IPSEC PHASE 2 Problem

habibnoubissi
Level 1

Hi everybody,

I have a problem with my IPsec phase 2 connection: phase 1 is active but phase 2 is not. Below is the output of some commands like sh crypto session detail and sh crypto isakmp sa; please help me to troubleshoot this problem.

router#sh crypto session

Interface: FastEthernet0/0
Session status: UP-IDLE
Peer: 81.192.103.150 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 81.192.103.150
      Desc: (none)
  IKE SA: local 41.205.80.45/500 remote 81.192.103.150/500 Active
          Capabilities:(none) connid:1 lifetime:23:59:48
  IPSEC FLOW: permit ip 192.168.6.0/255.255.255.0 192.20.2.0/255.255.255.0
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 75 life (KB/Sec) 0/0

router#sh crypto isakmp sa
dst             src             state          conn-id slot status
81.192.100.50  41.200.90.45    MM_SA_SETUP          1    0 ACTIVE

router#sh crypto isakmp sa
dst             src             state          conn-id slot status
81.192.100.50  41.200.90.45    QM_IDLE              1    0 ACTIVE

8 Replies

Joe B Danford
Cisco Employee

Can you do the following?

show cry isa sa

In the output above you will see the conn id for the SA

clear cry isa


term mon

debug cry isa

debug cry ipsec

Run the debugs so we can see what is being passed. Also, do you have the configs for both end devices? Was this tunnel ever working? Make sure the transform-set and match ACL matches on both ends.

Thank you very much for your reply.

The attached documents are my config, the peer config (our partner) and the output of the debug commands.

This tunnel has never worked before; we are setting it up now.

Thank you once more.

crypto ipsec transform-set vpn1 esp-3des ah-md5-hmac

!

crypto map vpnregeo 50 ipsec-isakmp

description tunel-to-M2M

set peer xxx.xxx.xxx.xxx

set transform-set vpn

match address 118

Your config appears to have an issue. You are referencing transform set VPN when you have VPN1 configured. Make the following changes.

crypto map vpnregeo 50 ipsec-isakmp

no set transform-set vpn

set transform-set vpn1

Try again and see if this works.

Thanks,

Joe

Thanks,

I have tried what you asked me to do, but the problem remains.

Excuse me Joe

if the peer router is not a CISCO router, do I have a particular thing to do in my CISCO router?

Sorry,

The TSet in your config reads

crypto ipsec transform-set vpn1 esp-3des ah-md5-hmac

should be

crypto ipsec transform-set vpn1 esp-3des esp-md5-hmac
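Both findings in this thread (a crypto map pointing at a transform set name that is not defined, and a transform set containing AH when the non-Cisco peer only proposes ESP) can be caught before the tunnel is ever brought up. The script below is an added example, not code from the thread or from Cisco; it lints a constructed config modelled on the poster's snippet against an assumed peer proposal. The peer's proposal set (esp-3des with esp-md5-hmac) is an assumption, since the partner's configuration is not shown on the page.

```python
import re

# Constructed local config, modelled on the snippet posted in the thread
# (the masked peer address is the poster's own placeholder).
LOCAL_CONFIG = """\
crypto ipsec transform-set vpn1 esp-3des ah-md5-hmac
!
crypto map vpnregeo 50 ipsec-isakmp
 description tunel-to-M2M
 set peer xxx.xxx.xxx.xxx
 set transform-set vpn
 match address 118
"""

# Assumed peer proposal: the partner's (non-Cisco) box offers ESP only.
PEER_PROPOSAL = {"esp-3des", "esp-md5-hmac"}

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+)\s+(.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp")
SET_TS_RE = re.compile(r"^\s+set transform-set (.+)$")


def parse_config(text):
    """Return ({set_name: [transforms]}, {(map_name, seq): [referenced set names]})."""
    sets, maps, current = {}, {}, None
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            sets[m.group(1)] = m.group(2).split()
            current = None          # a transform-set line ends any crypto map block
            continue
        m = MAP_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            maps[current] = []
            continue
        m = SET_TS_RE.match(line)
        if m and current is not None:
            maps[current].extend(m.group(1).split())
    return sets, maps


def lint(text, peer_proposal):
    """Report dangling transform-set references and proposals the peer cannot accept."""
    sets, maps = parse_config(text)
    findings = []
    for (name, seq), refs in maps.items():
        for ref in refs:
            if ref not in sets:
                findings.append(
                    f"crypto map {name} {seq}: references undefined transform-set '{ref}'")
                continue
            local = set(sets[ref])
            if local == peer_proposal:
                continue
            msg = (f"transform-set {ref}: {sorted(local)} does not match "
                   f"peer proposal {sorted(peer_proposal)}")
            # The thread's second bug: AH in the local set, ESP-only on the peer.
            if any(t.startswith("ah-") for t in local) and \
               not any(p.startswith("ah-") for p in peer_proposal):
                msg += " (local set uses AH, peer proposes ESP only)"
            findings.append(msg)
    return findings


if __name__ == "__main__":
    for f in lint(LOCAL_CONFIG, PEER_PROPOSAL):
        print(f)
```

Applying the two corrections from this thread in sequence shows the lint converging: fixing the reference to vpn1 removes the first finding and exposes the AH/ESP mismatch, and changing ah-md5-hmac to esp-md5-hmac leaves the config clean. A stale debug is not needed to spot either problem.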

THANK YOU very much Joe,

that was the mistake, but note that the peer router is not a CISCO router. I have also set the lifetime for the two phases as it is set in the peer router, and the two phases are up now.

Thanks to CISCO for such a platform.

Excellent! No problem glad I could help.
