RE: VPN won't come up

From: Omkar Tambalkar (otambalkar@proflowers.com)
Date: Mon Jun 16 2008 - 21:07:06 ART


Looks like an issue with the phase 2 negotiations. What is the
configuration for transform-set and crypto map on both sides of the VPN?

Thank you,
Omkar Tambalkar, CCNP
 
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Dane Newman
Sent: Monday, June 16, 2008 4:32 PM
To: Cisco certification
Subject: VPN won't come up

I am doing a LAN-to-LAN VPN as per the scenario with a router and the
vpn3k. Below is the debug. I see that during the ISAKMP phase 1 it finds a
policy on both devices that match, but after that when I debug crypt isa
error it shows the only error to be

Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.

I looked that up online and it said

Indicates that the notify message received from the peer lacked a valid
hash. This means that the notify message was not authenticated. For security
reasons, this message is ignored.
http://www.cisco.com/univercd/cc/td/doc/product/vpn/solution/aswan15/omt/omt_03a.htm

anyone able to comment?

Rack1R3#ping 192.10.6.254 source 10.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.10.6.254, timeout is 2 seconds:
Packet sent with a source address of 10.3.3.3
Jun 16 16:22:33.830: ISAKMP: received ke message (1/1)
Jun 16 16:22:33.830: ISAKMP (0:0): SA request profile is (NULL)
Jun 16 16:22:33.830: ISAKMP: local port 500, remote port 500
Jun 16 16:22:33.830: ISAKMP: set new node 0 to QM_IDLE
Jun 16 16:22:33.834: ISAKMP: insert sa successfully sa = 83B46590
Jun 16 16:22:33.834: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
Jun 16 16:22:33.834: ISAKMP: Looking for a matching key for 132.1.115.11 in default : success
Jun 16 16:22:33.834: ISAKMP (0:1): found peer pre-shared key matching 132.1.115.11
Jun 16 16:22:33.834: ISAKMP (0:1): constructed NAT-T vendor-03 ID
Jun 16 16:22:33.834: ISAKMP (0:1): constructed NAT-T vendor-02 ID
Jun 16 16:22:33.834: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jun 16 16:22:33.834: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
Jun 16 16:22:33.838: ISAKMP (0:1): beginning Main Mode exchange
Jun 16 16:22:33.838: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 16 16:22:34.043: ISAKMP (0:1): received packet from 132.1.115.11 dport 500 sport 500 Global (I) MM_NO_STATE
Jun 16 16:22:34.043: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 16 16:22:34.043: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
Jun 16 16:22:34.047: ISAKMP (0:1): processing SA payload. message ID = 0
Jun 16 16:22:34.047: ISAKMP (0:1): processing vendor id payload
Jun 16 16:22:34.047: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
Jun 16 16:22:34.047: ISAKMP: Looking for a matching key for 132.1.115.11 in default : success
Jun 16 16:22:34.047: ISAKMP (0:1): found peer pre-shared key matching 132.1.115.11
Jun 16 16:22:34.047: ISAKMP (0:1) local preshared key found
Jun 16 16:22:34.047: ISAKMP : Scanning profiles for xauth ...
Jun 16 16:22:34.051: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
Jun 16 16:22:34.051: ISAKMP: encryption 3DES-CBC
Jun 16 16:22:34.051: ISAKMP: hash MD5
Jun 16 16:22:34.051: ISAKMP: default group 2
Jun 16 16:22:34.051: ISAKMP: auth pre-share
Jun 16 16:22:34.051: ISAKMP: life type in seconds
Jun 16 16:22:34.051: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Jun 16 16:22:34.051: ISAKMP (0:1): atts are acceptable. Next payload is 0
Jun 16 16:22:34.315: ISAKMP (0:1): processing vendor id payload
Jun 16 16:22:34.315: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
Jun 16 16:22:34.315: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 16 16:22:34.319: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
Jun 16 16:22:34.319: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jun 16 16:22:34.323: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 16 16:22:34.323: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
....
Success rate is 0 percent (0/5)
Rack1R3#
Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
Jun 16 16:22:44.323: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
Jun 16 16:22:44.323: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jun 16 16:22:44.428: ISAKMP (0:1): received packet from 132.1.115.11 dport 500 sport 500 Global (I) MM_SA_SETUP
Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
Jun 16 16:22:44.432: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jun 16 16:22:44.432: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM3
Rack1R3#
Jun 16 16:23:03.831: ISAKMP: received ke message (1/1)
Jun 16 16:23:03.831: ISAKMP: set new node 0 to QM_IDLE
Jun 16 16:23:03.831: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 10.3.3.3, remote 132.1.115.11)
Rack1R3#
Jun 16 16:23:33.833: ISAKMP: received ke message (3/1)
Jun 16 16:23:33.833: ISAKMP (0:1): peer does not do paranoid keepalives.
Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer 132.1.115.11) input queue 0
Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer 132.1.115.11) input queue 0
Jun 16 16:23:33.837: ISAKMP (0:1): deleting node -492041071 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
Jun 16 16:23:33.837: ISAKMP (0:1): deleting node -1371117716 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
Rack1R3#
Jun 16 16:23:33.837: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jun 16 16:23:33.837: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_DEST_SA
Rack1R3#
Jun 16 16:24:23.839: ISAKMP (0:1): purging node -492041071
Jun 16 16:24:23.839: ISAKMP (0:1): purging node -1371117716
Rack1R3#
Jun 16 16:24:33.839: ISAKMP (0:1): purging SA., sa=83B46590, delme=83B46590
Rack1R3#u all
All possible debugging has been turned off
Rack1R3#

 Rack1R3#show run
Building configuration...
Current configuration : 3053 bytes
!
! Last configuration change at 16:18:44 UTC Mon Jun 16 2008
! NVRAM config last updated at 15:46:05 UTC Mon Jun 16 2008
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rack1R3
!
logging queue-limit 100
enable password cisco
!
ip subnet-zero
!
!
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
mpls ldp logging neighbor-changes
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 authentication pre-share
 lifetime 2400
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
!
!
!
crypto map VPN local-address FastEthernet0/0
crypto map VPN 10 ipsec-isakmp
 set peer 10.4.4.4
 set transform-set DES_MD5
 match address vlan3_to_vlan44
crypto map VPN 20 ipsec-isakmp
 set peer 132.1.115.11
 set transform-set 3DES_MD5
 match address vlan3_to_vlan112
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Loopback0
 ip address 150.1.3.3 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.3.3.3 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 132.1.33.3 255.255.255.0
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
!
interface Serial1/0.1234 point-to-point
 ip address 132.1.0.3 255.255.255.0
 ip ospf network point-to-multipoint
 frame-relay interface-dlci 302
 crypto map VPN
!
interface Serial1/1
 no ip address
 encapsulation frame-relay
!
interface Serial1/1.35 point-to-point
 ip address 132.1.35.3 255.255.255.0
 frame-relay interface-dlci 315
 crypto map VPN
!
interface Serial1/2
 no ip address
 shutdown
!
interface Serial1/3
 no ip address
 shutdown
!
router ospf 1
 router-id 150.1.3.3
 log-adjacency-changes
 redistribute connected subnets route-map CONNECTED_TO_OSPF
 network 132.1.0.3 0.0.0.0 area 0
 network 132.1.35.3 0.0.0.0 area 345
 network 150.1.3.3 0.0.0.0 area 0
!
router bgp 100
 no synchronization
 bgp router-id 150.1.3.3
 bgp log-neighbor-changes
 neighbor 150.1.2.2 remote-as 100
 neighbor 150.1.2.2 update-source Loopback0
 no auto-summary
!
ip http server
no ip http secure-server
ip classless
ip route 132.1.115.0 255.255.255.0 132.1.35.5
ip route 192.10.6.0 255.255.255.0 132.1.35.6
!
!
!
ip access-list extended vlan3_to_vlan112
 permit ip 10.3.3.0 0.0.0.255 192.10.6.0 0.0.0.255
ip access-list extended vlan3_to_vlan44
 permit ip 10.3.3.0 0.0.0.255 10.4.4.0 0.0.0.255
!
!
route-map CONNECTED_TO_OSPF permit 10
 match interface FastEthernet0/0
!
!
call rsvp-sync
!
!
mgcp profile default
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
line vty 0 4
 password cisco
 login
!
!
end
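
An added example, not part of the original post and not Cisco code: a short Python script that reads a "debug crypto isakmp" trace like the one above and reports how far the initiator got before the SA was torn down. Fed the trace posted here (the embedded sample is a subset of those lines, copied from the post), it reports the SA reaching IKE_I_MM3, one phase 1 retransmit of MM_SA_SETUP, one rejected unauthenticated notify from 132.1.115.11 and deletion without ever reaching IKE_P1_COMPLETE. Once a trace does reach IKE_P1_COMPLETE, the transform-set and crypto map comparison Omkar asks for is the next thing to check. The state-name ordering and the one-line descriptions of each state are my summary of the standard IOS initiator main-mode states; the regexes assume the wording shown in the trace above.

```python
"""Summarise a Cisco IOS 'debug crypto isakmp' trace (added example)."""
import re

# Standard IOS initiator main-mode state names, in the order they are reached.
# Comments are my summary of what each state means for the initiator.
MAIN_MODE_ORDER = [
    "IKE_READY",
    "IKE_I_MM1",        # sent SA proposal (MM1)
    "IKE_I_MM2",        # received peer's SA reply (MM2): a policy matched
    "IKE_I_MM3",        # sent KE + nonce (MM3), waiting for peer's KE + nonce (MM4)
    "IKE_I_MM4",        # received peer's KE + nonce
    "IKE_I_MM5",        # sent ID + auth hash (MM5), waiting for peer's (MM6)
    "IKE_I_MM6",        # received peer's ID + auth hash
    "IKE_P1_COMPLETE",  # phase 1 finished; quick mode (phase 2) can start
]

# Patterns keyed on the wording seen in the trace above.
STATE_RE = re.compile(r"ISAKMP \((\d+):(\d+)\): Old State = (\S+) New State = (\S+)")
PEER_RE = re.compile(r"(?:sending packet to|received packet from) (\d+(?:\.\d+){3})")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)"')
RETRANSMIT_RE = re.compile(r"incrementing error counter on sa: retransmit phase 1")
NO_HASH_RE = re.compile(r"Notify has no hash\. Rejected\.")
ATTS_OK_RE = re.compile(r"atts are acceptable")

# Constructed sample: lines copied from the trace posted above (others omitted).
SAMPLE_DEBUG = """\
Jun 16 16:22:33.834: ISAKMP (0:1): found peer pre-shared key matching 132.1.115.11
Jun 16 16:22:33.834: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
Jun 16 16:22:33.838: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 16 16:22:34.043: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
Jun 16 16:22:34.051: ISAKMP (0:1): atts are acceptable. Next payload is 0
Jun 16 16:22:34.319: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
Jun 16 16:22:34.319: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jun 16 16:22:34.323: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
Jun 16 16:22:44.323: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
Jun 16 16:22:44.432: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM3
Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer 132.1.115.11) input queue 0
Jun 16 16:23:33.837: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_DEST_SA
"""


def analyze(debug_text):
    """Walk the trace line by line and return a dict describing where it stalled."""
    report = {
        "peer": None, "transitions": [], "highest_state": "IKE_READY",
        "policy_matched": False, "retransmits": 0, "rejected_notifies": 0,
        "delete_reason": None, "phase1_complete": False,
    }
    for line in debug_text.splitlines():
        if (m := PEER_RE.search(line)) and report["peer"] is None:
            report["peer"] = m.group(1)
        if m := STATE_RE.search(line):
            old, new = m.group(3), m.group(4)
            report["transitions"].append((old, new))
            # Track the furthest main-mode state reached; IKE_DEST_SA is not progress.
            if new in MAIN_MODE_ORDER and MAIN_MODE_ORDER.index(new) > MAIN_MODE_ORDER.index(report["highest_state"]):
                report["highest_state"] = new
        if ATTS_OK_RE.search(line):
            report["policy_matched"] = True
        if RETRANSMIT_RE.search(line):
            report["retransmits"] += 1
        if NO_HASH_RE.search(line):
            report["rejected_notifies"] += 1
        if m := DELETE_RE.search(line):
            report["delete_reason"] = m.group(1)
    # Phase 1 is done if we saw IKE_P1_COMPLETE or any quick-mode (IKE_QM_*) state.
    report["phase1_complete"] = report["highest_state"] == "IKE_P1_COMPLETE" or any(
        new.startswith("IKE_QM") for _, new in report["transitions"])
    return report


def verdict(report):
    """One-line reading of the report, with the next debug to run."""
    if report["phase1_complete"]:
        return ("Phase 1 completed; compare transform-sets and crypto maps and "
                "run 'debug crypto ipsec' for the phase 2 negotiation.")
    msg = f"Stuck in phase 1 at {report['highest_state']}"
    if report["highest_state"] == "IKE_I_MM3":
        msg += " (KE/nonce sent, never got the peer's MM4 reply)"
    if report["policy_matched"]:
        msg += "; ISAKMP policy matched"
    if report["retransmits"]:
        msg += f"; {report['retransmits']} phase 1 retransmit(s)"
    if report["rejected_notifies"]:
        msg += f"; {report['rejected_notifies']} unauthenticated notify payload(s) rejected"
    if report["delete_reason"]:
        msg += f"; SA deleted ({report['delete_reason']})"
    return msg + "."


if __name__ == "__main__":
    print(verdict(analyze(SAMPLE_DEBUG)))
```

Pipe a saved terminal capture into analyze() instead of SAMPLE_DEBUG to use it on a live router; the script only needs the "Old State ... New State" lines, the retransmit counter and the delete reason, which every IOS ISAKMP debug prints.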



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:21 ART