From: Chamara Peris (dimsyboy@gmail.com)
Date: Wed Oct 24 2007 - 18:35:17 ART
Hi Tarun,
Using different DNS servers. However, the router can resolve the domain without
an issue. Debug attached from the HUB router.
Oct 25 07:26:36.300: ISAKMP (0:0): received packet from 222.111.111.172 dport 500 sport 500 Global (N) NEW SA
Oct 25 07:26:36.304: ISAKMP: Created a peer struct for 222.111.111.172, peer
port 500
Oct 25 07:26:36.304: ISAKMP: New peer created peer = 0x82E88B4C peer_handle
= 0x80000004
Oct 25 07:26:36.304: ISAKMP: Locking peer struct 0x82E88B4C, refcount 1 for
crypto_isakmp_process_block
Oct 25 07:26:36.304: ISAKMP: local port 500, remote port 500
Oct 25 07:26:36.304: insert sa successfully sa = 82F383B4
Oct 25 07:26:36.304: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 25 07:26:36.304: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Oct 25 07:26:36.304: ISAKMP:(0): processing SA payload. message ID = 0
Oct 25 07:26:36.304: ISAKMP:(0): processing vendor id payload
Oct 25 07:26:36.304: ISAKMP:(0): vendor ID seems Unity/DPD but major 245
mismatch
Oct 25 07:26:36.304: ISAKMP (0:0): vendor ID is NAT-T v7
Oct 25 07:26:36.304: ISAKMP:(0): processing vendor id payload
Oct 25 07:26:36.304: ISAKMP:(0): vendor ID seems Unity/DPD but major 157
mismatch
Oct 25 07:26:36.304: ISAKMP:(0): vendor ID is NAT-T v3
Oct 25 07:26:36.304: ISAKMP:(0): processing vendor id payload
Oct 25 07:26:36.308: ISAKMP:(0): vendor ID seems Unity/DPD but major 123
mismatch
Oct 25 07:26:36.308: ISAKMP:(0): vendor ID is NAT-T v2
Oct 25 07:26:36.308: ISAKMP:(0):found peer pre-shared key matching
222.111.111.172
Oct 25 07:26:36.308: ISAKMP:(0): local preshared key found
Oct 25 07:26:36.308: ISAKMP : Scanning profiles for xauth ... HH
Oct 25 07:26:36.308: ISAKMP:(0):Checking ISAKMP transform 1 against priority
1 policy
Oct 25 07:26:36.308: ISAKMP: encryption 3DES-CBC
Oct 25 07:26:36.308: ISAKMP: hash SHA
Oct 25 07:26:36.308: ISAKMP: default group 2
Oct 25 07:26:36.308: ISAKMP: auth pre-share
Oct 25 07:26:36.308: ISAKMP: life type in seconds
Oct 25 07:26:36.308: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Oct 25 07:26:36.308: ISAKMP:(0):atts are acceptable. Next payload is 3
Oct 25 07:26:36.308: ISAKMP:(0): processing vendor id payload
Oct 25 07:26:36.308: ISAKMP:(0): vendor ID seems Unity/DPD but major 245
mismatch
Oct 25 07:26:36.308: ISAKMP (0:0): vendor ID is NAT-T v7
Oct 25 07:26:36.308: ISAKMP:(0): processing vendor id payload
Oct 25 07:26:36.308: ISAKMP:(0): vendor ID seems Unity/DPD but major 157
mismatch
Oct 25 07:26:36.308: ISAKMP:(0): vendor ID is NAT-T v3
Oct 25 07:26:36.308: ISAKMP:(0): processing vendor id payload
Oct 25 07:26:36.312: ISAKMP:(0): vendor ID seems Unity/DPD but major 123
mismatch
Oct 25 07:26:36.312: ISAKMP:(0): vendor ID is NAT-T v2
Oct 25 07:26:36.312: ISAKMP:(0):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
Oct 25 07:26:36.312: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Oct 25 07:26:36.312: ISAKMP:(0): constructed NAT-T vendor-07 ID
Oct 25 07:26:36.312: ISAKMP:(0): sending packet to 222.111.111.172 my_port
500 peer_port 500 (R) MM_SA_SETUP
Oct 25 07:26:36.312: ISAKMP:(0):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE
Oct 25 07:26:36.312: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
Oct 25 07:26:36.688: ISAKMP (0:0): received packet from 222.111.111.172 dport 500 sport 500 Global (R) MM_SA_SETUP
Oct 25 07:26:36.692: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 25 07:26:36.692: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
Oct 25 07:26:36.692: ISAKMP:(0): processing KE payload. message ID = 0
Oct 25 07:26:36.732: ISAKMP:(0): processing NONCE payload. message ID = 0
Oct 25 07:26:36.736: ISAKMP:(0):found peer pre-shared key matching
222.111.111.172
Oct 25 07:26:36.736: ISAKMP:(2003): processing vendor id payload
Oct 25 07:26:36.736: ISAKMP:(2003): vendor ID is Unity
Oct 25 07:26:36.736: ISAKMP:(2003): processing vendor id payload
Oct 25 07:26:36.736: ISAKMP:(2003): vendor ID is DPD
Oct 25 07:26:36.736: ISAKMP:(2003): processing vendor id payload
Oct 25 07:26:36.736: ISAKMP:(2003): speaking to another IOS box!
Oct 25 07:26:36.736: ISAKMP:(2003):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
Oct 25 07:26:36.736: ISAKMP:(2003):Old State = IKE_R_MM3 New State =
IKE_R_MM3
Oct 25 07:26:36.740: ISAKMP:(2003): sending packet to 222.111.111.172 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Oct 25 07:26:36.740: ISAKMP:(2003):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE
Oct 25 07:26:36.740: ISAKMP:(2003):Old State = IKE_R_MM3 New State =
IKE_R_MM4
Oct 25 07:26:37.168: ISAKMP (0:2003): received packet from 222.111.111.172 dport 500 sport 500 Global (R) MM_KEY_EXCH
Oct 25 07:26:37.168: ISAKMP:(2003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 25 07:26:37.168: ISAKMP:(2003):Old State = IKE_R_MM4 New State =
IKE_R_MM5
Oct 25 07:26:37.168: ISAKMP:(2003): processing ID payload. message ID = 0
Oct 25 07:26:37.168: ISAKMP (0:2003): ID payload
next-payload : 8
type : 1
address : 222.111.111.172
protocol : 17
port : 500
length : 12
Oct 25 07:26:37.168: ISAKMP:(0):: peer matches *none* of the profiles
Oct 25 07:26:37.168: ISAKMP:(2003): processing HASH payload. message ID = 0
Oct 25 07:26:37.168: ISAKMP:received payload type 17
Oct 25 07:26:37.168: ISAKMP:(2003): processing NOTIFY INITIAL_CONTACT
protocol 1
spi 0, message ID = 0, sa = 82F383B4
Oct 25 07:26:37.168: ISAKMP:(2003):SA authentication status:
authenticated
Oct 25 07:26:37.168: ISAKMP:(2003):SA has been authenticated with
222.111.111.172
Oct 25 07:26:37.172: ISAKMP:(2003):SA authentication status:
authenticated
Oct 25 07:26:37.172: ISAKMP:(2003): Process initial contact,
bring down existing phase 1 and 2 SA's with local 124.111.211.181 remote
222.111.111.172 remote port 500
Oct 25 07:26:37.172: ISAKMP: Trying to insert a peer
124.111.211.181/222.111.111.172/500/, and inserted successfully 82E88B4C.
Oct 25 07:26:37.172: ISAKMP:(2003):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
Oct 25 07:26:37.172: ISAKMP:(2003):Old State = IKE_R_MM5 New State =
IKE_R_MM5
Oct 25 07:26:37.172: IPSEC(key_engine): got a queue event with 1 KMI
message(s)
Oct 25 07:26:37.172: ISAKMP:(2003):SA is doing pre-shared key authentication
using id type ID_IPV4_ADDR
Oct 25 07:26:37.172: ISAKMP (0:2003): ID payload
next-payload : 8
type : 1
address : 124.111.211.181
protocol : 17
port : 500
length : 12
Oct 25 07:26:37.172: ISAKMP:(2003):Total payload length: 12
Oct 25 07:26:37.176: ISAKMP:(2003): sending packet to 222.111.111.172 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Oct 25 07:26:37.176: ISAKMP:(2003):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE
Oct 25 07:26:37.176: ISAKMP:(2003):Old State = IKE_R_MM5 New State =
IKE_P1_COMPLETE
Oct 25 07:26:37.176: ISAKMP:(2003):Input = IKE_MESG_INTERNAL,
IKE_PHASE1_COMPLETE
Oct 25 07:26:37.176: ISAKMP:(2003):Old State = IKE_P1_COMPLETE New State =
IKE_P1_COMPLETE
Oct 25 07:26:37.552: ISAKMP (0:2003): received packet from 222.111.111.172 dport 500 sport 500 Global (R) QM_IDLE
Oct 25 07:26:37.552: ISAKMP: set new node -1997029058 to QM_IDLE
Oct 25 07:26:37.552: ISAKMP:(2003): processing HASH payload. message ID =
-1997029058
Oct 25 07:26:37.552: ISAKMP:(2003): processing SA payload. message ID =
-1997029058
Oct 25 07:26:37.552: ISAKMP:(2003):Checking IPSec proposal 1
Oct 25 07:26:37.552: ISAKMP: transform 1, ESP_3DES
Oct 25 07:26:37.552: ISAKMP: attributes in transform:
Oct 25 07:26:37.552: ISAKMP: encaps is 1 (Tunnel)
Oct 25 07:26:37.552: ISAKMP: SA life type in seconds
Oct 25 07:26:37.552: ISAKMP: SA life duration (basic) of 3600
Oct 25 07:26:37.552: ISAKMP: SA life type in kilobytes
Oct 25 07:26:37.552: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50
0x0
Oct 25 07:26:37.552: ISAKMP: authenticator is HMAC-SHA
Oct 25 07:26:37.552: ISAKMP:(2003):atts are acceptable.
Oct 25 07:26:37.556: IPSEC(validate_proposal_request): proposal part #1
Oct 25 07:26:37.556: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 124.111.211.181, remote= 222.111.111.172,
local_proxy= 192.168.60.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.61.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Oct 25 07:26:37.556: Crypto mapdb : proxy_match
src addr : 192.168.60.0
dst addr : 192.168.61.0
protocol : 0
src port : 0
dst port : 0
Oct 25 07:26:37.556: map_db_check_isakmp_profile profile did not match
Oct 25 07:26:37.556: Crypto mapdb : proxy_match
src addr : 192.168.60.0
dst addr : 192.168.61.0
protocol : 0
src port : 0
dst port : 0
Oct 25 07:26:37.556: map_db_check_isakmp_profile profile did not match
Oct 25 07:26:37.556: map_db_find_best did not find matching map
Oct 25 07:26:37.556: IPSEC(crypto_ipsec_process_proposal): proxy identities
not supported
Oct 25 07:26:37.556: ISAKMP:(2003): IPSec policy invalidated proposal with
error 32
Oct 25 07:26:37.556: ISAKMP:(2003): phase 2 SA policy not acceptable! (local
124.111.211.181 remote 222.111.111.172)
Oct 25 07:26:37.556: ISAKMP: set new node 1861558090 to QM_IDLE
Oct 25 07:26:37.560: ISAKMP:(2003):Sending NOTIFY PROPOSAL_NOT_CHOSEN
protocol 3
spi 2208230480, message ID = 1861558090
Oct 25 07:26:37.560: ISAKMP:(2003): sending packet to 222.111.111.172 my_port 500 peer_port 500 (R) QM_IDLE
Oct 25 07:26:37.560: ISAKMP:(2003):purging node 1861558090
Oct 25 07:26:37.560: ISAKMP:(2003):deleting node -1997029058 error TRUE
reason "QM rejected"
Oct 25 07:26:37.560: ISAKMP:(2003):Node -1997029058, Input =
IKE_MESG_FROM_PEER, IKE_QM_EXCH
Oct 25 07:26:37.560: ISAKMP:(2003):Old State = IKE_QM_READY New State =
IKE_QM_READY
On 10/25/07, Tarun Pahuja <pahujat@gmail.com> wrote:
>
> Chamara,
> Are the working and non working routers using the same DNS
> servers or different DNS servers? You can specify multiple criteria for
> matching.
>
>
> http://www.cisco.com/en/US/products/ps6635/products_white_paper0900aecd8034bd59.shtml
>
> Do me a favor, revert back your configuration to use match identity host
> domain, try to initiate the tunnel and capture the debug and send it to me.
> Seems like the FQDN is not getting resolved correctly.
>
> Thanks,
> Tarun
>
>
> On 10/23/07, Chamara Peris <dimsyboy@gmail.com > wrote:
>
> > same IOS version on working setup and non working setup :(
> >
> > On 10/24/07, WorkerBee < ciscobee@gmail.com> wrote:
> > >
> > > Before you check on the IOS version, if you change the type domain to
> > > address, does it work? Changing to address type is to make sure there is no
> > > configuration or firewall issue.
> > >
> > > On 10/24/07, WorkerBee <ciscobee@gmail.com> wrote:
> > > > Maybe it is the IOS version? Check the version against the working setup.
> > > >
> > > > On 10/24/07, Chamara Peris < dimsyboy@gmail.com> wrote:
> > > > > Hi All,
> > > > >
> > > > > Any ideas on this issue?
> > > > >
> > > > >
> > > > > On 10/23/07, Chamara Peris < dimsyboy@gmail.com> wrote:
> > > > > >
> > > > > > I have ip domain-lookup enabled and hub router & spoke both can
> > > > > > ping test123.vpn.com (it resolves it).
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > On 10/23/07, WorkerBee < ciscobee@gmail.com> wrote:
> > > > > > >
> > > > > > > Do you have 'ip domain-lookup' enabled?
> > > > > > >
> > > > > > > Try to do a ping test123.vpn.com and see if the router can resolve
> > > > > > > the domain name correctly.
> > > > > > >
> > > > > > >
> > > > > > > On 10/23/07, Chamara Peris < dimsyboy@gmail.com> wrote:
> > > > > > > > Hi Group,
> > > > > > > >
> > > > > > > > I am experiencing a very strange VPN issue. I have two sites connected
> > > > > > > > via VPN. Hub site has a static IP and spoke site is dynamic. Please
> > > > > > > > refer to configs of each site below.
> > > > > > > >
> > > > > > > > HUB:
> > > > > > > >
> > > > > > > > crypto keyring sats
> > > > > > > > pre-shared-key address 0.0.0.0 0.0.0.0 key testing123
> > > > > > > > !
> > > > > > > > crypto isakmp policy 1
> > > > > > > > encr 3des
> > > > > > > > authentication pre-share
> > > > > > > > group 2
> > > > > > > >
> > > > > > > > crypto isakmp invalid-spi-recovery
> > > > > > > > crypto isakmp profile HH
> > > > > > > > keyring sats
> > > > > > > > match identity host domain test123.vpn.com
> > > > > > > >
> > > > > > > > !
> > > > > > > > crypto ipsec transform-set myset esp-3des esp-sha-hmac
> > > > > > > > !
> > > > > > > > crypto dynamic-map dynmap 11
> > > > > > > > set transform-set myset
> > > > > > > > set isakmp-profile HH
> > > > > > > > match address 137
> > > > > > > >
> > > > > > > > crypto map xyz 10 ipsec-isakmp dynamic dynmap
> > > > > > > >
> > > > > > > > access-list 137 permit ip 192.168.60.0 0.0.0.255 192.168.61.0 0.0.0.255
> > > > > > > >
> > > > > > > > SPOKE:
> > > > > > > >
> > > > > > > > crypto isakmp policy 1
> > > > > > > > encr 3des
> > > > > > > > authentication pre-share
> > > > > > > > group 2
> > > > > > > > crypto isakmp key testing123 address 111.111.111.111
> > > > > > > > crypto isakmp invalid-spi-recovery
> > > > > > > > crypto isakmp keepalive 360
> > > > > > > > !
> > > > > > > > !
> > > > > > > > crypto ipsec transform-set myset esp-3des esp-sha-hmac
> > > > > > > > !
> > > > > > > > crypto map xyz 2 ipsec-isakmp
> > > > > > > > set peer 111.111.111.111
> > > > > > > > set transform-set myset
> > > > > > > > match address 137
> > > > > > > >
> > > > > > > > access-list 137 permit ip 192.168.61.0 0.0.0.255 192.168.60.0 0.0.0.255
> > > > > > > >
> > > > > > > > My problem is this setup doesn't work in this environment. However the
> > > > > > > > same setup on another set of routers works perfectly. All the routers
> > > > > > > > have domain name setup and name servers setup.
> > > > > > > >
> > > > > > > > The only way to get this going on this set of routers is to change the
> > > > > > > > following on the HUB router.
> > > > > > > >
> > > > > > > > match identity host domain test123.vpn.com -----> match identity address 0.0.0.0
> > > > > > > >
> > > > > > > > With the above change it works. But I can't understand why match
> > > > > > > > identity host domain doesn't work on this setup.
> > > > > > > >
> > > > > > > > Any ideas and help?
> > > > > > > >
> > > > > > > > Regards
> > > > > > > > CP
> > > > > > > >
> > > > > > > >
> > > > > > >
> > >
> > _______________________________________________________________________
> > > > > > > > Subscription information may be found at:
> > > > > > > > http://www.groupstudy.com/list/CCIELab.html
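Added example, not part of the thread and not Cisco's code: a small Python checker that reads the hub's "debug crypto isakmp" output posted above and pulls out the three facts that decide whether an ISAKMP profile can be selected for a peer: the identification type the peer put in its ID payload, the "peer matches *none* of the profiles" line, and the quick-mode rejection (PROPOSAL_NOT_CHOSEN). It then compares the peer's ID type against the identity type a given "match identity" form can match. The ID type numbers are from RFC 2407; the table of IOS match forms is my own summary for this example; the debug excerpt is copied from the message above and trimmed; the format of the profile-match success line is assumed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of the hub's "debug crypto isakmp" output, copied from the
# thread above and trimmed to the lines this checker reads.
SAMPLE_DEBUG = """\
Oct 25 07:26:37.168: ISAKMP:(2003): processing ID payload. message ID = 0
Oct 25 07:26:37.168: ISAKMP (0:2003): ID payload
next-payload : 8
type : 1
address : 222.111.111.172
protocol : 17
port : 500
length : 12
Oct 25 07:26:37.168: ISAKMP:(0):: peer matches *none* of the profiles
Oct 25 07:26:37.172: ISAKMP:(2003):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Oct 25 07:26:37.172: ISAKMP (0:2003): ID payload
next-payload : 8
type : 1
address : 124.111.211.181
protocol : 17
port : 500
length : 12
Oct 25 07:26:37.556: map_db_check_isakmp_profile profile did not match
Oct 25 07:26:37.556: map_db_find_best did not find matching map
Oct 25 07:26:37.556: ISAKMP:(2003): phase 2 SA policy not acceptable! (local 124.111.211.181 remote 222.111.111.172)
Oct 25 07:26:37.560: ISAKMP:(2003):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

# IKEv1 IPsec DOI identification types (RFC 2407, section 4.6.2.1).
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 4: "ID_IPV4_ADDR_SUBNET",
            5: "ID_IPV6_ADDR", 9: "ID_DER_ASN1_DN", 11: "ID_KEY_ID"}

# Identity types each IOS "match identity ..." form can match. My own summary
# for this example, limited to the forms I am sure of.
MATCH_FORMS = {
    "address": {1},
    "host": {2},
    "host domain": {2},
    "user": {3},
    "user domain": {3},
}


@dataclass
class IkeDiagnosis:
    peer_id_type: Optional[int] = None      # ID type from the peer's ID payload
    peer_id_value: Optional[str] = None     # identity value the peer sent
    profile_matched: Optional[bool] = None  # None if the debug never said
    phase2_rejected: bool = False           # quick mode rejected by the hub
    findings: List[str] = field(default_factory=list)


def parse_isakmp_debug(text: str) -> IkeDiagnosis:
    """Extract identity and profile-match facts from IOS ISAKMP debug lines."""
    d = IkeDiagnosis()
    expecting_peer_id = False   # set after "processing ID payload" (the peer's ID)
    in_id_block = False         # inside the multi-line "ID payload" dump
    for line in text.splitlines():
        s = line.strip()
        if "processing ID payload" in s:
            expecting_peer_id = True
        elif expecting_peer_id and s.endswith("ID payload"):
            in_id_block = True
        elif in_id_block:
            m = re.match(r"(type|address)\s*:\s*(\S+)", s)
            if m and m.group(1) == "type":
                d.peer_id_type = int(m.group(2))
            elif m:
                d.peer_id_value = m.group(2)
            elif s.startswith("length"):
                # "length" closes the dump; the local ID dump later is ignored.
                in_id_block = False
                expecting_peer_id = False
        if "peer matches *none* of the profiles" in s:
            d.profile_matched = False
        elif re.search(r"peer matches (?!\*none\*)\S+ profile", s):
            d.profile_matched = True  # success-line format assumed
        if "PROPOSAL_NOT_CHOSEN" in s or "phase 2 SA policy not acceptable" in s:
            d.phase2_rejected = True
    return d


def explain(d: IkeDiagnosis, profile_match_form: str) -> List[str]:
    """Turn the parsed facts into findings for a profile using the given match form."""
    findings = []
    want = MATCH_FORMS.get(profile_match_form)
    if d.peer_id_type is not None and want and d.peer_id_type not in want:
        findings.append(
            f"peer sent identity type {d.peer_id_type} "
            f"({ID_TYPES.get(d.peer_id_type, 'unknown')}) value {d.peer_id_value}; "
            f"'match identity {profile_match_form}' only matches "
            + "/".join(ID_TYPES[t] for t in sorted(want)))
    if d.profile_matched is False:
        findings.append("no ISAKMP profile matched the peer identity "
                        "(phase 1 still authenticates on the pre-shared key)")
    if d.phase2_rejected:
        findings.append("quick mode rejected (PROPOSAL_NOT_CHOSEN): a dynamic map "
                        "bound to the profile cannot be selected for this peer")
    return findings


if __name__ == "__main__":
    diag = parse_isakmp_debug(SAMPLE_DEBUG)
    for form in ("host domain", "address"):
        print(f"--- profile using 'match identity {form}'")
        for f in explain(diag, form):
            print(" *", f)
```

Run against the excerpt, the "host domain" form reports all three findings and the "address" form reports only the two taken straight from the debug, which is the same difference the thread observed between the two hub configurations. On IOS the identity type a router sends is chosen by its own "crypto isakmp identity" setting (address is the default), so the peer's ID type is the first thing to read off the debug when a "match identity" clause will not match.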
This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:18 ART