12-19-2013 06:47 PM
Hi Guys
can you help on this?
I have set up a VPN connection, but the tunnel shows as status: up and protocol description: down.
Debug is on and shows the following:
SA has outstanding requests (local xx.xx.xx.xx port 500, remote xx.xx.xx.xx port 500)
Dec 20 02:39:26.762: ISAKMP:(2142): sitting IDLE. Starting QM immediately (QM_IDLE )
Dec 20 02:39:26.762: ISAKMP:(2142):beginning Quick Mode exchange, M-ID of 3357871564
Dec 20 02:39:26.762: ISAKMP:(2142):QM Initiator gets spi
Dec 20 02:39:26.762: ISAKMP:(2142): sending packet to xx.xx.xx.xx my_port 500 peer_port 500 (I) QM_IDLE
Dec 20 02:39:26.762: ISAKMP:(2142):Sending an IKE IPv4 Packet.
Dec 20 02:39:26.762: ISAKMP:(2142):Node 3357871564, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Dec 20 02:39:26.762: ISAKMP:(2142):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Dec 20 02:39:26.794: ISAKMP (2142): received packet from xx.xx.xx.xx dport 500 sport 500 Global (I) QM_IDLE
Dec 20 02:39:26.794: ISAKMP: set new node -419503660 to QM_IDLE
Dec 20 02:39:26.794: ISAKMP:(2142): processing HASH payload. message ID = 3875463636
Dec 20 02:39:26.794: ISAKMP:(2142): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2561284360, message ID = 3875463636, sa = 0x87D0CFC8
Dec 20 02:39:26.794: ISAKMP:(2142): deleting spi 2561284360 message ID = 3357871564
Dec 20 02:39:26.794: ISAKMP:(2142):deleting node -937095732 error TRUE reason "Delete Larval"
Dec 20 02:39:26.794: ISAKMP:(2142):deleting node -419503660 error FALSE reason "Informational (in) state 1"
Dec 20 02:39:26.794: ISAKMP:(2142):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Dec 20 02:39:26.794: ISAKMP:(2142):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Dec 20 02:39:46.798: ISAKMP:(2142):purging node -1177810765
Dec 20 02:39:46.798: ISAKMP:(2142):purging node -138734109
Dec 20 02:39:56.763: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 2 packets
Dec 20 02:39:56.763: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= xx.xx.xx.xx:0, remote= xx.xx.xx.xx:0,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
The config is the following:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxx address xx.xx.xx.xx
!
!
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile tech
set transform-set vpnset
!
!
crypto map my-map 20 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set vpnset
match address 155
12-23-2013 11:13 AM
Hello,
As to your question, you can't have more than 1 crypto map on the interface.
However, you can use the same crypto map for multiple policies. You can change the my-map to vpnmap.
This way both are enabled on the same interface, with one having a higher priority than the other.
So if a packet is coming from the inside interface, the first crypto ACL will be checked and then the next and so on. The first match it finds is chosen for the IPsec negotiation.
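The first-match behaviour described in the answer above, as an added example that is not from the thread: a small Python model of one crypto map carrying two sequence numbers, Cisco wildcard-mask ACL matching, and the mirrored ACE the peer must carry. Assumed: RFC 5737 placeholder addresses in place of the masked 202.x.x.x ones, and a placeholder line for ACL 150, whose content the thread does not show.

```python
import ipaddress

# Constructed from the thread: both entries merged into one map ("vpnmap") as the
# answer suggests, ordered by sequence number. Peer addresses are RFC 5737
# placeholders for the masked 202.x.x.x ones; ACL 150's content is not shown in
# the thread, so its single line below is an assumed placeholder.
CRYPTO_MAP = {
    10: {"peer": "203.0.113.10",  # ACL 150 (assumed content)
         "acl": ["permit ip 10.0.0.0 0.0.0.255 10.2.2.0 0.0.0.255"]},
    20: {"peer": "203.0.113.20",  # ACL 155 as posted (host addresses substituted)
         "acl": ["permit ip 10.0.0.0 0.0.0.255 10.1.1.32 0.0.0.31",
                 "permit ip host 203.0.113.1 host 203.0.113.20"]},
}

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_ace(line: str):
    """Parse 'permit ip <src> <wc> <dst> <wc>', accepting 'host X' and 'any'."""
    toks = line.split()
    if toks[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    rest, ends = toks[2:], []
    while rest:
        if rest[0] == "host":
            ends.append((rest[1], "0.0.0.0")); rest = rest[2:]
        elif rest[0] == "any":
            ends.append(("0.0.0.0", "255.255.255.255")); rest = rest[1:]
        else:
            ends.append((rest[0], rest[1])); rest = rest[2:]
    return ends[0], ends[1]  # (src, src_wc), (dst, dst_wc)

def select_sequence(src: str, dst: str, crypto_map=CRYPTO_MAP):
    """Lowest sequence whose crypto ACL permits src->dst wins; None = sent in the clear."""
    for seq in sorted(crypto_map):
        for ace in crypto_map[seq]["acl"]:
            (s, sw), (d, dw) = parse_ace(ace)
            if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
                return seq
    return None

def mirror_ace(line: str) -> str:
    """The ACE the peer must carry for the same flow: src and dst swapped."""
    (s, sw), (d, dw) = parse_ace(line)
    fmt = lambda a, w: f"host {a}" if w == "0.0.0.0" else f"{a} {w}"
    return f"permit ip {fmt(d, dw)} {fmt(s, sw)}"
```

Traffic that matches no crypto ACL on the map is not dropped by the map; it leaves the interface unencrypted, which is why a missing or mis-ordered entry is worth checking.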
12-20-2013 12:45 AM
You are not compatible with the other side. What's the config of the peer?
Do you also have an IPsec-Tunnel-Interface on this router that the other side does not have?
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
12-20-2013 03:41 PM
Hello,
I agree with Karsten. It seems that ISAKMP negotiations are fine. Phase 1 is coming up just fine but Phase 2 is not.
Make sure that the Crypto map settings on both sides match. Meaning they both should have the same encryption and hashing methods. Also the ACL must be the exactly the same on the peer only mirrored.
Also, make sure that the crypto map is enabled on the outside on both peers.
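Zaid's reading of the debug (Phase 1 complete, Phase 2 failing) can be checked mechanically. Added example, not from the thread: a Python triage of the posted ISAKMP debug lines that records whether the ISAKMP SA completed and flags the PROPOSAL_NOT_CHOSEN notify for ESP (IPsec DOI protocol 3). The sample lines are copied from the original post; the diagnosis strings are my own wording of the checks suggested in this thread.

```python
import re

# Constructed sample: lines taken from the debug output in the original post
# (peer addresses were already masked there as xx.xx.xx.xx).
DEBUG_LOG = """\
Dec 20 02:39:26.762: ISAKMP:(2142):beginning Quick Mode exchange, M-ID of 3357871564
Dec 20 02:39:26.794: ISAKMP:(2142): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2561284360, message ID = 3875463636, sa = 0x87D0CFC8
Dec 20 02:39:26.794: ISAKMP:(2142):deleting node -937095732 error TRUE reason "Delete Larval"
Dec 20 02:39:26.794: ISAKMP:(2142):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Dec 20 02:39:56.763: IPSEC(key_engine): request timer fired: count = 2,
"""

# IPsec DOI protocol identifiers carried in a NOTIFY payload (RFC 2407, section 4.4.1).
DOI_PROTO = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}

NOTIFY_RE = re.compile(r"processing NOTIFY (?P<type>[A-Z_]+) protocol (?P<proto>\d+)")
STATE_RE = re.compile(r"New State = (?P<state>IKE_\w+)")

def triage(log: str) -> dict:
    """Collect the phase-1/phase-2 indicators from an ISAKMP/IPsec debug capture."""
    findings = {"phase1_complete": False, "qm_started": False, "notifies": [], "retries": 0}
    for line in log.splitlines():
        m = STATE_RE.search(line)
        if m and m["state"] == "IKE_P1_COMPLETE":
            findings["phase1_complete"] = True
        if "beginning Quick Mode exchange" in line:
            findings["qm_started"] = True
        m = NOTIFY_RE.search(line)
        if m:
            findings["notifies"].append((m["type"], DOI_PROTO.get(int(m["proto"]), m["proto"])))
        if "request timer fired" in line:
            findings["retries"] += 1
    return findings

def diagnosis(findings: dict) -> str:
    """Turn the findings into the check an operator should run next."""
    if not findings["phase1_complete"]:
        return "phase1: ISAKMP SA never completed; compare isakmp policy (encr/hash/group/auth) and PSK"
    for ntype, proto in findings["notifies"]:
        if ntype == "PROPOSAL_NOT_CHOSEN":
            return (f"phase2: peer rejected the {proto} proposal; compare transform-set "
                    "(cipher, HMAC, tunnel/transport mode), PFS and the mirrored crypto ACL")
    if findings["qm_started"] and findings["retries"]:
        return "phase2: Quick Mode unanswered; check reachability and that the crypto map is applied to the WAN interface"
    return "no failure indicator found in this capture"
```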
12-22-2013 06:59 PM
Thanks for looking into it guys, I don't have control over the peer config, but I am guessing that it is correct as we have other VPN connections running to the same one.
Now a question that Zaid's comment raises: "the crypto map is enabled on the outside on both peers".
Can I put multiple crypto maps on one interface? I have only one WAN IP, and it currently has a different crypto map.
see:
crypto map my-map 20 ipsec-isakmp
set peer 202.x.x.x
set transform-set vpnset
match address 155
!
crypto map vpnmap 10 ipsec-isakmp
set peer 202.x.x.x
set transform-set vpnset
match address 150
WAN interface:
interface Ethernet0.10
encapsulation ......
ip address 202.x.x.x 255.255.255.0
ip access-group 101 in
no ip proxy-arp
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
crypto map vpnmap
Now, do I have to have crypto map my-map on the interface Ethernet0.10? If yes, then how do I assign two crypto maps on one single interface?
Thanks
12-23-2013 12:52 AM
What is this my-map for? It's not shown in your first post. And what is the content of your crypto-ACLs (150 and 155)?
And for the crypto-ACL: Does your ACL mirror the content of the other side?
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
12-23-2013 12:04 PM
Hi Karsten
Currently a VPN connection is already in place on the router, crypto map vpnmap, which is working without any problem. Now I have set up a new VPN connection for another site, which has had no joy so far.
The access list contents are as follows:
Extended IP access list 155
permit ip 10.0.0.0 0.0.0.255 10.1.1.32 0.0.0.31
permit ip host 202.x.x.x host 202.x.x.x
Yes, the ACL is mirrored on the other side.
12-23-2013 12:05 PM
Hi Zaid
I have configured it according to your suggestion; I will see if it's working now.
Thanks