Re: VPN won't come up

From: Bill Eyer (beyer@optonline.net)
Date: Mon Jun 16 2008 - 20:54:50 ART


Dane,

Do you have the config for the other side?

Bill

Dane Newman wrote:
> I am doing a LAN to LAN vpn as per the scenario with a router and the
> vpn3k. Below is the debug. I see that during the isakmp phase 1 it finds a
> policy on both devices that match but after that when I debug crypt isa
> error it shows the only error to be
>
> Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
>
>
> I looked that up online and it said
>
>
> Indicates that the notify message received from the peer lacked a valid
> hash. This means that the notify message was not authenticated. For security
> reasons, this message is ignored.
> http://www.cisco.com/univercd/cc/td/doc/product/vpn/solution/aswan15/omt/omt_03a.htm
>
>
> anyone able to comment?
>
> Rack1R3#ping 192.10.6.254 source 10.3.3.3
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.10.6.254, timeout is 2 seconds:
> Packet sent with a source address of 10.3.3.3
> Jun 16 16:22:33.830: ISAKMP: received ke message (1/1)
> Jun 16 16:22:33.830: ISAKMP (0:0): SA request profile is (NULL)
> Jun 16 16:22:33.830: ISAKMP: local port 500, remote port 500
> Jun 16 16:22:33.830: ISAKMP: set new node 0 to QM_IDLE
> Jun 16 16:22:33.834: ISAKMP: insert sa successfully sa = 83B46590
> Jun 16 16:22:33.834: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
> Jun 16 16:22:33.834: ISAKMP: Looking for a matching key for 132.1.115.11 in default : success
> Jun 16 16:22:33.834: ISAKMP (0:1): found peer pre-shared key matching 132.1.115.11
> Jun 16 16:22:33.834: ISAKMP (0:1): constructed NAT-T vendor-03 ID
> Jun 16 16:22:33.834: ISAKMP (0:1): constructed NAT-T vendor-02 ID
> Jun 16 16:22:33.834: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
> Jun 16 16:22:33.834: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
> Jun 16 16:22:33.838: ISAKMP (0:1): beginning Main Mode exchange
> Jun 16 16:22:33.838: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_NO_STATE
> Jun 16 16:22:34.043: ISAKMP (0:1): received packet from 132.1.115.11 dport 500 sport 500 Global (I) MM_NO_STATE
> Jun 16 16:22:34.043: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> Jun 16 16:22:34.043: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
> Jun 16 16:22:34.047: ISAKMP (0:1): processing SA payload. message ID = 0
> Jun 16 16:22:34.047: ISAKMP (0:1): processing vendor id payload
> Jun 16 16:22:34.047: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
> Jun 16 16:22:34.047: ISAKMP: Looking for a matching key for 132.1.115.11 in default : success
> Jun 16 16:22:34.047: ISAKMP (0:1): found peer pre-shared key matching 132.1.115.11
> Jun 16 16:22:34.047: ISAKMP (0:1) local preshared key found
> Jun 16 16:22:34.047: ISAKMP : Scanning profiles for xauth ...
> Jun 16 16:22:34.051: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
> Jun 16 16:22:34.051: ISAKMP: encryption 3DES-CBC
> Jun 16 16:22:34.051: ISAKMP: hash MD5
> Jun 16 16:22:34.051: ISAKMP: default group 2
> Jun 16 16:22:34.051: ISAKMP: auth pre-share
> Jun 16 16:22:34.051: ISAKMP: life type in seconds
> Jun 16 16:22:34.051: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
> Jun 16 16:22:34.051: ISAKMP (0:1): atts are acceptable. Next payload is 0
> Jun 16 16:22:34.315: ISAKMP (0:1): processing vendor id payload
> Jun 16 16:22:34.315: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
> Jun 16 16:22:34.315: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
> Jun 16 16:22:34.319: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
> Jun 16 16:22:34.319: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_SA_SETUP
> Jun 16 16:22:34.323: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
> Jun 16 16:22:34.323: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
> ....
> Success rate is 0 percent (0/5)
> Rack1R3#
> Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
> Jun 16 16:22:44.323: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
> Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
> Jun 16 16:22:44.323: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_SA_SETUP
> Jun 16 16:22:44.428: ISAKMP (0:1): received packet from 132.1.115.11 dport 500 sport 500 Global (I) MM_SA_SETUP
> Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
> Jun 16 16:22:44.432: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
> Jun 16 16:22:44.432: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM3
> Rack1R3#
> Jun 16 16:23:03.831: ISAKMP: received ke message (1/1)
> Jun 16 16:23:03.831: ISAKMP: set new node 0 to QM_IDLE
> Jun 16 16:23:03.831: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 10.3.3.3, remote 132.1.115.11)
> Rack1R3#
> Jun 16 16:23:33.833: ISAKMP: received ke message (3/1)
> Jun 16 16:23:33.833: ISAKMP (0:1): peer does not do paranoid keepalives.
> Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer 132.1.115.11) input queue 0
> Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer 132.1.115.11) input queue 0
> Jun 16 16:23:33.837: ISAKMP (0:1): deleting node -492041071 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
> Jun 16 16:23:33.837: ISAKMP (0:1): deleting node -1371117716 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
> Rack1R3#
> Jun 16 16:23:33.837: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
> Jun 16 16:23:33.837: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_DEST_SA
> Rack1R3#
> Jun 16 16:24:23.839: ISAKMP (0:1): purging node -492041071
> Jun 16 16:24:23.839: ISAKMP (0:1): purging node -1371117716
> Rack1R3#
> Jun 16 16:24:33.839: ISAKMP (0:1): purging SA., sa=83B46590, delme=83B46590
> Rack1R3#u all
> All possible debugging has been turned off
> Rack1R3#
>
> Rack1R3#show run
> Building configuration...
> Current configuration : 3053 bytes
> !
> ! Last configuration change at 16:18:44 UTC Mon Jun 16 2008
> ! NVRAM config last updated at 15:46:05 UTC Mon Jun 16 2008
> !
> version 12.2
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname Rack1R3
> !
> logging queue-limit 100
> enable password cisco
> !
> ip subnet-zero
> !
> !
> no ip domain lookup
> !
> ip audit notify log
> ip audit po max-events 100
> mpls ldp logging neighbor-changes
> !
> !
> !
> crypto isakmp policy 1
> encr 3des
> hash md5
> authentication pre-share
> group 2
> !
> crypto isakmp policy 10
> authentication pre-share
> lifetime 2400
> !
> crypto isakmp policy 20
> encr 3des
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
> !
> !
> crypto ipsec transform-set DES_MD5 esp-des esp-md5-hmac
> crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
> !
> !
> !
> crypto map VPN local-address FastEthernet0/0
> crypto map VPN 10 ipsec-isakmp
> set peer 10.4.4.4
> set transform-set DES_MD5
> match address vlan3_to_vlan44
> crypto map VPN 20 ipsec-isakmp
> set peer 132.1.115.11
> set transform-set 3DES_MD5
> match address vlan3_to_vlan112
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> no voice hpi capture buffer
> no voice hpi capture destination
> !
> !
> mta receive maximum-recipients 0
> !
> !
> !
> !
> interface Loopback0
> ip address 150.1.3.3 255.255.255.0
> !
> interface FastEthernet0/0
> ip address 10.3.3.3 255.255.255.0
> duplex auto
> speed auto
> !
> interface FastEthernet0/1
> ip address 132.1.33.3 255.255.255.0
> duplex auto
> speed auto
> !
> interface Serial1/0
> no ip address
> encapsulation frame-relay
> !
> interface Serial1/0.1234 point-to-point
> ip address 132.1.0.3 255.255.255.0
> ip ospf network point-to-multipoint
> frame-relay interface-dlci 302
> crypto map VPN
> !
> interface Serial1/1
> no ip address
> encapsulation frame-relay
> !
> interface Serial1/1.35 point-to-point
> ip address 132.1.35.3 255.255.255.0
> frame-relay interface-dlci 315
> crypto map VPN
> !
> interface Serial1/2
> no ip address
> shutdown
> !
> interface Serial1/3
> no ip address
> shutdown
> !
> router ospf 1
> router-id 150.1.3.3
> log-adjacency-changes
> redistribute connected subnets route-map CONNECTED_TO_OSPF
> network 132.1.0.3 0.0.0.0 area 0
> network 132.1.35.3 0.0.0.0 area 345
> network 150.1.3.3 0.0.0.0 area 0
> !
> router bgp 100
> no synchronization
> bgp router-id 150.1.3.3
> bgp log-neighbor-changes
> neighbor 150.1.2.2 remote-as 100
> neighbor 150.1.2.2 update-source Loopback0
> no auto-summary
> !
> ip http server
> no ip http secure-server
> ip classless
> ip route 132.1.115.0 255.255.255.0 132.1.35.5
> ip route 192.10.6.0 255.255.255.0 132.1.35.6
> !
> !
> !
> ip access-list extended vlan3_to_vlan112
> permit ip 10.3.3.0 0.0.0.255 192.10.6.0 0.0.0.255
> ip access-list extended vlan3_to_vlan44
> permit ip 10.3.3.0 0.0.0.255 10.4.4.0 0.0.0.255
> !
> !
> route-map CONNECTED_TO_OSPF permit 10
> match interface FastEthernet0/0
> !
> !
> call rsvp-sync
> !
> !
> mgcp profile default
> !
> !
> !
> dial-peer cor custom
> !
> !
> !
> !
> !
> line con 0
> exec-timeout 0 0
> privilege level 15
> logging synchronous
> line aux 0
> exec-timeout 0 0
> privilege level 15
> line vty 0 4
> password cisco
> login
> !
> !
> end
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
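The "Notify has no hash. Rejected." line in the quoted debug is the router applying a structural rule from RFC 2408/2409: an ISAKMP Informational exchange is only trusted if its first payload is a HASH payload keyed from the phase 1 SA, and during main mode, before SKEYID exists, a peer can only send the notify in the clear, so there is nothing to authenticate it with. The following Python is an added example written for this archive page, not code from the original post or from Cisco; it serialises minimal ISAKMP messages (28-byte header plus generic payload headers), parses them back, and applies the same accept/reject decision. The cookies, the placeholder HASH bytes and the choice of NO-PROPOSAL-CHOSEN as the sample notify type are constructed sample data and are not taken from the thread; the thread never shows which notify type the VPN 3000 sent.

```python
import struct

# Constants from RFC 2408 (ISAKMP) and RFC 2409 (IKEv1).
PAYLOAD_HASH, PAYLOAD_NOTIFY = 8, 11
EXCH_MAIN_MODE, EXCH_INFORMATIONAL = 2, 5
FLAG_ENCRYPTION = 0x01
NOTIFY_NO_PROPOSAL_CHOSEN = 14        # a real notify type, used here only as sample data

# ISAKMP header: icookie(8) rcookie(8) next payload(1) version(1)
# exchange type(1) flags(1) message id(4) total length(4) = 28 bytes.
HDR = struct.Struct("!8s8sBBBBII")
# Generic payload header: next payload(1) reserved(1) payload length(2).
GEN = struct.Struct("!BBH")


def build_message(icookie, rcookie, exch, payloads, flags=0, msgid=0):
    """Serialise an ISAKMP message. payloads is [(payload_type, body_bytes), ...]."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += GEN.pack(nxt, 0, GEN.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    return HDR.pack(icookie, rcookie, first, 0x10, exch, flags, msgid,
                    HDR.size + len(body)) + body


def notify_body(notify_type, doi=1, proto=1, spi=b""):
    """Notification payload body: DOI(4) protocol(1) SPI size(1) type(2) SPI."""
    return struct.pack("!IBBH", doi, proto, len(spi), notify_type) + spi


def parse_notify(body):
    """Return (doi, protocol, notify_type, spi) from a Notification payload body."""
    doi, proto, spi_size, ntype = struct.unpack_from("!IBBH", body)
    return doi, proto, ntype, body[8:8 + spi_size]


def parse_payloads(msg):
    """Walk the payload chain; returns (exchange type, flags, [(type, body), ...])."""
    _, _, nxt, _, exch, flags, _, length = HDR.unpack_from(msg)
    if length != len(msg):
        raise ValueError("header length %d does not match %d bytes received" % (length, len(msg)))
    out, off = [], HDR.size
    while nxt != 0:
        n2, _, plen = GEN.unpack_from(msg, off)
        if plen < GEN.size or off + plen > len(msg):
            raise ValueError("bad payload length at offset %d" % off)
        out.append((nxt, msg[off + GEN.size:off + plen]))
        nxt, off = n2, off + plen
    return exch, flags, out


def classify_notify(msg):
    """The rule behind IOS's 'Notify has no hash. Rejected.' debug line.

    A notify is only eligible for authentication when it travels in an
    Informational exchange whose first payload is HASH; anything else is
    discarded without acting on it. Verifying HASH(1) itself needs SKEYID_a
    and is out of scope here."""
    exch, flags, payloads = parse_payloads(msg)
    types = [t for t, _ in payloads]
    if PAYLOAD_NOTIFY not in types:
        return "not a notify"
    if exch == EXCH_INFORMATIONAL and types[0] == PAYLOAD_HASH:
        return "authenticated notify: verify HASH(1) under SKEYID_a before acting on it"
    return "Notify has no hash. Rejected."


# Constructed sample messages (cookies and hash bytes are placeholders).
IC, RC = b"\x11" * 8, b"\x22" * 8
BARE_NOTIFY = build_message(IC, RC, EXCH_INFORMATIONAL,
                            [(PAYLOAD_NOTIFY, notify_body(NOTIFY_NO_PROPOSAL_CHOSEN))])
HASHED_NOTIFY = build_message(IC, RC, EXCH_INFORMATIONAL,
                              [(PAYLOAD_HASH, b"\x00" * 16),   # placeholder, not a computed HASH(1)
                               (PAYLOAD_NOTIFY, notify_body(NOTIFY_NO_PROPOSAL_CHOSEN))],
                              flags=FLAG_ENCRYPTION, msgid=0x1234)

if __name__ == "__main__":
    for name, m in (("bare", BARE_NOTIFY), ("hashed", HASHED_NOTIFY)):
        print(name, len(m), "bytes ->", classify_notify(m))
```

The bare message is what a responder can send while the initiator is still at MM3: the rejected line in the debug tells you the peer did answer, but with an error the router refuses to act on because it cannot authenticate it, which is why the reason has to be read from the VPN 3000's own event log rather than from this side.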

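Reading the state machine out of the debug is the quickest way to answer the question in the thread. The initiator walks IKE_I_MM1 (SA proposal sent), IKE_I_MM2 (peer's SA choice received), IKE_I_MM3 (our KE and nonce sent), IKE_I_MM4 (peer's KE and nonce received), IKE_I_MM5 and IKE_I_MM6 (the encrypted identity/hash exchange) and then IKE_P1_COMPLETE; the furthest state reached tells you which message never arrived. The script below is an added example for this page, not code from the post or from Cisco. It parses the "Old State/New State", retransmit, peer and "Notify has no hash" lines from the quoted output (embedded, trimmed, as sample input) and produces a short finding list; the second sample, DEBUG_OK, is constructed to show what a completed phase 1 looks like and is not from the thread.

```python
import re
from collections import Counter

# Initiator main-mode states in order, as IOS names them.
MM_ORDER = ["IKE_READY", "IKE_I_MM1", "IKE_I_MM2", "IKE_I_MM3",
            "IKE_I_MM4", "IKE_I_MM5", "IKE_I_MM6", "IKE_P1_COMPLETE"]

# What is missing when phase 1 stops at a given state.
NEXT_STEP = {
    "IKE_I_MM1": "MM2 (peer's SA choice) never arrived: peer unreachable, UDP/500 filtered, or no ISAKMP policy on the peer matches ours",
    "IKE_I_MM2": "MM3 (our KE and nonce) was never sent: local failure after the SA payload was accepted",
    "IKE_I_MM3": "MM4 (peer's KE and nonce) never arrived: the peer accepted our proposal but did not answer the DH exchange; its own log carries the reason",
    "IKE_I_MM4": "MM5 (our ID and hash) was never sent",
    "IKE_I_MM5": "MM6 (peer's ID and hash) never arrived: typically pre-shared key or identity mismatch on the peer",
    "IKE_I_MM6": "MM6 arrived but phase 1 did not complete: we could not verify the peer's hash",
}

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
PEER_RE = re.compile(r"(?:sending packet to|received packet from) (\d+\.\d+\.\d+\.\d+)")

# Sample input: lines copied (trimmed) from the debug quoted above.
DEBUG = """\
Jun 16 16:22:33.834: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
Jun 16 16:22:34.043: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
Jun 16 16:22:34.051: ISAKMP (0:1): atts are acceptable. Next payload is 0
Jun 16 16:22:34.319: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jun 16 16:22:34.323: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
Jun 16 16:22:44.323: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
Jun 16 16:22:44.428: ISAKMP (0:1): received packet from 132.1.115.11 dport 500 sport 500 Global (I) MM_SA_SETUP
Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
Jun 16 16:22:44.432: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jun 16 16:22:44.432: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM3
Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer 132.1.115.11) input queue 0
Jun 16 16:23:33.837: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_DEST_SA
"""

# Constructed (not from the post): the tail of a phase 1 that completed.
DEBUG_OK = """\
Jun 16 16:40:00.000: ISAKMP (0:2): Old State = IKE_I_MM5 New State = IKE_I_MM6
Jun 16 16:40:00.004: ISAKMP (0:2): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
"""


def triage(debug_text):
    """Summarise an initiator's 'debug crypto isakmp' output for one phase 1 attempt."""
    states, peers = [], Counter()
    retransmits, unauth_notify, sa_deleted = 0, False, False
    for line in debug_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            states.append(m.group(2))
        m = PEER_RE.search(line)
        if m:
            peers[m.group(1)] += 1
        # Count the error-counter line, not the two "retransmitting" lines IOS prints per retry.
        if "incrementing error counter on sa: retransmit phase 1" in line:
            retransmits += 1
        if "Notify has no hash" in line:
            unauth_notify = True
        if "deleting SA reason" in line:
            sa_deleted = True
    ranked = [s for s in states if s in MM_ORDER]
    furthest = max(ranked, key=MM_ORDER.index) if ranked else None
    findings = []
    if furthest == "IKE_P1_COMPLETE":
        findings.append("phase 1 completed; look at quick mode (phase 2) instead")
    elif furthest:
        findings.append("phase 1 stalled at %s: %s" % (furthest, NEXT_STEP.get(furthest, "unknown state")))
    if retransmits:
        findings.append("%d retransmit(s) of the last main-mode message" % retransmits)
    if unauth_notify:
        findings.append("peer sent an informational notify without a HASH payload; IOS discards "
                        "unauthenticated notifies, so the peer's error reason is only visible on the peer")
    if sa_deleted:
        findings.append("SA torn down before phase 1 finished")
    return {"peer": peers.most_common(1)[0][0] if peers else None,
            "states": states, "furthest": furthest, "retransmits": retransmits,
            "unauthenticated_notify": unauth_notify, "sa_deleted": sa_deleted,
            "findings": findings}


if __name__ == "__main__":
    for label, text in (("thread", DEBUG), ("constructed OK", DEBUG_OK)):
        r = triage(text)
        print("%s: peer=%s furthest=%s" % (label, r["peer"], r["furthest"]))
        for f in r["findings"]:
            print("  -", f)
```

For the quoted run the script reports a stall at IKE_I_MM3 with one retransmit and an unauthenticated notify, which matches Bill's request for the other side's configuration: the local policy was accepted, so the remaining evidence lives on the VPN 3000.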


This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:21 ART