1. Phase I parameter (encryption, hash or group) mismatch
The lifetime doesn't have to match between the ASAs.
Initiator:
Buffer log:
Jan 20 2020 15:38:40: %ASA-4-713903: IP = 10.0.0.2, Information Exchange processing failed
Jan 20 2020 15:38:48: %ASA-4-713903: IP = 10.0.0.2, Information Exchange processing failed
Jan 20 2020 15:39:12: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel. Map Tag = MAP. Map Sequence Number = 10.
Jan 20 2020 15:39:12: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= MAP. Map Sequence Number = 10.
Debug:
ASAv1# Dec 23 17:25:59 [IKEv1 DEBUG]Pitcher: received a key
acquire message, spi 0x0
Dec 23 17:25:59 [IKEv1]IP = 10.0.0.2, IKE Initiator: New
Phase 1, Intf inside, IKE Peer 10.0.0.2
local Proxy Address 192.168.1.0, remote Proxy Address 192.168.2.0, Crypto map (MAP)
Dec 23 17:25:59 [IKEv1 DEBUG]IP = 10.0.0.2, constructing
ISAKMP SA payload
Dec 23 17:25:59 [IKEv1 DEBUG]IP = 10.0.0.2, constructing
NAT-Traversal VID ver 02 payload
Dec 23 17:25:59 [IKEv1 DEBUG]IP = 10.0.0.2, constructing
NAT-Traversal VID ver 03 payload
Dec 23 17:25:59 [IKEv1 DEBUG]IP = 10.0.0.2, constructing
NAT-Traversal VID ver RFC payload
Dec 23 17:25:59 [IKEv1 DEBUG]IP = 10.0.0.2, constructing
Fragmentation VID + extended capabilities payload
Dec 23 17:25:59 [IKEv1]IP = 10.0.0.2, IKE_DECODE SENDING
Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) +
VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Dec 23 17:25:59 [IKEv1]IKE Receiver: Packet received on
10.0.0.1:500 from 10.0.0.2:500
Dec 23 17:25:59 [IKEv1]IP = 10.0.0.2, IKE_DECODE RECEIVED
Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length :
96
Dec 23 17:25:59 [IKEv1]IP = 10.0.0.2, IKE_DECODE RECEIVED
Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length :
96
Dec 23 17:25:59 [IKEv1]IP = 10.0.0.2, Received an un-encrypted
NO_PROPOSAL_CHOSEN notify message, dropping
Dec 23 17:25:59 [IKEv1]IP = 10.0.0.2, Information Exchange
processing failed
ASAv1# sh crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 10.0.0.2
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
There are no IKEv2 SAs
ASAv1#
Responder:
Buffer log:
Jan 20 2020 15:38:40: %ASA-3-713048: IP = 10.0.0.1, Error processing payload: Payload ID: 1
Jan 20 2020 15:38:48: %ASA-3-713048: IP = 10.0.0.1, Error processing payload: Payload ID: 1
Debug:
ASAv2# Dec 23 17:25:59 [IKEv1]IKE Receiver: Packet received on 10.0.0.2:500 from 10.0.0.1:500
Dec 23 17:25:59 [IKEv1]IP = 10.0.0.1, IKE_DECODE RECEIVED
Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) +
VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Dec 23 17:25:59 [IKEv1 DEBUG]IP = 10.0.0.1, processing SA
payload
Dec 23 17:25:59 [IKEv1]IP = 10.0.0.1, IKE_DECODE SENDING
Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length :
96
Dec 23 17:25:59 [IKEv1 DEBUG]IP = 10.0.0.1, All SA proposals found
unacceptable
Dec 23 17:25:59 [IKEv1]IP = 10.0.0.1, Error processing
payload: Payload ID: 1
Dec 23 17:25:59 [IKEv1 DEBUG]IP = 10.0.0.1, IKE MM Responder
FSM error history (struct &0x00007f48d93d5820) , : MM_DONE, EV_ERROR-->MM_START,
EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START,
EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START,
EV_START_MM
Dec 23 17:25:59 [IKEv1 DEBUG]IP = 10.0.0.1, IKE SA
MM:ac9d3dca terminating: flags
0x01000002, refcnt 0, tuncnt 0
Dec 23 17:25:59 [IKEv1 DEBUG]IP = 10.0.0.1, sending
delete/delete with reason message
Responder doesn't show anything.
ASAv2# sh crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
ASAv2#
2. Pre-shared key mismatch
The pre-shared key is validated at packets 5 and 6.
Initiator:
Buffer Log:
Jan 20 2020 15:49:12: %ASA-4-713903: Group = 10.0.0.2, IP = 10.0.0.2, Error, peer has indicated that something is wrong with our message. This could indicate a pre-shared key mismatch.
Jan 20 2020 15:49:12: %ASA-4-713903: Group = 10.0.0.2, IP = 10.0.0.2, Information Exchange processing failed
Jan 20 2020 15:49:20: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel. Map Tag = MAP. Map Sequence Number = 10.
Jan 20 2020 15:49:20: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= MAP. Map Sequence Number = 10.
Debug:
ASAv1# Dec 23 17:43:22 [IKEv1 DEBUG]Pitcher: received a key
acquire message, spi 0x0
Dec 23 17:43:22 [IKEv1]IP = 10.0.0.2, IKE Initiator: New
Phase 1, Intf inside, IKE Peer 10.0.0.2
local Proxy Address 192.168.1.0, remote Proxy Address 192.168.2.0, Crypto map (MAP)
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, constructing
ISAKMP SA payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, constructing
NAT-Traversal VID ver 02 payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, constructing
NAT-Traversal VID ver 03 payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, constructing
NAT-Traversal VID ver RFC payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, constructing
Fragmentation VID + extended capabilities payload
Dec 23 17:43:22 [IKEv1]IP = 10.0.0.2, IKE_DECODE SENDING
Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) +
VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Dec 23 17:43:22 [IKEv1]IKE Receiver: Packet received on
10.0.0.1:500 from 10.0.0.2:500
Dec 23 17:43:22 [IKEv1]IP = 10.0.0.2, IKE_DECODE RECEIVED
Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) +
NONE (0) total length : 128
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, processing SA
payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, Oakley proposal
is acceptable
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, processing VID
payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, Received NAT-Traversal
RFC VID
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, processing VID
payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, Received
Fragmentation VID
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, IKE Peer
included IKE fragmentation capability flags: Main Mode: True
Aggressive Mode: True
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, constructing ke
payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, constructing
nonce payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, constructing
Cisco Unity VID payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, constructing
xauth V6 VID payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, Send IOS VID
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, Constructing ASA
spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, constructing VID
payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, Send
Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, constructing
NAT-Discovery payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, computing NAT
Discovery hash
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, constructing
NAT-Discovery payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, computing NAT
Discovery hash
Dec 23 17:43:22 [IKEv1]IP = 10.0.0.2, IKE_DECODE SENDING
Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) +
VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0)
total length : 304
Dec 23 17:43:22 [IKEv1]IKE Receiver: Packet received on
10.0.0.1:500 from 10.0.0.2:500
Dec 23 17:43:22 [IKEv1]IP = 10.0.0.2, IKE_DECODE RECEIVED
Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) +
VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0)
total length : 304
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, processing ke
payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, processing
ISA_KE payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, processing nonce
payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, processing VID
payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, Received Cisco
Unity client VID
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, processing VID
payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, Received xauth
V6 VID
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, processing VID
payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, Processing
VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities:
20000001)
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, processing VID
payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, Received
Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, processing
NAT-Discovery payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, computing NAT
Discovery hash
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, processing
NAT-Discovery payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, computing NAT
Discovery hash
Dec 23 17:43:22 [IKEv1]IP = 10.0.0.2, Connection landed on
tunnel_group 10.0.0.2
Dec 23 17:43:22 [IKEv1 DEBUG]Group = 10.0.0.2, IP =
10.0.0.2, Generating keys for Initiator...
Dec 23 17:43:22 [IKEv1 DEBUG]Group = 10.0.0.2, IP =
10.0.0.2, constructing ID payload
Dec 23 17:43:22 [IKEv1 DEBUG]Group = 10.0.0.2, IP =
10.0.0.2, constructing hash payload
Dec 23 17:43:22 [IKEv1 DEBUG]Group = 10.0.0.2, IP =
10.0.0.2, Computing hash for ISAKMP
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, Constructing IOS
keep alive payload: proposal=32767/32767 sec.
Dec 23 17:43:22 [IKEv1 DEBUG]Group = 10.0.0.2, IP =
10.0.0.2, constructing dpd vid payload
Dec 23 17:43:22 [IKEv1]IP = 10.0.0.2, IKE_DECODE SENDING
Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128)
+ VENDOR (13) + NONE (0) total length : 96
Dec 23 17:43:22 [IKEv1]Group = 10.0.0.2, IP = 10.0.0.2,
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end is NOT behind a NAT
device
Dec 23 17:43:22 [IKEv1]IKE Receiver: Packet received on
10.0.0.1:500 from 10.0.0.2:500
Dec 23 17:43:22 [IKEv1]IP = 10.0.0.2, IKE_DECODE RECEIVED
Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length :
40
Dec 23 17:43:22 [IKEv1]IP = 10.0.0.2, IKE_DECODE RECEIVED
Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length :
40
Dec 23 17:43:22 [IKEv1]Group = 10.0.0.2, IP = 10.0.0.2, Received an un-encrypted
PAYLOAD_MALFORMED notify message, dropping
Dec 23 17:43:22 [IKEv1]Group = 10.0.0.2, IP = 10.0.0.2,
Error, peer has indicated that something is wrong with our message. This could indicate a pre-shared key
mismatch.
Dec 23 17:43:22 [IKEv1]Group = 10.0.0.2, IP = 10.0.0.2,
Information Exchange processing failed
Dec 23 17:43:30 [IKEv1]IKE Receiver: Packet received on
10.0.0.1:500 from 10.0.0.2:500
Dec 23 17:43:30 [IKEv1]Group = 10.0.0.2, IP = 10.0.0.2,
Duplicate Phase 1 packet detected.
Retransmitting last packet.
Dec 23 17:43:30 [IKEv1]Group = 10.0.0.2, IP = 10.0.0.2, P1
Retransmit msg dispatched to MM FSM
Dec 23 17:43:30 [IKEv1]IKE Receiver: Packet received on
10.0.0.1:500 from 10.0.0.2:500
Dec 23 17:43:30 [IKEv1]Group = 10.0.0.2, IP = 10.0.0.2,
Duplicate Phase 1 packet detected.
Retransmitting last packet.
Dec 23 17:43:30 [IKEv1]Group = 10.0.0.2, IP = 10.0.0.2, P1
Retransmit msg dispatched to MM FSM
Dec 23 17:43:30 [IKEv1]IKE Receiver: Packet received on
10.0.0.1:500 from 10.0.0.2:500
Dec 23 17:43:30 [IKEv1]Group = 10.0.0.2, IP = 10.0.0.2,
Duplicate Phase 1 packet detected.
Retransmitting last packet.
Dec 23 17:43:30 [IKEv1]Group = 10.0.0.2, IP = 10.0.0.2, P1
Retransmit msg dispatched to MM FSM
Dec 23 17:43:30 [IKEv1 DEBUG]Group = 10.0.0.2, IP =
10.0.0.2, IKE MM Initiator FSM error history (struct
&0x00007f6f994ab5e0) ,
: MM_DONE, EV_ERROR-->MM_WAIT_MSG6,
EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_RESEND_MSG-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5,
EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5,
EV_RESEND_MSG-->MM_WAIT_MSG6, EV_RESEND_MSG
Dec 23 17:43:30 [IKEv1 DEBUG]Group = 10.0.0.2, IP =
10.0.0.2, IKE SA MM:eb258b2c terminating:
flags 0x0100c022, refcnt 0, tuncnt 0
Dec 23 17:43:30 [IKEv1 DEBUG]Group = 10.0.0.2, IP =
10.0.0.2, sending delete/delete with reason message
Dec 23 17:43:30 [IKEv1 DEBUG]Group = 10.0.0.2, IP =
10.0.0.2, constructing blank hash payload
Dec 23 17:43:30 [IKEv1 DEBUG]Group = 10.0.0.2, IP =
10.0.0.2, constructing IKE delete payload
Dec 23 17:43:30 [IKEv1 DEBUG]Group = 10.0.0.2, IP =
10.0.0.2, constructing qm hash payload
Dec 23 17:43:30 [IKEv1]IP = 10.0.0.2, IKE_DECODE SENDING
Message (msgid=6373ab0c) with payloads : HDR + HASH (8) + DELETE (12) + NONE
(0) total length : 80
Dec 23 17:43:38 [IKEv1]IKE Receiver: Packet received on
10.0.0.1:500 from 10.0.0.2:500
Dec 23 17:43:38 [IKEv1]IP = 10.0.0.2, Received encrypted
packet with no matching SA, dropping
ASAv1# sh crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 10.0.0.2
Type : L2L Role : initiator
Rekey : no State : MM_WAIT_MSG6
There are no IKEv2 SAs
Responder:
Buffer log:
Jan 20 2020 15:49:12: %ASA-4-713903: Group = 10.0.0.1, IP = 10.0.0.1, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
Jan 20 2020 15:49:12: %ASA-4-713903: Group = 10.0.0.1, IP = 10.0.0.1, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
Debug:
ASAv2# Dec 23 17:43:23 [IKEv1]IKE Receiver: Packet received
on 10.0.0.2:500 from 10.0.0.1:500
Dec 23 17:43:23 [IKEv1]IP = 10.0.0.1, IKE_DECODE RECEIVED
Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) +
VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing SA
payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, Oakley proposal
is acceptable
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing VID
payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, Received
NAT-Traversal ver 02 VID
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing VID
payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, Received
NAT-Traversal ver 03 VID
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing VID
payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, Received
NAT-Traversal RFC VID
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing VID
payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, Received
Fragmentation VID
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, IKE Peer
included IKE fragmentation capability flags:
Main Mode: True Aggressive Mode: True
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing IKE
SA payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, IKE SA Proposal
# 1, Transform # 1 acceptable Matches
global IKE entry # 2
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, constructing
ISAKMP SA payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, constructing
NAT-Traversal VID ver RFC payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, constructing
Fragmentation VID + extended capabilities payload
Dec 23 17:43:23 [IKEv1]IP = 10.0.0.1, IKE_DECODE SENDING
Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) +
NONE (0) total length : 128
Dec 23 17:43:23 [IKEv1]IKE Receiver: Packet received on
10.0.0.2:500 from 10.0.0.1:500
Dec 23 17:43:23 [IKEv1]IP = 10.0.0.1, IKE_DECODE RECEIVED
Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) +
VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0)
total length : 304
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing ke
payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing
ISA_KE payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing nonce
payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing VID
payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, Received Cisco
Unity client VID
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing VID payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, Received xauth
V6 VID
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing VID
payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, Processing
VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities:
20000001)
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing VID
payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, Received
Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing
NAT-Discovery payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, computing NAT
Discovery hash
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing
NAT-Discovery payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, computing NAT
Discovery hash
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, constructing ke
payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, constructing
nonce payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, constructing
Cisco Unity VID payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, constructing
xauth V6 VID payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, Send IOS VID
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, Constructing ASA
spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, constructing VID
payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, Send
Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, constructing
NAT-Discovery payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, computing NAT
Discovery hash
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, constructing
NAT-Discovery payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, computing NAT
Discovery hash
Dec 23 17:43:23 [IKEv1]IP = 10.0.0.1, Connection landed on
tunnel_group 10.0.0.1
Dec 23 17:43:23 [IKEv1 DEBUG]Group = 10.0.0.1, IP =
10.0.0.1, Generating keys for Responder...
Dec 23 17:43:23 [IKEv1]IP = 10.0.0.1, IKE_DECODE SENDING
Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) +
VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0)
total length : 304
Dec 23 17:43:23 [IKEv1]IKE Receiver: Packet received on 10.0.0.2:500
from 10.0.0.1:500
Dec 23 17:43:23 [IKEv1]Group = 10.0.0.1, IP = 10.0.0.1, Received encrypted Oakley Main
Mode packet with invalid payloads, MessID = 0
Dec 23 17:43:23 [IKEv1]IP = 10.0.0.1, IKE_DECODE SENDING
Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length :
40
Dec 23 17:43:23 [IKEv1]Group = 10.0.0.1, IP = 10.0.0.1, ERROR, had problems decrypting
packet, probably due to mismatched pre-shared key. Aborting
Dec 23 17:43:31 [IKEv1]IKE Receiver: Packet received on
10.0.0.2:500 from 10.0.0.1:500
Dec 23 17:43:31 [IKEv1]Group = 10.0.0.1, IP = 10.0.0.1,
Duplicate Phase 1 packet detected.
Retransmitting last packet.
Dec 23 17:43:31 [IKEv1]Group = 10.0.0.1, IP = 10.0.0.1, P1
Retransmit msg dispatched to MM FSM
Dec 23 17:43:31 [IKEv1]IKE Receiver: Packet received on
10.0.0.2:500 from 10.0.0.1:500
Dec 23 17:43:31 [IKEv1]Group = 10.0.0.1, IP = 10.0.0.1,
Duplicate Phase 1 packet detected.
Retransmitting last packet.
Dec 23 17:43:31 [IKEv1]Group = 10.0.0.1, IP = 10.0.0.1, P1
Retransmit msg dispatched to MM FSM
Dec 23 17:43:31 [IKEv1]IKE Receiver: Packet received on
10.0.0.2:500 from 10.0.0.1:500
Dec 23 17:43:31 [IKEv1]Group = 10.0.0.1, IP = 10.0.0.1,
Duplicate Phase 1 packet detected.
Retransmitting last packet.
Dec 23 17:43:31 [IKEv1]Group = 10.0.0.1, IP = 10.0.0.1, P1
Retransmit msg dispatched to MM FSM
Dec 23 17:43:31 [IKEv1]IKE Receiver: Packet received on
10.0.0.2:500 from 10.0.0.1:500
Dec 23 17:43:39 [IKEv1 DEBUG]Group = 10.0.0.1, IP =
10.0.0.1, IKE MM Responder FSM error history (struct
&0x00007f48d93d5820) ,
: MM_DONE,
EV_ERROR-->MM_WAIT_MSG5, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG5,
EV_TIMEOUT-->MM_WAIT_MSG5, NullEvent-->MM_SND_MSG4,
EV_CRYPTO_ACTIVE-->MM_SND_MSG4, EV_SND_MSG-->MM_SND_MSG4,
EV_START_TMR-->MM_SND_MSG4, EV_RESEND_MSG
Dec 23 17:43:39 [IKEv1 DEBUG]Group = 10.0.0.1, IP =
10.0.0.1, IKE SA MM:ce3b8de9 terminating:
flags 0x0104c002, refcnt 0, tuncnt 0
Dec 23 17:43:39 [IKEv1 DEBUG]Group = 10.0.0.1, IP =
10.0.0.1, sending delete/delete with reason message
Dec 23 17:43:39 [IKEv1 DEBUG]Group = 10.0.0.1, IP =
10.0.0.1, constructing blank hash payload
Dec 23 17:43:39 [IKEv1 DEBUG]Group = 10.0.0.1, IP =
10.0.0.1, constructing IKE delete payload
Dec 23 17:43:39 [IKEv1 DEBUG]Group = 10.0.0.1, IP =
10.0.0.1, constructing qm hash payload
Dec 23 17:43:39 [IKEv1]IP = 10.0.0.1, IKE_DECODE SENDING
Message (msgid=17825a31) with payloads : HDR + HASH (8) + DELETE (12) + NONE
(0) total length : 80
The responder is stuck at MSG5:
ASAv2# sh crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 10.0.0.1
Type : L2L Role : responder
Rekey : no State : MM_WAIT_MSG5
There are no IKEv2 SAs
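The two failure signatures above can be told apart mechanically. The following is an added example, not part of the original post: it classifies each peer's Phase 1 failure from a capture of ASA syslog, debug and `sh crypto isakmp sa` output, using only the message strings and stuck states shown on this page, and goes slightly beyond the page by handling several peers in one capture. The function name, the cause labels and the sample captures are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Indicator strings taken from the ASA messages shown on this page.
INDICATORS = {
    "phase1_proposal_mismatch": (
        r"NO_PROPOSAL_CHOSEN|All SA proposals found unacceptable"
        r"|Error processing payload: Payload ID: 1\b"),
    "psk_mismatch": (
        r"PAYLOAD_MALFORMED|EV_PROB_AUTH_FAIL"
        r"|pre-shared key mismatch|mismatched pre-shared key"),
}
# Main Mode state each failure leaves in "sh crypto isakmp sa" on this page.
STUCK_STATES = {"MM_WAIT_MSG2": "phase1_proposal_mismatch",
                "MM_WAIT_MSG5": "psk_mismatch", "MM_WAIT_MSG6": "psk_mismatch"}
TIMESTAMP = r"[A-Z][a-z]{2} \d{1,2} (?:\d{4} )?\d{2}:\d{2}:\d{2}"
PEER_RE = re.compile(r"\bIP = (\d{1,3}(?:\.\d{1,3}){3})")
SA_RE = re.compile(r"IKE Peer: (\S+) .*?State\s*:\s*(MM_\w+)")


def classify_phase1_failures(capture):
    """Map each peer IP to its likely failure cause and the matching evidence."""
    # Debug output is hard-wrapped, so collapse whitespace before matching.
    flat = re.sub(r"\s+", " ", capture)
    votes = defaultdict(lambda: defaultdict(set))
    # One record per timestamped message; the peer comes from "IP = ...".
    for record in re.split(r"(?=" + TIMESTAMP + r")", flat):
        peer = PEER_RE.search(record)
        if not peer:
            continue
        for cause, pattern in INDICATORS.items():
            for hit in re.finditer(pattern, record):
                votes[peer.group(1)][cause].add(hit.group(0))
    # Corroborate with the state the SA is stuck in, when show output is present.
    for peer_ip, state in SA_RE.findall(flat):
        if state in STUCK_STATES:
            votes[peer_ip][STUCK_STATES[state]].add("State : " + state)
    result = {}
    for peer_ip, causes in votes.items():
        ranked = sorted(causes.items(), key=lambda kv: len(kv[1]), reverse=True)
        tied = len(ranked) > 1 and len(ranked[0][1]) == len(ranked[1][1])
        cause = "ambiguous" if tied else ranked[0][0]
        result[peer_ip] = {"cause": cause, "evidence": sorted(ranked[0][1])}
    return result


# Constructed samples: abridged, hard-wrapped lines modelled on this page's output.
INITIATOR_CAPTURE = """Dec 23 17:25:59 [IKEv1]IP = 10.0.0.2, Received an un-encrypted
NO_PROPOSAL_CHOSEN notify message, dropping
ASAv1# sh crypto isakmp sa
1 IKE Peer: 10.0.0.2
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
"""
RESPONDER_CAPTURE = """Dec 23 17:43:23 [IKEv1]Group = 10.0.0.1, IP = 10.0.0.1, ERROR, had problems decrypting
packet, probably due to mismatched pre-shared key. Aborting
Dec 23 17:43:39 [IKEv1 DEBUG]Group = 10.0.0.1, IP =
10.0.0.1, IKE MM Responder FSM error history (struct &0x00007f48d93d5820) ,
: MM_DONE, EV_ERROR-->MM_WAIT_MSG5, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG5
"""

if __name__ == "__main__":
    for capture in (INITIATOR_CAPTURE, RESPONDER_CAPTURE):
        print(classify_phase1_failures(capture))
```

A result of `ambiguous` means both signatures scored equally for a peer, in which case compare the Phase 1 policy and the pre-shared key on both ASAs by hand.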