royalblues Sat, 07/07/2007 - 04:35

Is the tunnel destination reachable from both ends? I do not see any routes except for one static route to the tunnel.

Can you post sh ip route?


Can you also add the transform set under the crypto profile

crypto ipsec profile VTI

set transform-set ali


HTH

Narayan

alsayed@litani.... Sat, 07/07/2007 - 07:50

Hi Narayan

The tunnel interfaces on both sides are down:

Tunnel0 192.168.3.2 YES manual reset down


sh ip route

Gateway of last resort is not set


C 192.1.1.0/24 is directly connected, Serial1/1

C 192.168.1.0/24 is directly connected, FastEthernet0/0

Router-A#

alsayed@litani.... Sat, 07/07/2007 - 07:57

Hi

new entry:

Tunnel0 192.168.3.1 YES manual up down

ROUTER-B#sh crypto isakmp sa

dst src state conn-id slot status

192.1.1.1 193.1.1.1 MM_NO_STATE 0 0 ACTIVE (deleted)

10xs

royalblues Sat, 07/07/2007 - 08:19

Ali,


How are routerA and router B connected?


With the information you provided, routerA does not seem to have a route for the tunnel destination and hence the tunnel is not coming up. The VPN will come up only when your tunnel is up.


HTH

Narayan

sundar.palaniappan Sat, 07/07/2007 - 08:38

Ali,


Add a static route to the tunnel destination address on both routers. You should be able to ping the GRE tunnel IP address of each other. IPSEC SA should come up after that.


HTH


Sundar

royalblues Sat, 07/07/2007 - 09:05

Are these routers connected directly?



sundar.palaniappan Sat, 07/07/2007 - 09:31

Ali,


The static route(s) you have is for the LAN at the far end, but you need a static route to get to the tunnel destination address itself. Can you add the following static routes on both routers? This would cause the tunnel int to come up and you should be able to ping the tunnel IP of each other router.


Router-A:


ip route 193.1.1.1 255.255.255.255 (next-hop-address)


Router-B:


ip route 192.1.1.1 255.255.255.255 (next-hop-address)


HTH


Sundar

sundar.palaniappan Sat, 07/07/2007 - 09:35

I just noticed you posted that these routers are directly connected to each other via serial int. If they are directly connected to each other, the serial interfaces of both routers need to be on the same subnet. Can you reconfigure it that way?



royalblues Sat, 07/07/2007 - 09:40

Ali,


The serial interfaces are connected together, yet in your configuration they lie in separate subnets.


On router B configure

interface Serial1/2

ip address 192.1.1.2 255.255.255.0


interface Tunnel0

tunnel source 192.1.1.2

tunnel destination 192.1.1.1


On router A

interface Tunnel0

tunnel source 192.1.1.1

tunnel destination 192.1.1.2


And also set the transform set under the crypto profile

crypto ipsec profile VTI

set transform-set ali


Have a look at this for an example configuration

http://www.cisco.com/en/US/products/ps6635/products_white_paper0900aecd8029d629.shtml


HTH, rate if it does

Narayan

alsayed@litani.... Sat, 07/07/2007 - 09:54

Hello

How can I fix this:

*Mar 1 23:03:17.994: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 192.1.1.1


royalblues Sat, 07/07/2007 - 10:07

This generally means the devices are not configured with the same properties.


Make sure the profile parameters are similar in both the peers, otherwise negotiations will fail.


Narayan

Jon Marshall Sat, 07/07/2007 - 10:07

Hi Ali


For Cisco error message doc


=============================================


%CRYPTO-6-IKMP_MODE_FAILURE : Processing of [chars] mode failed with peer at [IP_address]

Explanation Negotiation with the remote peer has failed.


Recommended Action If this situation persists, contact the remote peer.


=============================================


You may see this even if you successfully negotiate a tunnel. Could you post full debug when tunnel is failing?


Jon

alsayed@litani.... Sat, 07/07/2007 - 10:13

HELLO Experts!

The error was here:

crypto isakmp key 6 cisco123 address 193.1.1.1 no-xauth

I adjusted it to 192.1.1.2

10xs a lot
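
The three faults diagnosed in this thread (no route covering the tunnel destination, an IPsec profile without a transform set, a pre-shared key bound to an address that is not the tunnel peer) can be checked offline before touching the router. The following is an added example, not part of any poster's reply: `sections` and `lint_vti` are hypothetical helper names, the config text is constructed from fragments quoted in the thread, and the `tunnel protection ipsec profile VTI` line is assumed since nobody posted it. The route check is simplified: any connected or static prefix covering the destination counts.

```python
import ipaddress
import re

def sections(config):
    """Split IOS-style config into {top-level line: [indented child lines]}."""
    out, head = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and head:
            out[head].append(line.strip())
        elif line.strip():
            head = line.strip()
            out[head] = []
    return out

def lint_vti(config):
    """Report the three faults diagnosed in the thread (hypothetical helper)."""
    findings = []
    # Prefixes the router can reach: connected interfaces plus static routes.
    nets = [ipaddress.ip_network(f"{a}/{m}", strict=False) for a, m in
            re.findall(r"^\s*ip (?:address|route) (\S+) (\S+)", config, re.M)]
    key_peers = re.findall(r"^crypto isakmp key .* address (\S+)", config, re.M)
    for head, body in sections(config).items():
        name = head.split()[-1]
        if head.startswith("crypto ipsec profile ") and not any(
                l.startswith("set transform-set ") for l in body):
            findings.append(f"{name}: no transform-set")
        for l in body:
            if l.startswith("tunnel destination "):
                dst = ipaddress.ip_address(l.split()[-1])
                if not any(dst in n for n in nets):
                    findings.append(f"{name}: no route to {dst}")
                if str(dst) not in key_peers and "0.0.0.0" not in key_peers:
                    findings.append(f"{name}: no isakmp key for {dst}")
    return findings

# Constructed Router-A config: state after re-addressing, before the key fix.
MID = """
crypto isakmp key 6 cisco123 address 193.1.1.1 no-xauth
crypto ipsec profile VTI
interface Serial1/1
 ip address 192.1.1.1 255.255.255.0
interface Tunnel0
 tunnel destination 192.1.1.2
 tunnel protection ipsec profile VTI
ip route 192.168.2.0 255.255.255.0 Tunnel0
"""
FIXED = MID.replace("193.1.1.1", "192.1.1.2").replace(
    "crypto ipsec profile VTI\n", "crypto ipsec profile VTI\n set transform-set ali\n")
print(lint_vti(MID), lint_vti(FIXED))
```
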

royalblues Sat, 07/07/2007 - 10:19

Good to know that you got it working :-)

alsayed@litani.... Sat, 07/07/2007 - 10:27

Hello!


Router-A#show crypto session detail

Crypto session current status


Code: C - IKE Configuration mode, D - Dead Peer Detection

K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

M - Continuous Channel Mode


Interface: Tunnel0

Session status: UP-ACTIVE

Peer: 192.1.1.2 port 500 fvrf: (none) ivrf: (none)

Phase1_id: 192.1.1.2

Desc: (none)

IKE SA: local 192.1.1.1/500 remote 192.1.1.2/500 Active

Capabilities:(none) connid:1 lifetime:23:50:07

IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0

Active SAs: 2, origin: crypto map

Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4413422/3010

Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4413422/3010

*********************************************

Gateway of last resort is not set


C 192.1.1.0/24 is directly connected, Serial1/1

C 192.168.1.0/24 is directly connected, FastEthernet0/0

S 192.168.2.0/24 is directly connected, Tunnel0

C 192.168.3.0/24 is directly connected, Tunnel0

Router-A#

*********************************************

Router-A#s

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 192.168.1.1 YES manual up up

Serial1/0 unassigned YES unset administratively down down

Serial1/1 192.1.1.1 YES manual up up

Serial1/2 unassigned YES unset administratively down down

Serial1/3 unassigned YES unset administratively down down

Tunnel0 192.168.3.1 YES manual up up

*********************************************

Router-A#sh crypto isa

Router-A#sh crypto isakmp sa

dst src state conn-id slot status

192.1.1.2 192.1.1.1 QM_IDLE 1 0 ACTIVE

*********************************************

