After a successful export/import of the keys I ran into a weird problem.
There are two KSs running in COOP mode.
They can easily communicate with each other via IP/ICMP but can't establish a
GETVPN peer KS relationship.
I'm seeing the error:
"*Jul 16 19:39:44: %GDOI-3-COOP_KS_UNREACH: Cooperative KS 141.1.123.9 Unreachable in group GETVPN-GR"
More importantly, they can't negotiate an IKE policy:
*Jul 16 19:40:24: %CRYPTO-4-IKE_DEFAULT_POLICY_ACCEPTED: IKE default policy was matched and is being used.
I have absolutely identical IKE policy setup on both KS servers:
R1:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO123 address 143.1.123.0 255.255.255.0
crypto isakmp keepalive 15 periodic
R9:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO123 address 143.1.123.0 255.255.255.0
crypto isakmp keepalive 15 periodic
I see that their running IKE policies match what I have configured:
R1:
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
R9:
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
The GDOI part on both routers is configured as follows:
R1:
crypto gdoi group GETVPN-GR
 identity number 123
 server local
  rekey address ipv4 REKEY-ACL
  rekey lifetime seconds 400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-KEYS
  sa ipsec 1
   profile GETVPN-IPSEC-PROF
   match address ipv4 GETVPN-ICMP-ACL
   replay counter window-size 64
  address ipv4 141.1.123.1
  redundancy
   local priority 100
   peer address ipv4 141.1.123.9
R9:
crypto gdoi group GETVPN-GR
 identity number 123
 server local
  rekey address ipv4 REKEY-ACL
  rekey lifetime seconds 400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-KEYS
  sa ipsec 1
   profile GETVPN-IPSEC-PROF
   match address ipv4 GETVPN-ICMP-ACL
   replay counter window-size 64
  address ipv4 141.1.123.9
  redundancy
   local priority 50
   peer address ipv4 141.1.123.1
Finally, when I debug ISAKMP on one of the routers I see that they indeed
don't use ISAKMP policy 10. What drives me insane is that the router can't find
the pre-shared key.
Jul 17 02:48:30.603: ISAKMP: Created a peer struct for 141.1.123.1, peer port 848
Jul 17 02:48:30.603: ISAKMP: New peer created peer = 0x641F4E4C peer_handle = 0x80000009
Jul 17 02:48:30.603: ISAKMP: Locking peer struct 0x641F4E4C, refcount 1 for crypto_isakmp_process_block
Jul 17 02:48:30.603: ISAKMP: local port 848, remote port 848
Jul 17 02:48:30.603: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6438DB5C
Jul 17 02:48:30.603: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 17 02:48:30.607: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Jul 17 02:48:30.607: ISAKMP:(0): processing SA payload. message ID = 0
Jul 17 02:48:30.607: ISAKMP:(0):Switching to SW IKE SA: sa is 6438DB5C, ce_id is 80000002
Jul 17 02:48:30.607: ISAKMP:(0): processing vendor id payload
Jul 17 02:48:30.607: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Jul 17 02:48:30.607: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Jul 17 02:48:30.607: ISAKMP:(0): processing vendor id payload
Jul 17 02:48:30.607: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Jul 17 02:48:30.607: ISAKMP (0:0): vendor ID is NAT-T v7
Jul 17 02:48:30.607: ISAKMP:(0): processing vendor id payload
Jul 17 02:48:30.607: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Jul 17 02:48:30.607: ISAKMP:(0): vendor ID is NAT-T v3
Jul 17 02:48:30.607: ISAKMP:(0): processing vendor id payload
Jul 17 02:48:30.607: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Jul 17 02:48:30.607: ISAKMP:(0): vendor ID is NAT-T v2
Jul 17 02:48:30.607: ISAKMP:(0):No pre-shared key with 141.1.123.1!
Jul 17 02:48:30.607: ISAKMP : Scanning profiles for xauth ...
Jul 17 02:48:30.607: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Jul 17 02:48:30.607: ISAKMP: encryption DES-CBC
Jul 17 02:48:30.607: ISAKMP: hash SHA
Jul 17 02:48:30.607: ISAKMP: default group 1
Jul 17 02:48:30.607: ISAKMP: auth RSA sig
Jul 17 02:48:30.607: ISAKMP: life type in seconds
Jul 17 02:48:30.607: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Jul 17 02:48:30.607: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jul 17 02:48:30.607: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jul 17 02:48:30.607: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
Jul 17 02:48:30.607: ISAKMP: encryption DES-CBC
Jul 17 02:48:30.607: ISAKMP: hash SHA
Jul 17 02:48:30.607: ISAKMP: default group 1
Jul 17 02:48:30.607: ISAKMP: auth RSA sig
Jul 17 02:48:30.611: ISAKMP: life type in seconds
Jul 17 02:48:30.611: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Jul 17 02:48:30.611: ISAKMP:(0):atts are acceptable. Next payload is 0
Jul 17 02:48:30.611: ISAKMP:(0):Acceptable atts:actual life: 0
Jul 17 02:48:30.611: ISAKMP:(0):Acceptable atts:life: 0
Jul 17 02:48:30.611: ISAKMP:(0):Fill atts in sa vpi_length:4
Jul 17 02:48:30.611: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Jul 17 02:48:30.611: ISAKMP:(0):Returning Actual lifetime: 86400
Jul 17 02:48:30.611: ISAKMP:(0)::Started lifetime timer: 86400.
Jul 17 02:48:30.611: ISAKMP:(0): processing vendor id payload
Jul 17 02:48:30.611: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Jul 17 02:48:30.611: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Jul 17 02:48:30.611: ISAKMP:(0): processing vendor id payload
Jul 17 02:48:30.611: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Jul 17 02:48:30.611: ISAKMP (0:0): vendor ID is NAT-T v7
Jul 17 02:48:30.611: ISAKMP:(0): processing vendor id payload
Jul 17 02:48:30.611: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Jul 17 02:48:30.611: ISAKMP:(0): vendor ID is NAT-T v3
Jul 17 02:48:30.611: ISAKMP:(0): processing vendor id payload
Jul 17 02:48:30.611: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Jul 17 02:48:30.611: ISAKMP:(0): vendor ID is NAT-T v2
Jul 17 02:48:30.611: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 17 02:48:30.611: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Jul 17 02:48:30.615: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Jul 17 02:48:30.615: ISAKMP:(0): sending packet to 141.1.123.1 my_port 848 peer_port 848 (R) MM_SA_SETUP
Jul 17 02:48:30.615: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 17 02:48:30.615: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jul 17 02:48:30.615: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
Jul 17 02:48:30.859: ISAKMP (0:0): received packet from 141.1.123.1 dport 848 sport 848 Global (R) MM_SA_SETUP
Jul 17 02:48:30.859: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 17 02:48:30.859: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
Jul 17 02:48:30.859: ISAKMP:(0): processing KE payload. message ID = 0
Jul 17 02:48:30.903: ISAKMP:(0): processing NONCE payload. message ID = 0
Jul 17 02:48:30.903: ISAKMP:(1005): processing vendor id payload
Jul 17 02:48:30.903: ISAKMP:(1005): vendor ID is Unity
Jul 17 02:48:30.903: ISAKMP:(1005): processing vendor id payload
Jul 17 02:48:30.903: ISAKMP:(1005): vendor ID is DPD
Jul 17 02:48:30.903: ISAKMP:(1005): processing vendor id payload
Jul 17 02:48:30.903: ISAKMP:(1005): vendor ID is COOP
Jul 17 02:48:30.903: ISAKMP:(1005): processing vendor id payload
Jul 17 02:48:30.903: ISAKMP:(1005): speaking to another IOS box!
Jul 17 02:48:30.903: ISAKMP:received payload type 20
Jul 17 02:48:30.903: ISAKMP:received payload type 20
Jul 17 02:48:30.903: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 17 02:48:30.903: ISAKMP:(1005):Old State = IKE_R_MM3 New State = IKE_R_MM3
Jul 17 02:48:30.907: ISAKMP:(1005): sending packet to 141.1.123.1 my_port 848 peer_port 848 (R) MM_KEY_EXCH
Jul 17 02:48:30.907: ISAKMP:(1005):Sending an IKE IPv4 Packet.
Jul 17 02:48:30.907: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jul 17 02:48:30.907: ISAKMP:(1005):Old State = IKE_R_MM3 New State = IKE_R_MM4
Jul 17 02:48:31.991: ISAKMP: set new node 0 to GDOI_IDLE
Jul 17 02:48:31.991: ISAKMP:(1004):Switching to SW IKE SA: sa is 6438CE08, ce_id is 80000002
Jul 17 02:48:31.991: ISAKMP:(1004):SA is still budding. Attached new ipsec request to it. (local 141.1.123.9, remote 141.1.123.1)
Jul 17 02:48:31.991: ISAKMP: Error while processing SA request: Failed to initialize SA
Jul 17 02:48:31.991: ISAKMP: Error while processing KMI message 0, error 2.
Jul 17 02:48:31.991: ISAKMP:(1001):purging SA., sa=6471FCB8, delme=6471FCB8
Jul 17 02:48:40.907: ISAKMP:(1005): retransmitting phase 1 MM_KEY_EXCH...
Jul 17 02:48:40.907: ISAKMP (0:1005): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Jul 17 02:48:40.907: ISAKMP:(1005): retransmitting phase 1 MM_KEY_EXCH
Jul 17 02:48:40.907: ISAKMP:(1005): sending packet to 141.1.123.1 my_port 848 peer_port 848 (R) MM_KEY_EXCH
Jul 17 02:48:40.907: ISAKMP:(1005):Sending an IKE IPv4 Packet.
Jul 17 02:48:46.991: ISAKMP: quick mode timer expired.
Jul 17 02:48:46.991: ISAKMP:(1004):src 141.1.123.9 dst 141.1.123.1, SA is not authenticated
Jul 17 02:48:46.991: ISAKMP:(1004):peer does not do paranoid keepalives.
Jul 17 02:48:46.991: ISAKMP:(1004):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer 141.1.123.1)
Jul 17 02:48:46.991: ISAKMP:(1004):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer 141.1.123.1)
Jul 17 02:48:46.991: ISAKMP: Unlocking peer struct 0x649B6B18 for isadb_mark_sa_deleted(), count 0
Jul 17 02:48:46.991: ISAKMP: Deleting peer node by peer_reap for 141.1.123.1: 649B6B18
Jul 17 02:48:46.991: ISAKMP:(1004):deleting node -1613153694 error FALSE reason "IKE deleted"
Jul 17 02:48:46.991: ISAKMP:(1004):deleting node -1221654023 error FALSE reason "IKE deleted"
Jul 17 02:48:46.991: ISAKMP:(1004):deleting node 1999376160 error FALSE reason "IKE deleted"
Jul 17 02:48:46.991: ISAKMP:(1004):deleting node 136740611 error FALSE reason "IKE deleted"
Jul 17 02:48:46.991: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jul 17 02:48:46.991: ISAKMP:(1004):Old State = IKE_I_MM5 New State = IKE_DEST_SA
Jul 17 02:48:50.907: ISAKMP:(1005): retransmitting phase 1 MM_KEY_EXCH...
Jul 17 02:48:50.907: ISAKMP (0:1005): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Jul 17 02:48:50.907: ISAKMP:(1005): retransmitting phase 1 MM_KEY_EXCH
Jul 17 02:48:50.907: ISAKMP:(1005): sending packet to 141.1.123.1 my_port 848 peer_port 848 (R) MM_KEY_EXCH
Jul 17 02:48:50.907: ISAKMP:(1005):Sending an IKE IPv4 Packet.
Jul 17 02:48:51.991: ISAKMP:(0): no idb in request
Jul 17 02:48:51.991: ISAKMP:(0): SA request profile is (NULL)
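An added diagnostic check, not part of the original post, that reads the "crypto isakmp key ... address" binding and the ISAKMP debug together and reports any peer the debug says has no pre-shared key whose address lies outside every subnet a key is bound to, plus whether a transform was evaluated against the implicit priority-65535 default policy. The sample config and debug lines are constructed from the excerpts above; on them it reports 141.1.123.1 as outside the 143.1.123.0/24 key binding.

```python
import ipaddress
import re

# Constructed sample input, taken from the excerpts in the post above: the
# pre-shared key binding on the KS and two lines of 'debug crypto isakmp'.
ISAKMP_CONFIG = """\
crypto isakmp key CISCO123 address 143.1.123.0 255.255.255.0
"""
DEBUG_LINES = """\
Jul 17 02:48:30.607: ISAKMP:(0):No pre-shared key with 141.1.123.1!
Jul 17 02:48:30.607: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
"""

# 'crypto isakmp key <key> address <addr> [<mask>]'; no mask means a single host.
KEY_RE = re.compile(
    r"^crypto isakmp key \S+ address (\d+\.\d+\.\d+\.\d+)(?: (\d+\.\d+\.\d+\.\d+))?",
    re.MULTILINE,
)
NO_KEY_RE = re.compile(r"No pre-shared key with (\d+\.\d+\.\d+\.\d+)!")
# Priority 65535 is the implicit IOS default policy (DES, SHA, RSA-sig, group 1).
DEFAULT_POLICY_RE = re.compile(r"against priority 65535 policy")


def key_networks(config):
    """Return the IPv4 networks a pre-shared key is bound to, in config order."""
    return [
        ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False)
        for addr, mask in KEY_RE.findall(config)
    ]


def diagnose(config, debug):
    """Return (uncovered_peers, used_default_policy): peers the debug reports no
    pre-shared key for whose address lies outside every key network, and whether
    a transform was checked against the priority-65535 default policy."""
    nets = key_networks(config)
    uncovered = sorted(
        peer for peer in set(NO_KEY_RE.findall(debug))
        if not any(ipaddress.ip_address(peer) in net for net in nets)
    )
    return uncovered, bool(DEFAULT_POLICY_RE.search(debug))


if __name__ == "__main__":
    peers, fell_back = diagnose(ISAKMP_CONFIG, DEBUG_LINES)
    print("key networks:", [str(n) for n in key_networks(ISAKMP_CONFIG)])
    print("peers outside every key network:", peers)
    print("default policy 65535 evaluated:", fell_back)
```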
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com