Ipsec VPN between cisco 877 and windows 2008

  • Ipsec VPN between cisco 877 and windows 2008

    Hi,

    I'm trying to connect a Cisco 877 router to a Windows 2008 server using IPsec between them. The device successfully passes Phase 1 negotiation (Main Mode) but stops at the Phase 2 level (Quick Mode).

    The main goal is to securely connect the 192.168.2.0 computers to the Windows server on its private IP address, 192.168.5.1.

    CISCO:

    Code:
    crypto isakmp policy 1
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key <PASSWORD> address <WINDOWS WAN IP>
    !
    !
    crypto ipsec transform-set rtpset esp-des esp-sha-hmac
    !
    crypto map rtp 1 ipsec-isakmp
     set peer <WINDOWS WAN IP>
     set transform-set rtpset
     match address 115
    !
    interface Vlan2
     ip address 192.168.2.1 255.255.255.0
     no ip redirects
     ip directed-broadcast
     ip nat inside
     ip virtual-reassembly
     zone-member security INSIDE
     no autostate
    !
    interface BVI1
     ip address <CISCO WAN IP>
     no ip redirects
     ip nat outside
     ip virtual-reassembly
     zone-member security OUTSIDE
     crypto map rtp
    !
    ip route 192.168.5.0 255.255.255.0 BVI1 <WINDOWS WAN IP>
    ip route 0.0.0.0 0.0.0.0 BVI1 dhcp
    !
    ip nat inside source list NAT interface BVI1 overload
    !
    ip access-list extended NAT
     deny   ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
     permit ip 192.168.2.0 0.0.0.255 any
    !
    access-list 115 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255

    The Windows side is configured with connection security rules in Tunnel mode.

    Endpoint 1: <WINDOWS WAN IP>
    Endpoint 2: <CISCO WAN IP>
    Source Subnet: 192.168.5.0
    Destination Subnet: 192.168.2.0

    route add 192.168.2.0 mask 255.255.255.0 <CISCO WAN IP>

    The 192.168.5.1 IP address is bound to the Windows WAN adapter as a secondary IP.

    When I do extended ping, debug ipsec error shows:

    Code:
    877W#ping 192.168.5.1 source 192.168.2.1 repeat 1
    
    Type escape sequence to abort.
    Sending 1, 100-byte ICMP Echos to 192.168.5.1, timeout is 2 seconds:
    Packet sent with a source address of 192.168.2.1
    
    000830: *Jul 15 04:21:20.397: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= <CISCO WAN IP>, remote= <WINDOWS WAN IP>,
        local_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
        remote_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),
        lifedur= 3600s and 4608000kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    000831: *Jul 15 04:21:20.409: ISAKMP:(2029):deleting node -1312726829 error TRUE reason "Delete Larval".
    Success rate is 0 percent (0/1)

    show crypto ipsec sa shows:

    Code:
       Crypto map tag: rtp, local addr <CISCO WAN IP>
    
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
       current_peer <WINDOWS WAN IP> port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 11, #recv errors 0
    
         local crypto endpt.: <CISCO WAN IP>, remote crypto endpt.: <WINDOWS WAN IP>
         path mtu 1500, ip mtu 1500, ip mtu idb BVI1
         current outbound spi: 0x0(0)
         PFS (Y/N): N, DH group: none
    
         inbound esp sas:
    
         inbound ah sas:
    
         inbound pcp sas:
    
         outbound esp sas:
    
         outbound ah sas:
    
         outbound pcp sas:

    Windows Main Mode Event Log:

    Code:
    An IPsec Main Mode security association was established. Extended Mode was not enabled.  Certificate authentication was not used.
    
    Local Endpoint:
        Principal Name:    -
        Network Address:    
        Keying Module Port:    500
    
    Remote Endpoint:
        Principal Name:    -
        Network Address:    
        Keying Module Port:    500
    
    Security Association Information:
        Lifetime (minutes):    480
        Quick Mode Limit:    0
        Main Mode SA ID:    352
    
    Cryptographic Information:
        Cipher Algorithm:    DES
        Integrity Algorithm:    SHA1
        Diffie-Hellman Group:    DH group 2
    
    Additional Information:
        Keying Module Name:    IKE
        Authentication Method:    Preshared key
        Role:    Responder
        Impersonation State:    Not enabled

    Windows Quick Mode Event Log:

    Code:
    An IPsec Quick Mode negotiation failed.
    
    Local Endpoint:
        Network Address:    
        Network Address mask:    
        Port:            0
        Tunnel Endpoint:        
    
    Remote Endpoint:
        Network Address:    
        Address Mask:        
        Port:            0
        Tunnel Endpoint:        
        Private Address:        
    
    Additional Information:
        Protocol:        0
        Keying Module Name:    IKE
        Mode:            Tunnel
        Role:            Responder
        Quick Mode Filter ID:    0
        Main Mode SA ID:    343
    
    Failure Information:
        State:            No state
        Message ID:        2982240467
        Failure Point:        Local computer
        Failure Reason:        No policy configured

    Here I can't understand what this Failure Reason, "No policy configured", means, as I think I have it configured in the firewall. Encryption settings are the same on both sides, as are the routing and the ACL.

    Please someone help me to figure this out, I'm already going mad!
    Last edited by zx128k; 24th May 2012, 17:28.
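The two things that must agree exactly for Quick Mode to succeed on a setup like this are the Phase 2 identities (the networks in the router's crypto ACL versus the subnets in the Windows tunnel rule, mirrored) and the NAT exemption (the tunnel traffic must hit the deny line of the NAT ACL before any permit, or it is translated and never matches the crypto map). The following script is an added example, not code from the thread; it parses a config excerpt constructed from the values posted above and runs both checks. The Windows rule is modelled as a (local, remote) pair of networks; a /24 on the Windows side is an assumption, since the post only shows "192.168.5.0", and the second, host-sized rule is a constructed mismatch to show what the check flags.

```python
"""Proxy-ID and NAT-exemption consistency check for a site-to-site IPsec tunnel.

Added example, not code from the thread. All inputs are constructed from the
values the poster gave; nothing here talks to a router or a server.
"""
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Selector = Tuple[Net, Net]  # (local network, remote network)


def wildcard_to_network(addr: str, wildcard: str) -> Net:
    """IOS wildcard 0.0.0.255 is the bitwise inverse of netmask 255.255.255.0."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return Net((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_ip_entry(tokens: List[str]) -> Selector:
    """Tokens after 'ip' in an ACL entry: '<src> <wc> <dst> <wc>', where either
    side may instead be 'any' or 'host <addr>'."""
    nets: List[Net] = []
    i = 0
    while len(nets) < 2:
        if tokens[i] == "any":
            nets.append(Net("0.0.0.0/0"))
            i += 1
        elif tokens[i] == "host":
            nets.append(Net(tokens[i + 1] + "/32"))
            i += 2
        else:
            nets.append(wildcard_to_network(tokens[i], tokens[i + 1]))
            i += 2
    return nets[0], nets[1]


def crypto_acl_selectors(config: str, acl_number: int) -> List[Selector]:
    """Every 'access-list <n> permit ip ...' line of the crypto (interesting traffic) ACL."""
    out = []
    for line in config.splitlines():
        t = line.split()
        if len(t) > 4 and t[:2] == ["access-list", str(acl_number)] and t[2:4] == ["permit", "ip"]:
            out.append(parse_ip_entry(t[4:]))
    return out


def named_acl_entries(config: str, acl_name: str):
    """Entries of 'ip access-list extended <name>' as (action, src, dst), in order."""
    entries, in_block = [], False
    for line in config.splitlines():
        if line.split() == ["ip", "access-list", "extended", acl_name]:
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):
                break  # '!' or the next top-level command ends the ACL block
            t = line.split()
            if len(t) > 2 and t[0] in ("permit", "deny") and t[1] == "ip":
                entries.append((t[0], *parse_ip_entry(t[2:])))
    return entries


def nat_exempts(config: str, nat_acl: str, selector: Selector) -> bool:
    """First match wins, as on IOS: tunnel traffic must hit a deny before any permit."""
    local_net, remote_net = selector
    for action, src, dst in named_acl_entries(config, nat_acl):
        if local_net.subnet_of(src) and remote_net.subnet_of(dst):
            return action == "deny"
    return True  # implicit deny at the end of the ACL: traffic is not translated


def proxy_ids_mirror(cisco: Selector, windows: Selector) -> bool:
    """Quick Mode needs an exact mirror: our local == their remote and our remote == their local."""
    return cisco[0] == windows[1] and cisco[1] == windows[0]


def check(config: str, acl_number: int, nat_acl: str, windows_rule: Selector) -> dict:
    selectors = crypto_acl_selectors(config, acl_number)
    return {
        "proxy_mismatch": [s for s in selectors if not proxy_ids_mirror(s, windows_rule)],
        "nat_not_exempt": [s for s in selectors if not nat_exempts(config, nat_acl, s)],
    }


# Constructed excerpt of the router config from the thread (only the relevant lines).
CISCO_CONFIG = """\
ip nat inside source list NAT interface BVI1 overload
!
ip access-list extended NAT
 deny   ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
!
access-list 115 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
"""
# Windows tunnel rule as posted: source subnet 192.168.5.0, destination 192.168.2.0
# (local, remote) from the server's side. The /24 is an assumption.
WINDOWS_RULE = (Net("192.168.5.0/24"), Net("192.168.2.0/24"))
# Constructed mismatch: the same rule entered for the single host instead of the /24.
WINDOWS_HOST_RULE = (Net("192.168.5.1/32"), Net("192.168.2.0/24"))

if __name__ == "__main__":
    print("as posted:", check(CISCO_CONFIG, 115, "NAT", WINDOWS_RULE))
    print("host rule:", check(CISCO_CONFIG, 115, "NAT", WINDOWS_HOST_RULE))
```

An empty `proxy_mismatch` list only says the selectors mirror each other as modelled; it does not prove what the server actually offers in QM, which only the server's own policy or a capture shows. Separately, the transform set in the thread (esp-des, ISAKMP group 2) is legacy crypto; a consistency check like this one does not make it stronger.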

  • #2
    Re: Ipsec VPN between cisco 877 and windows 2008

    Well, it's definitely an issue with Phase 2. Your config on the router looks fine. I would double check your policy for Phase 2 on the Windows server.


    "192.168.5.1 IP Address is bind to windows WAN adapter as a secondary ip."

    I wonder if this is the issue, it being a secondary IP on that interface. Meaning: when traffic is sent from the server, is it being sourced from the WAN IP or the secondary IP address?
    Last edited by auglan; 24th May 2012, 17:39.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: Ipsec VPN between cisco 877 and windows 2008

      Thanks for the reply, auglan.

      I'm also confused about it, but the server has only one physical interface, which connects to the internet. I had to somehow make a private subnet.

      I definitely know that both sides have the same encryption.

      One more thing: I can't find info about this error message: error TRUE reason "Delete Larval"



      • #4
        Re: Ipsec VPN between cisco 877 and windows 2008

        "Meaning when traffic is sent from the server is it being sourced from the wan ip or the secondary ip address."

        I'm starting to think about it... as you may be absolutely right

        but how can I check it?.....



        • #5
          Re: Ipsec VPN between cisco 877 and windows 2008

          Double check your proxy ACL on the server side (interesting traffic ACL).

          "Meaning when traffic is sent from the server is it being sourced from the wan ip or the secondary ip address."

          "I'm starting to think about it... as you may be absolutely right

          but how can I check it?....."

          The only real way to tell is with a packet capture.

          You could also clear the tunnel from the Cisco side:

          Code:
          clear crypto sa
          clear crypto isakmp sa

          Then you could debug Phase 2. I would send it to the buffer as it will be very verbose. This should tell you why Phase 2 is failing:

          Code:
          debug crypto ipsec
          Last edited by auglan; 24th May 2012, 18:07.
          CCNA, CCNA-Security, CCNP
          CCIE Security (In Progress)



          • #6
            Re: Ipsec VPN between cisco 877 and windows 2008

            I have created a loopback interface in Windows with 192.168.5.1 on it, so now I have the private address separated from the WAN adapter, but the results are the same: no ping reply.

            I ran your commands, but the debug message is the same: error TRUE reason "Delete Larval".

            I have no idea what to do next.



            • #7
              Re: Ipsec VPN between cisco 877 and windows 2008

              auglan, I'm not sure if this will somehow help us find the problem, but I have tested the VPN configuration in Cisco Configuration Professional and got this message during the routing table check:

              Code:
              The peer must be routed through the crypto map interface. The following peer(s)  do not have a routing entry in the routing table. 1) <WINDOWS WAN IP>

              Even more confusing :/ Why does it need additional routing when I have already configured it with 192.168.5.0 255.255.255.0 <WINDOWS WAN IP>?



              • #8
                Re: Ipsec VPN between cisco 877 and windows 2008

                I'm guessing that may be a bug in the CCP. Make sure the next hop mentioned in the route is the same IP as in your crypto config. The CCP message is referring to the WAN IP of the endpoint, not the local LAN subnet. In reality your default route pointing out the BVI interface should be enough, but it won't hurt to try:

                Code:
                ip route 192.168.5.0 255.255.255.0 BVI1
                ip route <windows wan ip> 255.255.255.255 BVI1

                Also, instead of debug crypto ipsec do:

                Code:
                debug crypto isakmp

                and post the output if you can.
                Last edited by auglan; 24th May 2012, 18:49.
                CCNA, CCNA-Security, CCNP
                CCIE Security (In Progress)



                • #9
                  Re: Ipsec VPN between cisco 877 and windows 2008

                  ok, here's full debug:

                  Part1:

                  Code:
                  877W#ping 192.168.5.1 source 192.168.2.1 repeat 1
                  
                  Type escape sequence to abort.
                  Sending 1, 100-byte ICMP Echos to 192.168.5.1, timeout is 2 seconds:
                  Packet sent with a source address of 192.168.2.1
                  
                  001030: *Jul 15 07:05:30.914: IPSEC(sa_request): ,
                    (key eng. msg.) OUTBOUND local= <CISCO WAN IP>, remote= <WINDOWS WAN IP>,
                      local_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
                      remote_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4),
                      protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),
                      lifedur= 3600s and 4608000kb,
                      spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
                  001031: *Jul 15 07:05:30.914: ISAKMP:(0): SA request profile is (NULL)
                  001032: *Jul 15 07:05:30.918: ISAKMP: Created a peer struct for <WINDOWS WAN IP>, peer port 500
                  001033: *Jul 15 07:05:30.918: ISAKMP: New peer created peer = 0x84F2190C peer_handle = 0x80000037
                  001034: *Jul 15 07:05:30.918: ISAKMP: Locking peer struct 0x84F2190C, refcount 1 for isakmp_initiator
                  001035: *Jul 15 07:05:30.918: ISAKMP: local port 500, remote port 500
                  001036: *Jul 15 07:05:30.918: ISAKMP: set new node 0 to QM_IDLE
                  001037: *Jul 15 07:05:30.918: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 85782108
                  001038: *Jul 15 07:05:30.918: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
                  001039: *Jul 15 07:05:30.918: ISAKMP:(0):found peer pre-shared key matching <WINDOWS WAN IP>
                  001040: *Jul 15 07:05:30.918: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
                  001041: *Jul 15 07:05:30.918: ISAKMP:(0): constructed NAT-T vendor-07 ID
                  001042: *Jul 15 07:05:30.918: ISAKMP:(0): constructed NAT-T vendor-03 ID
                  001043: *Jul 15 07:05:30.918: ISAKMP:(0): constructed NAT-T vendor-02 ID
                  001044: *Jul 15 07:05:30.918: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
                  001045: *Jul 15 07:05:30.918: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
                  
                  001046: *Jul 15 07:05:30.922: ISAKMP:(0): beginning Main Mode exchange
                  001047: *Jul 15 07:05:30.922: ISAKMP:(0): sending packet to <WINDOWS WAN IP> my_port 500 peer_port 500 (I) MM_NO_STATE
                  001048: *Jul 15 07:05:30.922: ISAKMP:(0):Sending an IKE IPv4 Packet.
                  001049: *Jul 15 07:05:30.926: ISAKMP (0): received packet from <WINDOWS WAN IP> dport 500 sport 500 Global (I) MM_NO_STATE
                  001050: *Jul 15 07:05:30.926: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
                  001051: *Jul 15 07:05:30.926: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
                  
                  001052: *Jul 15 07:05:30.926: ISAKMP:(0): processing SA payload. message ID = 0
                  001053: *Jul 15 07:05:30.926: ISAKMP:(0): processing vendor id payload
                  001054: *Jul 15 07:05:30.926: ISAKMP:(0): processing IKE frag .
                  Success rate is 0 percent (0/1)
                  877W#vendor id payload
                  001055: *Jul 15 07:05:30.930: ISAKMP:(0):Support for IKE Fragmentation not enabled
                  001056: *Jul 15 07:05:30.930: ISAKMP:(0): processing vendor id payload
                  001057: *Jul 15 07:05:30.930: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
                  001058: *Jul 15 07:05:30.930: ISAKMP (0): vendor ID is NAT-T RFC 3947
                  001059: *Jul 15 07:05:30.930: ISAKMP:(0): processing vendor id payload
                  001060: *Jul 15 07:05:30.930: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
                  001061: *Jul 15 07:05:30.930: ISAKMP:(0): vendor ID is NAT-T v2
                  001062: *Jul 15 07:05:30.930: ISAKMP:(0): processing vendor id payload
                  001063: *Jul 15 07:05:30.930: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
                  001064: *Jul 15 07:05:30.930: ISAKMP:(0): processing vendor id payload
                  001065: *Jul 15 07:05:30.930: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
                  001066: *Jul 15 07:05:30.930: ISAKMP:(0): processing vendor id payload
                  001067: *Jul 15 07:05:30.930: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch
                  001068: *Jul 15 07:05:30.930: ISAKMP:(0):found peer pre-shared key matching <WINDOWS WAN IP>
                  001069: *Jul 15 07:05:30.930: ISAKMP:(0): local preshared key found
                  001070: *Jul 15 07:05:30.930: ISAKMP : Scanning profiles for xauth ...
                  001071: *Jul 15 07:05:30.930: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
                  001072: *Jul 15 07:05:30.930: ISAKMP:      encryption DES-CBC
                  001073: *Jul 15 07:05:30.930: ISAKMP:      hash SHA
                  001074: *Jul 15 07:05:30.930: ISAKMP:      default group 2
                  001075: *Jul 15 07:05:30.930: ISAKMP:      auth pre-share
                  001076: *Jul 15 07:05:30.930: ISAKMP:      life type in seconds
                  001077: *Jul 15 07:05:30.930: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
                  001078: *Jul 15 07:05:30.930: ISAKMP:(0):atts are acceptable. Next payload is 0
                  001079: *Jul 15 07:05:30.930: ISAKMP:(0):Acceptable atts:actual life: 0
                  001080: *Jul 15 07:05:30.934: ISAKMP:(0):Acceptable atts:life: 0
                  001081: *Jul 15 07:05:30.934: ISAKMP:(0):Fill atts in sa vpi_length:4
                  001082: *Jul 15 07:05:30.934: ISAKMP:(0):Fill atts in sa life_in_seconds:28800
                  001083: *Jul 15 07:05:30.934: ISAKMP:(0):Returning Actual lifetime: 28800
                  001084: *Jul 15 07:05:30.934: ISAKMP:(0)::Started lifetime timer: 28800.



                  • #10
                    Re: Ipsec VPN between cisco 877 and windows 2008

                    Part2:

                    Code:
                    001085: *Jul 15 07:05:30.934: ISAKMP:(0): processing vendor id payload
                    001086: *Jul 15 07:05:30.934: ISAKMP:(0): processing IKE frag vendor id payload
                    001087: *Jul 15 07:05:30.934: ISAKMP:(0):Support for IKE Fragmentation not enabled
                    001088: *Jul 15 07:05:30.934: ISAKMP:(0): processing vendor id payload
                    001089: *Jul 15 07:05:30.934: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
                    001090: *Jul 15 07:05:30.934: ISAKMP (0): vendor ID is NAT-T RFC 3947
                    001091: *Jul 15 07:05:30.934: ISAKMP:(0): processing vendor id payload
                    001092: *Jul 15 07:05:30.934: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
                    001093: *Jul 15 07:05:30.934: ISAKMP:(0): vendor ID is NAT-T v2
                    001094: *Jul 15 07:05:30.934: ISAKMP:(0): processing vendor id payload
                    001095: *Jul 15 07:05:30.934: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
                    001096: *Jul 15 07:05:30.934: ISAKMP:(0): processing vendor id payload
                    001097: *Jul 15 07:05:30.934: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
                    001098: *Jul 15 07:05:30.934: ISAKMP:(0): processing vendor id payload
                    001099: *Jul 15 07:05:30.934: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch
                    001100: *Jul 15 07:05:30.934: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
                    001101: *Jul 15 07:05:30.938: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
                    
                    001102: *Jul 15 07:05:30.938: ISAKMP:(0): sending packet to <WINDOWS WAN IP> my_port 500 peer_port 500 (I) MM_SA_SETUP
                    001103: *Jul 15 07:05:30.938: ISAKMP:(0):Sending an IKE IPv4 Packet.
                    001104: *Jul 15 07:05:30.938: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
                    001105: *Jul 15 07:05:30.938: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
                    001106: *Jul 15 07:05:30.966: ISAKMP (0): received packet from <WINDOWS WAN IP> dport 500 sport 500 Global (I) MM_SA_SETUP
                    001107: *Jul 15 07:05:30.970: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
                    001108: *Jul 15 07:05:30.970: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
                    001109: *Jul 15 07:05:30.970: ISAKMP:(0): processing KE payload. message ID = 0
                    001110: *Jul 15 07:05:31.014: ISAKMP:(0): processing NONCE payload. message ID = 0
                    001111: *Jul 15 07:05:31.014: ISAKMP:(0):found peer pre-shared key matching <WINDOWS WAN IP>
                    001112: *Jul 15 07:05:31.014: ISAKMP:received payload type 20
                    001113: *Jul 15 07:05:31.014: ISAKMP (2036): His hash no match - this node outside NAT
                    001114: *Jul 15 07:05:31.014: ISAKMP:received payload type 20
                    001115: *Jul 15 07:05:31.014: ISAKMP (2036): No NAT Found for self or peer
                    001116: *Jul 15 07:05:31.014: ISAKMP:(2036):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
                    001117: *Jul 15 07:05:31.014: ISAKMP:(2036):Old State = IKE_I_MM4  New State = IKE_I_MM4
                    
                    001118: *Jul 15 07:05:31.014: ISAKMP:(2036):Send initial contact
                    001119: *Jul 15 07:05:31.014: ISAKMP:(2036):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
                    001120: *Jul 15 07:05:31.014: ISAKMP (2036): ID payload
                            next-payload : 8
                            type         : 1
                            address      : <CISCO WAN IP>
                            protocol     : 17
                            port         : 500
                            length       : 12
                    001121: *Jul 15 07:05:31.018: ISAKMP:(2036):Total payload length: 12
                    001122: *Jul 15 07:05:31.018: ISAKMP:(2036): sending packet to <WINDOWS WAN IP> my_port 500 peer_port 500 (I) MM_KEY_EXCH
                    001123: *Jul 15 07:05:31.018: ISAKMP:(2036):Sending an IKE IPv4 Packet.
                    001124: *Jul 15 07:05:31.018: ISAKMP:(2036):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
                    001125: *Jul 15 07:05:31.018: ISAKMP:(2036):Old State = IKE_I_MM4  New State = IKE_I_MM5
                    
                    001126: *Jul 15 07:05:31.026: ISAKMP (2036): received packet from <WINDOWS WAN IP> dport 500 sport 500 Global (I) MM_KEY_EXCH
                    001127: *Jul 15 07:05:31.026: ISAKMP:(2036): processing ID payload. message ID = 0
                    001128: *Jul 15 07:05:31.026: ISAKMP (2036): ID payload
                            next-payload : 8
                            type         : 1
                            address      : <WINDOWS WAN IP>
                            protocol     : 0
                            port         : 0
                            length       : 12
                    001129: *Jul 15 07:05:31.026: ISAKMP:(0):: peer matches *none* of the profiles
                    001130: *Jul 15 07:05:31.026: ISAKMP:(2036): processing HASH payload. message ID = 0
                    001131: *Jul 15 07:05:31.026: ISAKMP:(2036):SA authentication status:
                            authenticated
                    001132: *Jul 15 07:05:31.026: ISAKMP:(2036):SA has been authenticated with <WINDOWS WAN IP>
                    001133: *Jul 15 07:05:31.026: ISAKMP: Trying to insert a peer <CISCO WAN IP>/<WINDOWS WAN IP>/500/,  and inserted successfully 84F2190C.
                    001134: *Jul 15 07:05:31.026: ISAKMP:(2036):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
                    001135: *Jul 15 07:05:31.030: ISAKMP:(2036):Old State = IKE_I_MM5  New State = IKE_I_MM6
                    001136: *Jul 15 07:05:31.030: ISAKMP:(2036):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
                    001137: *Jul 15 07:05:31.030: ISAKMP:(2036):Old State = IKE_I_MM6  New State = IKE_I_MM6
                    001138: *Jul 15 07:05:31.030: ISAKMP:(2036):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
                    001139: *Jul 15 07:05:31.030: ISAKMP:(2036):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
                    001140: *Jul 15 07:05:31.030: ISAKMP:(2036):beginning Quick Mode exchange, M-ID of 1085702344
                    001141: *Jul 15 07:05:31.030: ISAKMP:(2036):QM Initiator gets spi
                    001142: *Jul 15 07:05:31.034: ISAKMP:(2036): sending packet to <WINDOWS WAN IP> my_port 500 peer_port 500 (I) QM_IDLE
                    001143: *Jul 15 07:05:31.034: ISAKMP:(2036):Sending an IKE IPv4 Packet.
                    001144: *Jul 15 07:05:31.034: ISAKMP:(2036):Node 1085702344, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
                    001145: *Jul 15 07:05:31.034: ISAKMP:(2036):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
                    001146: *Jul 15 07:05:31.034: ISAKMP:(2036):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
                    001147: *Jul 15 07:05:31.034: ISAKMP:(2036):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
                    001148: *Jul 15 07:05:31.038: ISAKMP (2036): received packet from <WINDOWS WAN IP> dport 500 sport 500 Global (I) QM_IDLE
                    001149: *Jul 15 07:05:31.038: ISAKMP: set new node 1860807508 to QM_IDLE
                    001150: *Jul 15 07:05:31.038: ISAKMP:(2036): processing HASH payload. message ID = 1860807508
                    001151: *Jul 15 07:05:31.038: ISAKMP:(2036): processing NOTIFY INVALID_ID_INFO protocol 3
                            spi 3338526614, message ID = 1860807508, sa = 85782108
                    001152: *Jul 15 07:05:31.038: ISAKMP:(2036): deleting spi 3338526614 message ID = 1085702344
                    001153: *Jul 15 07:05:31.038: ISAKMP:(2036):deleting node 1085702344 error TRUE reason "Delete Larval"
                    001154: *Jul 15 07:05:31.038: ISAKMP:(2036):deleting node 1860807508 error FALSE reason "Informational (in) state 1"
                    001155: *Jul 15 07:05:31.038: ISAKMP:(2036):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
                    001156: *Jul 15 07:05:31.042: ISAKMP:(2036):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
                    
                    001157: *Jul 15 07:05:32.326: ISAKMP:(2035):purging node -304183989
                    001158: *Jul 15 07:05:32.326: ISAKMP:(2035):purging node 2019498854
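The debug above shows the whole story in a handful of lines: Phase 1 reaches IKE_P1_COMPLETE, the router sends QM1 (IKE_QM_READY to IKE_QM_I_QM1), and instead of QM2 the peer answers with NOTIFY INVALID_ID_INFO for protocol 3 (ESP), after which the router tears down the half-built outbound SA for that message ID with reason "Delete Larval". In ISAKMP terms a larval SA is one that has been allocated but not yet negotiated; it is deleted because the peer rejected the QM1 it was created for. The standard reading of INVALID_ID_INFO in Quick Mode is that the responder found no policy matching the offered Phase 2 identities, which lines up with the Windows event "No policy configured"; NO_PROPOSAL_CHOSEN, by contrast, would point at the transform set, PFS or lifetimes. The following triage script is an added example, not code from the thread; it classifies a `debug crypto isakmp` capture along exactly those lines, and the two sample captures are constructed to match the shape of the output posted here (the second one, a Phase 1 that never leaves MM5, is invented for contrast).

```python
"""Triage 'debug crypto isakmp' output from an IOS router.

Added example, not code from the thread. It reports whether Phase 1 reached
IKE_P1_COMPLETE and how Quick Mode ended, using the peer's NOTIFY and the
'deleting node ... error TRUE' line for the QM message ID. Sample lines are
constructed to match the shape of the poster's debug.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

STATE_RE = re.compile(r"Old State = (?P<old>\S+)\s+New State = (?P<new>\S+)")
QM_START_RE = re.compile(r"beginning Quick Mode exchange, M-ID of (?P<mid>-?\d+)")
NOTIFY_RE = re.compile(r"processing NOTIFY (?P<type>[A-Z_]+) protocol (?P<proto>\d+)")
DELETE_RE = re.compile(
    r'deleting node (?P<node>-?\d+) error (?P<err>TRUE|FALSE) reason "(?P<reason>[^"]+)"'
)
PROTO_IPSEC_ESP = "3"  # IPsec DOI protocol id carried in the notify

# Standard reading of the Quick Mode notifies a responder sends when it rejects QM1.
QM_NOTIFY_HINTS = {
    "INVALID_ID_INFO": "peer has no policy for the offered Phase 2 identities "
                       "(crypto ACL networks vs the peer's tunnel subnets)",
    "NO_PROPOSAL_CHOSEN": "peer rejected the Phase 2 proposal "
                          "(transform set, PFS group or lifetimes)",
}


@dataclass
class IkeTriage:
    phase1_complete: bool = False
    last_state: Optional[str] = None
    qm_message_id: Optional[str] = None
    qm_notify: Optional[str] = None
    qm_deleted_reason: Optional[str] = None
    transitions: List[str] = field(default_factory=list)

    def verdict(self) -> str:
        if not self.phase1_complete:
            return f"Phase 1 (Main Mode) did not complete; last state {self.last_state}"
        if self.qm_notify:
            hint = QM_NOTIFY_HINTS.get(self.qm_notify, "see the peer's logs")
            return f"Phase 2 failed: {self.qm_notify}: {hint}"
        if self.qm_deleted_reason:
            return f"Phase 2 failed: QM node deleted ({self.qm_deleted_reason})"
        return "no Phase 2 failure seen"


def triage(lines: List[str]) -> IkeTriage:
    t = IkeTriage()
    for line in lines:
        m = STATE_RE.search(line)
        if m:
            t.transitions.append(f"{m.group('old')}->{m.group('new')}")
            t.last_state = m.group("new")
            if m.group("new") == "IKE_P1_COMPLETE":
                t.phase1_complete = True
        m = QM_START_RE.search(line)
        if m:
            t.qm_message_id = m.group("mid")  # node id of our outbound QM1
        m = NOTIFY_RE.search(line)
        if m and m.group("proto") == PROTO_IPSEC_ESP:
            t.qm_notify = m.group("type")
        m = DELETE_RE.search(line)
        # The larval SA for our QM1 is deleted with error TRUE when the peer
        # answers with a notify instead of QM2.
        if m and m.group("err") == "TRUE" and m.group("node") == t.qm_message_id:
            t.qm_deleted_reason = m.group("reason")
    return t


# Constructed sample in the shape of the thread's debug (IPs replaced by placeholders).
SAMPLE_QM_FAIL = """\
001139: *Jul 15 07:05:31.030: ISAKMP:(2036):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
001140: *Jul 15 07:05:31.030: ISAKMP:(2036):beginning Quick Mode exchange, M-ID of 1085702344
001145: *Jul 15 07:05:31.034: ISAKMP:(2036):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
001151: *Jul 15 07:05:31.038: ISAKMP:(2036): processing NOTIFY INVALID_ID_INFO protocol 3
001153: *Jul 15 07:05:31.038: ISAKMP:(2036):deleting node 1085702344 error TRUE reason "Delete Larval"
001154: *Jul 15 07:05:31.038: ISAKMP:(2036):deleting node 1860807508 error FALSE reason "Informational (in) state 1"
"""
# Constructed contrast case: Phase 1 stalls at MM5 and never completes.
SAMPLE_P1_STUCK = """\
000201: *Jul 15 07:10:01.000: ISAKMP:(2040):Old State = IKE_I_MM4  New State = IKE_I_MM5
000202: *Jul 15 07:10:11.000: ISAKMP:(2040):Old State = IKE_I_MM5  New State = IKE_I_MM5
"""

if __name__ == "__main__":
    for name, sample in (("qm_fail", SAMPLE_QM_FAIL), ("p1_stuck", SAMPLE_P1_STUCK)):
        print(name, "->", triage(sample.splitlines()).verdict())
```

Paste the buffered `show logging` output into `triage()` as a list of lines; the verdict only names the failing phase and the notify, so the next step (compare the crypto ACL with the server's tunnel subnets for INVALID_ID_INFO, or the transform set for NO_PROPOSAL_CHOSEN) still has to be done against both configs.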



                    • #11
                      Re: Ipsec VPN between cisco 877 and windows 2008

                      Hmm, I would go back through the server config and check and make sure the Phase 2 options are the same as the router's:

                      1. peer address (make sure it's the IP of the remote endpoint)
                      2. Transform set is identical, including the encapsulation (ESP), encryption AES (make sure the correct type, 128, 256 etc.) and check the hash (MD5 or SHA)
                      3. Double check the proxy ACL. Not sure what it's called on the Windows box

                      "Old State = IKE_QM_READY New State = IKE_QM_I_QM1"

                      You are making it to QM1. There are 3 messages in QM. The first is the proposal for Phase 2, which is everything in your crypto map. Triple check that stuff.

                      Also make sure on the server side that Protocol 50 (ESP) is allowed through the firewall.
                      Last edited by auglan; 24th May 2012, 20:43.
                      CCNA, CCNA-Security, CCNP
                      CCIE Security (In Progress)



                      • #12
                        Re: Ipsec VPN between cisco 877 and windows 2008

                        peer address is good
                        transform sets are good
                        acl is good (Endpoints in firewall)

                        I'm not sure about QMs. I see that but have no idea why it is happening 3 times

                        esp is opened

                        someone kill me

                        I wonder why event viewer says that ipsec policy is not configured...



                        • #13
                          Re: Ipsec VPN between cisco 877 and windows 2008

                          The ACL should have the traffic you want encrypted, not the endpoints.

                          Quick Mode for IPsec uses 3 messages/exchanges, unlike MM, which uses 6.

                          Not sure why the server says that, but I would look at that. Your router config looks good.
                          CCNA, CCNA-Security, CCNP
                          CCIE Security (In Progress)



                          • #14
                            Re: Ipsec VPN between cisco 877 and windows 2008

                            sure, let me show the screens
                            Attached Files



                            • #15
                              Re: Ipsec VPN between cisco 877 and windows 2008

                              Hmm, I'm stumped. The router config is fine, but I have a feeling the server side is where the issue is. Have you rebooted?
                              CCNA, CCNA-Security, CCNP
                              CCIE Security (In Progress)
