Cisco 837 - Snapgear Pro

admin_2
Level 3

I am having some problems setting up an IPSEC VPN between a Cisco 837 ADSL Router and a Snapgear Pro ADSL router on another site.

Phase 1 Key exchange seems to happen OK, but then there seems to be a problem with the initiation of phase 2. Logs follow:

08:19:14: ISAKMP (0:255): sending packet to 20.20.20.20 my_port 500 peer_port 500 (R) MM_SA_SETUP

08:19:17: ISAKMP (0:255): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

08:19:17: ISAKMP (255): ID payload

next-payload : 8

type : 1

addr : 30.30.30.30

protocol : 17

port : 0

length : 8

08:19:17: ISAKMP (255): Total payload length: 12

08:19:17: ISAKMP (0:255): sending packet to 20.20.20.20 my_port 500 peer_port 500 (R) MM_KEY_EXCH

08:19:17: ISAKMP (0:255): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

08:19:17: ISAKMP (0:255): Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

08:19:17: ISAKMP (0:255): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

08:19:17: ISAKMP (0:255): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

08:19:27: ISAKMP (0:255): received packet from 20.20.20.20 dport 500 sport 500 (R) QM_IDLE

08:19:27: ISAKMP (0:255): phase 1 packet is a duplicate of a previous packet.

08:19:27: ISAKMP (0:255): retransmitting due to retransmit phase 1

08:19:27: ISAKMP (0:255): retransmitting phase 1 QM_IDLE ...

08:19:28: ISAKMP (0:255): retransmitting phase 1 QM_IDLE ...

08:19:28: ISAKMP (0:255): incrementing error counter on sa: retransmit phase 1

08:19:28: ISAKMP (0:255): no outgoing phase 1 packet to retransmit. QM_IDLE

08:19:47: ISAKMP (0:255): received packet from 20.20.20.20 dport 500 sport 500 (R) QM_IDLE

08:19:47: ISAKMP (0:255): phase 1 packet is a duplicate of a previous packet.

08:19:47: ISAKMP (0:255): retransmitting due to retransmit phase 1

08:19:47: ISAKMP (0:255): retransmitting phase 1 QM_IDLE ...

08:19:48: ISAKMP (0:255): retransmitting phase 1 QM_IDLE ...

08:19:48: ISAKMP (0:255): incrementing error counter on sa: retransmit phase 1

08:19:48: ISAKMP (0:255): no outgoing phase 1 packet to retransmit. QM_IDLE

I have checked the Snapgear router and it is displaying the following message in the log:

Feb 25 06:21:32 Pluto[104]: "VPN-Connection" #50: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

Feb 25 06:21:32 Pluto[104]: "VPN-Connection" #50: starting keying attempt 34 of an unlimited number

Feb 25 06:21:32 Pluto[104]: "VPN-Connection" #51: initiating Main Mode to replace #50

Feb 25 06:21:33 Pluto[104]: "VPN-Connection" #51: ignoring Vendor ID payload [Cisco-Unity]

Feb 25 06:21:33 Pluto[104]: "VPN-Connection" #51: received Vendor ID payload [Dead Peer Detection]

Feb 25 06:21:33 Pluto[104]: "VPN-Connection" #51: ignoring Vendor ID payload [ea35f8456a70f513...]

Feb 25 06:21:33 Pluto[104]: "VPN-Connection" #51: ignoring Vendor ID payload [XAUTH]

Feb 25 06:21:34 Pluto[104]: "VPN-Connection" #51: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0

Any ideas would be greatly appreciated.

Regards,

Craig
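
Added example, not part of the original post: a parser for the ISAKMP Identification payload that applies the check quoted in the Pluto log line above (protocol/port must be 0/0 or 17/500) to a payload rebuilt from the values in the Cisco debug (type 1, addr 30.30.30.30, protocol 17, port 0, total length 12). The function names and the sample bytes are constructed for illustration.

```python
import ipaddress
import struct

ID_IPV4_ADDR = 1   # ID type shown as "type : 1" in the Cisco debug
UDP = 17           # IP protocol number for UDP
IKE_PORT = 500     # ISAKMP/IKE port


def build_id_payload(next_payload, proto, port, addr):
    """Build an ID payload: 4-byte generic header, 4-byte DOI fields, IPv4 address."""
    body = struct.pack("!BBH", ID_IPV4_ADDR, proto, port)
    body += ipaddress.IPv4Address(addr).packed
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_id_payload(payload):
    """Parse an ISAKMP Identification payload and return its fields."""
    if len(payload) < 8:
        raise ValueError("ID payload shorter than its fixed 8-byte header")
    next_payload, _reserved, length, id_type, proto, port = struct.unpack(
        "!BBHBBH", payload[:8])
    if length != len(payload):
        raise ValueError(f"length field {length} != {len(payload)} bytes present")
    data = payload[8:]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 address bytes")
        ident = str(ipaddress.IPv4Address(data))
    else:
        ident = data.hex()  # other ID types are left undecoded here
    return {"next_payload": next_payload, "length": length, "id_type": id_type,
            "protocol": proto, "port": port, "id": ident}


def phase1_id_acceptable(proto, port):
    """Phase 1 rule from the Pluto message (RFC 2407, section 4.6.2):
    protocol/port must be 0/0 or UDP/500."""
    return (proto, port) in ((0, 0), (UDP, IKE_PORT))


# Constructed sample matching the fields printed in the Cisco debug output.
CISCO_SAMPLE = build_id_payload(next_payload=8, proto=17, port=0,
                                addr="30.30.30.30")

if __name__ == "__main__":
    fields = parse_id_payload(CISCO_SAMPLE)
    verdict = "accepted" if phase1_id_acceptable(
        fields["protocol"], fields["port"]) else "rejected"
    print(fields, "->", verdict)
```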

1 Reply 1

umedryk
Level 5

Hi Craig,

Add a static route exclusively on the concentrator and see if it works. If it works, the problem was most probably with the reachability only.