IP SEC DEBUG? Any Ideas?
DANMOH009
Member Posts: 241
in CCNA & CCENT
I'm not sure this is really CCNA related; it's more security related. Can anyone point me to the right place to look?
I am creating an IPsec tunnel between 2 sites (for CCNA-S practice) and can't seem to get the IPsec tunnel up. IPsec is a completely new topic for me.
I have the following debug. The IPs are not live, so don't worry about them.
000136: May 22 12:56:26.878 UTC: ISAKMP (2001): received packet from 50.50.50.14 dport 500 sport 500 Global (R) QM_IDLE
000137: May 22 12:56:26.878 UTC: ISAKMP: set new node 1319459469 to QM_IDLE
000138: May 22 12:56:26.878 UTC: ISAKMP:(2001): processing HASH payload. message ID = 1319459469
000139: May 22 12:56:26.878 UTC: ISAKMP:(2001): processing SA payload. message ID = 1319459469
000140: May 22 12:56:26.878 UTC: ISAKMP:(2001):Checking IPSec proposal 1
000141: May 22 12:56:26.878 UTC: ISAKMP: transform 1, ESP_3DES
000142: May 22 12:56:26.878 UTC: ISAKMP: attributes in transform:
000143: May 22 12:56:26.878 UTC: ISAKMP: SA life type in seconds
000144: May 22 12:56:26.878 UTC: ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80
000145: May 22 12:56:26.882 UTC: ISAKMP: encaps is 1 (Tunnel)
000146: May 22 12:56:26.882 UTC: ISAKMP: authenticator is HMAC-MD5
000147: May 22 12:56:26.882 UTC: ISAKMP:(2001):atts are acceptable.
000148: May 22 12:56:26.882 UTC: ISAKMP:(2001): IPSec policy invalidated proposal with error 1024
000149: May 22 12:56:26.882 UTC: ISAKMP:(2001): phase 2 SA policy not acceptable! (local 60.60.60.198 remote 50.50.50.14)
000150: May 22 12:56:26.882 UTC: ISAKMP: set new node 395288763 to QM_IDLE
000151: May 22 12:56:26.882 UTC: ISAKMP:(2001):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 2264223528, message ID = 395288763
000152: May 22 12:56:26.882 UTC: ISAKMP:(2001): sending packet to 50.50.50.14 my_port 500 peer_port 500 (R) QM_IDLE
000153: May 22 12:56:26.882 UTC: ISAKMP:(2001):Sending an IKE IPv4 Packet.
000154: May 22 12:56:26.882 UTC: ISAKMP:(2001):purging node 395288763
000155: May 22 12:56:26.882 UTC: ISAKMP:(2001):deleting node 1319459469 error TRUE reason "QM rejected"
000156: May 22 12:56:26.882 UTC: ISAKMP:(2001):Node 1319459469, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
000157: May 22 12:56:26.882 UTC: ISAKMP:(2001):Old State = IKE_QM_READY New State = IKE_QM_READY
000158: May 22 12:56:30.902 UTC: ISAKMP (2001): received packet from 50.50.50.14 dport 500 sport 500 Global (R) QM_IDLE
000159: May 22 12:56:30.902 UTC: ISAKMP:(2001): phase 2 packet is a duplicate of a previous packet.
000160: May 22 12:56:30.902 UTC: ISAKMP:(2001): retransmitting due to retransmit phase 2
000161: May 22 12:56:30.902 UTC: ISAKMP:(2001): ignoring retransmission,because phase2 node marked dead 1319459469
000162: May 22 12:56:36.918 UTC: ISAKMP (2001): received packet from 50.50.50.14 dport 500 sport 500 Global (R) QM_IDLE
000163: May 22 12:56:36.918 UTC: ISAKMP:(2001): phase 2 packet is a duplicate of a previous packet.
000164: May 22 12:56:36.918 UTC: ISAKMP:(2001): retransmitting due to retransmit phase 2
000165: May 22 12:56:36.918 UTC: ISAKMP:(2001): ignoring retransmission,because phase2 node marked dead 1319459469
000166: May 22 12:56:44.939 UTC: ISAKMP (2001): received packet from 50.50.50.14 dport 500 sport 500 Global (R) QM_IDLE
000167: May 22 12:56:44.939 UTC: ISAKMP:(2001): phase 2 packet is a duplicate of a previous packet.
000168: May 22 12:56:44.939 UTC: ISAKMP:(2001): retransmitting due to retransmit phase 2
000169: May 22 12:56:44.939 UTC: ISAKMP:(2001): ignoring retransmission,because phase2 node marked dead 1319459469
u all
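The debug above can be read off mechanically, and it is worth knowing how. `(R) QM_IDLE` means this Cisco is the responder and phase 1 (ISAKMP) is already established, because quick mode only starts once the ISAKMP SA exists. `atts are acceptable` means the peer's ESP transform (ESP_3DES, HMAC-MD5, tunnel mode) matched a configured transform set. The next lines, `IPSec policy invalidated proposal`, `phase 2 SA policy not acceptable!` and `Sending NOTIFY PROPOSAL_NOT_CHOSEN`, mean the local crypto-map policy check rejected the peer's quick-mode proposal; on IOS that is most often the peer's proxy IDs (its traffic selectors) not mirroring the local crypto ACL, or a PFS mismatch. The classifier below is an added editor example, not code from the thread or from Cisco; it runs over a constructed, condensed copy of the thread's own debug lines (with the forum's smiley-mangled `(` restored) and over a second constructed excerpt of a phase 1 that never completes, so it also covers the "is it failing on stage 1?" question asked later in the thread.

```python
import re
from typing import Any, Dict

# Constructed sample: condensed from the "debug crypto isakmp" output quoted in
# this thread, with "(" restored where the forum replaced it by a smiley image.
SAMPLE_DEBUG = """\
000136: May 22 12:56:26.878 UTC: ISAKMP (2001): received packet from 50.50.50.14 dport 500 sport 500 Global (R) QM_IDLE
000140: May 22 12:56:26.878 UTC: ISAKMP:(2001):Checking IPSec proposal 1
000141: May 22 12:56:26.878 UTC: ISAKMP: transform 1, ESP_3DES
000145: May 22 12:56:26.882 UTC: ISAKMP: encaps is 1 (Tunnel)
000146: May 22 12:56:26.882 UTC: ISAKMP: authenticator is HMAC-MD5
000147: May 22 12:56:26.882 UTC: ISAKMP:(2001):atts are acceptable.
000148: May 22 12:56:26.882 UTC: ISAKMP:(2001): IPSec policy invalidated proposal with error 1024
000149: May 22 12:56:26.882 UTC: ISAKMP:(2001): phase 2 SA policy not acceptable! (local 60.60.60.198 remote 50.50.50.14)
000151: May 22 12:56:26.882 UTC: ISAKMP:(2001):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 2264223528, message ID = 395288763
000155: May 22 12:56:26.882 UTC: ISAKMP:(2001):deleting node 1319459469 error TRUE reason "QM rejected"
"""

# Constructed sample of the other common failure: main mode never completes
# (initiator keeps retransmitting in MM_NO_STATE). Not from the thread.
PHASE1_STUCK = """\
000201: May 22 13:01:02.100 UTC: ISAKMP:(0): sending packet to 50.50.50.14 my_port 500 peer_port 500 (I) MM_NO_STATE
000202: May 22 13:01:12.100 UTC: ISAKMP (0): retransmitting phase 1 MM_NO_STATE...
000203: May 22 13:01:12.100 UTC: ISAKMP:(0): sending packet to 50.50.50.14 my_port 500 peer_port 500 (I) MM_NO_STATE
"""

STATE_RE = re.compile(r"\((?P<role>[IR])\)\s+(?P<state>(?:MM|AG|QM)_[A-Z0-9_]+)")
PEER_RE = re.compile(r"received packet from (?P<peer>\d+(?:\.\d+){3})")
IDS_RE = re.compile(r"\(local (?P<local>\d+(?:\.\d+){3}) remote (?P<remote>\d+(?:\.\d+){3})\)")
ENC_RE = re.compile(r"transform \d+, (?P<enc>ESP_[A-Z0-9_]+)")
AUTH_RE = re.compile(r"authenticator is (?P<auth>[A-Z0-9-]+)")
MODE_RE = re.compile(r"encaps is \d+ \((?P<mode>\w+)\)")
ERR_RE = re.compile(r"invalidated proposal with error (?P<code>\d+)")

HINTS = {
    "phase1": "ISAKMP never reached quick mode: compare the ISAKMP policies "
              "(encryption, hash, DH group, authentication, lifetime) and the "
              "pre-shared key / peer address on both ends.",
    "phase2-transform": "Phase 1 is up but the peer's ESP transform was not "
                        "accepted: compare transform sets (cipher, integrity, "
                        "tunnel/transport mode).",
    "phase2-policy": "Phase 1 is up and the ESP transform was accepted, so the "
                     "rejection came from the crypto-map policy check: compare "
                     "the crypto ACL (proxy IDs) and the PFS setting with what "
                     "the peer proposes.",
    "none-observed": "No rejection in this excerpt; check 'show crypto ipsec sa' "
                     "for SAs and encaps/decaps counters.",
    "inconclusive": "No ISAKMP state lines found; capture a full attempt with "
                    "'debug crypto isakmp' and 'debug crypto ipsec'.",
}


def triage(debug_text: str) -> Dict[str, Any]:
    """Classify an IKEv1 'debug crypto isakmp' excerpt by the stage at which it failed."""
    r: Dict[str, Any] = {
        "role": None, "states": [], "peer": None, "local": None, "remote": None,
        "enc": None, "auth": None, "mode": None,
        "transform_accepted": False, "policy_error": None,
        "phase2_rejected": False, "phase1_complete": False,
        "failure_stage": "inconclusive", "hint": "",
    }
    for line in debug_text.splitlines():
        if m := STATE_RE.search(line):            # "(R) QM_IDLE", "(I) MM_NO_STATE"
            r["role"] = "initiator" if m["role"] == "I" else "responder"
            if m["state"] not in r["states"]:
                r["states"].append(m["state"])
        if m := PEER_RE.search(line):
            r["peer"] = m["peer"]
        if m := IDS_RE.search(line):              # local/remote from the rejection line
            r["local"], r["remote"] = m["local"], m["remote"]
        if m := ENC_RE.search(line):
            r["enc"] = m["enc"]
        if m := AUTH_RE.search(line):
            r["auth"] = m["auth"]
        if m := MODE_RE.search(line):
            r["mode"] = m["mode"]
        if m := ERR_RE.search(line):
            r["policy_error"] = int(m["code"])
        if "atts are acceptable" in line:         # transform set matched
            r["transform_accepted"] = True
        if ("phase 2 SA policy not acceptable" in line
                or "PROPOSAL_NOT_CHOSEN" in line or "QM rejected" in line):
            r["phase2_rejected"] = True

    # Any QM_* state implies the phase 1 SA exists.
    r["phase1_complete"] = any(s.startswith("QM_") for s in r["states"])
    if r["phase2_rejected"]:
        r["failure_stage"] = "phase2-policy" if r["transform_accepted"] else "phase2-transform"
    elif r["phase1_complete"]:
        r["failure_stage"] = "none-observed"
    elif r["states"]:
        r["failure_stage"] = "phase1"
    r["hint"] = HINTS[r["failure_stage"]]
    return r


if __name__ == "__main__":
    for name, text in (("thread debug", SAMPLE_DEBUG), ("phase1 stuck", PHASE1_STUCK)):
        res = triage(text)
        print(f"{name}: role={res['role']} states={res['states']} stage={res['failure_stage']}")
        print("  " + res["hint"])
```

Paste a full `debug crypto isakmp` capture into `triage()`; the useful fields are `failure_stage` and, for the phase 2 case, `local`/`remote` and the accepted transform, which tell you exactly which side's crypto ACL and PFS setting to compare next.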
Comments
-
networker050184 Mod Posts: 11,962
What do the configs look like? It seems you have something mismatched.
An expert is a man who has made all the mistakes which can be made.
-
DANMOH009 Member Posts: 241
The IPsec peer I'm connecting to is a SpeedTouch, so I can't just copy the commands onto both devices; the SpeedTouch has a GUI.
Is it failing on stage 1?
Should I be able to ping the remote end of the tunnel?
-
boredgamelad Member Posts: 365
Post the config from the Cisco device at least, it will probably help.
-
DANMOH009 Member Posts: 241
Well, the weird thing is it's now showing as up and running, but because I'm connecting it to a SpeedTouch, the SpeedTouch won't allow ping across it.
Anyway, here's the config:
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
Corporation
!
boot-start-marker
warm-reboot
boot-end-marker
!
!
logging buffered 131072
logging console critical
enable secret 4 *******************
!
aaa new-model
!
!
aaa group server radius centralauth
aaa authentication login centralauth group centralauth local
aaa authorization console
!
!
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
ip dhcp excluded-address 192.168.4.100 192.168.4.150
!
ip dhcp pool 192.168.4.0
network 192.168.4.0 255.255.255.0
default-router 192.168.4.254
dns-server 8.8.8.8 8.8.4.4
!
!
ip cef
ip domain name test.net.uk
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect WAAS flush-timeout 10
no ipv6 cef
!
!
license udi pid CISCO887VA-K9
!
!
archive
log config
logging enable
logging size 200
notify syslog contenttype plaintext
path flash:cfg-archive
write-memory
username admin privilege 6 password 7
!
!
!
!
controller VDSL 0
firmware filename
modem UKfeature
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key cisco1 address 50.50.50.14
!
!
crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 50.50.50.14
set transform-set TRANSFORM
set pfs group2
match address 115
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
no fair-queue
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
description local network
ip address 192.168.4.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp authentication chap callin
ppp chap hostname test@123
ppp chap password 7 03898985SCD56E60
no cdp enable
crypto map VPN
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
ip nat pool CUST-NATPOOL 60.60.60.198 60.60.60.198 netmask 255.255.255.248
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map NONAT pool CUST-NATPOOL overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip radius source-interface Dialer0
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 9 remark permit NTP Server
access-list 9 permit 8.10.8.10
access-list 10 permit 212.0.9.0 0.0.0.255
access-list 10 permit 212.0.8.1 0.0.0.15
access-list 10 permit 192.168.4.0 0.0.0.255
access-list 110 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 any
access-list 115 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
route-map NONAT permit 10
match ip address 110
!
snmp-server community iternal RO 10
snmp-server enable traps tty
!
!
privilege exec level 6 show running-config
privilege exec level 6 show configuration
privilege exec level 6 show logging
privilege exec level 6 show
privilege exec level 6 clear counters
privilege exec level 6 clear
banner exec ^CC
banner
banner login ^C
test2 banner
^C
!
line con 0
authorization exec centralauth
login authentication centralauth
stopbits 1
line aux 0
authorization exec centralauth
login authentication centralauth
line vty 0 4
access-class 10 in
exec-timeout 15 0
authorization exec centralauth
login authentication centralauth
transport preferred none
transport input ssh
!
ntp access-group peer 9
ntp update-calendar
ntp server 8.10.8.10
end
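Two things in the posted config are worth checking against the debug, and the skeleton below shows the shape a practitioner would compare it to. First, the debug shows the Cisco as responder rejecting the SpeedTouch's quick-mode proposal after the 3DES/MD5 transform was accepted, so the first comparison is the SpeedTouch's local/remote networks against `access-list 115` (they must be exact mirrors) and its PFS setting against `set pfs group2`. Second, IOS performs inside-to-outside NAT before it consults the crypto map, so a NAT statement whose ACL does not deny the VPN subnet pair (here `access-list 1` under `ip nat inside source list 1 interface Dialer0 overload`) translates 192.168.4.x to the Dialer0 address before `access-list 115` is evaluated, and the traffic is never encrypted; only the route-map NAT statement has that deny. This is an added editor example, not the OP's config and not Cisco documentation; it reuses the thread's addresses and keeps the thread's 3DES/MD5/group 2 settings so it stays comparable (those are weak and should be replaced by AES, SHA and DH group 14 or higher wherever the peer supports them). The pre-shared key is a placeholder.

```cisco
! --- Site A (IOS): 192.168.4.0/24 behind Dialer0, peer 50.50.50.14 ---
crypto isakmp policy 1
 encr 3des              ! weak; use "encr aes 256" when the peer supports it
 hash md5               ! weak; use "hash sha" or stronger when the peer supports it
 authentication pre-share
 group 2                ! weak; use "group 14" or higher when the peer supports it
 lifetime 3600
crypto isakmp key <pre-shared-key> address 50.50.50.14
!
crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
 mode tunnel
!
! Proxy IDs (phase 2 selectors). The peer must propose the exact mirror:
! local 192.168.3.0/24 -> remote 192.168.4.0/24. Any difference in prefix
! length or network produces "phase 2 SA policy not acceptable".
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! NAT exemption. IOS translates inside->outside BEFORE the crypto map is
! consulted, so the deny line must be present on EVERY NAT statement that
! the LAN can match, not only on the route-map one.
ip access-list extended NAT-TRAFFIC
 deny   ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 any
ip nat inside source list NAT-TRAFFIC interface Dialer0 overload
!
crypto map VPN 10 ipsec-isakmp
 set peer 50.50.50.14
 set transform-set TRANSFORM
 set pfs group2          ! peer must also propose PFS with the same group, or remove this
 match address VPN-TRAFFIC
!
interface Dialer0
 crypto map VPN
!
! --- Verification, run on the IOS side ---
! show crypto isakmp sa                  ! QM_IDLE / ACTIVE = phase 1 is up
! show crypto ipsec sa peer 50.50.50.14  ! #pkts encaps and decaps must both increase
! show crypto map                        ! confirms ACL, peer and PFS bound to the map
! show ip nat translations | include 192.168.3.   ! must be empty: VPN traffic is not to be NATed
```

If `show crypto ipsec sa` shows the SA up but only `#pkts decaps` moving, the local side is receiving but not encrypting, which is the NAT-before-crypto symptom; if no SA forms at all and the debug repeats the `PROPOSAL_NOT_CHOSEN` sequence above, it is the selector or PFS comparison.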