Problem with Dynamic P2P VTI Tunnel

Hi there,

Looking for help with resolving the ISAKMP phase 1 issue.

There are two 2691 routers: R3 is hub, R1 is spoke.

I have Virtual-Template interface on R3 and Tunnel0 interface on R1.

I have the same key in "crypto isakmp key" on R1 and in "keyring address" on R3.

Here is the piece of debug from R3:

*Mar  1 03:07:05.167: ISAKMP:(1093): processing ID payload. message ID = 0
*Mar  1 03:07:05.167: ISAKMP (0:1093): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.1.1
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 03:07:05.171: ISAKMP:(0):: peer matches VPN profile
*Mar  1 03:07:05.171: ISAKMP:(1093):Found ADDRESS key in keyring VPN
*Mar  1 03:07:05.171: ISAKMP:(1093):Key not found in keyrings of profile , aborting exchange
*Mar  1 03:07:05.171: ISAKMP (0:1093): FSM action returned error: 2
*Mar  1 03:07:05.171: ISAKMP:(1093):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 03:07:05.171: ISAKMP:(1093):Old State = IKE_R_MM5  New State = IKE_R_MM5
*Mar  1 03:07:05.175: ISAKMP:(1093):peer does not do paranoid keepalives.
*Mar  1 03:07:05.175: ISAKMP:(1093):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 192.168.1.1)
*Mar  1 03:07:05.175: ISAKMP (0:1093): FSM action returned error: 2
*Mar  1 03:07:05.175: ISAKMP:(1093):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*Mar  1 03:07:05.175: ISAKMP:(1093):Old State = IKE_R_MM5  New State = IKE_R_MM4

Here is the "sh crypto isakmp sa" payload from R3:

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.10.10.2      192.168.1.1     MM_NO_STATE       1096    0 ACTIVE (deleted)

And here is the ISAKMP SA state from R1:

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.10.10.2      192.168.1.1     MM_KEY_EXCH       1093    0 ACTIVE


ISAKMP phase 1 gets stuck on this.

I will show router's running-config pieces in the next message.

Looking forward to your help.
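The debug output quoted above can be triaged mechanically. The script below is an added example, not part of the post and not a Cisco tool: it groups `debug crypto isakmp` lines by connection id, pulls out the peer address from the ID payload, the keyring that held a key, the profile rejection, the main-mode state transitions and the SA deletion reason, and turns them into findings. The regular expressions are written against the exact line formats quoted in the post (copied in as the constructed sample); other IOS releases may word these messages differently.

```python
import re
from collections import defaultdict

# Constructed sample: the R3 debug lines quoted in the post, copied verbatim.
SAMPLE_DEBUG = """\
*Mar  1 03:07:05.167: ISAKMP:(1093): processing ID payload. message ID = 0
*Mar  1 03:07:05.167: ISAKMP (0:1093): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.1.1
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 03:07:05.171: ISAKMP:(0):: peer matches VPN profile
*Mar  1 03:07:05.171: ISAKMP:(1093):Found ADDRESS key in keyring VPN
*Mar  1 03:07:05.171: ISAKMP:(1093):Key not found in keyrings of profile , aborting exchange
*Mar  1 03:07:05.171: ISAKMP (0:1093): FSM action returned error: 2
*Mar  1 03:07:05.171: ISAKMP:(1093):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 03:07:05.171: ISAKMP:(1093):Old State = IKE_R_MM5  New State = IKE_R_MM5
*Mar  1 03:07:05.175: ISAKMP:(1093):peer does not do paranoid keepalives.
*Mar  1 03:07:05.175: ISAKMP:(1093):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 192.168.1.1)
*Mar  1 03:07:05.175: ISAKMP (0:1093): FSM action returned error: 2
*Mar  1 03:07:05.175: ISAKMP:(1093):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*Mar  1 03:07:05.175: ISAKMP:(1093):Old State = IKE_R_MM5  New State = IKE_R_MM4
"""

# Line shapes as they appear in the quoted debug ("ISAKMP:(1093):" and "ISAKMP (0:1093):").
CONN_RE = re.compile(r"ISAKMP:?\s*\((?:0:)?(\d+)\)")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
ID_ADDR_RE = re.compile(r"^\s+address\s+:\s+(\S+)")
PROFILE_RE = re.compile(r"peer matches (\S+) profile")
KEY_FOUND_RE = re.compile(r"Found (\w+) key in keyring (\S+)")
KEY_REJECT_RE = re.compile(r"Key not found in keyrings of profile\s*(\S*?)\s*,")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)" state \(\w\) (\S+) \(peer (\S+)\)')
ERROR_RE = re.compile(r"FSM action returned error: (\d+)")
MM_NUM_RE = re.compile(r"MM(\d)")

def new_session():
    return {"peer": None, "profile": None, "keyring_hit": None, "profile_rejected": False,
            "fsm_errors": 0, "transitions": [], "delete_reason": None, "delete_state": None}

def parse_isakmp_debug(text):
    """Group debug lines by ISAKMP connection id and record the facts that matter."""
    sessions = defaultdict(new_session)
    current = None
    for line in text.splitlines():
        m = CONN_RE.search(line)
        # IOS prints some lookups (profile matching here) under conn id 0; keep those with
        # the session being negotiated instead of opening a bogus session 0.
        if m and m.group(1) != "0":
            current = m.group(1)
        if current is None:
            continue
        s = sessions[current]
        if (m := ID_ADDR_RE.match(line)):
            s["peer"] = m.group(1)
        elif (m := PROFILE_RE.search(line)):
            s["profile"] = m.group(1)
        elif (m := KEY_FOUND_RE.search(line)):
            s["keyring_hit"] = m.group(2)
        elif KEY_REJECT_RE.search(line):
            s["profile_rejected"] = True
        elif (m := STATE_RE.search(line)):
            s["transitions"].append((m.group(1), m.group(2)))
        elif (m := DELETE_RE.search(line)):
            s["delete_reason"], s["delete_state"] = m.group(1), m.group(2)
            s["peer"] = s["peer"] or m.group(3)
        elif ERROR_RE.search(line):
            s["fsm_errors"] += 1
    return dict(sessions)

def mm_step(state):
    m = MM_NUM_RE.search(state)
    return int(m.group(1)) if m else None

def triage(sessions):
    """One human-readable finding per problem spotted in a session."""
    findings = []
    for conn, s in sessions.items():
        where = f"conn {conn} peer {s['peer']}"
        if s["profile_rejected"]:
            findings.append(f"{where}: PSK found in keyring {s['keyring_hit']} but rejected for "
                            f"ISAKMP profile {s['profile'] or '<unnamed>'}; check that the profile's "
                            "'keyring' statement names the keyring holding this peer's key")
        if s["transitions"]:
            old, new = s["transitions"][-1]
            o, n = mm_step(old), mm_step(new)
            if o is not None and n is not None and n < o:
                findings.append(f"{where}: main mode regressed {old} -> {new}; phase 1 never completed")
        if s["delete_reason"]:
            findings.append(f"{where}: SA deleted in {s['delete_state']} with reason {s['delete_reason']}")
        if s["fsm_errors"]:
            findings.append(f"{where}: {s['fsm_errors']} FSM error(s) logged")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_isakmp_debug(SAMPLE_DEBUG)):
        print(finding)
```

On the quoted lines it reports four findings for connection 1093: the key for 192.168.1.1 was found in keyring VPN but rejected for the profile, main mode fell back from IKE_R_MM5 to IKE_R_MM4, the SA was deleted in MM_KEY_EXCH with reason IKMP_ERR_NO_RETRANS, and two FSM errors were logged. Feed the full `debug crypto isakmp` capture to `parse_isakmp_debug` instead of the sample to see every connection at once.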


R1 running-config:

crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp key 12345 address 10.10.10.2
!
!
crypto ipsec transform-set VPN esp-aes esp-sha-hmac
!
crypto ipsec profile VPN
set transform-set VPN
!
!
!
!
!
!
!
!
interface Tunnel0
ip unnumbered FastEthernet0/0
tunnel source FastEthernet0/0
tunnel destination 10.10.10.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.252
!

R3 running-config:

crypto keyring VPN
  pre-shared-key address 192.168.1.1 key 12345
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp key 12345 address 192.168.1.1
crypto isakmp profile VPN
   keyring VPN
   match identity address 192.168.1.1 255.255.255.255
   match identity address 172.16.0.1 255.255.255.255
   virtual-template 1
!
!
crypto ipsec transform-set VPN esp-aes esp-sha-hmac
!
crypto ipsec profile VPN
set transform-set VPN
!
!
!
!
!
interface FastEthernet1/0
ip address 10.10.10.2 255.255.255.252
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet1/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN
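With both configurations visible, the following Python cross-check is an added example (not from the post and not a Cisco tool) that parses the ISAKMP parts of two IOS running-configs and reports the things a reviewer compares first: whether each side holds exactly one pre-shared key for the other side's address, whether the two keys agree, whether an `isakmp policy` exists with the same encryption, hash, authentication and group on both routers, and whether each ISAKMP profile's keyring exists and its `match identity address` covers the peer. The embedded config text is copied from the post; the parser is keyword-driven because pasted configs lose their indentation, and the values assumed for an unspecified policy attribute (des, sha, rsa-sig, group 1) are the IOS defaults.

```python
import ipaddress

# Constructed input: the isakmp-related lines of the R1 and R3 configs posted above.
R1_CONFIG = """\
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp key 12345 address 10.10.10.2
"""
R3_CONFIG = """\
crypto keyring VPN
  pre-shared-key address 192.168.1.1 key 12345
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp key 12345 address 192.168.1.1
crypto isakmp profile VPN
   keyring VPN
   match identity address 192.168.1.1 255.255.255.255
   match identity address 172.16.0.1 255.255.255.255
"""
# IOS defaults for a policy attribute that is not configured explicitly.
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

def parse_ios_crypto(text):
    """Keyword-driven parser: section membership comes from command words, not indentation."""
    cfg = {"keys": [], "keyrings": set(), "policies": {}, "profiles": {}}
    section = None
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            section = None
        elif w[:3] == ["crypto", "isakmp", "key"]:
            # global keyring: crypto isakmp key [0|6] <key> address <peer> [mask]
            i = w.index("address")
            cfg["keys"].append({"keyring": "global", "peer": w[i + 1], "key": w[i - 1]})
            section = None
        elif w[:2] == ["crypto", "keyring"]:
            section = ("keyring", w[2])
            cfg["keyrings"].add(w[2])
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            section = ("policy", w[3])
            cfg["policies"][w[3]] = dict(POLICY_DEFAULTS)
        elif w[:3] == ["crypto", "isakmp", "profile"]:
            section = ("profile", w[3])
            cfg["profiles"][w[3]] = {"keyring": None, "identities": []}
        elif w[0] in ("crypto", "interface"):
            section = None  # some other top-level block this parser does not model
        elif section is None:
            continue
        elif section[0] == "keyring" and w[0] == "pre-shared-key":
            # pre-shared-key address <peer> [mask] key <key>
            cfg["keys"].append({"keyring": section[1], "peer": w[2], "key": w[w.index("key") + 1]})
        elif section[0] == "policy" and w[0] in POLICY_DEFAULTS:
            cfg["policies"][section[1]][w[0]] = w[1]
        elif section[0] == "profile" and w[0] == "keyring":
            cfg["profiles"][section[1]]["keyring"] = w[1]
        elif section[0] == "profile" and w[:3] == ["match", "identity", "address"]:
            mask = w[4] if len(w) > 4 else "255.255.255.255"
            cfg["profiles"][section[1]]["identities"].append(
                ipaddress.ip_network(f"{w[3]}/{mask}", strict=False))
    return cfg

def keys_for(cfg, peer):
    return [(k["keyring"], k["key"]) for k in cfg["keys"] if k["peer"] == peer]

def policy_tuple(p):
    return (p["encr"], p["hash"], p["authentication"], p["group"])

def check_peer_pair(a_name, a, a_addr, b_name, b, b_addr):
    """Findings for phase 1 between A (identifies as a_addr) and B (identifies as b_addr)."""
    findings = []
    for name, cfg, peer in ((a_name, a, b_addr), (b_name, b, a_addr)):
        ks = keys_for(cfg, peer)
        if not ks:
            findings.append(f"{name}: no pre-shared key defined for peer {peer}")
        elif len(ks) > 1:
            rings = ", ".join(sorted(r for r, _ in ks))
            findings.append(f"{name}: key for peer {peer} is defined in {len(ks)} keyrings "
                            f"({rings}); keep one definition so the lookup is unambiguous")
        for pname, prof in cfg["profiles"].items():
            if prof["keyring"] and prof["keyring"] not in cfg["keyrings"]:
                findings.append(f"{name}: profile {pname} references undefined keyring {prof['keyring']}")
            if not any(ipaddress.ip_address(peer) in n for n in prof["identities"]):
                findings.append(f"{name}: profile {pname} has no 'match identity address' covering {peer}")
    a_vals = {k for _, k in keys_for(a, b_addr)}
    b_vals = {k for _, k in keys_for(b, a_addr)}
    if a_vals and b_vals and a_vals != b_vals:
        findings.append(f"pre-shared key mismatch between {a_name} and {b_name}")
    if not any(policy_tuple(p) == policy_tuple(q)
               for p in a["policies"].values() for q in b["policies"].values()):
        findings.append(f"no isakmp policy with the same encr/hash/authentication/group on {a_name} and {b_name}")
    return findings

if __name__ == "__main__":
    r1, r3 = parse_ios_crypto(R1_CONFIG), parse_ios_crypto(R3_CONFIG)
    for finding in check_peer_pair("R1", r1, "192.168.1.1", "R3", r3, "10.10.10.2"):
        print(finding)
```

On the posted configs the keys agree, the policies agree and profile VPN covers 192.168.1.1, so it reports exactly one finding: R3 defines the key for 192.168.1.1 both under `crypto isakmp key` (the global keyring) and inside keyring VPN. Since the debug shows the key being found in keyring VPN and then rejected for the profile, that duplicate definition is the first thing to reconcile before looking elsewhere.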