Re: [OSL | CCIE_Security] Analyzing ISAKMP debug.

Kingsley Charles Sat, 12 Sep 2009 07:41:47 -0700

Hi Simon

The following is where the issue starts:


*Sep 13 05:19:23.719: ISAKMP:(0):Input = IKE_MESG_FROM_AAA,
PRESHARED_KEY_REPLY
*Sep 13 05:19:23.719: ISAKMP:(0):Old State = IKE_R_AM_AAA_AWAIT  New
State = IKE_R_AM2
*Sep 13 05:19:23.731: ISAKMP (0): received packet from 192.1.49.100
dport 500 sport 1094 Global (R) AG_INIT_EXCH
*Sep 13 05:19:23.731: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from
192.1.49.100 was not encrypted and it should've been.



It is somewhere near the pre-shared key authentication. Can you please check
for AAA configurations, pre-shared key configuration.

Please send the server configuration and the client side parameters.





With regards
Kings

On Sat, Sep 12, 2009 at 7:05 PM, Simon Baumann <[email protected]>wrote:

> Hi,
> I just tried to configure r2 of my sec pod acting as an IPSec gateway.
> The XP workstation conencts withe the Cisco VPN Client. Here's the
> debug of r2 when trying to connect from XP.
>
>
> #--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
> *Sep 13 05:19:23.527: ISAKMP (0): received packet from 192.1.49.100
> dport 500 sport 1094 Global (N) NEW SA
> *Sep 13 05:19:23.527: ISAKMP: Created a peer struct for 192.1.49.100,
> peer port 1094
> *Sep 13 05:19:23.527: ISAKMP: New peer created peer = 0x70F5D13C
> peer_handle = 0x8000000E
> *Sep 13 05:19:23.527: ISAKMP: Locking peer struct 0x70F5D13C, refcount
> 1 for crypto_isakmp_process_block
> *Sep 13 05:19:23.527: ISAKMP:(0):Setting client config settings 70F5C430
> *Sep 13 05:19:23.527: ISAKMP:(0):(Re)Setting client xauth list  and
> state
> *Sep 13 05:19:23.527: ISAKMP/xauth: initializing AAA request
> *Sep 13 05:19:23.527: ISAKMP: local port 500, remote port 1094
> *Sep 13 05:19:23.527: ISAKMP: Find a dup sa in the avl tree during
> calling isadb_insert sa = 70F6F64C
> *Sep 13 05:19:23.527: ISAKMP:(0): processing SA payload. message ID = 0
> *Sep 13 05:19:23.527: ISAKMP:(0): processing ID payload. message ID = 0
> *Sep 13 05:19:23.527: ISAKMP (0): ID payload
>         next-payload : 13
>         type         : 11
>         group id     : vpnclients
>         protocol     : 17
>         port         : 500
>         length       : 18
> *Sep 13 05:19:23.527: ISAKMP:(0):: peer matches *none* of the profiles
> *Sep 13 05:19:23.527: ISAKMP:(0): processing vendor id payload
> *Sep 13 05:19:23.527: ISAKMP:(0): vendor ID seems Unity/DPD but major
> 215 mismatch
> *Sep 13 05:19:23.527: ISAKMP:(0): vendor ID is XAUTH
> *Sep 13 05:19:23.527: ISAKMP:(0): processing vendor id payload
> *Sep 13 05:19:23.527: ISAKMP:(0): vendor ID is DPD
> *Sep 13 05:19:23.527: ISAKMP:(0): processing vendor id payload
> *Sep 13 05:19:23.527: ISAKMP:(0): processing IKE frag vendor id payload
> *Sep 13 05:19:23.527: ISAKMP:(0):Support for IKE Fragmentation not
> enabled
> *Sep 13 05:19:23.527: ISAKMP:(0): processing vendor id payload
> *Sep 13 05:19:23.527: ISAKMP:(0): vendor ID seems Unity/DPD but major
> 123 mismatch
> *Sep 13 05:19:23.527: ISAKMP:(0): vendor ID is NAT-T v2
> *Sep 13 05:19:23.527: ISAKMP:(0): processing vendor id payload
> *Sep 13 05:19:23.527: ISAKMP:(0): vendor ID is Unity
> *Sep 13 05:19:23.527: ISAKMP:(0): Authentication by xauth preshared
> *Sep 13 05:19:23.527: ISAKMP:(0):Checking ISAKMP transform 1 against
> priority 1 policy
> *Sep 13 05:19:23.527: ISAKMP:      encryption AES-CBC
> *Sep 13 05:19:23.527: ISAKMP:      hash SHA
> *Sep 13 05:19:23.527: ISAKMP:      default group 2
> *Sep 13 05:19:23.527: ISAKMP:      auth XAUTHInitPreShared
> *Sep 13 05:19:23.527: ISAKMP:      life type in seconds
> *Sep 13 05:19:23.527: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.527: ISAKMP:      keylength of 256
> *Sep 13 05:19:23.527: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> *Sep 13 05:19:23.527: ISAKMP:(0):atts are not acceptable. Next payload
> is 3
> *Sep 13 05:19:23.527: ISAKMP:(0):Checking ISAKMP transform 2 against
> priority 1 policy
> *Sep 13 05:19:23.527: ISAKMP:      encryption AES-CBC
> *Sep 13 05:19:23.527: ISAKMP:      hash MD5
> *Sep 13 05:19:23.527: ISAKMP:      default group 2
> *Sep 13 05:19:23.527: ISAKMP:      auth XAUTHInitPreShared
> *Sep 13 05:19:23.527: ISAKMP:      life type in seconds
> *Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.531: ISAKMP:      keylength of 256
> *Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> *Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload
> is 3
> *Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 3 against
> priority 1 policy
> *Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
> *Sep 13 05:19:23.531: ISAKMP:      hash SHA
> *Sep 13 05:19:23.531: ISAKMP:      default group 2
> *Sep 13 05:19:23.531: ISAKMP:      auth pre-share
> *Sep 13 05:19:23.531: ISAKMP:      life type in seconds
> *Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.531: ISAKMP:      keylength of 256
> *Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> *Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload
> is 3
> *Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 4 against
> priority 1 policy
> *Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
> *Sep 13 05:19:23.531: ISAKMP:      hash MD5
> *Sep 13 05:19:23.531: ISAKMP:      default group 2
> *Sep 13 05:19:23.531: ISAKMP:      auth pre-share
> *Sep 13 05:19:23.531: ISAKMP:      life type in seconds
> *Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.531: ISAKMP:      keylength of 256
> *Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> *Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload
> is 3
> *Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 5 against
> priority 1 policy
> *Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
> *Sep 13 05:19:23.531: ISAKMP:      hash SHA
> *Sep 13 05:19:23.531: ISAKMP:      default group 2
> *Sep 13 05:19:23.531: ISAKMP:      auth XAUTHInitPreShared
> *Sep 13 05:19:23.531: ISAKMP:      life type in seconds
> *Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.531: ISAKMP:      keylength of 128
> *Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> *Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload
> is 3
> *Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 6 against
> priority 1 policy
> *Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
> *Sep 13 05:19:23.531: ISAKMP:      hash MD5
> *Sep 13 05:19:23.531: ISAKMP:      default group 2
> *Sep 13 05:19:23.531: ISAKMP:      auth XAUTHInitPreShared
> *Sep 13 05:19:23.531: ISAKMP:      life type in seconds
> *Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.531: ISAKMP:      keylength of 128
> *Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> *Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload
> is 3
> *Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 7 against
> priority 1 policy
> *Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
> *Sep 13 05:19:23.531: ISAKMP:      hash SHA
> *Sep 13 05:19:23.531: ISAKMP:      default group 2
> *Sep 13 05:19:23.531: ISAKMP:      auth pre-share
> *Sep 13 05:19:23.531: ISAKMP:      life type in seconds
> *Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.531: ISAKMP:      keylength of 128
> *Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> *Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload
> is 3
> *Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 8 against
> priority 1 policy
> *Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
> *Sep 13 05:19:23.531: ISAKMP:      hash MD5
> *Sep 13 05:19:23.531: ISAKMP:      default group 2
> *Sep 13 05:19:23.531: ISAKMP:      auth pre-share
> *Sep 13 05:19:23.531: ISAKMP:      life type in seconds
> *Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.531: ISAKMP:      keylength of 128
> *Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> *Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload
> is 3
> *Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 9 against
> priority 1 policy
> *Sep 13 05:19:23.531: ISAKMP:      encryption 3DES-CBC
> *Sep 13 05:19:23.531: ISAKMP:      hash SHA
> *Sep 13 05:19:23.531: ISAKMP:      default group 2
> *Sep 13 05:19:23.531: ISAKMP:      auth XAUTHInitPreShared
> *Sep 13 05:19:23.531: ISAKMP:      life type in seconds
> *Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:2
> r2#3.531: ISAKMP:(0):Encryption algorithm offered does not match policy!
