Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Tunnel Issues

here's a brief description , we have 2 routers that were working for at least 2 years sudenly a couple of days ago we got this message and the tunnel didnt pass any traffic.

%CRYPTO-6-IKMP_CRYPT_FAILURE: IKE (connection id 268435457) unable to decrypt (w/RSA private key) packet

we removed the crypto map and everything is working now , the only config changed because a company requeriment was a line , one of the routers used to have no ip domain lookup and the change was setting to ip domain lookup nothing else was done , any ideas was caused the failure???

2 REPLIES
New Member

Re: Tunnel Issues

check if isakmp identity is hostname not address.

New Member

Re: Tunnel Issues

Thanks for the reply ¡ , this is before:

no ip domain-lookup

ip domain-name xxxxxxxxx.com

!

crypto isakmp policy 10

encr 3des

authentication rsa-encr

group 2

!

!

crypto ipsec transform-set xxxx-trans ah-sha-hmac esp-3des

crypto ipsec df-bit clear

!

crypto map xxxxxxx 10 ipsec-isakmp

set peer 1x.xxx.xx.x

set security-association level per-host

set transform-set xxxx-trans

match address xxxxxxxxxx

!

!

crypto key pubkey-chain rsa

addressed-key xx.xxx.xxx.xxx encryption

address 1x.xxx.xx.x

This is afeter:

ip domain-name xxxxx.com

!

crypto isakmp policy 10

encr 3des

authentication rsa-encr

group 2

!

!

crypto ipsec transform-set xxxx-trans ah-sha-hmac esp-3des

crypto ipsec df-bit clear

!

crypto map xxxxxx 10 ipsec-isakmp

set peer xx.xxx.xx.x set security-association level per-host

set transform-set xxxxx-trans

match address xxxxx

!

!

crypto key pubkey-chain rsa

addressed-key xx.xxx.xxx.xx encryption

address xx.xxx.x.x

key-string

Any more toughts?? how to check what you suggest me??

229
Views
0
Helpful
2
Replies