
cisco site to site vpn


  • cisco site to site vpn

    Hi, first post on here so bear with me.

    Having issues with a new VPN setup on phase 2 IPsec site-to-site and require some assistance, as all the troubleshooting is getting me nowhere.

    Central hub in the UK is a Cisco ASA 5510 and we're setting up a new office abroad using a Cisco 1801/K9.

    Looking at the logs I'm getting the following error:

    %CRYPTO-4-IKMP_NO_SA: IKE message from has no SA and is not an initialization offer0.

    I'm also getting a message about IPSEC(ipsec_process_proposal): invalid source address

    Config for new office is attached.

    The VPN setup properties in the UK (if I've set it up right) are as follows:

    Phase 1:

    PSK xxxxxx
    Encryption Scheme IKE
    Diffie-Hellman Group 2
    Hashing Algorithm AES256
    Lifetime 1440

    Phase 2:

    Encapsulation ESP
    Encryption Algorithm AES128
    Authentication Algorithm MD5
    PFS - Yes
    Lifetime 28800
    Lifesize 10000

    Thanks for looking!
    Last edited by marky9999; 12th May 2010, 12:58.

  • #2
    Re: cisco site to site vpn

    Check on both sides to make sure the parameters match, i.e. shared keys, lifetime, encryption, authentication, etc.

    Also got this from Cisco:

    Error Message
    %CRYPTO-4-IKMP_NO_SA : IKE message from [IP_address] has no SA and is not an initialization offer

    Explanation IKE maintains the current state for a communication in the form of security associations. No security association exists for the specified packet, and it is not an initial offer from the peer to establish one. This situation could indicate a denial-of-service attack.

    Recommended Action Contact the remote peer and the administrator of the remote peer.

    Looks like you have some mismatching parameters.
    Last edited by auglan; 7th May 2010, 16:28.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)


    • #3
      Re: cisco site to site vpn


      Thanks for the reply. Been troubleshooting for 2 days now and no closer to fixing it. Saw that info and I've re-created both ends from scratch, tried using different ways (EzVPN) and also copied a similar setup, but still no joy and can't see any differences, so needed a second opinion.

      I've attached the config for the UK end, if this is any good.


      • #4
        Re: cisco site to site vpn

        After looking at the relevant "crypto" parts of both configs, I do not see anything in phase 1, phase 2, transform-sets, tunnel-groups, etc... that would prevent the tunnel from coming up.

        But... on the router you have a static map that is mapping the outside address to the inside address. I would think this static map would cause the error message stated in your first post along with preventing the tunnel from coming up. Try removing the following line from the router config and see if the tunnel comes up.
        ip nat inside source static


        • #5
          Re: cisco site to site vpn

          Hi, thanks again for helping me.

          As a test I managed to borrow a SonicWall and replicated the settings, which brought the tunnel straight up after showing me one mismatch on phase 2. There was an issue on the ASA UK end with PFS that I couldn't see despite starting from scratch! I think I was copying the details every time that were wrong on the sheet I was given.

          After spending too long looking at it I think I just need to step back, and it's sorted.

          Appreciate you replying.

          Now that it is set up, I've been told I've got to set up another VPN from the 1800 (new office) to another office in Dubai!

          Should I post another thread or continue with this one?
          Last edited by marky9999; 11th May 2010, 19:39.
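
Putting the NAT-exemption point from post #4 and the PFS mismatch from post #5 together, here is an added IOS-style configuration for the 1801 end of a tunnel like this one; it is constructed for this thread, not the poster's attached config. The RFC 5737 addresses, interface names, the SHA-1 phase-1 hash (the sheet lists no hash) and the PSK placeholder are all assumptions.

```cisco
! Added example, not the poster's attached config. Addresses are constructed
! from the RFC 5737 documentation ranges.
! Branch LAN 192.168.10.0/24 behind the 1801, outside address 203.0.113.2.
! Hub LAN   192.168.1.0/24  behind the ASA,  outside address 198.51.100.1.
!
! Phase 1: PSK, AES-256, DH group 2, lifetime 1440 (seconds on IOS), as
! listed in the thread; SHA-1 is assumed because the sheet gives no hash.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 1440
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
!
! Phase 2: ESP AES-128 / MD5, PFS group 2, 28800 s. PFS must be set (or
! left unset) identically on the ASA; this was the mismatch found in post #5.
crypto ipsec transform-set TS-HUB esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto map CM-HUB 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-HUB
 set pfs group2
 match address VPN-TRAFFIC
!
! NAT: LAN-to-LAN traffic is excluded before any translation, so the ASA
! receives the untranslated 192.168.10.x source its crypto ACL expects.
ip access-list extended NAT-EXEMPT
 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address NAT-EXEMPT
ip nat inside source route-map NONAT interface FastEthernet0 overload
! A one-to-one static mapping, if one is needed, goes to a spare public
! address and is scoped by the same route-map, never to the tunnel endpoint
! address itself (the unconditional static from post #4).
ip nat inside source static 192.168.10.20 203.0.113.3 route-map NONAT
!
interface FastEthernet0
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 crypto map CM-HUB
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
```

The NAT-EXEMPT deny line and the VPN-TRAFFIC permit line must describe the same pair of subnets, and the ASA's crypto ACL must be the mirror image of VPN-TRAFFIC.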