
Help: Cisco to Cisco VPN with NAT


iozone (IS-IT--Management, US), Jul 5, 2005
Hi guys, I'm having problems establishing a VPN between a 2610 (IOS c2600-ik9o3s-mz.122-10a) and a 3620 (IOS c3620-ik9o3s6-mz.123-9a). Copied below are the debug ipsec/isakmp outputs.
I'm a relative newbie, so be nice, but it seems unusual to me that I only get debug info from the initiating router, from either direction.
Here's the debug, and thanks in advance for your help.


fstpres#
*Mar 1 16:30:45.267: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 64.104.56.122, remote= 64.104.56.86,
local_proxy= 10.10.20.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.200.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x10D9C8F0(282708208), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 16:30:45.271: ISAKMP: received ke message (1/1)
*Mar 1 16:30:45.271: ISAKMP (0:0): SA request profile is (NULL)
*Mar 1 16:30:45.271: ISAKMP: local port 500, remote port 500
*Mar 1 16:30:45.271: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 16:30:45.275: ISAKMP: insert sa successfully sa = 623DB004
*Mar 1 16:30:45.275: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
*Mar 1 16:30:45.275: ISAKMP: Looking for a matching key for 64.104.56.86 in default : success
*Mar 1 16:30:45.275: ISAKMP (0:1): found peer pre-shared key matching 64.104.56.86
*Mar 1 16:30:45.275: ISAKMP (0:1): constructed NAT-T vendor-07 ID
*Mar 1 16:30:45.275: ISAKMP (0:1): constructed NAT-T vendor-03 ID
*Mar 1 16:30:45.275: ISAKMP (0:1): constructed NAT-T vendor-02 ID
*Mar 1 16:30:45.275: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 16:30:45.279: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1

*Mar 1 16:30:45.279: ISAKMP (0:1): beginning Main Mode exchange
*Mar 1 16:30:45.279: ISAKMP (0:1): sending packet to 64.104.56.86 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 16:30:55.279: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 16:30:55.279: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
*Mar 1 16:30:55.279: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 16:30:55.279: ISAKMP (0:1): sending packet to 64.104.56.86 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 16:31:05.279: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 16:31:05.279: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
*Mar 1 16:31:05.279: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 16:31:05.279: ISAKMP (0:1): sending packet to 64.104.56.86 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 16:31:15.267: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 64.104.56.122, remote= 64.104.56.86,
local_proxy= 10.10.20.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.200.0/255.255.255.0/0/0 (type=4)
*Mar 1 16:31:15.267: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 64.104.56.122, remote= 64.104.56.86,
local_proxy= 10.10.20.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.200.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x90551986(2421496198), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 16:31:15.267: ISAKMP: received ke message (1/1)
*Mar 1 16:31:15.271: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 16:31:15.271: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 63.103.55.122, remote 64.104.56.86)
*Mar 1 16:31:15.279: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 16:31:15.279: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
*Mar 1 16:31:15.279: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 16:31:15.279: ISAKMP (0:1): sending packet to 64.104.56.86 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 16:31:25.279: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 16:31:25.279: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
*Mar 1 16:31:25.279: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 16:31:25.279: ISAKMP (0:1): sending packet to 64.104.56.86 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 16:31:35.279: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 16:31:35.279: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
*Mar 1 16:31:35.279: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 16:31:35.279: ISAKMP (0:1): sending packet to 64.104.56.86 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 16:31:45.267: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 64.104.56.122, remote= 64.104.56.86,
local_proxy= 10.10.20.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.200.0/255.255.255.0/0/0 (type=4)
*Mar 1 16:31:45.267: ISAKMP: received ke message (3/1)
*Mar 1 16:31:45.267: ISAKMP (0:1): peer does not do paranoid keepalives.

*Mar 1 16:31:45.267: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 64.104.56.86) input queue 0
*Mar 1 16:31:45.271: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 64.104.56.86) input queue 0
*Mar 1 16:31:45.271: ISAKMP (0:1): deleting node -855103855 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar 1 16:31:45.271: ISAKMP (0:1): deleting node 91484349 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar 1 16:31:45.275: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 1 16:31:45.275: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_DEST_SA

*Mar 1 16:32:45.271: ISAKMP (0:1): purging SA., sa=623DB004, delme=623DB004
*Mar 1 16:32:45.271: ISAKMP (0:1): purging node -855103855
*Mar 1 16:32:45.271: ISAKMP (0:1): purging node 91484349

jona#
01:29:23: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 64.104.56.86, remote= 64.104.56.122,
local_proxy= 10.10.200.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.20.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des ,
lifedur= 3600s and 4608000kb,
spi= 0xEC823FBF(3967958975), conn_id= 0, keysize= 0, flags= 0x400C
01:29:23: ISAKMP: received ke message (1/1)
01:29:23: ISAKMP: local port 500, remote port 500
01:29:23: ISAKMP (0:3): beginning Main Mode exchange
01:29:23: ISAKMP (0:3): sending packet to 64.104.56.122 (I) MM_NO_STATE
01:29:33: ISAKMP (0:3): retransmitting phase 1 MM_NO_STATE...
01:29:33: ISAKMP (0:3): incrementing error counter on sa: retransmit phase 1
01:29:33: ISAKMP (0:3): retransmitting phase 1 MM_NO_STATE
01:29:33: ISAKMP (0:3): sending packet to 64.104.56.122 (I) MM_NO_STATE
01:29:41: ISAKMP (0:2): purging node -931780196
01:29:41: ISAKMP (0:2): purging node -389324940
01:29:43: ISAKMP (0:3): retransmitting phase 1 MM_NO_STATE...
01:29:43: ISAKMP (0:3): incrementing error counter on sa: retransmit phase 1
01:29:43: ISAKMP (0:3): retransmitting phase 1 MM_NO_STATE
01:29:43: ISAKMP (0:3): sending packet to 64.104.56.122 (I) MM_NO_STATE
01:29:51: ISAKMP (0:2): purging SA., sa=82068960, delme=82068960
01:29:53: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 64.104.56.86, remote= 64.104.56.122,
local_proxy= 10.10.200.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.20.0/255.255.255.0/0/0 (type=4)
01:29:53: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 64.104.56.86, remote= 64.104.56.122,
local_proxy= 10.10.200.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.20.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des ,
lifedur= 3600s and 4608000kb,
spi= 0x58B7B053(1488433235), conn_id= 0, keysize= 0, flags= 0x400C
01:29:53: ISAKMP: received ke message (1/1)
01:29:53: ISAKMP (0:3): SA is still budding. Attached new ipsec request to it.
01:29:53: ISAKMP (0:3): retransmitting phase 1 MM_NO_STATE...
01:29:53: ISAKMP (0:3): incrementing error counter on sa: retransmit phase 1
01:29:53: ISAKMP (0:3): retransmitting phase 1 MM_NO_STATE
01:29:53: ISAKMP (0:3): sending packet to 64.104.56.122 (I) MM_NO_STATE
01:30:03: ISAKMP (0:3): retransmitting phase 1 MM_NO_STATE...
01:30:03: ISAKMP (0:3): incrementing error counter on sa: retransmit phase 1
01:30:03: ISAKMP (0:3): retransmitting phase 1 MM_NO_STATE
01:30:03: ISAKMP (0:3): sending packet to 64.104.56.122 (I) MM_NO_STATE
01:30:13: ISAKMP (0:3): retransmitting phase 1 MM_NO_STATE...
01:30:13: ISAKMP (0:3): incrementing error counter on sa: retransmit phase 1
01:30:13: ISAKMP (0:3): retransmitting phase 1 MM_NO_STATE
01:30:13: ISAKMP (0:3): sending packet to 64.104.56.122 (I) MM_NO_STATE
01:30:23: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 64.104.56.86, remote= 64.104.56.122,
local_proxy= 10.10.200.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.20.0/255.255.255.0/0/0 (type=4)
01:30:23: ISAKMP: received ke message (3/1)
01:30:23: ISAKMP (0:3): ignoring request to send delete notify (sa not authenticated) src 64.104.56.86 dst 64.104.56.122
01:30:23: ISAKMP (0:3): retransmitting phase 1 MM_NO_STATE...
01:30:23: ISAKMP (0:3): peer does not do paranoid keepalives.

01:30:23: ISAKMP (0:3): deleting SA reason "death by retransmission P1" state (I) MM_NO_STATE (peer 64.104.56.122) input queue 0
01:30:23: ISAKMP (0:3): deleting node -897275214 error TRUE reason "death by retransmission P1"
01:30:23: ISAKMP (0:3): deleting node 2030647763 error TRUE reason "death by retransmission P1"

01:31:13: ISAKMP (0:3): purging node -897275214
01:31:13: ISAKMP (0:3): purging node 2030647763
01:31:23: ISAKMP (0:3): purging SA., sa=82067D64, delme=82067D64
 
Would you mind copying and pasting your configuration? Sometimes it's easier to check for configuration errors.
 
Sure, here goes:

fstpres#
Current configuration : 2051 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname fstpres
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Hm/q$AG3nzQLloIhRrYJWDhbb.0
!
no aaa new-model
ip subnet-zero
!
!
ip cef
no ip domain lookup
ip dhcp excluded-address 192.168.100.1 192.168.100.50
ip dhcp excluded-address 192.168.100.200 192.168.100.254
!
ip dhcp pool 192.168.100.0/24
network 192.168.100.0 255.255.255.0
default-router 192.168.100.11
dns-server 205.230.30.2
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 100
hash md5
authentication pre-share
crypto isakmp key cisco123 address 64.104.56.86
!
!
crypto ipsec transform-set testset esp-des
!
crypto map maptest 10 ipsec-isakmp
set peer 64.104.56.86
set transform-set testset
match address 115
!
!
!
!
interface Ethernet0/0
ip address 64.104.56.122 255.255.255.252
ip nat outside
full-duplex
crypto map maptest
!
interface Ethernet0/1
ip address 10.10.20.1 255.255.255.0
ip nat inside
full-duplex
!
interface Ethernet0/2
ip address 192.168.100.11 255.255.255.0
ip nat inside
full-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
!
ip nat inside source route-map nonat interface Ethernet0/0 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 64.104.56.121
!
!
access-list 110 deny ip 10.10.20.0 0.0.0.255 10.10.200.0 0.0.0.255
access-list 110 deny ip 192.168.100.0 0.0.0.255 10.10.200.0 0.0.0.255
access-list 110 permit ip 10.10.20.0 0.0.0.255 any
access-list 110 permit ip 192.168.100.0 0.0.0.255 any
access-list 115 permit ip 10.10.20.0 0.0.0.255 10.10.200.0 0.0.0.255
!
route-map nonat permit 10
match ip address 110
!
!
!
!
!
!
line con 0
password 7 061000384D490C0B54
login
line aux 0
password 7 15040415052D2E3679
login
line vty 0
password 7 09454113160B12
login
line vty 1 4
login
!
!
end

jona#
Current configuration : 1621 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname jona
!
enable secret 5 $1$Yp6D$hkDXO6KJH0V0y8SRbrdyh/
!
ip subnet-zero
!
!
no ip domain-lookup
ip dhcp excluded-address 10.10.200.1 10.10.200.9
!
ip dhcp pool 10.10.200.0/24
network 10.10.200.0 255.255.255.0
default-router 10.10.200.1
dns-server 205.230.30.1 205.230.30.2
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 64.104.56.122
!
!
crypto ipsec transform-set testset esp-des
!
crypto map test 5 ipsec-isakmp
set peer 64.104.56.122
set transform-set testset
match address 115
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Ethernet0/0
ip address 10.10.200.1 255.255.255.0
ip nat inside
half-duplex
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface Serial0/1
no ip address
shutdown
!
interface Ethernet1/0
ip address 64.104.56.86 255.255.255.252
ip nat outside
half-duplex
crypto map test
!
ip nat inside source route-map nonat interface Ethernet1/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 64.104.56.85
no ip http server
ip pim bidir-enable
!
access-list 110 deny ip 10.10.200.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 110 permit ip 10.10.200.0 0.0.0.255 any
access-list 115 permit ip 10.10.200.0 0.0.0.255 10.10.20.0 0.0.0.255
route-map nonat permit 10
match ip address 110
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
password 7 031254120708245E1F
login
line aux 0
line vty 0
password 7 1100161F181C0E
login
line vty 1 4
login
!
end
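The two configs can be cross-checked mechanically before anyone starts blaming the path. The following is an added example (not code from the thread or a Cisco tool) that parses the relevant lines of the fstpres and jona configs above and reports whether the crypto ACLs referenced by `match address` mirror each other, whether every crypto-protected flow is also denied in the NAT route-map ACL (so it is not translated before it hits the crypto map), and which NAT-exempt flows have no matching crypto entry. On these two configs the first two checks pass, which agrees with the replies that the configuration itself looks sound; the third check reports that fstpres exempts 192.168.100.0/24 -> 10.10.200.0/24 from NAT without a matching entry in ACL 115, so that traffic would leave neither translated nor encrypted. The parser assumes contiguous wildcard masks and the `any` / `host` / `A WILDCARD` address forms only.

```python
"""Cross-check the crypto ACL and NAT-exemption ACL of two IPsec peers.

Added example, not code from the thread or from Cisco. The embedded configs are
the relevant lines of the fstpres and jona configs posted in the thread.
"""
import ipaddress
import re


def _parse_addr(tokens, i):
    """Parse one ACL address (any | host A | A WILDCARD) starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    prefix = 32 - wildcard.bit_length()  # assumes a contiguous wildcard mask
    return ipaddress.ip_network(f"{tok}/{prefix}", strict=False), i + 2


def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls


def crypto_acl_number(config):
    """ACL referenced by 'match address' inside the crypto map."""
    m = re.search(r"^\s*match address (\d+)\s*$", config, re.M)
    return m.group(1) if m else None


def nat_exempt_acl_number(config):
    """ACL behind the route-map named in 'ip nat inside source route-map ...'."""
    m = re.search(r"^ip nat inside source route-map (\S+)", config, re.M)
    if not m:
        return None
    rm = re.search(r"^route-map %s permit \d+\n\s*match ip address (\d+)"
                   % re.escape(m.group(1)), config, re.M)
    return rm.group(1) if rm else None


def _flows(entries, action):
    return {(s, d) for a, s, d in entries if a == action}


def _fmt(pairs):
    return sorted(f"{s} -> {d}" for s, d in pairs)


def check_peers(cfg_a, cfg_b):
    """Compare peer A's and peer B's crypto and NAT-exemption ACLs."""
    acls_a, acls_b = parse_acls(cfg_a), parse_acls(cfg_b)
    crypto_a = _flows(acls_a[crypto_acl_number(cfg_a)], "permit")
    crypto_b = _flows(acls_b[crypto_acl_number(cfg_b)], "permit")
    exempt_a = _flows(acls_a[nat_exempt_acl_number(cfg_a)], "deny")
    exempt_b = _flows(acls_b[nat_exempt_acl_number(cfg_b)], "deny")
    return {
        # every protected flow on A must appear reversed on B, and vice versa
        "crypto_acls_mirrored": crypto_b == {(d, s) for s, d in crypto_a},
        # protected flows that NAT would translate before the crypto map sees them
        "a_crypto_not_nat_exempt": _fmt(crypto_a - exempt_a),
        "b_crypto_not_nat_exempt": _fmt(crypto_b - exempt_b),
        # flows exempted from NAT but not protected: sent untranslated and in clear
        "a_exempt_not_encrypted": _fmt(exempt_a - crypto_a),
        "b_exempt_not_encrypted": _fmt(exempt_b - crypto_b),
    }


# Relevant lines of the fstpres config from the thread (trimmed to what the check needs).
FSTPRES = """\
crypto map maptest 10 ipsec-isakmp
 set peer 64.104.56.86
 match address 115
ip nat inside source route-map nonat interface Ethernet0/0 overload
access-list 110 deny ip 10.10.20.0 0.0.0.255 10.10.200.0 0.0.0.255
access-list 110 deny ip 192.168.100.0 0.0.0.255 10.10.200.0 0.0.0.255
access-list 110 permit ip 10.10.20.0 0.0.0.255 any
access-list 110 permit ip 192.168.100.0 0.0.0.255 any
access-list 115 permit ip 10.10.20.0 0.0.0.255 10.10.200.0 0.0.0.255
route-map nonat permit 10
 match ip address 110
"""

# Relevant lines of the jona config from the thread (trimmed likewise).
JONA = """\
crypto map test 5 ipsec-isakmp
 set peer 64.104.56.122
 match address 115
ip nat inside source route-map nonat interface Ethernet1/0 overload
access-list 110 deny ip 10.10.200.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 110 permit ip 10.10.200.0 0.0.0.255 any
access-list 115 permit ip 10.10.200.0 0.0.0.255 10.10.20.0 0.0.0.255
route-map nonat permit 10
 match ip address 110
"""

if __name__ == "__main__":
    for key, value in check_peers(FSTPRES, JONA).items():
        print(f"{key}: {value}")
```

Running it prints `crypto_acls_mirrored: True`, empty lists for the two `*_crypto_not_nat_exempt` keys, and `['192.168.100.0/24 -> 10.10.200.0/24']` for `a_exempt_not_encrypted`. The check only looks at the ACL sets; it does not model ACL ordering, so a permit that shadows a later deny would still need a manual look.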
 
Your configuration should be working fine if the following URL is showing the correct configuration:


BTW, can you ping from the NAT outside interface of one router to the NAT outside interface of the other router?

And I'd like you to try turning on IP CEF on the router "jona", or turning off fast switching on interface e1/0 with the command "no ip route-cache". I'd prefer to try CEF first.
 
Hi,
Yes, I can ping the outside interfaces of each router from inside the other router and from the NAT inside nodes. Everything is functional except the VPN.
I've run a port scanner on both exterior interfaces to check port 500 and it seems to be open. The ISP indicates that there are no ports closed lower than 4000, and then only a couple for virus blocking.

Help please, anyone??
 
As I've said, try to turn on CEF on "jona" by using the global command "ip cef"

or

turn off fast switching on interface e1/0 on "jona" by using the interface command "no ip route-cache".
 
Good morning :)
Please excuse my frustration last night.

OK, I've done both: global CEF, and turned off fast switching on e0/1. There has been no change.
 
Let me clarify my last post: I first enabled CEF and then tested with ping. Then ip route-cache was disabled on e1/0 and I tested with ping. Neither has been returned to its initial state.
 
Did you use extended ping, and ping between the subnets in your ACL 115?
 
From the debug log it sounds like the problem exists even before the Phase 1 negotiation:

*Mar 1 16:30:45.279: ISAKMP (0:1): sending packet to 64.104.56.86 my_port 500 peer_port 500 (I) MM_NO_STATE

And there's no reply from the peer for this.


Do you have a spare router to test back-to-back with the same configuration?
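The reading above (packets go out, nothing comes back, so Phase 1 never leaves MM_NO_STATE) can be turned into a check that runs over the debug text itself, which is handy when you have several captures to compare. The following is an added example, not code from the thread: it counts sends, receives and retransmits, follows the `Old State = ... New State = ...` transitions, and separates "the peer never answered on UDP/500" (a path problem: filtering, NAT, routing) from "the peer answered but Phase 1 still failed" (policy, pre-shared key or identity). The failing sample is taken from the fstpres debug above with the wrapped lines joined; the healthy sample is constructed and assumes the IOS `received packet from` line format and the IKE_I_MM1 .. IKE_P1_COMPLETE state names.

```python
"""Classify an IOS 'debug crypto isakmp' capture taken on the IKE initiator.

Added example (not code from the thread). It walks the ISAKMP debug lines,
counts what was sent, received and retransmitted, follows the state
transitions and gives a verdict on where the failure sits.
"""
import re
from dataclasses import dataclass, field

SEND_RE = re.compile(r"ISAKMP \(\d+:\d+\): sending packet to (\S+)")
RECV_RE = re.compile(r"ISAKMP \(\d+:\d+\): received packet from (\S+)")
RETRANS_RE = re.compile(r"retransmitting phase 1 (\S+)\.\.\.")   # one per retransmit event
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)"')


@dataclass
class IkeSummary:
    peer: str = ""
    sends: int = 0
    receives: int = 0
    retransmits: int = 0
    states: list = field(default_factory=list)          # (old, new) in log order
    delete_reasons: list = field(default_factory=list)

    def verdict(self) -> str:
        reached = {new for _, new in self.states}
        if "IKE_P1_COMPLETE" in reached:
            return "PHASE1_OK"
        if self.receives == 0 and self.sends > 0:
            # Everything went out, nothing came back: the initiator never left
            # MM_NO_STATE. Look at the path (filters, NAT, routing), not at the
            # policy, key or transform set.
            return "NO_REPLY"
        if self.receives > 0:
            # The peer is reachable; the failure is inside the negotiation.
            return "PEER_REPLIED_BUT_FAILED"
        return "INCOMPLETE"


def summarize(debug_text: str) -> IkeSummary:
    """Fold the debug lines into an IkeSummary."""
    s = IkeSummary()
    for line in debug_text.splitlines():
        if m := SEND_RE.search(line):
            s.sends += 1
            s.peer = s.peer or m.group(1)
        elif RECV_RE.search(line):
            s.receives += 1
        elif RETRANS_RE.search(line):
            s.retransmits += 1
        elif m := STATE_RE.search(line):
            s.states.append((m.group(1), m.group(2)))
        elif m := DELETE_RE.search(line):
            s.delete_reasons.append(m.group(1))
    return s


# Lines from the fstpres debug in the thread (wrapped lines joined).
FAILING_LOG = """\
*Mar 1 16:30:45.279: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 16:30:45.279: ISAKMP (0:1): beginning Main Mode exchange
*Mar 1 16:30:45.279: ISAKMP (0:1): sending packet to 64.104.56.86 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 16:30:55.279: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 16:30:55.279: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 16:30:55.279: ISAKMP (0:1): sending packet to 64.104.56.86 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 16:31:05.279: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 16:31:05.279: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 16:31:05.279: ISAKMP (0:1): sending packet to 64.104.56.86 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 16:31:45.267: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 64.104.56.86) input queue 0
*Mar 1 16:31:45.275: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_DEST_SA
"""

# Constructed healthy exchange (not from the thread) for comparison.
HEALTHY_LOG = """\
*Mar 1 17:00:01.000: ISAKMP (0:2): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 17:00:01.000: ISAKMP (0:2): sending packet to 64.104.56.86 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 17:00:01.040: ISAKMP (0:2): received packet from 64.104.56.86 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 1 17:00:01.040: ISAKMP (0:2): Old State = IKE_I_MM1 New State = IKE_I_MM2
*Mar 1 17:00:01.100: ISAKMP (0:2): sending packet to 64.104.56.86 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar 1 17:00:01.160: ISAKMP (0:2): received packet from 64.104.56.86 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar 1 17:00:01.160: ISAKMP (0:2): Old State = IKE_I_MM3 New State = IKE_I_MM4
*Mar 1 17:00:01.200: ISAKMP (0:2): Old State = IKE_I_MM5 New State = IKE_I_MM6
*Mar 1 17:00:01.200: ISAKMP (0:2): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
"""

if __name__ == "__main__":
    for name, text in (("fstpres", FAILING_LOG), ("constructed", HEALTHY_LOG)):
        s = summarize(text)
        print(f"{name}: peer={s.peer} sent={s.sends} recv={s.receives} "
              f"retrans={s.retransmits} verdict={s.verdict()}")
```

On the fstpres capture the verdict is NO_REPLY: three packets sent, two retransmit events, zero received, last transition IKE_I_MM1 to IKE_DEST_SA. The same check on the jona capture gives the same answer, which is why looking for a reply from the peer (and at what sits between the two outside interfaces) comes before touching the crypto policy.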
 
Yes, I do have a spare router; in fact a mockup was done successfully before installation on the network. The configuration has changed since then with the addition of the 192 network on fstpres. In retrospect the configuration was not tested thoroughly enough: I didn't read the debug output but quit when I received a successful ping from the remote nodes.
Today I am testing for port closure from the inside on the ISP devices (previous testing was on the outside). If no port closures are found I may consider another mockup.
 
Hello all,
This weekend I pulled both routers offline (one at a time) and tested in an offline mockup. All security associations were established without problem.

The ISP claims to be blocking nothing that would affect the SAs. My port scans show end-to-end connectivity for port 500, although one of the ISP end devices shows port 500 blocked. Pings from and to the outside Cisco ports are successful.

Any suggestions???? What else can I look for? I believe the problem is with the ISP; however, I don't know what else to test for to prove this.
 
OK, problem solved.

The ISP this afternoon re-examined their equipment. Still not finding any port blockage, they completely cleared their configuration. The Cisco VPN then became operational.

I would still like to know if anyone has a better way to troubleshoot the outside connections. Thanks for your assistance, lambent. Good day.
 