What is causing the problem?

user@host> show log ike-test
…
Jun 13 10:36:52 ike_st_i_cr: Start
Jun 13 10:36:52 ike_st_i_cert: Start
Jun 13 10:36:52 ike_st_i_private: Start
Jun 13 10:36:52 ike_st_o_id: Start
Jun 13 10:36:52 ike_st_o_hash: Start
Jun 13 10:36:52 ike_find_pre_shared_key: Find pre shared key key for 172.168.100.2:500, id = ipv4(udp:500,[0..3]=172.168.100.2) -> 192.168.101.2:500, id = No Id
Jun 13 10:36:52 ike_policy_reply_find_pre_shared_key: Start
Jun 13 10:36:52 ike_calc_mac: Start, initiator = true, local = true
Jun 13 10:36:52 ike_st_o_status_n: Start
Jun 13 10:36:52 ike_st_o_private: Start
Jun 13 10:36:52 ike_policy_reply_private_payload_out: Start
Jun 13 10:36:52 ike_st_o_encrypt: Marking encryption for packet
Jun 13 10:36:52 ike_encode_packet: Start, SA = { 0x86b8160b 93a10c7c - c6c3a771 f0475656 } / 00000000, nego = -1
Jun 13 10:36:52 ike_send_packet: Start, send SA = { 86b8160b 93a10c7c - c6c3a771 f0475656}, nego = -1, src = 172.168.100.2:500, dst = 192.168.101.2:500, routing table id = 0
Jun 13 10:36:52 ike_get_sa: Start, SA = { 86b8160b 93a10c7c - c6c3a771 f0475656 } / 4cb03305, remote = 192.168.101.2:500
Jun 13 10:36:52 ike_sa_find: Found SA = { 86b8160b 93a10c7c - c6c3a771 f0475656 }
Jun 13 10:36:52 ike_alloc_negotiation: Start, SA = { 86b8160b 93a10c7c - c6c3a771 f0475656}
Jun 13 10:36:52 ike_decode_packet: Start
Jun 13 10:36:52 ike_decode_packet: Start, SA = { 86b8160b 93a10c7c - c6c3a771 f0475656} / 4cb03305, nego = 0
Jun 13 10:36:52 ike_st_i_n: Start, doi = 1, protocol = 1, code = Payload malformed (16), spi[0..16] = 86b8160b 93a10c7c …, data[0..113] = 800c0001 80030081 …
Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Notification data has attribute list
Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Notify message version = 1
Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Offending payload type = 129
Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Offending payload data offset = 1
Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Error text = Incorrect pre-shared key (Reserved not 0)
Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Offending message id = 0x00000000
Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Received notify err = Payload malformed (16) to isakmp sa, delete it
…
Jun 13 10:37:07 ike_free_negotiation_info: Start, nego = 0
Jun 13 10:37:07 ike_free_negotiation: Start, nego = 0
Jun 13 10:37:07 ike_retransmit_callback: Start, retransmit SA = { 17ef27d0 508bc5db - 00000000 00000000}, nego = -1
Jun 13 10:37:07 ike_send_packet: Start, retransmit previous packet SA = { 17ef27d0 508bc5db - 00000000 00000000}, nego = -1, src = 172.168.100.2:500, dst = 192.168.103.3:500, routing table id = 0
…
Jun 13 10:37:17 ike_free_negotiation_info: Start, nego = 0
Jun 13 10:37:17 ike_free_negotiation: Start, nego = 0
Jun 13 10:37:19 ike_get_sa: Start, SA = { 4326380f a67dbcf3 - 00000000 00000000 } / 00000000, remote = 192.168.103.2:500
Jun 13 10:37:19 ike_sa_allocate: Start, SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d }
Jun 13 10:37:19 ike_init_isakmp_sa: Start, remote = 192.168.103.2:500, initiator = 0
Jun 13 10:37:19 ike_decode_packet: Start
Jun 13 10:37:19 ike_decode_packet: Start, SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d} / 00000000, nego = -1
Jun 13 10:37:19 ike_decode_payload_sa: Start
Jun 13 10:37:19 ike_decode_payload_t: Start, # trans = 2
Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 …
Jun 13 10:37:19 ike_st_i_vid: VID[0..28] = 69936922 8741c6d4 …
Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = 27bab5dc 01ea0760 …
Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = 6105c422 e76847e4 …
Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd …
Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = cd604643 35df21f8 …
Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e …
Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f …
Jun 13 10:37:19 ike_st_i_sa_proposal: Start
Jun 13 10:37:19 ike_isakmp_sa_reply: Start
Jun 13 10:37:19 ike_st_i_cr: Start
Jun 13 10:37:19 ike_st_i_cert: Start
Jun 13 10:37:19 ike_st_i_private: Start
Jun 13 10:37:19 ike_st_o_sa_values: Start
Jun 13 10:37:19 172.168.100.2:500 (Responder) -> 192.168.103.2:500 { 4326380f a67dbcf3 - a8307123 9c0e1f9d [-1] / 0x00000000 } IP; Error = No proposal chosen (14)
Jun 13 10:37:19 ike_alloc_negotiation: Start, SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d}
Jun 13 10:37:19 ike_encode_packet: Start, SA = { 0x4326380f a67dbcf3 - a8307123 9c0e1f9d } / 1a8c665d, nego = 0
Jun 13 10:37:19 ike_send_packet: Start, send SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d}, nego = 0, src = 172.168.100.2:500, dst = 192.168.103.2:500, routing table id = 0
Jun 13 10:37:19 ike_delete_negotiation: Start, SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d}, nego = 0

You are asked to set up an IPsec tunnel to the destination 192.168.103.2. After applying the configuration, you notice in the show security ike security-associations output that the destination stays in a down state. What is causing the problem?

A.
The IKE policy does not match.

B.
The gateway is incorrect.

C.
The proposal does not match.

D.
The preshared key is incorrect.


