[OSL | CCIE_Security] Analyzing ISAKMP debug.

Simon Baumann Sat, 12 Sep 2009 06:35:48 -0700

Hi,
I just tried to configure r2 of my sec pod acting as an IPSec gateway.  
The XP workstation conencts withe the Cisco VPN Client. Here's the  
debug of r2 when trying to connect from XP.


#--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
*Sep 13 05:19:23.527: ISAKMP (0): received packet from 192.1.49.100  
dport 500 sport 1094 Global (N) NEW SA
*Sep 13 05:19:23.527: ISAKMP: Created a peer struct for 192.1.49.100,  
peer port 1094
*Sep 13 05:19:23.527: ISAKMP: New peer created peer = 0x70F5D13C  
peer_handle = 0x8000000E
*Sep 13 05:19:23.527: ISAKMP: Locking peer struct 0x70F5D13C, refcount  
1 for crypto_isakmp_process_block
*Sep 13 05:19:23.527: ISAKMP:(0):Setting client config settings 70F5C430
*Sep 13 05:19:23.527: ISAKMP:(0):(Re)Setting client xauth list  and  
state
*Sep 13 05:19:23.527: ISAKMP/xauth: initializing AAA request
*Sep 13 05:19:23.527: ISAKMP: local port 500, remote port 1094
*Sep 13 05:19:23.527: ISAKMP: Find a dup sa in the avl tree during  
calling isadb_insert sa = 70F6F64C
*Sep 13 05:19:23.527: ISAKMP:(0): processing SA payload. message ID = 0
*Sep 13 05:19:23.527: ISAKMP:(0): processing ID payload. message ID = 0
*Sep 13 05:19:23.527: ISAKMP (0): ID payload
         next-payload : 13
         type         : 11
         group id     : vpnclients
         protocol     : 17
         port         : 500
         length       : 18
*Sep 13 05:19:23.527: ISAKMP:(0):: peer matches *none* of the profiles
*Sep 13 05:19:23.527: ISAKMP:(0): processing vendor id payload
*Sep 13 05:19:23.527: ISAKMP:(0): vendor ID seems Unity/DPD but major  
215 mismatch
*Sep 13 05:19:23.527: ISAKMP:(0): vendor ID is XAUTH
*Sep 13 05:19:23.527: ISAKMP:(0): processing vendor id payload
*Sep 13 05:19:23.527: ISAKMP:(0): vendor ID is DPD
*Sep 13 05:19:23.527: ISAKMP:(0): processing vendor id payload
*Sep 13 05:19:23.527: ISAKMP:(0): processing IKE frag vendor id payload
*Sep 13 05:19:23.527: ISAKMP:(0):Support for IKE Fragmentation not  
enabled
*Sep 13 05:19:23.527: ISAKMP:(0): processing vendor id payload
*Sep 13 05:19:23.527: ISAKMP:(0): vendor ID seems Unity/DPD but major  
123 mismatch
*Sep 13 05:19:23.527: ISAKMP:(0): vendor ID is NAT-T v2
*Sep 13 05:19:23.527: ISAKMP:(0): processing vendor id payload
*Sep 13 05:19:23.527: ISAKMP:(0): vendor ID is Unity
*Sep 13 05:19:23.527: ISAKMP:(0): Authentication by xauth preshared
*Sep 13 05:19:23.527: ISAKMP:(0):Checking ISAKMP transform 1 against  
priority 1 policy
*Sep 13 05:19:23.527: ISAKMP:      encryption AES-CBC
*Sep 13 05:19:23.527: ISAKMP:      hash SHA
*Sep 13 05:19:23.527: ISAKMP:      default group 2
*Sep 13 05:19:23.527: ISAKMP:      auth XAUTHInitPreShared
*Sep 13 05:19:23.527: ISAKMP:      life type in seconds
*Sep 13 05:19:23.527: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.527: ISAKMP:      keylength of 256
*Sep 13 05:19:23.527: ISAKMP:(0):Encryption algorithm offered does not  
match policy!
*Sep 13 05:19:23.527: ISAKMP:(0):atts are not acceptable. Next payload  
is 3
*Sep 13 05:19:23.527: ISAKMP:(0):Checking ISAKMP transform 2 against  
priority 1 policy
*Sep 13 05:19:23.527: ISAKMP:      encryption AES-CBC
*Sep 13 05:19:23.527: ISAKMP:      hash MD5
*Sep 13 05:19:23.527: ISAKMP:      default group 2
*Sep 13 05:19:23.527: ISAKMP:      auth XAUTHInitPreShared
*Sep 13 05:19:23.527: ISAKMP:      life type in seconds
*Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:      keylength of 256
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not  
match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload  
is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 3 against  
priority 1 policy
*Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP:      hash SHA
*Sep 13 05:19:23.531: ISAKMP:      default group 2
*Sep 13 05:19:23.531: ISAKMP:      auth pre-share
*Sep 13 05:19:23.531: ISAKMP:      life type in seconds
*Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:      keylength of 256
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not  
match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload  
is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 4 against  
priority 1 policy
*Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP:      hash MD5
*Sep 13 05:19:23.531: ISAKMP:      default group 2
*Sep 13 05:19:23.531: ISAKMP:      auth pre-share
*Sep 13 05:19:23.531: ISAKMP:      life type in seconds
*Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:      keylength of 256
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not  
match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload  
is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 5 against  
priority 1 policy
*Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP:      hash SHA
*Sep 13 05:19:23.531: ISAKMP:      default group 2
*Sep 13 05:19:23.531: ISAKMP:      auth XAUTHInitPreShared
*Sep 13 05:19:23.531: ISAKMP:      life type in seconds
*Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:      keylength of 128
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not  
match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload  
is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 6 against  
priority 1 policy
*Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP:      hash MD5
*Sep 13 05:19:23.531: ISAKMP:      default group 2
*Sep 13 05:19:23.531: ISAKMP:      auth XAUTHInitPreShared
*Sep 13 05:19:23.531: ISAKMP:      life type in seconds
*Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:      keylength of 128
