mrjohn
just joined
Topic Author
Posts: 10
Joined: Mon May 28, 2018 6:13 am

Phase1 negotiation failed due to send error. xx.xx.xx.xx[500]<=>xx.xx.xx.xx[500]

Sat Jun 03, 2023 3:29 pm

Hi everybody,

I'm trying to establish the tunnel Mikrotik - Cisco but I can't do that. In fact I read a lot of articles about this but I still have some problems:

--- Side Cisco ---
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key password address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile MyProfile
 set transform-set ESP-3DES-SHA


--- Side Mikrotik ---
add payload of len 16, next type 13
add payload of len 16, next type 0
sendmsg (Invalid argument)
sendfromto failed
phase1 negotiation failed due to send error. xx.xx.xx.xx[500]<=>xx.xx.xx.xx[500] 48234ee72dbe88a3:0000000000000000
failed to begin ISAKMP SA negotiation for peer: gre-tunnel
KA: xx.xx.xx.xx[4500]->xx.xx.xx.xx[4500]
1 times of 1 bytes message will be sent to xx.xx.xx.xx[4500]


In the firewall rules the ports 500, 4500, 1701 have been permitted because I have L2TP running.

More config:

/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade log=no log-prefix=""

0 chain=srcnat action=accept log=no log-prefix="" ipsec-policy=out,ipsec

/ip ipsec> proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1
enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m
pfs-group=modp1024


Does someone know what's wrong?

Thanks for your time.

John
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Phase1 negotiation failed due to send error. xx.xx.xx.xx[500]<=>xx.xx.xx.xx[500]

Mon Jun 05, 2023 8:28 am

Without seeing the complete configuration of the Mikrotik,
sendmsg (Invalid argument)
sendfromto failed
phase1 negotiation failed due to send error. xx.xx.xx.xx[500]<=>xx.xx.xx.xx[500] 48234ee72dbe88a3:0000000000000000
suggest that there is a routing issue, i.e. that the Mikrotik cannot find a route for the ISAKMP packet.

Can you ping the IP address of the Cisco from the Mikrotik? If yes, do you use any policy routing (routing marks etc.)?
 
oskarsk
MikroTik Support
Posts: 60
Joined: Mon May 13, 2019 9:41 am

Re: Phase1 negotiation failed due to send error. xx.xx.xx.xx[500]<=>xx.xx.xx.xx[500]

Mon Jun 05, 2023 9:36 am

Usually means that the local-address configured for the peer is not actually configured on the router. This could also be caused by firewall or NAT.
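
The local-address cause mentioned in the reply above can be checked offline against a configuration export. The following is an added example, not part of the thread or of MikroTik's tooling: it assumes an unwrapped RouterOS export (one `add` item per line), uses a constructed sample with documentation-range addresses, and treats a disabled address as not assigned.

```python
import ipaddress
import shlex

# Constructed sample of a RouterOS export fragment (not taken from the thread).
SAMPLE_EXPORT = """\
/ip address
add address=192.0.2.10/24 interface=ether1 network=192.0.2.0
add address=10.0.0.1/24 interface=bridge network=10.0.0.0
add address=192.0.2.99/24 disabled=yes interface=ether2 network=192.0.2.0
/ip ipsec peer
add address=198.51.100.1/32 local-address=192.0.2.99 name=gre-tunnel
add address=198.51.100.2/32 local-address=192.0.2.10 name=peer-ok
add address=198.51.100.3/32 name=peer-auto
"""


def parse_export(text):
    """Return {menu path: [{key: value}, ...]} for the 'add' lines of an export."""
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):           # menu header such as "/ip address"
            current = line
            menus.setdefault(current, [])
        elif line.startswith("add ") and current:
            tokens = shlex.split(line[4:])  # shlex keeps quoted values together
            menus[current].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return menus


def peers_with_unassigned_local_address(text):
    """Names of IPsec peers whose local-address is not an active router address."""
    menus = parse_export(text)
    assigned = {
        ipaddress.ip_interface(a["address"]).ip
        for a in menus.get("/ip address", [])
        if "address" in a and a.get("disabled") != "yes"  # assumption: disabled = absent
    }
    bad = []
    for peer in menus.get("/ip ipsec peer", []):
        local = peer.get("local-address")
        # Peers without local-address have nothing to compare against.
        if local and ipaddress.ip_address(local) not in assigned:
            bad.append(peer.get("name", "?"))
    return bad


if __name__ == "__main__":
    for name in peers_with_unassigned_local_address(SAMPLE_EXPORT):
        print(f"peer {name}: local-address is not assigned to any active interface")
```
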
