Troubleshooting Cisco IPSec Site to Site VPN - "QM Rejected" - NETSEC

Latest

Learning, Sharing, Creating

Cybersecurity Memo

Tuesday, September 5, 2017

Troubleshooting Cisco IPSec Site to Site VPN - "QM Rejected"

There was a VPN issue to troubleshoot recently. It was between Juniper SRX and Cisco Router. It seems straightforward but it took quite a long time to troubleshoot because of communication. All steps listed here for my future reference.

Some other related posts:

Diagram

1. Enabled Debugging on Cisco IOS Router

vpn-R1#debug crypto ipsec
Crypto IPSEC debugging is on

vpn-R1#debug crypto isakmp
Crypto ISAKMP debugging is on

vpn-R1#debug crypto engine
Crypto Engine debugging is on

vpn-R1#terminal monitor







2. Debugging results
It shows invalidated proposal and ISAKMP deleted node with reason "QM rejected"

003345: Sep  5 10:49:31.279 EDT: ISAKMP (1060): received packet from 20.20.34.50 dport 500 sport 500 Global (R) QM_IDLE      
003346: Sep  5 10:49:31.279 EDT: ISAKMP: set new node 1450843075 to QM_IDLE      
003347: Sep  5 10:49:31.279 EDT: ISAKMP:(1060): processing HASH payload. message ID = 1450843075
003348: Sep  5 10:49:31.279 EDT: ISAKMP:(1060): processing SA payload. message ID = 1450843075
003349: Sep  5 10:49:31.279 EDT: ISAKMP:(1060):Checking IPSec proposal 1
003350: Sep  5 10:49:31.279 EDT: ISAKMP: transform 0, ESP_3DES
003351: Sep  5 10:49:31.279 EDT: ISAKMP:   attributes in transform:
003352: Sep  5 10:49:31.279 EDT: ISAKMP:      authenticator is HMAC-SHA
003353: Sep  5 10:49:31.279 EDT: ISAKMP:      group is 2
003354: Sep  5 10:49:31.279 EDT: ISAKMP:      SA life type in seconds
003355: Sep  5 10:49:31.279 EDT: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10 
003356: Sep  5 10:49:31.279 EDT: ISAKMP:      encaps is 1 (Tunnel)
003357: Sep  5 10:49:31.279 EDT: ISAKMP:(1060):atts are acceptable.
003358: Sep  5 10:49:31.279 EDT: IPSEC(validate_proposal_request): proposal part #1
003359: Sep  5 10:49:31.279 EDT: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 200.153.121.58:0, remote= 20.20.34.50:0,
    local_proxy= 10.9.106.18/255.255.255.255/256/0,
    remote_proxy= 10.21.51.128/255.255.255.255/256/0,
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel), 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0


003361: Sep  5 10:49:31.279 EDT: Crypto mapdb : proxy_match
 src addr     : 10.9.106.18
 dst addr     : 10.21.51.128
 protocol     : 0
 src port     : 0
 dst port     : 0
.......
003369: Sep  5 10:49:31.283 EDT: map_db_find_best did not find matching map
003370: Sep  5 10:49:31.283 EDT: IPSEC(ipsec_process_proposal): proxy identities not supported
003371: Sep  5 10:49:31.283 EDT: ISAKMP:(1060): IPSec policy invalidated proposal with error 32
003372: Sep  5 10:49:31.283 EDT: ISAKMP:(1060): phase 2 SA policy not acceptable! (local 20.15.121.58 remote 20.20.34.50)
003373: Sep  5 10:49:31.283 EDT: ISAKMP: set new node -2087949406 to QM_IDLE      
003374: Sep  5 10:49:31.283 EDT: ISAKMP:(1060):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
 spi 739556696, message ID = 2207017890
003375: Sep  5 10:49:31.283 EDT: ISAKMP:(1060): sending packet to 20.20.34.50 my_port 500 peer_port 500 (R) QM_IDLE      
003376: Sep  5 10:49:31.283 EDT: ISAKMP:(1060):Sending an IKE IPv4 Packet.
003377: Sep  5 10:49:31.283 EDT: ISAKMP:(1060):purging node -2087949406
003378: Sep  5 10:49:31.283 EDT: ISAKMP:(1060):deleting node 1450843075 error TRUE reason "QM rejected"
003379: Sep  5 10:49:31.283 EDT: ISAKMP:(1060):Node 1450843075, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
vpn-router#
003380: Sep  5 10:49:31.283 EDT: ISAKMP:(1060):Old State = IKE_QM_READY  New State = IKE_QM_READY
003382: Sep  5 10:50:21.284 EDT: ISAKMP:(1060):purging node 1450843075