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not  
match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload  
is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 7 against  
priority 1 policy
*Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP:      hash SHA
*Sep 13 05:19:23.531: ISAKMP:      default group 2
*Sep 13 05:19:23.531: ISAKMP:      auth pre-share
*Sep 13 05:19:23.531: ISAKMP:      life type in seconds
*Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:      keylength of 128
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not  
match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload  
is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 8 against  
priority 1 policy
*Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP:      hash MD5
*Sep 13 05:19:23.531: ISAKMP:      default group 2
*Sep 13 05:19:23.531: ISAKMP:      auth pre-share
*Sep 13 05:19:23.531: ISAKMP:      life type in seconds
*Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:      keylength of 128
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not  
match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload  
is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 9 against  
priority 1 policy
*Sep 13 05:19:23.531: ISAKMP:      encryption 3DES-CBC
*Sep 13 05:19:23.531: ISAKMP:      hash SHA
*Sep 13 05:19:23.531: ISAKMP:      default group 2
*Sep 13 05:19:23.531: ISAKMP:      auth XAUTHInitPreShared
*Sep 13 05:19:23.531: ISAKMP:      life type in seconds
*Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:2
r2#3.531: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload  
is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 10 against  
priority 1 policy
*Sep 13 05:19:23.531: ISAKMP:      encryption 3DES-CBC
*Sep 13 05:19:23.531: ISAKMP:      hash MD5
*Sep 13 05:19:23.531: ISAKMP:      default group 2
*Sep 13 05:19:23.531: ISAKMP:      auth XAUTHInitPreShared
*Sep 13 05:19:23.531: ISAKMP:      life type in seconds
*Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not  
match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload  
is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 11 against  
priority 1 policy
*Sep 13 05:19:23.531: ISAKMP:      encryption 3DES-CBC
*Sep 13 05:19:23.531: ISAKMP:      hash SHA
*Sep 13 05:19:2 3.531: ISAKMP:      default group 2
*Sep 13 05:19:23.531: ISAKMP:      auth pre-share
*Sep 13 05:19:23.531: ISAKMP:      life type in seconds
*Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not  
match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload  
is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 12 against  
priority 1 policy
*Sep 13 05:19:23.531: ISAKMP:      encryption 3DES-CBC
*Sep 13 05:19:23.531: ISAKMP:      hash MD5
*Sep 13 05:19:23.531: ISAKMP:      default group 2
*Sep 13 05:19:23.531: ISAKMP:      auth pre-share
*Sep 13 05:19:23.531: ISAKMP:      life type in seconds
*Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not  
match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload  
is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 13 against  
priority 1 policy
*Sep 13 05:19:23.531: ISAKMP:      encryption DES-CBC
*Sep 13 05:19:23.531: ISAKMP:      hash MD5
*Sep 13 05:19:23.531: ISAKMP:      default group 2
*Sep 13 05:19:23.531: ISAKMP:      auth XAUTHInitPreShared
*Sep 13 05:19:23.531: ISAKMP:      life type in seconds
*Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:(0):Hash algorithm offered does not match  
policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload  
is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 14 against  
priority 1 policy
*Sep 13 05:19:23.531: ISAKMP:      encryption DES-CBC
*Sep 13 05:19:23.531: ISAKMP:      hash MD5
*Sep 13 05:19:23.531: ISAKMP:      default group 2
*Sep 13 05:19:23.531: ISAKMP:      auth pre-share
*Sep 13 05:19:23.531: ISAKMP:      life type in se
r2#conds
*Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:(0):Hash algorithm offered does not match  
policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload  
is 0
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 1 against  
priority 3 policy
*Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP:      hash SHA
*Sep 13 05:19:23.531: ISAKMP:      default group 2
*Sep 13 05:19:23.531: ISAKMP:      auth XAUTHInitPreShared
*Sep 13 05:19:23.531: ISAKMP:      life type in seconds
*Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:      keylength of 256
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not  
match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload  
is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 2 against  
priority 3 policy
*Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP:      hash MD5
*Sep 13 05:19:23.531: ISAKMP:      default group 2
*Sep 13 05:19:23.531: ISAKMP:      auth XAUTHInitPreShared
*Sep 13 05:19:23.531: ISAKMP:      life type in seconds
*Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:      keylength of 256
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not  
match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload  
is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 3 against  
priority 3 policy
*Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP:      hash SHA
*Sep 13 05:19:23.531: ISAKMP:      default group 2
*Sep 13 05:19:23.531: ISAKMP:      auth pre-share
*Sep 13 05:19:23.531: ISAKMP:      life type in seconds
*Sep 13 05:19:23. 531: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:      keylength of 256
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not  
match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload  
is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 4 against  
priority 3 policy
*Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP:      hash MD5
*Sep 13 05:19:23.531: ISAKMP:      default group 2
*Sep 13 05:19:23.531: ISAKMP:      auth pre-share
*Sep 13 05:19:23.531: ISAKMP:      life type in seconds
*Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:      keylength of 256
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not  
match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload  
is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 5 against  
priority 3 policy
*Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP:      hash SHA
*Sep 13 05:19:23.531: ISAKMP:      default group 2
*Sep 13 05:19:23.531: ISAKMP:      auth XAUTHInitPreShared
*Sep 13 05:19:23.531: ISAKMP:      life type in seconds
*Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:      keylength of 128
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not  
match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload  
is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 6 against  
priority 3 policy
*Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP:      hash MD5
*Sep 13 05:19:23.531: ISAKMP:      default group 2
*Sep 13 05:19:23.531: ISAKMP:      auth XAUTHInitPreShared
*Sep 13 05:19:23.531: ISAKMP:      life tyundebupe in seconds
*Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:      keylength of 128
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not  
match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload  
is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 7 against  
priority 3 policy
*Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP:      hash SHA
*Sep 13 05:19:23.531: ISAKMP:      default group 2
*Sep 13 05:19:23.531: ISAKMP:      auth pre-share
*Sep 13 05:19:23.531: ISAKMP:      life type in seconds
*Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:      keylength of 128
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not  
match policy!
g all13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload  
is 3
All possible debugging has been turned off
r2#
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 8 against  
priority 3 policy
*Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP:      hash MD5
*Sep 13 05:19:23.531: ISAKMP:      default group 2
*Sep 13 05:19:23.531: ISAKMP:      auth pre-share
*Sep 13 05:19:23.531: ISAKMP:      life type in seconds
*Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:      keylength of 128
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not  
match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload  
is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 9 against  
priority 3 policy
*Sep 13 05:19:23.531: ISAKMP:      encryption 3DES-CBC
*Sep 13 05:19:23.531: ISAKMP:      hash SHA
*Sep 13 05:19:23.531: ISAKMP:      default group 2
*Sep 13 05:19:23.531: ISAKMP:      auth XAUTHInitPreShared
*Sep 13 05:19:23.531: ISAKMP:      life type in seconds
*Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not  
match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload  
is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 10 against  
priority 3 policy
*Sep 13 05:19:23.531: ISAKMP:      encryption 3DES-CBC
*Sep 13 05:19:23.531: ISAKMP:      hash MD5
*Sep 13 05:19:23.531: ISAKMP:      default group 2
*Sep 13 05:19:23.531: ISAKMP:      auth XAUTHInitPreShared
*Sep 13 05:19:23.531: ISAKMP:      life type in seconds
*Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not  
match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload  
is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 11 against  
priority 3 policy
*Sep 13 05:19:23.531: ISAKMP:      encryption 3DES-CBC
*Sep 13 05:19:23.531: ISAKMP:      hash SHA
*Sep 13 05:19:23.531: ISAKMP:      default group 2
*Sep 13 05:19:23.531: ISAKMP:      auth pre-share
*Sep 13 05:19:23.531: ISAKMP:      life type in seconds
*Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not  
match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload  
is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 12 against  
priority 3 policy
*Sep 13 05:19:23.531: ISAKMP:      encryption 3DES-CBC
*Sep 13 05:19:23.531: ISAKMP:      hash MD5
*Sep 13 05:19:23.535: ISAKMP:      default group 2
*Sep 13 05:19:23.535: ISAKMP:      auth pre-share
*Sep 13 05:19:23.535: ISAKMP:      life type in seconds
*Sep 13 05:19:23.535: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.535: ISAKMP:(0):Encryption algorithm offered does not  
match policy!
*Sep 13 05:19:23.535: ISAKMP:(0):atts are not acceptable. Next payload  
is 3
*Sep 13 05:19:23.535: ISAKMP:(0):Checking ISAKMP transform 13 against  
priority 3 policy
*Sep 13 05:19:23.535: ISAKMP:      encryption DES-CBC
*Sep 13 05:19:23.535: ISAKMP:      hash MD5
*Sep 13 05:19:23.535: ISAKMP:      default group 2
*Sep 13 05:19:23.535: ISAKMP:      auth XAUTHInitPreShared
*Sep 13 05:19:23.535: ISAKMP:      life type in seconds
*Sep 13 05:19:23.535: ISAKMP:      life duration (VPI) of  0x0 0x20  
0xC4 0x9B
*Sep 13 05:19:23.535: ISAKMP:(0):atts are acceptable. Next payload is 3
*Sep 13 05:19:23.535: ISAKMP:(0):Acceptable atts:actual life: 86400
*Sep 13 05:19:23.535: ISAKMP:(0):Acceptable atts:life: 0
*Sep 13 05:19:23.535: ISAKMP:(0):Fill atts in sa vpi_length:4
*Sep 13 05:19:23.535: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
*Sep 13 05:19:23.535: ISAKMP:(0):Returning Actual lifetime: 86400
*Sep 13 05:19:23.535: ISAKMP:(0)::Started lifetime timer: 86400.

