From: Dane Newman (dane.newman@gmail.com)
Date: Tue Jun 17 2008 - 00:21:41 ART
There is no access-list on R3's S1/1.35 interface, which is what the crypto
map is applied to, so there should be no filtering going on?
On Mon, Jun 16, 2008 at 10:33 PM, Luan Nguyen <luan.m.nguyen@gmail.com>
wrote:
> Yeah, it should work...sorry, it just looks funny at the moment :P
> So on the VPN side You have
> interface = its WAN 131.1.115.11
> bidirectional
> peer 10.3.3.3
> localnetwork ip address 192.10.6.254/0.0.0.0
> remotenetwork 10.3.3.3/0.0.0.0
> ?
> My only other suggestion would be on your router ACL, use permit host
> 10.3.3.3 host 192.10.6.254.
>
>
>
> On Mon, Jun 16, 2008 at 10:06 PM, Dane Newman <dane.newman@gmail.com>
> wrote:
>
>> In one of the requirements in the first part of the lab it told me to do
>>
>> crypto map VPN local-address FastEthernet0/0
>>
>> To the crypto map VPN on R3. So I didn't want to break the requirement in
>> the first part, so I put into the VPN3k that the peer was Fa0/0 of R3 (10.3.3.3). This
>> config should work, no?
>>
>> Dane
>>
>> On Mon, Jun 16, 2008 at 9:49 PM, Luan Nguyen <luan.m.nguyen@gmail.com>
>> wrote:
>>
>>> Local-address should be Serial1/1.35
>>>
>>> -Luan
>>>
>>> On Mon, Jun 16, 2008 at 7:31 PM, Dane Newman <dane.newman@gmail.com>
>>> wrote:
>>>
>>>> I am doing a LAN-to-LAN VPN as per the scenario with a router and the
>>>> VPN3k. Below is the debug. I see that during the ISAKMP phase 1 it
>>>> finds a
>>>> policy on both devices that matches, but after that when I debug crypt isa
>>>> error it shows the only error to be
>>>>
>>>> Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
>>>>
>>>>
>>>> I looked that up online and it said
>>>>
>>>>
>>>> Indicates that the notify message received from the peer lacked a valid
>>>> hash. This means that the notify message was not authenticated. For
>>>> security
>>>> reasons, this message is ignored.
>>>>
>>>> http://www.cisco.com/univercd/cc/td/doc/product/vpn/solution/aswan15/omt/omt_03a.htm
>>>>
>>>>
>>>> Anyone able to comment?
>>>>
>>>> Rack1R3#ping 192.10.6.254 source 10.3.3.3
>>>> Type escape sequence to abort.
>>>> Sending 5, 100-byte ICMP Echos to 192.10.6.254, timeout is 2 seconds:
>>>> Packet sent with a source address of 10.3.3.3
>>>> Jun 16 16:22:33.830: ISAKMP: received ke message (1/1)
>>>> Jun 16 16:22:33.830: ISAKMP (0:0): SA request profile is (NULL)
>>>> Jun 16 16:22:33.830: ISAKMP: local port 500, remote port 500
>>>> Jun 16 16:22:33.830: ISAKMP: set new node 0 to QM_IDLE
>>>> Jun 16 16:22:33.834: ISAKMP: insert sa successfully sa = 83B46590
>>>> Jun 16 16:22:33.834: ISAKMP (0:1): Can not start Aggressive mode, trying
>>>> Main mode.
>>>> Jun 16 16:22:33.834: ISAKMP: Looking for a matching key for
>>>> 132.1.115.11 in
>>>> default : success
>>>> Jun 16 16:22:33.834: ISAKMP (0:1): found peer pre-shared key matching
>>>> 132.1.115.11
>>>> Jun 16 16:22:33.834: ISAKMP (0:1): constructed NAT-T vendor-03 ID
>>>> Jun 16 16:22:33.834: ISAKMP (0:1): constructed NAT-T vendor-02 ID
>>>> Jun 16 16:22:33.834: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC,
>>>> IKE_SA_REQ_MM
>>>> Jun 16 16:22:33.834: ISAKMP (0:1): Old State = IKE_READY New State =
>>>> IKE_I_MM1
>>>> Jun 16 16:22:33.838: ISAKMP (0:1): beginning Main Mode exchange
>>>> Jun 16 16:22:33.838: ISAKMP (0:1): sending packet to 132.1.115.11 my_port
>>>> 500 peer_port 500 (I) MM_NO_STATE
>>>> Jun 16 16:22:34.043: ISAKMP (0:1): received packet from 132.1.115.11 dport
>>>> 500 sport 500 Global (I) MM_NO_STATE
>>>> Jun 16 16:22:34.043: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER,
>>>> IKE_MM_EXCH
>>>> Jun 16 16:22:34.043: ISAKMP (0:1): Old State = IKE_I_MM1 New State =
>>>> IKE_I_MM2
>>>> Jun 16 16:22:34.047: ISAKMP (0:1): processing SA payload. message ID = 0
>>>> Jun 16 16:22:34.047: ISAKMP (0:1): processing vendor id payload
>>>> Jun 16 16:22:34.047: ISAKMP (0:1): vendor ID seems Unity/DPD but major
>>>> 194
>>>> mismatch
>>>> Jun 16 16:22:34.047: ISAKMP: Looking for a matching key for
>>>> 132.1.115.11 in
>>>> default : success
>>>> Jun 16 16:22:34.047: ISAKMP (0:1): found peer pre-shared key matching
>>>> 132.1.115.11
>>>> Jun 16 16:22:34.047: ISAKMP (0:1) local preshared key found
>>>> Jun 16 16:22:34.047: ISAKMP : Scanning profiles for xauth ...
>>>> Jun 16 16:22:34.051: ISAKMP (0:1): Checking ISAKMP transform 1 against
>>>> priority 1 policy
>>>> Jun 16 16:22:34.051: ISAKMP: encryption 3DES-CBC
>>>> Jun 16 16:22:34.051: ISAKMP: hash MD5
>>>> Jun 16 16:22:34.051: ISAKMP: default group 2
>>>> Jun 16 16:22:34.051: ISAKMP: auth pre-share
>>>> Jun 16 16:22:34.051: ISAKMP: life type in seconds
>>>> Jun 16 16:22:34.051: ISAKMP: life duration (VPI) of 0x0 0x1 0x51
>>>> 0x80
>>>> Jun 16 16:22:34.051: ISAKMP (0:1): atts are acceptable. Next payload is
>>>> 0
>>>> Jun 16 16:22:34.315: ISAKMP (0:1): processing vendor id payload
>>>> Jun 16 16:22:34.315: ISAKMP (0:1): vendor ID seems Unity/DPD but major
>>>> 194
>>>> mismatch
>>>> Jun 16 16:22:34.315: ISAKMP (0:1): Input = IKE_MESG_INTERNAL,
>>>> IKE_PROCESS_MAIN_MODE
>>>> Jun 16 16:22:34.319: ISAKMP (0:1): Old State = IKE_I_MM2 New State =
>>>> IKE_I_MM2
>>>> Jun 16 16:22:34.319: ISAKMP (0:1): sending packet to 132.1.115.11 my_port
>>>> 500 peer_port 500 (I) MM_SA_SETUP
>>>> Jun 16 16:22:34.323: ISAKMP (0:1): Input = IKE_MESG_INTERNAL,
>>>> IKE_PROCESS_COMPLETE
>>>> Jun 16 16:22:34.323: ISAKMP (0:1): Old State = IKE_I_MM2 New State =
>>>> IKE_I_MM3
>>>> ....
>>>> Success rate is 0 percent (0/5)
>>>> Rack1R3#
>>>> Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
>>>> Jun 16 16:22:44.323: ISAKMP (0:1): incrementing error counter on sa:
>>>> retransmit phase 1
>>>> Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
>>>> Jun 16 16:22:44.323: ISAKMP (0:1): sending packet to 132.1.115.11 my_port
>>>> 500 peer_port 500 (I) MM_SA_SETUP
>>>> Jun 16 16:22:44.428: ISAKMP (0:1): received packet from 132.1.115.11 dport
>>>> 500 sport 500 Global (I) MM_SA_SETUP
>>>> Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
>>>> Jun 16 16:22:44.432: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER,
>>>> IKE_INFO_NOTIFY
>>>> Jun 16 16:22:44.432: ISAKMP (0:1): Old State = IKE_I_MM3 New State =
>>>> IKE_I_MM3
>>>> Rack1R3#
>>>> Jun 16 16:23:03.831: ISAKMP: received ke message (1/1)
>>>> Jun 16 16:23:03.831: ISAKMP: set new node 0 to QM_IDLE
>>>> Jun 16 16:23:03.831: ISAKMP (0:1): SA is still budding. Attached new
>>>> ipsec
>>>> request to it. (local 10.3.3.3, remote 132.1.115.11)
>>>> Rack1R3#
>>>> Jun 16 16:23:33.833: ISAKMP: received ke message (3/1)
>>>> Jun 16 16:23:33.833: ISAKMP (0:1): peer does not do paranoid keepalives.
>>>> Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason
>>>> "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer
>>>> 132.1.115.11) input queue 0
>>>> Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason
>>>> "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer
>>>> 132.1.115.11) input queue 0
>>>> Jun 16 16:23:33.837: ISAKMP (0:1): deleting node -492041071 error TRUE
>>>> reason "gen_ipsec_isakmp_delete but doi isakmp"
>>>> Jun 16 16:23:33.837: ISAKMP (0:1): deleting node -1371117716 error TRUE
>>>> reason "gen_ipsec_isakmp_delete but doi isakmp"
>>>> Rack1R3#
>>>> Jun 16 16:23:33.837: ISAKMP (0:1): Input = IKE_MESG_INTERNAL,
>>>> IKE_PHASE1_DEL
>>>> Jun 16 16:23:33.837: ISAKMP (0:1): Old State = IKE_I_MM3 New State =
>>>> IKE_DEST_SA
>>>> Rack1R3#
>>>> Jun 16 16:24:23.839: ISAKMP (0:1): purging node -492041071
>>>> Jun 16 16:24:23.839: ISAKMP (0:1): purging node -1371117716
>>>> Rack1R3#
>>>> Jun 16 16:24:33.839: ISAKMP (0:1): purging SA., sa=83B46590,
>>>> delme=83B46590
>>>> Rack1R3#u all
>>>> All possible debugging has been turned off
>>>> Rack1R3#
>>>>
>>>> Rack1R3#show run
>>>> Building configuration...
>>>> Current configuration : 3053 bytes
>>>> !
>>>> ! Last configuration change at 16:18:44 UTC Mon Jun 16 2008
>>>> ! NVRAM config last updated at 15:46:05 UTC Mon Jun 16 2008
>>>> !
>>>> version 12.2
>>>> service timestamps debug datetime msec
>>>> service timestamps log datetime msec
>>>> no service password-encryption
>>>> !
>>>> hostname Rack1R3
>>>> !
>>>> logging queue-limit 100
>>>> enable password cisco
>>>> !
>>>> ip subnet-zero
>>>> !
>>>> !
>>>> no ip domain lookup
>>>> !
>>>> ip audit notify log
>>>> ip audit po max-events 100
>>>> mpls ldp logging neighbor-changes
>>>> !
>>>> !
>>>> !
>>>> crypto isakmp policy 1
>>>> encr 3des
>>>> hash md5
>>>> authentication pre-share
>>>> group 2
>>>> !
>>>> crypto isakmp policy 10
>>>> authentication pre-share
>>>> lifetime 2400
>>>> !
>>>> crypto isakmp policy 20
>>>> encr 3des
>>>> hash md5
>>>> authentication pre-share
>>>> group 2
>>>> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
>>>> !
>>>> !
>>>> crypto ipsec transform-set DES_MD5 esp-des esp-md5-hmac
>>>> crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
>>>> !
>>>> !
>>>> !
>>>> crypto map VPN local-address FastEthernet0/0
>>>> crypto map VPN 10 ipsec-isakmp
>>>> set peer 10.4.4.4
>>>> set transform-set DES_MD5
>>>> match address vlan3_to_vlan44
>>>> crypto map VPN 20 ipsec-isakmp
>>>> set peer 132.1.115.11
>>>> set transform-set 3DES_MD5
>>>> match address vlan3_to_vlan112
>>>> !
>>>> !
>>>> !
>>>> !
>>>> !
>>>> !
>>>> !
>>>> !
>>>> !
>>>> !
>>>> no voice hpi capture buffer
>>>> no voice hpi capture destination
>>>> !
>>>> !
>>>> mta receive maximum-recipients 0
>>>> !
>>>> !
>>>> !
>>>> !
>>>> interface Loopback0
>>>> ip address 150.1.3.3 255.255.255.0
>>>> !
>>>> interface FastEthernet0/0
>>>> ip address 10.3.3.3 255.255.255.0
>>>> duplex auto
>>>> speed auto
>>>> !
>>>> interface FastEthernet0/1
>>>> ip address 132.1.33.3 255.255.255.0
>>>> duplex auto
>>>> speed auto
>>>> !
>>>> interface Serial1/0
>>>> no ip address
>>>> encapsulation frame-relay
>>>> !
>>>> interface Serial1/0.1234 point-to-point
>>>> ip address 132.1.0.3 255.255.255.0
>>>> ip ospf network point-to-multipoint
>>>> frame-relay interface-dlci 302
>>>> crypto map VPN
>>>> !
>>>> interface Serial1/1
>>>> no ip address
>>>> encapsulation frame-relay
>>>> !
>>>> interface Serial1/1.35 point-to-point
>>>> ip address 132.1.35.3 255.255.255.0
>>>> frame-relay interface-dlci 315
>>>> crypto map VPN
>>>> !
>>>> interface Serial1/2
>>>> no ip address
>>>> shutdown
>>>> !
>>>> interface Serial1/3
>>>> no ip address
>>>> shutdown
>>>> !
>>>> router ospf 1
>>>> router-id 150.1.3.3
>>>> log-adjacency-changes
>>>> redistribute connected subnets route-map CONNECTED_TO_OSPF
>>>> network 132.1.0.3 0.0.0.0 area 0
>>>> network 132.1.35.3 0.0.0.0 area 345
>>>> network 150.1.3.3 0.0.0.0 area 0
>>>> !
>>>> router bgp 100
>>>> no synchronization
>>>> bgp router-id 150.1.3.3
>>>> bgp log-neighbor-changes
>>>> neighbor 150.1.2.2 remote-as 100
>>>> neighbor 150.1.2.2 update-source Loopback0
>>>> no auto-summary
>>>> !
>>>> ip http server
>>>> no ip http secure-server
>>>> ip classless
>>>> ip route 132.1.115.0 255.255.255.0 132.1.35.5
>>>> ip route 192.10.6.0 255.255.255.0 132.1.35.6
>>>> !
>>>> !
>>>> !
>>>> ip access-list extended vlan3_to_vlan112
>>>> permit ip 10.3.3.0 0.0.0.255 192.10.6.0 0.0.0.255
>>>> ip access-list extended vlan3_to_vlan44
>>>> permit ip 10.3.3.0 0.0.0.255 10.4.4.0 0.0.0.255
>>>> !
>>>> !
>>>> route-map CONNECTED_TO_OSPF permit 10
>>>> match interface FastEthernet0/0
>>>> !
>>>> !
>>>> call rsvp-sync
>>>> !
>>>> !
>>>> mgcp profile default
>>>> !
>>>> !
>>>> !
>>>> dial-peer cor custom
>>>> !
>>>> !
>>>> !
>>>> !
>>>> !
>>>> line con 0
>>>> exec-timeout 0 0
>>>> privilege level 15
>>>> logging synchronous
>>>> line aux 0
>>>> exec-timeout 0 0
>>>> privilege level 15
>>>> line vty 0 4
>>>> password cisco
>>>> login
>>>> !
>>>> !
>>>> end
>>>>
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
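As an added example (not part of this thread and not Cisco tooling), the script below turns the `debug crypto isakmp` output quoted above into a phase 1 timeline: which main-mode states the initiator reached, which ISAKMP policy attributes were accepted, how many retransmits happened, whether an unauthenticated notify was discarded, and whether the SA was torn down. The sample lines are constructed from R3's debug in the thread with the wrapped lines rejoined; the state table, the regexes and the diagnosis wording are the author's reading of the IOS messages, not Cisco documentation.

```python
"""Summarise Cisco IOS `debug crypto isakmp` output into a phase 1 timeline.
Added example for this thread; state table, regexes and diagnosis text are the
author's reading of the IOS messages, not Cisco documentation."""
import re
from dataclasses import dataclass, field

# Constructed sample: abridged from R3's debug in the thread, wrapped lines rejoined.
SAMPLE_DEBUG = """\
Jun 16 16:22:33.834: ISAKMP (0:1): found peer pre-shared key matching 132.1.115.11
Jun 16 16:22:33.834: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
Jun 16 16:22:34.043: ISAKMP (0:1): received packet from 132.1.115.11 dport 500 sport 500 Global (I) MM_NO_STATE
Jun 16 16:22:34.043: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
Jun 16 16:22:34.051: ISAKMP: encryption 3DES-CBC
Jun 16 16:22:34.051: ISAKMP: hash MD5
Jun 16 16:22:34.051: ISAKMP: default group 2
Jun 16 16:22:34.051: ISAKMP: auth pre-share
Jun 16 16:22:34.051: ISAKMP (0:1): atts are acceptable. Next payload is 0
Jun 16 16:22:34.319: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jun 16 16:22:34.323: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
Jun 16 16:22:44.428: ISAKMP (0:1): received packet from 132.1.115.11 dport 500 sport 500 Global (I) MM_SA_SETUP
Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
Jun 16 16:22:44.432: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM3
Jun 16 16:23:03.831: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 10.3.3.3, remote 132.1.115.11)
Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer 132.1.115.11) input queue 0
Jun 16 16:23:33.837: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")
PEER_RE = re.compile(r"pre-shared key matching ([\d.]+)")
ENDPOINTS_RE = re.compile(r"\(local ([\d.]+), remote ([\d.]+)\)")

# Main-mode initiator states in the order IOS walks them (MM3 = our KE sent, MM4 = peer's KE received).
MM_ORDER = ["IKE_READY", "IKE_I_MM1", "IKE_I_MM2", "IKE_I_MM3",
            "IKE_I_MM4", "IKE_I_MM5", "IKE_I_MM6", "IKE_P1_COMPLETE"]


@dataclass
class Phase1Report:
    peer: str = ""
    local: str = ""
    states: list = field(default_factory=list)   # distinct states in the order reached
    attrs: dict = field(default_factory=dict)    # ISAKMP policy attributes the peer accepted
    atts_acceptable: bool = False
    retransmits: int = 0
    unauthenticated_notifies: int = 0            # "Notify has no hash. Rejected."
    deleted: bool = False

    @property
    def furthest_state(self) -> str:
        reached = [s for s in self.states if s in MM_ORDER]
        return max(reached, key=MM_ORDER.index) if reached else ""

    def diagnosis(self) -> str:
        if "IKE_P1_COMPLETE" in self.states:
            return "phase 1 completed; look at quick mode (phase 2) and the crypto ACLs next"
        where = self.furthest_state or "unknown state"
        if not self.atts_acceptable:
            return f"no ISAKMP policy matched the peer's proposal (stopped at {where})"
        if self.unauthenticated_notifies:
            return (f"phase 1 stalled at {where}: policy accepted, but the peer answered the key "
                    f"exchange with a notify it could not hash (no keys exist before DH completes), "
                    f"so IOS discarded it; confirm the peer expects IKE from {self.local or '?'} "
                    f"(the crypto map local-address) and has a matching peer/PSK entry for it")
        if self.retransmits:
            return f"no reply from {self.peer} at {where}: check reachability and UDP/500 filtering"
        return f"phase 1 incomplete at {where}"


def analyze(debug_text: str) -> Phase1Report:
    """Walk the debug lines once and fill in the report."""
    r = Phase1Report()
    for line in debug_text.splitlines():
        if m := STATE_RE.search(line):
            if not r.states or r.states[-1] != m[2]:   # collapse MM3 -> MM3 self-loops
                r.states.append(m[2])
        elif m := ATTR_RE.search(line):
            r.attrs["group" if m[1] == "default group" else m[1]] = m[2]
        elif m := PEER_RE.search(line):
            r.peer = m[1]
        elif m := ENDPOINTS_RE.search(line):
            r.local, r.peer = m[1], m[2]
        elif "atts are acceptable" in line:
            r.atts_acceptable = True
        elif "retransmitting phase 1" in line:
            r.retransmits += 1
        elif "Notify has no hash" in line:
            r.unauthenticated_notifies += 1
        elif "deleting SA" in line:
            r.deleted = True
    return r


if __name__ == "__main__":
    print(analyze(SAMPLE_DEBUG).diagnosis())
```

Run it on a real capture with `analyze(open("debug.txt").read())`. On the sample it reports the initiator stuck at IKE_I_MM3 with the policy accepted, one retransmit of MM_SA_SETUP, one discarded unauthenticated notify, and the SA deleted; the point of the `local` field is that the responder sees IKE arriving from the `crypto map local-address` interface (10.3.3.3 here), not from the serial interface the map is applied to.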
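A second added example (again not from the thread or from Cisco): a small linter for the crypto parts of the running-config quoted above. It resolves `crypto map VPN local-address` to the address IKE and IPsec will be sourced from, lists the interfaces the map is applied to, checks that each map entry's transform set and crypto ACL actually exist, and flags the wildcard pre-shared key. The sample is an excerpt of R3's config from the thread with the IOS indentation restored; the parser, the checks and the messages are the author's.

```python
"""Lint the IKE/IPsec parts of an IOS config: where the crypto map is applied, which
address IKE is sourced from, and whether referenced objects exist. Added example for
this thread (not Cisco tooling); the checks and messages are the author's."""
import re

# Constructed sample: the crypto, interface and ACL lines of R3's config in the thread.
SAMPLE_CONFIG = """\
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
crypto map VPN local-address FastEthernet0/0
crypto map VPN 10 ipsec-isakmp
 set peer 10.4.4.4
 set transform-set DES_MD5
 match address vlan3_to_vlan44
crypto map VPN 20 ipsec-isakmp
 set peer 132.1.115.11
 set transform-set 3DES_MD5
 match address vlan3_to_vlan112
interface FastEthernet0/0
 ip address 10.3.3.3 255.255.255.0
interface Serial1/0.1234 point-to-point
 ip address 132.1.0.3 255.255.255.0
 crypto map VPN
interface Serial1/1.35 point-to-point
 ip address 132.1.35.3 255.255.255.0
 crypto map VPN
ip access-list extended vlan3_to_vlan112
 permit ip 10.3.3.0 0.0.0.255 192.10.6.0 0.0.0.255
ip access-list extended vlan3_to_vlan44
 permit ip 10.3.3.0 0.0.0.255 10.4.4.0 0.0.0.255
"""


def parse(config: str) -> dict:
    """Pull interfaces, crypto maps, transform sets, ACLs and PSK entries out of IOS text."""
    cfg = {"interfaces": {}, "maps": {}, "local_address": {}, "transform_sets": set(),
           "acls": {}, "psk": []}
    ctx = None  # current block: ("interface", name) | ("map", name, seq) | ("acl", name)
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):  # top-level command: starts a new block
            ctx = None
            if m := re.match(r"interface (\S+)", line):
                ctx = ("interface", m[1]); cfg["interfaces"][m[1]] = {"ip": None, "maps": []}
            elif m := re.match(r"crypto map (\S+) local-address (\S+)", line):
                cfg["local_address"][m[1]] = m[2]
            elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
                ctx = ("map", m[1], int(m[2])); cfg["maps"].setdefault(m[1], {})[int(m[2])] = {}
            elif m := re.match(r"crypto ipsec transform-set (\S+)", line):
                cfg["transform_sets"].add(m[1])
            elif m := re.match(r"ip access-list extended (\S+)", line):
                ctx = ("acl", m[1]); cfg["acls"][m[1]] = []
            elif m := re.match(r"crypto isakmp key \S+ address (\S+)(?: (\S+))?", line):
                cfg["psk"].append((m[1], m[2] or "255.255.255.255"))
            continue
        body = line.strip()  # indented line: belongs to the open block
        if ctx is None:
            continue
        if ctx[0] == "interface":
            iface = cfg["interfaces"][ctx[1]]
            if m := re.match(r"ip address (\S+)", body): iface["ip"] = m[1]
            elif m := re.match(r"crypto map (\S+)", body): iface["maps"].append(m[1])
        elif ctx[0] == "map":
            entry = cfg["maps"][ctx[1]][ctx[2]]
            if m := re.match(r"set peer (\S+)", body): entry.setdefault("peers", []).append(m[1])
            elif m := re.match(r"set transform-set (.+)", body): entry["transform_sets"] = m[1].split()
            elif m := re.match(r"match address (\S+)", body): entry["acl"] = m[1]
        else:
            cfg["acls"][ctx[1]].append(body)
    return cfg


def lint(config: str) -> dict:
    """Return errors (broken references), warnings (risky but valid) and resolved facts."""
    cfg = parse(config)
    out = {"errors": [], "warnings": [], "ike_source": {}, "applied_on": {}}
    for name, iface in cfg["interfaces"].items():
        for mp in iface["maps"]:
            out["applied_on"].setdefault(mp, []).append(name)
    for mp, entries in cfg["maps"].items():
        applied = out["applied_on"].get(mp, [])
        if not applied:
            out["errors"].append(f"crypto map {mp} is not applied to any interface")
        if la := cfg["local_address"].get(mp):
            ip = cfg["interfaces"].get(la, {}).get("ip")
            if not ip:
                out["errors"].append(f"crypto map {mp} local-address {la}: no such interface or no IP")
            else:
                out["ike_source"][mp] = ip
                if la not in applied:  # IKE source is not the egress interface's address
                    out["warnings"].append(
                        f"crypto map {mp}: IKE is sourced from {ip} ({la}) while the map is applied "
                        f"on {', '.join(applied)}; each peer must have {ip} as this router's endpoint")
        for seq, e in entries.items():
            for ts in e.get("transform_sets", []):
                if ts not in cfg["transform_sets"]:
                    out["errors"].append(f"{mp} {seq}: transform-set {ts} not defined")
            if e.get("acl") not in cfg["acls"]:
                out["errors"].append(f"{mp} {seq}: match address {e.get('acl')} not defined")
    for addr, mask in cfg["psk"]:
        if addr == "0.0.0.0" and mask == "0.0.0.0":
            out["warnings"].append("wildcard PSK (address 0.0.0.0 0.0.0.0): any peer knowing the key authenticates")
    return out
```

Feed it `open("r3.cfg").read()` from a real `show run`. On the sample it reports no errors, resolves the IKE source to 10.3.3.3 via FastEthernet0/0, and warns that this is not one of the interfaces (Serial1/0.1234, Serial1/1.35) the map is applied to, which is exactly the point the thread is arguing about: whichever address the lab requires, the VPN3k's peer entry and its PSK must be keyed to that address.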
This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:22 ART