VPN SITE to SITE (RV520-FE-K9 TO RV042)

Hello everybody,

I've got some issues here, so I hope you can help me out.

What I'm trying to do is set up a VPN between these two routers. I've checked the configuration many times, but I didn't find the problem.

PS: Sorry for hiding the public addresses and info; it's just that my company does not want to share them.

Here's the debug from the SR520:

Mar  3 16:06:12.359: ISAKMP (0:0): received packet from xxxx.xxxx.xxxx.xxxx dport 500 sport 500 Global (N) NEW SA
*Mar  3 16:06:12.359: ISAKMP: Created a peer struct for 1xxxx.xxxx.xxxx.xxxx, peer port 500
*Mar  3 16:06:12.359: ISAKMP: New peer created peer = 0x83B94084 peer_handle = 0x8000000B
*Mar  3 16:06:12.359: ISAKMP: Locking peer struct 0x83B94084, refcount 1 for crypto_isakmp_process_block
*Mar  3 16:06:12.359: ISAKMP: local port 500, remote port 500
*Mar  3 16:06:12.359: insert sa successfully sa = 847E3DB8
*Mar  3 16:06:12.363: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  3 16:06:12.363: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Mar  3 16:06:12.363: ISAKMP:(0): processing SA payload. message ID = 0
*Mar  3 16:06:12.363: ISAKMP:(0):No pre-shared key with xxxx.xxxx.xxxx.xxxx!
*Mar  3 16:06:12.363: ISAKMP : Scanning profiles for xauth ...
*Mar  3 16:06:12.363: ISAKMP:(0):Checking ISAKMP transform 0 against priority 1 policy
*Mar  3 16:06:12.363: ISAKMP:      life type in seconds
*Mar  3 16:06:12.363: ISAKMP:      life duration (basic) of 28800
*Mar  3 16:06:12.363: ISAKMP:      encryption DES-CBC
*Mar  3 16:06:12.363: ISAKMP:      hash MD5
*Mar  3 16:06:12.363: ISAKMP:      auth pre-share
*Mar  3 16:06:12.363: ISAKMP:      default group 1
*Mar  3 16:06:12.363: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Mar  3 16:06:12.363: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  3 16:06:12.363: ISAKMP:(0):no offers accepted!
*Mar  3 16:06:12.363: ISAKMP:(0): phase 1 SA policy not acceptable! (local xxxx.xxxx.xxxx.xxxx remote 1xxxx.xxxx.xxxx.xxxx)
*Mar  3 16:06:12.363: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Mar  3 16:06:12.363: ISAKMP:(0): sending packet to xxxx.xxxx.xxxx.xxxx my_port 500 peer_port 500 (R) MM_NO_STATE
*Mar  3 16:06:12.363: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  3 16:06:12.363: ISAKMP:(0):peer does not do paranoid keepalives.
ot accepted" state (R) MM_NO_STATE (peer 1xxxx.xxxx.xxxx.xxxx)
*Mar  3 16:06:12.363: ISAKMP (0:0): FSM action returned error: 2
*Mar  3 16:06:12.363: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  3 16:06:12.363: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
*Mar  3 16:06:12.367: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer xxxx.xxxx.xxxx.xxxx)
*Mar  3 16:06:12.367: ISAKMP: Unlocking peer struct 0x83B94084 for isadb_mark_sa_deleted(), count 0
*Mar  3 16:06:12.367: ISAKMP: Deleting peer node by peer_reap for xxxx.xxxx.xxxx.xxxx: 83B94084
*Mar  3 16:06:12.367: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  3 16:06:12.367: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA
*Mar  3 16:06:12.367: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Mar  3 16:06:12.367: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 190.75.132.212)
*Mar  3 16:06:12.367: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*Mar  3 16:06:12.367: ISAKMP:(0):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

HERE'S THE SR520 CONFIGURATION:

Current configuration : 5091 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SR520_LEBRUN
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$UuTx$Y.koYevk4/LPbBf64zkuS0
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login tango_authen_login line local
aaa authorization exec default local
aaa authorization exec tango_author_exec if-authenticated
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3291959072
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3291959072
 revocation-check none
 rsakeypair TP-self-signed-3291959072
!
!
crypto pki certificate chain TP-self-signed-3291959072
 certificate self-signed 01

        quit
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool 1
   import all
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   domain-name labrun_ncp.com
   dns-server 200.44.32.12 200.11.248.12
!
!
ip cef
ip domain name lebrun_ncp.com
ip ddns update method sdm_ddns1
 HTTP
  add http://xxxx.xxxx.xxxx.xxxx@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
  remove http://xxxx.xxxx.xxxx.xxxx@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 2 0 0 0
 interval minimum 1 0 0 0
!
no vlan accounting input
!
no ipv6 cef
multilink bundle-name authenticated
!
!
username Admin privilege 15 secret 5 $1$cixn$hZS19piuPlZSX9vDLPCbK1
!
!
crypto isakmp policy 1
 encryp des
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key xxxxxxx address 192.168.4.0 255.255.255.0
!
crypto ipsec security-association idle-time 300
!
crypto ipsec transform-set VPN_LEBRUN_TIMON esp-des esp-md5-hmac
!
crypto map LEBRU_TIMON 1 ipsec-isakmp
 set peer xxxx.xxxx.dyndns.org
 set transform-set VPN_LEBRUN_TIMON
 match address 110
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 description INTERFACE DIRECTLY CONNECTED TO IPPX KX-NCP1000
 switchport access vlan 2
!
interface FastEthernet1
 description INTERFACE DIRECTLY CONNECTED TO RECORDING SERVER POLTYS POLTYS_NCP
 switchport access vlan 2
!
interface FastEthernet2
 description FREE
 switchport access vlan 2
!
interface FastEthernet3
 description FREE
 switchport access vlan 2
!
interface FastEthernet4
 description INTERFACE DIRECTLY CONNECTED TO MODEM ADLS NETOPIA 2246n-XG
 ip dhcp client update dns server none
 ip ddns update hostname xxxx.xxxx.dyndns.org
 ip ddns update sdm_ddns1
 ip address dhcp client-id FastEthernet4
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map LEBRU_TIMON
!
interface Vlan1
 no ip address
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip default-gateway 192.168.2.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
ip http server
ip http secure-server
ip http client username Admin
ip http client password 0 xxxx.xxxx
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 115 interface FastEthernet4 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 115 deny   ip 0.0.2.0 192.168.4.0 any
access-list 115 permit ip 192.168.2.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
banner login ^COUTE^C
banner motd ^COUTE^C
!
line con 0
 password telguer001
 no modem enable
line aux 0
line vty 0 4
 authorization exec tango_author_exec
 login authentication tango_authen_login
!
scheduler max-task-time 5000
end

RV042 CONFIG:

[Screenshot attached: rv042 config.JPG]
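An added troubleshooting check, not part of the original post and not a Cisco tool: it reads the debug and config lines quoted above (embedded here as constructed samples with the same masking) and reports why IKE Phase 1 fails. In IOS, "No pre-shared key with <peer>!" means no `crypto isakmp key` is bound to that peer, and the following "Preshared authentication offered but does not match policy!" is the consequence; the script cross-checks that the key is bound to the IKE peer named in the crypto map rather than to the remote LAN subnet selected by the crypto ACL.

```python
import re

# Constructed sample: the decisive lines of the SR520 debug quoted above.
DEBUG_LINES = [
    "*Mar  3 16:06:12.363: ISAKMP:(0): processing SA payload. message ID = 0",
    "*Mar  3 16:06:12.363: ISAKMP:(0):No pre-shared key with xxxx.xxxx.xxxx.xxxx!",
    "*Mar  3 16:06:12.363: ISAKMP:      auth pre-share",
    "*Mar  3 16:06:12.363: ISAKMP:(0):Preshared authentication offered but does not match policy!",
    "*Mar  3 16:06:12.363: ISAKMP:(0):no offers accepted!",
]
# Constructed sample: the VPN-relevant lines of the SR520 configuration above.
CONFIG_LINES = [
    "crypto isakmp key xxxxxxx address 192.168.4.0 255.255.255.0",
    "crypto map LEBRU_TIMON 1 ipsec-isakmp",
    " set peer xxxx.xxxx.dyndns.org",
    " match address 110",
    "access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255",
]

NO_PSK = re.compile(r"No pre-shared key with (\S+)!")
KEY_ADDR = re.compile(r"^crypto isakmp key \S+ address (\S+)")
KEY_HOST = re.compile(r"^crypto isakmp key \S+ hostname (\S+)")
SET_PEER = re.compile(r"^\s*set peer (\S+)")
ACL_DST = re.compile(r"^access-list \d+ permit ip \S+ \S+ (\d+\.\d+\.\d+\.\d+) \S+")


def diagnose(debug_lines, config_lines):
    """Return a list of findings explaining why IKE Phase 1 fails."""
    findings = []
    # 1. The debug names the peer for which IOS found no key; the later
    #    "does not match policy" line is the consequence, not a second bug.
    for line in debug_lines:
        if m := NO_PSK.search(line):
            findings.append(f"no pre-shared key for peer {m.group(1)}")
            break
    # 2. Cross-check the config: a key must be bound to the IKE peer's address
    #    or hostname, never to the remote LAN matched by the crypto ACL.
    key_addrs = [m.group(1) for l in config_lines if (m := KEY_ADDR.match(l))]
    key_hosts = [m.group(1) for l in config_lines if (m := KEY_HOST.match(l))]
    peers = [m.group(1) for l in config_lines if (m := SET_PEER.match(l))]
    remote_lans = [m.group(1) for l in config_lines if (m := ACL_DST.match(l))]
    for addr in key_addrs:
        if addr in remote_lans:
            findings.append(f"isakmp key bound to remote LAN {addr}, not to the peer")
    for peer in peers:
        if peer not in key_addrs and peer not in key_hosts:
            findings.append(f"no isakmp key matches crypto map peer {peer}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(DEBUG_LINES, CONFIG_LINES):
        print("-", finding)
```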
