VPN not establishing.

examples20001
Level 1

Hello,

I configured an IOS VPN in cisco router 2821 with IOS 12.4(5) ADVSEC.

The other end VPN box is a third party box.

I have attached the debug results.

What is mismatching in my settings?

I have checked both ends' VPN boxes and the settings are the same.

P.Q.R.S is the global IP of my H.O VPN box; 192.30.111.0/24 is the LAN segment at my H.O side.

A.B.C.D is the global IP of the remote-end VPN box; 172.29.250.0/24 is the LAN segment behind the remote VPN box.

9 Replies

attrgautam
Level 5

Are you using ISAKMP keepalive? Can you remove the ISAKMP keepalives and see if it works?

Yes, I am using ISAKMP keepalive.

Now removed it: no crypto isakmp keepalive 30 periodic

But the same error continues.

Just to probe further, did this work between 2 Cisco devices? Also, what is the remote-end device? Can you do a crypto isakmp enable globally and see if it helps? Can you force all auth, hash and DH group settings at either side and see if it helps?

Hi,

The other end device is not Cisco, it's a WatchGuard Firebox.

Cisco is at H.O and it has around 30 tunnels to different locations and all are working fine; some locations are using a Firebox and the VPN is OK between them too.

Only this site is showing the problem.

In my attached file of debug messages, can you please tell from which point the VPN is getting the error?

Is there any particular line in my debug messages which shows that the VPN settings are mismatching?

My H.O Cisco setting is like below:

crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key address A.B.C.D no-xauth
!
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set testset esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 16 ipsec-isakmp
 description Tunnel toA.B.C.D
 set peer A.B.C.D
 set transform-set testset
 match address 119
!
access-list 119 permit ip 192.30.111.0 0.0.0.255 172.29.250.0 0.0.0.255
!

Other end box setting is also same.
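Added example (not from this thread, and not the Cisco or WatchGuard tooling): a small Python checker that parses the IOS ISAKMP policy, transform set, crypto map and crypto ACL shown above into phase 1 and phase 2 proposals and diffs them against what the remote peer proposes. IOS omits any policy attribute that equals its default from `show running-config`, so the parser fills those defaults in; this is why a forced `hash sha` never shows up in the config, since sha is the default. The pre-shared key string and the remote proposal are constructed placeholders for the demonstration, not values from the thread or from the Firebox.

```python
"""Parse an IOS ISAKMP/IPsec fragment and diff it against a remote proposal.
Added example; the PSK and REMOTE_PROPOSAL below are constructed placeholders."""
import re

# IOS 12.4 defaults for an ISAKMP policy. Attributes equal to the default are
# not displayed in 'show running-config'.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}

SAMPLE_CONFIG = """\
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key EXAMPLE-PSK-PLACEHOLDER address A.B.C.D no-xauth
!
crypto ipsec transform-set testset esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 16 ipsec-isakmp
 description Tunnel toA.B.C.D
 set peer A.B.C.D
 set transform-set testset
 match address 119
!
access-list 119 permit ip 192.30.111.0 0.0.0.255 172.29.250.0 0.0.0.255
"""

# Constructed remote proposal for the demonstration; hash deliberately differs.
REMOTE_PROPOSAL = {
    "phase1": {"encr": "3des", "hash": "md5", "authentication": "pre-share",
               "group": "2", "lifetime": "86400"},
    "phase2": {"transforms": ["esp-3des", "esp-sha-hmac"],
               # the peer's (local, remote) selector must mirror our crypto ACL
               "selectors": [("172.29.250.0/24", "192.30.111.0/24")]},
}

ACL_RE = re.compile(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)")


def wildcard_to_cidr(addr, wildcard):
    """Convert an IOS address/wildcard pair to CIDR (contiguous wildcards only)."""
    host_bits = sum(bin(int(o)).count("1") for o in wildcard.split("."))
    return f"{addr}/{32 - host_bits}"


def parse_ios_crypto(text):
    cfg = {"policies": {}, "transform_sets": {}, "maps": {}, "acls": {}}
    block = None  # (kind, key) of the indented section we are inside
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        words = line.split()
        if not line.startswith(" "):  # top-level command
            block = None
            if words[:3] == ["crypto", "isakmp", "policy"]:
                block = ("policy", int(words[3]))
                cfg["policies"][block[1]] = dict(ISAKMP_DEFAULTS)
            elif words[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["transform_sets"][words[3]] = words[4:]
            elif words[:2] == ["crypto", "map"] and len(words) >= 5:
                block = ("map", (words[2], int(words[3])))
                cfg["maps"][block[1]] = {"mode": words[4]}
            else:
                m = ACL_RE.match(line)
                if m:
                    cfg["acls"].setdefault(m.group(1), []).append(
                        (wildcard_to_cidr(m.group(2), m.group(3)),
                         wildcard_to_cidr(m.group(4), m.group(5))))
        elif block and block[0] == "policy":
            cfg["policies"][block[1]][words[0]] = words[1]   # e.g. 'encr 3des'
        elif block and block[0] == "map":
            if words[0] == "set":
                cfg["maps"][block[1]][words[1]] = words[2]   # set peer / transform-set
            elif words[0] == "match":
                cfg["maps"][block[1]]["acl"] = words[2]      # match address 119
    return cfg


def diff_phase1(policy, remote):
    """Attributes on which the ISAKMP policy and the remote proposal differ."""
    return [(k, policy[k], remote.get(k)) for k in ISAKMP_DEFAULTS
            if policy[k] != remote.get(k)]


def diff_phase2(transforms, acl_pairs, remote):
    out = []
    if sorted(transforms) != sorted(remote["transforms"]):
        out.append(("transform-set", transforms, remote["transforms"]))
    mirrored = sorted((r, l) for l, r in acl_pairs)  # peer's local/remote view
    if mirrored != sorted(remote["selectors"]):
        out.append(("proxy-ids", acl_pairs, remote["selectors"]))
    return out


def audit(config_text, remote):
    """Map each policy / crypto-map entry to its mismatches (empty list = match)."""
    cfg = parse_ios_crypto(config_text)
    report = {}
    for seq, pol in cfg["policies"].items():
        report[f"isakmp policy {seq}"] = diff_phase1(pol, remote["phase1"])
    for (name, seq), cmap in cfg["maps"].items():
        ts = cfg["transform_sets"][cmap["transform-set"]]
        acl = cfg["acls"][cmap["acl"]]
        report[f"crypto map {name} {seq}"] = diff_phase2(ts, acl, remote["phase2"])
    return report


if __name__ == "__main__":
    for entry, problems in audit(SAMPLE_CONFIG, REMOTE_PROPOSAL).items():
        print(entry, "OK" if not problems else problems)
```

With the constructed remote proposal the report flags only `hash` (sha on the IOS side, md5 on the peer) and reports the crypto map as matching; the same comparison against the real Firebox settings is the check the thread is asking for, with the IOS defaults made explicit so a "missing" line in running-config is not mistaken for a missing setting.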

What do sh crypto isakmp sa and sh crypto ipsec sa give you? Is this a problem affecting only one tunnel or all the tunnels to the VPN box? Can you force the hashing in the ISAKMP policy as well?

This problem is affecting only one tunnel. All other tunnels are working fine.

I forced the hashing in the ISAKMP policy, but in the running-config it is not showing up.

test1#show crypto isa sa
A.B.C.D         P.Q.R.S         MM_KEY_EXCH        231    0 ACTIVE
A.B.C.D         P.Q.R.S         MM_KEY_EXCH        230    0 ACTIVE
A.B.C.D         P.Q.R.S         MM_NO_STATE        229    0 ACTIVE (deleted)
A.B.C.D         P.Q.R.S         MM_NO_STATE        228    0 ACTIVE (deleted)

test1#show crypto ipsec sa peer A.B.C.D detail
interface: GigabitEthernet0/1
    Crypto map tag: SDM_CMAP_1, local addr P.Q.R.S

   protected vrf: (none)
   local ident (addr/mask/prot/port): (192.30.111.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.29.250.0/255.255.255.0/0/0)
   current_peer A.B.C.D port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 4059, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: P.Q.R.S, remote crypto endpt.: A.B.C.D
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
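Added example (not from this thread): a Python reader for the two show outputs above that turns the ISAKMP SA table and the IPsec SA counters into a phase 1 / phase 2 diagnosis. The sample text is copied from the post; the state descriptions are the standard IOS main-mode states, and the thresholds are my own choices.

```python
"""Diagnose phase 1 / phase 2 state from 'show crypto isakmp sa' and
'show crypto ipsec sa' output. Added example; sample text is from the post."""
import re

ISAKMP_SA_OUTPUT = """\
A.B.C.D P.Q.R.S MM_KEY_EXCH 231 0 ACTIVE
A.B.C.D P.Q.R.S MM_KEY_EXCH 230 0 ACTIVE
A.B.C.D P.Q.R.S MM_NO_STATE 229 0 ACTIVE (deleted)
A.B.C.D P.Q.R.S MM_NO_STATE 228 0 ACTIVE (deleted)
"""

IPSEC_SA_OUTPUT = """\
   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   #pkts no sa (send) 4059, #pkts invalid sa (rcv) 0
   current outbound spi: 0x0(0)
"""

# IOS main-mode states in the order the exchange reaches them.
MM_STATES = {
    "MM_NO_STATE": "ISAKMP SA created, nothing negotiated yet",
    "MM_SA_SETUP": "MM1/MM2: policy (encr, hash, auth, DH group) agreed",
    "MM_KEY_EXCH": "MM3/MM4: DH keys exchanged, SA still unauthenticated",
    "MM_KEY_AUTH": "MM5/MM6: identities and hashes verified, SA authenticated",
    "QM_IDLE": "phase 1 complete, ready for quick mode",
}

SA_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(\d+)\s+(\S+)(.*)$")
COUNTER_RE = re.compile(r"#pkts ([^:,#]+?)[: ]+(\d+)")
SPI_RE = re.compile(r"current outbound spi: (0x[0-9A-Fa-f]+)")


def parse_isakmp_sa(text):
    """One dict per SA row; the header row does not match (lowercase state)."""
    sas = []
    for line in text.splitlines():
        m = SA_RE.match(line.strip())
        if m:
            sas.append({"dst": m.group(1), "src": m.group(2), "state": m.group(3),
                        "conn_id": int(m.group(4)), "status": m.group(6),
                        "deleted": "(deleted)" in m.group(7)})
    return sas


def parse_ipsec_counters(text):
    """'#pkts no sa (send) 4059' -> {'no sa (send)': 4059, ...}"""
    return {name.strip(): int(value) for name, value in COUNTER_RE.findall(text)}


def phase1_progress(sas):
    """Furthest main-mode state among SAs that are not marked deleted."""
    order = list(MM_STATES)
    live = [sa["state"] for sa in sas if not sa["deleted"] and sa["state"] in order]
    return max(live, key=order.index) if live else None


def diagnose(isakmp_text, ipsec_text):
    sas = parse_isakmp_sa(isakmp_text)
    counters = parse_ipsec_counters(ipsec_text)
    findings = []
    state = phase1_progress(sas)
    if state is None:
        findings.append("no live ISAKMP SA to the peer")
    elif state != "QM_IDLE":
        findings.append(f"phase 1 stuck in {state} ({MM_STATES[state]})")
    live = [sa for sa in sas if not sa["deleted"]]
    if len(live) > 1:
        findings.append(f"{len(live)} concurrent ISAKMP SAs to the same peer: "
                        "negotiation keeps restarting")
    spi = SPI_RE.search(ipsec_text)
    if spi and int(spi.group(1), 16) == 0:
        findings.append("outbound SPI 0x0: no phase 2 SA has ever been built")
    dropped = counters.get("no sa (send)", 0)
    if dropped and counters.get("encaps", 0) == 0:
        findings.append(f"{dropped} packets matched the crypto ACL but were "
                        "dropped for lack of an SA")
    return findings


if __name__ == "__main__":
    for f in diagnose(ISAKMP_SA_OUTPUT, IPSEC_SA_OUTPUT):
        print("-", f)
```

On the output above this reports MM_KEY_EXCH as the furthest state reached. That state means the Diffie-Hellman exchange (MM3/MM4) succeeded, so the encryption, hash, authentication method and DH group were accepted by both sides; what never completes is the encrypted identity/hash exchange (MM5/MM6), whose keys are derived from the pre-shared key. A tunnel that stalls exactly here with a zero outbound SPI and a climbing "no sa (send)" counter is therefore worth checking for a pre-shared key or ISAKMP identity mismatch before re-examining the proposal.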

Hi,

WatchGuard Firebox Error log for VPN establishment with Cisco ISR:

06/05/84 16:05 iked[119]: Policy(0) direction(outbound) disp(secure) -> tunnel(test1):
06/05/84 16:05 iked[119]: src_ip(172.29.250.0/255.255.255.0) dst_ip(192.30.111.0/255.255.255.0)
06/05/84 16:05 iked[119]: proto(0/0), src_port(0/0), dst_port(0/0) tos(0/0)
06/05/84 16:05 kernel: ipsec: Removing old input bundle
06/05/84 16:05 kernel: ipsec: Removing input bundle
06/05/84 16:05 iked[119]: Added rule: P.Q.R.S->192.168.0.2:4500 proto 17
06/05/84 16:05 iked[119]: Added rule: P.Q.R.S->192.168.0.2:500 proto 17
06/05/84 16:05 iked[119]: Added rule: P.Q.R.S->192.168.0.2 proto 50
06/05/84 16:05 iked[119]: Added rule: P.Q.R.S->192.168.0.2 proto 51
06/05/84 16:05 iked[119]: Key acquire proxyraddr = 192.30.111.0
06/05/84 16:05 iked[119]: Key acquire proxyladdr = 172.29.250.0
06/05/84 16:05 iked[119]: ipsec_acquire_keys: laddr = 192.168.0.2, raddr = P.Q.R.S
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR ISA_SA ISA_VENDORID
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR ISA_KE ISA_NONCE NAT-D NAT-D
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR ISA_KE ISA_NONCE ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID NAT-D NAT-D
06/05/84 16:05 iked[119]: Rejecting peer XAUTH request: not configured
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR*# ISA_ID ISA_HASH
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR ISA_SA ISA_VENDORID
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR ISA_KE ISA_NONCE ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID NAT-D NAT-D
06/05/84 16:05 iked[119]: Rejecting peer XAUTH request: not configured
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR ISA_KE ISA_NONCE NAT-D NAT-D
06/05/84 16:05 iked[119]: CRYPTO ACTIVE after delay
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR*# ISA_ID ISA_HASH
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR*# ISA_ID ISA_HASH
06/05/84 16:05 iked[119]: RE-TO P.Q.R.S MM-HDR*# ISA_ID
06/05/84 16:05 iked[119]: Skipping duplicate packet from P.Q.R.S
06/05/84 16:05 iked[119]: RE-TO P.Q.R.S MM-HDR*# ISA_ID
06/05/84 16:05 iked[119]: Skipping duplicate packet from P.Q.R.S
06/05/84 16:05 iked[119]: RE-TO P.Q.R.S MM-HDR*# ISA_ID
06/05/84 16:05 iked[119]: Skipping duplicate packet from P.Q.R.S
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR ISA_SA ISA_VENDORID
06/05/84 16:05 iked[119]: RE-TO P.Q.R.S MM-HDR*# ISA_ID
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR ISA_KE ISA_NONCE ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID NAT-D NAT-D
06/05/84 16:05 iked[119]: Rejecting peer XAUTH request: not configured
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR ISA_KE ISA_NONCE NAT-D NAT-D
06/05/84 16:05 iked[119]: CRYPTO ACTIVE after delay
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR*# ISA_ID ISA_HASH
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR*# ISA_ID ISA_HASH
06/05/84 16:05 iked[119]: Skipping duplicate packet from P.Q.R.S
06/05/84 16:05 iked[119]: RE-TO P.Q.R.S MM-HDR*# ISA_ID
06/05/84 16:05 iked[119]: Skipping duplicate packet from P.Q.R.S
06/05/84 16:05 iked[119]: RE-TO P.Q.R.S MM-HDR*# ISA_ID Unknown Payload Type
06/05/84 16:05 iked[119]: RE-TO P.Q.R.S MM-HDR*# ISA_ID
06/05/84 16:05 iked[119]: Skipping duplicate packet from P.Q.R.S
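Added example (not from this thread, and not WatchGuard's own tooling): a Python tracker that walks the Firebox iked log above and reports where the IKEv1 main-mode exchange stalls. Each TO/FROM message is classified by its payloads (ISA_SA is MM1/MM2, ISA_KE is MM3/MM4, ISA_ID with the encrypted `MM-HDR*#` header is MM5/MM6), RE-TO lines are counted as retransmissions, and the furthest step that had to be retransmitted is reported as the stall point. The sample lines are one negotiation attempt copied from the post.

```python
"""Locate the stall point of an IKEv1 main-mode exchange from WatchGuard iked
log lines. Added example; sample lines are copied from the post above."""
import re
from collections import Counter

IKED_LOG = """\
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR ISA_SA ISA_VENDORID
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR ISA_KE ISA_NONCE ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID NAT-D NAT-D
06/05/84 16:05 iked[119]: Rejecting peer XAUTH request: not configured
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR ISA_KE ISA_NONCE NAT-D NAT-D
06/05/84 16:05 iked[119]: CRYPTO ACTIVE after delay
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR*# ISA_ID ISA_HASH
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR*# ISA_ID ISA_HASH
06/05/84 16:05 iked[119]: RE-TO P.Q.R.S MM-HDR*# ISA_ID
06/05/84 16:05 iked[119]: Skipping duplicate packet from P.Q.R.S
06/05/84 16:05 iked[119]: RE-TO P.Q.R.S MM-HDR*# ISA_ID
06/05/84 16:05 iked[119]: Skipping duplicate packet from P.Q.R.S
06/05/84 16:05 iked[119]: RE-TO P.Q.R.S MM-HDR*# ISA_ID Unknown Payload Type
"""

MM1_2 = "MM1/2 SA proposal"
MM3_4 = "MM3/4 DH + nonce"
MM5_6 = "MM5/6 identity + hash (encrypted)"
ORDER = [MM1_2, MM3_4, MM5_6]

LINE_RE = re.compile(r"^\S+ \S+ iked\[\d+\]: (.*)$")
MSG_RE = re.compile(r"^(RE-TO|TO|FROM) (\S+) (MM-HDR\*?#?) ?(.*)$")


def classify(payloads):
    """Map a main-mode message to its exchange step by the payloads it carries."""
    p = payloads.split()
    if "ISA_SA" in p:
        return MM1_2
    if "ISA_KE" in p:
        return MM3_4
    if "ISA_ID" in p:
        return MM5_6
    return "other"


def stalled_at(steps, retransmits):
    """The furthest step reached, if it had to be retransmitted (peer never moved on)."""
    reached = [s for _, s in steps if s in ORDER]
    if not reached:
        return None
    furthest = max(reached, key=ORDER.index)
    return furthest if retransmits.get(furthest) else None


def analyze(log_text):
    steps = []               # (direction, step) for each fresh TO/FROM message
    retransmits = Counter()  # step -> number of RE-TO lines
    notes = Counter()        # side observations worth surfacing
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # kernel lines and anything not from iked
        msg = m.group(1)
        if "Skipping duplicate packet" in msg:
            notes["duplicate packet from peer"] += 1
        if "Rejecting peer XAUTH request" in msg:
            notes["peer advertised XAUTH, rejected locally"] += 1
        if "Unknown Payload Type" in msg:
            notes["unknown payload type"] += 1
        mm = MSG_RE.match(msg)
        if not mm:
            continue
        direction, step = mm.group(1), classify(mm.group(4))
        if direction == "RE-TO":
            retransmits[step] += 1
        else:
            steps.append((direction, step))
    return {"steps": steps, "retransmits": dict(retransmits),
            "notes": dict(notes), "stalled_at": stalled_at(steps, retransmits)}


if __name__ == "__main__":
    result = analyze(IKED_LOG)
    for direction, step in result["steps"]:
        print(f"{direction:4} {step}")
    print("retransmits:", result["retransmits"])
    print("notes:", result["notes"])
    print("stalled at:", result["stalled_at"])
```

For the lines above the tracker shows both peers completing MM1 through MM4, the Firebox sending its encrypted MM5/MM6 identity and hash, and then retransmitting that message three times while the Cisco keeps resending its own. Read together with the MM_KEY_EXCH rows in the Cisco output earlier in the thread, each side is waiting for the other to accept the encrypted identity message; those messages are protected with keys derived from the pre-shared key, so a PSK or identity mismatch produces exactly this picture without either log ever reporting a proposal error. The XAUTH rejection is the Firebox ignoring the XAUTH vendor ID the Cisco advertises, which matches the `no-xauth` on the key line and does not by itself abort the exchange. The Firebox timestamps (year 84) suggest its clock is unset, which does not affect IKE but makes correlating the two logs harder.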

It appears you may not have the transform-set configured on the WatchGuard correctly to match the Cisco.

DC
