- Cisco Community
- Technology and Support
- Security
- VPN
- Not able to estabislt phase1 of site-to-site VPN
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-16-2014 10:12 AM
Hi Experts,
Site-B(router)------Modem------Internet--------Site-A(router)
I'm trying to create a Ipsec Site-to-stie VPN between cisco2900 & cisco 861 and below is the scenario. kindly find the connectivity diagram in attached files.
The issue is there is a modem provided by ISP on Site-B and cisco 861 router is connected back to that modem and the connection is given through RJ11 and there is no ADSL port available on Site-B router.
Based on above mentioned scenario here is config
Site B:-
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key CITDENjan2014 address 80.227.xx.xx
crypto ipsec transform-set ETH-to-Dxb esp-3des esp-md5-hmac
mode tunnel
crypto map VPN 1 ipsec-isakmp
set peer 80.227.xx.xx
set transform-set ETH-to-Dxb
match address 110
interface fa 4
ip address 192.168.1.254 255.255.255.0
crypto map VPN
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip access-list ext 110
permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
Kindly find screenshots of ADSL modem for below information
Configuration on LAN interface of ADSL modem with dual ip address
i have done port forwarding on modem, though i haven't done port forwarding before so i'm not sure it's correct or not.
Site-A router Config:-
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key CITDENjan2014 address 197.156.xx.xx
crypto ipsec transform-set Dxb-to-ETH esp-3des esp-md5-hmac
mode tunnel
crypto map Dxb-to-Nigeria 20 ipsec-isakmp
set peer 197.156.xx.xx
set transform-set Dxb-to-ETH
match address 120
interface GigabitEthernet0/1
ip address 80.227.xx.xx 255.255.255.252
crypto map Dxb-to-Nigeria
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
route-map SDM_RMAP_1 permit 1
match ip address 101
Logs on Site-B router:-
*Apr 16 13:02:06.735: ISAKMP (0): received packet from 80.227.xx.xx dport 500 sport 1 Global (N) NEW SA
*Apr 16 13:02:06.735: ISAKMP: Created a peer struct for 80.227.xx.xx, peer port 1
*Apr 16 13:02:06.735: ISAKMP: New peer created peer = 0x886B0310 peer_handle = 0x8000001D
*Apr 16 13:02:06.735: ISAKMP: Locking peer struct 0x886B0310, refcount 1 for crypto_isakmp_process_block
*Apr 16 13:02:06.735: ISAKMP: local port 500, remote port 1
*Apr 16 13:02:06.735: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 88776A88
*Apr 16 13:02:06.735: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 16 13:02:06.735: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Apr 16 13:02:06.735: ISAKMP:(0): processing SA payload. message ID = 0
*Apr 16 13:02:06.735: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.735: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Apr 16 13:02:06.735: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Apr 16
ETH-CIT# 13:02:06.735: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.735: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Apr 16 13:02:06.739: ISAKMP (0): vendor ID is NAT-T v7
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v3
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v2
*Apr 16 13:02:06.739: ISAKMP:(0):found peer pre-shared key matching 80.227.xx.xx
*Apr 16 13:02:06.739: ISAKMP:(0): local preshared key found
*Apr 16 13:02:06.739: ISAKMP : Scanning profiles for xauth ...
*Apr 16 13:02:06.739: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Apr 16 13:02:06.739: ISAKMP: encryption 3DES-CBC
*Apr 16 13:02:06.739: ISAKMP: hash MD5
*Apr 16 13:02:06.739: ISAKMP: default group 2
*Apr 16 13:02:06.739: ISAKMP: auth pre-share
*Apr 16 13:02:06.739: ISAKMP: life type in seconds
*Apr 16 13:02:06.739: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Apr 16 13:02:06.739: ISAKMP:(0):atts are acceptable. Next payload is 0
*Apr 16 13:02:06.739: ISAKMP:(0):Acceptable atts:actual life: 0
*Apr 16 13:02:06.739: ISAKMP:(0):Acceptable atts:life: 0
*Apr 16 13:02:06.739: ISAKMP:(0):Fill atts in sa vpi_length:4
*Apr 16 13:02:06.739: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Apr 16 13:02:06.739: ISAKMP:(0):Returning Actual lifetime: 86400
*Apr 16 13:02:06.739: ISAKMP:(0)::Started lifetime timer: 86400.
