Re: VPN won't come up

From: Bill Eyer (beyer@optonline.net)
Date: Mon Jun 16 2008 - 21:14:46 ART


Dane,

I have never worked with the 3k concentrator, but I have worked with a
lot of IOS VPNs. I notice that on your router you have the F0/0
interface as the local identity, but on the concentrator you are using
the loopback interface as the peer address. If I were guessing, I would
say that is a likely cause. The crypto isakmp key cisco address 0.0.0.0
0.0.0.0 statement indicates you will accept key exchanges without
authenticating the peer address, just the key, but I think on the
concentrator side you are specifying a different address than referenced
by your loopback.

Sincerely,

Bill

Dane Newman wrote:
> Attached are screen shots of the LAN to LAN config on the vpn3k
>
> On Mon, Jun 16, 2008 at 7:54 PM, Bill Eyer <beyer@optonline.net> wrote:
>
> Dane,
>
> Do you have the config for the other side?
>
> Bill
>
> Dane Newman wrote:
>
> I am doing a LAN to LAN vpn as per the scenario with a router and the
> vpn3k. Below is the debug. I see that during the isakmp phase 1 it finds a
> policy on both devices that match but after that when I debug crypt isa
> error it shows the only error to be
>
> Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
>
> I looked that up online and it said
>
> Indicates that the notify message received from the peer lacked a valid
> hash. This means that the notify message was not authenticated. For security
> reasons, this message is ignored.
> http://www.cisco.com/univercd/cc/td/doc/product/vpn/solution/aswan15/omt/omt_03a.htm
>
> anyone able to comment?
>
> Rack1R3#ping 192.10.6.254 source 10.3.3.3
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.10.6.254, timeout is 2 seconds:
> Packet sent with a source address of 10.3.3.3
> Jun 16 16:22:33.830: ISAKMP: received ke message (1/1)
> Jun 16 16:22:33.830: ISAKMP (0:0): SA request profile is (NULL)
> Jun 16 16:22:33.830: ISAKMP: local port 500, remote port 500
> Jun 16 16:22:33.830: ISAKMP: set new node 0 to QM_IDLE
> Jun 16 16:22:33.834: ISAKMP: insert sa successfully sa = 83B46590
> Jun 16 16:22:33.834: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
> Jun 16 16:22:33.834: ISAKMP: Looking for a matching key for 132.1.115.11 in default : success
> Jun 16 16:22:33.834: ISAKMP (0:1): found peer pre-shared key matching 132.1.115.11
> Jun 16 16:22:33.834: ISAKMP (0:1): constructed NAT-T vendor-03 ID
> Jun 16 16:22:33.834: ISAKMP (0:1): constructed NAT-T vendor-02 ID
> Jun 16 16:22:33.834: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
> Jun 16 16:22:33.834: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
> Jun 16 16:22:33.838: ISAKMP (0:1): beginning Main Mode exchange
> Jun 16 16:22:33.838: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_NO_STATE
> Jun 16 16:22:34.043: ISAKMP (0:1): received packet from 132.1.115.11 dport 500 sport 500 Global (I) MM_NO_STATE
> Jun 16 16:22:34.043: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> Jun 16 16:22:34.043: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
> Jun 16 16:22:34.047: ISAKMP (0:1): processing SA payload. message ID = 0
> Jun 16 16:22:34.047: ISAKMP (0:1): processing vendor id payload
> Jun 16 16:22:34.047: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
> Jun 16 16:22:34.047: ISAKMP: Looking for a matching key for 132.1.115.11 in default : success
> Jun 16 16:22:34.047: ISAKMP (0:1): found peer pre-shared key matching 132.1.115.11
> Jun 16 16:22:34.047: ISAKMP (0:1) local preshared key found
> Jun 16 16:22:34.047: ISAKMP : Scanning profiles for xauth ...
> Jun 16 16:22:34.051: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
> Jun 16 16:22:34.051: ISAKMP: encryption 3DES-CBC
> Jun 16 16:22:34.051: ISAKMP: hash MD5
> Jun 16 16:22:34.051: ISAKMP: default group 2
> Jun 16 16:22:34.051: ISAKMP: auth pre-share
> Jun 16 16:22:34.051: ISAKMP: life type in seconds
> Jun 16 16:22:34.051: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
> Jun 16 16:22:34.051: ISAKMP (0:1): atts are acceptable. Next payload is 0
> Jun 16 16:22:34.315: ISAKMP (0:1): processing vendor id payload
> Jun 16 16:22:34.315: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
> Jun 16 16:22:34.315: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
> Jun 16 16:22:34.319: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
> Jun 16 16:22:34.319: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_SA_SETUP
> Jun 16 16:22:34.323: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
> Jun 16 16:22:34.323: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
> ....
> Success rate is 0 percent (0/5)
> Rack1R3#
> Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
> Jun 16 16:22:44.323: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
> Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
> Jun 16 16:22:44.323: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_SA_SETUP
> Jun 16 16:22:44.428: ISAKMP (0:1): received packet from 132.1.115.11 dport 500 sport 500 Global (I) MM_SA_SETUP
> Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
> Jun 16 16:22:44.432: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
> Jun 16 16:22:44.432: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM3
> Rack1R3#
> Jun 16 16:23:03.831: ISAKMP: received ke message (1/1)
> Jun 16 16:23:03.831: ISAKMP: set new node 0 to QM_IDLE
> Jun 16 16:23:03.831: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 10.3.3.3, remote 132.1.115.11)
> Rack1R3#
> Jun 16 16:23:33.833: ISAKMP: received ke message (3/1)
> Jun 16 16:23:33.833: ISAKMP (0:1): peer does not do paranoid keepalives.
> Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer 132.1.115.11) input queue 0
> Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer 132.1.115.11) input queue 0
> Jun 16 16:23:33.837: ISAKMP (0:1): deleting node -492041071 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
> Jun 16 16:23:33.837: ISAKMP (0:1): deleting node -1371117716 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
> Rack1R3#
> Jun 16 16:23:33.837: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
> Jun 16 16:23:33.837: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_DEST_SA
> Rack1R3#
> Jun 16 16:24:23.839: ISAKMP (0:1): purging node -492041071
> Jun 16 16:24:23.839: ISAKMP (0:1): purging node -1371117716
> Rack1R3#
> Jun 16 16:24:33.839: ISAKMP (0:1): purging SA., sa=83B46590, delme=83B46590
> Rack1R3#u all
> All possible debugging has been turned off
> Rack1R3#
>
> Rack1R3#show run
> Building configuration...
> Current configuration : 3053 bytes
> !
> ! Last configuration change at 16:18:44 UTC Mon Jun 16 2008
> ! NVRAM config last updated at 15:46:05 UTC Mon Jun 16 2008
> !
> version 12.2
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname Rack1R3
> !
> logging queue-limit 100
> enable password cisco
> !
> ip subnet-zero
> !
> !
> no ip domain lookup
> !
> ip audit notify log
> ip audit po max-events 100
> mpls ldp logging neighbor-changes
> !
> !
> !
> crypto isakmp policy 1
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> !
> crypto isakmp policy 10
>  authentication pre-share
>  lifetime 2400
> !
> crypto isakmp policy 20
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
> !
> !
> crypto ipsec transform-set DES_MD5 esp-des esp-md5-hmac
> crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
> !
> !
> !
> crypto map VPN local-address FastEthernet0/0
> crypto map VPN 10 ipsec-isakmp
>  set peer 10.4.4.4
>  set transform-set DES_MD5
>  match address vlan3_to_vlan44
> crypto map VPN 20 ipsec-isakmp
>  set peer 132.1.115.11
>  set transform-set 3DES_MD5
>  match address vlan3_to_vlan112
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> no voice hpi capture buffer
> no voice hpi capture destination
> !
> !
> mta receive maximum-recipients 0
> !
> !
> !
> !
> interface Loopback0
>  ip address 150.1.3.3 255.255.255.0
> !
> interface FastEthernet0/0
>  ip address 10.3.3.3 255.255.255.0
>  duplex auto
>  speed auto
> !
> interface FastEthernet0/1
>  ip address 132.1.33.3 255.255.255.0
>  duplex auto
>  speed auto
> !
> interface Serial1/0
>  no ip address
>  encapsulation frame-relay
> !
> interface Serial1/0.1234 point-to-point
>  ip address 132.1.0.3 255.255.255.0
>  ip ospf network point-to-multipoint
>  frame-relay interface-dlci 302
>  crypto map VPN
> !
> interface Serial1/1
>  no ip address
>  encapsulation frame-relay
> !
> interface Serial1/1.35 point-to-point
>  ip address 132.1.35.3 255.255.255.0
>  frame-relay interface-dlci 315
>  crypto map VPN
> !
> interface Serial1/2
>  no ip address
>  shutdown
> !
> interface Serial1/3
>  no ip address
>  shutdown
> !
> router ospf 1
>  router-id 150.1.3.3
>  log-adjacency-changes
>  redistribute connected subnets route-map CONNECTED_TO_OSPF
>  network 132.1.0.3 0.0.0.0 area 0
>  network 132.1.35.3 0.0.0.0 area 345
>  network 150.1.3.3 0.0.0.0 area 0
> !
> router bgp 100
>  no synchronization
>  bgp router-id 150.1.3.3
>  bgp log-neighbor-changes
>  neighbor 150.1.2.2 remote-as 100
>  neighbor 150.1.2.2 update-source Loopback0
>  no auto-summary
> !
> ip http server
> no ip http secure-server
> ip classless
> ip route 132.1.115.0 255.255.255.0 132.1.35.5
> ip route 192.10.6.0 255.255.255.0 132.1.35.6
> !
> !
> !
> ip access-list extended vlan3_to_vlan112
>  permit ip 10.3.3.0 0.0.0.255 192.10.6.0 0.0.0.255
> ip access-list extended vlan3_to_vlan44
>  permit ip 10.3.3.0 0.0.0.255 10.4.4.0 0.0.0.255
> !
> !
> route-map CONNECTED_TO_OSPF permit 10
>  match interface FastEthernet0/0
> !
> !
> call rsvp-sync
> !
> !
> mgcp profile default
> !
> !
> !
> dial-peer cor custom
> !
> !
> !
> !
> !
> line con 0
>  exec-timeout 0 0
>  privilege level 15
>  logging synchronous
> line aux 0
>  exec-timeout 0 0
>  privilege level 15
> line vty 0 4
>  password cisco
>  login
> !
> !
> end
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
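As an added example (not code from the thread or from either poster), a small Python helper that reduces a `debug crypto isakmp` trace like the one quoted above to where main mode stalled: on this trace it shows the phase 1 policy was accepted (IKE_I_MM2 reached) and the router then sat in IKE_I_MM3 retransmitting its key exchange while the only reply was an unauthenticated notify, which points at the peer side rather than at the policy. The sample lines are a constructed excerpt of the posted debug, and the state meanings are my assumptions about the IOS initiator states.

```python
import re
from collections import Counter

# Constructed excerpt of the "debug crypto isakmp" trace quoted in the thread,
# with wrapped lines rejoined; timestamps and states as posted.
DEBUG = """\
Jun 16 16:22:33.834: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
Jun 16 16:22:34.043: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
Jun 16 16:22:34.323: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
Jun 16 16:22:44.432: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM3
Jun 16 16:23:33.837: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
RETRANS_RE = re.compile(r"retransmitting phase 1 (\w+)")

# Assumed meaning of a stall in each IOS main-mode initiator state:
# odd states are "we sent", even states are "peer answered".
MM_MEANING = {
    "IKE_I_MM1": "SA proposal sent, peer never answered",
    "IKE_I_MM2": "peer accepted a phase 1 policy",
    "IKE_I_MM3": "key exchange sent, peer never returned its own",
    "IKE_I_MM4": "peer key exchange received",
    "IKE_I_MM5": "identity and hash sent, peer did not authenticate us",
    "IKE_I_MM6": "peer authenticated, phase 1 complete",
}

def summarize_phase1(debug_text):
    """Reduce ISAKMP debug lines to where main mode stalled and what was seen."""
    transitions, retransmits, unauth_notifies = [], Counter(), 0
    for line in debug_text.splitlines():
        if m := STATE_RE.search(line):
            transitions.append(m.groups())
        if m := RETRANS_RE.search(line):
            retransmits[m.group(1)] += 1
        if "Notify has no hash" in line:  # unauthenticated notify, ignored by IOS
            unauth_notifies += 1
    reached = sorted(s for _, s in transitions if s in MM_MEANING)
    furthest = reached[-1] if reached else None
    return {
        "furthest_state": furthest,
        "meaning": MM_MEANING.get(furthest, "no main-mode state reached"),
        "policy_matched": "IKE_I_MM2" in reached,
        "retransmits": dict(retransmits),
        "unauthenticated_notifies": unauth_notifies,
        "torn_down": any(s == "IKE_DEST_SA" for _, s in transitions),
    }
```

Calling `summarize_phase1(DEBUG)` on the quoted trace reports IKE_I_MM3 as the furthest state with the policy matched, two MM_SA_SETUP retransmits and one rejected notify before the SA is torn down.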



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:21 ART