Troubleshoot IPsec?
We have an established IPsec tunnel, but traffic does not pass through it. I can only see my own end, and everything there seems to be in good condition.
When I run 'sh crypto ipsec sa peer x.x.x.x' I can see that packets get encapsulated, but none get decapsulated.
Running packet-tracer also shows that my traffic is allowed.
How can I know for certain that the issue is at the other end of the tunnel?
Hi Louis,
If you see that your end is encapsulating packets... then they are going into the tunnel encapsulated... the FW/VPN device at the other end should receive them and decapsulate them in the same way to send the traffic on to the destination... that is the forward traffic... the return packet, or response packet, will be encapsulated again and sent back to us, where it gets decapsulated and delivered to the requester...
So you need to check on the other end, on that firewall, and see whether it is decapsulating and encapsulating in the same way... you may need to check the routing of the remote LAN towards the remote peer, NAT, whether the IPsec policies/rules match, etc...
Run 'debug crypto ipsec 128' on your side to see if that gives you anything...
If you go through all of this step by step... no doubt you can sort the issue out...
Regards,
Knockaert
Tags: Cisco Security
Similar Questions
-
Troubleshooting IPsec Site-to-Site VPN between ASA and 1841
Hi all
in the past I've implemented several VPN connections between ASA devices. So I thought a site-to-site link between an ASA and an 1841 would be easy... but it seems I was mistaken.
I configured a site-to-site VPN as described in Document ID 110198: "SDM: IPsec Site to Site VPN between ASA/PIX and an IOS Router Configuration Example" (I did not use SDM but CCP).
I ran the wizards on the ASA with ASDM and on the 1841 (current IOS version 15.1) with CCP.
It seems Phase 1 and 2 are coming up, although my ASA in ASDM (Monitoring > VPN > VPN Statistics > Sessions) reports an established tunnel with some Tx traffic but 0 Rx traffic.
On the ASA:
Output of the command: "sh crypto ipsec sa peer 217.xx.yy.zz"

peer address: 217.86.154.120
    Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

      access-list outside_2_cryptomap_1 extended permit ip 192.168.37.0 255.255.255.0 172.20.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (LAN-A/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (LAN-G/255.255.255.0/0/0)
      current_peer: 217.xx.yy.zz

      #pkts encaps: 400, #pkts encrypt: 400, #pkts digest: 400
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 400, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 62.aa.bb.cc, remote crypto endpt.: 217.xx.yy.zz

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 39135054
      current inbound spi : B2E9E500

    inbound esp sas:
      spi: 0xB2E9E500 (3001672960)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
         sa timing: remaining key lifetime (kB/sec): (4374000/1598)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x39135054 (957567060)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
         sa timing: remaining key lifetime (kB/sec): (4373976/1598)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Output of the command: "sh crypto isakmp sa"

   Active SA: 4
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 4

1   IKE Peer: 217.xx.yy.zz
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

On the 1841:
1841#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
217.86.154.120  62.153.156.163  QM_IDLE           1002 ACTIVE

1841#sh crypto ipsec sa

interface: Dialer1
    Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
   current_peer 62.153.156.163 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
     current outbound spi: 0xB2E9E500(3001672960)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x39135054(957567060)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505068/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB2E9E500(3001672960)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505118/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access1
    Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
   current_peer 62.153.156.163 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
     current outbound spi: 0xB2E9E500(3001672960)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x39135054(957567060)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505068/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB2E9E500(3001672960)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505118/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
It seems that routing on the 1841 is working properly, as I can tear the tunnel down and bring it back up by pinging a host on the 1841's network, but not vice versa.
The 1841's "Troubleshoot VPN" report shows a message like: "The following sources are forwarded through the crypto map interface (172.20.2.0 1). Go to Configure -> Routing and correct the routing table."
I have not found an error in the 1841 config, so if one of the guys reading this thread has an idea, I would highly appreciate any hint!
This is the running configuration of the 1841:
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1841
!
boot-start-marker
boot system flash c1841-adventerprisek9-mz.151-1.T.bin
boot-end-marker
!
logging buffered 51200 notifications
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
!
memory-size iomem 20
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
dot11 syslog
ip source-route
!
no ip dhcp use vrf connected
!
ip cef
no ip bootp server
ip domain name test
ip name-server 194.25.2.129
ip name-server 194.25.2.130
ip name-server 194.25.2.131
ip name-server 194.25.2.132
ip name-server 194.25.2.133
no ipv6 cef
!
multilink bundle-name authenticated
!
!
object-group network phone
 description VoIP phone
 host 172.20.2.50
 host 172.20.2.51
!
redundancy
!
!
controller DSL 0/0/0
 mode atm
 dsl-mode shdsl symmetric annex B
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key * address 62.aa.bb.cc
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to62.aa.bb.cc
 set peer 62.aa.bb.cc
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 100
!
!
!
interface FastEthernet0/0
 description DMZ $FW_OUTSIDE$
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $ETH-LAN$$FW_INSIDE$
 ip address 172.20.2.254 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
 pvc 1/32
  pppoe-client dial-pool-number 1
 !
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 2
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxx
 ppp chap password 7 xxxxxxx8
 ppp pap sent-username xxxxxxx password 7 xxxxxxx
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
ip nat inside source static tcp 10.10.10.1 25 interface Dialer1 25
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip nat inside source route-map SDM_RMAP_2 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
logging trap notifications
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.20.2.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 deny   ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
route-map SDM_RMAP_2 permit 1
 match ip address 102
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 length 0
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 172.20.2.250 prefer
end

As I mentioned previously: any hint is much appreciated!
Best regards
Joerg
Joerg,
The ASA is not receiving any VPN packets because the IOS router is not sending anything.
Try sending packets from the 1841 LAN to the ASA LAN and see if 'sh cry ips sa' on the 1841 increments the encrypted packets (it does not).
So the problem seems to be on the router side.
I would think it is a routing problem, but you only have one default gateway (no other routes on the router).
ACL 100 is set to encrypt the traffic between the two subnets.
It seems that ACL 101 is also bypassing NAT for the VPN traffic.
Follow these steps:
Try sourcing traffic from the router's inside IP (ping 192.168.37.x source 172.20.2.254) and see whether the packets bypass the translation and get encrypted.
I would also remove ACL 100 from the inside interface on the router, because it is used for the VPN. You can create another ACL to apply to the interface.
Federico.
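The pattern in both of the questions above (encaps climbing on one side while decaps stays at zero, and the mirror image on the peer) can be read mechanically from the counters. The Python below is an added example, not code from this thread or from Cisco: it pulls the #pkts encaps/decaps counters and the SPIs out of 'show crypto ipsec sa' output from either an ASA or an IOS router, checks that each side's outbound SPI is the other side's inbound SPI, and names which side to investigate along the lines of Federico's reasoning. The two outputs embedded in it are constructed, modelled on the ASA and 1841 outputs above but with documentation addresses; the verdict names and the advice text are my own.

```python
"""Classify one-way IPsec traffic from 'show crypto ipsec sa' counters.

Added example, not from the thread: parses the #pkts encaps/decaps counters
and SPIs out of ASA or IOS output and says which side of the tunnel to look
at.  The two outputs below are constructed, modelled on the thread's ASA and
1841 outputs, with documentation addresses.
"""
import re

# Constructed ASA-style output: this side encrypts but never decrypts.
ASA_SAMPLE = """\
peer address: 203.0.113.20
    Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 198.51.100.10
      #pkts encaps: 400, #pkts encrypt: 400, #pkts digest: 400
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
      current outbound spi: 39135054
      current inbound spi : B2E9E500
"""

# Constructed IOS-style output from the far end: it decrypts but never
# encrypts a reply.
IOS_SAMPLE = """\
interface: Dialer1
    Crypto map tag: SDM_CMAP_1, local addr 203.0.113.20
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
    #send errors 0, #recv errors 0
     current outbound spi: 0xB2E9E500(3001672960)
     inbound esp sas:
      spi: 0x39135054(957567060)
"""


def _int(text, pattern):
    m = re.search(pattern, text, re.I)
    return int(m.group(1)) if m else 0


def _spi(text, direction):
    # ASA prints "current inbound spi : X"; IOS only prints the outbound SPI
    # that way and lists the inbound one under "inbound esp sas:".
    m = re.search(rf"current {direction} spi\s*:\s*(?:0x)?([0-9a-f]+)", text, re.I)
    if m is None:
        m = re.search(rf"{direction} esp sas:\s*spi:\s*(?:0x)?([0-9a-f]+)", text, re.I)
    return m.group(1).upper() if m else None


def parse_sa(text):
    """Counters and SPIs from the first SA block of a 'show crypto ipsec sa'."""
    return {
        "encaps": _int(text, r"#pkts encaps:\s*(\d+)"),
        "decaps": _int(text, r"#pkts decaps:\s*(\d+)"),
        "send_errors": _int(text, r"#send errors:?\s*(\d+)"),
        "recv_errors": _int(text, r"#recv errors:?\s*(\d+)"),
        "spi_out": _spi(text, "outbound"),
        "spi_in": _spi(text, "inbound"),
    }


def spi_consistent(local, remote):
    """Each side's outbound SPI must be the other side's inbound SPI."""
    return local["spi_out"] == remote["spi_in"] and local["spi_in"] == remote["spi_out"]


def diagnose(local, remote=None):
    """Short verdict for the local side, refined by the peer's counters
    when both outputs are at hand."""
    if local["send_errors"] or local["recv_errors"]:
        return "sa-errors"
    if local["encaps"] and local["decaps"]:
        return "bidirectional"
    if local["decaps"] and not local["encaps"]:
        # Packets arrive, but nothing local ever matches the crypto ACL on
        # the way out: local routing, NAT exemption or crypto ACL.
        return "local-not-sending"
    if local["encaps"] and not local["decaps"]:
        if remote is None:
            return "no-return-traffic"      # only one side visible
        if remote["decaps"] == 0:
            return "remote-not-receiving"   # ESP lost between the peers
        if remote["encaps"] == 0:
            return "remote-not-replying"    # peer never encrypts a reply
        return "return-path-lost"           # replies sent, never arrive
    return "idle"


ADVICE = {
    "sa-errors": "send/recv errors on the SA: check MTU, fragmentation and SA state",
    "bidirectional": "traffic flows both ways; look beyond the tunnel (host firewalls, ACLs)",
    "local-not-sending": "check local routing, NAT exemption and crypto ACL for the remote LAN",
    "no-return-traffic": "local side encrypts; get the peer's counters or debug to locate the drop",
    "remote-not-receiving": "ESP never reaches the peer: check the path, NAT-T and SPI agreement",
    "remote-not-replying": "peer decrypts but never encrypts a reply: check its routing, NAT exemption and crypto ACL",
    "return-path-lost": "peer encrypts replies that never arrive: check the return path and NAT",
    "idle": "no packet has matched the crypto ACL in either direction yet",
}


if __name__ == "__main__":
    asa, ios = parse_sa(ASA_SAMPLE), parse_sa(IOS_SAMPLE)
    print("SPIs agree:", spi_consistent(asa, ios))
    for name, local, remote in (("ASA", asa, ios), ("1841", ios, asa)):
        verdict = diagnose(local, remote)
        print(f"{name}: {verdict} -> {ADVICE[verdict]}")
```

Run against the two constructed outputs it reports the ASA as "remote-not-replying" and the 1841 as "local-not-sending", which is the conclusion Federico reached by hand; the SPI check rules out the other classic cause of one-way traffic, a stale SA on one side after a rekey.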
-
Debugging/troubleshooting an IPsec tunnel with one-way traffic
I'm setting up a corporate IPsec network consisting of a UC520 at the head end (headquarters) and several Linksys WRV routers at the remote nodes/networks. I see the ISAKMP and IPsec SAs on both ends, and from the remote networks I can ping the UC520's internal IP. However, I cannot ping any other IP on the corporate network.
From 'show cry ips sa' I see that packets are decapsulated (remote to corporate) but none are encapsulated (corporate to remote). I can also see (from a traceroute) that corporate-to-remote packets are sent to the UC520's default gateway towards the Internet instead of being placed in the tunnel. This jives with what I see in 'sho cry ips sa'.
I made sure to create an ACL for NAT so that corporate-to-remote subnets are not translated, but I don't know what else to check. I tried a 'debug ip packet detail xxx' with an ACL matching corporate-to-remote traffic, but the debug and the ACL get no hits.
Any other ideas?
Thank you
Diego
Well, it looks like your NAT exemption does not work. Check 'show ip nat trans' to confirm this while sending traffic.
Can you maybe post your NAT config (all of it)?
-
I'm confused about the ACL for the IPsec traffic. Phase 1 and Phase 2 work correctly [no errors].
I've separated the no-NAT ACL and the interesting-traffic ACL as recommended.
access-list outside_1_cryptomap
access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
I do a ping from the source to the other side (IP to IP) and the #pkts decaps and #pkts encaps increment as expected.
4 packets get decapsulated and 4 echo replies get encapsulated [I do not get a full path to the source].
So my question is: why does my access list hitcnt not increment? If the return traffic (echo reply) matches the crypto map and must be encapsulated, then I would guess the echo reply is processed by the ACL and I should see the ACL hitcnt go up. I do not see any increment at all.
Am I interpreting this incorrectly?
Thank you
Pete
The NAT 0 access list will not increment, per the following:
http://www.Cisco.com/en/us/docs/security/ASA/asa82/command/reference/no.html#wp1756533
(quoted from the URL above):
Note: Access list hit counts, as shown by the show access-list command, do not increment for NAT exemption access lists.
The crypto ACL will only increment on the first packet when it tries to bring up the tunnel; all subsequent connections will not increment the hit count.
Here is the URL for your reference:
http://www.Cisco.com/en/us/docs/security/ASA/asa82/command/reference/C5.html#wp2238243
(quoted from the URL above):
Access list hit counts increase only when the tunnel is initiated. Once the tunnel is up, the hit counts do not increase on a per-packet basis.
Hope that answers your questions.
-
Is there a GUI, other than ASDM and Cisco Security Manager, for testing IPsec site-to-site VPN tunnels on a Cisco ASA 5505/5510? I usually go through the steps listed in the link below in a terminal window, but it sucks when you have several tunnels to keep track of.
http://www.nwdump.com/troubleshooting-IPSec-VPN-on-ASA/
I would prefer one that works with FreeBSD or Linux, as Cisco Security Manager CSM v4.1 is limited to running only on Windows Server 2008 Enterprise.
Thank you
Jason
No, for troubleshooting the best way is to use the CLI, which will give you debug output on where it is failing.
For configuration, apart from the CLI, ASDM and CSM, unfortunately there is no other tool that works on Linux/FreeBSD, because the commands are specific to the ASA and limited to the CLI, ASDM or CSM.
-
Need a patch to get IPsec working with Messenger. I have fought with this for about 3 months. I can't do a Messenger call for more than a minute before having to reconnect. It's driving me crazy. Fix your product. Paul *email address removed for privacy*. Diagnostics information, settings (network security) that can block connections:
Filter name: Microsoft Instant Messaging - Provider context name: Windows Instant Messenger - Provider name: Microsoft Corp. - Provider description: Microsoft Windows Firewall: IPsec provider
Hi paulrhea,
- What version of the operating system are you using?
- Are you able to go online without problems?
- Were you able to use Messenger without any problem before?
If you use Windows 7 or Windows Vista, follow the suggestion given here. Try disabling the firewall for the moment and check whether that fixes the problem. If the problem is resolved, you may need to contact the manufacturer of the program about settings that can be changed, or check whether there are other updates for this program.
Note: A firewall can keep the computer safe from worms, hackers etc. Therefore, be sure to turn the firewall back on once you are finished with the test.
If it is Windows Firewall, see the article below:
Allow a program to communicate through Windows Firewall
Additional reference on:
-
How to troubleshoot a GRE over IPsec tunnel?
Hello
My topology has two firewalls connected through the "Internet" (a router), and behind each firewall there is a router.
On the routers I configured a GRE tunnel, which works; then I configured an IPsec tunnel on the firewalls.
I did not change the mode to transport mode in the transform-set configuration.
Everything works; if I connect a PC to one router, it can ping another PC behind the other router. However, if I change the mode to transport mode, they cannot.
I was wondering, how can I make sure that the IPsec tunnel REALLY works? How can I troubleshoot it or trace packets?
Thank you.
I was wondering, how can I make sure that the IPsec tunnel REALLY works? How can I troubleshoot it or trace packets?
To verify that the VPN tunnel works, check the output of
show crypto isakmp sa
show crypto ipsec sa
Here are the debug commands:
debug crypto condition peer ipv4 x.x.x.x, where x.x.x.x = peer IP
debug crypto isakmp 200
debug crypto ipsec 200
You will see ACTIVE in the first output, and non-zero encaps and decaps in the output of the latter.
For the GRE tunnel,
check the tunnel status via "show ip int brief". In addition, you can configure keepalives via the command:
Router# configure terminal
Router(config)# interface tunnel0
Router(config-if)# keepalive 5 4
and then run "debug tunnel keepalive" to see the tunnel hello packets going to and coming from the router.
Kind regards
Dinesh Moudgil
PS: Please rate helpful posts.
-
PIX, IOS IPsec troubleshooting commands
I'm trying to check ISAKMP and IPsec negotiation between a PIX 535 and an 1711 router, but I don't know the commands to check Phase 1 and Phase 2 on both devices. They can ping each other, so connectivity is not a problem, but I have no evidence of the negotiations taking place at the other end.
Does anyone know what the 'show #' commands are to check active Phase 1 and Phase 2 negotiations between these boxes?
Thank you
Marc
Hi Marc,
The basic show commands are 'show crypto isakmp sa' and 'show crypto ipsec sa'. To find active sessions, look for "QM_IDLE" in the isakmp sa output and for active inbound and outbound SAs in the ipsec sa output.
Debugs are also useful for establishing where a problem might lie: 'debug crypto isakmp', 'debug crypto ipsec' and 'debug crypto engine' (router only).
The following doc is a good source of info.
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_tech_note09186a00800949c5.shtml
Good luck
Paul.
-
IPSEC Services termination and anonymous logon
When the IPSEC Services stop, I get the following event in the log at startup. I also get a successful logon message for ANONYMOUS LOGON. I realize that this account may be a matter of system network access using the (intentionally, by MS?) scary ID of ANONYMOUS, but I am concerned that it could be something nasty.
Details
Product: Windows Operating System
ID: 7023
Source: Service Control Manager
Version: 5.2
Symbolic name: EVENT_SERVICE_EXIT_FAILED
Message: The %1 service terminated with the following error: %2
Explanation
The specified service stopped unexpectedly with the error specified in the message. The service closed safely.
User action
To fix the error: check the error information displayed in the message. To view the WIN32_EXIT_CODE error that SCM encountered, at the command prompt type
sc query <service name>
The displayed information can help you troubleshoot the possible causes of the error.
I tried every combination of syntax that I can think of, but I can't get this query to run. I have a firewall router and a firewall, plus live SUPERAntiSpyware protection, plus live WinPatrol, and I regularly scan with Malwarebytes and Microsoft Security Essentials. Secunia PSI keeps an eye on the status of my programs. In this case, I ran additional full scans with all of that plus 3 well-known online scanners. All say CLEAN, but I still get these messages. BTW, the 'Guest' account is disabled.
Any help please?
Hello
Did you make any changes to the computer before this problem started?
The following articles could be useful.
IPSec tools and settings
http://TechNet.Microsoft.com/en-us/library/cc738298%28WS.10%29.aspx
IPSec troubleshooting tools
http://TechNet.Microsoft.com/en-us/library/cc784300%28WS.10%29.aspx
-
Implementing IPsec port forwarding to a Windows 2012 Server behind an LRT224
Hi all, I hope someone can help me validate my troubleshooting. I'm deploying a Windows 2012 Server that will serve as a VPN server for clients. In place is an LRT224 with 4 VLANs set up. I have enabled port forwarding for IPsec (UDP/500), L2TP (UDP/1701) and L2TP (UDP/4500) to the server.
In my initial test, I put the LRT224 on the same network as my test client and had the test client (Windows 10) try to connect to the WAN interface of the LRT224. I get this message:
Thinking it could be the server configuration, I then put the client system on the same VLAN of the LRT224 as the server. When I tried to connect to it directly, using the server's IP address as the destination, it succeeded. This leads me to believe that it is the LRT224.
I confirmed that VPN passthrough is enabled.
The firmware version is: v1.0.5.03 (February 22, 2016 10:12:17)
Currently, the firewall is disabled (I would enable it once I have it working).
If anyone has ideas or notices a fault in my tests, I would really appreciate the feedback.
If additional information would be useful, please let me know what you want and I can work on it.
Thanks to all in advance.
FreeFallFour wrote:
I then put the client system on the same VLAN of the LRT224 as the server. When I tried to connect to it directly, using the server's IP address as the destination, it succeeded. This leads me to believe that it is the LRT224.
That does not normally work, as far as I know, because the VPN is an outside-in process. You should test the VPN connection from outside the server's IP subnet.
Do you have the server configured as the DNS server in the router's DHCP, with DNS proxy disabled?
Are you doing Internet connection load balancing?
-
IPsec VPN tunnel (LAN to LAN) not passing traffic
I had a temporary scenario where I need to establish an IPsec VPN between a branch (Cisco router) and HQ (VPN concentrator).
The tunnel is established at both ends, but traffic stops flowing after some 5-10 minutes. I have to manually clear the crypto session, and then connectivity is fine again. To test the above, I send ICMP packets from the branch to HQ. I can see 'crypto isakmp sa' and 'crypto ipsec sa' active and fine.
Share your opinion on this, guys!
Hello
Make sure that the lifetime matches on the router and the concentrator.
This is a doc for IPsec troubleshooting:
http://www.Cisco.com/en/us/customer/products/ps6120/products_tech_note09186a00807e0aca.shtml
Parminder Sian
-
Failing L2TP/IPsec for Android (invalid transform proposal flags - 0x800)
Hello
I have implemented an L2TP/IPsec tunnel using a Cisco 1905 router located behind a Cisco ASA firewall. This tunnel must be established between the router and mobile devices, mainly iPhones and Androids. For the sake of troubleshooting, I made sure the firewall is not in the way (opened all required ports, configured NAT and routes, etc.). It turns out that iPhones establish the tunnel correctly but Androids fail.
Apparently the problem is in phase 2 of the IPsec protocol, as the debug says:
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): invalid transform proposal flags -- 0x800
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 1024
I tried AES and 3DES in the transform sets, but it seems it just doesn't work.
Can someone help me?
Router: Cisco 1905, image: c1900-universalk9-mz.SPA.150-1.M8.bin
iPhone: 6 (iOS 8.1) and 5 (iOS 9.1)
Android: Motorola Moto G (Android 4.4.2)
Mobile device setup:
Type: L2TP/IPSec PSK
Server address:
IPSec pre-shared key: cisco
username: cisco
password: cisco
Cisco 1905 relevant config:
aaa authentication ppp default local
!
vpdn enable
!
vpdn-group L2TP
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
username cisco password cisco
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 3600
!
!
crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map ipnetconfig-map 10
 set nat demux
 set transform-set ipnetconfig
!
!
crypto map cisco 10 ipsec-isakmp dynamic ipnetconfig-map
!
!
interface GigabitEthernet0/0
 ip address 192.168.0.1 255.255.255.192
 no ip proxy-arp
 duplex auto
 speed auto
 crypto map cisco
!
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 peer default ip address pool poolipnetconfig
 ppp encrypt mppe 40
 ppp authentication ms-chap-v2 pap chap ms-chap
!
ip local pool poolipnetconfig 192.168.1.1 192.168.1.255

Debug:
12:42:30.763 18 Dec: ISAKMP (0): received 200.247.229.53 packet dport 500 sport 50003 Global (N) SA NEWS
12:42:30.763 18 Dec: ISAKMP: created a struct peer 200.247.229.53, peer port 50003
12:42:30.763 18 Dec: ISAKMP: new created position = 0x285F5FBC peer_handle = 0 x 80000018
12:42:30.763 18 Dec: ISAKMP: lock struct 0x285F5FBC, refcount 1 to peer crypto_isakmp_process_block
12:42:30.763 18 Dec: ISAKMP: 500 local port, remote port 50003
12:42:30.763 18 Dec: ISAKMP: (0): insert his with his 28840894 = success
12:42:30.763 18 Dec: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
12:42:30.763 18 Dec: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM118 Dec 12:42:30.763: ISAKMP: (0): treatment ITS payload. Message ID = 0
18 Dec 12:42:30.763: ISAKMP: (0): load useful vendor id of treatment
18 Dec 12:42:30.763: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
12:42:30.763 18 Dec: ISAKMP (0): provider ID is NAT - T RFC 3947
18 Dec 12:42:30.763: ISAKMP: (0): load useful vendor id of treatment
18 Dec 12:42:30.763: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
18 Dec 12:42:30.763: ISAKMP: (0): load useful vendor id of treatment
18 Dec 12:42:30.763: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
18 Dec 12:42:30.763: ISAKMP: (0): provider ID is NAT - T v2
18 Dec 12:42:30.763: ISAKMP: (0): load useful vendor id of treatment
18 Dec 12:42:30.763: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
18 Dec 12:42:30.763: ISAKMP: (0): load useful vendor id of treatment
18 Dec 12:42:30.763: ISAKMP: (0): IKE frag vendor processing id payload
12:42:30.763 18 Dec: ISAKMP: (0): IKE Fragmentation support not enabled
18 Dec 12:42:30.763: ISAKMP: (0): load useful vendor id of treatment
18 Dec 12:42:30.763: ISAKMP: (0): provider ID is DPD
12:42:30.763 18 Dec: ISAKMP: (0): pair found pre-shared key matching 200.247.229.53
18 Dec 12:42:30.763: ISAKMP: (0): pre-shared key local found
12:42:30.763 18 Dec: ISAKMP: analysis of the profiles for xauth...
12:42:30.767 18 Dec: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 10
12:42:30.767 18 Dec: ISAKMP: type of life in seconds
12:42:30.767 18 Dec: ISAKMP: life (basic) of 28800
12:42:30.767 18 Dec: ISAKMP: AES - CBC encryption
12:42:30.767 18 Dec: ISAKMP: keylength 256
12:42:30.767 18 Dec: ISAKMP: pre-shared key auth
12:42:30.767 18 Dec: ISAKMP: SHA hash
12:42:30.767 18 Dec: ISAKMP: group by default 2
12:42:30.767 18 Dec: ISAKMP: (0): free encryption algorithm does not match policy.
12:42:30.767 18 Dec: ISAKMP: (0): atts are not acceptable. Next payload is 3
12:42:30.767 18 Dec: ISAKMP: (0): audit ISAKMP transform 2 against the policy of priority 10
12:42:30.767 18 Dec: ISAKMP: type of life in seconds
12:42:30.767 18 Dec: ISAKMP: life (basic) of 28800
12:42:30.767 18 Dec: ISAKMP: AES - CBC encryption
12:42:30.767 18 Dec: ISAKMP: keylength 256
12:42:30.767 18 Dec: ISAKMP: pre-shared key auth
12:42:30.767 18 Dec: ISAKMP: MD5 hash
12:42:30.767 18 Dec: ISAKMP: group by default 2
12:42:30.767 18 Dec: ISAKMP: (0): free encryption algorithm does not match policy.
12:42:30.767 18 Dec: ISAKMP: (0): atts are not acceptable. Next payload is 3
12:42:30.767 18 Dec: ISAKMP: (0): audit ISAKMP transform 3 against the policy of priority 10
12:42:30.767 18 Dec: ISAKMP: type of life in seconds
12:42:30.767 18 Dec: ISAKMP: life (basic) of 28800
12:42:30.767 18 Dec: ISAKMP: AES - CBC encryption
12:42:30.767 18 Dec: ISAKMP: keylength 128
12:42:30.767 18 Dec: ISAKMP: pre-shared key auth
12:42:30.767 18 Dec: ISAKMP: SHA hash
12:42:30.767 18 Dec: ISAKMP: group by default 2
12:42:30.767 18 Dec: ISAKMP: (0): free encryption algorithm does not match policy.
12:42:30.767 18 Dec: ISAKMP: (0): atts are not acceptable. Next payload is 3
12:42:30.767 18 Dec: ISAKMP: (0): audit ISAKMP transform 4 against the policy of priority 10
12:42:30.767 18 Dec: ISAKMP: type of life in seconds
12:42:30.767 18 Dec: ISAKMP: life (basic) of 28800
12:42:30.767 18 Dec: ISAKMP: AES - CBC encryption
12:42:30.767 18 Dec: ISAKMP: keylength 128
12:42:30.767 18 Dec: ISAKMP: pre-shared key auth
12:42:30.767 18 Dec: ISAKMP: MD5 hash
12:42:30.767 18 Dec: ISAKMP: group by default 2
12:42:30.767 18 Dec: ISAKMP: (0): free encryption algorithm does not match policy.
12:42:30.767 18 Dec: ISAKMP: (0): atts are not acceptable. Next payload is 3
12:42:30.767 18 Dec: ISAKMP: (0): audit ISAKMP transform against the policy of priority 10 5
12:42:30.767 18 Dec: ISAKMP: type of life in seconds
12:42:30.767 18 Dec: ISAKMP: life (basic) of 28800
12:42:30.767 18 Dec: ISAKMP: 3DES-CBC encryption
12:42:30.767 18 Dec: ISAKMP: pre-shared key auth
12:42:30.767 18 Dec: ISAKMP: SHA hash
12:42:30.767 18 Dec: ISAKMP: group by default 2
12:42:30.767 18 Dec: ISAKMP: (0): atts are acceptable. Next payload is 3
12:42:30.767 18 Dec: ISAKMP: (0): Acceptable atts: real life: 3600
12:42:30.767 18 Dec: ISAKMP: (0): Acceptable atts:life: 0
12:42:30.767 18 Dec: ISAKMP: (0): base life_in_seconds:28800
12:42:30.767 18 Dec: ISAKMP: (0): return real life: 3600
12:42:30.767 18 Dec: ISAKMP: (0): timer life Started: 3600.18 Dec 12:42:30.767: ISAKMP: (0): load useful vendor id of treatment
18 Dec 12:42:30.767: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
12:42:30.767 18 Dec: ISAKMP (0): provider ID is NAT - T RFC 3947
18 Dec 12:42:30.767: ISAKMP: (0): load useful vendor id of treatment
18 Dec 12:42:30.767: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
18 Dec 12:42:30.767: ISAKMP: (0): load useful vendor id of treatment
18 Dec 12:42:30.767: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
18 Dec 12:42:30.767: ISAKMP: (0): provider ID is NAT - T v2
18 Dec 12:42:30.767: ISAKMP: (0): load useful vendor id of treatment
18 Dec 12:42:30.767: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
18 Dec 12:42:30.767: ISAKMP: (0): load useful vendor id of treatment
18 Dec 12:42:30.767: ISAKMP: (0): IKE frag vendor processing id payload
12:42:30.767 18 Dec: ISAKMP: (0): IKE Fragmentation support not enabled
18 Dec 12:42:30.767: ISAKMP: (0): load useful vendor id of treatment
18 Dec 12:42:30.767: ISAKMP: (0): provider ID is DPD
12:42:30.767 18 Dec: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
12:42:30.767 18 Dec: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1
18 Dec 12:42:30.767: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
18 Dec 12:42:30.767: ISAKMP: (0): lot of 200.247.229.53 sending my_port 500 peer_port 50003 (R) MM_SA_SETUP
12:42:30.767 18 Dec: ISAKMP: (0): sending a packet IPv4 IKE.
12:42:30.767 18 Dec: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
12:42:30.767 18 Dec: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM2
12:42:31.730 18 Dec: ISAKMP (0): received 200.247.229.53 packet dport 500 sport 50003 Global (R) MM_SA_SETUP
12:42:31.730 18 Dec: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
12:42:31.730 18 Dec: ISAKMP: (0): former State = new State IKE_R_MM2 = IKE_R_MM3
18 Dec 12:42:31.730: ISAKMP: (0): processing KE payload. Message ID = 0
18 Dec 12:42:31.758: ISAKMP: (0): processing NONCE payload. Message ID = 0
12:42:31.758 18 Dec: ISAKMP: (0): pair found pre-shared key matching 200.247.229.53
12:42:31.758 18 Dec: ISAKMP: receives the payload type 20
12:42:31.758 18 Dec: ISAKMP (1028): NAT found, both nodes inside the NAT
12:42:31.758 18 Dec: ISAKMP: receives the payload type 20
12:42:31.758 18 Dec: ISAKMP (1028): NAT found, both nodes inside the NAT
12:42:31.758 18 Dec: ISAKMP: (1028): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
12:42:31.758 18 Dec: ISAKMP: (1028): former State = new State IKE_R_MM3 = IKE_R_MM3
18 Dec 12:42:31.758: ISAKMP: (1028): lot of 200.247.229.53 sending my_port 500 peer_port 50003 (R) MM_KEY_EXCH
12:42:31.758 18 Dec: ISAKMP: (1028): sending a packet IPv4 IKE.
12:42:31.758 18 Dec: ISAKMP: (1028): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
12:42:31.758 18 Dec: ISAKMP: (1028): former State = new State IKE_R_MM3 = IKE_R_MM4
12:42:32.278 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50001 Global (R) MM_KEY_EXCH
12:42:32.278 18 Dec: ISAKMP: (1028): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
12:42:32.278 18 Dec: ISAKMP: (1028): former State = new State IKE_R_MM4 = IKE_R_MM5
18 Dec 12:42:32.278: ISAKMP: (1028): payload ID for treatment. Message ID = 0
12:42:32.278 18 Dec: ISAKMP (1028): payload ID
next payload: 8
type: 1
address: 10.92.110.15
Protocol: 17
Port: 500
Length: 12
12:42:32.278 18 Dec: ISAKMP: (0): peer games * no * profiles
18 Dec 12:42:32.278: ISAKMP: (1028): HASH payload processing. Message ID = 0
12:42:32.278 18 Dec: ISAKMP: (1028): SA authentication status:
authenticated
12:42:32.278 18 Dec: ISAKMP: (1028): SA has been authenticated with 200.247.229.53
12:42:32.278 18 Dec: ISAKMP: (1028): port detected floating port = 50001
12:42:32.278 18 Dec: ISAKMP: attempts to insert a peer and inserted 192.168.0.1/200.247.229.53/50001/ 285F5FBC successfully.
12:42:32.278 18 Dec: ISAKMP: (1028): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
12:42:32.278 18 Dec: ISAKMP: (1028): former State = new State IKE_R_MM5 = IKE_R_MM5
12:42:32.278 18 Dec: ISAKMP: (1028): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
12:42:32.278 18 Dec: ISAKMP (1028): payload ID
next payload: 8
type: 1
address: 192.168.0.1
Protocol: 17
Port: 0
Length: 12
12:42:32.278 18 Dec: ISAKMP: (1028): the total payload length: 12
18 Dec 12:42:32.278: ISAKMP: (1028): lot of 200.247.229.53 sending peer_port my_port 4500 50001 (R) MM_KEY_EXCH
12:42:32.278 18 Dec: ISAKMP: (1028): sending a packet IPv4 IKE.
12:42:32.278 18 Dec: ISAKMP: (1028): real life of return: 3600
12:42:32.278 18 Dec: ISAKMP: node set 662318345 to QM_IDLE
12:42:32.278 18 Dec: ISAKMP: (1028): Protocol to send NOTIFIER RESPONDER_LIFETIME 1
SPI 672252680, message ID = 662318345
18 Dec 12:42:32.278: ISAKMP: (1028): lot of 200.247.229.53 sending peer_port my_port 4500 50001 (R) MM_KEY_EXCH
12:42:32.278 18 Dec: ISAKMP: (1028): sending a packet IPv4 IKE.
12:42:32.278 18 Dec: ISAKMP: (1028): purge the node 662318345
12:42:32.278 18 Dec: ISAKMP: phase sending 1 machine life 3600
12:42:32.278 18 Dec: ISAKMP: (1028): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
12:42:32.278 18 Dec: ISAKMP: (1028): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE
12:42:32.278 18 Dec: ISAKMP: (1028): IKE_DPD is enabled, the initialization of timers
12:42:32.282 18 Dec: ISAKMP: (1028): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
12:42:32.282 18 Dec: ISAKMP: (1028): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
12:42:32.834 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50001 Global (R) QM_IDLE
12:42:32.834 18 Dec: ISAKMP: node set-647285005 to QM_IDLE
18 Dec 12:42:32.834: ISAKMP: (1028): HASH payload processing. Message ID =-647285005
18 Dec 12:42:32.834: ISAKMP: (1028): treatment protocol NOTIFIER INITIAL_CONTACT 1
SPI 0, message ID =-647285005, his 28840894 =
12:42:32.834 18 Dec: ISAKMP: (1028): SA authentication status:
authenticated
18 Dec 12:42:32.834: ISAKMP: (1028): process of first contact.
dropping existing phase 1 and 2 with local 192.168.0.1 distance distance 200.247.229.53 port 50001
12:42:32.834 18 Dec: ISAKMP: (1028): node-647285005 error suppression FALSE reason 'informational (en) State 1.
12:42:32.834 18 Dec: ISAKMP: (1028): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
12:42:32.834 18 Dec: ISAKMP: (1028): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
18 Dec 12:42:32.834: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
12:42:34.222 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50004 Global (R) QM_IDLE
12:42:34.222 18 Dec: ISAKMP: node set-725923158 to QM_IDLE
18 Dec 12:42:34.222: ISAKMP: (1028): HASH payload processing. Message ID =-725923158
18 Dec 12:42:34.222: ISAKMP: (1028): treatment ITS payload. Message ID =-725923158
12:42:34.222 18 Dec: ISAKMP: (1028): proposal of IPSec checking 1
12:42:34.222 18 Dec: ISAKMP: turn 1, ESP_AES
12:42:34.222 18 Dec: ISAKMP: attributes of transformation:
12:42:34.222 18 Dec: ISAKMP: type of life in seconds
12:42:34.222 18 Dec: ISAKMP: life of HIS (basic) of 28800
12:42:34.222 18 Dec: ISAKMP: program is 4 (Transport-UDP)
12:42:34.222 18 Dec: ISAKMP: key length is 256
12:42:34.222 18 Dec: ISAKMP: authenticator is HMAC-SHA
12:42:34.222 18 Dec: ISAKMP: (1028): atts are acceptable.
12:42:34.222 18 Dec: ISAKMP: (1028): proposal of IPSec checking 1
12:42:34.222 18 Dec: ISAKMP: turning 2, ESP_AES
12:42:34.222 18 Dec: ISAKMP: attributes of transformation:
12:42:34.222 18 Dec: ISAKMP: type of life in seconds
12:42:34.222 18 Dec: ISAKMP: life of HIS (basic) of 28800
12:42:34.222 18 Dec: ISAKMP: program is 4 (Transport-UDP)
12:42:34.222 18 Dec: ISAKMP: key length is 256
12:42:34.222 18 Dec: ISAKMP: authenticator is HMAC-MD5
12:42:34.222 18 Dec: ISAKMP: (1028): atts are acceptable.
12:42:34.222 18 Dec: ISAKMP: (1028): proposal of IPSec checking 1
12:42:34.222 18 Dec: ISAKMP: turn 3, ESP_AES
12:42:34.222 18 Dec: ISAKMP: attributes of transformation:
12:42:34.222 18 Dec: ISAKMP: type of life in seconds
12:42:34.222 18 Dec: ISAKMP: life of HIS (basic) of 28800
12:42:34.222 18 Dec: ISAKMP: program is 4 (Transport-UDP)
12:42:34.222 18 Dec: ISAKMP: key length is 128
12:42:34.222 18 Dec: ISAKMP: authenticator is HMAC-SHA
12:42:34.222 18 Dec: ISAKMP: (1028): atts are acceptable.
12:42:34.222 18 Dec: ISAKMP: (1028): proposal of IPSec checking 1
12:42:34.222 18 Dec: ISAKMP: turn 4, ESP_AES
12:42:34.222 18 Dec: ISAKMP: attributes of transformation:
12:42:34.222 18 Dec: ISAKMP: type of life in seconds
12:42:34.222 18 Dec: ISAKMP: life of HIS (basic) of 28800
12:42:34.222 18 Dec: ISAKMP: program is 4 (Transport-UDP)
12:42:34.222 18 Dec: ISAKMP: key length is 128
12:42:34.222 18 Dec: ISAKMP: authenticator is HMAC-MD5
12:42:34.222 18 Dec: ISAKMP: (1028): atts are acceptable.
12:42:34.222 18 Dec: ISAKMP: (1028): proposal of IPSec checking 1
12:42:34.222 18 Dec: ISAKMP: turn 5, ESP_3DES
12:42:34.222 18 Dec: ISAKMP: attributes of transformation:
12:42:34.222 18 Dec: ISAKMP: type of life in seconds
12:42:34.226 18 Dec: ISAKMP: life of HIS (basic) of 28800
12:42:34.226 18 Dec: ISAKMP: program is 4 (Transport-UDP)
12:42:34.226 18 Dec: ISAKMP: authenticator is HMAC-SHA
12:42:34.226 18 Dec: ISAKMP: (1028): atts are acceptable.
12:42:34.226 18 Dec: ISAKMP: (1028): proposal of IPSec checking 1
12:42:34.226 18 Dec: ISAKMP: turn 6, ESP_3DES
12:42:34.226 18 Dec: ISAKMP: attributes of transformation:
12:42:34.226 18 Dec: ISAKMP: type of life in seconds
12:42:34.226 18 Dec: ISAKMP: life of HIS (basic) of 28800
12:42:34.226 18 Dec: ISAKMP: program is 4 (Transport-UDP)
12:42:34.226 18 Dec: ISAKMP: authenticator is HMAC-MD5
12:42:34.226 18 Dec: ISAKMP: (1028): atts are acceptable.
12:42:34.226 18 Dec: ISAKMP: (1028): proposal of IPSec checking 1
12:42:34.226 18 Dec: ISAKMP: turn 7, ESP_DES
12:42:34.226 18 Dec: ISAKMP: attributes of transformation:
12:42:34.226 18 Dec: ISAKMP: type of life in seconds
12:42:34.226 18 Dec: ISAKMP: life of HIS (basic) of 28800
12:42:34.226 18 Dec: ISAKMP: program is 4 (Transport-UDP)
12:42:34.226 18 Dec: ISAKMP: authenticator is HMAC-SHA
12:42:34.226 18 Dec: ISAKMP: (1028): atts are acceptable.
12:42:34.226 18 Dec: ISAKMP: (1028): proposal of IPSec checking 1
12:42:34.226 18 Dec: ISAKMP: turn 8, ESP_DES
12:42:34.226 18 Dec: ISAKMP: attributes of transformation:
12:42:34.226 18 Dec: ISAKMP: type of life in seconds
12:42:34.226 18 Dec: ISAKMP: life of HIS (basic) of 28800
12:42:34.226 18 Dec: ISAKMP: program is 4 (Transport-UDP)
12:42:34.226 18 Dec: ISAKMP: authenticator is HMAC-MD5
12:42:34.226 18 Dec: ISAKMP: (1028): atts are acceptable.
18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 the proposal
18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 of the proposal
(Eng. msg key.) Local INCOMING = 192.168.0.1, distance = 200.247.229.53,.
local_proxy = 201.229.58.242/255.255.255.255/17/1701 (type = 1),
remote_proxy = 200.247.229.53/255.255.255.255/17/0 (type = 1),
Protocol = ESP, transform = NONE (UDP Transport),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 256, flags = 0 x 0
18 Dec 12:42:34.226: IPSEC (ipsec_process_proposal): application for conversion not supported for identity:
{esp - aes 256 esp-sha-hmac}
18 Dec 12:42:34.226: ISAKMP: (1028): IPSec policy invalidated proposal with error 256
18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 the proposal
18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 of the proposal
(Eng. msg key.) Local INCOMING = 192.168.0.1, distance = 200.247.229.53,.
local_proxy = 201.229.58.242/255.255.255.255/17/1701 (type = 1),
remote_proxy = 200.247.229.53/255.255.255.255/17/0 (type = 1),
Protocol = ESP, transform = NONE (UDP Transport),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 256, flags = 0 x 0
18 Dec 12:42:34.226: IPSEC (ipsec_process_proposal): application for conversion not supported for identity:
{esp - aes 256 esp-md5-hmac}
18 Dec 12:42:34.226: ISAKMP: (1028): IPSec policy invalidated proposal with error 256
18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 the proposal
18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 of the proposal
(Eng. msg key.) Local INCOMING = 192.168.0.1, distance = 200.247.229.53,.
local_proxy = 201.229.58.242/255.255.255.255/17/1701 (type = 1),
remote_proxy = 200.247.229.53/255.255.255.255/17/0 (type = 1),
Protocol = ESP, transform = NONE (UDP Transport),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 128, flags = 0 x 0
18 Dec 12:42:34.226: IPSEC (ipsec_process_proposal): application for conversion not supported for identity:
{esp - aes esp-sha-hmac}
18 Dec 12:42:34.226: ISAKMP: (1028): IPSec policy invalidated proposal with error 256
18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 the proposal
18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 of the proposal
(Eng. msg key.) Local INCOMING = 192.168.0.1, distance = 200.247.229.53,.
local_proxy = 201.229.58.242/255.255.255.255/17/1701 (type = 1),
remote_proxy = 200.247.229.53/255.255.255.255/17/0 (type = 1),
Protocol = ESP, transform = NONE (UDP Transport),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 128, flags = 0 x 0
18 Dec 12:42:34.226: IPSEC (ipsec_process_proposal): application for conversion not supported for identity:
{esp - aes esp-md5-hmac}
18 Dec 12:42:34.226: ISAKMP: (1028): IPSec policy invalidated proposal with error 256
18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 the proposal
18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 of the proposal
(Eng. msg key.) Local INCOMING = 192.168.0.1, distance = 200.247.229.53,.
local_proxy = 201.229.58.242/255.255.255.255/17/1701 (type = 1),
remote_proxy = 200.247.229.53/255.255.255.255/17/0 (type = 1),
Protocol = ESP, transform = NONE (UDP Transport),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
18 Dec 12:42:34.226: IPSEC (ipsec_process_proposal): invalid transform proposal flags - 0 x 800
18 Dec 12:42:34.226: ISAKMP: (1028): IPSec policy invalidated proposal with error 1024
18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 the proposal
18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 of the proposal
(Eng. msg key.) Local INCOMING = 192.168.0.1, distance = 200.247.229.53,.
local_proxy = 201.229.58.242/255.255.255.255/17/1701 (type = 1),
remote_proxy = 200.247.229.53/255.255.255.255/17/0 (type = 1),
Protocol = ESP, transform = NONE (UDP Transport),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
18 Dec 12:42:34.226: IPSEC (ipsec_process_proposal): application for conversion not supported for identity:
{esp-3des esp-md5-hmac}
18 Dec 12:42:34.226: ISAKMP: (1028): IPSec policy invalidated proposal with error 256
18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 the proposal
18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 of the proposal
(Eng. msg key.) Local INCOMING = 192.168.0.1, distance = 200.247.229.53,.
local_proxy = 201.229.58.242/255.255.255.255/17/1701 (type = 1),
remote_proxy = 200.247.229.53/255.255.255.255/17/0 (type = 1),
Protocol = ESP, transform = NONE (UDP Transport),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
18 Dec 12:42:34.226: IPSEC (ipsec_process_proposal): application for conversion not supported for identity:
{des-esp esp-sha-hmac}
18 Dec 12:42:34.226: ISAKMP: (1028): IPSec policy invalidated proposal with error 256
18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 the proposal
18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 of the proposal
(Eng. msg key.) Local INCOMING = 192.168.0.1, distance = 200.247.229.53,.
local_proxy = 201.229.58.242/255.255.255.255/17/1701 (type = 1),
remote_proxy = 200.247.229.53/255.255.255.255/17/0 (type = 1),
Protocol = ESP, transform = NONE (UDP Transport),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
18 Dec 12:42:34.226: IPSEC (ipsec_process_proposal): application for conversion not supported for identity:
{des-esp esp-md5-hmac}
18 Dec 12:42:34.226: ISAKMP: (1028): IPSec policy invalidated proposal with error 256
18 Dec 12:42:34.226: ISAKMP: (1028): politics of ITS phase 2 is not acceptable! (local 192.168.0.1 200.247.229.53 remote)
12:42:34.226 18 Dec: ISAKMP: node set 924420306 to QM_IDLE
12:42:34.226 18 Dec: ISAKMP: (1028): Protocol to send NOTIFIER PROPOSAL_NOT_CHOSEN 3
SPI 672251800, message ID = 924420306
18 Dec 12:42:34.226: ISAKMP: (1028): lot of 200.247.229.53 sending peer_port my_port 4500 50001 (R) QM_IDLE
12:42:34.226 18 Dec: ISAKMP: (1028): sending a packet IPv4 IKE.
12:42:34.226 18 Dec: ISAKMP: (1028): purge the node 924420306
12:42:34.226 18 Dec: ISAKMP: (1028): node-725923158 error suppression REAL reason "QM rejected."
12:42:34.226 18 Dec: ISAKMP: (1028): entrance, node-725923158 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
12:42:34.226 18 Dec: ISAKMP: (1028): former State = new State IKE_QM_READY = IKE_QM_READY
12:42:36.558 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50004 Global (R) QM_IDLE
18 Dec 12:42:36.558: ISAKMP: (1028): package of phase 2 is a duplicate of a previous package.
18 Dec 12:42:36.558: ISAKMP: (1028): retransmission due to the phase 2 retransmission
18 Dec 12:42:36.558: ISAKMP: (1028): ignorance, retransmission, because phase2 node marked 725923158 dead
12:42:40.670 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50004 Global (R) QM_IDLE
18 Dec 12:42:40.670: ISAKMP: (1028): package of phase 2 is a duplicate of a previous package.
18 Dec 12:42:40.670: ISAKMP: (1028): retransmission due to the phase 2 retransmission
18 Dec 12:42:40.670: ISAKMP: (1028): ignorance, retransmission, because phase2 node marked 725923158 dead
12:42:42.566 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50004 Global (R) QM_IDLE
18 Dec 12:42:42.566: ISAKMP: (1028): package of phase 2 is a duplicate of a previous package.
18 Dec 12:42:42.566: ISAKMP: (1028): retransmission due to the phase 2 retransmission
18 Dec 12:42:42.566: ISAKMP: (1028): ignorance, retransmission, because phase2 node marked 725923158 dead
12:42:47.262 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50004 Global (R) QM_IDLE
18 Dec 12:42:47.262: ISAKMP: (1028): package of phase 2 is a duplicate of a previous package.
18 Dec 12:42:47.262: ISAKMP: (1028): retransmission due to the phase 2 retransmission
18 Dec 12:42:47.262: ISAKMP: (1028): ignorance, retransmission, because phase2 node marked 725923158 dead
12:42:49.414 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50004 Global (R) QM_IDLE
18 Dec 12:42:49.414: ISAKMP: (1028): package of phase 2 is a duplicate of a previous package.
18 Dec 12:42:49.414: ISAKMP: (1028): retransmission due to the phase 2 retransmission
18 Dec 12:42:49.414: ISAKMP: (1028): ignorance, retransmission, because phase2 node marked 725923158 dead
12:42:52.466 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50004 Global (R) QM_IDLE
18 Dec 12:42:52.466: ISAKMP: (1028): package of phase 2 is a duplicate of a previous package.
18 Dec 12:42:52.466: ISAKMP: (1028): retransmission due to the phase 2 retransmission
18 Dec 12:42:52.466: ISAKMP: (1028): ignorance, retransmission, because phase2 node marked 725923158 dead
12:42:54.574 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50004 Global (R) QM_IDLE
18 Dec 12:42:54.574: ISAKMP: (1028): package of phase 2 is a duplicate of a previous package.
18 Dec 12:42:54.574: ISAKMP: (1028): retransmission due to the phase 2 retransmission
18 Dec 12:42:54.574: ISAKMP: (1028): ignorance, retransmission, because phase2 node marked 725923158 dead
12:42:58.738 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50004 Global (R) QM_IDLE
18 Dec 12:42:58.738: ISAKMP: (1028): package of phase 2 is a duplicate of a previous package.
18 Dec 12:42:58.738: ISAKMP: (1028): retransmission due to the phase 2 retransmission
18 Dec 12:42:58.738: ISAKMP: (1028): ignorance, retransmission, because phase2 node marked 725923158 dead
12:43:00.626 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50004 Global (R) QM_IDLE
18 Dec 12:43:00.626: ISAKMP: (1028): package of phase 2 is a duplicate of a previous package.
18 Dec 12:43:00.626: ISAKMP: (1028): retransmission due to the phase 2 retransmission
18 Dec 12:43:00.626: ISAKMP: (1028): ignorance, retransmission, because phase2 node marked 725923158 dead
12:43:04.274 Dec 18: L2X:pak 0 nec vrf tableid
12:43:04.274 18 Dec: L2X: Punting to the queue of L2TP control messages
12:43:04.274 Dec 18: L2X:pak 0 nec vrf tableid
12:43:04.274 18 Dec: L2X: Punting to the queue of L2TP control messages
12:43:04.278 18 Dec: L2TP _: _: ERROR: NULL found l2x cc with handle [32787]
In fact, the main problem is NAT-T, so avoiding the connection through NAT-T should work.
The solution of closure seems to be a possible workaround.
Enjoy the holidays!
-Randy-
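A capture like the one above runs to hundreds of lines, and the handful that decide the outcome (which ISAKMP transform was accepted, whether NAT was detected, which IPsec proposals the responder refused and why) are easy to miss. The following Python script is an added example, not code from this thread or from Cisco: it scans IOS `debug crypto isakmp` / `debug crypto ipsec` text for those decision lines and names the phase the negotiation died in. The sample at the bottom is constructed to mirror the thread's capture using the standard English IOS wording; the error-code meanings it reports come from the messages paired with each code in that capture, not from an official table.

```python
"""Summarise a Cisco IOS 'debug crypto isakmp' / 'debug crypto ipsec' capture.

Added example, not code from the thread or from Cisco. It scans the debug
text for the decision lines (ISAKMP transform accepted or rejected, NAT
detected, IPsec proposal invalidated, PROPOSAL_NOT_CHOSEN sent) and reports
which phase the negotiation failed in. SAMPLE_DEBUG is constructed to mirror
the thread's capture with the standard English IOS wording.
"""
import re
from collections import Counter

# Decision lines in IOS IKEv1 debug output; regexes tolerate the small
# spacing differences between releases ("ISAKMP:(0):" vs "ISAKMP: (0): ").
P1_REJECT = re.compile(r"ISAKMP:?\s*\(\d+\):\s*atts are not acceptable")
P1_ACCEPT = re.compile(r"ISAKMP:?\s*\(\d+\):\s*atts are acceptable")
NAT_FOUND = re.compile(r"NAT found")
PROXY = re.compile(r"(local_proxy|remote_proxy)\s*=\s*(\S+)\s*\(type\s*=\s*\d+\)")
P2_XFORM = re.compile(r"\{([^}]+)\}")  # e.g. {esp-aes 256 esp-sha-hmac}
P2_REJECT = re.compile(r"IPSec policy invalidated proposal with error (\d+)")
P2_FAIL = re.compile(r"phase 2 SA policy not acceptable")
NOT_CHOSEN = re.compile(r"PROPOSAL_NOT_CHOSEN")


def summarise_ike_debug(lines):
    """Walk the debug lines once and record how far the exchange got."""
    summary = {
        "phase1_rejected_transforms": 0,    # ISAKMP transforms that matched no policy
        "phase1_accepted": False,           # at least one ISAKMP transform matched
        "nat_t": False,                     # 'NAT found' -> UDP 4500 encapsulation
        "proxies": {},                      # local_proxy / remote_proxy offered
        "phase2_rejected": [],              # (transform set, IOS error code) per refusal
        "phase2_failed": False,             # 'phase 2 SA policy not acceptable!'
        "proposal_not_chosen_sent": False,  # responder told the peer nothing matched
    }
    pending_xform = None  # transform set printed just before its rejection line
    for line in lines:
        if P1_REJECT.search(line):
            summary["phase1_rejected_transforms"] += 1
        elif P1_ACCEPT.search(line):
            summary["phase1_accepted"] = True
        if NAT_FOUND.search(line):
            summary["nat_t"] = True
        m = PROXY.search(line)
        if m:
            summary["proxies"][m.group(1)] = m.group(2)
        m = P2_XFORM.search(line)
        if m:
            pending_xform = " ".join(m.group(1).split())
        m = P2_REJECT.search(line)
        if m:
            summary["phase2_rejected"].append((pending_xform, int(m.group(1))))
            pending_xform = None
        if P2_FAIL.search(line):
            summary["phase2_failed"] = True
        if NOT_CHOSEN.search(line):
            summary["proposal_not_chosen_sent"] = True
    return summary


def diagnose(summary):
    """Return (short code, explanation) pointing at the layer to fix first."""
    if not summary["phase1_accepted"]:
        return ("phase1-mismatch",
                "no ISAKMP transform was accepted: compare encryption, hash, DH group, "
                "lifetime and authentication method in both peers' ISAKMP policies")
    if summary["phase2_rejected"] or summary["phase2_failed"]:
        sets = sorted({x for x, _ in summary["phase2_rejected"] if x})
        codes = dict(Counter(c for _, c in summary["phase2_rejected"]))
        code = "phase2-mismatch-behind-nat" if summary["nat_t"] else "phase2-mismatch"
        text = ("phase 1 completed but every IPsec proposal was refused "
                f"(transform sets: {', '.join(sets) or 'n/a'}; error codes: {codes}): "
                "the responder has no transform set / crypto map entry for the identity "
                f"{summary['proxies'].get('local_proxy', '?')} -> "
                f"{summary['proxies'].get('remote_proxy', '?')}")
        if summary["nat_t"]:
            text += ("; NAT-T is in use, so also confirm the NAT device and both peers "
                     "permit UDP 4500 and that tunnel/transport mode matches")
        return (code, text)
    return ("negotiation-ok",
            "no rejection in this capture: check SA packet counters and routing instead")


# Constructed sample modelled on the thread's capture: phase 1 agrees on its
# second transform, NAT-T is detected, then every phase 2 proposal is refused.
SAMPLE_DEBUG = """\
Dec 18 12:42:30.767: ISAKMP:(0): checking ISAKMP transform 4 against priority 10 policy
Dec 18 12:42:30.767: ISAKMP:(0):Encryption algorithm offered does not match policy!
Dec 18 12:42:30.767: ISAKMP:(0):atts are not acceptable. Next payload is 3
Dec 18 12:42:30.767: ISAKMP:(0): checking ISAKMP transform 5 against priority 10 policy
Dec 18 12:42:30.767: ISAKMP:(0):atts are acceptable. Next payload is 3
Dec 18 12:42:31.758: ISAKMP (1028): NAT found, both nodes inside NAT
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.0.1, remote= 200.247.229.53,
    local_proxy= 201.229.58.242/255.255.255.255/17/1701 (type=1),
    remote_proxy= 200.247.229.53/255.255.255.255/17/0 (type=1),
    protocol= ESP, transform= NONE  (UDP Transport),
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-sha-hmac}
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): invalid transform proposal flags -- 0x800
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 1024
Dec 18 12:42:34.226: ISAKMP:(1028): phase 2 SA policy not acceptable! (local 192.168.0.1 remote 200.247.229.53)
Dec 18 12:42:34.226: ISAKMP:(1028): sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
""".splitlines()

if __name__ == "__main__":
    code, why = diagnose(summarise_ike_debug(SAMPLE_DEBUG))
    print(code)
    print(why)
```

Feed it a saved capture with `summarise_ike_debug(open("debug.txt").read().splitlines())`. On the thread's output it reports a phase 2 mismatch behind NAT with host (/32, UDP 1701) proxy identities, which is the L2TP/IPsec transport-mode flow the responder has no matching crypto map for; that is the same conclusion Randy reaches by eye.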
-
Original title: The IPsec negotiation failure prevents the connection
My internet connection constantly drops and restarts, and when I troubleshoot I get this message: "The IPsec negotiation failure prevents the connection." I don't use VPN or anything, so I have no idea what it means. I have restarted the router several times. Any other ideas?
Hello
1. Are you using a wired or a wireless connection?
2. Did it work well before?
3. Did you make any changes to the computer before the issue started?
Method 1: Reset the router and see if that helps.
Note: To help you reset the router, you can consult the manual that came with the router or the router contact manufacturer.
Method 2: Uninstall and reinstall the NIC drivers and see if that helps.
See the following steps:
(a) Click Start, then right-click Computer.
(b) Click Properties, then click Device Manager.
(c) Expand Network adapters, then right-click the wireless adapter.
(d) Click Uninstall.
(e) Now go to your computer/wireless device manufacturer's website, download the updated drivers and install them.
Reference:
Update a driver for hardware that isn't working properly:
http://windows.microsoft.com/en-us/windows7/update-a-driver-for-hardware-that-isnt-working-properly
-
Unable to Ping IP across 2 IPsec Tunnels
Hello world
Here's the setup:
Server1 - Layer 2 switch - ASA1 - L2 tunnel - ASA2 - Layer 2 tunnel - ASA3 - Layer 2 switch - Server2
Server1 IP 10.31.2.83/28
Server2 IP 10.31.2.35/28
Server1 has its default gateway to ASA1
Server1 can ping the ASA1 but cannot ping the Server2.
ASA1 is also unable to ping server2.
Ping 10.31.2.35
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 10.31.2.35, wait time is 2 seconds:
?????
Success rate is 0% (0/5)
ASA2 can ping Server2
Ping 10.31.2.35
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 10.31.2.35, wait time is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = ms 02/01/10
ASA2 can ping Server1
Ping 10.31.2.83
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 10.31.2.83, wait time is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = ms 02/01/10
The ACLs allow the traffic; routing and the crypto map also allow the traffic.
What else can I check?
Any help is appreciated.
Regards
Mahesh
I don't understand what you mean by a Layer 2 tunnel. Is it relevant to this question?
Is IPsec involved?
Have you done any basic Layer 3 troubleshooting? Checked the routing information?
(1) Does ASA2 have 2 interfaces, one for each tunnel?
- Does ASA2 have static routes?
- 10.31.2.80 255.255.255.240 to ASA1
- 10.31.2.32 255.255.255.240 to ASA3
(2) Does ASA2 have only one interface for both tunnels?
- Do you have same-security-traffic permit intra-interface?
- If IPsec is involved, check the crypto ACLs on ASA2:
- 10.31.2.80/28 -> 10.31.2.32/28 to ASA3
- 10.31.2.32/28 -> 10.31.2.80/28 to ASA1
The following commands will help on all three ASAs:
show route
show crypto map
show crypto ipsec sa (look at the packet counters on the SAs)
Best regards, MiKa
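MiKa's point about the crypto ACLs on ASA2 is worth making mechanical: for a LAN-to-LAN tunnel the crypto ACL on one peer must be the exact reverse of the other's, and a narrower or missing entry on one side produces precisely Mahesh's symptom (pings from one side never enter the tunnel while the other side's do). The script below is an added example, not code from the thread or from Cisco. It parses the `access-list ... extended permit ip` lines of two ASA configurations and lists every entry whose mirror image is absent on the other peer. The configuration text is constructed from the subnets MiKa names; ASA3's entry is deliberately wrong (a /29 where ASA2 has a /28) to show the report.

```python
"""Check that two ASA peers' crypto ACLs are mirror images of each other.

Added example, not code from the thread or from Cisco. Each crypto ACL is
reduced to a set of (source network, destination network) pairs, and a pair
on one peer passes only if its reverse exists on the other peer. The ASA
configuration snippets are constructed from the subnets in the thread.
"""
import ipaddress
import re

# ASA extended ACE with network/mask on both sides, the usual crypto ACL form.
ACE = re.compile(
    r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
)


def parse_crypto_acls(config_text):
    """Return {acl_name: {(src_network, dst_network), ...}} from ASA config text."""
    acls = {}
    for line in config_text.splitlines():
        m = ACE.match(line.strip())
        if not m:
            continue
        name, s_ip, s_mask, d_ip, d_mask = m.groups()
        # ipaddress accepts "address/netmask"; strict=False tolerates host bits
        src = ipaddress.ip_network(f"{s_ip}/{s_mask}", strict=False)
        dst = ipaddress.ip_network(f"{d_ip}/{d_mask}", strict=False)
        acls.setdefault(name, set()).add((src, dst))
    return acls


def mirror_gaps(local_pairs, remote_pairs):
    """Entries whose mirror image is absent on the other peer (both lists empty = OK)."""
    missing_on_remote = sorted(
        f"{s} -> {d}" for s, d in local_pairs if (d, s) not in remote_pairs)
    missing_on_local = sorted(
        f"{s} -> {d}" for s, d in remote_pairs if (d, s) not in local_pairs)
    return missing_on_remote, missing_on_local


def check_tunnel(local_cfg, local_acl, remote_cfg, remote_acl):
    """Compare the crypto ACL each peer applies to the same tunnel."""
    local_pairs = parse_crypto_acls(local_cfg).get(local_acl, set())
    remote_pairs = parse_crypto_acls(remote_cfg).get(remote_acl, set())
    return mirror_gaps(local_pairs, remote_pairs)


# Constructed configs. ASA1 <-> ASA2 mirror correctly; ASA3 protects only a
# /29 of the 10.31.2.80/28 network that ASA2 offers, so the proxy IDs differ.
ASA1_CFG = "access-list L2L_ASA2 extended permit ip 10.31.2.80 255.255.255.240 10.31.2.32 255.255.255.240"
ASA2_CFG = """\
access-list L2L_ASA1 extended permit ip 10.31.2.32 255.255.255.240 10.31.2.80 255.255.255.240
access-list L2L_ASA3 extended permit ip 10.31.2.80 255.255.255.240 10.31.2.32 255.255.255.240
"""
ASA3_CFG = "access-list L2L_ASA2 extended permit ip 10.31.2.32 255.255.255.240 10.31.2.80 255.255.255.248"

if __name__ == "__main__":
    print("ASA1<->ASA2:", check_tunnel(ASA1_CFG, "L2L_ASA2", ASA2_CFG, "L2L_ASA1"))
    print("ASA2<->ASA3:", check_tunnel(ASA2_CFG, "L2L_ASA3", ASA3_CFG, "L2L_ASA2"))
```

Note that the comparison is per tunnel, not per device: in Mahesh's hairpin topology ASA2 legitimately carries two opposite ACLs, one for each neighbour, so each must be compared only against the ACL its peer uses for that same tunnel.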
-
IPSEC or AnyConnect for Mac OS X: how to view the network settings on the client
On Windows, using AnyConnect or the Cisco IPSEC client to an ASA, I can type IPCONFIG /all and see the associated network settings (IP address, DNS, search domain, etc.) under the Cisco VPN adapter. This is very useful for troubleshooting connectivity issues.
I can't find similar commands for Mac OS X (GUI or command line). networksetup does not seem to see any VPN adapter at all.
Can someone with better knowledge of the Mac help me? Thank you.
I use both the OS X built-in Cisco IPSEC client and AnyConnect. I can't speak to the Cisco IPSEC client.
So with AnyConnect running I can click on the menu and see some statistics such as the IP address, etc.
ifconfig returns:
utun0: flags = 8091 mtu 1406
INET 10.10.10.91--> 10.10.10.91 netmask 0xffffff00
I can see the IP address and DNS servers in use with AnyConnect down and the built-in IPSEC client up through the Network prefs GUI, and ifconfig returns:
utun0: flags = 8011 mtu 1280
INET 10.10.10.91--> 10.10.10.91 netmask 0xffffff00
You should try to get off the old Cisco IPSEC client if you can.
Do you use an ASA? On an ASA5510 with 8.2 software it is only $100 for a 250-user base AnyConnect client license.
Brandon
Wednesday, February 17, 2010 at 12:20, kbyrd