05-15-2023 06:59 PM
I am trying to configure a router for a site-to-site VPN to a Sophos router using IKEv1. Attached are the protocols along with my Cisco CLI configs. I feel like I have everything right, but it won't pass phase 1. I have hashed out IP addresses and the pre-shared key, but those are set correctly. Any help?
crypto isakmp policy 1
 hash sha256
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key (redacted) address (redacted)
!
crypto ipsec transform-set compulink esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map vpnmap 1 ipsec-isakmp
 set peer (redacted)
 set transform-set compulink
 match address 164
!
access-list 164 permit ip host 192.168.7.6 host 10.36.14.225
!
interface GigabitEthernet0/1
 description TWC Primary
 ip address (redacted) 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 1000
 no cdp enable
 crypto map vpnmap
mecgol1921#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.7.6/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.36.14.225/255.255.255.255/0/0)
current_peer (redacted) port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: (redacted), remote crypto endpt.: (redacted)
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Interface: GigabitEthernet0/1 #this verifies that the tunnel is down.
Session status: DOWN
Peer: (redacted) port 500
IPSEC FLOW: permit ip host 192.168.7.6 host 10.36.14.225
Active SAs: 0, origin: crypto map
06-05-2023 06:33 AM
If you are doing NAT translation, in that case put a NAT exemption (no NAT) for your interesting traffic on the access-list which is married to NAT overload.
ip access-list extended 888
 ! exempt the VPN interesting traffic from NAT; the deny must come before the catch-all permit
 ! and must name exactly the same hosts as crypto ACL 164
 10 deny ip host 192.168.7.6 host 10.36.14.225
 20 permit ip any any
!
ip nat inside source list 888 interface GigabitEthernet0/1 overload
!
! crypto ACL (interesting traffic); mirrors the exemption entry above
access-list 164 permit ip host 192.168.7.6 host 10.36.14.225
!
crypto map CMAP 1 ipsec-isakmp
 set peer (redacted)
 set transform-set compulink
 match address 164
!
interface GigabitEthernet0/1
 description TWC Primary
 ip address (redacted) 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 1000
 no cdp enable
 crypto map CMAP
05-17-2023 01:50 PM
What is the output of "show crypto isakmp sa detail"? As the output you showed earlier shows the VPN is down, it could be you are failing on MM_5, which means the pre-shared key could be wrong either on your end or on the remote end, but we are not sure. Show the output of the command mentioned above and then we can take a lead from it.
05-22-2023 06:06 PM
Thanks for your help. Attached are the results of the command "show crypto isakmp sa detail". As you can see below, the only thing it shows is an already existing VPN to a different IP address. The VPN I'm attempting to set up does not even show at all. Any ideas? Could this VPN being active be the reason why I can't get the new one running?
mecgol1921#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1018 70.63.158.114 174.99.226.133 ACTIVE 3des sha512 psk 2 17:16:33
Engine-id:Conn-id = SW:18
IPv6 Crypto ISAKMP SA
05-23-2023 01:43 AM
You have to try to send a ping to the remote side.
! ping the remote host, sourced from the inside interface (gigx/x); the source address
! must be 192.168.7.6 for the packet to match crypto ACL 164 and trigger the tunnel
ping 10.36.14.225 source gigx/x
What's the Cisco router model? Basically, we need to see the debug to see what's happening on this.
! limit debug output to the VPN peer, then enable the IKE/IPsec debugs
debug crypto condition peer ipv4 <peer-ip>
debug crypto isakmp
debug crypto engine
debug crypto ipsec
05-23-2023 04:33 AM
Hello
It seems the match on the traffic of interest is failing. Try adding the access list like this:
! IOS access-lists take wildcard masks (0.0.0.255), not subnet masks (255.255.255.0)
access-list 164 permit ip 192.168.7.0 0.0.0.255 10.36.14.0 0.0.0.255
And make sure both ends match exactly the same traffic.
The other end should be:
access-list 164 permit ip 10.36.14.0 0.0.0.255 192.168.7.0 0.0.0.255
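As an added check that is not part of the thread (example code, not any poster's or Cisco's): a small Python evaluator for the IOS extended-ACL entries quoted in this thread. It tests the two things the replies turn on: that the NAT-exemption list (888 in the accepted solution) denies every flow the crypto ACL (164) permits before its catch-all permit, and that the masks in the access-list suggested just above are wildcard masks, since IOS reads 255.255.255.0 as "ignore the first three octets, match a last octet of 0", which never matches 192.168.7.6. Addresses are the thread's; the ACL text is reconstructed from the posts, and NAT_ACL_TYPO is a constructed exemption entry with a mistyped destination, included to show what a silent mismatch looks like.

```python
"""Added example, not from the thread: evaluate Cisco IOS extended-ACL entries
('permit ip' / 'deny ip' with any, host, or address+wildcard) to check that a
NAT exemption list covers the crypto ACL and that masks are real wildcards."""
import ipaddress

ALL_ONES = 0xFFFFFFFF

# Reconstructed from the posts (addresses are the thread's).
CRYPTO_ACL = ["access-list 164 permit ip host 192.168.7.6 host 10.36.14.225"]
NAT_ACL_OK = ["10 deny ip host 192.168.7.6 host 10.36.14.225",
              "20 permit ip any any"]
# Constructed: exemption entry with a mistyped destination (.255 instead of .225).
NAT_ACL_TYPO = ["10 deny ip host 192.168.7.6 host 10.36.14.255",
                "20 permit ip any any"]
# Subnet mask written where IOS expects a wildcard, versus the wildcard form.
ACL_SUBNET_MASK = ["access-list 164 permit ip 192.168.7.0 255.255.255.0 10.36.14.0 255.255.255.0"]
ACL_WILDCARD = ["access-list 164 permit ip 192.168.7.0 0.0.0.255 10.36.14.0 0.0.0.255"]


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _addr(toks):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if toks[0] == "any":
        return (0, ALL_ONES), toks[1:]
    if toks[0] == "host":
        return (_ip(toks[1]), 0), toks[2:]
    return (_ip(toks[0]), _ip(toks[1])), toks[2:]


def parse_entry(line):
    """Parse 'access-list N permit|deny ip SRC DST' or a named-ACL
    'SEQ permit|deny ip SRC DST' line into (action, src_spec, dst_spec)."""
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[2:]
    elif toks[0].isdigit():
        toks = toks[1:]
    action, proto, rest = toks[0], toks[1], toks[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError("unsupported entry: " + line)
    src, rest = _addr(rest)
    dst, _ = _addr(rest)
    return action, src, dst


def parse_acl(lines):
    return [parse_entry(line) for line in lines]


def matches(spec, ip):
    """IOS wildcard semantics: a set wildcard bit means 'don't care'."""
    net, wildcard = spec
    care = ~wildcard & ALL_ONES
    return (_ip(ip) & care) == (net & care)


def lookup(acl, src, dst):
    """First matching entry wins; implicit deny at the end, as on IOS."""
    for action, s, d in acl:
        if matches(s, src) and matches(d, dst):
            return action
    return "deny"


def translated_vpn_flows(nat_lines, crypto_lines, flows):
    """Flows the crypto ACL selects for the tunnel that the NAT list still
    permits, i.e. would be PAT'ed to the outside address before encryption."""
    nat, crypto = parse_acl(nat_lines), parse_acl(crypto_lines)
    return [(s, d) for s, d in flows
            if lookup(crypto, s, d) == "permit" and lookup(nat, s, d) == "permit"]


def suspicious_wildcards(lines):
    """Flag masks shaped 1...10...0 (a subnet mask typed where IOS expects a
    wildcard); host (all zeros) and any (all ones) are left alone."""
    bad = []
    for _, src, dst in parse_acl(lines):
        for _, wc in (src, dst):
            inv = ~wc & ALL_ONES
            if wc not in (0, ALL_ONES) and (inv & (inv + 1)) == 0:
                bad.append(str(ipaddress.IPv4Address(wc)))
    return bad


if __name__ == "__main__":
    flow = [("192.168.7.6", "10.36.14.225")]
    print("exemption ok, still NATted:", translated_vpn_flows(NAT_ACL_OK, CRYPTO_ACL, flow))
    print("mistyped exemption, still NATted:", translated_vpn_flows(NAT_ACL_TYPO, CRYPTO_ACL, flow))
    print("subnet-mask ACL matches 192.168.7.6 -> 10.36.14.225:",
          lookup(parse_acl(ACL_SUBNET_MASK), "192.168.7.6", "10.36.14.225"))
    print("wildcard ACL matches 192.168.7.6 -> 10.36.14.225:",
          lookup(parse_acl(ACL_WILDCARD), "192.168.7.6", "10.36.14.225"))
    print("suspicious masks:", suspicious_wildcards(ACL_SUBNET_MASK))
```

Run it as-is to see the mistyped exemption leave the flow NATted (the outside address, not 192.168.7.6, would then be presented to the tunnel, so nothing matches ACL 164 and the ipsec counters stay at zero), and the subnet-mask form of the access-list deny the very hosts it was meant to select while matching unrelated addresses whose last octet is 0.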