Can not create IPSec tunnel between 2 cisco routers.

I have read through previous topics, but no luck, unfortunately.

This is what I get in debug messages

*May 18 04:44:02.711: ISAKMP: received ke message (1/1)
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*May 18 04:44:02.711: ISAKMP: Created a peer struct for 192.168.150.8, peer port
 500
*May 18 04:44:02.711: ISAKMP: New peer created peer = 0x634D2614 peer_handle = 0
x80000009
*May 18 04:44:02.711: ISAKMP: Locking peer struct 0x634D2614, IKE refcount 1 for
 isakmp_initiator
*May 18 04:44:02.711: ISAKMP: local port 500, remote port 500
*May 18 04:44:02.711: ISAKMP: set new node 0 to QM_IDLE
*May 18 04:44:02.711: ISAKMP: Find a dup sa in the avl tree during calling isadb
_insert sa = 635974D0
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying M
ain mode.
*May 18 04:44:02.711: ISAKMP: Looking for a matching key for 192.168.150.8 in de
fault : success
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 192.
168.150.8
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_port 500 peer_port 500 (I) MM_NO_STATE...
*May 18 04:44:08.135: ISAKMP:(0:0:N/A:0):purging node 1507012599
*May 18 04:44:08.135: ISAKMP:(0:0:N/A:0):purging node -746186383..
*May 18 04:44:12.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 04:44:12.715: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 04:44:12.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 04:44:12.715: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 04:44:18.135: ISAKMP:(0:0:N/A:0):purging SA., sa=633031E4, delme=633031E
4
*May 18 04:44:22.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 04:44:22.715: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 04:44:22.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 04:44:22.715: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 04:44:32.711: ISAKMP: received ke message (1/1)
*May 18 04:44:32.711: ISAKMP: set new node 0 to QM_IDLE
*May 18 04:44:32.711: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec
 request to it. (local 192.168.208.88, remote 192.168.150.8)
*May 18 04:44:32.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 04:44:32.715: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 04:44:32.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 04:44:32.715: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 04:44:42.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 04:44:42.715: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 04:44:42.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 04:44:42.715: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 04:44:52.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 04:44:52.715: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 04:44:52.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 04:44:52.715: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 04:45:02.711: ISAKMP: received ke message (3/1)
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (i
n)" state (I) MM_NO_STATE (peer 192.168.150.8)
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (i
n)" state (I) MM_NO_STATE (peer 192.168.150.8)
*May 18 04:45:02.711: ISAKMP: Unlocking IKE struct 0x634D2614 for isadb_mark_sa_
deleted(), count 0
*May 18 04:45:02.711: ISAKMP: Deleting peer node by peer_reap for 192.168.150.8:
 634D2614
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):deleting node 1666773402 error FALSE re
ason "IKE deleted"
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):deleting node -343583585 error FALSE re
ason "IKE deleted"
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_D
EL
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_
DEST_SA

*May 18 04:45:52.711: ISAKMP:(0:0:N/A:0):purging node 1666773402
*May 18 04:45:52.711: ISAKMP:(0:0:N/A:0):purging node -343583585
*May 18 04:46:02.711: ISAKMP:(0:0:N/A:0):purging SA., sa=635974D0, delme=635974D
0


These are configs of both routers:

1. crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ******** address 192.168.150.8 255.255.255.0
no crypto isakmp ccm
!
!
crypto ipsec transform-set trans esp-3des esp-md5-hmac
!
crypto map vpnmap 100 ipsec-isakmp
 set peer 192.168.150.8
 set transform-set trans
 match address vpn

ip access-list extended vpn
 permit ip 192.168.240.0 0.0.0.255 192.168.241.0 0.0.0.255
 permit ip 192.168.241.0 0.0.0.255 192.168.240.0 0.0.0.255
---------------------
2. !
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key ****** address 192.168.208.88 255.255.255.240
!
!
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
!
crypto map VPN_SW_208 1 ipsec-isakmp
 set peer 192.168.208.88
 set transform-set 3des-md5
 match address 101
!
interface Loopback240
 ip address 192.168.240.1 255.255.255.0
!
!
access-list 101 permit ip 192.168.241.0 0.0.0.255 192.168.240.0 0.0.0.255

It looks like there is a problem with IKE phase 1, but can not get a solution for it.

Thank you in advance!

LVL 18
fgasimzadeAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ilir MitrushiIT Infrastructure and Security ArchitectCommented:
It seems that you have a problem with acl defining interesting traffic for the crypto map. They should mirror each other.
on router 1 configure
access-list 101 permit ip 192.168.241.0 0.0.0.255 192.168.240.0 0.0.0.255
on router e
access-list 101 permit ip 192.168.240.0 0.0.0.255 192.168.241.0 0.0.0.255
0
fgasimzadeAuthor Commented:
I modified access lists, it didnt help, unfortunatelly
0
fgasimzadeAuthor Commented:
After I modified access lists, I receive the following error in debugs

*May 18 07:45:57.410: ISAKMP:(0:0:N/A:0):deleting SA reason "Death by retransmis
sion P1" state (I) MM_NO_STATE (peer *****)
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

hau_itCommented:
are any of the peers behind a NAT device?
Maybe you should enable a port forwarding..

