10-20-2010 04:05 PM
This is the fifth router that has been set up to work with a remote firewall for VPN service. All five routers have the exact same crypto configurations except for the IP differences. The remote firewall has the same settings for each router except for IP differences.
One router refuses to complete phase 1 for no discernible reason. It finds the peer with the pre-shared key. It accepts the attributes and then fails to make an SA. The remote firewall's logs just say the peer timed out. The only thing I see in debug is major 25 mismatch, major 237 mismatch, etc. What do the major mismatch debug lines mean?
Here is a sample of the debug:
processing vendor id payload
vendor ID seems Unity/DPD but major 38 mismatch
processing vendor id payload
vendor ID seems Unity/DPD but major 215 mismatch
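For readers wondering what those debug lines are looking at: an ISAKMP Vendor ID payload (payload type 13) is a generic payload header (next-payload, reserved, length) followed by an opaque identifier. The 16-byte identifiers for Dead Peer Detection (RFC 3706, AFCAD71368A1F1C96B8696FC77570100) and Cisco Unity (12F5F28C457168A9702D9FE274CC0100) both end in a major/minor version pair, 0x01 0x00. The following is an added example, not code from the thread or from Cisco: it walks a payload chain, reports known VIDs, and, as an assumption about the debug's heuristic, reports any other 16-byte VID with its byte 14 as "major N mismatch". The sample chain is constructed; the two unknown IDs are made up so that their byte 14 is 38 and 215 like the lines above, which shows the message simply reflects a vendor ID the router does not recognise.

```python
import struct

# ISAKMP "next payload" values (RFC 2408): 0 = none, 13 = Vendor ID
NP_NONE = 0
NP_VID = 13

# 16-byte vendor IDs whose last two bytes are a major/minor version (1.0):
# RFC 3706 Dead Peer Detection and Cisco Unity.
KNOWN_VIDS = {
    bytes.fromhex("AFCAD71368A1F1C96B8696FC77570100"): "DPD",
    bytes.fromhex("12F5F28C457168A9702D9FE274CC0100"): "Unity",
}


def build_payload(next_type, body):
    """Wrap a body in a generic ISAKMP payload header (next, reserved, length)."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def walk_payloads(data, first_type):
    """Yield (type, body) for a chain of generic payloads; first_type is the
    type of the first payload, as announced by the header that precedes it."""
    offset, ptype = 0, first_type
    while ptype != NP_NONE:
        if offset + 4 > len(data):
            raise ValueError("truncated payload header")
        next_type, _reserved, length = struct.unpack_from("!BBH", data, offset)
        if length < 4 or offset + length > len(data):
            raise ValueError(f"bad payload length {length} at offset {offset}")
        yield ptype, data[offset + 4:offset + length]
        offset += length
        ptype = next_type
    if offset != len(data):
        raise ValueError("trailing bytes after last payload")


def classify_vid(vid):
    """Describe one vendor ID body in the style of the IOS debug lines.
    Assumption (not Cisco's documented logic): a 16-byte VID that is not an
    exact known match is reported with byte 14, the major-version position."""
    if vid in KNOWN_VIDS:
        return f"vendor ID is {KNOWN_VIDS[vid]} v{vid[14]}.{vid[15]}"
    if len(vid) == 16:
        return f"vendor ID seems Unity/DPD but major {vid[14]} mismatch"
    return f"vendor ID of {len(vid)} bytes not recognised"


def debug_vendor_ids(data, first_type=NP_VID):
    """Return the debug lines a chain of Vendor ID payloads would produce."""
    lines = []
    for ptype, body in walk_payloads(data, first_type):
        if ptype == NP_VID:
            lines.append("processing vendor id payload")
            lines.append(classify_vid(body))
    return lines


# Constructed sample: a genuine DPD VID followed by two made-up third-party
# 16-byte VIDs whose byte 14 is 38 and 215, matching the thread's debug.
SAMPLE_CHAIN = (
    build_payload(NP_VID, bytes.fromhex("AFCAD71368A1F1C96B8696FC77570100"))
    + build_payload(NP_VID, bytes.fromhex("00112233445566778899AABBCCDD2600"))
    + build_payload(NP_NONE, bytes.fromhex("00112233445566778899AABBCCDDD700"))
)

if __name__ == "__main__":
    for line in debug_vendor_ids(SAMPLE_CHAIN):
        print(line)
```

The takeaway is that these lines are informational: they name an unrecognised vendor ID on the peer's proposal and do not by themselves explain a phase 1 timeout, which the thread's resolution (a routing problem) bears out.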
10-20-2010 05:49 PM
Is the remote firewall a Cisco firewall or other vendor firewall?
Also, are all the 5 routers running the same version of IOS?
Can you share the configuration, please?
10-27-2010 07:23 AM
The remote device is not a Cisco router/firewall.
All the routers are 1841s running the same IOS. They were all purchased at the same time even.
These are the crypto settings that all the routers have:
crypto isakmp policy 30
encr aes 256
hash sha
authentication pre-share
group 2
lifetime 28800
crypto isakmp key ######### address 96.57.xxx.xxx
!
!
crypto ipsec transform-set VPNAES256 esp-aes 256 esp-sha-hmac
!
crypto map to_vpn 15 ipsec-isakmp
set peer 96.57.xxx.xxx
set transform-set VPNAES256
match address VPNCFC
ip access-list extended NAT
deny ip 192.168.2.0 0.0.0.255 10.11.0.0 0.0.255.255
deny ip 172.18.31.0 0.0.0.255 10.11.0.0 0.0.255.255
deny ip 172.18.31.0 0.0.0.255 192.168.254.0 0.0.0.255
permit ip 172.18.31.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended VPNCFC
permit ip 172.18.31.0 0.0.0.255 192.168.254.0 0.0.0.255
The only difference between this router and the ones that work is this router has a bunch of static NATs. However, the only static NAT attached to the WAN interface is using TCP port 100 only.
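Because this post mentions static NATs, the thing a reviewer would check first in the configuration above is NAT exemption: every flow the crypto ACL (VPNCFC) selects for the tunnel must hit a deny in the NAT ACL before any permit, otherwise the router translates it and it never matches the crypto map. The following is an added example, not code from the thread or from Cisco: it parses IOS extended ACL lines with Python's ipaddress module (a wildcard after the slash is read as a hostmask) and, for each crypto-ACL permit, finds the first NAT ACL entry that matches in top-down order. NAT_ACL and CRYPTO_ACL are the lines posted above; NAT_ACL_MISSING_DENY is a constructed negative case with the exemption line removed.

```python
import ipaddress

# ACLs as posted in the thread (the header lines are ignored by the parser)
NAT_ACL = """
ip access-list extended NAT
deny ip 192.168.2.0 0.0.0.255 10.11.0.0 0.0.255.255
deny ip 172.18.31.0 0.0.0.255 10.11.0.0 0.0.255.255
deny ip 172.18.31.0 0.0.0.255 192.168.254.0 0.0.0.255
permit ip 172.18.31.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
"""
CRYPTO_ACL = """
ip access-list extended VPNCFC
permit ip 172.18.31.0 0.0.0.255 192.168.254.0 0.0.0.255
"""
# Constructed negative case: the same NAT ACL without the exemption entry
NAT_ACL_MISSING_DENY = NAT_ACL.replace(
    "deny ip 172.18.31.0 0.0.0.255 192.168.254.0 0.0.0.255\n", "")


def _take_address(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) from tokens."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    # ipaddress treats a mask whose first octet is zero as a hostmask, which
    # is exactly an IOS wildcard; non-contiguous wildcards raise ValueError.
    net = ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_extended_acl(text):
    """Return [(action, protocol, src_net, dst_net)] in ACL order."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("permit", "deny"):
            continue  # 'ip access-list extended NAME' header, remarks, blanks
        action, proto = parts[0], parts[1]
        src, rest = _take_address(parts[2:])
        dst, _rest = _take_address(rest)
        entries.append((action, proto, src, dst))
    return entries


def check_nat_exemption(crypto_entries, nat_entries):
    """For every crypto-ACL permit, find the first NAT ACL entry matching the
    flow (IOS evaluates ACLs top-down, first match wins) and report it unless
    it is a deny covering the whole source/destination pair. No matching NAT
    entry means the implicit deny applies, so the flow is not translated."""
    problems = []
    for action, _proto, src, dst in crypto_entries:
        if action != "permit":
            continue
        problem = None
        for n_action, _p, n_src, n_dst in nat_entries:
            if not (n_src.overlaps(src) and n_dst.overlaps(dst)):
                continue
            covers = n_src.supernet_of(src) and n_dst.supernet_of(dst)
            if n_action == "permit":
                problem = f"translated by 'permit {n_src} {n_dst}' before any deny"
            elif not covers:
                problem = f"only partly exempted by 'deny {n_src} {n_dst}'"
            break
        if problem:
            problems.append(f"{src} -> {dst}: {problem}")
    return problems


if __name__ == "__main__":
    crypto = parse_extended_acl(CRYPTO_ACL)
    print("posted config:", check_nat_exemption(crypto, parse_extended_acl(NAT_ACL)) or "OK")
    print("missing deny:", check_nat_exemption(crypto, parse_extended_acl(NAT_ACL_MISSING_DENY)))
```

On the posted ACLs the check passes (the third deny covers the VPNCFC flow before the broad permit), which is consistent with the eventual finding that the fault was routing rather than NAT.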
10-28-2010 05:24 AM
Do you mind sharing the router's config?
You also mention that it found the pre-shared key; can you please share the output of "show cry isa sa"?
10-28-2010 09:37 AM
I'm a moron. Thanks to your suggestion of posting the full config, I found the problem. It was a routing issue. Thanks for the help.