0 votes
733 views 2 comments
by anonymous
Hi dear friends,

I have encountered a strange issue regarding the IPsec tunnel between Teltonika and Cisco Router.

I have set up an IPsec connection with the mobile operator (first VPN tunnel). For our local network, they have provided us a virtual subnet (172.28.28.0/29), and for the remote network, 10.101.1.0/24.

So, my aim is to provide end-to-end encryption and build a new tunnel over the existing IPsec tunnel.
On our Internet gateway, I have configured NAT for 192.168.170.254 VPN RT. At the same time, NAT-T is enabled on both ends.

Once I enable IPsec on the Teltonika, I see the output below on the Cisco VPN router.

192.168.170.254   10.101.1.10    MM_NO_STATE      15295 ACTIVE (deleted)

I have checked the configurations several times: phase 1, phase 2, crypto ACL, PFS, etc.

Could you share your thoughts?
by anonymous
Jan 10 20:40:26: ISAKMP-PAK: (0):received packet from 10.101.1.10 dport 500 sport 500 Global (N) NEW SA
Jan 10 20:40:26: ISAKMP: (0):Created a peer struct for 10.101.1.10, peer port 500
Jan 10 20:40:26: ISAKMP: (0):New peer created peer = 0x1752DF48 peer_handle = 0x80327127
Jan 10 20:40:26: ISAKMP: (0):Locking peer struct 0x1752DF48, refcount 1 for crypto_isakmp_process_block
Jan 10 20:40:26: ISAKMP: (0):local port 500, remote port 500
Jan 10 20:40:26: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 13E4004C
Jan 10 20:40:26: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 10 20:40:26: ISAKMP: (0):Old State = IKE_READY  New State = IKE_R_MM1

Jan 10 20:40:26: ISAKMP: (0):processing SA payload. message ID = 0
Jan 10 20:40:26: ISAKMP: (0):processing vendor id payload
Jan 10 20:40:26: ISAKMP: (0):vendor ID seems Unity/DPD but major 215 mismatch
Jan 10 20:40:26: ISAKMP: (0):vendor ID is XAUTH
Jan 10 20:40:26: ISAKMP: (0):processing vendor id payload
Jan 10 20:40:26: ISAKMP: (0):vendor ID is DPD
Jan 10 20:40:26: ISAKMP: (0):processing vendor id payload
Jan 10 20:40:26: ISAKMP: (0):processing IKE frag vendor id payload
Jan 10 20:40:26: ISAKMP: (0):Support for IKE Fragmentation not enabled
Jan 10 20:40:26: ISAKMP: (0):processing vendor id payload
Jan 10 20:40:26: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
Jan 10 20:40:26: ISAKMP: (0):vendor ID is NAT-T RFC 3947
Jan 10 20:40:26: ISAKMP: (0):processing vendor id payload
Jan 10 20:40:26: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Jan 10 20:40:26: ISAKMP: (0):vendor ID is NAT-T v2
Jan 10 20:40:26: ISAKMP: (0):found peer pre-shared key matching 10.101.1.10
Jan 10 20:40:26: ISAKMP: (0):local preshared key found
Jan 10 20:40:26: ISAKMP: (0):Checking ISAKMP transform 1 against priority 25 policy
Jan 10 20:40:26: ISAKMP: (0):      encryption 3DES-CBC
Jan 10 20:40:26: ISAKMP: (0):      hash SHA
Jan 10 20:40:26: ISAKMP: (0):      default group 2
Jan 10 20:40:26: ISAKMP: (0):      auth pre-share
Jan 10 20:40:26: ISAKMP: (0):      life type in seconds
Jan 10 20:40:26: ISAKMP:      life duration (VPI) of  0x0 0x1 0x4F 0xF0
Jan 10 20:40:26: ISAKMP: (0):atts are acceptable. Next payload is 0
Jan 10 20:40:26: ISAKMP: (0):Acceptable atts:actual life: 86000
Jan 10 20:40:26: ISAKMP: (0):Acceptable atts:life: 0
Jan 10 20:40:26: ISAKMP: (0):Fill atts in sa vpi_length:4
Jan 10 20:40:26: ISAKMP: (0):Fill atts in sa life_in_seconds:86000
Jan 10 20:40:26: ISAKMP: (0):Returning Actual lifetime: 86000
Jan 10 20:40:26: ISAKMP: (0):Started lifetime timer: 86000.

Jan 10 20:40:26: ISAKMP: (0):processing vendor id payload
Jan 10 20:40:26: ISAKMP: (0):vendor ID seems Unity/DPD but major 215 mismatch
Jan 10 20:40:26: ISAKMP: (0):vendor ID is XAUTH
Jan 10 20:40:26: ISAKMP: (0):processing vendor id payload
Jan 10 20:40:26: ISAKMP: (0):vendor ID is DPD
Jan 10 20:40:26: ISAKMP: (0):processing vendor id payload
Jan 10 20:40:26: ISAKMP: (0):processing IKE frag vendor id payload
Jan 10 20:40:26: ISAKMP: (0):Support for IKE Fragmentation not enabled
Jan 10 20:40:26: ISAKMP: (0):processing vendor id payload
Jan 10 20:40:26: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
Jan 10 20:40:26: ISAKMP: (0):vendor ID is NAT-T RFC 3947
Jan 10 20:40:26: ISAKMP: (0):processing vendor id payload
Jan 10 20:40:26: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Jan 10 20:40:26: ISAKMP: (0):vendor ID is NAT-T v2
Jan 10 20:40:26: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 10 20:40:26: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM1

Jan 10 20:40:26: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
Jan 10 20:40:26: ISAKMP-PAK: (0):sending packet to 10.101.1.10 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jan 10 20:40:26: ISAKMP: (0):Sending an IKE IPv4 Packet.
Jan 10 20:40:26: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 10 20:40:26: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM2

Jan 10 20:40:27: ISAKMP-PAK: (0):received packet from 10.101.1.10 dport 500 sport 500 Global (R) MM_SA_SETUP
Jan 10 20:40:27: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 10 20:40:27: ISAKMP: (0):Old State = IKE_R_MM2  New State = IKE_R_MM3

Jan 10 20:40:27: ISAKMP: (0):processing KE payload. message ID = 0
Jan 10 20:40:27: ISAKMP: (0):processing NONCE payload. message ID = 0
Jan 10 20:40:27: ISAKMP: (0):found peer pre-shared key matching 10.101.1.10
Jan 10 20:40:27: ISAKMP: (15288):received payload type 20
Jan 10 20:40:27: ISAKMP: (15288):NAT found, both nodes inside NAT
Jan 10 20:40:27: ISAKMP: (15288):received payload type 20
Jan 10 20:40:27: ISAKMP: (15288):NAT found, both nodes inside NAT
Jan 10 20:40:27: ISAKMP: (15288):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 10 20:40:27: ISAKMP: (15288):Old State = IKE_R_MM3  New State = IKE_R_MM3

Jan 10 20:40:27: ISAKMP-PAK: (15288):sending packet to 10.101.1.10 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Jan 10 20:40:27: ISAKMP: (15288):Sending an IKE IPv4 Packet.
Jan 10 20:40:27: ISAKMP: (15288):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 10 20:40:27: ISAKMP: (15288):Old State = IKE_R_MM3  New State = IKE_R_MM4

Jan 10 20:40:27: ISAKMP-PAK: (15288):received packet from 10.101.1.10 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
Jan 10 20:40:27: ISAKMP: (15288):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 10 20:40:27: ISAKMP: (15288):Old State = IKE_R_MM4  New State = IKE_R_MM5

Jan 10 20:40:27: ISAKMP: (15288):processing ID payload. message ID = 0
Jan 10 20:40:27: ISAKMP: (15288):ID payload
        next-payload : 8
        type         : 1
Jan 10 20:40:27: ISAKMP: (15288):       address      : 10.101.1.10
Jan 10 20:40:27: ISAKMP: (15288):       protocol     : 0
        port         : 0
        length       : 12
Jan 10 20:40:27: ISAKMP: (15288):processing HASH payload. message ID = 0
Jan 10 20:40:27: ISAKMP: (15288):processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 0x13E4004C
Jan 10 20:40:27: ISAKMP: (15288):SA authentication status:
        authenticated
Jan 10 20:40:27: ISAKMP: (15288):SA has been authenticated with 10.101.1.10
Jan 10 20:40:27: ISAKMP: (15288):Detected port floating to port = 4500
Jan 10 20:40:27: ISAKMP: (15288):Trying to find existing peer192.168.170.254/10.101.1.10/4500/
Jan 10 20:40:27: ISAKMP: (15288):SA authentication status:
        authenticated
Jan 10 20:40:27: ISAKMP: (15288):Process initial contact,
bring down existing phase 1 and 2 SA's with local192.168.170.254 remote 10.101.1.10 remote port 4500
Jan 10 20:40:27: ISAKMP: (0):Trying to insert a peer192.168.170.254/10.101.1.10/4500/,
Jan 10 20:40:27: ISAKMP: (0): and inserted successfully 1752DF48.
Jan 10 20:40:27: ISAKMP: (15288):Setting UDP ENC peer struct 0x102168DC sa= 0x13E4004C
Jan 10 20:40:27: ISAKMP: (15288):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 10 20:40:27: ISAKMP: (15288):Old State = IKE_R_MM5  New State = IKE_R_MM5

Jan 10 20:40:27: ISAKMP: (15288):SA is doing
Jan 10 20:40:27: ISAKMP: (15288):pre-shared key authentication using id type ID_IPV4_ADDR
Jan 10 20:40:27: ISAKMP: (15288):ID payload
        next-payload : 8
        type         : 1
Jan 10 20:40:27: ISAKMP: (15288):       address      :192.168.170.254
Jan 10 20:40:27: ISAKMP: (15288):       protocol     : 17
        port         : 0
        length       : 12
Jan 10 20:40:27: ISAKMP: (15288):Total payload length: 12
Jan 10 20:40:27: ISAKMP-PAK: (15288):sending packet to 10.101.1.10 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
Jan 10 20:40:27: ISAKMP: (15288):Sending an IKE IPv4 Packet.
Jan 10 20:40:27: ISAKMP: (15288):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 10 20:40:27: ISAKMP: (15288):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

Jan 10 20:40:27: ISAKMP: (15288):IKE_DPD is enabled, initializing timers
Jan 10 20:40:27: ISAKMP: (15288):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jan 10 20:40:27: ISAKMP: (15288):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Jan 10 20:40:27: ISAKMP-PAK: (15288):received packet from 10.101.1.10 dport 4500 sport 4500 Global (R) QM_IDLE      
Jan 10 20:40:27: ISAKMP: (15288):set new node -1813728279 to QM_IDLE      
Jan 10 20:40:27: ISAKMP: (15288):processing HASH payload. message ID = 2481239017
Jan 10 20:40:27: ISAKMP: (15288):processing DELETE payload. message ID = 2481239017
Jan 10 20:40:27: ISAKMP: (15288):peer does not do paranoid keepalives.
Jan 10 20:40:27: ISAKMP: (15288):deleting SA reason "No reason" state (R) QM_IDLE       (peer 10.101.1.10)
Jan 10 20:40:27: ISAKMP: (15288):deleting node -1813728279 error FALSE reason "Informational (in) state 1"
Jan 10 20:40:27: IPSec: Key engine got a KEY_MGR_CHECK_MORE_SAS message
Jan 10 20:40:27: ISAKMP (15288): IPSec has no more SA's with this peer.  Won't keepalive phase 1.
Jan 10 20:40:27: ISAKMP: (15288):set new node 603792729 to QM_IDLE      
Jan 10 20:40:27: ISAKMP-PAK: (15288):sending packet to 10.101.1.10 my_port 4500 peer_port 4500 (R) QM_IDLE      
Jan 10 20:40:27: ISAKMP: (15288):Sending an IKE IPv4 Packet.
Jan 10 20:40:27: ISAKMP: (15288):purging node 603792729
Jan 10 20:40:27: ISAKMP: (15288):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jan 10 20:40:27: ISAKMP: (15288):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

Jan 10 20:40:27: ISAKMP: (15288):deleting SA reason "No reason" state (R) QM_IDLE       (peer 10.101.1.10)
Jan 10 20:40:27: ISAKMP: (0):Unlocking peer struct 0x1752DF48 for isadb_mark_sa_deleted(), count 0
Jan 10 20:40:27: ISAKMP: (0):Deleting peer node by peer_reap for 10.101.1.10: 1752DF48
Jan 10 20:40:27: ISAKMP: (15288):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 10 20:40:27: ISAKMP: (15288):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

Jan 10 20:40:27: ISAKMP: (15286):purging SA., sa=1065BC8, delme=1065BC8

1 Answer

0 votes
by anonymous

Hello,

Phase 1 seems to complete without any issues, but phase 2 seems to be failing. I've done some brief research online, and the majority of the replies indicate the same cause of this issue: a PFS settings mismatch. While it is impossible to tell what configuration is currently running on the Teltonika and Cisco devices, I would strongly suggest completely disabling PFS on the Teltonika device (in the phase 2 settings) and removing any reference to it from the crypto map of your Cisco router.

Note: additionally, forcing crypto proposals on the Teltonika side is advised, because Teltonika's IPsec (strongSwan) is quite flexible in terms of negotiation and will accept a decent number of algorithm combinations proposed by the remote side.

Once done, verify whether this is indeed the issue or whether the tunnel is still failing to establish phase 2.

The following messages seem to indicate this issue:

Jan 10 20:40:27: ISAKMP: (15288):peer does not do paranoid keepalives.
Jan 10 20:40:27: ISAKMP: (15288):deleting SA reason "No reason" state (R) QM_IDLE       (peer 10.101.1.10)

If the issue persists after giving the PFS-related settings a shot, please post the relevant part of your Cisco configuration (sanitize sensitive parts, if there are any) and additionally attach a troubleshoot file from the Teltonika device, which may be downloaded via the WebUI from the following location:

System → Administration → Troubleshoot
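The answer above reads the debug output by eye: the state machine reaches IKE_P1_COMPLETE, no quick-mode (message ID != 0) exchange ever arrives, and the next thing the Cisco sees is a DELETE from the peer. The following script, an added example that is not code from the thread, from Teltonika or from Cisco, applies exactly that reading to `debug crypto isakmp` text. The two log samples are constructed to mirror the shape of IOS output (timestamps and SA ids are made up); the state names and marker strings are the ones IOS prints, and the verdict texts are this example's own heuristics.

```python
"""Triage of Cisco IOS "debug crypto isakmp" output: did main mode (phase 1)
complete, did any quick-mode (phase 2) message ever arrive, and who tore the
SA down? Added example, not code from the thread or from Teltonika/Cisco."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the thread's capture (abridged, ids made up):
# phase 1 completes, then the peer sends DELETE before any quick-mode message.
SAMPLE_P2_NEVER_STARTED = """\
Jan 10 20:40:26: ISAKMP: (0):Old State = IKE_READY  New State = IKE_R_MM1
Jan 10 20:40:26: ISAKMP: (0):processing SA payload. message ID = 0
Jan 10 20:40:26: ISAKMP: (0):atts are acceptable. Next payload is 0
Jan 10 20:40:27: ISAKMP: (15288):NAT found, both nodes inside NAT
Jan 10 20:40:27: ISAKMP: (15288):SA has been authenticated with 10.101.1.10
Jan 10 20:40:27: ISAKMP: (15288):Detected port floating to port = 4500
Jan 10 20:40:27: ISAKMP: (15288):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
Jan 10 20:40:27: ISAKMP: (15288):processing DELETE payload. message ID = 2481239017
Jan 10 20:40:27: ISAKMP: (15288):deleting SA reason "No reason" state (R) QM_IDLE       (peer 10.101.1.10)
Jan 10 20:40:27: ISAKMP: (15288):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
"""

# Constructed sample of the other common failure: quick mode does start, but the
# responder rejects the phase-2 proposal (transform set / PFS / proxy ACL mismatch).
SAMPLE_P2_REJECTED = """\
Jan 10 21:00:01: ISAKMP: (4242):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
Jan 10 21:00:01: ISAKMP: (4242):Old State = IKE_QM_READY  New State = IKE_QM_READY
Jan 10 21:00:01: ISAKMP: (4242):processing SA payload. message ID = 3345678901
Jan 10 21:00:01: ISAKMP: (4242):Checking IPSec proposal 1
Jan 10 21:00:01: ISAKMP: (4242):IPSec policy invalidated proposal with error 32
Jan 10 21:00:01: ISAKMP: (4242):phase 2 SA policy not acceptable! (local 192.168.170.254 remote 10.101.1.10)
"""

STATE_RE = re.compile(r"ISAKMP: \((\d+)\):Old State = (\S+)\s+New State = (\S+)")
SA_PAYLOAD_RE = re.compile(r"processing SA payload\. message ID = (\d+)")
DELETE_RE = re.compile(r"processing DELETE payload\. message ID = (\d+)")
AUTH_RE = re.compile(r"SA has been authenticated with (\S+)")
P2_REJECT_MARKERS = ("IPSec policy invalidated proposal", "phase 2 SA policy not acceptable")


@dataclass
class Triage:
    peer: Optional[str] = None
    phase1_complete: bool = False
    quick_mode_seen: bool = False       # any IKE_QM_* state or SA payload with message ID != 0
    phase2_complete: bool = False
    peer_delete_before_qm: bool = False
    rejected: Optional[str] = None      # "phase1" or "phase2"
    nat_t: bool = False
    states: List[str] = field(default_factory=list)

    def verdict(self) -> str:
        if self.rejected == "phase1" or not self.phase1_complete:
            return ("phase1-failed: no IKE_P1_COMPLETE transition; compare the ISAKMP policy "
                    "(encryption, hash, DH group, auth, lifetime) and the pre-shared key")
        if self.rejected == "phase2":
            return ("phase2-rejected: quick-mode proposal refused; compare transform set, "
                    "PFS group and crypto ACL / traffic selectors on both ends")
        if self.phase2_complete:
            return "ok: phase 1 and phase 2 complete"
        if self.peer_delete_before_qm:
            return ("phase2-never-started: phase 1 completed, then the peer sent DELETE before "
                    "any quick-mode message reached this side; the reason is on the initiator, "
                    "read its IKE log")
        return "phase2-incomplete: quick mode seen but no IKE_QM_PHASE2_COMPLETE"


def triage(log: str) -> Triage:
    """Walk the debug lines in order and record the facts the verdict needs."""
    t = Triage()
    for line in log.splitlines():
        m = STATE_RE.search(line)
        if m:
            new_state = m.group(3)
            t.states.append(new_state)
            if new_state == "IKE_P1_COMPLETE":
                t.phase1_complete = True
            elif new_state.startswith("IKE_QM_"):
                t.quick_mode_seen = True
                if new_state == "IKE_QM_PHASE2_COMPLETE":
                    t.phase2_complete = True
            continue
        m = SA_PAYLOAD_RE.search(line)
        if m and int(m.group(1)) != 0:     # message ID 0 is main mode, anything else is quick mode
            t.quick_mode_seen = True
            continue
        m = AUTH_RE.search(line)
        if m:
            t.peer = m.group(1)
        if DELETE_RE.search(line) and t.phase1_complete and not t.quick_mode_seen:
            t.peer_delete_before_qm = True
        if "atts are not acceptable" in line.lower():
            t.rejected = "phase1"
        if any(marker in line for marker in P2_REJECT_MARKERS):
            t.rejected = "phase2"
        if "NAT found" in line or "port floating to port = 4500" in line:
            t.nat_t = True
    return t


if __name__ == "__main__":
    for name, sample in (("never-started", SAMPLE_P2_NEVER_STARTED), ("rejected", SAMPLE_P2_REJECTED)):
        print(name, "->", triage(sample).verdict())
```

Feed it a real capture with `triage(open("isakmp.log").read()).verdict()`. The point of the first branch ordering is that a DELETE only counts as "peer gave up before phase 2" when it follows IKE_P1_COMPLETE and precedes any quick-mode traffic; a DELETE after a rejected proposal is the normal teardown and is reported as the proposal mismatch instead.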

by anonymous
Hi Tomas,

Thank you for your answer.

I disabled the PFS config on both sides and tested. No result. I have also forced both phases to use exact policies.

As MTUs are 1500 on all devices, including the intermediate firewalls (which establish the first tunnel), I suspect the DF-bit issue is the culprit.
So, I captured ISAKMP packets. The Teltonika sends with the DF bit set; however, the Cisco router sends without the DF bit set.
On the intermediate firewalls, I have disabled the DF-bit check on our side. I'll talk to the mobile operator about configuring theirs not to drop packets if the DF bit is set.
Unfortunately, I can't decrease the MTU on the Cisco router, as it has VPN connectivity with other devices using the same interface.
What do you think? Could this be the reason?
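The MTU question in the last comment can be made concrete: a tunnel inside a tunnel pays ESP, IV, padding, ICV and (because both ends are behind NAT) UDP encapsulation twice, so on a path where every hop has a 1500-byte MTU a full-size inner packet with DF set cannot get through. The script below, an added example that is not code from the thread or from either vendor, computes the RFC 4303 tunnel-mode packet size and the largest inner packet that survives one and two levels of encapsulation. The transforms are assumptions: the thread shows 3DES/SHA only for phase 1 and never states the phase-2 transform, so the numbers are for illustration.

```python
"""ESP tunnel-mode packet sizing (RFC 4303 layout) for one tunnel and for a tunnel
carried inside another tunnel, to see what fits in a 1500-byte link MTU.
Added example, not code from the thread; the transforms are assumptions
(the thread shows 3DES/SHA for phase 1 only, the phase-2 transform is unknown)."""
from dataclasses import dataclass

IP_HDR = 20          # outer IPv4 header without options
UDP_HDR = 8          # NAT-T encapsulation (UDP/4500), present because both peers are behind NAT
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1), inside the encrypted region
TCP_IP_HDRS = 40     # inner IPv4 + TCP headers, for deriving an MSS clamp


@dataclass(frozen=True)
class Transform:
    name: str
    block: int   # alignment of the encrypted region (cipher block size for CBC modes)
    iv: int      # per-packet IV carried in clear right after the ESP header
    icv: int     # integrity check value appended after the trailer


ESP_3DES_SHA1 = Transform("esp-3des esp-sha-hmac", block=8, iv=8, icv=12)    # HMAC-SHA1-96
ESP_AES_SHA1 = Transform("esp-aes esp-sha-hmac", block=16, iv=16, icv=12)


def esp_tunnel_size(inner_len: int, t: Transform, nat_t: bool = True) -> int:
    """Outer datagram length when an inner IP packet of inner_len bytes (header
    included) is wrapped in tunnel-mode ESP with transform t."""
    plaintext = inner_len + ESP_TRAILER
    pad = (-plaintext) % t.block              # pad so the trailer ends on a block boundary
    encrypted = plaintext + pad
    return IP_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + t.iv + encrypted + t.icv


def max_inner_mtu(link_mtu: int, t: Transform, nat_t: bool = True) -> int:
    """Largest inner packet whose ESP encapsulation still fits in link_mtu."""
    fixed = IP_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + t.iv + t.icv
    encrypted_max = (link_mtu - fixed) // t.block * t.block   # floor to block multiple
    return encrypted_max - ESP_TRAILER


def nested_inner_mtu(link_mtu: int, outer: Transform, inner: Transform,
                     nat_t_outer: bool = True, nat_t_inner: bool = True) -> int:
    """Largest cleartext packet that survives inner-tunnel ESP inside outer-tunnel ESP."""
    budget_for_inner_tunnel = max_inner_mtu(link_mtu, outer, nat_t_outer)
    return max_inner_mtu(budget_for_inner_tunnel, inner, nat_t_inner)


def df_outcome(inner_len: int, link_mtu: int, t: Transform, df_set: bool,
               nat_t: bool = True) -> str:
    """What a gateway that copies DF to the outer header does with an oversized packet."""
    if esp_tunnel_size(inner_len, t, nat_t) <= link_mtu:
        return "sent"
    return "dropped-needs-frag" if df_set else "fragmented"


def tcp_mss_clamp(inner_mtu: int) -> int:
    """MSS to clamp on the inner interface so TCP never needs fragmentation."""
    return inner_mtu - TCP_IP_HDRS


if __name__ == "__main__":
    single = max_inner_mtu(1500, ESP_3DES_SHA1)
    nested = nested_inner_mtu(1500, ESP_3DES_SHA1, ESP_3DES_SHA1)
    print("one 3DES/SHA1 NAT-T tunnel on a 1500 MTU: inner MTU", single)
    print("3DES/SHA1 NAT-T tunnel inside the same:   inner MTU", nested,
          "-> clamp TCP MSS to", tcp_mss_clamp(nested))
    print("1500-byte packet, DF set, through one tunnel:",
          df_outcome(1500, 1500, ESP_3DES_SHA1, df_set=True))
```

With 3DES/SHA1 and NAT-T on both layers the cleartext budget drops from 1500 to 1374 bytes, which is why a sender that sets DF and never receives (or never trusts) the ICMP "fragmentation needed" message stalls: lowering the MTU or clamping the MSS on the inner side is what removes the dependency on DF handling in the operator's network.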