Most likely, you must add a local host-to-IP mapping, as you're using hostname-based keys.

Regards,
Piotr


From: GuardGrid 
Sent: Saturday, September 01, 2012 5:19 PM
To: ccie_security 
Subject: [OSL | CCIE_Security] IOS IKE Aggressive mode

I am trying to test IOS IKE aggressive mode but keep getting this error on the initiator (BB2), which is behind the ASA.
It fails even though I have a keyring defined and applied on the isakmp request profile, which is applied on the crypto map.

Config posted below.

BB2(config-if)#do ping 150.10.1.1 so loo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.10.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1 

*Mar  1 01:40:01.271: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.1.1.1, remote= 192.1.49.1, 
    local_proxy= 150.1.1.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 150.10.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel), 
    lifedur= 3600s and 4608000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Mar  1 01:40:01.275: ISAKMP:(0): SA request profile is ISAPROF
*Mar  1 01:40:01.279: ISAKMP: Created a peer struct for 192.1.49.1, peer port 500
*Mar  1 01:40:01.283: ISAKMP: New peer created peer = 0x665594DC peer_handle = 0x80000011
*Mar  1 01:40:01.283: ISAKMP: Locking peer struct 0x665594DC, refcount 1 for isakmp_initiator
*Mar  1 01:40:01.287: ISAKMP: local port 500, remote port 500
*Mar  1 01:40:01.287: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 01:40:01.287: insert sa successfully sa = 66A1BEFC....
*Mar  1 01:40:10.307: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar  1 01:40:10.311: ISAKMP:(0): No Cert or pre-shared address key.
*Mar  1 01:40:10.311: ISAKMP:(0): construct_initial_message: Can not start Main mode
*Mar  1 01:40:10.315: ISAKMP: Unlocking peer struct 0x665594DC for isadb_unlock_peer_delete_sa(), count 0
*Mar  1 01:40:10.319: ISAKMP: Deleting peer node by peer_reap for 192.1.49.1: 665594DC
*Mar  1 01:40:10.323: ISAKMP:(0):purging SA., sa=66A1BEFC, delme=66A1BEFC
*Mar  1 01:40:10.327: ISAKMP:(0):purging node 2115757260
*Mar  1 01:40:10.327: ISAKMP: Error while processing SA request: Failed to initialize SA.
Success rate is 0 percent (0/5)
BB2(config-if)#
*Mar  1 01:40:10.331: ISAKMP: Error while processing KMI message 0, error 2.
*Mar  1 01:40:10.339: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Mar  1 01:40:31.271: IPSEC(key_engine): request timer fired: count = 1,


Initiator Config
================
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BB2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
ip domain name ine.com
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
  hidekeys
! 
crypto keyring KEYR 
  pre-shared-key hostname R1.ine.com key cisco
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp profile ISAPROF
! This profile is incomplete (no match identity statement)
   keyring default
   keyring KEYR
   self-identity fqdn
   initiate mode aggressive
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
!
crypto map MYMAP isakmp-profile ISAPROF
crypto map MYMAP 1 ipsec-isakmp 
set peer 192.1.49.1
set transform-set ESP-3DES-MD5 
match address 101
reverse-route static
!
!
!
!
!
!
!
interface Loopback0
ip address 150.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
speed 100
full-duplex
crypto map MYMAP
!
interface FastEthernet0/1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 10.1.1.1 0.0.0.0 area 0
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 150.1.1.0 0.0.0.255 150.10.1.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!         
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!
!
end

Responder Config
================
Building configuration...

Current configuration : 1782 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
ip domain name ine.com
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
  hidekeys
! 
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco hostname BB2.ine.com
crypto isakmp nat keepalive 10
crypto isakmp profile ISAPROF
   keyring default
   self-identity fqdn
   match identity host BB2.ine.com
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
!
crypto dynamic-map DYN 1
set transform-set ESP-3DES-MD5 
set isakmp-profile ISAPROF
reverse-route remote-peer
!
!
crypto map MYMAP 65535 ipsec-isakmp dynamic DYN 
!
!
!
!
!         
!
!
interface Loopback0
ip address 150.10.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.1.49.1 255.255.255.0
duplex auto
speed auto
crypto map MYMAP
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 1
log-adjacency-changes
network 192.1.49.1 0.0.0.0 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!         
!
logging alarm informational
access-list 101 permit ip 150.10.1.0 0.0.0.255 150.1.1.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
!
end
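The debug line "No Cert or pre-shared address key" is the symptom of the mismatch Piotr points at: the initiator's keyring stores its pre-shared key under the peer's hostname (R1.ine.com), but IOS selects a key by the peer's address it is about to contact, so with no `ip host R1.ine.com 192.1.49.1` (or DNS) mapping it finds nothing and falls back from aggressive mode to main mode, which then also fails. The following checker is an added example written for this thread, not code from either poster or from Cisco; it parses a trimmed copy of BB2's running config (with the one-space child indentation that `show run` emits and the mailing-list copy lost) and reports the two gaps visible above: the hostname key with no host-to-address mapping, and the isakmp profile without a `match identity` statement. The only IOS commands it relies on (`crypto keyring`, `pre-shared-key hostname`, `crypto isakmp key ... hostname`, `crypto isakmp profile`, `set peer`, `ip host`) are real; the `lint_initiator` and `parse_blocks` names are this example's own.

```python
"""Lint an IOS IKEv1 initiator config for hostname-keyed PSKs that have no
host-to-address mapping, the condition behind the thread's
"No Cert or pre-shared address key" debug. Added example; not from the thread."""
import re

# Constructed sample: BB2's crypto config from the thread, trimmed to the
# relevant blocks and with IOS's one-space child indentation restored.
INITIATOR_CFG = """
crypto keyring KEYR
  pre-shared-key hostname R1.ine.com key cisco
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp profile ISAPROF
   keyring default
   keyring KEYR
   self-identity fqdn
   initiate mode aggressive
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map MYMAP isakmp-profile ISAPROF
crypto map MYMAP 1 ipsec-isakmp
 set peer 192.1.49.1
 set transform-set ESP-3DES-MD5
 match address 101
 reverse-route static
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 crypto map MYMAP
"""

# The same config with Piotr's fix (a local host-to-IP mapping) and the
# missing match identity added, so the checker can show a clean result.
FIXED_CFG = INITIATOR_CFG.replace(
    "   self-identity fqdn",
    "   self-identity fqdn\n   match identity host R1.ine.com",
) + "ip host R1.ine.com 192.1.49.1\n"


def parse_blocks(cfg: str):
    """Split `show run` text into (header, [child lines]) pairs.
    A line with no leading whitespace starts a block; indented lines belong
    to the most recent block; bare '!' separators and blank lines are skipped."""
    blocks = []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def lint_initiator(cfg: str):
    """Return a list of (code, message) findings for the initiator config."""
    keyrings = {"default": {}}   # keyring name -> {peer hostname: key}
    ip_hosts = {}                # hostname -> address from 'ip host'
    peers = set()                # addresses from 'set peer'
    profiles = {}                # isakmp profile name -> child lines

    for header, children in parse_blocks(cfg):
        words = header.split()
        if header.startswith("crypto keyring "):
            ring = keyrings.setdefault(words[2], {})
            for child in children:
                m = re.fullmatch(r"pre-shared-key hostname (\S+) key (\S+)", child)
                if m:
                    ring[m.group(1)] = m.group(2)
        elif header.startswith("crypto isakmp key "):
            # Global keys are what 'keyring default' inside a profile refers to.
            m = re.fullmatch(r"crypto isakmp key (\S+) hostname (\S+)", header)
            if m:
                keyrings["default"][m.group(2)] = m.group(1)
        elif header.startswith("crypto isakmp profile "):
            profiles[words[3]] = children
        elif header.startswith("crypto map ") and "ipsec-isakmp" in header:
            for child in children:
                m = re.fullmatch(r"set peer (\S+)", child)
                if m:
                    peers.add(m.group(1))
        elif header.startswith("ip host "):
            ip_hosts[words[2]] = words[3]

    findings = []
    for name, children in profiles.items():
        rings = [c.split()[1] for c in children if c.startswith("keyring ")]
        for ring in rings:
            for host in keyrings.get(ring, {}):
                addr = ip_hosts.get(host)
                if addr is None:
                    findings.append(("no-ip-host",
                        f"profile {name}: keyring {ring} keys peer by hostname {host}, "
                        f"but no 'ip host {host} <addr>' maps it to a peer address"))
                elif addr not in peers:
                    findings.append(("ip-host-not-peer",
                        f"profile {name}: 'ip host {host} {addr}' does not match any 'set peer'"))
        if not any(c.startswith("match identity ") for c in children):
            findings.append(("no-match-identity",
                f"profile {name} has no 'match identity' statement"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", INITIATOR_CFG), ("with ip host + match identity", FIXED_CFG)):
        print(f"== {label} ==")
        for code, msg in lint_initiator(cfg) or [("ok", "no findings")]:
            print(f"  [{code}] {msg}")
```

Run against the posted config it reports `no-ip-host` for R1.ine.com and `no-match-identity` for ISAPROF; against the fixed copy it reports nothing. The checker deliberately keys off the initiator's own `set peer` addresses rather than resolving names, since what matters is whether the address IOS will dial has a key reachable from the profile's keyrings.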



--------------------------------------------------------------------------------
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com