04-09-2007 04:31 PM
Two routers connected together.
IPsec IKE fails with the following error message:
"%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer"
Cannot understand what is wrong with the following configs.
Assistance PLEASE
Router1#show run
Building configuration...
Current configuration : 1157 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router1
!
memory-size iomem 10
ip subnet-zero
!
crypto isakmp policy 100
hash md5
authentication pre-share
crypto isakmp key test address 192.168.10.2
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Router1set esp-des esp-md5-hmac
!
crypto map Router1map 100 ipsec-isakmp
set peer 192.168.10.2
set transform-set Router1set
set pfs group1
match address 101
!
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
crypto map Router1map
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
router rip
network 192.168.1.0
network 192.168.10.0
!
ip classless
ip http server
!
access-list 101 permit icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 echo-reply
access-list 101 permit icmp any any echo
!
line con 0
line aux 0
line vty 0 4
login
!
end
Router2#show run
Building configuration...
Current configuration : 1201 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router2
!
memory-size iomem 10
ip subnet-zero
!
crypto isakmp policy 100
hash md5
authentication pre-share
crypto isakmp key test address 192.168.10.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Router2set esp-des esp-md5-hmac
!
crypto map Router2map 100 ipsec-isakmp
set peer 192.168.10.1
set transform-set Router2set
set pfs group1
match address 102
!
interface FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
!
interface BRI0/0
no ip address
shutdown
!
interface FastEthernet0/1
ip address 192.168.10.2 255.255.255.0
duplex auto
speed auto
crypto map Router2map
!
interface Serial0/1
no ip address
shutdown
!
router rip
network 192.168.2.0
network 192.168.10.0
!
ip classless
ip http server
!
access-list 102 permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 echo-reply
access-list 102 permit icmp any any echo
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
end
04-09-2007 11:43 PM
You could try to remove the following commands, as they are not necessary on VPN Tunnels between Cisco routers.
1) crypto ipsec security-association lifetime seconds 86400
2) crypto map Router2map 100 ipsec-isakmp
set pfs group1
Saving the configuration and restarting the routers could also help in some cases!
Hope this helps.
Regards,
Michael
04-10-2007 02:01 AM
Can you try adding a default route on the routers and also permit IP in the interesting-traffic access list?
Also clear the SAs after the changes are made by using the following commands.
clear crypto isakmp
clear crypto sa
04-10-2007 02:08 AM
A default route is not necessary in this case, as it is a test situation; the routers are directly connected to each other.
The 'IP' in the access-list is a good idea, I didn't even notice that he only had icmp in the list.
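Quick mode is the IKE phase 2 exchange, where the two peers have to agree on the transform set, the PFS group and the proxy identities taken from the crypto ACL. Any asymmetry between the two configs above is therefore worth checking before touching the routers. The script below is an added example written for this thread, not a Cisco tool and not part of any post: it parses trimmed, constructed copies of Router1's and Router2's crypto sections, confirms that key, transform set, PFS group and peer binding match, checks that every crypto ACL entry has a mirror on the other side, and flags protocol-specific entries, which is exactly what the 'permit ip' suggestion above addresses. All function names are hypothetical.

```python
"""Consistency check of two IOS IPsec/IKE configs (added example, hypothetical helper)."""
from typing import Dict, List, Tuple

# Constructed, trimmed copies of the thread's two configs: only the crypto lines.
ROUTER1_CONFIG = """\
crypto isakmp policy 100
 hash md5
 authentication pre-share
crypto isakmp key test address 192.168.10.2
crypto ipsec transform-set Router1set esp-des esp-md5-hmac
crypto map Router1map 100 ipsec-isakmp
 set peer 192.168.10.2
 set transform-set Router1set
 set pfs group1
 match address 101
access-list 101 permit icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 echo-reply
access-list 101 permit icmp any any echo
"""

ROUTER2_CONFIG = """\
crypto isakmp policy 100
 hash md5
 authentication pre-share
crypto isakmp key test address 192.168.10.1
crypto ipsec transform-set Router2set esp-des esp-md5-hmac
crypto map Router2map 100 ipsec-isakmp
 set peer 192.168.10.1
 set transform-set Router2set
 set pfs group1
 match address 102
access-list 102 permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 echo-reply
access-list 102 permit icmp any any echo
"""


def _endpoint(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1] + "/0.0.0.0", tokens[2:]
    return tokens[0] + "/" + tokens[1], tokens[2:]


def parse_config(text: str) -> Dict:
    """Extract the phase 1/phase 2 parameters that both peers must agree on."""
    facts = {"key": None, "key_address": None, "peer": None, "pfs": None,
             "transform": None, "acl_number": None, "acl": []}
    transform_sets: Dict[str, Tuple[str, ...]] = {}
    transform_name = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["crypto", "isakmp", "key"]:
            facts["key"], facts["key_address"] = t[3], t[5]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            transform_sets[t[3]] = tuple(t[4:])
        elif t[:2] == ["set", "peer"]:
            facts["peer"] = t[2]
        elif t[:2] == ["set", "pfs"]:
            facts["pfs"] = t[2]
        elif t[:2] == ["set", "transform-set"]:
            transform_name = t[2]
        elif t[:2] == ["match", "address"]:
            facts["acl_number"] = t[2]
    facts["transform"] = transform_sets.get(transform_name)
    # Second pass: collect only the ACL the crypto map actually references.
    for raw in text.splitlines():
        t = raw.split()
        if len(t) >= 5 and t[0] == "access-list" and t[1] == facts["acl_number"] and t[2] == "permit":
            src, rest = _endpoint(t[4:])
            dst, rest = _endpoint(rest)
            facts["acl"].append((t[3], src, dst, tuple(rest)))  # (proto, src, dst, qualifiers)
    return facts


def check_pair(local: Dict, remote: Dict) -> List[str]:
    """Findings from the local side's point of view; an empty list means no asymmetry found."""
    findings = []
    acl = local["acl_number"]
    if local["key"] != remote["key"]:
        findings.append("pre-shared keys differ")
    if local["peer"] != local["key_address"]:
        findings.append("set peer %s but isakmp key is bound to %s" % (local["peer"], local["key_address"]))
    if local["transform"] != remote["transform"]:
        findings.append("transform sets differ: %s vs %s" % (local["transform"], remote["transform"]))
    if local["pfs"] != remote["pfs"]:
        findings.append("PFS groups differ: %s vs %s" % (local["pfs"], remote["pfs"]))
    for proto, src, dst, _ in local["acl"]:
        if not any(p == proto and s == dst and d == src for p, s, d, _q in remote["acl"]):
            findings.append("access-list %s entry %s %s -> %s has no mirror on the peer" % (acl, proto, src, dst))
    if any(proto != "ip" for proto, _s, _d, _q in local["acl"]):
        findings.append("access-list %s has protocol-specific entries; the thread suggests 'permit ip'" % acl)
    return findings


def check_configs(cfg_a: str, cfg_b: str) -> List[str]:
    """Run the check in both directions and return all findings."""
    a, b = parse_config(cfg_a), parse_config(cfg_b)
    return check_pair(a, b) + check_pair(b, a)


if __name__ == "__main__":
    for finding in check_configs(ROUTER1_CONFIG, ROUTER2_CONFIG):
        print("-", finding)
```

Run against the thread's configs it reports nothing but the two protocol-specific ACLs; changing one side's transform set or one ACL network makes the corresponding mismatch show up, which is the kind of asymmetry the `debug crypto ipsec` output would otherwise have to be read for.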
04-18-2007 09:41 PM
There might be a problem with the preshare keys. Check out this site...
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00801d55aa.shtml#s1a
Try this:
Router1:
crypto isakmp key test address 192.168.10.2
Router2:
crypto isakmp key test address 192.168.10.1