Here is the full config and debug output from R1 which is the receiving
router. As you can see there is no dns, or ip host configured. All the
phase1/2 related configs were done using IP addresses.
Thanks!
Building configuration...
Current configuration : 1888 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
memory-size iomem 15
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!voice-card 0
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp identity hostname
!
crypto isakmp peer address 8.9.11.7
set aggressive-mode password cisco
set aggressive-mode client-endpoint user-fqdn R1
!
!
crypto ipsec transform-set ESP3DES esp-3des esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 8.9.11.7
set transform-set ESP3DES
match address l2l
!
interface Loopback0
ip address 10.11.11.11 255.255.255.0
interface FastEthernet0/0
ip address 8.9.11.1 255.255.255.0
duplex auto
speed auto
crypto map VPN
!
interface FastEthernet0/1
ip address 136.1.121.1 255.255.255.0
duplex auto
speed auto
router ospf 1
log-adjacency-changes
network 8.9.11.0 0.0.0.255 area 0
network 10.11.11.0 0.0.0.255 area 0
network 136.1.121.0 0.0.0.255 area 0
!
ip access-list extended l2l
permit ip 10.11.11.0 0.0.0.255 10.7.7.0 0.0.0.255
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#
*Jun 19 10:38:39.811: ISAKMP (0): received packet from 8.9.11.7 dport 500
sport 500 Global (N) NEW SA
*Jun 19 10:38:39.811: ISAKMP: Created a peer struct for 8.9.11.7, peer port
500
*Jun 19 10:38:39.811: ISAKMP: New peer created peer = 0x67AB2618
peer_handle = 0x80000003
*Jun 19 10:38:39.811: ISAKMP: Locking peer struct 0x67AB2618, refcount 1
for crypto_isakmp_process_block
*Jun 19 10:38:39.811: ISAKMP: local port 500, remote port 500
*Jun 19 10:38:39.811: ISAKMP:(0):insert sa successfully sa = 6829A524
*Jun 19 10:38:39.811: ISAKMP:(0): processing SA payload. message ID = 0
*Jun 19 10:38:39.811: ISAKMP:(0): processing ID payload. message ID = 0
*Jun 19 10:38:39.811: ISAKMP (0): ID payload
next-payload : 13
type : 3
USER FQDN : R7
protocol : 17
port : 0
length : 10
*Jun 19 10:38:39.811: ISAKMP:(0):: peer matches *none* of the profiles
*Jun 19 10:38:39.811: ISAKMP:(0): processing vendor id payload
*Jun 19 10:38:39.811: ISAKMP:(0): vendor ID seems Unity/DPD but major 69
mismatch
*Jun 19 10:38:39.811: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jun 19 10:38:39.811: ISAKMP:(0): processing vendor id payload
*Jun 19 10:38:39.811: ISAKMP:(0): vendor ID seems Unity/DPD but major 245
mismatch
*Jun 19 10:38:39.811: ISAKMP (0): vendor ID is NAT-T v7
*Jun 19 10:38:39.811: ISAKMP:(0): processing vendor id payload
*Jun 19 10:38:39.811: ISAKMP:(0): vendor ID seems Unity/DPD but major 157
mismatch
*Jun 19 10:38:39.811: ISAKMP:(0): vendor ID is NAT-T v3
*Jun 19 10:38:39.811: ISAKMP:(0): processing vendor id payload
*Jun 19 10:38:39.811: ISAKMP:(0): vendor ID seems Unity/DPD but major 123
mismatch
*Jun 19 10:38:39.811: ISAKMP:(0): vendor ID is NAT-T v2
*Jun 19 10:38:39.811: ISAKMP:(0):SA using tunnel password as pre-shared key.
*Jun 19 10:38:39.815: ISAKMP:(0): local preshared key found
*Jun 19 10:38:39.815: ISAKMP : Scanning profiles for xauth ...
*Jun 19 10:38:39.815: ISAKMP:(0):Checking ISAKMP transform 1 against
priority 10 policy
*Jun 19 10:38:39.815: ISAKMP: encryption 3DES-CBC
*Jun 19 10:38:39.815: ISAKMP: hash SHA
*Jun 19 10:38:39.815: ISAKMP: default group 2
*Jun 19 10:38:39.815: ISAKMP: auth pre-share
*Jun 19 10:38:39.815: ISAKMP: life type in seconds
*Jun 19 10:38:39.815: ISAKMP: life duration (VPI) of 0x0 0x1 0x51
0x80
*Jun 19 10:38:39.815: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 19 10:38:39.815: ISAKMP:(0):Acceptable atts:actual life: 0
*Jun 19 10:38:39.815: ISAKMP:(0):Acceptable atts:life: 0
*Jun 19 10:38:39.815: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jun 19 10:38:39.815: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Jun 19 10:38:39.815: ISAKMP:(0):Returning Actual lifetime: 86400
*Jun 19 10:38:39.815: ISAKMP:(0)::Started lifetime timer: 86400.
*Jun 19 10:38:39.871: ISAKMP:(0): processing vendor id payload
*Jun 19 10:38:39.871: ISAKMP:(0): vendor ID seems Unity/DPD but major 69
mismatch
*Jun 19 10:38:39.871: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jun 19 10:38:39.871: ISAKMP:(0): processing vendor id payload
*Jun 19 10:38:39.871: ISAKMP:(0): vendor ID seems Unity/DPD but major 245
mismatch
*Jun 19 10:38:39.871: ISAKMP (0): vendor ID is NAT-T v7
*Jun 19 10:38:39.871: ISAKMP:(0): processing vendor id payload
*Jun 19 10:38:39.871: ISAKMP:(0): vendor ID seems Unity/DPD but major 157
mismatch
*Jun 19 10:38:39.871: ISAKMP:(0): vendor ID is NAT-T v3
*Jun 19 10:38:39.871: ISAKMP:(0): processing vendor id payload
*Jun 19 10:38:39.871: ISAKMP:(0): vendor ID seems Unity/DPD but major 123
mismatch
*Jun 19 10:38:39.871: ISAKMP:(0): vendor ID is NAT-T v2
*Jun 19 10:38:39.871: ISAKMP:(0): processing KE payload. message ID = 0
*Jun 19 10:38:39.943: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jun 19 10:38:39.943: ISAKMP:(0):SA using tunnel password as pre-shared key.
*Jun 19 10:38:39.943: ISAKMP:(1001): processing vendor id payload
*Jun 19 10:38:39.943: ISAKMP:(1001): vendor ID is DPD
*Jun 19 10:38:39.943: ISAKMP:(1001): processing vendor id payload
*Jun 19 10:38:39.943: ISAKMP:(1001): vendor ID seems Unity/DPD but major
242 mismatch
*Jun 19 10:38:39.943: ISAKMP:(1001): vendor ID is XAUTH
*Jun 19 10:38:39.943: ISAKMP:(1001): processing vendor id payload
*Jun 19 10:38:39.943: ISAKMP:(1001): vendor ID is Unity
*Jun 19 10:38:39.943: ISAKMP:(1001): constructed NAT-T vendor-rfc3947 ID
*Jun 19 10:38:39.943: ISAKMP:(1001):SA is doing pre-shared key
authentication using id type ID_FQDN
*Jun 19 10:38:39.943: ISAKMP (1001): ID payload
next-payload : 10
type : 2
FQDN name : R1
protocol : 0
port : 0
length : 10
*Jun 19 10:38:39.943: ISAKMP:(1001):Total payload length: 10
*Jun 19 10:38:39.947: ISAKMP:(1001): sending packet to 8.9.11.7 my_port 500
peer_port 500 (R) AG_INIT_EXCH
*Jun 19 10:38:39.947: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Jun 19 10:38:39.947: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Jun 19 10:38:39.947: ISAKMP:(1001):Old State = IKE_READY New State =
IKE_R_AM2
*Jun 19 10:38:40.019: ISAKMP (1001): received packet from 8.9.11.7 dport
500 sport 500 Global (R) AG_INIT_EXCH
*Jun 19 10:38:40.019: ISAKMP:(1001): processing HASH payload. message ID = 0
*Jun 19 10:38:40.019: ISAKMP:received payload type 20
*Jun 19 10:38:40.019: ISAKMP (1001): His hash no match - this node outside
NAT
*Jun 19 10:38:40.019: ISAKMP:received payload type 20
*Jun 19 10:38:40.019: ISAKMP (1001): No NAT Found for self or peer
*Jun 19 10:38:40.019: ISAKMP:(1001): processing NOTIFY INITIAL_CONTACT
protocol 1
spi 0, message ID = 0, sa = 6829A524
*Jun 19 10:38:40.019: ISAKMP:(1001):SA authentication status:
authenticated
*Jun 19 10:38:40.019: ISAKMP:(1001):SA has been authenticated with 8.9.11.7
*Jun 19 10:38:40.019: ISAKMP:(1001):SA authentication status:
authenticated
*Jun 19 10:38:40.019: ISAKMP:(1001): Process initial contact,
bring down existing phase 1 and 2 SA's with local 8.9.11.1 remote 8.9.11.7
remote port 500
*Jun 19 10:38:40.023: ISAKMP: Trying to insert a peer 8.9.11.1/8.9.11.7/500/,
and inserted successfully 67AB2618.
