<div dir="ltr">Hi,<div><br></div><div>I am setting up a new site-site connection.  I have already established two working connections at other sites in the same config file;</div><div><br></div><div>I received the following status output for the connection that is failing.  It appears to be failing in phase 2. They are looking for tunnel mode, 3DES, SHA-1, DH Group 2. Anyone familiar with the error "STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT" ?</div>

<div><br></div><div>Thanks!</div><div>Mark</div><div><br></div><div><p class="MsoNormal" style="background-image:initial;background-repeat:initial"><span style="font-family:Arial;background:yellow">000 "xyz-0": <a href="http://10.0.10.10/32===10.0.10.10[50.60.11.50]---10.0.10.1...10.0.10.1---146.12.15.23[192.168.11.15]===172.16.1.52/32">10.0.10.10/32===10.0.10.10[50.60.11.50]---10.0.10.1...10.0.10.1---146.12.15.23[192.168.11.15]===172.16.1.52/32</a>; unrouted; eroute owner: #0</span><span style="font-family:Arial"></span></p>

<p class="MsoNormal" style="background-image:initial;background-repeat:initial"><span style="font-family:Arial;background:yellow">000 "xyz-0":   newest ISAKMP SA: #0; newest IPsec SA: #0;</span><span style="font-family:Arial"> </span></p>

<p class="MsoNormal" style="background-image:initial;background-repeat:initial"><span style="font-family:Arial"><br></span></p><p class="MsoNormal" style="background-image:initial;background-repeat:initial"><span style="font-family:Arial;background:yellow">000 #2: "xyz-0" STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 1s</span></p>

<p class="MsoNormal" style="background-image:initial;background-repeat:initial"><span style="font-family:Arial;background:yellow">000 #2: pending Phase 2 for "xyz-0" replacing #0</span></p><p class="MsoNormal" style="background-image:initial;background-repeat:initial">

<span style="font-family:Arial;background:yellow"><br></span></p><p class="MsoNormal" style="background-image:initial;background-repeat:initial"><span style="font-family:Arial;background:yellow"><br></span></p><p class="MsoNormal" style="background-image:initial;background-repeat:initial">

<span style="font-family:Arial;background-image:initial;background-color:rgb(255,255,255);background-repeat:initial">--- COMPLETE STATUS OUTPUT</span></p></div><div><br></div><div><div>
















<p class="MsoNormal" style="background-image:initial;background-repeat:initial"><span style="background-color:rgb(255,255,255)"><span style="font-family:Arial;background-image:initial;background-repeat:initial">000 "xyz-0":
<a href="http://10.0.10.10/32===10.0.10.10[50.60.11.50]---10.0.10.1...10.0.10.1---146.12.15.23[192.168.11.15]===172.16.1.52/32">10.0.10.10/32===10.0.10.10[50.60.11.50]---10.0.10.1...10.0.10.1---146.12.15.23[192.168.11.15]===172.16.1.52/32</a>;
unrouted; eroute owner: #0</span><span style="font-family:Arial"></span></span></p>

<p class="MsoNormal" style="background-image:initial;background-repeat:initial"><span style="background-color:rgb(255,255,255)"><span style="font-family:Arial;background-image:initial;background-repeat:initial">000 "xyz-0":
  newest ISAKMP SA: #0; newest IPsec SA: #0;</span><span style="font-family:Arial"> </span></span></p>

<p class="MsoNormal" style="background-image:initial;background-repeat:initial"><span style="font-family:Arial;background-color:rgb(255,255,255)">000 "abc-1": <a href="http://10.0.10.10/32===10.0.10.10[50.60.11.50]---10.0.10.1...10.0.10.1---210.4.6.18[192.168.51.51]===172.16.53.39/32">10.0.10.10/32===10.0.10.10[50.60.11.50]---10.0.10.1...10.0.10.1---210.4.6.18[192.168.51.51]===172.16.53.39/32</a>;
erouted; eroute owner: #3</span></p>

<p class="MsoNormal" style="background-image:initial;background-repeat:initial"><span style="font-family:Arial;background-color:rgb(255,255,255)">000 "abc-1":   newest ISAKMP SA: #0; newest IPsec
SA: #3; </span></p>

<p class="MsoNormal" style="background-image:initial;background-repeat:initial"><span style="font-family:Arial;background-color:rgb(255,255,255)">000 "abc-2": <a href="http://10.0.10.10/32===10.0.10.10[50.60.11.50]---10.0.10.1...10.0.10.1---210.4.6.18[192.168.51.51]===172.16.53.40/32">10.0.10.10/32===10.0.10.10[50.60.11.50]---10.0.10.1...10.0.10.1---210.4.6.18[192.168.51.51]===172.16.53.40/32</a>;
erouted; eroute owner: #4</span></p>

<p class="MsoNormal" style="background-image:initial;background-repeat:initial"><span style="font-family:Arial;background-color:rgb(255,255,255)">000 "abc-2":   newest ISAKMP SA: #1; newest IPsec
SA: #4; </span></p>

<p class="MsoNormal" style="background-image:initial;background-repeat:initial"><span style="font-family:Arial;background-color:rgb(255,255,255)">000 </span></p>

<p class="MsoNormal" style="background-image:initial;background-repeat:initial"><span style="font-family:Arial;background-image:initial;background-color:rgb(255,255,255);background-repeat:initial">000 #2: "xyz-0"
STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 1s</span></p>

