ipsec site to site vpn help

Elton-G
Level 1

Hello,

I have a Cisco 2900 router at my branch office and need connectivity to my HQ.

After configuring it with a site-to-site VPN, Phase 1 is up and connected but Phase 2 isn't.

For the NAT configuration I am using this config:

ip nat inside source list my-list interface GigabitEthernet0/0 overload

ip access-list extended my-list
 deny ip 192.168.1.0 0.0.0.255 10.214.0.0 0.0.255.255
 permit ip 192.168.1.0 0.0.0.255 any

where the access list that matches the crypto map is:

ip access-list extended site-to-site
 permit ip 192.168.1.0 0.0.0.255 10.214.3.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.214.4.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.214.6.0 0.0.0.255

But still my Phase 2 isn't up. Phase 1 is in QM_IDLE, so it is OK.

Can anyone help me?


GioGonza
Level 4

Hello @Elton-G

If your problem is with Phase 2 not being built, you need to verify the configuration and check that everything matches correctly. The NAT configuration only comes into play after the VPN is up and you are sending traffic through the VPN tunnel.

Can you share the configuration for both sides so we can check further?

HTH

Gio

Hello,

branch office site to site:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5

crypto isakmp key my key address hq_public_ip no-xauth

crypto ipsec transform-set MY-SET esp-aes esp-sha-hmac

crypto map VPNMAP 10 ipsec-isakmp
 set peer hq_public_ip
 set transform-set MY-SET
 match address access-list

ip access-list extended access-list
 permit ip host 192.168.x.x host 10.214.x.x

hq config:

crypto isakmp policy 100
 encr aes 256
 authentication pre-share
 group 5

crypto isakmp key my key address branch_public_ip no-xauth

crypto ipsec transform-set MY-SET esp-aes esp-sha-hmac

crypto map VPNMAP 200 ipsec-isakmp
 set peer branch_public_ip
 set transform-set MY-SET
 match address access-list

ip access-list extended access-list
 permit ip host 10.214.x.x host 192.168.x.x
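The two configurations above are exactly what a mirror check should compare. As an added example, not from the thread and not Cisco's tooling, the Python below parses the crypto-relevant commands of two IOS configs and reports what a Phase 2 negotiation needs: identical transform-set contents on both peers and crypto ACL entries that are exact mirrors of each other; it also checks that every crypto ACL flow is exempted from NAT, which is the job of the deny line in the NAT ACL posted in the question. The sample configs are constructed, modelled on the posted ones with documentation-range peer addresses, and the HQ side is deliberately given a 3DES transform set and a non-matching subnet so that the checks have something to report. The helpers assume one ipsec-isakmp crypto map entry per side and contiguous wildcard masks.

```python
import ipaddress

# Constructed configs modelled on the branch/HQ snippets posted above (peer addresses are
# documentation-range placeholders); sub-commands are indented as 'show running-config' prints them.
BRANCH_CFG = """\
crypto ipsec transform-set MY-SET esp-aes esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set MY-SET
 match address site-to-site
ip access-list extended site-to-site
 permit ip 192.168.1.0 0.0.0.255 10.214.3.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.214.4.0 0.0.0.255
ip access-list extended my-list
 deny ip 192.168.1.0 0.0.0.255 10.214.3.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list my-list interface GigabitEthernet0/0 overload
"""
HQ_CFG = """\
crypto ipsec transform-set MY-SET esp-3des esp-sha-hmac
crypto map VPNMAP 200 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set MY-SET
 match address to-branch
ip access-list extended to-branch
 permit ip 10.214.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.214.5.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def _addr(tok, i):
    """Consume one ACL address spec at tok[i]; return (address, wildcard, next index)."""
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    return tok[i], tok[i + 1], i + 2

def _net(addr, wildcard):
    """IOS wildcard (an inverted, contiguous netmask) -> IPv4Network."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(mask)), strict=False)

def parse_ios(cfg):
    """Collect transform-sets, ipsec-isakmp map entries, extended ACLs and the NAT ACL name."""
    out = {"ts": {}, "maps": [], "acls": {}, "nat_acl": None}
    cur_map = cur_acl = None
    for raw in filter(str.strip, cfg.splitlines()):
        tok = raw.split()
        if not raw.startswith(" "):          # an unindented command ends any block
            cur_map = cur_acl = None
        if raw.startswith("crypto ipsec transform-set"):
            out["ts"][tok[3]] = frozenset(tok[4:])
        elif raw.startswith("crypto map") and "ipsec-isakmp" in tok:
            out["maps"].append(cur_map := {"seq": int(tok[3]), "ts": None, "acl": None})
        elif raw.startswith("ip access-list extended"):
            cur_acl = out["acls"].setdefault(tok[3], [])
        elif raw.startswith("ip nat inside source list"):
            out["nat_acl"] = tok[5]
        elif cur_map is not None and tok[:2] == ["set", "transform-set"]:
            cur_map["ts"] = tok[2]
        elif cur_map is not None and tok[:2] == ["match", "address"]:
            cur_map["acl"] = tok[2]
        elif cur_acl is not None and tok[0] in ("permit", "deny"):
            src, swc, i = _addr(tok, 2)
            dst, dwc, _ = _addr(tok, i)
            cur_acl.append((tok[0], tok[1], _net(src, swc), _net(dst, dwc)))
    return out

def phase2_findings(local_cfg, remote_cfg):
    """Phase 2 mismatches between the first ipsec-isakmp entry on each side (assumes one per side)."""
    a, b = parse_ios(local_cfg), parse_ios(remote_cfg)
    ma, mb = a["maps"][0], b["maps"][0]
    findings = []
    ta, tb = a["ts"].get(ma["ts"]), b["ts"].get(mb["ts"])
    if ta != tb:                             # contents must agree; the names need not
        findings.append(f"transform-set mismatch: {sorted(ta or [])} vs {sorted(tb or [])}")
    ea, eb = a["acls"].get(ma["acl"], []), b["acls"].get(mb["acl"], [])
    # Every local permit (src -> dst) needs the reversed permit (dst -> src) on the peer.
    mirrored = {(p, d, s) for act, p, s, d in eb if act == "permit"}
    for act, p, s, d in ea:
        if act == "permit" and (p, s, d) not in mirrored:
            findings.append(f"ACL {ma['acl']}: {s} -> {d} has no mirror entry in {mb['acl']}")
    return findings

def nat_exemption_findings(cfg):
    """Crypto ACL flows whose first match in the NAT ACL is not a deny (they would be translated)."""
    c = parse_ios(cfg)
    nat = c["acls"].get(c["nat_acl"], [])
    findings = []
    for act, p, s, d in c["acls"].get(c["maps"][0]["acl"], []):
        if act != "permit":
            continue
        hit = next((na for na, _, ns, nd in nat if s.subnet_of(ns) and d.subnet_of(nd)), None)
        if hit != "deny":
            findings.append(f"{s} -> {d} is not exempted from NAT (first NAT ACL match: {hit})")
    return findings
```

On the samples, phase2_findings(BRANCH_CFG, HQ_CFG) reports the esp-aes versus esp-3des transform-set mismatch and the 192.168.1.0/24 -> 10.214.4.0/24 entry that has no mirror on the HQ side, and nat_exemption_findings(BRANCH_CFG) reports that the same flow would be translated because the deny line only covers 10.214.3.0/24; widening it to 10.214.0.0 0.0.255.255, as in the question, clears that finding.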

 

 

Hello @Elton-G

Thank you for the information. It seems everything is properly configured, so we need to get the debugs for the connection in order to see why the VPN tunnel is not coming up. Can you share this?

debug crypto condition peer ipv4 x.x.x.x
debug crypto isakmp
debug crypto ipsec

To remove the condition: debug crypto condition reset

I'll wait for your information,

Gio

Hello,

From debug crypto condition peer ipv4 I don't get anything.

From the ipsec debug:

*Oct 6 12:17:07.593: IPSEC(validate_proposal_request): proposal part #1
*Oct 6 12:17:07.593: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= x.x.x.x:0, remote= x.x.x.x:0,
local_proxy= 192.168.x.x/255.255.255.255/256/0,
remote_proxy= 10.214.x.x/255.255.255.255/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Oct 6 12:17:07.593: Crypto mapdb : proxy_match
src addr : 192.168.x.x
dst addr : 10.214.x.x
protocol : 0
src port : 0
dst port : 0
*Oct 6 12:17:07.597: (ipsec_process_proposal)Map Accepted: VPNMAP, 20
*Oct 6 12:17:07.597: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 6 12:17:07.597: Crypto mapdb : proxy_match
src addr : 192.168.x.x
dst addr : 10.214.x.x
protocol : 256
src port : 0
dst port : 0
*Oct 6 12:17:07.597: IPSEC(crypto_ipsec_create_ipsec_sas): Map found VPNMAP, 20
*Oct 6 12:17:07.597: IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 223FF30C
*Oct 6 12:17:07.597: IPSEC(create_sa): sa created,
(sa) sa_dest= x.x.x.x, sa_proto= 50,
sa_spi= 0xBC99137B(3164148603),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2925
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= x.x.x.x:0, remote= x.x.x.x:0,
local_proxy= 192.168.x.x/255.255.255.255/256/0,
remote_proxy= 10.214.x.x/255.255.255.255/256/0
*Oct 6 12:17:07.597: IPSEC(create_sa): sa created,
(sa) sa_dest= 80.78.78.56, sa_proto= 50,
sa_spi= 0xBF7176DB(3211884251),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2926
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= x.x.x.x:0, remote= x.x.x.x:0,
local_proxy= 192.168.x.x/255.255.255.255/256/0,
remote_proxy= 10.214.x.x/255.255.255.255/256/0
*Oct 6 12:17:07.601: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 6 12:17:07.601: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 5386
*Oct 6 12:17:07.601: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Oct 6 12:17:07.601: IPSEC: delete incomplete sa: 0x23334954
*Oct 6 12:17:07.601: IPSEC(key_engine_delete_sas): delete SA with spi 0xBF7176DB proto 50 for x.x.x.x
*Oct 6 12:17:07.601: IPSEC(update_current_outbound_sa): updated peer 80.78.78.56 current outbound sa to SPI 0
*Oct 6 12:17:07.601: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= x.x.x.x, sa_proto= 50,
sa_spi= 0xBC99137B(3164148603),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2925
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= x.x.x.x:0, remote= x.x.x.x:0,
local_proxy= 192.168.x.x/255.255.255.255/256/0,
remote_proxy= 10.214.x.x/255.255.255.255/256/0
*Oct 6 12:17:07.605: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= x.x.x.x, sa_proto= 50,
sa_spi= 0xBF7176DB(3211884251),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2926
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= x.x.x.x:0, remote= x.x.x.x:0,
local_proxy= 192.168.x.x/255.255.255.255/256/0,
remote_proxy= 10.214.x.x/255.255.255.255/256/0
*Oct 6 12:17:07.605: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
*Oct 6 12:17:07.605: IPSEC(ident_delete_notify_kmi): Failed to send KEY_ENG_DELETE_SAS
*Oct 6 12:17:07.605: IPSEC(ident_update_final_flow_stats): Collect Final Stats and update MIB
IPSEC get IKMP peer index from peer 0x223FF30C ikmp handle 0x8000000C
IPSEC IKMP peer index 0
[ident_update_final_flow_stats] : Flow delete complete event received for flow id 0x3400039D,peer index 0

 

 

From the isakmp debug:

*Oct 6 12:22:44.073: ISAKMP-PAK: (1011):received packet from x.x.x.x dport 500 sport 500 Global (R) QM_IDLE
*Oct 6 12:22:44.073: ISAKMP: (1011):set new node 339932866 to QM_IDLE
*Oct 6 12:22:44.073: ISAKMP: (1011):processing HASH payload. message ID = 339932866
*Oct 6 12:22:44.073: ISAKMP: (1011):deleting node 339932866 error FALSE reason "Informational (in) state 1"
*Oct 6 12:22:44.073: ISAKMP: (1011):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 6 12:22:44.073: ISAKMP: (1011):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Oct 6 12:22:44.073: ISAKMP: (1011):set new node 817723805 to QM_IDLE
*Oct 6 12:22:44.073: ISAKMP-PAK: (1011):sending packet to x.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
*Oct 6 12:22:44.073: ISAKMP: (1011):Sending an IKE IPv4 Packet.
*Oct 6 12:22:44.073: ISAKMP: (1011):purging node 817723805
*Oct 6 12:22:44.073: ISAKMP: (1011):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Oct 6 12:22:44.073: ISAKMP: (1011):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Oct 6 12:22:45.493: ISAKMP: (1011):purging node -917992571
*Oct 6 12:22:52.533: ISAKMP-PAK: (1011):received packet from x.x.x.x dport 500 sport 500 Global (R) QM_IDLE
*Oct 6 12:22:52.533: ISAKMP: (1011):set new node -976871774 to QM_IDLE
*Oct 6 12:22:52.533: ISAKMP: (1011):processing HASH payload. message ID = 3318095522
*Oct 6 12:22:52.533: ISAKMP: (1011):processing SA payload. message ID = 3318095522
*Oct 6 12:22:52.533: ISAKMP: (1011):Checking IPSec proposal 1
*Oct 6 12:22:52.533: ISAKMP: (1011):transform 1, ESP_AES
*Oct 6 12:22:52.533: ISAKMP: (1011): attributes in transform:
*Oct 6 12:22:52.533: ISAKMP: (1011): encaps is 1 (Tunnel)
*Oct 6 12:22:52.533: ISAKMP: (1011): SA life type in seconds
*Oct 6 12:22:52.533: ISAKMP: (1011): SA life duration (basic) of 3600
*Oct 6 12:22:52.533: ISAKMP: (1011): SA life type in kilobytes
*Oct 6 12:22:52.533: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Oct 6 12:22:52.533: ISAKMP: (1011): authenticator is HMAC-SHA
*Oct 6 12:22:52.533: ISAKMP: (1011): key length is 128
*Oct 6 12:22:52.533: ISAKMP: (1011):atts are acceptable.
*Oct 6 12:22:52.533: ISAKMP: (1011):processing NONCE payload. message ID = 3318095522
*Oct 6 12:22:52.533: ISAKMP: (1011):processing ID payload. message ID = 3318095522
*Oct 6 12:22:52.533: ISAKMP: (1011):processing ID payload. message ID = 3318095522
*Oct 6 12:22:52.533: ISAKMP: (1011):QM Responder gets spi
*Oct 6 12:22:52.533: ISAKMP: (1011):Node 3318095522, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct 6 12:22:52.533: ISAKMP: (1011):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Oct 6 12:22:52.533: ISAKMP: (1011):Node 3318095522, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Oct 6 12:22:52.533: ISAKMP: (1011):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT
*Oct 6 12:22:52.537: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
*Oct 6 12:22:52.537: ISAKMP: (1011):Received IPSec Install callback... proceeding with the negotiation
*Oct 6 12:22:52.537: ISAKMP: (1011):Successfully installed IPSEC SA (SPI:0xE70DFB05) on GigabitEthernet0/0
*Oct 6 12:22:52.537: ISAKMP-PAK: (1011):sending packet to x.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
*Oct 6 12:22:52.537: ISAKMP: (1011):Sending an IKE IPv4 Packet.
*Oct 6 12:22:52.537: ISAKMP: (1011):Node 3318095522, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Oct 6 12:22:52.537: ISAKMP: (1011):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
*Oct 6 12:22:52.541: ISAKMP-PAK: (1011):received packet from x.x.x.x dport 500 sport 500 Global (R) QM_IDLE
*Oct 6 12:22:52.541: ISAKMP: (1011):set new node -1645313799 to QM_IDLE
*Oct 6 12:22:52.541: ISAKMP: (1011):processing HASH payload. message ID = 2649653497
*Oct 6 12:22:52.541: ISAKMP: (1011):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 3876453125, message ID = 2649653497, sa = 0x234FE000
*Oct 6 12:22:52.541: ISAKMP: (1011):deleting spi 3876453125 message ID = 3318095522
*Oct 6 12:22:52.541: ISAKMP-ERROR: (1011):deleting node -976871774 error TRUE reason "Delete Larval"
*Oct 6 12:22:52.541: ISAKMP: (1011):peer does not do paranoid keepalives.
*Oct 6 12:22:52.541: ISAKMP: (1011):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x1352850C)
*Oct 6 12:22:52.541: ISAKMP: (1011):deleting node -1645313799 error FALSE reason "Informational (in) state 1"
*Oct 6 12:22:52.541: ISAKMP: (1011):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 6 12:22:52.541: ISAKMP: (1011):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Oct 6 12:22:52.541: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
*Oct 6 12:22:53.813: ISAKMP-PAK: (1011):received packet from x.x.x.x dport 500 sport 500 Global (R) QM_IDLE
*Oct 6 12:22:53.813: ISAKMP: (1011):set new node -66804309 to QM_IDLE
*Oct 6 12:22:53.813: ISAKMP: (1011):processing HASH payload. message ID = 4228162987
*Oct 6 12:22:53.813: ISAKMP: (1011):deleting node -66804309 error FALSE reason "Informational (in) state 1"
*Oct 6 12:22:53.813: ISAKMP: (1011):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 6 12:22:53.813: ISAKMP: (1011):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Oct 6 12:22:53.813: ISAKMP: (1011):set new node 1945510630 to QM_IDLE
*Oct 6 12:22:53.813: ISAKMP-PAK: (1011):sending packet to x.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
*Oct 6 12:22:53.813: ISAKMP: (1011):Sending an IKE IPv4 Packet.
*Oct 6 12:22:53.813: ISAKMP: (1011):purging node 1945510630
*Oct 6 12:22:53.813: ISAKMP: (1011):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Oct 6 12:22:53.813: ISAKMP: (1011):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Oct 6 12:22:55.145: ISAKMP: (1011):purging node 2909416
*Oct 6 12:23:02.049: ISAKMP: (1011):purging node -858477623
*Oct 6 12:23:02.049: ISAKMP: (1011):purging node 1213975711
*Oct 6 12:23:03.665: ISAKMP-PAK: (1011):received packet from x.x.x.x dport 500 sport 500 Global (R) QM_IDLE
*Oct 6 12:23:03.665: ISAKMP: (1011):set new node -132190660 to QM_IDLE
*Oct 6 12:23:03.665: ISAKMP: (1011):processing HASH payload. message ID = 4162776636
*Oct 6 12:23:03.665: ISAKMP: (1011):deleting node -132190660 error FALSE reason "Informational (in) state 1"
*Oct 6 12:23:03.665: ISAKMP: (1011):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 6 12:23:03.665: ISAKMP: (1011):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Oct 6 12:23:03.665: ISAKMP: (1011):set new node 154291969 to QM_IDLE
*Oct 6 12:23:03.665: ISAKMP-PAK: (1011):sending packet to x.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
*Oct 6 12:23:03.665: ISAKMP: (1011):Sending an IKE IPv4 Packet.
*Oct 6 12:23:03.665: ISAKMP: (1011):purging node 154291969
*Oct 6 12:23:03.665: ISAKMP: (1011):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Oct 6 12:23:03.665: ISAKMP: (1011):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
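The reading of this log that matters is in a handful of lines: the router is the responder ("(R) QM_IDLE"), it found the peer's proposal acceptable and installed a larval SA, then received a NOTIFY PROPOSAL_NOT_CHOSEN from the peer and tore the SA down ("Delete Larval"). As an added example that is not part of the thread, the Python below turns that reading into a small triage routine over "debug crypto isakmp" output. The sample lines are constructed, modelled on the posted log with a documentation-range peer address; the protocol number in the NOTIFY is decoded with the ISAKMP DOI identifiers from RFC 2407, where 3 is ESP.

```python
import re

# Constructed sample, modelled on the responder-side 'debug crypto isakmp' output in this
# thread (the peer address is a documentation placeholder, not a real value).
SAMPLE_DEBUG = """\
*Oct 6 12:22:52.533: ISAKMP-PAK: (1011):received packet from 203.0.113.1 dport 500 sport 500 Global (R) QM_IDLE
*Oct 6 12:22:52.533: ISAKMP: (1011):Checking IPSec proposal 1
*Oct 6 12:22:52.533: ISAKMP: (1011):transform 1, ESP_AES
*Oct 6 12:22:52.533: ISAKMP: (1011): encaps is 1 (Tunnel)
*Oct 6 12:22:52.533: ISAKMP: (1011): authenticator is HMAC-SHA
*Oct 6 12:22:52.533: ISAKMP: (1011): key length is 128
*Oct 6 12:22:52.533: ISAKMP: (1011):atts are acceptable.
*Oct 6 12:22:52.537: ISAKMP: (1011):Successfully installed IPSEC SA (SPI:0xE70DFB05) on GigabitEthernet0/0
*Oct 6 12:22:52.541: ISAKMP: (1011):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 3876453125, message ID = 2649653497, sa = 0x234FE000
*Oct 6 12:22:52.541: ISAKMP-ERROR: (1011):deleting node -976871774 error TRUE reason "Delete Larval"
*Oct 6 12:22:52.541: ISAKMP: (1011):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
"""

# ISAKMP DOI protocol identifiers carried in NOTIFY payloads (RFC 2407).
DOI_PROTO = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}

NOTIFY_RE = re.compile(r"processing NOTIFY (\S+) protocol (\d+)")
TRANSFORM_RE = re.compile(r"transform \d+, (\S+)")
ENCAPS_RE = re.compile(r"encaps is \d+ \((\w+)\)")
AUTH_RE = re.compile(r"authenticator is (\S+)")
KEYLEN_RE = re.compile(r"key length is (\d+)")

def triage_isakmp(debug_text):
    """Summarise one Quick Mode attempt seen in 'debug crypto isakmp' output."""
    s = {"role": None, "phase1_complete": False, "local_accepted": False,
         "proposal": {}, "notifies": [], "larval_deleted": False, "verdict": ""}
    for line in debug_text.splitlines():
        if "(R) QM_IDLE" in line:
            s["role"] = "responder"
        elif "(I) QM_IDLE" in line:
            s["role"] = "initiator"
        if "IKE_P1_COMPLETE" in line:
            s["phase1_complete"] = True
        if "atts are acceptable" in line:      # this side accepted the peer's proposal
            s["local_accepted"] = True
        for key, rx in (("transform", TRANSFORM_RE), ("encaps", ENCAPS_RE), ("auth", AUTH_RE)):
            m = rx.search(line)
            if m:
                s["proposal"][key] = m.group(1)
        m = KEYLEN_RE.search(line)
        if m:
            s["proposal"]["keylen"] = int(m.group(1))
        m = NOTIFY_RE.search(line)
        if m:
            s["notifies"].append((m.group(1), DOI_PROTO.get(int(m.group(2)), m.group(2))))
        if "Delete Larval" in line:            # half-built SA torn down before any traffic flowed
            s["larval_deleted"] = True
    if any(n == "PROPOSAL_NOT_CHOSEN" for n, _ in s["notifies"]):
        s["verdict"] = ("peer rejected the Phase 2 proposal after this side accepted it; the reason "
                        "is only visible in the peer's debug (compare transform-sets and crypto ACL "
                        "proxy identities there)")
    elif s["local_accepted"] and not s["larval_deleted"]:
        s["verdict"] = "Phase 2 negotiated on this side"
    elif s["phase1_complete"]:
        s["verdict"] = "Phase 1 up but no Phase 2 exchange completed: check interesting traffic and the crypto ACL"
    else:
        s["verdict"] = "Phase 1 not complete"
    return s

if __name__ == "__main__":
    for key, value in triage_isakmp(SAMPLE_DEBUG).items():
        print(f"{key:16} {value}")
```

For the sample the verdict is that the peer rejected the proposal, which is the same conclusion Gio draws below: the responder's log shows the rejection but not its cause, so the initiator's debug is the one that has to be read next.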

Hello @Elton-G

Based on the log, this is the responder for the connection and it is receiving the DELETE message from the other site. In this log we are not going to be able to see the error unless we make this device the initiator.

It would be better to have the debugs for both sides in order to check them and see the reason why it is failing.

HTH

Gio

Hello,

I solved the problem and built Phase 2 by changing the transform set: at headquarters I set it to esp-aes esp-sha-hmac and at the branch office I set it to esp-3des esp-sha-hmac. I didn't understand how it built Phase 2, because the transform set was not mirrored on the two sites. I know that for it to be built it should be mirrored.

Thank you for helping.

The Phase 2 tunnel was not getting built as AH does not support NAT traversal.

Thanks Elton-G