Something has changed after I removed and then reconfigured everything. The
remote router is behind a 3G router that does NAT for the remote site.
The VPN is established for a while, then disconnected for another while. I feel
the 3G router changes its real IP, but the remote router doesn't know about this
change, so it keeps believing in the same SPI, and the server can't work with
the same SPI if the IP changed for the remote. See the output below from the
server side. I.e., what command do I need to avoid the rapid change in the
remote site IP address, especially since the remote doesn't know that the IP has
changed because it is behind a NATing device!!
*Jan 3 19:12:19.439: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=217.66.227.245, prot=50,
spi=0x471383AB(1192461227), srcaddr=188.64.204.78
*Jan 3 19:12:19.439: ISAKMP: ignoring request to send delete notify (no
ISAKMP sa) src 217.66.227.245 dst 188.64.204.78 for SPI 0x471383AB
*Jan 3 19:12:28.135: ISAKMP: ignoring request to send delete notify (no
ISAKMP sa) src 217.66.227.245 dst 188.64.204.78 for SPI 0x471383AB
*Jan 3 19:12:37.827: ISAKMP: ignoring request to send delete notify (no
ISAKMP sa) src 217.66.227.245 dst 188.64.204.78 for SPI 0x471383AB
*Jan 3 19:12:57.475: ISAKMP: ignoring request to send delete notify (no
ISAKMP sa) src 217.66.227.245 dst 188.64.204.78 for SPI 0x471383AB
From: Piotr Matusiak [mailto:pitt2k_at_gmail.com]
Sent: Tuesday, January 03, 2012 10:59 PM
To: amin
Cc: Sadiq Yakasai; ccielab_at_groupstudy.com
Subject: Re: proxy identities not supported
Paste output of 'deb cry isa' on both sides during connection.
Regards,
--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com
"If you can't explain it simply, you don't understand it well enough" - Albert Einstein

2012/1/3 amin <amin_at_axizo.com>

server side

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname test
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
!
dot11 syslog
ip source-route
!
ip dhcp excluded-address 192.168.0.1 192.168.0.80
!
ip dhcp pool POOL
 network 192.168.0.0 255.255.255.128
 dns-server 192.168.0.20 8.8.8.8
 default-router 192.168.0.1
!
ip cef
!
multilink bundle-name authenticated
!
username test privilege 15 password test
username test privilege 15 user-maxlinks 255 test
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key test address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group test
 key test
 pool SDM_POOL_1
 acl 101
 save-password
 max-users 5000
crypto isakmp profile sdm-ike-profile-1
   match identity group test
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_2
   client configuration address respond
   virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
!
crypto ipsec profile SDM_Profile2
 set transform-set ESP-3DES-SHA1
 set isakmp-profile sdm-ike-profile-1
!
archive
 log config
  hidekeys
!
interface Tunnel1
 bandwidth 1000
 ip address 172.31.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 1
 ip nat inside
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 delay 1000
 keepalive 3 3
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile SDM_Profile1
!
interface FastEthernet0/0
 ip address 192.168.0.201 255.255.255.128
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.0.0.138 255.255.255.0 secondary
 ip address 192.168.0.1 255.255.255.128
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  pppoe-client dial-pool-number 1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Dialer1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile2
!
interface Dialer1
 bandwidth 1000
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp authentication pap callin
 ppp pap sent-username 022955051_at_hadara password 0 022955051
!
router eigrp 1
 redistribute static metric 1 1 1 1 1
 network 172.31.0.0 0.0.0.255
 network 192.168.0.0 0.0.0.127
 no auto-summary
!
ip local pool SDM_POOL_1 10.1.2.1 10.1.2.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1 2
ip route 192.168.1.128 255.255.255.128 192.168.0.200
ip route 192.168.2.128 255.255.255.128 192.168.0.200
ip route 192.168.3.128 255.255.255.128 192.168.0.200
ip route 192.168.4.128 255.255.255.128 192.168.0.200
ip route 192.168.5.128 255.255.255.128 192.168.0.200
ip route 192.168.6.128 255.255.255.128 192.168.0.200
ip route 192.168.7.128 255.255.255.128 192.168.0.200
ip route 192.168.8.128 255.255.255.128 192.168.0.200
ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list 100 interface Dialer1 overload
!
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip 10.0.0.0 0.0.255.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
end

Client side

service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Aanata
!
boot-start-marker
boot-end-marker
!
no logging buffered
no logging console
enable secret test
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
license udi pid CISCO1841 sn FCZ113438W2
username test privilege 15 password test
!
redundancy
!
crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1
 connect auto
 group test key test
 mode network-extension
 peer 217.66.227.245
 username test password test
 xauth userid mode local
!
interface FastEthernet0/0
 ip address 172.17.50.50 255.255.0.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1
!
interface FastEthernet0/1
 ip address 172.16.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1 inside
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip route 0.0.0.0 0.0.0.0 172.17.0.1
!
access-list 1 permit 172.16.2.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 no login
 transport input all
!
scheduler allocate 20000 1000
end

From: Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
Sent: Tuesday, January 03, 2012 12:46 PM
To: amin
Cc: ccielab_at_groupstudy.com
Subject: Re: proxy identities not supported

Hi Amin,

Can you please debug the VPN connection attempt and attach? show running-config on both ends would also be informative.

Thanks,
Sadiq

On Tue, Jan 3, 2012 at 10:34 AM, amin <amin_at_axizo.com> wrote:

Hi experts,

I am configuring Easy VPN between two Cisco routers. On the server I always get this error message: "proxy identities not supported". The Cisco website says that the two access lists need to mirror each other on each side, but in my case it is Easy VPN, which means no access-list configuration on the client side. Any hints about this issue?

Regards,
Amin

Blogs and organic groups at http://www.ccie.net
Received on Tue Jan 03 2012 - 23:03:56 ART
This archive was generated by hypermail 2.2.0 : Thu Feb 02 2012 - 11:52:51 ART