[c-nsp] Cisco IPsec with Nat ?
Phibee Network Operation Center
noc at phibee.net
Thu Mar 25 13:14:25 EDT 2010
Hi,
I'm looking for a bit of help; we have this:
Lan => Cisco 1721 => ISP Router NAT => Internet => Cisco 2821
- The Cisco 2821 has an Internet address aa.bb.cc.dd
- The Cisco 1721 is on a LAN at 192.168.1.200 and the ISP router is 192.168.1.254
- The ISP router has a static IP and we have a NAT/PAT for UDP/TCP port 500
My tunnels are up but crypto is down. Does anyone know if it's possible to
connect two Ciscos site-to-site with a NAT on one site?
On my Cisco 2821 I have these logs:
(78.xx.xx.xx is the WAN IP of the C2821)
(95.xx.xx.xx is the WAN IP of the ISP router)
Mar 25 17:09:28.307: ISAKMP:(0): SA request profile is HLGXXX
Mar 25 17:09:28.307: ISAKMP: Created a peer struct for 95.XX.XX.XX, peer
port 500
Mar 25 17:09:28.307: ISAKMP: New peer created peer = 0x497AFC38
peer_handle = 0x8000025B
Mar 25 17:09:28.307: ISAKMP: Locking peer struct 0x497AFC38, refcount 1
for isakmp_initiator
Mar 25 17:09:28.307: ISAKMP: local port 500, remote port 500
Mar 25 17:09:28.307: ISAKMP: set new node 0 to QM_IDLE
Mar 25 17:09:28.307: ISAKMP: Find a dup sa in the avl tree during
calling isadb_insert sa = 48439754
Mar 25 17:09:28.307: ISAKMP:(0):Can not start Aggressive mode, trying
Main mode.
Mar 25 17:09:28.307: ISAKMP:(0):Found ADDRESS key in keyring default
Mar 25 17:09:28.307: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Mar 25 17:09:28.307: ISAKMP:(0): constructed NAT-T vendor-07 ID
Mar 25 17:09:28.307: ISAKMP:(0): constructed NAT-T vendor-03 ID
Mar 25 17:09:28.307: ISAKMP:(0): constructed NAT-T vendor-02 ID
Mar 25 17:09:28.307: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 25 17:09:28.307: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Mar 25 17:09:28.307: ISAKMP:(0): beginning Main Mode exchange
Mar 25 17:09:28.307: ISAKMP:(0): sending packet to 95.XX.xx.xx my_port
500 peer_port 500 (I) MM_NO_STATE
Mar 25 17:09:28.307: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 25 17:09:30.299: %LINK-3-UPDOWN: Interface Tunnel8, changed state to up
Mar 25 17:09:30.303: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Tunnel8, changed state to up
Mar 25 17:09:30.547: ISAKMP:(0):purging node 1571326894
Mar 25 17:09:30.547: ISAKMP:(0):purging node 1053064614
Mar 25 17:09:38.306: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 25 17:09:38.306: ISAKMP (0): incrementing error counter on sa,
attempt 1 of 5: retransmit phase 1
Mar 25 17:09:38.306: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 25 17:09:38.306: ISAKMP:(0): sending packet to 95.xx.xx.xx my_port
500 peer_port 500 (I) MM_NO_STATE
Mar 25 17:09:38.306: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 25 17:09:40.546: ISAKMP:(0):purging SA., sa=484DA7F0, delme=484DA7F0
Mar 25 17:09:46.430: ISAKMP (0): received packet from 95.xx.xx.xx dport
500 sport 10054 Global (N) NEW SA
Mar 25 17:09:46.430: ISAKMP: Created a peer struct for 95.xx.xx.xx, peer
port 10054
Mar 25 17:09:46.430: ISAKMP: New peer created peer = 0x48460318
peer_handle = 0x800001BF
Mar 25 17:09:46.430: ISAKMP: Locking peer struct 0x48460318, refcount 1
for crypto_isakmp_process_block
Mar 25 17:09:46.430: ISAKMP: local port 500, remote port 10054
Mar 25 17:09:46.430: ISAKMP:(0):insert sa successfully sa = 484BE044
Mar 25 17:09:46.434: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 25 17:09:46.434: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Mar 25 17:09:46.434: ISAKMP:(0): processing SA payload. message ID = 0
Mar 25 17:09:46.434: ISAKMP:(0): processing vendor id payload
Mar 25 17:09:46.434: ISAKMP:(0): vendor ID seems Unity/DPD but major 245
mismatch
Mar 25 17:09:46.434: ISAKMP (0): vendor ID is NAT-T v7
Mar 25 17:09:46.434: ISAKMP:(0): processing vendor id payload
Mar 25 17:09:46.434: ISAKMP:(0): vendor ID seems Unity/DPD but major 157
mismatch
Mar 25 17:09:46.434: ISAKMP:(0): vendor ID is NAT-T v3
Mar 25 17:09:46.434: ISAKMP:(0): processing vendor id payload
Mar 25 17:09:46.434: ISAKMP:(0): vendor ID seems Unity/DPD but major 123
mismatch
Mar 25 17:09:46.434: ISAKMP:(0): vendor ID is NAT-T v2
Mar 25 17:09:46.434: ISAKMP:(0):found peer pre-shared key matching
95.xx.xx.xx
Mar 25 17:09:46.434: ISAKMP:(0): local preshared key found
Mar 25 17:09:46.434: ISAKMP : Scanning profiles for xauth ... vpn vpn1
Mar 25 17:09:46.434: ISAKMP:(0): Authentication by xauth preshared
Mar 25 17:09:46.434: ISAKMP:(0):Checking ISAKMP transform 1 against
priority 1 policy
Mar 25 17:09:46.434: ISAKMP: encryption 3DES-CBC
Mar 25 17:09:46.434: ISAKMP: hash SHA
Mar 25 17:09:46.434: ISAKMP: default group 2
Mar 25 17:09:46.434: ISAKMP: auth pre-share
Mar 25 17:09:46.434: ISAKMP: life type in seconds
Mar 25 17:09:46.434: ISAKMP: life duration (basic) of 3600
Mar 25 17:09:46.434: ISAKMP:(0):atts are acceptable. Next payload is 0
Mar 25 17:09:46.434: ISAKMP:(0):Acceptable atts:actual life: 0
Mar 25 17:09:46.434: ISAKMP:(0):Acceptable atts:life: 0
Mar 25 17:09:46.434: ISAKMP:(0):Basic life_in_seconds:3600
Mar 25 17:09:46.434: ISAKMP:(0):Returning Actual lifetime: 3600
Mar 25 17:09:46.434: ISAKMP:(0)::Started lifetime timer: 3600.
Mar 25 17:09:46.434: ISAKMP:(0): processing vendor id payload
Mar 25 17:09:46.434: ISAKMP:(0): vendor ID seems Unity/DPD but major 245
mismatch
Mar 25 17:09:46.434: ISAKMP (0): vendor ID is NAT-T v7
Mar 25 17:09:46.434: ISAKMP:(0): processing vendor id payload
Mar 25 17:09:46.434: ISAKMP:(0): vendor ID seems Unity/DPD but major 157
mismatch
Mar 25 17:09:46.434: ISAKMP:(0): vendor ID is NAT-T v3
Mar 25 17:09:46.434: ISAKMP:(0): processing vendor id payload
Mar 25 17:09:46.434: ISAKMP:(0): vendor ID seems Unity/DPD but major 123
mismatch
Mar 25 17:09:46.434: ISAKMP:(0): vendor ID is NAT-T v2
Mar 25 17:09:46.434: ISAKMP:(0):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
Mar 25 17:09:46.434: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Mar 25 17:09:46.434: ISAKMP:(0): constructed NAT-T vendor-07 ID
Mar 25 17:09:46.434: ISAKMP:(0): sending packet to 95.xx.xx.xx my_port
500 peer_port 10054 (R) MM_SA_SETUP
Mar 25 17:09:46.434: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 25 17:09:46.438: ISAKMP:(0):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE
Mar 25 17:09:46.438: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
Mar 25 17:09:46.713: ISAKMP (0): received packet from 95.xx.xx.xx dport
500 sport 10054 Global (R) MM_SA_SETUP
Mar 25 17:09:46.713: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 25 17:09:46.713: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
Mar 25 17:09:46.713: ISAKMP:(0): processing KE payload. message ID = 0
Mar 25 17:09:46.717: ISAKMP:(0): processing NONCE payload. message ID = 0
Mar 25 17:09:46.717: ISAKMP:(0):found peer pre-shared key matching
95.xx.xx.xx
Mar 25 17:09:46.721: ISAKMP:(4977): processing vendor id payload
Mar 25 17:09:46.721: ISAKMP:(4977): vendor ID is Unity
Mar 25 17:09:46.721: ISAKMP:(4977): processing vendor id payload
Mar 25 17:09:46.721: ISAKMP:(4977): vendor ID is DPD
Mar 25 17:09:46.721: ISAKMP:(4977): processing vendor id payload
Mar 25 17:09:46.721: ISAKMP:(4977): speaking to another IOS box!
Mar 25 17:09:46.721: ISAKMP (4977): His hash no match - this node
outside NAT
Mar 25 17:09:46.721: ISAKMP (4977): His hash no match - this node
outside NAT
Mar 25 17:09:46.721: ISAKMP:(4977):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
Mar 25 17:09:46.721: ISAKMP:(4977):Old State = IKE_R_MM3 New State =
IKE_R_MM3
Mar 25 17:09:46.721: ISAKMP:(4977): sending packet to 95.xx.xx.xx
my_port 500 peer_port 10054 (R) MM_KEY_EXCH
Mar 25 17:09:46.721: ISAKMP:(4977):Sending an IKE IPv4 Packet.
Mar 25 17:09:46.721: ISAKMP:(4977):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE
Mar 25 17:09:46.725: ISAKMP:(4977):Old State = IKE_R_MM3 New State =
IKE_R_MM4
Mar 25 17:09:47.057: ISAKMP (4977): received packet from 95.xx.xx.xx
dport 4500 sport 10055 Global (R) MM_KEY_EXCH
Mar 25 17:09:47.057: ISAKMP:(4977):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 25 17:09:47.057: ISAKMP:(4977):Old State = IKE_R_MM4 New State =
IKE_R_MM5
Mar 25 17:09:47.057: ISAKMP:(4977): processing ID payload. message ID = 0
Mar 25 17:09:47.057: ISAKMP (4977): ID payload
next-payload : 8
type : 1
address : 192.168.21.240
protocol : 17
port : 0
length : 12
Mar 25 17:09:47.057: ISAKMP:(0):: peer matches *none* of the profiles
Mar 25 17:09:47.057: ISAKMP:(4977): processing HASH payload. message ID = 0
Mar 25 17:09:47.057: ISAKMP:(4977): processing NOTIFY INITIAL_CONTACT
protocol 1
spi 0, message ID = 0, sa = 484BE044
Mar 25 17:09:47.057: ISAKMP:(4977):SA authentication status:
authenticated
Mar 25 17:09:47.057: ISAKMP:(4977):SA has been authenticated with
95.xx.xx.xx
Mar 25 17:09:47.057: ISAKMP:(4977):Detected port floating to port = 10055
Mar 25 17:09:47.057: ISAKMP: Trying to find existing peer
78.xx.xx.xx/95.xx.xx.xx/10055/ and found existing peer 484BDE80 to
reuse, free 48460318
Mar 25 17:09:47.057: ISAKMP: Unlocking peer struct 0x48460318 Reuse
existing peer, count 0
Mar 25 17:09:47.057: ISAKMP: Deleting peer node by peer_reap for
95.xx.xx.xx: 48460318
Mar 25 17:09:47.057: ISAKMP: Locking peer struct 0x484BDE80, refcount 33
for Reuse existing peer
Mar 25 17:09:47.061: ISAKMP:(4977):SA authentication status:
authenticated
Mar 25 17:09:47.061: ISAKMP:(4977): Process initial contact,
bring down existing phase 1 and 2 SA's with local 78.xx.xx.xx remote
95.xx.xx.xx remote port 10055
Mar 25 17:09:47.061: ISAKMP:(4977):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
Mar 25 17:09:47.061: ISAKMP:(4977):Old State = IKE_R_MM5 New State =
IKE_R_MM5
Mar 25 17:09:47.061: ISAKMP:(4977):SA is doing pre-shared key
authentication using id type ID_IPV4_ADDR
Mar 25 17:09:47.061: ISAKMP (4977): ID payload
next-payload : 8
type : 1
address : 78.xx.xx.xx
protocol : 17
port : 0
length : 12
Mar 25 17:09:47.061: ISAKMP:(4977):Total payload length: 12
Mar 25 17:09:47.061: ISAKMP:(4977): sending packet to 95.xx.xx.xx
my_port 4500 peer_port 10055 (R) MM_KEY_EXCH
Mar 25 17:09:47.061: ISAKMP:(4977):Sending an IKE IPv4 Packet.
Mar 25 17:09:47.061: ISAKMP:(4977):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE
Mar 25 17:09:47.065: ISAKMP:(4977):Old State = IKE_R_MM5 New State =
IKE_P1_COMPLETE
Mar 25 17:09:47.065: ISAKMP:(4977):Input = IKE_MESG_INTERNAL,
IKE_PHASE1_COMPLETE
Mar 25 17:09:47.065: ISAKMP:(4977):Old State = IKE_P1_COMPLETE New
State = IKE_P1_COMPLETE
Mar 25 17:09:47.133: ISAKMP (4977): received packet from 95.xx.xx.xx
dport 4500 sport 10055 Global (R) QM_IDLE
Mar 25 17:09:47.133: ISAKMP: set new node 1745660611 to QM_IDLE
Mar 25 17:09:47.137: ISAKMP:(4977): processing HASH payload. message ID
= 1745660611
Mar 25 17:09:47.137: ISAKMP:(4977): processing SA payload. message ID =
1745660611
Mar 25 17:09:47.137: ISAKMP:(4977):Checking IPSec proposal 1
Mar 25 17:09:47.137: ISAKMP: transform 1, ESP_3DES
Mar 25 17:09:47.137: ISAKMP: attributes in transform:
Mar 25 17:09:47.137: ISAKMP: encaps is 3 (Tunnel-UDP)
Mar 25 17:09:47.137: ISAKMP: SA life type in seconds
Mar 25 17:09:47.137: ISAKMP: SA life duration (basic) of 3600
Mar 25 17:09:47.137: ISAKMP: SA life type in kilobytes
Mar 25 17:09:47.137: ISAKMP: SA life duration (VPI) of 0x0 0x46
0x50 0x0
Mar 25 17:09:47.137: ISAKMP:(4977):atts are acceptable.
Mar 25 17:09:47.137: ISAKMP:(4977): IPSec policy invalidated proposal
with error 32
Mar 25 17:09:47.137: ISAKMP:(4977): phase 2 SA policy not acceptable!
(local 78.xx.xx.xx remote 95.xx.xx.xx)
Mar 25 17:09:47.137: ISAKMP: set new node -581394508 to QM_IDLE
Mar 25 17:09:47.137: ISAKMP:(4977):Sending NOTIFY PROPOSAL_NOT_CHOSEN
protocol 3
spi 1250403208, message ID = -581394508
Mar 25 17:09:47.137: ISAKMP:(4977): sending packet to 95.xx.xx.xx
my_port 4500 peer_port 10055 (R) QM_IDLE
Mar 25 17:09:47.137: ISAKMP:(4977):Sending an IKE IPv4 Packet.
Mar 25 17:09:47.137: ISAKMP:(4977):purging node -581394508
Mar 25 17:09:47.137: ISAKMP:(4977):deleting node 1745660611 error TRUE
reason "QM rejected"
Mar 25 17:09:47.137: ISAKMP:(4977):Node 1745660611, Input =
IKE_MESG_FROM_PEER, IKE_QM_EXCH
Mar 25 17:09:47.137: ISAKMP:(4977):Old State = IKE_QM_READY New State =
IKE_QM_READY
Mar 25 17:09:48.305: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 25 17:09:48.305: ISAKMP (0): incrementing error counter on sa,
attempt 2 of 5: retransmit phase 1
Mar 25 17:09:48.305: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 25 17:09:48.305: ISAKMP:(0): sending packet to 95.xx.xx.xx my_port
500 peer_port 500 (I) MM_NO_STATE
Mar 25 17:09:48.305: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 25 17:09:58.304: ISAKMP: set new node 0 to QM_IDLE
Mar 25 17:09:58.304: ISAKMP:(0):SA is still budding. Attached new ipsec
request to it. (local 78.xx.xx.xx, remote 95.xx.xx.xx)
Mar 25 17:09:58.304: ISAKMP: Error while processing SA request: Failed
to initialize SA
Mar 25 17:09:58.304: ISAKMP: Error while processing KMI message 0, error 2.
Mar 25 17:09:58.304: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 25 17:09:58.304: ISAKMP (0): incrementing error counter on sa,
attempt 3 of 5: retransmit phase 1
Mar 25 17:09:58.304: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 25 17:09:58.304: ISAKMP:(0): sending packet to 95.xx.xx.xx my_port
500 peer_port 500 (I) MM_NO_STATE
Mar 25 17:09:58.304: ISAKMP:(0):Sending an IKE IPv4 Packet.
Thanks for your help
Jerome
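As an added example (not part of Jerome's post and not a Cisco tool), the script below parses an IOS `debug crypto isakmp` trace like the one quoted above and pulls out what a troubleshooter looks for: the phase-1 state transitions, the NAT-T vendor IDs, the "this node outside NAT" detection, the float from UDP/500 to UDP/4500, whether the peer ID matched an ISAKMP profile, and the phase-2 rejection (encapsulation, IPsec policy error, NOTIFY sent). The embedded sample is an excerpt of the log from the post with the same masked addresses; the regexes, the `IsakmpSummary` fields and the wording of the findings are my own assumptions about what is worth reporting, not IOS output.

```python
"""Summarise a Cisco IOS `debug crypto isakmp` trace: phase-1 progress,
NAT-T detection, UDP/500 -> UDP/4500 port floating and phase-2 rejection."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Excerpt of the debug output quoted in the post (addresses masked as there),
# embedded so the script runs offline on realistic input.
SAMPLE_LOG = """\
Mar 25 17:09:46.430: ISAKMP (0): received packet from 95.xx.xx.xx dport 500 sport 10054 Global (N) NEW SA
Mar 25 17:09:46.434: ISAKMP (0): vendor ID is NAT-T v7
Mar 25 17:09:46.434: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Mar 25 17:09:46.721: ISAKMP (4977): His hash no match - this node outside NAT
Mar 25 17:09:47.057: ISAKMP (4977): received packet from 95.xx.xx.xx dport 4500 sport 10055 Global (R) MM_KEY_EXCH
Mar 25 17:09:47.057: ISAKMP:(0):: peer matches *none* of the profiles
Mar 25 17:09:47.057: ISAKMP:(4977):Detected port floating to port = 10055
Mar 25 17:09:47.065: ISAKMP:(4977):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
Mar 25 17:09:47.137: ISAKMP: encaps is 3 (Tunnel-UDP)
Mar 25 17:09:47.137: ISAKMP:(4977): IPSec policy invalidated proposal with error 32
Mar 25 17:09:47.137: ISAKMP:(4977):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

# Patterns written against the message formats visible in the trace above.
STATE_RE = re.compile(r"ISAKMP:\((\d+)\):Old State = (\S+) New State = (\S+)")
RECV_RE = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+)")
VID_RE = re.compile(r"vendor ID is (NAT-T v\d+)")
FLOAT_RE = re.compile(r"Detected port floating to port = (\d+)")
ENCAPS_RE = re.compile(r"encaps is \d+ \(([^)]+)\)")
INVALID_RE = re.compile(r"IPSec policy invalidated proposal with error (\d+)")
NOTIFY_RE = re.compile(r"Sending NOTIFY (\S+)")
OUTSIDE_NAT = "this node outside NAT"   # peer's NAT-D hash mismatch: peer is behind NAT
NO_PROFILE = "peer matches *none* of the profiles"


@dataclass
class IsakmpSummary:
    """Facts extracted from one trace (field names are this example's own)."""
    transitions: List[Tuple[str, str]] = field(default_factory=list)
    phase1_complete: bool = False
    natt_vendor_ids: List[str] = field(default_factory=list)
    peer_behind_nat: bool = False
    ports_seen: Set[Tuple[int, int]] = field(default_factory=set)  # (dport, sport)
    floated_to: Optional[int] = None
    profile_match_failed: bool = False
    phase2_encaps: Optional[str] = None
    phase2_error: Optional[int] = None
    notify_sent: Optional[str] = None

    @property
    def port_floated_to_4500(self) -> bool:
        # NAT-T moves IKE (and UDP-encapsulated ESP) to UDP/4500 once NAT is detected.
        return any(dport == 4500 for dport, _ in self.ports_seen)


def summarize(log: str) -> IsakmpSummary:
    """Walk the trace line by line and record the interesting events."""
    s = IsakmpSummary()
    for line in log.splitlines():
        if m := STATE_RE.search(line):
            old, new = m.group(2), m.group(3)
            if old != new:                      # IOS also logs no-op transitions
                s.transitions.append((old, new))
            if new == "IKE_P1_COMPLETE":
                s.phase1_complete = True
        elif m := RECV_RE.search(line):
            s.ports_seen.add((int(m.group(2)), int(m.group(3))))
        elif m := VID_RE.search(line):
            if m.group(1) not in s.natt_vendor_ids:
                s.natt_vendor_ids.append(m.group(1))
        elif m := FLOAT_RE.search(line):
            s.floated_to = int(m.group(1))
        elif m := ENCAPS_RE.search(line):
            s.phase2_encaps = m.group(1)
        elif m := INVALID_RE.search(line):
            s.phase2_error = int(m.group(1))
        elif m := NOTIFY_RE.search(line):
            s.notify_sent = m.group(1)
        elif OUTSIDE_NAT in line:
            s.peer_behind_nat = True
        elif NO_PROFILE in line:
            s.profile_match_failed = True
    return s


def diagnose(s: IsakmpSummary) -> List[str]:
    """Turn the extracted facts into human-readable findings."""
    findings: List[str] = []
    if s.natt_vendor_ids:
        findings.append("NAT-T vendor IDs exchanged: " + ", ".join(s.natt_vendor_ids))
    if s.peer_behind_nat:
        findings.append("NAT detected in front of the peer (this node is outside NAT)")
    if s.port_floated_to_4500:
        findings.append("IKE floated from UDP/500 to UDP/4500: the NAT in front of the "
                        "peer must forward UDP/4500 as well as UDP/500")
    if s.phase1_complete:
        findings.append("Phase 1 completed (IKE_P1_COMPLETE)")
    if s.profile_match_failed:
        findings.append("Peer ID matched no ISAKMP profile; check the profile's "
                        "'match identity' against the ID the peer actually sends")
    if s.phase2_error is not None or s.notify_sent:
        findings.append(f"Phase 2 rejected: encaps={s.phase2_encaps}, IPsec policy "
                        f"error {s.phase2_error}, NOTIFY {s.notify_sent}; compare the "
                        "transform sets and crypto ACL / tunnel protection on both ends")
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize(SAMPLE_LOG)):
        print("-", finding)
```

Run it against a full `debug crypto isakmp` capture (after masking addresses if you share it) and the findings list gives the order of events to check: phase 1 completing while phase 2 is rejected with a Tunnel-UDP encapsulation, as in this trace, points at the responder's IPsec policy rather than at IKE itself.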