
I have been trying to set up an IPsec tunnel between a router and my Windows XP box. The router is 192.168.254.30, and the XP machine is 192.168.254.128. However, I can't seem to get the tunnel working. I have set the tunnel to apply to ICMP, and pings are not working from either side. On the Windows side, I can see it is being applied because I get "Negotiating IP Security."

The IOS Configuration:

!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN_TEST
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
no logging console
enable secret 5 $1$3p0B$h21M/3z9dR0n3gnJPWjBm/
enable password test1
!
aaa new-model
!
!
aaa authentication ppp default group radius local
aaa authorization network default group radius 
aaa session-id common
ip subnet-zero
!
!
ip cef
!
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 l2tp security crypto-profile l2tpprof
 no l2tp tunnel authentication
!
async-bootp dns-server 192.168.254.253
!
!
!
!
!
!
!
!
!
!
!
!
username atestuser password 0 atestuser
!
!
! 
!
crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key testvpn address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set l2tptrans esp-3des esp-md5-hmac 
 mode transport
crypto ipsec transform-set radius-trans-set esp-des esp-md5-hmac 
!
crypto map l2tpmap 2 ipsec-isakmp 
 set peer 192.168.254.128
 set transform-set radius-trans-set 
 match address for_radius
crypto map l2tpmap 10 ipsec-isakmp profile l2tpprof 
 set transform-set l2tptrans 
!
!
!
!
interface Loopback0
 ip address 172.16.7.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.6.1 255.255.255.0
 speed auto
 half-duplex
!
interface FastEthernet1/0
 ip address 192.168.254.30 255.255.255.0
 duplex auto
 speed auto
 crypto map l2tpmap
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip access-group vpn-in in
 peer default ip address pool RA_VPN_pool
 ppp authentication ms-chap-v2
!
ip local pool RA_VPN_pool 10.20.10.1 10.20.10.100
ip http server
no ip http secure-server
no ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
!
!
!
ip access-list extended for_radius
 permit udp any host 192.168.254.128
 permit icmp any host 192.168.254.128
ip access-list extended vpn-in
 permit ip any 192.168.254.0 0.0.0.255
 permit ip any 172.16.6.0 0.0.0.255
!
radius-server host 192.168.254.253 auth-port 1645 acct-port 1646 key ciscosecret
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password test
!
!
end

On the Windows Side:
I have created one IPsec policy. That IPsec policy has two IP filters, one for each direction, as described in this document.

Errors on the Router:
When I try to ping from the router, I get the following with IPsec and ISAKMP debugging on at level 7:

VPN_TEST#ping 192.168.254.128 rep 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 192.168.254.128, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
VPN_TEST#show log
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
    Console logging: disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled
    Buffer logging: level debugging, 3513 messages logged, xml disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 85 message lines logged

Log Buffer (4096 bytes):
I_MM4 

*Mar  2 01:26:59.829: ISAKMP (0:1): processing KE payload. message ID = 0
*Mar  2 01:26:59.845: ISAKMP (0:1): processing NONCE payload. message ID = 0
*Mar  2 01:26:59.845: ISAKMP: Looking for a matching key for 192.168.254.128 in default : success
*Mar  2 01:26:59.845: ISAKMP (0:1): found peer pre-shared key matching 192.168.254.128
*Mar  2 01:26:59.849: ISAKMP (0:1): SKEYID state generated
*Mar  2 01:26:59.849: ISAKMP:received payload type 20
*Mar  2 01:26:59.849: ISAKMP:received payload type 20
*Mar  2 01:26:59.849: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  2 01:26:59.849: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM4 

*Mar  2 01:26:59.849: ISAKMP (0:1): Send initial contact
*Mar  2 01:26:59.849: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  2 01:26:59.849: ISAKMP (0:1): ID payload 
    next-payload : 8
        type         : 1 
    address      : 192.168.254.30 
    protocol     : 17 
    port         : 500 
    length       : 12
*Mar  2 01:26:59.849: ISAKMP (1): Total payload length: 12
*Mar  2 01:26:59.849: ISAKMP (0:1): sending packet to 192.168.254.128 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  2 01:26:59.849: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  2 01:26:59.849: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM5 

*Mar  2 01:26:59.853: ISAKMP (0:1): received packet from 192.168.254.128 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar  2 01:26:59.853: ISAKMP (0:1): processing ID payload. message ID = 0
*Mar  2 01:26:59.853: ISAKMP (0:1): ID payload 
    next-payload : 8
    type         : 1 
    address      : 192.168.254.128 
    protocol     : 0 
    port         : 0 
    length       : 12
*Mar  2 01:26:59.853: ISAKMP (0:1): processing HASH payload. message ID = 0
*Mar  2 01:26:59.853: ISAKMP (0:1): SA authentication status: 
    authenticated
*Mar  2 01:26:59.853: ISAKMP (0:1): SA has been authenticated with 192.168.254.128
*Mar  2 01:26:59.853: ISAKMP (0:1): peer matches *none* of the profiles
*Mar  2 01:26:59.853: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  2 01:26:59.853: ISAKMP (0:1): Old State = IKE_I_MM5  New State = IKE_I_MM6 

*Mar  2 01:26:59.853: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  2 01:26:59.853: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_I_MM6 

*Mar  2 01:26:59.853: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  2 01:26:59.853: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE 

*Mar  2 01:26:59.857: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -952376679
*Mar  2 01:26:59.857: ISAKMP (0:1): sending packet to 192.168.254.128 my_port 500 peer_port 500 (I) QM_IDLE      
*Mar  2 01:26:59.857: ISAKMP (0:1): Node -952376679, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  2 01:26:59.857: ISAKMP (0:1): Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  2 01:26:59.857: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  2 01:26:59.857: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

*Mar  2 01:26:59.865: ISAKMP (0:1): received packet from 192.168.254.128 dport 500 sport 500 Global (I) QM_IDLE      
*Mar  2 01:26:59.865: ISAKMP: set new node -1887423582 to QM_IDLE      
*Mar  2 01:26:59.865: ISAKMP (0:1): processing HASH payload. message ID = -1887423582
*Mar  2 01:26:59.865: ISAKMP (0:1): processing NOTIFY INVALID_ID_INFO protocol 3
    spi 0, message ID = -1887423582, sa = 62F606C8
*Mar  2 01:26:59.865: ISAKMP (0:1): peer does not do paranoid keepalives.

*Mar  2 01:26:59.865: ISAKMP (0:1): deleting node -1887423582 error FALSE reason "informational (in) state 1"
*Mar  2 01:26:59.865: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar  2 01:26:59.865: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

*Mar  2 01:26:59.865: IPSEC(key_engine): got a queue event...
*Mar  2 01:26:59.865: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Mar  2 01:26:59.865: IPSEC(key_engine_delete_sas): delete all SAs shared with 192.168.254.128:500

Edit:

I have it working, but only if the Windows side initiates the tunnel. So if I try to ping from the router to the Windows server, it doesn't work unless I have already pinged it from Windows recently. In Windows I get the following audit log:

Event Type: Failure Audit
Event Source:   Security
Event Category: Logon/Logoff 
Event ID:   547
Date:       11/13/2009
Time:       8:59:21 AM
User:       NT AUTHORITY\NETWORK SERVICE
Computer:   BRANDT-VM
Description:
IKE security association negotiation failed.
 Mode: 
Data Protection Mode (Quick Mode)

 Filter: 
Source IP Address 192.168.254.128
Source IP Address Mask 0.0.0.0
Destination IP Address 0.0.0.0
Destination IP Address Mask 255.255.255.255
Protocol 1
Source Port 0
Destination Port 0
IKE Local Addr 192.168.254.128
IKE Peer Addr 192.168.254.30
 Peer Identity: 
Preshared key ID.
Peer IP Address: 192.168.254.30
  Failure Point: 
Me
 Failure Reason: 
No policy configured
 Extra Status: 
0x0 0x0
dmnc
Kyle Brandt
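The debug buffer above is long, and the useful facts are buried in it: phase 1 authenticated the peer, Quick Mode was started, and the first thing the peer sent back was a NOTIFY INVALID_ID_INFO for ESP, after which IOS tore the SAs down. The following script is an added example, not code from the original question, that pulls exactly those facts out of `debug crypto isakmp` output so the failing layer is obvious at a glance. The sample lines are a trimmed copy of the buffer on this page; the notify-to-protocol table follows the ISAKMP DOI numbering, and the `diagnose()` verdict names are my own.

```python
"""Triage helper for Cisco IOS `debug crypto isakmp` output (added example)."""
import re

# Constructed sample: the relevant lines from the debug buffer on this page.
SAMPLE_DEBUG = """\
*Mar  2 01:26:59.845: ISAKMP (0:1): found peer pre-shared key matching 192.168.254.128
*Mar  2 01:26:59.849: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  2 01:26:59.853: ISAKMP (0:1): SA has been authenticated with 192.168.254.128
*Mar  2 01:26:59.853: ISAKMP (0:1): peer matches *none* of the profiles
*Mar  2 01:26:59.853: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Mar  2 01:26:59.857: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -952376679
*Mar  2 01:26:59.865: ISAKMP (0:1): processing NOTIFY INVALID_ID_INFO protocol 3
    spi 0, message ID = -1887423582, sa = 62F606C8
*Mar  2 01:26:59.865: IPSEC(key_engine_delete_sas): delete all SAs shared with 192.168.254.128:500
"""

# Protocol IDs carried in an IPsec DOI NOTIFY payload (RFC 2407 section 4.4.1).
DOI_PROTO = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}

_RE_AUTH = re.compile(r"SA has been authenticated with (\d+\.\d+\.\d+\.\d+)")
_RE_STATE = re.compile(r"New State = (IKE_\w+)")
_RE_QM = re.compile(r"beginning Quick Mode exchange, M-ID of (-?\d+)")
_RE_NOTIFY = re.compile(r"processing NOTIFY (\w+) protocol (\d+)")
_RE_DELETE = re.compile(r"delete all SAs shared with (\d+\.\d+\.\d+\.\d+):\d+")


def parse_isakmp_debug(text):
    """Summarise one negotiation: authenticated peer, last state reached,
    whether Quick Mode was attempted, and every NOTIFY the peer sent."""
    summary = {
        "peer": None,
        "phase1_complete": False,
        "profile_matched": True,   # recorded only; harmless for a plain crypto map
        "quick_mode_started": False,
        "notifies": [],            # (notify name, DOI protocol name)
        "sas_deleted": False,
        "last_state": None,
    }
    for line in text.splitlines():
        if m := _RE_AUTH.search(line):
            summary["peer"] = m.group(1)
        if "peer matches *none* of the profiles" in line:
            summary["profile_matched"] = False
        if m := _RE_STATE.search(line):
            summary["last_state"] = m.group(1)
            if m.group(1) == "IKE_P1_COMPLETE":
                summary["phase1_complete"] = True
        if _RE_QM.search(line):
            summary["quick_mode_started"] = True
        if m := _RE_NOTIFY.search(line):
            proto = DOI_PROTO.get(int(m.group(2)), m.group(2))
            summary["notifies"].append((m.group(1), proto))
        if _RE_DELETE.search(line):
            summary["sas_deleted"] = True
    return summary


def diagnose(summary):
    """Name the layer at which the negotiation stopped."""
    if not summary["phase1_complete"]:
        return "phase1-failed"           # keys, proposals or pre-shared secret
    names = {n for n, _ in summary["notifies"]}
    if "INVALID_ID_INFO" in names or "NO_PROPOSAL_CHOSEN" in names:
        # Phase 1 is fine; the peer rejected what we offered for phase 2,
        # i.e. the proxy identities (traffic selectors) or the transform set.
        return "phase2-rejected-by-peer"
    if summary["quick_mode_started"] and not summary["sas_deleted"]:
        return "phase2-pending"
    return "unknown"


if __name__ == "__main__":
    s = parse_isakmp_debug(SAMPLE_DEBUG)
    print(s)
    print(diagnose(s))
```

Run against the posted buffer it reports `phase2-rejected-by-peer`: the pre-shared key and phase-1 policy are not the problem, so the next thing to compare is what each side proposes in Quick Mode (selectors and ESP transform), which is where the answer below ends up.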

1 Answer

I had a mismatch (SHA instead of MD5) between my transform-set on the router side and the Filter Action 'Negotiate Security Method' setting for ESP Integrity.

Edit:
But actually, now it is only working when Windows initiates a connection. So if I try to ping the Windows server from the router after a clear crypto sa, it does not work. However, if I first ping from Windows and then ping from the router, it works. So for some reason it looks like the Cisco router is not allowed to establish the tunnel.

Kyle Brandt

I am basically giving up on this. I get it working, and then it doesn't work, and the IP filters don't seem to follow a sensible logic in tunnel mode. I understand that in tunnel mode neither the protocol nor mirrored filters work. But even then, dst and src IP don't seem to work if by that they mean those fields in the IP headers. – Kyle Brandt Nov 17 '09 at 14:17
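The one-way behaviour in the answer (Windows can bring the tunnel up, the router cannot, and the router's pings work only while the SAs Windows negotiated are still alive) is what you get when the two sides derive different Quick Mode proxy identities from their policies. The script below is an added illustration, not code from the original post nor from Cisco or Microsoft, and it rests on three assumptions that the page itself does not prove but that reproduce the symptom: an IOS initiator proposes the addresses of the whole crypto-ACL line the packet matched (`any` becomes 0.0.0.0/0), not the packet's own addresses; an IOS responder accepts a proposal that lies inside a permit line; and a Windows XP responder accepts only a proposal that exactly equals one of its filters, otherwise it sends INVALID_ID_INFO and logs event 547 "No policy configured". The ACL is the `for_radius` list from the posted config; the XP filter list (My IP Address to 192.168.254.30, ICMP, mirrored) is constructed, since the post does not show it.

```python
"""Quick Mode proxy-identity check for the one-way tunnel symptom (added example)."""
import ipaddress
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
PROTO = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}   # 0 = any protocol
ROUTER, XP = "192.168.254.30", "192.168.254.128"


def host(ip):
    return ipaddress.ip_network(ip + "/32")


@dataclass(frozen=True)
class Selector:
    """One proxy-ID pair (local, remote, protocol) from the proposer's point of view."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    proto: int

    def reversed(self):
        return Selector(self.remote, self.local, self.proto)

    def within(self, other):
        """True if everything this selector covers is also covered by `other`."""
        return (self.local.subnet_of(other.local)
                and self.remote.subnet_of(other.remote)
                and other.proto in (0, self.proto))


def _acl_addr(tok):
    """Consume one IOS ACL address spec: any | host A | A WILDCARD."""
    if tok[0] == "any":
        return ANY_NET, tok[1:]
    if tok[0] == "host":
        return host(tok[1]), tok[2:]
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(tok[1]))   # wildcard -> netmask
    net = ipaddress.ip_network(f"{tok[0]}/{ipaddress.ip_address(mask)}", strict=False)
    return net, tok[2:]


def parse_crypto_acl(lines):
    """'permit <proto> <src> <dst>' -> Selector(src, dst, proto); src is the local ID."""
    sels = []
    for line in lines:
        tok = line.split()
        if tok[:1] != ["permit"]:
            continue                      # deny / blank lines never trigger a SA
        src, rest = _acl_addr(tok[2:])
        dst, _ = _acl_addr(rest)
        sels.append(Selector(src, dst, PROTO[tok[1]]))
    return sels


def first_match(policy, src_ip, dst_ip, proto):
    """The policy line (ACE or XP filter) that the triggering packet falls within.
    Assumption 1: the initiator then proposes that whole line as its proxy IDs."""
    pkt = Selector(host(src_ip), host(dst_ip), proto)
    return next((p for p in policy if pkt.within(p)), None)


def ios_responder_accepts(acl, peer_proposal):
    mine = peer_proposal.reversed()       # the peer's local ID is my remote ID
    return any(mine.within(ace) for ace in acl)          # assumption 2: subset is enough


def windows_responder_accepts(filters, peer_proposal):
    return peer_proposal.reversed() in filters            # assumption 3: exact match only


def xp_filters(local_ip, remote_ip, proto, mirrored=True):
    f = Selector(host(local_ip), host(remote_ip), proto)
    return [f, f.reversed()] if mirrored else [f]


POSTED_ACL = parse_crypto_acl([          # ip access-list extended for_radius, from the post
    "permit udp any host 192.168.254.128",
    "permit icmp any host 192.168.254.128",
])
XP_FILTERS = xp_filters(XP, ROUTER, PROTO["icmp"])      # constructed filter list


def run_scenarios(acl=POSTED_ACL, filters=XP_FILTERS):
    """(router-initiated ping negotiates?, Windows-initiated ping negotiates?)"""
    r = first_match(acl, ROUTER, XP, PROTO["icmp"])     # proposes 0.0.0.0/0 -> XP/32 icmp
    router_ok = r is not None and windows_responder_accepts(filters, r)
    w = first_match(filters, XP, ROUTER, PROTO["icmp"])  # proposes XP/32 -> router/32 icmp
    windows_ok = w is not None and ios_responder_accepts(acl, w)
    return router_ok, windows_ok


if __name__ == "__main__":
    print("posted ACL:", run_scenarios())
    symmetric = parse_crypto_acl(["permit icmp host 192.168.254.30 host 192.168.254.128"])
    print("host-to-host ACL:", run_scenarios(symmetric))
```

With the posted ACL the router's proposal has a 0.0.0.0/0 local identity, which equals no XP filter, so Windows rejects it exactly as the debug shows, while the host-to-host proposal Windows sends is inside `permit icmp any host 192.168.254.128` and IOS accepts it. Under the same assumptions a crypto ACL whose source and destination are both `host` entries makes the two proposals identical, and both directions negotiate; whether that is the whole story on the real boxes is for the reader to verify with `show crypto ipsec sa` and the 547 events, since the page does not confirm it.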