IKE Aggressive mode vulnerability
Hello All,
I am currently working on a project to remove security vulnerability present in the network due to IKE Aggressive mode. Below is my understanding:
1. In aggressive mode, initiator and responder IDs are sent in clear text, as against main mode and this is the vulnerability we are trying to remove.
2. For Site to Site VPNs we can disable the aggressive mode, but this is not possible to achieve in Client to Site VPNs till we are using PSKs.
I am seeking help on below points based upon my understanding:
1. Validation of my understanding
2. In case we go for certificate based authentication instead of using PSKs, can we disable the aggressive mode and remove the vulnerability. If yes, is it a mandate to have a local CA server installed or can we go for a publicly hosted CA server.
Please advice.
Hi Vikas,
Your understanding is correct. More info on this...
http://www.cisco.com/warp/public/707/cisco-sn-20030422-ike.html
If you go with certificate- yes you can mitigate the issue. Some firms go with practice of frequently changing & longer PSK.
Also, if you have second level authentication ex:RSA for successful authentication, this can be acceptable.
You can go with a local MS CA server-
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008073b12b.shtml
You can as well use a IOS router as CA server.
Hth
MS
Similar Messages
-
Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode
Hi, I have 10 site-to-site VPN's, they consist of Cisco 837's and 877's. I run a security scan (Qualys vulnerability scanning) against the public IP of the routers and half of them come back with the vulnerability below. They are all using the latest IOS and all connect to a Cisco Concentrator.
Here is the vulnerability, that means nothing to me, is it anything to worry about, all pre-shared keys are 8 characters or more and have letters, numbers, and symbols and capital letters:
Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode
THREAT:
IKE is used during Phase 1 and Phase 2 of establishing an IPSec connection. Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to communicate. Every participant in IKE must possess a key which may be either pre-shared (PSK) or a public key. There are inherent risks to configurations that use pre-shared keys which are exaggerated when Aggressive Mode is used.
IMPACT:
Using Aggressive Mode with pre-shared keys is the least secure option. In this particular scenario, it is possible for an attacker to gather all necessary information in order to mount an off-line dictionary (brute force) attack on the pre-shared keys. For more information about this type of attack, visit http://www.ima.umn.edu/~pliam/xauth/.
SOLUTION:
IKE Aggressive mode with pre-shared keys should be avoided where possible. Otherwise a strong pre-shared key should be chosen.
Note that this attack method has been known and discussed within the IETF IPSec Working Group. The risk was considered as acceptable. For more information on this, visit http://www.vpnc.org/ietf-ipsec/99.ipsec/thrd2.html#01451.The description of the vulnerability specifies IKE aggressive mode. So my first question would be whether you are using IKE in aggressive mode or in main mode? In my experience most router based site to site VPN use main mode (though aggressive mode is an option) while many Remote Access VPN use aggressive mode. So which mode are you using?
The second part of my response goes back to what I said in my earlier response. What kind of key are you using? How long is it and how strong is it? When you think about it any time we authenticate using shared keys there is some degree of vulnerability to brute force attack. The longer the key and the stronger the key the more you have mitigated the risk.
HTH
Rick -
Hi,
I have VPN 3005 with 4.7.2 OS (latest one to date). I am looking to disable Aggressive Mode processing (stick to Main Mode only) for Remove VPN clients. Please note, Remote VPN clients and NOT LAN-to-LAN connections.
So far I cannot see how this can be done.
TAC engineer is not coming up with good answers as well.
Anyhow has an idea?
Thanks!
