Cisco Support Community

New Member

Site-to-Site VPN between PIX and VPN 3000 fails phase 1

I am trying to set up a site-to-site VPN with pre-shared keys between a Cisco PIX 515-R running 6.3(1) and a VPN 3000 concentrator running ASA 7.0(5). However, phase 1 never completes and sh crypto isakmp sa displays the state MM_KEY_EXCH. I have successfully created other site-to-site VPNs on the PIX with other PIXen and Cisco routers, but this VPN3000 is proving to be a problem. pfs group2 is not necessary, is it?

Any ideas on how I can troubleshoot this are appreciated. Thanks.

PIX VPN config

access-list nonatinside permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list tositeX permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set newsite esp-3des esp-sha-hmac
crypto map mymap 12 ipsec-isakmp
crypto map mymap 12 match address tositeX
crypto map mymap 12 set peer 80.x.x.100
crypto map mymap 12 set transform-set newsite
crypto map mymap interface outside
isakmp key ***** address 80.x.x.100 netmask 255.255.255.255
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp identity address

VPN3000 VPN config

access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list External_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map External_map 20 match address External_cryptomap
crypto map External_map 20 set connection-type originate-only
crypto map External_map 20 set peer 200.30.200.100
crypto map External_map 20 set transform-set ESP-3DES-SHA
crypto map External_map interface External
isakmp enable External
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group To_Cisco_PIX type ipsec-l2l
tunnel-group To_Cisco_PIX ipsec-attributes
 pre-shared-key *

sh crypto isakmp sa

dst src state pending created
200.x.x.100 80.100.100.100 MM_KEY_EXCH 0 0
200.x.x.100 80.100.100.100 MM_KEY_EXCH 0 0

Debug log attached.

3 REPLIES
Cisco Employee

Re: Site-to-Site VPN between PIX and VPN 3000 fails phase 1

Steve,

Looks like your pre-shared keys are not matching.

Re-enter your pre-shared key on both sides and make sure they match.

I hope it helps.

Regards,

Arul

New Member

Re: Site-to-Site VPN between PIX and VPN 3000 fails phase 1

Thank you Arul. I will certainly do this when I can get hold of the admin of the VPN3000 who is not there at the moment. Are mismatched keys usually the problem when you get MM_KEY_EXCH errors? Thanks again.

Cisco Employee

Re: Site-to-Site VPN between PIX and VPN 3000 fails phase 1

Steve,

From my experience, yes.

Typically, when an IPsec tunnel is stuck in phase 1 and you see "MM_KEY_EXCH" when you do a "show crypto isakmp sa", the issue is most likely related to the pre-shared keys not matching.

I hope it helps.

Regards,

Arul

516 Views, 0 Helpful, 3 Replies
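As an added example (not from the thread, the poster, or Cisco), the script below does the cross-check the thread suggests doing by hand: it parses both sides' configs, confirms that an ISAKMP policy, an IPsec transform set and a pair of mirrored crypto ACLs agree, and maps the "show crypto isakmp sa" state to the stage at which phase 1 stopped. The configs and SA output are constructed to mirror what was posted, with documentation-range addresses (203.0.113.100 for the ASA side, 198.51.100.100 for the PIX) standing in for the masked ones. It goes one check beyond the thread: on ASA 7.x a LAN-to-LAN tunnel-group authenticated by pre-shared key must be named with the peer's IP address, because that is how the ASA looks the key up; a tunnel-group with any other name (such as the posted To_Cisco_PIX) is never matched, so the ASA has no key for the peer and phase 1 stalls exactly as it would on a mismatched key. That is worth confirming with the VPN3000 admin alongside the key itself.

```python
import re

# Constructed sample configs, modelled on the two sides posted in the thread;
# public addresses are documentation-range placeholders, not the poster's.
PIX_CFG = """\
access-list tositeX permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set newsite esp-3des esp-sha-hmac
crypto map mymap 12 match address tositeX
crypto map mymap 12 set peer 203.0.113.100
crypto map mymap 12 set transform-set newsite
isakmp key ***** address 203.0.113.100 netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
"""
ASA_CFG = """\
access-list External_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map External_map 20 match address External_cryptomap
crypto map External_map 20 set peer 198.51.100.100
crypto map External_map 20 set transform-set ESP-3DES-SHA
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
tunnel-group To_Cisco_PIX type ipsec-l2l
tunnel-group To_Cisco_PIX ipsec-attributes
 pre-shared-key *
"""
# Constructed 'show crypto isakmp sa' output in the PIX 6.3 layout the poster saw.
SA_OUTPUT = """\
dst src state pending created
203.0.113.100 198.51.100.100 MM_KEY_EXCH 0 0
"""
PHASE1_ATTRS = ("authentication", "encryption", "hash", "group")

def isakmp_policies(cfg):
    """{policy_number: {attribute: value}} from 'isakmp policy N attr value' lines."""
    pols = {}
    for num, attr, val in re.findall(r"^isakmp policy (\d+) (\S+) (\S+)$", cfg, re.M):
        pols.setdefault(int(num), {})[attr] = val
    return pols

def transform_sets(cfg):
    """{name: frozenset(transforms)} from 'crypto ipsec transform-set' lines."""
    return {name: frozenset(body.split()) for name, body in
            re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)}

def crypto_acl_flows(cfg):
    """Set of (src, smask, dst, dmask) from 'permit ip' access-list entries."""
    return set(re.findall(
        r"^access-list \S+ (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$", cfg, re.M))

def peers(cfg):
    return set(re.findall(r"^crypto map \S+ \d+ set peer (\S+)$", cfg, re.M))

def l2l_tunnel_groups(cfg):
    return set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l$", cfg, re.M))

def check_l2l(pix_cfg, asa_cfg):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    pix_pols, asa_pols = isakmp_policies(pix_cfg), isakmp_policies(asa_cfg)
    if not any({k: p.get(k) for k in PHASE1_ATTRS} == {k: a.get(k) for k in PHASE1_ATTRS}
               for p in pix_pols.values() for a in asa_pols.values()):
        findings.append("no ISAKMP policy agrees on authentication/encryption/hash/group")
    if not set(transform_sets(pix_cfg).values()) & set(transform_sets(asa_cfg).values()):
        findings.append("no common IPsec transform set")
    # The ASA's crypto ACL must be the PIX's with source and destination swapped.
    mirrored = {(d, dm, s, sm) for s, sm, d, dm in crypto_acl_flows(asa_cfg)}
    if crypto_acl_flows(pix_cfg) != mirrored:
        findings.append("crypto ACLs are not mirror images of each other")
    # ASA 7.x looks up a LAN-to-LAN peer's pre-shared key in the tunnel-group named
    # by the peer IP; any other name is never matched, so phase 1 stalls at MM_KEY_EXCH.
    for peer in peers(asa_cfg) - l2l_tunnel_groups(asa_cfg):
        findings.append(f"ASA has no ipsec-l2l tunnel-group named {peer}")
    return findings

STATE_HINTS = {
    "MM_NO_STATE": "no ISAKMP SA yet: peer unreachable or UDP/500 blocked",
    "MM_KEY_EXCH": "key exchange done, authentication never succeeded: verify the pre-shared key",
    "QM_IDLE": "phase 1 complete; look at phase 2 if traffic still fails",
}

def diagnose_isakmp_sa(output):
    """Parse 'show crypto isakmp sa' rows into [(dst, src, state, hint)]; skips the header."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2].startswith(("MM_", "AG_", "QM_")):
            rows.append((parts[0], parts[1], parts[2], STATE_HINTS.get(parts[2], "unrecognised state")))
    return rows
```

Run check_l2l on the two constructed configs and it reports only the tunnel-group naming problem; rename the tunnel-group to the PIX's address and the list comes back empty, which is the state both sides should be in before re-keying is the only remaining suspect.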