Status: Solved

Cannot create an IPsec tunnel between 2 Cisco routers.

I have read through previous topics, but no luck, unfortunately.

This is what I get in the debug messages:

*May 18 04:44:02.711: ISAKMP: received ke message (1/1)
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*May 18 04:44:02.711: ISAKMP: Created a peer struct for 192.168.150.8, peer port 500
*May 18 04:44:02.711: ISAKMP: New peer created peer = 0x634D2614 peer_handle = 0x80000009
*May 18 04:44:02.711: ISAKMP: Locking peer struct 0x634D2614, IKE refcount 1 for isakmp_initiator
*May 18 04:44:02.711: ISAKMP: local port 500, remote port 500
*May 18 04:44:02.711: ISAKMP: set new node 0 to QM_IDLE
*May 18 04:44:02.711: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 635974D0
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*May 18 04:44:02.711: ISAKMP: Looking for a matching key for 192.168.150.8 in default : success
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 192.168.150.8
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_port 500 peer_port 500 (I) MM_NO_STATE...
*May 18 04:44:08.135: ISAKMP:(0:0:N/A:0):purging node 1507012599
*May 18 04:44:08.135: ISAKMP:(0:0:N/A:0):purging node -746186383..
*May 18 04:44:12.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 04:44:12.715: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
*May 18 04:44:12.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 04:44:12.715: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 18 04:44:18.135: ISAKMP:(0:0:N/A:0):purging SA., sa=633031E4, delme=633031E4
*May 18 04:44:22.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 04:44:22.715: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
*May 18 04:44:22.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 04:44:22.715: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 18 04:44:32.711: ISAKMP: received ke message (1/1)
*May 18 04:44:32.711: ISAKMP: set new node 0 to QM_IDLE
*May 18 04:44:32.711: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 192.168.208.88, remote 192.168.150.8)
*May 18 04:44:32.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 04:44:32.715: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
*May 18 04:44:32.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 04:44:32.715: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 18 04:44:42.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 04:44:42.715: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
*May 18 04:44:42.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 04:44:42.715: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 18 04:44:52.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 04:44:52.715: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
*May 18 04:44:52.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 04:44:52.715: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 18 04:45:02.711: ISAKMP: received ke message (3/1)
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 192.168.150.8)
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 192.168.150.8)
*May 18 04:45:02.711: ISAKMP: Unlocking IKE struct 0x634D2614 for isadb_mark_sa_deleted(), count 0
*May 18 04:45:02.711: ISAKMP: Deleting peer node by peer_reap for 192.168.150.8: 634D2614
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):deleting node 1666773402 error FALSE reason "IKE deleted"
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):deleting node -343583585 error FALSE reason "IKE deleted"
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

*May 18 04:45:52.711: ISAKMP:(0:0:N/A:0):purging node 1666773402
*May 18 04:45:52.711: ISAKMP:(0:0:N/A:0):purging node -343583585
*May 18 04:46:02.711: ISAKMP:(0:0:N/A:0):purging SA., sa=635974D0, delme=635974D0


These are the configs of both routers:

1.
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ******** address 192.168.150.8 255.255.255.0
no crypto isakmp ccm
!
!
crypto ipsec transform-set trans esp-3des esp-md5-hmac
!
crypto map vpnmap 100 ipsec-isakmp
 set peer 192.168.150.8
 set transform-set trans
 match address vpn

ip access-list extended vpn
 permit ip 192.168.240.0 0.0.0.255 192.168.241.0 0.0.0.255
 permit ip 192.168.241.0 0.0.0.255 192.168.240.0 0.0.0.255
---------------------
2.
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key ****** address 192.168.208.88 255.255.255.240
!
!
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
!
crypto map VPN_SW_208 1 ipsec-isakmp
 set peer 192.168.208.88
 set transform-set 3des-md5
 match address 101
!
interface Loopback240
 ip address 192.168.240.1 255.255.255.0
!
!
access-list 101 permit ip 192.168.241.0 0.0.0.255 192.168.240.0 0.0.0.255

It looks like there is a problem with IKE phase 1, but I cannot find a solution for it.

Thank you in advance!

Asked by fgasimzade

1 Solution

Ilir Mitrushi (IT Infrastructure and Security Architect) commented:
It seems that you have a problem with the ACLs defining interesting traffic for the crypto map. They should mirror each other.
On router 1 configure
access-list 101 permit ip 192.168.241.0 0.0.0.255 192.168.240.0 0.0.0.255
On router 2
access-list 101 permit ip 192.168.240.0 0.0.0.255 192.168.241.0 0.0.0.255

fgasimzade (Author) commented:
I modified the access lists; it didn't help, unfortunately.

fgasimzade (Author) commented:
After I modified the access lists, I receive the following error in the debugs:

*May 18 07:45:57.410: ISAKMP:(0:0:N/A:0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer *****)

hau_it commented:
Are any of the peers behind a NAT device?
Maybe you should enable port forwarding.


Ilir Mitrushi (IT Infrastructure and Security Architect) commented:
Can you post the relevant crypto configs again, and the results from debug crypto isakmp on both sides? Also do a clear crypto isakmp and clear crypto sa before trying again.

fgasimzade (Author) commented:
Current config is:

Router1#
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key **** address 192.168.150.8 255.255.255.0
no crypto isakmp ccm
!
!
crypto ipsec transform-set trans esp-3des esp-md5-hmac
!
crypto map vpnmap 100 ipsec-isakmp
set peer 192.168.150.8
set transform-set trans
match address 101

interface FastEthernet0/0.241
 encapsulation dot1Q 241
 ip address 192.168.241.1 255.255.255.0
 no ip mroute-cache
!
interface FastEthernet0/1
 description vpn wan
 ip address 192.168.208.88 255.255.255.240
 duplex auto
 speed auto
 crypto map vpnmap


access-list 101 permit ip 192.168.241.0 0.0.0.255 192.168.240.0 0.0.0.255


Router2#
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key ***** address 192.168.208.88 255.255.255.240
!
!
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
!
crypto map VPN_SW_208 1 ipsec-isakmp
set peer 192.168.208.88
set transform-set 3des-md5
match address 101
!
interface Loopback240
ip address 192.168.240.1 255.255.255.0
!
!
access-list 101 permit ip 192.168.240.0 0.0.0.255 192.168.241.0 0.0.0.255

----------------
Debug crypto isakmp

*May 18 08:11:18.682: ISAKMP: received ke message (1/1)
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*May 18 08:11:18.682: ISAKMP: Created a peer struct for 192.168.150.8, peer port 500
*May 18 08:11:18.682: ISAKMP: New peer created peer = 0x6342C960 peer_handle = 0x80000021
*May 18 08:11:18.682: ISAKMP: Locking peer struct 0x6342C960, IKE refcount 1 for isakmp_initiator
*May 18 08:11:18.682: ISAKMP: local port 500, remote port 500
*May 18 08:11:18.682: ISAKMP: set new node 0 to QM_IDLE
*May 18 08:11:18.682: insert sa successfully sa = 634DB204
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*May 18 08:11:18.682: ISAKMP: Looking for a matching key for 192.168.150.8 in default : success
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 192.168.150.8
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_port 500 peer_port 500 (I) MM_NO_STATE.....
Success rate is 0 percent (0/5)
bak-swtravelvpn-rt#
*May 18 08:11:28.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:11:28.686: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
*May 18 08:11:28.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 08:11:28.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:11:38.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:11:38.686: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
*May 18 08:11:38.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 08:11:38.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:11:48.682: ISAKMP: received ke message (1/1)
*May 18 08:11:48.682: ISAKMP: set new node 0 to QM_IDLE
*May 18 08:11:48.682: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 192.168.208.88, remote 192.168.150.8)
*May 18 08:11:48.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:11:48.686: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
*May 18 08:11:48.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 08:11:48.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:11:58.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:11:58.686: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
*May 18 08:11:58.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 08:11:58.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:12:08.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:12:08.686: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
*May 18 08:12:08.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 08:12:08.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:12:18.682: ISAKMP: received ke message (3/1)
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 192.168.150.8)
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 192.168.150.8)
*May 18 08:12:18.682: ISAKMP: Unlocking IKE struct 0x6342C960 for isadb_mark_sa_deleted(), count 0
*May 18 08:12:18.682: ISAKMP: Deleting peer node by peer_reap for 192.168.150.8: 6342C960
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):deleting node 389727336 error FALSE reason "IKE deleted"
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):deleting node -285923049 error FALSE reason "IKE deleted"
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
*May 18 08:13:08.682: ISAKMP:(0:0:N/A:0):purging node 389727336
*May 18 08:13:08.682: ISAKMP:(0:0:N/A:0):purging node -285923049
*May 18 08:13:18.682: ISAKMP:(0:0:N/A:0):purging SA., sa=634DB204, delme=634DB204

The same on the other end.

Ilir Mitrushi (IT Infrastructure and Security Architect) commented:
I don't see any problem with the config. You can make it even simpler if you remove the subnet mask from the pre-shared key command, for example:
crypto isakmp key ***** address 192.168.208.88

Usually the "no state" message error is related to connectivity issues. Check connectivity between the peers and make sure that UDP port 500 is open on both sides.

fgasimzade (Author) commented:
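The pattern Ilir points at (the initiator only ever sends and retransmits at MM_NO_STATE, and nothing arrives from the peer) can be checked mechanically across a debug capture. The Python below is an added example, not code from this thread or from Cisco: it parses initiator-side "debug crypto isakmp" lines of the shape quoted above (the embedded sample is constructed to mirror them) and separates "no reply from the peer", which points at routing or UDP/500 reachability as in this thread, from "peer answered but Phase 1 still failed". The "received packet from" wording used to recognise a peer's datagram is assumed from IOS output that is not shown in this thread.

```python
import re

# Constructed excerpt modelled on the initiator-side "debug crypto isakmp" output
# quoted in this thread; timestamps and the peer address are sample values.
SAMPLE_NO_REPLY = """\
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:11:28.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:11:28.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:11:38.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:11:38.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 192.168.150.8)
"""

# Message text after the "ISAKMP:(...):" prefix; the prefix shape varies between IOS releases.
MSG_RE = re.compile(r"ISAKMP\s*(?::?\([^)]*\))?:\s*(?P<msg>.*)$")
STATE_RE = re.compile(r"\((?:I|R)\) ((?:MM|AG|QM)_\w+)")      # e.g. "(I) MM_NO_STATE"
REASON_RE = re.compile(r'deleting SA reason "([^"]+)"')

def triage_phase1(debug_text):
    """Count what the initiator sent/received and classify the Phase 1 failure."""
    sent = received = retransmits = 0
    states, reasons = [], []
    for line in debug_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue                      # ping output, prompts, unrelated lines
        msg = m.group("msg")
        if msg.startswith("sending packet"):
            sent += 1
        elif msg.startswith("received packet"):   # assumed IOS wording for a peer datagram
            received += 1
        elif msg.startswith("retransmitting phase 1"):
            retransmits += 1
        if (s := STATE_RE.search(msg)) and s.group(1) not in states:
            states.append(s.group(1))     # states in order of first appearance
        if (r := REASON_RE.search(msg)):
            reasons.append(r.group(1))
    if received == 0 and states == ["MM_NO_STATE"] and retransmits:
        verdict = ("no reply from peer: the first Main Mode packet is only retransmitted, so "
                   "check routing to the peer and UDP/500 (UDP/4500 with NAT-T) in both directions")
    elif received:
        last = states[-1] if states else "an unknown state"
        verdict = (f"peer responded; Phase 1 failed after reaching {last}: compare the "
                   "ISAKMP policies and pre-shared keys on both peers")
    else:
        verdict = "no Phase 1 exchange observed in this capture"
    return {"sent": sent, "received": received, "retransmits": retransmits,
            "states": states, "delete_reasons": reasons, "verdict": verdict}
```

Run `triage_phase1(SAMPLE_NO_REPLY)` to see the summary for the constructed capture; feed it the raw text of a real `debug crypto isakmp` session (wrapped lines re-joined first) to triage your own.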
Thank you everyone for assistance, the issue is solved. Guys from the second peer forgot to add a route.