IPSec with HSRP

Unanswered Question
Jan 22nd, 2009

Hi Guys,


I'm trying to set up IPSec with HSRP but I'm having some problems.


I have a single router TEST_R3 acting as a client on an unknown IP address.


I have 2 routers TEST_R0 and TEST_R1 acting as end points, both configured with a HSRP group called REDUNDANT2.


TEST_R1 is the active router (TEST_R0 is actually switched off). The standby IP is 10.2.1.254


The client, TEST_R3 is configured to peer with the HSRP IP address.


When TEST_R3 attempts connectivity I receive the following error on TEST_R1:


*Mar 1 01:04:38.451: map_db_find_best did not find matching map

*Mar 1 01:04:38.455: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 10.2.1.254

*Mar 1 01:04:38.467: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 99.0.0.3


It says something about invalid transform sets yet I assure you there are valid matching sets configured on each end. So I suppose my question is, what is this error trying to tell me?


I've attached relevant config for each device.


TIA

Scott



Scott Cannon Thu, 01/22/2009 - 01:14

Sorry guys, screwed up on those attachments. The file name depicts the correct device. So file 1 is R3, file 2 is R1

Scott Cannon Tue, 01/27/2009 - 20:12

Just bumping this up.


If my setup is hard to understand, I can post the GNS3 .net file, or preferably, someone could post me their working setup with configs and leave me to figure it out from there.


Cheers

Scott

Ivan Martinon (Cisco Employee) Wed, 01/28/2009 - 06:08

Have you tried removing the crypto map from the interface, and clearing all the crypto states "clear crypto sa" "clear crypto isakmp" then applying the crypto map again?


I remember I had this issue long ago, and I think it was an issue with the HSRP configuration, can't remember what exactly, so try to go over the configuration again.

Scott Cannon Sun, 02/01/2009 - 13:21


Thanks Ivan. I've given that a go but no luck unfortunately. I've found some more examples just now that have slightly different config. I'll try them when I get home. Let you know what I find.


 


Rgds


Scott
