47894 Views, 0 Helpful, 20 Replies
IPSec VPN crypto sa is active but it doesn't work

sydflyer2011
Level 1

Hi guys,

My router is a Cisco 2811 with IOS version 12.4(22)T1. It had an established IPSec tunnel with one peer (203.*.*.250, shown below) for a long time, until recently we made it re-establish the IPSec VPN with another peer (203.*.*.30, shown below). It shows that the new SA is active, but the output still shows 4 deleted SAs. The 4 obsolete SA entries won't vanish no matter what I do, i.e. resetting the interface, re-creating the crypto map, clearing all SAs, etc.

From numerous tests we know that the VPN doesn't work even though the desired SA is there and remains active. I reckon it has something to do with those deleted SAs (I mean it is supposed to show only the last one if it is working fine). I don't know how it could have become like this, as we did pretty much the same thing on other VPN routers with no problems.

[screenshot: 1033.jpg]

The relevant configuration is here:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key 6 r3D4xwwR$m address 203.*.*.30
!
!
crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.*.*.30
 set transform-set ESP_3DES_SHA
 match address 105
!
access-list 105 permit ip 192.168.21.0 0.0.0.255 any

Please help! Thanks!

Regards,

Alex

Accepted Solution

Alex,

Thanks for confirming! Have you checked the FW rules to see if UDP port 500 is open on the FortiGate for the peering IP of the 2811?



20 Replies

sydflyer2011
Level 1

By the way, on the other end, the peer of this IPSec VPN (a firewall working as a VPN concentrator) indicates that this VPN is up and running.

hi alex,

kindly post the config of the remote FW/VPN device.

perform a 'clear crypto sa' on your 2811 and try to send a ping from a host on the 192.168.21.0/24 subnet towards a LAN IP on the remote side.

post the output of both 'show crypto isakmp sa' and 'show crypto ipsec sa' from your 2811 afterwards.

Hi John,

Thanks for your reply. Firstly, the FW/VPN device is a FortiGate which has another 3 similar IPSec tunnels set up with routers at other sites; only this one has a problem after peering with this firewall. I've done what you instructed, please see the output:

router#clear crypto sa
router#ping 192.168.68.88 source 192.168.21.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.68.88, timeout is 2 seconds:
Packet sent with a source address of 192.168.21.1
.....
Success rate is 0 percent (0/5)

router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
123.209.169.23  203.*.*.250 MM_NO_STATE          0 ACTIVE (deleted)
123.209.169.23  203.*.*.250 MM_NO_STATE          0 ACTIVE (deleted)
123.209.169.23  203.*.*.250 MM_NO_STATE          0 ACTIVE (deleted)
123.209.169.23  203.*.*.250 MM_NO_STATE          0 ACTIVE (deleted)
123.209.169.23  203.*.*.30   QM_IDLE           1143 ACTIVE

IPv6 Crypto ISAKMP SA

router#sh crypto ipsec sa

interface: Dialer1
    Crypto map tag: VPN, local addr 123.209.169.23

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.21.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 203.*.*.30 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 123.209.169.23, remote crypto endpt.: 203.*.*.30
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
     current outbound spi: 0x8DDB100E(2379943950)
     PFS (Y/N): Y, DH group: group1

     inbound esp sas:
      spi: 0x3861CB(3695051)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3099, flow_id: NETGX:1099, sibling_flags 80000046, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4424991/1773)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8DDB100E(2379943950)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3100, flow_id: NETGX:1100, sibling_flags 80000046, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4424990/1773)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Cellular0/3/0
    Crypto map tag: VPN, local addr 123.209.169.23

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.21.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 203.*.*.30 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 123.209.169.23, remote crypto endpt.: 203.*.*.30
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
     current outbound spi: 0x8DDB100E(2379943950)
     PFS (Y/N): Y, DH group: group1

     inbound esp sas:
      spi: 0x3861CB(3695051)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3099, flow_id: NETGX:1099, sibling_flags 80000046, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4424991/1773)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8DDB100E(2379943950)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3100, flow_id: NETGX:1100, sibling_flags 80000046, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4424990/1773)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Cheers.
Regards,
Alex
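Reading the two outputs above by hand is what the thread does next; the script below is an added example (Python, written for this page, not from the thread or from any Cisco tool) that does the same read mechanically. It parses the ISAKMP SA table and the per-interface IPsec SA blocks and flags the two things visible in this post: repeated 'ACTIVE (deleted)' rows from a peer that has no 'set peer' in the crypto map, and an SA whose encaps counter climbs while decaps stays at zero. The embedded sample text is constructed to mirror the posted output, with RFC 5737 documentation addresses in place of the real ones; the check names and wording are my own.

```python
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str]  # (tag, detail)

# Constructed sample modeled on the outputs posted above; addresses are RFC 5737
# documentation ranges, not the poster's. Paste real output into these strings to reuse it.
LOCAL = "198.51.100.23"
CONFIG = """\
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.30
 match address 105
"""
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
198.51.100.23   203.0.113.250   MM_NO_STATE          0 ACTIVE (deleted)
198.51.100.23   203.0.113.250   MM_NO_STATE          0 ACTIVE (deleted)
198.51.100.23   203.0.113.250   MM_NO_STATE          0 ACTIVE (deleted)
198.51.100.23   203.0.113.250   MM_NO_STATE          0 ACTIVE (deleted)
198.51.100.23   203.0.113.30    QM_IDLE           1143 ACTIVE
"""
IPSEC_SA = """\
interface: Dialer1
   local  ident (addr/mask/prot/port): (192.168.21.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 203.0.113.30 port 500
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     PFS (Y/N): Y, DH group: group1
"""
# One row of the ISAKMP SA table: dst src state conn-id status
SA_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+ACTIVE( \(deleted\))?$")


def configured_peers(config: str) -> Set[str]:
    return set(re.findall(r"^\s*set peer (\S+)", config, re.M))


def parse_isakmp(text: str, local: str) -> List[Dict]:
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            dst, src, state, conn, deleted = m.groups()
            # IOS prints our own address under 'dst' when we were the responder.
            rows.append({"peer": src if dst == local else dst, "state": state,
                         "conn": int(conn), "deleted": deleted is not None})
    return rows


def parse_ipsec(text: str) -> List[Dict]:
    """One dict per 'interface:' block: peer, remote proxy ID, counters, PFS group."""
    blocks, cur = [], None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("interface:"):
            cur = {"interface": s.split(":", 1)[1].strip()}
            blocks.append(cur)
        elif cur is None:
            continue
        elif s.startswith("current_peer"):
            cur["peer"] = s.split()[1]
        elif s.startswith("remote ident"):
            cur["remote_ident"] = s.rsplit("(", 1)[1].rstrip(")")
        elif s.startswith("#pkts encaps:"):
            cur["encaps"] = int(re.search(r"encaps: (\d+)", s).group(1))
        elif s.startswith("#pkts decaps:"):
            cur["decaps"] = int(re.search(r"decaps: (\d+)", s).group(1))
        elif s.startswith("PFS"):
            cur["pfs_group"] = s.rsplit(":", 1)[1].strip()
    return blocks


def triage(config: str, isakmp_text: str, ipsec_text: str, local: str) -> List[Finding]:
    findings: List[Finding] = []
    peers = configured_peers(config)
    rows = parse_isakmp(isakmp_text, local)
    # Deleted entries from a peer with no 'set peer' (so no PSK either): that device is
    # still initiating main mode and failing, independently of the configured tunnel.
    stale = Counter(r["peer"] for r in rows if r["deleted"] and r["peer"] not in peers)
    for peer, n in stale.items():
        findings.append(("stale-ike", f"{n} deleted ISAKMP SA(s) from {peer}, which is not a "
                         "configured peer; they recur until that device stops initiating"))
    for r in rows:
        if r["state"] == "QM_IDLE" and not r["deleted"] and r["peer"] in peers:
            findings.append(("phase1-ok", f"IKE phase 1 up with {r['peer']} (conn-id {r['conn']})"))
    for b in parse_ipsec(ipsec_text):
        if b.get("encaps", 0) > 0 and b.get("decaps", 0) == 0:
            findings.append(("one-way", f"{b['interface']} -> {b['peer']}: {b['encaps']} packets "
                             "encrypted, none decrypted; phase 2 is up, so check the far side's return "
                             "route/policy and that ESP (IP 50) or UDP/4500 from it reaches this router"))
        if b.get("remote_ident", "").startswith("0.0.0.0/0.0.0.0"):
            findings.append(("broad-proxy-id", f"{b['interface']}: remote proxy ID is 0.0.0.0/0, so "
                             "every non-NATed packet from the local subnet enters the tunnel"))
        if b.get("pfs_group") == "group1":
            findings.append(("weak-pfs", f"{b['interface']}: PFS with DH group 1 (768-bit MODP)"))
    return findings
```

Call triage(CONFIG, ISAKMP_SA, IPSEC_SA, LOCAL) to get the list of (tag, detail) pairs; on a real box, paste the output of the three commands into the strings and set LOCAL to the address shown after 'local addr'. The point of separating the two checks is that they point in different directions: 'stale-ike' is noise from a device that is no longer a peer and does not touch the working SA, while 'one-way' (encaps up, decaps zero with phase 2 established) is the symptom that matches the failed ping and is almost always resolved on the far side or on the path back to this router.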

hi alex,

thanks for the update! could you post the 2811 running-config (remove sensitive info)?

it would be helpful to see the remote device's VPN config (IKE policies) for troubleshooting. VPN errors are most of the time due to a config issue. also, when you re-created the VPN on the router, did you issue the command 'crypto isakmp enable' from global config mode?

2811(config)#crypto isakmp enable

Hi John,

I tried the command crypto isakmp enable but the result of show crypto isakmp sa is still the same. Anyway, I'll post the config here:

router#sh run
Building configuration...

Current configuration : 7439 bytes
!
! Last configuration change at 01:51:52 UTC Tue Jul 17 2012 by alexadmin
! NVRAM config last updated at 10:42:33 UTC Tue Jul 10 2012 by alexadmin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login default group radius local
aaa authentication login console-auth local
aaa authorization exec default group radius local
!
!
aaa session-id common
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip host members.dyndns.org 204.*.*.112
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw icmp
ip ddns update method cheltddns
 HTTP
  add http://*:*@members.dyndns.org/nic/update?hostname=*&myip=*@members.dyndns.org/nic/update?hostname=*&myip=
 interval maximum 28 0 0 0
 interval minimum 28 0 0 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
chat-script internet "" "*" TIMEOUT 30 "CONNECT"
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
crypto pki trustpoint TP-self-signed-3295771654
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3295771654
 revocation-check none
 rsakeypair TP-self-signed-3295771654
!
!
crypto pki certificate chain TP-self-signed-3295771654
 certificate self-signed 01
  30820245 308201AE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33323935 37373136 3534301E 170D3132 30353131 31313132
  33365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32393537
  37313635 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B864 A0926D93 086AE410 F324E1E1 F299BD77 9CACE140 6DE62D06 F79691D6
  19E81F19 3315E0AD 17293593 8626B56B 0EE7D3C8 D4168408 B38C8C60 40BBC6B0
  EAE2115A CE01A332 5187122B 70166FA1 80542BA9 16E1F965 EC30C71C B9E487FE
  9222FDF5 D537AAD2 7E96820C 2081AA73 CF208CC0 69380BE0 73C09F16 5F83A24E
  AF510203 010001A3 6D306B30 0F060355 1D130101 FF040530 030101FF 30180603
  551D1104 11300F82 0D4D454C 312D5352 2D52542D 3032301F 0603551D 23041830
  16801413 C8890547 F3C80863 0DE8A451 BD1560EE 60B0FA30 1D060355 1D0E0416
  041413C8 890547F3 C808630D E8A451BD 1560EE60 B0FA300D 06092A86 4886F70D
  01010405 00038181 008D7ECC B2E9A6B8 5D99C38D E362350C C88A0870 B12ADAB2
  EAA20D30 0F11D749 8338753F 4371858E D31AFC2C 25C51676 4E3C091A BBDB1E74
  64D67D48 A6808E8D DF3CA7DD 7F66BDBD EE96B083 0EC8F92C 1B93F727 7C319A6F
  F26AD911 8C58B3B0 60066AD9 1D24A594 FCC6B783 7CCCD52C B83E946B 7265EB71
  AC00760D D94ED56E 87
        quit
!
!
username root privilege 15 password 7 09601F0D0F55460219
archive
 log config
  hidekeys
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key 6 r3D4xwwR$m address 203.*.*.30
!
!
crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.*.*.30
 set transform-set ESP_3DES_SHA
 match address 105
!
!
!
!
track 1 ip sla 1 reachability
 delay down 180 up 60
!
track 2 ip sla 2 reachability
 delay down 60 up 60
!
!
!
!
interface FastEthernet0/0
 ip address 172.28.8.13 255.255.255.0
 ip flow egress
 duplex full
 speed 100
!
interface FastEthernet0/1
 bandwidth 2048
 ip address 192.168.21.1 255.255.255.0
 ip helper-address 192.168.20.3
 ip flow egress
 ip nat inside
 no ip virtual-reassembly
 duplex full
 speed 100
!
interface ATM0/2/0
 no ip address
 no atm ilmi-keepalive
 dsl bitswap both
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
 !
!
interface Cellular0/3/0
 no ip address
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 load-interval 60
 dialer in-band
 dialer pool-member 1
 dialer-group 1
 async mode interactive
 crypto map VPN
!
interface Dialer1
 ip ddns update hostname *.dyndns.org
 ip ddns update cheltddns
 ip address negotiated
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer string internet
 dialer persistent
 dialer-group 1
 ppp chap hostname ""
 ppp chap password 7 08630E
 crypto map VPN
!
interface Dialer2
 description ADSL2+
 ip address negotiated
 ip access-group 104 in
 ip flow egress
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 2
 dialer idle-timeout 0
 dialer persistent
 dialer-group 2
 ppp chap hostname *@dsl.*
 ppp chap password 7 121B0816000A0A0F27
!
router ospf 100
 router-id 13.13.13.13
 log-adjacency-changes
 redistribute connected subnets route-map OSPFRedi
 network 172.28.8.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1 200
ip route 192.168.68.33 255.255.255.255 Dialer1
ip route 192.168.68.88 255.255.255.255 Dialer1
ip route 203.*.*.30 255.255.255.255 Dialer1
ip route 203.*.*.250 255.255.255.255 Dialer1
ip route 204.13.248.112 255.255.255.255 Dialer1
ip http server
ip http authentication aaa login-authentication default
ip http secure-server
!
ip flow-cache timeout inactive 250
ip flow-export source FastEthernet0/1
ip flow-export version 5
ip flow-export destination 192.168.66.130 9996
!
ip nat inside source list 103 interface Dialer1 overload
!
ip radius source-interface FastEthernet0/1
ip sla 2
 icmp-echo 8.8.8.8 source-interface Dialer2
 timeout 1500
 frequency 5
ip sla schedule 2 life forever start-time now
logging facility local5
access-list 5 permit 192.168.21.0 0.0.0.255
access-list 101 deny   ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 deny   ip 192.168.20.0 0.0.0.255 172.28.1.0 0.0.0.15
access-list 101 deny   ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 102 permit ip 192.168.20.0 0.0.0.255 any
access-list 103 deny   ip 192.168.21.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 103 deny   ip 192.168.21.0 0.0.0.255 172.28.0.0 0.0.255.255
access-list 103 deny   ip 192.168.21.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 103 permit ip 192.168.21.0 0.0.0.255 any
access-list 104 deny   tcp any any
access-list 104 deny   udp any any
access-list 104 permit icmp any any echo
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any packet-too-big
access-list 104 permit icmp any any traceroute
access-list 104 permit icmp any any unreachable
access-list 105 permit ip 192.168.21.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community GraysPriv RO 20
snmp-server ifindex persist
snmp-server host 192.168.66.130 version 2c GraysPriv
!
!
!
!
route-map OSPFRedi permit 10
 match ip address 5
!
!
!
radius-server host 192.168.66.2 auth-port 1645 acct-port 1646 key 7 107A214A3743161E0551
!
control-plane
!
!
!
voice-port 0/0/0
!
voice-port 0/0/1
!
voice-port 0/0/2
!
voice-port 0/0/3
!
ccm-manager fax protocol cisco
!
mgcp fax t38 ecm
!
!
!
!
!
!
line con 0
 login authentication console-auth
line aux 0
line 0/3/0
 exec-timeout 0 0
 script dialer internet
 no exec
 transport input all
 rxspeed 3600000
 txspeed 384000
line vty 0 4
 exec-timeout 0 0
!
scheduler allocate 20000 1000
ntp server 192.168.66.2
end

Thanks very much!

Regards,
Alex
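The running-config above is long enough that a hardening checklist is easier to apply with a script than by eye. What follows is an added example written for this page, not taken from the thread or from any Cisco tool: a small IOS config linter that runs over a constructed excerpt modeled on the posted config (placeholder secrets and SNMP community, RFC 5737 address for the peer) and reports the points a reviewer would raise on it: 'service internal', 'ip source-route', type-7 secrets, a crypto ACL that ends in 'any', a 3DES/SHA-1/group 5 ISAKMP policy, cleartext HTTP management, an SNMP community whose access list is not defined anywhere in the config, SNMPv2c, and vty lines with no access-class, no transport restriction and no idle timeout. The check identifiers and messages are my own.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (check id, detail)

# Constructed excerpt modeled on the running-config posted above. Secrets, the SNMP
# community and public addresses are placeholders, not the poster's values.
SAMPLE_CONFIG = """\
service password-encryption
service internal
ip source-route
username root privilege 15 password 7 0822455D0A16
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key 6 EXAMPLEKEY address 203.0.113.30
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.30
 match address 105
ip http server
ip http secure-server
access-list 105 permit ip 192.168.21.0 0.0.0.255 any
snmp-server community EXAMPLECOMM RO 20
snmp-server host 192.168.66.130 version 2c EXAMPLECOMM
radius-server host 192.168.66.2 auth-port 1645 acct-port 1646 key 7 0822455D0A16
line vty 0 4
 exec-timeout 0 0
"""


def sections(cfg: str, header: str) -> List[List[str]]:
    """Bodies (indented sub-commands) of every section whose first line matches the regex."""
    out, cur = [], None
    for line in cfg.splitlines():
        if line and not line[0].isspace():
            cur = [] if re.match(header, line) else None
            if cur is not None:
                out.append(cur)
        elif cur is not None and line.strip():
            cur.append(line.strip())
    return out


def audit(cfg: str) -> List[Finding]:
    f: List[Finding] = []
    lines = [l.rstrip() for l in cfg.splitlines()]
    if "service internal" in lines:
        f.append(("service-internal", "hidden diagnostic commands enabled; remove outside TAC-driven debugging"))
    if "ip source-route" in lines:
        f.append(("source-route", "source-routed packets are honoured; set 'no ip source-route'"))
    type7 = [l for l in lines if re.search(r"\b(?:password|key) 7 [0-9A-Fa-f]+$", l)]
    if type7:
        f.append(("type7", f"{len(type7)} type-7 secrets; type 7 is reversible obfuscation, not a hash"))
    # A crypto ACL entry ending in 'any' negotiates a 0.0.0.0/0 remote proxy ID.
    for body in sections(cfg, r"^crypto map \S+ \d+ ipsec-isakmp"):
        for acl in (e.split()[2] for e in body if e.startswith("match address ")):
            if any(re.match(rf"access-list {re.escape(acl)} permit ip .* any$", l) for l in lines):
                f.append(("crypto-acl-any", f"crypto ACL {acl} permits to 'any'; narrow it to the remote subnets"))
    # IOS 12.4 defaults when a line is absent from the policy: encr des, hash sha (SHA-1), group 1.
    for body in sections(cfg, r"^crypto isakmp policy \d+"):
        encr = next((e.split()[1] for e in body if e.startswith("encr")), "des")
        hsh = next((e.split()[1] for e in body if e.startswith("hash")), "sha")
        grp = next((e.split()[1] for e in body if e.startswith("group")), "1")
        weak = [w for w, bad in ((f"encr {encr}", encr in ("des", "3des")),
                                 (f"hash {hsh}", hsh in ("md5", "sha")),
                                 (f"group {grp}", grp in ("1", "2", "5"))) if bad]
        if weak:
            f.append(("weak-ike", "ISAKMP policy uses " + ", ".join(weak) +
                      "; prefer AES, SHA-256 and DH group 14 or higher where the image supports them"))
    if "ip http server" in lines:
        f.append(("http-plain", "cleartext HTTP management enabled next to HTTPS; 'no ip http server'"))
    defined = set(re.findall(r"^access-list (\S+) ", cfg, re.M)) | \
        set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", cfg, re.M))
    for l in lines:
        m = re.match(r"snmp-server community \S+ (?:RO|RW)(?: (\S+))?$", l)
        if m and m.group(1) is None:
            f.append(("snmp-no-acl", "SNMP community has no access list"))
        elif m and m.group(1) not in defined:
            f.append(("snmp-acl-undefined", f"SNMP community references ACL {m.group(1)}, which is not "
                      "defined here; an undefined ACL filters nothing, so define it or fix the reference"))
        if re.match(r"snmp-server host .* version (?:1|2c) ", l):
            f.append(("snmp-v2c", "SNMPv1/v2c trap host: the community travels in cleartext; move to SNMPv3"))
    for body in sections(cfg, r"^line vty"):
        if not any(e.startswith("access-class") for e in body):
            f.append(("vty-no-access-class", "vty lines accept logins from any source; add 'access-class'"))
        if "exec-timeout 0 0" in body:
            f.append(("vty-no-timeout", "'exec-timeout 0 0' never logs out idle sessions"))
        if not any(e.startswith("transport input") for e in body):
            f.append(("vty-transport", "no 'transport input ssh'; telnet remains allowed by default"))
    return f
```

audit(SAMPLE_CONFIG) returns the findings as (id, detail) pairs; feed it the text of 'show running-config' to use it on a real device. Two of the checks deserve a caveat. The type-7 check only counts occurrences: type 7 is a documented reversible encoding, so the remedy is to move those values to 'secret' forms (the ISAKMP key in the posted config already uses 'key 6', which is the AES-protected form) rather than to rotate the same value in the same encoding. The IKE check applies the IOS 12.4 defaults for lines that are absent from the policy, which is why the posted 'crypto isakmp policy 10' with no 'hash' line is reported as SHA-1.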

sydflyer2011
Level 1

And a portion of the debugging output of debug crypto isakmp is here:

641068: Jul 17 01:01:02.352: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 203.*.*.250)

641069: Jul 17 01:01:02.352: ISAKMP: Unlocking peer struct 0x4A0A1934 for isadb_mark_sa_deleted(), count 0

641070: Jul 17 01:01:02.352: ISAKMP: Deleting peer node by peer_reap for 203.*.*.250: 4A0A1934

641071: Jul 17 01:01:02.356: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

641072: Jul 17 01:01:02.356: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA

641073: Jul 17 01:01:02.356: ISAKMP:(0):purging SA., sa=49CDF344, delme=49CDF344

641074: Jul 17 01:01:02.356: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 203.*.*.250)

641075: Jul 17 01:01:02.356: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR

641076: Jul 17 01:01:02.356: ISAKMP:(0):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

641077: Jul 17 01:01:05.920: ISAKMP:(1143):purging node 1283483346

641078: Jul 17 01:01:06.488: ISAKMP (1143): received packet from 203.*.*.30 dport 500 sport 500 Global (R) QM_IDLE

641079: Jul 17 01:01:06.488: ISAKMP: set new node -809730676 to QM_IDLE

641080: Jul 17 01:01:06.488: ISAKMP:(1143): processing HASH payload. message ID = -809730676

641081: Jul 17 01:01:06.488: ISAKMP:(1143): processing NOTIFY DPD/R_U_THERE protocol 1

        spi 0, message ID = -809730676, sa = 4A10A708

641082: Jul 17 01:01:06.488: ISAKMP:(1143):deleting node -809730676 error FALSE reason "Informational (in) state 1"

641083: Jul 17 01:01:06.488: ISAKMP:(1143):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

641084: Jul 17 01:01:06.488: ISAKMP:(1143):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

641085: Jul 17 01:01:06.492: ISAKMP:(1143):DPD/R_U_THERE received from peer 203.*.*.30, sequence 0x1879E

641086: Jul 17 01:01:06.492: ISAKMP: set new node 640495429 to QM_IDLE

641087: Jul 17 01:01:06.492: ISAKMP:(1143):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1

        spi 1211805536, message ID = 640495429

641088: Jul 17 01:01:06.492: ISAKMP:(1143): seq. no 0x1879E

641089: Jul 17 01:01:06.492: ISAKMP:(1143): sending packet to 203.*.*.30 my_port 500 peer_port 500 (R) QM_IDLE

641090: Jul 17 01:01:06.492: ISAKMP:(1143):Sending an IKE IPv4 Packet.

641091: Jul 17 01:01:06.492: ISAKMP:(1143):purging node 640495429

641092: Jul 17 01:01:06.492: ISAKMP:(1143):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE

641093: Jul 17 01:01:06.492: ISAKMP:(1143):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

641094: Jul 17 01:01:08.380: ISAKMP (0): received packet from 203.*.*.250 dport 500 sport 500 Global (R) MM_NO_STATE

641095: Jul 17 01:01:11.460: ISAKMP:(1143):purging node -1289646938

641096: Jul 17 01:01:12.181: ISAKMP (1143): received packet from 203.*.*.30 dport 500 sport 500 Global (R) QM_IDLE

641097: Jul 17 01:01:12.181: ISAKMP: set new node 438076132 to QM_IDLE

641098: Jul 17 01:01:12.181: ISAKMP:(1143): processing HASH payload. message ID = 438076132

641099: Jul 17 01:01:12.181: ISAKMP:(1143): processing NOTIFY DPD/R_U_THERE protocol 1

        spi 0, message ID = 438076132, sa = 4A10A708

641100: Jul 17 01:01:12.181: ISAKMP:(1143):deleting node 438076132 error FALSE reason "Informational (in) state 1"

641101: Jul 17 01:01:12.181: ISAKMP:(1143):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

641102: Jul 17 01:01:12.181: ISAKMP:(1143):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

641103: Jul 17 01:01:12.185: ISAKMP:(1143):DPD/R_U_THERE received from peer 203.*.*.30, sequence 0x1879F

641104: Jul 17 01:01:12.185: ISAKMP: set new node -846002752 to QM_IDLE

641105: Jul 17 01:01:12.185: ISAKMP:(1143):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1

        spi 1211805536, message ID = -846002752

641106: Jul 17 01:01:12.185: ISAKMP:(1143): seq. no 0x1879F

641107: Jul 17 01:01:12.185: ISAKMP:(1143): sending packet to 203.*.*.30 my_port 500 peer_port 500 (R) QM_IDLE

641108: Jul 17 01:01:12.185: ISAKMP:(1143):Sending an IKE IPv4 Packet.

641109: Jul 17 01:01:12.185: ISAKMP:(1143):purging node -846002752

641110: Jul 17 01:01:12.189: ISAKMP:(1143):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE

641111: Jul 17 01:01:12.189: ISAKMP:(1143):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

no d

641112: Jul 17 01:01:17.013: ISAKMP:(1143):purging node -730203910

641113: Jul 17 01:01:17.357: ISAKMP:(0):purging SA., sa=4A2D442C, delme=4A2D442C

641114: Jul 17 01:01:17.409: ISAKMP (0): received packet from 203.*.*.250 dport 500 sport 500 Global (N) NEW SA

641115: Jul 17 01:01:17.409: ISAKMP: Created a peer struct for 203.*.*.250, peer port 500

641116: Jul 17 01:01:17.409: ISAKMP: New peer created peer = 0x4A0AE4DC peer_handle = 0x80013F42

641117: Jul 17 01:01:17.409: ISAKMP: Locking peer struct 0x4A0AE4DC, refcount 1 for crypto_isakmp_process_block

641118: Jul 17 01:01:17.409: ISAKMP: local port 500, remote port 500

641119: Jul 17 01:01:17.409: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 4A2D442C

641120: Jul 17 01:01:17.409: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

641121: Jul 17 01:01:17.409: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

641122: Jul 17 01:01:17.413: ISAKMP:(0): processing SA payload. message ID = 0

641123: Jul 17 01:01:17.413: ISAKMP:(0): processing vendor id payload

641124: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

641125: Jul 17 01:01:17.413: ISAKMP (0): vendor ID is NAT-T RFC 3947

641126: Jul 17 01:01:17.413: ISAKMP:(0): processing vendor id payload

641127: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

641128: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID is NAT-T v3

641129: Jul 17 01:01:17.413: ISAKMP:(0): processing vendor id payload

641130: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch

641131: Jul 17 01:01:17.413: ISAKMP:(0): processing vendor id payload

641132: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

641133: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID is NAT-T v2

641134: Jul 17 01:01:17.413: ISAKMP:(0): processing vendor id payload

641135: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID seems Unity/DPD but major 168 mismatch

641136: Jul 17 01:01:17.413: ISAKMP:(0): processing vendor id payload

641137: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch

641138: Jul 17 01:01:17.413: ISAKMP:(0): processing vendor id payload

641139: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID is DPD

641140: Jul 17 01:01:17.413: ISAKMP:(0): processing vendor id payload

641141: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID seems Unity/DPD but major 2 mismatch

641142: Jul 17 01:01:17.413: ISAKMP:(0):No pre-shared key with 203.*.*.250!

641143: Jul 17 01:01:17.413: ISAKMP : Scanning profiles for xauth ...

641144: Jul 17 01:01:17.413: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

641145: Jul 17 01:01:17.413: ISAKMP:      life type in seconds

641146: Jul 17 01:01:17.413: ISAKMP:      life duration (basic) of 28800

641147: Jul 17 01:01:17.413: ISAKMP:      encryption 3DES-CBC

641148: Jul 17 01:01:17.413: ISAKMP:      auth pre-share

641149: Jul 17 01:01:17.413: ISAKMP:      hash SHA

641150: Jul 17 01:01:17.413: ISAKMP:      default group 5

641151: Jul 17 01:01:17.413: ISAKMP:(0):Preshared authentication offered but does not match policy!

641152: Jul 17 01:01:17.417: ISAKMP:(0):atts are not acceptable. Next payload is 0

641153: Jul 17 01:01:17.417: ISAKMP:(0):no offers accepted!

641154: Jul 17 01:01:17.417: ISAKMP:(0): phase 1 SA policy not acceptable! (local 123.209.169.23 remote 203.*.*.250)

641155: Jul 17 01:01:17.417: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init

641156: Jul 17 01:01:17.417: ISAKMP:(0): Failed to construct AG informational message.

641157: Jul 17 01:01:17.417: ISAKMP:(0): sending packet to 203.*.*.250 my_port 500 peer_port 500 (R) MM_NO_STATE

641158: Jul 17 01:01:17.417: ISAKMP:(0):Sending an IKE IPv4 Packet.

641159: Jul 17 01:01:17.417: ISAKMP:(0):peer does not do paranoid keepalives.

641160: Jul 17 01:01:17.417: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 203.*.*.250)

641161: Jul 17 01:01:17.417: ISAKMP:(0): processing vendor id payload

641162: Jul 17 01:01:17.417: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

641163: Jul 17 01:01:17.417: ISAKMP (0): vendor ID is NAT-T RFC 3947

641164: Jul 17 01:01:17.417: ISAKMP:(0): processing vendor id payload

641165: Jul 17 01:01:17.417: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

641166: Jul 17 01:01:17.417: ISAKMP:(0): vendor ID is NAT-T v3

641167: Jul 17 01:01:17.417: ISAKMP:(0): processing vendor id payload

641168: Jul 17 01:01:17.417: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch

641169: Jul 17 01:01:17.417: ISAKMP:(0): processing vendor id payload

641170: Jul 17 01:01:17.417: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

641171: Jul 17 01:01:17.417: ISAKMP:(0): vendor ID is NAT-T v2

641172: Jul 17 01:01:17.417: ISAKMP:(0): processing vendor id payload

641173: Jul 17 01:01:17.417: ISAKMP:(0): vendor ID seems Unity/DPD but major 168 mismatch

641174: Jul 17 01:01:17.421: ISAKMP:(0): processing vendor id payload

641175: Jul 17 01:01:17.421: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch

641176: Jul 17 01:01:17.421: ISAKMP:(0): processing vendor id payload

641177: Jul 17 01:01:17.421: ISAKMP:(0): vendor ID is DPD

641178: Jul 17 01:01:17.421: ISAKMP:(0): processing vendor id payload

641179: Jul 17 01:01:17.421: ISAKMP:(0): vendor ID seems Unity/DPD but major 2 mismatch

641180: Jul 17 01:01:17.421: ISAKMP (0): FSM action returned error: 2

641181: Jul 17 01:01:17.421: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

641182: Jul 17 01:01:17.421: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

641183: Jul 17 01:01:17.421: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 203.*.*.250)

641184: Jul 17 01:01:17.421: ISAKMP: Unlocking peer struct 0x4A0AE4DC for isadb_mark_sa_deleted(), count 0

641185: Jul 17 01:01:17.421: ISAKMP: Deleting peer node by peer_reap for 203.*.*.250: 4A0AE4DC

641186: Jul 17 01:01:17.421: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

641187: Jul 17 01:01:17.421: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA

641188: Jul 17 01:01:17.425: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 203.*.*.250)

641189: Jul 17 01:01:17.425: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR

641190: Jul 17 01:01:17.425: ISAKMP:(0):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

641191: Jul 17 01:01:17.829: ISAKMP (1143): received packet from 203.*.*.30 dport 500 sport 500 Global (R) QM_IDLE

641192: Jul 17 01:01:17.829: ISAKMP: set new node -2063194255 to QM_IDLE

641193: Jul 17 01:01:17.829: ISAKMP:(1143): processing HASH payload. message ID = -2063194255

641194: Jul 17 01:01:17.829: ISAKMP:(1143): processing NOTIFY DPD/R_U_THERE protocol 1

        spi 0, message ID = -2063194255, sa = 4A10A708

641195: Jul 17 01:01:17.829: ISAKMP:(1143):deleting node -2063194255 error FALSE reason "Informational (in) state 1"

641196: Jul 17 01:01:17.829: ISAKMP:(1143):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

641197: Jul 17 01:01:17.829: ISAKMP:(1143):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

641198: Jul 17 01:01:17.829: ISAKMP:(1143):DPD/R_U_THERE received from peer 203.*.*.30, sequence 0x187A0

641199: Jul 17 01:01:17.833: ISAKMP: set new node -2050772453 to QM_IDLE

641200: Jul 17 01:01:17.833: ISAKMP:(1143):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1

        spi 1211805536, message ID = -2050772453

641201: Jul 17 01:01:17.833: ISAKMP:(1143): seq. no 0x187A0

Sandringham_VPLS#no debug crypto

641202: Jul 17 01:01:17.833: ISAKMP:(1143): sending packet to 203.*.*.30 my_port 500 peer_port 500 (R) QM_IDLE

641203: Jul 17 01:01:17.833: ISAKMP:(1143):Sending an IKE IPv4 Packet.

641204: Jul 17 01:01:17.833: ISAKMP:(1143):purging node -2050772453

641205: Jul 17 01:01:17.833: ISAKMP:(1143):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE

641206: Jul 17 01:01:17.833: ISAKMP:(1143):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

hi alex,

Based on your debugs, I noticed 203.*.*.250 is still trying to establish IKE phase 1 with the remote peer but was rejected.

641068: Jul 17 01:01:02.352: ISAKMP:(0):deleting SA reason "Phase1 SA  policy proposal not accepted" state (R) MM_NO_STATE (peer 203.*.*.250)

On the other hand, the new 203.*.*.30 has successfully established IKE phase 1.

IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Could you retest your VPN connectivity and issue a 'debug crypto ipsec' (for IKE phase 2) and post it here? I would appreciate it if you could also post the relevant VPN config from your FW/VPN device as well.

Hi John,

Thanks for your reply. I've reset the interface and the debugging result is here:

router(config-if)#do debug crypto ipsec

Crypto IPSEC debugging is on

router(config-if)#no shut

router(config-if)#end

router#

641220: Jul 17 02:45:15.233: %LINK-3-UPDOWN: Interface Dialer1, changed state to up

641221: Jul 17 02:45:16.381: %SYS-5-CONFIG_I: Configured from console by alexadmin on vty0 (192.168.66.233)

641222: Jul 17 02:45:16.481: %LINK-3-UPDOWN: Interface Cellular0/3/0, changed state to up

641223: Jul 17 02:45:16.481: %DIALER-6-BIND: Interface Ce0/3/0 bound to profile Di1

641224: Jul 17 02:45:17.497: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0/3/0, changed state to up

641225: Jul 17 02:45:19.265: IPSEC(recalculate_mtu): reset sadb_root 49B5E178 mtu to 1500

641226: Jul 17 02:46:32.099: IPSEC(key_engine): got a queue event with 1 KMI message(s)

641227: Jul 17 02:46:34.247: IPSEC(validate_proposal_request): proposal part #1

641228: Jul 17 02:46:34.247: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 123.209.60.106, remote= 203.*.*.250,

    local_proxy= 192.168.21.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    protocol= ESP, transform= NONE  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

641229: Jul 17 02:46:34.247: IPSEC(ipsec_process_proposal): proxy identities not supported

641230: Jul 17 02:46:34.419: IPSEC(key_engine): got a queue event with 1 KMI message(s)

641231: Jul 17 02:46:36.159: IPSEC(validate_proposal_request): proposal part #1

641232: Jul 17 02:46:36.159: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 123.209.60.106, remote= 203.*.*.30,

    local_proxy= 192.168.21.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    protocol= ESP, transform= NONE  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

641233: Jul 17 02:46:36.159: IPSEC(ipsec_process_proposal): proxy identities not supported

641234: Jul 17 02:47:36.868: IPSEC(key_engine): got a queue event with 1 KMI message(s)

641235: Jul 17 02:47:38.172: IPSEC(key_engine): got a queue event with 1 KMI message(s)

641236: Jul 17 02:47:38.860: IPSEC(key_engine): got a queue event with 1 KMI message(s)

641237: Jul 17 02:47:39.196: IPSEC(validate_proposal_request): proposal part #1

641238: Jul 17 02:47:39.196: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 123.209.60.106, remote= 203.*.*.250,

    local_proxy= 192.168.21.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    protocol= ESP, transform= NONE  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

641239: Jul 17 02:47:39.196: IPSEC(ipsec_process_proposal): proxy identities not supported

641240: Jul 17 02:47:41.168: IPSEC(validate_proposal_request): proposal part #1

641241: Jul 17 02:47:41.168: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 123.209.60.106, remote= 203.*.*.30,

    local_proxy= 192.168.21.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    protocol= ESP, transform= NONE  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

641242: Jul 17 02:47:41.168: IPSEC(ipsec_process_proposal): proxy identities not supported

641243: Jul 17 02:48:41.202: IPSEC(key_engine): got a queue event with 1 KMI message(s)

641244: Jul 17 02:48:41.890: IPSEC(key_engine): got a queue event with 1 KMI message(s)

641245: Jul 17 02:48:43.170: IPSEC(key_engine): got a queue event with 1 KMI message(s)

641246: Jul 17 02:48:43.858: IPSEC(key_engine): got a queue event with 1 KMI message(s)

641247: Jul 17 02:48:44.210: IPSEC(validate_proposal_request): proposal part #1

641248: Jul 17 02:48:44.210: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 123.209.60.106, remote= 203.*.*.250,

    local_proxy= 192.168.21.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    protocol= ESP, transform= NONE  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

641249: Jul 17 02:48:44.210: IPSEC(ipsec_process_proposal): proxy identities not supported

641250: Jul 17 02:48:46.170: IPSEC(validate_proposal_request): proposal part #1

641251: Jul 17 02:48:46.170: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 123.209.60.106, remote= 203.*.*.30,

    local_proxy= 192.168.21.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    protocol= ESP, transform= NONE  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

641252: Jul 17 02:48:46.170: IPSEC(ipsec_process_proposal): proxy identities not supported

On the other hand, I'll post the screenshot of the VPN config in the next reply

on the firewall configuration of phase 1

phase 2

regards,

Alex

alex,

Thanks for the debug output and Fortigate config screenshot. Observing the debug output, it appears an ACL (for IPSEC traffic) could be your issue.

641242: Jul 17 02:47:41.168: IPSEC(ipsec_process_proposal): proxy identities not supported

could you re-configure your device ACLs as below:

2811:

no access-list 105

access-list 105 permit ip 192.168.21.0 0.0.0.255 192.168.68.0 0.0.0.255

FORTIGATE:

edit phase 2 > source address: 192.168.68.0/24
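A small checker for the two failure signatures quoted in this thread: the per-peer Phase 1 rejection ("Phase1 SA policy proposal not accepted") and the `validate_proposal_request` blocks that end in "proxy identities not supported", plus a test of whether the proxy identities the peer proposed are actually covered by a given crypto ACL. This is an added example written for this page, not code from the thread, the poster or Cisco. The debug capture it parses is constructed to mirror the lines posted above, using documentation-range addresses, and the hint in `report` that an ACL-covered proposal must have been rejected for some other reason (transform-set, PFS, lifetime) is an assumption, not something the IOS debug states.

```python
import ipaddress
import re

# Constructed sample capture (documentation-range addresses), modelled on the
# IOS "debug crypto isakmp" / "debug crypto ipsec" lines in the thread.
SAMPLE_DEBUG = """\
641160: Jul 17 01:01:17.417: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 203.0.113.250)
641198: Jul 17 01:01:17.829: ISAKMP:(1143):DPD/R_U_THERE received from peer 203.0.113.30, sequence 0x187A0
641228: Jul 17 02:46:34.247: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 198.51.100.106, remote= 203.0.113.250,
    local_proxy= 192.168.21.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
641229: Jul 17 02:46:34.247: IPSEC(ipsec_process_proposal): proxy identities not supported
641232: Jul 17 02:46:36.159: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 198.51.100.106, remote= 203.0.113.30,
    local_proxy= 192.168.21.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.68.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
"""

P1_REJECT = re.compile(r'"Phase1 SA policy proposal not accepted".*\(peer ([\d.]+)\)')
DPD_FROM = re.compile(r"DPD/R_U_THERE received from peer ([\d.]+)")
PROPOSAL_HDR = re.compile(r"IPSEC\(validate_proposal_request\): proposal part #\d+,")
ENDPOINTS = re.compile(r"local= ([\d.]+), remote= ([\d.]+)")
PROXY = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/\d+/\d+")
TRANSFORM = re.compile(r"transform= (.+?)\s+\(\w+\)")
P2_REJECT = re.compile(r"IPSEC\(ipsec_process_proposal\): proxy identities not supported")


def parse_debug(text):
    """Return (Phase 1 status per peer, list of Phase 2 proposals seen by this responder)."""
    phase1, proposals, current = {}, [], None
    for line in text.splitlines():
        if m := P1_REJECT.search(line):
            phase1[m.group(1)] = "rejected: no matching isakmp policy"
        elif m := DPD_FROM.search(line):
            phase1.setdefault(m.group(1), "up: DPD exchange seen")
        elif PROPOSAL_HDR.search(line):
            current = {"accepted": True, "transform": None}
            proposals.append(current)
        elif current is None:
            continue
        elif m := ENDPOINTS.search(line):
            current["local"], current["remote"] = m.groups()
        elif m := PROXY.search(line):
            side, addr, mask = m.groups()
            current[side + "_proxy"] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif m := TRANSFORM.search(line):
            current["transform"] = m.group(1).strip()
        elif P2_REJECT.search(line):
            current["accepted"] = False  # the reject line follows the proposal it refers to
            current = None
    return phase1, proposals


def acl_line_to_networks(acl_line):
    """'permit ip 192.168.21.0 0.0.0.255 any' -> (source network, destination network)."""
    toks = acl_line.split()
    if toks[:2] != ["permit", "ip"]:
        raise ValueError("only 'permit ip <src> <dst>' lines are handled")
    nets, i = [], 2
    while len(nets) < 2:
        if toks[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            i += 1
        elif toks[i] == "host":
            nets.append(ipaddress.ip_network(toks[i + 1] + "/32"))
            i += 2
        else:  # address + wildcard: invert the wildcard bits to get the netmask
            wildcard = int(ipaddress.ip_address(toks[i + 1]))
            netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
            nets.append(ipaddress.ip_network(f"{toks[i]}/{netmask}", strict=False))
            i += 2
    return nets[0], nets[1]


def covered_by_acl(proposal, acl_lines):
    """True if the proposed proxy IDs sit inside one permit line (ACL src = local, ACL dst = remote)."""
    for line in acl_lines:
        src, dst = acl_line_to_networks(line)
        if proposal["local_proxy"].subnet_of(src) and proposal["remote_proxy"].subnet_of(dst):
            return True
    return False


def report(text, acl_lines):
    """One finding per peer for Phase 1 and one per proposal for Phase 2."""
    phase1, proposals = parse_debug(text)
    findings = [f"phase1 {peer}: {status}" for peer, status in phase1.items()]
    for p in proposals:
        verdict = "accepted" if p["accepted"] else "REJECTED"
        hint = ""
        if not p["accepted"]:
            # Assumption: if the ACL covers the proxy IDs, the reject is about something else.
            hint = (" <- not covered by crypto ACL" if not covered_by_acl(p, acl_lines)
                    else " <- ACL covers it; compare transform-set/PFS on both ends")
        findings.append(f"phase2 {p['remote']}: {p['local_proxy']} <-> {p['remote_proxy']} "
                        f"transform={p['transform']} {verdict}{hint}")
    return findings


if __name__ == "__main__":
    for acl in (["permit ip 192.168.21.0 0.0.0.255 any"],
                ["permit ip 192.168.21.0 0.0.0.255 192.168.68.0 0.0.0.255"]):
        print("crypto ACL:", acl)
        for finding in report(SAMPLE_DEBUG, acl):
            print("  ", finding)
```

Run it against a real capture by piping `debug crypto isakmp` plus `debug crypto ipsec` output into `report()` together with the `access-list` lines from the running config; the ACL side is evaluated with source = local proxy and destination = remote proxy, which is how the crypto map's `match address` is read on the responder.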

Hi John,

I'll try your suggestion and see how it goes. However, I have to let you know that the ACL setup is the same way we set up the other VPN routers to this firewall. Anyway, I'll see how it goes to narrow down the possibilities.


Regards,
Alex

Hi John,

I tried your suggestion but with no luck:

crypto map VPN 10 ipsec-isakmp

set peer 203.176.96.30

set transform-set ESP_3DES_SHA

match address 106

I created a new ACL 106 and its definition followed yours:

access-list 106 permit ip 192.168.21.0 0.0.0.255 192.168.68.0 0.0.0.255

and I changed the phase 2 configuration on the firewall to suit the ACL change as well. The VPN is up but I just can't use ping to justify that!

#ping 192.168.68.33 source 192.168.21.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.68.33, timeout is 2 seconds:
Packet sent with a source address of 192.168.21.1
.
642975: Jul 17 06:08:35.517: IPSEC(key_engine): got a queue event with 1 KMI message(s)....
Success rate is 0 percent (0/5)
Sandringham_VPLS#

Cheers.

Regards,
Alex

hi alex,

Could you perform a ping test from a host or PC on the 192.168.21.0/24 subnet? Post again the output of:

show crypto isakmp sa

show crypto ipsec sa

debug crypto isakmp

debug crypto ipsec

sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
123.209.60.106  203.*.*.250 MM_NO_STATE          0 ACTIVE (deleted)
123.209.60.106  203.*.*.250 MM_NO_STATE          0 ACTIVE (deleted)
123.209.60.106  203.*.*.250 MM_NO_STATE          0 ACTIVE (deleted)
123.209.60.106  203.*.*.250 MM_NO_STATE          0 ACTIVE (deleted)
123.209.60.106  203.*.*.30   QM_IDLE           1473 ACTIVE

#sh crypto ipsec sa
     PFS (Y/N): Y, DH group: group1
     PFS (Y/N): N, DH group: none

interface: Dialer1
    Crypto map tag: VPN, local addr 123.209.60.106

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.21.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.68.0/255.255.255.0/0/0)
   current_peer 203.*.*.30 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 123.209.60.106, remote crypto endpt.: 203.*.*.30
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
     current outbound spi: 0x8DDB10D2(2379944146)

     inbound esp sas:
      spi: 0xED59B319(3982078745)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3113, flow_id: NETGX:1113, sibling_flags 80000046, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4571804/258)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8DDB10D2(2379944146)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3114, flow_id: NETGX:1114, sibling_flags 80000046, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4571800/258)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Cellular0/3/0
    Crypto map tag: VPN, local addr 0.0.0.0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.21.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.68.0/255.255.255.0/0/0)
   current_peer 203.*.*.30 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 0.0.0.0, remote crypto endpt.: 203.*.*.30
     path mtu 1500, ip mtu 1500, ip mtu idb Cellular0/3/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


I'll post the debugging information in another reply. Thanks!


Regards,
Alex
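The counters in the output above are the most telling line in it: 81 packets encapsulated and 0 decapsulated on Dialer1 means the router is encrypting the pings and sending them to 203.*.*.30 and nothing is coming back, which is how "the SA is ACTIVE" and "ping fails" can both be true. The second crypto-map instance on Cellular0/3/0 with local addr 0.0.0.0 and no SAs is the physical interface the dialer is bound to; it carries no tunnel itself. The parser below pulls those counters out of `show crypto ipsec sa`, classifies each crypto-map entry, and diffs two snapshots taken around a ping test so you can see whether the pings were encrypted at all. It is an added example for this page, not code from the thread or from Cisco; its input is a constructed, trimmed copy of the output above with documentation-range addresses, and the verdict strings are my own labels.

```python
import re

# Constructed, trimmed copy of "show crypto ipsec sa" (documentation-range addresses).
SAMPLE_SHOW = """\
interface: Dialer1
    Crypto map tag: VPN, local addr 198.51.100.106

   local  ident (addr/mask/prot/port): (192.168.21.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.68.0/255.255.255.0/0/0)
   current_peer 203.0.113.30 port 500
    #pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 198.51.100.106, remote crypto endpt.: 203.0.113.30
     current outbound spi: 0x8DDB10D2(2379944146)

     inbound esp sas:
      spi: 0xED59B319(3982078745)
        Status: ACTIVE

     outbound esp sas:
      spi: 0x8DDB10D2(2379944146)
        Status: ACTIVE

interface: Cellular0/3/0
    Crypto map tag: VPN, local addr 0.0.0.0

   local  ident (addr/mask/prot/port): (192.168.21.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.68.0/255.255.255.0/0/0)
   current_peer 203.0.113.30 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 0.0.0.0, remote crypto endpt.: 203.0.113.30
     current outbound spi: 0x0(0)

     inbound esp sas:

     outbound esp sas:
"""

# Same output "after" a 5-packet ping from 192.168.21.1: five more encaps, still nothing back.
SAMPLE_AFTER = SAMPLE_SHOW.replace("#pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81",
                                   "#pkts encaps: 86, #pkts encrypt: 86, #pkts digest: 86")


def parse_ipsec_sa(text):
    """One dict per 'interface:' block: peer, local addr, encaps/decaps, errors, ESP SPIs present."""
    entries = []
    for chunk in re.split(r"(?m)^interface: ", text)[1:]:
        e = {"interface": chunk.splitlines()[0].strip()}
        e["local_addr"] = re.search(r"local addr ([\d.]+)", chunk).group(1)
        e["peer"] = re.search(r"current_peer ([\d.]+)", chunk).group(1)
        e["encaps"] = int(re.search(r"#pkts encaps: (\d+)", chunk).group(1))
        e["decaps"] = int(re.search(r"#pkts decaps: (\d+)", chunk).group(1))
        errs = re.search(r"#send errors (\d+), #recv errors (\d+)", chunk)
        e["send_errors"], e["recv_errors"] = int(errs.group(1)), int(errs.group(2))
        # Only the per-SA 'spi:' lines start the line; 'current outbound spi' does not match.
        e["spis"] = re.findall(r"(?m)^\s+spi: (0x[0-9A-Fa-f]+)", chunk)
        entries.append(e)
    return entries


def classify(e):
    """Verdict per crypto-map entry; the labels are this example's own, not IOS wording."""
    if e["local_addr"] == "0.0.0.0" and not e["spis"]:
        return "idle: crypto map bound through another interface, no SAs here"
    if not e["spis"]:
        return "down: no ESP SAs negotiated"
    if e["encaps"] > 0 and e["decaps"] == 0:
        return ("one-way: encrypting but nothing returns "
                "(check far-side route/ACL for the local subnet and ESP/UDP 500 filtering)")
    if e["decaps"] > 0 and e["encaps"] == 0:
        return "one-way: receiving but not sending (check local route and crypto ACL)"
    if e["recv_errors"] or e["send_errors"]:
        return "errors: see #send/#recv error counters"
    return "ok: bidirectional"


def snapshot(text):
    return {(e["interface"], e["peer"]): (e["encaps"], e["decaps"]) for e in parse_ipsec_sa(text)}


def compare(before_text, after_text):
    """Change in (encaps, decaps) per (interface, peer) between two snapshots around a ping test."""
    before, after = snapshot(before_text), snapshot(after_text)
    return {k: (v[0] - before.get(k, (0, 0))[0], v[1] - before.get(k, (0, 0))[1])
            for k, v in after.items()}


if __name__ == "__main__":
    for e in parse_ipsec_sa(SAMPLE_SHOW):
        print(f"{e['interface']} -> {e['peer']}: encaps={e['encaps']} decaps={e['decaps']} "
              f"sas={len(e['spis'])}: {classify(e)}")
    print("delta around ping:", compare(SAMPLE_SHOW, SAMPLE_AFTER))
```

The encaps delta of +5 with decaps +0 after a five-packet ping confirms the local router did its part; at that point the questions are on the other side of the tunnel (does the Fortigate have a route and policy back to 192.168.21.0/24, and is ESP or UDP 500 filtered in front of either peer), not in the crypto map.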
