Cisco Support Community

VPN under NAT - 2 routers same config. 1 works the other no

I have two routers working with DMVPN; they are both connecting to a hub VPN gateway. The spokes are both under NAT to access the internet. The configuration is the same, but on one the VPN works and on the other it does not.

Below is the output from the "bad" router. It all goes well until the end, when it says "Old State=IKE_I_MM4 New State = IKE_I_MM5".

On the "good" router it says "Old State=IKE_I_MM4 New State = IKE_P1_COMPLETE".

All the other lines that come before that are the same in the debug.

Does anyone know what could be going on?

*Mar 12 13:22:44.080: ISAKMP:(1023):Send initial contact

*Mar 12 13:22:44.080: ISAKMP:(1023):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Mar 12 13:22:44.080: ISAKMP (0:1023): ID payload

next-payload : 8

type : 1

address :

protocol : 17

port : 0

length : 12

*Mar 12 13:22:44.084: ISAKMP:(1023):Total payload length: 12

*Mar 12 13:22:44.084: crypto_engine: Generate IKE hash

*Mar 12 13:22:44.084: crypto_engine: Encrypt IKE packet

*Mar 12 13:22:44.084: ISAKMP:(1023): sending packet to my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

*Mar 12 13:22:44.084: ISAKMP:(1023):Sending an IKE IPv4 Packet.

*Mar 12 13:22:44.084: ISAKMP:(1023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar 12 13:22:44.084: ISAKMP:(1023):Old State = IKE_I_MM4 New State = IKE_I_MM5


Re: VPN under NAT - 2 routers same config. 1 works the other no

Use the "debug crypto isakmp" command to check for mismatch between tunnel parameters. Following link may help you


Re: VPN under NAT - 2 routers same config. 1 works the other no

Thanks, but I have already issued that, and everything goes exactly the same until the last line, which changes the MM state from 4 to 5 on the bad router, and from 4 to complete on the good router.
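The comparison described in this thread (the same `debug crypto isakmp` output on both spokes up to the last state change) can be done mechanically. The following is an added example, not part of the original posts: it extracts the "Old State / New State" lines per SA and reports any SA whose last logged state is not IKE_P1_COMPLETE. The BAD sample reuses lines quoted above; the GOOD sample and its SA id 1001 are constructed from the state line the poster quotes.

```python
import re

# Matches e.g. "ISAKMP:(1023):Old State = IKE_I_MM4 New State = IKE_I_MM5"
# and the older "ISAKMP (0:1023): ..." prefix form seen in the same debug.
STATE_RE = re.compile(
    r"ISAKMP:?\s*\((?:\d+:)?(?P<sa>\d+)\):\s*"
    r"Old State\s*=\s*(?P<old>\S+)\s+New State\s*=\s*(?P<new>\S+)"
)

def transitions(debug_text):
    """Return {sa_id: [(old_state, new_state), ...]} in log order."""
    per_sa = {}
    for line in debug_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            per_sa.setdefault(m["sa"], []).append((m["old"], m["new"]))
    return per_sa

def stalled(debug_text, done="IKE_P1_COMPLETE"):
    """Return {sa_id: last_state} for SAs whose last logged state is not `done`."""
    return {sa: steps[-1][1]
            for sa, steps in transitions(debug_text).items()
            if steps[-1][1] != done}

# Lines taken from the "bad" router output quoted in the thread.
BAD = """\
*Mar 12 13:22:44.084: ISAKMP:(1023): sending packet to my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Mar 12 13:22:44.084: ISAKMP:(1023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 12 13:22:44.084: ISAKMP:(1023):Old State = IKE_I_MM4 New State = IKE_I_MM5
"""

# Constructed sample for the "good" router (SA id and timestamp are made up).
GOOD = """\
*Mar 12 13:22:44.084: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 12 13:22:44.084: ISAKMP:(1001):Old State = IKE_I_MM4 New State = IKE_P1_COMPLETE
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD), ("good", GOOD)):
        print(name, "stalled SAs:", stalled(text) or "none")
```

Run it over the full debug capture from each spoke; the SA ids it reports are the ones to follow in the rest of the log and on the hub.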
