?
Solved

Can not create IPSec tunnel between 2 cisco routers.

Posted on 2009-05-17
8
Medium Priority
?
1,997 Views
Last Modified: 2012-05-07
I have read through previous topics, but no luck, unfortunately.

This is what I get in debug messages

*May 18 04:44:02.711: ISAKMP: received ke message (1/1)
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*May 18 04:44:02.711: ISAKMP: Created a peer struct for 192.168.150.8, peer port
 500
*May 18 04:44:02.711: ISAKMP: New peer created peer = 0x634D2614 peer_handle = 0
x80000009
*May 18 04:44:02.711: ISAKMP: Locking peer struct 0x634D2614, IKE refcount 1 for
 isakmp_initiator
*May 18 04:44:02.711: ISAKMP: local port 500, remote port 500
*May 18 04:44:02.711: ISAKMP: set new node 0 to QM_IDLE
*May 18 04:44:02.711: ISAKMP: Find a dup sa in the avl tree during calling isadb
_insert sa = 635974D0
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying M
ain mode.
*May 18 04:44:02.711: ISAKMP: Looking for a matching key for 192.168.150.8 in de
fault : success
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 192.
168.150.8
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_port 500 peer_port 500 (I) MM_NO_STATE...
*May 18 04:44:08.135: ISAKMP:(0:0:N/A:0):purging node 1507012599
*May 18 04:44:08.135: ISAKMP:(0:0:N/A:0):purging node -746186383..
*May 18 04:44:12.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 04:44:12.715: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 04:44:12.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 04:44:12.715: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 04:44:18.135: ISAKMP:(0:0:N/A:0):purging SA., sa=633031E4, delme=633031E
4
*May 18 04:44:22.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 04:44:22.715: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 04:44:22.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 04:44:22.715: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 04:44:32.711: ISAKMP: received ke message (1/1)
*May 18 04:44:32.711: ISAKMP: set new node 0 to QM_IDLE
*May 18 04:44:32.711: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec
 request to it. (local 192.168.208.88, remote 192.168.150.8)
*May 18 04:44:32.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 04:44:32.715: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 04:44:32.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 04:44:32.715: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 04:44:42.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 04:44:42.715: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 04:44:42.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 04:44:42.715: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 04:44:52.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 04:44:52.715: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 04:44:52.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 04:44:52.715: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 04:45:02.711: ISAKMP: received ke message (3/1)
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (i
n)" state (I) MM_NO_STATE (peer 192.168.150.8)
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (i
n)" state (I) MM_NO_STATE (peer 192.168.150.8)
*May 18 04:45:02.711: ISAKMP: Unlocking IKE struct 0x634D2614 for isadb_mark_sa_
deleted(), count 0
*May 18 04:45:02.711: ISAKMP: Deleting peer node by peer_reap for 192.168.150.8:
 634D2614
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):deleting node 1666773402 error FALSE re
ason "IKE deleted"
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):deleting node -343583585 error FALSE re
ason "IKE deleted"
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_D
EL
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_
DEST_SA

*May 18 04:45:52.711: ISAKMP:(0:0:N/A:0):purging node 1666773402
*May 18 04:45:52.711: ISAKMP:(0:0:N/A:0):purging node -343583585
*May 18 04:46:02.711: ISAKMP:(0:0:N/A:0):purging SA., sa=635974D0, delme=635974D
0


These are configs of both routers:

1. crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ******** address 192.168.150.8 255.255.255.0
no crypto isakmp ccm
!
!
crypto ipsec transform-set trans esp-3des esp-md5-hmac
!
crypto map vpnmap 100 ipsec-isakmp
 set peer 192.168.150.8
 set transform-set trans
 match address vpn

ip access-list extended vpn
 permit ip 192.168.240.0 0.0.0.255 192.168.241.0 0.0.0.255
 permit ip 192.168.241.0 0.0.0.255 192.168.240.0 0.0.0.255
---------------------
2. !
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key ****** address 192.168.208.88 255.255.255.240
!
!
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
!
crypto map VPN_SW_208 1 ipsec-isakmp
 set peer 192.168.208.88
 set transform-set 3des-md5
 match address 101
!
interface Loopback240
 ip address 192.168.240.1 255.255.255.0
!
!
access-list 101 permit ip 192.168.241.0 0.0.0.255 192.168.240.0 0.0.0.255

It looks like there is a problem with IKE phase 1, but can not get a solution for it.

Thank you in advance!

0
Comment
Question by:fgasimzade
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 7

Expert Comment

by:Ilir Mitrushi
ID: 24409530
It seems that you have a problem with acl defining interesting traffic for the crypto map. They should mirror each other.
on router 1 configure
access-list 101 permit ip 192.168.241.0 0.0.0.255 192.168.240.0 0.0.0.255
on router e
access-list 101 permit ip 192.168.240.0 0.0.0.255 192.168.241.0 0.0.0.255
0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24409595
I modified access lists, it didnt help, unfortunatelly
0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24409681
After I modified access lists, I receive the following error in debugs

*May 18 07:45:57.410: ISAKMP:(0:0:N/A:0):deleting SA reason "Death by retransmis
sion P1" state (I) MM_NO_STATE (peer *****)
0
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

 
LVL 7

Expert Comment

by:hau_it
ID: 24409750
are any of the peers behind a NAT device?
Maybe you should enable a port forwarding..

