IPsec Tunnel between Cisco 837 and Shiva VPN Gateway

Hello Gurus,

I have been trying for almost a week to establish a tunnel between a Cisco 837 ADSL router and a Shiva VPN gateway. When I debug I have noticed that the negotiation doesn't pass through phase 1. I think what would help is the configs on both the devices. So here we go...

Cisco 837:

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxx
!
logging queue-limit 100
enable secret 5 $xxxxxxxxxxxxxxxxxxxxx
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key 0 xxxxxx address a.b.c.d
!
crypto ipsec transform-set set1 esp-des esp-md5-hmac
!
crypto map common 1 ipsec-isakmp
 set peer a.b.c.d
 set transform-set set1
 match address 110
!
interface Ethernet0
 ip address 170.10.0.1 255.255.0.0
 no ip route-cache
 ip tcp adjust-mss 1452
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip route-cache
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 hold-queue 224 in
!
interface Dialer0
 ip address negotiated
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username xxxxxxxxxxxxx password 0 xxxxxxxxxxxx
 ppp ipcp dns request
 crypto map common
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
access-list 1 permit a.b.c.d
access-list 1 permit 170.10.0.0 0.0.255.255
access-list 1 permit 170.20.0.0 0.0.255.255
access-list 101 remark Traffic allowed to enter the router from Internet
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 deny ip any any log
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit gre any any
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 110 permit ip 170.10.0.0 0.0.255.255 170.20.0.0 0.0.255.255
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 1 in
 exec-timeout 120 0
 password xxxxxxxx
 login
 length 0
!
scheduler max-task-time 5000
!

Shiva VPN version 6.90 config:

!
!!!!! NORMAL CONFIGURATION
!
hostname xxxxxxx
timezone GMT
sntp 0.0.0.0 123 0
!
int e 0
ip address 170.20.0.0 255.255.0.0
ip mtu 1500
mode red
bandwidth 100
duplex FULL
dhcp-relay enable
dhcp-relay-server m.n.o.p q.r.s.t
int e 1
ip address 192.168.135.1 255.255.255.0
ip mtu 1500
mode black
bandwidth AUTO
duplex FULL
dhcp-relay disable
int a 0
shutdown
ip address 0.0.0.0 0.0.0.0
encapsulation ppp
ip mtu 1500
mtu 2048
mode red
bandwidth 115200
keepalive 0
chat ""
idle-timeout 10
chat-timeout 30
compression off
ppp-authentication pap
bridge 0.0.0.0 0.0.0.0
!
ip red-gateway 0.0.0.0
ip black-gateway 0.0.0.0
ip default-gateway 192.168.135.200
!
key-pair-life 365
!
secure-profile IPSEC-Default
encapsulation v2-esp
authentication key
secondary-authentication none
ike-group 2
ike-algorithm des
ike-authentication hmac-md5
ike-crypto-period 1440
ike-kbyte-limit 0
aggressive-mode off
perfect-forward-secrecy off
ipsec-commitbit disable
negotiate-higher-security off
preserve-tos on
esp-authentication hmac-md5
ah none
algorithm des
tunnel-esp-mode on
crypto-period 60
kbyte-limit 100000
timeout 0
keep-alive 0
client-timeout 0
client-keep-alive 0
udp-encapsulation 0
split-tunnel enable
!
remote-group IPSEC
tunnel-type ipsec
mode red
profile IPSEC-Default
client-ip dhcp 64
auth-key
encryptor [external ip of cisco 837 router] xxx
negotiation master no
tunnel-type ipsec
mode red
failover-for 0.0.0.0 0
cleartext-backup 0.0.0.0
profile IPSEC-Default
auth-key ********
sa test
destination 170.10.0.0 255.255.0.0 all
source 170.20.0.0 255.255.0.0 all
protocol all
profile IPSEC-Default
metric 0
!
min-proxy-timeout 0
max-proxy-timeout 0
!
snmp-server
snmp-community xxxxxx
snmp-trapip 0.0.0.0 xxxxxxxx
snmp-threshold 0
snmp-bytes-per-sec 0
snmp-aggregate-threshold 0
snmp-aggregate-bytes-per-sec 0
!
ace-master 0.0.0.0 5500
ace-slave 0.0.0.0 5500
!
radius-prim-auth-ip 0.0.0.0 1645
radius-sec-auth-ip 0.0.0.0 1645
radius-prim-acct-ip 0.0.0.0 1646
radius-sec-acct-ip 0.0.0.0 1646
radius-client-logging no
!
!Secondary Syslog hosts
syslog host x.x.x.x 514
!
syslog destination host
syslog facility 7
syslog priority all 7
syslog message-id disable
!
entrust-manager 0.0.0.0 709
entrust-directory 0.0.0.0 389
entrust-refnum 0
entrust-auth-code
!
manager admin ******** full
manager-allow both
manager-protocol 17
max-telnet 2
console-timeout 5
telnet-timeout 5
!
acl-match-exact off
!
end

And Here's the snippet of the debug log from Cisco 837:

*Mar 4 22:48:32.704: ISAKMP (0:299): received packet from [SHIVA VPN EXTN IP] dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar 4 22:48:32.704: ISAKMP (0:299): phase 1 packet is a duplicate of a previous packet.
*Mar 4 22:48:32.704: ISAKMP (0:299): retransmitting due to retransmit phase 1
*Mar 4 22:48:32.704: ISAKMP (0:299): retransmitting phase 1 MM_SA_SETUP...
*Mar 4 22:48:33.204: ISAKMP (0:299): retransmitting phase 1 MM_SA_SETUP...
*Mar 4 22:48:33.204: ISAKMP (0:299): incrementing error counter on sa: retransmit phase 1
*Mar 4 22:48:33.204: ISAKMP (0:299): retransmitting phase 1 MM_SA_SETUP
*Mar 4 22:48:33.204: ISAKMP (0:299): sending packet to [SHIVA VPN EXTN IP] my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar 4 22:48:33.216: ISAKMP (0:297): retransmitting phase 1 MM_SA_SETUP...
*Mar 4 22:48:33.216: ISAKMP (0:297): incrementing error counter on sa: retransmit phase 1
*Mar 4 22:48:33.216: ISAKMP (0:297): retransmitting phase 1 MM_SA_SETUP
*Mar 4 22:48:33.216: ISAKMP (0:297): sending packet to [SHIVA VPN EXTN IP] my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar 4 22:48:38.208: ISAKMP (0:298): retransmitting phase 1 MM_SA_SETUP...
*Mar 4 22:48:38.208: ISAKMP (0:298): incrementing error counter on sa: retransmit phase 1
*Mar 4 22:48:38.208: ISAKMP (0:298): retransmitting phase 1 MM_SA_SETUP
*Mar 4 22:48:38.208: ISAKMP (0:298): sending packet to [SHIVA VPN EXTN IP] my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar 4 22:48:40.840: ISAKMP (0:0): received packet from [SHIVA VPN EXTN IP] dport 500 sport 500 Global (N) NEW SA
*Mar 4 22:48:40.840: ISAKMP: local port 500, remote port 500
*Mar 4 22:48:40.840: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 812FFA24
*Mar 4 22:48:40.840: ISAKMP (0:300): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 4 22:48:40.840: ISAKMP (0:300): Old State = IKE_READY  New State = IKE_R_MM1

*Mar 4 22:48:40.844: ISAKMP (0:300): processing SA payload. message ID = 0

*Mar 4 22:48:40.844: ISAKMP (0:300): processing vendor id payload
*Mar 4 22:48:40.844: ISAKMP (0:300): vendor ID seems Unity/DPD but major 214 mismatch
*Mar 4 22:48:40.844: ISAKMP (0:300): processing vendor id payload
*Mar 4 22:48:40.844: ISAKMP (0:300): vendor ID seems Unity/DPD but major 31 mismatch
*Mar 4 22:48:40.844: ISAKMP (0:300): processing vendor id payload
*Mar 4 22:48:40.844: ISAKMP (0:300): vendor ID seems Unity/DPD but major 254 mismatch
*Mar 4 22:48:40.844: ISAKMP: Looking for a matching key for [SHIVA VPN EXTN IP] in default : success
Crypto ISAKMP debugging is off
admin#
*Mar 4 22:48:40.844: ISAKMP (0:300): found peer pre-shared key matching [SHIVA VPN EXTN IP]
*Mar 4 22:48:40.848: ISAKMP (0:300) local preshared key found
*Mar 4 22:48:40.848: ISAKMP : Scanning profiles for xauth ...
*Mar 4 22:48:40.848: ISAKMP (0:300): Checking ISAKMP transform 1 against priority 1 policy
*Mar 4 22:48:40.848: ISAKMP:      encryption DES-CBC
*Mar 4 22:48:40.848: ISAKMP:      hash MD5
*Mar 4 22:48:40.848: ISAKMP:      auth pre-share
*Mar 4 22:48:40.848: ISAKMP:      default group 2
*Mar 4 22:48:40.848: ISAKMP:      life type in seconds
*Mar 4 22:48:40.848: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 4 22:48:40.848: ISAKMP (0:300): atts are acceptable. Next payload is 0
*Mar 4 22:48:41.072: ISAKMP (0:300): processing vendor id payload
*Mar 4 22:48:41.072: ISAKMP (0:300): vendor ID seems Unity/DPD but major 214 mismatch
*Mar 4 22:48:41.072: ISAKMP (0:300): processing vendor id payload
*Mar 4 22:48:41.072: ISAKMP (0:300): vendor ID seems Unity/DPD but major 31 mismatch
*Mar 4 22:48:41.076: ISAKMP (0:300): processing vendor id payload
*Mar 4 22:48:41.076: ISAKMP (0:300): vendor ID seems Unity/DPD but major 254 mismatch
*Mar 4 22:48:41.076: ISAKMP (0:300): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 4 22:48:41.076: ISAKMP (0:300): Old State = IKE_R_MM1  New State = IKE_R_MM1

*Mar 4 22:48:41.076: ISAKMP (0:300): sending packet to [SHIVA VPN EXTN IP] my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar 4 22:48:41.080: ISAKMP (0:300): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 4 22:48:41.080: ISAKMP (0:300): Old State = IKE_R_MM1  New State = IKE_R_MM2

*Mar 4 22:48:43.196: ISAKMP (0:291): purging SA., sa=814527AC, delme=814527AC

*Mar 4 22:48:43.204: ISAKMP (0:299): retransmitting phase 1 MM_SA_SETUP...
*Mar 4 22:48:43.204: ISAKMP (0:299): incrementing error counter on sa: retransmit phase 1
admin#
*Mar 4 22:48:43.204: ISAKMP (0:299): retransmitting phase 1 MM_SA_SETUP
admin#
admin#
admin#
*Mar 4 22:48:43.204: ISAKMP (0:299): sending packet to [SHIVA VPN EXTN IP] my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar 4 22:48:43.216: ISAKMP (0:297): retransmitting phase 1 MM_SA_SETUP...
*Mar 4 22:48:43.216: ISAKMP (0:297): peer does not do paranoid keepalives.

*Mar 4 22:48:43.216: ISAKMP (0:297): deleting SA reason "death by retransmission P1" state (R) MM_SA_SETUP (peer [SHIVA VPN EXTN IP]) input queue 0

*Mar 4 22:48:43.216: ISAKMP (0:297): deleting SA reason "death by retransmission P1" state (R

I know it's a time-consuming query. Would really appreciate any help.

Thank you Ankit Parikh

Reply to
apsolar

Looking at the logs, I see that the 837 has accepted the shiva's attributes, but I see that it feels it needs to retransmit to the shiva.

I have not configured IPSec on an IOS device (and never used a Shiva at all); my experience is with PIX. If I saw that log on a PIX, I would say "it's a routing problem, or else ESP packets are not getting through."

The first level, where it is getting the attributes, is handled with UDP 4500, but it then attempts to establish a security association via ESP (IP protocol 50). If there is a routing or filtering issue that prevents ESP from getting through, then you would get retransmits such as you see.

ESP might not get through if there is NAT (Network Address Translation) somewhere between the two devices. The older fix for that is to be sure to have a one-to-one static address translation on both sides; the newer fix for it [provided both ends support it] is to turn on isakmp "nat traversal", which creates a negotiation mechanism to detect NAT and to encapsulate within UDP if necessary. I have no idea if the Shiva supports it.

Reply to
Walter Roberson
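The reply above reads the debug by hand: SA 300 accepted the Shiva's attributes and moved to MM2, while SAs 297 and 299 kept retransmitting MM_SA_SETUP until one died "by retransmission P1". The following script automates that reading. It is an added example, not code from the thread or from Cisco; it parses `debug crypto isakmp` lines in the format shown in the post, tracks each SA's phase 1 state, retransmit count and deletion reason, and summarises where phase 1 stalled. The sample lines are constructed to mirror the posted log (peer address 203.0.113.5 is a documentation address, not the real Shiva).

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One IOS ISAKMP debug line: timestamp, SA index, message.  Lines without an
# SA index ("ISAKMP: local port 500, ...") do not match and are skipped.
LINE_RE = re.compile(
    r'^\*(?P<ts>[A-Za-z]{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): '
    r'ISAKMP \(0:(?P<sa>\d+)\):? (?P<msg>.*)$'
)
STATE_RE = re.compile(r'Old State = (?P<old>\S+)\s+New State = (?P<new>\S+)')
DELETE_RE = re.compile(
    r'deleting SA reason "(?P<reason>[^"]+)" state \((?P<role>[RI])\) (?P<state>\S+)'
)


@dataclass
class SaRecord:
    retransmits: int = 0            # "incrementing error counter" events
    atts_accepted: bool = False     # peer's phase 1 proposal matched a local policy
    states: List[str] = field(default_factory=list)   # main-mode states entered
    delete_reason: Optional[str] = None
    delete_state: Optional[str] = None


def parse_isakmp_debug(text: str) -> Dict[int, SaRecord]:
    """Fold a debug capture into one record per ISAKMP SA index."""
    sas: Dict[int, SaRecord] = defaultdict(SaRecord)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = sas[int(m['sa'])]
        msg = m['msg']
        if 'incrementing error counter' in msg:
            rec.retransmits += 1
        elif 'atts are acceptable' in msg:
            rec.atts_accepted = True
        elif (s := STATE_RE.search(msg)):
            rec.states.append(s['new'])
        elif (d := DELETE_RE.search(msg)):
            rec.delete_reason = d['reason']
            rec.delete_state = d['state']
    return dict(sas)


def diagnose(sas: Dict[int, SaRecord]) -> Dict[int, str]:
    """One verdict per SA: where in phase 1 it stalled, if it did."""
    verdicts: Dict[int, str] = {}
    for sa, rec in sorted(sas.items()):
        last = rec.states[-1] if rec.states else 'unknown state'
        if rec.delete_reason and 'retransmission P1' in rec.delete_reason:
            verdicts[sa] = (f'phase 1 died in {rec.delete_state} after {rec.retransmits} '
                            'retransmits: our reply never reached the peer, or its next '
                            'message never reached us (check UDP/500 path and NAT)')
        elif rec.atts_accepted and last == 'IKE_R_MM2':
            verdicts[sa] = 'proposal accepted and MM2 sent; waiting for peer MM3 (key exchange)'
        elif rec.retransmits:
            verdicts[sa] = f'{rec.retransmits} phase 1 retransmits so far in {last}'
        else:
            verdicts[sa] = 'no phase 1 problem recorded'
    return verdicts


# Constructed sample in the posted format (not the real capture).
SAMPLE_DEBUG = """\
*Mar  4 22:48:32.704: ISAKMP (0:299): retransmitting phase 1 MM_SA_SETUP...
*Mar  4 22:48:33.204: ISAKMP (0:299): incrementing error counter on sa: retransmit phase 1
*Mar  4 22:48:33.216: ISAKMP (0:297): incrementing error counter on sa: retransmit phase 1
*Mar  4 22:48:38.216: ISAKMP (0:297): incrementing error counter on sa: retransmit phase 1
*Mar  4 22:48:40.840: ISAKMP: local port 500, remote port 500
*Mar  4 22:48:40.840: ISAKMP (0:300): Old State = IKE_READY  New State = IKE_R_MM1
*Mar  4 22:48:40.848: ISAKMP (0:300): atts are acceptable. Next payload is 0
*Mar  4 22:48:41.080: ISAKMP (0:300): Old State = IKE_R_MM1  New State = IKE_R_MM2
*Mar  4 22:48:43.204: ISAKMP (0:299): incrementing error counter on sa: retransmit phase 1
*Mar  4 22:48:43.216: ISAKMP (0:297): deleting SA reason "death by retransmission P1" state (R) MM_SA_SETUP (peer 203.0.113.5) input queue 0
"""

if __name__ == '__main__':
    for sa, verdict in diagnose(parse_isakmp_debug(SAMPLE_DEBUG)).items():
        print(f'SA {sa}: {verdict}')
```

Run it against a pasted capture (`python3 isakmp_diag.py < debug.txt` after swapping `SAMPLE_DEBUG` for `sys.stdin.read()`). An SA that reaches `atts are acceptable` and `IKE_R_MM2` but never progresses, next to siblings dying in `MM_SA_SETUP`, is the signature of a one-way path: the 837 hears the Shiva, but what it sends back is lost or answered to a different address, which is exactly the NAT or filtering case described above.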

Hello,

I haven't configured Cisco 837 routers before. I was going through their documentation to find out how to enable NAT traversal. Couldn't find any information. Could somebody tell me how to enable NAT traversal?

Could you check the debug log again to find some other mistakes.

Thanks Ankit

Reply to
apsolar

I noticed from your 837 configuration that you are at 12.2 something. nat-traversal requires 12.2(13)T or later, and is automatic. The following page discusses it and tells how it would be turned -off-.

formatting link

Reply to
Walter Roberson
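The replies above point at filtering as one reason ESP or IKE never gets through, and at UDP/4500 as the NAT-T transport. The posted 837 config defines `access-list 101` but does not apply it to any interface, so it is not the cause here; it is still worth noticing that its `deny ip any any log` entry sits before every `permit`, so if it were ever applied inbound on Dialer0, first-match evaluation would drop ISAKMP, NAT-T and ESP before reaching the permits. The checker below is an added example (not from the thread or from Cisco): it parses IOS numbered extended ACL lines, evaluates them with first-match semantics and the implicit trailing deny, and reports what an inbound WAN ACL does to the three flows IPsec needs. The peer and local addresses are constructed documentation-range values, and the reordered ACL is a suggested layout, not the poster's.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample values, not from the thread: the Shiva's public address
# and the 837's negotiated Dialer0 address.
PEER_IP = "203.0.113.5"
LOCAL_IP = "198.51.100.9"

# Named ports used in IOS extended ACLs that matter for IPsec.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol; otherwise exact match
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # set only when the entry carries "eq <port>"


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco wildcard masks are inverted netmasks: 0 bits must match."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def _parse_addr(tokens: List[str], i: int):
    """Consume one address spec (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str, number: int) -> List[Ace]:
    """Parse 'access-list N ...' lines; remarks, icmp types and 'log' are ignored.
    Source-port qualifiers (eq right after the source address) are not handled."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 4 or t[0] != "access-list" or t[1] != str(number) or t[2] == "remark":
            continue
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(t[2], t[3], src, dst, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def ipsec_inbound_verdicts(aces: List[Ace], peer: str = PEER_IP, local: str = LOCAL_IP) -> Dict[str, str]:
    """What an inbound WAN ACL does to each flow IKE/IPsec needs from the peer."""
    return {
        "isakmp udp/500": evaluate(aces, "udp", peer, local, 500),
        "nat-t udp/4500": evaluate(aces, "udp", peer, local, 4500),
        "esp ip/50": evaluate(aces, "esp", peer, local),
    }


# Relevant entries of access-list 101, in the order posted.
POSTED_ACL_101 = """\
access-list 101 remark Traffic allowed to enter the router from Internet
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 deny ip any any log
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit gre any any
access-list 101 permit icmp any any echo-reply
"""

# Suggested reordering (assumption, not the poster's config): bogon denies first,
# then the permits including NAT-T on udp/4500, and the logging deny last.
REORDERED_ACL_101 = """\
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq 4500
access-list 101 permit esp any any
access-list 101 permit gre any any
access-list 101 permit icmp any any echo-reply
access-list 101 deny ip any any log
"""

if __name__ == "__main__":
    for name, acl in (("as posted", POSTED_ACL_101), ("reordered", REORDERED_ACL_101)):
        print(name, ipsec_inbound_verdicts(parse_acl(acl, 101)))
```

The same first-match rule applies to the Shiva side and to anything in between: a filter that passes UDP/500 but not ESP produces exactly the picture in the debug, phase 1 attributes accepted and then nothing but retransmits.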

I haven't used the Shiva at all; it appears to me that the line in the configuration for it that would likely have to be modified is

udp-encapsulation 0

I would speculate that for NAT-T the configuration value would be either 1 (logical true) or 4500 (UDP port number).

Reply to
Walter Roberson
