Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

IPSec VPN establishment issues 887 -> srp527

Hey Folks,

I'm having some problems getting an ipsec tunnel established between a cisco 887VA router and a cisco srp527w router.

I am working from a few text books and some example materials. I have worked through many combinations of what I have got and am still struggling a little bit.

I look at debug results and it appears as though the policies do not match between the devices:

Jul 23 05:44:37.759: ISAKMP (0): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (R) MM_NO_STATE

broute1#

Jul 23 05:44:57.079: ISAKMP:(0):purging SA., sa=85247558, delme=85247558

broute1#

Jul 23 05:45:17.031: ISAKMP (0): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (N) NEW SA

Jul 23 05:45:17.031: ISAKMP: Created a peer struct for XXX.XXX.XXX.XXX, peer port 500

Jul 23 05:45:17.035: ISAKMP: New peer created peer = 0x8838C3F8 peer_handle = 0x800021CF

Jul 23 05:45:17.035: ISAKMP: Locking peer struct 0x8838C3F8, refcount 1 for crypto_isakmp_process_block

Jul 23 05:45:17.035: ISAKMP: local port 500, remote port 500

Jul 23 05:45:17.035: ISAKMP:(0):insert sa successfully sa = 87D84664

Jul 23 05:45:17.035: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Jul 23 05:45:17.035: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

Jul 23 05:45:17.035: ISAKMP:(0): processing SA payload. message ID = 0

Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload

Jul 23 05:45:17.035: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch

Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload

Jul 23 05:45:17.035: ISAKMP:(0): vendor ID is DPD

Jul 23 05:45:17.035: ISAKMP:(0):No pre-shared key with XXX.XXX.XXX.XXX!

Jul 23 05:45:17.035: ISAKMP : Scanning profiles for xauth ...

Jul 23 05:45:17.035: ISAKMP:(0):Checking ISAKMP transform 0 against priority 1 policy

Jul 23 05:45:17.035: ISAKMP:      life type in seconds

Jul 23 05:45:17.035: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x53

Jul 23 05:45:17.035: ISAKMP:      encryption DES-CBC

Jul 23 05:45:17.035: ISAKMP:      hash SHA

Jul 23 05:45:17.035: ISAKMP:      auth pre-share

Jul 23 05:45:17.035: ISAKMP:      default group 1

Jul 23 05:45:17.035: ISAKMP:(0):Encryption algorithm offered does not match policy!

Jul 23 05:45:17.035: ISAKMP:(0):atts are not acceptable. Next payload is 0

Jul 23 05:45:17.035: ISAKMP:(0):no offers accepted!

Jul 23 05:45:17.035: ISAKMP:(0): phase 1 SA policy not acceptable! (local YYY.YYY.YYY.YYY remote

XXX.XXX.XXX.XXX)

Jul 23 05:45:17.035: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init

Jul 23 05:45:17.035: ISAKMP:(0): Failed to construct AG informational message.

Jul 23 05:45:17.035: ISAKMP:(0): sending packet to XXX.XXX.XXX.XXX my_port 500 peer_port 500 (R) MM_NO_STATE

Jul 23 05:45:17.035: ISAKMP:(0):Sending an IKE IPv4 Packet.

Jul 23 05:45:17.035: ISAKMP:(0):peer does not do paranoid keepalives.

Jul 23 05:45:17.035: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer

XXX.XXX.XXX.XXX)

Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload

Jul 23 05:45:17.035: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch

Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload

Jul 23 05:45:17.035: ISAKMP:(0): vendor ID is DPD

Jul 23 05:45:17.035: ISAKMP (0): FSM action returned error: 2

Jul 23 05:45:17.035: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Jul 23 05:45:17.035: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

Jul 23 05:45:17.039: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer

XXX.XXX.XXX.XXX)

Jul 23 05:45:17.039: ISAKMP: Unlocking peer struct 0x8838C3F8 for isadb_mark_sa_deleted(), count 0

Jul 23 05:45:17.039: ISAKMP: Deleting peer node by peer_reap for XXX.XXX.XXX.XXX: 8838C3F8

Jul 23 05:45:17.039: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Jul 23 05:45:17.039: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA

Here is a slightly trimmed version of my run-fig (took out things i was sure no one would need) and attached are screenshots of the IKE Policy and IPSec Policy from the srp527w

version 15.1

hostname broute1

!

logging buffered 65535

logging console informational

!

no aaa new-model

!

memory-size iomem 10

clock timezone ESTime 10 0

crypto pki token default removal timeout 0

!

!

ip source-route

!

!

!

