isakmp failing at phase 1 negotiation?

Unanswered Question
Nov 4th, 2008

Hi,


I am trying to bring up a site-to-site VPN tunnel, but it looks like phase 1 is failing.


Can someone please take a look?


Thanks


*Nov 4 20:56:36.217: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.

*Nov 4 20:56:36.217: ISAKMP:(0:0:N/A:0):Looking for a matching key for 203.200.xxx.xxx in default

*Nov 4 20:56:36.217: ISAKMP:(0:0:N/A:0): : success

*Nov 4 20:56:36.217: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 203.200.xxx.xxx

*Nov 4 20:56:36.217: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID

*Nov 4 20:56:36.217: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID

*Nov 4 20:56:36.217: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID

*Nov 4 20:56:36.217: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Nov 4 20:56:36.217: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1


*Nov 4 20:56:36.217: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange

*Nov 4 20:56:36.217: ISAKMP:(0:0:N/A:0): sending packet to 203.200.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE

*Nov 4 20:56:36.221: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 203.200.xxx.xxx)

*Nov 4 20:56:36.221: ISAKMP: Unlocking IKE struct 0x43711B80 for isadb_mark_sa_deleted(), count 0

*Nov 4 20:56:36.221: ISAKMP: Deleting peer node by peer_reap for 203.200.xxx.xxx: 43711B80

*Nov 4 20:56:36.221: ISAKMP:(0:0:N/A:0):deleting node 1146726567 error FALSE reason "IKE deleted"

*Nov 4 20:56:36.221: ISAKMP:(0:0:N/A:0):deleting node -2133103557 error FALSE reason "IKE deleted"

*Nov 4 20:56:36.221: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Nov 4 20:56:36.221: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_DEST_SA


*Nov 4 20:56:36.221: ISAKMP:(0:0:N/A:0):purging SA., sa=43716E60, delme=43716E60

*Nov 4 20:56:36.221: IPSEC(key_engine): got a queue event with 1 kei messages

*Nov 4 20:56:46.221: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...

*Nov 4 20:56:46.221: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Nov 4 20:56:46.221: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE

*Nov 4 20:56:46.221: ISAKMP:(0:0:N/A:0): sending packet to 203.200.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE

*Nov 4 20:56:56.221: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...

*Nov 4 20:56:56.221: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Nov 4 20:56:56.221: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE

*Nov 4 20:56:56.221: ISAKMP:(0:0:N/A:0): sending packet to 203.200.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE

*Nov 4 20:57:06.213: IPSEC(key_engine): request timer fired: count = 1,

(identity) local= 119.111.xxx.xxx, remote= 203.200.xxx.xxx,

local_proxy= 10.10.0.0/255.255.240.0/0/0 (type=4),

remote_proxy= 10.126.1.14/255.255.255.255/0/0 (type=1)

*Nov 4 20:57:06.213: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= 119.111.xxx.xxx, remote= 203.200.xxx.xxx,

local_proxy= 10.10.0.0/255.255.240.0/0/0 (type=4),

remote_proxy= 10.126.1.14/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),

lifedur= 3600s and 4608000kb,

spi= 0x712A5AF7(1898601207), conn_id= 0, keysize= 0, flags= 0x400A

*Nov 4 20:57:06.213: ISAKMP: received ke message (1/1)

*Nov 4 20:57:06.213: ISAKMP: set new node 0 to QM_IDLE

*Nov 4 20:57:06.213: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 119.111.xxx.xxx, remote 203.200.xxx.xxx)

*Nov 4 20:57:06.221: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...

*Nov 4 20:57:06.221: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

*Nov 4 20:57:06.221: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE

*Nov 4 20:57:06.221: ISAKMP:(0:0:N/A:0): sending packet to 203.200.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE


ajagadee Tue, 11/04/2008 - 13:42

Hi,


What is the 203.200.xxx.xxx address? It looks like your VPN server is sending UDP port 500 packets to the remote 203.200.xxx.xxx and not getting any kind of response. Do you know if UDP port 500 is blocked on the remote side?


Do you have a copy of the configurations from both VPN servers?


Regards,

Arul


*Pls rate if it helps*
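
Added example (not part of the original thread or any poster's code): a small Python summarizer for "debug crypto isakmp" output that counts phase 1 packets sent and received and reports whether Main Mode ever moved past the first message. The sample lines are abridged from the debug output in the question; the "received packet from" wording matched by RECV does not appear on this page and is an assumption about the router's debug format.

```python
import re

# Sample lines abridged from the debug output posted in the question
# (peer address masked exactly as in the post).
SAMPLE = """\
*Nov 4 20:56:36.217: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
*Nov 4 20:56:36.217: ISAKMP:(0:0:N/A:0): sending packet to 203.200.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
*Nov 4 20:56:46.221: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Nov 4 20:56:46.221: ISAKMP:(0:0:N/A:0): sending packet to 203.200.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
*Nov 4 20:56:56.221: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Nov 4 20:56:56.221: ISAKMP:(0:0:N/A:0): sending packet to 203.200.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
"""

SENT = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+)")
RETRY = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
# Assumption: inbound IKE packets are logged as "received packet from <peer>".
RECV = re.compile(r"received packet from (\S+)")
# Initiator Main Mode states after the first message has been answered.
ADVANCED = re.compile(r"IKE_I_MM[2-6]$")


def summarize_phase1(log_text):
    """Return counters describing one initiator-side phase 1 attempt."""
    s = {"peer": None, "sent": 0, "received": 0, "max_retry": 0,
         "retry_limit": None, "last_state": None, "advanced": False}
    for line in log_text.splitlines():
        m = SENT.search(line)
        if m:
            s["peer"] = m.group(1)
            s["sent"] += 1
        if RECV.search(line):
            s["received"] += 1
        m = RETRY.search(line)
        if m:
            s["max_retry"] = max(s["max_retry"], int(m.group(1)))
            s["retry_limit"] = int(m.group(2))
        m = STATE.search(line)
        if m:
            s["last_state"] = m.group(2)
            s["advanced"] = s["advanced"] or bool(ADVANCED.match(m.group(2)))
    # Packets went out, nothing was logged coming back, and the exchange never
    # left the first Main Mode message: check reachability of UDP 500 first.
    s["no_reply"] = s["sent"] > 0 and s["received"] == 0 and not s["advanced"]
    return s


if __name__ == "__main__":
    print(summarize_phase1(SAMPLE))
```

When no_reply is True, the log alone cannot tell a filtered UDP port 500 from a peer that silently discards the proposal, so the next step is still to compare both configurations and check the path.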
