Lab 2.24 IOS ezVPN Remote: Digital Signatures

Hi,

I am having another problem with Lab 2.24 IOS ezVPN Remote: Digital Signatures. I even put INE's solution in word-by-word manner but R1 (Client Router) cannot establish IPSec SA with R3 (Server Router). The following are the debugging result, so sorry for its extreme length!

I hope that someone could help me. Thanks!

On R1 (Client router)

Rack1R1(config)#do crypto ipsec cli ez co EZVPN_CLIENT
May 15 08:27:32.100: EZVPN(EZVPN_CLIENT): Current State: CONNECT_REQUIRED
May 15 08:27:32.104: EZVPN(EZVPN_CLIENT): Event: CONNECT
May 15 08:27:32.104: EZVPN(EZVPN_CLIENT): ezvpn_connect_request
May 15 08:27:32.108: EZVPN(EZVPN_CLIENT): Found valid peer 136.1.123.3
May 15 08:27:32.108: EzVPN(EZVPN_CLIENT): sleep jitter delay 1351
Rack1R1(config)#do crypto ipsec cli ez co            
May 15 08:27:33.464: EZVPN(EZVPN_CLIENT): Route exists for 136.1.123.3 via 136.1.121.12,FastEthernet0/0.121 in IP DEFAULT TABLE
May 15 08:27:33.468: EZVPN(EZVPN_CLIENT): New State: READY
May 15 08:27:34.556: EZVPN(EZVPN_CLIENT): Current State: READY
May 15 08:27:34.556: EZVPN(EZVPN_CLIENT): Event: IKE_PFS
May 15 08:27:34.556: EZVPN(EZVPN_CLIENT): No state change
May 15 08:27:34.572: EZVPN(EZVPN_CLIENT): Current State: READY
May 15 08:27:34.572: EZVPN(EZVPN_CLIENT): Event: CONN_UP
May 15 08:27:34.572: EZVPN(EZVPN_CLIENT): ezvpn_conn_up 7C24D9C2 942AD568 4FF056FD A27E9B40
May 15 08:27:34.572: EZVPN(EZVPN_CLIENT): No state change
Rack1R1(config)#do crypto ipsec cli ez xa
May 15 08:27:39.380: EZVPN(EZVPN_CLIENT): Current State: READY
May 15 08:27:39.384: EZVPN(EZVPN_CLIENT): Event: XAUTH_REQUEST
May 15 08:27:39.384: EZVPN(EZVPN_CLIENT): ezvpn_xauth_request
May 15 08:27:39.388: EZVPN(EZVPN_CLIENT): ezvpn_parse_xauth_msg
May 15 08:27:39.388: EZVPN: Attributes sent in xauth request message:
May 15 08:27:39.392:         XAUTH_USER_NAME_V2(EZVPN_CLIENT):
May 15 08:27:39.392:         XAUTH_USER_PASSWORD_V2(EZVPN_CLIENT):
May 15 08:27:39.396: EZVPN(EZVPN_CLIENT): New State: XAUTH_REQ
Rack1R1(config)#do crypto ipsec cli ez xa
May 15 08:27:40.392: EZVPN(EZVPN_CLIENT): Pending XAuth Request, Please enter the following command:
May 15 08:27:40.396: EZVPN: crypto ipsec client ezvpn xauth

Rack1R1(config)#do crypto ipsec cli ez xa
Username: CISC
May 15 08:27:42.516: EZVPN(EZVPN_CLIENT): Current State: XAUTH_REQ
May 15 08:27:42.520: EZVPN(EZVPN_CLIENT): Event: XAUTH_PROMPTING
May 15 08:27:42.520: EZVPN(EZVPN_CLIENT): New State: XAUTH_PROMPT
CISCO
Password:
Rack1R1(config)#
EZVPN(EZVPN_CLIENT): IPSec connection terminated
May 15 08:27:46.708: EZVPN(EZVPN_CLIENT): Current State: XAUTH_PROMPT
May 15 08:27:46.712: EZVPN(EZVPN_CLIENT): Event: XAUTH_REQ_INFO_READY
May 15 08:27:46.712: EZVPN(EZVPN_CLIENT): ezvpn_xauth_reply
May 15 08:27:46.716:         XAUTH_USER_NAME_V2(EZVPN_CLIENT): CISCO
May 15 08:27:46.716:         XAUTH_USER_PASSWORD_V2(EZVPN_CLIENT): <omitted>
May 15 08:27:46.720: EZVPN(EZVPN_CLIENT): New State: XAUTH_REPLIED
May 15 08:27:46.860: EZVPN(EZVPN_CLIENT): Current State: XAUTH_REPLIED
May 15 08:27:46.860: EZVPN(EZVPN_CLIENT): Event: XAUTH_STATUS
May 15 08:27:46.864: EZVPN(EZVPN_CLIENT): xauth status received: Success
May 15 08:27:46.864: EZVPN(EZVPN_CLIENT): New State: READY
May 15 08:27:47.424: EZVPN(EZVPN_CLIENT): Current State: READY
May 15 08:27:47.428: EZVPN(EZVPN_CLIENT): Event: CONN_DOWN
May 15 08:27:47.428: EZVPN(EZVPN_CLIENT): ezvpn_close
May 15 08:27:47.432: EZVPN(EZVPN_CLIENT): VPN Route Deleted 0.0.0.0 0.0.0.0 via
Rack1R1(config)#Virtual-Access2 in IP DEFAULT TABLE
May 15 08:27:47.432: EZVPN(EZVPN_CLIENT): nulling context
May 15 08:27:47.440: EZVPN(EZVPN_CLIENT): No preshared key to delete.
May 15 08:27:47.440: EZVPN(EZVPN_CLIENT): No Connect ACL checking status change
May 15 08:27:47.444: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=  Server_public_addr=136.1.123.3 
May 15 08:27:47.452: EZVPN(EZVPN_CLIENT): New State: CONNECT_REQUIRED

