Hi,
I changed the static route as suggested by Piotr. Packets are still not being
encrypted and decrypted. Below is the output:
R3#ping 1.1.1.1 source lo3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
Oct 10 10:20:27.299: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 20.1.1.1, remote= 10.1.1.1,
local_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Oct 10 10:20:27.307: ISAKMP:(0): SA request profile is (NULL)
Oct 10 10:20:27.307: ISAKMP: Created a peer struct for 10.1.1.1, peer port
500
Oct 10 10:20:27.307: ISAKMP: New peer created peer = 0x66161B68 peer_handle
= 0x80000006
Oct 10 10:20:27.307: ISAKMP: Locking peer struct 0x66161B68, refcount 1 for
isakmp_initiator
Oct 10 10:20:27.311: ISAKMP: local port 500, remote port 500
Oct 10 10:20:27.311: ISAKMP: set new node 0 to QM_IDLE
Oct 10 10:20:27.311: insert sa successfully sa = 66BDF730
Oct 10 10:20:27.311: ISAKMP:(0):Can not start Aggressive mode, trying Main
mode.
Oct 10 10:20:27.315: ISAKMP:(0):No pre-shared key with 10.1.1.1!
Oct 10 10:20:27.315: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Oct 10 10:20:27.319: ISAKMP:(0): constructed NAT-T vendor-07 ID
Oct 10 10:20:27.319: ISAKMP:(0): constructed NAT-T vendor-03 ID
Oct 10 10:20:27.319: ISAKMP:(0): constructed NAT-T vendor-02 ID
Oct 10 10:20:27.319: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Oct 10 10:20:27.323: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Oct 10 10:20:27.323: ISAKMP:(0): beginning Main Mode exchange
Oct 10 10:20:27.323: ISAKMP:(0): sending packet to 10.1.1.1 my_port 500
peer_port 500 (I) MM_NO_STATE
Oct 10 10:20:27.327: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 10 10:20:27.695: ISAKMP (0:0): received packet from 10.1.1.1 dport 500
sport 500 Global (I) MM_NO_STATE
Oct 10 10:20:27.699: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 10 10:20:27.699: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Oct 10 10:20:27.707: ISAKMP:(0): processing SA payload. message ID = 0
Oct 10 10:20:27.707: ISAKMP:(0): processing vendor id payload
Oct 10 10:20:27.707: ISAKMP:(0): vendor ID seems Unity/DPD but major 69
mismatch
Oct 10 10:20:27.707: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Oct 10 10:20:27.711: ISAKMP : Scanning profiles for xauth ...
Oct 10 10:20:27.711: ISAKMP:(0):Checking ISAKMP transform 1 against priority
10 policy
Oct 10 10:20:27.711: ISAKMP: encryption AES-CBC
Oct 10 10:20:27.711: ISAKMP: keylength of 128
Oct 10 10:20:27.711: ISAKMP: hash SHA
Oct 10 10:20:27.715: ISAKMP: default group 2
Oct 10 10:20:27.715: ISAKMP: auth RSA sig
Oct 10 10:20:27.715: ISAKMP: life type in seconds
Oct 10 10:20:27.715: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Oct 10 10:20:27.719: ISAKMP:(0):atts are acceptable. Next payload is 0
Oct 10 10:20:27.719: ISAKMP:(0):Acceptable atts:actual life: 0
Oct 10 10:20:27.719: ISAKMP:(0):Acceptable atts:life: 0
Oct 10 10:20:27.719: ISAKMP:(0):Fill atts. in sa vpi_length:4
Oct 10 10:20:27.723: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Oct 10 10:20:27.723: ISAKMP:(0):Returning Actual lifetime: 86400
Oct 10 10:20:27.723: ISAKMP:(0)::Started lifetime timer: 86400.
Oct 10 10:20:27.723: ISAKMP:(0): processing vendor id payload
Oct 10 10:20:27.723: ISAKMP:(0): vendor ID seems Unity/DPD but major 69
mismatch
Oct 10 10:20:27.727: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Oct 10 10:20:27.727: ISAKMP:(0):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
Oct 10 10:20:27.727: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Oct 10 10:20:27.739: ISAKMP (0:0): constructing CERT_REQ for issuer cn=R2 CA
Server,l=London,st=MI
Oct 10 10:20:27.743: ISAKMP:(0): sending packet to 10.1.1.1 my_port 500
peer_port 500 (I) MM_SA_SETUP
Oct 10 10:20:27.743: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 10 10:20:27.747: ISAKMP:(0):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE
Oct 10 10:20:27.747: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Oct 10 10:20:28.239: ISAKMP (0:0): received packet from 10.1.1.1 dport 500
sport 500 Global (I) MM_SA_SETUP
Oct 10 10:20:28.243: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 10 10:20:28.243: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Oct 10 10:20:28.247: ISAKMP:(0): processing KE payload. message ID = 0
Oct 10 10:20:28.335: ISAKMP:(0): processing NONCE payload. message ID = 0
Oct 10 10:20:28.339: ISAKMP:(1005): processing CERT_REQ payload. message ID
= 0
Oct 10 10:20:28.339: ISAKMP:(1005): peer wants a CT_X509_SIGNATURE cert
Oct 10 10:20:28.343: ISAKMP:(1005): peer wants cert issued by cn=R2 CA
Server,l=London,st=MI
Oct 10 10:20:28.343: ISAKMP:(1005): issuer name is not a trusted root.
Oct 10 10:20:28.347: ISAKMP:(1005): processing vendor id payload
Oct 10 10:20:28.347: ISAKMP:(1005): vendor ID is Unity
Oct 10 10:20:28.347: ISAKMP:(1005): processing vendor id payload
Oct 10 10:20:28.347: ISAKMP:(1005): vendor ID is DPD
Oct 10 10:20:28.351: ISAKMP:(1005): processing vendor id payload
Oct 10 10:20:28.351: ISAKMP:(1005): speaking to another IOS box!
Oct 10 10:20:28.351: ISAKMP:received payload type 20
Oct 10 10:20:28.351: ISAKMP:received payload type 20
Oct 10 10:20:28.355: ISAKMP:(1005):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
Oct 10 10:20:28.355: ISAKMP:(1005):Old State = IKE_I_MM4 New State =
IKE_I_MM4
Oct 10 10:20:28.415: ISAKMP:(1005):Send initial contact
Oct 10 10:20:28.415: ISAKMP:(1005):Unable to get router cert or routerdoes
not have a cert: needed to find DN!
Oct 10 10:20:28.415: ISAKMP(0:1005): Unable to get our DN from cert, using
my FQDN as identity
Oct 10 10:20:28.419: ISAKMP:(1005):SA is doing RSA signature authentication
using id type ID_FQDN
Oct 10 10:20:28.419: ISAKMP (0:1005): ID payload
next-payload : 6
type : 2
FQDN name : R3
protocol : 17
port : 500
length : 10
Oct 10 10:20:28.423: ISAKMP:(1005):Total payload length: 10
Oct 10 10:20:28.423: ISAKMP:(1005): no valid cert found to return
Oct 10 10:20:28.423: ISAKMP: set new node 645628590 to QM_IDLE
Oct 10 10:20:28.427: ISAKMP:(1005):Sending NOTIFY CERTIFICATE_UNAVAILABLE
protocol 1
spi 0, message ID = 645628590
Oct 10 10:20:28.431: ISAKMP:(1005): sending packet to 10.1.1.1 my_port 500
peer_port 500 (I) MM_KEY_EXCH
Oct 10 10:20:28.431: ISAKMP:(1005):Sending an IKE IPv4 Packet.
Oct 10 10:20:28.431: ISAKMP:(1005):purging node 645628590
Oct 10 10:20:28.435: ISAKMP (0:1005): FSM action returned error: 2
Oct 10 10:20:28.435: ISAKMP:(1005):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE
Oct 10 10:20:28.435: ISAKMP:(1005):Old State = IKE_I_MM4 New State =
IKE_I_MM5
..
Success rate is 0 percent (0/5)
R3#
Oct 10 10:20:37.744: ISAKMP:(1005): no outgoing phase 1 packet to
retransmit. MM_KEY_EXCH
Oct 10 10:20:38.136: ISAKMP (0:1005): received packet from 10.1.1.1 dport
500 sport 500 Global (I) MM_KEY_EXCH
Oct 10 10:20:38.136: ISAKMP:(1005): phase 1 packet is a duplicate of a
previous packet.
Oct 10 10:20:38.136: ISAKMP:(1005): retransmitting due to retransmit phase 1
Oct 10 10:20:38.140: ISAKMP:(1005): no outgoing phase 1 packet to
retransmit. MM_KEY_EXCH
Oct 10 10:20:48.148: ISAKMP (0:1005): received packet from 10.1.1.1 dport
500 sport 500 Global (I) MM_KEY_EXCH
Oct 10 10:20:48.148: ISAKMP:(1005): phase 1 packet is a duplicate of a
previous packet.
Oct 10 10:20:48.148: ISAKMP:(1005): retransmitting due to retransmit phase 1
Oct 10 10:20:48.152: ISAKMP:(1005): no outgoing phase 1 packet to
retransmit. MM_KEY_EXCH
Oct 10 10:20:57.300: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 20.1.1.1, remote= 10.1.1.1,
local_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1)
Oct 10 10:20:57.304: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 20.1.1.1, remote= 10.1.1.1,
local_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Oct 10 10:20:57.308: ISAKMP: set new node 0 to QM_IDLE
Oct 10 10:20:57.312: ISAKMP:(1005):SA is still budding. Attached new ipsec
request to it. (local 20.1.1.1, remote 10.1.1.1)
Oct 10 10:20:57.312: ISAKMP: Error while processing SA request: Failed to
initialize SA
Oct 10 10:20:57.312: ISAKMP: Error while processing KMI message 0, error 2.
Oct 10 10:20:58.152: ISAKMP (0:1005): received packet from 10.1.1.1 dport
500 sport 500 Global (I) MM_KEY_EXCH
Oct 10 10:20:58.156: ISAKMP:(1005): phase 1 packet is a duplicate of a
previous packet.
Oct 10 10:20:58.156: ISAKMP:(1005): retransmitting due to retransmit phase 1
Oct 10 10:20:58.156: ISAKMP:(1005): no outgoing phase 1 packet to
retransmit. MM_KEY_EXCH
Oct 10 10:21:08.153: ISAKMP (0:1005): received packet from 10.1.1.1 dport
500 sport 500 Global (I) MM_KEY_EXCH
Oct 10 10:21:08.157: ISAKMP:(1005): phase 1 packet is a duplicate of a
previous packet.
Oct 10 10:21:08.157: ISAKMP:(1005): retransmitting due to retransmit phase 1
Oct 10 10:21:08.157: ISAKMP:(1005): no outgoing phase 1 packet to
retransmit. MM_KEY_EXCH
Oct 10 10:21:18.138: ISAKMP (0:1005): received packet from 10.1.1.1 dport
500 sport 500 Global (I) MM_KEY_EXCH
Oct 10 10:21:18.138: ISAKMP:(1005): phase 1 packet is a duplicate of a
previous packet.
Oct 10 10:21:18.138: ISAKMP:(1005): retransmitting due to retransmit phase 1
Oct 10 10:21:18.142: ISAKMP:(1005): no outgoing phase 1 packet to
retransmit. MM_KEY_EXCH
Oct 10 10:21:27.302: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 20.1.1.1, remote= 10.1.1.1,
local_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1)
Oct 10 10:21:42.315: ISAKMP: quick mode timer expired.
Oct 10 10:21:42.315: ISAKMP:(1005):src 20.1.1.1 dst 10.1.1.1, SA is not
authenticated
Oct 10 10:21:42.315: ISAKMP:(1005):peer does not do paranoid keepalives.
Oct 10 10:21:42.319: ISAKMP:(1005):deleting SA reason "QM_TIMER expired"
state (I) MM_KEY_EXCH (peer 10.1.1.1)
Oct 10 10:21:42.323: ISAKMP:(1005):deleting SA reason "QM_TIMER expired"
state (I) MM_KEY_EXCH (peer 10.1.1.1)
Oct 10 10:21:42.323: ISAKMP: Unlocking peer struct 0x66161B68 for
isadb_mark_sa_deleted(), count 0
Oct 10 10:21:42.327: ISAKMP: Deleting peer node by peer_reap for 10.1.1.1:
66161B68
Oct 10 10:21:42.327: ISAKMP:(1005):deleting node -723389659 error FALSE
reason "IKE deleted"
Oct 10 10:21:42.327: ISAKMP:(1005):deleting node 467977890 error FALSE
reason "IKE deleted"
Oct 10 10:21:42.331: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Oct 10 10:21:42.331: ISAKMP:(1005):Old State = IKE_I_MM5 New State =
IKE_DEST_SA
Oct 10 10:21:42.335: IPSEC(key_engine): got a queue event with 1 KMI
message(s)^Z
R3#un all
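An added example (my own, not from the thread) that walks lines in the format of the `debug crypto isakmp` output above and summarises the main-mode attempt: the state path, the negotiated authentication method, and which failure signatures fired. The embedded lines are a constructed subset of the capture, re-joined where the mail client wrapped them.

```python
import re

# Constructed sample in the format of the "debug crypto isakmp" capture above
# (a few of its lines, re-joined where the mail client wrapped them).
SAMPLE_DEBUG = """\
Oct 10 10:20:27.315: ISAKMP:(0):No pre-shared key with 10.1.1.1!
Oct 10 10:20:27.323: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Oct 10 10:20:27.715: ISAKMP: auth RSA sig
Oct 10 10:20:28.243: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Oct 10 10:20:28.415: ISAKMP:(1005):Unable to get router cert or routerdoes not have a cert: needed to find DN!
Oct 10 10:20:28.423: ISAKMP:(1005): no valid cert found to return
Oct 10 10:20:28.427: ISAKMP:(1005):Sending NOTIFY CERTIFICATE_UNAVAILABLE protocol 1
Oct 10 10:20:28.435: ISAKMP:(1005):Old State = IKE_I_MM4 New State = IKE_I_MM5
Oct 10 10:21:42.319: ISAKMP:(1005):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer 10.1.1.1)
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
AUTH_RE = re.compile(r"ISAKMP:\s+auth (.+)$")
# Substrings that identify a concrete phase-1 failure cause.
SIGNATURES = {
    "no_local_cert": ("Unable to get router cert", "no valid cert found"),
    "cert_unavailable": ("CERTIFICATE_UNAVAILABLE",),
    "no_psk": ("No pre-shared key",),
    "qm_timer_expired": ("QM_TIMER expired",),
}

def analyze_isakmp_debug(text):
    # Walk the capture once: state path, negotiated auth method, signature hits.
    states = []
    auth = None
    hits = {k: 0 for k in SIGNATURES}
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            for s in m.groups():
                if not states or s != states[-1]:
                    states.append(s)
        if m := AUTH_RE.search(line):
            auth = m.group(1).strip()
        for key, needles in SIGNATURES.items():
            hits[key] += any(n in line for n in needles)
    # Under RSA-sig the "No pre-shared key" line is informational; a missing identity cert is what stalls main mode at MM5.
    if auth == "RSA sig" and hits["no_local_cert"]:
        verdict = "missing local identity certificate"
    elif auth == "pre-share" and hits["no_psk"]:
        verdict = "missing pre-shared key for the peer"
    elif hits["qm_timer_expired"]:
        verdict = "phase 1 never completed"
    else:
        verdict = "no known failure signature"
    return {"states": states, "auth": auth, "hits": hits, "verdict": verdict}
```

Run against the full capture, the verdict points at the router certificate rather than the static routes or the pre-shared-key line.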
On Mon, Oct 10, 2011 at 1:12 AM, Piotr Matusiak <[email protected]> wrote:
> Hi,
>
> You have wrong static routes configured on R1 and R3. IP address 1.1.1.1 is
> local on R1, so there should be a static route configured for 3.3.3.3. Same on R3.
>
> Regards,
> Piotr
>
>
>
> 2011/10/9 parvez ahmad <[email protected]>
>
>> Hi All,
>>
>>
>>
>> Network Diagram,
>>
>> lo1-----R1(10.1.1.1)--------(10.1.1.2)R2(20.1.1.2)-----------(20.1.1.1)R3---lo3
>> loop2 for NTP Server
>>
>>
>> I am creating a site-to-site tunnel between R1 and R3 using a CA, but it is
>> not working.
>>
>> Loop1 and loop3 carry the interesting traffic on their respective routers.
>> R1 and R3 are authenticated and enrolled with the CA server (lo2).
>>
>>
>>
>>
>>
>> -----------------------------------------------------------------------------------
>> R1 config
>>
>> ---------------------------------------------------------------------------------------
>>
>>
>> crypto pki trustpoint R3
>> enrollment url http://2.2.2.2:80
>> subject-name CN = R3.cisco.com
>> revocation-check crl
>> rsakeypair R3.cisco.com
>>
>> crypto pki certificate chain R3
>> certificate ca 01
>> 30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
>>
>> quit
>>
>>
>> crypto isakmp policy 10
>> encr aes
>> group 2
>> crypto isakmp identity dn
>> !
>> !
>> crypto ipsec transform-set TSET esp-aes esp-sha-hmac
>> !
>> crypto map MAP 10 ipsec-isakmp
>> set peer 20.1.1.1
>> set transform-set TSET
>> match address ACS
>> !
>> !
>> !
>> ip ssh version 1
>> !
>> !
>> !
>> !
>> interface Loopback1
>> ip address 1.1.1.1 255.255.255.0
>> !
>> interface FastEthernet0/0
>> ip address 10.1.1.1 255.255.255.0
>> duplex auto
>> speed auto
>> crypto map MAP
>>
>> router eigrp 1
>> network 10.0.0.0
>> no auto-summary
>> !
>> ip forward-protocol nd
>> ip route 1.1.1.0 255.255.255.0 10.1.1.2
>> !
>> !
>> ip http server
>> no ip http secure-server
>> !
>> ip access-list extended ACS
>> permit ip host 1.1.1.1 host 3.3.3.3
>>
>>
>> ntp authentication-key 1 md5 13061E010803 7
>> ntp authenticate
>> ntp trusted-key 1
>> ntp clock-period 17179880
>> ntp server 2.2.2.2
>> -----------------------------------------------------------------------
>> R2 Config
>> -----------------------------------------------------------------------
>>
>> crypto pki server R2
>> database level complete
>> database archive pem password 7 060506324F41584B56
>> issuer-name CN = R2 CA Server,L = London,ST = MI
>> cdp-url http://2.2.2.2/cgi-bin/pkiclient.exe?operation=GetCRL
>> database url flash:
>> !
>> crypto pki trustpoint R2
>> revocation-check crl
>> rsakeypair R2.cisco.com
>>
>> !
>> crypto pki certificate chain R2
>> certificate ca 01
>> 30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
>>
>> quit
>>
>>
>> interface FastEthernet0/0
>> ip address 10.1.1.2 255.255.255.0
>> duplex auto
>> speed auto
>> !
>> interface FastEthernet0/1
>> ip address 20.1.1.2 255.255.255.0
>> duplex auto
>> speed auto
>> !
>> router eigrp 1
>> network 2.0.0.0
>> network 10.0.0.0
>> network 20.0.0.0
>> no auto-summary
>> !
>> ip forward-protocol nd
>> !
>> !
>> ip http server
>> no ip http secure-server
>>
>>
>> ntp authentication-key 1 md5 14141B180F0B 7
>> ntp authenticate
>> ntp trusted-key 1
>> ntp source Loopback0
>> ntp master 2
>>
>> --------------------------------------------------------------------
>> R3 Config
>> --------------------------------------------------------------------
>>
>> crypto pki trustpoint R3
>> enrollment url http://2.2.2.2:80
>> subject-name CN = R3.cisco.com
>> revocation-check crl
>> rsakeypair R3.cisco.com
>>
>> crypto pki certificate chain R3
>> certificate ca 01
>> 30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
>>
>> 4B201CC6 E7
>> quit
>>
>>
>> crypto isakmp policy 10
>> encr aes
>> group 2
>> crypto isakmp identity dn
>> !
>> !
>> crypto ipsec transform-set TSET esp-aes esp-sha-hmac
>> !
>> crypto map MAP 10 ipsec-isakmp
>> set peer 10.1.1.1
>> set transform-set TSET
>> match address ACS
>>
>> interface Loopback3
>> ip address 3.3.3.3 255.255.255.0
>> !
>> interface FastEthernet0/0
>> no ip address
>> shutdown
>> duplex auto
>> speed auto
>> !
>> interface FastEthernet0/1
>> ip address 20.1.1.1 255.255.255.0
>> duplex auto
>> speed auto
>> crypto map MAP
>> !
>> router eigrp 1
>> network 20.0.0.0
>> no auto-summary
>> !
>> ip forward-protocol nd
>> ip route 3.3.3.0 255.255.255.0 20.1.1.2
>> !
>> !
>> ip http server
>> no ip http secure-server
>> !
>> ip access-list extended ACS
>> permit ip host 3.3.3.3 host 1.1.1.1
>>
>> ntp authentication-key 1 md5 00071A150754 7
>> ntp authenticate
>> ntp trusted-key 1
>> ntp clock-period 17179821
>> ntp server 2.2.2.2
>> !
>>
>>
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>>
>
>