04-16-2008 11:06 AM - edited 03-11-2019 05:32 AM
Hi. I want to create an IPsec VPN between a 2611 and a PIX (the PIX is not on my side). I have this configuration on the 2611.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxx address y.y.y.y
!
!
crypto ipsec transform-set ESP-AES-256 esp-aes 256 esp-sha-hmac
!
crypto map First2 10 ipsec-isakmp
 set peer y.y.y.y
 set transform-set ESP-AES-256
 match address 101
!
!
!
interface FastEthernet0/0
 description $xxxxxxxxxx$
 ip address z.z.z.z
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 crypto map First2
But the IPsec is stuck and I get this debug.
*Jul 17 19:34:14.953: ISAKMP:(0:204:SW:1):purging node -23803899
*Jul 17 19:34:14.953: ISAKMP:(0:204:SW:1):purging node -1819979460
*Jul 17 19:34:15.966: ISAKMP:(0:205:SW:1): retransmitting phase 1 MM_KEY_EXCH...
*Jul 17 19:34:15.966: ISAKMP:(0:205:SW:1):incrementing error counter on sa: retransmit phase 1
*Jul 17 19:34:15.966: ISAKMP:(0:205:SW:1): retransmitting phase 1 MM_KEY_EXCH
*Jul 17 19:34:15.966: ISAKMP:(0:205:SW:1): sending packet to y.y.y.y my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jul 17 19:34:24.957: ISAKMP:(0:204:SW:1):purging SA., sa=8299AE80, delme=8299AE80
*Jul 17 19:34:24.957: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= x.x.x.x, remote= y.y.y.y,
local_proxy= 192.168.5.23/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.5.22/255.255.255.255/0/0 (type=1)
*Jul 17 19:34:24.961: ISAKMP: received ke message (3/1)
*Jul 17 19:34:24.961: ISAKMP:(0:205:SW:1):peer does not do paranoid keepalives.
*Jul 17 19:34:24.965: ISAKMP:(0:205:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer y.y.y.y)
*Jul 17 19:34:24.965: ISAKMP:(0:205:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer y.y.y.y)
*Jul 17 19:34:24.969: ISAKMP: Unlocking IKE struct 0x8299C0A4 for isadb_mark_sa_deleted(), count 0
*Jul 17 19:34:24.969: ISAKMP: Deleting peer node by peer_reap for y.y.y.y: 8299C0A4
*Jul 17 19:34:24.969: ISAKMP:(0:205:SW:1):deleting node 1414074541 error FALSE reason "IKE deleted"
*Jul 17 19:34:24.969: ISAKMP:(0:205:SW:1):deleting node -1895397965 error FALSE reason "IKE deleted"
*Jul 17 19:34:24.969: ISAKMP:(0:205:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jul 17 19:34:24.973: ISAKMP:(0:205:SW:1):Old State = IKE_I_MM5 New State = IKE_DEST_SA
*Jul 17 19:34:24.973: IPSEC(key_engine): got a queue event with 1 kei messages
*Jul 17 19:34:34.958: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= x.x.x.x, remote= y.y.y.y,
local_proxy= 192.168.5.23/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.5.22/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x470577EF(1191540719), conn_id= 0, keysize= 256, flags= 0x400A
*Jul 17 19:34:34.962: ISAKMP: received ke message (1/1)
*Jul 17 19:34:34.962: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Jul 17 19:34:34.962: ISAKMP: Created a peer struct for y.y.y.y, peer port 500
*Jul 17 19:34:34.966: ISAKMP: New peer created peer = 0x8299C0A4 peer_handle = 0x800006A6
*Jul 17 19:34:34.966: ISAKMP: Locking peer struct 0x8299C0A4, IKE refcount 1 for isakmp_initiator
04-22-2008 12:17 PM
This message indicates that IOS is trying to delete a dangling IPsec SA when receiving a delete for the IKE SA. This should only happen if keepalives are configured. Verify your configuration.
04-26-2008 04:00 PM
Looks like ISAKMP keepalives do not match at both ends. You have the default, and maybe at the other end they have configured a different value.
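
For triaging debug output like the one in the first post, here is an added example (not part of the thread) that groups ISAKMP debug lines per connection ID and reports SAs deleted while still in a Main Mode state. The sample lines are constructed in the same format as the post's debug, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the debug output in the post.
SAMPLE = """\
*Jul 17 19:34:15.966: ISAKMP:(0:205:SW:1): retransmitting phase 1 MM_KEY_EXCH...
*Jul 17 19:34:15.966: ISAKMP:(0:205:SW:1):incrementing error counter on sa: retransmit phase 1
*Jul 17 19:34:15.966: ISAKMP:(0:205:SW:1): sending packet to y.y.y.y my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jul 17 19:34:24.965: ISAKMP:(0:205:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer y.y.y.y)
*Jul 17 19:34:24.973: ISAKMP:(0:205:SW:1):Old State = IKE_I_MM5 New State = IKE_DEST_SA
"""

# "ISAKMP:(a:conn_id:type:b):" prefix; the second field is the connection ID.
SA_TAG = re.compile(r"ISAKMP:\(\d+:(\d+):[^:)]+:\d+\):\s*(.*)")
RETRANS = re.compile(r"retransmitting phase (\d) (\w+)\.\.\.")
DELETE = re.compile(r'deleting SA reason "([^"]+)" state \(([IR])\) (\w+)')
STATE = re.compile(r"Old State = (\w+)\s+New State = (\w+)")

def summarize(log_text):
    """Return {conn_id: summary} for every ISAKMP SA seen in the debug text."""
    sas = defaultdict(lambda: {"retransmits": defaultdict(int),
                               "deleted": None, "transitions": []})
    for line in log_text.splitlines():
        tag = SA_TAG.search(line)
        if not tag:
            continue  # IPSEC(...) lines and untagged ISAKMP lines are skipped
        conn_id, msg = int(tag.group(1)), tag.group(2)
        sa = sas[conn_id]
        if m := RETRANS.search(msg):
            sa["retransmits"][(int(m.group(1)), m.group(2))] += 1
        elif m := DELETE.search(msg):
            sa["deleted"] = {"reason": m.group(1), "role": m.group(2),
                             "state": m.group(3)}
        elif m := STATE.search(msg):
            sa["transitions"].append((m.group(1), m.group(2)))
    return sas

def stalled_phase1(sas):
    """Conn IDs deleted while still in a Main Mode (MM_*) state, before phase 1 finished."""
    return sorted(cid for cid, sa in sas.items()
                  if sa["deleted"] and sa["deleted"]["state"].startswith("MM_"))

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for cid in stalled_phase1(result):
        sa = result[cid]
        print(cid, dict(sa["retransmits"]), sa["deleted"], sa["transitions"])
```
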