SW1#ping 10.0.0.2 source 10.0.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 10.0.10.1
.....
Success rate is 0 percent (0/5)
R1#ping 10.0.10.1 source 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.2
.....
Success rate is 0 percent (0/5)
The configuration is simple and straightforward, see below:
R1#sh crypto map tag VPN
Crypto Map "VPN" 200 ipsec-isakmp
Peer = 192.168.1.1
Extended IP access list ACL
access-list ACL permit ip 10.0.0.0 0.0.0.255 10.0.10.0 0.0.0.255
Current peer: 192.168.1.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
SET,
}
Interfaces using crypto map VPN:
FastEthernet0/0
SW1#sh crypto map tag VPN
Crypto Map "VPN" 100 ipsec-isakmp
Peer = 192.168.1.2
Extended IP access list ACL
access-list ACL permit ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.0.255
Current peer: 192.168.1.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
SET,
}
Interfaces using crypto map VPN:
FastEthernet1/1
#sh run | section router
router rip
version 2
network 10.0.0.0
network 192.168.1.0
no auto-summary
See the crypto configurations:
SW1#sh run | section crypto
crypto isakmp policy 20
authentication pre-share
crypto isakmp key cisco address 192.168.1.2
crypto ipsec transform-set SET esp-des esp-sha-hmac
crypto map VPN 100 ipsec-isakmp
set peer 192.168.1.2
set transform-set SET
match address ACL
crypto map VPN
R1#sh run | section crypto
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 192.168.1.1
crypto ipsec transform-set SET esp-des esp-sha-hmac
crypto map VPN 200 ipsec-isakmp
set peer 192.168.1.1
set transform-set SET
match address ACL
crypto map VPN
And interfaces:
SW1#sh run int f1/1
Building configuration...
Current configuration : 102 bytes
!
interface FastEthernet1/1
no switchport
ip address 192.168.1.1 255.255.255.0
crypto map VPN
end
R1#sh run int f0/0
Building configuration...
Current configuration : 112 bytes
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
crypto map VPN
end
From R1, routing seems to be correct:
R1#sh ip route
10.0.0.0/24 is subnetted, 2 subnets
R 10.0.10.0 [120/1] via 192.168.1.1, 00:00:07, FastEthernet0/0
C 10.0.0.0 is directly connected, Loopback0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
I cannot ping SW1's loopback from R1's loopback:
R1#ping 10.0.10.1 source 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.2
.....
Success rate is 0 percent (0/5)
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.1.1 192.168.1.2 MM_KEY_EXCH 1004 0 ACTIVE
IPv6 Crypto ISAKMP SA
R1#ping 10.0.10.1 source 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.2
*Mar 1 00:42:59.127: ISAKMP:(0): SA request profile is (NULL)
*Mar 1 00:42:59.131: ISAKMP: Created a peer struct for 192.168.1.1, peer port 500
*Mar 1 00:42:59.135: ISAKMP: New peer created peer = 0x63B01638 peer_handle = 0x80000005
*Mar 1 00:42:59.139: ISAKMP: Locking peer struct 0x63B01638, refcount 1 for isakmp_initiator
*Mar 1 00:42:59.139: ISAKMP: local port 500, remote port 500
*Mar 1 00:42:59.143: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 00:42:59.147: insert sa successfully sa = 64D7851C
*Mar 1 00:42:59.147: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar 1 00:42:59.151: ISAKMP:(0):found peer pre-shared key matching 192.168.1.1
*Mar 1 00:42:59.155: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar 1 00:42:59.159: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar 1 00:42:59.163: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar 1 00:42:59.163: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar 1 00:42:59.167: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 00:42:59.167: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 00:42:59.171: ISAKMP:(0): beginning Main Mode exchange
*Mar 1 00:42:59.175: ISAKMP:(0): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:42:59.179: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 1 00:42:59.287: ISAKMP (0:0): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 1 00:42:59.295: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:42:59.295: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Mar 1 00:42:59.347: ISAKMP:(0): processing SA payload. message ID. = 0
*Mar 1 00:42:59.347: ISAKMP:(0): processing vendor id payload
*Mar 1 00:42:59.351: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Mar 1 00:42:59.351: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Mar 1 00:42:59.355: ISAKMP:(0):found peer pre-shared key matching 192.168.1.1
*Mar 1 00:42:59.355: ISAKMP:(0): local preshared key found
*Mar 1 00:42:59.355: ISAKMP : Scanning profiles for xauth ...
*Mar 1 00:42:59.355: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Mar 1 00:42:59.355: ISAKMP: encryption DES-CBC
*Mar 1 00:42:59.355: ISAKMP: hash SHA
*Mar 1 00:42:59.355: ISAKMP: default group 1
*Mar 1 00:42:59.355: ISAKMP: auth pre-share
*Mar 1 00:42:59.355: ISAKMP: life type in seconds
*Mar 1 00:42:59.355: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 1 00:42:59.355: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar 1 00:42:59.355: ISAKMP:(0):Acceptable atts:actual life: 0
*Mar 1 00:42:59.355: ISAKMP:(0):Acceptable atts:life: 0
*Mar 1 00:42:59.355: ISAKMP:(0):Fill atts in sa vpi_length:4
*Mar 1 00:42:59.359: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Mar 1 00:42:59.359: ISAKMP:(0):Returning Actual lifetime: 86400
*Mar 1 00:42:59.363: ISAKMP:(0)::Started lifetime timer: 86400.
*Mar 1 00:42:59.363: ISAKMP:(0): processing vendor id payload
*Mar 1 00:42:59.367: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Mar 1 00:42:59.371: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Mar 1 00:42:59.371: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 00:42:59.371: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Mar 1 00:42:59.371: ISAKMP:(0): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar 1 00:42:59.371: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 1 00:42:59.375: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 00:42:59.375: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Mar 1 00:42:59.523: ISAKMP (0:0): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar 1 00:42:59.527: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:42:59.531: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Mar 1 00:42:59.543: ISAKMP:(0): processing KE payload. message ID = 0
*Mar 1 00:42:59.635: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar 1 00:42:59.635: ISAKMP:(0):found peer pre-shared key matching 192.168.1.1
*Mar 1 00:42:59.635: ISAKMP:(1004): processing vendor id payload
*Mar 1 00:42:59.635: ISAKMP:(1004): vendor ID is Unity
*Mar 1 00:42:59.635: ISAKMP:(1004): processing vendor id payload
*Mar 1 00:42:59.635: ISAKMP:(1004): vendor ID is DPD
*Mar 1 00:42:59.635: ISAKMP:(1004): processing vendor id payload
*Mar 1 00:42:59.635: ISAKMP:(1004): speaking to another IOS box!
*Mar 1 00:42:59.635: ISAKMP:received payload type 20
*Mar 1 00:42:59.635: ISAKMP:received payload type 20
*Mar 1 00:42:59.635: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 00:42:59.635: ISAKMP:(1004):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Mar 1 00:42:59.635: ISAKMP:(1004):Send initial contact
*Mar 1 00:42:59.635: ISAKMP:(1004):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 1 00:42:59.635: ISAKMP (0:1004): ID payload
next-payload : 8
type : 1
address : 192.168.1.2
protocol : 17
port : 500
length : 12
*Mar 1 00:42:59.635: ISAKMP:(1004):Total payload length: 12
*Mar 1 00:42:59.635: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 00:42:59.635: ISAKMP:(1004):Sending an IKE IPv4 Packet.
*Mar 1 00:42:59.639: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 00:42:59.639: ISAKMP:(1004):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Mar 1 00:43:00.743: ISAKMP (0:1004): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 1 00:43:00.747: ISAKMP:(1004): phase 1 packet is a duplicate of a previous packet.
*Mar 1 00:43:00.751: ISAKMP:(1004): retransmitting due to retransmit phase 1
*Mar 1 00:43:01.251: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH...
*Mar 1 00:43:01.251: ISAKMP (0:1004): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 1 00:43:01.255: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH
*Mar 1 00:43:01.259: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 00:43:01.263: ISAKMP:(1004):Sending an IKE IPv4 Packet...
Success rate is 0 percent (0/5)
R1#
*Mar 1 00:43:11.267: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH...
*Mar 1 00:43:11.271: ISAKMP (0:1004): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 1 00:43:11.271: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH
*Mar 1 00:43:11.275: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 00:43:11.279: ISAKMP:(1004):Sending an IKE IPv4 Packet.
*Mar 1 00:43:11.879: ISAKMP (0:1004): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 1 00:43:11.883: ISAKMP:(1004): phase 1 packet is a duplicate of a previous packet.
R1#
*Mar 1 00:43:11.887: ISAKMP:(1004): retransmission skipped for phase 1 (time since last transmission 600)
R1#
*Mar 1 00:43:21.283: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH...
*Mar 1 00:43:21.287: ISAKMP (0:1004): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar 1 00:43:21.287: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH
*Mar 1 00:43:21.291: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 00:43:21.295: ISAKMP:(1004):Sending an IKE IPv4 Packet.
*Mar 1 00:43:21.927: ISAKMP (0:1004): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 1 00:43:21.931: ISAKMP:(1004): phase 1 packet is a duplicate of a previous packet.
R1#
*Mar 1 00:43:21.935: ISAKMP:(1004): retransmission skipped for phase 1 (time since last transmission 632)
R1#
*Mar 1 00:43:29.127: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 00:43:29.131: ISAKMP:(1004):SA is still budding. Attached new ipsec request to it. (local 192.168.1.2, remote 192.168.1.1)
*Mar 1 00:43:29.135: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar 1 00:43:29.135: ISAKMP: Error while processing KMI message 0, error 2.
R1#
*Mar 1 00:43:31.299: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH...
*Mar 1 00:43:31.303: ISAKMP (0:1004): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar 1 00:43:31.303: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH
*Mar 1 00:43:31.307: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 00:43:31.311: ISAKMP:(1004):Sending an IKE IPv4 Packet.
*Mar 1 00:43:31.851: ISAKMP (0:1004): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 1 00:43:31.855: ISAKMP:(1004): phase 1 packet is a duplicate of a previous packet.
R1#
*Mar 1 00:43:31.859: ISAKMP:(1004): retransmission skipped for phase 1 (time since last transmission 540)
R1#
*Mar 1 00:43:41.315: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH...
*Mar 1 00:43:41.319: ISAKMP (0:1004): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar 1 00:43:41.319: ISAKMP:(1004): retransmitting phase 1 MM_KEY_EXCH
*Mar 1 00:43:41.323: ISAKMP:(1004): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 00:43:41.327: ISAKMP:(1004):Sending an IKE IPv4 Packet.
R1#
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no crypto isakmp key cisco address 192.168.1.1
R1(config)#crypto isakmp key "cisco" address 192.168.1.1
R1#ping 10.0.10.1 source 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.2
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 92/173/252 ms
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.1.1 192.168.1.2 QM_IDLE 1006 0 ACTIVE
192.168.1.1 192.168.1.2 MM_NO_STATE 1005 0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
R1#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: VPN, local addr 192.168.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
current_peer 192.168.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
So it's working now.
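As an added example (not part of the article above), a small triage script that reads "debug crypto isakmp" lines of the shape shown in the log and reports where phase 1 stalled and how many retransmits were seen. The sample input is constructed from the same line formats, and the state-to-cause hints encode the usual IKEv1 main-mode reading (MM5 is the first message encrypted with keys derived from the pre-shared key, so a peer that never answers it is the classic PSK-mismatch signature), which is an interpretation added here, not something the article states.

```python
import re

# Constructed sample in the shape of the debug lines above (not the full log).
SAMPLE_DEBUG = """\
*Mar 1 00:42:59.171: ISAKMP:(0): beginning Main Mode exchange
*Mar 1 00:42:59.295: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Mar 1 00:42:59.375: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Mar 1 00:42:59.531: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Mar 1 00:42:59.639: ISAKMP:(1004):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Mar 1 00:43:01.251: ISAKMP (0:1004): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 1 00:43:11.271: ISAKMP (0:1004): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 1 00:43:41.319: ISAKMP (0:1004): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
RETRANS_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")

# What an initiator stall in each main-mode state usually means (assumed
# interpretation). MM5 is the first message encrypted with keys derived from
# the pre-shared key, so a responder that never answers it points at the PSK.
STALL_HINTS = {
    "IKE_I_MM1": "no reply to MM1: peer unreachable, UDP/500 filtered, or no ISAKMP policy match",
    "IKE_I_MM3": "no reply to MM3: Diffie-Hellman exchange not answered",
    "IKE_I_MM5": "no reply to MM5 (MM_KEY_EXCH): peer could not decrypt it; verify the pre-shared key on both peers",
}

def triage_isakmp(debug_text):
    """Summarise debug output: last phase-1 state reached, highest
    retransmit attempt seen, and a one-line diagnosis."""
    last_state = None
    retransmits = 0
    for line in debug_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            last_state = m.group(2)
        m = RETRANS_RE.search(line)
        if m:
            retransmits = max(retransmits, int(m.group(1)))
    if last_state == "IKE_P1_COMPLETE":
        diagnosis = "phase 1 established"
    elif retransmits:
        diagnosis = STALL_HINTS.get(last_state, "phase 1 stalled in %s" % last_state)
    else:
        diagnosis = "no phase-1 failure seen"
    return {"last_state": last_state, "retransmits": retransmits, "diagnosis": diagnosis}

if __name__ == "__main__":
    print(triage_isakmp(SAMPLE_DEBUG))
```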