Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

site-to-site ipsec vpn

Hey all, I have been tasked to setup a site-to-site vpn tunnel between 2 offices. I think I have everything configured correctly for the most part however when I generate interesting traffic, tunnel doesn't come up. Can you tell me from looking at the below debug output what the issue might be? My IP address is aaa.aaa.aaa.aaa and my peer's IP address is bbb.bbb.bbb.bbb

ROUTER#

*Feb 27 14:41:30.677: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= aaa.aaa.aaa.aaa:500, remote= bbb.bbb.bbb.bbb:500,

    local_proxy= 172.18.230.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 192.168.230.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),

    lifedur= 86400s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

*Feb 27 14:41:30.677: ISAKMP: local port 500, remote port 500

*Feb 27 14:41:30.677: ISAKMP: set new node 0 to QM_IDLE     

*Feb 27 14:41:30.677: ISAKMP:(0):insert sa successfully sa = 4BA8CE24

*Feb 27 14:41:30.677: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

*Feb 27 14:41:30.677: ISAKMP:(0):found peer pre-shared key matching bbb.bbb.bbb.bbb

*Feb 27 14:41:30.677: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Feb 27 14:41:30.677: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Feb 27 14:41:30.677: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Feb 27 14:41:30.677: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Feb 27 14:41:30.677: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Feb 27 14:41:30.677: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Feb 27 14:41:30.677: ISAKMP:(0): beginning Main Mode exchange

*Feb 27 14:41:30.677: ISAKMP:(0): sending packet to bbb.bbb.bbb.bbb my_port 500 peer_port 500 (I) MM_NO_STATE

*Feb 27 14:41:30.677: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Feb 27 14:41:30.713: ISAKMP (0): received packet from bbb.bbb.bbb.bbb dport 500 sport 500 Global (I) MM_NO_STATE

*Feb 27 14:41:30.713: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Feb 27 14:41:30.713: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Feb 27 14:41:30.713: ISAKMP:(0): processing SA payload. message ID = 0

*Feb 27 14:41:30.713: ISAKMP:(0): processing vendor id payload

*Feb 27 14:41:30.713: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*Feb 27 14:41:30.713: ISAKMP:(0): vendor ID is NAT-T v2

*Feb 27 14:41:30.713: ISAKMP:(0): processing vendor id payload

*Feb 27 14:41:30.713: ISAKMP:(0): processing IKE frag vendor id payload

*Feb 27 14:41:30.717: ISAKMP:(0):Support for IKE Fragmentation not enabled

*Feb 27 14:41:30.717: ISAKMP:(0):found peer pre-shared key matching bbb.bbb.bbb.bbb

*Feb 27 14:41:30.717: ISAKMP:(0): local preshared key found

*Feb 27 14:41:30.717: ISAKMP:(0): Authentication by xauth preshared

*Feb 27 14:41:30.717: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy

*Feb 27 14:41:30.717: ISAKMP:      encryption 3DES-CBC

*Feb 27 14:41:30.717: ISAKMP:      hash SHA

*Feb 27 14:41:30.717: ISAKMP:      default group 2

*Feb 27 14:41:30.717: ISAKMP:      auth pre-share

*Feb 27 14:41:30.717: ISAKMP:      life type in seconds

*Feb 27 14:41:30.717: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

*Feb 27 14:41:30.717: ISAKMP:(0):Hash algorithm offered does not match policy!

*Feb 27 14:41:30.717: ISAKMP:(0):atts are not acceptable. Next payload is 0

*Feb 27 14:41:30.717: ISAKMP:(0):Checking ISAKMP transform 3 against priority 15 policy

*Feb 27 14:41:30.717: ISAKMP:      encryption 3DES-CBC

*Feb 27 14:41:30.717: ISAKMP:      hash SHA

*Feb 27 14:41:30.717: ISAKMP:      default group 2

*Feb 27 14:41:30.717: ISAKMP:      auth pre-share

*Feb 27 14:41:30.717: ISAKMP:      life type in seconds

*Feb 27 14:41:30.717: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

*Feb 27 14:41:30.717: ISAKMP:(0):Encryption algorithm offered does not match policy!

