
VPN under NAT - 2 routers, same config: 1 works, the other does not

guibarati
Level 4

I have two routers working with DMVPN; they are both connecting to a hub VPN gateway. The spokes are both under NAT to access the Internet. The configuration is the same, but on one the VPN works and on the other it does not.

Below is the output from the "bad" router. It all goes well until the end, when it says "Old State = IKE_I_MM4 New State = IKE_I_MM5".

On the "good" router it says "Old State = IKE_I_MM4 New State = IKE_P1_COMPLETE".

All the other lines that come before that are the same in the debug.

Does anyone know what can be going on?

*Mar 12 13:22:44.080: ISAKMP:(1023):Send initial contact
*Mar 12 13:22:44.080: ISAKMP:(1023):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 12 13:22:44.080: ISAKMP (0:1023): ID payload
    next-payload : 8
    type : 1
    address : 192.168.201.100
    protocol : 17
    port : 0
    length : 12
*Mar 12 13:22:44.084: ISAKMP:(1023):Total payload length: 12
*Mar 12 13:22:44.084: crypto_engine: Generate IKE hash
*Mar 12 13:22:44.084: crypto_engine: Encrypt IKE packet
*Mar 12 13:22:44.084: ISAKMP:(1023): sending packet to 189.39.4.132 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Mar 12 13:22:44.084: ISAKMP:(1023):Sending an IKE IPv4 Packet.
*Mar 12 13:22:44.084: ISAKMP:(1023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 12 13:22:44.084: ISAKMP:(1023):Old State = IKE_I_MM4 New State = IKE_I_MM5


amritpatek
Level 6

Use the "debug crypto isakmp" command to check for a mismatch between tunnel parameters. The following link may help you:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008019d6f7.shtml

Thanks, but I have already issued that and everything goes exactly the same until the last line, which changes the MM state from 4 to 5 on the bad router, and from 4 to complete on the good router.
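The comparison the poster describes doing by eye, as an added example that is not part of the thread: this Python sketch extracts the ISAKMP state transitions from two "debug crypto isakmp" captures, reports the final phase 1 state of each, and finds the first point where the two routers differ. The sample captures are constructed from lines quoted in the post, and the function names are this example's own.

```python
import re
from itertools import zip_longest

# State-change and send lines as printed under "debug crypto isakmp".
STATE_RE = re.compile(
    r"ISAKMP:?\s*\((?:\d+:)?(?P<sa>\d+)\):\s*Old State\s*=\s*(?P<old>\S+)"
    r"\s+New State\s*=\s*(?P<new>\S+)")
SEND_RE = re.compile(r"my_port (\d+) peer_port (\d+)")

# Constructed sample: the first line is made up in the post's format,
# the remaining lines are the tail of the "bad" router output in the post.
BAD_DEBUG = """\
*Mar 12 13:22:44.076: ISAKMP:(1023):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Mar 12 13:22:44.084: ISAKMP:(1023): sending packet to 189.39.4.132 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Mar 12 13:22:44.084: ISAKMP:(1023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 12 13:22:44.084: ISAKMP:(1023):Old State = IKE_I_MM4 New State = IKE_I_MM5
"""
# Constructed "good" capture: same lines, ending the way the poster quotes it.
GOOD_DEBUG = BAD_DEBUG.replace("(1023)", "(1001)").replace(
    "New State = IKE_I_MM5", "New State = IKE_P1_COMPLETE")


def transitions(debug_text):
    """Return [(sa_id, old_state, new_state), ...] in the order logged."""
    return [(m["sa"], m["old"], m["new"]) for m in STATE_RE.finditer(debug_text)]


def summarize(debug_text):
    """Final logged state, and whether NAT-T (UDP 4500) ports were in use."""
    trans = transitions(debug_text)
    ports = {p for m in SEND_RE.finditer(debug_text) for p in m.groups()}
    final = trans[-1][2] if trans else None
    return {"final": final, "complete": final == "IKE_P1_COMPLETE",
            "nat_t": "4500" in ports}


def first_divergence(good_text, bad_text):
    """(index, good_step, bad_step) where the sequences first differ, else None."""
    good = [(o, n) for _, o, n in transitions(good_text)]
    bad = [(o, n) for _, o, n in transitions(bad_text)]
    for i, (g, b) in enumerate(zip_longest(good, bad)):
        if g != b:  # a missing step on one side shows up as None
            return i, g, b
    return None


if __name__ == "__main__":
    print(summarize(BAD_DEBUG))
    print(first_divergence(GOOD_DEBUG, BAD_DEBUG))
```

SA identifiers are ignored when comparing, since each router numbers its own SAs.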