Re: DMVPN ipsec

From: olumayokun fowowe <olumayokun_at_gmail.com>
Date: Tue, 12 May 2009 17:22:31 +0100

Hello all,

Thanks for your help so far. I have done all that you've suggested but the
situation still remains the same:

Crypto ISAKMP debugging is on
SPOKE#
May 12 15:18:07.334: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
May 12 15:18:07.334: ISAKMP (0:0): incrementing error counter on sa, attempt
2 of 5: retransmit phase 1
May 12 15:18:07.334: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
May 12 15:18:07.334: ISAKMP:(0): sending packet to y.y.50.102 my_port 500
peer_port 500 (I) MM_NO_STATE
May 12 15:18:17.333: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
May 12 15:18:17.333: ISAKMP (0:0): incrementing error counter on sa, attempt
3 of 5: retransmit phase 1
May 12 15:18:17.333: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
May 12 15:18:17.333: ISAKMP:(0): sending packet to y.y.50.102 my_port 500
peer_port 500 (I) MM_NO_STATE
May 12 15:18:17.333: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= y.y.50.26, remote= y.y.50.102,
    local_proxy= y.y.50.26/255.255.255.255/47/0 (type=1),
    remote_proxy= y.y.50.102/255.255.255.255/47/0 (type=1)
May 12 15:18:17.333: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= y.y.50.26, remote= y.y.50.102,
    local_proxy= y.y.50.26/255.255.255.255/47/0 (type=1),
    remote_proxy= y.y.50.102/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE (Transport),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
May 12 15:18:17.333: ISAKMP: set new node 0 to QM_IDLE
May 12 15:18:17.333: ISAKMP:(0):SA is still budding. Attached new ipsec
request to it. (local y.y.50.26, remote y.y.50.102)
May 12 15:18:17.333: ISAKMP: Error while processing SA request: Failed to
initialize SA
May 12 15:18:17.333: ISAKMP: Error while processing KMI message 0, error 2.
May 12 15:18:27.332: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
May 12 15:18:27.332: ISAKMP (0:0): incrementing error counter on sa, attempt
4 of 5: retransmit phase 1
May 12 15:18:27.332: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
May 12 15:18:27.332: ISAKMP:(0): sending packet to y.y.50.102 my_port 500
peer_port 500 (I) MM_NO_STATE
May 12 15:18:32.980: ISAKMP:(0):purging node 878653728
May 12 15:18:32.980: ISAKMP:(0):purging node -1735576608
May 12 15:18:37.331: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
May 12 15:18:37.331: ISAKMP (0:0): incrementing error counter on sa, attempt
5 of 5: retransmit phase 1
May 12 15:18:37.331: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
May 12 15:18:37.331: ISAKMP:(0): sending packet to y.y.50.102 my_port 500
peer_port 500 (I) MM_NO_STATE
May 12 15:18:42.979: ISAKMP:(0):purging SA., sa=645B0170, delme=645B0170un
all
May 12 15:18:47.331: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= y.y.50.26, remote= y.y.50.102,
    local_proxy= y.y.50.26/255.255.255.255/47/0 (type=1),
    remote_proxy= y.y.50.102/255.255.255.255/47/0 (type=1)
May 12 15:18:47.331: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
May 12 15:18:47.331: ISAKMP:(0):peer does not do paranoid keepalives.

May 12 15:18:47.331: ISAKMP:(0):deleting SA reason "Death by retransmission
P1" state (I) MM_NO_STATE (peer y.y.50.102)
May 12 15:18:47.331: ISAKMP:(0):deleting SA reason "Death by retransmission
P1" state (I) MM_NO_STATE (peer y.y.50.102)
May 12 15:18:47.331: ISAKMP: Unlocking peer struct 0x652A68A8 for
isadb_mark_sa_deleted(), count 0
May 12 15:18:47.331: ISAKMP: Deleting peer node by peer_reap for y.y.50.102:
652A68A8
May 12 15:18:47.331: ISAKMP:(0):deleting node 921848229 error FALSE reason
"IKE deleted"
May 12 15:18:47.331: ISAKMP:(0):deleting node -1937311521 error FALSE reason
"IKE deleted"
May 12 15:18:47.331: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 12 15:18:47.331: ISAKMP:(0):Old State = IKE_I_MM1 New State =
IKE_DEST_SA

May 12 15:18:47.331: IPSEC(key_engine): got a queue event with 1 KMI
message(s)
May 12 15:18:48.282: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= y.y.50.26, remote= y.y.50.102,
    local_proxy= y.y.50.26/255.255.255.255/47/0 (type=1),
    remote_proxy= y.y.50.102/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE (Transport),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
May 12 15:18:48.282: ISAKMP:(0): SA request profile is (NULL)
May 12 15:18:48.282: ISAKMP: Created a peer struct for y.y.50.102, peer port
500
May 12 15:18:48.282: ISAKMP: New peer created peer = 0x652A68A8 peer_handle
= 0x8000000A
May 12 15:18:48.282: ISAKMP: Locking peer struct 0x652A68A8, refcount 1 for
isakmp_initiator
May 12 15:18:48.282: ISAKMP: local port 500, remote port 500
May 12 15:18:48.282: ISAKMP: set new node 0 to QM_IDLE
May 12 15:18:48.282: ISAKMP: Find a dup sa in the avl tree during calling
isadb_insert sa = 645B0170
May 12 15:18:48.282: ISAKMP:(0):Can not start Aggressive mode, trying Main
mode.
May 12 15:18:48.282: ISAKMP:(0):found peer pre-shared key matching
y.y.50.102
May 12 15:18:48.282: ISAKMP:(0): constructed NAT-T vendor-07 ID
May 12 15:18:48.282: ISAKMP:(0): constructed NAT-T vendor-03 ID
May 12 15:18:48.282: ISAKMP:(0): constructed NAT-T vendor-02 ID
May 12 15:18:48.282: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
May 12 15:18:48.286: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

May 12 15:18:48.286: ISAKMP:(0): beginning Main Mode exchange
May 12 15:18:48.286: ISAKMP:(0): sending packet to y.y.50.102 my_port 500
peer_port 500 (I) MM_NO_STATE
All possible debugging has been turned off

On Tue, May 12, 2009 at 2:50 PM, Dale Shaw <dale.shaw_at_gmail.com> wrote:

> Hi,
>
> Sorry, I missed your earlier point about it all working until you apply
> IPSec.
>
> On Tue, May 12, 2009 at 11:18 PM, olumayokun fowowe
> <olumayokun_at_gmail.com> wrote:
> > Hello Dale
> >
> > I did tunnel mode gre multipoint as you suggested but I'm still having
> the
> > same error as indicated below:
>
> Try:
>
> crypto ipsec transform-set cisco_vpnset esp-3des esp-sha-hmac
> mode transport
>
> The other differences I see in your config to my working config are:
>
> crypto ipsec profile cisco_vpnprof
> set pfs group2
>
> (but it's probably not that)
>
> int tun0
> ip mtu 1420
>
> (you need that, but it's probably not that)
>
> on the spokes:
>
> int tun0
> ip nhrp nhs 10.x.x.1
>
> (you need that, but I don't think that'll stop a spoke-to-hub tunnel
> forming)
>
> Take it back to basics.. are you sure you've got the IPSec stuff
> configured properly on all routers? 'tunnel protection ipsec' is
> configured on all tunnel interfaces?
>
> Troubleshoot it as an IPSec problem and forget about DMVPN. Enable
> some debugs -- 'debug crypto isakmp' first, then 'debug crypto ipsec',
> then maybe 'debug crypto engine'
>
> I'm not sure why you're seeing a GRE packet (protocol 47) there..
>
> If all else fails, gather your configs again, except this time post
> the underlying physical interface config used by your tunnels.
>
> cheers,
> Dale
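As an added example (not part of this thread or either poster's own material), a small Python triage script for the kind of 'debug crypto isakmp' output shown above: it records the last main-mode state the initiator reached before "Death by retransmission P1" and maps it to the peer message that never came back. The sample lines are the spoke's debug lines re-joined where the e-mail wrapped them; the state-to-missing-message table is my reading of standard IOS IKEv1 debugging, not something stated in the thread.

```python
import re

# Constructed sample: a subset of the spoke's 'debug crypto isakmp' output from
# the thread, with the e-mail's wrapped lines re-joined onto single lines.
SAMPLE_DEBUG = """\
May 12 15:18:07.334: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
May 12 15:18:07.334: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
May 12 15:18:07.334: ISAKMP:(0): sending packet to y.y.50.102 my_port 500 peer_port 500 (I) MM_NO_STATE
May 12 15:18:17.333: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
May 12 15:18:27.332: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
May 12 15:18:37.331: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
May 12 15:18:47.331: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer y.y.50.102)
May 12 15:18:48.282: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
"""

RETRANSMIT = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
SEND = re.compile(r"sending packet to (\S+) my_port \d+ peer_port \d+ \((I|R)\) (\w+)")
DEATH = re.compile(r'deleting SA reason "Death by retransmission P1" state \((I|R)\) (\w+) \(peer (\S+)\)')

# Last main-mode state an initiator reached -> the peer message it never got
# (assumed standard IKEv1 reading: MM_NO_STATE means MM1 was sent and nothing
# at all came back, so the peer is unreachable on UDP/500 or has no IKE config).
MISSING = {"MM_NO_STATE": "MM2 (peer never answered the SA proposal)",
           "MM_SA_SETUP": "MM4 (peer dropped the DH exchange)",
           "MM_KEY_EXCH": "MM6 (authentication failed, e.g. PSK or ID mismatch)"}

def triage_isakmp(debug_text):
    """Summarise phase 1 progress from 'debug crypto isakmp' lines."""
    s = {"peer": None, "role": None, "last_mm_state": None,
         "retransmits": 0, "max_attempts": 0, "died_p1": False}
    for line in debug_text.splitlines():
        if m := RETRANSMIT.search(line):
            s["retransmits"] += 1
            s["max_attempts"] = int(m.group(2))
        elif m := SEND.search(line):
            s["peer"], s["role"], s["last_mm_state"] = m.groups()
        elif m := DEATH.search(line):
            s["died_p1"] = True
            s["role"], s["last_mm_state"], s["peer"] = m.groups()
    return s

def diagnose(s):
    """Map the last main-mode state reached to the message that never arrived."""
    if not s["died_p1"]:
        return "no phase 1 failure recorded"
    if s["role"] != "I":
        return "responder side: read the initiator's debug to see which message went unanswered"
    missing = MISSING.get(s["last_mm_state"], "unknown")
    return (f"phase 1 with {s['peer']} died in {s['last_mm_state']} after "
            f"{s['retransmits']} retransmits: never received {missing}")

print(diagnose(triage_isakmp(SAMPLE_DEBUG)))
```

On the thread's output the verdict is that MM1 was retransmitted to y.y.50.102 until the SA was torn down with no reply, which is why the advice to check 'tunnel protection ipsec' and UDP/500 reachability on every router comes before anything DMVPN-specific.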

Received on Tue May 12 2009 - 17:22:31 ART
