
Office to Office VPN Tunnel

Status
Not open for further replies.

nunzeo

Programmer
Nov 17, 2003
196
US
I am trying to send all traffic through the IPSEC VPN tunnel. This router connects to a Cisco 3000 back at our datacenter. I want internet traffic to go through the tunnel and out the datacenter side.

Right now all 10.x.x.x networks go through the tunnel, but when I try to go to a website, the traffic goes out FE4 and to the ISP. Can you look at this config and tell me what I am doing wrong? Thanks, Nunzeo

Current configuration : 7726 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!

!
no ip domain lookup
ip domain name yourdomain.com
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxx address x.x.x.25
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set test esp-aes esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel tox.x.x.25
set peer x.x.x.25
set transform-set ESP-3DES-SHA
match address 100
!
!
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface FastEthernet4
ip address x.x.x.50 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.31.5.83 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip local policy route-map SDM_RMAP_1
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.54
ip route 10.31.0.0 255.255.252.0 10.31.5.1
ip route 10.31.6.0 255.255.255.0 10.31.5.1
ip route 10.31.200.0 255.255.255.0 10.31.5.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.31.5.0 0.0.0.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 167.147.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.4.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.5.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.6.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.7.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.8.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.9.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.12.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.13.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.14.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.15.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.16.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.17.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.18.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.19.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.21.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.22.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.23.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.24.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.25.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.26.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.27.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.28.0.0 0.0.255.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.29.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 167.147.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.4.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.5.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.6.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.7.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.8.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.9.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.12.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.13.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.14.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.15.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.16.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.17.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.18.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.19.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.21.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.22.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.23.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.24.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.25.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.26.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.27.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.28.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.29.0.0 0.0.255.255
access-list 101 permit ip 10.31.0.0 0.0.255.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.31.5.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.31.5.0 0.0.0.255 10.0.0.0 0.255.255.255
snmp-server community
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco".

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use
.

For more information about SDM please follow the instructions in the QUICK START

GUIDE for your router or go to -----------------------------------------------------------------------
^C
!
line con 0
login local
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
privilege level 15
login local
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
end
 
I'm assuming you don't go through a proxy for web access:
Code:
All traffic from 10.31.0.0/16 through tunnel
-----------------
access-list 100 permit ip 10.31.0.0 0.0.255.255 any
no access-list 101 permit ip 10.31.0.0 0.0.255.255 any
access-list 101 deny ip 10.31.0.0 0.0.255.255 any
You can also remove a lot of your ACL statements with the permit any since they would be redundant with the config above.
 
One more thing I wanted to add:

When you do the 'no access-list 101 permit ip 10.31.0.0 0.0.255.255 any' command, it will remove the entire 101 access list.

You can get around that by using the command 'ip access-list extended <ACL name or number>'. That will allow you to remove specific line items instead of blowing out the entire ACL.
 
Thanks netrx, but when I modified it to what you said the tunnel drops. I might have the concentrator on the opposite side set up improperly.

There are two network lists on the 3000 in the LAN to LAN connection:

local network - has network list 10.31.0.0/0.0.255.255

remote network - has network list 0.0.0.0/0.0.0.0. I just modified this list from all my networks to 0.0.0.0.

Is this incorrect?

nunzeo
 
Just so we're clear, when you replace ACL 100 with "access-list 100 permit ip any any" the tunnel drops? If so, assuming it is ok to do testing, what is the output of a "debug crypto ipsec"? That should tell you why the tunnel won't form.

CCNP, CCDP
 
When I replace ACL 100 with ip any any the tunnel drops. I have made no other changes, just that one. Here is the logging output. The only error I think I see is "peer does not do paranoid keepalives"; not sure what that is.

*Mar 8 21:15:28.615: ISAKMP:(0:8:HW:2): vendor ID seems Unity/DPD but major 4 mismatch
*Mar 8 21:15:28.615: ISAKMP:received payload type 20
*Mar 8 21:15:28.615: ISAKMP:received payload type 20
*Mar 8 21:15:28.615: ISAKMP:(0:8:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 8 21:15:28.615: ISAKMP:(0:8:HW:2):Old State = IKE_I_MM4 New State = IKE_I_MM4

*Mar 8 21:15:28.619: ISAKMP:(0:8:HW:2):Send initial contact
*Mar 8 21:15:28.619: ISAKMP:(0:8:HW:2):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 8 21:15:28.619: ISAKMP (0:268435464): ID payload
next-payload : 8
type : 1
address : x.x.x.50
protocol : 17
port : 500
length : 12
*Mar 8 21:15:28.619: ISAKMP:(0:8:HW:2):Total payload length: 12
*Mar 8 21:15:28.619: ISAKMP:(0:8:HW:2): sending packet to x.x.x.25 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 8 21:15:28.619: ISAKMP:(0:8:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 8 21:15:28.619: ISAKMP:(0:8:HW:2):Old State = IKE_I_MM4 New State = IKE_I_MM5

*Mar 8 21:15:28.739: ISAKMP (0:268435464): received packet from x.x.x.25 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 8 21:15:28.743: ISAKMP:(0:8:HW:2): processing ID payload. message ID = 0
*Mar 8 21:15:28.743: ISAKMP (0:268435464): ID payload
next-payload : 8
type : 1
address : x.x.x.25
protocol : 17
port : 0
length : 12
*Mar 8 21:15:28.743: ISAKMP:(0:8:HW:2):: peer matches *none* of the profiles
*Mar 8 21:15:28.743: ISAKMP:(0:8:HW:2): processing HASH payload. message ID = 0
*Mar 8 21:15:28.743: ISAKMP:received payload type 17
*Mar 8 21:15:28.743: ISAKMP:(0:8:HW:2): processing vendor id payload
*Mar 8 21:15:28.743: ISAKMP:(0:8:HW:2): vendor ID is DPD
*Mar 8 21:15:28.743: ISAKMP:(0:8:HW:2):SA authentication status:
authenticated
*Mar 8 21:15:28.743: ISAKMP:(0:8:HW:2):SA has been authenticated with x.x.x.25
*Mar 8 21:15:28.743: ISAKMP: Trying to insert a peer x.x.x.50/x.x.x.25/500/, and inserted successfully 827809A0.
*Mar 8 21:15:28.743: ISAKMP:(0:8:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 8 21:15:28.743: ISAKMP:(0:8:HW:2):Old State = IKE_I_MM5 New State = IKE_I_MM6

*Mar 8 21:15:28.747: ISAKMP:(0:8:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 8 21:15:28.747: ISAKMP:(0:8:HW:2):Old State = IKE_I_MM6 New State = IKE_I_MM6

*Mar 8 21:15:28.747: ISAKMP:(0:8:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 8 21:15:28.747: ISAKMP:(0:8:HW:2):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

*Mar 8 21:15:28.747: ISAKMP:(0:8:HW:2):beginning Quick Mode exchange, M-ID of 148081990
*Mar 8 21:15:28.751: ISAKMP:(0:8:HW:2): sending packet to x.x.x.25 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 8 21:15:28.751: ISAKMP:(0:8:HW:2):Node 148081990, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 8 21:15:28.751: ISAKMP:(0:8:HW:2):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 8 21:15:28.751: ISAKMP:(0:8:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 8 21:15:28.751: ISAKMP:(0:8:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Mar 8 21:15:28.783: ISAKMP (0:268435464): received packet from x.x.x.25 dport 500 sport 500 Global (I) QM_IDLE
*Mar 8 21:15:28.783: ISAKMP: set new node 586302514 to QM_IDLE
*Mar 8 21:15:28.787: ISAKMP:(0:8:HW:2): processing HASH payload. message ID = 586302514
*Mar 8 21:15:28.787: ISAKMP:received payload type 18
*Mar 8 21:15:28.787: ISAKMP:(0:8:HW:2): processing DELETE_WITH_REASON payload, message ID = 586302514, reason: Unknown delete reason!
*Mar 8 21:15:28.787: ISAKMP:(0:8:HW:2):peer does not do paranoid keepalives.

*Mar 8 21:15:28.787: ISAKMP:(0:8:HW:2):deleting SA reason "No error" state (I) QM_IDLE (peer x.x.x.25)
*Mar 8 21:15:28.787: ISAKMP:(0:8:HW:2):deleting node 586302514 error FALSE reason "Informational (in) state 1"
*Mar 8 21:15:28.787: ISAKMP:(0:8:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 8 21:15:28.787: ISAKMP:(0:8:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

*Mar 8 21:15:28.787: ISAKMP:(0:8:HW:2):deleting SA reason "No reason" state (I) QM_IDLE (peer x.x.x.25)
*Mar 8 21:15:28.787: ISAKMP: Unlocking IKE struct 0x827809A0 for isadb_mark_sa_deleted(), count 0
*Mar 8 21:15:28.787: ISAKMP: Deleting peer node by peer_reap for x.x.x.25: 827809A0
*Mar 8 21:15:28.787: ISAKMP:(0:8:HW:2):deleting node 148081990 error FALSE reason "IKE deleted"
*Mar 8 21:15:28.787: ISAKMP:(0:8:HW:2):deleting node 586302514 error FALSE reason "IKE deleted"
*Mar 8 21:15:28.791: ISAKMP:(0:8:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 8 21:15:28.791: ISAKMP:(0:8:HW:2):Old State = IKE_DEST_SA New State = IKE_DEST_SA

*Mar 8 21:15:47.823: ISAKMP:(0:7:HW:2):purging node 1481620355
*Mar 8 21:15:47.823: ISAKMP:(0:7:HW:2):purging node -711237836
*Mar 8 21:15:57.823: ISAKMP:(0:7:HW:2):purging SA., sa=82783744, delme=82783744
*Mar 8 21:15:58.251: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= x.x.x.50, remote= x.x.x.25,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Mar 8 21:15:58.251: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= x.x.x.50, remote= x.x.x.25,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xE9A7FA57(3920099927), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 8 21:15:58.251: ISAKMP: received ke message (1/1)
*Mar 8 21:15:58.251: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Mar 8 21:15:58.251: ISAKMP: Created a peer struct for x.x.x.25, peer port 500
*Mar 8 21:15:58.251: ISAKMP: Locking peer struct 0x827809A0, IKE refcount 1 for isakmp_initiator
*Mar 8 21:15:58.251: ISAKMP: local port 500, remote port 500
*Mar 8 21:15:58.251: ISAKMP: set new node 0 to QM_IDLE
*Mar 8 21:15:58.251: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82781F04
*Mar 8 21:15:58.251: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Mar 8 21:15:58.251: ISAKMP: Looking for a matching key for x.x.x.25 in default : success
*Mar 8 21:15:58.251: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching x.x.x.25
*Mar 8 21:15:58.251: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Mar 8 21:15:58.251: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Mar 8 21:15:58.251: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Mar 8 21:15:58.251: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 8 21:15:58.255: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1

*Mar 8 21:15:58.255: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Mar 8 21:15:58.255: ISAKMP:(0:0:N/A:0): sending packet to x.x.x.25 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 8 21:15:58.395: ISAKMP (0:0): received packet from x.x.x.25 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 8 21:15:58.395: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 8 21:15:58.395: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_I_MM2

*Mar 8 21:15:58.395: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Mar 8 21:15:58.395: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 8 21:15:58.395: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 8 21:15:58.399: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Mar 8 21:15:58.399: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 8 21:15:58.399: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch
*Mar 8 21:15:58.399: ISAKMP: Looking for a matching key for x.x.x.25 in default : success
*Mar 8 21:15:58.399: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching x.x.x.25
*Mar 8 21:15:58.399: ISAKMP:(0:0:N/A:0): local preshared key found
*Mar 8 21:15:58.399: ISAKMP : Scanning profiles for xauth ...
*Mar 8 21:15:58.399: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
*Mar 8 21:15:58.399: ISAKMP: encryption AES-CBC
*Mar 8 21:15:58.399: ISAKMP: keylength of 128
*Mar 8 21:15:58.399: ISAKMP: hash SHA
*Mar 8 21:15:58.399: ISAKMP: default group 2
*Mar 8 21:15:58.399: ISAKMP: auth pre-share
*Mar 8 21:15:58.399: ISAKMP: life type in seconds
*Mar 8 21:15:58.399: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 8 21:15:58.399: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Mar 8 21:15:58.431: ISAKMP:(0:9:HW:2): processing vendor id payload
*Mar 8 21:15:58.431: ISAKMP:(0:9:HW:2): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 8 21:15:58.431: ISAKMP:(0:9:HW:2): vendor ID is NAT-T v2
*Mar 8 21:15:58.431: ISAKMP:(0:9:HW:2): processing vendor id payload
*Mar 8 21:15:58.431: ISAKMP:(0:9:HW:2): vendor ID seems Unity/DPD but major 194 mismatch
*Mar 8 21:15:58.431: ISAKMP:(0:9:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 8 21:15:58.431: ISAKMP:(0:9:HW:2):Old State = IKE_I_MM2 New State = IKE_I_MM2

*Mar 8 21:15:58.431: ISAKMP:(0:9:HW:2): sending packet to x.x.x.25 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar 8 21:15:58.431: ISAKMP:(0:9:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 8 21:15:58.431: ISAKMP:(0:9:HW:2):Old State = IKE_I_MM2 New State = IKE_I_MM3

*Mar 8 21:15:58.575: ISAKMP (0:268435465): received packet from x.x.x.25 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar 8 21:15:58.575: ISAKMP:(0:9:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 8 21:15:58.575: ISAKMP:(0:9:HW:2):Old State = IKE_I_MM3 New State = IKE_I_MM4

*Mar 8 21:15:58.575: ISAKMP:(0:9:HW:2): processing KE payload. message ID = 0
*Mar 8 21:15:58.607: ISAKMP:(0:9:HW:2): processing NONCE payload. message ID = 0
*Mar 8 21:15:58.607: ISAKMP: Looking for a matching key for x.x.x.25 in default : success
*Mar 8 21:15:58.607: ISAKMP:(0:9:HW:2):found peer pre-shared key matching x.x.x.25
*Mar 8 21:15:58.607: ISAKMP:(0:9:HW:2):SKEYID state generated
*Mar 8 21:15:58.607: ISAKMP:(0:9:HW:2): processing vendor id payload
*Mar 8 21:15:58.607: ISAKMP:(0:9:HW:2): vendor ID is Unity
*Mar 8 21:15:58.607: ISAKMP:(0:9:HW:2): processing vendor id payload
*Mar 8 21:15:58.607: ISAKMP:(0:9:HW:2): vendor ID seems Unity/DPD but major 126 mismatch
*Mar 8 21:15:58.607: ISAKMP:(0:9:HW:2): vendor ID is XAUTH
*Mar 8 21:15:58.607: ISAKMP:(0:9:HW:2): processing vendor id payload
*Mar 8 21:15:58.607: ISAKMP:(0:9:HW:2): speaking to another IOS box!
*Mar 8 21:15:58.607: ISAKMP:(0:9:HW:2): processing vendor id payload
*Mar 8 21:15:58.607: ISAKMP:(0:9:HW:2): vendor ID seems Unity/DPD but major 4 mismatch
*Mar 8 21:15:58.607: ISAKMP:received payload type 20
*Mar 8 21:15:58.607: ISAKMP:received payload type 20
*Mar 8 21:15:58.611: ISAKMP:(0:9:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 8 21:15:58.611: ISAKMP:(0:9:HW:2):Old State = IKE_I_MM4 New State = IKE_I_MM4

*Mar 8 21:15:58.611: ISAKMP:(0:9:HW:2):Send initial contact
*Mar 8 21:15:58.611: ISAKMP:(0:9:HW:2):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 8 21:15:58.611: ISAKMP (0:268435465): ID payload
next-payload : 8
type : 1
address : x.x.x.50
protocol : 17
port : 500
length : 12
*Mar 8 21:15:58.611: ISAKMP:(0:9:HW:2):Total payload length: 12
*Mar 8 21:15:58.611: ISAKMP:(0:9:HW:2): sending packet to x.x.x.25 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 8 21:15:58.611: ISAKMP:(0:9:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 8 21:15:58.615: ISAKMP:(0:9:HW:2):Old State = IKE_I_MM4 New State = IKE_I_MM5

*Mar 8 21:15:58.739: ISAKMP (0:268435465): received packet from x.x.x.25 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 8 21:15:58.739: ISAKMP:(0:9:HW:2): processing ID payload. message ID = 0
*Mar 8 21:15:58.739: ISAKMP (0:268435465): ID payload
next-payload : 8
type : 1
address : x.x.x.25
protocol : 17
port : 0
length : 12
*Mar 8 21:15:58.739: ISAKMP:(0:9:HW:2):: peer matches *none* of the profiles
*Mar 8 21:15:58.739: ISAKMP:(0:9:HW:2): processing HASH payload. message ID = 0
*Mar 8 21:15:58.743: ISAKMP:received payload type 17
*Mar 8 21:15:58.743: ISAKMP:(0:9:HW:2): processing vendor id payload
*Mar 8 21:15:58.743: ISAKMP:(0:9:HW:2): vendor ID is DPD
*Mar 8 21:15:58.743: ISAKMP:(0:9:HW:2):SA authentication status:
authenticated
*Mar 8 21:15:58.743: ISAKMP:(0:9:HW:2):SA has been authenticated with x.x.x.25
*Mar 8 21:15:58.743: ISAKMP: Trying to insert a peer x.x.x.50/x.x.x.25/500/, and inserted successfully 827809A0.
*Mar 8 21:15:58.743: ISAKMP:(0:9:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 8 21:15:58.743: ISAKMP:(0:9:HW:2):Old State = IKE_I_MM5 New State = IKE_I_MM6

*Mar 8 21:15:58.743: ISAKMP:(0:9:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 8 21:15:58.743: ISAKMP:(0:9:HW:2):Old State = IKE_I_MM6 New State = IKE_I_MM6

*Mar 8 21:15:58.743: ISAKMP:(0:9:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 8 21:15:58.743: ISAKMP:(0:9:HW:2):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

*Mar 8 21:15:58.747: ISAKMP:(0:9:HW:2):beginning Quick Mode exchange, M-ID of -2034578900
*Mar 8 21:15:58.747: ISAKMP:(0:9:HW:2): sending packet to x.x.x.25 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 8 21:15:58.747: ISAKMP:(0:9:HW:2):Node -2034578900, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 8 21:15:58.747: ISAKMP:(0:9:HW:2):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 8 21:15:58.751: ISAKMP:(0:9:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 8 21:15:58.751: ISAKMP:(0:9:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Mar 8 21:15:58.787: ISAKMP (0:268435465): received packet from x.x.x.25 dport 500 sport 500 Global (I) QM_IDLE
*Mar 8 21:15:58.787: ISAKMP: set new node -1277464938 to QM_IDLE
*Mar 8 21:15:58.787: ISAKMP:(0:9:HW:2): processing HASH payload. message ID = -1277464938
*Mar 8 21:15:58.787: ISAKMP:received payload type 18
*Mar 8 21:15:58.787: ISAKMP:(0:9:HW:2): processing DELETE_WITH_REASON payload, message ID = -1277464938, reason: Unknown delete reason!
*Mar 8 21:15:58.787: ISAKMP:(0:9:HW:2):peer does not do paranoid keepalives.

*Mar 8 21:15:58.787: ISAKMP:(0:9:HW:2):deleting SA reason "No error" state (I) QM_IDLE (peer x.x.x.25)
*Mar 8 21:15:58.787: ISAKMP:(0:9:HW:2):deleting node -1277464938 error FALSE reason "Informational (in) state 1"
*Mar 8 21:15:58.787: ISAKMP:(0:9:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 8 21:15:58.787: ISAKMP:(0:9:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

*Mar 8 21:15:58.791: ISAKMP:(0:9:HW:2):deleting SA reason "No reason" state (I) QM_IDLE (peer x.x.x.25)
*Mar 8 21:15:58.791: ISAKMP: Unlocking IKE struct 0x827809A0 for isadb_mark_sa_deleted(), count 0
*Mar 8 21:15:58.791: ISAKMP: Deleting peer node by peer_reap for x.x.x.25: 827809A0
*Mar 8 21:15:58.791: ISAKMP:(0:9:HW:2):deleting node -2034578900 error FALSE reason "IKE deleted"
*Mar 8 21:15:58.791: ISAKMP:(0:9:HW:2):deleting node -1277464938 error FALSE reason "IKE deleted"
*Mar 8 21:15:58.791: ISAKMP:(0:9:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 8 21:15:58.791: ISAKMP:(0:9:HW:2):Old State = IKE_DEST_SA New State = IKE_DEST_SA

*Mar 8 21:16:18.787: ISAKMP:(0:8:HW:2):purging node 148081990
*Mar 8 21:16:18.791: ISAKMP:(0:8:HW:2):purging node 586302514
*Mar 8 21:16:28.251: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= x.x.x.50, remote= x.x.x.25,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Mar 8 21:16:28.251: ISAKMP: received ke message (3/1)
*Mar 8 21:16:28.251: ISAKMP:(0:9:HW:2):peer does not do paranoid keepalives.

*Mar 8 21:16:28.251: ISAKMP:(0:8:HW:2):peer does not do paranoid keepalives.

*Mar 8 21:16:28.791: ISAKMP:(0:8:HW:2):purging SA., sa=82776F2C, delme=82776F2C
WOO-VPN#
 
Hmm... What does the other side expect to be encrypted? That ACL 100 controls what your router will encrypt, and what it expects the other side to encrypt, so it's possible there is a disagreement there.

CCNP, CCDP
 
So if I do ip access-list 10.31.0.0 0.0.255.255 any on the router side, do I do 0.0.0.0/0.0.0.0 on the concentrator side?
 
quadratic, you were right. I had to put 0.0.0.0/255.255.255.255 in the config on the concentrator on the far side as the local network in order for the tunnel to come back up and for all traffic to go through the tunnel.

Thanks for everyone's help.
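The thread turns on two consistency checks that are easy to get wrong by hand: the NAT route-map ACL (101) must deny everything the crypto ACL (100) encrypts, because IOS translates inside-to-outside traffic before the crypto map sees it, and the concentrator's LAN-to-LAN network lists must mirror the router's proxy identities (the router's destination is the concentrator's local network, the router's source is its remote network). The Python script below is an added example, not code from the thread or from Cisco; it parses a few constructed access-list lines in the shape of the posted config (one entry stands in for the 29 per ACL), the concentrator lists as nunzeo described them, and a working pair where the remote list is assumed to still be 10.31.0.0/0.0.255.255, which the last post does not restate. Wildcards are assumed contiguous.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard_to_network(addr, wildcard):
    """IOS 'address wildcard' -> IPv4Network. Contiguous wildcards only (assumption)."""
    host = int(ipaddress.IPv4Address(addr))
    wild = int(ipaddress.IPv4Address(wildcard))
    if (wild + 1) & wild:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    base = ipaddress.IPv4Address(host & ~wild & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{base}/{32 - wild.bit_length()}")


@dataclass(frozen=True)
class AclEntry:
    acl: str
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_net(tok, i):
    """Consume one address spec ('any', 'host A' or 'A wildcard') starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(f"{tok[i + 1]}/32"), i + 2
    return wildcard_to_network(tok[i], tok[i + 1]), i + 2


def parse_acls(config_text):
    """Numbered extended 'ip' entries per ACL, in order. Remarks and standard ACLs are skipped."""
    acls = {}
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] not in ("permit", "deny") or tok[3] != "ip":
            continue
        src, i = _take_net(tok, 4)
        dst, _ = _take_net(tok, i)
        acls.setdefault(tok[1], []).append(AclEntry(tok[1], tok[2], src, dst))
    return acls


def _covers(entry, flow):
    return flow.src.subnet_of(entry.src) and flow.dst.subnet_of(entry.dst)


def nat_leaks(acls, crypto="100", nat="101"):
    """Crypto-ACL permits the NAT ACL would still translate (first match wins).

    A flow that hits a NAT permit leaves with the outside interface address,
    no longer matches the crypto ACL, and goes to the ISP in the clear.
    A partially overlapping permit is counted as a leak to stay conservative.
    """
    leaks = []
    for flow in acls.get(crypto, []):
        if flow.action != "permit":
            continue
        for entry in acls.get(nat, []):
            if _covers(entry, flow):
                if entry.action == "permit":
                    leaks.append(flow)
                break
            if entry.action == "permit" and entry.src.overlaps(flow.src) and entry.dst.overlaps(flow.dst):
                leaks.append(flow)
                break
        # no match at all is the implicit deny: nothing translated
    return leaks


def parse_network_list(items):
    """Concentrator 'address/wildcard' network list -> list of networks."""
    return [wildcard_to_network(*item.split("/")) for item in items]


def mirror_mismatches(crypto_entries, conc_local, conc_remote):
    """Crypto-ACL permits whose proxies the far-end local/remote lists do not cover."""
    local, remote = parse_network_list(conc_local), parse_network_list(conc_remote)
    return [e for e in crypto_entries if e.action == "permit" and not (
        any(e.dst.subnet_of(n) for n in local) and any(e.src.subnet_of(n) for n in remote))]


# Constructed excerpts in the shape of the posted config.
ROUTER_ORIGINAL = """\
access-list 100 permit ip 10.31.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 101 permit ip 10.31.0.0 0.0.255.255 any
"""
ROUTER_CRYPTO_ONLY = """\
access-list 100 permit ip 10.31.0.0 0.0.255.255 any
access-list 101 deny ip 10.31.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 101 permit ip 10.31.0.0 0.0.255.255 any
"""
ROUTER_FULL_TUNNEL = """\
access-list 100 permit ip 10.31.0.0 0.0.255.255 any
access-list 101 deny ip 10.31.0.0 0.0.255.255 any
"""
# Concentrator (local, remote) lists: as nunzeo first described them, then the working pair.
CONC_INVERTED = (["10.31.0.0/0.0.255.255"], ["0.0.0.0/0.0.0.0"])
CONC_WORKING = (["0.0.0.0/255.255.255.255"], ["10.31.0.0/0.0.255.255"])

if __name__ == "__main__":
    for name, cfg in (("original", ROUTER_ORIGINAL), ("crypto ACL only", ROUTER_CRYPTO_ONLY),
                      ("full tunnel", ROUTER_FULL_TUNNEL)):
        print(f"{name}: {len(nat_leaks(parse_acls(cfg)))} crypto entries NATed before encryption")
    acl100 = parse_acls(ROUTER_FULL_TUNNEL)["100"]
    for name, (local, remote) in (("inverted", CONC_INVERTED), ("working", CONC_WORKING)):
        print(f"concentrator lists {name}: {len(mirror_mismatches(acl100, local, remote))} unmirrored")
```

Running it shows the two failure modes in the thread side by side: changing only ACL 100 to permit any leaves the NAT permit in 101 matching first, so the internet traffic is translated and never encrypted, and the first pair of concentrator lists is not a mirror of the full-tunnel crypto ACL (note that 0.0.0.0/0.0.0.0 as a wildcard pair is a single host, while 0.0.0.0/255.255.255.255 is every address).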
 