10-26-2008 08:36 PM
Hi,
We are new users of CISCO VPN SPA. We are currently trying to establish a Site-to-Site VPN connection with one of our clients and we are having a hard time connecting it. The following are the logs on the debug mode of the router. Any idea what is causing this problem?
Oct 27 11:20:18.012: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= <*.*.*.*>, remote= <*.*.*.*>,
local_proxy= 192.168.145.54/255.255.255.255/0/0 (type=1),
remote_proxy= 172.20.46.29/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 190s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Oct 27 11:20:18.012: ISAKMP:(0): SA request profile is CBCPROFILE
Oct 27 11:20:18.012: ISAKMP: Created a peer struct for <*.*.*.*>, peer port 500
Oct 27 11:20:18.012: ISAKMP: New peer created peer = 0x4561D640 peer_handle = 0x800000B2
Oct 27 11:20:18.012: ISAKMP: Locking peer struct 0x4561D640, refcount 1 for isakmp_initiator
Oct 27 11:20:18.012: ISAKMP: local port 500, remote port 500
Oct 27 11:20:18.016: ISAKMP: set new node 0 to QM_IDLE
Oct 27 11:20:18.016: insert sa successfully sa = 492FB734
Oct 27 11:20:18.016: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Oct 27 11:20:18.016: ISAKMP:(0): constructed NAT-T vendor-07 ID
Oct 27 11:20:18.016: ISAKMP:(0): constructed NAT-T vendor-03 ID
Oct 27 11:20:18.016: ISAKMP:(0): constructed NAT-T vendor-02 ID
Oct 27 11:20:18.016: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Oct 27 11:20:18.016: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Oct 27 11:20:18.016: ISAKMP:(0): beginning Main Mode exchange
Oct 27 11:20:18.016: ISAKMP:(0): sending packet to <*.*.*.*> my_port 500 peer_port 500 (I) MM_NO_STATE
Oct 27 11:20:18.088: ISAKMP (0): received packet from <*.*.*.*> dport 500 sport 500 SSHWWW (I) MM_NO_STATE
Oct 27 11:20:18.088: ISAKMP:(0):Couldn't find node: message_id -2086833778
Oct 27 11:20:18.088: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
Oct 27 11:20:18.088: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Oct 27 11:20:18.088: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
Oct 27 11:20:18.088: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at <*.*.*.*>
Oct 27 11:20:28.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct 27 11:20:28.016: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Oct 27 11:20:28.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Oct 27 11:20:28.016: ISAKMP:(0): sending packet to <*.*.*.*> my_port 500 peer_port 500 (I) MM_NO_STATE
Oct 27 11:20:38.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct 27 11:20:38.016: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Oct 27 11:20:38.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Oct 27 11:20:38.016: ISAKMP:(0): sending packet to <*.*.*.*> my_port 500 peer_port 500 (I) MM_NO_STATE
Oct 27 11:20:48.011: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= <*.*.*.*>, remote= <*.*.*.*>,
local_proxy= 192.168.145.54/255.255.255.255/0/0 (type=1),
remote_proxy= 172.20.46.29/255.255.255.255/0/0 (type=1)
Oct 27 11:20:48.011: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= <*.*.*.*>, remote= <*.*.*.*>,
local_proxy= 192.168.145.54/255.255.255.255/0/0 (type=1),
remote_proxy= 172.20.46.29/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 190s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Oct 27 11:20:48.011: ISAKMP: set new node 0 to QM_IDLE
Oct 27 11:20:48.011: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local <*.*.*.*>, remote <*.*.*.*>)
Oct 27 11:20:48.011: ISAKMP: Error while processing SA request: Failed to initialize SA
10-27-2008 01:07 AM
Here is the Config for this particular peer:
Peer is Checkpoint.
crypto keyring CBCKEY
 pre-shared-key address *.*.*.* key ********
crypto ipsec transform-set CBCTRANS esp-3des esp-md5-hmac
crypto isakmp profile CBCPROFILE
 vrf CBCVPN
 keyring CBCKEY
 match identity address *.*.*.* 255.255.255.255
crypto map CBCMAP 2 ipsec-isakmp
 set peer *.*.*.*
 set security-association lifetime seconds 190
 set transform-set CBCTRANS
 set isakmp-profile CBCPROFILE
 match address CBCACL
ip access-list extended CBCACL
 permit ip host ******* host *.*.*.*
 permit ip host 172.20.46.29 host 192.168.145.54
 permit ip host 192.168.145.54 host 172.20.46.29
 permit ip host *.*.*.* host *******
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
We are sure that we both have the same IKE parameters set.