Re: DMVPN ISAKMP SA doesn't stablish create

gustavo-salazar · ‎10-23-2009

Hi everyone,

I'm having toruble with a basic configuration DMVPN. The debug ISAKMp shows:

06:42:44: ISAKMP (0:61): beginning Main Mode exchange

06:42:44: ISAKMP (0:61): sending packet to 64.116.x.x my_port 500 peer_port 500 (I) MM_NO_STATE

06:42:54: ISAKMP (0:61): retransmitting phase 1 MM_NO_STATE...

06:42:54: ISAKMP (0:61): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

06:42:54: ISAKMP (0:61): retransmitting phase 1 MM_NO_STATE

06:42:54: ISAKMP (0:61): sending packet to 64.116.x.x my_port 500 peer_port 500 (I) MM_NO_STATE

06:43:04: ISAKMP (0:61): retransmitting phase 1 MM_NO_STATE...

07:25:44: ISAKMP (0:102): SA is still budding. Attached new ipsec request to it. (local 190.201.x.x, remote 64.116.x.x)

07:25:44: ISAKMP (0:102): retransmitting phase 1 MM_NO_STATE...

07:25:44: ISAKMP (0:102): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

07:25:44: ISAKMP (0:102): retransmitting phase 1 MM_NO_STATE

07:25:44: ISAKMP (0:102): sending packet to 64.116.x.x my_port 500 peer_port 500 (I) MM_NO_STATE

07:25:54: ISAKMP (0:102): retransmitting phase 1 MM_NO_STATE...

07:25:54: ISAKMP (0:102): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

07:25:54: ISAKMP (0:102): retransmitting phase 1 MM_NO_STATE

07:25:54: ISAKMP (0:102): sending packet to 64.116.x.x my_port 500 peer_port 500 (I) MM_NO_STATE

07:26:03: ISAKMP (0:101): purging node -217235525

07:26:03: ISAKMP (0:101): purging node 980938630

07:26:04: ISAKMP (0:102): retransmitting phase 1 MM_NO_STATE...

07:26:04: ISAKMP (0:102): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

07:26:04: ISAKMP (0:102): retransmitting phase 1 MM_NO_STATE

07:26:04: ISAKMP (0:102): sending packet to 64.116.x.x my_port 500 peer_port 500 (I) MM_NO_STATE

07:26:13: ISAKMP (0:101): purging SA., sa=82F535C4, delme=82F535C4

07:26:14: IPSEC(key_engine): request timer fired: count = 2,

(identity) local= 190.201.x.x, remote= 64.116.x.x,

local_proxy= 190.201.x.x/255.255.255.255/47/0 (type=1),

remote_proxy= 64.116.x.x/255.255.255.255/47/0 (type=1)

07:26:14: ISAKMP: received ke message (3/1)

07:26:14: IPSEC-IFC MGRE/Tu0: Socket error (OPEN_FAILED) received 190.201.x.x/64.116.x.x.

07:26:14: IPSEC-IFC MGRE/Tu0: tunnel_protection_socket_down 190.201.x.x/64.116.x.x

07:26:14: ISAKMP (0:102): peer does not do paranoid keepalives.

07:26:14: ISAKMP (0:102): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 64.116.x.x) input queue 0

07:26:14: ISAKMP (0:102): deleting node -476501863 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"

07:26:14: ISAKMP (0:102): deleting node 1845637895 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"

07:26:14: ISAKMP (0:102): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

07:26:14: ISAKMP (0:102): Old State = IKE_I_MM1 New State = IKE_DEST_SA

The configuration of both routers are attached. If you need any more info from the debugs just let me know.

Any ideas??

Gustavo

Herbert Baerten · ‎10-26-2009

The spoke is sending MM1 (the first packet of the Main Mode or Phase 1 exchange) to the hub, but it is not receiving anything back.

So either the packet is not reaching the hub (i.e. dropped in the path), or the hub drops it, or the response is sent but dropped in the path.

I see the hub is behind NAT so maybe that NAT device is dropping the packets... just a guess.

Getting "debug crypto isakmp" on the hub will show if it is receiving MM1 from the spoke, and if it is sending MM2.

gustavo-salazar · ‎10-27-2009

Ok, so I got debug crypto isakmp on the hub and it shows nothing. So it means that the MM1 messages are not getting to the hub. I forgot to mention that I have a Firewall just in front of the hub that is doing static NAT (it's a Watchguard firewall, not Cisco's). I think that the problem might be happening there, but I alredy configure the firebox to allow traffic of IP protocols ESP, GRE and TCP 23 and 80. So I'm not sure what else am I missing?

I was reading about what else would be necessary and they mention something about "The IPSec clients must use Aggressive mode to negotiate the tunnel". Is this really neccessary? Any other thoughts?

Herbert Baerten · ‎10-27-2009

You need to allow UDP 500 and UDP 4500 through your firewall, for ISAKMP to work. You do not need GRE, TCP23 and TCP80.

gustavo-salazar · ‎10-27-2009

I configured the router to allow those two: UDP 500 and UDP 4500. (I didn't know about the NAT-T, now I know...). But the problem still persists. So I'm looking at the log report of the matchs on the firewall and I can see some matches of the ping replies, and some telnet connections I did. But I couldn't find anywhere the MM1 messages or any packet matches UDP 500 or 4500 port. Now I 'm not sure if the firewall it's not recording anything because the MM1 packets are not getting there or is it because it can't log UDP port packets matches?

Any thoughts? On the Hub router I still see nothing.

