2037 Views, 0 Helpful, 5 Replies

policy based l2l ipsec vpn - Need XAUTH problem

ninterface, Level 1

Hi,

I have a problem that I can see some solutions for but they do not work.

I have a p2p IPSec vpn that worked before I added a remote access VPN configuration (which works perfectly).

As per documentation I employed isakmp policy to allow the mixed tunnels. Now whenever I try to send traffic across the l2l link I am getting the following debug results which tell me the remote router is demanding XAUTH.

Sep  8 09:53:12: ISAKMP:(2015):Total payload length: 12
Sep  8 09:53:12: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) MM_KEY_EXCH
Sep  8 09:53:12: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep  8 09:53:12: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Sep  8 09:53:12: ISAKMP:(2015):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
Sep  8 09:53:12: ISAKMP:(2015):Need XAUTH
Sep  8 09:53:12: ISAKMP: set new node 1635909437 to CONF_XAUTH
Sep  8 09:53:12: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
Sep  8 09:53:12: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
Sep  8 09:53:12: ISAKMP:(2015): initiating peer config to [source]. ID = 1635909437
Sep  8 09:53:12: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
Sep  8 09:53:12: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep  8 09:53:12: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Sep  8 09:53:12: ISAKMP:(2015):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT
Sep  8 09:53:12: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep  8 09:53:20: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep  8 09:53:27: ISAKMP:(2015): retransmitting phase 2 CONF_XAUTH    1635909437 ...
Sep  8 09:53:27: ISAKMP (2015): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
Sep  8 09:53:27: ISAKMP (2015): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
Sep  8 09:53:27: ISAKMP:(2015): retransmitting phase 2 1635909437 CONF_XAUTH
Sep  8 09:53:27: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
Sep  8 09:53:27: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep  8 09:53:28: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep  8 09:53:36: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep  8 09:53:42: ISAKMP:(2015): retransmitting phase 2 CONF_XAUTH    1635909437 ...
Sep  8 09:53:42: ISAKMP (2015): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
Sep  8 09:53:42: ISAKMP (2015): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
Sep  8 09:53:42: ISAKMP:(2015): retransmitting phase 2 1635909437 CONF_XAUTH
Sep  8 09:53:42: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
Sep  8 09:53:42: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep  8 09:53:44: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep  8 09:53:44: ISAKMP: set new node 2054552354 to CONF_XAUTH
Sep  8 09:53:44: ISAKMP:(2015): processing HASH payload. message ID = 2054552354
Sep  8 09:53:44: ISAKMP:(2015): processing DELETE payload. message ID = 2054552354
Sep  8 09:53:44: ISAKMP:(2015):peer does not do paranoid keepalives.

So it looks like Phase 1 is completing sans XAUTH.

Here are my crypto configurations:

crypto keyring s2s
  pre-shared-key address [source] key [key]
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 5
encr 3des
authentication pre-share
lifetime 28800
!
crypto isakmp policy 10
authentication pre-share
lifetime 28800
!
crypto isakmp client configuration group [RA_GROUP]
key [key2]
dns 192.168.7.7
wins 192.168.7.222
domain ninterface.com
pool SDM_POOL_1
acl 100
max-users 6
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group [RA_GROUP]
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
crypto isakmp profile ISA_PROF
   keyring s2s
   match identity address [source] 255.255.255.255
crypto isakmp profile softclient
   match identity group [RA_GROUP]
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_grop_ml_1
   client configuration address respond
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set VPN_T_BW esp-3des esp-sha-hmac
crypto ipsec transform-set MY-SET esp-aes 256 esp-sha-hmac
crypto ipsec transform-set trans-rem esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto dynamic-map [RA_GROUP] 77
set transform-set trans-rem
set isakmp-profile softclient
reverse-route
!
!
!
crypto map clientmap client authentication list RAD_GRP
crypto map clientmap isakmp authorization list rtr-remote
crypto map clientmap client configuration address respond
crypto map clientmap 77 ipsec-isakmp dynamic [RA_GROUP]
!
crypto map [RA_GROUP] client configuration address respond
!
crypto map remote-map isakmp authorization list rtr-remote
!
crypto map rtp 10 ipsec-isakmp
set peer [source]
set transform-set MY-SET
set pfs group2
match address 111

It's a bit of a dog's breakfast as I am just now implementing policy.

I was successful at blocking xauth before I was using policy by adding no_xauth to the end of my key statement but I cannot work out how to add this while using policy.

I'm betting something simple I've missed.

Thanks for your help!
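
The debug trace in the post above is easier to read as a state machine: Phase 1 reaches IKE_P1_COMPLETE, the router then announces "Need XAUTH" and moves to IKE_XAUTH_REQ_SENT, the CONF_XAUTH request is retransmitted because the site-to-site peer has no user credentials to offer, and the peer finally sends a DELETE. The following triage script is an added example, not part of the thread or any Cisco tool; it follows those events per ISAKMP SA id and tells "Phase 1 never completed" apart from "Phase 1 completed but XAUTH was demanded and never answered", which is the signature of XAUTH being applied to an L2L peer. The sample input is a constructed subset of the debug lines quoted above, with the peer still redacted as [source].

```python
"""Triage helper for IKEv1 `debug crypto isakmp` output: follow the responder
state machine per ISAKMP SA and flag an SA that completed Phase 1 but was then
held at CONF_XAUTH because the peer never answered the XAUTH request."""
import re
from collections import defaultdict

# Constructed sample: a subset of the debug lines quoted in the post, with the
# peer address redacted as [source] just as it is there.
SAMPLE_DEBUG = """\
Sep  8 09:53:12: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) MM_KEY_EXCH
Sep  8 09:53:12: ISAKMP:(2015):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
Sep  8 09:53:12: ISAKMP:(2015):Need XAUTH
Sep  8 09:53:12: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
Sep  8 09:53:12: ISAKMP:(2015):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT
Sep  8 09:53:27: ISAKMP (2015): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
Sep  8 09:53:42: ISAKMP (2015): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
Sep  8 09:53:44: ISAKMP:(2015): processing DELETE payload. message ID = 2054552354
"""

SA_RE = re.compile(r"ISAKMP[:\s]*\((\d+)\)")        # matches 'ISAKMP:(2015)' and 'ISAKMP (2015)'
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RETRANS_RE = re.compile(r"error counter on sa, attempt (\d+) of (\d+)")


def _new_sa():
    return {"states": [], "xauth_requested": False, "sa_retransmits": 0, "deleted": False}


def analyze(debug_text):
    """Collect, per ISAKMP SA id, the state transitions and the XAUTH-related events."""
    sas = defaultdict(_new_sa)
    for line in debug_text.splitlines():
        m = SA_RE.search(line)
        if not m:  # e.g. 'ISAKMP/xauth: request attribute ...' carries no SA id
            continue
        sa = sas[m.group(1)]
        st = STATE_RE.search(line)
        if st:
            sa["states"].append(st.group(2))
        if "Need XAUTH" in line:
            sa["xauth_requested"] = True
        rt = RETRANS_RE.search(line)
        if rt:
            sa["sa_retransmits"] = max(sa["sa_retransmits"], int(rt.group(1)))
        if "processing DELETE payload" in line:
            sa["deleted"] = True
    return dict(sas)


def diagnose(debug_text):
    """Map each SA id to a short verdict string."""
    verdicts = {}
    for sa_id, sa in analyze(debug_text).items():
        phase1_done = "IKE_P1_COMPLETE" in sa["states"]
        if not phase1_done:
            verdicts[sa_id] = "phase1-incomplete"
        elif sa["xauth_requested"] and (sa["sa_retransmits"] > 0 or sa["deleted"]):
            # Phase 1 (pre-shared key) succeeded; the router then insisted on XAUTH
            # and the peer never supplied credentials: XAUTH is being applied to
            # a peer that is not a remote-access client.
            verdicts[sa_id] = "phase1-ok-xauth-unanswered"
        elif sa["xauth_requested"]:
            verdicts[sa_id] = "phase1-ok-xauth-pending"
        else:
            verdicts[sa_id] = "phase1-ok"
    return verdicts


if __name__ == "__main__":
    for sa_id, verdict in diagnose(SAMPLE_DEBUG).items():
        print(sa_id, verdict)
```

Run it against a full `debug crypto isakmp` capture (for example `python triage.py < debug.txt` after swapping `SAMPLE_DEBUG` for `sys.stdin.read()`); the "phase1-ok-xauth-unanswered" verdict on a peer you know to be a site-to-site router points at the XAUTH configuration rather than at the pre-shared key or the ISAKMP policy.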

1 Accepted Solution

Accepted Solutions

Hi Bruno,

Thanks for the brief explanation.

Which crypto map is applied on the outside interface?

I think the "crypto isakmp profile" solution is the best way, and they seem to be ok, however, we must remember that you can only have one crypto map per interface, so you should have something like this:

1- crypto dynamic-map outside_dynamic 10
     set transform-set ESP-AES-SHA

2- crypto map outside_map 10 ipsec-isakmp
     set peer xxxx.xxxx.xxxx.xxxx

3- crypto map outside_map 65535 ipsec-isakmp dynamic outside_dynamic

4- interface f0/0
     crypto map outside_map

*I am not configuring the entire crypto configuration, just wanted to give a better idea.

Please correct your configuration to reflect only one single crypto map.

Just to add some more information about the isakmp profiles:

ISAKMP Profile Overview

Let me know.

Thanks.

Portu.

5 Replies

Thanks Portu,

I'm going to have a play around with my config now.

I hadn't removed the old crypto maps in case I had to go back, the map that is applied is:

crypto map clientmap

I'll have another read over that link and see how I go, still struggling slightly with the dynamic maps.

Thanks for your input, I'll see how I go and revert.

Cheers,

Bruno

Ok so on investigation I can see that my 3am hack job was worse than I thought :|

I can see that above I have 2 different crypto maps where I thought I had combined them into one. I have now changed

crypto map rtp 10 ipsec-isakmp
set peer [source]
set transform-set MY-SET
set pfs group2
match address 111

to

crypto map clientmap 10 ipsec-isakmp
set peer [source]
set transform-set MY-SET
set pfs group2
match address 111

Still getting the same problem so I'll keep investigating but if anything sticks out let me know

b

Got it!

Ok so I hadn't removed some details from a SUPER old configuration.

I had these:

crypto map clientmap client authentication list RAD_GRP
crypto map clientmap isakmp authorization list rtr-remote

applied to the whole clientmap that included the L2L. These are a legacy pair of entries that I've now removed when I noticed this was already being done here:

crypto isakmp profile ciscocp-ike-profile-1
   match identity group conf-rem-adm
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1

:|

Very silly boy!

Thanks Portu for your help, you definitely cleared my haze so I could find this.

B
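
The root cause Bruno found above is a pattern worth checking for mechanically: `crypto map <map> client authentication list ...` turns on XAUTH for every entry of that map, so once the L2L entry (a static `ipsec-isakmp` entry with a fixed `set peer`) was moved into `clientmap`, the site-to-site router was challenged for a username and password after Phase 1. The `client authentication list` inside an `crypto isakmp profile` matched on the remote-access group, by contrast, only reaches the clients that present that group identity. The following lint is an added example, not part of the thread or any Cisco tool; it parses the crypto map portion of an IOS configuration and reports static-peer entries that inherit a map-wide XAUTH list. The before/after samples are constructed from the `clientmap` lines in this thread (peer still redacted as [source]); the "after" form drops the two map-wide lines that were removed.

```python
"""Lint a Cisco IOS crypto configuration for map-wide XAUTH applied to static
(site-to-site) crypto map entries, the mistake traced in this thread."""
import re

# Constructed sample built from the crypto map lines posted in the thread.
CONFIG_BEFORE = """\
crypto map clientmap client authentication list RAD_GRP
crypto map clientmap isakmp authorization list rtr-remote
crypto map clientmap client configuration address respond
crypto map clientmap 77 ipsec-isakmp dynamic [RA_GROUP]
crypto map clientmap 10 ipsec-isakmp
 set peer [source]
 set transform-set MY-SET
 set pfs group2
 match address 111
"""
# The corrected form: the two map-wide authentication/authorization lines are gone;
# XAUTH for remote-access users lives in the isakmp profile matched on their group.
CONFIG_AFTER = "\n".join(CONFIG_BEFORE.splitlines()[2:]) + "\n"

MAPWIDE_XAUTH_RE = re.compile(r"^crypto map (\S+) client authentication list (\S+)")
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?")


def parse_crypto_maps(config_text):
    """Return {map_name: {"xauth_list": str | None, "entries": [entry dicts]}}.

    An entry dict holds the sequence number, the dynamic-map name (None for a
    static entry) and the list of `set peer` addresses found under it.
    """
    maps = {}
    current = None  # the entry whose sub-commands we are currently reading
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("crypto map"):
            current = None
            m = MAPWIDE_XAUTH_RE.match(line)
            if m:
                maps.setdefault(m.group(1), {"xauth_list": None, "entries": []})
                maps[m.group(1)]["xauth_list"] = m.group(2)
                continue
            e = ENTRY_RE.match(line)
            if e:
                entry = {"seq": int(e.group(2)), "dynamic": e.group(3), "peers": []}
                maps.setdefault(e.group(1), {"xauth_list": None, "entries": []})
                maps[e.group(1)]["entries"].append(entry)
                current = entry
            continue
        if current is not None and line.strip().startswith("set peer "):
            current["peers"].append(line.split()[2])
    return maps


def lint(config_text):
    """Return one finding string per static-peer entry that inherits map-wide XAUTH."""
    findings = []
    for name, cmap in parse_crypto_maps(config_text).items():
        if cmap["xauth_list"] is None:
            continue  # no map-wide XAUTH; per-profile XAUTH is scoped to its match identity
        for entry in cmap["entries"]:
            # Dynamic entries serve remote-access clients, which are expected to do
            # XAUTH; a static entry with a fixed peer is a site-to-site tunnel.
            if entry["dynamic"] is None and entry["peers"]:
                findings.append(
                    f"crypto map {name} seq {entry['seq']} (static peer "
                    f"{', '.join(entry['peers'])}) inherits XAUTH list "
                    f"{cmap['xauth_list']}: remove the map-wide 'client authentication "
                    f"list' and keep XAUTH inside the isakmp profile matched on the RA group"
                )
    return findings


if __name__ == "__main__":
    print("before:", lint(CONFIG_BEFORE))
    print("after: ", lint(CONFIG_AFTER))
```

The lint deliberately ignores dynamic entries: remote-access clients arriving through `crypto map ... ipsec-isakmp dynamic ...` are meant to be challenged, and on this router that challenge is already attached to the `ciscocp-ike-profile-1` profile, which only applies to peers whose identity matches the configured group.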

Hi Bruno,

I hope you had a nice weekend.

Great news to hear.

Have a nice day.