From: adeolu@sympatico.ca
Date: Fri Sep 17 2004 - 10:57:16 GMT-3
Hi Guys,
Thanks a lot for all your suggestions. I have been able to solve the problem. To direct traffic towards the tunnel, I typically use default routes out to the interface (for flexibility reasons). However, the ISP dropped all traffic that was routed in this manner.
Thankfully, I had some static IP assignments from them. I used the gateway they supplied with this and voila, it worked like a charm.
Thanks for all your help, Josh.
Ade
>
> From: <adeolu@sympatico.ca>
> Date: 2004/09/14 Tue PM 04:24:47 EST
> To: "joshua lauer" <jslauer@hotmail.com>, <ccielab@groupstudy.com>
> Subject: Re: Re: IPSEC VPN PROBLEM
>
> Hi Josh,
>
> Thanks for looking at this. I have asked them a few times but they say that they do not have any restrictions.
>
>
> >
> > From: "joshua lauer" <jslauer@hotmail.com>
> > Date: 2004/09/14 Tue PM 03:51:47 EST
> > To: <adeolu@sympatico.ca>,
> > <ccielab@groupstudy.com>
> > Subject: Re: IPSEC VPN PROBLEM
> >
> > Is your ISP blocking any ports that you know of? Could be why your
> > connection isn't setting up. Make sure they are not blocking the critical
> > ports (port 500) needed for your connection set up. I've had a similar issue
> > working with Nortel equipment in the past. Just a thought, I really didn't
> > have time to drill down into your debugs. I'll check them out when I get
> > home from work :)
> >
> >
> > Josh Lauer
> >
> >
> > ----- Original Message -----
> > From: <adeolu@sympatico.ca>
> > To: <ccielab@groupstudy.com>
> > Sent: Tuesday, September 14, 2004 3:02 PM
> > Subject: IPSEC VPN PROBLEM
> >
> >
> > >I was wondering if anyone could bail me out.....this issue has me at my
> > >wits' end. I am running a hub and spoke VPN for my company. The head-end
> > >router is a Cisco 7204 running IOS 12.2(13)T3 and I am running IOS
> > >12.3(7)T2 on the remote. The reason I am running such a recent version on
> > >the remote router is because of a need to support the 4-port switch WIC in
> > >the router.
> > >
> > > I was able to successfully test this using a PPPoE Internet connection
> > > (ADSL) but so far, I have been unable to successfully use it with Cable
> > > Internet (which is the link type on site). The connection just refuses to
> > > be set up. I have checked the ISAKMP policies, crypto maps etc. and
> > > ensured that they are matched.
> > >
> > > I have pasted some debugs below
> > >
> > > Any help will be appreciated.
> > >
> > > = 0x400A
> > > *Mar 10 02:25:10: ISAKMP: received ke message (1/1)
> > > *Mar 10 02:25:10: ISAKMP: set new node 0 to QM_IDLE
> > > *Mar 10 02:25:10: ISAKMP:(0:1:HW:2):SA is still budding. Attached new
> > > ipsec requ
> > > est to it. (local 24.86.96.233, remote 209.5.96.157)
> > > *Mar 10 02:25:10: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
> > > *Mar 10 02:25:10: ISAKMP:(0:1:HW:2):incrementing error counter on sa:
> > > retransmit
> > > phase 1
> > > *Mar 10 02:25:10: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
> > > *Mar 10 02:25:10: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157
> > > my_port 500
> > > peer_port 500 (I) MM_NO_STATE
> > > *Mar 10 02:25:20: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
> > > *Mar 10 02:25:20: ISAKMP:(0:1:HW:2):incrementing error counter on sa:
> > > retransmit
> > > phase 1
> > > *Mar 10 02:25:20: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
> > > *Mar 10 02:25:20: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157
> > > my_port 500
> > > peer_port 500 (I) MM_NO_STATE
> > > *Mar 10 02:25:28: IPSEC(key_engine): request timer fired: count = 1,
> > > (identity) local= 24.86.96.233, remote= 209.5.96.157,
> > > local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
> > > remote_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4)
> > > *Mar 10 02:25:28: IPSEC(sa_request): ,
> > > (key eng. msg.) OUTBOUND local= 24.86.96.233, remote= 209.5.96.157,
> > > local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
> > > remote_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
> > > protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
> > > lifedur= 3600s and 4608000kb,
> > > spi= 0xD029AD14(3492392212), conn_id= 0, keysize= 0, flags= 0x400A
> > > *Mar 10 02:25:28: ISAKMP: received ke message (1/1)
> > > *Mar 10 02:25:28: ISAKMP: set new node 0 to QM_IDLE
> > > *Mar 10 02:25:28: ISAKMP:(0:1:HW:2):SA is still budding. Attached new
> > > ipsec requ
> > > est to it. (local 24.86.96.233, remote 209.5.96.157)
> > > *Mar 10 02:25:30: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
> > > *Mar 10 02:25:30: ISAKMP:(0:1:HW:2):incrementing error counter on sa:
> > > retransmit
> > > phase 1
> > > *Mar 10 02:25:30: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
> > > *Mar 10 02:25:30: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157
> > > my_port 500
> > > peer_port 500 (I) MM_NO_STATE
> > > *Mar 10 02:25:40: IPSEC(key_engine): request timer fired: count = 2,
> > > (identity) local= 24.86.96.233, remote= 209.5.96.157,
> > > local_proxy= 142.225.130.0/255.255.255.0/0/0 (type=4),
> > > remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4)
> > > *Mar 10 02:25:40: ISAKMP: received ke message (3/1)
> > > *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):peer does not do paranoid keepalives.
> > >
> > > *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to
> > > delet
> > > e ike sa" state (I) MM_NO_STATE (peer 209.5.96.157) input queue 0
> > > *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to
> > > delet
> > > e ike sa" state (I) MM_NO_STATE (peer 209.5.96.157) input queue 0
> > > *Mar 10 02:25:40: ISAKMP: Unlocking IKE struct 0x824C53A4 for
> > > isadb_mark_sa_dele
> > > ted(), count 0
> > > *Mar 10 02:25:40: ISAKMP: Deleting peer node by peer_reap for
> > > 209.5.96.157: 824C
> > > 53A4
> > > *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -938513491 error TRUE
> > > reason "
> > > receive request to delete ike sa"
> > > *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -1343263010 error TRUE
> > > reason
> > > "receive request to delete ike sa"
> > > *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -2146876017 error TRUE
> > > reason
> > > "receive request to delete ike sa"
> > > *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -1379398450 error TRUE
> > > reason
> > > "receive request to delete ike sa"
> > > *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL,
> > > IKE_PHASE1_DEL
> > > *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):Old State = IKE_I_MM1 New State =
> > > IKE_DEST_
> > > SA
> > >
> > > *Mar 10 02:25:50: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor
> > > 142.225.150.134 (V
> > > lan521) is up: new adjacency
> > > *Mar 10 02:25:58: IPSEC(key_engine): request timer fired: count = 2,
> > > (identity) local= 24.86.96.233, remote= 209.5.96.157,
> > > local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
> > > remote_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4)
> > > *Mar 10 02:25:58: ISAKMP: received ke message (3/1)
> > > *Mar 10 02:25:58: ISAKMP:(0:1:HW:2):peer does not do paranoid keepalives.
> > > Log Buffer (4096 bytes):
> > > nding packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
> > > *Sep 13 20:57:54: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
> > > *Sep 13 20:57:54: ISAKMP:(0:1:HW:2):incrementing error counter on sa:
> > > retransmit phase 1
> > > *Sep 13 20:57:54: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
> > > *Sep 13 20:57:54: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157
> > > my_port 500 peer_port 500 (I) MM_NO_STATE
> > > *Sep 13 20:58:04: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
> > > *Sep 13 20:58:04: ISAKMP:(0:1:HW:2):incrementing error counter on sa:
> > > retransmit phase 1
> > > *Sep 13 20:58:04: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
> > > *Sep 13 20:58:04: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157
> > > my_port 500 peer_port 500 (I) MM_NO_STATE
> > > *Sep 13 20:58:14: IPSEC(key_engine): request timer fired: count = 1,
> > > (identity) local= 209.5.255.142, remote= 209.5.96.157,
> > > local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
> > > remote_proxy= 172.16.0.0/255.240.0.0/0/0 (type=4)
> > > *Sep 13 20:58:14: IPSEC(sa_request): ,
> > > (key eng. msg.) OUTBOUND local= 209.5.255.142, remote= 209.5.96.157,
> > > local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
> > > remote_proxy= 172.16.0.0/255.240.0.0/0/0 (type=4),
> > > protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
> > > lifedur= 3600s and 4608000kb,
> > > spi= 0x21BF4A39(566184505), conn_id= 0, keysize= 0, flags= 0x400A
> > > *Sep 13 20:58:14: ISAKMP: received ke message (1/1)
> > > *Sep 13 20:58:14: ISAKMP: set new node 0 to QM_IDLE
> > > *Sep 13 20:58:14: ISAKMP:(0:1:HW:2):SA is still budding. Attached new
> > > ipsec request to it. (local 209.5.255.142, remote 209.5.96.157)
> > > *Sep 13 20:58:14: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
> > > *Sep 13 20:58:14: ISAKMP:(0:1:HW:2):incrementing error counter on sa:
> > > retransmit phase 1
> > > *Sep 13 20:58:14: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
> > > *Sep 13 20:58:14: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157
> > > my_port 500 peer_port 500 (I) MM_NO_STATE
> > > *Sep 13 20:58:24: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
> > > *Sep 13 20:58:24: ISAKMP:(0:1:HW:2):incrementing error counter on sa:
> > > retransmit phase 1
> > > *Sep 13 20:58:24: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
> > > *Sep 13 20:58:24: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157
> > > my_port 500 peer_port 500 (I) MM_NO_STATE
> > > *Sep 13 20:58:34: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
> > > *Sep 13 20:58:34: ISAKMP:(0:1:HW:2):incrementing error counter on sa:
> > > retransmit phase 1
> > > *Sep 13 20:58:34: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
> > > *Sep 13 20:58:34: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157
> > > my_port 500 peer_port 500 (I) MM_NO_STATE
> > > Sep 13 20:58:44: IPSEC(key_engine): request timer fired: count = 2,
> > > (identity) local= 209.5.255.142, remote= 209.5.96.157,
> > > local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
> > > remote_proxy= 172.16.0.0/255.240.0.0/0/0 (type=4)
> > > *Sep 13 20:58:44: ISAKMP: received ke message (3/1)
> > > *Sep 13 20:58:44: ISAKMP:(0:1:HW:2):peer does not do paranoid keepalives.
> > > *Sep 13 20:58:44: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to
> > > delete ike sa" state (I) MM_NO_STATE (peer 209.5.96.157) input queue 0
> > > *Sep 13 20:58:44: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to
> > > delete ike sa" state (I) MM_NO_STATE (peer 209.5.96.157) input queue 0
> > > *Sep 13 20:58:44: ISAKMP: Unlocking IKE struct 0x821712B4 for
> > > isadb_mark_sa_deleted(), count 0
> > > *Sep 13 20:58:44: ISAKMP: Deleting peer node by peer_reap for
> > > 209.5.96.157: 821712B4
> > > *Sep 13 20:58:44: ISAKMP:(0:1:HW:2):deleting node -862965495 error TRUE
> > > reason "receive request to delete ike sa"
> > > *Sep 13 20:58:44: ISAKMP:(0:1:HW:2):deleting node -542169726 error TRUE
> > > reason "receive request to delete ike sa"
> > > *Sep 13 20:58:44: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL,
> > > IKE_PHASE1_DEL
> > > *Sep 13 20:58:44: ISAKMP:(0:1:HW:2):Old State = IKE_I_MM1 New State =
> > > IKE_DEST_SA
> > > Sep 13 20:59:34: ISAKMP:(0:1:HW:2):purging node -862965495
> > > *Sep 13 20:59:34: ISAKMP:(0:1:HW:2):purging node -542169726
> > > *Sep 13 20:59:44: ISAKMP:(0:1:HW:2):purging SA., sa=829FC038,
> > > delme=829FC038
> > > fnbur020#
> > >
> > >
This archive was generated by hypermail 2.1.4 : Fri Oct 01 2004 - 15:00:45 GMT-3
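Added example, not part of the original thread: a short Python triage of the ISAKMP debug output quoted above. It counts, per peer, the phase 1 packets sent against replies received; an initiator that only ever sends in `MM_NO_STATE` and logs nothing back never got an answer to its first Main Mode message, so the path (routing, filtering of UDP 500) is checked before the policies. The function names and the `received packet from` line format are assumptions; no such line appears in the thread.

```python
import re

# Excerpt of the debug output quoted in the thread, quote markers and
# terminal line wraps included.
SAMPLE = """\
> > > *Sep 13 20:57:54: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
> > > *Sep 13 20:57:54: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157
> > > my_port 500 peer_port 500 (I) MM_NO_STATE
> > > *Sep 13 20:58:04: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157
> > > my_port 500 peer_port 500 (I) MM_NO_STATE
> > > *Sep 13 20:58:44: ISAKMP:(0:1:HW:2):Old State = IKE_I_MM1 New State =
> > > IKE_DEST_SA
"""

TS = re.compile(r"^\*?[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d: ")
SENT = re.compile(r"sending packet to (\S+)\s+my_port \d+\s+peer_port \d+\s+\([IR]\) (\S+)")
# Assumed format of the line IOS logs when a reply arrives; none appears in the thread.
RECV = re.compile(r"received packet from (\S+)")

def unwrap(text):
    """Strip '>' quote markers and rejoin wrapped continuation lines."""
    lines = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if not line:
            continue
        if TS.match(line) or not lines:
            lines.append(line)       # a timestamp starts a new log record
        else:
            lines[-1] += " " + line  # anything else continues the previous one
    return lines

def phase1_summary(text):
    """Per peer: ISAKMP packets sent, replies received, states seen, verdict."""
    peers = {}
    for line in unwrap(text):
        for rx, key in ((SENT, "sent"), (RECV, "received")):
            m = rx.search(line)
            if m:
                p = peers.setdefault(m.group(1), {"sent": 0, "received": 0, "states": set()})
                p[key] += 1
                if key == "sent":
                    p["states"].add(m.group(2))
    for p in peers.values():
        # Only MM_NO_STATE sends and nothing back: the first message went unanswered.
        stuck = p["sent"] > 0 and p["received"] == 0 and p["states"] == {"MM_NO_STATE"}
        p["verdict"] = "no_reply" if stuck else "peer_responding"
    return peers

if __name__ == "__main__":
    print(phase1_summary(SAMPLE))
```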