12-13-2004 05:24 PM
The lab is set up with Central and Remote enrolling with CA. Both successfully obtained their respective digital cert from the CA. However, both failed during the IKE negotiation. The debug is as below:
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 192.168.1.21 failed its sanity check or is malformed
03:26:09: ISAKMP (0:1): sending packet to 192.168.1.21 my_port 500 peer_port 500 (I) MM_KEY_EXCH
03:26:09: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
03:26:09: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_I_MM5
03:26:10: ISAKMP (0:1): received packet from 192.168.1.21 dport 500 sport 500 Global (I) MM_KEY_EXCH
03:26:10: ISAKMP (0:1): Notify has no hash. Rejected.
03:26:10: ISAKMP (0:1): Unknown Input: state = IKE_I_MM5, major, minor = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
03:26:10: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 192.168.1.21
The Central has int s0/0 as the dirty interface with IP 192.168.1.21, while the Remote int s0/0 connected to the Central is 192.168.1.25.
Thanks in advance.
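The debug output above can be read mechanically: the IOS ISAKMP state machine names the main-mode stage (MM5, MM6) on every transition, and the syslog mnemonics (IKMP_BAD_MESSAGE, IKMP_MODE_FAILURE) mark where it broke. The following is an added example, not code from the original post or from Cisco: a small Python parser that runs over the debug lines exactly as posted in the thread and reports what they show (the sanity-check failure, the MM6 to MM5 regression, the dropped unauthenticated Notify, the failed Informational exchange), so the same check can be repeated on a fresh debug capture. The state-regression rule (new main-mode number lower than the old one) and the wording of the findings are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Debug lines copied from the post above (Cisco IOS "debug crypto isakmp" output).
SAMPLE_DEBUG = """\
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 192.168.1.21 failed its sanity check or is malformed
03:26:09: ISAKMP (0:1): sending packet to 192.168.1.21 my_port 500 peer_port 500 (I) MM_KEY_EXCH
03:26:09: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
03:26:09: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_I_MM5
03:26:10: ISAKMP (0:1): received packet from 192.168.1.21 dport 500 sport 500 Global (I) MM_KEY_EXCH
03:26:10: ISAKMP (0:1): Notify has no hash. Rejected.
03:26:10: ISAKMP (0:1): Unknown Input: state = IKE_I_MM5, major, minor = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
03:26:10: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 192.168.1.21
"""

# Main-mode state transition as IOS prints it; role is I (initiator) or R (responder).
STATE_RE = re.compile(
    r"Old State = IKE_(?P<role>[IR])_MM(?P<old>\d) New State = IKE_(?P=role)_MM(?P<new>\d)"
)
PEER_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class IkeDiagnosis:
    """Facts extracted from one ISAKMP debug capture."""
    peers: Set[str] = field(default_factory=set)
    bad_message: bool = False            # %CRYPTO-4-IKMP_BAD_MESSAGE seen
    process_error: bool = False          # IKE_PROCESS_ERROR fed into the state machine
    regressions: List[Tuple[str, str]] = field(default_factory=list)  # (old, new) where new < old
    notify_without_hash: bool = False    # peer Notify dropped for lacking a HASH payload
    informational_failure: bool = False  # %CRYPTO-6-IKMP_MODE_FAILURE (Informational) seen


def diagnose_isakmp(debug_text: str) -> IkeDiagnosis:
    """Scan debug lines and collect the failure indicators they carry."""
    d = IkeDiagnosis()
    for line in debug_text.splitlines():
        d.peers.update(PEER_RE.findall(line))
        if "IKMP_BAD_MESSAGE" in line:
            d.bad_message = True
        if "IKE_PROCESS_ERROR" in line:
            d.process_error = True
        m = STATE_RE.search(line)
        if m and int(m.group("new")) < int(m.group("old")):
            d.regressions.append(("MM" + m.group("old"), "MM" + m.group("new")))
        if "Notify has no hash" in line:
            d.notify_without_hash = True
        if "IKMP_MODE_FAILURE" in line and "Informational" in line:
            d.informational_failure = True
    return d


def findings(d: IkeDiagnosis) -> List[str]:
    """Turn the collected indicators into plain-language findings (this example's wording)."""
    out = []
    if d.bad_message:
        out.append("an IKE message from the peer failed the sanity check: a phase 1 payload was rejected")
    for old, new in d.regressions:
        out.append(f"main mode regressed from {old} to {new}: the last received main-mode "
                   f"message could not be processed, so phase 1 authentication did not complete")
    if d.notify_without_hash:
        out.append("the peer's Notify carried no HASH payload and was dropped: with no ISAKMP SA "
                   "in place the error notification is unauthenticated and is ignored")
    if d.informational_failure:
        out.append("the Informational exchange failed: the peer's error report never reached "
                   "the state machine, so look at the peer's own debug for the reason")
    return out


if __name__ == "__main__":
    diag = diagnose_isakmp(SAMPLE_DEBUG)
    print("peers:", sorted(diag.peers))
    for f in findings(diag):
        print("-", f)
```

Running it on the posted capture reports peer 192.168.1.21 and four findings; the interesting one for this thread is that the regression happens at MM6, the point at which the initiator processes the responder's identity and signature, which is where a certificate that the other side cannot validate (wrong time window, untrusted issuer, mismatched identity) shows up.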
12-14-2004 07:36 AM
Hello,
Did you check the time settings? The certificates contain information about the first and the last point of time where they are valid. In case the VPN endpoints' local times are not within that time frame, the certificates are rejected.
Please let me know if that resolves your issue.
Best regards,
Bernd
12-15-2004 12:48 AM
Hi,
Yes, I've checked the time settings and ensured that both sides are configured for the same time frame. It may, however, differ by maybe a few seconds. But overall the certificates are valid. By the way, both routers got their certificates from the same CA.
Thanks in advance!