[vpn-help] VPN to cisco IOS crypto map

Kenneth Long kelong_2000 at yahoo.com
Mon Jul 14 15:43:08 CDT 2014 

Hello

I am using VPN client 2.2.1 on xubuntu 14.04.  And I am stuck trying to get past phase 2 to a cisco IOS crypto map.

I'm not sure if I have the network interface for  tap0 configured correctly?   not sure what to change on the vpn client next.   appreciate any help.


thank you


My iked.log shows numerous  DPD ARE-YOU-THERE  messages. 


14/07/14 16:17:24 >= : message 370c044c
14/07/14 16:17:24 >= : encrypt iv ( 16 bytes )
14/07/14 16:17:24 == : encrypt packet ( 84 bytes )
14/07/14 16:17:24 == : stored iv ( 16 bytes )
14/07/14 16:17:24 -> : send NAT-T:IKE packet 24.144.135.177:4500 -> 205.131.188.61:4500 ( 124 bytes )
14/07/14 16:17:24 ii : DPD ARE-YOU-THERE sequence 03285c3d requested
14/07/14 16:17:24 DB : phase1 found
14/07/14 16:17:24 -> : send NAT-T:KEEP-ALIVE packet 24.144.135.177:4500 -> 205.131.188.61:4500
14/07/14 16:17:29 -> : resend 1 phase2 packet(s) [1/2] 24.144.135.177:4500 -> 205.131.188.61:4500
14/07/14 16:17:29 -> : resend 1 phase2 packet(s) [1/2] 24.144.135.177:4500 -> 205.131.188.61:4500
14/07/14 16:17:29 -> : resend 1 phase2 packet(s) [1/2] 24.144.135.177:4500 -> 205.131.188.61:4500
14/07/14 16:17:39 DB : phase1 found




My routing table changes...

routing before
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         24.144.135.1    0.0.0.0         UG    0      0        0 eth0
24.144.135.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0


# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         24.144.135.1    0.0.0.0         UG    0      0        0 eth0
24.144.135.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
24.144.135.177  198.18.104.11   255.255.255.255 UGH   0      0        0 tap0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
198.18.0.0      0.0.0.0         255.254.0.0     U     0      0        0 tap0
205.131.188.61  198.18.104.11   255.255.255.255 UGH   0      0        0 tap0
205.131.188.61  24.144.135.1    255.255.255.255 UGH   0      0        0 eth0




cisco debug logs shows phase 1 completes. 


