Pre-Shared key for remote peer missing

Justin Westover
Level 1

I am having a strange problem. I am trying to establish a site-to-site VPN between two Cisco routers (2951s). I am using the below config on both routers. One router has an interface with a public IP assigned to it, the other uses a private IP and is NATed by our ASA outbound.

If I remove the tunnel protection ipsec profile command from the tunnel interface, the tunnel comes up no problem and I can ping both ends of the tunnel. But as soon as I apply the tunnel protection on the tunnel interface, it dies. Both sides of the tunnel show up but no pings are allowed and I see in the debugs that for some reason the routers don't think the pre-shared keys are configured properly. I have gone as far as making the ISAKMP keys very simple and I know there is something I'm missing here.

On the ASA I'm allowing ESP (protocol 50) and ISAKMP (UDP 500) both directions (in and out of the firewall). I am also allowing UDP NAT-T (4500) just in case. I don't see anything on the firewall being blocked but I can't be certain that isn't causing the problem. What could I be missing here?

*****Router Config*****

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 1800
crypto isakmp key cisco123 address PUBLICIPHERE
!
crypto ipsec transform-set TRANSFORMSET_ASA_FFX esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile BACKUP_S2S
 description USED TO ENCRYPT TRAFFIC BETWEEN QCC AND FFX
 set transform-set TRANSFORMSET_ASA_FFX
!
interface tunnel 0
 ip address 10.254.10.10 255.255.255.0
 tunnel source gi0/0
 tunnel destination PUBLICIPHERE
 tunnel protection ipsec profile BACKUP_S2S

******DEBUG OUTPUT*****

Mar 26 11:04:02: ISAKMP:(0): SA request profile is (NULL)
Mar 26 11:04:02: ISAKMP: Created a peer struct for PUBLICIPHERE, peer port 500
Mar 26 11:04:02: ISAKMP: New peer created peer = 0x181758AC peer_handle = 0x80000036
Mar 26 11:04:02: ISAKMP: Locking peer struct 0x181758AC, refcount 1 for isakmp_initiator
Mar 26 11:04:02: ISAKMP: local port 500, remote port 500
Mar 26 11:04:02: ISAKMP: set new node 0 to QM_IDLE
Mar 26 11:04:02: ISAKMP:(0):insert sa successfully sa = 19616798
Mar 26 11:04:02: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Mar 26 11:04:02: ISAKMP:(0):No pre-shared key with PUBLICIPHERE!
Mar 26 11:04:02: %CRYPTO-6-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at PUBLICIPHERE is missing
Mar 26 11:04:02: ISAKMP:(0): No Cert or pre-shared address key.
Mar 26 11:04:02: ISAKMP:(0): construct_initial_message: Can not start Main mode
Mar 26 11:04:02: ISAKMP: Unlocking peer struct 0x181758AC for isadb_unlock_peer_delete_sa(), count 0
Mar 26 11:04:02: ISAKMP: Deleting peer node by peer_reap for PUBLICIPHERE: 181758AC
Mar 26 11:04:02: ISAKMP:(0):purging SA., sa=19616798, delme=19616798
Mar 26 11:04:02: ISAKMP:(0):purging node -2065852085
Mar 26 11:04:02: ISAKMP: Error while processing SA request: Failed to initialize SA
Mar 26 11:04:02: ISAKMP: Error while processing KMI message 0, error 2

Justin Westover
Level 1

Oh, and one more thing: I forgot to mention that the tunnel interface on the side using a private IP address is also in a VRF. The source and destination of the tunnel are also in a VRF, so the tunnel vrf command is issued on the tunnel.

interface tunnel 0
 ip vrf forwarding COMCAST
 ip address 10.254.10.10 255.255.255.0
 tunnel source gi0/0
 tunnel destination PUBLICIPHERE
 tunnel vrf COMCAST
 tunnel protection ipsec profile BACKUP_S2S

So if I remove the tunnel vrf COMCAST command I see the tunnel go into up-IDLE but I can't ping anything on the other side? Is there any special crypto configuration needed for vrf?

So I added this command which seems to have fixed the initial problem but I still can't ping between the two sides.

crypto keyring COMCAST vrf COMCAST
 pre-shared-key address PUBLICIPHERE key cisco123
!

Mar 26 11:55:04: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.11.1.17:500, remote= PUBLICIPHERE:500,
    local_proxy= 10.11.1.17/255.255.255.255/47/0 (type=1),
    remote_proxy= PUBLICIPHERE/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Mar 26 11:55:04: ISAKMP: set new node 0 to QM_IDLE
Mar 26 11:55:04: SA has outstanding requests  (local 25.89.90.68 port 4500, remote 25.89.90.40 port 4500)
Mar 26 11:55:04: ISAKMP:(9006): sitting IDLE. Starting QM immediately (QM_IDLE      )
Mar 26 11:55:04: ISAKMP:(9006):beginning Quick Mode exchange, M-ID of -1654812753
Mar 26 11:55:04: ISAKMP:(9006):QM Initiator gets spi
Mar 26 11:55:04: crypto_engine: Generate IKE hash
Mar 26 11:55:04: crypto_engine: Encrypt IKE packet
Mar 26 11:55:04: ISAKMP:(9006): sending packet to PUBLICIPHERE my_port 4500 peer_port 4500 (I) QM_IDLE
Mar 26 11:55:04: ISAKMP:(9006):Sending an IKE IPv4 Packet.
Mar 26 11:55:04: ISAKMP:(9006):Node -1654812753, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Mar 26 11:55:04: ISAKMP:(9006):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Mar 26 11:55:04: ISAKMP (9006): received packet from PUBLICIPHERE dport 4500 sport 4500 COMCAST (I) QM_IDLE
Mar 26 11:55:04: ISAKMP: set new node 921804095 to QM_IDLE
Mar 26 11:55:04: crypto_engine: Decrypt IKE packet
Mar 26 11:55:04: crypto_engine: Generate IKE hash
Mar 26 11:55:04: ISAKMP:(9006): processing HASH payload. message ID = 921804095
Mar 26 11:55:04: ISAKMP:(9006): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 3017918981, message ID = 921804095, sa = 0x195958C0
Mar 26 11:55:04: ISAKMP:(9006): deleting spi 3017918981 message ID = -1654812753
Mar 26 11:55:04: ISAKMP:(9006):deleting node -1654812753 error TRUE reason "Delete Larval"
Mar 26 11:55:04: ISAKMP:(9006):deleting node 921804095 error FALSE reason "Informational (in) state 1"
Mar 26 11:55:04: ISAKMP:(9006):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Mar 26 11:55:04: ISAKMP:(9006):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

OK, so I actually figured it out myself and it is up and working now. The first thing I was missing was the VRF-aware crypto key commands:

crypto keyring COMCAST vrf COMCAST
 pre-shared-key address PUBLICIPHERE key cisco123

The second thing I was missing was to enable mode transport on the transform-set:

crypto ipsec transform-set TRANSFORMSET_ASA_FFX esp-3des esp-sha-hmac
 mode transport
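An added config check (my own example, not code from this thread or from Cisco) that catches the two mismatches the thread ended with: when a protected tunnel carries "tunnel vrf", its peer's PSK must sit in a VRF-aware "crypto keyring", and the transform-set referenced by the IPsec profile must be in "mode transport". It assumes running-config style indentation, the plain-text "crypto isakmp key" form used above, and a constructed peer address 203.0.113.1 in place of PUBLICIPHERE.

```python
import re
def lint_tunnel_ipsec(config):
    """Check every 'tunnel protection' tunnel in an IOS config; [] means the pieces agree."""
    blocks = []  # (top-level command, [sub-commands]); '!' separators and blank lines skipped
    for raw in config.splitlines():
        if raw.strip() and raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            blocks.append((raw.strip(), []))
    keyrings, global_keys, transport_sets, profile_ts, findings = {}, set(), set(), {}, []
    for head, body in blocks:  # first pass: collect the crypto pieces
        if m := re.match(r"crypto keyring \S+ vrf (\S+)", head):
            keyrings.setdefault(m.group(1), set()).update(
                re.findall(r"pre-shared-key address (\S+)", "\n".join(body)))
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", head):  # plain-text key form
            global_keys.add(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+)", head):
            if "mode transport" in body:
                transport_sets.add(m.group(1))
        elif m := re.match(r"crypto ipsec profile (\S+)", head):
            profile_ts[m.group(1)] = (re.findall(r"set transform-set (\S+)", " ".join(body)) or [None])[0]
    for head, body in blocks:  # second pass: check each protected tunnel against them
        if not re.match(r"interface tunnel", head, re.I):
            continue
        opts = dict(m.groups() for sub in body
                    if (m := re.match(r"tunnel (vrf|destination|protection ipsec profile) (\S+)", sub)))
        if "protection ipsec profile" not in opts:
            continue  # plain GRE never starts IKE, so there is nothing to check
        dest, vrf = opts.get("destination"), opts.get("vrf")
        if vrf and dest not in keyrings.get(vrf, set()):
            findings.append(f"{head}: PSK for {dest} must be in 'crypto keyring ... vrf {vrf}'")
        elif not vrf and dest not in global_keys:
            findings.append(f"{head}: no 'crypto isakmp key ... address {dest}'")
        if profile_ts.get(opts["protection ipsec profile"]) not in transport_sets:
            findings.append(f"{head}: transform-set used by the profile lacks 'mode transport'")
    return findings

# Constructed sample modelled on the first post: 'tunnel vrf' is set but the PSK is only a
# global 'crypto isakmp key', and there is no 'mode transport'; FIXED adds the two commands above.
BROKEN = """crypto isakmp key cisco123 address 203.0.113.1
crypto ipsec transform-set TRANSFORMSET_ASA_FFX esp-3des esp-sha-hmac
crypto ipsec profile BACKUP_S2S
 set transform-set TRANSFORMSET_ASA_FFX
interface Tunnel0
 tunnel destination 203.0.113.1
 tunnel vrf COMCAST
 tunnel protection ipsec profile BACKUP_S2S\n"""
FIXED = BROKEN.replace("esp-sha-hmac\n", "esp-sha-hmac\n mode transport\n") + (
    "crypto keyring COMCAST vrf COMCAST\n pre-shared-key address 203.0.113.1 key cisco123\n")
```

Running lint_tunnel_ipsec(BROKEN) reports both problems and lint_tunnel_ipsec(FIXED) returns an empty list; dropping the "tunnel vrf" line from BROKEN leaves only the mode transport finding, since the global key is then the right place for the PSK.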
