
New Member

IPSEC PHASE 2 Problem

Hi everybody,

I have a problem with my IPsec phase 2 connection: phase 1 is active but phase 2 is not. Below is the output of some commands like sh crypto session detail and sh crypto isakmp sa; please help me troubleshoot this problem.

router#sh crypto session

Interface: FastEthernet0/0
Session status: UP-IDLE
Peer: 81.192.103.150 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 81.192.103.150
      Desc: (none)
  IKE SA: local 41.205.80.45/500 remote 81.192.103.150/500 Active
          Capabilities:(none) connid:1 lifetime:23:59:48
  IPSEC FLOW: permit ip 192.168.6.0/255.255.255.0 192.20.2.0/255.255.255.0
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 75 life (KB/Sec) 0/0

router#sh crypto isakmp sa
dst             src             state          conn-id slot status
81.192.100.50  41.200.90.45    MM_SA_SETUP          1    0 ACTIVE

router#sh crypto isakmp sa
dst             src             state          conn-id slot status
81.192.100.50  41.200.90.45    QM_IDLE              1    0 ACTIVE

8 REPLIES
Cisco Employee

Re: IPSEC PHASE 2 Problem

Can you do the following?

show cry isa sa

In the output above you will see the conn id for the SA

clear cry isa


term mon

debug cry isa

debug cry ipsec

Run the debugs so we can see what is being passed. Also, do you have the configs for both end devices? Was this tunnel ever working? Make sure the transform-set and match ACL matches on both ends.

New Member

Re: IPSEC PHASE 2 Problem

Thank you very much for your reply,

The attached documents are my config, the peer config (our partner), and the output of the debug command.

This tunnel has never worked before; we are setting it up now.

thank you once more

Cisco Employee

Re: IPSEC PHASE 2 Problem

crypto ipsec transform-set vpn1 esp-3des ah-md5-hmac
!
crypto map vpnregeo 50 ipsec-isakmp
 description tunel-to-M2M
 set peer xxx.xxx.xxx.xxx
 set transform-set vpn
 match address 118

Your config appears to have an issue. You are referencing transform-set VPN when you have VPN1 configured. Make the following changes.

crypto map vpnregeo 50 ipsec-isakmp
 no set transform-set vpn
 set transform-set vpn1

Try again and see if this works.

Thanks,

Joe

New Member

Re: IPSEC PHASE 2 Problem

Thanks,

I have tried what you asked me to do, but the problem remains.

New Member

Re: IPSEC PHASE 2 Problem

Excuse me Joe,

if the peer router is not a CISCO router, do I have a particular thing to do in my CISCO router?

Cisco Employee

Re: IPSEC PHASE 2 Problem

Sorry,

The TSet in your config reads

crypto ipsec transform-set vpn1 esp-3des ah-md5-hmac

should be

crypto ipsec transform-set vpn1 esp-3des esp-md5-hmac
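As an added check (example code written for this thread, not anything from Cisco or the posters), the script below parses the config fragment Joe quoted and flags both problems found in the replies: a crypto map that references an undefined transform-set, and a transform-set that uses AH authentication where the peer expects ESP. The sample config is constructed from the lines quoted above.

```python
import re

# Constructed sample config: the lines Joe quoted from the poster's router.
SAMPLE_CONFIG = """\
crypto ipsec transform-set vpn1 esp-3des ah-md5-hmac
!
crypto map vpnregeo 50 ipsec-isakmp
 description tunel-to-M2M
 set peer xxx.xxx.xxx.xxx
 set transform-set vpn
 match address 118
"""

def parse_transform_sets(config):
    """Map each defined transform-set name to its list of transforms."""
    pat = re.compile(r"^crypto ipsec transform-set (\S+)\s+(.+?)\s*$", re.M)
    return {m.group(1): m.group(2).split() for m in pat.finditer(config)}

def parse_crypto_maps(config):
    """Return [(map name, seq, [sub-commands])] for each ipsec-isakmp entry."""
    entries, current = [], None
    for line in config.splitlines():
        m = re.match(r"^crypto map (\S+) (\d+) ipsec-isakmp", line)
        if m:
            current = (m.group(1), int(m.group(2)), [])
            entries.append(current)
        elif current is not None and line.startswith(" "):
            current[2].append(line.strip())
        else:
            current = None  # any other top-level line ends the entry
    return entries

def check_phase2_config(config):
    """List config defects that stop phase 2 before a proposal is even sent."""
    findings = []
    tsets = parse_transform_sets(config)
    for name, transforms in tsets.items():
        ah = [t for t in transforms if t.startswith("ah-")]
        if ah:  # AH authentication will not match a peer proposing esp-*-hmac
            findings.append(f"transform-set {name}: {' '.join(ah)} is AH, not ESP")
    for map_name, seq, cmds in parse_crypto_maps(config):
        # 'set transform-set' may list several names; every one must exist
        refs = [n for c in cmds if c.startswith("set transform-set ")
                for n in c.split()[2:]]
        for name in refs:
            if name not in tsets:
                findings.append(f"crypto map {map_name} {seq}: transform-set "
                                f"'{name}' is not defined")
    return findings
```

Running check_phase2_config on a config with both fixes applied (esp-md5-hmac and set transform-set vpn1) returns an empty list.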

New Member

Re: IPSEC PHASE 2 Problem

THANK YOU very much Joe,

That was the mistake, but see that the peer router is not a CISCO router; I have also set the lifetime for the two phases as it is set in the peer router, and the two phases are up now.

Thanks to CISCO for such a platform.

Cisco Employee

Re: IPSEC PHASE 2 Problem

Excellent! No problem glad I could help.
