[c-nsp] VPN-tunnel between two Cisco routers stuck in MM_KEY_EXCH
Ziv Leyes
zivl at gilat.net
Wed Jun 23 07:33:10 EDT 2010
The problem doesn't seem to be related to the preshared key, but more to the settings. Are you totally sure that the other side has an identical configuration?
Could you post the relevant sections of both sides' running-config?
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Daniel Dib
Sent: Wednesday, June 23, 2010 11:43 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] VPN-tunnel between two Cisco routers stuck in MM_KEY_EXCH
Hi,
I am having some trouble setting up a VPN-tunnel between two Cisco routers. One end is my router and the other end is controlled by another company.

We seem to get stuck in the key exchange in ISAKMP phase 1. This is strange since the tunnel has been up before but won't come up again. Neither of us has changed the config.
Config on my side:

crypto isakmp policy 45
 encr 3des
 authentication pre-share
 group 2
 lifetime 14400
crypto isakmp key removed address x.x.x.x
crypto map SDM_CMAP_1 24 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP-3DES-SHA
 match address 122
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

Other side:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 14400
crypto isakmp key removed address y.y.y.y
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
crypto map SDM_CMAP_1 3 ipsec-isakmp
 set peer y.y.y.y
 set transform-set ESP-3DES-SHA
sh crypto isakmp sa shows the following:

x.x.x.x y.y.y.y MM_KEY_EXCH 636 0

It seems we get stuck in the key exchange although we have verified we have the same key.
I have run a debug crypto isakmp; the full debug is available at
http://pastebin.com/uUhBjKK6
Here are some relevant messages from the debug:

2010-06-23 08:38:31 Local7.Debug 413731: *Jun 23 07:40:57.897: ISAKMP: Created a peer struct for x.x.x.x, peer port 500
2010-06-23 08:38:31 Local7.Debug 413752: *Jun 23 07:40:57.925: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
2010-06-23 08:38:31 Local7.Debug 413775: *Jun 23 07:40:57.925: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
2010-06-23 08:38:31 Local7.Debug 413829: *Jun 23 07:40:58.029: ISAKMP: set new node -560194497 to QM_IDLE
Looks good so far, the tunnel is in QM_IDLE, but after this the problem starts:
2010-06-23 08:38:31 Local7.Debug 413834: unauthenticated (missing hash payload).
2010-06-23 08:38:31 Local7.Debug 413835: *Jun 23 07:40:58.029: ISAKMP:(0:628:HW:2):Rejecting unauthenticated RESPONDER_LIFETIME.
2010-06-23 08:38:31 Local7.Debug 413836: *Jun 23 07:40:58.029: ISAKMP:(0:628:HW:2):deleting node -560194497 error FALSE reason "Informational (in) state 1"
2010-06-23 08:38:31 Local7.Debug 413848: *Jun 23 07:40:58.029: ISAKMP:(0:628:HW:2):: peer matches *none* of the profiles
2010-06-23 08:38:31 Local7.Debug 413853: *Jun 23 07:40:58.033: ISAKMP:(0:628:HW:2): unable to compute hash!
2010-06-23 08:38:31 Local7.Debug 413854: *Jun 23 07:40:58.033: ISAKMP:(0:628:HW:2): Unable to compute other party's hash!
2010-06-23 08:38:31 Local7.Debug 413858: *Jun 23 07:40:58.033: ISAKMP: reserved not zero on ID payload!
2010-06-23 08:38:31 Local7.Warning 413859: *Jun 23 07:40:58.033: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from x.x.x.x failed its sanity check or is malformed
2010-06-23 08:38:32 Local7.Debug 413865: *Jun 23 07:40:59.057: ISAKMP:(0:628:HW:2): phase 1 packet is a duplicate of a previous packet.
2010-06-23 08:38:32 Local7.Debug 413866: *Jun 23 07:40:59.057: ISAKMP:(0:628:HW:2): retransmitting due to retransmit phase 1
2010-06-23 08:38:32 Local7.Debug 413867: *Jun 23 07:40:59.057: ISAKMP:(0:628:HW:2): retransmitting phase 1 MM_KEY_EXCH...
2010-06-23 08:38:32 Local7.Debug 413868: *Jun 23 07:40:59.441: ISAKMP:(0:621:HW:2):purging node 188143359
2010-06-23 08:38:32 Local7.Debug 413869: *Jun 23 07:40:59.557: ISAKMP:(0:628:HW:2): retransmitting phase 1 MM_KEY_EXCH...
2010-06-23 08:38:32 Local7.Debug 413870: *Jun 23 07:40:59.557: ISAKMP:(0:628:HW:2):incrementing error counter on sa: retransmit phase 1
2010-06-23 08:38:33 Local7.Debug 413871: *Jun 23 07:40:59.557: ISAKMP:(0:628:HW:2): retransmitting phase 1 MM_KEY_EXCH
2010-06-23 08:38:33 Local7.Debug 413872: *Jun 23 07:40:59.557: ISAKMP:(0:628:HW:2): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_KEY_EXCH
2010-06-23 08:38:33 Local7.Debug 413873: *Jun 23 07:41:00.077: ISAKMP (0:268436084): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH
2010-06-23 08:38:33 Local7.Debug 413874: *Jun 23 07:41:00.077: ISAKMP:(0:628:HW:2): phase 1 packet is a duplicate of a previous packet.
2010-06-23 08:38:33 Local7.Debug 413875: *Jun 23 07:41:00.077: ISAKMP:(0:628:HW:2): retransmission skipped for phase 1 (time since last transmission 520)
2010-06-23 08:38:36 Local7.Debug 413876: *Jun 23 07:41:03.185: ISAKMP:(0:623:HW:2):purging node -764606901
What could be wrong? We have the same key; I have tried re-entering the key on my side with no difference. I am waiting for the other side to do the same thing. What else could be wrong? Our config is the same.
/Daniel
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************
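Ziv's question is whether the two sides really have identical phase-1 settings. An added example (not from the thread and not Cisco code) that checks this the way a responder would: it parses the `crypto isakmp policy` blocks from two IOS configs, fills in the IOS defaults for attributes the config omits (`hash sha`, `encr des`, `group 1`, `authentication rsa-sig`, `lifetime 86400`), and reports which local/remote policies would match. It also scans `debug crypto isakmp` lines for the indicators seen in the thread. The configs below are constructed from the values posted above; `REMOTE_DRIFTED` with `hash md5` is a hypothetical drift used to show what a mismatch looks like.

```python
"""Compare IKEv1 phase-1 policies from two IOS configs and scan ISAKMP debug output.
Added example, not from the thread. Configs and log lines below are constructed."""
import re
from typing import Dict, List, Tuple

# IOS defaults applied when the attribute is absent from the running-config.
ISAKMP_DEFAULTS = {
    "encr": "des",
    "hash": "sha",
    "authentication": "rsa-sig",
    "group": "1",
    "lifetime": "86400",
}
# Attributes that must be equal for a proposal to be accepted. Lifetime is
# negotiated (the shorter value wins), so it is reported but does not block.
PHASE1_MATCH_KEYS = ("encr", "hash", "authentication", "group")


def parse_isakmp_policies(config: str) -> Dict[str, Dict[str, str]]:
    """Return {policy_number: {attribute: value}} with defaults filled in."""
    policies: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"crypto isakmp policy (\d+)$", line)
        if header:
            current = dict(ISAKMP_DEFAULTS)
            policies[header.group(1)] = current
            continue
        # Any other top-level statement or '!' ends the policy block.
        if not line or line.startswith("!") or line.startswith("crypto "):
            current = None
            continue
        if current is not None:
            key, _, value = line.partition(" ")
            key = "encr" if key == "encryption" else key  # accept the long form too
            if key in ISAKMP_DEFAULTS:
                current[key] = value.strip()
    return policies


def matching_policies(local: Dict[str, Dict[str, str]],
                      remote: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """(local, remote) policy numbers whose proposals match. Policy numbers
    only set local preference, so 45 on one side can match 1 on the other."""
    return [(ln, rn) for ln, lp in local.items() for rn, rp in remote.items()
            if all(lp[k] == rp[k] for k in PHASE1_MATCH_KEYS)]


def policy_diff(lp: Dict[str, str], rp: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Attributes that differ between two policies, as {attr: (local, remote)}."""
    return {k: (lp[k], rp[k]) for k in ISAKMP_DEFAULTS if lp[k] != rp[k]}


# Constructed from the values posted in the thread.
LOCAL_CONFIG = """
crypto isakmp policy 45
 encr 3des
 authentication pre-share
 group 2
 lifetime 14400
crypto isakmp key REMOVED address x.x.x.x
"""
REMOTE_AS_POSTED = """
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 14400
crypto isakmp key REMOVED address y.y.y.y
"""
# Hypothetical drift on the remote side: someone added 'hash md5'.
REMOTE_DRIFTED = REMOTE_AS_POSTED.replace(" encr 3des", " encr 3des\n hash md5")

# Phase-1 debug indicators from the thread and what each usually points to.
DEBUG_INDICATORS = {
    "Unable to compute other party's hash": "pre-shared key or peer identity mismatch",
    "peer matches *none* of the profiles": "no isakmp profile matched the peer identity",
    "IKMP_BAD_MESSAGE": "packet failed sanity check (often decrypted with the wrong key)",
    "retransmitting phase 1 MM_KEY_EXCH": "stuck in MM_KEY_EXCH; peer never completes authentication",
}


def scan_debug(lines: List[str]) -> Dict[str, str]:
    """Return each indicator seen in the debug lines with its explanation."""
    found: Dict[str, str] = {}
    for line in lines:
        for needle, meaning in DEBUG_INDICATORS.items():
            if needle in line and needle not in found:
                found[needle] = meaning
    return found


# Constructed sample, shortened from the debug messages quoted in the thread.
SAMPLE_DEBUG = [
    "*Jun 23 07:40:58.029: ISAKMP:(0:628:HW:2):: peer matches *none* of the profiles",
    "*Jun 23 07:40:58.033: ISAKMP:(0:628:HW:2): Unable to compute other party's hash!",
    "*Jun 23 07:40:58.033: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from x.x.x.x failed its sanity check or is malformed",
    "*Jun 23 07:40:59.057: ISAKMP:(0:628:HW:2): retransmitting phase 1 MM_KEY_EXCH...",
]

if __name__ == "__main__":
    local = parse_isakmp_policies(LOCAL_CONFIG)
    for name, cfg in (("as posted", REMOTE_AS_POSTED), ("drifted", REMOTE_DRIFTED)):
        remote = parse_isakmp_policies(cfg)
        print(name, "matches:", matching_policies(local, remote),
              "diff:", policy_diff(local["45"], remote["1"]))
    for needle, meaning in scan_debug(SAMPLE_DEBUG).items():
        print(f"{needle!r}: {meaning}")
```

Run against the posted configs the script reports the single match `('45', '1')`, confirming that the differing policy numbers are not the problem; with the drifted config it reports no match and `{'hash': ('sha', 'md5')}`. Feeding it the real running-configs from both routers (rather than a trimmed copy) is the point, since an attribute such as `hash` that one side never typed still takes its default and can silently differ.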