Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4299
Views
0
Helpful
3
Replies

VPN errors, not connecting

richmorrow624
Level 1
Level 1

‎08-09-2006 05:51 AM

I have a router that I am trying to put in place of a working VPN concentrator to a remote site.

The tunnel is up and working on the concentrator.

Can someone check my config to see if there are any glaring errors?

The concentrator is configure for the following:

Authentication: ESP/SHA/HMAC-160

Encryption: 3DES-168

IKE Proposal: IKE-3DES-SHA-PSK

when I put the router in place of the COncentrator I get the following errors from debug:

*Aug 9 12:28:26.147: ISAKMP: received ke message (3/1)

*Aug 9 12:28:26.147: ISAKMP: ignoring request to send delete notify (no ISAKMP

sa) src 4.7.6.2 dst 2.2.4.6 for SPI 0x140FA849

*Aug 9 12:28:31.147: ISAKMP: received ke message (3/1)

*Aug 9 12:28:31.147: ISAKMP: ignoring request to send delete notify (no ISAKMP

sa) src 4.7.6.2 dst 2.2.4.6 for SPI 0x140FA849

*Aug 9 12:28:36.147: ISAKMP: received ke message (3/1)

*Aug 9 12:28:36.147: ISAKMP: ignoring request to send delete notify (no ISAKMP

sa) src 4.7.6.2 dst 2.2.4.6 for SPI 0x140FA849

*Aug 9 12:28:41.147: ISAKMP: received ke message (3/1)

*Aug 9 12:28:41.147: ISAKMP: ignoring request to send delete notify (no ISAKMP sa)

*Aug 9 12:29:36.615: %CRYPTO-4-IKMP_NO_SA: IKE message from 2.2.4.6 has

no SA and is not an initialization offer

Labels:
Preview file
6 KB
0 Helpful
3 Replies 3

spremkumar
Level 9
Level 9

‎08-09-2006 08:57 PM

Hi

Can you try keying in this command in your router conifg ?

crypto map map-name local-address interface-id

interface id will be your outside interface where you are applying the crypto map.

Also can you post the config of your pix firewall here so that the same can be checked.

regds

0 Helpful

mustafa_nbk
Level 1
Level 1
In response to spremkumar

‎09-05-2006 09:34 PM

Hi,

I am suspecting the problum is with authentication praposal. Please change MD5 from SHA in to both IKE and IPSec praposal at both side.

Thanks,

Mustafa

0 Helpful

ksudi
Level 1
Level 1

‎09-09-2006 08:45 PM

I believe that initial setup for Phase One is missing an acl for esp and isakmp:

access-list 110 permit udp host 2.2.4.6 host 4.7.6.2 eq isakmp

access-list 110 permit esp host 2.2.4.6 host 4.7.6.2

and adding ip access-group 110 in

under the external address.

Good luck

0 Helpful
Customers Also Viewed These Support Documents