GET VPN - strange ISAKMP initialization issue though pre-shared keys are there...

Unanswered Question
Nov 26th, 2009

Hi all,

I am facing a peculiar issue with ISAKMP initialization.

I have configured Pre-shared keys in "derby" router to get registered with "KS" router.

Issue: "derby" is not able to initialize the SA, saying "no pre-shared or cert key available for peer", though it's clearly there in the config.

I am pasting the relevant configs of both routers, as I was not able to upload the document.

--------

At Derby Router

ip host KS 19.1.1.1
!
!
ip vrf MBT
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
ip vrf VC
 rd 200:1
 route-target export 200:1
 route-target import 200:1
!
multilink bundle-name authenticated
!
!
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 30
 encr aes
 authentication pre-share
 group 2
 lifetime 1200
crypto isakmp key Cisco address 19.1.1.1
crypto isakmp key Cisco hostname KS
crypto isakmp identity hostname
!
!
crypto ipsec transform-set rtpset-3des esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set test esp-3des esp-sha-hmac
 mode transport
crypto ipsec df-bit clear
crypto gdoi group getvpn
 identity number 1234
 server address ipv4 19.1.1.1
!
!
crypto map getvpn-map 10 gdoi
 set group getvpn
!

--------

At KS Router

ip cef
ip host derby 210.1.1.1
!
!
ip vrf exit
!
multilink bundle-name authenticated
!
!
archive
 log config
  hidekeys
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key Cisco address 200.1.1.1
crypto isakmp key Cisco address 210.1.1.1
!
!
crypto ipsec transform-set mygdoi-trans esp-3des esp-sha-hmac
!
crypto ipsec profile gdoi-profile-getvpn
 set security-association lifetime seconds 7200
 set transform-set mygdoi-trans
!
crypto gdoi group getvpn
 identity number 1234
 server local
  ! Incomplete unicast rekey configuration
  ! Rekey address is not configured
  rekey retransmit 40 number 2
  rekey authentication mypubkey rsa getvpn-export-general
  rekey transport unicast
  sa receive-only
  sa ipsec 1
   profile gdoi-profile-getvpn
   match address ipv4 199
   replay time window-size 5
!

---------

It's giving the following message in "debug crypto isakmp" output.

derby#clear crypto gdoi
% The Key Server and Group Member will destroy created and downloaded policies.
% All Group Members are required to re-register.
Are you sure you want to proceed ? [yes/no]: y
mahindra_bt_derby#
*Mar  1 00:42:23.547: %GDOI-4-GM_RE_REGISTER: The IPSec SA created for group getvpn may have expired/been cleared, or didn't go through. Re-register to KS.
*Mar  1 00:42:23.551: %CRYPTO-5-GM_REGSTER: Start registration to KS 19.1.1.1 for group getvpn using address 210.1.1.1
*Mar  1 00:42:23.555: ISAKMP:(0): SA request profile is (NULL)
*Mar  1 00:42:23.555: ISAKMP: Created a peer struct for 19.1.1.1, peer port 848
*Mar  1 00:42:23.555: ISAKMP: New peer created peer = 0x65D46EFC peer_handle = 0x80000014
*Mar  1 00:42:23.555: ISAKMP: Locking peer struct 0x65D46EFC, refcount 1 for isakmp_initiator
*Mar  1 00:42:23.555: ISAKMP: local port 848, remote port 848
*Mar  1 00:42:23.559: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 00:42:23.559: ISAKMP:(0):Switching to SW IKE SA: sa is 668061FC, ce_id is 80000003
*Mar  1 00:42:23.559: insert sa successfully sa = 668061FC
*Mar  1 00:42:23.563: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar  1 00:42:23.563: ISAKMP:(0):No pre-shared key with 19.1.1.1!
*Mar  1 00:42:23.563: ISAKMP:(0): No Cert or pre-shared address key.
*Mar  1 00:42:23.563: ISAKMP:(0): construct_initial_message: Can not start Main mode
*Mar  1 00:42:23.567: ISAKMP: Unlocking peer struct 0x65D46EFC for isadb_unlock_peer_delete_sa(), count 0
*Mar  1 00:42:23.567: ISAKMP: Deleting peer node by peer_reap for 19.1.1.1: 65D46EFC
*Mar  1 00:42:23.567: ISAKMP:(0):purging SA., sa=668061FC, delme=668061FC
*Mar  1 00:42:23.571: ISAKMP:(0):purging node 514398065
*Mar  1 00:42:23.571: ISAKMP:(0):cleaning up GDOI node 514398065
*Mar  1 00:42:23.571: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar  1 00:42:23.575: ISAKMP: Error while processing KMI message 0, error 2.
derby#

I have attached the relevant configs.

I have spent a lot of time trying to find any issue with the configurations but could not locate any. And it's pretty strange that it says "no PSK" is available for peer 19.1.1.1 when it is explicitly configured in the config.

After a lot of searching on Google, I found a similar issue whose solution involved "ip host" commands. Unfortunately, this solution also didn't work.


Can somebody throw light on a solution, or on how we can troubleshoot this issue to find the root cause?

Regards...

-Ashok.

pietrolicata Fri, 12/11/2009 - 06:19

Hi, I had a similar problem, and it was related to unmatched vrfs.

Take a look at this link:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ft_vrfip.htm#wp1027175

Restrictions for VRF-Aware IPSec

The VRF-Aware IPSec feature does not allow IPSec tunnel mapping between VRFs. For example, it does not allow IPSec tunnel mapping from VRF vpn1 to VRF vpn2.

At the moment, I just unconfigured vrfs but I'm still investigating if the issue can be resolved, say, with pki.

Hope it helps.

-Pietro.

ashok_boin Sun, 12/13/2009 - 21:36

Hi all,


I was able to solve the issue by using a VRF-specific key configuration.


crypto keyring key-MBT vrf MBT
  pre-shared-key address 19.1.1.1 key Cisco


Regards...

-Ashok.
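The symptom in this thread is a config-scoping problem rather than a missing key: the group member's registration left through an interface in VRF MBT, but the only pre-shared key for 19.1.1.1 was the global `crypto isakmp key` entry, and IOS reported "No pre-shared key with 19.1.1.1!" until the key was placed in a keyring bound to that VRF. The following Python script is an added example (not from the forum posts and not a Cisco tool) of a small config-lint check that catches this before the router does. It assumes, consistent with the fix above, that a peer reached through a VRF must have its PSK in a keyring bound to that VRF and that a global `crypto isakmp key ... address` entry is not consulted for it; the sample configs, the `check_gm_keys` function and the `registration_vrf` argument are constructed for the example, since the pasted configs do not show which interface (and therefore which VRF) the registration is sourced from.

```python
"""Config-lint check for a GET VPN group member: is the key server's pre-shared
key defined in the keyring scope that the registration traffic actually uses?

Added example, not Cisco code. Assumption: when the GM registers through an
interface in a VRF, IKE looks the peer's PSK up in a keyring bound to that VRF,
so a global `crypto isakmp key ... address` entry does not cover it.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

WILDCARD = "0.0.0.0"  # `pre-shared-key address 0.0.0.0 0.0.0.0` matches any peer


@dataclass
class KeyInventory:
    vrfs: Set[str] = field(default_factory=set)          # ip vrf NAME
    global_keys: Set[str] = field(default_factory=set)   # crypto isakmp key K address A
    keyrings: Dict[str, Set[str]] = field(default_factory=dict)  # scope -> peer addresses
    gdoi_servers: Set[str] = field(default_factory=set)  # server address ipv4 A


def parse_ios(config: str) -> KeyInventory:
    """Pull the VRFs, PSKs, keyrings and GDOI key-server addresses out of a
    show-run style config. Only the statements this check needs are parsed;
    hostname-based isakmp keys are ignored on purpose."""
    inv = KeyInventory()
    block = None  # ("keyring", scope) or ("gdoi", group) while inside an indented section
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line[0].isspace():          # top-level command: a new block starts here
            block = None
            if m := re.match(r"ip vrf (\S+)", line):
                inv.vrfs.add(m.group(1))
            elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
                inv.global_keys.add(m.group(1))
            elif m := re.match(r"crypto keyring \S+(?: vrf (\S+))?$", line):
                block = ("keyring", m.group(1) or "global")
            elif m := re.match(r"crypto gdoi group (\S+)", line):
                block = ("gdoi", m.group(1))
            continue
        text = line.strip()
        if block and block[0] == "keyring":
            if m := re.match(r"pre-shared-key address (\S+)", text):
                inv.keyrings.setdefault(block[1], set()).add(m.group(1))
        elif block and block[0] == "gdoi":
            if m := re.match(r"server address ipv4 (\S+)", text):
                inv.gdoi_servers.add(m.group(1))
    return inv


def check_gm_keys(config: str, registration_vrf: Optional[str]) -> List[str]:
    """Return findings (empty list means every key server has a usable PSK).
    registration_vrf is the VRF of the interface the GM registers from, or
    None for the global routing table; the caller supplies it because the
    interface-to-VRF mapping is not part of the crypto config."""
    inv = parse_ios(config)
    scope = registration_vrf or "global"
    covered = set(inv.keyrings.get(scope, set()))
    if scope == "global":
        covered |= inv.global_keys  # global `crypto isakmp key` lives in the default keyring
    findings = []
    for ks in sorted(inv.gdoi_servers):
        if ks in covered or WILDCARD in covered:
            continue
        hint = ""
        if ks in inv.global_keys:
            hint = (" (a global 'crypto isakmp key ... address' exists, but it is not "
                    "consulted for a peer reached through a VRF)")
        findings.append(f"key server {ks}: no pre-shared key in keyring scope '{scope}'{hint}")
    if registration_vrf and registration_vrf not in inv.vrfs:
        findings.append(f"VRF '{registration_vrf}' is not defined with 'ip vrf'")
    return findings


# Constructed sample configs modelled on the thread: the broken GM config has
# only a global isakmp key; the fixed one adds the VRF-bound keyring.
BROKEN_GM_CONFIG = """\
ip vrf MBT
 rd 100:1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Cisco address 19.1.1.1
!
crypto gdoi group getvpn
 identity number 1234
 server address ipv4 19.1.1.1
!
"""
FIXED_GM_CONFIG = BROKEN_GM_CONFIG + """\
crypto keyring key-MBT vrf MBT
  pre-shared-key address 19.1.1.1 key Cisco
!
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_GM_CONFIG), ("fixed", FIXED_GM_CONFIG)):
        print(name, "->", check_gm_keys(cfg, "MBT") or "OK")
```

Run against the broken config with `registration_vrf="MBT"` it reports the key server as uncovered and points at the global key as the likely cause; against the fixed config it reports nothing. Passing `None` instead of the VRF makes the broken config pass, which is exactly the trap in the thread: the key is present, just in the wrong scope for the path the registration takes.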

Giuseppe Larosa Wed, 12/16/2009 - 04:48

Hello Ashok,

You have been kind to provide feedback on this issue.

Best Regards

Giuseppe
