Crypto isakmp identity

pgasol
Level 1

I have 3 routers 837, each one of them with a VPN to the others.

I have authentication pre-share and crypto isakmp identity hostname (because I need VPN clients).

When I run debug crypto isakmp, I get the following:

*Mar 1 00:14:16.231: ISAKMP: received ke message (1/1)

*Mar 1 00:14:16.231: ISAKMP (0:0): SA request profile is (NULL)

*Mar 1 00:14:16.231: ISAKMP: Created a peer struct for 23.96.48.22, peer port 500

*Mar 1 00:14:16.231: ISAKMP: Locking peer struct 0x8179BE5C, IKE refcount 1 for crypto_ikmp_config_initialize_sa

*Mar 1 00:14:16.231: ISAKMP (0:0): Setting client config settings 8156AEE0

*Mar 1 00:14:16.231: ISAKMP (0:0): (Re)Setting client xauth list and state

*Mar 1 00:14:16.231: ISAKMP: local port 500, remote port 500

*Mar 1 00:14:16.235: ISAKMP: set new node 0 to CONF_XAUTH

*Mar 1 00:14:16.235: ISAKMP: insert sa successfully sa = 8156B30C

*Mar 1 00:14:16.235: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.

*Mar 1 00:14:16.235: ISAKMP: Looking for a matching key for 23.96.48.22 in default

*Mar 1 00:14:16.235: ISAKMP (0:1): No pre-shared key with 23.96.48.22!

*Mar 1 00:14:16.235: ISAKMP (0:1): No Cert or pre-shared address key.

*Mar 1 00:14:16.235: ISAKMP (0:1): construct_initial_message: Can not start Main mode

*Mar 1 00:14:16.235: ISAKMP (0:1): purging SA., sa=8156B30C, delme=8156B30C

*Mar 1 00:14:16.235: ISAKMP (0:1): purging node -1284547857

*Mar 1 00:14:16.239: ISAKMP: Unlocking IKE struct 0x8179BE5C for declare_sa_dead(), count 0

Both routers have this configuration:

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

I see this with sh crypto isakmp key

acabats#sh crypto isakmp key

Keyring Hostname/Address Preshared Key

default girona acabats

barcelona acalona

and the other

barcelona#sh crypto isakmp key

Hostname/Address Preshared Key

default acabats acalona : girona barcelona

But I don't know the meaning of the default.

Can anybody help me, please?

2 Replies

mshaw
Level 1

It looks to me that your PreShared keys do not match.

Try setting all the routers with the same Preshared Key and (this isn't exactly the most secure method but it works) add this command

crypto isakmp key *insert preshared key here* address 0.0.0.0

There may be better ways of fixing this, but this is a fall back option.

cgregg
Level 1

What are your crypto access-lists?

Do you have the following statement(s)

isakmp key ***** address x.x.x.x netmask

isakmp identity address

The PIX has a default ISAKMP policy; if you do not specify certain isakmp options or the same options, the PIX will use its default. This might be what it is, but I'm not sure what acalona and girona are?
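
A triage helper for the kind of debug output in the question, added here as an example and not posted by anyone in the thread: it rejoins terminal-wrapped lines, finds each "No pre-shared key" failure, and reports whether the keyring named in the lookup holds an entry for that peer address or only hostname entries. The function names, the sample capture and the keyring list are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the format of "debug crypto isakmp" output,
# including lines split mid-word by terminal wrapping.
SAMPLE_DEBUG = """\
*Mar 1 00:14:16.235: ISAKMP (0:1): Can not start Aggressive mode, trying Main m
ode.
*Mar 1 00:14:16.235: ISAKMP: Looking for a matching key for 23.96.48.22 in de
fault
*Mar 1 00:14:16.235: ISAKMP (0:1): No pre-shared key with 23.96.48.22!
"""
# Constructed (keyring, peer identifier) pairs modelled on a
# "sh crypto isakmp key" table; key values are deliberately left out.
SAMPLE_KEYRING = [("default", "girona"), ("default", "barcelona")]

STAMP = re.compile(r"^\*\w{3} +\d+ [\d:.]+: ")
LOOKUP = re.compile(r"Looking for a matching key for (\S+) in (\S+)")
NO_KEY = re.compile(r"No pre-shared key with ([\d.]+)!")

def unwrap(text):
    """Rejoin wrapped lines: a line without a timestamp continues the previous one."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if STAMP.match(line) or not out:
            out.append(line)
        else:
            out[-1] += line  # no space added: the wrap split the text mid-word
    return out

def is_address(ident):
    try:
        ipaddress.ip_address(ident)
        return True
    except ValueError:
        return False

def triage(debug_text, keyring):
    """Return one finding per failed pre-shared key lookup."""
    lookups, findings = {}, []
    for line in unwrap(debug_text):
        if (m := LOOKUP.search(line)):
            lookups[m.group(1)] = m.group(2)  # peer -> keyring that was searched
        if (m := NO_KEY.search(line)):
            peer = m.group(1)
            ring = lookups.get(peer, "unknown")
            entries = [ident for r, ident in keyring if r == ring]
            findings.append({"peer": peer, "keyring": ring,
                             "address_entry_present": peer in entries,
                             "hostname_only_entries": [i for i in entries if not is_address(i)]})
    return findings
```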