user@host> show log ike-test
…
Jun 13 10:36:52 ike_st_i_cr: Start
Jun 13 10:36:52 ike_st_i_cert: Start
Jun 13 10:36:52 ike_st_i_private: Start
Jun 13 10:36:52 ike_st_o_id: Start
Jun 13 10:36:52 ike_st_o_hash: Start
Jun 13 10:36:52 ike_find_pre_shared_key: Find pre shared key key for 172.168.100.2:500, id = ipv4(udp:500,[0..3]=172.168.100.2) -> 192.168.101.2:500, id = No Id
Jun 13 10:36:52 ike_policy_reply_find_pre_shared_key: Start
Jun 13 10:36:52 ike_calc_mac: Start, initiator = true, local = true
Jun 13 10:36:52 ike_st_o_status_n: Start
Jun 13 10:36:52 ike_st_o_private: Start
Jun 13 10:36:52 ike_policy_reply_private_payload_out: Start
Jun 13 10:36:52 ike_st_o_encrypt: Marking encryption for packet
Jun 13 10:36:52 ike_encode_packet: Start, SA = { 0x86b8160b 93a10c7c - c6c3a771 f0475656 } / 00000000, nego = -1
Jun 13 10:36:52 ike_send_packet: Start, send SA = { 86b8160b 93a10c7c - c6c3a771 f0475656}, nego = -1, src = 172.168.100.2:500, dst = 192.168.101.2:500, routing table id = 0
Jun 13 10:36:52 ike_get_sa: Start, SA = { 86b8160b 93a10c7c - c6c3a771 f0475656 } / 4cb03305, remote = 192.168.101.2:500
Jun 13 10:36:52 ike_sa_find: Found SA = { 86b8160b 93a10c7c - c6c3a771 f0475656 }
Jun 13 10:36:52 ike_alloc_negotiation: Start, SA = { 86b8160b 93a10c7c - c6c3a771 f0475656}
Jun 13 10:36:52 ike_decode_packet: Start
Jun 13 10:36:52 ike_decode_packet: Start, SA = { 86b8160b 93a10c7c - c6c3a771 f0475656} / 4cb03305, nego = 0
Jun 13 10:36:52 ike_st_i_n: Start, doi = 1, protocol = 1, code = Payload malformed (16), spi[0..16] = 86b8160b 93a10c7c …, data[0..113] = 800c0001 80030081 …
Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Notification data has attribute list
Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Notify message version = 1
Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Offending payload type = 129
Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Offending payload data offset = 1
Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Error text = Incorrect pre-shared key (Reserved not 0)
Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Offending message id = 0x00000000
Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Received notify err = Payload malformed (16) to isakmp sa, delete it
…
Jun 13 10:37:07 ike_free_negotiation_info: Start, nego = 0
Jun 13 10:37:07 ike_free_negotiation: Start, nego = 0
Jun 13 10:37:07 ike_retransmit_callback: Start, retransmit SA = { 17ef27d0 508bc5db - 00000000 00000000}, nego = -1
Jun 13 10:37:07 ike_send_packet: Start, retransmit previous packet SA = { 17ef27d0 508bc5db - 00000000 00000000}, nego = -1, src = 172.168.100.2:500, dst = 192.168.103.3:500, routing table id = 0
…
Jun 13 10:37:17 ike_free_negotiation_info: Start, nego = 0
Jun 13 10:37:17 ike_free_negotiation: Start, nego = 0
Jun 13 10:37:19 ike_get_sa: Start, SA = { 4326380f a67dbcf3 - 00000000 00000000 } / 00000000, remote = 192.168.103.2:500
Jun 13 10:37:19 ike_sa_allocate: Start, SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d }
Jun 13 10:37:19 ike_init_isakmp_sa: Start, remote = 192.168.103.2:500, initiator = 0
Jun 13 10:37:19 ike_decode_packet: Start
Jun 13 10:37:19 ike_decode_packet: Start, SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d} / 00000000, nego = -1
Jun 13 10:37:19 ike_decode_payload_sa: Start
Jun 13 10:37:19 ike_decode_payload_t: Start, # trans = 2
Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 …
Jun 13 10:37:19 ike_st_i_vid: VID[0..28] = 69936922 8741c6d4 …
Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = 27bab5dc 01ea0760 …
Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = 6105c422 e76847e4 …
Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd …
Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = cd604643 35df21f8 …
Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e …
Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f …
Jun 13 10:37:19 ike_st_i_sa_proposal: Start
Jun 13 10:37:19 ike_isakmp_sa_reply: Start
Jun 13 10:37:19 ike_st_i_cr: Start
Jun 13 10:37:19 ike_st_i_cert: Start
Jun 13 10:37:19 ike_st_i_private: Start
Jun 13 10:37:19 ike_st_o_sa_values: Start
Jun 13 10:37:19 172.168.100.2:500 (Responder) -> 192.168.103.2:500 { 4326380f a67dbcf3 - a8307123 9c0e1f9d [-1] / 0x00000000 } IP; Error = No proposal chosen (14)
Jun 13 10:37:19 ike_alloc_negotiation: Start, SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d}
Jun 13 10:37:19 ike_encode_packet: Start, SA = { 0x4326380f a67dbcf3 - a8307123 9c0e1f9d } / 1a8c665d, nego = 0
Jun 13 10:37:19 ike_send_packet: Start, send SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d}, nego = 0, src = 172.168.100.2:500, dst = 192.168.103.2:500, routing table id = 0
Jun 13 10:37:19 ike_delete_negotiation: Start, SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d}, nego = 0

You are asked to set up an IPsec tunnel to the destination 192.168.103.2. After applying the configuration, you notice in the show security ike security-associations output that the destination stays in a down state. What is causing the problem?
A.
The IKE policy does not match.
B.
The gateway is incorrect.
C.
The proposal does not match.
D.
The preshared key is incorrect.