stepnharp asked:

Can I create an IPSEC connection without using a VPN Services Port Adapter on the Cisco 6513?

Hi,

I am not able to create an IPSEC connection between a Cisco 6513 and a Cisco ASR1004, via MPLS ckt. I have 50 IPSEC/GRE connections so I am positive my config is correct (had 4 other eyes verify config). This is the first IPSEC connection on the 6513.

The error “ISAKMP: Unable to allocate IKE SA” is on the 6513. This error is referring to the VPN Services Port Adapter (VSPA) http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/vspa/configuration/guide/ivmsw_book/ivmovw.html

The 6513 does not have a VPN Services Port Adapter (VSPA).

Q: Can I create an IPSEC connection without using a VPN Services Port Adapter on the 6513?

Logging on the 6513 displays the following error:
21w4d: ISAKMP (0): received packet from 1.1.1.1 dport 500 sport 500 Global (N) NEW SA
21w4d: ISAKMP: Created a peer struct for 1.1.1.1 peer port 500
21w4d: ISAKMP: New peer created peer = 0x525E96B4 peer_handle = 0x80000150
21w4d: ISAKMP: Locking peer struct 0x525E96B4, refcount 1 for crypto_isakmp_process_block
21w4d: ISAKMP: local port 500, remote port 500
21w4d: ISAKMP: Unable to allocate IKE SA

Logging on the ASR1004:
*May 15 04:13:51.500: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 1.1.1.1:500, remote= 2.2.2.2:500,
    local_proxy= 10.1.200.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 10.1.62.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes 256  (Tunnel),
    lifedur= 86400s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0

*******************************

6513#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA


ASR1004#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
2.2.2.2    1.1.1.1    MM_NO_STATE          0 ACTIVE
2.2.2.2    1.1.1.1    MM_NO_STATE          0 ACTIVE (deleted)

*************************************

IOS are:
6513 = s72033-advipservicesk9_wan-mz.122-33.SXH4.bin
ASR1004  = asr1000rp1-adventerprisek9.03.04.02.S.151-3.S2.bin

Thanks for your time and effort, Scott
Topics: Internet Protocol Security, Networking Hardware-Other, Routers

Last comment: stepnharp, 8/22/2022 (Mon)
mikebernhardt

This "bug" relates to the ASR1000 but it may also relate to the 6500. What hash are you using?
Symptom:
On an ASR1000 series router, the CLI allows configuration of SHA-2 for ISAKMP, e.g.:
crypto isakmp policy 10
hash sha256

However, the VPN tunnel will not establish.
Crypto debugs indicate that phase 1 fails with "ISAKMP : Unable to allocate IKE SA " on the responder.

Please note that this is expected behavior, since SHA-2 is not supported yet on the ASR1000. Please refer to CSCtn18426.
This bug serves to remove the CLI commands that are not yet supported.

Workaround:
Use SHA-1.
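The comment above ties "Unable to allocate IKE SA" on the responder to an ISAKMP policy using a SHA-2 hash. As an added example (not code from the thread, Cisco, or Experts Exchange), the script below does the two checks a network engineer would run before opening a TAC case: parse a running-config excerpt for `crypto isakmp policy` blocks and flag any whose `hash` is SHA-2, and scan ISAKMP debug output for the allocation failure, attributing it to the last peer seen in a "received packet from" line. The config excerpt and debug lines are constructed for the example (the debug lines copy the format quoted in the question); the `crypto isakmp policy N` / `hash sha256` syntax is the one quoted in the comment, and `hash sha` is the IOS keyword for SHA-1. A clean result from the SHA-2 check only rules out that one cause, which is exactly the situation the asker reports.

```python
"""Added example: flag SHA-2 ISAKMP policies and locate 'Unable to allocate
IKE SA' in ISAKMP debug output. Not from the thread or from Cisco."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample config excerpt. Policy 10 uses SHA-2 (the condition the
# comment describes); policy 20 uses 'hash sha', which is SHA-1 in IOS.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
"""

# Constructed sample debug output in the format quoted in the question.
SAMPLE_DEBUG = """\
21w4d: ISAKMP (0): received packet from 1.1.1.1 dport 500 sport 500 Global (N) NEW SA
21w4d: ISAKMP: Created a peer struct for 1.1.1.1 peer port 500
21w4d: ISAKMP: local port 500, remote port 500
21w4d: ISAKMP: Unable to allocate IKE SA
"""

SHA2_HASHES = {"sha256", "sha384", "sha512"}
POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)\s*$")
PEER_RE = re.compile(r"received packet from (\d+\.\d+\.\d+\.\d+)")
FAILURE_TEXT = "Unable to allocate IKE SA"


@dataclass
class IsakmpPolicy:
    number: int
    hash_alg: Optional[str] = None          # 'sha' means SHA-1 in IOS
    settings: Dict[str, str] = field(default_factory=dict)


def parse_isakmp_policies(config: str) -> List[IsakmpPolicy]:
    """Collect each 'crypto isakmp policy N' block and its indented settings.
    Any non-indented line (another top-level command, or '!') ends the block."""
    policies: List[IsakmpPolicy] = []
    current: Optional[IsakmpPolicy] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = POLICY_RE.match(line)
        if m:
            current = IsakmpPolicy(number=int(m.group(1)))
            policies.append(current)
            continue
        if current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current.settings[key] = value
            if key == "hash":
                current.hash_alg = value
        else:
            current = None
    return policies


def sha2_policies(policies: List[IsakmpPolicy]) -> List[int]:
    """Policy numbers whose hash is SHA-2, the unsupported case in the comment."""
    return [p.number for p in policies if p.hash_alg in SHA2_HASHES]


def find_ike_sa_failures(debug_text: str) -> List[Tuple[Optional[str], int]]:
    """(peer_ip, line_no) for every 'Unable to allocate IKE SA' line, attributed
    to the most recent 'received packet from' peer (None if none seen yet)."""
    failures: List[Tuple[Optional[str], int]] = []
    last_peer: Optional[str] = None
    for n, line in enumerate(debug_text.splitlines(), 1):
        m = PEER_RE.search(line)
        if m:
            last_peer = m.group(1)
        if FAILURE_TEXT in line:
            failures.append((last_peer, n))
    return failures


def diagnose(config: str, debug_text: str) -> List[str]:
    """Human-readable findings combining both checks."""
    findings = []
    for peer, n in find_ike_sa_failures(debug_text):
        findings.append(f"line {n}: IKE SA allocation failed for peer {peer}")
    bad = sha2_policies(parse_isakmp_policies(config))
    if bad:
        findings.append(f"ISAKMP policies using SHA-2 hash: {bad} (see workaround: SHA-1)")
    else:
        findings.append("no SHA-2 ISAKMP policies; SHA-2 is not the cause here")
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_CONFIG, SAMPLE_DEBUG):
        print(f)
```

Run it against the output of `show running-config | section crypto isakmp policy` and a capture of `debug crypto isakmp` from the responder; the peer attribution is only as good as the ordering of the debug lines, so feed it the unfiltered debug rather than a grep of the failure line alone.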
stepnharp

ASKER
Mike,
We are using SHA-1.

Thanks for your reply.

Scott
ASKER CERTIFIED SOLUTION
stepnharp

stepnharp

ASKER
This is from Cisco Support.