0
Ilir MitrushiIT Infrastructure and Security ArchitectCommented:
can you post again relevant crypto configs and results from debug crypto isakmp on both sides? also do a clear crypto isakmp and clear crypto sa before trying again
0
fgasimzadeAuthor Commented:
Current config is:

Router1#
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key **** address 192.168.150.8 255.255.255.0
no crypto isakmp ccm
!
!
crypto ipsec transform-set trans esp-3des esp-md5-hmac
!
crypto map vpnmap 100 ipsec-isakmp
set peer 192.168.150.8
set transform-set trans
match address 101

interface FastEthernet0/0.241
 encapsulation dot1Q 241
 ip address 192.168.241.1 255.255.255.0
 no ip mroute-cache
!
interface FastEthernet0/1
 description vpn wan
 ip address 192.168.208.88 255.255.255.240
 duplex auto
 speed auto
 crypto map vpnmap


access-list 101 permit ip 192.168.241.0 0.0.0.255 192.168.240.0 0.0.0.255


Router2#
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key ***** address 192.168.208.88 255.255.255.240
!
!
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
!
crypto map VPN_SW_208 1 ipsec-isakmp
set peer 192.168.208.88
set transform-set 3des-md5
match address 101
!
interface Loopback240
ip address 192.168.240.1 255.255.255.0
!
!
access-list 101 permit ip 192.168.240.0 0.0.0.255 192.168.241.0 0.0.0.255

----------------
Debug crypto isakmp

*May 18 08:11:18.682: ISAKMP: received ke message (1/1)
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*May 18 08:11:18.682: ISAKMP: Created a peer struct for 192.168.150.8, peer port
 500
*May 18 08:11:18.682: ISAKMP: New peer created peer = 0x6342C960 peer_handle = 0
x80000021
*May 18 08:11:18.682: ISAKMP: Locking peer struct 0x6342C960, IKE refcount 1 for
 isakmp_initiator
*May 18 08:11:18.682: ISAKMP: local port 500, remote port 500
*May 18 08:11:18.682: ISAKMP: set new node 0 to QM_IDLE
*May 18 08:11:18.682: insert sa successfully sa = 634DB204
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying M
ain mode.
*May 18 08:11:18.682: ISAKMP: Looking for a matching key for 192.168.150.8 in de
fault : success
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 192.
168.150.8
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ
_MM
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_
I_MM1

*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE.....
Success rate is 0 percent (0/5)
bak-swtravelvpn-rt#
*May 18 08:11:28.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:11:28.686: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 08:11:28.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 08:11:28.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:11:38.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:11:38.686: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 08:11:38.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 08:11:38.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:11:48.682: ISAKMP: received ke message (1/1)
*May 18 08:11:48.682: ISAKMP: set new node 0 to QM_IDLE
*May 18 08:11:48.682: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec
 request to it. (local 192.168.208.88, remote 192.168.150.8)
*May 18 08:11:48.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:11:48.686: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 08:11:48.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 08:11:48.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:11:58.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:11:58.686: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 08:11:58.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 08:11:58.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:12:08.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:12:08.686: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 08:12:08.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 08:12:08.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:12:18.682: ISAKMP: received ke message (3/1)
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (i
n)" state (I) MM_NO_STATE (peer 192.168.150.8)
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (i
n)" state (I) MM_NO_STATE (peer 192.168.150.8)
*May 18 08:12:18.682: ISAKMP: Unlocking IKE struct 0x6342C960 for isadb_mark_sa_
deleted(), count 0
*May 18 08:12:18.682: ISAKMP: Deleting peer node by peer_reap for 192.168.150.8:
 6342C960
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):deleting node 389727336 error FALSE rea
son "IKE deleted"
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):deleting node -285923049 error FALSE re
ason "IKE deleted"
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_D
EL
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
*May 18 08:13:08.682: ISAKMP:(0:0:N/A:0):purging node 389727336
*May 18 08:13:08.682: ISAKMP:(0:0:N/A:0):purging node -285923049
*May 18 08:13:18.682: ISAKMP:(0:0:N/A:0):purging SA., sa=634DB204, delme=634DB20
4

The same on the other end..



0
Ilir MitrushiIT Infrastructure and Security ArchitectCommented:
I don't see any problem with the config. You can make it even simpler if you remove the subnet mask from the preshared key command for example
crypto isakmp key ***** address 192.168.208.88

Usually the no state message error is related with connectivity issues. check connectivity between peers and make sure that udp port 500 is open on both sides.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
fgasimzadeAuthor Commented:
Thank you everyone for assistance, the issue is solved. Guys from the second peer forgot to add a route.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking

From novice to tech pro — start learning today.