Site 2 Site VPN

chike2much
Level 1

Hi guys,

I have been having some issues with site-to-site VPN. OK, my topology goes like this: [image: Topology]

I have OSPF running on both the internal LAN and the point-to-point routers, which have a site-to-site VPN connection established successfully. Now, for failover, I have configured a default static route via the internet router (HQ-TX --- INTERNET ROUTER --- NV BRANCH...). I can reach both LANs using static routing, but after I configure site-to-site VPN on the interfaces I lose connectivity. I debugged, and this is what I got.

HQ-- TX Router

ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4

ISAKMP:(0): processing KE payload. message ID = 0

ISAKMP:(0): processing NONCE payload. message ID = 0

ISAKMP:(0):found peer pre-shared key matching 80.80.86.10

ISAKMP:(1016): processing vendor id payload

ISAKMP:(1016): vendor ID is Unity

ISAKMP:(1016): processing vendor id payload

ISAKMP:(1016): vendor ID is DPD

ISAKMP:(1016): processing vendor id payload

ISAKMP:(1016): speaking to another IOS box!

ISAKMP:received payload type 20

ISAKMP (1016): His hash no match - this node outside NAT

ISAKMP:received payload type 20

ISAKMP (1016): No NAT Found for self or peer

ISAKMP:(1016):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

ISAKMP:(1016):Old State = IKE_I_MM4 New State = IKE_I_MM4

ISAKMP:(1016):Send initial contact

ISAKMP:(1016):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

ISAKMP (0:1016): ID payload

next-payload : 8

type : 1

address : 80.80.86.1

protocol : 17

port : 500

length : 12

ISAKMP:(1016):Total payload length: 12

ISAKMP:(1016): sending packet to 80.80.86.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH

ISAKMP:(1016):Sending an IKE IPv4 Packet.

ISAKMP:(1016):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

ISAKMP:(1016):Old State = IKE_I_MM4 New State = IKE_I_MM5

ISAKMP (0:1016): received packet from 80.80.86.10 dport 500 sport 500 Global (I) MM_KEY_EXCH

ISAKMP:(1016): processing ID payload. message ID = 0

ISAKMP (0:1016): ID payload

next-payload : 8

type : 1

address : 80.80.86.10

protocol : 17

port : 500

length : 12

ISAKMP:(0):: peer matches *none* of the profiles

ISAKMP:(1016): processing HASH payload. message ID = 0

ISAKMP:(1016):SA authentication status:

authenticated

ISAKMP:(1016):SA has been authenticated with 80.80.86.10

ISAKMP: Trying to insert a peer 80.80.86.1/80.80.86.10/500/, and inserted successfully 47CA9F80.

ISAKMP:(1016):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

ISAKMP:(1016):Old State = IKE_I_MM5 New State = IKE_I_MM6

ISAKMP:(1016):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

ISAKMP:(1016):Old State = IKE_I_MM6 New State = IKE_I_MM6

ISAKMP:(1016):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

ISAKMP:(1016):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

ISAKMP:(1016):beginning Quick Mode exchange, M-ID of 69859174

ISAKMP:(1016):QM Initiator gets spi

ISAKMP:(1016): sending packet to 80.80.86.10 my_port 500 peer_port 500 (I) QM_IDLE

ISAKMP:(1016):Sending an IKE IPv4 Packet.

ISAKMP:(1016):Node 69859174, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

ISAKMP:(1016):Old State = IKE_QM_READY New State = IKE_QM_I_QM1

ISAKMP:(1016):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

ISAKMP:(1016):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Please, what can I do to establish a connection between both sites via the INTERNET ROUTER? I have configured different crypto maps on both serial interfaces, using the same ISAKMP policy I created for my point-to-point (PRIVATE WAN) running OSPF. I'll appreciate all the help.

~Chike

1 Reply

marce1000
VIP

 

- The debug information you provided shows that the ISAKMP process is encountering a problem with NAT, specifically that "His hash no match - this node outside NAT" and "No NAT Found for self or peer." You may have a problem with your NAT configuration on the routers. I would recommend checking your NAT configuration and making sure that it is set up correctly for the VPN connection. Additionally, ensure that the correct pre-shared key is configured on both ends of the VPN connection, and that the IP addresses used for the VPN match on both ends.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '
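
An added example, not part of either post: a small Python parser that reads the "Old State / New State" lines of an ISAKMP debug like the one quoted in the question and reports how far the IKEv1 negotiation got in the capture. The sample lines are copied from that debug; the function names `summarize` and `stage` are hypothetical.

```python
import re

# State-transition lines in IOS ISAKMP debug output look like:
#   ISAKMP:(1016):Old State = IKE_I_MM5 New State = IKE_I_MM6
TRANSITION = re.compile(r"Old State = (\S+)\s+New State = (\S+)")

# Excerpt copied from the debug output in the question above.
SAMPLE = """\
ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
ISAKMP (1016): No NAT Found for self or peer
ISAKMP:(1016):Old State = IKE_I_MM4 New State = IKE_I_MM5
ISAKMP:(1016):SA has been authenticated with 80.80.86.10
ISAKMP:(1016):Old State = IKE_I_MM5 New State = IKE_I_MM6
ISAKMP:(1016):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
ISAKMP:(1016):beginning Quick Mode exchange, M-ID of 69859174
ISAKMP:(1016):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
ISAKMP:(1016):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
"""

def summarize(debug_text):
    """Track how far an IKEv1 negotiation got in a debug capture."""
    s = {"last_mm": None, "last_qm": None, "phase1_complete": False,
         "authenticated_peer": None, "nat_found": None}
    for line in debug_text.splitlines():
        m = TRANSITION.search(line)
        if m:
            new = m.group(2)
            if new == "IKE_P1_COMPLETE":
                s["phase1_complete"] = True
            elif new.startswith("IKE_QM_"):
                s["last_qm"] = new          # Quick Mode (phase 2) state
            elif "_MM" in new:
                s["last_mm"] = new          # Main Mode (phase 1) state
        elif "No NAT Found for self or peer" in line:
            s["nat_found"] = False          # NAT discovery found no NAT
        elif "SA has been authenticated with" in line:
            s["authenticated_peer"] = line.rsplit(" ", 1)[-1]
    return s

def stage(s):
    """One-line description of where the capture ends."""
    if not s["phase1_complete"]:
        return f"phase 1 incomplete, last main mode state {s['last_mm']}"
    if s["last_qm"] is None:
        return "phase 1 complete, quick mode not started"
    if s["last_qm"].endswith("COMPLETE"):
        return "phase 2 complete"
    return f"phase 1 complete, quick mode pending at {s['last_qm']}"

if __name__ == "__main__":
    print(stage(summarize(SAMPLE)))
```

Running the same functions over a capture from the peer router shows whether the Quick Mode request arrived there and how it was answered.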