troubleshooting Question

cisco vpn phase 1 negotiation failing

Avatar of chillicom
chillicomFlag for United States of America asked on
Software FirewallsVPN
2 Comments1 Solution1036 ViewsLast Modified:
I am having an issue with phase 1 negotiation between 2 cisco routers. Any suggestions would be most welcome ! I do not have access to the client router but I have enclosed config of my router (changed ip) and the description of the customers setup.

my router:
!
!
!
ip cef

!
multilink bundle-name authenticated
!
!
!
!

archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 hash md5
 authentication pre-share
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share

crypto isakmp key t3st address 145.146.147.148
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP3-DES-MD5 esp-3des esp-md5-hmac
!

crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to
 set peer 145.146.147.148
 set transform-set ESP3-DES-MD5
 set pfs group1
 match address 101
!

!
!
!
!
!
interface FastEthernet0/0
 bandwidth 100000
 ip address 192.168.20.1 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1300
 duplex auto
 speed auto
!
interface FastEthernet0/1
 bandwidth 100000
 ip address 192.168.21.33 255.255.255.0
 ip flow ingress
 ip tcp adjust-mss 1400
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface Dialer0
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username jkh password 0 7
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.16.11.0 255.255.255.0 192.168.21.1
ip route 192.168.22.0 255.255.255.0 192.168.21.1
ip route 192.168.25.0 255.255.255.0 192.168.21.1

ip http server
ip http authentication local
no ip http secure-server
!
ip flow-export source FastEthernet0/1
ip flow-export version 5
ip flow-export destination 192.168.21.251 2055
!
ip nat inside source static tcp 192.168.20.27 5900 interface Dialer0 5900
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 192.168.20.200 3389 1.1.1.1 3389 route-map SDM_RMAP_1 extendable
!
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.24.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.20.0 0.0.0.255 192.168.24.0 0.0.0.255
access-list 101 deny   ip 192.168.20.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 101 deny   ip 192.168.20.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 104 permit ip 192.168.20.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 105 permit ip 192.168.20.0 0.0.0.255 192.168.25.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!

end point router:

Given below the details from ac side
The VPN parameters are :

ac VPN device: Cisco 7206

ac Peer IP: 145.146.147.148

ac Encryption Domain: 150.2.0.0/16

ISAKMP Hash: MD5

ISAKMP Encryption: 3DES

ISAKMP DH Group: Group 2

ISAKMP Key Mode: Main Mode

ISAKMP Key Lifetime: 86400 secs

Perfect Forward Secrecy: Off

IPSEC Encapsulation: Tunnel Mode

IPSEC Protocol Type: ESP

IPSEC Cipher Algorithm: 3DES

IPSEC Authentication: HMAC-MD5

IPSEC Lifetime: 3600 sec


Port details:

"Customer to :  

ICMP: echo and echo reply

FTP: TCP20
HTTP: TCP8002, 80

GEMS diags: TCP 7979
X-windows: TCP6000-6200
 

 

 to Customer:  

ICMP: echo and echo reply

FTP: TCP21

ssh: TCP22

Telnet: TCP23, 2327, 2328

HTTP: TCP80, 8080

Rexec: TCP512

VNC: TCP5800, 5900

MR firmware diagnostics: TCP8100"

tests#show cry isa sa | sec 1.1.1.1
1.1.1.1   145.146.147.148  MM_NO_STATE          0    0 ACTIVE
1.1.1.1   145.146.147.148  MM_NO_STATE          0    0 ACTIVE (deleted)

ASKER CERTIFIED SOLUTION
crouthamela

Our community of experts have been thoroughly vetted for their expertise and industry experience.

Join our community to see this answer!
Unlock 1 Answer and 2 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 2 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros