atlantian2004
IS-IT--Management
Ok, we have a Cisco 2611 that we need to get an IPSEC tunnel and a GRE tunnel on for multicast data. Here is the weird thing: the IPSEC tunnel will not come up unless I turn off ip routing; however, if IP routing is off then my GRE tunnel won't work, since I do have IP routes. It appears as though maybe traffic is flowing over the router and preventing the VPN from establishing? I assume I need to beef up the access list. I have allows and did a deny ip any any, but that didn't do anything. I tried to do an IP deny any any, but had no luck.
Anyways, if anyone can figure this out and give me a proper config that works, I'll send you a gift card to thinkgeek or your store of choice.
Here are the error messages from when ip routing is on, followed by the good messages from when it is off, and my config.
Nov 27 18:38:37.512: ISAKMP (0:74): received packet from 64.125.177.134 dport 500 sport 500 Global (R) MM_SA_SETUP
Nov 27 18:38:37.512: ISAKMP (0:74): phase 1 packet is a duplicate of a previous packet.
Nov 27 18:38:37.512: ISAKMP (0:74): retransmitting due to retransmit phase 1
Nov 27 18:38:38.013: ISAKMP (0:74): retransmitting phase 1 MM_SA_SETUP...
Nov 27 18:38:38.013: ISAKMP (0:74): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Nov 27 18:38:38.013: ISAKMP (0:74): retransmitting phase 1 MM_SA_SETUP
Nov 27 18:38:38.013: ISAKMP (0:74): sending packet to 64.125.177.134 my_port 500 peer_port 500 (R) MM_SA_SETUP
Nov 27 18:38:47.512: ISAKMP (0:74): received packet from 64.125.177.134 dport 500 sport 500 Global (R) MM_SA_SETUP
Nov 27 18:38:47.512: ISAKMP (0:74): phase 1 packet is a duplicate of a previous packet.
Nov 27 18:38:47.512: ISAKMP (0:74): retransmitting due to retransmit phase 1
Nov 27 18:38:48.013: ISAKMP (0:74): retransmitting phase 1 MM_SA_SETUP...
Nov 27 18:38:48.013: ISAKMP (0:74): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Nov 27 18:38:48.013: ISAKMP (0:74): retransmitting phase 1 MM_SA_SETUP
Nov 27 18:38:48.013: ISAKMP (0:74): sending packet to 64.125.177.134 my_port 500 peer_port 500 (R) MM_SA_SETUP
Nov 27 18:38:57.513: ISAKMP (0:74): received packet from 64.125.177.134 dport 500 sport 500 Global (R) MM_SA_SETUP
Nov 27 18:38:57.513: ISAKMP (0:74): phase 1 packet is a duplicate of a previous packet.
Nov 27 18:38:57.513: ISAKMP (0:74): retransmitting due to retransmit phase 1
Nov 27 18:38:58.013: ISAKMP (0:74): retransmitting phase 1 MM_SA_SETUP...
Nov 27 18:38:58.013: ISAKMP (0:74): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Nov 27 18:38:58.013: ISAKMP (0:74): retransmitting phase 1 MM_SA_SETUP
Nov 27 18:38:58.013: ISAKMP (0:74): sending packet to 64.125.177.134 my_port 500 peer_port 500 (R) MM_SA_SETUP
Nov 27 18:39:07.513: ISAKMP (0:74): received packet from 64.125.177.134 dport 500 sport 500 Global (R) MM_SA_SETUP
Nov 27 18:39:07.513: ISAKMP (0:74): phase 1 packet is a duplicate of a previous packet.
Here are the messages when ip routing is off:
IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
*Mar 1 00:43:54.101: ISAKMP (0:1): Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
*Mar 1 00:43:54.101: IPSEC(key_engine): got a queue event...
