Site-to-Site VPN stuck at MM_WAIT_MSG4

EDIT: Thanks for the help! I fixed the configuration and all has been fixed.

1 ACCEPTED SOLUTION

RJI Collaborator

Re: Site-to-Site VPN stuck at MM_WAIT_MSG4

Hi,
On FW2 you've configured the crypto map sequence number 11; is this the correct VPN sequence for the FW1 peer? If so, you've configured "pfs" and "ikev1 phase1-mode aggressive" under this crypto map on FW2, but you don't have the same configured on FW1.

FW1
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set peer aa.aa.aa.aa
crypto map outside_map 1 set ikev1 transform-set AES-256-SHA
crypto map outside_map interface outside

FW2
crypto map outside_map 11 match address management_cryptomap_2
crypto map outside_map 11 set pfs
crypto map outside_map 11 set peer cc.cc.cc.cc
crypto map outside_map 11 set ikev1 phase1-mode aggressive
crypto map outside_map 11 set ikev1 transform-set AES-256-SHA

These attributes need to match on both firewalls. I'd recommend not using aggressive mode at all.

HTH
2 REPLIES
RJI Collaborator

Re: Site-to-Site VPN stuck at MM_WAIT_MSG4

Hi,

My first reply was marked as spam for some reason!


The configuration of the crypto maps is different; you need to make sure they match. I'd recommend removing the "ikev1 phase1-mode aggressive" command from the FW2 firewall and adding "pfs" to the FW1 configuration.


FW1
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set peer aa.aa.aa.aa
crypto map outside_map 1 set ikev1 transform-set AES-256-SHA
crypto map outside_map interface outside

FW2
crypto map outside_map 11 match address management_cryptomap_2
crypto map outside_map 11 set pfs
crypto map outside_map 11 set peer cc.cc.cc.cc
crypto map outside_map 11 set ikev1 phase1-mode aggressive
crypto map outside_map 11 set ikev1 transform-set AES-256-SHA


HTH
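Both replies make the same point: the negotiated attributes of the matching crypto map entries must agree on both peers, and aggressive mode should go. The following added example (not from the thread or from Cisco) parses the two ASA fragments quoted above and reports the mismatches; it assumes the entry names and sequence numbers shown in the thread, and treats the peer address and match ACL as expected to differ.

```python
import re
from collections import defaultdict
# Constructed sample input: the two crypto-map fragments quoted in the thread.
FW1_CONFIG = """
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set peer aa.aa.aa.aa
crypto map outside_map 1 set ikev1 transform-set AES-256-SHA
crypto map outside_map interface outside
"""
FW2_CONFIG = """
crypto map outside_map 11 match address management_cryptomap_2
crypto map outside_map 11 set pfs
crypto map outside_map 11 set peer cc.cc.cc.cc
crypto map outside_map 11 set ikev1 phase1-mode aggressive
crypto map outside_map 11 set ikev1 transform-set AES-256-SHA
"""
# Only numbered entries carry per-peer attributes; the 'interface' binding is skipped.
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set) (.+)$")

def parse_crypto_map(config):
    """Return {(map_name, seq): {attribute: value}} from ASA 'crypto map' lines."""
    entries = defaultdict(dict)
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        name, seq, kind, rest = m.groups()
        tokens = rest.split()
        if kind == "match address":
            key, value = "match-address", tokens[0]
        elif tokens[0] == "ikev1":   # 'set ikev1 transform-set X', 'set ikev1 phase1-mode Y'
            key, value = "ikev1 " + tokens[1], " ".join(tokens[2:])
        else:                        # 'set peer X', 'set pfs [groupN]' (bare pfs -> default group)
            key, value = tokens[0], " ".join(tokens[1:]) or "default"
        entries[(name, int(seq))][key] = value
    return dict(entries)

# Attributes both peers must agree on; 'peer' and the match ACL name the other side, so they differ by design.
NEGOTIATED = ("pfs", "ikev1 transform-set", "ikev1 phase1-mode")

def compare_entries(fw1, fw2):
    """List mismatches between one entry per side, plus the aggressive-mode caveat."""
    findings = []
    for attr in NEGOTIATED:
        a, b = fw1.get(attr, "absent"), fw2.get(attr, "absent")
        if a != b:
            findings.append(f"mismatch {attr}: FW1={a} FW2={b}")
    for side, entry in (("FW1", fw1), ("FW2", fw2)):
        if entry.get("ikev1 phase1-mode") == "aggressive":
            findings.append(f"{side} uses aggressive mode; main mode is preferred")
    return findings
```

Run against the thread's fragments it reports the missing pfs on FW1, the phase1-mode mismatch, and FW2's use of aggressive mode, which is exactly the set of changes the reply recommends.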
