
cisco vpn phase 1 negotiation failing

chillicom asked:
Last Modified: 2012-05-09
I am having an issue with phase 1 negotiation between 2 Cisco routers. Any suggestions would be most welcome! I do not have access to the client router, but I have enclosed the config of my router (changed IP) and the description of the customer's setup.

my router:
!
!
!
ip cef

!
multilink bundle-name authenticated
!
!
!
!

archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 hash md5
 authentication pre-share
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share

crypto isakmp key t3st address 145.146.147.148
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP3-DES-MD5 esp-3des esp-md5-hmac
!

crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to
 set peer 145.146.147.148
 set transform-set ESP3-DES-MD5
 set pfs group1
 match address 101
!

!
!
!
!
!
interface FastEthernet0/0
 bandwidth 100000
 ip address 192.168.20.1 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1300
 duplex auto
 speed auto
!
interface FastEthernet0/1
 bandwidth 100000
 ip address 192.168.21.33 255.255.255.0
 ip flow ingress
 ip tcp adjust-mss 1400
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface Dialer0
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username jkh password 0 7
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.16.11.0 255.255.255.0 192.168.21.1
ip route 192.168.22.0 255.255.255.0 192.168.21.1
ip route 192.168.25.0 255.255.255.0 192.168.21.1

ip http server
ip http authentication local
no ip http secure-server
!
ip flow-export source FastEthernet0/1
ip flow-export version 5
ip flow-export destination 192.168.21.251 2055
!
ip nat inside source static tcp 192.168.20.27 5900 interface Dialer0 5900
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 192.168.20.200 3389 1.1.1.1 3389 route-map SDM_RMAP_1 extendable
!
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.24.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.20.0 0.0.0.255 192.168.24.0 0.0.0.255
access-list 101 deny   ip 192.168.20.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 101 deny   ip 192.168.20.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 104 permit ip 192.168.20.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 105 permit ip 192.168.20.0 0.0.0.255 192.168.25.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!

Endpoint router:

Given below are the details from the ac side.
The VPN parameters are:

ac VPN device: Cisco 7206
ac Peer IP: 145.146.147.148
ac Encryption Domain: 150.2.0.0/16
ISAKMP Hash: MD5
ISAKMP Encryption: 3DES
ISAKMP DH Group: Group 2
ISAKMP Key Mode: Main Mode
ISAKMP Key Lifetime: 86400 secs
Perfect Forward Secrecy: Off
IPSEC Encapsulation: Tunnel Mode
IPSEC Protocol Type: ESP
IPSEC Cipher Algorithm: 3DES
IPSEC Authentication: HMAC-MD5
IPSEC Lifetime: 3600 sec


Port details:

"Customer to :
ICMP: echo and echo reply
FTP: TCP20
HTTP: TCP8002, 80
GEMS diags: TCP 7979
X-windows: TCP6000-6200

 to Customer:
ICMP: echo and echo reply
FTP: TCP21
ssh: TCP22
Telnet: TCP23, 2327, 2328
HTTP: TCP80, 8080
Rexec: TCP512
VNC: TCP5800, 5900
MR firmware diagnostics: TCP8100"

tests#show cry isa sa | sec 1.1.1.1
1.1.1.1   145.146.147.148  MM_NO_STATE          0    0 ACTIVE
1.1.1.1   145.146.147.148  MM_NO_STATE          0    0 ACTIVE (deleted)
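An SA that never leaves MM_NO_STATE means main mode did not complete, and the first thing a responder checks in main mode is whether one of its ISAKMP policies matches the initiator's proposal exactly (encryption, hash, DH group and authentication method; lifetime only has to be no longer than the peer's). The checker below is an added example, not part of the question or of its accepted answer: it parses the `crypto isakmp policy` blocks posted above, fills in the IOS defaults for attributes that are not set (DES, SHA, RSA signatures, group 1, 86400 s), and reports where each policy diverges from the parameters the ac side listed. The peer's authentication method is not in the listing; pre-shared key is assumed because both sides configure one. The three policies embedded as sample input are copied from the question.

```python
"""Compare local IOS ISAKMP policies against a peer's stated phase 1 proposal."""
from __future__ import annotations

import re

# IOS defaults applied to any isakmp policy attribute that is not explicitly set.
IOS_DEFAULTS = {
    "encr": "des",
    "hash": "sha",
    "authentication": "rsa-sig",
    "group": "1",
    "lifetime": "86400",
}
# Attributes that must agree exactly for an IKEv1 phase 1 policy to be accepted.
MUST_MATCH = ("encr", "hash", "group", "authentication")

# Sample input: the isakmp policies exactly as posted in the question.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 hash md5
 authentication pre-share
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share

crypto isakmp key t3st address 145.146.147.148
"""

# The ac side's phase 1 parameters from the question; pre-shared key
# authentication is an assumption (not listed by the peer).
PEER_PROPOSAL = {
    "encr": "3des",
    "hash": "md5",
    "group": "2",
    "authentication": "pre-share",
}


def parse_isakmp_policies(config: str) -> dict:
    """Return {policy_number: attributes}, with IOS defaults filled in."""
    policies = {}
    current = None
    for line in config.splitlines():
        header = re.match(r"^crypto isakmp policy (\d+)\s*$", line)
        if header:
            current = int(header.group(1))
            policies[current] = dict(IOS_DEFAULTS)
            continue
        # A policy block ends at the first non-indented line ("!" or blank).
        if current is None or not line.startswith(" "):
            current = None
            continue
        parts = line.split()
        if len(parts) != 2:
            continue
        key, value = parts
        if key == "encryption":  # full keyword; running-config prints "encr"
            key = "encr"
        if key in IOS_DEFAULTS:
            policies[current][key] = value.lower()
    return policies


def policy_differences(policy: dict, peer: dict) -> list:
    """Sorted attribute names on which a local policy disagrees with the peer."""
    return sorted(k for k in MUST_MATCH if policy[k] != peer[k])


def matching_policies(policies: dict, peer: dict) -> list:
    """Policy numbers, in priority order, that the peer's proposal would accept."""
    return [n for n, p in sorted(policies.items()) if not policy_differences(p, peer)]


def report(config: str, peer: dict) -> dict:
    """Per-policy mismatch list; an empty list means that policy matches."""
    return {n: policy_differences(p, peer)
            for n, p in sorted(parse_isakmp_policies(config).items())}


if __name__ == "__main__":
    for number, diffs in report(SAMPLE_CONFIG, PEER_PROPOSAL).items():
        status = "MATCH" if not diffs else "mismatch on " + ", ".join(diffs)
        print(f"crypto isakmp policy {number}: {status}")
    if not matching_policies(parse_isakmp_policies(SAMPLE_CONFIG), PEER_PROPOSAL):
        print("no local policy matches the peer's proposal; main mode cannot complete")
```

Run against the posted config, the report shows policy 1 differing on the hash, policy 2 on encryption and group, and policy 3 on group and hash, so no local policy would be accepted for the proposal the ac side lists. The same parser can be pointed at the output of `show running-config | section crypto isakmp policy` on any IOS router, as long as the peer's parameters are entered into `PEER_PROPOSAL`.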

Author commented:
Excellent - thank you very much - worked perfectly!!!
