Ipsec not working after password recovery

telo.erttoi
Level 1

Hello,

I have used the password recovery procedure on a Cisco 831 with success (password changed); however, the IPsec VPN is not working anymore.

I have the following message: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer xxx

I haven't modified the configuration during the process (apart from shutdown / no shutdown on interfaces).

Any hint?

Thanks.

11 Replies

Jennifer Halim
Cisco Employee

Please try to clear the SA on both sides of the tunnels:

- clear cry isa

- clear cry ipsec

Try to establish the VPN tunnel again, and if it still doesn't work, you might want to grab the debug output to further investigate the issue:

- debug cry isa

- debug cry ipsec

Hope that helps.

I've tried to clear on both sides, still not working; here is the debug.

debug ipsec:

IPSEC(validate_transform_proposal): invalid local address xxx

debug isakmp:

ISAKMP (0:4): IPSec policy invalidated proposal
00:22:14: ISAKMP (0:4): phase 2 SA policy not acceptable! (local xxx remote xxx)

Can we see configs from both sides for crypto?

Who's initiating the tunnel?

Looks to me like a PFS/transform-set mismatch, obviously :-)

crypto on site A:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key ***** address ipsiteC
crypto isakmp key ***** address ipsiteB
!
!
crypto ipsec transform-set default-ts esp-3des esp-sha-hmac
!
crypto map sites-distants local-address Loopback0
crypto map sites-distants 1 ipsec-isakmp
 set peer ipsiteC
 set security-association lifetime kilobytes 1000000
 set transform-set default-ts
 set pfs group1
 match address traffic-tarare-comcom
crypto map sites-distants 2 ipsec-isakmp
 set peer ipsiteB
 set security-association lifetime kilobytes 1000000
 set transform-set default-ts
 set pfs group1
 match address traffic-siteA-siteB

crypto on site B (the one that displays error messages):

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 0 ***** address ipsiteA
!
!
crypto ipsec transform-set default-ts esp-3des esp-sha-hmac
!
crypto map sites-distants 1 ipsec-isakmp
 set peer ipsiteA
 set security-association lifetime kilobytes 1000000
 set transform-set default-ts
 set pfs group1
 match address traffic-siteB-siteA

I'm not sure which one initiates the tunnel; I haven't modified the crypto and it was working before.

Christian,

What are the versions?

I very much doubt that password recovery was the trigger, but just in case did you put the config register back the way it was?

Can you also attach full debugs from both sides at the same time? (IP addresses changed/omitted if needed.)

Marcin

I put the config register to 0x2102; not sure it was this way before.

I'll provide you full conf and debug soon. How can I show you the debug more easily than copy/paste?

The way we do it is we enable logging of the PuTTY/SecureCRT session to a file and enable debugs.

(you might need to do "debug crypto condition peer ipv4 $IP_ADDRESS_OF_OTHER_SIDE")

Marcin

Here is what I've got after debugging ipsec and isakmp; only site B (the one that has trouble) is displaying something, site A doesn't display anything after debug.

I hope this will help

00:23:48: ISAKMP (0:2): atts are acceptable.
00:23:48: ISAKMP (0:2): IPSec policy invalidated proposal
00:23:48: ISAKMP (0:2): phase 2 SA policy not acceptable! (local ipsiteB remote ipsiteA)

This is interesting. Normally there should be an ipsec error thrown, but you collected isakmp and ipsec debugs separately and from one side only, so it's hard to judge :-)

Can I suggest this procedure:

1. Remove and add crypto map.

2. Reload.

3. Upgrade to latest image in your current train.

(Break at any point if the situation is resolved :-] )

Unless you're using an isakmp profile or specifying local-address somewhere that is out of whack.

Helpful outputs:

--------

sh run | s crypto

sh crypto map

--------

One maybe useful debug:

--------

debug crypto kmi

-------

Here is the debug with isakmp and ipsec together.

Remove and add crypto map: no result :/

debug crypto kmi is not recognized

00:33:45: ISAKMP (0:14): atts are acceptable.
00:33:45: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 172.22.44.1, remote= 172.22.255.247,
    local_proxy= 172.22.44.16/255.255.255.240/0/0 (type=4),
    remote_proxy= 126.71.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x12
00:33:45: IPSEC(validate_transform_proposal): invalid local address 172.22.44.1
00:33:45: ISAKMP (0:14): IPSec policy invalidated proposal
00:33:45: ISAKMP (0:14): phase 2 SA policy not acceptable! (local 172.22.44.1 remote 172.22.255.247)
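
As an added example (not code from this thread, and not Cisco's), here is a small Python triage script for the two symptoms discussed above: Marcin's PFS/transform-set mismatch hypothesis and the "invalid local address" line in the site B debug. It parses the crypto sections as posted, checks that both crypto-map entries agree on transform-set algorithms and PFS group, and relates the rejected local address to the interface the responder's crypto map is bound to. The configs are constructed from the posts; the interface stanzas on site B, and the rule that IOS rejects a proposal whose local address is not the address of the crypto-map interface (or its local-address interface, if one is set), are assumptions of this example.

```python
import re

# Constructed sample configs modelled on the "crypto on site A / site B" posts above; the
# interface stanzas on site B are an assumption added so the local-address check has input.
SITE_A = """\
crypto ipsec transform-set default-ts esp-3des esp-sha-hmac
crypto map sites-distants 2 ipsec-isakmp
 set peer 172.22.44.1
 set transform-set default-ts
 set pfs group1
"""
SITE_B = """\
crypto ipsec transform-set default-ts esp-3des esp-sha-hmac
crypto map sites-distants 1 ipsec-isakmp
 set peer 172.22.255.247
 set transform-set default-ts
 set pfs group1
interface Loopback0
 ip address 172.22.44.1 255.255.255.255
interface Ethernet1
 crypto map sites-distants
"""
# The two decisive debug lines as posted for site B in this thread.
DEBUG = """\
00:33:45: IPSEC(validate_transform_proposal): invalid local address 172.22.44.1
00:33:45: ISAKMP (0:14): phase 2 SA policy not acceptable! (local 172.22.44.1 remote 172.22.255.247)
"""

def parse_ios(text):
    """Group a config into {top-level command: [sub-commands]}; IOS indents children by one space."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        elif not line.startswith(" "):
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def subcmd(children, *prefix):
    """Text after a sub-command prefix, e.g. subcmd(kids, "set", "pfs") -> "group1"."""
    for child in children:
        words = child.split()
        if tuple(words[:len(prefix)]) == prefix:
            return " ".join(words[len(prefix):])
    return None

def map_entries(cfg):
    return {top: kids for top, kids in cfg.items()
            if top.startswith("crypto map ") and top.endswith(" ipsec-isakmp")}

def transform_algs(cfg, name):
    """Algorithms of a named transform-set, as a set so ordering differences are ignored."""
    for top in cfg:
        words = top.split()
        if words[:3] == ["crypto", "ipsec", "transform-set"] and words[3] == name:
            return set(words[4:])
    return set()

def phase2_mismatches(a, ea, b, eb):
    """Compare two crypto-map entries (one per side) on transform-set algorithms and PFS group."""
    ta = transform_algs(a, subcmd(ea, "set", "transform-set"))
    tb = transform_algs(b, subcmd(eb, "set", "transform-set"))
    problems = []
    if ta != tb:
        problems.append(f"transform-set differs: {sorted(ta)} vs {sorted(tb)}")
    if subcmd(ea, "set", "pfs") != subcmd(eb, "set", "pfs"):
        problems.append(f"pfs differs: {subcmd(ea, 'set', 'pfs')} vs {subcmd(eb, 'set', 'pfs')}")
    return problems

INVALID_LOCAL = re.compile(r"invalid local address (\d+(?:\.\d+){3})")

def explain_invalid_local(debug_text, cfg):
    """Relate each 'invalid local address X' to where the crypto map is actually bound.
    Assumption: IOS rejects a proposal whose local address is not the address of the
    interface the crypto map is applied to (or of its local-address interface, if set)."""
    ifaces = {top.split()[1]: kids for top, kids in cfg.items() if top.startswith("interface ")}
    local_addr = {top.split()[2]: top.split()[4] for top in cfg
                  if top.startswith("crypto map ") and " local-address " in top}
    findings = []
    for addr in INVALID_LOCAL.findall(debug_text):
        owner = next((n for n, kids in ifaces.items()
                      if (subcmd(kids, "ip", "address") or "").split()[:1] == [addr]), None)
        if owner is None:
            findings.append(f"{addr}: not configured on any interface")
            continue
        for name, kids in ifaces.items():
            cmap = subcmd(kids, "crypto", "map")
            if cmap is None:
                continue
            bound = local_addr.get(cmap, name)  # local-address overrides the applied interface
            verdict = "matches" if bound == owner else "does not match"
            findings.append(f"{addr}: on {owner}; crypto map {cmap} is bound to {bound} ({verdict})")
    return findings

def triage(site_a=SITE_A, site_b=SITE_B, debug=DEBUG):
    """Run both checks for the responder side (site B) and return the findings."""
    a, b = parse_ios(site_a), parse_ios(site_b)
    ea, eb = next(iter(map_entries(a).values())), next(iter(map_entries(b).values()))
    return {"phase2_problems": phase2_mismatches(a, ea, b, eb),
            "invalid_local": explain_invalid_local(debug, b)}
```

Calling `triage()` on the constructed input reports no transform-set/PFS problem and flags that 172.22.44.1 lives on Loopback0 while the crypto map is applied to Ethernet1 with no `local-address`. On a real box, `sh crypto map` (suggested earlier in the thread) shows the same binding directly; the script only makes the comparison repeatable when the configs are pasted from a logged session.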

Many possibilities :-)

Hard to say without knowing the exact configs; it could also be buggy. What's the version?