> *Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload
> is 3
> *Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 10 against
> priority 1 policy
> *Sep 13 05:19:23.531: ISAKMP:      encryption 3DES-CBC
> *Sep 13 05:19:23.531: ISAKMP:      hash MD5
> *Sep 13 05:19:23.531: ISAKMP:      default group 2
> *Sep 13 05:19:23.531: ISAKMP:      auth XAUTHInitPreShared
> *Sep 13 05:19:23.531: ISAKMP:      life type in seconds
> *Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> *Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload
> is 3
> *Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 11 against
> priority 1 policy
> *Sep 13 05:19:23.531: ISAKMP:      encryption 3DES-CBC
> *Sep 13 05:19:23.531: ISAKMP:      hash SHA
> *Sep 13 05:19:2 3.531: ISAKMP:      default group 2
> *Sep 13 05:19:23.531: ISAKMP:      auth pre-share
> *Sep 13 05:19:23.531: ISAKMP:      life type in seconds
> *Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> *Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload
> is 3
> *Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 12 against
> priority 1 policy
> *Sep 13 05:19:23.531: ISAKMP:      encryption 3DES-CBC
> *Sep 13 05:19:23.531: ISAKMP:      hash MD5
> *Sep 13 05:19:23.531: ISAKMP:      default group 2
> *Sep 13 05:19:23.531: ISAKMP:      auth pre-share
> *Sep 13 05:19:23.531: ISAKMP:      life type in seconds
> *Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> *Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload
> is 3
> *Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 13 against
> priority 1 policy
> *Sep 13 05:19:23.531: ISAKMP:      encryption DES-CBC
> *Sep 13 05:19:23.531: ISAKMP:      hash MD5
> *Sep 13 05:19:23.531: ISAKMP:      default group 2
> *Sep 13 05:19:23.531: ISAKMP:      auth XAUTHInitPreShared
> *Sep 13 05:19:23.531: ISAKMP:      life type in seconds
> *Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.531: ISAKMP:(0):Hash algorithm offered does not match
> policy!
> *Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload
> is 3
> *Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 14 against
> priority 1 policy
> *Sep 13 05:19:23.531: ISAKMP:      encryption DES-CBC
> *Sep 13 05:19:23.531: ISAKMP:      hash MD5
> *Sep 13 05:19:23.531: ISAKMP:      default group 2
> *Sep 13 05:19:23.531: ISAKMP:      auth pre-share
> *Sep 13 05:19:23.531: ISAKMP:      life type in se
> r2#conds
> *Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.531: ISAKMP:(0):Hash algorithm offered does not match
> policy!
