VPN Tunnel between 1751v and pix501...strange problem?

jasonhumes
Level 1

Hi

So I've set up many VPN tunnels between IOS routers and PIX firewalls and never had this issue before. I've got basic configs on the PIX, which I've triple-checked to make sure the details match the router, and they do... yet I keep getting the same error message from the router and the tunnel does not come up....

QMP1751#
QMP1751#ping
Protocol [ip]:
Target IP address: 192.168.63.101
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.60.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.63.101, timeout is 2 seconds:
Packet sent with a source address of 192.168.60.1
*Mar 1 03:49:14.283 UTC: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 216.8.167.63, remote= xxx.202.68.241,
local_proxy= 192.168.60.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.63.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x6549A67(106207847), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 03:49:14.283 UTC: ISAKMP: received ke message (1/1)
*Mar 1 03:49:14.287 UTC: ISAKMP (0:0): SA request profile is (NULL)
*Mar 1 03:49:14.287 UTC: ISAKMP: local port 500, remote port 500
*Mar 1 03:49:14.287 UTC: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 03:49:14.287 UTC: ISAKMP: insert sa successfully sa = 8209CFD8
*Mar 1 03:49:14.287 UTC: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
*Mar 1 03:49:14.287 UTC: ISAKMP: Looking for a matching key for xxx.202.68.241 in default : success
*Mar 1 03:49:14.287 UTC: ISAKMP (0:1): found peer pre-shared key matching xxx.202.68.241
*Mar 1 03:49:14.291 UTC: ISAKMP (0:1): constructed NAT-T vendor-07 ID
*Mar 1 03:49:14.291 UTC: ISAKMP (0:1): constructed NAT-T vendor-03 ID
*Mar 1 03:49:14.291 UTC: ISAKMP (0:1): constructed NAT-T vendor-02 ID
*Mar 1 03:49:14.291 UTC: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 03:49:14.291 UTC: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 03:49:14.291 UTC: ISAKMP (0:1): beginning Main Mode exchange
*Mar 1 03:49:14.291 UTC: ISAKMP (0:1): sending packet to xxx.202.68.241 my_port 500 peer_port 500 (I) MM_NO_STATE.....
Success rate is 0 percent (0/5)
QMP1751#

I never see it trying to exchange attributes or anything... I've also talked with the upstream ISP and they claim that they are NOT blocking anything... hrmmm... any ideas? I've got some complex NAT on the router, but that should not impact the IPsec tunnel stuff. Anyone... thanks.

jason
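To see at a glance where a negotiation like the one above stalls, here is an added triage script (my own example, not code from the thread, from Cisco, or from any reply) that parses IOS "debug crypto isakmp" / "debug crypto ipsec" output. It records ISAKMP state transitions, counts packets sent to and received from the peer, and pulls out the phase 2 proxy identities and NAT-T vendor IDs. The first sample is the debug output from the question with its wrapped lines joined; the second sample, in which the peer answers the first Main Mode packet, is constructed and hypothetical so the script can show the contrast.

```python
"""Triage helper for Cisco IOS 'debug crypto isakmp' / 'debug crypto ipsec'
output. Added example, not code from the thread: reads the debug lines, tracks
ISAKMP state transitions and packet direction, and says in which phase the
negotiation stopped.
"""
import re

# Constructed sample: the debug lines quoted in the question, wrapped lines
# joined. Not a new capture.
SAMPLE_DEBUG = """\
*Mar 1 03:49:14.283 UTC: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 216.8.167.63, remote= xxx.202.68.241,
local_proxy= 192.168.60.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.63.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
*Mar 1 03:49:14.287 UTC: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
*Mar 1 03:49:14.287 UTC: ISAKMP (0:1): found peer pre-shared key matching xxx.202.68.241
*Mar 1 03:49:14.291 UTC: ISAKMP (0:1): constructed NAT-T vendor-07 ID
*Mar 1 03:49:14.291 UTC: ISAKMP (0:1): constructed NAT-T vendor-03 ID
*Mar 1 03:49:14.291 UTC: ISAKMP (0:1): constructed NAT-T vendor-02 ID
*Mar 1 03:49:14.291 UTC: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 03:49:14.291 UTC: ISAKMP (0:1): beginning Main Mode exchange
*Mar 1 03:49:14.291 UTC: ISAKMP (0:1): sending packet to xxx.202.68.241 my_port 500 peer_port 500 (I) MM_NO_STATE
"""

# Constructed contrast case (hypothetical, not from the thread): the peer
# answers MM1 and the initiator moves on to IKE_I_MM2.
SAMPLE_WITH_REPLY = SAMPLE_DEBUG + """\
*Mar 1 03:49:14.395 UTC: ISAKMP (0:1): received packet from xxx.202.68.241 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 1 03:49:14.399 UTC: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
SEND_RE = re.compile(r"sending packet to (\S+) .*\((I|R)\) (\S+)")
RECV_RE = re.compile(r"received packet from (\S+) .*\((I|R)\) (\S+)")
PROXY_RE = re.compile(r"(local|remote)_proxy= (\S+?)/(\S+?)/")
PSK_RE = re.compile(r"found peer pre-shared key matching (\S+)")
VID_RE = re.compile(r"constructed NAT-T vendor-(\d+) ID")


def triage(debug_text):
    """Summarise one debug capture as a dict; 'verdict' is the one-line reading."""
    transitions = []      # (old_state, new_state) pairs in order of appearance
    sent = received = 0   # ISAKMP packets to / from the peer
    peer = None           # peer address taken from the first packet sent
    proxies = {}          # phase 2 selectors: local / remote network and mask
    psk_found = False     # a pre-shared key matching the peer was located
    nat_t_vids = []       # NAT-T vendor IDs the router attached to its first packet
    mode = None           # Main or Aggressive

    for line in debug_text.splitlines():
        if m := STATE_RE.search(line):
            transitions.append((m.group(1), m.group(2)))
        elif m := SEND_RE.search(line):
            sent += 1
            peer = peer or m.group(1)
        elif RECV_RE.search(line):
            received += 1
        elif m := PROXY_RE.search(line):
            proxies[m.group(1)] = m.group(2) + "/" + m.group(3)
        elif PSK_RE.search(line):
            psk_found = True
        elif m := VID_RE.search(line):
            nat_t_vids.append(m.group(1))
        elif "trying Main mode" in line or "beginning Main Mode" in line:
            mode = "Main"
        elif "beginning Aggressive Mode" in line:
            mode = "Aggressive"

    last_state = transitions[-1][1] if transitions else None
    if sent and not received:
        # Outbound only: the initiator's first packet left, nothing came back.
        verdict = ("no reply from peer: the router sent its first "
                   f"{mode or 'IKE'} Mode packet but nothing came back on UDP/500; "
                   "check that UDP/500 reaches the peer, that the peer's ISAKMP "
                   "configuration accepts this initiator, and any NAT in the path")
    elif received:
        verdict = f"peer responded; negotiation last reached {last_state}"
    else:
        verdict = "no ISAKMP packets seen in this capture"

    return {
        "peer": peer,
        "mode": mode,
        "transitions": transitions,
        "last_state": last_state,
        "packets_sent": sent,
        "packets_received": received,
        "local_proxy": proxies.get("local"),
        "remote_proxy": proxies.get("remote"),
        "psk_found": psk_found,
        "nat_t_vendor_ids": nat_t_vids,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, text in (("question", SAMPLE_DEBUG), ("hypothetical reply", SAMPLE_WITH_REPLY)):
        r = triage(text)
        print(f"[{label}] peer={r['peer']} last_state={r['last_state']} "
              f"sent={r['packets_sent']} received={r['packets_received']}")
        print("  " + r["verdict"])
```

On the question's capture the script reports one packet sent, none received and a last state of IKE_I_MM1, which is the same reading as the MM_NO_STATE line at the end of the post: the problem is upstream of any policy or key mismatch, because a mismatch would only show once the peer's first reply arrives and attributes are compared.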

3 Replies

thisisshanky
Level 11

Can I take a look at your configs?

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Here are the configs for the PIX and router.

What do you think? Thanks again

Jason

Hi,

Try this command:

no crypto ipsec nat-transparency udp-encaps

If you are running 12.3T, read the following:

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bca.html

PL