On R3 (Server router)

May 15 08:27:33.450: ISAKMP (0:0): received packet from 136.1.121.1 dport 500 sport 500 Global (N) NEW SA
May 15 08:27:33.458: ISAKMP: Created a peer struct for 136.1.121.1, peer port 500
May 15 08:27:33.462: ISAKMP: New peer created peer = 0x63AF0CD0 peer_handle = 0x80000006
May 15 08:27:33.462: ISAKMP: Locking peer struct 0x63AF0CD0, refcount 1 for crypto_isakmp_process_block
May 15 08:27:33.466: ISAKMP: local port 500, remote port 500
May 15 08:27:33.470: insert sa successfully sa = 63AF1988
May 15 08:27:33.474: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 15 08:27:33.478: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

May 15 08:27:33.494: ISAKMP:(0): processing SA payload. message ID = 0
May 15 08:27:33.494: ISAKMP:(0): processing vendor id payload
May 15 08:27:33.498: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
May 15 08:27:33.498: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
May 15 08:27:33.502: ISAKMP:(0): processing vendor id pa
Rack1R3(config)#yload
May 15 08:27:33.506: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
May 15 08:27:33.506: ISAKMP (0:0): vendor ID is NAT-T v7
May 15 08:27:33.506: ISAKMP:(0): processing vendor id payload
May 15 08:27:33.506: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
May 15 08:27:33.506: ISAKMP:(0): vendor ID is NAT-T v3
May 15 08:27:33.506: ISAKMP:(0): processing vendor id payload
May 15 08:27:33.506: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
May 15 08:27:33.506: ISAKMP:(0): vendor ID is NAT-T v2
May 15 08:27:33.506: ISAKMP : Scanning profiles for xauth ... ISAPROF_EZVPN
May 15 08:27:33.506: ISAKMP:(0): Authentication by xauth preshared
May 15 08:27:33.506: ISAKMP:(0):Checking ISAKMP transform 1 against priority 16 policy
May 15 08:27:33.506: ISAKMP:      encryption AES-CBC
May 15 08:27:33.506: ISAKMP:      keylength of 128
May 15 08:27:33.506: ISAKMP:      hash SHA
May 15 08:27:33.506: ISAKMP:      default group 2
May 15 08:27:
Rack1R3(config)#33.506: ISAKMP:      auth XAUTHInitRSA
May 15 08:27:33.506: ISAKMP:      life type in seconds
May 15 08:27:33.506: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
May 15 08:27:33.506: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 15 08:27:33.506: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 15 08:27:33.506: ISAKMP:(0):Checking ISAKMP transform 2 against priority 16 policy
May 15 08:27:33.506: ISAKMP:      encryption AES-CBC
May 15 08:27:33.506: ISAKMP:      keylength of 128
May 15 08:27:33.506: ISAKMP:      hash MD5
May 15 08:27:33.506: ISAKMP:      default group 2
May 15 08:27:33.506: ISAKMP:      auth XAUTHInitRSA
May 15 08:27:33.506: ISAKMP:      life type in seconds
May 15 08:27:33.506: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
May 15 08:27:33.506: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 15 08:27:33.506: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 15 08:27:33.506: ISAK
Rack1R3(config)#MP:(0):Checking ISAKMP transform 3 against priority 16 policy
May 15 08:27:33.510: ISAKMP:      encryption AES-CBC
May 15 08:27:33.510: ISAKMP:      keylength of 192
May 15 08:27:33.510: ISAKMP:      hash SHA
May 15 08:27:33.510: ISAKMP:      default group 2
May 15 08:27:33.510: ISAKMP:      auth XAUTHInitRSA
May 15 08:27:33.510: ISAKMP:      life type in seconds
May 15 08:27:33.510: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
May 15 08:27:33.510: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 15 08:27:33.510: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 15 08:27:33.510: ISAKMP:(0):Checking ISAKMP transform 4 against priority 16 policy
May 15 08:27:33.510: ISAKMP:      encryption AES-CBC
May 15 08:27:33.510: ISAKMP:      keylength of 192
May 15 08:27:33.510: ISAKMP:      hash MD5
May 15 08:27:33.510: ISAKMP:      default group 2
May 15 08:27:33.510: ISAKMP:      auth XAUTHInitRSA
May 15 08:27:33.510: ISAKMP:      life type
Rack1R3(config)#in seconds
May 15 08:27:33.510: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
May 15 08:27:33.510: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 15 08:27:33.510: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 15 08:27:33.510: ISAKMP:(0):Checking ISAKMP transform 5 against priority 16 policy
May 15 08:27:33.510: ISAKMP:      encryption AES-CBC
May 15 08:27:33.510: ISAKMP:      keylength of 256
May 15 08:27:33.510: ISAKMP:      hash SHA
May 15 08:27:33.510: ISAKMP:      default group 2
May 15 08:27:33.510: ISAKMP:      auth XAUTHInitRSA
May 15 08:27:33.510: ISAKMP:      life type in seconds
May 15 08:27:33.510: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
May 15 08:27:33.510: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 15 08:27:33.510: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 15 08:27:33.510: ISAKMP:(0):Checking ISAKMP transform 6 against priority 16 policy
May 15 08:27:33.510:
Rack1R3(config)#ISAKMP:      encryption AES-CBC
May 15 08:27:33.510: ISAKMP:      keylength of 256
May 15 08:27:33.510: ISAKMP:      hash MD5
May 15 08:27:33.510: ISAKMP:      default group 2
May 15 08:27:33.510: ISAKMP:      auth XAUTHInitRSA
May 15 08:27:33.510: ISAKMP:      life type in seconds
May 15 08:27:33.510: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