0
 
LVL 7

Expert Comment

by:Ilir Mitrushi
ID: 24409762
can you post again relevant crypto configs and results from debug crypto isakmp on both sides? also do a clear crypto isakmp and clear crypto sa before trying again
0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24409808
Current config is:

Router1#
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key **** address 192.168.150.8 255.255.255.0
no crypto isakmp ccm
!
!
crypto ipsec transform-set trans esp-3des esp-md5-hmac
!
crypto map vpnmap 100 ipsec-isakmp
set peer 192.168.150.8
set transform-set trans
match address 101

interface FastEthernet0/0.241
 encapsulation dot1Q 241
 ip address 192.168.241.1 255.255.255.0
 no ip mroute-cache
!
interface FastEthernet0/1
 description vpn wan
 ip address 192.168.208.88 255.255.255.240
 duplex auto
 speed auto
 crypto map vpnmap


access-list 101 permit ip 192.168.241.0 0.0.0.255 192.168.240.0 0.0.0.255


Router2#
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key ***** address 192.168.208.88 255.255.255.240
!
!
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
!
crypto map VPN_SW_208 1 ipsec-isakmp
set peer 192.168.208.88
set transform-set 3des-md5
match address 101
!
interface Loopback240
ip address 192.168.240.1 255.255.255.0
!
!
access-list 101 permit ip 192.168.240.0 0.0.0.255 192.168.241.0 0.0.0.255

----------------
Debug crypto isakmp

*May 18 08:11:18.682: ISAKMP: received ke message (1/1)
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*May 18 08:11:18.682: ISAKMP: Created a peer struct for 192.168.150.8, peer port
 500
*May 18 08:11:18.682: ISAKMP: New peer created peer = 0x6342C960 peer_handle = 0
x80000021
*May 18 08:11:18.682: ISAKMP: Locking peer struct 0x6342C960, IKE refcount 1 for
 isakmp_initiator
*May 18 08:11:18.682: ISAKMP: local port 500, remote port 500
*May 18 08:11:18.682: ISAKMP: set new node 0 to QM_IDLE
*May 18 08:11:18.682: insert sa successfully sa = 634DB204
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying M
ain mode.
*May 18 08:11:18.682: ISAKMP: Looking for a matching key for 192.168.150.8 in de
fault : success
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 192.
168.150.8
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ
_MM
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_
I_MM1

*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE.....
Success rate is 0 percent (0/5)
bak-swtravelvpn-rt#
*May 18 08:11:28.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:11:28.686: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 08:11:28.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 08:11:28.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:11:38.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:11:38.686: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 08:11:38.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 08:11:38.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:11:48.682: ISAKMP: received ke message (1/1)
*May 18 08:11:48.682: ISAKMP: set new node 0 to QM_IDLE
*May 18 08:11:48.682: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec
 request to it. (local 192.168.208.88, remote 192.168.150.8)
*May 18 08:11:48.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:11:48.686: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 08:11:48.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 08:11:48.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:11:58.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:11:58.686: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 08:11:58.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 08:11:58.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:12:08.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:12:08.686: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 08:12:08.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 08:12:08.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:12:18.682: ISAKMP: received ke message (3/1)
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (i
n)" state (I) MM_NO_STATE (peer 192.168.150.8)
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (i
n)" state (I) MM_NO_STATE (peer 192.168.150.8)
*May 18 08:12:18.682: ISAKMP: Unlocking IKE struct 0x6342C960 for isadb_mark_sa_
deleted(), count 0
*May 18 08:12:18.682: ISAKMP: Deleting peer node by peer_reap for 192.168.150.8:
 6342C960
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):deleting node 389727336 error FALSE rea
son "IKE deleted"
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):deleting node -285923049 error FALSE re
ason "IKE deleted"
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_D
EL
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
*May 18 08:13:08.682: ISAKMP:(0:0:N/A:0):purging node 389727336
*May 18 08:13:08.682: ISAKMP:(0:0:N/A:0):purging node -285923049
*May 18 08:13:18.682: ISAKMP:(0:0:N/A:0):purging SA., sa=634DB204, delme=634DB20
4

The same on the other end..



0
 
LVL 7

Accepted Solution

by:
Ilir Mitrushi earned 2000 total points
ID: 24410253
I don't see any problem with the config. You can make it even simpler if you remove the subnet mask from the preshared key command for example
crypto isakmp key ***** address 192.168.208.88

Usually the no state message error is related with connectivity issues. check connectivity between peers and make sure that udp port 500 is open on both sides.
0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24410277
Thank you everyone for assistance, the issue is solved. Guys from the second peer forgot to add a route.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Suggested Courses

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question