We're getting the following message in the logs when we try to connect:
encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
One of the routers is a V2 and the other is a V4, if that makes any difference. Can someone tell me what exactly that message means?
This means there is an issue with your phase 1 negotiation. Phase 1 negotiates the parameters to establish the ISAKMP SA. In turn, the ISAKMP SA is then used to protect the future IKE exchanges.
Double check both IKE policies to ensure they completely match.
Yes, I have double checked the settings. They are exactly the same on both. This is the second tunnel for both routers. Do we need to use different settings for each tunnel perhaps?
Hi Tom, each tunnel should have its own policy.
We're essentially using the same encryption settings for both tunnels. So, when you say we should use another policy, can that simply mean using a different shared key? Or is it something more complex than that?
You can use all the same settings; I'd recommend a different password.
You just need to make separate policies for each tunnel, pointing respectively to the correct subnets and WAN IPs.
Ok, so keeping in mind that I am a software guy, not an IT guy, and this is new to me: are you saying that, for example, if I used 192.168.1.0 255.255.255.0 as the local group settings for the first tunnel, I should use something different for the second tunnel?
Hi Tom, Please reference this picture below.
The router on the top is 192.168.1.0, let's say this is the main router.
You should have 2 IKE and VPN policies.
The local group for the first router will always be the 192.168.1.0 network. The remote groups will be that of the respective router.
For VPN 1, the local group is 192.168.1.0, remote group is 192.168.2.0. The 'main' router of course will point to the WAN IP of the 192.168.2.0 router.
For VPN 2, the same thing: local group is 192.168.1.0, remote group is 192.168.3.0. The 'main' router will point to the WAN IP of the 192.168.3.0 router.
You need to create the policy to be unique to each router WAN / local subnet.
Yes, so it looks like we have the basic setup correct. I'm not sure I understand what you mean when you refer to "policy".
When you navigate to VPN and create a gateway-to-gateway connection, this page encompasses two facets of information: the IKE policy and the IPsec policy.
Anyway, for each connection, you need to define the properties for each unique VPN tunnel between sites.
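The checks the thread describes (IKE policies must match on both ends, and each tunnel needs its own remote subnet and peer WAN IP) can be scripted. The following is an added example, not code from the thread or from the router vendor; the policy fields, the `Tunnel` record and the sample WAN addresses are assumptions, modelled on the hub topology above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Phase1:
    """IKE (phase 1) policy; every field must match on both peers."""
    encryption: str
    integrity: str
    dh_group: int
    lifetime: int

@dataclass
class Tunnel:
    name: str
    local_group: str   # subnet behind this router
    remote_group: str  # subnet behind the peer
    remote_wan: str    # peer's WAN IP
    ike: Phase1        # this side's IKE policy
    peer_ike: Phase1   # IKE policy configured on the peer (assumed known)

def check_tunnels(tunnels):
    """Return a list of problems; an empty list means the set is consistent."""
    problems, seen_peers, seen_remotes = [], {}, {}
    for t in tunnels:
        local = ip_network(t.local_group, strict=False)
        remote = ip_network(t.remote_group, strict=False)
        wan = ip_address(t.remote_wan)
        if t.ike != t.peer_ike:
            problems.append(f"{t.name}: IKE policy differs from peer {wan}; phase 1 cannot complete")
        if local.overlaps(remote):
            problems.append(f"{t.name}: local group {local} overlaps remote group {remote}")
        if wan in seen_peers:
            problems.append(f"{t.name}: peer WAN {wan} already used by {seen_peers[wan]}")
        for other, net in seen_remotes.items():
            if remote.overlaps(net):
                problems.append(f"{t.name}: remote group {remote} overlaps {other}'s {net}")
        seen_peers[wan], seen_remotes[t.name] = t.name, remote
    return problems

# Constructed sample: hub 192.168.1.0/24 with two spokes; WAN IPs are RFC 5737 documentation addresses.
IKE = Phase1("aes256", "sha1", 5, 28800)
GOOD = [Tunnel("VPN 1", "192.168.1.0/24", "192.168.2.0/24", "198.51.100.10", IKE, IKE),
        Tunnel("VPN 2", "192.168.1.0/24", "192.168.3.0/24", "203.0.113.20", IKE, IKE)]
# Second tunnel cloned from the first (same remote group and WAN IP) and the peer uses DH group 2.
BAD = [GOOD[0], Tunnel("VPN 2", "192.168.1.0/24", "192.168.2.0/24", "198.51.100.10", IKE,
                       Phase1("aes256", "sha1", 2, 28800))]
```

Running `check_tunnels(GOOD)` returns no problems, while `check_tunnels(BAD)` reports the IKE mismatch, the duplicated peer WAN IP and the overlapping remote group for VPN 2.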