ISAKMP: Callback: No SA found for 0.0.0.0/0.0.0.0
Do the phase 1 parameters on both routers match?
Yes, here is the config I was given vs. my running config:
Local Tunnel Endpoint 65.103.174.121
Local Subnet 172.16.28.0
Local Mask 255.255.255.224
Remote Tunnel Endpoint 24.153.138.34
Remote Subnet 10.0.0.0
Remote Mask 255.255.255.0
IPSec Phase 1
Encryption Algorithm 3DES
Integrity Algorithm SHA1
Diffie-Hellman Group 2 (1024)
Key Life 28800
IPSec Phase 2
Encryption Algorithm 3DES
Integrity Algorithm SHA1
Key Life: 3600 sec.
Diffie-Hellman Group 2 (1024)
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname hal
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$pd8l$l6R0Gprto9hmqmtd4UX1M.
enable password 7 121617151B1F0D08
!
username admin privilege 7 password 7 094F4A0C5A0B1D1B52
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 172.16.28.30
ip dhcp excluded-address 172.16.28.1 172.16.28.9
ip dhcp excluded-address 172.16.28.28 172.16.28.29
!
ip dhcp pool CLIENT
import all
network 172.16.28.0 255.255.255.224
default-router 172.16.28.30
lease 0 2
!
!
ip domain name cryptospace.upd
ip name-server 172.16.28.1
ip ips po max-events 100
ip ssh authentication-retries 4
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key -SGPr5b_TjnWkHRzGykG$*wd address 24.153.138.34 no-xauth
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
! Disabled because transform not supported by encryption hardware
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 24.153.138.34
set pfs group2
match address Crypto-list
!
!
!
interface Ethernet0
ip address 172.16.28.30 255.255.255.224
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface Ethernet1
no ip address
duplex auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname cryptospace@qwest.net
ppp chap password 7 000B01040D4F0A0A
ppp pap sent-username cryptospace@qwest.net password 7 030B49090F1B2040
ppp ipcp dns request
ppp ipcp wins request
crypto map VPN-Map-1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
ip http secure-server
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 172.16.28.5 3389 interface Dialer1 33**
ip nat inside source static tcp 172.16.28.1 3389 interface Dialer1 3390
ip nat inside source static tcp 172.16.28.3 3389 interface Dialer1 3389
ip nat inside source static tcp 172.16.28.4 80 interface Dialer1 80
ip nat inside source static tcp 172.16.28.4 25 interface Dialer1 25
!
!
ip access-list extended Crypto-list
permit ip any 10.0.0.0 0.255.255.255
ip access-list extended Internet-inbound-ACL
permit udp host 24.153.138.34 any eq isakmp
permit esp host 24.153.138.34 any
access-list 102 permit ip 172.16.28.0 0.0.0.31 any
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
line con 0
password 7 130A051002180526
login
no modem enable
transport preferred all
transport output all
stopbits 1
line aux 0
transport preferred all
transport output all
line vty 0 4
exec-timeout 120 0
password 7 104D0D1C461**80255
login local
length 0
transport preferred all
transport input ssh
transport output all
!
scheduler max-task-time 5000
end
A couple of issues:
First, your phase 1 lifetimes don't match.
IPSec Phase 1
Encryption Algorithm 3DES
Integrity Algorithm SHA1
Diffie-Hellman Group 2 (1024)
these differ -- Key Life 28800
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
these differ -- lifetime 3600
These don't match:
Remote Subnet 10.0.0.0
Remote Mask 255.255.255.0
ip access-list extended Crypto-list
permit ip any 10.0.0.0 0.255.255.255
--This should be 10.0.0.0 0.0.0.255 to match with Remote Mask 255.255.255.0
--Also, instead of 'any' I would use the actual subnet like this:
ip access-list extended Crypto-list
permit ip 172.16.28.0 0.0.0.31 10.0.0.0 0.0.0.255
Last, you don't want to perform NAT on the traffic crossing the tunnel, so you need to change this:
access-list 102 permit ip 172.16.28.0 0.0.0.31 any
to
access-list 102 deny ip 172.16.28.0 0.0.0.31 10.0.0.0 0.0.0.255
access-list 102 permit ip 172.16.28.0 0.0.0.31 any
Correct those items and give her another try. If it still doesn't work, post back and we will take another look.
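The three checks in the reply above (phase 1 attributes, the crypto ACL's wildcard masks, and the NAT exemption) can be done mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the relevant lines of the OP's first running config and the parameter sheet, both copied from the post, and lists every mismatch. The defaults it fills in for an ISAKMP policy (des, sha, group 1, 86400 s) are the documented IOS 12.x defaults; `host` ACL entries are not handled because none appear in the configs posted.

```python
"""Check a Cisco IOS site-to-site config against the peer's parameter sheet.

Added example, not from the thread or from Cisco. SHEET and CONFIG are copied
from the original post; IOS_POLICY_DEFAULTS are the documented IOS 12.x
defaults for an ISAKMP policy.
"""
import ipaddress

SHEET = {  # parameter sheet the OP was given
    "local_net": "172.16.28.0", "local_mask": "255.255.255.224",
    "remote_net": "10.0.0.0", "remote_mask": "255.255.255.0",
    "phase1": {"encr": "3des", "hash": "sha", "group": "2", "lifetime": "28800"},
}

CONFIG = """
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
ip access-list extended Crypto-list
 permit ip any 10.0.0.0 0.255.255.255
access-list 102 permit ip 172.16.28.0 0.0.0.31 any
"""

IOS_POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1", "lifetime": "86400"}


def mask_to_wildcard(mask: str) -> str:
    """IOS ACLs take inverse masks: 255.255.255.224 -> 0.0.0.31."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))


def parse_isakmp_policy(config: str) -> dict:
    """Return the first 'crypto isakmp policy' block with defaults filled in."""
    policy, in_block = dict(IOS_POLICY_DEFAULTS), False
    for line in config.splitlines():
        if line.startswith("crypto isakmp policy"):
            in_block = True
        elif in_block and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            policy[key] = value                  # e.g. 'lifetime' -> '3600'
        elif in_block:
            break
    return policy


def parse_acl(config: str, name: str) -> list:
    """[(action, src, dst)] for a named extended ACL or a numbered ACL.
    src/dst are 'any' or 'network wildcard'; 'host x' is not handled."""
    entries, in_named = [], False
    for line in config.splitlines():
        if line.startswith(f"ip access-list extended {name}"):
            in_named = True
            continue
        if line.startswith(f"access-list {name} "):
            tokens = line.split()[2:]
        elif in_named and line.startswith(" "):
            tokens = line.split()
        else:
            in_named = False
            continue
        action, rest = tokens[0], tokens[2:]     # tokens[1] is the protocol
        src, rest = ("any", rest[1:]) if rest[0] == "any" else (" ".join(rest[:2]), rest[2:])
        dst = "any" if rest[0] == "any" else " ".join(rest[:2])
        entries.append((action, src, dst))
    return entries


def tunnel_selector(sheet: dict) -> tuple:
    """The (src, dst) the crypto ACL and NAT deny must name, in ACL syntax."""
    return (f"{sheet['local_net']} {mask_to_wildcard(sheet['local_mask'])}",
            f"{sheet['remote_net']} {mask_to_wildcard(sheet['remote_mask'])}")


def check_phase1(policy: dict, wanted: dict) -> list:
    return [f"phase1 {k}: running={policy.get(k)} sheet={v}"
            for k, v in wanted.items() if policy.get(k) != v]


def check_crypto_acl(entries: list, sheet: dict) -> list:
    """The crypto ACL must name exactly the local and remote subnets."""
    want_src, want_dst = tunnel_selector(sheet)
    problems = []
    for _action, src, dst in entries:
        if src != want_src:
            problems.append(f"crypto ACL source {src!r} should be {want_src!r}")
        if dst != want_dst:
            problems.append(f"crypto ACL destination {dst!r} should be {want_dst!r}")
    return problems


def check_nat_exemption(entries: list, sheet: dict) -> list:
    """The first NAT ACL entry that matches tunnel traffic must be a deny."""
    want_src, want_dst = tunnel_selector(sheet)
    for action, src, dst in entries:
        if src == want_src and dst in (want_dst, "any"):
            return [] if action == "deny" else [
                f"NAT ACL first matches tunnel traffic with '{action}'; "
                f"add 'deny ip {want_src} {want_dst}' above it"]
    return ["NAT ACL has no entry covering tunnel traffic"]


def audit(config: str, sheet: dict) -> list:
    """All findings for one config against one sheet; empty list means clean."""
    return (check_phase1(parse_isakmp_policy(config), sheet["phase1"])
            + check_crypto_acl(parse_acl(config, "Crypto-list"), sheet)
            + check_nat_exemption(parse_acl(config, "102"), sheet))


if __name__ == "__main__":
    for finding in audit(CONFIG, SHEET):
        print(finding)
```

Run against the posted config it reports four findings, the same four the reply lists: the phase 1 lifetime, the `any` source and the `0.255.255.255` wildcard in `Crypto-list`, and the missing `deny` in ACL 102. Applying the reply's three corrections makes `audit()` return an empty list.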
No beans.
Made those changes, and still getting these:
17:26:21: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 65.103.174.121, remote= 24.153.138.34,
local_proxy= 172.16.28.0/255.255.255.224/0/0 (type=4),
remote_proxy= 10.0.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x67E81565(1743263077), conn_id= 0, keysize= 0, flags= 0x400B
17:26:21: ISAKMP:(0:0:N/A:0):deleting SA reason 'P1 delete notify (in)' state (I) MM_NO_STATE (peer 24.1
17:26:21: ISAKMP: Unlocking IKE struct 0x8239A824 for isadb_mark_sa_deleted(), count 0
17:26:21: ISAKMP: Deleting peer node by peer_reap for 24.153.138.34: 8239A824
17:26:21: ISAKMP:(0:0:N/A:0):deleting node -1820283338 error FALSE reason 'IKE deleted'
17:26:21: ISAKMP:(0:0:N/A:0):deleting node 1311546730 error FALSE reason 'IKE deleted'
17:26:21: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
17:26:21: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
17:26:21: ISAKMP: received ke message (1/1)
17:26:21: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
17:26:21: ISAKMP: Created a peer struct for 24.153.138.34, peer port 500
17:26:21: ISAKMP: Locking peer struct 0x823C7DE8, IKE refcount 1 for isakmp_initiator
17:26:21: ISAKMP: local port 500, remote port 500
17:26:21: ISAKMP: set new node 0 to QM_IDLE
17:26:21: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82364330
17:26:21: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
17:26:21: ISAKMP: Looking for a matching key for 24.153.138.34 in default : success
17:26:21: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 24.153.138.34
17:26:21: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
17:26:21: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
17:26:21: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
17:26:21: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
17:26:21: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
17:26:21: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
17:26:21: ISAKMP:(0:0:N/A:0): sending packet to 24.153.138.34 my_port 500 peer_port 500 (I) MM_NO_STATE
17:26:31: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE..
17:26:31: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
17:26:31: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
17:26:31: ISAKMP:(0:0:N/A:0): sending packet to 24.153.138.34 my_port 500 peer_port 500 (I) MM_NO_STATE
17:26:41: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE..
17:26:41: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
17:26:41: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
17:26:41: ISAKMP:(0:0:N/A:0): sending packet to 24.153.138.34 my_port 500 peer_port 500 (I) MM_NO_STATE
Here is my current config:
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname hal
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 $1$pd8l$l6R0Gprto9hmqmtd4UX1M.
enable password 7 121617151B1F0D08
!
username admin privilege 7 password 7 094F4A0C5A0B1D1B52
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 172.16.28.30
ip dhcp excluded-address 172.16.28.1 172.16.28.9
ip dhcp excluded-address 172.16.28.28 172.16.28.29
!
ip dhcp pool CLIENT
import all
network 172.16.28.0 255.255.255.224
default-router 172.16.28.30
lease 0 2
!
!
ip domain name cryptospace.upd
ip name-server 172.16.28.1
ip ips po max-events 100
ip ssh authentication-retries 4
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key -SGPr5b_TjnWkHRzGykG$*wd address 24.153.138.34 no-xauth
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
! Disabled because transform not supported by encryption hardware
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_2 esp-3des esp-sha-hmac
!
crypto ipsec profile GCT
description default GCT
set transform-set SDM_TRANSFORMSET_1
!
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 24.153.138.34
set transform-set SDM_TRANSFORMSET_2
set pfs group2
match address Crypto-list
!
!
!
interface Ethernet0
ip address 172.16.28.30 255.255.255.224
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface Ethernet1
no ip address
duplex auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname cryptospace@qwest.net
ppp chap password 7 000B01040D4F0A0A
ppp pap sent-username cryptospace@qwest.net password 7 030B49090F1B2040
ppp ipcp dns request
ppp ipcp wins request
crypto map VPN-Map-1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
ip http secure-server
!
ip nat inside source static tcp 172.16.28.7 3389 interface Dialer1 3393
ip nat inside source static tcp 172.16.28.6 3389 interface Dialer1 3392
ip nat inside source static tcp 172.16.28.4 22 interface Dialer1 2202
ip nat inside source static tcp 172.16.28.2 22 interface Dialer1 2201
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip nat inside source static tcp 172.16.28.5 3389 interface Dialer1 33**
ip nat inside source static tcp 172.16.28.1 3389 interface Dialer1 3390
ip nat inside source static tcp 172.16.28.3 3389 interface Dialer1 3389
ip nat inside source static tcp 172.16.28.4 80 interface Dialer1 80
ip nat inside source static tcp 172.16.28.4 25 interface Dialer1 25
!
!
ip access-list extended Crypto-list
permit ip 172.16.28.0 0.0.0.31 10.0.0.0 0.0.0.255
ip access-list extended Internet-inbound-ACL
permit udp host 24.153.138.34 any eq isakmp
permit esp host 24.153.138.34 any
access-list 102 deny ip 172.16.28.0 0.0.0.31 10.0.0.0 0.0.0.255
access-list 102 permit ip 172.16.28.0 0.0.0.31 any
dialer-list 1 protocol ip permit
!
route-map SDM_RMAP_1 permit 1
match ip address 102
!
!
control-plane
!
!
line con 0
password 7 130A051002180526
login
no modem enable
transport preferred all
transport output all
stopbits 1
line aux 0
transport preferred all
transport output all
line vty 0 4
exec-timeout 120 0
password 7 104D0D1C461**80255
login local
length 0
transport preferred all
transport input ssh
transport output all
!
scheduler max-task-time 5000
end
Which debug are you running?
If you aren't already doing so, run:
debug crypto isakmp
and post the output. It still looks like it's failing on phase 1.
Cisco needs to make these Marine proof
Here is the output:
18:48:12: ISAKMP:(0:0:N/A:0):purging node -1295764948
18:48:12: ISAKMP:(0:0:N/A:0):purging node 1592451257
18:48:22: ISAKMP:(0:0:N/A:0):purging SA., sa=824403BC, delme=824403BC
hal#
18:48:59: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 65.103.174.121, remote= 24.153.138.34,
local_proxy= 172.16.28.0/255.255.255.224/0/0 (type=4),
remote_proxy= 10.0.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 28800s and 4608000kb,
spi= 0x8248C9A7(2185808295), conn_id= 0, keysize= 0, flags= 0x400B
18:48:59: ISAKMP: received ke message (1/1)
18:48:59: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
18:48:59: ISAKMP: Created a peer struct for 24.153.138.34, peer port 500
18:48:59: ISAKMP: Locking peer struct 0x8232B4D0, IKE refcount 1 for isakmp_initiator
18:48:59: ISAKMP: local port 500, remote port 500
18:48:59: ISAKMP: set new node 0 to QM_IDLE
18:48:59: insert sa successfully sa = 824355A8
18:48:59: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
18:48:59: ISAKMP: Looking for a matching key for 24.153.138.34 in default : success
18:48:59: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 24.153.138.34
18:48:59: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
18:48:59: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
18:48:59: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
18:48:59: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
18:48:59: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
18:48:59: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
18:48:59: ISAKMP:(0:0:N/A:0): sending packet to 24.153.138.34 my_port 500 peer_port 500 (I) MM_NO_STATE
18:49:09: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE..
18:49:09: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
18:49:09: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
18:49:09: ISAKMP:(0:0:N/A:0): sending packet to 24.153.138.34 my_port 500 peer_port 500 (I) MM_NO_STATE
18:49:19: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE..
18:49:19: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
18:49:19: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
18:49:19: ISAKMP:(0:0:N/A:0): sending packet to 24.153.138.34 my_port 500 peer_port 500 (I) MM_NO_STATE
18:49:29: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 65.103.174.121, remote= 24.153.138.34,
local_proxy= 172.16.28.0/255.255.255.224/0/0 (type=4),
remote_proxy= 10.0.0.0/255.255.255.0/0/0 (type=4)
18:49:29: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 65.103.174.121, remote= 24.153.138.34,
local_proxy= 172.16.28.0/255.255.255.224/0/0 (type=4),
remote_proxy= 10.0.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 28800s and 4608000kb,
spi= 0xE3D023E(238879294), conn_id= 0, keysize= 0, flags= 0x400B
18:49:29: ISAKMP: received ke message (1/1)
18:49:29: ISAKMP: set new node 0 to QM_IDLE
18:49:29: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 65.103.174.121)
18:49:29: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE..
18:49:29: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
18:49:29: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
18:49:29: ISAKMP:(0:0:N/A:0): sending packet to 24.153.138.34 my_port 500 peer_port 500 (I) MM_NO_STATE
18:49:39: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE..
18:49:39: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
18:49:39: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
18:49:39: ISAKMP:(0:0:N/A:0): sending packet to 24.153.138.34 my_port 500 peer_port 500 (I) MM_NO_STATE
18:49:49: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE..
18:49:49: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
18:49:49: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
18:49:49: ISAKMP:(0:0:N/A:0): sending packet to 24.153.138.34 my_port 500 peer_port 500 (I) MM_NO_STATE
18:49:59: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 65.103.174.121, remote= 24.153.138.34,
local_proxy= 172.16.28.0/255.255.255.224/0/0 (type=4),
remote_proxy= 10.0.0.0/255.255.255.0/0/0 (type=4)
18:49:59: ISAKMP: received ke message (3/1)
18:49:59: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.
18:49:59: ISAKMP:(0:0:N/A:0):deleting SA reason 'P1 delete notify (in)' state (I) MM_NO_STATE (peer 24.15)
18:49:59: ISAKMP:(0:0:N/A:0):deleting SA reason 'P1 delete notify (in)' state (I) MM_NO_STATE (peer 24.15
18:49:59: ISAKMP: Unlocking IKE struct 0x8232B4D0 for isadb_mark_sa_deleted(), count 0
18:49:59: ISAKMP: Deleting peer node by peer_reap for 24.153.138.34: 8232B4D0
18:49:59: ISAKMP:(0:0:N/A:0):deleting node 144080543 error FALSE reason 'IKE deleted'
18:49:59: ISAKMP:(0:0:N/A:0):deleting node 400261366 error FALSE reason 'IKE deleted'
18:49:59: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
18:49:59: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
I am running these:
hal#show debug
Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto ISAKMP Error debugging is on
Crypto ISAKMP High Availability debugging is on
Crypto IPSEC debugging is on
Crypto IPSEC Error debugging is on
hal#
Need to verify Settings
It's not getting very far on phase 1. Either it can't contact the other end or the settings don't match. Cisco to Netopia is usually a walk in the park. I would re-verify the settings on the other end and, if there is someone there who can look at the log on the Netopia, see if your router is even getting to it. I have several VPNs set up between a Cisco 831 and a bunch of Netopia R910s. I ran the debug while one of them came up. Here is what it should look like:
Network-831#clear crypto sa peer 208.XX.X.XX
Network-831#
*Dec 18 16:07:39 CST: ISAKMP (0:0): received packet from 208.XX.X.XX dport 500 sport 500 Global (N) NEW SA
*Dec 18 16:07:39 CST: ISAKMP: Created a peer struct for 208.XX.X.XX, peer port 500
*Dec 18 16:07:39 CST: ISAKMP: New peer created peer = 0x81F05194 peer_handle = 0x800000C6
*Dec 18 16:07:39 CST: ISAKMP: Locking peer struct 0x81F05194, IKE refcount 1 for crypto_isakmp_process_block
*Dec 18 16:07:39 CST: ISAKMP: local port 500, remote port 500
*Dec 18 16:07:39 CST: insert sa successfully sa = 81EF2598
*Dec 18 16:07:39 CST: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 18 16:07:39 CST: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
*Dec 18 16:07:39 CST: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Dec 18 16:07:39 CST: ISAKMP:(0:0:N/A:0):Looking for a matching key for 208.XX.XX.XX in default
*Dec 18 16:07:39 CST: ISAKMP:(0:0:N/A:0): : success
*Dec 18 16:07:39 CST: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 208.XX.XX.XX
*Dec 18 16:07:39 CST: ISAKMP:(0:0:N/A:0): local preshared key found
*Dec 18 16:07:39 CST: ISAKMP : Scanning profiles for xauth ..
*Dec 18 16:07:39 CST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
*Dec 18 16:07:39 CST: ISAKMP: life type in seconds
*Dec 18 16:07:39 CST: ISAKMP: life duration (basic) of 28800
*Dec 18 16:07:39 CST: ISAKMP: encryption DES-CBC
*Dec 18 16:07:39 CST: ISAKMP: auth pre-share
*Dec 18 16:07:39 CST: ISAKMP: hash MD5
*Dec 18 16:07:39 CST: ISAKMP: default group 2
*Dec 18 16:07:39 CST: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Dec 18 16:07:40 CST: ISAKMP:(0:16:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec 18 16:07:40 CST: ISAKMP:(0:16:HW:2):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Dec 18 16:07:40 CST: ISAKMP:(0:16:HW:2): sending packet to 208.XX.X.XX my_port 500 peer_port 500 (R) MM_SA_SETUP
*Dec 18 16:07:40 CST: ISAKMP:(0:16:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec 18 16:07:40 CST: ISAKMP:(0:16:HW:2):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Dec 18 16:07:40 CST: ISAKMP (0:268435472): received packet from 208.XX.X.XX dport 500 sport 500 Global (R) MM_SA_SETUP
*Dec 18 16:07:40 CST: ISAKMP:(0:16:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 18 16:07:40 CST: ISAKMP:(0:16:HW:2):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Dec 18 16:07:40 CST: ISAKMP:(0:16:HW:2): processing KE payload. message ID = 0
*Dec 18 16:07:40 CST: ISAKMP:(0:16:HW:2): processing NONCE payload. message ID = 0
*Dec 18 16:07:40 CST: ISAKMP:(0:0:N/A:0):Looking for a matching key for 208.XX.XX.XX in default
*Dec 18 16:07:40 CST: ISAKMP:(0:0:N/A:0): : success
*Dec 18 16:07:40 CST: ISAKMP:(0:16:HW:2):found peer pre-shared key matching 208.XX.XX.XX
*Dec 18 16:07:40 CST: ISAKMP:(0:16:HW:2):SKEYID state generated
*Dec 18 16:07:40 CST: ISAKMP:(0:16:HW:2): processing vendor id payload
*Dec 18 16:07:40 CST: ISAKMP:(0:16:HW:2): vendor ID seems Unity/DPD but major 162 mismatch
*Dec 18 16:07:40 CST: ISAKMP:(0:16:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec 18 16:07:40 CST: ISAKMP:(0:16:HW:2):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Dec 18 16:07:40 CST: ISAKMP:(0:16:HW:2): sending packet to 208.XX.X.XX my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Dec 18 16:07:40 CST: ISAKMP:(0:16:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec 18 16:07:40 CST: ISAKMP:(0:16:HW:2):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Dec 18 16:07:41 CST: ISAKMP (0:268435472): received packet from 208.XX.X.XX dport 500 sport 500 Global (R) MM_KEY_EXCH
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2): processing ID payload. message ID = 0
*Dec 18 16:07:41 CST: ISAKMP (0:268435472): ID payload
next-payload : 8
type : 1
address : 208.XX.X.XX
protocol : 17
port : 500
length : 12
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2):: peer matches *none* of the profiles
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2): processing HASH payload. message ID = 0
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2):SA authentication status:
authenticated
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2):SA has been authenticated with 208.XX.XX.XX
*Dec 18 16:07:41 CST: ISAKMP: Trying to insert a peer 69.XX.XX.XX/208.XX.X.XX/500/, and inserted successfully 81F05194.
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Dec 18 16:07:41 CST: ISAKMP (0:268435472): ID payload
next-payload : 8
type : 1
address : 69.XX.XX.XX
protocol : 17
port : 500
length : 12
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2):Total payload length: 12
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2): sending packet to 208.XX.X.XX my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Dec 18 16:07:41 CST: ISAKMP (0:268435472): received packet from 208.XX.X.XX dport 500 sport 500 Global (R) QM_IDLE
*Dec 18 16:07:41 CST: ISAKMP: set new node -1507312796 to QM_IDLE
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2): processing HASH payload. message ID = -1507312796
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = -1507312796, sa = 81EF2598
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2):SA authentication status:
authenticated
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2): Process initial contact,
bring down existing phase 1 and 2 SA's with local 69.XX.XX.XX remote 208.XX.XX.XX remote port 500
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2):deleting node -1507312796 error FALSE reason 'Informational (in) state 1'
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Dec 18 16:07:41 CST: ISAKMP (0:268435472): received packet from 208.XX.X.XX dport 500 sport 500 Global (R) QM_IDLE
*Dec 18 16:07:41 CST: ISAKMP: set new node 1377935587 to QM_IDLE
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2): processing HASH payload. message ID = 1377935587
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2): processing SA payload. message ID = 1377935587
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2):Checking IPSec proposal 1
*Dec 18 16:07:41 CST: ISAKMP: transform 1, ESP_DES
*Dec 18 16:07:41 CST: ISAKMP: attributes in transform:
*Dec 18 16:07:41 CST: ISAKMP: SA life type in seconds
*Dec 18 16:07:41 CST: ISAKMP: SA life duration (basic) of 28798
*Dec 18 16:07:41 CST: ISAKMP: encaps is 1 (Tunnel)
*Dec 18 16:07:41 CST: ISAKMP: authenticator is HMAC-MD5
*Dec 18 16:07:41 CST: ISAKMP: group is 2
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2):atts are acceptable.
*Dec 18 16:07:42 CST: ISAKMP:(0:16:HW:2): processing NONCE payload. message ID = 1377935587
*Dec 18 16:07:42 CST: ISAKMP:(0:16:HW:2): processing KE payload. message ID = 1377935587
*Dec 18 16:07:42 CST: ISAKMP:(0:16:HW:2): processing ID payload. message ID = 1377935587
*Dec 18 16:07:42 CST: ISAKMP:(0:16:HW:2): processing ID payload. message ID = 1377935587
*Dec 18 16:07:42 CST: ISAKMP:(0:16:HW:2): asking for 1 spis from ipsec
*Dec 18 16:07:42 CST: ISAKMP:(0:16:HW:2):Node 1377935587, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Dec 18 16:07:42 CST: ISAKMP:(0:16:HW:2):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Dec 18 16:07:42 CST: ISAKMP: received ke message (2/1)
*Dec 18 16:07:42 CST: ISAKMP: Locking peer struct 0x81F05194, IPSEC refcount 1 for for stuff_ke
*Dec 18 16:07:42 CST: ISAKMP:(0:16:HW:2): Creating IPSec SAs
*Dec 18 16:07:42 CST: inbound SA from 208.XX.X.XX to 69.XX.XX.XX (f/i) 0/ 0
(proxy 192.168.1.0 to 192.168.69.0)
*Dec 18 16:07:42 CST: has spi 0x21C60740 and conn_id 0 and flags 23
*Dec 18 16:07:42 CST: lifetime of 28798 seconds
*Dec 18 16:07:42 CST: has client flags 0x0
*Dec 18 16:07:42 CST: outbound SA from 69.XX.XX.XX to 208.XX.X.XX (f/i) 0/0
(proxy 192.168.69.0 to 192.168.1.0)
*Dec 18 16:07:42 CST: has spi -569533285 and conn_id 0 and flags 2B
*Dec 18 16:07:42 CST: lifetime of 28798 seconds
*Dec 18 16:07:42 CST: has client flags 0x0
*Dec 18 16:07:42 CST: ISAKMP: Locking peer struct 0x81F05194, IPSEC refcount 2 for from create_transforms
*Dec 18 16:07:42 CST: ISAKMP: Unlocking IPSEC struct 0x81F05194 from create_transforms, count 1
*Dec 18 16:07:42 CST: ISAKMP:(0:16:HW:2): sending packet to 208.XX.X.XX my_port 500 peer_port 500 (R) QM_IDLE
*Dec 18 16:07:42 CST: ISAKMP:(0:16:HW:2):Node 1377935587, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
*Dec 18 16:07:42 CST: ISAKMP:(0:16:HW:2):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
*Dec 18 16:07:43 CST: ISAKMP (0:268435472): received packet from 208.XX.X.XX dport 500 sport 500 Global (R) QM_IDLE
*Dec 18 16:07:43 CST: ISAKMP:(0:16:HW:2):deleting node 1377935587 error FALSE reason 'QM done (await)'
*Dec 18 16:07:43 CST: ISAKMP:(0:16:HW:2):Node 1377935587, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Dec 18 16:07:43 CST: ISAKMP:(0:16:HW:2):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
Network-831#u all
All possible debugging has been turned off
Network-831#
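Comparing a failing `debug crypto isakmp` trace with a healthy one, as the reply above does, comes down to a few questions: which role did we play, how far did the state machine get, and did anything come back from the peer at all. The script below is an added example, not code from the thread or from Cisco; it pulls those facts out of IOS debug lines and gives a one-line verdict. The two sample logs are trimmed copies of the debugs posted in this thread, with the peer addresses as the posters redacted them. The ranking of IKE states is ours and covers only the main-mode and quick-mode states that appear in these traces.

```python
"""Triage 'debug crypto isakmp' output: how far did IKE get, and did the peer answer?

Added example, not from the thread or from Cisco. HAL_LOG and GOOD_LOG are
trimmed copies of the two debugs posted above.
"""
import re
from collections import Counter

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
SENT_RE = re.compile(r"sending packet to (\S+) .*\((I|R)\) (\S+)")
RECV_RE = re.compile(r"received packet from (\S+) dport")
RETRANS_RE = re.compile(r"incrementing error counter on sa: retransmit phase 1")
DELETE_RE = re.compile(r"deleting SA reason '([^']+)' state \((I|R)\) (\S+)")

HAL_LOG = """\
18:48:59: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
18:48:59: ISAKMP:(0:0:N/A:0): sending packet to 24.153.138.34 my_port 500 peer_port 500 (I) MM_NO_STATE
18:49:09: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
18:49:09: ISAKMP:(0:0:N/A:0): sending packet to 24.153.138.34 my_port 500 peer_port 500 (I) MM_NO_STATE
18:49:19: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
18:49:19: ISAKMP:(0:0:N/A:0): sending packet to 24.153.138.34 my_port 500 peer_port 500 (I) MM_NO_STATE
18:49:59: ISAKMP:(0:0:N/A:0):deleting SA reason 'P1 delete notify (in)' state (I) MM_NO_STATE (peer 24.153.138.34)
18:49:59: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
"""

GOOD_LOG = """\
*Dec 18 16:07:39 CST: ISAKMP (0:0): received packet from 208.XX.X.XX dport 500 sport 500 Global (N) NEW SA
*Dec 18 16:07:39 CST: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
*Dec 18 16:07:40 CST: ISAKMP:(0:16:HW:2): sending packet to 208.XX.X.XX my_port 500 peer_port 500 (R) MM_SA_SETUP
*Dec 18 16:07:40 CST: ISAKMP:(0:16:HW:2):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Dec 18 16:07:40 CST: ISAKMP (0:268435472): received packet from 208.XX.X.XX dport 500 sport 500 Global (R) MM_SA_SETUP
*Dec 18 16:07:40 CST: ISAKMP:(0:16:HW:2):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Dec 18 16:07:40 CST: ISAKMP:(0:16:HW:2): sending packet to 208.XX.X.XX my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Dec 18 16:07:41 CST: ISAKMP (0:268435472): received packet from 208.XX.X.XX dport 500 sport 500 Global (R) MM_KEY_EXCH
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2): sending packet to 208.XX.X.XX my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Dec 18 16:07:41 CST: ISAKMP:(0:16:HW:2):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Dec 18 16:07:43 CST: ISAKMP:(0:16:HW:2):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
"""


def state_rank(state: str) -> int:
    """Order IKE states so 'furthest point reached' is comparable (our ranking)."""
    m = re.fullmatch(r"IKE_[IR]_MM(\d)", state)
    if m:
        return int(m.group(1))                    # main mode messages 1..6
    return {"IKE_READY": 0, "IKE_P1_COMPLETE": 6, "IKE_QM_READY": 6,
            "IKE_QM_SPI_STARVE": 6, "IKE_QM_R_QM2": 6, "IKE_QM_I_QM1": 6,
            "IKE_QM_PHASE2_COMPLETE": 7}.get(state, -1)   # -1: IKE_DEST_SA and unknown


def triage(log: str) -> dict:
    """Summarise one ISAKMP negotiation from debug output."""
    sent, recv, roles = Counter(), Counter(), set()
    furthest, retransmits, deleted = "IKE_READY", 0, None
    for line in log.splitlines():
        if m := SENT_RE.search(line):
            sent[m.group(1)] += 1
            roles.add("initiator" if m.group(2) == "I" else "responder")
        elif m := RECV_RE.search(line):
            recv[m.group(1)] += 1
        elif RETRANS_RE.search(line):
            retransmits += 1
        elif m := DELETE_RE.search(line):
            deleted = m.group(1)
        elif m := STATE_RE.search(line):
            if state_rank(m.group(2)) > state_rank(furthest):
                furthest = m.group(2)
    n_sent, n_recv = sum(sent.values()), sum(recv.values())
    peer = next(iter(sent + recv), "unknown peer")
    if state_rank(furthest) >= 7:
        verdict = "phase 1 and phase 2 complete"
    elif state_rank(furthest) >= 6:
        verdict = "phase 1 complete, phase 2 did not finish"
    elif n_recv == 0 and n_sent:
        verdict = (f"stalled in {furthest}: {n_sent} copies of the first main-mode message "
                   f"sent to {peer}, nothing received back. Either it never reached the peer "
                   "(routing, UDP/500 filtered, wrong peer address) or the peer dropped it.")
    else:
        verdict = f"phase 1 reached {furthest} and stopped after {n_recv} packets from {peer}"
    return {"role": roles.pop() if len(roles) == 1 else None, "peer": peer,
            "sent": n_sent, "received": n_recv, "retransmits": retransmits,
            "furthest_state": furthest, "sa_deleted_reason": deleted, "verdict": verdict}


if __name__ == "__main__":
    for name, log in (("hal", HAL_LOG), ("Network-831", GOOD_LOG)):
        print(name, triage(log)["verdict"])
```

On the OP's trace it reports an initiator that sent three copies of its first main-mode message and received nothing, which is the "not getting very far on phase 1" the reply describes; on the 831 trace it reports a responder that walked through MM1 to P1_COMPLETE and on to QM_PHASE2_COMPLETE. To use it on your own router, paste the output of `show logging` (with `debug crypto isakmp` running) in place of the sample strings.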
Hi all,
I'm trying to establish a VPN between a Nokia E65 and a Cisco 2600 router. I've prepared the pkg, pol and pin files and configured the Cisco router.
When I try, the phone connects fine, obtains IP, GW and DNS, and according to the Cisco log the IKE/IPsec session comes up.
The problem is that no application works; the phone shows 'No gateway answer' and I can't connect to any site.
It's connected to the VPN but no traffic passes correctly over the tunnel.
This is my POL configuration:
SECURITY_FILE_VERSION: 3
[INFO]
VPN-Policy for Nokia Mobile VPN Client v3.0.
[POLICY]
sa ipsec_1 = {
esp
encrypt_alg 3
max_encrypt_bits 256
auth_alg 2
identity_remote 0.0.0.0/0
src_specific
hard_lifetime_bytes 0
hard_lifetime_addtime 3600
hard_lifetime_usetime 3600
soft_lifetime_bytes 0
soft_lifetime_addtime 3600
soft_lifetime_usetime 3600
}
remote 0.0.0.0 0.0.0.0 = { ipsec_1(IP_PUB_GW) }
inbound = { }
outbound = { }
[IKE]
ADDR: IP_PUB_GW 255.255.255.255
MODE: Aggressive
SEND_NOTIFICATION: TRUE
ID_TYPE: 11
FQDN: nokiavpn
GROUP_DESCRIPTION_II: MODP_1024
USE_COMMIT: FALSE
IPSEC_EXPIRE: FALSE
SEND_CERT: FALSE
INITIAL_CONTACT: FALSE
RESPONDER_LIFETIME: TRUE
REPLAY_STATUS: TRUE
USE_INTERNAL_ADDR: FALSE
USE_NAT_PROBE: FALSE
ESP_UDP_PORT: 0
NAT_KEEPALIVE: 60
USE_XAUTH: TRUE
USE_MODE_CFG: TRUE
REKEYING_THRESHOLD: 90
PROPOSALS: 1
ENC_ALG: 3DES-CBC
AUTH_METHOD: PRE-SHARED
HASH_ALG: MD5
GROUP_DESCRIPTION: MODP_1024
GROUP_TYPE: DEFAULT
LIFETIME_KBYTES: 0
LIFETIME_SECONDS: 28800
PRF: NONE
PRESHARED_KEYS:
FORMAT: STRING_FORMAT
KEY: 11 xxxx
And this is my Cisco config:
Building configuration...
Current configuration : 2439 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login userlist local
aaa authorization network nokiavpn local
!
aaa session-id common
memory-size iomem 10
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
ip cef
!
!
!
!
ip name-server xxxxxxxx
ip name-server xxxxxxxxx
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol l2tp
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username test password 0 test
!
!
ip tcp selective-ack
ip tcp timestamp
ip tcp synwait-time 25
ip tcp path-mtu-discovery
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 10 5
crypto isakmp client configuration address-pool local dynpool
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group nokiavpn
key xxxxx
dns xxxxxx
domain xxxx.it
pool dynpool
!
crypto ipsec transform-set transform-1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 1
set transform-set transform-1
reverse-route
!
!
crypto map DefaultRAGroup client authentication list userlist
crypto map DefaultRAGroup isakmp authorization list nokiavpn
crypto map DefaultRAGroup client configuration address respond
crypto map DefaultRAGroup 1 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Loopback0
ip address IP_ON_NOKIA_CLIENT_POOL_NETWORK
!
interface FastEthernet0/0
ip address PUBLIC_IP
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
crypto map DefaultRAGroup
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip local pool dynpool XX.XX.XX.XX XX.XX.XX.XX
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 XX.XX.XX.XX
ip route XX.XX.XX.XX FastEthernet0/0
!
!
ip http server
no ip http secure-server
!
access-list 100 permit ip any any
!
!
!
control-plane
!
!
!
!
mgcp behavior g729-variants static-pt
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
Could you please help me!?
Thanks
Simone