09-07-2012 05:05 PM - edited 02-21-2020 06:19 PM
Hi,
I have a problem that I can see some solutions for but they do not work.
I have a p2p IPSec vpn that worked before I added a remote access VPN configuration (which works perfectly).
As per documentation I employed isakmp policy to allow the mixed tunnels. Now whenever I try to send traffic across the l2l link I am getting the following debug results which tell me the remote router is demanding XAUTH.
Sep 8 09:53:12: ISAKMP:(2015):Total payload length: 12
Sep 8 09:53:12: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) MM_KEY_EXCH
Sep 8 09:53:12: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep 8 09:53:12: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Sep 8 09:53:12: ISAKMP:(2015):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
Sep 8 09:53:12: ISAKMP:(2015):Need XAUTH
Sep 8 09:53:12: ISAKMP: set new node 1635909437 to CONF_XAUTH
Sep 8 09:53:12: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
Sep 8 09:53:12: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
Sep 8 09:53:12: ISAKMP:(2015): initiating peer config to [source]. ID = 1635909437
Sep 8 09:53:12: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
Sep 8 09:53:12: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep 8 09:53:12: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Sep 8 09:53:12: ISAKMP:(2015):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT
Sep 8 09:53:12: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep 8 09:53:20: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep 8 09:53:27: ISAKMP:(2015): retransmitting phase 2 CONF_XAUTH 1635909437 ...
Sep 8 09:53:27: ISAKMP (2015): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
Sep 8 09:53:27: ISAKMP (2015): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
Sep 8 09:53:27: ISAKMP:(2015): retransmitting phase 2 1635909437 CONF_XAUTH
Sep 8 09:53:27: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
Sep 8 09:53:27: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep 8 09:53:28: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep 8 09:53:36: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep 8 09:53:42: ISAKMP:(2015): retransmitting phase 2 CONF_XAUTH 1635909437 ...
Sep 8 09:53:42: ISAKMP (2015): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
Sep 8 09:53:42: ISAKMP (2015): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
Sep 8 09:53:42: ISAKMP:(2015): retransmitting phase 2 1635909437 CONF_XAUTH
Sep 8 09:53:42: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
Sep 8 09:53:42: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep 8 09:53:44: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep 8 09:53:44: ISAKMP: set new node 2054552354 to CONF_XAUTH
Sep 8 09:53:44: ISAKMP:(2015): processing HASH payload. message ID = 2054552354
Sep 8 09:53:44: ISAKMP:(2015): processing DELETE payload. message ID = 2054552354
Sep 8 09:53:44: ISAKMP:(2015):peer does not do paranoid keepalives.
So it looks like Phase 1 is completing sans XAUTH.
Here is my crypto configuration:
crypto keyring s2s
pre-shared-key address [source] key [key]
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 5
encr 3des
authentication pre-share
lifetime 28800
!
crypto isakmp policy 10
authentication pre-share
lifetime 28800
!
crypto isakmp client configuration group [RA_GROUP]
key [key2]
dns 192.168.7.7
wins 192.168.7.222
domain ninterface.com
pool SDM_POOL_1
acl 100
max-users 6
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group [RA_GROUP]
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto isakmp profile ISA_PROF
keyring s2s
match identity address [source] 255.255.255.255
crypto isakmp profile softclient
match identity group [RA_GROUP]
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_grop_ml_1
client configuration address respond
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set VPN_T_BW esp-3des esp-sha-hmac
crypto ipsec transform-set MY-SET esp-aes 256 esp-sha-hmac
crypto ipsec transform-set trans-rem esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto dynamic-map [RA_GROUP] 77
set transform-set trans-rem
set isakmp-profile softclient
reverse-route
!
!
!
crypto map clientmap client authentication list RAD_GRP
crypto map clientmap isakmp authorization list rtr-remote
crypto map clientmap client configuration address respond
crypto map clientmap 77 ipsec-isakmp dynamic [RA_GROUP]
!
crypto map [RA_GROUP] client configuration address respond
!
crypto map remote-map isakmp authorization list rtr-remote
!
crypto map rtp 10 ipsec-isakmp
set peer [source]
set transform-set MY-SET
set pfs group2
match address 111
It's a bit of a dog's breakfast as I am just now implementing policy.
I was successful at blocking xauth before I was using policy by adding no_xauth to the end of my key statement but I cannot work out how to add this while using policy.
I'm betting something simple I've missed.
Thanks for your help!
09-07-2012 06:10 PM
Hi Bruno,
Thanks for the brief explanation.
Which crypto map is applied on the outside interface?
I think the "crypto isakmp profile" solution is the best way, and they seem to be ok, however, we must remember that you can only have one crypto map per interface, so you should have something like this:
1- crypto dynamic-map outside_dynamic 10
set transform-set ESP-AES-SHA
2- crypto map outside_map 10 ipsec-isakmp
set peer xxxx.xxxx.xxxx.xxxx
3- crypto map outside_map 65535 ipsec-isakmp dynamic outside_dynamic
4- interface f0/0
crypto map outside_map
*I am not configuring the entire crypto configuration, just wanted to give a better idea.
Please correct your configuration to reflect only one single crypto map.
Just to add some more information about the isakmp profiles:
Let me know.
Thanks.
Portu.
09-07-2012 07:22 PM
Thanks Portu,
I'm going to have a play around with my config now.
I hadn't removed the old crypto maps in case I had to go back, the map that is applied is:
crypto map clientmap
I'll have another read over that link and see how I go, still struggling slightly with the dynamic maps.
Thanks for your input, I'll see how I go and revert.
Cheers,
Bruno
09-07-2012 07:40 PM
Ok so on investigation I can see that my 3am hackjob was worse than I thought :|
I can see that above I have 2 different crypto maps where I thought I had combined them into one. I have now changed
crypto map rtp 10 ipsec-isakmp
set peer [source]
set transform-set MY-SET
set pfs group2
match address 111
to
crypto map clientmap 10 ipsec-isakmp
set peer [source]
set transform-set MY-SET
set pfs group2
match address 111
Still getting the same problem so I'll keep investigating but if anything sticks out let me know
b
09-07-2012 08:02 PM
Got it!
Ok so I hadn't removed some details from a SUPER old configuration.
I had these:
crypto map clientmap client authentication list RAD_GRP
crypto map clientmap isakmp authorization list rtr-remote
applied to the whole clientmap that included the L2L. These are a legacy pair of entries that I've now removed when I noticed this was already being done here:
crypto isakmp profile ciscocp-ike-profile-1
match identity group conf-rem-adm
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
:|
Very silly boy!
Thanks Portu for your help, you definitely cleared my haze so I could find this.
B
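The root cause above is a map-wide "client authentication list" statement that drags every entry of the crypto map, the static L2L peer included, into XAUTH. The following Python check is an added example (not from this thread or from Cisco) that scans an IOS-style crypto map configuration for exactly that mix; the sample config, peer addresses and map names are constructed placeholders.

```python
import re

# Constructed sample modelled on the thread: a map-wide "client authentication list"
# on the same crypto map that also carries a static (non-dynamic) L2L entry.
# Addresses and list names are placeholders, not real values.
SAMPLE_CONFIG = """\
crypto map clientmap client authentication list RAD_GRP
crypto map clientmap isakmp authorization list rtr-remote
crypto map clientmap client configuration address respond
crypto map clientmap 77 ipsec-isakmp dynamic RA_GROUP
crypto map clientmap 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set MY-SET
 match address 111
crypto map safe-map 10 ipsec-isakmp
 set peer 198.51.100.20
 match address 112
"""

# Map-wide XAUTH statement: applies to every entry of that map.
MAP_WIDE = re.compile(r"^crypto map (\S+) client authentication list (\S+)")
# Numbered map entry; the optional "dynamic <name>" marks a remote-access entry.
ENTRY = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?")
SET_PEER = re.compile(r"\s+set peer (\S+)")

def find_xauth_forced_l2l(config: str):
    """Return (map, seq, peer, auth_list) for every static L2L entry that sits in a
    crypto map carrying a map-wide 'client authentication list'. Those peers will
    be asked for XAUTH after Phase 1, which is the symptom in the debug above."""
    xauth_maps = {}        # map name -> authentication list name
    static_entries = []    # [map, seq, peer] for non-dynamic entries
    current = None         # (map, seq) of the entry whose sub-lines we are reading
    for line in config.splitlines():
        m = MAP_WIDE.match(line)
        if m:
            xauth_maps[m.group(1)] = m.group(2)
            current = None
            continue
        m = ENTRY.match(line)
        if m:
            current = None if m.group(3) else (m.group(1), m.group(2))
            if current:
                static_entries.append([current[0], current[1], None])
            continue
        if current and line.startswith(" "):
            peer = SET_PEER.match(line)
            if peer:
                static_entries[-1][2] = peer.group(1)
    return [(mp, seq, peer, xauth_maps[mp])
            for mp, seq, peer in static_entries if mp in xauth_maps]
```

Run over a full `show running-config` the function lists the map, sequence number and peer that need either a dedicated ISAKMP profile or removal of the map-wide statement, as done in the fix above.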
09-10-2012 06:24 AM
Hi Bruno,
I hope you had a nice weekend.
Great news to hear.
Have a nice day.