I am trying to test the IOS IKE aggressive mode but keep getting this error
on the initiator (BB2), which is behind the ASA.
It fails even though I have a keyring defined and applied on the isakmp
request profile and applied on the crypto map.

Config posted below.

BB2(config-if)#do ping 150.10.1.1 so loo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.10.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1

*Mar  1 01:40:01.271: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.1.1.1, remote= 192.1.49.1,
    local_proxy= 150.1.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 150.10.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Mar  1 01:40:01.275: ISAKMP:(0): SA request profile is ISAPROF
*Mar  1 01:40:01.279: ISAKMP: Created a peer struct for 192.1.49.1, peer
port 500
*Mar  1 01:40:01.283: ISAKMP: New peer created peer = 0x665594DC
peer_handle = 0x80000011
*Mar  1 01:40:01.283: ISAKMP: Locking peer struct 0x665594DC, refcount 1
for isakmp_initiator
*Mar  1 01:40:01.287: ISAKMP: local port 500, remote port 500
*Mar  1 01:40:01.287: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 01:40:01.287: insert sa successfully sa = 66A1BEFC....
**Mar  1 01:40:10.307: ISAKMP:(0):Can not start Aggressive mode, trying
Main mode.*
**Mar  1 01:40:10.311: ISAKMP:(0): No Cert or pre-shared address key. *
*Mar  1 01:40:10.311: ISAKMP:(0): construct_initial_message: Can not start
Main mode
*Mar  1 01:40:10.315: ISAKMP: Unlocking peer struct 0x665594DC for
isadb_unlock_peer_delete_sa(), count 0
*Mar  1 01:40:10.319: ISAKMP: Deleting peer node by peer_reap for 192.1.49.1:
665594DC
*Mar  1 01:40:10.323: ISAKMP:(0):purging SA., sa=66A1BEFC, delme=66A1BEFC
*Mar  1 01:40:10.327: ISAKMP:(0):purging node 2115757260
*Mar  1 01:40:10.327: ISAKMP: Error while processing SA request: Failed to
initialize SA.
Success rate is 0 percent (0/5)
BB2(config-if)#
*Mar  1 01:40:10.331: ISAKMP: Error while processing KMI message 0, error 2.
*Mar  1 01:40:10.339: IPSEC(key_engine): got a queue event with 1 KMI
message(s)
*Mar  1 01:40:31.271: IPSEC(key_engine): request timer fired: count = 1,


*Initiator Config*
*=================*
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BB2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
ip domain name ine.com
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
crypto keyring KEYR
  pre-shared-key hostname R1.ine.com key cisco
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
*crypto isakmp profile ISAPROF*
*! This profile is incomplete (no match identity statement)*
*   keyring default*
*   keyring KEYR*
*   self-identity fqdn*
*   initiate mode aggressive*
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
*crypto map MYMAP isakmp-profile ISAPROF*
*crypto map MYMAP 1 ipsec-isakmp *
* set peer 192.1.49.1*
* set transform-set ESP-3DES-MD5 *
* match address 101*
* reverse-route static*
!
!
!
!
!
!
!
interface Loopback0
 ip address 150.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 speed 100
 full-duplex
 crypto map MYMAP
!
interface FastEthernet0/1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 10.1.1.1 0.0.0.0 area 0
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 150.1.1.0 0.0.0.255 150.10.1.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
!
end

*Responder Config*
*=======================*
Building configuration...

Current configuration : 1782 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
ip domain name ine.com
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
*crypto isakmp key cisco hostname BB2.ine.com*
crypto isakmp nat keepalive 10
*crypto isakmp profile ISAPROF*
*   keyring default*
*   self-identity fqdn*
*   match identity host BB2.ine.com*
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto dynamic-map DYN 1
 set transform-set ESP-3DES-MD5
 set isakmp-profile ISAPROF
 reverse-route remote-peer
!
!
*crypto map MYMAP 65535 ipsec-isakmp dynamic DYN *
!
!
!
!
!
!
!
interface Loopback0
 ip address 150.10.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.1.49.1 255.255.255.0
 duplex auto
 speed auto
 crypto map MYMAP
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 1
 log-adjacency-changes
 network 192.1.49.1 0.0.0.0 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
access-list 101 permit ip 150.10.1.0 0.0.0.255 150.1.1.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
!
end
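
An added example, not part of the original post: a small lint over the initiator's crypto lines that flags the two conditions the output above points at, the profile IOS itself marks as incomplete (no `match identity`) and a `set peer` IP address that has no address-based pre-shared key, which is what the debug line "No Cert or pre-shared address key" reports. The function and finding names are hypothetical, the config excerpt is constructed (trimmed) from the post, and the reading that the initiator looks the key up by peer address is an assumption.

```python
import re

# Constructed, trimmed excerpt: crypto lines of the initiator (BB2) config.
BB2_CONFIG = """\
crypto keyring KEYR
  pre-shared-key hostname R1.ine.com key cisco
crypto isakmp profile ISAPROF
   keyring KEYR
   initiate mode aggressive
crypto map MYMAP isakmp-profile ISAPROF
crypto map MYMAP 1 ipsec-isakmp
 set peer 192.1.49.1
"""

def parse_sections(config):
    """Group indented sub-commands under their top-level command line."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip().startswith("!"):
            continue  # skip blanks and IOS '!' separators/comments
        if not line[0].isspace():
            current = line.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def lint_initiator(config):
    """Return (finding, name) pairs; the finding labels are hypothetical."""
    sections = parse_sections(config)
    keyed = set()  # peer addresses that have an address-based pre-shared key
    for head, body in sections.items():
        for cmd in [head] + body:
            m = re.match(r"(?:crypto isakmp key \S+|pre-shared-key) address (\S+)", cmd)
            if m:
                keyed.add(m.group(1))
    findings = []
    for head, body in sections.items():
        has_match = any(c.startswith("match identity") for c in body)
        if head.startswith("crypto isakmp profile ") and not has_match:
            findings.append(("profile-no-match-identity", head.split()[-1]))
        if re.match(r"crypto map \S+ \d+ ipsec-isakmp", head):
            for cmd in body:
                m = re.match(r"set peer (\d+\.\d+\.\d+\.\d+)", cmd)
                if m and not keyed & {m.group(1), "0.0.0.0"}:
                    findings.append(("peer-no-address-key", m.group(1)))
    return findings

print(lint_initiator(BB2_CONFIG))
```

Both findings fire on the posted initiator config; a keyring entry keyed by the peer's address and a `match identity` line in the profile clear them.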