VPN between Cisco router and Linksys router


macfoxx

Technical User
Jul 26, 2002
81
PL
Hi folks
I have a problem. I am trying to connect a Cisco 3620 and a Linksys RV042 by site-to-site VPN and I can't establish phase 1 of ISAKMP.
This is the output from the ISAKMP error debug:
router#
4d07h: ISAKMP (0:0): received packet from 83.17.159.254 dport 500 sport 500 Global (N) NEW SA
4d07h: ISAKMP: Created a peer struct for 83.17.159.254, peer port 500
4d07h: ISAKMP: Locking peer struct 0x630776D4, IKE refcount 1 for crypto_ikmp_config_initialize_sa
4d07h: ISAKMP (0:0): Setting client config settings 62C50FF0
4d07h: ISAKMP: local port 500, remote port 500
4d07h: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 62A55DF0
4d07h: ISAKMP (0:4): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
4d07h: ISAKMP (0:4): Old State = IKE_READY New State = IKE_R_MM1

4d07h: ISAKMP (0:4): processing SA payload. message ID = 0
4d07h: ISAKMP (0:4): processing vendor id payload
4d07h: ISAKMP (0:4): vendor ID is DPD
4d07h: ISAKMP: Looking for a matching key for 83.17.159.254 in default : success
4d07h: ISAKMP (0:4): found peer pre-shared key matching 83.17.159.254
4d07h: ISAKMP (0:4) local preshared key found
4d07h: ISAKMP : Scanning profiles for xauth ...
4d07h: ISAKMP (0:4): Checking ISAKMP transform 0 against priority 3 policy
4d07h: ISAKMP: life type in seconds
4d07h: ISAKMP: life duration (basic) of 28800
4d07h: ISAKMP: encryption DES-CBC
4d07h: ISAKMP: hash SHA
4d07h: ISAKMP: auth pre-share
4d07h: ISAKMP: default group 2
4d07h: ISAKMP (0:4): atts are acceptable. Next payload is 0
4d07h: ISAKMP (0:4): processing vendor id payload
4d07h: ISAKMP (0:4): vendor ID is DPD
4d07h: ISAKMP (0:4): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
4d07h: ISAKMP (0:4): Old State = IKE_R_MM1 New State = IKE_R_MM1

4d07h: ISAKMP: Error: payload length of VENDOR 0 < 4
4d07h: ISAKMP (0:4): sending packet to 83.17.159.254 my_port 500 peer_port 500 (R) MM_SA_SETUP
4d07h: ISAKMP (0:4): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
4d07h: ISAKMP (0:4): Old State = IKE_R_MM1 New State = IKE_R_MM2

4d07h: ISAKMP (0:4): received packet from 83.17.159.254 dport 500 sport 500 Global (R) MM_SA_SETUP
4d07h: ISAKMP (0:4): phase 1 packet is a duplicate of a previous packet.
4d07h: ISAKMP (0:4): retransmitting due to retransmit phase 1
4d07h: ISAKMP (0:4): retransmitting phase 1 MM_SA_SETUP...
4d07h: ISAKMP (0:4): retransmitting phase 1 MM_SA_SETUP...
4d07h: ISAKMP (0:4): incrementing error counter on sa: retransmit phase 1
4d07h: ISAKMP (0:4): retransmitting phase 1 MM_SA_SETUP
4d07h: ISAKMP (0:4): sending packet to 83.17.159.254 my_port 500 peer_port 500 (R) MM_SA_SETUP
4d07h: ISAKMP (0:4): retransmitting phase 1 MM_SA_SETUP...
4d07h: ISAKMP (0:4): incrementing error counter on sa: retransmit phase 1
4d07h: ISAKMP (0:4): retransmitting phase 1 MM_SA_SETUP
4d07h: ISAKMP (0:4): sending packet to 83.17.159.254 my_port 500 peer_port 500 (R) MM_SA_SETUP
4d07h: ISAKMP (0:4): retransmitting phase 1 MM_SA_SETUP...
4d07h: ISAKMP (0:4): incrementing error counter on sa: retransmit phase 1
4d07h: ISAKMP (0:4): retransmitting phase 1 MM_SA_SETUP
4d07h: ISAKMP (0:4): sending packet to 83.17.159.254 my_port 500 peer_port 500 (R) MM_SA_SETUP
4d07h: ISAKMP (0:4): received packet from 83.17.159.254 dport 500 sport 500 Glob

Everything is fine until this line:
4d07h: ISAKMP: Error: payload length of VENDOR 0 < 4
I searched many sites but I can't find any explanation of this error.
Thanks for any help
regards
Mac foxx
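The error line quoted in the post refers to the generic header that starts every ISAKMP payload: one byte of "next payload" type, one reserved byte, and a 16-bit length that counts those four bytes as well as the body, so a length below 4 cannot be valid. As an added illustration (not code from the original post, from Cisco, or from Linksys), the following Python builds a constructed IKEv1 main-mode message, walks its payload chain as RFC 2408 lays it out, and applies that same length sanity check, rejecting a vendor ID payload whose length field reads 0 with the wording the router printed. The cookie values, the SA body and the vendor ID body are constructed placeholders; the payload type codes (1 for SA, 13 for Vendor ID) are the RFC 2408 values.

```python
import struct

# ISAKMP (RFC 2408) fixed header: initiator/responder cookies, next payload,
# version, exchange type, flags, message ID, total length -- 28 bytes.
ISAKMP_HDR = "!8s8sBBBBII"
ISAKMP_HDR_LEN = struct.calcsize(ISAKMP_HDR)   # 28
# Every payload starts with a 4-byte generic header: next payload type,
# reserved byte, and a 16-bit length that INCLUDES these 4 bytes.
GENERIC_HDR = "!BBH"
GENERIC_HDR_LEN = struct.calcsize(GENERIC_HDR)  # 4

# Payload type codes used here (RFC 2408 section 3.1).
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 13: "VENDOR"}
MAIN_MODE = 2   # exchange type "Identity Protection" (IKEv1 main mode)


def build_message(payloads):
    """Build a constructed main-mode message.

    payloads: list of (type_code, body, declared_len); declared_len is None
    for a correct length field, or an int to emit a bogus one on purpose.
    """
    body = b""
    for i, (ptype, pbody, declared) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        plen = GENERIC_HDR_LEN + len(pbody) if declared is None else declared
        body += struct.pack(GENERIC_HDR, next_type, 0, plen) + pbody
    first = payloads[0][0] if payloads else 0
    # Cookies are placeholders; version byte 0x10 means major 1, minor 0.
    hdr = struct.pack(ISAKMP_HDR, b"\x11" * 8, b"\x00" * 8, first, 0x10,
                      MAIN_MODE, 0, 0, ISAKMP_HDR_LEN + len(body))
    return hdr + body


def parse_payloads(msg):
    """Walk the payload chain; return [(name, body), ...] or raise ValueError."""
    if len(msg) < ISAKMP_HDR_LEN:
        raise ValueError("message shorter than ISAKMP header")
    (_icookie, _rcookie, next_type, _version, _exch, _flags, _msg_id,
     total_len) = struct.unpack(ISAKMP_HDR, msg[:ISAKMP_HDR_LEN])
    if total_len != len(msg):
        raise ValueError(f"header length {total_len} != {len(msg)} bytes received")
    offset = ISAKMP_HDR_LEN
    found = []
    while next_type != 0:
        name = PAYLOAD_NAMES.get(next_type, f"TYPE{next_type}")
        if offset + GENERIC_HDR_LEN > len(msg):
            raise ValueError(f"truncated generic header for {name}")
        nxt, _reserved, plen = struct.unpack(
            GENERIC_HDR, msg[offset:offset + GENERIC_HDR_LEN])
        # The sanity check behind the router's debug line: a length below 4
        # cannot even cover the generic header itself.
        if plen < GENERIC_HDR_LEN:
            raise ValueError(f"payload length of {name} {plen} < {GENERIC_HDR_LEN}")
        if offset + plen > len(msg):
            raise ValueError(f"{name} payload of {plen} bytes overruns message")
        found.append((name, msg[offset + GENERIC_HDR_LEN:offset + plen]))
        offset += plen
        next_type = nxt
    return found


def check_message(msg):
    """Return ('ok', [payload names]) or ('malformed', reason)."""
    try:
        return "ok", [name for name, _ in parse_payloads(msg)]
    except ValueError as err:
        return "malformed", str(err)


# Constructed samples: a placeholder SA payload followed by a vendor ID payload.
SA_BODY = bytes(8)
VID_BODY = b"SAMPLE-VENDOR-ID"   # constructed placeholder, not a real vendor ID
GOOD_MSG = build_message([(1, SA_BODY, None), (13, VID_BODY, None)])
# The same message with the vendor ID payload's length field zeroed.
BAD_MSG = build_message([(1, SA_BODY, None), (13, VID_BODY, 0)])

if __name__ == "__main__":
    print(check_message(GOOD_MSG))   # ('ok', ['SA', 'VENDOR'])
    print(check_message(BAD_MSG))    # ('malformed', 'payload length of VENDOR 0 < 4')
```

The SA and vendor ID payloads of the first main-mode message are sent in the clear, so a framing check like this one can be reproduced from a packet capture of the UDP/500 exchange without any key material, which makes it a useful way to separate a malformed packet from a key problem when the debug output alone is ambiguous.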
 
One possibility is that the pre-shared keys on the two ends are not the same. Please verify that the pre-shared keys configured at the two ends are identical. If necessary delete them and type them in again making sure that they are the same.

Cisco da Gama
 
Thanks for your response, but I changed the pre-shared key several times and I still get the same error on debug, and the console gives me this error:
5d00h: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 83.17.159.254 failed its sanity check or is malformed.
I know this means that the pre-shared keys are incorrect, but I'm sure that when I enter the keys on both routers they are the same. Any idea?
Mac Foxx

 
Can you try getting the output from "debug crypto isakmp error" and post that? That will give more details about what the ISAKMP error is about. Please remember to turn on buffered logging (with "logging buffered 10000" or something like that) and, after recreating the error with the ISAKMP error message, do a "show log" to see the debug output. That may have some clues to the problem.

BTW, what version of IOS are you running? Also, if you can, please post your crypto configs (after sanitizing them).

Cisco da Gama
 
Hi Ciscodagama
You can see the output from "debug crypto isakmp error" in my first message, and show log gives me only this output:
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 83.17.159.254 failed its sanity check or is malformed.
My IOS version is 12.3(9)
This is my partial config:
!
crypto isakmp policy 3
hash md5
authentication pre-share
group 2
crypto isakmp key password address 83.17.159.254 no-xauth
!
crypto isakmp client configuration group 3000client
key password
dns 194.204.152.34
domain bytom.private
pool ippool
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set rtpset2 esp-des esp-sha-hmac
crypto ipsec transform-set rtpset3 esp-null esp-md5-hmac
crypto ipsec transform-set rtpset4 esp-null esp-sha-hmac
crypto ipsec transform-set rtpset5 esp-des
crypto ipsec transform-set rtpset6 ah-md5-hmac esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 3 ipsec-isakmp
set peer 83.17.159.254
set transform-set myset rtpset2 rtpset3 rtpset4 rtpset5
match address 115
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0/0
description connected to EthernetLAN
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip tcp adjust-mss 1452
half-duplex
!
interface Serial0/0
no ip address
shutdown
!
interface Ethernet1/0
description connected to Internet
ip address 80.53.211.126 255.255.255.252
ip access-group 102 in
ip nat outside
half-duplex
crypto map clientmap
!
router rip
version 2
passive-interface Ethernet1/0
network 192.168.1.0
no auto-summary
!
ip local pool ippool 192.168.5.10 192.168.5.20
ip nat inside source route-map SDM_RMAP_1 interface Ethernet1/0 overload
ip nat inside source route-map nonat interface Ethernet1/0 overload
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip classless
ip route 0.0.0.0 0.0.0.0 80.53.211.125
!
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
access-list 100 permit icmp any any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit udp any eq rip any eq rip
access-list 102 remark SDM_ACL Category=17
access-list 102 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit udp host 83.17.159.254 host 80.53.211.126 eq non500-isakmp
access-list 102 permit udp host 83.17.159.254 host 80.53.211.126 eq isakmp
access-list 102 permit esp host 83.17.159.254 host 80.53.211.126
access-list 102 permit ahp host 83.17.159.254 host 80.53.211.126
access-list 102 permit ip host 192.168.5.10 any
access-list 102 permit ip host 192.168.5.11 any
access-list 102 permit ip host 192.168.5.12 any
access-list 102 permit ip host 192.168.5.13 any
access-list 102 permit ip host 192.168.5.14 any
access-list 102 permit ip host 192.168.5.15 any
access-list 102 permit ip host 192.168.5.16 any
access-list 102 permit ip host 192.168.5.17 any
access-list 102 permit ip host 192.168.5.18 any
access-list 102 permit ip host 192.168.5.19 any
access-list 102 permit ip host 192.168.5.20 any
access-list 102 permit esp any any
access-list 102 permit udp any any eq isakmp
access-list 102 permit ip any any
access-list 102 permit udp any host 80.53.211.126 eq isakmp
access-list 102 permit udp any host 80.53.211.126 eq non500-isakmp
access-list 102 permit esp any host 80.53.211.126
access-list 102 permit ahp any host 80.53.211.126
access-list 103 remark SDM_ACL Category=2
access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 deny ip any host 192.168.5.10
access-list 103 deny ip any host 192.168.5.11
access-list 103 deny ip any host 192.168.5.12
access-list 103 deny ip any host 192.168.5.13
access-list 103 deny ip any host 192.168.5.14
access-list 103 deny ip any host 192.168.5.15
access-list 103 deny ip any host 192.168.5.16
access-list 103 deny ip any host 192.168.5.17
access-list 103 deny ip any host 192.168.5.18
access-list 103 deny ip any host 192.168.5.19
access-list 103 deny ip any host 192.168.5.20
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 108 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 110 remark SDM_ACL Category=18
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 deny ip any host 192.168.5.10
access-list 110 deny ip any host 192.168.5.11
access-list 110 deny ip any host 192.168.5.12
access-list 110 deny ip any host 192.168.5.13
access-list 110 deny ip any host 192.168.5.14
access-list 110 deny ip any host 192.168.5.15
access-list 110 deny ip any host 192.168.5.16
access-list 110 deny ip any host 192.168.5.17
access-list 110 deny ip any host 192.168.5.18
access-list 110 deny ip any host 192.168.5.19
access-list 110 deny ip any host 192.168.5.20
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
route-map SDM_RMAP_1 permit 1
match ip address 103
!
route-map nonat permit 10
match ip address 110
!
BTW, I can connect to the router from the Cisco VPN client without any problem.
Thanks for any advice
Mac Foxx
 
This is from Cisco's website:

IKE Message From X.X.X.X Failed Its Sanity Check or Is Malformed

This debug error appears if the pre-shared keys on the peers do not match. In order to fix this issue, check the pre-shared keys on both sides.

1d00H:%CRPTO-4-IKMP_BAD_MESSAGE: IKE message from 150.150.150.1 failed its sanity check or is malformed

Try using a longer key. There is definitely an ISAKMP key mismatch.
 
Have you got your VPN to work?
I have a RV042 and I've got my vpn to work, mostly.
 
Hello Tangostar
It doesn't work, still the same error. I tried many configurations and nothing.
Can you give me some information, like what Cisco router you've got? IOS version? Any example of your configuration?
Regards
 
I have a cisco 1812
my remote routers are linksys RV042 and RV082

config I'm using is:

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key xxxxxxxxxx address 66.11.xx.xx no-xauth
crypto isakmp key xxxxxxxxxx address 207.139.xxx.xxx no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30
!
!
crypto ipsec transform-set laval esp-3des esp-md5-hmac
crypto ipsec transform-set alpine esp-3des esp-sha-hmac
!
crypto map quebec 1 ipsec-isakmp
description Tunnel to Alpine crypto-map
set peer 207.139.xx.xx
set transform-set alpine
match address 100
crypto map quebec 2 ipsec-isakmp
description Tunnel to Laval crypto-map
set peer 66.11.xx.xx
set transform-set alpine
match address 102
!
!
!
interface Tunnel0
description tunnel to Alpine
no ip address
ip mtu 1454
tunnel source 66.225.xxx.xxx
tunnel destination 216.95.xxx.xx
crypto map quebec
!
interface Tunnel1
description tunel to Laval
no ip address
tunnel source 66.225.xxx.xxx
tunnel destination 207.164.xxx.xx
tunnel path-mtu-discovery
crypto map quebec
!
interface FastEthernet0
description Terago$FW_OUTSIDE$$ES_WAN$$ETH-WAN$
ip address 66.225.xxx.xxx 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
speed 10
full-duplex
crypto map quebec
!
interface FastEthernet1
description WOW$ETH-LAN$
ip address 209.162.xxx.xxx 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto

interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 10.0.0.6 255.255.255.0
ip helper-address 10.0.0.22
ip mask-reply
ip directed-broadcast
ip nat inside
ip virtual-reassembly
ip route-cache flow

ip classless
ip default-network 10.0.0.0
ip route 0.0.0.0 0.0.0.0 66.225.xxx.xxx permanent
ip route 10.0.0.0 255.255.255.0 Vlan1 permanent
ip route 192.168.0.0 255.255.255.0 Tunnel1 permanent
ip route 192.168.123.0 255.255.255.0 Tunnel0 permanent
!


access-list 100 permit ip 10.0.0.0 0.0.255.255 192.168.123.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 permit ip 10.0.0.0 0.0.255.255 192.168.0.0 0.0.0.255
 
Thanks for your configuration. I tried something similar but still got the same error. Could you tell me what ports you opened for the IPsec and ISAKMP protocols on the outside interface? Maybe that is where I made a mistake.
Mac
 
Sorry, I didn't make any other changes.
The Cisco is my gateway, so the next machine is my ISP's.
 