Hello,

I'm trying to make fully meshed VPN connections between 3 routers (Ra, Rb, Rc),
model 827-4V.

The IOS used is: c820-k8osv6y6-mz.122-2.T4.bin -> IP/FW/VOICE PLUS IPSEC 56

When I configure the VPN (Ra-Rb), the VPN is established OK. But when I
configure the VPNs (Ra-Rb and Ra-Rc), the system reports an error with the peer Rc,
and the VPN is not established between (Ra-Rc); however, the VPN (Ra-Rb) is
OK.

I have tried the combinations (Rb-Ra, Rb-Rc) and (Rc-Ra, Rc-Rb) and
(Rb-Rc, Rb-Ra) and (Rc-Rb, Rc-Ra), and I received the same error.




The system error is:

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with
peer at xxx.xxx.xxx.xxx

At Cisco I have seen only this information:


Error Message

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of [chars] mode failed with peer at
[IP_address]
Explanation   Negotiation with the remote peer has failed.

Recommended Action   If this situation persists, contact the remote peer.



I have looked at many documents at Cisco, but I don't know how to solve this
problem. I searched for a document at Cisco for this type of VPN:
http://www.cisco.com/warp/public/707/ios_meshed.html


Flash Configuration:
Ra:   IP VPN: 100.100.100.170  IP LAN: 10.0.1.1
Rb:   IP VPN: 100.100.100.169  IP LAN: 192.168.0.2
Rc:   IP VPN: 100.100.100.249  IP LAN: 10.0.0.1


Debug information from router (Ra) when I try to connect (Rc-Ra) (debug crypto
isakmp)

02:35:37: ISAKMP (0:0): received packet from 100.100.100.249 (N) NEW SA
02:35:37: ISAKMP: local port 500, remote port 500
02:35:37: ISAKMP (0:2): processing SA payload. message ID = 0
02:35:37: ISAKMP (0:2): found peer pre-shared key matching 100.100.100.249
02:35:37: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 1
policy
02:35:37: ISAKMP:      encryption DES-CBC
02:35:37: ISAKMP:      hash MD5
02:35:37: ISAKMP:      default group 1
02:35:37: ISAKMP:      auth pre-share
02:35:37: ISAKMP (0:2): atts are acceptable. Next payload is 0
02:35:37: ISAKMP (0:2): SA is doing pre-shared key authentication using id
type ID_IPV4_ADDR
02:35:37: ISAKMP (0:2): sending packet to 100.100.100.249 (R) MM_SA_SETUP
02:35:38: ISAKMP (0:2): received packet from 100.100.100.249 (R) MM_SA_SETUP
02:35:38: ISAKMP (0:2): processing KE payload. message ID = 0
02:35:38: ISAKMP (0:2): processing NONCE payload. message ID = 0
02:35:38: ISAKMP (0:2): found peer pre-shared key matching 100.100.100.249
02:35:38: ISAKMP (0:2): SKEYID state generated
02:35:38: ISAKMP (0:2): processing vendor id payload
02:35:38: ISAKMP (0:2): speaking to another IOS box!
02:35:38: ISAKMP (0:2): sending packet to 100.100.100.249 (R) MM_KEY_EXCH
02:35:38: ISAKMP (0:2): received packet from 100.100.100.249 (R) MM_KEY_EXCH
02:35:38: ISAKMP (0:2): processing ID payload. message ID = 0
02:35:38: ISAKMP (0:2): processing HASH payload. message ID = 0
02:35:38: ISAKMP (0:2): SA has been authenticated with 100.100.100.249
02:35:38: ISAKMP (2): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
02:35:38: ISAKMP (2): Total payload length: 12
02:35:38: ISAKMP (0:2): sending packet to 100.100.100.249 (R) QM_IDLE
02:35:39: ISAKMP (0:2): received packet from 100.100.100.249 (R) QM_IDLE
02:35:39: ISAKMP (0:2): processing HASH payload. message ID = 1758794445
02:35:39: ISAKMP (0:2): processing SA payload. message ID = 1758794445
02:35:39: ISAKMP (0:2): Checking IPSec proposal 1
02:35:39: ISAKMP: transform 1, ESP_DES
02:35:39: ISAKMP:   attributes in transform:
02:35:39: ISAKMP:      encaps is 1
02:35:39: ISAKMP:      SA life type in seconds
02:35:39: ISAKMP:      SA life duration (basic) of 3600
02:35:39: ISAKMP:      SA life type in kilobytes
02:35:39: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
02:35:39: ISAKMP:      authenticator is HMAC-MD5
02:35:39: ISAKMP (0:2): atts are acceptable.
02:35:39: ISAKMP (0:2): IPSec policy invalidated proposal
02:35:39: ISAKMP (0:2): phase 2 SA not acceptable!
02:35:39: ISAKMP (0:2): sending packet to 100.100.100.249 (R) QM_IDLE
02:35:39: ISAKMP (0:2): purging node -1391497798
02:35:39: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with
peer at 100.100.100.249
02:35:39: ISAKMP (0:2): deleting node 1758794445 error FALSE reason
"IKMP_NO_ERR_NO_TRANS"



DEBUG INFORMATION IN (Rc)


02:28:20: ISAKMP: received ke message (1/1)
02:28:20: ISAKMP: local port 500, remote port 500
02:28:20: ISAKMP (0:1): beginning Main Mode exchange
02:28:20: ISAKMP (0:1): sending packet to 100.100.100.170 (I) MM_NO_STATE
02:28:20: ISAKMP (0:1): received packet from 100.100.100.170 (I) MM_NO_STATE
02:28:20: ISAKMP (0:1): processing SA payload. message ID = 0
02:28:20: ISAKMP (0:1): found peer pre-shared key matching 212.64.161.170
02:28:20: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1
policy
02:28:20: ISAKMP:      encryption DES-CBC
02:28:20: ISAKMP:      hash MD5
02:28:20: ISAKMP:      default group 1
02:28:20: ISAKMP:      auth pre-share.
02:28:20: ISAKMP (0:1): atts are acceptable. Next payload is 0
02:28:20: ISAKMP (0:1): SA is doing pre-shared key authentication using id
type ID_IPV4_ADDR
02:28:20: ISAKMP (0:1): sending packet to 100.100.100.170 (I) MM_SA_SETUP
02:28:21: ISAKMP (0:1): received packet from 100.100.100.170 (I) MM_SA_SETUP
02:28:21: ISAKMP (0:1): processing KE payload. message ID = 0
02:28:21: ISAKMP (0:1): processing NONCE payload. message ID = 0
02:28:21: ISAKMP (0:1): found peer pre-shared key matching 100.100.100.170
02:28:21: ISAKMP (0:1): SKEYID state generated
02:28:21: ISAKMP (0:1): processing vendor id payload
02:28:21: ISAKMP (0:1): speaking to another IOS box!
02:28:21: ISAKMP (1): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
02:28:21: ISAKMP (1): Total payload length: 12
02:28:21: ISAKMP (0:1): sending packet to 100.100.100.170 (I) MM_KEY_EXCH
02:28:21: ISAKMP (0:1): received packet from 100.100.100.170 (I) MM_KEY_EXCH
02:28:21: ISAKMP (0:1): processing ID payload. message ID = 0
02:28:21: ISAKMP (0:1): processing HASH payload. message ID = 0
02:28:21: ISAKMP (0:1): SA has been authenticated with 100.100.100.170
02:28:21: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -1116135486
02:28:21: ISAKMP (0:1): sending packet to 100.100.100.170 (I) QM_IDLE
02:28:21: ISAKMP (0:1): received packet from 100.100.100.170 (I) QM_IDLE
02:28:21: ISAKMP (0:1): processing HASH payload. message ID = -792121744
02:28:21: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2370182913, message ID = -792121744, sa = 814AD8D0
02:28:21: ISAKMP (0:1): deleting spi 2370182913 message ID = -1116135486
02:28:21: ISAKMP (0:1): deleting node -1116135486 error TRUE reason
"delete_larval"
02:28:21: ISAKMP (0:1): deleting node -792121744 error FALSE reason
"informational (in) state 1"....



The IOS configurations are:

--- Router (Ra) ---

version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Ra
!
logging rate-limit console 10 except errors
aaa new-model
aaa authentication login default local
enable secret 5 xxxxxxxxxxx
!
username root password 7 00000000000
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
call rsvp-sync
!
!
!
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key R.47 address 100.100.100.169
crypto isakmp key R.47 address 100.100.100.249
!
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 100.100.100.169
 set transform-set rtpset
 match address 102
crypto map vpn 20 ipsec-isakmp
 set peer 100.100.100.249
 set transform-set rtpset
 match address 101
!
!
!
!
interface Ethernet0
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 hold-queue 32 in
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/16 ilmi
 !
 pvc 1/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 bundle-enable
 dsl operating-mode auto
!
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp pap sent-username usuario password 7 00000000
 crypto map vpn
!
ip classless
ip nat inside source list 110 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny   ip 10.0.1.0 0.0.0.255 any
access-list 102 permit ip 10.0.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 deny   ip 10.0.1.0 0.0.0.255 any
access-list 110 deny   ip 10.0.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 deny   ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 permit ip 10.0.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
voice-port 1
 cptone DE
!
voice-port 2
 cptone DE
!
voice-port 3
 cptone DE
!
voice-port 4
 cptone DE
!
!
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 password 7 000000000
!
scheduler max-task-time 5000
end




---- Router Rb ----

!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key R.47 address 100.100.100.169
crypto isakmp key R.47 address 100.100.100.170
!
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 100.100.100.169
 set transform-set rtpset
 match address 102
crypto map vpn 20 ipsec-isakmp
 set peer 100.100.100.170
 set transform-set rtpset
 match address 101
!
!
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 hold-queue 32 in
!
!
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
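
Added example, not part of the original post: a small Python reader for `debug crypto isakmp` output, run over lines copied from the two captures above, that separates the phase 1 result from the phase 2 result and reports which side refused the proposal. The function names and result keys are assumptions of this example.

```python
import re

# Lines copied from the two debug captures in the post (Ra responds, Rc initiates).
RA_LOG = """\
02:35:38: ISAKMP (0:2): SA has been authenticated with 100.100.100.249
02:35:39: ISAKMP (0:2): Checking IPSec proposal 1
02:35:39: ISAKMP: transform 1, ESP_DES
02:35:39: ISAKMP (0:2): atts are acceptable.
02:35:39: ISAKMP (0:2): IPSec policy invalidated proposal
02:35:39: ISAKMP (0:2): phase 2 SA not acceptable!
02:35:39: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with
peer at 100.100.100.249
"""
RC_LOG = """\
02:28:21: ISAKMP (0:1): SA has been authenticated with 100.100.100.170
02:28:21: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -1116135486
02:28:21: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2370182913, message ID = -792121744, sa = 814AD8D0
"""

def unwrap(text):
    """Rejoin mail-wrapped lines: a line without a leading timestamp continues the previous entry."""
    entries = []
    for line in text.splitlines():
        if re.match(r"\d\d:\d\d:\d\d: ", line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def diagnose(text):
    """Report how far the negotiation got and which side refused the phase 2 proposal."""
    r = {"peer": None, "phase1_ok": False, "phase2_atts_ok": False,
         "refused_by": None, "failed_mode": None}
    in_phase2 = False
    for entry in unwrap(text):
        if m := re.search(r"SA has been authenticated with (\S+)", entry):
            r["phase1_ok"], r["peer"] = True, m.group(1)
        elif "Checking IPSec proposal" in entry:
            in_phase2 = True
        elif in_phase2 and "atts are acceptable" in entry:
            r["phase2_atts_ok"] = True   # transform attributes passed
        elif "IPSec policy invalidated proposal" in entry:
            r["refused_by"] = "local"    # this router's IPSec policy rejected it
        elif "NOTIFY PROPOSAL_NOT_CHOSEN" in entry:
            r["refused_by"] = "remote"   # the peer rejected what this router proposed
        elif m := re.search(r"Processing of (.+?) mode failed with peer at (\S+)", entry):
            r["failed_mode"], r["peer"] = m.group(1), m.group(2)
    return r

if __name__ == "__main__":
    for name, log in (("Ra", RA_LOG), ("Rc", RC_LOG)):
        print(name, diagnose(log))
```

In both captures phase 1 authenticates, so the pre-shared key and ISAKMP policy match; the refusal happens in phase 2 on Ra, which is where the crypto map entry for that peer (`set peer`, `match address`, `set transform-set`) is compared against the proposal.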