Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
480
Views
0
Helpful
1
Replies

site to site vpn problum..

mustafa.mail
Level 1
Level 1

‎04-03-2004 11:46 PM

Hi,

I am trying to configure site to site VPN between VPN Consentrator and cisco 2600 router. I configured following parameter on consentrator.

VPN Gateway IP address: x.x.x.x

VPN Parameters:

Authentication:ESP/MD5/HMAC-128

Encryption:3DES-168

IKE – Proposal: IKE-3DES-MD5-DH2

IPSec Parameters:

Encapsulation Mode: Tunnel

Life Time Measurement: Time

Time Life Time: 28800

IKE Proposal

Negotiation Mode: Main

Now I configured following configuration on router 2600.

crypto isakmp policy 110

encr 3des

hash md5

authentication pre-share

group 2

lifetime 28800

crypto isakmp key xxxx address x.x.x.x

!

!

crypto ipsec transform-set mine esp-3des esp-md5-hmac

!

crypto map mymap 10 ipsec-isakmp

set peer 10.200.1.5

set transform-set mine

match address 102

interface FastEthernet0/0

description Link to MTC

ip address 172.16.10.2 255.255.255.255

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 192.168.0.146 255.255.255.0

duplex auto

speed auto

crypto map mymap

!

ip classless

ip route 0.0.0.0 0.0.0.0 172.16.10.1

access-list 102 permit ip host 10.200.1.5 host 172.16.10.2

access-list 102 permit tcp host 192.168.200.11 host 192.168.0.145 eq www

access-list 102 permit tcp host 192.168.0.145 host 192.168.200.11 eq www

access-list 102 permit ip host 172.16.10.2 host 10.200.1.5

Now,I chacked but tunnel is not able to intialize.I start the debug and found that it's not passing the Main mode.

debug is as follow:

06:20:07: ISAKMP (0:2): beginning Quick Mode exchange, M-ID of -965948346

06:20:07: ISAKMP (0:2): sending packet to 10.200.1.5 (I) QM_IDLE

06:20:08: ISAKMP (0:2): received packet from 10.200.1.5 (I) QM_IDLE

06:20:08: ISAKMP (0:2): processing HASH payload. message ID = -1315122878

06:20:08: ISAKMP:received payload type 15

06:20:08: ISAKMP (0:2): processing DELETE_WITH_REASON payload, message ID = -1315122878, reason: Unknown delete reason!

06:20:08: ISAKMP (0:2): peer does not do paranoid keepalives.

06:20:08: ISAKMP (0:2): deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE (peer 10.200.1.5) input queue 0

06:20:08: ISAKMP (0:2): deleting node -965948346 error FALSE reason "P1 delete notify (in)"

06:20:08: ISAKMP (0:2): deleting node -1315122878 error FALSE reason "P1 delete notify (in)"

06:20:28: ISAKMP (0:1): purging node 567915527

06:20:28: ISAKMP (0:1): purging node 1955492785

what should be a problum?

Best regards,

banno

Labels:
0 Helpful
1 Reply 1

umedryk
Level 5
Level 5

‎04-08-2004 12:31 PM

Mismatch of IKE phase II atts(check your ipsec transformset); Also, check the network list to match the exact networks defined on the access-list on the router and the logs of the concentrator.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents