05-20-2012 03:22 AM
Hello everybody,
I've got some issues here, so I hope you can help me out.
What I'm trying to do is set up a VPN between these two routers. I've checked the configuration many times, but I didn't find the problem.
PS: Sorry for hiding the public addresses and info; it's just that my company does not want to share them.
Here's the debug from the SR520:
Mar 3 16:06:12.359: ISAKMP (0:0): received packet from xxxx.xxxx.xxxx.xxxx dport 500 sport 500 Global (N) NEW SA
*Mar 3 16:06:12.359: ISAKMP: Created a peer struct for 1xxxx.xxxx.xxxx.xxxx, peer port 500
*Mar 3 16:06:12.359: ISAKMP: New peer created peer = 0x83B94084 peer_handle = 0x8000000B
*Mar 3 16:06:12.359: ISAKMP: Locking peer struct 0x83B94084, refcount 1 for crypto_isakmp_process_block
*Mar 3 16:06:12.359: ISAKMP: local port 500, remote port 500
*Mar 3 16:06:12.359: insert sa successfully sa = 847E3DB8
*Mar 3 16:06:12.363: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 3 16:06:12.363: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Mar 3 16:06:12.363: ISAKMP:(0): processing SA payload. message ID = 0
*Mar 3 16:06:12.363: ISAKMP:(0):No pre-shared key with xxxx.xxxx.xxxx.xxxx!
*Mar 3 16:06:12.363: ISAKMP : Scanning profiles for xauth ...
*Mar 3 16:06:12.363: ISAKMP:(0):Checking ISAKMP transform 0 against priority 1 policy
*Mar 3 16:06:12.363: ISAKMP: life type in seconds
*Mar 3 16:06:12.363: ISAKMP: life duration (basic) of 28800
*Mar 3 16:06:12.363: ISAKMP: encryption DES-CBC
*Mar 3 16:06:12.363: ISAKMP: hash MD5
*Mar 3 16:06:12.363: ISAKMP: auth pre-share
*Mar 3 16:06:12.363: ISAKMP: default group 1
*Mar 3 16:06:12.363: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Mar 3 16:06:12.363: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 3 16:06:12.363: ISAKMP:(0):no offers accepted!
*Mar 3 16:06:12.363: ISAKMP:(0): phase 1 SA policy not acceptable! (local xxxx.xxxx.xxxx.xxxx remote 1xxxx.xxxx.xxxx.xxxx)
*Mar 3 16:06:12.363: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Mar 3 16:06:12.363: ISAKMP:(0): sending packet to xxxx.xxxx.xxxx.xxxx my_port 500 peer_port 500 (R) MM_NO_STATE
*Mar 3 16:06:12.363: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 3 16:06:12.363: ISAKMP:(0):peer does not do paranoid keepalives.
ot accepted" state (R) MM_NO_STATE (peer 1xxxx.xxxx.xxxx.xxxx)
*Mar 3 16:06:12.363: ISAKMP (0:0): FSM action returned error: 2
*Mar 3 16:06:12.363: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 3 16:06:12.363: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Mar 3 16:06:12.367: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer xxxx.xxxx.xxxx.xxxx)
*Mar 3 16:06:12.367: ISAKMP: Unlocking peer struct 0x83B94084 for isadb_mark_sa_deleted(), count 0
*Mar 3 16:06:12.367: ISAKMP: Deleting peer node by peer_reap for xxxx.xxxx.xxxx.xxxx: 83B94084
*Mar 3 16:06:12.367: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 3 16:06:12.367: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
*Mar 3 16:06:12.367: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Mar 3 16:06:12.367: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 190.75.132.212)
*Mar 3 16:06:12.367: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*Mar 3 16:06:12.367: ISAKMP:(0):Old State = IKE_DEST_SA New State = IKE_DEST_SA
HERE'S THE CONFIGURATION SR520:
Current configuration : 5091 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SR520_LEBRUN
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$UuTx$Y.koYevk4/LPbBf64zkuS0
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login tango_authen_login line local
aaa authorization exec default local
aaa authorization exec tango_author_exec if-authenticated
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3291959072
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3291959072
revocation-check none
rsakeypair TP-self-signed-3291959072
!
!
crypto pki certificate chain TP-self-signed-3291959072
certificate self-signed 01
quit
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool 1
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
domain-name labrun_ncp.com
dns-server 200.44.32.12 200.11.248.12
!
!
ip cef
ip domain name lebrun_ncp.com
ip ddns update method sdm_ddns1
HTTP
add http://xxxx.xxxx.xxxx.xxxx@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://xxxx.xxxx.xxxx.xxxx@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 2 0 0 0
interval minimum 1 0 0 0
!
no vlan accounting input
!
no ipv6 cef
multilink bundle-name authenticated
!
!
username Admin privilege 15 secret 5 $1$cixn$hZS19piuPlZSX9vDLPCbK1
!
!
crypto isakmp policy 1
encryp des
hash md5
authentication pre-share
lifetime 28800
crypto isakmp key xxxxxxx address 192.168.4.0 255.255.255.0
!
crypto ipsec security-association idle-time 300
!
crypto ipsec transform-set VPN_LEBRUN_TIMON esp-des esp-md5-hmac
!
crypto map LEBRU_TIMON 1 ipsec-isakmp
set peer xxxx.xxxx.dyndns.org
set transform-set VPN_LEBRUN_TIMON
match address 110
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
description INTERFACE DIRECTLY CONNECTED TO IPPX KX-NCP1000
switchport access vlan 2
!
interface FastEthernet1
description INTERFACE DIRECTLY CONNECTED TO RECORDING SERVER POLTYS POLTYS_NCP
switchport access vlan 2
!
interface FastEthernet2
description FREE
switchport access vlan 2
!
interface FastEthernet3
description FREE
switchport access vlan 2
!
interface FastEthernet4
description INTERFACE DIRECTLY CONNECTED TO MODEM ADLS NETOPIA 2246n-XG
ip dhcp client update dns server none
ip ddns update hostname xxxx.xxxx.dyndns.org
ip ddns update sdm_ddns1
ip address dhcp client-id FastEthernet4
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map LEBRU_TIMON
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip default-gateway 192.168.2.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
ip http server
ip http secure-server
ip http client username Admin
ip http client password 0 xxxx.xxxx
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 115 interface FastEthernet4 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 115 deny ip 0.0.2.0 192.168.4.0 any
access-list 115 permit ip 192.168.2.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
banner login ^COUTE^C
banner motd ^COUTE^C
!
line con 0
password telguer001
no modem enable
line aux 0
line vty 0 4
authorization exec tango_author_exec
login authentication tango_authen_login
!
scheduler max-task-time 5000
end
RV042 CONFIG:
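The phase-1 failure shown in the SR520 debug can be triaged mechanically. The following Python script is an added example, not part of the original post or of Cisco IOS: it rejoins the debug lines that were wrapped mid-message, extracts the peer's offered phase-1 attributes and the failure reasons, flags weak attributes, and checks whether any configured "crypto isakmp key ... address A M" entry actually covers the peer; the peer address 198.51.100.7 is a constructed placeholder standing in for the redacted public address.

```python
# Added example (not from the post): triage IOS 'debug crypto isakmp' phase-1 output:
# unwrap wrapped lines, extract offered attributes and failure reasons, flag weak ones,
# and check whether a configured 'crypto isakmp key ... address A M' covers the peer.
import ipaddress
import re
# Constructed sample modelled on the post; 198.51.100.7 is a placeholder peer address.
DEBUG = """*Mar 3 16:06:12.359: ISAKMP (0:0): received packet from 198.51.100.7 dport 50
0 sport 500 Global (N) NEW SA
*Mar 3 16:06:12.363: ISAKMP:(0):No pre-shared key with 198.51.100.7!
*Mar 3 16:06:12.363: ISAKMP: encryption DES-CBC
*Mar 3 16:06:12.363: ISAKMP: hash MD5
*Mar 3 16:06:12.363: ISAKMP: default group 1
*Mar 3 16:06:12.363: ISAKMP:(0):Preshared authentication offered but does not m
atch policy!
*Mar 3 16:06:12.363: ISAKMP:(0): phase 1 SA policy not acceptable!
"""
CONFIG = "crypto isakmp key xxxxxxx address 192.168.4.0 255.255.255.0\n"  # as in the post
TS = re.compile(r"^\*?[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+: ")  # IOS timestamp prefix
WEAK = {"encryption": {"DES-CBC"}, "hash": {"MD5"}, "default group": {"1", "2"}}
def unwrap(text):
    """Glue each line lacking a timestamp prefix onto the previous line."""
    out = []
    for line in text.splitlines():
        if TS.match(line) or not out:
            out.append(line)
        else:
            out[-1] += line
    return out
def key_covers(peer, config_text):
    """True if some 'crypto isakmp key ... address A [M]' entry includes the peer."""
    for m in re.finditer(r"crypto isakmp key \S+ address (\S+)(?: (\S+))?", config_text):
        net = ipaddress.ip_network(f"{m[1]}/{m[2] or '255.255.255.255'}", strict=False)
        if ipaddress.ip_address(peer) in net:
            return True
    return False
def triage(debug_text, config_text):
    rep = {"peer": None, "offered": {}, "weak": [], "errors": [], "key_covers_peer": False}
    for ln in unwrap(debug_text):
        if m := re.search(r"No pre-shared key with ([\d.]+)!", ln):
            rep["peer"] = m[1]
            rep["errors"].append("no_psk_for_peer")
        if m := re.search(r"ISAKMP: +(encryption|hash|auth|default group) (\S+)$", ln):
            rep["offered"][m[1]] = m[2]
            if m[2] in WEAK.get(m[1], ()):
                rep["weak"].append(f"{m[1]} {m[2]}")
        if "does not match policy" in ln:
            rep["errors"].append("auth_mismatch")
        if "policy not acceptable" in ln:
            rep["errors"].append("phase1_rejected")
    rep["key_covers_peer"] = bool(rep["peer"]) and key_covers(rep["peer"], config_text)
    return rep
```

With the post's key line, `triage(DEBUG, CONFIG)` reports no_psk_for_peer with key_covers_peer False, because the key is bound to the 192.168.4.0/24 LAN rather than to the address the peer connects from; it also lists DES-CBC, MD5 and group 1 as weak attributes.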