Cisco Support Community
New Member

isakmp/ipsec tunnel fails between routers

Here is the error message:

protocol= ESP, transform= esp-des ,
lifedur= 3600s and 4608000kb,
spi= 0x88B3B116(2293477654), conn_id= 0, keysize= 0, flags= 0x4004
00:46:49: ISAKMP: received ke message (1/2)
00:46:49: ISAKMP: local port 500, remote port 500
00:46:49: ISAKMP (0:1): No Cert or pre-shared address key.
00:46:49: ISAKMP (0:1): Can not start Main mode
00:46:49: ISAKMP: 66.21.160.58 not in host cache
00:46:49: ISAKMP (0:1): Can not start aggressive mode.
00:46:49: ISAKMP (0:1): purging SA., sa=8265176C, delme=8265176C
00:46:49: ISAKMP (0:1): purging node -1502739524

I have the access-list logging entries, so it shows that it is allowing the packets through. The keys are the same; I issued "sh crypto isa key" on both routers and they are identical. I left the default tunneling mode on both routers; could this be one reason? Thanks!


Re: isakmp/ipsec tunnel fails between routers

Please check whether you have configured the remote peer IP addresses properly in the isakmp key definition.

New Member

Re: isakmp/ipsec tunnel fails between routers

This is what I have:

crypto map toSwansea 100 ipsec-isakmp
 set peer 66.x.x.x
 set transform-set toSwansea
 match address 101

Re: isakmp/ipsec tunnel fails between routers

The above defines the crypto map, which is applied to the interfaces. If you are using preshared keys, you need to define the ISAKMP preshared keys:

crypto isakmp key IPSECkey address 66.x.x.x

This command should be entered on both routers; IPSECkey is the ISAKMP key and should be the same on both ends. On router A, the address should be that of router B and vice versa.

Take a look at the following link for a sample config.

http://www.cisco.com/warp/public/105/IPSECpart8.shtml

New Member

Re: isakmp/ipsec tunnel fails between routers

I have set the ISAKMP key on both routers and they are the same. Here is the config of both routers. I am running NAT on the routers, but I denied the traffic I want to tunnel from the NAT ACL.

RouterA
======

crypto isakmp policy 100
 hash md5
 authentication pre-share
crypto isakmp key cisco123 hostname routerb
!
!
crypto ipsec transform-set torouterb ah-md5-hmac esp-des
!
crypto map torouterb 100 ipsec-isakmp
 set peer 66.11.11.11
 set transform-set torouterb
 match address 101
!
interface Ethernet0/0
 ip address dhcp
 ip nat outside
 full-duplex
 no cdp enable
 crypto map torouterb
!
ip nat inside source list 100 interface Ethernet0/0 overload
!
access-list 100 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 log

ROUTERB
========

!
crypto isakmp policy 100
 hash md5
 authentication pre-share
crypto isakmp key cisco123 hostname routera
!
!
crypto ipsec transform-set toroutera ah-md5-hmac esp-des
!
crypto map toroutera 100 ipsec-isakmp
 set peer 68.14.91.241
 set transform-set toroutera
 match address 101
!
interface Ethernet0/0
 mac-address 0020.78c8.6ed3
 ip address dhcp
 ip nat outside
 full-duplex
 no cdp enable
 crypto map toroutera
!
!
ip nat inside source list 100 interface Ethernet0/0 overload
!
access-list 100 deny ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 any
access-list 101 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255 log

Re: isakmp/ipsec tunnel fails between routers

Configs look fine. What's the outcome?

Also, have you defined host-to-IP mappings for routerb and routera?

New Member

Re: isakmp/ipsec tunnel fails between routers

Yes, I have.

New Member

Re: isakmp/ipsec tunnel fails between routers

Well, it doesn't seem like I can ping a host in the remote network; it times out. :( Am I missing some minuscule command?

New Member

Re: isakmp/ipsec tunnel fails between routers

Is the "crypto map toSwansea local-address Ethernet0/0" command optional? Can't you just specify the map on the interface with the "crypto map toSwansea" command?

Re: isakmp/ipsec tunnel fails between routers

This command is optional.
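The thread's replies point at three places where a site-to-site tunnel like this one is usually broken: the pre-shared key must be found for the peer's address (the "No Cert or pre-shared address key" debug line above), the crypto ACLs must mirror each other, and NAT must exempt the tunnel traffic. The following checker is an added example, not code from the thread or from Cisco: it parses the two config excerpts posted above (copied here as constructed sample input, interface stanzas left out) and reports which of those conditions fail. It understands only the handful of commands used in the thread; the check that a key must be defined by address assumes the IOS default of crypto isakmp identity address on both routers.

```python
"""Consistency checks for a pair of Cisco IOS site-to-site IPsec configs."""
import re

# Sample input: the two configs posted in the thread (constructed copy;
# interface stanzas omitted, the parser would ignore them anyway).
ROUTER_A = """\
crypto isakmp policy 100
 hash md5
 authentication pre-share
crypto isakmp key cisco123 hostname routerb
crypto ipsec transform-set torouterb ah-md5-hmac esp-des
crypto map torouterb 100 ipsec-isakmp
 set peer 66.11.11.11
 set transform-set torouterb
 match address 101
ip nat inside source list 100 interface Ethernet0/0 overload
access-list 100 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 log
"""
ROUTER_B = """\
crypto isakmp policy 100
 hash md5
 authentication pre-share
crypto isakmp key cisco123 hostname routera
crypto ipsec transform-set toroutera ah-md5-hmac esp-des
crypto map toroutera 100 ipsec-isakmp
 set peer 68.14.91.241
 set transform-set toroutera
 match address 101
ip nat inside source list 100 interface Ethernet0/0 overload
access-list 100 deny ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 any
access-list 101 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255 log
"""
ANY = ("any", "any")


def _endpoint(tokens):
    """Consume one ACE endpoint: 'any' or 'network wildcard'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse(text):
    """Extract the ISAKMP/IPsec-relevant commands from an IOS config excerpt."""
    cfg = {"keys": [], "transforms": {}, "maps": [], "acls": {}, "nat_acl": None}
    cmap = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp key (\S+) (address|hostname) (\S+)", line):
            cfg["keys"].append({"secret": m[1], "by": m[2], "value": m[3]})
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["transforms"][m[1]] = tuple(sorted(m[2].split()))
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            cmap = {"name": m[1]}
            cfg["maps"].append(cmap)
        elif cmap and line.startswith(("set peer ", "set transform-set ", "match address ")):
            cmap[line.split()[1]] = line.split()[-1]  # keys: peer, transform-set, address
        elif m := re.match(r"ip nat inside source list (\S+)", line):
            cfg["nat_acl"] = m[1]
        elif m := re.match(r"access-list (\S+) (permit|deny) ip (.+)", line):
            src, rest = _endpoint(m[3].split())
            dst, _ = _endpoint(rest)
            cfg["acls"].setdefault(m[1], []).append((m[2], src, dst))
    return cfg


def _first_match(aces, src, dst):
    """First-match ACL semantics; IOS ends every ACL with an implicit deny."""
    for action, s, d in aces:
        if s in (src, ANY) and d in (dst, ANY):
            return action
    return "deny"


def check_pair(a, b, names=("RouterA", "RouterB")):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    for me, mine, other, theirs in ((names[0], a, names[1], b), (names[1], b, names[0], a)):
        peer_acls = [theirs["acls"].get(m.get("address"), []) for m in theirs["maps"]]
        for cm in mine["maps"]:
            peer = cm.get("peer")
            # 1. With the default 'crypto isakmp identity address', main mode looks
            #    the pre-shared key up by the peer's address; a hostname-only key is
            #    not found (the thread's "No Cert or pre-shared address key").
            if not any(k["by"] == "address" and k["value"] == peer for k in mine["keys"]):
                findings.append(f"{me}: no pre-shared key defined for address {peer}")
            # 2. The transform set must have an identical counterpart on the peer.
            ts = mine["transforms"].get(cm.get("transform-set"))
            if ts not in theirs["transforms"].values():
                findings.append(f"{me}: transform-set {cm.get('transform-set')} has no match on {other}")
            for action, src, dst in mine["acls"].get(cm.get("address"), []):
                if action != "permit":
                    continue
                # 3. Every permit line of the crypto ACL must be mirrored on the peer.
                if not any(("permit", dst, src) in acl for acl in peer_acls):
                    findings.append(f"{me}: crypto ACL {src[0]}->{dst[0]} is not mirrored on {other}")
                # 4. Tunnel traffic must hit a deny in the NAT ACL, or it is translated
                #    before the crypto map ever sees it.
                if mine["nat_acl"] and _first_match(mine["acls"].get(mine["nat_acl"], []), src, dst) != "deny":
                    findings.append(f"{me}: NAT ACL {mine['nat_acl']} translates {src[0]}->{dst[0]}")
    # 5. Both ends must share at least one pre-shared secret.
    if not {k["secret"] for k in a["keys"]} & {k["secret"] for k in b["keys"]}:
        findings.append("pre-shared secrets differ between the two routers")
    return findings


if __name__ == "__main__":
    for finding in check_pair(parse(ROUTER_A), parse(ROUTER_B)):
        print(finding)
```

Run against the thread's two configs, the only findings are that neither router has a key defined for its peer's address (both keys are defined by hostname); transform sets, mirrored crypto ACLs and the NAT exemptions all check out. Replacing the hostname lines with address-keyed entries, as the second reply suggests, makes the checker return no findings.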
