
ISAKMP Problems

Status
Not open for further replies.

tschouten

IS-IT--Management
Jul 31, 2002
391
US
For some reason I can't wrap my head around this issue.

I have one of several site-to-site VPNs that I can't get to negotiate properly. It is supposed to use SHA but keeps saying it only has MD5. I have set policies for both. Below is what I see when I run a debug.

ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:205.141.218.148, dest:216.143.11.6 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:205.141.218.148, dest:216.143.11.6 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 0
length : 27
ISAKMP (0): Total payload length: 31
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 216.143.11.6, dst 205.141.218.148
ISADB: reaper checking SA 0x15d6394, conn_id = 0
ISADB: reaper checking SA 0x1390fbc, conn_id = 0
ISADB: reaper checking SA 0x14f734c, conn_id = 0
ISADB: reaper checking SA 0x1439234, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 205.141.218.148/500 not found - peers:2

ISADB: reaper checking SA 0x15d6394, conn_id = 0
ISADB: reaper checking SA 0x1390fbc, conn_id = 0
ISADB: reaper checking SA 0x14f734c, conn_id = 0VPN Peer:ISAKMP: Peer Info for 205.141.218.148/500 not fo$

This is what I have configured:

access-list mers-crypto permit ip object-group mers-fhlb-group host 205.141.209.154
access-list nonat permit ip any 205.141.209.154 255.255.255.255


crypto ipsec transform-set MERS esp-3des esp-sha-hmac

crypto map outside 15 ipsec-isakmp
crypto map outside 15 match address mers-crypto
crypto map outside 15 set peer xxx.yyy.xxx.zzz
crypto map outside 15 set transform-set MERS

isakmp key ******** address xxx.yyy.zzz.xxx netmask 255.255.255.255 no-xauth no-config-mode

This is current isakmp policy:

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

For some reason I cannot see my error (I say mine because more often than not it is).

Anyone see what I am doing wrong here?
 
Yes... before someone makes a comment, I started to scrub out IPs then forgot the rest. Hey, it happens when you get asked a thousand questions from people and you are trying to post at the same time. :)

 
I still can't see anything wrong with my configuration. The more I look at the information the less clear the problem seems.

Would love it if anyone could shed some light here.
 
Never mind, after contacting the company we were setting the tunnel up with, I found they had supplied the wrong IP for my firewall in their firewall, which completely explains what I was seeing. Duhhhhh....
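The debug in the first post already rules out the hash policy: the peer's proposal (3DES/MD5/group 2/pre-share) was accepted against priority 10, keys and nonces were exchanged, and the tunnel only stalled once our ID payload (MM5) went out and never got an answer, which is exactly the peer-side misconfiguration the poster eventually found. The following triage script, added here and not part of the thread, walks the PIX "debug crypto isakmp" milestones in that order and says how far phase 1 got; the sample text is a constructed excerpt of the output quoted above, and the milestone strings are assumed to match that PIX debug format.

```python
import re

# Constructed excerpt of the PIX "debug crypto isakmp" output quoted in the post above.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 216.143.11.6, dst 205.141.218.148
"""

# Main Mode milestones in the order the PIX prints them, and what reaching each one proves.
MILESTONES = [
    ("proposal accepted", "atts are acceptable"),    # MM1/MM2: a local isakmp policy matched
    ("keys exchanged", "processing NONCE payload"),  # MM3/MM4: DH values and nonces swapped
    ("identity sent", "ISAKMP (0): ID payload"),     # MM5: our encrypted identity went out
]

def triage_phase1(debug_text: str) -> dict:
    """Report how far IKE phase 1 got and which causes the debug already rules out."""
    proposal = {}
    m = re.search(r"against priority (\d+) policy", debug_text)
    if m:  # the attributes printed right after this line are the peer's proposal
        proposal["policy"] = int(m.group(1))
        for attr in ("encryption", "hash", "auth"):
            a = re.search(rf"^ISAKMP: {attr} (\S+)", debug_text, re.MULTILINE)
            if a:
                proposal[attr] = a.group(1)
    reached = [name for name, marker in MILESTONES if marker in debug_text]
    retransmits = len(re.findall(r"retransmitting phase 1", debug_text))
    deleted = "deleting SA" in debug_text
    verdict = "phase 1 still progressing or complete"
    if not reached:
        verdict = "no proposal matched: compare the isakmp policies on both peers"
    elif reached[-1] == "identity sent" and retransmits and deleted:
        verdict = ("policy %s accepted %s/%s; peer never answered MM5: check the pre-shared key "
                   "and the peer address/identity configured on BOTH ends, not the hash policy"
                   % (proposal.get("policy"), proposal.get("encryption"), proposal.get("hash")))
    elif retransmits:
        verdict = "peer stopped answering after '%s'" % reached[-1]
    return {"proposal": proposal, "last_stage": reached[-1] if reached else None,
            "retransmits": retransmits, "deleted": deleted, "verdict": verdict}
```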

 