NAT Transparency in DMVPN
Hi,
I am trying to understand DMVPN and NAT Transparency but I am not able to get it, so can anyone please help me make it easy with a good explanation???
Regards
Devang
DMVPN spokes are often situated behind a NAT router (which is often controlled by the ISP for the spoke site) with the outside interface address of the spoke router being dynamically assigned by the ISP using a private IP address (per Internet Engineering Task Force [IETF] RFC 1918).
Similar Messages
-
Is there a difference between NAT Traversal & NAT Transparency?
What is the difference between NAT Traversal & NAT Transparency?
And does (NAT-T) refer to NAT Traversal or NAT Transparency?
As in, how the screen's pixels display colors? No, there shouldn't be any difference.
-
Config no NAT, Transparent client IP
Hello, I have to change the configuration to not use NAT and have the client IP (transparent mode).
My configuration:
ssh maxsessions 1
access-list ANY line 8 extended permit icmp any any
access-list ANY line 16 extended permit ip any any
probe icmp PROBE_PING
interval 30
probe tcp PROBE_TCP
interval 30
rserver host WEB_1
ip address 172.16.10.11
conn-limit max 50000 min 40000
weight 1
inservice
rserver host WEB_1AND1
ip address 82.165.194.101
conn-limit max 50000 min 40000
inservice
rserver host WEB_2
ip address 172.16.10.10
conn-limit max 50000 min 40000
weight 1
inservice
serverfarm host FARM_HTTPS
transparent
predictor leastconns
probe PROBE_TCP
rserver WEB_1 443
inservice
rserver WEB_2 443
inservice
serverfarm host FARM_WEB
transparent
predictor leastconns
probe PROBE_TCP
rserver WEB_1
inservice
rserver WEB_2
inservice
serverfarm host FARM_WP
transparent
probe PROBE_TCP
rserver WEB_1
inservice
parameter-map type http HTTP_PARAMETER_MAP
no persistence-rebalance
class-map match-all FARM_HTTPS
2 match virtual-address 178.33.0.129 tcp eq https
class-map match-all L4-WEB-IP
2 match virtual-address 178.33.0.129 tcp eq www
class-map type management match-all PUBLIC_REMOTE
2 match protocol ssh source-address 82.165.194.101 255.255.255.255
class-map type management match-all REMOTE_ACCESS
2 match protocol ssh any
class-map type management match-any SECURE_HTTPS
2 match protocol https any
3 match protocol ssh any
class-map type http loadbalance match-all WP_BLOG
2 match http header Host header-value "www[.]WEB[.]com"
3 match http url /blog.*
class-map type http loadbalance match-all WP_ECO
2 match http header Host header-value "www[.]WEB[.]com"
3 match http url /eco.*
class-map type http loadbalance match-all WP_INFO
2 match http header Host header-value "www[.]WEB[.]com"
3 match http url /info.*
class-map match-all public_remote
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_ACCESS
permit
policy-map type management first-match REMOTE_PUBLIC_MGMT
class PUBLIC_REMOTE
permit
class SECURE_HTTPS
permit
policy-map type management first-match SECURE_HTTPS_POLICY
class SECURE_HTTPS
permit
policy-map type loadbalance http first-match FARM_HTTPS_POLICY
class class-default
serverfarm FARM_HTTPS
insert-http x-forward header-value "%is"
policy-map type loadbalance http first-match WEB_L7_POLICY
class WP_ECO
serverfarm FARM_WP
insert-http x-forward header-value "%is"
class WP_INFO
serverfarm FARM_WP
insert-http x-forward header-value "%is"
class WP_BLOG
serverfarm FARM_WP
insert-http x-forward header-value "%is"
class class-default
serverfarm FARM_WEB
insert-http x-forward header-value "%is"
policy-map multi-match POLICY_HTTPS
class FARM_HTTPS
loadbalance vip inservice
loadbalance policy FARM_HTTPS_POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 2222
appl-parameter http advanced-options HTTP_PARAMETER_MAP
policy-map multi-match WEB-to-vIPs
class L4-WEB-IP
loadbalance vip inservice
loadbalance policy WEB_L7_POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 2222
appl-parameter http advanced-options HTTP_PARAMETER_MAP
access-group input ANY
interface vlan 1215
ip address 178.33.0.138 255.255.255.240
alias 178.33.0.137 255.255.255.240
peer ip address 178.33.0.139 255.255.255.240
service-policy input REMOTE_PUBLIC_MGMT
service-policy input WEB-to-vIPs
service-policy input SECURE_HTTPS_POLICY
service-policy input POLICY_HTTPS
no shutdown
interface vlan 2222
ip address 172.31.255.250 255.240.0.0
alias 172.31.255.249 255.240.0.0
peer ip address 172.31.255.251 255.240.0.0
nat-pool 1 172.31.255.248 172.31.255.248 netmask 255.240.0.0 pat
service-policy input REMOTE_MGMT_ALLOW_POLICY
no shutdown
ft track interface VLAN1215
track-interface vlan 1215
peer track-interface vlan 1215
priority 50
peer priority 5
ip route 0.0.0.0 0.0.0.0 178.33.0.142
default-domain
Any idea??? Thanks
Hi Javier,
To me it looks like you are not doing SSL offload on ACE, so x-forward is not going to work, as ACE cannot look into the data.
I see that ACE is in routed mode, as the server and VIP belong to two different subnets.
So ideally, if you can point the default gateway on the servers to the ACE alias IP, you can remove the NAT without any issues.
In case the server has dual NICs, make sure the default gateway is only configured on the NIC facing ACE.
Hope that helps.
regards,
Ajay Kumar -
Hi,
Cisco IPsec works fine for me, but only in native mode, using the ESP protocol. Since it's a Cisco implementation I guess it supports NAT-T. Does anyone know:
a) should it work automatically?
b) should I configure NAT-T (UDP or TCP) somewhere else?
So: native mode is okay, but since I go through a NAT device, IPsec NAT-T is my goal.
Thanks,
Aa
Go to Configuration > System > Tunneling Protocols > IPSec > IKE proposals. Once there, select the Active proposal used by Group and check if you are using XAUTH. To change the config, click the modify button and choose "Preshared Keys (XAUTH)" under Authentication mode.
-
Hi,
Can anyone tell me how I can enable NAT-T on a Cisco 877?
I have set up a VPN between a Cisco 877 and a Cisco VPN client installed on a remote PC which is behind a NAT ADSL router. My VPN is established without problems, but traffic does not go through it. In the remote client I have enabled NAT-T, so all VPN traffic travels in UDP packets. I want to enable NAT-T in my 807 gateway router, so it can understand this traffic. Can anyone help me?
Thanks in advance.
Best regards,
Jorge
You may disregard this message... unless you want to check over the config and make comments. It turns out that we stopped using DHCP when we switched to the 877 and we did not add the WINS server to our workstations. I believe this may have been the first issue. The second issue is isolated to a specific remote machine and we are planning on analysing their router and checking with their ISP before looking at the 877.
Thanks all -
Urgent NAT-T DMVPN help?
Can someone please provide me with the configuration of the DMVPN hub server when the hub server is configured with NAT???
I'll be thankful.
Hi Mohammed,
I think you may want to check these links:
NAT-Transparency Aware DMVPN
"Also added in Cisco IOS Releases 12.3(9a) and 12.3(11)T is the capability to have the hub DMVPN router behind static NAT. This was a change in the ISAKMP NAT-T support. For this functionality to be used, all the DMVPN spoke routers and hub routers must be upgraded, and IPsec must use transport mode.
For these NAT-Transparency Aware enhancements to work, you must use IPsec transport mode on the transform set. Also, even though NAT-Transparency (IKE and IPsec) can support two peers (IKE and IPsec) being translated to the same IP address (using the UDP ports to differentiate them), this functionality is not supported for DMVPN. All DMVPN spokes must have a unique IP address after they have been NAT translated. They can have the same IP address before they are NAT translated."
Static NAT & DMVPN Hub ---> Another similar post.
Hope it helps.
Thanks.
Portu -
We are getting new SIP trunks put in, and in order for the provider to put them in, the provider put in a router to control all web traffic so they can QoS the voice. That means our VPN routers will go behind the NAT barrier. But when I switched the router's interface to the NATted address, the DMVPN tunnels would not build. There is a NAT translation to the routers, so the external (routable) IP did not change. The IPsec tunnels did come up just fine; just the few DMVPN-connected tunnels did not.
If I issue a "sh DMVPN", the Peer NBMA Addr shows up as 0.0.0.0 while the Peer Tunnel Addr is what it should be; also the Attrb is "X".
The tunnel source I have set to the interface, and the key is set to "crypto isakmp key "my key" address 0.0.0.0 0.0.0.0 no-xauth".
I am at a loss on why this was not working. Keep in mind this is the HUB router and not the Spoke.
Here is some additional info to help:
hub config:
interface Tunnel0
bandwidth 512
ip address "hubtunnelIP" 255.255.255.0
no ip redirects
ip nhrp authentication "XXX"
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel protection ipsec profile net1
crypto isakmp key "My Key" address 0.0.0.0 0.0.0.0 no-xauth
crypto ipsec transform-set "mytransfromset" esp-des esp-md5-hmac
mode transport
crypto ipsec profile net1
set transform-set "mytransformset"
Spoke config:
crypto isakmp key "My Key" address "Remote IP" "remote SM" no-xauth
crypto ipsec transform-set "mytransformset" esp-des esp-md5-hmac
mode tunnel
crypto ipsec nat-transparency spi-matching
crypto ipsec profile net1
set transform-set "mytransformset"
interface Tunnel0
bandwidth 512
ip address "spoketunnelIP" 255.255.255.0
no ip redirects
ip nhrp authentication "XXX"
ip nhrp map multicast "Remote IP"
ip nhrp map "hubtunnelIP" "Remote IP"
ip nhrp network-id 1
ip nhrp nhs "hubtunnelIP"
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel protection ipsec profile net1 shared -
Why won't my DMVPN get past ISAKMP phase 1?
I’m trying to set up a DMVPN solution with the hub behind a firewall using a static 1-to-1 NAT.
I can get the DMVPN to work fine, but once I add the IPsec policy it doesn’t go past ISAKMP phase 1.
I have put rules in the firewall to allow NAT-T, GRE tunnels, ESP and AH; I have also put in an allow-any-any rule just in case I missed something! I was getting a NAT-T issue but then put in the command "no crypto ipsec nat-transparency udp-encapsulation" and this solved the issue and ISAKMP phase 1 completed. I have also tried changing the mode from tunnel to transport and back again.
I have tried crypto maps as I wasn’t sure if it was a UDP header issue due to the NATing.
My setup is as follows:
Cisco 1941--------JUNIPER SXR-------CLOUD--------Cisco 382
(HUB) (FIREWALL) (SW 3750) (SPOKE)
(STATIC 1 2 1 NAT)
--------------HUB--------------------------
Cisco 1941 - HUB
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)
version 15.2
crypto isakmp policy 1
authentication pre-share
crypto isakmp key TTCP_KEY address 0.0.0.0
crypto isakmp keepalive 10 3
crypto isakmp nat keepalive 200
crypto ipsec transform-set TTCP_SET esp-aes esp-sha-hmac
mode transport
no crypto ipsec nat-transparency udp-encapsulation
crypto ipsec profile TTCP_PRO
set transform-set TTCP_SET
interface Tunnel12345
description DMVPN TUNNEL
ip address 10.10.10.1 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 12345
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile TTCP_PRO
interface GigabitEthernet0/0
description LINK TO FW ON VLAN 1960
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
interface GigabitEthernet0/1
ip address 192.168.20.254 255.255.255.0
duplex auto
speed auto
router ospf 1
network 10.10.10.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 192.168.10.254
----------------------Spoke--------------------------
cisco 3825 - Spoke
Cisco IOS Software, 3800 Software (C3825-ADVENTERPRISEK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)
version 15.1
crypto isakmp policy 1
authentication pre-share
crypto isakmp key TTCP_KEY address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 3
crypto isakmp nat keepalive 200
crypto ipsec transform-set TTCP_SET esp-aes esp-sha-hmac
mode transport
no crypto ipsec nat-transparency udp-encapsulation
crypto ipsec profile TTCP_PRO
set transform-set TTCP_SET
interface Tunnel12345
description DMVPN TUNNEL
ip address 10.10.10.2 255.255.255.0
no ip redirects
ip nhrp map 10.10.10.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 12345
ip nhrp nhs 10.10.10.1
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile TTCP_PRO
interface GigabitEthernet0/0
description LINK TO INTERNET
ip address 2.2.2.2 255.255.255.0
duplex auto
speed auto
media-type rj45
interface GigabitEthernet0/1
ip address 192.168.30.1 255.255.255.0
duplex auto
speed auto
media-type rj45
router ospf 1
network 10.10.10.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 2.2.2.3
------------------------FIREWALL---------------------------
[edit]
Admin@UK_FIREWALL# show
## Last changed: 2014-07-23 19:54:53 UTC
version 10.4R6.5;
system {
    host-name FIREWALL;
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {
                192.168.20.254;
            }
            pool 192.168.20.0/24 {
                address-range low 192.168.20.20 high 192.168.20.250;
                default-lease-time 3600;
            }
            propagate-settings vlan.1960;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 1.1.1.1/24;
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan1960;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
        unit 1960 {
            family inet {
                address 192.168.10.254/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 1.1.1.2;
    }
}
protocols {
    stp;
}
security {
    nat {
        static {
            rule-set STATIC_NAT_RS1 {
                from zone untrust;
                rule NAT_RULE {
                    match {
                        destination-address 1.1.1.1/32;
                    }
                    then {
                        static-nat prefix 192.168.10.10/32;
                    }
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address SERVER-1 192.168.10.10/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.1960 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            all;
                            ike;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                ge-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                            ike;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            all;
                            ike;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy PERMIT_ALL {
                match {
                    source-address SERVER-1;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_ESP {
                match {
                    source-address any;
                    destination-address any;
                    application ESP;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_IKE_500 {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ike;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_PING {
                match {
                    source-address any;
                    destination-address any;
                    application junos-icmp-ping;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_NAT-T {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ike-nat;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_GRE {
                match {
                    source-address any;
                    destination-address any;
                    application junos-gre;
                }
                then {
                    permit;
                }
            }
            policy AH_51 {
                match {
                    source-address any;
                    destination-address any;
                    application AH_PO_51;
                }
                then {
                    permit;
                }
            }
            policy ANY_ANY {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy ACCESS {
                match {
                    source-address any;
                    destination-address SERVER-1;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_ESP {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_IKE_500 {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ike;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_PING {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_GRE {
                match {
                    source-address any;
                    destination-address any;
                    application junos-gre;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_NAT-T {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ike-nat;
                }
                then {
                    permit;
                }
            }
            policy AH_51 {
                match {
                    source-address any;
                    destination-address any;
                    application AH_PO_51;
                }
                then {
                    permit;
                }
            }
            policy ANY_ANY {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
applications {
    application ESP protocol esp;
    application AH_PO_51 protocol ah;
}
vlans {
    vlan-trust {
        vlan-id 3;
    }
    vlan1960 {
        vlan-id 1960;
        interface {
            ge-0/0/7.0;
        }
        l3-interface vlan.1960;
    }
}
------------------------------DEBUG------------------------------
-----------Cisco 1941-----------------
HUB#sh cry is sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.10.1 2.2.2.2 QM_IDLE 1006 ACTIVE
IPv6 Crypto ISAKMP SA
UK_HUB#sh dm
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
UK_HUB# debug dm al al
*Jul 25 12:22:39.036: NHRP RIB_RWATCH: Debugging is OFF
*Jul 25 12:22:39.036: NHRP RIB_RWATCH: Debugging is ON
*Jul 25 12:22:58.976: ISAKMP:(1006):purging node 1130853900
*Jul 25 12:23:14.704: ISAKMP (1006): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE
*Jul 25 12:23:14.708: ISAKMP: set new node 670880728 to QM_IDLE
*Jul 25 12:23:14.708: ISAKMP:(1006): processing HASH payload. message ID = 670880728
*Jul 25 12:23:14.708: ISAKMP:(1006): processing SA payload. message ID = 670880728
*Jul 25 12:23:14.708: ISAKMP:(1006):Checking IPSec proposal 1
*Jul 25 12:23:14.708: ISAKMP: transform 1, ESP_AES
*Jul 25 12:23:14.708: ISAKMP: attributes in transform:
*Jul 25 12:23:14.708: ISAKMP: encaps is 2 (Transport)
*Jul 25 12:23:14.708: ISAKMP: SA life type in seconds
*Jul 25 12:23:14.708: ISAKMP: SA life duration (basic) of 3600
*Jul 25 12:23:14.708: ISAKMP: SA life type in kilobytes
*Jul 25 12:23:14.708: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jul 25 12:23:14.708: ISAKMP: authenticator is HMAC-SHA
*Jul 25 12:23:14.708: ISAKMP: key length is 128
*Jul 25 12:23:14.708: ISAKMP:(1006):atts are acceptable.
*Jul 25 12:23:14.708: IPSEC(validate_proposal_request): proposal part #1
*Jul 25 12:23:14.708: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.10.1:0, remote= 2.2.2.2:0,
local_proxy= 1.1.1.1/255.255.255.255/47/0,
remote_proxy= 2.2.2.2/255.255.255.255/47/0,
protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:23:14.708: map_db_find_best did not find matching map
*Jul 25 12:23:14.708: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jul 25 12:23:14.708: ISAKMP:(1006): IPSec policy invalidated proposal with error 32
*Jul 25 12:23:14.708: ISAKMP:(1006): phase 2 SA policy not acceptable! (local 192.168.10.1 remote 2.2.2.2)
*Jul 25 12:23:14.708: ISAKMP: set new node 2125889339 to QM_IDLE
*Jul 25 12:23:14.708: ISAKMP:(1006):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 838208952, message ID = 2125889339
*Jul 25 12:23:14.708: ISAKMP:(1006): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 25 12:23:14.708: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:23:14.708: ISAKMP:(1006):purging node 2125889339
*Jul 25 12:23:14.708: ISAKMP:(1006):deleting node 670880728 error TRUE reason "QM rejected"
*Jul 25 12:23:14.708: ISAKMP:(1006):Node 670880728, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 25 12:23:14.708: ISAKMP:(1006):Old State = IKE_QM_READY New State = IKE_QM_READY
*Jul 25 12:23:28.976: ISAKMP:(1006):purging node 720369228
*Jul 25 12:23:44.704: ISAKMP (1006): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE
*Jul 25 12:23:44.704: ISAKMP: set new node -1528560613 to QM_IDLE
*Jul 25 12:23:44.704: ISAKMP:(1006): processing HASH payload. message ID = 2766406683
*Jul 25 12:23:44.704: ISAKMP:(1006): processing SA payload. message ID = 2766406683
*Jul 25 12:23:44.704: ISAKMP:(1006):Checking IPSec proposal 1
*Jul 25 12:23:44.704: ISAKMP: transform 1, ESP_AES
*Jul 25 12:23:44.704: ISAKMP: attributes in transform:
*Jul 25 12:23:44.704: ISAKMP: encaps is 2 (Transport)
*Jul 25 12:23:44.704: ISAKMP: SA life type in seconds
*Jul 25 12:23:44.704: ISAKMP: SA life duration (basic) of 3600
*Jul 25 12:23:44.704: ISAKMP: SA life type in kilobytes
*Jul 25 12:23:44.704: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jul 25 12:23:44.708: ISAKMP: authenticator is HMAC-SHA
*Jul 25 12:23:44.708: ISAKMP: key length is 128
*Jul 25 12:23:44.708: ISAKMP:(1006):atts are acceptable.
*Jul 25 12:23:44.708: IPSEC(validate_proposal_request): proposal part #1
*Jul 25 12:23:44.708: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.10.1:0, remote= 2.2.2.2:0,
local_proxy= 1.1.1.1/255.255.255.255/47/0,
remote_proxy= 2.2.2.2/255.255.255.255/47/0,
protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:23:44.708: map_db_find_best did not find matching map
*Jul 25 12:23:44.708: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jul 25 12:23:44.708: ISAKMP:(1006): IPSec policy invalidated proposal with error 32
*Jul 25 12:23:44.708: ISAKMP:(1006): phase 2 SA policy not acceptable! (local 192.168.10.1 remote 2.2.2.2)
*Jul 25 12:23:44.708: ISAKMP: set new node 1569673109 to QM_IDLE
*Jul 25 12:23:44.708: ISAKMP:(1006):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 838208952, message ID = 1569673109
*Jul 25 12:23:44.708: ISAKMP:(1006): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 25 12:23:44.708: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:23:44.708: ISAKMP:(1006):purging node 1569673109
*Jul 25 12:23:44.708: ISAKMP:(1006):deleting node -1528560613 error TRUE reason "QM rejected"
*Jul 25 12:23:44.708: ISAKMP:(1006):Node 2766406683, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 25 12:23:44.708: ISAKMP:(1006):Old State = IKE_QM_READY New State = IKE_QM_READY
---------Cisco 3825------------------
SPOKE_1#sh dm
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel12345, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
1 1.1.1.1 10.10.10.1 IPSEC 1d22h S
SPOKE_1#sh cry is sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.1 2.2.2.2 QM_IDLE 1006 ACTIVE
IPv6 Crypto ISAKMP SA
SPOKE_1#debug dm all all
*Jul 25 12:50:23.520: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 1.1.1.1:500,
local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Transport),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:50:23.520: ISAKMP: set new node 0 to QM_IDLE
*Jul 25 12:50:23.520: SA has outstanding requests (local 112.176.96.152 port 500, remote 112.176.96.124 port 500)
*Jul 25 12:50:23.520: ISAKMP:(1006): sitting IDLE. Starting QM immediately (QM_IDLE )
*Jul 25 12:50:23.520: ISAKMP:(1006):beginning Quick Mode exchange, M-ID of 1627587566
*Jul 25 12:50:23.520: ISAKMP:(1006):QM Initiator gets spi
*Jul 25 12:50:23.520: ISAKMP:(1006): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
*Jul 25 12:50:23.520: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:50:23.520: ISAKMP:(1006):Node 1627587566, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jul 25 12:50:23.520: ISAKMP:(1006):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jul 25 12:50:23.524: ISAKMP (1006): received packet from 1.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
*Jul 25 12:50:23.524: ISAKMP: set new node -1682318828 to QM_IDLE
*Jul 25 12:50:23.524: ISAKMP:(1006): processing HASH payload. message ID = 2612648468
*Jul 25 12:50:23.524: ISAKMP:(1006): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 484617190, message ID = 2612648468, sa = 0x70B05F14
*Jul 25 12:50:23.524: ISAKMP:(1006): deleting spi 484617190 message ID = 1627587566
*Jul 25 12:50:23.524: ISAKMP:(1006):deleting node 1627587566 error TRUE reason "Delete Larval"
*Jul 25 12:50:23.524: ISAKMP:(1006):deleting node -1682318828 error FALSE reason "Informational (in) state 1"
*Jul 25 12:50:23.524: ISAKMP:(1006):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 25 12:50:23.524: ISAKMP:(1006):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 25 12:50:34.972: NHRP: Setting retrans delay to 64 for nhs dst 10.10.10.1
*Jul 25 12:50:34.972: IPSEC-IFC MGRE/Tu12345(2.2.2.2/1.1.1.1): connection lookup returned 691EDEF4
*Jul 25 12:50:34.972: NHRP: Attempting to send packet via DEST 10.10.10.1
*Jul 25 12:50:34.972: NHRP: NHRP successfully resolved 10.10.10.1 to NBMA 1.1.1.1
*Jul 25 12:50:34.972: NHRP: Encapsulation succeeded. Tunnel IP addr 1.1.1.1
*Jul 25 12:50:34.972: NHRP: Send Registration Request via Tunnel12345 vrf 0, packet size: 92
*Jul 25 12:50:34.972: src: 10.12.34.1, dst: 10.10.10.1
*Jul 25 12:50:34.972: (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
*Jul 25 12:50:34.972: shtl: 4(NSAP), sstl: 0(NSAP)
*Jul 25 12:50:34.972: pktsz: 92 extoff: 52
*Jul 25 12:50:34.972: (M) flags: "unique nat ", reqid: 65537
*Jul 25 12:50:34.972: src NBMA: 2.2.2.2
*Jul 25 12:50:34.972: src protocol: 10.12.34.1, dst protocol: 10.10.10.1
*Jul 25 12:50:34.972: (C-1) code: no error(0)
*Jul 25 12:50:34.972: prefix: 32, mtu: 17916, hd_time: 7200
*Jul 25 12:50:34.972: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Jul 25 12:50:34.972: Responder Address Extension(3):
*Jul 25 12:50:34.972: Forward Transit NHS Record Extension(4):
*Jul 25 12:50:34.972: Reverse Transit NHS Record Extension(5):
*Jul 25 12:50:34.972: NAT address Extension(9):
*Jul 25 12:50:34.972: (C-1) code: no error(0)
*Jul 25 12:50:34.972: prefix: 32, mtu: 17916, hd_time: 0
*Jul 25 12:50:34.972: addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
*Jul 25 12:50:34.972: client NBMA: 1.1.1.1
*Jul 25 12:50:34.972: client protocol: 10.10.10.1
*Jul 25 12:50:34.972: NHRP: 116 bytes out Tunnel12345
*Jul 25 12:50:34.972: NHRP-RATE: Retransmitting Registration Request for 10.10.10.1, reqid 65537, (retrans ivl 64 sec)
*Jul 25 12:50:36.132: ISAKMP:(1006):purging node 1566291204
*Jul 25 12:50:36.132: ISAKMP:(1006):purging node 742410882
*Jul 25 12:50:53.520: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 2.2.2.2:0, remote= 1.1.1.1:0,
local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1)
*Jul 25 12:50:53.520: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 1.1.1.1:500,
local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Transport),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:50:53.520: ISAKMP: set new node 0 to QM_IDLE
*Jul 25 12:50:53.520: SA has outstanding requests (local 112.176.96.152 port 500, remote 112.176.96.124 port 500)
*Jul 25 12:50:53.520: ISAKMP:(1006): sitting IDLE. Starting QM immediately (QM_IDLE )
*Jul 25 12:50:53.520: ISAKMP:(1006):beginning Quick Mode exchange, M-ID of 2055556995
*Jul 25 12:50:53.520: ISAKMP:(1006):QM Initiator gets spi
*Jul 25 12:50:53.520: ISAKMP:(1006): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
*Jul 25 12:50:53.520: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:50:53.520: ISAKMP:(1006):Node 2055556995, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jul 25 12:50:53.520: ISAKMP:(1006):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jul 25 12:50:53.520: ISAKMP (1006): received packet from 1.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
*Jul 25 12:50:53.520: ISAKMP: set new node -1428573279 to QM_IDLE
*Jul 25 12:50:53.524: ISAKMP:(1006): processing HASH payload. message ID = 2866394017
*Jul 25 12:50:53.524: ISAKMP:(1006): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2888331328, message ID = 2866394017, sa = 0x70B05F14
*Jul 25 12:50:53.524: ISAKMP:(1006): deleting spi 2888331328 message ID = 2055556995
*Jul 25 12:50:53.524: ISAKMP:(1006):deleting node 2055556995 error TRUE reason "Delete Larval"
*Jul 25 12:50:53.524: ISAKMP:(1006):deleting node -1428573279 error FALSE reason "Informational (in) state 1"
*Jul 25 12:50:53.524: ISAKMP:(1006):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 25 12:50:53.524: ISAKMP:(1006):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Some time ago I was running a similar setup, but the firewall was an ASA, not a Juniper.
Some comments:
You shouldn't disable NAT transparency. It should work with the default setting, which is "enabled".
The firewall only has to allow UDP/500 and UDP/4500. It will never see any other traffic between the hub and spoke.
The firewall shouldn't do any inspections etc. on the traffic to the hub.
You shouldn't use wildcard PSKs. The better solution is to use digital certificates.
You probably need some MTU/MSS settings like "ip mtu 1400" and "ip tcp adjust-mss 1360".
For running OSPF through DMVPN, make sure the hub is the DR and set the network type to broadcast. -
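An added checker, not from any post in this thread and not Cisco code, that parses IOS crypto debug excerpts shaped like the hub output above and flags what the reply points at: in transport mode the proxy identities are the peers' own addresses, so a hub whose local address (192.168.10.1) differs from the local proxy the spoke negotiated (1.1.1.1) is being reached through NAT, and disabling NAT-T leaves IKE unable to reconcile the two. The sample text, the regex and the `diagnose` function are this example's own constructions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of the hub's debug output quoted above
# (same placeholder addresses as the post; not captured from a real device).
SAMPLE_DEBUG = """\
*Jul 25 12:23:14.708: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.10.1:0, remote= 2.2.2.2:0,
local_proxy= 1.1.1.1/255.255.255.255/47/0,
remote_proxy= 2.2.2.2/255.255.255.255/47/0,
protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:23:14.708: map_db_find_best did not find matching map
*Jul 25 12:23:14.708: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jul 25 12:23:14.708: ISAKMP:(1006):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

# One "(key eng. msg.)" block: peer addresses plus the proxy identities
# (address/mask/ip-protocol/port) that phase 2 is negotiating.
PROPOSAL_RE = re.compile(
    r"\(key eng\. msg\.\)\s+(?P<dir>INBOUND|OUTBOUND)\s+"
    r"local=\s*(?P<local>[\d.]+):\d+,\s*remote=\s*(?P<remote>[\d.]+):\d+,\s*"
    r"local_proxy=\s*(?P<lproxy>[\d.]+)/[\d.]+/(?P<lproto>\d+)/\d+(?: \(type=\d+\))?,\s*"
    r"remote_proxy=\s*(?P<rproxy>[\d.]+)/[\d.]+/(?P<rproto>\d+)/\d+(?: \(type=\d+\))?,\s*"
    r"protocol=\s*(?P<protocol>\w+),\s*transform=[^\n]*?\((?P<mode>Transport|Tunnel)\)"
)


@dataclass
class Proposal:
    direction: str
    local: str
    remote: str
    local_proxy: str
    remote_proxy: str
    proxy_proto: int
    mode: str

    @property
    def local_behind_nat(self) -> bool:
        # In transport mode the proxy identities are the peers' own addresses.
        # A local address that differs from the local proxy the peer offered
        # means the peer reaches this router at a translated (post-NAT) address.
        return self.mode == "Transport" and self.local != self.local_proxy

    @property
    def remote_behind_nat(self) -> bool:
        return self.mode == "Transport" and self.remote != self.remote_proxy


def parse_proposals(text: str) -> List[Proposal]:
    """Extract every phase 2 proposal block from a debug excerpt."""
    return [
        Proposal(m["dir"], m["local"], m["remote"], m["lproxy"], m["rproxy"],
                 int(m["lproto"]), m["mode"])
        for m in PROPOSAL_RE.finditer(text)
    ]


def diagnose(text: str) -> List[str]:
    """Return the findings a troubleshooter would want from the excerpt."""
    findings = []
    for p in parse_proposals(text):
        proto = "GRE" if p.proxy_proto == 47 else f"IP protocol {p.proxy_proto}"
        if p.local_behind_nat:
            findings.append(
                f"{p.direction}: local address {p.local} differs from the negotiated local "
                f"proxy {p.local_proxy} ({p.mode} mode, {proto}); the peer reaches this router "
                f"through NAT at {p.local_proxy}, so leave IKE NAT-T enabled "
                f"(remove 'no crypto ipsec nat-transparency udp-encapsulation') on both ends"
            )
        if p.remote_behind_nat:
            findings.append(
                f"{p.direction}: remote address {p.remote} differs from the negotiated remote "
                f"proxy {p.remote_proxy}; the peer is itself behind NAT"
            )
    if "proxy identities not supported" in text:
        findings.append("IPsec rejected the proxy identities; a PROPOSAL_NOT_CHOSEN notify follows")
    n = text.count("PROPOSAL_NOT_CHOSEN")
    if n:
        findings.append(f"{n} PROPOSAL_NOT_CHOSEN notify message(s): phase 2 never completes")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_DEBUG):
        print("-", line)
```

Run against the spoke-side excerpt the mismatch does not show, because the spoke only ever sees the hub's post-NAT address; the hub's own debug is where the NAT becomes visible.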
Not Seeing NAT Translations Across GRE IPSec Tunnel
Hello,
I have a P2P GRE over IPsec tunnel between two 3725s using NAT overload and the Internet as transport. I can reach the backside networks, tunnel endpoints, etc., and I have verified that the traffic is being encrypted. What I am not seeing, however, are any NAT translations taking place. They must be happening because my traffic is being routed through the tunnel via the public interfaces. I am assuming that this is a result of the checksum being altered when the translation is done.
Would I be correct in assuming that I could use something like NAT Transparency or IPSec over TCP/UDP to fix the problem and begin seeing NAT translations?
Thanks for any help you guys may be able to provide!
Anthony, CCNA (Network/Voice)
Can you send over the configurations?
You seem to have a phase 1 issue, it's not negotiating correctly.
Thanks -
Is the 1812J supported by NAT-T (RFC 3948)?
Hi all,
I have a question about NAT-T (RFC 3948).
Does the Cisco 1812J support NAT-T (RFC 3948)?
Do you know this information on CCO?
Do you know the Feature Navigator name for NAT-T?
H/W : Cisco 1812J
IOS : 12.4T
Regards
Ryusuke.
Hi Leo,
NAT-T is NAT Transparency, isn't it?
I thought that NAT-T was NAT Traversal.
This link is for NAT Transparency.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftipsnat.htm
Thanks for your help.
Ryusuke -
Are all the below strategies for IPsec to work across NAT the same??
NAT - T
NAT transparency
Transparent NAT
Transparent Tunnel
IPSEC Pass through
What's the difference between them? Do we have any more of these?
Why so many?
Read the below links - everything you will ever need to know
http://www.networksorcery.com/enp/topic/ipsecsuite.htm
HTH -
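An added decoder, not from any post above and not Cisco code, for the two questions about what NAT-T (RFC 3948) actually is: native ESP is IP protocol 50 with no port numbers, so a PAT device has nothing to rewrite, whereas NAT-T carries both IKE and ESP inside UDP/4500 and tells them apart by the four-octet Non-ESP marker (an ESP SPI of 0 is reserved, so the marker cannot be mistaken for ESP). The packet builders and the sample addresses (the thread's placeholders 2.2.2.2 and 1.1.1.1) are constructed for the demo.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

IKE_PORT = 500            # IKE before NAT is detected
NAT_T_PORT = 4500         # RFC 3947/3948 NAT-T: IKE and ESP share this port
IPPROTO_UDP = 17
IPPROTO_ESP = 50          # native ESP: no ports, so a PAT device has nothing to translate
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # precedes IKE on 4500; ESP SPI 0 is reserved, so no clash
NAT_KEEPALIVE = b"\xff"               # one-octet datagram that keeps the NAT binding alive


@dataclass
class NatTPayload:
    kind: str                           # "ike", "esp" or "keepalive"
    spi: Optional[int] = None           # ESP SPI (kind == "esp")
    seq: Optional[int] = None           # ESP sequence number (kind == "esp")
    ike_spi_i: Optional[bytes] = None   # IKE initiator SPI/cookie (kind == "ike")


def classify_udp4500_payload(payload: bytes) -> NatTPayload:
    """Classify a UDP/4500 payload per RFC 3948 section 2 (ESP, IKE, keepalive)."""
    if payload == NAT_KEEPALIVE:
        return NatTPayload("keepalive")
    if len(payload) < 8:
        raise ValueError("payload too short for ESP or IKE")
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < 28:               # fixed ISAKMP/IKE header is 28 octets
            raise ValueError("truncated IKE header")
        return NatTPayload("ike", ike_spi_i=ike[:8])
    spi, seq = struct.unpack("!II", payload[:8])   # ESP header directly after UDP
    return NatTPayload("esp", spi=spi, seq=seq)


def describe_datagram(raw: bytes) -> dict:
    """Say how an IPv4 datagram carries IPsec: native ESP, plain IKE, or NAT-T."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    info = {
        "src": socket.inet_ntoa(raw[12:16]),
        "dst": socket.inet_ntoa(raw[16:20]),
        "carrier": f"ip-proto-{proto}",
        "kind": "other",
        "spi": None,
        "pat_translatable": False,      # only UDP-carried traffic has ports for PAT to rewrite
    }
    body = raw[ihl:]
    if proto == IPPROTO_ESP:
        spi, _seq = struct.unpack("!II", body[:8])
        info.update(carrier="esp", kind="esp", spi=spi)
    elif proto == IPPROTO_UDP:
        sport, dport, ulen, _csum = struct.unpack("!HHHH", body[:8])
        info["pat_translatable"] = True
        if NAT_T_PORT in (sport, dport):
            p = classify_udp4500_payload(body[8:ulen])
            info.update(carrier="udp/4500", kind=p.kind, spi=p.spi)
        elif IKE_PORT in (sport, dport):
            info.update(carrier="udp/500", kind="ike")
    return info


# Constructed packet builders for the demo (header checksums left at 0).
def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


ESP_HDR = struct.pack("!II", 0x12345678, 7) + b"\x00" * 16   # SPI, seq, dummy ciphertext
IKE_HDR = bytes(range(8)) + b"\x00" * 20                      # SPIi + rest of the 28-octet header

# Constructed samples using the thread's placeholder addresses (spoke 2.2.2.2, hub 1.1.1.1).
SAMPLES = {
    "native_esp": build_ipv4("2.2.2.2", "1.1.1.1", IPPROTO_ESP, ESP_HDR),
    "ike_500": build_ipv4("2.2.2.2", "1.1.1.1", IPPROTO_UDP,
                          build_udp(IKE_PORT, IKE_PORT, IKE_HDR)),
    "natt_ike": build_ipv4("2.2.2.2", "1.1.1.1", IPPROTO_UDP,
                           build_udp(NAT_T_PORT, NAT_T_PORT, NON_ESP_MARKER + IKE_HDR)),
    "natt_esp": build_ipv4("2.2.2.2", "1.1.1.1", IPPROTO_UDP,
                           build_udp(NAT_T_PORT, NAT_T_PORT, ESP_HDR)),
    "natt_keepalive": build_ipv4("2.2.2.2", "1.1.1.1", IPPROTO_UDP,
                                 build_udp(NAT_T_PORT, NAT_T_PORT, NAT_KEEPALIVE)),
}


def summarize() -> dict:
    return {name: describe_datagram(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, d in summarize().items():
        print(f"{name:15s} {d['carrier']:10s} {d['kind']:10s} pat_translatable={d['pat_translatable']}")
```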
Internet connection problem for remote site in site-to-site VPN ASA 5505
Hi all
I'm configuring a site-to-site IPsec VPN between 2 sites using ASA 5505 v8.2. The VPN is working fine, I can ping machines on the 2 sides, but the problem is the remote site doesn't have internet.
The architecture is: we have 2 sites, Site1 is the main site and Site2 is the secondary site; there will be Site3, ...
The internet connection is based in Site1, and Site2 and Site3 will have internet connection through Site1. Site1, Site2 and Site3 are interconnected by IPsec VPN.
Here is my ASA 5505 configuration:
SITE 1:
ASA Version 8.2(5)
hostname test-malabo
domain-name test.mg
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd ta.qizy4R//ChqQH encrypted
names
interface Ethernet0/0
description "Sortie Internet"
switchport access vlan 2
interface Ethernet0/1
description "Interconnexion"
switchport access vlan 171
interface Ethernet0/2
description "management"
switchport access vlan 10
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 41.79.49.42 255.255.255.192
interface Vlan10
nameif mgmt
security-level 0
ip address 10.12.1.100 255.255.0.0
interface Vlan171
nameif interco
security-level 0
ip address 10.22.19.254 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name test.mg
object-group network LAN-MALABO
description LAN DE MALABO
network-object 192.168.1.0 255.255.255.0
object-group network LAN-BATA
description LAN DE BATA
network-object 192.168.2.0 255.255.255.0
object-group network LAN-LUBA
description LAN DE LUBA
network-object 192.168.3.0 255.255.255.0
access-list interco_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
mtu mgmt 1500
mtu interco 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any interco
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (interco) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 41.79.49.1 1
route interco 192.168.3.0 255.255.255.0 10.22.19.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map interco_map0 1 match address interco_1_cryptomap
crypto map interco_map0 1 set pfs group1
crypto map interco_map0 1 set peer 10.22.19.5
crypto map interco_map0 1 set transform-set ESP-3DES-SHA
crypto map interco_map0 interface interco
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto isakmp enable interco
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 10.12.0.0 255.255.0.0 mgmt
telnet timeout 30
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.12.0.0 255.255.0.0 mgmt
ssh timeout 30
console timeout 0
management-access interco
dhcpd option 3 ip 192.168.1.1
dhcpd address 192.168.1.100-192.168.1.254 inside
dhcpd dns 41.79.48.66 8.8.8.8 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
tunnel-group 10.22.19.5 type ipsec-l2l
tunnel-group 10.22.19.5 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 60 retry 5
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect snmp
inspect icmp
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5aa0d27f15e49ea597c8097cfdb755b8
: end
SITE2:
ASA Version 8.2(5)
hostname test-luba
domain-name test.eg
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
description "Sortie Interco-Internet"
switchport access vlan 2
interface Ethernet0/1
description "management"
switchport access vlan 10
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 10.22.19.5 255.255.255.0
interface Vlan10
nameif mgmt
security-level 0
ip address 10.12.1.101 255.255.0.0
ftp mode passive
dns server-group DefaultDNS
domain-name test.eg
object-group network LAN-MALABO
description LAN DE MALABO
network-object 192.168.1.0 255.255.255.0
object-group network LAN-BATA
description LAN DE BATA
network-object 192.168.2.0 255.255.255.0
object-group network LAN-LUBA
description LAN DE LUBA
network-object 192.168.3.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
mtu mgmt 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 10.22.19.254 1
route outside 192.168.1.0 255.255.255.0 10.22.19.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_1_cryptomap
crypto map outside_map0 1 set pfs group1
crypto map outside_map0 1 set peer 10.22.19.254
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.12.0.0 255.255.0.0 mgmt
telnet timeout 30
ssh 192.168.3.0 255.255.255.0 inside
ssh 10.12.0.0 255.255.0.0 mgmt
ssh timeout 30
console timeout 0
management-access outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
tunnel-group 10.22.19.254 type ipsec-l2l
tunnel-group 10.22.19.254 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 60 retry 5
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:185bd689118ba24f9a0ef2f7e80494f6
Can anybody help with why my remote site can't connect to the Internet?
Regards,
Raitsarevo
Hi Carv,
Thanks for your reply. I have finally done it.
I used no crypto ipsec nat-transparency udp-encapsulation on my end router only.
And in the remote access VPN I have enabled UDP for the client configuration. The most important thing is that I have given IP addresses from the same LAN pool to the VPN users.
Regards,
Satya.M
-
Not able to establish phase 1 of site-to-site VPN
Hi Experts,
Site-B(router)------Modem------Internet--------Site-A(router)
I'm trying to create an IPsec site-to-site VPN between a Cisco 2900 and a Cisco 861; below is the scenario. Kindly find the connectivity diagram in the attached files.
The issue is that there is a modem provided by the ISP at Site-B, and the Cisco 861 router is connected back to that modem. The connection is given through RJ11 and there is no ADSL port available on the Site-B router.
Based on the above scenario, here is the config.
Site B:-
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key CITDENjan2014 address 80.227.xx.xx
crypto ipsec transform-set ETH-to-Dxb esp-3des esp-md5-hmac
mode tunnel
crypto map VPN 1 ipsec-isakmp
set peer 80.227.xx.xx
set transform-set ETH-to-Dxb
match address 110
interface fa 4
ip address 192.168.1.254 255.255.255.0
crypto map VPN
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip access-list ext 110
permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
Kindly find screenshots of the ADSL modem for the below information.
Configuration on the LAN interface of the ADSL modem with dual IP address.
I have done port forwarding on the modem, though I haven't done port forwarding before, so I'm not sure whether it's correct or not.
Site-A router Config:-
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key CITDENjan2014 address 197.156.xx.xx
crypto ipsec transform-set Dxb-to-ETH esp-3des esp-md5-hmac
mode tunnel
crypto map Dxb-to-Nigeria 20 ipsec-isakmp
set peer 197.156.xx.xx
set transform-set Dxb-to-ETH
match address 120
interface GigabitEthernet0/1
ip address 80.227.xx.xx 255.255.255.252
crypto map Dxb-to-Nigeria
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
route-map SDM_RMAP_1 permit 1
match ip address 101
Logs on Site-B router:-
*Apr 16 13:02:06.735: ISAKMP (0): received packet from 80.227.xx.xx dport 500 sport 1 Global (N) NEW SA
*Apr 16 13:02:06.735: ISAKMP: Created a peer struct for 80.227.xx.xx, peer port 1
*Apr 16 13:02:06.735: ISAKMP: New peer created peer = 0x886B0310 peer_handle = 0x8000001D
*Apr 16 13:02:06.735: ISAKMP: Locking peer struct 0x886B0310, refcount 1 for crypto_isakmp_process_block
*Apr 16 13:02:06.735: ISAKMP: local port 500, remote port 1
*Apr 16 13:02:06.735: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 88776A88
*Apr 16 13:02:06.735: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 16 13:02:06.735: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Apr 16 13:02:06.735: ISAKMP:(0): processing SA payload. message ID = 0
*Apr 16 13:02:06.735: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.735: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Apr 16 13:02:06.735: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Apr 16
ETH-CIT# 13:02:06.735: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.735: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Apr 16 13:02:06.739: ISAKMP (0): vendor ID is NAT-T v7
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v3
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v2
*Apr 16 13:02:06.739: ISAKMP:(0):found peer pre-shared key matching 80.227.xx.xx
*Apr 16 13:02:06.739: ISAKMP:(0): local preshared key found
*Apr 16 13:02:06.739: ISAKMP : Scanning profiles for xauth ...
*Apr 16 13:02:06.739: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Apr 16 13:02:06.739: ISAKMP: encryption 3DES-CBC
*Apr 16 13:02:06.739: ISAKMP: hash MD5
*Apr 16 13:02:06.739: ISAKMP: default group 2
*Apr 16 13:02:06.739: ISAKMP: auth pre-share
*Apr 16 13:02:06.739: ISAKMP: life type in seconds
*Apr 16 13:02:06.739: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Apr 16 13:02:06.739: ISAKMP:(0):atts are acceptable. Next payload is 0
*Apr 16 13:02:06.739: ISAKMP:(0):Acceptable atts:actual life: 0
*Apr 16 13:02:06.739: ISAKMP:(0):Acceptable atts:life: 0
*Apr 16 13:02:06.739: ISAKMP:(0):Fill atts in sa vpi_length:4
*Apr 16 13:02:06.739: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Apr 16 13:02:06.739: ISAKMP:(0):Returning Actual lifetime: 86400
*Apr 16 13:02:06.739: ISAKMP:(0)::Started lifetime timer: 86400.
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Apr 16 13:02:06.739: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Apr 16 13:02:06.739: ISAKMP (0): vendor ID is NAT-T v7
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v3
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v2
*Apr 16 13:02:06.739: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 16 13:02:06.739: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Apr 16 13:02:06.739: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Apr 16 13:02:06.739: ISAKMP:(0): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_SA_SETUP
*Apr 16 13:02:06.739: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 16 13:02:06.739: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 16 13:02:06.739: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Apr 16 13:02:06.995: ISAKMP (0): received packet from 80.227.xx.xx dport 500 sport 1 Global (R) MM_SA_SETUP
*Apr 16 13:02:06.995: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 16 13:02:06.999: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Apr 16 13:02:06.999: ISAKMP:(0): processing KE payload. message ID = 0
*Apr 16 13:02:07.027: ISAKMP:(0): processing NONCE payload. message ID = 0
*Apr 16 13:02:07.027: ISAKMP:(0):found peer pre-shared key matching 80.227.xx.xx
*Apr 16 13:02:07.027: ISAKMP:(2028): processing vendor id payload
*Apr 16 13:02:07.027: ISAKMP:(2028): vendor ID is DPD
*Apr 16 13:02:07.027: ISAKMP:(2028): processing vendor id payload
*Apr 16 13:02:07.027: ISAKMP:(2028): speaking to another IOS box!
*Apr 16 13:02:07.027: ISAKMP:(2028): processing vendor id payload
*Apr 16 13:02:07.027: ISAKMP:(2028): vendor ID seems Unity/DPD but major 241 mismatch
*Apr 16 13:02:07.027: ISAKMP:(2028): vendor ID is XAUTH
*Apr 16 13:02:07.027: ISAKMP:received payload type 20
*Apr 16 13:02:07.027: ISAKMP (2028): NAT found, both nodes inside NAT
*Apr 16 13:02:07.027: ISAKMP:received payload type 20
*Apr 16 13:02:07.027: ISAKMP (2028): NAT found, both nodes inside NAT
*Apr 16 13:02:07.027: ISAKMP:(2028):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 16 13:02:07.027: ISAKMP:(2028):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Apr 16 13:02:07.027: ISAKMP:(2028): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_KEY_EXCH
*Apr 16 13:02:07.027: ISAKMP:(2028):Sending an IKE IPv4 Packet.
*Apr 16 13:02:07.027: ISAKMP:(2028):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 16 13:02:07.027: ISAKMP:(2028):Old State = IKE_R_MM3 New State = IKE_R_MM4
ETH-CIT#
ETH-CIT#
*Apr 16 13:02:17.027: ISAKMP:(2028): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:02:17.027: ISAKMP (2028): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 16 13:02:17.027: ISAKMP:(2028): retransmitting phase 1 MM_KEY_EXCH
*Apr 16 13:02:17.027: ISAKMP:(2028): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_KEY_EXCH
*Apr 16 13:02:17.027: ISAKMP:(2028):Sending an IKE IPv4 Packet.
Logs on Site-A router:-
*Apr 16 13:15:28.109: ISAKMP (1263): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:15:28.109: ISAKMP:(1263): phase 1 packet is a duplicate of a previous packet.
*Apr 16 13:15:28.109: ISAKMP:(1263): retransmitting due to retransmit phase 1
*Apr 16 13:15:28.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:15:28.609: ISAKMP (1263): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Apr 16 13:15:28.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH
*Apr 16 13:15:28.609: ISAKMP:(1263): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:15:28.609: ISAKMP:(1263):Sending an IKE IPv4 Packet.
DXB-CIT#
*Apr 16 13:15:38.109: ISAKMP (1263): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:15:38.109: ISAKMP:(1263): phase 1 packet is a duplicate of a previous packet.
*Apr 16 13:15:38.109: ISAKMP:(1263): retransmitting due to retransmit phase 1
*Apr 16 13:15:38.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:15:38.609: ISAKMP (1263): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Apr 16 13:15:38.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH
*Apr 16 13:15:38.609: ISAKMP:(1263): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:15:38.609: ISAKMP:(1263):Sending an IKE IPv4 Packet.
DXB-CIT#
*Apr 16 13:15:47.593: ISAKMP: set new node 0 to QM_IDLE
*Apr 16 13:15:47.593: ISAKMP:(1263):SA is still budding. Attached new ipsec request to it. (local 80.227.xx.xx, remote 197.156.xx.xx)
*Apr 16 13:15:47.593: ISAKMP: Error while processing SA request: Failed to initialize SA
*Apr 16 13:15:47.593: ISAKMP: Error while processing KMI message 0, error 2.
*Apr 16 13:15:48.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:15:48.609: ISAKMP:(1263):peer does not do paranoid keepalives.
*Apr 16 13:15:48.609: ISAKMP:(1263):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 197.156.xx.xx)
*Apr 16 13:15:48.609: ISAKMP:(1263):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 197.156.xx.xx)
*Apr 16 13:15:48.609: ISAKMP: Unlocking peer struct 0x23193AD4 for isadb_mark_sa_deleted(), count 0
*Apr 16 13:15:48.609: ISAKMP: Deleting peer node by peer_reap for 197.156.xx.xx: 23193AD4
DXB-CIT#
DXB-CIT#
*Apr 16 13:15:48.609: ISAKMP:(1263):deleting node 1134682361 error FALSE reason "IKE deleted"
*Apr 16 13:15:48.609: ISAKMP:(1263):deleting node 680913363 error FALSE reason "IKE deleted"
*Apr 16 13:15:48.609: ISAKMP:(1263):deleting node 1740991762 error FALSE reason "IKE deleted"
*Apr 16 13:15:48.609: ISAKMP:(1263):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Apr 16 13:15:48.609: ISAKMP:(1263):Old State = IKE_I_MM5 New State = IKE_DEST_SA
DXB-CIT#
DXB-CIT#shoc cry
DXB-CIT#sho cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
197.156.xx.xx 80.227.xx.xx MM_NO_STATE 1263 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
*Apr 16 13:16:17.593: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 80.227.xx.xx:0, remote= 197.156.xx.xx:0,
local_proxy= 192.168.10.0/255.255.255.0/256/0,
remote_proxy= 192.168.1.0/255.255.255.0/256/0
*Apr 16 13:16:17.609: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 80.227.xx.xx:500, remote= 197.156.xx.xx:500,
local_proxy= 192.168.10.0/255.255.255.0/256/0,
remote_proxy= 192.168.1.0/255.255.255.0/256/0,
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Apr 16 13:16:17.609: ISAKMP:(0): SA request profile is (NULL)
*Apr 16 13:16:17.609: ISAKMP: Created a peer struct for 197.156.xx.xx, peer port 500
*Apr 16 13:16:17.609: ISAKMP: New peer created peer = 0x23193AD4 peer_handle = 0x80001862
*Apr 16 13:16:17.609: ISAKMP: Locking peer struct 0x23193AD4, refcount 1 for isakmp_initiator
*Apr 16 13:16:17.609: ISAKMP: local port 500, remote port 500
*Apr 16 13:16:17.609: ISAKMP: set new node 0 to QM_IDLE
*Apr 16 13:16:17.609: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 270A2FD0
*Apr 16 13:16:17.609: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Apr 16 13:16:17.609: ISAKMP:(0):found peer pre-shared key matching 197.156.xx.xx
*Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Apr 16 13:16:17.609: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Apr 16 13:16:17.609: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Apr 16 13:16:17.609: ISAKMP:(0): beginning Main Mode exchange
*Apr 16 13:16:17.609: ISAKMP:(0): sending packet to 197.156.xx.xx my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 16 13:16:17.609: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 16 13:16:17.865: ISAKMP (0): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_NO_STATE
*Apr 16 13:16:17.865: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 16 13:16:17.865: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Apr 16 13:16:17.865: ISAKMP:(0): processing SA payload. message ID = 0
*Apr 16 13:16:17.869: ISAKMP:(0): processing vendor id payload
*Apr 16 13:16:17.869: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Apr 16 13:16:17.869: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Apr 16 13:16:17.869: ISAKMP:(0):found peer pre-shared key matching 197.156.xx.xx
*Apr 16 13:16:17.869: ISAKMP:(0): local preshared key found
*Apr 16 13:16:17.869: ISAKMP : Scanning profiles for xauth ... ciscocp-ike-profile-1
*Apr 16 13:16:17.869: ISAKMP:(0): Authentication by xauth preshared
*Apr 16 13:16:17.869: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Apr 16 13:16:17.869: ISAKMP: encryption 3DES-CBC
*Apr 16 13:16:17.869: ISAKMP: hash MD5
*Apr 16 13:16:17.869: ISAKMP: default group 2
*Apr 16 13:16:17.869: ISAKMP: auth pre-share
*Apr 16 13:16:17.869: ISAKMP: life type in seconds
*Apr 16 13:16:17.869: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Apr 16 13:16:17.869: ISAKMP:(0):atts are acceptable. Next payload is 0
*Apr 16 13:16:17.869: ISAKMP:(0):Acceptable atts:actual life: 0
*Apr 16 13:16:17.869: ISAKMP:(0):Acceptable atts:life: 0
*Apr 16 13:16:17.869: ISAKMP:(0):Fill atts in sa vpi_length:4
*Apr 16 13:16:17.869: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Apr 16 13:16:17.869: ISAKMP:(0):Returning Actual lifetime: 86400
*Apr 16 13:16:17.869: ISAKMP:(0)::Started lifetime timer: 86400.
*Apr 16 13:16:17.869: ISAKMP:(0): processing vendor id payload
*Apr 16 13:16:17.869: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Apr 16 13:16:17.869: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Apr 16 13:16:17.869: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 16 13:16:17.869: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Apr 16 13:16:17.869: ISAKMP:(0): sending packet to 197.156.xx.xx my_port 500 peer_port 500 (I) MM_SA_SETUP
*Apr 16 13:16:17.869: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 16 13:16:17.869: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 16 13:16:17.869: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Apr 16 13:16:18.157: ISAKMP (0): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_SA_SETUP
*Apr 16 13:16:18.157: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 16 13:16:18.157: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Apr 16 13:16:18.157: ISAKMP:(0): processing KE payload. message ID = 0
*Apr 16 13:16:18.181: ISAKMP:(0): processing NONCE payload. message ID = 0
*Apr 16 13:16:18.181: ISAKMP:(0):found peer pre-shared key matching 197.156.xx.xx
*Apr 16 13:16:18.181: ISAKMP:(1264): processing vendor id payload
*Apr 16 13:16:18.181: ISAKMP:(1264): vendor ID is Unity
*Apr 16 13:16:18.181: ISAKMP:(1264): processing vendor id payload
*Apr 16 13:16:18.181: ISAKMP:(1264): vendor ID is DPD
*Apr 16 13:16:18.181: ISAKMP:(1264): processing vendor id payload
*Apr 16 13:16:18.185: ISAKMP:(1264): speaking to another IOS box!
*Apr 16 13:16:18.185: ISAKMP:received payload type 20
*Apr 16 13:16:18.185: ISAKMP (1264): NAT found, both nodes inside NAT
*Apr 16 13:16:18.185: ISAKMP:received payload type 20
*Apr 16 13:16:18.185: ISAKMP (1264): NAT found, both nodes inside NAT
*Apr 16 13:16:18.185: ISAKMP:(1264):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 16 13:16:18.185: ISAKMP:(1264):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Apr 16 13:16:18.185: ISAKMP:(1264):Send initial contact
*Apr 16 13:16:18.185: ISAKMP:(1264):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Apr 16 13:16:18.185: ISAKMP (1264): ID payload
next-payload : 8
type : 1
address : 80.227.xx.xx
protocol : 17
port : 0
length : 12
*Apr 16 13:16:18.185: ISAKMP:(1264):Total payload length: 12
*Apr 16 13:16:18.185: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:16:18.185: ISAKMP:(1264):Sending an IKE IPv4 Packet.
*Apr 16 13:16:18.185: ISAKMP:(1264):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 16 13:16:18.185: ISAKMP:(1264):Old State = IKE_I_MM4 New State = IKE_I_MM5
DXB-CIT#
*Apr 16 13:16:28.157: ISAKMP (1264): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:16:28.157: ISAKMP:(1264): phase 1 packet is a duplicate of a previous packet.
*Apr 16 13:16:28.157: ISAKMP:(1264): retransmitting due to retransmit phase 1
*Apr 16 13:16:28.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:16:28.657: ISAKMP (1264): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 16 13:16:28.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH
*Apr 16 13:16:28.657: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
DXB-CIT#
*Apr 16 13:16:28.657: ISAKMP:(1264):Sending an IKE IPv4 Packet.
DXB-CIT#
DXB-CIT#
DXB-CIT#
DXB-CIT#
DXB-CIT#
DXB-CIT#
DXB-CIT#u all
All possible debugging has been turned off
DXB-CIT#
DXB-CIT#
*Apr 16 13:16:38.157: ISAKMP (1264): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:16:38.157: ISAKMP:(1264): phase 1 packet is a duplicate of a previous packet.
*Apr 16 13:16:38.157: ISAKMP:(1264): retransmitting due to retransmit phase 1
*Apr 16 13:16:38.609: ISAKMP:(1263):purging node 1134682361
*Apr 16 13:16:38.609: ISAKMP:(1263):purging node 680913363
*Apr 16 13:16:38.609: ISAKMP:(1263):purging node 1740991762
*Apr 16 13:16:38.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:16:38.657: ISAKMP (1264): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
DXB-CIT#
DXB-CIT#
DXB-CIT#
DXB-CIT#
*Apr 16 13:16:38.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH
*Apr 16 13:16:38.657: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:16:38.657: ISAKMP:(1264):Sending an IKE IPv4 Packet.
Hello salman.abid,
It's hard to troubleshoot if there is some third-party device in the way. I tried your config in my lab and I established IPSec successfully.
So it seems that the modem causes some problems during IPSec establishment.
Basically, if you are configuring an L2L IPSec VPN, there are a few things that have to match:
1. Check crypto maps, transform sets etc. and whether they match on both sides. Especially pre-shared keys.
2. Permit protocol ESP, ISAKMP (UDP 500), and NAT-T (UDP 4500) if applicable.
3. Check that the default GW is configured properly.
4. Check the NAT configuration.
Regarding crypto ipsec nat-transparency udp-encapsulation, it could help you, but also enable the UDP/4500 port.
HTH
Jan
-
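The Site-A debug above shows the pattern Jan's point 2 is about: once NAT is detected, IKE floats to UDP/4500, the initiator sends MM_KEY_EXCH on 4500, but the only packets that ever come back arrive on 500, until phase 1 dies by retransmission. The following script is an added example (not Cisco code, not from the thread's author) that walks a `debug crypto isakmp` capture and flags that pattern; the sample lines are constructed from the ones posted, with the xx placeholders kept, and the finding codes are my own names.

```python
"""Triage an IOS 'debug crypto isakmp' capture for the NAT-T port-float failure.
Added example, not Cisco code; the sample lines are constructed from the thread."""
import re
from collections import Counter

# Constructed sample, modelled on the Site-A (initiator) log in the thread.
SAMPLE_LOG = """\
*Apr 16 13:16:17.869: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Apr 16 13:16:18.157: ISAKMP (0): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_SA_SETUP
*Apr 16 13:16:18.157: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Apr 16 13:16:18.185: ISAKMP:received payload type 20
*Apr 16 13:16:18.185: ISAKMP (1264): NAT found, both nodes inside NAT
*Apr 16 13:16:18.185: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:16:18.185: ISAKMP:(1264):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Apr 16 13:16:28.157: ISAKMP (1264): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:16:28.157: ISAKMP:(1264): phase 1 packet is a duplicate of a previous packet.
*Apr 16 13:16:28.657: ISAKMP (1264): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 16 13:16:28.657: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:16:38.609: ISAKMP (1264): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Apr 16 13:16:48.609: ISAKMP:(1264):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 197.156.xx.xx)
*Apr 16 13:16:48.609: ISAKMP:(1264):Old State = IKE_I_MM5 New State = IKE_DEST_SA
"""

# IOS prints the connection id in several shapes: "ISAKMP (0):", "ISAKMP:(1264):", "ISAKMP:".
LINE_RE = re.compile(r"ISAKMP\s*:?\s*(?:\((?P<conn>\d+)\))?\s*:?\s*(?P<msg>.*)$")
RECV_RE = re.compile(r"received packet from (?P<peer>\S+) dport (?P<dport>\d+) sport \d+ Global \(\w\) (?P<state>\w+)")
SEND_RE = re.compile(r"sending packet to (?P<peer>\S+) my_port (?P<my>\d+) peer_port \d+ \(\w\) (?P<state>\w+)")
STATE_RE = re.compile(r"Old State = (?P<old>\w+) New State = (?P<new>\w+)")
ATTEMPT_RE = re.compile(r"attempt (?P<n>\d+) of (?P<max>\d+): retransmit phase 1")


def parse_line(line):
    """Return (conn_id or None, message) for an ISAKMP debug line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return (int(m["conn"]) if m["conn"] else None, m["msg"].strip())


def triage(log_text):
    """Collect the evidence from the debug output and derive a list of finding codes."""
    ev = {
        "nat_t_offered": False,   # peer advertised a NAT-T vendor ID
        "nat_detected": False,    # NAT-D payloads showed a NAT on the path
        "sent": Counter(),        # (my_port, state) -> packets we sent
        "received": Counter(),    # (dport, state)   -> packets we received
        "transitions": [],        # (old, new) main-mode state changes
        "duplicates": 0,          # peer kept resending an older phase 1 packet
        "last_attempt": (0, 0),   # highest "attempt n of max" seen
        "p1_death": False,        # "Death by retransmission P1"
    }
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, msg = parsed
        if "vendor ID is NAT-T" in msg:
            ev["nat_t_offered"] = True
        if "NAT found" in msg:
            ev["nat_detected"] = True
        if "duplicate of a previous packet" in msg:
            ev["duplicates"] += 1
        if "Death by retransmission P1" in msg:
            ev["p1_death"] = True
        if m := RECV_RE.search(msg):
            ev["received"][(int(m["dport"]), m["state"])] += 1
        if m := SEND_RE.search(msg):
            ev["sent"][(int(m["my"]), m["state"])] += 1
        if m := STATE_RE.search(msg):
            ev["transitions"].append((m["old"], m["new"]))
        if m := ATTEMPT_RE.search(msg):
            ev["last_attempt"] = max(ev["last_attempt"], (int(m["n"]), int(m["max"])))

    findings = []
    sent_ports = {port for port, _ in ev["sent"]}
    recv_ports = {port for port, _ in ev["received"]}
    # After NAT discovery IKE floats to UDP/4500. Sending only on 4500 while receiving
    # only on 500 means the 4500 path is not forwarded through the NAT/modem.
    if ev["nat_detected"] and 4500 in sent_ports and 4500 not in recv_ports:
        findings.append("udp4500-one-way")
    # The peer resending its last MM packet until our retry budget is exhausted
    # means it never saw our reply.
    if ev["duplicates"] and ev["last_attempt"][0] >= ev["last_attempt"][1] > 0:
        findings.append("peer-never-saw-our-mm-reply")
    if ev["p1_death"]:
        findings.append("phase1-death")
    ev["findings"] = findings
    # Farthest main-mode state before teardown (IKE_I_MM5: identity sent, no MM6 back).
    before_delete = [old for old, new in ev["transitions"] if new == "IKE_DEST_SA"]
    ev["last_state"] = before_delete[-1] if before_delete else (
        ev["transitions"][-1][1] if ev["transitions"] else None)
    return ev


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("NAT on path:", report["nat_detected"], "| farthest state:", report["last_state"])
    print("findings:", ", ".join(report["findings"]))
```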
I have a very simple LAN-2-LAN between two Cisco routers running IOS version 12.4(15)T8 as follows:
RouterA:
crypto isakmp key test123 address 4.2.97.15 no-xauth
crypto isakmp policy 1
encr aes 256
hash sha
authentication pre-share
group 5
lifetime 86400
no crypto ipsec nat-transparency udp-encapsulation
crypto ipsec transform-set tset esp-aes 256 esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
set peer 4.2.97.15
set security-association lifetime seconds 3600
set transform-set tset
set pfs group5
match address vpn
interface FastEthernet0/0
ip address 207.15.205.15 255.255.255.0
speed 100
full-duplex
crypto map vpn
ip access-list extended vpn
permit ip 129.174.15.0 0.0.0.255 129.174.16.0 0.0.0.255
RouterB:
crypto isakmp key test123 address 207.15.205.15 no-xauth
crypto isakmp policy 1
encr aes 256
hash sha
authentication pre-share
group 5
lifetime 86400
no crypto ipsec nat-transparency udp-encapsulation
crypto ipsec transform-set tset esp-aes 256 esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
set peer 207.15.205.15
set security-association lifetime seconds 3600
set transform-set tset
set pfs group5
match address vpn
interface FastEthernet0/0
ip address 4.2.97.15 255.255.255.0
speed 100
full-duplex
crypto map vpn
ip access-list extended vpn
permit ip 129.174.16.0 0.0.0.255 129.174.15.0 0.0.0.255
Every now and then I am seeing this message in the log file:
Jul 27 00:25:20.603: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd
IPSEC packet has invalid spi for destaddr=207.15.205.15, prot=50,
spi=0x681E0955(1746798933), srcaddr=4.2.97.15.
Why am I seeing this message? The VPN between the two routers is very stable without any errors.
I've asked several CCIE consultant folks and none of them is able to provide me with a satisfactory answer regarding this message.
Anyone know why? Thanks in advance.
I know it's been a while since this was asked, but to help anyone who may still want to know, here is the reason from Cisco:
It simply means IPsec Security Associations are out of sync between the peer devices. As a result, an encrypting device will encrypt traffic with SAs that its peer does not know about. These packets are dropped on the peer with the above message logged to the syslog
Read more here: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080bf6100.shtml
One of the most common IPsec issues is that SAs can become out of sync between the peer devices. As a result, an encrypting device will encrypt traffic with SAs that its peer does not know about. These packets are dropped on the peer with this message logged to the syslog: Sep 2 13:27:57.707: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet
has invalid spi for destaddr=20.1.1.2, prot=50, spi=0xB761863E(3076621886),
srcaddr=10.1.1.1 -
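To turn the explanation above into something you can run against a log, here is an added example (not from the thread and not Cisco's code) that re-assembles IOS syslog records wrapped across lines, parses %CRYPTO-4-RECVD_PKT_INV_SPI messages, and counts drops per (source, destination) peer pair so that repeated hits from one peer, the out-of-sync SA signature just described, stand out from a single rekey race. The sample log lines are constructed from the message format shown in the post; 192.0.2.77 and the threshold of two hits are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog excerpt (not captured from the routers in the post).
# The third record is wrapped onto three lines the way the post shows it, which a
# naive line-by-line grep would miss.
SAMPLE_LOG = """\
Jul 27 00:25:20.603: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=207.15.205.15, prot=50, spi=0x681E0955(1746798933), srcaddr=4.2.97.15.
Jul 27 00:25:21.101: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Jul 27 00:26:02.410: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd
IPSEC packet has invalid spi for destaddr=207.15.205.15, prot=50,
spi=0x681E0955(1746798933), srcaddr=4.2.97.15.
Jul 27 00:40:15.002: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=207.15.205.15, prot=50, spi=0x0A1B2C3D(169552957), srcaddr=192.0.2.77.
"""

# A record begins with "Mon DD HH:MM:SS.mmm:" (optionally "*"-prefixed when the
# clock is unset); any other line is a continuation of the previous record.
RECORD_START = re.compile(r"^\*?[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?:")

IPV4 = r"\d+(?:\.\d+){3}"
INV_SPI = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?destaddr=(?P<dst>" + IPV4 + r"),\s*prot=(?P<prot>\d+),"
    r"\s*spi=0x(?P<spi_hex>[0-9A-Fa-f]+)\((?P<spi_dec>\d+)\),\s*srcaddr=(?P<src>" + IPV4 + r")",
    re.S,
)


def join_records(text):
    """Re-assemble records that a terminal or collector wrapped across lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def parse_inv_spi(text):
    """Return one dict per RECVD_PKT_INV_SPI record with src, dst, prot and spi."""
    events = []
    for rec in join_records(text):
        m = INV_SPI.search(rec)
        if not m:
            continue
        spi = int(m.group("spi_hex"), 16)
        events.append({
            "timestamp": rec.split(": ", 1)[0],
            "src": m.group("src"),
            "dst": m.group("dst"),
            "prot": int(m.group("prot")),
            "spi": spi,
            # IOS prints the SPI in hex and decimal; a mismatch means a mangled line.
            "spi_consistent": spi == int(m.group("spi_dec")),
        })
    return events


def summarize(events, threshold=2):
    """Count drops per (src, dst) pair and flag pairs at or above threshold.

    Repeated invalid-SPI drops from one peer are the signature of the
    out-of-sync SA condition: the stale SPI keeps arriving until the sender's
    SA expires or is cleared. A lone hit is usually just a rekey race.
    """
    per_peer = Counter((e["src"], e["dst"]) for e in events)
    spis = defaultdict(set)
    for e in events:
        spis[(e["src"], e["dst"])].add(e["spi"])
    flagged = {pair: {"count": n, "spis": sorted(spis[pair])}
               for pair, n in per_peer.items() if n >= threshold}
    return per_peer, flagged


if __name__ == "__main__":
    counts, flagged = summarize(parse_inv_spi(SAMPLE_LOG))
    for (src, dst), info in flagged.items():
        print(f"{src} -> {dst}: {info['count']} drops, SPIs {[hex(s) for s in info['spis']]}")
```

Feed it the output of `show logging` or the collector's file; the flagged pairs are the peers whose SAs you would then compare with `show crypto ipsec sa` on both sides.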
DMVPN Hub and Spoke behind NAT device
Hi All,
I have seen many documents about a DMVPN hub behind NAT or a DMVPN spoke behind NAT.
But my case involves both situations.
1) The HUB has a load balancer (2 WAN links), ISP A & B
2) The spoke has a load balancer (2 WAN links), ISP A & B
Now the requirement is: spoke ISP A tunnels to HUB ISP A, spoke ISP B tunnels to HUB ISP B.
So there are two DMVPN tunnels in total from spoke to hub, and I will use EIGRP and PBR to select the path.
As I know, at the HUB site the LB must do static NAT for the HUB router IP, so the spoke will point to it as the tunnel destination address. At the spoke LB, I will do policy routing to reach the HUB ISP A IP via the spoke ISP A link and the HUB ISP B IP via the spoke ISP B link.
HUB and spoke have to create 2 tunnels with two different network IDs but using the same source interface.
The tunnel destination IP at the spoke router does not directly belong to the HUB router. It is held by the HUB LB and forwarded to the HUB router by static NAT.
Will I face any problems with this setup? Any guide?
Sample config at HUB.
interface Tunnel0
bandwidth 1000
ip address 172.16.1.1 255.255.255.0
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 600
delay 1000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
interface Tunnel1
bandwidth 1000
ip address 172.17.1.1 255.255.255.0
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp holdtime 600
delay 1000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile cisco
Spoke Config
interface Tunnel0
bandwidth 1000
ip address 172.16.1.2 255.255.255.0
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map 172.16.1.1 199.1.1.1
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 172.16.1.1
delay 1000
tunnel source FastEthernet0/0
tunnel destination 199.1.1.1
tunnel key 0
tunnel protection ipsec profile cisco
interface Tunnel1
bandwidth 1000
ip address 172.17.1.2 255.255.255.0
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map 172.17.1.1 200.1.1.1
ip nhrp network-id 2
ip nhrp holdtime 300
ip nhrp nhs 172.17.1.1
delay 1500
tunnel source FastEthernet0/0
tunnel destination 200.1.1.1
tunnel key 1
tunnel protection ipsec profile cisco
Hi Marcin,
Thanks for your reply. The NAT was set up that way just to simulate the spoke being behind a NAT device.
About AH and ESP, you are correct there... this was actually my issue. I should have used pure ESP. In the end, TAC actually assisted me with this. Before I called TAC, I did notice the following. ISAKMP traffic was NATed to 3.3.3.3, as expected. Anything after that did not work, and it has to do with NAT and AH. Traffic was no longer NATed, so the hub saw the traffic come from 2.2.2.2 rather than 3.3.3.3; you can also see that in the error message you pointed out. I also saw it in my packet captures. That caught my eye and I started troubleshooting it. I did not understand that AH can't be NATed. Below is TAC's explanation. All is good now. Thanks
"Essentially, it comes down to the fact that AH will encapsulate the entire IP packet (hence why it is the outermost header) with the exception of a few mutable fields, including the DSCP/ToS, ECN, flags, fragment offset, TTL, and the header checksum. Since the source/destination IP addresses & port numbers are actually protected by the AH integrity checking, this means that a device performing a NAT operation on the packet will alter these IP header fields and effectively cause the hub router to drop the packet due to AH failure.
Conversely, ESP traffic is able to properly traverse NAT because it doesn't include the IP header addresses & ports in its integrity check. In addition, ESP doesn't need to be the outermost header of the packet in order to work, which is why devices will attach an outer UDP/4500 header on the traffic going over NAT."
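The TAC explanation above can be checked mechanically. The following is an added example (not from the thread, TAC or Cisco) that models the spoke at 2.2.2.2 sending to a hub through the NAT device at 3.3.3.3: it builds a real IPv4 header, computes an AH-style ICV over the header with the RFC 4302 mutable fields zeroed, and an ESP-style ICV over only the ESP header and payload, then shows that a plain routing hop (TTL decrement) leaves AH intact while source NAT breaks AH but not ESP. The hub address 198.51.100.1, the HMAC key, the ICV truncation to 96 bits and the ESP blob (no actual encryption) are constructed stand-ins for what IKE and the crypto engine would normally provide.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key; in real IPsec the integrity key is derived by IKE.
KEY = b"constructed-demo-integrity-key"
PROTO_ESP, PROTO_AH = 50, 51


def ipv4_checksum(hdr):
    """Standard ones'-complement checksum over the 20-byte header."""
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, ttl=64, tos=0):
    """Minimal IPv4 header (no options, DF set) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable(hdr):
    """Zero the fields RFC 4302 treats as mutable before the AH ICV is computed:
    ToS (DSCP/ECN), flags + fragment offset, TTL and header checksum.
    Source and destination addresses are immutable, so they stay in the ICV."""
    b = bytearray(hdr)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)


def ah_icv(ip_hdr, payload):
    """AH ICV: covers the mutable-zeroed IP header plus everything after it."""
    return hmac.new(KEY, zero_mutable(ip_hdr) + payload, hashlib.sha256).digest()[:12]


def esp_icv(esp_blob):
    """ESP ICV: covers only the ESP header and payload, never the outer IP header."""
    return hmac.new(KEY, esp_blob, hashlib.sha256).digest()[:12]


def forward_hop(ip_hdr):
    """What an ordinary router does in transit: decrement TTL, fix the checksum."""
    b = bytearray(ip_hdr)
    b[8] -= 1
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ipv4_checksum(bytes(b)))
    return bytes(b)


def source_nat(ip_hdr, public_src):
    """What the NAT device does on top of forwarding: rewrite the source address."""
    b = bytearray(ip_hdr)
    b[12:16] = ipaddress.IPv4Address(public_src).packed
    return forward_hop(bytes(b))


def ah_verifies(spoke, hub, payload, path):
    """Spoke computes the AH ICV, `path` alters the header in transit, hub re-checks."""
    hdr = build_ipv4_header(spoke, hub, PROTO_AH, len(payload))
    icv_from_spoke = ah_icv(hdr, payload)
    arrived = path(hdr)
    return hmac.compare_digest(icv_from_spoke, ah_icv(arrived, payload))


def esp_verifies(spoke, hub, esp_blob, path):
    """Same exchange with ESP: the hub never feeds the IP header into the ICV."""
    hdr = build_ipv4_header(spoke, hub, PROTO_ESP, len(esp_blob))
    icv_from_spoke = esp_icv(esp_blob)
    path(hdr)  # the outer header changes in transit, but ESP does not cover it
    return hmac.compare_digest(icv_from_spoke, esp_icv(esp_blob))


# Constructed ESP stand-in: SPI, sequence number and a ciphertext placeholder.
ESP_BLOB = struct.pack("!II", 0x0000ABCD, 1) + b"\x13" * 32
SPOKE, NAT_PUBLIC, HUB = "2.2.2.2", "3.3.3.3", "198.51.100.1"  # hub address is constructed


def run_demo():
    """Returns (AH over plain routing, AH through NAT, ESP through NAT)."""
    via_nat = lambda hdr: source_nat(hdr, NAT_PUBLIC)
    return (ah_verifies(SPOKE, HUB, b"inner packet", forward_hop),
            ah_verifies(SPOKE, HUB, b"inner packet", via_nat),
            esp_verifies(SPOKE, HUB, ESP_BLOB, via_nat))


if __name__ == "__main__":
    print(run_demo())  # (True, False, True)
```

The middle result is the hub-side AH failure the TAC note describes; the NAT-T UDP/4500 header that IOS adds for ESP sits outside the ESP blob, so port rewriting by the NAT device does not change the last result either.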