From: Mark Lewis (mark@mjlnet.com)
Date: Tue Sep 14 2004 - 19:09:59 GMT-3
It looks like IKE main mode has been initiated between the
peers, but that IKE cryptographic parameters (encryption
algorithm, hash algorithm, etc.) have not yet been agreed.
IKE cryptographic parameters are agreed using the 1st pair
of messages exchanged during main mode.
Some (but not all!) causes of main mode failure are:
1. a routing problem. Make sure that each peer has a route
to the other's IPsec packet source (usually the interface to
which the crypto map is applied, though it is possible to
modify this), as well as the destination address specified
in the crypto acl.
2. a crypto map is not correctly applied. Not likely in this
case, but make sure that the crypto map is applied to the
correct (outside) interface of each peer.
3. make sure that each peer's address is correctly
configured on the other peer (crypto map...set peer a.b.c.d).
4. make sure that ISAKMP (UDP port 500) is not blocked by a
firewall or access list on one of the peer's outside
interfaces.
5. is there a NAT device in the path between the peers? NAT
often causes IKE to fail (particularly if the peers do not
support IKE NAT traversal/the NAT device is not IPsec aware).
6. ISAKMP policies (cryptographic parameters) do not match
on the peers (though I know you have already checked this).
7. One of the peers does not have a pre-shared key
corresponding to the other/does not have a certificate. This
is unlikely because from the snippet of debug you have
included it looks like IKE is failing during the exchange of
the 1st pair of main mode messages (authentication using pre-
shared keys/certificates takes place during the exchange of
the 3rd pair of IKE main mode messages).
You've posted the output of the 'debug crypto isakmp'
*and* 'debug crypto ipsec' commands for one peer. If you
aren't able to find the cause of the problem using the list
of possible issues above, please post the output of 'debug
crypto isakmp' from *BOTH* peers, as well as the peers'
configurations (no need to include 'debug crypto ipsec' at
this stage).
HTH.
Mark
CCIE#6280 / CCSI#21051 / etc.
Author: www.ciscopress.com/1587051044
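To make the diagnosis above repeatable, here is a small triage script. It is an added example, not part of Mark's reply and not a Cisco tool. It reads 'debug crypto isakmp' output in the format quoted below, works out the last main mode state the initiator reached, counts the phase 1 retransmits, and maps the stall point onto the numbered checklist above (stuck in MM_NO_STATE means MM1 went out and nothing came back, so items 1-6 apply; stuck in MM_KEY_EXCH means the first two pairs completed and the third, where pre-shared keys or certificates are checked, did not, so item 7 applies). Assumptions: the state names and their meaning follow IOS's IKEv1 main mode states, the cause mapping is a heuristic that follows the checklist, and both sample logs are constructed (the first modelled on the output in the quoted post, the second invented to show a stall at the third pair).

```python
"""Triage Cisco IOS 'debug crypto isakmp' output for an IKEv1 main mode failure.
Added example, not code from the original post or from Cisco. The stall-to-cause
mapping is a heuristic that follows the checklist in the reply; samples are constructed."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# IOS initiator states for IKEv1 main mode, in the order they are reached.
MM_STATES: Dict[str, Tuple[int, str]] = {
    "MM_NO_STATE": (1, "MM1 sent; no MM2 (accepted SA proposal) received"),
    "MM_SA_SETUP": (2, "pair 1 done, parameters agreed; waiting for MM4 (DH/nonce)"),
    "MM_KEY_EXCH": (3, "pair 2 done, DH secret derived; waiting for MM6 (ID/auth)"),
    "MM_KEY_AUTH": (4, "pair 3 done, peer authenticated; phase 1 complete"),
}

# Checklist items from the reply that apply when phase 1 stalls in a given state.
CAUSES: Dict[str, List[str]] = {
    "MM_NO_STATE": [
        "1. routing: no route to the peer's IPsec source / crypto ACL destination",
        "2. crypto map not applied to the correct (outside) interface",
        "3. wrong 'set peer' address on one side",
        "4. ISAKMP (UDP 500) blocked by a firewall or access list",
        "5. NAT device in the path without IKE NAT traversal",
        "6. ISAKMP policies do not match",
    ],
    "MM_KEY_EXCH": ["7. pre-shared key or certificate mismatch (checked in the third pair)"],
}

RETRANSMIT = re.compile(r"retransmitting phase 1 (?P<state>MM_[A-Z_]+)\.\.\.")
SEND = re.compile(r"sending packet to (?P<peer>[\d.]+) my_port \d+ peer_port \d+ "
                  r"\((?P<role>[IR])\) (?P<state>MM_[A-Z_]+)")
TRANSITION = re.compile(r"Old State = (?P<old>\w+)\s+New State = (?P<new>\w+)")
DELETE = re.compile(r'deleting SA reason "(?P<reason>[^"]+)"')


@dataclass
class Triage:
    peer: Optional[str] = None
    role: Optional[str] = None
    retransmits: Counter = field(default_factory=Counter)   # per main mode state
    states_seen: List[str] = field(default_factory=list)
    last_transition: Optional[Tuple[str, str]] = None
    delete_reason: Optional[str] = None

    @property
    def stalled_state(self) -> Optional[str]:
        """Highest main mode state this SA reached before it was torn down."""
        known = [s for s in self.states_seen if s in MM_STATES]
        return max(known, key=lambda s: MM_STATES[s][0]) if known else None

    @property
    def likely_causes(self) -> List[str]:
        return CAUSES.get(self.stalled_state or "", [])


def triage(debug_text: str) -> Triage:
    """Walk the debug lines once and record retransmits, sends, deletes, transitions."""
    t = Triage()
    for line in debug_text.splitlines():
        if m := RETRANSMIT.search(line):
            t.retransmits[m["state"]] += 1
            t.states_seen.append(m["state"])
        elif m := SEND.search(line):
            t.peer, t.role = m["peer"], m["role"]
            t.states_seen.append(m["state"])
        elif m := TRANSITION.search(line):
            t.last_transition = (m["old"], m["new"])
        elif m := DELETE.search(line):
            t.delete_reason = m["reason"]
    return t


def summarize(debug_text: str) -> str:
    t = triage(debug_text)
    state = t.stalled_state
    if state is None:
        return "no main mode state seen; collect 'debug crypto isakmp' from both peers"
    out = [f"peer {t.peer}, role {t.role}",
           f"stalled in {state}: {MM_STATES[state][1]}",
           f"{t.retransmits[state]} phase 1 retransmit(s) in {state}"]
    if t.last_transition:
        out.append("last transition: %s -> %s" % t.last_transition)
    if t.delete_reason:
        out.append(f"SA deleted: {t.delete_reason}")
    out.extend("  check " + c for c in t.likely_causes)
    return "\n".join(out)


# Constructed samples: the first mirrors the thread's output, the second is invented.
STALL_AT_MM1 = """\
*Sep 13 20:57:54: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
*Sep 13 20:57:54: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 13 20:58:04: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
*Sep 13 20:58:04: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 13 20:58:44: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to delete ike sa" state (I) MM_NO_STATE (peer 209.5.96.157) input queue 0
*Sep 13 20:58:44: ISAKMP:(0:1:HW:2):Old State = IKE_I_MM1  New State = IKE_DEST_SA
"""
STALL_AT_AUTH = """\
*Sep 13 21:10:01: ISAKMP:(0:2:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Sep 13 21:10:01: ISAKMP:(0:2:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Sep 13 21:10:11: ISAKMP:(0:2:HW:2): retransmitting phase 1 MM_KEY_EXCH...
*Sep 13 21:10:21: ISAKMP:(0:2:HW:2): retransmitting phase 1 MM_KEY_EXCH...
"""

if __name__ == "__main__":
    for sample in (STALL_AT_MM1, STALL_AT_AUTH):
        print(summarize(sample), end="\n\n")
```

Run it against a saved debug capture with summarize(open(path).read()). Only the "retransmitting ... MM_xxx..." announcement line is counted, since IOS logs each retransmit twice (once with the trailing dots, once without). The script only tells you where phase 1 stopped, which is exactly the information Mark asks for from both peers; the responder's own debug is still needed to tell item 4 from item 6, because a blocked UDP 500 and a rejected proposal look identical from the initiator's side.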
>From: <adeolu@sympatico.ca>
>Reply-To: <adeolu@sympatico.ca>
>To: <ccielab@groupstudy.com>
>Subject: IPSEC VPN PROBLEM
>Date: Tue, 14 Sep 2004 15:02:09 -0400
>
>I was wondering if anyone could bail me out.....this issue
has me at my wits' end. I am running a hub and spoke VPN
for my company. The head-end router is a Cisco 7204 running
IOS 12.2(13)T3 and I am running IOS 12.3(7)T2 on the
remote. The reason i am running such a recent version on
the remote router is because of a need to support the 4-port
switch WIC in the router.
>
>I was able to successfully test this using a PPPoE Internet
connection (ADSL) but so far, I have been unable to
successfully use it with Cable Internet (which is the link
type on site). The connection just refuses to be set up. I
have checked the ISAKMP policies, crypto maps etc. and
ensured that they are matched.
>
>I have pasted some debugs below
>
>Any help will be appreciated.
>
>= 0x400A
>*Mar 10 02:25:10: ISAKMP: received ke message (1/1)
>*Mar 10 02:25:10: ISAKMP: set new node 0 to QM_IDLE
>*Mar 10 02:25:10: ISAKMP:(0:1:HW:2):SA is still budding. Attached new ipsec request to it. (local 24.86.96.233, remote 209.5.96.157)
>*Mar 10 02:25:10: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
>*Mar 10 02:25:10: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
>*Mar 10 02:25:10: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
>*Mar 10 02:25:10: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
>*Mar 10 02:25:20: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
>*Mar 10 02:25:20: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
>*Mar 10 02:25:20: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
>*Mar 10 02:25:20: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
>*Mar 10 02:25:28: IPSEC(key_engine): request timer fired: count = 1,
>  (identity) local= 24.86.96.233, remote= 209.5.96.157,
>    local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
>    remote_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4)
>*Mar 10 02:25:28: IPSEC(sa_request): ,
>  (key eng. msg.) OUTBOUND local= 24.86.96.233, remote= 209.5.96.157,
>    local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
>    remote_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
>    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
>    lifedur= 3600s and 4608000kb,
>    spi= 0xD029AD14(3492392212), conn_id= 0, keysize= 0, flags= 0x400A
>*Mar 10 02:25:28: ISAKMP: received ke message (1/1)
>*Mar 10 02:25:28: ISAKMP: set new node 0 to QM_IDLE
>*Mar 10 02:25:28: ISAKMP:(0:1:HW:2):SA is still budding. Attached new ipsec request to it. (local 24.86.96.233, remote 209.5.96.157)
>*Mar 10 02:25:30: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
>*Mar 10 02:25:30: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
>*Mar 10 02:25:30: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
>*Mar 10 02:25:30: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
>*Mar 10 02:25:40: IPSEC(key_engine): request timer fired: count = 2,
>  (identity) local= 24.86.96.233, remote= 209.5.96.157,
>    local_proxy= 142.225.130.0/255.255.255.0/0/0 (type=4),
>    remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4)
>*Mar 10 02:25:40: ISAKMP: received ke message (3/1)
>*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):peer does not do paranoid keepalives.
>
>*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to delete ike sa" state (I) MM_NO_STATE (peer 209.5.96.157) input queue 0
>*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to delete ike sa" state (I) MM_NO_STATE (peer 209.5.96.157) input queue 0
>*Mar 10 02:25:40: ISAKMP: Unlocking IKE struct 0x824C53A4 for isadb_mark_sa_deleted(), count 0
>*Mar 10 02:25:40: ISAKMP: Deleting peer node by peer_reap for 209.5.96.157: 824C53A4
>*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -938513491 error TRUE reason "receive request to delete ike sa"
>*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -1343263010 error TRUE reason "receive request to delete ike sa"
>*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -2146876017 error TRUE reason "receive request to delete ike sa"
>*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -1379398450 error TRUE reason "receive request to delete ike sa"
>*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
>*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):Old State = IKE_I_MM1  New State = IKE_DEST_SA
>
>*Mar 10 02:25:50: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 142.225.150.134 (Vlan521) is up: new adjacency
>*Mar 10 02:25:58: IPSEC(key_engine): request timer fired: count = 2,
>  (identity) local= 24.86.96.233, remote= 209.5.96.157,
>    local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
>    remote_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4)
>*Mar 10 02:25:58: ISAKMP: received ke message (3/1)
>*Mar 10 02:25:58: ISAKMP:(0:1:HW:2):peer does not do paranoid keepalives.
>Log Buffer (4096 bytes):
>nding packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
>*Sep 13 20:57:54: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
>*Sep 13 20:57:54: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
>*Sep 13 20:57:54: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
>*Sep 13 20:57:54: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
>*Sep 13 20:58:04: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
>*Sep 13 20:58:04: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
>*Sep 13 20:58:04: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
>*Sep 13 20:58:04: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
>*Sep 13 20:58:14: IPSEC(key_engine): request timer fired: count = 1,
>  (identity) local= 209.5.255.142, remote= 209.5.96.157,
>    local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
>    remote_proxy= 172.16.0.0/255.240.0.0/0/0 (type=4)
>*Sep 13 20:58:14: IPSEC(sa_request): ,
>  (key eng. msg.) OUTBOUND local= 209.5.255.142, remote= 209.5.96.157,
>    local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
>    remote_proxy= 172.16.0.0/255.240.0.0/0/0 (type=4),
>    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
>    lifedur= 3600s and 4608000kb,
>    spi= 0x21BF4A39(566184505), conn_id= 0, keysize= 0, flags= 0x400A
>*Sep 13 20:58:14: ISAKMP: received ke message (1/1)
>*Sep 13 20:58:14: ISAKMP: set new node 0 to QM_IDLE
>*Sep 13 20:58:14: ISAKMP:(0:1:HW:2):SA is still budding. Attached new ipsec request to it. (local 209.5.255.142, remote 209.5.96.157)
>*Sep 13 20:58:14: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
>*Sep 13 20:58:14: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
>*Sep 13 20:58:14: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
>*Sep 13 20:58:14: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
>*Sep 13 20:58:24: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
>*Sep 13 20:58:24: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
>*Sep 13 20:58:24: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
>*Sep 13 20:58:24: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
>*Sep 13 20:58:34: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
>*Sep 13 20:58:34: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
>*Sep 13 20:58:34: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
>*Sep 13 20:58:34: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
>Sep 13 20:58:44: IPSEC(key_engine): request timer fired: count = 2,
>  (identity) local= 209.5.255.142, remote= 209.5.96.157,
>    local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
>    remote_proxy= 172.16.0.0/255.240.0.0/0/0 (type=4)
>*Sep 13 20:58:44: ISAKMP: received ke message (3/1)
>*Sep 13 20:58:44: ISAKMP:(0:1:HW:2):peer does not do paranoid keepalives.
>*Sep 13 20:58:44: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to delete ike sa" state (I) MM_NO_STATE (peer 209.5.96.157) input queue 0
>*Sep 13 20:58:44: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to delete ike sa" state (I) MM_NO_STATE (peer 209.5.96.157) input queue 0
>*Sep 13 20:58:44: ISAKMP: Unlocking IKE struct 0x821712B4 for isadb_mark_sa_deleted(), count 0
>*Sep 13 20:58:44: ISAKMP: Deleting peer node by peer_reap for 209.5.96.157: 821712B4
>*Sep 13 20:58:44: ISAKMP:(0:1:HW:2):deleting node -862965495 error TRUE reason "receive request to delete ike sa"
>*Sep 13 20:58:44: ISAKMP:(0:1:HW:2):deleting node -542169726 error TRUE reason "receive request to delete ike sa"
>*Sep 13 20:58:44: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
>*Sep 13 20:58:44: ISAKMP:(0:1:HW:2):Old State = IKE_I_MM1  New State = IKE_DEST_SA
>Sep 13 20:59:34: ISAKMP:(0:1:HW:2):purging node -862965495
>*Sep 13 20:59:34: ISAKMP:(0:1:HW:2):purging node -542169726
>*Sep 13 20:59:44: ISAKMP:(0:1:HW:2):purging SA., sa=829FC038, delme=829FC038
>fnbur020#
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Fri Oct 01 2004 - 15:00:42 GMT-3