Cisco 2811 to Windows 2003 IPsec tunnel - SAs fine but no traffic...

Discussion in 'Cisco' started by paperiq@gmail.com, Mar 3, 2006.

  1. Guest

    I'm trying to set up a Cisco 2811 router with site-to-site IPsec tunnels
    to Windows Server 2003 servers at a data centre. Each tunnel is to a
    single 2003 server.

    The config is based on the well advertised info at:
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b12b5.shtml
    and...
    http://support.microsoft.com/default.aspx?scid=kb;en-us;816514

    The only difference is that there's clearly no network 'behind' the
    2003 server - it just has a 192.168.202.1 private address that's used
    from the network behind the Cisco (192.168.100.0/255.255.255.0).
    There's obviously a static route on the 2003 server for the
    192.168.100.0 network pointing back to the Cisco peer.

    However, although both the 2811 and the 2003 server indicate that both
    phase 1 & 2 SAs are successfully setup, no traffic can be routed over
    the tunnel and it drops after 5 mins.

    The 2811 indicates several packets encapsulated with some send errors
    and none being decapsulated, which makes sense given the lack of
    traffic across the tunnel.

    The log excerpt below, from the 2003 server's Oakley log, shows the
    successful completion of phase 2 and then the drop after 5 mins.

    I'd appreciate any pointers from anyone who's had experience in getting
    a Cisco-MS IPsec tunnel up and running successfully.

    Many thanks,

    James


    3-03: 20:03:19:192:1f28 Adding QMs: src = 192.168.202.1.0000, dst =
    192.168.100.0.0000, proto = 00, context = 000002E5, my tunnel =
    x.x.x.x, peer tunnel = y.y.y.y, SrcMask = 0.0.0.0, DestMask =
    255.255.255.0 Lifetime = 3600 LifetimeKBytes 100000 dwFlags 1 Direction
    1 EncapType 1
    3-03: 20:03:19:192:1f28 Algo[0] Operation: ESP Algo: DES CBC HMAC:
    MD5
    3-03: 20:03:19:192:1f28 Algo[0] MySpi: 773182938 PeerSpi: 4012818715
    3-03: 20:03:19:192:1f28 Encap Ports Src 500 Dst 500
    3-03: 20:03:19:192:1f28 isadb_set_status sa:01C039B0 centry:01C83C60
    status 0
    3-03: 20:03:19:192:1f28 Constructing Commit Notify
    3-03: 20:03:19:192:1f28 constructing ISAKMP Header
    3-03: 20:03:19:192:1f28 constructing HASH (null)
    3-03: 20:03:19:192:1f28 constructing NOTIFY 16384
    3-03: 20:03:19:192:1f28 constructing HASH (QM)
    3-03: 20:03:19:192:1f28
    3-03: 20:03:19:192:1f28 Sending: SA = 0x01C039B0 to y.y.y.y:Type 4.500
    3-03: 20:03:19:192:1f28 ISAKMP Header: (V1.0), len = 76
    3-03: 20:03:19:192:1f28 I-COOKIE 2a798ab2edfdb903
    3-03: 20:03:19:192:1f28 R-COOKIE f53edfad5d086eaf
    3-03: 20:03:19:192:1f28 exchange: Oakley Quick Mode
    3-03: 20:03:19:192:1f28 flags: 3 ( encrypted commit )
    3-03: 20:03:19:192:1f28 next payload: HASH
    3-03: 20:03:19:192:1f28 message ID: 72de9cce
    3-03: 20:03:19:192:1f28 Ports S:f401 D:f401
    3-03: 20:03:28:677:1f28 ClearFragList
    3-03: 20:04:13:692:1f28 CE Dead. sa:01C039B0 ce:01C83C60 status:35f0
    3-03: 20:08:18:255:24a0
    3-03: 20:08:18:255:24a0 Receive: (get) SA = 0x01c039b0 from
    y.y.y.y.500
    3-03: 20:08:18:255:24a0 ISAKMP Header: (V1.0), len = 76
    3-03: 20:08:18:255:24a0 I-COOKIE 2a798ab2edfdb903
    3-03: 20:08:18:255:24a0 R-COOKIE f53edfad5d086eaf
    3-03: 20:08:18:255:24a0 exchange: ISAKMP Informational Exchange
    3-03: 20:08:18:255:24a0 flags: 1 ( encrypted )
    3-03: 20:08:18:255:24a0 next payload: HASH
    3-03: 20:08:18:255:24a0 message ID: b24f8b73
    3-03: 20:08:18:255:24a0 processing HASH (Notify/Delete)
    3-03: 20:08:18:255:24a0 processing payload DELETE
    3-03: 20:08:18:255:24a0 Expiring SPI 773182938 src 1f8a0c54 dst
    eccdabd5
    3-03: 20:08:18:255:24a0 QM Deleted. Notify from driver: Src
    192.168.202.1 Dest 192.168.100.0 InSPI 773182938 OutSpi 4012818715
    Tunnel 1f8a0c54 TunnelFilter 0
    3-03: 20:08:18:255:24a0 PrivatePeerAddr 0
     
    , Mar 3, 2006
    #1