Use the debug crypto isakmp command to troubleshoot this issue, as shown in Example 8-56.
Example 8-56. Responder Has No Preshared Key for the Initiator
Osaka#debug crypto isakmp
Crypto ISAKMP debugging is on
*May 13 16:57:07.283 GMT: ISAKMP (0:2): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Old State = IKE_READY New State = IKE_R_MM1
*May 13 16:57:07.283 GMT: ISAKMP (0:2): processing SA payload. message ID = 0
*May 13 16:57:07.283 GMT: ISAKMP (0:2): No pre-shared key with 172.16.5.1!
*May 13 16:57:07.283 GMT: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 10 policy
*May 13 16:57:07.283 GMT: ISAKMP: encryption DES-CBC
*May 13 16:57:07.283 GMT: ISAKMP: hash MD5
*May 13 16:57:07.283 GMT: ISAKMP: default group 1
*May 13 16:57:07.283 GMT: ISAKMP: auth pre-share
*May 13 16:57:07.283 GMT: ISAKMP: life type in seconds
*May 13 16:57:07.283 GMT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 13 16:57:07.283 GMT: ISAKMP (0:2): Preshared authentication offered but does not match policy!
*May 13 16:57:07.283 GMT: ISAKMP (0:2): atts are not acceptable. Next payload is 0
*May 13 16:57:07.283 GMT: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 65535 policy
*May 13 16:57:07.283 GMT: ISAKMP: encryption DES-CBC
*May 13 16:57:07.283 GMT: ISAKMP: hash MD5
*May 13 16:57:07.283 GMT: ISAKMP: default group 1
*May 13 16:57:07.283 GMT: ISAKMP: auth pre-share
*May 13 16:57:07.283 GMT: ISAKMP: life type in seconds
*May 13 16:57:07.283 GMT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 13 16:57:07.283 GMT: ISAKMP (0:2): Hash algorithm offered does not match policy!
*May 13 16:57:07.287 GMT: ISAKMP (0:2): atts are not acceptable. Next payload is 0
*May 13 16:57:07.287 GMT: ISAKMP (0:2): no offers accepted!
*May 13 16:57:07.287 GMT: ISAKMP (0:2): phase 1 SA not acceptable!
*May 13 16:57:07.287 GMT: ISAKMP (0:2): incrementing error counter on sa: construct_fail_ag_init
*May 13 16:57:07.287 GMT: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE Old State = IKE_R_MM1 New State = IKE_R_MM1
*May 13 16:57:07.287 GMT: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR Old State = IKE_R_MM1 New State = IKE_READY
Osaka#

In highlighted line 1, the IKE state changes from IKE_READY to IKE_R_MM1. Osaka has received the first message in the main mode exchange from router Tokyo. Note the R in the output here: it indicates that Osaka is the responder.
Osaka then begins to process the SA payload (highlighted line 2), but in highlighted line 3, it reports that it does not have a preshared key for the initiator.
Osaka continues to process the SA payload in the following lines, but in highlighted line 4, the IKE state changes back to IKE_READY, indicating that phase 1 negotiation has failed.
The reason for the failure was, of course, indicated in highlighted line 3. Osaka does not have a preshared key for Tokyo.
Osaka's configuration is then examined using the show running-config command as demonstrated in Example 8-57. Note that only the relevant portion of the output is shown.
Example 8-57. Osaka's Configuration
Osaka#show running-config
Building configuration...
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 172.16.4.1
!

As you can see, there is only one preshared key configured, and it is configured for peer 172.16.4.1. In fact, there is no such peer; it should be 172.16.5.1 (Tokyo).
The preshared key is then reconfigured, as shown in Example 8-58.
Example 8-58. Reconfiguration of the Preshared Key
Osaka#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Osaka(config)#no crypto isakmp key cisco address 172.16.4.1
Osaka(config)#crypto isakmp key cisco address 172.16.5.1
Osaka(config)#exit
Osaka#

The highlighted lines show where the preshared key is reconfigured.
Once the preshared key has been reconfigured, IKE phase 1 negotiation is successful, as shown in Example 8-59.
Example 8-59. IKE Phase 1 Negotiation Succeeds
Osaka#show crypto isakmp sa
dst             src             state           conn-id    slot
172.16.6.2      172.16.5.1      QM_IDLE         9          0
Osaka#
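The diagnosis above (Examples 8-56 and 8-57) can be automated: correlate the "No pre-shared key with" message and the IKE_R_MM1 to IKE_READY state regression in the debug output with the crypto isakmp key lines actually present in the running configuration. The following is an added example written for this page, not code from the book; the sample log and config lines are constructed from the output shown above, and the regular expressions assume the IOS message formats seen here.

```python
import re

# Constructed sample input: the relevant debug lines from Example 8-56
DEBUG_LOG = """\
*May 13 16:57:07.283 GMT: ISAKMP (0:2): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Old State = IKE_READY New State = IKE_R_MM1
*May 13 16:57:07.283 GMT: ISAKMP (0:2): processing SA payload. message ID = 0
*May 13 16:57:07.283 GMT: ISAKMP (0:2): No pre-shared key with 172.16.5.1!
*May 13 16:57:07.283 GMT: ISAKMP (0:2): Preshared authentication offered but does not match policy!
*May 13 16:57:07.287 GMT: ISAKMP (0:2): phase 1 SA not acceptable!
*May 13 16:57:07.287 GMT: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR Old State = IKE_R_MM1 New State = IKE_READY
"""

# Constructed sample input: the relevant config lines from Example 8-57
RUNNING_CONFIG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 172.16.4.1
"""

NO_PSK_RE = re.compile(r"ISAKMP \((\d+:\d+)\): No pre-shared key with (\S+)!")
STATE_RE = re.compile(r"ISAKMP \((\d+:\d+)\): .*Old State = (\S+) New State = (\S+)")
KEY_RE = re.compile(r"^crypto isakmp key \S+ address (\S+)", re.M)


def configured_psk_peers(config):
    """Return the set of peer addresses that have a preshared key configured."""
    return set(KEY_RE.findall(config))


def diagnose(debug_log, config):
    """Return (sa_id, peer, finding) for each responder SA that fell back to IKE_READY."""
    peers = configured_psk_peers(config)
    missing = {}    # sa_id -> peer for which the router reported no preshared key
    failed = set()  # sa_ids that regressed from a responder main-mode state to IKE_READY
    for line in debug_log.splitlines():
        m = NO_PSK_RE.search(line)
        if m:
            missing[m.group(1)] = m.group(2)
            continue
        m = STATE_RE.search(line)
        if m and m.group(2).startswith("IKE_R_MM") and m.group(3) == "IKE_READY":
            failed.add(m.group(1))
    findings = []
    for sa_id in sorted(failed):
        peer = missing.get(sa_id)
        if peer is None:
            findings.append((sa_id, None, "phase 1 failed, but no missing-PSK message for this SA"))
        elif peer in peers:
            findings.append((sa_id, peer, "a key is configured for this peer; recheck the key value"))
        else:
            findings.append((sa_id, peer, f"no key for {peer}; keys exist only for {sorted(peers)}"))
    return findings
```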