09-22-2011 09:32 AM
I am getting the following error message while trying to create a VPN tunnel between an ASA5520 and a 2921 router. Config attached. Please help.
Error Message
Sep 22 16:28:48.150: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 63.240.91.172 was not encrypted and it should've been..
09-22-2011 10:55 AM
Hi !
on the router side there is no encryption defined in the isakmp policy :
crypto isakmp policy 2
authentication pre-share
crypto isakmp key xxxx address 63.240.91.172
On the ASA's side you have :
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
You need to configure encryption, hash, group and lifetime on the router side too.
Regards.
09-22-2011 11:08 AM
Thank you... However, I am getting a new message:
Sep 22 18:07:28.082: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 63.240.91.172.....
09-22-2011 11:13 AM
Another thing I noticed: when I change the config on the router, it doesn't stay there. It always goes back to what you were viewing.
09-22-2011 11:52 AM
Hi !
CRYPTO-6-IKMP_MODE_FAILURE means an isakmp policy mismatch (that's what we're trying) and/or a pre-shared key mismatch.
OK, try to reconfigure the isakmp policy:
conf t
!
crypto isakmp policy 2
encr des
authentication pre-share
group 1
!
Clear phase 1 tunnels and try to force traffic in both sides.
clear isakmp sa
ping < 10.50.X.X > source 192.168.140.3
or
ping < 10.50.X.X > source-interface GigabitEthernet0/1
Debugging is also your friend :-)
debug crypto isakmp
debug crypto ipsec
Good luck
regards
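As an added example (not code from the thread), the following Python script compares the ISAKMP phase-1 policies of two peers the way you would by eye after `sh crypto isakmp policy` on both sides, and lists the attributes that differ. The router policy is the one reconfigured above, the ASA policy is the one quoted earlier in the thread, and the third policy is a constructed variant with a different hash and DH group to show what a mismatch report looks like. The defaults applied to omitted lines (des / sha / rsa-sig / group 1 / 86400) are the IOS defaults and are an assumption of the model; a wrong pre-shared key is not something this check can see.

```python
"""Added example: compare IKEv1 phase-1 (ISAKMP) policies from two peers and
report attribute mismatches, a common cause of %CRYPTO-6-IKMP_MODE_FAILURE."""
import re

# Values assumed when a policy omits an attribute (assumption: IOS defaults of
# des / sha / rsa-sig / group 1 / 86400 s; adjust if your platform differs).
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
# Keywords as they appear in a running-config, mapped to attribute names.
KEYWORDS = {"encr": "encryption", "encryption": "encryption", "hash": "hash",
            "authentication": "authentication", "group": "group",
            "lifetime": "lifetime"}
# Lifetime is negotiated (the shorter value wins), so it is reported but is
# not treated as a hard mismatch.
STRICT = ("encryption", "hash", "authentication", "group")


def parse_policies(config):
    """Return {priority: {attribute: value}} for every 'crypto isakmp policy N' block."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = dict(DEFAULTS)
            policies[int(m.group(1))] = current
            continue
        parts = line.split()
        attr = KEYWORDS.get(parts[0])
        if current is not None and attr is not None and len(parts) >= 2:
            current[attr] = parts[1].lower()
        else:
            current = None  # any other line ends the policy block
    return policies


def mismatches(local, remote):
    """Describe every strict attribute that differs; an empty list means the pair can negotiate."""
    return [f"{attr}: local={local[attr]} remote={remote[attr]}"
            for attr in STRICT if local[attr] != remote[attr]]


def compatible_pairs(local_cfg, remote_cfg):
    """(local_priority, remote_priority) pairs that agree on every strict attribute,
    in the order IKE tries them (lowest priority number first)."""
    lp, rp = parse_policies(local_cfg), parse_policies(remote_cfg)
    return [(lprio, rprio) for lprio, lpol in sorted(lp.items())
            for rprio, rpol in sorted(rp.items()) if not mismatches(lpol, rpol)]


def report(local_cfg, remote_cfg):
    """Human-readable summary of every policy pair."""
    lp, rp = parse_policies(local_cfg), parse_policies(remote_cfg)
    lines = []
    for lprio, lpol in sorted(lp.items()):
        for rprio, rpol in sorted(rp.items()):
            diff = mismatches(lpol, rpol)
            status = "OK" if not diff else "MISMATCH " + "; ".join(diff)
            if lpol["lifetime"] != rpol["lifetime"]:
                status += (f" (lifetime differs: {lpol['lifetime']} vs "
                           f"{rpol['lifetime']}, shorter wins)")
            lines.append(f"local policy {lprio} <-> remote policy {rprio}: {status}")
    return "\n".join(lines)


# Router policy as reconfigured in the thread (hash is left to the default).
ROUTER = """\
crypto isakmp policy 2
 encr des
 authentication pre-share
 group 1
"""
# ASA policy as quoted in the thread.
ASA = """\
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
"""
# Constructed variant with a different hash and DH group to show a mismatch.
ASA_MISMATCHED = ASA.replace("hash sha", "hash md5").replace("group 1", "group 2")

if __name__ == "__main__":
    print(report(ROUTER, ASA))
    print(report(ROUTER, ASA_MISMATCHED))
```

Paste each side's `sh run | section crypto isakmp policy` output into the two strings; any pair reported as OK is one the peers can actually agree on, and if there is none you know phase 1 cannot complete regardless of the pre-shared key.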
09-22-2011 11:53 AM
Hi!
also you can try another encryption. Remember to change it in both sides.
Regards
09-22-2011 12:40 PM
Good and bad news.
Good news is that the tunnel came up. The bad news is I cannot ping the IPs from one end to the other.
Any idea?
09-22-2011 01:10 PM
Hi !
you must bypass NAT overload on the router for traffic to the remote network.
You have a rule that translates all your 192.168.0.0/24 to the wan interface
ip nat inside source list NAT-ADDRESSES interface GigabitEthernet0/2 overload
ip access-list standard NAT-ADDRESSES
permit 192.168.140.0
permit 10.10.10.0 0.0.0.255
You also have a route map to bypass it but it's not applied:
route-map NO-NAT permit 10
match ip address 110
access-list 110 deny ip 192.168.140.0 0.0.0.255 10.50.0.0 0.0.255.255
The route map is not applied in any nat statement.
Regards
09-22-2011 01:15 PM
Hello a yussuf
1. The combination of encryption DES and hashing algorithm SHA is known to have issues on Cisco platforms,
so instead of using it use any other combination like md5 des or sha 3des.
2. If the tunnel is up and not passing traffic, verify that the crypto access-lists are mirror images of each other.
3. The direction of the crypto access-list should always be from local network to remote network.
4. Also an appropriate NAT exemption should be configured for the same on the ASA and router.
If this does not help
Further
1) I would like to review the configuration of your device and the remote device; please send me the output of the command sh tech so that I can analyze the configuration of the device.
2) Apart from this please run these commands (with a time lag of 30 seconds, at least 5 times) and send the output of the commands listed below, so that we can review counters for encapsulated and decapsulated packets
A) On Local Side
a) sh crypto isakmp sa
b) sh crypto ipsec sa
B) On Remote Side
a) sh crypto isakmp sa
b) sh crypto ipsec sa
3) For further investigation please run the debugs listed below on the local and remote devices.
a) debug crypto isakmp
b) debug crypto ipsec
c) debug crypto condition peer < Peer address or hostname>
Regards
Rahul Ilwadhi
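Two of the "tunnel up but no traffic" causes raised in this thread, a NAT rule that translates VPN traffic before the crypto map sees it and crypto access-lists that are not mirror images, can both be checked offline. The script below is an added example, not code from the thread or from Cisco: it parses IOS wildcard-mask and ASA subnet-mask entries with the same function, reports whether two crypto ACLs mirror each other, and models the router's NAT decision with and without the NO-NAT route-map. The router crypto ACL and the ASA access-list are constructed from the networks in the thread, and the `permit ... any` line in ACL 110 is an assumption (the thread shows only the deny line; without a permit, no traffic would be translated once the route-map is applied).

```python
"""Added example: check that two crypto ACLs mirror each other and model the IOS
NAT decision with and without the 'route-map NO-NAT' from the thread."""
import ipaddress


def parse_ace(line):
    """Parse one 'permit|deny ip SRC MASK DST MASK' entry into (action, src_net, dst_net).

    IOS wildcard masks ('10.50.0.0 0.0.255.255') and ASA subnet masks
    ('10.50.0.0 255.255.0.0') both work: ipaddress treats a mask whose first
    octet is zero as a hostmask and any other mask as a netmask. A leading
    'access-list NAME extended' or sequence number is skipped.
    """
    tokens = line.split()
    start = next(i for i, t in enumerate(tokens) if t in ("permit", "deny"))
    action, proto, rest = tokens[start], tokens[start + 1], tokens[start + 2:]
    if proto != "ip":
        raise ValueError(f"only 'ip' entries are modelled here: {line}")
    nets = []
    while len(nets) < 2:
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ipaddress.ip_network(rest[1] + "/32"))
            rest = rest[2:]
        else:
            nets.append(ipaddress.ip_network(f"{rest[0]}/{rest[1]}"))
            rest = rest[2:]
    return action, nets[0], nets[1]


def mirror_mismatch(local_acl, remote_acl):
    """Entries that have no mirrored counterpart on the other side.

    The remote ACL is flipped (src <-> dst) and compared as a set with the local
    one; an empty result means the two crypto ACLs are exact mirror images.
    """
    local = {parse_ace(entry) for entry in local_acl}
    remote_flipped = {(a, d, s) for a, s, d in map(parse_ace, remote_acl)}
    return local ^ remote_flipped


def acl_lookup(acl, src, dst):
    """First-match evaluation of an extended ACL, including the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in map(parse_ace, acl):
        if s in src_net and d in dst_net:
            return action
    return "deny"


def nat_translates(src, dst, nonat_acl=None):
    """Model 'ip nat inside source ... overload' for an inside host that the NAT
    list matches (assumption: src is covered by NAT-ADDRESSES).

    Without a route-map every such packet is translated, so VPN traffic leaves
    with the WAN address and no longer matches the crypto ACL. With
    'ip nat inside source route-map NO-NAT interface ... overload', the packet
    is translated only if route-map NO-NAT permits it, i.e. only if its
    'match ip address 110' ACL permits it; a deny in ACL 110 exempts it.
    """
    if nonat_acl is None:
        return True
    return acl_lookup(nonat_acl, src, dst) == "permit"


# Router crypto ACL (IOS wildcard form) and ASA crypto ACL (ASA netmask form),
# constructed from the networks used in the thread.
ROUTER_CRYPTO_ACL = ["permit ip 192.168.140.0 0.0.0.255 10.50.0.0 0.0.255.255"]
ASA_CRYPTO_ACL = ["access-list outside_cryptomap extended permit ip "
                  "10.50.0.0 255.255.0.0 192.168.140.0 255.255.255.0"]
# Constructed misconfiguration: the ASA only covers 10.50.0.0/24.
ASA_CRYPTO_ACL_WRONG = ["access-list outside_cryptomap extended permit ip "
                        "10.50.0.0 255.255.255.0 192.168.140.0 255.255.255.0"]

# ACL 110 for route-map NO-NAT: the deny line is from the thread, the permit
# line is an assumption so that non-VPN traffic is still translated.
ACL_110 = [
    "deny ip 192.168.140.0 0.0.0.255 10.50.0.0 0.0.255.255",
    "permit ip 192.168.140.0 0.0.0.255 any",
]

if __name__ == "__main__":
    print("mirror OK:", not mirror_mismatch(ROUTER_CRYPTO_ACL, ASA_CRYPTO_ACL))
    print("mirror diff:", mirror_mismatch(ROUTER_CRYPTO_ACL, ASA_CRYPTO_ACL_WRONG))
    for dst in ("10.50.1.1", "203.0.113.10"):
        print(dst, "translated without route-map:", nat_translates("192.168.140.3", dst),
              "| with NO-NAT:", nat_translates("192.168.140.3", dst, ACL_110))
```

The useful outputs are the two negative cases: a non-empty mirror difference names exactly which entry one side is missing, and `nat_translates` returning True for a VPN destination tells you the packet will be sourced from the WAN address and therefore never match the crypto ACL, which is what the thread's `sh crypto ipsec sa` counters would show as encaps staying at zero.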
09-23-2011 06:36 AM