GroupStudy.com - A virtual community of network engineers
RE: Strange VPN issue posted 10/26/2007


Hi Chamara, did you try aggressive mode instead? This is usually the way to go when having a dynamic IP on one end.


-- Richard

-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx]
Sent: Friday, October 26, 2007 11:21 PM
To: Farrukh Haroon
Cc: Tarun Pahuja; WorkerBee; Cisco certification
Subject: Re: Strange VPN issue

Hi Farrukh,

I've tried both ways (with host and without host) as you suggested. But
still the same issue.

Cheers,
Chamara


On 10/27/07, Farrukh Haroon <farrukhharoon@xxxxxxxxx> wrote:
>
> Chamara, can you try one of the following:
>
> match identity host  test123.vpn.com
> (without the 'domain' keyword),
> _or_
> match identity host domain vpn.com
>
> The command reference is quite ambiguous about the proper use.
>
> Regards
>
> Farrukh
>
> On 10/25/07, Chamara Peris <dimsyboy@xxxxxxxxx> wrote:
> >
> > Hi Tarun,
> >
> > Using different DNS servers. However, the router can resolve the domain
> > without an issue. Debug attached from the HUB router.
> >
> >
> > Oct 25 07:26:36.300: ISAKMP (0:0): received packet from
> > 222.111.111.172dport 500 sport 500 Global (N) NEW SA
> > Oct 25 07:26:36.304: ISAKMP: Created a peer struct for 222.111.111.172,
> > peer
> > port 500
> > Oct 25 07:26:36.304: ISAKMP: New peer created peer = 0x82E88B4C
> > peer_handle
> > = 0x80000004
> > Oct 25 07:26:36.304: ISAKMP: Locking peer struct 0x82E88B4C, refcount 1
> > for
> > crypto_isakmp_process_block
> > Oct 25 07:26:36.304: ISAKMP: local port 500, remote port 500
> > Oct 25 07:26:36.304: insert sa successfully sa = 82F383B4
> > Oct 25 07:26:36.304: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> > Oct 25 07:26:36.304: ISAKMP:(0):Old State = IKE_READY  New State =
> > IKE_R_MM1
> >
> > Oct 25 07:26:36.304: ISAKMP:(0): processing SA payload. message ID = 0
> > Oct 25 07:26:36.304: ISAKMP:(0): processing vendor id payload
> > Oct 25 07:26:36.304: ISAKMP:(0): vendor ID seems Unity/DPD but major 245
> > mismatch
> > Oct 25 07:26:36.304: ISAKMP (0:0): vendor ID is NAT-T v7
> > Oct 25 07:26: 36.304: ISAKMP:(0): processing vendor id payload
> > Oct 25 07:26:36.304: ISAKMP:(0): vendor ID seems Unity/DPD but major 157
> > mismatch
> > Oct 25 07:26:36.304: ISAKMP:(0): vendor ID is NAT-T v3
> > Oct 25 07:26:36.304: ISAKMP:(0): processing vendor id payload
> > Oct 25 07:26:36.308: ISAKMP:(0): vendor ID seems Unity/DPD but major 123
> > mismatch
> > Oct 25 07:26:36.308: ISAKMP:(0): vendor ID is NAT-T v2
> > Oct 25 07:26:36.308: ISAKMP:(0):found peer pre-shared key matching
> > 222.111.111.172
> > Oct 25 07:26:36.308: ISAKMP:(0): local preshared key found
> > Oct 25 07:26:36.308: ISAKMP : Scanning profiles for xauth ... HH
> > Oct 25 07:26:36.308: ISAKMP:(0):Checking ISAKMP transform 1 against
> > priority
> > 1 policy
> > Oct 25 07:26:36.308: ISAKMP:      encryption 3DES-CBC
> > Oct 25 07:26:36.308: ISAKMP:      hash SHA
> > Oct 25 07:26:36.308: ISAKMP:      default group 2
> > Oct 25 07:26:36.308: ISAKMP:      auth pre-share
> > Oct 25 07:26:36.308: ISAKMP:      life type in seconds
> > Oct 25 07:26:36.308: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51
> > 0x80
> > Oct 25 07:26:36.308: ISAKMP:(0):atts are acceptable. Next payload is 3
> > Oct 25 07:26: 36.308: ISAKMP:(0): processing vendor id payload
> > Oct 25 07:26:36.308: ISAKMP:(0): vendor ID seems Unity/DPD but major 245
> > mismatch
> > Oct 25 07:26:36.308: ISAKMP (0:0): vendor ID is NAT-T v7
> > Oct 25 07:26:36.308: ISAKMP:(0): processing vendor id payload
> > Oct 25 07:26:36.308: ISAKMP:(0): vendor ID seems Unity/DPD but major 157
> > mismatch
> > Oct 25 07:26:36.308: ISAKMP:(0): vendor ID is NAT-T v3
> > Oct 25 07:26:36.308: ISAKMP:(0): processing vendor id payload
> > Oct 25 07:26: 36.312: ISAKMP:(0): vendor ID seems Unity/DPD but major
> > 123
> > mismatch
> > Oct 25 07:26:36.312: ISAKMP:(0): vendor ID is NAT-T v2
> > Oct 25 07:26:36.312: ISAKMP:(0):Input = IKE_MESG_INTERNAL,
> > IKE_PROCESS_MAIN_MODE
> > Oct 25 07:26: 36.312: ISAKMP:(0):Old State = IKE_R_MM1  New State =
> > IKE_R_MM1
> >
> > Oct 25 07:26:36.312: ISAKMP:(0): constructed NAT-T vendor-07 ID
> > Oct 25 07:26:36.312: ISAKMP:(0): sending packet to 222.111.111.172my_port
> > 500 peer_port 500 (R) MM_SA_SETUP
> > Oct 25 07:26:36.312: ISAKMP:(0):Input = IKE_MESG_INTERNAL,
> > IKE_PROCESS_COMPLETE
> > Oct 25 07:26:36.312: ISAKMP:(0):Old State = IKE_R_MM1  New State =
> > IKE_R_MM2
> >
> > Oct 25 07:26:36.688: ISAKMP (0:0): received packet from
> > 222.111.111.172dport 500 sport 500 Global (R) MM_SA_SETUP
> > Oct 25 07:26:36.692: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> > Oct 25 07:26:36.692 : ISAKMP:(0):Old State = IKE_R_MM2  New State =
> > IKE_R_MM3
> >
> > Oct 25 07:26:36.692: ISAKMP:(0): processing KE payload. message ID = 0
> > Oct 25 07:26:36.732: ISAKMP:(0): processing NONCE payload. message ID =
> > 0
> > Oct 25 07:26: 36.736: ISAKMP:(0):found peer pre-shared key matching
> > 222.111.111.172
> > Oct 25 07:26:36.736: ISAKMP:(2003): processing vendor id payload
> > Oct 25 07:26:36.736: ISAKMP:(2003): vendor ID is Unity
> > Oct 25 07:26:36.736: ISAKMP:(2003): processing vendor id payload
> > Oct 25 07:26:36.736: ISAKMP:(2003): vendor ID is DPD
> > Oct 25 07:26:36.736: ISAKMP:(2003): processing vendor id payload
> > Oct 25 07:26:36.736: ISAKMP:(2003): speaking to another IOS box!
> > Oct 25 07:26:36.736: ISAKMP:(2003):Input = IKE_MESG_INTERNAL,
> > IKE_PROCESS_MAIN_MODE
> > Oct 25 07:26:36.736: ISAKMP:(2003):Old State = IKE_R_MM3  New State =
> > IKE_R_MM3
> >
> > Oct 25 07:26:36.740: ISAKMP:(2003): sending packet to
> > 222.111.111.172my_port 500 peer_port 500 (R) MM_KEY_EXCH
> > Oct 25 07:26:36.740: ISAKMP:(2003):Input = IKE_MESG_INTERNAL,
> > IKE_PROCESS_COMPLETE
> > Oct 25 07:26:36.740: ISAKMP:(2003):Old State = IKE_R_MM3  New State =
> > IKE_R_MM4
> >
> > Oct 25 07:26:37.168: ISAKMP (0:2003): received packet from
> > 222.111.111.172dport 500 sport 500 Global (R) MM_KEY_EXCH
> > Oct 25 07:26:37.168: ISAKMP:(2003):Input = IKE_MESG_FROM_PEER,
> > IKE_MM_EXCH
> > Oct 25 07:26:37.168: ISAKMP:(2003):Old State = IKE_R_MM4  New State =
> > IKE_R_MM5
> >
> > Oct 25 07:26:37.168: ISAKMP:(2003): processing ID payload. message ID =
> > 0
> > Oct 25 07:26:37.168: ISAKMP (0:2003): ID payload
> >         next-payload : 8
> >         type         : 1
> >         address      : 222.111.111.172
> >         protocol     : 17
> >         port         : 500
> >         length       : 12
> > Oct 25 07:26:37.168: ISAKMP:(0):: peer matches *none* of the profiles
> > Oct 25 07:26:37.168: ISAKMP:(2003): processing HASH payload. message ID
> > = 0
> > Oct 25 07:26:37.168: ISAKMP:received payload type 17
> > Oct 25 07:26:37.168: ISAKMP:(2003): processing NOTIFY INITIAL_CONTACT
> > protocol 1
> >         spi 0, message ID = 0, sa = 82F383B4
> > Oct 25 07:26:37.168: ISAKMP:(2003):SA authentication status:
> >         authenticated
> > Oct 25 07:26:37.168: ISAKMP:(2003):SA has been authenticated with
> > 222.111.111.172
> > Oct 25 07:26:37.172: ISAKMP:(2003):SA authentication status:
> >         authenticated
> > Oct 25 07:26:37.172: ISAKMP:(2003): Process initial contact,
> > bring down existing phase 1 and 2 SA's with local 124.111.211.181 remote
> > 222.111.111.172 remote port 500
> > Oct 25 07:26:37.172: ISAKMP: Trying to insert a peer
> > 124.111.211.181/222.111.111.172/500/,  and inserted successfully
> > 82E88B4C.
> > Oct 25 07:26:37.172: ISAKMP:(2003):Input = IKE_MESG_INTERNAL,
> > IKE_PROCESS_MAIN_MODE
> > Oct 25 07:26:37.172: ISAKMP:(2003):Old State = IKE_R_MM5  New State =
> > IKE_R_MM5
> >
> > Oct 25 07:26:37.172: IPSEC(key_engine): got a queue event with 1 KMI
> > message(s)
> > Oct 25 07:26:37.172: ISAKMP:(2003):SA is doing pre-shared key
> > authentication
> > using id type ID_IPV4_ADDR
> > Oct 25 07:26: 37.172: ISAKMP (0:2003): ID payload
> >         next-payload : 8
> >         type         : 1
> >         address      : 124.111.211.181
> >         protocol     : 17
> >         port         : 500
> >         length       : 12
> > Oct 25 07:26:37.172: ISAKMP:(2003):Total payload length: 12
> > Oct 25 07:26:37.176: ISAKMP:(2003): sending packet to
> > 222.111.111.172my_port 500 peer_port 500 (R) MM_KEY_EXCH
> > Oct 25 07:26: 37.176: ISAKMP:(2003):Input = IKE_MESG_INTERNAL,
> > IKE_PROCESS_COMPLETE
> > Oct 25 07:26:37.176: ISAKMP:(2003):Old State = IKE_R_MM5  New State =
> > IKE_P1_COMPLETE
> >
> > Oct 25 07:26:37.176: ISAKMP:(2003):Input = IKE_MESG_INTERNAL,
> > IKE_PHASE1_COMPLETE
> > Oct 25 07:26:37.176: ISAKMP:(2003):Old State = IKE_P1_COMPLETE  New
> > State =
> > IKE_P1_COMPLETE
> >
> > Oct 25 07:26:37.552: ISAKMP (0:2003): received packet from
> > 222.111.111.172dport 500 sport 500 Global (R) QM_IDLE
> > Oct 25 07:26:37.552: ISAKMP: set new node -1997029058 to QM_IDLE
> > Oct 25 07:26:37.552: ISAKMP:(2003): processing HASH payload. message ID
> > =
> > -1997029058
> > Oct 25 07:26:37.552: ISAKMP:(2003): processing SA payload. message ID =
> > -1997029058
> > Oct 25 07:26:37.552: ISAKMP:(2003):Checking IPSec proposal 1
> > Oct 25 07:26:37.552: ISAKMP: transform 1, ESP_3DES
> > Oct 25 07:26:37.552: ISAKMP:   attributes in transform:
> > Oct 25 07:26:37.552: ISAKMP:      encaps is 1 (Tunnel)
> > Oct 25 07:26:37.552: ISAKMP:      SA life type in seconds
> > Oct 25 07:26:37.552: ISAKMP:      SA life duration (basic) of 3600
> > Oct 25 07:26:37.552: ISAKMP:      SA life type in kilobytes
> > Oct 25 07:26:37.552: ISAKMP:      SA life duration (VPI) of  0x0 0x46
> > 0x50
> > 0x0
> > Oct 25 07:26:37.552: ISAKMP:      authenticator is HMAC-SHA
> > Oct 25 07:26:37.552: ISAKMP:(2003):atts are acceptable.
> > Oct 25 07:26:37.556: IPSEC(validate_proposal_request): proposal part #1
> > Oct 25 07:26: 37.556: IPSEC(validate_proposal_request): proposal part
> > #1,
> >   (key eng. msg.) INBOUND local= 124.111.211.181, remote=
> > 222.111.111.172,
> >     local_proxy= 192.168.60.0/255.255.255.0/0/0 (type=4),
> >     remote_proxy= 192.168.61.0/255.255.255.0/0/0 (type=4),
> >     protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
> >     lifedur= 0s and 0kb,
> >     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
> > Oct 25 07:26:37.556: Crypto mapdb : proxy_match
> >         src addr     : 192.168.60.0
> >         dst addr     : 192.168.61.0
> >         protocol     : 0
> >         src port     : 0
> >         dst port     : 0
> > Oct 25 07:26:37.556: map_db_check_isakmp_profile profile did not match
> > Oct 25 07:26: 37.556: Crypto mapdb : proxy_match
> >         src addr     : 192.168.60.0
> >         dst addr     : 192.168.61.0
> >         protocol     : 0
> >         src port     : 0
> >         dst port     : 0
> > Oct 25 07:26:37.556: map_db_check_isakmp_profile profile did not match
> > Oct 25 07:26:37.556: map_db_find_best did not find matching map
> > Oct 25 07:26:37.556: IPSEC(crypto_ipsec_process_proposal): proxy
> > identities
> > not supported
> > Oct 25 07:26:37.556: ISAKMP:(2003): IPSec policy invalidated proposal
> > with
> > error 32
> > Oct 25 07:26:37.556: ISAKMP:(2003): phase 2 SA policy not acceptable!
> > (local
> > 124.111.211.181 remote 222.111.111.172)
> > Oct 25 07:26:37.556: ISAKMP: set new node 1861558090 to QM_IDLE
> > Oct 25 07:26:37.560: ISAKMP:(2003):Sending NOTIFY PROPOSAL_NOT_CHOSEN
> > protocol 3
> >         spi 2208230480, message ID = 1861558090
> > Oct 25 07:26:37.560: ISAKMP:(2003): sending packet to
> > 222.111.111.172my_port 500 peer_port 500 (R) QM_IDLE
> > Oct 25 07:26:37.560: ISAKMP:(2003):purging node 1861558090
> > Oct 25 07:26:37.560: ISAKMP:(2003):deleting node -1997029058 error TRUE
> > reason "QM rejected"
> > Oct 25 07:26:37.560: ISAKMP:(2003):Node -1997029058, Input =
> > IKE_MESG_FROM_PEER, IKE_QM_EXCH
> > Oct 25 07:26: 37.560: ISAKMP:(2003):Old State = IKE_QM_READY  New State
> > =
> > IKE_QM_READY
> >
> >
> >
> > On 10/25/07, Tarun Pahuja <pahujat@xxxxxxxxx> wrote:
> > >
> > > Chamara,
> > >                 Are the working and non working routers using the same DNS
> > > servers or different DNS servers? You can specify multiple criteria for
> > > matching.
> > >
> > >
> > > http://www.cisco.com/en/US/products/ps6635/products_white_paper0900aecd8034bd59.shtml
> >
> > >
> > > Do me a favor, revert back your configuration to use Match identity host
> > > domain, try to initiate the tunnel and capture the debug and send it to me.
> > > Seems like the FQDN is not getting resolved correctly.
> > >
> > > Thanks,
> > > Tarun
> > >
> > >
> > >  On 10/23/07, Chamara Peris <dimsyboy@xxxxxxxxx > wrote:
> > >
> > > > same IOS version on working setup and non working setup :(
> > > >
> > > > On 10/24/07, WorkerBee < ciscobee@xxxxxxxxx> wrote:
> > > > >
> > > > > > Before you check on the IOS version, if you change the type domain to
> > > > > > address, does it work? Changing to address type is to make sure no
> > > > > > configuration or firewall issue.
> > > > >
> > > > > On 10/24/07, WorkerBee < ciscobee@xxxxxxxxx> wrote:
> > > > > > > Maybe is IOS version? Check the version against the working setup.
> > > > > >
> > > > > > On 10/24/07, Chamara Peris < dimsyboy@xxxxxxxxx> wrote:
> > > > > > > Hi All,
> > > > > > >
> > > > > > > Any ideas on this issue?
> > > > > > >
> > > > > > >
> > > > > > > On 10/23/07, Chamara Peris < dimsyboy@xxxxxxxxx> wrote:
> > > > > > > >
> > > > > > > > > I have ip domain-lookup enabled and hub router & spoke both can ping the
> > > > > > > > > test123.vpn.com (it resolves it).
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > On 10/23/07, WorkerBee < ciscobee@xxxxxxxxx> wrote:
> > > > > > > > >
> > > > > > > > > > Do you have 'ip domain-lookup' enabled?
> > > > > > > > > >
> > > > > > > > > > Try to do a ping test123.vpn.com and see if the router can resolve the
> > > > > > > > > > domain name correctly.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On 10/23/07, Chamara Peris < dimsyboy@xxxxxxxxx> wrote:
> > > > > > > > > > Hi Group,
> > > > > > > > > >
> > > > > > > > > > > I am experiencing a very strange VPN issue.  I have two sites connected via
> > > > > > > > > > > VPN. Hub site has a static IP and spoke site is dynamic. Please refer to
> > > > > > > > > > > configs of each site below.
> > > > > > > > > >
> > > > > > > > > > HUB:
> > > > > > > > > >
> > > > > > > > > > crypto keyring sats
> > > > > > > > > >   pre-shared-key address 0.0.0.0 0.0.0.0 key testing123
> > > > > > > > > > !
> > > > > > > > > > crypto isakmp policy 1
> > > > > > > > > >  encr 3des
> > > > > > > > > >  authentication pre-share
> > > > > > > > > >  group 2
> > > > > > > > > >
> > > > > > > > > > crypto isakmp invalid-spi-recovery
> > > > > > > > > > crypto isakmp profile HH
> > > > > > > > > >    keyring sats
> > > > > > > > > >    match identity host domain test123.vpn.com
> > > > > > > > > >
> > > > > > > > > > !
> > > > > > > > > > crypto ipsec transform-set myset esp-3des esp-sha-hmac
> > > > > > > > > > !
> > > > > > > > > > crypto dynamic-map dynmap 11
> > > > > > > > > >  set transform-set myset
> > > > > > > > > >  set isakmp-profile HH
> > > > > > > > > >  match address 137
> > > > > > > > > >
> > > > > > > > > > crypto map xyz 10 ipsec-isakmp dynamic dynmap
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > > access-list 137 permit ip 192.168.60.0 0.0.0.255 192.168.61.0 0.0.0.255
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > SPOKE:
> > > > > > > > > >
> > > > > > > > > > crypto isakmp policy 1
> > > > > > > > > >  encr 3des
> > > > > > > > > >  authentication pre-share
> > > > > > > > > >  group 2
> > > > > > > > > > crypto isakmp key testing123 address 111.111.111.111
> > > > > > > > > > crypto isakmp invalid-spi-recovery
> > > > > > > > > > crypto isakmp keepalive 360
> > > > > > > > > > !
> > > > > > > > > > !
> > > > > > > > > > crypto ipsec transform-set myset esp-3des esp-sha-hmac
> > > > > > > > > > !
> > > > > > > > > > crypto map xyz 2 ipsec-isakmp
> > > > > > > > > >  set peer 111.111.111.111
> > > > > > > > > >  set transform-set myset
> > > > > > > > > >  match address 137
> > > > > > > > > >
> > > > > > > > > > > access-list 137 permit ip 192.168.61.0 0.0.0.255 192.168.60.0 0.0.0.255
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > > My problem is this setup doesn't work in this environment. However same
> > > > > > > > > > > setup on another set of routers works perfectly. All the routers have
> > > > > > > > > > > domain name setup and name servers setup.
> > > > > > > > > >
> > > > > > > > > > > Only way to get this going on this set of routers is to change following
> > > > > > > > > > > on HUB router.
> > > > > > > > > > >
> > > > > > > > > > > match identity host domain test123.vpn.com -----> match identity address 0.0.0.0
> > > > > > > > > >
> > > > > > > > > > > With the above change it works. But I can't understand why match identity
> > > > > > > > > > > host domain doesn't work on this setup.
> > > > > > > > > >
> > > > > > > > > > Any ideas and help?
> > > > > > > > > >
> > > > > > > > > > Regards
> > > > > > > > > > CP
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > >
> > > >
> > _______________________________________________________________________
> > > > > > > > > > Subscription information may be found at:
> > > > > > > > > > http://www.groupstudy.com/list/CCIELab.html

_______________________________________________________________________
Subscription information may be found at: 
http://www.groupstudy.com/list/CCIELab.html
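
The responder-side debug quoted in this thread shows the peer's ID payload arriving as type 1 and the line "peer matches *none* of the profiles". The following is an added example, not part of any poster's message: a Python parser that extracts the peer's IKE identity type and the profile-match result from `debug crypto isakmp` output. The sample lines are constructed from the debug above, and the names `summarize` and `diagnose` are hypothetical.

```python
import re

# IKEv1 identification types from the IPsec DOI (RFC 2407, section 4.6.2.1).
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
            9: "ID_DER_ASN1_DN", 11: "ID_KEY_ID"}

# Constructed sample, shortened from the responder-side debug quoted in the thread.
SAMPLE = """\
Oct 25 07:26:37.168: ISAKMP:(2003): processing ID payload. message ID = 0
Oct 25 07:26:37.168: ISAKMP (0:2003): ID payload
        next-payload : 8
        type         : 1
        address      : 222.111.111.172
        protocol     : 17
Oct 25 07:26:37.168: ISAKMP:(0):: peer matches *none* of the profiles
Oct 25 07:26:37.168: ISAKMP:(2003):SA has been authenticated with 222.111.111.172
Oct 25 07:26:37.172: ISAKMP (0:2003): ID payload
        type         : 1
        address      : 124.111.211.181
Oct 25 07:26:37.556: map_db_check_isakmp_profile profile did not match
Oct 25 07:26:37.560: ISAKMP:(2003):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

def summarize(debug_text):
    """Return what the responder learned about the peer's IKE identity."""
    result = {"peer_id_type": None, "profile_matched": None,
              "phase1_authenticated": False, "phase2_rejected": False}
    awaiting_peer_id = False
    for raw in debug_text.splitlines():
        line = raw.lstrip("> ").rstrip()  # tolerate e-mail quote markers
        if "processing ID payload" in line:
            awaiting_peer_id = True  # the next ID payload dump is the peer's
        elif awaiting_peer_id and (m := re.match(r"type\s*:\s*(\d+)$", line)):
            n = int(m.group(1))
            result["peer_id_type"] = ID_TYPES.get(n, f"unknown({n})")
            awaiting_peer_id = False  # later ID payload dumps are the local ID
        elif "peer matches *none* of the profiles" in line:
            result["profile_matched"] = False
        elif "SA has been authenticated" in line:
            result["phase1_authenticated"] = True
        elif "PROPOSAL_NOT_CHOSEN" in line or "QM rejected" in line:
            result["phase2_rejected"] = True
    return result

def diagnose(summary):
    """Flag the case seen in the thread: IP-address identity, no profile match."""
    if summary["profile_matched"] is False and summary["peer_id_type"] == "ID_IPV4_ADDR":
        return ("peer sent ID_IPV4_ADDR and no ISAKMP profile matched; "
                "a 'match identity host' profile is compared against an ID_FQDN identity")
    return "no identity/profile mismatch found in this debug"

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s)
    print(diagnose(s))
```

On the sample, phase 1 authenticates with the pre-shared key, the profile lookup fails on the address-type identity, and phase 2 is rejected, which is the sequence in the quoted debug.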