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Apr 16 13:02:06.739: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Apr 16 13:02:06.739: ISAKMP (0): vendor ID is NAT-T v7
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v3
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v2
*Apr 16 13:02:06.739: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 16 13:02:06.739: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Apr 16 13:02:06.739: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Apr 16 13:02:06.739: ISAKMP:(0): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_SA_SETUP
*Apr 16 13:02:06.739: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 16 13:02:06.739: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 16 13:02:06.739: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Apr 16 13:02:06.995: ISAKMP (0): received packet from 80.227.xx.xx dport 500 sport 1 Global (R) MM_SA_SETUP
*Apr 16 13:02:06.995: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 16 13:02:06.999: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Apr 16 13:02:06.999: ISAKMP:(0): processing KE payload. message ID = 0
*Apr 16 13:02:07.027: ISAKMP:(0): processing NONCE payload. message ID = 0
*Apr 16 13:02:07.027: ISAKMP:(0):found peer pre-shared key matching 80.227.xx.xx
*Apr 16 13:02:07.027: ISAKMP:(2028): processing vendor id payload
*Apr 16 13:02:07.027: ISAKMP:(2028): vendor ID is DPD
*Apr 16 13:02:07.027: ISAKMP:(2028): processing vendor id payload
*Apr 16 13:02:07.027: ISAKMP:(2028): speaking to another IOS box!
*Apr 16 13:02:07.027: ISAKMP:(2028): processing vendor id payload
*Apr 16 13:02:07.027: ISAKMP:(2028): vendor ID seems Unity/DPD but major 241 mismatch
*Apr 16 13:02:07.027: ISAKMP:(2028): vendor ID is XAUTH
*Apr 16 13:02:07.027: ISAKMP:received payload type 20
*Apr 16 13:02:07.027: ISAKMP (2028): NAT found, both nodes inside NAT
*Apr 16 13:02:07.027: ISAKMP:received payload type 20
*Apr 16 13:02:07.027: ISAKMP (2028): NAT found, both nodes inside NAT
*Apr 16 13:02:07.027: ISAKMP:(2028):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 16 13:02:07.027: ISAKMP:(2028):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Apr 16 13:02:07.027: ISAKMP:(2028): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_KEY_EXCH
*Apr 16 13:02:07.027: ISAKMP:(2028):Sending an IKE IPv4 Packet.
*Apr 16 13:02:07.027: ISAKMP:(2028):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 16 13:02:07.027: ISAKMP:(2028):Old State = IKE_R_MM3 New State = IKE_R_MM4
ETH-CIT#
ETH-CIT#
*Apr 16 13:02:17.027: ISAKMP:(2028): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:02:17.027: ISAKMP (2028): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 16 13:02:17.027: ISAKMP:(2028): retransmitting phase 1 MM_KEY_EXCH
*Apr 16 13:02:17.027: ISAKMP:(2028): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_KEY_EXCH
*Apr 16 13:02:17.027: ISAKMP:(2028):Sending an IKE IPv4 Packet.
Logs on Site-A router:-
*Apr 16 13:15:28.109: ISAKMP (1263): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:15:28.109: ISAKMP:(1263): phase 1 packet is a duplicate of a previous packet.
*Apr 16 13:15:28.109: ISAKMP:(1263): retransmitting due to retransmit phase 1
*Apr 16 13:15:28.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:15:28.609: ISAKMP (1263): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Apr 16 13:15:28.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH
*Apr 16 13:15:28.609: ISAKMP:(1263): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:15:28.609: ISAKMP:(1263):Sending an IKE IPv4 Packet.
DXB-CIT#
*Apr 16 13:15:38.109: ISAKMP (1263): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:15:38.109: ISAKMP:(1263): phase 1 packet is a duplicate of a previous packet.
*Apr 16 13:15:38.109: ISAKMP:(1263): retransmitting due to retransmit phase 1
*Apr 16 13:15:38.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:15:38.609: ISAKMP (1263): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Apr 16 13:15:38.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH
*Apr 16 13:15:38.609: ISAKMP:(1263): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:15:38.609: ISAKMP:(1263):Sending an IKE IPv4 Packet.