DavidI don't think you can make Remote Access VPN on
the Concentrator work with Main mode, unless
you decide to use Certificate instead of
pre-shared key:
"The Cisco VPN client uses aggressive mode if preshared keys are used and uses main mode when public key infrastructure (PKI) is used during Phase 1 of the tunnel negotiations. After bringing up the Internet Security Association and Key Management Protocol Security Association (ISAKMP SA) for secure communication, the Cisco VPN 3000 concentrator prompts the user to specify the user credentials. In this phase, also known as X-Auth or extended authentication, the VPN 3000 concentrator validates the user against the configured authentication database. If the user authentication is successful, the Cisco concentrator sends a successful authentication message back to the client. After X-Auth, the Cisco VPN client requests configuration parameters such as the assigned IP address, the Domain Name System (DNS) server's IP address, and the Windows Internet Naming Service (WINS) server's IP address. During this phase, known as mode-config, the VPN 3000 concentrator sends the configured parameters back to the client. The final step for a successful VPN tunnel is the negotiation of Phase 2 parameters" -
We used to use IPSEC VPN, but now use Anyconnect SSL VPN. We have a third party scan our firewall externally, and they are recommending that we disable Aggressive Mode IKE. Is this only used for IPSec VPN's? Is it safe to remove this from our configuration on our ASA 5505?
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Thank You.Hi Bill,
The aggresive mode (3 pkt exchange) is only used for the IPsec remote access. The site to site VPN uses main mode (6 pkt exchange). If you do not have any site to site VPN you can disable these commands however if you do have site to site VPN then removing these will break them.
There is nothing called aggressive mode in Anyconnect. Anyconnect uses a totally different protocol called SSL (TCP/UDP port 443).
Hope this answers your question.
Thanks,
Vishnu Sharma -
Aggressive Mode and Encryption
Hi Everyone.
I read below
Aggressive mode does not give identity protection of the two IKE peers, unless digital certificates are used. This means VPN peers exchange their identities without encryption (clear text). It is not as secure as main mode.
Currently we have setup RA VPN without digital certs sp does it mean that pre shared keys which are exchanged between client and ASA are
clear text without any encryption.?
Regards
MAheshMahesh,
RFC answers those questions
start with
http://tools.ietf.org/html/rfc2409
Just to make a simple quote (a bit out of context, but here goes)
While the last roundtrip of Main Mode (and optionally the last
message of Aggressive Mode) is encrypted it is not, strictly
speaking, authenticated.
To encrypt you need to agree on a key. have a look at aggresive mode exchange :-)
M. -
Aggressive mode PSK hash attack
Hello All,
I am wondering if Aggressive Mode PSK hash attack can be applied to Main Mode negotiation while using wildacrd crypto IKE like:
crypto isakmp key xxxxx address 0.0.0.0 0.0.0.0?
I know that using ike-scan tool there is a possibility of obtaining hashed PSK from remote peer while using aggressive mode for IKE, so wondering if the same applies for wildcard PSK, but using Main Mode.
Thanks!To exchange Identities (i.e. perform authnetication) you would need to have already SKEYID calculated, which requires PSK, and DH exchange.
Thus you cannot properly protect MM5 or MM6, if you had wrong PSK. Those are the only moments AFAIR where PSK is being used in exchange.
The weakness of using one wildcard PSK is that once it's compromised entire domain is at risk.
I don't see any practical means of getting PSK from MM exchange. -
How to verify ISAKMP Aggressive mode using show command only?
How to verify ISAKMP Aggressive mode using show command only?
Ah OK, my mistake. I was thinking ASA - I believe you are using an IOS-based VPN.
The state after establishment should be "QM Idle" (quick mode) - whether the Phase 1 was MM or AM.
I think you'll only see the AM in the debugs (like you have) or if you watch the output of the "show cry isa sa" command during establishment of the Phase 1 SA. If you're quick, you may see it cycle through as shown in this reference:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s3.html#wp5743341910 -
Phase I Main Mode Vs. Aggressive Mode
Hi,
I have a quick question; if I have site-to-site VPN and one side is configured for Phase I Main Mode and the other is configured for Aggressive mode, will the VPN work?
Regards,
HaithamHi Haitham
AFAIK no it should not work because aggresive mode uses just 3 packets in the exchange and main mode uses 6 packets so the information contained in the exchanges between the two peers would not match.
HTH
Jon -
We wanted to know if there is a way to disable âAggressive modeâ on the VPN concentrator.
For example, on the ASA, we can do it using the command âisakmp am-disableâ
On a router we can do it using the command âcrypto isakmp aggressive-mode disableâ.
Is there a similar command on the VPN concentrator ?
Your help is appriciated.Fadi,
Are you using Pre-Shared Keys or Certificates for Authentication. Please refer the below link for information on VPN Client AM and MM.
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_data_sheet090
0aecd801a9de9.html
Aggressive Mode is the default and the only mode available for Pre-shared key and Main Mode is only available for the Cert authentication.
So, it is my understanding that it is not possible for VPN clients to use main mode to authenticate to the VPN3000 with pre-shared keys.
Regards,
Arul
*Pls rate if it helps* -
I have a 5510 ASA with one site to site vpn and about 200 users on vpn client. I was curious if I remove Aggressive Mode or disable it. How will that effect the site to site and vpn clients? Will there be an outage by disabling? To my understanding the only thing i need to do on the firewall is add the crypto isakmp am-disable command. Do I need to reconfigure anything else or just disable aggressive mode? How will the change affect the end-users or network? Do I need to edit the PCF file on the client?
ASA Software
Device Manager Version 6.2(5) Cisco Adaptive Security Appliance Software Version 8.0(5)
VPN Client
5.0.0.7.0290You can disable the Aggressive mode for L2L tunnel however if you disable aggresive mode in Dynamic map as well then all VPN clients will fails since remote user can connect only in Aggressive mode only unless client is using Certificate based authentication. This is as per design.
Hope this helps.
Regards,
Anuj -
Hi
I have a client that i set up an IPSec VPN for remote access, but it seems their IPS is blocking me. The reason they gave was the IPS doesn't like the IKE agressive mode that we're using, and instead of opening a potential security risk, they've requested i switch to Main Mode. After looking around on google results, i havent found much of anything config wise for Main Mode except the command isakmp am-disable, which ends up killing the IPSec VPN.
The ASA is running 8.4.5
Any help is appreciated.
-SteveI ended up dropping the IP Sec remote access VPN in favor of an SSL VPN.
-
Recommendation of UDLD aggressive mode on the Basic VSS.
Hello
I would like to confirm the following informatino below.
http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/Borderless_Campus_Network_1.0/Borderless_Campus_1.0_Design_Guide.pdf
(omit)
It is recommended to avoid implementing UDLD in aggressive mode as well as fast UDLD on the Cisco
Catalyst switches deployed with redundant supervisor modules.
According to this information, I think the UDLD mode above is not reconmeded the redundant SUP in one chassis.
However how about using Basic-VSS (not Quad-VSS) ? Is it also recomended to avoid UDLD aggressive mode and Fast UDLD?
Best Regards,
Masanobu HiyoshiVPN clients ONLY use aggressive mode. That's
just the way it is. If you want to use Main
Mode in remote access clients, use other
vendors besides Cisco -
Hi Cisco Experts,
Good day! We preparing to implement the Qualy Vulnerability Scanner to our VoIP network. However, we need to verify what Cisco UC devices are supported. The currently UC devices installed on our VoIP network are Cisco IP phones, Routers (2821/2811/2921) and Cisco Unified Communication Manager (CUCM).
Thank you.
Best regards,
RJThe description of the vulnerability specifies IKE aggressive mode. So my first question would be whether you are using IKE in aggressive mode or in main mode? In my experience most router based site to site VPN use main mode (though aggressive mode is an option) while many Remote Access VPN use aggressive mode. So which mode are you using?
The second part of my response goes back to what I said in my earlier response. What kind of key are you using? How long is it and how strong is it? When you think about it any time we authenticate using shared keys there is some degree of vulnerability to brute force attack. The longer the key and the stronger the key the more you have mitigated the risk.
HTH
Rick -
Pre shared keys used in IKE Phase 1
Hi Everyone,
Need to confirm if we can use the Pre shared keys in Aggressive mode and also in Main mode during IKE Phase1
Regards
MAheshThe pre-shared key is used in both modes of IKE Phase I. With pre-shared keys, the same pre-shared key is configured on each IPSec peer. IKE peers authenticate each other by computing and sending a keyed hash of data that includes the pre-shared key.
-
881 VPN fails after 24hrs/IKE key lifetime
Hi all,
This is my first post on the support forms and I only just got my CCNA, so please bear with me and don't shoot me if I pose a slightly newbish perspective on things. Thanks in advance.
We've got a central office (actually quite small) where several IPSec connections connect to. Two of these connections are Cisco 881 routers. One of them works fine, the other craps out after 24 hours (coincidentally also the IKE key lifetime). When I mean "craps out", it means the VPN worked fine from the get go, until 24 hours later. Only a reload will bring back the VPN tunnel. I've verified my PFS and DPD configurations are solid, because these kind of symptoms would most likely occur when these configurations aren't in order.
The two 881 configurations are quite similar. The only differences between the two are some details in the PPPoE configurations and (quite obviously) the IP address space for the two sites. Both operate on the premise of a point to point connection (no multipoint stuff going on here).
I have examined all I can. It took me two weeks to make sure I exhausted all my options before I post my issue here.
Here is a brief list of things I've done.
- Checked configuration of central router (which is a Mikrotik RB800 btw)
- Verified that the central router is not the cause of the VPN not coming back. Rebooted it as a last resort; VPN stays down. Rebooted 881, VPN comes back.
- I've downgraded the 881 firmware image from version 152.4.M2 to 151.4.M4 (the succesful 881 was running the 151.4.M4 image, and I found some Ipsec issues in the caveat for version 152.4.M2), but to no avail.
- I've tried to clear several crypto components hoping to restore key exchanging, also to no avail. Only a reload will suffice.
I've included the 881's config:
Building configuration...Current configuration : 7795 bytes
! Last configuration change at 15:37:50 Paris Tue May 28 2013 by admin
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname <<removed>>
boot-start-marker
boot system flash c880data-universalk9-mz.151-4.M4.bin
boot-end-marker
logging buffered 102400
enable secret 4 <<removed>>
no aaa new-model
memory-size iomem 10
clock timezone Paris 1 0
clock summer-time Paris date Mar 30 2003 2:00 Oct 26 2003 3:00
crypto pki token default removal timeout 0
!no ip source-route
ip dhcp excluded-address 192.168.4.1 192.168.4.9
ip dhcp excluded-address 192.168.4.199 192.168.4.254
ip dhcp pool Main
network 192.168.4.0 255.255.255.0
dns-server 192.168.4.250 8.8.4.4
default-router 192.168.4.250
lease infinite
ip cef
ip domain lookup source-interface Dialer1
ip domain name <<removed>>
ip name-server 8.8.4.4
ip name-server 192.168.58.199
no ipv6 cef
password encryption aes!
object-group network SUBNET_DUITSLAND
description Hele subnet IC Duitsland
192.168.4.0 255.255.255.0
object-group network SUBNET_IC_ARNHEM
description Hele subnet IC Arnhem
192.168.58.0 255.255.255.0
object-group network WAN_IC_ARNHEM
description Het WAN IP adres van IC Arnhem
host <<removed>>
vtp mode transparent
username <<removed>> privilege 15 view root secret 4 <<removed>>
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 102
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 105
class-map type inspect match-all ccp-cls--1
match access-group name Outgoing
class-map type inspect match-all ccp-cls--2
match access-group name Incoming
policy-map type inspect ccp-policy-ccp-cls--1
class type inspect ccp-cls--1
pass
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--2
class type inspect ccp-cls--2
pass
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class class-default
drop
zone security Inside
zone security Outside
zone-pair security sdm-zp-Inside-Outside source Inside destination Outside
service-policy type inspect ccp-policy-ccp-cls--1
zone-pair security sdm-zp-Outside-Inside source Outside destination Inside
service-policy type inspect ccp-policy-ccp-cls--2
crypto logging ezvpn
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key <<removed>> address <<removed>>
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set ESP-AES256-SHA esp-aes esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to CO
set peer <<removed>>
set transform-set ESP-AES256-SHA
set pfs group5
match address 104
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
description DeutscheTelekom$ETH-WAN$
no ip address
duplex auto
speed auto
pppoe-client dial-pool-number 1
interface Vlan1
description $FW_INSIDE$
ip address 192.168.4.250 255.255.255.0
ip mask-reply
ip nat inside
ip virtual-reassembly in
zone-member security Inside
ip tcp adjust-mss 1412
interface Dialer1
description $FW_OUTSIDE$
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly in
zone-member security Outside
encapsulation ppp
no ip route-cache
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp chap hostname <<removed>>
ppp chap password 7 <<removed>>
ppp pap sent-username <<removed>> password 7 <<removed>>
ppp ipcp dns request
ppp ipcp address accept
crypto map SDM_CMAP_1
ip forward-protocol nd
no ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
ip access-list extended Incoming
remark CCP_ACL Category=128
permit ip any object-group SUBNET_DUITSLAND
ip access-list extended Outgoing
remark CCP_ACL Category=128
permit ip object-group SUBNET_DUITSLAND any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
no logging trap
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 2 permit <<removed>>
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.4.0 0.0.0.255
access-list 2 permit 192.168.58.0 0.0.0.255
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 permit ip host <<removed>> any
access-list 101 permit ip 192.168.58.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip 192.168.58.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 103 remark CCP_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.4.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 103 permit ip 192.168.4.0 0.0.0.255 any
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.4.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip 192.168.58.0 0.0.0.255 192.168.4.0 0.0.0.255
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
match ip address 103
line con 0
line aux 0
line vty 0 4
access-class 101 in
privilege level 15
password 7 <<removed>>
login local
transport input ssh
ntp update-calendar
ntp server de.pool.ntp.org prefer
end
Also, I have some ISAKMP debug output (when the VPN fails, I can still reach the router via the internet):
.May 29 08:31:22.848: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:31:28.848: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:31:30.016: ISAKMP: set new node 0 to QM_IDLE
.May 29 08:31:30.016: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local <<remote office WAN IP>>, remote <<central office WAN IP>>)
.May 29 08:31:30.016: ISAKMP: Error while processing SA request: Failed to initialize SA
.May 29 08:31:30.016: ISAKMP: Error while processing KMI message 0, error 2.
.May 29 08:31:30.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:31:30.016: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
.May 29 08:31:30.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:31:30.016: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:31:30.016: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:31:34.848: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:31:40.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:31:40.016: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
.May 29 08:31:40.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:31:40.016: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:31:40.016: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:31:40.844: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:31:46.380: ISAKMP:(0):purging node 297623767
.May 29 08:31:46.380: ISAKMP:(0):purging node -1266458641
.May 29 08:31:46.452: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:31:49.848: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<<remote office WAN IP>>, prot=50, spi=0xCF8BD5F3(3482047987), srcaddr=<<central office WAN IP>>, input interface=Dialer1
.May 29 08:31:50.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:31:50.016: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
.May 29 08:31:50.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:31:50.016: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:31:50.016: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:31:52.845: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:31:56.381: ISAKMP:(0):purging SA., sa=874CF15C, delme=874CF15C
.May 29 08:31:58.849: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:00.017: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:32:00.017: ISAKMP:(0):peer does not do paranoid keepalives..May 29 08:32:00.017: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
.May 29 08:32:00.017: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
.May 29 08:32:00.017: ISAKMP: Unlocking peer struct 0x874792E0 for isadb_mark_sa_deleted(), count 0
.May 29 08:32:00.017: ISAKMP: Deleting peer node by peer_reap for <<central office WAN IP>>: 874792E0
.May 29 08:32:00.017: ISAKMP:(0):deleting node -118750948 error FALSE reason "IKE deleted"
.May 29 08:32:00.017: ISAKMP:(0):deleting node -1193365643 error FALSE reason "IKE deleted"
.May 29 08:32:00.017: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
.May 29 08:32:00.017: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA.May 29 08:32:02.037: ISAKMP:(0): SA request profile is (NULL)
.May 29 08:32:02.037: ISAKMP: Created a peer struct for <<central office WAN IP>>, peer port 500
.May 29 08:32:02.037: ISAKMP: New peer created peer = 0x875BF6B8 peer_handle = 0x8000000A
.May 29 08:32:02.037: ISAKMP: Locking peer struct 0x875BF6B8, refcount 1 for isakmp_initiator
.May 29 08:32:02.037: ISAKMP: local port 500, remote port 500
.May 29 08:32:02.037: ISAKMP: set new node 0 to QM_IDLE
.May 29 08:32:02.037: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 85C6B420
.May 29 08:32:02.037: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
.May 29 08:32:02.037: ISAKMP:(0):found peer pre-shared key matching <<central office WAN IP>>
.May 29 08:32:02.037: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
.May 29 08:32:02.041: ISAKMP:(0): constructed NAT-T vendor-07 ID
.May 29 08:32:02.041: ISAKMP:(0): constructed NAT-T vendor-03 ID
.May 29 08:32:02.041: ISAKMP:(0): constructed NAT-T vendor-02 ID
.May 29 08:32:02.041: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
.May 29 08:32:02.041: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1.May 29 08:32:02.041: ISAKMP:(0): beginning Main Mode exchange
.May 29 08:32:02.041: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:32:02.041: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:32:04.849: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:10.845: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:12.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:32:12.041: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
.May 29 08:32:12.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:32:12.041: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:32:12.041: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:32:16.845: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:22.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:32:22.041: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
.May 29 08:32:22.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:32:22.041: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:32:22.041: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:32:22.449: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:28.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:32.038: ISAKMP: set new node 0 to QM_IDLE
.May 29 08:32:32.038: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local <<remote office WAN IP>>, remote <<central office WAN IP>>)
.May 29 08:32:32.038: ISAKMP: Error while processing SA request: Failed to initialize SA
.May 29 08:32:32.038: ISAKMP: Error while processing KMI message 0, error 2.
.May 29 08:32:32.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:32:32.042: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
.May 29 08:32:32.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:32:32.042: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:32:32.042: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:32:34.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:40.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:42.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:32:42.042: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
.May 29 08:32:42.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:32:42.042: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:32:42.042: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:32:46.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:50.018: ISAKMP:(0):purging node -118750948
.May 29 08:32:50.018: ISAKMP:(0):purging node -1193365643
.May 29 08:32:51.346: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<<remote office WAN IP>>, prot=50, spi=0xCF8BD5F3(3482047987), srcaddr=<<central office WAN IP>>, input interface=Dialer1
.May 29 08:32:52.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:32:52.042: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
.May 29 08:32:52.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:32:52.042: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:32:52.042: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:32:52.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:58.847: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:33:00.019: ISAKMP:(0):purging SA., sa=875BE8B8, delme=875BE8B8
.May 29 08:33:02.043: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:33:02.043: ISAKMP:(0):peer does not do paranoid keepalives..May 29 08:33:02.043: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
.May 29 08:33:02.043: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
.May 29 08:33:02.043: ISAKMP: Unlocking peer struct 0x875BF6B8 for isadb_mark_sa_deleted(), count 0
.May 29 08:33:02.043: ISAKMP: Deleting peer node by peer_reap for <<central office WAN IP>>: 875BF6B8
.May 29 08:33:02.043: ISAKMP:(0):deleting node 1839947115 error FALSE reason "IKE deleted"
.May 29 08:33:02.043: ISAKMP:(0):deleting node -1221586275 error FALSE reason "IKE deleted"
.May 29 08:33:02.043: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
.May 29 08:33:02.043: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA.May 29 08:33:02.455: ISAKMP:(0): SA request profile is (NULL)
.May 29 08:33:02.455: ISAKMP: Created a peer struct for <<central office WAN IP>>, peer port 500
.May 29 08:33:02.455: ISAKMP: New peer created peer = 0x874792E0 peer_handle = 0x8000000B
.May 29 08:33:02.455: ISAKMP: Locking peer struct 0x874792E0, refcount 1 for isakmp_initiator
.May 29 08:33:02.455: ISAKMP: local port 500, remote port 500
.May 29 08:33:02.455: ISAKMP: set new node 0 to QM_IDLE
.May 29 08:33:02.455: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 87060E68
.May 29 08:33:02.455: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
.May 29 08:33:02.455: ISAKMP:(0):found peer pre-shared key matching <<central office WAN IP>>
.May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
.May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-07 ID
.May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-03 ID
.May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-02 ID
.May 29 08:33:02.455: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
.May 29 08:33:02.455: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1.May 29 08:33:02.455: ISAKMP:(0): beginning Main Mode exchange
.May 29 08:33:02.455: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:33:02.455: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:33:04.847: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>ndebug crypto isakmp
.May 29 08:33:10.847: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>o debug crypto isakmp
Crypto ISAKMP debugging is off
IC-Deutschland#
.May 29 08:33:12.455: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:33:12.455: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
.May 29 08:33:12.455: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:33:12.455: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:33:12.455: ISAKMP:(0):Sending an IKE IPv4 Packet.
Can anyone shed some light as what could be going on?
Much obliged!Unfortunately I do not have a support contract for our hardware. I wouldn't even know how to get one.
However, we do pay top dollar for the equipment and it seems one it's components doesn't work as advertised. So if no support is given I will have to try warrenty instead. This does mean I have to replace the unit with a competitor brand which isn't something I'm keen to do because I want to use Cisco as our main brand. This issue effectively nukes my entire plan.
Given our work load, CPU power isn't an issue. The encryption level is set to this level because I'm paranoid. Which I reckon is a good thing when it comes to network security (correct me if I'm wrong). Do you suspect these settings could be of any influence in this particular case?
If I remember correctly I used the "debug crypto isakmp" or "debug crypto isakmp errors" and "debug crypto ipsec" (also perhaps with the "error" suffix), I'm not sure.
Maybe you are looking for
-
When I try to send email from my iPad and iPhone it says that I have the wrong username and/or password, but I know they are correct. Can someone help me?
-
Returning old smartphone for Samsung 6
I recently took advantage of the exchanging my old smartphone for the Samsung 6. I'm just realizing now that I did not get any paperwork as to what to send along with the old phone and battery. I have the packaging, the pre-paid postage label but I
-
HP 2055d with windows 8.1
My HP printer 2055d works on windows 8.1 (64 bit) successfully, but it cannot print on the both sides. How can I solve this? In addition to that, I need the software that reveals the percentage of available ink in the cartridge. I have used HP suppor
-
How can I stop the screen movin so I can scroll through document?
I frequently access webpages that I need to scroll through. The page just rolls and doesn't allow me to scroll. Is there a way round this?
-
Library lost: recovery possible?
I recently found out that my entire itunes music library had been deleted somehow, nowhere to be found. Is it perhaps possible to "recover" my library back to the computer from my ipod, or will I have to purchase off itunes/burn all my music again? T