Solved

Can not create IPSec tunnel between 2 cisco routers.

Posted on 2009-05-17
8
1,738 Views
Last Modified: 2012-05-07
I have read through previous topics, but no luck, unfortunately.

This is what I get in debug messages

*May 18 04:44:02.711: ISAKMP: received ke message (1/1)
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*May 18 04:44:02.711: ISAKMP: Created a peer struct for 192.168.150.8, peer port
 500
*May 18 04:44:02.711: ISAKMP: New peer created peer = 0x634D2614 peer_handle = 0
x80000009
*May 18 04:44:02.711: ISAKMP: Locking peer struct 0x634D2614, IKE refcount 1 for
 isakmp_initiator
*May 18 04:44:02.711: ISAKMP: local port 500, remote port 500
*May 18 04:44:02.711: ISAKMP: set new node 0 to QM_IDLE
*May 18 04:44:02.711: ISAKMP: Find a dup sa in the avl tree during calling isadb
_insert sa = 635974D0
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying M
ain mode.
*May 18 04:44:02.711: ISAKMP: Looking for a matching key for 192.168.150.8 in de
fault : success
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 192.
168.150.8
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*May 18 04:44:02.711: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_port 500 peer_port 500 (I) MM_NO_STATE...
*May 18 04:44:08.135: ISAKMP:(0:0:N/A:0):purging node 1507012599
*May 18 04:44:08.135: ISAKMP:(0:0:N/A:0):purging node -746186383..
*May 18 04:44:12.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 04:44:12.715: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 04:44:12.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 04:44:12.715: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 04:44:18.135: ISAKMP:(0:0:N/A:0):purging SA., sa=633031E4, delme=633031E
4
*May 18 04:44:22.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 04:44:22.715: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 04:44:22.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 04:44:22.715: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 04:44:32.711: ISAKMP: received ke message (1/1)
*May 18 04:44:32.711: ISAKMP: set new node 0 to QM_IDLE
*May 18 04:44:32.711: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec
 request to it. (local 192.168.208.88, remote 192.168.150.8)
*May 18 04:44:32.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 04:44:32.715: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 04:44:32.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 04:44:32.715: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 04:44:42.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 04:44:42.715: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 04:44:42.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 04:44:42.715: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 04:44:52.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 04:44:52.715: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 04:44:52.715: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 04:44:52.715: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 04:45:02.711: ISAKMP: received ke message (3/1)
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (i
n)" state (I) MM_NO_STATE (peer 192.168.150.8)
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (i
n)" state (I) MM_NO_STATE (peer 192.168.150.8)
*May 18 04:45:02.711: ISAKMP: Unlocking IKE struct 0x634D2614 for isadb_mark_sa_
deleted(), count 0
*May 18 04:45:02.711: ISAKMP: Deleting peer node by peer_reap for 192.168.150.8:
 634D2614
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):deleting node 1666773402 error FALSE re
ason "IKE deleted"
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):deleting node -343583585 error FALSE re
ason "IKE deleted"
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_D
EL
*May 18 04:45:02.711: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_
DEST_SA

*May 18 04:45:52.711: ISAKMP:(0:0:N/A:0):purging node 1666773402
*May 18 04:45:52.711: ISAKMP:(0:0:N/A:0):purging node -343583585
*May 18 04:46:02.711: ISAKMP:(0:0:N/A:0):purging SA., sa=635974D0, delme=635974D
0


These are configs of both routers:

1. crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ******** address 192.168.150.8 255.255.255.0
no crypto isakmp ccm
!
!
crypto ipsec transform-set trans esp-3des esp-md5-hmac
!
crypto map vpnmap 100 ipsec-isakmp
 set peer 192.168.150.8
 set transform-set trans
 match address vpn

ip access-list extended vpn
 permit ip 192.168.240.0 0.0.0.255 192.168.241.0 0.0.0.255
 permit ip 192.168.241.0 0.0.0.255 192.168.240.0 0.0.0.255
---------------------
2. !
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key ****** address 192.168.208.88 255.255.255.240
!
!
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
!
crypto map VPN_SW_208 1 ipsec-isakmp
 set peer 192.168.208.88
 set transform-set 3des-md5
 match address 101
!
interface Loopback240
 ip address 192.168.240.1 255.255.255.0
!
!
access-list 101 permit ip 192.168.241.0 0.0.0.255 192.168.240.0 0.0.0.255

It looks like there is a problem with IKE phase 1, but can not get a solution for it.

Thank you in advance!

0
Comment
Question by:fgasimzade
  • 4
  • 3
8 Comments
 
LVL 7

Expert Comment

by:mitrushi
Comment Utility
It seems that you have a problem with acl defining interesting traffic for the crypto map. They should mirror each other.
on router 1 configure
access-list 101 permit ip 192.168.241.0 0.0.0.255 192.168.240.0 0.0.0.255
on router e
access-list 101 permit ip 192.168.240.0 0.0.0.255 192.168.241.0 0.0.0.255
0
 
LVL 18

Author Comment

by:fgasimzade
Comment Utility
I modified access lists, it didnt help, unfortunatelly
0
 
LVL 18

Author Comment

by:fgasimzade
Comment Utility
After I modified access lists, I receive the following error in debugs

*May 18 07:45:57.410: ISAKMP:(0:0:N/A:0):deleting SA reason "Death by retransmis
sion P1" state (I) MM_NO_STATE (peer *****)
0
 
LVL 7

Expert Comment

by:hau_it
Comment Utility
are any of the peers behind a NAT device?
Maybe you should enable a port forwarding..

