Cisco Support Community
Community Member

Crypto error.


I configured an IOS VPN on a Cisco 2821 router with IOS 12.4(5) ADVSEC.

The other end VPN box is a third party box.

I have attached the debug results.

What is mismatching in my settings?

I have checked the VPN boxes at both ends and the settings are the same.

P.Q.R.S is the global IP of my H.O VPN box, is the LAN segment at my H.O side.

A.B.C.D is the global IP of the remote end VPN box, is the LAN segment of the remote VPN box.

Cisco Employee

Re: Crypto error.

Looks like we receive the IKE packet from the remote end, confirm that the IKE parameters match, but also determine that there is a NAT box in between so we start doing NAT-T, meaning we start sending all packets encapsulated in UDP/4500 packets. From that point on we get no response from the other end.

Either the other end doesn't do NAT-T and drops the connection, or the UDP/4500 packets are filtered out somewhere in between and our packets never get to the other end.
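
The NAT detection described in the reply above, sketched as an added example that is not part of the original thread or of Cisco's code: in standard NAT-T (RFC 3947) each peer sends NAT-D payloads, HASH(CKY-I | CKY-R | IP | Port), and the receiver recomputes them from the addresses it actually sees; any mismatch moves IKE to UDP/4500. The cookies, the addresses (documentation and private ranges) and the SHA-1 hash are constructed assumptions.

```python
import hashlib
import ipaddress

IKE_PORT, NATT_PORT = 500, 4500


def nat_d(cky_i, cky_r, ip, port, hash_name="sha1"):
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port)."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + port.to_bytes(2, "big")
    return hashlib.new(hash_name, data).digest()


def build_nat_d(cky_i, cky_r, src, dst):
    """Sender: first payload covers the destination, the second the source."""
    return [nat_d(cky_i, cky_r, *dst), nat_d(cky_i, cky_r, *src)]


def detect_nat(cky_i, cky_r, payloads, seen_src, local):
    """Receiver: recompute the hashes from the packet as it arrived."""
    dst_hash, src_hashes = payloads[0], payloads[1:]
    return {
        # The sender hashed an address that is not ours: we are translated.
        "local_behind_nat": dst_hash != nat_d(cky_i, cky_r, *local),
        # The source we see matches none of the sender's own: peer is translated.
        "peer_behind_nat": nat_d(cky_i, cky_r, *seen_src) not in src_hashes,
    }


def next_port(result):
    """After detection, IKE floats to UDP/4500 if either side is behind NAT."""
    return NATT_PORT if any(result.values()) else IKE_PORT


def scenario():
    """Constructed case: a peer on a private address behind a NATing ISP router."""
    cky_i, cky_r = bytes(range(8)), bytes(range(8, 16))  # constructed cookies
    peer_private = ("10.0.0.2", IKE_PORT)      # address the peer believes it has
    peer_public = ("198.51.100.7", IKE_PORT)   # source seen after translation
    router = ("192.0.2.1", IKE_PORT)           # our own public address
    payloads = build_nat_d(cky_i, cky_r, src=peer_private, dst=router)
    natted = detect_nat(cky_i, cky_r, payloads, seen_src=peer_public, local=router)
    direct = detect_nat(cky_i, cky_r, payloads, seen_src=peer_private, local=router)
    return natted, direct


if __name__ == "__main__":
    for label, result in zip(("via NAT", "direct"), scenario()):
        print(label, result, "-> continue on UDP", next_port(result))
```

Once detection fires, every later IKE and ESP packet depends on UDP/4500 being passed and forwarded in both directions, which is the path the reply says to check.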

Community Member

Re: Crypto error.

My other end VPN box is a WatchGuard Firebox.

On this box, there are 3 VPN tunnels to different ends, and all the other ends are Cisco ISR routers.

Of the 3 VPN tunnels, two are working fine. Only one tunnel is showing a problem.

This Firebox VPN box's global address is a private address, and the ISP router is doing the NATing and port forwarding function.

But as the other two VPNs are working fine, I think the ISP router is doing the NATing and port forwarding correctly.

I would like to confirm: in my debug messages, is Phase I showing a problem, or has the Phase I process completed?

From which point/message does the Phase II process start?
