IPSEC PHASE 2 Problem

Unanswered Question
Jan 8th, 2010

Hi everybody,

I have a problem with my IPsec phase 2 connection: phase 1 is active but phase 2 is not. Below is the output of some commands like sh crypto session detail and sh crypto isakmp sa; please help me to troubleshoot this problem.

router#sh crypto session

Interface: FastEthernet0/0
Session status: UP-IDLE
Peer: 81.192.103.150 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 81.192.103.150
      Desc: (none)
  IKE SA: local 41.205.80.45/500 remote 81.192.103.150/500 Active
          Capabilities:(none) connid:1 lifetime:23:59:48
  IPSEC FLOW: permit ip 192.168.6.0/255.255.255.0 192.20.2.0/255.255.255.0
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 75 life (KB/Sec) 0/0

router#sh crypto isakmp sa
dst             src             state          conn-id slot status
81.192.100.50  41.200.90.45    MM_SA_SETUP          1    0 ACTIVE

router#sh crypto isakmp sa
dst             src             state          conn-id slot status
81.192.100.50  41.200.90.45    QM_IDLE              1    0 ACTIVE

Joe B Danford Fri, 01/08/2010 - 05:43

Can you do the following?

show cry isa sa

In the output above you will see the conn id for the SA

clear cry isa


term mon

debug cry isa

debug cry ipsec

Run the debugs so we can see what is being passed. Also, do you have the configs for both end devices? Was this tunnel ever working? Make sure the transform-set and match ACL match on both ends.

habibnoubissi Fri, 01/08/2010 - 07:31

thank you very much for your reply,

the attached documents are my config, the peer config (our partner) and the output of the debug command.

this tunnel has never worked before; we are setting it up now.

thank you once more

Joe B Danford Fri, 01/08/2010 - 07:49

crypto ipsec transform-set vpn1 esp-3des ah-md5-hmac

!

crypto map vpnregeo 50 ipsec-isakmp

description tunel-to-M2M

set peer xxx.xxx.xxx.xxx

set transform-set vpn

match address 118

Your config appears to have an issue. You are referencing TS set VPN when you have VPN1 configured. Make the following changes.

crypto map vpnregeo 50 ipsec-isakmp

no set transform-set vpn

set transform-set vpn1

Try again and see if this works.

Thanks,

Joe

habibnoubissi Fri, 01/08/2010 - 08:41

Excuse me Joe

if the peer router is not a CISCO router, do I have a particular thing to do in my CISCO router?

Joe B Danford Fri, 01/08/2010 - 09:02


Sorry,

The TSet in your config reads

crypto ipsec transform-set vpn1 esp-3des ah-md5-hmac

should be

crypto ipsec transform-set vpn1 esp-3des esp-md5-hmac
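
A small checker, added here as an example and not code from the thread, that applies the two checks Joe's replies make: the crypto map must reference a transform-set that is actually defined, and the transforms it offers must equal what the peer accepts. The configs it parses are constructed samples modelled on the posts, and the peer is written in IOS notation as an assumption, since the real peer is not a Cisco box.

```python
import re

# Constructed sample (not the thread's attachment): the crypto map references
# "vpn" while only "vpn1" is defined, and "vpn1" uses AH integrity.
LOCAL_CFG = """
crypto ipsec transform-set vpn1 esp-3des ah-md5-hmac
!
crypto map vpnregeo 50 ipsec-isakmp
 description tunel-to-M2M
 set transform-set vpn
 match address 118
"""
# Peer expressed in IOS notation for comparison (assumption: the non-Cisco
# peer proposes ESP-3DES with ESP-MD5-HMAC).
PEER_CFG = """
crypto ipsec transform-set partner esp-3des esp-md5-hmac
crypto map partnermap 10 ipsec-isakmp
 set transform-set partner
"""
# Local side after both corrections from the thread are applied.
FIXED_LOCAL_CFG = (LOCAL_CFG.replace("ah-md5-hmac", "esp-md5-hmac")
                   .replace("set transform-set vpn\n", "set transform-set vpn1\n"))

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+)((?:[ \t]+\S+)+)[ \t]*$", re.M)
REF_RE = re.compile(r"^[ \t]*set transform-set (\S+)", re.M)

def parse_transform_sets(cfg):
    """Map transform-set name -> frozenset of its transforms (order-insensitive)."""
    return {m.group(1): frozenset(m.group(2).split()) for m in TS_RE.finditer(cfg)}

def check_phase2(local_cfg, peer_cfg):
    """Return findings that would stop phase 2 from agreeing on a proposal."""
    findings = []
    local_sets, peer_sets = parse_transform_sets(local_cfg), parse_transform_sets(peer_cfg)
    refs = REF_RE.findall(local_cfg)
    for name in refs:
        if name not in local_sets:
            findings.append(f"crypto map references undefined transform-set '{name}'; "
                            f"defined: {sorted(local_sets)}")
    # Compare what the map really offers (or everything defined, if the
    # reference is dangling) against what the peer accepts.
    offered = [local_sets[n] for n in refs if n in local_sets] or list(local_sets.values())
    if not any(o in peer_sets.values() for o in offered):
        findings.append("no offered transform-set matches the peer: local="
                        f"{[sorted(o) for o in offered]} peer={[sorted(p) for p in peer_sets.values()]}")
    return findings

if __name__ == "__main__":
    for msg in check_phase2(LOCAL_CFG, PEER_CFG) or ["phase 2 proposals agree"]:
        print(msg)
    print(check_phase2(FIXED_LOCAL_CFG, PEER_CFG))  # -> []
```

The match ACL and SA lifetimes, which the thread also mentions, are not compared here; the script only covers the transform-set side of the negotiation.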

habibnoubissi Fri, 01/08/2010 - 09:44

THANK YOU very much Joe

that was the mistake, but see that the peer router is not a CISCO router. I have also set the lifetime for the two phases as it is set in the peer router, and the two phases are up now.

Thanks to CISCO for such a platform.

Posted January 8, 2010 at 5:38 AM