> *Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload
> is 0
> *Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 1 against
> priority 3 policy
> *Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
> *Sep 13 05:19:23.531: ISAKMP:      hash SHA
> *Sep 13 05:19:23.531: ISAKMP:      default group 2
> *Sep 13 05:19:23.531: ISAKMP:      auth XAUTHInitPreShared
> *Sep 13 05:19:23.531: ISAKMP:      life type in seconds
> *Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.531: ISAKMP:      keylength of 256
> *Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> *Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload
> is 3
> *Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 2 against
> priority 3 policy
> *Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
> *Sep 13 05:19:23.531: ISAKMP:      hash MD5
> *Sep 13 05:19:23.531: ISAKMP:      default group 2
> *Sep 13 05:19:23.531: ISAKMP:      auth XAUTHInitPreShared
> *Sep 13 05:19:23.531: ISAKMP:      life type in seconds
> *Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.531: ISAKMP:      keylength of 256
> *Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> *Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload
> is 3
> *Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 3 against
> priority 3 policy
> *Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
> *Sep 13 05:19:23.531: ISAKMP:      hash SHA
> *Sep 13 05:19:23.531: ISAKMP:      default group 2
> *Sep 13 05:19:23.531: ISAKMP:      auth pre-share
> *Sep 13 05:19:23.531: ISAKMP:      life type in seconds
> *Sep 13 05:19:23. 531: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.531: ISAKMP:      keylength of 256
> *Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> *Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload
> is 3
> *Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 4 against
> priority 3 policy
> *Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
> *Sep 13 05:19:23.531: ISAKMP:      hash MD5
> *Sep 13 05:19:23.531: ISAKMP:      default group 2
> *Sep 13 05:19:23.531: ISAKMP:      auth pre-share
> *Sep 13 05:19:23.531: ISAKMP:      life type in seconds
> *Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.531: ISAKMP:      keylength of 256
> *Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> *Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload
> is 3
> *Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 5 against
> priority 3 policy
> *Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
> *Sep 13 05:19:23.531: ISAKMP:      hash SHA
> *Sep 13 05:19:23.531: ISAKMP:      default group 2
> *Sep 13 05:19:23.531: ISAKMP:      auth XAUTHInitPreShared
> *Sep 13 05:19:23.531: ISAKMP:      life type in seconds
> *Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.531: ISAKMP:      keylength of 128
> *Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> *Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload
> is 3
> *Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 6 against
> priority 3 policy
> *Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
> *Sep 13 05:19:23.531: ISAKMP:      hash MD5
> *Sep 13 05:19:23.531: ISAKMP:      default group 2
> *Sep 13 05:19:23.531: ISAKMP:      auth XAUTHInitPreShared
> *Sep 13 05:19:23.531: ISAKMP:      life tyundebupe in seconds
> *Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.531: ISAKMP:      keylength of 128
> *Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> *Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload
> is 3
> *Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 7 against
> priority 3 policy
> *Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
> *Sep 13 05:19:23.531: ISAKMP:      hash SHA
> *Sep 13 05:19:23.531: ISAKMP:      default group 2
> *Sep 13 05:19:23.531: ISAKMP:      auth pre-share
> *Sep 13 05:19:23.531: ISAKMP:      life type in seconds
> *Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.531: ISAKMP:      keylength of 128
> *Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> g all13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload
> is 3
> All possible debugging has been turned off
> r2#
> *Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 8 against
> priority 3 policy
> *Sep 13 05:19:23.531: ISAKMP:      encryption AES-CBC
> *Sep 13 05:19:23.531: ISAKMP:      hash MD5
