Pix to Pix NEM Can't Ping **Will Pay For Working Configs**

Jun 18th, 2010

I am playing around with setting up a PIX-to-PIX NEM VPN link for a client for their VoIP system. I have a PIX 515E 8.0(3) running as the VPN server and a PIX 506E 6.3(5) as the EzVPN client. I have tried the basic configuration Cisco has on their website and I can't get the laptops I have connected to the inside interfaces to ping each other. I have logged on via ASDM and PDM and they both tell me the VPN is connected. My Cisco skills are pretty rusty and I need a little help. I have laptops plugged into the inside port of each PIX and both outside ports plugged into a switch. Attached are the configs I have loaded into them.


PIX515E - VPN Server

interface Ethernet0
nameif outside
security-level 0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.22.1.1 255.255.255.0
!
!--- Output Suppressed

!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive

!--- This access list is used by the nat 0 command so that traffic
!--- which matches it does not undergo network address translation (NAT).


access-list no-nat extended permit ip 172.22.1.0 255.255.255.0
!--- This access list is used to define the traffic
!--- that should pass through the tunnel.
!--- It is bound to the group policy, which defines
!--- a dynamic crypto map.

access-list ezvpn1 extended permit ip 172.22.1.0 255.255.255.0

pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
http server enable
http 0.0.0.0 0.0.0.0 inside
no asdm history enable
arp timeout 14400


!--- Specify the NAT configuration. 
!--- NAT 0 prevents NAT for the ACL defined in this configuration.
!--- The nat 1 command specifies NAT for all other traffic.

global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart



!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here. 
!--- A single DES encryption with
!--- the md5 hash algorithm is used.

crypto ipsec transform-set mySET esp-des esp-md5-hmac

!--- This command defines a dynamic crypto map
!--- with the specified encryption settings.

crypto dynamic-map myDYN-MAP 5 set transform-set mySET

!--- This command binds the dynamic map to
!--- the IPsec/ISAKMP process.

crypto map myMAP 60 ipsec-isakmp dynamic myDYN-MAP

!--- This command specifies the interface to be used 
!--- with the settings defined in this configuration.

crypto map myMAP interface outside

!--- PHASE 1 CONFIGURATION ---!

!--- This configuration uses isakmp policy 1.  
!--- Policy 65535 is included in the default
!--- configuration. These configuration commands 
!--- define the Phase 1 policies that are used.

crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global

!--- This defines the group policy you use with Easy VPN. 
!--- Specify the networks that should pass through
!--- the tunnel and that you want to
!--- use network extension mode.

group-policy myGROUP internal
group-policy myGROUP attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ezvpn1
nem enable


!--- The username and password associated with
!--- this VPN connection are defined here.  You
!--- can also use AAA for this function.

username user password 1234
!--- The tunnel-group commands bind the configurations
!--- defined in this configuration to the tunnel that is
!--- used for Easy VPN.  This tunnel name is the one
!--- specified on the remote side.

tunnel-group mytunnel type ipsec-ra
tunnel-group mytunnel general-attributes
default-group-policy myGROUP
tunnel-group mytunnel ipsec-attributes
!--- The pre-shared-key used is "cisco".

pre-shared-key cisco


PIX506E - Pix Ezyvpn Client

interface ethernet0 auto
interface ethernet1 auto

!--- Assign the interface names.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname erky
domain-name phaseshift
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
icmp permit any outside
mtu outside 1500
mtu inside 1500

!--- Assign the interface IP addresses.

ip address outside 10.10.10.2 255.255.255.0
ip address inside 172.22.1.3 255.255.255.0

ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400

!--- Set the standard NAT configuration. 
!--- EasyVPN  provides the NAT exceptions needed.

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- Specify the default route.

route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0

!--- EasyVPN Client Configuration ---!
!--- Specify the IP address of the VPN server.

vpnclient server 10.10.10.1
!--- This example uses network extension mode.

vpnclient mode network-extension-mode
!--- Specify the group name and the pre-shared key.

vpnclient vpngroup mytunnel password cisco
!--- Specify the authentication username and password.

vpnclient username user password 1234
!---- After you issue this command, the tunnel is established.

vpnclient enable

Jennifer Halim (Cisco Employee), Fri, 06/18/2010 - 04:47

The two LANs on the client and server sites can't be in the same subnet. They need to be unique subnets, and the nonat ACL and the split-tunnel ACL need to be modified accordingly. Currently both LANs are configured in the same 172.22.1.0/24 subnet. Change either the server or the client LAN to some other unique subnet.


The split-tunnel ACL (ezvpn1) also needs to be a standard ACL instead of an extended ACL.


To check if the VPN tunnel is actually connected, please share the output of:

show crypto isa sa

show crypto ipsec sa


from the server end after the above changes.


Hope that helps.

jaymaster2000, Sun, 06/20/2010 - 22:35

Almost there. I have got them working on the same network, but now I have issues getting both the server and the client working behind Cisco ADSL modems. I have tried connecting to the server using the Cisco VPN Client over the internet and cannot connect to the server. I am pretty sure it is related to port forwarding and tried to set up the server in the DMZ, but that didn't work. Any suggestions?

Jennifer Halim (Cisco Employee), Mon, 06/21/2010 - 03:35

Not sure how the ADSL is configured; is it forwarding everything to the PIX outside interface? Not sure if the ADSL modem is NATing the packet again, or if it's just forwarding the traffic in bridge mode.

jaymaster2000, Mon, 06/21/2010 - 15:51

The modem isn't in bridge mode.


My setup looks like this:

(client laptop) 172.16.1.2 <--> 172.16.1.1 (PIX 506E NEM) 192.168.0.4 <--> 192.168.0.1 (Linksys modem) dynamic IP <----> (internet)


(internet) <--> 150.XXX.XXX.XXX (ADSL modem) 192.168.0.1 <---> 192.168.0.3 (PIX 515E server) 172.22.1.1 <---> 172.22.1.2 (other laptop)


I have port forwarded on both routers 1701 UDP, 4500 UDP, 500 UDP and 1723 TCP. I also tried putting them both in the DMZ but that didn't help much. I have used the VPN Client on my laptop from the client network and get a password prompt when I try and connect remotely (that's obviously bypassing the PIX 506). Both of the Linksys routers have VPN passthrough enabled on them. I am fairly sure it's a NAT issue as it works when plugged into the same switch. I have attached the configs I am now using.


Pix 515E VPN Server


interface Ethernet0
nameif outside
security-level 0
ip address 192.168.0.3 255.255.255.0
no shut
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.22.1.1 255.255.255.0
no shut
!
!--- Output Suppressed


!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive


!--- This access list is used by the nat 0 command so that traffic
!--- which matches it does not undergo network address translation (NAT).



access-list no-nat extended permit ip 172.22.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!--- This access list is used to define the traffic
!--- that should pass through the tunnel.
!--- It is bound to the group policy, which defines
!--- a dynamic crypto map.


access-list ezvpn1 extended permit ip 172.22.1.0 255.255.255.0 172.16.1.0 255.255.255.0


pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
http server enable
http 0.0.0.0 0.0.0.0 inside
no asdm history enable
arp timeout 14400



!--- Specify the NAT configuration. 
!--- NAT 0 prevents NAT for the ACL defined in this configuration.
!--- The nat 1 command specifies NAT for all other traffic.


global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart




!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here. 
!--- A single DES encryption with
!--- the md5 hash algorithm is used.


crypto ipsec transform-set mySET esp-des esp-md5-hmac


!--- This command defines a dynamic crypto map
!--- with the specified encryption settings.


crypto dynamic-map myDYN-MAP 5 set transform-set mySET


!--- This command binds the dynamic map to
!--- the IPsec/ISAKMP process.


crypto map myMAP 60 ipsec-isakmp dynamic myDYN-MAP


!--- This command specifies the interface to be used 
!--- with the settings defined in this configuration.


crypto map myMAP interface outside


!--- PHASE 1 CONFIGURATION ---!


!--- This configuration uses isakmp policy 1.  
!--- Policy 65535 is included in the default
!--- configuration. These configuration commands 
!--- define the Phase 1 policies that are used.


crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global


!--- This defines the group policy you use with Easy VPN. 
!--- Specify the networks that should pass through
!--- the tunnel and that you want to
!--- use network extension mode.


group-policy myGROUP internal
group-policy myGROUP attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ezvpn1
nem enable



!--- The username and password associated with
!--- this VPN connection are defined here.  You
!--- can also use AAA for this function.


username user password 1234
!--- The tunnel-group commands bind the configurations
!--- defined in this configuration to the tunnel that is
!--- used for Easy VPN.  This tunnel name is the one
!--- specified on the remote side.


tunnel-group mytunnel type ipsec-ra
tunnel-group mytunnel general-attributes
default-group-policy myGROUP
tunnel-group mytunnel ipsec-attributes
!--- The pre-shared-key used is "cisco".


pre-shared-key cisco


PIX 506E Vpn Nem Client


interface ethernet0 auto
interface ethernet1 auto


!--- Assign the interface names.


nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
icmp permit any outside
mtu outside 1500
mtu inside 1500


!--- Assign the interface IP addresses.


ip address outside 192.168.0.4 255.255.255.0
ip address inside 172.16.1.1 255.255.255.0


ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400


!--- Set the standard NAT configuration. 
!--- EasyVPN  provides the NAT exceptions needed.


global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0


!--- Specify the default route.


route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0


!--- EasyVPN Client Configuration ---!
!--- Specify the IP address of the VPN server.


vpnclient server 150.XXX.XXX.XXX
!--- This example uses network extension mode.


vpnclient mode network-extension-mode
!--- Specify the group name and the pre-shared key.


vpnclient vpngroup mytunnel password cisco
!--- Specify the authentication username and password.


vpnclient username user password 1234
!---- After you issue this command, the tunnel is established.


vpnclient enable

Jennifer Halim (Cisco Employee), Tue, 06/22/2010 - 03:47

IPsec uses the following protocols:

1) UDP/500

2) ESP --> this is an IP protocol, not UDP or TCP with port numbers.


Hence, as ESP is a protocol, port forwarding on the modem will not work.


You can enable NAT-T on the headend PIX so the ESP packet is encapsulated in UDP/4500:

crypto isakmp nat-traversal 15


Hope that helps.
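The point in the reply above is that ESP is an IP protocol of its own (protocol number 50) with no port numbers, so a port-forwarding rule on the modem has nothing to match until NAT-T wraps it in UDP/4500. The following Python script is an added example and not code from any post in this thread: it builds a few IPv4 packets (constructed here; 198.51.100.1 is an assumed stand-in for the masked headend address) and classifies each as IKE on UDP/500, raw ESP, NAT-T IKE (UDP/4500 with the four-byte non-ESP marker from RFC 3948), ESP-in-UDP, or a NAT keepalive, and reports whether a port-based forwarding rule could match it at all.

```python
"""Tell IKE, raw ESP and NAT-T (UDP/4500) traffic apart from raw IPv4 bytes.

Added example for the thread above, not part of any post. The packets are
constructed here; HEADEND stands in for the masked 150.xxx.xxx.xxx address.
"""
import socket
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50          # ESP is its own IP protocol: no port numbers at all
IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s2.2: prefixes IKE carried over UDP/4500

CLIENT = "192.168.0.4"    # PIX 506E outside address from the thread
HEADEND = "198.51.100.1"  # assumed stand-in for the masked headend address


def build_ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_udp(sport, dport, payload):
    """UDP header (checksum zero) in front of payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def isakmp_header(exchange_type, length):
    """ISAKMP header: cookies, next payload, version 1.0, exchange, flags, msg id, length."""
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8,
                       1, 0x10, exchange_type, 0, 0, length)


def classify(pkt):
    """Return what kind of IPsec traffic an IPv4 packet carries."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    info = {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": proto, "kind": "other", "ports": None, "spi": None}
    body = pkt[ihl:]
    if proto == IPPROTO_ESP:
        # Raw ESP: SPI and sequence number follow the IP header directly;
        # there is nothing a port-forwarding rule could match on.
        info["kind"] = "esp"
        info["spi"] = struct.unpack("!I", body[:4])[0]
        return info
    if proto != IPPROTO_UDP:
        return info
    sport, dport = struct.unpack("!HH", body[:4])
    info["ports"] = (sport, dport)
    udp_payload = body[8:]
    if IKE_PORT in (sport, dport):
        info["kind"] = "ike"
    elif NAT_T_PORT in (sport, dport):
        if udp_payload == b"\xff":
            info["kind"] = "nat-keepalive"        # RFC 3948 s4: a single 0xFF byte
        elif udp_payload[:4] == NON_ESP_MARKER:
            info["kind"] = "ike-nat-t"            # IKE moved to 4500 after NAT detection
        else:
            # ESP-in-UDP: the first word is the SPI, which is never zero, so it
            # cannot be confused with the non-ESP marker.
            info["kind"] = "esp-in-udp"
            info["spi"] = struct.unpack("!I", udp_payload[:4])[0]
    return info


def can_port_forward(pkt):
    """True if a port-based NAT/forwarding rule could match this packet at all."""
    return pkt[9] in (IPPROTO_TCP, IPPROTO_UDP)


# Constructed sample packets (the SPI value is taken from the show output later in the thread).
SAMPLES = {
    "ike": build_ipv4(IPPROTO_UDP, CLIENT, HEADEND,
                      build_udp(IKE_PORT, IKE_PORT, isakmp_header(4, 28))),   # 4 = Aggressive
    "esp": build_ipv4(IPPROTO_ESP, CLIENT, HEADEND,
                      struct.pack("!II", 0xC7F300AF, 1) + b"\x00" * 16),
    "nat_t_ike": build_ipv4(IPPROTO_UDP, CLIENT, HEADEND,
                            build_udp(NAT_T_PORT, NAT_T_PORT,
                                      NON_ESP_MARKER + isakmp_header(4, 28))),
    "nat_t_esp": build_ipv4(IPPROTO_UDP, CLIENT, HEADEND,
                            build_udp(NAT_T_PORT, NAT_T_PORT,
                                      struct.pack("!II", 0xC7F300AF, 2) + b"\x00" * 16)),
    "keepalive": build_ipv4(IPPROTO_UDP, CLIENT, HEADEND,
                            build_udp(NAT_T_PORT, NAT_T_PORT, b"\xff")),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        c = classify(pkt)
        print(f"{name:10s} proto={c['proto']:<3} ports={c['ports']} kind={c['kind']:<13} "
              f"spi={c['spi']} port-forwardable={can_port_forward(pkt)}")
```

Run it directly to print one line per sample packet. The keepalive and non-ESP-marker checks are how a NAT-T peer tells the three kinds of UDP/4500 packets apart; the raw ESP packet is the one a modem's port-forwarding table can never address, which is why `crypto isakmp nat-traversal` has to be on before the tunnel can cross a NAT.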

jaymaster2000, Tue, 06/22/2010 - 04:03

I have tried crypto isakmp nat-traversal 20 but it didn't seem to work.

Jennifer Halim (Cisco Employee), Tue, 06/22/2010 - 04:05

Please run the following debugs to see where it's actually failing:

debug crypto isa

debug crypto ipsec


Also, while it's trying to connect, please also get the following show output:

show crypto isa sa

show crypto ipsec sa

jaymaster2000, Tue, 06/22/2010 - 06:25

Here is the debug from the client; I can't get to the server until tomorrow.

debug crypto isa

ISAKMP (0): sending NOTIFY message 36136 protocol 1
ISAKMP (0): sending NOTIFY message 36136 protocol 1
ISAKMP (0): DPD: peer not responding!
ISAKMP (0): deleting SA: src 192.168.0.4, dst 150.xxx.xxx.xxx
ISAKMP (0): ID payload
        next-payload : 13
        type         : 11
        protocol     : 17
        port         : 0
        length       : 12
ISAKMP (0:0): Setting UDP ENC peer struct 0xf9e1c4 sa= 0xdfb6e4
ISAKMP (0): Total payload length: 16
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Aggressive Mode exchange
crypto_isakmp_process_block:src:150.xxx.xxx.xxx, dest:192.168.0.4 spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 9 against priority 65001 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 9 against priority 65002 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 9 against priority 65003 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 9 against priority 65004 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 9 against priority 65005 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 9 against priority 65006 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 9 against priority 65007 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 9 against priority 65008 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 9 against priority 65009 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing ID payload. message ID = 0
ISAKMP: no pre-shared key for     192.168.0.3
ISADB: reaper checking SA 0xf08ef4, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:150.xxx.xxx.xxx/4500 Ref cnt decremented to:1 Total VPN Peers:1IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 150.xxx.xxx.xxx

ISAKMP: Unlocking UDP ENC struct 0xf9e1c4 from isadb_free_isakmp_sa, count 1
ISADB: reaper checking SA 0xdfb6e4, conn_id = 0
crypto_isakmp_process_block:src:150.xxx.xxx.xxx, dest:192.168.0.4 spt:500 dpt:500
ISAKMP: phase 1 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): sending NOTIFY message 36136 protocol 1
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:150.xxx.xxx.xxx, dest:192.168.0.4 spt:500 dpt:500
ISAKMP: phase 1 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:150.xxx.xxx.xxx, dest:192.168.0.4 spt:500 dpt:500
ISAKMP: phase 1 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): sending NOTIFY message 36136 protocol 1
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:150.xxx.xxx.xxx, dest:192.168.0.4 spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
ISAKMP (0): sending NOTIFY message 36136 protocol 1


debug crypto ipsec

erky# IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 150.xxx.xxx.xxx

Jennifer Halim (Cisco Employee), Tue, 06/22/2010 - 06:43

Based on the debug outputs:

ISAKMP: no pre-shared key for     192.168.0.3


There is no pre-shared key for 192.168.0.3. You might want to double-check that both ends have the pre-shared key configured (group password configured).


Here is a sample configuration to double-confirm the config (it also includes the debug and show commands to check which phase it's breaking in):

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805c5ad9.shtml
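The debug above prints the fields of an ISAKMP Identification payload (next-payload 13, type 11, protocol 17, port 0) and later reports "no pre-shared key for 192.168.0.3" and "reserved not zero on payload 8! malformed payload". The following Python script is an added example, not code from any post: it encodes and decodes ID payloads in the RFC 2407 layout (type 11 is ID_KEY_ID, the form a Cisco Easy VPN client uses for its group name; type 1 is ID_IPV4_ADDR; next-payload 13 is the Vendor ID payload and 8 the Hash payload), rejects a non-zero reserved byte the way the PIX does, and looks a pre-shared key up under the identity the peer presents. The keyring, the "mytunnel" group key and the 198.51.100.1 stand-in for the masked headend address are assumptions. In the sample, a headend that identifies itself by its private outside address 192.168.0.3 does not match a key stored under the public address it was dialled at, which is the kind of miss the debug line reports.

```python
"""Decode ISAKMP Identification payloads (RFC 2407 s4.6.2) and look up a PSK.

Added example for the debug above; not from the original post. The keyring and
the 198.51.100.1 address standing in for the masked headend are assumptions.
"""
import socket
import struct

# ID types from RFC 2407 s4.6.2.1 (type 11 is what the debug above shows).
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_KEY_ID = 1, 2, 3, 11
ID_TYPE_NAMES = {ID_IPV4_ADDR: "ID_IPV4_ADDR", ID_FQDN: "ID_FQDN",
                 ID_USER_FQDN: "ID_USER_FQDN", ID_KEY_ID: "ID_KEY_ID"}
# ISAKMP payload type numbers used in the "next payload" field (RFC 2408 s3.1).
PAYLOAD_HASH, PAYLOAD_VENDOR_ID = 8, 13
IPPROTO_UDP = 17


def build_id_payload(next_payload, id_type, data, protocol=IPPROTO_UDP, port=0):
    """Encode one ID payload: generic header (4 bytes) + type/proto/port (4) + data."""
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(data),
                       id_type, protocol, port) + data


def parse_id_payload(buf):
    """Decode an ID payload, rejecting the malformations the PIX complains about."""
    if len(buf) < 8:
        raise ValueError("ID payload truncated")
    next_payload, reserved, length, id_type, protocol, port = struct.unpack("!BBHBBH", buf[:8])
    if reserved != 0:
        # Same condition as the "reserved not zero on payload N! malformed payload" line.
        raise ValueError("reserved not zero on ID payload")
    if length < 8 or length > len(buf):
        raise ValueError(f"bad payload length {length}")
    data = buf[8:length]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR needs exactly 4 bytes of data")
        identity = socket.inet_ntoa(data)
    elif id_type in (ID_FQDN, ID_USER_FQDN, ID_KEY_ID):
        identity = data.decode("ascii", "replace")
    else:
        identity = data.hex()
    return {"next_payload": next_payload, "type": id_type,
            "type_name": ID_TYPE_NAMES.get(id_type, f"type-{id_type}"),
            "protocol": protocol, "port": port, "length": length, "identity": identity}


def well_formed(buf):
    """True if parse_id_payload accepts the bytes."""
    try:
        parse_id_payload(buf)
        return True
    except ValueError:
        return False


def lookup_psk(keyring, parsed):
    """Return the key stored under the identity the peer presented, or None."""
    return keyring.get((parsed["type"], parsed["identity"]))


HEADEND_PUBLIC = "198.51.100.1"   # assumed stand-in for 150.xxx.xxx.xxx
# Assumed keyring: the Easy VPN group key, and a key for the headend as
# reached at its public address.
KEYRING = {(ID_KEY_ID, "mytunnel"): b"cisco",
           (ID_IPV4_ADDR, HEADEND_PUBLIC): b"cisco"}

# Constructed payloads: the client's group ID (next payload 13 = Vendor ID,
# type 11 = ID_KEY_ID, protocol 17, port 0, as in the debug) and a headend
# identifying itself by its private outside address, followed by a HASH payload.
GROUP_ID = build_id_payload(PAYLOAD_VENDOR_ID, ID_KEY_ID, b"mytunnel")
HEADEND_ID = build_id_payload(PAYLOAD_HASH, ID_IPV4_ADDR, socket.inet_aton("192.168.0.3"))
BAD_RESERVED = bytes([HEADEND_ID[0], 0x01]) + HEADEND_ID[2:]   # reserved byte set

if __name__ == "__main__":
    for name, buf in (("group", GROUP_ID), ("headend", HEADEND_ID)):
        p = parse_id_payload(buf)
        print(f"{name}: {p['type_name']} {p['identity']!r} proto={p['protocol']} "
              f"port={p['port']} length={p['length']} psk={lookup_psk(KEYRING, p)}")
    print("bad reserved byte well-formed?", well_formed(BAD_RESERVED))
```

The lookup is keyed on (ID type, identity) on purpose: an IKEv1 responder selects the pre-shared key from the identity in the peer's ID payload, so when the addresses a NAT presents differ from the addresses the keys were configured under, the symptom is exactly a "no pre-shared key for <address>" line rather than a bad hash.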

jaymaster2000, Tue, 06/22/2010 - 21:29

After plugging them both into the same switch and issuing "vpnclient server 192.168.0.3" on the 506E they work fine, so that would rule out the issue of having the wrong shared key. I have attached the debug from the 506E while they are set up through the switch and have the vpnclient server changed.


sh crypto ipsec sa

interface: outside
    Crypto map tag: _vpnc_cm, local addr. 192.168.0.4

   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0)
   current_peer: 192.168.0.3:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 192.168.0.4, remote crypto endpt.: 192.168.0.3
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: c7f300af

     inbound esp sas:
      spi: 0xc5485093(3309850771)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4607999/28768)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xc7f300af(3354591407)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4607999/28768)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

   local  ident (addr/mask/prot/port): (192.168.0.4/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.3/255.255.255.255/0/0)
   current_peer: 192.168.0.3:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.0.4, remote crypto endpt.: 192.168.0.3
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: ded6362b

     inbound esp sas:
      spi: 0x41f75ada(1106729690)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4608000/28750)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xded6362b(3738580523)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 6, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4608000/28741)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

   local  ident (addr/mask/prot/port): (192.168.0.4/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0)
   current_peer: 192.168.0.3:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.0.4, remote crypto endpt.: 192.168.0.3
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 99770485

     inbound esp sas:
      spi: 0xcd35a70c(3442845452)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4608000/28719)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x99770485(2574713989)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4608000/28719)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:


erky(config)# debug crypto isa
erky(config)#
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:192.168.0.3, dest:192.168.0.4 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36137 protocol 1
spi 0, message ID = 3276157040
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 192.168.0.3
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP: Deleting peer node for 150.xxx.xxx.xxx
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:192.168.0.3, dest:192.168.0.4 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36137 protocol 1
spi 0, message ID = 1157973989
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 192.168.0.3
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:192.168.0.3, dest:192.168.0.4 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36137 protocol 1
spi 0, message ID = 2549749615
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 192.168.0.3
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:192.168.0.3, dest:192.168.0.4 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36137 protocol 1
spi 0, message ID = 2612143680
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 192.168.0.3
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:192.168.0.3, dest:192.168.0.4 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36137 protocol 1
spi 0, message ID = 1405545498
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 192.168.0.3
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:192.168.0.3, dest:192.168.0.4 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36137 protocol 1
spi 0, message ID = 971900628
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 192.168.0.3
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:192.168.0.3, dest:192.168.0.4 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36137 protocol 1
spi 0, message ID = 4059649852
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 192.168.0.3

Jennifer Halim (Cisco Employee), Wed, 06/23/2010 - 05:53

Great, looks like it's working now.

Traffic is being encrypted and decrypted between 172.16.1.0/24 subnet and 172.22.1.0/24 subnet.
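The reading of the show output in the reply above (packets both encrypted and decrypted on the 172.16.1.0/24 to 172.22.1.0/24 SA pair, zero on the others) is the standard way to tell a tunnel that carries traffic from one that merely has Phase 2 up. The following Python script is an added example, not code from any post: it parses `show crypto ipsec sa` output into one record per local/remote identity pair, normalising the addr/mask pairs to CIDR, and labels each pair bidirectional, tx-only, rx-only or idle from its encaps/decaps counters. SAMPLE is a condensed copy of the PIX 506E output posted above; the labels and the two one-way-failure hints are this script's own.

```python
"""Parse `show crypto ipsec sa` output and say which SA pairs actually carry traffic.

Added example for the thread above, not from any post. SAMPLE is a condensed
copy of the PIX 506E output posted earlier; the verdict labels are this
script's own.
"""
import ipaddress
import re

IDENT = re.compile(r"^\s*(local|remote)\s+ident \(addr/mask/prot/port\): "
                   r"\(([^/]+)/([^/]+)/(\d+)/(\d+)\)")
PEER = re.compile(r"^\s*current_peer:\s*(\S+)")
ENCAPS = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS = re.compile(r"#pkts decaps:\s*(\d+)")
ERRORS = re.compile(r"#send errors\s*(\d+),\s*#recv errors\s*(\d+)")


def parse_ipsec_sa(text):
    """Return one dict per local/remote identity pair with its counters."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT.match(line)
        if m:
            side, addr, mask, _prot, _port = m.groups()
            # "172.16.1.0/255.255.255.0" -> "172.16.1.0/24"
            net = str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
            if side == "local":
                cur = {"local": net, "remote": None, "peer": None,
                       "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
                sas.append(cur)
            elif cur is not None:
                cur["remote"] = net
            continue
        if cur is None:
            continue
        m = PEER.match(line)
        if m:
            cur["peer"] = m.group(1)
            continue
        m = ENCAPS.search(line)
        if m:
            cur["encaps"] = int(m.group(1))
            continue
        m = DECAPS.search(line)
        if m:
            cur["decaps"] = int(m.group(1))
            continue
        m = ERRORS.search(line)
        if m:
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
    return sas


def verdict(sa):
    """Which direction has moved packets over this SA pair."""
    if sa["encaps"] and sa["decaps"]:
        return "bidirectional"
    if sa["encaps"]:
        return "tx-only"   # we encrypt, nothing is decrypted: look at the far side
    if sa["decaps"]:
        return "rx-only"   # far side sends, we never encrypt: local route or ACL
    return "idle"


def report(text):
    """(local, remote, verdict) for every SA pair in the output."""
    return [(sa["local"], sa["remote"], verdict(sa)) for sa in parse_ipsec_sa(text)]


# Constructed sample: condensed from the show output posted earlier in the thread.
SAMPLE = """\
interface: outside
    Crypto map tag: _vpnc_cm, local addr. 192.168.0.4

   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0)
   current_peer: 192.168.0.3:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
    #send errors 1, #recv errors 0

   local  ident (addr/mask/prot/port): (192.168.0.4/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.3/255.255.255.255/0/0)
   current_peer: 192.168.0.3:500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0

   local  ident (addr/mask/prot/port): (192.168.0.4/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0)
   current_peer: 192.168.0.3:500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
"""

if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE):
        print(f"{sa['local']:>18} -> {sa['remote']:<16} peer={sa['peer']} "
              f"encaps={sa['encaps']} decaps={sa['decaps']} "
              f"errors={sa['send_errors']}/{sa['recv_errors']} {verdict(sa)}")
```

Feed it the full output of `show crypto ipsec sa` from either end; a tx-only pair on one side paired with rx-only on the other is the normal signature of a missing return route or NAT exemption, which is the kind of problem the original poster eventually reports fixing.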

jaymaster2000, Mon, 07/05/2010 - 20:54

All fixed now. The initial ping problem was due to not having the routes set up properly on the local networks. I bypassed the ADSL/NAT issue by setting up the 515 as a PPPoE client and putting the ADSL modem in bridge mode. Thanks everyone for your help.
