Cisco ISAKMP IPSEC VPN tunnel not building

Posted on 2009-12-17
Medium Priority
Last Modified: 2012-05-08
I have two locations. The primary Cisco 2800 router currently hiolds 50-60 VPN's and it connects to Cisco 850/870 series routers for each of them. I have a new site with 3 tunnels terminating on 3 unique Cisco 850 routers. The 850's successfully build tunnels to a third location, however, none of them build to my primary location. I have attached a debug from one RemoteRouter and also its config (all 3 sites are identical, barring unique keys and address'). The caveates that may be pertinent are that the 3 routers/tunnels all are NAT's on the remote sites at one common firewall (each has it's own unique NAT address). The other unique issue is that the external address on my MainRouter and the external address of the customers firewall all reside on one ISP (QWEST). I am having difficulty seeing what is affecting my connection.  I have attached the debug info from RemoteRouter, the config from RemoteRouter, and the pertinent info from MainRouter.
Question by:rwboll

Accepted Solution

geergon earned 1500 total points
ID: 26077626
Hello !

Nat traversal or nat transparency should be enabled by default. (Anyway confirm if in the main router NAT-T is disabled)
*Mar  3 00:04:49.032: ISAKMP (0:0): received packet from dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar  3 00:04:49.064: ISAKMP:(2037):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  3 00:04:49.064: ISAKMP:(2037):Old State = IKE_R_MM3  New State = IKE_R_MM4
*Mar  3 00:04:49.220: ISAKMP (0:2037): received packet from dport 4500 sport 4500 Global (R) MM_KEY_EXCH

As the logs saids it start to do the negotiation of the tunnel using port 500 main mode, after that, it changes to port 4500 and then the problem occurs....

Again try to verify if there is any command disabling NAT-T
Also configure the firewall ---> to permit ipsec passing through
PIX/ASA 7.x and Above IPsec Tunnel Pass Through a Security Appliance With use of Access List and MPF with NAT Configuration Example


Author Closing Comment

ID: 32769014
Traversal of a perimitter PIX was effecting the tunnel. Chnanges to the perimiter PIX alowwed the tunnel to build.

Featured Post

What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

807 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question