04-17-2012 08:24 AM
GET VPN - pre-shared keys - ver. 15.1.M4
Attempting to get the 1st group member connected to the key server; receiving the following error:
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer 10.100.1.3
Any ideas?
Configs are:
KS - 10.100.1.3
crypto isakmp policy 10
 encr aes
 group 2
crypto isakmp key Cisco address 192.168.252.166
!
!
crypto ipsec transform-set new-trans esp-aes esp-sha-hmac
!
crypto ipsec profile gdoi-profile-getvpn
 set security-association lifetime seconds 900
 set transform-set new-trans
!
crypto gdoi group getvpn
 identity number 10
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa getvpn-export-general
  rekey transport unicast
  sa ipsec 1
   profile gdoi-profile-getvpn
   match address ipv4 getvpn-acl
   replay time window-size 5
  address ipv4 10.100.1.3
!
ip access-list extended getvpn-acl
 deny tcp any any eq 848
 deny tcp any eq 848 any
 remark ACL policies to be pushed to GMs
 deny tcp any any eq 22
 deny tcp any eq 22 any
 deny tcp any any eq bgp
 deny tcp any eq bgp any
 permit ip any any
!
GM - 192.168.252.166
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key Cisco address 10.100.1.3
!
!
crypto gdoi group getvpn
 identity number 10
 server address ipv4 10.100.1.3
!
!
crypto map getvpn-map 10 gdoi
 set group getvpn
!
interface Multilink1
 ip address 192.168.252.166 255.255.255.252
 no peer neighbor-route
 ppp chap hostname 122344
 ppp multilink
 ppp multilink links minimum 1
 ppp multilink group 1
 ppp multilink fragment disable
 no cdp enable
 crypto map getvpn-map
Debugs from GM
Apr 17 11:22:11.034: %CRYPTO-5-GM_REGSTER: Start registration to KS 10.100.1.3 for group getvpn using address 152.187.252.166
Apr 17 11:22:11.034: ISAKMP:(0): SA request profile is (NULL)
Apr 17 11:22:11.034: ISAKMP: Created a peer struct for 10.100.1.3, peer port 848
Apr 17 11:22:11.034: ISAKMP: New peer created peer = 0x12F820C8 peer_handle = 0x8000000D
Apr 17 11:22:11.034: ISAKMP: Locking peer struct 0x12F820C8, refcount 1 for isakmp_initiator
Apr 17 11:22:11.034: ISAKMP: local port 848, remote port 848
Apr 17 11:22:11.034: ISAKMP: set new node 0 to QM_IDLE
Apr 17 11:22:11.034: ISAKMP:(0):insert sa successfully sa = 1024CA4
Apr 17 11:22:11.034: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Apr 17 11:22:11.034: ISAKMP:(0):found peer pre-shared key matching 10.100.1.3
Apr 17 11:22:11.034: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Apr 17 11:22:11.034: ISAKMP:(0): constructed NAT-T vendor-07 ID
Apr 17 11:22:11.034: ISAKMP:(0): constructed NAT-T vendor-03 ID
Apr 17 11:22:11.034: ISAKMP:(0): constructed NAT-T vendor-02 ID
Apr 17 11:22:11.034: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Apr 17 11:22:11.034: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Apr 17 11:22:11.034: ISAKMP:(0): beginning Main Mode exchange
Apr 17 11:22:11.034: ISAKMP:(0): sending packet to 10.100.1.3 my_port 848 peer_port 848 (I) MM_NO_STATE
Apr 17 11:22:11.034: ISAKMP:(0):Sending an IKE IPv4 Packet.
Apr 17 11:22:11.038: ISAKMP (0): received packet from 10.100.1.3 dport 848 sport 848 Global (I) MM_NO_STATE
Apr 17 11:22:11.038: ISAKMP:(0):Notify has no hash. Rejected.
Apr 17 11:22:11.038: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
Apr 17 11:22:11.038: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Apr 17 11:22:11.038: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
HQ-2951-WAN#
Apr 17 11:22:11.038: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.100.1.3
HQ-2951-WAN#
Apr 17 11:22:21.034: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Apr 17 11:22:21.034: ISAKMP (0): incrementing error counter on sa, attempt 1 of 3: retransmit phase 1
Apr 17 11:22:21.034: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
04-20-2012 11:46 AM
Are you sure that your KS uses a pre-shared key for authentication?
This is your config on the KS:
crypto isakmp policy 10
encr aes
group 2
By default it will use RSA sig for authentication.
Can you double check that one for me please?
HTH,
Mo
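Added example, not part of the thread and not Cisco tooling: a small Python check that reads the `crypto isakmp policy` blocks from the KS and GM configs, applies the RSA-signature default named in the reply when no `authentication` line is present, and reports which attributes keep the two sides from sharing a policy. The function names are hypothetical, and only the authentication default is modelled; other unset keywords are compared as unset.

```python
import re

# Default named in the reply above: a policy with no "authentication" line
# uses RSA signatures. Defaults for other keywords are not modelled here.
DEFAULT_AUTH = "rsa-sig"
KEYWORDS = {"encr": "encryption", "encryption": "encryption", "hash": "hash",
            "authentication": "authentication", "group": "group"}

def parse_isakmp_policies(config):
    """Return {priority: {keyword: value}} with the authentication default applied."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"crypto isakmp policy (\d+)$", line)
        if header:
            current = policies.setdefault(int(header.group(1)), {})
            continue
        parts = line.split(None, 1)
        if current is not None and len(parts) == 2 and parts[0] in KEYWORDS:
            current[KEYWORDS[parts[0]]] = parts[1]
        else:
            current = None  # any other line closes the policy block
    for params in policies.values():
        params.setdefault("authentication", DEFAULT_AUTH)
    return policies

def policy_mismatches(ks_config, gm_config):
    """Return [] if some KS/GM policy pair agrees, else every differing attribute."""
    ks, gm = parse_isakmp_policies(ks_config), parse_isakmp_policies(gm_config)
    diffs = []
    for ks_prio, ks_params in sorted(ks.items()):
        for gm_prio, gm_params in sorted(gm.items()):
            if ks_params == gm_params:
                return []  # one common policy is enough for the proposal to match
            for key in sorted(ks_params.keys() | gm_params.keys()):
                if ks_params.get(key) != gm_params.get(key):
                    diffs.append((ks_prio, gm_prio, key,
                                  ks_params.get(key), gm_params.get(key)))
    return diffs

# Policy blocks copied from the two configs posted in this thread.
KS_POSTED = "crypto isakmp policy 10\n encr aes\n group 2\n"
GM_POSTED = "crypto isakmp policy 10\n encr aes\n authentication pre-share\n group 2\n"

if __name__ == "__main__":
    for diff in policy_mismatches(KS_POSTED, GM_POSTED):
        print("KS policy %d vs GM policy %d: %s is %r on KS, %r on GM" % diff)
```

Run against the posted configs, it reports a single difference: authentication is `rsa-sig` on the KS and `pre-share` on the GM.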