May 15 08:27:33.510: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 15 08:27:33.510: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 15 08:27:33.510: ISAKMP:(0):Checking ISAKMP transform 7 against priority 16 policy
May 15 08:27:33.510: ISAKMP:      encryption AES-CBC
May 15 08:27:33.510: ISAKMP:      keylength of 128
May 15 08:27:33.510: ISAKMP:      hash SHA
May 15 08:27:33.510: ISAKMP:      default group 2
May 15 08:27:33.510: ISAKMP:      auth RSA sig
May 15 08:27:33.510: ISAKMP:      life type in seconds
May 15 08:27:33.510: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Rack1R3(config)#
May 15 08:27:33.510: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 15 08:27:33.510: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 15 08:27:33.510: ISAKMP:(0):Checking ISAKMP transform 8 against priority 16 policy
May 15 08:27:33.510: ISAKMP:      encryption AES-CBC
May 15 08:27:33.510: ISAKMP:      keylength of 128
May 15 08:27:33.510: ISAKMP:      hash MD5
May 15 08:27:33.510: ISAKMP:      default group 2
May 15 08:27:33.510: ISAKMP:      auth RSA sig
May 15 08:27:33.510: ISAKMP:      life type in seconds
May 15 08:27:33.510: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
May 15 08:27:33.510: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 15 08:27:33.510: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 15 08:27:33.510: ISAKMP:(0):Checking ISAKMP transform 9 against priority 16 policy
May 15 08:27:33.510: ISAKMP:      encryption AES-CBC
May 15 08:27:33.510: ISAKMP:      keylength of 192
May 15 08
Rack1R3(config)#:27:33.510: ISAKMP:      hash SHA
May 15 08:27:33.510: ISAKMP:      default group 2
May 15 08:27:33.510: ISAKMP:      auth RSA sig
May 15 08:27:33.510: ISAKMP:      life type in seconds
May 15 08:27:33.514: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
May 15 08:27:33.514: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 15 08:27:33.514: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 15 08:27:33.514: ISAKMP:(0):Checking ISAKMP transform 10 against priority 16 policy
May 15 08:27:33.514: ISAKMP:      encryption AES-CBC
May 15 08:27:33.514: ISAKMP:      keylength of 192
May 15 08:27:33.514: ISAKMP:      hash MD5
May 15 08:27:33.514: ISAKMP:      default group 2
May 15 08:27:33.514: ISAKMP:      auth RSA sig
May 15 08:27:33.514: ISAKMP:      life type in seconds
May 15 08:27:33.514: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
May 15 08:27:33.514: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 15 08:2
Rack1R3(config)#7:33.514: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 15 08:27:33.514: ISAKMP:(0):Checking ISAKMP transform 11 against priority 16 policy
May 15 08:27:33.514: ISAKMP:      encryption AES-CBC
May 15 08:27:33.514: ISAKMP:      keylength of 256
May 15 08:27:33.514: ISAKMP:      hash SHA
May 15 08:27:33.514: ISAKMP:      default group 2
May 15 08:27:33.514: ISAKMP:      auth RSA sig
May 15 08:27:33.514: ISAKMP:      life type in seconds
May 15 08:27:33.514: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
May 15 08:27:33.514: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 15 08:27:33.514: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 15 08:27:33.514: ISAKMP:(0):Checking ISAKMP transform 12 against priority 16 policy
May 15 08:27:33.514: ISAKMP:      encryption AES-CBC
May 15 08:27:33.514: ISAKMP:      keylength of 256
May 15 08:27:33.514: ISAKMP:      hash MD5
May 15 08:27:33.514: ISAKMP:      default group 2
May 15 08:
Rack1R3(config)#27:33.514: ISAKMP:      auth RSA sig
May 15 08:27:33.514: ISAKMP:      life type in seconds
May 15 08:27:33.514: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
May 15 08:27:33.514: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 15 08:27:33.514: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 15 08:27:33.514: ISAKMP:(0):Checking ISAKMP transform 13 against priority 16 policy
May 15 08:27:33.514: ISAKMP:      encryption 3DES-CBC
May 15 08:27:33.514: ISAKMP:      hash SHA
May 15 08:27:33.514: ISAKMP:      default group 2
May 15 08:27:33.514: ISAKMP:      auth XAUTHInitRSA
May 15 08:27:33.514: ISAKMP:      life type in seconds
May 15 08:27:33.514: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
May 15 08:27:33.514: ISAKMP:(0):Hash algorithm offered does not match policy!
May 15 08:27:33.514: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 15 08:27:33.514: ISAKMP:(0):Checking ISAKMP transform 14 against priority 16 po
Rack1R3(config)#licy
May 15 08:27:33.514: ISAKMP:      encryption 3DES-CBC
May 15 08:27:33.514: ISAKMP:      hash MD5
May 15 08:27:33.514: ISAKMP:      default group 2
May 15 08:27:33.514: ISAKMP:      auth XAUTHInitRSA
May 15 08:27:33.514: ISAKMP:      life type in seconds
May 15 08:27:33.514: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
May 15 08:27:33.518: ISAKMP:(0):atts are acceptable. Next payload is 3
May 15 08:27:33.518: ISAKMP:(0):Acceptable atts:actual life: 86400
May 15 08:27:33.518: ISAKMP:(0):Acceptable atts:life: 0
May 15 08:27:33.518: ISAKMP:(0):Fill atts in sa vpi_length:4
May 15 08:27:33.518: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
May 15 08:27:33.518: ISAKMP:(0):Returning Actual lifetime: 86400
May 15 08:27:33.518: ISAKMP:(0)::Started lifetime timer: 86400.