Gustavo

Herbert Baerten · ‎10-28-2009

So either the MM1 packets are not reaching the firewall - is your ISP dropping UDP500 maybe? Or maybe the ISP on the spoke side is dropping outbound UDP500 ?

OR the FW is dropping them and not logging it - if it were a Cisco FW I would be glad to help :) but all I can say now is check your firewall documentation or contact the vendor's helpdesk...

If you can snif the outside interface of the spoke, you can double check that it is sending MM1, just to be sure (debugs usually don't lie, but you never know).

gustavo-salazar · ‎10-28-2009

Perfect, I did the sniff with a switch in front of the router, and the packets are sent as you said.

I contacted my vendor and they told me that is not posible to do that the way in doing it: something about the NAT that is not allowing the traffic as I suppose a CISCO firewall would do it. So he recommended to place the router in fornt of the firewall: this is not right, but since these are just test, it won't be a problem. I will tell you if ti work that way, I assume it will. Thanks for the help.

Gustavo

gustavo-salazar · ‎10-30-2009

Ok, I actually solve the problem with the fireall, now the two routers are sending and receiving the messages. But the crypto siakmp in the hub router shows that only PHASE1 completes. There is an error during PHASE2 which I really don't understand:

*Oct 30 20:17:05.471: ISAKMP:(0:4:SW:1): sending packet to 190.201.x.x my_port 4500 peer_port 4500 (R) MM_KEY_EXCH

*Oct 30 20:17:05.471: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Oct 30 20:17:05.471: ISAKMP:(0:4:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

*Oct 30 20:17:05.471: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Oct 30 20:17:05.471: ISAKMP:(0:4:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Oct 30 20:17:05.635: ISAKMP (0:134217732): received packet from 190.201.x.x dport 4500 sport 4500 Global (R) QM_IDLE

*Oct 30 20:17:05.635: ISAKMP: set new node 820676299 to QM_IDLE

*Oct 30 20:17:05.635: CryptoEngine0: generate hmac context for conn id 4

*Oct 30 20:17:05.635: ISAKMP:(0:4:SW:1): processing HASH payload. message ID = 820676299

*Oct 30 20:17:05.635: ISAKMP:(0:4:SW:1): processing SA payload. message ID = 820676299

*Oct 30 20:17:05.635: ISAKMP:(0:4:SW:1):Checking IPSec proposal 1

*Oct 30 20:17:05.635: ISAKMP: transform 1, ESP_3DES

*Oct 30 20:17:05.635: ISAKMP: attributes in transform:

*Oct 30 20:17:05.635: ISAKMP: encaps is 3 (Tunnel-UDP)

*Oct 30 20:17:05.635: ISAKMP: SA life type in seconds

*Oct 30 20:17:05.635: ISAKMP: SA life duration (basic) of 3600

*Oct 30 20:17:05.635: ISAKMP: SA life type in kilobytes

*Oct 30 20:17:05.635: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

*Oct 30 20:17:05.635: ISAKMP: authenticator is HMAC-MD5

*Oct 30 20:17:05.639: CryptoEngine0: validate proposal

*Oct 30 20:17:05.639: ISAKMP:(0:4:SW:1):atts are acceptable.

*Oct 30 20:17:05.639: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 172.16.x.x, remote= 190.201.x.x,

local_proxy= 64.116.x.x/255.255.255.255/47/0 (type=1),

remote_proxy= 190.201.x.x/255.255.255.255/47/0 (type=1),

protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel-UDP),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400

*Oct 30 20:17:05.639: CryptoEngine0: validate proposal request

*Oct 30 20:17:05.639: map_db_find_best did not find matching map

*Oct 30 20:17:05.639: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 172.16.x.x

*Oct 30 20:17:05.639: ISAKMP:(0:4:SW:1): IPSec policy invalidated proposal

*Oct 30 20:17:05.639: ISAKMP:(0:4:SW:1): phase 2 SA policy not acceptable! (local 172.16.x.x remote 190.201.x.x)

*Oct 30 20:17:05.639: ISAKMP: set new node 457288976 to QM_IDLE

*Oct 30 20:17:05.639: CryptoEngine0: generate hmac context for conn id 4

*Oct 30 20:17:05.639: ISAKMP:(0:4:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

spi 1185137496, message ID = 457288976

*Oct 30 20:17:05.639: ISAKMP:(0:4:SW:1): sending packet to 190.201.x.x my_port 4500 peer_port 4500 (R) QM_IDLE

*Oct 30 20:17:05.639: ISAKMP:(0:4:SW:1):purging node 457288976

*Oct 30 20:17:05.643: ISAKMP:(0:4:SW:1):deleting node 820676299 error TRUE reason "QM rejected"

*Oct 30 20:17:05.643: ISAKMP (0:134217732): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node 820676299: state = IKE_QM_READY

*Oct 30 20:17:05.643: ISAKMP:(0:4:SW:1):Node 820676299, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Oct 30 20:17:05.643: ISAKMP:(0:4:SW:1):Old State = IKE_QM_READY New State = IKE_QM_READY

rprueba1#

*Oct 30 20:17:23.939: ISAKMP:(0:2:SW:1):purging node 605057579

*Oct 30 20:17:23.939: ISAKMP:(0:2:SW:1):purging node -52287620

*Oct 30 20:17:23.943: ISAKMP:(0:1:SW:1):purging node -2094129127no d

*Oct 30 20:17:25.651: ISAKMP:(0:3:SW:1):purging node -1382277058ebug cryp isa

There is an error refering to a crypto map which doesn't exists. Any thoughts?