02-07-2012 12:27 PM
Hi there,
Looking for help with resolving an ISAKMP phase 1 issue.
There are two 2691 routers: R3 is hub, R1 is spoke.
I have Virtual-Template interface on R3 and Tunnel0 interface on R1.
I have the same key in "crypto isakmp key" on R1 and in "keyring address" on R3.
Here is the piece of debug from R3:
*Mar 1 03:07:05.167: ISAKMP:(1093): processing ID payload. message ID = 0
*Mar 1 03:07:05.167: ISAKMP (0:1093): ID payload
    next-payload : 8
    type         : 1
    address      : 192.168.1.1
    protocol     : 17
    port         : 500
    length       : 12
*Mar 1 03:07:05.171: ISAKMP:(0):: peer matches VPN profile
*Mar 1 03:07:05.171: ISAKMP:(1093):Found ADDRESS key in keyring VPN
*Mar 1 03:07:05.171: ISAKMP:(1093):Key not found in keyrings of profile , aborting exchange
*Mar 1 03:07:05.171: ISAKMP (0:1093): FSM action returned error: 2
*Mar 1 03:07:05.171: ISAKMP:(1093):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 03:07:05.171: ISAKMP:(1093):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Mar 1 03:07:05.175: ISAKMP:(1093):peer does not do paranoid keepalives.
*Mar 1 03:07:05.175: ISAKMP:(1093):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 192.168.1.1)
*Mar 1 03:07:05.175: ISAKMP (0:1093): FSM action returned error: 2
*Mar 1 03:07:05.175: ISAKMP:(1093):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*Mar 1 03:07:05.175: ISAKMP:(1093):Old State = IKE_R_MM5 New State = IKE_R_MM4
Here is "sh crypto isakmp sa" payload from R3:
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.10.10.2      192.168.1.1     MM_NO_STATE       1096    0 ACTIVE (deleted)
And here is isakmp sa state from R1:
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.10.10.2      192.168.1.1     MM_KEY_EXCH       1093    0 ACTIVE
ISAKMP phase 1 gets stuck at this point.
I will show pieces of the routers' running-config in the next message.
Looking forward to your help.
02-07-2012 12:34 PM
R1 running-config:
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp key 12345 address 10.10.10.2
!
!
crypto ipsec transform-set VPN esp-aes esp-sha-hmac
!
crypto ipsec profile VPN
set transform-set VPN
!
!
!
!
!
!
!
!
interface Tunnel0
ip unnumbered FastEthernet0/0
tunnel source FastEthernet0/0
tunnel destination 10.10.10.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.252
!
R3 running-config:
crypto keyring VPN
pre-shared-key address 192.168.1.1 key 12345
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp key 12345 address 192.168.1.1
crypto isakmp profile VPN
keyring VPN
match identity address 192.168.1.1 255.255.255.255
match identity address 172.16.0.1 255.255.255.255
virtual-template 1
!
!
crypto ipsec transform-set VPN esp-aes esp-sha-hmac
!
crypto ipsec profile VPN
set transform-set VPN
!
!
!
!
!
interface FastEthernet1/0
ip address 10.10.10.2 255.255.255.252
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet1/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN