Link to home
Start Free TrialLog in
Avatar of fgasimzade
fgasimzadeFlag for Azerbaijan

asked on

Can not create IPSec tunnel between 2 cisco routers.

I have read through previous topics, but no luck, unfortunately.

This is what I get in debug messages

*May 18 04:44:02.711: ISAKMP: received ke message (1/1)
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*May 18 04:44:02.711: ISAKMP: Created a peer struct for 192.168.150.8, peer port
 500
*May 18 04:44:02.711: ISAKMP: New peer created peer = 0x634D2614 peer_handle = 0
x80000009
*May 18 04:44:02.711: ISAKMP: Locking peer struct 0x634D2614, IKE refcount 1 for
 isakmp_initiator
*May 18 04:44:02.711: ISAKMP: local port 500, remote port 500
*May 18 04:44:02.711: ISAKMP: set new node 0 to QM_IDLE
*May 18 04:44:02.711: ISAKMP: Find a dup sa in the avl tree during calling isadb
_insert sa = 635974D0
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying M
ain mode.
*May 18 04:44:02.711: ISAKMP: Looking for a matching key for 192.168.150.8 in de
fault : success
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 192.
168.150.8
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_port 500 peer_port 500 (I) MM_NO_STATE...
*May 18 04:44:08.135: ISAKMP:(0:0:N/A:0):purging node 1507012599
*May 18 04:44:08.135: ISAKMP:(0:0:N/A:0):purging node -746186383..
*May 18 04:44:12.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 04:44:12.715: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 04:44:12.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 04:44:12.715: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 04:44:18.135: ISAKMP:(0:0:N/A:0):purging SA., sa=633031E4, delme=633031E
4
*May 18 04:44:22.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 04:44:22.715: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 04:44:22.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 04:44:22.715: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 04:44:32.711: ISAKMP: received ke message (1/1)
*May 18 04:44:32.711: ISAKMP: set new node 0 to QM_IDLE
*May 18 04:44:32.711: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec
 request to it. (local 192.168.208.88, remote 192.168.150.8)
*May 18 04:44:32.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 04:44:32.715: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 04:44:32.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 04:44:32.715: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 04:44:42.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 04:44:42.715: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 04:44:42.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 04:44:42.715: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 04:44:52.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 04:44:52.715: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 04:44:52.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 04:44:52.715: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 04:45:02.711: ISAKMP: received ke message (3/1)
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (i
n)" state (I) MM_NO_STATE (peer 192.168.150.8)
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (i
n)" state (I) MM_NO_STATE (peer 192.168.150.8)
*May 18 04:45:02.711: ISAKMP: Unlocking IKE struct 0x634D2614 for isadb_mark_sa_
deleted(), count 0
*May 18 04:45:02.711: ISAKMP: Deleting peer node by peer_reap for 192.168.150.8:
 634D2614
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):deleting node 1666773402 error FALSE re
ason "IKE deleted"
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):deleting node -343583585 error FALSE re
ason "IKE deleted"
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_D
EL
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_
DEST_SA

*May 18 04:45:52.711: ISAKMP:(0:0:N/A:0):purging node 1666773402
*May 18 04:45:52.711: ISAKMP:(0:0:N/A:0):purging node -343583585
*May 18 04:46:02.711: ISAKMP:(0:0:N/A:0):purging SA., sa=635974D0, delme=635974D
0


These are configs of both routers:

1. crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ******** address 192.168.150.8 255.255.255.0
no crypto isakmp ccm
!
!
crypto ipsec transform-set trans esp-3des esp-md5-hmac
!
crypto map vpnmap 100 ipsec-isakmp
 set peer 192.168.150.8
 set transform-set trans
 match address vpn

ip access-list extended vpn
 permit ip 192.168.240.0 0.0.0.255 192.168.241.0 0.0.0.255
 permit ip 192.168.241.0 0.0.0.255 192.168.240.0 0.0.0.255
---------------------
2. !
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key ****** address 192.168.208.88 255.255.255.240
!
!
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
!
crypto map VPN_SW_208 1 ipsec-isakmp
 set peer 192.168.208.88
 set transform-set 3des-md5
 match address 101
!
interface Loopback240
 ip address 192.168.240.1 255.255.255.0
!
!
access-list 101 permit ip 192.168.241.0 0.0.0.255 192.168.240.0 0.0.0.255

It looks like there is a problem with IKE phase 1, but can not get a solution for it.

Thank you in advance!

Avatar of Ilir Mitrushi
Ilir Mitrushi
Flag of United Kingdom of Great Britain and Northern Ireland image
It seems that you have a problem with acl defining interesting traffic for the crypto map. They should mirror each other.
on router 1 configure
access-list 101 permit ip 192.168.241.0 0.0.0.255 192.168.240.0 0.0.0.255
on router e
access-list 101 permit ip 192.168.240.0 0.0.0.255 192.168.241.0 0.0.0.255
Avatar of fgasimzade
fgasimzade
Flag of Azerbaijan image

ASKER

I modified access lists, it didnt help, unfortunatelly
Avatar of fgasimzade
fgasimzade
Flag of Azerbaijan image

ASKER

After I modified access lists, I receive the following error in debugs

*May 18 07:45:57.410: ISAKMP:(0:0:N/A:0):deleting SA reason "Death by retransmis
sion P1" state (I) MM_NO_STATE (peer *****)
Avatar of hau_it
hau_it
Flag of Greece image
are any of the peers behind a NAT device?
Maybe you should enable a port forwarding..

