harsha senaratna
Beginner

cannot establish Site to Site VPN....

Hi all,

It is required to set up a site-to-site VPN between a Cisco 7200 and a Check Point firewall.
But the tunnel won't establish and the following error occurred. It's difficult to troubleshoot because the other end is managed by a different party. On our side UDP port 500 is open.

debug crypto isakmp output :

Jul 30 09:50:15.291: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Jul 30 09:50:15.291: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Jul 30 09:50:15.291: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Jul 30 09:50:15.291: ISAKMP:(0): sending packet to <peer-public-ip> my_port 500 peer_port 500 (I) MM_NO_STATE
Jul 30 09:50:15.291: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 30 09:50:25.291: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Jul 30 09:50:25.291: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Jul 30 09:50:25.291: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Jul 30 09:50:25.291: ISAKMP:(0): sending packet to <peer-public-ip> my_port 500 peer_port 500 (I) MM_NO_STATE
Jul 30 09:50:25.291: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 30 09:50:35.287: ISAKMP: set new node 0 to CONF_XAUTH
Jul 30 09:50:35.287: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local <local-ip>, remote <peer-public-ip>)
Jul 30 09:50:35.287: ISAKMP: Error while processing SA request: Failed to initialize SA
Jul 30 09:50:35.287: ISAKMP: Error while processing KMI message 0, error 2.
Jul 30 09:50:35.291: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Jul 30 09:50:35.291: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Jul 30 09:50:35.291: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Jul 30 09:50:35.291: ISAKMP:(0): sending packet to <peer-public-ip> my_port 500 peer_port 500 (I) MM_NO_STATE
Jul 30 09:50:35.291: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 30 09:50:45.291: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Jul 30 09:50:45.291: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Jul 30 09:50:45.291: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Jul 30 09:50:45.291: ISAKMP:(0): sending packet to <peer-public-ip> my_port 500 peer_port 500 (I) MM_NO_STATE
Jul 30 09:50:45.291: ISAKMP:(0):Sending an IKE IPv4 Packet.


7200 config used :

crypto isakmp policy 3
encr 3des
authentication pre-share
group 2

crypto isakmp key <key> address <peer-public-ip>

crypto ipsec transform-set test-s2s-transform esp-3des esp-sha-hmac

crypto map test-s2s 5 ipsec-isakmp
set peer <peer-public-ip>
set transform-set test-s2s-transform
match address 100

access-list 100 <source-ip> <destination-ip>


int gi 0/1
  crypto map test-s2s


Please provide me a way to solve this problem.

Thanks

10 REPLIES
mkdccie
Beginner

Hi harsha,

Can both ends reach each other?

Regards,

MKD
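
Added example (not part of the original thread): a small Python summary of debug crypto isakmp output like the one posted above, reporting whether any packet from the peer was logged, which is the question the reply raises. The sample lines are a constructed, shortened copy of the post's output with 192.0.2.10 standing in for the redacted peer, and the "received packet from" pattern is an assumption about how inbound packets are logged.

```python
import re

# Constructed sample: a shortened copy of the debug lines in the post above,
# with the redacted peer replaced by a documentation address (192.0.2.10).
SAMPLE = """\
Jul 30 09:50:15.291: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Jul 30 09:50:15.291: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Jul 30 09:50:15.291: ISAKMP:(0): sending packet to 192.0.2.10 my_port 500 peer_port 500 (I) MM_NO_STATE
Jul 30 09:50:25.291: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Jul 30 09:50:25.291: ISAKMP:(0): sending packet to 192.0.2.10 my_port 500 peer_port 500 (I) MM_NO_STATE
Jul 30 09:50:35.287: ISAKMP: Error while processing SA request: Failed to initialize SA
"""

SENT = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+) \((I|R)\) (\S+)")
# Assumption: inbound packets are logged with the words "received packet from";
# no such line appears in the output on this page.
RECV = re.compile(r"received packet from (\S+)")
ATTEMPT = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")


def summarize(debug_text):
    """Summarize 'debug crypto isakmp' output for one phase 1 negotiation."""
    sent, recv, states, errors = 0, 0, set(), []
    last_attempt = (0, 0)
    for line in debug_text.splitlines():
        if m := SENT.search(line):
            sent += 1
            states.add(m.group(5))
        elif RECV.search(line):
            recv += 1
        elif m := ATTEMPT.search(line):
            last_attempt = (int(m.group(1)), int(m.group(2)))
        elif "Error while processing" in line:
            errors.append(line.split("ISAKMP: ", 1)[-1])
    # Only outbound packets, all still in MM_NO_STATE: no reply to the first
    # main mode message was logged, so reachability and UDP 500 filtering on
    # the path are the first things to check with the remote party.
    no_reply = sent > 0 and recv == 0 and states == {"MM_NO_STATE"}
    return {"sent": sent, "received": recv, "states": sorted(states),
            "last_attempt": last_attempt, "errors": errors,
            "peer_never_replied": no_reply}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```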