Hello people, I have solved the problem of connecting the fully meshed VPN.

 The solution: you have to add all peers to every "crypto map". Sample:


 BAD CONFIGURATION
  crypto map vpn 10 ipsec-isakmp
   set peer 100.100.100.249
   set transform-set rtpset
   match address 102
  crypto map vpn 20 ipsec-isakmp
   set peer 100.100.100.170
   set transform-set rtpset
   match address 101

 GOOD CONFIGURATION
  crypto map vpn 10 ipsec-isakmp
  set peer 100.100.100.249
  -> set peer 100.100.100.170
   set transform-set rtpset
   match address 102
  crypto map vpn 20 ipsec-isakmp
   set peer 100.100.100.170
 ->  set peer 100.100.100.249
   set transform-set rtpset
   match address 101

         Now the VPNs between A-B, A-C and B-C are OK.


    With this solution, the following error also seems to be solved: the peer
 in "peer address xxx.xxx.xxx.xxx not found" is now found.


 11:32:20: IPSEC(validate_proposal_request): proposal part #1,
   (key eng. msg.) dest= 100.100.100.249, src= 100.100.100.169,
     dest_proxy= 10.0.0.0/255.255.255.0/0/0 (type=4),
     src_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
     protocol= ESP, transform= esp-des esp-md5-hmac ,
     lifedur= 0s and 0kb,
     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
 11:32:20: IPSEC(validate_transform_proposal): peer address 100.100.100.169 not found
 11:32:20: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 100.100.100.169


     Thanks for your help.


 --
  Alfredo Pulido   [EMAIL PROTECTED]
  Dept. Sistemas, IdecNet S.A.
  Juan XXIII 44 // E-35004 Las Palmas de Gran Canaria,
  Las Palmas // SPAIN
  Tel: +34 828 111 000   Fax: +34 828 111 112
  http://www.idecnet.com/
 --

"Steven A. Ridder" wrote in message news:[EMAIL PROTECTED]...
> Looks like the devices aren't configured with same properties.
>
>
> "Alfredo Pulido" wrote in message news:[EMAIL PROTECTED]...
> > Hello,
> >
> > I'm trying to make fully meshed VPN connections between 3 (Ra, Rb, Rc)
> > 827-4V routers.
> >
> > The IOS used is: c820-k8osv6y6-mz.122-2.T4.bin -> IP/FW/VOICE PLUS IPSEC 56
> >
> > When I configure the VPN (Ra-Rb), the VPN is established OK. But when I
> > configure the VPNs (Ra-Rb and Ra-Rc), the system reports an error with the
> > peer Rc, and the VPN is not established between (Ra-Rc); however, the VPN
> > (Ra-Rb) is OK.
> >
> >     I have tried the combinations (Rb-Ra, Rb-Rc) and (Rc-Ra, Rc-Rb) and
> > (Rb-Rc, Rb-Ra) and (Rc-Rb, Rc-Ra), and I received the same ERROR.
> >
> >
> >
> >
> > The system error is:
> >
> > %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at xxx.xxx.xxx.xxx
> >
> >     At Cisco I have seen only this information:
> >
> >
> > Error Message
> >
> > %CRYPTO-6-IKMP_MODE_FAILURE: Processing of [chars] mode failed with peer at [IP_address]
> > Explanation   Negotiation with the remote peer has failed.
> >
> > Recommended Action   If this situation persists, contact the remote peer.
> >
> >
> >
> > I have looked at many documents at Cisco, but I don't know how to solve this
> > problem. I searched for a document at Cisco for this type of VPN:
> > http://www.cisco.com/warp/public/707/ios_meshed.html
> >
> >
> > Flash Configuration:
> > Ra:   IP VPN: 100.100.100.170  IP LAN: 10.0.1.1
> > Rb:   IP VPN: 100.100.100.169  IP LAN: 192.168.0.2
> > Rc:   IP VPN: 100.100.100.249  IP LAN: 10.0.0.1
> >
> >
> > Debug information from router (Ra) when I try to connect (Rc-Ra) (debug crypto isakmp)
> >
> > 02:35:37: ISAKMP (0:0): received packet from 100.100.100.249 (N) NEW SA
> > 02:35:37: ISAKMP: local port 500, remote port 500
> > 02:35:37: ISAKMP (0:2): processing SA payload. message ID = 0
> > 02:35:37: ISAKMP (0:2): found peer pre-shared key matching 100.100.100.249
> > 02:35:37: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 1 policy
> > 02:35:37: ISAKMP:      encryption DES-CBC
> > 02:35:37: ISAKMP:      hash MD5
> > 02:35:37: ISAKMP:      default group 1
> > 02:35:37: ISAKMP:      auth pre-share
> > 02:35:37: ISAKMP (0:2): atts are acceptable. Next payload is 0
> > 02:35:37: ISAKMP (0:2): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
> > 02:35:37: ISAKMP (0:2): sending packet to 100.100.100.249 (R) MM_SA_SETUP
> > 02:35:38: ISAKMP (0:2): received packet from 100.100.100.249 (R) MM_SA_SETUP
> > 02:35:38: ISAKMP (0:2): processing KE payload. message ID = 0
> > 02:35:38: ISAKMP (0:2): processing NONCE payload. message ID = 0
> > 02:35:38: ISAKMP (0:2): found peer pre-shared key matching 100.100.100.249
> > 02:35:38: ISAKMP (0:2): SKEYID state generated
> > 02:35:38: ISAKMP (0:2): processing vendor id payload
> > 02:35:38: ISAKMP (0:2): speaking to another IOS box!
> > 02:35:38: ISAKMP (0:2): sending packet to 100.100.100.249 (R) MM_KEY_EXCH
> > 02:35:38: ISAKMP (0:2): received packet from 100.100.100.249 (R) MM_KEY_EXCH
> > 02:35:38: ISAKMP (0:2): processing ID payload. message ID = 0
> > 02:35:38: ISAKMP (0:2): processing HASH payload. message ID = 0
> > 02:35:38: ISAKMP (0:2): SA has been authenticated with 100.100.100.249
> > 02:35:38: ISAKMP (2): ID payload
> >         next-payload : 8
> >         type         : 1
> >         protocol     : 17
> >         port         : 500
> >         length       : 8
> > 02:35:38: ISAKMP (2): Total payload length: 12
> > 02:35:38: ISAKMP (0:2): sending packet to 100.100.100.249 (R) QM_IDLE
> > 02:35:39: ISAKMP (0:2): received packet from 100.100.100.249 (R) QM_IDLE
> > 02:35:39: ISAKMP (0:2): processing HASH payload. message ID = 1758794445
> > 02:35:39: ISAKMP (0:2): processing SA payload. message ID = 1758794445
> > 02:35:39: ISAKMP (0:2): Checking IPSec proposal 1
> > 02:35:39: ISAKMP: transform 1, ESP_DES
> > 02:35:39: ISAKMP:   attributes in transform:
> > 02:35:39: ISAKMP:      encaps is 1
> > 02:35:39: ISAKMP:      SA life type in seconds
> > 02:35:39: ISAKMP:      SA life duration (basic) of 3600
> > 02:35:39: ISAKMP:      SA life type in kilobytes
> > 02:35:39: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
> > 02:35:39: ISAKMP:      authenticator is HMAC-MD5
> > 02:35:39: ISAKMP (0:2): atts are acceptable.
> > 02:35:39: ISAKMP (0:2): IPSec policy invalidated proposal
> > 02:35:39: ISAKMP (0:2): phase 2 SA not acceptable!
> > 02:35:39: ISAKMP (0:2): sending packet to 100.100.100.249 (R) QM_IDLE
> > 02:35:39: ISAKMP (0:2): purging node -1391497798
> > 02:35:39: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 100.100.100.249
> > 02:35:39: ISAKMP (0:2): deleting node 1758794445 error FALSE reason "IKMP_NO_ERR_NO_TRANS"
> >
> >
> >
> > DEBUG INFORMATION IN (Rc)
> >
> >
> > 02:28:20: ISAKMP: received ke message (1/1)
> > 02:28:20: ISAKMP: local port 500, remote port 500
> > 02:28:20: ISAKMP (0:1): beginning Main Mode exchange
> > 02:28:20: ISAKMP (0:1): sending packet to 100.100.100.170 (I) MM_NO_STATE
> > 02:28:20: ISAKMP (0:1): received packet from 100.100.100.170 (I) MM_NO_STATE
> > 02:28:20: ISAKMP (0:1): processing SA payload. message ID = 0
> > 02:28:20: ISAKMP (0:1): found peer pre-shared key matching 212.64.161.170
> > 02:28:20: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
> > 02:28:20: ISAKMP:      encryption DES-CBC
> > 02:28:20: ISAKMP:      hash MD5
> > 02:28:20: ISAKMP:      default group 1
> > 02:28:20: ISAKMP:      auth pre-share.
> > 02:28:20: ISAKMP (0:1): atts are acceptable. Next payload is 0
> > 02:28:20: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
> > 02:28:20: ISAKMP (0:1): sending packet to 100.100.100.170 (I) MM_SA_SETUP
> > 02:28:21: ISAKMP (0:1): received packet from 100.100.100.170 (I) MM_SA_SETUP
> > 02:28:21: ISAKMP (0:1): processing KE payload. message ID = 0
> > 02:28:21: ISAKMP (0:1): processing NONCE payload. message ID = 0
> > 02:28:21: ISAKMP (0:1): found peer pre-shared key matching 100.100.100.170
> > 02:28:21: ISAKMP (0:1): SKEYID state generated
> > 02:28:21: ISAKMP (0:1): processing vendor id payload
> > 02:28:21: ISAKMP (0:1): speaking to another IOS box!
> > 02:28:21: ISAKMP (1): ID payload
> >         next-payload : 8
> >         type         : 1
> >         protocol     : 17
> >         port         : 500
> >         length       : 8
> > 02:28:21: ISAKMP (1): Total payload length: 12
> > 02:28:21: ISAKMP (0:1): sending packet to 100.100.100.170 (I) MM_KEY_EXCH
> > 02:28:21: ISAKMP (0:1): received packet from 100.100.100.170 (I) MM_KEY_EXCH
> > 02:28:21: ISAKMP (0:1): processing ID payload. message ID = 0
> > 02:28:21: ISAKMP (0:1): processing HASH payload. message ID = 0
> > 02:28:21: ISAKMP (0:1): SA has been authenticated with 100.100.100.170
> > 02:28:21: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -1116135486
> > 02:28:21: ISAKMP (0:1): sending packet to 100.100.100.170 (I) QM_IDLE
> > 02:28:21: ISAKMP (0:1): received packet from 100.100.100.170 (I) QM_IDLE
> > 02:28:21: ISAKMP (0:1): processing HASH payload. message ID = -792121744
> > 02:28:21: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
> >         spi 2370182913, message ID = -792121744, sa = 814AD8D0
> > 02:28:21: ISAKMP (0:1): deleting spi 2370182913 message ID = -1116135486
> > 02:28:21: ISAKMP (0:1): deleting node -1116135486 error TRUE reason "delete_larval"
> > 02:28:21: ISAKMP (0:1): deleting node -792121744 error FALSE reason "informational (in) state 1"....
> >
> >
> >
> > The IOS configurations are:
> >
> > --- Router (Ra) ---
> >
> > version 12.2
> > no parser cache
> > no service single-slot-reload-enable
> > no service pad
> > service timestamps debug uptime
> > service timestamps log uptime
> > service password-encryption
> > !
> > hostname Ra
> > !
> > logging rate-limit console 10 except errors
> > aaa new-model
> > aaa authentication login default local
> > enable secret 5 xxxxxxxxxxx
> > !
> > username root password 7 00000000000
> > ip subnet-zero
> > !
> > ip ssh time-out 120
> > ip ssh authentication-retries 3
> > no ip dhcp-client network-discovery
> > call rsvp-sync
> > !
> > !
> > !
> > !
> > !
> > !
> > crypto isakmp policy 1
> >  hash md5
> >  authentication pre-share
> > crypto isakmp key R.47 address 100.100.100.169
> > crypto isakmp key R.47 address 100.100.100.249
> > !
> > !
> > crypto ipsec transform-set rtpset esp-des esp-md5-hmac
> > !
> > crypto map vpn 10 ipsec-isakmp
> >  set peer 100.100.100.169
> >  set transform-set rtpset
> >  match address 102
> > crypto map vpn 20 ipsec-isakmp
> >  set peer 100.100.100.249
> >  set transform-set rtpset
> >  match address 101
> > !
> > !
> > !
> > !
> > interface Ethernet0
> >  ip address 10.0.1.1 255.255.255.0
> >  ip nat inside
> >  no ip route-cache
> >  no ip mroute-cache
> >  hold-queue 32 in
> > !
> > interface ATM0
> >  no ip address
> >  no atm ilmi-keepalive
> >  pvc 0/16 ilmi
> >  !
> >  pvc 1/32
> >   encapsulation aal5mux ppp dialer
> >   dialer pool-member 1
> >  !
> >  bundle-enable
> >  dsl operating-mode auto
> > !
> > interface Dialer0
> >  ip address negotiated
> >  ip nat outside
> >  encapsulation ppp
> >  no ip route-cache
> >  no ip mroute-cache
> >  dialer pool 1
> >  dialer-group 1
> >  ppp pap sent-username usuario password 7 00000000
> >  crypto map vpn
> > !
> > ip classless
> > ip nat inside source list 110 interface Dialer0 overload
> > ip route 0.0.0.0 0.0.0.0 Dialer0
> > no ip http server
> > !
> > access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
> > access-list 101 deny   ip 10.0.1.0 0.0.0.255 any
> > access-list 102 permit ip 10.0.1.0 0.0.0.255 192.168.0.0 0.0.0.255
> > access-list 102 deny   ip 10.0.1.0 0.0.0.255 any
> > access-list 110 deny   ip 10.0.1.0 0.0.0.255 192.168.0.0 0.0.0.255
> > access-list 110 deny   ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
> > access-list 110 permit ip 10.0.1.0 0.0.0.255 any
> > dialer-list 1 protocol ip permit
> > !
> > !
> > voice-port 1
> >  cptone DE
> > !
> > voice-port 2
> >  cptone DE
> > !
> > voice-port 3
> >  cptone DE
> > !
> > voice-port 4
> >  cptone DE
> > !
> > !
> > !
> > line con 0
> >  exec-timeout 120 0
> >  stopbits 1
> > line vty 0 4
> >  exec-timeout 0 0
> >  password 7 000000000
> > !
> > scheduler max-task-time 5000
> > end
> >
> >
> >
> >
> > ---- Router Rb ----
> >
> > !
> > !
> > crypto isakmp policy 1
> >  hash md5
> >  authentication pre-share
> > crypto isakmp key R.47 address 100.100.100.169
> > crypto isakmp key R.47 address 100.100.100.170
> > !
> > !
> > crypto ipsec transform-set rtpset esp-des esp-md5-hmac
> > !
> > crypto map vpn 10 ipsec-isakmp
> >  set peer 100.100.100.169
> >  set transform-set rtpset
> >  match address 102
> > crypto map vpn 20 ipsec-isakmp
> >  set peer 100.100.100.170
> >  set transform-set rtpset
> >  match address 101
> > !
> > !
> > interface Ethernet0
> >  ip address 10.0.0.1 255.255.255.0
> >  ip nat inside
> >  no ip route-cache
> >  no ip mroute-cache
> >  hold-queue 32 in
> > !
> > !
> > FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44695&t=44374
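
Added example (not part of the original post and not Cisco code): a simplified Python model of the responder-side check behind the "peer address ... not found" message in the thread, run against constructed crypto map sections for Rc. The names `parse`, `validate` and `TEMPLATE` are this example's own; it assumes the first crypto map entry whose ACL mirrors the proposed proxies decides, compares network addresses only, and ignores wildcard masks and deny lines.

```python
import re

def parse(cfg):
    """Return (crypto map entries in sequence order, {acl: [(local, remote)]})."""
    entries, acls, cur = [], {}, None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"crypto map \S+ (\d+) ipsec-isakmp", line):
            cur = {"seq": int(m[1]), "peers": [], "acl": None}
            entries.append(cur)
        elif cur and (m := re.match(r"set peer (\S+)", line)):
            cur["peers"].append(m[1])
        elif cur and (m := re.match(r"match address (\d+)", line)):
            cur["acl"] = m[1]
        elif m := re.match(r"access-list (\d+) permit ip (\S+) \S+ (\S+) \S+", line):
            acls.setdefault(m[1], []).append((m[2], m[3]))
    return sorted(entries, key=lambda e: e["seq"]), acls

def validate(cfg, peer, src_proxy, dest_proxy):
    """Assumed responder logic: the first entry whose ACL mirrors the proposed
    proxies decides, and the proposing peer must be listed in that entry."""
    entries, acls = parse(cfg)
    for e in entries:
        if (dest_proxy, src_proxy) in acls.get(e["acl"], []):
            return "accepted" if peer in e["peers"] else f"peer address {peer} not found"
    return "no matching crypto ACL"

# Constructed crypto section for Rc (100.100.100.249, LAN 10.0.0.0/24); not from the thread.
TEMPLATE = """
crypto map vpn 10 ipsec-isakmp
{p10}
 set transform-set rtpset
 match address 101
crypto map vpn 20 ipsec-isakmp
{p20}
 set transform-set rtpset
 match address 102
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
"""
RA, RB = " set peer 100.100.100.170", " set peer 100.100.100.169"
MISMATCHED = TEMPLATE.format(p10=RB, p20=RA)  # each peer sits under the other LAN's ACL
PAIRED = TEMPLATE.format(p10=RA, p20=RB)      # one peer per entry, matching its LAN
ALL_PEERS = TEMPLATE.format(p10=f"{RA}\n{RB}", p20=f"{RB}\n{RA}")  # every peer in every entry

if __name__ == "__main__":
    for name, cfg in [("mismatched", MISMATCHED), ("paired", PAIRED), ("all peers", ALL_PEERS)]:
        # Proposal taken from the log in the post: Rb (.169) offering 192.168.0.0 -> 10.0.0.0
        print(name, "->", validate(cfg, "100.100.100.169", "192.168.0.0", "10.0.0.0"))
```

In this model the all-peers layout also accepts a proposal from 100.100.100.170 for the 192.168.0.0 proxy, which the one-peer-per-entry layout rejects.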