
GET VPN error

gizbri
Level 1

GET VPN - pre-shared keys  - ver. 15.1.M4  

Attempting to get 1st group member connected to the key server; Receiving the following error:

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer 10.100.1.3

Any ideas?

Configs are:

KS - 10.100.1.3

crypto isakmp policy 10

encr aes

group 2

crypto isakmp key Cisco address 192.168.252.166

!

!

crypto ipsec transform-set new-trans esp-aes esp-sha-hmac

!

crypto ipsec profile gdoi-profile-getvpn

set security-association lifetime seconds 900

set transform-set new-trans

!

crypto gdoi group getvpn

identity number 10

server local

  rekey retransmit 10 number 2

  rekey authentication mypubkey rsa getvpn-export-general

  rekey transport unicast

  sa ipsec 1

   profile gdoi-profile-getvpn

   match address ipv4 getvpn-acl

   replay time window-size 5

  address ipv4 10.100.1.3

!

ip access-list extended getvpn-acl

deny   tcp any any eq 848

deny   tcp any eq 848 any

remark ACL policies to be pushed to GMs

deny   tcp any any eq 22

deny   tcp any eq 22 any

deny   tcp any any eq bgp

deny   tcp any eq bgp any

permit ip any any

!

GM - 192.168.252.166

crypto isakmp policy 10

encr aes

authentication pre-share

group 2

crypto isakmp key Cisco address 10.100.1.3

!

!

crypto gdoi group getvpn

identity number 10

server address ipv4 10.100.1.3

!

!

crypto map getvpn-map 10 gdoi

set group getvpn

!

interface Multilink1

  ip address 192.168.252.166 255.255.255.252

no peer neighbor-route

ppp chap hostname 122344

ppp multilink

ppp multilink links minimum 1

ppp multilink group 1

ppp multilink fragment disable

no cdp enable

crypto map getvpn-map

Debugs from GM

Apr 17 11:22:11.034: %CRYPTO-5-GM_REGSTER: Start registration to KS 10.100.1.3 for group getvpn using address 152.187.252.166

Apr 17 11:22:11.034: ISAKMP:(0): SA request profile is (NULL)

Apr 17 11:22:11.034: ISAKMP: Created a peer struct for 10.100.1.3, peer port 848

Apr 17 11:22:11.034: ISAKMP: New peer created peer = 0x12F820C8 peer_handle = 0x8000000D

Apr 17 11:22:11.034: ISAKMP: Locking peer struct 0x12F820C8, refcount 1 for isakmp_initiator

Apr 17 11:22:11.034: ISAKMP: local port 848, remote port 848

Apr 17 11:22:11.034: ISAKMP: set new node 0 to QM_IDLE

Apr 17 11:22:11.034: ISAKMP:(0):insert sa successfully sa = 1024CA4

Apr 17 11:22:11.034: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

Apr 17 11:22:11.034: ISAKMP:(0):found peer pre-shared key matching 10.100.1.3

Apr 17 11:22:11.034: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

Apr 17 11:22:11.034: ISAKMP:(0): constructed NAT-T vendor-07 ID

Apr 17 11:22:11.034: ISAKMP:(0): constructed NAT-T vendor-03 ID

Apr 17 11:22:11.034: ISAKMP:(0): constructed NAT-T vendor-02 ID

Apr 17 11:22:11.034: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

Apr 17 11:22:11.034: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Apr 17 11:22:11.034: ISAKMP:(0): beginning Main Mode exchange

Apr 17 11:22:11.034: ISAKMP:(0): sending packet to 10.100.1.3 my_port 848 peer_port 848 (I) MM_NO_STATE

Apr 17 11:22:11.034: ISAKMP:(0):Sending an IKE IPv4 Packet.

Apr 17 11:22:11.038: ISAKMP (0): received packet from 10.100.1.3 dport 848 sport 848 Global (I) MM_NO_STATE

Apr 17 11:22:11.038: ISAKMP:(0):Notify has no hash. Rejected.

Apr 17 11:22:11.038: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1

Apr 17 11:22:11.038: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

Apr 17 11:22:11.038: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

HQ-2951-WAN#

Apr 17 11:22:11.038: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.100.1.3

HQ-2951-WAN#

Apr 17 11:22:21.034: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Apr 17 11:22:21.034: ISAKMP (0): incrementing error counter on sa, attempt 1 of 3: retransmit phase 1

Apr 17 11:22:21.034: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE



1 Reply 1

Are you sure that your KS uses a pre-shared key for authentication?

This is your config on the KS:

crypto isakmp policy 10

encr aes

group 2

By default it will use RSA sig for authentication.

Can you double check that one for me please?

HTH,

Mo
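
The check suggested in the reply, written out as an added example (not part of the original thread and not Cisco tooling): it parses the `crypto isakmp policy` block from each posted config, fills in the authentication default named in the reply, and lists the attributes whose effective values differ. Comparing the two sides by the same policy number and treating other unset attributes as an opaque `default` are simplifying assumptions; the sample configs are constructed from the ones posted above.

```python
import re

# Constructed from the two configs posted in the thread (IKE phase 1 lines only).
KS_CONFIG = """\
crypto isakmp policy 10
 encr aes
 group 2
crypto isakmp key Cisco address 192.168.252.166
"""
GM_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key Cisco address 10.100.1.3
"""

# Per the reply: with no "authentication" line, IOS falls back to RSA signatures.
DEFAULT_AUTH = "rsa-sig"
FIELDS = ("encr", "hash", "authentication", "group")


def isakmp_policies(config):
    """Return {priority: {field: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in filter(None, map(str.strip, config.splitlines())):
        header = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        key, _, value = line.partition(" ")
        if header:
            current = policies.setdefault(int(header.group(1)), {})
        elif current is not None and key in FIELDS:
            current[key] = value.strip()
        else:
            current = None  # any other command closes the policy block
    for policy in policies.values():
        policy.setdefault("authentication", DEFAULT_AUTH)
    return policies


def compare(ks_cfg, gm_cfg, priority=10):
    """List (field, ks_value, gm_value) where the effective values differ."""
    ks, gm = (isakmp_policies(c)[priority] for c in (ks_cfg, gm_cfg))
    return [(f, ks.get(f, "default"), gm.get(f, "default"))
            for f in FIELDS if ks.get(f, "default") != gm.get(f, "default")]


if __name__ == "__main__":
    for field, ks, gm in compare(KS_CONFIG, GM_CONFIG):
        print(f"{field}: KS={ks} GM={gm}")
```

On the posted configs this reports a single difference, the authentication method, which matches the reply's reading of the key server policy.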