01-28-2003 09:48 AM - edited 03-02-2019 04:36 AM
Here is the error message:
protocol= ESP, transform= esp-des ,
lifedur= 3600s and 4608000kb,
spi= 0x88B3B116(2293477654), conn_id= 0, keysize= 0, flags= 0x4004
00:46:49: ISAKMP: received ke message (1/2)
00:46:49: ISAKMP: local port 500, remote port 500
00:46:49: ISAKMP (0:1): No Cert or pre-shared address key.
00:46:49: ISAKMP (0:1): Can not start Main mode
00:46:49: ISAKMP: 66.21.160.58 not in host cache
00:46:49: ISAKMP (0:1): Can not start aggressive mode.
00:46:49: ISAKMP (0:1): purging SA., sa=8265176C, delme=8265176C
00:46:49: ISAKMP (0:1): purging node -1502739524
I have the access-list logging entries, so it shows that it is allowing the packets through. The keys are the same; I issued "sh crypto isa key" on both routers and they are identical. I left the default tunneling mode on both routers; could this be one reason? Thanks!
01-28-2003 02:35 PM
Please check whether you have configured the remote peer IP addresses properly in the isakmp key definition.
01-28-2003 02:43 PM
This is what I have:
crypto map toSwansea 100 ipsec-isakmp
set peer 66.x.x.x
set transform-set toSwansea
match address 101
01-28-2003 02:49 PM
The above defines the crypto map which is applied to the interfaces. If you are using pre-shared keys, you need to define the isakmp pre-shared keys.
crypto isakmp key IPSECkey address 66.x.x.x
This command should be entered on both routers. IPSECkey is the ISAKMP key and should be the same on both ends. On router A, the address should be that of router B and vice versa.
Take a look at the following link for a sample config.
http://www.cisco.com/warp/public/105/IPSECpart8.shtml
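A small script, added here and not part of the thread or of any Cisco tooling, that performs the check this reply describes over two IOS config snippets: each router must carry a `crypto isakmp key ... address <ip>` entry for the IP it names in `set peer`, and the key strings must match on both ends. The config snippets are constructed, modelled on the pair posted later in this thread (assumed addresses and names), with one side keyed by hostname so the check has something to flag.

```python
import re

# Constructed IOS snippets. Router A keys its pre-shared key by hostname;
# Router B keys it by address. ROUTER_A_FIXED is the same config with the
# address-keyed entry the reply above asks for.
ROUTER_A = """
crypto isakmp policy 100
 authentication pre-share
crypto isakmp key cisco123 hostname routerb
crypto map torouterb 100 ipsec-isakmp
 set peer 66.11.11.11
"""
ROUTER_A_FIXED = ROUTER_A.replace("hostname routerb", "address 66.11.11.11")
ROUTER_B = """
crypto isakmp policy 100
 authentication pre-share
crypto isakmp key cisco123 address 68.14.91.241
crypto map toroutera 100 ipsec-isakmp
 set peer 68.14.91.241
"""

KEY_RE = re.compile(r"^\s*crypto isakmp key (\S+) (address|hostname) (\S+)", re.M)
PEER_RE = re.compile(r"^\s*set peer (\S+)", re.M)


def parse(config):
    """Return (peer IPs, {ip: key} for address-keyed entries, {name: key} for hostname-keyed)."""
    peers = PEER_RE.findall(config)
    by_addr, by_host = {}, {}
    for key, kind, ident in KEY_RE.findall(config):
        (by_addr if kind == "address" else by_host)[ident] = key
    return peers, by_addr, by_host


def check_pair(cfg_a, cfg_b):
    """Apply the reply's two checks. Returns a list of findings; empty means both pass."""
    findings, keys_in_use = [], []
    for name, cfg in (("A", cfg_a), ("B", cfg_b)):
        peers, by_addr, by_host = parse(cfg)
        for peer in peers:
            if peer in by_addr:
                keys_in_use.append(by_addr[peer])
            else:
                # No address-keyed entry for this peer; report hostname-keyed ones if present.
                findings.append(f"router {name}: no 'crypto isakmp key ... address {peer}' for its peer"
                                + (f" (only hostname keys: {sorted(by_host)})" if by_host else ""))
    if len(set(keys_in_use)) > 1:
        findings.append("pre-shared keys differ between the two routers")
    return findings


if __name__ == "__main__":
    for pair in ((ROUTER_A, ROUTER_B), (ROUTER_A_FIXED, ROUTER_B)):
        print(check_pair(*pair) or ["checks pass"])
```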
01-28-2003 03:47 PM
I have set the ISAKMP key on both routers and they are the same. Here is the config of both routers. I am running NAT on the routers, but I denied the traffic I want to tunnel from the NAT ACL.
RouterA
======
crypto isakmp policy 100
hash md5
authentication pre-share
crypto isakmp key cisco123 hostname routerb
!
!
crypto ipsec transform-set torouterb ah-md5-hmac esp-des
!
crypto map torouterb 100 ipsec-isakmp
set peer 66.11.11.11
set transform-set torouterb
match address 101
!
interface Ethernet0/0
ip address dhcp
ip nat outside
full-duplex
no cdp enable
crypto map torouterb
!
ip nat inside source list 100 interface Ethernet0/0 overload
!
access-list 100 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 log
ROUTERB
========
!
crypto isakmp policy 100
hash md5
authentication pre-share
crypto isakmp key cisco123 hostname routera
!
!
crypto ipsec transform-set toroutera ah-md5-hmac esp-des
!
crypto map toroutera 100 ipsec-isakmp
set peer 68.14.91.241
set transform-set toroutera
match address 101
!
interface Ethernet0/0
mac-address 0020.78c8.6ed3
ip address dhcp
ip nat outside
full-duplex
no cdp enable
crypto map toroutera
!
!
ip nat inside source list 100 interface Ethernet0/0 overload
!
access-list 100 deny ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 any
access-list 101 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255 log
01-28-2003 04:41 PM
Configs look fine. What's the outcome?
Also, have you defined host-to-IP mappings for routerb and routera?
01-28-2003 04:51 PM
Yes, I have.
01-28-2003 05:27 PM
Well, it doesn't seem like I can ping a host in the remote network. It times out. :( Am I missing some minuscule command?
01-28-2003 02:46 PM
Is the "crypto map toSwansea local-address Ethernet0/0" command optional? Can't you just specify the map on the interface with the "crypto map toSwansea" command?
01-28-2003 03:00 PM
This command is optional.