03-20-2006 08:19 PM
Hello,
I configured an IOS VPN on a Cisco 2821 router with IOS 12.4(5) ADVSEC.
The other end VPN box is a third-party box.
I have attached the debug results.
What is mismatching in my settings?
I have checked both ends' VPN boxes and the settings are the same.
P.Q.R.S is the global IP of my H.O VPN box, 192.30.111.0/24 is the LAN segment at my H.O side.
A.B.C.D is the global IP of the remote end VPN box, 172.29.250.0/24 is the LAN segment of the remote VPN box.
03-20-2006 08:52 PM
Are you using ISAKMP keepalive? Can you remove the ISAKMP keepalives and see if it works?
03-20-2006 09:08 PM
Yes, I am using ISAKMP keepalive.
Now removed it: no crypto isakmp keepalive 30 periodic
But the same error continues.
03-20-2006 10:35 PM
Just to probe further, did this work between 2 Cisco devices? Also, what is the remote end device? Can you do a crypto isakmp enable globally and see if it helps? Can you force all auth, hash and DH group at either side and see if it helps?
03-20-2006 11:57 PM
Hi,
The other end device is not Cisco; it's a WatchGuard Firebox.
Cisco is at H.O and it has got around 30 tunnels to different locations and all are working fine; some locations are using Firebox and VPN is OK between them too.
Only this site is showing the problem.
In my attached file of debug messages, can you please tell from which point the VPN is getting the error?
Any particular line from my debug message which shows that the VPN settings are mismatching?
03-21-2006 12:06 AM
My H.O Cisco setting is like below:
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
crypto isakmp key
!
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set testset esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 16 ipsec-isakmp
description Tunnel to A.B.C.D
set peer A.B.C.D
set transform-set testset
match address 119
!
access-list 119 permit ip 192.30.111.0 0.0.0.255 172.29.250.0 0.0.0.255
!
The other end box's settings are also the same.
03-21-2006 01:41 AM
What do sh crypto isakmp sa and sh crypto ipsec sa give you? Is this a problem affecting only one tunnel or all the tunnels to the VPN box? Can you force the hashing in the ISAKMP policy as well?
03-21-2006 11:48 PM
This problem is affecting only one tunnel. All other tunnels are working fine.
I forced the hashing in the ISAKMP policy, but in running-config it is not showing up.
test1#show crypto isa sa
A.B.C.D P.Q.R.S MM_KEY_EXCH 231 0 ACTIVE
A.B.C.D P.Q.R.S MM_KEY_EXCH 230 0 ACTIVE
A.B.C.D P.Q.R.S MM_NO_STATE 229 0 ACTIVE (deleted)
A.B.C.D P.Q.R.S MM_NO_STATE 228 0 ACTIVE (deleted)
test1#show crypto ipsec sa peer A.B.C.D detail
interface: GigabitEthernet0/1
Crypto map tag: SDM_CMAP_1, local addr P.Q.R.S
protected vrf: (none)
local ident (addr/mask/prot/port): (192.30.111.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.29.250.0/255.255.255.0/0/0)
current_peer A.B.C.D port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 4059, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: P.Q.R.S, remote crypto endpt.: A.B.C.D
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
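The two show commands above already say where this tunnel is stuck: every ISAKMP SA sits in MM_KEY_EXCH (never QM_IDLE), and the IPsec SA has outbound SPI 0x0 with 4059 packets dropped for "no sa". The script below is an added example, not code from the thread or from Cisco; it parses both outputs and maps each ISAKMP state to what it means in the IKEv1 Main Mode exchange, so a reader can tell a Phase 1 failure from a Phase 2 one. The sample texts are constructed from the thread's redacted output (P.Q.R.S and A.B.C.D stay as placeholders, and a column header line is added to the isakmp sample).

```python
# Added example (not from the thread): triage Cisco IOS 'show crypto isakmp sa' and
# 'show crypto ipsec sa' output to tell a Phase 1 failure from a Phase 2 one.
import re
from dataclasses import dataclass
from typing import Dict, List

# IKEv1 ISAKMP SA states as IOS prints them (MM = Main Mode, QM = Quick Mode),
# with the usual thing to check when an SA stays in that state.
STATE_HINTS = {
    "MM_NO_STATE": "SA created but no Main Mode reply accepted: check reachability on UDP 500 "
                   "and that the peer accepts one ISAKMP policy (encryption/hash/DH group/auth)",
    "MM_SA_SETUP": "ISAKMP policy agreed (MM1/MM2), DH exchange (MM3/MM4) not finished",
    "MM_KEY_EXCH": "DH exchange done but the SA is still unauthenticated (MM5/MM6 not accepted): "
                   "check the pre-shared key and the peer identity on both sides",
    "QM_IDLE": "Phase 1 established; remaining problems are in Quick Mode "
               "(transform set, proxy identities / crypto ACL)",
}

@dataclass
class IsakmpSa:
    dst: str
    src: str
    state: str
    conn_id: int
    deleted: bool

# dst src state conn-id slot status, e.g. "A.B.C.D P.Q.R.S MM_KEY_EXCH 231 0 ACTIVE"
SA_LINE = re.compile(r"^(?P<dst>\S+)\s+(?P<src>\S+)\s+(?P<state>[A-Z_]+)\s+(?P<conn>\d+)"
                     r"\s+\d+\s+ACTIVE(?P<del> \(deleted\))?$")

def parse_isakmp_sa(text: str) -> List[IsakmpSa]:
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m:  # header and blank lines do not match
            sas.append(IsakmpSa(m["dst"], m["src"], m["state"], int(m["conn"]), m["del"] is not None))
    return sas

COUNTERS = {"encaps": r"#pkts encaps: (\d+)",
            "decaps": r"#pkts decaps: (\d+)",
            "no_sa_send": r"#pkts no sa \(send\) (\d+)"}
SPI_RE = re.compile(r"current outbound spi: 0x([0-9A-Fa-f]+)")

def parse_ipsec_sa(text: str) -> Dict[str, int]:
    out = {}
    for key, pat in COUNTERS.items():
        m = re.search(pat, text)
        if m:
            out[key] = int(m.group(1))
    m = SPI_RE.search(text)
    out["outbound_spi"] = int(m.group(1), 16) if m else 0  # 0 means no IPsec SA exists
    return out

def triage(isakmp_text: str, ipsec_text: str) -> Dict:
    live = [s for s in parse_isakmp_sa(isakmp_text) if not s.deleted]
    phase1_up = any(s.state == "QM_IDLE" for s in live)
    ctr = parse_ipsec_sa(ipsec_text)
    phase2_up = ctr["outbound_spi"] != 0
    findings = []
    if not phase1_up:
        for state in sorted({s.state for s in live}):
            n = sum(1 for s in live if s.state == state)
            findings.append(f"Phase 1 not established, {n} SA(s) in {state}: "
                            f"{STATE_HINTS.get(state, 'unknown state')}")
    if not phase2_up:
        findings.append(f"no IPsec SA (outbound SPI 0x0); {ctr.get('no_sa_send', 0)} packet(s) "
                        "matched the crypto ACL and were dropped waiting for one")
    return {"live_sas": len(live), "phase1_up": phase1_up, "phase2_up": phase2_up,
            "findings": findings}

# Constructed samples based on the thread's redacted output.
SAMPLE_ISAKMP = """\
dst             src             state          conn-id slot status
A.B.C.D         P.Q.R.S         MM_KEY_EXCH    231     0    ACTIVE
A.B.C.D         P.Q.R.S         MM_KEY_EXCH    230     0    ACTIVE
A.B.C.D         P.Q.R.S         MM_NO_STATE    229     0    ACTIVE (deleted)
A.B.C.D         P.Q.R.S         MM_NO_STATE    228     0    ACTIVE (deleted)
"""
SAMPLE_IPSEC = """\
interface: GigabitEthernet0/1
    Crypto map tag: SDM_CMAP_1, local addr P.Q.R.S
   local  ident (addr/mask/prot/port): (192.30.111.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.29.250.0/255.255.255.0/0/0)
   current_peer A.B.C.D port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts no sa (send) 4059, #pkts invalid sa (rcv) 0
     current outbound spi: 0x0(0)
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_ISAKMP, SAMPLE_IPSEC)["findings"]:
        print("-", line)
```

Run it against pasted output from a real router: the point of the table is that MM_KEY_EXCH is past the proposal and DH steps, so an ISAKMP policy mismatch would have shown up earlier, as MM_NO_STATE, and a transform-set mismatch would show up later, once Phase 1 reaches QM_IDLE.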
03-21-2006 11:58 PM
Hi,
WatchGuard Firebox Error log for VPN establishment with Cisco ISR:
06/05/84 16:05 iked[119]: Policy(0) direction(outbound) disp(secure) -> tunnel(test1):
06/05/84 16:05 iked[119]: src_ip(172.29.250.0/255.255.255.0) dst_ip(192.30.111.0/255.255.255.0)
06/05/84 16:05 iked[119]: proto(0/0), src_port(0/0), dst_port(0/0) tos(0/0)
06/05/84 16:05 kernel: ipsec: Removing old input bundle
06/05/84 16:05 kernel: ipsec: Removing input bundle
06/05/84 16:05 iked[119]: Added rule: P.Q.R.S->192.168.0.2:4500 proto 17
06/05/84 16:05 iked[119]: Added rule: P.Q.R.S->192.168.0.2:500 proto 17
06/05/84 16:05 iked[119]: Added rule: P.Q.R.S->192.168.0.2 proto 50
06/05/84 16:05 iked[119]: Added rule: P.Q.R.S->192.168.0.2 proto 51
06/05/84 16:05 iked[119]: Key acquire proxyraddr = 192.30.111.0
06/05/84 16:05 iked[119]: Key acquire proxyladdr = 172.29.250.0
06/05/84 16:05 iked[119]: ipsec_acquire_keys: laddr = 192.168.0.2, raddr = P.Q.R.S
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR ISA_SA ISA_VENDORID
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR ISA_KE ISA_NONCE NAT-D NAT-D
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR ISA_KE ISA_NONCE ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID NAT-D NAT-D
06/05/84 16:05 iked[119]: Rejecting peer XAUTH request: not configured
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR*# ISA_ID ISA_HASH
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR ISA_SA ISA_VENDORID
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR ISA_KE ISA_NONCE ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID NAT-D NAT-D
06/05/84 16:05 iked[119]: Rejecting peer XAUTH request: not configured
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR ISA_KE ISA_NONCE NAT-D NAT-D
06/05/84 16:05 iked[119]: CRYPTO ACTIVE after delay
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR*# ISA_ID ISA_HASH
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR*# ISA_ID ISA_HASH
06/05/84 16:05 iked[119]: RE-TO P.Q.R.S MM-HDR*# ISA_ID
06/05/84 16:05 iked[119]: Skipping duplicate packet from P.Q.R.S
06/05/84 16:05 iked[119]: RE-TO P.Q.R.S MM-HDR*# ISA_ID
06/05/84 16:05 iked[119]: Skipping duplicate packet from P.Q.R.S
06/05/84 16:05 iked[119]: RE-TO P.Q.R.S MM-HDR*# ISA_ID
06/05/84 16:05 iked[119]: Skipping duplicate packet from P.Q.R.S
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR ISA_SA ISA_VENDORID
06/05/84 16:05 iked[119]: RE-TO P.Q.R.S MM-HDR*# ISA_ID
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR ISA_KE ISA_NONCE ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID NAT-D NAT-D
06/05/84 16:05 iked[119]: Rejecting peer XAUTH request: not configured
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR ISA_KE ISA_NONCE NAT-D NAT-D
06/05/84 16:05 iked[119]: CRYPTO ACTIVE after delay
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR*# ISA_ID ISA_HASH
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR*# ISA_ID ISA_HASH
06/05/84 16:05 iked[119]: Skipping duplicate packet from P.Q.R.S
06/05/84 16:05 iked[119]: RE-TO P.Q.R.S MM-HDR*# ISA_ID
06/05/84 16:05 iked[119]: Skipping duplicate packet from P.Q.R.S
06/05/84 16:05 iked[119]: RE-TO P.Q.R.S MM-HDR*# ISA_ID Unknown Payload Type
06/05/84 16:05 iked[119]: RE-TO P.Q.R.S MM-HDR*# ISA_ID
06/05/84 16:05 iked[119]: Skipping duplicate packet from P.Q.R.S
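Reading the Firebox log by hand is tedious because the same Main Mode exchange is repeated several times. The script below is an added example, not from the thread or from WatchGuard; it parses the iked lines, labels each message by the Main Mode pair its payloads belong to (ISA_SA = MM1/MM2, ISA_KE = MM3/MM4, encrypted ISA_ID = MM5/MM6), and counts attempts, RE-TO retransmissions, skipped duplicates, XAUTH refusals and whether any Quick Mode (QM-HDR) message ever appeared. The embedded sample is the IKE portion of the log above with the thread's placeholder peer address; it is constructed input for the example, and the log-line format is assumed from the lines posted here.

```python
# Added example (not from the thread): reconstruct the IKEv1 Main Mode exchange
# from WatchGuard iked log lines and report where the negotiation stalls.
import re
from collections import Counter
from typing import Dict, List, Optional

LINE_RE = re.compile(r"^\S+ \S+ iked\[\d+\]: (?P<msg>.*)$")
IKE_RE = re.compile(r"^(?P<dir>RE-TO|TO|FROM) (?P<peer>\S+) (?P<hdr>MM-HDR|QM-HDR)"
                    r"(?P<enc>\*#)?\s*(?P<payloads>.*)$")
# Main Mode message pairs, identified by the payload that characterises them.
STAGES = [("ISA_SA", "MM1/MM2 (SA proposal)"),
          ("ISA_KE", "MM3/MM4 (DH key exchange)"),
          ("ISA_ID", "MM5/MM6 (identity + hash, encrypted)")]

def stage_of(payloads: List[str]) -> Optional[str]:
    for marker, name in STAGES:
        if marker in payloads:
            return name
    return None

def parse_line(line: str) -> Optional[Dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # kernel lines and anything else not logged by iked
    msg = m["msg"]
    ike = IKE_RE.match(msg)
    if ike:
        raw = ike["payloads"]
        payloads = [p for p in raw.split() if p.startswith("ISA_") or p == "NAT-D"]
        return {"kind": "ike", "dir": ike["dir"], "hdr": ike["hdr"], "payloads": payloads,
                "stage": stage_of(payloads), "unknown_payload": "Unknown Payload Type" in raw}
    if msg.startswith("Skipping duplicate packet"):
        return {"kind": "duplicate"}
    if msg.startswith("Rejecting peer XAUTH"):
        return {"kind": "xauth_rejected"}
    return {"kind": "other"}

def summarize(log: str) -> Dict:
    events = [e for e in (parse_line(l) for l in log.splitlines()) if e]
    ike = [e for e in events if e["kind"] == "ike"]
    kinds = Counter(e["kind"] for e in events)
    # Each Main Mode attempt opens with one ISA_SA message per side (MM1 + MM2).
    sa_msgs = sum(1 for e in ike if e["dir"] != "RE-TO" and "ISA_SA" in e["payloads"])
    retransmits = sum(1 for e in ike if e["dir"] == "RE-TO")
    quick_mode = any(e["hdr"] == "QM-HDR" for e in ike)
    reached = [name for _, name in STAGES if any(e["stage"] == name for e in ike)]
    r = {"attempts": (sa_msgs + 1) // 2, "retransmits": retransmits,
         "duplicates": kinds["duplicate"], "xauth_rejected": kinds["xauth_rejected"],
         "unknown_payload": any(e["unknown_payload"] for e in ike),
         "quick_mode_seen": quick_mode, "furthest_stage": reached[-1] if reached else None,
         "findings": []}
    if not quick_mode:
        r["findings"].append(f"no Quick Mode message: Phase 1 did not complete in "
                             f"{r['attempts']} Main Mode attempt(s)")
        if r["furthest_stage"] == STAGES[2][1]:
            r["findings"].append(
                f"stalled at MM5/MM6 with {retransmits} retransmission(s) of the encrypted ISA_ID "
                "message: proposal and DH exchange were accepted, so check Phase 1 authentication "
                "(pre-shared key, peer identity type) before the ISAKMP proposal itself")
    if r["xauth_rejected"]:
        r["findings"].append(f"peer offered XAUTH {r['xauth_rejected']} time(s) and was refused "
                             "(not configured on the Firebox)")
    return r

# Constructed sample: the IKE lines of the thread's Firebox log, peer address redacted.
SAMPLE_LOG = """\
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR ISA_SA ISA_VENDORID
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR ISA_KE ISA_NONCE NAT-D NAT-D
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR ISA_KE ISA_NONCE ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID NAT-D NAT-D
06/05/84 16:05 iked[119]: Rejecting peer XAUTH request: not configured
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR*# ISA_ID ISA_HASH
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR ISA_SA ISA_VENDORID
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR ISA_KE ISA_NONCE ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID NAT-D NAT-D
06/05/84 16:05 iked[119]: Rejecting peer XAUTH request: not configured
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR ISA_KE ISA_NONCE NAT-D NAT-D
06/05/84 16:05 iked[119]: CRYPTO ACTIVE after delay
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR*# ISA_ID ISA_HASH
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR*# ISA_ID ISA_HASH
06/05/84 16:05 iked[119]: RE-TO P.Q.R.S MM-HDR*# ISA_ID
06/05/84 16:05 iked[119]: Skipping duplicate packet from P.Q.R.S
06/05/84 16:05 iked[119]: RE-TO P.Q.R.S MM-HDR*# ISA_ID
06/05/84 16:05 iked[119]: Skipping duplicate packet from P.Q.R.S
06/05/84 16:05 iked[119]: RE-TO P.Q.R.S MM-HDR*# ISA_ID
06/05/84 16:05 iked[119]: Skipping duplicate packet from P.Q.R.S
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR ISA_SA ISA_VENDORID
06/05/84 16:05 iked[119]: RE-TO P.Q.R.S MM-HDR*# ISA_ID
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR ISA_KE ISA_NONCE ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID NAT-D NAT-D
06/05/84 16:05 iked[119]: Rejecting peer XAUTH request: not configured
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR ISA_KE ISA_NONCE NAT-D NAT-D
06/05/84 16:05 iked[119]: CRYPTO ACTIVE after delay
06/05/84 16:05 iked[119]: FROM P.Q.R.S MM-HDR*# ISA_ID ISA_HASH
06/05/84 16:05 iked[119]: TO P.Q.R.S MM-HDR*# ISA_ID ISA_HASH
06/05/84 16:05 iked[119]: Skipping duplicate packet from P.Q.R.S
06/05/84 16:05 iked[119]: RE-TO P.Q.R.S MM-HDR*# ISA_ID
06/05/84 16:05 iked[119]: Skipping duplicate packet from P.Q.R.S
06/05/84 16:05 iked[119]: RE-TO P.Q.R.S MM-HDR*# ISA_ID Unknown Payload Type
06/05/84 16:05 iked[119]: RE-TO P.Q.R.S MM-HDR*# ISA_ID
06/05/84 16:05 iked[119]: Skipping duplicate packet from P.Q.R.S
"""

if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

On this log the summary shows three Main Mode attempts that all get through the proposal and DH steps, reach the encrypted identity/hash exchange and then loop on retransmissions and duplicates without a single Quick Mode message, which is the same picture the router gives with its SAs parked in MM_KEY_EXCH.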
04-03-2006 06:55 AM
It appears you may not have the transform-set configured on the WatchGuard correctly to match the Cisco.
DC