To display messages about IKE events, use the debug crypto
isakmp command in privileged EXEC mode. To disable debugging output,
use the no form of this command.
Cisco IOS software can generate many useful system error messages for
ISAKMP. Two examples of error messages are shown below:

%CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from
%15i if SA is not authenticated!

The ISAKMP security association with the remote peer was not
authenticated, yet the peer attempted to begin a Quick Mode exchange. This
exchange must only be done with an authenticated security association. The
recommended action is to contact the administrator of the remote peer to
resolve the improper configuration.

%CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with
attribute [chars] not offered or changed

ISAKMP peers negotiate policy by the initiator offering a list of possible
alternate protection suites. The responder responded with an ISAKMP policy
that the initiator did not offer. The recommended action is to contact the
administrator of the remote peer to resolve the improper configuration.
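
A log-triage sketch for the two messages above, added here as an example (it is not Cisco code or part of the original course text): it pulls the offending peer out of each message so the administrator to contact can be identified. The log lines, timestamps, addresses and the attribute value "hash" are constructed samples, and the space padding of %15i is an assumption.

```python
import re
from collections import defaultdict

IP = r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3})"
# Built from the two templates quoted above. %15i becomes the peer address
# (assumed to be possibly space-padded, hence \s+); [chars] becomes a string.
PATTERNS = {
    "IKMP_SA_NOT_AUTH": re.compile(
        r"%CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from\s+"
        + IP + r"\s+if SA is not authenticated"),
    "IKMP_SA_NOT_OFFERED": re.compile(
        r"%CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer\s+" + IP
        + r"\s+responded with attribute (?P<attr>.+?) not offered or changed"),
}
MEANING = {
    "IKMP_SA_NOT_AUTH": "Quick Mode attempted before the ISAKMP SA was authenticated",
    "IKMP_SA_NOT_OFFERED": "responder returned a policy attribute that was not offered",
}

def triage(lines):
    """Return {peer: {mnemonic: {"count": int, "attrs": set}}}."""
    report = defaultdict(dict)
    for line in lines:
        for mnemonic, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m is None:
                continue
            entry = report[m["peer"]].setdefault(
                mnemonic, {"count": 0, "attrs": set()})
            entry["count"] += 1
            if "attr" in m.groupdict():  # only NOT_OFFERED names an attribute
                entry["attrs"].add(m["attr"])
    return dict(report)

# Constructed sample log; addresses come from the documentation ranges.
SAMPLE = [
    "*Mar  1 00:05:12.123: %CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick "
    "Mode exchange from 192.0.2.10 if SA is not authenticated!",
    "*Mar  1 00:05:14.456: %CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick "
    "Mode exchange from      192.0.2.10 if SA is not authenticated!",
    "*Mar  1 00:07:01.002: %CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer "
    "198.51.100.7 responded with attribute hash not offered or changed",
    "*Mar  1 00:07:30.000: %LINK-3-UPDOWN: Interface FastEthernet0/0, "
    "changed state to up",
]

if __name__ == "__main__":
    for peer, events in sorted(triage(SAMPLE).items()):
        for mnemonic, info in events.items():
            attrs = ", ".join(sorted(info["attrs"])) or "-"
            print(f"{peer}: {info['count']}x {mnemonic} "
                  f"({MEANING[mnemonic]}; attribute: {attrs})")
```
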

Lab Exercise: Configure IOS IPSec using Pre-shared Keys
In this lab, students
will prepare to configure Virtual Private Network (VPN) support. Students will
learn to configure Internet Key Exchange (IKE) phase one. Students will also
configure IKE parameters and verify IKE and IP Security (IPSec). Students will
then configure the IPSec parameters. Finally, students will test and verify the
IPSec configuration.