02-21-2003 11:58 AM - edited 02-21-2020 12:22 PM
Can someone tell me what the attached debug output statement entails? I tried to configure a VPN connection from a Windows 2000 client using the native L2TP/IPSec to connect to the PIX via transport mode. I also configured the PIX to use IKE with a pre-shared key, a dynamic map to assign IP addresses to remote clients, and local authentication. I don't know where in the process it failed to connect, and I was hoping someone could tell me from the debug statement. Was my phase 1 IKE successful or not? What about phase 2? How far did the VPN process go before it terminated? Any help is greatly appreciated. Thanks.
Debug statement:
PIX#
crypto_isakmp_process_block: src 206.100.100.1, dest 63.100.100.1
VPN Peer: ISAKMP: Added new peer: ip:206.100.100.1 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:206.100.100.1 Ref cnt incremented to:1 Total VPN Peers:1
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65535 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): no offers accepted!
ISAKMP (0): SA not acceptable!
return status is IKMP_ERR_TRANS
crypto_isakmp_process_block: src 206.100.100.1, dest 63.100.100.1
VPN Peer: ISAKMP: Peer ip:206.100.100.1 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:206.100.100.1 Ref cnt decremented to:1 Total VPN Peers:1
crypto_isakmp_process_block: src 206.100.100.1, dest 63.100.100.1
VPN Peer: ISAKMP: Peer ip:206.100.100.1 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:206.100.100.1 Ref cnt decremented to:1 Total VPN Peers:1
crypto_isakmp_process_block: src 206.100.100.1, dest 63.100.100.1
VPN Peer: ISAKMP: Peer ip:206.100.100.1 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:206.100.100.1 Ref cnt decremented to:1 Total VPN Peers:1
ISADB: reaper checking SA 0x813d12e0, conn_id = 0
crypto_isakmp_process_block: src 206.100.100.1, dest 63.100.100.1
VPN Peer: ISAKMP: Peer ip:206.100.100.1 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:206.100.100.1 Ref cnt decremented to:1 Total VPN Peers:1
crypto_isakmp_process_block: src 206.100.100.1, dest 63.100.100.1
VPN Peer: ISAKMP: Peer ip:206.100.100.1 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:206.100.100.1 Ref cnt decremented to:1 Total VPN Peers:1
ISAKMP (0): deleting SA: src 206.100.100.1, dst 63.100.100.1
ISADB: reaper checking SA 0x813d12e0, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:206.100.100.1 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:206.100.100.1 Total VPN peers:0
crypto_isakmp_process_block: src 206.100.100.1, dest 63.100.100.1
PIX#
02-25-2003 08:11 PM
These two lines:
ISAKMP (0): no offers accepted!
ISAKMP (0): SA not acceptable!
indicate your Phase 1 parameters don't match what the PC is sending, and therefore they failed. The PC is sending this:
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
which shows it's trying to use certs (RSA-SIG), not the pre-shared key that you might have set up. If you follow this (http://www.cisco.com/warp/public/471/vpn3k_l2tp.html) you'll see you have to make a registry change on the PC to force it to use the pre-shared key, even if you put it in its configuration. Note that this sample config is for L2TP/IPSec to a VPN3000, but the client setup is the same, which seems to be where your problem lies at this point.
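The reading given in the reply above can be automated. The following is an added example, not part of the original thread and not Cisco code: it parses PIX ISAKMP debug text, lists what the peer proposed against each local policy priority, and reports whether Phase 1 was rejected. The function names and the shortened sample log are constructed for illustration.

```python
import re

# Constructed sample: a shortened copy of the debug lines quoted in the thread.
SAMPLE = """\
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65535 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): no offers accepted!
ISAKMP (0): SA not acceptable!
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"^ISAKMP:\s+(encryption|hash|default group|auth)\s+(.+)$")

def parse_phase1(debug_text):
    """Return (comparisons, phase1_failed) from PIX ISAKMP debug text."""
    comparisons, current, failed = [], None, False
    for line in debug_text.splitlines():
        line = line.strip()
        m = CHECK.search(line)
        if m:  # start of one "peer transform vs. local policy" comparison
            current = {"transform": int(m.group(1)), "priority": int(m.group(2)),
                       "offer": {}, "accepted": None}
            comparisons.append(current)
        elif current and (a := ATTR.match(line)):
            current["offer"][a.group(1)] = a.group(2)  # attribute the peer sent
        elif current and "atts are not acceptable" in line:
            current["accepted"] = False
        elif current and "atts are acceptable" in line:
            current["accepted"] = True
        elif "no offers accepted" in line:
            failed = True  # no local policy matched: Phase 1 never completes
    return comparisons, failed

def offered_auth(comparisons):
    """Distinct authentication methods the peer proposed."""
    return sorted({c["offer"]["auth"] for c in comparisons if "auth" in c["offer"]})
```

On the sample, every comparison is rejected and the only authentication method offered is `RSA sig`, which is the mismatch with a pre-shared-key policy that the reply points out.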