ASR to 8200 for site to site vpn is not working

mmercald
Level 1

I currently am trying to connect my hub ASR router to a user's home router that is behind a Fortigate (we do not manage the Fortigate, so we cannot connect to it). The home router is a C8200. On the Fortigate the techs have NATed UDP 500, UDP 4500, and protocols ESP, AH, and GRE to the 8200. The issue is that I am unable to connect the two together; they appear to be erroring out on the IPsec request.

HUB ROUTER

interface Gi0/0/0
ip address 3.3.3.3 255.255.255.0

crypto keyring spoke-key
pre-shared-key address 4.4.4.4 key aaaaaaa

crypto isakmp profile SPOKE
keyring spoke-key
match identity host spoke.router.com

crypto ipsec profile svti-spoke
set transform-set aes-sha
set isakmp-profile spoke
responder-only

int tunnel12
tunnel mode ipsec ipv4
tunnel source Gi0/0/0
tunnel destination 4.4.4.4
tunnel protection ipsec profile svti-spoke
ip address 192.168.1.1 255.255.255.252

Spoke Router (public is 4.4.4.4)

interface Gi0/0/0
ip address 172.25.1.1 255.255.255.0

hostname spoke
ip domain name router.com

crypto keyring hub-key
pre-shared-key address 3.3.3.3 key aaaaaaa

crypto isakmp profile HUB
keyring hub-key
self-identity fqdn
match identity address 3.3.3.3

crypto ipsec profile svti-hub
set transform-set aes-sha
set isakmp-profile HUB

int tunnel12
tunnel mode ipsec ipv4
tunnel source Gi0/0/0
tunnel destination 3.3.3.3
tunnel protection ipsec profile svti-hub
ip address 192.168.1.2 255.255.255.252

The error I am getting is this:

Aug 28 17:51:57.653: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
Aug 28 17:51:57.653: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.


Any idea what I need to do to get this tunnel working?

6 Replies

@mmercald

Can you provide the full ISAKMP debugs from both routers please? That will provide more of a clue as to where the problem is.

If the router is behind a Fortinet, I assume they have permitted the relevant traffic, udp/500 and udp/4500?

It was already verified that the NATs are being hit.

Attached are the logs

@mmercald the clocks on those debugs are hours out; are they from the same time and the same test?

Check your crypto configuration on both routers.

SPOKE

protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel), esn= FALSE,

HUB

protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),

Either way you can see that the connections are matching the ISAKMP profiles OK: "Aug 28 13:27:36.476 EST: ISAKMP:(0): SA request profile is SPOKE". I don't think changing that will make much difference here.

Only remove the ISAKMP profile and it will work.

MHM

What do you mean, remove the ISAKMP profile? How will the authentication occur?

crypto keyring spoke-key <<- use instead: crypto isakmp key 0 <password> address 0.0.0.0
pre-shared-key address 4.4.4.4 key aaaaaaa

crypto isakmp profile SPOKE <<- remove
keyring spoke-key
match identity host spoke.router.com

crypto ipsec profile svti-spoke
set transform-set aes-sha
set isakmp-profile spoke <<- remove
responder-only

That's it.

MHM
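For reference, here is the complete hub-side configuration that results from applying MHM's answer (keyring and ISAKMP profile removed, global PSK in their place), with the tunnel interface's IP address filled in. This is an added example, not a config from the thread; the ISAKMP policy and the definition of the aes-sha transform set are not on the page and are assumed here.

```cisco
! HUB ROUTER after the accepted answer (added example; assumed parts are marked)
!
! Assumed: an IKEv1 policy must exist for phase 1 to negotiate at all.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
!
! Global PSK replaces the keyring + ISAKMP profile from the original post.
! "address 0.0.0.0" is the wildcard from the accepted answer: any peer that
! presents this key is accepted. If the spoke's NATed public address (4.4.4.4)
! is stable, "address 4.4.4.4" keeps the same fix while limiting which peer
! the key applies to.
crypto isakmp key 0 aaaaaaa address 0.0.0.0
!
! Assumed: the transform set referenced as "aes-sha" in the post, defined to
! match the hub side of the debug ("esp-aes esp-sha-hmac (Tunnel)").
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
 mode tunnel
!
! IPsec profile with the "set isakmp-profile spoke" line removed.
crypto ipsec profile svti-spoke
 set transform-set aes-sha
 responder-only
!
! Tunnel from the post, with the duplicated "tunnel destination" corrected to
! the SVTI's own IP address on the /30.
interface Tunnel12
 ip address 192.168.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 4.4.4.4
 tunnel protection ipsec profile svti-spoke
```

The spoke configuration from the post is unchanged; it still initiates (the hub is responder-only), and NAT traversal on UDP 4500 is negotiated automatically once the Fortigate forwards UDP 500 and 4500 as described.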