tunnel-group *.*.*.* type ipsec-l2l
tunnel-group *.*.*.* ipsec-attributes
 pre-shared-key *
I have another VPN setup and working on the PIX (IPSEC) using the isakmp policy 5 (I have created 10 for testing).
SRP527W config -
IKE policy -
Diffie-Hellman (DH) Group
Group 2 (1024 bit)
Auto Pre-Shared Key
Enable Dead Peer Detection
XAUTH client enable
IPSec Policy -
Local Group Type
IP Address & Subnet
Local Group IP Address
Local Group IP Subnet
Remote security gateway address
Remote security domain name
Remote group type
IP Address & Subnet
Remote group IP
Remote group Subnet Mask
Manual encryption key
Manual auth key
Key life time
Now using IKE policy
The PIX is sat behind a router (Public/VPN address on outside interface) and the SRP527W dials the DSL (Router) and is the VPN gateway. Both have static public IP addresses.
If I ping from a device behind the SRP527W or the PIX the VPN tries to come up with a MSG6 error. If I test the VPN via the SRP527W (feature to test the link comes up) then on the PIX I can see MM_ACTIVE. I think this might be a false positive.
Usually when you get this error message "MM_WAIT_MSG6", it points to an issue with the pre-shared key exchange, so there may be a mismatch:
MM_WAIT_MSG5: This step is where the devices exchange pre-shared keys. If the pre-shared keys do not match it will stay at this MSG. I have also seen the tunnel stop here when NAT Traversal was on when it needed to be turned off.
MM_WAIT_MSG6: This step is where the devices exchange pre-shared keys. If the pre-shared keys do not match it will stay at this MSG. I have also seen the tunnel stop here when NAT Traversal was on when it needed to be turned off. However, if the state goes to MSG6 then the ISAKMP gets reset that means phase 1 finished but phase 2 failed. Check that IPSEC settings match in phase 2 to get the tunnel to MM_ACTIVE.
AM_ACTIVE / MM_ACTIVE: The ISAKMP negotiations are complete. Phase 1 has successfully completed.
So it is either that the pre-shared key is incorrect, or the phase 2 is not matching up too.
Attach the following:
- show crypto isakmp sa detail
If after reviewing the pre-shared key and everything matches up, please take the following outputs:
- debug crypto condition peer <peer IP address>
- debug crypto isakmp 250
- debug crypto ipsec 250
So we can define if it is either phase 1 or phase 2.
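The state check described in the reply above, as an added example that is not part of the original thread: it parses `show crypto isakmp sa` output and attaches the reply's suggested checks to each peer's state. The sample output is constructed in the layout PIX/ASA 7.x and later print; the peer addresses, function names and hint wording are assumptions.

```python
import re

# Hints paraphrase the reply in this thread; they are not Cisco's official wording.
HINTS = {
    "MM_WAIT_MSG5": "check pre-shared key on both peers; check NAT Traversal setting",
    "MM_WAIT_MSG6": "check pre-shared key and NAT Traversal; "
                    "if the SA then resets, compare phase 2 (IPsec) settings",
    "MM_ACTIVE": "phase 1 complete",
    "AM_ACTIVE": "phase 1 complete",
}

# Constructed sample (not from the thread); addresses are documentation ranges.
SAMPLE = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 192.0.2.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 198.51.100.7
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG6
"""

PEER_RE = re.compile(r"^\s*\d+\s+IKE Peer:\s*(\S+)")
FIELD_RE = re.compile(r"(\w+)\s*:\s*(\S+)")

def parse_isakmp_sa(text):
    """Return one dict per IKE peer with its Type, Role, Rekey and State fields."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            peers.append({"peer": m.group(1)})
        elif peers:  # field lines belong to the most recent peer header
            for key, value in FIELD_RE.findall(line):
                peers[-1][key.lower()] = value
    return peers

def triage(text):
    """Return (peer, state, hint) for every SA so stuck peers stand out."""
    return [(sa["peer"], sa.get("state", "UNKNOWN"),
             HINTS.get(sa.get("state"), "state not covered in this thread"))
            for sa in parse_isakmp_sa(text)]

if __name__ == "__main__":
    for peer, state, hint in triage(SAMPLE):
        print(f"{peer:15} {state:13} {hint}")
```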