*Sep 13 05:19:23.535: ISAKMP:(0): processing KE payload. message ID = 0
*Sep 13 05:19:23.551: ISAKMP:(0): processing NONCE payload. message ID  
= 0
*Sep 13 05:19:23.551: ISAKMP:(0): vendor ID is NAT-T v2
*Sep 13 05:19:23.551: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Sep 13 05:19:23.551: ISAKMP:(0):Old State = IKE_READY  New State =  
IKE_R_AM_AAA_AWAIT

*Sep 13 05:19:23.719: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Sep 13 05:19:23.719: ISAKMP:(0):SA is doing pre-shared key  
authentication plus XAUTH using id type ID_FQDN
*Sep 13 05:19:23.719: ISAKMP (0): ID payload
         next-payload : 10
         type         : 2
         FQDN name    : r2
         protocol     : 0
         port         : 0
         length       : 10
*Sep 13 05:19:23.719: ISAKMP:(0):Total payload length: 10
*Sep 13 05:19:23.719: ISAKMP:(0): sending packet to 192.1.49.100  
my_port 500 peer_port 1094 (R) AG_INIT_EXCH
*Sep 13 05:19:23.719: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 13 05:19:23.719: ISAKMP:(0):Input = IKE_MESG_FROM_AAA,  
PRESHARED_KEY_REPLY
*Sep 13 05:19:23.719: ISAKMP:(0):Old State = IKE_R_AM_AAA_AWAIT  New  
State = IKE_R_AM2

