<< Prev Question Next Question >>
Question 9/36
-- Exhibit --
user@host> show log ike-test
...
Jun 13 10:36:52 ike_st_i_cr: Start
Jun 13 10:36:52 ike_st_i_cert: Start
Jun 13 10:36:52 ike_st_i_private: Start
Jun 13 10:36:52 ike_st_o_iD. Start
Jun 13 10:36:52 ike_st_o_hash: Start
Jun 13 10:36:52 ike_find_pre_shared_key: Find pre shared key key for 172.168.100.2:500, id = ipv4 (udp:500,[0..3]=172.168.100.2) -> 192.168.101.2:500, id = No Id Jun 13 10:36:52 ike_policy_reply_find_pre_shared_key: Start Jun 13 10:36:52 ike_calc_maC. Start, initiator = true, local = true
Jun 13 10:36:52 ike_st_o_status_n: Start
Jun 13 10:36:52 ike_st_o_private: Start
Jun 13 10:36:52 ike_policy_reply_private_payload_out: Start
Jun 13 10:36:52 ike_st_o_encrypt: Marking encryption for packet
Jun 13 10:36:52 ike_encode_packet: Start, SA = { 0x86b8160b 93a10c7c - c6c3a771 f0475656 } /
00000000, nego = -1
Jun 13 10:36:52 ike_send_packet: Start, send SA = { 86b8160b 93a10c7c - c6c3a771 f0475656}, nego = -
1, src = 172.168.100.2:500, dst = 192.168.101.2:500, routing table id = 0 Jun 13 10:36:52 ike_get_sA. Start, SA = { 86b8160b 93a10c7c - c6c3a771 f0475656 } / 4cb03305, remote
= 192.168.101.2:500
Jun 13 10:36:52 ike_sa_finD. Found SA = { 86b8160b 93a10c7c - c6c3a771 f0475656 } Jun 13 10:36:52 ike_alloc_negotiation: Start, SA = { 86b8160b 93a10c7c - c6c3a771 f0475656} Jun 13 10:36:52 ike_decode_packet: Start Jun 13 10:36:52 ike_decode_packet: Start, SA = { 86b8160b 93a10c7c - c6c3a771 f0475656} / 4cb03305, nego = 0 Jun 13 10:36:52 ike_st_i_n: Start, doi = 1, protocol = 1, code = Payload malformed (16), spi[0..16]
86b8160b 93a10c7c ..., data[0..113] = 800c0001 80030081 ...
Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Notification data has attribute list Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Notify message version = 1 Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Offending payload type = 129 Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Offending payload data offset = 1 Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Error text = Incorrect pre-shared key (Reserved not 0) Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Offending message id = 0x00000000 Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Received notify err = Payload malformed (16) to isakmp sa, delete it
...
Jun 13 10:37:07 ike_free_negotiation_info: Start, nego = 0
Jun 13 10:37:07 ike_free_negotiation: Start, nego = 0
Jun 13 10:37:07 ike_retransmit_callback: Start, retransmit SA = { 17ef27d0 508bc5db - 00000000
00000000}, nego = -1
Jun 13 10:37:07 ike_send_packet: Start, retransmit previous packet SA = { 17ef27d0 508bc5db -
00000000 00000000}, nego = -1, src = 172.168.100.2:500, dst = 192.168.103.3:500, routing table id = 0
...
Jun 13 10:37:17 ike_free_negotiation_info: Start, nego = 0
Jun 13 10:37:17 ike_free_negotiation: Start, nego = 0
Jun 13 10:37:19 ike_get_sA. Start, SA = { 4326380f a67dbcf3 - 00000000 00000000 } / 00000000, remote
= 192.168.103.2:500
Jun 13 10:37:19 ike_sa_allocate: Start, SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d } Jun 13 10:37:19 ike_init_isakmp_sA. Start, remote = 192.168.103.2:500, initiator = 0 Jun 13 10:37:19 ike_decode_packet: Start Jun 13 10:37:19 ike_decode_packet: Start, SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d} / 00000000, nego = -1 Jun 13 10:37:19 ike_decode_payload_sA. Start Jun 13 10:37:19 ike_decode_payload_t: Start, # trans = 2
Jun 13 10:37:19 ike_st_i_viD. VID[0..16] = afcad713 68a1f1c9 ...
