[vpn-help] Unable to negotiate phase 1 parameters with Cisco 2611
Nikolaj Griščenko
n.griscenko at gmail.com
Sat Mar 13 10:59:10 CST 2010
Hello,
I can't establish an IPSec session between a WinXP Shrew Soft client 2.1.5 and a
Cisco 2611 (12.4-1a IOS). It is unable to negotiate the phase 1 pre-shared key
authentication parameter. I configured the Cisco to use the isakmp client
configuration group "VPN" and dynamic ipsec tunnels. Phase 1 parameters are:
Encryption: 3des
DH Group: 2
Hash: md5
Authentication: pre-shared key
Lifetime: 28800 s
(see cisco config below)
The same was configured on the client. I set the Key ID String as "VPN" in
Local Identity, IP address as the identification type in the Remote Identity
field, and a pre-shared key in Credentials.
There's something wrong with pre-shared key authentication. I checked the phase
1 parameters on both the Cisco and the client side and they match.
Shrewsoft trace:
10/03/13 17:37:52 ## : IKE Daemon, ver 2.1.5
10/03/13 17:37:52 ## : Copyright 2009 Shrew Soft Inc.
10/03/13 17:37:52 ## : This product linked OpenSSL 0.9.8h 28 May 2008
10/03/13 17:37:52 ii : opened 'C:\Program Files\ShrewSoft\VPN
Client\debug\iked.log'
10/03/13 17:37:52 ii : opened 'C:\Program Files\ShrewSoft\VPN
Client/debug/dump-ike-decrypt.cap'
10/03/13 17:37:52 ii : opened 'C:\Program Files\ShrewSoft\VPN
Client/debug/dump-ike-encrypt.cap'
10/03/13 17:37:52 ii : rebuilding vnet device list ...
10/03/13 17:37:52 ii : device ROOT\VNET\0000 disabled
10/03/13 17:37:52 ii : network process thread begin ...
10/03/13 17:37:52 ii : pfkey process thread begin ...
10/03/13 17:37:52 ii : ipc server process thread begin ...
10/03/13 17:37:57 ii : ipc client process thread begin ...
10/03/13 17:37:57 <A : peer config add message
10/03/13 17:37:57 DB : peer ref increment ( ref count = 1, obj count = 0 )
10/03/13 17:37:57 DB : peer added ( obj count = 1 )
10/03/13 17:37:57 ii : local address 192.168.0.2 selected for peer
10/03/13 17:37:57 DB : peer ref increment ( ref count = 2, obj count = 1 )
10/03/13 17:37:57 DB : tunnel ref increment ( ref count = 1, obj count = 0 )
10/03/13 17:37:57 DB : tunnel added ( obj count = 1 )
10/03/13 17:37:57 <A : proposal config message
10/03/13 17:37:57 <A : proposal config message
10/03/13 17:37:57 <A : client config message
10/03/13 17:37:57 <A : local id 'VPN' message
10/03/13 17:37:57 <A : preshared key message
10/03/13 17:37:57 <A : peer tunnel enable message
10/03/13 17:37:57 DB : tunnel ref increment ( ref count = 2, obj count = 1 )
10/03/13 17:37:57 DB : new phase1 ( ISAKMP initiator )
10/03/13 17:37:57 DB : exchange type is aggressive
10/03/13 17:37:57 DB : 192.168.0.2:500 <-> 172.16.0.1:500
10/03/13 17:37:57 DB : 8c9d42b1ad3ab4f4:0000000000000000
10/03/13 17:37:57 DB : phase1 ref increment ( ref count = 1, obj count = 0 )
10/03/13 17:37:57 DB : phase1 added ( obj count = 1 )
10/03/13 17:37:57 >> : security association payload
10/03/13 17:37:57 >> : - proposal #1 payload
10/03/13 17:37:57 >> : -- transform #1 payload
10/03/13 17:37:57 >> : key exchange payload
10/03/13 17:37:57 >> : nonce payload
10/03/13 17:37:57 >> : identification payload
10/03/13 17:37:57 >> : vendor id payload
10/03/13 17:37:57 ii : local supports FRAGMENTATION
10/03/13 17:37:57 >> : vendor id payload
10/03/13 17:37:57 ii : local is SHREW SOFT compatible
10/03/13 17:37:57 >> : vendor id payload
10/03/13 17:37:57 ii : local is NETSCREEN compatible
10/03/13 17:37:57 >> : vendor id payload
10/03/13 17:37:57 ii : local is SIDEWINDER compatible
10/03/13 17:37:57 >> : vendor id payload
10/03/13 17:37:57 ii : local is CISCO UNITY compatible
10/03/13 17:37:57 >= : cookies 8c9d42b1ad3ab4f4:0000000000000000
10/03/13 17:37:57 >= : message 00000000
10/03/13 17:37:57 -> : send IKE packet 192.168.0.2:500 -> 172.16.0.1:500 (
387 bytes )
10/03/13 17:37:57 DB : phase1 resend event scheduled ( ref count = 2 )
10/03/13 17:37:57 DB : phase1 ref decrement ( ref count = 1, obj count = 1 )
10/03/13 17:37:57 DB : tunnel ref increment ( ref count = 3, obj count = 1 )
10/03/13 17:37:57 <- : recv IKE packet 172.16.0.1:500 -> 192.168.0.2:500 (
96 bytes )
10/03/13 17:37:57 DB : phase1 found
10/03/13 17:37:57 DB : phase1 ref increment ( ref count = 2, obj count = 1 )
10/03/13 17:37:57 ii : processing informational packet ( 96 bytes )
10/03/13 17:37:57 =< : cookies 8c9d42b1ad3ab4f4:127c53b687dc01a1
10/03/13 17:37:57 =< : message 00000000
10/03/13 17:37:57 << : notification payload
10/03/13 17:37:57 ii : received peer NO-PROPOSAL-CHOSEN notification
10/03/13 17:37:57 ii : - 172.16.0.1:500 -> 192.168.0.2:500
10/03/13 17:37:57 ii : - isakmp spi = none
10/03/13 17:37:57 ii : - data size 56
10/03/13 17:37:57 DB : phase1 ref decrement ( ref count = 1, obj count = 1 )
10/03/13 17:38:02 -> : resend 1 phase1 packet(s) 192.168.0.2:500 ->
172.16.0.1:500
10/03/13 17:38:07 -> : resend 1 phase1 packet(s) 192.168.0.2:500 ->
172.16.0.1:500
10/03/13 17:38:12 -> : resend 1 phase1 packet(s) 192.168.0.2:500 ->
172.16.0.1:500
10/03/13 17:38:16 <A : peer tunnel disable message
10/03/13 17:38:16 ii : removing IPsec over DHCP policies
10/03/13 17:38:16 DB : policy not found
10/03/13 17:38:16 DB : policy not found
10/03/13 17:38:16 DB : tunnel stats event canceled ( ref count = 2 )
10/03/13 17:38:16 DB : removing tunnel config references
10/03/13 17:38:16 DB : removing tunnel phase2 references
10/03/13 17:38:16 DB : removing tunnel phase1 references
10/03/13 17:38:16 DB : phase1 ref increment ( ref count = 2, obj count = 1 )
10/03/13 17:38:16 DB : phase1 resend event canceled ( ref count = 1 )
10/03/13 17:38:16 ii : phase1 removal before expire time
10/03/13 17:38:16 DB : phase1 deleted ( obj count = 0 )
10/03/13 17:38:16 DB : tunnel ref decrement ( ref count = 1, obj count = 1 )
10/03/13 17:38:16 DB : tunnel deleted ( obj count = 0 )
10/03/13 17:38:17 DB : peer ref decrement ( ref count = 1, obj count = 1 )
10/03/13 17:38:17 DB : removing all peer tunnel refrences
10/03/13 17:38:17 DB : peer deleted ( obj count = 0 )
10/03/13 17:38:17 ii : ipc client process thread exit ...
Cisco 2611 debug:
*Mar 31 02:52:06.407: ISAKMP (0:0): received packet from 192.168.0.2 dport
500 sport 500 Global (N) NEW SA
*Mar 31 02:52:06.407: ISAKMP: Created a peer struct for 192.168.0.2, peer
port 500
*Mar 31 02:52:06.411: ISAKMP: New peer created peer = 0x82D7B14C peer_handle
= 0x80000012
*Mar 31 02:52:06.411: ISAKMP: Locking peer struct 0x82D7B14C, IKE refcount 1
for crypto_isakmp_process_block
*Mar 31 02:52:06.411: ISAKMP: local port 500, remote port 500
*Mar 31 02:52:06.415: insert sa successfully sa = 833DFB98
*Mar 31 02:52:06.415: ISAKMP:(0:0:N/A:0): processing SA payload. message ID
= 0
*Mar 31 02:52:06.415: ISAKMP:(0:0:N/A:0): processing ID payload. message ID
= 0
*Mar 31 02:52:06.415: ISAKMP (0:0): ID payload
next-payload : 13
type : 11
group id : VPN
protocol : 0
port : 0
length : 11
*Mar 31 02:52:06.419: ISAKMP:(0:0:N/A:0):: peer matches TEST profile
*Mar 31 02:52:06.419: ISAKMP:(0:0:N/A:0):Looking for a matching key for
192.168.0.2 in default
*Mar 31 02:52:06.419: ISAKMP:(0:0:N/A:0):Setting client config settings
8297826C
*Mar 31 02:52:06.423: ISAKMP:(0:0:N/A:0): Profile TEST assigned peer the
group named VPN
*Mar 31 02:52:06.423: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 31 02:52:06.423: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but
major 194 mismatch
*Mar 31 02:52:06.423: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 31 02:52:06.427: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but
major 237 mismatch
*Mar 31 02:52:06.427: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 31 02:52:06.427: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but
major 19 mismatch
*Mar 31 02:52:06.427: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 31 02:52:06.431: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but
major 83 mismatch
*Mar 31 02:52:06.431: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 31 02:52:06.431: ISAKMP:(0:0:N/A:0): vendor ID is Unity
*Mar 31 02:52:06.431: ISAKMP : Looking for xauth in profile TEST
*Mar 31 02:52:06.435: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against
priority 1 policy
*Mar 31 02:52:06.435: ISAKMP: encryption 3DES-CBC
*Mar 31 02:52:06.435: ISAKMP: hash MD5
*Mar 31 02:52:06.435: ISAKMP: default group 2
*Mar 31 02:52:06.435: ISAKMP: auth pre-share
*Mar 31 02:52:06.435: ISAKMP: life type in seconds
*Mar 31 02:52:06.435: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Mar 31 02:52:06.439: ISAKMP:(0:0:N/A:0):Preshared authentication offered
but does not match policy!
*Mar 31 02:52:06.439: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next
payload is 0
*Mar 31 02:52:06.439: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against
priority 65535 policy
*Mar 31 02:52:06.443: ISAKMP: encryption 3DES-CBC
*Mar 31 02:52:06.443: ISAKMP: hash MD5
*Mar 31 02:52:06.443: ISAKMP: default group 2
*Mar 31 02:52:06.443: ISAKMP: auth pre-share
*Mar 31 02:52:06.443: ISAKMP: life type in seconds
*Mar 31 02:52:06.443: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Mar 31 02:52:06.447: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does
not match policy!
*Mar 31 02:52:06.447: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next
payload is 0
*Mar 31 02:52:06.447: ISAKMP:(0:0:N/A:0):no offers accepted!
*Mar 31 02:52:06.451: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable!
(local 172.16.0.1 remote 192.168.0.2)
*Mar 31 02:52:06.451: ISAKMP:(0:0:N/A:0):incrementing error counter on sa:
construct_fail_ag_init
*Mar 31 02:52:06.451: ISAKMP:(0:0:N/A:0): sending packet to 192.168.0.2
my_port 500 peer_port 500 (R) AG_NO_STATE
*Mar 31 02:52:06.455: ISAKMP:(0:0:N/A:0):peer does not do paranoid
keepalives.
*Mar 31 02:52:06.455: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA
policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.0.2)
*Mar 31 02:52:06.455: ISAKMP:(0:0:N/A:0): processing KE payload. message ID
= 0
*Mar 31 02:52:06.455: ISAKMP:(0:0:N/A:0): group size changed! Should be 0,
is 128
*Mar 31 02:52:06.459: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER,
IKE_AM_EXCH: state = IKE_READY
*Mar 31 02:52:06.459: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER,
IKE_AM_EXCH
*Mar 31 02:52:06.459: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State =
IKE_READY
*Mar 31 02:52:06.459: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive
mode failed with peer at 192.168.0.2
*Mar 31 02:52:06.467: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA
policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.0.2)
*Mar 31 02:52:06.467: ISAKMP: Unlocking IKE struct 0x82D7B14C for
isadb_mark_sa_deleted(), count 0
*Mar 31 02:52:06.467: ISAKMP: Deleting peer node by peer_reap for
192.168.0.2: 82D7B14C
*Mar 31 02:52:06.471: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL,
IKE_PHASE1_DEL
*Mar 31 02:52:06.471: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State =
IKE_DEST_SA
*Mar 31 02:52:06.471: IPSEC(key_engine): got a queue event with 1 kei
messages
*Mar 31 02:52:11.403: ISAKMP (0:0): received packet from 192.168.0.2 dport
500 sport 500 Global (R) MM_NO_STATE
*Mar 31 02:52:16.407: ISAKMP (0:0): received packet from 192.168.0.2 dport
500 sport 500 Global (R) MM_NO_STATE
Cisco 2611 IPSec config:
!
username cisco privilege 15 password 0 cisco
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp client configuration group VPN
key 6 cisco
dns 192.168.10.20
pool vpn
crypto isakmp profile TEST
match identity group VPN
client configuration address respond
client configuration group VPN
virtual-template 1
!
!
crypto ipsec transform-set XXX esp-3des esp-md5-hmac
!
crypto ipsec profile TEST
set transform-set XXX
!
!
!
!
interface Ethernet0/0
ip address 192.168.10.1 255.255.255.0
half-duplex
!
interface Serial0/0
ip address 172.16.0.1 255.255.255.252
no fair-queue
!
!
!
interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4
tunnel protection ipsec profile TEST
!
!
ip local pool vpn 192.168.10.5 192.168.10.10
I also tried configuring Shrew Soft without specifying a VPN group parameter,
and it passed phase 1 successfully, but could not pass phase 2. Is there
something wrong with the Cisco or the client config?
Nikolaj
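To cross-check the router side of a trace like this one, here is an added Python helper (not part of the original post and not Shrew Soft or Cisco tooling) that parses the `Checking ISAKMP transform N against priority P policy` blocks from a `debug crypto isakmp` capture, decodes the VPI lifetime bytes, and reports which attribute each policy rejected. The sample lines are the policy-check records from the debug above, with the mailing-list line wraps rejoined; that rejoining is the only assumption.

```python
import re

# Constructed sample: the router's policy-check records from the post, one record per line.
CISCO_DEBUG = """\
*Mar 31 02:52:06.435: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
*Mar 31 02:52:06.435: ISAKMP: encryption 3DES-CBC
*Mar 31 02:52:06.435: ISAKMP: hash MD5
*Mar 31 02:52:06.435: ISAKMP: default group 2
*Mar 31 02:52:06.435: ISAKMP: auth pre-share
*Mar 31 02:52:06.435: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Mar 31 02:52:06.439: ISAKMP:(0:0:N/A:0):Preshared authentication offered but does not match policy!
*Mar 31 02:52:06.439: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 65535 policy
*Mar 31 02:52:06.443: ISAKMP: encryption 3DES-CBC
*Mar 31 02:52:06.443: ISAKMP: hash MD5
*Mar 31 02:52:06.443: ISAKMP: default group 2
*Mar 31 02:52:06.443: ISAKMP: auth pre-share
*Mar 31 02:52:06.443: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Mar 31 02:52:06.447: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar 31 02:52:06.447: ISAKMP:(0:0:N/A:0):no offers accepted!
"""

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"ISAKMP: (encryption|hash|default group|auth) (.+)$")
VPI_RE = re.compile(r"life duration \(VPI\) of ((?:0x[0-9a-fA-F]+ ?)+)")
REASON_RE = re.compile(r"\):(.*does not match policy)!$")

def vpi_seconds(vpi: str) -> int:
    """IOS prints the lifetime attribute as big-endian bytes: 0x0 0x0 0x70 0x80 is 28800 s."""
    return int.from_bytes(bytes(int(b, 16) for b in vpi.split()), "big")

def parse_policy_checks(debug: str) -> list[dict]:
    """One record per 'Checking ISAKMP transform' block: the offered attributes and the verdict."""
    checks = []
    for line in debug.splitlines():
        if m := CHECK_RE.search(line):
            checks.append({"transform": int(m[1]), "priority": int(m[2]),
                           "offered": {}, "rejected_because": None})
        elif not checks:
            continue  # lines before the first policy check carry no transform attributes
        elif m := VPI_RE.search(line):
            checks[-1]["offered"]["lifetime_s"] = vpi_seconds(m[1])
        elif m := ATTR_RE.search(line):
            checks[-1]["offered"][m[1].replace("default ", "")] = m[2].strip()
        elif m := REASON_RE.search(line):
            checks[-1]["rejected_because"] = m[1]
    return checks

def rejections(debug: str) -> list[tuple[int, str]]:
    """(policy priority, first rejected attribute) for every policy the router tried."""
    return [(c["priority"], c["rejected_because"]) for c in parse_policy_checks(debug)]
```

Running `rejections(CISCO_DEBUG)` shows that policy 1 (the configured one) rejected the proposal on the pre-shared authentication attribute, while only the implicit default policy 65535 got as far as an encryption mismatch, which is a different failure from the "parameters match" picture the client trace suggests.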