*Jun 19 10:38:40.023: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Jun 19 10:38:40.023: ISAKMP:(1001):Old State = IKE_R_AM2 New State =
IKE_P1_COMPLETE
*Jun 19 10:38:40.023: ISAKMP (1001): received packet from 8.9.11.7 dport
500 sport 500 Global (R) QM_IDLE
*Jun 19 10:38:40.023: ISAKMP: set new node -1201657660 to QM_IDLE
*Jun 19 10:38:40.027: ISAKMP:(1001): processing HASH payload. message ID =
-1201657660
*Jun 19 10:38:40.027: ISAKMP:(1001): processing SA payload. message ID =
-1201657660
*Jun 19 10:38:40.027: ISAKMP:(1001):Checking IPSec proposal 1
*Jun 19 10:38:40.027: ISAKMP: transform 1, ESP_3DES
*Jun 19 10:38:40.027: ISAKMP: attributes in transform:
*Jun 19 10:38:40.027: ISAKMP: encaps is 1 (Tunnel)
*Jun 19 10:38:40.027: ISAKMP: SA life type in seconds
*Jun 19 10:38:40.027: ISAKMP: SA life duration (basic) of 3600
*Jun 19 10:38:40.027: ISAKMP: SA life type in kilobytes
*Jun 19 10:38:40.027: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50
0x0
*Jun 19 10:38:40.027: ISAKMP: authenticator is HMAC-SHA
*Jun 19 10:38:40.027: ISAKMP:(1001):atts are acceptable.
*Jun 19 10:38:40.027: ISAKMP:(1001): processing NONCE payload. message ID =
-1201657660
*Jun 19 10:38:40.027: ISAKMP:(1001): processing ID payload. message ID =
-1201657660
*Jun 19 10:38:40.027: ISAKMP:(1001): processing ID payload. message ID =
-1201657660
*Jun 19 10:38:40.031: ISAKMP:(1001):QM Responder gets spi
*Jun 19 10:38:40.031: ISAKMP:(1001):Node -1201657660, Input =
IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jun 19 10:38:40.031: ISAKMP:(1001):Old State = IKE_QM_READY New State =
IKE_QM_SPI_STARVE
*Jun 19 10:38:40.031: ISAKMP:(1001): Creating IPSec SAs
*Jun 19 10:38:40.031: inbound SA from 8.9.11.7 to 8.9.11.1 (f/i)
0/ 0
(proxy 10.7.7.0 to 10.11.11.0)
*Jun 19 10:38:40.031: has spi 0xB92582C7 and conn_id 0
*Jun 19 10:38:40.031: lifetime of 3600 seconds
*Jun 19 10:38:40.035: lifetime of 4608000 kilobytes
*Jun 19 10:38:40.035: outbound SA from 8.9.11.1 to 8.9.11.7 (f/i)
0/0
(proxy 10.11.11.0 to 10.7.7.0)
*Jun 19 10:38:40.035: has spi 0xE82D36E1 and conn_id 0
*Jun 19 10:38:40.035: lifetime of 3600 seconds
*Jun 19 10:38:40.035: lifetime of 4608000 kilobytes
*Jun 19 10:38:40.035: ISAKMP:(1001): sending packet to 8.9.11.7 my_port 500
peer_port 500 (R) QM_IDLE
*Jun 19 10:38:40.035: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Jun 19 10:38:40.035: ISAKMP:(1001):Node -1201657660, Input =
IKE_MESG_INTERNAL, IKE_GOT_SPI
*Jun 19 10:38:40.035: ISAKMP:(1001):Old State = IKE_QM_SPI_STARVE New
State = IKE_QM_R_QM2
*Jun 19 10:38:40.039: ISAKMP:(1001):Input = IKE_MESG_INTERNAL,
IKE_PHASE1_COMPLETE
*Jun 19 10:38:40.039: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State
= IKE_P1_COMPLETE
*Jun 19 10:38:40.039: ISAKMP (1001): received packet from 8.9.11.7 dport
500 sport 500 Global (R) QM_IDLE
*Jun 19 10:38:40.043: ISAKMP:(1001):deleting node -1201657660 error FALSE
reason "QM done (await)"
*Jun 19 10:38:40.043: ISAKMP:(1001):Node -1201657660, Input =
IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jun 19 10:38:40.043: ISAKMP:(1001):Old State = IKE_QM_R_QM2 New State =
IKE_QM_PHASE2_COMPLETE
R1#sh crypto session detail
Interface: FastEthernet0/0
Uptime: 00:01:27
Session status: UP-ACTIVE
Peer: 8.9.11.7 port 500 fvrf: (none) ivrf: (none)
Phase1_id: R7
Desc: (none)
IKE SA: local 8.9.11.1/500 remote 8.9.11.7/500 Active
Capabilities:(none) connid:1001 lifetime:23:58:32
IPSEC FLOW: permit ip 10.11.11.0/255.255.255.0 10.7.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 4 drop 0 life (KB/Sec) 4495627/3512
Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) 4495627/3512
On Mon, Jun 18, 2012 at 9:42 PM, Eugene Pefti <[email protected]>wrote:
> Well, this was not my question, Bruno ;)****
>
> It was Imre who started this thread and I tried to understand what was
> going on.****
>
> Imre, what do you have in your crypto map for the peer? I’m almost
> positive it’s an IP address and as he stated there’s neither DNS server nor
> IP host mapping configured****
>
> ** **
>
> Eugene****
>
>
>
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
