Question

VPN with Cisco 871

By mehdi.talei ·
Hello,
I have a cellular modem, Airlink Raven X, connected to the WAN port of a Cisco 871 router.
Neither site-to-site VPN nor EZVPN comes up.
The debug crypto isakmp gives me the following result:

*Apr 1 19:09:05.083: ISAKMP: Unlocking peer struct 0x84223770 for isadb_mark_sa_deleted(), count 0
*Apr 1 19:09:05.083: ISAKMP: Deleting peer node by peer_reap for W.X.Y.Z: 84223770
*Apr 1 19:09:05.083: ISAKMP:(0):deleting node 102384373 error FALSE reason "IKE deleted"
*Apr 1 19:09:05.083: ISAKMP:(0):deleting node -145314910 error FALSE reason "IKE deleted"
*Apr 1 19:09:05.083: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Apr 1 19:09:05.083: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

*Apr 1 19:09:09.883: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Apr 1 19:09:09.883: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Apr 1 19:09:09.883: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Apr 1 19:09:09.883: ISAKMP:(0): sending packet to A.B.C.D my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Apr 1 19:09:09.883: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 1 19:09:19.883: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Apr 1 19:09:19.883: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Apr 1 19:09:19.883: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Apr 1 19:09:19.883: ISAKMP:(0): sending packet to A.B.C.D my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Apr 1 19:09:19.883: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 1 19:09:29.883: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Apr 1 19:09:29.883: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Apr 1 19:09:29.883: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Apr 1 19:09:29.883: ISAKMP:(0): sending packet to A.B.C.D my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Apr 1 19:09:29.883: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 1 19:09:35.083: ISAKMP:(0): SA request profile is (NULL)
*Apr 1 19:09:35.083: ISAKMP: Created a peer struct for W.X.Y.Z, peer port 500
*Apr 1 19:09:35.083: ISAKMP: New peer created peer = 0x8398F440 peer_handle = 0x8000000A
*Apr 1 19:09:35.083: ISAKMP: Locking peer struct 0x8398F440, refcount 1 for isakmp_initiator
*Apr 1 19:09:35.083: ISAKMP: local port 500, remote port 500
*Apr 1 19:09:35.083: ISAKMP: set new node 0 to QM_IDLE
*Apr 1 19:09:35.083: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 83683FF4
*Apr 1 19:09:35.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Apr 1 19:09:35.083: ISAKMP:(0):found peer pre-shared key matching W.X.Y.Z
*Apr 1 19:09:35.087: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Apr 1 19:09:35.087: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Apr 1 19:09:35.087: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Apr 1 19:09:35.087: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Apr 1 19:09:35.087: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Apr 1 19:09:35.087: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

*Apr 1 19:09:35.087: ISAKMP:(0): beginning Main Mode exchange
*Apr 1 19:09:35.087: ISAKMP:(0): sending packet to W.X.Y.Z my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 1 19:09:35.087: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 1 19:09:38.651: ISAKMP:(0):purging SA., sa=842B12EC, delme=842B12EC
*Apr 1 19:09:39.883: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Apr 1 19:09:39.883: ISAKMP:(0):peer does not do paranoid keepalives.

*Apr 1 19:09:39.883: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer A.B.C.D)
*Apr 1 19:09:39.883: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=192.168.13.100 Server_public_addr=A.B.C.D
*Apr 1 19:09:39.883: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer A.B.C.D)
*Apr 1 19:09:39.883: ISAKMP: Unlocking peer struct 0x83CF266C for isadb_mark_sa_deleted(), count 0

The interesting point is that when I connect the cable modem to the same router, it works fine, but with this cellular modem.
Any suggestion?
Thanks,
Mehdi
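
A triage helper for `debug crypto isakmp` output like the log in the post above, once terminal line wraps are rejoined: per peer, it tallies IKE packets sent and received, the highest retransmit attempt, and the SA deletion reason. This is an added example, not part of the original post; the sample lines are constructed with documentation addresses, and the "received packet from" pattern is an assumption about how IOS logs inbound IKE packets.

```python
import re
from collections import defaultdict

# Constructed sample in the message formats shown in the post; documentation
# addresses stand in for the masked peers. Wrapped lines must be rejoined first.
SAMPLE = """\
*Apr 1 19:09:19.883: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Apr 1 19:09:19.883: ISAKMP:(0): sending packet to 192.0.2.10 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Apr 1 19:09:29.883: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Apr 1 19:09:29.883: ISAKMP:(0): sending packet to 192.0.2.10 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Apr 1 19:09:35.087: ISAKMP:(0): sending packet to 198.51.100.20 my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 1 19:09:39.883: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 192.0.2.10)
*Apr 1 19:09:40.100: ISAKMP:(0): sending packet to 203.0.113.5 my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 1 19:09:40.300: ISAKMP (0:0): received packet from 203.0.113.5 dport 500 sport 500 Global (I) MM_NO_STATE
"""

SENT = re.compile(r"sending packet to (\S+) my_port \d+ peer_port \d+ \(\w\) (\S+)")
RECV = re.compile(r"received packet from (\S+)")  # assumed inbound format
ATTEMPT = re.compile(r"attempt (\d+) of \d+")
DELETED = re.compile(r'deleting SA reason "([^"]+)" state \(\w\) (\S+) \(peer (\S+)\)')

def summarize(text):
    """Return {peer: counters} built from unwrapped ISAKMP debug lines."""
    peers = defaultdict(lambda: {"sent": 0, "received": 0, "max_attempt": 0,
                                 "last_state": None, "reason": None})
    pending = 0  # the attempt counter line precedes the send it belongs to
    for line in text.splitlines():
        if m := ATTEMPT.search(line):
            pending = int(m.group(1))
        elif m := SENT.search(line):
            p = peers[m.group(1)]
            p["sent"] += 1
            p["last_state"] = m.group(2)
            p["max_attempt"] = max(p["max_attempt"], pending)
            pending = 0
        elif m := RECV.search(line):
            peers[m.group(1)]["received"] += 1
        elif m := DELETED.search(line):
            p = peers[m.group(3)]
            p["reason"], p["last_state"] = m.group(1), m.group(2)
    return dict(peers)

def unanswered(summary):
    """Peers that were sent IKE packets but never logged a reply."""
    return sorted(p for p, s in summary.items() if s["sent"] and not s["received"])

if __name__ == "__main__":
    for peer, stats in summarize(SAMPLE).items():
        print(peer, stats)
```

A peer listed by `unanswered()` never logged an inbound IKE packet during the capture, which separates "no reply reached the router" from a negotiation that started and then failed.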


All Answers

Router config

by mehdi.talei In reply to VPN with Cisco 871

I forgot to attach my router config:

version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname Raven-X
!
boot-start-marker
boot system flash c870-advipservicesk9-mz.124-15.T1.bin
boot-end-marker
!
logging buffered 10000 debugging
no logging console
!
no aaa new-model
!
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
no ip source-route
ip cef
!
!
!
!
vpdn enable
!
!
file prompt quiet
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key <removed> address W.X.Y.Z
!
!
crypto ipsec transform-set CTtransform esp-3des esp-sha-hmac
!
crypto ipsec client ezvpn bureau
 connect auto
 group vpngrp key <removed>
 mode network-extension
 peer A.B.C.D
 acl 100
 username <removed> password <removed>
 xauth userid mode local
!
!
crypto map BBdynmap 15 ipsec-isakmp
 set peer W.X.Y.Z
 set transform-set CTtransform
 set pfs group2
 match address cryptoBBB
!
!
interface FastEthernet0
 switchport mode trunk
 no cdp enable
!
interface FastEthernet1
 switchport mode trunk
 no cdp enable
!
interface FastEthernet2
 no cdp enable
!
interface FastEthernet3
 no cdp enable
!
interface FastEthernet4
 ip address dhcp client-id FastEthernet4
 no ip redirects
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map BBdynmap
 crypto ipsec client ezvpn bureau
!
interface Vlan1
 ip address 10.132.29.1 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip tcp adjust-mss 1392
 crypto ipsec client ezvpn bureau inside
 hold-queue 100 out
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip any any


ip access-list extended cryptoBBB
 permit ip any any
dialer-list 1 protocol ip permit

line con 0
 session-timeout 15
 login authentication loginvty
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 session-timeout 15
 login authentication loginvty
!
scheduler max-task-time 5000
end
