06-15-2011 10:39 PM - edited 03-04-2019 12:43 PM
Hi,
I'm facing an issue with VPN tunnel.
Side 1: checkpoint
Phase 2:
phase2ikealgs aes128/sha1
phase2exptime 28800
phase2dhgroup group2
Phase 1:
phase1ikealgs aes128/md5
phase1exptime 1440
phase1dhgroup group2
Side 2: Cisco
crypto map extranet-vpn 250 ipsec-isakmp
set peer x.x.x.x.
set security-association lifetime seconds 28800
set transform-set extranet-vpn-aes128
set pfs group2
crypto map extranet-vpn 250 ipsec-isakmp
set peer x.x.x.x.x
set security-association lifetime seconds 28800
set transform-set extranet-vpn-aes128
set pfs group2
match address vpn-cccc-Prod
Access list is also right.
Log error
7556837: May 31 03:48:27.019: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 210.87.31.253
7556838: May 31 03:50:27.846: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 210.87.31.253
7556839: May 31 03:51:57.431: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 210.87.31.253
7556840: May 31 03:53:57.274: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 210.87.31.253
7556841: May 31 03:55:27.648: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 210.87.31.253
7556842: May 31 03:57:27.163: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 210.87.31.253
7556843: May 31 03:58:57.860: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 210.87.31.253
7556844: May 31 04:00:57.291: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 210.87.31.253
Debug is attached. I have tried with multiple people with no outcome. Hoping to get some answer here.
Thanks
Nirvan
06-15-2011 11:47 PM
Hi Nirvan,
You have an incompatible policy issue. Please check the transform set.
This link may help you out.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00801d55aa.shtml
Regards...
-Ashok.
06-16-2011 12:07 AM
Transform set is as below; it is correct considering the debug output.
crypto ipsec transform-set extranet-vpn-aes128 esp-aes esp-sha-hmac
May 31 03:41:57.664: ISAKMP: transform 1, ESP_AES
7556553: May 31 03:41:57.664: ISAKMP: attributes in transform:
7556554: May 31 03:41:57.664: ISAKMP: SA life type in seconds
7556555: May 31 03:41:57.664: ISAKMP: SA life duration (VPI) of 0x0 0x0 0x70 0x80
7556556: May 31 03:41:57.664: ISAKMP: group is 2
7556557: May 31 03:41:57.664: ISAKMP: encaps is 1 (Tunnel)
7556558: May 31 03:41:57.664: ISAKMP: authenticator is HMAC-SHA
7556559: May 31 03:41:57.664: ISAKMP: key length is 128
7556560: May 31 03:41:57.664: ISAKMP (0:703): atts are acceptable.
7556561: May 31 03:41:57.664: ISAKMP (0:703): IPSec policy invalidated proposal
7556562: May 31 03:41:57.664: ISAKMP (0:703): phase 2 SA policy not acceptable! (local 202.2.57.190 remote 210.87.31.253)
7556563: May 31 03:41:57.664: ISAKMP: set new node 1100023420 to QM_IDLE
7556564: May 31 03:41:57.664: ISAKMP (0:703): sending packet to 210.87.31.253 my_port 500 peer_port 500 (R) QM_IDLE
7556565: May 31 03:41:57.664: ISAKMP (0:703): purging node 1100023420
7556566: May 31 03:41:57.664: ISAKMP (0:703): deleting node 543734380 error TRUE reason "quick mode rejected"
7556567: May 31 03:41:57.664: ISAKMP (0:703): Unknown Input for node 543734380: state = IKE_QM_READY, major = 0x00000001, minor = 0x0000000C
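A small diagnostic script, added here as an example and not part of any post in this thread, that does by code what the replies above do by eye: it decodes the Phase 2 attributes the peer proposed in the ISAKMP debug (including the four-byte lifetime "0x0 0x0 0x70 0x80"), normalises the Checkpoint settings and the Cisco transform-set/crypto-map settings into the same form, reports any attribute mismatch, and counts the %CRYPTO-6-IKMP_MODE_FAILURE syslog lines per peer. The log and debug text embedded below are copied from this thread; the helper names and the IOS keyword-to-attribute tables are my own assumptions, not a Cisco or Checkpoint API.

```python
import re
from collections import Counter

# Constructed input, copied from the thread: three of the recurring syslog lines
# and the Quick Mode debug excerpt showing the peer's Phase 2 proposal.
SYSLOG_LINES = """\
7556837: May 31 03:48:27.019: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 210.87.31.253
7556838: May 31 03:50:27.846: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 210.87.31.253
7556839: May 31 03:51:57.431: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 210.87.31.253
"""

DEBUG_LINES = """\
May 31 03:41:57.664: ISAKMP: transform 1, ESP_AES
7556553: May 31 03:41:57.664: ISAKMP: attributes in transform:
7556554: May 31 03:41:57.664: ISAKMP: SA life type in seconds
7556555: May 31 03:41:57.664: ISAKMP: SA life duration (VPI) of 0x0 0x0 0x70 0x80
7556556: May 31 03:41:57.664: ISAKMP: group is 2
7556557: May 31 03:41:57.664: ISAKMP: encaps is 1 (Tunnel)
7556558: May 31 03:41:57.664: ISAKMP: authenticator is HMAC-SHA
7556559: May 31 03:41:57.664: ISAKMP: key length is 128
7556560: May 31 03:41:57.664: ISAKMP (0:703): atts are acceptable.
7556561: May 31 03:41:57.664: ISAKMP (0:703): IPSec policy invalidated proposal
7556562: May 31 03:41:57.664: ISAKMP (0:703): phase 2 SA policy not acceptable! (local 202.2.57.190 remote 210.87.31.253)
"""

ATTRIBUTE_KEYS = ("transform", "key_length", "auth", "life_seconds", "pfs_group", "encaps")
# Assumed mapping of IOS transform-set keywords to the names IOS prints in the debug.
ESP_AUTH = {"esp-sha-hmac": "HMAC-SHA", "esp-md5-hmac": "HMAC-MD5"}
CHECKPOINT_AUTH = {"sha1": "HMAC-SHA", "md5": "HMAC-MD5"}
FAILURE_RE = re.compile(r"%CRYPTO-6-IKMP_MODE_FAILURE: Processing of (\w+) mode failed with peer at (\S+)")


def decode_life_duration(hex_bytes: str) -> int:
    """Decode the big-endian byte list IOS prints for the SA lifetime into seconds."""
    octets = bytes(int(tok, 16) for tok in hex_bytes.split())
    return int.from_bytes(octets, "big")


def parse_quick_mode_proposal(debug: str) -> dict:
    """Extract the peer's Phase 2 proposal attributes from 'debug crypto isakmp' text."""
    def grab(pattern, conv=str):
        m = re.search(pattern, debug)
        return conv(m.group(1)) if m else None

    return {
        "transform": grab(r"ISAKMP: transform \d+, (\S+)"),
        "life_seconds": grab(r"SA life duration \(VPI\) of ([0-9a-fx ]+)", decode_life_duration),
        "pfs_group": grab(r"ISAKMP: group is (\d+)", int),
        "encaps": grab(r"encaps is \d+ \((\w+)\)"),
        "auth": grab(r"authenticator is (\S+)"),
        "key_length": grab(r"key length is (\d+)", int),
        "atts_acceptable": "atts are acceptable" in debug,
        "policy_invalidated": "IPSec policy invalidated proposal" in debug,
    }


def expected_from_cisco(transform_set_line: str, lifetime_seconds: int, pfs_group: int) -> dict:
    """Normalise 'crypto ipsec transform-set NAME ...' plus crypto-map lifetime/PFS settings."""
    tokens = transform_set_line.split()
    params = tokens[tokens.index("transform-set") + 2:]  # skip the set name
    enc, keylen, auth = None, None, None
    for i, tok in enumerate(params):
        if tok == "esp-aes":
            enc = "ESP_AES"
            nxt = params[i + 1] if i + 1 < len(params) else ""
            keylen = int(nxt) if nxt.isdigit() else 128  # bare esp-aes is 128-bit on IOS
        elif tok == "esp-3des":
            enc, keylen = "ESP_3DES", None
        elif tok in ESP_AUTH:
            auth = ESP_AUTH[tok]
    return {"transform": enc, "key_length": keylen, "auth": auth,
            "life_seconds": lifetime_seconds, "pfs_group": pfs_group, "encaps": "Tunnel"}


def expected_from_checkpoint(ike_algs: str, exptime_seconds: int, dh_group: str) -> dict:
    """Normalise Checkpoint 'phase2ikealgs aes128/sha1', 'phase2exptime', 'phase2dhgroup'."""
    enc, auth = ike_algs.lower().split("/")
    m = re.fullmatch(r"aes(\d+)", enc)
    transform, keylen = ("ESP_AES", int(m.group(1))) if m else (enc.upper(), None)
    return {"transform": transform, "key_length": keylen, "auth": CHECKPOINT_AUTH.get(auth, auth.upper()),
            "life_seconds": exptime_seconds, "pfs_group": int(dh_group.replace("group", "")),
            "encaps": "Tunnel"}


def mismatches(observed: dict, expected: dict) -> list:
    """List every Phase 2 attribute on which the two sides disagree."""
    return [f"{k}: {observed.get(k)!r} vs {expected[k]!r}"
            for k in ATTRIBUTE_KEYS if observed.get(k) != expected[k]]


def failures_per_peer(syslog: str) -> Counter:
    """Count IKMP_MODE_FAILURE events by (peer, mode) for a quick detection view."""
    return Counter((m.group(2), m.group(1)) for m in FAILURE_RE.finditer(syslog))


def diagnose(debug: str, local_expected: dict) -> str:
    """Point at the stage of Quick Mode where the rejection happened."""
    proposal = parse_quick_mode_proposal(debug)
    diffs = mismatches(proposal, local_expected)
    if diffs:
        return "proposal attributes differ from local policy: " + "; ".join(diffs)
    if proposal["atts_acceptable"] and proposal["policy_invalidated"]:
        return ("proposal attributes match local policy; rejection came after attribute matching, "
                "so compare the proxy identities next (crypto ACL vs. the peer's encryption domain)")
    return "no Quick Mode rejection found in this debug"


if __name__ == "__main__":
    cisco = expected_from_cisco("crypto ipsec transform-set extranet-vpn-aes128 esp-aes esp-sha-hmac", 28800, 2)
    checkpoint = expected_from_checkpoint("aes128/sha1", 28800, "group2")
    print("config mismatch between sides:", mismatches(checkpoint, cisco) or "none")
    print("failure counts:", dict(failures_per_peer(SYSLOG_LINES)))
    print(diagnose(DEBUG_LINES, cisco))
```

Run against the thread's data, the attribute comparison comes back empty for both the Checkpoint-vs-Cisco settings and the peer's live proposal, which agrees with the "atts are acceptable" line; the rejection is logged only afterwards, so the script points at the stage after attribute matching rather than at the transform set.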
06-16-2011 03:23 AM
Hi Nirvan,
What state are you able to see with your remote peer?
Please paste the "sh cry isa sa" output here.
As per the log it seems there was no ISAKMP policy match between the two endpoints.
Please check the pre-shared key, which should be the same at both endpoints.
If the preshared secrets are not the same on both sides, the negotiation will fail.
Please rate the helpful posts.
Regards,
Naidu.