<p class="MsoNormal" style="background-image:initial;background-repeat:initial"><span style="font-family:Arial;background-image:initial;background-color:rgb(255,255,255);background-repeat:initial">000 #2: pending Phase 2
for "xyz-0" replacing #0</span><span style="font-family:Arial"></span></p>

<p class="MsoNormal" style="background-image:initial;background-repeat:initial"><span style="font-family:Arial">000 #3: "abc-1" STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 85430s; newest IPSEC; eroute owner</span></p>

<p class="MsoNormal" style="background-image:initial;background-repeat:initial"><span style="font-family:Arial">000 #3: "abc-1" <a href="mailto:esp.86696df8@210.4.6.18">esp.86696df8@210.4.6.18</a> (0 bytes)
<a href="mailto:esp.c3632768@10.0.10.10">esp.c3632768@10.0.10.10</a> (0 bytes); tunnel</span></p>

<p class="MsoNormal" style="background-image:initial;background-repeat:initial"><span style="font-family:Arial">000 #4: "abc-2" STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 85640s; newest IPSEC; eroute owner</span></p>

<p class="MsoNormal" style="background-image:initial;background-repeat:initial"><span style="font-family:Arial">000 #4: "abc-2" <a href="mailto:esp.43fedca7@210.4.6.18">esp.43fedca7@210.4.6.18</a> (0 bytes)
<a href="mailto:esp.ca27d679@10.0.10.10">esp.ca27d679@10.0.10.10</a> (0 bytes); tunnel</span></p>

<p class="MsoNormal" style="background-image:initial;background-repeat:initial"><span style="font-family:Arial">000 #1: "abc-2" STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 85399s; newest ISAKMP</span></p>

</div><div>000 </div><div>Security Associations:</div><div>  none</div></div><div><br></div><div><br></div><div>CONFIG</div><div>
















<p class="MsoNormal"><span style="font-size:11pt;font-family:'Menlo Regular';color:black">conn xyz-0</span></p>

<p class="MsoNormal"><span style="font-size:11pt;font-family:'Menlo Regular';color:black">    #
Connection Security Parameters</span></p>

<p class="MsoNormal"><span style="font-size:11pt;font-family:'Menlo Regular';color:black">       
type=tunnel</span></p>

<p class="MsoNormal"><span style="font-size:11pt;font-family:'Menlo Regular';color:black">       
auth=esp</span></p>

<p class="MsoNormal"><span style="font-size:11pt;font-family:'Menlo Regular';color:black">        ike=3des-md5-modp1024</span></p>

<p class="MsoNormal"><span style="font-size:11pt;font-family:'Menlo Regular';color:black">       
esp=3des-sha1-modp1024</span></p>

<p class="MsoNormal"><span style="font-size:11pt;font-family:'Menlo Regular';color:black">       
pfs=no</span></p>

<p class="MsoNormal"><span style="font-size:11pt;font-family:'Menlo Regular';color:black">       
forceencaps=yes</span></p>

<p class="MsoNormal"><span style="font-size:11pt;font-family:'Menlo Regular';color:black">        ikelifetime=28800s</span></p>

<p class="MsoNormal"><span style="font-size:11pt;font-family:'Menlo Regular';color:black">       
keylife=28800s</span></p><p class="MsoNormal"><span style="color:black;font-family:'Menlo Regular';font-size:11pt">        # Left security gateway, subnet behind it, nexthop toward right.</span></p></div><div>

<p class="MsoNormal"><span style="font-size:11pt;font-family:'Menlo Regular';color:black">       
left=10.0.10.10</span></p>

<p class="MsoNormal"><span style="font-size:11pt;font-family:'Menlo Regular';color:black">       
leftid=50.60.11.50</span></p>

<p class="MsoNormal"><span style="font-size:11pt;font-family:'Menlo Regular';color:black">       
leftsubnet=<a href="http://10.0.10.10/32">10.0.10.10/32</a> </span></p>

<p class="MsoNormal"><span style="font-size:11pt;font-family:'Menlo Regular';color:black">       
leftnexthop=%defaultroute</span></p>

<p class="MsoNormal"><span style="font-size:11pt;font-family:'Menlo Regular';color:black">       
# Right security gateway, subnet behind it, nexthop toward left.</span></p>

<p class="MsoNormal"><span style="font-size:11pt;font-family:'Menlo Regular';color:black">       
right=146.12.15.23</span></p>

<p class="MsoNormal"><span style="font-size:11pt;font-family:'Menlo Regular';color:black">        rightid=192.168.11.15</span></p>

<p class="MsoNormal"><span style="font-size:11pt;font-family:'Menlo Regular';color:black">        rightsubnet=<a href="http://172.16.1.52/32">172.16.1.52/32</a></span></p>

<p class="MsoNormal"><span style="font-size:11pt;font-family:'Menlo Regular';color:black">       
rightnexthop=%defaultroute</span></p>

<p class="MsoNormal"><span style="font-size:11pt;font-family:'Menlo Regular';color:black">       
# To authorize this connection, but not actually start it,</span></p>

<p class="MsoNormal"><span style="font-size:11pt;font-family:'Menlo Regular';color:black">       
# at startup, uncomment this.</span></p>

<p class="MsoNormal"><span style="font-size:11pt;font-family:'Menlo Regular';color:black">        auto=start</span></p>

</div><div><br></div></div>