Cisco Support Community

when creating a second IPSEC tunnel the first one drops

Hi,

Here is my design:

VPN clients ----- router ----------- PIX

It is impossible for me to have two tunnels at the same time!

The message I get on the first client is "The remote peer has terminated your VPN connection".

The second client is connected!

Here is the debug on the PIX when the second client connects:

medibeg-Loos#

medibeg-Loos# sh isa sa

Total : 0

Embryonic : 0

dst src state pending created

medibeg-Loos#

ISAKMP: Deleting peer node for 213.118.68.208

crypto_isakmp_process_block: src 217.136.217.127, dest Outside-Address

VPN Peer: ISAKMP: Added new peer: ip:217.136.217.127 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:217.136.217.127 Ref cnt incremented to:1 Total VPN Peers:1

OAK_AG exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 8 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 8 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 8 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 8 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 8 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 8 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 8 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4

crypto_isakmp_process_block: src 217.136.217.127, dest Outside-Address

OAK_AG exchange

crypto_isakmp_process_block: src 217.136.217.127, dest Outside-Address

OAK_QM exchange

oakley_process_quick_mode:

crypto_isakmp_process_block: src 217.136.217.127, dest Outside-Address

crypto_isakmp_process_block: src 217.136.217.127, dest Outside-Address

VPN Peer: ISAKMP: Peer ip:217.136.217.127 Ref cnt incremented to:4 Total VPN Peers:1

OAK_AG exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 8 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 8 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 8 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 8 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 8 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 8 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 8 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

crypto_isakmp_process_block: src 217.136.217.127, dest Outside-Address

OAK_AG exchange

crypto_isakmp_process_block: src 217.136.217.127, dest Outside-Address

ISAKMP_TRANSACTION exchange

ISAKMP (0:0): processing transaction payload from 217.136.217.127. message ID = 2158345932

ISAKMP: Config payload CFG_REQUEST

ISAKMP (0:0): checking request:

crypto_isakmp_process_block: src 217.136.217.127, dest Outside-Address

ISAKMP_TRANSACTION exchange

ISAKMP (0:0): processing transaction payload from 217.136.217.127. message ID = 2158345932

ISAKMP: Config payload CFG_REQUEST

ISAKMP (0:0): checking request:

ISAKMP: attribute IP4_ADDRESS (1)

ISAKMP: attribute IP4_NETMASK (2)

ISAKMP: attribute IP4_DNS (3)

ISAKMP: attribute IP4_NBNS (4)

ISAKMP: attribute ADDRESS_EXPIRY (5)

crypto_isakmp_process_block: src 217.136.217.127, dest Outside-Address

ISAKMP_TRANSACTION exchange

ISAKMP (0:0): processing transaction payload from 217.136.217.127. message ID = 2158345932

crypto_isakmp_process_block: src 217.136.217.127, dest Outside-Address

OAK_QM exchange

crypto_isakmp_process_block: src 217.136.217.127, dest Outside-Address

OAK_QM exchange

ISADB: reaper checking SA 0x80a72928, conn_id = 0

ISADB: reaper checking SA 0x80a713a0, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:217.136.217.127 Ref cnt decremented to:3 Total VPN Peers:1

IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with 217.136.217.127

VPN Peer: IPSEC: Peer ip:217.136.217.127 Decrementing Ref cnt to:2 Total VPN Peers:1

medibeg-Loos#

medibeg-Loos#

medibeg-Loos#

medibeg-Loos# sh isa sa

Total : 1

Embryonic : 0

dst src state pending created

Outside-Address 217.136.217.127 QM_IDLE 0 1

medibeg-Loos# sh ipsec sa

interface: outside

Crypto map tag: cms-standard, local addr. Outside-Address

local ident (addr/mask/prot/port): (oXya-Medibeg/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (LAN-Medibeg_wvg/255.255.255.0/0/0)

current_peer: 194.242.184.73

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: Outside-Address, remote crypto endpt.: 194.242.184.73

path mtu 1492, ipsec overhead 0, media mtu 1492

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

medibeg-Loos#

medibeg-Loos#

medibeg-Loos#

What's going on?
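The debug above is long and mostly repetitive, so as an added example (not part of the original post, and not Cisco code) here is a small parser for the lines that matter in a PIX "debug crypto isakmp" trace: which peer was deleted, which was added, and what each proposed phase 1 transform contained and whether it was rejected. The only interpretation added beyond what the log prints is the decoding of the encryption value: the PIX prints "What? 7?" for an attribute value it does not recognise, and 7 is the IKEv1 (IPsec DOI) identifier for AES-CBC, so this PIX code is rejecting every AES proposal against policy 8. Two things worth checking against the replies below: the deleted peer (213.118.68.208) and the new peer (217.136.217.127) arrive from different public addresses, and the lifetime bytes 0x0 0x20 0xc4 0x9b decode to 2,147,483 seconds. The SAMPLE text is an excerpt of the pasted debug, trimmed to two of the nine transforms.

```python
import re

# Excerpt of the PIX "debug crypto isakmp" output pasted in the post above
# (constructed sample for this example: two of the nine transforms plus the
# peer add/delete lines).
SAMPLE = """\
ISAKMP: Deleting peer node for 213.118.68.208
crypto_isakmp_process_block: src 217.136.217.127, dest Outside-Address
VPN Peer: ISAKMP: Added new peer: ip:217.136.217.127 Total VPN Peers:1
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 8 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 8 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
"""

# IKEv1 (IPsec DOI) encryption algorithm identifiers, used to decode the value
# the PIX prints as "What? N?" when its code does not recognise it.
IKE_ENCR = {1: "DES-CBC", 2: "IDEA-CBC", 3: "Blowfish-CBC", 4: "RC5-R16-B64-CBC",
            5: "3DES-CBC", 6: "CAST-CBC", 7: "AES-CBC", 8: "CAMELLIA-CBC"}

RE_TRANSFORM = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
RE_UNKNOWN_ENCR = re.compile(r"encryption\.\.\. What\? (\d+)\?")
RE_LIFE = re.compile(r"life duration \(VPI\) of ((?:0x[0-9a-fA-F]+\s*)+)")
RE_PEER_ADD = re.compile(r"Added new peer: ip:(\S+)")
RE_PEER_DEL = re.compile(r"Deleting peer node for (\S+)")


def lifetime_seconds(hex_bytes: str) -> int:
    """'0x0 0x20 0xc4 0x9b' -> 2147483 (big-endian, variable-length integer)."""
    value = 0
    for tok in hex_bytes.split():
        value = (value << 8) | int(tok, 16)
    return value


def parse_debug(text: str) -> dict:
    """Extract peer add/delete events and each phase 1 transform with its verdict."""
    result = {"peers_deleted": [], "peers_added": [], "transforms": []}
    current = None
    for line in text.splitlines():
        if m := RE_PEER_DEL.search(line):
            result["peers_deleted"].append(m.group(1))
        elif m := RE_PEER_ADD.search(line):
            result["peers_added"].append(m.group(1))
        elif m := RE_TRANSFORM.search(line):
            current = {"transform": int(m.group(1)), "policy": int(m.group(2)),
                       "encryption": None, "hash": None, "group": None,
                       "auth": None, "lifetime_s": None, "accepted": None}
            result["transforms"].append(current)
        elif current is None:
            continue                      # attribute lines before any transform
        elif m := RE_UNKNOWN_ENCR.search(line):
            n = int(m.group(1))
            current["encryption"] = f"{IKE_ENCR.get(n, 'unknown')} ({n}, not understood by this PIX)"
        elif line.startswith("ISAKMP: hash "):
            current["hash"] = line.split("hash ", 1)[1]
        elif "default group" in line:
            current["group"] = int(line.rsplit(" ", 1)[1])
        elif "auth pre-share" in line:
            current["auth"] = "xauth+pre-share" if "extended" in line else "pre-share"
        elif m := RE_LIFE.search(line):
            current["lifetime_s"] = lifetime_seconds(m.group(1))
        elif "atts are not acceptable" in line:
            current["accepted"] = False
        elif "atts are acceptable" in line:
            current["accepted"] = True
    return result


def summary(parsed: dict) -> str:
    """One line per event and per transform, for reading a long trace quickly."""
    lines = [f"peer deleted: {p}" for p in parsed["peers_deleted"]]
    lines += [f"peer added:   {p}" for p in parsed["peers_added"]]
    for t in parsed["transforms"]:
        state = "rejected" if t["accepted"] is False else "accepted"
        lines.append(f"transform {t['transform']} vs policy {t['policy']}: {state}; "
                     f"{t['encryption']}, {t['hash']}, DH group {t['group']}, "
                     f"{t['auth']}, lifetime {t['lifetime_s']}s")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary(parse_debug(SAMPLE)))
```

Feed the whole pasted trace to parse_debug() to get all nine transforms; every one is rejected against priority 8 for the same reason, the unrecognised encryption value, so the client's later QM_IDLE state must have come from a match against a policy the trace does not show.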

  • Other Security Subjects
4 REPLIES
Re: when creating a second IPSEC tunnel the first one drops

If they both connect just fine, it sounds like a NAT/PAT issue. You show client-router-PIX as your design. Are you doing PAT for your clients on the router? You will need to have static 1-to-1 NAT translations. If this is just in your lab, turn NAT/PAT off and use your default gateways for routing.

Kurtis Durrett

Re: when creating a second IPSEC tunnel the first one drops

We ran into the same thing. The client works best with a TCP connection, and make sure they have a cable/DSL router that can handle multiple tunnels. We have as many as 8 tunnels running through one Linksys.

Re: when creating a second IPSEC tunnel the first one drops

Hi Kurtis,

Do you agree with the following:

"

I am assuming that the local LAN has a private subnet and the internet-facing side of the router has one official IP address.

Further assuming the router is configured to do source address PAT/NAT to its own internet-facing IP address.

Now when a client initiates a VPN connection and no SAs are in place, in the first instance IKE/ISAKMP will be invoked.

As we know, ISAKMP packets are designed to use UDP 500 as the destination but unfortunately also as the source port. How would a PAT device be able to distinguish client A's UDP source port 500 from client B's? Well, it can't.

Now the Cisco guy suggests doing a NAT for each client to one "internet address", as I understand it, so you would have to provide additional "internet addresses".

Now the packet arrives at the PIX and the PIX needs to know who it is talking to in terms of identity to be able to look up keys. Now this identity is bound to an IP address, so this is why we have to use static translation.

I think it should be possible to use dynamic translation and configure wildcard keys on the PIX if pre-shared keys are used as the authentication method, as an alternative to static translation.

Alternatively you could have the router do the IPsec on behalf of the clients.

"

Re: when creating a second IPSEC tunnel the first one drops

The reason that PAT doesn't work with IPsec is an OSI issue. PAT works at layer 4 of the OSI model, whereas ESP, the protocol that IPsec uses, works at the network layer, layer 3. When connecting to a concentrator the clients have the ability to use layer 4, PAT, to connect with it as a feature which is negotiated. PIX and routers will be able to do this as well soon enough. You can configure wildcard keys on the PIX, but when connecting your 3.x client to it you lose all the group features. But you still will NOT be able to connect to the PIX unless you are being statically translated or have some other feature on the PAT device such as NAT traversal. If you're running 12.2.8T (might be a little bit earlier) on your router, you can statically map the protocol ESP to a single address. This will allow you to connect one client through the PAT device to the remote end.

Your other option is, like you said, to set up an L2L tunnel and it's all good.

Kurtis Durrett
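The two replies above (the quoted explanation of UDP 500 source ports and the note that ESP has no layer 4 ports for PAT to work with) describe a mechanism that is easy to see in a toy model. The following is an added example, not code from the thread or from Cisco: it simulates two inside hosts behind one PAT address bringing up IKE and then sending tunnel traffic, first against a gateway that keys its IKE peer table on source IP alone and carries data in plain ESP, then with NAT-Traversal style UDP 4500 encapsulation. All addresses are constructed, and the gateway's peer-table behaviour (a second negotiation from the same address replaces the first, mirroring the "Deleting peer node" line in the debug) is an assumption of the model.

```python
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "203.0.113.1"    # constructed: the router's one outside address
GATEWAY = "198.51.100.1"     # constructed: the PIX outside address
CLIENTS = {"A": "192.168.1.10", "B": "192.168.1.11"}   # constructed inside hosts


@dataclass(frozen=True)
class Packet:
    proto: str                    # "udp" or "esp"
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP: it has no transport header
    dport: Optional[int] = None


class PatRouter:
    """Overloads every inside host onto PUBLIC_IP.

    UDP flows are told apart by a rewritten source port. ESP carries no port,
    so all the router can record is that some inside host sent ESP.
    """

    def __init__(self):
        self.udp = {}            # (inside_ip, inside_port) -> outside_port
        self.esp_senders = []
        self.next_port = 1024

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == "esp":
            if pkt.src not in self.esp_senders:
                self.esp_senders.append(pkt.src)
            return Packet("esp", PUBLIC_IP, pkt.dst)
        key = (pkt.src, pkt.sport)
        if key not in self.udp:
            if pkt.sport in set(self.udp.values()):   # port taken by another host
                port, self.next_port = self.next_port, self.next_port + 1
            else:
                port = pkt.sport                      # first host keeps its port
            self.udp[key] = port
        return Packet("udp", PUBLIC_IP, pkt.dst, self.udp[key], pkt.dport)

    def inbound_targets(self, pkt: Packet):
        """Inside hosts a reply packet could belong to (ideally exactly one)."""
        if pkt.proto == "esp":
            return list(self.esp_senders)     # no port: every ESP sender qualifies
        return [ip for (ip, _), port in self.udp.items() if port == pkt.dport]


class Gateway:
    """IKE peer table keyed on IP only (classic) or on IP+port (NAT-T aware)."""

    def __init__(self, nat_t: bool):
        self.nat_t = nat_t
        self.peers = {}
        self.events = []

    def ike(self, pkt: Packet, client: str):
        key = (pkt.src, pkt.sport) if self.nat_t else pkt.src
        if key in self.peers and self.peers[key] != client:
            self.events.append(f"Deleting peer node for {self.peers[key]}")
        self.peers[key] = client
        self.events.append(f"Added new peer {client} at {key}")

    def reply(self, pkt: Packet) -> Packet:
        """Tunnel data the gateway sends back for the flow that did this IKE."""
        if self.nat_t:   # ESP-in-UDP: reply goes to the port the IKE came from
            return Packet("udp", GATEWAY, pkt.src, 4500, pkt.sport)
        return Packet("esp", GATEWAY, pkt.src)


def run(nat_t: bool) -> dict:
    """Bring up clients A then B through one PAT address; report the outcome."""
    router, gw = PatRouter(), Gateway(nat_t)
    port = 4500 if nat_t else 500
    flows = {}
    for client, inside in CLIENTS.items():
        ike = router.outbound(Packet("udp", inside, GATEWAY, port, port))
        gw.ike(ike, client)
        if not nat_t:
            router.outbound(Packet("esp", inside, GATEWAY))
        flows[client] = ike
    return {
        "peers_up": sorted(gw.peers.values()),
        "dropped": [e for e in gw.events if e.startswith("Deleting")],
        "return_traffic_ambiguous": {
            c: len(router.inbound_targets(gw.reply(p))) != 1 for c, p in flows.items()
        },
    }


if __name__ == "__main__":
    print("classic:", run(nat_t=False))
    print("nat-t:  ", run(nat_t=True))
```

In classic mode the second client's IKE arrives from the same public address and replaces the first peer, and inbound ESP for either client cannot be mapped back to one inside host. With UDP encapsulation each client's flow carries a distinct translated port, so both peers stay up and every reply has exactly one owner. This is the same reason static 1-to-1 translation per client works: it gives each client its own public address to be keyed on.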
