Looping in phase 1

Hi,

I am wondering if anyone can make any sense of the below debug crypto isakmp output:

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 43200
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): retransmitting phase 1...
crypto_isakmp_process_block:src:x.x.x.x, dest:x.x.x.x spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for y.y.y.y/500 not found - peers:6

Regards

Lisbeth

ehirsel

The end result is that there is no pre-share key found on the local peer (the host that the debug info was generated on) for remote peer y.y.y.y.

The 1st part is the local peer has received an IKE packet (UDP port 500) - this is the start of Phase 1 of IPSec. The local peer is comparing the IKE attributes that the remote is proposing against its set of proposals; it found a match (atts are acceptable) and will continue with phase 1.

There are notes about what attributes are specified; NAT-T and pre-share keys are among them. Then it tries to find its own pre-share key to run a hash to send the response, but it cannot find it. The pre-share key is used to authen one peer against another.

At the local peer run a show cry isa key and see if you have an entry for the remote. If not, add one, unless you are doing EZVPN.

There is a key...that's the odd thing

Please post the config that is relevant to the IPSec crypto map and isakmp keys/policies.

Also validate that the key value that you have matches what the remote has for you. Run a show crypto isa key command to view the keys in cleartext.
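As an added example (not code from the thread), a small Python triage script that reads a debug crypto isakmp excerpt and reports how far phase 1 got, using the same markers ehirsel walks through above: policy match, auth method, NAT-T, retransmits and the "Peer Info ... not found" line. The sample output and the 198.51.100.7 peer address are constructed for the example.

```python
import re

# Constructed sample of "debug crypto isakmp" output, modelled on the lines
# quoted in the question above; the peer address is an RFC 5737 placeholder.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0:0): vendor ID is NAT-T
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): retransmitting phase 1...
VPN Peer:ISAKMP: Peer Info for 198.51.100.7/500 not found - peers:6
"""

PEER_NOT_FOUND = re.compile(r"Peer Info for (\S+)/(\d+) not found")


def analyse_isakmp_debug(text):
    """Summarise how far phase 1 got and what the debug lines point at."""
    r = {"policy_matched": False, "auth": None, "nat_t": False,
         "retransmits": 0, "peer_not_found": None, "findings": []}
    for line in text.splitlines():
        if "atts are acceptable" in line:          # proposal matched a policy
            r["policy_matched"] = True
        elif line.startswith("ISAKMP: auth "):      # negotiated auth method
            r["auth"] = line.split("auth ", 1)[1].strip()
        elif "vendor ID is NAT-T" in line:          # peer advertises NAT-T
            r["nat_t"] = True
        elif "retransmitting phase 1" in line:     # our reply got no answer
            r["retransmits"] += 1
        else:
            m = PEER_NOT_FOUND.search(line)
            if m:                                   # no peer/key entry found
                r["peer_not_found"] = (m.group(1), int(m.group(2)))
    if not r["policy_matched"]:
        r["findings"].append("no ISAKMP policy matched the proposal")
    if r["peer_not_found"]:
        r["findings"].append("no peer entry for %s: check show crypto isakmp "
                             "key and that it matches the remote" % r["peer_not_found"][0])
    if r["retransmits"]:
        r["findings"].append("remote stopped answering after %d retransmits: "
                             "check UDP 500 reachability (routing/firewall)" % r["retransmits"])
    return r
```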

Hi,

The problem has been sorted. It turned out to be a routing problem on the external firewall. Thank you very much for your assistance.

Regards

Lisbeth