Re: VPN won't come up

From: Dane Newman (dane.newman@gmail.com)
Date: Mon Jun 16 2008 - 23:06:00 ART


In one of the requirements in the first part of the lab it told me to do

crypto map VPN local-address FastEthernet0/0

on the crypto map VPN on r3. So I didn't want to break the requirement from
the first part, so I set the peer on the VPN3k to fa0/0 of r3 (10.3.3.3). This
config should work, no?

Dane

On Mon, Jun 16, 2008 at 9:49 PM, Luan Nguyen <luan.m.nguyen@gmail.com>
wrote:

> Local-address should be Serial1/1.35
>
> -Luan
>
> On Mon, Jun 16, 2008 at 7:31 PM, Dane Newman <dane.newman@gmail.com>
> wrote:
>
>> I am doing a LAN to LAN VPN as per the scenario with a router and the
>> vpn3k. Below is the debug. I see that during the isakmp phase 1 it finds a
>> policy on both devices that matches, but after that, when I debug crypt isa
>> error, it shows the only error to be
>>
>> Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
>>
>>
>> I looked that up online and it said
>>
>>
>> Indicates that the notify message received from the peer lacked a valid
>> hash. This means that the notify message was not authenticated. For security
>> reasons, this message is ignored.
>>
>> http://www.cisco.com/univercd/cc/td/doc/product/vpn/solution/aswan15/omt/omt_03a.htm
>>
>>
>> anyone able to comment?
>>
>> Rack1R3#ping 192.10.6.254 source 10.3.3.3
>> Type escape sequence to abort.
>> Sending 5, 100-byte ICMP Echos to 192.10.6.254, timeout is 2 seconds:
>> Packet sent with a source address of 10.3.3.3
>> Jun 16 16:22:33.830: ISAKMP: received ke message (1/1)
>> Jun 16 16:22:33.830: ISAKMP (0:0): SA request profile is (NULL)
>> Jun 16 16:22:33.830: ISAKMP: local port 500, remote port 500
>> Jun 16 16:22:33.830: ISAKMP: set new node 0 to QM_IDLE
>> Jun 16 16:22:33.834: ISAKMP: insert sa successfully sa = 83B46590
>> Jun 16 16:22:33.834: ISAKMP (0:1): Can not start Aggressive mode, trying
>> Main mode.
>> Jun 16 16:22:33.834: ISAKMP: Looking for a matching key for 132.1.115.11in
>> default : success
>> Jun 16 16:22:33.834: ISAKMP (0:1): found peer pre-shared key matching
>> 132.1.115.11
>> Jun 16 16:22:33.834: ISAKMP (0:1): constructed NAT-T vendor-03 ID
>> Jun 16 16:22:33.834: ISAKMP (0:1): constructed NAT-T vendor-02 ID
>> Jun 16 16:22:33.834: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC,
>> IKE_SA_REQ_MM
>> Jun 16 16:22:33.834: ISAKMP (0:1): Old State = IKE_READY New State =
>> IKE_I_MM1
>> Jun 16 16:22:33.838: ISAKMP (0:1): beginning Main Mode exchange
>> Jun 16 16:22:33.838: ISAKMP (0:1): sending packet to 132.1.115.11 my_port
>> 500 peer_port 500 (I) MM_NO_STATE
>> Jun 16 16:22:34.043: ISAKMP (0:1): received packet from 132.1.115.11dport
>> 500 sport 500 Global (I) MM_NO_STATE
>> Jun 16 16:22:34.043: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
>> Jun 16 16:22:34.043: ISAKMP (0:1): Old State = IKE_I_MM1 New State =
>> IKE_I_MM2
>> Jun 16 16:22:34.047: ISAKMP (0:1): processing SA payload. message ID = 0
>> Jun 16 16:22:34.047: ISAKMP (0:1): processing vendor id payload
>> Jun 16 16:22:34.047: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194
>> mismatch
>> Jun 16 16:22:34.047: ISAKMP: Looking for a matching key for 132.1.115.11in
>> default : success
>> Jun 16 16:22:34.047: ISAKMP (0:1): found peer pre-shared key matching
>> 132.1.115.11
>> Jun 16 16:22:34.047: ISAKMP (0:1) local preshared key found
>> Jun 16 16:22:34.047: ISAKMP : Scanning profiles for xauth ...
>> Jun 16 16:22:34.051: ISAKMP (0:1): Checking IS.AKMP transform 1 against
>> priority 1 policy
>> Jun 16 16:22:34.051: ISAKMP: encryption 3DES-CBC
>> Jun 16 16:22:34.051: ISAKMP: hash MD5
>> Jun 16 16:22:34.051: ISAKMP: default group 2
>> Jun 16 16:22:34.051: ISAKMP: auth pre-share
>> Jun 16 16:22:34.051: ISAKMP: life type in seconds
>> Jun 16 16:22:34.051: ISAKMP: life duration (VPI) of 0x0 0x1 0x51
>> 0x80
>> Jun 16 16:22:34.051: ISAKMP (0:1): atts are acceptable. Next payload is 0
>> Jun 16 16:22:34.315: ISAKMP (0:1): processing vendor id payload
>> Jun 16 16:22:34.315: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194
>> mismatch
>> Jun 16 16:22:34.315: ISAKMP (0:1): Input = IKE_MESG_INTERNAL,
>> IKE_PROCESS_MAIN_MODE
>> Jun 16 16:22:34.319: ISAKMP (0:1): Old State = IKE_I_MM2 New State =
>> IKE_I_MM2
>> Jun 16 16:22:34.319: ISAKMP (0:1): sending packet to 132.1.115.11 my_port
>> 500 peer_port 500 (I) MM_SA_SETUP
>> Jun 16 16:22:34.323: ISAKMP (0:1): Input = IKE_MESG_INTERNAL,
>> IKE_PROCESS_COMPLETE
>> Jun 16 16:22:34.323: ISAKMP (0:1): Old State = IKE_I_MM2 New State =
>> IKE_I_MM3
>> ....
>> Success rate is 0 percent (0/5)
>> Rack1R3#
>> Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
>> Jun 16 16:22:44.323: ISAKMP (0:1): incrementing error counter on sa:
>> retransmit phase 1
>> Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
>> Jun 16 16:22:44.323: ISAKMP (0:1): sending packet to 132.1.115.11 my_port
>> 500 peer_port 500 (I) MM_SA_SETUP
>> Jun 16 16:22:44.428: ISAKMP (0:1): received packet from 132.1.115.11dport
>> 500 sport 500 Global (I) MM_SA_SETUP
>> Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
>> Jun 16 16:22:44.432: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER,
>> IKE_INFO_NOTIFY
>> Jun 16 16:22:44.432: ISAKMP (0:1): Old State = IKE_I_MM3 New State =
>> IKE_I_MM3
>> Rack1R3#
>> Jun 16 16:23:03.831: ISAKMP: received ke message (1/1)
>> Jun 16 16:23:03.831: ISAKMP: set new node 0 to QM_IDLE
>> Jun 16 16:23:03.831: ISAKMP (0:1): SA is still budding. Attached new ipsec
>> request to it. (local 10.3.3.3, remote 132.1.115.11)
>> Rack1R3#
>> Jun 16 16:23:33.833: ISAKMP: received ke message (3/1)
>> Jun 16 16:23:33.833: ISAKMP (0:1): peer does not do paranoid keepalives.
>> Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason
>> "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer
>> 132.1.115.11) input queue 0
>> Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason
>> "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer
>> 132.1.115.11) input queue 0
>> Jun 16 16:23:33.837: ISAKMP (0:1): deleting node -492041071 error TRUE
>> reason "gen_ipsec_isakmp_delete but doi isakmp"
>> Jun 16 16:23:33.837: ISAKMP (0:1): deleting node -1371117716 error TRUE
>> reason "gen_ipsec_isakmp_delete but doi isakmp"
>> Rack1R3#
>> Jun 16 16:23:33.837: ISAKMP (0:1): Input = IKE_MESG_INTERNAL,
>> IKE_PHASE1_DEL
>> Jun 16 16:23:33.837: ISAKMP (0:1): Old State = IKE_I_MM3 New State =
>> IKE_DEST_SA
>> Rack1R3#
>> Jun 16 16:24:23.839: ISAKMP (0:1): purging node -492041071
>> Jun 16 16:24:23.839: ISAKMP (0:1): purging node -1371117716
>> Rack1R3#
>> Jun 16 16:24:33.839: ISAKMP (0:1): purging SA., sa=83B46590,
>> delme=83B46590
>> Rack1R3#u all
>> All possible debugging has been turned off
>> Rack1R3#
>>
>> Rack1R3#show run
>> Building configuration...
>> Current configuration : 3053 bytes
>> !
>> ! Last configuration change at 16:18:44 UTC Mon Jun 16 2008
>> ! NVRAM config last updated at 15:46:05 UTC Mon Jun 16 2008
>> !
>> version 12.2
>> service timestamps debug datetime msec
>> service timestamps log datetime msec
>> no service password-encryption
>> !
>> hostname Rack1R3
>> !
>> logging queue-limit 100
>> enable password cisco
>> !
>> ip subnet-zero
>> !
>> !
>> no ip domain lookup
>> !
>> ip audit notify log
>> ip audit po max-events 100
>> mpls ldp logging neighbor-changes
>> !
>> !
>> !
>> crypto isakmp policy 1
>> encr 3des
>> hash md5
>> authentication pre-share
>> group 2
>> !
>> crypto isakmp policy 10
>> authentication pre-share
>> lifetime 2400
>> !
>> crypto isakmp policy 20
>> encr 3des
>> hash md5
>> authentication pre-share
>> group 2
>> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
>> !
>> !
>> crypto ipsec transform-set DES_MD5 esp-des esp-md5-hmac
>> crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
>> !
>> !
>> !
>> crypto map VPN local-address FastEthernet0/0
>> crypto map VPN 10 ipsec-isakmp
>> set peer 10.4.4.4
>> set transform-set DES_MD5
>> match address vlan3_to_vlan44
>> crypto map VPN 20 ipsec-isakmp
>> set peer 132.1.115.11
>> set transform-set 3DES_MD5
>> match address vlan3_to_vlan112
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> no voice hpi capture buffer
>> no voice hpi capture destination
>> !
>> !
>> mta receive maximum-recipients 0
>> !
>> !
>> !
>> !
>> interface Loopback0
>> ip address 150.1.3.3 255.255.255.0
>> !
>> interface FastEthernet0/0
>> ip address 10.3.3.3 255.255.255.0
>> duplex auto
>> speed auto
>> !
>> interface FastEthernet0/1
>> ip address 132.1.33.3 255.255.255.0
>> duplex auto
>> speed auto
>> !
>> interface Serial1/0
>> no ip address
>> encapsulation frame-relay
>> !
>> interface Serial1/0.1234 point-to-point
>> ip address 132.1.0.3 255.255.255.0
>> ip ospf network point-to-multipoint
>> frame-relay interface-dlci 302
>> crypto map VPN
>> !
>> interface Serial1/1
>> no ip address
>> encapsulation frame-relay
>> !
>> interface Serial1/1.35 point-to-point
>> ip address 132.1.35.3 255.255.255.0
>> frame-relay interface-dlci 315
>> crypto map VPN
>> !
>> interface Serial1/2
>> no ip address
>> shutdown
>> !
>> interface Serial1/3
>> no ip address
>> shutdown
>> !
>> router ospf 1
>> router-id 150.1.3.3
>> log-adjacency-changes
>> redistribute connected subnets route-map CONNECTED_TO_OSPF
>> network 132.1.0.3 0.0.0.0 area 0
>> network 132.1.35.3 0.0.0.0 area 345
>> network 150.1.3.3 0.0.0.0 area 0
>> !
>> router bgp 100
>> no synchronization
>> bgp router-id 150.1.3.3
>> bgp log-neighbor-changes
>> neighbor 150.1.2.2 remote-as 100
>> neighbor 150.1.2.2 update-source Loopback0
>> no auto-summary
>> !
>> ip http server
>> no ip http secure-server
>> ip classless
>> ip route 132.1.115.0 255.255.255.0 132.1.35.5
>> ip route 192.10.6.0 255.255.255.0 132.1.35.6
>> !
>> !
>> !
>> ip access-list extended vlan3_to_vlan112
>> permit ip 10.3.3.0 0.0.0.255 192.10.6.0 0.0.0.255
>> ip access-list extended vlan3_to_vlan44
>> permit ip 10.3.3.0 0.0.0.255 10.4.4.0 0.0.0.255
>> !
>> !
>> route-map CONNECTED_TO_OSPF permit 10
>> match interface FastEthernet0/0
>> !
>> !
>> call rsvp-sync
>> !
>> !
>> mgcp profile default
>> !
>> !
>> !
>> dial-peer cor custom
>> !
>> !
>> !
>> !
>> !
>> line con 0
>> exec-timeout 0 0
>> privilege level 15
>> logging synchronous
>> line aux 0
>> exec-timeout 0 0
>> privilege level 15
>> line vty 0 4
>> password cisco
>> login
>> !
>> !
>> end
>>
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
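An added example, not part of the thread and not a Cisco tool: a small Python script that triages the two artifacts Dane posted. It replays the quoted `debug crypto isakmp` lines through the IOS main-mode state machine and classifies the "Notify has no hash. Rejected." line for what it is (an informational notify arriving before the ISAKMP SA is authenticated, so the router cannot trust it and drops it), and it reads the relevant lines of the `show run` to report which interface the crypto map sources IKE from (`local-address`), where the map is applied, and which interface actually carries traffic towards the peer 132.1.115.11. The input strings are copied from the post and re-joined where the mail client wrapped them; the meaning of the MM_* state names and the "check what address the peer expects" hint in the diagnosis are assumptions drawn from standard IOS behaviour, not from the thread.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: lines from the "debug crypto isakmp" output quoted in the
# post, re-joined where the mail client wrapped them.
DEBUG_LINES = """\
Jun 16 16:22:33.834: ISAKMP (0:1): found peer pre-shared key matching 132.1.115.11
Jun 16 16:22:33.834: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
Jun 16 16:22:34.043: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
Jun 16 16:22:34.323: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
Jun 16 16:22:44.323: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
Jun 16 16:23:33.837: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_DEST_SA
"""
# Constructed input: the parts of the quoted "show run" that the check reads.
CONFIG = """\
crypto map VPN local-address FastEthernet0/0
crypto map VPN 20 ipsec-isakmp
 set peer 132.1.115.11
!
interface FastEthernet0/0
 ip address 10.3.3.3 255.255.255.0
!
interface Serial1/0.1234 point-to-point
 ip address 132.1.0.3 255.255.255.0
 crypto map VPN
!
interface Serial1/1.35 point-to-point
 ip address 132.1.35.3 255.255.255.0
 crypto map VPN
!
ip route 132.1.115.0 255.255.255.0 132.1.35.5
"""
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
PEER_RE = re.compile(r"pre-shared key matching (\d+(?:\.\d+){3})")
EXCH_RE = re.compile(r"\([IR]\) (MM_\w+|AG_\w+|QM_\w+)")
# IOS main-mode exchange states in which the ISAKMP SA is not yet authenticated (assumption).
UNAUTHENTICATED = {"MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH"}

@dataclass
class Phase1Summary:
    peer: Optional[str] = None
    states: List[str] = field(default_factory=list)  # internal states, de-duplicated
    exchange_state: Optional[str] = None              # last MM_*/AG_*/QM_* state seen
    retransmits: int = 0
    rejected_notifies: int = 0

    def diagnosis(self) -> str:
        if self.exchange_state == "QM_IDLE":
            return "phase 1 completed"
        if self.rejected_notifies and self.exchange_state in UNAUTHENTICATED:
            return (f"phase 1 stalled in {self.exchange_state}: peer {self.peer} replied with a notify "
                    "carrying no hash, which IOS discards because the SA is not yet authenticated; "
                    "confirm the peer is configured with this router's ISAKMP source address "
                    "(crypto map local-address) and has a route back to it")
        if self.retransmits:
            return f"no usable reply from {self.peer} in {self.exchange_state}: check reachability on UDP 500"
        return "no phase 1 problem found in this excerpt"

def summarize_isakmp(text: str) -> Phase1Summary:
    """Record the ISAKMP state machine, retransmits and rejected notifies from debug output."""
    s = Phase1Summary()
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            s.peer = m.group(1)
        m = STATE_RE.search(line)
        if m:
            old, new = m.groups()
            s.states = s.states or [old]
            if s.states[-1] != new:
                s.states.append(new)
        m = EXCH_RE.search(line)
        if m:
            s.exchange_state = m.group(1)
        s.retransmits += "retransmitting phase 1" in line
        s.rejected_notifies += "Notify has no hash" in line
    return s

def ike_source_report(config: str) -> dict:
    """Relate the map's local-address to where the map is applied and to the egress towards the peer."""
    local_if = peer = cur = None
    applied, addrs, routes = [], {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            cur = None                      # leave interface sub-mode
        elif re.match(r"crypto map \S+ local-address ", line):
            local_if = line.split()[-1]
        elif line.startswith("interface "):
            cur = line.split()[1]
        elif cur and line.startswith("ip address "):
            addrs[cur] = ipaddress.ip_interface("/".join(line.split()[2:4]))
        elif cur and re.fullmatch(r"crypto map \S+", line):
            applied.append(cur)             # map applied on this interface
        elif line.startswith("set peer "):
            peer = line.split()[2]
        elif line.startswith("ip route "):
            net, mask, nexthop = line.split()[2:5]
            routes.append((ipaddress.ip_network(f"{net}/{mask}"), ipaddress.ip_address(nexthop)))
    egress = None
    if peer:
        p = ipaddress.ip_address(peer)
        hops = [nh for net, nh in routes if p in net] + [p]   # static next hops, or the peer itself if connected
        egress = next(((n, str(a.ip)) for n, a in addrs.items() if any(h in a.network for h in hops)), None)
    local = (local_if, str(addrs[local_if].ip) if local_if in addrs else None)
    return {"local_address": local, "applied": applied, "peer": peer, "egress": egress,
            "local_address_is_egress": egress is not None and local[0] == egress[0]}
```

On the posted data the script reports a phase 1 stall in MM_SA_SETUP and that the map's local-address FastEthernet0/0 (10.3.3.3) is not the interface that carries traffic to the peer (Serial1/1.35, 132.1.35.3), which is the mismatch Luan's reply points at. Sourcing IKE from an inside address only works if the peer is configured for that exact address and can route back to it, so the two reports together tell you which side to look at next.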



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:21 ART