IPSec using certificate authentication

Discussion in 'Cisco' started by dan, May 10, 2005.

  1. dan

    dan Guest

    Hi,

    sorry for the long post.

    I'm trying to establish an IPSec tunnel from a Win XP client to a Cisco
    1711 router running IOS 12.2(15)ZL1. IPSec using a preshared key works
    fine. The CA is a MS Win 2003. I can enroll the router and import the
    CA certificate. Moreover, an IPSec certificate is installed in the
    computer's certificate store and the CA certificate is added to the
    trusted roots on the client's PC.

    I've been trying for days now, and I just can't get it working. The IKE
    negotiation fails in main mode. Thanks for any help.

    Here are the relevant parts of the config and the logs:

    ---------- Cisco Config ----------

    aaa new-model
    !
    aaa authentication login default local
    aaa authentication ppp vpdn group radius
    aaa authorization network default group radius
    aaa session-id common
    !
    vpdn enable
    !
    vpdn-group l2tpvpn
    ! Default L2TP VPDN group
    accept-dialin
    protocol l2tp
    virtual-template 1
    no l2tp tunnel authentication
    !
    no ftp-server write-enable
    !
    crypto ca trustpoint Networklab
    enrollment mode ra
    enrollment url http://172.16.4.1:80/certsrv/mscep/mscep.dll
    enrollment http-proxy 192.168.0.1 80
    serial-number
    fqdn none
    ip-address none
    password 7 00344B54250C759036076E685F4E534E56
    revocation-check crl
    rsakeypair SDM-RSAKey-1115712347000
    auto-enroll
    !
    crypto ca certificate chain Networklab
    certificate 67103CFF000000000011
    308205E1 .... 1D
    quit
    certificate ca 01AEF9A1448A34A441C09FBC00CC392D
    3082049E .... E5FE
    quit
    !
    crypto isakmp policy 1
    encr 3des
    group 2
    !
    crypto ipsec transform-set esp-3des-sha-tunnel esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynvpn 1
    set transform-set esp-3des-sha-tunnel
    set pfs group2
    match address 130
    !
    crypto map extmap 1 ipsec-isakmp dynamic dynvpn
    !
    access-list 130 permit udp host 2.2.2.2 eq 1701 any eq 1701
    access-list 130 permit udp any eq 1701 host 2.2.2.2 eq 1701
    ---------- Cisco ISAKMP Debug ----------

    005943: May 10 10:28:19.781 PCTime: ISAKMP (0:1): retransmitting phase
    1 MM_KEY_EXCH...
    005944: May 10 10:28:19.781 PCTime: ISAKMP (0:1): peer does not do
    paranoid keepalives.

    005945: May 10 10:28:19.781 PCTime: ISAKMP (0:1): deleting SA reason
    "death by retransmission P1" state (R) MM_KEY_EXCH (peer 10.0.0.2)
    input queue 0
    005946: May 10 10:28:19.781 PCTime: ISAKMP (0:1): deleting SA reason
    "death by retransmission P1" state (R) MM_KEY_EXCH (peer 10.0.0.2)
    input queue 0
    005947: May 10 10:28:19.781 PCTime: ISAKMP (0:1): deleting node
    -1771400485 error TRUE reason "death by retransmission P1"
    005948: May 10 10:28:19.781 PCTime: ISAKMP (0:1): Input =
    IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    005949: May 10 10:28:19.781 PCTime: ISAKMP (0:1): Old State = IKE_R_MM4
    New State = IKE_DEST_SA

    005950: May 10 10:28:24.253 PCTime: ISAKMP (0:0): received packet from
    10.0.0.2 dport 500 sport 500 Global (N) NEW SA
    005951: May 10 10:28:24.257 PCTime: ISAKMP: local port 500, remote port
    500
    005952: May 10 10:28:24.257 PCTime: ISAKMP: Find a dup sa in the avl
    tree during calling isadb_insert sa = 822C014C
    005953: May 10 10:28:24.257 PCTime: ISAKMP (0:2): Input =
    IKE_MESG_FROM_PEER, IKE_MM_EXCH
    005954: May 10 10:28:24.257 PCTime: ISAKMP (0:2): Old State = IKE_READY
    New State = IKE_R_MM1

    005955: May 10 10:28:24.257 PCTime: ISAKMP (0:2): processing SA
    payload. message ID = 0
    005956: May 10 10:28:24.257 PCTime: ISAKMP (0:2): processing vendor id
    payload
    005957: May 10 10:28:24.257 PCTime: ISAKMP (0:2): vendor ID seems
    Unity/DPD but major 228 mismatch
    005958: May 10 10:28:24.261 PCTime: ISAKMP (0:2): processing vendor id
    payload
    005959: May 10 10:28:24.261 PCTime: ISAKMP (0:2): vendor ID seems
    Unity/DPD but major 194 mismatch
    005960: May 10 10:28:24.261 PCTime: ISAKMP (0:2): processing vendor id
    payload
    005961: May 10 10:28:24.261 PCTime: ISAKMP (0:2): vendor ID seems
    Unity/DPD but major 123 mismatch
    005962: May 10 10:28:24.261 PCTime: ISAKMP (0:2): vendor ID is NAT-T v2
    005963: May 10 10:28:24.261 PCTime: ISAKMP (0:2): processing vendor id
    payload
    005964: May 10 10:28:24.261 PCTime: ISAKMP (0:2): vendor ID seems
    Unity/DPD but major 184 mismatch
    005965: May 10 10:28:24.261 PCTime: ISAKMP : Scanning profiles for
    xauth ...
    005966: May 10 10:28:24.261 PCTime: ISAKMP (0:2): Checking ISAKMP
    transform 1 against priority 1 policy
    005967: May 10 10:28:24.261 PCTime: ISAKMP: encryption 3DES-CBC
    005968: May 10 10:28:24.261 PCTime: ISAKMP: hash SHA
    005969: May 10 10:28:24.261 PCTime: ISAKMP: default group 2
    005970: May 10 10:28:24.261 PCTime: ISAKMP: auth RSA sig
    005971: May 10 10:28:24.261 PCTime: ISAKMP: life type in seconds
    005972: May 10 10:28:24.261 PCTime: ISAKMP: life duration (VPI) of
    0x0 0x0 0x70 0x80
    005973: May 10 10:28:24.261 PCTime: ISAKMP (0:2): atts are acceptable.
    Next payload is 0
    005974: May 10 10:28:24.509 PCTime: ISAKMP (0:2): processing vendor id
    payload
    005975: May 10 10:28:24.509 PCTime: ISAKMP (0:2): vendor ID seems
    Unity/DPD but major 228 mismatch
    005976: May 10 10:28:24.509 PCTime: ISAKMP (0:2): processing vendor id
    payload
    005977: May 10 10:28:24.509 PCTime: ISAKMP (0:2): vendor ID seems
    Unity/DPD but major 194 mismatch
    005978: May 10 10:28:24.513 PCTime: ISAKMP (0:2): processing vendor id
    payload
    005979: May 10 10:28:24.513 PCTime: ISAKMP (0:2): vendor ID seems
    Unity/DPD but major 123 mismatch
    005980: May 10 10:28:24.513 PCTime: ISAKMP (0:2): vendor ID is NAT-T v2
    005981: May 10 10:28:24.513 PCTime: ISAKMP (0:2): processing vendor id
    payload
    005982: May 10 10:28:24.513 PCTime: ISAKMP (0:2): vendor ID seems
    Unity/DPD but major 184 mismatch
    005983: May 10 10:28:24.513 PCTime: ISAKMP (0:2): Input =
    IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    005984: May 10 10:28:24.513 PCTime: ISAKMP (0:2): Old State = IKE_R_MM1
    New State = IKE_R_MM1

    005985: May 10 10:28:24.513 PCTime: ISAKMP (0:2): constructed NAT-T
    vendor-02 ID
    005986: May 10 10:28:24.513 PCTime: ISAKMP (0:2): sending packet to
    10.0.0.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
    005987: May 10 10:28:24.517 PCTime: ISAKMP (0:2): Input =
    IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    005988: May 10 10:28:24.517 PCTime: ISAKMP (0:2): Old State = IKE_R_MM1
    New State = IKE_R_MM2

    005989: May 10 10:28:24.581 PCTime: ISAKMP (0:2): received packet from
    10.0.0.2 dport 500 sport 500 Global (R) MM_SA_SETUP
    005990: May 10 10:28:24.585 PCTime: ISAKMP (0:2): Input =
    IKE_MESG_FROM_PEER, IKE_MM_EXCH
    005991: May 10 10:28:24.585 PCTime: ISAKMP (0:2): Old State = IKE_R_MM2
    New State = IKE_R_MM3

    005992: May 10 10:28:24.585 PCTime: ISAKMP (0:2): processing KE
    payload. message ID = 0
    005993: May 10 10:28:24.833 PCTime: ISAKMP (0:2): processing NONCE
    payload. message ID = 0
    005994: May 10 10:28:24.869 PCTime: ISAKMP (0:2): SKEYID state
    generated
    005995: May 10 10:28:24.869 PCTime: ISAKMP:received payload type 17
    005996: May 10 10:28:24.869 PCTime: ISAKMP (0:2): Detected NAT-D
    payload
    005997: May 10 10:28:24.869 PCTime: ISAKMP (0:2): NAT match MINE hash
    005998: May 10 10:28:24.869 PCTime: ISAKMP:received payload type 17
    005999: May 10 10:28:24.869 PCTime: ISAKMP (0:2): Detected NAT-D
    payload
    006000: May 10 10:28:24.869 PCTime: ISAKMP (0:2): NAT match HIS hash
    006001: May 10 10:28:24.869 PCTime: ISAKMP (0:2): Input =
    IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    006002: May 10 10:28:24.869 PCTime: ISAKMP (0:2): Old State = IKE_R_MM3
    New State = IKE_R_MM3

    006003: May 10 10:28:24.873 PCTime: ISAKMP (0:2): constructed HIS NAT-D
    006004: May 10 10:28:24.873 PCTime: ISAKMP (0:2): constructed MINE
    NAT-D
    006005: May 10 10:28:24.873 PCTime: ISAKMP (0:2): sending packet to
    10.0.0.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    006006: May 10 10:28:24.873 PCTime: ISAKMP (0:2): Input =
    IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    006007: May 10 10:28:24.873 PCTime: ISAKMP (0:2): Old State = IKE_R_MM3
    New State = IKE_R_MM4

    006008: May 10 10:28:34.873 PCTime: ISAKMP (0:2): retransmitting phase
    1 MM_KEY_EXCH...
    006009: May 10 10:28:34.873 PCTime: ISAKMP (0:2): incrementing error
    counter on sa: retransmit phase 1
    006010: May 10 10:28:34.873 PCTime: ISAKMP (0:2): retransmitting phase
    1 MM_KEY_EXCH
    006011: May 10 10:28:34.873 PCTime: ISAKMP (0:2): sending packet to
    10.0.0.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    006012: May 10 10:28:44.873 PCTime: ISAKMP (0:2): retransmitting phase
    1 MM_KEY_EXCH...
    006013: May 10 10:28:44.873 PCTime: ISAKMP (0:2): incrementing error
    counter on sa: retransmit phase 1
    006014: May 10 10:28:44.873 PCTime: ISAKMP (0:2): retransmitting phase
    1 MM_KEY_EXCH
    006015: May 10 10:28:44.873 PCTime: ISAKMP (0:2): sending packet to
    10.0.0.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    006016: May 10 10:28:54.873 PCTime: ISAKMP (0:2): retransmitting phase
    1 MM_KEY_EXCH...
    006017: May 10 10:28:54.873 PCTime: ISAKMP (0:2): incrementing error
    counter on sa: retransmit phase 1
    006018: May 10 10:28:54.873 PCTime: ISAKMP (0:2): retransmitting phase
    1 MM_KEY_EXCH
    006019: May 10 10:28:54.873 PCTime: ISAKMP (0:2): sending packet to
    10.0.0.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    ---------- Win XP Security Log ----------

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 547
    Date: 5/10/2005
    Time: 10:27:04 AM
    User: NT AUTHORITY\NETWORK SERVICE
    Computer: CH-RD-C003-4
    Description:
    IKE security association negotiation failed.
    Mode:
    Key Exchange Mode (Main Mode)

    Filter:
    Source IP Address 10.0.0.2
    Source IP Address Mask 255.255.255.255
    Destination IP Address 2.2.2.2
    Destination IP Address Mask 255.255.255.255
    Protocol 0
    Source Port 0
    Destination Port 0
    IKE Local Addr 10.0.0.2
    IKE Peer Addr 2.2.2.2

    Peer Identity:
    Certificate based Identity.
    Peer Subject
    Peer SHA Thumbprint 0000000000000000000000000000000000000000
    Peer Issuing Certificate Authority
    Root Certificate Authority
    My Subject O=Networklab, CN=Remote Service Host
    My SHA Thumbprint 55883cf525a8e6cc0200459c931a2a4d2da737c4
    Peer IP Address: 2.2.2.2

    Failure Point:
    Me

    Failure Reason:
    General processing error

    Extra Status:
    0x80092004 0x0


    ---------- Win XP Oakley Debug ----------

    5-10: 10:26:48:328:1a90 Initialization OK
    5-10: 10:26:49:625:1c70
    5-10: 10:26:49:625:1c70 Receive: (get) SA = 0x00000000 from
    2.2.2.2.500
    5-10: 10:26:49:625:1c70 ISAKMP Header: (V1.0), len = 383
    5-10: 10:26:49:625:1c70 I-COOKIE 702ef665ca453b5f
    5-10: 10:26:49:625:1c70 R-COOKIE 6a59dabfd230297a
    5-10: 10:26:49:625:1c70 exchange: Oakley Main Mode
    5-10: 10:26:49:625:1c70 flags: 0
    5-10: 10:26:49:625:1c70 next payload: KE
    5-10: 10:26:49:625:1c70 message ID: 00000000
    5-10: 10:26:49:625:1c70 invalid cookie received
    5-10: 10:27:04:93:18f8 Acquire from driver: op=0000001F
    src=10.0.0.2.1701 dst=2.2.2.2.1701 proto = 17, SrcMask=255.255.255.255,
    DstMask=255.255.255.255, Tunnel 1, TunnelEndpt=2.2.2.2 Inbound
    TunnelEndpt=10.0.0.2
    5-10: 10:27:04:93:1c70 Filter to match: Src 2.2.2.2 Dst 10.0.0.2
    5-10: 10:27:04:93:1c70 MM PolicyName: 1
    5-10: 10:27:04:93:1c70 MMPolicy dwFlags 2 SoftSAExpireTime 28800
    5-10: 10:27:04:93:1c70 MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup
    2
    5-10: 10:27:04:93:1c70 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
    5-10: 10:27:04:93:1c70 Auth[0]:RSA Sig DC=local, DC=networklab,
    CN=Networklab AuthFlags 0
    5-10: 10:27:04:93:1c70 QM PolicyName: SecureNew dwFlags 1
    5-10: 10:27:04:93:1c70 QMOffer[0] LifetimeKBytes 0 LifetimeSec 0
    5-10: 10:27:04:93:1c70 QMOffer[0] dwFlags 0 dwPFSGroup -2147483648
    5-10: 10:27:04:93:1c70 Algo[0] Operation: ESP Algo: Triple DES CBC
    HMAC: SHA
    5-10: 10:27:04:93:1c70 Starting Negotiation: src = 10.0.0.2.0500, dst
    = 2.2.2.2.0500, proto = 17, context = 0000001F, ProxySrc =
    10.0.0.2.1701, ProxyDst = 2.2.2.2.1701 SrcMask = 255.255.255.255
    DstMask = 255.255.255.255
    5-10: 10:27:04:93:1c70 constructing ISAKMP Header
    5-10: 10:27:04:93:1c70 constructing SA (ISAKMP)
    5-10: 10:27:04:93:1c70 Constructing Vendor MS NT5 ISAKMPOAKLEY
    5-10: 10:27:04:93:1c70 Constructing Vendor FRAGMENTATION
    5-10: 10:27:04:93:1c70 Constructing Vendor
    draft-ietf-ipsec-nat-t-ike-02
    5-10: 10:27:04:93:1c70 Constructing Vendor Vid-Initial-Contact
    5-10: 10:27:04:93:1c70
    5-10: 10:27:04:93:1c70 Sending: SA = 0x00102FC8 to 2.2.2.2:Type 2.500
    5-10: 10:27:04:93:1c70 ISAKMP Header: (V1.0), len = 168
    5-10: 10:27:04:93:1c70 I-COOKIE 13328cf8c6e5a496
    5-10: 10:27:04:93:1c70 R-COOKIE 0000000000000000
    5-10: 10:27:04:93:1c70 exchange: Oakley Main Mode
    5-10: 10:27:04:93:1c70 flags: 0
    5-10: 10:27:04:93:1c70 next payload: SA
    5-10: 10:27:04:93:1c70 message ID: 00000000
    5-10: 10:27:04:93:1c70 Ports S:f401 D:f401
    5-10: 10:27:04:359:1c70
    5-10: 10:27:04:359:1c70 Receive: (get) SA = 0x00102fc8 from
    2.2.2.2.500
    5-10: 10:27:04:359:1c70 ISAKMP Header: (V1.0), len = 100
    5-10: 10:27:04:359:1c70 I-COOKIE 13328cf8c6e5a496
    5-10: 10:27:04:359:1c70 R-COOKIE 6a59dabf2c9eeb5d
    5-10: 10:27:04:359:1c70 exchange: Oakley Main Mode
    5-10: 10:27:04:359:1c70 flags: 0
    5-10: 10:27:04:359:1c70 next payload: SA
    5-10: 10:27:04:359:1c70 message ID: 00000000
    5-10: 10:27:04:359:1c70 processing payload SA
    5-10: 10:27:04:359:1c70 Received Phase 1 Transform 1
    5-10: 10:27:04:359:1c70 Encryption Alg Triple DES CBC(5)
    5-10: 10:27:04:359:1c70 Hash Alg SHA(2)
    5-10: 10:27:04:359:1c70 Oakley Group 2
    5-10: 10:27:04:359:1c70 Auth Method RSA Signature with
    Certificates(3)
    5-10: 10:27:04:359:1c70 Life type in Seconds
    5-10: 10:27:04:359:1c70 Life duration of 28800
    5-10: 10:27:04:359:1c70 Phase 1 SA accepted: transform=1
    5-10: 10:27:04:359:1c70 SA - Oakley proposal accepted
    5-10: 10:27:04:359:1c70 processing payload VENDOR ID
    5-10: 10:27:04:359:1c70 Received VendorId
    draft-ietf-ipsec-nat-t-ike-02
    5-10: 10:27:04:359:1c70 ClearFragList
    5-10: 10:27:04:359:1c70 constructing ISAKMP Header
    5-10: 10:27:04:421:1c70 constructing KE
    5-10: 10:27:04:421:1c70 constructing NONCE (ISAKMP)
    5-10: 10:27:04:421:1c70 Constructing NatDisc
    5-10: 10:27:04:421:1c70
    5-10: 10:27:04:421:1c70 Sending: SA = 0x00102FC8 to 2.2.2.2:Type 2.500
    5-10: 10:27:04:421:1c70 ISAKMP Header: (V1.0), len = 232
    5-10: 10:27:04:421:1c70 I-COOKIE 13328cf8c6e5a496
    5-10: 10:27:04:421:1c70 R-COOKIE 6a59dabf2c9eeb5d
    5-10: 10:27:04:421:1c70 exchange: Oakley Main Mode
    5-10: 10:27:04:421:1c70 flags: 0
    5-10: 10:27:04:421:1c70 next payload: KE
    5-10: 10:27:04:421:1c70 message ID: 00000000
    5-10: 10:27:04:421:1c70 Ports S:f401 D:f401
    5-10: 10:27:04:718:1c70
    5-10: 10:27:04:718:1c70 Receive: (get) SA = 0x00102fc8 from
    2.2.2.2.500
    5-10: 10:27:04:718:1c70 ISAKMP Header: (V1.0), len = 383
    5-10: 10:27:04:718:1c70 I-COOKIE 13328cf8c6e5a496
    5-10: 10:27:04:718:1c70 R-COOKIE 6a59dabf2c9eeb5d
    5-10: 10:27:04:718:1c70 exchange: Oakley Main Mode
    5-10: 10:27:04:718:1c70 flags: 0
    5-10: 10:27:04:718:1c70 next payload: KE
    5-10: 10:27:04:718:1c70 message ID: 00000000
    5-10: 10:27:04:718:1c70 processing payload KE
    5-10: 10:27:04:734:1c70 processing payload NONCE
    5-10: 10:27:04:734:1c70 processing payload CRP
    5-10: 10:27:04:734:1c70 DC=local, DC=networklab, CN=Networklab
    5-10: 10:27:04:734:1c70 processing payload VENDOR ID
    5-10: 10:27:04:734:1c70 processing payload VENDOR ID
    5-10: 10:27:04:734:1c70 processing payload VENDOR ID
    5-10: 10:27:04:734:1c70 processing payload VENDOR ID
    5-10: 10:27:04:734:1c70 processing payload NATDISC
    5-10: 10:27:04:734:1c70 Processing NatHash
    5-10: 10:27:04:734:1c70 Nat hash 2651234ebd1e2623f23ef13e7361ef87
    5-10: 10:27:04:734:1c70 b73882cd
    5-10: 10:27:04:734:1c70 SA StateMask2 f
    5-10: 10:27:04:734:1c70 processing payload NATDISC
    5-10: 10:27:04:734:1c70 Processing NatHash
    5-10: 10:27:04:734:1c70 Nat hash a433da81781938fa3d193f9d4fa5f17a
    5-10: 10:27:04:734:1c70 986fcf69
    5-10: 10:27:04:734:1c70 SA StateMask2 8f
    5-10: 10:27:04:734:1c70 ClearFragList
    5-10: 10:27:04:734:1c70 constructing ISAKMP Header
    5-10: 10:27:04:734:1c70 constructing ID
    5-10: 10:27:04:734:1c70 Looking for IPSec only cert
    5-10: 10:27:04:734:1c70 Cert Trustes. 0 100
    5-10: 10:27:04:734:1c70 Cert SHA Thumbprint
    55883cf525a8e6cc0200459c931a2a4d
    5-10: 10:27:04:734:1c70 2da737c4
    5-10: 10:27:04:734:1c70 Get Certificate Context Property failed with
    80092004
    5-10: 10:27:04:734:1c70 Failed to get key for cert
    5-10: 10:27:04:734:1c70 Looking for IPSec only cert
    5-10: 10:27:04:734:1c70 failed to get chain 80092004
    5-10: 10:27:04:734:1c70 Looking for any cert
    5-10: 10:27:04:734:1c70 Cert Trustes. 0 100
    5-10: 10:27:04:734:1c70 Cert SHA Thumbprint
    55883cf525a8e6cc0200459c931a2a4d
    5-10: 10:27:04:734:1c70 2da737c4
    5-10: 10:27:04:734:1c70 Get Certificate Context Property failed with
    80092004
    5-10: 10:27:04:734:1c70 Failed to get key for cert
    5-10: 10:27:04:734:1c70 Looking for any cert
    5-10: 10:27:04:734:1c70 failed to get chain 80092004
    5-10: 10:27:04:734:1c70 Received no valid CRPs. Using all configured
    5-10: 10:27:04:734:1c70 Looking for IPSec only cert
    5-10: 10:27:04:734:1c70 Cert Trustes. 0 100
    5-10: 10:27:04:734:1c70 Cert SHA Thumbprint
    55883cf525a8e6cc0200459c931a2a4d
    5-10: 10:27:04:734:1c70 2da737c4
    5-10: 10:27:04:734:1c70 Get Certificate Context Property failed with
    80092004
    5-10: 10:27:04:734:1c70 Failed to get key for cert
    5-10: 10:27:04:734:1c70 Looking for IPSec only cert
    5-10: 10:27:04:734:1c70 failed to get chain 80092004
    5-10: 10:27:04:734:1c70 Looking for any cert
    5-10: 10:27:04:734:1c70 Cert Trustes. 0 100
    5-10: 10:27:04:734:1c70 Cert SHA Thumbprint
    55883cf525a8e6cc0200459c931a2a4d
    5-10: 10:27:04:734:1c70 2da737c4
    5-10: 10:27:04:734:1c70 Get Certificate Context Property failed with
    80092004
    5-10: 10:27:04:734:1c70 Failed to get key for cert
    5-10: 10:27:04:734:1c70 Looking for any cert
    5-10: 10:27:04:734:1c70 failed to get chain 80092004
    5-10: 10:27:04:734:1c70 ProcessFailure: sa:00102FC8 centry:00000000
    status:35ec
    5-10: 10:27:04:734:1c70 isadb_set_status sa:00102FC8 centry:00000000
    status 35ec
    5-10: 10:27:04:734:1c70 Key Exchange Mode (Main Mode)
    5-10: 10:27:04:734:1c70 Source IP Address 10.0.0.2 Source IP Address
    Mask 255.255.255.255 Destination IP Address 2.2.2.2 Destination IP
    Address Mask 255.255.255.255 Protocol 0 Source Port 0 Destination
    Port 0 IKE Local Addr 10.0.0.2 IKE Peer Addr 2.2.2.2
    5-10: 10:27:04:734:1c70 Certificate based Identity. Peer Subject
    Peer SHA Thumbprint 0000000000000000000000000000000000000000 Peer
    Issuing Certificate Authority Root Certificate Authority My Subject
    O=Networklab, CN=Remote Service Host My SHA Thumbprint
    55883cf525a8e6cc0200459c931a2a4d2da737c4 Peer IP Address: 2.2.2.2
    5-10: 10:27:04:734:1c70 Me
    5-10: 10:27:04:734:1c70 General processing error
    5-10: 10:27:04:734:1c70 0x80092004 0x0
    5-10: 10:27:04:734:1c70 ProcessFailure: sa:00102FC8 centry:00000000
    status:35ec
    5-10: 10:27:04:734:1c70 Not creating notify.
    5-10: 10:27:14:718:1c70
    5-10: 10:27:14:718:1c70 Receive: (get) SA = 0x00102fc8 from
    2.2.2.2.500
    5-10: 10:27:14:718:1c70 ISAKMP Header: (V1.0), len = 383
    5-10: 10:27:14:718:1c70 I-COOKIE 13328cf8c6e5a496
    5-10: 10:27:14:718:1c70 R-COOKIE 6a59dabf2c9eeb5d
    5-10: 10:27:14:718:1c70 exchange: Oakley Main Mode
    5-10: 10:27:14:718:1c70 flags: 0
    5-10: 10:27:14:718:1c70 next payload: KE
    5-10: 10:27:14:718:1c70 message ID: 00000000
    5-10: 10:27:14:718:1c70 received an unencrypted packet when crypto
    active
    5-10: 10:27:14:718:1c70 GetPacket failed 35ec
    5-10: 10:27:24:718:1c70
    5-10: 10:27:24:718:1c70 Receive: (get) SA = 0x00102fc8 from
    2.2.2.2.500
    5-10: 10:27:24:718:1c70 ISAKMP Header: (V1.0), len = 383
    5-10: 10:27:24:718:1c70 I-COOKIE 13328cf8c6e5a496
    5-10: 10:27:24:718:1c70 R-COOKIE 6a59dabf2c9eeb5d
    5-10: 10:27:24:718:1c70 exchange: Oakley Main Mode
    5-10: 10:27:24:718:1c70 flags: 0
    5-10: 10:27:24:718:1c70 next payload: KE
    5-10: 10:27:24:718:1c70 message ID: 00000000
    5-10: 10:27:24:718:1c70 received an unencrypted packet when crypto
    active
    5-10: 10:27:24:718:1c70 GetPacket failed 35ec
    5-10: 10:27:34:718:1c70
    5-10: 10:27:34:718:1c70 Receive: (get) SA = 0x00102fc8 from
    2.2.2.2.500
    5-10: 10:27:34:718:1c70 ISAKMP Header: (V1.0), len = 383
    5-10: 10:27:34:718:1c70 I-COOKIE 13328cf8c6e5a496
    5-10: 10:27:34:718:1c70 R-COOKIE 6a59dabf2c9eeb5d
    5-10: 10:27:34:718:1c70 exchange: Oakley Main Mode
    5-10: 10:27:34:718:1c70 flags: 0
    5-10: 10:27:34:718:1c70 next payload: KE
    5-10: 10:27:34:718:1c70 message ID: 00000000
    5-10: 10:27:34:718:1c70 received an unencrypted packet when crypto
    active
    5-10: 10:27:34:718:1c70 GetPacket failed 35ec
    5-10: 10:27:44:718:1c70
    5-10: 10:27:44:718:1c70 Receive: (get) SA = 0x00102fc8 from
    2.2.2.2.500
    5-10: 10:27:44:718:1c70 ISAKMP Header: (V1.0), len = 383
    5-10: 10:27:44:718:1c70 I-COOKIE 13328cf8c6e5a496
    5-10: 10:27:44:718:1c70 R-COOKIE 6a59dabf2c9eeb5d
    5-10: 10:27:44:718:1c70 exchange: Oakley Main Mode
    5-10: 10:27:44:718:1c70 flags: 0
    5-10: 10:27:44:718:1c70 next payload: KE
    5-10: 10:27:44:718:1c70 message ID: 00000000
    5-10: 10:27:44:718:1c70 received an unencrypted packet when crypto
    active
    5-10: 10:27:44:718:1c70 GetPacket failed 35ec
    5-10: 10:27:54:718:1c70
    5-10: 10:27:54:718:1c70 Receive: (get) SA = 0x00102fc8 from
    2.2.2.2.500
    5-10: 10:27:54:718:1c70 ISAKMP Header: (V1.0), len = 383
    5-10: 10:27:54:718:1c70 I-COOKIE 13328cf8c6e5a496
    5-10: 10:27:54:718:1c70 R-COOKIE 6a59dabf2c9eeb5d
    5-10: 10:27:54:718:1c70 exchange: Oakley Main Mode
    5-10: 10:27:54:718:1c70 flags: 0
    5-10: 10:27:54:718:1c70 next payload: KE
    5-10: 10:27:54:718:1c70 message ID: 00000000
    5-10: 10:27:54:718:1c70 received an unencrypted packet when crypto
    active
    5-10: 10:27:54:718:1c70 GetPacket failed 35ec
    5-10: 10:29:03:328:1c70 SA Dead. sa:00102FC8 status:35f0
    5-10: 10:29:03:328:1c70 constructing ISAKMP Header
    5-10: 10:29:03:328:1c70 constructing HASH (null)
    5-10: 10:29:03:328:1c70 constructing DELETE. MM 00102FC8
    5-10: 10:29:03:328:1c70 constructing HASH (Notify/Delete)
    5-10: 10:29:03:328:1c70
    5-10: 10:29:03:328:1c70 Sending: SA = 0x00102FC8 to 2.2.2.2:Type 1.500
    5-10: 10:29:03:328:1c70 ISAKMP Header: (V1.0), len = 84
    5-10: 10:29:03:328:1c70 I-COOKIE 13328cf8c6e5a496
    5-10: 10:29:03:328:1c70 R-COOKIE 6a59dabf2c9eeb5d
    5-10: 10:29:03:328:1c70 exchange: ISAKMP Informational Exchange
    5-10: 10:29:03:328:1c70 flags: 1 ( encrypted )
    5-10: 10:29:03:328:1c70 next payload: HASH
    5-10: 10:29:03:328:1c70 message ID: 5b0f7561
    5-10: 10:29:03:328:1c70 Ports S:f401 D:f401
    5-10: 10:29:03:328:1c70 ClearFragList
    dan, May 10, 2005
    #1
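Added here as an example, not part of the thread: a Python triage script that parses the two log formats posted above (re-joining the continuation lines that mail wrapping split off) and correlates the client's certificate lookup failure with the responder's main-mode state. The embedded log excerpts are constructed from the post; the HRESULT name comes from the Windows SDK headers.

```python
import re

# Constructed excerpts in the format of the two logs posted above, keeping the
# continuation lines that mail wrapping left without a timestamp prefix.
OAKLEY_SAMPLE = """\
5-10: 10:27:04:734:1c70 Looking for IPSec only cert
5-10: 10:27:04:734:1c70 Cert SHA Thumbprint
55883cf525a8e6cc0200459c931a2a4d
5-10: 10:27:04:734:1c70 2da737c4
5-10: 10:27:04:734:1c70 Get Certificate Context Property failed with
80092004
5-10: 10:27:04:734:1c70 Failed to get key for cert
"""
CISCO_SAMPLE = """\
006007: May 10 10:28:24.873 PCTime: ISAKMP (0:2): Old State = IKE_R_MM3
New State = IKE_R_MM4
006008: May 10 10:28:34.873 PCTime: ISAKMP (0:2): retransmitting phase
1 MM_KEY_EXCH...
006020: May 10 10:29:04.873 PCTime: ISAKMP (0:2): deleting SA reason
"death by retransmission P1" state (R) MM_KEY_EXCH (peer 10.0.0.2)
"""
OAKLEY_PREFIX = re.compile(r"^\d+-\d+: \d+:\d+:\d+:\d+:[0-9a-f]+ ?(.*)$")
CISCO_PREFIX = re.compile(r"^\d{6}: \w{3} +\d+ [\d:.]+ \w+: (.*)$")
# HRESULT name as defined in the Windows SDK headers.
HRESULTS = {"80092004": "CRYPT_E_NOT_FOUND (cannot find object or property)"}

def unwrap(text, prefix):
    """Strip timestamp prefixes and re-join wrapped continuation lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = prefix.match(line)
        if m:
            entries.append(m.group(1).strip())
        elif line and entries:
            entries[-1] += " " + line
    return entries

def analyse_oakley(text):
    """Extract which cert the client picked and why it could not use it."""
    entries = unwrap(text, OAKLEY_PREFIX)
    r = {"thumbprint": None, "hresult": None, "no_key": False}
    for i, e in enumerate(entries):
        if e.startswith("Cert SHA Thumbprint"):
            tp = e.split()[-1]
            # Oakley prints the last 8 hex digits of the thumbprint as its own entry
            if i + 1 < len(entries) and re.fullmatch(r"[0-9a-f]{8}", entries[i + 1]):
                tp += entries[i + 1]
            r["thumbprint"] = tp
        if m := re.search(r"Property failed with ([0-9a-fA-F]{8})$", e):
            r["hresult"] = m.group(1).lower()
        r["no_key"] = r["no_key"] or e == "Failed to get key for cert"
    return r

def analyse_cisco(text):
    """Track the responder's main-mode state and why it dropped the SA."""
    entries = unwrap(text, CISCO_PREFIX)
    r = {"last_state": None, "retransmits": 0, "delete_reason": None}
    for e in entries:
        if m := re.search(r"New State = (\w+)", e):
            r["last_state"] = m.group(1)
        if m := re.search(r'deleting SA reason "([^"]+)"', e):
            r["delete_reason"] = m.group(1)
        r["retransmits"] += "retransmitting phase 1" in e
    return r

def diagnose(oakley_text, cisco_text):
    o, c = analyse_oakley(oakley_text), analyse_cisco(cisco_text)
    findings = []
    if o["no_key"]:
        findings.append("client found cert %s but could not access its private key: %s"
                        % (o["thumbprint"], HRESULTS.get(o["hresult"], o["hresult"])))
    if c["last_state"] == "IKE_R_MM4" and c["delete_reason"]:
        findings.append("router sat in MM4 waiting for the client's ID/signature and gave "
                        "up after %d retransmits: %s" % (c["retransmits"], c["delete_reason"]))
    return findings
```

Run against the samples, both findings point at the same place: the client aborts before sending main-mode message 5 because it cannot reach the private key of the certificate it selected, and the router times out waiting for that message.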
  2. Is the WinXP client behind a NAT device? Does the NAT device support
    IPSEC/ESP NAT?
    Phillip Remaker, May 11, 2005
    #2
  3. dan

    dan Guest

    Phillip Remaker wrote:
    > Is the WinXP client behind a NAT device? Does the NAT device support
    > IPSEC/ESP NAT?

    The same problem persists even if they are directly connected to each
    other. Another interesting point I forgot to mention might be that the
    first 4 ISAKMP packets pass as expected, but then the client does not
    initiate the final exchange (authentication) in main mode. A packet
    trace looks like this:

    ISAKMP 10.0.0.2 --> 2.2.2.2
    ISAKMP 2.2.2.2 --> 10.0.0.2
    ISAKMP 10.0.0.2 --> 2.2.2.2
    ISAKMP 2.2.2.2 --> 10.0.0.2

    ISAKMP 2.2.2.2 --> 10.0.0.2
    ISAKMP 2.2.2.2 --> 10.0.0.2
    dan, May 11, 2005
    #3