Re: OT:IKE Phase I Aggressive Mode Problem

From: Fabian Pucciarelli <fabiangp_at_gmail.com>
Date: Fri, 8 Oct 2010 06:51:08 -0600

You need to use a match statement in your profile, for instance

   match identity user domain custA.com Internet

or

   match identity address 10.0.0.1 255.255.255.255

The message "cannot find key or cert" is kind of misleading.

Fabian

On Fri, Oct 8, 2010 at 6:00 AM, karim jamali <karim.jamali_at_gmail.com> wrote:

> Dear Experts,
>
> I am trying to run IKE Phase I in Aggressive mode using ISAKMP Profiles;
> however, I am not able to get why it doesn't work. When running the debugs, I
> see that it can't run AGGRESSIVE mode and it can't find a PSK or cert
> despite the fact that it exists. I would appreciate any input.
>
> crypto isakmp key CISCO hostname Rack1R2.INE.com
>
> crypto isakmp profile AGGRESSIVE
> ! This profile is incomplete (no match identity statement)
>  keyring default
>  self-identity fqdn
>  initiate mode aggressive
> !
>
> crypto ipsec transform-set R1R2 esp-3des esp-md5-hmac
> !
> crypto map R1R2 isakmp-profile AGGRESSIVE
> crypto map R1R2 10 ipsec-isakmp
>  set peer 136.1.122.2
>  set transform-set R1R2
>  match address LO12
>
>
> interface FastEthernet0/0
>  ip address 136.1.121.1 255.255.255.0
>  duplex auto
>  speed auto
>  crypto map R1R2
>
>
> spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
> Oct 8 04:54:52.071: ISAKMP:(0): SA request profile is AGGRESSIVE
> Oct 8 04:54:52.071: ISAKMP: Created a peer struct for 136.1.122.2, peer port 500
> Oct 8 04:54:52.071: ISAKMP: New peer created peer = 0x83D50508 peer_handle = 0x80000010
> Oct 8 04:54:52.075: ISAKMP: Locking peer struct 0x83D50508, refcount 1 for isakmp_initiator
> Oct 8 04:54:52.075: ISAKMP: local port 500, remote port 500
> Oct 8 04:54:52.075: ISAKMP: set new node 0 to QM_IDLE
> Oct 8 04:54:52.075: insert sa successfully sa = 83DE56A8
> Oct 8 04:54:52.075: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
> Oct 8 04:54:52.079: ISAKMP:(0): No Cert or pre-shared address key.
> Oct 8 04:54:52.079: ISAKMP:(0): construct_initial_message: Can not start Main mode
> Oct 8 04:54:52.079: ISAKMP: Unlocking peer struct 0x83D50508 for isadb_unlock_peer_delete_sa(), count 0
> Oct 8 04:54:52.079: ISAKMP: Deleting peer node by peer_reap for 136.1.122.2: 83D50508
> Oct 8 04:54:52.079: ISAKMP:(0):purging SA., sa=83DE56A8, delme=83DE56A8
> Oct 8 04:54:52.079: ISAKMP:(0):purging node -1397275558
> Oct 8 04:54:52.083: ISAKMP: Error while processing SA request: Failed to initialize SA
> Oct 8 04:54:52.083: ISAKMP: Error while processing KMI message 0, error 2.
> Oct 8 04:54:52.083: IPSEC(key_engine): got a queue event with 1 KMI message(s)
>
> Thanks
>
> Best Regards
> --
> KJ
>
>
> Blogs and organic groups at http://www.ccie.net

-- 
Regards,
Fabian Pucciarelli
Received on Fri Oct 08 2010 - 06:51:08 ART
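As an added illustration of Fabian's point (this configuration is not from either poster; it is built from the profile Karim quoted, using his names and addresses, and the corrected profile is an assumption about how his setup should look), here is the posted profile next to a version that carries a match statement. Because Karim's pre-shared key is defined with `hostname Rack1R2.INE.com`, the match is on the peer's FQDN identity; a key defined with an address would use `match identity address` as in Fabian's second example.

```cisco
! Added example, not from the thread. Rack1R2.INE.com, 136.1.122.2, the
! "default" keyring and the profile name AGGRESSIVE come from Karim's quoted
! configuration; the corrected profile follows Fabian's advice and is an
! assumption about his intended setup.

! --- Before: profile as posted. Without "match identity" the profile is
! --- never bound to the peer, so IOS cannot select the PSK for it. Per
! --- Fabian, this is what produces "Can not start Aggressive mode" and the
! --- misleading "No Cert or pre-shared address key" in the debug.
crypto isakmp key CISCO hostname Rack1R2.INE.com
!
crypto isakmp profile AGGRESSIVE
 keyring default
 self-identity fqdn
 initiate mode aggressive
!
! --- After: the same profile with a match statement on the peer's FQDN,
! --- which is how the pre-shared key above is keyed.
crypto isakmp profile AGGRESSIVE
 keyring default
 match identity host Rack1R2.INE.com
 self-identity fqdn
 initiate mode aggressive
!
! The crypto map binding is unchanged from the posted configuration:
crypto map R1R2 isakmp-profile AGGRESSIVE
!
! Checks from exec mode after the change:
!   show crypto isakmp profile   - the profile should list its identity match
!   show crypto isakmp sa        - the SA to 136.1.122.2 should reach QM_IDLE
!   debug crypto isakmp          - the "No Cert or pre-shared address key"
!                                   line should no longer appear
```

The key sits in the global keyring, which is what `keyring default` refers to, so only the match statement is missing; `self-identity fqdn` stays so that the router presents its own hostname identity in the aggressive-mode exchange.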
