Hello,
We are trying to set up the tunnel between ISR and vMX, but it is not even passing phase 1. Is there anyone here who has done it?
Here is our config done at the ISR side:
crypto isakmp policy 10
encr aes 256
hash sha256
authentication pre-share
group 14
**************************
Preshared key
crypto isakmp key secret_key address vMX_public IP
***********************
Apply crypto map to the public interface
//////////////////////////////////////////////////////
ip access-list extended Azure-meraki-tarffic
permit ip 172.17.76.0 0.0.0.255 10.249.1.0 0.0.0.255
////////////////////////////
(ISAKMP Phase 2 Policy)
crypto ipsec transform-set vMX-Azure esp-aes 256 esp-sha256-hmac
/////////////////////////
Crypto Map
***************************
crypto map CMAP 10 ipsec-isakmp
set peer vMX_public IP
set transform-set vMX-Azure
match address Azure-meraki-tarffic
///////////////////////////////
interface GigabitEthernet0/0/0
crypto map CMAP
What does "debug crypto isakmp" on the ISR give you and is anything in the vMX event log? Have you confirmed you have IP connectivity?
debug crypto isakmp doesn't show anything, and there is also no event log in vMX. I have pinged the vMX public IP from the router and it is pingable.
Here is what I get on the router: #sh logging
Jan 4 09:18:49.200: ISAKMP-ERROR: (0):No peer struct to get peer description
Jan 4 09:18:49.200: ISAKMP-ERROR: (0):No peer struct to get peer description
Jan 4 09:18:49.200: ISAKMP-ERROR: (0):No peer struct to get peer description
Jan 4 09:18:59.234: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: MIB Stats Ptr 0x7F57E0A62320
Jan 4 09:18:59.234: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: MIB Stats Ptr 0x7F57E0A62320
Jan 4 09:18:59.234: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: Flow ID : 0x24000063, Flow Stats Ptr 0x7F57E4892588
Jan 4 09:18:59.234: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: MIB Stats Ptr 0x7F57E0A62320
Jan 4 09:18:59.234: ISAKMP-ERROR: (0):No peer struct to get peer description
Jan 4 09:18:59.235: ISAKMP-ERROR: (0):No peer struct to get peer description
Jan 4 09:18:59.235: ISAKMP-ERROR: (0):No peer struct to get peer description
Jan 4 09:20:59.012: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: MIB Stats Ptr 0x7F57E0A62320
Jan 4 09:20:59.013: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: MIB Stats Ptr 0x7F57E0A62320
Jan 4 09:20:59.013: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: Flow ID : 0x24000063, Flow Stats Ptr 0x7F57E4892588
Jan 4 09:20:59.013: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: MIB Stats Ptr 0x7F57E0A62320
Jan 4 09:20:59.013: ISAKMP-ERROR: (0):No peer struct to get peer description
Jan 4 09:20:59.013: ISAKMP-ERROR: (0):No peer struct to get peer description
Jan 4 09:20:59.013: ISAKMP-ERROR: (0):No peer struct to get peer description
Jan 4 09:21:07.979: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: MIB Stats Ptr 0x7F57E0A62320
Jan 4 09:21:07.979: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: MIB Stats Ptr 0x7F57E0A62320
Jan 4 09:21:07.979: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: Flow ID : 0x24000063, Flow Stats Ptr 0x7F57E4892588
Jan 4 09:21:07.979: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: MIB Stats Ptr 0x7F57E0A62320
Jan 4 09:21:07.979: ISAKMP-ERROR: (0):No peer struct to get peer description
Jan 4 09:21:07.979: ISAKMP-ERROR: (0):No peer struct to get peer description
Jan 4 09:21:07.979: ISAKMP-ERROR: (0):No peer struct to get peer description
Jan 4 09:22:06.221: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: MIB Stats Ptr 0x7F57E0A62320
Jan 4 09:22:06.222: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: MIB Stats Ptr 0x7F57E0A62320
Jan 4 09:22:06.222: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: Flow ID : 0x24000063, Flow Stats Ptr 0x7F57E4892588
Jan 4 09:22:06.222: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: MIB Stats Ptr 0x7F57E0A62320
172.17.76.0/24 is the network behind the router and 10.249.1.0/24 is the Azure network? If not, your ACL Azure-meraki-tarffic needs to be reversed.
@KarstenI The issue was with the script where local-address was missing, and mode tunnel and the exempt subnet in the NAT-acl.
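
The three items named in the accepted reply, applied to the ISR config from the first post, as an added example that is not the poster's actual script. It assumes "local-address" means the crypto map local-address command; the NAT ACL name NAT-ACL and the inside interface GigabitEthernet0/0/1 are hypothetical, and <vMX_public_IP> and secret_key are placeholders.

```cisco
! Phase 1 policy and pre-shared key, as in the first post
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key secret_key address <vMX_public_IP>
!
! Phase 2 transform set, with the encapsulation mode stated explicitly
crypto ipsec transform-set vMX-Azure esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: local LAN first, remote network second
ip access-list extended Azure-meraki-tarffic
 permit ip 172.17.76.0 0.0.0.255 10.249.1.0 0.0.0.255
!
! Source IKE and IPsec from the address of the public interface
crypto map CMAP local-address GigabitEthernet0/0/0
crypto map CMAP 10 ipsec-isakmp
 set peer <vMX_public_IP>
 set transform-set vMX-Azure
 match address Azure-meraki-tarffic
!
! NAT exemption (assumed ACL name): the deny line keeps VPN-bound traffic
! from being translated, so it still matches the crypto ACL above
ip access-list extended NAT-ACL
 deny   ip 172.17.76.0 0.0.0.255 10.249.1.0 0.0.0.255
 permit ip 172.17.76.0 0.0.0.255 any
ip nat inside source list NAT-ACL interface GigabitEthernet0/0/0 overload
!
interface GigabitEthernet0/0/0
 ip nat outside
 crypto map CMAP
! Assumed inside interface
interface GigabitEthernet0/0/1
 ip nat inside
```

After applying, "show crypto isakmp sa" and "show crypto ipsec sa" on the ISR show whether phase 1 and phase 2 come up once traffic from 172.17.76.0/24 is sent toward 10.249.1.0/24.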