ipsec site to site vpn help!!

Answered Question
Aug 2nd, 2012

I'm doing a site-to-site VPN for the first time on an 891 to an RV 120 (GUI), but it doesn't connect. I think it might be my access list on the 891. The error that I get in the RV120 is:



2012-08-02 18:15:35: [rv120w][IKE] ERROR:  Phase 1 negotiation failed due to time up for xx.xx.xx.xx[500]. ea65b6c91b9e73de:0000000000000000
2012-08-02 18:16:11: [rv120w][IKE] INFO:  Configuration found for xx.xx.xx.xx.
2012-08-02 18:16:11: [rv120w][IKE] INFO:  Initiating new phase 1 negotiation: xx.xx.xx.xx[500]<=>xx.xx.xx.xx[500]
2012-08-02 18:16:11: [rv120w][IKE] INFO:  Beginning Identity Protection mode.
2012-08-02 18:16:11: [rv120w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
2012-08-02 18:16:11: [rv120w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4
2012-08-02 18:16:11: [rv120w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8
2012-08-02 18:16:11: [rv120w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9
2012-08-02 18:16:11: [rv120w][IKE] ERROR:  Ignore information because the message has no hash payload.
2012-08-02 18:16:42: [rv120w][IKE] ERROR:  Invalid SA protocol type: 0
2012-08-02 18:16:42: [rv120w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1.
2012-08-02 18:17:00: [rv120w][IKE] INFO:  accept a request to establish IKE-SA: 71.32.110.24
2012-08-02 18:17:00: [rv120w][IKE] WARNING:  schedular is already scheduled for SA creation for remote: "xx.xx.xx.xx"
2012-08-02 18:17:00: [rv120w][IKE] ERROR:  Failed to attach schedSaCreate in IKE configuraion

891 config
=====================================================
ip dhcp pool test
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 8.8.8.8 8.8.4.4
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
crypto isakmp policy 1
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key Testingkey address xx.xx.xx.xxx
!
crypto ipsec transform-set test1 ah-md5-hmac esp-3des
!
crypto map maptest1 2 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set test1
 match address 100
!
interface FastEthernet8
 description qwest connection
 no ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 crypto map maptest1
!
interface Vlan1
 description quest
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxx
 ppp chap password 0 xxxxxxxx
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark maptest1 category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 100 protocol ip permit
=======================================================================

Julio Carvajal Thu, 08/02/2012 - 11:48

Hello Manny,

Can you change the NAT configuration:

ip access-list extended nat
 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any

no ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list nat interface Dialer1 overload

Also, can you do the following on the router after you generate traffic for the VPN:

sh crypto isakmp sa
debug crypto isakmp
debug crypto ipsec

and provide us with the results.

The configuration on the remote site related to the VPN stuff will be a plus.

Regards,

edgsoccer Thu, 08/02/2012 - 13:30

NAT configuration changed... still not working. Thanks for the help.

891 router
==============================================
crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
xx.xx.xx.24    xx.xx.xx.134   QM_IDLE           2057 ACTIVE

IPv6 Crypto ISAKMP SA
==================================================

johnlloyd_13 Fri, 08/03/2012 - 10:17

Hi Manny,

Could you re-configure your IKE phase 1 and 2 policies on the 891 as below?

crypto isakmp policy 1
 hash md5

no crypto ipsec transform-set test1 ah-md5-hmac esp-3des
crypto ipsec transform-set test1 esp-md5-hmac esp-3des

Sent from Cisco Technical Support iPhone App

edgsoccer Fri, 08/03/2012 - 11:26

Changes made but still nothing...

=========================
Current running config 891

crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key Testingkey address xx.xx.xx.134
!
crypto ipsec transform-set test1 esp-3des esp-md5-hmac
!
crypto map maptest1 2 ipsec-isakmp
 set peer xx.xx.xx.134
 set transform-set test1
 match address 100
!
interface FastEthernet8
 description qwest connection
 no ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 crypto map maptest1
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxx
 ppp chap password 0 xxxxxxx
!
ip nat inside source list nat interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended nat
 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark maptest1 category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 100 protocol ip permit
=============================



=========================================================
RV 120 log

2012-08-03 17:56:23: [rv120w][IKE] WARNING:  schedular is already scheduled for SA creation for remote: "xx.xx.xx.24"
2012-08-03 17:56:23: [rv120w][IKE] ERROR:  Failed to attach schedSaCreate in IKE configuraion
2012-08-03 17:56:52: [rv120w][IKE] INFO:  Configuration found for xx.xx.xx.24.
2012-08-03 17:56:52: [rv120w][IKE] INFO:  Initiating new phase 1 negotiation: xx.xx.xx.134[500]<=>xx.xx.xx.24[500]
2012-08-03 17:56:52: [rv120w][IKE] INFO:  Beginning Identity Protection mode.
2012-08-03 17:56:52: [rv120w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
2012-08-03 17:56:52: [rv120w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4
2012-08-03 17:56:52: [rv120w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8
2012-08-03 17:56:52: [rv120w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9
2012-08-03 17:56:52: [rv120w][IKE] ERROR:  Ignore information because the message has no hash payload.
2012-08-03 17:57:23: [rv120w][IKE] ERROR:  Invalid SA protocol type: 0
2012-08-03 17:57:23: [rv120w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1.
2012-08-03 17:57:37: [rv120w][IKE] INFO:  accept a request to establish IKE-SA: xx.xx.xx.24
===========================================================




ROUTER 891

sh crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
71.32.110.24    97.77.166.134   MM_NO_STATE          0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
-------------------------------------------------------
debug crypto isakmp
Crypto ISAKMP debugging is on
-------------------------------------------------------
debug crypto ipsec
Crypto IPSEC debugging is on

But nothing else comes out, and I don't know how to see the log on the 891 to see the errors.

johnlloyd_13 Fri, 08/03/2012 - 17:55

Hi Manny,

Could you do:

int f8
 no crypto map maptest1

int d1
 crypto map maptest1

clear crypto isakmp sa

Ping from an internal host/PC behind the 891 and post your results.

Sent from Cisco Technical Support iPhone App

edgsoccer Sun, 08/05/2012 - 10:14

Changes were made...


891 router

ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
-------------------------------------------------------------------
host

PING 192.168.1.1 (192.168.1.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
^C
--- 192.168.1.1 ping statistics ---
7 packets transmitted, 0 packets received, 100.0% packet loss


Thank you guys, I appreciate the help...



--------------------
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA
--------------------
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxx
 ppp chap password 0 xxxxxxxx
 crypto map maptest1
----------------------
interface FastEthernet8
 description qwest connection
 no ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1

johnlloyd_13 Sun, 08/05/2012 - 23:50

Hi Manny,


Thanks for the update! Could you roll back your config and put back the crypto map under FE8 and post again your complete show run (hide sensitive info)?


Sent from Cisco Technical Support iPhone App

edgsoccer Mon, 08/06/2012 - 16:11

aaa new-model
!
aaa session-id common
!
memory-size iomem 10
service-module wlan-ap 0 bootimage autonomous
!
ip source-route
!
ip dhcp pool test
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 8.8.8.8 8.8.4.4
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key Testingkey address xx.xx.xx.134
!
crypto ipsec transform-set test1 esp-3des esp-md5-hmac
!
crypto map maptest1 2 ipsec-isakmp
 set peer xx.xx.xx.134
 set transform-set test1
 match address 100
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
 description qwest connection
 no ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 crypto map maptest1
!
interface GigabitEthernet0
 description roadrunner connection
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 no ip address
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
!
interface Vlan1
 description quest
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 description roadrunner
 no ip address
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxx
 ppp chap password 0 xxxxxx
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list nat interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended nat
 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark maptest1 category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 100 protocol ip permit
!
control-plane



Here is my current sh run... thanks John.

johnlloyd_13 Mon, 08/06/2012 - 17:31

Hi Manny,


Thanks for the update! I'm suspecting the issue might be on the RV router which hinders IKE phase 1 from establishing.


Could you check whether it has PFS (Perfect Forward Secrecy) enabled?


Sent from Cisco Technical Support iPhone App

johnlloyd_13 Mon, 08/06/2012 - 22:05

Could you disable/uncheck it on the RV router and try to generate VPN traffic from internal hosts?


Sent from Cisco Technical Support iPhone App

edgsoccer Tue, 08/07/2012 - 14:35

John


It didn't work. Do I need to do something additional on the Cisco 891 router when I disable PFS on the RV router?

johnlloyd_13 Tue, 08/07/2012 - 19:51

Hi Manny,

Could you add this on the 891:

crypto isakmp policy 1
 encryption 3des

Kindly perform VPN testing this time from behind the RV router by pinging from a host on the 192.168.1.0/24 subnet and post the following results from the 891 router:

clear crypto isakmp sa
show crypto isakmp sa
debug crypto isakmp

edgsoccer Wed, 08/08/2012 - 09:39

Changes made...

---------------------------------------------------
RV router log

2012-08-08 16:12:33: [rv120w][IKE] INFO:  Configuration found for xx.xx.xx.24.
2012-08-08 16:12:33: [rv120w][IKE] INFO:  Initiating new phase 2 negotiation: xx.xx.xx.134[500]<=>xx.xx.xx.24[0]
2012-08-08 16:12:33: [rv120w][IKE] ERROR:  Unknown notify message from xx.xx.xx.24[500].No phase2 handle found.
2012-08-08 16:13:33: [rv120w][IKE] ERROR:  Phase 2 negotiation failed due to time up. 3ac11d27fb281bf1:6b11f2ee9470918b:e4bbd59c
2012-08-08 16:13:33: [rv120w][IKE] INFO:  an undead schedule has been deleted: 'quick_i1prep'.
-----------------------------------------------------------------------------
host 10.10.10.6

PING 192.168.1.100 (192.168.1.100): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
Request timeout for icmp_seq 6
----------------------------------------------------------------------------
cisco router

show crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
xx.xx.xx.24    xx.xx.xx.134   QM_IDLE           2059 ACTIVE

IPv6 Crypto ISAKMP SA

#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

#ping 192.168.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
-----------------------------------------------------------------------------
host 192.168.1.100

Pinging 10.10.10.6 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.10.10.6:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% Loss),
-------------------------------------------------------------------------------

Crypto ISAKMP debugging is on


But nothing happens even if I ping while ISAKMP debugging is on... any suggestions on how I can see the debugging?

johnlloyd_13 Wed, 08/08/2012 - 09:57

Hi Manny,


You'll need to issue the 'terminal monitor' command in privileged EXEC mode if you're connected via Telnet. Test again and post the requested show and debug output.


Sent from Cisco Technical Support iPhone App

edgsoccer Wed, 08/08/2012 - 10:50

*Aug  8 17:56:28.646: ISAKMP:(2063):purging node -457497600
*Aug  8 17:56:29.838: ISAKMP (2063): received packet from xx.xx.xx.134 dport 500 sport 500 Global (R) QM_IDLE
*Aug  8 17:56:29.838: ISAKMP: set new node -589351332 to QM_IDLE
*Aug  8 17:56:29.838: ISAKMP:(2063): processing HASH payload. message ID = -589351332
*Aug  8 17:56:29.838: ISAKMP:(2063): processing NOTIFY DPD/R_U_THERE protocol 1
        spi 0, message ID = -589351332, sa = 0x86E939E0
*Aug  8 17:56:29.838: ISAKMP:(2063):deleting node -589351332 error FALSE reason "Informational (in) state 1"
*Aug  8 17:56:29.838: ISAKMP:(2063):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Aug  8 17:56:29.838: ISAKMP:(2063):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Aug  8 17:56:29.838: ISAKMP:(2063):DPD/R_U_THERE received from peer xx.xx.xx.134, sequence 0xAA2
*Aug  8 17:56:29.838: ISAKMP: set new node 681130243 to QM_IDLE
*Aug  8 17:56:29.838: ISAKMP:(2063):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 2250945376, message ID = 681130243
*Aug  8 17:56:29.838: ISAKMP:(2063): seq. no 0xAA2
*Aug  8 17:56:29.838: ISAKMP:(2063): sending packet to xx.xx.xx.134 my_port 500 peer_port 500 (R) QM_IDLE
*Aug  8 17:56:29.838: ISAKMP:(2063):Sending an IKE IPv4 Packet.
*Aug  8 17:56:29.838: ISAKMP:(2063):purging node 681130243
*Aug  8 17:56:29.838: ISAKMP:(2063):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Aug  8 17:56:29.838: ISAKMP:(2063):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Aug  8 17:56:32.142: ISAKMP (2063): received packet from xx.xx.xx.134 dport 500 sport 500 Global (R) QM_IDLE
*Aug  8 17:56:32.142: ISAKMP: set new node -1197739227 to QM_IDLE
*Aug  8 17:56:32.142: ISAKMP:(2063): processing HASH payload. message ID = -1197739227
*Aug  8 17:56:32.142: ISAKMP:(2063): processing SA payload. message ID = -1197739227
*Aug  8 17:56:32.142: ISAKMP:(2063):Checking IPSec proposal 1
*Aug  8 17:56:32.142: ISAKMP: transform 1, ESP_3DES
*Aug  8 17:56:32.142: ISAKMP:   attributes in transform:
*Aug  8 17:56:32.142: ISAKMP:      SA life type in seconds
*Aug  8 17:56:32.142: ISAKMP:      SA life duration (basic) of 28800
*Aug  8 17:56:32.142: ISAKMP:      encaps is 1 (Tunnel)
*Aug  8 17:56:32.142: ISAKMP:      authenticator is HMAC-MD5
*Aug  8 17:56:32.142: ISAKMP:      group is 2
*Aug  8 17:56:32.142: ISAKMP:(2063):atts are acceptable.
*Aug  8 17:56:32.142: IPSEC(validate_proposal_request): proposal part #1
*Aug  8 17:56:32.142: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= xx.xx.xx.24:0, remote= xx.xx.xx.134:0,
    local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Aug  8 17:56:32.142: IPSEC(ipsec_process_proposal): invalid local address xx.xx.xx.24
*Aug  8 17:56:32.142: ISAKMP:(2063): IPSec policy invalidated proposal with error 8
*Aug  8 17:56:32.142: ISAKMP:(2063): phase 2 SA policy not acceptable! (local xx.xx.xx.24 remote xx.xx.xx.134)
*Aug  8 17:56:32.142: ISAKMP: set new node -1934182771 to QM_IDLE
*Aug  8 17:56:32.142: ISAKMP:(2063):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2250944296, message ID = -1934182771
*Aug  8 17:56:32.142: ISAKMP:(2063): sending packet to 97.77.166.134 my_port 500 peer_port 500 (R) QM_IDLE
*Aug  8 17:56:32.142: ISAKMP:(2063):Sending an IKE IPv4 Packet.
*Aug  8 17:56:32.142: ISAKMP:(2063):purging node -1934182771
*Aug  8 17:56:32.142: ISAKMP:(2063):deleting node -1197739227 error TRUE reason "QM rejected"
*Aug  8 17:56:32.142: ISAKMP:(2063):Node -1197739227, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Aug  8 17:56:32.142: ISAKMP:(2063):Old State = IKE_QM_READY  New State = IKE_QM_READY
*Aug  8 17:56:33.774: ISAKMP:(2063):purging node -1856223832
*Aug  8 17:56:35.322: ISAKMP (2063): received packet from xx.xx.xx.134 dport 500 sport 500 Global (R) QM_IDLE
*Aug  8 17:56:35.322: ISAKMP: set new node -685236136 to QM_IDLE
*Aug  8 17:56:35.322: ISAKMP:(2063): processing HASH payload. message ID = -685236136
*Aug  8 17:56:35.322: ISAKMP:(2063): processing NOTIFY DPD/R_U_THERE protocol 1
        spi 0, message ID = -685236136, sa = 0x86E939E0
*Aug  8 17:56:35.322: ISAKMP:(2063):deleting node -685236136 error FALSE reason "Informational (in) state 1"
*Aug  8 17:56:35.322: ISAKMP:(2063):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Aug  8 17:56:35.322: ISAKMP:(2063):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Correct Answer
johnlloyd_13 Wed, 08/08/2012 - 17:32

Hi Manny,

Thanks for the debug output! I believe we're making some progress and were able to establish IKE phase 1. The problem now is to establish the IPsec SA, or IKE phase 2. Could you do the following again one more time and post the results?

int f8
 no crypto map maptest1
int d1
 crypto map maptest1
clear crypto sa
debug crypto isakmp
debug crypto ipsec
show crypto isakmp sa
show crypto ipsec sa

Sent from Cisco Technical Support iPhone App

edgsoccer Thu, 08/09/2012 - 16:12

It's working... I wonder why it didn't work the last time we did

int f8
 no crypto map maptest1

int d1
 crypto map maptest1

It worked with PFS enabled... maybe it was the

crypto isakmp policy 1
 encryption 3des

Thanks everyone for the help... Thank you John

johnlloyd_13 Thu, 08/09/2012 - 16:40

Hi Manny,

Thanks for the update and nice rating! I'm glad it's finally resolved.

Let me dissect how your IPsec VPN connection was resolved. For IKE phase 1, your RV router is using MD5 hashing and we need to specify the same on the 891 since the default is SHA-1. I thought 3DES was the default, but it's probably a different encryption type for the 891, so we need to hardcode that:

crypto isakmp policy 1
 encryption 3des
 hash md5

For IKE phase 2, both devices were using different encryption and hashing for the transform set, so we've fixed that also. The 891 doesn't have PFS or an additional DH key exchange enabled, so we need to disable that on the RV router.

crypto ipsec transform-set test1 esp-3des esp-md5-hmac

crypto map maptest1 2 ipsec-isakmp
 set peer xx.xx.xx.134
 set transform-set test1
 match address 100

Lastly, based on the 891 debug, the IPsec SA wasn't forming due to a crypto map that was applied on the wrong WAN interface. It should be applied to the dialer interface.

*Aug 8 17:56:32.142: IPSEC(ipsec_process_proposal): invalid local address xx.xx.xx.24

I would also give credit to jcarvaja for the initial amendment of the NAT and crypto ACL (+5 for him).
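As an added example (not from the thread or from Cisco), here is a small Python lint that reads a running-config with IOS indentation and flags the four issues this thread worked through: ISAKMP policy attributes left at the IOS defaults (DES and SHA-1) when the peer expects 3DES and MD5, an AH transform where the peer proposes ESP only, a crypto map applied to the PPPoE physical interface rather than the Dialer, and a NAT list that does not exempt the crypto ACL's proxy pair. The sample config is constructed from the 891's original config posted above; the peer address 203.0.113.134 is a documentation placeholder for the masked peer.

```python
"""Lint an IOS site-to-site IPsec config for the four mistakes fixed in this
thread. Added example, not from the thread; expects running-config indentation."""

# IOS defaults for ISAKMP policy attributes that are not set explicitly
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha"}

# Constructed sample: the 891's original config, trimmed; 203.0.113.134 stands in for the masked peer.
BEFORE = """\
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto ipsec transform-set test1 ah-md5-hmac esp-3des
crypto map maptest1 2 ipsec-isakmp
 set peer 203.0.113.134
 set transform-set test1
 match address 100
interface FastEthernet8
 pppoe enable group global
 pppoe-client dial-pool-number 1
 crypto map maptest1
interface Dialer1
 ip address negotiated
 ip nat outside
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def parse_ios(text):
    """Group a running-config into (command, [indented sub-commands]) pairs."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        elif not line[0].isspace():
            blocks.append((line.rstrip(), []))
    return blocks

def lint(text):
    """Return a list of findings; an empty list means all four checks pass."""
    findings, acls, maps, ifaces, nat_acl = [], {}, {}, {}, None
    for cmd, subs in parse_ios(text):
        w = cmd.split()
        if w[:3] == ["crypto", "isakmp", "policy"]:  # check 1: phase 1 left at defaults
            present = {s.split()[0] for s in subs}
            findings += [f"isakmp policy {w[3]}: {a} not set, IOS default is {d}"
                         for a, d in ISAKMP_DEFAULTS.items() if a not in present]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:  # check 2: AH where peer wants ESP
            if any(t.startswith("ah-") for t in w[4:]):
                findings.append(f"transform-set {w[3]}: uses AH, peer proposes ESP only")
        elif w[:2] == ["crypto", "map"] and "ipsec-isakmp" in w:
            maps[w[2]] = next((s.split()[2] for s in subs if s.startswith("match address ")), None)
        elif w[0] == "interface":
            ifaces[w[1]] = subs
        elif w[:4] == ["ip", "nat", "inside", "source"] and "list" in w:
            nat_acl = w[w.index("list") + 1]
        elif w[0] == "access-list" and w[2] != "remark":
            acls.setdefault(w[1], []).append(w[2:])
        elif w[:3] == ["ip", "access-list", "extended"]:
            acls.setdefault(w[3], []).extend(s.split() for s in subs)
    # check 3: map on the PPPoE port instead of the Dialer that holds the negotiated address
    for iface, subs in ifaces.items():
        cmap = [s.split()[2] for s in subs if s.startswith("crypto map ")]
        if cmap and any(s.startswith("pppoe-client") for s in subs):
            findings.append(f"crypto map {cmap[0]} on PPPoE port {iface}; move it to the Dialer")
    # check 4: the NAT list must deny the crypto ACL's proxy pair before it PATs
    nat = acls.get(nat_acl, [])
    for acl in maps.values():
        for e in acls.get(acl, []):
            if e[0] == "permit" and ["deny", *e[1:]] not in nat:
                findings.append(f"NAT list {nat_acl} does not exempt {' '.join(e[2:])}")
    return findings
```

Running `lint(BEFORE)` reports all four problems; applying the thread's fixes (encryption 3des and hash md5, an ESP-only transform set, the map moved to Dialer1, and the named NAT ACL with its deny line) brings the list to empty.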
