site to site tunnel using CA - error

Hello everyone, I have been trying to set up a site-to-site tunnel using CA and the tunnel is not coming up. I am pasting the output of debug crypto isakmp errors for your reference.

Please give some suggestions.

*Dec 26 18:54:19.071: ISAKMP:(0):No pre-shared key with 10.0.0.2!
*Dec 26 18:54:19.267: ISAKMP:(1056):My ID configured as IPv4 Addr, but Addr not in Cert!
*Dec 26 18:54:19.267: ISAKMP:(1056):Using FQDN as My ID
r3(config)#
*Dec 26 18:54:30.087: ISAKMP (1056): FSM action returned error: 2
*Dec 26 18:54:30.091: ISAKMP:(1056):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 10.0.0.2)
*Dec 26 18:54:30.095: ISAKMP (1056): FSM action returned error: 2
*Dec 26 18:54:30.095: ISAKMP:(1056):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 10.0.0.2)
r3(config)#
*Dec 26 18:55:39.103: %CRYPTO-4-IKMP_NO_SA: IKE message from 10.0.0.2 has no SA and is not an initialization offer
r3(config)#
*Dec 26 18:55:49.063: ISAKMP:(0):No pre-shared key with 10.0.0.2!
*Dec 26 18:55:49.251: ISAKMP:(1057):My ID configured as IPv4 Addr, but Addr not in Cert!
*Dec 26 18:55:49.251: ISAKMP:(1057):Using FQDN as My ID
*Dec 26 18:55:49.831: ISAKMP (1057): FSM action returned error: 2
*Dec 26 18:55:49.835: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 10.0.0.2
r3(config)#
*Dec 26 18:55:49.839: ISAKMP:(1057):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 10.0.0.2)
*Dec 26 18:55:49.843: ISAKMP (1057): FSM action returned error: 2
*Dec 26 18:55:49.843: ISAKMP:(1057):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 10.0.0.2)

1 Reply 1

OK, I figured out the problem:

need to specify a key, even if we are authenticating using CA

crypto isakmp key cisco123 address 10.0.0.2

--

OK, then I figured out that the policy number that I'm setting is 10,

so I changed it to 1,

made the authentication rsa-sig,

and deleted the key, then shut and no shut the tunnel.

Now the tunnel is UP, but I get this error:

*Dec 26 19:30:54.431: ISAKMP:(1083):Profile has no keyring, aborting key search
*Dec 26 19:30:54.455: ISAKMP:(1082):deleting SA reason "Receive initial contact" state (R) QM_IDLE       (peer 10.0.0.2)
*Dec 26 19:30:54.455: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
*Dec 26 19:30:54.475: ISAKMP:(1083):My ID configured as IPv4 Addr, but Addr not in Cert!
*Dec 26 19:30:54.475: ISAKMP:(1083):Using FQDN as My ID
*Dec 26 19:30:54.699: ISAKMP:(1082):deleting SA reason "Receive initial contact" state (R) QM_IDLE       (peer 10.0.0.2)
r3(config)#

and the SA state is below, not able to ping packets at the other end of the tunnel.

r3#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

10.0.0.1        10.0.0.2        QM_IDLE           1083 ACTIVE

IPv6 Crypto ISAKMP SA
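
A small triage helper for debug output like that pasted in this thread, added here as an example and not part of the original posts: it rejoins terminal-wrapped lines, drops router prompts, and lists each deleted SA with its role, state, reason and peer. The function names and regular expressions are assumptions based only on the line formats visible above.

```python
import re
from collections import Counter

# Sample input: debug lines as pasted in the thread, keeping the terminal
# line wrapping and the interleaved router prompt.
SAMPLE = '''\
*Dec 26 18:54:19.071: ISAKMP:(0):No pre-shared key with 10.0.0.2!
*Dec 26 18:54:19.267: ISAKMP:(1056):My ID configured as IPv4 Addr, but Addr
not in Cert!
*Dec 26 18:54:19.267: ISAKMP:(1056):Using FQDN as My ID
r3(config)#
*Dec 26 18:54:30.087: ISAKMP (1056): FSM action returned error: 2
*Dec 26 18:54:30.091: ISAKMP:(1056):deleting SA reason
"IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 10.0.0.2)
*Dec 26 19:30:54.455: ISAKMP:(1082):deleting SA reason "Receive initial contact" state (R) QM_IDLE       (peer 10.0.0.2)
'''

PROMPT = re.compile(r'^\S+[#>]\s*$')  # CLI prompt such as "r3(config)#"
RECORD = re.compile(r'^\*(?P<ts>\w{3}\s+\d+ [\d:.]+): ISAKMP\s*:?\s*\((?P<sa>\d+)\)\s*:\s*(?P<msg>.*)$')
DELETE = re.compile(r'deleting SA reason "(?P<reason>[^"]+)" state \((?P<role>[IR])\) '
                    r'(?P<state>\S+)\s+\(peer (?P<peer>[\d.]+)\)')

def unwrap(text):
    """Rejoin wrapped continuation lines; drop blank lines and CLI prompts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or PROMPT.match(line):
            continue
        if line.startswith('*') or not records:
            records.append(line)      # a timestamped line starts a new record
        else:
            records[-1] += ' ' + line  # anything else continues the previous one
    return records

def triage(text):
    """Return (SA deletions, counts of other per-SA messages)."""
    deletions, messages = [], Counter()
    for m in filter(None, map(RECORD.match, unwrap(text))):
        d = DELETE.search(m['msg'])
        if d:
            deletions.append((int(m['sa']), d['role'], d['state'], d['reason'], d['peer']))
        else:
            messages[(int(m['sa']), m['msg'])] += 1
    return deletions, messages

if __name__ == '__main__':
    for sa, role, state, reason, peer in triage(SAMPLE)[0]:
        print(f'SA {sa} ({role}) peer {peer}: deleted in {state}: {reason}')
```

Lines that are not per-SA ISAKMP records, such as the %CRYPTO syslog messages, are skipped by this sketch.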