ipsec site to site vpn help!!

I'm doing a site-to-site VPN for the first time, from an 891 to an RV 120 (GUI), but it doesn't connect. I'm thinking it might be my access list on the 891. The error that I get on the RV120 is:

2012-08-02 18:15:35: [rv120w][IKE] ERROR:  Phase 1 negotiation failed due to time up for xx.xx.xx.xx[500]. ea65b6c91b9e73de:0000000000000000
2012-08-02 18:16:11: [rv120w][IKE] INFO:  Configuration found for xx.xx.xx.xx.
2012-08-02 18:16:11: [rv120w][IKE] INFO:  Initiating new phase 1 negotiation: xx.xx.xx.xx[500]<=>xx.xx.xx.xx[500]
2012-08-02 18:16:11: [rv120w][IKE] INFO:  Beginning Identity Protection mode.
2012-08-02 18:16:11: [rv120w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
2012-08-02 18:16:11: [rv120w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4
2012-08-02 18:16:11: [rv120w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8
2012-08-02 18:16:11: [rv120w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9
2012-08-02 18:16:11: [rv120w][IKE] ERROR:  Ignore information because the message has no hash payload.
2012-08-02 18:16:42: [rv120w][IKE] ERROR:  Invalid SA protocol type: 0
2012-08-02 18:16:42: [rv120w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1.
2012-08-02 18:17:00: [rv120w][IKE] INFO:  accept a request to establish IKE-SA: 71.32.110.24
2012-08-02 18:17:00: [rv120w][IKE] WARNING:  schedular is already scheduled for SA creation for remote: "xx.xx.xx.xx"
2012-08-02 18:17:00: [rv120w][IKE] ERROR:  Failed to attach schedSaCreate in IKE configuraion

891 config

=====================================================

ip dhcp pool test
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 8.8.8.8 8.8.4.4
!
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
!
crypto isakmp policy 1
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key Testingkey address xx.xx.xx.xxx
!
!
crypto ipsec transform-set test1 ah-md5-hmac esp-3des
!
crypto map maptest1 2 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set test1
 match address 100
!
!
interface FastEthernet8
 description qwest connection
 no ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 crypto map maptest1
!
!
interface Vlan1
 description quest
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxx
 ppp chap password 0 xxxxxxxx
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark maptest1 category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 100 protocol ip permit

=======================================================================

19 REPLIES

ipsec site to site vpn help!!

Hello Manny,

Can you change the NAT configuration:

ip access-list extended nat

deny ip  10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

permit ip 10.10.10.0 0.0.0.255 any

no ip nat inside source list 1 interface Dialer1 overload

ip nat inside source list nat interface Dialer1 overload

Also, can you do the following on the router after you generate traffic for the VPN:

sh crypto isakmp sa

debug crypto isakmp

debug crypto ipsec

And provide us the results.

The configuration on the Remote site related to the VPN stuff will be a plus.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

ipsec site to site vpn help!!

NAT configuration changed... still not working. Thanks for the help.

891 router

==============================================

crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

xx.xx.xx.24    xx.xx.xx.134   QM_IDLE           2057 ACTIVE

IPv6 Crypto ISAKMP SA

==================================================

Re: ipsec site to site vpn help!!

Hi Manny,

Could you re-configure your IKE phase 1 and 2 policies on the 891 as below?

crypto isakmp policy 1

hash md5

no crypto ipsec transform-set test1 ah-md5-hmac esp-3des

crypto ipsec transform-set test1 esp-md5-hmac esp-3des

Sent from Cisco Technical Support iPhone App

Community Member

Re: ipsec site to site vpn help!!

Changes made but still nothing...

=========================

Current running config 891

crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key Testingkey address xx.xx.xx.134
!
!
crypto ipsec transform-set test1 esp-3des esp-md5-hmac
!
crypto map maptest1 2 ipsec-isakmp
 set peer xx.xx.xx.134
 set transform-set test1
 match address 100
!
interface FastEthernet8
 description qwest connection
 no ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 crypto map maptest1
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxx
 ppp chap password 0 xxxxxxx
!
ip nat inside source list nat interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended nat
 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark maptest1 category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 100 protocol ip permit

=============================

=========================================================

RV 120 log

2012-08-03 17:56:23: [rv120w][IKE] WARNING:  schedular is already scheduled for SA creation for remote: "xx.xx.xx.24"
2012-08-03 17:56:23: [rv120w][IKE] ERROR:  Failed to attach schedSaCreate in IKE configuraion
2012-08-03 17:56:52: [rv120w][IKE] INFO:  Configuration found for xx.xx.xx.24.
2012-08-03 17:56:52: [rv120w][IKE] INFO:  Initiating new phase 1 negotiation: xx.xx.xx.134[500]<=>xx.xx.xx.24[500]
2012-08-03 17:56:52: [rv120w][IKE] INFO:  Beginning Identity Protection mode.
2012-08-03 17:56:52: [rv120w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
2012-08-03 17:56:52: [rv120w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4
2012-08-03 17:56:52: [rv120w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8
2012-08-03 17:56:52: [rv120w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9
2012-08-03 17:56:52: [rv120w][IKE] ERROR:  Ignore information because the message has no hash payload.
2012-08-03 17:57:23: [rv120w][IKE] ERROR:  Invalid SA protocol type: 0
2012-08-03 17:57:23: [rv120w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1.
2012-08-03 17:57:37: [rv120w][IKE] INFO:  accept a request to establish IKE-SA: xx.xx.xx.24

===========================================================

ROUTER 891

sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

71.32.110.24    97.77.166.134   MM_NO_STATE          0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

-------------------------------------------------------

debug crypto isakmp

Crypto ISAKMP debugging is on

-------------------------------------------------------

debug crypto ipsec

Crypto IPSEC debugging is on

But nothing else comes out, and I don't know how to see the log on the 891 to see the errors.

Re: ipsec site to site vpn help!!

Hi Manny,

Could you do:

int f8

no crypto map maptest1

int d1

crypto map maptest1

clear crypto isakmp sa

Ping from an internal host/PC behind the 891 and post your results.

Sent from Cisco Technical Support iPhone App

Community Member

Re: ipsec site to site vpn help!!

Changes were made...

891 router

ping 192.168.1.1 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

-------------------------------------------------------------------

host

PING 192.168.1.1 (192.168.1.1): 56 data bytes

Request timeout for icmp_seq 0

Request timeout for icmp_seq 1

Request timeout for icmp_seq 2

Request timeout for icmp_seq 3

Request timeout for icmp_seq 4

Request timeout for icmp_seq 5

^C

--- 192.168.1.1 ping statistics ---

7 packets transmitted, 0 packets received, 100.0% packet loss

Thank you guys, I appreciate the help...

--------------------

sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

--------------------

interface Dialer1

ip address negotiated

ip mtu 1492

ip nat outside

ip virtual-reassembly

encapsulation ppp

ip tcp adjust-mss 1452

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname xxxxxxxxx

ppp chap password 0 xxxxxxxx

crypto map maptest1

----------------------

interface FastEthernet8

description qwest connection

no ip address

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

Re: ipsec site to site vpn help!!

Hi Manny,

Thanks for the update! Could you roll back your config and put back the crypto map under FE8 and post again your complete show run (hide sensitive info)?

Sent from Cisco Technical Support iPhone App

Community Member

Re: ipsec site to site vpn help!!

aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
service-module wlan-ap 0 bootimage autonomous
!
!
ip source-route
!
!
!
ip dhcp pool test
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 8.8.8.8 8.8.4.4
!
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key Testingkey address xx.xx.xx.134
!
!
crypto ipsec transform-set test1 esp-3des esp-md5-hmac
!
crypto map maptest1 2 ipsec-isakmp
 set peer xx.xx.xx.134
 set transform-set test1
 match address 100
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
 description qwest connection
 no ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 crypto map maptest1
!
interface GigabitEthernet0
 description roadrunner connection
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 no ip address
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
!
interface Vlan1
 description quest
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 description roadrunner
 no ip address
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxx
 ppp chap password 0 xxxxxx
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list nat interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended nat
 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark maptest1 category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 100 protocol ip permit
!
!
control-plane

Here is my current sh run... thanks John.

Re: ipsec site to site vpn help!!

Hi Manny,

Thanks for the update! I'm suspecting the issue might be on the RV router which hinders IKE phase 1 from establishing.

Could you check whether it has PFS (Perfect Forward Secrecy) enabled?

Sent from Cisco Technical Support iPhone App

Community Member

Re: ipsec site to site vpn help!!

Yes, it is enabled.

Re: ipsec site to site vpn help!!

Could you disable/uncheck it on the RV router and try to generate VPN traffic from internal hosts?

Sent from Cisco Technical Support iPhone App

Community Member

Re: ipsec site to site vpn help!!

John

It didn't work. Do I need to do something additional on the Cisco 891 router when I disable PFS on the RV router?

Re: ipsec site to site vpn help!!

Hi Manny,

Could you add this on the 891:

crypto isakmp policy 1

encryption 3des

Kindly perform VPN testing this time from behind the RV router by pinging from a host on the 192.168.1.0/24 subnet, and post the following results from the 891 router:

clear crypto isakmp sa

show crypto isakmp sa

debug crypto isakmp

Community Member

Re: ipsec site to site vpn help!!

Changes made...

---------------------------------------------------

RV router log

2012-08-08 16:12:33: [rv120w][IKE] INFO:  Configuration found for xx.xx.xx.24.

2012-08-08 16:12:33: [rv120w][IKE] INFO:  Initiating new phase 2 negotiation: xx.xx.xx.134[500]<=>xx.xx.xx.24[0]

2012-08-08 16:12:33: [rv120w][IKE] ERROR:  Unknown notify message from xx.xx.xx.24[500].No phase2 handle found.

2012-08-08 16:13:33: [rv120w][IKE] ERROR:  Phase 2 negotiation failed due to time up. 3ac11d27fb281bf1:6b11f2ee9470918b:e4bbd59c

2012-08-08 16:13:33: [rv120w][IKE] INFO:  an undead schedule has been deleted: 'quick_i1prep'.

-----------------------------------------------------------------------------

host 10.10.10.6

PING 192.168.1.100 (192.168.1.100): 56 data bytes

Request timeout for icmp_seq 0

Request timeout for icmp_seq 1

Request timeout for icmp_seq 2

Request timeout for icmp_seq 3

Request timeout for icmp_seq 4

Request timeout for icmp_seq 5

Request timeout for icmp_seq 6

----------------------------------------------------------------------------

cisco router

show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

xx.xx.xx.24    xx.xx.xx.134   QM_IDLE           2059 ACTIVE

IPv6 Crypto ISAKMP SA

#ping 192.168.1.1     

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

#ping 192.168.1.100

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

-----------------------------------------------------------------------------

host 192.168.1.100

Pinging 10.10.10.6 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 10.10.10.6:

Packets: Sent = 4, Received = 0, Lost = 4 (100% Loss),

-------------------------------------------------------------------------------

Crypto ISAKMP debugging is on

But nothing happens even if I ping while ISAKMP debugging is on... any suggestions on how I can see the debugging?

Re: ipsec site to site vpn help!!

Hi Manny,

You'll need to issue the 'terminal monitor' command in privilege exec if you're connected via Telnet. Do test again and post the requested show and debug output.

Sent from Cisco Technical Support iPhone App

Community Member

ipsec site to site vpn help!!

*Aug  8 17:56:28.646: ISAKMP:(2063):purging node -457497600
*Aug  8 17:56:29.838: ISAKMP (2063): received packet from xx.xx.xx.134 dport 500 sport 500 Global (R) QM_IDLE
*Aug  8 17:56:29.838: ISAKMP: set new node -589351332 to QM_IDLE
*Aug  8 17:56:29.838: ISAKMP:(2063): processing HASH payload. message ID = -589351332
*Aug  8 17:56:29.838: ISAKMP:(2063): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -589351332, sa = 0x86E939E0
*Aug  8 17:56:29.838: ISAKMP:(2063):deleting node -589351332 error FALSE reason "Informational (in) state 1"
*Aug  8 17:56:29.838: ISAKMP:(2063):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Aug  8 17:56:29.838: ISAKMP:(2063):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Aug  8 17:56:29.838: ISAKMP:(2063):DPD/R_U_THERE received from peer xx.xx.xx.134, sequence 0xAA2
*Aug  8 17:56:29.838: ISAKMP: set new node 681130243 to QM_IDLE
*Aug  8 17:56:29.838: ISAKMP:(2063):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2250945376, message ID = 681130243
*Aug  8 17:56:29.838: ISAKMP:(2063): seq. no 0xAA2
*Aug  8 17:56:29.838: ISAKMP:(2063): sending packet to xx.xx.xx.134 my_port 500 peer_port 500 (R) QM_IDLE
*Aug  8 17:56:29.838: ISAKMP:(2063):Sending an IKE IPv4 Packet.
*Aug  8 17:56:29.838: ISAKMP:(2063):purging node 681130243
*Aug  8 17:56:29.838: ISAKMP:(2063):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Aug  8 17:56:29.838: ISAKMP:(2063):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Aug  8 17:56:32.142: ISAKMP (2063): received packet from xx.xx.xx.134 dport 500 sport 500 Global (R) QM_IDLE
*Aug  8 17:56:32.142: ISAKMP: set new node -1197739227 to QM_IDLE
*Aug  8 17:56:32.142: ISAKMP:(2063): processing HASH payload. message ID = -1197739227
*Aug  8 17:56:32.142: ISAKMP:(2063): processing SA payload. message ID = -1197739227
*Aug  8 17:56:32.142: ISAKMP:(2063):Checking IPSec proposal 1
*Aug  8 17:56:32.142: ISAKMP: transform 1, ESP_3DES
*Aug  8 17:56:32.142: ISAKMP:   attributes in transform:
*Aug  8 17:56:32.142: ISAKMP:      SA life type in seconds
*Aug  8 17:56:32.142: ISAKMP:      SA life duration (basic) of 28800
*Aug  8 17:56:32.142: ISAKMP:      encaps is 1 (Tunnel)
*Aug  8 17:56:32.142: ISAKMP:      authenticator is HMAC-MD5
*Aug  8 17:56:32.142: ISAKMP:      group is 2
*Aug  8 17:56:32.142: ISAKMP:(2063):atts are acceptable.
*Aug  8 17:56:32.142: IPSEC(validate_proposal_request): proposal part #1
*Aug  8 17:56:32.142: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= xx.xx.xx.24:0, remote= xx.xx.xx.134:0,
    local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Aug  8 17:56:32.142: IPSEC(ipsec_process_proposal): invalid local address xx.xx.xx.24
*Aug  8 17:56:32.142: ISAKMP:(2063): IPSec policy invalidated proposal with error 8
*Aug  8 17:56:32.142: ISAKMP:(2063): phase 2 SA policy not acceptable! (local xx.xx.xx.24 remote xx.xx.xx.134)
*Aug  8 17:56:32.142: ISAKMP: set new node -1934182771 to QM_IDLE
*Aug  8 17:56:32.142: ISAKMP:(2063):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2250944296, message ID = -1934182771
*Aug  8 17:56:32.142: ISAKMP:(2063): sending packet to 97.77.166.134 my_port 500 peer_port 500 (R) QM_IDLE
*Aug  8 17:56:32.142: ISAKMP:(2063):Sending an IKE IPv4 Packet.
*Aug  8 17:56:32.142: ISAKMP:(2063):purging node -1934182771
*Aug  8 17:56:32.142: ISAKMP:(2063):deleting node -1197739227 error TRUE reason "QM rejected"
*Aug  8 17:56:32.142: ISAKMP:(2063):Node -1197739227, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Aug  8 17:56:32.142: ISAKMP:(2063):Old State = IKE_QM_READY  New State = IKE_QM_READY
*Aug  8 17:56:33.774: ISAKMP:(2063):purging node -1856223832
*Aug  8 17:56:35.322: ISAKMP (2063): received packet from xx.xx.xx.134 dport 500 sport 500 Global (R) QM_IDLE
*Aug  8 17:56:35.322: ISAKMP: set new node -685236136 to QM_IDLE
*Aug  8 17:56:35.322: ISAKMP:(2063): processing HASH payload. message ID = -685236136
*Aug  8 17:56:35.322: ISAKMP:(2063): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -685236136, sa = 0x86E939E0
*Aug  8 17:56:35.322: ISAKMP:(2063):deleting node -685236136 error FALSE reason "Informational (in) state 1"
*Aug  8 17:56:35.322: ISAKMP:(2063):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Aug  8 17:56:35.322: ISAKMP:(2063):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
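The debug output above contains the signatures that decide this thread: phase 1 reaches IKE_P1_COMPLETE, the peer's ESP_3DES/HMAC-MD5 proposal is accepted by ISAKMP, and then IPsec rejects it with "invalid local address" and a PROPOSAL_NOT_CHOSEN notify. The helper below is an added example, not code from Cisco or from anyone in this thread: it reads both the RV120's [IKE] log lines and the 891's debug crypto isakmp/ipsec lines, collects those signatures, and derives the next check to make. The sample lines are constructed from the messages posted in this thread with the public addresses masked, and the hint texts are my reading of those signatures.

```python
"""Triage the IKEv1 output posted in this thread: RV120 '[IKE]' log lines and
IOS 'debug crypto isakmp' / 'debug crypto ipsec' lines.  Added example, not
Cisco's code or the posters'; sample lines are constructed from the thread
with the public addresses masked."""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IkeTriage:
    phase1_complete: bool = False                 # IOS reached IKE_P1_COMPLETE
    phase2_rejected: bool = False                 # IOS sent PROPOSAL_NOT_CHOSEN / "QM rejected"
    invalid_local_address: Optional[str] = None   # address IOS refused for the IPsec SA
    pfs_group: Optional[str] = None               # DH group the peer asked for in phase 2
    peer_transforms: List[str] = field(default_factory=list)  # cipher/HMAC the peer offered
    rv_errors: List[str] = field(default_factory=list)        # RV120 ERROR messages
    hints: List[str] = field(default_factory=list)            # what to check next


# Signatures that appear in the thread's output.
P1_COMPLETE = re.compile(r"New State = IKE_P1_COMPLETE")
BAD_LOCAL = re.compile(r"invalid local address (\S+)")
QM_REJECT = re.compile(r'PROPOSAL_NOT_CHOSEN|reason "QM rejected"')
TRANSFORM = re.compile(r"ISAKMP:\s+transform \d+, (\S+)")
AUTHENTICATOR = re.compile(r"authenticator is (\S+)")
PFS_GROUP = re.compile(r"group is (\d+)")
RV_ERROR = re.compile(r"\[IKE\] ERROR:\s+(.+)")


def triage(lines):
    """Collect the signatures from an iterable of log lines and derive hints."""
    t = IkeTriage()
    for line in lines:
        if P1_COMPLETE.search(line):
            t.phase1_complete = True
        if m := BAD_LOCAL.search(line):
            t.invalid_local_address = m.group(1)
        if QM_REJECT.search(line):
            t.phase2_rejected = True
        if m := TRANSFORM.search(line):
            t.peer_transforms.append(m.group(1))
        if m := AUTHENTICATOR.search(line):
            t.peer_transforms.append(m.group(1))
        if m := PFS_GROUP.search(line):
            t.pfs_group = m.group(1)
        if m := RV_ERROR.search(line):
            t.rv_errors.append(m.group(1).strip())

    # Turn the observations into the next check a practitioner would make.
    if t.invalid_local_address:
        t.hints.append(
            f"IPsec SA rejected: {t.invalid_local_address} is not the address of the "
            "interface the crypto map is bound to. On PPPoE the crypto map belongs on "
            "the Dialer interface, not the physical Ethernet (the fix in this thread).")
    elif t.phase2_rejected:
        t.hints.append("Phase 2 proposal rejected: compare transform sets (ESP vs AH, "
                       "cipher, HMAC) and the crypto ACLs on both peers.")
    if t.pfs_group:
        t.hints.append(f"Peer proposed PFS with DH group {t.pfs_group}: check that the "
                       "crypto map's 'set pfs' setting matches what the peer expects.")
    if not t.phase1_complete and any("Phase 1 negotiation failed" in e for e in t.rv_errors):
        t.hints.append("Phase 1 never completed: check that encryption, hash, DH group, "
                       "authentication and the pre-shared key match on both peers, and "
                       "that UDP/500 reaches the 891's WAN address.")
    return t


# Constructed samples (taken from the thread, addresses masked).
IOS_DEBUG_SAMPLE = """\
*Aug  8 17:56:29.838: ISAKMP:(2063):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Aug  8 17:56:32.142: ISAKMP:(2063):Checking IPSec proposal 1
*Aug  8 17:56:32.142: ISAKMP: transform 1, ESP_3DES
*Aug  8 17:56:32.142: ISAKMP:      authenticator is HMAC-MD5
*Aug  8 17:56:32.142: ISAKMP:      group is 2
*Aug  8 17:56:32.142: IPSEC(ipsec_process_proposal): invalid local address xx.xx.xx.24
*Aug  8 17:56:32.142: ISAKMP:(2063):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
*Aug  8 17:56:32.142: ISAKMP:(2063):deleting node -1197739227 error TRUE reason "QM rejected"
""".splitlines()

RV120_LOG_SAMPLE = """\
2012-08-02 18:15:35: [rv120w][IKE] ERROR:  Phase 1 negotiation failed due to time up for xx.xx.xx.xx[500]. ea65b6c91b9e73de:0000000000000000
2012-08-02 18:16:11: [rv120w][IKE] INFO:  Initiating new phase 1 negotiation: xx.xx.xx.xx[500]<=>xx.xx.xx.xx[500]
2012-08-02 18:16:42: [rv120w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1.
""".splitlines()

if __name__ == "__main__":
    for name, sample in (("891 debug", IOS_DEBUG_SAMPLE), ("RV120 log", RV120_LOG_SAMPLE)):
        result = triage(sample)
        print(f"== {name}: phase1_complete={result.phase1_complete}, "
              f"peer_transforms={result.peer_transforms}")
        for hint in result.hints:
            print("  -", hint)
```

Run it against a saved copy of the debug output (one line per list element); the "invalid local address" branch is the one that matches the 891 output above, which is why the reply that follows moves the crypto map from FastEthernet8 to Dialer1.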

Re: ipsec site to site vpn help!!

Hi Manny,

Thanks for the debug output! I believe we're making some progress and were able to establish IKE phase 1. The problem now is to establish the IPsec SA, or IKE phase 2. Could you do the following one more time and post the results?

int f8

no crypto map maptest1

int d1

crypto map maptest1

clear crypto sa

debug crypto isakmp

debug crypto ipsec

show crypto isakmp sa

show crypto ipsec sa

Sent from Cisco Technical Support iPhone App

Community Member

ipsec site to site vpn help!!

It's working... I wonder why it didn't work the last time we did

int f8

no crypto map maptest1

int d1

crypto map maptest1

It worked with PFS enabled... maybe it was the

crypto isakmp policy 1

encryption 3des

Thanks everyone for the help... Thank you John.

ipsec site to site vpn help!!

Hi Manny,

Thanks for the update and nice rating! I'm glad it's finally resolved.

Let me dissect how your IPsec VPN connection was resolved. For IKE phase 1, your RV router is using MD5 hashing and we need to specify the same on the 891, since the default is SHA-1. I thought 3DES was the default, but it's probably a different encryption type on the 891, so we need to hardcode that:

crypto isakmp policy 1

encryption 3des

hash md5

For IKE phase 2, both devices were using different encryption and hashing for the transform set, so we've fixed that also. The 891 doesn't have PFS or additional DH key exchange enabled, so we need to disable that on the RV router.

crypto ipsec transform-set test1 esp-3des esp-md5-hmac

crypto map maptest1 2 ipsec-isakmp

set peer xx.xx.xx.134

set transform-set test1

match address 100

Lastly, based on the 891 debug, the IPsec SA wasn't forming due to a crypto map that was applied on the wrong WAN interface. It should be applied on the dialer interface.

*Aug 8 17:56:32.142: IPSEC(ipsec_process_proposal): invalid local address xx.xx.xx.24

I would also give credit to jcarvaja for the initial amendment of the NAT and crypto ACL (+5 for him).
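The closing post boils the fix down to making both peers propose the same thing, and most of the mismatches came from settings the 891 policy never set explicitly. As an added example (not Cisco's code and not from anyone in this thread), the script below parses the 891's crypto isakmp policy, transform set and crypto map, fills in the IOS IKEv1 defaults for whatever the policy leaves unset (DES, SHA-1, RSA signatures, DH group 1), and compares the result with the RV120 proposal as the thread reports it (3DES, MD5, pre-shared key, DH group 2, PFS on or off). The two configuration excerpts are taken from this thread; the RV120_PROPOSAL dict and the parsing of PFS from the crypto map are my assumptions about how to represent the peer side.

```python
"""Policy-mismatch checker for the IKEv1 site-to-site setup in this thread.
Added example, not Cisco's or the posters' code.  The config excerpts are
from the thread; the peer proposal is the one the thread's closing post
describes, with PFS as a toggle."""

# Values IOS applies when a 'crypto isakmp policy' does not set them.
IOS_ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha",
                       "authentication": "rsa-sig", "group": "1"}

# Peer proposal as described in the thread (assumption: represented this way).
RV120_PROPOSAL = {
    "phase1": {"encryption": "3des", "hash": "md5",
               "authentication": "pre-share", "group": "2"},
    "phase2": frozenset({"esp-3des", "esp-md5-hmac"}),
    "pfs": True,
}


def parse_isakmp_policy(config, number=1):
    """Effective phase-1 policy plus the set of keys the config set explicitly."""
    policy, explicit, in_policy = dict(IOS_ISAKMP_DEFAULTS), set(), False
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue                       # forum pastes are double-spaced
        if words[:3] == ["crypto", "isakmp", "policy"]:
            in_policy = words[3:] == [str(number)]
        elif in_policy and words[0] in IOS_ISAKMP_DEFAULTS:
            policy[words[0]] = words[1]
            explicit.add(words[0])
        elif in_policy and words[0] == "lifetime":
            policy["lifetime"] = words[1]
        else:
            in_policy = False              # '!' or any other command ends the block
    return policy, explicit


def parse_transform_set(config, name):
    """Transforms listed on 'crypto ipsec transform-set NAME ...'."""
    for raw in config.splitlines():
        words = raw.split()
        if words[:3] == ["crypto", "ipsec", "transform-set"] and words[3:4] == [name]:
            return frozenset(words[4:])
    return frozenset()


def crypto_map_has_pfs(config, name):
    """True when the ipsec-isakmp crypto map entry carries 'set pfs'."""
    in_map = False
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[:2] == ["crypto", "map"]:
            in_map = words[2:3] == [name] and "ipsec-isakmp" in words
        elif in_map and words[:2] == ["set", "pfs"]:
            return True
        elif in_map and words[0] not in ("set", "match", "description"):
            in_map = False
    return False


def find_mismatches(config, peer, policy_number=1, transform_set="test1", crypto_map="maptest1"):
    """List every phase-1, phase-2 and PFS difference between the IOS side and the peer."""
    policy, explicit = parse_isakmp_policy(config, policy_number)
    problems = []
    for key, peer_value in peer["phase1"].items():
        if policy[key] != peer_value:
            origin = "explicit" if key in explicit else "IOS default"
            problems.append(f"phase1 {key}: local {policy[key]} ({origin}) vs peer {peer_value}")
    local_ts = parse_transform_set(config, transform_set)
    if local_ts != peer["phase2"]:
        problems.append(f"phase2 transform-set {transform_set}: local {sorted(local_ts)} "
                        f"vs peer {sorted(peer['phase2'])}")
    local_pfs = crypto_map_has_pfs(config, crypto_map)
    if local_pfs != peer["pfs"]:
        problems.append(f"pfs: crypto map {crypto_map} has {'set pfs' if local_pfs else 'no set pfs'}, "
                        f"peer PFS {'enabled' if peer['pfs'] else 'disabled'}")
    return problems


# Crypto sections of the 891 as first posted and as finally working (from the thread).
ORIGINAL_891 = """
crypto isakmp policy 1
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key Testingkey address xx.xx.xx.xxx
!
crypto ipsec transform-set test1 ah-md5-hmac esp-3des
!
crypto map maptest1 2 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set test1
 match address 100
"""

FIXED_891 = """
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key Testingkey address xx.xx.xx.134
!
crypto ipsec transform-set test1 esp-3des esp-md5-hmac
!
crypto map maptest1 2 ipsec-isakmp
 set peer xx.xx.xx.134
 set transform-set test1
 match address 100
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_891), ("fixed", FIXED_891)):
        print(f"== {label}:", find_mismatches(cfg, RV120_PROPOSAL) or "no mismatches")
```

Against the first-posted config it reports the two phase-1 defaults (DES and SHA-1) that the RV120's 3DES/MD5 proposal does not match, the AH-based transform set, and PFS; against the final config only the PFS difference remains, which is consistent with the thread's last exchange about disabling PFS on the RV side.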
