vpn site to site issue

patnaik1010
Level 1

I am configuring a site-to-site VPN using a 3640 router with Cisco IOS Version 12.4(23); the image file name is c3640-ik9o3s-mz.124-23.bin. Below is the error message I am getting on router R1 (CENTRAL LOCATION) & R2 (REMOTE LOCATION):

*Mar  1 00:42:01.727: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2001 local=192.168.5.2 remote=192.168.10.2 spi=25DB5ED7 seqno=00000004

Router R1 config:

R1#show  running-config
Building configuration...

Current configuration : 1415 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 192.168.10.2 255.255.255.0
!
!
crypto ipsec transform-set test esp-aes esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 192.168.10.2
set transform-set test
match address 110
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.5.2 255.255.255.0
duplex auto
speed auto
crypto map vpn
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.5.1
ip route 192.168.2.0 255.255.255.0 192.168.10.2
!
!
access-list 101 permit ahp host 192.168.5.2 host 192.168.10.2
access-list 101 permit esp host 192.168.5.2 host 192.168.10.2
access-list 101 permit udp host 192.168.5.2 host 192.168.10.2 eq isakmp
access-list 101 permit udp host 192.168.5.2 host 192.168.10.2 eq non500-isakmp
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
control-plane

!
line con 0
line aux 0
line vty 0 4
login
!
!
end

R1#

Router R3 config:

R3#show  running-config
Building configuration...

Current configuration : 1290 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 192.168.5.2 255.255.255.0
!
!
crypto ipsec transform-set test esp-aes esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 192.168.5.2
set transform-set test
match address 110
!
interface FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.10.2 255.255.255.0
duplex auto
speed auto
crypto map vpn
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip route 192.168.1.0 255.255.255.0 192.168.5.2
!
!
access-list 101 permit udp host 192.168.10.2 host 192.168.5.2 eq isakmp
access-list 101 permit udp host 192.168.10.2 host 192.168.5.2 eq non500-isakmp
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
!
!
end

R3#

Show commands:

R1#PING 192.168.2.1 SOurce  192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 980/1168/1784 ms
R1#

R3#TRACeroute  192.168.1.1 SOurce  192.168.2.1

Type escape sequence to abort.
Tracing the route to 192.168.1.1

  1  *  *  *
  2  *  *
*Mar  1 00:57:04.047: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2001 local=192.168.10.2 remote=192.168.5.2 spi=B8A3C99A seqno=00000009 *
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6  *  *  *
  7  *  *  *
  8  *  *

Please help in addressing the issue.

Thanks

Patnaik
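Before attributing MAC-verify failures to a platform bug, the check a practitioner would run first is whether the two ends of the tunnel are exact mirror images of each other: the peer on each side must be the address of the interface carrying the other side's crypto map, the transform sets and pre-shared key must match, the `crypto isakmp key ... address` mask must cover the peer, and the crypto ACLs must be reversed copies of each other. The Python below is an added example written for this thread, not code from the original post or from Cisco: it embeds the tunnel-relevant lines of the R1 and R3 running-configs posted above as constructed input, parses them, and reports any mismatch; it also parses the `%CRYPTO-4-RECVD_PKT_MAC_ERR` line into the fields that identify the failing SA (local, remote, SPI, sequence number) so the message can be tracked per SA in a log pipeline. The function names and the regex-based parsing approach are my own assumptions, not IOS tooling.

```python
import re
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

# Constructed input: the tunnel-relevant lines of the two running-configs posted in the thread
# (R1 and R3), copied from the post; the rest of those configs plays no part in this check.
R1_CONFIG = """
crypto isakmp key cisco address 192.168.10.2 255.255.255.0
crypto ipsec transform-set test esp-aes esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
 set peer 192.168.10.2
 set transform-set test
 match address 110
interface FastEthernet1/0
 ip address 192.168.5.2 255.255.255.0
 crypto map vpn
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
R3_CONFIG = """
crypto isakmp key cisco address 192.168.5.2 255.255.255.0
crypto ipsec transform-set test esp-aes esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
 set peer 192.168.5.2
 set transform-set test
 match address 110
interface FastEthernet1/0
 ip address 192.168.10.2 255.255.255.0
 crypto map vpn
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
# The syslog line quoted in the post, used as sample input for the log parser.
LOG_LINE = ("*Mar  1 00:42:01.727: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for "
            "connection id=2001 local=192.168.5.2 remote=192.168.10.2 spi=25DB5ED7 seqno=00000004")
MAC_ERR = re.compile(r"%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=(?P<conn>\d+) "
                     r"local=(?P<local>[\d.]+) remote=(?P<remote>[\d.]+) spi=(?P<spi>[0-9A-Fa-f]+) seqno=(?P<seqno>[0-9A-Fa-f]+)")


def parse_mac_error(line: str) -> Optional[Dict[str, object]]:
    """Split a RECVD_PKT_MAC_ERR syslog line into the fields that identify the failing SA."""
    m = MAC_ERR.search(line)
    if not m:
        return None
    return {"conn": int(m["conn"]), "local": m["local"], "remote": m["remote"],
            "spi": m["spi"].upper(), "seqno": int(m["seqno"], 16)}


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """Turn an IOS address/wildcard pair (192.168.1.0 0.0.0.255) into an IPv4Network."""
    mask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return IPv4Network(f"{addr}/{mask}", strict=False)


def parse_crypto_config(text: str) -> dict:
    """Extract the settings that must agree between the two ends of a crypto-map tunnel."""
    cfg: dict = {"peer": None, "transform": None, "acl": None, "local_ip": None,
                 "key": None, "key_net": None, "transform_sets": {}, "acl_entries": []}
    iface_ip = None   # address of the interface currently being parsed
    map_name = None   # name of the crypto map defined in this config
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp key (\S+) address (\S+) (\S+)$", line):
            cfg["key"], cfg["key_net"] = m[1], IPv4Network(f"{m[2]}/{m[3]}", strict=False)
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["transform_sets"][m[1]] = set(m[2].split())
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line):
            map_name = m[1]
        elif m := re.match(r"set peer (\S+)$", line):
            cfg["peer"] = IPv4Address(m[1])
        elif m := re.match(r"set transform-set (\S+)$", line):
            cfg["transform"] = m[1]
        elif m := re.match(r"match address (\d+)$", line):
            cfg["acl"] = m[1]
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            iface_ip = IPv4Address(m[1])
        elif (m := re.match(r"crypto map (\S+)$", line)) and m[1] == map_name:
            cfg["local_ip"] = iface_ip   # the interface the map is applied to terminates the tunnel
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            cfg["acl_entries"].append((m[1], wildcard_to_network(m[2], m[3]), wildcard_to_network(m[4], m[5])))
    return cfg


def check_mirror(a: dict, b: dict) -> List[str]:
    """Compare two parsed ends; an empty list means the tunnel settings are mirror images."""
    findings = []
    if a["peer"] != b["local_ip"] or b["peer"] != a["local_ip"]:
        findings.append("set peer does not match the interface carrying the other side's crypto map")
    ta, tb = a["transform_sets"].get(a["transform"]), b["transform_sets"].get(b["transform"])
    if ta != tb:
        findings.append(f"transform sets differ: {sorted(ta or [])} vs {sorted(tb or [])}")
    if a["key"] != b["key"]:
        findings.append("pre-shared keys differ")
    if None in (a["key_net"], b["key_net"]) or b["local_ip"] not in a["key_net"] or a["local_ip"] not in b["key_net"]:
        findings.append("crypto isakmp key address/mask does not cover the peer address")
    forward = {(s, d) for n, s, d in a["acl_entries"] if n == a["acl"]}
    reverse = {(d, s) for n, s, d in b["acl_entries"] if n == b["acl"]}
    if forward != reverse:
        findings.append("crypto ACLs are not mirror images of each other")
    return findings
```

Calling `check_mirror(parse_crypto_config(R1_CONFIG), parse_crypto_config(R3_CONFIG))` on the posted configs returns an empty list, so the two sides agree and the MAC failures are not explained by a configuration mismatch; changing the hash in one transform set (for example `esp-sha-hmac` to `esp-md5-hmac` on one side) makes the check return a single "transform sets differ" finding. `parse_mac_error` returns `None` for lines that are not this message, so it can be dropped straight into a log filter.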

1 Reply

Jennifer Halim
Cisco Employee

Looks like it matches bug ID CSCsv43145:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsv43145

It's cosmetic only; however, if you don't want to see those error messages, you can upgrade the router to the fixed version listed on the right-hand side.