01-24-2004 04:42 AM - edited 03-09-2019 06:13 AM
Hiya
I am getting error messages such as
VPN Peer:ISAKMP: Peer Info for 172.27.17.70/500 not found - peers:0 and
Embryonic : 1
dst src state pending created
172.27.17.70 172.27.255.73 MM_NO_STATE 0 0
My config is attached but I can't find anything wrong with it: any ideas?
access-list net_msc_acl permit ip 172.31.0.0 255.255.0.0 172.27.21.0 255.255.255.0
access-list net_msc_acl permit ip inside_net1 255.255.255.0 172.27.21.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip inside_net1 255.255.255.0 172.27.21.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip Inside_net 255.255.255.0 172.27.21.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 149.199.0.0 255.255.0.0 172.30.1.248 255.255.255.248
access-list inside_outbound_nat0_acl permit ip host Switch 172.30.1.248 255.255.255.248
access-list inside_outbound_nat0_acl permit ip host Xylinx-OTM 172.30.1.248 255.255.255.248
access-list inside_outbound_nat0_acl permit ip Xylinx-Lan2 255.255.0.0 172.30.1.248 255.255.255.248
access-list inside_outbound_nat0_acl permit ip host Xylinx-SNMP 172.30.1.248 255.255.255.248
access-list inside_outbound_nat0_acl permit ip host Cisco_3662 172.30.1.248 255.255.255.248
nat (inside) 0 access-list inside_outbound_nat0_acl
route inside inside_net1 255.255.255.0 172.31.1.2 1
route outside 172.30.1.248 255.255.255.248 x.x.x.x 1
crypto ipsec transform-set net-msc esp-des esp-sha-hmac
crypto map net-map 10 ipsec-isakmp
crypto map net-map 10 match address net_msc_acl
crypto map net-map 10 set peer 172.27.17.70
crypto map net-map 10 set transform-set net-msc
crypto map net-map 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map net-map interface Test
isakmp enable outside
isakmp enable inside
isakmp enable Test
isakmp key ******** address 172.27.17.70 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
01-24-2004 02:57 PM
How about the other config?
Is there a reason you have isakmp enabled on three interfaces? If outside is the one the tunnel should connect to, then get rid of the other statements.
02-08-2004 09:21 AM
I don't know if you've resolved your issue, and the error you were getting may appear for other reasons, but I had the same issue. In my case, I found that the encryption level for the IKE policies was set to DES on one box and 3DES on the other. Changing this got me past Phase 1. Hope that helps.
02-09-2004 04:34 PM
It appears that your peer is misconfigured or not ready to accept the IKE initiation connection. You may want to check that the VPN peer is reachable. If it is, then review your configuration on that device to ensure that it is ready to at least recognize that IKE negotiations are occurring.
HTH,
-mrew-
02-10-2004 03:07 PM
Make sure that the remote peer is indeed set for
isakmp identity address
and
isakmp policy 10 group 2
VPN Peer:ISAKMP: Peer Info for 172.27.17.70/500 not found - peers:0 and
Embryonic : 1
I usually see that when the SAs don't match between the devices (especially when DH group 1 is configured on the other side).
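Added example, not part of any post in this thread: a small Python check that compares the `isakmp policy` lines of two peers and reports which Phase 1 attributes differ, the kind of mismatch the replies above describe. The local policy is the one posted in the question; the remote policy is constructed for illustration, and the function names are hypothetical.

```python
import re

# Phase 1 attributes both peers must agree on (lifetime is left out of this check).
# Attributes missing from a config are compared as "not shown"; device defaults are not modelled.
ATTRS = ("authentication", "encryption", "hash", "group")
POLICY_RE = re.compile(r"^isakmp policy (\d+) (\w+) (\S+)\s*$")

def parse_policies(config):
    """Return {priority: {attr: value}} from PIX 'isakmp policy' lines."""
    policies = {}
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if m and m.group(2) in ATTRS:
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return policies

def compare(local_cfg, remote_cfg):
    """Return (matched, report): matched is the first (local, remote) priority
    pair with identical attributes or None; report lists the differences per pair."""
    local, remote = parse_policies(local_cfg), parse_policies(remote_cfg)
    matched, report = None, []
    for lp in sorted(local):
        for rp in sorted(remote):
            diff = {a: (local[lp].get(a), remote[rp].get(a))
                    for a in ATTRS if local[lp].get(a) != remote[rp].get(a)}
            report.append((lp, rp, diff))
            if not diff and matched is None:
                matched = (lp, rp)
    return matched, report

# Local policy as posted in the question.
LOCAL = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
"""
# Constructed remote-peer policy (not from the thread) with an encryption and a DH group mismatch.
REMOTE = """\
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 1
"""

if __name__ == "__main__":
    matched, report = compare(LOCAL, REMOTE)
    print("matching policy pair:", matched)
    for lp, rp, diff in report:
        for attr, (l, r) in diff.items():
            print(f"local {lp} vs remote {rp}: {attr} local={l} remote={r}")
```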