VPN with Linksys BEFVP41 V2 and Cisco AS5300

I am trying to set up a VPN between a BEFVP41 V2 and a Cisco AS5300. I have the following settings on the Linksys side:

WAN IP: 111.111.111.4

Local Secure Group:  Subnet  IP: 10.10.7.0  Mask: 255.255.255.0
Remote Secure Group: Subnet  IP: 10.10.5.0  Mask: 255.255.255.0
Remote Security Gateway: IP Address: 222.222.222.42
Encryption: 3DES
Authentication: SHA
Key Management: Auto (IKE)  PFS: Enabled  Pre-shared Key: 112233  Key Lifetime: 86400 sec.

Tunnel 1
Phase 1: Operation mode: Main mode
  Proposal: Encryption: 3DES  Authentication: SHA  Group: 768-bit  Key Lifetime: 86400 seconds
  (Note: the following three additional proposals are also proposed in Main mode: DES/MD5/768, 3DES/SHA/1024 and 3DES/MD5/1024.)
Phase 2:
  Proposal: Encryption: 3DES  Authentication: SHA  PFS: ON  Group: 768-bit  Key Lifetime: 86400 seconds

Other Setting: Keep-Alive

-------------------------------------------------------------

Cisco side:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key 112233 address 111.111.111.4
crypto isakmp key 112233 address 10.10.7.1
!
!
crypto ipsec transform-set rtpset1 esp-3des esp-sha-hmac
!
crypto map rtp 1 ipsec-isakmp
 set peer 111.111.111.4
 set peer 10.10.7.1
 set transform-set rtpset1
 set pfs group1
 match address 101
!
!
!
interface Loopback0
 no ip address
!
interface Tunnel0
 ip address 10.10.5.1 255.255.255.0
 tunnel source 10.10.5.0
 tunnel destination 111.111.111.4
 tunnel mode dvmrp
 tunnel key 112233
 crypto map rtp
!
interface FastEthernet0
 ip address 222.222.222.42 255.255.255.240
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 222.222.222.33
ip route 10.10.7.0 255.255.255.0 Tunnel0
!
!
access-list 101 permit ip 10.10.5.0 0.0.0.255 10.10.7.0 0.0.0.255

--------------------------------------------------------------

This is what I get when doing a debug crypto isakmp on the Cisco:

Aug 31 05:07:51.831: ISAKMP (0:0): received packet from 111.111.111.4 dport 500 sport 500 Global (N) NEW SA
Aug 31 05:07:51.835: ISAKMP: Locking peer struct 0x6366476C, IKE refcount 15 for Responding to new initiation
Aug 31 05:07:51.835: ISAKMP: local port 500, remote port 500
Aug 31 05:07:51.835: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 63017FB4
Aug 31 05:07:51.835: ISAKMP (0:164): processing SA payload. message ID = 0
Aug 31 05:07:51.835: ISAKMP (0:164): processing ID payload. message ID = 0
Aug 31 05:07:51.835: ISAKMP (0:164): ID payload
        next-payload : 0
        type         : 1
        address      : 111.111.111.4
        protocol     : 0
        port         : 0
        length       : 12
Aug 31 05:07:51.835: ISAKMP (0:164): peer matches *none* of the profiles
Aug 31 05:07:51.835: ISAKMP (0:164) local preshared key found
Aug 31 05:07:51.835: ISAKMP : Scanning profiles for xauth ...
Aug 31 05:07:51.835: ISAKMP (0:164): Checking ISAKMP transform 1 against priority 1 policy
Aug 31 05:07:51.835: ISAKMP:      encryption 3DES-CBC
Aug 31 05:07:51.835: ISAKMP:      hash SHA
Aug 31 05:07:51.835: ISAKMP:      auth pre-share
Aug 31 05:07:51.835: ISAKMP:      default group 1
Aug 31 05:07:51.835: ISAKMP:      life type in seconds
Aug 31 05:07:51.835: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Aug 31 05:07:51.835: ISAKMP (0:164): atts are acceptable. Next payload is 3
Aug 31 05:07:51.891: ISAKMP (0:164): processing KE payload. message ID = 0
Aug 31 05:07:51.959: ISAKMP (0:164): processing NONCE payload. message ID = 0
Aug 31 05:07:51.959: ISAKMP (0:164): SKEYID state generated
Aug 31 05:07:51.959: ISAKMP (0:164): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Aug 31 05:07:51.963: ISAKMP (0:164): ID payload
        next-payload : 10
        type         : 1
        address      : 222.222.222.42
        protocol     : 17
        port         : 0
        length       : 12
Aug 31 05:07:51.963: ISAKMP (164): Total payload length: 12
Aug 31 05:07:51.963: ISAKMP (0:164): sending packet to 111.111.111.4 my_port 500 peer_port 500 (R) AG_INIT_EXCH
Aug 31 05:07:51.963: ISAKMP (0:164): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Aug 31 05:07:51.963: ISAKMP (0:164): Old State = IKE_READY  New State = IKE_R_AM2
Aug 31 05:07:53.403: ISAKMP (0:164): received packet from 111.111.111.4 dport 500 sport 500 Global (R) AG_INIT_EXCH
Aug 31 05:07:53.403: ISAKMP: set new node -519190985 to QM_IDLE
Aug 31 05:07:53.407: ISAKMP: reserved not zero on HASH payload!
Aug 31 05:07:53.407: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 111.111.111.4 failed its sanity check or is malformed
Aug 31 05:07:53.407: ISAKMP: set new node -1793324501 to QM_IDLE
Aug 31 05:07:53.407: ISAKMP (0:164): Sending NOTIFY PAYLOAD_MALFORMED protocol 1 spi 0, message ID = -1793324501
Aug 31 05:07:53.407: ISAKMP (0:164): sending packet to 111.111.111.4 my_port 500 peer_port 500 (R) AG_INIT_EXCH
Aug 31 05:07:53.407: ISAKMP (0:164): purging node -1793324501
Aug 31 05:07:53.407: ISAKMP (0:164): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Aug 31 05:07:54.407: ISAKMP (0:164): retransmitting phase 2 AG_INIT_EXCH -519190985 ...
Aug 31 05:07:54.407: ISAKMP (0:164): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
Aug 31 05:07:54.407: ISAKMP (0:164): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
Aug 31 05:07:54.407: ISAKMP (0:164): no outgoing phase 2 packet to retransmit. -519190985 AG_INIT_EXCH
no debug all
Aug 31 05:08:01.963: ISAKMP (0:164): retransmitting phase 1 AG_INIT_EXCH...
Aug 31 05:08:01.963: ISAKMP (0:164): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Aug 31 05:08:01.963: ISAKMP (0:164): retransmitting phase 1 AG_INIT_EXCH
Aug 31 05:08:01.963: ISAKMP (0:164): sending packet to 111.111.111.4 my_port 500 peer_port 500 (R) AG_INIT_EXCH
All possible debugging has been turned off
Aug 31 05:08:03.023: ISAKMP (0:164): received packet from 111.111.111.4 dport 500 sport 500 Global (R) AG_INIT_EXCH
Aug 31 05:08:03.023: ISAKMP: reserved not zero on HASH payload!
Aug 31 05:08:03.023: ISAKMP (0:164): incrementing error counter on sa, attempt 4 of 5: PAYLOAD_MALFORMED
Aug 31 05:08:03.023: ISAKMP (0:164): sending packet to 111.111.111.4 my_port 500 peer_port 500 (R) AG_INIT_EXCH
Aug 31 05:08:03.023: ISAKMP (0:164): incrementing error counter on sa, attempt 5 of 5: reset_retransmission
Aug 31 05:08:03.435: ISAKMP (0:164): received packet from 111.111.111.4 dport 500 sport 500 Global (R) AG_INIT_EXCH
Aug 31 05:08:03.435: ISAKMP: set new node -1840514816 to QM_IDLE
Aug 31 05:08:03.435: ISAKMP: reserved not zero on HASH payload!
Aug 31 05:08:03.435: ISAKMP: set new node 231668340 to QM_IDLE
Aug 31 05:08:03.435: ISAKMP (0:164): Sending NOTIFY PAYLOAD_MALFORMED protocol 1 spi 0, message ID = 231668340
Aug 31 05:08:03.439: ISAKMP (0:164): peer does not do paranoid keepalives.
Aug 31 05:08:03.439: ISAKMP (0:164): deleting SA reason "death by retransmission throw" state (R) AG_INIT_EXCH (peer 111.111.111.4) input queue 0
Aug 31 05:08:03.439: ISAKMP (0:164): incrementing error counter on sa, attempt 6 of 5: reset_retransmission
Aug 31 05:08:03.439: ISAKMP (0:164): deleting SA reason "death by retransmission throw" state (R) AG_INIT_EXCH (peer 111.111.111.4) input queue 0
Aug 31 05:08:03.439: ISAKMP: Unlocking IKE struct 0x6366476C for isadb_mark_sa_deleted(), count 14
Aug 31 05:08:03.439: ISAKMP (0:164): deleting node -519190985 error TRUE reason "death by retransmission throw"
Aug 31 05:08:03.439: ISAKMP (0:164): deleting node -1840514816 error TRUE reason "death by retransmission throw"
Aug 31 05:08:03.439: ISAKMP (0:164): deleting node 231668340 error TRUE reason "death by retransmission throw"
Aug 31 05:08:03.439: ISAKMP (0:164): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Aug 31 05:08:03.439: ISAKMP (0:164): Old State = IKE_R_AM2  New State = IKE_DEST_SA

And this is what Linksys says:

00:00:00 [10.10.7.1] : System is ready
00:00:00 System is warm start
00:00:00 00xx@sys Firmware Version : 1.01.04, Jan 18 2005
00:00:00 Internet(static) IP is 222.222.222.4
2005-08-31 00:32:46 Get current time from NTP server : Aug. 31 2005 Tue. 0:32:46
2005-08-31 00:32:47 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
2005-08-31 00:32:49 UDP from 111.111.111.42:500 to 222.222.222.4:500
2005-08-31 00:32:49 IKE[1] Rx > AG_I2 : 111.111.111.42 HASH
2005-08-31 00:32:49 IKE[1] Tx >> QM_I1 : 111.111.111.42 HASH, SA, NONCE, KE, ID, ID
2005-08-31 00:32:55 tunnel select = 0
2005-08-31 00:32:58 NV.Log=1
2005-08-31 00:33:12 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
2005-08-31 00:33:13 IKE[1] Rx > AG_I2 : 111.111.111.42 HASH
2005-08-31 00:33:13 IKE[1] Tx >> QM_I1 : 111.111.111.42 HASH, SA, NONCE, KE, ID, ID
2005-08-31 00:33:42 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
2005-08-31 00:34:12 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
2005-08-31 00:34:13 IKE[1] Rx > AG_I2 : 111.111.111.42 HASH
2005-08-31 00:34:13 IKE[1] Tx >> QM_I1 : 111.111.111.42 HASH, SA, NONCE, KE, ID, ID
2005-08-31 00:34:42 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
2005-08-31 00:34:43 IKE[1] Rx > AG_I2 : 111.111.111.42 HASH
2005-08-31 00:34:43 IKE[1] Tx >> QM_I1 : 111.111.111.42 HASH, SA, NONCE, KE, ID, ID
2005-08-31 00:35:12 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
2005-08-31 00:35:13 IKE[1] Rx > AG_I2 : 111.111.111.42 HASH
2005-08-31 00:35:13 IKE[1] Tx >> QM_I1 : 111.111.111.42 HASH, SA, NONCE, KE, ID, ID
2005-08-31 00:35:42 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
2005-08-31 00:35:43 IKE[1] Rx > AG_I2 : 111.111.111.42 HASH
2005-08-31 00:35:43 IKE[1] Tx >> QM_I1 : 111.111.111.42 HASH, SA, NONCE, KE, ID, ID
2005-08-31 00:36:12 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
2005-08-31 00:36:23 UDP from 111.111.111.42:500 to 222.222.222.4:500
2005-08-31 00:36:23 IKE[1] Rx > AG_I2 : 111.111.111.42 HASH
2005-08-31 00:36:23 IKE[1] Tx >> QM_I1 : 111.111.111.42 HASH, SA, NONCE, KE, ID, ID
2005-08-31 00:36:39 TCP from 218.22.170.107:4820 to 222.222.222.4:42
2005-08-31 00:36:40 TCP from 218.22.170.107:4822 to 222.222.222.4:80
2005-08-31 00:36:42 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
2005-08-31 00:36:43 UDP from 111.111.111.42:500 to 222.222.222.4:500
2005-08-31 00:36:43 IKE[1] Rx > AG_I2 : 111.111.111.42 HASH
2005-08-31 00:36:43 IKE[1] Tx >> QM_I1 : 111.111.111.42 HASH, SA, NONCE, KE, ID, ID
2005-08-31 00:36:46 TCP from 218.22.170.107:4820 to 222.222.222.4:42
2005-08-31 00:36:49 TCP from 218.22.170.107:4822 to 222.222.222.4:80
2005-08-31 00:37:12 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
2005-08-31 00:37:13 UDP from 111.111.111.42:500 to 222.222.222.4:500
2005-08-31 00:37:13 IKE[1] Rx > AG_I2 : 111.111.111.42 HASH
2005-08-31 00:37:13 IKE[1] Tx >> QM_I1 : 111.111.111.42 HASH, SA, NONCE, KE, ID, ID
2005-08-31 00:37:42 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
2005-08-31 00:37:43 IKE[1] Rx > AG_I2 : 111.111.111.42 HASH
2005-08-31 00:37:43 IKE[1] Tx >> QM_I1 : 111.111.111.42 HASH, SA, NONCE, KE, ID, ID
2005-08-31 00:37:54 IKE[1] Rx > AG_I2 : 111.111.111.42 HASH
2005-08-31 00:37:54 IKE[1] Tx >> QM_I1 : 111.111.111.42 HASH, SA, NONCE, KE, ID, ID
2005-08-31 00:38:12 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
2005-08-31 00:38:13 IKE[1] Rx > AG_I2 : 111.111.111.42 HASH
2005-08-31 00:38:13 IKE[1] Tx >> QM_I1 : 111.111.111.42 HASH, SA, NONCE, KE, ID, ID

----------------------------------------------

Any idea what I am doing wrong here?

gigi
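Added example, not part of gigi's post: a small Python script that parses the two logs above and cross-checks them. The two sample inputs are short excerpts re-typed from the post (the split "life duration" line rejoined) and are labelled as constructed; the regular expressions assume the IOS "debug crypto isakmp" and BEFVP41 VPN log line formats exactly as shown, so other firmware or IOS releases may need them adjusted. What the script surfaces is only what the logs already say: the Linksys opens with AG_I1 (Aggressive Mode) although its tunnel page says Main mode; the Cisco accepts the phase 1 attributes (3DES, SHA, pre-share, group 1, and a lifetime whose VPI bytes 0x0 0x1 0x51 0x80 decode to 86400 seconds), then rejects the third aggressive-mode message because the HASH payload's reserved field is non-zero, answers with PAYLOAD_MALFORMED, and tears the SA down after retransmissions. One caveat a practitioner would add: in Aggressive Mode with pre-shared keys the responder's HASH_R is sent in the clear and can be brute-forced offline, so a six-digit key such as 112233 should not be used on a tunnel that ends up negotiating in that mode.

```python
import re
from collections import Counter

# Constructed sample input: lines re-typed from the IOS debug output in the post.
CISCO_DEBUG = """\
Aug 31 05:07:51.831: ISAKMP (0:0): received packet from 111.111.111.4 dport 500 sport 500 Global (N) NEW SA
Aug 31 05:07:51.835: ISAKMP: encryption 3DES-CBC
Aug 31 05:07:51.835: ISAKMP: hash SHA
Aug 31 05:07:51.835: ISAKMP: auth pre-share
Aug 31 05:07:51.835: ISAKMP: default group 1
Aug 31 05:07:51.835: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Aug 31 05:07:51.835: ISAKMP (0:164): atts are acceptable. Next payload is 3
Aug 31 05:07:51.963: ISAKMP (0:164): sending packet to 111.111.111.4 my_port 500 peer_port 500 (R) AG_INIT_EXCH
Aug 31 05:07:53.403: ISAKMP (0:164): received packet from 111.111.111.4 dport 500 sport 500 Global (R) AG_INIT_EXCH
Aug 31 05:07:53.407: ISAKMP: reserved not zero on HASH payload!
Aug 31 05:07:53.407: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 111.111.111.4 failed its sanity check or is malformed
Aug 31 05:07:53.407: ISAKMP (0:164): Sending NOTIFY PAYLOAD_MALFORMED protocol 1 spi 0, message ID = -1793324501
Aug 31 05:08:03.439: ISAKMP (0:164): deleting SA reason "death by retransmission throw" state (R) AG_INIT_EXCH (peer 111.111.111.4) input queue 0
"""

# Constructed sample input: the first IKE attempt from the BEFVP41 VPN log.
LINKSYS_LOG = """\
2005-08-31 00:32:47 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
2005-08-31 00:32:49 IKE[1] Rx > AG_I2 : 111.111.111.42 HASH
2005-08-31 00:32:49 IKE[1] Tx >> QM_I1 : 111.111.111.42 HASH, SA, NONCE, KE, ID, ID
2005-08-31 00:33:12 IKE[1] Tx >> AG_I1 : 111.111.111.42 SA, KE, Nonce, ID
"""

CISCO_LINE = re.compile(r"^(?P<ts>\w{3} \d+ [\d:.]+): (?P<msg>.*)$")
ATTR_LINE = re.compile(r"^ISAKMP: *(encryption|hash|auth|default group|life type|"
                       r"life duration \(VPI\) of) +(.+)$")
EXCH_LINE = re.compile(r"(?:received packet from|sending packet to) (?P<peer>[\d.]+)"
                       r".*\((?P<role>[NRI])\) (?P<exch>[A-Z_ ]+)$")
LINKSYS_LINE = re.compile(r"^(?P<ts>\S+ \S+) IKE\[(?P<tun>\d+)\] (?P<dir>Tx|Rx) >+ "
                          r"(?P<state>\w+) : (?P<peer>[\d.]+) (?P<payloads>.+)$")


def decode_life_duration(vpi: str) -> int:
    """IOS prints the variable-length lifetime as big-endian bytes: '0x0 0x1 0x51 0x80' -> 86400."""
    value = 0
    for tok in vpi.split():
        value = (value << 8) | int(tok, 16)
    return value


def parse_cisco(text: str) -> dict:
    """Accepted phase 1 attributes, exchange types, malformed-payload hits, NOTIFYs, SA deletion reason."""
    info = {"peer": None, "phase1": {}, "exchanges": Counter(),
            "malformed": 0, "notifies": Counter(), "sa_deleted_reason": None}
    for raw in text.splitlines():
        m = CISCO_LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        a = ATTR_LINE.match(msg)
        if a:                                   # one line per proposal attribute
            key, val = a.groups()
            if key.startswith("life duration"):
                info["phase1"]["lifetime_s"] = decode_life_duration(val)
            else:
                info["phase1"][key.replace("default ", "")] = val.strip()
            continue
        e = EXCH_LINE.search(msg)
        if e:                                   # which IKE exchange the packet belongs to
            info["peer"] = e.group("peer")
            info["exchanges"][e.group("exch")] += 1
        if "reserved not zero on HASH payload" in msg:
            info["malformed"] += 1
        n = re.search(r"Sending NOTIFY (\w+)", msg)
        if n:
            info["notifies"][n.group(1)] += 1
        d = re.search(r'deleting SA reason "([^"]+)"', msg)
        if d:
            info["sa_deleted_reason"] = d.group(1)
    return info


def parse_linksys(text: str) -> list:
    """One dict per IKE[n] Tx/Rx event: timestamp, direction, state name, payload list."""
    events = []
    for raw in text.splitlines():
        m = LINKSYS_LINE.match(raw.strip())
        if m:
            events.append({"ts": m["ts"], "dir": m["dir"], "state": m["state"], "peer": m["peer"],
                           "payloads": [p.strip() for p in m["payloads"].split(",")]})
    return events


def diagnose(cisco: dict, linksys: list, configured_mode: str = "main") -> list:
    """Cross-check both sides and return human-readable findings (hypothetical helper)."""
    findings = []
    init_modes = {ev["state"][:2] for ev in linksys if ev["dir"] == "Tx"}   # AG_ / MM_ / QM_
    if "AG" in init_modes and configured_mode == "main":
        findings.append("initiator sent AG_I1 (Aggressive Mode) although the tunnel is configured for Main Mode")
    if cisco["malformed"]:
        findings.append(f"responder found a non-zero reserved field in the HASH payload {cisco['malformed']} "
                        f"time(s) and sent {cisco['notifies']['PAYLOAD_MALFORMED']} PAYLOAD_MALFORMED notify(s)")
    qm_attempts = sum(1 for ev in linksys if ev["state"].startswith("QM") and ev["dir"] == "Tx")
    if qm_attempts and not any(x.startswith("QM") for x in cisco["exchanges"]):
        findings.append(f"initiator started Quick Mode {qm_attempts} time(s) but the responder never completed phase 1")
    if cisco["sa_deleted_reason"]:
        findings.append(f"phase 1 SA torn down: {cisco['sa_deleted_reason']}")
    return findings


if __name__ == "__main__":
    c, l = parse_cisco(CISCO_DEBUG), parse_linksys(LINKSYS_LOG)
    print("phase 1 accepted by responder:", c["phase1"], "exchanges:", dict(c["exchanges"]))
    for f in diagnose(c, l):
        print("-", f)
```

To use it on a real capture, paste the full debug and VPN-log text into the two strings (or read them from files) and pass the mode configured on the initiator to diagnose(); the exchanges counter makes it obvious whether the responder ever got past AG_INIT_EXCH to a Quick Mode exchange.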

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.