May 15 08:27:33.518: ISAKMP:(0): processing vendor id payload
May 15 08:27:33.518: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
May 15 08:27:33.518: ISAKMP (0:0): vendor ID
Rack1R3(config)#is NAT-T RFC 3947
May 15 08:27:33.518: ISAKMP:(0): processing vendor id payload
May 15 08:27:33.518: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
May 15 08:27:33.518: ISAKMP (0:0): vendor ID is NAT-T v7
May 15 08:27:33.518: ISAKMP:(0): processing vendor id payload
May 15 08:27:33.518: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
May 15 08:27:33.518: ISAKMP:(0): vendor ID is NAT-T v3
May 15 08:27:33.518: ISAKMP:(0): processing vendor id payload
May 15 08:27:33.518: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
May 15 08:27:33.518: ISAKMP:(0): vendor ID is NAT-T v2
May 15 08:27:33.518: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 15 08:27:33.518: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

May 15 08:27:33.526: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
May 15 08:27:33.526: ISAKMP:(0): sending packet to 136.1.121.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
May 15 08:27:33.526: ISAKMP:(0):S
Rack1R3(config)#ending an IKE IPv4 Packet.
May 15 08:27:33.530: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 15 08:27:33.530: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

May 15 08:27:33.622: ISAKMP (0:0): received packet from 136.1.121.1 dport 500 sport 500 Global (R) MM_SA_SETUP
May 15 08:27:33.626: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 15 08:27:33.630: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

May 15 08:27:33.642: ISAKMP:(0): processing KE payload. message ID = 0
May 15 08:27:33.698: ISAKMP:(0): processing NONCE payload. message ID = 0
May 15 08:27:33.702: ISAKMP:(1005): processing CERT_REQ payload. message ID = 0
May 15 08:27:33.702: ISAKMP:(1005): peer wants a CT_X509_SIGNATURE cert
May 15 08:27:33.706: ISAKMP:(1005): peer wants cert issued by cn=CCIE26930
May 15 08:27:33.706: CRYPTO_PKI: Trust-Point CCIE26930 picked up
May 15 08:27:33.710:  Choosing trustpoint CCIE26930 as issuer
May 15 08:27:33.714: CRYPTO_PKI: unlo
Rack1R3(config)#cked trustpoint CCIE26930, refcount is 0
May 15 08:27:33.714: CRYPTO_PKI: locked trustpoint CCIE26930, refcount is 1
May 15 08:27:33.718: ISAKMP:(1005): processing vendor id payload
May 15 08:27:33.718: ISAKMP:(1005): vendor ID is Unity
May 15 08:27:33.718: ISAKMP:(1005): processing vendor id payload
May 15 08:27:33.718: ISAKMP:(1005): vendor ID is DPD
May 15 08:27:33.718: ISAKMP:(1005): processing vendor id payload
May 15 08:27:33.718: ISAKMP:(1005): speaking to another IOS box!
May 15 08:27:33.718: ISAKMP:received payload type 20
May 15 08:27:33.718: ISAKMP:received payload type 20
May 15 08:27:33.718: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 15 08:27:33.722: ISAKMP:(1005):Old State = IKE_R_MM3  New State = IKE_R_MM3

May 15 08:27:33.730: ISAKMP (0:1005): constructing CERT_REQ for issuer cn=CCIE26930
May 15 08:27:33.730: ISAKMP:(1005): sending packet to 136.1.121.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
May 15 08:27:33.730: ISAKMP:(1005):
Rack1R3(config)#Sending an IKE IPv4 Packet.
May 15 08:27:33.734: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 15 08:27:33.734: ISAKMP:(1005):Old State = IKE_R_MM3  New State = IKE_R_MM4

May 15 08:27:33.950: ISAKMP (0:1005): received packet from 136.1.121.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
May 15 08:27:33.958: ISAKMP:(1005):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 15 08:27:33.962: ISAKMP:(1005):Old State = IKE_R_MM4  New State = IKE_R_MM5

