VPN - IKE Phase 1 Failing

Answered Question
Jun 8th, 2010

Hi All,


I'm having difficulty with a site-to-site VPN where it can only be initiated/established from one side of the VPN.


So from one side of the VPN I can ping across with no issues and the VPN tunnel is established successfully; however, when I try this from the other side of the VPN it never establishes and the state is stuck in MM_KEY_EXCH.


I have verified the configurations at both ends and all appears to be fine (please see below); also please find a debug crypto isakmp attached from the router that doesn't seem to establish the VPN. Any ideas why this is failing?


VPN is being established on a C837 to a C857.


***

crypto isakmp policy 10
 encr des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key secret address 81.140.73.140 no-xauth
!
crypto ipsec security-association lifetime seconds 3000
!
crypto ipsec transform-set secure esp-des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 81.140.73.140
set transform-set secure
match address VPN-Traffic


***


Many Thanks

Federico Coto F... Tue, 06/08/2010 - 07:04

Hi,


Seems strange that from one side you can initiate the tunnel correctly, because according to the logs, the other side is configured with RSA digital certificate authentication for phase 1.


Make sure the other end has this configuration when issuing a "sh cry isa poli":


crypto isakmp policy 10   ---> could be 10 or any number
 encr des
 hash md5
 authentication pre-share
 group 2


The error of "key exchange" is because there's no phase 1 established to transport the secret key.


Federico.

kris-andrews Tue, 06/08/2010 - 07:53

Hi Federico,


Many thanks for your reply. I did notice in the debug that RSA is being requested; however, this is not configured on the remote host? The config for the other router is below.


***

!
crypto isakmp policy 10
 encr des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key secret hostname *omitted* no-xauth
!
crypto ipsec security-association lifetime seconds 3000
!
crypto ipsec transform-set secure esp-des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer *omitted* dynamic
set transform-set secure
match address VPN-Traffic
!

***



It is very strange, as I have just initiated the connection from the other side and it came up straight away?


R1#sh cry isa sa
dst             src             state          conn-id slot status
90.196.168.104  81.140.73.140   QM_IDLE             10    0 ACTIVE



Debug attached.

Federico Coto F... Tue, 06/08/2010 - 08:01

From both routers... one has a static IP and the other has a dynamic IP?

If so, the tunnel will normally be able to establish only from the dynamic side (is this the side where you can bring the tunnel up fine)?


Do you have a static-to-dynamic IPsec configuration?


Federico.

kris-andrews Tue, 06/08/2010 - 08:13

Hi Federico,


Thank you for your response.


Yes, the side where I have the dynamic configuration is the side that is able to successfully bring up the VPN.


The scenario I have is that one site has a static internet IP address and the other side has a dynamic IP address, so I have used a DNS name to overcome the problem of the dynamic internet IP.


Is this causing the problem? If so, is there a solution in this scenario?


Many Thanks


Kris

Correct Answer
Federico Coto F... Tue, 06/08/2010 - 08:19

That could very well be causing this problem.

If you have static-to-dynamic setup for IPsec between two routers, please make sure you have this configuration:


http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml


You see that the dynamic IP site has a normal static crypto map, but the static IP side has a dynamic crypto map.

This example assumes you're doing NAT also.

With this configuration, the tunnel can only be initiated from the dynamic side.


Hope it helps.


Federico.

kris-andrews Tue, 06/08/2010 - 08:47

Hi Federico,


Many thanks, I have now updated my configuration with a dynamic crypto map and it now works!


The only issue I have with the current setup is that the VPN can only be initiated from one side (now the problem is the opposite way round): the site with the dynamic IP is now the only site that can bring up the VPN. Is there a way I can allow the router with the static internet IP to establish the VPN to the dynamic IP router, or a way for the dynamic router to always keep the VPN up?


Regards


Kris

Federico Coto F... Tue, 06/08/2010 - 08:55

Kris,


Since one side has a dynamic IP that is not known beforehand, the static side cannot initiate the tunnel (the dynamic side should always be able to initiate the tunnel).

If you want both sides to be able to initiate the tunnel, normally you need a static IP on both sides.

I'm not sure whether pointing the static side to a DNS name mapped to the dynamic IPs that the dynamic site might get will allow the static site to bring up the tunnel as well...


To keep the tunnel always up from the dynamic side, there has to be interesting traffic passing through. If there's a constant PING or some sort of traffic always flowing through the tunnel, the tunnel should always be up.


Federico.

kris-andrews Tue, 06/08/2010 - 13:59

Hi Federico,


Thank you for your support, I thought that would be the answer...


I have now scheduled an IP SLA echo on the dynamic side to keep the VPN alive.


Many Thanks!!!


Kris
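The configuration the thread converges on, written out as an added example rather than either poster's actual config: the static-IP side answers with a dynamic crypto map (it cannot name a peer it does not know), and the dynamic-IP side keeps its ordinary static crypto map and adds an IP SLA ICMP probe as permanent interesting traffic. The policy, transform set and ACL name are copied from the thread; the map name dynmap, the wildcard pre-shared key, the DPD keepalive, and the LAN addresses 192.168.1.1 / 192.168.2.1 are assumptions not in the thread.

```cisco
! ===== Static-IP side (81.140.73.140 in the thread) =====
crypto isakmp policy 10
 encr des
 hash md5
 authentication pre-share
 group 2
! des/md5 are the thread's choices; they are weak by current standards.
!
! Wildcard PSK (assumed): main mode looks the key up by peer address, and the
! peer address is unknown here, so the key is bound to 0.0.0.0. That means any
! host presenting this secret can complete Phase 1, so keep it long and rotate it.
crypto isakmp key secret address 0.0.0.0 0.0.0.0 no-xauth
!
! DPD (assumed): drop a dead SA promptly so the dynamic side can rebuild it
! instead of its new attempts colliding with a stale tunnel.
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set secure esp-des esp-md5-hmac
!
! Dynamic crypto map: no "set peer"; the responder accepts whichever address
! authenticates and matches the proxy identities in VPN-Traffic.
crypto dynamic-map dynmap 10
 set transform-set secure
 match address VPN-Traffic
!
crypto map vpn 10 ipsec-isakmp dynamic dynmap
!
! ===== Dynamic-IP side (the C837/C857 that can initiate) =====
! Its static crypto map from the thread is unchanged. Only this side can
! initiate, so it must also be the side that keeps the tunnel up: a scheduled
! ICMP probe between the two LANs (addresses assumed, inside VPN-Traffic)
! continuously generates interesting traffic and re-triggers IKE after any drop.
ip sla 1
 icmp-echo 192.168.2.1 source-ip 192.168.1.1
 frequency 60
ip sla schedule 1 life forever start-time now
```

The probe source must fall inside the VPN-Traffic ACL on both routers, otherwise it is routed in the clear and never brings the tunnel up.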