0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 7

Expert Comment

by:mitrushi
Comment Utility
can you post again relevant crypto configs and results from debug crypto isakmp on both sides? also do a clear crypto isakmp and clear crypto sa before trying again
0
 
LVL 18

Author Comment

by:fgasimzade
Comment Utility
Current config is:

Router1#
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key **** address 192.168.150.8 255.255.255.0
no crypto isakmp ccm
!
!
crypto ipsec transform-set trans esp-3des esp-md5-hmac
!
crypto map vpnmap 100 ipsec-isakmp
set peer 192.168.150.8
set transform-set trans
match address 101

interface FastEthernet0/0.241
 encapsulation dot1Q 241
 ip address 192.168.241.1 255.255.255.0
 no ip mroute-cache
!
interface FastEthernet0/1
 description vpn wan
 ip address 192.168.208.88 255.255.255.240
 duplex auto
 speed auto
 crypto map vpnmap


access-list 101 permit ip 192.168.241.0 0.0.0.255 192.168.240.0 0.0.0.255


Router2#
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key ***** address 192.168.208.88 255.255.255.240
!
!
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
!
crypto map VPN_SW_208 1 ipsec-isakmp
set peer 192.168.208.88
set transform-set 3des-md5
match address 101
!
interface Loopback240
ip address 192.168.240.1 255.255.255.0
!
!
access-list 101 permit ip 192.168.240.0 0.0.0.255 192.168.241.0 0.0.0.255

----------------
Debug crypto isakmp

*May 18 08:11:18.682: ISAKMP: received ke message (1/1)
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*May 18 08:11:18.682: ISAKMP: Created a peer struct for 192.168.150.8, peer port
 500
*May 18 08:11:18.682: ISAKMP: New peer created peer = 0x6342C960 peer_handle = 0
x80000021
*May 18 08:11:18.682: ISAKMP: Locking peer struct 0x6342C960, IKE refcount 1 for
 isakmp_initiator
*May 18 08:11:18.682: ISAKMP: local port 500, remote port 500
*May 18 08:11:18.682: ISAKMP: set new node 0 to QM_IDLE
*May 18 08:11:18.682: insert sa successfully sa = 634DB204
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying M
ain mode.
*May 18 08:11:18.682: ISAKMP: Looking for a matching key for 192.168.150.8 in de
fault : success
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 192.
168.150.8
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ
_MM
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_
I_MM1

*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*May 18 08:11:18.682: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE.....
Success rate is 0 percent (0/5)
bak-swtravelvpn-rt#
*May 18 08:11:28.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:11:28.686: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 08:11:28.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 08:11:28.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:11:38.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:11:38.686: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 08:11:38.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 08:11:38.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:11:48.682: ISAKMP: received ke message (1/1)
*May 18 08:11:48.682: ISAKMP: set new node 0 to QM_IDLE
*May 18 08:11:48.682: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec
 request to it. (local 192.168.208.88, remote 192.168.150.8)
*May 18 08:11:48.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:11:48.686: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 08:11:48.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 08:11:48.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:11:58.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:11:58.686: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 08:11:58.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 08:11:58.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:12:08.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*May 18 08:12:08.686: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retra
nsmit phase 1
*May 18 08:12:08.686: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*May 18 08:12:08.686: ISAKMP:(0:0:N/A:0): sending packet to 192.168.150.8 my_por
t 500 peer_port 500 (I) MM_NO_STATE
*May 18 08:12:18.682: ISAKMP: received ke message (3/1)
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (i
n)" state (I) MM_NO_STATE (peer 192.168.150.8)
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (i
n)" state (I) MM_NO_STATE (peer 192.168.150.8)
*May 18 08:12:18.682: ISAKMP: Unlocking IKE struct 0x6342C960 for isadb_mark_sa_
deleted(), count 0
*May 18 08:12:18.682: ISAKMP: Deleting peer node by peer_reap for 192.168.150.8:
 6342C960
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):deleting node 389727336 error FALSE rea
son "IKE deleted"
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):deleting node -285923049 error FALSE re
ason "IKE deleted"
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_D
EL
*May 18 08:12:18.682: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
*May 18 08:13:08.682: ISAKMP:(0:0:N/A:0):purging node 389727336
*May 18 08:13:08.682: ISAKMP:(0:0:N/A:0):purging node -285923049
*May 18 08:13:18.682: ISAKMP:(0:0:N/A:0):purging SA., sa=634DB204, delme=634DB20
4

The same on the other end..



0
 
LVL 7

Accepted Solution

by:
mitrushi earned 500 total points
Comment Utility
I don't see any problem with the config. You can make it even simpler if you remove the subnet mask from the preshared key command for example
crypto isakmp key ***** address 192.168.208.88

Usually the no state message error is related with connectivity issues. check connectivity between peers and make sure that udp port 500 is open on both sides.
0
 
LVL 18

Author Comment

by:fgasimzade
Comment Utility
Thank you everyone for assistance, the issue is solved. Guys from the second peer forgot to add a route.
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Suggested Solutions

What’s a web proxy server? A proxy server is a server that goes between clients and web servers, used in corporate to enforce corporate browsing policy and ensure security. Proxy servers are commonly used in three modes. A)    Forward proxy …
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now