If you are using GNS you have to regenerate keys after restart; the name for the key will sometimes be there in the config but the actual key is not found.
Regards

From: [email protected]
To: [email protected]; [email protected]
Date: Sun, 24 Jun 2012 10:53:31 +0200
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates - YusufLab 1 Q2.3

Ben,

This message “No Cert or pre-shared address key.” is there when you have no RSA keys on your router. Can you check this first?
I know you have named keys assigned to the trustpoint but it seems like something isn’t right here.

Regards,
Piotr


From: Ben Shaw
Sent: Sunday, June 24, 2012 8:51 AM
To: Imre Oszkar
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates - YusufLab 1 Q2.3

Hi All,

I was under the impression that the application of the ISAKMP profile allows the trustpoint to be chosen and used to authenticate a peer based on the match commands configured in the profile. For this reason I had the understanding it was more about which trustpoint to compare a certificate received from an IPSec peer against, not for deciding which trustpoint's ID certificate is to be sent to the peer when initiating a tunnel. Anyway, I have added the ISAKMP profile to the crypto map and still have the same issues.

I first configured the following on R5 (which by the way is not the CA, the CA is another router - R1)

R5(config)#crypto map cryptomap1 10 ipsec-isakmp
R5(config-crypto-map)#set isakmp-profile isakmpprof1


The resultant configuration was as follows


R5#show running-config
Building configuration...

Current configuration : 7300 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name cisco.com
!
frame-relay switching
multilink bundle-name authenticated
!
parameter-map type inspect SMTP
 sessions maximum 2147483647
parameter-map type regex EMAIL
 pattern [email protected]
!
crypto pki trustpoint myCA
 enrollment url http://10.1.1.1:80
 fqdn R5.cisco.com
 ip-address 10.5.5.5
 subject-name cn=R5
 revocation-check none
 rsakeypair myCA-KEYS
!
crypto pki certificate map certmap1 10
 issuer-name co myca
 subject-name co asa2
!
crypto pki certificate chain myCA
 certificate 06
  19311730 15060355 0403130E 6D794341 2E636973 636F2E63 6F6D301E 170D3132
  quit
 certificate ca 01
  3082020B 30820174 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  quit
!
archive
 log config
  hidekeys
!
crypto isakmp policy 11
 encr aes
 group 5
crypto isakmp identity dn
crypto isakmp profile isakmpprof1
   self-identity fqdn
   ca trust-point myCA
   match certificate certmap1
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
!
crypto map cryptomap1 local-address Loopback6
crypto map cryptomap1 10 ipsec-isakmp
 set peer 192.168.9.10
 set transform-set aes-sha
 set isakmp-profile isakmpprof1
 match address crypto1
!
ip tcp synwait-time 5
!
class-map type inspect match-all MAIL
 match protocol smtp
class-map type inspect match-all ICMP
 match protocol icmp
class-map type inspect match-all IP
 match access-group 100
class-map type inspect smtp match-any Large_Mail
 match  data-length gt 10000000
class-map type inspect match-all ALL
class-map type inspect match-all WEB
 match protocol http
class-map type inspect match-any other
 match protocol telnet
 match protocol ssh
class-map type inspect http match-all HTTP_Misuse
 match  request port-misuse any
!
policy-map type inspect http HTTP_pol
 class type inspect http HTTP_Misuse
  reset
policy-map type inspect smtp SMTP_pol
 class type inspect smtp Large_Mail
  reset
policy-map type inspect central_remote
 class type inspect IP
  inspect
 class class-default
policy-map type inspect remote_central
 class type inspect ICMP
  inspect
 class type inspect other
  inspect
 class type inspect WEB
  inspect
  service-policy http HTTP_pol
 class type inspect MAIL
  inspect
  service-policy smtp SMTP_pol
 class class-default
!
zone security CENTRAL
zone security REMOTE
zone-pair security central_remote source CENTRAL destination REMOTE
 service-policy type inspect central_remote
zone-pair security remote_central source REMOTE destination CENTRAL
 service-policy type inspect remote_central
!
interface Loopback0
 ip address 10.5.5.5 255.255.255.0
!
interface Loopback5
 ip address 10.55.55.55 255.255.255.255
 ip nat inside
 ip virtual-reassembly
!
interface Loopback6
 ip address 192.168.55.5 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 192.168.35.5 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 zone-member security REMOTE
 encapsulation ppp
 ip ospf network point-to-point
 no fair-queue
 clock rate 2000000
 crypto map cryptomap1
!
interface FastEthernet0/1
 ip address 192.168.11.10 255.255.255.0
 duplex auto
 speed auto
 ntp broadcast
!
interface Serial0/1
 ip address 192.168.65.5 255.255.255.0
 zone-member security CENTRAL
 encapsulation frame-relay
 ip ospf network point-to-point
 clock rate 2000000
 frame-relay map ip 192.168.65.6 65 broadcast
 frame-relay intf-type dce
 crypto map cryptomap1
!
router ospf 1
 log-adjacency-changes
 network 10.5.5.0 0.0.0.255 area 0
 network 10.55.55.0 0.0.0.255 area 0
 network 192.168.35.0 0.0.0.255 area 0
 network 192.168.55.0 0.0.0.255 area 0
 network 192.168.65.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
ip nat inside source route-map s0 interface Serial0/0 overload
ip nat inside source route-map s1 interface Serial0/1 overload
!
ip access-list extended crypto1
 permit ip host 10.5.5.5 host 10.8.8.8
!
access-list 100 permit ip any any
access-list 102 permit ip any host 10.55.55.55
!
route-map s1 permit 10
 match ip address 102
 match interface Serial0/1
!
route-map s0 permit 10
 match ip address 102
 match interface Serial0/0
!
control-plane
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
!
ntp authentication-key 1 md5 060506324F41 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17181052
ntp source Loopback0
ntp server 10.1.1.1 key 1
!
end
R5#


I then got the same results in the debug as before. When trying to initiate the tunnel from the router I got the following


R5#ping 10.8.8.8 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.5.5.5
*Mar  1 00:18:15.768: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.55.5, remote= 192.168.9.10,
    local_proxy= 10.5.5.5/255.255.255.255/0/0 (type=1),
    remote_proxy= 10.8.8.8/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Mar  1 00:18:15.788: ISAKMP:(0): SA request profile is isakmpprof1
*Mar  1 00:18:15.792: ISAKMP: Created a peer struct for 192.168.9.10, peer port 500
*Mar  1 00:18:15.796: ISAKMP: New peer created peer = 0x66D65F88 peer_handle = 0x8000000E
*Mar  1 00:18:15.796: ISAKMP: Locking peer struct 0x66D65F88, refcount 1 for isakmp_initiator
*Mar  1 00:18:15.800: ISAKMP: local port 500, remote port 500
*Mar  1 00:18:15.804: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 00:18:15.804: insert sa successfully sa = 677F9C40
*Mar  1 00:18:15.808: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar  1 00:18:15.812: ISAKMP:(0):Profile has no keyring, aborting key search
*Mar  1 00:18:15.816: ISAKMP:(0):Profile has no keyring, aborting host key search
*Mar  1 00:18:15.816: ISAKMP:(0): No Cert or pre-shared address key.
*Mar  1 00:18:15.820: ISAKMP:(0): construct_initial_message: Can not start Main mode
*Mar  1 00:18:15.820: ISAKMP: Unlocking peer struct 0x66D65F88 for isadb_unlock_peer_delete_sa(), count 0
*Mar  1 00:18:15.824: ISAKMP: Deleting peer node .by peer_reap for 192.168.9.10: 66D65F88
*Mar  1 00:18:15.828: ISAKMP:(0):purging SA., sa=677F9C40, delme=677F9C40
*Mar  1 00:18:15.832: ISAKMP:(0):purging node -439292819
*Mar  1 00:18:15.832: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar  1 00:18:15.832: ISAKMP: Error while processing KMI message 0, error 2.
*Mar  1 00:18:15.832: IPSEC(key_engine): got a queue event with 1 KMI message(s)....
Success rate is 0 percent (0/5)
R5#


When initiating the tunnel from the ASA I get the following debugs on the router


R5#
*Mar  1 00:18:51.378: ISAKMP (0:0): received packet from 192.168.9.10 dport 500 sport 500 Global (N) NEW SA
*Mar  1 00:18:51.382: ISAKMP: Created a peer struct for 192.168.9.10, peer port 500
*Mar  1 00:18:51.382: ISAKMP: New peer created peer = 0x66D65F88 peer_handle = 0x80000010
*Mar  1 00:18:51.386: ISAKMP: Locking peer struct 0x66D65F88, refcount 1 for crypto_isakmp_process_block
*Mar  1 00:18:51.390: ISAKMP: local port 500, remote port 500
*Mar  1 00:18:51.394: insert sa successfully sa = 677F9C40
*Mar  1 00:18:51.398: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:18:51.398: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Mar  1 00:18:51.414: ISAKMP:(0): processing SA payload. message ID = 0
*Mar  1 00:18:51.418: ISAKMP:(0): processing vendor id payload
*Mar  1 00:18:51.422: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 00:18:51.426: ISAKMP:(0): vendor ID is NAT-T v2
*Mar  1 00:18:51.426: ISAKMP:(0): processing vendor id payload
*Mar  1 00:18:51.430: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar  1 00:18:51.430: ISAKMP:(0): vendor ID is NAT-T v3
*Mar  1 00:18:51.434: ISAKMP:(0): processing vendor id payload
*Mar  1 00:18:51.438: ISAKMP:(0): processing IKE frag vendor id payload
*Mar  1 00:18:51.438: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar  1 00:18:51.442: ISAKMP : Scanning profiles for xauth ... isakmpprof1
*Mar  1 00:18:51.446: ISAKMP:(0):Checking ISAKMP transform 1 against priority 11 policy
*Mar  1 00:18:51.446: ISAKMP:      default group 5
*Mar  1 00:18:51.450: ISAKMP:      encryption AES-CBC
*Mar  1 00:18:51.450: ISAKMP:      keylength of 128
*Mar  1 00:18:51.450: ISAKMP:      hash SHA
*Mar  1 00:18:51.454: ISAKMP:      auth RSA sig
*Mar  1 00:18:51.454: ISAKMP:      life type in seconds
*Mar  1 00:18:51.458: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  1 00:18:51.462: ISAKMP:(0):RSA signature authentication offered but does not match policy!
*Mar  1 00:18:51.466: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 00:18:51.470: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
*Mar  1 00:18:51.470: ISAKMP:      default group 5
*Mar  1 00:18:51.470: ISAKMP:      encryption AES-CBC
*Mar  1 00:18:51.474: ISAKMP:      keylength of 128
*Mar  1 00:18:51.474: ISAKMP:      hash SHA
*Mar  1 00:18:51.478: ISAKMP:      auth RSA sig
*Mar  1 00:18:51.478: ISAKMP:      life type in seconds
*Mar  1 00:18:51.478: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  1 00:18:51.486: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 00:18:51.490: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 00:18:51.490: ISAKMP:(0):no offers accepted!
*Mar  1 00:18:51.490: ISAKMP:(0): phase 1 SA policy not acceptable! (local 192.168.55.5 remote 192.168.9.10)
*Mar  1 00:18:51.490: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Mar  1 00:18:51.490: ISAKMP:(0): sending packet to 192.168.9.10 my_port 500 peer_port 500 (R) MM_NO_STATE
*Mar  1 00:18:51.494: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  1 00:18:51.498: ISAKMP:(0):peer does not do paranoid keepalives.
*Mar  1 00:18:51.502: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 192.168.9.10)
*Mar  1 00:18:51.506: ISAKMP:(0): processing vendor id payload
*Mar  1 00:18:51.506: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 00:18:51.510: ISAKMP:(0): vendor ID is NAT-T v2
*Mar  1 00:18:51.514: ISAKMP:(0): processing vendor id payload
*Mar  1 00:18:51.514: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar  1 00:18:51.518: ISAKMP:(0): vendor ID is NAT-T v3
*Mar  1 00:18:51.522: ISAKMP:(0): processing vendor id payload
*Mar  1 00:18:51.522: ISAKMP:(0): processing IKE frag vendor id payload
*Mar  1 00:18:51.526: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar  1 00:18:51.530: ISAKMP (0:0): FSM action returned error: 2
*Mar  1 00:18:51.530: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 00:18:51.534: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
*Mar  1 00:18:51.566: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 192.168.9.10)
*Mar  1 00:18:51.566: ISAKMP: Unlocking peer struct 0x66D65F88 for isadb_mark_sa_deleted(), count 0
*Mar  1 00:18:51.570: ISAKMP: Deleting peer node by peer_reap for 192.168.9.10: 66D65F88
*Mar  1 00:18:51.570: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 00:18:51.574: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA
*Mar  1 00:18:51.578: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Mar  1 00:18:51.598: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 192.168.9.10)
*Mar  1 00:18:51.602: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*Mar  1 00:18:51.606: ISAKMP:(0):Old State = IKE_DEST_SA  New State = IKE_DEST_SA


I then decided to make the ISAKMP profile more basic and did the following

R5(config)# crypto isakmp profile isakmpprof1
R5(conf-isa-prof)# no self-identity fqdn
R5(conf-isa-prof)# no match certificate certmap1
R5(conf-isa-prof)# match identity address 192.168.9.10 255.255.255.255


Pinging from the router side then produced what seems to be the same debug output below


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.5.5.5

*Mar  1 00:15:10.239: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.55.5, remote= 192.168.9.10,
    local_proxy= 10.5.5.5/255.255.255.255/0/0 (type=1),
    remote_proxy= 10.8.8.8/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Mar  1 00:15:10.259: ISAKMP:(0): SA request profile is isakmpprof1
*Mar  1 00:15:10.263: ISAKMP: Created a peer struct for 192.168.9.10, peer port 500
*Mar  1 00:15:10.267: ISAKMP: New peer created peer = 0x66D65F88 peer_handle = 0x8000000B
*Mar  1 00:15:10.267: ISAKMP: Locking peer struct 0x66D65F88, refcount 1 for isakmp_initiator
*Mar  1 00:15:10.271: ISAKMP: local port 500, remote port 500
*Mar  1 00:15:10.275: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 00:15:10.275: insert sa successfully sa = 66F836E4
*Mar  1 00:15:10.279: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar  1 00:15:10.283: ISAKMP:(0):Profile has no keyring, aborting key search
*Mar  1 00:15:10.287: ISAKMP:(0):Profile has no keyring, aborting host key search
*Mar  1 00:15:10.287: ISAKMP:(0): No Cert or pre-shared address key.
*Mar  1 00:15:10.291: ISAKMP:(0): construct_initial_message: Can not start Main mode
*Mar  1 00:15:10.291: ISAKMP: Unlocking peer struct 0x66D65F88 for isadb_unlock_peer_delete_sa(), count 0
*Mar  1 00:15:10.295: ISAKMP: Deleting peer node by peer_reap for 192.168.9.10: 66D65F88.
*Mar  1 00:15:10.299: ISAKMP:(0):purging SA., sa=66F836E4, delme=66F836E4
*Mar  1 00:15:10.303: ISAKMP:(0):purging node 1282500099
*Mar  1 00:15:10.307: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar  1 00:15:10.311: ISAKMP: Error while processing KMI message 0, error 2.
*Mar  1 00:15:10.311: IPSEC(key_engine): got a queue event with 1 KMI message(s)....
Success rate is 0 percent (0/5)
R5#


Initiating from the ASA side gave the following output on the router


*Mar  1 00:16:03.471: ISAKMP (0:0): received packet from 192.168.9.10 dport 500 sport 500 Global (N) NEW SA
*Mar  1 00:16:03.475: ISAKMP: Created a peer struct for 192.168.9.10, peer port 500
*Mar  1 00:16:03.475: ISAKMP: New peer created peer = 0x66D65F88 peer_handle = 0x8000000D
*Mar  1 00:16:03.479: ISAKMP: Locking peer struct 0x66D65F88, refcount 1 for crypto_isakmp_process_block
*Mar  1 00:16:03.483: ISAKMP: local port 500, remote port 500
*Mar  1 00:16:03.487: insert sa successfully sa = 66F836E4
*Mar  1 00:16:03.491: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:16:03.491: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Mar  1 00:16:03.511: ISAKMP:(0): processing SA payload. message ID = 0
*Mar  1 00:16:03.511: ISAKMP:(0): processing vendor id payload
*Mar  1 00:16:03.515: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 00:16:03.519: ISAKMP:(0): vendor ID is NAT-T v2
*Mar  1 00:16:03.519: ISAKMP:(0): processing vendor id payload
*Mar  1 00:16:03.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar  1 00:16:03.527: ISAKMP:(0): vendor ID is NAT-T v3
*Mar  1 00:16:03.527: ISAKMP:(0): processing vendor id payload
*Mar  1 00:16:03.531: ISAKMP:(0): processing IKE frag vendor id payload
*Mar  1 00:16:03.535: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar  1 00:16:03.535: ISAKMP : Scanning profiles for xauth ... isakmpprof1
*Mar  1 00:16:03.539: ISAKMP:(0):Checking ISAKMP transform 1 against priority 11 policy
*Mar  1 00:16:03.543: ISAKMP:      default group 5
*Mar  1 00:16:03.543: ISAKMP:      encryption AES-CBC
*Mar  1 00:16:03.543: ISAKMP:      keylength of 128
*Mar  1 00:16:03.547: ISAKMP:      hash SHA
*Mar  1 00:16:03.547: ISAKMP:      auth RSA sig
*Mar  1 00:16:03.551: ISAKMP:      life type in seconds
*Mar  1 00:16:03.551: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  1 00:16:03.555: ISAKMP:(0):RSA signature authentication offered but does not match policy!
*Mar  1 00:16:03.559: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 00:16:03.563: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
*Mar  1 00:16:03.563: ISAKMP:      default group 5
*Mar  1 00:16:03.567: ISAKMP:      encryption AES-CBC
*Mar  1 00:16:03.567: ISAKMP:      keylength of 128
*Mar  1 00:16:03.567: ISAKMP:      hash SHA
*Mar  1 00:16:03.567: ISAKMP:      auth RSA sig
*Mar  1 00:16:03.567: ISAKMP:      life type in seconds
*Mar  1 00:16:03.567: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  1 00:16:03.567: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 00:16:03.567: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 00:16:03.567: ISAKMP:(0):no offers accepted!
*Mar  1 00:16:03.567: ISAKMP:(0): phase 1 SA policy not acceptable! (local 192.168.55.5 remote 192.168.9.10)
*Mar  1 00:16:03.567: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Mar  1 00:16:03.567: ISAKMP:(0): sending packet to 192.168.9.10 my_port 500 peer_port 500 (R) MM_NO_STATE
*Mar  1 00:16:03.567: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  1 00:16:03.571: ISAKMP:(0):peer does not do paranoid keepalives.
*Mar  1 00:16:03.575: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 192.168.9.10)
*Mar  1 00:16:03.579: ISAKMP:(0): processing vendor id payload
*Mar  1 00:16:03.583: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 00:16:03.583: ISAKMP:(0): vendor ID is NAT-T v2
*Mar  1 00:16:03.587: ISAKMP:(0): processing vendor id payload
*Mar  1 00:16:03.591: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar  1 00:16:03.591: ISAKMP:(0): vendor ID is NAT-T v3
*Mar  1 00:16:03.595: ISAKMP:(0): processing vendor id payload
*Mar  1 00:16:03.599: ISAKMP:(0): processing IKE frag vendor id payload
*Mar  1 00:16:03.599: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar  1 00:16:03.603: ISAKMP (0:0): FSM action returned error: 2
*Mar  1 00:16:03.607: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 00:16:03.607: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
*Mar  1 00:16:03.643: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 192.168.9.10)
*Mar  1 00:16:03.643: ISAKMP: Unlocking peer struct 0x66D65F88 for isadb_mark_sa_deleted(), count 0
*Mar  1 00:16:03.647: ISAKMP: Deleting peer node by peer_reap for 192.168.9.10: 66D65F88
*Mar  1 00:16:03.651: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 00:16:03.655: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA
*Mar  1 00:16:03.659: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Mar  1 00:16:03.659: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 192.168.9.10)
*Mar  1 00:16:03.659: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*Mar  1 00:16:03.659: ISAKMP:(0):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
*Mar  1 00:16:10.251: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 192.168.55.5, remote= 192.168.9.10,
    local_proxy= 10.5.5.5/255.255.255.255/0/0 (type=1),
    remote_proxy= 10.8.8.8/255.255.255.255/0/0 (type=1)
*Mar  1 00:16:11.419: ISAKMP (0:0): received packet from 192.168.9.10 dport 500 sport 500 Global (R) MM_NO_STATE
R5#
R5#


If anyone can shed some light on this or give some further suggestions I would appreciate it.

Thanks
Ben










On Sun, Jun 24, 2012 at 1:43 AM, Imre Oszkar <[email protected]> wrote:

Hi Ben

Can you try this:

crypto map cryptomap1 10 ipsec-isakmp
  set isakmp-profile isakmpprof1

Oszkar

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com




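An added triage helper for the kind of output quoted above; it is example code written for this page, not part of the thread, of IOS, or of any Cisco tool. It reads "debug crypto isakmp" lines of the shape Ben posted, records which local ISAKMP policy each peer proposal was checked against and the attributes offered, decodes the variable-length lifetime bytes (0x0 0x1 0x51 0x80 is 86400 seconds), and maps the failure lines to the check a defender would run next. The sample debug text is constructed for the example; the hint strings are this example's own summary of the advice in the thread (check that the RSA keypair and certificate behind the trustpoint actually exist, which is what Piotr asks for and what the GNS note is about), and the two "show" commands named in them are standard IOS commands, not something the thread quotes.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample, shaped like the IOS "debug crypto isakmp" lines quoted in the thread
# (illustrative values, not copied from a production device).
SAMPLE_DEBUG = """\
*Mar  1 00:18:15.812: ISAKMP:(0):Profile has no keyring, aborting key search
*Mar  1 00:18:15.816: ISAKMP:(0): No Cert or pre-shared address key.
*Mar  1 00:18:15.820: ISAKMP:(0): construct_initial_message: Can not start Main mode
*Mar  1 00:18:51.378: ISAKMP (0:0): received packet from 192.168.9.10 dport 500 sport 500 Global (N) NEW SA
*Mar  1 00:18:51.446: ISAKMP:(0):Checking ISAKMP transform 1 against priority 11 policy
*Mar  1 00:18:51.446: ISAKMP:      default group 5
*Mar  1 00:18:51.450: ISAKMP:      encryption AES-CBC
*Mar  1 00:18:51.450: ISAKMP:      keylength of 128
*Mar  1 00:18:51.450: ISAKMP:      hash SHA
*Mar  1 00:18:51.454: ISAKMP:      auth RSA sig
*Mar  1 00:18:51.454: ISAKMP:      life type in seconds
*Mar  1 00:18:51.458: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  1 00:18:51.462: ISAKMP:(0):RSA signature authentication offered but does not match policy!
*Mar  1 00:18:51.470: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
*Mar  1 00:18:51.470: ISAKMP:      encryption AES-CBC
*Mar  1 00:18:51.486: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 00:18:51.490: ISAKMP:(0):no offers accepted!
*Mar  1 00:18:51.490: ISAKMP:(0): phase 1 SA policy not acceptable! (local 192.168.55.5 remote 192.168.9.10)
"""

# Failure markers and the check to run next. The hints summarise the thread's advice
# (verify the RSA keypair/certificate behind the trustpoint); they are not IOS documentation.
FAILURE_SIGNATURES = {
    "No Cert or pre-shared address key": "initiator has no certificate/RSA keypair and no pre-shared key "
    "for this peer: confirm the keypair named by the trustpoint's 'rsakeypair' exists "
    "('show crypto key mypubkey rsa') and that the trustpoint holds a router certificate "
    "('show crypto pki certificates')",
    "RSA signature authentication offered but does not match policy": "responder rejected rsa-sig "
    "against this policy: check the policy's authentication method and that a usable certificate is present",
    "Encryption algorithm offered does not match policy": "peer's encryption proposal does not match this policy",
    "phase 1 SA policy not acceptable": "no local ISAKMP policy accepted any of the peer's proposals",
}

LINE_RE = re.compile(r"^\*?(?P<ts>[A-Za-z]{3}\s+\d+\s+[\d:.]+):\s*(?P<body>.*)$")
POLICY_RE = re.compile(r"Checking ISAKMP transform \d+ against priority (?P<prio>\d+) policy")
ATTR_RE = re.compile(
    r"^ISAKMP:\s+(?P<attr>default group|encryption|keylength of|hash|auth|"
    r"life type in|life duration \(VPI\) of)\s+(?P<val>.+?)\s*$"
)
PEER_RE = re.compile(r"\(local (?P<local>[\d.]+) remote (?P<remote>[\d.]+)\)")


@dataclass
class Phase1Report:
    peers: Set[Tuple[str, str]] = field(default_factory=set)
    proposals: Dict[int, Dict[str, str]] = field(default_factory=dict)  # policy priority -> offered attrs
    rejections: List[str] = field(default_factory=list)                  # lines that mark a failure
    findings: List[str] = field(default_factory=list)                    # de-duplicated hints


def decode_vpi(words: str) -> int:
    """Decode the big-endian byte list IOS prints for a variable-length attribute
    ('0x0 0x1 0x51 0x80' is 0x00015180 = 86400 seconds)."""
    value = 0
    for w in words.split():
        value = (value << 8) | int(w, 16)
    return value


def parse_isakmp_debug(text: str) -> Phase1Report:
    """Walk the debug output once, tracking which local policy the peer's transform is being
    checked against, and collect the offered attributes plus every failure marker seen."""
    report = Phase1Report()
    current_prio = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        pm = POLICY_RE.search(body)
        if pm:
            current_prio = int(pm.group("prio"))
            report.proposals.setdefault(current_prio, {})
            continue
        am = ATTR_RE.match(body)
        if am and current_prio is not None:
            attr, val = am.group("attr"), am.group("val")
            if attr.startswith("life duration"):
                val = str(decode_vpi(val))  # store the lifetime in seconds, not raw bytes
            report.proposals[current_prio][attr] = val
            continue
        peer = PEER_RE.search(body)
        if peer:
            report.peers.add((peer.group("local"), peer.group("remote")))
        for sig, hint in FAILURE_SIGNATURES.items():
            if sig in body:
                # Only the per-policy mismatches are tied to the policy being checked.
                tag = f"policy {current_prio}: " if sig.endswith("match policy") and current_prio is not None else ""
                report.rejections.append(tag + body.strip())
                if hint not in report.findings:
                    report.findings.append(hint)
    return report


if __name__ == "__main__":
    rep = parse_isakmp_debug(SAMPLE_DEBUG)
    for prio, attrs in sorted(rep.proposals.items()):
        print(f"policy {prio}: {attrs}")
    for line in rep.rejections:
        print("REJECT ", line)
    for hint in rep.findings:
        print("CHECK  ", hint)
```

Feed it the real debug capture instead of SAMPLE_DEBUG and the report separates the two distinct problems visible in the thread: the initiator-side "No Cert or pre-shared address key" (no usable key material behind the trustpoint) and the responder-side rejection of the ASA's rsa-sig/AES-CBC proposal by both policy 11 and the default policy 65535.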

