cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
966
Views
0
Helpful
8
Replies

IPSec VPN

vignesh9304
Level 1
Level 1

HI,

 

Can anybody help me, We have configured Crypto ISAKMP VPN tunnel in router. But the tunnel is going down automatically and not coming up.

as searched and suggested in many discussions in support forums and others, we have enabled debug and found the below errors in loggings.

below is the debug information right now.

 

cking ISAKMP transform 7 against priority 65535 policy
005211: *Aug  7 21:35:42.149 UTC: ISAKMP:      encryption DES-CBC
005212: *Aug  7 21:35:42.149 UTC: ISAKMP:      hash SHA
005213: *Aug  7 21:35:42.149 UTC: ISAKMP:      auth pre-share
005214: *Aug  7 21:35:42.149 UTC: ISAKMP:      default group 1
005215: *Aug  7 21:35:42.149 UTC: ISAKMP:      life type in seconds
005216: *Aug  7 21:35:42.149 UTC: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
005217: *Aug  7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0):Authentication method offered does not match policy!
005218: *Aug  7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
005219: *Aug  7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 8 against priority 65535 policy
005220: *Aug  7 21:35:42.149 UTC: ISAKMP:      encryption DES-CBC
005221: *Aug  7 21:35:42.149 UTC: ISAKMP:      hash MD5
005222: *Aug  7 21:35:42.149 UTC: ISAKMP:      auth pre-share
005223: *Aug  7 21:35:42.149 UTC: ISAKMP:      default group 1
005224: *Aug  7 21:35:42.149 UTC: ISAKMP:      life type in seconds
005225: *Aug  7 21:35:42.149 UTC: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
005226: *Aug  7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
005227: *Aug  7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
005228: *Aug  7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0):no offers accepted!
005229: *Aug  7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (local x.x.x.x remote x.x.x.x)
005230: *Aug  7 21:35:42.149 UTC: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
005231: *Aug  7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0): sending packet to x.x.x.x my_port 500 peer_port 60105 (R) MM_NO_STATE
005232: *Aug  7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

005233: *Aug  7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer x.x.x.x)
005234: *Aug  7 21:35:42.149 UTC: ISAKMP (0:0): FSM action returned error: 2
005235: *Aug  7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
005236: *Aug  7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0):Old State = IKE_R_MM1  New State = IKE_R_MM1

005237: *Aug  7 21:35:42.153 UTC: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer x.x.x.x)
005238: *Aug  7 21:35:42.153 UTC: ISAKMP: Unlocking IKE struct 0x62F9757C for isadb_mark_sa_deleted(), count 0
005239: *Aug  7 21:35:42.153 UTC: ISAKMP: Deleting peer node by peer_reap for x.x.x.x: 62F9757C
005240: *Aug  7 21:35:42.153 UTC: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
005241: *Aug  7 21:35:42.153 UTC: ISAKMP:(0:0:N/A:0):Old State = IKE_R_MM1  New State = IKE_DEST_SA

005242: *Aug  7 21:35:42.153 UTC: IPSEC(key_engine): got a queue event with 1 kei messages
005243: *Aug  7 21:35:42.153 UTC: ISAKMP:(0:0:N/A:0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer x.x.x.x)
005244: *Aug  7 21:35:42.153 UTC: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
005245: *Aug  7 21:35:42.153 UTC: ISAKMP:(0:0:N/A:0):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

005246: *Aug  7 21:36:42.153 UTC: ISAKMP:(0:0:N/A:0):purging SA., sa=63C576D4, delme=63C576D4
005247: *Aug  7 21:36:49.005 UTC: crypto_engine: generate public/private keypair
005248: *Aug  7 22:36:50.045 UTC: crypto_engine: generate public/private keypair
005249: *Aug  7 23:36:52.457 UTC: crypto_engine: generate public/private keypair
005250: *Aug  8 00:36:53.165 UTC: crypto_engine: generate public/private keypair
005251: *Aug  8 01:27:49.440 UTC: CRYPTO_ENGINE: key process suspended and continued
005252: *Aug  8 01:29:22.888 UTC: CRYPTO_ENGINE: key process suspended and continued
005253: *Aug  8 01:36:53.748 UTC: crypto_engine: generate public/private keypair
005254: *Aug  8 02:29:23.500 UTC: CRYPTO_ENGINE: key process suspended and continued

 

8 Replies 8

vignesh9304
Level 1
Level 1

Please help ASAP. This is bit urgent

Hi,

 

please find the attached config file details.

 

Note : Attached file is the previous running config before configure the ISAKMP.

 

please suggest us for the enable the ISAKMP in the same router also if required we will attach my another end router config file to close this ASAP.

Where is the config ?

usually both sides must agree on everything related to the tunnel.

Look at your ISAKMP Policy:

005229: *Aug  7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (local x.x.x.x remote x.x.x.x)

 

> Please help ASAP. This is bit urgent

If it's urgent, it's probably better to ask Cisco TAC. They are available 24/7.

Hi Karsten,

 

Please help me to sort out the issue.

 

Below is the policy configured in both peers. There is no mismatch.

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               1440 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

 

> Below is the policy configured in both peers. There is no mismatch.

If they really match, then there must be a some other config that is conflicting. Hard to say without seeing the config.

Please help us to configure the crypto isakmp . configuration has attached already.

 

Looking forward hear from you.
 

> configuration has attached already.

Where is the config attached?