DXB-CIT#
*Apr 16 13:15:47.593: ISAKMP: set new node 0 to QM_IDLE
*Apr 16 13:15:47.593: ISAKMP:(1263):SA is still budding. Attached new ipsec request to it. (local 80.227.xx.xx, remote 197.156.xx.xx)
*Apr 16 13:15:47.593: ISAKMP: Error while processing SA request: Failed to initialize SA
*Apr 16 13:15:47.593: ISAKMP: Error while processing KMI message 0, error 2.
*Apr 16 13:15:48.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:15:48.609: ISAKMP:(1263):peer does not do paranoid keepalives.
*Apr 16 13:15:48.609: ISAKMP:(1263):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 197.156.xx.xx)
*Apr 16 13:15:48.609: ISAKMP:(1263):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 197.156.xx.xx)
*Apr 16 13:15:48.609: ISAKMP: Unlocking peer struct 0x23193AD4 for isadb_mark_sa_deleted(), count 0
*Apr 16 13:15:48.609: ISAKMP: Deleting peer node by peer_reap for 197.156.xx.xx: 23193AD4
DXB-CIT#
DXB-CIT#
*Apr 16 13:15:48.609: ISAKMP:(1263):deleting node 1134682361 error FALSE reason "IKE deleted"
*Apr 16 13:15:48.609: ISAKMP:(1263):deleting node 680913363 error FALSE reason "IKE deleted"
*Apr 16 13:15:48.609: ISAKMP:(1263):deleting node 1740991762 error FALSE reason "IKE deleted"
*Apr 16 13:15:48.609: ISAKMP:(1263):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Apr 16 13:15:48.609: ISAKMP:(1263):Old State = IKE_I_MM5 New State = IKE_DEST_SA
DXB-CIT#
DXB-CIT#shoc cry
DXB-CIT#sho cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
197.156.xx.xx 80.227.xx.xx MM_NO_STATE 1263 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
*Apr 16 13:16:17.593: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 80.227.xx.xx:0, remote= 197.156.xx.xx:0,
local_proxy= 192.168.10.0/255.255.255.0/256/0,
remote_proxy= 192.168.1.0/255.255.255.0/256/0
*Apr 16 13:16:17.609: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 80.227.xx.xx:500, remote= 197.156.xx.xx:500,
local_proxy= 192.168.10.0/255.255.255.0/256/0,
remote_proxy= 192.168.1.0/255.255.255.0/256/0,
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Apr 16 13:16:17.609: ISAKMP:(0): SA request profile is (NULL)
*Apr 16 13:16:17.609: ISAKMP: Created a peer struct for 197.156.xx.xx, peer port 500
*Apr 16 13:16:17.609: ISAKMP: New peer created peer = 0x23193AD4 peer_handle = 0x80001862
*Apr 16 13:16:17.609: ISAKMP: Locking peer struct 0x23193AD4, refcount 1 for isakmp_initiator
*Apr 16 13:16:17.609: ISAKMP: local port 500, remote port 500
*Apr 16 13:16:17.609: ISAKMP: set new node 0 to QM_IDLE
*Apr 16 13:16:17.609: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 270A2FD0
*Apr 16 13:16:17.609: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Apr 16 13:16:17.609: ISAKMP:(0):found peer pre-shared key matching 197.156.xx.xx
*Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Apr 16 13:16:17.609: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Apr 16 13:16:17.609: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Apr 16 13:16:17.609: ISAKMP:(0): beginning Main Mode exchange
*Apr 16 13:16:17.609: ISAKMP:(0): sending packet to 197.156.xx.xx my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 16 13:16:17.609: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 16 13:16:17.865: ISAKMP (0): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_NO_STATE
*Apr 16 13:16:17.865: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 16 13:16:17.865: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Apr 16 13:16:17.865: ISAKMP:(0): processing SA payload. message ID = 0
*Apr 16 13:16:17.869: ISAKMP:(0): processing vendor id payload
*Apr 16 13:16:17.869: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Apr 16 13:16:17.869: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Apr 16 13:16:17.869: ISAKMP:(0):found peer pre-shared key matching 197.156.xx.xx
