Adtran
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Anonymous
Not applicable
‎07-31-2012 04:43 PM

VPN issue - Attribute Mismatch

Jump to solution

Hi all, i am working on creating a tunnel between a cisco 3845 and an adtran 1335.

Other tunnels are working on the 3845 which go to other cisco's but the issue is only happening on the adtran 1335.

I am getting these errors on the 1335

2012.07.31 17:26:09 CRYPTO_IKE.NEGOTIATION IkeInXformProcess: Attributes mismatch

2012.07.31 17:26:09 CRYPTO_IKE.NEGOTIATION IkeInXformProcess: Transform number search failed

2012.07.31 17:26:09 CRYPTO_IKE.NEGOTIATION IkeInProposalProcess: In response, transform payload malformed

2012.07.31 17:26:09 CRYPTO_IKE.NEGOTIATION IkeQMInitSAWaitProcess: IkeInProposalProcess failed

2012.07.31 17:26:09 CRYPTO_IKE.NEGOTIATION IkeProcessData : IkeQMInitSAWaitProcess failed

I've attached the debugs from a show crypto ike.  If anyone could give any direction on where to look it would be much appreciated. I've confirmed both sides have the same attributes and everything.

Thanks,

Sean

putty.log.zip
0 Kudos
Reply
1 Solution

Accepted Solutions
Anonymous
Not applicable
‎08-02-2012 10:16 AM

Re: VPN issue - Attribute Mismatch

Jump to solution

Sean:

Thank you for asking this question in the support community.  When connecting a VPN from an ADTRAN to a Cisco, typically you will need to modify the NAT-traversal settings, as the defaults on the two vendors are different.  On the ADTRAN unit, change the IKE policy to:  nat-traversal v1 disable and nat-traversal v2 force.  After making the changes, your IKE policy should look similar to the following:

crypto ike policy 1

  initiate main

  respond anymode

  nat-traversal v1 disable

  nat-traversal v2 force

  local-id address X.X.X.X

  peer X.X.X.X

  attribute 1

    encryption aes-256-cbc

    authentication pre-share

    group 5

    lifetime 86400

Also, I noticed on the Cisco that you have a GRE tunnel configured.  Is this supposed to be a GRE/IPSec tunnel?  If so, there are additional configuration settings you will need on the ADTRAN.

Please, make the suggested configuration changes, and then reply with the output from the debug crypto ike command when the tunnel is attempting to establish.

Levi

View solution in original post

Reply
6 Replies
Anonymous
Not applicable
‎08-01-2012 07:24 AM

Re: VPN issue - Attribute Mismatch

Jump to solution

Hi smross:

Since the negotiation fails after the second IKE message, I would re-check your preshared key and also focus on the IKE policy attributes/timeout.

Best,

Chris

0 Kudos
Accept as Solution Reply
Anonymous
Not applicable
‎08-01-2012 07:52 AM

Re: VPN issue - Attribute Mismatch

Jump to solution

Yea i believe i've checked all those, below is the config of both sides.  The only difference is that the lifetime is showing up on the cisco under the isakmp policy even after i've set it.  Not sure if thats working as intended or not.

Adtran

!

ip crypto

ip crypto ffe

!

crypto ike policy 1

  initiate main

  respond anymode

  local-id address X.X.X.X

  peer X.X.X.X

  attribute 1

    encryption aes-256-cbc

    authentication pre-share

    group 5

    lifetime 86400

!

crypto ike remote-id address X.X.X.X preshared-key ciscovpn ike-policy 1 no-xauth

!     

crypto ipsec transform-set VPN esp-aes-256-cbc esp-sha-hmac

  mode tunnel

!

crypto map VPN 1 ipsec-ike

  match address gre-ip

  set peer X.X.X.X

  set transform-set VPN

  set pfs group5

  ike-policy 1

Cisco

crypto isakmp policy 1

encr aes 256

authentication pre-share

group 5

crypto isakmp key ciscovpn address 0.0.0.0 0.0.0.0 no-xauth

!

!

crypto ipsec transform-set IPSEC-TRANS-SET esp-aes 256 esp-sha-hmac

!

crypto map VPN 1 ipsec-isakmp

set peer X.X.X.X

set transform-set IPSEC-TRANS-SET

set pfs group5

match address WAltamonte

interface Tunnel1

description WAltamonte

bandwidth 20000

ip address X.X.X.X 255.255.255.252

ip mtu 1420

keepalive 10 3

tunnel source GigabitEthernet0/1.65

tunnel destination X.X.X.X

ip access-list extended WAltamonte

permit gre host X.X.X.X host X.X.X.X

Thanks,

Sean

0 Kudos
Accept as Solution Reply
Anonymous
Not applicable
‎08-02-2012 09:08 AM

Re: VPN issue - Attribute Mismatch

Jump to solution

Yeah, if you're like me, you probably triple and quadruple-checked before taking it to the support forum.    Hopefully an ADTRAN engineer or other crypto ninja will chime in with something closer to a fix.  I'm definitely learning as I go, but your debug shows that the negotiation breaks during the first half of the IKE proposal where basic phase 1 details are offered/agreed.  This helps, because if we're not getting past that, then it's likely some mis-match with basic attributes.

I don't know Cisco configs well enough to be confident.  I don't know if something should be changed in yours.  Perhaps the timeout is omitted because it's the default value?  Or maybe there is something more to it and the timeouts are at play in your trouble.  Question for anyone:  are timeout values actually part of the negotiation?

Chris

0 Kudos
Accept as Solution Reply
Anonymous
Not applicable
‎08-02-2012 10:16 AM

Re: VPN issue - Attribute Mismatch

Jump to solution

Sean:

Thank you for asking this question in the support community.  When connecting a VPN from an ADTRAN to a Cisco, typically you will need to modify the NAT-traversal settings, as the defaults on the two vendors are different.  On the ADTRAN unit, change the IKE policy to:  nat-traversal v1 disable and nat-traversal v2 force.  After making the changes, your IKE policy should look similar to the following:

crypto ike policy 1

  initiate main

  respond anymode

  nat-traversal v1 disable

  nat-traversal v2 force

  local-id address X.X.X.X

  peer X.X.X.X

  attribute 1

    encryption aes-256-cbc

    authentication pre-share

    group 5

    lifetime 86400

Also, I noticed on the Cisco that you have a GRE tunnel configured.  Is this supposed to be a GRE/IPSec tunnel?  If so, there are additional configuration settings you will need on the ADTRAN.

Please, make the suggested configuration changes, and then reply with the output from the debug crypto ike command when the tunnel is attempting to establish.

Levi

Reply
Anonymous
Not applicable
‎08-08-2012 10:08 AM

Re: VPN issue - Attribute Mismatch

Jump to solution

:

I went ahead and flagged this post as “Assumed Answered.”  If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons.  This will make them visible and help other members of the community find solutions more easily.  If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.

Levi

0 Kudos
Accept as Solution Reply
Anonymous
Not applicable
‎02-18-2013 04:23 PM

Re: VPN issue - Attribute Mismatch

Jump to solution

:

I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Levi

0 Kudos
Accept as Solution Reply