06-21-2007 03:59 AM - edited 03-03-2019 05:32 PM
Hi,
We configured the VPN but it does not work.
Following is the setting:
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco address x.x.x.x
crypto isakmp keepalive 30
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap local-address GigabitEthernet0/0
crypto map mymap 101 ipsec-isakmp
description VPN to tw
set peer x.x.x.x
set transform-set myset
match address 101
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255
The "Side B" setting is similar but with different IP addresses and access lists. Is there anything I am missing? Please advise.
Best regards
06-21-2007 04:08 AM
The access-list at the other end needs to be an exact mirror of what is configured at this end.
Is the crypto map applied to the correct interface? Can you post the other side's config as well?
Narayan
06-21-2007 05:25 AM
Hi,
interface GigabitEthernet0/0
crypto map mymap
Jun 21 13:04:50.522 UTC: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at x.x.x.x
Best regards
06-21-2007 05:29 AM
The posted config looks pretty reasonable. I have several suggestions of things to check. If the original poster could be a bit more specific about what does not work we might be able to provide better advice.
- Do you have good IP connectivity to the peer address? (Ping is an adequate test; extended ping would be better. In the extended ping, specify the peer address as the destination and the gig interface configured as the local address as the source.)
- Is it possible that there is a firewall examining traffic going out from your side or examining traffic into the other side? If so, verify that it allows UDP port 500 for isakmp and allows protocol 50 for ESP.
- In addition to verifying that the access list on the other side is a mirror of the access list on this side, verify that the isakmp policy on the other side is an exact match to the policy on this side.
- If none of these reveal any problem, then it would be helpful to run debug crypto isakmp and post the output.
HTH
Rick
06-21-2007 06:38 AM
Hi,
Following is the log; x.x.x.x is side A, y.y.y.y is side B.
Jun 21 14:33:40.209 UTC: ISAKMP (0:0): received packet from x.x.x.x dport 500 sport 500 Global (N) NEW SA
Jun 21 14:33:40.209 UTC: ISAKMP: Found a peer struct for x.x.x.x, peer port 500
Jun 21 14:33:40.209 UTC: ISAKMP: Locking peer struct 0x6493A7E4, IKE refcount 2 for crypto_isakmp_process_block
Jun 21 14:33:40.209 UTC: ISAKMP: local port 500, remote port 500
Jun 21 14:33:40.209 UTC: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 659CF0BC
Jun 21 14:33:40.209 UTC: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 21 14:33:40.209 UTC: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
Jun 21 14:33:40.209 UTC: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Jun 21 14:33:40.209 UTC: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching x.x.x.x
Jun 21 14:33:40.209 UTC: ISAKMP:(0:0:N/A:0): local preshared key found
Jun 21 14:33:40.209 UTC: ISAKMP : Scanning profiles for xauth ...
Jun 21 14:33:40.209 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
Jun 21 14:33:40.209 UTC: ISAKMP: encryption DES-CBC
Jun 21 14:33:40.209 UTC: ISAKMP: hash SHA
Jun 21 14:33:40.209 UTC: ISAKMP: auth pre-share
Jun 21 14:33:40.209 UTC: ISAKMP: default group 1
Jun 21 14:33:40.209 UTC: ISAKMP: life type in seconds
Jun 21 14:33:40.209 UTC: ISAKMP: life duration (VPI) of 0x0 0x0 0xE 0x10
Jun 21 14:33:40.209 UTC: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
Jun 21 14:33:40.209 UTC: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Jun 21 14:33:40.209 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 10 policy
Jun 21 14:33:40.209 UTC: ISAKMP: encryption DES-CBC
Jun 21 14:33:40.209 UTC: ISAKMP: hash MD5
Jun 21 14:33:40.209 UTC: ISAKMP: auth pre-share
Jun 21 14:33:40.209 UTC: ISAKMP: default group 1
Jun 21 14:33:40.209 UTC: ISAKMP: life type in seconds
Jun 21 14:33:40.209 UTC: ISAKMP: life duration (VPI) of 0x0 0x0 0xE 0x10
Jun 21 14:33:40.209 UTC: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
Jun 21 14:33:40.217 UTC: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 21 14:33:40.217 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1
Jun 21 14:33:40.217 UTC: ISAKMP:(0:2:SW:1): sending packet to x.x.x.x my_port 500 peer_port 500 (R) MM_SA_SETUP
Jun 21 14:33:40.217 UTC: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 21 14:33:40.217 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
Jun 21 14:33:40.825 UTC: ISAKMP (0:134217730): received packet from x.x.x.x dport 500 sport 500 Global (R) MM_SA_SETUP
Jun 21 14:33:40.825 UTC: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 21 14:33:40.825 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3
Jun 21 14:33:40.825 UTC: ISAKMP:(0:2:SW:1): processing KE payload. message ID = 0
Jun 21 14:33:40.837 UTC: ISAKMP:(0:2:SW:1): processing NONCE payload. message ID = 0
Jun 21 14:33:40.837 UTC: ISAKMP:(0:2:SW:1):found peer pre-shared key matching x.x.x.x
Jun 21 14:33:40.837 UTC: ISAKMP:(0:2:SW:1):SKEYID state generated
Jun 21 14:33:40.837 UTC: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 21 14:33:40.837 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3
--- part 1 ----
06-21-2007 06:39 AM
Jun 21 14:33:40.837 UTC: ISAKMP:(0:2:SW:1): sending packet to x.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
Jun 21 14:33:40.837 UTC: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 21 14:33:40.837 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
Jun 21 14:33:41.701 UTC: ISAKMP (0:134217730): received packet from x.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1): processing ID payload. message ID = 0
Jun 21 14:33:41.705 UTC: ISAKMP (0:134217730): ID payload
next-payload : 8
type : 1
address : x.x.x.x
protocol : 0
port : 0
length : 12
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):: peer matches *none* of the profiles
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 0
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):SA authentication status:
authenticated
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):SA has been authenticated with x.x.x.x
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jun 21 14:33:41.705 UTC: ISAKMP (0:134217730): ID payload
next-payload : 8
type : 1
address : y.y.y.y
protocol : 17
port : 500
length : 12
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Total payload length: 12
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1): sending packet to x.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
--- part 2 ----
06-21-2007 06:41 AM
Jun 21 14:33:40.837 UTC: ISAKMP:(0:2:SW:1): sending packet to x.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
Jun 21 14:33:40.837 UTC: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 21 14:33:40.837 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
Jun 21 14:33:41.701 UTC: ISAKMP (0:134217730): received packet from x.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1): processing ID payload. message ID = 0
Jun 21 14:33:41.705 UTC: ISAKMP (0:134217730): ID payload
next-payload : 8
type : 1
address : x.x.x.x
protocol : 0
port : 0
length : 12
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):: peer matches *none* of the profiles
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 0
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):SA authentication status:
authenticated
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):SA has been authenticated with x.x.x.x
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jun 21 14:33:41.705 UTC: ISAKMP (0:134217730): ID payload
next-payload : 8
type : 1
address : y.y.y.y
protocol : 17
port : 500
length : 12
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Total payload length: 12
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1): sending packet to x.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
06-21-2007 06:44 AM
-----
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jun 21 14:33:41.909 UTC: ISAKMP (0:134217730): received packet from x.x.x.x dport 500 sport 500 Global (R) QM_IDLE
Jun 21 14:33:41.909 UTC: ISAKMP: set new node 1125641852 to QM_IDLE
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 1125641852
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1): processing SA payload. message ID = 1125641852
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1):Checking IPSec proposal 1
Jun 21 14:33:41.909 UTC: ISAKMP: transform 1, ESP_DES
Jun 21 14:33:41.909 UTC: ISAKMP: attributes in transform:
Jun 21 14:33:41.909 UTC: ISAKMP: SA life type in seconds
Jun 21 14:33:41.909 UTC: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
Jun 21 14:33:41.909 UTC: ISAKMP: encaps is 1 (Tunnel)
Jun 21 14:33:41.909 UTC: ISAKMP: authenticator is HMAC-MD5
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1):atts are acceptable.
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1): phase 2 SA policy not acceptable! (local y.y.y.y remote x.x.x.x)
Jun 21 14:33:41.909 UTC: ISAKMP: set new node -1019059564 to QM_IDLE
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1699976904, message ID = -1019059564
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1): sending packet to x.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1):purging node -1019059564
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1):deleting node 1125641852 error TRUE reason "QM rejected"
Jun 21 14:33:41.909 UTC: ISAKMP (0:134217730): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node 1125641852: state = IKE_QM_READY
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1):Node 1125641852, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_QM_READY New State = IKE_QM_READY
Jun 21 14:33:41.909 UTC: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at x.x.x.x
--- part 4 ---
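Added example (not code from anyone in this thread): a small Python summariser that walks the debug crypto isakmp output above, records which ISAKMP transform and which IPsec proposal the router accepted or rejected and why, and maps the outcome onto the checklist given earlier in the thread (policy match, reachability/UDP 500, transform set, mirrored crypto ACL). The sample input is an excerpt of the posted debug with the thread's x.x.x.x / y.y.y.y placeholders; the marker strings are taken from those lines, and the hints are this example's own wording.

```python
import re

# Markers taken from the 'debug crypto isakmp' output posted in the thread
TRANSFORM_CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
IPSEC_PROPOSAL = re.compile(r"Checking IPSec proposal (\d+)")
NOTIFY = re.compile(r"Sending NOTIFY (\S+) protocol (\d+)")
PHASE1_DONE = "New State = IKE_P1_COMPLETE"
INVALIDATED = "IPSec policy invalidated proposal"
QM_FAIL = "%CRYPTO-6-IKMP_MODE_FAILURE"

# Constructed excerpt of the debug posted in the thread (placeholder addresses kept)
SAMPLE_DEBUG = """\
Jun 21 14:33:40.209 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
Jun 21 14:33:40.209 UTC: ISAKMP: hash SHA
Jun 21 14:33:40.209 UTC: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
Jun 21 14:33:40.209 UTC: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Jun 21 14:33:40.209 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 10 policy
Jun 21 14:33:40.209 UTC: ISAKMP: hash MD5
Jun 21 14:33:40.209 UTC: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
Jun 21 14:33:41.705 UTC: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1):Checking IPSec proposal 1
Jun 21 14:33:41.909 UTC: ISAKMP: transform 1, ESP_DES
Jun 21 14:33:41.909 UTC: ISAKMP: authenticator is HMAC-MD5
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1):atts are acceptable.
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1): phase 2 SA policy not acceptable! (local y.y.y.y remote x.x.x.x)
Jun 21 14:33:41.909 UTC: ISAKMP:(0:2:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
Jun 21 14:33:41.909 UTC: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at x.x.x.x
"""


def derive_hint(s):
    """Map the recorded outcome onto the troubleshooting steps named in the thread."""
    if not s["isakmp_transforms"]:
        return "phase 1: no ISAKMP transform check seen; the peer's first packet never arrived (check reachability and UDP 500)"
    if not any(t["accepted"] for t in s["isakmp_transforms"]):
        return "phase 1: no ISAKMP transform matched the local policy; make the crypto isakmp policy identical on both routers"
    if not s["phase1_complete"]:
        return "phase 1: policy matched but main mode never completed; check IP reachability to the peer and that UDP 500 / ESP are not filtered"
    for p in s["ipsec_proposals"]:
        if p["accepted"] is False and p["reason"] == INVALIDATED:
            # transform attributes matched a local transform set, so the refusal comes from the
            # rest of the IPsec policy: the crypto ACL (proxy identities) and crypto map entry
            return "phase 2: transform attributes were accepted but IPsec policy refused the proposal; compare the crypto ACLs (each must mirror the other) and the crypto map entry for this peer"
        if p["accepted"] is False:
            return "phase 2: offered transform rejected; compare the transform sets on both routers"
    if s["quick_mode_failed"]:
        return "phase 2: quick mode failed without a proposal check; post the full debug"
    return "negotiation completed; confirm with 'show crypto isakmp sa' (state QM_IDLE)"


def summarize_isakmp_debug(lines):
    """Walk debug lines in order and record, per ISAKMP transform and per IPsec proposal,
    whether IOS accepted it and (if not) the reason line it printed."""
    s = {"isakmp_transforms": [], "phase1_complete": False, "ipsec_proposals": [],
         "notify": None, "quick_mode_failed": False, "hint": None}
    cur = None  # transform or proposal currently under evaluation
    for line in lines:
        m = TRANSFORM_CHECK.search(line)
        if m:
            cur = {"index": int(m.group(1)), "policy": int(m.group(2)), "accepted": None, "reason": None}
            s["isakmp_transforms"].append(cur)
            continue
        m = IPSEC_PROPOSAL.search(line)
        if m:
            cur = {"index": int(m.group(1)), "accepted": None, "reason": None}
            s["ipsec_proposals"].append(cur)
            continue
        m = NOTIFY.search(line)
        if m:
            s["notify"] = m.group(1)
            continue
        if PHASE1_DONE in line:
            s["phase1_complete"] = True
        elif QM_FAIL in line:
            s["quick_mode_failed"] = True
        elif cur is not None:
            if "does not match policy" in line:
                cur["reason"] = line.split(":")[-1].strip()   # text after the last ':' prefix
            elif "atts are not acceptable" in line:
                cur["accepted"] = False
            elif "atts are acceptable" in line:
                cur["accepted"] = True
            elif INVALIDATED in line:   # transform matched, but the proposal as a whole was refused
                cur["accepted"] = False
                cur["reason"] = INVALIDATED
    s["hint"] = derive_hint(s)
    return s


if __name__ == "__main__":
    result = summarize_isakmp_debug(SAMPLE_DEBUG.splitlines())
    for t in result["isakmp_transforms"]:
        print("ISAKMP transform", t["index"], "accepted" if t["accepted"] else "rejected:", t["reason"] or "")
    print("phase 1 complete:", result["phase1_complete"])
    print("notify:", result["notify"], "| quick mode failed:", result["quick_mode_failed"])
    print("hint:", result["hint"])
```

Feed it `debug crypto isakmp` output captured to a file (`summarize_isakmp_debug(open("debug.txt").read().splitlines())`); on the posted log it reports transform 1 rejected on the hash, transform 2 accepted, phase 1 complete, and the phase 2 proposal refused after its attributes were accepted, which is the case where the transform set is not the thing to compare first.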
06-21-2007 06:47 AM
Hi,
How do I make the VPN start to connect? Is there a "shutdown" or "no shut" command?
Best regards
06-21-2007 07:04 AM
There is no shutdown or no shut command needed to start IPSec. If the configuration is correct and there is interesting traffic to be protected by IPSec, then the VPN should start on its own.
Thanks for posting the additional information with the debug output. It shows that the ISAKMP negotiation is successful (main mode negotiation) and that there is an error in negotiating the IPSec session. The most likely cause is some configuration mismatch between the routers. I would start with the transform set. You give the transform on this router as:
crypto ipsec transform-set myset esp-des esp-md5-hmac
I would check the other side and see what its transform is. It would be helpful if you would post the config from the other side.
HTH
Rick
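Added example (not code from anyone in this thread): a Python checker for the three things the replies say must line up between the two routers, the ISAKMP policy (filling in the IOS defaults des / sha / group 1 for attributes a policy does not set, as the debug above confirms), the transform set referenced by the crypto map, and the crypto ACL, which on side B must be side A's entries with source and destination swapped. Side A below is the configuration posted at the top of the thread; the two side B configurations are constructed, one a correct mirror and one with a deliberately wrong mask so the finding shows. Only the commands used in the posted config are parsed.

```python
import re

# IOS fills in these ISAKMP policy attributes when a policy does not set them explicitly
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha",
                   "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}
POLICY_ATTR = re.compile(r"(encryption|hash|authentication|group|lifetime) (.+)$")

# Side A: the configuration posted in the thread
SIDE_A = """\
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco address x.x.x.x
crypto isakmp keepalive 30
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap local-address GigabitEthernet0/0
crypto map mymap 101 ipsec-isakmp
description VPN to tw
set peer x.x.x.x
set transform-set myset
match address 101
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255
"""

# Side B, constructed: a correct mirror of side A
SIDE_B_OK = """\
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco address y.y.y.y
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 101 ipsec-isakmp
set peer y.y.y.y
set transform-set myset
match address 101
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
"""

# Side B, constructed: same, but the crypto ACL covers 172.16.0.0/16 instead of 172.16.1.0/24
SIDE_B_BAD = SIDE_B_OK.replace("172.16.1.0 0.0.0.255", "172.16.0.0 0.0.255.255")


def parse_ios(text):
    """Pull ISAKMP policies, transform sets, and the crypto map's transform set and
    ACL reference out of an IOS config snippet."""
    cfg = {"isakmp_policies": {}, "transform_sets": {}, "acls": {},
           "match_acl": None, "map_transform": None}
    policy = None  # the 'crypto isakmp policy' block we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policy = dict(ISAKMP_DEFAULTS)
            cfg["isakmp_policies"][int(m.group(1))] = policy
            continue
        m = POLICY_ATTR.match(line)
        if m and policy is not None:
            policy[m.group(1)] = m.group(2)
            continue
        policy = None  # any other command (including '!') ends the policy block
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            cfg["transform_sets"][m.group(1)] = frozenset(m.group(2).split())
        elif re.match(r"set transform-set (\S+)$", line):
            cfg["map_transform"] = line.split()[-1]
        elif re.match(r"match address (\d+)$", line):
            cfg["match_acl"] = int(line.split()[-1])
        else:
            m = re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$", line)
            if m:
                src, dst = (m.group(2), m.group(3)), (m.group(4), m.group(5))
                cfg["acls"].setdefault(int(m.group(1)), []).append((src, dst))
    return cfg


def fmt(entry):
    (sn, sm), (dn, dm) = entry
    return f"{sn} {sm} -> {dn} {dm}"


def compare_sides(side_a, side_b):
    """Return a list of mismatch findings; an empty list means policy, transform set
    and crypto ACL line up (ISAKMP lifetime is negotiated, so it is not compared)."""
    a, b = parse_ios(side_a), parse_ios(side_b)
    findings = []
    keys = ("encryption", "hash", "authentication", "group")
    a_pol = {tuple(p[k] for k in keys) for p in a["isakmp_policies"].values()}
    b_pol = {tuple(p[k] for k in keys) for p in b["isakmp_policies"].values()}
    if not a_pol & b_pol:
        findings.append("isakmp: no policy on side A matches one on side B (encryption/hash/authentication/group)")
    a_ts = a["transform_sets"].get(a["map_transform"])
    b_ts = b["transform_sets"].get(b["map_transform"])
    if a_ts != b_ts:
        findings.append(f"ipsec: transform sets differ: {sorted(a_ts or [])} vs {sorted(b_ts or [])}")
    a_acl = set(a["acls"].get(a["match_acl"], []))
    # a mirrored entry is the same entry with source and destination swapped
    b_acl = {(dst, src) for src, dst in b["acls"].get(b["match_acl"], [])}
    for e in sorted(a_acl - b_acl):
        findings.append(f"acl: side A entry {fmt(e)} has no mirror on side B")
    for e in sorted(b_acl - a_acl):
        findings.append(f"acl: side B entry {fmt((e[1], e[0]))} has no mirror on side A")
    return findings


if __name__ == "__main__":
    print("side B (mirror):", compare_sides(SIDE_A, SIDE_B_OK) or "no mismatches")
    print("side B (wrong mask):", compare_sides(SIDE_A, SIDE_B_BAD))
```

Paste each router's `show running-config` crypto section into the two strings; an "acl:" finding with everything else clean is the configuration shape that produces the "atts are acceptable" followed by "IPSec policy invalidated proposal" sequence in the posted debug, where the transform set matched but quick mode still failed.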
06-21-2007 08:35 AM
Hi,
The config is the same as you mention:
crypto ipsec transform-set myset esp-des esp-md5-hmac
One thing: the internal interface 192.168.0.0/24 is not plugged into the hub. Does that cause the VPN to be down?
Best regards
06-21-2007 08:51 AM
Hi,
How do we check the VPN connection (similar to sh ip route)? Thanks.
Best regards
06-21-2007 10:35 AM
You can check the VPN connection with the command sh crypto isakmp sa.
The state should be seen as QM_IDLE when the VPN has successfully established.
Narayan