conf vpn

leungcm
Level 1

Hi,

We configured the VPN but it does not work.

Following is the setting:

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address x.x.x.x
crypto isakmp keepalive 30
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap local-address GigabitEthernet0/0
crypto map mymap 101 ipsec-isakmp
 description VPN to tw
 set peer x.x.x.x
 set transform-set myset
 match address 101
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255

The "Side B" setting is similar, but with different IP addresses and access lists. Am I missing anything? Please advise.

Best regards

12 Replies

royalblues
Level 10

The access-list at the other end needs to be an exact mirror of what is configured at this end.

Is the crypto map applied to the correct interface? Can you post the other side's config as well?

Narayan

Hi,

interface GigabitEthernet0/0
 crypto map mymap

Jun 21 13:04:50.522 UTC: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at x.x.x.x

Best regards

The posted config looks pretty reasonable. I have several suggestions of things to check. If the original poster could be a bit more specific about what does not work we might be able to provide better advice.

- do you have good IP connectivity to the peer address? (Ping is an adequate test; extended ping would be better. In the extended ping, specify the peer address as the destination and the gig interface configured as the local address as the source.)

- is it possible that there is a firewall examining traffic going out from your side or examining traffic into the other side? If so, verify that it allows UDP port 500 for ISAKMP and allows protocol 50 for ESP.

- in addition to verifying that the access list on the other side is a mirror of the access list on this side, verify that the isakmp policy on the other side is an exact match to the policy on this side.

- if none of these reveal any problem then it would be helpful to run debug crypto isakmp and post the output.

HTH

Rick

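The three checks the replies above ask for (crypto ACLs that are exact mirrors of each other, identical transform sets, an ISAKMP policy that matches on both sides) can be automated before anyone turns on debugging. The script below is an added example, not code from the thread or from Cisco. It parses the few IOS lines that matter, converts wildcard masks to prefixes so that 0.0.0.255 and 0.0.255.255 are compared as networks, fills in the IOS defaults for anything left unset under `crypto isakmp policy`, and reports every mismatch. Side A is the configuration quoted in the question; the two Side B configurations are constructed for the example, and ACL number 102 is an assumption.

```python
"""Cross-check two Cisco IOS crypto-map VPN configurations for the mismatches
discussed above. Added example, not code from the thread or from Cisco."""
import ipaddress

# IOS defaults for values left unset under "crypto isakmp policy".
POLICY_DEFAULTS = {"encryption": "des", "hash": "sha",
                   "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}


def wildcard_to_network(addr, wildcard):
    """IOS address/wildcard pair (0.0.0.255 == /24) -> IPv4Network; a
    non-contiguous wildcard has no prefix form and raises ValueError."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def pop_endpoint(tokens):
    """Consume one ACL source/destination spec: 'any', 'host A' or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return wildcard_to_network(tok, tokens.pop(0))


def parse_side(text):
    """Pull out ISAKMP policies, transform sets, crypto-map references and ACLs."""
    side = {"policies": {}, "transforms": {}, "acls": {}, "map_acl": None, "map_ts": None}
    policy = None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[:3] == ["crypto", "isakmp", "policy"]:
            policy = dict(POLICY_DEFAULTS)          # start from the IOS defaults
            side["policies"][t[3]] = policy
            continue
        if t[0] == "crypto":
            policy = None                           # left the policy sub-mode
        if policy is not None and t[0] in POLICY_DEFAULTS:
            policy[t[0]] = " ".join(t[1:])          # e.g. "encryption aes 256"
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            side["transforms"][t[3]] = tuple(sorted(t[4:]))   # order is irrelevant
        elif t[:2] == ["match", "address"]:
            side["map_acl"] = t[2]
        elif t[:2] == ["set", "transform-set"]:
            side["map_ts"] = t[2]
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            rest = t[4:]
            src, dst = pop_endpoint(rest), pop_endpoint(rest)
            side["acls"].setdefault(t[1], []).append((src, dst))
    return side


def find_mismatches(side_a_text, side_b_text):
    """Human-readable mismatches between the two sides; an empty list means they agree."""
    a, b = parse_side(side_a_text), parse_side(side_b_text)
    acl_a, acl_b = a["acls"].get(a["map_acl"], []), b["acls"].get(b["map_acl"], [])
    problems = []
    # Every (src, dst) on one side must appear as (dst, src) on the other.
    for other, mine, theirs in (("B", acl_a, acl_b), ("A", acl_b, acl_a)):
        for src, dst in mine:
            if (dst, src) not in theirs:
                problems.append(f"ACL: side {other} has no mirror of {src} -> {dst}")
    ts_a, ts_b = a["transforms"].get(a["map_ts"]), b["transforms"].get(b["map_ts"])
    if ts_a != ts_b:
        problems.append(f"Transform set: side A {ts_a} vs side B {ts_b}")
    if not any(pa == pb for pa in a["policies"].values() for pb in b["policies"].values()):
        problems.append("ISAKMP: no policy on side A matches any policy on side B")
    return problems


# Side A: the configuration quoted in the question (keepalive/key/peer lines omitted).
SIDE_A = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 101 ipsec-isakmp
 set transform-set myset
 match address 101
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255
"""
# Side B, constructed as an exact mirror (ACL number 102 is an assumption).
SIDE_B_OK = SIDE_A.replace("match address 101", "match address 102").replace(
    "access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "access-list 102 permit ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255")
# Side B, constructed with three typical slips: the hash left at its default
# (sha), a different transform set, and a /16 where the mirror needs a /24.
SIDE_B_BAD = """\
crypto isakmp policy 10
 authentication pre-share
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 101 ipsec-isakmp
 set transform-set myset
 match address 102
access-list 102 permit ip 192.168.0.0 0.0.255.255 172.16.1.0 0.0.0.255
"""
```

`find_mismatches(SIDE_A, SIDE_B_OK)` returns an empty list; `find_mismatches(SIDE_A, SIDE_B_BAD)` returns four findings, two for the ACL (each side lacks the mirror of the other's entry), one for the transform set and one for the ISAKMP policy. The policy comparison is deliberately strict: a `hash md5` on one side against an unset hash on the other is a mismatch, because IOS falls back to SHA, which is exactly what the "Hash algorithm offered does not match policy!" line in a debug means.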

hi,

Following is the log; x.x.x.x is side A, y.y.y.y is side B.

Jun 21 14:33:40.209 UTC: ISAKMP (0:0): received packet from x.x.x.x dport 500 sport 500 Global (N) NEW SA
Jun 21 14:33:40.209 UTC: ISAKMP: Found a peer struct for x.x.x.x, peer port 500
Jun 21 14:33:40.209 UTC: ISAKMP: Locking peer struct 0x6493A7E4, IKE refcount 2 for crypto_isakmp_process_block
Jun 21 14:33:40.209 UTC: ISAKMP: local port 500, remote port 500
Jun 21 14:33:40.209 UTC: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 659CF0BC
Jun 21 14:33:40.209 UTC: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 21 14:33:40.209 UTC: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
Jun 21 14:33:40.209 UTC: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Jun 21 14:33:40.209 UTC: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching x.x.x.x
Jun 21 14:33:40.209 UTC: ISAKMP:(0:0:N/A:0): local preshared key found
Jun 21 14:33:40.209 UTC: ISAKMP : Scanning profiles for xauth ...
Jun 21 14:33:40.209 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
Jun 21 14:33:40.209 UTC: ISAKMP: encryption DES-CBC
Jun 21 14:33:40.209 UTC: ISAKMP: hash SHA
Jun 21 14:33:40.209 UTC: ISAKMP: auth pre-share
Jun 21 14:33:40.209 UTC: ISAKMP: default group 1
Jun 21 14:33:40.209 UTC: ISAKMP: life type in seconds
Jun 21 14:33:40.209 UTC: ISAKMP: life duration (VPI) of 0x0 0x0 0xE 0x10
Jun 21 14:33:40.209 UTC: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
Jun 21 14:33:40.209 UTC: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Jun 21 14:33:40.209 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 10 policy
Jun 21 14:33:40.209 UTC: ISAKMP: encryption DES-CBC
Jun 21 14:33:40.209 UTC: ISAKMP: hash MD5
Jun 21 14:33:40.209 UTC: ISAKMP: auth pre-share
Jun 21 14:33:40.209 UTC: ISAKMP: default group 1
Jun 21 14:33:40.209 UTC: ISAKMP: life type in seconds
Jun 21 14:33:40.209 UTC: ISAKMP: life duration (VPI) of 0x0 0x0 0xE 0x10
Jun 21 14:33:40.209 UTC: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
Jun 21 14:33:40.217 UTC: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 21 14:33:40.217 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1
Jun 21 14:33:40.217 UTC: ISAKMP:(0:2:SW:1): sending packet to x.x.x.x my_port 500 peer_port 500 (R) MM_SA_SETUP
Jun 21 14:33:40.217 UTC: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 21 14:33:40.217 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
Jun 21 14:33:40.825 UTC: ISAKMP (0:134217730): received packet from x.x.x.x dport 500 sport 500 Global (R) MM_SA_SETUP
Jun 21 14:33:40.825 UTC: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 21 14:33:40.825 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3
Jun 21 14:33:40.825 UTC: ISAKMP:(0:2:SW:1): processing KE payload. message ID = 0
Jun 21 14:33:40.837 UTC: ISAKMP:(0:2:SW:1): processing NONCE payload. message ID = 0
Jun 21 14:33:40.837 UTC: ISAKMP:(0:2:SW:1):found peer pre-shared key matching x.x.x.x
Jun 21 14:33:40.837 UTC: ISAKMP:(0:2:SW:1):SKEYID state generated
Jun 21 14:33:40.837 UTC: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 21 14:33:40.837 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3
Jun 21 14:33:40.837 UTC: ISAKMP:(0:2:SW:1): sending packet to x.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
Jun 21 14:33:40.837 UTC: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 21 14:33:40.837 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
Jun 21 14:33:41.701 UTC: ISAKMP (0:134217730): received packet from x.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1): processing ID payload. message ID = 0
Jun 21 14:33:41.705 UTC: ISAKMP (0:134217730): ID payload
    next-payload : 8
    type : 1
    address : x.x.x.x
    protocol : 0
    port : 0
    length : 12
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):: peer matches *none* of the profiles
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 0
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):SA authentication status:
    authenticated
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):SA has been authenticated with x.x.x.x
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jun 21 14:33:41.705 UTC: ISAKMP (0:134217730): ID payload
    next-payload : 8
    type : 1
    address : y.y.y.y
    protocol : 17
    port : 500
    length : 12
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Total payload length: 12
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1): sending packet to x.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Jun 21 14:33:41.909 UTC: ISAKMP (0:134217730): received packet from x.x.x.x dport 500 sport 500 Global (R) QM_IDLE
Jun 21 14:33:41.909 UTC: ISAKMP: set new node 1125641852 to QM_IDLE
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 1125641852
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1): processing SA payload. message ID = 1125641852
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1):Checking IPSec proposal 1
Jun 21 14:33:41.909 UTC: ISAKMP: transform 1, ESP_DES
Jun 21 14:33:41.909 UTC: ISAKMP: attributes in transform:
Jun 21 14:33:41.909 UTC: ISAKMP: SA life type in seconds
Jun 21 14:33:41.909 UTC: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
Jun 21 14:33:41.909 UTC: ISAKMP: encaps is 1 (Tunnel)
Jun 21 14:33:41.909 UTC: ISAKMP: authenticator is HMAC-MD5
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1):atts are acceptable.
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1): phase 2 SA policy not acceptable! (local y.y.y.y remote x.x.x.x)
Jun 21 14:33:41.909 UTC: ISAKMP: set new node -1019059564 to QM_IDLE
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 1699976904, message ID = -1019059564
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1): sending packet to x.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1):purging node -1019059564
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1):deleting node 1125641852 error TRUE reason "QM rejected"
Jun 21 14:33:41.909 UTC: ISAKMP (0:134217730): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node 1125641852: state = IKE_QM_READY
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1):Node 1125641852, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_QM_READY New State = IKE_QM_READY
Jun 21 14:33:41.909 UTC: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at x.x.x.x

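A classifier for `debug crypto isakmp` output such as the capture above, added here as an example; it is not code from the thread or from Cisco. It walks the phase-1 transform checks (recording which offered transform was accepted and why the others were rejected), then decides whether the negotiation stopped in main mode or in quick mode. The quick-mode reading is a heuristic of the example, not a statement from the thread: "atts are acceptable" followed by "IPSec policy invalidated proposal" means the IPsec transform matched but the proposal fitted no local crypto-map entry, which usually points at the crypto ACLs (proxy identities) or the peer address rather than the transform set. The first sample is a condensed copy of the posted log; the second is constructed to show a main-mode failure.

```python
"""Classify a Cisco IOS 'debug crypto isakmp' capture as a main-mode or a
quick-mode failure. Added example, not code from the thread or from Cisco;
the verdicts and hints are heuristics, not IOS output."""
import re

TRANSFORM_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|auth|default group)\s+(.+)$")
P2_REJECT_MARKERS = ("phase 2 SA policy not acceptable", "IPSec policy invalidated proposal",
                     "PROPOSAL_NOT_CHOSEN", 'reason "QM rejected"')
HINTS = {
    "phase1_policy_mismatch": "no offered ISAKMP transform matches a local 'crypto isakmp policy'",
    "phase1_incomplete": "main mode never reached IKE_P1_COMPLETE: check reachability, "
                         "UDP/500 filtering and the pre-shared key",
    "phase2_policy_mismatch": "IPsec transform accepted but proposal invalidated: compare the "
                              "crypto ACLs (proxy identities) and the crypto map peer",
    "phase2_transform_mismatch": "the peer's IPsec proposal matches no local transform set",
    "ok": "phase 1 and phase 2 completed",
}


def parse_phase1_transforms(lines):
    """Each ISAKMP transform the peer offered, with the local verdict on it."""
    transforms, cur = [], None
    for line in lines:
        m = TRANSFORM_RE.search(line)
        if m:
            cur = {"transform": int(m.group(1)), "policy": int(m.group(2)),
                   "attrs": {}, "accepted": None, "reason": None}
            transforms.append(cur)
        elif cur is None or cur["accepted"] is not None:
            continue                                  # not inside an open transform check
        elif (am := ATTR_RE.search(line)):
            cur["attrs"][am.group(1)] = am.group(2).strip()
        elif "does not match policy" in line:
            cur["reason"] = line.split(":")[-1].strip()
        elif "atts are not acceptable" in line:
            cur["accepted"] = False
        elif "atts are acceptable" in line:
            cur["accepted"] = True
    return transforms


def diagnose(debug_text):
    """Verdict for one capture: where the negotiation stopped and what to compare."""
    lines = [l.strip() for l in debug_text.splitlines() if l.strip()]
    transforms = parse_phase1_transforms(lines)
    phase1_complete = any("New State = IKE_P1_COMPLETE" in l for l in lines)
    phase2_rejected = any(any(mk in l for mk in P2_REJECT_MARKERS) for l in lines)
    # Did the IPsec transform attributes match before the proposal was thrown out?
    in_phase2 = p2_attrs_ok = False
    for l in lines:
        if "Checking IPSec proposal" in l:
            in_phase2 = True
        elif in_phase2 and "atts are acceptable" in l:
            p2_attrs_ok = True
    if not phase1_complete:
        none_accepted = bool(transforms) and not any(t["accepted"] for t in transforms)
        verdict = "phase1_policy_mismatch" if none_accepted else "phase1_incomplete"
    elif phase2_rejected:
        verdict = "phase2_policy_mismatch" if p2_attrs_ok else "phase2_transform_mismatch"
    else:
        verdict = "ok"
    return {"verdict": verdict, "hint": HINTS[verdict], "phase1_complete": phase1_complete,
            "phase2_rejected": phase2_rejected, "phase1_transforms": transforms}


# Condensed copy of the debug output posted in the thread (timestamps dropped).
SAMPLE_PHASE2_FAILURE = """
ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
ISAKMP:(0:2:SW:1):SA has been authenticated with x.x.x.x
ISAKMP:(0:2:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
ISAKMP:(0:2:SW:1):Checking IPSec proposal 1
ISAKMP: authenticator is HMAC-MD5
ISAKMP:(0:2:SW:1):atts are acceptable.
ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
ISAKMP:(0:2:SW:1): phase 2 SA policy not acceptable! (local y.y.y.y remote x.x.x.x)
ISAKMP:(0:2:SW:1):deleting node 1125641852 error TRUE reason "QM rejected"
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at x.x.x.x
"""
# Constructed: the peer offers only a transform the local policy rejects.
SAMPLE_PHASE1_FAILURE = """
ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
"""
```

On the posted capture `diagnose` returns the verdict `phase2_policy_mismatch`, with transform 1 recorded as rejected (reason "Hash algorithm offered does not match policy!", because the peer's first offer uses SHA against a policy configured for MD5) and transform 2 as accepted; on the constructed capture it returns `phase1_policy_mismatch`. The transform detail is worth keeping even when phase 1 succeeds: it shows which of the peer's policies actually matched, which is the first thing to compare when the two configurations are supposed to be identical.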

Hi,

How do I make the VPN start to connect? Is there any "shutdown" or "no shut" command?

Best regards

There is no shutdown or no shut command needed to start IPSec. If the configuration is correct and there is interesting traffic to be protected by IPSec, then the VPN should start on its own.

Thanks for posting the additional information with the debug output. It shows that the ISAKMP negotiation is successful (main mode negotiation) and that there is an error in negotiating the IPSec session. The most likely cause is some mismatch in configuration between the routers. I would start with the transform set. You give the transform on this router as:

crypto ipsec transform-set myset esp-des esp-md5-hmac

I would check the other side and see what its transform is. It would be helpful if you would post the config from the other side.

HTH

Rick


Hi,

The config is the same as you mentioned:

crypto ipsec transform-set myset esp-des esp-md5-hmac

One thing: the internal interface 192.168.0.0/24 is not plugged into the hub. Does that cause the VPN to be down?

Best regards

Hi,

How do we check the VPN connection (similar to sh ip route)? Thanks.

Best regards

You can check the VPN connection with the command sh crypto isakmp sa.

The state should show as QM_IDLE when the VPN has successfully established.

Narayan
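A small parser for the `show crypto isakmp sa` table that Narayan points to, added as an example and not code from the thread or from Cisco. It keys on the header line (`dst src state conn-id status`; older images insert a `slot` column, which the same code handles), so a script can tell an established peer (state QM_IDLE) from one stuck in main mode. The sample output is constructed; the addresses are documentation ranges and the second row's `(deleted)` qualifier is included to show how a trailing status word is kept.

```python
"""Parse 'show crypto isakmp sa' output and report which peers finished IKE phase 1.
Added example, not code from the thread or from Cisco. QM_IDLE is the steady
state of an established ISAKMP SA; an MM_* or AG_* state means main or
aggressive mode is still in progress (or stalled) with that peer."""

# Constructed sample in the IOS 12.4-style layout; addresses are documentation ranges.
SAMPLE_SHOW_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     198.51.100.1    QM_IDLE           1001 ACTIVE
203.0.113.3     198.51.100.1    MM_NO_STATE       1002 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""


def parse_isakmp_sa(text):
    """One dict per SA row, keyed by the column names found in the header line."""
    rows, header = [], None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "dst":            # header: dst src state conn-id [slot] status
            header = tokens
            continue
        if header is None or len(tokens) < len(header):
            continue                      # banner lines such as "IPv4 Crypto ISAKMP SA"
        row = dict(zip(header, tokens))
        # the status column may carry a trailing qualifier such as "(deleted)"
        row["status"] = " ".join(tokens[len(header) - 1:])
        rows.append(row)
    return rows


def established_peers(text):
    """Peer (dst) addresses whose ISAKMP SA is in QM_IDLE and not marked deleted."""
    return [r["dst"] for r in parse_isakmp_sa(text)
            if r["state"] == "QM_IDLE" and "deleted" not in r["status"]]


def stalled_peers(text):
    """Peers still in a main-mode (MM_*) or aggressive-mode (AG_*) state."""
    return [(r["dst"], r["state"]) for r in parse_isakmp_sa(text)
            if r["state"].startswith(("MM_", "AG_"))]
```

On the sample, `established_peers` returns only 203.0.113.2 and `stalled_peers` reports 203.0.113.3 in MM_NO_STATE. A QM_IDLE entry only proves phase 1; whether traffic is actually being protected is a phase-2 question, which is why the debug above still shows a failure after main mode completed.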