May 15 08:27:33.978: ISAKMP:(1005): processing ID payload. message ID = 0
May 15 08:27:33.982: ISAKMP (0:1005): ID payload
        next-payload : 6
        type         : 9
        Dist. name   : hostname=Rack1R1.ine.com
        protocol     : 17
        port         : 500
        length       : 42
May 15 08:27:33.994: ISAKMP:(0):: UNITY's identity FQDN but no group info
May 15 08:27:33.994: ISAKMP:(0):: peer matches *none* of the profiles
May 15 08:27:33.994: ISAKMP:(1005): processing CERT payload. message ID = 0
May 15 08:27:33.994: ISAKMP:(1005
Rack1R3(config)#): processing a CT_X509_SIGNATURE cert
May 15 08:27:33.994: CRYPTO_PKI: Adding peer certificate
May 15 08:27:34.006: CRYPTO_PKI: Added x509 peer certificate - (1003) bytes
May 15 08:27:34.006: CRYPTO_PKI: Certificate data
     30 82 03 E7 30 82 02 CF A0 03 02 01 02 02 0A 16
     07 94 8E 00 00 00 00 00 13 30 0D 06 09 2A 86 48
     86 F7 0D 01 01 05 05 00 30 14 31 12 30 10 06 03
     55 04 03 13 09 43 43 49 45 32 36 39 33 30 30 1E
     17 0D 31 31 30 35 31 35 30 38 30 33 34 39 5A 17
     0D 31 32 30 35 31 35 30 38 31 33 34 39 5A 30 20
     31 1E 30 1C 06 09 2A 86 48 86 F7 0D 01 09 02 13
     0F 52 61 63 6B 31 52 31 2E 69 6E 65 2E 63 6F 6D
     30 7C 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05
     00 03 6B 00 30 68 02 61 00 AA 6B 01 6C 9B 7B AA
     3B 65 05 2F 57 DD 78 8A D8 12 24 41 9C F3 6A F4
     66 F9 8F 16 FC 83 E2 14 95 40 AF D5 96 5E DC 60
     E1 B3 EF 30 F7 45 9C 09 4F 4E D1 72 90 DE DE CB
     0F 22 EC B4 2F 6E 29 74 C1 96 FD 12 6B 7F 98 42
 
Rack1R3(config)#   F9 5C EC 0F 9F 0A 8F 1D 8A 18 D8 DE 9B 31 6C 7D
     08 48 6C 82 44 90 64 26 D7 02 03 01 00 01 A3 82
     01 D5 30 82 01 D1 30 0B 06 03 55 1D 0F 04 04 03
     02 05 A0 30 1D 06 03 55 1D 0E 04 16 04 14 43 13
     D0 B3 4C 9E 66 9A 5C 75 7F 08 BB AB CB 89 35 D0
     3B 50 30 1F 06 03 55 1D 23 04 18 30 16 80 14 26
     E6 4E E2 DA 8D B0 05 BF 80 24 B5 06 97 95 0B F6
     D4 EC C7 30 73 06 03 55 1D 1F 04 6C 30 6A 30 68
     A0 66 A0 64 86 2F 68 74 74 70 3A 2F 2F 63 69 73
     63 6F 2D 75 72 68 31 65 69 37 66 6A 2F 43 65 72
     74 45 6E 72 6F 6C 6C 2F 43 43 49 45 32 36 39 33
     30 2E 63 72 6C 86 31 66 69 6C 65 3A 2F 2F 5C 5C
     63 69 73 63 6F 2D 75 72 68 31 65 69 37 66 6A 5C
     43 65 72 74 45 6E 72 6F 6C 6C 5C 43 43 49 45 32
     36 39 33 30 2E 63 72 6C 30 81 AC 06 08 2B 06 01
     05 05 07 01 01 04 81 9F 30 81 9C 30 4B 06 08 2B
     06 01 05 05 07 30 02 86 3F 68 74 74 70 3A 2F 2F
     63 69 73 63 6F 2D 75 72 68 31 65 69 37 66 6A 2F
     43 65
Rack1R3(config)#72 74 45 6E 72 6F 6C 6C 2F 63 69 73 63 6F
     2D 75 72 68 31 65 69 37 66 6A 5F 43 43 49 45 32
     36 39 33 30 2E 63 72 74 30 4D 06 08 2B 06 01 05
     05 07 30 02 86 41 66 69 6C 65 3A 2F 2F 5C 5C 63
     69 73 63 6F 2D 75 72 68 31 65 69 37 66 6A 5C 43
     65 72 74 45 6E 72 6F 6C 6C 5C 63 69 73 63 6F 2D
     75 72 68 31 65 69 37 66 6A 5F 43 43 49 45 32 36
     39 33 30 2E 63 72 74 30 1D 06 03 55 1D 11 01 01
     FF 04 13 30 11 82 0F 52 61 63 6B 31 52 31 2E 69
     6E 65 2E 63 6F 6D 30 3F 06 09 2B 06 01 04 01 82
     37 14 02 04 32 1E 30 00 49 00 50 00 53 00 45 00
     43 00 49 00 6E 00 74 00 65 00 72 00 6D 00 65 00
     64 00 69 00 61 00 74 00 65 00 4F 00 66 00 66 00
     6C 00 69 00 6E 00 65 30 0D 06 09 2A 86 48 86 F7
     0D 01 01 05 05 00 03 82 01 01 00 2A 50 91 9C 48
     E8 66 5F E7 1C 15 04 C7 29 06 F8 F3 9C 42 7E D7
     E9 E9 21 CE 7F 29 5F BD 0D E0 D5 5E 04 C6 C2 B0
     2A 6F 58 22 AF 8D 51 F3 00 27 67 22 DD 31 B1 39
     2A B0 D2 E9 87
Rack1R3(config)#3F 9F CB F8 F3 FB 31 E2 09 74 90
     7B A5 BC 7D 6E 5C EE B6 3D AB CA 5F 12 35 5B A5
     B5 5F EC 4D FA 1A A5 38 2C FE AA 11 03 93 DF 5E
     83 99 45 F7 DC CA D0 D0 0E 6B F1 C5 7C C3 6A 29
     9C C5 99 BF EC CE C8 CC 7B 25 22 3B F0 22 54 60
     FD CC 28 02 E8 B1 22 98 E3 D7 AB 73 75 9F 20 51
     BD AB F5 F7 16 4F 60 82 B7 DE 74 5A 56 56 07 C3
     AC 43 C4 49 20 13 2D 67 DD E0 D5 69 96 F8 DC 44
     A0 DB 66 45 46 EA F9 CB 59 D8 D9 51 75 63 11 07
     5D 1C 6A 37 8F 8F CC CB C3 A0 FE 64 3C E7 D6 1D
     A4 E0 EE B7 2A 63 C2 BF 49 99 2C DA 3D 7A 17 C5
     01 BC 63 CA 81 FE 08 BB 70 17 9E 3A 2B DD BF 9F
     28 F0 D5 A4 62 DA C3 52 B6 45 8C               

