 11 13:38:57.243: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

Jan 11 13:38:57.243: ISAKMP:(0:1:SW:1):deleting SA reason "No reason" state (I) QM_IDLE       (peer 10.49.163.1)
Jan 11 13:38:57.243: ISAKMP: Unlocking IKE struct 0x470157B8 for isadb_mark_sa_deleted(), count 0
Jan 11 13:38:57.243: ISAKMP: Deleting peer node by peer_reap for 10.49.163.1: 470157B8
Jan 11 13:38:57.243: ISAKMP:(0:1:SW:1):deleting node -1471990271 error FALSE reason "IKE deleted"
Jan 11 13:38:57.243: ISAKMP:(0:1:SW:1):deleting node -1557550641 error FALSE reason "IKE deleted"
Jan 11 13:38:57.243: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 11 13:38:57.243: ISAKMP:(0:1:SW:1):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

Jan 11 13:38:57.243: IPSEC(key_engine): got a queue event with 1 kei messages

Labels:
0 Helpful
2 Replies 2

smolz
Level 4
Level 4

‎01-12-2010 05:27 AM

As an update if I take off the first tunnel the 2nd tunnel comes up and passes traffic????  Is there something wrong with the router?  Or maybe the interface, it is a 4 port ethernet card.

0 Helpful

smolz
Level 4
Level 4

‎01-12-2010 07:10 AM

FIXED!  Add the command on the head-end 7206 interface: no ip route-cache

Tunnel came up and is now working, I would still like to know why I have to add this?

0 Helpful
Customers Also Viewed These Support Documents