I have a problem with PKI. I set up a VPN tunnel with a pre-shared key between routers B1 and B3. It works. Now I wanted to use RSA-sig authentication and unfortunately the peers cannot authenticate :( Maybe someone can spot where the bug is.
RSA-512 keys are generated everywhere, and NTP is in place.
The trustpoint is correctly authenticated; router B0 is configured as the CA.
The B1 and B3 certificates were enrolled correctly (debug crypto pki transaction and debug crypto pki message show that everything is OK), so routers B1 and B3 have certificates signed by B0, the date is correct, but IKE phase 1 does not come up. debug crypto isakmp shows that IPsec stops during authentication when certificates are used.
Where is the error: on the CA side or on the peers?
The ISAKMP state is MM_NO_STATE, i.e. Diffie-Hellman went through. The error occurs during authentication.
It looks like a problem with the certificates:
Aug 16 12:38:53.884 UTC: ISAKMP:(0:24:SW:1): processing SIG payload. message ID = 0
Aug 16 12:38:53.888 UTC: ISAKMP:(0:24:SW:1): signature invalid!
Aug 16 12:38:53.888 UTC: ISAKMP (0:134217752): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Aug 16 12:38:53.888 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Aug 16 12:38:54.888 UTC: ISAKMP:(0:24:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 16 12:38:54.888 UTC: ISAKMP (0:134217752): incrementing error counter on sa, attempt 2 of 5: retransmit phase
On router B1 I periodically get the message:
Aug 16 13:19:00.359 UTC: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 10.2.13.2 was not encrypted and it should've been.
A beer for help.
CONFIG OF ROUTER R1841_B_1
version 12.4
!
hostname R1841_B_1
!
!
no ip domain lookup
ip domain name lab.com
ip host CA_IOS 192.168.114.20
ip host R1841_B_3 10.2.13.2
!
crypto pki trustpoint CA_IOS
enrollment url http://CA_IOS:80
serial-number none
ip-address 10.2.11.2
revocation-check none
!
!
crypto pki certificate chain CA_IOS
certificate 14
quit
certificate ca 01
quit
username lab privilege 15 secret 5 $1$ihqn$SIbZPD7LAadT4DS0hD/Eg.
!
!
!
crypto isakmp policy 10
encr 3des
group 2
crypto isakmp key haslo address 10.2.13.2
!
!
crypto ipsec transform-set TS_1 esp-aes 192 esp-sha-hmac
!
crypto map CM_VPN 10 ipsec-isakmp
set peer 10.2.13.2
set transform-set TS_1
match address ACL_VPN
!
!
!
interface FastEthernet0/0
ip address 169.0.0.121 255.255.255.0 secondary
ip address 192.168.114.21 255.255.255.0
!
interface Serial0/0/0
description "to_R1841_B_0 int ser0/1/0"
ip address 10.2.11.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
crypto map CM_VPN
!
interface Serial0/0/1
description "to_R1841_B_2 int ser0/0/1"
ip address 10.2.12.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
!
ip route 0.0.0.0 0.0.0.0 192.168.114.1 220
ip route 10.2.13.0 255.255.255.0 10.2.11.1
ip route 10.2.150.0 255.255.255.0 10.2.11.1
!
ip http server
ip http authentication local
ip http secure-server
!
ip access-list extended ACL_VPN
permit ip 10.2.12.0 0.0.0.255 10.2.150.0 0.0.0.255
!
ntp clock-period 17179846
ntp server 192.168.114.20
------------------------------------------------------------------------------
R1841_B_1#sh crypto isakmp sa
dst src state conn-id slot status
10.2.13.2 10.2.11.2 MM_KEY_EXCH 3 0 ACTIVE
10.2.13.2 10.2.11.2 MM_NO_STATE 2 0 ACTIVE (deleted)
10.2.13.2 10.2.11.2 MM_NO_STATE 1 0 ACTIVE (deleted)
R1841_B_1#show clock
12:28:16.474 UTC Wed Aug 16 2006
R1841_B_1#sh crypto pki certificates CA_IOS
Certificate
Status: Available
Certificate Serial Number: 14
Certificate Usage: General Purpose
Issuer:
cn=CA_IOS_SERVER
Subject:
Name: R1841_B_1.lab.com
IP Address: 10.2.11.2
ipaddress=10.2.11.2+hostname=R1841_B_1.lab.com
Validity Date:
start date: 11:00:42 UTC Aug 16 2006
end date: 11:00:42 UTC Aug 16 2007
Associated Trustpoints: CA_IOS
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=CA_IOS_SERVER
Subject:
cn=CA_IOS_SERVER
Validity Date:
start date: 11:10:21 UTC Aug 14 2006
end date: 11:10:21 UTC Aug 13 2011
Associated Trustpoints: CA_IOS
R1841_B_1(config)#crypto pki certificate validate CA_IOS
Chain has 2 certificates
Certificate chain for CA_IOS is valid
hostname R1841_B_3
!
!
no ip domain lookup
ip domain name lab.com
ip host CA_IOS 192.168.114.20
ip host R1841_B_1 10.2.11.2
!
crypto pki trustpoint CA_IOS
enrollment url http://CA_IOS:80
serial-number none
ip-address 10.2.13.2
revocation-check none
!
!
crypto pki certificate chain CA_IOS
certificate 1A
quit
certificate ca 01
quit
!
!
crypto isakmp policy 10
encr 3des
group 2
crypto isakmp key haslo address 10.2.11.2
!
crypto ipsec transform-set TS_1 esp-aes 192 esp-sha-hmac
!
crypto map CM_VPN 10 ipsec-isakmp
set peer 10.2.11.2
set transform-set TS_1
match address ACL_VPN
!
!
!
interface FastEthernet0/0
description "to_S2960_B_2 port F0/3"
ip address 169.0.0.123 255.255.255.0 secondary
ip address 192.168.114.23 255.255.255.0
!
interface Serial0/0/0
description "to_R1841_B_0 int ser0/0/0"
ip address 10.2.13.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
crypto map CM_VPN
!
ip route 0.0.0.0 0.0.0.0 192.168.114.1 220
ip route 10.2.11.0 255.255.255.0 10.2.13.1
ip route 10.2.12.0 255.255.255.0 10.2.13.1
!
!
ip access-list extended ACL_VPN
permit ip 10.2.150.0 0.0.0.255 10.2.12.0 0.0.0.255
!
ntp clock-period 17179794
ntp server 192.168.114.20
-------------------------------------------------------------------------
R1841_B_3# sh crypto isakmp sa
dst src state conn-id slot status
10.2.13.2 10.2.11.2 MM_KEY_EXCH 10 0 ACTIVE
10.2.13.2 10.2.11.2 MM_KEY_EXCH 9 0 ACTIVE
10.2.13.2 10.2.11.2 MM_NO_STATE 8 0 ACTIVE (deleted)
10.2.13.2 10.2.11.2 MM_NO_STATE 7 0 ACTIVE (deleted)
R1841_B_3#show clock
12:33:02.034 UTC Wed Aug 16 2006
R1841_B_3(config)#crypto pki certificate validate CA_IOS
Chain has 2 certificates
Certificate chain for CA_IOS is valid
CONFIGURATION OF ROUTER R1841_B_0
R1841_B_0#s
!
ip domain name ciscolab.comarch.pl
!
!
crypto pki server CA_IOS
database level complete
database url flash:
database username lab password 7 045A190507224343
issuer-name CN=CA_IOS_SERVER
grant none
lifetime ca-certificate 1825
lifetime enrollment-request 1000
cdp-url flash:CA_IOS.crl
!
crypto pki trustpoint CA_IOS
revocation-check crl
rsakeypair CA_IOS
!
!
crypto pki certificate chain CA_IOS
certificate ca 01
quit
!
interface FastEthernet0/0
description "to_S2960_B_2 port F0/4"
ip address 192.168.114.20 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.114.1
!
!
tftp-server flash:c1841-advipservicesk9-mz.124-8a.bin alias ios.bin
!
ntp master 1
R1841_B_3(config)#crypto pki certificate validate CA_IOS
Chain has 2 certificates
Certificate chain for CA_IOS is valid
R1841_B_0#sh crypto pki server
Certificate Server CA_IOS:
Status: enabled
Server's current state: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=CA_IOS_SERVER
CA cert fingerprint: 76B91A9C 88021E1A 9B46C91B CB4E46E9
Granting mode is: none
Last certificate issued serial number: 0x1A
CA certificate expiration timer: 11:10:21 UTC Aug 13 2011
CRL NextUpdate timer: 17:10:22 UTC Aug 16 2006
Current storage dir: flash:
Database Level: Complete - all issued certs written as <serialnum>.cer
debug crypto isakmp on router B3 while a host on the B1 side tries to establish a connection to network 10.2150.2.2
Aug 16 12:38:47.036 UTC: ISAKMP (0:0): received packet from 10.2.11.2 dport 500 sport 500 Global (N) NEW SA
Aug 16 12:38:47.036 UTC: ISAKMP: Created a peer struct for 10.2.11.2, peer port 500
Aug 16 12:38:47.036 UTC: ISAKMP: New peer created peer = 0x63B1725C peer_handle = 0x800001A4
Aug 16 12:38:47.036 UTC: ISAKMP: Locking peer struct 0x63B1725C, IKE refcount 1 for crypto_isakmp_process_block
Aug 16 12:38:47.036 UTC: ISAKMP: local port 500, remote port 500
Aug 16 12:38:47.036 UTC: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 63D6DE28
Aug 16 12:38:47.036 UTC: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 16 12:38:47.036 UTC: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
Aug 16 12:38:47.040 UTC: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Aug 16 12:38:47.040 UTC: ISAKMP:(0:0:N/A:0): processing vendor id payload
Aug 16 12:38:47.040 UTC: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
Aug 16 12:38:47.040 UTC: ISAKMP (0:0): vendor ID is NAT-T v7
Aug 16 12:38:47.040 UTC: ISAKMP:(0:0:N/A:0): processing vendor id payload
Aug 16 12:38:47.040 UTC: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
Aug 16 12:38:47.040 UTC: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
Aug 16 12:38:47.040 UTC: ISAKMP:(0:0:N/A:0): processing vendor id payload
Aug 16 12:38:47.040 UTC: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
Aug 16 12:38:47.040 UTC: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
Aug 16 12:38:47.040 UTC: ISAKMP : Scanning profiles for xauth ...
Aug 16 12:38:47.040 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
Aug 16 12:38:47.040 UTC: ISAKMP: encryption 3DES-CBC
Aug 16 12:38:47.040 UTC: ISAKMP: hash SHA
Aug 16 12:38:47.040 UTC: ISAKMP: default group 2
Aug 16 12:38:47.040 UTC: ISAKMP: auth RSA sig
Aug 16 12:38:47.040 UTC: ISAKMP: life type in seconds
Aug 16 12:38:47.040 UTC: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Aug 16 12:38:47.040 UTC: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
Aug 16 12:38:47.092 UTC: ISAKMP:(0:24:SW:1): processing vendor id payload
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
Aug 16 12:38:47.096 UTC: ISAKMP (0:134217752): vendor ID is NAT-T v7
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1): processing vendor id payload
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1): vendor ID is NAT-T v3
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1): processing vendor id payload
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1): vendor ID is NAT-T v2
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1): constructed NAT-T vendor-07 ID
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1): sending packet to 10.2.11.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
Aug 16 12:38:47.160 UTC: ISAKMP (0:134217752): received packet from 10.2.11.2 dport 500 sport 500 Global (R) MM_SA_SETUP
Aug 16 12:38:47.160 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 16 12:38:47.160 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3
Aug 16 12:38:47.160 UTC: ISAKMP:(0:24:SW:1): processing KE payload. message ID = 0
Aug 16 12:38:47.228 UTC: ISAKMP:(0:24:SW:1): processing NONCE payload. message ID = 0
Aug 16 12:38:47.232 UTC: ISAKMP:(0:24:SW:1):SKEYID state generated
Aug 16 12:38:47.232 UTC: ISAKMP:(0:24:SW:1): processing CERT_REQ payload. message ID = 0
Aug 16 12:38:47.232 UTC: ISAKMP:(0:24:SW:1): peer wants a CT_X509_SIGNATURE cert
Aug 16 12:38:47.232 UTC: ISAKMP:(0:24:SW:1): peer want cert issued by
Aug 16 12:38:47.232 UTC: CRYPTO_PKI: Trust-Point CA_IOS picked up
Aug 16 12:38:47.232 UTC: CRYPTO_PKI: locked trustpoint CA_IOS, refcount is 5
Aug 16 12:38:47.232 UTC: ISAKMP:(0:24:SW:1): Choosing trustpoint CA_IOS as issuer
Aug 16 12:38:47.232 UTC: CRYPTO_PKI: unlocked trustpoint CA_IOS, refcount is 4
Aug 16 12:38:47.232 UTC: CRYPTO_PKI: locked trustpoint CA_IOS, refcount is 5
Aug 16 12:38:47.232 UTC: ISAKMP:(0:24:SW:1): processing vendor id payload
Aug 16 12:38:47.232 UTC: ISAKMP:(0:24:SW:1): vendor ID is Unity
Aug 16 12:38:47.232 UTC: ISAKMP:(0:24:SW:1): processing vendor id payload
Aug 16 12:38:47.232 UTC: ISAKMP:(0:24:SW:1): vendor ID is DPD
Aug 16 12:38:47.236 UTC: ISAKMP:(0:24:SW:1): processing vendor id payload
Aug 16 12:38:47.236 UTC: ISAKMP:(0:24:SW:1): speaking to another IOS box!
Aug 16 12:38:47.236 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 16 12:38:47.236 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3
Aug 16 12:38:47.236 UTC: ISAKMP:(0:24:SW:1): sending packet to 10.2.11.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Aug 16 12:38:47.236 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 16 12:38:47.236 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
Aug 16 12:38:47.352 UTC: ISAKMP (0:134217752): received packet from 10.2.11.2 dport 500 sport 500 Global (R) MM_KEY_EXCH
Aug 16 12:38:47.352 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 16 12:38:47.352 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
Aug 16 12:38:47.352 UTC: ISAKMP:(0:24:SW:1): processing ID payload. message ID = 0
Aug 16 12:38:47.352 UTC: ISAKMP (0:134217752): ID payload
next-payload : 9
type : 1
address : 10.2.11.2
protocol : 17
port : 500
length : 12
Aug 16 12:38:47.352 UTC: ISAKMP:(0:24:SW:1):: peer matches *none* of the profiles
Aug 16 12:38:47.352 UTC: ISAKMP:(0:24:SW:1): processing SIG payload. message ID = 0
Aug 16 12:38:47.356 UTC: ISAKMP:(0:24:SW:1): signature invalid!
Aug 16 12:38:47.356 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 16 12:38:47.356 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
Aug 16 12:38:47.356 UTC: ISAKMP (0:134217752): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Aug 16 12:38:47.360 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Aug 16 12:38:47.360 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM4
Aug 16 12:38:48.356 UTC: ISAKMP:(0:24:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 16 12:38:48.356 UTC: ISAKMP (0:134217752): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Aug 16 12:38:48.356 UTC: ISAKMP:(0:24:SW:1): retransmitting phase 1 MM_KEY_EXCH
Aug 16 12:38:48.356 UTC: ISAKMP:(0:24:SW:1): sending packet to 10.2.11.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Aug 16 12:38:49.360 UTC: ISAKMP (0:134217752): received packet from 10.2.11.2 dport 500 sport 500 Global (R) MM_KEY_EXCH
Aug 16 12:38:49.360 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 16 12:38:49.360 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
Aug 16 12:38:49.360 UTC: ISAKMP:(0:24:SW:1): processing SIG payload. message ID = 0
Aug 16 12:38:49.364 UTC: ISAKMP:(0:24:SW:1): signature invalid!
Aug 16 12:38:49.364 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 16 12:38:49.364 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
Aug 16 12:38:49.364 UTC: ISAKMP (0:134217752): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Aug 16 12:38:49.364 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Aug 16 12:38:49.364 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM4
Aug 16 12:38:50.364 UTC: ISAKMP:(0:24:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 16 12:38:50.364 UTC: ISAKMP (0:134217752): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Aug 16 12:38:50.364 UTC: ISAKMP:(0:24:SW:1): retransmitting phase 1 MM_KEY_EXCH
Aug 16 12:38:50.364 UTC: ISAKMP:(0:24:SW:1): sending packet to 10.2.11.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Aug 16 12:38:50.868 UTC: ISAKMP (0:134217752): received packet from 10.2.11.2 dport 500 sport 500 Global (R) MM_KEY_EXCH
Aug 16 12:38:50.868 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 16 12:38:50.868 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
Aug 16 12:38:50.868 UTC: ISAKMP:(0:24:SW:1): processing SIG payload. message ID = 0
Aug 16 12:38:50.872 UTC: ISAKMP:(0:24:SW:1): signature invalid!
Aug 16 12:38:50.872 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 16 12:38:50.872 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
Aug 16 12:38:50.872 UTC: ISAKMP (0:134217752): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Aug 16 12:38:50.872 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Aug 16 12:38:50.872 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM4
Aug 16 12:38:51.872 UTC: ISAKMP:(0:24:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 16 12:38:51.872 UTC: ISAKMP (0:134217752): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Aug 16 12:38:51.872 UTC: ISAKMP:(0:24:SW:1): retransmitting phase 1 MM_KEY_EXCH
Aug 16 12:38:51.872 UTC: ISAKMP:(0:24:SW:1): sending packet to 10.2.11.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Aug 16 12:38:52.376 UTC: ISAKMP (0:134217752): received packet from 10.2.11.2 dport 500 sport 500 Global (R) MM_KEY_EXCH
Aug 16 12:38:52.376 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 16 12:38:52.376 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
Aug 16 12:38:52.376 UTC: ISAKMP:(0:24:SW:1): processing SIG payload. message ID = 0
Aug 16 12:38:52.380 UTC: ISAKMP:(0:24:SW:1): signature invalid!
Aug 16 12:38:52.380 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 16 12:38:52.380 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
Aug 16 12:38:52.380 UTC: ISAKMP (0:134217752): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Aug 16 12:38:52.380 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Aug 16 12:38:52.380 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM4
Aug 16 12:38:53.380 UTC: ISAKMP:(0:24:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 16 12:38:53.380 UTC: ISAKMP (0:134217752): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Aug 16 12:38:53.380 UTC: ISAKMP:(0:24:SW:1): retransmitting phase 1 MM_KEY_EXCH
Aug 16 12:38:53.380 UTC: ISAKMP:(0:24:SW:1): sending packet to 10.2.11.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Aug 16 12:38:53.884 UTC: ISAKMP (0:134217752): received packet from 10.2.11.2 dport 500 sport 500 Global (R) MM_KEY_EXCH
Aug 16 12:38:53.884 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 16 12:38:53.884 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
Aug 16 12:38:53.884 UTC: ISAKMP:(0:24:SW:1): processing SIG payload. message ID = 0
Aug 16 12:38:53.888 UTC: ISAKMP:(0:24:SW:1): signature invalid!
Aug 16 12:38:53.888 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 16 12:38:53.888 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
Aug 16 12:38:53.888 UTC: ISAKMP (0:134217752): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Aug 16 12:38:53.888 UTC: ISAKMP:(0:24:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Aug 16 12:38:53.888 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM4
Aug 16 12:38:54.888 UTC: ISAKMP:(0:24:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 16 12:38:54.888 UTC: ISAKMP (0:134217752): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Aug 16 12:38:54.888 UTC: ISAKMP:(0:24:SW:1): retransmitting phase 1 MM_KEY_EXCH
Aug 16 12:38:54.888 UTC: ISAKMP:(0:24:SW:1): sending packet to 10.2.11.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
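
Added example (not part of the original post): a small parser for `debug crypto isakmp` output like the capture above. It rejoins lines split by the console prompt, strips the forum's [b] tags, and reports the main-mode state in which each `signature invalid!` occurred. The sample lines are constructed in the shape of the capture, and reading the digit in IKE_R_MMn as the main-mode message number is an assumption.

```python
import re
from collections import defaultdict

PROMPT = re.compile(r"^[\w.-]+#")   # router prompt re-printed in the middle of a debug line
BBCODE = re.compile(r"\[/?b\]")     # forum bold tags left inside pasted output
LINE = re.compile(r"^(\w{3} +\d+ [\d:.]+) UTC: ISAKMP\s*:?\s*\(([^)]*)\)\s*:*\s*(.*)$")
TRANSITION = re.compile(r"Old State = (\S+)\s+New\s*State = (\S+)")

# IKEv1 main-mode message pairs. Treating the digit in IKE_R_MMn as the message
# number is an assumption; it matches the payloads seen in the capture.
STAGE = {1: "SA proposal", 2: "SA proposal",
         3: "key exchange (KE + nonce)", 4: "key exchange (KE + nonce)",
         5: "authentication (ID + SIG)", 6: "authentication (ID + SIG)"}

# Constructed sample, shaped like the capture in the post (split lines included).
SAMPLE = """\
Aug 16 12:38:47.096 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM1  New
R1841_B_3#State = IKE_R_MM2
Aug 16 12:38:47.160 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM2  New State = IKE_R_MM3
Aug 16 12:38:47.160 UTC: ISAKMP:(0:24:SW:1): processing KE payload. message ID = 0
Aug 16 12:38:47.236 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM3  New State = IKE_R_MM4
Aug 16 12:38:47.352 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM4  New State = IKE_R_MM5
[b]Aug 16 12:38:47.352 UTC: ISAKMP:(0:24:SW:1): processing SIG payload. message ID = 0
Aug 16 12:38:47.356 UTC: ISAKMP:(0:24:SW:1): signature invalid![/b]
Aug 16 12:38:47.360 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM5  New State = IKE_R_MM4
Aug 16 12:38:48.356 UTC: ISAKMP:(0:24:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 16 12:38:49.360 UTC: ISAKMP:(0:24:SW:1):Old State = IKE_R_MM4  New State = IKE_R_MM5
Aug 16 12:38:49.364 UTC: ISAKMP:(0:2
R1841_B_3#4:SW:1): signature invalid!
"""

def rejoin(text):
    """Undo line splits caused by the prompt; meant for pure debug captures."""
    out = []
    for raw in text.splitlines():
        raw = BBCODE.sub("", raw)
        if PROMPT.match(raw) and out:
            out[-1] += PROMPT.sub("", raw, count=1)   # glue the tail back on
        elif raw.strip():
            out.append(raw)
    return out

def stage_of(state):
    m = re.search(r"MM(\d)", state)
    return STAGE.get(int(m.group(1)), "unknown") if m else "unknown"

def analyze(text):
    """Per SA: count signature failures and the state each one happened in."""
    state = {}                                        # SA id -> last "New State"
    acc = defaultdict(lambda: {"sig_invalid": 0, "retransmits": 0, "failed_in": set()})
    for line in rejoin(text):
        m = LINE.match(line)
        if not m:
            continue
        _ts, sa, msg = m.groups()
        t = TRANSITION.search(msg)
        if t:
            state[sa] = t.group(2)
        elif "signature invalid" in msg:
            acc[sa]["sig_invalid"] += 1
            acc[sa]["failed_in"].add(state.get(sa, "unknown"))
        elif msg.startswith("retransmitting phase 1") and msg.endswith("..."):
            acc[sa]["retransmits"] += 1               # IOS logs each retransmit twice
    return {sa: {"sig_invalid": f["sig_invalid"], "retransmits": f["retransmits"],
                 "failed_in": sorted(f["failed_in"]),
                 "stage": sorted({stage_of(s) for s in f["failed_in"]})}
            for sa, f in acc.items()}

if __name__ == "__main__":
    for sa, result in analyze(SAMPLE).items():
        print(sa, result)
```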