New Member

IPSec VPN not working

Hi all,

We are setting up a new VPN from an ASA to a Cisco 2801 router (behind a third party's Checkpoint firewall). We seem to be almost there with the setup, but the tunnel is not working correctly. I have included a debug from the 2801 router, its config and a diagram of the setup. Any ideas, as we are tearing our hair out trying to get this working!!!

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname #######
!
boot-start-marker
boot system flash c2801-adventerprisek9-mz.124-25f.bin
boot-end-marker
!
!
no aaa new-model
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.98.0.1 10.98.0.127
!
ip dhcp pool bruairport
   network 10.98.0.0 255.255.255.0
   default-router 10.98.0.1
   dns-server 128.200.1.101 128.200.1.103
!
!
no ip domain lookup
ip domain name #####.####.###
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username ###### privilege 15 password ##########
username ####### privilege 15 password ##########
archive
log config
  hidekeys
!
!
ip ssh time-out 60
ip ssh version 2
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key ########### address 212.24.93.25
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
!
crypto map flybe 10 ipsec-isakmp
set peer 212.24.93.25
set transform-set ESP-AES-256-SHA
set pfs group5
match address 101
!
!
!
!
interface FastEthernet0/0
ip address 193.108.215.71 255.255.255.240
ip access-group 121 in
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
speed 100
full-duplex
crypto map flybe
hold-queue 100 out
!
interface FastEthernet0/1
ip address 10.98.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 212.24.93.25
!
!
no ip http server
no ip http secure-server
!
access-list 99 remark SSH Inbound
access-list 99 permit 128.200.9.71 log
access-list 99 permit 128.200.9.239 log
access-list 99 permit 10.98.0.129 log
access-list 101 remark VPN tunnel
access-list 101 permit ip 10.98.0.0 0.0.0.255 10.128.0.0 0.0.3.255
access-list 101 permit ip 10.98.0.0 0.0.0.255 128.200.0.0 0.0.255.255
access-list 111 remark noNAT
access-list 111 deny   ip 10.98.0.0 0.0.0.255 10.128.0.0 0.0.3.255
access-list 111 deny   ip 10.98.0.0 0.0.0.255 128.200.0.0 0.0.255.255
access-list 111 permit ip 10.98.0.0 0.0.0.255 any
access-list 121 remark Flybe in
access-list 121 deny   ip 127.0.0.0 0.255.255.255 any
access-list 121 deny   ip 224.0.0.0 31.255.255.255 any
access-list 121 permit udp host 212.24.93.25 eq isakmp any eq isakmp
access-list 121 permit esp host 212.24.93.25 any
access-list 121 permit ip 10.128.0.0 0.0.3.255 10.98.0.0 0.0.0.255
access-list 121 permit ip 128.200.0.0 0.0.255.255 10.98.0.0 0.0.0.255
access-list 121 permit ip host 193.108.215.65 any
access-list 121 permit ip host 193.108.215.66 any
snmp-server community flyberemote RO
!
route-map nonat permit 10
match ip address 111
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 15 0
login local
stopbits 1
line aux 0
exec-timeout 15 0
login local
stopbits 1
line vty 0 4
access-class 99 in
exec-timeout 5 0
privilege level 15
login local
transport input ssh
!
scheduler allocate 20000 1000
end

DEBUG:

*Mar 22 10:36:05.179: ISAKMP: New peer created peer = 0x652F5A44 peer_handle = 0x8000002D
*Mar 22 10:36:05.179: ISAKMP: Locking peer struct 0x652F5A44, IKE refcount 1 for isakmp_initiator
*Mar 22 10:36:05.179: ISAKMP: local port 500, remote port 500
*Mar 22 10:36:05.179: ISAKMP: set new node 0 to QM_IDLE
*Mar 22 10:36:05.179: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6486CED4
*Mar 22 10:36:05.179: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Mar 22 10:36:05.179: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 212.24.93.25
*Mar 22 10:36:05.179: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Mar 22 10:36:05.179: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Mar 22 10:36:05.179: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Mar 22 10:36:05.179: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 22 10:36:05.179: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar 22 10:36:05.179: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Mar 22 10:36:05.179: ISAKMP:(0:0:N/A:0): sending packet to 212.24.93.25 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 22 10:36:05.211: ISAKMP (0:0): received packet from 212.24.93.25 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 22 10:36:05.211: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 22 10:36:05.211: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Mar 22 10:36:05.211: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Mar 22 10:36:05.211: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 22 10:36:05.211: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 22 10:36:05.211: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Mar 22 10:36:05.211: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 22 10:36:05.211: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch
*Mar 22 10:36:05.211: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 212.24.93.25
*Mar 22 10:36:05.211: ISAKMP:(0:0:N/A:0): local preshared key found
*Mar 22 10:36:05.211: ISAKMP : Scanning profiles for xauth ...
*Mar 22 10:36:05.211: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
*Mar 22 10:36:05.211: ISAKMP:      encryption AES-CBC
*Mar 22 10:36:05.211: ISAKMP:      keylength of 256
*Mar 22 10:36:05.211: ISAKMP:      hash SHA
*Mar 22 10:36:05.211: ISAKMP:      default group 5
*Mar 22 10:36:05.211: ISAKMP:      auth pre-share
*Mar 22 10:36:05.211: ISAKMP:      life type in seconds
*Mar 22 10:36:05.211: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar 22 10:36:05.211: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Mar 22 10:36:05.327: ISAKMP:(0:44:SW:1): processing vendor id payload
*Mar 22 10:36:05.327: ISAKMP:(0:44:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 22 10:36:05.327: ISAKMP:(0:44:SW:1): vendor ID is NAT-T v2
*Mar 22 10:36:05.327: ISAKMP:(0:44:SW:1): processing vendor id payload
*Mar 22 10:36:05.327: ISAKMP:(0:44:SW:1): vendor ID seems Unity/DPD but major 194 mismatch
*Mar 22 10:36:05.327: ISAKMP:(0:44:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 22 10:36:05.331: ISAKMP:(0:44:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Mar 22 10:36:05.331: ISAKMP:(0:44:SW:1): sending packet to 212.24.93.25 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar 22 10:36:05.331: ISAKMP:(0:44:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 22 10:36:05.331: ISAKMP:(0:44:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Mar 22 10:36:05.415: ISAKMP (0:134217772): received packet from 212.24.93.25 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar 22 10:36:05.415: ISAKMP:(0:44:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 22 10:36:05.415: ISAKMP:(0:44:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Mar 22 10:36:05.415: ISAKMP:(0:44:SW:1): processing KE payload. message ID = 0
*Mar 22 10:36:05.563: ISAKMP:(0:44:SW:1): processing NONCE payload. message ID = 0
*Mar 22 10:36:05.563: ISAKMP:(0:44:SW:1):found peer pre-shared key matching 212.24.93.25
*Mar 22 10:36:05.563: ISAKMP:(0:44:SW:1):SKEYID state generated
*Mar 22 10:36:05.563: ISAKMP:(0:44:SW:1): processing vendor id payload
*Mar 22 10:36:05.563: ISAKMP:(0:44:SW:1): vendor ID is Unity
*Mar 22 10:36:05.563: ISAKMP:(0:44:SW:1): processing vendor id payload
*Mar 22 10:36:05.563: ISAKMP:(0:44:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
*Mar 22 10:36:05.563: ISAKMP:(0:44:SW:1): vendor ID is XAUTH
*Mar 22 10:36:05.563: ISAKMP:(0:44:SW:1): processing vendor id payload
*Mar 22 10:36:05.563: ISAKMP:(0:44:SW:1): speaking to another IOS box!
*Mar 22 10:36:05.563: ISAKMP:(0:44:SW:1): processing vendor id payload
*Mar 22 10:36:05.567: ISAKMP:(0:44:SW:1):vendor ID seems Unity/DPD but hash mismatch
*Mar 22 10:36:05.567: ISAKMP:received payload type 20
*Mar 22 10:36:05.567: ISAKMP (0:134217772): NAT found, the node inside NAT
*Mar 22 10:36:05.567: ISAKMP:received payload type 20
*Mar 22 10:36:05.567: ISAKMP:(0:44:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 22 10:36:05.567: ISAKMP:(0:44:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4
*Mar 22 10:36:05.575: ISAKMP:(0:44:SW:1):Send initial contact
*Mar 22 10:36:05.575: ISAKMP:(0:44:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 22 10:36:05.575: ISAKMP (0:134217772): ID payload
        next-payload : 8
        type         : 1
        address      : 193.108.215.71
        protocol     : 17
        port         : 0
        length       : 12
*Mar 22 10:36:05.575: ISAKMP:(0:44:SW:1):Total payload length: 12
*Mar 22 10:36:05.575: ISAKMP:(0:44:SW:1): sending packet to 212.24.93.25 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Mar 22 10:36:05.575: ISAKMP:(0:44:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 22 10:36:05.575: ISAKMP:(0:44:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Mar 22 10:36:15.575: ISAKMP:(0:44:SW:1): retransmitting phase 1 MM_KEY_EXCH...
*Mar 22 10:36:15.575: ISAKMP (0:134217772): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 22 10:36:15.575: ISAKMP:(0:44:SW:1): retransmitting phase 1 MM_KEY_EXCH
*Mar 22 10:36:15.575: ISAKMP:(0:44:SW:1): sending packet to 212.24.93.25 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Mar 22 10:36:25.575: ISAKMP:(0:44:SW:1): retransmitting phase 1 MM_KEY_EXCH...
*Mar 22 10:36:25.575: ISAKMP (0:134217772): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 22 10:36:25.575: ISAKMP:(0:44:SW:1): retransmitting phase 1 MM_KEY_EXCH
*Mar 22 10:36:25.575: ISAKMP:(0:44:SW:1): sending packet to 212.24.93.25 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Mar 22 10:36:35.175: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 193.108.215.71, remote= 212.24.93.25,
    local_proxy= 10.98.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 128.200.0.0/255.255.0.0/0/0 (type=4)
*Mar 22 10:36:35.175: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 193.108.215.71, remote= 212.24.93.25,
    local_proxy= 10.98.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 128.200.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xFD4D579B(4249704347), conn_id= 0, keysize= 256, flags= 0x400B
*Mar 22 10:36:35.175: ISAKMP: received ke message (1/1)
*Mar 22 10:36:35.175: ISAKMP: set new node 0 to QM_IDLE
*Mar 22 10:36:35.175: ISAKMP:(0:44:SW:1):SA is still budding. Attached new ipsec request to it. (local 193.108.215.71, remote 212.24.93.25)
*Mar 22 10:36:35.575: ISAKMP:(0:44:SW:1): retransmitting phase 1 MM_KEY_EXCH...
*Mar 22 10:36:35.575: ISAKMP (0:134217772): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar 22 10:36:35.575: ISAKMP:(0:44:SW:1): retransmitting phase 1 MM_KEY_EXCH
*Mar 22 10:36:35.575: ISAKMP:(0:44:SW:1): sending packet to 212.24.93.25 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Mar 22 10:36:45.575: ISAKMP:(0:44:SW:1): retransmitting phase 1 MM_KEY_EXCH...
*Mar 22 10:36:45.575: ISAKMP (0:134217772): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar 22 10:36:45.575: ISAKMP:(0:44:SW:1): retransmitting phase 1 MM_KEY_EXCH
*Mar 22 10:36:45.575: ISAKMP:(0:44:SW:1): sending packet to 212.24.93.25 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Mar 22 10:36:54.915: ISAKMP:(0:43:SW:1):purging node 502080051
*Mar 22 10:36:54.915: ISAKMP:(0:43:SW:1):purging node 816384034
*Mar 22 10:36:55.575: ISAKMP:(0:44:SW:1): retransmitting phase 1 MM_KEY_EXCH...
*Mar 22 10:36:55.575: ISAKMP (0:134217772): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar 22 10:36:55.575: ISAKMP:(0:44:SW:1): retransmitting phase 1 MM_KEY_EXCH
*Mar 22 10:36:55.575: ISAKMP:(0:44:SW:1): sending packet to 212.24.93.25 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Mar 22 10:37:04.915: ISAKMP:(0:43:SW:1):purging SA., sa=653A6E34, delme=653A6E34
*Mar 22 10:37:05.175: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 193.108.215.71, remote= 212.24.93.25,
    local_proxy= 10.98.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 128.200.0.0/255.255.0.0/0/0 (type=4)
*Mar 22 10:37:05.175: ISAKMP: received ke message (3/1)
*Mar 22 10:37:05.175: ISAKMP:(0:44:SW:1):peer does not do paranoid keepalives.
*Mar 22 10:37:05.175: ISAKMP:(0:44:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 212.24.93.25)
*Mar 22 10:37:05.175: ISAKMP:(0:44:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 212.24.93.25)
*Mar 22 10:37:05.175: ISAKMP: Unlocking IKE struct 0x652F5A44 for isadb_mark_sa_deleted(), count 0
*Mar 22 10:37:05.175: ISAKMP: Deleting peer node by peer_reap for 212.24.93.25: 652F5A44
*Mar 22 10:37:05.175: ISAKMP:(0:44:SW:1):deleting node 732164713 error FALSE reason "IKE deleted"
*Mar 22 10:37:05.175: ISAKMP:(0:44:SW:1):deleting node 1158825605 error FALSE reason "IKE deleted"
*Mar 22 10:37:05.175: ISAKMP:(0:44:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 22 10:37:05.175: ISAKMP:(0:44:SW:1):Old State = IKE_I_MM5  New State = IKE_DEST_SA
*Mar 22 10:37:05.175: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar 22 10:37:05.283: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 193.108.215.71, remote= 212.24.93.25,
    local_proxy= 10.98.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 128.200.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x1BB0B7D9(464566233), conn_id= 0, keysize= 256, flags= 0x400B
*Mar 22 10:37:05.283: ISAKMP: received ke message (1/1)
*Mar 22 10:37:05.283: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Mar 22 10:37:05.283: ISAKMP: Created a peer struct for 212.24.93.25, peer port 500
*Mar 22 10:37:05.283: ISAKMP: New peer created peer = 0x652F5A44 peer_handle = 0x8000002E
*Mar 22 10:37:05.283: ISAKMP: Locking peer struct 0x652F5A44, IKE refcount 1 for isakmp_initiator
*Mar 22 10:37:05.283: ISAKMP: local port 500, remote port 500
*Mar 22 10:37:05.283: ISAKMP: set new node 0 to QM_IDLE
*Mar 22 10:37:05.283: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6552C524
*Mar 22 10:37:05.283: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Mar 22 10:37:05.283: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 212.24.93.25
*Mar 22 10:37:05.283: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Mar 22 10:37:05.283: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Mar 22 10:37:05.283: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Mar 22 10:37:05.283: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 22 10:37:05.283: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar 22 10:37:05.283: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Mar 22 10:37:05.283: ISAKMP:(0:0:N/A:0): sending packet to 212.24.93.25 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 22 10:37:05.315: ISAKMP (0:0): received packet from 212.24.93.25 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 22 10:37:05.315: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 22 10:37:05.315: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Mar 22 10:37:05.315: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Mar 22 10:37:05.315: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 22 10:37:05.315: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 22 10:37:05.315: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Mar 22 10:37:05.315: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 22 10:37:05.315: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch
*Mar 22 10:37:05.315: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 212.24.93.25
*Mar 22 10:37:05.315: ISAKMP:(0:0:N/A:0): local preshared key found
*Mar 22 10:37:05.315: ISAKMP : Scanning profiles for xauth ...
*Mar 22 10:37:05.315: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
*Mar 22 10:37:05.315: ISAKMP:      encryption AES-CBC
*Mar 22 10:37:05.315: ISAKMP:      keylength of 256
*Mar 22 10:37:05.315: ISAKMP:      hash SHA
*Mar 22 10:37:05.315: ISAKMP:      default group 5
*Mar 22 10:37:05.315: ISAKMP:      auth pre-share
*Mar 22 10:37:05.315: ISAKMP:      life type in seconds
*Mar 22 10:37:05.319: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar 22 10:37:05.319: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Mar 22 10:37:05.431: ISAKMP:(0:45:SW:1): processing vendor id payload
*Mar 22 10:37:05.431: ISAKMP:(0:45:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 22 10:37:05.431: ISAKMP:(0:45:SW:1): vendor ID is NAT-T v2
*Mar 22 10:37:05.431: ISAKMP:(0:45:SW:1): processing vendor id payload
*Mar 22 10:37:05.431: ISAKMP:(0:45:SW:1): vendor ID seems Unity/DPD but major 194 mismatch
*Mar 22 10:37:05.431: ISAKMP:(0:45:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 22 10:37:05.435: ISAKMP:(0:45:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Mar 22 10:37:05.435: ISAKMP:(0:45:SW:1): sending packet to 212.24.93.25 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar 22 10:37:05.435: ISAKMP:(0:45:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 22 10:37:05.435: ISAKMP:(0:45:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Mar 22 10:37:05.519: ISAKMP (0:134217773): received packet from 212.24.93.25 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar 22 10:37:05.519: ISAKMP:(0:45:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 22 10:37:05.519: ISAKMP:(0:45:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Mar 22 10:37:05.519: ISAKMP:(0:45:SW:1): processing KE payload. message ID = 0
*Mar 22 10:37:05.667: ISAKMP:(0:45:SW:1): processing NONCE payload. message ID = 0
*Mar 22 10:37:05.667: ISAKMP:(0:45:SW:1):found peer pre-shared key matching 212.24.93.25
*Mar 22 10:37:05.667: ISAKMP:(0:45:SW:1):SKEYID state generated
*Mar 22 10:37:05.667: ISAKMP:(0:45:SW:1): processing vendor id payload
*Mar 22 10:37:05.667: ISAKMP:(0:45:SW:1): vendor ID is Unity
*Mar 22 10:37:05.667: ISAKMP:(0:45:SW:1): processing vendor id payload
*Mar 22 10:37:05.671: ISAKMP:(0:45:SW:1): vendor ID seems Unity/DPD but major 8 mismatch
*Mar 22 10:37:05.671: ISAKMP:(0:45:SW:1): vendor ID is XAUTH
*Mar 22 10:37:05.671: ISAKMP:(0:45:SW:1): processing vendor id payload
*Mar 22 10:37:05.671: ISAKMP:(0:45:SW:1): speaking to another IOS box!
*Mar 22 10:37:05.671: ISAKMP:(0:45:SW:1): processing vendor id payload
*Mar 22 10:37:05.671: ISAKMP:(0:45:SW:1):vendor ID seems Unity/DPD but hash mismatch
*Mar 22 10:37:05.671: ISAKMP:received payload type 20
*Mar 22 10:37:05.671: ISAKMP (0:134217773): NAT found, the node inside NAT
*Mar 22 10:37:05.671: ISAKMP:received payload type 20
*Mar 22 10:37:05.671: ISAKMP:(0:45:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 22 10:37:05.671: ISAKMP:(0:45:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4
*Mar 22 10:37:05.679: ISAKMP:(0:45:SW:1):Send initial contact
*Mar 22 10:37:05.679: ISAKMP:(0:45:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 22 10:37:05.679: ISAKMP (0:134217773): ID payload
        next-payload : 8
        type         : 1
        address      : 193.108.215.71
        protocol     : 17
        port         : 0
        length       : 12
*Mar 22 10:37:05.679: ISAKMP:(0:45:SW:1):Total payload length: 12
*Mar 22 10:37:05.679: ISAKMP:(0:45:SW:1): sending packet to 212.24.93.25 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Mar 22 10:37:05.683: ISAKMP:(0:45:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 22 10:37:05.683: ISAKMP:(0:45:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5

2 REPLIES
Bronze

IPSec VPN not working

crypto isakmp key ########### address 212.24.93.25 no-xauth

access-list 121 permit udp any any eq 500

access-list 121 permit udp any any eq 4500

access-list 121 permit esp any any

If you don't want to use UDP 4500 (NAT-T), I suggest that you disable it on your router:

no crypto ipsec nat-transparency udp-encapsulation

This will disable NAT-T and force the router to use ESP.

Do you also allow UDP 500, UDP 4500 and ESP traffic across the CP firewall in both directions? Please provide the "uname -a" and "fw ver" output of the Checkpoint firewall.

New Member

IPSec VPN not working

Hi,

Unfortunately I do not have any control over the Checkpoint firewall; all I know is that all ports are open for our ASA.

We have, however, managed to get a workaround for now by removing the "ip access-group 121 in" from the Fa0/0 interface!!

As far as I can see the ACL (121) is correct, so I do not understand why this has worked???
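An added example (not from any poster in this thread) that evaluates the posted access-list 121 against the inbound flows visible in the debug: the IKE exchange on UDP 500, ESP, and the IKE packets the router moved to UDP 4500 after logging "NAT found, the node inside NAT". The ACL matcher covers only the syntax used on the page and the flow tuples are constructed from the debug lines; it shows which of those flows the inbound ACL on Fa0/0 would drop.

```python
# Minimal IOS-style extended ACL matcher for the subset of syntax on the page
# (permit/deny, ip/udp/esp, host/any/wildcard, 'eq <port>') plus implicit deny.
import ipaddress

# access-list 121 exactly as posted in the thread (remark line omitted).
ACL_121 = [
    "deny ip 127.0.0.0 0.255.255.255 any",
    "deny ip 224.0.0.0 31.255.255.255 any",
    "permit udp host 212.24.93.25 eq isakmp any eq isakmp",
    "permit esp host 212.24.93.25 any",
    "permit ip 10.128.0.0 0.0.3.255 10.98.0.0 0.0.0.255",
    "permit ip 128.200.0.0 0.0.255.255 10.98.0.0 0.0.0.255",
    "permit ip host 193.108.215.65 any",
    "permit ip host 193.108.215.66 any",
]
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}  # IOS port keywords

def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard masks are inverted netmasks: 0.0.3.255 -> 255.255.252.0
    mask = ".".join(str(255 - int(o)) for o in tokens[1].split("."))
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def _parse_port(tokens):
    """Consume an optional 'eq <port>'; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        return PORT_NAMES.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens

def parse_ace(line):
    """Split one access-control entry into its match criteria."""
    action, proto, *rest = line.split()
    src, rest = _parse_addr(rest)
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, _ = _parse_port(rest)
    return action, proto, src, sport, dst, dport

def evaluate(acl, proto, src, sport, dst, dport):
    """First-match evaluation; returns (action, matching line or 'implicit deny')."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        action, a_proto, a_src, a_sport, a_dst, a_dport = parse_ace(line)
        if a_proto not in ("ip", proto) or src not in a_src or dst not in a_dst:
            continue
        if a_sport not in (None, sport) or a_dport not in (None, dport):
            continue
        return action, line
    return "deny", "implicit deny"

PEER, ROUTER = "212.24.93.25", "193.108.215.71"
# Inbound flows constructed from the debug: IKE main mode on UDP 500, ESP, and
# the IKE packets on UDP 4500 that follow "NAT found, the node inside NAT".
FLOWS = {
    "ike_udp500": ("udp", PEER, 500, ROUTER, 500),
    "esp": ("esp", PEER, None, ROUTER, None),
    "ike_natt_udp4500": ("udp", PEER, 4500, ROUTER, 4500),
}

def check_flows():
    """Map each flow name to the verdict ACL 121 gives it inbound on Fa0/0."""
    return {name: evaluate(ACL_121, *flow)[0] for name, flow in FLOWS.items()}
```

Running `check_flows()` returns permit for the UDP 500 and ESP flows and deny for the UDP 4500 flow, which is the port the debug shows the router switching to once NAT-T is negotiated.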
