Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Crypto isakmp identity

I have 3 routers 837, each one of them with a VPN to the others.

I have authentication pre-share and crypto isakmp identity hostname (because I need VPN clients).

When I put debug crypto isakmp I got the next:

*Mar 1 00:14:16.231: ISAKMP: received ke message (1/1)

*Mar 1 00:14:16.231: ISAKMP (0:0): SA request profile is (NULL)

*Mar 1 00:14:16.231: ISAKMP: Created a peer struct for 23.96.48.22, peer port

500

*Mar 1 00:14:16.231: ISAKMP: Locking peer struct 0x8179BE5C, IKE refcount 1 for

crypto_ikmp_config_initialize_sa

*Mar 1 00:14:16.231: ISAKMP (0:0): Setting client config settings 8156AEE0

*Mar 1 00:14:16.231: ISAKMP (0:0): (Re)Setting client xauth list and state

*Mar 1 00:14:16.231: ISAKMP: local port 500, remote port 500

*Mar 1 00:14:16.235: ISAKMP: set new node 0 to CONF_XAUTH

*Mar 1 00:14:16.235: ISAKMP: insert sa successfully sa = 8156B30C

*Mar 1 00:14:16.235: ISAKMP (0:1): Can not start Aggressive mode, trying Main m

ode.

*Mar 1 00:14:16.235: ISAKMP: Looking for a matching key for 23.96.48.22 in de

fault

*Mar 1 00:14:16.235: ISAKMP (0:1): No pre-shared key with 23.96.48.22!

*Mar 1 00:14:16.235: ISAKMP (0:1): No Cert or pre-shared address key.

*Mar 1 00:14:16.235: ISAKMP (0:1): construct_initial_message: Can not start Mai

n mode

*Mar 1 00:14:16.235: ISAKMP (0:1): purging SA., sa=8156B30C, delme=8156B30C

*Mar 1 00:14:16.235: ISAKMP (0:1): purging node -1284547857

*Mar 1 00:14:16.239: ISAKMP: Unlocking IKE struct 0x8179BE5C for declare_sa_dea

d(), count 0

Both routers have this configuration:

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

I see this with sh crypto isakmp key

acabats#sh crypto isakmp key

Keyring Hostname/Address Preshared Key

default girona acabats

barcelona acalona

and the other

barcelona#sh crypto isakmp key

Hostname/Address Preshared Key

default acabats acalona : girona barcelona

But I don't know the meaning of the default.

Can anybody help me, please?

2 REPLIES
New Member

Re: Crypto isakmp identity

It looks to me that your PreShared keys do not match.

Try setting all the routers with the same Preshared Key and (this isn't exactly the most secure method but it works) add this command

crypto isakmp key *insert preshared key here* address 0.0.0.0

There may be better ways of fixing this, but this is a fall back option.

New Member

Re: Crypto isakmp identity

What are your crypto access-lists?

Do you have the following statement(s)

isakmp key ***** address x.x.x.x netmask

isakmp identy address

The PIX has default ISAKMP Policy, if you do not specify certian isakmp options or the same options this the PIX will use its default. This might be what it is, but I'm not sure what acalona and girona are?

253
Views
0
Helpful
2
Replies