Hi Jimmy,

*Mar 16 21:04:03.597: ISAKMP:(0):: peer matches *none* of the profiles
Did you try another ISAKMP policy?

Cheers,
Simon

On 16.03.2010 at 22:04, ccie_security-requ...@onlinestudylist.com wrote:

> Message: 1
> Date: Tue, 16 Mar 2010 22:04:34 +0100
> From: Jimmy Larsson <ji...@kvistofta.nu>
> Subject: [OSL | CCIE_Security] problem protecting gre-tunnel with ipsec profile
> To: ccie_security@onlinestudylist.com
>
> Hi there
>
> In my home lab I've set up a GRE tunnel between two routers. It works fine
> until I apply the protection to the tunnel interface. Then the tunnel goes
> down without me finding out why.
>
> Any idea? The configs look like this:
>
> R1:
> crypto isakmp policy 10
>  encr aes
>  authentication pre-share
>  group 2
> crypto isakmp key cisco address 10.10.30.3
> !
> crypto ipsec transform-set TSET esp-aes esp-sha-hmac
>  mode transport
> !
> crypto ipsec profile IPSECPROF
>  set transform-set TSET
>  set pfs group2
> !
> interface Tunnel0
>  ip address 10.99.99.1 255.255.255.0
>  keepalive 2 3
>  tunnel source FastEthernet0.11
>  tunnel destination 10.10.30.3
> !
>
> R3:
> crypto isakmp policy 10
>  encr aes
>  authentication pre-share
>  group 2
> crypto isakmp key cisco address 10.10.11.1
> !
> crypto ipsec transform-set TSET esp-aes esp-sha-hmac
>  mode transport
> !
> crypto ipsec profile IPSECPROF
>  set transform-set TSET
>  set pfs group2
> !
> interface Tunnel0
>  ip address 10.99.99.3 255.255.255.0
>  keepalive 2 3
>  tunnel source FastEthernet0.30
>  tunnel destination 10.10.11.1
> !
>
> This happens when I add the "tunnel prot ipsec prof IPSECPROF" on both
> routers:
>
> r1(config-if)#tunnel protection ipsec profile IPSECPROF
> r1(config-if)#
> *Mar 16 21:04:03.501: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
> *Mar 16 21:04:03.505: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
> *Mar 16 21:04:03.505: IPSEC(recalculate_mtu): reset sadb_root 84106DF0 mtu to 1500
> *Mar 16 21:04:03.505: IPSEC(sa_request): ,
>   (key eng. msg.) OUTBOUND local= 10.10.11.1, remote= 10.10.30.3,
>     local_proxy= 10.10.11.1/255.255.255.255/47/0 (type=1),
>     remote_proxy= 10.10.30.3/255.255.255.255/47/0 (type=1),
>     protocol= ESP, transform= esp-aes esp-sha-hmac (Transport),
>     lifedur= 3600s and 4608000kb,
>     spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
> *Mar 16 21:04:03.505: ISAKMP:(0): SA request profile is (NULL)
> *Mar 16 21:04:03.505: ISAKMP: Created a peer struct for 10.10.30.3, peer port 500
> *Mar 16 21:04:03.505: ISAKMP: New peer created peer = 0x855B6B34 peer_handle = 0x8000000B
> *Mar 16 21:04:03.505: ISAKMP: Locking peer struct 0x855B6B34, refcount 1 for isakmp_initiator
> *Mar 16 21:04:03.505: ISAKMP: local port 500, remote port 500
> *Mar 16 21:04:03.505: ISAKMP: set new node 0 to QM_IDLE
> *Mar 16 21:04:03.505: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8510B76C
> *Mar 16 21:04:03.505: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
> *Mar 16 21:04:03.505: ISAKMP:(0):found peer pre-shared key matching 10.10.30.3
> *Mar 16 21:04:03.505: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
> *Mar 16 21:04:03.505: ISAKMP:(0): constructed NAT-T vendor-07 ID
> *Mar 16 21:04:03.505: ISAKMP:(0): constructed NAT-T vendor-03 ID
> *Mar 16 21:04:03.505: ISAKMP:(0): constructed NAT-T vendor-02 ID
> *Mar 16 21:04:03.505: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
> *Mar 16 21:04:03.505: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
>
> *Mar 16 21:04:03.505: ISAKMP:(0): beginning Main Mode exchange
> *Mar 16 21:04:03.505: ISAKMP:(0): sending packet to 10.10.30.3 my_port 500 peer_port 500 (I) MM_NO_STATE
> *Mar 16 21:04:03.505: ISAKMP:(0):Sending an IKE IPv4 Packet.
> *Mar 16 21:04:03.513: ISAKMP (0): received packet from 10.10.30.3 dport 500 sport 500 Global (I) MM_NO_STATE
> *Mar 16 21:04:03.513: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> *Mar 16 21:04:03.513: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
>
> *Mar 16 21:04:03.517: ISAKMP:(0): processing SA payload. message ID = 0
> *Mar 16 21:04:03.517: ISAKMP:(0): processing vendor id payload
> *Mar 16 21:04:03.517: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
> *Mar 16 21:04:03.517: ISAKMP (0): vendor ID is NAT-T RFC 3947
> *Mar 16 21:04:03.517: ISAKMP:(0):found peer pre-shared key matching 10.10.30.3
> *Mar 16 21:04:03.517: ISAKMP:(0): local preshared key found
> *Mar 16 21:04:03.517: ISAKMP : Scanning profiles for xauth ...
> *Mar 16 21:04:03.517: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
> *Mar 16 21:04:03.517: ISAKMP: encryption AES-CBC
> *Mar 16 21:04:03.517: ISAKMP: keylength of 128
> *Mar 16 21:04:03.517: ISAKMP: hash SHA
> *Mar 16 21:04:03.517: ISAKMP: default group 2
> *Mar 16 21:04:03.517: ISAKMP: auth pre-share
> *Mar 16 21:04:03.517: ISAKMP: life type in seconds
> *Mar 16 21:04:03.517: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
> *Mar 16 21:04:03.517: ISAKMP:(0):atts are acceptable. Next payload is 0
> *Mar 16 21:04:03.517: ISAKMP:(0):Acceptable atts:actual life: 0
> *Mar 16 21:04:03.517: ISAKMP:(0):Acceptable atts:life: 0
> *Mar 16 21:04:03.517: ISAKMP:(0):Fill atts in sa vpi_length:4
> *Mar 16 21:04:03.517: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
> *Mar 16 21:04:03.517: ISAKMP:(0):Returning Actual lifetime: 86400
> *Mar 16 21:04:03.517: ISAKMP:(0)::Started lifetime timer: 86400.
>
> *Mar 16 21:04:03.517: ISAKMP:(0): processing vendor id payload
> *Mar 16 21:04:03.517: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
> *Mar 16 21:04:03.517: ISAKMP (0): vendor ID is NAT-T RFC 3947
> *Mar 16 21:04:03.517: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
> *Mar 16 21:04:03.517: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
>
> *Mar 16 21:04:03.517: ISAKMP:(0): sending packet to 10.10.30.3 my_port 500 peer_port 500 (I) MM_SA_SETUP
> *Mar 16 21:04:03.517: ISAKMP:(0):Sending an IKE IPv4 Packet.
> *Mar 16 21:04:03.517: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
> *Mar 16 21:04:03.517: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
>
> *Mar 16 21:04:03.553: ISAKMP (0): received packet from 10.10.30.3 dport 500 sport 500 Global (I) MM_SA_SETUP
> *Mar 16 21:04:03.553: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> *Mar 16 21:04:03.553: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
>
> *Mar 16 21:04:03.553: ISAKMP:(0): processing KE payload. message ID = 0
> *Mar 16 21:04:03.585: ISAKMP:(0): processing NONCE payload. message ID = 0
> *Mar 16 21:04:03.585: ISAKMP:(0):found peer pre-shared key matching 10.10.30.3
> *Mar 16 21:04:03.585: ISAKMP:(2006): processing vendor id payload
> *Mar 16 21:04:03.585: ISAKMP:(2006): vendor ID is Unity
> *Mar 16 21:04:03.585: ISAKMP:(2006): processing vendor id payload
> *Mar 16 21:04:03.589: ISAKMP:(2006): vendor ID is DPD
> *Mar 16 21:04:03.589: ISAKMP:(2006): processing vendor id payload
> *Mar 16 21:04:03.589: ISAKMP:(2006): speaking to another IOS box!
> *Mar 16 21:04:03.589: ISAKMP:received payload type 20
> *Mar 16 21:04:03.589: ISAKMP (2006): His hash no match - this node outside NAT
> *Mar 16 21:04:03.589: ISAKMP:received payload type 20
> *Mar 16 21:04:03.589: ISAKMP (2006): No NAT Found for self or peer
> *Mar 16 21:04:03.589: ISAKMP:(2006):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
> *Mar 16 21:04:03.589: ISAKMP:(2006):Old State = IKE_I_MM4 New State = IKE_I_MM4
>
> *Mar 16 21:04:03.589: ISAKMP:(2006):Send initial contact
> *Mar 16 21:04:03.589: ISAKMP:(2006):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
> *Mar 16 21:04:03.589: ISAKMP (2006): ID payload
>     next-payload : 8
>     type : 1
>     address : 10.10.11.1
>     protocol : 17
>     port : 500
>     length : 12
> *Mar 16 21:04:03.589: ISAKMP:(2006):Total payload length: 12
> *Mar 16 21:04:03.589: ISAKMP:(2006): sending packet to 10.10.30.3 my_port 500 peer_port 500 (I) MM_KEY_EXCH
> *Mar 16 21:04:03.589: ISAKMP:(2006):Sending an IKE IPv4 Packet.
> *Mar 16 21:04:03.589: ISAKMP:(2006):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
> *Mar 16 21:04:03.589: ISAKMP:(2006):Old State = IKE_I_MM4 New State = IKE_I_MM5
>
> *Mar 16 21:04:03.597: ISAKMP (2006): received packet from 10.10.30.3 dport 500 sport 500 Global (I) MM_KEY_EXCH
> *Mar 16 21:04:03.597: ISAKMP:(2006): processing ID payload. message ID = 0
> *Mar 16 21:04:03.597: ISAKMP (2006): ID payload
>     next-payload : 8
>     type : 1
>     address : 10.10.30.3
>     protocol : 17
>     port : 500
>     length : 12
> *Mar 16 21:04:03.597: ISAKMP:(0):: peer matches *none* of the profiles
> *Mar 16 21:04:03.597: ISAKMP:(2006): processing HASH payload. message ID = 0
> *Mar 16 21:04:03.597: ISAKMP:(2006):SA authentication status: authenticated
> *Mar 16 21:04:03.597: ISAKMP:(2006):SA has been authenticated with 10.10.30.3
> *Mar 16 21:04:03.597: ISAKMP: Trying to insert a peer 10.10.11.1/10.10.30.3/500/, and inserted successfully 855B6B34.
> *Mar 16 21:04:03.597: ISAKMP:(2006):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> *Mar 16 21:04:03.597: ISAKMP:(2006):Old State = IKE_I_MM5 New State = IKE_I_MM6
>
> *Mar 16 21:04:03.597: ISAKMP:(2006):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
> *Mar 16 21:04:03.597: ISAKMP:(2006):Old State = IKE_I_MM6 New State = IKE_I_MM6
>
> *Mar 16 21:04:03.597: ISAKMP:(2006):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
> *Mar 16 21:04:03.597: ISAKMP:(2006):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
>
> *Mar 16 21:04:03.601: ISAKMP:(2006):beginning Quick Mode exchange, M-ID of -1148211798
> *Mar 16 21:04:03.601: ISAKMP:(2006):QM Initiator gets spi
> *Mar 16 21:04:03.601: ISAKMP:(2006): sending packet to 10.10.30.3 my_port 500 peer_port 500 (I) QM_IDLE
> *Mar 16 21:04:03.601: ISAKMP:(2006):Sending an IKE IPv4 Packet.
> *Mar 16 21:04:03.601: ISAKMP:(2006):Node -1148211798, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
> *Mar 16 21:04:03.601: ISAKMP:(2006):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
> *Mar 16 21:04:03.601: ISAKMP:(2006):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
> *Mar 16 21:04:03.601: ISAKMP:(2006):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
>
> *Mar 16 21:04:03.637: ISAKMP (2006): received packet from 10.10.30.3 dport 500 sport 500 Global (I) QM_IDLE
> *Mar 16 21:04:03.637: ISAKMP:(2006): processing HASH payload. message ID = -1148211798
> *Mar 16 21:04:03.637: ISAKMP:(2006): processing SA payload. message ID = -1148211798
> *Mar 16 21:04:03.637: ISAKMP:(2006):Checking IPSec proposal 1
> *Mar 16 21:04:03.637: ISAKMP: transform 1, ESP_AES
> *Mar 16 21:04:03.637: ISAKMP: attributes in transform:
> *Mar 16 21:04:03.637: ISAKMP: encaps is 2 (Transport)
> *Mar 16 21:04:03.637: ISAKMP: SA life type in seconds
> *Mar 16 21:04:03.637: ISAKMP: SA life duration (basic) of 3600
> *Mar 16 21:04:03.637: ISAKMP: SA life type in kilobytes
> *Mar 16 21:04:03.637: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
> *Mar 16 21:04:03.637: ISAKMP: authenticator is HMAC-SHA
> *Mar 16 21:04:03.637: ISAKMP: key length is 128
> *Mar 16 21:04:03.637: ISAKMP: group is 2
> *Mar 16 21:04:03.637: ISAKMP:(2006):atts are acceptable.
> *Mar 16 21:04:03.641: IPSEC(validate_proposal_request): proposal part #1
> *Mar 16 21:04:03.641: IPSEC(validate_proposal_request): proposal part #1,
>   (key eng. msg.) INBOUND local= 10.10.11.1, remote= 10.10.30.3,
>     local_proxy= 10.10.11.1/255.255.255.255/47/0 (type=1),
>     remote_proxy= 10.10.30.3/255.255.255.255/47/0 (type=1),
>     protocol= ESP, transform= NONE (Transport),
>     lifedur= 0s and 0kb,
>     spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
> *Mar 16 21:04:03.641: Crypto mapdb : proxy_match
>     src addr : 10.10.11.1
>     dst addr : 10.10.30.3
>     protocol : 47
>     src port : 0
>     dst port : 0
> *Mar 16 21:04:03.641: ISAKMP:(2006): processing NONCE payload. message ID = -1148211798
> *Mar 16 21:04:03.641: ISAKMP:(2006): processing KE payload. message ID = -1148211798
> *Mar 16 21:04:03.669: ISAKMP:(2006): processing ID payload. message ID = -1148211798
> *Mar 16 21:04:03.669: ISAKMP:(2006): processing ID payload. message ID = -1148211798
> *Mar 16 21:04:03.669: ISAKMP:(2006): Creating IPSec SAs
> *Mar 16 21:04:03.673: inbound SA from 10.10.30.3 to 10.10.11.1 (f/i) 0/ 0
>     (proxy 10.10.30.3 to 10.10.11.1)
> *Mar 16 21:04:03.673: has spi 0x8581A7C2 and conn_id 0
> *Mar 16 21:04:03.673: lifetime of 3600 seconds
> *Mar 16 21:04:03.673: lifetime of 4608000 kilobytes
> *Mar 16 21:04:03.673: outbound SA from 10.10.11.1 to 10.10.30.3 (f/i) 0/0
>     (proxy 10.10.11.1 to 10.10.30.3)
> *Mar 16 21:04:03.673: has spi 0xD04390C8 and conn_id 0
> *Mar 16 21:04:03.673: lifetime of 3600 seconds
> *Mar 16 21:04:03.673: lifetime of 4608000 kilobytes
> *Mar 16 21:04:03.673: ISAKMP:(2006): sending packet to 10.10.30.3 my_port 500 peer_port 500 (I) QM_IDLE
> *Mar 16 21:04:03.673: ISAKMP:(2006):Sending an IKE IPv4 Packet.
> *Mar 16 21:04:03.673: ISAKMP:(2006):deleting node -1148211798 error FALSE reason "No Error"
> *Mar 16 21:04:03.673: ISAKMP:(2006):Node -1148211798, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
> *Mar 16 21:04:03.673: ISAKMP:(2006):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
> *Mar 16 21:04:03.673: IPSEC(key_engine): got a queue event with 1 KMI message(s)
> *Mar 16 21:04:03.673: Crypto mapdb : proxy_match
>     src addr : 10.10.11.1
>     dst addr : 10.10.30.3
>     protocol : 47
>     src port : 0
>     dst port : 0
> *Mar 16 21:04:03.673: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.10.30.3
> *Mar 16 21:04:03.673: IPSEC(policy_db_add_ident): src 10.10.11.1, dest 10.10.30.3, dest_port 0
>
> *Mar 16 21:04:03.673: IPSEC(create_sa): sa created,
>   (sa) sa_dest= 10.10.11.1, sa_proto= 50,
>     sa_spi= 0x8581A7C2(2239866818),
>     sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 11
>     sa_lifetime(k/sec)= (4605417/3600)
> *Mar 16 21:04:03.673: IPSEC(create_sa): sa created,
>   (sa) sa_dest= 10.10.30.3, sa_proto= 50,
>     sa_spi= 0xD04390C8(3494088904),
>     sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 12
>     sa_lifetime(k/sec)= (4605417/3600)
> *Mar 16 21:04:03.673: IPSEC(update_current_outbound_sa): updated peer 10.10.30.3 current outbound sa to SPI D04390C8
> *Mar 16 21:04:03.673: IPSEC(crypto_ipsec_update_ident_tunnel_decap_oce): updating Tunnel0 ident 8410B0B4 with tun_decap_oce 840BA250
> *Mar 16 21:04:05.021: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.10.11.1, src_addr= 10.10.30.3, prot= 47
> *Mar 16 21:04:07.025: ISAKMP:(2005):purging node 1766298552
> *Mar 16 21:04:07.029: ISAKMP:(2005):purging node -679064078
> *Mar 16 21:04:12.021: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
> *Mar 16 21:04:12.025: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 11: Neighbor 10.99.99.3 (Tunnel0) is down: interface down
> *Mar 16 21:04:13.017: ISAKMP:(0):purging node 1244832784
> *Mar 16 21:04:17.029: ISAKMP:(2005):purging SA., sa=84D96844, delme=84D96844
> *Mar 16 21:04:23.017: ISAKMP:(0):purging SA., sa=8510ADA8, delme=8510ADA8
> *Mar 16 21:04:41.697: ISAKMP (2006): received packet from 10.10.30.3 dport 500 sport 500 Global (I) QM_IDLE
> *Mar 16 21:04:41.697: ISAKMP: set new node 119284 to QM_IDLE
> *Mar 16 21:04:41.697: ISAKMP:(2006): processing HASH payload. message ID = 119284
> *Mar 16 21:04:41.697: ISAKMP:(2006): processing DELETE payload. message ID = 119284
> *Mar 16 21:04:41.697: ISAKMP:(2006):peer does not do paranoid keepalives.
>
> *Mar 16 21:04:41.697: ISAKMP:(2006):deleting node 119284 error FALSE reason "Informational (in) state 1"
> *Mar 16 21:04:41.697: IPSEC(key_engine): got a queue event with 1 KMI message(s)
> *Mar 16 21:04:41.697: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
> *Mar 16 21:04:41.697: IPSEC(key_engine_delete_sas): delete SA with spi 0xD04390C8 proto 50 for 10.10.30.3
> *Mar 16 21:04:41.701: IPSEC(delete_sa): deleting SA,
>   (sa) sa_dest= 10.10.11.1, sa_proto= 50,
>     sa_spi= 0x8581A7C2(2239866818),
>     sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 11
>     sa_lifetime(k/sec)= (4605417/3600),
>   (identity) local= 10.10.11.1, remote= 10.10.30.3,
>     local_proxy= 10.10.11.1/255.255.255.255/47/0 (type=1),
>     remote_proxy= 10.10.30.3/255.255.255.255/47/0 (type=1)
> *Mar 16 21:04:41.701: IPSEC(update_current_outbound_sa): updated peer 10.10.30.3 current outbound sa to SPI 0
> *Mar 16 21:04:41.701: IPSEC(delete_sa): deleting SA,
>   (sa) sa_dest= 10.10.30.3, sa_proto= 50,
>     sa_spi= 0xD04390C8(3494088904),
>     sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 12
>     sa_lifetime(k/sec)= (4605417/3600),
>   (identity) local= 10.10.11.1, remote= 10.10.30.3,
>     local_proxy= 10.10.11.1/255.255.255.255/47/0 (type=1),
>     remote_proxy= 10.10.30.3/255.255.255.255/47/0 (type=1)
> *Mar 16 21:04:41.701: ISAKMP (2006): received packet from 10.10.30.3 dport 500 sport 500 Global (I) QM_IDLE
> *Mar 16 21:04:41.701: ISAKMP: set new node 542896453 to QM_IDLE
> *Mar 16 21:04:41.701: ISAKMP:(2006): processing HASH payload. message ID = 542896453
> *Mar 16 21:04:41.701: ISAKMP:received payload type 18
> *Mar 16 21:04:41.701: ISAKMP:(2006):Processing delete with reason payload
> *Mar 16 21:04:41.701: ISAKMP:(2006):delete doi = 1
> *Mar 16 21:04:41.701: ISAKMP:(2006):delete protocol id = 1
> *Mar 16 21:04:41.701: ISAKMP:(2006):delete spi_size = 16
> *Mar 16 21:04:41.701: ISAKMP:(2006):delete num spis = 1
> *Mar 16 21:04:41.701: ISAKMP:(2006):delete_reason = 6
> *Mar 16 21:04:41.701: ISAKMP:(2006): processing DELETE_WITH_REASON payload, message ID = 542896453, reason: Unknown delete reason!
> *Mar 16 21:04:41.701: ISAKMP:(2006):peer does not do paranoid keepalives.
>
> *Mar 16 21:04:41.701: ISAKMP:(2006):deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE (peer 10.10.30.3)
> *Mar 16 21:04:41.701: ISAKMP:(2006):deleting node 542896453 error FALSE reason "Informational (in) state 1"
> *Mar 16 21:04:41.705: ISAKMP: set new node 1544040584 to QM_IDLE
> *Mar 16 21:04:41.705: ISAKMP:(2006): sending packet to 10.10.30.3 my_port 500 peer_port 500 (I) QM_IDLE
> *Mar 16 21:04:41.705: ISAKMP:(2006):Sending an IKE IPv4 Packet.
> *Mar 16 21:04:41.705: ISAKMP:(2006):purging node 1544040584
> *Mar 16 21:04:41.705: ISAKMP:(2006):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
> *Mar 16 21:04:41.705: ISAKMP:(2006):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
>
> *Mar 16 21:04:41.705: ISAKMP:(2006):deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE (peer 10.10.30.3)
> *Mar 16 21:04:41.705: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
> *Mar 16 21:04:41.705: ISAKMP: Unlocking peer struct 0x855B6B34 for isadb_mark_sa_deleted(), count 0
> *Mar 16 21:04:41.705: ISAKMP: Deleting peer node by peer_reap for 10.10.30.3: 855B6B34
> *Mar 16 21:04:41.705: ISAKMP:(2006):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> *Mar 16 21:04:41.705: ISAKMP:(2006):Old State = IKE_DEST_SA New State = IKE_DEST_SA
>
> *Mar 16 21:04:41.705: IPSEC(key_engine): got a queue event with 1 KMI message(s)
> *Mar 16 21:04:42.021: IPSEC(cleanup_tun_decap_oce): unlock and null out tun_decap_oce 840BA250 from ident 8410B0B4
> *Mar 16 21:04:42.021: del_node src 10.10.11.1:500 dst 10.10.30.3:500 fvrf 0x0, ivrf 0x0
> *Mar 16 21:04:42.021: ISAKMP:(2006):peer does not do paranoid keepalives.
>
> *Mar 16 21:04:42.021: del_node src 10.10.11.1:500 dst 10.10.30.3:500 fvrf 0x0, ivrf 0x0
> *Mar 16 21:04:42.021: ISAKMP:(2006):peer does not do paranoid keepalives.
>
> *Mar 16 21:04:42.021: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
>
> As far as I can see phase 1 goes fine (QM_IDLE) and ipsec debugging doesn't
> show me anything bad. In fact it takes a few seconds before the tunnel goes
> down. But why? What am I doing wrong?
>
> Full configs are attached...
>
> Br Jimmy
>
> --
> -------
> Jimmy Larsson
> Ryavagen 173
> s-26030 Vallakra
> Sweden
> http://blogg.kvistofta.nu
> -------
>
> r1#sh run
> Building configuration...
>
> Current configuration : 1984 bytes
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname r1
> !
> boot-start-marker
> boot-end-marker
> !
> logging message-counter syslog
> !
> no aaa new-model
> !
> dot11 syslog
> ip source-route
> !
> ip cef
> no ip domain lookup
> ip domain name kvistofta.nu
> no ipv6 cef
> !
> multilink bundle-name authenticated
> !
> crypto isakmp policy 10
>  encr aes
>  authentication pre-share
>  group 2
> crypto isakmp key cisco address 10.10.30.3
> !
> crypto ipsec transform-set TSET esp-aes esp-sha-hmac
>  mode transport
> !
> crypto ipsec profile IPSECPROF
>  set transform-set TSET
>  set pfs group2
> !
> archive
>  log config
>   hidekeys
> !
> interface Loopback0
>  ip address 10.1.1.1 255.255.255.255
> !
> interface Tunnel0
>  ip address 10.99.99.1 255.255.255.0
>  keepalive 2 3
>  tunnel source FastEthernet0.11
>  tunnel destination 10.10.30.3
>  tunnel protection ipsec profile IPSECPROF
> !
> interface FastEthernet0
>  no ip address
>  duplex auto
>  speed auto
> !
> interface FastEthernet0.10
>  encapsulation dot1Q 10
>  ip address 10.10.10.2 255.255.255.0
> !
> interface FastEthernet0.11
>  encapsulation dot1Q 11
>  ip address 10.10.11.1 255.255.255.0
> !
> interface FastEthernet1
>  no ip address
>  shutdown
>  duplex auto
>  speed auto
> !
> interface FastEthernet2
> !
> interface FastEthernet3
> !
> interface FastEthernet4
> !
> interface FastEthernet5
> !
> interface FastEthernet6
> !
> interface FastEthernet7
> !
> interface FastEthernet8
> !
> interface FastEthernet9
> !
> interface Vlan1
>  no ip address
> !
> interface Async1
>  no ip address
>  encapsulation slip
> !
> router eigrp 11
>  network 10.10.10.0 0.0.0.255
>  network 10.99.99.0 0.0.0.255
>  no auto-summary
> !
> ip forward-protocol nd
> ip route 10.10.30.3 255.255.255.255 10.10.11.2
> no ip http server
> no ip http secure-server
> !
> control-plane
> !
> alias exec siib sh ip int brie | excl unset|unassigned
> alias exec srs sh run | sect
> !
> line con 0
> line 1
>  modem InOut
>  stopbits 1
>  speed 115200
>  flowcontrol hardware
> line aux 0
> line vty 0 4
>  login
> !
> end
>
> r1#
>
> r3#sh run
> Building configuration...
>
> Current configuration : 2117 bytes
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname r3
> !
> boot-start-marker
> boot-end-marker
> !
> logging message-counter syslog
> !
> no aaa new-model
> clock timezone gmt+1 1
> !
> dot11 syslog
> ip source-route
> !
> ip cef
> no ip domain lookup
> no ipv6 cef
> !
> multilink bundle-name authenticated
> !
> crypto isakmp policy 10
>  encr aes
>  authentication pre-share
>  group 2
> crypto isakmp key cisco address 10.10.11.1
> !
> crypto ipsec transform-set TSET esp-aes esp-sha-hmac
>  mode transport
> !
> crypto ipsec profile IPSECPROF
>  set transform-set TSET
>  set pfs group2
> !
> crypto ipsec profile PROF1
> !
> archive
>  log config
>   hidekeys
> !
> interface Loopback0
>  ip address 10.3.3.3 255.255.255.255
> !
> interface Tunnel0
>  ip address 10.99.99.3 255.255.255.0
>  keepalive 2 3
>  tunnel source FastEthernet0.30
>  tunnel destination 10.10.11.1
>  tunnel protection ipsec profile IPSECPROF
> !
> interface FastEthernet0
>  no ip address
>  duplex auto
>  speed auto
> !
> interface FastEthernet0.30
>  encapsulation dot1Q 30
>  ip address 10.10.30.3 255.255.255.0
> !
> interface FastEthernet1
>  no ip address
>  shutdown
>  duplex auto
>  speed auto
> !
> interface FastEthernet2
> !
> interface FastEthernet3
> !
> interface FastEthernet4
> !
> interface FastEthernet5
> !
> interface FastEthernet6
> !
> interface FastEthernet7
> !
> interface FastEthernet8
> !
> interface FastEthernet9
> !
> interface Vlan1
>  no ip address
> !
> interface Async1
>  no ip address
>  encapsulation slip
> !
> router eigrp 11
>  network 10.3.3.3 0.0.0.0
>  network 10.99.99.0 0.0.0.255
>  no auto-summary
> !
> ip forward-protocol nd
> ip route 10.10.11.1 255.255.255.255 10.10.30.1
> no ip http server
> no ip http secure-server
> !
> control-plane
> !
> alias exec siib sh ip int brie | excl unset|unassigned
> alias exec srs sh run | sect
> !
> line con 0
> line 1
>  modem InOut
>  stopbits 1
>  speed 115200
>  flowcontrol hardware
> line aux 0
> line vty 0 4
>  login
> !
> ntp authentication-key 1 md5 12495247315954510C7F007865 7
> ntp authenticate
> ntp trusted-key 1
> ntp server 192.168.1.6 key 1
> !
> webvpn context Default_context
>  ssl authenticate verify all
>  !
>  no inservice
> !
> end
>
> r3#
>
> End of CCIE_Security Digest, Vol 45, Issue 68
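As an added example (not code from the thread, from Cisco, or from either poster), a small Python triage script for the kind of `debug crypto isakmp` / `debug crypto ipsec` output quoted above: it parses the timestamped lines, records when Phase 1 and Phase 2 complete, and flags the events that explain the flap (the `%CRYPTO-4-RECVD_PKT_NOT_IPSEC` drop, the Tunnel0 line protocol going down, the DELETE notifies from the peer). The sample lines are copied from the debug above; the regexes assume the line formats shown there.

```python
import re

# Line shapes taken from the debug above; IOS prints no year, so deltas only.
TS_RE = re.compile(r"^\*?\w{3} +\d+ (\d\d):(\d\d):(\d\d)\.(\d{3}): (.*)$")
STATE_RE = re.compile(r"Old State = (\S+) +New State = (\S+)")
NOT_IPSEC_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*src_addr= ([\d.]+), prot= (\d+)")
UPDOWN_RE = re.compile(
    r"%LINEPROTO-5-UPDOWN: Line protocol on Interface (\S+), changed state to (\w+)")
DELETE_RE = re.compile(r"processing DELETE(?:_WITH_REASON)? payload")
NO_PROFILE = "peer matches *none* of the profiles"


def _stamp_ms(m):
    """Timestamp as integer milliseconds since midnight (exact, unlike floats)."""
    h, mi, s, ms = (int(m.group(i)) for i in range(1, 5))
    return ((h * 60 + mi) * 60 + s) * 1000 + ms


def analyze(lines):
    """One pass over 'debug crypto isakmp/ipsec' output: raw events plus findings."""
    r = {"phase1_complete": None, "phase2_complete": None,
         "cleartext_from_peer": [],   # (t_ms, src, ip protocol) from RECVD_PKT_NOT_IPSEC
         "tunnel_down": [],           # (t_ms, interface) from LINEPROTO-5-UPDOWN
         "delete_notifies": 0, "no_profile_match": False, "findings": []}
    for line in lines:
        m = TS_RE.match(line.strip())
        if not m:
            continue  # continuation lines ('(sa) sa_dest=', ID payload fields) carry no stamp
        t, body = _stamp_ms(m), m.group(5)
        if (sm := STATE_RE.search(body)):
            if sm.group(2) == "IKE_P1_COMPLETE" and r["phase1_complete"] is None:
                r["phase1_complete"] = t
            elif sm.group(2) == "IKE_QM_PHASE2_COMPLETE" and r["phase2_complete"] is None:
                r["phase2_complete"] = t
        elif NO_PROFILE in body:
            r["no_profile_match"] = True
        elif (nm := NOT_IPSEC_RE.search(body)):
            r["cleartext_from_peer"].append((t, nm.group(1), int(nm.group(2))))
        elif (um := UPDOWN_RE.search(body)) and um.group(2) == "down":
            r["tunnel_down"].append((t, um.group(1)))
        elif DELETE_RE.search(body):
            r["delete_notifies"] += 1

    f = r["findings"]
    if r["phase1_complete"] is not None and r["phase2_complete"] is not None:
        f.append("IKE Phase 1 and Phase 2 completed: the negotiation itself is not the problem")
    for t, src, proto in r["cleartext_from_peer"]:
        what = "GRE" if proto == 47 else f"IP protocol {proto}"
        if r["phase2_complete"] is None:
            f.append(f"{src} sent {what} in the clear with no IPsec SA established")
        else:
            gap = (t - r["phase2_complete"]) / 1000
            f.append(f"{src} sent {what} in the clear {gap:.3f}s after the IPsec SAs came up; "
                     "this side drops it, so the peer is not encrypting toward us")
    for t, intf in r["tunnel_down"]:
        if r["cleartext_from_peer"]:
            gap = (t - r["cleartext_from_peer"][0][0]) / 1000
            f.append(f"{intf} line protocol went down {gap:.1f}s after the first cleartext drop, "
                     "consistent with GRE keepalives being discarded")
    if r["delete_notifies"]:
        f.append(f"peer tore the SAs down with {r['delete_notifies']} DELETE notify payload(s)")
    if r["no_profile_match"]:
        f.append("'peer matches *none* of the profiles' is expected when no crypto isakmp profile exists")
    return r


# Constructed sample: lines copied from the debug quoted in the thread above.
SAMPLE = """\
*Mar 16 21:04:03.597: ISAKMP:(0):: peer matches *none* of the profiles
*Mar 16 21:04:03.597: ISAKMP:(2006):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Mar 16 21:04:03.673: ISAKMP:(2006):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
*Mar 16 21:04:03.673: IPSEC(create_sa): sa created,
        (sa) sa_dest= 10.10.11.1, sa_proto= 50,
*Mar 16 21:04:05.021: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.10.11.1, src_addr= 10.10.30.3, prot= 47
*Mar 16 21:04:12.021: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Mar 16 21:04:41.697: ISAKMP:(2006): processing DELETE payload. message ID = 119284
*Mar 16 21:04:41.701: ISAKMP:(2006): processing DELETE_WITH_REASON payload, message ID = 542896453, reason: Unknown delete reason!
""".splitlines()
```

`analyze(SAMPLE)["findings"]` yields five notes for the thread's debug; feed it the full debug (one line per entry) to get the same timeline from a live capture.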