*Sep 13 05:19:23.731: ISAKMP (0): received packet from 192.1.49.100  
dport 500 sport 1094 Global (R) AG_INIT_EXCH
*Sep 13 05:19:23.731: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from  
192.1.49.100 was not encrypted and it should've been.
*Sep 13 05:19:23.735: ISAKMP (0): incrementing error counter on sa,  
attempt 1 of 5: reset_retransmission
*Sep 13 05:19:23.735: ISAKMP (0): received packet from 192.1.49.100  
dport 500 sport 1094 Global (R) AG_INIT_EXCH
*Sep 13 05:19:23.735: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from  
192.1.49.100 was not encrypted and it should've been.
*Sep 13 05:19:23.735: ISAKMP (0): incrementing error counter on sa,  
attempt 2 of 5: reset_retransmission
*Sep 13 05:19:24.735: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Sep 13 05:19:24.735: ISAKMP (0): incrementing error counter on sa,  
attempt 3 of 5: retransmit phase 1
*Sep 13 05:19:24.735: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Sep 13 05:19:24.735: ISAKMP:(0): sending packet to 192.1.49.100  
my_port 500 peer_port 1094 (R) AG_INIT_EXCH
*Sep 13 05:19:24.735: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 13 05:19:24.955: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Sep 13 05:19:24.955: ISAKMP:(0):peer does not do paranoid keepalives.

*Sep 13 05:19:24.955: ISAKMP:(0):deleting SA reason "Death by  
retransmission P1" state (R) AG_INIT_EXCH (peer 192.1.49.100)
*Sep 13 05:19:24.955: ISAKMP:(0):deleting SA reason "Death by  
retransmission P1" state (R) AG_INIT_EXCH (peer 192.1.49.100)
*Sep 13 05:19:24.955: ISAKMP: Unlocking peer struct 0x7043EBFC for  
isadb_mark_sa_deleted(), count 0
*Sep 13 05:19:24.955: ISAKMP: Deleting peer node by peer_reap for  
192.1.49.100: 7043EBFC
*Sep 13 05:19:24.955: ISAKMP:(0):Input = IKE_MESG_INTERNAL,  
IKE_PHASE1_DEL
*Sep 13 05:19:24.955: ISAKMP:(0):Old State = IKE_R_AM2  New State =  
IKE_DEST_SA

*Sep 13 05:19:34.735: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Sep 13 05:19:34.735: ISAKMP (0): incrementing error counter on sa,  
attempt 4 of 5: retransmit phase 1
*Sep 13 05:19:34.735: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Sep 13 05:19:34.735: ISAKMP:(0): sending packet to 192.1.49.100  
my_port 500 peer_port 1094 (R) AG_INIT_EXCH
*Sep 13 05:19:34.735: ISAKMP:(0):Sending an IKE IPv4 Packet.
r2#
#--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------#

It looks like an problem withe the isakmp policy to me. What's your  
recommendation to check? TIA.

Have a nice weekend
Simon

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

[OSL | CCIE_Security] Analyzing ISAKMP debug.

Reply via email to