New Member

Negotiation tunnel between AIX and 2651

This is the debug output for ipsec and isakmp on c2651. It seems phase 2 is failing but I'm not able to guess why. Could anybody help me?

Could anybody tell me the meaning of "invalid proposal flags - 0x0"?

Thanks in advance..

VPN2651#debug crypto isakmp
Crypto ISAKMP debugging is on
VPN2651#debug crypto ipsec
Crypto IPSEC debugging is on
VPN2651#
01:35:30: ISAKMP (0:0): received packet from 172.16.21.228 (N) NEW SA
01:35:30: ISAKMP: local port 500, remote port 500
01:35:30: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_READY New State = IKE_R_MM1
01:35:30: ISAKMP (0:1): processing SA payload. message ID = 0
01:35:30: ISAKMP (0:1): found peer pre-shared key matching 172.16.21.228
01:35:30: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
01:35:30: ISAKMP: encryption DES-CBC
01:35:30: ISAKMP: hash MD5
01:35:30: ISAKMP: auth pre-share
01:35:30: ISAKMP: default group 1
01:35:30: ISAKMP: life type in seconds
VPN2651#
01:35:30: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
01:35:30: ISAKMP (0:1): atts are acceptable. Next payload is 0
01:35:30: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Old State = IKE_R_MM1 New State = IKE_R_MM1
01:35:30: ISAKMP (0:1): sending packet to 172.16.21.228 (R) MM_SA_SETUP
01:35:30: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_R_MM1 New State = IKE_R_MM2
VPN2651#
01:35:38: ISAKMP (0:1): received packet from 172.16.21.228 (R) MM_SA_SETUP
01:35:38: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
01:35:38: ISAKMP (0:1): retransmitting due to retransmit phase 1
01:35:38: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
01:35:38: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
01:35:38: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
01:35:38: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
01:35:38: ISAKMP (0:1): sending packet to 172.16.21.228 (R) MM_SA_SETUP
01:35:38: ISAKMP (0:1): received packet from 172.16.21.228 (R) MM_SA_SETUP
01:35:38: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_R_MM2 New State = IKE_R_MM3
01:35:38: ISAKMP (0:1): processing KE payload. message ID = 0
01:35:39: ISAKMP (0:1): processing NONCE payload. message ID = 0
01:35:39: ISAKMP (0:1): found peer pre-shared key matching 172.16.21.228
01:35:39: ISAKMP (0:1): SKEYID state generated
VPN2651#01:35:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Old State = IKE_R_MM3 New State = IKE_R_MM3
01:35:39: ISAKMP (0:1): sending packet to 172.16.21.228 (R) MM_KEY_EXCH
01:35:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_R_MM3 New State = IKE_R_MM4
01:35:39: ISAKMP (0:1): received packet from 172.16.21.228 (R) MM_KEY_EXCH
01:35:39: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_R_MM4 New State = IKE_R_MM5
01:35:39: ISAKMP (0:1): processing ID payload. message ID = 0
01:35:39: ISAKMP (0:1): processing HASH payload. message ID = 0
01:35:39: ISAKMP (0:1): SA has been authenticated with 172.16.21.228
01:35:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Old State = IKE_R_MM5 New State = IKE_R_MM5
01:35:39: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
01:35:39: ISAKMP (1): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
01:35:39: ISAKMP (1): Total payload length: 12
01:35:39: ISAKMP (0:1): sending packet to 172.16.21.228 (R) QM_IDLE
01:35:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
01:35:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
VPN2651#
VPN2651#
01:36:22: ISAKMP (0:1): received packet from 172.16.21.228 (R) QM_IDLE
01:36:22: ISAKMP (0:1): processing HASH payload. message ID = -1877728890
01:36:22: ISAKMP (0:1): processing SA payload. message ID = -1877728890
01:36:22: ISAKMP (0:1): Checking IPSec proposal 1
01:36:22: ISAKMP: transform 1, ESP_DES
01:36:22: ISAKMP: attributes in transform:
01:36:22: ISAKMP: SA life type in seconds
01:36:22: ISAKMP: SA life duration (basic) of 28800
01:36:22: ISAKMP: encaps is 2
01:36:22: ISAKMP: authenticator is HMAC-MD5
01:36:22: IPSEC(validate_proposal): invalid transform proposal flags -- 0x0
01:36:22: ISAKMP (0:1): atts not acceptable. Next payload is 0
01:36:22: ISAKMP (0:1): phase 2 SA not acceptable!
01:36:22: ISAKMP (0:1): sending packet to 172.16.21.228 (R) QM_IDLE
01:36:22: ISAKMP (0:1): purging node 314043992
01:36:22: ISAKMP (0:1): Unknown Input for node -1877728890: state = IKE_QM_READY, major = 0x00000001, minor = 0x0000000C
VPN2651#
01:36:22: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 172.16.21.228
VPN2651#
01:36:30: ISAKMP (0:1): received packet from 172.16.21.228 (R) QM_IDLE
01:36:30: ISAKMP (0:1): phase 2 packet is a duplicate of a previous packet.
01:36:30: ISAKMP (0:1): retransmitting due to retransmit phase 2
01:36:30: ISAKMP (0:1): retransmitting phase 2 QM_IDLE -1877728890 ...
01:36:30: ISAKMP (0:1): retransmitting phase 2 QM_IDLE -1877728890 ...
01:36:30: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
01:36:30: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
01:36:30: ISAKMP (0:1): no outgoing phase 2 packet to retransmit. -1877728890 QM_IDLE
VPN2651#
01:36:46: ISAKMP (0:1): received packet from 172.16.21.228 (R) QM_IDLE
01:36:46: ISAKMP (0:1): phase 2 packet is a duplicate of a previous packet.
01:36:46: ISAKMP (0:1): retransmitting due to retransmit phase 2
01:36:46: ISAKMP (0:1): retransmitting phase 2 QM_IDLE -1877728890 ...
01:36:46: ISAKMP (0:1): retransmitting phase 2 QM_IDLE -1877728890 ...
01:36:46: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
01:36:46: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
01:36:46: ISAKMP (0:1): no outgoing phase 2 packet to retransmit. -1877728890 QM_IDLE
VPN2651#

3 REPLIES
Cisco Employee

Re: Negotiation tunnel between AIX and 2651

I haven't got the exact decode of the 0x0 proposal, but I would start by checking the defined transform proposal on the router against the peer, i.e. esp-des, esp-hmac-md5 and also the lifetime. Does the peer understand the lifetime in secs or only in kb, or both?
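An added example, not code from the thread or from Cisco, serving both the original question (where does the negotiation stop?) and this reply's suggestion (compare the router's transform set against what the peer offers): a small Python script that parses IOS `debug crypto isakmp` / `debug crypto ipsec` lines into state transitions and quick-mode proposals, then lists the attributes on which the rejected proposal and a local transform set differ. SAMPLE_DEBUG is an excerpt copied from the original post; LOCAL_TRANSFORM_SET is a constructed stand-in, since the router's configuration is not shown in the thread; the decode of the `encaps` attribute to tunnel/transport follows the IPsec DOI (RFC 2407, Encapsulation Mode).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Encapsulation Mode attribute values defined by the IPsec DOI (RFC 2407, section 4.5).
ENCAPS_MODE = {1: "tunnel", 2: "transport"}

# Patterns for the IOS debug lines that appear in the thread.
TIMESTAMP_RE = re.compile(r"^\d{2}:\d{2}:\d{2}: ")
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
PROPOSAL_RE = re.compile(r"Checking IPSec proposal (\d+)")
TRANSFORM_RE = re.compile(r"ISAKMP: transform \d+, (\S+)")
LIFE_TYPE_RE = re.compile(r"SA life type in (\w+)")
LIFE_DUR_RE = re.compile(r"SA life duration \(basic\) of (\d+)")
ENCAPS_RE = re.compile(r"encaps is (\d+)")
AUTH_RE = re.compile(r"authenticator is (\S+)")
VERDICT_RE = re.compile(r"atts (are|not) acceptable")

# Constructed sample: lines copied from the debug output in the original post.
SAMPLE_DEBUG = """\
01:35:30: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_READY New State = IKE_R_MM1
01:35:30: ISAKMP (0:1): atts are acceptable. Next payload is 0
01:35:39: ISAKMP (0:1): SA has been authenticated with 172.16.21.228
Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
01:36:22: ISAKMP (0:1): Checking IPSec proposal 1
01:36:22: ISAKMP: transform 1, ESP_DES
01:36:22: ISAKMP: SA life type in seconds
01:36:22: ISAKMP: SA life duration (basic) of 28800
01:36:22: ISAKMP: encaps is 2
01:36:22: ISAKMP: authenticator is HMAC-MD5
01:36:22: IPSEC(validate_proposal): invalid transform proposal flags -- 0x0
01:36:22: ISAKMP (0:1): atts not acceptable. Next payload is 0
01:36:22: ISAKMP (0:1): phase 2 SA not acceptable!
"""

# Constructed stand-in for the router's transform set (the thread does not show
# the C2651 config). An IOS transform set is in tunnel mode unless configured otherwise.
LOCAL_TRANSFORM_SET = {
    "transform": "ESP_DES",
    "authenticator": "HMAC-MD5",
    "mode": "tunnel",
    "life_type": "seconds",
}


@dataclass
class Phase2Proposal:
    """One quick-mode (phase 2) proposal from the peer, plus the router's verdict."""
    number: int
    transform: Optional[str] = None
    life_type: Optional[str] = None
    life_duration: Optional[int] = None
    encaps: Optional[int] = None
    authenticator: Optional[str] = None
    accepted: Optional[bool] = None
    errors: List[str] = field(default_factory=list)

    @property
    def mode(self) -> str:
        return ENCAPS_MODE.get(self.encaps, f"unknown({self.encaps})")


def parse_state_transitions(text: str) -> List[Tuple[str, str]]:
    """Every 'Old State = X New State = Y' line, in order."""
    return [(m.group(1), m.group(2)) for m in STATE_RE.finditer(text)]


def phase1_completed(text: str) -> bool:
    """True if main mode reached IKE_P1_COMPLETE, so the failure is not in phase 1."""
    return any(new == "IKE_P1_COMPLETE" for _, new in parse_state_transitions(text))


def parse_phase2_proposals(text: str) -> List[Phase2Proposal]:
    """Collect each phase 2 proposal's attributes and whether IOS accepted it."""
    proposals: List[Phase2Proposal] = []
    current: Optional[Phase2Proposal] = None
    for raw in text.splitlines():
        line = TIMESTAMP_RE.sub("", raw)
        m = PROPOSAL_RE.search(line)
        if m:
            current = Phase2Proposal(int(m.group(1)))
            proposals.append(current)
            continue
        if current is None or current.accepted is not None:
            continue  # outside a proposal, or its verdict is already recorded
        if m := TRANSFORM_RE.search(line):
            current.transform = m.group(1)
        elif m := LIFE_TYPE_RE.search(line):
            current.life_type = m.group(1)
        elif m := LIFE_DUR_RE.search(line):
            current.life_duration = int(m.group(1))
        elif m := ENCAPS_RE.search(line):
            current.encaps = int(m.group(1))
        elif m := AUTH_RE.search(line):
            current.authenticator = m.group(1)
        elif line.startswith("IPSEC(validate_proposal)"):
            current.errors.append(line)  # e.g. the "invalid transform proposal flags" line
        elif m := VERDICT_RE.search(line):
            current.accepted = m.group(1) == "are"
    return proposals


def compare_with_local(proposal: Phase2Proposal, local: dict) -> List[str]:
    """Attributes on which the peer's proposal and the local transform set differ."""
    checks = [
        ("transform", proposal.transform, local["transform"]),
        ("authenticator", proposal.authenticator, local["authenticator"]),
        ("mode", proposal.mode, local["mode"]),
        ("life type", proposal.life_type, local["life_type"]),
    ]
    return [f"{name}: peer {peer}, local {mine}" for name, peer, mine in checks if peer != mine]


def summarize(text: str, local: dict) -> dict:
    """Where the negotiation stopped and why the rejected proposals did not match."""
    proposals = parse_phase2_proposals(text)
    return {
        "phase1_ok": phase1_completed(text),
        "proposals_seen": len(proposals),
        "rejected": [
            {"proposal": p.number, "errors": p.errors, "mismatches": compare_with_local(p, local)}
            for p in proposals if p.accepted is False
        ],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_DEBUG, LOCAL_TRANSFORM_SET), indent=2))
```

Run as a script it prints a summary showing phase 1 complete and proposal 1 rejected. With the constructed local set, the only attribute that differs is the mode: the peer offers `encaps is 2`, which is transport mode, while an IOS transform set stays in tunnel mode unless `mode transport` is configured under it. That attribute is worth checking alongside the cipher, hash and lifetime named in this reply; whether it is the actual cause on the poster's router cannot be told from the thread.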

New Member

Re: Negotiation tunnel between AIX and 2651

Thanks for your reply...

As far as I know, the peer understands the lifetime both ways, in kb and in seconds. I have requested more information from the AIX specialists.

In any case, I understand that your first suggestion is to check with different proposals (as mentioned in other similar conversations); this is going to be done tomorrow.

New Member

Re: Negotiation tunnel between AIX and 2651

Hi again Cris,

First of all, I apologize for my spelling; I know it could be horrible for you...

We have tested the tunnel again and it works with no changes to the C2651 config.

The only differences are:

The AIX machine is another one, which has the same system levels and fixes.

Some minor changes to the AIX Phase 1 and Phase 2 parameters have been made (mainly lifetime values).

We are going to test again with the old AIX machine and will tell you the results...

On the other hand, we have been asked to get information about CA configuration between AIX and Cisco routers. Could you give some feedback (supported or not, config samples, IOS required)?

Thanks for all your help.

Iñaki.