3. Checking configuration

Cisco Router's crypto map

vpn-router#show crypto map 
 Interfaces using crypto map NiStTeSt1:

Crypto Map IPv4 "vpn" 20 ipsec-isakmp
 Description: VPN to C
 Peer = 20.20.34.50
 Extended IP access list C-VPN-List
     access-list C-VPN-List permit ip host 10.9.106.18 host 10.1.254.19
 Current peer: 20.20.34.50
 Security association lifetime: 4608000 kilobytes/3600 seconds
 Responder-Only (Y/N): N
 PFS (Y/N): Y
 DH group:  group2
 Mixed-mode : Disabled
 Transform sets={ 
  Conductor:  { esp-3des esp-sha-hmac  } , 
 }






Peer Juniper SRX 550 configuraiton:

set interfaces st0 unit 22 description Cisco-R
set security ike policy ike-policy-Cisco-R mode main
set security ike policy ike-policy-Cisco-R proposals ike-proposal-Padrao
set security ike policy ike-policy-Cisco-R pre-shared-key ascii-text "$APfTz0O"
set security ike gateway ike-gate-Cisco-R ike-policy ike-policy-Cisco-R
set security ike gateway ike-gate-Cisco-R address 20.15.121.58
set security ike gateway ike-gate-Cisco-R remote-identity inet 20.15.121.58
set security ike gateway ike-gate-Cisco-R external-interface reth0.0
set security ipsec vpn ipsec-vpn-Cisco-R bind-interface st0.22
set security ipsec vpn ipsec-vpn-Cisco-R ike gateway ike-gate-Cisco-R
set security ipsec vpn ipsec-vpn-Cisco-R ike proxy-identity local 10.21.51.128/32
set security ipsec vpn ipsec-vpn-Cisco-R ike proxy-identity remote 10.9.106.18/32
set security ipsec vpn ipsec-vpn-Cisco-R ike proxy-identity service any
set security ipsec vpn ipsec-vpn-Cisco-R ike ipsec-policy ipsec-policy-P
set security ipsec vpn ipsec-vpn-Cisco-R establish-tunnels immediately




set security ike proposal ike-proposal-P authentication-method pre-shared-keys
set security ike proposal ike-proposal-P dh-group group2
set security ike proposal ike-proposal-P authentication-algorithm sha1
set security ike proposal ike-proposal-P encryption-algorithm 3des-cbc
set security ike proposal ike-proposal-P lifetime-seconds 28800


set security ipsec policy ipsec-policy-P perfect-forward-secrecy keys group2
set security ipsec policy ipsec-policy-P proposals ipsec-proposal-Padrao
set security ipsec proposal ipsec-proposal-P protocol esp
set security ipsec proposal ipsec-proposal-P authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-proposal-P encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-proposal-P lifetime-seconds 3600




Cisco IOS Router 1900 Configuration:



crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
lifetime 28800
!


crypto isakmp key 76tyYuty!2@ address 20.13.194.17
!crypto isakmp aggressive-mode disable

crypto ipsec transform-set C esp-3des esp-sha-hmac
mode tunnel


crypto map vpn 20 ipsec-isakmp
description VPN to C
set peer 20.20.34.50
set transform-set Conductor
set pfs group2
match address C-VPN-List


ip access-list extended C-VPN-List
permit ip host 10.9.106.18 host 10.1.254.19

interface GigabitEthernet0/0
ip address 20.15.121.58 255.255.255.248
duplex auto
speed auto
crypto map vpn




Solution:
It clearly shows access-list not matching on both end. Juniper SRX has a NAT from 10.1.254.19 to 10.21.51.128. Cisco router only knows their Internal IP 10.1.254.19. Once Cisco router changed access-list to match Juniper. Tunnel is up right away.

1 comment:

  1. At the moment the Inside and DMZ nat are Outside interface (so when it goes out it uses 1.1.1.1) - my DMZ uses an outside DNS Server for name resolution which seems to be fine - I get an error message which looks like it cant communicate to outside address - if i try the samething from internet, it works but i need it to work from DMZ interface as well.. andy michael

    ReplyDelete