aaa new-model
aaa authentication login default none
aaa authentication login XAUTH local
aaa authorization network EZ_POL local

crypto isakmp profile ISA_PROF
 match identity group CCIE
 client authentication list XAUTH
 isakmp authorization list EZ_POL
 client configuration address respond
 virtual-template 2

Terry Little
(425) 894-4109 (m)
(425) 468-1057 (o)

From: Brandon Carroll [mailto:[email protected]]
Sent: Wednesday, March 31, 2010 5:12 PM
To: Terry Little (terlittl)
Cc: CCIE Sec
Subject: Re: [OSL | CCIE_Security] EZ-VPN w/PKI (lab4a sec. 4.6)

What does your aaa and your isakmp profile look like?

Regards,
Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

On Mar 31, 2010, at 5:00 PM, Terry Little (terlittl) wrote:

Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T2, RELEASE SOFTWARE (fc2)

Terry Little
(425) 894-4109 (m)
(425) 468-1057 (o)

From: Brandon Carroll [mailto:[email protected]]
Sent: Wednesday, March 31, 2010 5:00 PM
To: Terry Little (terlittl)
Cc: CCIE Sec
Subject: Re: [OSL | CCIE_Security] EZ-VPN w/PKI (lab4a sec. 4.6)

Terry,

What code is R4 running?
Regards,
Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert

On Mar 31, 2010, at 4:54 PM, Terry Little (terlittl) wrote:

I am trying to get the EZVPN with PKI to work, and when I try a test from the test PC, I am able to get the VPN client enrolled and had no trouble getting the router enrolled. The problem starts when I try to connect to the router with the VPN client. I am getting the following error in the logs on the router:

Mar 31 18:17:02.583: ISAKMP (1007): process_rsa_sig: Querying key pair failed.

Any advice on this would be appreciated. The whole section is:

Mar 31 18:17:00.931: ISAKMP:(0):atts are acceptable. Next payload is 3
Mar 31 18:17:00.931: ISAKMP:(0):Acceptable atts:actual life: 86400
Mar 31 18:17:00.931: ISAKMP:(0):Acceptable atts:life: 0
Mar 31 18:17:00.931: ISAKMP:(0):Fill atts in sa vpi_length:4
Mar 31 18:17:00.931: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
Mar 31 18:17:00.931: ISAKMP:(0):Returning Actual lifetime: 86400
Mar 31 18:17:00.931: ISAKMP:(0)::Started lifetime timer: 86400.
Mar 31 18:17:00.931: ISAKMP:(0): vendor ID is NAT-T v2
Mar 31 18:17:00.931: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 31 18:17:00.931: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Mar 31 18:17:00.935: ISAKMP:(0): constructed NAT-T vendor-02 ID
Mar 31 18:17:00.935: ISAKMP:(0): sending packet to 8.9.2.200 my_port 500 peer_port 1113 (R) MM_SA_SETUP
Mar 31 18:17:00.935: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 31 18:17:00.935: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 31 18:17:00.935: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
Mar 31 18:17:01.027: ISAKMP (0): received packet from 8.9.2.200 dport 500 sport 1113 Global (R) MM_SA_SETUP
Mar 31 18:17:01.027: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 31 18:17:01.027: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
Mar 31 18:17:01.367: ISAKMP:(1007):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 31 18:17:01.367: ISAKMP:(1007):Old State = IKE_R_MM5 New State = IKE_R_MM5
Mar 31 18:17:01.367: ISAKMP (1007): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Mar 31 18:17:01.367: ISAKMP:(1007):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Mar 31 18:17:01.367: ISAKMP:(1007):Old State = IKE_R_MM5 New State = IKE_R_MM4
Mar 31 18:17:02.367: ISAKMP:(1007): retransmitting phase 1 MM_KEY_EXCH...
Mar 31 18:17:02.367: ISAKMP (1007): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Mar 31 18:17:02.567: ISAKMP (1007): received packet from 8.9.2.200 dport 500 sport 1113 Global (R) MM_KEY_EXCH
Mar 31 18:17:02.571: ISAKMP:(1007):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 31 18:17:02.571: ISAKMP:(1007):Old State = IKE_R_MM4 New State = IKE_R_MM5
Mar 31 18:17:02.571: ISAKMP:(1007): processing CERT payload. message ID = 0
Mar 31 18:17:02.571: ISAKMP:(1007): processing a CT_X509_SIGNATURE cert
Mar 31 18:17:02.571: ISAKMP:(1007): peer's pubkey isn't cached
Mar 31 18:17:02.579: ISAKMP:(1007): OU = CCIE
Mar 31 18:17:02.579: ISAKMP:(1007):Profile has no keyring, aborting key search
Mar 31 18:17:02.583: ISAKMP (1007): process_rsa_sig: Querying key pair failed.
Mar 31 18:17:02.583: ISAKMP:(1007):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 31 18:17:02.583: ISAKMP:(1007):Old State = IKE_R_MM5 New State = IKE_R_MM5
Mar 31 18:17:02.587: ISAKMP (1007): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Mar 31 18:17:02.587: ISAKMP:(1007):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Mar 31 18:17:02.587: ISAKMP:(1007):Old State = IKE_R_MM5 New State = IKE_R_MM4
Mar 31 18:17:03.587: ISAKMP:(1007): retransmitting phase 1 MM_KEY_EXCH...
Mar 31 18:17:03.587: ISAKMP (1007): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Mar 31 18:17:03.587: ISAKMP:(1007): retransmitting phase 1 MM_KEY_EXCH
Mar 31 18:17:03.587: ISAKMP:(1007): sending packet to 8.9.2.200 my_port 500 peer_port 1113 (R) MM_KEY_EXCH
Mar 31 18:17:03.587: ISAKMP:(1007):Sending an IKE IPv4 Packet.
Mar 31 18:17:03.787: ISAKMP (1007): received packet from 8.9.2.200 dport 500 sport 1113 Global (R) MM_KEY_EXCH
Mar 31 18:17:03.791: ISAKMP:(1007):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 31 18:17:03.803: ISAKMP (1007): process_rsa_sig: Querying key pair failed.
Mar 31 18:17:03.803: ISAKMP:(1007):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 31 18:17:03.803: ISAKMP:(1007):Old State = IKE_R_MM5 New State = IKE_R_MM5
Mar 31 18:17:03.807: ISAKMP (1007): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Mar 31 18:17:03.807: ISAKMP:(1007):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Mar 31 18:17:03.807: ISAKMP:(1007):Old State = IKE_R_MM5 New State = IKE_R_MM4
Mar 31 18:17:05.023: ISAKMP (1007): process_rsa_sig: Querying key pair failed.
Mar 31 18:17:05.023: ISAKMP:(1007):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 31 18:17:05.023: ISAKMP:(1007):Old State = IKE_R_MM5 New State = IKE_R_MM5
Mar 31 18:17:05.023: ISAKMP (1007): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Mar 31 18:17:05.027: ISAKMP:(1007):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Mar 31 18:17:05.027: ISAKMP:(1007):Old State = IKE_R_MM5 New State = IKE_R_MM4
Mar 31 18:17:06.023: ISAKMP:(1007): retransmitting phase 1 MM_KEY_EXCH...
Mar 31 18:17:06.091: ISAKMP: Info Notify message requeue retry counter exceeded sa request from 8.9.2.200 to 8.9.50.4.
Mar 31 18:17:16.023: ISAKMP:(1007): retransmitting phase 1 MM_KEY_EXCH...
Mar 31 18:17:16.023: ISAKMP (1007): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Mar 31 18:17:16.023: ISAKMP:(1007): retransmitting phase 1 MM_KEY_EXCH
Mar 31 18:17:16.023: ISAKMP:(1007): sending packet to 8.9.2.200 my_port 500 peer_port 1113 (R) MM_KEY_EXCH
Mar 31 18:17:16.023: ISAKMP:(1007):Sending an IKE IPv4 Packet.
Mar 31 18:17:26.023: ISAKMP:(1007): retransmitting phase 1 MM_KEY_EXCH...
Mar 31 18:17:26.023: ISAKMP (1007): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Mar 31 18:17:26.023: ISAKMP:(1007): retransmitting phase 1 MM_KEY_EXCH
Mar 31 18:17:26.023: ISAKMP:(1007): sending packet to 8.9.2.200 my_port 500 peer_port 1113 (R) MM_KEY_EXCH
Mar 31 18:17:26.023: ISAKMP:(1007):Sending an IKE IPv4 Packet.
Mar 31 18:17:36.023: ISAKMP:(1007): retransmitting phase 1 MM_KEY_EXCH...
Mar 31 18:17:36.023: ISAKMP (1007): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Mar 31 18:17:36.023: ISAKMP:(1007): retransmitting phase 1 MM_KEY_EXCH
Mar 31 18:17:36.023: ISAKMP:(1007): sending packet to 8.9.2.200 my_port 500 peer_port 1113 (R) MM_KEY_EXCH
Mar 31 18:17:36.023: ISAKMP:(1007):Sending an IKE IPv4 Packet.
R4(config)#
R4(config)#
Mar 31 18:17:46.023: ISAKMP:(1007): retransmitting phase 1 MM_KEY_EXCH...
Mar 31 18:17:46.023: ISAKMP:(1007):peer does not do paranoid keepalives.
Mar 31 18:17:46.023: ISAKMP:(1007):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 8.9.2.200)
Mar 31 18:17:46.023: ISAKMP:(1007):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 8.9.2.200)
Mar 31 18:17:46.023: ISAKMP: Unlocking peer struct 0x4AC141F8 for isadb_mark_sa_deleted(), count 0
Mar 31 18:17:46.023: ISAKMP: Deleting peer node by peer_reap for 8.9.2.200: 4AC141F8
Mar 31 18:17:46.023: ISAKMP:(1007):deleting node -1145014546 error FALSE reason "IKE deleted"
R4(config)#
Mar 31 18:17:46.023: ISAKMP:(1007):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar 31 18:17:46.023: ISAKMP:(1007):Old State = IKE_R_MM4 New State = IKE_DEST_SA
Mar 31 18:17:46.027: IPSEC(key_engine): got a queue event with 1 KMI message(s)
R4(config)#
Mar 31 18:18:36.023: ISAKMP:(1007):purging node -1145014546
R4(config)#
Mar 31 18:18:46.023: ISAKMP:(1007):purging SA., sa=498BDBF0, delme=498BDBF0

Terry Little
[email protected]
Phone: +1 425 468 1057
Mobile: +1 425 894 4109
Cisco Systems, Inc.
Network Consulting Engineer
World Wide Security Services Practice
Cisco.com - http://www.cisco.com

This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message. For corporate legal information go to: http://www.cisco.com/web/about/doing_business/legal/cri/index.html

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
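As an added example (not part of the thread), a small Python helper that groups R4-style ISAKMP debug lines per SA id and reports whether Phase 1 died after a local keyring/profile diagnostic, which is the pattern in the capture above: "Profile has no keyring, aborting key search" is logged just before each "process_rsa_sig: Querying key pair failed", and the SA is finally deleted with "Death by retransmission P1". The sample log is a constructed excerpt, and the classification labels are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample (not the thread's full capture): key lines modelled on R4's debug output above.
SAMPLE_LOG = """\
Mar 31 18:17:02.571: ISAKMP:(1007): processing a CT_X509_SIGNATURE cert
Mar 31 18:17:02.579: ISAKMP:(1007):Profile has no keyring, aborting key search
Mar 31 18:17:02.583: ISAKMP (1007): process_rsa_sig: Querying key pair failed.
Mar 31 18:17:02.587: ISAKMP:(1007):Old State = IKE_R_MM5 New State = IKE_R_MM4
Mar 31 18:17:36.023: ISAKMP (1007): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Mar 31 18:17:46.023: ISAKMP:(1007):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 8.9.2.200)
Mar 31 18:17:46.023: ISAKMP:(1007):Old State = IKE_R_MM4 New State = IKE_DEST_SA
"""

# IOS writes the SA id as "ISAKMP:(1007):" or "ISAKMP (1007):"; lines without an id are skipped.
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d+ [\d:.]+): ISAKMP[: ]\((?P<sa>\d+)\):? ?(?P<msg>.*)$")
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)" .*\(peer (\S+)\)')
ATTEMPT_RE = re.compile(r"attempt (\d+) of (\d+)")
# Diagnostic that, in this capture, precedes the RSA-sig failure and names its cause.
ROOT_CAUSE = "Profile has no keyring, aborting key search"

def analyse(log_text):
    """Group ISAKMP debug lines per SA id and record states, RSA-sig failures and outcome."""
    sas = defaultdict(lambda: {"states": [], "root_cause": None, "rsa_sig_failures": 0,
                               "max_attempt": 0, "outcome": None, "peer": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sa, msg = sas[m["sa"]], m["msg"]
        if s := STATE_RE.search(msg):
            sa["states"].append((s.group(1), s.group(2)))
        if a := ATTEMPT_RE.search(msg):
            sa["max_attempt"] = max(sa["max_attempt"], int(a.group(1)))
        if "Querying key pair failed" in msg:
            sa["rsa_sig_failures"] += 1
        if ROOT_CAUSE in msg and sa["root_cause"] is None:
            sa["root_cause"] = ROOT_CAUSE
        if d := DELETE_RE.search(msg):
            sa["outcome"], sa["peer"] = d.group(1), d.group(2)
    return dict(sas)

def classify(sa):
    """'local-pki' when the SA died after the keyring/profile diagnostic, 'retransmission'
    when it died without one, 'ok' when it was never deleted (labels are this example's own)."""
    if sa["outcome"] is None:
        return "ok"
    return "local-pki" if sa["root_cause"] else "retransmission"
```

Running `analyse(SAMPLE_LOG)` and `classify()` on the result labels SA 1007 as "local-pki", which separates a configuration problem on the responder from a peer that simply stopped answering.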