*Mar 1 00:43:54.101: IPSEC(initialize_sas): , (key eng. msg.) INBOUND local= 70.19.112.9, remote= 64.125.177.134, local_proxy= 10.74.0.112/0.0.0.0/47/0 (type=1), remote_proxy= 10.74.254.1/0.0.0.0/47/0 (type=1), protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel), lifedur= 3600s and 4608000kb, spi= 0x3F8AC5A9(1066059177), conn_id= 2000, keysize= 0, flags= 0x2
*Mar 1 00:43:54.105: IPSEC(initialize_sas): , (key eng. msg.) OUTBOUND local= 70.19.112.9, remote= 64.125.177.134, local_proxy= 10.74.0.112/0.0.0.0/47/0 (type=1), remote_proxy= 10.74.254.1/0.0.0.0/47/0 (type=1), protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel), lifedur= 3600s and 4608000kb, spi= 0xCD4A0107(3444179207), conn_id= 2001, keysize= 0, flags= 0xA
*Mar 1 00:43:54.109: IPSEC(kei_proxy): head = cmevpn, map->ivrf = , kei->ivrf =
*Mar 1 00:43:54.109: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 64.125.177.134
*Mar 1 00:43:54.109: IPSEC(add mtree): src 10.74.0.112, dest 10.74.254.1, dest_port 0
*Mar 1 00:43:54.109: IPSEC(create_sa): sa created, (sa) sa_dest= 70.19.112.9, sa_prot= 50, sa_spi= 0x3F8AC5A9(1066059177), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2000
*Mar 1 00:43:54.113: IPSEC(create_sa): sa created, (sa) sa_dest= 64.125.177.134, sa_prot= 50, sa_spi= 0xCD4A0107(3444179207), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2001
*Mar 1 00:43:54.157: ISAKMP (0:1): received packet from 64.125.177.134 dport 500 sport 500 Global (R) QM_IDLE
*Mar 1 00:43:54.161: ISAKMP (0:1): deleting node -1256300117 error FALSE reason "quick mode done (await)"
*Mar 1 00:43:54.161: ISAKMP (0:1): Node -1256300117, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 1 00:43:54.161: ISAKMP (0:1): Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Mar 1 00:43:54.161: IPSEC(key_engine): got a queue event...
*Mar 1 00:43:54.161: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Mar 1 00:43:54.165: IPSEC(key_engine_enable_outbound): enable SA with spi 3444179207/50 for 64.125.177.134
*Mar 1 00:44:44.163: ISAKMP (0:1): purging node -1256300117
Here is my current config:
Building configuration...
Current configuration : 2085 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 *edited*
enable password *edited*
!
no aaa new-model
ip subnet-zero
no ip routing
no ip cef
!
ip multicast-routing
ip audit po max-events 100
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key *edited* address 64.125.177.134
!
!
crypto ipsec transform-set cmevpn esp-3des esp-md5-hmac
!
crypto map cmevpn 1 ipsec-isakmp
set peer 64.125.177.134
set transform-set cmevpn
match address 100
!
interface Loopback0
ip address 10.74.0.112 255.255.255.255
shutdown
!
interface Tunnel0
ip address 10.74.2.153 255.255.255.252
ip pim sparse-mode
shutdown
tunnel source 10.74.0.112
tunnel destination 10.74.254.1
!
interface Ethernet0/0
ip address 10.74.112.1 255.255.255.0
ip pim sparse-mode
no ip route-cache
half-duplex
no cdp enable
!
interface Ethernet0/1
ip address *edited* 255.255.255.0
ip access-group 199 in
no ip route-cache
half-duplex
crypto map cmevpn
!
no ip http server
no ip http secure-server
ip classless
ip route 10.71.0.0 255.255.255.0 Tunnel0
!
ip pim rp-address 10.71.0.5
!
access-list 100 permit ip 10.74.112.0 0.0.0.255 10.1.16.0 0.0.0.255
access-list 100 permit ip 10.74.112.0 0.0.0.255 10.1.56.0 0.0.0.255
access-list 100 permit ip 10.74.112.0 0.0.0.255 10.1.63.0 0.0.0.255
access-list 100 permit gre host 10.74.0.112 host 10.74.254.1
access-list 199 permit ip 10.1.16.0 0.0.0.255 10.74.112.0 0.0.0.255
access-list 199 permit ip 10.1.56.0 0.0.0.255 10.74.112.0 0.0.0.255
access-list 199 permit ip 10.1.63.0 0.0.0.255 10.74.112.0 0.0.0.255
access-list 199 permit udp any any eq isakmp
access-list 199 permit ahp any any
access-list 199 permit esp any any
access-list 199 deny ip any any
access-list 199 permit gre host 10.74.254.1 host 10.74.0.112
!
!