*Feb 27 14:41:30.717: ISAKMP:(0):atts are not acceptable. Next payload is 0

*Feb 27 14:41:30.717: ISAKMP:(0):Checking ISAKMP transform 3 against priority 20 policy

*Feb 27 14:41:30.717: ISAKMP:      encryption 3DES-CBC

*Feb 27 14:41:30.717: ISAKMP:      hash SHA

*Feb 27 14:41:30.717: ISAKMP:      default group 2

*Feb 27 14:41:30.717: ISAKMP:      auth pre-share

*Feb 27 14:41:30.717: ISAKMP:      life type in seconds

*Feb 27 14:41:30.717: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

*Feb 27 14:41:30.717: ISAKMP:(0):atts are acceptable. Next payload is 0

*Feb 27 14:41:30.717: ISAKMP:(0):Acceptable atts:actual life: 0

*Feb 27 14:41:30.717: ISAKMP:(0):Acceptable atts:life: 0

*Feb 27 14:41:30.717: ISAKMP:(0):Fill atts in sa vpi_length:4

*Feb 27 14:41:30.717: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

*Feb 27 14:41:30.717: ISAKMP:(0):Returning Actual lifetime: 86400

*Feb 27 14:41:30.717: ISAKMP:(0)::Started lifetime timer: 86400.

*Feb 27 14:41:30.717: ISAKMP:(0): processing vendor id payload

*Feb 27 14:41:30.717: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*Feb 27 14:41:30.717: ISAKMP:(0): vendor ID is NAT-T v2

*Feb 27 14:41:30.717: ISAKMP:(0): processing vendor id payload

*Feb 27 14:41:30.717: ISAKMP:(0): processing IKE frag vendor id payload

*Feb 27 14:41:30.717: ISAKMP:(0):Support for IKE Fragmentation not enabled

*Feb 27 14:41:30.717: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Feb 27 14:41:30.717: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Feb 27 14:41:30.717: ISAKMP:(0): sending packet to bbb.bbb.bbb.bbb my_port 500 peer_port 500 (I) MM_SA_SETUP

*Feb 27 14:41:30.717: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Feb 27 14:41:30.721: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Feb 27 14:41:30.721: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Feb 27 14:41:30.753: ISAKMP (0): received packet from bbb.bbb.bbb.bbb dport 500 sport 500 Global (I) MM_SA_SETUP

*Feb 27 14:41:30.753: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Feb 27 14:41:30.753: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Feb 27 14:41:30.757: ISAKMP:(0): processing KE payload. message ID = 0

*Feb 27 14:41:30.789: ISAKMP:(0): processing NONCE payload. message ID = 0

*Feb 27 14:41:30.789: ISAKMP:(0):found peer pre-shared key matching bbb.bbb.bbb.bbb

*Feb 27 14:41:30.789: ISAKMP:(1640): processing vendor id payload

*Feb 27 14:41:30.789: ISAKMP:(1640): vendor ID is Unity

*Feb 27 14:41:30.789: ISAKMP:(1640): processing vendor id payload

*Feb 27 14:41:30.789: ISAKMP:(1640): vendor ID seems Unity/DPD but major 193 mismatch

*Feb 27 14:41:30.789: ISAKMP:(1640): vendor ID is XAUTH

*Feb 27 14:41:30.789: ISAKMP:(1640): processing vendor id payload

*Feb 27 14:41:30.789: ISAKMP:(1640): speaking to another IOS box!

*Feb 27 14:41:30.789: ISAKMP:(1640): processing vendor id payload

*Feb 27 14:41:30.789: ISAKMP:(1640):vendor ID seems Unity/DPD but hash mismatch

*Feb 27 14:41:30.789: ISAKMP:received payload type 20

*Feb 27 14:41:30.789: ISAKMP (1640): His hash no match - this node outside NAT

*Feb 27 14:41:30.789: ISAKMP:received payload type 20

*Feb 27 14:41:30.789: ISAKMP (1640): No NAT Found for self or peer

*Feb 27 14:41:30.789: ISAKMP:(1640):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Feb 27 14:41:30.789: ISAKMP:(1640):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Feb 27 14:41:30.789: ISAKMP:(1640):Send initial contact

