IOS VPN: Key not found in keyrings of profile , aborting exchange

ruttersean
Level 1

Can anybody give me any pointers to resolve a problem with a 2821-2821 L2L VPN config please?

Router A has L2L config only.

Router B has L2L and VPN client profiles.

The VPN client part works fine. The L2L gives the following error on Router B when the tunnel is initiated from Router A:

044234: Dec  1 14:20:45.830: ISAKMP:(1572):Old State = IKE_R_MM4  New State = IKE_R_MM5
044235: Dec  1 14:20:45.830: ISAKMP:(1572): processing ID payload. message ID = 0
044236: Dec  1 14:20:45.830: ISAKMP (1572): ID payload
    next-payload : 8
    type         : 1
    address      : a.b.c.d
    protocol     : 17
    port         : 500
    length       : 12
044237: Dec  1 14:20:45.834: ISAKMP:(0):: peer matches wup_l2l profile
044238: Dec  1 14:20:45.834: ISAKMP:(1572):Found ADDRESS key in keyring wup_l2l_keyring
044239: Dec  1 14:20:45.834: ISAKMP:(1572):Key not found in keyrings of profile , aborting exchange
044240: Dec  1 14:20:45.834: ISAKMP (1572): FSM action returned error: 2
044241: Dec  1 14:20:45.834: ISAKMP:(1572):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
044242: Dec  1 14:20:45.834: ISAKMP:(1572):Old State = IKE_R_MM5  New State = IKE_R_MM5
044243: Dec  1 14:20:45.854: ISAKMP:(1572):peer does not do paranoid keepalives.
044244: Dec  1 14:20:45.854: ISAKMP:(1572):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer a.b.c.d)

The configuration I have used is from the Cisco Press Complete Cisco VPN guide (Richard Deal)

I have verified keys on each side.

I have verified the config using other Cisco documents.

I have added host key definitions in addition to address key definitions.

As far as I can see the profiles match on each side.

I am at a loss to interpret the error as it has apparently found a key and then immediately not found a key.


I am working on securing and extracting the pertinent parts of my configs for posting but if anybody has any pointers now it would be much appreciated.

Thanks
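The responder-side debug above is easiest to read once its lines are grouped by SA and the numeric ID-payload fields are decoded. The following Python script is an added example and is not code from the original post: it parses the exact lines quoted above (embedded as a constructed sample, with the peer kept as the placeholder a.b.c.d), names the ID and next-payload types with the RFC 2407/2408 numbers, and reports for each SA the state-machine path, which profile matched, which keyring supplied a key, the rejection and the delete reason. The regular expressions, the type tables and the hint text are this example's own; the hint is an interpretation of how the thread was resolved, not an IOS message.

```python
"""Per-SA triage of responder-side 'debug crypto isakmp' output.  Added example, not
code from the post: groups the quoted debug lines by SA, decodes the ID payload with the
RFC 2407 ID-type and RFC 2408 payload-type numbers and reports profile match, keyring hit,
rejection and delete reason.  The hint text is this example's reading of the thread, not IOS's.
"""
import re

# The debug lines quoted in the post, used here as constructed sample input (peer kept as a.b.c.d).
SAMPLE_DEBUG = """\
044234: Dec  1 14:20:45.830: ISAKMP:(1572):Old State = IKE_R_MM4  New State = IKE_R_MM5
044235: Dec  1 14:20:45.830: ISAKMP:(1572): processing ID payload. message ID = 0
044236: Dec  1 14:20:45.830: ISAKMP (1572): ID payload
    next-payload : 8
    type         : 1
    address      : a.b.c.d
    protocol     : 17
    port         : 500
    length       : 12
044237: Dec  1 14:20:45.834: ISAKMP:(0):: peer matches wup_l2l profile
044238: Dec  1 14:20:45.834: ISAKMP:(1572):Found ADDRESS key in keyring wup_l2l_keyring
044239: Dec  1 14:20:45.834: ISAKMP:(1572):Key not found in keyrings of profile , aborting exchange
044240: Dec  1 14:20:45.834: ISAKMP (1572): FSM action returned error: 2
044242: Dec  1 14:20:45.834: ISAKMP:(1572):Old State = IKE_R_MM5  New State = IKE_R_MM5
044243: Dec  1 14:20:45.854: ISAKMP:(1572):peer does not do paranoid keepalives.
044244: Dec  1 14:20:45.854: ISAKMP:(1572):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer a.b.c.d)
"""

# "<seq>: <timestamp>: ISAKMP:(<sa>):<text>"; IOS prints both "ISAKMP:(1572):" and "ISAKMP (1572): ".
LINE_RE = re.compile(r"^(?P<seq>\d+): (?P<ts>\w{3}\s+\d+ [\d:.]+): ISAKMP:?\s*\((?P<sa>\d+)\):?\s*(?P<text>.*)$")
CONT_RE = re.compile(r"^\s+(?P<key>[\w-]+)\s*:\s*(?P<val>\S.*?)\s*$")   # indented "field : value" lines
PATTERNS = {
    "state": re.compile(r"Old State = (?P<old>\S+)\s+New State = (?P<new>\S+)"),
    "profile": re.compile(r"peer matches (?P<profile>\S+) profile"),
    "key": re.compile(r"Found (?P<kind>\w+) key in keyring (?P<keyring>\S+)"),
    "notfound": re.compile(r"Key not found in keyrings of profile (?P<profile>\S*?)\s*,"),
    "fsm": re.compile(r"FSM action returned error: (?P<code>\d+)"),
    "delete": re.compile(r'deleting SA reason "(?P<reason>[^"]+)" state \((?P<role>[IR])\) '
                         r"(?P<state>\S+) \(peer (?P<peer>\S+)\)"),
}
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 4: "ID_IPV4_ADDR_SUBNET", 11: "ID_KEY_ID"}
PAYLOADS = {5: "ID", 8: "HASH", 10: "NONCE", 11: "N", 13: "VID"}

def parse_debug(text):
    """Group lines per SA id; SA 0 lines (profile selection) belong to the SA in progress."""
    sas, last_sa, in_id = {}, None, False
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            c = CONT_RE.match(line)
            if c and in_id and last_sa is not None:
                sas[last_sa]["id_payload"][c.group("key")] = c.group("val")
            continue
        sa = int(m.group("sa")) or last_sa
        s = sas.setdefault(sa, {"states": [], "id_payload": {}, "profile": None, "key_kind": None,
                                "keyring": None, "rejected_for_profile": None, "fsm_error": None, "delete": None})
        last_sa, body = sa, m.group("text").lstrip(": ")
        in_id = body.startswith("ID payload")
        for name, rx in PATTERNS.items():
            hit = rx.search(body)
            if not hit:
                continue
            if name == "state":
                s["states"].append((hit.group("old"), hit.group("new")))
            elif name == "profile":
                s["profile"] = hit.group("profile")
            elif name == "key":
                s["key_kind"], s["keyring"] = hit.group("kind"), hit.group("keyring")
            elif name == "notfound":
                s["rejected_for_profile"] = hit.group("profile")   # empty string on this page
            elif name == "fsm":
                s["fsm_error"] = int(hit.group("code"))
            else:
                s["delete"] = hit.groupdict()
            break
    return sas

def diagnose(s):
    """Hints derived from the summary; the wording is this example's, not IOS's."""
    hints = []
    if s["keyring"] and s["rejected_for_profile"] is not None:
        hints.append(f"{s['key_kind']} key for the peer was found in keyring {s['keyring']} yet rejected under "
                     f"profile {s['profile'] or '<unnamed>'}: look for keys for this peer outside that keyring "
                     "(global 'crypto isakmp key' entries, hostname entries); the thread above cleared this "
                     "by leaving only the keyring's address key.")
    if s["delete"]:
        d = s["delete"]
        hints.append(f"SA deleted as {d['role']} in {d['state']} ({d['reason']}): phase 1 never completed, "
                     "so phase 2 (transform sets, crypto maps) is not the problem yet.")
    return hints

def triage(text):
    """Parse every SA, add RFC names to the ID payload fields and attach hints."""
    sas = parse_debug(text)
    for s in sas.values():
        idp = s["id_payload"]
        if "type" in idp:
            idp["type_name"] = ID_TYPES.get(int(idp["type"]), "unknown")
        if "next-payload" in idp:
            idp["next_payload_name"] = PAYLOADS.get(int(idp["next-payload"]), "unknown")
        s["hints"] = diagnose(s)
    return sas
```

Run `triage(SAMPLE_DEBUG)` and print the single entry keyed by SA 1572: the ID payload decodes as type 1 (ID_IPV4_ADDR) followed by a HASH payload, which is why the responder can only match the profile by address at this point, and the SA is torn down in MM_KEY_EXCH before phase 1 completes.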

9 Replies

rahgovin
Level 4

Do you have multiple keyrings and profiles on the router? It could be that it is hitting a keyring and profile with an address of 0.0.0.0 while you want it to hit the keyring with the specific peer address. That's when you would usually get this message. Could you post what your profile and keyring config is?

I do have an additional keyring for the vpn client users but I have removed that and I still get the same error for the L2L

You must have multiple profiles too, for VPN client and L2L, right? Could you change the order in which they are configured?

Indeed I do. However, I just removed the vpn client profile and that results in the same error. I assume the profile was gone as the vpn client isakmp/ipsec debug output ceased.

Let me get the config posted in 10 minutes or so.

Thanks

RouterB config excerpt

ip domain name adomain.com
ip host routera.adomain.com a.b.c.d
!
crypto keyring wup_l2l_keyring
 pre-shared-key address a.b.c.d key < b key>
 pre-shared-key hostname routera key < b key>
crypto keyring vpnclient_users_keyring
 pre-shared-key address 0.0.0.0 0.0.0.0 key
crypto ctcp port 10000
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key < b key> address a.b.c.d no-xauth
crypto isakmp key < b key> hostname routera.adomain.com
!
crypto isakmp client configuration group
 key
 dns 10.5.1.10
 domain adomain.com
 pool VPN1
 acl 101
 netmask 255.255.255.0
crypto isakmp profile vpnclient_users
 description remote access users profile
 keyring vpnclient_users_keyring
 match identity group
 client authentication list UserAuth
 isakmp authorization list
 client configuration address respond
crypto isakmp profile wup_l2l
 description wuppertal l2l tunnel
 keyring wup_l2l_keyring
 match identity address a.b.c.d 255.255.255.255
 match identity host routera.adomain.com
 keepalive 20 retry 3
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set l2l_transform esp-3des esp-sha-hmac
!
crypto dynamic-map seanmap 5
 set transform-set ESP-3DES-SHA
 set isakmp-profile vpnclient_users
crypto dynamic-map seanmap 10
 set transform-set l2l_transform
 set isakmp-profile wup_l2l
!
crypto map staticmap 10 ipsec-isakmp dynamic seanmap
!
interface Serial0/0/0:0
 crypto map staticmap

RouterA config excerpt

ip host routerb.adomain.com w.x.y.z
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key < b key> address w.x.y.z no-xauth
crypto isakmp key < b key> hostname routerb.adomain.com
!
crypto ipsec transform-set l2l_transform esp-3des esp-sha-hmac
!
crypto map mapone 50 ipsec-isakmp
 set peer w.x.y.z
 set transform-set l2l_transform
 match address traffic_list

IOS is 15.1(2)T1 on each router

Could you try removing the hostname pre-shared key from the Keyring and testing?

Hello,

That did not resolve the issue directly but stripping out all key definitions other than those in keyrings did the trick and the SA is established.

To summarise I now have an address key defined in the keyring and that is all.

I think I had a separate issue initially with the SA creation and that got me sidetracked adding additional key definitions.

Thanks for your help.

My configs are now:

ip domain name adomain.com
ip host routera.adomain.com a.b.c.d
!
crypto keyring wup_l2l_keyring
 pre-shared-key address a.b.c.d key < b key>
crypto keyring vpnclient_users_keyring
 pre-shared-key address 0.0.0.0 0.0.0.0 key
crypto ctcp port 10000
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group
 key
 dns 10.5.1.10
 domain adomain.com
 pool VPN1
 acl 101
 netmask 255.255.255.0
crypto isakmp profile vpnclient_users
 description remote access users profile
 keyring vpnclient_users_keyring
 match identity group
 client authentication list UserAuth
 isakmp authorization list
 client configuration address respond
crypto isakmp profile wup_l2l
 description wuppertal l2l tunnel
 keyring wup_l2l_keyring
 match identity address a.b.c.d 255.255.255.255
 match identity host routera.adomain.com
 keepalive 20 retry 3
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set l2l_transform esp-3des esp-sha-hmac
!
crypto dynamic-map seanmap 5
 set transform-set ESP-3DES-SHA
 set isakmp-profile vpnclient_users
crypto dynamic-map seanmap 10
 set transform-set l2l_transform
 set isakmp-profile wup_l2l
!
crypto map staticmap 10 ipsec-isakmp dynamic seanmap
!
interface Serial0/0/0:0
 crypto map staticmap

and the other router:

ip host routerb.adomain.com w.x.y.z
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key < b key> address w.x.y.z no-xauth
!
crypto ipsec transform-set l2l_transform esp-3des esp-sha-hmac
!
crypto map mapone 50 ipsec-isakmp
 set peer w.x.y.z
 set transform-set l2l_transform
 match address traffic_list

Just like the VPN book says

Sean
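The working config above differs from the failing one in exactly one respect: the pre-shared key for the peer now exists once, in the keyring named by the ISAKMP profile that matches it. The script below is an added example, not the poster's config or a Cisco tool, that lints an IOS excerpt for that condition. It parses `ip host`, `crypto isakmp key`, `crypto keyring` and `crypto isakmp profile` lines and, for each /32 peer a profile matches by address, reports keys for that peer outside the profile's keyring (the global entries and the hostname entry this thread removed), a hostname key next to an address key, and a profile whose keyring has no key for the peer at all (the literal meaning of the debug message). The `a.b.c.d` placeholder is replaced with the RFC 5737 address 203.0.113.1 so masks can be evaluated; the severities are this example's own choice, and appending the configured domain name to a bare hostname is an assumption.

```python
"""IOS IKEv1 pre-shared-key placement lint.  Added example, not the poster's config or
a Cisco tool: flags what the thread removed to get the SA up (a peer keyed globally with
'crypto isakmp key' as well as in its profile's keyring, a hostname key beside an address
key for the same peer) and a profile whose keyring holds no key for the peer it matches.
"""
import ipaddress

# Router B excerpt from the post, condensed; a.b.c.d replaced by 203.0.113.1 (RFC 5737).
BEFORE = """\
ip domain name adomain.com
ip host routera.adomain.com 203.0.113.1
crypto keyring wup_l2l_keyring
  pre-shared-key address 203.0.113.1 key < b key>
  pre-shared-key hostname routera key < b key>
crypto keyring vpnclient_users_keyring
  pre-shared-key address 0.0.0.0 0.0.0.0 key
crypto isakmp policy 10
 encr 3des
crypto isakmp key < b key> address 203.0.113.1 no-xauth
crypto isakmp key < b key> hostname routera.adomain.com
crypto isakmp profile wup_l2l
   keyring wup_l2l_keyring
   match identity address 203.0.113.1 255.255.255.255
   match identity host routera.adomain.com
"""
# The working config from the last post: the global keys and the hostname key are gone.
AFTER = "\n".join(l for l in BEFORE.splitlines()
                  if not l.startswith("crypto isakmp key") and "hostname routera" not in l)

def parse_config(text):
    """Collect hosts, global keys, keyrings and profiles; the secrets themselves are not kept."""
    cfg = {"domain": None, "hosts": {}, "global": [], "keyrings": {}, "profiles": {}}
    block = None                        # ("keyring", entries) or ("profile", dict) inside a block
    for raw in text.splitlines():
        line, p = raw.strip(), raw.split()
        if not p or p[0] == "!":
            continue
        if line.startswith("ip domain name "):
            cfg["domain"] = p[-1]
        elif line.startswith("ip host "):
            cfg["hosts"][p[2]] = p[3]
        elif line.startswith("crypto keyring "):
            block = ("keyring", cfg["keyrings"].setdefault(p[2], []))
        elif line.startswith("crypto isakmp profile "):
            block = ("profile", cfg["profiles"].setdefault(p[3], {"keyring": None, "matches": []}))
        elif line.startswith("crypto isakmp key "):   # ... <secret> {address <ip> [mask] [no-xauth] | hostname <name>}
            i = next(i for i, t in enumerate(p) if i > 2 and t in ("address", "hostname"))
            mask = p[i + 2] if len(p) > i + 2 and p[i + 2][0].isdigit() else None
            cfg["global"].append({"kind": p[i], "value": p[i + 1], "mask": mask})
        elif line.startswith(("crypto ", "interface ")):
            block = None                # any other top-level command ends the current block
        elif block and block[0] == "keyring" and p[0] == "pre-shared-key":   # ... {address <ip> [mask] | hostname <name>} key <secret>
            block[1].append({"kind": p[1], "value": p[2], "mask": p[3] if p[3] != "key" else None})
        elif block and block[0] == "profile" and p[0] == "keyring":
            block[1]["keyring"] = p[1]
        elif block and block[0] == "profile" and line.startswith("match identity address "):
            block[1]["matches"].append((p[3], p[4] if len(p) > 4 else "255.255.255.255"))
    return cfg

def entry_network(e, cfg):
    """Network an entry keys, or None when its hostname has no 'ip host' mapping."""
    if e["kind"] == "address":
        return ipaddress.ip_network(f"{e['value']}/{e['mask'] or '255.255.255.255'}", strict=False)
    name = e["value"]
    if "." not in name and cfg["domain"]:   # assumption: a bare name gets the domain name appended
        name = f"{name}.{cfg['domain']}"
    ip = cfg["hosts"].get(name)
    return ipaddress.ip_network(f"{ip}/32") if ip else None

def lint(cfg):
    """(severity, message) findings for each /32 peer that a profile matches by address."""
    out = []
    for pname, prof in cfg["profiles"].items():
        kname = prof["keyring"]
        if not kname or kname not in cfg["keyrings"]:
            if kname:
                out.append(("error", f"profile {pname} references undefined keyring {kname}"))
            continue                    # no keyring: global keys apply, nothing to cross-check
        for addr, mask in prof["matches"]:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if net.prefixlen != 32:
                continue                # range matches are outside this per-peer check
            peer = net.network_address
            own = [e for e in cfg["keyrings"][kname] if (n := entry_network(e, cfg)) is not None and peer in n]
            if not own:                 # the literal meaning of "Key not found in keyrings of profile"
                out.append(("error", f"profile {pname} matches {peer} but keyring {kname} has no key for it"))
            if {e["kind"] for e in own} >= {"address", "hostname"}:
                out.append(("warning", f"keyring {kname} keys {peer} by address and by hostname; keep one"))
            glob = [e for e in cfg["global"] if (n := entry_network(e, cfg)) is not None and peer in n]
            if glob:                    # the duplication the thread removed to get the SA up
                out.append(("error", f"{peer} has {len(glob)} global 'crypto isakmp key' entries in addition to keyring {kname}"))
            for oname, entries in cfg["keyrings"].items():
                for e in entries:
                    n = entry_network(e, cfg)
                    if oname != kname and n is not None and peer in n:   # a /0 entry is a note, a specific one a clash
                        out.append(("info" if n.prefixlen == 0 else "error",
                                    f"keyring {oname} also covers {peer} ({e['kind']} {e['value']}/{n.prefixlen})"))
    return out

def lint_text(text):
    return lint(parse_config(text))
```

`lint_text(BEFORE)` yields a warning (address and hostname keys for the same peer in wup_l2l_keyring), an error (two global `crypto isakmp key` entries for the peer) and an info note that the 0.0.0.0 keyring for the VPN clients also covers the peer; `lint_text(AFTER)` yields only the info note, which matches the configuration that brought the SA up in this thread, so the wildcard overlap alone is not what broke it here.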
