Mesmerisor
Member # 17830
posted June 23, 2006 06:45 AM
Hi,
I am trying to form a VPN tunnel between two routers using rsa-sig as the authentication method defined in the IKE negotiation.
The following is the error message which I receive on one of my routers.
--------------------------------------------------
Jun 23 07:44:11.102: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 1.1.1.3 failed its sanity check or is malformed
--------------------------------------------------
Later, I ran debug on one of the two routers, and the following is the debug crypto isakmp output.
--------------------------------------------------
Rack1R2#debug crypto isakmp
Crypto ISAKMP debugging is on
Rack1R2#
Jun 23 07:55:19.517: ISAKMP (0:0): received packet from 1.1.1.3 dport 500 sport 500 Global (N) NEW SA
Jun 23 07:55:19.521: ISAKMP: local port 500, remote port 500
Jun 23 07:55:19.521: ISAKMP: insert sa successfully sa = 82F18CAC
Jun 23 07:55:19.521: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 23 07:55:19.525: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_R_MM1

Jun 23 07:55:19.525: ISAKMP (0:1): processing SA payload. message ID = 0
Jun 23 07:55:19.525: ISAKMP (0:1): processing vendor id payload
Jun 23 07:55:19.525: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
Jun 23 07:55:19.529: ISAKMP (0:1): vendor ID is NAT-T v3
Jun 23 07:55:19.529: ISAKMP (0:1): processing vendor id payload
Jun 23 07:55:19.529: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123 mismatch
Jun 23 07:55:19.529: ISAKMP (0:1): vendor ID is NAT-T v2
Jun 23 07:55:19.529: ISAKMP : Scanning profiles for xauth ...
Jun 23 07:55:19.529: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 65535 policy
Rack1R2#
Translating "ccie1"
Jun 23 07:55:19.529: ISAKMP:      encryption DES-CBC
Jun 23 07:55:19.529: ISAKMP:      hash SHA
Jun 23 07:55:19.533: ISAKMP:      default group 1
Jun 23 07:55:19.533: ISAKMP:      auth RSA sig
Jun 23 07:55:19.533: ISAKMP:      life type in seconds
Jun 23 07:55:19.533: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Jun 23 07:55:19.533: ISAKMP (0:1): atts are acceptable. Next payload is 0
Jun 23 07:55:19.702: ISAKMP (0:1): processing vendor id payload
Jun 23 07:55:19.702: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
Jun 23 07:55:19.706: ISAKMP (0:1): vendor ID is NAT-T v3
Jun 23 07:55:19.706: ISAKMP (0:1): processing vendor id payload
Jun 23 07:55:19.706: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123 mismatch
Jun 23 07:55:19.706: ISAKMP (0:1): vendor ID is NAT-T v2
Jun 23 07:55:19.706: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 23 07:55:19.710: ISAKMP (0:1): Old State = IKE_R_MM1  New State = IKE_R_MM1
Rack1R2#

Jun 23 07:55:19.710: ISAKMP (0:1): constructed NAT-T vendor-03 ID
Jun 23 07:55:19.714: ISAKMP (0:1): sending packet to 1.1.1.3 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jun 23 07:55:19.714: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 23 07:55:19.714: ISAKMP (0:1): Old State = IKE_R_MM1  New State = IKE_R_MM2

Jun 23 07:55:19.902: ISAKMP (0:1): received packet from 1.1.1.3 dport 500 sport 500 Global (R) MM_SA_SETUP
Jun 23 07:55:19.902: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 23 07:55:19.902: ISAKMP (0:1): Old State = IKE_R_MM2  New State = IKE_R_MM3

Jun 23 07:55:19.906: ISAKMP (0:1): processing KE payload. message ID = 0
Jun 23 07:55:20.114: ISAKMP (0:1): processing NONCE payload. message ID = 0
Jun 23 07:55:20.118: ISAKMP (0:1): SKEYID state generated
Jun 23 07:55:20.118: ISAKMP (0:1): processing CERT_REQ payload. message ID = 0
Jun 23 07:55:20.118: ISAKMP (0:1): peer wants a CT_X509_SIGNATURE cert
Jun 23 07:55:20.122: ISAKMP (0:1): peer want cert issued by CN = caserver
Jun 23 07:55:20.122: ISAKMP (0:1): Choosing trustpoint ccie as default key issuer
Jun 23 07:55:20.126: ISAKMP (0:1): processing vendor id payload
Jun 23 07:55:20.126: ISAKMP (0:1): vendor ID is Unity
Jun 23 07:55:20.126: ISAKMP (0:1): processing vendor id payload
Jun 23 07:55:20.126: ISAKMP (0:1): vendor ID is DPD
Jun 23 07:55:20.126: ISAKMP (0:1): processing vendor id payload
Jun 23 07:55:20.130: ISAKMP (0:1): speaking to another IOS box!
Jun 23 07:55:20.130: ISAKMP:received payload type 17
Jun 23 07:55:20.130: ISAKMP (0:1): Detected NAT-D payload
Jun 23 07:55:20.130: ISAKMP (0:1): NAT match MINE hash
Jun 23 07:55:20.130: ISAKMP:received payload type 17
Jun 23 07:55:20.130: ISAKMP (0:1): Detected NAT-D payload
Jun 23 07:55:20.130: ISAKMP (0:1): NAT match HIS hash
Jun 23 07:55:20.130: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 23 07:55:20.134: ISAKMP (0:1): Old State = IKE_R_MM3  New State = IKE_R_MM3

Jun 23 07:55:20.146: ISAKMP (0:1): constructed HIS NAT-D
Jun 23 07:55:20.146: ISAKMP (0:1): constructed MINE NAT-D
Jun 23 07:55:20.150: ISAKMP (0:1): sending packet to 1.1.1.3 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Jun 23 07:55:20.150: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 23 07:55:20.150: ISAKMP (0:1): Old State = IKE_R_MM3  New State = IKE_R_MM4

Jun 23 07:55:20.679: ISAKMP (0:1): received packet from 1.1.1.3 dport 500 sport 500 Global (R) MM_KEY_EXCH
Jun 23 07:55:20.683: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 23 07:55:20.683: ISAKMP (0:1): Old State = IKE_R_MM4  New State = IKE_R_MM5

Jun 23 07:55:20.687: ISAKMP (0:1): processing ID payload. message ID = 0
Jun 23 07:55:20.687: ISAKMP (1): Process ID payload type : 2 FQDN name : Rack1R3.cisco.com protocol : 17 port : 500 length : 17
Jun 23 07:55:20.687: ISAKMP (0:1): peer matches *none* of the profiles
Jun 23 07:55:20.687: ISAKMP (0:1): processing CERT payload. message ID = 0
Jun 23 07:55:20.687: ISAKMP (0:1): processing a CT_X509_SIGNATURE cert
Jun 23 07:55:20.727: ISAKMP (0:1): peer's pubkey isn't cached
Jun 23 07:55:21.897: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 1.1.1.3 is bad: CA request failed!
Jun 23 07:55:21.897: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 23 07:55:21.897: ISAKMP (0:1): Old State = IKE_R_MM5  New State = IKE_R_MM5

Jun 23 07:55:21.901: ISAKMP (0:1): sending packet to 1.1.1.3 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Jun 23 07:55:21.901: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Jun 23 07:55:21.901: ISAKMP (0:1): Old State = IKE_R_MM5  New State = IKE_R_MM4

Jun 23 07:55:22.110: ISAKMP (0:1): received packet from 1.1.1.3 dport 500 sport 500 Global (R) MM_KEY_EXCH
Jun 23 07:55:22.118: ISAKMP: reserved not zero on ID payload!
Jun 23 07:55:22.118: -Traceback= 817A03CC 817A0520 81796D30 81798090 8044D634
Jun 23 07:55:22.118: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 1.1.1.3 failed its sanity check or is malformed
Jun 23 07:55:22.118: ISKAMP: growing send buffer from 1024 to 3072
Jun 23 07:55:22.118: ISAKMP (0:1): incrementing error counter on sa: PAYLOAD_MALFORMED
Jun 23 07:55:22.122: ISAKMP (0:1): sending packet to 1.1.1.3 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Jun 23 07:55:22.126: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
Jun 23 07:55:23.127: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Jun 23 07:55:23.127: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
Jun 23 07:55:23.127: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
--------------------------------------------------
Posts: 39 | From: India | Registered: Dec 2005
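The debug output in the post above contains two %CRYPTO messages, and the order in which they fire relative to the main-mode state machine is what tells you where to start looking. As an added example (not code from the original post), the script below walks a trimmed, constructed subset of those debug lines, records every Old State / New State transition, and tags each %CRYPTO syslog message and each notable ISAKMP line with the IKE state the SA was in when it fired. It assumes the 12.x IOS `debug crypto isakmp` line format shown in the post; the regular expressions, the responder state ordering table and the list of "notable" ISAKMP strings are the example's own choices.

```python
"""Triage helper for Cisco IOS 'debug crypto isakmp' output (phase 1 main mode).

Added example, not from the original post. It parses the responder-side
debug lines, tracks the main-mode state machine and lists the %CRYPTO
messages together with the IKE state at the time, so the first hard
failure can be separated from the symptoms that follow it.
"""
import re

# Constructed sample: a trimmed subset of the debug lines quoted in the post.
SAMPLE_DEBUG = """\
Jun 23 07:55:19.517: ISAKMP (0:0): received packet from 1.1.1.3 dport 500 sport 500 Global (N) NEW SA
Jun 23 07:55:19.525: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_R_MM1
Jun 23 07:55:19.533: ISAKMP:      auth RSA sig
Jun 23 07:55:19.533: ISAKMP (0:1): atts are acceptable. Next payload is 0
Jun 23 07:55:19.714: ISAKMP (0:1): Old State = IKE_R_MM1  New State = IKE_R_MM2
Jun 23 07:55:19.902: ISAKMP (0:1): Old State = IKE_R_MM2  New State = IKE_R_MM3
Jun 23 07:55:20.122: ISAKMP (0:1): peer want cert issued by CN = caserver
Jun 23 07:55:20.150: ISAKMP (0:1): Old State = IKE_R_MM3  New State = IKE_R_MM4
Jun 23 07:55:20.683: ISAKMP (0:1): Old State = IKE_R_MM4  New State = IKE_R_MM5
Jun 23 07:55:20.687: ISAKMP (1): Process ID payload type : 2 FQDN name : Rack1R3.cisco.com protocol : 17 port : 500 length : 17
Jun 23 07:55:20.687: ISAKMP (0:1): peer matches *none* of the profiles
Jun 23 07:55:20.727: ISAKMP (0:1): peer's pubkey isn't cached
Jun 23 07:55:21.897: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 1.1.1.3 is bad: CA request failed!
Jun 23 07:55:21.901: ISAKMP (0:1): Old State = IKE_R_MM5  New State = IKE_R_MM4
Jun 23 07:55:22.118: ISAKMP: reserved not zero on ID payload!
Jun 23 07:55:22.118: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 1.1.1.3 failed its sanity check or is malformed
Jun 23 07:55:22.118: ISAKMP (0:1): incrementing error counter on sa: PAYLOAD_MALFORMED
"""

# Line shapes assumed from the IOS debug format shown in the post.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+): (?P<msg>.*)$")
STATE_RE = re.compile(r"Old State = (?P<old>\S+)\s+New State = (?P<new>\S+)")
SYSLOG_RE = re.compile(r"%CRYPTO-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*)")
FQDN_RE = re.compile(r"FQDN name : (?P<fqdn>\S+)")
AUTH_RE = re.compile(r"^ISAKMP:\s+auth (?P<auth>.+?)\s*$")

# Responder main-mode states in the order IOS walks them (example's own table);
# a transition to a lower number means the SA was rolled back on an error path.
MM_ORDER = {"IKE_READY": 0, **{f"IKE_R_MM{i}": i for i in range(1, 7)}}

# Non-syslog ISAKMP lines worth surfacing in a triage summary (example's choice).
NOTABLE = (
    "peer matches *none* of the profiles",
    "reserved not zero",
    "incrementing error counter",
)


def triage(debug_text):
    """Summarise one phase 1 negotiation from raw debug text."""
    result = {
        "auth_method": None,     # from the accepted ISAKMP policy attributes
        "peer_id": None,         # FQDN carried in the peer's ID payload
        "profile_matched": None, # False once IOS reports no ISAKMP profile matched
        "transitions": [],       # (old_state, new_state) in order
        "regressed": False,      # True if the state machine ever moved backwards
        "events": [],            # syslog and notable lines with the state at that time
    }
    state = None
    for line in debug_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue  # console prompt or a line fragment, not a debug record
        ts, msg = m.group("ts"), m.group("msg")

        sm = STATE_RE.search(msg)
        if sm:
            old, new = sm.group("old"), sm.group("new")
            result["transitions"].append((old, new))
            if MM_ORDER.get(new, 0) < MM_ORDER.get(old, 0):
                result["regressed"] = True
            state = new
            continue

        am = AUTH_RE.match(msg)
        if am:
            result["auth_method"] = am.group("auth")
        fm = FQDN_RE.search(msg)
        if fm:
            result["peer_id"] = fm.group("fqdn")
        if "peer matches *none* of the profiles" in msg:
            result["profile_matched"] = False

        sl = SYSLOG_RE.search(msg)
        if sl:
            result["events"].append({
                "ts": ts, "state": state, "kind": "syslog",
                "severity": int(sl.group("sev")),
                "mnemonic": sl.group("mnemonic"), "text": sl.group("text"),
            })
        elif any(tag in msg for tag in NOTABLE):
            result["events"].append({"ts": ts, "state": state, "kind": "isakmp",
                                     "severity": None, "mnemonic": None, "text": msg})
    return result


def first_syslog(result):
    """The earliest %CRYPTO message: the place to start, before its follow-on symptoms."""
    for ev in result["events"]:
        if ev["kind"] == "syslog":
            return ev
    return None


def report(result):
    """One line of context plus one line per event, each tagged with the IKE state."""
    lines = [f"auth={result['auth_method']} peer_id={result['peer_id']} "
             f"profile_matched={result['profile_matched']} regressed={result['regressed']}"]
    for ev in result["events"]:
        lines.append(f"{ev['ts']} [{ev['state']}] {ev['mnemonic'] or 'ISAKMP'}: {ev['text']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_DEBUG)))
```

Run against the sample, the report shows the auth method as RSA sig, the peer identifying itself as Rack1R3.cisco.com and matching no ISAKMP profile, then IKMP_INVAL_CERT ("CA request failed!") firing while the SA is still in IKE_R_MM5, after which the responder enters IKE_PROCESS_ERROR and rolls the SA back to IKE_R_MM4. Only then does the "reserved not zero on ID payload" line and the IKMP_BAD_MESSAGE that the post opened with appear, so the certificate validation failure in MM5 is the earlier event and the one to investigate first.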