!

controller VDSL 0

operating mode adsl2 annex A

!

ip ssh version 2

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

lifetime 28800

crypto isakmp key PRE_SHARED_KEY_FOR_IKE(I_THINK) hostname REMOTE_HOST

!

!

crypto ipsec transform-set JWRE_BW-1 esp-3des esp-sha-hmac

!

!

!

crypto map JWRE_BW-1 10 ipsec-isakmp

set peer XXX.XXX.XXX.XXX

set transform-set JWRE_BW-1

match address 101

!

interface Loopback0

no ip address

!

interface ATM0

description --- Internode ADSL ----

no ip address

no ip route-cache

load-interval 30

no atm ilmi-keepalive

!

interface ATM0.1 point-to-point

no ip route-cache

pvc 8/35

  tx-ring-limit 3

  encapsulation aal5snap

  pppoe-client dial-pool-number 1

!

!

interface Vlan1

description Management Interface

ip address AAA.AAA.AAA.AAA 255.255.255.0

ip mtu 1452

ip nat inside

ip virtual-reassembly in

no ip route-cache cef

ip tcp adjust-mss 1420

!

interface Dialer1

description -----INTERNODE ADSL------

mtu 1492

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

dialer-group 1

ppp chap hostname ADSL_USERNAME

ppp chap password 7 ADSL_PASSWORD

ppp ipcp dns request accept

no cdp enable

crypto map JWRE_BW-1

!

logging trap debugging

access-list 101 permit ip 192.168.7.0 0.0.0.255 10.0.1.0 0.0.0.255

dialer-list 1 protocol ip permit

Some specific questions:

1) on the SRP in the example's I have used (and I have a few SRP->SRP VPN's that work) I see you need to enter the preshared key, I'm not seeing in the examples I have used anything about the IKE preshared key on the IOS box. Does anyone have any examples where you use the preshared key for IKE? I wonder if this is my primary issue as it states clearly in the log that there is no Preshared key :|

2) I have used a mish mash of names between the various sections as on the SRP the naming convention isnt the same; ie: which parts of the IPSEC negotiation come from the IKE policy section and which from the IPSEC policy section. Do the names really matter across different ends of the VPN?

3) I notice when I perform this command in the(config-crypto-map)#:

     set peer FQDN

It is converted to:

     set peer XXX.XXX.XXX.XXX

Is this expected? I want the device to look at the FQDN as this particular host is using DDNS and not use a static IP address.

I could ask a million questions but I will leave it for there, if someone can see anything that sticks out (or can answer Q1 in particular) please let me know.

Thanks in advance for your time and assistance folks.

B

  • VPN
Everyone's tags (5)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

IPSec VPN establishment issues 887 -> srp527

The IKE policy does not seem to match, you would need to configure the matching IKE policy on the router as follows:

crypto isakmp policy 10

   encr des

  hash sha

   authentication pre-share

  group 1

   lifetime 28800

For the preshared key, use the address instead of host name:

crypto isakmp key address

4 REPLIES
Cisco Employee

IPSec VPN establishment issues 887 -> srp527

The IKE policy does not seem to match, you would need to configure the matching IKE policy on the router as follows:

crypto isakmp policy 10

   encr des

  hash sha

   authentication pre-share

  group 1

   lifetime 28800

For the preshared key, use the address instead of host name:

crypto isakmp key address

New Member

IPSec VPN establishment issues 887 -> srp527

YAY! Hey Jennifer thank you so much!

So I pulled my hair out awhile. Seems I did have the policy details above in my config, it just doesnt show the algorithm, hash or DH group in the conf.

When I did then reread and see the last bit (facepalm) I changed to using a host address and all of a sudden it worked.

Does this mean that you cannot use the FQDN to make ISAKMP work? The documentation seems to indicate it does but the config it makes is not consistent with that. I have a few sites that use DDNS and I would prefer not to upgrade the access plans for those remote sites to include static addresses.

Thanks again, back on track

B

Cisco Employee

IPSec VPN establishment issues 887 -> srp527

If you use Main Mode, you can't use hostname on the isakmp key.

You can use the hostname if you are using Aggressive mode on IKE, and you would also need to configure:

crypto isakmp identity hostname

Plus your router needs to point to a dns server that can resolve the hostname.

Here is more information on:

- crypto isakmp key:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c4.html#GUID-E6AD0189-B773-4332-95F0-89AFE7A9E84F

- crypto isakmp identity:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c4.html#GUID-D3C7A306-A689-4953-9146-D4F2F861C567

New Member

IPSec VPN establishment issues 887 -> srp527

Thank you again Jennifer. I cannot believe how much time I've spent on this, you are a life saver!

cheers

Bruno

1966
Views
0
Helpful
4
Replies
This widget could not be displayed.