Re: VPN won't come up

From: Dane Newman (dane.newman@gmail.com)
Date: Tue Jun 17 2008 - 00:49:28 ART


oops sorry that was my terminal window changing

no permit ip 10.3.3.0 0.0.0.255 192.10.6.0 0.0.0.255

into

Rack1R3(config-ext-nacl)#$ip 10.3.3.0 0.0.0.255 192.10.6.0 0.0.0.255

Stupid terminal cutting stuff off

On Mon, Jun 16, 2008 at 11:47 PM, Dane Newman <dane.newman@gmail.com> wrote:

> Ah gotcha
>
> Tried no dice ;(
> Rack1R3#config t
> Enter configuration commands, one per line. End with CNTL/Z.
> Rack1R3(config)#ip access-list extended vlan3_to_vlan112
> Rack1R3(config-ext-nacl)#$ip 10.3.3.0 0.0.0.255 192.10.6.0 0.0.0.255
>
> Rack1R3(config-ext-nacl)#permit ip host 10.3.3.3 host 192.10.6.254
> Rack1R3(config-ext-nacl)#exit
> Rack1R3(config)#exit
> Rack1R3#ping 192.10.6.254 source 10.3.3.3
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.10.6.254, timeout is 2 seconds:
> Packet sent with a source address of 10.3.3.3
> .....
> Success rate is 0 percent (0/5)
> Rack1R3#
>
>
> On Mon, Jun 16, 2008 at 11:25 PM, Luan Nguyen <luan.m.nguyen@gmail.com>
> wrote:
>
>> I meant change this:
>> " ip access-list extended vlan3_to_vlan112
>> permit ip 10.3.3.0 0.0.0.255 192.10.6.0 0.0.0.255"
>> to this:
>> ip access-list extended vlan3_to_vlan112
>> permit ip host 10.3.3.3 host 192.10.6.254
>>
>>
>>
>> On Mon, Jun 16, 2008 at 11:21 PM, Dane Newman <dane.newman@gmail.com>
>> wrote:
>>
>>> There is no access-list on R3's S1/1.35 interface, which is what the
>>> crypto map is applied to, so there should be no filtering going on?
>>>
>>>
>>> On Mon, Jun 16, 2008 at 10:33 PM, Luan Nguyen <luan.m.nguyen@gmail.com>
>>> wrote:
>>>
>>>> Yeah, it should work...sorry, it just looks funny at the moment :P
>>>> So on the VPN side you have
>>>> interface = its WAN 131.1.115.11
>>>> bidirectional
>>>> peer 10.3.3.3
>>>> localnetwork ip address 192.10.6.254/0.0.0.0
>>>> remotenetwork 10.3.3.3/0.0.0.0
>>>> ?
>>>> My only other suggestion would be on your router ACL, use permit host
>>>> 10.3.3.3 host 192.10.6.254.
>>>>
>>>>
>>>>
>>>> On Mon, Jun 16, 2008 at 10:06 PM, Dane Newman <dane.newman@gmail.com>
>>>> wrote:
>>>>
>>>>> In one of the requirements in the first part of the lab it told me to do
>>>>>
>>>>> crypto map VPN local-address FastEthernet0/0
>>>>>
>>>>> To the crypto map VPN on r3. So I didn't want to break the requirement
>>>>> on the first part, so I put into the VPN3k that the peer was fa0/0 of r3
>>>>> (10.3.3.3). This config should work, no?
>>>>>
>>>>> Dane
>>>>>
>>>>> On Mon, Jun 16, 2008 at 9:49 PM, Luan Nguyen <luan.m.nguyen@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Local-address should be Serial1/1.35
>>>>>>
>>>>>> -Luan
>>>>>>
>>>>>> On Mon, Jun 16, 2008 at 7:31 PM, Dane Newman <dane.newman@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> I am doing a LAN to LAN vpn as per the scenario with a router and the
>>>>>>> vpn3k. Below is the debug. I see that during the isakmp phase 1 it
>>>>>>> finds a policy on both devices that match but after that when I debug
>>>>>>> crypt isa error it shows the only error to be
>>>>>>>
>>>>>>> Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
>>>>>>>
>>>>>>>
>>>>>>> I looked that up online and it said
>>>>>>>
>>>>>>>
>>>>>>> Indicates that the notify message received from the peer lacked a
>>>>>>> valid hash. This means that the notify message was not authenticated.
>>>>>>> For security reasons, this message is ignored.
>>>>>>>
>>>>>>> http://www.cisco.com/univercd/cc/td/doc/product/vpn/solution/aswan15/omt/omt_03a.htm
>>>>>>>
>>>>>>>
>>>>>>> anyone able to comment?
>>>>>>>
>>>>>>> Rack1R3#ping 192.10.6.254 source 10.3.3.3
>>>>>>> Type escape sequence to abort.
>>>>>>> Sending 5, 100-byte ICMP Echos to 192.10.6.254, timeout is 2 seconds:
>>>>>>> Packet sent with a source address of 10.3.3.3
>>>>>>> Jun 16 16:22:33.830: ISAKMP: received ke message (1/1)
>>>>>>> Jun 16 16:22:33.830: ISAKMP (0:0): SA request profile is (NULL)
>>>>>>> Jun 16 16:22:33.830: ISAKMP: local port 500, remote port 500
>>>>>>> Jun 16 16:22:33.830: ISAKMP: set new node 0 to QM_IDLE
>>>>>>> Jun 16 16:22:33.834: ISAKMP: insert sa successfully sa = 83B46590
>>>>>>> Jun 16 16:22:33.834: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
>>>>>>> Jun 16 16:22:33.834: ISAKMP: Looking for a matching key for 132.1.115.11 in default : success
>>>>>>> Jun 16 16:22:33.834: ISAKMP (0:1): found peer pre-shared key matching 132.1.115.11
>>>>>>> Jun 16 16:22:33.834: ISAKMP (0:1): constructed NAT-T vendor-03 ID
>>>>>>> Jun 16 16:22:33.834: ISAKMP (0:1): constructed NAT-T vendor-02 ID
>>>>>>> Jun 16 16:22:33.834: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
>>>>>>> Jun 16 16:22:33.834: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
>>>>>>> Jun 16 16:22:33.838: ISAKMP (0:1): beginning Main Mode exchange
>>>>>>> Jun 16 16:22:33.838: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_NO_STATE
>>>>>>> Jun 16 16:22:34.043: ISAKMP (0:1): received packet from 132.1.115.11 dport 500 sport 500 Global (I) MM_NO_STATE
>>>>>>> Jun 16 16:22:34.043: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
>>>>>>> Jun 16 16:22:34.043: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
>>>>>>> Jun 16 16:22:34.047: ISAKMP (0:1): processing SA payload. message ID = 0
>>>>>>> Jun 16 16:22:34.047: ISAKMP (0:1): processing vendor id payload
>>>>>>> Jun 16 16:22:34.047: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
>>>>>>> Jun 16 16:22:34.047: ISAKMP: Looking for a matching key for 132.1.115.11 in default : success
>>>>>>> Jun 16 16:22:34.047: ISAKMP (0:1): found peer pre-shared key matching 132.1.115.11
>>>>>>> Jun 16 16:22:34.047: ISAKMP (0:1) local preshared key found
>>>>>>> Jun 16 16:22:34.047: ISAKMP : Scanning profiles for xauth ...
>>>>>>> Jun 16 16:22:34.051: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
>>>>>>> Jun 16 16:22:34.051: ISAKMP: encryption 3DES-CBC
>>>>>>> Jun 16 16:22:34.051: ISAKMP: hash MD5
>>>>>>> Jun 16 16:22:34.051: ISAKMP: default group 2
>>>>>>> Jun 16 16:22:34.051: ISAKMP: auth pre-share
>>>>>>> Jun 16 16:22:34.051: ISAKMP: life type in seconds
>>>>>>> Jun 16 16:22:34.051: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
>>>>>>> Jun 16 16:22:34.051: ISAKMP (0:1): atts are acceptable. Next payload is 0
>>>>>>> Jun 16 16:22:34.315: ISAKMP (0:1): processing vendor id payload
>>>>>>> Jun 16 16:22:34.315: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
>>>>>>> Jun 16 16:22:34.315: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
>>>>>>> Jun 16 16:22:34.319: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
>>>>>>> Jun 16 16:22:34.319: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_SA_SETUP
>>>>>>> Jun 16 16:22:34.323: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
>>>>>>> Jun 16 16:22:34.323: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
>>>>>>> ....
>>>>>>> Success rate is 0 percent (0/5)
>>>>>>> Rack1R3#
>>>>>>> Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
>>>>>>> Jun 16 16:22:44.323: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
>>>>>>> Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
>>>>>>> Jun 16 16:22:44.323: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_SA_SETUP
>>>>>>> Jun 16 16:22:44.428: ISAKMP (0:1): received packet from 132.1.115.11 dport 500 sport 500 Global (I) MM_SA_SETUP
>>>>>>> Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
>>>>>>> Jun 16 16:22:44.432: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
>>>>>>> Jun 16 16:22:44.432: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM3
>>>>>>> Rack1R3#
>>>>>>> Jun 16 16:23:03.831: ISAKMP: received ke message (1/1)
>>>>>>> Jun 16 16:23:03.831: ISAKMP: set new node 0 to QM_IDLE
>>>>>>> Jun 16 16:23:03.831: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 10.3.3.3, remote 132.1.115.11)
>>>>>>> Rack1R3#
>>>>>>> Jun 16 16:23:33.833: ISAKMP: received ke message (3/1)
>>>>>>> Jun 16 16:23:33.833: ISAKMP (0:1): peer does not do paranoid keepalives.
>>>>>>> Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer 132.1.115.11) input queue 0
>>>>>>> Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer 132.1.115.11) input queue 0
>>>>>>> Jun 16 16:23:33.837: ISAKMP (0:1): deleting node -492041071 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
>>>>>>> Jun 16 16:23:33.837: ISAKMP (0:1): deleting node -1371117716 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
>>>>>>> Rack1R3#
>>>>>>> Jun 16 16:23:33.837: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
>>>>>>> Jun 16 16:23:33.837: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_DEST_SA
>>>>>>> Rack1R3#
>>>>>>> Jun 16 16:24:23.839: ISAKMP (0:1): purging node -492041071
>>>>>>> Jun 16 16:24:23.839: ISAKMP (0:1): purging node -1371117716
>>>>>>> Rack1R3#
>>>>>>> Jun 16 16:24:33.839: ISAKMP (0:1): purging SA., sa=83B46590, delme=83B46590
>>>>>>> Rack1R3#u all
>>>>>>> All possible debugging has been turned off
>>>>>>> Rack1R3#
>>>>>>>
>>>>>>> Rack1R3#show run
>>>>>>> Building configuration...
>>>>>>> Current configuration : 3053 bytes
>>>>>>> !
>>>>>>> ! Last configuration change at 16:18:44 UTC Mon Jun 16 2008
>>>>>>> ! NVRAM config last updated at 15:46:05 UTC Mon Jun 16 2008
>>>>>>> !
>>>>>>> version 12.2
>>>>>>> service timestamps debug datetime msec
>>>>>>> service timestamps log datetime msec
>>>>>>> no service password-encryption
>>>>>>> !
>>>>>>> hostname Rack1R3
>>>>>>> !
>>>>>>> logging queue-limit 100
>>>>>>> enable password cisco
>>>>>>> !
>>>>>>> ip subnet-zero
>>>>>>> !
>>>>>>> !
>>>>>>> no ip domain lookup
>>>>>>> !
>>>>>>> ip audit notify log
>>>>>>> ip audit po max-events 100
>>>>>>> mpls ldp logging neighbor-changes
>>>>>>> !
>>>>>>> !
>>>>>>> !
>>>>>>> crypto isakmp policy 1
>>>>>>> encr 3des
>>>>>>> hash md5
>>>>>>> authentication pre-share
>>>>>>> group 2
>>>>>>> !
>>>>>>> crypto isakmp policy 10
>>>>>>> authentication pre-share
>>>>>>> lifetime 2400
>>>>>>> !
>>>>>>> crypto isakmp policy 20
>>>>>>> encr 3des
>>>>>>> hash md5
>>>>>>> authentication pre-share
>>>>>>> group 2
>>>>>>> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
>>>>>>> !
>>>>>>> !
>>>>>>> crypto ipsec transform-set DES_MD5 esp-des esp-md5-hmac
>>>>>>> crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
>>>>>>> !
>>>>>>> !
>>>>>>> !
>>>>>>> crypto map VPN local-address FastEthernet0/0
>>>>>>> crypto map VPN 10 ipsec-isakmp
>>>>>>> set peer 10.4.4.4
>>>>>>> set transform-set DES_MD5
>>>>>>> match address vlan3_to_vlan44
>>>>>>> crypto map VPN 20 ipsec-isakmp
>>>>>>> set peer 132.1.115.11
>>>>>>> set transform-set 3DES_MD5
>>>>>>> match address vlan3_to_vlan112
>>>>>>> !
>>>>>>> !
>>>>>>> !
>>>>>>> !
>>>>>>> !
>>>>>>> !
>>>>>>> !
>>>>>>> !
>>>>>>> !
>>>>>>> !
>>>>>>> no voice hpi capture buffer
>>>>>>> no voice hpi capture destination
>>>>>>> !
>>>>>>> !
>>>>>>> mta receive maximum-recipients 0
>>>>>>> !
>>>>>>> !
>>>>>>> !
>>>>>>> !
>>>>>>> interface Loopback0
>>>>>>> ip address 150.1.3.3 255.255.255.0
>>>>>>> !
>>>>>>> interface FastEthernet0/0
>>>>>>> ip address 10.3.3.3 255.255.255.0
>>>>>>> duplex auto
>>>>>>> speed auto
>>>>>>> !
>>>>>>> interface FastEthernet0/1
>>>>>>> ip address 132.1.33.3 255.255.255.0
>>>>>>> duplex auto
>>>>>>> speed auto
>>>>>>> !
>>>>>>> interface Serial1/0
>>>>>>> no ip address
>>>>>>> encapsulation frame-relay
>>>>>>> !
>>>>>>> interface Serial1/0.1234 point-to-point
>>>>>>> ip address 132.1.0.3 255.255.255.0
>>>>>>> ip ospf network point-to-multipoint
>>>>>>> frame-relay interface-dlci 302
>>>>>>> crypto map VPN
>>>>>>> !
>>>>>>> interface Serial1/1
>>>>>>> no ip address
>>>>>>> encapsulation frame-relay
>>>>>>> !
>>>>>>> interface Serial1/1.35 point-to-point
>>>>>>> ip address 132.1.35.3 255.255.255.0
>>>>>>> frame-relay interface-dlci 315
>>>>>>> crypto map VPN
>>>>>>> !
>>>>>>> interface Serial1/2
>>>>>>> no ip address
>>>>>>> shutdown
>>>>>>> !
>>>>>>> interface Serial1/3
>>>>>>> no ip address
>>>>>>> shutdown
>>>>>>> !
>>>>>>> router ospf 1
>>>>>>> router-id 150.1.3.3
>>>>>>> log-adjacency-changes
>>>>>>> redistribute connected subnets route-map CONNECTED_TO_OSPF
>>>>>>> network 132.1.0.3 0.0.0.0 area 0
>>>>>>> network 132.1.35.3 0.0.0.0 area 345
>>>>>>> network 150.1.3.3 0.0.0.0 area 0
>>>>>>> !
>>>>>>> router bgp 100
>>>>>>> no synchronization
>>>>>>> bgp router-id 150.1.3.3
>>>>>>> bgp log-neighbor-changes
>>>>>>> neighbor 150.1.2.2 remote-as 100
>>>>>>> neighbor 150.1.2.2 update-source Loopback0
>>>>>>> no auto-summary
>>>>>>> !
>>>>>>> ip http server
>>>>>>> no ip http secure-server
>>>>>>> ip classless
>>>>>>> ip route 132.1.115.0 255.255.255.0 132.1.35.5
>>>>>>> ip route 192.10.6.0 255.255.255.0 132.1.35.6
>>>>>>> !
>>>>>>> !
>>>>>>> !
>>>>>>> ip access-list extended vlan3_to_vlan112
>>>>>>> permit ip 10.3.3.0 0.0.0.255 192.10.6.0 0.0.0.255
>>>>>>> ip access-list extended vlan3_to_vlan44
>>>>>>> permit ip 10.3.3.0 0.0.0.255 10.4.4.0 0.0.0.255
>>>>>>> !
>>>>>>> !
>>>>>>> route-map CONNECTED_TO_OSPF permit 10
>>>>>>> match interface FastEthernet0/0
>>>>>>> !
>>>>>>> !
>>>>>>> call rsvp-sync
>>>>>>> !
>>>>>>> !
>>>>>>> mgcp profile default
>>>>>>> !
>>>>>>> !
>>>>>>> !
>>>>>>> dial-peer cor custom
>>>>>>> !
>>>>>>> !
>>>>>>> !
>>>>>>> !
>>>>>>> !
>>>>>>> line con 0
>>>>>>> exec-timeout 0 0
>>>>>>> privilege level 15
>>>>>>> logging synchronous
>>>>>>> line aux 0
>>>>>>> exec-timeout 0 0
>>>>>>> privilege level 15
>>>>>>> line vty 0 4
>>>>>>> password cisco
>>>>>>> login
>>>>>>> !
>>>>>>> !
>>>>>>> end
>>>>>>>
>>>>>>>
>>>>>>>
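The proxy-identity comparison Luan points at (R3's crypto ACL against the concentrator's local/remote network entries) can be checked mechanically rather than by eye. This is an added Python example, not code from the thread; it assumes the VPN3k entries are written as address/wildcard strings as quoted in the thread, and it handles host, any and contiguous-wildcard endpoints generally. It concerns the phase 2 identities; the debug in the thread stalls in phase 1 (MM_SA_SETUP), so this check applies once phase 1 completes.

```python
import ipaddress

# Constructed sample from the thread: R3's crypto ACL before and after Luan's
# suggestion, and the VPN3k LAN-to-LAN entry written as address/wildcard.
R3_ACL_ORIGINAL = """ip access-list extended vlan3_to_vlan112
 permit ip 10.3.3.0 0.0.0.255 192.10.6.0 0.0.0.255"""
R3_ACL_HOSTS = """ip access-list extended vlan3_to_vlan112
 permit ip host 10.3.3.3 host 192.10.6.254"""
VPN3K_LOCAL, VPN3K_REMOTE = "192.10.6.254/0.0.0.0", "10.3.3.3/0.0.0.0"

def wildcard_to_network(addr, wildcard):
    """IOS address + wildcard mask -> ip_network (contiguous wildcards only)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - wc.bit_length()
    if wc != (1 << (32 - prefix)) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def _take_endpoint(tokens):
    """Consume one ACL endpoint: 'host A', 'any', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return wildcard_to_network(tok, tokens.pop(0))

def proxy_ids_from_acl(text):
    """(src, dst) proxy identity proposed by each 'permit ip' line of the ACL."""
    ids = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] == ["permit", "ip"]:
            rest = tokens[2:]
            ids.append((_take_endpoint(rest), _take_endpoint(rest)))
    return ids

def proxy_id_from_vpn3k(local, remote):
    """Seen from the router, the concentrator's remote network is the source."""
    loc = wildcard_to_network(*local.split("/"))
    rem = wildcard_to_network(*remote.split("/"))
    return (rem, loc)

def classify(router_id, peer_id):
    """'exact' if the two sides mirror; 'narrower' if the router proposes a subset
    of the peer's entry; otherwise 'mismatch', which phase 2 cannot agree on."""
    if router_id == peer_id:
        return "exact"
    if router_id[0].subnet_of(peer_id[0]) and router_id[1].subnet_of(peer_id[1]):
        return "narrower"
    return "mismatch"
```

With the thread's values, the original /24-to-/24 ACL classifies as "mismatch" against the concentrator's host entries, and the host-to-host ACL as "exact".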



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:22 ART