Re: Re: IPSEC VPN PROBLEM

From: joshua lauer (jslauer@hotmail.com)
Date: Fri Sep 17 2004 - 11:26:58 GMT-3


No problem,

glad you got things working! Enjoy your VPN! :)

cheers,

josh

Josh Lauer

----- Original Message -----
From: <adeolu@sympatico.ca>
To: <adeolu_adeoye@yahoo.com>; "joshua lauer" <jslauer@hotmail.com>;
<ccielab@groupstudy.com>
Sent: Friday, September 17, 2004 9:57 AM
Subject: Re: Re: IPSEC VPN PROBLEM

> Hi Guys,
>
> Thanks a lot for all your suggestions. I have been able to solve the
> problem. To direct traffic towards the tunnel, I typically use default
> routes out to the interface (for flexibility reasons). However, the ISP
> dropped all traffic that was routed in this manner.
>
> Thankfully, I had some static IP assignments from them. I used the
> gateway they supplied with this and voila, it worked like a charm.
>
> Thanks for all your help, Josh.
>
> Ade
>>
>> From: <adeolu@sympatico.ca>
>> Date: 2004/09/14 Tue PM 04:24:47 EST
>> To: "joshua lauer" <jslauer@hotmail.com>, <ccielab@groupstudy.com>
>> Subject: Re: Re: IPSEC VPN PROBLEM
>>
>> Hi Josh,
>>
>> Thanks for looking at this. I have asked them a few times but they say
>> that they do not have any restrictions.
>>
>>
>> >
>> > From: "joshua lauer" <jslauer@hotmail.com>
>> > Date: 2004/09/14 Tue PM 03:51:47 EST
>> > To: <adeolu@sympatico.ca>,
>> > <ccielab@groupstudy.com>
>> > Subject: Re: IPSEC VPN PROBLEM
>> >
>> > Is your ISP blocking any ports that you know of? Could be why your
>> > connection isn't setting up. Make sure they are not blocking the
>> > critical ports (port 500) needed for your connection set up. I've had
>> > a similar issue working with Nortel equipment in the past. Just a
>> > thought, I really didn't have time to drill down into your debugs.
>> > I'll check them out when I get home from work :)
>> >
>> >
>> > Josh Lauer
>> >
>> >
>> > ----- Original Message -----
>> > From: <adeolu@sympatico.ca>
>> > To: <ccielab@groupstudy.com>
>> > Sent: Tuesday, September 14, 2004 3:02 PM
>> > Subject: IPSEC VPN PROBLEM
>> >
>> >
>> > > I was wondering if anyone could bail me out... this issue has me at
>> > > my wits' end. I am running a hub and spoke VPN for my company. The
>> > > head-end router is a Cisco 7204 running IOS 12.2(13)T3 and I am
>> > > running IOS 12.3(7)T2 on the remote. The reason I am running such a
>> > > recent version on the remote router is because of a need to support
>> > > the 4-port switch WIC in the router.
>> > >
>> > > I was able to successfully test this using a PPPoE Internet
>> > > connection (ADSL) but so far, I have been unable to successfully use
>> > > it with Cable Internet (which is the link type on site). The
>> > > connection just refuses to be set up. I have checked the ISAKMP
>> > > policies, crypto maps etc. and ensured that they are matched.
>> > >
>> > > I have pasted some debugs below
>> > >
>> > > Any help will be appreciated.
>> > >
>> > > = 0x400A
>> > > *Mar 10 02:25:10: ISAKMP: received ke message (1/1)
>> > > *Mar 10 02:25:10: ISAKMP: set new node 0 to QM_IDLE
>> > > *Mar 10 02:25:10: ISAKMP:(0:1:HW:2):SA is still budding. Attached new ipsec request to it. (local 24.86.96.233, remote 209.5.96.157)
>> > > *Mar 10 02:25:10: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
>> > > *Mar 10 02:25:10: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
>> > > *Mar 10 02:25:10: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
>> > > *Mar 10 02:25:10: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
>> > > *Mar 10 02:25:20: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
>> > > *Mar 10 02:25:20: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
>> > > *Mar 10 02:25:20: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
>> > > *Mar 10 02:25:20: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
>> > > *Mar 10 02:25:28: IPSEC(key_engine): request timer fired: count = 1,
>> > > (identity) local= 24.86.96.233, remote= 209.5.96.157,
>> > > local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
>> > > remote_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4)
>> > > *Mar 10 02:25:28: IPSEC(sa_request): ,
>> > > (key eng. msg.) OUTBOUND local= 24.86.96.233, remote= 209.5.96.157,
>> > > local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
>> > > remote_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
>> > > protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
>> > > lifedur= 3600s and 4608000kb,
>> > > spi= 0xD029AD14(3492392212), conn_id= 0, keysize= 0, flags= 0x400A
>> > > *Mar 10 02:25:28: ISAKMP: received ke message (1/1)
>> > > *Mar 10 02:25:28: ISAKMP: set new node 0 to QM_IDLE
>> > > *Mar 10 02:25:28: ISAKMP:(0:1:HW:2):SA is still budding. Attached new ipsec request to it. (local 24.86.96.233, remote 209.5.96.157)
>> > > *Mar 10 02:25:30: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
>> > > *Mar 10 02:25:30: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
>> > > *Mar 10 02:25:30: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
>> > > *Mar 10 02:25:30: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
>> > > *Mar 10 02:25:40: IPSEC(key_engine): request timer fired: count = 2,
>> > > (identity) local= 24.86.96.233, remote= 209.5.96.157,
>> > > local_proxy= 142.225.130.0/255.255.255.0/0/0 (type=4),
>> > > remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4)
>> > > *Mar 10 02:25:40: ISAKMP: received ke message (3/1)
>> > > *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):peer does not do paranoid keepalives.
>> > >
>> > > *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to delete ike sa" state (I) MM_NO_STATE (peer 209.5.96.157) input queue 0
>> > > *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to delete ike sa" state (I) MM_NO_STATE (peer 209.5.96.157) input queue 0
>> > > *Mar 10 02:25:40: ISAKMP: Unlocking IKE struct 0x824C53A4 for isadb_mark_sa_deleted(), count 0
>> > > *Mar 10 02:25:40: ISAKMP: Deleting peer node by peer_reap for 209.5.96.157: 824C53A4
>> > > *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -938513491 error TRUE reason "receive request to delete ike sa"
>> > > *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -1343263010 error TRUE reason "receive request to delete ike sa"
>> > > *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -2146876017 error TRUE reason "receive request to delete ike sa"
>> > > *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -1379398450 error TRUE reason "receive request to delete ike sa"
>> > > *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
>> > > *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):Old State = IKE_I_MM1 New State = IKE_DEST_SA
>> > >
>> > > *Mar 10 02:25:50: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 142.225.150.134 (Vlan521) is up: new adjacency
>> > > *Mar 10 02:25:58: IPSEC(key_engine): request timer fired: count = 2,
>> > > (identity) local= 24.86.96.233, remote= 209.5.96.157,
>> > > local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
>> > > remote_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4)
>> > > *Mar 10 02:25:58: ISAKMP: received ke message (3/1)
>> > > *Mar 10 02:25:58: ISAKMP:(0:1:HW:2):peer does not do paranoid keepalives.
>> > > Log Buffer (4096 bytes):
>> > > nding packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
>> > > *Sep 13 20:57:54: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
>> > > *Sep 13 20:57:54: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
>> > > *Sep 13 20:57:54: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
>> > > *Sep 13 20:57:54: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
>> > > *Sep 13 20:58:04: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
>> > > *Sep 13 20:58:04: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
>> > > *Sep 13 20:58:04: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
>> > > *Sep 13 20:58:04: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
>> > > *Sep 13 20:58:14: IPSEC(key_engine): request timer fired: count = 1,
>> > > (identity) local= 209.5.255.142, remote= 209.5.96.157,
>> > > local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
>> > > remote_proxy= 172.16.0.0/255.240.0.0/0/0 (type=4)
>> > > *Sep 13 20:58:14: IPSEC(sa_request): ,
>> > > (key eng. msg.) OUTBOUND local= 209.5.255.142, remote= 209.5.96.157,
>> > > local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
>> > > remote_proxy= 172.16.0.0/255.240.0.0/0/0 (type=4),
>> > > protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
>> > > lifedur= 3600s and 4608000kb,
>> > > spi= 0x21BF4A39(566184505), conn_id= 0, keysize= 0, flags= 0x400A
>> > > *Sep 13 20:58:14: ISAKMP: received ke message (1/1)
>> > > *Sep 13 20:58:14: ISAKMP: set new node 0 to QM_IDLE
>> > > *Sep 13 20:58:14: ISAKMP:(0:1:HW:2):SA is still budding. Attached new ipsec request to it. (local 209.5.255.142, remote 209.5.96.157)
>> > > *Sep 13 20:58:14: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
>> > > *Sep 13 20:58:14: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
>> > > *Sep 13 20:58:14: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
>> > > *Sep 13 20:58:14: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
>> > > *Sep 13 20:58:24: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
>> > > *Sep 13 20:58:24: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
>> > > *Sep 13 20:58:24: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
>> > > *Sep 13 20:58:24: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
>> > > *Sep 13 20:58:34: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
>> > > *Sep 13 20:58:34: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
>> > > *Sep 13 20:58:34: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
>> > > *Sep 13 20:58:34: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
>> > > Sep 13 20:58:44: IPSEC(key_engine): request timer fired: count = 2,
>> > > (identity) local= 209.5.255.142, remote= 209.5.96.157,
>> > > local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
>> > > remote_proxy= 172.16.0.0/255.240.0.0/0/0 (type=4)
>> > > *Sep 13 20:58:44: ISAKMP: received ke message (3/1)
>> > > *Sep 13 20:58:44: ISAKMP:(0:1:HW:2):peer does not do paranoid keepalives.
>> > > *Sep 13 20:58:44: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to delete ike sa" state (I) MM_NO_STATE (peer 209.5.96.157) input queue 0
>> > > *Sep 13 20:58:44: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to delete ike sa" state (I) MM_NO_STATE (peer 209.5.96.157) input queue 0
>> > > *Sep 13 20:58:44: ISAKMP: Unlocking IKE struct 0x821712B4 for isadb_mark_sa_deleted(), count 0
>> > > *Sep 13 20:58:44: ISAKMP: Deleting peer node by peer_reap for 209.5.96.157: 821712B4
>> > > *Sep 13 20:58:44: ISAKMP:(0:1:HW:2):deleting node -862965495 error TRUE reason "receive request to delete ike sa"
>> > > *Sep 13 20:58:44: ISAKMP:(0:1:HW:2):deleting node -542169726 error TRUE reason "receive request to delete ike sa"
>> > > *Sep 13 20:58:44: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
>> > > *Sep 13 20:58:44: ISAKMP:(0:1:HW:2):Old State = IKE_I_MM1 New State = IKE_DEST_SA
>> > > Sep 13 20:59:34: ISAKMP:(0:1:HW:2):purging node -862965495
>> > > *Sep 13 20:59:34: ISAKMP:(0:1:HW:2):purging node -542169726
>> > > *Sep 13 20:59:44: ISAKMP:(0:1:HW:2):purging SA., sa=829FC038, delme=829FC038
>> > > fnbur020#
>> > >
>> > >
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
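
Added example, not part of the original thread: a small triage script for initiator-side `debug crypto isakmp` output like the capture quoted above. It flags a peer whose phase 1 attempt was torn down in MM_NO_STATE without any reply being logged, which points at the path (routing or UDP/500 filtering) rather than at mismatched policies. The `triage` function, its verdict names, and the "received packet from" pattern are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Unwrapped excerpt of the debug output quoted in the thread.
THREAD_LOG = """\
*Sep 13 20:58:24: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
*Sep 13 20:58:24: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 13 20:58:34: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
*Sep 13 20:58:34: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 13 20:58:44: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to delete ike sa" state (I) MM_NO_STATE (peer 209.5.96.157) input queue 0
*Sep 13 20:58:44: ISAKMP:(0:1:HW:2):Old State = IKE_I_MM1 New State = IKE_DEST_SA
"""

SENT = re.compile(r"sending packet to (\S+) .*\(I\)")
# Assumption: replies are logged as "received packet from <peer> ...".
RECV = re.compile(r"received packet from (\S+)")
DELETED = re.compile(r"deleting SA .* state \(I\) (\S+) \(peer (\S+)\)")


def triage(log_text):
    """Return {peer: verdict} for initiator-side IKE phase 1 attempts."""
    stats = defaultdict(lambda: {"sent": 0, "recv": 0, "died_in": None})
    for line in log_text.splitlines():
        if m := SENT.search(line):
            stats[m.group(1)]["sent"] += 1
        elif m := RECV.search(line):
            stats[m.group(1)]["recv"] += 1
        elif m := DELETED.search(line):
            stats[m.group(2)]["died_in"] = m.group(1)
    verdicts = {}
    for peer, s in stats.items():
        if s["sent"] and not s["recv"] and s["died_in"] == "MM_NO_STATE":
            # First Main Mode message was never answered: check the route
            # to the peer and UDP/500 reachability before the crypto config.
            verdicts[peer] = "no-reply"
        elif s["recv"] and s["died_in"]:
            # Peer answered but the SA still died: check policy and keys.
            verdicts[peer] = "negotiation-failed"
        else:
            verdicts[peer] = "inconclusive"
    return verdicts


if __name__ == "__main__":
    print(triage(THREAD_LOG))
```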



This archive was generated by hypermail 2.1.4 : Fri Oct 01 2004 - 15:00:45 GMT-3