Sadikhov IT Certification forums
Nomanworld

Unable to troubleshoot aggressive-mode VPN


R2:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 10.1.12.1
!
crypto isakmp peer address 10.1.12.1
 set aggressive-mode password aggressive123
 set aggressive-mode client-endpoint ipv4-address 10.1.12.1
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map map1 10 ipsec-isakmp
 set peer 10.1.12.1
 set transform-set myset
 match address my-vpn
!
ip access-list extended my-vpn
 permit ip host 2.2.2.2 host 1.1.1.1

 

R1:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 10.1.12.2
!
crypto isakmp peer address 10.1.12.2
 set aggressive-mode password aggressive123
 set aggressive-mode client-endpoint ipv4-address 10.1.12.2
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map map1 10 ipsec-isakmp
 set peer 10.1.12.2
 set transform-set myset
 match address my-vpn
!
!
ip access-list extended my-vpn
 permit ip host 1.1.1.1 host 2.2.2.2

 

 

debug R1:

R1#ping 2.2.2.2 sou 1.1.1.1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

 

*Mar 1 02:25:01.099: ISAKMP:(0): SA request profile is (NULL)

*Mar 1 02:25:01.099: ISAKMP: Created a peer struct for 10.1.12.2, peer port 500

*Mar 1 02:25:01.099: ISAKMP: New peer created peer = 0x6650D558 peer_handle = 0x8000000C

*Mar 1 02:25:01.099: ISAKMP: Locking peer struct 0x6650D558, refcount 1 for isakmp_initiator

*Mar 1 02:25:01.103: ISAKMP: local port 500, remote port 500

*Mar 1 02:25:01.103: ISAKMP: set new node 0 to QM_IDLE

*Mar 1 02:25:01.103: insert sa successfully sa = 65F64520

*Mar 1 02:25:01.103: ISAKMP:(0):SA has tunnel attributes set.

*Mar 1 02:25:01.107: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Mar 1 02:25:01.107: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Mar 1 02:25:01.107: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Mar 1 02:25:01.115: ISAKMP:(0):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Mar 1 02:25:01.115: ISAKMP (0:0): ID payload

next-payload : 13

type : 1

address : 10.1.12.2

protocol : 17

port : 0

length : 12

*Mar 1 02:25:01.115: ISAKMP:(0):Total payload length: 12

*Mar 1 02:25:01.119: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM

*Mar 1 02:25:01.119: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_AM1

 

*Mar 1 02:25:01.123: ISAKMP:(0): beginning Aggressive Mode exchange

*Mar 1 02:25:01.123: ISAKMP:(0): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH

*Mar 1 02:25:01.387: ISAKMP (0:0): received packet from 10.1.12.2 dport 500 sport 500 Global (I) AG_INIT_EXCH

*Mar 1 02:25:01.391: ISAKMP:(0): processing SA payload. message ID = 0

*Mar 1 02:25:01.391: ISAKMP:(0): processing ID payload. message ID = 0

*Mar 1 02:25:01.391: ISAKMP (0:0): ID payload

next-payload : 10

type : 1

address : 10.1.12.2

protocol : 17

port : 0

length : 12

*Mar 1 02:25:01.395: ISAKMP:(0):: peer matches *none* of the profiles

*Mar 1 02:25:01.395: ISAKMP:(0):. processing vendor id payload

*Mar 1 02:25:01.395: ISAKMP:(0): vendor ID is Unity

*Mar 1 02:25:01.395: ISAKMP:(0): processing vendor id payload

*Mar 1 02:25:01.395: ISAKMP:(0): vendor ID is DPD

*Mar 1 02:25:01.399: ISAKMP:(0): processing vendor id payload

*Mar 1 02:25:01.399: ISAKMP:(0): speaking to another IOS box!

*Mar 1 02:25:01.399: ISAKMP:(0):SA using tunnel password as pre-shared key.

*Mar 1 02:25:01.403: ISAKMP:(0): local preshared key found

*Mar 1 02:25:01.403: ISAKMP : Scanning profiles for xauth ...

*Mar 1 02:25:01.403: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

*Mar 1 02:25:01.403: ISAKMP: encryption 3DES-CBC

*Mar 1 02:25:01.403: ISAKMP: hash MD5

*Mar 1 02:25:01.403: ISAKMP: default group 2

*Mar 1 02:25:01.407: ISAKMP: auth pre-share

*Mar 1 02:25:01.407: ISAKMP: life type in seconds

*Mar 1 02:25:01.407: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

*Mar 1 02:25:01.407: ISAKMP:(0):atts are acceptable. Next payload is 0

*Mar 1 02:25:01.411: ISAKMP (0:0): vendor ID is NAT-T v7

*Mar 1 02:25:01.411: ISAKMP:(0): processing KE payload. message ID = 0

*Mar 1 02:25:01.495: ISAKMP:(0): processing NONCE payload. message ID = 0

*Mar 1 02:25:01.495: ISAKMP:(0):SA using tunnel password as pre-shared key.

*Mar 1 02:25:01.499: ISAKMP:(1003): processing HASH payload. message ID = 0

*Mar 1 02:25:01.503: ISAKMP:(1003): Hash payload is incorrect!

*Mar 1 02:25:01.503: ISAKMP (0:1003): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_I_AM1

*Mar 1 02:25:01.503: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH

*Mar 1 02:25:01.503: ISAKMP:(1003):Old State = IKE_I_AM1 New State = IKE_I_AM1

 

*Mar 1 02:25:01.507: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 10.1.12.2....

Success rate is 0 percent (0/5)

R1#

*Mar 1 02:25:11.399: ISAKMP (0:1003): received packet from 10.1.12.2 dport 500 sport 500 Global (I) AG_INIT_EXCH

*Mar 1 02:25:11.399: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 10.1.12.2 was not encrypted and it should've been.

R1#

*Mar 1 02:25:11.403: ISAKMP (0:1003): incrementing error counter on sa, attempt 1 of 5: reset_retransmission

*Mar 1 02:25:12.403: ISAKMP:(1003): retransmitting phase 1 AG_INIT_EXCH...

*Mar 1 02:25:12.403: ISAKMP (0:1003): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Mar 1 02:25:12.403: ISAKMP:(1003): retransmitting phase 1 AG_INIT_EXCH

*Mar 1 02:25:12.403: ISAKMP:(1003): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH

R1#

*Mar 1 02:25:12.987: ISAKMP (0:1003): received packet from 10.1.12.2 dport 500 sport 500 Global (I) AG_INIT_EXCH

*Mar 1 02:25:12.987: ISAKMP:(1003): phase 1 packet is a duplicate of a previous packet.

*Mar 1 02:25:12.991: ISAKMP:(1003): retransmission skipped for phase 1 (time since last transmission 588)

R1#

*Mar 1 02:25:22.995: ISAKMP:(1003): retransmitting phase 1 AG_INIT_EXCH...

*Mar 1 02:25:22.995: ISAKMP (0:1003): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

*Mar 1 02:25:22.995: ISAKMP:(1003): retransmitting phase 1 AG_INIT_EXCH

*Mar 1 02:25:22.999: ISAKMP:(1003): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH

*Mar 1 02:25:22.999: ISAKMP (0:1003): received packet from 10.1.12.2 dport 500 sport 500 Global (I) AG_INIT_EXCH

*Mar 1 02:25:23.003: ISAKMP:(1003): phase 1 packet is a duplicate of a previous packet.

*Mar 1 02:25:23.003: ISAKMP:(1003): retransmission skipped for phase 1 (time since last transmission 4)

R1#

*Mar 1 02:25:31.095: ISAKMP: set new node 0 to QM_IDLE

*Mar 1 02:25:31.099: ISAKMP:(1003):SA is still budding. Attached new ipsec request to it. (local 10.1.12.1, remote 10.1.12.2)

*Mar 1 02:25:31.099: ISAKMP: Error while processing SA request: Failed to initialize SA

*Mar 1 02:25:31.099: ISAKMP: Error while processing KMI message 0, error 2.

R1#

*Mar 1 02:25:33.003: ISAKMP:(1003): retransmitting phase 1 AG_INIT_EXCH...

*Mar 1 02:25:33.003: ISAKMP (0:1003): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

*Mar 1 02:25:33.003: ISAKMP:(1003): retransmitting phase 1 AG_INIT_EXCH

*Mar 1 02:25:33.007: ISAKMP:(1003): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH

*Mar 1 02:25:33.579: ISAKMP (0:1003): received packet from 10.1.12.2 dport 500 sport 500 Global (I) AG_INIT_EXCH

*Mar 1 02:25:33.579: ISAKMP:(1003): phase 1 packet is a duplicate of a previous packet.

*Mar 1 02:25:33.583: ISAKMP:(1003): retransmission skipped for phase 1 (time since last transmission 576)

R1#

*Mar 1 02:25:43.583: ISAKMP:(1003): retransmitting phase 1 AG_INIT_EXCH...

*Mar 1 02:25:43.583: ISAKMP (0:1003): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

*Mar 1 02:25:43.587: ISAKMP:(1003): retransmitting phase 1 AG_INIT_EXCH

*Mar 1 02:25:43.587: ISAKMP:(1003): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH

*Mar 1 02:25:43.595: ISAKMP (0:1003): received packet from 10.1.12.2 dport 500 sport 500 Global (I) AG_INIT_EXCH

*Mar 1 02:25:43.595: ISAKMP:(1003): phase 1 packet is a duplicate of a previous packet.

*Mar 1 02:25:43.595: ISAKMP:(1003): retransmission skipped for phase 1 (time since last transmission 8)

R1#

*Mar 1 02:25:53.599: ISAKMP:(1003): retransmitting phase 1 AG_INIT_EXCH...

*Mar 1 02:25:53.599: ISAKMP:(1003):peer does not do paranoid keepalives.

 

*Mar 1 02:25:53.599: ISAKMP:(1003):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 10.1.12.2)

*Mar 1 02:25:53.607: ISAKMP:(1003):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 10.1.12.2)

*Mar 1 02:25:53.607: ISAKMP: Unlocking peer struct 0x6650D558 for isadb_mark_sa_deleted(), count 0

*Mar 1 02:25:53.607: ISAKMP: Deleting peer node by peer_reap for 10.1.12.2: 6650D558

*Mar 1 02:25:53.611: ISAKMP:(1003):deleting node -961419262 error FALSE reason "IKE deleted"

R1#

*Mar 1 02:25:53.611: ISAKMP:(1003):deleting node -2019420945 error FALSE reason "IKE deleted"

*Mar 1 02:25:53.615: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Mar 1 02:25:53.615: ISAKMP:(1003):Old State = IKE_I_AM1 New State = IKE_DEST_SA

 

--------------------------------------

R2:

 

*Mar 1 02:35:12.459: ISAKMP (0:0): received packet from 10.1.12.1 dport 500 sport 500 Global (N) NEW SA

*Mar 1 02:35:12.463: ISAKMP: Created a peer struct for 10.1.12.1, peer port 500

*Mar 1 02:35:12.463: ISAKMP: New peer created peer = 0x65F07414 peer_handle = 0x8000000E

*Mar 1 02:35:12.463: ISAKMP: Locking peer struct 0x65F07414, refcount 1 for crypto_isakmp_process_block

*Mar 1 02:35:12.463: ISAKMP: local port 500, remote port 500

*Mar 1 02:35:12.467: insert sa successfully sa = 659DE390

*Mar 1 02:35:12.467: ISAKMP:(0): processing SA payload. message ID = 0

*Mar 1 02:35:12.467: ISAKMP:(0): processing ID payload. message ID = 0

*Mar 1 02:35:12.471: ISAKMP (0:0): ID payload

next-payload : 13

type : 1

address : 10.1.12.2

protocol : 17

port : 0

length : 12

*Mar 1 02:35:12.471: ISAKMP:(0):: peer matches *none* of the profiles

*Mar 1 02:35:12.471: ISAKMP:(0): processing vendor id payload

*Mar 1 02:35:12.475: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

*Mar 1 02:35:12.475: ISAKMP (0:0): vendor ID is NAT-T v7

*Mar 1 02:35:12.475: ISAKMP:(0): processing vendor id payload

*Mar 1 02:35:12.475: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

*Mar 1 02:35:12.475: ISAKMP:(0): vendor ID is NAT-T v3

*Mar 1 02:35:12.479: ISAKMP:(0): processing vendor id payload

*Mar 1 02:35:12.479: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*Mar 1 02:35:12.479: ISAKMP:(0): vendor ID is NAT-T v2

*Mar 1 02:35:12.479: ISAKMP: no pre-shared key based on address 10.1.12.2!

*Mar 1 02:35:12.483: ISAKMP:(0):found peer pre-shared key matching 10.1.12.1

*Mar 1 02:35:12.483: ISAKMP:(0): local preshared key found

*Mar 1 02:35:12.483: ISAKMP : Scanning profiles for xauth ...

*Mar 1 02:35:12.483: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

*Mar 1 02:35:12.483: ISAKMP: encryption 3DES-CBC

*Mar 1 02:35:12.487: ISAKMP: hash MD5

*Mar 1 02:35:12.487: ISAKMP: default group 2

*Mar 1 02:35:12.487: ISAKMP: auth pre-share

*Mar 1 02:35:12.487: ISAKMP: life type in seconds

*Mar 1 02:35:12.487: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

*Mar 1 02:35:12.491: ISAKMP:(0):atts are acceptable. Next payload is 0

*Mar 1 02:35:12.491: ISAKMP:(0): processing vendor id payload

*Mar 1 02:35:12.491: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

*Mar 1 02:35:12.491: ISAKMP (0:0): vendor ID is NAT-T v7

*Mar 1 02:35:12.495: ISAKMP:(0): processing vendor id payload

*Mar 1 02:35:12.495: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

*Mar 1 02:35:12.495: ISAKMP:(0): vendor ID is NAT-T v3

*Mar 1 02:35:12.495: ISAKMP:(0): processing vendor id payload

*Mar 1 02:35:12.499: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*Mar 1 02:35:12.499: ISAKMP:(0): vendor ID is NAT-T v2

*Mar 1 02:35:12.499: ISAKMP:(0): processing KE payload. message ID = 0

*Mar 1 02:35:12.587: ISAKMP:(0): processing NONCE payload. message ID = 0

*Mar 1 02:35:12.591: ISAKMP: no pre-shared key based on address 10.1.12.2!

*Mar 1 02:35:12.591: ISAKMP:(0):found peer pre-shared key matching 10.1.12.1

*Mar 1 02:35:12.595: ISAKMP:(1004): processing vendor id payload

*Mar 1 02:35:12.595: ISAKMP:(1004): vendor ID is DPD

*Mar 1 02:35:12.595: ISAKMP:(1004): processing vendor id payload

*Mar 1 02:35:12.599: ISAKMP:(1004): vendor ID seems Unity/DPD but major 242 mismatch

*Mar 1 02:35:12.599: ISAKMP:(1004): vendor ID is XAUTH

*Mar 1 02:35:12.599: ISAKMP:(1004): processing vendor id payload

*Mar 1 02:35:12.599: ISAKMP:(1004): vendor ID is Unity

*Mar 1 02:35:12.603: ISAKMP:(1004): constructed NAT-T vendor-07 ID

*Mar 1 02:35:12.603: ISAKMP:(1004):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Mar 1 02:35:12.607: ISAKMP (0:1004): ID payload

next-payload : 10

type : 1

address : 10.1.12.2

protocol : 17

port : 0

length : 12

*Mar 1 02:35:12.607: ISAKMP:(1004):Total payload length: 12

*Mar 1 02:35:12.611: ISAKMP:(1004): sending packet to 10.1.12.1 my_port 500 peer_port 500 (R) AG_INIT_EXCH

*Mar 1 02:35:12.611: ISAKMP:(1004):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH

*Mar 1 02:35:12.615: ISAKMP:(1004):Old State = IKE_READY New State = IKE_R_AM2

 

R2(config-if)#

*Mar 1 02:35:22.611: ISAKMP:(1004): retransmitting phase 1 AG_INIT_EXCH...

*Mar 1 02:35:22.611: ISAKMP (0:1004): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Mar 1 02:35:22.611: ISAKMP:(1004): retransmitting phase 1 AG_INIT_EXCH

*Mar 1 02:35:22.615: ISAKMP:(1004): sending packet to 10.1.12.1 my_port 500 peer_port 500 (R) AG_INIT_EXCH

R2(config-if)#

*Mar 1 02:35:23.695: ISAKMP (0:1004): received packet from 10.1.12.1 dport 500 sport 500 Global (R) AG_INIT_EXCH

*Mar 1 02:35:23.699: ISAKMP:(1004): phase 1 packet is a duplicate of a previous packet.

*Mar 1 02:35:23.699: ISAKMP:(1004): retransmitting due to retransmit phase 1

*Mar 1 02:35:24.199: ISAKMP:(1004): retransmitting phase 1 AG_INIT_EXCH...

*Mar 1 02:35:24.199: ISAKMP (0:1004): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Mar 1 02:35:24.199: ISAKMP:(1004): retransmitting phase 1 AG_INIT_EXCH

*Mar 1 02:35:24.199: ISAKMP:(1004): sending packet to 10.1.12.1 my_port 500 peer_port 500 (R) AG_INIT_EXCH
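Added example (not part of the original post, and not Cisco code): a Python model of IKEv1 aggressive-mode pre-shared-key authentication as defined in RFC 2409, which is the computation behind the "Hash payload is incorrect!" line in the R1 debug. Read the two debugs side by side: R1 logs "SA using tunnel password as pre-shared key" (the `set aggressive-mode password` string, aggressive123), while R2 logs "no pre-shared key based on address 10.1.12.2!" and then "found peer pre-shared key matching 10.1.12.1" (the `crypto isakmp key cisco123 address 10.1.12.1` entry). Each side derives SKEYID = prf(PSK, Ni | Nr) from the key it selected and then HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b); with two different keys the HASH_R that R2 sends can never equal the value R1 recomputes, and IOS reports exactly that before the retransmissions start. The debug also shows R1 placing 10.1.12.2, the address under its `set aggressive-mode client-endpoint`, into its own ID payload; the ID travels in the clear and is an input both sides see, so it is not what breaks the hash, but it is why R2 finds no key "based on address 10.1.12.2". The script assumes HMAC-MD5 as the prf because the policy negotiates `hash md5`, uses the two key strings from the post, and fills cookies, nonces, DH public values and the SA body with constructed fixed bytes (no real group-2 exchange is performed; the hash check only needs the bytes both peers saw on the wire). The last function is the caveat a practitioner should keep in mind: every input to HASH_R is sent unencrypted in aggressive-mode messages 1 and 2, so a passive observer can test candidate pre-shared keys offline, which is the standard reason to avoid aggressive mode with PSK (and 3DES/MD5/group 2) outside a lab.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# The ISAKMP policy in the post negotiates "hash md5", so the IKEv1 prf is HMAC-MD5 (RFC 2409 section 4).
PRF_HASH = hashlib.md5


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC keyed with `key` over the negotiated hash algorithm."""
    return hmac.new(key, data, PRF_HASH).digest()


def id_ipv4_body(addr: str, proto: int = 17, port: int = 0) -> bytes:
    """ID payload body for ID_IPV4_ADDR (type 1) without the 4-byte generic header.
    The debug shows type 1 / protocol 17 / port 0 / length 12, i.e. an 8-byte body."""
    return bytes([1, proto]) + port.to_bytes(2, "big") + ipaddress.IPv4Address(addr).packed


@dataclass(frozen=True)
class AggressiveMode:
    """Everything an observer sees in aggressive-mode messages 1 and 2; all of it is unencrypted."""
    cky_i: bytes    # initiator cookie
    cky_r: bytes    # responder cookie
    sai_b: bytes    # body of the initiator's SA payload
    gxi: bytes      # initiator DH public value
    gxr: bytes      # responder DH public value
    ni: bytes       # initiator nonce
    nr: bytes       # responder nonce
    idii_b: bytes   # initiator ID payload body
    idir_b: bytes   # responder ID payload body


def skeyid_psk(psk: bytes, x: AggressiveMode) -> bytes:
    """SKEYID for pre-shared-key authentication: prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, x.ni + x.nr)


def hash_r(psk: bytes, x: AggressiveMode) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b); sent by the responder in message 2."""
    return prf(skeyid_psk(psk, x), x.gxr + x.gxi + x.cky_r + x.cky_i + x.sai_b + x.idir_b)


def hash_i(psk: bytes, x: AggressiveMode) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b); sent by the initiator in message 3."""
    return prf(skeyid_psk(psk, x), x.gxi + x.gxr + x.cky_i + x.cky_r + x.sai_b + x.idii_b)


def initiator_accepts_msg2(initiator_psk: bytes, responder_psk: bytes, x: AggressiveMode) -> bool:
    """The responder builds HASH_R from the key it looked up; the initiator recomputes it from its own key.
    Any difference between the two keys is reported by IOS as "Hash payload is incorrect!"."""
    received = hash_r(responder_psk, x)
    expected = hash_r(initiator_psk, x)
    return hmac.compare_digest(received, expected)


def offline_psk_recovery(captured_hash_r: bytes, x: AggressiveMode,
                         candidates: Iterable[bytes]) -> Optional[bytes]:
    """Why aggressive mode with PSK is weak: HASH_R and all of its inputs are on the wire in the clear,
    so a passive observer can test candidate keys offline until one reproduces the captured value."""
    for cand in candidates:
        if hmac.compare_digest(hash_r(cand, x), captured_hash_r):
            return cand
    return None


def sample_exchange() -> AggressiveMode:
    """Constructed stand-in for one exchange between 10.1.12.1 (R1) and 10.1.12.2 (R2).
    Cookies, nonces, DH values and the SA body are fixed filler bytes, not real protocol output."""
    return AggressiveMode(
        cky_i=bytes.fromhex("0102030405060708"),
        cky_r=bytes.fromhex("1112131415161718"),
        sai_b=bytes.fromhex("00000001000000010000002801010001"),  # filler standing in for SAi_b
        gxi=bytes([0x41] * 128),                                   # filler, not a real g^xi
        gxr=bytes([0x42] * 128),                                   # filler, not a real g^xr
        ni=bytes.fromhex("a1" * 20),
        nr=bytes.fromhex("b2" * 20),
        idii_b=id_ipv4_body("10.1.12.2"),   # R1 sent the peer's address as its own ID (see the R1 debug)
        idir_b=id_ipv4_body("10.1.12.2"),
    )


if __name__ == "__main__":
    x = sample_exchange()
    # R1 used its aggressive-mode tunnel password, R2 used its "crypto isakmp key" entry.
    print("mismatched keys accepted:", initiator_accepts_msg2(b"aggressive123", b"cisco123", x))  # False
    print("matching keys accepted:  ", initiator_accepts_msg2(b"cisco123", b"cisco123", x))       # True
    wire_hash_r = hash_r(b"cisco123", x)
    print("recovered PSK:", offline_psk_recovery(wire_hash_r, x, [b"password", b"cisco", b"cisco123"]))
```

Run it as a script: `initiator_accepts_msg2` returns False for the two strings in the post and True once both sides use the same key, and `offline_psk_recovery` pulls the responder's key out of a small candidate list using nothing but what message 2 exposes. The candidate check uses `hmac.compare_digest` so the model does not leak timing information either.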
