Cisco 1800 VPN

Unanswered Question
Jan 12th, 2014
I am trying to create an IPsec VPN to Amazon VPC for the first time but I can't get it to work. Debug crypto isakmp shows the following:

*Jan 13 05:17:52.915: ISAKMP:(0):No pre-shared key with x.x.x.x
*Jan 13 05:17:52.915: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Jan 13 05:17:52.919: ISAKMP:(0):Encryption algorithm offered does not match policy
*Jan 13 05:17:52.919: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer x.x.x.x)

But I've checked the config and it looks right. Can anyone shed some light on it for me please?

Jon Marshall Mon, 01/13/2014 - 09:48
Chris

It looks like the phase 1 policies are not matching. Each device will run through all the phase 1 policies until it either finds a match or runs out of policies.

That's about all that can be said from what you have posted. What settings did they send you for phase 1?

Perhaps you can post the settings they sent plus your router config. I'm assuming you have set the pre-shared key and that it matches the one they sent.

Don't post the key in plaintext on this forum.

Jon
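The policy walk Jon describes, as an added example that is not part of the thread: a small Python model of an IKEv1 responder that first looks up a pre-shared key for the peer and then walks its phase 1 policies in sequence-number order, recording a reason for every policy that fails, in the spirit of the debug lines at the top of the thread. All addresses (203.0.113.0/24 and 198.51.100.0/24 documentation ranges), policy numbers and key data are constructed placeholders; the rule that a keyring whose local-address the router does not own is skipped is this model's simplification of IOS keyring selection, the lifetime rule follows Cisco's IKE documentation (the peer's lifetime must not exceed the local policy's), and the reason strings only approximate the real debug wording.

```python
"""
Added example (not from the thread): a model of how an IKEv1 responder
picks a phase 1 (ISAKMP) policy.  All data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    seq: int            # "crypto isakmp policy <seq>"; lower seq = higher priority
    encryption: str
    hash_alg: str
    authentication: str
    group: int
    lifetime: int       # seconds


@dataclass(frozen=True)
class Keyring:
    name: str
    local_address: str  # the keyring's "local-address" line
    peers: frozenset    # peer addresses that have a "pre-shared-key address" entry


# Constructed local policies mirroring the thread: two identical AES/SHA/
# pre-share policies plus IOS's implicit default policy 65535
# (DES, SHA, RSA signatures, DH group 1, 86400 s).
LOCAL_POLICIES = (
    Policy(200, "aes 128", "sha", "pre-share", 2, 28800),
    Policy(201, "aes 128", "sha", "pre-share", 2, 28800),
    Policy(65535, "des", "sha", "rsa-sig", 1, 86400),
)

# Constructed proposal as the remote peer would send it in main mode message 1.
PEER_PROPOSAL = {"encryption": "aes 128", "hash": "sha",
                 "authentication": "pre-share", "group": 2, "lifetime": 28800}


def have_psk_for(keyrings, router_addresses, peer):
    """Key lookup (simplified): a keyring counts only if its local-address is
    one the router owns and it has an entry for this peer."""
    return any(kr.local_address in router_addresses and peer in kr.peers
               for kr in keyrings)


def check_policy(policy, proposal, have_psk):
    """Return the mismatch reasons for one policy (empty list = match).
    Message texts approximate the 'debug crypto isakmp' wording."""
    reasons = []
    if proposal["authentication"] == "pre-share" and not have_psk:
        reasons.append("Preshared authentication offered but does not match policy!")
    elif proposal["authentication"] != policy.authentication:
        reasons.append("Authentication method offered does not match policy!")
    if proposal["encryption"] != policy.encryption:
        reasons.append("Encryption algorithm offered does not match policy")
    if proposal["hash"] != policy.hash_alg:
        reasons.append("Hash algorithm offered does not match policy")
    if proposal["group"] != policy.group:
        reasons.append("Diffie-Hellman group offered does not match policy")
    if proposal["lifetime"] > policy.lifetime:
        # Cisco IKE docs: the peer's lifetime must be <= the local policy's.
        reasons.append("Lifetime offered is longer than policy allows")
    return reasons


def select_policy(policies, proposal, have_psk):
    """Walk policies by seq; the first full match wins.  Returns (seq or None, log)."""
    log = []
    for pol in sorted(policies, key=lambda p: p.seq):
        reasons = check_policy(pol, proposal, have_psk)
        if not reasons:
            log.append(f"policy {pol.seq} accepted")
            return pol.seq, log
        log.extend(f"policy {pol.seq}: {r}" for r in reasons)
    log.append('deleting SA reason "Phase1 SA policy proposal not accepted"')
    return None, log


def negotiate(router_addresses, keyrings, peer):
    """Responder-side decision for one peer: key lookup, then the policy walk."""
    have_psk = have_psk_for(keyrings, router_addresses, peer)
    log = [] if have_psk else [f"No pre-shared key with {peer}"]
    seq, walk = select_policy(LOCAL_POLICIES, PEER_PROPOSAL, have_psk)
    return seq, log + walk


if __name__ == "__main__":
    kr = Keyring("keyring-vpn-amazon_vpc_1", "203.0.113.10", frozenset({"198.51.100.1"}))
    # Keyring bound to an address the router owns: policy 200 is accepted.
    print(negotiate({"203.0.113.10"}, [kr], "198.51.100.1"))
    # Keyring bound to an address the router does not own: the key lookup
    # fails, so no policy can accept a pre-share proposal.
    print(negotiate({"192.0.2.26"}, [kr], "198.51.100.1"))
```

The second scenario is what makes the model useful: every policy fails on the authentication check before any algorithm is compared, and the default policy 65535 additionally fails on encryption and DH group, so the log ends with the same "Phase1 SA policy proposal not accepted" deletion even though policies 200 and 201 agree with the proposal on every algorithm.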

chrisgerke Mon, 01/13/2014 - 14:10
The config for the 1800 is...I simply copied the settings from the wizard provided by the Amazon VPC setup. However there was one line in it that will not apply to my router.

track 100 ip sla 100 reachability

Current configuration : 3741 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxxxxxxxxxxxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool LAN
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server xxxxxxxxxxxxxxxxxxxxxxxxxx
   lease 5
!
!
ip name-server xxxxxxxxxxxxxxxxxxxxxxxxxx
ip sla 100
icmp-echo 169.254.247.17 source-interface Tunnel1
timeout 1000
frequency 5
ip sla schedule 100 life forever start-time now
ip sla 200
icmp-echo 169.254.247.21 source-interface Tunnel2
timeout 1000
frequency 5
ip sla schedule 200 life forever start-time now
!
!
!
!
crypto keyring keyring-vpn-amazon_vpc_1
  local-address MY_ADSL_EXTERNAL_STATIC_IP
  pre-shared-key address AMAZON_PROVIDED_PEER_1 key xxxxxxxxxxxxxxxxxxxxxxxxxx
crypto keyring keyring-vpn-amazon_vpc_2
  local-address MY_ADSL_EXTERNAL_STATIC_IP
  pre-shared-key address AMAZON_PROVIDED_PEER_2 key xxxxxxxxxxxxxxxxxxxxxxxxxx
!
crypto isakmp policy 200
encr aes
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 201
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp keepalive 10 10
crypto isakmp profile isakmp-vpn-amazon_vpc_1
   keyring keyring-vpn-amazon_vpc_1
   match identity address AMAZON_PROVIDED_PEER_1 255.255.255.255
   local-address MY_ADSL_EXTERNAL_STATIC_IP
crypto isakmp profile isakmp-vpn-amazon_vpc_2
   keyring keyring-vpn-amazon_vpc_2
   match identity address AMAZON_PROVIDED_PEER_2 255.255.255.255
   local-address MY_ADSL_EXTERNAL_STATIC_IP
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ipsec-prop-vpn-amazon_vpc_1 esp-aes esp-sha-hmac
crypto ipsec transform-set ipsec-prop-vpn-amazon_vpc_2 esp-aes esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile ipsec-vpn-amazon_vpc_1
set transform-set ipsec-prop-vpn-amazon_vpc_1
set pfs group2
!
crypto ipsec profile ipsec-vpn-amazon_vpc_2
set transform-set ipsec-prop-vpn-amazon_vpc_2
set pfs group2
!
!
!
!
!
interface Tunnel1
ip address 169.254.247.18 255.255.255.252
ip virtual-reassembly
ip tcp adjust-mss 1387
tunnel source MY_ADSL_EXTERNAL_STATIC_IP
tunnel destination AMAZON_PROVIDED_PEER_1
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-vpn-amazon_vpc_1
!
interface Tunnel2
ip address 169.254.247.22 255.255.255.252
ip virtual-reassembly
ip tcp adjust-mss 1387
tunnel source MY_ADSL_EXTERNAL_STATIC_IP
tunnel destination AMAZON_PROVIDED_PEER_2
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-vpn-amazon_vpc_2
!
interface FastEthernet0
description ISP
ip address 192.168.1.26 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
switchport access vlan 13
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
no ip address
!
interface Vlan13
ip address 10.10.10.1 255.255.255.0
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
router eigrp 1
no auto-summary
!
ip route 10.0.0.0 255.255.0.0 Tunnel1 track 100
ip route 10.0.0.0 255.255.0.0 Tunnel2 track 200
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
control-plane
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!

auVPC01 con0 is now available

Press RETURN to get started.

Jon Marshall Mon, 01/13/2014 - 14:29
Chris

Is there meant to be a link or diagram in the last bit of your post?

Jon

Jon Marshall Mon, 01/13/2014 - 14:46
Chris

Not sure what to tell you then. Can you try removing the key and retyping it in, as I have made that sort of mistake myself before.

Also can you post all of the configuration settings for the other end.

Jon

chrisgerke Mon, 01/13/2014 - 14:55
Unfortunately I already tried that and it didn't help. The following are the settings from the other end (note that I do not have direct console access); the other end is Amazon VPC. The following is the txt file that the VPC wizard produces.

The only thing I can think is that the port forwarding on my ADSL modem to the Cisco 1800 isn't set up correctly or isn't working. Maybe I need to put that modem in bridged mode and set the ISP external IP on the 1800 interface.

! Amazon Web Services
! Virtual Private Cloud

! AWS utilizes unique identifiers to manipulate the configuration of
! a VPN Connection. Each VPN Connection is assigned an identifier and is
! associated with two other identifiers, namely the
! Customer Gateway Identifier and Virtual Private Gateway Identifier.
!
! Your VPN Connection ID                       : xxxxxxxxxxxxxxxxxxxxxxxxxx
! Your Virtual Private Gateway ID         : xxxxxxxxxxxxxxxxxxxxxxxxxx
! Your Customer Gateway ID                      : xxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
! This configuration consists of two tunnels. Both tunnels must be
! configured on your Customer Gateway.
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #1
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
!
! Note that there are a global list of ISAKMP policies, each identified by
! sequence number. This policy is defined as #200, which may conflict with
! an existing policy using the same number. If so, we recommend changing
! the sequence number to avoid conflicts.
!
crypto isakmp policy 200
  encryption aes 128
  authentication pre-share
  group 2
  lifetime 28800
  hash sha
exit

! The ISAKMP keyring stores the Pre Shared Key used to authenticate the
! tunnel endpoints.
!
crypto keyring keyring-vpn-amazon_vpc_1
  local-address MY_ADSL_EXTERNAL_STATIC_IP
  pre-shared-key address AMAZON_PROVIDED_PEER_1 key xxxxxxxxxxxxxxxxxxxxxxxxxx
exit

! An ISAKMP profile is used to associate the keyring with the particular
! endpoint.
!
crypto isakmp profile isakmp-vpn-amazon_vpc_1
  local-address MY_ADSL_EXTERNAL_STATIC_IP
  match identity address AMAZON_PROVIDED_PEER_1
  keyring keyring-vpn-amazon_vpc_1
exit

! #2: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
!
crypto ipsec transform-set ipsec-prop-vpn-amazon_vpc_1 esp-aes 128 esp-sha-hmac
  mode tunnel
exit

! The IPSec profile references the IPSec transform set and further defines
! the Diffie-Hellman group and security association lifetime.
!
crypto ipsec profile ipsec-vpn-amazon_vpc_1
  set pfs group2
  set security-association lifetime seconds 3600
  set transform-set ipsec-prop-vpn-amazon_vpc_1
exit

! Additional parameters of the IPSec configuration are set here. Note that
! these parameters are global and therefore impact other IPSec
! associations.
! This option instructs the router to clear the "Don't Fragment"
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
crypto ipsec df-bit clear

! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
crypto isakmp keepalive 10 10 on-demand

! This configures the gateway's window for accepting out of order
! IPSec packets. A larger window can be helpful if too many packets
! are dropped due to reordering while in transit between gateways.
!
crypto ipsec security-association replay window-size 128

! This option instructs the router to fragment the unencrypted packets
! (prior to encryption).
!
crypto ipsec fragmentation before-encryption

! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
! Association with the IPSec security association is done through the
! "tunnel protection" command.
!
! The address of the interface is configured with the setup for your
! Customer Gateway.  If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.
!
interface Tunnel1
  ip address 169.254.247.18 255.255.255.252
  ip virtual-reassembly
  tunnel source MY_ADSL_EXTERNAL_STATIC_IP
  tunnel destination AMAZON_PROVIDED_PEER_1
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile ipsec-vpn-amazon_vpc_1
  ! This option causes the router to reduce the Maximum Segment Size of
  ! TCP packets to prevent packet fragmentation.
  ip tcp adjust-mss 1387
  no shutdown
exit

! ----------------------------------------------------------------------------
! #4 Static Route Configuration
!
! Your Customer Gateway needs to set a static route for the prefix corresponding to your
! VPC to send traffic over the tunnel interface.
! An example for a VPC with the prefix 10.0.0.0/16 is provided below:
! ip route 10.0.0.0 255.255.0.0 Tunnel1 track 100
!
! SLA Monitor is used to provide a failover between the two tunnels. If the primary tunnel fails, the redundant tunnel will automatically be used
! This sla is defined as #100, which may conflict with an existing sla using same number.
! If so, we recommend changing the sequence number to avoid conflicts.
!
ip sla 100
   icmp-echo 169.254.247.17 source-interface Tunnel1
   timeout 1000
   frequency 5
exit
ip sla schedule 100  life forever start-time now
track 100 ip sla 100 reachability
! --------------------------------------------------------------------------------
! --------------------------------------------------------------------------------
! IPSec Tunnel #2
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
!
! Note that there are a global list of ISAKMP policies, each identified by
! sequence number. This policy is defined as #201, which may conflict with
! an existing policy using the same number. If so, we recommend changing
! the sequence number to avoid conflicts.
!
crypto isakmp policy 201
  encryption aes 128
  authentication pre-share
  group 2
  lifetime 28800
  hash sha
exit

! The ISAKMP keyring stores the Pre Shared Key used to authenticate the
! tunnel endpoints.
!
crypto keyring keyring-vpn-amazon_vpc_2
  local-address MY_ADSL_EXTERNAL_STATIC_IP
  pre-shared-key address AMAZON_PROVIDED_PEER_2 key xxxxxxxxxxxxxxxxxxxxxxxxxx
exit

! An ISAKMP profile is used to associate the keyring with the particular
! endpoint.
!
crypto isakmp profile isakmp-vpn-amazon_vpc_2
  local-address MY_ADSL_EXTERNAL_STATIC_IP
  match identity address AMAZON_PROVIDED_PEER_2
  keyring keyring-vpn-amazon_vpc_2
exit

! #2: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
!
crypto ipsec transform-set ipsec-prop-vpn-amazon_vpc_2 esp-aes 128 esp-sha-hmac
  mode tunnel
exit

! The IPSec profile references the IPSec transform set and further defines
! the Diffie-Hellman group and security association lifetime.
!
crypto ipsec profile ipsec-vpn-amazon_vpc_2
  set pfs group2
  set security-association lifetime seconds 3600
  set transform-set ipsec-prop-vpn-amazon_vpc_2
exit

! Additional parameters of the IPSec configuration are set here. Note that
! these parameters are global and therefore impact other IPSec
! associations.
! This option instructs the router to clear the "Don't Fragment"
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
crypto ipsec df-bit clear

! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
crypto isakmp keepalive 10 10 on-demand

! This configures the gateway's window for accepting out of order
! IPSec packets. A larger window can be helpful if too many packets
! are dropped due to reordering while in transit between gateways.
!
crypto ipsec security-association replay window-size 128

! This option instructs the router to fragment the unencrypted packets
! (prior to encryption).
!
crypto ipsec fragmentation before-encryption

! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
! Association with the IPSec security association is done through the
! "tunnel protection" command.
!
! The address of the interface is configured with the setup for your
! Customer Gateway.  If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.
!
interface Tunnel2
  ip address 169.254.247.22 255.255.255.252
  ip virtual-reassembly
  tunnel source MY_ADSL_EXTERNAL_STATIC_IP
  tunnel destination AMAZON_PROVIDED_PEER_2
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile ipsec-vpn-amazon_vpc_2
  ! This option causes the router to reduce the Maximum Segment Size of
  ! TCP packets to prevent packet fragmentation.
  ip tcp adjust-mss 1387
  no shutdown
exit

! ----------------------------------------------------------------------------
! #4 Static Route Configuration
!
! Your Customer Gateway needs to set a static route for the prefix corresponding to your
! VPC to send traffic over the tunnel interface.
! An example for a VPC with the prefix 10.0.0.0/16 is provided below:
! ip route 10.0.0.0 255.255.0.0 Tunnel2 track 200
!
! SLA Monitor is used to provide a failover between the two tunnels. If the primary tunnel fails, the redundant tunnel will automatically be used
! This sla is defined as #200, which may conflict with an existing sla using same number.
! If so, we recommend changing the sequence number to avoid conflicts.
!
ip sla 200
   icmp-echo 169.254.247.21 source-interface Tunnel2
   timeout 1000
   frequency 5
exit
ip sla schedule 200  life forever start-time now
track 200 ip sla 200 reachability
! --------------------------------------------------------------------------------

! Additional Notes and Questions
!  - Amazon Virtual Private Cloud Getting Started Guide:
!       http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
!  - Amazon Virtual Private Cloud Network Administrator Guide:
!       http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
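To put the two posted phase 1 policy sets side by side, here is an added Python example that is not part of the thread or of the Amazon-generated file: it parses the "crypto isakmp policy" blocks out of IOS-style text, fills in IOS's documented defaults for lines that are omitted (DES, SHA, RSA signatures, DH group 1, 86400 s), normalises the "encr aes" that show running-config prints to "aes 128", and diffs the two sides attribute by attribute. The two snippets embedded in it are copied from the router config and the Amazon file above; the defaults table, the parser and the diff are the example's own.

```python
"""
Added example (not from the thread): parse and diff "crypto isakmp policy"
blocks from two IOS-style config texts after applying IOS defaults.
"""
import re

# Defaults IOS applies to a phase 1 policy when a line is omitted.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}

# Policy keywords, including the "encr" abbreviation that "show run" prints.
ATTR_KEYWORDS = {"encr": "encryption", "encryption": "encryption", "hash": "hash",
                 "authentication": "authentication", "group": "group",
                 "lifetime": "lifetime"}

# Copied from the router's "show run" posted earlier in the thread.
ROUTER_SIDE = """
crypto isakmp policy 200
encr aes
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 201
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp keepalive 10 10
"""

# Copied from the Amazon-generated file posted above.
AWS_SIDE = """
crypto isakmp policy 200
  encryption aes 128
  authentication pre-share
  group 2
  lifetime 28800
  hash sha
exit
crypto isakmp policy 201
  encryption aes 128
  authentication pre-share
  group 2
  lifetime 28800
  hash sha
exit
"""


def normalize(attr, value):
    """Canonical spelling so 'encr aes' and 'encryption aes 128' compare equal."""
    if attr == "encryption" and value == "aes":
        return "aes 128"          # IOS: a bare 'aes' means a 128-bit key
    return value


def parse_isakmp_policies(text):
    """Return {seq: {attr: value}} with IOS defaults filled in."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                              # comment / separator lines
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(IOS_DEFAULTS)
            continue
        parts = line.split(None, 1)
        if current is not None and parts[0] in ATTR_KEYWORDS and len(parts) == 2:
            attr = ATTR_KEYWORDS[parts[0]]
            policies[current][attr] = normalize(attr, parts[1].strip())
        else:
            current = None                        # any other line ends the block
    return policies


def diff_policies(a, b):
    """{seq: {attr: (a_value, b_value)}} for every attribute that differs;
    a policy present on one side only is reported under the key 'missing'."""
    out = {}
    for seq in sorted(set(a) | set(b)):
        if seq not in a or seq not in b:
            out[seq] = {"missing": ("present" if seq in a else None,
                                    "present" if seq in b else None)}
            continue
        diffs = {k: (a[seq][k], b[seq][k])
                 for k in IOS_DEFAULTS if a[seq][k] != b[seq][k]}
        if diffs:
            out[seq] = diffs
    return out


if __name__ == "__main__":
    router = parse_isakmp_policies(ROUTER_SIDE)
    aws = parse_isakmp_policies(AWS_SIDE)
    print("router policy 200 after defaults:", router[200])
    print("differences:", diff_policies(router, aws) or "none")
```

Run as a script it reports no differences: once the defaults are applied, the router's policies 200 and 201 carry the same encryption, hash, authentication, group and lifetime as the Amazon file's, so the debug lines at the top of the thread, which begin with the pre-shared key lookup rather than with an attribute comparison, are the place to look next.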
