06-13-2006 06:56 PM - edited 02-21-2020 02:28 PM
Hi everyone,
I'm writing after having troubleshot and researched the web and the Cisco website, only to hit a brick wall.
I'm trying to configure a simple vpn tunnel between a PIX 501 (6.2) -my side- and a VPN concentrator 3000.
The configuration on our side is straightforward, however it doesn't seem to work. I'm getting the below output from debug crypto isakmp:
VPN Peer: ISAKMP: Added new peer: ip:ReD-Prod-Peer Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:ReD-Prod-Peer Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1...
ISADB: reaper checking SA 0x80a7cb20, conn_id = 0
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src IDC-Outside-Int, dst ReD-Prod-Peer
ISADB: reaper checking SA 0x80a7cb20, conn_id = 0 DELETE IT!
On the remote site:
crypto_isakmp_process_block:src: xxx.xxx.xxx.xxx (my vpn peer), dest:yyy.yyy.yyy.yyy (remote vpn peer) spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
ISAKMP (0): deleting SA: xxx.xxx.xxx.xxx (my vpn peer), dest:yyy.yyy.yyy.yyy (remote vpn peer)
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (0)...
VPN Peer:ISAKMP: Peer Info for xxx.xxx.xxx.xxx (my vpn peer)/500 not found - peers:9
Does anyone have any idea about the above error line? The most I was able to find is on http://www.rick-thompson.com/misc/vpn-notes.html which says it has something to do with my NATing.
But I've configured another tunnel with IDENTICAL configuration except a different remote vpn peer and it works pretty well.
I'm really puzzled by this issue. I've wasted more than 20 hours trying to figure it out.
Regards,
Daniel
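The two debug excerpts above are the kind of thing worth classifying mechanically before touching any config. What follows is an added example, not code from this thread or from Cisco: a small Python parser that walks PIX "debug crypto isakmp" lines and records which Phase 1 milestones were logged, then names the last one reached before the SA was torn down. The sample input is constructed from the poster's own lines (initiator side, then responder side); the milestone keys and verdict strings are this script's own labels, not PIX terminology.

```python
import re

# Constructed sample: the two excerpts from the post above, initiator (PIX) first, then the responder.
LOCAL_DEBUG = """\
VPN Peer: ISAKMP: Added new peer: ip:ReD-Prod-Peer Total VPN Peers:1
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1...
ISADB: reaper checking SA 0x80a7cb20, conn_id = 0
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src IDC-Outside-Int, dst ReD-Prod-Peer
ISADB: reaper checking SA 0x80a7cb20, conn_id = 0 DELETE IT!
"""

REMOTE_DEBUG = """\
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0): deleting SA: xxx.xxx.xxx.xxx, dest:yyy.yyy.yyy.yyy
"""

# Proposal attributes the responder echoes while it evaluates the initiator's SA payload.
ATTR_RE = re.compile(r"^ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")


def parse_phase1(text):
    """Walk the lines in order and record which Phase 1 milestones were logged."""
    seen = {"main_mode_started": False, "sa_payload_seen": False, "attrs_acceptable": False,
            "attrs_rejected": False, "auth_started": False, "sa_deleted": False,
            "retransmits": 0, "proposal": {}}
    for line in text.splitlines():
        line = line.strip()
        if "beginning Main Mode exchange" in line:
            seen["main_mode_started"] = True
        elif "processing SA payload" in line:
            seen["sa_payload_seen"] = True
        elif "atts are not acceptable" in line:      # checked before the positive form
            seen["attrs_rejected"] = True
        elif "atts are acceptable" in line:
            seen["attrs_acceptable"] = True
        elif "pre-shared key authentication" in line:
            seen["auth_started"] = True
        elif "retransmitting phase 1" in line:
            seen["retransmits"] += 1
        elif "deleting SA" in line:
            seen["sa_deleted"] = True
        elif m := ATTR_RE.match(line):
            seen["proposal"][m.group(1).replace("default ", "")] = m.group(2)
    return seen


def assess(seen):
    """Name the last milestone reached before teardown (labels are this script's own, not PIX terms)."""
    if not seen["sa_deleted"]:
        return "no-teardown-observed"
    if seen["attrs_rejected"]:
        return "proposal-rejected"
    if seen["attrs_acceptable"]:
        return "stalled-after-proposal-accepted"
    if seen["retransmits"] and not seen["sa_payload_seen"]:
        return "initiator-got-no-reply"
    return "torn-down-before-proposal"


if __name__ == "__main__":
    for label, text in (("initiator", LOCAL_DEBUG), ("responder", REMOTE_DEBUG)):
        seen = parse_phase1(text)
        print(f"{label}: {assess(seen)} (retransmits={seen['retransmits']}, proposal={seen['proposal']})")
```

Read together, the two verdicts say more than either side alone: the initiator only sees retransmits and a teardown, which says nothing about why, while the responder shows the proposal attributes were accepted and the exchange stalled after that, so the Phase 1 policy attributes themselves are not where the mismatch lies.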
06-13-2006 11:35 PM
Daniel
Check to see if the crypto ACLs configured on both devices are correct, and also the NAT 0 / ISAKMP key statements; take a look at the following document for troubleshooting:
Hope this helps and please rate post if it does!
Jay
06-14-2006 05:31 AM
Can you post the relevant part of your configs for both sites? Thanks.
06-14-2006 01:27 PM
Thanks for your replies, guys.
I'm enclosing the config. Unfortunately I don't have access to the remote end, so I'm pasting what they've provided me.
Please note that my inside interface is 192.168.1.1/24
and MyServerIP is in the same subnet as MyVPNPeerIP
access-list 111 permit ip host MyServerIP host TheirServerIP
static (inside,outside) MyServerIP 192.168.1.100 netmask 255.255.255.255 0 0
crypto ipsec transform-set MyMAPform esp-3des esp-md5-hmac
crypto map MAPam 21 ipsec-isakmp
crypto map MAPam 21 match address 111
crypto map MAPam 21 set peer TheirVPNPeerIP
crypto map MAPam 21 set transform-set MyMAPform
crypto map MAPam interface outside
isakmp key ******** address TheirVPNPeerIP netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash md5
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
Remote end
access-list 330 permit ip host TheirServerIP host MyServerIP
crypto ipsec transform-set trip esp-3des esp-md5-hmac
crypto map ODMAP 240 ipsec-isakmp
crypto map ODMAP 240 match address 330
crypto map ODMAP 240 set peer MyVPNPeerIP
crypto map ODMAP 240 set transform-set trip trip587
isakmp key ******** address MyVPNPeerIP netmask 255.255.255.255
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
Keep in mind that my configuration works fine with another VPNPeer.
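The checks Jay listed (crypto ACLs mirrored, a key for the peer actually used, matching proposals) can be run mechanically against the two excerpts. This is an added example, not code from the thread or from Cisco: a Python script that parses the crypto-relevant lines of a PIX 6.x config from each side and reports anything the two sides disagree on. The sample input is the two excerpts as posted, with the poster's placeholder names kept; the remote excerpt references a transform set (trip587) it does not define, which the script skips rather than treats as an error. It needs Python 3.8 or later for the walrus operator.

```python
import re
from collections import defaultdict

# Constructed sample: the two config excerpts posted in this thread, placeholders kept as posted.
LOCAL_CFG = """\
access-list 111 permit ip host MyServerIP host TheirServerIP
crypto ipsec transform-set MyMAPform esp-3des esp-md5-hmac
crypto map MAPam 21 ipsec-isakmp
crypto map MAPam 21 match address 111
crypto map MAPam 21 set peer TheirVPNPeerIP
crypto map MAPam 21 set transform-set MyMAPform
isakmp key ******** address TheirVPNPeerIP netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash md5
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
"""

REMOTE_CFG = """\
access-list 330 permit ip host TheirServerIP host MyServerIP
crypto ipsec transform-set trip esp-3des esp-md5-hmac
crypto map ODMAP 240 ipsec-isakmp
crypto map ODMAP 240 match address 330
crypto map ODMAP 240 set peer MyVPNPeerIP
crypto map ODMAP 240 set transform-set trip trip587
isakmp key ******** address MyVPNPeerIP netmask 255.255.255.255
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip host (\S+) host (\S+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (.+)$")
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+)")
POL_RE = re.compile(r"^isakmp policy (\d+) (\S+) (\S+)$")
PHASE1_ATTRS = ("authentication", "encryption", "hash", "group")   # lifetime may differ


def parse_pix(text):
    """Pull the pieces of a PIX 6.x crypto config that the two sides must agree on."""
    cfg = {"acls": {}, "transform_sets": {}, "map_entries": defaultdict(dict),
           "key_peers": set(), "policies": defaultdict(dict)}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            cfg["acls"][m.group(1)] = (m.group(2), m.group(3))          # (src, dst)
        elif m := TS_RE.match(line):
            cfg["transform_sets"][m.group(1)] = frozenset(m.group(2).split())
        elif m := MAP_RE.match(line):
            cfg["map_entries"][(m.group(1), m.group(2))][m.group(3)] = m.group(4).split()
        elif m := KEY_RE.match(line):
            cfg["key_peers"].add(m.group(1))
        elif m := POL_RE.match(line):
            cfg["policies"][m.group(1)][m.group(2)] = m.group(3)
    return cfg


def _proposed_sets(cfg, entry):
    """Transform sets a map entry proposes; names not defined in the excerpt are skipped."""
    return {cfg["transform_sets"][n] for n in entry.get("set transform-set", [])
            if n in cfg["transform_sets"]}


def check_tunnel(local, remote):
    """Return findings for each local crypto map entry against the remote excerpt (empty = consistent)."""
    findings = []
    remote_sets = set()
    for rentry in remote["map_entries"].values():
        remote_sets |= _proposed_sets(remote, rentry)
    for (name, seq), entry in local["map_entries"].items():
        tag = f"{name} {seq}"
        # Phase 2: the crypto ACL must be the mirror image of the one on the other side.
        acl_id = entry.get("match address", [None])[0]
        acl = local["acls"].get(acl_id)
        if acl is None:
            findings.append(f"{tag}: crypto ACL {acl_id} not found in excerpt")
        elif (acl[1], acl[0]) not in remote["acls"].values():
            findings.append(f"{tag}: no remote ACL mirrors {acl[0]} -> {acl[1]}")
        # Phase 1: a pre-shared key must be defined for the peer this entry actually uses.
        peer = entry.get("set peer", [None])[0]
        if peer not in local["key_peers"]:
            findings.append(f"{tag}: no isakmp key defined for peer {peer}")
        # Phase 2: at least one proposed transform set must be identical on both sides.
        if not (_proposed_sets(local, entry) & remote_sets):
            findings.append(f"{tag}: no transform set in common with the remote side")
    # Phase 1: some local policy must match some remote policy on the four negotiated attributes.
    sig = lambda p: tuple(p.get(a) for a in PHASE1_ATTRS)
    if not {sig(p) for p in local["policies"].values()} & {sig(p) for p in remote["policies"].values()}:
        findings.append("no isakmp policy matches on authentication/encryption/hash/group")
    return findings


if __name__ == "__main__":
    local, remote = parse_pix(LOCAL_CFG), parse_pix(REMOTE_CFG)
    for finding in check_tunnel(local, remote) + check_tunnel(remote, local) or ["no mismatches found"]:
        print(finding)
```

Run both directions, since each side's map entry is checked against the other's. On these two excerpts the script finds nothing, which matches what the thread has established so far; it can only see what the excerpts contain, so the masked pre-shared key values and the NAT / nat 0 handling on each box are outside its reach and still have to be compared by hand.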