Re: VPN won't come up

From: Luan Nguyen (luan.m.nguyen@gmail.com)
Date: Mon Jun 16 2008 - 23:33:48 ART


Yeah, it should work...sorry, it just looks funny at the moment :P
So on the VPN side You have
interface = its WAN 131.1.115.11
bidirectional
peer 10.3.3.3
localnetwork ip address 192.10.6.254/0.0.0.0
remotenetwork 10.3.3.3/0.0.0.0
?
My only other suggestion would be on your router ACL, use permit host
10.3.3.3 host 192.10.6.254.

On Mon, Jun 16, 2008 at 10:06 PM, Dane Newman <dane.newman@gmail.com> wrote:

> In one of the requirements in the first part of the lab it told me to do
>
> crypto map VPN local-address FastEthernet0/0
>
> To the crypto map VPN on r3. So I didn't want to break the requirement on
> the first part, so I put into the VPN3k the peer was fa0/0 of r3 (10.3.3.3). This
> config should work, no?
>
> Dane
>
> On Mon, Jun 16, 2008 at 9:49 PM, Luan Nguyen <luan.m.nguyen@gmail.com>
> wrote:
>
>> Local-address should be Serial1/1.35
>>
>> -Luan
>>
>> On Mon, Jun 16, 2008 at 7:31 PM, Dane Newman <dane.newman@gmail.com>
>> wrote:
>>
>>> I am doing a LAN to LAN VPN as per the scenario with a router and the
>>> vpn3k. Below is the debug. I see that during the ISAKMP phase 1 it finds a
>>> policy on both devices that match, but after that when I debug crypt isa
>>> error it shows the only error to be
>>>
>>> Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
>>>
>>>
>>> I looked that up online and it said
>>>
>>>
>>> Indicates that the notify message received from the peer lacked a valid
>>> hash. This means that the notify message was not authenticated. For security
>>> reasons, this message is ignored.
>>>
>>> http://www.cisco.com/univercd/cc/td/doc/product/vpn/solution/aswan15/omt/omt_03a.htm
>>>
>>>
>>> anyone able to comment?
>>>
>>> Rack1R3#ping 192.10.6.254 source 10.3.3.3
>>> Type escape sequence to abort.
>>> Sending 5, 100-byte ICMP Echos to 192.10.6.254, timeout is 2 seconds:
>>> Packet sent with a source address of 10.3.3.3
>>> Jun 16 16:22:33.830: ISAKMP: received ke message (1/1)
>>> Jun 16 16:22:33.830: ISAKMP (0:0): SA request profile is (NULL)
>>> Jun 16 16:22:33.830: ISAKMP: local port 500, remote port 500
>>> Jun 16 16:22:33.830: ISAKMP: set new node 0 to QM_IDLE
>>> Jun 16 16:22:33.834: ISAKMP: insert sa successfully sa = 83B46590
>>> Jun 16 16:22:33.834: ISAKMP (0:1): Can not start Aggressive mode, trying
>>> Main mode.
>>> Jun 16 16:22:33.834: ISAKMP: Looking for a matching key for 132.1.115.11 in
>>> default : success
>>> Jun 16 16:22:33.834: ISAKMP (0:1): found peer pre-shared key matching
>>> 132.1.115.11
>>> Jun 16 16:22:33.834: ISAKMP (0:1): constructed NAT-T vendor-03 ID
>>> Jun 16 16:22:33.834: ISAKMP (0:1): constructed NAT-T vendor-02 ID
>>> Jun 16 16:22:33.834: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC,
>>> IKE_SA_REQ_MM
>>> Jun 16 16:22:33.834: ISAKMP (0:1): Old State = IKE_READY New State =
>>> IKE_I_MM1
>>> Jun 16 16:22:33.838: ISAKMP (0:1): beginning Main Mode exchange
>>> Jun 16 16:22:33.838: ISAKMP (0:1): sending packet to 132.1.115.11 my_port
>>> 500 peer_port 500 (I) MM_NO_STATE
>>> Jun 16 16:22:34.043: ISAKMP (0:1): received packet from 132.1.115.11 dport
>>> 500 sport 500 Global (I) MM_NO_STATE
>>> Jun 16 16:22:34.043: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER,
>>> IKE_MM_EXCH
>>> Jun 16 16:22:34.043: ISAKMP (0:1): Old State = IKE_I_MM1 New State =
>>> IKE_I_MM2
>>> Jun 16 16:22:34.047: ISAKMP (0:1): processing SA payload. message ID = 0
>>> Jun 16 16:22:34.047: ISAKMP (0:1): processing vendor id payload
>>> Jun 16 16:22:34.047: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
>>> Jun 16 16:22:34.047: ISAKMP: Looking for a matching key for 132.1.115.11 in
>>> default : success
>>> Jun 16 16:22:34.047: ISAKMP (0:1): found peer pre-shared key matching
>>> 132.1.115.11
>>> Jun 16 16:22:34.047: ISAKMP (0:1) local preshared key found
>>> Jun 16 16:22:34.047: ISAKMP : Scanning profiles for xauth ...
>>> Jun 16 16:22:34.051: ISAKMP (0:1): Checking ISAKMP transform 1 against
>>> priority 1 policy
>>> Jun 16 16:22:34.051: ISAKMP: encryption 3DES-CBC
>>> Jun 16 16:22:34.051: ISAKMP: hash MD5
>>> Jun 16 16:22:34.051: ISAKMP: default group 2
>>> Jun 16 16:22:34.051: ISAKMP: auth pre-share
>>> Jun 16 16:22:34.051: ISAKMP: life type in seconds
>>> Jun 16 16:22:34.051: ISAKMP: life duration (VPI) of 0x0 0x1 0x51
>>> 0x80
>>> Jun 16 16:22:34.051: ISAKMP (0:1): atts are acceptable. Next payload is 0
>>> Jun 16 16:22:34.315: ISAKMP (0:1): processing vendor id payload
>>> Jun 16 16:22:34.315: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
>>> Jun 16 16:22:34.315: ISAKMP (0:1): Input = IKE_MESG_INTERNAL,
>>> IKE_PROCESS_MAIN_MODE
>>> Jun 16 16:22:34.319: ISAKMP (0:1): Old State = IKE_I_MM2 New State =
>>> IKE_I_MM2
>>> Jun 16 16:22:34.319: ISAKMP (0:1): sending packet to 132.1.115.11 my_port
>>> 500 peer_port 500 (I) MM_SA_SETUP
>>> Jun 16 16:22:34.323: ISAKMP (0:1): Input = IKE_MESG_INTERNAL,
>>> IKE_PROCESS_COMPLETE
>>> Jun 16 16:22:34.323: ISAKMP (0:1): Old State = IKE_I_MM2 New State =
>>> IKE_I_MM3
>>> ....
>>> Success rate is 0 percent (0/5)
>>> Rack1R3#
>>> Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
>>> Jun 16 16:22:44.323: ISAKMP (0:1): incrementing error counter on sa:
>>> retransmit phase 1
>>> Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
>>> Jun 16 16:22:44.323: ISAKMP (0:1): sending packet to 132.1.115.11 my_port
>>> 500 peer_port 500 (I) MM_SA_SETUP
>>> Jun 16 16:22:44.428: ISAKMP (0:1): received packet from 132.1.115.11 dport
>>> 500 sport 500 Global (I) MM_SA_SETUP
>>> Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
>>> Jun 16 16:22:44.432: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER,
>>> IKE_INFO_NOTIFY
>>> Jun 16 16:22:44.432: ISAKMP (0:1): Old State = IKE_I_MM3 New State =
>>> IKE_I_MM3
>>> Rack1R3#
>>> Jun 16 16:23:03.831: ISAKMP: received ke message (1/1)
>>> Jun 16 16:23:03.831: ISAKMP: set new node 0 to QM_IDLE
>>> Jun 16 16:23:03.831: ISAKMP (0:1): SA is still budding. Attached new ipsec
>>> request to it. (local 10.3.3.3, remote 132.1.115.11)
>>> Rack1R3#
>>> Jun 16 16:23:33.833: ISAKMP: received ke message (3/1)
>>> Jun 16 16:23:33.833: ISAKMP (0:1): peer does not do paranoid keepalives.
>>> Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason
>>> "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer
>>> 132.1.115.11) input queue 0
>>> Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason
>>> "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer
>>> 132.1.115.11) input queue 0
>>> Jun 16 16:23:33.837: ISAKMP (0:1): deleting node -492041071 error TRUE
>>> reason "gen_ipsec_isakmp_delete but doi isakmp"
>>> Jun 16 16:23:33.837: ISAKMP (0:1): deleting node -1371117716 error TRUE
>>> reason "gen_ipsec_isakmp_delete but doi isakmp"
>>> Rack1R3#
>>> Jun 16 16:23:33.837: ISAKMP (0:1): Input = IKE_MESG_INTERNAL,
>>> IKE_PHASE1_DEL
>>> Jun 16 16:23:33.837: ISAKMP (0:1): Old State = IKE_I_MM3 New State =
>>> IKE_DEST_SA
>>> Rack1R3#
>>> Jun 16 16:24:23.839: ISAKMP (0:1): purging node -492041071
>>> Jun 16 16:24:23.839: ISAKMP (0:1): purging node -1371117716
>>> Rack1R3#
>>> Jun 16 16:24:33.839: ISAKMP (0:1): purging SA., sa=83B46590,
>>> delme=83B46590
>>> Rack1R3#u all
>>> All possible debugging has been turned off
>>> Rack1R3#
>>>
>>> Rack1R3#show run
>>> Building configuration...
>>> Current configuration : 3053 bytes
>>> !
>>> ! Last configuration change at 16:18:44 UTC Mon Jun 16 2008
>>> ! NVRAM config last updated at 15:46:05 UTC Mon Jun 16 2008
>>> !
>>> version 12.2
>>> service timestamps debug datetime msec
>>> service timestamps log datetime msec
>>> no service password-encryption
>>> !
>>> hostname Rack1R3
>>> !
>>> logging queue-limit 100
>>> enable password cisco
>>> !
>>> ip subnet-zero
>>> !
>>> !
>>> no ip domain lookup
>>> !
>>> ip audit notify log
>>> ip audit po max-events 100
>>> mpls ldp logging neighbor-changes
>>> !
>>> !
>>> !
>>> crypto isakmp policy 1
>>> encr 3des
>>> hash md5
>>> authentication pre-share
>>> group 2
>>> !
>>> crypto isakmp policy 10
>>> authentication pre-share
>>> lifetime 2400
>>> !
>>> crypto isakmp policy 20
>>> encr 3des
>>> hash md5
>>> authentication pre-share
>>> group 2
>>> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
>>> !
>>> !
>>> crypto ipsec transform-set DES_MD5 esp-des esp-md5-hmac
>>> crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
>>> !
>>> !
>>> !
>>> crypto map VPN local-address FastEthernet0/0
>>> crypto map VPN 10 ipsec-isakmp
>>> set peer 10.4.4.4
>>> set transform-set DES_MD5
>>> match address vlan3_to_vlan44
>>> crypto map VPN 20 ipsec-isakmp
>>> set peer 132.1.115.11
>>> set transform-set 3DES_MD5
>>> match address vlan3_to_vlan112
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> no voice hpi capture buffer
>>> no voice hpi capture destination
>>> !
>>> !
>>> mta receive maximum-recipients 0
>>> !
>>> !
>>> !
>>> !
>>> interface Loopback0
>>> ip address 150.1.3.3 255.255.255.0
>>> !
>>> interface FastEthernet0/0
>>> ip address 10.3.3.3 255.255.255.0
>>> duplex auto
>>> speed auto
>>> !
>>> interface FastEthernet0/1
>>> ip address 132.1.33.3 255.255.255.0
>>> duplex auto
>>> speed auto
>>> !
>>> interface Serial1/0
>>> no ip address
>>> encapsulation frame-relay
>>> !
>>> interface Serial1/0.1234 point-to-point
>>> ip address 132.1.0.3 255.255.255.0
>>> ip ospf network point-to-multipoint
>>> frame-relay interface-dlci 302
>>> crypto map VPN
>>> !
>>> interface Serial1/1
>>> no ip address
>>> encapsulation frame-relay
>>> !
>>> interface Serial1/1.35 point-to-point
>>> ip address 132.1.35.3 255.255.255.0
>>> frame-relay interface-dlci 315
>>> crypto map VPN
>>> !
>>> interface Serial1/2
>>> no ip address
>>> shutdown
>>> !
>>> interface Serial1/3
>>> no ip address
>>> shutdown
>>> !
>>> router ospf 1
>>> router-id 150.1.3.3
>>> log-adjacency-changes
>>> redistribute connected subnets route-map CONNECTED_TO_OSPF
>>> network 132.1.0.3 0.0.0.0 area 0
>>> network 132.1.35.3 0.0.0.0 area 345
>>> network 150.1.3.3 0.0.0.0 area 0
>>> !
>>> router bgp 100
>>> no synchronization
>>> bgp router-id 150.1.3.3
>>> bgp log-neighbor-changes
>>> neighbor 150.1.2.2 remote-as 100
>>> neighbor 150.1.2.2 update-source Loopback0
>>> no auto-summary
>>> !
>>> ip http server
>>> no ip http secure-server
>>> ip classless
>>> ip route 132.1.115.0 255.255.255.0 132.1.35.5
>>> ip route 192.10.6.0 255.255.255.0 132.1.35.6
>>> !
>>> !
>>> !
>>> ip access-list extended vlan3_to_vlan112
>>> permit ip 10.3.3.0 0.0.0.255 192.10.6.0 0.0.0.255
>>> ip access-list extended vlan3_to_vlan44
>>> permit ip 10.3.3.0 0.0.0.255 10.4.4.0 0.0.0.255
>>> !
>>> !
>>> route-map CONNECTED_TO_OSPF permit 10
>>> match interface FastEthernet0/0
>>> !
>>> !
>>> call rsvp-sync
>>> !
>>> !
>>> mgcp profile default
>>> !
>>> !
>>> !
>>> dial-peer cor custom
>>> !
>>> !
>>> !
>>> !
>>> !
>>> line con 0
>>> exec-timeout 0 0
>>> privilege level 15
>>> logging synchronous
>>> line aux 0
>>> exec-timeout 0 0
>>> privilege level 15
>>> line vty 0 4
>>> password cisco
>>> login
>>> !
>>> !
>>> end
>>>
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
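Two checks worth scripting when reading a thread like this one, as an added example that is not code from any of the posters: a summary of how far the `debug crypto isakmp` output got through main mode before the SA was deleted, and a test of Luan's ACL suggestion, namely whether R3's crypto ACL and the VPN3k's local/remote network pair are exact mirrors. The debug excerpt is a subset of the lines R3 printed above; the VPN3k entries are the ones Luan restated (192.10.6.254/0.0.0.0 local, 10.3.3.3/0.0.0.0 remote). The mirror check only covers the phase 2 proxy identities; it does not diagnose the unauthenticated notify seen in phase 1.

```python
"""Summarise an IOS ISAKMP debug and check LAN-to-LAN proxy identities."""
import ipaddress
import re
from collections import Counter

# Subset of the R3 debug lines quoted in the thread (constructed excerpt).
DEBUG = """\
Jun 16 16:22:33.834: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
Jun 16 16:22:34.043: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
Jun 16 16:22:34.051: ISAKMP (0:1): atts are acceptable. Next payload is 0
Jun 16 16:22:34.323: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
Jun 16 16:22:44.432: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM3
Jun 16 16:23:33.837: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_DEST_SA
"""

# Initiator main-mode states in the order IOS walks them; IKE_P1_COMPLETE
# is only reached once the peer has been authenticated.
MM_ORDER = ["IKE_READY", "IKE_I_MM1", "IKE_I_MM2", "IKE_I_MM3",
            "IKE_I_MM4", "IKE_I_MM5", "IKE_I_MM6", "IKE_P1_COMPLETE"]
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")


def summarize_isakmp(debug_text):
    """Return the furthest main-mode state reached, the final state, and
    counts of retransmits and notifies rejected for lacking a hash."""
    counts = Counter()
    final_state = None
    furthest = -1
    for line in debug_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            final_state = m.group(2)
            if final_state in MM_ORDER:
                furthest = max(furthest, MM_ORDER.index(final_state))
        if "retransmitting phase 1" in line:
            counts["retransmits"] += 1
        if "Notify has no hash" in line:
            # IOS drops notifies that carry no HASH payload: unauthenticated input.
            counts["unauthenticated_notifies"] += 1
    return {
        "furthest_state": MM_ORDER[furthest] if furthest >= 0 else None,
        "phase1_completed": furthest == MM_ORDER.index("IKE_P1_COMPLETE"),
        "final_state": final_state,
        "retransmits": counts["retransmits"],
        "unauthenticated_notifies": counts["unauthenticated_notifies"],
    }


def wildcard_to_network(addr, wildcard):
    """IOS ACL / VPN3k notation: address plus wildcard mask (0.0.0.0 = host)."""
    host_bits = int(ipaddress.IPv4Address(wildcard))
    if host_bits != (1 << host_bits.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefix = 32 - host_bits.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def proxy_ids_match(our_side, peer_side):
    """Each side is (local_net, remote_net). For the SA to match, the peer's
    (local, remote) must be our (remote, local) exactly."""
    return our_side == (peer_side[1], peer_side[0])


# R3's crypto ACL vlan3_to_vlan112 as posted: two /24s.
R3_ACL = (wildcard_to_network("10.3.3.0", "0.0.0.255"),
          wildcard_to_network("192.10.6.0", "0.0.0.255"))
# Luan's suggested replacement: permit host 10.3.3.3 host 192.10.6.254.
R3_HOST_ACL = (wildcard_to_network("10.3.3.3", "0.0.0.0"),
               wildcard_to_network("192.10.6.254", "0.0.0.0"))
# VPN3k LAN-to-LAN entry as Luan restated it (local, remote).
VPN3K = (wildcard_to_network("192.10.6.254", "0.0.0.0"),
         wildcard_to_network("10.3.3.3", "0.0.0.0"))

if __name__ == "__main__":
    print(summarize_isakmp(DEBUG))
    print("posted ACL mirrors VPN3k:", proxy_ids_match(R3_ACL, VPN3K))
    print("host ACL mirrors VPN3k:  ", proxy_ids_match(R3_HOST_ACL, VPN3K))
```

Run against the posted debug, the summary reports that the SA never got past IKE_I_MM3 (R3 sent its third main-mode message, retransmitted it, and received only a notify without a hash before deleting the SA), so phase 1 never reached authentication. The proxy-identity check shows the posted /24 ACL is not a mirror of the concentrator's host-to-host pair, while the host ACL Luan suggests is.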



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:21 ART