May 15 08:27:34.022: ISAKMP:(1005): peer's pubkey isn't cached
May 15 08:27:34.026: CRYPTO_PKI: validation path has 1 certs

May 15 08:27:34.026: CRYPTO_PKI: Check for identical certs
May 15 08:27:34.026: CRYPTO_PKI: Create a list of suitable trustpoints
May 15 08:27:34.026: CRYPTO_PKI: Found a i
Rack1R3(config)#ssuer match
May 15 08:27:34.026: CRYPTO_PKI: Suitable trustpoints are: CCIE26930,
May 15 08:27:34.026: CRYPTO_PKI: Attempting to validate certificate using CCIE26930
May 15 08:27:34.026: CRYPTO_PKI: Using CCIE26930 to validate certificate
May 15 08:27:34.074: CRYPTO_PKI: Certificate is verified
May 15 08:27:34.078: CRYPTO_PKI: Certificate validated without revocation check
May 15 08:27:34.078: CRYPTO_PKI: Selected AAA username: 'Rack1R1.ine.com'
May 15 08:27:34.082: CRYPTO_PKI: chain cert was anchored to trustpoint CCIE26930, and chain validation result was: CRYPTO_VALID_CERT_WITH_WARNING
May 15 08:27:34.082: CRYPTO_PKI: Validation TP is CCIE26930
May 15 08:27:34.082: CRYPTO_PKI: Certificate validation succeeded
May 15 08:27:34.086: ISAKMP:(1005): Unable to get DN from certificate!
May 15 08:27:34.086: ISAKMP:(1005): Cert presented by peer contains no OU field.
May 15 08:27:34.094: ISAKMP:(0): certificate map matches ISAPROF_EZVPN profile
May 15 08:27:34.094: ISAKMP:(0):
Rack1R3(config)#Trying to re-validate CERT using new profile
May 15 08:27:34.094: ISAKMP:(0): CERT validity confirmed.
May 15 08:27:34.094: ISAKMP:(1005):Profile has no keyring, aborting key search
May 15 08:27:34.098: ISAKMP:(1005):Setting client config settings 648DBE10
May 15 08:27:34.098: ISAKMP:(1005):(Re)Setting client xauth list  and state
May 15 08:27:34.098: ISAKMP/xauth: initializing AAA request
May 15 08:27:34.118: ISAKMP:(1005): processing SIG payload. message ID = 0
May 15 08:27:34.130: ISAKMP:(1005): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 63AF1988
May 15 08:27:34.134: ISAKMP:(1005):SA authentication status:
        authenticated
May 15 08:27:34.134: ISAKMP:(1005):SA has been authenticated with 136.1.121.1
May 15 08:27:34.134: ISAKMP:(1005):SA authentication status:
        authenticated
May 15 08:27:34.134: ISAKMP:(1005): Process initial contact,
bring down existing phase 1 and 2 SA's with local 136.1.123.3 remote 136.1.121.1 remote port 500
May 15 0
Rack1R3(config)#8:27:34.134: ISAKMP:(1005):returning IP addr to the address pool
May 15 08:27:34.146: ISAKMP: Trying to insert a peer 136.1.123.3/136.1.121.1/500/,  and inserted successfully 63AF0CD0.
May 15 08:27:34.150: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 15 08:27:34.154: ISAKMP:(1005):Old State = IKE_R_MM5  New State = IKE_R_MM5

