12-01-2010 06:39 AM
Can anybody give me any pointers to resolve a problem with a 2821-2821 L2L VPN config please?
Router A has L2L config only.
Router B has L2L and VPN client profiles.
The VPN client part works fine. The L2L gives the following error on Router B when the tunnel is initiated from Router A:
044234: Dec 1 14:20:45.830: ISAKMP:(1572):Old State = IKE_R_MM4 New State = IKE_R_MM5
044235: Dec 1 14:20:45.830: ISAKMP:(1572): processing ID payload. message ID = 0
044236: Dec 1 14:20:45.830: ISAKMP (1572): ID payload
next-payload : 8
type : 1
address : a.b.c.d
protocol : 17
port : 500
length : 12
044237: Dec 1 14:20:45.834: ISAKMP:(0):: peer matches wup_l2l profile
044238: Dec 1 14:20:45.834: ISAKMP:(1572):Found ADDRESS key in keyring wup_l2l_keyring
044239: Dec 1 14:20:45.834: ISAKMP:(1572):Key not found in keyrings of profile , aborting exchange
044240: Dec 1 14:20:45.834: ISAKMP (1572): FSM action returned error: 2
044241: Dec 1 14:20:45.834: ISAKMP:(1572):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
044242: Dec 1 14:20:45.834: ISAKMP:(1572):Old State = IKE_R_MM5 New State = IKE_R_MM5
044243: Dec 1 14:20:45.854: ISAKMP:(1572):peer does not do paranoid keepalives.
044244: Dec 1 14:20:45.854: ISAKMP:(1572):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer a.b.c.d)
The configuration I have used is from the Cisco Press Complete Cisco VPN guide (Richard Deal).
I have verified keys on each side.
I have verified the config using other Cisco documents.
I have added host key definitions in addition to address key definitions.
As far as I can see the profiles match on each side.
I am at a loss to interpret the error as it has apparently found a key and then immediately not found a key.
I am working on securing and extracting the pertinent parts of my configs for posting but if anybody has any pointers now it would be much appreciated.
Thanks
12-01-2010 08:41 AM
Do you have multiple keyrings and profiles on the router? It could be that it is hitting a keyring and profile with an address of 0.0.0.0 while you want it to hit the keyring with the specific peer address. That's when you would usually get this message. Could you post what your profile and keyring config is?
12-01-2010 10:15 AM
I do have an additional keyring for the VPN client users, but I have removed that and I still get the same error for the L2L.
12-01-2010 10:18 AM
You must have multiple profiles too for Vpn client and l2l right? Could you change the order in which it is configured?
12-01-2010 10:33 AM
Indeed I do. However, I just removed the vpn client profile and that results in the same error. I assume the profile was gone as the vpn client isakmp/ipsec debug output ceased.
Let me get the config posted in 10 minutes or so.
Thanks
12-01-2010 11:34 AM
RouterB config excerpt
ip domain name adomain.com
ip host routera.adomain.com a.b.c.d
!
crypto keyring wup_l2l_keyring
pre-shared-key address a.b.c.d key < b key>
pre-shared-key hostname routera key < b key>
crypto keyring vpnclient_users_keyring
pre-shared-key address 0.0.0.0 0.0.0.0 key
crypto ctcp port 10000
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp key < b key> address a.b.c.d no-xauth
crypto isakmp key < b key> hostname routera.adomain.com
!
crypto isakmp client configuration group
dns 10.5.1.10
domain adomain.com
pool VPN1
acl 101
netmask 255.255.255.0
crypto isakmp profile vpnclient_users
description remote access users profile
keyring vpnclient_users_keyring
client authentication list UserAuth
client configuration address respond
crypto isakmp profile wup_l2l
description wuppertal l2l tunnel
keyring wup_l2l_keyring
match identity address a.b.c.d 255.255.255.255
match identity host routera.adomain.com
keepalive 20 retry 3
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set l2l_transform esp-3des esp-sha-hmac
!
!
crypto dynamic-map seanmap 5
set transform-set ESP-3DES-SHA
set isakmp-profile vpnclient_users
crypto dynamic-map seanmap 10
set transform-set l2l_transform
set isakmp-profile wup_l2l
!
!
crypto map staticmap 10 ipsec-isakmp dynamic seanmap
!
!
interface Serial0/0/0:0
crypto map staticmap
12-01-2010 11:52 AM
RouterA config excerpt
ip host routerb.adomain.com w.x.y.z
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key < b key> address w.x.y.z no-xauth
crypto isakmp key < b key> hostname routerb.adomain.com
!
!
crypto ipsec transform-set l2l_transform esp-3des esp-sha-hmac
!
crypto map mapone 50 ipsec-isakmp
set peer w.x.y.z
set transform-set l2l_transform
match address traffic_list
12-02-2010 04:06 AM
IOS is 15.1(2)T1 on each router
12-06-2010 09:15 AM
Could you try removing the hostname pre-shared key from the Keyring and testing?
12-07-2010 02:36 AM
Hello,
That did not resolve the issue directly but stripping out all key definitions other than those in keyrings did the trick and the SA is established.
To summarise I now have an address key defined in the keyring and that is all.
I think I had a separate issue initially with the SA creation and that got me sidetracked adding additional key definitions.
Thanks for your help.
My configs are now:
ip domain name adomain.com
ip host routera.adomain.com a.b.c.d
!
crypto keyring wup_l2l_keyring
pre-shared-key address a.b.c.d key < b key>
crypto keyring vpnclient_users_keyring
pre-shared-key address 0.0.0.0 0.0.0.0 key
crypto ctcp port 10000
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
!
crypto isakmp client configuration group
key
dns 10.5.1.10
domain adomain.com
pool VPN1
acl 101
netmask 255.255.255.0
crypto isakmp profile vpnclient_users
description remote access users profile
keyring vpnclient_users_keyring
match identity group
client authentication list UserAuth
isakmp authorization list
client configuration address respond
crypto isakmp profile wup_l2l
description wuppertal l2l tunnel
keyring wup_l2l_keyring
match identity address a.b.c.d 255.255.255.255
match identity host routera.adomain.com
keepalive 20 retry 3
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set l2l_transform esp-3des esp-sha-hmac
!
!
crypto dynamic-map seanmap 5
set transform-set ESP-3DES-SHA
set isakmp-profile vpnclient_users
crypto dynamic-map seanmap 10
set transform-set l2l_transform
set isakmp-profile wup_l2l
!
!
!
crypto map staticmap 10 ipsec-isakmp dynamic seanmap
!
!
!
interface Serial0/0/0:0
crypto map staticmap
and the other router:
ip host routerb.adomain.com w.x.y.z
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key < b key> address w.x.y.z no-xauth
!
!
crypto ipsec transform-set l2l_transform esp-3des esp-sha-hmac
!
crypto map mapone 50 ipsec-isakmp
set peer w.x.y.z
set transform-set l2l_transform
match address traffic_list
Just like the VPN book says.
Sean
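As an added illustration (not from the thread, the book or Cisco), here is a small Python linter that parses an IOS excerpt like the ones posted above and flags any peer with more than one pre-shared-key source, which is the layout Router B had when the "Found ADDRESS key in keyring ... Key not found in keyrings of profile" error appeared. It assumes IOS one-space subcommand indentation and uses KEY_B and KEY_CLIENT as constructed placeholders for the real keys.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the original Router B excerpt; KEY_B stands in for the real key.
ROUTER_B_BEFORE = """\
ip host routera.adomain.com a.b.c.d
crypto keyring wup_l2l_keyring
 pre-shared-key address a.b.c.d key KEY_B
 pre-shared-key hostname routera key KEY_B
crypto keyring vpnclient_users_keyring
 pre-shared-key address 0.0.0.0 0.0.0.0 key KEY_CLIENT
crypto isakmp key KEY_B address a.b.c.d no-xauth
crypto isakmp key KEY_B hostname routera.adomain.com
"""
# The layout the thread ended with: one address key per peer, inside its keyring only.
ROUTER_B_AFTER = """\
ip host routera.adomain.com a.b.c.d
crypto keyring wup_l2l_keyring
 pre-shared-key address a.b.c.d key KEY_B
crypto keyring vpnclient_users_keyring
 pre-shared-key address 0.0.0.0 0.0.0.0 key KEY_CLIENT
"""

def psk_sources(config: str) -> dict[str, list[str]]:
    """Map each peer (by address) to every place a pre-shared key is defined for it.
    Hostnames are resolved through 'ip host' lines so that routera,
    routera.adomain.com and a.b.c.d are treated as the same peer."""
    host_to_addr = {}
    for name, addr in re.findall(r"^ip host (\S+) (\S+)", config, re.M):
        host_to_addr[name] = addr
        host_to_addr[name.split(".")[0]] = addr  # short hostname form used in keyrings
    sources, keyring = defaultdict(list), None
    for line in config.splitlines():
        if not line.startswith(" "):            # a top-level command ends any keyring block
            keyring = None
        s = line.strip()
        if m := re.match(r"crypto keyring (\S+)", s):
            keyring = m.group(1)
        elif m := re.match(r"pre-shared-key (address|hostname) (\S+)", s):
            peer = host_to_addr.get(m.group(2), m.group(2))
            sources[peer].append(f"keyring {keyring} {m.group(1)}")
        elif m := re.match(r"crypto isakmp key \S+ (address|hostname) (\S+)", s):
            peer = host_to_addr.get(m.group(2), m.group(2))
            sources[peer].append(f"global {m.group(1)}")
    return dict(sources)

def psk_conflicts(config: str) -> dict[str, list[str]]:
    """Peers with more than one key source (keyring address/hostname, global address/hostname)."""
    return {peer: src for peer, src in psk_sources(config).items() if len(src) > 1}

if __name__ == "__main__":
    for label, cfg in (("before", ROUTER_B_BEFORE), ("after", ROUTER_B_AFTER)):
        print(label, psk_conflicts(cfg))
```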