[c-nsp] VPN-tunnel between two Cisco routers stuck in MM_KEY_EXCH

Ziv Leyes zivl at gilat.net
Wed Jun 23 07:33:10 EDT 2010


The problem doesn't seem to be related to the preshared key, but more to the settings. Are you totally sure that the other side has an identical configuration?
Could you post the relevant sections of both sides' running-config?


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Daniel Dib
Sent: Wednesday, June 23, 2010 11:43 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] VPN-tunnel between two Cisco routers stuck in MM_KEY_EXCH

Hi,

I am having some trouble setting up a VPN-tunnel between two Cisco routers. One end is my router and the other end is controlled by another company.
We seem to get stuck in the key exchange in ISAKMP phase 1. This is strange since the tunnel has been up before but won't come up again. Neither of us has changed the config.

Config on my side:

crypto isakmp policy 45
encr 3des
authentication pre-share
group 2
lifetime 14400

crypto isakmp key removed address x.x.x.x

crypto map SDM_CMAP_1 24 ipsec-isakmp
set peer x.x.x.x
set transform-set ESP-3DES-SHA
match address 122

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

Other side:

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 14400

crypto isakmp key removed address y.y.y.y

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA

crypto map SDM_CMAP_1 3 ipsec-isakmp
set peer y.y.y.y
set transform-set ESP-3DES-SHA

sh crypto isakmp sa shows the following:

x.x.x.x  y.y.y.y  MM_KEY_EXCH        636    0

It seems we get stuck in the key exchange although we have verified that we have the same key.
I have run a debug crypto isakmp; the full debug is available at
http://pastebin.com/uUhBjKK6

Here are some relevant messages from debug:

2010-06-23 08:38:31     Local7.Debug            413731: *Jun 23 07:40:57.897: ISAKMP: Created a peer struct for x.x.x.x, peer port 500
2010-06-23 08:38:31     Local7.Debug            413752: *Jun 23 07:40:57.925: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
2010-06-23 08:38:31     Local7.Debug            413775: *Jun 23 07:40:57.925: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
2010-06-23 08:38:31     Local7.Debug            413829: *Jun 23 07:40:58.029: ISAKMP: set new node -560194497 to QM_IDLE

Looks good so far, tunnel is in QM_IDLE but after this the problem starts:

2010-06-23 08:38:31     Local7.Debug            413834: <009>unauthenticated (missing hash payload).
2010-06-23 08:38:31     Local7.Debug            413835: *Jun 23 07:40:58.029: ISAKMP:(0:628:HW:2):Rejecting unauthenticated RESPONDER_LIFETIME.
2010-06-23 08:38:31     Local7.Debug            413836: *Jun 23 07:40:58.029: ISAKMP:(0:628:HW:2):deleting node -560194497 error FALSE reason "Informational (in) state 1"
2010-06-23 08:38:31     Local7.Debug            413848: *Jun 23 07:40:58.029: ISAKMP:(0:628:HW:2):: peer matches *none* of the profiles
2010-06-23 08:38:31     Local7.Debug            413853: *Jun 23 07:40:58.033: ISAKMP:(0:628:HW:2): unable to compute hash!
2010-06-23 08:38:31     Local7.Debug            413854: *Jun 23 07:40:58.033: ISAKMP:(0:628:HW:2): Unable to compute other party's hash!
2010-06-23 08:38:31     Local7.Debug            413858: *Jun 23 07:40:58.033: ISAKMP: reserved not zero on ID payload!
2010-06-23 08:38:31     Local7.Warning          413859: *Jun 23 07:40:58.033: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from x.x.x.x  failed its sanity check or is malformed
2010-06-23 08:38:32     Local7.Debug            413865: *Jun 23 07:40:59.057: ISAKMP:(0:628:HW:2): phase 1 packet is a duplicate of a previous packet.
2010-06-23 08:38:32     Local7.Debug            413866: *Jun 23 07:40:59.057: ISAKMP:(0:628:HW:2): retransmitting due to retransmit phase 1
2010-06-23 08:38:32     Local7.Debug            413867: *Jun 23 07:40:59.057: ISAKMP:(0:628:HW:2): retransmitting phase 1 MM_KEY_EXCH...
2010-06-23 08:38:32     Local7.Debug            413868: *Jun 23 07:40:59.441: ISAKMP:(0:621:HW:2):purging node 188143359
2010-06-23 08:38:32     Local7.Debug            413869: *Jun 23 07:40:59.557: ISAKMP:(0:628:HW:2): retransmitting phase 1 MM_KEY_EXCH...
2010-06-23 08:38:32     Local7.Debug            413870: *Jun 23 07:40:59.557: ISAKMP:(0:628:HW:2):incrementing error counter on sa: retransmit phase 1
2010-06-23 08:38:33     Local7.Debug            413871: *Jun 23 07:40:59.557: ISAKMP:(0:628:HW:2): retransmitting phase 1 MM_KEY_EXCH
2010-06-23 08:38:33     Local7.Debug            413872: *Jun 23 07:40:59.557: ISAKMP:(0:628:HW:2): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_KEY_EXCH
2010-06-23 08:38:33     Local7.Debug            413873: *Jun 23 07:41:00.077: ISAKMP (0:268436084): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH
2010-06-23 08:38:33     Local7.Debug            413874: *Jun 23 07:41:00.077: ISAKMP:(0:628:HW:2): phase 1 packet is a duplicate of a previous packet.
2010-06-23 08:38:33     Local7.Debug            413875: *Jun 23 07:41:00.077: ISAKMP:(0:628:HW:2): retransmission skipped for phase 1 (time since last transmission 520)
2010-06-23 08:38:36     Local7.Debug            413876: *Jun 23 07:41:03.185: ISAKMP:(0:623:HW:2):purging node -764606901

What could be wrong? We have the same key; I have tried re-entering the key at my side with no difference. I am waiting for the other side to do the same thing. What else could be wrong? Our config is the same.

/Daniel

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

 
 
************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************
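As an added example (not from the thread, and not a Cisco tool), here is a small Python triage script for the kind of "debug crypto isakmp" output quoted above. It parses the relayed syslog lines, tracks the last phase 1 state seen on the wire, counts retransmissions per state, and maps the well-known marker messages to the configuration items to verify on both peers. The marker table is a heuristic built from the meanings Cisco documents for these messages (IKMP_BAD_MESSAGE and "reserved not zero on ID payload" while the SA is in MM_KEY_EXCH are the classic signs that the encrypted main mode 5/6 packets could not be decrypted, i.e. a pre-shared key or identity mismatch); the sample lines are constructed from the ones quoted in the post, with the e-mail line wrapping undone. The regexes, the TriageReport structure and the check texts are this example's own assumptions.

```python
"""Triage helper for Cisco IOS 'debug crypto isakmp' output (IKEv1 main mode).

Added example, not part of the original thread or of any Cisco tool. The
marker-to-check table is a heuristic built from the documented meaning of
these messages; sample lines are constructed from the ones quoted in the post.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple

# "2010-06-23 08:38:31  Local7.Debug  413835: *Jun 23 07:40:58.029: <message>"
PREFIX_RE = re.compile(
    r"^(?P<relay>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<facility>\S+)\s+"
    r"(?P<seq>\d+):\s+\*(?P<ios>[A-Za-z]{3} +\d+ \d{2}:\d{2}:\d{2}\.\d+):\s+(?P<msg>.*)$"
)
SA_TAG_RE = re.compile(r"ISAKMP:?\s*\(([^)]+)\)")            # e.g. "(0:628:HW:2)"
WIRE_STATE_RE = re.compile(r"\((?P<role>[IR])\)\s+(?P<state>(?:MM|AG|QM)_[A-Z_]+)")
RETRANSMIT_RE = re.compile(r"retransmitting phase 1 (?P<state>(?:MM|AG)_[A-Z_]+)")

# (pattern, severity, what to verify on both peers) -- heuristic, see lead-in.
MARKERS = [
    (re.compile(r"IKMP_BAD_MESSAGE|failed its sanity check"), "high",
     "main mode 5/6 packet did not decrypt to a valid payload: compare the "
     "'crypto isakmp key' for this peer address on both sides (exact string, "
     "no trailing whitespace) and the identity type (address vs hostname)"),
    (re.compile(r"reserved not zero on ID payload"), "high",
     "decrypted ID payload is garbage: same pre-shared key / identity check"),
    (re.compile(r"[Uu]nable to compute (?:other party's )?hash"), "high",
     "HASH_I/HASH_R could not be validated: keying material derived from the "
     "pre-shared key differs between the peers"),
    (re.compile(r"peer matches \*none\* of the profiles"), "medium",
     "no 'crypto isakmp profile' matched the peer identity: if profiles are "
     "configured, check their 'match identity' statements"),
    (re.compile(r"Rejecting unauthenticated RESPONDER_LIFETIME"), "info",
     "lifetime notify arrived before the SA was authenticated; a symptom of "
     "the stalled exchange, not its cause"),
    (re.compile(r"atts are acceptable"), "info",
     "phase 1 proposal matched a local 'crypto isakmp policy'"),
]


@dataclass
class TriageReport:
    sa_tags: Set[str] = field(default_factory=set)
    last_state: Optional[str] = None
    last_role: Optional[str] = None
    retransmits: Counter = field(default_factory=Counter)      # state -> count
    findings: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # check -> (sev, hits)
    unparsed: int = 0

    def stuck_in(self) -> Optional[str]:
        """State the SA stalled in, judged by where retransmissions happened."""
        return self.retransmits.most_common(1)[0][0] if self.retransmits else None


def parse_line(line: str) -> dict:
    """Split a relayed debug line into fields; unparsable lines keep the raw text as msg."""
    m = PREFIX_RE.match(line.rstrip())
    if m:
        return m.groupdict()
    return {"relay": None, "facility": None, "seq": None, "ios": None, "msg": line.strip()}


def triage(lines: Iterable[str]) -> TriageReport:
    """Scan debug lines once and collect state, retransmits and marker findings."""
    report = TriageReport()
    for raw in lines:
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["seq"] is None:
            report.unparsed += 1               # continuation line or relay artefact
        msg = rec["msg"]
        tag = SA_TAG_RE.search(msg)
        if tag:
            report.sa_tags.add(tag.group(1))
        wire = WIRE_STATE_RE.search(msg)       # only packet send/receive lines carry "(I) STATE"
        if wire:
            report.last_role, report.last_state = wire.group("role"), wire.group("state")
        rt = RETRANSMIT_RE.search(msg)
        if rt:
            report.retransmits[rt.group("state")] += 1
        for pattern, severity, check in MARKERS:
            if pattern.search(msg):
                sev, n = report.findings.get(check, (severity, 0))
                report.findings[check] = (sev, n + 1)
    return report


def summarize(report: TriageReport) -> str:
    """Human-readable triage: where the SA stalled and what to verify, highest severity first."""
    order = {"high": 0, "medium": 1, "info": 2}
    out = [f"ISAKMP SAs seen: {', '.join(sorted(report.sa_tags)) or 'none'}",
           f"last phase 1 state on the wire: {report.last_state or 'none'} "
           f"(role {report.last_role or '?'}); stalled in: {report.stuck_in() or 'none'}"]
    out += [f"{n} retransmission(s) in {state}" for state, n in report.retransmits.items()]
    for check, (sev, n) in sorted(report.findings.items(), key=lambda kv: order[kv[1][0]]):
        out.append(f"[{sev}] x{n}: {check}")
    if report.unparsed:
        out.append(f"{report.unparsed} line(s) without an IOS timestamp scanned as raw text")
    return "\n".join(out)


# Constructed sample, taken from the lines quoted in the thread (wrapping undone).
SAMPLE_LINES = [
    "2010-06-23 08:38:31 Local7.Debug 413731: *Jun 23 07:40:57.897: ISAKMP: Created a peer struct for x.x.x.x, peer port 500",
    "2010-06-23 08:38:31 Local7.Debug 413775: *Jun 23 07:40:57.925: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0",
    "2010-06-23 08:38:31 Local7.Debug 413829: *Jun 23 07:40:58.029: ISAKMP: set new node -560194497 to QM_IDLE",
    "2010-06-23 08:38:31 Local7.Debug 413834: <009>unauthenticated (missing hash payload).",
    "2010-06-23 08:38:31 Local7.Debug 413835: *Jun 23 07:40:58.029: ISAKMP:(0:628:HW:2):Rejecting unauthenticated RESPONDER_LIFETIME.",
    "2010-06-23 08:38:31 Local7.Debug 413848: *Jun 23 07:40:58.029: ISAKMP:(0:628:HW:2):: peer matches *none* of the profiles",
    "2010-06-23 08:38:31 Local7.Debug 413854: *Jun 23 07:40:58.033: ISAKMP:(0:628:HW:2): Unable to compute other party's hash!",
    "2010-06-23 08:38:31 Local7.Debug 413858: *Jun 23 07:40:58.033: ISAKMP: reserved not zero on ID payload!",
    "2010-06-23 08:38:31 Local7.Warning 413859: *Jun 23 07:40:58.033: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from x.x.x.x  failed its sanity check or is malformed",
    "2010-06-23 08:38:32 Local7.Debug 413867: *Jun 23 07:40:59.057: ISAKMP:(0:628:HW:2): retransmitting phase 1 MM_KEY_EXCH...",
    "2010-06-23 08:38:32 Local7.Debug 413869: *Jun 23 07:40:59.557: ISAKMP:(0:628:HW:2): retransmitting phase 1 MM_KEY_EXCH...",
    "2010-06-23 08:38:33 Local7.Debug 413872: *Jun 23 07:40:59.557: ISAKMP:(0:628:HW:2): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_KEY_EXCH",
    "2010-06-23 08:38:33 Local7.Debug 413873: *Jun 23 07:41:00.077: ISAKMP (0:268436084): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH",
]

if __name__ == "__main__":
    print(summarize(triage(SAMPLE_LINES)))
```

Feed it the full pastebin output with triage(open(path)) instead of SAMPLE_LINES. The design point is that only the "(I) STATE" stamp on sending/received packet lines is treated as the SA state, so "set new node ... to QM_IDLE" (the state of an informational node, not of the phase 1 SA) does not get mistaken for a completed phase 1.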