Hello Gurus,
I have been trying for almost a week to establish a tunnel between a Cisco 837 ADSL router and a Shiva VPN gateway. When I debug, I have noticed that the negotiation doesn't pass through phase 1. I think what would help is the configs on both the devices. So here we go..
Cisco 837:

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxx
!
logging queue-limit 100
enable secret 5 $xxxxxxxxxxxxxxxxxxxxx
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key 0 xxxxxx address a.b.c.d
!
crypto ipsec transform-set set1 esp-des esp-md5-hmac
!
crypto map common 1 ipsec-isakmp
 set peer a.b.c.d
 set transform-set set1
 match address 110
!
interface Ethernet0
 ip address 170.10.0.1 255.255.0.0
 no ip route-cache
 ip tcp adjust-mss 1452
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip route-cache
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 hold-queue 224 in
!
interface Dialer0
 ip address negotiated
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username xxxxxxxxxxxxx password 0 xxxxxxxxxxxx
 ppp ipcp dns request
 crypto map common
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
access-list 1 permit a.b.c.d
access-list 1 permit 170.10.0.0 0.0.255.255
access-list 1 permit 170.20.0.0 0.0.255.255
access-list 101 remark Traffic allowed to enter the router from Internet
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 deny ip any any log
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit gre any any
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 110 permit ip 170.10.0.0 0.0.255.255 170.20.0.0 0.0.255.255
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 1 in
 exec-timeout 120 0
 password xxxxxxxx
 login
 length 0
!
scheduler max-task-time 5000
!

Shiva VPN:

version 6.90 config
!
!!!!! NORMAL CONFIGURATION
!
hostname xxxxxxx
timezone GMT
sntp 0.0.0.0 123 0
!
int e 0
 ip address 170.20.0.0 255.255.0.0
 ip mtu 1500
 mode red
 bandwidth 100
 duplex FULL
 dhcp-relay enable
 dhcp-relay-server m.n.o.p q.r.s.t
int e 1
 ip address 192.168.135.1 255.255.255.0
 ip mtu 1500
 mode black
 bandwidth AUTO
 duplex FULL
 dhcp-relay disable
int a 0
 shutdown
 ip address 0.0.0.0 0.0.0.0
 encapsulation ppp
 ip mtu 1500
 mtu 2048
 mode red
 bandwidth 115200
 keepalive 0
 chat ""
 idle-timeout 10
 chat-timeout 30
 compression off
 ppp-authentication pap
 bridge 0.0.0.0 0.0.0.0
!
ip red-gateway 0.0.0.0
ip black-gateway 0.0.0.0
ip default-gateway 192.168.135.200
!
key-pair-life 365
!
secure-profile IPSEC-Default
 encapsulation v2-esp
 authentication key
 secondary-authentication none
 ike-group 2
 ike-algorithm des
 ike-authentication hmac-md5
 ike-crypto-period 1440
 ike-kbyte-limit 0
 aggressive-mode off
 perfect-forward-secrecy off
 ipsec-commitbit disable
 negotiate-higher-security off
 preserve-tos on
 esp-authentication hmac-md5
 ah none
 algorithm des
 tunnel-esp-mode on
 crypto-period 60
 kbyte-limit 100000
 timeout 0
 keep-alive 0
 client-timeout 0
 client-keep-alive 0
 udp-encapsulation 0
 split-tunnel enable
!
remote-group IPSEC
 tunnel-type ipsec
 mode red
 profile IPSEC-Default
 client-ip dhcp 64
 auth-key
encryptor [external ip of cisco 837 router] xxx
 negotiation master no
 tunnel-type ipsec
 mode red
 failover-for 0.0.0.0 0
 cleartext-backup 0.0.0.0
 profile IPSEC-Default
 auth-key ********
sa test
 destination 170.10.0.0 255.255.0.0 all
 source 170.20.0.0 255.255.0.0 all
 protocol all
 profile IPSEC-Default
 metric 0
!
min-proxy-timeout 0
max-proxy-timeout 0
!
snmp-server
 snmp-community xxxxxx
 snmp-trapip 0.0.0.0 xxxxxxxx
 snmp-threshold 0
 snmp-bytes-per-sec 0
 snmp-aggregate-threshold 0
 snmp-aggregate-bytes-per-sec 0
!
ace-master 0.0.0.0 5500
ace-slave 0.0.0.0 5500
!
radius-prim-auth-ip 0.0.0.0 1645
radius-sec-auth-ip 0.0.0.0 1645
radius-prim-acct-ip 0.0.0.0 1646
radius-sec-acct-ip 0.0.0.0 1646
radius-client-logging no
!
!Secondary Syslog hosts
syslog host x.x.x.x 514
!
syslog destination host
syslog facility 7
syslog priority all 7
syslog message-id disable
!
entrust-manager 0.0.0.0 709
entrust-directory 0.0.0.0 389
entrust-refnum 0
entrust-auth-code
!
manager admin ******** full
manager-allow both
manager-protocol 17
max-telnet 2
console-timeout 5
telnet-timeout 5
!
acl-match-exact off
!
end
And here's the snippet of the debug log from the Cisco 837:

*Mar 4 22:48:32.704: ISAKMP (0:299): received packet from [SHIVA VPN EXTN IP] dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar 4 22:48:32.704: ISAKMP (0:299): phase 1 packet is a duplicate of a previous packet.
*Mar 4 22:48:32.704: ISAKMP (0:299): retransmitting due to retransmit phase 1
*Mar 4 22:48:32.704: ISAKMP (0:299): retransmitting phase 1 MM_SA_SETUP...
*Mar 4 22:48:33.204: ISAKMP (0:299): retransmitting phase 1 MM_SA_SETUP...
*Mar 4 22:48:33.204: ISAKMP (0:299): incrementing error counter on sa: retransmit phase 1
*Mar 4 22:48:33.204: ISAKMP (0:299): retransmitting phase 1 MM_SA_SETUP
*Mar 4 22:48:33.204: ISAKMP (0:299): sending packet to [SHIVA VPN EXTN IP] my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar 4 22:48:33.216: ISAKMP (0:297): retransmitting phase 1 MM_SA_SETUP...
*Mar 4 22:48:33.216: ISAKMP (0:297): incrementing error counter on sa: retransmit phase 1
*Mar 4 22:48:33.216: ISAKMP (0:297): retransmitting phase 1 MM_SA_SETUP
*Mar 4 22:48:33.216: ISAKMP (0:297): sending packet to [SHIVA VPN EXTN IP] my_port 500 peer_port 500 (R) MM_SA_SETUP
(keystrokes typed at the console, "deb co" ... "ry isa", were interleaved with the line above)
*Mar 4 22:48:38.208: ISAKMP (0:298): retransmitting phase 1 MM_SA_SETUP...
*Mar 4 22:48:38.208: ISAKMP (0:298): incrementing error counter on sa: retransmit phase 1
*Mar 4 22:48:38.208: ISAKMP (0:298): retransmitting phase 1 MM_SA_SETUP
*Mar 4 22:48:38.208: ISAKMP (0:298): sending packet to [SHIVA VPN EXTN IP] my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar 4 22:48:40.840: ISAKMP (0:0): received packet from [SHIVA VPN EXTN IP] dport 500 sport 500 Global (N) NEW SA
*Mar 4 22:48:40.840: ISAKMP: local port 500, remote port 500
*Mar 4 22:48:40.840: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 812FFA24
*Mar 4 22:48:40.840: ISAKMP (0:300): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 4 22:48:40.840: ISAKMP (0:300): Old State = IKE_READY New State = IKE_R_MM1
*Mar 4 22:48:40.844: ISAKMP (0:300): processing SA payload. message ID = 0
*Mar 4 22:48:40.844: ISAKMP (0:300): processing vendor id payload
*Mar 4 22:48:40.844: ISAKMP (0:300): vendor ID seems Unity/DPD but major 214 mismatch
*Mar 4 22:48:40.844: ISAKMP (0:300): processing vendor id payload
*Mar 4 22:48:40.844: ISAKMP (0:300): vendor ID seems Unity/DPD but major 31 mismatch
*Mar 4 22:48:40.844: ISAKMP (0:300): processing vendor id payload
*Mar 4 22:48:40.844: ISAKMP (0:300): vendor ID seems Unity/DPD but major 254 mismatch
*Mar 4 22:48:40.844: ISAKMP: Looking for a matching key for [SHIVA VPN EXTN IP] in default : success
Crypto ISAKMP debugging is off
admin#
(the two console lines above were printed in the middle of the "Looking for a matching key" line)
*Mar 4 22:48:40.844: ISAKMP (0:300): found peer pre-shared key matching [SHIVA VPN EXTN IP]
*Mar 4 22:48:40.848: ISAKMP (0:300) local preshared key found
*Mar 4 22:48:40.848: ISAKMP : Scanning profiles for xauth ...
*Mar 4 22:48:40.848: ISAKMP (0:300): Checking ISAKMP transform 1 against priority 1 policy
*Mar 4 22:48:40.848: ISAKMP:      encryption DES-CBC
*Mar 4 22:48:40.848: ISAKMP:      hash MD5
*Mar 4 22:48:40.848: ISAKMP:      auth pre-share
*Mar 4 22:48:40.848: ISAKMP:      default group 2
*Mar 4 22:48:40.848: ISAKMP:      life type in seconds
*Mar 4 22:48:40.848: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar 4 22:48:40.848: ISAKMP (0:300): atts are acceptable. Next payload is 0
*Mar 4 22:48:41.072: ISAKMP (0:300): processing vendor id payload
*Mar 4 22:48:41.072: ISAKMP (0:300): vendor ID seems Unity/DPD but major 214 mismatch
*Mar 4 22:48:41.072: ISAKMP (0:300): processing vendor id payload
*Mar 4 22:48:41.072: ISAKMP (0:300): vendor ID seems Unity/DPD but major 31 mismatch
*Mar 4 22:48:41.076: ISAKMP (0:300): processing vendor id payload
*Mar 4 22:48:41.076: ISAKMP (0:300): vendor ID seems Unity/DPD but major 254 mismatch
*Mar 4 22:48:41.076: ISAKMP (0:300): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 4 22:48:41.076: ISAKMP (0:300): Old State = IKE_R_MM1 New State = IKE_R_MM1
*Mar 4 22:48:41.076: ISAKMP (0:300): sending packet to [SHIVA VPN EXTN IP] my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar 4 22:48:41.080: ISAKMP (0:300): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 4 22:48:41.080: ISAKMP (0:300): Old State = IKE_R_MM1 New State = IKE_R_MM2
*Mar 4 22:48:43.196: ISAKMP (0:291): purging SA., sa=814527AC, delme=814527AC
*Mar 4 22:48:43.204: ISAKMP (0:299): retransmitting phase 1 MM_SA_SETUP...
*Mar 4 22:48:43.204: ISAKMP (0:299): incrementing error counter on sa: retransmit phase 1
*Mar 4 22:48:43.204: ISAKMP (0:299): retransmitting phase 1 MM_SA_SETUP
admin#
*Mar 4 22:48:43.204: ISAKMP (0:299): sending packet to [SHIVA VPN EXTN IP] my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar 4 22:48:43.216: ISAKMP (0:297): retransmitting phase 1 MM_SA_SETUP...
*Mar 4 22:48:43.216: ISAKMP (0:297): peer does not do paranoid keepalives.
*Mar 4 22:48:43.216: ISAKMP (0:297): deleting SA reason "death by retransmission P1" state (R) MM_SA_SETUP (peer [SHIVA VPN EXTN IP]) input queue 0
*Mar 4 22:48:43.216: ISAKMP (0:297): deleting SA reason "death by retransmission P1" state (R

I know it's a time-consuming query. Would really appreciate any help.
Thank you,
Ankit Parikh
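Added example (my own code, not from the poster, Cisco or Shiva): a small Python triage script for the kind of `debug crypto isakmp` output quoted in the post. It parses a constructed excerpt modelled on the lines above (terminal wrap artifacts repaired), decodes the life-duration byte list the router prints, compares the peer's phase-1 proposal against the expected attributes of the post's `crypto isakmp policy 1` (DES encryption and an 86400 s lifetime are the IOS 12.2 defaults, since the policy sets neither), and reports how far each ISAKMP SA got before it was deleted. The `STATE_ORDER` list is my assumed ordering of the IOS responder main-mode states, and `SAMPLE_DEBUG` is a constructed sample that keeps the poster's `[SHIVA VPN EXTN IP]` placeholder.

```python
"""Triage helper for Cisco IOS `debug crypto isakmp` output (added example)."""
import re
from collections import defaultdict

# Constructed sample modelled on the debug lines quoted in the post above.
SAMPLE_DEBUG = """\
*Mar 4 22:48:33.204: ISAKMP (0:299): retransmitting phase 1 MM_SA_SETUP...
*Mar 4 22:48:33.204: ISAKMP (0:299): incrementing error counter on sa: retransmit phase 1
*Mar 4 22:48:40.840: ISAKMP (0:300): Old State = IKE_READY New State = IKE_R_MM1
*Mar 4 22:48:40.848: ISAKMP (0:300): Checking ISAKMP transform 1 against priority 1 policy
*Mar 4 22:48:40.848: ISAKMP:      encryption DES-CBC
*Mar 4 22:48:40.848: ISAKMP:      hash MD5
*Mar 4 22:48:40.848: ISAKMP:      auth pre-share
*Mar 4 22:48:40.848: ISAKMP:      default group 2
*Mar 4 22:48:40.848: ISAKMP:      life type in seconds
*Mar 4 22:48:40.848: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar 4 22:48:40.848: ISAKMP (0:300): atts are acceptable. Next payload is 0
*Mar 4 22:48:41.080: ISAKMP (0:300): Old State = IKE_R_MM1 New State = IKE_R_MM2
*Mar 4 22:48:43.216: ISAKMP (0:297): retransmitting phase 1 MM_SA_SETUP...
*Mar 4 22:48:43.216: ISAKMP (0:297): deleting SA reason "death by retransmission P1" state (R) MM_SA_SETUP (peer [SHIVA VPN EXTN IP]) input queue 0
"""

# Expected attributes of the post's `crypto isakmp policy 1`; encryption DES
# and lifetime 86400 s are the IOS 12.2 defaults the policy does not override.
CISCO_POLICY_1 = {"encryption": "DES-CBC", "hash": "MD5", "auth": "pre-share",
                  "group": "2", "life_type": "seconds", "lifetime_seconds": 86400}

# Assumed ordering of IOS responder main-mode states, shallowest first.
STATE_ORDER = ["IKE_READY", "IKE_R_MM1", "IKE_R_MM2", "IKE_R_MM3",
               "IKE_R_MM4", "IKE_R_MM5", "IKE_P1_COMPLETE"]

SA_RE = re.compile(r"ISAKMP \(0:(\d+)\):? (.*)")
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
DEATH_RE = re.compile(r'deleting SA reason "([^"]+)"')
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|auth|default group|life type|"
                     r"life duration \(VPI\))\s+(?:in |of )?(.*)")
ATTR_KEYS = {"encryption": "encryption", "hash": "hash", "auth": "auth",
             "default group": "group", "life type": "life_type",
             "life duration (VPI)": "life_duration_vpi"}


def decode_life_duration(vpi: str) -> int:
    """Turn the big-endian byte list IOS prints ('0x0 0x1 0x51 0x80') into seconds."""
    value = 0
    for tok in vpi.split():
        value = (value << 8) | int(tok, 16)
    return value


def parse_debug(text: str):
    """Return (per-SA records keyed by SA number, proposal attributes seen)."""
    sas = defaultdict(lambda: {"retransmits": 0, "states": [], "death": None, "accepted": False})
    proposal = {}
    for line in text.splitlines():
        m = SA_RE.search(line)
        if m:
            rec, msg = sas[m.group(1)], m.group(2)
            # IOS logs each retransmit twice; count only the '...' form.
            if msg.startswith("retransmitting phase 1") and msg.endswith("..."):
                rec["retransmits"] += 1
            if (sm := STATE_RE.search(msg)):
                rec["states"].append(sm.group(2))
            if (dm := DEATH_RE.search(msg)):
                rec["death"] = dm.group(1)
            if msg.startswith("atts are acceptable"):
                rec["accepted"] = True
            continue
        if (am := ATTR_RE.search(line)):
            key, val = ATTR_KEYS[am.group(1)], am.group(2).strip()
            proposal[key] = decode_life_duration(val) if key == "life_duration_vpi" else val
    return dict(sas), proposal


def check_phase1(proposal: dict, policy: dict = CISCO_POLICY_1) -> list:
    """List (attribute, offered, configured) triples that do not match the policy."""
    mismatches = []
    for key in ("encryption", "hash", "auth", "group", "life_type"):
        if proposal.get(key) != policy[key]:
            mismatches.append((key, proposal.get(key), policy[key]))
    offered = proposal.get("life_duration_vpi")
    if offered is not None and offered != policy["lifetime_seconds"]:
        mismatches.append(("lifetime_seconds", offered, policy["lifetime_seconds"]))
    return mismatches


def triage(text: str) -> dict:
    """Summarise whether the proposal matched, how far phase 1 got, and why SAs died."""
    sas, proposal = parse_debug(text)
    reached = [s for rec in sas.values() for s in rec["states"] if s in STATE_ORDER]
    return {
        "proposal_mismatches": check_phase1(proposal),
        "proposal_accepted": any(r["accepted"] for r in sas.values()),
        "furthest_state": max(reached, key=STATE_ORDER.index, default=None),
        "dead_sas": {sa: r["death"] for sa, r in sas.items() if r["death"]},
        "total_retransmits": sum(r["retransmits"] for r in sas.values()),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_DEBUG).items():
        print(f"{key}: {val}")
```

Run against the sample, the script reports no proposal mismatches, `proposal_accepted` true, `furthest_state` IKE_R_MM2 and SA 297 deleted for "death by retransmission P1". That is the useful reading of the quoted log: the offered DES-CBC / MD5 / pre-share / group 2 / 86400 s (which also equals the Shiva's `ike-crypto-period 1440` if that value is in minutes) is accepted, and the router sends its MM2 reply, but the main-mode exchange never advances past MM2 and the SAs time out, so the thing to verify is whether the router's reply actually reaches the Shiva and is answered, rather than the phase-1 parameters themselves.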