I've been struggling for a while on this topic and am thus coming to ask questions here.
I'm trying to build P2P IPsec using certificates issued by OpenTrust PKI.
Basically, the 2 CPEs are part of an MPLS network that will use GETVPN, but for now I'm just trying to make RSA-SIG work between 2 devices (IOS routers).
I first used one of the 2 devices to act as a CA and it worked fine...
but it's not the same story using the OpenTrust CA.
I've managed to fetch certificates from it, but IPsec Phase 1 doesn't work for some reason...
===========================================================
Router B
crypto pki trustpoint OPENTRUST_PKI
serial-number
ip-address 192.168.16.188
revocation-check none
source interface Loopback0
auto-enroll 70
!
!
crypto pki certificate chain OPENTRUST_PKI
certificate 10
quit
certificate ca 01
quit
crypto isakmp policy 10
encr aes
group 2
!
!
crypto ipsec transform-set trans_COLT esp-aes esp-sha-hmac
!
crypto map TEST_CERT local-address Loopback0
crypto map TEST_CERT 10 ipsec-isakmp
set peer 192.168.16.187
set transform-set trans_COLT
match address 131
!
access-list 131 permit icmp host 10.107.57.1 host 10.107.150.1
access-list 131 permit ip host 10.107.57.1 host 10.107.150.1
interface Loopback0
description IfType[Management]
ip address 192.168.16.188 255.255.255.255
!
interface GigabitEthernet0/1
ip address 172.22.29.142 255.255.255.252
crypto map TEST_CERT
interface GigabitEthernet0/0
ip address 10.107.57.1 255.255.255.252
MIL044125#sh crypto key mypubkey all
% Key pair was generated at: 13:28:05 UTC Jan 30 2015
Key name: MIL044125.MIL.ipc.colt.net
Key type: RSA KEYS
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
% Key pair was generated at: 08:28:20 UTC Feb 4 2015
Key name: MIL044125.MIL.ipc.colt.net.server
Key type: RSA KEYS
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
MIL044125#sh crypto pki certificates verbose
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 10
Certificate Usage: General Purpose
Issuer:
cn=COLT Preproduction Network Devices CA
ou=2452736
o=COLT TECHNOLOGY SERVICES
c=GB
Subject:
Name: MIL044125.MIL.ipc.colt.net
cn=MIL044125.MIL.ipc.colt.net
o=Colt Technology Services
c=IT
Validity Date:
start date: 13:30:30 UTC Jan 30 2015
end date: 13:30:30 UTC Jan 30 2017
renew date: 06:18:30 UTC Jun 25 2016
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: 71E37C68 0BE06B19 2C7A0B12 F31351F6
Fingerprint SHA1: C9B976FA FB452910 73A8A869 7F504DE7 BF214DF4
X509v3 extensions:
X509v3 Key Usage: A0000000
Digital Signature
Key Encipherment
X509v3 Subject Key ID: 2243502B CF937222 1B36957E 59C89153 98177065
X509v3 Subject Alternative Name:
mil044125.mil.ipc.colt.net
X509v3 Authority Key ID: 3464B048 9B49E3AF 384F2B06 4D625E30 CE525ECA
Authority Info Access:
Associated Trustpoints: OPENTRUST_PKI
Key Label: MIL044125.MIL.ipc.colt.net
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 01
Certificate Usage: General Purpose
Issuer:
cn=SCEP Communication Authority
o=OpenTrust PKI
Subject:
cn=SCEP Communication Authority
o=OpenTrust PKI
Validity Date:
start date: 15:06:18 UTC May 28 2014
end date: 15:06:18 UTC May 25 2024
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA1 with RSA Encryption
Fingerprint MD5: 702C0F2F 043AE866 8178BD19 C81B295B
Fingerprint SHA1: 9AB93B18 FFDC5D3B 89CF1861 4F9634E0 CE39B8CA
X509v3 extensions:
X509v3 Subject Key ID: 59FD1BFE F4B31DA1 3EB98B4D 69E9FEE9 C5600A6A
X509v3 Basic Constraints:
CA: TRUE
X509v3 Authority Key ID: 59FD1BFE F4B31DA1 3EB98B4D 69E9FEE9 C5600A6A
Authority Info Access:
Associated Trustpoints: OPENTRUST_PKI
=======================================================
ping from B LAN to A LAN
MIL044125#ping 10.107.150.1 source 10.107.57.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.107.150.1, timeout is 2 seconds:
Packet sent with a source address of 10.107.57.1
result is NOK
=======================================================
Router A debug
Feb 4 08:27:39.780: ISAKMP (0): received packet from 192.168.16.188 dport 500 sport 500 Global (N) NEW SA
Feb 4 08:27:39.780: ISAKMP: Created a peer struct for 192.168.16.188, peer port 500
Feb 4 08:27:39.780: ISAKMP: New peer created peer = 0x65C1075C peer_handle = 0x80000006
Feb 4 08:27:39.780: ISAKMP: Locking peer struct 0x65C1075C, refcount 1 for crypto_isakmp_process_block
Feb 4 08:27:39.780: ISAKMP: local port 500, remote port 500
Feb 4 08:27:39.780: ISAKMP:(0):insert sa successfully sa = 662144D4
Feb 4 08:27:39.780: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Feb 4 08:27:39.780: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Feb 4 08:27:39.780: ISAKMP:(0): processing SA payload. message ID = 0
Feb 4 08:27:39.784: ISAKMP:(0): processing vendor id payload
Feb 4 08:27:39.784: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Feb 4 08:27:39.784: ISAKMP (0): vendor ID is NAT-T RFC 3947
Feb 4 08:27:39.784: ISAKMP:(0): processing vendor id payload
Feb 4 08:27:39.784: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Feb 4 08:27:39.784: ISAKMP (0): vendor ID is NAT-T v7
Feb 4 08:27:39.784: ISAKMP:(0): processing vendor id payload
Feb 4 08:27:39.784: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Feb 4 08:27:39.784: ISAKMP:(0): vendor ID is NAT-T v3
Feb 4 08:27:39.784: ISAKMP:(0): processing vendor id payload
Feb 4 08:27:39.784: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Feb 4 08:27:39.784: ISAKMP:(0): vendor ID is NAT-T v2
Feb 4 08:27:39.784: ISAKMP : Scanning profiles for xauth ...
Feb 4 08:27:39.784: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer 192.168.16.188)
Feb 4 08:27:39.784: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer 192.168.16.188)
Feb 4 08:27:39.784: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Feb 4 08:27:39.784: ISAKMP: encryption AES-CBC
Feb 4 08:27:39.784: ISAKMP: keylength of 128
Feb 4 08:27:39.784: ISAKMP: hash SHA
Feb 4 08:27:39.784: ISAKMP: default group 2
Feb 4 08:27:39.784: ISAKMP: auth RSA sig
Feb 4 08:27:39.784: ISAKMP: life type in seconds
Feb 4 08:27:39.784: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Feb 4 08:27:39.784: ISAKMP:(0):atts are acceptable. Next payload is 0
Feb 4 08:27:39.784: ISAKMP:(0):Acceptable atts:actual life: 0
Feb 4 08:27:39.784: ISAKMP:(0):Acceptable atts:life: 0
Feb 4 08:27:39.784: ISAKMP:(0):Fill atts in sa vpi_length:4
Feb 4 08:27:39.784: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Feb 4 08:27:39.784: ISAKMP:(0): IKE->PKI Start PKI Session state (R) MM_NO_STATE (peer 192.168.16.188)
Feb 4 08:27:39.788: ISAKMP:(0): PKI->IKE Started PKI Session state (R) MM_NO_STATE (peer 192.168.16.188)
Feb 4 08:27:39.788: ISAKMP:(0):Returning Actual lifetime: 86400
Feb 4 08:27:39.788: ISAKMP:(0)::Started lifetime timer: 86400.
Feb 4 08:27:39.788: ISAKMP:(0): processing vendor id payload
Feb 4 08:27:39.788: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Feb 4 08:27:39.788: ISAKMP (0): vendor ID is NAT-T RFC 3947
Feb 4 08:27:39.788: ISAKMP:(0): processing vendor id payload
Feb 4 08:27:39.788: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Feb 4 08:27:39.788: ISAKMP (0): vendor ID is NAT-T v7
Feb 4 08:27:39.788: ISAKMP:(0): processing vendor id payload
Feb 4 08:27:39.788: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Feb 4 08:27:39.788: ISAKMP:(0): vendor ID is NAT-T v3
Feb 4 08:27:39.788: ISAKMP:(0): processing vendor id payload
Feb 4 08:27:39.788: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Feb 4 08:27:39.788: ISAKMP:(0): vendor ID is NAT-T v2
Feb 4 08:27:39.788: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Feb 4 08:27:39.788: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Feb 4 08:27:39.792: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Feb 4 08:27:39.792: ISAKMP:(0): sending packet to 192.168.16.188 my_port 500 peer_port 500 (R) MM_SA_SETUP
Feb 4 08:27:39.792: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 4 08:27:39.792: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Feb 4 08:27:39.792: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
Feb 4 08:27:39.832: ISAKMP (0): received packet from 192.168.16.188 dport 500 sport 500 Global (R) MM_SA_SETUP
Feb 4 08:27:39.832: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Feb 4 08:27:39.832: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
Feb 4 08:27:39.836: ISAKMP:(0): processing KE payload. message ID = 0
Feb 4 08:27:39.868: ISAKMP:(0): processing NONCE payload. message ID = 0
Feb 4 08:27:39.892: ISAKMP:(2005): processing CERT_REQ payload. message ID = 0
Feb 4 08:27:39.892: ISAKMP:(2005): peer wants a CT_X509_SIGNATURE cert
Feb 4 08:27:39.892: ISAKMP:(2005): peer wants cert issued by cn=SCEP Communication Authority,o=OpenTrust PKI
Feb 4 08:27:39.892: ISAKMP:(2005): issuer name is not a trusted root.
Feb 4 08:27:39.896: ISAKMP:(2005): processing vendor id payload
Feb 4 08:27:39.896: ISAKMP:(2005): vendor ID is DPD
Feb 4 08:27:39.896: ISAKMP:(2005): processing vendor id payload
Feb 4 08:27:39.896: ISAKMP:(2005): speaking to another IOS box!
Feb 4 08:27:39.896: ISAKMP:(2005): processing vendor id payload
Feb 4 08:27:39.896: ISAKMP:(2005): vendor ID seems Unity/DPD but major 156 mismatch
Feb 4 08:27:39.896: ISAKMP:(2005): vendor ID is XAUTH
Feb 4 08:27:39.896: ISAKMP:received payload type 20
Feb 4 08:27:39.896: ISAKMP (2005): His hash no match - this node outside NAT
Feb 4 08:27:39.896: ISAKMP:received payload type 20
Feb 4 08:27:39.896: ISAKMP (2005): No NAT Found for self or peer
Feb 4 08:27:39.896: ISAKMP:(2005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Feb 4 08:27:39.896: ISAKMP:(2005):Old State = IKE_R_MM3 New State = IKE_R_MM3
Feb 4 08:27:39.896: ISAKMP:(2005): IKE->PKI Get configured TrustPoints state (R) MM_KEY_EXCH (peer 192.168.16.188)
Feb 4 08:27:39.896: ISAKMP:(2005): PKI->IKE Got configured TrustPoints state (R) MM_KEY_EXCH (peer 192.168.16.188)
Feb 4 08:27:39.900: ISAKMP:(2005): IKE->PKI Get IssuerNames state (R) MM_KEY_EXCH (peer 192.168.16.188)
Feb 4 08:27:39.900: ISAKMP:(2005): PKI->IKE Got IssuerNames state (R) MM_KEY_EXCH (peer 192.168.16.188)
Feb 4 08:27:39.900: ISAKMP (2005): constructing CERT_REQ for issuer cn=SCEP Communication Authority,o=OpenTrust PKI
Feb 4 08:27:39.900: ISAKMP:(2005): sending packet to 192.168.16.188 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Feb 4 08:27:39.900: ISAKMP:(2005):Sending an IKE IPv4 Packet.
Feb 4 08:27:39.900: ISAKMP:(2005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Feb 4 08:27:39.900: ISAKMP:(2005):Old State = IKE_R_MM3 New State = IKE_R_MM4
Feb 4 08:27:39.936: ISAKMP (2005): received packet from 192.168.16.188 dport 500 sport 500 Global (R) MM_KEY_EXCH
Feb 4 08:27:39.936: ISAKMP: set new node -641540175 to QM_IDLE
Feb 4 08:27:39.936: ISAKMP (2005): received packet from 192.168.16.188 dport 500 sport 500 Global (R) MM_KEY_EXCH
Feb 4 08:27:39.936: ISAKMP (2005): received packet from 192.168.16.188 dport 500 sport 500 Global (R) MM_KEY_EXCH
Feb 4 08:27:39.936: ISAKMP (2005): received packet from 192.168.16.188 dport 500 sport 500 Global (R) MM_KEY_EXCH
Feb 4 08:27:39.940: ISAKMP (2005): received packet from 192.168.16.188 dport 500 sport 500 Global (R) MM_KEY_EXCH
Feb 4 08:27:39.940: ISAKMP: Info Notify message requeue retry counter exceeded sa request from 192.168.16.188 to 192.168.16.187.
Feb 4 08:27:49.899: ISAKMP:(2005): retransmitting phase 1 MM_KEY_EXCH...
Feb 4 08:27:49.899: ISAKMP (2005): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Feb 4 08:27:49.899: ISAKMP:(2005): retransmitting phase 1 MM_KEY_EXCH
Feb 4 08:27:49.899: ISAKMP:(2005): sending packet to 192.168.16.188 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Feb 4 08:27:49.899: ISAKMP:(2005):Sending an IKE IPv4 Packet.
Feb 4 08:27:59.898: ISAKMP:(2005): retransmitting phase 1 MM_KEY_EXCH...
Feb 4 08:27:59.898: ISAKMP (2005): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Feb 4 08:27:59.898: ISAKMP:(2005): retransmitting phase 1 MM_KEY_EXCH
Feb 4 08:27:59.898: ISAKMP:(2005): sending packet to 192.168.16.188 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Feb 4 08:27:59.898: ISAKMP:(2005):Sending an IKE IPv4 Packet.
Feb 4 08:28:09.897: ISAKMP:(2005): retransmitting phase 1 MM_KEY_EXCH...
Feb 4 08:28:09.897: ISAKMP (2005): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Feb 4 08:28:09.897: ISAKMP:(2005): retransmitting phase 1 MM_KEY_EXCH
Feb 4 08:28:09.897: ISAKMP:(2005): sending packet to 192.168.16.188 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Feb 4 08:28:09.897: ISAKMP:(2005):Sending an IKE IPv4 Packet.
Feb 4 08:28:19.897: ISAKMP:(2005): retransmitting phase 1 MM_KEY_EXCH...
Feb 4 08:28:19.897: ISAKMP (2005): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Feb 4 08:28:19.897: ISAKMP:(2005): retransmitting phase 1 MM_KEY_EXCH
Feb 4 08:28:19.897: ISAKMP:(2005): sending packet to 192.168.16.188 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Feb 4 08:28:19.897: ISAKMP:(2005):Sending an IKE IPv4 Packet.
Feb 4 08:28:29.896: ISAKMP:(2005): retransmitting phase 1 MM_KEY_EXCH...
Feb 4 08:28:29.896: ISAKMP (2005): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Feb 4 08:28:29.896: ISAKMP:(2005): retransmitting phase 1 MM_KEY_EXCH
Feb 4 08:28:29.896: ISAKMP:(2005): sending packet to 192.168.16.188 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Feb 4 08:28:29.896: ISAKMP:(2005):Sending an IKE IPv4 Packet.
Feb 4 08:28:39.895: ISAKMP:(2005): retransmitting phase 1 MM_KEY_EXCH...
Feb 4 08:28:39.895: ISAKMP:(2005):peer does not do paranoid keepalives.
Feb 4 08:28:39.895: ISAKMP:(2005):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 192.168.16.188)
Feb 4 08:28:39.895: ISAKMP:(2005):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 192.168.16.188)
Feb 4 08:28:39.895: ISAKMP: Unlocking peer struct 0x65C1075C for isadb_mark_sa_deleted(), count 0
Feb 4 08:28:39.895: ISAKMP: Deleting peer node by peer_reap for 192.168.16.188: 65C1075C
Feb 4 08:28:39.895: ISAKMP:(2005):deleting node -641540175 error FALSE reason "IKE deleted"
Feb 4 08:28:39.895: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Feb 4 08:28:39.895: ISAKMP:(2005): IKE->PKI End PKI Session state (R) MM_NO_STATE (peer 192.168.16.188)
Feb 4 08:28:39.895: ISAKMP:(2005): PKI->IKE Ended PKI Session state (R) MM_NO_STATE (peer 192.168.16.188)
Feb 4 08:28:39.899: ISAKMP:(2005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Feb 4 08:28:39.899: ISAKMP:(2005):Old State = IKE_R_MM4 New State = IKE_DEST_SA
=======================================================
Router B LOG
Feb 4 08:27:39.770: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 192.168.16.188:500, remote= 192.168.16.187:500,
local_proxy= 10.107.57.1/255.255.255.255/1/0 (type=1),
remote_proxy= 10.107.150.1/255.255.255.255/1/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Feb 4 08:27:39.770: ISAKMP:(0): SA request profile is (NULL)
Feb 4 08:27:39.770: ISAKMP: Created a peer struct for 192.168.16.187, peer port 500
Feb 4 08:27:39.770: ISAKMP: New peer created peer = 0x135CB538 peer_handle = 0x80000006
Feb 4 08:27:39.770: ISAKMP: Locking peer struct 0x135CB538, refcount 1 for isakmp_initiator
Feb 4 08:27:39.770: ISAKMP: local port 500, remote port 500
Feb 4 08:27:39.770: ISAKMP: set new node 0 to QM_IDLE
Feb 4 08:27:39.770: ISAKMP:(0):insert sa successfully sa = 23DCDA0
Feb 4 08:27:39.770: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Feb 4 08:27:39.770: ISAKMP:(0):No pre-shared key with 192.168.16.187!
Feb 4 08:27:39.770: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 192.168.16.187)
Feb 4 08:27:39.770: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 192.168.16.187)
Feb 4 08:27:39.770: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Feb 4 08:27:39.770: ISAKMP:(0): constructed NAT-T vendor-07 ID
Feb 4 08:27:39.770: ISAKMP:(0): constructed NAT-T vendor-03 ID
Feb 4 08:27:39.770: ISAKMP:(0): constructed NAT-T vendor-02 ID
Feb 4 08:27:39.770: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Feb 4 08:27:39.770: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Feb 4 08:27:39.770: ISAKMP:(0): beginning Main Mode exchange
Feb 4 08:27:39.770: ISAKMP:(0): sending packet to 192.168.16.187 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 4 08:27:39.770: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 4 08:27:39.794: ISAKMP (0): received packet from 192.168.16.187 dport 500 sport 500 Global (I) MM_NO_STATE
Feb 4 08:27:39.794: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Feb 4 08:27:39.794: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Feb 4 08:27:39.794: ISAKMP:(0): processing SA payload. message ID = 0
Feb 4 08:27:39.794: ISAKMP:(0): processing vendor id payload
Feb 4 08:27:39.794: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Feb 4 08:27:39.794: ISAKMP (0): vendor ID is NAT-T RFC 3947
Feb 4 08:27:39.794: ISAKMP : Scanning profiles for xauth ...
Feb 4 08:27:39.794: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 192.168.16.187)
Feb 4 08:27:39.794: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 192.168.16.187)
Feb 4 08:27:39.794: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Feb 4 08:27:39.794: ISAKMP: encryption AES-CBC
Feb 4 08:27:39.794: ISAKMP: keylength of 128
Feb 4 08:27:39.794: ISAKMP: hash SHA
Feb 4 08:27:39.794: ISAKMP: default group 2
Feb 4 08:27:39.794: ISAKMP: auth RSA sig
Feb 4 08:27:39.794: ISAKMP: life type in seconds
Feb 4 08:27:39.794: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Feb 4 08:27:39.794: ISAKMP:(0):atts are acceptable. Next payload is 0
Feb 4 08:27:39.794: ISAKMP:(0):Acceptable atts:actual life: 0
Feb 4 08:27:39.794: ISAKMP:(0):Acceptable atts:life: 0
Feb 4 08:27:39.794: ISAKMP:(0):Fill atts in sa vpi_length:4
Feb 4 08:27:39.794: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Feb 4 08:27:39.794: ISAKMP:(0): IKE->PKI Start PKI Session state (I) MM_NO_STATE (peer 192.168.16.187)
Feb 4 08:27:39.794: ISAKMP:(0): PKI->IKE Started PKI Session state (I) MM_NO_STATE (peer 192.168.16.187)
Feb 4 08:27:39.794: ISAKMP:(0):Returning Actual lifetime: 86400
Feb 4 08:27:39.794: ISAKMP:(0)::Started lifetime timer: 86400.
Feb 4 08:27:39.794: ISAKMP:(0): processing vendor id payload
Feb 4 08:27:39.794: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Feb 4 08:27:39.794: ISAKMP (0): vendor ID is NAT-T RFC 3947
Feb 4 08:27:39.794: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Feb 4 08:27:39.794: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Feb 4 08:27:39.798: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_SA_SETUP (peer 192.168.16.187)
Feb 4 08:27:39.798: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_SA_SETUP (peer 192.168.16.187)
Feb 4 08:27:39.798: ISAKMP:(0): IKE->PKI Get IssuerNames state (I) MM_SA_SETUP (peer 192.168.16.187)
Feb 4 08:27:39.798: ISAKMP:(0): PKI->IKE Got IssuerNames state (I) MM_SA_SETUP (peer 192.168.16.187)
Feb 4 08:27:39.798: ISAKMP (0): constructing CERT_REQ for issuer cn=SCEP Communication Authority,o=OpenTrust PKI
Feb 4 08:27:39.798: ISAKMP:(0): sending packet to 192.168.16.187 my_port 500 peer_port 500 (I) MM_SA_SETUP
Feb 4 08:27:39.798: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 4 08:27:39.798: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Feb 4 08:27:39.798: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Feb 4 08:27:39.902: ISAKMP (0): received packet from 192.168.16.187 dport 500 sport 500 Global (I) MM_SA_SETUP
Feb 4 08:27:39.902: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Feb 4 08:27:39.902: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Feb 4 08:27:39.902: ISAKMP:(0): processing KE payload. message ID = 0
Feb 4 08:27:39.910: ISAKMP:(0): processing NONCE payload. message ID = 0
Feb 4 08:27:39.910: ISAKMP:(9005): processing CERT_REQ payload. message ID = 0
Feb 4 08:27:39.910: ISAKMP:(9005): peer wants a CT_X509_SIGNATURE cert
Feb 4 08:27:39.910: ISAKMP:(9005): peer wants cert issued by cn=SCEP Communication Authority,o=OpenTrust PKI
Feb 4 08:27:39.910: ISAKMP:(9005): issuer name is not a trusted root.
Feb 4 08:27:39.910: ISAKMP:(9005): processing vendor id payload
Feb 4 08:27:39.910: ISAKMP:(9005): vendor ID is Unity
Feb 4 08:27:39.910: ISAKMP:(9005): processing vendor id payload
Feb 4 08:27:39.910: ISAKMP:(9005): vendor ID is DPD
Feb 4 08:27:39.910: ISAKMP:(9005): processing vendor id payload
Feb 4 08:27:39.910: ISAKMP:(9005): speaking to another IOS box!
Feb 4 08:27:39.910: ISAKMP:received payload type 20
Feb 4 08:27:39.910: ISAKMP (9005): His hash no match - this node outside NAT
Feb 4 08:27:39.910: ISAKMP:received payload type 20
Feb 4 08:27:39.910: ISAKMP (9005): No NAT Found for self or peer
Feb 4 08:27:39.910: ISAKMP:(9005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Feb 4 08:27:39.910: ISAKMP:(9005):Old State = IKE_I_MM4 New State = IKE_I_MM4
Feb 4 08:27:39.910: ISAKMP:(9005):Send initial contact
Feb 4 08:27:39.910: ISAKMP:(9005): IKE->PKI Get self CertificateChain state (I) MM_KEY_EXCH (peer 192.168.16.187)
Feb 4 08:27:39.910: ISAKMP:(9005): PKI->IKE Got self CertificateChain state (I) MM_KEY_EXCH (peer 192.168.16.187)
Feb 4 08:27:39.910: ISAKMP:(9005):Unable to get router cert or routerdoes not have a cert: needed to find DN!
Feb 4 08:27:39.910: ISAKMP:(9005):SA is doing RSA signature authentication using id type ID_IPV4_ADDR
Feb 4 08:27:39.910: ISAKMP (9005): ID payload
next-payload : 6
type : 1
address : 192.168.16.188
protocol : 17
port : 500
length : 12
Feb 4 08:27:39.910: ISAKMP:(9005):Total payload length: 12
Feb 4 08:27:39.910: ISAKMP:(9005): no valid cert found to return
Feb 4 08:27:39.910: ISAKMP: set new node -641540175 to QM_IDLE
Feb 4 08:27:39.910: ISAKMP:(9005):Sending NOTIFY CERTIFICATE_UNAVAILABLE protocol 1
spi 0, message ID = 3653427121
Feb 4 08:27:39.910: ISAKMP:(9005): sending packet to 192.168.16.187 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Feb 4 08:27:39.910: ISAKMP:(9005):Sending an IKE IPv4 Packet.
Feb 4 08:27:39.910: ISAKMP:(9005):purging node -641540175
Feb 4 08:27:39.910: ISAKMP (9005): FSM action returned error: 2
Feb 4 08:27:39.910: ISAKMP:(9005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Feb 4 08:27:39.910: ISAKMP:(9005):Old State = IKE_I_MM4 New State = IKE_I_MM5
.....
Success rate is 0 percent (0/5)
MIL044125#
Feb 4 08:27:49.798: ISAKMP:(9005): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Feb 4 08:27:49.902: ISAKMP (9005): received packet from 192.168.16.187 dport 500 sport 500 Global (I) MM_KEY_EXCH
Feb 4 08:27:49.902: ISAKMP:(9005): phase 1 packet is a duplicate of a previous packet.
Feb 4 08:27:49.902: ISAKMP:(9005): retransmitting due to retransmit phase 1
Feb 4 08:27:49.902: ISAKMP:(9005): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Feb 4 08:27:59.902: ISAKMP (9005): received packet from 192.168.16.187 dport 500 sport 500 Global (I) MM_KEY_EXCH
Feb 4 08:27:59.902: ISAKMP:(9005): phase 1 packet is a duplicate of a previous packet.
Feb 4 08:27:59.902: ISAKMP:(9005): retransmitting due to retransmit phase 1
Feb 4 08:27:59.902: ISAKMP:(9005): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Feb 4 08:28:09.771: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 192.168.16.188:0, remote= 192.168.16.187:0,
local_proxy= 10.107.57.1/255.255.255.255/1/0 (type=1),
remote_proxy= 10.107.150.1/255.255.255.255/1/0 (type=1)
Feb 4 08:28:09.771: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 192.168.16.188:500, remote= 192.168.16.187:500,
local_proxy= 10.107.57.1/255.255.255.255/1/0 (type=1),
remote_proxy= 10.107.150.1/255.255.255.255/1/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Feb 4 08:28:09.771: ISAKMP: set new node 0 to QM_IDLE
Feb 4 08:28:09.771: ISAKMP:(9005):SA is still budding. Attached new ipsec request to it. (local 192.168.16.188, remote 192.168.16.187)
Feb 4 08:28:09.771: ISAKMP: Error while processing SA request: Failed to initialize SA
Feb 4 08:28:09.771: ISAKMP: Error while processing KMI message 0, error 2.
Feb 4 08:28:09.903: ISAKMP (9005): received packet from 192.168.16.187 dport 500 sport 500 Global (I) MM_KEY_EXCH
Feb 4 08:28:09.903: ISAKMP:(9005): phase 1 packet is a duplicate of a previous packet.
Feb 4 08:28:09.903: ISAKMP:(9005): retransmitting due to retransmit phase 1
Feb 4 08:28:09.903: ISAKMP:(9005): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Feb 4 08:28:17.483: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.16.188, prot=50, spi=0xBB960DFB(3147173371), srcaddr=192.168.16.111, input interface=GigabitEthernet0/1
Feb 4 08:28:17.487: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 192.168.16.188 dst 192.168.16.111 for SPI 0xBB960DFB
Feb 4 08:28:19.899: ISAKMP (9005): received packet from 192.168.16.187 dport 500 sport 500 Global (I) MM_KEY_EXCH
Feb 4 08:28:19.899: ISAKMP:(9005): phase 1 packet is a duplicate of a previous packet.
Feb 4 08:28:19.899: ISAKMP:(9005): retransmitting due to retransmit phase 1
Feb 4 08:28:19.899: ISAKMP:(9005): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Feb 4 08:28:29.899: ISAKMP (9005): received packet from 192.168.16.187 dport 500 sport 500 Global (I) MM_KEY_EXCH
Feb 4 08:28:29.899: ISAKMP:(9005): phase 1 packet is a duplicate of a previous packet.
Feb 4 08:28:29.899: ISAKMP:(9005): retransmitting due to retransmit phase 1
Feb 4 08:28:29.899: ISAKMP:(9005): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Feb 4 08:28:39.771: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 192.168.16.188:0, remote= 192.168.16.187:0,
local_proxy= 10.107.57.1/255.255.255.255/1/0 (type=1),
remote_proxy= 10.107.150.1/255.255.255.255/1/0 (type=1)
Feb 4 08:28:54.771: ISAKMP: quick mode timer expired.
Feb 4 08:28:54.771: ISAKMP:(9005):src 192.168.16.188 dst 192.168.16.187, SA is not authenticated
Feb 4 08:28:54.771: ISAKMP:(9005):peer does not do paranoid keepalives.
Feb 4 08:28:54.771: ISAKMP:(9005):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer 192.168.16.187)
Feb 4 08:28:54.771: ISAKMP:(9005):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer 192.168.16.187)
Feb 4 08:28:54.771: ISAKMP: Unlocking peer struct 0x135CB538 for isadb_mark_sa_deleted(), count 0
Feb 4 08:28:54.771: ISAKMP: Deleting peer node by peer_reap for 192.168.16.187: 135CB538
Feb 4 08:28:54.771: ISAKMP:(9005):deleting node -1009811735 error FALSE reason "IKE deleted"
Feb 4 08:28:54.771: ISAKMP:(9005):deleting node -585479332 error FALSE reason "IKE deleted"
Feb 4 08:28:54.771: ISAKMP:(9005): IKE->PKI End PKI Session state (I) MM_NO_STATE (peer 192.168.16.187)
Feb 4 08:28:54.771: ISAKMP:(9005): PKI->IKE Ended PKI Session state (I) MM_NO_STATE (peer 192.168.16.187)
Feb 4 08:28:54.771: ISAKMP:(9005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Feb 4 08:28:54.771: ISAKMP:(9005):Old State = IKE_I_MM5 New State = IKE_DEST_SA
================================================
So it looks like the issue is due to the OpenTrust certificates, but I can't say what... any ideas?
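One check worth running on the outputs above is whether the identity certificate actually chains to a CA certificate held in the same trustpoint (issuer DN equal to the CA's subject DN, Authority Key ID equal to the CA's Subject Key ID) and whether the issuer the peer names in its CERT_REQ is the issuer of the certificate we hold; on the page's own output the identity cert (serial 10) was issued by cn=COLT Preproduction Network Devices CA with AKI 3464B048…, while the only CA cert in OPENTRUST_PKI is the self-signed cn=SCEP Communication Authority with SKI 59FD1BFE…, which is the issuer both routers request and neither can present. The Python below is an added example, not code from the original post; the `show crypto pki certificates verbose` and ISAKMP debug excerpts embedded in it are constructed from the outputs above.

```python
import re

# Constructed excerpt of the page's "show crypto pki certificates verbose" output (RDNs and key IDs only).
SHOW_CERTS = """\
Certificate
Issuer:
cn=COLT Preproduction Network Devices CA
ou=2452736
o=COLT TECHNOLOGY SERVICES
c=GB
Subject:
Name: MIL044125.MIL.ipc.colt.net
cn=MIL044125.MIL.ipc.colt.net
o=Colt Technology Services
c=IT
X509v3 Subject Key ID: 2243502B CF937222 1B36957E 59C89153 98177065
X509v3 Authority Key ID: 3464B048 9B49E3AF 384F2B06 4D625E30 CE525ECA
CA Certificate
Issuer:
cn=SCEP Communication Authority
o=OpenTrust PKI
Subject:
cn=SCEP Communication Authority
o=OpenTrust PKI
X509v3 Subject Key ID: 59FD1BFE F4B31DA1 3EB98B4D 69E9FEE9 C5600A6A
X509v3 Authority Key ID: 59FD1BFE F4B31DA1 3EB98B4D 69E9FEE9 C5600A6A
"""

# Constructed excerpt of the Router B ISAKMP debug shown on the page.
DEBUG_LINES = [
    "ISAKMP:(9005): peer wants cert issued by cn=SCEP Communication Authority,o=OpenTrust PKI",
    "ISAKMP:(9005): issuer name is not a trusted root.",
    "ISAKMP:(9005):Sending NOTIFY CERTIFICATE_UNAVAILABLE protocol 1",
]

KEY_ID = re.compile(r"^X509v3 (Subject|Authority) Key ID:\s*([0-9A-Fa-f ]+)$")
RDN = re.compile(r"^[A-Za-z]+=.+$")  # one DN component per line, e.g. "cn=..."
CERT_REQ = re.compile(r"peer wants cert issued by (.+)$")

def parse_show_certs(text: str) -> list[dict]:
    """One dict per certificate block: kind, issuer/subject RDN lists, SKI and AKI."""
    certs: list[dict] = []
    section = None  # which DN block ("issuer"/"subject") the current line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Certificate", "CA Certificate"):
            certs.append({"kind": line, "issuer": [], "subject": [], "ski": None, "aki": None})
            section = None
            continue
        if not certs:
            continue
        cur = certs[-1]
        m = KEY_ID.match(line)
        if m:  # normalise key IDs so they compare byte-for-byte
            cur["ski" if m.group(1) == "Subject" else "aki"] = m.group(2).replace(" ", "").upper()
            section = None
        elif line == "Issuer:":
            section = "issuer"
        elif line == "Subject:":
            section = "subject"
        elif section and RDN.match(line):
            cur[section].append(line)
        elif not line.startswith("Name:"):  # "Name: <key label>" sits inside Subject; anything else ends the block
            section = None
    return certs

def dn(rdns: list[str]) -> str:
    return ",".join(rdns)  # same comma-joined form the ISAKMP debug prints

def check_chain(certs: list[dict]) -> list[str]:
    """Findings for identity certs whose issuer is not a CA cert held in the trustpoint."""
    findings = []
    cas = [c for c in certs if c["kind"] == "CA Certificate"]
    for ident in (c for c in certs if c["kind"] == "Certificate"):
        linked = [ca for ca in cas
                  if ca["ski"] == ident["aki"] and dn(ca["subject"]) == dn(ident["issuer"])]
        if not linked:
            present = "; ".join(f"'{dn(ca['subject'])}' (SKI {ca['ski']})" for ca in cas)
            findings.append(f"identity cert issued by '{dn(ident['issuer'])}' (AKI {ident['aki']}) "
                            f"has no matching CA cert in the trustpoint; CA cert(s) present: {present}")
    return findings

def check_debug(lines: list[str], certs: list[dict]) -> list[str]:
    """Findings where the issuer named in the peer's CERT_REQ is not our identity cert's issuer."""
    findings = []
    our_issuers = {dn(c["issuer"]) for c in certs if c["kind"] == "Certificate"}
    for line in lines:
        m = CERT_REQ.search(line)
        if m and m.group(1) not in our_issuers:
            findings.append(f"peer asks for a cert issued by '{m.group(1)}'; ours: {sorted(our_issuers)}")
        elif "CERTIFICATE_UNAVAILABLE" in line:
            findings.append("we answered the CERT_REQ with CERTIFICATE_UNAVAILABLE (nothing to present)")
    return findings

if __name__ == "__main__":
    parsed = parse_show_certs(SHOW_CERTS)
    for finding in check_chain(parsed) + check_debug(DEBUG_LINES, parsed):
        print("FINDING:", finding)
```

Run as a script it prints one finding per mismatch; a full `show crypto pki certificates verbose` pasted from another router parses the same way as long as the field names are unchanged.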