Sadikhov IT Certification forums
Pr0jecT

Eazy VPN & IPsec Tunnel


Dear All,

I have these configured on the same router, but for the normal tunnel, which uses a pre-shared key, "sh crypto isa sa" always gives me the status CONF_XAUTH.

Isn't this configuration related to Easy VPN? How come it is happening to this one?

Thanks


Might help http://fengnet.com/book/vpnconf/ch19lev1sec1.html

 

Mark


Thanks for the reply Mark, I've already checked the page you sent me and it did not help. This is a part of the debug; I am getting something like deleting SA reason "No reason" state (R) CONF_XAUTH.

 

Debug output:

018133: *Feb 27 13:04:45.719 : ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (N) NEW SA
018134: *Feb 27 13:04:45.719 : ISAKMP: Created a peer struct for x.x.x.x, peer port 500
018135: *Feb 27 13:04:45.719 : ISAKMP: New peer created peer = 0x4BC69680 peer_handle = 0x80000069
018136: *Feb 27 13:04:45.723 : ISAKMP: Locking peer struct 0x4BC69680, refcount 1 for crypto_isakmp_process_block
018137: *Feb 27 13:04:45.723 : ISAKMP:(0):Setting client config settings 4BBC6A58
018138: *Feb 27 13:04:45.723 : ISAKMP:(0):(Re)Setting client xauth list and state
018139: *Feb 27 13:04:45.723 : ISAKMP/xauth: initializing AAA request
018140: *Feb 27 13:04:45.723 : ISAKMP: local port 500, remote port 500
018141: *Feb 27 13:04:45.723 : ISAKMP:(0):insert sa successfully sa = 4C02391C
018142: *Feb 27 13:04:45.723 : ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
018143: *Feb 27 13:04:45.723 : ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

018144: *Feb 27 13:04:45.723 : ISAKMP:(0): processing SA payload. message ID = 0
018145: *Feb 27 13:04:45.723 : ISAKMP:(0): processing vendor id payload
018146: *Feb 27 13:04:45.723 : ISAKMP:(0): processing IKE frag vendor id payload
018147: *Feb 27 13:04:45.723 : ISAKMP:(0):Support for IKE Fragmentation not enabled
018148: *Feb 27 13:04:45.723 : ISAKMP:(0):found peer pre-shared key matching x.x.x.x
018149: *Feb 27 13:04:45.723 : ISAKMP:(0): local preshared key found
018150: *Feb 27 13:04:45.727 : ISAKMP:(0): Authentication by xauth preshared
018151: *Feb 27 13:04:45.727 : ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
018152: *Feb 27 13:04:45.727 : ISAKMP: default group 2
018153: *Feb 27 13:04:45.727 : ISAKMP: encryption 3DES-CBC
018154: *Feb 27 13:04:45.727 : ISAKMP: hash MD5
018155: *Feb 27 13:04:45.727 : ISAKMP: auth pre-share
018156: *Feb 27 13:04:45.727 : ISAKMP: life type in seconds
018157: *Feb 27 13:04:45.727 : ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
018158: *Feb 27 13:04:45.727 : ISAKMP:(0):Encryption algorithm offered does not match policy!
018159: *Feb 27 13:04:45.727 : ISAKMP:(0):atts are not acceptable. Next payload is 3
018160: *Feb 27 13:04:45.727 : ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
018161: *Feb 27 13:04:45.727 : ISAKMP: default group 2
018162: *Feb 27 13:04:45.727 : ISAKMP: encryption AES-CBC
018163: *Feb 27 13:04:45.727 : ISAKMP: keylength of 256
018164: *Feb 27 13:04:45.727 : ISAKMP: hash MD5
018165: *Feb 27 13:04:45.727 : ISAKMP: auth pre-share
018166: *Feb 27 13:04:45.727 : ISAKMP: life type in seconds
018167: *Feb 27 13:04:45.727 : ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
018168: *Feb 27 13:04:45.727 : ISAKMP:(0):Hash algorithm offered does not match policy!
018169: *Feb 27 13:04:45.727 : ISAKMP:(0):atts are not acceptable. Next payload is 3
018170: *Feb 27 13:04:45.727 : ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
018171: *Feb 27 13:04:45.727 : ISAKMP: default group 2
018172: *Feb 27 13:04:45.727 : ISAKMP: encryption AES-CBC
018173: *Feb 27 13:04:45.727 : ISAKMP: keylength of 256
018174: *Feb 27 13:04:45.727 : ISAKMP: hash SHA
018175: *Feb 27 13:04:45.727 : ISAKMP: auth pre-share
018176: *Feb 27 13:04:45.727 : ISAKMP: life type in seconds
018177: *Feb 27 13:04:45.727 : ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
018178: *Feb 27 13:04:45.731 : ISAKMP:(0):Proposed key length does not match policy
018179: *Feb 27 13:04:45.731 : ISAKMP:(0):atts are not acceptable. Next payload is 3
018180: *Feb 27 13:04:45.731 : ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
018181: *Feb 27 13:04:45.731 : ISAKMP: default group 2
018182: *Feb 27 13:04:45.731 : ISAKMP: encryption 3DES-CBC
018183: *Feb 27 13:04:45.731 : ISAKMP: hash SHA
018184: *Feb 27 13:04:45.731 : ISAKMP: auth pre-share
018185: *Feb 27 13:04:45.731 : ISAKMP: life type in seconds
018186: *Feb 27 13:04:45.731 : ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
018187: *Feb 27 13:04:45.731 : ISAKMP:(0):Encryption algorithm offered does not match policy!
018188: *Feb 27 13:04:45.731 : ISAKMP:(0):atts are not acceptable. Next payload is 3
018189: *Feb 27 13:04:45.731 : ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
018190: *Feb 27 13:04:45.731 : ISAKMP: default group 2
018191: *Feb 27 13:04:45.731 : ISAKMP: encryption DES-CBC
018192: *Feb 27 13:04:45.731 : ISAKMP: hash MD5
018193: *Feb 27 13:04:45.731 : ISAKMP: auth pre-share
018194: *Feb 27 13:04:45.731 : ISAKMP: life type in seconds
018195: *Feb 27 13:04:45.731 : ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
018196: *Feb 27 13:04:45.731 : ISAKMP:(0):Encryption algorithm offered does not match policy!
018197: *Feb 27 13:04:45.731 : ISAKMP:(0):atts are not acceptable. Next payload is 3
018198: *Feb 27 13:04:45.731 : ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
018199: *Feb 27 13:04:45.731 : ISAKMP: default group 2
018200: *Feb 27 13:04:45.731 : ISAKMP: encryption AES-CBC
018201: *Feb 27 13:04:45.731 : ISAKMP: keylength of 128
018202: *Feb 27 13:04:45.731 : ISAKMP: hash SHA
018203: *Feb 27 13:04:45.731 : ISAKMP: auth pre-share
018204: *Feb 27 13:04:45.731 : ISAKMP: life type in seconds
018205: *Feb 27 13:04:45.731 : ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
018206: *Feb 27 13:04:45.731 : ISAKMP:(0):atts are acceptable. Next payload is 3
018207: *Feb 27 13:04:45.731 : ISAKMP:(0):Acceptable atts:actual life: 0
018208: *Feb 27 13:04:45.731 : ISAKMP:(0):Acceptable atts:life: 0
018209: *Feb 27 13:04:45.731 : ISAKMP:(0):Fill atts in sa vpi_length:4
018210: *Feb 27 13:04:45.731 : ISAKMP:(0):Fill atts in sa life_in_seconds:86400
018211: *Feb 27 13:04:45.731 : ISAKMP:(0):Returning Actual lifetime: 86400
018212: *Feb 27 13:04:45.731 : ISAKMP:(0)::Started lifetime timer: 86400.

018213: *Feb 27 13:04:45.731 : ISAKMP:(0): processing vendor id payload
018214: *Feb 27 13:04:45.735 : ISAKMP:(0): processing IKE frag vendor id payload
018215: *Feb 27 13:04:45.735 : ISAKMP:(0):Support for IKE Fragmentation not enabled
018216: *Feb 27 13:04:45.735 : ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
018217: *Feb 27 13:04:45.735 : ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

018218: *Feb 27 13:04:45.735 : ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (R) MM_SA_SETUP
018219: *Feb 27 13:04:45.735 : ISAKMP:(0):Sending an IKE IPv4 Packet.
018220: *Feb 27 13:04:45.735 : ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
018221: *Feb 27 13:04:45.735 : ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

018222: *Feb 27 13:04:45.963 : ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (R) MM_SA_SETUP
018223: *Feb 27 13:04:45.963 : ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
018224: *Feb 27 13:04:45.963 : ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3

018225: *Feb 27 13:04:45.963 : ISAKMP:(0): processing KE payload. message ID = 0
018226: *Feb 27 13:04:46.023 : ISAKMP:(0): processing NONCE payload. message ID = 0
018227: *Feb 27 13:04:46.023 : ISAKMP:(0):found peer pre-shared key matching x.x.x.x
018228: *Feb 27 13:04:46.023 : ISAKMP:(5194): processing vendor id payload
018229: *Feb 27 13:04:46.023 : ISAKMP:(5194): vendor ID is Unity
018230: *Feb 27 13:04:46.023 : ISAKMP:(5194): processing vendor id payload
018231: *Feb 27 13:04:46.023 : ISAKMP:(5194): vendor ID seems Unity/DPD but major 171 mismatch
018232: *Feb 27 13:04:46.023 : ISAKMP:(5194): vendor ID is XAUTH
018233: *Feb 27 13:04:46.023 : ISAKMP:(5194): processing vendor id payload
018234: *Feb 27 13:04:46.023 : ISAKMP:(5194): speaking to another IOS box!
018235: *Feb 27 13:04:46.023 : ISAKMP:(5194): processing vendor id payload
018236: *Feb 27 13:04:46.023 : ISAKMP:(5194):vendor ID seems Unity/DPD but hash mismatch
018237: *Feb 27 13:04:46.023 : ISAKMP:(5194):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
018238: *Feb 27 13:04:46.023 : ISAKMP:(5194):Old State = IKE_R_MM3 New State = IKE_R_MM3

018239: *Feb 27 13:04:46.027 : ISAKMP:(5194): sending packet to x.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
018240: *Feb 27 13:04:46.027 : ISAKMP:(5194):Sending an IKE IPv4 Packet.
018241: *Feb 27 13:04:46.027 : ISAKMP:(5194):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
018242: *Feb 27 13:04:46.027 : ISAKMP:(5194):Old State = IKE_R_MM3 New State = IKE_R_MM4

018243: *Feb 27 13:04:46.307 : ISAKMP (5194): received packet from x.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
018244: *Feb 27 13:04:46.311 : ISAKMP:(5194):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
018245: *Feb 27 13:04:46.319 : ISAKMP:(5194):Old State = IKE_R_MM4 New State = IKE_R_MM5

018246: *Feb 27 13:04:46.323 : ISAKMP:(5194): processing ID payload. message ID = 0
018247: *Feb 27 13:04:46.327 : ISAKMP (5194): ID payload
        next-payload : 8
        type         : 1
        address      : x.x.x.x
        protocol     : 17
        port         : 500
        length       : 12
018248: *Feb 27 13:04:46.327 : ISAKMP:(0):: peer matches *none* of the profiles
018249: *Feb 27 13:04:46.327 : ISAKMP:(5194): processing HASH payload. message ID = 0
018250: *Feb 27 13:04:46.327 : ISAKMP:received payload type 17
018251: *Feb 27 13:04:46.327 : ISAKMP:(5194): processing keep alive: proposal=32767/32767 sec., actual=30/5 sec.
018252: *Feb 27 13:04:46.327 : ISAKMP:(5194): processing vendor id payload
018253: *Feb 27 13:04:46.327 : ISAKMP:(5194): vendor ID is DPD
018254: *Feb 27 13:04:46.327 : ISAKMP:(5194):SA authentication status:
        authenticated
018255: *Feb 27 13:04:46.327 : ISAKMP:(5194):SA has been authenticated with x.x.x.x
018256: *Feb 27 13:04:46.327 : ISAKMP: Trying to insert a peer y.y.y.y/x.x.x.x/500/, and inserted successfully 4BC69680.
018257: *Feb 27 13:04:46.327 : ISAKMP:(5194):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
018258: *Feb 27 13:04:46.327 : ISAKMP:(5194):Old State = IKE_R_MM5 New State = IKE_R_MM5

018259: *Feb 27 13:04:46.327 : ISAKMP:(5194):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
018260: *Feb 27 13:04:46.327 : ISAKMP (5194): ID payload
        next-payload : 8
        type         : 1
        address      : y.y.y.y
        protocol     : 17
        port         : 500
        length       : 12
018261: *Feb 27 13:04:46.327 : ISAKMP:(5194):Total payload length: 12
018262: *Feb 27 13:04:46.331 : ISAKMP:(5194): sending packet to x.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
018263: *Feb 27 13:04:46.331 : ISAKMP:(5194):Sending an IKE IPv4 Packet.
018264: *Feb 27 13:04:46.331 : ISAKMP:(5194):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
018265: *Feb 27 13:04:46.331 : ISAKMP:(5194):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

018266: *Feb 27 13:04:46.335 : ISAKMP:(5194):Need XAUTH
018267: *Feb 27 13:04:46.339 : ISAKMP: set new node 1765006829 to CONF_XAUTH
018268: *Feb 27 13:04:46.339 : ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
018269: *Feb 27 13:04:46.339 : ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
018270: *Feb 27 13:04:46.339 : ISAKMP:(5194): initiating peer config to x.x.x.x ID = 1765006829
018271: *Feb 27 13:04:46.339 : ISAKMP:(5194): sending packet to x.x.x.x my_port 500 peer_port 500 (R) CONF_XAUTH
018272: *Feb 27 13:04:46.343 : ISAKMP:(5194):Sending an IKE IPv4 Packet.
018273: *Feb 27 13:04:46.347 : ISAKMP:(5194):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
018274: *Feb 27 13:04:46.347 : ISAKMP:(5194):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT

018275: *Feb 27 13:04:46.575 : ISAKMP (5194): received packet from x.x.x.x dport 500 sport 500 Global (R) CONF_XAUTH
018276: *Feb 27 13:04:47.243 : ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
018277: *Feb 27 13:04:47.243 : ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
018278: *Feb 27 13:04:47.243 : ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

--More--
018291: *Feb 27 13:04:54.559 : ISAKMP (5194): received packet from x.x.x.x dport 500 sport 500 Global (R) CONF_XAUTH
--More--
018409: *Feb 27 13:05:09.663 : ISAKMP:(5193):deleting node 2095058897 error FALSE reason "Informational (in) state 1"
018410: *Feb 27 13:05:09.663 : IPSEC(key_engine): got a queue event with 1 KMI message(s)
018411: *Feb 27 13:05:09.663 : IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
018412: *Feb 27 13:05:10.555 : ISAKMP (5194): received packet from x.x.x.x dport 500 sport 500 Global (R) CONF_XAUTH
018413: *Feb 27 13:05:10.595 : ISAKMP (5194): received packet from x.x.x.x dport 500 sport 500 Global (R) CONF_XAUTH
018414: *Feb 27 13:05:10.595 : ISAKMP: set new node -1912896919 to CONF_XAUTH
018415: *Feb 27 13:05:10.599 : ISAKMP:(5194): processing HASH payload. message ID = -1912896919
018416: *Feb 27 13:05:10.599 : ISAKMP:(5194): processing DELETE payload. message ID = -1912896919
018417: *Feb 27 13:05:10.599 : ISAKMP:(5194):peer does not do paranoid keepalives.

018418: *Feb 27 13:05:10.599 : ISAKMP:(5194):deleting node -1912896919 error FALSE reason "Informational (in) state 1"
018419: *Feb 27 13:05:10.599 : ISAKMP (5194): received packet from x.x.x.x dport 500 sport 500 Global (R) CONF_XAUTH
018420: *Feb 27 13:05:10.599 : ISAKMP: set new node 1909751046 to CONF_XAUTH
018421: *Feb 27 13:05:10.599 : ISAKMP:(5194): processing HASH payload. message ID = 1909751046
018422: *Feb 27 13:05:10.599 : ISAKMP:(5194): processing DELETE payload. message ID = 1909751046
018423: *Feb 27 13:05:10.599 : ISAKMP:(5194):peer does not do paranoid keepalives.

018424: *Feb 27 13:05:10.599 : ISAKMP:(5194):peer does not do paranoid keepalives.

018425: *Feb 27 13:05:10.599 : ISAKMP:(5194):deleting SA reason "No reason" state (R) CONF_XAUTH (peer x.x.x.x)
018426: *Feb 27 13:05:10.599 : ISAKMP:(5194):deleting node 1909751046 error FALSE reason "Informational (in) state 1"
018427: *Feb 27 13:05:10.603 : IPSEC(key_engine): got a queue event with 1 KMI message(s)
018428: *Feb 27 13:05:10.603 : IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
018429: *Feb 27 13:05:10.603 : IPSEC(key_engine): got a queue event with 1 KMI message(s)
018430: *Feb 27 13:05:10.603 : IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
018431: *Feb 27 13:05:10.603 : IPSEC(key_engine_delete_sas): delete all SAs shared with peer x.x.x.x
018432: *Feb 27 13:05:10.603 : ISAKMP: set new node -1589476174 to CONF_XAUTH
018433: *Feb 27 13:05:10.603 : ISAKMP:(5194): sending packet to x.x.x.x my_port 500 peer_port 500 (R) CONF_XAUTH
018434: *Feb 27 13:05:10.603 : ISAKMP:(5194):Sending an IKE IPv4 Packet.
018435: *Feb 27 13:05:10.603 : ISAKMP:(5194):purging node -1589476174
018436: *Feb 27 13:05:10.603 : ISAKMP:(5194):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
018437: *Feb 27 13:05:10.603 : ISAKMP:(5194):Old State = IKE_XAUTH_REQ_SENT New State = IKE_DEST_SA

 

 

Thank You


Try:

crypto isakmp key PASS address IP no-xauth

Edited by laf_c


Dear Laf,

You are the saviour of my day.

But explain to me what this does.

Is the conflict occurring because it is the same crypto map being used, but with one entry static? Or what?

I will try this and get back to you.

Thanks


Dear Laf,

Thanks a lot, everything is working properly now.

I think that if Easy VPN is configured on the same router, then by default, if you do not specify no-xauth, it will consider the peer part of the Easy VPN and will try to authenticate it.

I really appreciate your help.

Regards
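The situation described in this thread, as an added configuration example (not the original poster's config): an Easy VPN server and a static site-to-site peer sharing one crypto map on a Cisco IOS router, with the no-xauth keyword that laf_c suggested applied to the static peer's pre-shared key. All names, addresses, keys and pool ranges are assumed placeholder values.

```cisco
! Added example, not the poster's configuration. All names, addresses,
! keys and pool ranges are assumed placeholder values.
aaa new-model
! XAUTH user list and group authorization list used by Easy VPN clients
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-GROUP local
username vpnuser secret CHANGE-ME-USER-SECRET
!
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
!
! Easy VPN group: remote-access clients use the group key, then XAUTH
crypto isakmp client configuration group EZVPN
 key CHANGE-ME-GROUP-KEY
 pool EZVPN-POOL
ip local pool EZVPN-POOL 10.10.10.1 10.10.10.50
!
! Static site-to-site peer. Without "no-xauth" the router would prompt
! this peer for XAUTH as well, because "client authentication list" is
! applied to the shared crypto map below; the peer then sits in CONF_XAUTH
! until the SA is deleted, as in the debug above.
!   crypto isakmp key CHANGE-ME-SITE-PSK address 203.0.113.10     (problem form)
crypto isakmp key CHANGE-ME-SITE-PSK address 203.0.113.10 no-xauth
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Dynamic entry that Easy VPN clients land on
crypto dynamic-map EZVPN-DYN 10
 set transform-set TS
 reverse-route
!
! XAUTH, group authorization and mode-config apply to every peer on this map
crypto map CM client authentication list EZVPN-XAUTH
crypto map CM isakmp authorization list EZVPN-GROUP
crypto map CM client configuration address respond
!
! Static site-to-site entry, matched before the dynamic one
ip access-list extended SITE-TO-SITE
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto map CM 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 match address SITE-TO-SITE
!
crypto map CM 65535 ipsec-isakmp dynamic EZVPN-DYN
!
interface GigabitEthernet0/0
 crypto map CM
```

After the change, show crypto isakmp sa should list the static peer in QM_IDLE rather than CONF_XAUTH, while Easy VPN clients, which authenticate through the group key, still receive the XAUTH prompt.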


Glad you figured it out ;).
