06-02-2021 10:13 AM
I have a problem configuring an IPsec VPN between one site and two others. I followed many examples I found on the internet, but I still have the same problem:
dst src state conn-id slot status
200.0.2.1 200.0.1.1 QM_IDLE 1019 0 ACTIVE
200.0.3.1 200.0.1.1 MM_NO_STATE 0 0 ACTIVE (deleted)
I don't know if that's relevant, but the number of routers between these sites is not the same.
06-02-2021 10:48 AM
Please provide more information.
What type of VPN: policy-based or route-based?
Provide your configuration of all devices.
Provide the IKE debugs of the VPN tunnel that is not working.
06-02-2021 11:21 AM - edited 06-02-2021 03:24 PM
@Rob Ingram thank you for your time
Router 1:
! crypto ACLs, one per remote site
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
! IKE phase 1
crypto isakmp enable
crypto isakmp policy 1
 encryption aes 256
 authentication pre-share
 group 5
 exit
! same pre-shared key for both peers
crypto isakmp key secretkey address 200.0.2.1
crypto isakmp key secretkey address 200.0.3.1
! IPsec phase 2: one crypto map entry per peer
crypto ipsec transform-set VPN-ESP esp-aes 256 esp-sha-hmac
crypto map IPSEC-MAP 1 ipsec-isakmp
 set peer 200.0.2.1
 set transform-set VPN-ESP
 match address 100
 exit
crypto map IPSEC-MAP 2 ipsec-isakmp
 set peer 200.0.3.1
 set transform-set VPN-ESP
 match address 101
 exit
! apply the map to the WAN interface
interface fa0/0
 crypto map IPSEC-MAP
Router 2:
! crypto ACL toward site 1 (mirror of Router 1's ACL 100)
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp enable
crypto isakmp policy 1
 encryption aes 256
 authentication pre-share
 group 5
 exit
crypto isakmp key secretkey address 200.0.1.1
crypto ipsec transform-set VPN-ESP esp-aes 256 esp-sha-hmac
crypto map IPSEC-MAP 1 ipsec-isakmp
 set peer 200.0.1.1
 set transform-set VPN-ESP
 match address 100
 exit
interface fa0/0
 crypto map IPSEC-MAP
Router 4:
! crypto ACL toward site 1 (mirror of Router 1's ACL 101)
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp enable
crypto isakmp policy 1
 encryption aes 256
 authentication pre-share
 group 5
 exit
crypto isakmp key secretkey address 200.0.1.1
crypto ipsec transform-set VPN-ESP esp-aes 256 esp-sha-hmac
crypto map IPSEC-MAP11 1 ipsec-isakmp
 set peer 200.0.1.1
 set transform-set VPN-ESP
 match address 100
 exit
interface fa0/0
 crypto map IPSEC-MAP11
Router#debug crypto ipsec
Crypto IPSEC debugging is on
IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 200.0.1.1, remote= 200.0.2.1,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac(Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 200.0.1.1, remote= 200.0.2.1,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac(Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 200.0.1.1, remote= 200.0.2.1,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac(Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 200.0.1.1, remote= 200.0.2.1,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac(Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 200.0.1.1, remote= 200.0.2.1,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac(Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Router#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: IPSEC-MAP, local addr 200.0.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer 200.0.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 0
#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 200.0.1.1, remote crypto endpt.:200.0.2.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x26137A10(638810640)
inbound esp sas:
spi: 0x13ED4A66(334318182)
transform: esp-aes 256 esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2000, flow_id: FPGA:1, crypto map: IPSEC-MAP
sa timing: remaining key lifetime (k/sec): (4525504/3101)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x26137A10(638810640)
transform: esp-aes 256 esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: FPGA:1, crypto map: IPSEC-MAP
sa timing: remaining key lifetime (k/sec): (4525504/3101)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 200.0.3.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 200.0.1.1, remote crypto endpt.:200.0.3.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
*** Also, if I remove router 4 and configure the VPN on router 3, it works perfectly ***
here's my topology:
06-02-2021 01:23 PM
One idea here:
On R1, please configure one password with address 0.0.0.0.
Try it this way and see the result.
R1 will use the password, then check the IP, see no match and refuse the IPsec, so we need to make it 0.0.0.0.
06-02-2021 02:06 PM
@MHM Cisco World still the same result!
I want to add that if I remove router 4 and configure the VPN on router 3, it works perfectly.
06-02-2021 02:39 PM
Just clear the IPsec and ISAKMP SAs and the session and see the result.
Please notice I am talking about R1.
R1 has one password for two different IPs; just configure one password with one IP address, which is 0.0.0.0, clear ISAKMP and the session, and see the result.
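Two things in this thread can be checked mechanically. First, the debug in the original post shows an sa_request toward peer 200.0.2.1 carrying remote_proxy 192.168.3.0/24, although on Router 1 that network is matched by access-list 101, which crypto map entry 2 binds to peer 200.0.3.1. Second, the suggestion above to key the PSK to address 0.0.0.0 makes the key a wildcard: any host that knows it can open IKE with R1, so it is a troubleshooting step, not a configuration to keep. The Python script below is an added example, not code from the thread or from Cisco. It parses the Router 1 crypto map, ACLs and ISAKMP keys and the sa_request debug output (both copied from the thread and embedded as sample input), reports any sa_request whose peer differs from the peer the matching ACL selects, and warns on wildcard or shared pre-shared keys. Function and variable names are the example's own.

```python
"""Cross-check IOS crypto-map peer selection against 'debug crypto ipsec'
sa_request lines, and flag weak pre-shared-key settings.

Added example for this thread, not Cisco tooling. Sample config and debug
text are copied from the thread, trimmed to the lines the checks use.
"""
import ipaddress
import re

ROUTER1_CONFIG = """\
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto isakmp key secretkey address 200.0.2.1
crypto isakmp key secretkey address 200.0.3.1
crypto map IPSEC-MAP 1 ipsec-isakmp
 set peer 200.0.2.1
 set transform-set VPN-ESP
 match address 100
exit
crypto map IPSEC-MAP 2 ipsec-isakmp
 set peer 200.0.3.1
 set transform-set VPN-ESP
 match address 101
exit
"""

# One sa_request block from the thread's debug output (the log repeats it
# five times; one copy is enough for the check).
DEBUG_OUTPUT = """\
IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 200.0.1.1, remote= 200.0.2.1,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac(Tunnel),
"""

ACL_RE = re.compile(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)")
KEY_RE = re.compile(r"crypto isakmp key (\S+) address (\S+)")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) ipsec-isakmp")
SA_REQ_RE = re.compile(
    r"IPSEC\(sa_request\).*?local= (\S+), remote= (\S+),\s*"
    r"local_proxy= ([\d.]+)/([\d.]+)/\d+/\d+ \(type=\d+\),\s*"
    r"remote_proxy= ([\d.]+)/([\d.]+)/\d+/\d+", re.S)


def parse_config(text):
    """Return ACL network pairs, crypto-map entries and pre-shared keys."""
    acls, maps, keys, cur = {}, [], [], None
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            # ip_network accepts an IOS wildcard (host) mask after the slash
            acls.setdefault(m[1], []).append(
                (ipaddress.ip_network(f"{m[2]}/{m[3]}"),
                 ipaddress.ip_network(f"{m[4]}/{m[5]}")))
        elif m := KEY_RE.match(line):
            keys.append((m[1], m[2]))
        elif m := MAP_RE.match(line):
            cur = {"map": m[1], "seq": int(m[2]), "peer": None, "acl": None}
            maps.append(cur)
        elif cur and line.startswith("set peer "):
            cur["peer"] = line.split()[2]
        elif cur and line.startswith("match address "):
            cur["acl"] = line.split()[2]
        elif line == "exit":
            cur = None
    return {"acls": acls, "maps": maps, "keys": keys}


def parse_sa_requests(text):
    """Pull local/remote endpoints and proxy identities out of sa_request lines."""
    return [{"local": m[1], "remote": m[2],
             "local_proxy": ipaddress.ip_network(f"{m[3]}/{m[4]}"),
             "remote_proxy": ipaddress.ip_network(f"{m[5]}/{m[6]}")}
            for m in SA_REQ_RE.finditer(text)]


def expected_peers(cfg, local_proxy, remote_proxy):
    """Peers whose crypto-map ACL covers this proxy pair."""
    peers = set()
    for entry in cfg["maps"]:
        for src, dst in cfg["acls"].get(entry["acl"], []):
            if local_proxy.subnet_of(src) and remote_proxy.subnet_of(dst):
                peers.add(entry["peer"])
    return peers


def check_peer_selection(cfg, requests):
    """Flag sa_requests sent to a peer other than the one the ACL maps to."""
    findings = set()
    for r in requests:
        want = expected_peers(cfg, r["local_proxy"], r["remote_proxy"])
        if r["remote"] not in want:
            findings.add((str(r["remote_proxy"]), r["remote"], tuple(sorted(want))))
    return sorted(findings)


def check_psk(cfg):
    """Warn on a 0.0.0.0 wildcard key and on one key shared by several peers."""
    warnings = []
    by_key = {}
    for key, addr in cfg["keys"]:
        if addr == "0.0.0.0":
            warnings.append("wildcard key: any host that knows the PSK can negotiate IKE")
        by_key.setdefault(key, []).append(addr)
    for addrs in by_key.values():
        if len(addrs) > 1:
            warnings.append(f"one PSK shared by {len(addrs)} peers: " + ", ".join(addrs))
    return warnings


if __name__ == "__main__":
    cfg = parse_config(ROUTER1_CONFIG)
    for net, got, want in check_peer_selection(cfg, parse_sa_requests(DEBUG_OUTPUT)):
        print(f"sa_request for {net} went to {got}; crypto map selects {', '.join(want)}")
    for w in check_psk(cfg):
        print("PSK warning:", w)
```

Run against the thread's data it reports that the request for 192.168.3.0/24 went to 200.0.2.1 while the crypto map selects 200.0.3.1, and that one PSK is shared by both peers; feed it a `crypto isakmp key ... address 0.0.0.0` line and it adds the wildcard warning.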
06-02-2021 03:02 PM
@MHM Cisco World I can't find the command to clear ISAKMP and the session. What is the command, and in which mode?
06-02-2021 03:41 PM - edited 06-02-2021 04:44 PM
clear crypto ipsec sa
clear crypto isakmp sa
06-02-2021 04:07 PM
06-02-2021 04:45 PM
sorry see above edit comment.
06-02-2021 04:51 PM
@MHM Cisco World same problem, here are the only options:
06-03-2021 11:59 AM
OK, "this limit of PT"
Just reconfigure R1 again from zero, and configure two passwords, one for each branch.
06-03-2021 12:46 PM - edited 06-03-2021 12:47 PM
Still the same problem!
I want to add that if I ping PC0 and then PC2 (from PC1), everything works just fine; I only have this problem if I ping PC2 first and then PC0 second. I don't understand how the order of pings can cause such a problem.
06-02-2021 04:59 PM
The same problem occurs for me, and I really can't find the solution anywhere.