Solve phase 1 issue in VPN between 2 routers

Unanswered Question
Sep 12th, 2014

Hello,

I’m trying to establish a VPN connection between 2 routers (800 series).

Site A is the central point. Site A has 2 Cisco routers: A1 and A2.

Site B is the remote point.

Currently a VPN connection is established between B and A1. It works very fine.

I just want to establish now the VPN connection between B and A2.

In the A2 router, I’ve added these lines:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 43200
crypto isakmp key hr5*******9r6 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
!
crypto map staticmap 10 ipsec-isakmp
 set peer public_ip_B
 set transform-set myset
 match address 101

access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.32.0 0.0.0.255
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.32.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.32.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.32.0 0.0.0.255

The original config of the B router is:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 43200
crypto isakmp key hr5*******9r6 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
!
crypto map staticmap 10 ipsec-isakmp
 set peer public_ip_A1
 set transform-set myset
 match address 101

access-list 101 permit ip 192.168.32.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.32.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.32.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.32.0 0.0.0.255 192.168.20.0 0.0.0.255

On the B router, I execute these lines to alter the peer from A1 to A2:

crypto map staticmap 10 ipsec-isakmp
 no set peer public_ip_A1
 set peer public_ip_A2

The VPN connection does not get established. The debug info taken from B shows that the phase 1 remains on MM_NO_STATE.

Could someone help me to solve this issue? Thanks in advance.

Kind regards,

Guy

kamlesh yadav Fri, 09/12/2014 - 04:43

This clearly says that ISAKMP main mode phase 1 has failed. As per the config, the ISAKMP policy for phase 1 is matching on both sides.

If the peer IP has been changed, please clear the VPN session: "clear ipsec sa peer <remote peer ip>".

Also, you can remove the crypto map from the interface it is applied to and then reconfigure.

MercatorIneo Wed, 04/01/2015 - 13:47

Thank you for your help.

Changing the startup-config (new ip of the peer) and restarting solved this problem.

Regards,

Guy
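
The checks discussed in this thread (phase 1 policy identical on both sides, each crypto map pointing at the other router, crypto ACLs mirrored) can be run offline against the two configurations. The Python below is an added example, not part of the original posts or any Cisco tool; the function names `parse` and `check_pair` are hypothetical, and the embedded configs are constructed, trimmed versions of the ones posted above using the thread's own placeholder peer names.

```python
# Constructed configs modelled on the thread; peer names are its placeholders.
COMMON = """crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 43200
crypto map staticmap 10 ipsec-isakmp
 set peer {peer}
"""
A2_CFG = COMMON.format(peer="public_ip_B") + """\
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.32.0 0.0.0.255
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.32.0 0.0.0.255
"""
B_CFG = COMMON.format(peer="public_ip_A1") + """\
access-list 101 permit ip 192.168.32.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.32.0 0.0.0.255 192.168.4.0 0.0.0.255
"""

def parse(cfg):
    """Collect phase 1 policies, crypto map peers and crypto ACL entries."""
    out, policy = {"policies": {}, "peers": [], "acl": set()}, None
    for line in cfg.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):  # a top-level command ends any sub-mode
            policy = None
            if words[:3] == ["crypto", "isakmp", "policy"]:
                policy = out["policies"].setdefault(words[3], set())
            elif words[0] == "access-list" and words[2:4] == ["permit", "ip"]:
                out["acl"].add((" ".join(words[4:6]), " ".join(words[6:8])))
        elif policy is not None and words[0] != "lifetime":
            policy.add(" ".join(words))  # lifetimes need not be identical
        elif words[:2] == ["set", "peer"]:
            out["peers"].append(words[2])
    return out

def check_pair(a_cfg, a_addr, b_cfg, b_addr):
    """Return the config mismatches that would stop the tunnel forming."""
    a, b = parse(a_cfg), parse(b_cfg)
    problems = []
    if not any(p in b["policies"].values() for p in a["policies"].values()):
        problems.append("no common ISAKMP policy")
    for name, cfg, want in (("A", a, b_addr), ("B", b, a_addr)):
        if want not in cfg["peers"]:
            problems.append(f"{name} does not point at {want}")
    if a["acl"] != {(dst, src) for src, dst in b["acl"]}:
        problems.append("crypto ACLs are not mirror images")
    return problems
```

An empty result means the saved configurations agree, so a tunnel still stuck in MM_NO_STATE has to be investigated in the routers' running state or the path between them rather than in the config text.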
