VPN SPA Problem

Unanswered Question
Oct 26th, 2008
User Badges:

Hi,


We are new users of CISCO VPN SPA. We are currently trying to establish a Site-to-Site VPN connection with one of our clients and we are having a hard time connecting it. The following are the logs on the debug mode of the router. Any idea what causing this problem?


Oct 27 11:20:18.012: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= <*.*.*.*>, remote= <*.*.*.*>,

local_proxy= 192.168.145.54/255.255.255.255/0/0 (type=1),

remote_proxy= 172.20.46.29/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= NONE (Tunnel),

lifedur= 190s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

Oct 27 11:20:18.012: ISAKMP:(0): SA request profile is CBCPROFILE

Oct 27 11:20:18.012: ISAKMP: Created a peer struct for <*.*.*.*>, peer port 500

Oct 27 11:20:18.012: ISAKMP: New peer created peer = 0x4561D640 peer_handle = 0x800000B2

Oct 27 11:20:18.012: ISAKMP: Locking peer struct 0x4561D640, refcount 1 for isakmp_initiator

Oct 27 11:20:18.012: ISAKMP: local port 500, remote port 500

Oct 27 11:20:18.016: ISAKMP: set new node 0 to QM_IDLE

Oct 27 11:20:18.016: insert sa successfully sa = 492FB734

Oct 27 11:20:18.016: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

Oct 27 11:20:18.016: ISAKMP:(0): constructed NAT-T vendor-07 ID

Oct 27 11:20:18.016: ISAKMP:(0): constructed NAT-T vendor-03 ID

Oct 27 11:20:18.016: ISAKMP:(0): constructed NAT-T vendor-02 ID

Oct 27 11:20:18.016: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

Oct 27 11:20:18.016: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

Oct 27 11:20:18.016: ISAKMP:(0): beginning Main Mode exchange

Oct 27 11:20:18.016: ISAKMP:(0): sending packet to <*.*.*.*> my_port 500 peer_port 500 (I) MM_NO_STATE

Oct 27 11:20:18.088: ISAKMP (0): received packet from <*.*.*.*> dport 500 sport 500 SSHWWW (I) MM_NO_STATE

Oct 27 11:20:18.088: ISAKMP:(0):Couldn't find node: message_id -2086833778

Oct 27 11:20:18.088: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1

Oct 27 11:20:18.088: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

Oct 27 11:20:18.088: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1


Oct 27 11:20:18.088: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at <*.*.*.*>

Oct 27 11:20:28.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Oct 27 11:20:28.016: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

Oct 27 11:20:28.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Oct 27 11:20:28.016: ISAKMP:(0): sending packet to <*.*.*.*> my_port 500 peer_port 500 (I) MM_NO_STATE

Oct 27 11:20:38.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Oct 27 11:20:38.016: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

Oct 27 11:20:38.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Oct 27 11:20:38.016: ISAKMP:(0): sending packet to <*.*.*.*> my_port 500 peer_port 500 (I) MM_NO_STATE

Oct 27 11:20:48.011: IPSEC(key_engine): request timer fired: count = 1,

(identity) local= <*.*.*.*>, remote= <*.*.*.*>,

local_proxy= 192.168.145.54/255.255.255.255/0/0 (type=1),

remote_proxy= 172.20.46.29/255.255.255.255/0/0 (type=1)

Oct 27 11:20:48.011: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= <*.*.*.*>, remote= <*.*.*.*>,

local_proxy= 192.168.145.54/255.255.255.255/0/0 (type=1),

remote_proxy= 172.20.46.29/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= NONE (Tunnel),

lifedur= 190s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

Oct 27 11:20:48.011: ISAKMP: set new node 0 to QM_IDLE

Oct 27 11:20:48.011: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local <*.*.*.*>, remote <*.*.*.*>)

Oct 27 11:20:48.011: ISAKMP: Error while processing SA request: Failed to initialize SA


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
griever060684 Mon, 10/27/2008 - 01:07
User Badges:

Here is the Config for this particular peer:


Peer is Checkpoint.


crypto keyring CBCKEY

pre-shared-key address *.*.*.* key ********

crypto ipsec transform-set CBCTRANS esp-3des esp-md5-hmac

crypto isakmp profile CBCPROFILE

vrf CBCVPN

keyring CBCKEY

match identity address *.*.*.* 255.255.255.255

crypto map CBCMAP 2 ipsec-isakmp

set peer *.*.*.*

set security-association lifetime seconds 190

set transform-set CBCTRANS

set isakmp-profile CBCPROFILE

match address CBCACL


ip access-list extended CBCACL

permit ip host ******* host *.*.*.*

permit ip host 172.20.46.29 host 192.168.145.54

permit ip host 192.168.145.54 host 172.20.46.29

permit ip host *.*.*.* host *******


crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2


We are sure that we both have the Ssame IKE parameters set.

Actions

This Discussion