Re: VPN won't come up

From: john matijevic (john.matijevic@gmail.com)
Date: Tue Jun 17 2008 - 05:20:50 ART


Hello Dane,
Please try removing and re-entering the key on both sides, and also please post
the config of the other router.
Sincerely,
John

On Mon, Jun 16, 2008 at 11:49 PM, Dane Newman <dane.newman@gmail.com> wrote:

> Oops, sorry, that was my terminal window changing
>
> no permit ip 10.3.3.0 0.0.0.255 192.10.6.0 0.0.0.255
>
> into
>
> Rack1R3(config-ext-nacl)#$ip 10.3.3.0 0.0.0.255 192.10.6.0 0.0.0.255
>
> Stupid terminal cutting stuff off.
>
> On Mon, Jun 16, 2008 at 11:47 PM, Dane Newman <dane.newman@gmail.com>
> wrote:
>
> > Ah, gotcha.
> >
> > Tried it, no dice ;(
> > Rack1R3#config t
> > Enter configuration commands, one per line. End with CNTL/Z.
> > Rack1R3(config)#ip access-list extended vlan3_to_vlan112
> > Rack1R3(config-ext-nacl)#$ip 10.3.3.0 0.0.0.255 192.10.6.0 0.0.0.255
> >
> > Rack1R3(config-ext-nacl)#permit ip host 10.3.3.3 host 192.10.6.254
> > Rack1R3(config-ext-nacl)#exit
> > Rack1R3(config)#exit
> > Rack1R3#ping 192.10.6.254 source 10.3.3.3
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 192.10.6.254, timeout is 2 seconds:
> > Packet sent with a source address of 10.3.3.3
> > .....
> > Success rate is 0 percent (0/5)
> > Rack1R3#
> >
> >
> > On Mon, Jun 16, 2008 at 11:25 PM, Luan Nguyen <luan.m.nguyen@gmail.com>
> > wrote:
> >
> >> I meant change this:
> >> " ip access-list extended vlan3_to_vlan112
> >> permit ip 10.3.3.0 0.0.0.255 192.10.6.0 0.0.0.255"
> >> to this:
> >> ip access-list extended vlan3_to_vlan112
> >> permit ip host 10.3.3.3 host 192.10.6.254
> >>
> >>
> >>
> >> On Mon, Jun 16, 2008 at 11:21 PM, Dane Newman <dane.newman@gmail.com>
> >> wrote:
> >>
> >>> There is no access-list on R3's S1/1.35 interface, which is what the
> >>> crypto map is applied to, so there should be no filtering going on?
> >>>
> >>>
> >>> On Mon, Jun 16, 2008 at 10:33 PM, Luan Nguyen <luan.m.nguyen@gmail.com> wrote:
> >>>
> >>>> Yeah, it should work... sorry, it just looks funny at the moment :P
> >>>> So on the VPN side you have
> >>>> interface = its WAN 131.1.115.11
> >>>> bidirectional
> >>>> peer 10.3.3.3
> >>>> localnetwork ip address 192.10.6.254/0.0.0.0
> >>>> remotenetwork 10.3.3.3/0.0.0.0
> >>>> ?
> >>>> My only other suggestion would be, on your router ACL, use permit host
> >>>> 10.3.3.3 host 192.10.6.254.
> >>>>
> >>>>
> >>>>
> >>>> On Mon, Jun 16, 2008 at 10:06 PM, Dane Newman <dane.newman@gmail.com>
> >>>> wrote:
> >>>>
> >>>>> In one of the requirements in the first part of the lab it told me to
> >>>>> do
> >>>>>
> >>>>> crypto map VPN local-address FastEthernet0/0
> >>>>>
> >>>>> to the crypto map VPN on R3. So I didn't want to break the requirement
> >>>>> in the first part, so I put into the VPN3k that the peer was fa0/0 of R3
> >>>>> (10.3.3.3). This config should work, no?
> >>>>>
> >>>>> Dane
> >>>>>
> >>>>> On Mon, Jun 16, 2008 at 9:49 PM, Luan Nguyen <luan.m.nguyen@gmail.com> wrote:
> >>>>>
> >>>>>> Local-address should be Serial1/1.35
> >>>>>>
> >>>>>> -Luan
> >>>>>>
> >>>>>> On Mon, Jun 16, 2008 at 7:31 PM, Dane Newman <dane.newman@gmail.com> wrote:
> >>>>>>
> >>>>>>> I am doing a LAN-to-LAN VPN as per the scenario with a router and the
> >>>>>>> VPN3k. Below is the debug. I see that during the ISAKMP phase 1 it
> >>>>>>> finds a policy on both devices that matches, but after that, when I
> >>>>>>> debug crypt isa error, it shows the only error to be
> >>>>>>>
> >>>>>>> Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
> >>>>>>>
> >>>>>>> I looked that up online and it said
> >>>>>>>
> >>>>>>> Indicates that the notify message received from the peer lacked a
> >>>>>>> valid hash. This means that the notify message was not authenticated.
> >>>>>>> For security reasons, this message is ignored.
> >>>>>>>
> >>>>>>> http://www.cisco.com/univercd/cc/td/doc/product/vpn/solution/aswan15/omt/omt_03a.htm
> >>>>>>>
> >>>>>>> Anyone able to comment?
> >>>>>>>
> >>>>>>> Rack1R3#ping 192.10.6.254 source 10.3.3.3
> >>>>>>> Type escape sequence to abort.
> >>>>>>> Sending 5, 100-byte ICMP Echos to 192.10.6.254, timeout is 2 seconds:
> >>>>>>> Packet sent with a source address of 10.3.3.3
> >>>>>>> Jun 16 16:22:33.830: ISAKMP: received ke message (1/1)
> >>>>>>> Jun 16 16:22:33.830: ISAKMP (0:0): SA request profile is (NULL)
> >>>>>>> Jun 16 16:22:33.830: ISAKMP: local port 500, remote port 500
> >>>>>>> Jun 16 16:22:33.830: ISAKMP: set new node 0 to QM_IDLE
> >>>>>>> Jun 16 16:22:33.834: ISAKMP: insert sa successfully sa = 83B46590
> >>>>>>> Jun 16 16:22:33.834: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
> >>>>>>> Jun 16 16:22:33.834: ISAKMP: Looking for a matching key for 132.1.115.11 in default : success
> >>>>>>> Jun 16 16:22:33.834: ISAKMP (0:1): found peer pre-shared key matching 132.1.115.11
> >>>>>>> Jun 16 16:22:33.834: ISAKMP (0:1): constructed NAT-T vendor-03 ID
> >>>>>>> Jun 16 16:22:33.834: ISAKMP (0:1): constructed NAT-T vendor-02 ID
> >>>>>>> Jun 16 16:22:33.834: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
> >>>>>>> Jun 16 16:22:33.834: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
> >>>>>>> Jun 16 16:22:33.838: ISAKMP (0:1): beginning Main Mode exchange
> >>>>>>> Jun 16 16:22:33.838: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_NO_STATE
> >>>>>>> Jun 16 16:22:34.043: ISAKMP (0:1): received packet from 132.1.115.11 dport 500 sport 500 Global (I) MM_NO_STATE
> >>>>>>> Jun 16 16:22:34.043: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> >>>>>>> Jun 16 16:22:34.043: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
> >>>>>>> Jun 16 16:22:34.047: ISAKMP (0:1): processing SA payload. message ID = 0
> >>>>>>> Jun 16 16:22:34.047: ISAKMP (0:1): processing vendor id payload
> >>>>>>> Jun 16 16:22:34.047: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
> >>>>>>> Jun 16 16:22:34.047: ISAKMP: Looking for a matching key for 132.1.115.11 in default : success
> >>>>>>> Jun 16 16:22:34.047: ISAKMP (0:1): found peer pre-shared key matching 132.1.115.11
> >>>>>>> Jun 16 16:22:34.047: ISAKMP (0:1) local preshared key found
> >>>>>>> Jun 16 16:22:34.047: ISAKMP : Scanning profiles for xauth ...
> >>>>>>> Jun 16 16:22:34.051: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
> >>>>>>> Jun 16 16:22:34.051: ISAKMP: encryption 3DES-CBC
> >>>>>>> Jun 16 16:22:34.051: ISAKMP: hash MD5
> >>>>>>> Jun 16 16:22:34.051: ISAKMP: default group 2
> >>>>>>> Jun 16 16:22:34.051: ISAKMP: auth pre-share
> >>>>>>> Jun 16 16:22:34.051: ISAKMP: life type in seconds
> >>>>>>> Jun 16 16:22:34.051: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
> >>>>>>> Jun 16 16:22:34.051: ISAKMP (0:1): atts are acceptable. Next payload is 0
> >>>>>>> Jun 16 16:22:34.315: ISAKMP (0:1): processing vendor id payload
> >>>>>>> Jun 16 16:22:34.315: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
> >>>>>>> Jun 16 16:22:34.315: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
> >>>>>>> Jun 16 16:22:34.319: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
> >>>>>>> Jun 16 16:22:34.319: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_SA_SETUP
> >>>>>>> Jun 16 16:22:34.323: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
> >>>>>>> Jun 16 16:22:34.323: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
> >>>>>>> ....
> >>>>>>> Success rate is 0 percent (0/5)
> >>>>>>> Rack1R3#
> >>>>>>> Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
> >>>>>>> Jun 16 16:22:44.323: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
> >>>>>>> Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
> >>>>>>> Jun 16 16:22:44.323: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_SA_SETUP
> >>>>>>> Jun 16 16:22:44.428: ISAKMP (0:1): received packet from 132.1.115.11 dport 500 sport 500 Global (I) MM_SA_SETUP
> >>>>>>> Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
> >>>>>>> Jun 16 16:22:44.432: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
> >>>>>>> Jun 16 16:22:44.432: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM3
> >>>>>>> Rack1R3#
> >>>>>>> Jun 16 16:23:03.831: ISAKMP: received ke message (1/1)
> >>>>>>> Jun 16 16:23:03.831: ISAKMP: set new node 0 to QM_IDLE
> >>>>>>> Jun 16 16:23:03.831: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 10.3.3.3, remote 132.1.115.11)
> >>>>>>> Rack1R3#
> >>>>>>> Jun 16 16:23:33.833: ISAKMP: received ke message (3/1)
> >>>>>>> Jun 16 16:23:33.833: ISAKMP (0:1): peer does not do paranoid keepalives.
> >>>>>>> Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer 132.1.115.11) input queue 0
> >>>>>>> Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer 132.1.115.11) input queue 0
> >>>>>>> Jun 16 16:23:33.837: ISAKMP (0:1): deleting node -492041071 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
> >>>>>>> Jun 16 16:23:33.837: ISAKMP (0:1): deleting node -1371117716 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
> >>>>>>> Rack1R3#
> >>>>>>> Jun 16 16:23:33.837: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
> >>>>>>> Jun 16 16:23:33.837: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_DEST_SA
> >>>>>>> Rack1R3#
> >>>>>>> Jun 16 16:24:23.839: ISAKMP (0:1): purging node -492041071
> >>>>>>> Jun 16 16:24:23.839: ISAKMP (0:1): purging node -1371117716
> >>>>>>> Rack1R3#
> >>>>>>> Jun 16 16:24:33.839: ISAKMP (0:1): purging SA., sa=83B46590, delme=83B46590
> >>>>>>> Rack1R3#u all
> >>>>>>> All possible debugging has been turned off
> >>>>>>> Rack1R3#
> >>>>>>>
> >>>>>>> Rack1R3#show run
> >>>>>>> Building configuration...
> >>>>>>> Current configuration : 3053 bytes
> >>>>>>> !
> >>>>>>> ! Last configuration change at 16:18:44 UTC Mon Jun 16 2008
> >>>>>>> ! NVRAM config last updated at 15:46:05 UTC Mon Jun 16 2008
> >>>>>>> !
> >>>>>>> version 12.2
> >>>>>>> service timestamps debug datetime msec
> >>>>>>> service timestamps log datetime msec
> >>>>>>> no service password-encryption
> >>>>>>> !
> >>>>>>> hostname Rack1R3
> >>>>>>> !
> >>>>>>> logging queue-limit 100
> >>>>>>> enable password cisco
> >>>>>>> !
> >>>>>>> ip subnet-zero
> >>>>>>> !
> >>>>>>> !
> >>>>>>> no ip domain lookup
> >>>>>>> !
> >>>>>>> ip audit notify log
> >>>>>>> ip audit po max-events 100
> >>>>>>> mpls ldp logging neighbor-changes
> >>>>>>> !
> >>>>>>> !
> >>>>>>> !
> >>>>>>> crypto isakmp policy 1
> >>>>>>> encr 3des
> >>>>>>> hash md5
> >>>>>>> authentication pre-share
> >>>>>>> group 2
> >>>>>>> !
> >>>>>>> crypto isakmp policy 10
> >>>>>>> authentication pre-share
> >>>>>>> lifetime 2400
> >>>>>>> !
> >>>>>>> crypto isakmp policy 20
> >>>>>>> encr 3des
> >>>>>>> hash md5
> >>>>>>> authentication pre-share
> >>>>>>> group 2
> >>>>>>> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
> >>>>>>> !
> >>>>>>> !
> >>>>>>> crypto ipsec transform-set DES_MD5 esp-des esp-md5-hmac
> >>>>>>> crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
> >>>>>>> !
> >>>>>>> !
> >>>>>>> !
> >>>>>>> crypto map VPN local-address FastEthernet0/0
> >>>>>>> crypto map VPN 10 ipsec-isakmp
> >>>>>>> set peer 10.4.4.4
> >>>>>>> set transform-set DES_MD5
> >>>>>>> match address vlan3_to_vlan44
> >>>>>>> crypto map VPN 20 ipsec-isakmp
> >>>>>>> set peer 132.1.115.11
> >>>>>>> set transform-set 3DES_MD5
> >>>>>>> match address vlan3_to_vlan112
> >>>>>>> !
> >>>>>>> !
> >>>>>>> !
> >>>>>>> !
> >>>>>>> !
> >>>>>>> !
> >>>>>>> !
> >>>>>>> !
> >>>>>>> !
> >>>>>>> !
> >>>>>>> no voice hpi capture buffer
> >>>>>>> no voice hpi capture destination
> >>>>>>> !
> >>>>>>> !
> >>>>>>> mta receive maximum-recipients 0
> >>>>>>> !
> >>>>>>> !
> >>>>>>> !
> >>>>>>> !
> >>>>>>> interface Loopback0
> >>>>>>> ip address 150.1.3.3 255.255.255.0
> >>>>>>> !
> >>>>>>> interface FastEthernet0/0
> >>>>>>> ip address 10.3.3.3 255.255.255.0
> >>>>>>> duplex auto
> >>>>>>> speed auto
> >>>>>>> !
> >>>>>>> interface FastEthernet0/1
> >>>>>>> ip address 132.1.33.3 255.255.255.0
> >>>>>>> duplex auto
> >>>>>>> speed auto
> >>>>>>> !
> >>>>>>> interface Serial1/0
> >>>>>>> no ip address
> >>>>>>> encapsulation frame-relay
> >>>>>>> !
> >>>>>>> interface Serial1/0.1234 point-to-point
> >>>>>>> ip address 132.1.0.3 255.255.255.0
> >>>>>>> ip ospf network point-to-multipoint
> >>>>>>> frame-relay interface-dlci 302
> >>>>>>> crypto map VPN
> >>>>>>> !
> >>>>>>> interface Serial1/1
> >>>>>>> no ip address
> >>>>>>> encapsulation frame-relay
> >>>>>>> !
> >>>>>>> interface Serial1/1.35 point-to-point
> >>>>>>> ip address 132.1.35.3 255.255.255.0
> >>>>>>> frame-relay interface-dlci 315
> >>>>>>> crypto map VPN
> >>>>>>> !
> >>>>>>> interface Serial1/2
> >>>>>>> no ip address
> >>>>>>> shutdown
> >>>>>>> !
> >>>>>>> interface Serial1/3
> >>>>>>> no ip address
> >>>>>>> shutdown
> >>>>>>> !
> >>>>>>> router ospf 1
> >>>>>>> router-id 150.1.3.3
> >>>>>>> log-adjacency-changes
> >>>>>>> redistribute connected subnets route-map CONNECTED_TO_OSPF
> >>>>>>> network 132.1.0.3 0.0.0.0 area 0
> >>>>>>> network 132.1.35.3 0.0.0.0 area 345
> >>>>>>> network 150.1.3.3 0.0.0.0 area 0
> >>>>>>> !
> >>>>>>> router bgp 100
> >>>>>>> no synchronization
> >>>>>>> bgp router-id 150.1.3.3
> >>>>>>> bgp log-neighbor-changes
> >>>>>>> neighbor 150.1.2.2 remote-as 100
> >>>>>>> neighbor 150.1.2.2 update-source Loopback0
> >>>>>>> no auto-summary
> >>>>>>> !
> >>>>>>> ip http server
> >>>>>>> no ip http secure-server
> >>>>>>> ip classless
> >>>>>>> ip route 132.1.115.0 255.255.255.0 132.1.35.5
> >>>>>>> ip route 192.10.6.0 255.255.255.0 132.1.35.6
> >>>>>>> !
> >>>>>>> !
> >>>>>>> !
> >>>>>>> ip access-list extended vlan3_to_vlan112
> >>>>>>> permit ip 10.3.3.0 0.0.0.255 192.10.6.0 0.0.0.255
> >>>>>>> ip access-list extended vlan3_to_vlan44
> >>>>>>> permit ip 10.3.3.0 0.0.0.255 10.4.4.0 0.0.0.255
> >>>>>>> !
> >>>>>>> !
> >>>>>>> route-map CONNECTED_TO_OSPF permit 10
> >>>>>>> match interface FastEthernet0/0
> >>>>>>> !
> >>>>>>> !
> >>>>>>> call rsvp-sync
> >>>>>>> !
> >>>>>>> !
> >>>>>>> mgcp profile default
> >>>>>>> !
> >>>>>>> !
> >>>>>>> !
> >>>>>>> dial-peer cor custom
> >>>>>>> !
> >>>>>>> !
> >>>>>>> !
> >>>>>>> !
> >>>>>>> !
> >>>>>>> line con 0
> >>>>>>> exec-timeout 0 0
> >>>>>>> privilege level 15
> >>>>>>> logging synchronous
> >>>>>>> line aux 0
> >>>>>>> exec-timeout 0 0
> >>>>>>> privilege level 15
> >>>>>>> line vty 0 4
> >>>>>>> password cisco
> >>>>>>> login
> >>>>>>> !
> >>>>>>> !
> >>>>>>> end
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> _______________________________________________________________________
> >>>>>>> Subscription information may be found at:
> >>>>>>> http://www.groupstudy.com/list/CCIELab.html

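The phase-1 state machine in Dane's debug can be read mechanically rather than by eye. What follows is an added example, not code from the thread or from Cisco: a small Python triage for initiator-side "debug crypto isakmp" output that records the furthest main-mode state reached, the retransmit count, notifies discarded for lacking a HASH payload, and the SA teardown, and folds them into a one-line diagnosis. The sample lines embedded in the block are a constructed, trimmed copy of the debug posted above; the state descriptions are the standard meanings of the IOS IKE_I_MMn initiator states, and the line patterns it keys on are the ones visible in this thread, so other IOS releases may need the regexes adjusted.

```python
import re

# Lines of IOS "debug crypto isakmp" output that the triage keys on.
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
PEER_RE = re.compile(r"(?:sending packet to|received packet from) (\d{1,3}(?:\.\d{1,3}){3})")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)"')

# IOS initiator-side main-mode states in order of progress, with what the
# initiator has done on reaching each one.
INITIATOR_MM = [
    ("IKE_I_MM1", "sent MM1 (SA proposal) and is waiting for the peer's SA reply"),
    ("IKE_I_MM2", "received MM2 (a policy was accepted) and is about to send KE + nonce"),
    ("IKE_I_MM3", "sent MM3 (KE + nonce) and is waiting for the peer's KE + nonce in MM4"),
    ("IKE_I_MM4", "received MM4 (peer KE + nonce); SKEYID can now be derived"),
    ("IKE_I_MM5", "sent MM5 (encrypted ID + auth hash) and is waiting for MM6"),
    ("IKE_I_MM6", "received MM6; phase 1 is complete"),
]
MM_RANK = {name: i for i, (name, _) in enumerate(INITIATOR_MM)}
MM_TEXT = dict(INITIATOR_MM)

# Constructed sample: a trimmed copy of the initiator-side debug posted in the thread.
SAMPLE_DEBUG = """\
Jun 16 16:22:33.834: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
Jun 16 16:22:33.834: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
Jun 16 16:22:33.838: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 16 16:22:34.043: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
Jun 16 16:22:34.051: ISAKMP (0:1): atts are acceptable. Next payload is 0
Jun 16 16:22:34.319: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jun 16 16:22:34.323: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
Jun 16 16:22:44.323: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
Jun 16 16:22:44.428: ISAKMP (0:1): received packet from 132.1.115.11 dport 500 sport 500 Global (I) MM_SA_SETUP
Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
Jun 16 16:22:44.432: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM3
Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer 132.1.115.11) input queue 0
Jun 16 16:23:33.837: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_DEST_SA
"""


def triage(debug_text):
    """Summarise an initiator-side ISAKMP debug capture as a dict of findings."""
    furthest = None          # furthest main-mode state reached before teardown
    transitions = []         # (old, new) pairs in order of appearance
    retransmits = 0          # IOS logs one "incrementing error counter" per retransmit
    unauth_notifies = 0      # notifies discarded because they carry no HASH payload
    policy_matched = False
    sa_deleted = False
    delete_reason = None
    peer = None

    for line in debug_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            old, new = m.groups()
            transitions.append((old, new))
            if new in MM_RANK and (furthest is None or MM_RANK[new] > MM_RANK[furthest]):
                furthest = new
        if "atts are acceptable" in line:
            policy_matched = True
        if "incrementing error counter on sa" in line:
            retransmits += 1
        if "Notify has no hash" in line:
            unauth_notifies += 1
        m = DELETE_RE.search(line)
        if m:
            sa_deleted = True
            delete_reason = m.group(1)
        m = PEER_RE.search(line)
        if m and peer is None:
            peer = m.group(1)

    completed = furthest == "IKE_I_MM6"
    if completed:
        diagnosis = "phase 1 completed"
    elif furthest is None:
        diagnosis = "no main-mode transition recorded; check that traffic matched the crypto ACL"
    else:
        diagnosis = "phase 1 stalled: the initiator " + MM_TEXT[furthest]
        if retransmits:
            diagnosis += f"; it retransmitted {retransmits} time(s) without a usable reply"
        if unauth_notifies:
            diagnosis += ("; the peer answered with a notify that has no HASH payload, which IOS "
                          "discards because nothing can be authenticated until both nonces and "
                          "DH values have been exchanged")
    return {
        "peer": peer, "policy_matched": policy_matched, "furthest_state": furthest,
        "phase1_completed": completed, "transitions": transitions,
        "retransmits": retransmits, "unauthenticated_notifies": unauth_notifies,
        "sa_deleted": sa_deleted, "delete_reason": delete_reason, "diagnosis": diagnosis,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

On the posted debug this reports that the policy matched, that the router reached IKE_I_MM3 (it sent its KE and nonce), retransmitted once, and that the only thing the concentrator sent back was an unauthenticated notify before the SA was torn down. Discarding that notify is the correct behaviour: before the DH and nonce exchange has completed there is no key to verify a HASH with, so honouring an unauthenticated notify would let anyone on the path abort or steer the negotiation by injecting one. The useful fact for troubleshooting is therefore not the rejection itself but that the peer never sent MM4, which points at the responder's side of the exchange.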

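Luan's host/host suggestion concerns the phase-2 proxy IDs: the router's crypto ACL and the concentrator's local/remote network pair must be exact mirror images, or quick mode fails even once phase 1 succeeds. The block below is an added example, not code from the thread or from either vendor: Python that parses IOS crypto-ACL entries (host, address/wildcard and any) and the "address/wildcard" form quoted for the VPN3k, and reports which selectors mirror each other and which do not. It assumes the concentrator's second field is a wildcard mask, as the thread's 192.10.6.254/0.0.0.0 notation suggests. One caveat: a selector mismatch only surfaces in quick mode, so it would not by itself explain a stall at MM3, but it is the next thing to check once phase 1 comes up.

```python
import ipaddress


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an ip_network (set wildcard bits = don't care)."""
    w = int(ipaddress.IPv4Address(wildcard))
    mask = (~w) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    # A proxy ID is a prefix; a non-contiguous wildcard cannot be expressed as one.
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"wildcard {wildcard} is not contiguous; it cannot express an IKE proxy ID")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_ace(ace):
    """Parse 'permit ip SRC DST' where each side is 'host A', 'A WILDCARD' or 'any'."""
    tokens = ace.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"only 'permit ip' entries act as crypto-map selectors: {ace!r}")
    rest, sides = tokens[2:], []
    while rest and len(sides) < 2:
        if rest[0] == "host":
            sides.append(ipaddress.ip_network(rest[1] + "/32"))
            rest = rest[2:]
        elif rest[0] == "any":
            sides.append(ipaddress.ip_network("0.0.0.0/0"))
            rest = rest[1:]
        else:
            sides.append(wildcard_to_network(rest[0], rest[1]))
            rest = rest[2:]
    if len(sides) != 2:
        raise ValueError(f"could not parse source and destination from {ace!r}")
    return sides[0], sides[1]


def parse_concentrator(entry):
    """Parse the 'address/wildcard' form the thread quotes for the VPN3k network lists.

    Assumption: the second field is a wildcard mask in the IOS sense (0.0.0.0 = one host).
    """
    addr, wildcard = entry.split("/")
    return wildcard_to_network(addr, wildcard)


def mirror_report(router_aces, peer_lan_to_lan):
    """Compare the router's crypto ACL with the peer's (local, remote) LAN-to-LAN pairs.

    The peer's local network must equal the router's destination and the peer's
    remote network the router's source; anything else is a phase-2 proxy-ID mismatch.
    """
    router = {tuple(str(n) for n in parse_ace(a)) for a in router_aces}
    peer = set()
    for peer_local, peer_remote in peer_lan_to_lan:
        src = str(parse_concentrator(peer_remote))   # peer's remote == our source
        dst = str(parse_concentrator(peer_local))    # peer's local == our destination
        peer.add((src, dst))
    return {
        "matched": sorted(router & peer),
        "only_on_router": sorted(router - peer),
        "only_on_peer": sorted(peer - router),
    }


if __name__ == "__main__":
    # Selectors as posted in the thread: the router's /24 entry against the
    # concentrator's host-to-host pair, then Luan's host/host suggestion.
    vpn3k = [("192.10.6.254/0.0.0.0", "10.3.3.3/0.0.0.0")]
    for acl in (["permit ip 10.3.3.0 0.0.0.255 192.10.6.0 0.0.0.255"],
                ["permit ip host 10.3.3.3 host 192.10.6.254"]):
        print(acl[0], "->", mirror_report(acl, vpn3k))
```

With the /24 entry the report lists the router's 10.3.3.0/24 to 192.10.6.0/24 selector as present only on the router and the concentrator's 10.3.3.3/32 to 192.10.6.254/32 pair as present only on the peer; with the host/host entry the two sets coincide. Running this against both ends' configurations is quicker than reading "proxy identities not supported" out of a phase-2 debug, and it also catches the non-contiguous wildcard that an ACL accepts but a proxy ID cannot carry.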

This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:22 ART