Understanding IKE Phase I and II
Hi, I've been through the concept a lot of times, but what confuses me is the encryption algorithm and the DH key, and how they go hand in hand in IKE phase II. I understand phase I authenticates the VPN peers and negotiates the ISAKMP policy, which includes the Diffie-Hellman exchange and symmetric encryption, for example DES or TDES. What I don't understand is what the Diffie-Hellman exchange (key derived from the public/private function) is used for: does it encrypt the IKE2 exchange already encrypted with DES/TDES/AES?
Also, if I do not use PFS in Phase II, would I be using the same DH key derived during phase I, and if yes, is that secure enough?
Another question: when the peers authenticate each other and the IKE phase I policies are exchanged, does that happen in clear text?
Could someone please explain the process step by step in the two phases, focusing precisely on the Diffie-Hellman exchange and how it is used with the encryption algorithms.
Regards
Sonu
Sonu,
Looks like you want to go back to the RFC to take a peek. We also have a series of documents explaining IKEv1 that go along with debugging.
What you miss is that in IKEv1 (main mode), messages 5 and 6 are already encrypted, while the previous ones, including the Diffie-Hellman exchange, are not.
MM5 and MM6 are when the peers exchange their identities. Those must be protected, hence the DH negotiation before.
Phase 2 is a separate exchange protected with the result of phase 1. The role of DH for phase 2 is to ensure that the encryption keys are not derived from previous key material.
Start here:
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_tech_note09186a0080094203.shtml
http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a0080bce100.shtml
https://supportforums.Cisco.com/docs/doc-18522
M.
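The dependency between the two phases described in the answer above, as an added example that is not part of the original thread: it follows the RFC 2409 formulas for pre-shared-key authentication and shows what the phase 2 keys are derived from with and without PFS. The toy DH group, HMAC-SHA1 as the prf, the function names and all sample nonces, cookies, SPI and key are assumptions constructed for illustration.

```python
"""IKEv1 key derivation per RFC 2409 (pre-shared-key authentication)."""
import hashlib
import hmac

# Toy DH group, constructed for this example: 2**127 - 1 is prime but far too
# small for real use (IKE group 2 is a 1024-bit MODP group).
P = 2**127 - 1
G = 5

# Constructed sample values (not taken from any real exchange).
PSK = b"example-psk"
NI, NR = b"I" * 16, b"R" * 16            # phase 1 nonces (sent in MM3/MM4)
CKY_I, CKY_R = b"\x11" * 8, b"\x22" * 8  # ISAKMP cookies
NI2, NR2 = b"i" * 16, b"r" * 16          # fresh Quick Mode nonces
ESP = 3                                  # PROTO_IPSEC_ESP in the IPsec DOI
SPI = bytes.fromhex("0a0b0c0d")


def prf(key, data):
    """Negotiated prf; HMAC-SHA1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_public(private):
    return pow(G, private, P)


def dh_shared(private, peer_public):
    """g^xy as bytes; computed by each peer, never sent on the wire."""
    return pow(peer_public, private, P).to_bytes(16, "big")


def phase1_keys(psk, ni, nr, g_xy, cky_i, cky_r):
    """SKEYID family from RFC 2409 section 5."""
    skeyid = prf(psk, ni + nr)           # binds the PSK to this exchange
    tail = g_xy + cky_i + cky_r
    d = prf(skeyid, tail + b"\x00")      # SKEYID_d: seeds the phase 2 keys
    a = prf(skeyid, d + tail + b"\x01")  # SKEYID_a: authenticates messages
    e = prf(skeyid, a + tail + b"\x02")  # SKEYID_e: encrypts MM5/MM6 and phase 2
    return {"d": d, "a": a, "e": e}


def main_mode(x_i=0x1234567, x_r=0x7654321):
    """MM3/MM4 carry DH public values and nonces in clear; both peers then
    derive the same keys, so MM5/MM6 (the identities) can be encrypted."""
    pub_i, pub_r = dh_public(x_i), dh_public(x_r)
    initiator = phase1_keys(PSK, NI, NR, dh_shared(x_i, pub_r), CKY_I, CKY_R)
    responder = phase1_keys(PSK, NI, NR, dh_shared(x_r, pub_i), CKY_I, CKY_R)
    return initiator, responder


def phase2_keymat(skeyid_d, protocol, spi, ni2, nr2, g_qm_xy=b""):
    """Quick Mode KEYMAT (RFC 2409 section 5.5). Without PFS g_qm_xy is empty,
    so the IPsec keys depend only on SKEYID_d plus nonces and SPI. With PFS a
    fresh DH secret is mixed in, independent of the phase 1 key material."""
    return prf(skeyid_d, g_qm_xy + bytes([protocol]) + spi + ni2 + nr2)


def quick_mode(skeyid_d, pfs, y_i=0xABCDEF1, y_r=0x1FEDCBA):
    """y_i / y_r are the ephemeral phase 2 DH privates, used only with PFS."""
    g_qm_xy = dh_shared(y_i, dh_public(y_r)) if pfs else b""
    return phase2_keymat(skeyid_d, ESP, SPI, NI2, NR2, g_qm_xy)


if __name__ == "__main__":
    init, resp = main_mode()
    print("peers derive the same phase 1 keys:", init == resp)
    print("KEYMAT without PFS:", quick_mode(init["d"], pfs=False).hex())
    print("KEYMAT with PFS:   ", quick_mode(init["d"], pfs=True).hex())
```

Without PFS, every IPsec SA negotiated under one phase 1 SA traces back to the single phase 1 DH secret through SKEYID_d; with PFS each Quick Mode adds its own DH secret.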
Tags: Cisco Security
Similar Questions
-
Configuration of VPN - IKE phase 1...
I have some confusion about the VPN configuration... In my ASA, the IKE phase 1 settings below are already configured.
crypto isakmp policy 1
 authentication pre-share
 the Encryption
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 9
 authentication pre-share
 the Encryption
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 the Encryption
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 the Encryption
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
Last week, I configured a new L2L VPN. For the IPsec phase, I added the lines below...
crypto map toremote 20 match address remotevpn2
crypto map toremote 20 set peer x.x.x.x
crypto map toremote 20 set transform-set strong
crypto map toremote 20 set security-association lifetime seconds 28800
Now my question is that the crypto map seq no. 20 does not match any IKE phase 1 seq no. (1, 9, 10, 30) that is already configured. But the VPN is up and working fine. How does it associate a particular IKE phase with IPsec?
If I want to configure a new VPN with different IKE phase 1 parameters, like 3DES, SHA1, lifetime 86400, what configuration do I have to do in IKE phase 1?
Kind regards
SOM
The isakmp policy number and the ipsec policy number do not have to match, on your ASA or with the other end. They are two distinct phases of negotiation. The ASA will compare your policies with the other end's, starting with the lowest policy number, until a match is found.
I usually put the more secure policies first (i.e. with the lowest policy number).
To create a new policy, just add it with a new policy number, anywhere you want in the order.
-
Hello world
Need to confirm: for IKE Phase 1
we use port UDP 500.
For IKE Phase 2, we use ports
ESP - 50
NAT-T UDP 4500
TCP - 1000
Regards
Mahesh
IKE phase 1 (main mode/aggressive mode) is udp src and dst 500.
Phase 2 of IKE could be:
- IP protocol 50 (ESP)
- NAT-T is udp src (client) ephemeral, dst (server) udp 4500
- In older VPN clients, tcp encapsulation was src (client) ephemeral, dst (server) tcp 10000 (10,000 in US) and 10,000 in most of the other countries
-
Pre shared keys used in IKE Phase 1
Hello world
Need to confirm whether we use pre-shared keys during IKE Phase 1 in main mode and aggressive mode
Regards
Mahesh
The pre-shared key is used in both modes of IKE Phase I. With pre-shared keys, the same pre-shared key is configured on each IPsec peer. IKE peers authenticate each other by computing and sending a keyed hash of data that includes the pre-shared key.
-
Hello.
I'm setting up the remote-site VPN part and can't find the IKE Phase 1 settings in ASDM. Can someone tell me where I can find the phase 2 settings? Thank you.
If this is the case, with ASDM 6.3 and above, you can use the link below to verify:
Go to the Configuration > Site-to-Site VPN > Advanced > Crypto Maps pane.
http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a0080b9b90a.shtml#asdmconfig
-
How can I do a phase shift and amplitude change on wavefile which is read in
Hello all
I have a wavefile which has two channels, left and right. I would like to make a phase shift and amplitude change on one of the channels. I can split each channel into tables, but I don't know how to do a phase shift and amplitude change on the table to get the new signal.
TIA sal22
Hi Sal,
Here's a way to implement the phase change:
In regards to the change of amplitude, you could just multiply all of the table with the desired value.
-
Understanding buffered i/o and direct i/o
From the Oracle documentation, it seems that direct I/O is recommended compared with buffered I/O
http://download.Oracle.com/docs/CD/E10530_01/doc/EPM.931/html_esb_dbag/frameset.htm?dstcache.htm
Understanding buffered i/o and direct i/o
The Essbase Kernel uses buffered I/O (input/output) by default, but direct I/O is available on most of the operating systems and file systems that Essbase supports. For the list of supported platforms, see the Hyperion Essbase - 9 Installation Guide.
Buffered I/O uses the file system buffer cache.
Direct I/O bypasses the file system buffer cache and is able to perform asynchronous, overlapped I/O. The following benefits are provided:
* Faster response time. A user waits less time for Essbase to return data.
* Scalability and predictability. Essbase lets you customize the optimal cache sizes for its databases.
http://download.Oracle.com/docs/CD/E10530_01/doc/EPM.931/html_esb_dbag/frameset.htm?dstcache.htm
If you are using direct I/O, make the index cache as large as system resources allow. If you are using buffered I/O, make the index cache as small as possible.
http://download.Oracle.com/docs/CD/E10530_01/doc/EPM.931/html_esb_techref/config/indexcachesize.htm
* An integer expressed in bytes (B), in kilobytes (KB), megabytes (M), or gigabytes (G)
* Minimum value: 1 megabyte (1 M)
* Maximum value: 2 gigabytes (2 G)
* Default value: 10 MB (10 M)
* If a value is given without qualifier B, K, M, or G, it is assumed that the value is in bytes.
* The qualifier can be uppercase or lowercase, and can be entered adjacent value (10M) or separated by one space (10 M).
We are now using buffered I/O, so does that mean the index cache size must be set as small as possible? That is, 1 MB?
I know we have a thread going on index caches elsewhere, but I will repeat what I have heard and seen - almost no one uses direct I/O. I will also pass on this - I heard that in some cases it can be faster, but once again, it is not commonly used.
This was the default for a while (Essbase 6.x, I think) and was so buggy, misunderstood, etc., etc., that it got a tainted reputation. Of course, Hyperion/Oracle have had enough time to solve the problems and I don't think that bugginess is the problem any longer, but again, this is not the default mode.
Re your index cache sizing - if it was my task, I would determine a representative collection of calculations, compare their times with the current cache settings, then with low index cache settings, stop the db, restart the db, benchmark again, and then do the same for all (or most of) the index in memory. <--That is the true path to index size enlightenment. I would do the above for each cache setting and I would do it for each database - they are all different.
BTW, this is for the world of the OSB.
Kind regards
Cameron Lackpour
-
VPN site to Site stuck in IKE Phase 1 - MM_WAIT_MSG2
We have a site-to-site VPN. The tunnel has worked before, but after some discussions about the location of ASA_Receiving (no change in config was made on this ASA; it is directly connected to the internet) the tunnel will not come back up. The devices can ping each other without problem.
It is an L2L VPN; I wonder if the Type saying user is related to the issue?
ASA_Initiator
IKE Peer: 71.13.xxx.xxx
Type: user Role: initiator
Rekey: no State: MM_WAIT_MSG2
ASA_Receiving
# show crypto isakmp sa
There are no isakmp sas
Hey,
Is the remote end an ASA as well?
If so, take the capture below on the ASA:
capture capout
match udp host host interface
The tunnel gets stuck on MM_WAIT_MSG2 for 2 reasons:
1. Either a problem with the phase 1 policies on the remote end, or
2. UDP 500 is not reaching the remote end, or the remote end sends the UDP 500 packet back and it can't reach the local ASA.
Regards
-
IKE Phase 2 SA expires immediately - site 2 site ipsec over gre
Hello
I'm migrating a site-to-site IPsec config to a new 'face', an ASR1001 router, with a VPN to a Linux machine (ipsec-tools + racoon).
As Debian Linux does not do VTI, I use a crypto map.
The working config is given below, with the corresponding logs from the Linux side.
When I try to apply the config that worked before to the ASR1001, I get the following error:
000855: *Dec 12 18:28:21.859 UTC: %ACE-3-TRANSERR: IOSXE-ESP(14): IKEA trans 0x1350; opcode 0x60; Param 0x2EE; error 0x5; Retry cnt 0
Any suspicion about the error code 0x5?
The logs on the Linux side show sync issues...
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: initiate new phase 1 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: begin Identity Protection mode.
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: CISCO-UNITY
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: DPD
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: ISAKMP-SA established 194.214.196.2[500]-130.120.124.8[500] spi:5f8e6339fb954d45:e513d25e42e19d11
Dec 12 18:50:20 FAKE-AUCH-GW racoon: INFO: initiate new phase 2 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
Dec 12 18:50:39 FAKE-AUCH-GW racoon: INFO: respond new phase 2 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
Dec 12 18:50:50 FAKE-AUCH-GW racoon: NOTIFY: the packet is retransmitted by 130.120.124.8[500] (1).
Dec 12 18:50:50 FAKE-AUCH-GW racoon: INFO: IPsec-SA expired: ESP/Transport 130.120.124.8[500]->194.214.196.2[500] spi=30866420(0x1d6fbf4)
Dec 12 18:50:50 FAKE-AUCH-GW racoon: WARNING: PF_KEY EXPIRE message received from kernel for SA being negotiated. Stopping negotiation.
Dec 12 18:50:50 FAKE-AUCH-GW racoon: INFO: IPsec-SA expired: AH/Transport 130.120.124.8[500]->194.214.196.2[500] spi=258959(0x3f38f)
Dec 12 18:50:59 FAKE-AUCH-GW racoon: INFO: initiate new phase 2 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
Dec 12 18:51 FAKE-AUCH-GW racoon: NOTIFY: the packet is retransmitted by 130.120.124.8[500] (1).
Dec 12 18:51:09 FAKE-AUCH-GW racoon: INFO: IPsec-SA expired: ESP/Transport 130.120.124.8[500]->194.214.196.2[500] spi=95427747(0x5b01ca3)
Dec 12 18:51:09 FAKE-AUCH-GW racoon: WARNING: PF_KEY EXPIRE message received from kernel for SA being negotiated. Stopping negotiation.
Dec 12 18:51:09 FAKE-AUCH-GW racoon: INFO: IPsec-SA expired: AH/Transport 130.120.124.8[500]->194.214.196.2[500] spi=159198575(0x97d2d6f)
Dec 12 18:51:09 FAKE-AUCH-GW racoon: INFO: respond new phase 2 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
Dec 12 18:51:10 FAKE-AUCH-GW racoon: NOTIFY: the packet is retransmitted by 130.120.124.8[500] (1).
!###########################################
! Config of IOS running
!
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key MY-0WN-T3RR1F1C-PR35H4R3D-K3Y address 192.0.2.66 no-xauth
!
!
crypto ipsec transform-set MY-0WN-TS-MD5 ah-md5-hmac esp-aes 256 esp-md5-hmac
 mode transport
!
crypto map MY-0WN-map 1 ipsec-isakmp
 set peer 192.0.2.66
 set transform-set MY-0WN-TS-MD5
 set pfs group2
 match address 120
!
interface Tunnel0
 bandwidth 45000
 ip address 198.51.100.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip mtu 1400
 ip virtual-reassembly in
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.66
 tunnel path-mtu-discovery
 tunnel bandwidth transmit 45000
 tunnel bandwidth receive 45000
!
interface GigabitEthernet0/0
 ip address 192.0.2.34 255.255.255.224
 no ip redirects
 no ip proxy-arp
 ip virtual-reassembly in
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
 crypto map MY-0WN-map
!###########################################
Logs on the Linux side:
Dec 12 08:18:30 GLA racoon: INFO: ISAKMP-SA expired 192.0.2.66[500]-192.0.2.34[500] spi:88ed3c49ea8ffe38:e568a2dd27cbec5d
Dec 12 08:18:30 GLA racoon: INFO: ISAKMP-SA deleted 192.0.2.66[500]-192.0.2.34[500] spi:88ed3c49ea8ffe38:e568a2dd27cbec5d
Dec 12 08:18:31 GLA racoon: INFO: respond new phase 1 negotiation: 192.0.2.66[500]<=>192.0.2.34[500]
Dec 12 08:18:31 GLA racoon: INFO: begin Identity Protection mode.
Dec 12 08:18:31 GLA racoon: INFO: received Vendor ID: RFC 3947
Dec 12 08:18:31 GLA racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Dec 12 08:18:31 GLA racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Dec 12 08:18:31 GLA racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02#012
Dec 12 08:18:31 GLA racoon: INFO: received Vendor ID: DPD
Dec 12 08:18:31 GLA racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Dec 12 08:18:31 GLA racoon: [192.0.2.34] INFO: received INITIAL-CONTACT
Dec 12 08:18:31 GLA racoon: INFO: ISAKMP-SA established 192.0.2.66[500]-192.0.2.34[500] spi:88ed3c49e027808c:b17ba35c5b7f1e82
Dec 12 08:18:31 GLA racoon: INFO: respond new phase 2 negotiation: 192.0.2.66[500]<=>192.0.2.34[500]
Dec 12 08:18:31 GLA racoon: INFO: Update the generated policy: 192.0.2.34/32[0] 192.0.2.66/32[0] proto=any dir=in
Dec 12 08:18:31 GLA racoon: INFO: IPsec-SA established: AH/Transport 192.0.2.66[500]->192.0.2.34[500] spi=88493238(0x5464cb6)
Dec 12 08:18:31 GLA racoon: INFO: IPsec-SA established: ESP/Transport 192.0.2.66[500]->192.0.2.34[500] spi=21367141(0x1460965)
Dec 12 08:18:31 GLA racoon: INFO: IPsec-SA established: AH/Transport 192.0.2.66[500]->192.0.2.34[500] spi=1579505880(0x5e2558d8)
Dec 12 08:18:31 GLA racoon: INFO: IPsec-SA established: ESP/Transport 192.0.2.66[500]->192.0.2.34[500] spi=838280164(0x31f723e4)
Could you adjust your transform set?
Right now you have: crypto ipsec transform-set MY-0WN-TS-MD5 ah-md5-hmac esp-aes 256 esp-md5-hmac
Could you change it to strictly ESP or AH on both sides rather than mixing them?
There is a known issue with the ASR and mixing AH/ESP in the IPsec configuration. I'll post it below:
Mixing AH and ESP protocols in a transform set on ASR may not work. This is an enhancement request that will introduce support for this.
Symptoms:
The router may display the following messages on the console:
%ACE-3-TRANSERR: ASR1000-ESP(14): IKEA trans 0x27E; opcode 0x60; Param 0x2A.
error 0x5; Retry cnt 0
Conditions:
This symptom is observed on a Cisco ASR1000 series router when it works as an IPsec
endpoint, and when a nested transform is applied, such as:
crypto ipsec transform-set transform-1 ah-sha-hmac esp-3des esp-md5-hmac
crypto ipsec transform-set transform-1 ah-md5-hmac esp-3des esp-md5-hmac
Workaround:
Remove the unsupported configuration.
-
Understand fax failure oregano and corrects the prejudices of the solution or alternatives
I have problems sending a fax failed after that analyses a number of revenue and then transfer them into a MS Word Document in a Word format. I have some basic questions based on fax trying to figure why faxes fail and how to prevent them from doing.
Using Microsoft word 2007, running Windows 7 on my model # KN904UA #ABA HP Pavilion dv9700 notebook PC computer phone fax on a color HP LaserJet Pro CM1415 MPF series all in one printer. I tried faxing multiple documents several times to see that it gets to the next to the last page and fails. These documents are 15, 18, 19, and some even 21 pages long. And I wonder if one of the following solutions would work, tell me what you think? 1. cut the faxes in the half and passing the final part of the fax only, 2. By saving the document faxes in PDF and fax to PDF MS Word verses. 3. selection of the target destination Fax either from the AddressBook menu Fax (before frequently used saved fax number), or the fax number entering manually every time when sending a fax.
Can someone help me answer a few basic questions base of fax or understand why they fail? :
If I save a document in Word, click on print, choose to fax in the print options, the fax saves the file in the memory of the coil first before, it fires the fax process to start fax? In the affirmative when the file is saved in the coil of the memory, can I turn off my laptop and then the fax will continue Fax fax fax memory of coil? The fax data transfer rate is equal to a 14/4 Baud rate modem?
I can't fax anything longer than 10 pages. A 21 page document must be divided into 3 segments: name 1 file name page, page 2, and page 3 of the file file name. I hope this helps others with the same problem and inquierrie. Chris
-
WHEN NEGOTIATING ISAKMP IN MAIN MODE IKE PHASE 1
WHEN THE ISAKMP NEGOTIATION BEGINS IN IKE MAIN MODE, ISAKMP LOOKS FOR AN IDENTICAL ISAKMP POLICY ON BOTH PEERS.
PLEASE ADVISE WHICH PEER IS RESPONSIBLE FOR MATCHING POLICIES?
Hello
It will be the device that initiates the Phase I process. It will check the remote peer for a matching policy. The remote peer, on the other hand, will also verify the matching policy.
Rgds,
AK
-
Understanding Pragma Init Exception and others then exception...
Hi gurus,
I understand that using the pragma init exception, allows you to associate the user with valid error plsql code defined error message.
But can not be managed using so that other then an exception? Using sqlerrm and sqlerrcode, we can display error messages and log them.
Could you please help me understand this?
Thank you
I understand that using the pragma init exception, allows you to associate the user with valid error plsql code defined error message.
Correct - the doc of the PL/SQL language
http://docs.Oracle.com/CD/E11882_01/AppDev.112/e25519/exceptioninit_pragma.htm
The EXCEPTION_INIT pragma associates a user-defined exception name with an error code. . . .
error_code
Error code to be associated with exception. error_code can be 100 (the numeric code for "no data found" that the SQLCODE function returns) or any negative integer greater than -10000000 except -1403 (another numeric code for "no data found").
This doc link also has examples of using the pragma
But can not be managed using so that other then an exception? Using sqlerrm and sqlerrcode, we can display error messages and log them.
Could you please help me understand this?
First - understand this: if you are not going to 'handle' an exception, you shouldn't use an exception handler in the first place. Let the exception propagate up to the caller.
Second - you should NOT use WHEN OTHERS as a replacement for an appropriate exception handler.
Which of these do you find easier to read, understand and maintain?
1. -60
2. DEADLOCK_DETECTED
Do you think that ANYONE, no matter how expert, remembers all of the Oracle error codes? The names are much easier to understand than a number.
The pragma is used so that you can explicitly declare an exception handler for one of the unnamed Oracle error codes.
Again - see the documentation
http://docs.Oracle.com/CD/B19306_01/AppDev.102/b14261/errors.htm#BABGIIBI
To handle error conditions (typically ORA- messages) that have no predefined name, you must use the OTHERS handler or the pragma EXCEPTION_INIT. A pragma is a compiler directive that is processed at compile time, not at run time.
In PL/SQL, the pragma EXCEPTION_INIT tells the compiler to associate an exception name with an Oracle error number. That lets you refer to any internal exception by name and write a specific handler for it. When you see an error stack, or sequence of error messages, the one on top is the one that you can trap and handle.
The pragma is used to catch an exception that "should" occur during execution. Then, this exception can be handled. If it is NOT handled (for example, if you just log it) the exception handler should re-raise the exception rather than just swallowing it.
-
Noob question - help to understand what variables public and private?
As far as I understand public variable can be used in other classes. But how? I try this without a success:
Create a class:
package {
    public class MyClass {
        public var myVariable:Number = 5;
        public function MyClass() {
            trace(myVariable);
        }
    }
}
Then, create another class:
package {
    public class TryThis {
        public var myResult:Number = myVariable;
        public function TryThis() {
            trace(myResult);
        }
    }
}
and I got an error "undefined property myVariable" using this in the Flash file:
var niceTry:TryThis = new TryThis();
Your help will be greatly appreciated.
use:
package {
    public class myClass {
        public var myVariable:Number = 5;
        public function myClass() {
            trace(myVariable);
        }
    }
}
Then, create another class:
package {
    import myClass;
    public class TryThis {
        public var myResult:Number;
        public function TryThis() {
            // Read the public variable through an instance of the other class
            var mc:myClass = new myClass();
            myResult = mc.myVariable;
            trace(myResult);
        }
    }
}
-
Windows install not installed correctly
Hi, Itsme18wheels,
Start > type CMD
Right click on CMD and select run as administrator
Type sfc /scannow
Press enter
Note: There is a space between sfc and /scannow
You might need your Windows installation media to replace missing or corrupt files
Try the update again. If it fails once again, download/install the latest Windows Installer (for your operating system):
Windows6.0-KB942288-v2-x86.msu: http://www.Microsoft.com/en-US/Download/details.aspx?ID=8483
(Download and save it to your desktop, run it.)
Reset.
-Or-
Reset your Windows Update components with this FixIt:
How to reset the Windows Update components?
-
Hi all
I'm having challenges with a site-to-site VPN where it cannot be initiated from one side of the VPN.
From one side of the VPN, I can ping everything without problems and the VPN tunnel is established successfully, but when I try from the other side of the VPN it never establishes and the state is stuck in MM_KEY_EXCH.
I have verified the configurations at both ends and everything seems to be fine (see below); also, please find attached an isakmp crypto debug from the router that does not seem to establish the VPN - any idea why this is failing?
VPN is set up on a C837 to a C857.
***
crypto isakmp policy 10
 the BA
 hash md5
 authentication pre-share
 group 2
crypto isakmp key secret address 81.140.73.140 no-xauth
!
crypto ipsec security-association lifetime seconds 3000
!
Crypto ipsec transform-set esp course - esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 81.140.73.140
 set transform-set secure
 match address VPN-traffic
***
Thank you very much
That could very well be causing this problem.
If you have a static-to-dynamic IPsec configuration between two routers, please make sure that you have this configuration:
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080093f86.shtml
You see that the dynamic IP site has a normal static crypto map, but the static IP side has a dynamic crypto map.
This example assumes that you do NAT too.
With this configuration, the tunnel can only be started from the dynamic side.
Hope it helps.
Federico.