11-26-2009 08:57 AM
Hi all,
I am facing a peculiar issue with ISAKMP initialization.
I have configured pre-shared keys on the "derby" router to get it registered with the "KS" router.
Issue: "derby" is not able to initialize the SA, saying "no pre-shared or cert key available for peer", though the key is clearly there in the config.
I am pasting the relevant configs of both routers, as I was not able to upload the document.
--------
At Derby Router
ip host KS 19.1.1.1
!
!
ip vrf MBT
rd 100:1
route-target export 100:1
route-target import 100:1
!
ip vrf VC
rd 200:1
route-target export 200:1
route-target import 200:1
!
multilink bundle-name authenticated
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 30
encr aes
authentication pre-share
group 2
lifetime 1200
crypto isakmp key Cisco address 19.1.1.1
crypto isakmp key Cisco hostname KS
crypto isakmp identity hostname
!
!
crypto ipsec transform-set rtpset-3des esp-3des esp-md5-hmac
mode transport
crypto ipsec transform-set test esp-3des esp-sha-hmac
mode transport
crypto ipsec df-bit clear
crypto gdoi group getvpn
identity number 1234
server address ipv4 19.1.1.1
!
!
crypto map getvpn-map 10 gdoi
set group getvpn
!
--------
At KS Router
ip cef
ip host derby 210.1.1.1
!
!
ip vrf exit
!
multilink bundle-name authenticated
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key Cisco address 200.1.1.1
crypto isakmp key Cisco address 210.1.1.1
!
!
crypto ipsec transform-set mygdoi-trans esp-3des esp-sha-hmac
!
crypto ipsec profile gdoi-profile-getvpn
set security-association lifetime seconds 7200
set transform-set mygdoi-trans
!
crypto gdoi group getvpn
identity number 1234
server local
! Incomplete unicast rekey configuration
! Rekey address is not configured
rekey retransmit 40 number 2
rekey authentication mypubkey rsa getvpn-export-general
rekey transport unicast
sa receive-only
sa ipsec 1
profile gdoi-profile-getvpn
match address ipv4 199
replay time window-size 5
!
---------
It's giving the following message in "debug crypto isakmp" output.
derby#clear crypto gdoi
% The Key Server and Group Member will destroy created and downloaded policies.
% All Group Members are required to re-register.
Are you sure you want to proceed ? [yes/no]: y
mahindra_bt_derby#
*Mar 1 00:42:23.547: %GDOI-4-GM_RE_REGISTER: The IPSec SA created for group getvpn may have expired/been cleared, or didn't go through. Re-register to KS.
*Mar 1 00:42:23.551: %CRYPTO-5-GM_REGSTER: Start registration to KS 19.1.1.1 for group getvpn using address 210.1.1.1
*Mar 1 00:42:23.555: ISAKMP:(0): SA request profile is (NULL)
*Mar 1 00:42:23.555: ISAKMP: Created a peer struct for 19.1.1.1, peer port 848
*Mar 1 00:42:23.555: ISAKMP: New peer created peer = 0x65D46EFC peer_handle = 0x80000014
*Mar 1 00:42:23.555: ISAKMP: Locking peer struct 0x65D46EFC, refcount 1 for isakmp_initiator
*Mar 1 00:42:23.555: ISAKMP: local port 848, remote port 848
*Mar 1 00:42:23.559: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 00:42:23.559: ISAKMP:(0):Switching to SW IKE SA: sa is 668061FC, ce_id is 80000003
*Mar 1 00:42:23.559: insert sa successfully sa = 668061FC
*Mar 1 00:42:23.563: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar 1 00:42:23.563: ISAKMP:(0):No pre-shared key with 19.1.1.1!
*Mar 1 00:42:23.563: ISAKMP:(0): No Cert or pre-shared address key.
*Mar 1 00:42:23.563: ISAKMP:(0): construct_initial_message: Can not start Main mode
*Mar 1 00:42:23.567: ISAKMP: Unlocking peer struct 0x65D46EFC for isadb_unlock_peer_delete_sa(), count 0
*Mar 1 00:42:23.567: ISAKMP: Deleting peer node by peer_reap for 19.1.1.1: 65D46EFC
*Mar 1 00:42:23.567: ISAKMP:(0):purging SA., sa=668061FC, delme=668061FC
*Mar 1 00:42:23.571: ISAKMP:(0):purging node 514398065
*Mar 1 00:42:23.571: ISAKMP:(0):cleaning up GDOI node 514398065
*Mar 1 00:42:23.571: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar 1 00:42:23.575: ISAKMP: Error while processing KMI message 0, error 2.
derby#
I have attached the relevant configs.
I have spent a lot of time trying to find any issue with the configurations but could not locate any. And it's pretty strange that it says no PSK is available for peer 19.1.1.1 when one is explicitly configured in the config.
After a lot of searching on Google, I found a similar issue whose solution involved the "ip host" commands. Unfortunately, this solution also didn't work.
Can somebody throw light on a solution, or on how we can troubleshoot this issue to find the root cause?
Regards...
-Ashok.
12-11-2009 06:19 AM
Hi, I had a similar problem, and it was related to unmatched vrfs.
Take a look at this link:
Restrictions for VRF-Aware IPSec
• The VRF-Aware IPSec feature does not allow IPSec tunnel mapping between VRFs. For example, it does not allow IPSec tunnel mapping from VRF vpn1 to VRF vpn2.
At the moment, I have just unconfigured the VRFs, but I'm still investigating whether the issue can be resolved, say, with PKI.
Hope it helps.
-Pietro.
12-13-2009 09:36 PM
Hi all,
I was able to solve the issue by using a VRF-specific key configuration.
crypto keyring key-MBT vrf MBT
pre-shared-key address 19.1.1.1 key Cisco
Regards...
-Ashok.
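The following is an added example, not configuration from the thread or from Cisco. It puts the group-member key configuration that failed next to the VRF-aware keyring that Ashok reports fixed it, and spells out the assumption that makes the difference: the interface carrying the crypto map on "derby" sits in vrf MBT (the posts never show the interface, so the interface name and its VRF membership are assumed here; the keyring name is the one from the fix). A global "crypto isakmp key" entry is only searched for IKE sessions whose front-door VRF is the global routing table, so the GM registration sourced from a VRF interface finds nothing and the debug reports "No pre-shared key with 19.1.1.1!" even though the key is in the running config. Neither "ip host" entries nor a hostname-keyed global entry change that, because the lookup is scoped by VRF before it is scoped by address or name.

```cisco
! Added example, not from the original thread. Assumed: the KS-facing
! interface of "derby" is GigabitEthernet0/0, in vrf MBT, with 210.1.1.1.

! --- BEFORE: keys in the global keyring (what the original post had) ---
! These entries are consulted only for IKE sessions whose front-door VRF is
! global. With the crypto map on a vrf MBT interface the lookup fails:
!   ISAKMP:(0):No pre-shared key with 19.1.1.1!
!   ISAKMP:(0): No Cert or pre-shared address key.
crypto isakmp key Cisco address 19.1.1.1
crypto isakmp key Cisco hostname KS

! --- AFTER: keyring bound to the VRF the registration is sourced from ---
! The keyring's VRF must match the front-door VRF of the interface that
! carries the crypto map. "Cisco" is the lab key from the thread; use a
! long random per-peer key in production.
crypto keyring key-MBT vrf MBT
 pre-shared-key address 19.1.1.1 key Cisco
!
crypto isakmp policy 30
 encr aes
 authentication pre-share
 group 2
 lifetime 1200
!
crypto gdoi group getvpn
 identity number 1234
 server address ipv4 19.1.1.1
!
crypto map getvpn-map 10 gdoi
 set group getvpn
!
! Assumed interface: this VRF membership is what selects keyring key-MBT.
interface GigabitEthernet0/0
 ip vrf forwarding MBT
 ip address 210.1.1.1 255.255.255.0
 crypto map getvpn-map
```

To confirm the key is now visible to the right session, check "show crypto isakmp key" (the entry should be listed under keyring key-MBT with vrf MBT rather than under the default keyring), then re-run "clear crypto gdoi" with "debug crypto isakmp" on and verify that the "No pre-shared key" line is gone, that "show crypto isakmp sa" shows the SA to 19.1.1.1 in QM_IDLE, and that "show crypto gdoi" reports the group member as registered. If a second VRF (VC in the original config) also needs to register, it needs its own "crypto keyring ... vrf VC"; the MBT keyring will not be used for it.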
12-16-2009 04:48 AM
Hello Ashok,
you have been kind to provide feedback on this issue
Best Regards
Giuseppe