Looks like the devices aren't configured with the same properties.

"Alfredo Pulido" wrote in message news:[EMAIL PROTECTED]...
> Hello,
>
> I'm trying to make fully meshed VPN connections between 3 (Ra, Rb, Rc)
> 827-4V routers.
>
> The IOS used is: c820-k8osv6y6-mz.122-2.T4.bin -> IP/FW/VOICE PLUS IPSEC 56
>
> When I configure the VPN (Ra-Rb), the VPN is established OK. But when I
> configure the VPNs (Ra-Rb and Ra-Rc), the system reports an error with the
> peer Rc, and the VPN is not established between (Ra-Rc); however, the VPN
> (Ra-Rb) is OK.
>
> I have tried the combinations (Rb-Ra, Rb-Rc) and (Rc-Ra, Rc-Rb) and
> (Rb-Rc, Rb-Ra) and (Rc-Rb, Rc-Ra), and I received the same error.
>
>
>
>
> The system error is:
>
> %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at xxx.xxx.xxx.xxx
>
> At Cisco I have seen only this information:
>
>
> Error Message
>
> %CRYPTO-6-IKMP_MODE_FAILURE: Processing of [chars] mode failed with peer at [IP_address]
> Explanation   Negotiation with the remote peer has failed.
>
> Recommended Action   If this situation persists, contact the remote peer.
>
>
>
> I have looked at many documents at Cisco, but I don't know how to solve this
> problem. I searched for a document at Cisco for this type of VPN:
> http://www.cisco.com/warp/public/707/ios_meshed.html
>
>
> Flash Configuration:
> Ra:   IP VPN: 100.100.100.170  IP LAN: 10.0.1.1
> Rb:   IP VPN: 100.100.100.169  IP LAN: 192.168.0.2
> Rc:   IP VPN: 100.100.100.249  IP LAN: 10.0.0.1
>
>
> Debug information on router (Ra) when I try to connect (Rc-Ra) (debug crypto
> isakmp)
>
> 02:35:37: ISAKMP (0:0): received packet from 100.100.100.249 (N) NEW SA
> 02:35:37: ISAKMP: local port 500, remote port 500
> 02:35:37: ISAKMP (0:2): processing SA payload. message ID = 0
> 02:35:37: ISAKMP (0:2): found peer pre-shared key matching 100.100.100.249
> 02:35:37: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 1 policy
> 02:35:37: ISAKMP:      encryption DES-CBC
> 02:35:37: ISAKMP:      hash MD5
> 02:35:37: ISAKMP:      default group 1
> 02:35:37: ISAKMP:      auth pre-share
> 02:35:37: ISAKMP (0:2): atts are acceptable. Next payload is 0
> 02:35:37: ISAKMP (0:2): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
> 02:35:37: ISAKMP (0:2): sending packet to 100.100.100.249 (R) MM_SA_SETUP
> 02:35:38: ISAKMP (0:2): received packet from 100.100.100.249 (R) MM_SA_SETUP
> 02:35:38: ISAKMP (0:2): processing KE payload. message ID = 0
> 02:35:38: ISAKMP (0:2): processing NONCE payload. message ID = 0
> 02:35:38: ISAKMP (0:2): found peer pre-shared key matching 100.100.100.249
> 02:35:38: ISAKMP (0:2): SKEYID state generated
> 02:35:38: ISAKMP (0:2): processing vendor id payload
> 02:35:38: ISAKMP (0:2): speaking to another IOS box!
> 02:35:38: ISAKMP (0:2): sending packet to 100.100.100.249 (R) MM_KEY_EXCH
> 02:35:38: ISAKMP (0:2): received packet from 100.100.100.249 (R) MM_KEY_EXCH
> 02:35:38: ISAKMP (0:2): processing ID payload. message ID = 0
> 02:35:38: ISAKMP (0:2): processing HASH payload. message ID = 0
> 02:35:38: ISAKMP (0:2): SA has been authenticated with 100.100.100.249
> 02:35:38: ISAKMP (2): ID payload
>         next-payload : 8
>         type         : 1
>         protocol     : 17
>         port         : 500
>         length       : 8
> 02:35:38: ISAKMP (2): Total payload length: 12
> 02:35:38: ISAKMP (0:2): sending packet to 100.100.100.249 (R) QM_IDLE
> 02:35:39: ISAKMP (0:2): received packet from 100.100.100.249 (R) QM_IDLE
> 02:35:39: ISAKMP (0:2): processing HASH payload. message ID = 1758794445
> 02:35:39: ISAKMP (0:2): processing SA payload. message ID = 1758794445
> 02:35:39: ISAKMP (0:2): Checking IPSec proposal 1
> 02:35:39: ISAKMP: transform 1, ESP_DES
> 02:35:39: ISAKMP:   attributes in transform:
> 02:35:39: ISAKMP:      encaps is 1
> 02:35:39: ISAKMP:      SA life type in seconds
> 02:35:39: ISAKMP:      SA life duration (basic) of 3600
> 02:35:39: ISAKMP:      SA life type in kilobytes
> 02:35:39: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
> 02:35:39: ISAKMP:      authenticator is HMAC-MD5
> 02:35:39: ISAKMP (0:2): atts are acceptable.
> 02:35:39: ISAKMP (0:2): IPSec policy invalidated proposal
> 02:35:39: ISAKMP (0:2): phase 2 SA not acceptable!
> 02:35:39: ISAKMP (0:2): sending packet to 100.100.100.249 (R) QM_IDLE
> 02:35:39: ISAKMP (0:2): purging node -1391497798
> 02:35:39: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 100.100.100.249
> 02:35:39: ISAKMP (0:2): deleting node 1758794445 error FALSE reason "IKMP_NO_ERR_NO_TRANS"
>
>
>
> DEBUG INFORMATION IN (Rc)
>
>
> 02:28:20: ISAKMP: received ke message (1/1)
> 02:28:20: ISAKMP: local port 500, remote port 500
> 02:28:20: ISAKMP (0:1): beginning Main Mode exchange
> 02:28:20: ISAKMP (0:1): sending packet to 100.100.100.170 (I) MM_NO_STATE
> 02:28:20: ISAKMP (0:1): received packet from 100.100.100.170 (I) MM_NO_STATE
> 02:28:20: ISAKMP (0:1): processing SA payload. message ID = 0
> 02:28:20: ISAKMP (0:1): found peer pre-shared key matching 212.64.161.170
> 02:28:20: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
> 02:28:20: ISAKMP:      encryption DES-CBC
> 02:28:20: ISAKMP:      hash MD5
> 02:28:20: ISAKMP:      default group 1
> 02:28:20: ISAKMP:      auth pre-share.
> 02:28:20: ISAKMP (0:1): atts are acceptable. Next payload is 0
> 02:28:20: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
> 02:28:20: ISAKMP (0:1): sending packet to 100.100.100.170 (I) MM_SA_SETUP
> 02:28:21: ISAKMP (0:1): received packet from 100.100.100.170 (I) MM_SA_SETUP
> 02:28:21: ISAKMP (0:1): processing KE payload. message ID = 0
> 02:28:21: ISAKMP (0:1): processing NONCE payload. message ID = 0
> 02:28:21: ISAKMP (0:1): found peer pre-shared key matching 100.100.100.170
> 02:28:21: ISAKMP (0:1): SKEYID state generated
> 02:28:21: ISAKMP (0:1): processing vendor id payload
> 02:28:21: ISAKMP (0:1): speaking to another IOS box!
> 02:28:21: ISAKMP (1): ID payload
>         next-payload : 8
>         type         : 1
>         protocol     : 17
>         port         : 500
>         length       : 8
> 02:28:21: ISAKMP (1): Total payload length: 12
> 02:28:21: ISAKMP (0:1): sending packet to 100.100.100.170 (I) MM_KEY_EXCH
> 02:28:21: ISAKMP (0:1): received packet from 100.100.100.170 (I) MM_KEY_EXCH
> 02:28:21: ISAKMP (0:1): processing ID payload. message ID = 0
> 02:28:21: ISAKMP (0:1): processing HASH payload. message ID = 0
> 02:28:21: ISAKMP (0:1): SA has been authenticated with 100.100.100.170
> 02:28:21: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -1116135486
> 02:28:21: ISAKMP (0:1): sending packet to 100.100.100.170 (I) QM_IDLE
> 02:28:21: ISAKMP (0:1): received packet from 100.100.100.170 (I) QM_IDLE
> 02:28:21: ISAKMP (0:1): processing HASH payload. message ID = -792121744
> 02:28:21: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
>         spi 2370182913, message ID = -792121744, sa = 814AD8D0
> 02:28:21: ISAKMP (0:1): deleting spi 2370182913 message ID = -1116135486
> 02:28:21: ISAKMP (0:1): deleting node -1116135486 error TRUE reason "delete_larval"
> 02:28:21: ISAKMP (0:1): deleting node -792121744 error FALSE reason "informational (in) state 1"....
>
>
>
> The IOS configurations are:
>
> --- Router (Ra) ---
>
> version 12.2
> no parser cache
> no service single-slot-reload-enable
> no service pad
> service timestamps debug uptime
> service timestamps log uptime
> service password-encryption
> !
> hostname Ra
> !
> logging rate-limit console 10 except errors
> aaa new-model
> aaa authentication login default local
> enable secret 5 xxxxxxxxxxx
> !
> username root password 7 00000000000
> ip subnet-zero
> !
> ip ssh time-out 120
> ip ssh authentication-retries 3
> no ip dhcp-client network-discovery
> call rsvp-sync
> !
> !
> !
> !
> !
> !
> crypto isakmp policy 1
>  hash md5
>  authentication pre-share
> crypto isakmp key R.47 address 100.100.100.169
> crypto isakmp key R.47 address 100.100.100.249
> !
> !
> crypto ipsec transform-set rtpset esp-des esp-md5-hmac
> !
> crypto map vpn 10 ipsec-isakmp
>  set peer 100.100.100.169
>  set transform-set rtpset
>  match address 102
> crypto map vpn 20 ipsec-isakmp
>  set peer 100.100.100.249
>  set transform-set rtpset
>  match address 101
> !
> !
> !
> !
> interface Ethernet0
>  ip address 10.0.1.1 255.255.255.0
>  ip nat inside
>  no ip route-cache
>  no ip mroute-cache
>  hold-queue 32 in
> !
> interface ATM0
>  no ip address
>  no atm ilmi-keepalive
>  pvc 0/16 ilmi
>  !
>  pvc 1/32
>   encapsulation aal5mux ppp dialer
>   dialer pool-member 1
>  !
>  bundle-enable
>  dsl operating-mode auto
> !
> interface Dialer0
>  ip address negotiated
>  ip nat outside
>  encapsulation ppp
>  no ip route-cache
>  no ip mroute-cache
>  dialer pool 1
>  dialer-group 1
>  ppp pap sent-username usuario password 7 00000000
>  crypto map vpn
> !
> ip classless
> ip nat inside source list 110 interface Dialer0 overload
> ip route 0.0.0.0 0.0.0.0 Dialer0
> no ip http server
> !
> access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
> access-list 101 deny   ip 10.0.1.0 0.0.0.255 any
> access-list 102 permit ip 10.0.1.0 0.0.0.255 192.168.0.0 0.0.0.255
> access-list 102 deny   ip 10.0.1.0 0.0.0.255 any
> access-list 110 deny   ip 10.0.1.0 0.0.0.255 192.168.0.0 0.0.0.255
> access-list 110 deny   ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
> access-list 110 permit ip 10.0.1.0 0.0.0.255 any
> dialer-list 1 protocol ip permit
> !
> !
> voice-port 1
>  cptone DE
> !
> voice-port 2
>  cptone DE
> !
> voice-port 3
>  cptone DE
> !
> voice-port 4
>  cptone DE
> !
> !
> !
> line con 0
>  exec-timeout 120 0
>  stopbits 1
> line vty 0 4
>  exec-timeout 0 0
>  password 7 000000000
> !
> scheduler max-task-time 5000
> end
>
>
>
>
> ---- Router Rb ----
>
> !
> !
> crypto isakmp policy 1
>  hash md5
>  authentication pre-share
> crypto isakmp key R.47 address 100.100.100.169
> crypto isakmp key R.47 address 100.100.100.170
> !
> !
> crypto ipsec transform-set rtpset esp-des esp-md5-hmac
> !
> crypto map vpn 10 ipsec-isakmp
>  set peer 100.100.100.169
>  set transform-set rtpset
>  match address 102
> crypto map vpn 20 ipsec-isakmp
>  set peer 100.100.100.170
>  set transform-set rtpset
>  match address 101
> !
> !
> interface Ethernet0
>  ip address 10.0.0.1 255.255.255.0
>  ip nat inside
>  no ip route-cache
>  no ip mroute-cache
>  hold-queue 32 in
> !
> !
> FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44432&t=44374
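
In the quoted debug output, Phase 1 completes and Quick Mode is then rejected, the stage at which both peers must offer the same transform set and hold crypto ACLs that mirror each other. The following Python check is an added example, not part of the original thread: it compares those two properties for one peer pair. `parse_crypto`, `check_pair` and the Rc config are constructed for illustration (the second listing in the post is cut off before its ACLs); the Ra lines are as posted.

```python
def parse_crypto(cfg):  # -> (transform sets, crypto map entries, permit ACEs)
    tsets, entries, acls = {}, [], {}
    for line in cfg.splitlines():
        w = line.split()
        if line.startswith("crypto ipsec transform-set"):
            tsets[w[3]] = frozenset(w[4:])
        elif line.startswith("crypto map"):
            entries.append({})
        elif entries and len(w) == 3 and w[0] in ("set", "match"):
            entries[-1][w[1]] = w[2]  # keys: peer, transform-set, address
        elif w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"] and len(w) == 8:
            acls.setdefault(w[1], set()).add(tuple(w[4:8]))
    return tsets, entries, acls

def check_pair(cfg_a, ip_a, cfg_b, ip_b):  # -> list of Quick Mode mismatches
    (ts_a, en_a, acl_a), (ts_b, en_b, acl_b) = parse_crypto(cfg_a), parse_crypto(cfg_b)
    ea = next((e for e in en_a if e.get("peer") == ip_b), None)
    eb = next((e for e in en_b if e.get("peer") == ip_a), None)
    if ea is None or eb is None:
        return ["a crypto map entry for the other peer is missing"]
    ts_ok = ts_a.get(ea.get("transform-set")) == ts_b.get(eb.get("transform-set"))
    # A's "permit ip SRC DST" must appear on B as "permit ip DST SRC".
    mirrored = {(d, dw, s, sw) for s, sw, d, dw in acl_a.get(ea.get("address"), ())}
    acl_ok = mirrored == acl_b.get(eb.get("address"), set())
    return [msg for ok, msg in ((ts_ok, "transform sets differ"),
                                (acl_ok, "crypto ACLs are not mirror images")) if not ok]

RA = """\
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
 set peer 100.100.100.169
 set transform-set rtpset
 match address 102
crypto map vpn 20 ipsec-isakmp
 set peer 100.100.100.249
 set transform-set rtpset
 match address 101
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 102 permit ip 10.0.1.0 0.0.0.255 192.168.0.0 0.0.0.255
"""  # Ra's crypto map and permit ACEs as posted
RC = """\
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
crypto map vpn 20 ipsec-isakmp
 set peer 100.100.100.170
 set transform-set rtpset
 match address 101
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
"""  # constructed Rc config whose ACL mirrors Ra's access-list 101
RC_BAD = RC.replace("10.0.1.0", "192.168.0.0")  # constructed: ACE names Rb's LAN
```

Calling `check_pair(RA, "100.100.100.170", RC_BAD, "100.100.100.249")` reports the ACL mismatch, while the same call with `RC` returns an empty list.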