Re: VPN won't come up

From: Luan Nguyen (luan.m.nguyen@gmail.com)
Date: Tue Jun 17 2008 - 00:25:47 ART


I meant change this:
" ip access-list extended vlan3_to_vlan112
 permit ip 10.3.3.0 0.0.0.255 192.10.6.0 0.0.0.255"
to this:
ip access-list extended vlan3_to_vlan112
 permit ip host 10.3.3.3 host 192.10.6.254

On Mon, Jun 16, 2008 at 11:21 PM, Dane Newman <dane.newman@gmail.com> wrote:

> There is no access-list on R3's S1/1.35 interface, which is what the crypto
> map is applied to, so there should be no filtering going on?
>
>
> On Mon, Jun 16, 2008 at 10:33 PM, Luan Nguyen <luan.m.nguyen@gmail.com>
> wrote:
>
>> Yeah, it should work...sorry, it just looks funny at the moment :P
>> So on the VPN side you have
>> interface = its WAN 131.1.115.11
>> bidirectional
>> peer 10.3.3.3
>> localnetwork ip address 192.10.6.254/0.0.0.0
>> remotenetwork 10.3.3.3/0.0.0.0
>> ?
>> My only other suggestion would be on your router ACL, use permit host
>> 10.3.3.3 host 192.10.6.254.
>>
>>
>>
>> On Mon, Jun 16, 2008 at 10:06 PM, Dane Newman <dane.newman@gmail.com>
>> wrote:
>>
>>> In one of the requirements in the first part of the lab it told me to do
>>>
>>> crypto map VPN local-address FastEthernet0/0
>>>
>>> to the crypto map VPN on R3. So I didn't want to break the requirement on
>>> the first part, so I put into the VPN3k that the peer was Fa0/0 of R3
>>> (10.3.3.3). This config should work, no?
>>>
>>> Dane
>>>
>>> On Mon, Jun 16, 2008 at 9:49 PM, Luan Nguyen <luan.m.nguyen@gmail.com>
>>> wrote:
>>>
>>>> Local-address should be Serial1/1.35
>>>>
>>>> -Luan
>>>>
>>>> On Mon, Jun 16, 2008 at 7:31 PM, Dane Newman <dane.newman@gmail.com>
>>>> wrote:
>>>>
>>>>> I am doing a LAN-to-LAN VPN as per the scenario with a router and the
>>>>> VPN3k. Below is the debug. I see that during ISAKMP Phase 1 it finds a
>>>>> policy on both devices that matches, but after that, when I debug crypt isa
>>>>> error, it shows the only error to be
>>>>>
>>>>> Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
>>>>>
>>>>>
>>>>> I looked that up online and it said
>>>>>
>>>>>
>>>>> Indicates that the notify message received from the peer lacked a valid
>>>>> hash. This means that the notify message was not authenticated. For
>>>>> security reasons, this message is ignored.
>>>>>
>>>>> http://www.cisco.com/univercd/cc/td/doc/product/vpn/solution/aswan15/omt/omt_03a.htm
>>>>>
>>>>>
>>>>> anyone able to comment?
>>>>>
>>>>> Rack1R3#ping 192.10.6.254 source 10.3.3.3
>>>>> Type escape sequence to abort.
>>>>> Sending 5, 100-byte ICMP Echos to 192.10.6.254, timeout is 2 seconds:
>>>>> Packet sent with a source address of 10.3.3.3
>>>>> Jun 16 16:22:33.830: ISAKMP: received ke message (1/1)
>>>>> Jun 16 16:22:33.830: ISAKMP (0:0): SA request profile is (NULL)
>>>>> Jun 16 16:22:33.830: ISAKMP: local port 500, remote port 500
>>>>> Jun 16 16:22:33.830: ISAKMP: set new node 0 to QM_IDLE
>>>>> Jun 16 16:22:33.834: ISAKMP: insert sa successfully sa = 83B46590
>>>>> Jun 16 16:22:33.834: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
>>>>> Jun 16 16:22:33.834: ISAKMP: Looking for a matching key for 132.1.115.11 in default : success
>>>>> Jun 16 16:22:33.834: ISAKMP (0:1): found peer pre-shared key matching 132.1.115.11
>>>>> Jun 16 16:22:33.834: ISAKMP (0:1): constructed NAT-T vendor-03 ID
>>>>> Jun 16 16:22:33.834: ISAKMP (0:1): constructed NAT-T vendor-02 ID
>>>>> Jun 16 16:22:33.834: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
>>>>> Jun 16 16:22:33.834: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
>>>>> Jun 16 16:22:33.838: ISAKMP (0:1): beginning Main Mode exchange
>>>>> Jun 16 16:22:33.838: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_NO_STATE
>>>>> Jun 16 16:22:34.043: ISAKMP (0:1): received packet from 132.1.115.11 dport 500 sport 500 Global (I) MM_NO_STATE
>>>>> Jun 16 16:22:34.043: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
>>>>> Jun 16 16:22:34.043: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
>>>>> Jun 16 16:22:34.047: ISAKMP (0:1): processing SA payload. message ID = 0
>>>>> Jun 16 16:22:34.047: ISAKMP (0:1): processing vendor id payload
>>>>> Jun 16 16:22:34.047: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
>>>>> Jun 16 16:22:34.047: ISAKMP: Looking for a matching key for 132.1.115.11 in default : success
>>>>> Jun 16 16:22:34.047: ISAKMP (0:1): found peer pre-shared key matching 132.1.115.11
>>>>> Jun 16 16:22:34.047: ISAKMP (0:1) local preshared key found
>>>>> Jun 16 16:22:34.047: ISAKMP : Scanning profiles for xauth ...
>>>>> Jun 16 16:22:34.051: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
>>>>> Jun 16 16:22:34.051: ISAKMP: encryption 3DES-CBC
>>>>> Jun 16 16:22:34.051: ISAKMP: hash MD5
>>>>> Jun 16 16:22:34.051: ISAKMP: default group 2
>>>>> Jun 16 16:22:34.051: ISAKMP: auth pre-share
>>>>> Jun 16 16:22:34.051: ISAKMP: life type in seconds
>>>>> Jun 16 16:22:34.051: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
>>>>> Jun 16 16:22:34.051: ISAKMP (0:1): atts are acceptable. Next payload is 0
>>>>> Jun 16 16:22:34.315: ISAKMP (0:1): processing vendor id payload
>>>>> Jun 16 16:22:34.315: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
>>>>> Jun 16 16:22:34.315: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
>>>>> Jun 16 16:22:34.319: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
>>>>> Jun 16 16:22:34.319: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_SA_SETUP
>>>>> Jun 16 16:22:34.323: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
>>>>> Jun 16 16:22:34.323: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
>>>>> ....
>>>>> Success rate is 0 percent (0/5)
>>>>> Rack1R3#
>>>>> Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
>>>>> Jun 16 16:22:44.323: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
>>>>> Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
>>>>> Jun 16 16:22:44.323: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_SA_SETUP
>>>>> Jun 16 16:22:44.428: ISAKMP (0:1): received packet from 132.1.115.11 dport 500 sport 500 Global (I) MM_SA_SETUP
>>>>> Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
>>>>> Jun 16 16:22:44.432: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
>>>>> Jun 16 16:22:44.432: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM3
>>>>> Rack1R3#
>>>>> Jun 16 16:23:03.831: ISAKMP: received ke message (1/1)
>>>>> Jun 16 16:23:03.831: ISAKMP: set new node 0 to QM_IDLE
>>>>> Jun 16 16:23:03.831: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 10.3.3.3, remote 132.1.115.11)
>>>>> Rack1R3#
>>>>> Jun 16 16:23:33.833: ISAKMP: received ke message (3/1)
>>>>> Jun 16 16:23:33.833: ISAKMP (0:1): peer does not do paranoid keepalives.
>>>>> Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer 132.1.115.11) input queue 0
>>>>> Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer 132.1.115.11) input queue 0
>>>>> Jun 16 16:23:33.837: ISAKMP (0:1): deleting node -492041071 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
>>>>> Jun 16 16:23:33.837: ISAKMP (0:1): deleting node -1371117716 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
>>>>> Rack1R3#
>>>>> Jun 16 16:23:33.837: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
>>>>> Jun 16 16:23:33.837: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_DEST_SA
>>>>> Rack1R3#
>>>>> Jun 16 16:24:23.839: ISAKMP (0:1): purging node -492041071
>>>>> Jun 16 16:24:23.839: ISAKMP (0:1): purging node -1371117716
>>>>> Rack1R3#
>>>>> Jun 16 16:24:33.839: ISAKMP (0:1): purging SA., sa=83B46590, delme=83B46590
>>>>> Rack1R3#u all
>>>>> All possible debugging has been turned off
>>>>> Rack1R3#
>>>>>
>>>>> Rack1R3#show run
>>>>> Building configuration...
>>>>> Current configuration : 3053 bytes
>>>>> !
>>>>> ! Last configuration change at 16:18:44 UTC Mon Jun 16 2008
>>>>> ! NVRAM config last updated at 15:46:05 UTC Mon Jun 16 2008
>>>>> !
>>>>> version 12.2
>>>>> service timestamps debug datetime msec
>>>>> service timestamps log datetime msec
>>>>> no service password-encryption
>>>>> !
>>>>> hostname Rack1R3
>>>>> !
>>>>> logging queue-limit 100
>>>>> enable password cisco
>>>>> !
>>>>> ip subnet-zero
>>>>> !
>>>>> no ip domain lookup
>>>>> !
>>>>> ip audit notify log
>>>>> ip audit po max-events 100
>>>>> mpls ldp logging neighbor-changes
>>>>> !
>>>>> crypto isakmp policy 1
>>>>>  encr 3des
>>>>>  hash md5
>>>>>  authentication pre-share
>>>>>  group 2
>>>>> !
>>>>> crypto isakmp policy 10
>>>>>  authentication pre-share
>>>>>  lifetime 2400
>>>>> !
>>>>> crypto isakmp policy 20
>>>>>  encr 3des
>>>>>  hash md5
>>>>>  authentication pre-share
>>>>>  group 2
>>>>> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
>>>>> !
>>>>> crypto ipsec transform-set DES_MD5 esp-des esp-md5-hmac
>>>>> crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
>>>>> !
>>>>> crypto map VPN local-address FastEthernet0/0
>>>>> crypto map VPN 10 ipsec-isakmp
>>>>>  set peer 10.4.4.4
>>>>>  set transform-set DES_MD5
>>>>>  match address vlan3_to_vlan44
>>>>> crypto map VPN 20 ipsec-isakmp
>>>>>  set peer 132.1.115.11
>>>>>  set transform-set 3DES_MD5
>>>>>  match address vlan3_to_vlan112
>>>>> !
>>>>> no voice hpi capture buffer
>>>>> no voice hpi capture destination
>>>>> !
>>>>> mta receive maximum-recipients 0
>>>>> !
>>>>> interface Loopback0
>>>>>  ip address 150.1.3.3 255.255.255.0
>>>>> !
>>>>> interface FastEthernet0/0
>>>>>  ip address 10.3.3.3 255.255.255.0
>>>>>  duplex auto
>>>>>  speed auto
>>>>> !
>>>>> interface FastEthernet0/1
>>>>>  ip address 132.1.33.3 255.255.255.0
>>>>>  duplex auto
>>>>>  speed auto
>>>>> !
>>>>> interface Serial1/0
>>>>>  no ip address
>>>>>  encapsulation frame-relay
>>>>> !
>>>>> interface Serial1/0.1234 point-to-point
>>>>>  ip address 132.1.0.3 255.255.255.0
>>>>>  ip ospf network point-to-multipoint
>>>>>  frame-relay interface-dlci 302
>>>>>  crypto map VPN
>>>>> !
>>>>> interface Serial1/1
>>>>>  no ip address
>>>>>  encapsulation frame-relay
>>>>> !
>>>>> interface Serial1/1.35 point-to-point
>>>>>  ip address 132.1.35.3 255.255.255.0
>>>>>  frame-relay interface-dlci 315
>>>>>  crypto map VPN
>>>>> !
>>>>> interface Serial1/2
>>>>>  no ip address
>>>>>  shutdown
>>>>> !
>>>>> interface Serial1/3
>>>>>  no ip address
>>>>>  shutdown
>>>>> !
>>>>> router ospf 1
>>>>>  router-id 150.1.3.3
>>>>>  log-adjacency-changes
>>>>>  redistribute connected subnets route-map CONNECTED_TO_OSPF
>>>>>  network 132.1.0.3 0.0.0.0 area 0
>>>>>  network 132.1.35.3 0.0.0.0 area 345
>>>>>  network 150.1.3.3 0.0.0.0 area 0
>>>>> !
>>>>> router bgp 100
>>>>>  no synchronization
>>>>>  bgp router-id 150.1.3.3
>>>>>  bgp log-neighbor-changes
>>>>>  neighbor 150.1.2.2 remote-as 100
>>>>>  neighbor 150.1.2.2 update-source Loopback0
>>>>>  no auto-summary
>>>>> !
>>>>> ip http server
>>>>> no ip http secure-server
>>>>> ip classless
>>>>> ip route 132.1.115.0 255.255.255.0 132.1.35.5
>>>>> ip route 192.10.6.0 255.255.255.0 132.1.35.6
>>>>> !
>>>>> ip access-list extended vlan3_to_vlan112
>>>>>  permit ip 10.3.3.0 0.0.0.255 192.10.6.0 0.0.0.255
>>>>> ip access-list extended vlan3_to_vlan44
>>>>>  permit ip 10.3.3.0 0.0.0.255 10.4.4.0 0.0.0.255
>>>>> !
>>>>> route-map CONNECTED_TO_OSPF permit 10
>>>>>  match interface FastEthernet0/0
>>>>> !
>>>>> call rsvp-sync
>>>>> !
>>>>> mgcp profile default
>>>>> !
>>>>> dial-peer cor custom
>>>>> !
>>>>> line con 0
>>>>>  exec-timeout 0 0
>>>>>  privilege level 15
>>>>>  logging synchronous
>>>>> line aux 0
>>>>>  exec-timeout 0 0
>>>>>  privilege level 15
>>>>> line vty 0 4
>>>>>  password cisco
>>>>>  login
>>>>> !
>>>>> end
>>>>>
>>>>>
>>>>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
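Reading the debug above: the Python below is an added example, not something posted in the thread. It takes `debug crypto isakmp` lines (a constructed excerpt of the output quoted above, with the mail-wrapped lines rejoined) and reports the highest initiator main-mode state reached, how many Phase 1 retransmits happened, how many notifies the router rejected for lacking a hash, and whether the ISAKMP SA was torn down. The per-state descriptions in `MM_MEANING` are my own summary of the six main-mode messages and are an assumption, not text from the thread; the function and variable names are likewise made up here. Run against the posted debug it reports the negotiation stuck in IKE_I_MM3: R3 sent its key exchange (MM3), retransmitted it, and got back only an unauthenticated notify instead of the peer's MM4.

```python
import re

# Constructed excerpt of the "debug crypto isakmp" output posted above, with the
# mail-wrapped lines rejoined; it is not a fresh capture from the router.
DEBUG_LINES = [
    "Jun 16 16:22:33.834: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.",
    "Jun 16 16:22:33.834: ISAKMP (0:1): found peer pre-shared key matching 132.1.115.11",
    "Jun 16 16:22:33.834: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1",
    "Jun 16 16:22:34.043: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2",
    "Jun 16 16:22:34.051: ISAKMP (0:1): atts are acceptable. Next payload is 0",
    "Jun 16 16:22:34.323: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3",
    "Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...",
    "Jun 16 16:22:44.323: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1",
    "Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.",
    "Jun 16 16:22:44.432: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM3",
    'Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer 132.1.115.11) input queue 0',
    "Jun 16 16:23:33.837: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_DEST_SA",
]

# Initiator-side main-mode states in the order IOS walks them. The one-line
# meanings are my summary of the six main-mode messages (an assumption, not
# something the thread states): the initiator sends MM1/MM3/MM5 and receives
# MM2/MM4/MM6.
MM_ORDER = ["IKE_READY", "IKE_I_MM1", "IKE_I_MM2", "IKE_I_MM3",
            "IKE_I_MM4", "IKE_I_MM5", "IKE_I_MM6", "IKE_P1_COMPLETE"]
MM_MEANING = {
    "IKE_READY": "nothing sent yet",
    "IKE_I_MM1": "sent SA proposal (MM1); no reply from the peer",
    "IKE_I_MM2": "received the peer's SA choice (MM2); ISAKMP policy matched",
    "IKE_I_MM3": "sent DH public value and nonce (MM3); waiting for the peer's MM4",
    "IKE_I_MM4": "received the peer's DH value (MM4); session keys derived",
    "IKE_I_MM5": "sent ID and hash (MM5); waiting for the peer to authenticate us",
    "IKE_I_MM6": "received the peer's ID and hash (MM6); peer authenticated",
    "IKE_P1_COMPLETE": "phase 1 complete",
}

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
PEER_RE = re.compile(r"pre-shared key matching (\d+(?:\.\d+){3})")


def analyze_isakmp_debug(lines):
    """Summarise one initiator main-mode attempt from 'debug crypto isakmp' lines."""
    summary = {"peer": None, "policy_matched": False, "retransmits": 0,
               "unauthenticated_notifies": 0, "sa_deleted": False}
    states = []
    for line in lines:
        m = PEER_RE.search(line)
        if m and summary["peer"] is None:
            summary["peer"] = m.group(1)
        if "atts are acceptable" in line:          # a local policy matched the peer's proposal
            summary["policy_matched"] = True
        if "incrementing error counter" in line:    # one per retransmitted Phase 1 packet
            summary["retransmits"] += 1
        if "Notify has no hash" in line:            # peer's notify had no HASH payload; dropped
            summary["unauthenticated_notifies"] += 1
        if "deleting SA reason" in line:
            summary["sa_deleted"] = True
        m = STATE_RE.search(line)
        if m:
            states.append(m.group(2))
    reached = [s for s in states if s in MM_ORDER]
    highest = max(reached, key=MM_ORDER.index) if reached else "IKE_READY"
    summary["highest_state"] = highest
    summary["stalled_at"] = MM_MEANING[highest]
    summary["phase1_complete"] = highest == "IKE_P1_COMPLETE"
    return summary


if __name__ == "__main__":
    for key, value in analyze_isakmp_debug(DEBUG_LINES).items():
        print(f"{key:>24}: {value}")
```

The useful signal is the pair `highest_state` / `unauthenticated_notifies`: a policy match followed by a stall in IKE_I_MM3 means the proposal was fine and the peer objected to something at or after the key exchange, which points at the peer's view of who the initiator is (its peer address, key binding or LAN-to-LAN entry) rather than at the ISAKMP policy.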

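Whether or not it is the cause of the Phase 1 failure in the debug, the ACL change Luan suggests above comes down to making the Phase 2 proxy identities on the two sides exact mirrors: the VPN3k entry as described in the thread is host-to-host (local 192.10.6.254/0.0.0.0, remote 10.3.3.3/0.0.0.0), while R3's crypto ACL is /24 to /24, so the two identities overlap without mirroring each other. The Python below is an added check, not code from the thread; `wildcard_to_network`, `acl_entry`, `mirror_mismatches` and the entry lists are names I made up, and the VPN3k entries are constructed from what Luan wrote rather than read from a concentrator.

```python
import ipaddress

ALL_ONES = int(ipaddress.IPv4Address("255.255.255.255"))


def wildcard_to_network(addr, wildcard):
    """Convert an IOS 'address wildcard' pair to an IPv4Network.

    The wildcard is inverted to a netmask first: ipaddress would read a bare
    0.0.0.0 as a /0 netmask, not as the single-host wildcard IOS means by it.
    A non-contiguous wildcard raises ValueError, which is what we want here.
    """
    netmask = ipaddress.IPv4Address(ALL_ONES ^ int(ipaddress.IPv4Address(wildcard)))
    # strict=False mirrors IOS, which masks host bits off the address itself
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def acl_entry(src, src_wild, dst, dst_wild):
    """One 'permit ip <src> <wild> <dst> <wild>' line as a (src, dst) network pair."""
    return (wildcard_to_network(src, src_wild), wildcard_to_network(dst, dst_wild))


def mirror_mismatches(local, peer):
    """Return local (src, dst) entries with no exact mirror (dst, src) on the peer.

    Each is tagged 'overlap' when the peer has an overlapping but unequal entry
    (the classic proxy-identity mismatch) or 'none' when nothing matches at all.
    """
    peer_flipped = {(d, s) for (s, d) in peer}
    problems = []
    for s, d in local:
        if (s, d) in peer_flipped:
            continue
        overlap = any(s.overlaps(ps) and d.overlaps(pd) for ps, pd in peer_flipped)
        problems.append((s, d, "overlap" if overlap else "none"))
    return problems


# Constructed inputs. R3's crypto ACL as in the posted config:
R3_ACL = [acl_entry("10.3.3.0", "0.0.0.255", "192.10.6.0", "0.0.0.255")]
# The VPN3k LAN-to-LAN entry as Luan described it (local 192.10.6.254/0.0.0.0,
# remote 10.3.3.3/0.0.0.0), written from the concentrator's point of view:
VPN3K_L2L = [acl_entry("192.10.6.254", "0.0.0.0", "10.3.3.3", "0.0.0.0")]
# Luan's suggested replacement for R3's ACL:
R3_ACL_FIXED = [acl_entry("10.3.3.3", "0.0.0.0", "192.10.6.254", "0.0.0.0")]

if __name__ == "__main__":
    for name, acl in (("as posted", R3_ACL), ("host/host", R3_ACL_FIXED)):
        problems = mirror_mismatches(acl, VPN3K_L2L)
        for s, d, kind in problems:
            print(f"{name}: {s} -> {d} has no exact mirror on the VPN3k ({kind})")
        if not problems:
            print(f"{name}: every entry is mirrored")
```

The check is deliberately exact-match: an overlapping but narrower or wider identity on one side is the usual reason a Phase 2 proposal is refused, and the fix is either to widen the VPN3k entry to the /24s or, as Luan suggests, to narrow R3's ACL to the two hosts. Separately from the mirror check, but visible in the same config: R3's pre-shared key is bound to `address 0.0.0.0 0.0.0.0`, so any peer that knows "cisco" can complete Phase 1 with it; outside a lab, bind the key to the peer's address.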


This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:22 ART