NotoriousREV

I've configured a Cisco router to connect a VPN to another non-Cisco router. They've exchanged keys and ar happy with each others identity etc, however I can't route traffic over the VPN at all and am seeing lots of the following error messages:

00:07:46: %CRYPTO-4-IKMP_NO_SA: IKE message from [peer address] has no SA and is not an initialization offer

I beleive the problem is that the internal ip address range at the remote peer has been incorrectly numbered. They are using live ip addresses that belong to someone else (all hidden so it won't have any other side effects) but I think my router is having routing trouble, even though I've set a route to use the peer as the gateway for that address range.

Am I barking up the wrong tree? Have I missed something really basic?

scoob_dood

Have you tried punching the error message into the Cisco website ? That can be useful.

SiCotty

This is something to do with the IKE Security Association which is needed to setup the IPSec tunnel. You may have a configuration error at one end or the other. This is to do with the Keys used to encrypt the data.

Have not played with this in some time so sorry I can not be of any more use.

Si

Have a look at

http://www.cisco.com/warp/public/707/ipsec_debug.html

and the following for some config guides and examples

http://www.cisco.com/warp/public/707/#ipsec

[Edited by SiCotty - 9/25/2002 6:22:29 PM]

Jeff Wiltshire

It looks like the far end doesn't have your information correctly set-up in the SA. You need to associate the far network with the IKE SA so that it knows to use the tunnel correctly. This needs to be done at both ends. Apologies if this is teaching Grandma to suck eggs.....


Jeff