
Problem getting vpn to work between netscreen 208 and cisco 1721


eabbink (Programmer, NL), Nov 26, 2002
Hello,

I'm having quite a bit of trouble getting these two devices to 'vpn' well together.

The situation is as follows:

internal net is 192.0.0.0/24 protected by ns208
external net is 10.1.1.0/24 protected by 1721

transit networks are 20.1.1.0/24 (ethernet) and 192.168.80.0/24 (ISDN). The ISDN dialup is done by another Cisco router.

the VPN is supposed to run between the ns208 and the 1721.

With some digging through documentation I've configured both devices and when initiated by traffic they negotiate a vpn link.

The problem is that when a packet is actually received on the cisco it discards it with the following error message:

02:23:38: %CRYPTO-4-RECVD_PKT_INV_IDENTITY: identity doesn't match negotiated identity
(ip) dest_addr= 192.168.80.10, src_addr= 20.1.1.2, prot= 1
(ident) local=192.168.80.10, remote=20.1.1.2
local proxy=10.1.1.10/255.255.255.255/0/0,
remote_proxy=192.0.0.0/255.255.255.0/0/0
02:23:38: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
02:23:49: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
02:24:00: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
02:24:10: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

the netscreen displays no errors and thinks the vpn is up although it does change that opinion after a while to 'down'.

the netscreen has OS release 4.0.0r1, the cisco has 12.2(8)T5.

At the moment I'm quite stuck with this. I've been in touch with both support desks and although they are working on it (for several days already) they both think their respective configs are fine and don't understand why it's not working. :(

I've included the config of both devices below.

If there's anyone who could offer some assistance, or better yet has a similar set-up in operation and is willing to provide working configs, that would be very much appreciated!

thanks in advance,

Esger



cisco config:

Current configuration : 1625 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1721B
!
enable secret 5 $1$nNH6$E4BctAYoaohhGO1A3jzi40
enable password XXXXXXXX
!
username 1721A password 0 XXXXXXXXX
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
!
ip audit notify log
isdn switch-type basic-net3
!
crypto isakmp policy 25
encr 3des
authentication pre-share
lifetime 28800
crypto isakmp key XXXXXX address 20.1.1.2
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set paalA esp-3des esp-sha-hmac
!
crypto map tunnelmap 10 ipsec-isakmp
set peer 20.1.1.2
set transform-set paalA
set pfs group1
match address 101
!
!
!
!
interface BRI0
no ip address
encapsulation ppp
no ip mroute-cache
dialer pool-member 1
isdn switch-type basic-net3
isdn spid1 25
isdn spid2 26
isdn answer1 25
isdn answer2 26
no cdp enable
ppp authentication chap
!
interface FastEthernet0
ip address 10.1.1.10 255.255.255.0
no ip mroute-cache
speed auto
half-duplex
!
interface Dialer1
ip address 192.168.80.10 255.255.255.0
encapsulation ppp
authentication chap
dialer pool 1
dialer idle-timeout 3600
no cdp enable
crypto map tunnelmap
!
ip classless
ip route 20.1.1.0 255.255.255.0 192.168.80.1
no ip http server
ip pim bidir-enable
!
!
access-list 1 permit any
access-list 2 permit any
access-list 3 permit any
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.0.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
line con 0
line aux 0
line vty 0 4
password makkie1
login
!
no scheduler allocate
end


netscreen config:

set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth-server "DefL2TPAuthServer" id 1
set auth-server "DefL2TPAuthServer" account-type l2tp
set auth default auth server "Local"
set clock "timezone" 1
set admin format dos
set admin name "netscreen"
set admin password nKVUM2rwMUzPcrkG5sWIHdCtqkAibn
set admin auth timeout 10
set admin auth server "Local"
unset vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set zone id 1000 "3rdparty"
set zone id 1001 "IA_palen"
set zone "Trust" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" vrouter "untrust-vr"
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" vrouter "untrust-vr"
set zone "DMZ" tcp-rst
set zone "MGT" block
set zone "MGT" tcp-rst
set zone "3rdparty" vrouter "trust-vr"
set zone "3rdparty" block
set zone "3rdparty" tcp-rst
set zone "IA_palen" vrouter "trust-vr"
set zone "IA_palen" block
set zone "IA_palen" tcp-rst
set zone Untrust screen tear-drop
set zone Untrust screen syn-flood
set zone Untrust screen ping-death
set zone Untrust screen ip-filter-src
set zone Untrust screen land
set zone V1-Untrust screen tear-drop
set zone V1-Untrust screen syn-flood
set zone V1-Untrust screen ping-death
set zone V1-Untrust screen ip-filter-src
set zone V1-Untrust screen land
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "3rdparty"
set interface "ethernet3" zone "Untrust"
set interface "ethernet5" zone "Trust"
set interface vlan1 ip 192.0.0.2/24
set interface ethernet1 ip 192.0.0.2/24
set interface ethernet1 route
set interface ethernet2 ip 20.1.1.2/24
set interface ethernet2 route
unset interface ethernet3 ip manageable
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet3 manage-ip 192.168.1.1
set interface ethernet2 manage ping
set address Trust "192.0.0.0/24" 192.0.0.0 255.255.255.0
set address Trust "192.0.0.12" 192.0.0.12 255.255.255.255
set address 3rdparty "10.1.1.0/24" 10.1.1.0 255.255.255.0
set address 3rdparty "1721" 192.168.80.10 255.255.255.255
set firewall log-self
set snmp name "ns208"
set ike p1-proposal "pre-g1-3des-sha" Preshare Group1 esp 3DES SHA-1 second 28800
set ike p2-proposal "g1-esp-3des-sha" Group1 ESP 3DES SHA-1 second 28800
set ike gateway "1721B" ip 192.168.80.10 Main outgoing-interface "ethernet2" preshare "secret" proposal "pre-g1-3des-sha"
unset ike policy-checking
set ike respond-bad-spi 1
set vpn "IA-vpn" id 6 gateway "1721B" replay tunnel idletime 0 proposal "g1-esp-3des-sha"
set vpn "IA-vpn" monitor
set ike id-mode subnet
set xauth lifetime 480
set xauth default auth server Local
set policy id 0 name "vpn-test" from "Trust" to "3rdparty" "192.0.0.0/24" "10.1.1.0/24" "ANY" Tunnel vpn "IA-vpn" id 9 pair-policy 1 no-session-backup
set policy id 1 name "vpn-test" from "3rdparty" to "Trust" "10.1.1.0/24" "192.0.0.0/24" "ANY" Tunnel vpn "IA-vpn" id 9 pair-policy 0 no-session-backup
unset global-pro policy-manager primary outgoing-interface
unset global-pro policy-manager secondary outgoing-interface
set nsrp track-ip ip
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
set add-default-route vrouter untrust-vr
set route 192.168.80.0/24 interface ethernet2 gateway 20.1.1.20
set route 10.1.1.0/24 interface ethernet2
exit
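The IOS message quoted in the post can be checked mechanically rather than by eye. The script below is an added example for this thread, not code from the post, from Cisco or from NetScreen. It parses a %CRYPTO-4-RECVD_PKT_INV_IDENTITY record, in which the (ip) line is the header of the decrypted inner packet and "local proxy"/"remote_proxy" are the phase-2 identities the two peers agreed on, and reports two things: whether the inner packet's source and destination lie inside the remote and local proxy respectively (the test the responder applies before it will forward a decrypted packet), and whether those negotiated proxies equal what access-list 101 in the posted IOS config describes. The log record and the ACL entry are copied from the post; the function names and the check logic are assumptions of mine.

```python
"""Check an IOS %CRYPTO-4-RECVD_PKT_INV_IDENTITY record against the
negotiated phase-2 identities and the crypto ACL.

Added example for this thread, not code from the post, Cisco or NetScreen.
The log record and the crypto ACL entry are copied from the post; the
function names and the check logic are my own.
"""
import ipaddress
import re

# Constructed from the post: the IOS record re-joined so the wrapped
# "negotiated identity" text sits on one line.
IOS_LOG = """\
02:23:38: %CRYPTO-4-RECVD_PKT_INV_IDENTITY: identity doesn't match negotiated identity
(ip) dest_addr= 192.168.80.10, src_addr= 20.1.1.2, prot= 1
(ident) local=192.168.80.10, remote=20.1.1.2
local proxy=10.1.1.10/255.255.255.255/0/0,
remote_proxy=192.0.0.0/255.255.255.0/0/0
"""

# The crypto ACL the posted IOS config binds to the crypto map (match address 101).
CRYPTO_ACE_101 = "access-list 101 permit ip 10.1.1.0 0.0.0.255 192.0.0.0 0.0.0.255"


def parse_proxy(text):
    """'addr/mask/proto/port' as IOS prints it -> (ip_network, proto, port).
    proto 0 and port 0 mean 'any'."""
    addr, mask, proto, port = text.split("/")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), int(proto), int(port)


def parse_inv_identity(record):
    """Extract the decrypted inner packet header and the negotiated identities."""
    ip = re.search(r"\(ip\) dest_addr= (\S+), src_addr= (\S+), prot= (\d+)", record)
    lp = re.search(r"local proxy=([^\s,]+)", record)
    rp = re.search(r"remote_proxy=([^\s,]+)", record)
    if not (ip and lp and rp):
        raise ValueError("not a RECVD_PKT_INV_IDENTITY record")
    return {
        "inner_src": ipaddress.ip_address(ip.group(2)),
        "inner_dst": ipaddress.ip_address(ip.group(1)),
        "inner_proto": int(ip.group(3)),
        "local_proxy": parse_proxy(lp.group(1)),
        "remote_proxy": parse_proxy(rp.group(1)),
    }


def wildcard_to_network(addr, wildcard):
    """IOS ACL wildcard (0.0.0.255) -> ip_network (10.1.1.0/24)."""
    mask_int = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask_int)}", strict=False)


def parse_crypto_ace(ace):
    """'permit ip SRC WC DST WC' -> (src_network, dst_network)."""
    m = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", ace)
    if not m:
        raise ValueError("only 'permit ip src wc dst wc' entries are handled here")
    return (wildcard_to_network(m.group(1), m.group(2)),
            wildcard_to_network(m.group(3), m.group(4)))


def in_selector(selector, addr, proto):
    """True if addr/proto fall inside one negotiated proxy identity."""
    net, sel_proto, _port = selector
    return addr in net and sel_proto in (0, proto)


def check(record, ace):
    """Return the list of reasons the responder rejected the decrypted packet.

    An inbound packet is accepted only if its source lies in the remote proxy
    and its destination in the local proxy.  The crypto ACL comparison is a
    configuration check: the negotiated proxies should equal the ACL's
    src/dst, otherwise the two peers are not protecting the same traffic.
    """
    ev = parse_inv_identity(record)
    findings = []
    if not in_selector(ev["remote_proxy"], ev["inner_src"], ev["inner_proto"]):
        findings.append(f"inner src {ev['inner_src']} outside remote proxy {ev['remote_proxy'][0]}")
    if not in_selector(ev["local_proxy"], ev["inner_dst"], ev["inner_proto"]):
        findings.append(f"inner dst {ev['inner_dst']} outside local proxy {ev['local_proxy'][0]}")
    acl_src, acl_dst = parse_crypto_ace(ace)
    if ev["local_proxy"][0] != acl_src:
        findings.append(f"negotiated local proxy {ev['local_proxy'][0]} != ACL source {acl_src}")
    if ev["remote_proxy"][0] != acl_dst:
        findings.append(f"negotiated remote proxy {ev['remote_proxy'][0]} != ACL destination {acl_dst}")
    return findings


if __name__ == "__main__":
    for line in check(IOS_LOG, CRYPTO_ACE_101):
        print(line)
```

Run against the posted values it reports three findings: the inner ICMP packet 20.1.1.2 -> 192.168.80.10 (the ns208's ethernet2 address and the 1721's Dialer1 address, i.e. the tunnel endpoints themselves rather than either protected subnet) lies in neither proxy, and the negotiated local proxy 10.1.1.10/32 is a single host while access-list 101 covers 10.1.1.0/24. The script does not say which device produced each mismatch; it shows only the addresses and prefixes the responder compared when it dropped the packet, which is what the two support desks need to reconcile.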

