Ipsec VPN between cisco 877 and windows 2008
This thread has 40 replies and has been viewed 4835 times.

#1
Hi,
I'm trying to connect a Cisco 877 router to a Windows 2008 server using IPsec between them. The device successfully passes PHASE 1 negotiation (main mode) but stops at PHASE 2 level (Quick mode). The main goal is to securely connect 192.168.2.0 computers to the Windows server on its private IP address 192.168.5.1.
CISCO:
Code:
crypto isakmp policy 1
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key <PASSWORD> address <WINDOWS WAN IP>
!
!
crypto ipsec transform-set rtpset esp-des esp-sha-hmac
!
crypto map rtp 1 ipsec-isakmp
 set peer <WINDOWS WAN IP>
 set transform-set rtpset
 match address 115
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 no ip redirects
 ip directed-broadcast
 ip nat inside
 ip virtual-reassembly
 zone-member security INSIDE
 no autostate
!
interface BVI1
 ip address <CISCO WAN IP>
 no ip redirects
 ip nat outside
 ip virtual-reassembly
 zone-member security OUTSIDE
 crypto map rtp
!
ip route 192.168.5.0 255.255.255.0 BVI1 <WINDOWS WAN IP>
ip route 0.0.0.0 0.0.0.0 BVI1 dhcp
!
ip nat inside source list NAT interface BVI1 overload
!
ip access-list extended NAT
 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
!
access-list 115 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255

Code:
Endpoint 1: <WINDOWS WAN IP>
Endpoint 2: <CISCO WAN IP>
Source Subnet: 192.168.5.0
Destination Subnet: 192.168.2.0
route add 192.168.2.0 mask 255.255.255.0 <CISCO WAN IP>
The 192.168.5.1 IP address is bound to the Windows WAN adapter as a secondary IP. When I do an extended ping, debug ipsec error shows:
Code:
877W#ping 192.168.5.1 source 192.168.2.1 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 192.168.5.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
000830: *Jul 15 04:21:20.397: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= <CISCO WAN IP>, remote= <WINDOWS WAN IP>,
local_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
000831: *Jul 15 04:21:20.409: ISAKMP:(2029):deleting node -1312726829 error TRUE reason "Delete Larval".
Success rate is 0 percent (0/1)
Code:
Crypto map tag: rtp, local addr <CISCO WAN IP>
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer <WINDOWS WAN IP> port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 11, #recv errors 0
local crypto endpt.: <CISCO WAN IP>, remote crypto endpt.: <WINDOWS WAN IP>
path mtu 1500, ip mtu 1500, ip mtu idb BVI1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Code:
An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.
Local Endpoint:
Principal Name: -
Network Address:
Keying Module Port: 500
Remote Endpoint:
Principal Name: -
Network Address:
Keying Module Port: 500
Security Association Information:
Lifetime (minutes): 480
Quick Mode Limit: 0
Main Mode SA ID: 352
Cryptographic Information:
Cipher Algorithm: DES
Integrity Algorithm: SHA1
Diffie-Hellman Group: DH group 2
Additional Information:
Keying Module Name: IKE
Authentication Method: Preshared key
Role: Responder
Impersonation State: Not enabled
Code:
An IPsec Quick Mode negotiation failed.
Local Endpoint:
Network Address:
Network Address mask:
Port: 0
Tunnel Endpoint:
Remote Endpoint:
Network Address:
Address Mask:
Port: 0
Tunnel Endpoint:
Private Address:
Additional Information:
Protocol: 0
Keying Module Name: IKE
Mode: Tunnel
Role: Responder
Quick Mode Filter ID: 0
Main Mode SA ID: 343
Failure Information:
State: No state
Message ID: 2982240467
Failure Point: Local computer
Failure Reason: No policy configured
Please someone help me to figure this out, I'm already going mad!
Last edited by zx128k; 24th May 2012 at 19:28.
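The Windows event above ends with "Failure Reason: No policy configured", which is what the responder reports when the proxy identities proposed in Quick Mode (the networks in access-list 115) do not line up with a rule on its side. The following script is an added example, not code from the original post: it pulls the crypto map's selector ACL out of the Cisco config, converts wildcard masks to prefixes, and checks that the Windows rule is an exact mirror. The config text is a constructed copy of the relevant lines above; the /24 prefix lengths on the Windows side, and the WAN address 203.0.113.5 used in the usage lines, are assumptions (the post only gives the subnet addresses).

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the Cisco config from the post above,
# with the WAN address left as the same placeholder the post uses.
CISCO_CONFIG = """\
crypto ipsec transform-set rtpset esp-des esp-sha-hmac
crypto map rtp 1 ipsec-isakmp
 set peer <WINDOWS WAN IP>
 set transform-set rtpset
 match address 115
access-list 115 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
"""

# Assumed Windows-side rule: the post lists only the subnet addresses, so the
# /24 prefix lengths here are an assumption, not something the page states.
WINDOWS_RULE = {"local": "192.168.5.0/24", "remote": "192.168.2.0/24"}


def wildcard_to_network(addr, wildcard):
    """Turn a Cisco address/wildcard pair into an IPv4Network.

    A wildcard is the bitwise inverse of a netmask: 0.0.0.255 <-> 255.255.255.0.
    """
    inverted = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address(inverted)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def crypto_map_selectors(config):
    """Return the (src, dst) networks of the ACL named by the crypto map's
    'match address' line; these are the proxy identities IOS proposes in Quick Mode."""
    m = re.search(r"^\s*match address (\d+)\s*$", config, re.M)
    if m is None:
        raise ValueError("crypto map has no 'match address' statement")
    acl = m.group(1)
    entry = re.compile(
        rf"^access-list {acl} permit ip (\S+) (\S+) (\S+) (\S+)\s*$", re.M)
    return [(wildcard_to_network(s, sw), wildcard_to_network(d, dw))
            for s, sw, d, dw in entry.findall(config)]


def check_mirrored(config, windows_rule):
    """Quick Mode only completes when the responder has a rule whose local/remote
    subnets are the exact mirror of the initiator's proxy identities.
    Returns a list of mismatches; an empty list means the selectors line up."""
    win_local = ipaddress.IPv4Network(windows_rule["local"])
    win_remote = ipaddress.IPv4Network(windows_rule["remote"])
    problems = []
    for src, dst in crypto_map_selectors(config):
        if src != win_remote or dst != win_local:
            problems.append(
                f"Cisco proposes {src} -> {dst}; Windows rule is "
                f"{win_local} <-> {win_remote} (not an exact mirror)")
    return problems


def windows_traffic_protected(config, src_ip, dst_ip):
    """True if a packet leaving the Windows host from src_ip to dst_ip falls inside
    the mirror of the Cisco selector, i.e. would be matched by the tunnel policy.
    This is the point raised in reply #2: traffic sourced from the WAN address
    rather than 192.168.5.1 does not match the selector at all."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    return any(dst in cisco_src and src in cisco_dst
               for cisco_src, cisco_dst in crypto_map_selectors(config))


if __name__ == "__main__":
    print(check_mirrored(CISCO_CONFIG, WINDOWS_RULE) or "selectors mirror correctly")
    # 203.0.113.5 is a constructed stand-in for the Windows WAN address.
    print(windows_traffic_protected(CISCO_CONFIG, "192.168.5.1", "192.168.2.10"))  # True
    print(windows_traffic_protected(CISCO_CONFIG, "203.0.113.5", "192.168.2.10"))  # False
```

If `check_mirrored` comes back empty and the Windows event still says "No policy configured", the mismatch is somewhere the script cannot see from the post (the exact Windows rule masks, or which address the server actually sources from), which is where the secondary-IP question in reply #2 comes in.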
#2
Well, it's definitely an issue with Phase 2. Your config on the router looks fine. I would double check your policy for phase 2 on the Windows server.
Quote:
192.168.5.1 IP Address is bound to the Windows WAN adapter as a secondary IP.
I wonder if this is the issue, being it's a secondary IP on that interface. Meaning, when traffic is sent from the server, is it being sourced from the WAN IP or the secondary IP address?
__________________
CCNA, CCNA-Security, CCNP CCIE Security (In Progress)
Last edited by auglan; 24th May 2012 at 19:39.
#3
Thanks for the reply auglan.
I'm also confused about it, but the server has only one physical interface that connects to the internet. I had to somehow make a private subnet. I definitely know that both sides have the same encryption. One more thing, I can't find info about this error message: error TRUE reason "Delete Larval"
#4
Quote:
Meaning, when traffic is sent from the server, is it being sourced from the WAN IP or the secondary IP address?
I'm starting to think about it... you may be absolutely right, but how can I check it?
#5
Double check your Proxy ACL on the server side (interesting traffic ACL).
You could also clear the tunnel from the Cisco side:
Code:
clear crypto sa
clear crypto isakmp sa
Then you could debug phase 2. I would send it to the buffer as it will be very verbose. This should tell you why phase 2 is failing:
Code:
debug crypto ipsec
__________________
CCNA, CCNA-Security, CCNP CCIE Security (In Progress)
Last edited by auglan; 24th May 2012 at 20:07.
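The advice above is to clear the SAs, re-trigger the tunnel and read `debug crypto ipsec` together with `show crypto ipsec sa`. The script below is an added example, not from the thread, showing what to read out of that output once it is in the log buffer: it parses the counters and SA sections from a constructed copy of the `show crypto ipsec sa` output in post #1, looks for the "Delete Larval" line from the debug, and classifies the tunnel as established or stuck in Phase 2. The "established" sample and its SPI values are made up to show the contrasting case; a larval SA is the placeholder IOS creates when interesting traffic triggers an `sa_request`, so its deletion before any SPI is agreed means Quick Mode never completed.

```python
import re

# Constructed samples modelled on the 'show crypto ipsec sa' output and the
# debug line from post #1 (placeholders kept as in the post).
SHOW_SA_FAILED = """\
Crypto map tag: rtp, local addr <CISCO WAN IP>
 local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
 remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
 current_peer <WINDOWS WAN IP> port 500
 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
 #send errors 11, #recv errors 0
 current outbound spi: 0x0(0)
 inbound esp sas:
 inbound ah sas:
 inbound pcp sas:
 outbound esp sas:
 outbound ah sas:
 outbound pcp sas:
"""

DEBUG_FAILED = ('000831: *Jul 15 04:21:20.409: ISAKMP:(2029):deleting node -1312726829 '
                'error TRUE reason "Delete Larval".')

# Constructed picture of the same output after Quick Mode succeeds; SPI values are made up.
SHOW_SA_OK = """\
Crypto map tag: rtp, local addr <CISCO WAN IP>
 #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
 #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
 #send errors 0, #recv errors 0
 current outbound spi: 0x4D3C2B1A(1295788826)
 inbound esp sas:
  spi: 0x1A2B3C4D(439041101)
   transform: esp-des esp-sha-hmac ,
 inbound ah sas:
 inbound pcp sas:
 outbound esp sas:
  spi: 0x4D3C2B1A(1295788826)
   transform: esp-des esp-sha-hmac ,
 outbound ah sas:
 outbound pcp sas:
"""


def _spis(text, start, end):
    """SPI values listed between two section headers, e.g. 'inbound esp sas:' and 'inbound ah sas:'."""
    m = re.search(re.escape(start) + r"(.*?)" + re.escape(end), text, re.S)
    return re.findall(r"spi: 0x([0-9A-Fa-f]+)", m.group(1)) if m else []


def parse_sa(text):
    """Pull out the fields that show whether Phase 2 actually produced SAs."""
    def num(pattern, default=0):
        m = re.search(pattern, text)
        return int(m.group(1)) if m else default

    spi = re.search(r"current outbound spi: 0x([0-9A-Fa-f]+)", text)
    return {
        "pkts_encaps": num(r"#pkts encaps: (\d+)"),
        "send_errors": num(r"#send errors (\d+)"),
        "recv_errors": num(r"#recv errors (\d+)"),
        "outbound_spi": int(spi.group(1), 16) if spi else 0,
        "inbound_esp": _spis(text, "inbound esp sas:", "inbound ah sas:"),
        "outbound_esp": _spis(text, "outbound esp sas:", "outbound ah sas:"),
    }


def phase2_verdict(show_sa, debug_log=""):
    """Classify the tunnel state from the show output plus an optional debug buffer.
    Empty SA lists with a zero outbound SPI, send errors climbing on each ping, and a
    'Delete Larval' in the debug all point at Quick Mode failing on the peer's policy."""
    info = parse_sa(show_sa)
    if info["inbound_esp"] and info["outbound_esp"] and info["outbound_spi"] != 0:
        return "established"
    if "Delete Larval" in debug_log or info["send_errors"] > 0:
        return "phase2-failed"
    return "no-attempt"


if __name__ == "__main__":
    print(phase2_verdict(SHOW_SA_FAILED, DEBUG_FAILED))  # phase2-failed
    print(phase2_verdict(SHOW_SA_OK))                     # established
```

The useful habit here is to pair the two views: `show crypto ipsec sa` tells you whether an SA exists (SPI lists, `#send errors`), and the debug tells you at which step it was torn down, which on the Windows side corresponds to the Quick Mode failure event with its "No policy configured" reason.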
#6
I have created a loopback interface in Windows with 192.168.5.1 on it, so now I have a private address separated from the WAN adapter, but the results are the same: no ping reply.
I have done your commands, but the debug message is the same, error TRUE reason "Delete Larval". I have no idea what to do next.
#7
auglan, I'm not sure if this will somehow help us find the problem, but I have tested the VPN configuration in Cisco Configuration Professional and got this message during the routing table check:
Code:
The peer must be routed through the crypto map interface. The following peer(s) do not have a routing entry in the routing table.
1) <WINDOWS WAN IP>