RE: *Mar 1 01:38:13.295: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE

From: Tyson Scott <tscott_at_ipexpert.com>
Date: Mon, 5 Jul 2010 14:12:05 -0400

You can do what Sadiq said, or simply do:

no crypto isakmp key keynya address 20.0.0.5 255.255.255.0
no crypto isakmp key kuncikunci address 20.0.0.6 255.255.255.255
crypto isakmp key kuncikunci address 20.0.0.6 255.255.255.255
crypto isakmp key keynya address 20.0.0.0 255.255.255.0

Crypto keys are processed in order. Both keys are set to match 20.0.0.0/24.

Regards,
 
Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Dwi
Chandra
Sent: Monday, July 05, 2010 1:46 PM
To: Sadiq Yakasai
Cc: Taufik Kurniawan; Cisco certification; cisco_at_groupstudy.com
Subject: Re: *Mar 1 01:38:13.295: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message
from 20.0.0.6 failed its sanity check or is malformed

Isn't the peer address just the host IP?
Any idea why you use a subnet mask in your peer address?

Try removing the subnet mask ;)

Cheers,

DC

On Mon, Jul 5, 2010 at 9:56 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:

> On R4, can you make these more specific (/32 and not /24)?
>
>
> crypto isakmp key keynya address 20.0.0.5 255.255.255.255
> crypto isakmp key kuncikunci address 20.0.0.6 255.255.255.255
>
> Let us know what happens...
>
> HTH,
> Sadiq
>
> On Mon, Jul 5, 2010 at 5:34 PM, Taufik Kurniawan <ktaufik_at_gmail.com>
> wrote:
>
> > Can anybody help with why?
> >
> >
> > R4
> >
> > crypto isakmp policy 1
> > encr 3des
> > authentication pre-share
> > group 2
> > !
> > crypto isakmp policy 2
> > encr aes 256
> > authentication pre-share
> > group 5
> > crypto isakmp key keynya address 20.0.0.5 255.255.255.0
> > crypto isakmp key kuncikunci address 20.0.0.6 255.255.255.0
> > !
> > !
> > crypto ipsec transform-set transetnya esp-3des esp-sha-hmac
> > crypto ipsec transform-set transet3 esp-aes 256 esp-sha-hmac
> > !
> > crypto ipsec profile profile3
> > set transform-set transet3
> > !
> > crypto ipsec profile profilenya
> > set transform-set transetnya
> > !
> > interface Loopback0
> > ip address 202.155.40.1 255.255.255.0
> > !
> > interface Tunnel45
> > ip address 202.155.0.9 255.255.255.252
> > tunnel source FastEthernet0/0
> > tunnel destination 20.0.0.5
> > tunnel mode ipsec ipv4
> > tunnel protection ipsec profile profilenya
> > !
> > interface Tunnel46
> > ip address 202.155.0.13 255.255.255.252
> > tunnel source FastEthernet0/0
> > tunnel destination 20.0.0.6
> > tunnel mode ipsec ipv4
> > tunnel protection ipsec profile profile3
> > !
> > interface FastEthernet0/0
> > ip address 20.0.0.4 255.255.255.0
> > duplex auto
> > speed auto
> > !
> >
> >
> > R5
> > crypto isakmp policy 1
> > encr 3des
> > authentication pre-share
> > group 2
> > crypto isakmp key keynya address 20.0.0.4 255.255.255.0
> > !
> > !
> > crypto ipsec transform-set transetnya esp-3des esp-sha-hmac
> > !
> > crypto ipsec profile profilenya
> > set transform-set transetnya
> > !
> > !
> > !
> > !
> > !
> > !
> > !
> > !
> > interface Loopback0
> > ip address 202.155.50.1 255.255.255.0
> > !
> > interface Tunnel0
> > ip address 202.155.0.10 255.255.255.252
> > tunnel source FastEthernet0
> > tunnel destination 20.0.0.4
> > tunnel mode ipsec ipv4
> > tunnel protection ipsec profile profilenya
> > !
> >
> > R6
> >
> > !
> > crypto isakmp policy 2
> > encr aes 256
> > authentication pre-share
> > group 5
> > crypto isakmp key kuncikunci address 20.0.0.4 255.255.255.0
> > !
> > !
> > crypto ipsec transform-set transet3 esp-aes 256 esp-sha-hmac
> > !
> > crypto ipsec profile profile3
> > set transform-set transet3
> > !
> > !
> > !
> > !
> > !
> > !
> > !
> > !
> > interface Tunnel0
> > ip address 202.155.0.14 255.255.255.252
> > tunnel source FastEthernet0
> > tunnel destination 20.0.0.4
> > tunnel mode ipsec ipv4
> > tunnel protection ipsec profile profile3
> > !
> > interface Ethernet0
> > no ip address
> > shutdown
> > half-duplex
> > !
> > interface FastEthernet0
> > ip address 20.0.0.6 255.255.255.0
> > speed auto
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> CCIE #19963
>

Received on Mon Jul 05 2010 - 14:12:05 ART

This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 19:19:15 ART
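
Added example (not part of the original thread or any poster's configuration): a small Python check for the overlap Tyson describes, where both R4 key entries reduce to 20.0.0.0/24 and the second one can never be selected. It assumes first-match lookup in configuration order, as stated in the thread; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the two R4 key lines as originally posted in the thread.
R4_ORIGINAL = """\
crypto isakmp key keynya address 20.0.0.5 255.255.255.0
crypto isakmp key kuncikunci address 20.0.0.6 255.255.255.0
"""
# The reordered version from the reply: host entry first, /24 entry second.
R4_FIXED = """\
crypto isakmp key kuncikunci address 20.0.0.6 255.255.255.255
crypto isakmp key keynya address 20.0.0.0 255.255.255.0
"""

KEY_RE = re.compile(r"^\s*crypto isakmp key (\S+) address (\S+)(?: (\S+))?\s*$")

def parse_keys(config):
    """Return [(key, network)] in config order; a missing mask means /32."""
    entries = []
    for line in config.splitlines():
        m = KEY_RE.match(line)
        if m:
            key, addr, mask = m.group(1), m.group(2), m.group(3) or "255.255.255.255"
            # strict=False drops host bits: 20.0.0.5/24 becomes 20.0.0.0/24
            entries.append((key, ipaddress.ip_network(f"{addr}/{mask}", strict=False)))
    return entries

def key_for_peer(entries, peer):
    """First-match lookup (assumption: ordered processing, as stated in the thread)."""
    ip = ipaddress.ip_address(peer)
    for key, net in entries:
        if ip in net:
            return key
    return None

def shadowed(entries):
    """Entries hidden behind an earlier, covering entry that holds a different key."""
    out = []
    for i, (key, net) in enumerate(entries):
        for prev_key, prev_net in entries[:i]:
            if prev_key != key and net.subnet_of(prev_net):
                out.append((key, str(net), prev_key, str(prev_net)))
                break
    return out

if __name__ == "__main__":
    for name, cfg in (("original", R4_ORIGINAL), ("fixed", R4_FIXED)):
        e = parse_keys(cfg)
        print(name, "20.0.0.6 ->", key_for_peer(e, "20.0.0.6"), "shadowed:", shadowed(e))
```
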