Cisco Support Community

IPSEC Tunnel fails in Phase 1

Hello everybody,

(Read fullstory.cfg with all logs and configs, then you don't have to read this post ;-))

I have a problem regarding an IPsec tunnel.

It seems that Phase 1 will not be completed, but I can't find any errors.

This is the log on the concentrator side:

---

*Jul 23 12:56:48.861 CEST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 65535 policy

*Jul 23 12:56:48.861 CEST: ISAKMP: encryption AES-CBC

*Jul 23 12:56:48.861 CEST: ISAKMP: keylength of 256

*Jul 23 12:56:48.861 CEST: ISAKMP: hash SHA

*Jul 23 12:56:48.861 CEST: ISAKMP: default group 5

*Jul 23 12:56:48.861 CEST: ISAKMP: auth RSA sig

*Jul 23 12:56:48.861 CEST: ISAKMP: life type in seconds

*Jul 23 12:56:48.861 CEST: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

*Jul 23 12:56:48.861 CEST: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!

*Jul 23 12:56:48.861 CEST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3

*Jul 23 12:56:48.861 CEST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 65535 policy

*Jul 23 12:56:48.861 CEST: ISAKMP: encryption DES-CBC

*Jul 23 12:56:48.861 CEST: ISAKMP: hash SHA

*Jul 23 12:56:48.861 CEST: ISAKMP: default group 1

*Jul 23 12:56:48.861 CEST: ISAKMP: auth RSA sig

*Jul 23 12:56:48.861 CEST: ISAKMP: life type in seconds

*Jul 23 12:56:48.861 CEST: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

*Jul 23 12:56:48.861 CEST: ISAKMP:(0:0:N/A:0):RSA signature authentication offered but does not match policy!

*Jul 23 12:56:48.861 CEST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0

*Jul 23 12:56:48.865 CEST: ISAKMP:(0:0:N/A:0):no offers accepted!

*Jul 23 12:56:48.865 CEST: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (local 160.255.233.33 remote 160.255.233.46)

*Jul 23 12:56:48.865 CEST: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init

*Jul 23 12:56:48.865 CEST: ISAKMP:(0:0:N/A:0): sending packet to 160.255.233.46 my_port 500 peer_port 500 (R) MM_NO_STATE

*Jul 23 12:56:48.865 CEST: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

*Jul 23 12:56:48.865 CEST: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 160.255.233.46)

*Jul 23 12:56:48.865 CEST: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Jul 23 12:56:48.865 CEST: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch

*Jul 23 12:56:48.865 CEST: ISAKMP (0:0): vendor ID is NAT-T v7

*Jul 23 12:56:48.865 CEST: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Jul 23 12:56:48.865 CEST: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch

*Jul 23 12:56:48.865 CEST: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3

*Jul 23 12:56:48.865 CEST: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Jul 23 12:56:48.865 CEST: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch

*Jul 23 12:56:48.865 CEST: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2

*Jul 23 12:56:48.865 CEST: ISAKMP (0:0): FSM action returned error: 2

*Jul 23 12:56:48.865 CEST: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jul 23 12:56:48.865 CEST: ISAKMP:(0:0:N/A:0):Old State = IKE_R_MM1 New State = IKE_R_MM1

----

This is the relevant part of the client's log:

----

003664: Jul 23 2007 12:58:43.935 CEST: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 160.255.233.33

----

Both boxes (1841) are in the same public IP network for testing purposes.

Any help is appreciated.

niko


Re: IPSEC Tunnel fails in Phase 1

Yesterday evening I solved the problem.

The solution is to re-import the certificate on the concentrator.

There were old certificates in the certificate store with the same trustpoint name.

niko
