Cisco Support Community
New Member

Can't get past IKE Phase 1

Hiya

I am getting error messages such as

VPN Peer:ISAKMP: Peer Info for 172.27.17.70/500 not found - peers:0 and

Embryonic : 1

dst src state pending created

172.27.17.70 172.27.255.73 MM_NO_STATE 0 0

My config is attached but I can't find anything wrong with it: any ideas?

access-list net_msc_acl permit ip 172.31.0.0 255.255.0.0 172.27.21.0 255.255.255.0

access-list net_msc_acl permit ip inside_net1 255.255.255.0 172.27.21.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip inside_net1 255.255.255.0 172.27.21.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip Inside_net 255.255.255.0 172.27.21.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 149.199.0.0 255.255.0.0 172.30.1.248 255.255.255.248

access-list inside_outbound_nat0_acl permit ip host Switch 172.30.1.248 255.255.255.248

access-list inside_outbound_nat0_acl permit ip host Xylinx-OTM 172.30.1.248 255.255.255.248

access-list inside_outbound_nat0_acl permit ip Xylinx-Lan2 255.255.0.0 172.30.1.248 255.255.255.248

access-list inside_outbound_nat0_acl permit ip host Xylinx-SNMP 172.30.1.248 255.255.255.248

access-list inside_outbound_nat0_acl permit ip host Cisco_3662 172.30.1.248 255.255.255.248

nat (inside) 0 access-list inside_outbound_nat0_acl

route inside inside_net1 255.255.255.0 172.31.1.2 1

route outside 172.30.1.248 255.255.255.248 x.x.x.x 1

crypto ipsec transform-set net-msc esp-des esp-sha-hmac

crypto map net-map 10 ipsec-isakmp

crypto map net-map 10 match address net_msc_acl

crypto map net-map 10 set peer 172.27.17.70

crypto map net-map 10 set transform-set net-msc

crypto map net-map 10 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map net-map interface Test

isakmp enable outside

isakmp enable inside

isakmp enable Test

isakmp key ******** address 172.27.17.70 netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 2

4 REPLIES
Silver

Re: Can't get past IKE Phase 1

How about the other config?

Is there a reason you have isakmp enabled on three interfaces? If outside is the one the tunnel should connect to, then get rid of the other statements.

New Member

Re: Can't get past IKE Phase 1

I don't know if you've resolved your issue, and the error you were getting may appear for other reasons, but I had the same issue. In my case, I found that the encryption level for the IKE policies was set to DES on one box and 3DES on the other. Changing this got me past Phase 1. Hope that helps.

New Member

Re: Can't get past IKE Phase 1

It appears that your peer is misconfigured or not ready to accept the IKE initiation connection. You may want to check that the VPN peer is reachable. If it is, then review your configuration on that device to ensure that it is ready to at least recognize that IKE negotiations are occurring.

HTH,

-mrew-

New Member

Re: Can't get past IKE Phase 1

Make sure that the remote peer is indeed set for

isakmp identity address

and

isakmp policy 10 group 2

VPN Peer:ISAKMP: Peer Info for 172.27.17.70/500 not found - peers:0 and

Embryonic : 1

I usually see that when the SAs don't match between the devices (especially when DH group 1 is configured on the other side).
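
Several replies above point to mismatched Phase 1 parameters (DES on one box and 3DES on the other, or DH group 1 against group 2) as a cause of this error. The following Python script is an added example, not code from the thread or from Cisco: it compares the isakmp policy lines of two PIX configs attribute by attribute. The local policy is the one posted in the question; the remote policy is constructed, because the peer's config never appears in the thread, and the function names are hypothetical.

```python
import re

# Phase 1 attributes both peers must agree on for a proposal to be accepted.
ATTRS = ("authentication", "encryption", "hash", "group")
POLICY_RE = re.compile(r"^[ \t]*isakmp policy (\d+) (\S+) (\S+)[ \t]*$", re.M)

# Local policy as posted in the question.
LOCAL_CFG = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
"""

# Constructed remote policy (assumption: the thread never shows the peer's config).
REMOTE_CFG = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
"""

def parse_policies(config):
    """Return {priority: {attribute: value}} from PIX 'isakmp policy' lines."""
    policies = {}
    for prio, attr, value in POLICY_RE.findall(config):
        policies.setdefault(int(prio), {})[attr] = value
    return policies

def diff_policies(local, remote):
    """Return (first matching (lprio, rprio) or None, {(lprio, rprio): [(attr, lval, rval)]})."""
    diffs = {}
    # Unset attributes compare as None; verify those against the device default.
    for lp in sorted(local):
        for rp in sorted(remote):
            bad = [(a, local[lp].get(a), remote[rp].get(a))
                   for a in ATTRS if local[lp].get(a) != remote[rp].get(a)]
            if not bad:
                return (lp, rp), diffs
            diffs[(lp, rp)] = bad
    return None, diffs

if __name__ == "__main__":
    match, diffs = diff_policies(parse_policies(LOCAL_CFG), parse_policies(REMOTE_CFG))
    if match:
        print("Phase 1 proposal match: local %d / remote %d" % match)
    for (lp, rp), bad in diffs.items():
        for attr, lval, rval in bad:
            print("policy %d vs %d: %s local=%s remote=%s" % (lp, rp, attr, lval, rval))
```

With the constructed remote policy, no pair of policies matches and the script reports the encryption and group differences; pasting in the real peer's isakmp policy lines shows whether any proposal can be accepted at all.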
