Hi all, I am working on creating a tunnel between a Cisco 3845 and an ADTRAN 1335.
Other tunnels are working on the 3845 which go to other Ciscos, but the issue is only happening on the ADTRAN 1335.
I am getting these errors on the 1335:
2012.07.31 17:26:09 CRYPTO_IKE.NEGOTIATION IkeInXformProcess: Attributes mismatch
2012.07.31 17:26:09 CRYPTO_IKE.NEGOTIATION IkeInXformProcess: Transform number search failed
2012.07.31 17:26:09 CRYPTO_IKE.NEGOTIATION IkeInProposalProcess: In response, transform payload malformed
2012.07.31 17:26:09 CRYPTO_IKE.NEGOTIATION IkeQMInitSAWaitProcess: IkeInProposalProcess failed
2012.07.31 17:26:09 CRYPTO_IKE.NEGOTIATION IkeProcessData : IkeQMInitSAWaitProcess failed
I've attached the debugs from a show crypto ike. If anyone could give any direction on where to look, it would be much appreciated. I've confirmed both sides have the same attributes and everything.
Thanks,
Sean
Sean:
Thank you for asking this question in the support community. When connecting a VPN from an ADTRAN to a Cisco, typically you will need to modify the NAT-traversal settings, as the defaults on the two vendors are different. On the ADTRAN unit, change the IKE policy to: nat-traversal v1 disable and nat-traversal v2 force. After making the changes, your IKE policy should look similar to the following:
crypto ike policy 1
initiate main
respond anymode
nat-traversal v1 disable
nat-traversal v2 force
local-id address X.X.X.X
peer X.X.X.X
attribute 1
encryption aes-256-cbc
authentication pre-share
group 5
lifetime 86400
Also, I noticed on the Cisco that you have a GRE tunnel configured. Is this supposed to be a GRE/IPSec tunnel? If so, there are additional configuration settings you will need on the ADTRAN.
Please make the suggested configuration changes, and then reply with the output from the debug crypto ike command when the tunnel is attempting to establish.
Levi
Hi smross:
Since the negotiation fails after the second IKE message, I would re-check your preshared key and also focus on the IKE policy attributes/timeout.
Best,
Chris
Yeah, I believe I've checked all those; below is the config of both sides. The only difference is that the lifetime is showing up on the Cisco under the isakmp policy even after I've set it. Not sure if that's working as intended or not.
Adtran
!
ip crypto
ip crypto ffe
!
crypto ike policy 1
initiate main
respond anymode
local-id address X.X.X.X
peer X.X.X.X
attribute 1
encryption aes-256-cbc
authentication pre-share
group 5
lifetime 86400
!
crypto ike remote-id address X.X.X.X preshared-key ciscovpn ike-policy 1 no-xauth
!
crypto ipsec transform-set VPN esp-aes-256-cbc esp-sha-hmac
mode tunnel
!
crypto map VPN 1 ipsec-ike
match address gre-ip
set peer X.X.X.X
set transform-set VPN
set pfs group5
ike-policy 1
Cisco
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key ciscovpn address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set IPSEC-TRANS-SET esp-aes 256 esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer X.X.X.X
set transform-set IPSEC-TRANS-SET
set pfs group5
match address WAltamonte
interface Tunnel1
description WAltamonte
bandwidth 20000
ip address X.X.X.X 255.255.255.252
ip mtu 1420
keepalive 10 3
tunnel source GigabitEthernet0/1.65
tunnel destination X.X.X.X
ip access-list extended WAltamonte
permit gre host X.X.X.X host X.X.X.X
Thanks,
Sean
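The two configurations above use different vocabularies for the same settings (aes-256-cbc versus encr aes 256, esp-aes-256-cbc versus esp-aes 256), which makes an eyeball comparison error-prone. The Python below is an added example, not code from the thread or from either vendor: it parses both snippets as posted (addresses left as X.X.X.X), normalizes the spellings, and reports for each IKE phase 1 attribute, the ESP transform set and the PFS group whether the two sides agree. For lines omitted from the Cisco isakmp policy it fills in the documented IOS defaults (hash sha, lifetime 86400); no ADTRAN AOS default is assumed, so an attribute that is explicit on only one side is reported as unverified rather than as a match.

```python
"""Added example: compare the IKE phase 1 attributes, ESP transforms and PFS
setting of the Cisco IOS and ADTRAN AOS snippets posted in this thread after
normalizing each vendor's vocabulary.  Not code from either vendor."""
import re

# Snippets as posted in the thread, trimmed to the crypto sections.
ADTRAN_CFG = """\
crypto ike policy 1
  initiate main
  respond anymode
  local-id address X.X.X.X
  peer X.X.X.X
  attribute 1
    encryption aes-256-cbc
    authentication pre-share
    group 5
    lifetime 86400
!
crypto ipsec transform-set VPN esp-aes-256-cbc esp-sha-hmac
  mode tunnel
!
crypto map VPN 1 ipsec-ike
  set pfs group5
"""

CISCO_CFG = """\
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
!
crypto ipsec transform-set IPSEC-TRANS-SET esp-aes 256 esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
 set pfs group5
"""

# Documented IOS defaults for lines omitted from "crypto isakmp policy".
CISCO_ISAKMP_DEFAULTS = {"hash": "sha", "lifetime": "86400"}
# No AOS defaults are assumed: an attribute the ADTRAN side leaves implicit
# is reported as unverified so the operator checks the unit's own default.

P1_KEYS = r"(encr|encryption|authentication|hash|group|lifetime)\s+(.+)"


def parse_config(text, defaults):
    """Return phase 1 attributes, the ESP transform string and the PFS group.

    Works for both vendors: the policy headers differ only in spelling
    ("isakmp" vs "ike") and the IOS "encr" keyword is aliased below."""
    p1, esp, pfs, section = dict(defaults), None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"crypto (isakmp|ike) policy", line):
            section = "ike"
        elif line.startswith("crypto ipsec transform-set"):
            esp, section = line.split(None, 4)[4], "ipsec"
        elif line.startswith("crypto map"):
            section = "map"
        elif line.startswith("crypto") or line == "!":
            section = None
        elif section == "ike":
            m = re.match(P1_KEYS, line)
            if m:
                key = "encryption" if m.group(1) == "encr" else m.group(1)
                p1[key] = m.group(2).strip()
        elif section == "map" and line.startswith("set pfs"):
            pfs = line.split()[2]
    return {"phase1": p1, "esp": esp, "pfs": pfs}


def norm_cipher(value):
    """Map vendor spellings to one form: 'aes-256-cbc', 'aes 256',
    'esp-aes-256-cbc', 'esp-aes 256' -> 'aes-256'; 'esp-sha-hmac' -> 'sha'."""
    toks = [t for t in re.findall(r"[a-z0-9]+", value.lower())
            if t not in ("esp", "cbc", "hmac")]
    if toks == ["aes"]:          # IOS "esp-aes" / "encr aes" with no size = 128-bit
        toks.append("128")
    return "-".join(toks)


def split_esp(esp):
    """'esp-aes 256 esp-sha-hmac' -> ['esp-aes 256', 'esp-sha-hmac']."""
    return re.findall(r"esp-[a-z0-9-]+(?:\s+\d+)?", esp or "")


def compare(adtran, cisco):
    """Return (item, adtran_value, cisco_value, status) rows."""
    rows = []
    for k in sorted(set(adtran["phase1"]) | set(cisco["phase1"])):
        av, cv = adtran["phase1"].get(k), cisco["phase1"].get(k)
        if k == "encryption":
            av, cv = av and norm_cipher(av), cv and norm_cipher(cv)
        if av is None or cv is None:
            status = "unverified: set on one side only, check the other unit's default"
        else:
            status = "ok" if av == cv else "MISMATCH"
        rows.append(("phase1 " + k, av, cv, status))
    ae = sorted(norm_cipher(t) for t in split_esp(adtran["esp"]))
    ce = sorted(norm_cipher(t) for t in split_esp(cisco["esp"]))
    rows.append(("ipsec transforms", " ".join(ae), " ".join(ce),
                 "ok" if ae == ce else "MISMATCH"))
    rows.append(("pfs", adtran["pfs"], cisco["pfs"],
                 "ok" if adtran["pfs"] == cisco["pfs"] else "MISMATCH"))
    return rows


def mismatches(rows):
    return [r for r in rows if r[3] == "MISMATCH"]


if __name__ == "__main__":
    report = compare(parse_config(ADTRAN_CFG, {}),
                     parse_config(CISCO_CFG, CISCO_ISAKMP_DEFAULTS))
    for item, av, cv, status in report:
        print(f"{item:18} adtran={av!s:10} cisco={cv!s:10} {status}")
```

On the snippets as posted the report finds no mismatch in the phase 1 attributes, the ESP transforms or PFS, and flags the hash as unverified because neither side sets it explicitly. That is exactly the case where a debug of the live negotiation, rather than another read of the configs, is the next step.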
Yeah, if you're like me, you probably triple- and quadruple-checked before taking it to the support forum. Hopefully an ADTRAN engineer or other crypto ninja will chime in with something closer to a fix. I'm definitely learning as I go, but your debug shows that the negotiation breaks during the first half of the IKE proposal where basic phase 1 details are offered/agreed. This helps, because if we're not getting past that, then it's likely some mismatch with basic attributes.
I don't know Cisco configs well enough to be confident. I don't know if something should be changed in yours. Perhaps the timeout is omitted because it's the default value? Or maybe there is something more to it and the timeouts are at play in your trouble. Question for anyone: are timeout values actually part of the negotiation?
Chris
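On the question of whether the lifetime is negotiated: in IKEv1 it is. RFC 2409 Appendix A defines Life Type and Life Duration as attributes carried inside the transform payload alongside encryption, hash, authentication method and group, so the responder sees the initiator's lifetime when it searches the offered transforms for one matching its own policy. The Python below is an added example, not ADTRAN or Cisco code: it encodes and decodes a phase 1 transform payload in the RFC 2408 layout and runs a responder-style transform search over an initiator's proposal. The lifetime rule it applies (an offered lifetime must not exceed the responder's own) is the one Cisco documents for its ISAKMP policy matching; the attribute values are constructed to mirror the policies posted in this thread.

```python
"""Added example: encode and decode an IKEv1 phase 1 transform payload
(RFC 2408 section 3.6 layout, RFC 2409 Appendix A attribute numbers) and run
a responder-side transform search over an initiator's proposal.  Not ADTRAN
or Cisco code; the attribute values mirror the policies posted in this thread."""
import struct

# RFC 2409 Appendix A attribute classes used in phase 1.
ENCR, HASH, AUTH, GROUP, LIFE_TYPE, LIFE_DUR, KEY_LEN = 1, 2, 3, 4, 11, 12, 14
ATTR_NAMES = {ENCR: "encryption", HASH: "hash", AUTH: "authentication",
              GROUP: "group", LIFE_TYPE: "life-type", LIFE_DUR: "life-duration",
              KEY_LEN: "key-length"}
AES_CBC, TRIPLE_DES = 7, 5          # Encryption Algorithm values
SHA1, PRE_SHARE, SECONDS = 2, 1, 1  # Hash, Authentication Method, Life Type
KEY_IKE, PAYLOAD_TRANSFORM = 1, 3   # Transform-ID and next-payload type
NEGOTIABLE = {LIFE_TYPE, LIFE_DUR}  # compared by rule, not for equality


def encode_attr(atype, value):
    """TV form (AF bit set, 16-bit value) when the value fits, else TLV form."""
    if value < 0x10000:
        return struct.pack("!HH", 0x8000 | atype, value)
    data = value.to_bytes(4, "big")
    return struct.pack("!HH", atype, len(data)) + data


def encode_transform(number, attrs, last=True):
    """Transform payload: next, reserved, length, transform #, ID, reserved."""
    body = b"".join(encode_attr(t, v) for t, v in attrs.items())
    nxt = 0 if last else PAYLOAD_TRANSFORM
    return struct.pack("!BBHBBH", nxt, 0, 8 + len(body), number, KEY_IKE, 0) + body


def decode_transform(buf):
    """Return (transform number, {attr: value}, remaining bytes); raise on a
    truncated or inconsistent payload (the malformed case in the log above)."""
    if len(buf) < 8:
        raise ValueError("transform payload malformed: short header")
    _, _, length, number, tid, _ = struct.unpack("!BBHBBH", buf[:8])
    if tid != KEY_IKE or length < 8 or length > len(buf):
        raise ValueError("transform payload malformed: bad ID or length")
    attrs, pos = {}, 8
    while pos < length:
        if pos + 4 > length:
            raise ValueError("transform payload malformed: truncated attribute")
        head, val = struct.unpack("!HH", buf[pos:pos + 4])
        atype, pos = head & 0x7FFF, pos + 4
        if head & 0x8000:                       # TV: val is the value
            attrs[atype] = val
        else:                                   # TLV: val is the length
            if pos + val > length:
                raise ValueError("transform payload malformed: truncated attribute")
            attrs[atype] = int.from_bytes(buf[pos:pos + val], "big")
            pos += val
    return number, attrs, buf[length:]


def select_transform(proposal, policy):
    """Walk the initiator's transforms in order and return the number of the
    first one the responder's policy accepts, or None (the 'transform number
    search failed' outcome).  Fixed attributes must be equal; the lifetime is
    compared the way Cisco documents for ISAKMP policy matching: the offered
    lifetime must not exceed the responder's own."""
    buf = proposal
    while buf:
        number, attrs, buf = decode_transform(buf)
        fixed_ok = all(attrs.get(k) == v for k, v in policy.items()
                       if k not in NEGOTIABLE)
        life_ok = (attrs.get(LIFE_TYPE) == policy.get(LIFE_TYPE)
                   and attrs.get(LIFE_DUR, 0) <= policy.get(LIFE_DUR, 0))
        if fixed_ok and life_ok:
            return number
    return None


def describe(attrs):
    """Readable view of a decoded attribute dict."""
    return {ATTR_NAMES.get(k, k): v for k, v in attrs.items()}


# Constructed proposal: transform 1 mirrors the posted policies (AES-256,
# SHA, pre-shared key, group 5, 86400 s); transform 2 is a 3DES fallback.
POLICY_POSTED = {ENCR: AES_CBC, KEY_LEN: 256, HASH: SHA1, AUTH: PRE_SHARE,
                 GROUP: 5, LIFE_TYPE: SECONDS, LIFE_DUR: 86400}
POLICY_3DES = {ENCR: TRIPLE_DES, HASH: SHA1, AUTH: PRE_SHARE, GROUP: 2,
               LIFE_TYPE: SECONDS, LIFE_DUR: 86400}
PROPOSAL = (encode_transform(1, POLICY_POSTED, last=False)
            + encode_transform(2, POLICY_3DES))

if __name__ == "__main__":
    print("posted policy selects transform", select_transform(PROPOSAL, POLICY_POSTED))
    print("3600 s responder lifetime selects",
          select_transform(PROPOSAL, {**POLICY_POSTED, LIFE_DUR: 3600}))
    print("transform 1 decoded:", describe(decode_transform(PROPOSAL)[1]))
```

Two things the run makes visible: the 86400 second lifetime does not fit a 16-bit TV attribute and so travels in TLV form, and a responder whose own lifetime is shorter than every offered one rejects all transforms even when every other attribute is identical. That is why a lifetime that is explicit on one peer and left at a (possibly different) default on the other is worth confirming with a debug rather than assuming.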
I went ahead and flagged this post as “Assumed Answered.” If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.
Levi
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Levi