RE: IKE with RSA sig and CA Server posted 01/15/2003


You can use different time zones, as long as all times are correct relative
to UTC.  The valid from and valid until dates are all specified in UTC.
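The point above (certificate validity is compared in UTC, so the routers' display zones are irrelevant as long as each clock denotes the right instant) can be checked directly. The following is an added example written for this archive page, not code from the thread or from Cisco: it takes the toronto signature certificate's validity window as printed on the page, treats 18:42:46 EST as the UTC instant it denotes, and shows that a Chicago reading in CST at the same instant passes, while a clock that was set to the wrong wall time for its configured zone is one hour off true UTC. The 60-second tolerance in diagnose() is my own assumption, not a value from the thread.

```python
from datetime import datetime, timedelta, timezone

# Zones from the thread: Chicago runs "clock timezone CST -6",
# Toronto runs "clock timezone EST -5" (see the posted config).
CST = timezone(timedelta(hours=-6), "CST")
EST = timezone(timedelta(hours=-5), "EST")
UTC = timezone.utc

# Validity window of toronto's signature certificate, copied from the
# "show crypto ca certificates" output on the page. IOS prints these in
# the router's configured local zone; X.509 itself stores them in UTC.
NOT_BEFORE = datetime(2003, 1, 13, 18, 42, 46, tzinfo=EST)
NOT_AFTER = datetime(2004, 1, 13, 18, 52, 46, tzinfo=EST)


def as_utc(dt):
    """Normalise an aware datetime to UTC, which is what a peer compares."""
    return dt.astimezone(UTC)


def cert_time_valid(now, not_before=NOT_BEFORE, not_after=NOT_AFTER):
    """True if 'now' falls inside [notBefore, notAfter] once all three
    instants are expressed in UTC. The zone label on 'now' is irrelevant;
    only the instant it denotes matters."""
    return as_utc(not_before) <= as_utc(now) <= as_utc(not_after)


def clock_skew_seconds(router_reading, reference_utc):
    """Signed difference (seconds) between what a router's clock denotes in
    UTC and true UTC. Zero means the router is correct, whatever zone it
    displays in. Positive means the router runs ahead of true time."""
    return int((as_utc(router_reading) - reference_utc).total_seconds())


def same_instant(a, b):
    """Two readings from differently-zoned routers agree iff they map to
    the same UTC instant."""
    return as_utc(a) == as_utc(b)


def diagnose(router_reading, reference_utc, tolerance_seconds=60):
    """Reduce a router clock reading to the question that matters for
    certificate validation: is it correct relative to UTC?
    (tolerance_seconds is an assumed value, not one from the thread)"""
    skew = clock_skew_seconds(router_reading, reference_utc)
    if abs(skew) <= tolerance_seconds:
        return "ok"
    return "clock skew %+d s: check the clock and its timezone offset" % skew


if __name__ == "__main__":
    issue_utc = as_utc(NOT_BEFORE)  # 23:42:46 UTC, Jan 13 2003
    # Chicago reads 17:42:46 CST at that same moment: valid, zones differ.
    chicago = datetime(2003, 1, 13, 17, 42, 46, tzinfo=CST)
    print(cert_time_valid(chicago), same_instant(chicago, NOT_BEFORE))
    # A router whose zone is configured as CST but whose wall clock was set
    # to Toronto's local time denotes an instant one hour ahead of true UTC.
    mis_set = datetime(2003, 1, 13, 18, 42, 46, tzinfo=CST)
    print(diagnose(mis_set, issue_utc))
```

The practical consequence for the setup in the thread: NTP carries UTC on the wire, so Toronto syncing from Chicago keeps both clocks on the same instant regardless of the zone each one displays; the certificates only need reissuing if a router's clock was actually wrong relative to UTC at the time of enrollment, not because the zones differ.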

-----Original Message-----
From: Brian T. Albert [mailto:brian.albert@worldnet.att.net] 
Sent: Wednesday, January 15, 2003 5:04 AM
To: Keyur Shah; security@groupstudy.com
Subject: RE: IKE with RSA sig and CA Server


This morning it is working fine. So here are my questions:

The CA server and the Chicago router (the pingee) are set to CST -6 and the
Toronto router (the pinger) is set to EST -5. Chicago is an NTP server for
Toronto, and Chicago is getting its time from an NTP master set to the same
time zone as Chicago.

Should all routers be set to UTC? If so, should the CA server be set to UTC?
Does military time need to be set on the CA server or not?

If this is a time problem, I assume I need to correct that and reissue
certificates. Is that correct?

Basically, what are the best practices for setting up time in a scenario
like this?

Here are the debugs and show items you guys requested:

toronto#sh cry ca cert
Certificate
  Status: Available
  Certificate Serial Number: 1188CE98000000000007
  Key Usage: Encryption
  Issuer:
    CN = MMICA
     O = mmi.com
     L = Chicago
     ST = IL
     C = US
     EA =<16> caadmin@mmi.com
  Subject Name Contains:
    Name: toronto.mmi.com
    IP Address: 220.220.220.2
    Serial Number: 06065745
  CRL Distribution Point:
    ldap:///CN=MMICA,CN=dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mmi,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint
  Validity Date:
    start date: 18:42:49 EST Jan 13 2003
    end   date: 18:52:49 EST Jan 13 2004

Certificate
  Status: Available
  Certificate Serial Number: 1188C3CA000000000006
  Key Usage: Signature
  Issuer:
    CN = MMICA
     O = mmi.com
     L = Chicago
     ST = IL
     C = US
     EA =<16> caadmin@mmi.com
  Subject Name Contains:
    Name: toronto.mmi.com
    IP Address: 220.220.220.2
    Serial Number: 06065745
  CRL Distribution Point:
    ldap:///CN=MMICA,CN=dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mmi,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint
  Validity Date:
    start date: 18:42:46 EST Jan 13 2003
    end   date: 18:52:46 EST Jan 13 2004

RA Signature Certificate
  Status: Available
  Certificate Serial Number: 61662DE5000000000002
  Key Usage: Signature
  Issuer:
    CN = MMICA
     O = mmi.com
     L = Chicago
     ST = IL
     C = US
     EA =<16> caadmin@mmi.com
  Subject Name:
    CN = MMIRA
     OU = Systems
     O = MMI
     L = Chicago
     ST = IL
     C = US
     EA =<16> raadmin@mmi.com
  CRL Distribution Point:
    ldap:///CN=MMICA,CN=dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mmi,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint
  Validity Date:
    start date: 21:53:14 EST Jan 12 2003
    end   date: 22:03:14 EST Jan 12 2004

RA KeyEncipher Certificate
  Status: Available
  Certificate Serial Number: 61662F4D000000000003
  Key Usage: Encryption
  Issuer:
    CN = MMICA
     O = mmi.com
     L = Chicago
     ST = IL
     C = US
     EA =<16> caadmin@mmi.com
  Subject Name:
    CN = MMIRA
     OU = Systems
     O = MMI
     L = Chicago
     ST = IL
     C = US
     EA =<16> raadmin@mmi.com
  CRL Distribution Point:
    ldap:///CN=MMICA,CN=dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mmi,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint
  Validity Date:
    start date: 21:53:15 EST Jan 12 2003
    end   date: 22:03:15 EST Jan 12 2004

CA Certificate
  Status: Available
  Certificate Serial Number: 45203BE3232D438C4301620F702B476F
  Key Usage: General Purpose
  Issuer:
    CN = MMICA
     O = mmi.com
     L = Chicago
     ST = IL
     C = US
     EA =<16> caadmin@mmi.com
  Subject Name:
    CN = MMICA
     O = mmi.com
     L = Chicago
     ST = IL
     C = US
     EA =<16> caadmin@mmi.com
  CRL Distribution Point:
    ldap:///CN=MMICA,CN=dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mmi,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint
  Validity Date:
    start date: 21:14:01 EST Jan 12 2003
    end   date: 21:14:01 EST Jan 12 2008

Here is debug cry pki trans from the pinging side now that it is working.

toronto#debug cry pki tran
Crypto PKI Trans debugging is on
toronto#ping
Protocol [ip]:
Target IP address: 12.144.107.2
Repeat count [5]: 20
Datagram size [100]:
Timeout in seconds [2]: 1
Extended commands [n]: y
Source address or interface: 12.146.79.193
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 20, 100-byte ICMP Echos to 12.144.107.2, timeout is 1 seconds:
...............
Jan 14 15:39:59.838: CRYPTO_PKI: status = 0: crl check ignored
Jan 14 15:40:00.134: CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while selecting CRL

Jan 14 15:40:00.150: CRYPTO_PKI: cert revocation status unknown......
Success rate is 0 percent (0/20)

Here is the same debug from the pinged side.

Jan 14 15:39:55.666: CRYPTO_PKI: status = 0: crl check ignored
Jan 14 15:39:55.962: CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while selecting CRL

Jan 14 15:39:55.978: CRYPTO_PKI: cert revocation status unknown.

Here is a debug from the pingee side when it is working:


[Resuming connection 5 to r5 ... ]

Jan 14 15:50:19.525: ISAKMP (0): received packet from 220.220.220.2 (N) NEW SA
Jan 14 15:50:19.529: ISAKMP: local port 500, remote port 500
Jan 14 15:50:19.537: ISAKMP (0:1): processing SA payload. message ID = 0
Jan 14 15:50:19.541: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
Jan 14 15:50:19.545: ISAKMP:      encryption DES-CBC
Jan 14 15:50:19.545: ISAKMP:      hash SHA
Jan 14 15:50:19.549: ISAKMP:      default group 1
Jan 14 15:50:19.549: ISAKMP:
chicago#sh log
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Console logging: level debugging, 154 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 154 messages logged
    Trap logging: level informational, 45 message lines logged
        Logging to 12.144.104.100, 45 message lines logged

Log Buffer (4096 bytes):
 = -1547785957
Jan 14 15:50:34.952: ISAKMP (0:1): Checking IPSec proposal 1
Jan 14 15:50:34.956: ISAKMP: transform 1, ESP_DES
Jan 14 15:50:34.956: ISAKMP:   attributes in transform:
Jan 14 15:50:34.956: ISAKMP:      encaps is 1
Jan 14 15:50:34.960: ISAKMP:      SA life type in seconds
Jan 14 15:50:34.960: ISAKMP:      SA life duration (basic) of 3600
Jan 14 15:50:34.964: ISAKMP:      SA life type in kilobytes
Jan 14 15:50:34.964: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Jan 14 15:50:34.968: ISAKMP:      authenticator is HMAC-SHA
Jan 14 15:50:34.972: ISAKMP:      group is 1
Jan 14 15:50:34.976: ISAKMP (0:1): atts are acceptable.
Jan 14 15:50:34.980: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 220.220.220.5, src= 220.220.220.2,
    dest_proxy= 12.144.107.0/255.255.255.192/0/0 (type=4),
    src_proxy= 12.146.79.192/255.255.255.224/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x14
Jan 14 15:50:36.604: ISAKMP (0:1): processing NONCE payload. message ID = -1547785957
Jan 14 15:50:36.608: ISAKMP (0:1): processing KE payload. message ID = -1547785957
Jan 14 15:50:38.712: ISAKMP (0:1): processing ID payload. message ID = -1547785957
Jan 14 15:50:38.716: ISAKMP (1): ID_IPV4_ADDR_SUBNET src 12.146.79.192/255.255.255.224 prot 0 port 0
Jan 14 15:50:38.720: ISAKMP (0:1): processing ID payload. message ID = -1547785957
Jan 14 15:50:38.724: ISAKMP (1): ID_IPV4_ADDR_SUBNET dst 12.144.107.0/255.255.255.192 prot 0 port 0
Jan 14 15:50:38.728: ISAKMP (0:1): asking for 1 spis from ipsec
Jan 14 15:50:38.732: IPSEC(key_engine): got a queue event...
Jan 14 15:50:38.736: IPSEC(spi_response): getting spi 310057253 for SA
        from 220.220.220.2   to 220.220.220.5   for prot 3
        from 220.220.220.2   to 220.220.220.5   for prot 3
Jan 14 15:50:38.744: ISAKMP: received ke message (2/1)
Jan 14 15:50:39.000: ISAKMP (1): sending packet to 220.220.220.2 (R) QM_IDLE

Jan 14 15:50:41.224: ISAKMP (1): received packet from 220.220.220.2 (R)
QM_IDLE

Jan 14 15:50:41.280: ISAKMP (0:1): Creating IPSec SAs
Jan 14 15:50:41.280:         inbound SA from 220.220.220.2   to 220.220.220.5   (proxy 12.146.79.192   to 12.144.107.0   )
Jan 14 15:50:41.288:         has spi 310057253 and conn_id 2000 and flags 15
Jan 14 15:50:41.288:         lifetime of 3600 seconds
Jan 14 15:50:41.292:         lifetime of 4608000 kilobytes
Jan 14 15:50:41.292:         outbound SA from 220.220.220.5   to 220.220.220.2   (proxy 12.144.107.0    to 12.146.79.192  )
Jan 14 15:50:41.300:         has spi 161225818 and conn_id 2001 and flags 15
Jan 14 15:50:41.304:         lifetime of 3600 seconds
Jan 14 15:50:41.304:         lifetime of 4608000 kilobytes
Jan 14 15:50:41.308: ISAKMP (0:1): deleting node -1547785957 error FALSE reason "quick mode done (await()"
Jan 14 15:50:41.312: IPSEC(key_engine): got a queue event...
Jan 14 15:50:41.312: IPSEC(initialize_sas): ,
  (key eng. msg.) dest= 220.220.220.5, src= 220.220.220.2,
    dest_proxy= 12.144.107.0/255.255.255.192/0/0 (type=4),
    src_proxy= 12.146.79.192/255.255.255.224/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x127B1925(310057253), conn_id= 2000, keysize= 0, flags= 0x15
Jan 14 15:50:41.328: IPSEC(initialize_sas): ,
  (key eng. msg.) src= 220.220.220.5, dest= 220.220.220.2,
    src_proxy= 12.144.107.0/255.255.255.192/0/0 (type=4),
    dest_proxy= 12.146.79.192/255.255.255.224/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x99C1C5A(161225818), conn_id= 2001, keysize= 0, flags= 0x15
Jan 14 15:50:41.344: IPSEC(create_sa): sa created,
  (sa) sa_dest= 220.220.220.5, sa_prot= 50,
    sa_spi= 0x127B1925(310057253),
    sa_trans= esp-des esp-sha-hmac , sa_conn_id= 2000
Jan 14 15:50:41.348: IPSEC(create_sa): sa created,
  (sa) sa_dest= 220.220.220.2, sa_prot= 50,
    sa_spi= 0x99C1C5A(161225818),
    sa_trans= esp-des esp-sha-hmac , sa_conn_id= 2001
Jan 14 15:51:31.305: ISAKMP (0:1): purging node -1547785957

  -----Original Message-----
  From: Keyur Shah [mailto:kshah@hellocomputers.com]
  Sent: Monday, January 13, 2003 10:42 PM
  To: 'Brian T. Albert'; security@groupstudy.com
  Subject: RE: IKE with RSA sig and CA Server


  Brian,

  Can you debug crypto pki transactions and paste the log? Also, can you try
  isakmp identity address and see if it still does not work?

  -Keyur Shah-
  CCIE# 4799 (Security;R/S)
  "Say Hello to Your Future!"
  http://www.hellocomputers.com
  Toll-Free: 1.877.79.HELLO



  -----Original Message-----
  From: Brian T. Albert [mailto:brian.albert@worldnet.att.net]
  Sent: Monday, January 13, 2003 7:38 PM
  To: security@groupstudy.com
  Subject: IKE with RSA sig and CA Server



  Group,

  I am trying to set up IPSEC using a CA server. Authenticating with the CA
  and enrolling seems to be fine. I'm having problems establishing an IKE SA
  between 2 routers. It looks like Main Mode fails; here is the debug:

  CAREFUL, LONG DEBUG ! !

  toronto#ping
  Protocol [ip]:
  Target IP address: 12.144.107.2
  Repeat count [5]: 20
  Datagram size [100]:
  Timeout in seconds [2]: 1
  Extended commands [n]: y
  Source address or interface: 12.146.79.193
  Type of service [0]:
  Set DF bit in IP header? [no]:
  Validate reply data? [no]:
  Data pattern [0xABCD]:
  Loose, Strict, Record, Timestamp, Verbose[none]:
  Sweep range of sizes [n]:
  Type escape sequence to abort.
  Sending 20, 100-byte ICMP Echos to 12.144.107.2, timeout is 1 seconds:
  .
  Jan 14 03:02:37.853: IPSEC(sa_request): ,
    (key eng. msg.) src= 220.220.220.2, dest= 220.220.220.5,
      src_proxy= 12.146.79.192/255.255.255.224/0/0 (type=4),
      dest_proxy= 12.144.107.0/255.255.255.192/0/0 (type=4),
      protocol= ESP, transform= esp-des esp-sha-hmac ,
      lifedur= 3600s and 4608000kb,
      spi= 0x1A5C1ECF(442244815), conn_id= 0, keysize= 0, flags= 0x4005
  Jan 14 03:02:37.869: ISAKMP: received ke message (1/1)
  Jan 14 03:02:37.873: ISAKMP: local port 500, remote port 500
  Jan 14 03:02:37.889: ISAKMP (0:1): beginning Main Mode exchange
  Jan 14 03:02:37.893: ISAKMP (1): sending packet to 220.220.220.5 (I) MM_NO_STATE
  ..
  Jan 14 03:02:39.581: ISAKMP (1): received packet from 220.220.220.5 (I) MM_NO_STATE
  Jan 14 03:02:39.585: ISAKMP (0:1): processing SA payload. message ID = 0
  Jan 14 03:02:39.593: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
  Jan 14 03:02:39.597: ISAKMP:      encryption DES-CBC
  Jan 14 03:02:39.597: ISAKMP:      hash SHA
  Jan 14 03:02:39.597: ISAKMP:      default group 1
  Jan 14 03:02:39.601: ISAKMP:      auth RSA sig
  Jan 14 03:02:39.601: ISAKMP:      life type in seconds
  Jan 14 03:02:39.605: ISAKMP:      life duration (basic) of 14400
  Jan 14 03:02:39.605: ISAKMP (0:1): atts are acceptable. Next payload is 0
  Jan 14 03:02:41.205: ISAKMP (0:1): SA is doing RSA signature authentication
  Jan 14 03:02:41.205: ISAKMP (1): SA is doing RSA signature authentication using id type ID_FQDN
  Jan 14 03:02:41.269: ISAKMP (1): sending packet to 220.220.220.5 (I) MM_SA_SETUP
  ......
  Jan 14 03:02:43.565: ISAKMP (1): received packet from 220.220.220.5 (I) MM_SA_SETUP
  Jan 14 03:02:43.569: ISAKMP (0:1): processing KE payload. message ID = 0
  Jan 14 03:02:45.576: ISAKMP (0:1): processing NONCE payload. message ID = 0
  Jan 14 03:02:45.604: ISAKMP (0:1): SKEYID state generated
  Jan 14 03:02:45.608: ISAKMP (1): processing CERT_REQ payload. message ID = 0
  Jan 14 03:02:45.608: ISAKMP (1): peer wants a CT_X509_SIGNATURE cert
  Jan 14 03:02:45.632: ISAKMP (1): peer want cert issued by CN = MMICA, O = mmi.com, L = Chicago, ST = IL, C = US, EA =<16> caadmin@mmi.com
  Jan 14 03:02:45.724: ISAKMP (0:1): processing vendor id payload
  Jan 14 03:02:45.728: ISAKMP (0:1): speaking to another IOS box!
  Jan 14 03:02:45.728: ISAKMP (1): ID payload
          next-payload : 6
          type         : 2
          protocol     : 17
          port         : 500
          length       : 19
  Jan 14 03:02:45.732: ISAKMP (1): Total payload length: 23..
  Jan 14 03:02:48.804: ISAKMP (1): sending packet to 220.220.220.5 (I) MM_KEY_EXCH

  Jan 14 03:02:50.348: ISAKMP (1): received packet from 220.220.220.5 (I) MM_KEY_EXCH
  Jan 14 03:02:50.352: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 220.220.220.5 was not encrypted and it should've been..
  Jan 14 03:02:50.356: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
  Jan 14 03:02:51.360: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
  Jan 14 03:02:51.360: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
  Jan 14 03:02:51.364: ISAKMP (1): sending packet to 220.220.220.5 (I) MM_KEY_EXCH
  ...
  Jan 14 03:02:52.908: ISAKMP (1): received packet from 220.220.220.5 (I) MM_KEY_EXCH
  Jan 14 03:02:52.912: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
  Jan 14 03:02:52.916: ISAKMP (0:1): retransmitting due to retransmit phase 1
  Jan 14 03:02:52.920: ISAKMP (0:1): time remaining never
  Jan 14 03:02:52.920: ISAKMP (0:1): current time 00:00:00
  Jan 14 03:02:52.924: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
  Jan 14 03:02:53.424: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
  Jan 14 03:02:53.424: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
  Jan 14 03:02:53.428: ISAKMP (1): sending packet to 220.220.220.5 (I) MM_KEY_EXCH
  ..
  Jan 14 03:02:54.996: ISAKMP (1): received packet from 220.220.220.5 (I) MM_KEY_EXCH
  Jan 14 03:02:55.000: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
  Jan 14 03:02:55.000: ISAKMP (0:1): retransmitting due to retransmit phase 1
  Jan 14 03:02:55.004: ISAKMP (0:1): time remaining never
  Jan 14 03:02:55.008: ISAKMP (0:1): current time 00:00:00
  Jan 14 03:02:55.008: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
  Jan 14 03:02:55.512: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
  Jan 14 03:02:55.512: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
  Jan 14 03:02:55.516: ISAKMP (1): sending packet to 220.220.220.5 (I) MM_KEY_EXCH
  ..
  Jan 14 03:02:57.072: ISAKMP (1): received packet from 220.220.220.5 (I) MM_KEY_EXCH
  Jan 14 03:02:57.076: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
  Jan 14 03:02:57.076: ISAKMP (0:1): retransmitting due to retransmit phase 1
  Jan 14 03:02:57.080: ISAKMP (0:1): time remaining never
  Jan 14 03:02:57.084: ISAKMP (0:1): current time 00:00:00
  Jan 14 03:02:57.084: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
  Jan 14 03:02:57.588: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
  Jan 14 03:02:57.588: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
  Jan 14 03:02:57.592: ISAKMP (1): sending packet to 220.220.220.5 (I) MM_KEY_EXCH
  .
  Success rate is 0 percent (0/20)
  toronto#
  Jan 14 03:02:59.152: ISAKMP (1): received packet from 220.220.220.5 (I) MM_KEY_EXCH
  Jan 14 03:02:59.156: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
  Jan 14 03:02:59.156: ISAKMP (0:1): retransmitting due to retransmit phase 1
  Jan 14 03:02:59.160: ISAKMP (0:1): time remaining never
  Jan 14 03:02:59.164: ISAKMP (0:1): current time 00:00:00
  Jan 14 03:02:59.164: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
  Jan 14 03:02:59.668: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
  Jan 14 03:02:59.668: ISAKMP (0:1): phase 1 going away; let's be paranoid.
  Jan 14 03:02:59.672: ISAKMP (0:1): Bring down phase 2's
  toronto#
  Jan 14 03:02:59.672: ISAKMP (0:1): That phase 1 was the last one of its kind. Taking phase 2's with us.
  Jan 14 03:02:59.676: ISAKMP (0:1): peer does not do paranoid keepalives.

  Jan 14 03:02:59.680: ISAKMP (0:1): deleting SA reason "death by retransmission P1" state (I) MM_KEY_EXCH (peer 220.220.220.5) input queue 0
  Jan 14 03:02:59.684: ISAKMP (0:1): deleting node -2014295024 error TRUE reason "death by retransmission P1"
  Jan 14 03:02:59.688: IPSEC(key_engine): got a queue event...
  Jan 14 03:02:59.692: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
  Jan 14 03:02:59.692: IPSEC(key_engine_delete_sas): delete all SAs shared with 220.220.220.5
  toronto#
  Jan 14 03:03:07.851: IPSEC(key_engine): request timer fired: count = 1,
    (identity) local= 220.220.220.2, remote= 220.220.220.5,
      local_proxy= 12.146.79.192/255.255.255.224/0/0 (type=4),
      remote_proxy= 12.144.107.0/255.255.255.192/0/0 (type=4)
  Jan 14 03:03:07.863: IPSEC(sa_request): ,
    (key eng. msg.) src= 220.220.220.2, dest= 220.220.220.5,
      src_proxy= 12.146.79.192/255.255.255.224/0/0 (type=4),
      dest_proxy= 12.144.107.0/255.255.255.192/0/0 (type=4),
      protocol= ESP, transform= esp-des esp-sha-hmac ,
      lifedur= 3600s and 4608000kb,
      spi= 0x230E0792(588122002), conn_id= 0, keysize= 0, flags= 0x4005
  toronto#
  Jan 14 03:03:07.875: ISAKMP: received ke message (1/1)
  Jan 14 03:03:07.879: ISAKMP: local port 500, remote port 500
  Jan 14 03:03:07.895: ISAKMP (0:2): beginning Main Mode exchange
  Jan 14 03:03:07.899: ISAKMP (2): sending packet to 220.220.220.5 (I) MM_NO_STATE

  toronto#
  Jan 14 03:03:09.591: ISAKMP (2): received packet from 220.220.220.5 (I) MM_NO_STATE
  Jan 14 03:03:09.595: ISAKMP (0:2): processing SA payload. message ID = 0
  Jan 14 03:03:09.603: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 10 policy
  Jan 14 03:03:09.603: ISAKMP:      encryption DES-CBC
  Jan 14 03:03:09.607: ISAKMP:      hash SHA
  Jan 14 03:03:09.607: ISAKMP:      default group 1
  Jan 14 03:03:09.611: ISAKMP:      auth RSA sig
  Jan 14 03:03:09.611: ISAKMP:      life type in seconds
  Jan 14 03:03:09.611: ISAKMP:      life duration (basic) of 14400
  Jan 14 03:03:09.615: ISAKMP (0:2): atts are acceptable. Next payload is 0
  Jan 14 03:03:11.263: ISAKMP (0:2): SA is doing RSA signature authentication
  Jan 14 03:03:11.267: ISAKMP (2): SA is doing RSA signature authentication using id type ID_FQDN
  Jan 14 03:03:11.359: ISAKMP (2): sending packet to 220.220.220.5 (I) MM_SA_SETUP

  toronto#
  Jan 14 03:03:13.671: ISAKMP (2): received packet from 220.220.220.5 (I) MM_SA_SETUP
  Jan 14 03:03:13.679: ISAKMP (0:2): processing KE payload. message ID = 0
  Jan 14 03:03:15.686: ISAKMP (0:2): processing NONCE payload. message ID = 0
  Jan 14 03:03:15.710: ISAKMP (0:2): SKEYID state generated
  Jan 14 03:03:15.714: ISAKMP (2): processing CERT_REQ payload. message ID = 0
  Jan 14 03:03:15.718: ISAKMP (2): peer wants a CT_X509_SIGNATURE cert
  Jan 14 03:03:15.734: ISAKMP (2): peer want cert issued by CN = MMICA, O = mmi.com, L = Chicago, ST = IL, C = US, EA =<16> caadmin@mmi.com
  Jan 14 03:03:15.826: ISAKMP (0:2): processing vendor id payload
  Jan 14 03:03:15.830: ISAKMP (0:2): speaking to another IOS box!
  Jan 14 03:03:15.834: ISAKMP (2): ID payload
          next-payload : 6
          type         : 2
          protocol     : 17
          port         : 500
          length       : 19
  Jan 14 03:03:15.838: ISAKMP (2): Total payload length: 23
  toronto#
  Jan 14 03:03:18.782: ISAKMP (2): sending packet to 220.220.220.5 (I) MM_KEY_EXCH

  toronto#
  Jan 14 03:03:20.330: ISAKMP (2): received packet from 220.220.220.5 (I) MM_KEY_EXCH
  Jan 14 03:03:20.334: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 220.220.220.5 was not encrypted and it should've been.
  toronto#
  Jan 14 03:03:20.338: ISAKMP (0:2): incrementing error counter on sa: reset_retransmission
  Jan 14 03:03:21.342: ISAKMP (0:2): retransmitting phase 1 MM_KEY_EXCH...
  Jan 14 03:03:21.342: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
  Jan 14 03:03:21.346: ISAKMP (2): sending packet to 220.220.220.5 (I) MM_KEY_EXCH

  toronto#
  Jan 14 03:03:22.894: ISAKMP (2): received packet from 220.220.220.5 (I) MM_KEY_EXCH
  Jan 14 03:03:22.898: ISAKMP (0:2): phase 1 packet is a duplicate of a previous packet.
  Jan 14 03:03:22.898: ISAKMP (0:2): retransmitting due to retransmit phase 1
  Jan 14 03:03:22.902: ISAKMP (0:2): time remaining never
  Jan 14 03:03:22.906: ISAKMP (0:2): current time 00:00:00
  Jan 14 03:03:22.906: ISAKMP (0:2): retransmitting phase 1 MM_KEY_EXCH...
  Jan 14 03:03:23.410: ISAKMP (0:2): retransmitting phase 1 MM_KEY_EXCH...
  Jan 14 03:03:23.410: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
  Jan 14 03:03:23.414: ISAKMP (2): sending packet to 220.220.220.5 (I) MM_KEY_EXCH

  toronto#
  Jan 14 03:03:24.962: ISAKMP (2): received packet from 220.220.220.5 (I) MM_KEY_EXCH
  Jan 14 03:03:24.966: ISAKMP (0:2): phase 1 packet is a duplicate of a previous packet.
  Jan 14 03:03:24.966: ISAKMP (0:2): retransmitting due to retransmit phase 1
  Jan 14 03:03:24.970: ISAKMP (0:2): time remaining never
  Jan 14 03:03:24.974: ISAKMP (0:2): current time 00:00:00
  Jan 14 03:03:24.974: ISAKMP (0:2): retransmitting phase 1 MM_KEY_EXCH...
  Jan 14 03:03:25.478: ISAKMP (0:2): retransmitting phase 1 MM_KEY_EXCH...
  Jan 14 03:03:25.478: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
  Jan 14 03:03:25.482: ISAKMP (2): sending packet to 220.220.220.5 (I) MM_KEY_EXCH

  toronto#
  Jan 14 03:03:27.038: ISAKMP (2): received packet from 220.220.220.5 (I) MM_KEY_EXCH
  Jan 14 03:03:27.046: ISAKMP (0:2): phase 1 packet is a duplicate of a previous packet.
  Jan 14 03:03:27.046: ISAKMP (0:2): retransmitting due to retransmit phase 1
  Jan 14 03:03:27.050: ISAKMP (0:2): time remaining never
  Jan 14 03:03:27.054: ISAKMP (0:2): current time 00:00:00
  Jan 14 03:03:27.054: ISAKMP (0:2): retransmitting phase 1 MM_KEY_EXCH...
  Jan 14 03:03:27.558: ISAKMP (0:2): retransmitting phase 1 MM_KEY_EXCH...
  Jan 14 03:03:27.558: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
  Jan 14 03:03:27.562: ISAKMP (2): sending packet to 220.220.220.5 (I) MM_KEY_EXCH

  toronto#
  Jan 14 03:03:29.110: ISAKMP (2): received packet from 220.220.220.5 (I) MM_KEY_EXCH
  Jan 14 03:03:29.114: ISAKMP (0:2): phase 1 packet is a duplicate of a previous packet.
  Jan 14 03:03:29.114: ISAKMP (0:2): retransmitting due to retransmit phase 1
  Jan 14 03:03:29.118: ISAKMP (0:2): time remaining never
  Jan 14 03:03:29.122: ISAKMP (0:2): current time 00:00:00
  Jan 14 03:03:29.122: ISAKMP (0:2): retransmitting phase 1 MM_KEY_EXCH...
  Jan 14 03:03:29.626: ISAKMP (0:2): retransmitting phase 1 MM_KEY_EXCH...
  Jan 14 03:03:29.626: ISAKMP (0:2): phase 1 going away; let's be paranoid.
  Jan 14 03:03:29.630: ISAKMP (0:2): Bring down phase 2's
  toronto#
  Jan 14 03:03:29.630: ISAKMP (0:2): That phase 1 was the last one of its kind. Taking phase 2's with us.
  Jan 14 03:03:29.634: ISAKMP (0:2): peer does not do paranoid keepalives.

  Jan 14 03:03:29.638: ISAKMP (0:2): deleting SA reason "death by retransmission P1" state (I) MM_KEY_EXCH (peer 220.220.220.5) input queue 0
  Jan 14 03:03:29.642: ISAKMP (0:2): deleting node -1997754357 error TRUE reason "death by retransmission P1"
  Jan 14 03:03:29.646: IPSEC(key_engine): got a queue event...
  Jan 14 03:03:29.646: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
  Jan 14 03:03:29.650: IPSEC(key_engine_delete_sas): delete all SAs shared with 220.220.220.5
  toronto#
  Jan 14 03:03:37.857: IPSEC(key_engine): request timer fired: count = 2,
    (identity) local= 220.220.220.2, remote= 220.220.220.5,
      local_proxy= 12.146.79.192/255.255.255.224/0/0 (type=4),
      remote_proxy= 12.144.107.0/255.255.255.192/0/0 (type=4)
  Jan 14 03:03:37.869: ISAKMP: received ke message (3/1)
  Jan 14 03:03:37.873: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 220.220.220.2 dst 220.220.220.5 for SPI 0x0
  toronto#
  Jan 14 03:03:49.680: ISAKMP (0:1): purging node -2014295024
  toronto#
  Jan 14 03:03:59.680: ISAKMP (0:1): purging SA.
  toronto#
  Jan 14 03:04:19.638: ISAKMP (0:2): purging node -1997754357
  toronto#
  Jan 14 03:04:29.638: ISAKMP (0:2): purging SA

  Here is partial config from one of the routers:

  Building configuration...

  Current configuration : 17255 bytes
  !
  ! Last configuration change at 21:49:11 EST Sun Jan 13 2002 by brian
  ! NVRAM config last updated at 21:49:14 EST Sun Jan 13 2002 by brian
  !
  version 12.1
  no service single-slot-reload-enable
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  !
  hostname toronto
  !
  !
  clock timezone EST -5
  clock summer-time EDT recurring
  ip subnet-zero
  ip domain-name mmi.com
  ip name-server 12.144.106.100
  !
  !
  !
  crypto ca identity mmica
   enrollment mode ra
   enrollment url http://dc1:80/certsrv/mscep/mscep.dll

   crl optional
  crypto ca certificate chain mmica
   certificate ca 45203BE3232D438C4301620F702B476F
    30820333 308202DD A0030201 02021045 203BE323 2D438C43 01620F70 2B476F30
    0D06092A 864886F7 0D010105 0500306E 311E301C 06092A86 4886F70D 01090116
    0F636161 646D696E 406D6D69 2E636F6D 310B3009 06035504 06130255 53310B30
   --More--
   quit
   certificate ra-encrypt 61662F4D000000000003
    308204BE 30820468 A0030201 02020A61 662F4D00 00000000 03300D06 092A8648
    86F70D01 01050500 306E311E 301C0609 2A864886 F70D0109 01160F63 6161646D
  --More--
   quit
   certificate ra-sign 61662DE5000000000002
    308204BE 30820468 A0030201 02020A61 662DE500 00000000 02300D06 092A8648
    86F70D01 01050500 306E311E 301C0609 2A864886 F70D0109 01160F63 6161646D
  --More--
   quit
   certificate 1188C3CA000000000006
    3082049D 30820447 A0030201 02020A11 88C3CA00 00000000 06300D06 092A8648
    86F70D01 01050500 306E311E 301C0609 2A864886 F70D0109 01160F63 6161646D
  --More--
   quit
   certificate 1188CE98000000000007
    3082049D 30820447 A0030201 02020A11 88CE9800 00000000 07300D06 092A8648
    86F70D01 01050500 306E311E 301C0609 2A864886 F70D0109 01160F63 6161646D
    quit
  !
  crypto isakmp policy 10
   lifetime 14400
  crypto isakmp identity hostname
  !
  !
  crypto ipsec transform-set realworld esp-des esp-sha-hmac
  !
  crypto map vpn local-address Loopback0
  crypto map vpn 10 ipsec-isakmp
   set peer 220.220.220.5
   set transform-set realworld
   set pfs group1
   match address vpn
  !
  ip access-list extended vpn
   permit ip 12.146.79.192 0.0.0.31 12.144.107.0 0.0.0.63
   permit ip 12.146.79.192 0.0.0.31 12.144.104.0 0.0.0.255
   permit ip 12.146.79.192 0.0.0.31 12.144.105.0 0.0.0.255
   permit ip 12.146.79.192 0.0.0.31 12.144.106.0 0.0.0.255
  !
  ntp authentication-key 1 md5 14141B180F0B 7
  ntp authenticate
  ntp trusted-key 1
  ntp clock-period 17178718
  ntp server 220.220.220.5 key 1
  end

  Does anyone see where I've gone wrong?

  See you in the morning.

  Brian T. Albert
  CCIE #9682
  brian.albert@worldnet.att.net
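The two captures in this thread (the failing Main Mode exchange in Brian's first post, and the "crl check ignored" / "cert revocation status unknown" output once it worked) are the kind of thing a reviewer ends up reading repeatedly. The following is an added example for this archive page, not code from the thread or from Cisco: a small triage pass over IOS "debug crypto isakmp" and "debug crypto pki transactions" text that reports the furthest ISAKMP state reached, counts the error signals seen above, and flags the revocation caveat. The sample lines are constructed in the shape of the posted output (addresses and timestamps taken from the thread); the state list covers only the state names that appear on the page.

```python
import re

# Constructed sample in the shape of Brian's failing capture.
SAMPLE_FAILED = """\
Jan 14 03:02:37.889: ISAKMP (0:1): beginning Main Mode exchange
Jan 14 03:02:37.893: ISAKMP (1): sending packet to 220.220.220.5 (I) MM_NO_STATE
Jan 14 03:02:41.269: ISAKMP (1): sending packet to 220.220.220.5 (I) MM_SA_SETUP
Jan 14 03:02:45.608: ISAKMP (1): peer wants a CT_X509_SIGNATURE cert
Jan 14 03:02:48.804: ISAKMP (1): sending packet to 220.220.220.5 (I) MM_KEY_EXCH
Jan 14 03:02:50.352: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 220.220.220.5 was not encrypted and it should've been..
Jan 14 03:02:51.360: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Jan 14 03:02:53.424: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Jan 14 03:02:59.680: ISAKMP (0:1): deleting SA reason "death by retransmission P1" state (I) MM_KEY_EXCH (peer 220.220.220.5) input queue 0
"""

# Constructed sample in the shape of the later, working capture.
SAMPLE_WORKING = """\
Jan 14 15:39:59.838: CRYPTO_PKI: status = 0: crl check ignored
Jan 14 15:40:00.134: CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while selecting CRL
Jan 14 15:40:00.150: CRYPTO_PKI: cert revocation status unknown
Jan 14 15:50:39.000: ISAKMP (1): sending packet to 220.220.220.2 (R) QM_IDLE
Jan 14 15:50:41.280: ISAKMP (0:1): Creating IPSec SAs
"""

# ISAKMP states seen on the page, in the order the exchange passes through
# them; QM_IDLE means phase 1 completed and quick mode is in progress.
MM_ORDER = ["MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "QM_IDLE"]
STATE_RE = re.compile(r"\b(MM_NO_STATE|MM_SA_SETUP|MM_KEY_EXCH|QM_IDLE)\b")


def triage(debug_text):
    """Summarise a capture: furthest state reached, error signals seen,
    and whether phase 1 died. Returns a dict of plain values."""
    furthest = -1
    summary = {"not_encrypted": 0, "phase1_retransmits": 0,
               "phase1_died": False, "ipsec_sas_created": False,
               "crl_check_ignored": False, "revocation_unknown": False}
    for line in debug_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            furthest = max(furthest, MM_ORDER.index(m.group(1)))
        if "IKMP_NOT_ENCRYPTED" in line:
            summary["not_encrypted"] += 1
        if "retransmitting phase 1" in line:
            summary["phase1_retransmits"] += 1
        if "death by retransmission P1" in line:
            summary["phase1_died"] = True
        if "Creating IPSec SAs" in line:
            summary["ipsec_sas_created"] = True
        if "crl check ignored" in line:
            summary["crl_check_ignored"] = True
        if "cert revocation status unknown" in line:
            summary["revocation_unknown"] = True
    summary["furthest_state"] = MM_ORDER[furthest] if furthest >= 0 else None
    return summary


def verdict(summary):
    """Turn the counters into the one-line conclusions a reviewer wants."""
    notes = []
    if summary["phase1_died"]:
        notes.append("phase 1 died at %s after %d retransmits"
                     % (summary["furthest_state"], summary["phase1_retransmits"]))
    if summary["not_encrypted"]:
        notes.append("%d unencrypted reply/replies at MM_KEY_EXCH: the exchange "
                     "got past MM_SA_SETUP, so look at certificate validity and "
                     "router clocks before the ISAKMP policy"
                     % summary["not_encrypted"])
    if summary["ipsec_sas_created"]:
        notes.append("IPsec SAs created")
    if summary["crl_check_ignored"] or summary["revocation_unknown"]:
        # "crl optional" in the posted config lets the tunnel come up even
        # when no CRL can be fetched; revocation is therefore not enforced.
        notes.append("CRL check skipped ('crl optional'): a revoked peer "
                     "certificate would still be accepted")
    return notes


if __name__ == "__main__":
    for label, text in (("failed", SAMPLE_FAILED), ("working", SAMPLE_WORKING)):
        print(label, triage(text)["furthest_state"])
        for note in verdict(triage(text)):
            print("  -", note)
```

The CRL note is the caveat worth keeping in mind once the tunnel works: with "crl optional" the "cert revocation status unknown" line is expected and harmless for connectivity, but it also means the CDP in the certificates (the ldap:/// URL above) is never consulted successfully, so revoking a router's certificate at the CA would not stop it from authenticating.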