*Feb 27 14:41:30.789: ISAKMP:(1640):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Feb 27 14:41:30.789: ISAKMP (1640): ID payload

        next-payload : 8

        type         : 1

        address      : aaa.aaa.aaa.aaa

        protocol     : 17

        port         : 500

        length       : 12

*Feb 27 14:41:30.789: ISAKMP:(1640):Total payload length: 12

*Feb 27 14:41:30.789: ISAKMP:(1640): sending packet to bbb.bbb.bbb.bbb my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Feb 27 14:41:30.789: ISAKMP:(1640):Sending an IKE IPv4 Packet.

*Feb 27 14:41:30.793: ISAKMP:(1640):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Feb 27 14:41:30.793: ISAKMP:(1640):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Feb 27 14:41:30.825: ISAKMP (1640): received packet from bbb.bbb.bbb.bbb dport 500 sport 500 Global (I) MM_KEY_EXCH

*Feb 27 14:41:30.825: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from bbb.bbb.bbb.bbb was not encrypted and it should've been.

*Feb 27 14:41:30.825: ISAKMP (1640): incrementing error counter on sa, attempt 1 of 5: reset_retransmission

*Feb 27 14:41:31.825: ISAKMP:(1640): retransmitting phase 1 MM_KEY_EXCH...

*Feb 27 14:41:31.825: ISAKMP (1640): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Feb 27 14:41:31.825: ISAKMP:(1640): retransmitting phase 1 MM_KEY_EXCH

*Feb 27 14:41:31.825: ISAKMP:(1640): sending packet to bbb.bbb.bbb.bbb my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Feb 27 14:41:31.825: ISAKMP:(1640):Sending an IKE IPv4 Packet.

*Feb 27 14:41:31.857: ISAKMP (1640): received packet from bbb.bbb.bbb.bbb dport 500 sport 500 Global (I) MM_KEY_EXCH

*Feb 27 14:41:31.857: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from bbb.bbb.bbb.bbb was not encrypted and it should've been.

*Feb 27 14:41:31.857: ISAKMP (1640): incrementing error counter on sa, attempt 3 of 5: reset_retransmission

*Feb 27 14:41:32.857: ISAKMP:(1640): retransmitting phase 1 MM_KEY_EXCH...

*Feb 27 14:41:32.857: ISAKMP (1640): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

*Feb 27 14:41:32.857: ISAKMP:(1640): retransmitting phase 1 MM_KEY_EXCH

*Feb 27 14:41:32.857: ISAKMP:(1640): sending packet to bbb.bbb.bbb.bbb my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Feb 27 14:41:32.857: ISAKMP:(1640):Sending an IKE IPv4 Packet.

*Feb 27 14:41:32.889: ISAKMP (1640): received packet from bbb.bbb.bbb.bbb dport 500 sport 500 Global (I) MM_KEY_EXCH

*Feb 27 14:41:32.889: ISAKMP:(1640): phase 1 packet is a duplicate of a previous packet.

*Feb 27 14:41:32.889: ISAKMP:(1640): retransmission skipped for phase 1 (time since last transmission 32)

ROUTER#u all

Turned off crypto conditional debug.

All possible debugging has been turned off

*Feb 27 14:42:00.821: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from bbb.bbb.bbb.bbb was not encrypted and it should've been.

*Feb 27 14:42:01.853: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from bbb.bbb.bbb.bbb was not encrypted and it should've been.

Thanks all

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

site-to-site ipsec vpn

2 REPLIES
New Member

site-to-site ipsec vpn

New Member

site-to-site ipsec vpn

Thank you. I was able to fix this issue by correcting an issue with my phase 1 negotiation parameters.

I do have a question about the article you sent me. In that post it says:

Make sure that the Access Control Lists (ACLs) configured for the crypto map are mirror    images of each other at opposite VPN endpoints

If the above statement is true, then this answers one of my other concerns where I was a bit curious about the remote peer configuring it's ACL to access my other subnets via this tunnel which would've been a huge security hole.  Is that correct?

1240
Views
0
Helpful
2
Replies