IPSec GRE tunnel without a public IP address

fimonteiro
Level 1

Hello,

 

Can an IPSec GRE tunnel be created without the public IP address on our router interface? So, one of the routers has a public IP address and the other router is behind the ISP router on a private subnet.

The ISP on one of our sites is telling us that they cannot configure their ADSL router in bridge mode. So the public IP address is not configured on our router dialer interface. Instead the ISP edge router has the public IP and they are suggesting to configure a one to one static NAT.

 

Will this work?

Is there any security risk?

 

I would appreciate any help, suggestions and solutions for this scenario.

 


Thank you for your support Richard :)

 

On Router2 I was indeed having an error with the pre-shared key. Not with the key itself but with the IP.

 

461180: Mar 28 16:23:52.581 UTC+2: ISAKMP-ERROR: (0):No pre-shared key with 111.111.111.111!

 

My mistake was that I had this:

crypto isakmp key PASSWORD address 192.168.1.2

Instead of this:

crypto isakmp key PASSWORD address 111.111.111.111

 

After fixing this, we are now stuck in the MM_KEY_EXCH state:

 

ROUTER1#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
111.111.111.111 192.168.1.2 MM_KEY_EXCH 1509 ACTIVE
192.168.1.2 111.111.111.111 MM_KEY_EXCH 1510 ACTIVE
192.168.1.2 111.111.111.111 MM_NO_STATE 1508 ACTIVE (deleted)

 

ROUTER1 new debug:

416798: Mar 28 15:42:24.187 UTC: ISAKMP:(0): SA request profile is (NULL)
416799: Mar 28 15:42:24.187 UTC: ISAKMP: Created a peer struct for 222.222.222.222, peer port 500
416800: Mar 28 15:42:24.187 UTC: ISAKMP: New peer created peer = 0x2D13A9A8 peer_handle = 0x80000B19
416801: Mar 28 15:42:24.187 UTC: ISAKMP: Locking peer struct 0x2D13A9A8, refcount 1 for isakmp_initiator
416802: Mar 28 15:42:24.187 UTC: ISAKMP: local port 500, remote port 500
416803: Mar 28 15:42:24.187 UTC: ISAKMP: set new node 0 to QM_IDLE
416804: Mar 28 15:42:24.187 UTC: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 40CF3778
416805: Mar 28 15:42:24.187 UTC: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
416806: Mar 28 15:42:24.187 UTC: ISAKMP:(0):found peer pre-shared key matching 222.222.222.222
416807: Mar 28 15:42:24.187 UTC: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
416808: Mar 28 15:42:24.187 UTC: ISAKMP:(0): constructed NAT-T vendor-07 ID
416809: Mar 28 15:42:24.187 UTC: ISAKMP:(0): constructed NAT-T vendor-03 ID
416810: Mar 28 15:42:24.187 UTC: ISAKMP:(0): constructed NAT-T vendor-02 ID
416811: Mar 28 15:42:24.187 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
416812: Mar 28 15:42:24.187 UTC: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

416813: Mar 28 15:42:24.187 UTC: ISAKMP:(0): beginning Main Mode exchange
416814: Mar 28 15:42:24.187 UTC: ISAKMP:(0): sending packet to 222.222.222.222 my_port 500 peer_port 500 (I) MM_NO_STATE
416815: Mar 28 15:42:24.187 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
416816: Mar 28 15:42:24.291 UTC: ISAKMP (0): received packet from 222.222.222.222 dport 500 sport 500 Global (I) MM_NO_STATE
416817: Mar 28 15:42:24.291 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
416818: Mar 28 15:42:24.291 UTC: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2

416819: Mar 28 15:42:24.295 UTC: ISAKMP:(0): processing SA payload. message ID = 0
416820: Mar 28 15:42:24.295 UTC: ISAKMP:(0): processing vendor id payload
416821: Mar 28 15:42:24.295 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
416822: Mar 28 15:42:24.295 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947
416823: Mar 28 15:42:24.295 UTC: ISAKMP:(0):found peer pre-shared key matching 222.222.222.222
416824: Mar 28 15:42:24.295 UTC: ISAKMP:(0): local preshared key found
416825: Mar 28 15:42:24.295 UTC: ISAKMP : Scanning profiles for xauth ...
416826: Mar 28 15:42:24.295 UTC: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
416827: Mar 28 15:42:24.295 UTC: ISAKMP: encryption AES-CBC
416828: Mar 28 15:42:24.295 UTC: ISAKMP: keylength of 256
416829: Mar 28 15:42:24.295 UTC: ISAKMP: hash SHA
416830: Mar 28 15:42:24.295 UTC: ISAKMP: default group 5
416831: Mar 28 15:42:24.295 UTC: ISAKMP: auth pre-share
416832: Mar 28 15:42:24.295 UTC: ISAKMP: life type in seconds
416833: Mar 28 15:42:24.295 UTC: ISAKMP: life duration (basic) of 28800
416834: Mar 28 15:42:24.295 UTC: ISAKMP:(0):atts are acceptable. Next payload is 0
416835: Mar 28 15:42:24.295 UTC: ISAKMP:(0):Acceptable atts:actual life: 0
416836: Mar 28 15:42:24.295 UTC: ISAKMP:(0):Acceptable atts:life: 0
416837: Mar 28 15:42:24.295 UTC: ISAKMP:(0):Basic life_in_seconds:28800
416838: Mar 28 15:42:24.295 UTC: ISAKMP:(0):Returning Actual lifetime: 28800
416839: Mar 28 15:42:24.295 UTC: ISAKMP:(0)::Started lifetime timer: 28800.

416840: Mar 28 15:42:24.295 UTC: ISAKMP:(0): processing vendor id payload
416841: Mar 28 15:42:24.295 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
416842: Mar 28 15:42:24.295 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947
416843: Mar 28 15:42:24.295 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
416844: Mar 28 15:42:24.295 UTC: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2

416845: Mar 28 15:42:24.295 UTC: ISAKMP:(0): sending packet to 222.222.222.222 my_port 500 peer_port 500 (I) MM_SA_SETUP
416846: Mar 28 15:42:24.295 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
416847: Mar 28 15:42:24.295 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
416848: Mar 28 15:42:24.295 UTC: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3

416849: Mar 28 15:42:24.411 UTC: ISAKMP (0): received packet from 222.222.222.222 dport 500 sport 500 Global (I) MM_SA_SETUP
416850: Mar 28 15:42:24.411 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
416851: Mar 28 15:42:24.411 UTC: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4

416852: Mar 28 15:42:24.411 UTC: ISAKMP:(0): processing KE payload. message ID = 0
416853: Mar 28 15:42:24.467 UTC: ISAKMP:(0): processing NONCE payload. message ID = 0
416854: Mar 28 15:42:24.467 UTC: ISAKMP:(0):found peer pre-shared key matching 222.222.222.222
416855: Mar 28 15:42:24.467 UTC: ISAKMP:(1501): processing vendor id payload
416856: Mar 28 15:42:24.467 UTC: ISAKMP:(1501): vendor ID is Unity
416857: Mar 28 15:42:24.467 UTC: ISAKMP:(1501): processing vendor id payload
416858: Mar 28 15:42:24.467 UTC: ISAKMP:(1501): vendor ID is DPD
416859: Mar 28 15:42:24.467 UTC: ISAKMP:(1501): processing vendor id payload
416860: Mar 28 15:42:24.467 UTC: ISAKMP:(1501): speaking to another IOS box!
416861: Mar 28 15:42:24.467 UTC: ISAKMP:received payload type 20
416862: Mar 28 15:42:24.471 UTC: ISAKMP (1501): NAT found, both nodes inside NAT
416863: Mar 28 15:42:24.471 UTC: ISAKMP:received payload type 20
416864: Mar 28 15:42:24.471 UTC: ISAKMP (1501): My hash no match - this node inside NAT
416865: Mar 28 15:42:24.471 UTC: ISAKMP:(1501):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
416866: Mar 28 15:42:24.471 UTC: ISAKMP:(1501):Old State = IKE_I_MM4 New State = IKE_I_MM4

416867: Mar 28 15:42:24.471 UTC: ISAKMP:(1501):Send initial contact
416868: Mar 28 15:42:24.471 UTC: ISAKMP:(1501):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
416869: Mar 28 15:42:24.471 UTC: ISAKMP (1501): ID payload
next-payload : 8
type : 1
address : 192.168.1.2
protocol : 17
port : 0
length : 12
416870: Mar 28 15:42:24.471 UTC: ISAKMP:(1501):Total payload length: 12
416871: Mar 28 15:42:24.471 UTC: ISAKMP:(1501): sending packet to 222.222.222.222 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
416872: Mar 28 15:42:24.471 UTC: ISAKMP:(1501):Sending an IKE IPv4 Packet.
416873: Mar 28 15:42:24.471 UTC: ISAKMP:(1501):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

416874: Mar 28 15:42:24.471 UTC: ISAKMP:(1501):Old State = IKE_I_MM4 New State = IKE_I_MM5

416875: Mar 28 15:42:32.691 UTC: ISAKMP (0): received packet from 222.222.222.222 dport 500 sport 500 Global (N) NEW SA
416876: Mar 28 15:42:32.691 UTC: ISAKMP: Created a peer struct for 222.222.222.222, peer port 500
416877: Mar 28 15:42:32.691 UTC: ISAKMP: New peer created peer = 0xC1669420 peer_handle = 0x80000AE7
416878: Mar 28 15:42:32.691 UTC: ISAKMP: Locking peer struct 0xC1669420, refcount 1 for crypto_isakmp_process_block
416879: Mar 28 15:42:32.691 UTC: ISAKMP: local port 500, remote port 500
416880: Mar 28 15:42:32.691 UTC: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 2CE84144
416881: Mar 28 15:42:32.691 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
416882: Mar 28 15:42:32.691 UTC: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

416883: Mar 28 15:42:32.691 UTC: ISAKMP:(0): processing SA payload. message ID = 0
416884: Mar 28 15:42:32.691 UTC: ISAKMP:(0): processing vendor id payload
416885: Mar 28 15:42:32.691 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
416886: Mar 28 15:42:32.691 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947
416887: Mar 28 15:42:32.691 UTC: ISAKMP:(0): processing vendor id payload
416888: Mar 28 15:42:32.691 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
416889: Mar 28 15:42:32.691 UTC: ISAKMP (0): vendor ID is NAT-T v7
416890: Mar 28 15:42:32.691 UTC: ISAKMP:(0): processing vendor id payload
416891: Mar 28 15:42:32.691 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
416892: Mar 28 15:42:32.691 UTC: ISAKMP:(0): vendor ID is NAT-T v3
416893: Mar 28 15:42:32.691 UTC: ISAKMP:(0): processing vendor id payload
416894: Mar 28 15:42:32.691 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
416895: Mar 28 15:42:32.691 UTC: ISAKMP:(0): vendor ID is NAT-T v2
416896: Mar 28 15:42:32.691 UTC: ISAKMP:(0):found peer pre-shared key matching 222.222.222.222
416897: Mar 28 15:42:32.691 UTC: ISAKMP:(0): local preshared key found
416898: Mar 28 15:42:32.695 UTC: ISAKMP : Scanning profiles for xauth ...
416899: Mar 28 15:42:32.695 UTC: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
416900: Mar 28 15:42:32.695 UTC: ISAKMP: encryption AES-CBC
416901: Mar 28 15:42:32.695 UTC: ISAKMP: keylength of 256
416902: Mar 28 15:42:32.695 UTC: ISAKMP: hash SHA
416903: Mar 28 15:42:32.695 UTC: ISAKMP: default group 5
416904: Mar 28 15:42:32.695 UTC: ISAKMP: auth pre-share
416905: Mar 28 15:42:32.695 UTC: ISAKMP: life type in seconds
416906: Mar 28 15:42:32.695 UTC: ISAKMP: life duration (basic) of 28800
416907: Mar 28 15:42:32.695 UTC: ISAKMP:(0):atts are acceptable. Next payload is 3
416908: Mar 28 15:42:32.695 UTC: ISAKMP:(0):Acceptable atts:actual life: 0
416909: Mar 28 15:42:32.695 UTC: ISAKMP:(0):Acceptable atts:life: 0
416910: Mar 28 15:42:32.695 UTC: ISAKMP:(0):Basic life_in_seconds:28800
416911: Mar 28 15:42:32.695 UTC: ISAKMP:(0):Returning Actual lifetime: 28800
416912: Mar 28 15:42:32.695 UTC: ISAKMP:(0)::Started lifetime timer: 28800.

416913: Mar 28 15:42:32.695 UTC: ISAKMP:(0): processing vendor id payload
416914: Mar 28 15:42:32.695 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
416915: Mar 28 15:42:32.695 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947
416916: Mar 28 15:42:32.695 UTC: ISAKMP:(0): processing vendor id payload
416917: Mar 28 15:42:32.695 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
416918: Mar 28 15:42:32.695 UTC: ISAKMP (0): vendor ID is NAT-T v7
416919: Mar 28 15:42:32.695 UTC: ISAKMP:(0): processing vendor id payload
416920: Mar 28 15:42:32.695 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
416921: Mar 28 15:42:32.695 UTC: ISAKMP:(0): vendor ID is NAT-T v3
416922: Mar 28 15:42:32.695 UTC: ISAKMP:(0): processing vendor id payload
416923: Mar 28 15:42:32.695 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
416924: Mar 28 15:42:32.695 UTC: ISAKMP:(0): vendor ID is NAT-T v2
416925: Mar 28 15:42:32.695 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
416926: Mar 28 15:42:32.695 UTC: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

416927: Mar 28 15:42:32.695 UTC: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
416928: Mar 28 15:42:32.695 UTC: ISAKMP:(0): sending packet to 222.222.222.222 my_port 500 peer_port 500 (R) MM_SA_SETUP
416929: Mar 28 15:42:32.695 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
416930: Mar 28 15:42:32.695 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
416931: Mar 28 15:42:32.695 UTC: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

416932: Mar 28 15:42:32.799 UTC: ISAKMP (0): received packet from 222.222.222.222 dport 500 sport 500 Global (R) MM_SA_SETUP
416933: Mar 28 15:42:32.799 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
416934: Mar 28 15:42:32.799 UTC: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3

416935: Mar 28 15:42:32.799 UTC: ISAKMP:(0): processing KE payload. message ID = 0
416936: Mar 28 15:42:32.855 UTC: ISAKMP:(0): processing NONCE payload. message ID = 0
416937: Mar 28 15:42:32.855 UTC: ISAKMP:(0):found peer pre-shared key matching 222.222.222.222
416938: Mar 28 15:42:32.855 UTC: ISAKMP:(1502): processing vendor id payload
416939: Mar 28 15:42:32.855 UTC: ISAKMP:(1502): vendor ID is DPD
416940: Mar 28 15:42:32.855 UTC: ISAKMP:(1502): processing vendor id payload
416941: Mar 28 15:42:32.855 UTC: ISAKMP:(1502): speaking to another IOS box!
416942: Mar 28 15:42:32.855 UTC: ISAKMP:(1502): processing vendor id payload
416943: Mar 28 15:42:32.855 UTC: ISAKMP:(1502): vendor ID seems Unity/DPD but major 196 mismatch
416944: Mar 28 15:42:32.855 UTC: ISAKMP:(1502): vendor ID is XAUTH
416945: Mar 28 15:42:32.855 UTC: ISAKMP:received payload type 20
416946: Mar 28 15:42:32.855 UTC: ISAKMP (1502): NAT found, both nodes inside NAT
416947: Mar 28 15:42:32.855 UTC: ISAKMP:received payload type 20
416948: Mar 28 15:42:32.855 UTC: ISAKMP (1502): My hash no match - this node inside NAT
416949: Mar 28 15:42:32.855 UTC: ISAKMP:(1502):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
416950: Mar 28 15:42:32.855 UTC: ISAKMP:(1502):Old State = IKE_R_MM3 New State = IKE_R_MM3

416951: Mar 28 15:42:32.855 UTC: ISAKMP:(1502): sending packet to 222.222.222.222 my_port 500 peer_port 500 (R) MM_KEY_EXCH

416952: Mar 28 15:42:32.855 UTC: ISAKMP:(1502):Sending an IKE IPv4 Packet.
416953: Mar 28 15:42:32.855 UTC: ISAKMP:(1502):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
416954: Mar 28 15:42:32.855 UTC: ISAKMP:(1502):Old State = IKE_R_MM3 New State = IKE_R_MM4


416955: Mar 28 15:42:34.411 UTC: ISAKMP (1501): received packet from 222.222.222.222 dport 500 sport 500 Global (I) MM_KEY_EXCH
416956: Mar 28 15:42:34.411 UTC: ISAKMP:(1501): phase 1 packet is a duplicate of a previous packet.
416957: Mar 28 15:42:34.411 UTC: ISAKMP:(1501): retransmitting due to retransmit phase 1
416958: Mar 28 15:42:34.911 UTC: ISAKMP:(1501): retransmitting phase 1 MM_KEY_EXCH...
416959: Mar 28 15:42:34.911 UTC: ISAKMP (1501): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
416960: Mar 28 15:42:34.911 UTC: ISAKMP:(1501): retransmitting phase 1 MM_KEY_EXCH

416961: Mar 28 15:42:34.911 UTC: ISAKMP:(1501): sending packet to 222.222.222.222 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
416962: Mar 28 15:42:34.911 UTC: ISAKMP:(1501):Sending an IKE IPv4 Packet.

416963: Mar 28 15:42:42.855 UTC: ISAKMP:(1502): retransmitting phase 1 MM_KEY_EXCH...
416964: Mar 28 15:42:42.855 UTC: ISAKMP (1502): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
416965: Mar 28 15:42:42.855 UTC: ISAKMP:(1502): retransmitting phase 1 MM_KEY_EXCH
416966: Mar 28 15:42:42.855 UTC: ISAKMP:(1502): sending packet to 222.222.222.222 my_port 500 peer_port 500 (R) MM_KEY_EXCH
416967: Mar 28 15:42:42.855 UTC: ISAKMP:(1502):Sending an IKE IPv4 Packet.

416968: Mar 28 15:42:44.415 UTC: ISAKMP (1501): received packet from 222.222.222.222 dport 500 sport 500 Global (I) MM_KEY_EXCH
416969: Mar 28 15:42:44.415 UTC: ISAKMP:(1501): phase 1 packet is a duplicate of a previous packet.
416970: Mar 28 15:42:44.415 UTC: ISAKMP:(1501): retransmitting due to retransmit phase 1
416971: Mar 28 15:42:44.735 UTC: ISAKMP:(1499):purging node 2131907374
416972: Mar 28 15:42:44.735 UTC: ISAKMP:(1499):purging node -694504605
416973: Mar 28 15:42:44.735 UTC: ISAKMP:(1499):purging node -1389775573
416974: Mar 28 15:42:44.915 UTC: ISAKMP:(1501): retransmitting phase 1 MM_KEY_EXCH...

416975: Mar 28 15:42:44.915 UTC: ISAKMP (1501): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
416976: Mar 28 15:42:44.915 UTC: ISAKMP:(1501): retransmitting phase 1 MM_KEY_EXCH
416977: Mar 28 15:42:44.915 UTC: ISAKMP:(1501): sending packet to 222.222.222.222 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
416978: Mar 28 15:42:44.915 UTC: ISAKMP:(1501):Sending an IKE IPv4 Packet.

416979: Mar 28 15:42:52.855 UTC: ISAKMP:(1502): retransmitting phase 1 MM_KEY_EXCH...
416980: Mar 28 15:42:52.855 UTC: ISAKMP (1502): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
416981: Mar 28 15:42:52.855 UTC: ISAKMP:(1502): retransmitting phase 1 MM_KEY_EXCH
416982: Mar 28 15:42:52.855 UTC: ISAKMP:(1502): sending packet to 222.222.222.222 my_port 500 peer_port 500 (R) MM_KEY_EXCH
416983: Mar 28 15:42:52.855 UTC: ISAKMP:(1502):Sending an IKE IPv4 Packet.

416984: Mar 28 15:42:54.187 UTC: ISAKMP: set new node 0 to QM_IDLE
416985: Mar 28 15:42:54.187 UTC: ISAKMP:(1501):SA is still budding. Attached new ipsec request to it. (local 192.168.1.2, remote 222.222.222.222)
416986: Mar 28 15:42:54.187 UTC: ISAKMP: Error while processing SA request: Failed to initialize SA
416987: Mar 28 15:42:54.187 UTC: ISAKMP: Error while processing KMI message 0, error 2.
416988: Mar 28 15:42:54.415 UTC: ISAKMP (1501): received packet from 222.222.222.222 dport 500 sport 500 Global (I) MM_KEY_EXCH
416989: Mar 28 15:42:54.415 UTC: ISAKMP:(1501): phase 1 packet is a duplicate of a previous packet.

416990: Mar 28 15:42:54.415 UTC: ISAKMP:(1501): retransmitting due to retransmit phase 1
416991: Mar 28 15:42:54.735 UTC: ISAKMP:(1499):purging SA., sa=2D13C670, delme=2D13C670
416992: Mar 28 15:42:54.915 UTC: ISAKMP:(1501): retransmitting phase 1 MM_KEY_EXCH...
416993: Mar 28 15:42:54.915 UTC: ISAKMP (1501): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
416994: Mar 28 15:42:54.915 UTC: ISAKMP:(1501): retransmitting phase 1 MM_KEY_EXCH
416995: Mar 28 15:42:54.915 UTC: ISAKMP:(1501): sending packet to 222.222.222.222 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
416996: Mar 28 15:42:54.915 UTC: ISAKMP:(1501):Sending an IKE IPv4 Packet.

 

ROUTER2 new debug:

461886: Mar 28 16:53:35.247 UTC+2: ISAKMP: (1075):retransmitting phase 1 MM_KEY_EXCH...
461887: Mar 28 16:53:35.247 UTC+2: ISAKMP: (1075):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
461888: Mar 28 16:53:35.247 UTC+2: ISAKMP: (1075):retransmitting phase 1 MM_KEY_EXCH
461889: Mar 28 16:53:35.247 UTC+2: ISAKMP-PAK: (1075):sending packet to 111.111.111.111 my_port 500 peer_port 500 (R) MM_KEY_EXCH
461890: Mar 28 16:53:35.247 UTC+2: ISAKMP: (1075):Sending an IKE IPv4 Packet.

461926: Mar 28 16:53:43.138 UTC+2: ISAKMP-PAK: (1076):received packet from 111.111.111.111 dport 500 sport 500 Global (I) MM_KEY_EXCH
461927: Mar 28 16:53:43.138 UTC+2: ISAKMP: (1076):phase 1 packet is a duplicate of a previous packet.
461928: Mar 28 16:53:43.138 UTC+2: ISAKMP: (1076):retransmitting due to retransmit phase 1
461929: Mar 28 16:53:43.637 UTC+2: ISAKMP: (1076):retransmitting phase 1 MM_KEY_EXCH...
461930: Mar 28 16:53:43.637 UTC+2: ISAKMP: (1076):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
461931: Mar 28 16:53:43.638 UTC+2: ISAKMP: (1076):retransmitting phase 1 MM_KEY_EXCH

461934: Mar 28 16:53:45.248 UTC+2: ISAKMP: (1075):retransmitting phase 1 MM_KEY_EXCH...
461935: Mar 28 16:53:45.248 UTC+2: ISAKMP: (1075):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
461936: Mar 28 16:53:45.248 UTC+2: ISAKMP: (1075):retransmitting phase 1 MM_KEY_EXCH
461937: Mar 28 16:53:45.248 UTC+2: ISAKMP-PAK: (1075):sending packet to 111.111.111.111 my_port 500 peer_port 500 (R) MM_KEY_EXCH
461938: Mar 28 16:53:45.248 UTC+2: ISAKMP: (1075):Sending an IKE IPv4 Packet.

461965: Mar 28 16:53:53.137 UTC+2: ISAKMP-PAK: (1076):received packet from 111.111.111.111 dport 500 sport 500 Global (I) MM_KEY_EXCH
461966: Mar 28 16:53:53.137 UTC+2: ISAKMP: (1076):phase 1 packet is a duplicate of a previous packet.
461967: Mar 28 16:53:53.137 UTC+2: ISAKMP: (1076):retransmitting due to retransmit phase 1

Thanks for the debug output. I see in the debug from the first router that it progresses through stages MM1 to MM2 to MM3 to MM4 to MM5 where it starts over with MM1 to MM2 to MM3 to MM4 where it starts over again. It appears that the starting over again may be due to something that router 2 is sending. I am not seeing anything in the debug from router 2 that would explain this.

 

Unless there is something else you want to try I would suggest that you save the configs on both routers, reboot both routers, and run the debugs again and see if anything changes.

 

HTH

 

Rick


It looks like everything goes fine until R1 receives MM4 on UDP 500. Then, since R1 has detected the NAT device between the routers, it sends MM5 on UDP 4500:

416871: Mar 28 15:42:24.471 UTC: ISAKMP:(1501): sending packet to 222.222.222.222 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
416872: Mar 28 15:42:24.471 UTC: ISAKMP:(1501):Sending an IKE IPv4 Packet.
416873: Mar 28 15:42:24.471 UTC: ISAKMP:(1501):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

416874: Mar 28 15:42:24.471 UTC: ISAKMP:(1501):Old State = IKE_I_MM4 New State = IKE_I_MM5

 

After that it looks like MM6 is not received, and 8 seconds later a new MM1 is sent...

Something is probably blocking UDP/4500 on the path between the routers.
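The two phase 1 failures worked through in this thread (an ISAKMP key bound to the peer's private address instead of the address its packets actually arrive from, and MM5 going out on UDP/4500 with nothing ever coming back on 4500) both leave a recognisable footprint in "debug crypto isakmp" output. The following is an added example, not code from the thread or from Cisco: it parses constructed debug lines modelled on the ones quoted above (the 111.111.111.111 / 222.222.222.222 placeholders are the thread's own) and names the pattern it finds; the function and field names are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed samples modelled on the "debug crypto isakmp" lines quoted in the
# thread; the addresses are the thread's own placeholder values.
ROUTER1_DEBUG = """\
416864: Mar 28 15:42:24.471 UTC: ISAKMP (1501): My hash no match - this node inside NAT
416871: Mar 28 15:42:24.471 UTC: ISAKMP:(1501): sending packet to 222.222.222.222 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
416874: Mar 28 15:42:24.471 UTC: ISAKMP:(1501):Old State = IKE_I_MM4 New State = IKE_I_MM5
416955: Mar 28 15:42:34.411 UTC: ISAKMP (1501): received packet from 222.222.222.222 dport 500 sport 500 Global (I) MM_KEY_EXCH
416956: Mar 28 15:42:34.411 UTC: ISAKMP:(1501): phase 1 packet is a duplicate of a previous packet.
416959: Mar 28 15:42:34.911 UTC: ISAKMP (1501): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
416961: Mar 28 15:42:34.911 UTC: ISAKMP:(1501): sending packet to 222.222.222.222 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
"""
ROUTER2_PSK_DEBUG = """\
461180: Mar 28 16:23:52.581 UTC+2: ISAKMP-ERROR: (0):No pre-shared key with 111.111.111.111!
"""

SEND_RE = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+) \(([IR])\) (\w+)")
RECV_RE = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+) Global \(([IR])\) (\w+)")
STATE_RE = re.compile(r"New State = (\w+)")
RETRANS_RE = re.compile(r"incrementing error counter on sa, attempt (\d+) of (\d+)")
NO_PSK_RE = re.compile(r"No pre-shared key with (\S+)!")


@dataclass
class Phase1Trace:
    nat_detected: bool = False
    states: list = field(default_factory=list)     # phase 1 states entered, in order
    sent: list = field(default_factory=list)       # (exchange, local UDP port) we sent on
    received: list = field(default_factory=list)   # (exchange, local UDP port) we received on
    retransmits: int = 0                           # highest "attempt N of 5" seen
    missing_psk_for: str = ""                      # peer named in a no-PSK error, if any


def parse_debug(text: str) -> Phase1Trace:
    """Collect the phase 1 facts that matter from one router's ISAKMP debug."""
    t = Phase1Trace()
    for line in text.splitlines():
        if "inside NAT" in line:            # NAT-D hash mismatch: NAT-T will be used
            t.nat_detected = True
        if m := STATE_RE.search(line):
            t.states.append(m.group(1))
        if m := SEND_RE.search(line):
            t.sent.append((m.group(5), int(m.group(2))))
        if m := RECV_RE.search(line):
            t.received.append((m.group(5), int(m.group(2))))
        if m := RETRANS_RE.search(line):
            t.retransmits = max(t.retransmits, int(m.group(1)))
        if m := NO_PSK_RE.search(line):
            t.missing_psk_for = m.group(1)
    return t


def diagnose(t: Phase1Trace) -> str:
    """Name the failure pattern, covering the two cases worked through in the thread."""
    if t.missing_psk_for:
        return (f"no ISAKMP key for peer {t.missing_psk_for}: the 'crypto isakmp key' "
                "entry must use the address the peer arrives from (its public, post-NAT one)")
    sent_4500 = any(port == 4500 for _, port in t.sent)
    got_4500 = any(port == 4500 for _, port in t.received)
    if t.nat_detected and sent_4500 and not got_4500 and t.retransmits >= 1:
        return ("NAT-T moved IKE to UDP/4500 after MM4, but nothing has come back on 4500 "
                "and MM5 is being retransmitted: verify UDP/4500 is permitted end to end")
    if sent_4500 and got_4500:
        return "IKE traffic flows both ways on UDP/4500; phase 1 transport is not the problem"
    return "no known phase 1 failure pattern found"
```

Paste a router's real debug capture into a string and call diagnose(parse_debug(text)); the regexes also match the ISAKMP-PAK: form of the lines that Router2 produces.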

 

Hi Deepak Kumar, I need help:

I have 2 offices: the head office GM and the branch office PL. They are joined by a site-to-site VPN and everything works great. I now have a new office called PL2 in another building. I want to connect my PL2 office to that local network in any way and let PL2 access the internet with the PL office's public IP. In short, I want the PL2 router to work seamlessly with GM and PL, just as the PL router works with GM.

Assume that PL2 and PL are the same office; PL2 should see both PL and GM.

 
