Re: Key exchange failure

network27 · ‎04-09-2007

Two routers connected together.

IPSEC IKE failure with following error message

"%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer"

Cannot understand what is wrong with following configs.

Assistance PLEASE

Router1#show run

Building configuration...

Current configuration : 1157 bytes

!

version 12.1

no service single-slot-reload-enable

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname Router1

!

memory-size iomem 10

ip subnet-zero

!

crypto isakmp policy 100

hash md5

authentication pre-share

crypto isakmp key test address 192.168.10.2

!

crypto ipsec security-association lifetime seconds 86400

!

crypto ipsec transform-set Router1set esp-des esp-md5-hmac

!

crypto map Router1map 100 ipsec-isakmp

set peer 192.168.10.2

set transform-set Router1set

set pfs group1

match address 101

!

interface FastEthernet0/0

ip address 192.168.10.1 255.255.255.0

duplex auto

speed auto

crypto map Router1map

!

interface Serial0/0

no ip address

shutdown

!

interface FastEthernet0/1

ip address 192.168.1.1 255.255.255.0

duplex auto

speed auto

!

interface Serial0/1

no ip address

shutdown

!

router rip

network 192.168.1.0

network 192.168.10.0

!

ip classless

ip http server

!

access-list 101 permit icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 echo-rep

ly

access-list 101 permit icmp any any echo

!

line con 0

line aux 0

line vty 0 4

login

!

end

Router2#show run

Building configuration...

Current configuration : 1201 bytes

!

version 12.1

no service single-slot-reload-enable

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname Router2

!

memory-size iomem 10

ip subnet-zero

!

crypto isakmp policy 100

hash md5

authentication pre-share

crypto isakmp key test address 192.168.10.1

!

crypto ipsec security-association lifetime seconds 86400

!

crypto ipsec transform-set Router2set esp-des esp-md5-hmac

!

crypto map Router2map 100 ipsec-isakmp

set peer 192.168.10.1

set transform-set Router2set

set pfs group1

match address 102

!

interface FastEthernet0/0

ip address 192.168.2.1 255.255.255.0

duplex auto

speed auto

!

interface Serial0/0

no ip address

shutdown

!

interface BRI0/0

no ip address

shutdown

!

interface FastEthernet0/1

ip address 192.168.10.2 255.255.255.0

duplex auto

speed auto

crypto map Router2map

!

interface Serial0/1

no ip address

shutdown

!

router rip

network 192.168.2.0

network 192.168.10.0

!

ip classless

ip http server

!

access-list 102 permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 echo-rep

ly

access-list 102 permit icmp any any echo

!

line con 0

line aux 0

line vty 0 4

login

!

end

mfreijser · ‎04-09-2007

You could try to remove the following commands, as they are not necessary on VPN Tunnels between Cisco routers.

1) crypto ipsec security-association lifetime seconds 86400

2) crypto map Router2map 100 ipsec-isakmp

set pfs group1

Saving the configuration and restarting the routers could also help in some cases!

Hope this helps.

Regards,

Michael

amansin · ‎04-10-2007

Can you try adding a default route on the routers and also permit IP in the interesting traffic access list.

ALso clear the SA's after the changes are made by using the following commands.

clear crypto isakmp

clear crypto sa

mfreijser · ‎04-10-2007

a default route is not necessary in this case, as it is a test-situation; the routers are directly connected to eachtother.

The 'IP' in the access-list is a good idea, i didn't even notice that he only had icmp in the list.

talisman1310 · ‎04-18-2007

There might be a problem with the preshare keys. Check out this site...

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00801d55aa.shtml#s1a

Try this:

Router1:

crypto isakmp keytest address 192.168.10.2

Router2:

crypto isakmp keytest address 192.168.10.1