> *Sep 13 05:19:23.531: ISAKMP:      default group 2
> *Sep 13 05:19:23.531: ISAKMP:      auth pre-share
> *Sep 13 05:19:23.531: ISAKMP:      life type in seconds
> *Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.531: ISAKMP:      keylength of 128
> *Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> *Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload
> is 3
> *Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 9 against
> priority 3 policy
> *Sep 13 05:19:23.531: ISAKMP:      encryption 3DES-CBC
> *Sep 13 05:19:23.531: ISAKMP:      hash SHA
> *Sep 13 05:19:23.531: ISAKMP:      default group 2
> *Sep 13 05:19:23.531: ISAKMP:      auth XAUTHInitPreShared
> *Sep 13 05:19:23.531: ISAKMP:      life type in seconds
> *Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> *Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload
> is 3
> *Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 10 against
> priority 3 policy
> *Sep 13 05:19:23.531: ISAKMP:      encryption 3DES-CBC
> *Sep 13 05:19:23.531: ISAKMP:      hash MD5
> *Sep 13 05:19:23.531: ISAKMP:      default group 2
> *Sep 13 05:19:23.531: ISAKMP:      auth XAUTHInitPreShared
> *Sep 13 05:19:23.531: ISAKMP:      life type in seconds
> *Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> *Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload
> is 3
> *Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 11 against
> priority 3 policy
> *Sep 13 05:19:23.531: ISAKMP:      encryption 3DES-CBC
> *Sep 13 05:19:23.531: ISAKMP:      hash SHA
> *Sep 13 05:19:23.531: ISAKMP:      default group 2
> *Sep 13 05:19:23.531: ISAKMP:      auth pre-share
> *Sep 13 05:19:23.531: ISAKMP:      life type in seconds
> *Sep 13 05:19:23.531: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> *Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload
> is 3
> *Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 12 against
> priority 3 policy
> *Sep 13 05:19:23.531: ISAKMP:      encryption 3DES-CBC
> *Sep 13 05:19:23.531: ISAKMP:      hash MD5
> *Sep 13 05:19:23.535: ISAKMP:      default group 2
> *Sep 13 05:19:23.535: ISAKMP:      auth pre-share
> *Sep 13 05:19:23.535: ISAKMP:      life type in seconds
> *Sep 13 05:19:23.535: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.535: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> *Sep 13 05:19:23.535: ISAKMP:(0):atts are not acceptable. Next payload
> is 3
> *Sep 13 05:19:23.535: ISAKMP:(0):Checking ISAKMP transform 13 against
> priority 3 policy
> *Sep 13 05:19:23.535: ISAKMP:      encryption DES-CBC
> *Sep 13 05:19:23.535: ISAKMP:      hash MD5
> *Sep 13 05:19:23.535: ISAKMP:      default group 2
> *Sep 13 05:19:23.535: ISAKMP:      auth XAUTHInitPreShared
> *Sep 13 05:19:23.535: ISAKMP:      life type in seconds
> *Sep 13 05:19:23.535: ISAKMP:      life duration (VPI) of  0x0 0x20
> 0xC4 0x9B
> *Sep 13 05:19:23.535: ISAKMP:(0):atts are acceptable. Next payload is 3
> *Sep 13 05:19:23.535: ISAKMP:(0):Acceptable atts:actual life: 86400
> *Sep 13 05:19:23.535: ISAKMP:(0):Acceptable atts:life: 0
> *Sep 13 05:19:23.535: ISAKMP:(0):Fill atts in sa vpi_length:4
> *Sep 13 05:19:23.535: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
> *Sep 13 05:19:23.535: ISAKMP:(0):Returning Actual lifetime: 86400
> *Sep 13 05:19:23.535: ISAKMP:(0)::Started lifetime timer: 86400.
>
> *Sep 13 05:19:23.535: ISAKMP:(0): processing KE payload. message ID = 0
> *Sep 13 05:19:23.551: ISAKMP:(0): processing NONCE payload. message ID
> = 0
> *Sep 13 05:19:23.551: ISAKMP:(0): vendor ID is NAT-T v2
> *Sep 13 05:19:23.551: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
> *Sep 13 05:19:23.551: ISAKMP:(0):Old State = IKE_READY  New State =
> IKE_R_AM_AAA_AWAIT
>
> *Sep 13 05:19:23.719: ISAKMP:(0): constructed NAT-T vendor-02 ID
> *Sep 13 05:19:23.719: ISAKMP:(0):SA is doing pre-shared key
> authentication plus XAUTH using id type ID_FQDN
> *Sep 13 05:19:23.719: ISAKMP (0): ID payload
>         next-payload : 10
>         type         : 2
>         FQDN name    : r2
>         protocol     : 0
>         port         : 0
>         length       : 10
> *Sep 13 05:19:23.719: ISAKMP:(0):Total payload length: 10
> *Sep 13 05:19:23.719: ISAKMP:(0): sending packet to 192.1.49.100
> my_port 500 peer_port 1094 (R) AG_INIT_EXCH
> *Sep 13 05:19:23.719: ISAKMP:(0):Sending an IKE IPv4 Packet.
