Phase 2 help!

nkillgore
Level 1

I am trying to set up a VPN with a service provider. Here is what they have given me for phase 2:

Encryption: AES256
Authentication: SHA1
PFS (On/Off): On
DH Group: 5
Key Lifetime: 28800
Autokey Keepalive (On/Off): On
Replay Detection (On/Off): On

Here is what I configured:

crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
!
!
crypto map VPN local-address Serial0/0/1:1
crypto map VPN 1 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set security-association lifetime seconds 28800
 set transform-set VPN
 set pfs group5
 match address SS_VPN

Currently Phase 2 is not working. Please let me know if you need more of the config.

THANKS!
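As an added worked example (not part of the thread), here is a small Python checker that translates the provider's phase-2 sheet into the IOS transform-set, pfs and lifetime arguments and diffs them against the posted crypto map. The sheet and config strings are constructed from the values quoted above; ESP_ENC/ESP_AUTH hold the usual IOS spellings of the sheet wording, and LEGACY is this example's own list of choices below today's baseline (DH group 5 is 1536-bit MODP, where 2048-bit group 14 is the common floor). Keepalive and replay detection are not compared: IOS anti-replay is on by default, and keepalives are configured under ISAKMP, not in the crypto map.

```python
import re

# Provider's phase-2 sheet, constructed from the values quoted in the post above.
PROVIDER_SHEET = """
Encryption: AES256
Authentication: SHA1
PFS (On/Off): On
DH Group: 5
Key Lifetime: 28800
Autokey Keepalive (On/Off): On
Replay Detection (On/Off): On
"""

# Transform set and crypto map as posted (peer address masked in the post).
IOS_CONFIG = """
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
crypto map VPN local-address Serial0/0/1:1
crypto map VPN 1 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set security-association lifetime seconds 28800
 set transform-set VPN
 set pfs group5
 match address SS_VPN
"""

# How the usual sheet wording spells out as IOS transform-set / pfs arguments.
ESP_ENC = {"DES": "esp-des", "3DES": "esp-3des", "AES128": "esp-aes",
           "AES192": "esp-aes 192", "AES256": "esp-aes 256"}
ESP_AUTH = {"MD5": "esp-md5-hmac", "SHA1": "esp-sha-hmac"}
# This example's own list of choices below today's baseline (group 5 = 1536-bit MODP).
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac", "group1", "group2", "group5"}


def parse_sheet(text):
    """'Key (On/Off): value' lines -> {'key': 'value'} with lower-cased keys."""
    sheet = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        key = re.sub(r"\s*\(.*?\)", "", key).strip().lower()
        sheet[key] = value.strip()
    return sheet


def parse_ios(text):
    """Collect the transform sets plus the pfs/lifetime/transform-set lines of the crypto map."""
    cfg = {"transform_sets": {}, "transform_set": None, "pfs": None, "lifetime": None}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["transform_sets"][m.group(1)] = m.group(2).strip()
        elif m := re.match(r"set transform-set (\S+)", line):
            cfg["transform_set"] = m.group(1)
        elif m := re.match(r"set pfs (\S+)", line):
            cfg["pfs"] = m.group(1)
        elif m := re.match(r"set security-association lifetime seconds (\d+)", line):
            cfg["lifetime"] = int(m.group(1))
    return cfg


def expected_from_sheet(sheet):
    """Translate the sheet into the IOS arguments the crypto map should carry."""
    enc = ESP_ENC[sheet["encryption"].upper().replace("-", "")]
    auth = ESP_AUTH[sheet["authentication"].upper().replace("-", "")]
    pfs = f"group{sheet['dh group']}" if sheet.get("pfs", "off").lower() == "on" else None
    return {"transform": f"{enc} {auth}", "pfs": pfs, "lifetime": int(sheet["key lifetime"])}


def check(sheet_text, ios_text):
    """Return a list of findings; empty means the crypto map matches the sheet with no legacy choices."""
    exp = expected_from_sheet(parse_sheet(sheet_text))
    cfg = parse_ios(ios_text)
    findings = []
    ts = cfg["transform_sets"].get(cfg["transform_set"])
    if ts is None:
        findings.append(f"crypto map references transform-set {cfg['transform_set']!r}, which is not defined")
    elif ts != exp["transform"]:
        findings.append(f"transform-set is '{ts}', sheet requires '{exp['transform']}'")
    if cfg["pfs"] != exp["pfs"]:
        findings.append(f"pfs is {cfg['pfs']}, sheet requires {exp['pfs']}")
    if cfg["lifetime"] != exp["lifetime"]:
        findings.append(f"SA lifetime is {cfg['lifetime']}, sheet requires {exp['lifetime']}")
    for token in (ts or "").split() + ([cfg["pfs"]] if cfg["pfs"] else []):
        if token in LEGACY:
            findings.append(f"{token} is below current recommendations; ask the provider for a stronger option")
    return findings


if __name__ == "__main__":
    for finding in check(PROVIDER_SHEET, IOS_CONFIG) or ["crypto map matches the sheet"]:
        print(finding)
```

Run against the posted config, the only finding is the legacy DH group: the transform set, PFS group and 28800-second lifetime all match the sheet, which is why the replies below move on to asking whether phase 1 completes and whether any traffic matches the crypto ACL.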

7 Replies

Are you sure phase 1 is completing successfully?

Those parameters that you mention are for Phase 1 and don't have anything to do with Phase 2.

Did they give you a preshared key (which is configured under the tunnel-group)? Also the PFS, although it is also DH, is a second DH algorithm for extra security. Double check if they have the PFS configured also.

Either way, your config should look something like this (I have not included the NAT exempt statements):

access-list cryptoACL extended permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 1 match address cryptoACL
crypto map outside_map 1 set peer 172.17.1.1
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside

crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400

tunnel-group 172.17.1.1 type ipsec-l2l
tunnel-group 172.17.1.1 ipsec-attributes
 pre-shared-key cisco123
--
Please remember to select a correct answer and rate helpful posts

He is using an IOS-router, not an ASA.

Based on the info, the config looks fine. But the question is the same: Is Phase one finishing?

What is the output of "show crypto isakmp sa"? If it's not QM_IDLE, it should be debugged with "debug crypto isakmp".

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Well, I overlooked that.  But would still check to see if the transform set matches the other end and if DH is configured in phase 2 also (pfs config).


Here are some show commands. There is zero output from debug crypto ipsec.

MC-2550-DC-VG01#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id    slot status
x.x.x.x        x.x.x.x       QM_IDLE           1055    0 ACTIVE

MC-2550-DC-VG01#sh crypto ips sa
interface: Serial0/0/1:1
    Crypto map tag: VPN, local addr x.x.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.24.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1:1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Output from debug crypto isa:

*Aug 28 09:30:16.987 CST: ISAKMP:(1055):purging node 558338111
MC-2550-DC-VG01#
*Aug 28 09:30:20.827 CST: ISAKMP: set new node 1913143294 to QM_IDLE
*Aug 28 09:30:20.827 CST: ISAKMP:(1055):Sending NOTIFY DPD/R_U_THERE protocol 1
        spi 1200032232, message ID = 1913143294
*Aug 28 09:30:20.827 CST: ISAKMP:(1055): seq. no 0x3AB85382
*Aug 28 09:30:20.827 CST: ISAKMP:(1055): sending packet to x.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
*Aug 28 09:30:20.827 CST: ISAKMP:(1055):Sending an IKE IPv4 Packet.
*Aug 28 09:30:20.827 CST: ISAKMP:(1055):purging node 1913143294
*Aug 28 09:30:20.827 CST: ISAKMP:(1055):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
*Aug 28 09:30:20.827 CST: ISAKMP:(1055):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Aug 28 09:30:20.867 CST: ISAKMP (0:1055): received packet from x.x.x.x dport 500 sport 500 Global (R) QM_IDLE
*Aug 28 09:30:20.871 CST: ISAKMP: set new node 580432525 to QM_IDLE
*Aug 28 09:30:20.871 CST: ISAKMP:(1055): processing HASH payload. message ID = 580432525
*Aug 28 09:30:20.871 CST: ISAKMP:(1055): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 0, message ID = 580432525, sa = 4AE05AF0
*Aug 28 09:30:20.871 CST: ISAKMP:(1055): DPD/R_U_THERE_ACK received from peer x.x.x.x, sequence 0x3AB85382

and it repeats over and over
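The show output above is the classic "phase 1 up, phase 2 never attempted" picture: the ISAKMP SA sits in QM_IDLE exchanging only DPD keepalives, while the IPsec entry has zero encaps, a zero outbound SPI and no ESP SAs. As an added example (not from the thread), the Python below parses both show commands and names the state; the two sample outputs are constructed from the text quoted above, with addresses masked as in the post. It also handles the other outcomes a practitioner meets next: phase 1 not in QM_IDLE, encaps without decaps (one-way traffic), and SAs that have expired after traffic flowed.

```python
import re

# Sample output constructed from the 'show crypto isakmp sa' / 'show crypto ipsec sa'
# quoted in the post above (addresses masked as in the post).
ISAKMP_SA = """
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id    slot status
x.x.x.x        x.x.x.x       QM_IDLE           1055    0 ACTIVE
"""

IPSEC_SA = """
interface: Serial0/0/1:1
    Crypto map tag: VPN, local addr x.x.x.x
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.24.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
"""


def parse_isakmp_sa(text):
    """State column of every ISAKMP SA row (dst, src, STATE, conn-id ...)."""
    return re.findall(r"^\S+\s+\S+\s+([A-Z_]+)\s+\d+", text, re.M)


def parse_ipsec_sa(text):
    """Identities, counters and number of live ESP SAs for one crypto-map entry."""
    def grab(pattern, cast=str, default=None):
        m = re.search(pattern, text, re.M)
        return cast(m.group(1)) if m else default
    return {
        "local_ident": grab(r"local\s+ident \(addr/mask/prot/port\): \(([^)]+)\)"),
        "remote_ident": grab(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)"),
        "encaps": grab(r"#pkts encaps: (\d+)", int, 0),
        "decaps": grab(r"#pkts decaps: (\d+)", int, 0),
        "send_errors": grab(r"#send errors (\d+)", int, 0),
        # each live SA is listed as 'spi: 0x...(...)'; 'current outbound spi' is not one
        "esp_sas": len(re.findall(r"^\s*spi: 0x[0-9A-Fa-f]+\(\d+\)", text, re.M)),
    }


def diagnose(isakmp_text, ipsec_text):
    """Return (code, explanation) for the tunnel state the two show commands describe."""
    states = parse_isakmp_sa(isakmp_text)
    sa = parse_ipsec_sa(ipsec_text)
    if "QM_IDLE" not in states:
        return ("PHASE1_DOWN",
                f"ISAKMP states {states or ['none']}: phase 1 never completed, run debug crypto isakmp")
    if sa["esp_sas"] == 0 and sa["encaps"] == 0:
        # Nothing matched the crypto ACL, so quick mode was never initiated from this side;
        # the peer's proxy IDs must mirror ours (here 10.24.2.0/24 <-> any) once it is.
        return ("NO_INTERESTING_TRAFFIC",
                f"phase 1 is QM_IDLE but no ESP SA exists and nothing was encapsulated: no packet from "
                f"{sa['local_ident']} to {sa['remote_ident']} has hit the crypto ACL yet; send traffic "
                "sourced from the local subnet and watch debug crypto ipsec")
    if sa["esp_sas"] == 0:
        return ("SA_GONE", "ESP SAs expired or were cleared after traffic flowed; the next matching packet re-keys")
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        return ("ONE_WAY", "we encrypt but receive nothing: check the peer's mirror-image proxy IDs, routing and NAT")
    return ("UP", f"{sa['esp_sas']} ESP SAs, {sa['encaps']} encaps / {sa['decaps']} decaps")


if __name__ == "__main__":
    print(*diagnose(ISAKMP_SA, IPSEC_SA), sep=": ")
```

Note that the empty debug crypto ipsec output the poster reports is consistent with this reading: IOS only starts quick mode when a packet matches the crypto ACL, so a silent IPsec debug plus zero encaps means the test traffic never reached the crypto map, not that the phase-2 proposal was rejected.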

   local  ident (addr/mask/prot/port): (10.24.2.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

You have to adjust your crypto-ACL and change the destination to the network that your peer gave you.


They gave me "any". I think that is what the all 0s means.

We are supposed to be able to send web traffic out of it and have them do the webfiltering.

OK, quite uncommon, but then the remote identity is OK. Ask the other side if they see anything in the debugs.
