IKEv1 L2L dynamic and static IP

Felixsson1
Beginner

Hi,

I'm struggling with IKEv1 L2L. One router is configured with a static public IP while the other one is getting its IP from DHCP, so it must be a dynamic crypto map.

R1 (with static):

crypto keyring REMOTE-TEST
 pre-shared-key address 0.0.0.0 0.0.0.0 key keyFORtest

crypto isakmp policy 20
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600

crypto isakmp profile TEST-PROF
 keyring REMOTE-TEST
 match identity address 0.0.0.0

crypto ipsec transform-set TS-TEST esp-aes 256 esp-sha256-hmac
 mode tunnel

crypto dynamic-map DYNAMIC 10
 set transform-set TS-TEST
 set pfs group14
 set isakmp-profile TEST-PROF
 match address ACL-TEST

In ACL-TEST are IP addresses from loopbacks.

----------------------------------------

R2 (DHCP, dynamic)

crypto keyring REMOTE-TEST
 pre-shared-key address -IP- key keyFORtest

crypto isakmp policy 20
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600

crypto isakmp profile TEST-PROF
 keyring REMOTE-TEST
 match identity address -STATIC IP OF PEER-

crypto ipsec transform-set TS-TEST esp-aes 256 esp-sha256-hmac
 mode tunnel

crypto map CM_TEST 10 ipsec-isakmp
 set peer -STATIC IP OF PEER-
 set transform-set TS-TEST
 set pfs group14
 match address ACL-TEST

In ACL-TEST are IP addresses from loopbacks.

---------------------------------------

All the time I'm getting an error on the "remote" site: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at.......

I've checked and everything matches.

----------------------------------------

I'm failing at Phase 1. This is the debug from the remote site:

Crypto ISAKMP debugging is on
Remote2#
*Jun 5 11:59:09.156: ISAKMP: (0):SA request profile is (NULL)
*Jun 5 11:59:09.156: ISAKMP: (0):Created a peer struct for -IP STATIC PEER-, peer port 500
*Jun 5 11:59:09.156: ISAKMP: (0):New peer created peer = 0x80007F33EC0CD518 peer_handle = 0x80000000400000C3
*Jun 5 11:59:09.156: ISAKMP: (0):Locking peer struct 0x80007F33EC0CD518, refcount 1 for isakmp_initiator
*Jun 5 11:59:09.156: ISAKMP: (0):local port 500, remote port 500
*Jun 5 11:59:09.156: ISAKMP: (0):set new node 0 to QM_IDLE
*Jun 5 11:59:09.156: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 80007F33EC0F8740
*Jun 5 11:59:09.156: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
*Jun 5 11:59:09.156: ISAKMP: (0):found peer pre-shared key matching -IP STATIC PEER
*Jun 5 11:59:09.156: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Jun 5 11:59:09.156: ISAKMP: (0):constructed NAT-T vendor-07 ID
*Jun 5 11:59:09.156: ISAKMP: (0):constructed NAT-T vendor-03 ID
*Jun 5 11:59:09.156: ISAKMP: (0):constructed NAT-T vendor-02 ID
*Jun 5 11:59:09.156: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 5 11:59:09.156: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1

*Jun 5 11:59:09.156: ISAKMP: (0):beginning Main Mode exchange
*Jun 5 11:59:09.156: ISAKMP-PAK: (0):sending packet to -IP STATIC PEER my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 11:59:09.156: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jun 5 11:59:10.361: ISAKMP: (0):purging SA., sa=80007F33E1B39C98, delme=80007F33E1B39C98
*Jun 5 11:59:19.156: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Jun 5 11:59:19.156: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jun 5 11:59:19.156: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Jun 5 11:59:19.156: ISAKMP-PAK: (0):sending packet to -IP STATIC PEER my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 11:59:19.156: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jun 5 11:59:29.156: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Jun 5 11:59:29.156: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jun 5 11:59:29.156: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Jun 5 11:59:29.156: ISAKMP-PAK: (0):sending packet to -IP STATIC PEER my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 11:59:29.157: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jun 5 11:59:39.157: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Jun 5 11:59:39.157: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jun 5 11:59:39.157: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Jun 5 11:59:39.157: ISAKMP-PAK: (0):sending packet to -IP STATIC PEER my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 11:59:39.157: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jun 5 11:59:39.174: ISAKMP-PAK: (0):received packet from -IP STATIC PEER dport 500 sport 500 Global (I) MM_NO_STATE
*Jun 5 11:59:39.174: ISAKMP-ERROR: (0):Notify has no hash. Rejected.
*Jun 5 11:59:39.174: ISAKMP-ERROR: (0):(0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Jun 5 11:59:39.175: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jun 5 11:59:39.175: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_I_MM1

*Jun 5 11:59:39.175: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at -IP STATIC PEER
*Jun 5 11:59:42.173: ISAKMP: (0):set new node 0 to QM_IDLE
*Jun 5 11:59:42.173: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local 192.168.1.2, remote -IP STATIC PEER)
*Jun 5 11:59:42.173: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
*Jun 5 11:59:42.173: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
*Jun 5 11:59:48.323: ISAKMP: (0):purging node 3005331665
*Jun 5 11:59:48.323: ISAKMP: (0):purging node 1281521341
*Jun 5 11:59:49.157: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Jun 5 11:59:49.157: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Jun 5 11:59:49.157: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Jun 5 11:59:49.157: ISAKMP-PAK: (0):sending packet to -IP STATIC PEER my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 11:59:49.157: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jun 5 11:59:58.323: ISAKMP: (0):purging SA., sa=80007F33EC0F7998, delme=80007F33EC0F7998
*Jun 5 11:59:59.157: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Jun 5 11:59:59.157: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Jun 5 11:59:59.157: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Jun 5 11:59:59.157: ISAKMP-PAK: (0):sending packet to -IP STATIC PEER my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 11:59:59.157: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jun 5 12:00:09.157: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Jun 5 12:00:09.157: ISAKMP: (0):peer does not do paranoid keepalives.
*Jun 5 12:00:09.157: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer -IP STATIC PEER)
*Jun 5 12:00:09.157: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer -IP STATIC PEER)
*Jun 5 12:00:09.157: ISAKMP: (0):Unlocking peer struct 0x80007F33EC0CD518 for isadb_mark_sa_deleted(), count 0
*Jun 5 12:00:09.157: ISAKMP: (0):Deleting peer node by peer_reap for -IP STATIC PEER: 80007F33EC0CD518
*Jun 5 12:00:09.158: ISAKMP: (0):deleting node 652890598 error FALSE reason "IKE deleted"
*Jun 5 12:00:09.158: ISAKMP: (0):deleting node 940255627 error FALSE reason "IKE deleted"
*Jun 5 12:00:09.158: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jun 5 12:00:09.158: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

*Jun 5 12:00:12.173: ISAKMP: (0):SA request profile is (NULL)
*Jun 5 12:00:12.173: ISAKMP: (0):Created a peer struct for -IP STATIC PEER, peer port 500
*Jun 5 12:00:12.173: ISAKMP: (0):New peer created peer = 0x80007F33E189EBF0 peer_handle = 0x80000000400000C4
*Jun 5 12:00:12.173: ISAKMP: (0):Locking peer struct 0x80007F33E189EBF0, refcount 1 for isakmp_initiator
*Jun 5 12:00:12.173: ISAKMP: (0):local port 500, remote port 500
*Jun 5 12:00:12.173: ISAKMP: (0):set new node 0 to QM_IDLE
*Jun 5 12:00:12.173: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 80007F33E1B39C98
*Jun 5 12:00:12.173: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
*Jun 5 12:00:12.173: ISAKMP: (0):found peer pre-shared key matching -IP STATIC PEER
*Jun 5 12:00:12.173: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Jun 5 12:00:12.173: ISAKMP: (0):constructed NAT-T vendor-07 ID
*Jun 5 12:00:12.173: ISAKMP: (0):constructed NAT-T vendor-03 ID
*Jun 5 12:00:12.173: ISAKMP: (0):constructed NAT-T vendor-02 ID
*Jun 5 12:00:12.173: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 5 12:00:12.173: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1

*Jun 5 12:00:12.173: ISAKMP: (0):beginning Main Mode exchange
*Jun 5 12:00:12.173: ISAKMP-PAK: (0):sending packet to -IP STATIC PEER my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 12:00:12.173: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jun 5 12:00:22.173: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Jun 5 12:00:22.173: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jun 5 12:00:22.173: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Jun 5 12:00:22.173: ISAKMP-PAK: (0):sending packet to -IP STATIC PEER my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 12:00:22.173: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jun 5 12:00:32.174: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Jun 5 12:00:32.174: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jun 5 12:00:32.174: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Jun 5 12:00:32.174: ISAKMP-PAK: (0):sending packet to -IP STATIC PEER my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 12:00:32.174: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jun 5 12:00:42.174: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Jun 5 12:00:42.174: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jun 5 12:00:42.174: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Jun 5 12:00:42.174: ISAKMP-PAK: (0):sending packet to -IP STATIC PEER my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 12:00:42.174: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jun 5 12:00:46.670: ISAKMP: (0):set new node 0 to QM_IDLE
*Jun 5 12:00:46.670: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local 192.168.1.2, remote -IP STATIC PEER)
*Jun 5 12:00:46.670: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
*Jun 5 12:00:46.670: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
*Jun 5 12:00:52.174: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Jun 5 12:00:52.174: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Jun 5 12:00:52.174: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Jun 5 12:00:52.174: ISAKMP-PAK: (0):sending packet to -IP STATIC PEER my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 12:00:52.174: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jun 5 12:00:59.158: ISAKMP: (0):purging node 652890598
*Jun 5 12:00:59.158: ISAKMP: (0):purging node 940255627
*Jun 5 12:01:02.174: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Jun 5 12:01:02.174: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Jun 5 12:01:02.174: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Jun 5 12:01:02.174: ISAKMP-PAK: (0):sending packet to -IP STATIC PEER my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 12:01:02.174: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jun 5 12:01:09.158: ISAKMP: (0):purging SA., sa=80007F33EC0F8740, delme=80007F33EC0F8740
*Jun 5 12:01:12.174: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Jun 5 12:01:12.174: ISAKMP: (0):peer does not do paranoid keepalives.
*Jun 5 12:01:12.174: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer -IP STATIC PEER)
*Jun 5 12:01:12.174: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer -IP STATIC PEER)
*Jun 5 12:01:12.174: ISAKMP: (0):Unlocking peer struct 0x80007F33E189EBF0 for isadb_mark_sa_deleted(), count 0
*Jun 5 12:01:12.174: ISAKMP: (0):Deleting peer node by peer_reap for -IP STATIC PEER: 80007F33E189EBF0
*Jun 5 12:01:12.175: ISAKMP: (0):deleting node 1841053512 error FALSE reason "IKE deleted"
*Jun 5 12:01:12.175: ISAKMP: (0):deleting node 334610732 error FALSE reason "IKE deleted"
*Jun 5 12:01:12.175: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jun 5 12:01:12.175: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

*Jun 5 12:01:16.670: ISAKMP: (0):SA request profile is (NULL)
*Jun 5 12:01:16.670: ISAKMP: (0):Created a peer struct for -IP STATIC PEER, peer port 500
*Jun 5 12:01:16.670: ISAKMP: (0):New peer created peer = 0x80007F33E189EBF0 peer_handle = 0x80000000400000C5
*Jun 5 12:01:16.670: ISAKMP: (0):Locking peer struct 0x80007F33E189EBF0, refcount 1 for isakmp_initiator
*Jun 5 12:01:16.670: ISAKMP: (0):local port 500, remote port 500
*Jun 5 12:01:16.670: ISAKMP: (0):set new node 0 to QM_IDLE
*Jun 5 12:01:16.670: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 80007F33EC0F7998
*Jun 5 12:01:16.670: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
*Jun 5 12:01:16.671: ISAKMP: (0):found peer pre-shared key matching -IP STATIC PEER
*Jun 5 12:01:16.671: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Jun 5 12:01:16.671: ISAKMP: (0):constructed NAT-T vendor-07 ID
*Jun 5 12:01:16.671: ISAKMP: (0):constructed NAT-T vendor-03 ID
*Jun 5 12:01:16.671: ISAKMP: (0):constructed NAT-T vendor-02 ID
*Jun 5 12:01:16.671: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 5 12:01:16.672: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1

*Jun 5 12:01:16.672: ISAKMP: (0):beginning Main Mode exchange
*Jun 5 12:01:16.672: ISAKMP-PAK: (0):sending packet to -IP STATIC PEER my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 12:01:16.672: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jun 5 12:01:26.672: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Jun 5 12:01:26.672: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jun 5 12:01:26.672: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Jun 5 12:01:26.672: ISAKMP-PAK: (0):sending packet to -IP STATIC PEER my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 12:01:26.672: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jun 5 12:01:36.672: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Jun 5 12:01:36.672: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jun 5 12:01:36.672: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Jun 5 12:01:36.672: ISAKMP-PAK: (0):sending packet to -IP STATIC PEER my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 12:01:36.672: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jun 5 12:01:46.672: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Jun 5 12:01:46.672: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jun 5 12:01:46.672: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Jun 5 12:01:46.672: ISAKMP-PAK: (0):sending packet to -IP STATIC PEER my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 12:01:46.672: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jun 5 12:01:54.545: ISAKMP: (0):set new node 0 to QM_IDLE
*Jun 5 12:01:54.546: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local 192.168.1.2, remote -IP STATIC PEER)
*Jun 5 12:01:54.546: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
*Jun 5 12:01:54.546: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
*Jun 5 12:01:56.673: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Jun 5 12:01:56.673: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Jun 5 12:01:56.673: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Jun 5 12:01:56.673: ISAKMP-PAK: (0):sending packet to -IP STATIC PEER my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 12:01:56.673: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jun 5 12:02:02.175: ISAKMP: (0):purging node 1841053512
*Jun 5 12:02:02.176: ISAKMP: (0):purging node 334610732
*Jun 5 12:02:06.673: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Jun 5 12:02:06.673: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Jun 5 12:02:06.673: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Jun 5 12:02:06.673: ISAKMP-PAK: (0):sending packet to -IP STATIC PEER my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 12:02:06.673: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jun 5 12:02:12.175: ISAKMP: (0):purging SA., sa=80007F33E1B39C98, delme=80007F33E1B39C98
*Jun 5 12:02:16.673: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Jun 5 12:02:16.673: ISAKMP: (0):peer does not do paranoid keepalives.
*Jun 5 12:02:16.674: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer -IP STATIC PEER)
*Jun 5 12:02:16.674: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer -IP STATIC PEER)
*Jun 5 12:02:16.674: ISAKMP: (0):Unlocking peer struct 0x80007F33E189EBF0 for isadb_mark_sa_deleted(), count 0
*Jun 5 12:02:16.674: ISAKMP: (0):Deleting peer node by peer_reap for -IP STATIC PEER: 80007F33E189EBF0
*Jun 5 12:02:16.675: ISAKMP: (0):deleting node 2639593380 error FALSE reason "IKE deleted"
*Jun 5 12:02:16.675: ISAKMP: (0):deleting node 4292822115 error FALSE reason "IKE deleted"
*Jun 5 12:02:16.675: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jun 5 12:02:16.675: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

*Jun 5 12:02:24.545: ISAKMP: (0):SA request profile is (NULL)
*Jun 5 12:02:24.545: ISAKMP: (0):Created a peer struct for -IP STATIC PEER, peer port 500
*Jun 5 12:02:24.545: ISAKMP: (0):New peer created peer = 0x80007F33DDED7128 peer_handle = 0x80000000400000C6
*Jun 5 12:02:24.545: ISAKMP: (0):Locking peer struct 0x80007F33DDED7128, refcount 1 for isakmp_initiator
*Jun 5 12:02:24.545: ISAKMP: (0):local port 500, remote port 500
*Jun 5 12:02:24.545: ISAKMP: (0):set new node 0 to QM_IDLE
*Jun 5 12:02:24.545: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 80007F33E1B39C98
*Jun 5 12:02:24.545: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
*Jun 5 12:02:24.545: ISAKMP: (0):found peer pre-shared key matching -IP STATIC PEER
*Jun 5 12:02:24.545: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Jun 5 12:02:24.545: ISAKMP: (0):constructed NAT-T vendor-07 ID
*Jun 5 12:02:24.545: ISAKMP: (0):constructed NAT-T vendor-03 ID
*Jun 5 12:02:24.545: ISAKMP: (0):constructed NAT-T vendor-02 ID
*Jun 5 12:02:24.545: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 5 12:02:24.545: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1

*Jun 5 12:02:24.545: ISAKMP: (0):beginning Main Mode exchange
*Jun 5 12:02:24.545: ISAKMP-PAK: (0):sending packet to -IP STATIC PEER my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 12:02:24.545: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jun 5 12:02:34.545: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Jun 5 12:02:34.545: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jun 5 12:02:34.545: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Jun 5 12:02:34.545: ISAKMP-PAK: (0):sending packet to -IP STATIC PEER my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 12:02:34.545: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jun 5 12:02:44.546: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Jun 5 12:02:44.546: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jun 5 12:02:44.546: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Jun 5 12:02:44.546: ISAKMP-PAK: (0):sending packet to -IP STATIC PEER my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 12:02:44.546: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jun 5 12:02:54.547: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Jun 5 12:02:54.547: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jun 5 12:02:54.547: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Jun 5 12:02:54.547: ISAKMP-PAK: (0):sending packet to -IP STATIC PEER my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 12:02:54.547: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jun 5 12:03:02.546: ISAKMP: (0):set new node 0 to QM_IDLE
*Jun 5 12:03:02.546: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local 192.168.1.2, remote -IP STATIC PEER)
*Jun 5 12:03:02.547: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
*Jun 5 12:03:02.547: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
*Jun 5 12:03:04.548: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Jun 5 12:03:04.548: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Jun 5 12:03:04.548: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Jun 5 12:03:04.548: ISAKMP-PAK: (0):sending packet to -IP STATIC PEER my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 12:03:04.548: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jun 5 12:03:06.675: ISAKMP: (0):purging node 2639593380
*Jun 5 12:03:06.675: ISAKMP: (0):purging node 4292822115
*Jun 5 12:03:14.548: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Jun 5 12:03:14.548: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Jun 5 12:03:14.548: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Jun 5 12:03:14.548: ISAKMP-PAK: (0):sending packet to -IP STATIC PEER my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 12:03:14.548: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jun 5 12:03:16.675: ISAKMP: (0):purging SA., sa=80007F33EC0F7998, delme=80007F33EC0F7998
Remote2#un all

----------------------------------------------------

I'm guessing that I'm failing because of NAT. I'm connecting 2 ISR1100 and would definitely appreciate any help or guide.

Thanks!
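A small parser for initiator-side ISAKMP debug output like the one posted above, as an added example that is not part of the original thread: it groups lines into Phase 1 attempts and reports where each one stalled. The finding names and their interpretation are assumptions of this example, and the sample is a constructed, shortened excerpt in the same format.

```python
import re
# Constructed sample: shortened excerpt in the format of the debug posted
# above, keeping the post's "-IP STATIC PEER" placeholder.
SAMPLE = """\
*Jun 5 11:59:09.156: ISAKMP: (0):SA request profile is (NULL)
*Jun 5 11:59:09.156: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1
*Jun 5 11:59:19.156: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jun 5 11:59:39.157: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jun 5 11:59:39.174: ISAKMP-PAK: (0):received packet from -IP STATIC PEER dport 500 sport 500 Global (I) MM_NO_STATE
*Jun 5 11:59:39.174: ISAKMP-ERROR: (0):Notify has no hash. Rejected.
*Jun 5 11:59:39.175: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_I_MM1
*Jun 5 11:59:59.157: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Jun 5 12:00:09.157: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer -IP STATIC PEER)
*Jun 5 12:00:09.158: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
*Jun 5 12:00:12.173: ISAKMP: (0):SA request profile is (NULL)
*Jun 5 12:00:12.173: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1
*Jun 5 12:00:22.173: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
"""

STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RETX = re.compile(r"attempt (\d+) of \d+: retransmit phase 1")
PROFILE = re.compile(r"SA request profile is \((\S+)\)")
DEATH = re.compile(r'deleting SA reason "([^"]+)"')

def analyze(debug_text):
    """Group initiator debug lines into Phase 1 attempts and summarise each."""
    attempts, cur, profile = [], None, None
    for line in debug_text.splitlines():
        state = STATE.search(line)
        if m := PROFILE.search(line):
            profile = m.group(1)           # applies to the attempt that follows
        elif state and state.group(1) == "IKE_READY":
            cur = {"profile": profile, "state": state.group(2), "retransmits": 0,
                   "replies": 0, "unauth_notify": False, "end_reason": None}
            attempts.append(cur)
        elif cur is None:
            continue                       # lines before the first attempt
        elif state and state.group(2) != "IKE_DEST_SA":
            cur["state"] = state.group(2)  # furthest state before teardown
        elif m := RETX.search(line):
            cur["retransmits"] = max(cur["retransmits"], int(m.group(1)))
        elif "received packet from" in line:
            cur["replies"] += 1
        elif "Notify has no hash" in line:
            cur["unauth_notify"] = True
        elif m := DEATH.search(line):
            cur["end_reason"] = m.group(1)
    return attempts

def diagnose(a):
    """Map one attempt summary to findings (interpretation assumed here)."""
    findings = []
    if a["profile"] == "NULL":
        findings.append("NO_ISAKMP_PROFILE")        # SA request not tied to a profile
    if a["state"] == "IKE_I_MM1" and a["retransmits"]:
        findings.append("STUCK_AT_MM1")             # MM1 sent, no MM2 accepted
    if a["unauth_notify"]:
        findings.append("PEER_SENT_UNAUTH_NOTIFY")  # peer answered, but not with MM2
    elif a["retransmits"] and not a["replies"]:
        findings.append("NO_REPLY_FROM_PEER")       # nothing came back on UDP/500
    return findings

if __name__ == "__main__":
    print([(a, diagnose(a)) for a in analyze(SAMPLE)])
```

An attempt flagged `PEER_SENT_UNAUTH_NOTIFY` means the peer is reachable on UDP/500 and is answering the first Main Mode message with a notify, so the reason for the rejection is in the debug on that peer rather than on the initiator.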

1 Reply

Configuring Router-to-Router Dynamic-to-Static IPSec with NAT - Cisco

The config confuses me, so I'm sharing a link on how you can configure IPsec between two routers, one static and the other dynamic.
