Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
750
Views
0
Helpful
4
Replies

IPSec with HSRP

Scott Cannon
Level 1
Level 1

‎01-22-2009 01:12 AM - edited ‎02-21-2020 04:07 PM

Hi Guys,

I'm trying to setup IPSec with HSRP but I'm having some problems.

I have a single router TEST_R3 acting as a client on an unknown IP address.

I have 2 routers TEST_R0 and TEST_R1 acting as end points, both configured with a HSRP group called REDUNDANT2.

TEST_R1 is the active router (TEST_R0 is actually switched off). The standby IP is 10.2.1.254

The client, TEST_R3 is configured to peer with the HSRP IP address.

When TEST_R3 attempts connectivity I receive the following error on TEST_R1:

*Mar 1 01:04:38.451: map_db_find_best did not find matching map

*Mar 1 01:04:38.455: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 10.2.1.254

*Mar 1 01:04:38.467: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 99.0.0.3

It says something about invalid transform sets yet I assure you there are valid matching sets configured on each end. So I suppose my question is, what is this error trying to tell me?

I've attached relevant config for each device.

TIA

Scott

Labels:
Preview file
1 KB
Preview file
1 KB
0 Helpful
4 Replies 4

Scott Cannon
Level 1
Level 1

‎01-22-2009 01:14 AM

Sorry guys, screwed up on those attachments. The file name depicts the correct device. So file 1 is R3, file 2 is R1

0 Helpful

Scott Cannon
Level 1
Level 1
In response to Scott Cannon

‎01-27-2009 08:12 PM

Just bumping this up.

If my setup is hard to understand, I can post the GNS3 .net file, or preferably, someone could post me their working setup with configs and leave me to figure it out from there.

Cheers

Scott

0 Helpful

Ivan Martinon
Level 7
Level 7
In response to Scott Cannon

‎01-28-2009 06:08 AM

Have you tried removing the crypto map from the interface, and clearing all the crypto states "clear crypto sa" "clear crypto isakmp" then applying the crypto map again?

I remember I had this issue long ago, and I think it was an issue with the hsrp configuration, can remember what exactly, so try to go over the configuraiton again.

0 Helpful

Scott Cannon
Level 1
Level 1
In response to Ivan Martinon

‎02-01-2009 01:21 PM

Thanks Ivan. I've give nthat a go but no luck unfortunately. I've found some more examples just now that have slightly diffrerent config. I'll try them when I get home. Let you know what I find.

 

Rgds

Scott

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents