07-11-2004 09:33 PM - edited 03-09-2019 08:01 AM
Hi,
I am wondering if anyone can make any sense of the below debug crypto isakmp output:
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 43200
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): retransmitting phase 1...
crypto_isakmp_process_block:src:x.x.x.x, dest:x.x.x.x spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for y.y.y.y/500 not found - peers:6
Regards
Lisbeth
07-12-2004 11:43 AM
The end result is that there is no pre-share key found on the local peer (the host that the debug info was generated on) for remote peer y.y.y.y.
The 1st part is the local peer has received an IKE packet (udp port 500) - this is the start of Phase 1 of IPSec. The local peer is comparing the IKE attributes that the remote is proposing against its set of proposals; it found a match (atts are acceptable) and will continue with phase 1.
There are notes about what attributes are specified, NAT-T and pre-share keys are among them. Then it tries to find its own pre-share key to run a hash to send the response but it cannot find it. The pre-share key is used to authenticate one peer against another.
At the local peer run a show cry isa key and see if you have an entry for the remote. If not, add one, unless you are doing EZVPN.
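The reading of the debug above can be turned into a small triage script. The following is an added example and not part of the thread or of any Cisco tooling: it parses the Phase 1 lines of `debug crypto isakmp` output (the sample below is constructed from the excerpt in the question, with the same placeholder addresses), records which local policy accepted the remote proposal, the negotiated attributes, vendor IDs, retransmit count and any "Peer Info ... not found" lookup failure, and then lists the checks each finding points to. Function and class names are this example's own.

```python
"""Summarise Cisco 'debug crypto isakmp' Phase 1 output into a short diagnosis."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample modelled on the thread's excerpt; x.x.x.x / y.y.y.y are placeholders.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 43200
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): retransmitting phase 1...
crypto_isakmp_process_block:src:x.x.x.x, dest:x.x.x.x spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for y.y.y.y/500 not found - peers:6
"""


@dataclass
class Phase1Summary:
    checked_policy: Optional[int] = None    # priority of the local policy being compared
    accepted_policy: Optional[int] = None   # set when "atts are acceptable" is seen
    attributes: dict = field(default_factory=dict)
    vendor_ids: list = field(default_factory=list)
    id_type: Optional[str] = None           # identity type used for pre-shared key auth
    retransmits: int = 0
    peer_not_found: Optional[str] = None    # remote address whose peer entry was missing

    def diagnosis(self) -> list:
        """Map each finding to the check an operator would run next."""
        notes = []
        if self.accepted_policy is not None:
            notes.append(f"Phase 1 proposal matched local policy {self.accepted_policy}: "
                         "a policy mismatch is ruled out")
        else:
            notes.append("No local policy accepted the remote proposal: "
                         "compare isakmp policies on both peers")
        if "NAT-T" in self.vendor_ids:
            notes.append("Remote advertises NAT-T; UDP 4500 must also pass if a NAT sits between the peers")
        if self.retransmits:
            notes.append(f"Phase 1 retransmitted {self.retransmits} time(s) without a reply: "
                         "check routing and UDP 500 reachability to the remote")
        if self.peer_not_found:
            notes.append(f"No ISAKMP peer entry for {self.peer_not_found}: verify 'show crypto isakmp key' "
                         "has an entry and that its value matches the remote side")
        return notes


# Each rule: compiled pattern and the kind of fact it extracts. First match per line wins.
_RULES = [
    (re.compile(r"Checking ISAKMP transform \d+ against priority (\d+) policy"), "policy"),
    (re.compile(r"^ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)"), "attr"),
    (re.compile(r"^ISAKMP:\s+life type in (\w+)"), "lifetype"),
    (re.compile(r"^ISAKMP:\s+life duration \(basic\) of (\d+)"), "lifedur"),
    (re.compile(r"atts are acceptable"), "accepted"),
    (re.compile(r"vendor ID is (\S+)"), "vid"),
    (re.compile(r"pre-shared key authentication using id type (\S+)"), "idtype"),
    (re.compile(r"retransmitting phase 1"), "retransmit"),
    (re.compile(r"Peer Info for (\S+)/\d+ not found"), "nopeer"),
]


def parse_isakmp_debug(text: str) -> Phase1Summary:
    """Walk the debug lines and fill a Phase1Summary."""
    summary = Phase1Summary()
    for raw in text.splitlines():
        line = raw.strip()
        for pattern, kind in _RULES:
            match = pattern.search(line)
            if not match:
                continue
            if kind == "policy":
                summary.checked_policy = int(match.group(1))
            elif kind == "attr":
                summary.attributes[match.group(1)] = match.group(2)
            elif kind == "lifetype":
                summary.attributes["life type"] = match.group(1)
            elif kind == "lifedur":
                summary.attributes["life duration"] = int(match.group(1))
            elif kind == "accepted":
                summary.accepted_policy = summary.checked_policy
            elif kind == "vid":
                summary.vendor_ids.append(match.group(1))
            elif kind == "idtype":
                summary.id_type = match.group(1)
            elif kind == "retransmit":
                summary.retransmits += 1
            elif kind == "nopeer":
                summary.peer_not_found = match.group(1)
            break
    return summary


if __name__ == "__main__":
    for note in parse_isakmp_debug(SAMPLE_DEBUG).diagnosis():
        print("-", note)
```

On the sample, the script reports that policy 10 accepted the proposal, that the local side retransmitted twice without a reply, and that no peer entry was found for y.y.y.y; the retransmits point at reachability between the peers, which is where this thread's problem turned out to be.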
07-12-2004 04:50 PM
There is a key...that's the odd thing
07-14-2004 10:17 AM
Please post the config that is relevant to the IPSec crypto map and isakmp keys/policies.
Also validate that the key value that you have matches what the remote has for you. Run a show crypto isa key command to view the keys in cleartext.
07-14-2004 04:51 PM
Hi,
The problem has been sorted. It turned out to be a routing problem on the external firewall. Thank you very much for your assistance.
Regards
Lisbeth