May 15 08:27:34.186: ISAKMP:(1005):My ID configured as IPv4 Addr, but Addr not in Cert!
May 15 08:27:34.190: ISAKMP:(1005):Using FQDN as My ID
May 15 08:27:34.190: ISAKMP:(1005):SA is doing RSA signature authentication plus XAUTH using id type ID_FQDN
May 15 08:27:34.190: ISAKMP (0:1005): ID payload
        next-payload : 6
        type         : 2
        FQDN name    : Rack1R3.ine.com
        protocol     : 17
        port         : 500
        length       : 23
May 15 08:27:34.194: ISAKMP:(1005):Total payload length: 23
May 15 08:27:34.214: ISAKMP (0:1005): constructing CERT payload for hostname=Rack1R3.ine.com
May 15 08:27:34.214: ISKAMP: growing send buff
Rack1R3(config)#er from 1024 to 3072
May 15 08:27:34.214: ISAKMP:(1005): using the CCIE26930 trustpoint's keypair to sign
May 15 08:27:34.250: ISAKMP:(1005): sending packet to 136.1.121.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
May 15 08:27:34.250: ISAKMP:(1005):Sending an IKE IPv4 Packet.
May 15 08:27:34.254: ISAKMP:(1005):Returning Actual lifetime: 86400
May 15 08:27:34.258: ISAKMP: set new node -1459908322 to CONF_XAUTH  
May 15 08:27:34.262: ISAKMP:(1005):Sending NOTIFY RESPONDER_LIFETIME protocol 1
        spi 1692159448, message ID = -1459908322
May 15 08:27:34.266: ISAKMP:(1005): sending packet to 136.1.121.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
May 15 08:27:34.270: ISAKMP:(1005):Sending an IKE IPv4 Packet.
May 15 08:27:34.270: ISAKMP:(1005):purging node -1459908322
May 15 08:27:34.274: ISAKMP: Sending phase 1 responder lifetime 86400

May 15 08:27:34.278: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 15 08:27:34.278: ISAKMP:(1005):Old State = IKE_R_MM5  New
Rack1R3(config)#State = IKE_P1_COMPLETE

May 15 08:27:34.290: ISAKMP:(1005):Need XAUTH
May 15 08:27:34.294: ISAKMP: set new node 2022680176 to CONF_XAUTH  
May 15 08:27:34.298: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
May 15 08:27:34.298: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
May 15 08:27:34.302: ISAKMP:(1005): initiating peer config to 136.1.121.1. ID = 2022680176
May 15 08:27:34.302: ISAKMP:(1005): sending packet to 136.1.121.1 my_port 500 peer_port 500 (R) CONF_XAUTH  
May 15 08:27:34.302: ISAKMP:(1005):Sending an IKE IPv4 Packet.
May 15 08:27:34.302: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 15 08:27:34.302: ISAKMP:(1005):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT

May 15 08:27:39.302: ISAKMP:(1005): retransmitting phase 2 CONF_XAUTH    2022680176 ...
May 15 08:27:39.302: ISAKMP (0:1005): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
May 15 08:27:39.302: ISAKMP (0:1005): incrementing erro
Rack1R3(config)#r counter on sa, attempt 1 of 5: retransmit phase 2
May 15 08:27:39.302: ISAKMP:(1005): retransmitting phase 2 2022680176 CONF_XAUTH  
May 15 08:27:39.306: ISAKMP:(1005): sending packet to 136.1.121.1 my_port 500 peer_port 500 (R) CONF_XAUTH  
May 15 08:27:39.306: ISAKMP:(1005):Sending an IKE IPv4 Packet.
May 15 08:27:46.666: ISAKMP (0:1005): received packet from 136.1.121.1 dport 500 sport 500 Global (R) CONF_XAUTH  
May 15 08:27:46.674: ISAKMP:(1005):processing transaction payload from 136.1.121.1. message ID = 2022680176
May 15 08:27:46.678: ISAKMP: Config payload REPLY
May 15 08:27:46.678: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
May 15 08:27:46.678: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
May 15 08:27:46.686: ISAKMP:(1005):deleting node 2022680176 error FALSE reason "Done with xauth request/reply exchange"
May 15 08:27:46.690: ISAKMP:(1005):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
May 15 08:27:46.694: ISAKMP:(1005):Old State = IKE_XAUTH_REQ_SEN
Rack1R3(config)#T  New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT

May 15 08:27:46.714: ISAKMP: set new node -1509423753 to CONF_XAUTH  
May 15 08:27:46.718: ISAKMP:(1005): initiating peer config to 136.1.121.1. ID = -1509423753
May 15 08:27:46.722: ISAKMP:(1005): sending packet to 136.1.121.1 my_port 500 peer_port 500 (R) CONF_XAUTH  
May 15 08:27:46.726: ISAKMP:(1005):Sending an IKE IPv4 Packet.
May 15 08:27:46.730: ISAKMP:(1005):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
May 15 08:27:46.730: ISAKMP:(1005):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT  New State = IKE_XAUTH_SET_SENT

May 15 08:27:46.818: ISAKMP (0:1005): received packet from 136.1.121.1 dport 500 sport 500 Global (R) CONF_XAUTH  
May 15 08:27:46.826: ISAKMP:(1005):processing transaction payload from 136.1.121.1. message ID = -1509423753
May 15 08:27:46.830: ISAKMP: Config payload ACK
May 15 08:27:46.834: ISAKMP:(1005):       XAUTH ACK Processed
May 15 08:27:46.834: ISAKMP:(1005):deleting node -1509423753 error FALSE r
Rack1R3(config)#eason "Transaction mode done"
May 15 08:27:46.838: ISAKMP:(1005):Talking to a Unity Client
May 15 08:27:46.842: ISAKMP:(1005):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
May 15 08:27:46.842: ISAKMP:(1005):Old State = IKE_XAUTH_SET_SENT  New State = IKE_P1_COMPLETE

May 15 08:27:46.886: CRYPTO_PKI: unlocked trustpoint CCIE26930, refcount is 0
May 15 08:27:46.890: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 15 08:27:46.894: ISAKMP:(1005):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

