Hi All

thanks for your help with this so far.

I have managed to get it working. I am not sure how it got to this point, but
I will explain what I found and what I did to get it working:

- I am running the R5 router on GNS3, so, as per Waleed's suggestion,
there were no keys on the router
- I recreated the keys and trustpoint and tried to re-enrol with the CA
- I had issues with enrolling with the CA and found that control-plane
protection was preventing HTTP access, so I had to allow this (it took me a
couple of hours to work out the issue there)
- Once I could re-enrol, everything began working
- The ISAKMP profile was not needed to get it working but obviously was
required for the certificate map I was using, and if I had more than one
trustpoint on the router I think it could have been required to make
trustpoint selection more precise even if there was no need for a
certificate map.

So I have no idea how I was able to enrol before with the CA considering
the control-plane protection applied. I am not sure how that got there, as it
is not in the original configs for the lab. However, the output in my
previous posts does show the router had a certificate, so I must
have added it at some point after that.

Anyhow, the situation begs the question: if keys are not stored across
reboots, how does one resolve that when using the public/private key pair
for RSA authentication? Surely just recreating a key pair will not work,
considering it is the old public key that is bound to the ID cert and any
new key pair will not match it.

Thanks again
Ben
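For anyone hitting the same "No Cert or pre-shared address key." symptom after a GNS3 restart, here is an added example (it is not part of Ben's lab or the original configs) of building the R5 side so that the key pair does not have to be re-enrolled when NVRAM is lost: the key pair is generated as exportable, the key pair plus ID and CA certificates are exported together as one PKCS#12 bundle after enrolment, and that bundle is re-imported instead of re-enrolling. The trustpoint name myCA, key label myCA-KEYS, CA URL and peer addresses are taken from the posted config; the TFTP destination, the file name R5-myCA.p12 and the passphrase are assumptions. The ISAKMP profile is shown binding the trustpoint explicitly so the router never has to guess which trustpoint's ID certificate to present.

```ios
! --- Added example, not part of the original lab configs ---
! "exportable" is what makes the later PKCS#12 export possible. A key pair
! re-generated after NVRAM is wiped has a new modulus that no longer matches the
! public key inside the issued ID certificate, so the cert would have to be
! re-issued; exporting and re-importing the bundle avoids that.
crypto key generate rsa general-keys label myCA-KEYS modulus 2048 exportable
!
crypto pki trustpoint myCA
 enrollment url http://10.1.1.1:80
 fqdn R5.cisco.com
 ip-address 10.5.5.5
 subject-name cn=R5
 revocation-check none
 rsakeypair myCA-KEYS
!
! Fetch the CA certificate (confirm its fingerprint out of band before accepting),
! then enrol. SCEP is HTTP from the router to the CA, so any control-plane or
! management-plane filtering on the router or CA must permit that traffic.
crypto pki authenticate myCA
crypto pki enroll myCA
!
! Back up key pair + ID cert + CA cert as one PKCS#12 file. The passphrase
! protects the private key, so treat the file and passphrase as secrets.
! (TFTP server, file name and passphrase are assumptions.)
crypto pki export myCA pkcs12 tftp://10.1.1.1/R5-myCA.p12 password Exp0rtPass
!
! After a reboot that lost the keys: restore instead of re-enrolling.
! The import recreates the key pair and reinstalls both certificates under
! the trustpoint, so the public key in the ID cert matches again.
crypto pki import myCA pkcs12 tftp://10.1.1.1/R5-myCA.p12 password Exp0rtPass
!
! Bind the trustpoint to the peer explicitly through the ISAKMP profile.
crypto pki certificate map certmap1 10
 issuer-name co myca
 subject-name co asa2
!
crypto isakmp policy 11
 encr aes
 hash sha
 authentication rsa-sig
 group 5
!
crypto isakmp identity dn
crypto isakmp profile isakmpprof1
 ca trust-point myCA
 match certificate certmap1
!
crypto map cryptomap1 10 ipsec-isakmp
 set peer 192.168.9.10
 set transform-set aes-sha
 set isakmp-profile isakmpprof1
 match address crypto1
!
! Checks to run before blaming the ISAKMP profile or the crypto map:
!   show crypto key mypubkey rsa   -> must list "Key name: myCA-KEYS"
!   show crypto pki certificates   -> must show both "Certificate" and
!                                     "CA Certificate" under trustpoint myCA
!   debug crypto isakmp            -> "No Cert or pre-shared address key."
!                                     means the key pair is missing again
```

`hash sha` and `authentication rsa-sig` are the IOS defaults and are only spelled out here so the policy visibly matches what the ASA offered in the debugs. Whether the key pair survives a reboot at all depends on NVRAM actually being written and kept by the emulator; the export/import path works either way, and the `show crypto key mypubkey rsa` check is the quickest way to tell which situation you are in.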

On Sun, Jun 24, 2012 at 6:53 PM, Piotr Matusiak <[email protected]> wrote:

>   Ben,
>
> This message “No Cert or pre-shared address key.” is there when you have
> no RSA keys on your router. Can you check this first?
> I know you have named keys assigned to the trustpoint but it seems like
> something isn’t right here.
>
> Regards,
> Piotr
>
>
>
>
>  *From:* Ben Shaw <[email protected]>
> *Sent:* Sunday, June 24, 2012 8:51 AM
> *To:* Imre Oszkar <[email protected]>
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates -
> YusufLab 1 Q2.3
>
> Hi All,
>
> I was under the impression that the application of the ISAKMP profile
> allows the trustpoint to be chosen and used to authenticate a peer based on
> the match commands configured in the profile. For this reason I had the
> understanding it was more about which trustpoint to compare a certificate
> received from an IPSec peer against, not for deciding which trustpoint's ID
> certificate is to be sent to the peer when initiating a tunnel. Anyway, I
> have added the ISAKMP profile to the crypto map and still have the same issues.
>
> I first configured the following on R5 (which by the way is not the CA,
> the CA is another router - R1)
>
>
> R5(config)#crypto map cryptomap1 10 ipsec-isakmp
> R5(config-crypto-map)#set isakmp-profile isakmpprof1
>
>
> The resultant configuration was as follows
>
>
> R5#show running-config
> Building configuration...
>
> Current configuration : 7300 bytes
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname R5
> !
> boot-start-marker
> boot-end-marker
> !
> enable password cisco
> !
> no aaa new-model
> memory-size iomem 5
> ip cef
> !
> no ip domain lookup
> ip domain name cisco.com
> !
> frame-relay switching
> multilink bundle-name authenticated
> !
> parameter-map type inspect SMTP
> sessions maximum 2147483647
> parameter-map type regex EMAIL
> pattern [email protected]
> !
> crypto pki trustpoint myCA
> enrollment url http://10.1.1.1:80
> fqdn R5.cisco.com
> ip-address 10.5.5.5
> subject-name cn=R5
> revocation-check none
> rsakeypair myCA-KEYS
> !
> crypto pki certificate map certmap1 10
> issuer-name co myca
> subject-name co asa2
> !
> crypto pki certificate chain myCA
> certificate 06
>   19311730 15060355 0403130E 6D794341 2E636973 636F2E63 6F6D301E 170D3132
>         quit
> certificate ca 01
>   3082020B 30820174 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
>         quit
> !
> archive
> log config
>   hidekeys
> !
> crypto isakmp policy 11
> encr aes
> group 5
> crypto isakmp identity dn
> crypto isakmp profile isakmpprof1
>    self-identity fqdn
>    ca trust-point myCA
>    match certificate certmap1
> !
> crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
> !
> crypto map cryptomap1 local-address Loopback6
> crypto map cryptomap1 10 ipsec-isakmp
> set peer 192.168.9.10
> set transform-set aes-sha
> set isakmp-profile isakmpprof1
> match address crypto1
> !
> ip tcp synwait-time 5
> !
> class-map type inspect match-all MAIL
> match protocol smtp
> class-map type inspect match-all ICMP
> match protocol icmp
> class-map type inspect match-all IP
> match access-group 100
> class-map type inspect smtp match-any Large_Mail
> match  data-length gt 10000000
> class-map type inspect match-all ALL
> class-map type inspect match-all WEB
> match protocol http
> class-map type inspect match-any other
> match protocol telnet
> match protocol ssh
> class-map type inspect http match-all HTTP_Misuse
> match  request port-misuse any
> !
> policy-map type inspect http HTTP_pol
> class type inspect http HTTP_Misuse
>   reset
> policy-map type inspect smtp SMTP_pol
> class type inspect smtp Large_Mail
>   reset
> policy-map type inspect central_remote
> class type inspect IP
>   inspect
> class class-default
> policy-map type inspect remote_central
> class type inspect ICMP
>   inspect
> class type inspect other
>   inspect
> class type inspect WEB
>   inspect
>   service-policy http HTTP_pol
> class type inspect MAIL
>   inspect
>   service-policy smtp SMTP_pol
> class class-default
> !
> zone security CENTRAL
> zone security REMOTE
> zone-pair security central_remote source CENTRAL destination REMOTE
> service-policy type inspect central_remote
> zone-pair security remote_central source REMOTE destination CENTRAL
> service-policy type inspect remote_central
> !
> interface Loopback0
> ip address 10.5.5.5 255.255.255.0
> !
> interface Loopback5
> ip address 10.55.55.55 255.255.255.255
> ip nat inside
> ip virtual-reassembly
> !
> interface Loopback6
> ip address 192.168.55.5 255.255.255.0
> !
> interface FastEthernet0/0
> no ip address
> shutdown
> duplex auto
> speed auto
> !
> interface Serial0/0
> ip address 192.168.35.5 255.255.255.0
> ip nat outside
> ip virtual-reassembly
> zone-member security REMOTE
> encapsulation ppp
> ip ospf network point-to-point
> no fair-queue
> clock rate 2000000
> crypto map cryptomap1
> !
> interface FastEthernet0/1
> ip address 192.168.11.10 255.255.255.0
> duplex auto
> speed auto
> ntp broadcast
> !
> interface Serial0/1
> ip address 192.168.65.5 255.255.255.0
> zone-member security CENTRAL
> encapsulation frame-relay
> ip ospf network point-to-point
> clock rate 2000000
> frame-relay map ip 192.168.65.6 65 broadcast
> frame-relay intf-type dce
> crypto map cryptomap1
> !
> router ospf 1
> log-adjacency-changes
> network 10.5.5.0 0.0.0.255 area 0
> network 10.55.55.0 0.0.0.255 area 0
> network 192.168.35.0 0.0.0.255 area 0
> network 192.168.55.0 0.0.0.255 area 0
> network 192.168.65.0 0.0.0.255 area 0
> !
> ip forward-protocol nd
> !
> ip http server
> no ip http secure-server
> ip nat inside source route-map s0 interface Serial0/0 overload
> ip nat inside source route-map s1 interface Serial0/1 overload
> !
> ip access-list extended crypto1
> permit ip host 10.5.5.5 host 10.8.8.8
> !
> access-list 100 permit ip any any
> access-list 102 permit ip any host 10.55.55.55
> !
> route-map s1 permit 10
> match ip address 102
> match interface Serial0/1
> !
> route-map s0 permit 10
> match ip address 102
> match interface Serial0/0
> !
> control-plane
> !
> line con 0
> exec-timeout 0 0
> password cisco
> logging synchronous
> login
> line aux 0
> exec-timeout 0 0
> password cisco
> logging synchronous
> login
> transport input telnet
> line vty 0 4
> exec-timeout 0 0
> password cisco
> logging synchronous
> login
> transport input telnet
> !
> ntp authentication-key 1 md5 060506324F41 7
> ntp authenticate
> ntp trusted-key 1
> ntp clock-period 17181052
> ntp source Loopback0
> ntp server 10.1.1.1 key 1
> !
> end
> R5#
>
>
> I then got the same results in the debug as before. When trying to
> initiate the tunnel from the router I got the following
>
>
> R5#ping 10.8.8.8 source loopback 0
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.8.8.8, timeout is 2 seconds:
> Packet sent with a source address of 10.5.5.5
> *Mar  1 00:18:15.768: IPSEC(sa_request): ,
>   (key eng. msg.) OUTBOUND local= 192.168.55.5, remote= 192.168.9.10,
>     local_proxy= 10.5.5.5/255.255.255.255/0/0 (type=1),
>     remote_proxy= 10.8.8.8/255.255.255.255/0/0 (type=1),
>     protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
>     lifedur= 3600s and 4608000kb,
>     spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
> *Mar  1 00:18:15.788: ISAKMP:(0): SA request profile is isakmpprof1
> *Mar  1 00:18:15.792: ISAKMP: Created a peer struct for 192.168.9.10, peer
> port 500
> *Mar  1 00:18:15.796: ISAKMP: New peer created peer = 0x66D65F88
> peer_handle = 0x8000000E
> *Mar  1 00:18:15.796: ISAKMP: Locking peer struct 0x66D65F88, refcount 1
> for isakmp_initiator
> *Mar  1 00:18:15.800: ISAKMP: local port 500, remote port 500
> *Mar  1 00:18:15.804: ISAKMP: set new node 0 to QM_IDLE
> *Mar  1 00:18:15.804: insert sa successfully sa = 677F9C40
> *Mar  1 00:18:15.808: ISAKMP:(0):Can not start Aggressive mode, trying
> Main mode.
> *Mar  1 00:18:15.812: ISAKMP:(0):Profile has no keyring, aborting key
> search
> *Mar  1 00:18:15.816: ISAKMP:(0):Profile has no keyring, aborting host key
> search
> *Mar  1 00:18:15.816: ISAKMP:(0): No Cert or pre-shared address key.
> *Mar  1 00:18:15.820: ISAKMP:(0): construct_initial_message: Can not start
> Main mode
> *Mar  1 00:18:15.820: ISAKMP: Unlocking peer struct 0x66D65F88 for
> isadb_unlock_peer_delete_sa(), count 0
> *Mar  1 00:18:15.824: ISAKMP: Deleting peer node .by peer_reap for
> 192.168.9.10: 66D65F88
> *Mar  1 00:18:15.828: ISAKMP:(0):purging SA., sa=677F9C40, delme=677F9C40
> *Mar  1 00:18:15.832: ISAKMP:(0):purging node -439292819
> *Mar  1 00:18:15.832: ISAKMP: Error while processing SA request: Failed to
> initialize SA
> *Mar  1 00:18:15.832: ISAKMP: Error while processing KMI message 0, error
> 2.
> *Mar  1 00:18:15.832: IPSEC(key_engine): got a queue event with 1 KMI
> message(s)....
> Success rate is 0 percent (0/5)
> R5#
>
>
> When initiating the tunnel from the ASA I get the following debugs on the
> router
>
>
> R5#
> *Mar  1 00:18:51.378: ISAKMP (0:0): received packet from 192.168.9.10
> dport 500 sport 500 Global (N) NEW SA
> *Mar  1 00:18:51.382: ISAKMP: Created a peer struct for 192.168.9.10, peer
> port 500
> *Mar  1 00:18:51.382: ISAKMP: New peer created peer = 0x66D65F88
> peer_handle = 0x80000010
> *Mar  1 00:18:51.386: ISAKMP: Locking peer struct 0x66D65F88, refcount 1
> for crypto_isakmp_process_block
> *Mar  1 00:18:51.390: ISAKMP: local port 500, remote port 500
> *Mar  1 00:18:51.394: insert sa successfully sa = 677F9C40
> *Mar  1 00:18:51.398: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> *Mar  1 00:18:51.398: ISAKMP:(0):Old State = IKE_READY  New State =
> IKE_R_MM1
> *Mar  1 00:18:51.414: ISAKMP:(0): processing SA payload. message ID = 0
> *Mar  1 00:18:51.418: ISAKMP:(0): processing vendor id payload
> *Mar  1 00:18:51.422: ISAKMP:(0): vendor ID seems Unity/DPD but major 123
> mismatch
> *Mar  1 00:18:51.426: ISAKMP:(0): vendor ID is NAT-T v2
> *Mar  1 00:18:51.426: ISAKMP:(0): processing vendor id payload
> *Mar  1 00:18:51.430: ISAKMP:(0): vendor ID seems Unity/DPD but major 157
> mismatch
> *Mar  1 00:18:51.430: ISAKMP:(0): vendor ID is NAT-T v3
> *Mar  1 00:18:51.434: ISAKMP:(0): processing vendor id payload
> *Mar  1 00:18:51.438: ISAKMP:(0): processing IKE frag vendor id payload
> *Mar  1 00:18:51.438: ISAKMP:(0):Support for IKE Fragmentation not enabled
> *Mar  1 00:18:51.442: ISAKMP : Scanning profiles for xauth ... isakmpprof1
> *Mar  1 00:18:51.446: ISAKMP:(0):Checking ISAKMP transform 1 against
> priority 11 policy
> *Mar  1 00:18:51.446: ISAKMP:      default group 5
> *Mar  1 00:18:51.450: ISAKMP:      encryption AES-CBC
> *Mar  1 00:18:51.450: ISAKMP:      keylength of 128
> *Mar  1 00:18:51.450: ISAKMP:      hash SHA
> *Mar  1 00:18:51.454: ISAKMP:      auth RSA sig
> *Mar  1 00:18:51.454: ISAKMP:      life type in seconds
> *Mar  1 00:18:51.458: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51
> 0x80
> *Mar  1 00:18:51.462: ISAKMP:(0):RSA signature authentication offered but
> does not match policy!
> *Mar  1 00:18:51.466: ISAKMP:(0):atts are not acceptable. Next payload is 0
> *Mar  1 00:18:51.470: ISAKMP:(0):Checking ISAKMP transform 1 against
> priority 65535 policy
> *Mar  1 00:18:51.470: ISAKMP:      default group 5
> *Mar  1 00:18:51.470: ISAKMP:      encryption AES-CBC
> *Mar  1 00:18:51.474: ISAKMP:      keylength of 128
> *Mar  1 00:18:51.474: ISAKMP:      hash SHA
> *Mar  1 00:18:51.478: ISAKMP:      auth RSA sig
> *Mar  1 00:18:51.478: ISAKMP:      life type in seconds
> *Mar  1 00:18:51.478: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51
> 0x80
> *Mar  1 00:18:51.486: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> *Mar  1 00:18:51.490: ISAKMP:(0):atts are not acceptable. Next payload is 0
> *Mar  1 00:18:51.490: ISAKMP:(0):no offers accepted!
> *Mar  1 00:18:51.490: ISAKMP:(0): phase 1 SA policy not acceptable! (local
> 192.168.55.5 remote 192.168.9.10)
> *Mar  1 00:18:51.490: ISAKMP (0:0): incrementing error counter on sa,
> attempt 1 of 5: construct_fail_ag_init
> *Mar  1 00:18:51.490: ISAKMP:(0): sending packet to 192.168.9.10 my_port
> 500 peer_port 500 (R) MM_NO_STATE
> *Mar  1 00:18:51.494: ISAKMP:(0):Sending an IKE IPv4 Packet.
> *Mar  1 00:18:51.498: ISAKMP:(0):peer does not do paranoid keepalives.
> *Mar  1 00:18:51.502: ISAKMP:(0):deleting SA reason "Phase1 SA policy
> proposal not accepted" state (R) MM_NO_STATE (peer 192.168.9.10)
> *Mar  1 00:18:51.506: ISAKMP:(0): processing vendor id payload
> *Mar  1 00:18:51.506: ISAKMP:(0): vendor ID seems Unity/DPD but major 123
> mismatch
> *Mar  1 00:18:51.510: ISAKMP:(0): vendor ID is NAT-T v2
> *Mar  1 00:18:51.514: ISAKMP:(0): processing vendor id payload
> *Mar  1 00:18:51.514: ISAKMP:(0): vendor ID seems Unity/DPD but major 157
> mismatch
> *Mar  1 00:18:51.518: ISAKMP:(0): vendor ID is NAT-T v3
> *Mar  1 00:18:51.522: ISAKMP:(0): processing vendor id payload
> *Mar  1 00:18:51.522: ISAKMP:(0): processing IKE frag vendor id payload
> *Mar  1 00:18:51.526: ISAKMP:(0):Support for IKE Fragmentation not enabled
> *Mar  1 00:18:51.530: ISAKMP (0:0): FSM action returned error: 2
> *Mar  1 00:18:51.530: ISAKMP:(0):Input = IKE_MESG_INTERNAL,
> IKE_PROCESS_MAIN_MODE
> *Mar  1 00:18:51.534: ISAKMP:(0):Old State = IKE_R_MM1  New State =
> IKE_R_MM1
> *Mar  1 00:18:51.566: ISAKMP:(0):deleting SA reason "Phase1 SA policy
> proposal not accepted" state (R) MM_NO_STATE (peer 192.168.9.10)
> *Mar  1 00:18:51.566: ISAKMP: Unlocking peer struct 0x66D65F88 for
> isadb_mark_sa_deleted(), count 0
> *Mar  1 00:18:51.570: ISAKMP: Deleting peer node by peer_reap for
> 192.168.9.10: 66D65F88
> *Mar  1 00:18:51.570: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
> *Mar  1 00:18:51.574: ISAKMP:(0):Old State = IKE_R_MM1  New State =
> IKE_DEST_SA
> *Mar  1 00:18:51.578: IPSEC(key_engine): got a queue event with 1 KMI
> message(s)
> *Mar  1 00:18:51.598: ISAKMP:(0):deleting SA reason "No reason" state (R)
> MM_NO_STATE (peer 192.168.9.10)
> *Mar  1 00:18:51.602: ISAKMP:(0):Input = IKE_MESG_INTERNAL,
> IKE_PROCESS_ERROR
> *Mar  1 00:18:51.606: ISAKMP:(0):Old State = IKE_DEST_SA  New State =
> IKE_DEST_SA
>
>
> I then decided to make the ISAKMP profile more basic and did the following
>
>
> R5(config)# crypto isakmp profile isakmpprof1
> R5(conf-isa-prof)# no self-identity fqdn
> R5(conf-isa-prof)# no match certificate certmap1
> R5(conf-isa-prof)# match identity address 192.168.9.10 255.255.255.255
>
>
> Pinging from the router side then produced what seems to be the same debug
> output below
>
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.8.8.8, timeout is 2 seconds:
> Packet sent with a source address of 10.5.5.5
>
> *Mar  1 00:15:10.239: IPSEC(sa_request): ,
>   (key eng. msg.) OUTBOUND local= 192.168.55.5, remote= 192.168.9.10,
>     local_proxy= 10.5.5.5/255.255.255.255/0/0 (type=1),
>     remote_proxy= 10.8.8.8/255.255.255.255/0/0 (type=1),
>     protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
>     lifedur= 3600s and 4608000kb,
>     spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
> *Mar  1 00:15:10.259: ISAKMP:(0): SA request profile is isakmpprof1
> *Mar  1 00:15:10.263: ISAKMP: Created a peer struct for 192.168.9.10, peer
> port 500
> *Mar  1 00:15:10.267: ISAKMP: New peer created peer = 0x66D65F88
> peer_handle = 0x8000000B
> *Mar  1 00:15:10.267: ISAKMP: Locking peer struct 0x66D65F88, refcount 1
> for isakmp_initiator
> *Mar  1 00:15:10.271: ISAKMP: local port 500, remote port 500
> *Mar  1 00:15:10.275: ISAKMP: set new node 0 to QM_IDLE
> *Mar  1 00:15:10.275: insert sa successfully sa = 66F836E4
> *Mar  1 00:15:10.279: ISAKMP:(0):Can not start Aggressive mode, trying
> Main mode.
> *Mar  1 00:15:10.283: ISAKMP:(0):Profile has no keyring, aborting key
> search
> *Mar  1 00:15:10.287: ISAKMP:(0):Profile has no keyring, aborting host key
> search
> *Mar  1 00:15:10.287: ISAKMP:(0): No Cert or pre-shared address key.
> *Mar  1 00:15:10.291: ISAKMP:(0): construct_initial_message: Can not start
> Main mode
> *Mar  1 00:15:10.291: ISAKMP: Unlocking peer struct 0x66D65F88 for
> isadb_unlock_peer_delete_sa(), count 0
> *Mar  1 00:15:10.295: ISAKMP: Deleting peer node by peer_reap for
> 192.168.9.10: 66D65F88.
> *Mar  1 00:15:10.299: ISAKMP:(0):purging SA., sa=66F836E4, delme=66F836E4
> *Mar  1 00:15:10.303: ISAKMP:(0):purging node 1282500099
> *Mar  1 00:15:10.307: ISAKMP: Error while processing SA request: Failed to
> initialize SA
> *Mar  1 00:15:10.311: ISAKMP: Error while processing KMI message 0, error
> 2.
> *Mar  1 00:15:10.311: IPSEC(key_engine): got a queue event with 1 KMI
> message(s)....
> Success rate is 0 percent (0/5)
> R5#
>
>
> Initiating from the ASA side gave the following output on the router
>
>
> *Mar  1 00:16:03.471: ISAKMP (0:0): received packet from 192.168.9.10
> dport 500 sport 500 Global (N) NEW SA
> *Mar  1 00:16:03.475: ISAKMP: Created a peer struct for 192.168.9.10, peer
> port 500
> *Mar  1 00:16:03.475: ISAKMP: New peer created peer = 0x66D65F88
> peer_handle = 0x8000000D
> *Mar  1 00:16:03.479: ISAKMP: Locking peer struct 0x66D65F88, refcount 1
> for crypto_isakmp_process_block
> *Mar  1 00:16:03.483: ISAKMP: local port 500, remote port 500
> *Mar  1 00:16:03.487: insert sa successfully sa = 66F836E4
> *Mar  1 00:16:03.491: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> *Mar  1 00:16:03.491: ISAKMP:(0):Old State = IKE_READY  New State =
> IKE_R_MM1
> *Mar  1 00:16:03.511: ISAKMP:(0): processing SA payload. message ID = 0
> *Mar  1 00:16:03.511: ISAKMP:(0): processing vendor id payload
> *Mar  1 00:16:03.515: ISAKMP:(0): vendor ID seems Unity/DPD but major 123
> mismatch
> *Mar  1 00:16:03.519: ISAKMP:(0): vendor ID is NAT-T v2
> *Mar  1 00:16:03.519: ISAKMP:(0): processing vendor id payload
> *Mar  1 00:16:03.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 157
> mismatch
> *Mar  1 00:16:03.527: ISAKMP:(0): vendor ID is NAT-T v3
> *Mar  1 00:16:03.527: ISAKMP:(0): processing vendor id payload
> *Mar  1 00:16:03.531: ISAKMP:(0): processing IKE frag vendor id payload
> *Mar  1 00:16:03.535: ISAKMP:(0):Support for IKE Fragmentation not enabled
> *Mar  1 00:16:03.535: ISAKMP : Scanning profiles for xauth ... isakmpprof1
> *Mar  1 00:16:03.539: ISAKMP:(0):Checking ISAKMP transform 1 against
> priority 11 policy
> *Mar  1 00:16:03.543: ISAKMP:      default group 5
> *Mar  1 00:16:03.543: ISAKMP:      encryption AES-CBC
> *Mar  1 00:16:03.543: ISAKMP:      keylength of 128
> *Mar  1 00:16:03.547: ISAKMP:      hash SHA
> *Mar  1 00:16:03.547: ISAKMP:      auth RSA sig
> *Mar  1 00:16:03.551: ISAKMP:      life type in seconds
> *Mar  1 00:16:03.551: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51
> 0x80
> *Mar  1 00:16:03.555: ISAKMP:(0):RSA signature authentication offered but
> does not match policy!
> *Mar  1 00:16:03.559: ISAKMP:(0):atts are not acceptable. Next payload is 0
> *Mar  1 00:16:03.563: ISAKMP:(0):Checking ISAKMP transform 1 against
> priority 65535 policy
> *Mar  1 00:16:03.563: ISAKMP:      default group 5
> *Mar  1 00:16:03.567: ISAKMP:      encryption AES-CBC
> *Mar  1 00:16:03.567: ISAKMP:      keylength of 128
> *Mar  1 00:16:03.567: ISAKMP:      hash SHA
> *Mar  1 00:16:03.567: ISAKMP:      auth RSA sig
> *Mar  1 00:16:03.567: ISAKMP:      life type in seconds
> *Mar  1 00:16:03.567: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51
> 0x80
> *Mar  1 00:16:03.567: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> *Mar  1 00:16:03.567: ISAKMP:(0):atts are not acceptable. Next payload is 0
> *Mar  1 00:16:03.567: ISAKMP:(0):no offers accepted!
> *Mar  1 00:16:03.567: ISAKMP:(0): phase 1 SA policy not acceptable! (local
> 192.168.55.5 remote 192.168.9.10)
> *Mar  1 00:16:03.567: ISAKMP (0:0): incrementing error counter on sa,
> attempt 1 of 5: construct_fail_ag_init
> *Mar  1 00:16:03.567: ISAKMP:(0): sending packet to 192.168.9.10 my_port
> 500 peer_port 500 (R) MM_NO_STATE
> *Mar  1 00:16:03.567: ISAKMP:(0):Sending an IKE IPv4 Packet.
> *Mar  1 00:16:03.571: ISAKMP:(0):peer does not do paranoid keepalives.
> *Mar  1 00:16:03.575: ISAKMP:(0):deleting SA reason "Phase1 SA policy
> proposal not accepted" state (R) MM_NO_STATE (peer 192.168.9.10)
> *Mar  1 00:16:03.579: ISAKMP:(0): processing vendor id payload
> *Mar  1 00:16:03.583: ISAKMP:(0): vendor ID seems Unity/DPD but major 123
> mismatch
> *Mar  1 00:16:03.583: ISAKMP:(0): vendor ID is NAT-T v2
> *Mar  1 00:16:03.587: ISAKMP:(0): processing vendor id payload
> *Mar  1 00:16:03.591: ISAKMP:(0): vendor ID seems Unity/DPD but major 157
> mismatch
> *Mar  1 00:16:03.591: ISAKMP:(0): vendor ID is NAT-T v3
> *Mar  1 00:16:03.595: ISAKMP:(0): processing vendor id payload
> *Mar  1 00:16:03.599: ISAKMP:(0): processing IKE frag vendor id payload
> *Mar  1 00:16:03.599: ISAKMP:(0):Support for IKE Fragmentation not enabled
> *Mar  1 00:16:03.603: ISAKMP (0:0): FSM action returned error: 2
> *Mar  1 00:16:03.607: ISAKMP:(0):Input = IKE_MESG_INTERNAL,
> IKE_PROCESS_MAIN_MODE
> *Mar  1 00:16:03.607: ISAKMP:(0):Old State = IKE_R_MM1  New State =
> IKE_R_MM1
> *Mar  1 00:16:03.643: ISAKMP:(0):deleting SA reason "Phase1 SA policy
> proposal not accepted" state (R) MM_NO_STATE (peer 192.168.9.10)
> *Mar  1 00:16:03.643: ISAKMP: Unlocking peer struct 0x66D65F88 for
> isadb_mark_sa_deleted(), count 0
> *Mar  1 00:16:03.647: ISAKMP: Deleting peer node by peer_reap for
> 192.168.9.10: 66D65F88
> *Mar  1 00:16:03.651: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
> *Mar  1 00:16:03.655: ISAKMP:(0):Old State = IKE_R_MM1  New State =
> IKE_DEST_SA
> *Mar  1 00:16:03.659: IPSEC(key_engine): got a queue event with 1 KMI
> message(s)
> *Mar  1 00:16:03.659: ISAKMP:(0):deleting SA reason "No reason" state (R)
> MM_NO_STATE (peer 192.168.9.10)
> *Mar  1 00:16:03.659: ISAKMP:(0):Input = IKE_MESG_INTERNAL,
> IKE_PROCESS_ERROR
> *Mar  1 00:16:03.659: ISAKMP:(0):Old State = IKE_DEST_SA  New State =
> IKE_DEST_SA
> *Mar  1 00:16:10.251: IPSEC(key_engine): request timer fired: count = 2,
>   (identity) local= 192.168.55.5, remote= 192.168.9.10,
>     local_proxy= 10.5.5.5/255.255.255.255/0/0 (type=1),
>     remote_proxy= 10.8.8.8/255.255.255.255/0/0 (type=1)
> *Mar  1 00:16:11.419: ISAKMP (0:0): received packet from 192.168.9.10
> dport 500 sport 500 Global (R) MM_NO_STATE
> R5#
> R5#
>
>
> If anyone can shed some light on this or give some further suggestions I
> would appreciate it.
>
> Thanks
> Ben
>
>
>
>
>
>
>
>
>
> On Sun, Jun 24, 2012 at 1:43 AM, Imre Oszkar <[email protected]> wrote:
>
>> Hi Ben
>>
>> Can you try this:
>>
>> crypto map cryptomap1 10 ipsec-isakmp
>>   set isakmp-profile isakmpprof1
>>
>>
>> Oszkar
>>
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>>
>