Eugene,

You have your peer addresses defined like "141.1.123.x", and your crypto isakmp 
keys like "143.1.123.x".

That's the reason why you don't have the association between your KSs.

Regards,

Eduardo

Sent from my iPhone

On 16/07/2012, at 22:17, Eugene Pefti <[email protected]> wrote:

> After a successful key export/import I ran into a weird problem.
> There are two KS running in a coop mode.
> They can easily communicate between each other via IP/ICMP but can’t 
> establish GETVPN peer KS relationships.
>  
> I’m seeing the error:
> “*Jul 16 19:39:44: %GDOI-3-COOP_KS_UNREACH: Cooperative KS 141.1.123.9 
> Unreachable in group GETVPN-GR”
> And what is more important is that they can’t negotiate IKE policy:
>  
> *Jul 16 19:40:24: %CRYPTO-4-IKE_DEFAULT_POLICY_ACCEPTED: IKE default policy 
> was matched and is being used.
>  
> I have absolutely identical IKE policy setup on both KS servers:
>  
> R1:
> crypto isakmp policy 10
> encr 3des
> hash md5
> authentication pre-share
> crypto isakmp key CISCO123 address 143.1.123.0 255.255.255.0
> crypto isakmp keepalive 15 periodic
>  
> R9:
> crypto isakmp policy 10
> encr 3des
> hash md5
> authentication pre-share
> crypto isakmp key CISCO123 address 143.1.123.0 255.255.255.0
> crypto isakmp keepalive 15 periodic
>  
> I see that their running IKE policies match what I have configured:
>  
> R1:
> Global IKE policy
> Protection suite of priority 10
>         encryption algorithm:   Three key triple DES
>         hash algorithm:         Message Digest 5
>         authentication method:  Pre-Shared Key
>         Diffie-Hellman group:   #1 (768 bit)
>         lifetime:               86400 seconds, no volume limit
> Default protection suite
>         encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
>         hash algorithm:         Secure Hash Standard
>         authentication method:  Rivest-Shamir-Adleman Signature
>         Diffie-Hellman group:   #1 (768 bit)
>         lifetime:               86400 seconds, no volume limit
>  
> R9:
> Global IKE policy
> Protection suite of priority 10
>         encryption algorithm:   Three key triple DES
>         hash algorithm:         Message Digest 5
>         authentication method:  Pre-Shared Key
>         Diffie-Hellman group:   #1 (768 bit)
>         lifetime:               86400 seconds, no volume limit
> Default protection suite
>         encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
>         hash algorithm:         Secure Hash Standard
>         authentication method:  Rivest-Shamir-Adleman Signature
>         Diffie-Hellman group:   #1 (768 bit)
>         lifetime:               86400 seconds, no volume limit
>  
>  
> GDOI part on both routers is configured as follows:
>  
> R1:
> crypto gdoi group GETVPN-GR
> identity number 123
> server local
>   rekey address ipv4 REKEY-ACL
>   rekey lifetime seconds 400
>   rekey retransmit 10 number 2
>   rekey authentication mypubkey rsa GETVPN-KEYS
>   sa ipsec 1
>    profile GETVPN-IPSEC-PROF
>    match address ipv4 GETVPN-ICMP-ACL
>    replay counter window-size 64
>   address ipv4 141.1.123.1
>   redundancy
>    local priority 100
>    peer address ipv4 141.1.123.9
>  
> R9:
> crypto gdoi group GETVPN-GR
> identity number 123
> server local
>   rekey address ipv4 REKEY-ACL
>   rekey lifetime seconds 400
>   rekey retransmit 10 number 2
>   rekey authentication mypubkey rsa GETVPN-KEYS
>   sa ipsec 1
>    profile GETVPN-IPSEC-PROF
>    match address ipv4 GETVPN-ICMP-ACL
>    replay counter window-size 64
>   address ipv4 141.1.123.9
>   redundancy
>    local priority 50
>    peer address ipv4 141.1.123.1
>  
> And finally, when I debug ISAKMP on one of the routers I see that they indeed 
> don’t use ISAKMP policy 10. What drives me insane is that the router can’t 
> find the preshared key.
>  
> Jul 17 02:48:30.603: ISAKMP: Created a peer struct for 141.1.123.1, peer port 
> 848
> Jul 17 02:48:30.603: ISAKMP: New peer created peer = 0x641F4E4C peer_handle = 
> 0x80000009
> Jul 17 02:48:30.603: ISAKMP: Locking peer struct 0x641F4E4C, refcount 1 for 
> crypto_isakmp_process_block
> Jul 17 02:48:30.603: ISAKMP: local port 848, remote port 848
> Jul 17 02:48:30.603: ISAKMP: Find a dup sa in the avl tree during calling 
> isadb_insert sa = 6438DB5C
> Jul 17 02:48:30.603: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> Jul 17 02:48:30.607: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
> Jul 17 02:48:30.607: ISAKMP:(0): processing SA payload. message ID = 0
> Jul 17 02:48:30.607: ISAKMP:(0):Switching to SW IKE SA: sa is 6438DB5C, ce_id 
> is 80000002
> Jul 17 02:48:30.607: ISAKMP:(0): processing vendor id payload
> Jul 17 02:48:30.607: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 
> mismatch
> Jul 17 02:48:30.607: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
> Jul 17 02:48:30.607: ISAKMP:(0): processing vendor id payload
> Jul 17 02:48:30.607: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 
> mismatch
> Jul 17 02:48:30.607: ISAKMP (0:0): vendor ID is NAT-T v7
> Jul 17 02:48:30.607: ISAKMP:(0): processing vendor id payload
> Jul 17 02:48:30.607: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 
> mismatch
> Jul 17 02:48:30.607: ISAKMP:(0): vendor ID is NAT-T v3
> Jul 17 02:48:30.607: ISAKMP:(0): processing vendor id payload
> Jul 17 02:48:30.607: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 
> mismatch
> Jul 17 02:48:30.607: ISAKMP:(0): vendor ID is NAT-T v2
> Jul 17 02:48:30.607: ISAKMP:(0):No pre-shared key with 141.1.123.1!
> Jul 17 02:48:30.607: ISAKMP : Scanning profiles for xauth ...
> Jul 17 02:48:30.607: ISAKMP:(0):Checking ISAKMP transform 1 against priority 
> 10 policy
> Jul 17 02:48:30.607: ISAKMP:      encryption DES-CBC
> Jul 17 02:48:30.607: ISAKMP:      hash SHA
> Jul 17 02:48:30.607: ISAKMP:      default group 1
> Jul 17 02:48:30.607: ISAKMP:      auth RSA sig
> Jul 17 02:48:30.607: ISAKMP:      life type in seconds
> Jul 17 02:48:30.607: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
> Jul 17 02:48:30.607: ISAKMP:(0):Encryption algorithm offered does not match 
> policy!
> Jul 17 02:48:30.607: ISAKMP:(0):atts are not acceptable. Next payload is 0
> Jul 17 02:48:30.607: ISAKMP:(0):Checking ISAKMP transform 1 against priority 
> 65535 policy
> Jul 17 02:48:30.607: ISAKMP:      encryption DES-CBC
> Jul 17 02:48:30.607: ISAKMP:      hash SHA
> Jul 17 02:48:30.607: ISAKMP:      default group 1
> Jul 17 02:48:30.607: ISAKMP:      auth RSA sig
> Jul 17 02:48:30.611: ISAKMP:      life type in seconds
> Jul 17 02:48:30.611: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
> Jul 17 02:48:30.611: ISAKMP:(0):atts are acceptable. Next payload is 0
> Jul 17 02:48:30.611: ISAKMP:(0):Acceptable atts:actual life: 0
> Jul 17 02:48:30.611: ISAKMP:(0):Acceptable atts:life: 0
> Jul 17 02:48:30.611: ISAKMP:(0):Fill atts in sa vpi_length:4
> Jul 17 02:48:30.611: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
> Jul 17 02:48:30.611: ISAKMP:(0):Returning Actual lifetime: 86400
> Jul 17 02:48:30.611: ISAKMP:(0)::Started lifetime timer: 86400.
> Jul 17 02:48:30.611: ISAKMP:(0): processing vendor id payload
> Jul 17 02:48:30.611: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 
> mismatch
> Jul 17 02:48:30.611: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
> Jul 17 02:48:30.611: ISAKMP:(0): processing vendor id payload
> Jul 17 02:48:30.611: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 
> mismatch
> Jul 17 02:48:30.611: ISAKMP (0:0): vendor ID is NAT-T v7
> Jul 17 02:48:30.611: ISAKMP:(0): processing vendor id payload
> Jul 17 02:48:30.611: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 
> mismatch
> Jul 17 02:48:30.611: ISAKMP:(0): vendor ID is NAT-T v3
> Jul 17 02:48:30.611: ISAKMP:(0): processing vendor id payload
> Jul 17 02:48:30.611: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 
> mismatch
> Jul 17 02:48:30.611: ISAKMP:(0): vendor ID is NAT-T v2
> Jul 17 02:48:30.611: ISAKMP:(0):Input = IKE_MESG_INTERNAL, 
> IKE_PROCESS_MAIN_MODE
> Jul 17 02:48:30.611: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
> Jul 17 02:48:30.615: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
> Jul 17 02:48:30.615: ISAKMP:(0): sending packet to 141.1.123.1 my_port 848 
> peer_port 848 (R) MM_SA_SETUP
> Jul 17 02:48:30.615: ISAKMP:(0):Sending an IKE IPv4 Packet.
> Jul 17 02:48:30.615: ISAKMP:(0):Input = IKE_MESG_INTERNAL, 
> IKE_PROCESS_COMPLETE
> Jul 17 02:48:30.615: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
> Jul 17 02:48:30.859: ISAKMP (0:0): received packet from 141.1.123.1 dport 848 
> sport 848 Global (R) MM_SA_SETUP
> Jul 17 02:48:30.859: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> Jul 17 02:48:30.859: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
> Jul 17 02:48:30.859: ISAKMP:(0): processing KE payload. message ID = 0
> Jul 17 02:48:30.903: ISAKMP:(0): processing NONCE payload. message ID = 0
> Jul 17 02:48:30.903: ISAKMP:(1005): processing vendor id payload
> Jul 17 02:48:30.903: ISAKMP:(1005): vendor ID is Unity
> Jul 17 02:48:30.903: ISAKMP:(1005): processing vendor id payload
> Jul 17 02:48:30.903: ISAKMP:(1005): vendor ID is DPD
> Jul 17 02:48:30.903: ISAKMP:(1005): processing vendor id payload
> Jul 17 02:48:30.903: ISAKMP:(1005): vendor ID is COOP
> Jul 17 02:48:30.903: ISAKMP:(1005): processing vendor id payload
> Jul 17 02:48:30.903: ISAKMP:(1005): speaking to another IOS box!
> Jul 17 02:48:30.903: ISAKMP:received payload type 20
> Jul 17 02:48:30.903: ISAKMP:received payload type 20
> Jul 17 02:48:30.903: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, 
> IKE_PROCESS_MAIN_MODE
> Jul 17 02:48:30.903: ISAKMP:(1005):Old State = IKE_R_MM3  New State = 
> IKE_R_MM3
> Jul 17 02:48:30.907: ISAKMP:(1005): sending packet to 141.1.123.1 my_port 848 
> peer_port 848 (R) MM_KEY_EXCH
> Jul 17 02:48:30.907: ISAKMP:(1005):Sending an IKE IPv4 Packet.
> Jul 17 02:48:30.907: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, 
> IKE_PROCESS_COMPLETE
> Jul 17 02:48:30.907: ISAKMP:(1005):Old State = IKE_R_MM3  New State = 
> IKE_R_MM4
> Jul 17 02:48:31.991: ISAKMP: set new node 0 to GDOI_IDLE     
> Jul 17 02:48:31.991: ISAKMP:(1004):Switching to SW IKE SA: sa is 6438CE08, 
> ce_id is 80000002
> Jul 17 02:48:31.991: ISAKMP:(1004):SA is still budding. Attached new ipsec 
> request to it. (local 141.1.123.9, remote 141.1.123.1)
> Jul 17 02:48:31.991: ISAKMP: Error while processing SA request: Failed to 
> initialize SA
> Jul 17 02:48:31.991: ISAKMP: Error while processing KMI message 0, error 2.
> Jul 17 02:48:31.991: ISAKMP:(1001):purging SA., sa=6471FCB8, delme=6471FCB8
> Jul 17 02:48:40.907: ISAKMP:(1005): retransmitting phase 1 MM_KEY_EXCH...
> Jul 17 02:48:40.907: ISAKMP (0:1005): incrementing error counter on sa, 
> attempt 1 of 5: retransmit phase 1
> Jul 17 02:48:40.907: ISAKMP:(1005): retransmitting phase 1 MM_KEY_EXCH
> Jul 17 02:48:40.907: ISAKMP:(1005): sending packet to 141.1.123.1 my_port 848 
> peer_port 848 (R) MM_KEY_EXCH
> Jul 17 02:48:40.907: ISAKMP:(1005):Sending an IKE IPv4 Packet.
> Jul 17 02:48:46.991: ISAKMP: quick mode timer expired.
> Jul 17 02:48:46.991: ISAKMP:(1004):src 141.1.123.9 dst 141.1.123.1, SA is not 
> authenticated
> Jul 17 02:48:46.991: ISAKMP:(1004):peer does not do paranoid keepalives.
> Jul 17 02:48:46.991: ISAKMP:(1004):deleting SA reason "QM_TIMER expired" 
> state (I) MM_KEY_EXCH (peer 141.1.123.1)
> Jul 17 02:48:46.991: ISAKMP:(1004):deleting SA reason "QM_TIMER expired" 
> state (I) MM_KEY_EXCH (peer 141.1.123.1)
> Jul 17 02:48:46.991: ISAKMP: Unlocking peer struct 0x649B6B18 for 
> isadb_mark_sa_deleted(), count 0
> Jul 17 02:48:46.991: ISAKMP: Deleting peer node by peer_reap for 141.1.123.1: 
> 649B6B18
> Jul 17 02:48:46.991: ISAKMP:(1004):deleting node -1613153694 error FALSE 
> reason "IKE deleted"
> Jul 17 02:48:46.991: ISAKMP:(1004):deleting node -1221654023 error FALSE 
> reason "IKE deleted"
> Jul 17 02:48:46.991: ISAKMP:(1004):deleting node 1999376160 error FALSE 
> reason "IKE deleted"
> Jul 17 02:48:46.991: ISAKMP:(1004):deleting node 136740611 error FALSE reason 
> "IKE deleted"
> Jul 17 02:48:46.991: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
> Jul 17 02:48:46.991: ISAKMP:(1004):Old State = IKE_I_MM5  New State = 
> IKE_DEST_SA
>  
> Jul 17 02:48:50.907: ISAKMP:(1005): retransmitting phase 1 MM_KEY_EXCH...
> Jul 17 02:48:50.907: ISAKMP (0:1005): incrementing error counter on sa, 
> attempt 2 of 5: retransmit phase 1
> Jul 17 02:48:50.907: ISAKMP:(1005): retransmitting phase 1 MM_KEY_EXCH
> Jul 17 02:48:50.907: ISAKMP:(1005): sending packet to 141.1.123.1 my_port 848 
> peer_port 848 (R) MM_KEY_EXCH
> Jul 17 02:48:50.907: ISAKMP:(1005):Sending an IKE IPv4 Packet.
> Jul 17 02:48:51.991: ISAKMP:(0): no idb in request
> Jul 17 02:48:51.991: ISAKMP:(0): SA request profile is (NULL)
>  
>  
>  
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please 
> visit www.ipexpert.com
> 
> Are you a CCNP or CCIE and looking for a job? Check out 
> www.PlatinumPlacement.com
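As an added example (not part of the thread, and not code from either poster), here is a small Python check that parses the relevant lines out of an IOS running-config and reports every COOP `peer address ipv4` that no `crypto isakmp key ... address <addr> [mask]` entry covers. That is exactly the mismatch Eduardo points at: R1's debug shows "No pre-shared key with 141.1.123.1!" and then only the default protection suite (DES/SHA/RSA-sig) being accepted, which is what `%CRYPTO-4-IKE_DEFAULT_POLICY_ACCEPTED` reports. The sample config embedded below is constructed to mirror R1 from the thread (peers on 141.1.123.x, key bound to 143.1.123.0/24); the function names and the "fixed" variant are assumptions of this example, not anything from the original post.

```python
"""Check that every GETVPN COOP peer has a matching ISAKMP pre-shared key.

Added example: parses `crypto isakmp key` and `peer address ipv4` lines from
an IOS running-config and flags peers that fall outside every PSK address/mask.
"""
import ipaddress
import re

# Constructed sample mirroring R1 in the thread: COOP peer on 141.1.123.9,
# pre-shared key bound to 143.1.123.0/24. Not a capture from the original post.
R1_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO123 address 143.1.123.0 255.255.255.0
crypto isakmp keepalive 15 periodic
!
crypto gdoi group GETVPN-GR
 identity number 123
 server local
  rekey authentication mypubkey rsa GETVPN-KEYS
  address ipv4 141.1.123.1
  redundancy
   local priority 100
   peer address ipv4 141.1.123.9
"""

# Hypothetical corrected variant: the key now covers the subnet the peers live in.
R1_FIXED = R1_CONFIG.replace("address 143.1.123.0 255.255.255.0",
                             "address 141.1.123.0 255.255.255.0")

# `crypto isakmp key [0|6] <keystring> address <addr> [<mask>] ...`
# The optional single digit is the IOS key-encryption type prefix.
KEY_RE = re.compile(
    r"^\s*crypto isakmp key\s+(?:\d\s+)?(\S+)\s+address\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3})(?:\s+(\d{1,3}(?:\.\d{1,3}){3}))?",
    re.M,
)
# `peer address ipv4 <addr>` under `server local` / `redundancy`.
PEER_RE = re.compile(r"^\s*peer address ipv4\s+(\d{1,3}(?:\.\d{1,3}){3})", re.M)


def psk_networks(config: str) -> list:
    """Return the IPv4 networks that PSK entries in `config` are bound to.

    A key line without a mask binds a single host (IOS default), so we treat
    a missing mask as 255.255.255.255.
    """
    nets = []
    for m in KEY_RE.finditer(config):
        addr, mask = m.group(2), m.group(3) or "255.255.255.255"
        nets.append(ipaddress.IPv4Network((addr, mask), strict=False))
    return nets


def coop_peers(config: str) -> list:
    """Return the COOP peer addresses configured under the GDOI group."""
    return [ipaddress.IPv4Address(m.group(1)) for m in PEER_RE.finditer(config)]


def unkeyed_peers(config: str) -> list:
    """Return (as strings) every COOP peer that no PSK address/mask covers.

    Such a peer will produce "No pre-shared key with <peer>!" in
    `debug crypto isakmp`, and policies using `authentication pre-share`
    can never match for it.
    """
    nets = psk_networks(config)
    return [str(p) for p in coop_peers(config) if not any(p in n for n in nets)]


def fix_line(keystring: str, peer: str) -> str:
    """Suggest a host-scoped PSK line for `peer` (tighter than a /24 binding)."""
    return f"crypto isakmp key {keystring} address {peer} 255.255.255.255"


if __name__ == "__main__":
    for name, cfg in (("R1 (as posted)", R1_CONFIG), ("R1 (fixed)", R1_FIXED)):
        missing = unkeyed_peers(cfg)
        print(f"{name}: PSK networks {[str(n) for n in psk_networks(cfg)]}")
        if missing:
            for peer in missing:
                print(f"  peer {peer} has no pre-shared key; add e.g.:")
                print(f"    {fix_line('CISCO123', peer)}")
        else:
            print("  all COOP peers are covered by a pre-shared key")
```

Run it against the text of `show running-config` from each KS; any peer it lists is one for which phase 1 with `authentication pre-share` cannot succeed regardless of how identical the `crypto isakmp policy` blocks look. The suggested fix binds the key to the peer host (/32) rather than a whole /24, which is the least-privilege option; the /24 from the thread works too once it names the subnet the peers actually sit in.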