Cisco Support Community
New Member

Site-to-Site Cisco IOS 805 and Contivity

I'm trying to configure an IPSec tunnel between a Contivity and a Cisco IOS router 805 (IOS 12.1 or 12.2) but I had no success. I got this message in the Cisco debug: %CRYPTO-6-IKMP_NOT_ENCRYPTED. Has anyone already faced this problem and could help me?

Thanks.

5 REPLIES
New Member

Re: Site-to-Site Cisco IOS 805 and Contivity

Need more information to do further troubleshooting.

See whether the following URL helps or not.

http://www.cisco.com/warp/customer/471/vpn_pppoe.html

If it is still not working, please upload your router's config, take off credential information and we will work out what is wrong in there.

Best Regards,

New Member

Re: Site-to-Site Cisco IOS 805 and Contivity

Message

00:07:21: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 20.20.20.1 was not encrypted and it should've been.

Configuration

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname c1721
!
logging buffered 4096 debugging
enable secret 5 -- moderator edit --
enable password 7 -- moderator edit --
!
clock timezone BRA -3
ip subnet-zero
no ip source-route
!
!
no ip ftp passive
no ip domain lookup
ip domain name rj.telemar
!
ip dhcp pool localpool
 import all
 network 192.168.134.0 255.255.255.0
 default-router 192.168.134.1
!
no ip bootp server
ip audit notify log
ip audit po max-events 100
ip cef
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 4
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encr 3des
 authentication rsa-encr
!
crypto isakmp policy 6
 encr 3des
 hash md5
 authentication rsa-encr
!
crypto isakmp policy 7
 encr 3des
 hash md5
!
crypto isakmp policy 8
 encr 3des
crypto isakmp key telemar address 20.20.20.1 no-xauth
crypto isakmp identity hostname
!
crypto ipsec transform-set nortel esp-3des esp-sha-hmac
!
crypto map mode 4 ipsec-isakmp
 set peer 20.20.20.1
 set transform-set nortel
 match address 111
!
!
interface FastEthernet0
 ip address 192.168.134.1 255.255.255.0
 speed auto
!
interface Serial0
 no ip address
 no ip mroute-cache
 shutdown
 no fair-queue
!
interface Serial1
 ip address 30.30.30.1 255.255.255.0
 encapsulation ppp
 no ip mroute-cache
 load-interval 30
 autodetect encapsulation ppp
 fair-queue 4096 16 0
 serial restart_delay 0
 clockrate 512000
 invert txclock
 crypto map mode
!
interface Serial2
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 30.30.30.2
no ip http server
ip pim bidir-enable
!
!
access-list 111 permit ip 192.168.134.0 0.0.0.255 192.168.133.0 0.0.0.255
!
!
line con 0
 exec-timeout 0 0
 password 7 -- moderator edit --
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 0 0
 password 7 -- moderator edit --
 login
!
end

New Member

Re: Site-to-Site Cisco IOS 805 and Contivity

This is a debug output; the same problem occurs on another router.

01:06:47: ISAKMP: received ke message (1/1)
01:06:47: ISAKMP: local port 500, remote port 500
01:06:47: ISAKMP (0:42): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
01:06:47: ISAKMP (0:42): Old State = IKE_READY New State = IKE_I_MM1
01:06:47: ISAKMP (0:42): beginning Main Mode exchange
01:06:47: ISAKMP (0:42): sending packet to 30.30.30.2 (I) MM_NO_STATE
01:06:47: ISAKMP (0:42): received packet from 30.30.30.2 (I) MM_NO_STATE
01:06:47: ISAKMP (0:42): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
01:06:47: ISAKMP (0:42): Old State = IKE_I_MM1 New State = IKE_I_MM2
01:06:47: ISAKMP (0:42): processing SA payload. message ID = 0
01:06:47: ISAKMP (0:42): found peer pre-shared key matching 30.30.30.2
01:06:47: ISAKMP (0:42): Checking ISAKMP transform 1 against priority 3 policy
01:06:47: ISAKMP: encryption DES-CBC
01:06:47: ISAKMP: hash SHA
01:06:47: ISAKMP: default group 1
01:06:47: ISAKMP: auth pre-share
01:06:47: ISAKMP: life type in seconds
01:06:47: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
01:06:47: ISAKMP (0:42): atts are acceptable. Next payload is 0
01:06:47: ISAKMP (0:42): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
01:06:47: ISAKMP (0:42): Old State = IKE_I_MM2 New State = IKE_I_MM2
01:06:47: ISAKMP (0:42): sending packet to 30.30.30.2 (I) MM_SA_SETUP
01:06:47: ISAKMP (0:42): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
01:06:47: ISAKMP (0:42): Old State = IKE_I_MM2 New State = IKE_I_MM3
01:06:48: ISAKMP (0:42): received packet from 30.30.30.2 (I) MM_SA_SETUP
01:06:48: ISAKMP (0:42): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
01:06:48: ISAKMP (0:42): Old State = IKE_I_MM3 New State = IKE_I_MM4
01:06:48: ISAKMP (0:42): processing KE payload. message ID = 0
01:06:48: ISAKMP (0:42): processing NONCE payload. message ID = 0
01:06:48: ISAKMP (0:42): found peer pre-shared key matching 30.30.30.2
01:06:48: ISAKMP (0:42): SKEYID state generated
01:06:48: ISAKMP (0:42): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
01:06:48: ISAKMP (0:42): Old State = IKE_I_MM4 New State = IKE_I_MM4
01:06:48: ISAKMP (0:42): Send initial contact
01:06:48: ISAKMP (0:42): SA is doing pre-shared key authentication using id type ID_FQDN
01:06:48: ISAKMP (42): ID payload
        next-payload : 8
        type : 2
        protocol : 17
        port : 500
        length : 20
01:06:48: ISAKMP (42): Total payload length: 24
01:06:48: ISAKMP (0:42): sending packet to 30.30.30.2 (I) MM_KEY_EXCH
01:06:48: ISAKMP (0:42): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
01:06:48: ISAKMP (0:42): Old State = IKE_I_MM4 New State = IKE_I_MM5
01:06:48: ISAKMP (0:42): received packet from 30.30.30.2 (I) MM_KEY_EXCH
01:06:48: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 30.30.30.2 was not encrypted and it should've been.
01:06:48: ISAKMP (0:42): incrementing error counter on sa: reset_retransmission
01:06:49: ISAKMP (0:42): retransmitting phase 1 MM_KEY_EXCH...
01:06:49: ISAKMP (0:42): incrementing error counter on sa: retransmit phase 1
01:06:49: ISAKMP (0:42): retransmitting phase 1 MM_KEY_EXCH
01:06:49: ISAKMP (0:42): sending packet to 30.30.30.2 (I) MM_KEY_EXCH
01:06:49: ISAKMP (0:42): received packet from 30.30.30.2 (I) MM_KEY_EXCH
01:06:49: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 30.30.30.2 was not encrypted and it should've been.
01:06:49: ISAKMP (0:42): incrementing error counter on sa: reset_retransmission
01:06:50: ISAKMP (0:42): retransmitting phase 1 MM_KEY_EXCH...
01:06:50: ISAKMP (0:42): incrementing error counter on sa: retransmit phase 1
01:06:50: ISAKMP (0:42): retransmitting phase 1 MM_KEY_EXCH
01:06:50: ISAKMP (0:42): sending packet to 30.30.30.2 (I) MM_KEY_EXCH
01:06:50: ISAKMP (0:42): received packet from 30.30.30.2 (I) MM_KEY_EXCH
01:06:50: ISAKMP (0:42): phase 1 packet is a duplicate of a previous packet.
01:06:50: ISAKMP (0:42): retransmission skipped for phase 1 (time since last transmission 4)

Cisco Employee

Re: Site-to-Site Cisco IOS 805 and Contivity

Hi,

Looking at the debugs, we see that the IOS router is looking for an encrypted packet from the peer at this stage, which it's not getting. Did you try changing the code on the Contivity side? What error message does it show on their side?

Regards,

Aamir

-=-=-

New Member

Re: Site-to-Site Cisco IOS 805 and Contivity

Hi,

I found the problem. The crypto isakmp identity hostname command was the problem; when I changed it to the crypto isakmp identity address command, everything was solved. Contivity was looking for an IP address identity and not a hostname...

Thanks,

Willians
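An added example, not part of the thread and not Cisco code: a small Python triage script for the failure discussed above. It walks `debug crypto isakmp` output, tracks each SA's Main Mode state and the ID type the router sent, and flags a cleartext packet from the peer at IKE_I_MM5 after an ID_FQDN identity, the pattern the thread resolved with crypto isakmp identity address. The sample lines are a subset of the debug posted above; the function and field names are assumptions of this example.

```python
import re

# Constructed sample: a subset of the debug lines posted in the thread.
SAMPLE = """\
01:06:47: ISAKMP (0:42): Old State = IKE_READY New State = IKE_I_MM1
01:06:47: ISAKMP (0:42): Old State = IKE_I_MM1 New State = IKE_I_MM2
01:06:47: ISAKMP (0:42): Old State = IKE_I_MM2 New State = IKE_I_MM3
01:06:48: ISAKMP (0:42): Old State = IKE_I_MM3 New State = IKE_I_MM4
01:06:48: ISAKMP (0:42): SA is doing pre-shared key authentication using id type ID_FQDN
01:06:48: ISAKMP (0:42): sending packet to 30.30.30.2 (I) MM_KEY_EXCH
01:06:48: ISAKMP (0:42): Old State = IKE_I_MM4 New State = IKE_I_MM5
01:06:48: ISAKMP (0:42): received packet from 30.30.30.2 (I) MM_KEY_EXCH
01:06:48: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 30.30.30.2 was not encrypted and it should've been.
"""

STATE = re.compile(r"ISAKMP \(\d+:(\d+)\): Old State = \S+\s+New State = (\S+)")
ID_TYPE = re.compile(r"ISAKMP \(\d+:(\d+)\): SA is doing .* using id type (\S+)")
PEER = re.compile(r"ISAKMP \(\d+:(\d+)\): (?:sending packet to|received packet from) (\S+)")
CLEAR = re.compile(r"%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from (\S+) was not encrypted")

def analyze(log_text):
    """Return one finding per cleartext IKE packet, with the SA context at that point."""
    sas = {}        # SA id -> {"state", "id_type", "peer"}
    findings = []
    for line in log_text.splitlines():
        if m := STATE.search(line):
            sas.setdefault(m[1], {})["state"] = m[2]
        elif m := ID_TYPE.search(line):
            sas.setdefault(m[1], {})["id_type"] = m[2]
        elif m := PEER.search(line):
            sas.setdefault(m[1], {})["peer"] = m[2]
        elif m := CLEAR.search(line):
            # The syslog line carries no SA id, so correlate on the peer address.
            for sa_id, sa in sas.items():
                if sa.get("peer") == m[1]:
                    findings.append({
                        "sa": sa_id, "peer": m[1],
                        "state": sa.get("state"), "id_type": sa.get("id_type"),
                        # Cleartext reply right after our FQDN identity went out:
                        # check which identity type the peer is configured to accept.
                        "identity_suspect": sa.get("state") == "IKE_I_MM5"
                                            and sa.get("id_type") == "ID_FQDN",
                    })
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

A finding with `identity_suspect` set only narrows where to look; a cleartext packet at this stage is still worth checking against the peer's own log, as the reply above asks.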