May 15 08:27:46.898: ISAKMP (0:1005): received packet from 136.1.121.1 dport 500 sport 500 Global (R) QM_IDLE     
May 15 08:27:46.902: ISAKMP: set new node -969631311 to QM_IDLE     
May 15 08:27:46.906: ISAKMP:(1005):processing transaction payload from 136.1.121.1. message ID = -969631311
May 15 08:27:46.910: ISAKMP: Config payload REQUEST
May 15 08:27:46.914: ISAKMP:(1005):checking request:
May 15 08:27:46.914: ISAKMP:    IP4_ADDRESS
May 15 08:27:46.918: ISA
Rack1R3(config)#KMP:    IP4_NETMASK
May 15 08:27:46.918: ISAKMP:    MODECFG_CONFIG_URL
May 15 08:27:46.918: ISAKMP:    MODECFG_CONFIG_VERSION
May 15 08:27:46.922: ISAKMP:    IP4_DNS
May 15 08:27:46.922: ISAKMP:    IP4_DNS
May 15 08:27:46.922: ISAKMP:    IP4_NBNS
May 15 08:27:46.926: ISAKMP:    IP4_NBNS
May 15 08:27:46.926: ISAKMP:    SPLIT_INCLUDE
May 15 08:27:46.926: ISAKMP:    SPLIT_DNS
May 15 08:27:46.930: ISAKMP:    DEFAULT_DOMAIN
May 15 08:27:46.930: ISAKMP:    MODECFG_SAVEPWD
May 15 08:27:46.930: ISAKMP:    INCLUDE_LOCAL_LAN
May 15 08:27:46.934: ISAKMP:    PFS
May 15 08:27:46.934: ISAKMP:    BACKUP_SERVER
May 15 08:27:46.934: ISAKMP:    APPLICATION_VERSION
May 15 08:27:46.938: ISAKMP:    MODECFG_BANNER
May 15 08:27:46.938: ISAKMP:    MODECFG_IPSEC_INT_CONF
May 15 08:27:46.942: ISAKMP:    MODECFG_HOSTNAME
May 15 08:27:46.946: ISAKMP/author: Author request for group successfully sent to AAA
May 15 08:27:46.950: ISAKMP:(1005):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
May 15 0
Rack1R3(config)#8:27:46.954: ISAKMP:(1005):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_AUTHOR_AAA_AWAIT

May 15 08:27:47.122: AAA/AUTHOR/IKMP/LOCAL: group  does not exist
May 15 08:27:47.126: %CRYPTO-6-VPN_TUNNEL_STATUS: Group:  does not exist
May 15 08:27:47.226: ISAKMP:(1005):AAA returned a policy error. Sending empty reply.
May 15 08:27:47.230: ISAKMP:(1005):deleting node -969631311 error FALSE reason "No Error"
May 15 08:27:47.230: ISAKMP:(1005):peer does not do paranoid keepalives.

May 15 08:27:47.234: ISAKMP:(1005):peer does not do paranoid keepalives.

May 15 08:27:47.234: ISAKMP:(1005):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) CONF_ADDR     (peer 136.1.121.1)
May 15 08:27:47.234: ISAKMP (0:1005): FSM action returned error: 2
May 15 08:27:47.234: ISAKMP:(1005):Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR
May 15 08:27:47.234: ISAKMP:(1005):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT  New State = IKE_P1_COMPLETE

May 15 08:27:47.270: ISAKMP: set new node -13695481
Rack1R3(config)#80 to QM_IDLE     
May 15 08:27:47.274: ISAKMP:(1005): sending packet to 136.1.121.1 my_port 500 peer_port 500 (R) CONF_ADDR   
May 15 08:27:47.278: ISAKMP:(1005):Sending an IKE IPv4 Packet.
May 15 08:27:47.282: ISAKMP:(1005):purging node -1369548180
May 15 08:27:47.286: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 15 08:27:47.286: ISAKMP:(1005):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

May 15 08:27:47.310: ISAKMP:(1005):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) CONF_ADDR     (peer 136.1.121.1)
May 15 08:27:47.314: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
May 15 08:27:47.314: ISAKMP: Unlocking peer struct 0x63AF0CD0 for isadb_mark_sa_deleted(), count 0
May 15 08:27:47.322: ISAKMP: Deleting peer node by peer_reap for 136.1.121.1: 63AF0CD0
May 15 08:27:47.334: ISAKMP:(1005):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 15 08:27:47.334: ISAKMP:(1005):Old State = IKE_DEST_SA  New Stat
Rack1R3(config)#e = IKE_DEST_SA

May 15 08:27:47.574: ISAKMP (0:1005): received packet from 136.1.121.1 dport 500 sport 500 Global (R) MM_NO_STATE

Comments

  • Hi,

     

    The following line in the debugs indicate the issue:

    May 15 08:27:47.122: AAA/AUTHOR/IKMP/LOCAL: group  does not exist

     

    The AAA server sent a negative message, I believe some configuration of the AAA is missing

     

    Thank you. 

  • Hi,

       Most of the times the following message "May 15 08:27:47.234: ISAKMP:(1005):peer does not do paranoid keepalives." means there is a pre-shared-key mismatch. However in your case, the following message "May 15 08:27:47.122: AAA/AUTHOR/IKMP/LOCAL: group does not exist" says (i guess in here) there is something wrong with your authorization list (which is used for IKE Phase 1.5, config mode).

    Good luck!

Sign In or Register to comment.