> *Sep 13 05:19:23.719: ISAKMP:(0):Input = IKE_MESG_FROM_AAA,
> PRESHARED_KEY_REPLY
> *Sep 13 05:19:23.719: ISAKMP:(0):Old State = IKE_R_AM_AAA_AWAIT  New
> State = IKE_R_AM2
>
> *Sep 13 05:19:23.731: ISAKMP (0): received packet from 192.1.49.100
> dport 500 sport 1094 Global (R) AG_INIT_EXCH
> *Sep 13 05:19:23.731: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from
> 192.1.49.100 was not encrypted and it should've been.
> *Sep 13 05:19:23.735: ISAKMP (0): incrementing error counter on sa,
> attempt 1 of 5: reset_retransmission
> *Sep 13 05:19:23.735: ISAKMP (0): received packet from 192.1.49.100
> dport 500 sport 1094 Global (R) AG_INIT_EXCH
> *Sep 13 05:19:23.735: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from
> 192.1.49.100 was not encrypted and it should've been.
> *Sep 13 05:19:23.735: ISAKMP (0): incrementing error counter on sa,
> attempt 2 of 5: reset_retransmission
> *Sep 13 05:19:24.735: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
> *Sep 13 05:19:24.735: ISAKMP (0): incrementing error counter on sa,
> attempt 3 of 5: retransmit phase 1
> *Sep 13 05:19:24.735: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
> *Sep 13 05:19:24.735: ISAKMP:(0): sending packet to 192.1.49.100
> my_port 500 peer_port 1094 (R) AG_INIT_EXCH
> *Sep 13 05:19:24.735: ISAKMP:(0):Sending an IKE IPv4 Packet.
> *Sep 13 05:19:24.955: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
> *Sep 13 05:19:24.955: ISAKMP:(0):peer does not do paranoid keepalives.
>
> *Sep 13 05:19:24.955: ISAKMP:(0):deleting SA reason "Death by
> retransmission P1" state (R) AG_INIT_EXCH (peer 192.1.49.100)
> *Sep 13 05:19:24.955: ISAKMP:(0):deleting SA reason "Death by
> retransmission P1" state (R) AG_INIT_EXCH (peer 192.1.49.100)
> *Sep 13 05:19:24.955: ISAKMP: Unlocking peer struct 0x7043EBFC for
> isadb_mark_sa_deleted(), count 0
> *Sep 13 05:19:24.955: ISAKMP: Deleting peer node by peer_reap for
> 192.1.49.100: 7043EBFC
> *Sep 13 05:19:24.955: ISAKMP:(0):Input = IKE_MESG_INTERNAL,
> IKE_PHASE1_DEL
> *Sep 13 05:19:24.955: ISAKMP:(0):Old State = IKE_R_AM2  New State =
> IKE_DEST_SA
>
> *Sep 13 05:19:34.735: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
> *Sep 13 05:19:34.735: ISAKMP (0): incrementing error counter on sa,
> attempt 4 of 5: retransmit phase 1
> *Sep 13 05:19:34.735: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
> *Sep 13 05:19:34.735: ISAKMP:(0): sending packet to 192.1.49.100
> my_port 500 peer_port 1094 (R) AG_INIT_EXCH
> *Sep 13 05:19:34.735: ISAKMP:(0):Sending an IKE IPv4 Packet.
> r2#
>
> #--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
>
> It looks like an problem withe the isakmp policy to me. What's your
> recommendation to check? TIA.
>
> Have a nice weekend
> Simon
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Re: [OSL | CCIE_Security] Analyzing ISAKMP debug.

Reply via email to