From: Jason Aarons (jaarons@hotmail.com)
Date: Tue Nov 30 2004 - 11:33:52 GMT-3
Are you allowed 0.0.0.0 in the peer? I haven't tried that.

show crypto isakmp policy on both sides, anything mismatching? The debug indicates a mismatch somewhere.

> Encryption algorithm offered does not match policy!
> From: Jamie Sanbower <ccie13637@yahoo.com>
> Reply-To: Jamie Sanbower <ccie13637@yahoo.com>
> To: ccielab@groupstudy.com, security@groupstudy.com
> Subject: HELP with IPSEC VPN
> Date: Mon, 29 Nov 2004 11:58:51 -0800 (PST)
>
> I am having problems establishing a vpn. I have a 1605 with 12.3.10 FW/IPSEC 56. I'm not sure why the tunnel is not coming up.
>
> Here is the config:
> username jamie privilege 15 password xxxxxxxxxxxx
> aaa new-model
> !
> aaa authentication login default local
> aaa authorization exec default local
> aaa session-id common
> ip subnet-zero
> ip dhcp excluded-address 172.16.28.1 172.16.28.99
> !
> ip inspect name myfw udp timeout 15
> ip inspect name myfw tcp timeout 3600
> ip inspect name myfw ftp timeout 3600
> ip inspect name myfw http timeout 3600
> ip inspect name myfw smtp timeout 3600
> !
> !
> !
> !
> crypto isakmp policy 10
>  hash md5
>  authentication pre-share
> crypto isakmp key cisco1234 address 0.0.0.0 0.0.0.0
> crypto isakmp client configuration address-pool local ourpool
> !
> crypto isakmp client configuration group jamie
>  key cisco1234
>  pool ourpool
> !
> crypto ipsec transform-set mypolicy esp-des esp-md5-hmac
> !
> !
> crypto dynamic-map dyna 10
>  set transform-set mypolicy
> !
> !
> crypto map test client configuration address initiate
> crypto map test client configuration address respond
> crypto map test 5 ipsec-isakmp dynamic dyna
> !
> interface Ethernet0
>  ip address dhcp hostname FW
>  ip access-group inbound in
>  no ip unreachables
>  ip nat outside
>  ip inspect myfw out
>  no cdp enable
>  crypto map test
> !
> interface Ethernet1
>  ip address 172.16.28.1 255.255.255.0
>  ip nat inside
>  no keepalive
>  no cdp enable
> !
> ip local pool ourpool 172.17.28.200 172.17.28.201
> ip nat inside source route-map nonat interface Ethernet0 overload
> !
> ip route 0.0.0.0 0.0.0.0 dhcp
> !
> ip access-list extended inbound
>  permit udp any any eq isakmp log
>  permit esp any any log
>  permit udp any eq bootps any eq bootpc log
>  deny ip any any log
> access-list 110 deny ip 172.16.28.0 0.0.0.255 172.17.28.0 0.0.0.255
> access-list 110 permit ip 172.16.28.0 0.0.0.255 any
> !
> route-map nonat permit 10
>  match ip address 110
>
> Here is the debug output of "debug crypto isakmp" when I try to establish a vpn (I replaced all of my outside IPs with 2.2.2.2 and the source IP with 1.1.1.1):
>
> Nov 29 14:44:32.468: ISAKMP (0:0): received packet from 1.1.1.1 dport 500 sport 500 Global (N) NEW SA
> Nov 29 14:44:32.476: ISAKMP: Created a peer struct for 1.1.1.1, peer port 500
> Nov 29 14:44:32.476: ISAKMP: Locking peer struct 0x3361D08, IKE refcount 1 for crypto_ikmp_config_initialize_sa
> Nov 29 14:44:32.480: ISAKMP (0:0): Setting client config settings 33AB430
> Nov 29 14:44:32.480: ISAKMP: local port 500, remote port 500
> Nov 29 14:44:32.491: ISAKMP: insert sa successfully sa = 33B2628
> Nov 29 14:44:32.491: ISAKMP (0:1): processing SA payload. message ID = 0
> Nov 29 14:44:32.491: ISAKMP (0:1): processing ID payload. message ID = 0
> Nov 29 14:44:32.495: ISAKMP (0:1): ID payload
>  next-payload : 13
>  type : 11
>  group id : jamie
>  protocol : 17
>  port : 500
>  length : 13
> Nov 29 14:44:32.499: ISAKMP (0:1): peer matches *none* of the profiles
> Nov 29 14:44:32.499: ISAKMP (0:1): processing vendor id payload
> Nov 29 14:44:32.503: ISAKMP (0:1): vendor ID seems Unity/DPD but major 215 mismatch
> Nov 29 14:44:32.503: ISAKMP (0:1): vendor ID is XAUTH
> Nov 29 14:44:32.507: ISAKMP (0:1): processing vendor id payload
> Nov 29 14:44:32.507: ISAKMP (0:1): vendor ID is DPD
> Nov 29 14:44:32.511: ISAKMP (0:1): processing vendor id payload
> Nov 29 14:44:32.511: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123 mismatch
> Nov 29 14:44:32.515: ISAKMP (0:1): vendor ID is NAT-T v2
> Nov 29 14:44:32.515: ISAKMP (0:1): processing vendor id payload
> Nov 29 14:44:32.515: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
> Nov 29 14:44:32.519: ISAKMP (0:1): processing vendor id payload
> Nov 29 14:44:32.519: ISAKMP (0:1): vendor ID is Unity
> Nov 29 14:44:32.523: ISAKMP : Scanning profiles for xauth ...
> Nov 29 14:44:32.523: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
> Nov 29 14:44:32.527: ISAKMP:      encryption AES-CBC
> Nov 29 14:44:32.527: ISAKMP:      hash SHA
> Nov 29 14:44:32.527: ISAKMP:      default group 2
> Nov 29 14:44:32.531: ISAKMP:      auth XAUTHInitPreShared
> Nov 29 14:44:32.531: ISAKMP:      life type in seconds
> Nov 29 14:44:32.531: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
> Nov 29 14:44:32.535: ISAKMP:      keylength of 256
> Nov 29 14:44:32.535: ISAKMP (0:1): Encryption algorithm offered does not match policy!
> Nov 29 14:44:32.539: ISAKMP (0:1): atts are not acceptable. Next payload is 3
>
> ....more debug
>
> Nov 29 14:44:33.099: ISAKMP (0:1): no offers accepted!
> Nov 29 14:44:33.099: ISAKMP (0:1): phase 1 SA policy not acceptable! (local 2.2.2.2 remote 1.1.1.1)
> Nov 29 14:44:33.103: ISAKMP (0:1): incrementing error counter on sa: construct_fail_ag_init
> Nov 29 14:44:33.107: ISAKMP (0:1): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
> Nov 29 14:44:33.107: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
> Nov 29 14:44:33.110: ISAKMP (0:1): Old State = IKE_READY New State = IKE_READY
>
> Nov 29 14:44:33.110: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 1.1.1.1
> Nov 29 14:44:37.507: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (R) AG_NO_STATE
> Nov 29 14:44:37.515: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
> Nov 29 14:44:37.515: ISAKMP (0:1): retransmitting due to retransmit phase 1
> Nov 29 14:44:37.519: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
> Nov 29 14:44:37.650: %SEC-6-IPACCESSLOGP: list inbound permitted udp 1.1.1.1(500) -> 2.2.2.2(500), 2 packets
> Nov 29 14:44:37.654: %SEC-6-IPACCESSLOGP: list inbound permitted tcp 1.1.1.1(1430) -> 2.2.2.2(3389), 91 packets
> Nov 29 14:44:38.015: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
> Nov 29 14:44:38.015: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
> Nov 29 14:44:38.019: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE
> Nov 29 14:44:38.019: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) AG_NO_STATE
>
>
> Please help!!!
>
> Jamie
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
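The debug above only reports the first attribute that fails (encryption), so a Phase 1 troubleshooter cannot tell from one line how far the peer's proposal is from the configured policy. As an added example, not code from the thread or from Cisco, the following Python reconstructs the peer's transform from the quoted "debug crypto isakmp" attribute lines and lists every attribute that differs from "crypto isakmp policy 10" once the IOS defaults are filled in. Assumptions: the IOS policy defaults are des / sha / rsa-sig / group 1, and the name mapping from debug output to CLI keywords (including treating XAUTHInitPreShared as the pre-share family) is ours.

```python
import re

# Constructed sample input: the attribute lines of the offered transform,
# copied from the "debug crypto isakmp" output quoted in the thread.
DEBUG_LINES = """\
Nov 29 14:44:32.523: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
Nov 29 14:44:32.527: ISAKMP:      encryption AES-CBC
Nov 29 14:44:32.527: ISAKMP:      hash SHA
Nov 29 14:44:32.527: ISAKMP:      default group 2
Nov 29 14:44:32.531: ISAKMP:      auth XAUTHInitPreShared
Nov 29 14:44:32.531: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Nov 29 14:44:32.535: ISAKMP:      keylength of 256
Nov 29 14:44:32.535: ISAKMP (0:1): Encryption algorithm offered does not match policy!
""".splitlines()

# IOS fills in any attribute a policy leaves unset with these defaults (assumed here).
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}
# The responder's "crypto isakmp policy 10" exactly as configured in the post.
POLICY_10 = {"hash": "md5", "authentication": "pre-share"}
# Assumed mapping from the names the debug prints to the CLI policy keywords.
ENC_NAMES = {"DES-CBC": "des", "3DES-CBC": "3des", "AES-CBC": "aes"}
AUTH_NAMES = {"pre-share": "pre-share", "XAUTHInitPreShared": "pre-share", "RSA sig": "rsa-sig"}

ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|keylength of|life duration \(VPI\) of)\s+(.+)")

def parse_offer(lines):
    """Reconstruct the peer's proposed transform as policy-style keywords."""
    raw = {k: v.strip() for k, v in (m.groups() for m in map(ATTR_RE.search, lines) if m)}
    enc = ENC_NAMES.get(raw.get("encryption"), raw.get("encryption", "").lower())
    if "keylength of" in raw and enc == "aes" and raw["keylength of"] != "128":
        enc = f"aes {raw['keylength of']}"          # CLI keyword form, e.g. "aes 256"
    offer = {
        "encryption": enc,
        "hash": raw.get("hash", "").lower(),
        "group": raw.get("default group"),
        "authentication": AUTH_NAMES.get(raw.get("auth"), raw.get("auth")),
    }
    if "life duration (VPI) of" in raw:   # VPI bytes are the lifetime in seconds, big-endian
        offer["lifetime"] = int("".join(b[2:].zfill(2) for b in raw["life duration (VPI) of"].split()), 16)
    return offer

def mismatches(offer, policy):
    """Every attribute that differs; IOS stops at the first one, this lists all of them."""
    effective = {**IOS_DEFAULTS, **policy}
    return {k: (offer.get(k), effective[k]) for k in IOS_DEFAULTS if offer.get(k) != effective[k]}

if __name__ == "__main__":
    for attr, (got, want) in mismatches(parse_offer(DEBUG_LINES), POLICY_10).items():
        print(f"{attr}: peer offered {got!r}, policy 10 requires {want!r}")
```

Run against the quoted debug, it reports encryption, hash and group as mismatched while the authentication family matches, which is the full picture behind the single "Encryption algorithm offered does not match policy!" line.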
This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:51 GMT-3