Oh the joys of SDM.....

notgoing2fail Member Posts: 1,138
Ok, I'll try not to make this a long post so please bear with me.

My VPN tunnel works between two routers. There is no question about it. I configured everything via CLI and was able to ping across.

I then loaded up SDM only to see that SDM seems to think my tunnel is down. I ran a "tunnel test" and it seems to think there is an issue.

So I went ahead and deleted my CLI config and configured my VPN the "SDM way" by using SDM. Again, SDM thinks the tunnel is down, but it's not. All traffic works, all show crypto commands show that the tunnel is up.

The only thing that thinks the tunnel is down is SDM. Also, I've closed SDM and relaunched it with no success, hoping a clean refresh would work with SDM, it still thinks my tunnel is down.

Attached are two of the same pictures, one small and one large.

Could anyone please take a look and let me know your thoughts? I really detest SDM. My pictures prove that pings across both ways work. Below is just a quick structure of my VPN.


Host (172.16.0.5) <----> 1811 Router (Fa1: 172.16.0.1 | Fa0: 10.0.0.1) <----> 3620 Router (Fa0: 10.0.0.2 | Fa1: 192.168.50.1) <----> Host (192.168.50.5)


FYI: When I run the tunnel test on the SDM and tell it to ping a host on the other side, that host actually responds because I've issued debug ip icmp, so it gets the pings and it responds. Yet SDM gives me back an error saying it cannot ping the device....so frustrating....

FYI 2: I've also tested the tunnel by initiating the pings myself manually and still receive the same error from SDM....

Comments

  • captobvious Member Posts: 648
    Did you delete your CLI configs from both routers? If so, did you SDM config the other router?

    Just spit balling....
  • notgoing2fail Member Posts: 1,138
    captobvious wrote: »
    Did you delete your CLI configs from both routers? If so, did you SDM config the other router?

    Just spit balling....


    The other router, the 3620, doesn't support SDM unfortunately, and if it does, someone please let me know. But when I configured the SDM and clicked on the "mirror config" option, I compared the configs and they were identical other than SDM having "SDM" in its naming convention....
  • k2737 Member Posts: 10
    What does "show crypto isakmp sa" report for the state on each endpoint?

    Might want to enable "debug crypto isakmp" and "debug crypto ipsec" then ping across to bring the tunnel up and watch the logs on each side to see whats going on.
  • notgoing2fail Member Posts: 1,138
    k2737 wrote: »
    What does "show crypto isakmp sa" report for the state on each endpoint?

    Might want to enable "debug crypto isakmp" and "debug crypto ipsec" then ping across to bring the tunnel up and watch the logs on each side to see whats going on.


    I can post that info once I get my lab back up again. Perhaps there's something someone can spot. But again, the issue to be clear is that the tunnel and VPN works.

    SDM to me I think is the issue....if I never have to see SDM again, I'd be very happy....
  • captobvious Member Posts: 648
    Just because you can ping doesn't mean a tunnel is set up. That's why k2737 was asking you to check the isakmp security associations.
  • notgoing2fail Member Posts: 1,138
    captobvious wrote: »
    Just because you can ping doesn't mean a tunnel is set up. That's why k2737 was asking you to check the isakmp security associations.

    I'll post the info soon, the info he's looking for definitely shows the tunnel is up. The QM idle status and all that good stuff looks good on my end.

    But it would be nice to have a fresh set of eyes take a look, perhaps I missed something...
  • notgoing2fail Member Posts: 1,138
    Here's the show crypto isakmp sa, and show crypto ipsec sa for both routers. I'll do a separate post for each one just to keep things organized....

    RTR-1811W#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    10.0.0.2        10.0.0.1        QM_IDLE           2001 ACTIVE
    
    
    
    RTR-1811W#sh crypto ipsec sa
    
    interface: FastEthernet0
        Crypto map tag: SDM_CMAP_1, local addr 10.0.0.1
    
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
       current_peer 10.0.0.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
        #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 1, #recv errors 0
    
         local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
         current outbound spi: 0x8ADE83C1(2329838529)
         PFS (Y/N): N, DH group: none
    
         inbound esp sas:
          spi: 0xB2B26F3F(2998038335)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4539282/3518)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
    
         inbound ah sas:
    
         inbound pcp sas:
    
         outbound esp sas:
          spi: 0x8ADE83C1(2329838529)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4539282/3518)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
    
         outbound ah sas:
    
         outbound pcp sas:
    
    
  • notgoing2fail Member Posts: 1,138
    RTR-3620#sh crypto isakmp sa
    dst             src             state          conn-id slot
    10.0.0.2        10.0.0.1        QM_IDLE              1    0 
    
    
    
    RTR-3620#sh crypto ipsec sa
    
    interface: Ethernet0/0
        Crypto map tag: S2S-2, local addr. 10.0.0.2
    
       protected vrf:
       local  ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
       current_peer: 10.0.0.1:500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 2, #pkts encrypt: 2, #pkts digest 2
        #pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
    
         local crypto endpt.: 10.0.0.2, remote crypto endpt.: 10.0.0.1
         path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
         current outbound spi: B2B26F3F
    
         inbound esp sas:
          spi: 0x8ADE83C1(2329838529)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 2000, flow_id: 1, crypto map: S2S-2
            sa timing: remaining key lifetime (k/sec): (4595179/3307)
            IV size: 8 bytes
            replay detection support: Y
    
         inbound ah sas:
    
         inbound pcp sas:
    
         outbound esp sas:
          spi: 0xB2B26F3F(2998038335)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 2001, flow_id: 2, crypto map: S2S-2
            sa timing: remaining key lifetime (k/sec): (4595179/3307)
            IV size: 8 bytes
            replay detection support: Y
    
         outbound ah sas:
    
         outbound pcp sas:
    RTR-3620# 
    
    
    
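The two "show crypto ipsec sa" dumps above can be checked against each other mechanically instead of by eye. The Python below is an added example from the editor, not code from this thread or from Cisco: it pulls the fields that matter out of each router's output (proxy identities, peer addresses, ESP SPIs, packet counters, transform set) and confirms the SAs form a working pair: each side's inbound SPI is the other side's outbound SPI, the proxy identities are mirrored, the peer addresses line up, and both encaps and decaps counters are non-zero. It also records what a security reviewer would note in these particular outputs: esp-3des as a legacy cipher, PFS disabled on the 1811W, and the single send error (commonly the packet that triggered IKE and was dropped while the SA came up). The sample inputs are trimmed copies of the posted outputs; the `LEGACY_ALGS` tuple, the regexes and the finding strings are the editor's assumptions.

```python
import re

# Constructed sample inputs: trimmed copies of the two "show crypto ipsec sa"
# outputs posted in this thread (AH/PCP/compression/lifetime lines dropped).
RTR_1811W = """\
    Crypto map tag: SDM_CMAP_1, local addr 10.0.0.1
   local  ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
   current_peer 10.0.0.2 port 500
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #send errors 1, #recv errors 0
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0xB2B26F3F(2998038335)
        transform: esp-3des esp-sha-hmac ,
     outbound esp sas:
      spi: 0x8ADE83C1(2329838529)
        transform: esp-3des esp-sha-hmac ,
"""
RTR_3620 = """\
    Crypto map tag: S2S-2, local addr. 10.0.0.2
   local  ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
   current_peer: 10.0.0.1:500
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest 2
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x8ADE83C1(2329838529)
        transform: esp-3des esp-sha-hmac ,
     outbound esp sas:
      spi: 0xB2B26F3F(2998038335)
        transform: esp-3des esp-sha-hmac ,
"""

# One regex per scalar field, accepting both IOS formats seen in the thread
# ('local addr' vs 'local addr.', 'current_peer X port 500' vs 'current_peer: X:500').
SCALARS = (
    ("local_net", r"^local\s+ident.*?:\s*\(([\d.]+/[\d.]+)/"),
    ("remote_net", r"^remote\s+ident.*?:\s*\(([\d.]+/[\d.]+)/"),
    ("peer", r"^current_peer:?\s+([\d.]+)"),
    ("local_addr", r"local addr\.?\s+([\d.]+)"),
    ("encaps", r"^#pkts encaps:\s*(\d+)"),
    ("decaps", r"^#pkts decaps:\s*(\d+)"),
    ("send_errors", r"^#send errors\s+(\d+)"),
    ("pfs", r"^PFS \(Y/N\):\s*([YN])"),
)
# Editor's assumption: algorithm substrings worth calling out as legacy.
LEGACY_ALGS = ("3des", "des", "md5", "null")


def parse_ipsec_sa(text):
    """Pull the cross-checkable fields out of one 'show crypto ipsec sa' block."""
    sa = {"local_net": None, "remote_net": None, "peer": None, "local_addr": None,
          "encaps": 0, "decaps": 0, "send_errors": 0, "pfs": None,
          "transforms": set(), "spi": {"inbound": [], "outbound": []}}
    section = None  # which ESP SA list we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        for key, pat in SCALARS:
            if m := re.search(pat, line):
                sa[key] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
        if m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            section = m.group(1) if m.group(2) == "esp" else None  # AH/PCP headers end ESP list
        elif section and (m := re.match(r"spi:\s*(0x[0-9A-Fa-f]+)", line)):
            sa["spi"][section].append(m.group(1))
        elif section and (m := re.match(r"transform:\s*(.+?)\s*,?$", line)):
            sa["transforms"].update(m.group(1).split())
    return sa


def cross_check(a, b):
    """'problems' mean the SAs are not a working pair; 'advisories' work but deserve a note."""
    problems, advisories = [], []
    if a["local_net"] != b["remote_net"] or a["remote_net"] != b["local_net"]:
        problems.append("proxy identities are not mirrored")
    if a["peer"] != b["local_addr"] or b["peer"] != a["local_addr"]:
        problems.append("peer addresses do not match")
    if (set(a["spi"]["inbound"]) != set(b["spi"]["outbound"])
            or set(a["spi"]["outbound"]) != set(b["spi"]["inbound"])):
        problems.append("ESP SPIs do not pair up across peers")
    for name, sa in (("A", a), ("B", b)):
        if sa["encaps"] == 0 or sa["decaps"] == 0:
            problems.append(f"{name}: no traffic encrypted or decrypted in one direction")
        if sa["send_errors"]:
            # Commonly the packet that triggered IKE, dropped while the SA came up.
            advisories.append(f"{name}: {sa['send_errors']} send error(s)")
        if sa["pfs"] == "N":
            advisories.append(f"{name}: PFS disabled")
    legacy = sorted(t for t in a["transforms"] | b["transforms"]
                    if any(alg in t.lower() for alg in LEGACY_ALGS))
    if legacy:
        advisories.append("legacy transform(s): " + ", ".join(legacy))
    return {"ok": not problems, "problems": problems, "advisories": advisories}


if __name__ == "__main__":
    print(cross_check(parse_ipsec_sa(RTR_1811W), parse_ipsec_sa(RTR_3620)))
```

Run against the two posted outputs it reports no problems and three advisories, which is the CLI-side answer to the question in this thread: the SAs are a matched pair and traffic is flowing, whatever the GUI says.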
  • k2737 Member Posts: 10
    Can you post both configs?
  • peanutnoggin Member Posts: 1,096
    Notgoing2fail,

    It's hard to tell without the configs. Can you clear the tunnel ("clear ipsec sa") and then run a "debug ipsec sa" & "debug isakmp sa" and post the results from those commands? That will show the debug of your tunnel coming up.

    HTH
    We cannot have a superior democracy with an inferior education system!

    -Mayor Cory Booker
  • notgoing2fail Member Posts: 1,138
    Yes I'll post the configs, just need to turn my lab back on....I'll go ahead and run the debug as soon as I turn them on and post the output....
  • notgoing2fail Member Posts: 1,138
    Below are the debugs for "crypto isakmp" for both routers.....it's quite a doozy!!
    And yes, I realize the dates are off....
    *May  7 17:42:39.227: ISAKMP:(0): SA request profile is (NULL)
    *May  7 17:42:39.231: ISAKMP: Created a peer struct for 10.0.0.2, peer port 500
    *May  7 17:42:39.231: ISAKMP: New peer created peer = 0x85337CA8 peer_handle = 0x80000002
    *May  7 17:42:39.231: ISAKMP: Locking peer struct 0x85337CA8, refcount 1 for isakmp_initiator
    *May  7 17:42:39.231: ISAKMP: local port 500, remote port 500
    *May  7 17:42:39.231: ISAKMP: set new node 0 to QM_IDLE
    *May  7 17:42:39.231: ISAKMP:(0):insert sa successfully sa = 86338134
    *May  7 17:42:39.231: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    *May  7 17:42:39.231: ISAKMP:(0):found peer pre-shared key matching 10.0.0.2
    *May  7 17:42:39.231: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    *May  7 17:42:39.231: ISAKMP:(0): constructed NAT-T vendor-07 ID
    *May  7 17:42:39.231: ISAKMP:(0): constructed NAT-T vendor-03 ID
    *May  7 17:42:39.231: ISAKMP:(0): constructed NAT-T vendor-02 ID
    *May  7 17:42:39.231: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    *May  7 17:42:39.231: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    
    *May  7 17:42:39.231: ISAKMP:(0): beginning Main Mode exchange
    *May  7 17:42:39.231: ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
    *May  7 17:42:39.231: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *May  7 17:42:39.443: ISAKMP (0): received packet from 10.0.0.2 dport 500 sport 500 Global (I) MM_NO_STATE
    *May  7 17:42:39.443: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *May  7 17:42:39.443: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    
    *May  7 17:42:39.443: ISAKMP:(0): processing SA payload. message ID = 0
    *May  7 17:42:39.443: ISAKMP:(0): processing vendor id payload
    *May  7 17:42:39.443: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    *May  7 17:42:39.443: ISAKMP (0): vendor ID is NAT-T v7
    *May  7 17:42:39.443: ISAKMP:(0):found peer pre-shared key matching 10.0.0.2
    *May  7 17:42:39.443: ISAKMP:(0): local preshared key found
    *May  7 17:42:39.443: ISAKMP : Scanning profiles for xauth ...
    *May  7 17:42:39.443: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    *May  7 17:42:39.447: ISAKMP:      encryption 3DES-CBC
    *May  7 17:42:39.447: ISAKMP:      hash MD5
    *May  7 17:42:39.447: ISAKMP:      default group 2
    *May  7 17:42:39.447: ISAKMP:      auth pre-share
    *May  7 17:42:39.447: ISAKMP:      life type in seconds
    *May  7 17:42:39.447: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    *May  7 17:42:39.447: ISAKMP:(0):atts are acceptable. Next payload is 0
    *May  7 17:42:39.447: ISAKMP:(0):Acceptable atts:actual life: 0
    *May  7 17:42:39.447: ISAKMP:(0):Acceptable atts:life: 0
    *May  7 17:42:39.447: ISAKMP:(0):Fill atts in sa vpi_length:4
    *May  7 17:42:39.447: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    *May  7 17:42:39.447: ISAKMP:(0):Returning Actual lifetime: 86400
    *May  7 17:42:39.447: ISAKMP:(0)::Started lifetime timer: 86400.
    
    *May  7 17:42:39.447: ISAKMP:(0): processing vendor id payload
    *May  7 17:42:39.447: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    *May  7 17:42:39.447: ISAKMP (0): vendor ID is NAT-T v7
    *May  7 17:42:39.447: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *May  7 17:42:39.447: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    
    *May  7 17:42:39.447: ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
    *May  7 17:42:39.447: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *May  7 17:42:39.447: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *May  7 17:42:39.447: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    
    *May  7 17:42:39.687: ISAKMP (0): received packet from 10.0.0.2 dport 500 sport 500 Global (I) MM_SA_SETUP
    *May  7 17:42:39.687: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *May  7 17:42:39.687: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    
    *May  7 17:42:39.687: ISAKMP:(0): processing KE payload. message ID = 0
    *May  7 17:42:39.719: ISAKMP:(0): processing NONCE payload. message ID = 0
    *May  7 17:42:39.719: ISAKMP:(0):found peer pre-shared key matching 10.0.0.2
    *May  7 17:42:39.719: ISAKMP:(2001): processing vendor id payload
    *May  7 17:42:39.719: ISAKMP:(2001): vendor ID is Unity
    *May  7 17:42:39.719: ISAKMP:(2001): processing vendor id payload
    *May  7 17:42:39.719: ISAKMP:(2001): vendor ID is DPD
    *May  7 17:42:39.719: ISAKMP:(2001): processing vendor id payload
    *May  7 17:42:39.719: ISAKMP:(2001): speaking to another IOS box!
    *May  7 17:42:39.719: ISAKMP (2001): His hash no match - this node outside NAT
    *May  7 17:42:39.719: ISAKMP (2001): No NAT Found for self or peer
    *May  7 17:42:39.719: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *May  7 17:42:39.719: ISAKMP:(2001):Old State = IKE_I_MM4  New State = IKE_I_MM4
    
    *May  7 17:42:39.723: ISAKMP:(2001):Send initial contact
    *May  7 17:42:39.723: ISAKMP:(2001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    *May  7 17:42:39.723: ISAKMP (2001): ID payload
        next-payload : 8
        type         : 1
        address      : 10.0.0.1
        protocol     : 17
        port         : 500
        length       : 12
    *May  7 17:42:39.723: ISAKMP:(2001):Total payload length: 12
    *May  7 17:42:39.723: ISAKMP:(2001): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *May  7 17:42:39.723: ISAKMP:(2001):Sending an IKE IPv4 Packet.
    *May  7 17:42:39.723: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *May  7 17:42:39.723: ISAKMP:(2001):Old State = IKE_I_MM4  New State = IKE_I_MM5
    
    *May  7 17:42:39.751: ISAKMP (2001): received packet from 10.0.0.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
    *May  7 17:42:39.751: ISAKMP:(2001): processing ID payload. message ID = 0
    *May  7 17:42:39.751: ISAKMP (2001): ID payload
        next-payload : 8
        type         : 1
        address      : 10.0.0.2
        protocol     : 17
        port         : 500
        length       : 12
    *May  7 17:42:39.751: ISAKMP:(0):: peer matches *none* of the profiles
    *May  7 17:42:39.751: ISAKMP:(2001): processing HASH payload. message ID = 0
    *May  7 17:42:39.751: ISAKMP:(2001):SA authentication status:
        authenticated
    *May  7 17:42:39.751: ISAKMP:(2001):SA has been authenticated with 10.0.0.2
    *May  7 17:42:39.751: ISAKMP: Trying to insert a peer 10.0.0.1/10.0.0.2/500/,  and inserted successfully 85337CA8.
    *May  7 17:42:39.751: ISAKMP:(2001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *May  7 17:42:39.751: ISAKMP:(2001):Old State = IKE_I_MM5  New State = IKE_I_MM6
    
    *May  7 17:42:39.751: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *May  7 17:42:39.751: ISAKMP:(2001):Old State = IKE_I_MM6  New State = IKE_I_MM6
    
    *May  7 17:42:39.751: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *May  7 17:42:39.751: ISAKMP:(2001):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
    
    *May  7 17:42:39.751: ISAKMP:(2001):beginning Quick Mode exchange, M-ID of 518492717
    *May  7 17:42:39.751: ISAKMP:(2001):QM Initiator gets spi
    *May  7 17:42:39.751: ISAKMP:(2001): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) QM_IDLE
    *May  7 17:42:39.751: ISAKMP:(2001):Sending an IKE IPv4 Packet.
    *May  7 17:42:39.755: ISAKMP:(2001):Node 518492717, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    *May  7 17:42:39.755: ISAKMP:(2001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    *May  7 17:42:39.755: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    *May  7 17:42:39.755: ISAKMP:(2001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    
    *May  7 17:42:40.039: ISAKMP (2001): received packet from 10.0.0.2 dport 500 sport 500 Global (I) QM_IDLE
    *May  7 17:42:40.039: ISAKMP:(2001): processing HASH payload. message ID = 518492717
    *May  7 17:42:40.039: ISAKMP:(2001): processing SA payload. message ID = 518492717
    *May  7 17:42:40.039: ISAKMP:(2001):Checking IPSec proposal 1
    *May  7 17:42:40.039: ISAKMP: transform 1, ESP_3DES
    *May  7 17:42:40.039: ISAKMP:   attributes in transform:
    *May  7 17:42:40.039: ISAKMP:      encaps is 1 (Tunnel)
    *May  7 17:42:40.039: ISAKMP:      SA life type in seconds
    *May  7 17:42:40.039: ISAKMP:      SA life duration (basic) of 3600
    *May  7 17:42:40.039: ISAKMP:      SA life type in kilobytes
    *May  7 17:42:40.039: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    *May  7 17:42:40.039: ISAKMP:      authenticator is HMAC-SHA
    *May  7 17:42:40.039: ISAKMP:(2001):atts are acceptable.
    *May  7 17:42:40.039: ISAKMP:(2001): processing NONCE payload. message ID = 518492717
    *May  7 17:42:40.039: ISAKMP:(2001): processing ID payload. message ID = 518492717
    *May  7 17:42:40.039: ISAKMP:(2001): processing ID payload. message ID = 518492717
    *May  7 17:42:40.039: ISAKMP:(2001): Creating IPSec SAs
    *May  7 17:42:40.043:         inbound SA from 10.0.0.2 to 10.0.0.1 (f/i)  0/ 0
            (proxy 192.168.50.0 to 172.16.0.0)
    *May  7 17:42:40.043:         has spi 0x5E6F578E and conn_id 0
    *May  7 17:42:40.043:         lifetime of 3600 seconds
    *May  7 17:42:40.043:         lifetime of 4608000 kilobytes
    *May  7 17:42:40.043:         outbound SA from 10.0.0.1 to 10.0.0.2 (f/i) 0/0
            (proxy 172.16.0.0 to 192.168.50.0)
    *May  7 17:42:40.043:         has spi  0xB8E76FE7 and conn_id 0
    *May  7 17:42:40.043:         lifetime of 3600 seconds
    *May  7 17:42:40.043:         lifetime of 4608000 kilobytes
    *May  7 17:42:40.043: ISAKMP:(2001): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) QM_IDLE
    *May  7 17:42:40.043: ISAKMP:(2001):Sending an IKE IPv4 Packet.
    *May  7 17:42:40.043: ISAKMP:(2001):deleting node 518492717 error FALSE reason "No Error"
    *May  7 17:42:40.043: ISAKMP:(2001):Node 518492717, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    *May  7 17:42:40.043: ISAKMP:(2001):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
    RTR-1811W#
    *May  7 17:43:30.043: ISAKMP:(2001):purging node 518492717
    RTR-1811W#
    
    *Mar  1 00:22:02.811: ISAKMP (0:0): received packet from 10.0.0.1 dport 500 sport 500 Global (N) NEW SA
    *Mar  1 00:22:02.811: ISAKMP: Created a peer struct for 10.0.0.1, peer port 500
    *Mar  1 00:22:02.811: ISAKMP: Locking peer struct 0x62CB5120, IKE refcount 1 for Responding to new initiation
    *Mar  1 00:22:02.815: ISAKMP: local port 500, remote port 500
    *Mar  1 00:22:02.815: ISAKMP: insert sa successfully sa = 62F61DC0
    *Mar  1 00:22:02.819: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Mar  1 00:22:02.819: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_R_MM1 
    
    *Mar  1 00:22:02.823: ISAKMP (0:1): processing SA payload. message ID = 0
    *Mar  1 00:22:02.823: ISAKMP (0:1): processing vendor id payload
    *Mar  1 00:22:02.823: ISAKMP (0:1): vendor ID seems Unity/DPD but major 69 mismatch
    *Mar  1 00:22:02.823: ISAKMP (0:1): processing vendor id payload
    *Mar  1 00:22:02.823: ISAKMP (0:1): vendor ID seems Unity/DPD but major 245 mismatch
    *Mar  1 00:22:02.823: ISAKMP (0:1): vendor ID is NAT-T v7
    *Mar  1 00:22:02.823: ISAKMP (0:1): processing vendor id payload
    *Mar  1 00:22:02.823: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
    *Mar  1 00:22:02.827: ISAKMP (0:1): vendor ID is NAT-T v3
    *Mar  1 00:22:02.827: ISAKMP (0:1): processing vendor id payload
    *Mar  1 00:22:02.827: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123 mismatch
    *Mar  1 00:22:02.827: ISAKMP (0:1): vendor ID is NAT-T v2
    *Mar  1 00:22:02.827: ISAKMP: Looking for a matching key for 10.0.0.1 in default : success
    *Mar  1 00:22:02.827: ISAKMP (0:1): found peer pre-shared key matching 10.0.0.1
    *Mar  1 00:22:02.827: ISAKMP (0:1) local preshared key found
    *Mar  1 00:22:02.827: ISAKMP : Scanning profiles for xauth ...
    *Mar  1 00:22:02.827: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
    *Mar  1 00:22:02.827: ISAKMP:      encryption 3DES-CBC
    *Mar  1 00:22:02.827: ISAKMP:      hash MD5
    *Mar  1 00:22:02.831: ISAKMP:      default group 2
    *Mar  1 00:22:02.831: ISAKMP:      auth pre-share
    *Mar  1 00:22:02.831: ISAKMP:      life type in seconds
    *Mar  1 00:22:02.831: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
    *Mar  1 00:22:02.831: ISAKMP (0:1): atts are acceptable. Next payload is 3
    *Mar  1 00:22:03.003: ISAKMP (0:1): processing vendor id payload
    *Mar  1 00:22:03.007: ISAKMP (0:1): vendor ID seems Unity/DPD but major 69 mismatch
    *Mar  1 00:22:03.007: ISAKMP (0:1): processing vendor id payload
    *Mar  1 00:22:03.007: ISAKMP (0:1): vendor ID seems Unity/DPD but major 245 mismatch
    *Mar  1 00:22:03.007: ISAKMP (0:1): vendor ID is NAT-T v7
    *Mar  1 00:22:03.007: ISAKMP (0:1): processing vendor id payload
    *Mar  1 00:22:03.007: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
    *Mar  1 00:22:03.007: ISAKMP (0:1): vendor ID is NAT-T v3
    *Mar  1 00:22:03.007: ISAKMP (0:1): processing vendor id payload
    *Mar  1 00:22:03.011: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123 mismatch
    *Mar  1 00:22:03.011: ISAKMP (0:1): vendor ID is NAT-T v2
    *Mar  1 00:22:03.011: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Mar  1 00:22:03.011: ISAKMP (0:1): Old State = IKE_R_MM1  New State = IKE_R_MM1 
    
    *Mar  1 00:22:03.015: ISAKMP (0:1): constructed NAT-T vendor-07 ID
    *Mar  1 00:22:03.015: ISAKMP (0:1): sending packet to 10.0.0.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
    *Mar  1 00:22:03.015: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Mar  1 00:22:03.015: ISAKMP (0:1): Old State = IKE_R_MM1  New State = IKE_R_MM2 
    
    *Mar  1 00:22:03.027: ISAKMP (0:1): received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_SA_SETUP
    *Mar  1 00:22:03.027: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Mar  1 00:22:03.031: ISAKMP (0:1): Old State = IKE_R_MM2  New State = IKE_R_MM3 
    
    *Mar  1 00:22:03.031: ISAKMP (0:1): processing KE payload. message ID = 0
    *Mar  1 00:22:03.247: ISAKMP (0:1): processing NONCE payload. message ID = 0
    *Mar  1 00:22:03.247: ISAKMP: Looking for a matching key for 10.0.0.1 in default : success
    *Mar  1 00:22:03.247: ISAKMP (0:1): found peer pre-shared key matching 10.0.0.1
    *Mar  1 00:22:03.251: ISAKMP (0:1): SKEYID state generated
    *Mar  1 00:22:03.251: ISAKMP (0:1): processing vendor id payload
    *Mar  1 00:22:03.251: ISAKMP (0:1): vendor ID is DPD
    *Mar  1 00:22:03.251: ISAKMP (0:1): processing vendor id payload
    *Mar  1 00:22:03.255: ISAKMP (0:1): speaking to another IOS box!
    *Mar  1 00:22:03.255: ISAKMP (0:1): processing vendor id payload
    *Mar  1 00:22:03.255: ISAKMP (0:1): vendor ID seems Unity/DPD but major 27 mismatch
    *Mar  1 00:22:03.255: ISAKMP (0:1): vendor ID is XAUTH
    *Mar  1 00:22:03.255: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Mar  1 00:22:03.255: ISAKMP (0:1): Old State = IKE_R_MM3  New State = IKE_R_MM3 
    
    *Mar  1 00:22:03.259: ISAKMP (0:1): sending packet to 10.0.0.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    *Mar  1 00:22:03.259: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Mar  1 00:22:03.259: ISAKMP (0:1): Old State = IKE_R_MM3  New State = IKE_R_MM4 
    
    *Mar  1 00:22:03.303: ISAKMP (0:1): received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
    *Mar  1 00:22:03.303: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Mar  1 00:22:03.303: ISAKMP (0:1): Old State = IKE_R_MM4  New State = IKE_R_MM5 
    
    *Mar  1 00:22:03.307: ISAKMP (0:1): processing ID payload. message ID = 0
    *Mar  1 00:22:03.307: ISAKMP (0:1): ID payload 
        next-payload : 8
        type         : 1 
        address      : 10.0.0.1 
        protocol     : 17 
        port         : 500 
        length       : 12
    *Mar  1 00:22:03.307: ISAKMP (0:1): peer matches *none* of the profiles
    *Mar  1 00:22:03.307: ISAKMP (0:1): processing HASH payload. message ID = 0
    *Mar  1 00:22:03.311: ISAKMP (0:1): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 62F61DC0
    *Mar  1 00:22:03.311: ISAKMP (0:1): SA authentication status: 
        authenticated
    *Mar  1 00:22:03.311: ISAKMP (0:1): Process initial contact,
    bring down existing phase 1 and 2 SA's with local 10.0.0.2 remote 10.0.0.1 remote port 500
    *Mar  1 00:22:03.311: ISAKMP (0:1): SA authentication status: 
        authenticated
    *Mar  1 00:22:03.311: ISAKMP (0:1): SA has been authenticated with 10.0.0.1
    *Mar  1 00:22:03.311: ISAKMP (0:1): peer matches *none* of the profiles
    *Mar  1 00:22:03.315: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Mar  1 00:22:03.315: ISAKMP (0:1): Old State = IKE_R_MM5  New State = IKE_R_MM5 
    
    *Mar  1 00:22:03.315: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    *Mar  1 00:22:03.315: ISAKMP (0:1): ID payload 
        next-payload : 8
        type         : 1 
        address      : 10.0.0.2 
        protocol     : 17 
        port         : 500 
        length       : 12
    *Mar  1 00:22:03.319: ISAKMP (1): Total payload length: 12
    *Mar  1 00:22:03.319: ISAKMP (0:1): sending packet to 10.0.0.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    *Mar  1 00:22:03.323: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Mar  1 00:22:03.323: ISAKMP (0:1): Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE 
    
    *Mar  1 00:22:03.327: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    *Mar  1 00:22:03.327: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 
    
    *Mar  1 00:22:03.331: ISAKMP (0:1): received packet from 10.0.0.1 dport 500 sport 500 Global (R) QM_IDLE      
    *Mar  1 00:22:03.335: ISAKMP: set new node 518492717 to QM_IDLE      
    *Mar  1 00:22:03.339: ISAKMP (0:1): processing HASH payload. message ID = 518492717
    *Mar  1 00:22:03.339: ISAKMP (0:1): processing SA payload. message ID = 518492717
    *Mar  1 00:22:03.339: ISAKMP (0:1): Checking IPSec proposal 1
    *Mar  1 00:22:03.339: ISAKMP: transform 1, ESP_3DES
    *Mar  1 00:22:03.339: ISAKMP:   attributes in transform:
    *Mar  1 00:22:03.339: ISAKMP:      encaps is 1 (Tunnel)
    *Mar  1 00:22:03.339: ISAKMP:      SA life type in seconds
    *Mar  1 00:22:03.339: ISAKMP:      SA life duration (basic) of 3600
    *Mar  1 00:22:03.339: ISAKMP:      SA life type in kilobytes
    *Mar  1 00:22:03.339: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
    *Mar  1 00:22:03.339: ISAKMP:      authenticator is HMAC-SHA
    *Mar  1 00:22:03.343: ISAKMP (0:1): atts are acceptable.
    *Mar  1 00:22:03.343: ISAKMP (0:1): processing NONCE payload. message ID = 518492717
    *Mar  1 00:22:03.343: ISAKMP (0:1): processing ID payload. message ID = 518492717
    *Mar  1 00:22:03.343: ISAKMP (0:1): processing ID payload. message ID = 518492717
    *Mar  1 00:22:03.347: ISAKMP (0:1): asking for 1 spis from ipsec
    *Mar  1 00:22:03.347: ISAKMP (0:1): Node 518492717, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    *Mar  1 00:22:03.347: ISAKMP (0:1): Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
    *Mar  1 00:22:03.359: ISAKMP: received ke message (2/1)
    *Mar  1 00:22:03.603: ISAKMP: Locking peer struct 0x62CB5120, IPSEC refcount 1 for for stuff_ke
    *Mar  1 00:22:03.603: ISAKMP (0:1): Creating IPSec SAs
    *Mar  1 00:22:03.603:         inbound SA from 10.0.0.1 to 10.0.0.2 (f/i)  0/ 0
            (proxy 172.16.0.0 to 192.168.50.0)
    *Mar  1 00:22:03.607:         has spi 0xB8E76FE7 and conn_id 2000 and flags 2
    *Mar  1 00:22:03.607:         lifetime of 3600 seconds
    *Mar  1 00:22:03.607:         lifetime of 4608000 kilobytes
    *Mar  1 00:22:03.607:         has client flags 0x0
    *Mar  1 00:22:03.607:         outbound SA from 10.0.0.2        to 10.0.0.1        (f/i)  0/ 0 (proxy 192.168.50.0    to 172.16.0.0     )
    *Mar  1 00:22:03.607:         has spi 1584355214 and conn_id 2001 and flags A
    *Mar  1 00:22:03.607:         lifetime of 3600 seconds
    *Mar  1 00:22:03.607:         lifetime of 4608000 kilobytes
    *Mar  1 00:22:03.607:         has client flags 0x0
    *Mar  1 00:22:03.611: ISAKMP (0:1): sending packet to 10.0.0.1 my_port 500 peer_port 500 (R) QM_IDLE      
    *Mar  1 00:22:03.611: ISAKMP (0:1): Node 518492717, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
    *Mar  1 00:22:03.611: ISAKMP (0:1): Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
    *Mar  1 00:22:03.623: ISAKMP (0:1): received packet from 10.0.0.1 dport 500 sport 500 Global (R) QM_IDLE      
    *Mar  1 00:22:03.623: ISAKMP (0:1): deleting node 518492717 error FALSE reason "quick mode done (await)"
    *Mar  1 00:22:03.627: ISAKMP (0:1): Node 518492717, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    *Mar  1 00:22:03.627: ISAKMP (0:1): Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
    RTR-3620#
    *Mar  1 00:22:53.627: ISAKMP (0:1): purging node 518492717
    
  • notgoing2failnotgoing2fail Member Posts: 1,138
    And here are my configs....

    sh run
    Building configuration...
    
    Current configuration : 3748 bytes
    !
    version 15.1
    
    !
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname RTR-1811W
    !
    boot-start-marker
    boot-end-marker
    !
    no logging buffered
    enable secret 5 $1$JHH1$ExhFhZxJuOrLXRClMJkUn1
    !
    aaa new-model
    !
    !
    !
    !
    !
    !
    !
    aaa session-id common
    !
    !
    !
    dot11 syslog
    ip source-route
    !
    !
    !
    !
    ip cef
    no ip domain lookup
    ip domain name brandontek.com
    login on-failure log
    login on-success log
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    !
    username brandon privilege 15 password 0 cisco
    !
    crypto key pubkey-chain rsa
     named-key realm-cisco.pub signature
      key-string
       30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101 
       00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16 
       17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128 
       B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E 
       5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35 
       FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85 
       50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36 
       006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE 
       2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3 
       F3020301 0001
      quit
    !
    !
    crypto ikev2 diagnose error 50
    !
    !
    ip ssh version 2
    ! 
    !
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp policy 2
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key cisco address 10.0.0.2
    !
    !
    crypto ipsec transform-set BRANDON esp-des esp-md5-hmac 
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp 
     description Tunnel to10.0.0.2
     set peer 10.0.0.2
     set transform-set ESP-3DES-SHA 
     match address 100
    !
    !
    !
    !
    !
    interface Dot11Radio0
     no ip address
     shutdown
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role root
    !
    interface Dot11Radio1
     no ip address
     shutdown
     speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
     station-role root
    !
    interface FastEthernet0
     ip address 10.0.0.1 255.255.255.0
     duplex auto
     speed auto
     crypto map SDM_CMAP_1
    !
    interface FastEthernet1
     ip address 172.16.0.1 255.255.0.0
     duplex auto
     speed auto
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    !
    interface FastEthernet5
    !
    interface FastEthernet6
    !
    interface FastEthernet7
    !
    interface FastEthernet8
    !
    interface FastEthernet9
    !
    interface Vlan1
     no ip address
    !
    interface Async1
     no ip address
     encapsulation slip
    !
    router rip
     version 2
     network 192.168.50.0
    !
    ip forward-protocol nd
    ip http server
    ip http authentication local
    no ip http secure-server
    !
    !
    ip route 192.168.50.0 255.255.255.0 10.0.0.2
    !
    logging 150.113.156.5
    access-list 100 remark SDM_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.50.0 0.0.0.255
    access-list 101 remark SDM_ACL Category=16
    access-list 101 permit ip 172.16.0.0 0.0.255.255 192.168.50.0 0.0.0.255
    !
    !
    !
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
    line 1
     modem InOut
     stopbits 1
     speed 115200
     flowcontrol hardware
    line aux 0
    line vty 0 4
     exec-timeout 0 0
     privilege level 15
     password cisco
     monitor
     transport input telnet
    !
    end
    
    RTR-1811W#
    
    sh run
    Building configuration...
    
    Current configuration : 1547 bytes
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname RTR-3620
    !
    boot-start-marker
    boot-end-marker
    !
    enable password cisco
    !
    no aaa new-model
    ip subnet-zero
    !
    !
    ip cef
    !
    ip audit po max-events 100
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    ! 
    !
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key cisco address 10.0.0.1 255.255.255.0
    !
    crypto ipsec security-association lifetime seconds 86400
    !
    crypto ipsec transform-set BRANDON esp-des esp-md5-hmac 
    crypto ipsec transform-set BRANDON2 esp-3des esp-sha-hmac 
    !
    crypto map S2S 1 ipsec-isakmp 
     set peer 10.0.0.1
     set transform-set BRANDON 
     set pfs group2
     match address 101
    !
    crypto map S2S-2 2 ipsec-isakmp 
     set peer 10.0.0.1
     set transform-set BRANDON2 
     match address 101
    !
    !
    !
    !
    interface Ethernet0/0
     ip address 10.0.0.2 255.255.255.0
     half-duplex
     crypto map S2S-2
    !
    interface Ethernet0/1
     ip address 192.168.50.1 255.255.255.0
     full-duplex
    !
    interface Serial1/0
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/1
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/2
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/3
     no ip address
     shutdown
     serial restart-delay 0
    !
    no ip http server
    no ip http secure-server
    ip classless
    ip route 172.16.0.0 255.255.0.0 10.0.0.1
    !
    !
    access-list 101 permit ip 192.168.50.0 0.0.0.255 172.16.0.0 0.0.255.255
    !
    !
    !
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     password cisco
     login
    !
    !
    end
    
    RTR-3620# 
    
  • peanutnogginpeanutnoggin Member Posts: 1,096 ■■■□□□□□□□
    The tunnel looks as if it forms properly. The transform sets match... both IKE phase 1 & 2 are showing complete. Do you have any additional ACLs on your routers besides the one identifying your VPN traffic?
    We cannot have a superior democracy with an inferior education system!

    -Mayor Cory Booker
  • notgoing2failnotgoing2fail Member Posts: 1,138
    The tunnel looks as if it forms properly. The transform sets match... both IKE phase 1 & 2 are showing complete. Do you have any additional ACLs on your routers besides the one identifying your VPN traffic?


    Nope, no other ACLs, no other networks...not even any routing protocols....just a static route on each router telling it how to direct traffic.

    The SDM created its own ACL called 101 I believe. But it's identical to 100 which is the one I created...it's using its own 101 (ACL) and when I do a ping and then show access-list, I can see the hit count incrementing..

    Again, ping wise and everything else, it's a 100% complete established VPN.

    The dumb SDM won't show that the tunnel is up though. And testing the tunnel from SDM says there's a problem pinging...I can't stand SDM...

    What the heck is its problem? It was bad enough I had to find a laptop with WindowsXP and mix and match the perfect java and firefox to get it to work...

    Now that it's working, it provides wrong VPN status...
  • StoticStotic Member Posts: 248
    Can you ping from host A to host B? After doing so check to see if the packets are being encrypted by doing show crypto ipsec sa
  • peanutnogginpeanutnoggin Member Posts: 1,096 ■■■□□□□□□□
    You won't get any disagreement from me on the SDM!!! Are you having any additional SDM problems? What about your java? Have you had a java update or something like that? Config wise on your routers... you appear to be fine!!! Do you have another PC that has XP on it? Also, have you tried to launch SDM with IE instead of FF?
    We cannot have a superior democracy with an inferior education system!

    -Mayor Cory Booker
  • notgoing2failnotgoing2fail Member Posts: 1,138
    Stotic wrote: »
    Can you ping from host A to host B? After doing so check to see if the packets are being encrypted by doing show crypto ipsec sa


    Oh absolutely. Did you look at my original post? I included screenshots of all the pings working. I know the quality didn't come out too well..

    I can provide ipsec sa data later today but I think most will agree the data from it will look fine....
  • notgoing2failnotgoing2fail Member Posts: 1,138
    You won't get any disagreement from me on the SDM!!! Are you having any additional SDM problems? What about your java? Have you had a java update or something like that? Config wise on your routers... you appear to be fine!!! Do you have another PC that has XP on it? Also, have you tried to launch SDM with IE instead of FF?

    IE and FF both work. I've tried with Windows 7, definitely a no no.

    I don't have any other XPs to test it out on. I tried a virtual XP on VMware and I got some kind of strange error installing java...

    Other than this current issue, I do have one other issue which is not being able to configure my wireless radio. When I try to configure it, SDM will launch a separate browser and it will be blank...

    Honestly, I've wasted so much time on using SDM, the only reason why I'm playing with it is for my CCNA security exam. Unless I run into a client who demands I use SDM, I don't ever want to look at SDM again...

    It is utterly frustrating. It feels like the entire application is an afterthought from Cisco and that they only slapped something together because other vendors had a GUI interface....
  • peanutnogginpeanutnoggin Member Posts: 1,096 ■■■□□□□□□□
    IE and FF both work. I've tried with Windows 7, definitely a no no.

    I don't have any other XPs to test it out on. I tried a virtual XP on VMware and I got some kind of strange error installing java...

    Other than this current issue, I do have one other issue which is not being able to configure my wireless radio. When I try to configure it, SDM will launch a separate browser and it will be blank...

    Honestly, I've wasted so much time on using SDM, the only reason why I'm playing with it is for my CCNA security exam. Unless I run into a client who demands I use SDM, I don't ever want to look at SDM again...

    It is utterly frustrating. It feels like the entire application is an afterthought from Cisco and that they only slapped something together because other vendors had a GUI interface....

    I think for the wireless... you have to have a different file installed on your PC. I'll try to dig it up... when I first got my 877w I had to learn this the hard way. The wireless configuration is actually done through a separate java based web gui...
    We cannot have a superior democracy with an inferior education system!

    -Mayor Cory Booker
  • notgoing2failnotgoing2fail Member Posts: 1,138
    I think for the wireless... you have to have a different file installed on your PC. I'll try to dig it up... when I first got my 877w I had to learn this the hard way. The wireless configuration is actually done through a separate java based web gui...


    More reason why SDM is a clunker. I extracted some tar files that I thought might help for the wireless because it created more directories in flash that seem web related, that didn't work.

    Also, as soon as I enabled IPS, when I log into SDM, it asks me 3 times for my account! I mean, whoever designed SDM isn't intelligent enough to carry over my account info in via session? I have to log in THREE times?

    Sorry for ragging on SDM...
  • notgoing2failnotgoing2fail Member Posts: 1,138
    Here's the debug for IPsec...if you do see any errors, it took two pings to get the tunnel up....so that could be what you're seeing...
    RTR-1811W#
    *May  7 20:08:06.035: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 10.0.0.1:500, remote= 10.0.0.2:500, 
        local_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4), 
        remote_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel), 
        lifedur= 3600s and 4608000kb, 
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    *May  7 20:08:06.791: IPSEC(validate_proposal_request): proposal part #1
    *May  7 20:08:06.791: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 10.0.0.1:0, remote= 10.0.0.2:0, 
        local_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4), 
        remote_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= NONE  (Tunnel), 
        lifedur= 0s and 0kb, 
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    *May  7 20:08:06.791: Crypto mapdb : proxy_match
        src addr     : 172.16.0.0
        dst addr     : 192.168.50.0
        protocol     : 0
        src port     : 0
        dst 
    RTR-1811W#port     : 0
    *May  7 20:08:06.795: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    *May  7 20:08:06.795: Crypto mapdb : proxy_match
        src addr     : 172.16.0.0
        dst addr     : 192.168.50.0
        protocol     : 0
        src port     : 0
        dst port     : 0
    *May  7 20:08:06.795: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.0.0.2
    *May  7 20:08:06.795: *** Sibling: round = 7 inner_to_outer = 49 outer_to_inner = 56 encrypted_overhead = 1 
    *May  7 20:08:06.795: IPSEC(policy_db_add_ident): src 172.16.0.0, dest 192.168.50.0, dest_port 0
    
    *May  7 20:08:06.795: IPSEC(create_sa): sa created,
      (sa) sa_dest= 10.0.0.1, sa_proto= 50, 
        sa_spi= 0xDD4CFA81(3712809601), 
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 1
        sa_lifetime(k/sec)= (4451034/3600)
    *May  7 20:08:06.795: IPSEC(create_sa): sa created,
      (sa) sa_dest= 10.0.0.2, sa_proto= 50, 
        sa_spi= 0x91347BD5(2436135893), 
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2
        sa_lifetime(k/sec)= (4451034/3600)
    *May  7 20:08:06.795: *** crypto_ipsec_create_transform_sas: phyiscal MTU = 1500 setting MTU to 1446 
    *May  7 20:08:06.795: IPSEC(update_current_outbound_sa): get enable SA peer 10.0.0.2 current outbound sa to SPI 91347BD5
    *May  7 20:08:06.795: IPSEC(update_current_outbound_sa): updated peer 10.0.0.2 current outbound sa to SPI 91347BD5
    RTR-1811W#
    RTR-1811W#
    

    RTR-3620#
    *Mar  1 00:08:20.803: IPSEC(key_engine): got a queue event...
    *Mar  1 00:08:20.823: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 10.0.0.2, remote= 10.0.0.1, 
        local_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4), 
        remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
        protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel), 
        lifedur= 0s and 0kb, 
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
    *Mar  1 00:08:20.823: IPSEC(kei_proxy): head = S2S-2, map->ivrf = , kei->ivrf = 
    *Mar  1 00:08:20.827: IPSEC(key_engine): got a queue event...
    *Mar  1 00:08:20.835: IPSEC(spi_response): getting spi 2436135893 for SA 
        from 10.0.0.2        to 10.0.0.1        for prot 3
    *Mar  1 00:08:21.087: IPSEC(key_engine): got a queue event...
    *Mar  1 00:08:21.087: IPSEC(initialize_sas): ,
      (key eng. msg.) INBOUND local= 10.0.0.2, remote= 10.0.0.1, 
        local_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4), 
        remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
        protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel), 
        lifedur= 3600s and 4608000kb, 
        spi= 0x91347BD5(2436135893), conn_id= 2000, keysize= 0, flags= 0x2
    *Mar  1 00:08:21.091: IPSEC(initialize_sas): ,
      (key eng. msg.) OUTBOUND local= 10.0.0.2, remote= 10.0.0.1, 
        local_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4), 
        remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
        protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel), 
        lifedur= 3600s and 4608000kb, 
        spi= 0xDD4CFA81(3712809601), conn_id= 2001, keysize= 0, flags= 0xA
    *Mar  1 00:08:21.091: IPSEC(kei_proxy): head = S2S-2, map->ivrf = , kei->ivrf = 
    *Mar  1 00:08:21.095: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 10.0.0.1
    *Mar  1 00:08:21.095: IPSEC(add mtree): src 192.168.50.0, dest 172.16.0.0, dest_port 0
    
    *Mar  1 00:08:21.095: IPSEC(create_sa): sa created,
      (sa) sa_dest= 10.0.0.2, sa_prot= 50, 
        sa_spi= 0x91347BD5(2436135893), 
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2000
    *Mar  1 00:08:21.095: IPSEC(create_sa): sa created,
      (sa) sa_dest= 10.0.0.1, sa_prot= 50, 
        sa_spi= 0xDD4CFA81(3712809601), 
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001
    *Mar  1 00:08:21.103: IPSEC(key_engine): got a queue event...
    *Mar  1 00:08:21.103: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
    *Mar  1 00:08:21.107: IPSEC(key_engine_enable_outbound): enable SA with spi 3712809601/50 for 10.0.0.1
    
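    An added check, not from this thread or from Cisco, that confirms by parsing what peanutnoggin read off by eye from the ISAKMP debug and the two IPsec debugs above: phase 1 and phase 2 reached their terminal states, the proposal was accepted, and the SPIs installed on RTR-1811W and RTR-3620 agree in both directions. The sample lines are constructed from the posted output, and the function names are my own.

```python
"""Check Cisco IOS 'debug crypto isakmp' / 'debug crypto ipsec' output for
a site-to-site IPsec tunnel: did IKE phase 1 and phase 2 complete, and do
the IPsec SA SPIs installed on the two routers agree?"""
import re

# Constructed samples, trimmed from the debugs posted in this thread
# (state transitions and SPIs are the ones seen on RTR-3620 / RTR-1811W).
ISAKMP_3620 = """\
*Mar  1 00:22:03.031: ISAKMP (0:1): Old State = IKE_R_MM2  New State = IKE_R_MM3
*Mar  1 00:22:03.323: ISAKMP (0:1): Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Mar  1 00:22:03.339: ISAKMP (0:1): Checking IPSec proposal 1
*Mar  1 00:22:03.343: ISAKMP (0:1): atts are acceptable.
*Mar  1 00:22:03.627: ISAKMP (0:1): Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
"""

IPSEC_1811 = """\
*May  7 20:08:06.795: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.0.0.1, sa_proto= 50,
    sa_spi= 0xDD4CFA81(3712809601),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 1
*May  7 20:08:06.795: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.0.0.2, sa_proto= 50,
    sa_spi= 0x91347BD5(2436135893),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2
"""

# The older 12.3 image prints 'sa_prot=' where 15.1 prints 'sa_proto='.
IPSEC_3620 = """\
*Mar  1 00:08:21.095: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.0.0.2, sa_prot= 50,
    sa_spi= 0x91347BD5(2436135893),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2000
*Mar  1 00:08:21.095: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.0.0.1, sa_prot= 50,
    sa_spi= 0xDD4CFA81(3712809601),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
SA_DEST_RE = re.compile(r"sa_dest= (\d+\.\d+\.\d+\.\d+), sa_proto?= (\d+)")
SA_SPI_RE = re.compile(r"sa_spi= 0x([0-9A-Fa-f]+)")
SA_TRANS_RE = re.compile(r"sa_trans= (.+?) ,")


def ike_phases(isakmp_debug):
    """Report whether IKE phase 1 and phase 2 reached their terminal states.
    Only the 'New State' side of each transition matters for the verdict."""
    new_states = [m.group(2) for m in STATE_RE.finditer(isakmp_debug)]
    return {
        "phase1_complete": "IKE_P1_COMPLETE" in new_states,
        "phase2_complete": "IKE_QM_PHASE2_COMPLETE" in new_states,
        "proposal_accepted": "atts are acceptable" in isakmp_debug,
    }


def ipsec_sas(ipsec_debug):
    """Parse each 'sa created' block into sa_dest -> {spi, transform}.
    sa_dest is the address ESP packets carrying that SPI are sent to."""
    sas, dest = {}, None
    for line in ipsec_debug.splitlines():
        m = SA_DEST_RE.search(line)
        if m:
            dest = m.group(1) if m.group(2) == "50" else None  # ESP only
            continue
        m = SA_SPI_RE.search(line)
        if m and dest:
            sas[dest] = {"spi": int(m.group(1), 16)}
            continue
        m = SA_TRANS_RE.search(line)
        if m and dest in sas and "transform" not in sas[dest]:
            sas[dest]["transform"] = m.group(1).strip()
            dest = None
    return sas


def sa_agreement(side_a, side_b):
    """Both routers must have installed the same SPI and transform for each
    direction; one SA per direction is expected for a single tunnel."""
    if len(side_a) != 2 or set(side_a) != set(side_b):
        return False
    return all(side_a[d] == side_b[d] for d in side_a)


def tunnel_verdict(isakmp_debug, ipsec_a, ipsec_b):
    """Combine the phase check with the cross-router SA comparison."""
    verdict = ike_phases(isakmp_debug)
    verdict["spis_agree"] = sa_agreement(ipsec_sas(ipsec_a), ipsec_sas(ipsec_b))
    verdict["tunnel_up"] = all(verdict.values())
    return verdict


if __name__ == "__main__":
    print(tunnel_verdict(ISAKMP_3620, IPSEC_1811, IPSEC_3620))
```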
  • notgoing2failnotgoing2fail Member Posts: 1,138
    Ok, I have proof SDM sucks....I'm about to post some screenshots.

    I was able to get SDM to work with my old 3620. It doesn't show up as a supported router when I looked it up last week but it seems to work.

    When using SDM on the 3620, it shows that the tunnel is indeed UP!!

    I will post pictures to compare... you will all soon join me in the army of anti-SDM!!!
  • k2737k2737 Member Posts: 10 ■□□□□□□□□□
    I don't think it will make any difference but you may want to set duplex and speed settings on both interfaces instead of having duplex set to half on one and auto for the rest of the settings.
  • notgoing2failnotgoing2fail Member Posts: 1,138
    k2737 wrote: »
    I don't think it will make any difference but you may want to set duplex and speed settings on both interfaces instead of having duplex set to half on one and auto for the rest of the settings.

    Yeah I noticed that too, it's worth a try though....I'll give it a shot...
  • notgoing2failnotgoing2fail Member Posts: 1,138
    Ladies and gentlemen, below, I show you why SDM is unworthy!!!



    sdm-3620.png

    sdm-1811.png
  • StoticStotic Member Posts: 248
    I wouldn't put too much weight into this. As long as you're aware of how to configure it on the router via CLI and SDM you should be good for the exam. I know it's frustrating, but just accept it as a bug and move on (and hopefully never use SDM again).
  • k2737k2737 Member Posts: 10 ■□□□□□□□□□
    Are you always initiating traffic from the same side? I have had VPNs that would only come up when traffic was initiated from one side, and it wasn't a routing issue.
  • notgoing2failnotgoing2fail Member Posts: 1,138
    Stotic wrote: »
    I wouldn't put too much weight into this. As long as you're aware of how to configure it on the router via CLI and SDM you should be good for the exam. I know it's frustrating, but just accept it as a bug and move on (and hopefully never use SDM again).



    Yeah I'm putting it down as a bug. But as you can see, I had to jump hoops to come to this conclusion and ask for help from guys on this forum. All this is wasted time on a POS application (SDM that is...)

    It's just utterly annoying, my blood pressure rises when I think about SDM...
  • notgoing2failnotgoing2fail Member Posts: 1,138
    k2737 wrote: »
    I don't think it will make any difference but you may want to set duplex and speed settings on both interfaces instead of having duplex set to half on one and auto for the rest of the settings.



    Changed the settings with no difference. I'm not going to waste any more of you guys' time on this, but thanks for tuning in.

    You can see from the attached pics that it must be a bug....