SITE2SITE, PKI - simple topology - PROBLEMS

Forum: Security problems (VPN, firewall, IDS/IPS, etc.)
kktm
CCIE
Posts: 2025
Joined: 20 Oct 2004, 14:43
Location: Wrocław

SITE2SITE, PKI - simple topology - PROBLEMS

#1 Post by kktm »

[image]

I have a problem with PKI. I set up a VPN tunnel between routers B1 and B3 with a pre-shared key. It works. Now I wanted to use RSA-sig authentication and unfortunately the peers cannot authenticate :( Maybe someone will spot where the bug is.

RSA 512-bit keys are generated everywhere, NTP is in place.
The trustpoint is authenticated correctly; router B0 is configured as the CA.
The B1 and B3 certificates enrolled correctly (debug crypto pki transactions and debug crypto pki messages show that everything is OK), so routers B1 and B3 have certificates signed by B0, the date is correct, but IKE phase 1 does not come up. From debug crypto isakmp it looks like IPsec stops during authentication when certificates are used.
Where is the error, on the CA side or on the peers?


The ISAKMP state is MM_NO_STATE, so Diffie-Hellman went through. The error is during authentication.
It looks like certificate problems:

Aug 16 12:38:53.884 UTC: ISAKMP:(0:24:SW:1): processing SIG payload. message ID = 0
Aug 16 12:38:53.888 UTC: ISAKMP:(0:24:SW:1): signature invalid!
Aug 16 12:38:53.888 UTC: ISAKMP (0:134217752): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Aug 16 12:38:53.888 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Aug 16 12:38:54.888 UTC: ISAKMP:(0:24:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 16 12:38:54.888 UTC: ISAKMP (0:134217752): incrementing error counter on sa, attempt 2 of 5: retransmit phase

On router B1 I keep getting this message:

Aug 16 13:19:00.359 UTC: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 10.2.13.2 was not encrypted and it should've been.


Beer for help :)

CONFIG OF ROUTER R1841_B_1

version 12.4
!
hostname R1841_B_1
!
!
no ip domain lookup
ip domain name lab.com
ip host CA_IOS 192.168.114.20
ip host R1841_B_3 10.2.13.2
!
crypto pki trustpoint CA_IOS
 enrollment url http://CA_IOS:80
 serial-number none
 ip-address 10.2.11.2
 revocation-check none
!
!
crypto pki certificate chain CA_IOS
 certificate 14
  308201D3 3082013C A0030201 02020114 300D0609 2A864886 F70D0101 04050030
  18311630 14060355 0403140D 43415F49 4F535F53 45525645 52301E17 0D303630
  38313631 31303034 325A170D 30373038 31363131 30303432 5A303A31 38301606
  092A8648 86F70D01 09081309 31302E32 2E31312E 32301E06 092A8648 86F70D01
  09021611 52313834 315F425F 312E6C61 622E636F 6D305C30 0D06092A 864886F7
  0D010101 0500034B 00304802 4100BE54 3B7884DC 53431874 819BA171 4B8F3795
  B62876CB E9E507C4 6206952F 18F81777 FD78C2BA 483862FD 43F6246D EA3E61F8
  5C462472 FC4B859B 4C5B3E03 DB930203 010001A3 4F304D30 0B060355 1D0F0404
  030205A0 301F0603 551D2304 18301680 144A28F1 46C91D91 308C33E6 F6DDD876
  1F65F590 9D301D06 03551D0E 04160414 B91A36DC 2EFF52AA F67A7126 3DA42CDB
  37E2D131 300D0609 2A864886 F70D0101 04050003 818100B1 36825294 C5978F26
  9BB74881 AAFBB515 F89AB91F DE23EEE6 72204A4E E97E0B1C 970D730F 53487D21
  3ECE2671 48E2FA0E 92DF4187 2CC36E0F DDAEA06D AC21915B A403196A 54F60234
  9F8611CE 2326A2C0 8D49E3E5 7E00CF06 79136569 96516BA0 4980F895 0282E245
  C8974718 AA59F501 57A49E88 DB63F0B8 FD3649D9 8F323D
  quit
 certificate ca 01
  30820209 30820172 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  18311630 14060355 0403140D 43415F49 4F535F53 45525645 52301E17 0D303630
  38313431 31313032 315A170D 31313038 31333131 31303231 5A301831 16301406
  03550403 140D4341 5F494F53 5F534552 56455230 819F300D 06092A86 4886F70D
  01010105 0003818D 00308189 02818100 B8833576 3A8F1D17 78BEBEC4 F4CBEAEF
  E4595301 07FE3BB2 FE7AAE86 DE3E7D49 59FCE9D7 6D9E0428 DAF37AE7 4BE7C8F7
  1CCF5DBC 1C708D01 E56EAB0F E6AA5F5F 365257D0 98A6CBFC 9A511C8C 9C1D7F1A
  00C39B76 1C94E7C1 92A7C45A F2777A42 5646EA27 DFD583FE 97B926A6 6AACD52F
  E0EE9CEB B7A4CCC4 8C3CFCA9 3D4FEB5D 02030100 01A36330 61300F06 03551D13
  0101FF04 05300301 01FF300E 0603551D 0F0101FF 04040302 0186301F 0603551D
  23041830 1680144A 28F146C9 1D91308C 33E6F6DD D8761F65 F5909D30 1D060355
  1D0E0416 04144A28 F146C91D 91308C33 E6F6DDD8 761F65F5 909D300D 06092A86
  4886F70D 01010405 00038181 007CB364 384EE490 51F1ACE5 15A19247 5CE1DC54
  C99CF6CB D9F1BAE5 F18B70F0 405E2098 8F0608AF D93E197D EB50B87C ED5563E7
  FF70E7E4 96D22F5E C1EEC6A4 AAD33C45 EE377B4D C3030E52 8ED606F7 F9CBA2E3
  4BBA38DB 7A09E805 5EBDE2A7 ED79A515 F286E3EC 1BE393F0 CBDBEF46 C89F3B34
  4360413F F1435CC8 801D6F08 CA
  quit
username lab privilege 15 secret 5 $1$ihqn$SIbZPD7LAadT4DS0hD/Eg.
!
!
!
crypto isakmp policy 10
 encr 3des
 group 2
crypto isakmp key haslo address 10.2.13.2
!
!
crypto ipsec transform-set TS_1 esp-aes 192 esp-sha-hmac
!
crypto map CM_VPN 10 ipsec-isakmp
 set peer 10.2.13.2
 set transform-set TS_1
 match address ACL_VPN
!
!
!
interface FastEthernet0/0
 ip address 169.0.0.121 255.255.255.0 secondary
 ip address 192.168.114.21 255.255.255.0
!
interface Serial0/0/0
 description "to_R1841_B_0 int ser0/1/0"
 ip address 10.2.11.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 crypto map CM_VPN
!
interface Serial0/0/1
 description "to_R1841_B_2 int ser0/0/1"
 ip address 10.2.12.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
!
ip route 0.0.0.0 0.0.0.0 192.168.114.1 220
ip route 10.2.13.0 255.255.255.0 10.2.11.1
ip route 10.2.150.0 255.255.255.0 10.2.11.1
!
ip http server
ip http authentication local
ip http secure-server
!
ip access-list extended ACL_VPN
 permit ip 10.2.12.0 0.0.0.255 10.2.150.0 0.0.0.255
!
ntp clock-period 17179846
ntp server 192.168.114.20
------------------------------------------------------------------------------

R1841_B_1#sh crypto isakmp sa
dst             src             state          conn-id slot status
10.2.13.2       10.2.11.2       MM_KEY_EXCH          3    0 ACTIVE
10.2.13.2       10.2.11.2       MM_NO_STATE          2    0 ACTIVE (deleted)
10.2.13.2       10.2.11.2       MM_NO_STATE          1    0 ACTIVE (deleted)

R1841_B_1#show clock
12:28:16.474 UTC Wed Aug 16 2006

R1841_B_1#sh crypto pki certificates CA_IOS
Certificate
  Status: Available
  Certificate Serial Number: 14
  Certificate Usage: General Purpose
  Issuer:
    cn=CA_IOS_SERVER
  Subject:
    Name: R1841_B_1.lab.com
    IP Address: 10.2.11.2
    ipaddress=10.2.11.2+hostname=R1841_B_1.lab.com
  Validity Date:
    start date: 11:00:42 UTC Aug 16 2006
    end   date: 11:00:42 UTC Aug 16 2007
  Associated Trustpoints: CA_IOS

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    cn=CA_IOS_SERVER
  Subject:
    cn=CA_IOS_SERVER
  Validity Date:
    start date: 11:10:21 UTC Aug 14 2006
    end   date: 11:10:21 UTC Aug 13 2011
  Associated Trustpoints: CA_IOS


R1841_B_1(config)#crypto pki certificate validate CA_IOS
Chain has 2 certificates
Certificate chain for CA_IOS is valid

CONFIGURATION OF ROUTER R1841_B_3


hostname R1841_B_3
!
!
no ip domain lookup
ip domain name lab.com
ip host CA_IOS 192.168.114.20
ip host R1841_B_1 10.2.11.2
!
crypto pki trustpoint CA_IOS
 enrollment url http://CA_IOS:80
 serial-number none
 ip-address 10.2.13.2
 revocation-check none
!
!
crypto pki certificate chain CA_IOS
 certificate 1A
  308201F6 3082015F A0030201 0202011A 300D0609 2A864886 F70D0101 04050030
  18311630 14060355 0403140D 43415F49 4F535F53 45525645 52301E17 0D303630
  38313631 32323235 335A170D 30373038 31363132 32323533 5A303A31 38301606
  092A8648 86F70D01 09081309 31302E32 2E31332E 32301E06 092A8648 86F70D01
  09021611 52313834 315F425F 332E6C61 622E636F 6D305C30 0D06092A 864886F7
  0D010101 0500034B 00304802 4100F12D B4ADAFFD E1C5D0E5 AC730BEA 9DDC0E63
  B98B4876 13F09B50 7D27D01C 6C5F1955 2FACB25A 32A9D9B6 97CD3681 0AC13778
  B9E28E48 77549C04 92CDAD13 EF370203 010001A3 72307030 21060355 1D1F041A
  30183016 A014A012 8610666C 6173683A 43415F49 4F532E63 726C300B 0603551D
  0F040403 0205A030 1F060355 1D230418 30168014 4A28F146 C91D9130 8C33E6F6
  DDD8761F 65F5909D 301D0603 551D0E04 160414BA 593007E6 B382AFAC 98CD2DD8
  DB1DC5B9 2CC17730 0D06092A 864886F7 0D010104 05000381 81000272 31E7DB5E
  899EB9A8 0BED8CB1 F6AB827F 05825935 3144F6A1 5A1A405E 59B261F6 E1E7123D
  6C368F80 EA950E02 380863DF 2ABA4A03 81450305 ABF00109 7F224EBD 71982E8A
  F4CFF031 FC0B252C 1AA20B9A 34A1C02A BC0CA911 DDC8CFE5 67020B17 4A2841A2
  19BB0E29 0EBED4BD 3E70082E 8F6DA06A 24A7FB65 2D106185 2721
  quit
 certificate ca 01
  30820209 30820172 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  18311630 14060355 0403140D 43415F49 4F535F53 45525645 52301E17 0D303630
  38313431 31313032 315A170D 31313038 31333131 31303231 5A301831 16301406
  03550403 140D4341 5F494F53 5F534552 56455230 819F300D 06092A86 4886F70D
  01010105 0003818D 00308189 02818100 B8833576 3A8F1D17 78BEBEC4 F4CBEAEF
  E4595301 07FE3BB2 FE7AAE86 DE3E7D49 59FCE9D7 6D9E0428 DAF37AE7 4BE7C8F7
  1CCF5DBC 1C708D01 E56EAB0F E6AA5F5F 365257D0 98A6CBFC 9A511C8C 9C1D7F1A
  00C39B76 1C94E7C1 92A7C45A F2777A42 5646EA27 DFD583FE 97B926A6 6AACD52F
  E0EE9CEB B7A4CCC4 8C3CFCA9 3D4FEB5D 02030100 01A36330 61300F06 03551D13
  0101FF04 05300301 01FF300E 0603551D 0F0101FF 04040302 0186301F 0603551D
  23041830 1680144A 28F146C9 1D91308C 33E6F6DD D8761F65 F5909D30 1D060355
  1D0E0416 04144A28 F146C91D 91308C33 E6F6DDD8 761F65F5 909D300D 06092A86
  4886F70D 01010405 00038181 007CB364 384EE490 51F1ACE5 15A19247 5CE1DC54
  C99CF6CB D9F1BAE5 F18B70F0 405E2098 8F0608AF D93E197D EB50B87C ED5563E7
  FF70E7E4 96D22F5E C1EEC6A4 AAD33C45 EE377B4D C3030E52 8ED606F7 F9CBA2E3
  4BBA38DB 7A09E805 5EBDE2A7 ED79A515 F286E3EC 1BE393F0 CBDBEF46 C89F3B34
  4360413F F1435CC8 801D6F08 CA
  quit
!
!
crypto isakmp policy 10
 encr 3des
 group 2
crypto isakmp key haslo address 10.2.11.2
!
crypto ipsec transform-set TS_1 esp-aes 192 esp-sha-hmac
!
crypto map CM_VPN 10 ipsec-isakmp
 set peer 10.2.11.2
 set transform-set TS_1
 match address ACL_VPN
!
!
!
interface FastEthernet0/0
 description "to_S2960_B_2 port F0/3"
 ip address 169.0.0.123 255.255.255.0 secondary
 ip address 192.168.114.23 255.255.255.0
!
interface Serial0/0/0
 description "to_R1841_B_0 int ser0/0/0"
 ip address 10.2.13.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 crypto map CM_VPN
!
ip route 0.0.0.0 0.0.0.0 192.168.114.1 220
ip route 10.2.11.0 255.255.255.0 10.2.13.1
ip route 10.2.12.0 255.255.255.0 10.2.13.1
!
!
ip access-list extended ACL_VPN
 permit ip 10.2.150.0 0.0.0.255 10.2.12.0 0.0.0.255
!
ntp clock-period 17179794
ntp server 192.168.114.20
-------------------------------------------------------------------------

R1841_B_3# sh crypto isakmp sa
dst             src             state          conn-id slot status
10.2.13.2       10.2.11.2       MM_KEY_EXCH         10    0 ACTIVE
10.2.13.2       10.2.11.2       MM_KEY_EXCH          9    0 ACTIVE
10.2.13.2       10.2.11.2       MM_NO_STATE          8    0 ACTIVE (deleted)
10.2.13.2       10.2.11.2       MM_NO_STATE          7    0 ACTIVE (deleted)

R1841_B_3#show clock
12:33:02.034 UTC Wed Aug 16 2006

R1841_B_3(config)#crypto pki certificate validate CA_IOS
Chain has 2 certificates
Certificate chain for CA_IOS is valid

CONFIGURATION OF ROUTER R1841_B_0

R1841_B_0#s
!
ip domain name ciscolab.comarch.pl
!
!
crypto pki server CA_IOS
 database level complete
 database url flash:
 database username lab password 7 045A190507224343
 issuer-name CN=CA_IOS_SERVER
 grant none
 lifetime ca-certificate 1825
 lifetime enrollment-request 1000
 cdp-url flash:CA_IOS.crl
!
crypto pki trustpoint CA_IOS
 revocation-check crl
 rsakeypair CA_IOS
!
!
crypto pki certificate chain CA_IOS
 certificate ca 01
  30820209 30820172 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  18311630 14060355 0403140D 43415F49 4F535F53 45525645 52301E17 0D303630
  38313431 31313032 315A170D 31313038 31333131 31303231 5A301831 16301406
  03550403 140D4341 5F494F53 5F534552 56455230 819F300D 06092A86 4886F70D
  01010105 0003818D 00308189 02818100 B8833576 3A8F1D17 78BEBEC4 F4CBEAEF
  E4595301 07FE3BB2 FE7AAE86 DE3E7D49 59FCE9D7 6D9E0428 DAF37AE7 4BE7C8F7
  1CCF5DBC 1C708D01 E56EAB0F E6AA5F5F 365257D0 98A6CBFC 9A511C8C 9C1D7F1A
  00C39B76 1C94E7C1 92A7C45A F2777A42 5646EA27 DFD583FE 97B926A6 6AACD52F
  E0EE9CEB B7A4CCC4 8C3CFCA9 3D4FEB5D 02030100 01A36330 61300F06 03551D13
  0101FF04 05300301 01FF300E 0603551D 0F0101FF 04040302 0186301F 0603551D
  23041830 1680144A 28F146C9 1D91308C 33E6F6DD D8761F65 F5909D30 1D060355
  1D0E0416 04144A28 F146C91D 91308C33 E6F6DDD8 761F65F5 909D300D 06092A86
  4886F70D 01010405 00038181 007CB364 384EE490 51F1ACE5 15A19247 5CE1DC54
  C99CF6CB D9F1BAE5 F18B70F0 405E2098 8F0608AF D93E197D EB50B87C ED5563E7
  FF70E7E4 96D22F5E C1EEC6A4 AAD33C45 EE377B4D C3030E52 8ED606F7 F9CBA2E3
  4BBA38DB 7A09E805 5EBDE2A7 ED79A515 F286E3EC 1BE393F0 CBDBEF46 C89F3B34
  4360413F F1435CC8 801D6F08 CA
  quit
!
interface FastEthernet0/0
 description "to_S2960_B_2 port F0/4"
 ip address 192.168.114.20 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.114.1
!

!
tftp-server flash:c1841-advipservicesk9-mz.124-8a.bin alias ios.bin
!
ntp master 1



R1841_B_0#sh crypto pki server
Certificate Server CA_IOS:
    Status: enabled
    Server's current state: enabled
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: CN=CA_IOS_SERVER
    CA cert fingerprint: 76B91A9C 88021E1A 9B46C91B CB4E46E9
    Granting mode is: none
    Last certificate issued serial number: 0x1A
    CA certificate expiration timer: 11:10:21 UTC Aug 13 2011
    CRL NextUpdate timer: 17:10:22 UTC Aug 16 2006
    Current storage dir: flash:
    Database Level: Complete - all issued certs written as <serialnum>.cer

debug crypto isakmp on router B3 while a host on the B1 side tries to reach the network 10.2150.2.2

Aug 16 12:38:47.036 UTC: ISAKMP (0:0): received packet from 10.2.11.2 dport 500 sport 500 Global (N) NEW SA
Aug 16 12:38:47.036 UTC: ISAKMP: Created a peer struct for 10.2.11.2, peer port 500
Aug 16 12:38:47.036 UTC: ISAKMP: New peer created peer = 0x63B1725C peer_handle = 0x800001A4
Aug 16 12:38:47.036 UTC: ISAKMP: Locking peer struct 0x63B1725C, IKE refcount 1 for crypto_isakmp_process_block
Aug 16 12:38:47.036 UTC: ISAKMP: local port 500, remote port 500
Aug 16 12:38:47.036 UTC: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 63D6DE28
Aug 16 12:38:47.036 UTC: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 16 12:38:47.036 UTC: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_R_MM1

Aug 16 12:38:47.040 UTC: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Aug 16 12:38:47.040 UTC: ISAKMP:(0:0:N/A:0): processing vendor id payload
Aug 16 12:38:47.040 UTC: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
Aug 16 12:38:47.040 UTC: ISAKMP (0:0): vendor ID is NAT-T v7
Aug 16 12:38:47.040 UTC: ISAKMP:(0:0:N/A:0): processing vendor id payload
Aug 16 12:38:47.040 UTC: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
Aug 16 12:38:47.040 UTC: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
Aug 16 12:38:47.040 UTC: ISAKMP:(0:0:N/A:0): processing vendor id payload
Aug 16 12:38:47.040 UTC: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
Aug 16 12:38:47.040 UTC: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
Aug 16 12:38:47.040 UTC: ISAKMP : Scanning profiles for xauth ...
Aug 16 12:38:47.040 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
Aug 16 12:38:47.040 UTC: ISAKMP:      encryption 3DES-CBC
Aug 16 12:38:47.040 UTC: ISAKMP:      hash SHA
Aug 16 12:38:47.040 UTC: ISAKMP:      default group 2
Aug 16 12:38:47.040 UTC: ISAKMP:      auth RSA sig
Aug 16 12:38:47.040 UTC: ISAKMP:      life type in seconds
Aug 16 12:38:47.040 UTC: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Aug 16 12:38:47.040 UTC: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
Aug 16 12:38:47.092 UTC: ISAKMP:(0:24:SW:1): processing vendor id payload
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
Aug 16 12:38:47.096 UTC: ISAKMP (0:134217752): vendor ID is NAT-T v7
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1): processing vendor id payload
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1): vendor ID is NAT-T v3
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1): processing vendor id payload
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1): vendor ID is NAT-T v2
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM1

Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1): constructed NAT-T vendor-07 ID
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1): sending packet to 10.2.11.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM2

Aug 16 12:38:47.160 UTC: ISAKMP (0:134217752): received packet from 10.2.11.2 dport 500 sport 500 Global (R) MM_SA_SETUP
Aug 16 12:38:47.160 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 16 12:38:47.160 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM2  New State = IKE_R_MM3

Aug 16 12:38:47.160 UTC: ISAKMP:(0:24:SW:1): processing KE payload. message ID = 0
Aug 16 12:38:47.228 UTC: ISAKMP:(0:24:SW:1): processing NONCE payload. message ID = 0
Aug 16 12:38:47.232 UTC: ISAKMP:(0:24:SW:1):SKEYID state generated
Aug 16 12:38:47.232 UTC: ISAKMP:(0:24:SW:1): processing CERT_REQ payload. message ID = 0
Aug 16 12:38:47.232 UTC: ISAKMP:(0:24:SW:1): peer wants a CT_X509_SIGNATURE cert
Aug 16 12:38:47.232 UTC: ISAKMP:(0:24:SW:1): peer want cert issued by
Aug 16 12:38:47.232 UTC: CRYPTO_PKI: Trust-Point CA_IOS picked up
Aug 16 12:38:47.232 UTC: CRYPTO_PKI: locked trustpoint CA_IOS, refcount is 5
Aug 16 12:38:47.232 UTC: ISAKMP:(0:24:SW:1): Choosing trustpoint CA_IOS as issuer
Aug 16 12:38:47.232 UTC: CRYPTO_PKI: unlocked trustpoint CA_IOS, refcount is 4
Aug 16 12:38:47.232 UTC: CRYPTO_PKI: locked trustpoint CA_IOS, refcount is 5
Aug 16 12:38:47.232 UTC: ISAKMP:(0:24:SW:1): processing vendor id payload
Aug 16 12:38:47.232 UTC: ISAKMP:(0:24:SW:1): vendor ID is Unity
Aug 16 12:38:47.232 UTC: ISAKMP:(0:24:SW:1): processing vendor id payload
Aug 16 12:38:47.232 UTC: ISAKMP:(0:24:SW:1): vendor ID is DPD
Aug 16 12:38:47.236 UTC: ISAKMP:(0:24:SW:1): processing vendor id payload
Aug 16 12:38:47.236 UTC: ISAKMP:(0:24:SW:1): speaking to another IOS box!
Aug 16 12:38:47.236 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 16 12:38:47.236 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM3  New State = IKE_R_MM3

Aug 16 12:38:47.236 UTC: ISAKMP:(0:24:SW:1): sending packet to 10.2.11.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Aug 16 12:38:47.236 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 16 12:38:47.236 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM3  New State = IKE_R_MM4

Aug 16 12:38:47.352 UTC: ISAKMP (0:134217752): received packet from 10.2.11.2 dport 500 sport 500 Global (R) MM_KEY_EXCH
Aug 16 12:38:47.352 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 16 12:38:47.352 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM4  New State = IKE_R_MM5

Aug 16 12:38:47.352 UTC: ISAKMP:(0:24:SW:1): processing ID payload. message ID = 0
Aug 16 12:38:47.352 UTC: ISAKMP (0:134217752): ID payload
        next-payload : 9
        type         : 1
        address      : 10.2.11.2
        protocol     : 17
        port         : 500
        length       : 12
Aug 16 12:38:47.352 UTC: ISAKMP:(0:24:SW:1):: peer matches *none* of the profiles
Aug 16 12:38:47.352 UTC: ISAKMP:(0:24:SW:1): processing SIG payload. message ID = 0
Aug 16 12:38:47.356 UTC: ISAKMP:(0:24:SW:1): signature invalid!
Aug 16 12:38:47.356 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 16 12:38:47.356 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM5  New State = IKE_R_MM5

Aug 16 12:38:47.356 UTC: ISAKMP (0:134217752): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Aug 16 12:38:47.360 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Aug 16 12:38:47.360 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM5  New State = IKE_R_MM4

Aug 16 12:38:48.356 UTC: ISAKMP:(0:24:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 16 12:38:48.356 UTC: ISAKMP (0:134217752): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Aug 16 12:38:48.356 UTC: ISAKMP:(0:24:SW:1): retransmitting phase 1 MM_KEY_EXCH
Aug 16 12:38:48.356 UTC: ISAKMP:(0:24:SW:1): sending packet to 10.2.11.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Aug 16 12:38:49.360 UTC: ISAKMP (0:134217752): received packet from 10.2.11.2 dport 500 sport 500 Global (R) MM_KEY_EXCH
Aug 16 12:38:49.360 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 16 12:38:49.360 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM4  New State = IKE_R_MM5

Aug 16 12:38:49.360 UTC: ISAKMP:(0:24:SW:1): processing SIG payload. message ID = 0
Aug 16 12:38:49.364 UTC: ISAKMP:(0:24:SW:1): signature invalid!
Aug 16 12:38:49.364 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 16 12:38:49.364 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM5  New State = IKE_R_MM5

Aug 16 12:38:49.364 UTC: ISAKMP (0:134217752): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Aug 16 12:38:49.364 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Aug 16 12:38:49.364 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM5  New State = IKE_R_MM4

Aug 16 12:38:50.364 UTC: ISAKMP:(0:24:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 16 12:38:50.364 UTC: ISAKMP (0:134217752): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Aug 16 12:38:50.364 UTC: ISAKMP:(0:24:SW:1): retransmitting phase 1 MM_KEY_EXCH
Aug 16 12:38:50.364 UTC: ISAKMP:(0:24:SW:1): sending packet to 10.2.11.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Aug 16 12:38:50.868 UTC: ISAKMP (0:134217752): received packet from 10.2.11.2 dport 500 sport 500 Global (R) MM_KEY_EXCH
Aug 16 12:38:50.868 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 16 12:38:50.868 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM4  New State = IKE_R_MM5

Aug 16 12:38:50.868 UTC: ISAKMP:(0:24:SW:1): processing SIG payload. message ID = 0
Aug 16 12:38:50.872 UTC: ISAKMP:(0:24:SW:1): signature invalid!
Aug 16 12:38:50.872 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 16 12:38:50.872 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM5  New State = IKE_R_MM5

Aug 16 12:38:50.872 UTC: ISAKMP (0:134217752): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Aug 16 12:38:50.872 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Aug 16 12:38:50.872 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM5  New State = IKE_R_MM4

Aug 16 12:38:51.872 UTC: ISAKMP:(0:24:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 16 12:38:51.872 UTC: ISAKMP (0:134217752): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Aug 16 12:38:51.872 UTC: ISAKMP:(0:24:SW:1): retransmitting phase 1 MM_KEY_EXCH
Aug 16 12:38:51.872 UTC: ISAKMP:(0:24:SW:1): sending packet to 10.2.11.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Aug 16 12:38:52.376 UTC: ISAKMP (0:134217752): received packet from 10.2.11.2 dport 500 sport 500 Global (R) MM_KEY_EXCH
Aug 16 12:38:52.376 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 16 12:38:52.376 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM4  New State = IKE_R_MM5

Aug 16 12:38:52.376 UTC: ISAKMP:(0:24:SW:1): processing SIG payload. message ID = 0
Aug 16 12:38:52.380 UTC: ISAKMP:(0:24:SW:1): signature invalid!
Aug 16 12:38:52.380 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 16 12:38:52.380 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM5  New State = IKE_R_MM5

Aug 16 12:38:52.380 UTC: ISAKMP (0:134217752): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Aug 16 12:38:52.380 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Aug 16 12:38:52.380 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM5  New State = IKE_R_MM4

Aug 16 12:38:53.380 UTC: ISAKMP:(0:24:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 16 12:38:53.380 UTC: ISAKMP (0:134217752): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Aug 16 12:38:53.380 UTC: ISAKMP:(0:24:SW:1): retransmitting phase 1 MM_KEY_EXCH
Aug 16 12:38:53.380 UTC: ISAKMP:(0:24:SW:1): sending packet to 10.2.11.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Aug 16 12:38:53.884 UTC: ISAKMP (0:134217752): received packet from 10.2.11.2 dport 500 sport 500 Global (R) MM_KEY_EXCH
Aug 16 12:38:53.884 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 16 12:38:53.884 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM4  New State = IKE_R_MM5

Aug 16 12:38:53.884 UTC: ISAKMP:(0:24:SW:1): processing SIG payload. message ID = 0
Aug 16 12:38:53.888 UTC: ISAKMP:(0:24:SW:1): signature invalid!
Aug 16 12:38:53.888 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 16 12:38:53.888 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM5  New State = IKE_R_MM5

Aug 16 12:38:53.888 UTC: ISAKMP (0:134217752): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Aug 16 12:38:53.888 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Aug 16 12:38:53.888 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM5  New State = IKE_R_MM4

Aug 16 12:38:54.888 UTC: ISAKMP:(0:24:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 16 12:38:54.888 UTC: ISAKMP (0:134217752): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Aug 16 12:38:54.888 UTC: ISAKMP:(0:24:SW:1): retransmitting phase 1 MM_KEY_EXCH
Aug 16 12:38:54.888 UTC: ISAKMP:(0:24:SW:1): sending packet to 10.2.11.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
"Trust no one"

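A small triage script for debug crypto isakmp output of the kind pasted above, added here as an example (it is not part of the post and not an IOS tool). It walks the responder's main-mode state transitions and tells a phase 1 proposal mismatch apart from a key-exchange failure and from an authentication failure. The sample lines are a subset of the R1841_B_3 debug above; the milestone labels, the event strings it keys on and the diagnosis texts are my own choices, not IOS documentation.

```python
import re

# Constructed sample: a subset of the "debug crypto isakmp" lines from R1841_B_3,
# reduced to the state transitions and events that matter for triage.
SAMPLE_DEBUG = """\
Aug 16 12:38:47.040 UTC: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM2
Aug 16 12:38:47.160 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM2  New State = IKE_R_MM3
Aug 16 12:38:47.232 UTC: ISAKMP:(0:24:SW:1):SKEYID state generated
Aug 16 12:38:47.236 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM3  New State = IKE_R_MM4
Aug 16 12:38:47.352 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM4  New State = IKE_R_MM5
Aug 16 12:38:47.352 UTC: ISAKMP:(0:24:SW:1): processing SIG payload. message ID = 0
Aug 16 12:38:47.356 UTC: ISAKMP:(0:24:SW:1): signature invalid!
Aug 16 12:38:47.356 UTC: ISAKMP (0:134217752): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Aug 16 12:38:47.360 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM5  New State = IKE_R_MM4
Aug 16 12:38:48.356 UTC: ISAKMP:(0:24:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 16 12:38:49.360 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM4  New State = IKE_R_MM5
Aug 16 12:38:49.364 UTC: ISAKMP:(0:24:SW:1): signature invalid!
"""

STATE_RE = re.compile(r"Old State = (IKE_\w+)\s+New State = (IKE_\w+)")

# What each responder main-mode milestone means (my labels, not IOS output).
MILESTONES = {
    0: "nothing received",
    1: "MM1: peer's SA proposal received",
    2: "MM2: proposal accepted, SA reply sent",
    3: "MM3: peer's KE/nonce received",
    4: "MM4: DH done, own KE/nonce sent",
    5: "MM5: peer's ID/SIG received (authentication point)",
}


def mm_level(state: str) -> int:
    """IKE_R_MM5 -> 5; IKE_READY and other non-MM states count as 0."""
    m = re.search(r"MM(\d)$", state)
    return int(m.group(1)) if m else 0


def triage_isakmp(debug_text: str) -> dict:
    """Summarise how far phase 1 got and why it failed, from a debug excerpt."""
    highest = 0             # deepest main-mode state reached
    fallbacks = 0           # transitions back to a lower state (error recovery)
    sig_failures = 0        # 'signature invalid!' events
    retransmits = 0
    dh_done = False         # SKEYID derived => DH and nonces were fine
    proposal_rejected = False
    for line in debug_text.splitlines():
        if m := STATE_RE.search(line):
            old, new = (mm_level(s) for s in m.groups())
            highest = max(highest, new)
            if new < old:
                fallbacks += 1
        if "SKEYID state generated" in line:
            dh_done = True
        if "signature invalid" in line:
            sig_failures += 1
        if "atts are not acceptable" in line or "no offers accepted" in line:
            proposal_rejected = True
        if "retransmitting phase 1" in line:
            retransmits += 1

    if proposal_rejected and highest < 2:
        diagnosis = "phase 1 proposal mismatch: compare 'crypto isakmp policy' on both peers"
    elif sig_failures:
        diagnosis = ("peer authentication failed: the RSA signature in the peer's ID/SIG "
                     "message did not verify; proposal and DH are fine, look at the "
                     "certificates, the key pairs and the crypto engine")
    elif not dh_done:
        diagnosis = "stuck before key exchange: check reachability, UDP/500 filtering and NAT"
    else:
        diagnosis = "no phase 1 failure in this excerpt"

    return {
        "highest_state": MILESTONES[highest],
        "highest_mm": highest,
        "dh_completed": dh_done,
        "signature_failures": sig_failures,
        "fallbacks": fallbacks,
        "retransmits": retransmits,
        "diagnosis": diagnosis,
    }


if __name__ == "__main__":
    for key, value in triage_isakmp(SAMPLE_DEBUG).items():
        print(f"{key:20} {value}")
```

The fallback counter is also the link to the %CRYPTO-6-IKMP_NOT_ENCRYPTED message seen on B1: after each failed verification the responder drops from MM5 back to MM4 and retransmits its unencrypted MM_KEY_EXCH packet, while the initiator, already past that point, accepts only encrypted packets and logs the retransmission as an error.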
krisator
wannabe
Posts: 446
Joined: 06 May 2005, 18:35

#2 Post by krisator »

in the router configs you have:
"crypto isakmp key haslo address 10.2.13.2", i.e. in phase one the routers try to authenticate with a password (pre-share).

I suggest trying this:
crypto isakmp identity dn --> Use the distinguished name of the router cert for the identity

maybe it helps... I have no way to check it, so this is my first idea
let me know whether it helped :wink:

kktm
CCIE
Posts: 2025
Joined: 20 Oct 2004, 14:43
Location: Wrocław

#3 Post by kktm »

krisator wrote: in the router configs you have:
"crypto isakmp key haslo address 10.2.13.2", i.e. in phase one the routers try to authenticate with a password (pre-share).

I suggest trying this:
crypto isakmp identity dn --> Use the distinguished name of the router cert for the identity

maybe it helps... I have no way to check it, so this is my first idea
let me know whether it helped :wink:
Sure, I'll check it, but only tomorrow. Thanks for the hint.

As for the pre-shared key, though: crypto isakmp policy 10 says that authentication is rsa-sig (the default setting, so it isn't displayed).
crypto isakmp key haslo address 10.2.13.2 is a setting from the previous crypto isakmp policy, with which I verified that IPsec works.
"Trust no one"

krisiasty
wannabe
Posts: 483
Joined: 07 Feb 2006, 22:26
Location: Gdańsk

Re: SITE2SITE, PKI- simple topology- PROBLEMS

#4 Post by krisiasty »

kktm wrote:
I have a problem with PKI. I set up a VPN tunnel between routers B1 and B3 with a pre-shared key. It works. Now I wanted to use RSA-sig authentication and unfortunately the peers cannot authenticate :( Maybe someone will spot where the bug is.

RSA 512-bit keys are generated everywhere, NTP is in place.

[...]

Aug 16 12:38:53.888 UTC: ISAKMP:(0:24:SW:1): signature invalid!
what exact software version do you have on these routers?
perhaps you've hit a bug in 12.4.2T - CSCei50425 (admittedly it is written up for the 7200/7301, but the effect is similar):
Symptoms: A Cisco 7200 series or Cisco 7301 that is equipped with a VAM, VAM2 or VAM2+ accelerator may refuse a valid RSA key and generate an error message such as the following:

% Error in generating keys: did not validate % Key pair import failed.

Conditions: This symptom is observed under rare circumstances when a valid RSA key is composed of unusually short or long prime numbers and coefficient.

When the VAM is deactivated during the importation of the RSA key, the router accepts the key but when the VAM, VAM2, or VAM2+ is inserted into the chassis, the router miscomputes the signature payload of the IKE/ISAKMP exchanges.

Workaround: Create a new RSA key.

Further Problem Description: The result of the wrong operation can be seen on the other side of the connection by activating the debug crypto engine and debug crypto isakmp commands. The following messages are related to the failure:
crypto_engine: public key verify
crypto_engine: public key verify, got error no available resources
ISAKMP:(0:2:HW:2): signature invalid!
try generating longer keys - 1024 bit on all routers (including the CA one) and issue new certificates. and upgrade the software if you are on some early 12.4T
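To check from a pasted configuration which key size each certificate really carries, here is an added example (not from the thread and not an IOS tool): a minimal DER walker that reads the hex dump IOS prints under crypto pki certificate chain and reports serial, validity, signature algorithm OID and RSA modulus size. The two blobs are certificate 14 and certificate ca 01 copied from the R1841_B_1 configuration above; the router certificate carries a 512-bit modulus and the CA certificate a 1024-bit one, and both are signed with md5WithRSAEncryption. Function names and the OID table are my own.

```python
# Minimal DER walker for IOS "crypto pki certificate chain" hex dumps.
# Added example; it depends only on the Python standard library.

# Input copied from the R1841_B_1 configuration above: certificate 14 (the
# router's own certificate) and "certificate ca 01" (the CA certificate).
ROUTER_CERT_HEX = """
308201D3 3082013C A0030201 02020114 300D0609 2A864886 F70D0101 04050030
18311630 14060355 0403140D 43415F49 4F535F53 45525645 52301E17 0D303630
38313631 31303034 325A170D 30373038 31363131 30303432 5A303A31 38301606
092A8648 86F70D01 09081309 31302E32 2E31312E 32301E06 092A8648 86F70D01
09021611 52313834 315F425F 312E6C61 622E636F 6D305C30 0D06092A 864886F7
0D010101 0500034B 00304802 4100BE54 3B7884DC 53431874 819BA171 4B8F3795
B62876CB E9E507C4 6206952F 18F81777 FD78C2BA 483862FD 43F6246D EA3E61F8
5C462472 FC4B859B 4C5B3E03 DB930203 010001A3 4F304D30 0B060355 1D0F0404
030205A0 301F0603 551D2304 18301680 144A28F1 46C91D91 308C33E6 F6DDD876
1F65F590 9D301D06 03551D0E 04160414 B91A36DC 2EFF52AA F67A7126 3DA42CDB
37E2D131 300D0609 2A864886 F70D0101 04050003 818100B1 36825294 C5978F26
9BB74881 AAFBB515 F89AB91F DE23EEE6 72204A4E E97E0B1C 970D730F 53487D21
3ECE2671 48E2FA0E 92DF4187 2CC36E0F DDAEA06D AC21915B A403196A 54F60234
9F8611CE 2326A2C0 8D49E3E5 7E00CF06 79136569 96516BA0 4980F895 0282E245
C8974718 AA59F501 57A49E88 DB63F0B8 FD3649D9 8F323D
"""
CA_CERT_HEX = """
30820209 30820172 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
18311630 14060355 0403140D 43415F49 4F535F53 45525645 52301E17 0D303630
38313431 31313032 315A170D 31313038 31333131 31303231 5A301831 16301406
03550403 140D4341 5F494F53 5F534552 56455230 819F300D 06092A86 4886F70D
01010105 0003818D 00308189 02818100 B8833576 3A8F1D17 78BEBEC4 F4CBEAEF
E4595301 07FE3BB2 FE7AAE86 DE3E7D49 59FCE9D7 6D9E0428 DAF37AE7 4BE7C8F7
1CCF5DBC 1C708D01 E56EAB0F E6AA5F5F 365257D0 98A6CBFC 9A511C8C 9C1D7F1A
00C39B76 1C94E7C1 92A7C45A F2777A42 5646EA27 DFD583FE 97B926A6 6AACD52F
E0EE9CEB B7A4CCC4 8C3CFCA9 3D4FEB5D 02030100 01A36330 61300F06 03551D13
0101FF04 05300301 01FF300E 0603551D 0F0101FF 04040302 0186301F 0603551D
23041830 1680144A 28F146C9 1D91308C 33E6F6DD D8761F65 F5909D30 1D060355
1D0E0416 04144A28 F146C91D 91308C33 E6F6DDD8 761F65F5 909D300D 06092A86
4886F70D 01010405 00038181 007CB364 384EE490 51F1ACE5 15A19247 5CE1DC54
C99CF6CB D9F1BAE5 F18B70F0 405E2098 8F0608AF D93E197D EB50B87C ED5563E7
FF70E7E4 96D22F5E C1EEC6A4 AAD33C45 EE377B4D C3030E52 8ED606F7 F9CBA2E3
4BBA38DB 7A09E805 5EBDE2A7 ED79A515 F286E3EC 1BE393F0 CBDBEF46 C89F3B34
4360413F F1435CC8 801D6F08 CA
"""

OID_NAMES = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
             "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}


def read_tlv(data: bytes, pos: int):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def children(value: bytes):
    """Split a constructed element's contents into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value: bytes) -> str:
    """Dotted form of an OBJECT IDENTIFIER's contents (base-128 arcs)."""
    arcs, acc = list(divmod(value[0], 40)), 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def summarize(hex_dump: str) -> dict:
    """Walk Certificate -> tbsCertificate and pull out the fields of interest."""
    data = bytes.fromhex("".join(hex_dump.split()))
    _, cert, _ = read_tlv(data, 0)                      # Certificate ::= SEQUENCE
    fields = children(children(cert)[0][1])             # children of tbsCertificate
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    serial, sig_alg, _issuer, validity, _subject, spki = fields[:6]
    not_before, not_after = (v.decode() for _, v in children(validity[1]))
    sig_oid = decode_oid(children(sig_alg[1])[0][1])
    bit_string = children(spki[1])[1][1]                # subjectPublicKey BIT STRING
    _, rsa_seq = children(bit_string[1:])[0]            # skip unused-bits byte -> RSAPublicKey
    modulus, exponent = (int.from_bytes(v, "big") for _, v in children(rsa_seq))
    return {"serial": int.from_bytes(serial[1], "big"),
            "not_before": not_before, "not_after": not_after,
            "signature_oid": sig_oid, "signature_alg": OID_NAMES.get(sig_oid, "unknown"),
            "modulus_bits": modulus.bit_length(), "exponent": exponent}


if __name__ == "__main__":
    for label, blob in (("router cert 14", ROUTER_CERT_HEX), ("CA cert 01", CA_CERT_HEX)):
        print(label, summarize(blob))
```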

kktm
CCIE
Posts: 2025
Joined: 20 Oct 2004, 14:43
Location: Wrocław

Re: SITE2SITE, PKI- simple topology- PROBLEMS

#5 Post by kktm »

krisiasty wrote:
what exact software version do you have on these routers?
perhaps you've hit a bug in 12.4.2T - CSCei50425 (admittedly it is written up for the 7200/7301, but the effect is similar):
my software:
c1841-advipservicesk9-mz.124-8a.bin
krisiasty wrote: try generating longer keys - 1024 bit on all routers (including the CA one) and issue new certificates. and upgrade the software if you are on some early 12.4T
I generated 1024-bit keys and the problem is the same. I experimented with general and usage keys, with labels and without - no change.

Of course, following the hint, I entered the command

crypto isakmp identity dn
"Trust no one"

krisiasty
wannabe
Posts: 483
Joined: 07 Feb 2006, 22:26
Location: Gdańsk

Re: SITE2SITE, PKI- simple topology- PROBLEMS

#6 Post by krisiasty »

you know what, I get the impression you have something quite messed up with routing and crypto maps.

on R1841_B_1 you have a crypto map attached to s0/0/0 that is to encrypt traffic from 10.2.12.0/24 to 10.2.150.0/24; routing to 10.2.150.0/24 goes via s0/0/0 - that's OK.

on R1841_B_3 you have a crypto map on s0/0/0 that matches traffic from 10.2.150.0/24 to 10.2.12.0/24, but you have no route to 10.2.150.0/24 - only the default via 192.168.114.1 (i.e. f0/0).
set up routing correctly on that router and then test.

kktm
CCIE
Posts: 2025
Joined: 20 Oct 2004, 14:43
Location: Wrocław

Re: SITE2SITE, PKI- simple topology- PROBLEMS

#7 Post by kktm »

krisiasty wrote: you know what, I get the impression that you've got your routing and crypto maps seriously mixed up.

on R1841_B_1 you have a crypto map bound to s0/0/0 that is supposed to encrypt traffic from 10.2.12.0/24 to 10.2.150.0/24; your route to 10.2.150.0/24 goes via s0/0/0 - that's fine.

on R1841_B_3 you have a crypto map on s0/0/0 that matches traffic from 10.2.150.0/24 to 10.2.12.0/24, but you have no route to 10.2.150.0/24 - only a default via 192.168.114.1 (i.e. f0/0).
set up the routing on that router correctly and then test.
Unfortunately the routing did not get pasted into the post, but it is set up normally; in any case, congratulations on your attentiveness.

Code: Select all

R1841_B_3#show run | include ip route
ip route 0.0.0.0 0.0.0.0 192.168.114.1 220
ip route 10.2.11.0 255.255.255.0 10.2.13.1
ip route 10.2.12.0 255.255.255.0 10.2.13.1

I DID, HOWEVER, FIND THE CAUSE OF THE ERROR:
though for now I still can't get rid of it

Code: Select all

debug crypto engine ...

Aug 17 07:47:28.906 UTC: CryptoEngine0: generating alg parameter for connid 70
Aug 17 07:47:28.958 UTC: CRYPTO_ENGINE: Dh phase 1 status: 0
Aug 17 07:47:28.958 UTC: CRYPTO_ENGINE: Dh phase 1 status: OK
Aug 17 07:47:29.022 UTC: CryptoEngine0: generating alg parameter for connid 0
Aug 17 07:47:29.094 UTC: CryptoEngine0: calculate pkey hmac for conn id 70
Aug 17 07:47:29.094 UTC: CryptoEngine0: create ISAKMP SKEYID for conn id 70
Aug 17 07:47:29.342 UTC: CryptoEngine0: generate hmac context for conn id 70
Aug 17 07:47:29.342 UTC: crypto_engine: public key verify
Aug 17 07:47:29.346 UTC: crypto_engine: public key verify, got error no available resources
no available resources - but which ones? - memory and CPU are practically idle, I haven't enabled any other features.

There is nothing written about this in the Bug Toolkit.

I tried changing all the crypto engine parameters and it doesn't help. I'll also try downgrading the software.

Has any of you run PKI on 1800-series routers?
I also have problems with rsa-encr authentication. Using copy-paste I manage to transfer the public keys, provided I generated a plain general key.

When the key is generated with a label and/or as a usage key, the routers also cannot authenticate; I not only pasted the keys onto the neighbours but also checked them bit by bit :(
"Trust no one"
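An added example, not part of the thread, that triages the debug crypto engine output quoted above: it walks the lines in order, records which main-mode milestones were reached, and names the stage in progress when the crypto engine reported its first error. Which debug message marks which IKE step is this example's own assumption.

```python
import re

# Constructed sample: the "debug crypto engine" lines quoted in the post above.
SAMPLE_DEBUG = """\
Aug 17 07:47:28.906 UTC: CryptoEngine0: generating alg parameter for connid 70
Aug 17 07:47:28.958 UTC: CRYPTO_ENGINE: Dh phase 1 status: 0
Aug 17 07:47:28.958 UTC: CRYPTO_ENGINE: Dh phase 1 status: OK
Aug 17 07:47:29.094 UTC: CryptoEngine0: calculate pkey hmac for conn id 70
Aug 17 07:47:29.094 UTC: CryptoEngine0: create ISAKMP SKEYID for conn id 70
Aug 17 07:47:29.342 UTC: CryptoEngine0: generate hmac context for conn id 70
Aug 17 07:47:29.342 UTC: crypto_engine: public key verify
Aug 17 07:47:29.346 UTC: crypto_engine: public key verify, got error no available resources
"""

# Main-mode milestones in order, keyed on the debug text that marks each one
# (the mapping of messages to IKE steps is this example's own assumption).
STAGES = [
    ("dh_exchange", re.compile(r"Dh phase 1 status: OK")),
    ("skeyid", re.compile(r"create ISAKMP SKEYID")),
    ("rsa_sig_verify", re.compile(r"public key verify$")),
]
ERROR = re.compile(r"got error (?P<err>.+)$")
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:.]+ UTC): (?P<msg>.*)$")

def triage_phase1(log_text):
    """Walk the debug output in order, record when each milestone was first
    reached and the first crypto-engine error, and name the stage that was
    in progress when the error hit (here: peer RSA signature verification)."""
    reached = {name: None for name, _ in STAGES}
    first_error = None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        for name, pat in STAGES:
            if reached[name] is None and pat.search(msg):
                reached[name] = ts
        err = ERROR.search(msg)
        if err:
            first_error = {"ts": ts, "error": err.group("err").strip()}
            break  # stop at the first error; later lines are retransmits
    failed_at = None
    if first_error is not None:
        # Failing stage = last milestone reached before the error line.
        done = [n for n, _ in STAGES if reached[n] is not None]
        failed_at = done[-1] if done else "before_dh"
    return {"reached": reached, "first_error": first_error, "failed_at": failed_at}
```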

awo
CCIE
Posts: 355
Joined: 05 Sep 2004, 16:25
Location: waw@pl

#8 Post by awo »

Did you run tests with the HW engine disabled? (software only)
Can you show the HW engine statistics?

I suggest upgrading straight away to the latest 12.4.6T, or better still 12.4.9T.

krisiasty
wannabe
Posts: 483
Joined: 07 Feb 2006, 22:26
Location: Gdańsk

Re: SITE2SITE, PKI- simple topology- PROBLEMS

#9 Post by krisiasty »

kktm wrote:
Has any of you run PKI on 1800-series routers?
I also have problems with rsa-encr authentication. Using copy-paste I manage to transfer the public keys, provided I generated a plain general key.
at one of our customers we have a VPN set up between a 2811/1841/871 using (commercial) certificates. rsa-encr authentication used to work there as well.
the 1841 runs 12.4.5, the 2811 - 12.4.6T

do actually try a software downgrade, or an upgrade to 12.4T as awo suggested.

if that doesn't help, also disable the built-in hardware accelerator.

oh, and also check whether you're short of buffers... (show buffers ...)
Aug 17 07:47:29.346 UTC: crypto_engine: public key verify, got error no available resources
that again leads us to the bug I already mentioned, CSCei50425.
the description suggests that the bug shows up not on the router that has the badly generated keys, but on the other one which tries to decrypt it.

kktm
CCIE
Posts: 2025
Joined: 20 Oct 2004, 14:43
Location: Wrocław

#10 Post by kktm »

All in all, the PKI configuration is simple enough that IMHO there is nothing you can scr....w up in it, so I thought I'd swap the router. Pity I only hit on that after 3 days :(

TADA, IT STARTED WORKING :)

but on a different router :(

I.e. exactly the same configuration, the same software (indeed the same router delivery)

Definitely the router's fault - the one on which the strange crypto engine debugs appeared.
"Trust no one"

ZawiSh
wannabe
Posts: 92
Joined: 21 Jul 2005, 11:54

Re: SITE2SITE, PKI- simple topology- PROBLEMS

#11 Post by ZawiSh »

kktm wrote:
Has any of you run PKI on 1800-series routers?
I have; everything worked. I also used an 1841 as a CA in a setup with ASAs - that works too. Below is info on what I managed to do...

I spent half an hour writing ... of course I'm glad you solved the probl... oh well, no point cluttering the forum ... delete :(

regards ;)
-= today is the first day of the rest of your life, enjoy it =-
