02-07-2012 12:27 PM
Hi there,
Looking for help with resolving an ISAKMP phase 1 issue.
There are two 2691 routers: R3 is the hub, R1 is the spoke.
I have a Virtual-Template interface on R3 and a Tunnel0 interface on R1.
I have the same key in "crypto isakmp key" on R1 and in "keyring address" on R3.
Here is the piece of debug from R3:
*Mar 1 03:07:05.167: ISAKMP:(1093): processing ID payload. message ID = 0
*Mar 1 03:07:05.167: ISAKMP (0:1093): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.1.1
        protocol     : 17
        port         : 500
        length       : 12
*Mar 1 03:07:05.171: ISAKMP:(0):: peer matches VPN profile
*Mar 1 03:07:05.171: ISAKMP:(1093):Found ADDRESS key in keyring VPN
*Mar 1 03:07:05.171: ISAKMP:(1093):Key not found in keyrings of profile , aborting exchange
*Mar 1 03:07:05.171: ISAKMP (0:1093): FSM action returned error: 2
*Mar 1 03:07:05.171: ISAKMP:(1093):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 03:07:05.171: ISAKMP:(1093):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Mar 1 03:07:05.175: ISAKMP:(1093):peer does not do paranoid keepalives.
*Mar 1 03:07:05.175: ISAKMP:(1093):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 192.168.1.1)
*Mar 1 03:07:05.175: ISAKMP (0:1093): FSM action returned error: 2
*Mar 1 03:07:05.175: ISAKMP:(1093):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*Mar 1 03:07:05.175: ISAKMP:(1093):Old State = IKE_R_MM5 New State = IKE_R_MM4
Here is "sh crypto isakmp sa" payload from R3:
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.10.10.2      192.168.1.1     MM_NO_STATE       1096    0 ACTIVE (deleted)
And here is isakmp sa state from R1:
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.10.10.2      192.168.1.1     MM_KEY_EXCH       1093    0 ACTIVE
ISAKMP phase 1 gets stuck on this.
I will show the routers' running-config pieces in the next message.
Looking forward to your help.
02-07-2012 12:34 PM
R1 running-config:
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key 12345 address 10.10.10.2
!
!
crypto ipsec transform-set VPN esp-aes esp-sha-hmac
!
crypto ipsec profile VPN
 set transform-set VPN
!
!
!
!
!
!
!
!
interface Tunnel0
 ip unnumbered FastEthernet0/0
 tunnel source FastEthernet0/0
 tunnel destination 10.10.10.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.252
!
R3 running-config:
crypto keyring VPN
 pre-shared-key address 192.168.1.1 key 12345
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key 12345 address 192.168.1.1
crypto isakmp profile VPN
 keyring VPN
 match identity address 192.168.1.1 255.255.255.255
 match identity address 172.16.0.1 255.255.255.255
 virtual-template 1
!
!
crypto ipsec transform-set VPN esp-aes esp-sha-hmac
!
crypto ipsec profile VPN
 set transform-set VPN
!
!
!
!
!
interface FastEthernet1/0
 ip address 10.10.10.2 255.255.255.252
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet1/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN
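The following is an added example, not part of either post above: a small triage script for "debug crypto isakmp" output that groups lines by SA conn-id and pulls out the state transitions, the abort line and the SA deletion reason. The sample lines are copied from the R3 debug in the first post; the function name and the error wording are this example's own.

```python
import re
from collections import defaultdict

# Lines copied from the R3 debug output in the first post.
SAMPLE = """\
*Mar 1 03:07:05.171: ISAKMP:(0):: peer matches VPN profile
*Mar 1 03:07:05.171: ISAKMP:(1093):Found ADDRESS key in keyring VPN
*Mar 1 03:07:05.171: ISAKMP:(1093):Key not found in keyrings of profile , aborting exchange
*Mar 1 03:07:05.171: ISAKMP (0:1093): FSM action returned error: 2
*Mar 1 03:07:05.171: ISAKMP:(1093):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Mar 1 03:07:05.175: ISAKMP:(1093):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 192.168.1.1)
*Mar 1 03:07:05.175: ISAKMP:(1093):Old State = IKE_R_MM5 New State = IKE_R_MM4
"""

# Both header forms seen in the post: "ISAKMP:(1093):" and "ISAKMP (0:1093):"
HEADER = re.compile(r"ISAKMP\s*:?\s*\((?:\d+:)?(\d+)\):+\s*(.*)$")
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
DELETE = re.compile(r'deleting SA reason "([^"]+)" state \S+ (\S+) \(peer ([\d.]+)\)')
# The profile name may be blank, as it is in the post's debug line.
ABORT = re.compile(r"Key not found in keyrings of profile\s*(\S*?)\s*,")

def triage(text):
    """Return {conn_id: {"states": [...], "errors": [...], "peer": str or None}}."""
    sas = defaultdict(lambda: {"states": [], "errors": [], "peer": None})
    for line in text.splitlines():
        m = HEADER.search(line)
        if not m:
            continue  # not an ISAKMP debug line
        sa, msg = sas[int(m.group(1))], m.group(2)
        if s := STATE.search(msg):
            sa["states"].append(s.groups())
        elif d := DELETE.search(msg):
            sa["peer"] = d.group(3)
            sa["errors"].append(f"SA deleted: {d.group(1)} in {d.group(2)}")
        elif a := ABORT.search(msg):
            name = a.group(1) or "<empty>"
            sa["errors"].append(f"no usable key for ISAKMP profile {name}")
        elif "FSM action returned error" in msg:
            sa["errors"].append(msg)
    return dict(sas)

if __name__ == "__main__":
    for conn_id, sa in triage(SAMPLE).items():
        print(conn_id, sa["peer"], sa["states"], *sa["errors"], sep="\n  ")
```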