Issue with Tunnel possible IPSec or Router issue

mathew.souza
Level 1

Hello,

1) These are the IKE logs for attempting to communicate between the two machines (KamokilaNAS and NimitzAD).

The first one is initiating the communication from the NimitzAD side, where the IPSec tunnel is built successfully.

2-25: 14:41:23:294:5f8 Acquire from driver: op=0000023C src=172.18.30.10.0 dst=172.18.36.202.0 proto = 0, SrcMask=255.255.255.255, DstMask=255.255.255.255, Tunnel 0, TunnelEndpt=0.0.0.0 Inbound TunnelEndpt=0.0.0.0
2-25: 14:41:23:294:1448 Filter to match: Src 172.18.36.202 Dst 172.18.30.10
2-25: 14:41:23:294:1448 MM PolicyName: 4
2-25: 14:41:23:294:1448 MMPolicy dwFlags 2 SoftSAExpireTime 28800
2-25: 14:41:23:294:1448 MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup 2
2-25: 14:41:23:294:1448 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
2-25: 14:41:23:294:1448 MMOffer[1] LifetimeSec 28800 QMLimit 1 DHGroup 2
2-25: 14:41:23:294:1448 MMOffer[1] Encrypt: Triple DES CBC Hash: MD5
2-25: 14:41:23:294:1448 MMOffer[2] LifetimeSec 28800 QMLimit 1 DHGroup 1
2-25: 14:41:23:294:1448 MMOffer[2] Encrypt: DES CBC Hash: SHA
2-25: 14:41:23:294:1448 MMOffer[3] LifetimeSec 28800 QMLimit 1 DHGroup 1
2-25: 14:41:23:294:1448 MMOffer[3] Encrypt: DES CBC Hash: MD5
2-25: 14:41:23:294:1448 Auth[0]:Kerberos
2-25: 14:41:23:294:1448 QM PolicyName: Require IPSEC dwFlags 0
2-25: 14:41:23:294:1448 QMOffer[0] LifetimeKBytes 100000 LifetimeSec 3600
2-25: 14:41:23:294:1448 QMOffer[0] dwFlags 0 dwPFSGroup -2147483648
2-25: 14:41:23:294:1448  Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: SHA
2-25: 14:41:23:294:1448 Starting Negotiation: src = 172.18.30.10.0500, dst = 172.18.36.202.0500, proto = 00, context = 0000023C, ProxySrc = 172.18.30.10.0000, ProxyDst = 172.18.36.202.0000 SrcMask = 0.0.0.0 DstMask = 0.0.0.0
2-25: 14:41:23:294:1448 constructing ISAKMP Header
2-25: 14:41:23:294:1448 constructing SA (ISAKMP)
2-25: 14:41:23:294:1448 Constructing Vendor MS NT5 ISAKMPOAKLEY
2-25: 14:41:23:294:1448 Constructing Vendor FRAGMENTATION
2-25: 14:41:23:294:1448 Constructing Vendor draft-ietf-ipsec-nat-t-ike-02
2-25: 14:41:23:294:1448 Constructing Vendor Vid-Initial-Contact
2-25: 14:41:23:294:1448
2-25: 14:41:23:294:1448 Sending: SA = 0x03DBA320 to 172.18.36.202:Type 2.500
2-25: 14:41:23:294:1448 ISAKMP Header: (V1.0), len = 500
2-25: 14:41:23:294:1448   I-COOKIE 35fe273183ab0516
2-25: 14:41:23:294:1448   R-COOKIE 0000000000000000
2-25: 14:41:23:294:1448   exchange: Oakley Main Mode
2-25: 14:41:23:294:1448   flags: 0
2-25: 14:41:23:294:1448   next payload: SA
2-25: 14:41:23:294:1448   message ID: 00000000
2-25: 14:41:23:294:1448 Ports S:f401 D:f401
2-25: 14:41:23:310:1448
2-25: 14:41:23:310:1448 Receive: (get) SA = 0x03dba320 from 172.18.36.202.500
2-25: 14:41:23:310:1448 ISAKMP Header: (V1.0), len = 208
2-25: 14:41:23:310:1448   I-COOKIE 35fe273183ab0516
2-25: 14:41:23:310:1448   R-COOKIE e858ef3773d9e97f
2-25: 14:41:23:310:1448   exchange: Oakley Main Mode
2-25: 14:41:23:310:1448   flags: 0
2-25: 14:41:23:310:1448   next payload: SA
2-25: 14:41:23:310:1448   message ID: 00000000
2-25: 14:41:23:310:1448 processing payload SA
2-25: 14:41:23:310:1448 Received Phase 1 Transform 1
2-25: 14:41:23:310:1448      Encryption Alg Triple DES CBC(5)
2-25: 14:41:23:310:1448      Hash Alg SHA(2)
2-25: 14:41:23:310:1448      Oakley Group 2
2-25: 14:41:23:310:1448      Auth Method Kerberos (GSSAPI)(65001)
2-25: 14:41:23:310:1448      Life type in Seconds
2-25: 14:41:23:310:1448      Life duration of 28800
2-25: 14:41:23:310:1448      SSPI len=56
2-25: 14:41:23:310:1448 Phase 1 SA accepted: transform=1
2-25: 14:41:23:310:1448 SA - Oakley proposal accepted
2-25: 14:41:23:310:1448 processing payload VENDOR ID
2-25: 14:41:23:310:1448 Received VendorId MS NT5 ISAKMPOAKLEY
2-25: 14:41:23:310:1448 processing payload VENDOR ID
2-25: 14:41:23:310:1448 Received VendorId FRAGMENTATION
2-25: 14:41:23:310:1448 processing payload VENDOR ID
2-25: 14:41:23:310:1448 Received VendorId draft-ietf-ipsec-nat-t-ike-02
2-25: 14:41:23:310:1448 ClearFragList
2-25: 14:41:23:310:1448 constructing ISAKMP Header
2-25: 14:41:23:341:1448 constructing KE
2-25: 14:41:23:341:1448 constructing NONCE (ISAKMP)
2-25: 14:41:23:341:1448 constructing SSPI
2-25: 14:41:23:341:1448 InitializeSecurityContext returned 590610
2-25: 14:41:23:341:1448 Constructing NatDisc
2-25: 14:41:23:341:1448
2-25: 14:41:23:341:1448 Sending: SA = 0x03DBA320 to 172.18.36.202:Type 2.500
2-25: 14:41:23:341:1448 ISAKMP Header: (V1.0), len = 1447
2-25: 14:41:23:341:1448   I-COOKIE 35fe273183ab0516
2-25: 14:41:23:341:1448   R-COOKIE e858ef3773d9e97f
2-25: 14:41:23:341:1448   exchange: Oakley Main Mode
2-25: 14:41:23:341:1448   flags: 0
2-25: 14:41:23:341:1448   next payload: KE
2-25: 14:41:23:341:1448   message ID: 00000000
2-25: 14:41:23:341:1448 Ports S:f401 D:f401
2-25: 14:41:23:450:1448
2-25: 14:41:23:450:1448 Receive: (get) SA = 0x03dba320 from 172.18.36.202.500
2-25: 14:41:23:450:1448 ISAKMP Header: (V1.0), len = 370
2-25: 14:41:23:450:1448   I-COOKIE 35fe273183ab0516
2-25: 14:41:23:450:1448   R-COOKIE e858ef3773d9e97f
2-25: 14:41:23:450:1448   exchange: Oakley Main Mode
2-25: 14:41:23:450:1448   flags: 0
2-25: 14:41:23:450:1448   next payload: KE
2-25: 14:41:23:450:1448   message ID: 00000000
2-25: 14:41:23:450:1448 processing payload KE
2-25: 14:41:23:450:1448 processing payload NONCE
2-25: 14:41:23:450:1448 processing payload SSPI
2-25: 14:41:23:450:1448 InitSecCont status 0
2-25: 14:41:23:450:1448 AUTH - Phase I SSPI authentication accepted
2-25: 14:41:23:450:1448 processing payload NATDISC
2-25: 14:41:23:450:1448 Processing NatHash
2-25: 14:41:23:450:1448 Nat hash 2f28e283dd1c0d8d47187070ebbff0cc
2-25: 14:41:23:450:1448 d780dc00
2-25: 14:41:23:450:1448 SA StateMask2 e
2-25: 14:41:23:450:1448 processing payload NATDISC
2-25: 14:41:23:450:1448 Processing NatHash
2-25: 14:41:23:450:1448 Nat hash 74c25b865c4f984b188f8ef1caccf5ce
2-25: 14:41:23:450:1448 489e0cdb
2-25: 14:41:23:450:1448 SA StateMask2 8e
2-25: 14:41:23:450:1448 ClearFragList
2-25: 14:41:23:450:1448 constructing ISAKMP Header
2-25: 14:41:23:450:1448 constructing ID
2-25: 14:41:23:450:1448 MM ID Type 1
2-25: 14:41:23:450:1448 MM ID ac121e0a
2-25: 14:41:23:450:1448 constructing HASH
2-25: 14:41:23:466:1448
2-25: 14:41:23:466:1448 Sending: SA = 0x03DBA320 to 172.18.36.202:Type 2.500
2-25: 14:41:23:466:1448 ISAKMP Header: (V1.0), len = 116
2-25: 14:41:23:466:1448   I-COOKIE 35fe273183ab0516
2-25: 14:41:23:466:1448   R-COOKIE e858ef3773d9e97f
2-25: 14:41:23:466:1448   exchange: Oakley Main Mode
2-25: 14:41:23:466:1448   flags: 1 ( encrypted )
2-25: 14:41:23:466:1448   next payload: ID
2-25: 14:41:23:466:1448   message ID: 00000000
2-25: 14:41:23:466:1448 Ports S:f401 D:f401
2-25: 14:41:23:497:1448
2-25: 14:41:23:497:1448 Receive: (get) SA = 0x03dba320 from 172.18.36.202.500
2-25: 14:41:23:497:1448 ISAKMP Header: (V1.0), len = 116
2-25: 14:41:23:497:1448   I-COOKIE 35fe273183ab0516
2-25: 14:41:23:497:1448   R-COOKIE e858ef3773d9e97f
2-25: 14:41:23:497:1448   exchange: Oakley Main Mode
2-25: 14:41:23:497:1448   flags: 1 ( encrypted )
2-25: 14:41:23:497:1448   next payload: ID
2-25: 14:41:23:497:1448   message ID: 00000000
2-25: 14:41:23:497:1448 processing payload ID
2-25: 14:41:23:497:1448 processing payload HASH
2-25: 14:41:23:497:1448 AUTH: Phase I authentication accepted
2-25: 14:41:23:497:1448 ClearFragList
2-25: 14:41:23:497:1448 MM established.  SA: 03DBA320
2-25: 14:41:23:497:1448 Peer KerbID
kamokilanas$@FOODGROUP.LOCAL
2-25: 14:41:23:497:1448 QM PolicyName: Require IPSEC dwFlags 0
2-25: 14:41:23:497:1448 QMOffer[0] LifetimeKBytes 100000 LifetimeSec 3600
2-25: 14:41:23:497:1448 QMOffer[0] dwFlags 0 dwPFSGroup -2147483648
2-25: 14:41:23:497:1448  Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: SHA
2-25: 14:41:23:497:1448 GetSpi: src = 172.18.36.202.0000, dst = 172.18.30.10.0000, proto = 00, context = 0000023C, srcMask = 255.255.255.255, destMask = 255.255.255.255, TunnelFilter 0
2-25: 14:41:23:497:1448 Setting SPI  3675071726
2-25: 14:41:23:497:1448 constructing ISAKMP Header
2-25: 14:41:23:497:1448 constructing HASH (null)
2-25: 14:41:23:497:1448 constructing SA (IPSEC)
2-25: 14:41:23:497:1448 constructing QM KE
2-25: 14:41:23:528:1448 constructing NONCE (IPSEC)
2-25: 14:41:23:528:1448 constructing ID (proxy)
2-25: 14:41:23:528:1448 constructing ID (proxy)
2-25: 14:41:23:528:1448 constructing HASH (QM)
2-25: 14:41:23:528:1448
2-25: 14:41:23:544:1448 Sending: SA = 0x03DBA320 to 172.18.36.202:Type 2.500
2-25: 14:41:23:544:1448 ISAKMP Header: (V1.0), len = 300
2-25: 14:41:23:544:1448   I-COOKIE 35fe273183ab0516
2-25: 14:41:23:544:1448   R-COOKIE e858ef3773d9e97f
2-25: 14:41:23:544:1448   exchange: Oakley Quick Mode
2-25: 14:41:23:544:1448   flags: 1 ( encrypted )
2-25: 14:41:23:544:1448   next payload: HASH
2-25: 14:41:23:544:1448   message ID: 326510b1
2-25: 14:41:23:544:1448 Ports S:f401 D:f401
2-25: 14:41:23:607:1448
2-25: 14:41:23:607:1448 Receive: (get) SA = 0x03dba320 from 172.18.36.202.500
2-25: 14:41:23:607:1448 ISAKMP Header: (V1.0), len = 300
2-25: 14:41:23:607:1448   I-COOKIE 35fe273183ab0516
2-25: 14:41:23:622:1448   R-COOKIE e858ef3773d9e97f
2-25: 14:41:23:622:1448   exchange: Oakley Quick Mode
2-25: 14:41:23:622:1448   flags: 3 ( encrypted commit )
2-25: 14:41:23:622:1448   next payload: HASH
2-25: 14:41:23:622:1448   message ID: 326510b1
2-25: 14:41:23:622:1448 Received commit re-send
2-25: 14:41:23:622:1448 processing HASH (QM)
2-25: 14:41:23:622:1448 ClearFragList
2-25: 14:41:23:622:1448 processing payload KE
2-25: 14:41:23:622:1448 Quick Mode KE processed; Saved KE data
2-25: 14:41:23:622:1448 processing payload NONCE
2-25: 14:41:23:622:1448 processing payload ID
2-25: 14:41:23:622:1448 processing payload ID
2-25: 14:41:23:622:1448 processing payload SA
2-25: 14:41:23:622:1448 Negotiated Proxy ID: Src 172.18.30.10.0 Dst 172.18.36.202.0
2-25: 14:41:23:622:1448 Checking Proposal 1: Proto= ESP(3), num trans=1 Next=0
2-25: 14:41:23:622:1448 Checking Transform # 1: ID=Triple DES CBC(3)
2-25: 14:41:23:622:1448  SA life type in seconds
2-25: 14:41:23:622:1448   SA life duration 00000e10
2-25: 14:41:23:622:1448  SA life type in kilobytes
2-25: 14:41:23:622:1448   SA life duration 000186a0
2-25: 14:41:23:622:1448  tunnel mode is Transport Mode(2)
2-25: 14:41:23:622:1448  HMAC algorithm is SHA(2)
2-25: 14:41:23:622:1448  group description for PFS is 2
2-25: 14:41:23:622:1448 Phase 2 SA accepted: proposal=1 transform=1
2-25: 14:41:23:622:1448 constructing ISAKMP Header
2-25: 14:41:23:622:1448 constructing HASH (QM)
2-25: 14:41:23:622:1448 Adding QMs: src = 172.18.30.10.0000, dst = 172.18.36.202.0000, proto = 00, context = 0000023C, my tunnel = 0.0.0.0, peer tunnel = 0.0.0.0, SrcMask = 0.0.0.0, DestMask = 0.0.0.0 Lifetime = 3600 LifetimeKBytes 100000 dwFlags 100 Direction 2 EncapType 1
2-25: 14:41:23:622:1448  Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: SHA
2-25: 14:41:23:622:1448  Algo[0] MySpi: 3675071726 PeerSpi: 3659516953
2-25: 14:41:23:622:1448 Encap Ports Src 500 Dst 500
2-25: 14:41:23:622:1448 Skipping Outbound SA add
2-25: 14:41:23:622:1448
2-25: 14:41:23:622:1448 Sending: SA = 0x03DBA320 to 172.18.36.202:Type 2.500
2-25: 14:41:23:622:1448 ISAKMP Header: (V1.0), len = 52
2-25: 14:41:23:622:1448   I-COOKIE 35fe273183ab0516
2-25: 14:41:23:622:1448   R-COOKIE e858ef3773d9e97f
2-25: 14:41:23:622:1448   exchange: Oakley Quick Mode
2-25: 14:41:23:622:1448   flags: 3 ( encrypted commit )
2-25: 14:41:23:622:1448   next payload: HASH
2-25: 14:41:23:622:1448   message ID: 326510b1
2-25: 14:41:23:622:1448 Ports S:f401 D:f401
2-25: 14:41:23:653:1448
2-25: 14:41:23:653:1448 Receive: (get) SA = 0x03dba320 from 172.18.36.202.500
2-25: 14:41:23:653:1448 ISAKMP Header: (V1.0), len = 84
2-25: 14:41:23:653:1448   I-COOKIE 35fe273183ab0516
2-25: 14:41:23:653:1448   R-COOKIE e858ef3773d9e97f
2-25: 14:41:23:653:1448   exchange: Oakley Quick Mode
2-25: 14:41:23:653:1448   flags: 3 ( encrypted commit )
2-25: 14:41:23:653:1448   next payload: HASH
2-25: 14:41:23:653:1448   message ID: 326510b1
2-25: 14:41:23:653:1448 Received commit re-send
2-25: 14:41:23:653:1448 processing HASH (Notify/Delete)
2-25: 14:41:23:653:1448 ClearFragList
2-25: 14:41:23:653:1448 processing payload NOTIFY
2-25: 14:41:23:653:1448 Adding QMs: src = 172.18.30.10.0000, dst = 172.18.36.202.0000, proto = 00, context = 0000023C, my tunnel = 0.0.0.0, peer tunnel = 0.0.0.0, SrcMask = 0.0.0.0, DestMask = 0.0.0.0 Lifetime = 3600 LifetimeKBytes 100000 dwFlags 100 Direction 3 EncapType 1
2-25: 14:41:23:653:1448  Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: SHA
2-25: 14:41:23:653:1448  Algo[0] MySpi: 3675071726 PeerSpi: 3659516953
2-25: 14:41:23:653:1448 Encap Ports Src 500 Dst 500
2-25: 14:41:23:653:1448 Skipping Inbound SA add
2-25: 14:41:23:653:1448 Peer KerbID
kamokilanas$@FOODGROUP.LOCAL
2-25: 14:41:23:653:1448 isadb_set_status sa:03DBA320 centry:03DDBF58 status 0
2-25: 14:41:23:653:1448 CE Dead. sa:03DBA320 ce:03DDBF58 status:0

This second one is initiating the communication from the KamokilaNAS side, where it fails.

2-25: 14:39:20:683:1150 Acquire from driver: op=00002512 src=172.18.36.202.0 dst=172.18.30.10.0 proto = 0, SrcMask=255.255.255.255, DstMask=255.255.255.255, Tunnel 0, TunnelEndpt=0.0.0.0 Inbound TunnelEndpt=0.0.0.0
2-25: 14:39:20:683:12c4 Filter to match: Src 172.18.30.10 Dst 172.18.36.202
2-25: 14:39:20:683:12c4 MM PolicyName: 5
2-25: 14:39:20:683:12c4 MMPolicy dwFlags 2 SoftSAExpireTime 28800
2-25: 14:39:20:683:12c4 MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup 2
2-25: 14:39:20:683:12c4 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
2-25: 14:39:20:683:12c4 MMOffer[1] LifetimeSec 28800 QMLimit 1 DHGroup 2
2-25: 14:39:20:683:12c4 MMOffer[1] Encrypt: Triple DES CBC Hash: MD5
2-25: 14:39:20:683:12c4 MMOffer[2] LifetimeSec 28800 QMLimit 1 DHGroup 1
2-25: 14:39:20:683:12c4 MMOffer[2] Encrypt: DES CBC Hash: SHA
2-25: 14:39:20:683:12c4 MMOffer[3] LifetimeSec 28800 QMLimit 1 DHGroup 1
2-25: 14:39:20:683:12c4 MMOffer[3] Encrypt: DES CBC Hash: MD5
2-25: 14:39:20:683:12c4 Auth[0]:Kerberos
2-25: 14:39:20:683:12c4 QM PolicyName: Require IPSEC dwFlags 0
2-25: 14:39:20:683:12c4 QMOffer[0] LifetimeKBytes 100000 LifetimeSec 3600
2-25: 14:39:20:683:12c4 QMOffer[0] dwFlags 0 dwPFSGroup -2147483648
2-25: 14:39:20:683:12c4  Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: SHA
2-25: 14:39:20:683:12c4 Starting Negotiation: src = 172.18.36.202.0500, dst = 172.18.30.10.0500, proto = 00, context = 00002512, ProxySrc = 172.18.36.202.0000, ProxyDst = 172.18.30.10.0000 SrcMask = 0.0.0.0 DstMask = 0.0.0.0
2-25: 14:39:20:683:12c4 constructing ISAKMP Header
2-25: 14:39:20:683:12c4 constructing SA (ISAKMP)
2-25: 14:39:20:683:12c4 Constructing Vendor MS NT5 ISAKMPOAKLEY
2-25: 14:39:20:683:12c4 Constructing Vendor FRAGMENTATION
2-25: 14:39:20:683:12c4 Constructing Vendor draft-ietf-ipsec-nat-t-ike-02
2-25: 14:39:20:683:12c4 Constructing Vendor Vid-Initial-Contact
2-25: 14:39:20:683:12c4
2-25: 14:39:20:683:12c4 Sending: SA = 0x021005B8 to 172.18.30.10:Type 2.500
2-25: 14:39:20:683:12c4 ISAKMP Header: (V1.0), len = 516
2-25: 14:39:20:683:12c4   I-COOKIE 81f93546d372e6f2
2-25: 14:39:20:683:12c4   R-COOKIE 0000000000000000
2-25: 14:39:20:683:12c4   exchange: Oakley Main Mode
2-25: 14:39:20:683:12c4   flags: 0
2-25: 14:39:20:683:12c4   next payload: SA
2-25: 14:39:20:683:12c4   message ID: 00000000
2-25: 14:39:20:683:12c4 Ports S:f401 D:f401
2-25: 14:39:20:714:12c4
2-25: 14:39:20:714:12c4 Receive: (get) SA = 0x021005b8 from 172.18.30.10.500
2-25: 14:39:20:714:12c4 ISAKMP Header: (V1.0), len = 204
2-25: 14:39:20:714:12c4   I-COOKIE 81f93546d372e6f2
2-25: 14:39:20:714:12c4   R-COOKIE 43964549dd769e10
2-25: 14:39:20:714:12c4   exchange: Oakley Main Mode
2-25: 14:39:20:714:12c4   flags: 0
2-25: 14:39:20:714:12c4   next payload: SA
2-25: 14:39:20:714:12c4   message ID: 00000000
2-25: 14:39:20:714:12c4 processing payload SA
2-25: 14:39:20:714:12c4 Received Phase 1 Transform 1
2-25: 14:39:20:714:12c4      Encryption Alg Triple DES CBC(5)
2-25: 14:39:20:714:12c4      Hash Alg SHA(2)
2-25: 14:39:20:714:12c4      Oakley Group 2
2-25: 14:39:20:714:12c4      Auth Method Kerberos (GSSAPI)(65001)
2-25: 14:39:20:714:12c4      Life type in Seconds
2-25: 14:39:20:714:12c4      Life duration of 28800
2-25: 14:39:20:714:12c4      SSPI len=52
2-25: 14:39:20:714:12c4 Phase 1 SA accepted: transform=1
2-25: 14:39:20:714:12c4 SA - Oakley proposal accepted
2-25: 14:39:20:714:12c4 processing payload VENDOR ID
2-25: 14:39:20:714:12c4 Received VendorId MS NT5 ISAKMPOAKLEY
2-25: 14:39:20:714:12c4 processing payload VENDOR ID
2-25: 14:39:20:714:12c4 Received VendorId FRAGMENTATION
2-25: 14:39:20:714:12c4 processing payload VENDOR ID
2-25: 14:39:20:714:12c4 Received VendorId draft-ietf-ipsec-nat-t-ike-02
2-25: 14:39:20:714:12c4 ClearFragList
2-25: 14:39:20:714:12c4 constructing ISAKMP Header
2-25: 14:39:20:745:12c4 constructing KE
2-25: 14:39:20:745:12c4 constructing NONCE (ISAKMP)
2-25: 14:39:20:745:12c4 constructing SSPI
2-25: 14:39:21:652:1388 Retransmit failed to find SA
2-25: 14:39:22:652:1388 Retransmit failed to find SA
2-25: 14:39:23:652:1388 Retransmit failed to find SA
2-25: 14:39:24:652:1388 Retransmit failed to find SA
2-25: 14:39:25:652:1388 Retransmit failed to find SA
2-25: 14:39:26:652:1388 Retransmit failed to find SA

2) During those negotiations, I've run packet dumps.

When initiating from the NimitzAD side, you can see the AD starting the communications and the NAS responding, and then the communications going back and forth.

14:52:05.338280 nimitzad.foodgroup.local.isakmp > kamokilanas.foodgroup.local.isakmp: isakmp: phase 1 I ident
14:52:11.338571 nimitzad.foodgroup.local.isakmp > kamokilanas.foodgroup.local.isakmp: isakmp: phase 2/others ? inf
14:52:12.117168 kamokilanas.foodgroup.local.isakmp > nimitzad.foodgroup.local.isakmp: isakmp: phase 1 R ident
14:52:12.153184 nimitzad.foodgroup.local.isakmp > kamokilanas.foodgroup.local.isakmp: isakmp: phase 1 I ident
14:52:12.245230 kamokilanas.foodgroup.local.isakmp > nimitzad.foodgroup.local.isakmp: isakmp: phase 1 R ident
14:52:12.257469 nimitzad.foodgroup.local.isakmp > kamokilanas.foodgroup.local.isakmp: isakmp: phase 1 I ident[E]
14:52:12.272466 kamokilanas.foodgroup.local.isakmp > nimitzad.foodgroup.local.isakmp: isakmp: phase 1 R ident[E]
14:52:12.308735 nimitzad.foodgroup.local.isakmp > kamokilanas.foodgroup.local.isakmp: isakmp: phase 2/others I oakley-quick[E]
14:52:12.376844 kamokilanas.foodgroup.local.isakmp > nimitzad.foodgroup.local.isakmp: isakmp: phase 2/others R oakley-quick[EC]
14:52:12.389005 nimitzad.foodgroup.local.isakmp > kamokilanas.foodgroup.local.isakmp: isakmp: phase 2/others I oakley-quick[EC]
14:52:12.396611 kamokilanas.foodgroup.local.isakmp > nimitzad.foodgroup.local.isakmp: isakmp: phase 2/others R oakley-quick[EC]
14:52:12.396792 nimitzad.foodgroup.local > kamokilanas.foodgroup.local: ESP(spi=0x8d68b077,seq=0x1)
14:52:12.405739 kamokilanas.foodgroup.local > nimitzad.foodgroup.local: ESP(spi=0xc4d0cb64,seq=0x1)
14:52:12.525632 nimitzad.foodgroup.local > kamokilanas.foodgroup.local: ESP(spi=0x8d68b077,seq=0x2)
14:52:12.544509 kamokilanas.foodgroup.local > nimitzad.foodgroup.local: ESP(spi=0xc4d0cb64,seq=0x2)
14:52:13.525547 nimitzad.foodgroup.local > kamokilanas.foodgroup.local: ESP(spi=0x8d68b077,seq=0x3)
14:52:13.540211 kamokilanas.foodgroup.local > nimitzad.foodgroup.local: ESP(spi=0xc4d0cb64,seq=0x3)
14:52:14.525512 nimitzad.foodgroup.local > kamokilanas.foodgroup.local: ESP(spi=0x8d68b077,seq=0x4)
14:52:14.534265 kamokilanas.foodgroup.local > nimitzad.foodgroup.local: ESP(spi=0xc4d0cb64,seq=0x4)
14:52:15.525527 nimitzad.foodgroup.local > kamokilanas.foodgroup.local: ESP(spi=0x8d68b077,seq=0x5)
14:52:15.547188 kamokilanas.foodgroup.local > nimitzad.foodgroup.local: ESP(spi=0xc4d0cb64,seq=0x5)

When initiating from the KamokilaNAS side, you can see the NAS starting the communications, and the AD responding, but the NAS doesn't seem to acknowledge the response.

14:49:18.969779 kamokilanas.foodgroup.local.isakmp > nimitzad.foodgroup.local.isakmp: isakmp: phase 1 I ident
14:49:18.971185 nimitzad.foodgroup.local.isakmp > kamokilanas.foodgroup.local.isakmp: isakmp: phase 1 R ident
14:49:20.343391 nimitzad.foodgroup.local.isakmp > kamokilanas.foodgroup.local.isakmp: isakmp: phase 1 R ident
14:49:22.343321 nimitzad.foodgroup.local.isakmp > kamokilanas.foodgroup.local.isakmp: isakmp: phase 1 R ident

3) In the Event logs on the NAS, there are these Kerberos errors associated with the problem.

IKE security association negotiation failed.

Mode:
Key Exchange Mode (Main Mode)

Filter:
Source IP Address 172.18.36.202
Source IP Address Mask 255.255.255.255
Destination IP Address 172.18.30.10
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 172.18.36.202
IKE Peer Addr 172.18.30.10
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

Peer Identity:
Kerberos based Identity: nimitzad$@FOODGROUP.LOCAL
Peer IP Address: 172.18.30.10

Failure Point:
Me

Failure Reason:
No authority could be contacted for authentication.

Extra Status:
Processed first (SA) payload
Initiator. Delta Time 63
0x0 0x0

If anyone has any suggestions as to why our tunnel keeps failing only in Kamakila please let me know. This setup worked fine for 4 years. The odd thing is if I ping the connection I can connect just fine if I do a constant ping. Without a constant ping I am unable to ever connect and upload to our NAS located in Kamakila.

Any help is greatly appreciated.

Thank You!

Mathew

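The two Oakley traces above differ in one place: on the working side, "constructing SSPI" is followed by "InitializeSecurityContext returned ...", while on the failing side nothing follows it and the peer's retransmits "fail to find SA". A small classifier that spots exactly that stall, as an added example that is not from the post or from any Cisco or Microsoft tool; the log excerpts it runs on are constructed here in the same Oakley.log line format, and the "stalled building SSPI" verdict is this example's own heuristic, consistent with the "No authority could be contacted for authentication" event the poster quotes:

```python
import re
from dataclasses import dataclass

# Constructed excerpts in the Windows Oakley.log style quoted in the post
# (not the original log); only the lines the classifier looks at are kept.
FAILING_LOG = """\
2-25: 14:39:20:683:12c4 Sending: SA = 0x021005B8 to 172.18.30.10:Type 2.500
2-25: 14:39:20:714:12c4 Receive: (get) SA = 0x021005b8 from 172.18.30.10.500
2-25: 14:39:20:714:12c4 Phase 1 SA accepted: transform=1
2-25: 14:39:20:745:12c4 constructing KE
2-25: 14:39:20:745:12c4 constructing NONCE (ISAKMP)
2-25: 14:39:20:745:12c4 constructing SSPI
2-25: 14:39:21:652:1388 Retransmit failed to find SA
2-25: 14:39:22:652:1388 Retransmit failed to find SA
"""
WORKING_LOG = """\
2-25: 14:41:23:341:1448 constructing SSPI
2-25: 14:41:23:341:1448 InitializeSecurityContext returned 590610
2-25: 14:41:23:497:1448 MM established.  SA: 03DBA320
2-25: 14:41:23:622:1448 Phase 2 SA accepted: proposal=1 transform=1
"""
# Oakley.log line shape: "M-D: HH:MM:SS:ms:thread message"
LINE_RE = re.compile(r"^\d+-\d+: \d+:\d+:\d+:\d+:[0-9a-f]+\s*(?P<msg>.*)$")

@dataclass
class IkeDiagnosis:
    sent: int = 0                  # ISAKMP messages this host sent
    received: int = 0              # ISAKMP messages this host received
    last_constructed: str = ""     # last payload the local IKE service built
    sspi_returned: bool = False    # Kerberos token for MM message 3 came back
    mm_established: bool = False
    qm_accepted: bool = False
    retransmit_failures: int = 0
    verdict: str = ""

def diagnose(log: str) -> IkeDiagnosis:
    d = IkeDiagnosis()
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg").strip()
        if msg.startswith("Sending:"):
            d.sent += 1
        elif msg.startswith("Receive:"):
            d.received += 1
        elif msg.lower().startswith("constructing "):
            d.last_constructed = msg.split(" ", 1)[1].split(" ")[0]
        elif msg.startswith("InitializeSecurityContext returned"):
            d.sspi_returned = True
        elif msg.startswith("MM established"):
            d.mm_established = True
        elif msg.startswith("Phase 2 SA accepted"):
            d.qm_accepted = True
        elif msg == "Retransmit failed to find SA":
            d.retransmit_failures += 1
    if d.qm_accepted:
        d.verdict = "tunnel established"
    elif d.mm_established:
        d.verdict = "main mode ok, quick mode did not complete"
    elif d.last_constructed == "SSPI" and not d.sspi_returned:
        # The local IKE never obtained a Kerberos token, so MM message 3 was
        # never sent and the peer's retransmits have no SA to match: look at
        # KDC reachability and DNS from this host rather than at the IPsec policy.
        d.verdict = "stalled building SSPI (Kerberos) payload"
    else:
        d.verdict = "stalled after " + (d.last_constructed or "start")
    return d
```

Run `diagnose()` over the full Oakley.log of each side; the side whose verdict is the SSPI stall is the one that cannot reach a domain controller at that moment, which also fits the "works only while a constant ping keeps the path warm" symptom.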