
site to site vpn problem..

Hi,

I am trying to configure site to site VPN between a VPN Concentrator and a Cisco 2600 router. I configured the following parameters on the concentrator.

VPN Gateway IP address: x.x.x.x

VPN Parameters:

Authentication:ESP/MD5/HMAC-128

Encryption:3DES-168

IKE – Proposal: IKE-3DES-MD5-DH2

IPSec Parameters:

Encapsulation Mode: Tunnel

Life Time Measurement: Time

Time Life Time: 28800

IKE Proposal

Negotiation Mode: Main

Now I configured the following configuration on the 2600 router.

    crypto isakmp policy 110
     encr 3des
     hash md5
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key xxxx address x.x.x.x
    !
    !
    crypto ipsec transform-set mine esp-3des esp-md5-hmac
    !
    crypto map mymap 10 ipsec-isakmp
     set peer 10.200.1.5
     set transform-set mine
     match address 102
    interface FastEthernet0/0
     description Link to MTC
     ip address 172.16.10.2 255.255.255.255
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     ip address 192.168.0.146 255.255.255.0
     duplex auto
     speed auto
     crypto map mymap
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 172.16.10.1
    access-list 102 permit ip host 10.200.1.5 host 172.16.10.2
    access-list 102 permit tcp host 192.168.200.11 host 192.168.0.145 eq www
    access-list 102 permit tcp host 192.168.0.145 host 192.168.200.11 eq www
    access-list 102 permit ip host 172.16.10.2 host 10.200.1.5

Now, I checked but the tunnel is not able to initialize. I started the debug and found that it's not passing the Main mode.

The debug is as follows:

    06:20:07: ISAKMP (0:2): beginning Quick Mode exchange, M-ID of -965948346
    06:20:07: ISAKMP (0:2): sending packet to 10.200.1.5 (I) QM_IDLE
    06:20:08: ISAKMP (0:2): received packet from 10.200.1.5 (I) QM_IDLE
    06:20:08: ISAKMP (0:2): processing HASH payload. message ID = -1315122878
    06:20:08: ISAKMP:received payload type 15
    06:20:08: ISAKMP (0:2): processing DELETE_WITH_REASON payload, message ID = -1315122878, reason: Unknown delete reason!
    06:20:08: ISAKMP (0:2): peer does not do paranoid keepalives.
    06:20:08: ISAKMP (0:2): deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE (peer 10.200.1.5) input queue 0
    06:20:08: ISAKMP (0:2): deleting node -965948346 error FALSE reason "P1 delete notify (in)"
    06:20:08: ISAKMP (0:2): deleting node -1315122878 error FALSE reason "P1 delete notify (in)"
    06:20:28: ISAKMP (0:1): purging node 567915527
    06:20:28: ISAKMP (0:1): purging node 1955492785

What should be the problem?

Best regards,

banno


Re: site to site vpn problem..

Mismatch of IKE phase II attributes (check your IPsec transform set). Also, check the network list to match the exact networks defined on the access-list on the router, and the logs of the concentrator.
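
The debug output in the question can be triaged mechanically before comparing settings on both peers. The Python below is an added example, not part of the original thread or of any Cisco tool; the function name `triage`, the verdict labels and the rule "a `QM_IDLE` state means the phase 1 SA exists" are this example's assumptions, and the last sample line is constructed.

```python
import re

# Debug lines for SA 2 are copied from the post (purge lines for SA 1 omitted);
# the final SA 3 line is constructed to show a Main Mode failure for contrast.
SAMPLE_DEBUG = """\
06:20:07: ISAKMP (0:2): beginning Quick Mode exchange, M-ID of -965948346
06:20:07: ISAKMP (0:2): sending packet to 10.200.1.5 (I) QM_IDLE
06:20:08: ISAKMP (0:2): received packet from 10.200.1.5 (I) QM_IDLE
06:20:08: ISAKMP (0:2): processing HASH payload. message ID = -1315122878
06:20:08: ISAKMP:received payload type 15
06:20:08: ISAKMP (0:2): processing DELETE_WITH_REASON payload, message ID = -1315122878, reason: Unknown delete reason!
06:20:08: ISAKMP (0:2): deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE (peer 10.200.1.5) input queue 0
06:21:00: ISAKMP (0:3): sending packet to 10.200.1.5 (I) MM_NO_STATE
"""

LINE = re.compile(r"^\d\d:\d\d:\d\d: ISAKMP \(\d+:(?P<sa>\d+)\): (?P<msg>.*)$")
PEER = re.compile(r"\(peer (\d+\.\d+\.\d+\.\d+)\)")
REASON = re.compile(r'deleting SA reason "([^"]+)"')


def triage(text):
    """Return {sa_id: findings} describing how far each negotiation got."""
    sas = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:  # e.g. "ISAKMP:received payload type 15" carries no SA id
            continue
        s = sas.setdefault(m["sa"], {"phase1_up": False, "qm_started": False,
                                     "delete_reason": None, "peer": None})
        msg = m["msg"]
        s["phase1_up"] |= "QM_IDLE" in msg  # state shown once the ISAKMP SA exists
        s["qm_started"] |= "beginning Quick Mode" in msg
        if (r := REASON.search(msg)):
            s["delete_reason"] = r.group(1)
            p = PEER.search(msg)
            s["peer"] = p.group(1) if p else None
    for s in sas.values():
        if not s["phase1_up"]:
            s["verdict"] = "phase1-incomplete"  # look at IKE policy / pre-shared key
        elif s["qm_started"] and s["delete_reason"]:
            s["verdict"] = "sa-deleted-during-quick-mode"  # look at phase 2 settings
        else:
            s["verdict"] = "no-failure-seen"
    return sas


if __name__ == "__main__":
    for sa, s in sorted(triage(SAMPLE_DEBUG).items()):
        print(sa, s["verdict"], s["peer"], s["delete_reason"])
```

For the lines from the post, SA 2 is reported as deleted during Quick Mode, which points at the phase 2 settings the reply names: the transform set and the crypto access-list versus the concentrator's network list.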