Jul 14 16:17:17 192.168.3.1 29540503: *Sep 13 19:52:13.519: ISAKMP:(1042):SA authentication status:
Jul 14 16:17:17 192.168.3.1 29540504: ^Iauthenticated
Jul 14 16:17:17 192.168.3.1 29540505: *Sep 13 19:52:13.523: ISAKMP:(1042):SA has been authenticated with 24.144.135.177
Jul 14 16:17:17 192.168.3.1 29540506: *Sep 13 19:52:13.523: ISAKMP:(1042):Detected port floating to port = 4500
Jul 14 16:17:17 192.168.3.1 29540507: *Sep 13 19:52:13.523: ISAKMP: Trying to insert a peer 172.16.224.61/24.144.135.177/4500/,  and inserted successfully 83C59C8C.
Jul 14 16:17:17 192.168.3.1 29540508: *Sep 13 19:52:13.523: ISAKMP:(1042):Setting UDP ENC peer struct 0x83A49B8C sa= 0x8448E07C
Jul 14 16:17:17 192.168.3.1 29540509: *Sep 13 19:52:13.527: ISAKMP:(1042):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 14 16:17:17 192.168.3.1 29540510: *Sep 13 19:52:13.527: ISAKMP:(1042):Old State = IKE_R_MM5  New State = IKE_R_MM5 
Jul 14 16:17:17 192.168.3.1 29540511: 
Jul 14 16:17:17 192.168.3.1 29540512: *Sep 13 19:52:13.531: ISAKMP:(1042):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jul 14 16:17:17 192.168.3.1 29540513: *Sep 13 19:52:13.531: ISAKMP (0:1042): ID payload 
Jul 14 16:17:17 192.168.3.1 29540514: ^Inext-payload : 8
Jul 14 16:17:17 192.168.3.1 29540515: ^Itype         : 1 
Jul 14 16:17:17 192.168.3.1 29540516: ^Iaddress      : 172.16.224.61
Jul 14 16:17:17 192.168.3.1 29540517:  
Jul 14 16:17:17 192.168.3.1 29540518: ^Iprotocol     : 17 
Jul 14 16:17:17 192.168.3.1 29540519: ^Iport         : 0 
Jul 14 16:17:17 192.168.3.1 29540520: ^Ilength       : 12
Jul 14 16:17:17 192.168.3.1 29540521: *Sep 13 19:52:13.531: ISAKMP:(1042):Total payload length: 12
Jul 14 16:17:17 192.168.3.1 29540522: *Sep 13 19:52:13.535: ISAKMP:(1042): sending packet to 24.144.135.177 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
Jul 14 16:17:17 192.168.3.1 29540523: *Sep 13 19:52:13.535: ISAKMP:(1042):Sending an IKE IPv4 Packet.
Jul 14 16:17:17 192.168.3.1 29540524: *Sep 13 19:52:13.539: ISAKMP:(1042):Returning Actual lifetime: 3600
Jul 14 16:17:17 192.168.3.1 29540525: *Sep 13 19:52:13.539: ISAKMP: set new node 1736466818 to QM_IDLE      
Jul 14 16:17:17 192.168.3.1 29540526: *Sep 13 19:52:13.539: ISAKMP:(1042):Sending NOTIFY RESPONDER_LIFETIME protocol 1
Jul 14 16:17:17 192.168.3.1 29540527: ^Ispi 2209681816, message ID = 1736466818
Jul 14 16:17:17 192.168.3.1 29540528: *Sep 13 19:52:13.543: ISAKMP:(1042): sending packet to 24.144.135.177 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
Jul 14 16:17:17 192.168.3.1 29540529: *Sep 13 19:52:13.543: ISAKMP:(1042):Sending an IKE IPv4 Packet.
Jul 14 16:17:17 192.168.3.1 29540530: *Sep 13 19:52:13.543: ISAKMP:(1042):purging node 1736466818
Jul 14 16:17:17 192.168.3.1 29540531: *Sep 13 19:52:13.547: ISAKMP: Sending phase 1 responder lifetime 3600
Jul 14 16:17:17 192.168.3.1 29540532: 
Jul 14 16:17:17 192.168.3.1 29540533: *Sep 13 19:52:13.547: ISAKMP:(1042):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jul 14 16:17:17 192.168.3.1 29540534: *Sep 13 19:52:13.547: ISAKMP:(1042):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE 
Jul 14 16:17:17 192.168.3.1 29540535: 
Jul 14 16:17:17 192.168.3.1 29540536: *Sep 13 19:52:13.551: ISAKMP:(1042):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jul 14 16:17:17 192.168.3.1 29540537: *Sep 13 19:52:13.551: ISAKMP:(1042):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 
Jul 14 16:17:17 192.168.3.1 29540538: 
Jul 14 16:17:17 192.168.3.1 29540539: *Sep 13 19:52:13.587: ISAKMP (0:1042): received packet from 24.144.135.177 dport 4500 sport 4500 Global (R) QM_IDLE      
Jul 14 16:17:17 192.168.3.1 29540540: *Sep 13 19:52:13.587: ISAKMP: set new node -1966322217 to QM_IDLE      
Jul 14 16:17:17 192.168.3.1 29540541: *Sep 13 19:52:13.591: ISAKMP:(1042): processing HASH payload. message ID = -1966322217
Jul 14 16:17:17 192.168.3.1 29540542: *Sep 13 19:52:13.591: ISAKMP:(1042): processing NOTIFY INITIAL_CONTACT protocol 1
Jul 14 16:17:17 192.168.3.1 29540543: ^Ispi 0, message ID = -1966322217, sa = 8448E07C
Jul 14 16:17:17 192.168.3.1 29540544: *Sep 13 19:52:13.591: ISAKMP:(1042):SA authentication status:
Jul 14 16:17:17 192.168.3.1 29540545: ^Iauthenticated
Jul 14 16:17:17 192.168.3.1 29540546: *Sep 13 19:52:13.595: ISAKMP:(1042): Process initial contact,
Jul 14 16:17:17 192.168.3.1 29540547: bring down existing phase 1 and 2 SA's with local 172.16.224.61 remote 24.144.135.177 remote port 4500
Jul 14 16:17:17 192.168.3.1 29540548: *Sep 13 19:52:13.595: ISAKMP:(1042):deleting node -1966322217 error FALSE reason "Informational (in) state 1"
Jul 14 16:17:18 192.168.3.1 29540549: *Sep 13 19:52:13.595: ISAKMP:(1042):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jul 14 16:17:18 192.168.3.1 29540550: *Sep 13 19:52:13.599: ISAKMP:(1042):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20140714/1b1f7b73/attachment.html>

More information about the vpn-help mailing list