*Apr 16 13:16:17.869: ISAKMP:(0): local preshared key found
*Apr 16 13:16:17.869: ISAKMP : Scanning profiles for xauth ... ciscocp-ike-profile-1
*Apr 16 13:16:17.869: ISAKMP:(0): Authentication by xauth preshared
*Apr 16 13:16:17.869: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Apr 16 13:16:17.869: ISAKMP: encryption 3DES-CBC
*Apr 16 13:16:17.869: ISAKMP: hash MD5
*Apr 16 13:16:17.869: ISAKMP: default group 2
*Apr 16 13:16:17.869: ISAKMP: auth pre-share
*Apr 16 13:16:17.869: ISAKMP: life type in seconds
*Apr 16 13:16:17.869: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Apr 16 13:16:17.869: ISAKMP:(0):atts are acceptable. Next payload is 0
*Apr 16 13:16:17.869: ISAKMP:(0):Acceptable atts:actual life: 0
*Apr 16 13:16:17.869: ISAKMP:(0):Acceptable atts:life: 0
*Apr 16 13:16:17.869: ISAKMP:(0):Fill atts in sa vpi_length:4
*Apr 16 13:16:17.869: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Apr 16 13:16:17.869: ISAKMP:(0):Returning Actual lifetime: 86400
*Apr 16 13:16:17.869: ISAKMP:(0)::Started lifetime timer: 86400.
*Apr 16 13:16:17.869: ISAKMP:(0): processing vendor id payload
*Apr 16 13:16:17.869: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Apr 16 13:16:17.869: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Apr 16 13:16:17.869: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 16 13:16:17.869: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Apr 16 13:16:17.869: ISAKMP:(0): sending packet to 197.156.xx.xx my_port 500 peer_port 500 (I) MM_SA_SETUP
*Apr 16 13:16:17.869: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 16 13:16:17.869: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 16 13:16:17.869: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Apr 16 13:16:18.157: ISAKMP (0): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_SA_SETUP
*Apr 16 13:16:18.157: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 16 13:16:18.157: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Apr 16 13:16:18.157: ISAKMP:(0): processing KE payload. message ID = 0
*Apr 16 13:16:18.181: ISAKMP:(0): processing NONCE payload. message ID = 0
*Apr 16 13:16:18.181: ISAKMP:(0):found peer pre-shared key matching 197.156.xx.xx
*Apr 16 13:16:18.181: ISAKMP:(1264): processing vendor id payload
*Apr 16 13:16:18.181: ISAKMP:(1264): vendor ID is Unity
*Apr 16 13:16:18.181: ISAKMP:(1264): processing vendor id payload
*Apr 16 13:16:18.181: ISAKMP:(1264): vendor ID is DPD
*Apr 16 13:16:18.181: ISAKMP:(1264): processing vendor id payload
*Apr 16 13:16:18.185: ISAKMP:(1264): speaking to another IOS box!
*Apr 16 13:16:18.185: ISAKMP:received payload type 20
*Apr 16 13:16:18.185: ISAKMP (1264): NAT found, both nodes inside NAT
*Apr 16 13:16:18.185: ISAKMP:received payload type 20
*Apr 16 13:16:18.185: ISAKMP (1264): NAT found, both nodes inside NAT
*Apr 16 13:16:18.185: ISAKMP:(1264):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 16 13:16:18.185: ISAKMP:(1264):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Apr 16 13:16:18.185: ISAKMP:(1264):Send initial contact
*Apr 16 13:16:18.185: ISAKMP:(1264):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Apr 16 13:16:18.185: ISAKMP (1264): ID payload
next-payload : 8
type : 1
address : 80.227.xx.xx
protocol : 17
port : 0
length : 12
*Apr 16 13:16:18.185: ISAKMP:(1264):Total payload length: 12
*Apr 16 13:16:18.185: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:16:18.185: ISAKMP:(1264):Sending an IKE IPv4 Packet.
*Apr 16 13:16:18.185: ISAKMP:(1264):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 16 13:16:18.185: ISAKMP:(1264):Old State = IKE_I_MM4 New State = IKE_I_MM5
DXB-CIT#
*Apr 16 13:16:28.157: ISAKMP (1264): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:16:28.157: ISAKMP:(1264): phase 1 packet is a duplicate of a previous packet.
