Cisco - Cisco Secure VPN Client: Troubleshooting with View Log
Cisco Secure VPN Client: Troubleshooting with View Log

Document ID: 14127

Table of Contents

Introduction
Before You Begin
  Conventions
  Prerequisites
  Components Used
View Log Message Format
Troubleshooting with the View Log
  Successful IKE Establishment
  Failed IKE Establishment
IKE Message Table
How IKE Works
IKE Example
Related Information

Introduction

This document describes the Cisco Secure VPN Client View Log messages and explains how to use them to troubleshoot problems with establishing IPSec communications. The user must enable the View Log before logging occurs. Log files can be saved to disk for later analysis.

Before You Begin

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

Prerequisites

There are no specific prerequisites for this document.

Components Used

The information in this document is based on the software and hardware versions below:

  Cisco Secure VPN Client 1.1

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.

View Log Message Format

Two types of messages can appear in the View Log: error messages and Internet Key Exchange (IKE) messages. Error messages are defined in the Cisco Secure VPN Client View Log error message table. The format of an IKE message is shown by the following typical View Log entry:

  01:38:02.570 Balt Corporate Access - SENDING>>>> ISAKMP OAK MM (SA)

  Field               Definition                                                          Example
  Time                Time the message is written to the log.                             01:38:02.570
  Connection          Policy Editor Connection name associated with the IKE activity.     Balt Corporate Access
  Transmit Direction  Direction of the IKE message: Sending or Receiving.                 SENDING>>>>
  IKE message         Type of Internet Security Association and Key Management Protocol   ISAKMP OAK MM (SA)
                      (ISAKMP) message being processed. IKE messages are defined in the
                      Cisco Secure VPN Client View Log IKE Message table.

Troubleshooting with the View Log

The following tables list different scenarios and the accompanying debug messages. Refer to this information when interpreting the View Log file, and use it in conjunction with the Cisco Secure VPN Client View Log IKE Message table.

Successful IKE Establishment

If IKE establishment is successful, a key is displayed in the Cisco Secure VPN Client icon located on the Taskbar at the bottom of your screen.

Problem:     Successful Security Association (SA) established
Symptoms:    Key is displayed in the Cisco Secure VPN Client icon
Description: Successful main mode negotiation (pre-share)
Debug messages:

  Pre-share - Initiating IKE Phase 1 (IP ADDR=<IPSec peer>)
  Pre-share - SENDING>>>> ISAKMP OAK MM (SA)
  Pre-share - RECEIVED<<< ISAKMP OAK MM (SA)
  Pre-share - SENDING>>>> ISAKMP OAK MM (KE, NON, VID)
  Pre-share - RECEIVED<<< ISAKMP OAK MM (KE, NON)
  Pre-share - SENDING>>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
  Pre-share - RECEIVED<<< ISAKMP OAK MM *(ID, HASH)
  Pre-share - Established IKE SA
     MY COOKIE  1f f5 e4 .. 84 30 .. 5c
     HIS COOKIE 4c af 1f 2c 20 16 d0 ec
  Pre-share - Initiating IKE Phase 2 with Client IDs (message id: 61965C8D)
     Initiator = IP ADDR=<your address>, prot = 0 port = 0
     Responder = IP ADDR=<IPSec peer>, prot = 0 port = 0
  Pre-share - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
  Pre-share - RECEIVED<<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME)
  Pre-share - SENDING>>>> ISAKMP OAK QM *(HASH)
  Pre-share - RECEIVED<<< ISAKMP OAK QM *(HASH, NOTIFY:NOTIFY_CONNECTED)
  Pre-share - Loading IPSec SA (Message ID = 61965C8D OUTBOUND SPI = 405... INBOUND SPI = 493B30CC)

Problem:     Successful SA established
Symptoms:    Key is displayed in the Cisco Secure VPN Client icon
Description: Successful aggressive mode negotiation (pre-share)
Debug messages:

  Pre-share - Initiating IKE Phase 1 (IP ADDR=<IPSec peer>)
  Pre-share - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID)
  Pre-share - RECEIVED<<< ISAKMP OAK AG (SA, KE, NON, ID, HASH)
  Pre-share - SENDING>>>> ISAKMP OAK AG *(HASH, VID)
  Pre-share - Established IKE SA
     MY COOKIE  73 9c 76 19 4f 5e 35 c8
     HIS COOKIE e9 94 9c 82 64 b2 fa 44
  Pre-share - Initiating IKE Phase 2 with Client IDs (message id: 99F08C75)
     Initiator = IP ADDR=<your address>, prot = 0 port = 0
     Responder = IP ADDR=<IPSec peer>, prot = 0 port = 0
  Pre-share - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
  Pre-share - RECEIVED<<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME)
  Pre-share - SENDING>>>> ISAKMP OAK QM *(HASH)
  Pre-share - RECEIVED<<< ISAKMP OAK QM *(HASH, NOTIFY:NOTIFY_CONNECTED)
  Pre-share - Loading IPSec SA (Message ID = 99F08C75 OUTBOUND SPI = 189... INBOUND SPI = BA78A2CD)

Failed IKE Establishment

If IKE establishment fails, the key is not displayed in the Cisco Secure VPN Client icon located on the Taskbar at the bottom of your screen.

Problem:     Remote peer not responding
Symptoms:    IPSec peer not responding to the SA request
Description: Remote peer unreachable or not responding. Verify that IP connectivity exists to the local router and then to the IPSec peer. The VPN Client was configured for three retransmissions to establish the SA.
Debug messages:

  Demo - Initiating IKE Phase 1 (IP ADDR=<IPSec peer>)
  Demo - SENDING>>>> ISAKMP OAK MM (SA)
  Demo - message not received! Retransmitting!
  Demo - SENDING>>>> ISAKMP OAK MM (Retransmission)
  Demo - message not received! Retransmitting!
  Demo - SENDING>>>> ISAKMP OAK MM (Retransmission)
  Demo - message not received! Retransmitting!
  Demo - Exceeded 3 IKE SA negotiation attempts

Problem:     Failed Quick Mode (QM) negotiation
Symptoms:    The IKE SA is established, but every QM proposal is answered with NO_PROPOSAL_CHOSEN
Description: Improper IPSec peer configuration. The Phase 1 (ISAKMP) parameters matched, but the Phase 2 (IPSec) parameters on the two peers do not.
Debug messages:

  Demo - Initiating IKE Phase 1 (IP ADDR=<IPSec peer>)
  Demo - SENDING>>>> ISAKMP OAK MM (SA)
  Demo - RECEIVED<<< ISAKMP OAK MM (SA)
  Demo - SENDING>>>> ISAKMP OAK MM (KE, NON, VID)
  Demo - RECEIVED<<< ISAKMP OAK MM (KE, NON, VID)
  Demo - SENDING>>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
  Demo - RECEIVED<<< ISAKMP OAK MM *(ID, HASH)
  Demo - Established IKE SA
     MY COOKIE  1f f5 e4 .. 84 30 .. 5c
     HIS COOKIE 4c af 1f 2c 20 16 d0 ec
  Demo - Initiating IKE Phase 2 with Client IDs (message id: 61965C8D)
     Initiator = IP ADDR=<your address>, prot = 0 port = 0
     Responder = IP ADDR=<IPSec peer>, prot = 0 port = 0
  Demo - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
  Demo - RECEIVED<<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
  Demo - Received NO_PROPOSAL_CHOSEN message
  Demo - SENDING>>>> ISAKMP OAK QM (Retransmission)
  Demo - RECEIVED<<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
  Demo - Received NO_PROPOSAL_CHOSEN message
  Demo - SENDING>>>> ISAKMP OAK QM (Retransmission)
  Demo - RECEIVED<<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
  Demo - Received NO_PROPOSAL_CHOSEN message
  Demo - SENDING>>>> ISAKMP OAK QM (Retransmission)
  Demo - RECEIVED<<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
  Demo - Received NO_PROPOSAL_CHOSEN message
  Demo - Exceeded retry attempts, deleting IPSec
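The following Python script is an added example; it is not code from the Cisco document or from the VPN client. It parses View Log lines in the format this document describes (time, connection name, transmit direction, ISAKMP message) and labels the outcome using the scenarios in the troubleshooting tables: IPSec SA loaded, peer not responding after the retransmissions, or NO_PROPOSAL_CHOSEN after the IKE SA is established. The regular expression, the category names, the advice strings and the sample log text are assumptions made for this example; the addresses, message IDs and SPI values in the samples are constructed placeholders.

```python
"""Parse Cisco Secure VPN Client View Log lines and name the IKE outcome.

Added example, not code from the Cisco document or the client. The field
layout follows the View Log message format the document describes; the
scenario rules follow its troubleshooting tables. All log text is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# 01:38:02.570 Balt Corporate Access - SENDING>>>> ISAKMP OAK MM (SA)
# Status lines such as "Demo - Established IKE SA" carry no direction field.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<conn>.+?)\s+-\s+"
    r"(?:(?P<dir>SENDING>>>>|RECEIVED<<<)\s+)?"
    r"(?P<msg>.+)$"
)


@dataclass
class LogEntry:
    time: str
    connection: str           # Policy Editor connection name
    direction: Optional[str]  # "SENDING>>>>", "RECEIVED<<<" or None
    message: str              # ISAKMP message or client status text


def parse_line(line: str) -> Optional[LogEntry]:
    """One entry, or None for continuation lines (cookies, Initiator/Responder)."""
    m = LINE_RE.match(line.strip())
    return LogEntry(m["time"], m["conn"], m["dir"], m["msg"]) if m else None


def parse_log(text: str) -> List[LogEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def retransmissions(entries: List[LogEntry]) -> int:
    return sum(1 for e in entries if "(Retransmission)" in e.message)


def classify(entries: List[LogEntry]) -> str:
    """Map a log onto the document's scenarios. PHASE1_NO_PROPOSAL is the case
    "How IKE Works" describes for Main Mode; the document shows no log for it."""
    msgs = [e.message for e in entries]
    if any(m.startswith("Loading IPSec SA") for m in msgs):
        return "SUCCESS"                      # the key icon is displayed
    if any("NO_PROPOSAL_CHOSEN" in m for m in msgs):
        phase1_done = any(m.startswith("Established IKE SA") for m in msgs)
        return "QM_NO_PROPOSAL" if phase1_done else "PHASE1_NO_PROPOSAL"
    nothing_heard = not any(e.direction == "RECEIVED<<<" for e in entries)
    if nothing_heard and any(m.startswith("Exceeded") for m in msgs):
        return "PEER_NOT_RESPONDING"
    return "INCOMPLETE"


ADVICE = {  # wording follows the Description column of the troubleshooting tables
    "SUCCESS": "IPSec SA loaded.",
    "PEER_NOT_RESPONDING": "Remote peer unreachable or not responding: verify IP "
                           "connectivity to the local router and then to the IPSec peer.",
    "QM_NO_PROPOSAL": "IKE SA established but Quick Mode failed: verify the IPSec "
                      "(Phase 2) parameters on both peers.",
    "PHASE1_NO_PROPOSAL": "No Main Mode proposal accepted: verify the Phase 1 parameters.",
    "INCOMPLETE": "No terminal status seen; the log may be truncated.",
}

# Constructed samples in the document's format (RFC 5737 test addresses, dummy SPIs).
SUCCESS_LOG = """\
01:38:02.570 Pre-share - Initiating IKE Phase 1 (IP ADDR=192.0.2.1)
01:38:02.580 Pre-share - SENDING>>>> ISAKMP OAK MM (SA)
01:38:02.640 Pre-share - RECEIVED<<< ISAKMP OAK MM (SA)
01:38:02.800 Pre-share - SENDING>>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
01:38:02.860 Pre-share - RECEIVED<<< ISAKMP OAK MM *(ID, HASH)
01:38:02.870 Pre-share - Established IKE SA
   MY COOKIE  01 02 03 04 05 06 07 08
01:38:02.890 Pre-share - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
01:38:02.950 Pre-share - RECEIVED<<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME)
01:38:02.960 Pre-share - SENDING>>>> ISAKMP OAK QM *(HASH)
01:38:03.010 Pre-share - RECEIVED<<< ISAKMP OAK QM *(HASH, NOTIFY:NOTIFY_CONNECTED)
01:38:03.020 Pre-share - Loading IPSec SA (Message ID = 0A0B0C0D OUTBOUND SPI = 11111111 INBOUND SPI = 22222222)
"""
PEER_DOWN_LOG = """\
02:10:00.000 Demo - Initiating IKE Phase 1 (IP ADDR=192.0.2.2)
02:10:00.010 Demo - SENDING>>>> ISAKMP OAK MM (SA)
02:10:10.010 Demo - message not received! Retransmitting!
02:10:10.020 Demo - SENDING>>>> ISAKMP OAK MM (Retransmission)
02:10:20.020 Demo - message not received! Retransmitting!
02:10:20.030 Demo - SENDING>>>> ISAKMP OAK MM (Retransmission)
02:10:30.030 Demo - message not received! Retransmitting!
02:10:30.040 Demo - Exceeded 3 IKE SA negotiation attempts
"""
QM_FAIL_LOG = """\
03:00:00.000 Demo - Initiating IKE Phase 1 (IP ADDR=192.0.2.2)
03:00:00.010 Demo - SENDING>>>> ISAKMP OAK MM (SA)
03:00:00.070 Demo - RECEIVED<<< ISAKMP OAK MM (SA)
03:00:00.220 Demo - RECEIVED<<< ISAKMP OAK MM *(ID, HASH)
03:00:00.230 Demo - Established IKE SA
03:00:00.250 Demo - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
03:00:00.310 Demo - RECEIVED<<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
03:00:00.320 Demo - Received NO_PROPOSAL_CHOSEN message
03:00:10.320 Demo - SENDING>>>> ISAKMP OAK QM (Retransmission)
03:00:10.380 Demo - RECEIVED<<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
03:00:10.390 Demo - Received NO_PROPOSAL_CHOSEN message
"""
```

To use it on a saved View Log, read the file into a string, pass it through parse_log and classify, and print ADVICE[code]; a log that contains RECEIVED lines but still times out is deliberately left as INCOMPLETE, because the peer did answer and the document's "not responding" diagnosis does not apply.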
IKE Message Table

ISAKMP OAK MM (SA)
Security Association (SA) proposal list.
ISAKMP: Proposed parameters for securing the sensitive exchange messages. Each proposal has a setting for encryption algorithm, hash algorithm, and Diffie-Hellman group. The agreed upon settings protect the final messages of Main Mode (MM) and all of Quick Mode (QM). If the settings are not compatible, a NO PROPOSAL message is displayed.

ISAKMP OAK MM (KE, NON)
Diffie-Hellman exchange and nonce used as key material for securing sensitive exchange messages.
ISAKMP: Diffie-Hellman key exchange with nonce. Each party creates its key exchange value (KE) by raising the generator of the agreed upon Diffie-Hellman group to the power of a secret value known only to itself. Because each party knows its own secret exponent, it can take the KE received from the other party and raise that to its exponent; both parties arrive at the same shared secret. The nonce (NON), a random number used once, is combined with the shared secret when the session keys are derived, so the keys are unique to this exchange.

ISAKMP OAK MM (KE, NON, VID)
Diffie-Hellman exchange and nonce used as key material for securing sensitive messages, plus the product Vendor ID.
ISAKMP: Message containing a Diffie-Hellman key exchange value (KE), a nonce (NON), and a Vendor ID (VID) that tells the receiver the vendor of the transmitting party. This can be used to determine the transmitter's capabilities, to set parameter preferences, and to decide whether the connection should be established.

ISAKMP OAK MM *(ID, HASH)
Party's identity used for authentication, and a calculated hash as assurance of identification.
ISAKMP: Message containing the identity (ID) one party uses to identify itself to the other. This could be an IP address, domain name, e-mail address, or distinguished name. That identity must be accepted by the receiving party for a positive identification. The hash (HASH) is a keyed hash, computed with the hash algorithm agreed upon in the MM proposal exchange over the exchanged Diffie-Hellman values, the two cookies, the SA proposal and the ID payload, and keyed with material derived from the pre-shared key (or other authentication method). Only a party holding the correct credential can produce a matching value, which is what authenticates the peer. This message, one of the final MM messages, is protected (encrypted and hashed), as denoted by the asterisk (*).

ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
Proposed IPSec parameters for securing the IP data, and the two parties' identification and nonces, for an exchange without PFS.
IPSec: Message containing a hash of the message contents, a list of the proposed parameters to be used on the user's data (SA), each party's nonce (NON), and each party's ID. The parameters agreed upon are the IPSec protocol (Encapsulating Security Payload (ESP) or Authentication Header (AH)), the encryption algorithm (if ESP is used), the hash algorithm, and whether tunneling is to be performed. The hash algorithm and tunneling settings apply to either ESP or AH. As logged here the message carries no KE payload, so the exchange did not use Perfect Forward Secrecy (PFS): the parties derive the IPSec keys from the Phase 1 shared secret and the new nonces rather than from a fresh Diffie-Hellman exchange. This message is secured using the agreed upon ISAKMP parameters and key, as denoted by the asterisk (*).

ISAKMP OAK QM *(HASH)
Conclusion of the QM exchange: a hash over the message ID and the two nonces, keyed with the ISAKMP authentication key.
IPSec: Message used to finalize the entire exchange. It also provides verification, because only a party that completed Phase 1 and received the other side's nonce can compute it. Each party uses the Security Parameter Index (SPI) it exchanged in the SA payload to keep track of the parameters and keys to be used for the traffic it sends and receives; in the author's words, "I would tell you my SPI so when you transmit a protected message to me, I know how to handle the message properly, and vice versa." This message is secured using the agreed upon ISAKMP parameters and key, as denoted by the asterisk (*).

ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
Exchange has failed because the QM parameters were incompatible.
IPSec: Message sent when the list of proposed parameters had no settings in common with the receiver's configuration. The IPSec parameters on each party need to be verified. This message is secured using the agreed upon ISAKMP parameters and key, as denoted by the asterisk (*).

ISAKMP OAK QM (Retransmission)
A previously sent message is sent once more because no response was received in the configured amount of time.
IPSec: Message sent when a previous message was not responded to within the allotted time. This indicates that one of the parties may be unavailable to complete the exchange. The retransmission is a copy of the original message and carries the same ISAKMP protection.

How IKE Works

The following steps explain how IKE functions.

1. In Phase 1, identities and the parameters that protect Phase 2 are established. Device A sends a list of proposed parameters to protect the Phase 2 key exchange, together with the level of key strength (Diffie-Hellman group) it would like to use for Phase 1's key exchange.

2. Device B selects the proposal it prefers and sends its selection to Device A. If none of the proposals fits Device B's requirements, a NO PROPOSAL message is sent and the exchange ceases. The two parties need to be reconfigured to work.

3. If the exchange continues, Device A calculates a number a^x, where a is known by each device and x is a random number known only by Device A. The NON (nonce) is a random number sent alongside it and mixed into the key derivation so that the resulting keys are unique to this exchange.

4. Device B receives that message and performs a similar calculation with its own secret y, producing a^y. Each side raises the value it received to its own secret and obtains the same shared secret a^(xy).

5. Both sides exchange identification. Alternate Subject Fields can be used as the ID, for example IP address, e-mail address, and domain name. The ID field contains the information the party is using to identify itself; this could be any of the ID types, such as IP address, domain name, and so forth.

6. If either side fails to accept the other's ID, the exchange ceases and the two parties need to be reconfigured to work. If both sides have accepted the other's ID, Phase 1 is completed and Phase 2 begins.

7. Phase 2 combines some Phase 1 steps. A list of proposed parameters is sent from Device A, protected by the new key material established in Phase 1.

8. Phase 2 concludes with a HASH that confirms the exchange. Each party now holds the IDs and NONs of both devices and the Responder's (Device B in this case) SPI to use when sending packets.

IKE Example

Device A is the initiator (left), Device B the responder (right).

Phase 1 (Authentication)

  1.  MM (SA) --->                SA = Security Association proposals:
                                    DES, SHA-1, DHG1
                                    TDES, SHA-1, DHG2
                                    TDES, SHA-1, DHG
  2.  <--- MM (SA)                Device B's selection
  3.  MM (KE, NON) --->           Diffie-Hellman a^x, NON (nonce: random number used once)
  4.  <--- MM (KE, NON)           Diffie-Hellman a^y, NON
  5.  MM *(ID, HASH) --->         the identification of one party, and its HASH
  6.  <--- MM *(ID, HASH)

  ***** Phase 1 Completed *****

Phase 2: Key Exchange with Perfect Forward Secrecy (PFS)

  1.  QM *(HASH, SA, KE, NON, ID, ID) --->    SA = ESP DES SHA-1
                                               ESP TDES SHA-1
                                               AH MD5
                                             KE, NON
  2.  <--- QM *(HASH, SA, KE, NON, ID, ID)    SA = ESP TDES SHA-1; KE, NON
  3.  QM *(HASH) --->
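The Python program below is an added example, not code from the Cisco document or from the client; it plays the two devices of the IKE steps in miniature. It performs the Phase 1 Diffie-Hellman exchange with nonces, derives the ISAKMP keys, computes the keyed Main Mode HASH that authenticates the ID payload, and then derives Phase 2 IPSec key material twice: once without PFS (only Phase 1 material and new nonces, as in the QM *(HASH, SA, NON, ID, ID) messages logged in this document) and once with PFS (a fresh Quick Mode Diffie-Hellman exchange). The key-derivation formulas are those of RFC 2409 for pre-shared-key authentication with HMAC-SHA-1 as the prf. The Diffie-Hellman group is a toy prime chosen so the code runs instantly; it is not one of the IKE groups (DHG1, DHG2) and offers no security. Cookies, nonces, the pre-shared key, the SA body and the ID are constructed values.

```python
"""IKEv1 keying in miniature: Phase 1 DH plus nonces, the keyed MM HASH, and
Phase 2 key material with and without PFS.

Added example, not from the Cisco document. Derivations follow RFC 2409
(pre-shared-key authentication, HMAC-SHA-1 prf). The DH group is a toy prime:
it is not an IKE group and offers no security.
"""
import hashlib
import hmac
import secrets
from typing import Optional

P = 2**127 - 1   # toy modulus; IKE DHG1/DHG2 are 768-bit/1024-bit MODP primes
A = 3            # the document's "a": the public generator both devices know
PROTO_IPSEC_ESP = 3   # IPSec DOI protocol identifier carried in the QM SA payload


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC with the negotiated hash algorithm (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


class Device:
    """One IKE peer. Only self.x stays private; KE, NON and the cookie go on the wire."""

    def __init__(self, psk: bytes):
        self.psk = psk
        self.cookie = secrets.token_bytes(8)       # ISAKMP cookie (MY COOKIE in the log)
        self.nonce = secrets.token_bytes(16)       # NON payload: random, used once
        self.x = secrets.randbelow(P - 2) + 1      # secret exponent, never sent
        self.ke = pow(A, self.x, P)                # KE payload: a^x

    def phase1(self, peer_ke: int, ni: bytes, nr: bytes, cky_i: bytes, cky_r: bytes) -> None:
        g_xy = pow(peer_ke, self.x, P)             # (a^y)^x == (a^x)^y: the shared secret
        self.skeyid = prf(self.psk, ni + nr)       # SKEYID = prf(psk, Ni | Nr)
        # SKEYID_d seeds every IPSec key; SKEYID_a authenticates later ISAKMP messages
        self.skeyid_d = prf(self.skeyid, i2b(g_xy) + cky_i + cky_r + b"\x00")
        self.skeyid_a = prf(self.skeyid, self.skeyid_d + i2b(g_xy) + cky_i + cky_r + b"\x01")

    def mm_hash(self, g_xi: int, g_xr: int, cky_i: bytes, cky_r: bytes,
                sa_body: bytes, id_body: bytes) -> bytes:
        """HASH_I of MM *(ID, HASH): keyed with SKEYID, so it proves knowledge of the PSK."""
        return prf(self.skeyid, i2b(g_xi) + i2b(g_xr) + cky_i + cky_r + sa_body + id_body)


def keymat(skeyid_d: bytes, spi: bytes, ni2: bytes, nr2: bytes,
           qm_g_xy: Optional[int] = None) -> bytes:
    """KEYMAT for one IPSec SA. Without PFS: prf(SKEYID_d, proto | SPI | Ni2 | Nr2).
    With PFS the fresh Quick Mode DH secret is prepended to that body."""
    body = bytes([PROTO_IPSEC_ESP]) + spi + ni2 + nr2
    if qm_g_xy is not None:
        body = i2b(qm_g_xy) + body
    return prf(skeyid_d, body)


def run_exchange(pfs: bool, psk_b: Optional[bytes] = None) -> dict:
    """Phase 1 then Phase 2 between Device A (initiator) and Device B (responder).
    psk_b lets the responder hold a different pre-shared key to show the failure."""
    psk_a = b"example-pre-shared-key"              # constructed
    a, b = Device(psk_a), Device(psk_b or psk_a)
    # Phase 1 messages 3 and 4: KE and NON cross; each side derives the same keys
    a.phase1(b.ke, a.nonce, b.nonce, a.cookie, b.cookie)
    b.phase1(a.ke, a.nonce, b.nonce, a.cookie, b.cookie)
    # Phase 1 message 5: A sends *(ID, HASH); B recomputes HASH_I with its own SKEYID
    sa_body, id_a = b"MM-SA-proposal", b"IPv4:192.0.2.1"   # constructed payload bodies
    hash_i = a.mm_hash(a.ke, b.ke, a.cookie, b.cookie, sa_body, id_a)
    expected = b.mm_hash(a.ke, b.ke, a.cookie, b.cookie, sa_body, id_a)
    authenticated = hmac.compare_digest(hash_i, expected)
    # Phase 2: new nonces, the responder's SPI, and with PFS a fresh DH exchange
    ni2, nr2, spi = secrets.token_bytes(16), secrets.token_bytes(16), secrets.token_bytes(4)
    qm_a = qm_b = None
    if pfs:
        xa, xb = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
        qm_a, qm_b = pow(pow(A, xb, P), xa, P), pow(pow(A, xa, P), xb, P)
    k_a = keymat(a.skeyid_d, spi, ni2, nr2, qm_a)
    k_b = keymat(b.skeyid_d, spi, ni2, nr2, qm_b)
    # Someone who later obtains the Phase 1 keys and the decrypted QM payloads can
    # rebuild a non-PFS KEYMAT; with PFS they would also need a QM private exponent.
    rebuilt = keymat(a.skeyid_d, spi, ni2, nr2)
    return {"authenticated": authenticated, "keys_agree": k_a == k_b,
            "rebuilt_from_phase1": rebuilt == k_a}
```

Running run_exchange(pfs=False) and run_exchange(pfs=True) shows the difference the document's PFS remark is about: both exchanges agree on keys, but only the non-PFS key material can be reconstructed from Phase 1 secrets alone. Passing a different psk_b makes HASH_I fail verification and the two sides' keys diverge, which is the point at which a real peer would abort Phase 1.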
Related Information

  IPSec Support Page
  Cisco VPN Client Support Page
  Cisco Secure VPN Client documentation
  Technical Support - Cisco Systems

All contents are Copyright © 1992-2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Updated: Sep 13, 2005    Document ID: 14127