isakmp/ipsec tunnel fails between routers

m.matteson
Level 2

Here is the error message:

protocol= ESP, transform= esp-des ,
lifedur= 3600s and 4608000kb,
spi= 0x88B3B116(2293477654), conn_id= 0, keysize= 0, flags= 0x4004
00:46:49: ISAKMP: received ke message (1/2)
00:46:49: ISAKMP: local port 500, remote port 500
00:46:49: ISAKMP (0:1): No Cert or pre-shared address key.
00:46:49: ISAKMP (0:1): Can not start Main mode
00:46:49: ISAKMP: 66.21.160.58 not in host cache
00:46:49: ISAKMP (0:1): Can not start aggressive mode.
00:46:49: ISAKMP (0:1): purging SA., sa=8265176C, delme=8265176C
00:46:49: ISAKMP (0:1): purging node -1502739524

I have the access-list logging entries, so it shows that it is allowing the packets through. The keys are the same; I issued "sh crypto isa key" on both routers and they are identical. I left the default tunneling mode on both routers; could this be one reason? Thanks!

9 Replies

thisisshanky
Level 11

Please check whether you have configured the remote peer IP addresses in the isakmp key definition properly.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

This is what I have:

crypto map toSwansea 100 ipsec-isakmp
 set peer 66.x.x.x
 set transform-set toSwansea
 match address 101

The above defines the crypto map which is applied to the interfaces. If you are using preshared keys you need to define the isakmp preshared keys.

crypto isakmp key IPSECkey address 66.x.x.x

This command should be entered on both routers. IPSECkey is the ISAKMP key and should be the same on both ends. On router A, the address should be that of router B and vice versa.

Take a look at the following link for a sample config.

http://www.cisco.com/warp/public/105/IPSECpart8.shtml

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
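As an added example (not from the thread, and not Cisco's own tooling), here is a small Python check of the pre-shared key consistency described above: each router needs a "crypto isakmp key ... address" entry matching the address in its crypto map's "set peer", and the key string must be identical on both routers. The config fragments inside are constructed from the addresses and key posted in this thread.

```python
import re

# Added example, not from the thread. Parses Cisco IOS-style config fragments
# and reports whether the ISAKMP pre-shared key setup is consistent.
KEY_RE = re.compile(r"^\s*crypto isakmp key (\S+) (address|hostname) (\S+)", re.M)
PEER_RE = re.compile(r"^\s*set peer (\S+)", re.M)

def parse_router(config):
    """Return (peers, keys): peers from 'set peer', keys as {identity: (kind, key)}."""
    peers = set(PEER_RE.findall(config))
    keys = {ident: (kind, key) for key, kind, ident in KEY_RE.findall(config)}
    return peers, keys

def check_pair(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the PSK setup is consistent."""
    findings, resolved = [], {}
    for name, cfg in (("A", cfg_a), ("B", cfg_b)):
        peers, keys = parse_router(cfg)
        for peer in sorted(peers):
            if peer in keys:                       # key is defined by the peer's address
                resolved[name] = keys[peer][1]
            elif any(kind == "hostname" for kind, _ in keys.values()):
                findings.append(f"{name}: key for peer {peer} is defined by hostname only; "
                                "ISAKMP needs a host-to-IP mapping or an 'address' key")
            else:
                findings.append(f"{name}: no pre-shared key for peer {peer}")
    if len(resolved) == 2 and resolved["A"] != resolved["B"]:
        findings.append("pre-shared key strings differ between A and B")
    return findings

# Constructed configs modeled on the thread: keyed by address (fine) vs by hostname.
ROUTER_A_OK = """crypto isakmp key cisco123 address 66.11.11.11
crypto map torouterb 100 ipsec-isakmp
 set peer 66.11.11.11
"""
ROUTER_B_OK = """crypto isakmp key cisco123 address 68.14.91.241
crypto map toroutera 100 ipsec-isakmp
 set peer 68.14.91.241
"""
ROUTER_A_HOSTNAME = """crypto isakmp key cisco123 hostname routerb
crypto map torouterb 100 ipsec-isakmp
 set peer 66.11.11.11
"""

if __name__ == "__main__":
    print(check_pair(ROUTER_A_OK, ROUTER_B_OK))        # []
    print(check_pair(ROUTER_A_HOSTNAME, ROUTER_B_OK))  # one finding for router A
```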

I have set the ISAKMP key on both routers and they are the same. Here is the config of both routers. I am running NAT on the routers, but I denied the traffic I want to tunnel from the NAT ACL.

RouterA
======

crypto isakmp policy 100
 hash md5
 authentication pre-share
crypto isakmp key cisco123 hostname routerb
!
!
crypto ipsec transform-set torouterb ah-md5-hmac esp-des
!
crypto map torouterb 100 ipsec-isakmp
 set peer 66.11.11.11
 set transform-set torouterb
 match address 101
!
interface Ethernet0/0
 ip address dhcp
 ip nat outside
 full-duplex
 no cdp enable
 crypto map torouterb
!
ip nat inside source list 100 interface Ethernet0/0 overload
!
access-list 100 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 log

ROUTERB
========

!
crypto isakmp policy 100
 hash md5
 authentication pre-share
crypto isakmp key cisco123 hostname routera
!
!
crypto ipsec transform-set toroutera ah-md5-hmac esp-des
!
crypto map toroutera 100 ipsec-isakmp
 set peer 68.14.91.241
 set transform-set toroutera
 match address 101
!
interface Ethernet0/0
 mac-address 0020.78c8.6ed3
 ip address dhcp
 ip nat outside
 full-duplex
 no cdp enable
 crypto map toroutera
!
!
ip nat inside source list 100 interface Ethernet0/0 overload
!
access-list 100 deny ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 any
access-list 101 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255 log

Configs look fine, what's the outcome??

Also, have you defined host-to-IP mappings for routerb and routera??

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Yes, I have.

Well, it doesn't seem like I can ping a host in the remote network. It times out. :( Am I missing some minuscule command???

Is the "crypto map toSwansea local-address Ethernet0/0" command optional? Can't you just specify the map on the interface with the "crypto map toSwansea" command?

This command is optional.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus