IPSec using certificate authentication

Hi,

sorry for the long post.

I'm trying to establish an IPSec tunnel from a Win XP client to a Cisco 1711 router running IOS 12.2(15)ZL1. IPSec using a preshared key works fine. The CA is an MS Win 2003 server. I can enroll the router and import the CA certificate. Moreover, an IPSec certificate is installed in the computer's certificate store and the CA certificate is added to the trusted roots on the client's PC.

I've been trying for days now and just can't get it working. The IKE negotiation fails in main mode. Thanks for any help.

Here are the relevant parts of the config and the logs:

---------- Cisco Config ----------

aaa new-model
!
aaa authentication login default local
aaa authentication ppp vpdn group radius
aaa authorization network default group radius
aaa session-id common
!
vpdn enable
!
vpdn-group l2tpvpn
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
no ftp-server write-enable
!
crypto ca trustpoint Networklab
 enrollment mode ra
 enrollment url http://172.16.4.1:80/certsrv/mscep/mscep.dll
 enrollment http-proxy 192.168.0.1 80
 serial-number
 fqdn none
 ip-address none
 password 7 00344B54250C759036076E685F4E534E56
 revocation-check crl
 rsakeypair SDM-RSAKey-1115712347000
 auto-enroll
!
crypto ca certificate chain Networklab
 certificate 67103CFF000000000011
  308205E1 .... 1D
  quit
 certificate ca 01AEF9A1448A34A441C09FBC00CC392D
  3082049E .... E5FE
  quit
!
crypto isakmp policy 1
 encr 3des
 group 2
!
crypto ipsec transform-set esp-3des-sha-tunnel esp-3des esp-sha-hmac
!
crypto dynamic-map dynvpn 1
 set transform-set esp-3des-sha-tunnel
 set pfs group2
 match address 130
!
crypto map extmap 1 ipsec-isakmp dynamic dynvpn
!
access-list 130 permit udp host 2.2.2.2 eq 1701 any eq 1701
access-list 130 permit udp any eq 1701 host 2.2.2.2 eq 1701

---------- Cisco ISAKMP Debug ----------

005943: May 10 10:28:19.781 PCTime: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
005944: May 10 10:28:19.781 PCTime: ISAKMP (0:1): peer does not do paranoid keepalives.
005945: May 10 10:28:19.781 PCTime: ISAKMP (0:1): deleting SA reason "death by retransmission P1" state (R) MM_KEY_EXCH (peer 10.0.0.2) input queue 0
005946: May 10 10:28:19.781 PCTime: ISAKMP (0:1): deleting SA reason "death by retransmission P1" state (R) MM_KEY_EXCH (peer 10.0.0.2) input queue 0
005947: May 10 10:28:19.781 PCTime: ISAKMP (0:1): deleting node -1771400485 error TRUE reason "death by retransmission P1"
005948: May 10 10:28:19.781 PCTime: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
005949: May 10 10:28:19.781 PCTime: ISAKMP (0:1): Old State = IKE_R_MM4 New State = IKE_DEST_SA
005950: May 10 10:28:24.253 PCTime: ISAKMP (0:0): received packet from 10.0.0.2 dport 500 sport 500 Global (N) NEW SA
005951: May 10 10:28:24.257 PCTime: ISAKMP: local port 500, remote port 500
005952: May 10 10:28:24.257 PCTime: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 822C014C
005953: May 10 10:28:24.257 PCTime: ISAKMP (0:2): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
005954: May 10 10:28:24.257 PCTime: ISAKMP (0:2): Old State = IKE_READY New State = IKE_R_MM1
005955: May 10 10:28:24.257 PCTime: ISAKMP (0:2): processing SA payload. message ID = 0
005956: May 10 10:28:24.257 PCTime: ISAKMP (0:2): processing vendor id payload
005957: May 10 10:28:24.257 PCTime: ISAKMP (0:2): vendor ID seems Unity/DPD but major 228 mismatch
005958: May 10 10:28:24.261 PCTime: ISAKMP (0:2): processing vendor id payload
005959: May 10 10:28:24.261 PCTime: ISAKMP (0:2): vendor ID seems Unity/DPD but major 194 mismatch
005960: May 10 10:28:24.261 PCTime: ISAKMP (0:2): processing vendor id payload
005961: May 10 10:28:24.261 PCTime: ISAKMP (0:2): vendor ID seems Unity/DPD but major 123 mismatch
005962: May 10 10:28:24.261 PCTime: ISAKMP (0:2): vendor ID is NAT-T v2
005963: May 10 10:28:24.261 PCTime: ISAKMP (0:2): processing vendor id payload
005964: May 10 10:28:24.261 PCTime: ISAKMP (0:2): vendor ID seems Unity/DPD but major 184 mismatch
005965: May 10 10:28:24.261 PCTime: ISAKMP : Scanning profiles for xauth ...
005966: May 10 10:28:24.261 PCTime: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 1 policy
005967: May 10 10:28:24.261 PCTime: ISAKMP: encryption 3DES-CBC
005968: May 10 10:28:24.261 PCTime: ISAKMP: hash SHA
005969: May 10 10:28:24.261 PCTime: ISAKMP: default group 2
005970: May 10 10:28:24.261 PCTime: ISAKMP: auth RSA sig
005971: May 10 10:28:24.261 PCTime: ISAKMP: life type in seconds
005972: May 10 10:28:24.261 PCTime: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
005973: May 10 10:28:24.261 PCTime: ISAKMP (0:2): atts are acceptable. Next payload is 0
005974: May 10 10:28:24.509 PCTime: ISAKMP (0:2): processing vendor id payload
005975: May 10 10:28:24.509 PCTime: ISAKMP (0:2): vendor ID seems Unity/DPD but major 228 mismatch
005976: May 10 10:28:24.509 PCTime: ISAKMP (0:2): processing vendor id payload
005977: May 10 10:28:24.509 PCTime: ISAKMP (0:2): vendor ID seems Unity/DPD but major 194 mismatch
005978: May 10 10:28:24.513 PCTime: ISAKMP (0:2): processing vendor id payload
005979: May 10 10:28:24.513 PCTime: ISAKMP (0:2): vendor ID seems Unity/DPD but major 123 mismatch
005980: May 10 10:28:24.513 PCTime: ISAKMP (0:2): vendor ID is NAT-T v2
005981: May 10 10:28:24.513 PCTime: ISAKMP (0:2): processing vendor id payload
005982: May 10 10:28:24.513 PCTime: ISAKMP (0:2): vendor ID seems Unity/DPD but major 184 mismatch
005983: May 10 10:28:24.513 PCTime: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
005984: May 10 10:28:24.513 PCTime: ISAKMP (0:2): Old State = IKE_R_MM1 New State = IKE_R_MM1
005985: May 10 10:28:24.513 PCTime: ISAKMP (0:2): constructed NAT-T vendor-02 ID
005986: May 10 10:28:24.513 PCTime: ISAKMP (0:2): sending packet to 10.0.0.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
005987: May 10 10:28:24.517 PCTime: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
005988: May 10 10:28:24.517 PCTime: ISAKMP (0:2): Old State = IKE_R_MM1 New State = IKE_R_MM2
005989: May 10 10:28:24.581 PCTime: ISAKMP (0:2): received packet from 10.0.0.2 dport 500 sport 500 Global (R) MM_SA_SETUP
005990: May 10 10:28:24.585 PCTime: ISAKMP (0:2): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
005991: May 10 10:28:24.585 PCTime: ISAKMP (0:2): Old State = IKE_R_MM2 New State = IKE_R_MM3
005992: May 10 10:28:24.585 PCTime: ISAKMP (0:2): processing KE payload. message ID = 0
005993: May 10 10:28:24.833 PCTime: ISAKMP (0:2): processing NONCE payload. message ID = 0
005994: May 10 10:28:24.869 PCTime: ISAKMP (0:2): SKEYID state generated
005995: May 10 10:28:24.869 PCTime: ISAKMP:received payload type 17
005996: May 10 10:28:24.869 PCTime: ISAKMP (0:2): Detected NAT-D payload
005997: May 10 10:28:24.869 PCTime: ISAKMP (0:2): NAT match MINE hash
005998: May 10 10:28:24.869 PCTime: ISAKMP:received payload type 17
005999: May 10 10:28:24.869 PCTime: ISAKMP (0:2): Detected NAT-D payload
006000: May 10 10:28:24.869 PCTime: ISAKMP (0:2): NAT match HIS hash
006001: May 10 10:28:24.869 PCTime: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
006002: May 10 10:28:24.869 PCTime: ISAKMP (0:2): Old State = IKE_R_MM3 New State = IKE_R_MM3
006003: May 10 10:28:24.873 PCTime: ISAKMP (0:2): constructed HIS NAT-D
006004: May 10 10:28:24.873 PCTime: ISAKMP (0:2): constructed MINE NAT-D
006005: May 10 10:28:24.873 PCTime: ISAKMP (0:2): sending packet to 10.0.0.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
006006: May 10 10:28:24.873 PCTime: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
006007: May 10 10:28:24.873 PCTime: ISAKMP (0:2): Old State = IKE_R_MM3 New State = IKE_R_MM4
006008: May 10 10:28:34.873 PCTime: ISAKMP (0:2): retransmitting phase 1 MM_KEY_EXCH...
006009: May 10 10:28:34.873 PCTime: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
006010: May 10 10:28:34.873 PCTime: ISAKMP (0:2): retransmitting phase 1 MM_KEY_EXCH
006011: May 10 10:28:34.873 PCTime: ISAKMP (0:2): sending packet to 10.0.0.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
006012: May 10 10:28:44.873 PCTime: ISAKMP (0:2): retransmitting phase 1 MM_KEY_EXCH...
006013: May 10 10:28:44.873 PCTime: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
006014: May 10 10:28:44.873 PCTime: ISAKMP (0:2): retransmitting phase 1 MM_KEY_EXCH
006015: May 10 10:28:44.873 PCTime: ISAKMP (0:2): sending packet to 10.0.0.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
006016: May 10 10:28:54.873 PCTime: ISAKMP (0:2): retransmitting phase 1 MM_KEY_EXCH...
006017: May 10 10:28:54.873 PCTime: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
006018: May 10 10:28:54.873 PCTime: ISAKMP (0:2): retransmitting phase 1 MM_KEY_EXCH
006019: May 10 10:28:54.873 PCTime: ISAKMP (0:2): sending packet to 10.0.0.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

---------- Win XP Security Log ----------

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 547
Date: 5/10/2005
Time: 10:27:04 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: CH-RD-C003-4
Description: IKE security association negotiation failed.
Mode: Key Exchange Mode (Main Mode)

Filter:
Source IP Address 10.0.0.2
Source IP Address Mask 255.255.255.255
Destination IP Address 2.2.2.2
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 10.0.0.2
IKE Peer Addr 2.2.2.2

Peer Identity: Certificate based Identity.
Peer Subject
Peer SHA Thumbprint 0000000000000000000000000000000000000000
Peer Issuing Certificate Authority
Root Certificate Authority
My Subject O=Networklab, CN=Remote Service Host
My SHA Thumbprint 55883cf525a8e6cc0200459c931a2a4d2da737c4
Peer IP Address: 2.2.2.2

Failure Point: Me
Failure Reason: General processing error
Extra Status: 0x80092004 0x0

---------- Win XP Oakley Debug ----------

5-10: 10:26:48:328:1a90 Initialization OK
5-10: 10:26:49:625:1c70
5-10: 10:26:49:625:1c70 Receive: (get) SA = 0x00000000 from 2.2.2.2.500
5-10: 10:26:49:625:1c70 ISAKMP Header: (V1.0), len = 383
5-10: 10:26:49:625:1c70 I-COOKIE 702ef665ca453b5f
5-10: 10:26:49:625:1c70 R-COOKIE 6a59dabfd230297a
5-10: 10:26:49:625:1c70 exchange: Oakley Main Mode
5-10: 10:26:49:625:1c70 flags: 0
5-10: 10:26:49:625:1c70 next payload: KE
5-10: 10:26:49:625:1c70 message ID: 00000000
5-10: 10:26:49:625:1c70 invalid cookie received
5-10: 10:27:04:93:18f8 Acquire from driver: op=0000001F src=10.0.0.2.1701 dst=2.2.2.2.1701 proto = 17, SrcMask=255.255.255.255, DstMask=255.255.255.255, Tunnel 1, TunnelEndpt=2.2.2.2 Inbound TunnelEndpt=10.0.0.2
5-10: 10:27:04:93:1c70 Filter to match: Src 2.2.2.2 Dst 10.0.0.2
5-10: 10:27:04:93:1c70 MM PolicyName: 1
5-10: 10:27:04:93:1c70 MMPolicy dwFlags 2 SoftSAExpireTime 28800
5-10: 10:27:04:93:1c70 MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup 2
5-10: 10:27:04:93:1c70 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
5-10: 10:27:04:93:1c70 Auth[0]:RSA Sig DC=local, DC=networklab, CN=Networklab AuthFlags 0
5-10: 10:27:04:93:1c70 QM PolicyName: SecureNew dwFlags 1
5-10: 10:27:04:93:1c70 QMOffer[0] LifetimeKBytes 0 LifetimeSec 0
5-10: 10:27:04:93:1c70 QMOffer[0] dwFlags 0 dwPFSGroup -2147483648
5-10: 10:27:04:93:1c70 Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: SHA
5-10: 10:27:04:93:1c70 Starting Negotiation: src = 10.0.0.2.0500, dst = 2.2.2.2.0500, proto = 17, context = 0000001F, ProxySrc = 10.0.0.2.1701, ProxyDst = 2.2.2.2.1701 SrcMask = 255.255.255.255 DstMask = 255.255.255.255
5-10: 10:27:04:93:1c70 constructing ISAKMP Header
5-10: 10:27:04:93:1c70 constructing SA (ISAKMP)
5-10: 10:27:04:93:1c70 Constructing Vendor MS NT5 ISAKMPOAKLEY
5-10: 10:27:04:93:1c70 Constructing Vendor FRAGMENTATION
5-10: 10:27:04:93:1c70 Constructing Vendor draft-ietf-ipsec-nat-t-ike-02
5-10: 10:27:04:93:1c70 Constructing Vendor Vid-Initial-Contact
5-10: 10:27:04:93:1c70
5-10: 10:27:04:93:1c70 Sending: SA = 0x00102FC8 to 2.2.2.2:Type 2.500
5-10: 10:27:04:93:1c70 ISAKMP Header: (V1.0), len = 168
5-10: 10:27:04:93:1c70 I-COOKIE 13328cf8c6e5a496
5-10: 10:27:04:93:1c70 R-COOKIE 0000000000000000
5-10: 10:27:04:93:1c70 exchange: Oakley Main Mode
5-10: 10:27:04:93:1c70 flags: 0
5-10: 10:27:04:93:1c70 next payload: SA
5-10: 10:27:04:93:1c70 message ID: 00000000
5-10: 10:27:04:93:1c70 Ports S:f401 D:f401
5-10: 10:27:04:359:1c70
5-10: 10:27:04:359:1c70 Receive: (get) SA = 0x00102fc8 from 2.2.2.2.500
5-10: 10:27:04:359:1c70 ISAKMP Header: (V1.0), len = 100
5-10: 10:27:04:359:1c70 I-COOKIE 13328cf8c6e5a496
5-10: 10:27:04:359:1c70 R-COOKIE 6a59dabf2c9eeb5d
5-10: 10:27:04:359:1c70 exchange: Oakley Main Mode
5-10: 10:27:04:359:1c70 flags: 0
5-10: 10:27:04:359:1c70 next payload: SA
5-10: 10:27:04:359:1c70 message ID: 00000000
5-10: 10:27:04:359:1c70 processing payload SA
5-10: 10:27:04:359:1c70 Received Phase 1 Transform 1
5-10: 10:27:04:359:1c70 Encryption Alg Triple DES CBC(5)
5-10: 10:27:04:359:1c70 Hash Alg SHA(2)
5-10: 10:27:04:359:1c70 Oakley Group 2
5-10: 10:27:04:359:1c70 Auth Method RSA Signature with Certificates(3)
5-10: 10:27:04:359:1c70 Life type in Seconds
5-10: 10:27:04:359:1c70 Life duration of 28800
5-10: 10:27:04:359:1c70 Phase 1 SA accepted: transform=1
5-10: 10:27:04:359:1c70 SA - Oakley proposal accepted
5-10: 10:27:04:359:1c70 processing payload VENDOR ID
5-10: 10:27:04:359:1c70 Received VendorId draft-ietf-ipsec-nat-t-ike-02
5-10: 10:27:04:359:1c70 ClearFragList
5-10: 10:27:04:359:1c70 constructing ISAKMP Header
5-10: 10:27:04:421:1c70 constructing KE
5-10: 10:27:04:421:1c70 constructing NONCE (ISAKMP)
5-10: 10:27:04:421:1c70 Constructing NatDisc
5-10: 10:27:04:421:1c70
5-10: 10:27:04:421:1c70 Sending: SA = 0x00102FC8 to 2.2.2.2:Type 2.500
5-10: 10:27:04:421:1c70 ISAKMP Header: (V1.0), len = 232
5-10: 10:27:04:421:1c70 I-COOKIE 13328cf8c6e5a496
5-10: 10:27:04:421:1c70 R-COOKIE 6a59dabf2c9eeb5d
5-10: 10:27:04:421:1c70 exchange: Oakley Main Mode
5-10: 10:27:04:421:1c70 flags: 0
5-10: 10:27:04:421:1c70 next payload: KE
5-10: 10:27:04:421:1c70 message ID: 00000000
5-10: 10:27:04:421:1c70 Ports S:f401 D:f401
5-10: 10:27:04:718:1c70
5-10: 10:27:04:718:1c70 Receive: (get) SA = 0x00102fc8 from 2.2.2.2.500
5-10: 10:27:04:718:1c70 ISAKMP Header: (V1.0), len = 383
5-10: 10:27:04:718:1c70 I-COOKIE 13328cf8c6e5a496
5-10: 10:27:04:718:1c70 R-COOKIE 6a59dabf2c9eeb5d
5-10: 10:27:04:718:1c70 exchange: Oakley Main Mode
5-10: 10:27:04:718:1c70 flags: 0
5-10: 10:27:04:718:1c70 next payload: KE
5-10: 10:27:04:718:1c70 message ID: 00000000
5-10: 10:27:04:718:1c70 processing payload KE
5-10: 10:27:04:734:1c70 processing payload NONCE
5-10: 10:27:04:734:1c70 processing payload CRP
5-10: 10:27:04:734:1c70 DC=local, DC=networklab, CN=Networklab
5-10: 10:27:04:734:1c70 processing payload VENDOR ID
5-10: 10:27:04:734:1c70 processing payload VENDOR ID
5-10: 10:27:04:734:1c70 processing payload VENDOR ID
5-10: 10:27:04:734:1c70 processing payload VENDOR ID
5-10: 10:27:04:734:1c70 processing payload NATDISC
5-10: 10:27:04:734:1c70 Processing NatHash
5-10: 10:27:04:734:1c70 Nat hash 2651234ebd1e2623f23ef13e7361ef87
5-10: 10:27:04:734:1c70 b73882cd
5-10: 10:27:04:734:1c70 SA StateMask2 f
5-10: 10:27:04:734:1c70 processing payload NATDISC
5-10: 10:27:04:734:1c70 Processing NatHash
5-10: 10:27:04:734:1c70 Nat hash a433da81781938fa3d193f9d4fa5f17a
5-10: 10:27:04:734:1c70 986fcf69
5-10: 10:27:04:734:1c70 SA StateMask2 8f
5-10: 10:27:04:734:1c70 ClearFragList
5-10: 10:27:04:734:1c70 constructing ISAKMP Header
5-10: 10:27:04:734:1c70 constructing ID
5-10: 10:27:04:734:1c70 Looking for IPSec only cert
5-10: 10:27:04:734:1c70 Cert Trustes. 0 100
5-10: 10:27:04:734:1c70 Cert SHA Thumbprint 55883cf525a8e6cc0200459c931a2a4d
5-10: 10:27:04:734:1c70 2da737c4
5-10: 10:27:04:734:1c70 Get Certificate Context Property failed with 80092004
5-10: 10:27:04:734:1c70 Failed to get key for cert
5-10: 10:27:04:734:1c70 Looking for IPSec only cert
5-10: 10:27:04:734:1c70 failed to get chain 80092004
5-10: 10:27:04:734:1c70 Looking for any cert
5-10: 10:27:04:734:1c70 Cert Trustes. 0 100
5-10: 10:27:04:734:1c70 Cert SHA Thumbprint 55883cf525a8e6cc0200459c931a2a4d
5-10: 10:27:04:734:1c70 2da737c4
5-10: 10:27:04:734:1c70 Get Certificate Context Property failed with 80092004
5-10: 10:27:04:734:1c70 Failed to get key for cert
5-10: 10:27:04:734:1c70 Looking for any cert
5-10: 10:27:04:734:1c70 failed to get chain 80092004
5-10: 10:27:04:734:1c70 Received no valid CRPs. Using all configured
5-10: 10:27:04:734:1c70 Looking for IPSec only cert
5-10: 10:27:04:734:1c70 Cert Trustes. 0 100
5-10: 10:27:04:734:1c70 Cert SHA Thumbprint 55883cf525a8e6cc0200459c931a2a4d
5-10: 10:27:04:734:1c70 2da737c4
5-10: 10:27:04:734:1c70 Get Certificate Context Property failed with 80092004
5-10: 10:27:04:734:1c70 Failed to get key for cert
5-10: 10:27:04:734:1c70 Looking for IPSec only cert
5-10: 10:27:04:734:1c70 failed to get chain 80092004
5-10: 10:27:04:734:1c70 Looking for any cert
5-10: 10:27:04:734:1c70 Cert Trustes. 0 100
5-10: 10:27:04:734:1c70 Cert SHA Thumbprint 55883cf525a8e6cc0200459c931a2a4d
5-10: 10:27:04:734:1c70 2da737c4
5-10: 10:27:04:734:1c70 Get Certificate Context Property failed with 80092004
5-10: 10:27:04:734:1c70 Failed to get key for cert
5-10: 10:27:04:734:1c70 Looking for any cert
5-10: 10:27:04:734:1c70 failed to get chain 80092004
5-10: 10:27:04:734:1c70 ProcessFailure: sa:00102FC8 centry:00000000 status:35ec
5-10: 10:27:04:734:1c70 isadb_set_status sa:00102FC8 centry:00000000 status 35ec
5-10: 10:27:04:734:1c70 Key Exchange Mode (Main Mode)
5-10: 10:27:04:734:1c70 Source IP Address 10.0.0.2 Source IP Address Mask 255.255.255.255 Destination IP Address 2.2.2.2 Destination IP Address Mask 255.255.255.255 Protocol 0 Source Port 0 Destination Port 0 IKE Local Addr 10.0.0.2 IKE Peer Addr 2.2.2.2
5-10: 10:27:04:734:1c70 Certificate based Identity. Peer Subject Peer SHA Thumbprint 0000000000000000000000000000000000000000 Peer Issuing Certificate Authority Root Certificate Authority My Subject O=Networklab, CN=Remote Service Host My SHA Thumbprint 55883cf525a8e6cc0200459c931a2a4d2da737c4 Peer IP Address: 2.2.2.2
5-10: 10:27:04:734:1c70 Me
5-10: 10:27:04:734:1c70 General processing error
5-10: 10:27:04:734:1c70 0x80092004 0x0
5-10: 10:27:04:734:1c70 ProcessFailure: sa:00102FC8 centry:00000000 status:35ec
5-10: 10:27:04:734:1c70 Not creating notify.
5-10: 10:27:14:718:1c70
5-10: 10:27:14:718:1c70 Receive: (get) SA = 0x00102fc8 from 2.2.2.2.500
5-10: 10:27:14:718:1c70 ISAKMP Header: (V1.0), len = 383
5-10: 10:27:14:718:1c70 I-COOKIE 13328cf8c6e5a496
5-10: 10:27:14:718:1c70 R-COOKIE 6a59dabf2c9eeb5d
5-10: 10:27:14:718:1c70 exchange: Oakley Main Mode
5-10: 10:27:14:718:1c70 flags: 0
5-10: 10:27:14:718:1c70 next payload: KE
5-10: 10:27:14:718:1c70 message ID: 00000000
5-10: 10:27:14:718:1c70 received an unencrypted packet when crypto active
5-10: 10:27:14:718:1c70 GetPacket failed 35ec
5-10: 10:27:24:718:1c70
5-10: 10:27:24:718:1c70 Receive: (get) SA = 0x00102fc8 from 2.2.2.2.500
5-10: 10:27:24:718:1c70 ISAKMP Header: (V1.0), len = 383
5-10: 10:27:24:718:1c70 I-COOKIE 13328cf8c6e5a496
5-10: 10:27:24:718:1c70 R-COOKIE 6a59dabf2c9eeb5d
5-10: 10:27:24:718:1c70 exchange: Oakley Main Mode
5-10: 10:27:24:718:1c70 flags: 0
5-10: 10:27:24:718:1c70 next payload: KE
5-10: 10:27:24:718:1c70 message ID: 00000000
5-10: 10:27:24:718:1c70 received an unencrypted packet when crypto active
5-10: 10:27:24:718:1c70 GetPacket failed 35ec
5-10: 10:27:34:718:1c70
5-10: 10:27:34:718:1c70 Receive: (get) SA = 0x00102fc8 from 2.2.2.2.500
5-10: 10:27:34:718:1c70 ISAKMP Header: (V1.0), len = 383
5-10: 10:27:34:718:1c70 I-COOKIE 13328cf8c6e5a496
5-10: 10:27:34:718:1c70 R-COOKIE 6a59dabf2c9eeb5d
5-10: 10:27:34:718:1c70 exchange: Oakley Main Mode
5-10: 10:27:34:718:1c70 flags: 0
5-10: 10:27:34:718:1c70 next payload: KE
5-10: 10:27:34:718:1c70 message ID: 00000000
5-10: 10:27:34:718:1c70 received an unencrypted packet when crypto active
5-10: 10:27:34:718:1c70 GetPacket failed 35ec
5-10: 10:27:44:718:1c70
5-10: 10:27:44:718:1c70 Receive: (get) SA = 0x00102fc8 from 2.2.2.2.500
5-10: 10:27:44:718:1c70 ISAKMP Header: (V1.0), len = 383
5-10: 10:27:44:718:1c70 I-COOKIE 13328cf8c6e5a496
5-10: 10:27:44:718:1c70 R-COOKIE 6a59dabf2c9eeb5d
5-10: 10:27:44:718:1c70 exchange: Oakley Main Mode
5-10: 10:27:44:718:1c70 flags: 0
5-10: 10:27:44:718:1c70 next payload: KE
5-10: 10:27:44:718:1c70 message ID: 00000000
5-10: 10:27:44:718:1c70 received an unencrypted packet when crypto active
5-10: 10:27:44:718:1c70 GetPacket failed 35ec
5-10: 10:27:54:718:1c70
5-10: 10:27:54:718:1c70 Receive: (get) SA = 0x00102fc8 from 2.2.2.2.500
5-10: 10:27:54:718:1c70 ISAKMP Header: (V1.0), len = 383
5-10: 10:27:54:718:1c70 I-COOKIE 13328cf8c6e5a496
5-10: 10:27:54:718:1c70 R-COOKIE 6a59dabf2c9eeb5d
5-10: 10:27:54:718:1c70 exchange: Oakley Main Mode
5-10: 10:27:54:718:1c70 flags: 0
5-10: 10:27:54:718:1c70 next payload: KE
5-10: 10:27:54:718:1c70 message ID: 00000000
5-10: 10:27:54:718:1c70 received an unencrypted packet when crypto active
5-10: 10:27:54:718:1c70 GetPacket failed 35ec
5-10: 10:29:03:328:1c70 SA Dead. sa:00102FC8 status:35f0
5-10: 10:29:03:328:1c70 constructing ISAKMP Header
5-10: 10:29:03:328:1c70 constructing HASH (null)
5-10: 10:29:03:328:1c70 constructing DELETE. MM 00102FC8
5-10: 10:29:03:328:1c70 constructing HASH (Notify/Delete)
5-10: 10:29:03:328:1c70
5-10: 10:29:03:328:1c70 Sending: SA = 0x00102FC8 to 2.2.2.2:Type 1.500
5-10: 10:29:03:328:1c70 ISAKMP Header: (V1.0), len = 84
5-10: 10:29:03:328:1c70 I-COOKIE 13328cf8c6e5a496
5-10: 10:29:03:328:1c70 R-COOKIE 6a59dabf2c9eeb5d
5-10: 10:29:03:328:1c70 exchange: ISAKMP Informational Exchange
5-10: 10:29:03:328:1c70 flags: 1 ( encrypted )
5-10: 10:29:03:328:1c70 next payload: HASH
5-10: 10:29:03:328:1c70 message ID: 5b0f7561
5-10: 10:29:03:328:1c70 Ports S:f401 D:f401
5-10: 10:29:03:328:1c70 ClearFragList
Reply to
dan

Is the WinXP client behind a NAT device? Does the NAT device support IPSEC/ESP NAT?

Reply to
Phillip Remaker

Phillip Remaker wrote:

The same problem persists even if they are directly connected to each other. Another interesting point I forgot to mention: the first 4 ISAKMP packets pass as expected, but then the client does not initiate the final exchange (authentication) in main mode. A packet trace looks like this:

ISAKMP 10.0.0.2 --> 2.2.2.2
ISAKMP 2.2.2.2 --> 10.0.0.2
ISAKMP 10.0.0.2 --> 2.2.2.2
ISAKMP 2.2.2.2 --> 10.0.0.2

ISAKMP 2.2.2.2 --> 10.0.0.2
ISAKMP 2.2.2.2 --> 10.0.0.2

Reply to
dan
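Added example, not code from either poster: a small Python triage that pulls the responder's last ISAKMP state and retransmit count out of the Cisco ISAKMP debug and the CryptoAPI HRESULT out of the Windows Oakley log, then correlates them. It also accounts for the packet trace in the follow-up, since a responder parked in IKE_R_MM4 has sent message 4 and is waiting for the initiator's message 5; the sample log lines, thumbprint, thread id and sequence numbers are constructed, and the HRESULT names are the Windows SDK constants.

```python
import re

# Added example, not code from the thread: correlate a Cisco ISAKMP debug with
# a Windows Oakley log to see where IKEv1 main mode stopped and why. Sample
# lines at the bottom are constructed (thumbprint, thread id, sequence numbers
# are made up); HRESULT names are the Windows SDK constants.

# CryptoAPI HRESULTs the Oakley log reports while choosing a signing cert.
CRYPT_ERRORS = {
    0x80092004: "CRYPT_E_NOT_FOUND: cert property (private key) or chain not found",
    0x800B0109: "CERT_E_UNTRUSTEDROOT: chain ends in an untrusted root",
}

# Responder main-mode states. IKE_R_MM4 means MM4 went out and the responder is
# waiting for MM5, the initiator's ID/CERT/SIG; nobody is authenticated yet.
RESPONDER_STATES = {
    "IKE_R_MM1": "received MM1 (SA proposal)",
    "IKE_R_MM2": "sent MM2 (proposal accepted)",
    "IKE_R_MM3": "received MM3 (KE, nonce)",
    "IKE_R_MM4": "sent MM4 (KE, nonce); waiting for MM5 (ID/CERT/SIG)",
}

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
RETRANS_RE = re.compile(r"retransmitting phase 1 (\w+)")
HRESULT_RE = re.compile(r"(?:failed with|failed to get chain) ([0-9a-fA-F]{8})\b")
THUMB_RE = re.compile(r"Cert SHA Thumbprint ([0-9a-fA-F]{40})")


def router_phase1_status(debug_lines):
    """Last ISAKMP state the router reached and how often it retransmitted."""
    states = [m.group(2) for m in map(STATE_RE.search, debug_lines) if m]
    retransmits = sum(1 for line in debug_lines if RETRANS_RE.search(line))
    last_state = states[-1] if states else None
    return {"last_state": last_state, "retransmits": retransmits,
            "meaning": RESPONDER_STATES.get(last_state, "unknown state")}


def client_cert_failure(oakley_lines):
    """First CryptoAPI HRESULT in the Oakley log and the cert being inspected."""
    thumbs = [m.group(1) for m in map(THUMB_RE.search, oakley_lines) if m]
    codes = [int(m.group(1), 16) for m in map(HRESULT_RE.search, oakley_lines) if m]
    hresult = codes[0] if codes else None
    return {"hresult": hresult, "thumbprint": thumbs[0] if thumbs else None,
            "meaning": CRYPT_ERRORS.get(hresult, "no CryptoAPI error logged")}


def diagnose(debug_lines, oakley_lines):
    """Combine both views into one finding about where phase 1 stopped."""
    r, c = router_phase1_status(debug_lines), client_cert_failure(oakley_lines)
    if r["last_state"] == "IKE_R_MM4" and c["hresult"] == 0x80092004:
        return ("phase 1 stalled before authentication: responder sent MM4 and "
                "never got MM5; initiator has no usable private key for cert "
                f"{c['thumbprint']} ({c['meaning']})")
    return f"router: {r['last_state']} ({r['meaning']}); client: {c['meaning']}"


CISCO_DEBUG = """\
000001: May 10 10:28:24.257 PCTime: ISAKMP (0:2): Old State = IKE_READY New State = IKE_R_MM1
000002: May 10 10:28:24.517 PCTime: ISAKMP (0:2): Old State = IKE_R_MM1 New State = IKE_R_MM2
000003: May 10 10:28:24.585 PCTime: ISAKMP (0:2): Old State = IKE_R_MM2 New State = IKE_R_MM3
000004: May 10 10:28:24.873 PCTime: ISAKMP (0:2): Old State = IKE_R_MM3 New State = IKE_R_MM4
000005: May 10 10:28:34.873 PCTime: ISAKMP (0:2): retransmitting phase 1 MM_KEY_EXCH...
000006: May 10 10:28:44.873 PCTime: ISAKMP (0:2): retransmitting phase 1 MM_KEY_EXCH...
""".splitlines()
OAKLEY_LOG = """\
5-10: 10:27:04:734:1c70 Looking for IPSec only cert
5-10: 10:27:04:734:1c70 Cert SHA Thumbprint 0123456789abcdef0123456789abcdef01234567
5-10: 10:27:04:734:1c70 Get Certificate Context Property failed with 80092004
5-10: 10:27:04:734:1c70 Failed to get key for cert
5-10: 10:27:04:734:1c70 failed to get chain 80092004
""".splitlines()
```

Run `diagnose(CISCO_DEBUG, OAKLEY_LOG)` on real captures by replacing the two constructed lists with the lines of the respective log files.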
