cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
584
Views
0
Helpful
2
Replies

Problem site-to-site after IKE phase I

KronosNOC
Level 1
Level 1

Hi all,

Need some help from somebody with the same experience..

I have configured site-to-site IPSEC VPN for Cisco router (central site) - Netopia DSL router (remote site).

But I stuck on the IKE Phase I, it will not further to negotiate Phase II due to the following reason, you find a snapshot of the debug crypto isakmp:

Dec 2 18:52:58: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Dec 2 18:52:58: ISAKMP (0:2): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

Dec 2 18:52:58: ISAKMP (0:2): Need config/address

Dec 2 18:52:58: ISAKMP (0:2): Need config/address

Dec 2 18:52:58: ISAKMP: set new node 1307474457 to CONF_ADDR

Dec 2 18:52:58: ISAKMP (0:2): No IP address pool defined for ISAKMP!

Dec 2 18:52:58: ISAKMP (0:2): peer does not do paranoid keepalives.

Dec 2 18:52:58: ISAKMP (0:2): deleting SA reason "Fail to allocate ip address" state (I) CONF_ADDR (peer x.x.x.x) input q

ueue 0

Dec 2 18:52:58: ISAKMP (0:2): deleting node 1307474457 error FALSE reason ""

Dec 2 18:52:58: ISAKMP (0:2): FSM action returned error: 2

Dec 2 18:52:58: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

Dec 2 18:52:58: ISAKMP (0:2): Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_MODE_SET_SENT

Dec 2 18:52:58: ISAKMP: set new node -98942500 to CONF_ADDR

Dec 2 18:52:58: ISAKMP (0:2): sending packet to x.x.x.x my_port 500 peer_port 500 (I) CONF_ADDR

Dec 2 18:52:58: ISAKMP (0:2): purging node -98942500

Dec 2 18:52:58: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Dec 2 18:52:58: ISAKMP (0:2): Old State = IKE_CONFIG_MODE_SET_SENT New State = IKE_DEST_SA

Dec 2 18:52:58: ISAKMP (0:2): deleting SA reason "" state (I) CONF_ADDR (peer x.x.x.x) input queue 0

Dec 2 18:52:58: ISAKMP: Unlocking IKE struct 0x62E1BC88 for isadb_mark_sa_deleted(), count 0

Dec 2 18:52:58: ISAKMP: Deleting peer node by peer_reap for x.x.x.x: 62E1BC88

Dec 2 18:52:58: ISAKMP (0:2): deleting node -2107720557 error FALSE reason ""

Dec 2 18:52:58: ISAKMP (0:2): deleting node 1307474457 error FALSE reason ""

Dec 2 18:52:58: ISAKMP (0:2): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Dec 2 18:52:58: ISAKMP (0:2): Old State = IKE_DEST_SA New State = IKE_DEST_SA

P.S. I have changed the IP Address of the peer to x.x.x.x.

To be sure about my configuration on the Central cisco router I have defined a second remote site with a cisco router and it works fine..

Can somebody point me to some document why it says "need config/address" on the ISAKMP after the Phase I is connected?

Any help will be appreciated..

Regards,

H2T

2 Replies 2

mchin345
Level 6
Level 6

A site-to-site VPN protects the network resources on your protected networks from unauthorized use by users on an unprotected network, such as the public Internet. The basic configuration for this type of implementation has been covered in Chapter 6, "Configuring IPSec and Certification Authorities." This chapter provides examples of the following site-to-site VPN configurations:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172795.html

Hi,

Thanks for your response.. Yes I am aware of that all..

I have followed the documents very well but still stuck on perhaps interop issue between Cisco and Netopia gears.

So I wonder whether somebody has other experience than that!

For the clearness the Netopia that they are using is Netopia R3346 type router.

Honestly I can´t find any issue with that on the Internet but I am not able to setup an end to end IPSEC tunnel.

TIA

H2T