10-14-2003 02:24 PM - edited 03-09-2019 05:09 AM
I have three 837 routers, each one of them with a VPN to the others.
I have authentication pre-share and crypto isakmp identity hostname (because I need VPN clients).
When I run debug crypto isakmp I get the following:
*Mar 1 00:14:16.231: ISAKMP: received ke message (1/1)
*Mar 1 00:14:16.231: ISAKMP (0:0): SA request profile is (NULL)
*Mar 1 00:14:16.231: ISAKMP: Created a peer struct for 23.96.48.22, peer port 500
*Mar 1 00:14:16.231: ISAKMP: Locking peer struct 0x8179BE5C, IKE refcount 1 for crypto_ikmp_config_initialize_sa
*Mar 1 00:14:16.231: ISAKMP (0:0): Setting client config settings 8156AEE0
*Mar 1 00:14:16.231: ISAKMP (0:0): (Re)Setting client xauth list and state
*Mar 1 00:14:16.231: ISAKMP: local port 500, remote port 500
*Mar 1 00:14:16.235: ISAKMP: set new node 0 to CONF_XAUTH
*Mar 1 00:14:16.235: ISAKMP: insert sa successfully sa = 8156B30C
*Mar 1 00:14:16.235: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
*Mar 1 00:14:16.235: ISAKMP: Looking for a matching key for 23.96.48.22 in default
*Mar 1 00:14:16.235: ISAKMP (0:1): No pre-shared key with 23.96.48.22!
*Mar 1 00:14:16.235: ISAKMP (0:1): No Cert or pre-shared address key.
*Mar 1 00:14:16.235: ISAKMP (0:1): construct_initial_message: Can not start Main mode
*Mar 1 00:14:16.235: ISAKMP (0:1): purging SA., sa=8156B30C, delme=8156B30C
*Mar 1 00:14:16.235: ISAKMP (0:1): purging node -1284547857
*Mar 1 00:14:16.239: ISAKMP: Unlocking IKE struct 0x8179BE5C for declare_sa_dead(), count 0
Both routers have this configuration:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
I see this with sh crypto isakmp key
acabats#sh crypto isakmp key
Keyring   Hostname/Address   Preshared Key
default   girona             acabats
          barcelona          acalona
and the other
barcelona#sh crypto isakmp key
Hostname/Address Preshared Key
default acabats acalona : girona barcelona
But I don't know the meaning of the default.
Can anybody help me, please?
10-15-2003 04:17 AM
It looks to me that your PreShared keys do not match.
Try setting all the routers with the same Preshared Key and (this isn't exactly the most secure method but it works) add this command
crypto isakmp key *insert preshared key here* address 0.0.0.0
There may be better ways of fixing this, but this is a fallback option.
10-16-2003 12:08 PM
What are your crypto access-lists?
Do you have the following statement(s)?
isakmp key ***** address x.x.x.x netmask
isakmp identity address
The PIX has a default ISAKMP policy; if you do not specify certain isakmp options or the same options, the PIX will use its default. This might be what it is, but I'm not sure what acalona and girona are?
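The following is an added example, not part of any post in this thread: a short Python script that correlates the "No pre-shared key with ..." lines of a debug crypto isakmp capture with a sh crypto isakmp key listing and shows, for each failed peer, whether any key is configured by address or only by hostname. The sample input is constructed from the question (key values replaced by placeholders), and the function names and the 0.0.0.0 wildcard handling are assumptions.

```python
import re

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample input modelled on the question; key values are placeholders.
DEBUG_LOG = """\
*Mar 1 00:14:16.235: ISAKMP: Looking for a matching key for 23.96.48.22 in default
*Mar 1 00:14:16.235: ISAKMP (0:1): No pre-shared key with 23.96.48.22!
*Mar 1 00:14:16.235: ISAKMP (0:1): No Cert or pre-shared address key.
"""
KEY_TABLE = """\
Keyring Hostname/Address Preshared Key
default girona <key-1>
barcelona <key-2>
"""

def failed_peers(log):
    """Peer identities for which the debug log reports no pre-shared key."""
    hits = re.findall(r"No pre-shared key with (\S+)!", log)
    return list(dict.fromkeys(hits))  # de-duplicate, keep first-seen order

def key_entries(table):
    """(keyring, peer identity) pairs; a 2-column row continues the previous keyring."""
    entries, keyring = [], None
    for line in table.splitlines():
        cols = line.split()
        if "Preshared" in cols:  # header row
            continue
        if len(cols) == 3:
            keyring, cols = cols[0], cols[1:]
        if len(cols) == 2:
            entries.append((keyring, cols[0]))
    return entries

def diagnose(log, table):
    """For each failed peer, split the configured keys into address and hostname entries."""
    peers = [ident for _, ident in key_entries(table)]
    report = {}
    for peer in failed_peers(log):
        report[peer] = {
            # Assumption: a wildcard key would be listed under the address 0.0.0.0.
            "address_entries": [p for p in peers if p in (peer, "0.0.0.0")],
            "hostname_entries": [p for p in peers if not IPV4.fullmatch(p)],
        }
    return report

if __name__ == "__main__":
    print(diagnose(DEBUG_LOG, KEY_TABLE))
```

An empty address_entries list next to populated hostname_entries is the situation the log's "No Cert or pre-shared address key" line describes.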