08-27-2013 06:50 AM
I am trying to set up a VPN with a service provider. Here is what they have given me for phase 2:
Encryption: AES256
Authentication: SHA1
PFS (On/Off): On
DH Group: 5
Key Lifetime: 28800
Autokey Keepalive (On/Off): On
Replay Detection (On/Off): On
Here is what I configured:
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
!
!
crypto map VPN local-address Serial0/0/1:1
crypto map VPN 1 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set security-association lifetime seconds 28800
set transform-set VPN
set pfs group5
match address SS_VPN
Currently Phase 2 is not working. Please let me know if you need more of the config.
THANKS!
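An added example, not written by anyone in this thread: a small Python check that reads the IOS transform-set and crypto map entry quoted in the post above and compares them, field by field, with the provider's phase 2 sheet. The config is embedded as posted (the masked peer address is kept as a placeholder); the keyword-to-name mapping, the function names and the `PROVIDER_PHASE2` dictionary are this example's own assumptions.

```python
import re

# Phase 2 parameters as given by the provider in the post above.
PROVIDER_PHASE2 = {
    "encryption": "AES256",
    "authentication": "SHA1",
    "pfs": "On",
    "dh_group": "5",
    "lifetime": "28800",
}

# IOS config as posted; the peer address was masked in the thread and stays a placeholder.
IOS_CONFIG = """\
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
!
crypto map VPN local-address Serial0/0/1:1
crypto map VPN 1 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set security-association lifetime seconds 28800
 set transform-set VPN
 set pfs group5
 match address SS_VPN
"""

# Assumed mapping from IOS transform-set keywords to the names used on the provider sheet.
ESP_ENCRYPTION = {
    ("esp-aes", "256"): "AES256",
    ("esp-aes", "192"): "AES192",
    ("esp-aes", None): "AES128",   # esp-aes with no key size is 128-bit
    ("esp-3des", None): "3DES",
    ("esp-des", None): "DES",
}
ESP_AUTH = {"esp-sha-hmac": "SHA1", "esp-md5-hmac": "MD5"}


def parse_transform_sets(config):
    """Return {name: (encryption, authentication)} for every transform-set line."""
    sets = {}
    for line in config.splitlines():
        m = re.match(r"\s*crypto ipsec transform-set (\S+) (.*)", line)
        if not m:
            continue
        name, tokens = m.group(1), m.group(2).split()
        enc = auth = None
        i = 0
        while i < len(tokens):
            tok, keysize = tokens[i], None
            # esp-aes may be followed by a key size (128/192/256)
            if tok == "esp-aes" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
                keysize = tokens[i + 1]
                i += 1
            if (tok, keysize) in ESP_ENCRYPTION:
                enc = ESP_ENCRYPTION[(tok, keysize)]
            elif tok in ESP_AUTH:
                auth = ESP_AUTH[tok]
            i += 1
        sets[name] = (enc, auth)
    return sets


def parse_crypto_map_entry(config, map_name, seq):
    """Collect the settings of one 'crypto map <name> <seq>' entry into a dict."""
    entry, in_entry = {}, False
    for line in config.splitlines():
        if re.match(rf"\s*crypto map {map_name} {seq} ", line):
            in_entry = True
            continue
        if in_entry and re.match(r"\s*crypto map ", line):
            break  # start of the next entry
        if not in_entry:
            continue
        s = line.strip()
        if s.startswith("set transform-set "):
            entry["transform_set"] = s.split()[2]
        elif s.startswith("set pfs "):
            entry["pfs_group"] = s.split()[2]  # e.g. "group5"
        elif s.startswith("set security-association lifetime seconds "):
            entry["lifetime"] = s.split()[-1]
        elif s.startswith("match address "):
            entry["acl"] = s.split()[2]
    return entry


def check_phase2(config, map_name, seq, required):
    """Return a list of mismatches between the crypto map entry and the provider sheet."""
    sets = parse_transform_sets(config)
    entry = parse_crypto_map_entry(config, map_name, seq)
    problems = []
    ts = sets.get(entry.get("transform_set"))
    enc, auth = ts if ts else (None, None)
    if ts is None:
        problems.append("transform-set missing or not defined")
    if enc != required["encryption"]:
        problems.append(f"encryption {enc} != {required['encryption']}")
    if auth != required["authentication"]:
        problems.append(f"authentication {auth} != {required['authentication']}")
    pfs = entry.get("pfs_group")
    if required["pfs"] == "On":
        if pfs != "group" + required["dh_group"]:
            problems.append(f"pfs {pfs} != group{required['dh_group']}")
    elif pfs is not None:
        problems.append("pfs configured but provider has PFS off")
    if entry.get("lifetime") != required["lifetime"]:
        problems.append(f"lifetime {entry.get('lifetime')} != {required['lifetime']}")
    return problems


if __name__ == "__main__":
    print(check_phase2(IOS_CONFIG, "VPN", "1", PROVIDER_PHASE2) or "phase 2 settings match the sheet")
```

Run against the posted config this reports no mismatch, which is the point the later replies make: the transform set and PFS group are consistent with the sheet, so the fault has to be looked for elsewhere (the peer's proposal or the selectors).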
08-27-2013 12:53 PM
Are you sure phase 1 is completing successfully?
Those parameters that you mention are for Phase 1 and don't have anything to do with Phase 2.
Did they give you a preshared key (which is configured under the tunnel-group)? Also the pfs, although it is also DH, is a second DH algorithm for extra security. Double check if they have the pfs configured also.
Either way, your config should look something like this (I have not included the NAT exempt statements):
access-list cryptoACL extended permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 1 match address cryptoACL
crypto map outside_map 1 set peer 172.17.1.1
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
tunnel-group 172.17.1.1 type ipsec-l2l
tunnel-group 172.17.1.1 ipsec-attributes
 pre-shared-key cisco123
08-27-2013 01:14 PM
He is using an IOS-router, not an ASA.
Based on the info, the config looks fine. But the question is the same: Is Phase one finishing?
What is the output of "show crypto isakmp sa"? If it's not QM_IDLE, it should be debugged with "debug crypto isakmp".
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-27-2013 01:18 PM
Well, I overlooked that. But would still check to see if the transform set matches the other end and if DH is configured in phase 2 also (pfs config).
08-28-2013 07:27 AM
Here are some show commands. There is zero output from debug crypto ipsec.
MC-2550-DC-VG01#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
x.x.x.x x.x.x.x QM_IDLE 1055 0 ACTIVE
MC-2550-DC-VG01#sh crypto ips sa
interface: Serial0/0/1:1
Crypto map tag: VPN, local addr x.x.x.x
protected vrf: (none)
local ident (addr/mask/prot/port): (10.24.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1:1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Output from debug crypto isa
*Aug 28 09:30:16.987 CST: ISAKMP:(1055):purging node 558338111
MC-2550-DC-VG01#
*Aug 28 09:30:20.827 CST: ISAKMP: set new node 1913143294 to QM_IDLE
*Aug 28 09:30:20.827 CST: ISAKMP:(1055):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 1200032232, message ID = 1913143294
*Aug 28 09:30:20.827 CST: ISAKMP:(1055): seq. no 0x3AB85382
*Aug 28 09:30:20.827 CST: ISAKMP:(1055): sending packet to x.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
*Aug 28 09:30:20.827 CST: ISAKMP:(1055):Sending an IKE IPv4 Packet.
*Aug 28 09:30:20.827 CST: ISAKMP:(1055):purging node 1913143294
*Aug 28 09:30:20.827 CST: ISAKMP:(1055):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
*Aug 28 09:30:20.827 CST: ISAKMP:(1055):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Aug 28 09:30:20.867 CST: ISAKMP (0:1055): received packet from x.x.x.x dport 500 sport 500 Global (R) QM_IDLE
*Aug 28 09:30:20.871 CST: ISAKMP: set new node 580432525 to QM_IDLE
*Aug 28 09:30:20.871 CST: ISAKMP:(1055): processing HASH payload. message ID = 580432525
*Aug 28 09:30:20.871 CST: ISAKMP:(1055): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 580432525, sa = 4AE05AF0
*Aug 28 09:30:20.871 CST: ISAKMP:(1055): DPD/R_U_THERE_ACK received from peer x.x.x.x, sequence 0x3AB85382
And it repeats over and over.
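As an added example, not something any poster wrote: a small Python parser over the two show outputs above, embedded as constructed samples with the addresses masked the way the post has them. It reports what the replies conclude by eye, namely that Phase 1 is in QM_IDLE but no IPsec SA was ever installed (outbound SPI 0x0, empty esp sas sections, zero encap/decap counters). The function names and the wording of the findings are this example's own.

```python
import re

# Constructed sample of 'show crypto isakmp sa', modelled on the post above.
SHOW_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
x.x.x.x         x.x.x.x         QM_IDLE           1055    0 ACTIVE
"""

# Constructed sample of 'show crypto ipsec sa' with the same values as the post.
SHOW_IPSEC_SA = """\
interface: Serial0/0/1:1
    Crypto map tag: VPN, local addr x.x.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.24.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1:1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     outbound esp sas:

     outbound ah sas:
"""


def phase1_states(show_isakmp):
    """Return {conn_id: state} for each ISAKMP SA row (header rows have no numeric conn-id)."""
    states = {}
    for line in show_isakmp.splitlines():
        m = re.match(r"\s*\S+\s+\S+\s+(\S+)\s+(\d+)\s+\d+\s+\S+", line)
        if m:
            states[int(m.group(2))] = m.group(1)
    return states


def parse_ipsec_sa(show_ipsec):
    """Extract the fields that show whether a Phase 2 SA was ever built."""
    info = {"esp_spis": {"inbound": [], "outbound": []}}
    section = None  # which 'esp sas:' block we are inside, if any
    for line in show_ipsec.splitlines():
        s = line.strip()
        if m := re.match(r"local\s+ident \(addr/mask/prot/port\): \((\S+)\)", s):
            info["local_ident"] = m.group(1)
        elif m := re.match(r"remote\s+ident \(addr/mask/prot/port\): \((\S+)\)", s):
            info["remote_ident"] = m.group(1)
        elif m := re.match(r"#pkts encaps: (\d+), #pkts encrypt: (\d+)", s):
            info["encaps"] = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", s):
            info["decaps"] = int(m.group(1))
        elif m := re.match(r"current outbound spi: (0x[0-9A-Fa-f]+)", s):
            info["outbound_spi"] = int(m.group(1), 16)
        elif m := re.match(r"(inbound|outbound) esp sas:", s):
            section = m.group(1)
        elif re.match(r"(inbound|outbound) (ah|pcp) sas:", s):
            section = None
        elif section and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", s)):
            info["esp_spis"][section].append(int(m.group(1), 16))  # an installed ESP SA
    return info


def diagnose(show_isakmp, show_ipsec):
    """Turn the two outputs into a short list of findings, Phase 1 first."""
    p1 = phase1_states(show_isakmp)
    sa = parse_ipsec_sa(show_ipsec)
    findings = []
    if not any(st == "QM_IDLE" for st in p1.values()):
        findings.append("Phase 1 not complete: no ISAKMP SA in QM_IDLE")
        return findings
    findings.append("Phase 1 complete (QM_IDLE)")
    have_esp = sa["esp_spis"]["inbound"] or sa["esp_spis"]["outbound"]
    if sa.get("outbound_spi", 0) == 0 and not have_esp:
        findings.append("Phase 2 never established: outbound SPI 0x0 and no ESP SAs")
    if sa.get("remote_ident") == "0.0.0.0/0.0.0.0/0/0":
        findings.append("remote ident is any (0.0.0.0/0): confirm the peer proposes the same selector")
    if sa.get("encaps", 0) == 0 and sa.get("decaps", 0) == 0:
        findings.append("no packets encapsulated or decapsulated yet")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SHOW_ISAKMP_SA, SHOW_IPSEC_SA):
        print(finding)
```

The ordering mirrors the troubleshooting order the replies use: settle Phase 1 from the ISAKMP state first, then look at the IPsec SA block, where an outbound SPI of 0x0 together with empty esp sas sections means Quick Mode never produced a child SA, so the selectors and the peer's proposal are what to compare next.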
08-28-2013 08:07 AM
local ident (addr/mask/prot/port): (10.24.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
You have to adjust your crypto-ACL and change the destination to the network that your peer gave you.
08-28-2013 08:17 AM
They gave me "any". I think that is what the all 0s means.
We are supposed to be able to send web traffic out of it and have them do the webfiltering.
08-28-2013 12:11 PM
OK, quite uncommon, but then the remote identity is OK. Ask the other side if they see anything in the debugs.