IPsec Mikrotik RB 150 to Cisco: problem with phase 2?

Hello,

I have a situation where I can pass phase 1 but I am stuck on phase 2.
Here is what they need on the Cisco (don't know the model) side.

IKE policy:
encryption algorithm: 3DES
hash algorithm: SHA
authentication method: Pre-Shared Key
Diffie-Hellman group: #2
lifetime: 86400 seconds, no volume limit
preshared-key: *********

IPSec policy:
Peer IP address: 97.152.258.18
encryption algorithm: 3DES
hash algorithm: SHA
mode: tunnel
local network (server address): 160.30.60.20/30
lifetime: 4608000 kilobytes/3600 seconds
Destination IP address: 160.30.60.20; 160.30.60.21; 160.30.60.22; 160.30.60.23
Destination IP port: 80, 443
Protocol: tcp

Config on Cisco:

Crypto Map "Parlay" 110 ipsec-isakmp
Peer = 222.144.122.218
Extended IP access list IPSEC_MM
access-list IPSEC_MM permit ip 160.30.60.20 0.0.0.3 host 10.10.10.254
Current peer: 222.144.122.218
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ 3DES_SHA, }


Here is Mikrotik side:

Mikrotik configuration (ver. 2.9.51):
Address list:

Address: 10.10.10.254/26 Network: 10.10.10.192 Broadcast: 10.10.10.255 Interface: DMZ
Address: 192.168.2.1/24 Network: 192.168.2.255 Broadcast: 192.168.2.255 Interface: LAN
Address: 222.144.122.218/29 Network: 222.144.122.216 Broadcast: 222.144.122.213 Interface: WAN

ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - invalid
0 src-address=10.10.10.254/32:any dst-address=160.30.60.20/30:any protocol=all action=encrypt
level=require ipsec-protocols=esp tunnel=yes sa-src-address=222.144.122.218
sa-dst-address=97.152.258.18 proposal=Tm manual-sa=none dont-fragment=clear

ip ipsec> peer print
Flags: X - disabled
0 address=97.152.258.18/32:500 secret="********" generate-policy=yes
exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=sha1
enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=4608000

1 X address=97.152.258.18/32:500 secret="" generate-policy=no exchange-mode=main
send-initial-contact=yes proposal-check=obey hash-algorithm=md5 enc-algorithm=3des
dh-group=modp1024 lifetime=1d lifebytes=0

ip ipsec> proposal print
Flags: X - disabled
0 name="Tm" auth-algorithms=sha1 enc-algorithms=3des lifetime=1h lifebytes=460800
pfs-group=modp1024

1 X name="default" auth-algorithms=md5 enc-algorithms=3des lifetime=0s lifebytes=0
pfs-group=none

installed-sa print
Flags: A - AH, E - ESP, P - pfs, M - manual

Any idea why I can't pass phase 2 and connect to their server?

Thank you

Regards

Samples

PFS is turned on at one end and off at the other.

Generate-policy should be set to No for this type of link.

Post the debug output from the Cisco for ISAKMP as this will offer some more clues.

Kind regards

Andrew

Hi Andrew,

Thanks for your feedback.
I will ask for debug output from the Cisco for ISAKMP and post it.

Regards

Here is a Cisco config:

2621_BulkSMS_IPSec#sh crypto ipsec sa

local ident (addr/mask/prot/port): (160.30.60.20/255.255.255.252/0/0)

remote ident (addr/mask/prot/port): (192.168.110.53/255.255.255.255/0/0)

current_peer: 222.144.122.218
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 97.152.258.18, remote crypto endpt.: 222.144.122.218

path mtu 1500, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

sh crypto isakmp sa: nothing (possibly it is not connected)

Any ideas?
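As an added example (not part of this thread, and not a RouterOS or IOS feature): a small Python cross-check of the phase-2 parameters both sides have posted so far. It transcribes the Mikrotik proposal and policy, the Cisco crypto map and its access list, and the remote ident shown by the later `sh crypto ipsec sa`, converts the Cisco wildcard mask to a prefix, and reports where the two ends disagree. The data model, the DH group aliases, the severity labels and the function names are this example's own; the addresses and values are the ones posted above.

```python
"""Cross-check IKEv1 phase-2 (quick mode) parameters of two IPsec peers.

The peer values below are transcribed from the configs posted in this thread;
the data model and the checks are this example's own, not vendor tooling.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Vendor spellings of the same Diffie-Hellman groups (IOS name -> RouterOS name),
# so a PFS comparison is not fooled by naming alone.
DH_ALIASES = {"group1": "modp768", "group2": "modp1024", "group5": "modp1536"}


def norm_group(group: Optional[str]) -> Optional[str]:
    """Normalise a PFS group name; None (or 'none'/'N') means PFS is off."""
    if group is None or group.lower() in ("none", "n", "off"):
        return None
    return DH_ALIASES.get(group.lower(), group.lower())


def acl_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco access-list 'address wildcard' pair into a network.

    Wildcard bits set to 1 are 'don't care'. Only a contiguous run of low bits
    maps onto a prefix length; anything else cannot be a single subnet.
    'host X' is the same as 'X 0.0.0.0'.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    ones = bin(wc).count("1")
    if wc != (1 << ones) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not a prefix")
    return ipaddress.IPv4Network((addr, 32 - ones), strict=False)


@dataclass
class Phase2Side:
    name: str
    enc: str                         # ESP cipher, e.g. "3des"
    auth: str                        # ESP integrity, e.g. "sha1"
    pfs_group: Optional[str]         # None = PFS off
    lifetime_s: int
    lifebytes: int                   # as displayed by that vendor (units differ)
    local_net: ipaddress.IPv4Network   # subnet this side protects
    remote_net: ipaddress.IPv4Network  # subnet it expects behind the peer


Finding = Tuple[str, str]  # (severity, message)


def compare_phase2(a: Phase2Side, b: Phase2Side) -> List[Finding]:
    """Return mismatches between two peers' phase-2 settings.

    Transform, PFS and traffic-selector disagreements stop quick mode from
    completing, so they are errors. Lifetimes are normally negotiated down to
    the shorter value (RouterOS proposal-check=obey, IOS default), so they are
    only warnings.
    """
    out: List[Finding] = []
    if a.enc.lower() != b.enc.lower():
        out.append(("error", f"encryption: {a.name}={a.enc}, {b.name}={b.enc}"))
    if a.auth.lower() != b.auth.lower():
        out.append(("error", f"auth: {a.name}={a.auth}, {b.name}={b.auth}"))
    ga, gb = norm_group(a.pfs_group), norm_group(b.pfs_group)
    if ga != gb:
        out.append(("error", f"PFS: {a.name}={ga or 'off'}, {b.name}={gb or 'off'}"))
    # Selectors must mirror: my local is the peer's remote and vice versa.
    if a.local_net != b.remote_net or a.remote_net != b.local_net:
        out.append(("error",
                    f"selectors do not mirror: {a.name} {a.local_net}<->{a.remote_net}, "
                    f"{b.name} {b.local_net}<->{b.remote_net}"))
    if a.lifetime_s != b.lifetime_s:
        out.append(("warning", f"lifetime: {a.lifetime_s}s vs {b.lifetime_s}s"))
    if a.lifebytes != b.lifebytes:
        out.append(("warning", f"lifebytes: {a.lifebytes} vs {b.lifebytes}"))
    return out


def errors(findings: List[Finding]) -> List[str]:
    return [msg for sev, msg in findings if sev == "error"]


# Mikrotik: proposal "Tm" (sha1/3des, lifetime 1h, lifebytes 460800, pfs modp1024)
# and policy src 10.10.10.254/32 -> dst 160.30.60.20/30, as posted.
MIKROTIK = Phase2Side("mikrotik", "3des", "sha1", "modp1024", 3600, 460800,
                      ipaddress.IPv4Network("10.10.10.254/32"),
                      ipaddress.IPv4Network("160.30.60.20/30"))

# Cisco crypto map as posted: transform 3DES_SHA, PFS N, 3600 s / 4608000 KB,
# access-list 'permit ip 160.30.60.20 0.0.0.3 host 10.10.10.254'.
CISCO_MAP = Phase2Side("cisco", "3des", "sha1", None, 3600, 4608000,
                       acl_to_network("160.30.60.20", "0.0.0.3"),
                       acl_to_network("10.10.10.254", "0.0.0.0"))

# Cisco as shown later by 'sh crypto ipsec sa': remote ident 192.168.110.53/32.
CISCO_SA = replace(CISCO_MAP, remote_net=ipaddress.IPv4Network("192.168.110.53/32"))

if __name__ == "__main__":
    for label, cisco in (("crypto map", CISCO_MAP), ("installed SA", CISCO_SA)):
        print(f"--- mikrotik vs cisco ({label})")
        for sev, msg in compare_phase2(MIKROTIK, cisco):
            print(f"{sev:8} {msg}")
```

Run as a script it prints the PFS mismatch Andrew pointed out, a lifebytes warning, and, for the values from the `sh crypto ipsec sa` output, a selector mismatch as well (192.168.110.53 on the Cisco side versus 10.10.10.254 in the Mikrotik policy). Either of the two errors on its own is enough to keep quick mode from completing, which is why both sides' selectors and PFS setting are the first things to line up before asking for more debug.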

debug crypto isakmp output, please.

Kind regards

Andrew

Hi Andrew,

They told me that they don't receive anything in debugging (possibly phase 1 also can't connect).
Can you tell me, from the information I provided here, whether the configuration on the Mikrotik is good or not?
Can I send you the configuration file by email?

Thanks

Regards

Samples

Does anybody have a solution?

I also have this information:
Cisco 2621 (MPC860) processor (revision 0x102) with 59392K/6144K bytes of memory.
Firewall: PIX-515E
Can anybody help with that problem, please?

Thank you

You said that IKE phase 1 was OK, but that there’s no debugging output from Cisco. Both statements can’t be true. If the router is completing phase 1 then it WILL be generating debug output if you enable it.

You didn't mention the PIX before. Is it in front of the router? Is it doing NAT?

Too many questions, too little information!

Kind regards

Andrew