phase 2 SA not acceptable

rmv72
Level 1

I want to connect two offices via VPN:

First office - Router 3620

int fa1/1(A.B.C.D) - to ISP

int fa1/0(A.B.C.E) - to LAN

Firewall behind int fa1/0 ( A.B.C.G,10.10.4.1)

Second office - PIX 506E

out int -X.Y.Z.99

in int - 172.20.4.1

Client behind PIX - 172.20.7.14 - I try to ping from that client to 10.10.4.1 - failed.

----------------------

Configs:

3620

====

!

crypto isakmp policy 10

hash md5

authentication pre-share

group 2

crypto isakmp key ****** address X.Y.Z.99 no-xauth

!

!

crypto ipsec transform-set TUNNEL-TRANSFORM esp-des esp-md5-hmac

mode transport

!

!

crypto map VPN 1 ipsec-isakmp

set peer X.Y.Z.99

set transform-set TUNNEL-TRANSFORM

match address 111

!

!

interface Tunnel0

ip address 192.168.101.1 255.255.255.0

tunnel source FastEthernet1/0

tunnel destination X.Y.Z.99

crypto map VPN

!

ip route 172.0.0.0 255.0.0.0 Tunnel0

!

access-list 111 remark # traffic for encryption

access-list 111 permit gre host A.B.C.D host X.Y.Z.99

!

==============================================

PIX 506E

========

name 10.10.0.0 GalaktikaMinsk

access-list outside_cryptomap_20 permit ip 172.0.0.0 255.0.0.0 GalaktikaMinsk 255.255.0.0

sysopt connection permit-ipsec

crypto ipsec transform-set VPNSecure esp-des esp-md5-hmac

crypto dynamic-map DynMap 10 set transform-set VPNSecure

crypto map VPNmap 20 ipsec-isakmp

crypto map VPNmap 20 match address outside_cryptomap_20

crypto map VPNmap 20 set peer A.B.C.D

crypto map VPNmap 20 set transform-set VPNSecure

crypto map VPNmap 65535 ipsec-isakmp dynamic DynMap

crypto map VPNmap client authentication LOCAL

crypto map VPNmap interface outside

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp key ******** address A.B.C.D netmask 255.255.255.255 no-xauth no-config-mode

===========================================
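Before reading debug output, a practitioner would line the two crypto-map entries above up field by field: the phase 2 proxy identities must be mirror images, the encapsulation mode and transform set must be identical, and each side must send IKE to an address that actually carries a crypto map on the other side. The script below is an added example (not code from this thread or from Cisco) that performs those checks on the two posted configurations; the masked addresses A.B.C.D, A.B.C.E and X.Y.Z.99 are replaced by constructed TEST-NET stand-ins.

```python
"""Phase 2 (Quick Mode) consistency check between two IPsec peers.
Added example, not Cisco's or the poster's code. The Peer records below are
transcribed from the thread's configs; masked addresses use TEST-NET stand-ins."""
from dataclasses import dataclass
from ipaddress import ip_network

ROUTER_ISP = "192.0.2.1"       # constructed stand-in for A.B.C.D (fa1/1, no crypto map)
ROUTER_LAN = "192.0.2.2"       # constructed stand-in for A.B.C.E (fa1/0, Tunnel0 source)
PIX_OUTSIDE = "198.51.100.99"  # constructed stand-in for X.Y.Z.99 (PIX outside)


@dataclass(frozen=True)
class Peer:
    name: str
    peer: str                # address this side sends IKE to
    crypto_addrs: frozenset  # addresses of interfaces that carry a crypto map
    local_proxy: str         # network this side protects, "addr/mask"
    remote_proxy: str        # network it expects behind the peer
    protocol: str            # protocol in the crypto ACL: "gre" or "ip"
    mode: str                # "tunnel" (default) or "transport"
    transform: tuple         # ESP transforms, in order


def phase2_mismatches(a: Peer, b: Peer) -> list:
    """List every field on which the two Quick Mode policies fail to mirror."""
    problems = []
    for src, dst in ((a, b), (b, a)):  # each peer address must carry a crypto map
        if src.peer not in dst.crypto_addrs:
            problems.append(f"{src.name} peers with {src.peer}, which carries "
                            f"no crypto map on {dst.name}")
    if (ip_network(a.local_proxy) != ip_network(b.remote_proxy)
            or ip_network(a.remote_proxy) != ip_network(b.local_proxy)):
        problems.append(f"proxy IDs are not mirror images: {a.name} "
                        f"{a.local_proxy}->{a.remote_proxy}, {b.name} "
                        f"{b.local_proxy}->{b.remote_proxy}")
    for field in ("protocol", "mode", "transform"):  # must be identical
        if getattr(a, field) != getattr(b, field):
            problems.append(f"{field}: {a.name}={getattr(a, field)}, "
                            f"{b.name}={getattr(b, field)}")
    return problems


# 3620: crypto map VPN on Tunnel0 (source fa1/0); ACL 111 = gre host<->host; transport
ROUTER = Peer("3620", PIX_OUTSIDE, frozenset({ROUTER_LAN}), f"{ROUTER_ISP}/32",
              f"{PIX_OUTSIDE}/32", "gre", "transport", ("esp-des", "esp-md5-hmac"))
# PIX 506E: crypto map on outside; ACL = ip 172/8 <-> 10.10/16; default tunnel mode
PIX = Peer("PIX 506E", ROUTER_ISP, frozenset({PIX_OUTSIDE}), "172.0.0.0/255.0.0.0",
           "10.10.0.0/255.255.0.0", "ip", "tunnel", ("esp-des", "esp-md5-hmac"))
```

Running `phase2_mismatches(ROUTER, PIX)` reports four findings for the posted configs (peer address without a crypto map, non-mirrored proxy IDs, GRE versus IP in the crypto ACLs, transport versus tunnel mode); the transform sets agree.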

3 Replies

rmv72
Level 1

Here is the debug output:

3620

====

1d: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at X.Y.Z.99

1w1d: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at X.Y.Z.99

1w1d: ISAKMP (0:14): received packet from X.Y.Z.99 (R) QM_IDLE

1w1d: ISAKMP (0:14): processing HASH payload. message ID = 824022300

1w1d: ISAKMP (0:14): processing SA payload. message ID = 824022300

1w1d: ISAKMP (0:14): Checking IPSec proposal 1

1w1d: ISAKMP: transform 1, ESP_DES

1w1d: ISAKMP: attributes in transform:

1w1d: ISAKMP: encaps is 1

1w1d: ISAKMP: SA life type in seconds

1w1d: ISAKMP: SA life duration (basic) of 28800

1w1d: ISAKMP: SA life type in kilobytes

1w1d: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

1w1d: ISAKMP: authenticator is HMAC-MD5

1w1d: IPSEC(validate_proposal): invalid local address A.B.C.D

1w1d: ISAKMP (0:14): atts not acceptable. Next payload is 0

1w1d: ISAKMP (0:14): phase 2 SA not acceptable!

1w1d: ISAKMP (0:14): sending packet to X.Y.Z.99 (R) QM_IDLE

1w1d: ISAKMP (0:14): purging node 797600222

1w1d: ISAKMP (0:14): deleting node 824022300 error FALSE reason "IKMP_NO_ERR_NO_TRANS"

1w1d: ISAKMP (0:14): received packet from X.Y.Z.99 (R) QM_IDLE

1w1d: ISAKMP (0:14): phase 2 packet is a duplicate of a previous packet.

1w1d: ISAKMP (0:14): retransmitting due to retransmit phase 2

1w1d: ISAKMP (0:14): ignoring retransmission,because phase2 node marked dead -271719268

1w1d: ISAKMP (0:14): received packet from X.Y.Z.99 (R) QM_IDLE

1w1d: ISAKMP (0:14): phase 2 packet is a duplicate of a previous packet.

1w1d: ISAKMP (0:14): retransmitting due to retransmit phase 2

1w1d: ISAKMP (0:14): ignoring retransmission,because phase2 node marked dead 824022300

1w1d: ISAKMP (0:14): received packet from X.Y.Z.99 (R) QM_IDLE

1w1d: ISAKMP (0:14): phase 2 packet is a duplicate of a previous packet.

1w1d: ISAKMP (0:14): retransmitting due to retransmit phase 2

1w1d: ISAKMP (0:14): ignoring retransmission,because phase2 node marked dead -271719268

1w1d: ISAKMP (0:13): purging node -1817931318

1w1d: ISAKMP (0:13): purging node -29250788

1w1d: ISAKMP (0:14): purging node 458308425

1w1d: ISAKMP (0:14): purging node -271719268

1w1d: ISAKMP (0:14): received packet from X.Y.Z.99 (R) QM_IDLE

1w1d: ISAKMP (0:14): phase 2 packet is a duplicate of a previous packet.

1w1d: ISAKMP (0:14): retransmitting due to retransmit phase 2

1w1d: ISAKMP (0:14): ignoring retransmission,because phase2 node marked dead 824022300

1w1d: ISAKMP (0:14): received packet from X.Y.Z.99 (R) QM_IDLE

1w1d: ISAKMP (0:14): processing HASH payload. message ID = -1448175660

1w1d: ISAKMP (0:14): processing SA payload. message ID = -1448175660

1w1d: ISAKMP (0:14): Checking IPSec proposal 1

1w1d: ISAKMP: transform 1, ESP_DES

1w1d: ISAKMP: attributes in transform:

1w1d: ISAKMP: encaps is 1

1w1d: ISAKMP: SA life type in seconds

1w1d: ISAKMP: SA life duration (basic) of 28800

1w1d: ISAKMP: SA life type in kilobytes

1w1d: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

1w1d: ISAKMP: authenticator is HMAC-MD5

1w1d: IPSEC(validate_proposal): invalid local address A.B.C.D

1w1d: ISAKMP (0:14): atts not acceptable. Next payload is 0

1w1d: ISAKMP (0:14): phase 2 SA not acceptable!

1w1d: ISAKMP (0:14): sending packet to X.Y.Z.99 (R) QM_IDLE

1w1d: ISAKMP (0:14): purging node 1878747710

1w1d: ISAKMP (0:14): deleting node -1448175660 error FALSE reason "IKMP_NO_ERR_NO_TRANS"

1w1d: ISAKMP (0:13): purging SA., sa=62830C18, delme=62830C18

1w1d: ISAKMP (0:14): received packet from X.Y.Z.99 (R) QM_IDLE

1w1d: ISAKMP (0:14): processing HASH payload. message ID = 102085731

1w1d: ISAKMP (0:14): processing DELETE payload. message ID = 102085731

1w1d: ISAKMP (0:14): peer does not do paranoid keepalives.

1w1d: ISAKMP (0:14): deleting SA reason "P1 delete notify (in)" state (R) QM_IDLE (peer X.Y.Z.99) input queue 0

1w1d: ISAKMP (0:14): deleting node 102085731 error FALSE reason "P1 delete notify (in)"

=====================================

Strange message:

1w1d: IPSEC(validate_proposal): invalid local address A.B.C.D

=========================================

PIX506E

=======

ISAKMP (0): retransmitting phase 2...IPSEC(key_engine): request timer fired: count = 2,

(identity) local= X.Y.Z.99, remote= A.B.C.D,

local_proxy= 172.0.0.0/255.0.0.0/0/0 (type=4),

remote_proxy= GalaktikaMinsk/255.255.0.0/0/0 (type=4)

ISAKMP (0): beginning Quick Mode exchange, M-ID of -1546992702:a3cac3c2IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0xb0aaec49(2963991625) for SA

from A.B.C.D to X.Y.Z.99 for prot 3

crypto_isakmp_process_block:src:A.B.C.D, dest:X.Y.Z.99 spt:500 dpt:500

ISAKMP (0): processing NOTIFY payload 14 protocol 0

spi 0, message ID = 2029493691IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with A.B.C.D

return status is IKMP_NO_ERR_NO_TRANS

ISAKMP (0): retransmitting phase 2...

pixfirewall# IPSEC(key_engine): request timer fired: count = 2,

(identity) local= X.Y.Z.99, remote= A.B.C.D,

local_proxy= 172.0.0.0/255.0.0.0/0/0 (type=4),

remote_proxy= GalaktikaMinsk/255.255.0.0/0/0 (type=4)

ISAKMP (0): beginning Main Mode exchange

crypto_isakmp_process_block:src:A.B.C.D, dest:X.Y.Z.99 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:A.B.C.D, dest:X.Y.Z.99 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): ID payload

next-payload : 8

type : 1

protocol : 17

port : 500

length : 8

ISAKMP (0): Total payload length: 12

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:A.B.C.D, dest:X.Y.Z.99 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of -1807665318:9441375aIPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x10985e20(278421024) for SA

from A.B.C.D to X.Y.Z.99 for prot 3

return status is IKMP_NO_ERROR

ISAKMP (0): sending INITIAL_CONTACT notify

ISAKMP (0): sending NOTIFY message 24578 protocol 1

VPN Peer: ISAKMP: Added new peer: ip:A.B.C.D/500 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:A.B.C.D/500 Ref cnt incremented to:1 Total VPN Peers:1

crypto_isakmp_process_block:src:A.B.C.D, dest:X.Y.Z.99 spt:500 dpt:500

ISAKMP (0): processing NOTIFY payload 14 protocol 0

spi 0, message ID = 3167843399IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with A.B.C.D

return status is IKMP_NO_ERR_NO_TRANS

ISAKMP (0): retransmitting phase 2...IPSEC(key_engine): request timer fired: count = 1,

========================

Where am I wrong?