Trouble bringing up VPN tunnel

I am trying to create a tunnel between a 2811 and a 7206. The 7200 is the headend with multiple circuits connected in the same broadcast domain. The 7200 is 10.49.163.1 with, at the moment, 2 other circuits, 10.49.163.2 and 10.49.163.3. I need to encrypt certain traffic over this link; I have created a crypto map with multiple instances on the head end:

crypto map CRYPTOMAP 5 ipsec-isakmp
set peer 10.49.163.2
set transform-set CRYPTOSET
match address 101
crypto map CRYPTOMAP 10 ipsec-isakmp
set peer 10.49.163.3
set transform-set CRYPTOSET
match address 105

On the 10.49.163.2 router everything is working and passing traffic; on the .3 side it is another story. When doing a sh crypto ip sa I get:

interface: FastEthernet0/1
    Crypto map tag: CRYPTOMAP, local addr 10.49.163.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.49.32.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   current_peer 10.49.163.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 53, #recv errors 0

Here is the debug from a "debug crypto ip and isa":

Jan 11 13:37:57.237: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.49.163.3, remote= 10.49.163.1,
    local_proxy= 10.49.32.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xCA4CDD31(3394034993), conn_id= 0, keysize= 0, flags= 0x400A
Jan 11 13:37:57.241: ISAKMP: received ke message (1/1)
Jan 11 13:37:57.241: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
Jan 11 13:37:57.241: ISAKMP: Created a peer struct for 10.49.163.1, peer port 500
Jan 11 13:37:57.241: ISAKMP: New peer created peer = 0x470157B8 peer_handle = 0x80000010
Jan 11 13:37:57.241: ISAKMP: Locking peer struct 0x470157B8, IKE refcount 1 for isakmp_initiator
Jan 11 13:37:57.241: ISAKMP: local port 500, remote port 500
Jan 11 13:37:57.241: ISAKMP: set new node 0 to QM_IDLE
Jan 11 13:37:57.241: insert sa successfully sa = 4682CA58
Jan 11 13:37:57.241: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
Jan 11 13:37:57.241: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.49.163.1
Jan 11 13:37:57.241: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
Jan 11 13:37:57.245: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
Jan 11 13:37:57.245: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
Jan 11 13:37:57.245: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jan 11 13:37:57.245: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

Jan 11 13:37:57.245: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
Jan 11 13:37:57.245: ISAKMP:(0:0:N/A:0): sending packet to 10.49.163.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Jan 11 13:37:57.269: ISAKMP (0:0): received packet from 10.49.163.1 dport 500 sport 500 Global (I) MM_NO_STATE
Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2

Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0): processing vendor id payload
Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
Jan 11 13:37:57.273: ISAKMP (0:0): vendor ID is NAT-T v7
Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.49.163.1
Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0): local preshared key found
Jan 11 13:37:57.273: ISAKMP : Scanning profiles for xauth ...
Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
Jan 11 13:37:57.273: ISAKMP:      encryption 3DES-CBC
Jan 11 13:37:57.273: ISAKMP:      hash MD5
Jan 11 13:37:57.273: ISAKMP:      default group 1
Jan 11 13:37:57.273: ISAKMP:      auth pre-share
Jan 11 13:37:57.273: ISAKMP:      life type in seconds
Jan 11 13:37:57.273: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Jan 11 13:37:57.273: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
Jan 11 13:37:57.297: ISAKMP:(0:1:SW:1): processing vendor id payload
Jan 11 13:37:57.297: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
Jan 11 13:37:57.297: ISAKMP (0:134217729): vendor ID is NAT-T v7
Jan 11 13:37:57.297: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 11 13:37:57.297: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2

Jan 11 13:37:57.301: ISAKMP:(0:1:SW:1): sending packet to 10.49.163.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jan 11 13:37:57.301: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 11 13:37:57.301: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3

Jan 11 13:37:57.341: ISAKMP (0:134217729): received packet from 10.49.163.1 dport 500 sport 500 Global (I) MM_SA_SETUP
Jan 11 13:37:57.341: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 11 13:37:57.341: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4

Jan 11 13:37:57.341: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 10.49.163.1
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1):SKEYID state generated
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1): processing vendor id payload
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1): vendor ID is Unity
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1): processing vendor id payload
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1): vendor ID is DPD
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1): processing vendor id payload
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1): speaking to another IOS box!
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4

Jan 11 13:37:57.373: ISAKMP:(0:1:SW:1):Send initial contact
Jan 11 13:37:57.377: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jan 11 13:37:57.377: ISAKMP (0:134217729): ID payload
        next-payload : 8
        type         : 1
        address      : 10.49.163.3
        protocol     : 17
        port         : 500
        length       : 12
Jan 11 13:37:57.377: ISAKMP:(0:1:SW:1):Total payload length: 12
Jan 11 13:37:57.377: ISAKMP:(0:1:SW:1): sending packet to 10.49.163.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Jan 11 13:37:57.377: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 11 13:37:57.377: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5

Jan 11 13:37:57.409: ISAKMP (0:134217729): received packet from 10.49.163.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0
Jan 11 13:37:57.413: ISAKMP (0:134217729): ID payload
        next-payload : 8
        type         : 1
        address      : 10.49.163.1
        protocol     : 17
        port         : 500
        length       : 12
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 0
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1):SA authentication status:
        authenticated
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1):SA has been authenticated with 10.49.163.1
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1):IKE_DPD is enabled, initializing timers
Jan 11 13:37:57.413: ISAKMP: Trying to insert a peer 10.49.163.3/10.49.163.1/500/,  and inserted successfully 470157B8.
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6

Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_I_MM6

Jan 11 13:37:57.417: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 11 13:37:57.417: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

Jan 11 13:37:57.417: ISAKMP:(0:1:SW:1):beginning Quick Mode exchange, M-ID of 5768661
Jan 11 13:37:57.421: ISAKMP:(0:1:SW:1): sending packet to 10.49.163.1 my_port 500 peer_port 500 (I) QM_IDLE
Jan 11 13:37:57.421: ISAKMP:(0:1:SW:1):Node 5768661, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jan 11 13:37:57.421: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Jan 11 13:37:57.421: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jan 11 13:37:57.421: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Jan 11 13:37:57.453: ISAKMP (0:134217729): received packet from 10.49.163.1 dport 500 sport 500 Global (I) QM_IDLE
Jan 11 13:37:57.453: ISAKMP: set new node 334635566 to QM_IDLE
Jan 11 13:37:57.453: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 334635566
Jan 11 13:37:57.453: ISAKMP:(0:1:SW:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 3394034993, message ID = 334635566, sa = 4682CA58
Jan 11 13:37:57.453: ISAKMP:(0:1:SW:1): deleting spi 3394034993 message ID = 5768661
Jan 11 13:37:57.453: ISAKMP:(0:1:SW:1):deleting node 5768661 error TRUE reason "Delete Larval"
Jan 11 13:37:57.453: ISAKMP:(0:1:SW:1):deleting node 334635566 error FALSE reason "Informational (in) state 1"
Jan 11 13:37:57.453: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jan 11 13:37:57.453: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Jan 11 13:38:27.238: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 10.49.163.3, remote= 10.49.163.1,
    local_proxy= 10.49.32.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4)
Jan 11 13:38:27.238: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.49.163.3, remote= 10.49.163.1,
    local_proxy= 10.49.32.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x390CCAED(957139693), conn_id= 0, keysize= 0, flags= 0x400A
Jan 11 13:38:27.238: ISAKMP: received ke message (1/1)
Jan 11 13:38:27.238: ISAKMP: set new node 0 to QM_IDLE
Jan 11 13:38:27.238: ISAKMP:(0:1:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE      )
Jan 11 13:38:27.238: ISAKMP:(0:1:SW:1):beginning Quick Mode exchange, M-ID of -1471990271
Jan 11 13:38:27.242: ISAKMP:(0:1:SW:1): sending packet to 10.49.163.1 my_port 500 peer_port 500 (I) QM_IDLE
Jan 11 13:38:27.242: ISAKMP:(0:1:SW:1):Node -1471990271, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jan 11 13:38:27.242: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Jan 11 13:38:27.298: ISAKMP (0:134217729): received packet from 10.49.163.1 dport 500 sport 500 Global (I) QM_IDLE
Jan 11 13:38:27.298: ISAKMP: set new node -1557550641 to QM_IDLE
Jan 11 13:38:27.302: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -1557550641
Jan 11 13:38:27.302: ISAKMP:(0:1:SW:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 957139693, message ID = -1557550641, sa = 4682CA58
Jan 11 13:38:27.302: ISAKMP:(0:1:SW:1): deleting spi 957139693 message ID = -1471990271
Jan 11 13:38:27.302: ISAKMP:(0:1:SW:1):deleting node -1471990271 error TRUE reason "Delete Larval"
Jan 11 13:38:27.302: ISAKMP:(0:1:SW:1):deleting node -1557550641 error FALSE reason "Informational (in) state 1"
Jan 11 13:38:27.302: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jan 11 13:38:27.302: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Jan 11 13:38:47.454: ISAKMP:(0:1:SW:1):purging node 5768661
Jan 11 13:38:47.454: ISAKMP:(0:1:SW:1):purging node 334635566
Jan 11 13:38:57.239: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 10.49.163.3, remote= 10.49.163.1,
    local_proxy= 10.49.32.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4)
Jan 11 13:38:57.239: ISAKMP: received ke message (3/1)
Jan 11 13:38:57.239: ISAKMP:(0:1:SW:1):peer does not do paranoid keepalives.

Jan 11 13:38:57.239: ISAKMP:(0:1:SW:1):deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE       (peer 10.49.163.1)
Jan 11 13:38:57.239: ISAKMP: set new node 1934363591 to QM_IDLE
Jan 11 13:38:57.239: ISAKMP:(0:1:SW:1): sending packet to 10.49.163.1 my_port 500 peer_port 500 (I) QM_IDLE
Jan 11 13:38:57.239: ISAKMP:(0:1:SW:1):purging node 1934363591
Jan 11 13:38:57.243: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jan 11 13:38:57.243: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

Jan 11 13:38:57.243: ISAKMP:(0:1:SW:1):deleting SA reason "No reason" state (I) QM_IDLE       (peer 10.49.163.1)
Jan 11 13:38:57.243: ISAKMP: Unlocking IKE struct 0x470157B8 for isadb_mark_sa_deleted(), count 0
Jan 11 13:38:57.243: ISAKMP: Deleting peer node by peer_reap for 10.49.163.1: 470157B8
Jan 11 13:38:57.243: ISAKMP:(0:1:SW:1):deleting node -1471990271 error FALSE reason "IKE deleted"
Jan 11 13:38:57.243: ISAKMP:(0:1:SW:1):deleting node -1557550641 error FALSE reason "IKE deleted"
Jan 11 13:38:57.243: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 11 13:38:57.243: ISAKMP:(0:1:SW:1):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

Jan 11 13:38:57.243: IPSEC(key_engine): got a queue event with 1 kei messages
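As an added triage helper, not part of the thread: a small Python parser over IOS "debug crypto isakmp" / "debug crypto ipsec" lines that records whether Phase 1 reached IKE_P1_COMPLETE, whether Quick Mode was started, the proxy identities the initiator proposed, and any NOTIFY payloads received, then classifies where the negotiation stopped. The sample text is a constructed excerpt of the debug above; the `triage` function, the `IkeTriage` class and the verdict labels are my own naming.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the "debug crypto ipsec"/"debug crypto isakmp" output quoted
# in the post, shortened to the lines the triage keys on.
SAMPLE_DEBUG = """\
Jan 11 13:37:57.237: IPSEC(sa_request): ,
    local_proxy= 10.49.32.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4),
Jan 11 13:37:57.413: ISAKMP:(0:1:SW:1):SA has been authenticated with 10.49.163.1
Jan 11 13:37:57.417: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Jan 11 13:37:57.417: ISAKMP:(0:1:SW:1):beginning Quick Mode exchange, M-ID of 5768661
Jan 11 13:37:57.453: ISAKMP:(0:1:SW:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
NOTIFY_RE = re.compile(r"processing NOTIFY (\S+) protocol (\d+)")
PROXY_RE = re.compile(r"(local|remote)_proxy= (\S+) \(type=\d+\)")
DOI_PROTO = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}  # IPsec DOI protocol IDs (RFC 2407)

@dataclass
class IkeTriage:
    phase1_complete: bool = False      # saw a transition into IKE_P1_COMPLETE
    quick_mode_started: bool = False   # initiator sent the first Quick Mode message
    notifies: list = field(default_factory=list)  # (notify type, DOI protocol)
    proxies: dict = field(default_factory=dict)   # proxy identities the initiator proposed

    def verdict(self) -> str:
        # Coarse classification of where the negotiation stopped.
        if not self.phase1_complete:
            return "phase1-failed"
        if any(n == "PROPOSAL_NOT_CHOSEN" for n, _ in self.notifies):
            return "phase2-proposal-rejected"  # responder refused the Quick Mode SA
        if self.quick_mode_started and not self.notifies:
            return "phase2-no-response"
        return "ok"

def triage(debug_text: str) -> IkeTriage:
    t = IkeTriage()
    for line in debug_text.splitlines():
        if m := STATE_RE.search(line):
            t.phase1_complete |= m.group(2) == "IKE_P1_COMPLETE"
        elif "beginning Quick Mode exchange" in line:
            t.quick_mode_started = True
        elif m := NOTIFY_RE.search(line):
            t.notifies.append((m.group(1), DOI_PROTO.get(int(m.group(2)), m.group(2))))
        for m in PROXY_RE.finditer(line):
            t.proxies[m.group(1)] = m.group(2)
    return t
```

On the debug in this thread the verdict is "phase2-proposal-rejected": Phase 1 authenticated and completed, and the head end answered the Quick Mode proposal for the 10.49.32.0/24 to 192.168.4.0/24 identities with PROPOSAL_NOT_CHOSEN for ESP, so the place to look is the responder's side of Phase 2 rather than the pre-shared key or ISAKMP policy.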

2 REPLIES
Re: Trouble bringing up VPN tunnel

As an update, if I take off the first tunnel the 2nd tunnel comes up and passes traffic? Is there something wrong with the router? Or maybe the interface? It is a 4-port Ethernet card.

Re: Trouble bringing up VPN tunnel

FIXED! Add the command on the head-end 7206 interface: no ip route-cache

The tunnel came up and is now working. I would still like to know why I have to add this?
