Oct 10 10:20:28.343: ISAKMP:(1005): peer wants cert issued by cn=R2 CA Server,l=London,st=MI
Oct 10 10:20:28.343: ISAKMP:(1005): issuer name is not a trusted root.

I think the problem is here. You must authenticate with the CA server R2 and enroll a certificate for your router too:

crypto ca trustpoint R2
 enrollment url http://{R2 IP address}
crypto ca authenticate R2
crypto ca enroll R2

Regards

Date: Mon, 10 Oct 2011 12:48:16 +0530
From: [email protected]
To: [email protected]
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] Site to site VPN using CA

Hi,

I changed the static route as suggested by Piotr. Still packets are not encrypting and decrypting. Below is the output:

R3#ping 1.1.1.1 source lo3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
Oct 10 10:20:27.299: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 20.1.1.1, remote= 10.1.1.1,
    local_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
    remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Oct 10 10:20:27.307: ISAKMP:(0): SA request profile is (NULL)
Oct 10 10:20:27.307: ISAKMP: Created a peer struct for 10.1.1.1, peer port 500
Oct 10 10:20:27.307: ISAKMP: New peer created peer = 0x66161B68 peer_handle = 0x80000006
Oct 10 10:20:27.307: ISAKMP: Locking peer struct 0x66161B68, refcount 1 for isakmp_initiator
Oct 10 10:20:27.311: ISAKMP: local port 500, remote port 500
Oct 10 10:20:27.311: ISAKMP: set new node 0 to QM_IDLE
Oct 10 10:20:27.311: insert sa successfully sa = 66BDF730
Oct 10 10:20:27.311: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Oct 10 10:20:27.315: ISAKMP:(0):No pre-shared key with 10.1.1.1!
Oct 10 10:20:27.315: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Oct 10 10:20:27.319: ISAKMP:(0): constructed NAT-T vendor-07 ID
Oct 10 10:20:27.319: ISAKMP:(0): constructed NAT-T vendor-03 ID
Oct 10 10:20:27.319: ISAKMP:(0): constructed NAT-T vendor-02 ID
Oct 10 10:20:27.319: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Oct 10 10:20:27.323: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Oct 10 10:20:27.323: ISAKMP:(0): beginning Main Mode exchange
Oct 10 10:20:27.323: ISAKMP:(0): sending packet to 10.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct 10 10:20:27.327: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 10 10:20:27.695: ISAKMP (0:0): received packet from 10.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
Oct 10 10:20:27.699: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 10 10:20:27.699: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Oct 10 10:20:27.707: ISAKMP:(0): processing SA payload. message ID = 0
Oct 10 10:20:27.707: ISAKMP:(0): processing vendor id payload
Oct 10 10:20:27.707: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Oct 10 10:20:27.707: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Oct 10 10:20:27.711: ISAKMP : Scanning profiles for xauth ...
Oct 10 10:20:27.711: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Oct 10 10:20:27.711: ISAKMP:      encryption AES-CBC
Oct 10 10:20:27.711: ISAKMP:      keylength of 128
Oct 10 10:20:27.711: ISAKMP:      hash SHA
Oct 10 10:20:27.715: ISAKMP:      default group 2
Oct 10 10:20:27.715: ISAKMP:      auth RSA sig
Oct 10 10:20:27.715: ISAKMP:      life type in seconds
Oct 10 10:20:27.715: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Oct 10 10:20:27.719: ISAKMP:(0):atts are acceptable. Next payload is 0
Oct 10 10:20:27.719: ISAKMP:(0):Acceptable atts:actual life: 0
Oct 10 10:20:27.719: ISAKMP:(0):Acceptable atts:life: 0
Oct 10 10:20:27.719: ISAKMP:(0):Fill atts in sa vpi_length:4
Oct 10 10:20:27.723: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Oct 10 10:20:27.723: ISAKMP:(0):Returning Actual lifetime: 86400
Oct 10 10:20:27.723: ISAKMP:(0)::Started lifetime timer: 86400.
Oct 10 10:20:27.723: ISAKMP:(0): processing vendor id payload
Oct 10 10:20:27.723: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Oct 10 10:20:27.727: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Oct 10 10:20:27.727: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 10 10:20:27.727: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Oct 10 10:20:27.739: ISAKMP (0:0): constructing CERT_REQ for issuer cn=R2 CA Server,l=London,st=MI
Oct 10 10:20:27.743: ISAKMP:(0): sending packet to 10.1.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
Oct 10 10:20:27.743: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 10 10:20:27.747: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 10 10:20:27.747: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Oct 10 10:20:28.239: ISAKMP (0:0): received packet from 10.1.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
Oct 10 10:20:28.243: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 10 10:20:28.243: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Oct 10 10:20:28.247: ISAKMP:(0): processing KE payload. message ID = 0
Oct 10 10:20:28.335: ISAKMP:(0): processing NONCE payload. message ID = 0
Oct 10 10:20:28.339: ISAKMP:(1005): processing CERT_REQ payload. message ID = 0
Oct 10 10:20:28.339: ISAKMP:(1005): peer wants a CT_X509_SIGNATURE cert
Oct 10 10:20:28.343: ISAKMP:(1005): peer wants cert issued by cn=R2 CA Server,l=London,st=MI
Oct 10 10:20:28.343: ISAKMP:(1005): issuer name is not a trusted root.
Oct 10 10:20:28.347: ISAKMP:(1005): processing vendor id payload
Oct 10 10:20:28.347: ISAKMP:(1005): vendor ID is Unity
Oct 10 10:20:28.347: ISAKMP:(1005): processing vendor id payload
Oct 10 10:20:28.347: ISAKMP:(1005): vendor ID is DPD
Oct 10 10:20:28.351: ISAKMP:(1005): processing vendor id payload
Oct 10 10:20:28.351: ISAKMP:(1005): speaking to another IOS box!
Oct 10 10:20:28.351: ISAKMP:received payload type 20
Oct 10 10:20:28.351: ISAKMP:received payload type 20
Oct 10 10:20:28.355: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 10 10:20:28.355: ISAKMP:(1005):Old State = IKE_I_MM4 New State = IKE_I_MM4
Oct 10 10:20:28.415: ISAKMP:(1005):Send initial contact
Oct 10 10:20:28.415: ISAKMP:(1005):Unable to get router cert or routerdoes not have a cert: needed to find DN!
Oct 10 10:20:28.415: ISAKMP(0:1005): Unable to get our DN from cert, using my FQDN as identity
Oct 10 10:20:28.419: ISAKMP:(1005):SA is doing RSA signature authentication using id type ID_FQDN
Oct 10 10:20:28.419: ISAKMP (0:1005): ID payload
    next-payload : 6
    type         : 2
    FQDN name    : R3
    protocol     : 17
    port         : 500
    length       : 10
Oct 10 10:20:28.423: ISAKMP:(1005):Total payload length: 10
Oct 10 10:20:28.423: ISAKMP:(1005): no valid cert found to return
Oct 10 10:20:28.423: ISAKMP: set new node 645628590 to QM_IDLE
Oct 10 10:20:28.427: ISAKMP:(1005):Sending NOTIFY CERTIFICATE_UNAVAILABLE protocol 1 spi 0, message ID = 645628590
Oct 10 10:20:28.431: ISAKMP:(1005): sending packet to 10.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 10 10:20:28.431: ISAKMP:(1005):Sending an IKE IPv4 Packet.
Oct 10 10:20:28.431: ISAKMP:(1005):purging node 645628590
Oct 10 10:20:28.435: ISAKMP (0:1005): FSM action returned error: 2
Oct 10 10:20:28.435: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 10 10:20:28.435: ISAKMP:(1005):Old State = IKE_I_MM4 New State = IKE_I_MM5
..
Success rate is 0 percent (0/5)
R3#
Oct 10 10:20:37.744: ISAKMP:(1005): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Oct 10 10:20:38.136: ISAKMP (0:1005): received packet from 10.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 10 10:20:38.136: ISAKMP:(1005): phase 1 packet is a duplicate of a previous packet.
Oct 10 10:20:38.136: ISAKMP:(1005): retransmitting due to retransmit phase 1
Oct 10 10:20:38.140: ISAKMP:(1005): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Oct 10 10:20:48.148: ISAKMP (0:1005): received packet from 10.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 10 10:20:48.148: ISAKMP:(1005): phase 1 packet is a duplicate of a previous packet.
Oct 10 10:20:48.148: ISAKMP:(1005): retransmitting due to retransmit phase 1
Oct 10 10:20:48.152: ISAKMP:(1005): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Oct 10 10:20:57.300: IPSEC(key_engine): request timer fired: count = 1,
    (identity) local= 20.1.1.1, remote= 10.1.1.1,
    local_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
    remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1)
Oct 10 10:20:57.304: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 20.1.1.1, remote= 10.1.1.1,
    local_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
    remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Oct 10 10:20:57.308: ISAKMP: set new node 0 to QM_IDLE
Oct 10 10:20:57.312: ISAKMP:(1005):SA is still budding. Attached new ipsec request to it. (local 20.1.1.1, remote 10.1.1.1)
Oct 10 10:20:57.312: ISAKMP: Error while processing SA request: Failed to initialize SA
Oct 10 10:20:57.312: ISAKMP: Error while processing KMI message 0, error 2.
Oct 10 10:20:58.152: ISAKMP (0:1005): received packet from 10.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 10 10:20:58.156: ISAKMP:(1005): phase 1 packet is a duplicate of a previous packet.
Oct 10 10:20:58.156: ISAKMP:(1005): retransmitting due to retransmit phase 1
Oct 10 10:20:58.156: ISAKMP:(1005): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Oct 10 10:21:08.153: ISAKMP (0:1005): received packet from 10.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 10 10:21:08.157: ISAKMP:(1005): phase 1 packet is a duplicate of a previous packet.
Oct 10 10:21:08.157: ISAKMP:(1005): retransmitting due to retransmit phase 1
Oct 10 10:21:08.157: ISAKMP:(1005): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Oct 10 10:21:18.138: ISAKMP (0:1005): received packet from 10.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 10 10:21:18.138: ISAKMP:(1005): phase 1 packet is a duplicate of a previous packet.
Oct 10 10:21:18.138: ISAKMP:(1005): retransmitting due to retransmit phase 1
Oct 10 10:21:18.142: ISAKMP:(1005): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Oct 10 10:21:27.302: IPSEC(key_engine): request timer fired: count = 2,
    (identity) local= 20.1.1.1, remote= 10.1.1.1,
    local_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
    remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1)
Oct 10 10:21:42.315: ISAKMP: quick mode timer expired.
Oct 10 10:21:42.315: ISAKMP:(1005):src 20.1.1.1 dst 10.1.1.1, SA is not authenticated
Oct 10 10:21:42.315: ISAKMP:(1005):peer does not do paranoid keepalives.
Oct 10 10:21:42.319: ISAKMP:(1005):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer 10.1.1.1)
Oct 10 10:21:42.323: ISAKMP:(1005):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer 10.1.1.1)
Oct 10 10:21:42.323: ISAKMP: Unlocking peer struct 0x66161B68 for isadb_mark_sa_deleted(), count 0
Oct 10 10:21:42.327: ISAKMP: Deleting peer node by peer_reap for 10.1.1.1: 66161B68
Oct 10 10:21:42.327: ISAKMP:(1005):deleting node -723389659 error FALSE reason "IKE deleted"
Oct 10 10:21:42.327: ISAKMP:(1005):deleting node 467977890 error FALSE reason "IKE deleted"
Oct 10 10:21:42.331: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Oct 10 10:21:42.331: ISAKMP:(1005):Old State = IKE_I_MM5 New State = IKE_DEST_SA
Oct 10 10:21:42.335: IPSEC(key_engine): got a queue event with 1 KMI message(s)^Z
R3#un all

On Mon, Oct 10, 2011 at 1:12 AM, Piotr Matusiak <[email protected]> wrote:

Hi,

You have wrong static routes configured on R1 and R3. IP address 1.1.1.1 is local on R1; there should be a static route configured for 3.3.3.3. Same on R3.

Regards,
Piotr

2011/10/9 parvez ahmad <[email protected]>:

Hi All,

Network Diagram:

lo1-----R1(10.1.1.1)--------(10.1.1.2)R2(20.1.1.2)-----------(20.1.1.1)R3---lo3
                                      loop2 for NTP Server

I am creating a site-to-site tunnel between R1 and R3 using a CA, but it is not working. Loop1 and loop3 are the interesting traffic on the respective routers. R1 and R3 are authenticated and enrolled with the CA server lo2.

--------------------------------------------- R1 config ---------------------------------------------

crypto pki trustpoint R3
 enrollment url http://2.2.2.2:80
 subject-name CN = R3.cisco.com
 revocation-check crl
 rsakeypair R3.cisco.com
!
crypto pki certificate chain R3
 certificate ca 01
  30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  quit
!
crypto isakmp policy 10
 encr aes
 group 2
crypto isakmp identity dn
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto map MAP 10 ipsec-isakmp
 set peer 20.1.1.1
 set transform-set TSET
 match address ACS
!
ip ssh version 1
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map MAP
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
!
ip forward-protocol nd
ip route 1.1.1.0 255.255.255.0 10.1.1.2
!
ip http server
no ip http secure-server
!
ip access-list extended ACS
 permit ip host 1.1.1.1 host 3.3.3.3
!
ntp authentication-key 1 md5 13061E010803 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179880
ntp server 2.2.2.2

--------------------------------------------- R2 config ---------------------------------------------

crypto pki server R2
 database level complete
 database archive pem password 7 060506324F41584B56
 issuer-name CN = R2 CA Server,L = London,ST = MI
 cdp-url http://2.2.2.2/cgi-bin/pkiclient.exe?operation=GetCRL
 database url flash:
!
crypto pki trustpoint R2
 revocation-check crl
 rsakeypair R2.cisco.com
!
crypto pki certificate chain R2
 certificate ca 01
  30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  quit
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 20.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 1
 network 2.0.0.0
 network 10.0.0.0
 network 20.0.0.0
 no auto-summary
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ntp authentication-key 1 md5 14141B180F0B 7
ntp authenticate
ntp trusted-key 1
ntp source Loopback0
ntp master 2

--------------------------------------------- R3 config ---------------------------------------------

crypto pki trustpoint R3
 enrollment url http://2.2.2.2:80
 subject-name CN = R3.cisco.com
 revocation-check crl
 rsakeypair R3.cisco.com
!
crypto pki certificate chain R3
 certificate ca 01
  30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  4B201CC6 E7
  quit
!
crypto isakmp policy 10
 encr aes
 group 2
crypto isakmp identity dn
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto map MAP 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set TSET
 match address ACS
!
interface Loopback3
 ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 20.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map MAP
!
router eigrp 1
 network 20.0.0.0
 no auto-summary
!
ip forward-protocol nd
ip route 3.3.3.0 255.255.255.0 20.1.1.2
!
ip http server
no ip http secure-server
!
ip access-list extended ACS
 permit ip host 3.3.3.3 host 1.1.1.1
!
ntp authentication-key 1 md5 00071A150754 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179821
ntp server 2.2.2.2
!

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
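An added triage example, not from the thread or from Cisco: it walks "debug crypto isakmp" output like the R3 capture above, records the main-mode state path, and maps the telltale lines to their cause (the peer's CA not authenticated as a trustpoint, and no identity certificate to answer the CERT_REQ). The sample lines are copied from the capture; the explanation strings and the function names are the editor's, and the check for IKE_P1_COMPLETE assumes the usual IOS state logged after MM6.

```python
import re

# Telltale "debug crypto isakmp" strings and what each means for an RSA-signature
# main-mode negotiation. The explanations are the editor's wording, not IOS output.
SIGNATURES = [
    ("issuer name is not a trusted root", "peer's CA is not an authenticated trustpoint here (crypto pki authenticate)"),
    ("Unable to get our DN from cert", "no local cert, so 'crypto isakmp identity dn' fell back to the FQDN"),
    ("no valid cert found to return", "no identity certificate enrolled on this router (crypto pki enroll)"),
    ("Sending NOTIFY CERTIFICATE_UNAVAILABLE", "told the peer we cannot present a certificate"),
    ('deleting SA reason "QM_TIMER expired"', "Phase 1 never authenticated; half-open SA torn down"),
]
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")

def triage(debug_text):
    """Return (state_path, findings): distinct New States in order, one explanation per telltale seen."""
    states, findings = [], []
    for line in debug_text.splitlines():
        m = STATE_RE.search(line)
        if m and (not states or states[-1] != m.group(2)):
            states.append(m.group(2))          # collapse MM2 -> MM2 style no-op transitions
        for needle, meaning in SIGNATURES:
            if needle in line and meaning not in findings:
                findings.append(meaning)
    return states, findings

def phase1_completed(states):
    # IOS logs IKE_P1_COMPLETE after MM6 (assumed state name); a path ending in IKE_DEST_SA never got there.
    return "IKE_P1_COMPLETE" in states

# Constructed sample: lines copied from the R3 capture in the thread above.
SAMPLE = """\
Oct 10 10:20:27.323: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Oct 10 10:20:27.699: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Oct 10 10:20:27.727: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Oct 10 10:20:27.747: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Oct 10 10:20:28.243: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Oct 10 10:20:28.343: ISAKMP:(1005): issuer name is not a trusted root.
Oct 10 10:20:28.415: ISAKMP(0:1005): Unable to get our DN from cert, using my FQDN as identity
Oct 10 10:20:28.423: ISAKMP:(1005): no valid cert found to return
Oct 10 10:20:28.427: ISAKMP:(1005):Sending NOTIFY CERTIFICATE_UNAVAILABLE protocol 1 spi 0, message ID = 645628590
Oct 10 10:20:28.435: ISAKMP:(1005):Old State = IKE_I_MM4 New State = IKE_I_MM5
Oct 10 10:21:42.319: ISAKMP:(1005):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer 10.1.1.1)
Oct 10 10:21:42.331: ISAKMP:(1005):Old State = IKE_I_MM5 New State = IKE_DEST_SA
"""

if __name__ == "__main__":
    path, why = triage(SAMPLE)
    print("state path:", " -> ".join(path))
    print("phase 1 completed:", phase1_completed(path))
    for w in why:
        print(" -", w)
```

Feed it the full capture from "debug crypto isakmp" on the initiator; a path that stalls at IKE_I_MM5 with CERTIFICATE_UNAVAILABLE is the signature of a router that has authenticated nothing and enrolled nothing, which is exactly what the reply at the top of the thread recommends fixing.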
