[c-nsp] IKE authorisation. Stuck in IKE_P1_COMPLETE/IKE_CFG_REQUEST
Andriy A. Yerofyeyev
andriy.yerofyeyev at gmail.com
Wed Jan 24 10:15:56 EST 2007
hello,
Just wondering, what can be the reason for an Easy VPN server (7206VXR,
c7200-ik9s-mz.123-5b) silently denying authorization to an 1841 client?
We are doing rsa-sig authentication along with xauth (stored locally on the 1841).
The Easy VPN Remote RSA Signature Support document says: "To enable the RSA
signatures, when you are configuring the Easy VPN remote and assigning
the configuration to the outgoing interface, you must omit the *group*
command. The content of the first Organizational Unit (OU) field will be
used as the group."
I have tried group "default" and many combinations of names that look like
the OU in the certificate.
Here is the debug from the 7206VXR:
Jan 24 2007 09:36:55: ISAKMP: life type in seconds
Jan 24 2007 09:36:55: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4
0x9B
Jan 24 2007 09:36:55: ISAKMP (0:22): atts are acceptable. Next payload is 3
Jan 24 2007 09:36:55: ISAKMP (0:22): processing vendor id payload
Jan 24 2007 09:36:55: ISAKMP (0:22): vendor ID seems Unity/DPD but major
245 mismatch
Jan 24 2007 09:36:55: ISAKMP (0:22): processing vendor id payload
Jan 24 2007 09:36:55: ISAKMP (0:22): vendor ID seems Unity/DPD but major
157 mismatch
Jan 24 2007 09:36:55: ISAKMP (0:22): vendor ID is NAT-T v3
Jan 24 2007 09:36:55: ISAKMP (0:22): processing vendor id payload
Jan 24 2007 09:36:55: ISAKMP (0:22): vendor ID seems Unity/DPD but major
123 mismatch
Jan 24 2007 09:36:55: ISAKMP (0:22): vendor ID is NAT-T v2
Jan 24 2007 09:36:55: ISAKMP (0:22): Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
Jan 24 2007 09:36:55: ISAKMP (0:22): Old State = IKE_R_MM1 New State =
IKE_R_MM1
Jan 24 2007 09:36:55: ISAKMP (0:22): constructed NAT-T vendor-03 ID
Jan 24 2007 09:36:55: ISAKMP (0:22): sending packet to 172.16.2.53
my_port 500 peer_port 500 (R) MM_SA_SETUP
Jan 24 2007 09:36:55: ISAKMP (0:22): Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE
Jan 24 2007 09:36:55: ISAKMP (0:22): Old State = IKE_R_MM1 New State =
IKE_R_MM2
Jan 24 2007 09:36:55: ISAKMP (0:22): received packet from 172.16.2.53
dport 500 sport 500 Global (R) MM_SA_SETUP
Jan 24 2007 09:36:55: ISAKMP (0:22): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 24 2007 09:36:55: ISAKMP (0:22): Old State = IKE_R_MM2 New State =
IKE_R_MM3
Jan 24 2007 09:36:55: ISAKMP (0:22): processing KE payload. message ID = 0
Jan 24 2007 09:36:55: ISAKMP (0:22): processing NONCE payload. message
ID = 0
Jan 24 2007 09:36:55: ISAKMP (0:22): SKEYID state generated
Jan 24 2007 09:36:55: ISAKMP (0:22): processing CERT_REQ payload.
message ID = 0
Jan 24 2007 09:36:55: ISAKMP (0:22): peer wants a CT_X509_SIGNATURE cert
Jan 24 2007 09:36:55: ISAKMP (0:22): peer want cert issued by
cn=acme.com,ou=SecurityDep,o=Acme Co,l=New York,st=New York
Jan 24 2007 09:36:55: ISAKMP (0:22): Choosing trustpoint as issuer
Jan 24 2007 09:36:55: ISAKMP (0:22): processing vendor id payload
Jan 24 2007 09:36:55: ISAKMP (0:22): vendor ID is Unity
Jan 24 2007 09:36:55: ISAKMP (0:22): processing vendor id payload
Jan 24 2007 09:36:55: ISAKMP (0:22): vendor ID is DPD
Jan 24 2007 09:36:55: ISAKMP (0:22): processing vendor id payload
Jan 24 2007 09:36:55: ISAKMP (0:22): speaking to another IOS box!
Jan 24 2007 09:36:55: ISAKMP:received payload type 17
Jan 24 2007 09:36:55: ISAKMP:received payload type 17
Jan 24 2007 09:36:55: ISAKMP (0:22): Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
Jan 24 2007 09:36:55: ISAKMP (0:22): Old State = IKE_R_MM3 New State =
IKE_R_MM3
Jan 24 2007 09:36:55: ISAKMP (0:22): constructing CERT_REQ for issuer
cn=acme.com,ou=SecurityDep,o=Acme Co,l=New York,st=New York
Jan 24 2007 09:36:55: ISAKMP (0:22): sending packet to 172.16.2.53
my_port 500 peer_port 500 (R) MM_KEY_EXCH
Jan 24 2007 09:36:55: ISAKMP (0:22): Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE
Jan 24 2007 09:36:55: ISAKMP (0:22): Old State = IKE_R_MM3 New State =
IKE_R_MM4
Jan 24 2007 09:36:56: ISAKMP (0:22): received packet from 172.16.2.53
dport 500 sport 500 Global (R) MM_KEY_EXCH
Jan 24 2007 09:36:56: ISAKMP (0:22): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 24 2007 09:36:56: ISAKMP (0:22): Old State = IKE_R_MM4 New State =
IKE_R_MM5
Jan 24 2007 09:36:56: ISAKMP (0:22): processing ID payload. message ID = 0
Jan 24 2007 09:36:56: ISAKMP (0:22): ID payload
next-payload : 6
type : 2
FQDN name : rtr-1.acme.com
protocol : 17
port : 500
length : 37
Jan 24 2007 09:36:56: ISAKMP (0:22): peer matches *none* of the profiles
Jan 24 2007 09:36:56: ISAKMP (0:22): processing CERT payload. message ID = 0
Jan 24 2007 09:36:56: ISAKMP (0:22): processing a CT_X509_SIGNATURE cert
Jan 24 2007 09:36:56: ISAKMP (0:22): peer's pubkey is cached
Jan 24 2007 09:36:56: ISAKMP (0:22): processing SIG payload. message ID = 0
Jan 24 2007 09:36:56: ISAKMP (0:22): processing NOTIFY INITIAL_CONTACT
protocol 1
spi 0, message ID = 0, sa = 671E6490
Jan 24 2007 09:36:56: ISAKMP (0:22): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.0.0.244 remote
172.16.2.53 remote port 500
Jan 24 2007 09:36:56: ISAKMP (0:22): SA has been authenticated with
172.16.2.53
Jan 24 2007 09:36:56: ISAKMP (0:22): IKE_DPD is enabled, initializing timers
Jan 24 2007 09:36:56: ISAKMP: Created a peer struct for 172.16.2.53,
peer port 500
Jan 24 2007 09:36:56: ISAKMP: Locking peer struct 0x66DEF304, IKE
refcount 1 for from crypto_ikmp_dpd_ike_init
Jan 24 2007 09:36:56: ISAKMP (0:22): peer matches *none* of the profiles
Jan 24 2007 09:36:56: ISAKMP (0:22): Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
Jan 24 2007 09:36:56: ISAKMP (0:22): Old State = IKE_R_MM5 New State =
IKE_R_MM5
Jan 24 2007 09:36:56: ISAKMP (0:22): SA is doing RSA signature
authentication using id type ID_DER_ASN1_DN
Jan 24 2007 09:36:56: ISAKMP (0:22): ID payload
next-payload : 6
type : 9
Dist. name : hostname=rtr-3.acme.com
protocol : 17
port : 500
length : 52
Jan 24 2007 09:36:56: ISAKMP (22): Total payload length: 52
Jan 24 2007 09:36:56: ISAKMP (0:22): constructing CERT payload for
hostname=rtr-3.acme.com
Jan 24 2007 09:36:56: ISAKMP (0:22): using the acme.com trustpoint's
keypair to sign
Jan 24 2007 09:36:56: ISAKMP (0:22): sending packet to 172.16.2.53
my_port 500 peer_port 500 (R) MM_KEY_EXCH
Jan 24 2007 09:36:56: ISAKMP: set new node -1634461730 to QM_IDLE
Jan 24 2007 09:36:56: ISAKMP (0:22): sending packet to 172.16.2.53
my_port 500 peer_port 500 (R) MM_KEY_EXCH
Jan 24 2007 09:36:56: ISAKMP (0:22): purging node -1634461730
Jan 24 2007 09:36:56: ISAKMP: Sending phase 1 responder lifetime 86400
Jan 24 2007 09:36:56: ISAKMP (0:22): Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE
Jan 24 2007 09:36:56: ISAKMP (0:22): Old State = IKE_R_MM5 New State =
IKE_P1_COMPLETE
Jan 24 2007 09:36:56: ISAKMP (0:22): Input = IKE_MESG_INTERNAL,
IKE_PHASE1_COMPLETE
Jan 24 2007 09:36:56: ISAKMP (0:22): Old State = IKE_P1_COMPLETE New
State = IKE_P1_COMPLETE
Jan 24 2007 09:36:56: ISAKMP (0:22): received packet from 172.16.2.53
dport 500 sport 500 Global (R) QM_IDLE
Jan 24 2007 09:36:56: ISAKMP: set new node 821096916 to QM_IDLE
Jan 24 2007 09:36:56: ISAKMP (0:22): processing transaction payload from
172.16.2.53. message ID = 821096916
Jan 24 2007 09:36:56: ISAKMP: Config payload REQUEST
Jan 24 2007 09:36:56: ISAKMP (0:22): checking request:
Jan 24 2007 09:36:56: ISAKMP: IP4_ADDRESS
Jan 24 2007 09:36:56: ISAKMP: IP4_NETMASK
Jan 24 2007 09:36:56: ISAKMP: IP4_DNS
Jan 24 2007 09:36:56: ISAKMP: IP4_DNS
Jan 24 2007 09:36:56: ISAKMP: IP4_NBNS
Jan 24 2007 09:36:56: ISAKMP: IP4_NBNS
Jan 24 2007 09:36:56: ISAKMP: SPLIT_INCLUDE
Jan 24 2007 09:36:56: ISAKMP: UNKNOWN Unknown Attr: 0x7003
Jan 24 2007 09:36:56: ISAKMP: DEFAULT_DOMAIN
Jan 24 2007 09:36:56: ISAKMP: UNKNOWN Unknown Attr: 0x7001
Jan 24 2007 09:36:56: ISAKMP: UNKNOWN Unknown Attr: 0x7006
Jan 24 2007 09:36:56: ISAKMP: UNKNOWN Unknown Attr: 0x7007
Jan 24 2007 09:36:56: ISAKMP: UNKNOWN Unknown Attr: 0x7009
Jan 24 2007 09:36:56: ISAKMP: APPLICATION_VERSION
Jan 24 2007 09:36:56: ISAKMP (0:22): Input = IKE_MESG_FROM_PEER,
IKE_CFG_REQUEST
Jan 24 2007 09:36:56: ISAKMP (0:22): Old State = IKE_P1_COMPLETE New
State = IKE_P1_COMPLETE
Jan 24 2007 09:37:01: ISAKMP (0:22): received packet from 172.16.2.53
dport 500 sport 500 Global (R) CONF_ADDR
Jan 24 2007 09:37:01: ISAKMP (0:22): phase 2 packet is a duplicate of a
previous packet.
And that's all. The 7206 will not send any responses to the peer.
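As an added example (not part of the original post or Cisco's own tooling): a small Python checker that walks a constructed excerpt of the ISAKMP debug above and pulls out what a troubleshooter wants to see at a glance, namely the peer's ID type and value, the "peer matches *none* of the profiles" result, and whether the state advanced after IKE_CFG_REQUEST. The reading in `diagnose()` that a missing profile match leaves no group authorization to answer the mode-config request is this example's assumption about the stall, not something the post states.

```python
import re
# Constructed excerpt of the 7206VXR "debug crypto isakmp" output quoted in the post
SAMPLE_DEBUG = """\
Jan 24 2007 09:36:56: ISAKMP (0:22): ID payload
next-payload : 6
type : 2
FQDN name : rtr-1.acme.com
Jan 24 2007 09:36:56: ISAKMP (0:22): peer matches *none* of the profiles
Jan 24 2007 09:36:56: ISAKMP (0:22): SA has been authenticated with 172.16.2.53
Jan 24 2007 09:36:56: ISAKMP (0:22): Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
Jan 24 2007 09:36:56: ISAKMP: Config payload REQUEST
Jan 24 2007 09:36:56: ISAKMP (0:22): Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
Jan 24 2007 09:36:56: ISAKMP (0:22): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jan 24 2007 09:37:01: ISAKMP (0:22): phase 2 packet is a duplicate of a previous packet.
"""
# IKEv1 identification types (RFC 2407 numbering) as printed in the IOS "type :" line
ID_TYPES = {"1": "ID_IPV4_ADDR", "2": "ID_FQDN", "3": "ID_USER_FQDN", "9": "ID_DER_ASN1_DN"}

def analyse_isakmp_debug(text):
    """Collect the peer identity, profile-match result and the state after IKE_CFG_REQUEST.
    Only the first 'ID payload' block is taken: it is the peer's; the responder's own comes later."""
    r = {"peer_id_type": None, "peer_id": None, "profile_matched": True,
         "authenticated": False, "cfg_request": False, "state_after_cfg": None}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.endswith("ID payload") and r["peer_id_type"] is None:
            for sub in lines[i + 1:i + 6]:          # the unprefixed attribute lines that follow
                m = re.match(r"type\s*:\s*(\d+)", sub)
                if m: r["peer_id_type"] = ID_TYPES.get(m.group(1), "type " + m.group(1))
                m = re.match(r"(?:FQDN name|Dist\. name)\s*:\s*(.+)", sub)
                if m: r["peer_id"] = m.group(1).strip()
        elif "peer matches *none* of the profiles" in line:
            r["profile_matched"] = False
        elif "SA has been authenticated" in line:
            r["authenticated"] = True
        elif "IKE_CFG_REQUEST" in line:
            r["cfg_request"] = True
        elif r["cfg_request"] and r["state_after_cfg"] is None:
            m = re.search(r"New State = (\S+)", line)
            if m: r["state_after_cfg"] = m.group(1)
    return r

def diagnose(r):
    """Name the stall seen in the post: authenticated, config request in, no profile, no transition."""
    if (r["authenticated"] and r["cfg_request"] and not r["profile_matched"]
            and r["state_after_cfg"] == "IKE_P1_COMPLETE"):
        return ("Phase 1 authenticated but peer identity %s '%s' matched no ISAKMP profile; "
                "without a profile there is no group authorization to answer the config request, "
                "so check the profile's match identity against this ID" % (r["peer_id_type"], r["peer_id"]))
    return "no profile-mismatch stall detected"
```

Feed the full debug instead of the excerpt and the result is the same: the peer identifies itself as ID_FQDN rtr-1.acme.com, which is what the profile's match identity has to cover.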