*Apr 16 13:16:28.157: ISAKMP:(1264): retransmitting due to retransmit phase 1
*Apr 16 13:16:28.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:16:28.657: ISAKMP (1264): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 16 13:16:28.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH
*Apr 16 13:16:28.657: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
DXB-CIT#
*Apr 16 13:16:28.657: ISAKMP:(1264):Sending an IKE IPv4 Packet.
DXB-CIT#
DXB-CIT#
DXB-CIT#
DXB-CIT#
DXB-CIT#
DXB-CIT#
DXB-CIT#u all
All possible debugging has been turned off
DXB-CIT#
DXB-CIT#
*Apr 16 13:16:38.157: ISAKMP (1264): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:16:38.157: ISAKMP:(1264): phase 1 packet is a duplicate of a previous packet.
*Apr 16 13:16:38.157: ISAKMP:(1264): retransmitting due to retransmit phase 1
*Apr 16 13:16:38.609: ISAKMP:(1263):purging node 1134682361
*Apr 16 13:16:38.609: ISAKMP:(1263):purging node 680913363
*Apr 16 13:16:38.609: ISAKMP:(1263):purging node 1740991762
*Apr 16 13:16:38.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:16:38.657: ISAKMP (1264): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
DXB-CIT#
DXB-CIT#
DXB-CIT#
DXB-CIT#
*Apr 16 13:16:38.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH
*Apr 16 13:16:38.657: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:16:38.657: ISAKMP:(1264):Sending an IKE IPv4 Packet.
Solved! Go to Solution.
- Labels:
-
VPN
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-16-2014 12:51 PM
Hi,
your configuration seems correct. Just wondering that nat work fine, because i dont see ip nat inside and ip nat outside configured on router A.
Please chceck if protocol ESP(50) is permited(probably VPN passthrough) by Modem and also try to enable UDP 4500 (IPSEC NAT-T).
Best regards,
Jan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-16-2014 12:51 PM
Hi,
your configuration seems correct. Just wondering that nat work fine, because i dont see ip nat inside and ip nat outside configured on router A.
Please chceck if protocol ESP(50) is permited(probably VPN passthrough) by Modem and also try to enable UDP 4500 (IPSEC NAT-T).
Best regards,
Jan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-16-2014 01:05 PM
Hey fanhanes23,
Thanks for the reply
sorry i forgot to mention ip nat inside and outside command over here but its already there on router-A.
Also need clarification on below,
1- i have done the port forwarding correctly on modem??? as i have already mentioned that its my first time i have done port forwarding.
2- Do i need to enable ESP(50) with TCP or UDP???
3- Do i need to run this command on router-B crypto ipsec nat-transparency udp-encapsulation??
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-17-2014 04:06 AM
Hello salman.abid,
its hard to troubleshoot if there is some 3th party device in way. I tried your config in my lab and I established IPSec successfuly.
So it seems that modem would do some problems during IPSec establishment.
Basically if you are configuring L2L IPSec VPN so there is few things what have to match
1. check cryptomap, transform sets etc. if they match on both sides. Especially preshared keys.
2. permit protocol ESP, ISAKMP (UDP 500), and NAT-T (UDP 4500) if applicable.
3. check default GW is configured properly
4. check NAT configuration
Regarding crypto ipsec nat-transparency udp-encapsulation it could help you but also enable UDP/4500 port.
HTH
Jan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-17-2014 05:19 AM
Hi Fanhanes,
Issue got resolved just after i enabled port forwarding for ESP & NAT-T.
Thanks for the suggestion
regards
salman
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-17-2014 05:01 AM
HI,
your configuration looks good.
but here the issue is because of the modem.
please let us know the make and model number of the Modem.
you will have to bridge the modem so that you can assign public ip directly to the router interface.(now i can see your router SiteB is having private ip address which is provided by the modem DHCP or may be you would have manaully configured from the DHCP range)
if you do not know how to bridge the modem, ISP technician should be able to help you out.
if you give the make and model number of the modem i might be able to help you out.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide