    #1 - notgoing2fail (Senior Member; Join Date: Mar 2010; Location: New York; Posts: 1,140; Certifications: CCNA, CCNA(Security), CSSA)

    Oh the joys of SDM.....

    Ok, I'll try not to make this a long post so please bear with me.

    My VPN tunnel works between two routers. There is no question about it. I configured everything via CLI and was able to ping across.

    I then loaded up SDM only to see that SDM seems to think my tunnel is down. I ran a "tunnel test" and it seems to think there is an issue.

    So I went ahead and deleted my CLI config and configured my VPN the "SDM way" by using SDM. Again, SDM thinks the tunnel is down, but it's not. All traffic works, all show crypto commands show that the tunnel is up.

    The only thing that thinks the tunnel is down is SDM. Also, I've closed SDM and relaunched it with no success, hoping a clean refresh would work with SDM; it still thinks my tunnel is down.

    Attached are two of the same pictures, one small and one large.

    Could anyone please take a look and let me know your thoughts? I really detest SDM. My pictures prove that pings across both ways work. Below is just a quick structure of my VPN.



    (Host: 172.16.0.5) ----- (Fa1: 172.16.0.1)(Fa0: 10.0.0.1) ------ (Fa0: 10.0.0.2)(Fa1: 192.168.50.1) -----(Host: 192.168.50.5)


    Host <----> 1811 Router <----> 3620 Router <----> Host



    FYI: When I run the tunnel test on the SDM and tell it to ping a host on the other side, that host actually responds because I've issued debug ip icmp, so it gets the pings and it responds. Yet SDM gives me back an error saying it cannot ping the device....so frustrating....

    FYI 2: I've also tested the tunnel by initiating the pings myself manually and still receive the same error from SDM....
    #2 - Left for Android! =) (Join Date: Dec 2008; Location: Upstate NY; Posts: 648; Certifications: A+, Network+, CCNA)
    Did you delete your CLI configs from both routers? If so, did you SDM config the other router?

    Just spitballing....

    #3 - notgoing2fail
    Originally Posted by captobvious:
    Did you delete your CLI configs from both routers? If so, did you SDM config the other router?

    Just spitballing....

    The other router, the 3620, doesn't support SDM unfortunately, and if it does, someone please let me know. But when I configured the SDM and clicked on the "mirror config" option, I compared the configs and they were identical other than SDM having "SDM" in its naming convention....

    #4 - Junior Member (Join Date: May 2010; Location: Florida; Posts: 10; Certifications: MCSE:M, CCNA:S, VCA-DCV)
    What does "show crypto isakmp sa" report for the state on each endpoint?

    Might want to enable "debug crypto isakmp" and "debug crypto ipsec", then ping across to bring the tunnel up and watch the logs on each side to see what's going on.

    #5 - notgoing2fail
    Originally Posted by k2737:
    What does "show crypto isakmp sa" report for the state on each endpoint?

    Might want to enable "debug crypto isakmp" and "debug crypto ipsec", then ping across to bring the tunnel up and watch the logs on each side to see what's going on.

    I can post that info once I get my lab back up again. Perhaps there's something someone can spot. But again, the issue, to be clear, is that the tunnel and VPN work.

    SDM to me I think is the issue....if I never have to see SDM again, I'd be very happy....

    #6 - Left for Android! =)
    Just because you can ping doesn't mean a tunnel is set up. That's why k2737 was asking you to check the isakmp security associations.

    #7 - notgoing2fail
    Originally Posted by captobvious:
    Just because you can ping doesn't mean a tunnel is set up. That's why k2737 was asking you to check the isakmp security associations.
    I'll post the info soon; the info he's looking for definitely shows the tunnel is up. The QM idle status and all that good stuff looks good on my end.

    But it would be nice to have a fresh set of eyes take a look, perhaps I missed something...

    #8 - notgoing2fail
    Here's the show crypto isakmp sa, and show crypto ipsec sa for both routers. I'll do a separate post for each one just to keep things organized....


    Code:
    RTR-1811W#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    10.0.0.2        10.0.0.1        QM_IDLE           2001 ACTIVE
    
    
    
    RTR-1811W#sh crypto ipsec sa
    
    interface: FastEthernet0
        Crypto map tag: SDM_CMAP_1, local addr 10.0.0.1
    
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
       current_peer 10.0.0.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
        #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 1, #recv errors 0
    
         local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
         current outbound spi: 0x8ADE83C1(2329838529)
         PFS (Y/N): N, DH group: none
    
         inbound esp sas:
          spi: 0xB2B26F3F(2998038335)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4539282/3518)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
    
         inbound ah sas:
    
         inbound pcp sas:
    
         outbound esp sas:
          spi: 0x8ADE83C1(2329838529)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4539282/3518)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
    
         outbound ah sas:
    
         outbound pcp sas:

    #9 - notgoing2fail
    Code:
    RTR-3620#sh crypto isakmp sa
    dst             src             state          conn-id slot
    10.0.0.2        10.0.0.1        QM_IDLE              1    0 
    
    
    
    RTR-3620#sh crypto ipsec sa
    
    interface: Ethernet0/0
        Crypto map tag: S2S-2, local addr. 10.0.0.2
    
       protected vrf:
       local  ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
       current_peer: 10.0.0.1:500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 2, #pkts encrypt: 2, #pkts digest 2
        #pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
    
         local crypto endpt.: 10.0.0.2, remote crypto endpt.: 10.0.0.1
         path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
         current outbound spi: B2B26F3F
    
         inbound esp sas:
          spi: 0x8ADE83C1(2329838529)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 2000, flow_id: 1, crypto map: S2S-2
            sa timing: remaining key lifetime (k/sec): (4595179/3307)
            IV size: 8 bytes
            replay detection support: Y
    
         inbound ah sas:
    
         inbound pcp sas:
    
         outbound esp sas:
          spi: 0xB2B26F3F(2998038335)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 2001, flow_id: 2, crypto map: S2S-2
            sa timing: remaining key lifetime (k/sec): (4595179/3307)
            IV size: 8 bytes
            replay detection support: Y
    
         outbound ah sas:
    
         outbound pcp sas:
    RTR-3620#
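The two pairs of "show crypto" outputs above (#8 and #9) are exactly what k2737 and captobvious asked for, and they can be checked mechanically rather than by eye. The Python below is an added example written for this thread; it is not code from the thread, from notgoing2fail or from Cisco. It parses "show crypto isakmp sa" and "show crypto ipsec sa" text in both formats shown (the 1811W's IOS 15.1 layout and the 3620's older one), reports per-endpoint findings (phase 1 in QM_IDLE, inbound and outbound ESP SAs present and ACTIVE, traffic in both directions, error counters) and then cross-checks the two routers against each other: the crypto-ACL identities must be mirror images and each side's inbound SPI must be the other side's outbound SPI. The function and field names are my own, and the sample strings are constructed to match the shape of the output above, not copied from it.

```python
"""Check an IOS IPsec tunnel from 'show crypto isakmp sa' + 'show crypto ipsec sa' text.
Added example for this thread, not code from the thread or from Cisco; it relies only on
field names visible in the two routers' output, and the sample strings are constructed."""
import re
from dataclasses import dataclass, field

IP = r"\d+\.\d+\.\d+\.\d+"

@dataclass
class IpsecSummary:
    peer: str = ""
    local_ident: str = ""    # crypto-ACL identities (addr/mask/prot/port)
    remote_ident: str = ""
    encaps: int = 0          # packets encrypted into the tunnel
    decaps: int = 0          # packets decrypted out of the tunnel
    send_errors: int = 0
    recv_errors: int = 0
    inbound_spis: list = field(default_factory=list)
    outbound_spis: list = field(default_factory=list)
    statuses: list = field(default_factory=list)   # per-SA 'Status:' lines (newer IOS only)

def parse_isakmp_sa(text):
    """(dst, src, state) for every ISAKMP SA row; header rows carry no IPs and are skipped."""
    rows = (re.match(rf"\s*({IP})\s+({IP})\s+(\S+)", ln) for ln in text.splitlines())
    return [m.groups() for m in rows if m]

def parse_ipsec_sa(text):
    """Peer, identities, counters and ESP SPIs from 'show crypto ipsec sa' in either IOS format."""
    s, section = IpsecSummary(), None   # section = (direction, protocol) inside an SA list
    for ln in text.splitlines():
        if m := re.search(rf"current_peer:?\s*({IP})", ln):
            s.peer = m.group(1)
        elif m := re.search(r"(local|remote)\s+ident\s*\(.*?\):\s*\((.+?)\)", ln):
            setattr(s, f"{m.group(1)}_ident", m.group(2))
        elif m := re.search(r"#pkts encaps:\s*(\d+)", ln):
            s.encaps = int(m.group(1))
        elif m := re.search(r"#pkts decaps:\s*(\d+)", ln):
            s.decaps = int(m.group(1))
        elif m := re.search(r"#send errors\s*(\d+),\s*#recv errors\s*(\d+)", ln):
            s.send_errors, s.recv_errors = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"\s*(inbound|outbound)\s+(esp|ah|pcp)\s+sas:", ln):
            section = (m.group(1), m.group(2))
        elif (m := re.match(r"\s*spi:\s*0x([0-9A-Fa-f]+)", ln)) and section and section[1] == "esp":
            getattr(s, f"{section[0]}_spis").append("0x" + m.group(1).upper())
        elif m := re.match(r"\s*Status:\s*(\S+)", ln):
            s.statuses.append(m.group(1))
    return s

def tunnel_health(text):
    """Findings for one endpoint given both show outputs; an empty list means it looks up."""
    findings, s = [], parse_ipsec_sa(text)
    if not any(state == "QM_IDLE" for _, _, state in parse_isakmp_sa(text)):
        findings.append("no ISAKMP SA in QM_IDLE: phase 1 is not established")
    if not (s.inbound_spis and s.outbound_spis):
        findings.append("missing inbound or outbound ESP SA: phase 2 is not established")
    if bad := [st for st in s.statuses if st != "ACTIVE"]:
        findings.append(f"ESP SA status not ACTIVE: {bad}")
    if s.encaps == 0 or s.decaps == 0:
        findings.append(f"one-way traffic (encaps={s.encaps}, decaps={s.decaps}): check crypto ACL and routing")
    if s.send_errors or s.recv_errors:
        findings.append(f"send errors={s.send_errors}, recv errors={s.recv_errors}: often just the packet that triggered negotiation; suspicious only if it keeps growing")
    return findings

def cross_check(a, b):
    """Both endpoints together: identities must mirror and each side's inbound SPIs must be the other's outbound."""
    findings = []
    if (a.local_ident, a.remote_ident) != (b.remote_ident, b.local_ident):
        findings.append("crypto ACL identities are not mirror images of each other")
    if set(a.inbound_spis) != set(b.outbound_spis) or set(a.outbound_spis) != set(b.inbound_spis):
        findings.append("ESP SPIs do not pair up: the two sides are not sharing one SA pair")
    return findings

# Constructed samples shaped like the 1811W (IOS 15.1) and 3620 (older IOS) output above.
A_TEXT = """dst             src             state          conn-id status
10.0.0.2        10.0.0.1        QM_IDLE           2001 ACTIVE
   local  ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
   current_peer 10.0.0.2 port 500
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #send errors 1, #recv errors 0
     inbound esp sas:
      spi: 0xB2B26F3F(2998038335)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x8ADE83C1(2329838529)
        Status: ACTIVE
"""
B_TEXT = """dst             src             state          conn-id slot
10.0.0.2        10.0.0.1        QM_IDLE              1    0
   local  ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
   current_peer: 10.0.0.1:500
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest 2
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x8ADE83C1(2329838529)
     outbound esp sas:
      spi: 0xB2B26F3F(2998038335)
"""
```

Feed each router's two outputs, pasted together, to tunnel_health(), then cross_check() the two parse_ipsec_sa() results. Against the constructed samples the 3620 side is clean, the 1811W side reports only the single send error (the first packet that kicked off negotiation, as the thread's own counters suggest), and the cross-check passes because 0xB2B26F3F is inbound on the 1811W and outbound on the 3620 while 0x8ADE83C1 runs the other way. A tunnel that really were down would fail one of the first two checks rather than any GUI test.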

    #10 - Junior Member
    Can you post both configs?

    #11 - Senior Member (Join Date: Apr 2008; Location: Tampa, Fl; Posts: 1,097; Certifications: A Few....)
    Notgoing2fail,

    It's hard to tell without the configs. Can you clear the tunnel (clear ipsec sa) and then run a debug ipsec sa & debug isakmp sa and post the results from those commands? That will show the debug of your tunnel coming up.

    HTH

    #12 - notgoing2fail
    Yes, I'll post the configs, just need to turn my lab back on....I'll go ahead and run the debug as soon as I turn them on and post the output....

    #13 - notgoing2fail
    Below are the debugs for "crypto isakmp" for both routers.....it's quite a doozy!!
    And yes, I realize the dates are off....

    Code:
    *May  7 17:42:39.227: ISAKMP:(0): SA request profile is (NULL)
    *May  7 17:42:39.231: ISAKMP: Created a peer struct for 10.0.0.2, peer port 500
    *May  7 17:42:39.231: ISAKMP: New peer created peer = 0x85337CA8 peer_handle = 0x80000002
    *May  7 17:42:39.231: ISAKMP: Locking peer struct 0x85337CA8, refcount 1 for isakmp_initiator
    *May  7 17:42:39.231: ISAKMP: local port 500, remote port 500
    *May  7 17:42:39.231: ISAKMP: set new node 0 to QM_IDLE      
    *May  7 17:42:39.231: ISAKMP:(0):insert sa successfully sa = 86338134
    *May  7 17:42:39.231: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    *May  7 17:42:39.231: ISAKMP:(0):found peer pre-shared key matching 10.0.0.2
    *May  7 17:42:39.231: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    *May  7 17:42:39.231: ISAKMP:(0): constructed NAT-T vendor-07 ID
    *May  7 17:42:39.231: ISAKMP:(0): constructed NAT-T vendor-03 ID
    *May  7 17:42:39.231: ISAKMP:(0): constructed NAT-T vendor-02 ID
    *May  7 17:42:39.231: ISAKMP:(0):Input 
    RTR-1811W#= IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    *May  7 17:42:39.231: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 
    
    *May  7 17:42:39.231: ISAKMP:(0): beginning Main Mode exchange
    *May  7 17:42:39.231: ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
    *May  7 17:42:39.231: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *May  7 17:42:39.443: ISAKMP (0): received packet from 10.0.0.2 dport 500 sport 500 Global (I) MM_NO_STATE
    *May  7 17:42:39.443: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *May  7 17:42:39.443: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2 
    
    *May  7 17:42:39.443: ISAKMP:(0): processing SA payload. message ID = 0
    *May  7 17:42:39.443: ISAKMP:(0): processing vendor id payload
    *May  7 17:42:39.443: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    *May  7 17:42:39.443: ISAKMP (0): vendor ID is NAT-T v7
    *May  7 17:42:39.443: ISAKMP:(0):found peer pre-shared key matching 10.0.0.2
    *May  7 17:42:39.443: ISAKMP:(0): local preshared key found
    *May  7 17:42:39.443: ISAKMP : Scanning profiles for xauth ...
    *May  7 17:42:39.443: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    *May  7 17:42:39.447: ISAKMP:      encryption 3DES-CBC
    *May  7 17:42:39.447: ISAKMP:      hash MD5
    *May  7 17:42:39.447: ISAKMP:      default group 2
    *May  7 17:42:39.447: ISAKMP:      auth pre-share
    *May  7 17:42:39.447: ISAKMP:      life type in seconds
    *May  7 17:42:39.447: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
    *May  7 17:42:39.447: ISAKMP:(0):atts are acceptable. Next payload is 0
    *May  7 17:42:39.447: ISAKMP:(0):Acceptable atts:actual life: 0
    *May  7 17:42:39.447: ISAKMP:(0):Acceptable atts:life: 0
    *May  7 17:42:39.447: ISAKMP:(0):Fill atts in sa vpi_length:4
    *May  7 17:42:39.447: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    *May  7 17:42:39.447: ISAKMP:(0):Returning Actual lifetime: 86400
    *May  7 17:42:39.447: ISAKMP:(0)::Started lifetime timer: 86400.
    
    *May  7 17:42:39.447: ISAKMP:(0): processing vendor id payload
    *May  7 17:42:39.447: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    *May  7 17:42:39.447: ISAKMP (0): vendor ID is NAT-T v7
    *May  7 17:42:39.447: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *May  7 17:42:39.447: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2 
    
    *May  7 17:42:39.447: ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
    *May  7 17:42:39.447: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *May  7 17:42:39.447: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *May  7 17:42:39.447: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3 
    
    *May  7 17:42:39.687: ISAKMP (0): received packet from 10.0.0.2 dport 500 sport 500 Global (I) MM_SA_SETUP
    *May  7 17:42:39.687: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *May  7 17:42:39.687: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4 
    
    *May  7 17:42:39.687: ISAKMP:(0): processing KE payload. message ID = 0
    *May  7 17:42:39.719: ISAKMP:(0): processing NONCE payload. message ID = 0
    *May  7 17:42:39.719: ISAKMP:(0):found peer pre-shared key matching 10.0.0.2
    *May  7 17:42:39.719: ISAKMP:(2001): processing vendor id payload
    *May  7 17:42:39.719: ISAKMP:(2001): vendor ID is Unity
    *May  7 17:42:39.719: ISAKMP:(2001): processing vendor id payload
    *May  7 17:42:39.719: ISAKMP:(2001): vendor ID is DPD
    *May  7 17:42:39.719: ISAKMP:(2001): processing vendor id payload
    *May  7 17:42:39.719: ISAKMP:(2001): speaking to another IOS box!
    *May  7 17:42:39.719: ISAKMP (2001): His hash no match - this node outside NAT
    *May  7 17:42:39.719: ISAKMP (2001): No NAT Found for self or peer
    *May  7 17:42:39.719: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *May  7 17:42:39.719: ISAKMP:(2001):Old State = IKE_I_MM4  New State = IKE_I_MM4 
    
    *May  7 17:42:39.723: ISAKMP:(2001):Send initial contact
    *May  7 17:42:39.723: ISAKMP:(2001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    *May  7 17:42:39.723: ISAKMP (2001): ID payload 
        next-payload : 8
        type         : 1 
        address      : 10.0.0.1 
        protocol     : 17 
        port         : 500 
        length       : 12
    *May  7 17:42:39.723: ISAKMP:(2001):Total payload length: 12
    *May  7 17:42:39.723: ISAKMP:(2001): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *May  7 17:42:39.723: ISAKMP:(2001):Sending an IKE IPv4 Packet.
    *May  7 17:42:39.723: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *May  7 17:42:39.723: ISAKMP:(2001):Old State = IKE_I_MM4  New State = IKE_I_MM5 
    
    *May  7 17:42:39.751: ISAKMP (2001): received packet from 10.0.0.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
    *May  7 17:42:39.751: ISAKMP:(2001): processing ID payload. message ID = 0
    *May  7 17:42:39.751: ISAKMP (2001): ID payload 
        next-payload : 8
        type         : 1 
        address      : 10.0.0.2 
        protocol     : 17 
        port         : 500 
        length       : 12
    *May  7 17:42:39.751: ISAKMP:(0):: peer matches *none* of the profiles
    *May  7 17:42:39.751: ISAKMP:(2001): processing HASH payload. message ID = 0
    *May  7 17:42:39.751: ISAKMP:(2001):SA authentication status:
        authenticated
    *May  7 17:42:39.751: ISAKMP:(2001):SA has been authenticated with 10.0.0.2
    *May  7 17:42:39.751: ISAKMP: Trying to insert a peer 10.0.0.1/10.0.0.2/500/,  and inserted successfully 85337CA8.
    *May  7 17:42:39.751: ISAKMP:(2001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *May  7 17:42:39.751: ISAKMP:(2001):Old State = IKE_I_MM5  New State = IKE_I_MM6 
    
    *May  7 17:42:39.751: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *May  7 17:42:39.751: ISAKMP:(2001):Old State = IKE_I_MM6  New State = IKE_I_MM6 
    
    *May  7 17:42:39.751: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *May  7 17:42:39.751: ISAKMP:(2001):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE 
    
    *May  7 17:42:39.751: ISAKMP:(2001):beginning Quick Mode exchange, M-ID of 518492717
    *May  7 17:42:39.751: ISAKMP:(2001):QM Initiator gets spi
    *May  7 17:42:39.751: ISAKMP:(2001): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) QM_IDLE      
    *May  7 17:42:39.751: ISAKMP:(2001):Sending an IKE IPv4 Packet.
    *May  7 17:42:39.755: ISAKMP:(2001):Node 518492717, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    *May  7 17:42:39.755: ISAKMP:(2001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    *May  7 17:42:39.755: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    *May  7 17:42:39.755: ISAKMP:(2001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 
    
    *May  7 17:42:40.039: ISAKMP (2001): received packet from 10.0.0.2 dport 500 sport 500 Global (I) QM_IDLE      
    *May  7 17:42:40.039: ISAKMP:(2001): processing HASH payload. message ID = 518492717
    *May  7 17:42:40.039: ISAKMP:(2001): processing SA payload. message ID = 518492717
    *May  7 17:42:40.039: ISAKMP:(2001):Checking IPSec proposal 1
    *May  7 17:42:40.039: ISAKMP: transform 1, ESP_3DES
    *May  7 17:42:40.039: ISAKMP:   attributes in transform:
    *May  7 17:42:40.039: ISAKMP:      encaps is 1 (Tunnel)
    *May  7 17:42:40.039: ISAKMP:      SA life type in seconds
    *May  7 17:42:40.039: ISAKMP:      SA life duration (basic) of 3600
    *May  7 17:42:40.039: ISAKMP:      SA life type in kilobytes
    *May  7 17:42:40.039: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
    *May  7 17:42:40.039: ISAKMP:      authenticator is HMAC-SHA
    *May  7 17:42:40.039: ISAKMP:(2001):atts are acceptable.
    *May  7 17:42:40.039: ISAKMP:(2001): processing NONCE payload. message ID = 518492717
    *May  7 17:42:40.039: ISAKMP:(2001): processing ID payload. message ID = 518492717
    *May  7 17:42:40.039: ISAKMP:(2001): processing ID payload. message ID = 518492717
    *May  7 17:42:40.039: ISAKMP:(2001): Creating IPSec SAs
    *May  7 17:42:40.043:         inbound SA from 10.0.0.2 to 10.0.0.1 (f/i)  0/ 0
            (proxy 192.168.50.0 to 172.16.0.0)
    *May  7 17:42:40.043:         has spi 0x5E6F578E and conn_id 0
    *May  7 17:42:40.043:         lifetime of 3600 seconds
    *May  7 17:42:40.043:         lifetime of 4608000 kilobytes
    *May  7 17:42:40.043:         outbound SA from 10.0.0.1 to 10.0.0.2 (f/i) 0/0
            (proxy 172.16.0.0 to 192.168.50.0)
    *May  7 17:42:40.043:         has spi  0xB8E76FE7 and conn_id 0
    *May  7 17:42:40.043:         lifetime of 3600 seconds
    *May  7 17:42:40.043:         lifetime of 4608000 kilobytes
    *May  7 17:42:40.043: ISAKMP:(2001): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) QM_IDLE      
    *May  7 17:42:40.043: ISAKMP:(2001):Sending an IKE IPv4 Packet.
    *May  7 17:42:40.043: ISAKMP:(2001):deleting node 518492717 error FALSE reason "No Error"
    *May  7 17:42:40.043: ISAKMP:(2001):Node 518492717, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    *May  7 17:42:40.043: ISAKMP:(2001):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
    RTR-1811W#
    RTR-1811W#
    *May  7 17:43:30.043: ISAKMP:(2001):purging node 518492717
    RTR-1811W#
    Code:
    *Mar  1 00:22:02.811: ISAKMP (0:0): received packet from 10.0.0.1 dport 500 sport 500 Global (N) NEW SA
    *Mar  1 00:22:02.811: ISAKMP: Created a peer struct for 10.0.0.1, peer port 500
    *Mar  1 00:22:02.811: ISAKMP: Locking peer struct 0x62CB5120, IKE refcount 1 for Responding to new initiation
    *Mar  1 00:22:02.815: ISAKMP: local port 500, remote port 500
    *Mar  1 00:22:02.815: ISAKMP: insert sa successfully sa = 62F61DC0
    *Mar  1 00:22:02.819: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Mar  1 00:22:02.819: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_R_MM1 
    
    *Mar  1 00:22:02.823: ISAKMP (0:1): processing SA payload. message ID = 0
    *Mar  1 00:22:02.823: ISAKMP (0:1): processing vendor id payload
    *Mar  1 00:22:02.823: ISAKMP (0:1): vendor ID seems Unity/DPD but major 69 mismatch
    *Mar  1 00:22:02.823: ISAKMP (0:1): processing vendor id payload
    *Mar  1 00:22:02.823: ISAKMP (0:1): vendor ID seems Unity/DPD but major 245 mismatch
    *Mar  1 00:22:02.823: ISAKMP (0:1): vendor ID is NAT-T v7
    *Mar  1 00:22:02.823: ISAKMP (0:1): processing vendor id payload
    *Mar  1 00:22:02.823: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
    *Mar  1 00:22:02.827: ISAKMP (0:1): vendor ID is NAT-T v3
    *Mar  1 00:22:02.827: ISAKMP (0:1): processing vendor id payload
    *Mar  1 00:22:02.827: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123 mismatch
    *Mar  1 00:22:02.827: ISAKMP (0:1): vendor ID is NAT-T v2
    *Mar  1 00:22:02.827: ISAKMP: Looking for a matching key for 10.0.0.1 in default : success
    *Mar  1 00:22:02.827: ISAKMP (0:1): found peer pre-shared key matching 10.0.0.1
    *Mar  1 00:22:02.827: ISAKMP (0:1) local preshared key found
    *Mar  1 00:22:02.827: ISAKMP : Scanning profiles for xauth ...
    *Mar  1 00:22:02.827: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
    *Mar  1 00:22:02.827: ISAKMP:      encryption 3DES-CBC
    *Mar  1 00:22:02.827: ISAKMP:      hash MD5
    *Mar  1 00:22:02.831: ISAKMP:      default group 2
    *Mar  1 00:22:02.831: ISAKMP:      auth pre-share
    *Mar  1 00:22:02.831: ISAKMP:      life type in seconds
    *Mar  1 00:22:02.831: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
    *Mar  1 00:22:02.831: ISAKMP (0:1): atts are acceptable. Next payload is 3
    *Mar  1 00:22:03.003: ISAKMP (0:1): processing vendor id payload
    *Mar  1 00:22:03.007: ISAKMP (0:1): vendor ID seems Unity/DPD but major 69 mismatch
    *Mar  1 00:22:03.007: ISAKMP (0:1): processing vendor id payload
    *Mar  1 00:22:03.007: ISAKMP (0:1): vendor ID seems Unity/DPD but major 245 mismatch
    *Mar  1 00:22:03.007: ISAKMP (0:1): vendor ID is NAT-T v7
    *Mar  1 00:22:03.007: ISAKMP (0:1): processing vendor id payload
    *Mar  1 00:22:03.007: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
    *Mar  1 00:22:03.007: ISAKMP (0:1): vendor ID is NAT-T v3
    *Mar  1 00:22:03.007: ISAKMP (0:1): processing vendor id payload
    *Mar  1 00:22:03.011: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123 mismatch
    *Mar  1 00:22:03.011: ISAKMP (0:1): vendor ID is NAT-T v2
    *Mar  1 00:22:03.011: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Mar  1 00:22:03.011: ISAKMP (0:1): Old State = IKE_R_MM1  New State = IKE_R_MM1 
    
    *Mar  1 00:22:03.015: ISAKMP (0:1): constructed NAT-T vendor-07 ID
    *Mar  1 00:22:03.015: ISAKMP (0:1): sending packet to 10.0.0.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
    *Mar  1 00:22:03.015: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Mar  1 00:22:03.015: ISAKMP (0:1): Old State = IKE_R_MM1  New State = IKE_R_MM2 
    
    *Mar  1 00:22:03.027: ISAKMP (0:1): received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_SA_SETUP
    *Mar  1 00:22:03.027: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Mar  1 00:22:03.031: ISAKMP (0:1): Old State = IKE_R_MM2  New State = IKE_R_MM3 
    
    *Mar  1 00:22:03.031: ISAKMP (0:1): processing KE payload. message ID = 0
    *Mar  1 00:22:03.247: ISAKMP (0:1): processing NONCE payload. message ID = 0
    *Mar  1 00:22:03.247: ISAKMP: Looking for a matching key for 10.0.0.1 in default : success
    *Mar  1 00:22:03.247: ISAKMP (0:1): found peer pre-shared key matching 10.0.0.1
    *Mar  1 00:22:03.251: ISAKMP (0:1): SKEYID state generated
    *Mar  1 00:22:03.251: ISAKMP (0:1): processing vendor id payload
    *Mar  1 00:22:03.251: ISAKMP (0:1): vendor ID is DPD
    *Mar  1 00:22:03.251: ISAKMP (0:1): processing vendor id payload
    *Mar  1 00:22:03.255: ISAKMP (0:1): speaking to another IOS box!
    *Mar  1 00:22:03.255: ISAKMP (0:1): processing vendor id payload
    *Mar  1 00:22:03.255: ISAKMP (0:1): vendor ID seems Unity/DPD but major 27 mismatch
    *Mar  1 00:22:03.255: ISAKMP (0:1): vendor ID is XAUTH
    *Mar  1 00:22:03.255: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Mar  1 00:22:03.255: ISAKMP (0:1): Old State = IKE_R_MM3  New State = IKE_R_MM3 
    
    *Mar  1 00:22:03.259: ISAKMP (0:1): sending packet to 10.0.0.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    *Mar  1 00:22:03.259: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Mar  1 00:22:03.259: ISAKMP (0:1): Old State = IKE_R_MM3  New State = IKE_R_MM4 
    
    *Mar  1 00:22:03.303: ISAKMP (0:1): received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
    *Mar  1 00:22:03.303: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Mar  1 00:22:03.303: ISAKMP (0:1): Old State = IKE_R_MM4  New State = IKE_R_MM5 
    
    *Mar  1 00:22:03.307: ISAKMP (0:1): processing ID payload. message ID = 0
    *Mar  1 00:22:03.307: ISAKMP (0:1): ID payload 
        next-payload : 8
        type         : 1 
        address      : 10.0.0.1 
        protocol     : 17 
        port         : 500 
        length       : 12
    *Mar  1 00:22:03.307: ISAKMP (0:1): peer matches *none* of the profiles
    *Mar  1 00:22:03.307: ISAKMP (0:1): processing HASH payload. message ID = 0
    *Mar  1 00:22:03.311: ISAKMP (0:1): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 62F61DC0
    *Mar  1 00:22:03.311: ISAKMP (0:1): SA authentication status: 
        authenticated
    *Mar  1 00:22:03.311: ISAKMP (0:1): Process initial contact,
    bring down existing phase 1 and 2 SA's with local 10.0.0.2 remote 10.0.0.1 remote port 500
    *Mar  1 00:22:03.311: ISAKMP (0:1): SA authentication status: 
        authenticated
    *Mar  1 00:22:03.311: ISAKMP (0:1): SA has been authenticated with 10.0.0.1
    *Mar  1 00:22:03.311: ISAKMP (0:1): peer matches *none* of the profiles
    *Mar  1 00:22:03.315: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Mar  1 00:22:03.315: ISAKMP (0:1): Old State = IKE_R_MM5  New State = IKE_R_MM5 
    
    *Mar  1 00:22:03.315: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    *Mar  1 00:22:03.315: ISAKMP (0:1): ID payload 
        next-payload : 8
        type         : 1 
        address      : 10.0.0.2 
        protocol     : 17 
        port         : 500 
        length       : 12
    *Mar  1 00:22:03.319: ISAKMP (1): Total payload length: 12
    *Mar  1 00:22:03.319: ISAKMP (0:1): sending packet to 10.0.0.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    *Mar  1 00:22:03.323: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Mar  1 00:22:03.323: ISAKMP (0:1): Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE 
    
    *Mar  1 00:22:03.327: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    *Mar  1 00:22:03.327: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 
    
    *Mar  1 00:22:03.331: ISAKMP (0:1): received packet from 10.0.0.1 dport 500 sport 500 Global (R) QM_IDLE      
    *Mar  1 00:22:03.335: ISAKMP: set new node 518492717 to QM_IDLE      
    *Mar  1 00:22:03.339: ISAKMP (0:1): processing HASH payload. message ID = 518492717
    *Mar  1 00:22:03.339: ISAKMP (0:1): processing SA payload. message ID = 518492717
    *Mar  1 00:22:03.339: ISAKMP (0:1): Checking IPSec proposal 1
    *Mar  1 00:22:03.339: ISAKMP: transform 1, ESP_3DES
    *Mar  1 00:22:03.339: ISAKMP:   attributes in transform:
    *Mar  1 00:22:03.339: ISAKMP:      encaps is 1 (Tunnel)
    *Mar  1 00:22:03.339: ISAKMP:      SA life type in seconds
    *Mar  1 00:22:03.339: ISAKMP:      SA life duration (basic) of 3600
    *Mar  1 00:22:03.339: ISAKMP:      SA life type in kilobytes
    *Mar  1 00:22:03.339: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
    *Mar  1 00:22:03.339: ISAKMP:      authenticator is HMAC-SHA
    *Mar  1 00:22:03.343: ISAKMP (0:1): atts are acceptable.
    *Mar  1 00:22:03.343: ISAKMP (0:1): processing NONCE payload. message ID = 518492717
    *Mar  1 00:22:03.343: ISAKMP (0:1): processing ID payload. message ID = 518492717
    *Mar  1 00:22:03.343: ISAKMP (0:1): processing ID payload. message ID = 518492717
    *Mar  1 00:22:03.347: ISAKMP (0:1): asking for 1 spis from ipsec
    *Mar  1 00:22:03.347: ISAKMP (0:1): Node 518492717, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    *Mar  1 00:22:03.347: ISAKMP (0:1): Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
    *Mar  1 00:22:03.359: ISAKMP: received ke message (2/1)
    *Mar  1 00:22:03.603: ISAKMP: Locking peer struct 0x62CB5120, IPSEC refcount 1 for for stuff_ke
    *Mar  1 00:22:03.603: ISAKMP (0:1): Creating IPSec SAs
    *Mar  1 00:22:03.603:         inbound SA from 10.0.0.1 to 10.0.0.2 (f/i)  0/ 0
            (proxy 172.16.0.0 to 192.168.50.0)
    *Mar  1 00:22:03.607:         has spi 0xB8E76FE7 and conn_id 2000 and flags 2
    *Mar  1 00:22:03.607:         lifetime of 3600 seconds
    *Mar  1 00:22:03.607:         lifetime of 4608000 kilobytes
    *Mar  1 00:22:03.607:         has client flags 0x0
    *Mar  1 00:22:03.607:         outbound SA from 10.0.0.2        to 10.0.0.1        (f/i)  0/ 0 (proxy 192.168.50.0    to 172.16.0.0     )
    *Mar  1 00:22:03.607:         has spi 1584355214 and conn_id 2001 and flags A
    *Mar  1 00:22:03.607:         lifetime of 3600 seconds
    *Mar  1 00:22:03.607:         lifetime of 4608000 kilobytes
    *Mar  1 00:22:03.607:         has client flags 0x0
    *Mar  1 00:22:03.611: ISAKMP (0:1): sending packet to 10.0.0.1 my_port 500 peer_port 500 (R) QM_IDLE      
    *Mar  1 00:22:03.611: ISAKMP (0:1): Node 518492717, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
    *Mar  1 00:22:03.611: ISAKMP (0:1): Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
    *Mar  1 00:22:03.623: ISAKMP (0:1): received packet from 10.0.0.1 dport 500 sport 500 Global (R) QM_IDLE      
    *Mar  1 00:22:03.623: ISAKMP (0:1): deleting node 518492717 error FALSE reason "quick mode done (await)"
    *Mar  1 00:22:03.627: ISAKMP (0:1): Node 518492717, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    *Mar  1 00:22:03.627: ISAKMP (0:1): Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
    RTR-3620#
    *Mar  1 00:22:53.627: ISAKMP (0:1): purging node 518492717

  15. Senior Member notgoing2fail's Avatar
    Join Date
    Mar 2010
    Location
    New York
    Posts
    1,140

    Certifications
    CCNA, CCNA(Security), CSSA
    #14
    And here are my configs....


    Code:
    sh run
    Building configuration...
    
    Current configuration : 3748 bytes
    !
    version 15.1
    
    !
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname RTR-1811W
    !
    boot-start-marker
    boot-end-marker
    !
    no logging buffered
    enable secret 5 $1$JHH1$ExhFhZxJuOrLXRClMJkUn1
    !
    aaa new-model
    !
    !
    !
    !
    !
    !
    !
    aaa session-id common
    !
    !
    !
    dot11 syslog
    ip source-route
    !
    !
    !
    !
    ip cef
    no ip domain lookup
    ip domain name brandontek.com
    login on-failure log
    login on-success log
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    !
    username brandon privilege 15 password 0 cisco
    !
    crypto key pubkey-chain rsa
     named-key realm-cisco.pub signature
      key-string
       30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101 
       00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16 
       17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128 
       B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E 
       5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35 
       FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85 
       50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36 
       006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE 
       2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3 
       F3020301 0001
      quit
    !
    !
    crypto ikev2 diagnose error 50
    !
    !
    ip ssh version 2
    ! 
    !
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp policy 2
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key cisco address 10.0.0.2
    !
    !
    crypto ipsec transform-set BRANDON esp-des esp-md5-hmac 
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp 
     description Tunnel to10.0.0.2
     set peer 10.0.0.2
     set transform-set ESP-3DES-SHA 
     match address 100
    !
    !
    !
    !
    !
    interface Dot11Radio0
     no ip address
     shutdown
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role root
    !
    interface Dot11Radio1
     no ip address
     shutdown
     speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
     station-role root
    !
    interface FastEthernet0
     ip address 10.0.0.1 255.255.255.0
     duplex auto
     speed auto
     crypto map SDM_CMAP_1
    !
    interface FastEthernet1
     ip address 172.16.0.1 255.255.0.0
     duplex auto
     speed auto
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    !
    interface FastEthernet5
    !
    interface FastEthernet6
    !
    interface FastEthernet7
    !
    interface FastEthernet8
    !
    interface FastEthernet9
    !
    interface Vlan1
     no ip address
    !
    interface Async1
     no ip address
     encapsulation slip
    !
    router rip
     version 2
     network 192.168.50.0
    !
    ip forward-protocol nd
    ip http server
    ip http authentication local
    no ip http secure-server
    !
    !
    ip route 192.168.50.0 255.255.255.0 10.0.0.2
    !
    logging 150.113.156.5
    access-list 100 remark SDM_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.50.0 0.0.0.255
    access-list 101 remark SDM_ACL Category=16
    access-list 101 permit ip 172.16.0.0 0.0.255.255 192.168.50.0 0.0.0.255
    !
    !
    !
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
    line 1
     modem InOut
     stopbits 1
     speed 115200
     flowcontrol hardware
    line aux 0
    line vty 0 4
     exec-timeout 0 0
     privilege level 15
     password cisco
     monitor
     transport input telnet
    !
    end
    
    RTR-1811W#
    Code:
    sh run
    Building configuration...
    
    Current configuration : 1547 bytes
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname RTR-3620
    !
    boot-start-marker
    boot-end-marker
    !
    enable password cisco
    !
    no aaa new-model
    ip subnet-zero
    !
    !
    ip cef
    !
    ip audit po max-events 100
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    ! 
    !
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key cisco address 10.0.0.1 255.255.255.0
    !
    crypto ipsec security-association lifetime seconds 86400
    !
    crypto ipsec transform-set BRANDON esp-des esp-md5-hmac 
    crypto ipsec transform-set BRANDON2 esp-3des esp-sha-hmac 
    !
    crypto map S2S 1 ipsec-isakmp 
     set peer 10.0.0.1
     set transform-set BRANDON 
     set pfs group2
     match address 101
    !
    crypto map S2S-2 2 ipsec-isakmp 
     set peer 10.0.0.1
     set transform-set BRANDON2 
     match address 101
    !
    !
    !
    !
    interface Ethernet0/0
     ip address 10.0.0.2 255.255.255.0
     half-duplex
     crypto map S2S-2
    !
    interface Ethernet0/1
     ip address 192.168.50.1 255.255.255.0
     full-duplex
    !
    interface Serial1/0
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/1
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/2
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/3
     no ip address
     shutdown
     serial restart-delay 0
    !
    no ip http server
    no ip http secure-server
    ip classless
    ip route 172.16.0.0 255.255.0.0 10.0.0.1
    !
    !
    access-list 101 permit ip 192.168.50.0 0.0.0.255 172.16.0.0 0.0.255.255
    !
    !
    !
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     password cisco
     login
    !
    !
    end
    
    RTR-3620#

  16. Senior Member
    Join Date
    Apr 2008
    Location
    Tampa, Fl
    Posts
    1,097

    Certifications
    A Few....
    #15
    The tunnel looks as if it forms properly. The transform sets match... both IKE phase 1 & 2 are showing complete. Do you have any additional ACLs on your routers besides the one identifying your VPN traffic?

  17. Senior Member notgoing2fail's Avatar
    Join Date
    Mar 2010
    Location
    New York
    Posts
    1,140

    Certifications
    CCNA, CCNA(Security), CSSA
    #16
    Quote Originally Posted by peanutnoggin View Post
    The tunnel looks as if it forms properly. The transform sets match... both IKE phase 1 & 2 are showing complete. Do you have any additional ACLs on your routers besides the one identifying your VPN traffic?

    Nope, no other ACLs, no other networks... not even any routing protocols... just a static route on each router telling it how to direct traffic.

    The SDM created its own ACL called 101, I believe. But it's identical to 100, which is the one I created... it's using its own 101 (ACL), and when I do a ping and then show access-list, I can see the hit count incrementing.

    Again, ping wise and everything else, it's a 100% complete established VPN.

    The dumb SDM won't show that the tunnel is up though. And testing the tunnel from SDM says there's a problem pinging...I can't stand SDM...

    What the heck is its problem? It was bad enough I had to find a laptop with Windows XP and mix and match the perfect Java and Firefox to get it to work...

    Now that it's working, it provides wrong VPN status...

  18. Senior Member
    Join Date
    Oct 2006
    Location
    New York
    Posts
    251

    Certifications
    CCNA, CCNA:Security, CCDA, CCNP
    #17
    Can you ping from host A to host B? After doing so check to see if the packets are being encrypted by doing show crypto ipsec sa

  19. Senior Member
    Join Date
    Apr 2008
    Location
    Tampa, Fl
    Posts
    1,097

    Certifications
    A Few....
    #18
    You won't get any disagreement from me on the SDM!!! Are you having any additional SDM problems? What about your java? Have you had a java update or something like that? Config wise on your routers... you appear to be fine!!! Do you have another PC that has XP on it? Also, have you tried to launch SDM with IE instead of FF?

  20. Senior Member notgoing2fail's Avatar
    Join Date
    Mar 2010
    Location
    New York
    Posts
    1,140

    Certifications
    CCNA, CCNA(Security), CSSA
    #19
    Quote Originally Posted by Stotic View Post
    Can you ping from host A to host B? After doing so check to see if the packets are being encrypted by doing show crypto ipsec sa

    Oh absolutely. Did you look at my original post? I included screenshots of all the pings working. I know the quality didn't come out too well..

    I can provide ipsec sa data later today but I think most will agree the data from it will look fine....

  21. Senior Member notgoing2fail's Avatar
    Join Date
    Mar 2010
    Location
    New York
    Posts
    1,140

    Certifications
    CCNA, CCNA(Security), CSSA
    #20
    Quote Originally Posted by peanutnoggin View Post
    You won't get any disagreement from me on the SDM!!! Are you having any additional SDM problems? What about your java? Have you had a java update or something like that? Config wise on your routers... you appear to be fine!!! Do you have another PC that has XP on it? Also, have you tried to launch SDM with IE instead of FF?
    IE and FF both work. I've tried with Windows 7, definitely a no-no.

    I don't have any other XPs to test it out on. I tried a virtual XP on VMware and I got some kind of strange error installing Java...

    Other than this current issue, I do have one other issue which is not being able to configure my wireless radio. When I try to configure it, SDM will launch a separate browser and it will be blank...

    Honestly, I've wasted so much time on using SDM, the only reason why I'm playing with it is for my CCNA security exam. Unless I run into a client who demands I use SDM, I don't ever want to look at SDM again...

    It is utterly frustrating. It feels like the entire application is an afterthought from Cisco and that they only slapped something together because other vendors had a GUI interface....

  22. Senior Member
    Join Date
    Apr 2008
    Location
    Tampa, Fl
    Posts
    1,097

    Certifications
    A Few....
    #21
    Quote Originally Posted by notgoing2fail View Post
    IE and FF both work. I've tried with Windows 7, definitely a no-no.

    I don't have any other XPs to test it out on. I tried a virtual XP on VMware and I got some kind of strange error installing Java...

    Other than this current issue, I do have one other issue which is not being able to configure my wireless radio. When I try to configure it, SDM will launch a separate browser and it will be blank...

    Honestly, I've wasted so much time on using SDM, the only reason why I'm playing with it is for my CCNA security exam. Unless I run into a client who demands I use SDM, I don't ever want to look at SDM again...

    It is utterly frustrating. It feels like the entire application is an afterthought from Cisco and that they only slapped something together because other vendors had a GUI interface....
    I think for the wireless... you have to have a different file installed on your PC. I'll try to dig it up... when I first got my 877w I had to learn this the hard way. The wireless configuration is actually done through a separate Java-based web GUI...

  23. Senior Member notgoing2fail's Avatar
    Join Date
    Mar 2010
    Location
    New York
    Posts
    1,140

    Certifications
    CCNA, CCNA(Security), CSSA
    #22
    Quote Originally Posted by peanutnoggin View Post
    I think for the wireless... you have to have a different file installed on your PC. I'll try to dig it up... when I first got my 877w I had to learn this the hard way. The wireless configuration is actually done through a separate Java-based web GUI...

    More reason why SDM is a clunker. I extracted some tar files that I thought might help for the wireless because it created more directories in flash that seem web related, that didn't work.

    Also, as soon as I enabled IPS, when I log into SDM, it asks me 3 times for my account! I mean, whoever designed SDM isn't intelligent enough to carry over my account info in via session? I have to log in THREE times?

    Sorry for ragging on SDM...

  24. Senior Member notgoing2fail's Avatar
    Join Date
    Mar 2010
    Location
    New York
    Posts
    1,140

    Certifications
    CCNA, CCNA(Security), CSSA
    #23
    Here's the debug for IPsec...if you do see any errors, it took two pings to get the tunnel up....so that could be what you're seeing...

    Code:
    RTR-1811W#
    *May  7 20:08:06.035: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 10.0.0.1:500, remote= 10.0.0.2:500, 
        local_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4), 
        remote_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel), 
        lifedur= 3600s and 4608000kb, 
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    *May  7 20:08:06.791: IPSEC(validate_proposal_request): proposal part #1
    *May  7 20:08:06.791: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 10.0.0.1:0, remote= 10.0.0.2:0, 
        local_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4), 
        remote_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= NONE  (Tunnel), 
        lifedur= 0s and 0kb, 
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    *May  7 20:08:06.791: Crypto mapdb : proxy_match
        src addr     : 172.16.0.0
        dst addr     : 192.168.50.0
        protocol     : 0
        src port     : 0
        dst 
    RTR-1811W#port     : 0
    *May  7 20:08:06.795: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    *May  7 20:08:06.795: Crypto mapdb : proxy_match
        src addr     : 172.16.0.0
        dst addr     : 192.168.50.0
        protocol     : 0
        src port     : 0
        dst port     : 0
    *May  7 20:08:06.795: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.0.0.2
    *May  7 20:08:06.795: *** Sibling: round = 7 inner_to_outer = 49 outer_to_inner = 56 encrypted_overhead = 1 
    *May  7 20:08:06.795: IPSEC(policy_db_add_ident): src 172.16.0.0, dest 192.168.50.0, dest_port 0
    
    *May  7 20:08:06.795: IPSEC(create_sa): sa created,
      (sa) sa_dest= 10.0.0.1, sa_proto= 50, 
        sa_spi= 0xDD4CFA81(3712809601), 
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 1
        sa_lifetime(k/sec)= (4451034/3600)
    *May  7 20:08:06.795: IPSEC(create_sa): sa created,
      (sa) sa_dest= 10.0.0.2, sa_proto= 50, 
        sa_spi= 0x91347BD5(2436135893), 
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2
        sa_lifetime(k/sec)= (4451034/3600)
    *May  7 20:08:06.795: *** crypto_ipsec_create_transform_sas: phyiscal MTU = 1500 setting MTU to 1446 
    *May  7 20:08:06.795: IPSEC(update_current_outbound_sa): get enable SA peer 10.0.0.2 current outbound sa to SPI 91347BD5
    *May  7 20:08:06.795: IPSEC(update_current_outbound_sa): updated peer 10.0.0.2 current outbound sa to SPI 91347BD5
    RTR-1811W#
    RTR-1811W#

    Code:
    RTR-3620#
    *Mar  1 00:08:20.803: IPSEC(key_engine): got a queue event...
    *Mar  1 00:08:20.823: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 10.0.0.2, remote= 10.0.0.1, 
        local_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4), 
        remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
        protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel), 
        lifedur= 0s and 0kb, 
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
    *Mar  1 00:08:20.823: IPSEC(kei_proxy): head = S2S-2, map->ivrf = , kei->ivrf = 
    *Mar  1 00:08:20.827: IPSEC(key_engine): got a queue event...
    *Mar  1 00:08:20.835: IPSEC(spi_response): getting spi 2436135893 for SA 
        from 10.0.0.2        to 10.0.0.1        for prot 3
    *Mar  1 00:08:21.087: IPSEC(key_engine): got a queue event...
    *Mar  1 00:08:21.087: IPSEC(initialize_sas): ,
      (key eng. msg.) INBOUND local= 10.0.0.2, remote= 10.0.0.1, 
        local_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4), 
        remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
        protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel), 
        lifedur= 3600s and 4608000kb, 
        spi= 0x91347BD5(2436135893), conn_id= 2000, keysize= 0, flags= 0x2
    *Mar  1 00:08:21.091: IPSEC(initialize_sas): ,
      (key eng. msg.) OUTBOUND local= 10.0.0.2, remote= 10.0.0.1, 
        local_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4), 
        remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
        protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel), 
        lifedur= 3600s and 4608000kb, 
        spi= 0xDD4CFA81(3712809601), conn_id= 2001, keysize= 0, flags= 0xA
    *Mar  1 00:08:21.091: IPSEC(kei_proxy): head = S2S-2, map->ivrf = , kei->ivrf = 
    *Mar  1 00:08:21.095: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 10.0.0.1
    *Mar  1 00:08:21.095: IPSEC(add mtree): src 192.168.50.0, dest 172.16.0.0, dest_port 0
    
    *Mar  1 00:08:21.095: IPSEC(create_sa): sa created,
      (sa) sa_dest= 10.0.0.2, sa_prot= 50, 
        sa_spi= 0x91347BD5(2436135893), 
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2000
    *Mar  1 00:08:21.095: IPSEC(create_sa): sa created,
      (sa) sa_dest= 10.0.0.1, sa_prot= 50, 
        sa_spi= 0xDD4CFA81(3712809601), 
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001
    *Mar  1 00:08:21.103: IPSEC(key_engine): got a queue event...
    *Mar  1 00:08:21.103: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
    *Mar  1 00:08:21.107: IPSEC(key_engine_enable_outbound): enable SA with spi 3712809601/50 for 10.0.0.1
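    As an added example (not from the thread or from Cisco), here is a Python check that does what the debug above lets you do by eye: it parses both routers' IPSEC(create_sa) records and cross-checks them, requiring that each SPI be inbound on one router and outbound on the other and that both sides settled on the same ESP transform, so phase 2 can be judged independently of what SDM claims. The sample captures are abridged, constructed copies of the two posted above; the names parse_sas and check_phase2 are my own.

```python
import re
from collections import namedtuple

# Constructed input for this example: abridged copies of the two
# "debug crypto ipsec" captures in post #23, trimmed to the
# IPSEC(create_sa) records (SPIs and transforms are the ones posted).
DEBUG_1811W = """\
*May  7 20:08:06.795: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.0.0.1, sa_proto= 50,
    sa_spi= 0xDD4CFA81(3712809601),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 1
*May  7 20:08:06.795: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.0.0.2, sa_proto= 50,
    sa_spi= 0x91347BD5(2436135893),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2
"""
DEBUG_3620 = """\
*Mar  1 00:08:21.095: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.0.0.2, sa_prot= 50,
    sa_spi= 0x91347BD5(2436135893),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2000
*Mar  1 00:08:21.095: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.0.0.1, sa_prot= 50,
    sa_spi= 0xDD4CFA81(3712809601),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001
"""

SA = namedtuple("SA", "dest proto spi transform")

# IOS 15.1 prints "sa_proto=", IOS 12.3 prints "sa_prot=": accept both.
SA_RE = re.compile(
    r"IPSEC\(create_sa\): sa created,\s*"
    r"\(sa\) sa_dest= (?P<dest>[\d.]+), sa_proto?= (?P<proto>\d+),\s*"
    r"sa_spi= 0x(?P<spi>[0-9A-Fa-f]+)\(\d+\),\s*"
    r"sa_trans= (?P<trans>[^,]+?)\s*,")


def parse_sas(debug_text, local_ip):
    """Return {"in": SA, "out": SA} for one router. IOS builds the inbound
    SA with the router's own address as sa_dest and the outbound SA with
    the peer's address, so sa_dest tells the two apart."""
    sas = {}
    for m in SA_RE.finditer(debug_text):
        sa = SA(m["dest"], int(m["proto"]), int(m["spi"], 16), m["trans"])
        sas["in" if sa.dest == local_ip else "out"] = sa
    return sas


def check_phase2(local_log, local_ip, peer_log, peer_ip):
    """Cross-check both peers' SA records. An empty list means phase 2
    is consistent on both routers, whatever a management GUI reports."""
    local, peer = parse_sas(local_log, local_ip), parse_sas(peer_log, peer_ip)
    problems = [f"{name}: no {d}bound SA was created"
                for name, sas in (("local", local), ("peer", peer))
                for d in ("in", "out") if d not in sas]
    if problems:
        return problems
    # Each SPI must be inbound on one router and outbound on the other.
    for a, b in (("in", "out"), ("out", "in")):
        if local[a].spi != peer[b].spi:
            problems.append(f"SPI mismatch: local {a} 0x{local[a].spi:08X}"
                            f" vs peer {b} 0x{peer[b].spi:08X}")
    # All four SAs must be ESP (protocol 50) with one negotiated transform.
    every = [*local.values(), *peer.values()]
    if any(sa.proto != 50 for sa in every):
        problems.append("non-ESP SA present")
    if len({sa.transform for sa in every}) != 1:
        problems.append("peers disagree on the ESP transform")
    return problems
```

    Call check_phase2(DEBUG_1811W, "10.0.0.1", DEBUG_3620, "10.0.0.2") on the captures above and it returns an empty list, which is the same verdict the show crypto commands gave in this thread.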

  25. Senior Member notgoing2fail's Avatar
    Join Date
    Mar 2010
    Location
    New York
    Posts
    1,140

    Certifications
    CCNA, CCNA(Security), CSSA
    #24
    Ok, I have proof SDM sucks....I'm about to post some screenshots.

    I was able to get SDM to work with my old 3620. It doesn't show up as a supported router when I looked it up last week but it seems to work.

    When using SDM on the 3620, it shows that the tunnel is indeed UP!!

    I will post pictures to compare... you will all soon join me in the army of anti-SDM!!!

  26. Junior Member
    Join Date
    May 2010
    Location
    Florida
    Posts
    10

    Certifications
    MCSE:M, CCNA:S, VCA-DCV
    #25
    I don't think it will make any difference but you may want to set duplex and speed settings on both interfaces instead of having duplex set to half on one and auto for the rest of the settings.