Avatar of Ilir Mitrushi
Ilir Mitrushi
Flag of United Kingdom of Great Britain and Northern Ireland image
can you post again relevant crypto configs and results from debug crypto isakmp on both sides? also do a clear crypto isakmp and clear crypto sa before trying again
Avatar of fgasimzade
fgasimzade
Flag of Azerbaijan image

ASKER

Current config is:

Router1#
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key **** address 192.168.150.8 255.255.255.0
no crypto isakmp ccm
!
!
crypto ipsec transform-set trans esp-3des esp-md5-hmac
!
crypto map vpnmap 100 ipsec-isakmp
set peer 192.168.150.8
set transform-set trans
match address 101

interface FastEthernet0/0.241
 encapsulation dot1Q 241
 ip address 192.168.241.1 255.255.255.0
 no ip mroute-cache
!
interface FastEthernet0/1
 description vpn wan
 ip address 192.168.208.88 255.255.255.240
 duplex auto
 speed auto
 crypto map vpnmap


access-list 101 permit ip 192.168.241.0 0.0.0.255 192.168.240.0 0.0.0.255


Router2#
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key ***** address 192.168.208.88 255.255.255.240
!
!
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
!
crypto map VPN_SW_208 1 ipsec-isakmp
set peer 192.168.208.88
set transform-set 3des-md5
match address 101
!
interface Loopback240
ip address 192.168.240.1 255.255.255.0
!
!
access-list 101 permit ip 192.168.240.0 0.0.0.255 192.168.241.0 0.0.0.255

----------------
Debug crypto isakmp

*May 18 08:11:18.682: ISAKMP: received ke message (1/1)
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*May 18 08:11:18.682: ISAKMP: Created a peer struct for 192.168.150.8, peer port
 500
*May 18 08:11:18.682: ISAKMP: New peer created peer = 0x6342C960 peer_handle = 0
x80000021
*May 18 08:11:18.682: ISAKMP: Locking peer struct 0x6342C960, IKE refcount 1 for
 isakmp_initiator
*May 18 08:11:18.682: ISAKMP: local port 500, remote port 500
*May 18 08:11:18.682: ISAKMP: set new node 0 to QM_IDLE
*May 18 08:11:18.682: insert sa successfully sa = 634DB204
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying M
ain mode.
*May 18 08:11:18.682: ISAKMP: Looking for a matching key for 192.168.150.8 in de
fault : success
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 192.
168.150.8
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ
_MM
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_
I_MM1

*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE.....
Success rate is 0 percent (0/5)
bak-swtravelvpn-rt#
*May 18 08:11:28.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:11:28.686: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 08:11:28.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 08:11:28.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:11:38.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:11:38.686: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 08:11:38.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 08:11:38.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:11:48.682: ISAKMP: received ke message (1/1)
*May 18 08:11:48.682: ISAKMP: set new node 0 to QM_IDLE
*May 18 08:11:48.682: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec
 request to it. (local 192.168.208.88, remote 192.168.150.8)
*May 18 08:11:48.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:11:48.686: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 08:11:48.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 08:11:48.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:11:58.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:11:58.686: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 08:11:58.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 08:11:58.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:12:08.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:12:08.686: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 08:12:08.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 08:12:08.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:12:18.682: ISAKMP: received ke message (3/1)
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (i
n)" state (I) MM_NO_STATE (peer 192.168.150.8)
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (i
n)" state (I) MM_NO_STATE (peer 192.168.150.8)
*May 18 08:12:18.682: ISAKMP: Unlocking IKE struct 0x6342C960 for isadb_mark_sa_
deleted(), count 0
*May 18 08:12:18.682: ISAKMP: Deleting peer node by peer_reap for 192.168.150.8:
 6342C960
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):deleting node 389727336 error FALSE rea
son "IKE deleted"
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):deleting node -285923049 error FALSE re
ason "IKE deleted"
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_D
EL
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
*May 18 08:13:08.682: ISAKMP:(0:0:N/A:0):purging node 389727336
*May 18 08:13:08.682: ISAKMP:(0:0:N/A:0):purging node -285923049
*May 18 08:13:18.682: ISAKMP:(0:0:N/A:0):purging SA., sa=634DB204, delme=634DB20
4

The same on the other end..



ASKER CERTIFIED SOLUTION
Avatar of Ilir Mitrushi
Ilir Mitrushi
Flag of United Kingdom of Great Britain and Northern Ireland image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of fgasimzade
fgasimzade
Flag of Azerbaijan image

ASKER

Thank you everyone for assistance, the issue is solved. Guys from the second peer forgot to add a route.