Tunnel Establishment Fails at Phase I

As discussed before, IPsec is established in two phases: Phase I and Phase II. Tunnel establishment can therefore fail in either phase. Execute the show commands discussed in the "Diagnostic Tools and Commands" section and first identify whether the failure is in Phase I or Phase II. If show crypto isakmp sa shows anything other than the QM_IDLE state shown in Example 6-1, the problem is with Phase I. Run the debug commands discussed in the "Diagnostic Tools and Commands" section and compare the output with that shown in the preceding section for a successful tunnel negotiation. Work through the following steps to isolate any issues pertaining to Phase I tunnel establishment:

Step 1.
Correct connectivity problems between the peers.

You must make sure that the tunnel end points (the Dhaka and Doha routers) can ping each other's public interfaces, where the crypto map is applied. If they cannot ping each other, make sure a route to the peer is defined on both (usually the default route, if these are gateway routers). Remember that some ISPs block ICMP, so ping may fail even when connectivity is fine. For the IPsec tunnel to establish, UDP/500 (ISAKMP) must be open in both directions between the tunnel end points. A quick way to verify this is the debug ip udp command, which shows whether the initiator or the responder is receiving any ISAKMP request or response.

Step 2.
Avoid configuration mismatches between the tunnel end points.

If IP connectivity is tested and shown to be without problems, you must verify that the configuration on the two tunnel end points matches. For Phase I, the ISAKMP policy must match; it is exchanged in packets 1 and 2 of Phase I in Main Mode. Packet 1 sends all the ISAKMP proposals configured on the initiator to the responder. The responder must match at least one ISAKMP policy as a whole to successfully build Phase I. Packet 2 carries either the matching proposal or a failure message. If there is no match, the initiator tries the default policy, 65535, and if that does not match either, ISAKMP negotiation fails. This occurrence outputs the debug message shown in Example 6-9, which shows the default policy on the router.
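The whole-policy matching of packets 1 and 2 described above, modelled as an added example (not from the book or from IOS): the initiator offers its configured policies plus 65535, and the responder accepts only a proposal whose attributes all match one of its policies, otherwise the log names the attribute that differs. The default-suite values and the lifetime rule (a shorter proposed lifetime is accepted, a longer one is not) are assumptions, and the Dhaka/Doha policy sets are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'crypto isakmp policy <priority>' entry: the attributes carried in
    Main Mode packets 1 and 2 of Phase I."""
    priority: int
    encryption: str        # e.g. "3des", "aes 128"
    hash: str              # "sha" or "md5"
    authentication: str    # "pre-share" or "rsa-sig"
    group: int             # Diffie-Hellman group number
    lifetime: int = 86400  # ISAKMP SA lifetime in seconds

# Default protection suite appended as priority 65535 (assumed values:
# DES, SHA, RSA signatures, DH group 1, 86400 s).
DEFAULT_POLICY = IsakmpPolicy(65535, "des", "sha", "rsa-sig", 1, 86400)
COMPARED = ("encryption", "hash", "authentication", "group")

def mismatches(proposal, local):
    """Attributes that stop `local` from accepting `proposal` as a whole.
    A shorter proposed lifetime is accepted (and then used), so only a
    longer lifetime counts as a mismatch (assumed behaviour)."""
    diff = [a for a in COMPARED if getattr(proposal, a) != getattr(local, a)]
    if proposal.lifetime > local.lifetime:
        diff.append("lifetime")
    return diff

def negotiate(initiator, responder):
    """Model packets 1 and 2: the initiator offers every configured policy
    (lowest priority number first) and then the default 65535; the responder
    answers with the first of its configured policies matching a proposal
    entirely. Returns (matched responder policy or None, diagnostic lines)."""
    proposals = sorted(initiator, key=lambda p: p.priority) + [DEFAULT_POLICY]
    log = []
    for prop in proposals:
        for pol in sorted(responder, key=lambda p: p.priority):
            diff = mismatches(prop, pol)
            if not diff:
                log.append(f"proposal {prop.priority} accepted by policy {pol.priority}")
                return pol, log
            log.append(f"proposal {prop.priority} vs policy {pol.priority}: " +
                       ", ".join(f"{a} {getattr(prop, a)}/{getattr(pol, a)}" for a in diff))
    log.append("no proposal accepted, default 65535 included: Phase I fails")
    return None, log

# Constructed policy sets for the Dhaka (initiator) and Doha (responder) routers.
DHAKA = [IsakmpPolicy(10, "aes 128", "sha", "pre-share", 2)]
DOHA_BROKEN = [IsakmpPolicy(10, "aes 128", "md5", "pre-share", 2)]  # hash differs
DOHA_FIXED = [IsakmpPolicy(10, "aes 128", "sha", "pre-share", 2)]

if __name__ == "__main__":
    for name, doha in (("broken", DOHA_BROKEN), ("fixed", DOHA_FIXED)):
        matched, log = negotiate(DHAKA, doha)
        print(f"{name}: {'policy agreed' if matched else 'Phase I failure'}")
        print("  " + "\n  ".join(log))
```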