[c-nsp] Help with IPSEC setup

Pedro Matusse malissende at gmail.com
Fri Apr 23 11:18:13 EDT 2010


Hi there,

Can someone please help with Cisco Easy VPN Server troubleshooting on the
following setup?

It seems that everything runs smoothly with the IKE Phase 1 process and the ISAKMP SA,
and even with all other steps, until it comes to IPsec SA establishment.

My server is a Cisco 1841 running the c1841-advsecurityk9-mz.124-3g.bin image.

I'm not comfortable with the fact that my p2p connection with my ISP is done
with private IP addresses and the public IP address on my LAN interface is a
secondary one. Can this be the reason that generates the "invalid local
address 196.AA.BB.CC" that can be seen in the debug crypto ipsec output below?

Thanks in advance

Kind regards

Pedro Matusse
------------------------- Relevant config lines -------------------------
aaa authentication login default local
aaa authorization network MY_USERS local

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group MY_GROUP
 key MY_KEY
 domain MY_DOMAIN
 pool MY_POOL
 acl 199
crypto isakmp profile MY_PROFILE
   description VPN clients profile
   match identity group MY_GROUP
   client authentication list MY_GROUP
   isakmp authorization list MY_USERS
   client configuration address respond
!
!
crypto ipsec transform-set local esp-3des esp-md5-hmac comp-lzs
!
crypto dynamic-map MY_MAP 255
 set transform-set local
 set isakmp-profile MY_PROFILE
 reverse-route
!
!
crypto map vpn 255 ipsec-isakmp dynamic MY_MAP
!
!
interface FastEthernet0/0
 description HQ LAN
 ip address 196.AA.BB.CC 255.255.255.248 secondary
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map vpn

interface Serial0/0/0
 description Connection to MY_ISP
 ip address 10.0.22.26 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 no fair-queue
 no cdp enable

========= #debug crypto ipsec excerpt ====================================

007019: *Apr 23 16:10:57.083 GMT: ISAKMP:(0:6:SW:1):Checking IPSec proposal 1
007020: *Apr 23 16:10:57.083 GMT: ISAKMP: transform 1, ESP_AES
007021: *Apr 23 16:10:57.083 GMT: ISAKMP:   attributes in transform:
007022: *Apr 23 16:10:57.083 GMT: ISAKMP:      authenticator is HMAC-MD5
007023: *Apr 23 16:10:57.083 GMT: ISAKMP:      key length is 256
007024: *Apr 23 16:10:57.083 GMT: ISAKMP:      encaps is 61443 (Tunnel-UDP)
007025: *Apr 23 16:10:57.083 GMT: ISAKMP:      SA life type in seconds
007026: *Apr 23 16:10:57.083 GMT: ISAKMP:      SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
007027: *Apr 23 16:10:57.083 GMT: ISAKMP:(0:6:SW:1):atts are acceptable.
007028: *Apr 23 16:10:57.083 GMT: ISAKMP:(0:6:SW:1):Checking IPSec proposal 1
007029: *Apr 23 16:10:57.083 GMT: ISAKMP:(0:6:SW:1):transform 1, IPPCP LZS
007030: *Apr 23 16:10:57.083 GMT: ISAKMP:   attributes in transform:
007031: *Apr 23 16:10:57.083 GMT: ISAKMP:      encaps is 61443 (Tunnel-UDP)
007032: *Apr 23 16:10:57.083 GMT: ISAKMP:      SA life type in seconds
007033: *Apr 23 16:10:57.083 GMT: ISAKMP:      SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
007034: *Apr 23 16:10:57.087 GMT: ISAKMP:(0:6:SW:1):atts are acceptable.
007035: *Apr 23 16:10:57.087 GMT: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 196.AA.BB.CC, remote= 196.YY.WW.ZZ,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 172.16.10.102/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes 256 esp-md5-hmac  (Tunnel-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x400
007036: *Apr 23 16:10:57.087 GMT: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 196.AA.BB.CC, remote= 196.YY.WW.ZZ,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 172.16.10.102/255.255.255.255/0/0 (type=1),
    protocol= PCP, transform= comp-lzs  (Tunnel-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
007037: *Apr 23 16:10:57.087 GMT: IPSEC(validate_transform_proposal): invalid local address 196.AA.BB.CC
007038: *Apr 23 16:10:57.087 GMT: ISAKMP:(0:6:SW:1): IPSec policy invalidated proposal


More information about the cisco-nsp mailing list
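As an added troubleshooting helper (not code from the post, nor from Cisco), the script below parses the interface section of the running-config and the `IPSEC(validate_transform_proposal): invalid local address` line from `debug crypto ipsec`, then reports whether the rejected `local=` address is a primary or a secondary address on the interface that carries the crypto map. It encodes one assumption about IOS behaviour that the post itself does not confirm: IOS takes the IPsec local address from the primary address of the crypto-map interface (or from the interface named in `crypto map <name> local-address`), so a proposal whose `local=` is only a secondary address is rejected. The sample config and debug lines are constructed to mirror the post, with the poster's masked addresses replaced by RFC 5737 documentation addresses; the interface names and crypto map name `vpn` are taken from the post.

```python
"""Correlate an IOS 'debug crypto ipsec' proposal rejection with the interface config.

Added troubleshooting helper, not from the original post. The rule it checks is an
ASSUMPTION about IOS behaviour: the IPsec local address must be the primary address
of the interface carrying the crypto map (or the address set with
'crypto map <name> local-address <interface>'); a proposal whose local= address is
only a secondary address on that interface is rejected.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample config, modelled on the post's interface section; the poster's
# masked public address is replaced by an RFC 5737 documentation address.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 description HQ LAN
 ip address 203.0.113.10 255.255.255.248 secondary
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 crypto map vpn
!
interface Serial0/0/0
 description Connection to MY_ISP
 ip address 10.0.22.26 255.255.255.252
 ip nat outside
!
"""

# Constructed debug lines in the same shape as the post's excerpt (addresses substituted).
SAMPLE_DEBUG = """\
007035: *Apr 23 16:10:57.087 GMT: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 203.0.113.10, remote= 198.51.100.7,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 172.16.10.102/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes 256 esp-md5-hmac  (Tunnel-UDP),
007037: *Apr 23 16:10:57.087 GMT: IPSEC(validate_transform_proposal): invalid local address 203.0.113.10
007038: *Apr 23 16:10:57.087 GMT: ISAKMP:(0:6:SW:1): IPSec policy invalidated proposal
"""


@dataclass
class Interface:
    name: str
    primary: Optional[str] = None
    secondaries: list = field(default_factory=list)
    crypto_map: Optional[str] = None


IFACE_RE = re.compile(r"^interface (\S+)\s*$")
ADDR_RE = re.compile(r"^ ip address (\d+\.\d+\.\d+\.\d+) (\S+)( secondary)?\s*$")
CMAP_RE = re.compile(r"^ crypto map (\S+)\s*$")
LOCAL_RE = re.compile(r"local= (\d+\.\d+\.\d+\.\d+)\s*, remote= (\d+\.\d+\.\d+\.\d+)")
INVALID_RE = re.compile(r"invalid local address (\d+\.\d+\.\d+\.\d+)")


def parse_interfaces(config: str) -> dict:
    """Collect primary/secondary addresses and the applied crypto map per interface."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = Interface(m.group(1))
            ifaces[cur.name] = cur
            continue
        if not line.startswith(" "):  # '!' or any top-level command ends the section
            cur = None
            continue
        if cur is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            if m.group(3):
                cur.secondaries.append(m.group(1))
            else:
                cur.primary = m.group(1)
            continue
        m = CMAP_RE.match(line)
        if m:
            cur.crypto_map = m.group(1)
    return ifaces


def parse_debug(debug: str):
    """Return ([(local, remote), ...] seen in proposals, [rejected local addresses])."""
    endpoints, rejected = [], []
    for line in debug.splitlines():
        m = LOCAL_RE.search(line)
        if m:
            endpoints.append((m.group(1), m.group(2)))
        m = INVALID_RE.search(line)
        if m:
            rejected.append(m.group(1))
    return endpoints, rejected


def locate(addr: str, ifaces: dict):
    """Find which interface owns addr and whether it is primary or secondary there."""
    for iface in ifaces.values():
        if addr == iface.primary:
            return iface.name, "primary", iface.crypto_map
        if addr in iface.secondaries:
            return iface.name, "secondary", iface.crypto_map
    return None, "unknown", None


def diagnose(config: str, debug: str) -> list:
    """One (address, interface, role, crypto_map) tuple per rejected local address."""
    ifaces = parse_interfaces(config)
    _, rejected = parse_debug(debug)
    return [(addr,) + locate(addr, ifaces) for addr in rejected]


if __name__ == "__main__":
    for addr, iface, role, cmap in diagnose(SAMPLE_CONFIG, SAMPLE_DEBUG):
        print(f"rejected local address {addr}: {role} address on {iface} (crypto map {cmap})")
```

Run against the constructed sample, the script reports that the rejected address is a secondary address on FastEthernet0/0, the interface holding `crypto map vpn`. If the same result comes back for a real config, the usual remedies (again under the assumption above) are to make the public address the primary address of the crypto-map interface, or to place it on a loopback and point the map at it with `crypto map vpn local-address Loopback0`, then re-check the `local=` field in `debug crypto ipsec`.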