Cisco 837 to Draytek

Discussion in 'Cisco' started by Rob, Dec 14, 2004.

  1. Rob

    Rob Guest

    Hi All!

    SOS!

    I am in the process of setting up an on-demand VPN between our branch
    offices with a Cisco 837 ADSL router to Draytek.

    -I do not have access to the Draytek as it is maintained by other
    people; however, we have agreed on preshared keys and encryption etc.

    -The Draytek is on a leased line so it is not permanently on. Is there any
    extra configuration on my side to only connect once data is sent
    across?

    -My access list is as follows
    access-list 116 permit ip [LOCAL_NET] 0.0.0.255 [REMOTE_IP] 0.0.0.255

    -I don't seem to be establishing an SA, so I have posted parts of the
    debug as I am at a loss!

    Please help and thanks in advance!!!

    Rob
    ---------------------start_debug------------------------------------------
    Mar 1 00:46:31.503: ISAKMP: received ke message (3/1)
    *Mar 1 00:46:31.503: ISAKMP: ignoring request to send delete notify
    (no ISAKMP sa) src LOCAL_IP dst REMOTE_IP for SPI 0x0
    *Mar 1 00:46:42.843: ISAKMP: received ke message (1/1)
    *Mar 1 00:46:42.847: ISAKMP (0:0): no idb in request
    *Mar 1 00:46:42.847: ISAKMP: local port 500, remote port 500
    *Mar 1 00:46:42.847: ISAKMP: set new node 0 to QM_IDLE
    *Mar 1 00:46:42.847: ISAKMP (0:4): constructed NAT-T vendor ID
    *Mar 1 00:46:42.847: ISAKMP (0:4): Input = IKE_MESG_FROM_IPSEC,
    IKE_SA_REQ_MM
    *Mar 1 00:46:42.847: ISAKMP (0:4): Old State = IKE_READY New State =
    IKE_I_MM1

    *Mar 1 00:46:42.851: ISAKMP (0:4): beginning Main Mode exchange
    *Mar 1 00:46:42.851: ISAKMP (0:4): sending packet to REMOTE_IP my_port
    500 peer_port 500 (I) MM_NO_STATE
    *Mar 1 00:46:42.883: ISAKMP (0:4): received packet from REMOTE_IP
    dport 500 sport 500 (I) MM_NO_STATE
    *Mar 1 00:46:42.887: ISAKMP (0:4): Input = IKE_MESG_FROM_PEER,
    IKE_MM_EXCH
    *Mar 1 00:46:42.887: ISAKMP (0:4): Old State = IKE_I_MM1 New State =
    IKE_I_MM2

    *Mar 1 00:46:42.887: ISAKMP (0:4): processing SA payload. message ID =
    0
    *Mar 1 00:46:42.887: ISAKMP (0:4): found peer pre-shared key matching
    REMOTE_IP
    *Mar 1 00:46:42.887: ISAKMP (0:4) local preshared key found
    *Mar 1 00:46:42.891: ISAKMP (0:4): Checking ISAKMP transform 1 against
    priority 5 policy
    *Mar 1 00:46:42.891: ISAKMP: encryption 3DES-CBC
    *Mar 1 00:46:42.891: ISAKMP: hash MD5
    *Mar 1 00:46:42.891: ISAKMP: default group 1
    *Mar 1 00:46:42.891: ISAKMP: auth pre-share
    *Mar 1 00:46:42.891: ISAKMP: life type in seconds
    *Mar 1 00:46:42.891: ISAKMP: life duration (basic) of 3600
    *Mar 1 00:46:42.891: ISAKMP (0:4): atts are acceptable. Next payload
    is 0
    *Mar 1 00:46:43.027: ISAKMP (0:4): Input = IKE_MESG_INTERNAL,
    IKE_PROCESS_MAIN_MODE
    *Mar 1 00:46:43.031: ISAKMP (0:4): Old State = IKE_I_MM2 New State =
    IKE_I_MM2

    *Mar 1 00:46:43.031: ISAKMP (0:4): sending packet to REMOTE_IP my_port
    500 peer_port 500 (I) MM_SA_SETUP
    *Mar 1 00:46:43.035: ISAKMP (0:4): Input = IKE_MESG_INTERNAL,
    IKE_PROCESS_COMPLETE
    *Mar 1 00:46:43.035: ISAKMP (0:4): Old State = IKE_I_MM2 New State =
    IKE_I_MM3

    *Mar 1 00:46:43.955: ISAKMP (0:4): received packet from REMOTE_IP
    dport 500 sport 500 (I) MM_SA_SETUP
    *Mar 1 00:46:43.955: ISAKMP (0:4): Input = IKE_MESG_FROM_PEER,
    IKE_MM_EXCH
    *Mar 1 00:46:43.955: ISAKMP (0:4): Old State = IKE_I_MM3 New State =
    IKE_I_MM4

    *Mar 1 00:46:43.955: ISAKMP (0:4): processing KE payload. message ID =
    0
    *Mar 1 00:46:44.119: ISAKMP (0:4): processing NONCE payload. message
    ID = 0
    *Mar 1 00:46:44.119: ISAKMP (0:4): found peer pre-shared key matching
    REMOTE_IP
    *Mar 1 00:46:44.119: ISAKMP (0:4): SKEYID state generated
    *Mar 1 00:46:44.123: ISAKMP (0:4): Input = IKE_MESG_INTERNAL,
    IKE_PROCESS_MAIN_MODE
    *Mar 1 00:46:44.123: ISAKMP (0:4): Old State = IKE_I_MM4 New State =
    IKE_I_MM4

    *Mar 1 00:46:44.231: ISAKMP (0:4): Send initial contact
    *Mar 1 00:46:44.231: ISAKMP (0:4): SA is doing pre-shared key
    authentication using id type ID_IPV4_ADDR
    *Mar 1 00:46:44.231: ISAKMP (4): ID payload
    next-payload : 8
    type : 1
    addr : LOCAL_IP
    protocol : 17
    port : 0
    length : 8
    *Mar 1 00:46:44.231: ISAKMP (4): Total payload length: 12
    *Mar 1 00:46:44.239: ISAKMP (0:4): sending packet to REMOTE_IP my_port
    500 peer_port 500 (I) MM_KEY_EXCH
    *Mar 1 00:46:44.239: ISAKMP (0:4): Input = IKE_MESG_INTERNAL,
    IKE_PROCESS_COMPLETE
    *Mar 1 00:46:44.239: ISAKMP (0:4): Old State = IKE_I_MM4 New State =
    IKE_I_MM5

    *Mar 1 00:46:46.719: ISAKMP (0:4): received packet from REMOTE_IP
    dport 500 sport 500 (I) MM_KEY_EXCH
    *Mar 1 00:46:46.719: ISAKMP (0:4): phase 1 packet is a duplicate of a
    previous packet.
    *Mar 1 00:46:46.719: ISAKMP (0:4): retransmitting due to retransmit
    phase 1
    *Mar 1 00:46:46.719: ISAKMP (0:4): retransmitting phase 1
    MM_KEY_EXCH...
    *Mar 1 00:46:47.219: ISAKMP (0:4): retransmitting phase 1
    MM_KEY_EXCH...
    *Mar 1 00:46:47.219: ISAKMP (0:4): incrementing error counter on sa:
    retransmit phase 1
    *Mar 1 00:46:47.219: ISAKMP (0:4): retransmitting phase 1 MM_KEY_EXCH
    *Mar 1 00:46:47.219: ISAKMP (0:4): sending packet to REMOTE_IP my_port
    500 peer_port 500 (I) MM_KEY_EXCH
    *Mar 1 00:46:52.647: ISAKMP (0:4): received packet from REMOTE_IP
    dport 500 sport 500 (I) MM_KEY_EXCH
    *Mar 1 00:46:52.647: ISAKMP (0:4): phase 1 packet is a duplicate of a
    previous packet.
    *Mar 1 00:46:52.647: ISAKMP (0:4): retransmitting due to retransmit
    phase 1
    *Mar 1 00:46:52.647: ISAKMP (0:4): retransmitting phase 1
    MM_KEY_EXCH...
    *Mar 1 00:46:53.147: ISAKMP (0:4): retransmitting phase 1
    MM_KEY_EXCH...
    *Mar 1 00:46:53.147: ISAKMP (0:4): incrementing error counter on sa:
    retransmit phase 1
    *Mar 1 00:46:53.147: ISAKMP (0:4): retransmitting phase 1 MM_KEY_EXCH
    *Mar 1 00:46:53.147: ISAKMP (0:4): sending packet to REMOTE_IP my_port
    500 peer_port 500 (I) MM_KEY_EXCH
    *Mar 1 00:47:03.147: ISAKMP (0:4): retransmitting phase 1
    MM_KEY_EXCH...
    *Mar 1 00:47:03.147: ISAKMP (0:4): incrementing error counter on sa:
    retransmit phase 1
    *Mar 1 00:47:03.147: ISAKMP (0:4): retransmitting phase 1 MM_KEY_EXCH
    *Mar 1 00:47:03.147: ISAKMP (0:4): sending packet to REMOTE_IP my_port
    500 peer_port 500 (I) MM_KEY_EXCH
    *Mar 1 00:47:12.267: ISAKMP (0:3): purging node 496325154
    *Mar 1 00:47:12.271: ISAKMP (0:3): purging node -777041986
    *Mar 1 00:47:12.843: ISAKMP: received ke message (1/1)
    *Mar 1 00:47:12.843: ISAKMP: set new node 0 to QM_IDLE
    *Mar 1 00:47:12.843: ISAKMP (0:4): SA is still budding. Attached new
    ipsec request to it.
    *Mar 1 00:47:13.147: ISAKMP (0:4): retransmitting phase 1
    MM_KEY_EXCH...
    *Mar 1 00:47:13.147: ISAKMP (0:4): incrementing error counter on sa:
    retransmit phase 1
    *Mar 1 00:47:13.147: ISAKMP (0:4): retransmitting phase 1 MM_KEY_EXCH
    *Mar 1 00:47:13.147: ISAKMP (0:4): sending packet to REMOTE_IP my_port
    500 peer_port 500 (I) MM_KEY_EXCH
    *Mar 1 00:47:22.271: ISAKMP (0:3): purging SA., sa=813ED708,
    delme=813ED708
    *Mar 1 00:47:23.147: ISAKMP (0:4): retransmitting phase 1
    MM_KEY_EXCH...
    *Mar 1 00:47:23.147: ISAKMP (0:4): incrementing error counter on sa:
    retransmit phase 1
    *Mar 1 00:47:23.147: ISAKMP (0:4): retransmitting phase 1 MM_KEY_EXCH
    *Mar 1 00:47:23.147: ISAKMP (0:4): sending packet to REMOTE_IP my_port
    500 peer_port 500 (I) MM_KEY_EXCH
    *Mar 1 00:47:33.147: ISAKMP (0:4): retransmitting phase 1
    MM_KEY_EXCH...
    *Mar 1 00:47:33.147: ISAKMP (0:4): peer does not do paranoid
    keepalives.

    *Mar 1 00:47:33.147: ISAKMP (0:4): deleting SA reason "death by
    retransmission P1" state (I) MM_KEY_EXCH (peer REMOTE_IP) input queue 0
    *Mar 1 00:47:33.147: ISAKMP (0:4): deleting SA reason "death by
    retransmission P1" state (I) MM_KEY_EXCH (peer REMOTE_IP) input queue 0
    -------------------end_debug------------------------------------
    Rob, Dec 14, 2004
    #1
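
An added example, not part of Rob's post and not Cisco tooling: a small Python triage script for ISAKMP debug output like the above. It rejoins the wrapped lines, then reports the Main Mode states reached, the retransmit and duplicate-packet counts, and the state in which the SA was deleted; the names `unwrap` and `summarize` are this example's own.

```python
import re

# Shortened excerpt of the debug output posted above, keeping the newsreader's
# line wrapping (continuation lines carry no timestamp).
SAMPLE = """\
*Mar 1 00:46:42.847: ISAKMP (0:4): Old State = IKE_READY New State =
IKE_I_MM1
*Mar 1 00:46:42.887: ISAKMP (0:4): Old State = IKE_I_MM1 New State =
IKE_I_MM2
*Mar 1 00:46:43.031: ISAKMP (0:4): Old State = IKE_I_MM2 New State =
IKE_I_MM2
*Mar 1 00:46:44.239: ISAKMP (0:4): Old State = IKE_I_MM4 New State =
IKE_I_MM5
*Mar 1 00:46:46.719: ISAKMP (0:4): phase 1 packet is a duplicate of a
previous packet.
*Mar 1 00:46:47.219: ISAKMP (0:4): incrementing error counter on sa:
retransmit phase 1
*Mar 1 00:47:33.147: ISAKMP (0:4): deleting SA reason "death by
retransmission P1" state (I) MM_KEY_EXCH (peer REMOTE_IP) input queue 0
"""

STAMP = re.compile(r"^\*?[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+: ")

def unwrap(text):
    """Rejoin wrapped records: a new record starts only at a timestamp."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarize(text):
    """Collect phase 1 state changes, retransmit counters and the SA deletion."""
    out = {"states": [], "retransmits": 0, "duplicates": 0, "deleted": None}
    for rec in unwrap(text):
        m = re.search(r"Old State = (\S+) +New State = (\S+)", rec)
        if m and m.group(1) != m.group(2):   # skip self-transitions
            out["states"].append(m.group(2))
        out["retransmits"] += "incrementing error counter" in rec
        out["duplicates"] += "duplicate of a previous packet" in rec
        m = re.search(r'deleting SA reason "([^"]+)" state \(\w\) (\S+)', rec)
        if m:
            out["deleted"] = (m.group(1), m.group(2))
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```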