Unable to establish vpn session using aggressive mode

help needed

R1:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2 
crypto isakmp key cisco123 address 10.1.12.2
!        
crypto isakmp peer address 10.1.12.2
set aggressive-mode password aggressive123
set aggressive-mode client-endpoint ipv4-address 10.1.12.2
!        
!        
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!        
crypto map map1 10 ipsec-isakmp
set peer 10.1.12.2
set transform-set myset
match address my-vpn
!        
!        
ip access-list extended my-vpn
permit ip host 1.1.1.1 host 2.2.2.2

R2:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2 
crypto isakmp key cisco123 address 10.1.12.1
!        
crypto isakmp peer address 10.1.12.1
set aggressive-mode password aggressive123
set aggressive-mode client-endpoint ipv4-address 10.1.12.1
!        
!        
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!        
crypto map map1 10 ipsec-isakmp
set peer 10.1.12.1
set transform-set myset
match address my-vpn
!        
ip access-list extended my-vpn
permit ip host 2.2.2.2 host 1.1.1.1

debug R1:
R1#ping 2.2.2.2 sou 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1

*Mar  1 02:25:01.099: ISAKMP:(0): SA request profile is (NULL)
*Mar  1 02:25:01.099: ISAKMP: Created a peer struct for 10.1.12.2, peer port 500
*Mar  1 02:25:01.099: ISAKMP: New peer created peer = 0x6650D558 peer_handle = 0x8000000C
*Mar  1 02:25:01.099: ISAKMP: Locking peer struct 0x6650D558, refcount 1 for isakmp_initiator
*Mar  1 02:25:01.103: ISAKMP: local port 500, remote port 500
*Mar  1 02:25:01.103: ISAKMP: set new node 0 to QM_IDLE     
*Mar  1 02:25:01.103: insert sa successfully sa = 65F64520
*Mar  1 02:25:01.103: ISAKMP:(0):SA has tunnel attributes set.
*Mar  1 02:25:01.107: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar  1 02:25:01.107: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar  1 02:25:01.107: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar  1 02:25:01.115: ISAKMP:(0):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  1 02:25:01.115: ISAKMP (0:0): ID payload
next-payload : 13
type         : 1
address      : 10.1.12.2
protocol     : 17
port         : 0
length       : 12
*Mar  1 02:25:01.115: ISAKMP:(0):Total payload length: 12
*Mar  1 02:25:01.119: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
*Mar  1 02:25:01.119: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_AM1

*Mar  1 02:25:01.123: ISAKMP:(0): beginning Aggressive Mode exchange
*Mar  1 02:25:01.123: ISAKMP:(0): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar  1 02:25:01.387: ISAKMP (0:0): received packet from 10.1.12.2 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Mar  1 02:25:01.391: ISAKMP:(0): processing SA payload. message ID = 0
*Mar  1 02:25:01.391: ISAKMP:(0): processing ID payload. message ID = 0
*Mar  1 02:25:01.391: ISAKMP (0:0): ID payload
next-payload : 10
type         : 1
address      : 10.1.12.2
protocol     : 17
port         : 0
length       : 12
*Mar  1 02:25:01.395: ISAKMP:(0):: peer matches *none* of the profiles
*Mar  1 02:25:01.395: ISAKMP:(0):. processing vendor id payload
*Mar  1 02:25:01.395: ISAKMP:(0): vendor ID is Unity
*Mar  1 02:25:01.395: ISAKMP:(0): processing vendor id payload
*Mar  1 02:25:01.395: ISAKMP:(0): vendor ID is DPD
*Mar  1 02:25:01.399: ISAKMP:(0): processing vendor id payload
*Mar  1 02:25:01.399: ISAKMP:(0): speaking to another IOS box!
*Mar  1 02:25:01.399: ISAKMP:(0):SA using tunnel password as pre-shared key.
*Mar  1 02:25:01.403: ISAKMP:(0): local preshared key found
*Mar  1 02:25:01.403: ISAKMP : Scanning profiles for xauth ...
*Mar  1 02:25:01.403: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Mar  1 02:25:01.403: ISAKMP:      encryption 3DES-CBC
*Mar  1 02:25:01.403: ISAKMP:      hash MD5
*Mar  1 02:25:01.403: ISAKMP:      default group 2
*Mar  1 02:25:01.407: ISAKMP:      auth pre-share
*Mar  1 02:25:01.407: ISAKMP:      life type in seconds
*Mar  1 02:25:01.407: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  1 02:25:01.407: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar  1 02:25:01.411: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar  1 02:25:01.411: ISAKMP:(0): processing KE payload. message ID = 0
*Mar  1 02:25:01.495: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar  1 02:25:01.495: ISAKMP:(0):SA using tunnel password as pre-shared key.
*Mar  1 02:25:01.499: ISAKMP:(1003): processing HASH payload. message ID = 0
*Mar  1 02:25:01.503: ISAKMP:(1003): Hash payload is incorrect!
*Mar  1 02:25:01.503: ISAKMP (0:1003): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_I_AM1
*Mar  1 02:25:01.503: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Mar  1 02:25:01.503: ISAKMP:(1003):Old State = IKE_I_AM1  New State = IKE_I_AM1

*Mar  1 02:25:01.507: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 10.1.12.2....
Success rate is 0 percent (0/5)
R1#
*Mar  1 02:25:11.399: ISAKMP (0:1003): received packet from 10.1.12.2 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Mar  1 02:25:11.399: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 10.1.12.2 was not encrypted and it should've been.
R1#
*Mar  1 02:25:11.403: ISAKMP (0:1003): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
*Mar  1 02:25:12.403: ISAKMP:(1003): retransmitting phase 1 AG_INIT_EXCH...
*Mar  1 02:25:12.403: ISAKMP (0:1003): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar  1 02:25:12.403: ISAKMP:(1003): retransmitting phase 1 AG_INIT_EXCH
*Mar  1 02:25:12.403: ISAKMP:(1003): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH
R1#
*Mar  1 02:25:12.987: ISAKMP (0:1003): received packet from 10.1.12.2 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Mar  1 02:25:12.987: ISAKMP:(1003): phase 1 packet is a duplicate of a previous packet.
*Mar  1 02:25:12.991: ISAKMP:(1003): retransmission skipped for phase 1 (time since last transmission 588)
R1#
*Mar  1 02:25:22.995: ISAKMP:(1003): retransmitting phase 1 AG_INIT_EXCH...
*Mar  1 02:25:22.995: ISAKMP (0:1003): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar  1 02:25:22.995: ISAKMP:(1003): retransmitting phase 1 AG_INIT_EXCH
*Mar  1 02:25:22.999: ISAKMP:(1003): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar  1 02:25:22.999: ISAKMP (0:1003): received packet from 10.1.12.2 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Mar  1 02:25:23.003: ISAKMP:(1003): phase 1 packet is a duplicate of a previous packet.
*Mar  1 02:25:23.003: ISAKMP:(1003): retransmission skipped for phase 1 (time since last transmission 4)
R1#
*Mar  1 02:25:31.095: ISAKMP: set new node 0 to QM_IDLE     
*Mar  1 02:25:31.099: ISAKMP:(1003):SA is still budding. Attached new ipsec request to it. (local 10.1.12.1, remote 10.1.12.2)
*Mar  1 02:25:31.099: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar  1 02:25:31.099: ISAKMP: Error while processing KMI message 0, error 2.
R1#
*Mar  1 02:25:33.003: ISAKMP:(1003): retransmitting phase 1 AG_INIT_EXCH...
*Mar  1 02:25:33.003: ISAKMP (0:1003): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar  1 02:25:33.003: ISAKMP:(1003): retransmitting phase 1 AG_INIT_EXCH
*Mar  1 02:25:33.007: ISAKMP:(1003): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar  1 02:25:33.579: ISAKMP (0:1003): received packet from 10.1.12.2 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Mar  1 02:25:33.579: ISAKMP:(1003): phase 1 packet is a duplicate of a previous packet.
*Mar  1 02:25:33.583: ISAKMP:(1003): retransmission skipped for phase 1 (time since last transmission 576)
R1#
*Mar  1 02:25:43.583: ISAKMP:(1003): retransmitting phase 1 AG_INIT_EXCH...
*Mar  1 02:25:43.583: ISAKMP (0:1003): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar  1 02:25:43.587: ISAKMP:(1003): retransmitting phase 1 AG_INIT_EXCH
*Mar  1 02:25:43.587: ISAKMP:(1003): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar  1 02:25:43.595: ISAKMP (0:1003): received packet from 10.1.12.2 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Mar  1 02:25:43.595: ISAKMP:(1003): phase 1 packet is a duplicate of a previous packet.
*Mar  1 02:25:43.595: ISAKMP:(1003): retransmission skipped for phase 1 (time since last transmission 8)
R1#
*Mar  1 02:25:53.599: ISAKMP:(1003): retransmitting phase 1 AG_INIT_EXCH...
*Mar  1 02:25:53.599: ISAKMP:(1003):peer does not do paranoid keepalives.

*Mar  1 02:25:53.599: ISAKMP:(1003):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 10.1.12.2)
*Mar  1 02:25:53.607: ISAKMP:(1003):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 10.1.12.2)
*Mar  1 02:25:53.607: ISAKMP: Unlocking peer struct 0x6650D558 for isadb_mark_sa_deleted(), count 0
*Mar  1 02:25:53.607: ISAKMP: Deleting peer node by peer_reap for 10.1.12.2: 6650D558
*Mar  1 02:25:53.611: ISAKMP:(1003):deleting node -961419262 error FALSE reason "IKE deleted"
R1#
*Mar  1 02:25:53.611: ISAKMP:(1003):deleting node -2019420945 error FALSE reason "IKE deleted"
*Mar  1 02:25:53.615: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 02:25:53.615: ISAKMP:(1003):Old State = IKE_I_AM1  New State = IKE_DEST_SA

--------------------------------------
R2:

Mar  1 02:35:12.459: ISAKMP (0:0): received packet from 10.1.12.1 dport 500 sport 500 Global (N) NEW SA
*Mar  1 02:35:12.463: ISAKMP: Created a peer struct for 10.1.12.1, peer port 500
*Mar  1 02:35:12.463: ISAKMP: New peer created peer = 0x65F07414 peer_handle = 0x8000000E
*Mar  1 02:35:12.463: ISAKMP: Locking peer struct 0x65F07414, refcount 1 for crypto_isakmp_process_block
*Mar  1 02:35:12.463: ISAKMP: local port 500, remote port 500
*Mar  1 02:35:12.467: insert sa successfully sa = 659DE390
*Mar  1 02:35:12.467: ISAKMP:(0): processing SA payload. message ID = 0
*Mar  1 02:35:12.467: ISAKMP:(0): processing ID payload. message ID = 0
*Mar  1 02:35:12.471: ISAKMP (0:0): ID payload
next-payload : 13
type         : 1
address      : 10.1.12.2
protocol     : 17
port         : 0
length       : 12
*Mar  1 02:35:12.471: ISAKMP:(0):: peer matches *none* of the profiles
*Mar  1 02:35:12.471: ISAKMP:(0): processing vendor id payload
*Mar  1 02:35:12.475: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
R2(config-if)#
*Mar  1 02:35:12.475: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar  1 02:35:12.475: ISAKMP:(0): processing vendor id payload
*Mar  1 02:35:12.475: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar  1 02:35:12.475: ISAKMP:(0): vendor ID is NAT-T v3
*Mar  1 02:35:12.479: ISAKMP:(0): processing vendor id payload
*Mar  1 02:35:12.479: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 02:35:12.479: ISAKMP:(0): vendor ID is NAT-T v2
*Mar  1 02:35:12.479: ISAKMP: no pre-shared key based on address 10.1.12.2!
*Mar  1 02:35:12.483: ISAKMP:(0):found peer pre-shared key matching 10.1.12.1
*Mar  1 02:35:12.483: ISAKMP:(0): local preshared key found
*Mar  1 02:35:12.483: ISAKMP : Scanning profiles for xauth ...
*Mar  1 02:35:12.483: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Mar  1 02:35:12.483: ISAKMP:      encryption 3DES-CBC
*Mar  1 02:35:12.487: ISAKMP:      hash MD5
*Mar  1 02:35:12.487: ISAKMP:      default group 2
R2(config-if)#
*Mar  1 02:35:12.487: ISAKMP:      auth pre-share
*Mar  1 02:35:12.487: ISAKMP:      life type in seconds
*Mar  1 02:35:12.487: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  1 02:35:12.491: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar  1 02:35:12.491: ISAKMP:(0): processing vendor id payload
*Mar  1 02:35:12.491: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 02:35:12.491: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar  1 02:35:12.495: ISAKMP:(0): processing vendor id payload
*Mar  1 02:35:12.495: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar  1 02:35:12.495: ISAKMP:(0): vendor ID is NAT-T v3
*Mar  1 02:35:12.495: ISAKMP:(0): processing vendor id payload
*Mar  1 02:35:12.499: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 02:35:12.499: ISAKMP:(0): vendor ID is NAT-T v2
*Mar  1 02:35:12.499: ISAKMP:(0): processing KE payload. message ID = 0
*Mar  1 02:35:12.587: ISAKMP:(0): processing NONCE payload. message ID = 0
R2(config-if)#
*Mar  1 02:35:12.591: ISAKMP: no pre-shared key based on address 10.1.12.2!
*Mar  1 02:35:12.591: ISAKMP:(0):found peer pre-shared key matching 10.1.12.1
*Mar  1 02:35:12.595: ISAKMP:(1004): processing vendor id payload
*Mar  1 02:35:12.595: ISAKMP:(1004): vendor ID is DPD
*Mar  1 02:35:12.595: ISAKMP:(1004): processing vendor id payload
*Mar  1 02:35:12.599: ISAKMP:(1004): vendor ID seems Unity/DPD but major 242 mismatch
*Mar  1 02:35:12.599: ISAKMP:(1004): vendor ID is XAUTH
*Mar  1 02:35:12.599: ISAKMP:(1004): processing vendor id payload
*Mar  1 02:35:12.599: ISAKMP:(1004): vendor ID is Unity
*Mar  1 02:35:12.603: ISAKMP:(1004): constructed NAT-T vendor-07 ID
*Mar  1 02:35:12.603: ISAKMP:(1004):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  1 02:35:12.607: ISAKMP (0:1004): ID payload
next-payload : 10
type         : 1
address      : 10.1.12.2
protocol     : 17
R2(config-if)#
port         : 0
length       : 12
*Mar  1 02:35:12.607: ISAKMP:(1004):Total payload length: 12
*Mar  1 02:35:12.611: ISAKMP:(1004): sending packet to 10.1.12.1 my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Mar  1 02:35:12.611: ISAKMP:(1004):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Mar  1 02:35:12.615: ISAKMP:(1004):Old State = IKE_READY  New State = IKE_R_AM2

R2(config-if)#
*Mar  1 02:35:22.611: ISAKMP:(1004): retransmitting phase 1 AG_INIT_EXCH...
*Mar  1 02:35:22.611: ISAKMP (0:1004): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar  1 02:35:22.611: ISAKMP:(1004): retransmitting phase 1 AG_INIT_EXCH
*Mar  1 02:35:22.615: ISAKMP:(1004): sending packet to 10.1.12.1 my_port 500 peer_port 500 (R) AG_INIT_EXCH
R2(config-if)#
*Mar  1 02:35:23.695: ISAKMP (0:1004): received packet from 10.1.12.1 dport 500 sport 500 Global (R) AG_INIT_EXCH
*Mar  1 02:35:23.699: ISAKMP:(1004): phase 1 packet is a duplicate of a previous packet.
*Mar  1 02:35:23.699: ISAKMP:(1004): retransmitting due to retransmit phase 1
*Mar  1 02:35:24.199: ISAKMP:(1004): retransmitting phase 1 AG_INIT_EXCH...
*Mar  1 02:35:24.199: ISAKMP (0:1004): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar  1 02:35:24.199: ISAKMP:(1004): retransmitting phase 1 AG_INIT_EXCH
*Mar  1 02:35:24.199: ISAKMP:(1004): sending packet to 10.1.12.1 my_port 500 peer_port 500 (R) AG_INIT_EXCH

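The two debugs above contain the markers a practitioner looks for when an aggressive-mode exchange fails: R1 reports "Hash payload is incorrect!" and is then torn down by retransmission, while R2 answers from state IKE_R_AM2 and keeps retransmitting because it never hears back. The following added example (not code from the original post or from Cisco) scans such output, extracts the state transitions and the diagnostic lines, and turns them into a per-side verdict plus one finding that needs both sides. The sample lines are copied from the R1 and R2 output in the question; the regular expressions are assumptions about the IOS line format based only on those lines.

```python
"""Triage of Cisco IOS 'debug crypto isakmp' output for an IKEv1 aggressive-mode
attempt.  Added example for this thread, not code from the original post or from
Cisco; sample lines are copied from the R1/R2 debugs, regexes are assumptions."""
import re
from dataclasses import dataclass, field

# Debug lines that usually explain a phase 1 failure, mapped to a reason code.
# Where a pattern has a capture group, the captured text becomes the detail.
DIAGNOSTICS = [
    (r"Hash payload is incorrect", "hash_mismatch"),
    (r"no pre-shared key based on address (\S+)!", "no_psk_for_id"),
    (r"found peer pre-shared key matching (\S+)", "psk_fallback"),
    (r"SA using tunnel password as pre-shared key", "tunnel_password_used"),
    (r'deleting SA reason "([^"]+)"', "sa_deleted"),
    (r"IKMP_MODE_FAILURE.*peer at (\d+(?:\.\d+){3})", "mode_failure"),
    (r"IKMP_NOT_ENCRYPTED: IKE packet from (\S+)", "unencrypted_packet"),
]
DIAG_RES = [(re.compile(p), code) for p, code in DIAGNOSTICS]
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
ATTEMPT_RE = re.compile(r"attempt (\d+) of (\d+)")
ROLE_RE = re.compile(r"\((I|R)\) AG_INIT_EXCH")      # (I)/(R) = initiator/responder


@dataclass
class IkeTriage:
    role: str = "unknown"                            # "initiator" or "responder"
    states: list = field(default_factory=list)       # (old, new) transitions, in order
    diagnostics: list = field(default_factory=list)  # (reason_code, detail)
    max_attempt: int = 0                             # highest retransmit attempt seen
    retransmit_limit: int = 0                        # the N in "attempt i of N"


def triage(debug_text):
    """Scan one router's debug output for state changes and failure markers."""
    t = IkeTriage()
    for line in debug_text.splitlines():
        if m := STATE_RE.search(line):
            t.states.append((m.group(1), m.group(2)))
        if m := ATTEMPT_RE.search(line):
            t.max_attempt = max(t.max_attempt, int(m.group(1)))
            t.retransmit_limit = int(m.group(2))
        if t.role == "unknown" and (m := ROLE_RE.search(line)):
            t.role = "initiator" if m.group(1) == "I" else "responder"
        for rx, code in DIAG_RES:
            if m := rx.search(line):
                t.diagnostics.append((code, m.group(1) if m.groups() else ""))
    return t


def verdict(t):
    """Reduce one side's findings to a (reason, explanation) pair."""
    codes = {c for c, _ in t.diagnostics}
    final = t.states[-1][1] if t.states else ""
    if "hash_mismatch" in codes:
        return ("phase1_psk_mismatch",
                "the peer's HASH payload did not verify; with pre-shared-key "
                "authentication the two sides derived SKEYID from different secrets")
    if "sa_deleted" in codes and t.retransmit_limit and t.max_attempt >= t.retransmit_limit:
        return ("phase1_timeout", "retransmit limit reached and the SA was torn down")
    if final.startswith("IKE_R_") and t.max_attempt > 0:
        return ("responder_unanswered",
                "answered as responder and is retransmitting: the initiator rejected "
                "or never received the reply, so read the initiator's debug")
    return ("inconclusive", "no failure marker on this side; compare the peer's debug")


def cross_check(initiator, responder):
    """Findings that need both outputs (assumes both debugs cover the same attempt)."""
    findings = []
    i_codes = {c for c, _ in initiator.diagnostics}
    fallbacks = [d for c, d in responder.diagnostics if c == "psk_fallback"]
    if "tunnel_password_used" in i_codes and fallbacks:
        findings.append(
            "initiator used its aggressive-mode tunnel password as the pre-shared key "
            f"while the responder used the crypto isakmp key it holds for {fallbacks[0]}; "
            "the two secrets must be identical")
    return findings


# Sample input: lines copied from the R1 (initiator) and R2 (responder) debugs above.
R1_DEBUG = """\
*Mar  1 02:25:01.119: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_AM1
*Mar  1 02:25:01.123: ISAKMP:(0): sending packet to 10.1.12.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar  1 02:25:01.399: ISAKMP:(0):SA using tunnel password as pre-shared key.
*Mar  1 02:25:01.503: ISAKMP:(1003): Hash payload is incorrect!
*Mar  1 02:25:01.507: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 10.1.12.2....
*Mar  1 02:25:11.403: ISAKMP (0:1003): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
*Mar  1 02:25:43.583: ISAKMP (0:1003): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar  1 02:25:53.599: ISAKMP:(1003):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 10.1.12.2)
*Mar  1 02:25:53.615: ISAKMP:(1003):Old State = IKE_I_AM1  New State = IKE_DEST_SA
"""
R2_DEBUG = """\
*Mar  1 02:35:12.479: ISAKMP: no pre-shared key based on address 10.1.12.2!
*Mar  1 02:35:12.483: ISAKMP:(0):found peer pre-shared key matching 10.1.12.1
*Mar  1 02:35:12.611: ISAKMP:(1004): sending packet to 10.1.12.1 my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Mar  1 02:35:12.615: ISAKMP:(1004):Old State = IKE_READY  New State = IKE_R_AM2
*Mar  1 02:35:22.611: ISAKMP (0:1004): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar  1 02:35:24.199: ISAKMP (0:1004): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
"""

if __name__ == "__main__":
    r1, r2 = triage(R1_DEBUG), triage(R2_DEBUG)
    for name, t in (("R1", r1), ("R2", r2)):
        print(name, t.role, "final state", t.states[-1][1], verdict(t))
    for finding in cross_check(r1, r2):
        print("both:", finding)
```

On the sample input R1 comes out as `phase1_psk_mismatch` and R2 as `responder_unanswered`, and the cross-check pairs R1's "SA using tunnel password as pre-shared key" with R2's address-based key lookup. The responder verdict deliberately points back at the initiator: a responder stuck in IKE_R_AM2 with only retransmissions has nothing more to say, and the decisive line is on the other box.
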
2 Replies

Herbert Baerten
Cisco Employee

Hi

on R1,

 set aggressive-mode client-endpoint ipv4-address 10.1.12.2 

should be

 set aggressive-mode client-endpoint ipv4-address 10.1.12.1

(and vice versa on R2).

This is your own ID that you specify here, not the remote peer's.

hth

Herbert

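Herbert's point, as an added check over both routers' configs (example code, not from the original post or from Cisco): the client-endpoint is the local router's own identity, so it must equal the local address rather than the peer's. A second check follows the debug output in the question, where R1 logged "SA using tunnel password as pre-shared key" while R2 looked up "peer pre-shared key matching 10.1.12.1": the aggressive-mode password on the initiator and the crypto isakmp key the responder holds for it are both used as the pre-shared key, so they have to be the same secret. The config lines are copied from the question; the parser is an assumption that covers only those commands.

```python
"""Consistency check for the aggressive-mode settings of two IOS routers.
Added example for this thread, not code from the original post or from Cisco.
It parses only 'crypto isakmp key', 'crypto isakmp peer address' and the two
'set aggressive-mode ...' sub-commands used in the question (assumed format)."""
import re

KEY_RE = re.compile(r"crypto isakmp key (\S+) address (\S+)")
PEER_RE = re.compile(r"crypto isakmp peer address (\S+)")
PASSWORD_RE = re.compile(r"set aggressive-mode password (\S+)")
ENDPOINT_RE = re.compile(r"set aggressive-mode client-endpoint ipv4-address (\S+)")


def parse_isakmp(config):
    """Return {'keys': {peer: key}, 'peers': {peer: {'password', 'client_endpoint'}}}."""
    keys, peers, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := KEY_RE.match(line):
            keys[m.group(2)] = m.group(1)
            current = None
        elif m := PEER_RE.match(line):
            current = peers.setdefault(m.group(1), {})
        elif current is not None and (m := PASSWORD_RE.match(line)):
            current["password"] = m.group(1)
        elif current is not None and (m := ENDPOINT_RE.match(line)):
            current["client_endpoint"] = m.group(1)
        elif not line.startswith("set "):
            current = None  # any other top-level command ends the peer block
    return {"keys": keys, "peers": peers}


def check_pair(local_addr, local_cfg, remote_addr, remote_cfg):
    """Findings for 'local' initiating aggressive mode toward 'remote'."""
    local, remote = parse_isakmp(local_cfg), parse_isakmp(remote_cfg)
    peer = local["peers"].get(remote_addr)
    if peer is None:
        return []  # no 'crypto isakmp peer' block for this remote: nothing to check
    findings = []
    endpoint = peer.get("client_endpoint")
    if endpoint is not None and endpoint != local_addr:
        note = " (it is the remote peer's address)" if endpoint == remote_addr else ""
        findings.append(
            f"client-endpoint {endpoint} is not this router's own address {local_addr}{note}")
    password = peer.get("password")
    remote_key = remote["keys"].get(local_addr)
    if password is not None and remote_key is not None and password != remote_key:
        findings.append(
            f"aggressive-mode password differs from the crypto isakmp key that "
            f"{remote_addr} holds for {local_addr}; both are used as the pre-shared key")
    return findings


# Sample input: the relevant lines of R1 and R2 from the question.
R1_CONFIG = """\
crypto isakmp key cisco123 address 10.1.12.2
!
crypto isakmp peer address 10.1.12.2
set aggressive-mode password aggressive123
set aggressive-mode client-endpoint ipv4-address 10.1.12.2
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
"""
R2_CONFIG = """\
crypto isakmp key cisco123 address 10.1.12.1
!
crypto isakmp peer address 10.1.12.1
set aggressive-mode password aggressive123
set aggressive-mode client-endpoint ipv4-address 10.1.12.1
!
"""
# Constructed variant: R1 with only Herbert's correction applied.
R1_FIXED = R1_CONFIG.replace("client-endpoint ipv4-address 10.1.12.2",
                             "client-endpoint ipv4-address 10.1.12.1")

if __name__ == "__main__":
    for label, cfg in (("R1 as posted", R1_CONFIG), ("R1 after the endpoint fix", R1_FIXED)):
        print(label)
        for finding in check_pair("10.1.12.1", cfg, "10.1.12.2", R2_CONFIG):
            print("  -", finding)
```

As posted, R1 toward R2 yields two findings; with only the client-endpoint corrected the password finding remains, since aggressive123 on R1 and cisco123 on R2 are still different secrets.

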
It's not working even after the change

but I was able to find the problem

the problem is with the command "crypto isakmp peer address xxxxx", which is used to block the attempt to process all incoming ISAKMP aggressive mode security association (SA) connections

just removed it

problem solved