Jun 13 10:37:19 ike_st_i_viD. VID[0..28] = 69936922 8741c6d4 ...
Jun 13 10:37:19 ike_st_i_viD. VID[0..16] = 27bab5dc 01ea0760 ...
Jun 13 10:37:19 ike_st_i_viD. VID[0..16] = 6105c422 e76847e4 ...
Jun 13 10:37:19 ike_st_i_viD. VID[0..16] = 4485152d 18b6bbcd ...
Jun 13 10:37:19 ike_st_i_viD. VID[0..16] = cd604643 35df21f8 ...
Jun 13 10:37:19 ike_st_i_viD. VID[0..16] = 90cb8091 3ebb696e ...
Jun 13 10:37:19 ike_st_i_viD. VID[0..16] = 7d9419a6 5310ca6f ...
Jun 13 10:37:19 ike_st_i_sa_proposal: Start
Jun 13 10:37:19 ike_isakmp_sa_reply: Start
Jun 13 10:37:19 ike_st_i_cr: Start
Jun 13 10:37:19 ike_st_i_cert: Start
Jun 13 10:37:19 ike_st_i_private: Start
Jun 13 10:37:19 ike_st_o_sa_values: Start
Jun 13 10:37:19 172.168.100.2:500 (Responder) -> 192.168.103.2:500 { 4326380f a67dbcf3 - a8307123
9c0e1f9d [-1] / 0x00000000 } IP; Error = No proposal chosen (14)
Jun 13 10:37:19 ike_alloc_negotiation: Start, SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d} Jun 13 10:37:19 ike_encode_packet: Start, SA = { 0x4326380f a67dbcf3 - a8307123 9c0e1f9d } /
1a8c665d, nego = 0
Jun 13 10:37:19 ike_send_packet: Start, send SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d}, nego = 0, src = 172.168.100.2:500, dst = 192.168.103.2:500, routing table id = 0 Jun 13 10:37:19 ike_delete_negotiation: Start, SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d}, nego = 0
-- Exhibit --
Click the Exhibit button.
You are asked to set up an IPsec tunnel to the destination 192.168.103.2. After applying the configuration, you notice in the show security ike security-associations output that the destination stays in a down state.
Referring to exhibit, what is causing the problem?
user@host> show log ike-test
...
Jun 13 10:36:52 ike_st_i_cr: Start
Jun 13 10:36:52 ike_st_i_cert: Start
Jun 13 10:36:52 ike_st_i_private: Start
Jun 13 10:36:52 ike_st_o_iD. Start
Jun 13 10:36:52 ike_st_o_hash: Start
Jun 13 10:36:52 ike_find_pre_shared_key: Find pre shared key key for 172.168.100.2:500, id = ipv4 (udp:500,[0..3]=172.168.100.2) -> 192.168.101.2:500, id = No Id Jun 13 10:36:52 ike_policy_reply_find_pre_shared_key: Start Jun 13 10:36:52 ike_calc_maC. Start, initiator = true, local = true
Jun 13 10:36:52 ike_st_o_status_n: Start
Jun 13 10:36:52 ike_st_o_private: Start
Jun 13 10:36:52 ike_policy_reply_private_payload_out: Start
Jun 13 10:36:52 ike_st_o_encrypt: Marking encryption for packet
Jun 13 10:36:52 ike_encode_packet: Start, SA = { 0x86b8160b 93a10c7c - c6c3a771 f0475656 } /
00000000, nego = -1
Jun 13 10:36:52 ike_send_packet: Start, send SA = { 86b8160b 93a10c7c - c6c3a771 f0475656}, nego = -
1, src = 172.168.100.2:500, dst = 192.168.101.2:500, routing table id = 0 Jun 13 10:36:52 ike_get_sA. Start, SA = { 86b8160b 93a10c7c - c6c3a771 f0475656 } / 4cb03305, remote
= 192.168.101.2:500
Jun 13 10:36:52 ike_sa_finD. Found SA = { 86b8160b 93a10c7c - c6c3a771 f0475656 } Jun 13 10:36:52 ike_alloc_negotiation: Start, SA = { 86b8160b 93a10c7c - c6c3a771 f0475656} Jun 13 10:36:52 ike_decode_packet: Start Jun 13 10:36:52 ike_decode_packet: Start, SA = { 86b8160b 93a10c7c - c6c3a771 f0475656} / 4cb03305, nego = 0 Jun 13 10:36:52 ike_st_i_n: Start, doi = 1, protocol = 1, code = Payload malformed (16), spi[0..16]
86b8160b 93a10c7c ..., data[0..113] = 800c0001 80030081 ...
Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Notification data has attribute list Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Notify message version = 1 Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Offending payload type = 129 Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Offending payload data offset = 1 Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Error text = Incorrect pre-shared key (Reserved not 0) Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Offending message id = 0x00000000 Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Received notify err = Payload malformed (16) to isakmp sa, delete it
...
Jun 13 10:37:07 ike_free_negotiation_info: Start, nego = 0
Jun 13 10:37:07 ike_free_negotiation: Start, nego = 0
Jun 13 10:37:07 ike_retransmit_callback: Start, retransmit SA = { 17ef27d0 508bc5db - 00000000
00000000}, nego = -1
Jun 13 10:37:07 ike_send_packet: Start, retransmit previous packet SA = { 17ef27d0 508bc5db -
00000000 00000000}, nego = -1, src = 172.168.100.2:500, dst = 192.168.103.3:500, routing table id = 0
...
Jun 13 10:37:17 ike_free_negotiation_info: Start, nego = 0
Jun 13 10:37:17 ike_free_negotiation: Start, nego = 0
Jun 13 10:37:19 ike_get_sA. Start, SA = { 4326380f a67dbcf3 - 00000000 00000000 } / 00000000, remote
= 192.168.103.2:500
Jun 13 10:37:19 ike_sa_allocate: Start, SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d } Jun 13 10:37:19 ike_init_isakmp_sA. Start, remote = 192.168.103.2:500, initiator = 0 Jun 13 10:37:19 ike_decode_packet: Start Jun 13 10:37:19 ike_decode_packet: Start, SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d} / 00000000, nego = -1 Jun 13 10:37:19 ike_decode_payload_sA. Start Jun 13 10:37:19 ike_decode_payload_t: Start, # trans = 2
Jun 13 10:37:19 ike_st_i_viD. VID[0..16] = afcad713 68a1f1c9 ...
Jun 13 10:37:19 ike_st_i_viD. VID[0..28] = 69936922 8741c6d4 ...
Jun 13 10:37:19 ike_st_i_viD. VID[0..16] = 27bab5dc 01ea0760 ...
Jun 13 10:37:19 ike_st_i_viD. VID[0..16] = 6105c422 e76847e4 ...
Jun 13 10:37:19 ike_st_i_viD. VID[0..16] = 4485152d 18b6bbcd ...
Jun 13 10:37:19 ike_st_i_viD. VID[0..16] = cd604643 35df21f8 ...
Jun 13 10:37:19 ike_st_i_viD. VID[0..16] = 90cb8091 3ebb696e ...
Jun 13 10:37:19 ike_st_i_viD. VID[0..16] = 7d9419a6 5310ca6f ...
Jun 13 10:37:19 ike_st_i_sa_proposal: Start
Jun 13 10:37:19 ike_isakmp_sa_reply: Start
Jun 13 10:37:19 ike_st_i_cr: Start
Jun 13 10:37:19 ike_st_i_cert: Start
Jun 13 10:37:19 ike_st_i_private: Start
Jun 13 10:37:19 ike_st_o_sa_values: Start
Jun 13 10:37:19 172.168.100.2:500 (Responder) -> 192.168.103.2:500 { 4326380f a67dbcf3 - a8307123
9c0e1f9d [-1] / 0x00000000 } IP; Error = No proposal chosen (14)
Jun 13 10:37:19 ike_alloc_negotiation: Start, SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d} Jun 13 10:37:19 ike_encode_packet: Start, SA = { 0x4326380f a67dbcf3 - a8307123 9c0e1f9d } /
1a8c665d, nego = 0
Jun 13 10:37:19 ike_send_packet: Start, send SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d}, nego = 0, src = 172.168.100.2:500, dst = 192.168.103.2:500, routing table id = 0 Jun 13 10:37:19 ike_delete_negotiation: Start, SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d}, nego = 0
-- Exhibit --
Click the Exhibit button.
You are asked to set up an IPsec tunnel to the destination 192.168.103.2. After applying the configuration, you notice in the show security ike security-associations output that the destination stays in a down state.
Referring to exhibit, what is causing the problem?
