IPsec over NAT traversal
Can anyone tell me what this does, please?
It allows IPsec to work through NAT?
How did your last post turn out?
Similar Messages
-
IPsec-manual, NAT-Traversal?
Is there a way in IOS to enable NAT-Traversal (ESP-UDP) for manually keyed IPsec tunnels?
Thus far, it looks to me like IKE is required for the NAT detection.
In Linux, I can manually create ESP-UDP SAs; I was hoping to be able to do the same in IOS.
It allows IPsec to work through NAT?
How did your last post turn out? -
L2TP over IPsec static NAT trouble
I have a 5510 that I have configured for L2TP over IPsec, not using AnyConnect. As of right now I have two open issues that I cannot figure out. The first, and most prevalent, being that VPN clients are unable to ping/access any of the hosts that are assigned a static NAT from the inside interface to the outside interface. I was able to circumvent this by adding another static NAT to the public interface for the incoming clients, but this caused intermittent connectivity issues with inside hosts.
The second issue involves DNS. I have configured two DNS servers, both of which reside on the internal network and are in the split_tunnel ACL for VPN clients, but no clients are using this DNS. What is the workaround for using split tunneling AND internal DNS servers, if any?
I'm looking for any help someone might be able to give, as I've had two different CCNAs look at this numerous times to no avail. The config is below.
To sum up, and put this in perspective, I need to be able to do the following...
VPN CLIENT (10.1.50.x) -> splitTunnel -> int G0/2 (COMCAST_PUBLIC) -> int G0/3(outside)(10.1.4.x) -> STATIC NAT from G0/0(inside)(10.103.x.x) -> NAT (10.1.4.x)
A ping from a VPN client to any internal host works fine, unless it is one that is NAT'd. You can see in the config where I added the extra static NAT to try and fix the issue. And this works perfectly across the tunnel, but only intermittently from the internal 10.1.4.x network.
As well as any help with DNS. Please advise, thank you.
-tony
: Saved
ASA Version 8.2(1)
hostname fw-01
enable password HOB2xUbkoBliqazl encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.103.6.0 K2CONT description K2 Control Network
name 10.103.5.0 K2FTP description K2 FTP Network
name 10.103.1.0 NET description Internal Network Core Subnet
name 10.1.4.0 WBND description WBND Business Network
name 178.3.200.173 WCIU-INEWS0 description WCIU iNEWS Server
name 178.3.200.174 WCIU-INEWS1 description WCIU iNEWS Server
name 10.103.2.50 ENG-PC description Engineering PC
name 10.103.2.56 NAV-PC description Navigator PC
name 10.103.2.77 PF-SVR-01 description Pathfire Server 01
name 69.55.236.230 RTISVR description "Rootlike Technologies, Inc. Server"
name 69.55.236.228 RTISVR1 description "Rootlike Technologies, Inc. Server"
name 10.103.2.0 GEN-NET description General Broadcast Network
name 10.103.4.0 INEWS-NET description INEWS Network
name 10.103.4.84 INEWS0 description WBND iNEWS Server 0
name 10.103.4.85 INEWS1 description WBND iNEWS Server 1
name 10.103.3.0 TELE-NET description TELEMETRICS Network
name 10.1.4.22 NAT-INEWS0 description "Public NAT address of iNEWS server 0"
name 10.1.4.23 NAT-INEWS1 description "Public NAT address of iNEWS server 1"
name 10.1.4.20 NAT-K2-FTP0 description "Public NAT address of K2 FTP Server 0"
name 10.1.4.21 NAT-K2-FTP1 description "Public NAT address of K2 FTP Server 0"
name 10.103.4.80 MOSGW description "MOS Gateway."
name 10.1.4.24 NAT-MOSGW description "Public NAT address of MOS Gateway."
name 10.103.2.74 PF-DUB-01 description PathFire Dub Workstation
name 209.118.74.10 PF-EXT-0 description PF External Server 0
name 209.118.74.19 PF-EXT-1 description PF External Server 1
name 209.118.74.26 PF-EXT-2 description PF External Server 2
name 209.118.74.80 PF-EXT-3 description PF External Server 3
name 10.103.4.37 PIXPWR description Pixel Power System 0
name 10.1.4.26 NAT-PIXPWR description "Public NAT address of PixelPower System 0"
name 10.103.4.121 ignite
name 10.103.3.89 telemetrics
name 10.1.4.50 vpn_3000
name 10.103.5.4 K2-FTP0 description K2 FTP Server 0
name 10.103.5.5 K2-FTP1 description K2 FTP Server 1
name 10.1.4.40 NAT-ENG-PC description Engineering HP
name 10.103.2.107 ENG-NAS description ENG-NAS-6TB
name 10.1.1.0 WCIU description WCIU
name 178.3.200.0 WCIU_Broadcast description WCIU_Broadcast
name 10.2.1.0 A-10.2.1.0 description WCIU 2
name 10.1.50.0 VPN-POOL description VPN ACCESS
interface Ethernet0/0
description "Internal Network 10.103.1.0/24"
nameif inside
security-level 100
ip address 10.103.1.1 255.255.255.0
interface Ethernet0/1
shutdown
no nameif
security-level 0
no ip address
interface Ethernet0/2
nameif COMCAST_PUBLIC
security-level 0
ip address 173.161.x.x 255.255.255.240
interface Ethernet0/3
description "WBND Business Network 10.1.4.0/24"
nameif outside
security-level 0
ip address 10.1.4.8 255.255.255.0
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
clock timezone Indiana -4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ICMP-OK
description "ICMP types we want to permit."
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
icmp-object time-exceeded
object-group network INTERNAL-ALL
description "All internal networks."
network-object NET 255.255.255.0
network-object GEN-NET 255.255.255.0
network-object TELE-NET 255.255.255.0
network-object INEWS-NET 255.255.255.0
network-object K2FTP 255.255.255.0
network-object K2CONT 255.255.255.0
object-group service W3C
description "HTTP/S"
service-object tcp eq www
service-object tcp eq https
object-group service FTP-ALL
description "FTP Active/Passive."
service-object tcp eq ftp
service-object tcp eq ftp-data
object-group service INEWS-CLI
description "Ports required for INEWS client/server communications."
service-object tcp eq telnet
service-object tcp eq login
service-object tcp eq 600
service-object tcp eq 49153
service-object tcp eq 49152
service-object tcp-udp eq 1020
service-object tcp-udp eq 1019
group-object W3C
group-object FTP-ALL
service-object tcp eq ssh
service-object tcp-udp eq 1034
service-object tcp-udp eq 1035
object-group service NET-BASE
description "Base network services required by all."
service-object tcp-udp eq 123
service-object udp eq domain
object-group network INEWS-SVR
description "iNEWS Servers."
network-object INEWS0 255.255.255.255
network-object INEWS1 255.255.255.255
object-group network WCIU-INEWS
description "iNEWS Servers at WCIU."
network-object WCIU-INEWS0 255.255.255.255
network-object WCIU-INEWS1 255.255.255.255
object-group network K2-FTP
description "K2 Servers"
network-object host K2-FTP0
network-object host K2-FTP1
object-group network PF-SYS
description Internal PathFire Systems
network-object host PF-DUB-01
network-object host PF-SVR-01
object-group network INET-ALLOWED
description "Hosts that are allowed Internet access (HTTP/FTP) and a few other basic protocols.
network-object host ENG-PC
network-object host NAV-PC
network-object host PF-SVR-01
group-object INEWS-SVR
group-object K2-FTP
group-object PF-SYS
network-object host PIXPWR
network-object K2CONT 255.255.255.0
object-group service GoToAssist
description "Port required for Citrix GoToAssist remote support sessions (along with HTTP/S)"
service-object tcp eq 8200
object-group service DM_INLINE_SERVICE_1
group-object FTP-ALL
group-object W3C
service-object tcp eq ssh
service-object tcp eq telnet
group-object GoToAssist
object-group network RTI
network-object host RTISVR1
network-object host RTISVR
object-group network NAT-K2-SVR
description "Public NAT addresses of K2 Servers."
network-object host NAT-K2-FTP0
network-object host NAT-K2-FTP1
object-group network NAT-INEWS-SVR
description "Public NAT addresses of iNEWS servers."
network-object host NAT-INEWS0
network-object host NAT-INEWS1
object-group service INEWS-SVCS
description "Ports required for iNEWS inter-server communication.
group-object INEWS-CLI
service-object tcp eq 1022
service-object tcp eq 1023
service-object tcp eq 2048
service-object tcp eq 698
service-object tcp eq 699
object-group service MOS
description "Ports used for MOS Gateway Services."
service-object tcp eq 10540
service-object tcp eq 10541
service-object tcp eq 6826
service-object tcp eq 10591
object-group network DM_INLINE_NETWORK_1
network-object host WCIU-INEWS0
network-object host WCIU-INEWS1
object-group network DM_INLINE_NETWORK_2
network-object GEN-NET 255.255.255.0
network-object INEWS-NET 255.255.255.0
object-group network PF-Svrs
description External PathfFire Servers
network-object host PF-EXT-0
network-object host PF-EXT-1
network-object host PF-EXT-2
network-object host PF-EXT-3
object-group service PF
description PathFire Services
group-object FTP-ALL
service-object tcp eq 1901
service-object tcp eq 24999
service-object udp range 6652 6654
service-object udp range 6680 6691
object-group service GVG-SDB
description "Ports required by GVG SDB Client/Server Communication."
service-object tcp eq 2000
service-object tcp eq 2001
service-object tcp eq 3000
service-object tcp eq 3001
object-group service MS-SVCS
description "Ports required for Microsoft networking."
service-object tcp-udp eq 135
service-object tcp eq 445
service-object tcp eq ldap
service-object tcp eq ldaps
service-object tcp eq 3268
service-object tcp eq 3269
service-object tcp-udp eq cifs
service-object tcp-udp eq domain
service-object tcp-udp eq kerberos
service-object tcp eq netbios-ssn
service-object udp eq kerberos
service-object udp eq netbios-ns
service-object tcp-udp eq 139
service-object udp eq netbios-dgm
service-object tcp eq cifs
service-object tcp eq kerberos
service-object udp eq cifs
service-object udp eq domain
service-object udp eq ntp
object-group service DM_INLINE_SERVICE_2
group-object MS-SVCS
group-object NET-BASE
group-object GVG-SDB
group-object W3C
object-group service DM_INLINE_SERVICE_3
group-object GVG-SDB
group-object MS-SVCS
group-object W3C
object-group service PIXEL-PWR
description "Pixel Power Services"
service-object tcp-udp eq 10250
object-group service DM_INLINE_SERVICE_4
group-object FTP-ALL
group-object GoToAssist
group-object NET-BASE
group-object PIXEL-PWR
group-object W3C
group-object MS-SVCS
service-object ip
object-group service DM_INLINE_SERVICE_5
group-object MS-SVCS
group-object NET-BASE
group-object PIXEL-PWR
group-object W3C
object-group service IG-TELE tcp-udp
port-object range 2500 49501
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
object-group network DM_INLINE_NETWORK_3
network-object host ENG-PC
network-object host NAT-ENG-PC
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object icmp
object-group network DM_INLINE_NETWORK_4
network-object WCIU 255.255.255.0
network-object WBND 255.255.255.0
network-object WCIU_Broadcast 255.255.255.0
object-group network il2k_test
network-object 207.32.225.0 255.255.255.0
object-group network DM_INLINE_NETWORK_8
network-object WCIU 255.255.255.0
network-object WBND 255.255.255.0
network-object A-10.2.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_8
service-object ip
group-object INEWS-CLI
service-object icmp
service-object udp
object-group service DM_INLINE_SERVICE_6
service-object ip
group-object MS-SVCS
object-group network DM_INLINE_NETWORK_5
network-object WCIU 255.255.255.0
network-object WBND 255.255.255.0
network-object A-10.2.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_7
service-object ip
service-object icmp
service-object udp
group-object INEWS-CLI
object-group network DM_INLINE_NETWORK_9
network-object host NAT-INEWS0
network-object host INEWS0
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
protocol-object tcp
object-group network VPN-POOL
description "IP range assigned to dial-up IPSec VPN."
network-object VPN-POOL 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object WBND 255.255.255.0
network-object WCIU_Broadcast 255.255.255.0
network-object A-10.2.1.0 255.255.255.0
network-object WCIU 255.255.255.0
network-object VPN-POOL 255.255.255.0
object-group network DM_INLINE_NETWORK_7
network-object WBND 255.255.255.0
network-object VPN-POOL 255.255.255.0
network-object A-10.2.1.0 255.255.255.0
network-object WCIU 255.255.255.0
object-group network DM_INLINE_NETWORK_10
network-object TELE-NET 255.255.255.0
network-object host ignite
access-list inbound extended permit object-group DM_INLINE_SERVICE_5 any host NAT-PIXPWR
access-list inbound extended permit object-group FTP-ALL any host NAT-K2-FTP1
access-list inbound extended permit object-group FTP-ALL any host NAT-K2-FTP0
access-list inbound extended permit object-group INEWS-CLI any host NAT-INEWS1
access-list inbound extended permit object-group INEWS-CLI any host NAT-INEWS0
access-list inbound extended permit object-group INEWS-SVCS object-group DM_INLINE_NETWORK_1 object-group NAT-INEWS-SVR
access-list inbound extended permit object-group DM_INLINE_SERVICE_7 object-group DM_INLINE_NETWORK_5 host NAT-INEWS1
access-list inbound extended permit object-group DM_INLINE_SERVICE_8 object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_9
access-list inbound extended permit object-group MOS WBND 255.255.255.0 host NAT-MOSGW
access-list inbound extended permit icmp WBND 255.255.255.0 K2FTP 255.255.255.0 object-group ICMP-OK
access-list inbound extended permit object-group FTP-ALL WBND 255.255.255.0 object-group NAT-K2-SVR
access-list inbound extended permit object-group FTP-ALL WBND 255.255.255.0 K2FTP 255.255.255.0
access-list inbound extended permit object-group DM_INLINE_PROTOCOL_2 object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3
access-list inbound extended permit icmp any any object-group ICMP-OK
access-list inbound extended permit object-group DM_INLINE_PROTOCOL_1 host ignite host telemetrics
access-list inbound extended permit object-group MS-SVCS any WBND 255.255.255.0
access-list inbound extended permit ip any any
access-list inbound extended permit object-group DM_INLINE_PROTOCOL_2 WBND 255.255.255.0 object-group DM_INLINE_NETWORK_3
access-list inbound extended permit object-group MS-SVCS any any
access-list inbound extended permit object-group INEWS-CLI WBND 255.255.255.0 object-group NAT-INEWS-SVR
access-list inbound extended permit object-group DM_INLINE_PROTOCOL_3 any WBND 255.255.255.0
access-list inbound extended permit ip any 173.161.x.x 255.255.255.240
access-list inbound extended permit ip any 207.32.225.0 255.255.255.0
access-list inbound extended permit ip WBND 255.255.255.0 host 70.194.x.x
access-list outbound extended deny ip object-group DM_INLINE_NETWORK_10 any
access-list outbound extended permit object-group DM_INLINE_SERVICE_4 host PIXPWR any
access-list outbound extended permit object-group INEWS-SVCS object-group INEWS-SVR object-group WCIU-INEWS
access-list outbound extended permit object-group INEWS-CLI object-group DM_INLINE_NETWORK_2 object-group WCIU-INEWS
access-list outbound extended permit object-group DM_INLINE_SERVICE_1 object-group INET-ALLOWED any
access-list outbound extended permit object-group NET-BASE object-group INTERNAL-ALL any
access-list outbound extended permit icmp any any object-group ICMP-OK
access-list outbound extended permit ip GEN-NET 255.255.255.0 any
access-list outbound extended permit ip host ignite host telemetrics
access-list outbound extended permit ip host NAV-PC host 10.103.2.18
access-list outbound extended permit ip any GEN-NET 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit WBND 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit WCIU 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit VPN-POOL 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit WCIU_Broadcast 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit A-10.2.1.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.3.1.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.3.200.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip NET 255.255.255.0 object-group INTERNAL-ALL
access-list COMCAST_access_in extended permit ip any any
access-list COMCAST_PUBLIC_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 100000
logging asdm-buffer-size 512
logging monitor notifications
logging buffered notifications
logging asdm notifications
mtu inside 1500
mtu COMCAST_PUBLIC 1500
mtu outside 1500
mtu management 1500
ip local pool VPN-POOL 10.1.50.1-10.1.50.254 mask 255.255.255.0
ipv6 access-list inside_access_ipv6_in deny ip any any
ipv6 access-list inside_access_ipv6_in remark "ACL denying all outbound IPv6 traffic (and logging it)."
ipv6 access-list inside_access_ipv6_in remark "ACL denying all outbound IPv6 traffic (and logging it)."
ipv6 access-list inside_access_ipv6_in remark "ACL denying all outbound IPv6 traffic (and logging it)."
ipv6 access-list outside_access_ipv6_in deny ip any any
ipv6 access-list outside_access_ipv6_in remark "ACL denying all inbound IPv6 traffic (and logging it)."
ipv6 access-list outside_access_ipv6_in remark "ACL denying all inbound IPv6 traffic (and logging it)."
ipv6 access-list outside_access_ipv6_in remark "ACL denying all inbound IPv6 traffic (and logging it)."
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any COMCAST_PUBLIC
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
no asdm history enable
arp timeout 14400
global (COMCAST_PUBLIC) 1 173.161.x.x
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 dns
static (inside,outside) NAT-K2-FTP0 K2-FTP0 netmask 255.255.255.255 dns
static (inside,outside) NAT-K2-FTP1 K2-FTP1 netmask 255.255.255.255 dns
static (inside,outside) NAT-INEWS0 INEWS0 netmask 255.255.255.255 dns
static (inside,outside) NAT-INEWS1 INEWS1 netmask 255.255.255.255 dns
static (inside,outside) NAT-MOSGW MOSGW netmask 255.255.255.255 dns
static (inside,outside) NAT-PIXPWR PIXPWR netmask 255.255.255.255 dns
static (inside,outside) NAT-ENG-PC ENG-PC netmask 255.255.255.255 dns
static (inside,COMCAST_PUBLIC) 10.1.4.39 ENG-NAS netmask 255.255.255.255 dns
access-group outbound in interface inside per-user-override
access-group inside_access_ipv6_in in interface inside per-user-override
access-group outbound in interface COMCAST_PUBLIC
access-group outside_access_in in interface outside
access-group outside_access_ipv6_in in interface outside
route COMCAST_PUBLIC 0.0.0.0 0.0.0.0 173.161.x.x 1
route outside 0.0.0.0 0.0.0.0 10.1.4.1 100
route outside WCIU 255.255.255.0 10.1.4.11 1
route outside A-10.2.1.0 255.255.255.0 10.1.4.1 1
route inside 10.11.1.0 255.255.255.0 10.103.1.73 1
route inside GEN-NET 255.255.255.0 10.103.1.2 1
route inside TELE-NET 255.255.255.0 10.103.1.2 1
route inside INEWS-NET 255.255.255.0 10.103.1.2 1
route inside K2FTP 255.255.255.0 10.103.1.62 1
route inside K2CONT 255.255.255.0 10.103.1.62 1
route outside WCIU_Broadcast 255.255.255.0 10.1.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server DOMCON protocol radius
accounting-mode simultaneous
aaa-server DOMCON (outside) host 10.1.4.17
timeout 5
key Tr3at!Ne
acl-netmask-convert auto-detect
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http NET 255.255.255.0 inside
http GEN-NET 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set il2k-trans esp-aes-256 esp-sha-hmac
crypto ipsec transform-set il2k-transform-set esp-3des esp-sha-hmac
crypto ipsec transform-set il2k-transform-set mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set peer WBND
crypto dynamic-map dyno 10 set transform-set il2k-transform-set il2k-trans
crypto map VPN 10 ipsec-isakmp dynamic dyno
crypto map VPN interface COMCAST_PUBLIC
crypto map VPN interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable COMCAST_PUBLIC
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
telnet timeout 5
ssh scopy enable
ssh NET 255.255.255.0 inside
ssh GEN-NET 255.255.255.0 inside
ssh VPN-POOL 255.255.255.0 COMCAST_PUBLIC
ssh 10.103.1.224 255.255.255.240 outside
ssh WBND 255.255.255.0 outside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 20
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.103.2.52 source inside prefer
webvpn
enable inside
enable outside
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 1
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.1.4.17 10.1.1.21
vpn-tunnel-protocol l2tp-ipsec
ipsec-udp enable
group-policy DfltGrpPolicy attributes
dns-server value 10.1.4.17 10.1.1.21
vpn-simultaneous-logins 100
vpn-idle-timeout 120
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value MAINSERV
intercept-dhcp enable
address-pools value VPN-POOL
group-policy il2k internal
group-policy il2k attributes
dns-server value 10.1.4.17
vpn-tunnel-protocol l2tp-ipsec
ipsec-udp enable
username DefaultRAGroup password F1C2vupePix5SQn3t9BAZg== nt-encrypted
username tsimons password F1C2vupePix5SQn3t9BAZg== nt-encrypted privilege 15
username interlink password 4QnXXKO..Ry/9yKL encrypted
username iphone password TQrRGN4aXV4OVyavS5T/Ow== nt-encrypted
username iphone attributes
service-type remote-access
username hriczo password OSruMCto90cxZoWxHllC5A== nt-encrypted
username hriczo attributes
service-type remote-access
username cheighway password LqxYepmj5N6LE2zMU+CuPA== nt-encrypted privilege 15
username cheighway attributes
vpn-group-policy il2k
service-type admin
username jason password D8PHWEPGhNLOBxNHo0nQmQ== nt-encrypted
username roscor password jLkgabJ1qUf3hXax encrypted
username roscor attributes
service-type admin
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-POOL
authentication-server-group DOMCON LOCAL
authentication-server-group (outside) LOCAL
authentication-server-group (inside) LOCAL
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:4b7c375a2b09feacdf760d10092cf73f
: end
No one? I'd be happy to provide any more info if someone needs it; I'm just looking for some sort of direction. I did almost this whole config by myself and I'm completely self-taught on Cisco, so weird things like this really throw me.
Please help. Thank you -
Hi,
I would like to create a multiplayer game over the internet via WiFi or 3G; however, I would like to know how to get around the NAT firewalls. How can I get the iPhone devices to see each other if they are both behind different NAT firewalls? I have read that NAT traversal is a way to accomplish this using UPnP or NAT-PMP, but there is no sample code that I can look at. I am new to developing for the Apple platform and any help would be greatly appreciated.
Thanks
Vin -
Hi Aksher,
The NAT traversal feature is used to allow IPsec packets to travel across NAT devices, so you would use NAT traversal whenever there are NAT devices in between your VPN end points. This feature enables IPsec peers to establish a connection through a NAT device by encapsulating IPsec traffic in UDP datagrams using port 4500, to provide NAT devices with port information. When NAT-T is enabled it autodetects NAT devices and only encapsulates IPsec traffic when necessary.
To answer your question: no, NAT traversal does not override static NAT.
To grasp a better understanding of the NAT traversal feature and its background, I couldn't find a better link for you than the one below.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bca.html#1049093
Rgds
Jorge -
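Added example (not Cisco's code and not from any post on this page) of the two mechanisms Jorge's reply describes: NAT detection with the NAT-D hashes of RFC 3947, and the UDP port 4500 encapsulation of RFC 3948 that carries ESP, IKE (behind a 4-byte Non-ESP marker) and the one-byte NAT keepalive. The NAT-D comparison is also what the automatic detection in Scott's EZVPN question further down is based on: each side hashes the addresses it believes it is using, the receiver recomputes them from the addresses actually seen in the headers, and a mismatch means a translator sits in the path. Addresses, ISAKMP cookies and SPIs are constructed sample values; SHA-1 is used because that is what the `hash sha` ISAKMP policies posted on this page negotiate.

```python
# Added example: NAT-T building blocks from RFC 3947 (NAT-D detection in
# IKEv1 phase 1) and RFC 3948 (ESP/IKE/keepalive on UDP 4500).
# All cookies, addresses and SPIs are constructed sample values.
import hashlib
import socket
import struct

NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s.2.2: IKE on UDP/4500 is prefixed with 4 zero bytes
NAT_KEEPALIVE = b"\xff"               # RFC 3948 s.2.3: one-byte keepalive keeps the NAT mapping alive


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """NAT-D payload data = HASH(CKY-I | CKY-R | IP | Port) (RFC 3947 s.3.2).
    HASH is the phase-1 negotiated hash; 'hash sha' on the page means SHA-1."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d_payloads(cky_i, cky_r, my_ip, my_port, peer_ip, peer_port):
    """What a sender puts on the wire: first the hash of the destination it is
    sending to, then the hash of its own source address (RFC 3947 s.3.2)."""
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
            nat_d_hash(cky_i, cky_r, my_ip, my_port)]


def detect_nat(cky_i, cky_r, local_ip, local_port, seen_src_ip, seen_src_port, received_nat_d):
    """Receiver side: recompute the hashes from the addresses actually present in
    the IP/UDP headers and compare with the peer's claims.
    Returns (local_behind_nat, peer_behind_nat)."""
    if len(received_nat_d) < 2:
        raise ValueError("need the destination hash plus at least one source hash")
    dst_hash, *src_hashes = received_nat_d
    # The peer hashed the address it sent to; if that is not our address, ours was translated.
    local_behind_nat = dst_hash != nat_d_hash(cky_i, cky_r, local_ip, local_port)
    # If none of the peer's claimed source addresses is the one the packet arrived
    # from, the peer's address was translated on the way here.
    seen = nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port)
    peer_behind_nat = seen not in src_hashes
    return local_behind_nat, peer_behind_nat


def udp_encap_esp(spi: int, seq: int, esp_body: bytes) -> bytes:
    """UDP/4500 payload for an ESP packet (RFC 3948 s.2.1): the ESP header follows
    the UDP header directly. SPI 0 is reserved so ESP can never look like the
    Non-ESP marker that precedes IKE on the same port."""
    if not 0 < spi < 2**32:
        raise ValueError("SPI must be non-zero and fit in 32 bits")
    return struct.pack("!II", spi, seq) + esp_body


def classify_udp4500(payload: bytes) -> str:
    """Demultiplex a UDP/4500 payload the way a NAT-T peer does."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        return "ike"
    if len(payload) >= 8:          # SPI (4) + sequence number (4) at minimum
        return "esp"
    return "malformed"


if __name__ == "__main__":
    # Constructed scenario: initiator 192.168.1.10 behind a NAT that rewrites its
    # address to 203.0.113.5; responder 198.51.100.7 has a public address.
    cky_i = bytes.fromhex("0102030405060708")
    cky_r = bytes.fromhex("a1a2a3a4a5a6a7a8")
    sent = build_nat_d_payloads(cky_i, cky_r, "192.168.1.10", 500, "198.51.100.7", 500)
    # Responder sees the packet arrive from 203.0.113.5:500, not 192.168.1.10:500.
    print(detect_nat(cky_i, cky_r, "198.51.100.7", 500, "203.0.113.5", 500, sent))
    pkt = udp_encap_esp(0xC0FFEE01, 1, b"\x00" * 16)
    print(classify_udp4500(pkt), classify_udp4500(NON_ESP_MARKER + b"\x00" * 28),
          classify_udp4500(NAT_KEEPALIVE))
```

With the sample scenario the responder concludes (False, True): it is not behind a NAT itself, the initiator is, so both sides float from UDP 500 to UDP 4500 and wrap ESP in UDP. If neither hash mismatches, nothing is encapsulated, which is the overhead saving Jorge and the EZVPN reply further down refer to. The TCP variant in the EZVPN reply (`crypto isakmp ipsec-over-tcp` in the ASA config above) is a separate Cisco mechanism for paths that block UDP entirely and is not covered by these two RFCs.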
[SRP527w] NAT Traversal not available in VPN options!!!
Hi,
I'm so disappointed to find such a light and incomplete VPN menu on the SRP527w.
As a Cisco certified network engineer, I'm testing it because my company needs about twenty ADSL + 3G backup routers, and Cisco seemed to offer the best solution.
We need to build a VPN over 3G if the ADSL link fails. Unfortunately, 3G access in France is routed through a wide private network before reaching the Internet. That's not a problem for one of our Zyxel routers, which include the NAT Traversal (or NAT-T) feature. But with this Cisco, it's impossible to make the traffic go through the VPN.
Please tell me that this feature will be included in the next firmware release!
Regards,
Gaultier -
Thank you for your lightning-fast answer!
I downloaded the MR3 RC release, and... it works fine! My VPN is established over 3G.
Thank you for the great job you did improving the capabilities of the SRP520... Hope there are much more useful features like that on your roadmap!
Regards,
Gaultier. -
Hi Guys,
When using the EZVPN IOS client, is there a way to force it to use NAT-T?
I know it automatically uses NAT-T if it detects NAT in the network, but can you force it to use NAT-T even without a NAT?
Cheers
Scott -
Hi all,
Cisco devices use NAT-T detection by default and you cannot disable this behaviour, as it saves overhead by not encapsulating packets in UDP while there are no NAT devices in between, so the proper way is to use NAT-T. But the software clients don't support NAT-T and work directly using UDP encapsulation.
By default, the Easy VPN hardware client and server encapsulate IPSec in User Datagram Protocol (UDP) packets. Some environments, such as those with certain firewall rules, or NAT and PAT devices, prohibit UDP. To use standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key Exchange (IKE, UDP 500) in such environments, you must configure the client and the server to encapsulate IPSec within TCP packets to enable secure tunneling. If your environment allows UDP, however, configuring IPSec over TCP adds unnecessary overhead -
I use a VPN client 3.6.4 behind a Cisco 827 (PPPoE with NAT) to connect to a PIX 515 (also configured with NAT). I want to access a server behind the PIX.
Can I configure IP NAT traversal on the Cisco 827 (IOS 12.2.13T)?
Does it work?
vpn client 6.3.4<--->cisco827(NAT) <-----internet------> Pix515(NAT)<--->server
Thanks! -
Not quite right. NAT-T is supported on routers and PIXes now also.
However, you have the wrong idea of where to configure it. You configure NAT-T on the VPN termination point, in your case the PIX. The intermediate 837 doesn't need to know anything about it, as the VPN client and the PIX will encapsulate their IPsec packets in UDP 4500 and the 837 will just NAT them like any other packet.
On the PIX, upgrade it to 6.3 code and use the command:
> isakmp nat-traversal
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#1027312 -
Is there a difference between NAT Traversal & NAT Transparency?
What is the difference between NAT Traversal & NAT Transparency?
And does (NAT-T) refer to NAT Traversal or NAT Transparency?
As in, how the screen's pixels display colors? No, there shouldn't be any difference.
-
IPsec over GRE tunnel's line protocol is down but able to ping the tunnel destination
>>Both routers are located in different countries and connected through an ISP
>>IPsec over GRE tunnel is configured on both routers
>>The tunnel's line protocol is down on both ends, but I am able to reach the tunnel destination from the tunnel source
>>Packets are not being received on Router_1, but I can see packets being encrypted on Router_2
>>The ISP is not finding any issue on their end
>>Please guide me how I can fix this issue and what needs to be checked?
========================
Router_1#sh run int Tunnel20
Building configuration...
Current configuration : 272 bytes
interface Tunnel20
bandwidth 2048
ip address 3.85.129.141 255.255.255.252
ip mtu 1412
ip flow ingress
delay 1
cdp enable
tunnel source GigabitEthernet0/0/3
tunnel destination 109.224.62.26
end
===================
Router_1#sh int Tunnel20
Tunnel20 is up, line protocol is up>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Keepalive is not set
Hardware is Tunnel
Description: *To CRPrgEIQbaghd01 - 2Mb GRE over Shared ISP Gateway*
Internet address is 3.85.129.141/30
MTU 17916 bytes, BW 2048 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 195.27.20.14 (GigabitEthernet0/0/3), destination 109.224.62.26
Tunnel Subblocks:
src-track:
Tunnel20 source tracking subblock associated with GigabitEthernet0/0/3
Set of tunnels with source GigabitEthernet0/0/3, 32 members (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 1w6d, output 14w4d, output hang never
Last clearing of "show interface" counters 2y5w
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1565172427 packets input, 363833090294 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1778491917 packets output, 1555959948508 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
=============================
Router_1#ping 109.224.62.26 re 100 sou 195.27.20.14
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 109.224.62.26, timeout is 2 seconds:
Packet sent with a source address of 195.27.20.14
Success rate is 92 percent (92/100), round-trip min/avg/max = 139/142/162 ms
Router_1#
============================================
Router_1#sh cry ip sa pe 109.224.62.26 | in caps
#pkts encaps: 831987306, #pkts encrypt: 831987306, #pkts digest: 831987306
#pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611
Router_1#sh clock
15:09:45.421 UTC Thu Dec 25 2014
Router_1#
===================
Router_1#sh cry ip sa pe 109.224.62.26 | in caps
#pkts encaps: 831987339, #pkts encrypt: 831987339, #pkts digest: 831987339
#pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611>>>>>>>>>>>>>>>>>>>>Traffic is not being received from Router 2
Router_1#sh clock
15:11:36.476 UTC Thu Dec 25 2014
Router_1#
===================
Router_2#sh run int Tu1
Building configuration...
Current configuration : 269 bytes
interface Tunnel1
bandwidth 2000
ip address 3.85.129.142 255.255.255.252
ip mtu 1412
ip flow ingress
load-interval 30
keepalive 10 3
cdp enable
tunnel source GigabitEthernet0/0
tunnel destination 195.27.20.14
end
Router_2#
=======================
Router_2#sh run | sec cry
crypto isakmp policy 10
authentication pre-share
crypto isakmp key Router_2 address 195.27.20.14
crypto isakmp key Router_2 address 194.9.241.8
crypto ipsec transform-set ge3vpn esp-3des esp-sha-hmac
mode transport
crypto map <Deleted> 10 ipsec-isakmp
set peer 195.27.20.14
set transform-set ge3vpn
match address Router_2
crypto map <Deleted> 20 ipsec-isakmp
set peer 194.9.241.8
set transform-set ge3vpn
match address Router_1
crypto map <Deleted>
Router_2#
====================================
Router_2#sh cry ip sa pe 195.27.20.14 | in caps
#pkts encaps: 737092521, #pkts encrypt: 737092521, #pkts digest: 737092521
#pkts decaps: 828154572, #pkts decrypt: 828154572, #pkts verify: 828154572>>>>>>>>>>>>Traffic is getting encrypted on Router 2
Router_2#sh clock
.15:10:33.296 UTC Thu Dec 25 2014
Router_2#
========================
Router_2#sh int Tu1
Tunnel1 is up, line protocol is down>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Down
Hardware is Tunnel
Internet address is 3.85.129.142/30
MTU 17916 bytes, BW 2000 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive set (10 sec), retries 3
Tunnel source 109.224.62.26 (GigabitEthernet0/0), destination 195.27.20.14
Tunnel Subblocks:
src-track:
Tunnel1 source tracking subblock associated with GigabitEthernet0/0
Set of tunnels with source GigabitEthernet0/0, 2 members (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 1w6d, output 00:00:02, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 14843
Queueing strategy: fifo
Output queue: 0/0 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
1881547260 packets input, 956465296 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1705198723 packets output, 2654132592 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
=============================
Router_2#ping 195.27.20.14 re 100 sou 109.224.62.26
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 195.27.20.14, timeout is 2 seconds:
Packet sent with a source address of 109.224.62.26
Success rate is 94 percent (94/100), round-trip min/avg/max = 136/143/164 ms
Router_2#
=========================
Hello.
First of all, try to reset IPsec (clear crypto isakmp sa ..., clear crypto session ...).
Configure an inbound ACL on the router to match the ESP protocol and check if the packets arrive.
Please provide the full output of "show crypto ipsec sa"
from both sides. -
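The counter readings above are the core of the diagnosis: Router_1's encaps grew by 33 packets between the two samples while its decaps stayed flat, so Router_1 encrypts and sends but never decrypts anything from Router_2. The following is an added example, not code from the thread, that automates that reading: it parses the "show crypto ipsec sa ... | include caps" and "show clock" captures as the poster pasted them, computes per-direction deltas for one router, and combines the deltas from both ends to say in which direction ESP is being lost. The Router_1 samples and the first Router_2 sample are the ones from the post; the second Router_2 sample is constructed, since the poster took only one, and is marked as such in the code.

```python
"""Locate one-way loss on an IPsec tunnel from encaps/decaps counter samples.

Added example for the troubleshooting thread above; not code from the thread.
It parses the two commands the poster captured together:
    show crypto ipsec sa peer <ip> | include caps
    show clock
and turns two samples from the same router into per-direction deltas.
"""
import re
from dataclasses import dataclass

# "#pkts encaps: N, #pkts encrypt: N, ..." and "#pkts decaps: N, #pkts decrypt: N, ..."
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
# "15:09:45.421 UTC Thu Dec 25 2014"; IOS prefixes '.' or '*' when the clock is not authoritative
CLOCK_RE = re.compile(r"^[.*]?(\d{2}):(\d{2}):(\d{2})\.\d+ ")


@dataclass(frozen=True)
class SaSample:
    encaps: int   # packets this router encrypted and sent towards the peer
    decaps: int   # packets received from the peer and decrypted here
    seconds: int  # sample time as seconds since midnight (from show clock)


def parse_sample(text: str) -> SaSample:
    """Extract encaps/decaps and the clock from one pasted CLI capture."""
    counters = {m.group(1): int(m.group(2)) for m in COUNTER_RE.finditer(text)}
    clock = None
    for line in text.splitlines():
        m = CLOCK_RE.match(line.strip())
        if m:
            h, mi, s = (int(x) for x in m.groups())
            clock = h * 3600 + mi * 60 + s
    if set(counters) != {"encaps", "decaps"} or clock is None:
        raise ValueError("capture must contain encaps, decaps and a show clock line")
    return SaSample(counters["encaps"], counters["decaps"], clock)


def direction_deltas(before: SaSample, after: SaSample) -> dict:
    """Classify traffic flow between two samples taken on the same router."""
    d_enc = after.encaps - before.encaps
    d_dec = after.decaps - before.decaps
    if d_enc < 0 or d_dec < 0:
        verdict = "counters-reset"      # SA rekeyed or cleared between samples: resample
    elif d_enc == 0 and d_dec == 0:
        verdict = "idle"
    elif d_dec == 0:
        verdict = "one-way-outbound"    # we encrypt and send, nothing from the peer decrypts
    elif d_enc == 0:
        verdict = "one-way-inbound"
    else:
        verdict = "bidirectional"
    return {"interval_s": after.seconds - before.seconds,
            "encaps_delta": d_enc, "decaps_delta": d_dec, "verdict": verdict}


def locate_loss(local: dict, peer: dict) -> str:
    """Combine same-interval deltas from both ends to say where packets vanish.

    Absolute counters are not comparable across peers (the SAs may have been
    created or cleared at different times); only deltas over the same interval are.
    """
    if local["decaps_delta"] == 0 and peer["encaps_delta"] > 0:
        return ("peer encrypts and sends but nothing decrypts locally: ESP is lost "
                "peer->local in transit (NAT device, filter, MTU) or dropped before decryption")
    if peer["decaps_delta"] == 0 and local["encaps_delta"] > 0:
        return "we encrypt and send but nothing decrypts at the peer: ESP is lost local->peer in transit"
    if local["decaps_delta"] == 0 and peer["encaps_delta"] == 0:
        return "peer is not encrypting anything: check its routing and crypto ACL, not the path"
    return "both directions are counting: the ESP path is not where packets are lost"


# Router_1 samples as pasted in the thread (15:09:45 and 15:11:36 UTC).
R1_T0 = """Router_1#sh cry ip sa pe 109.224.62.26 | in caps
#pkts encaps: 831987306, #pkts encrypt: 831987306, #pkts digest: 831987306
#pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611
Router_1#sh clock
15:09:45.421 UTC Thu Dec 25 2014"""
R1_T1 = """Router_1#sh cry ip sa pe 109.224.62.26 | in caps
#pkts encaps: 831987339, #pkts encrypt: 831987339, #pkts digest: 831987339
#pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611
Router_1#sh clock
15:11:36.476 UTC Thu Dec 25 2014"""
# Router_2: the first sample is from the thread; the second is CONSTRUCTED
# (11 keepalives encrypted, 33 packets decrypted) to show a paired reading.
R2_T0 = """Router_2#sh cry ip sa pe 195.27.20.14 | in caps
#pkts encaps: 737092521, #pkts encrypt: 737092521, #pkts digest: 737092521
#pkts decaps: 828154572, #pkts decrypt: 828154572, #pkts verify: 828154572
Router_2#sh clock
.15:10:33.296 UTC Thu Dec 25 2014"""
R2_T1 = """Router_2#sh cry ip sa pe 195.27.20.14 | in caps
#pkts encaps: 737092532, #pkts encrypt: 737092532, #pkts digest: 737092532
#pkts decaps: 828154605, #pkts decrypt: 828154605, #pkts verify: 828154605
Router_2#sh clock
.15:12:24.101 UTC Thu Dec 25 2014"""

if __name__ == "__main__":
    r1 = direction_deltas(parse_sample(R1_T0), parse_sample(R1_T1))
    r2 = direction_deltas(parse_sample(R2_T0), parse_sample(R2_T1))
    print("Router_1:", r1)
    print("Router_2:", r2)
    print(locate_loss(r1, r2))
```

Take the two samples on each router over the same minutes; a single reading from one side, like the lone Router_2 capture in the thread, only shows that the SA exists, not whether it is still passing traffic. With the constructed Router_2 pair, Router_2 counts in both directions while Router_1 decrypts nothing, which points at the Router_2 to Router_1 ESP path rather than at either router's crypto configuration.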
JMS Issues over NAT IP in weblogc 10.3
Dear Tom B,
We have an issue in connecting to the JMS TOPICs over a NAT IP. Please note the application has Applets/Swing and hence uses thin-client jars for communicating with the WebLogic server. We are getting the following exception when we try to look up using the NATted IP.
Exception at MessagingServiceFactory :::weblogic.jms.common.JMSException: [JMSClientExceptions:055054]Error finding dispatcher: weblogic.messaging.dispatcher.DispatcherException: Could not register a DisconnectListener for [IOR:0000000000000042524d493a7765626c6f6769632e6d6573736167696e672e646973706174636865722e44697370617463686572496d706c3a30303030303030303030303030303030000000000000010000000000000208000102000000000d3137322e31362e31372e313000001f6a000000f800424541080103000000000b74726561737572792d3100000000000000000042524d493a7765626c6f6769632e6d6573736167696e672e646973706174636865722e44697370617463686572496d706c3a303030303030303030303030303030300000000000000432363800000000024245412a0000001000000000000000007667e38aea8d58524245410b00000068000000000000006000005d7765626c6f6769632e6d6573736167696e672e646973706174636865722e4469737061746368657252656d6f74653a7765626c6f6769632e6d6573736167696e672e646973706174636865722e446973706174636865724f6e6557617900000005000000010000002c0000000000010020000000030001002000010001050100010001010000000003000101000001010905010001000000190000003b0000000000000033687474703a2f2f3137322e31362e31372e31303a383034322f6265615f776c735f696e7465726e616c2f636c61737365732f00000000001f000000040000000300000020000000040000000100000021000000580001000000000001000000000000002200000000004000000000000806066781020101010000001f0401000806066781020101010000000f7765626c6f67696344454641554c540000000000000000000000000000000000] for treasury-1
weblogic.jms.common.JMSException: [JMSClientExceptions:055054]Error finding dispatcher: weblogic.messaging.dispatcher.DispatcherException: Could not register a DisconnectListener for [IOR:0000000000000042524d493a7765626c6f6769632e6d6573736167696e672e646973706174636865722e44697370617463686572496d706c3a30303030303030303030303030303030000000000000010000000000000208000102000000000d3137322e31362e31372e313000001f6a000000f800424541080103000000000b74726561737572792d3100000000000000000042524d493a7765626c6f6769632e6d6573736167696e672e646973706174636865722e44697370617463686572496d706c3a303030303030303030303030303030300000000000000432363800000000024245412a0000001000000000000000007667e38aea8d58524245410b00000068000000000000006000005d7765626c6f6769632e6d6573736167696e672e646973706174636865722e4469737061746368657252656d6f74653a7765626c6f6769632e6d6573736167696e672e646973706174636865722e446973706174636865724f6e6557617900000005000000010000002c0000000000010020000000030001002000010001050100010001010000000003000101000001010905010001000000190000003b0000000000000033687474703a2f2f3137322e31362e31372e31303a383034322f6265615f776c735f696e7465726e616c2f636c61737365732f00000000001f000000040000000300000020000000040000000100000021000000580001000000000001000000000000002200000000004000000000000806066781020101010000001f0401000806066781020101010000000f7765626c6f67696344454641554c540000000000000000000000000000000000] for treasury-1
at weblogic.jms.client.JMSConnectionFactory.setupJMSConnection(JMSConnectionFactory.java:266)
at weblogic.jms.client.JMSConnectionFactory.createConnectionInternal(JMSConnectionFactory.java:285)
at weblogic.jms.client.JMSConnectionFactory.createTopicConnection(JMSConnectionFactory.java:184)
I read your other thread, Weblogic JMS port usage!, where you said a special -D property might be required, but I could not get the exact property for us to try out.
Request your advice.
Regards
Suresh.
Hi,
Would you be able to explain what you are trying to do and what is failing, along with the stack trace, please?
Presumably you have JMS modules -> JMS Topic created and all assigned/targeted to the managed server instances? Are you having trouble connecting/subscribing to that topic from your client code? If so, where does your client code execute from? I mean, is that on the same host as the WebLogic server?
From the host that has your client code, try ping / nslookup / tracert to the WebLogic host and see if that's resolved in the first place.
HTH
Sri -
Hi
I see that it is not possible with a standard config to connect to a MS iSCSI target over NAT; are there any special tricks to getting the external IP and not the internal?
Dave
Hi
I see that it is not possible with a standard config to connect to a MS iSCSI target over NAT; are there any special tricks to getting the external IP and not the internal?
Dave
Connecting from inside a VM should do the trick.
StarWind Virtual SAN clusters Hyper-V without SAS, Fibre Channel, SMB 3.0 or iSCSI, uses Ethernet to mirror internally mounted SATA disks between hosts. -
Hi All
In our network we have configured a tunnel over NAT setup.
This tunnel is flapping continuously
with the log message CRYPTO SESSION UP & DOWN.
Attaching the configuration detail of the remote-side router.
There is a Crypto Session Up & Down log in the hub-side router.
Hi, yes, I have removed the crypto map from the tunnel and applied it only on the FastEthernet, but the tunnel is still flapping
with the same log messages:
Aug 14 17:28:55: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 165.204.14.205 (Tunnel160) is down: interface down
Aug 14 17:29:33: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 195.75.97.209:4500 Id: 195.75.97.209
Aug 14 17:29:33: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 195.75.97.209:4500 Id: 195.75.97.209
Aug 14 17:29:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel160, changed state to up
Aug 14 17:30:21: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 165.204.14.205 (Tunnel160) is up: new adjacency
Configuration Detail
dubai-vpn1#sh running-config interface tunnel 160
Building configuration...
Current configuration : 388 bytes
interface Tunnel160
description Primary GRE to drsfso-vpn1
bandwidth 512
ip address 165.204.14.206 255.255.255.252
ip mtu 1400
ip hello-interval eigrp 1 40
ip hold-time eigrp 1 220
ip route-cache flow
ip tcp adjust-mss 1360
no ip mroute-cache
load-interval 30
delay 1000
qos pre-classify
keepalive 20 5
tunnel source FastEthernet0/1
tunnel destination 195.75.97.209
end
Regards
Gopinath.V -
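The pattern in the log above, a crypto session reported UP and DOWN in the same second towards a peer on UDP 4500 (so NAT-T is in use), is exactly what a syslog consumer should alert on rather than leave for someone to spot by eye. The following is an added example, not code from the thread: it rejoins console-wrapped syslog lines, extracts the %CRYPTO-5-SESSION_STATUS transitions per peer, and flags sessions that die within seconds of coming up or go DOWN repeatedly inside a time window. The sample lines are the ones from the post, embedded in the 80-column wrapped form the console produced, plus one constructed second UP/DOWN cycle so the window check has something to find; the rejoining rule (a line without a timestamp is the tail of the previous message) is an assumption about the poster's console format.

```python
"""Flag an IPsec session that flaps from IOS syslog lines.

Added example for the thread above; not code from the post. It rejoins
console-wrapped lines, pulls %CRYPTO-5-SESSION_STATUS transitions per peer,
and reports sessions that die within seconds of coming up or go DOWN
repeatedly inside a time window.
"""
import re
from collections import defaultdict
from datetime import datetime

# "Aug 14 17:28:55: ", "*May  8 20:14:18.668: " and "May  7 14:30:35 CDT: " all match
TS_RE = re.compile(r"^[*.]?(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?(?: [A-Z]{3,4})?: ")
SESSION_RE = re.compile(
    r"%CRYPTO-5-SESSION_STATUS: Crypto tunnel is (UP|DOWN)\s*\.\s*"
    r"Peer (\d+\.\d+\.\d+\.\d+)(?::(\d+))? Id: (\S+)")


def rejoin_wrapped(lines):
    """Glue console-wrapped continuation lines back onto their message.

    Assumption (matches the poster's paste): one message per timestamped line; a
    line that does not start with a timestamp is the tail of the previous one, and
    the 80-column wrap dropped no characters, so pieces are concatenated as-is.
    """
    out = []
    for line in lines:
        if TS_RE.match(line) or not out:
            out.append(line)
        else:
            out[-1] += line
    return out


def parse_session_events(lines):
    """Return [{'time', 'state', 'peer', 'port', 'id'}] for each crypto session message."""
    events = []
    for line in lines:
        ts = TS_RE.match(line)
        msg = SESSION_RE.search(line)
        if not (ts and msg):
            continue
        events.append({
            "time": datetime.strptime(ts.group(1), "%b %d %H:%M:%S"),  # year-less; fine for deltas
            "state": msg.group(1),
            "peer": msg.group(2),
            "port": int(msg.group(3)) if msg.group(3) else None,      # 4500 means NAT-T in use
            "id": msg.group(4),
        })
    return events


def find_flaps(events, window_s=300, min_downs=2, max_up_lifetime_s=5):
    """Per peer: flag UP->DOWN within max_up_lifetime_s, and >= min_downs DOWNs inside window_s."""
    by_peer = defaultdict(list)
    for e in events:
        by_peer[e["peer"]].append(e)
    findings = []
    for peer, evs in by_peer.items():
        evs.sort(key=lambda e: e["time"])            # stable sort keeps same-second order
        nat_t = any(e["port"] == 4500 for e in evs)
        for a, b in zip(evs, evs[1:]):
            if a["state"] == "UP" and b["state"] == "DOWN":
                life = (b["time"] - a["time"]).total_seconds()
                if life <= max_up_lifetime_s:
                    findings.append({"peer": peer, "kind": "short-lived-session",
                                     "lifetime_s": life, "nat_t": nat_t})
        downs = [e["time"] for e in evs if e["state"] == "DOWN"]
        for i, first in enumerate(downs):
            last = i
            while last + 1 < len(downs) and (downs[last + 1] - first).total_seconds() <= window_s:
                last += 1
            if last - i + 1 >= min_downs:
                findings.append({"peer": peer, "kind": "flapping", "downs_in_window": last - i + 1,
                                 "window_s": window_s, "nat_t": nat_t})
                break
    return findings


# Lines from the post exactly as the console wrapped them, followed by a
# CONSTRUCTED second UP/DOWN cycle so the window check has something to find.
SAMPLE_LOG = [
    "Aug 14 17:28:55: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 165.204.14.205 (Tunn",
    "el160) is down: interface down",
    "Aug 14 17:29:33: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 195.75.9",
    "7.209:4500 Id: 195.75.97.209",
    "Aug 14 17:29:33: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 195.75.9",
    "7.209:4500 Id: 195.75.97.209",
    "Aug 14 17:29:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel160, chan",
    "ged state to up",
    "Aug 14 17:30:21: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 165.204.14.205 (Tunn",
    "el160) is up: new adjacency",
    "Aug 14 17:31:02: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 195.75.97.209:4500 Id: 195.75.97.209",   # constructed
    "Aug 14 17:31:02: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 195.75.97.209:4500 Id: 195.75.97.209",  # constructed
]

if __name__ == "__main__":
    for finding in find_flaps(parse_session_events(rejoin_wrapped(SAMPLE_LOG))):
        print(finding)
```

A session that goes UP and DOWN in the same second is a different failure from one that stays up for minutes and then drops, so the two findings are reported separately; the `nat_t` flag records that the peer was seen on port 4500, which tells the responder to include the NAT device between the peers in the investigation rather than only the two routers.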
IPsec over GRE in ASR 1000 with VRF
Hi
I'm trying to configure an IPsec over GRE tunnel between a Cisco 819G remote router and an ASR 1002 central router using crypto maps. Currently the ASR router has two VRFs (management VRF and EXTERNOS2 VRF) and in the future we are going to deploy different "virtual" routers from this box. I don't know why it doesn't work; the tunnel interface doesn't go up. Looking at the debugs obtained from the ASR router (debug crypto isakmp and debug crypto ipsec) I see the following errors:
Oct 3 13:11:33: IPSEC(validate_proposal_request): proposal part #1
Oct 3 13:11:33: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.255.68.246:0, remote= 10.200.25.106:0,
local_proxy= 10.255.68.246/255.255.255.255/256/0,
remote_proxy= 10.200.25.106/255.255.255.255/256/0,
protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Oct 3 13:11:33: Crypto mapdb : proxy_match
src addr : 10.255.68.246
dst addr : 10.200.25.106
protocol : 0
src port : 0
dst port : 0
Oct 3 13:11:33: map_db_check_isakmp_profile profile did not match
Oct 3 13:11:33: Crypto mapdb : proxy_match
src addr : 10.255.68.246
dst addr : 10.200.25.106
protocol : 0
src port : 0
dst port : 0
Oct 3 13:11:33: map_db_check_isakmp_profile profile did not match
Oct 3 13:11:33: map_db_find_best did not find matching map
Oct 3 13:11:33: IPSEC(ipsec_process_proposal): proxy identities not supported
Oct 3 13:11:33: ISAKMP:(35001): IPSec policy invalidated proposal with error 32
Oct 3 13:11:33: ISAKMP:(35001): phase 2 SA policy not acceptable! (local 10.255.68.246 remote 10.200.25.106)
Could anybody help me troubleshoot why it doesn't work?
I am posting the involved configuration sections from the ASR and 819G routers.
B.R.
Oops!! I forgot to paste the involved routes from both devices.
ASR router
ip route vrf EXTERNOS2 10.200.24.0 255.255.248.0 10.255.68.245 tag 6
ip route vrf EXTERNOS2 185.1.1.0 255.255.255.0 Tunnel21 tag 6 <--- c819G LAN network
Cisco 819G
ip route 0.0.0.0 0.0.0.0 Tunnel1
ip route 10.255.68.246 255.255.255.255 Cellular0
B.R. -
IPsec VTI over NAT IKE Phase I Failure
Hey everyone,
I have two routers and an ASA with one of the routers sitting behind the ASA. I have a VTI configuration between the two routers, the regular GRE traffic passes through just fine but after applying an IPsec profile to the interfaces, IKE Phase I never completes. I have the configurations and debugs posted below. Thank you in advance for your help. I have confirmed reachability and there are no access list issues.
Router 1:
crypto ipsec transform-set SEC esp-aes 256 esp-md5-hmac
mode tunnel
crypto ipsec profile IPSEC
set transform-set SEC
interface Tunnel2
ip address 172.16.1.1 255.255.255.252
tunnel source 200.1.1.1
tunnel destination 200.1.1.2
tunnel protection ipsec profile IPSEC
crypto isakmp key SECURITYKEY address 200.1.1.2
crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 2
ASA:
static (inside,outside) 200.1.1.2 10.1.1.1 netmask 255.255.255.255
Router 2:
interface Tunnel121
ip address 172.16.1.2 255.255.255.252
ip nat inside
ip virtual-reassembly
tunnel source 10.1.1.1
tunnel destination 200.1.1.1
tunnel protection ipsec profile IPSEC
crypto ipsec transform-set SEC esp-aes 256 esp-md5-hmac
mode tunnel
crypto ipsec profile IPSEC
set transform-set SEC
crypto isakmp key SECURITYKEY address 200.1.1.1
crypto isakmp policy 2
encr aes 256
hash md5
authentication pre-share
group 2
R2#debug crypto isakmp
R2#
R2#
May 7 14:30:35 CDT: ISAKMP (0:134218444): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 7 14:30:35 CDT: ISAKMP:(0:716:SW:1): phase 1 packet is a duplicate of a previous packet.
May 7 14:30:35 CDT: ISAKMP:(0:716:SW:1): retransmitting due to retransmit phase 1
May 7 14:30:35 CDT: ISAKMP (0:134218443): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 7 14:30:36 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 1 QM_IDLE ...
May 7 14:30:36 CDT: ISAKMP (0:134218444): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
May 7 14:30:36 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 1 QM_IDLE
May 7 14:30:36 CDT: ISAKMP:(0:716:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:30:42 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 2 QM_IDLE -1092494630 ...
May 7 14:30:42 CDT: ISAKMP (0:134218444): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
May 7 14:30:42 CDT: ISAKMP (0:134218444): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
May 7 14:30:42 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 2 -1092494630 QM_IDLE
May 7 14:30:42 CDT: ISAKMP:(0:716:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:30:45 CDT: ISAKMP (0:134218444): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 7 14:30:45 CDT: ISAKMP:(0:716:SW:1): phase 1 packet is a duplicate of a previous packet.
May 7 14:30:45 CDT: ISAKMP:(0:716:SW:1): retransmitting due to retransmit phase 1
May 7 14:30:46 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 1 QM_IDLE ...
May 7 14:30:46 CDT: ISAKMP (0:134218444): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
May 7 14:30:46 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 1 QM_IDLE
May 7 14:30:46 CDT: ISAKMP:(0:716:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:30:52 CDT: ISAKMP: received ke message (3/1)
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):peer does not do paranoid keepalives.
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):deleting SA reason "P1 delete notify (in)" state (R) QM_IDLE (peer 200.1.1.1)
May 7 14:30:52 CDT: ISAKMP:(0:715:SW:1):peer does not do paranoid keepalives.
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 2 QM_IDLE -1092494630 ...
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):peer does not do paranoid keepalives.
May 7 14:30:52 CDT: ISAKMP: set new node 1345361410 to QM_IDLE
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):purging node 1345361410
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):deleting SA reason "No reason" state (R) QM_IDLE (peer 200.1.1.1)
May 7 14:30:52 CDT: ISAKMP: Unlocking IKE struct 0x656AA2B0 for isadb_mark_sa_deleted(), count 0
May 7 14:30:52 CDT: ISAKMP: Deleting peer node by peer_reap for 200.1.1.1: 656AA2B0
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):deleting node -1092494630 error FALSE reason "IKE deleted"
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):Old State = IKE_DEST_SA New State = IKE_DEST_SA
May 7 14:30:55 CDT: ISAKMP (0:134218444): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 7 14:31:05 CDT: ISAKMP:(0:715:SW:1):purging node 1843499205
May 7 14:31:05 CDT: ISAKMP (0:134218444): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 7 14:31:15 CDT: ISAKMP:(0:715:SW:1):purging SA., sa=64E4AB14, delme=64E4AB14
May 7 14:31:42 CDT: ISAKMP:(0:716:SW:1):purging node -1092494630
May 7 14:31:45 CDT: ISAKMP (0:0): received packet from 200.1.1.1 dport 500 sport 500 Global (N) NEW SA
May 7 14:31:45 CDT: ISAKMP: Created a peer struct for 200.1.1.1, peer port 500
May 7 14:31:45 CDT: ISAKMP: New peer created peer = 0x656AA2B0 peer_handle = 0x80000514
May 7 14:31:45 CDT: ISAKMP: Locking peer struct 0x656AA2B0, IKE refcount 1 for crypto_isakmp_process_block
May 7 14:31:45 CDT: ISAKMP: local port 500, remote port 500
May 7 14:31:45 CDT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 64E4AB14
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 69 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
May 7 14:31:45 CDT: ISAKMP (0:0): vendor ID is NAT-T v7
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 200.1.1.1
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): local preshared key found
May 7 14:31:45 CDT: ISAKMP : Scanning profiles for xauth ...
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption DES-CBC
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 1
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP: life type in seconds
May 7 14:31:45 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption 3DES-CBC
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 2
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP: life type in seconds
May 7 14:31:45 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption AES-CBC
May 7 14:31:45 CDT: ISAKMP: keylength of 256
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 2
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP: life type in seconds
May 7 14:31:45 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Diffie-Hellman group offered does not match policy!
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption AES-CBC
May 7 14:31:45 CDT: ISAKMP: keylength of 256
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 5
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP: life type in seconds
May 7 14:31:45 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID seems Unity/DPD but major 69 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
May 7 14:31:45 CDT: ISAKMP (0:134218445): vendor ID is NAT-T v7
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID is NAT-T v3
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID is NAT-T v2
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): constructed NAT-T vendor-07 ID
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
May 7 14:31:45 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing KE payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing NONCE payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):found peer pre-shared key matching 200.1.1.1
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SKEYID state generated
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID is Unity
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID is DPD
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): speaking to another IOS box!
May 7 14:31:45 CDT: ISAKMP (0:134218445): NAT found, the node inside NAT
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
May 7 14:31:45 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing ID payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP (0:134218445): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 0
length : 12
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):: peer matches *none* of the profiles
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing HASH payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 64E4AB14
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SA authentication status:
authenticated
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.1.1.1 remote 200.1.1.1 remote port 4500
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SA authentication status:
authenticated
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SA has been authenticated with 200.1.1.1
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Detected port floating to port = 4500
May 7 14:31:45 CDT: ISAKMP: Trying to insert a peer 10.1.1.1/200.1.1.1/4500/, and inserted successfully 656AA2B0.
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Setting UDP ENC peer struct 0x661D688C sa= 0x64E4AB14
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
May 7 14:31:45 CDT: ISAKMP (0:134218445): ID payload
next-payload : 8
type : 1
address : 10.1.1.1
protocol : 17
port : 0
length : 12
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Total payload length: 12
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
May 7 14:31:52 CDT: ISAKMP: received ke message (1/1)
May 7 14:31:52 CDT: ISAKMP: set new node 0 to QM_IDLE
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE )
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):beginning Quick Mode exchange, M-ID of -1201835538
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):Node -1201835538, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 7 14:31:52 CDT: ISAKMP:(0:716:SW:1):purging SA., sa=64E55FE0, delme=64E55FE0
May 7 14:31:55 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 7 14:31:55 CDT: ISAKMP:(0:717:SW:1): phase 1 packet is a duplicate of a previous packet.
May 7 14:31:55 CDT: ISAKMP:(0:717:SW:1): retransmitting due to retransmit phase 1
May 7 14:31:56 CDT: ISAKMP:(0:717:SW:1): retransmitting phase 1 QM_IDLE ...
May 7 14:31:56 CDT: ISAKMP (0:134218445): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 7 14:31:56 CDT: ISAKMP:(0:717:SW:1): retransmitting phase 1 QM_IDLE
May 7 14:31:56 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
R2#
R2#
R2#
R2#un
May 7 14:32:02 CDT: ISAKMP:(0:717:SW:1): retransmitting phase 2 QM_IDLE -1201835538 ...
May 7 14:32:02 CDT: ISAKMP (0:134218445): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
May 7 14:32:02 CDT: ISAKMP (0:134218445): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
May 7 14:32:02 CDT: ISAKMP:(0:717:SW:1): retransmitting phase 2 -1201835538 QM_IDLE
May 7 14:32:02 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
The specific portion of the debug that has caught my attention is as follows toward the end:
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):Node -1201835538, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 7 14:31:52 CDT: ISAKMP:(0:716:SW:1):purging SA., sa=64E55FE0, delme=64E55FE0
May 7 14:31:55 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 7 14:31:55 CDT: ISAKMP:(0:717:SW:1): phase 1 packet is a duplicate of a previous packet.
Thank you for the suggestions Sokakkar. I did just what you asked with
undebug all
debug crypto condition peer ipv4
debug crypto isakmp
This is a production environment and I have altered the information for privacy reasons, so I am not able to reload either of the devices.
The debugs are as follows:
R1 DEBUGS:
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#
*May 8 20:14:18.668: ISAKMP:(6151):purging node -1205767715
*May 8 20:14:28.140: ISAKMP: local port 500, remote port 500
*May 8 20:14:28.144: ISAKMP: set new node 0 to QM_IDLE
*May 8 20:14:28.144: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 45FED9E4
*May 8 20:14:28.144: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*May 8 20:14:28.144: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:28.144: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*May 8 20:14:28.144: ISAKMP:(0): constructed NAT-T vendor-07 ID
*May 8 20:14:28.144: ISAKMP:(0): constructed NAT-T vendor-03 ID
*May 8 20:14:28.144: ISAKMP:(0): constructed NAT-T vendor-02 ID
*May 8 20:14:28.144: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*May 8 20:14:28.144: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*May 8 20:14:28.144: ISAKMP:(0): beginning Main Mode exchange
*May 8 20:14:28.144: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 8 20:14:28.144: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 8 20:14:28.356: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*May 8 20:14:28.356: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 8 20:14:28.356: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*May 8 20:14:28.356: ISAKMP:(0): processing SA payload. message ID = 0
*May 8 20:14:28.356: ISAKMP:(0): processing vendor id payload
*May 8 20:14:28.356: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 8 20:14:28.356: ISAKMP (0:0): vendor ID is NAT-T v7
*May 8 20:14:28.356: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:28.356: ISAKMP:(0): local preshared key found
*May 8 20:14:28.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*May 8 20:14:28.356: ISAKMP: encryption AES-CBC
*May 8 20:14:28.356: ISAKMP: keylength of 256
*May 8 20:14:28.356: ISAKMP: hash SHA
*May 8 20:14:28.356: ISAKMP: default group 5
*May 8 20:14:28.356: ISAKMP: auth pre-share
*May 8 20:14:28.356: ISAKMP: life type in seconds
*May 8 20:14:28.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:28.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:28.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:28.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 15 policy
*May 8 20:14:28.360: ISAKMP: encryption AES-CBC
*May 8 20:14:28.360: ISAKMP: keylength of 256
*May 8 20:14:28.360: ISAKMP: hash SHA
*May 8 20:14:28.360: ISAKMP: default group 5
*May 8 20:14:28.360: ISAKMP: auth pre-share
*May 8 20:14:28.360: ISAKMP: life type in seconds
*May 8 20:14:28.360: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:28.360: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:28.360: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:28.360: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
*May 8 20:14:28.360: ISAKMP: encryption AES-CBC
*May 8 20:14:28.360: ISAKMP: keylength of 256
*May 8 20:14:28.360: ISAKMP: hash SHA
*May 8 20:14:28.360: ISAKMP: default group 5
*May 8 20:14:28.360: ISAKMP: auth pre-share
*May 8 20:14:28.360: ISAKMP: life type in seconds
*May 8 20:14:28.360: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:28.360: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*May 8 20:14:28.360: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:28.360: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
*May 8 20:14:28.360: ISAKMP: encryption AES-CBC
*May 8 20:14:28.360: ISAKMP: keylength of 256
*May 8 20:14:28.360: ISAKMP: hash SHA
*May 8 20:14:28.360: ISAKMP: default group 5
*May 8 20:14:28.360: ISAKMP: auth pre-share
*May 8 20:14:28.360: ISAKMP: life type in seconds
*May 8 20:14:28.360: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:28.360: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 8 20:14:28.360: ISAKMP:(0):Acceptable atts:actual life: 0
*May 8 20:14:28.360: ISAKMP:(0):Acceptable atts:life: 0
*May 8 20:14:28.360: ISAKMP:(0):Fill atts in sa vpi_length:4
*May 8 20:14:28.360: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*May 8 20:14:28.360: ISAKMP:(0):Returning Actual lifetime: 86400
*May 8 20:14:28.360: ISAKMP:(0)::Started lifetime timer: 86400.
*May 8 20:14:28.360: ISAKMP:(0): processing vendor id payload
*May 8 20:14:28.360: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 8 20:14:28.360: ISAKMP (0:0): vendor ID is NAT-T v7
*May 8 20:14:28.360: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 8 20:14:28.360: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*May 8 20:14:28.360: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*May 8 20:14:28.360: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 8 20:14:28.360: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 8 20:14:28.360: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*May 8 20:14:28.580: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*May 8 20:14:28.580: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 8 20:14:28.580: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*May 8 20:14:28.580: ISAKMP:(0): processing KE payload. message ID = 0
*May 8 20:14:28.672: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 8 20:14:28.672: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:28.672: ISAKMP:(6153): processing vendor id payload
*May 8 20:14:28.672: ISAKMP:(6153): vendor ID is Unity
*May 8 20:14:28.672: ISAKMP:(6153): processing vendor id payload
*May 8 20:14:28.672: ISAKMP:(6153): vendor ID is DPD
*May 8 20:14:28.672: ISAKMP:(6153): processing vendor id payload
*May 8 20:14:28.672: ISAKMP:(6153): speaking to another IOS box!
*May 8 20:14:28.672: ISAKMP (0:6153): NAT found, the node outside NAT
*May 8 20:14:28.672: ISAKMP:(6153):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 8 20:14:28.672: ISAKMP:(6153):Old State = IKE_I_MM4 New State = IKE_I_MM4
*May 8 20:14:28.672: ISAKMP:(6151):purging SA., sa=45291908, delme=45291908
*May 8 20:14:28.672: ISAKMP:(6153):Send initial contact
*May 8 20:14:28.672: ISAKMP:(6153):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*May 8 20:14:28.672: ISAKMP (0:6153): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 0
length : 12
*May 8 20:14:28.672: ISAKMP:(6153):Total payload length: 12
*May 8 20:14:28.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:28.672: ISAKMP:(6153):Sending an IKE IPv4 Packet.
*May 8 20:14:28.676: ISAKMP:(6153):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 8 20:14:28.676: ISAKMP:(6153):Old State = IKE_I_MM4 New State = IKE_I_MM5
*May 8 20:14:33.780: %CRYPTO-4-IKMP_NO_SA: IKE message from 200.1.1.2 has no SA and is not an initialization offer
R1#
*May 8 20:14:38.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH...
*May 8 20:14:38.672: ISAKMP (0:6153): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*May 8 20:14:38.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH
*May 8 20:14:38.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:38.672: ISAKMP:(6153):Sending an IKE IPv4 Packet.
R1#
*May 8 20:14:48.664: ISAKMP:(6152):purging node 1194713063
*May 8 20:14:48.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH...
*May 8 20:14:48.672: ISAKMP (0:6153): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*May 8 20:14:48.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH
*May 8 20:14:48.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:48.672: ISAKMP:(6153):Sending an IKE IPv4 Packet.
R1#
*May 8 20:14:58.140: ISAKMP: local port 500, remote port 500
*May 8 20:14:58.140: ISAKMP: set new node 0 to QM_IDLE
*May 8 20:14:58.140: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 45FEE170
*May 8 20:14:58.140: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*May 8 20:14:58.140: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:58.140: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*May 8 20:14:58.140: ISAKMP:(0): constructed NAT-T vendor-07 ID
*May 8 20:14:58.140: ISAKMP:(0): constructed NAT-T vendor-03 ID
*May 8 20:14:58.140: ISAKMP:(0): constructed NAT-T vendor-02 ID
*May 8 20:14:58.140: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*May 8 20:14:58.140: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*May 8 20:14:58.140: ISAKMP:(0): beginning Main Mode exchange
*May 8 20:14:58.140: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 8 20:14:58.140: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 8 20:14:58.352: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*May 8 20:14:58.352: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 8 20:14:58.352: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*May 8 20:14:58.352: ISAKMP:(0): processing SA payload. message ID = 0
*May 8 20:14:58.356: ISAKMP:(0): processing vendor id payload
*May 8 20:14:58.356: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 8 20:14:58.356: ISAKMP (0:0): vendor ID is NAT-T v7
*May 8 20:14:58.356: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:58.356: ISAKMP:(0): local preshared key found
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: auth pre-share
*May 8 20:14:58.356: ISAKMP: life type in seconds
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:58.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 15 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: auth pre-share
*May 8 20:14:58.356: ISAKMP: life type in seconds
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:58.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: auth pre-share
*May 8 20:14:58.356: ISAKMP: life type in seconds
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*May 8 20:14:58.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: auth pre-share
*May 8 20:14:58.356: ISAKMP: life type in seconds
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 8 20:14:58.356: ISAKMP:(0):Acceptable atts:actual life: 0
*May 8 20:14:58.356: ISAKMP:(0):Acceptable atts:life: 0
*May 8 20:14:58.356: ISAKMP:(0):Fill atts in sa vpi_length:4
*May 8 20:14:58.356: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*May 8 20:14:58.356: ISAKMP:(0):Returning Actual lifetime: 86400
*May 8 20:14:58.356: ISAKMP:(0)::Started lifetime timer: 86400.
*May 8 20:14:58.356: ISAKMP:(0): processing vendor id payload
*May 8 20:14:58.356: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 8 20:14:58.356: ISAKMP (0:0): vendor ID is NAT-T v7
*May 8 20:14:58.356: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 8 20:14:58.356: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*May 8 20:14:58.356: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*May 8 20:14:58.356: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 8 20:14:58.360: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 8 20:14:58.360: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*May 8 20:14:58.580: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*May 8 20:14:58.580: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 8 20:14:58.580: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*May 8 20:14:58.580: ISAKMP:(0): processing KE payload. message ID = 0
*May 8 20:14:58.668: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 8 20:14:58.668: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:58.668: ISAKMP:(6154): processing vendor id payload
*May 8 20:14:58.668: ISAKMP:(6154): vendor ID is Unity
*May 8 20:14:58.668: ISAKMP:(6154): processing vendor id payload
*May 8 20:14:58.668: ISAKMP:(6154): vendor ID is DPD
*May 8 20:14:58.668: ISAKMP:(6154): processing vendor id payload
*May 8 20:14:58.668: ISAKMP:(6154): speaking to another IOS box!
*May 8 20:14:58.668: ISAKMP (0:6154): NAT found, the node outside NAT
*May 8 20:14:58.668: ISAKMP:(6154):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 8 20:14:58.668: ISAKMP:(6154):Old State = IKE_I_MM4 New State = IKE_I_MM4
*May 8 20:14:58.668: ISAKMP:(6152):purging SA., sa=45FEB894, delme=45FEB894
*May 8 20:14:58.668: ISAKMP:(6154):Send initial contact
*May 8 20:14:58.668: ISAKMP:(6154):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*May 8 20:14:58.668: ISAKMP (0:6154): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 0
length : 12
*May 8 20:14:58.668: ISAKMP:(6154):Total payload length: 12
*May 8 20:14:58.672: ISAKMP:(6154): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:58.672: ISAKMP:(6154):Sending an IKE IPv4 Packet.
*May 8 20:14:58.672: ISAKMP:(6154):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 8 20:14:58.672: ISAKMP:(6154):Old State = IKE_I_MM4 New State = IKE_I_MM5
*May 8 20:14:58.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH...
*May 8 20:14:58.672: ISAKMP (0:6153): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*May 8 20:14:58.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH
*May 8 20:14:58.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:58.672: ISAKMP:(6153):Sending an IKE IPv4 Packet.
R2 DEBUGS:
R2#debug crypto isakmp
Crypto ISAKMP debugging is on
R2#
May 8 15:17:52 CDT: ISAKMP: set new node 0 to QM_IDLE
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE )
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1):beginning Quick Mode exchange, M-ID of -1574699992
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1):Node -1574699992, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 8 15:17:52 CDT: ISAKMP:(0:1990:SW:1):purging SA., sa=64E62620, delme=64E62620
May 8 15:17:57 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:17:57 CDT: ISAKMP:(0:1991:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:17:57 CDT: ISAKMP:(0:1991:SW:1): retransmitting due to retransmit phase 1
May 8 15:17:58 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 1 QM_IDLE ...
May 8 15:17:58 CDT: ISAKMP (0:134219719): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 8 15:17:58 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 1 QM_IDLE
May 8 15:17:58 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:02 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 2 QM_IDLE -1574699992 ...
May 8 15:18:02 CDT: ISAKMP (0:134219719): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
May 8 15:18:02 CDT: ISAKMP (0:134219719): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
May 8 15:18:02 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 2 -1574699992 QM_IDLE
May 8 15:18:02 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:07 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:18:07 CDT: ISAKMP:(0:1991:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:18:07 CDT: ISAKMP:(0:1991:SW:1): retransmitting due to retransmit phase 1
May 8 15:18:08 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 1 QM_IDLE ...
May 8 15:18:08 CDT: ISAKMP (0:134219719): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
May 8 15:18:08 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 1 QM_IDLE
May 8 15:18:08 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:12 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 2 QM_IDLE -1574699992 ...
May 8 15:18:12 CDT: ISAKMP (0:134219719): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
May 8 15:18:12 CDT: ISAKMP (0:134219719): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
May 8 15:18:12 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 2 -1574699992 QM_IDLE
May 8 15:18:12 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:17 CDT: ISAKMP: local port 500, remote port 500
May 8 15:18:17 CDT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 64E62620
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 69 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
May 8 15:18:17 CDT: ISAKMP (0:0): vendor ID is NAT-T v7
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 200.1.1.1
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): local preshared key found
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption DES-CBC
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 1
May 8 15:18:17 CDT: ISAKMP: auth pre-share
May 8 15:18:17 CDT: ISAKMP: life type in seconds
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption 3DES-CBC
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 2
May 8 15:18:17 CDT: ISAKMP: auth pre-share
May 8 15:18:17 CDT: ISAKMP: life type in seconds
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption AES-CBC
May 8 15:18:17 CDT: ISAKMP: keylength of 256
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 2
May 8 15:18:17 CDT: ISAKMP: auth pre-share
May 8 15:18:17 CDT: ISAKMP: life type in seconds
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Diffie-Hellman group offered does not match policy!
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption AES-CBC
May 8 15:18:17 CDT: ISAKMP: keylength of 256
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 5
May 8 15:18:17 CDT: ISAKMP: auth pre-share
May 8 15:18:17 CDT: ISAKMP: life type in seconds
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID seems Unity/DPD but major 69 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
May 8 15:18:17 CDT: ISAKMP (0:134219720): vendor ID is NAT-T v7
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID is NAT-T v3
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID is NAT-T v2
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): constructed NAT-T vendor-07 ID
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
May 8 15:18:17 CDT: ISAKMP (0:134219720): received packet from 200.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing KE payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing NONCE payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):found peer pre-shared key matching 200.1.1.1
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SKEYID state generated
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID is Unity
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID is DPD
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): speaking to another IOS box!
May 8 15:18:17 CDT: ISAKMP (0:134219720): NAT found, the node inside NAT
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
May 8 15:18:17 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1): retransmitting due to retransmit phase 1
May 8 15:18:17 CDT: ISAKMP (0:134219720): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing ID payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP (0:134219720): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 0
length : 12
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):: peer matches *none* of the profiles
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing HASH payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 64E62620
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SA authentication status:
authenticated
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.64.11.253 remote 200.1.1.1 remote port 4500
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):received initial contact, deleting SA
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):peer does not do paranoid keepalives.
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 200.1.1.1)
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SA authentication status:
authenticated
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SA has been authenticated with 200.1.1.1
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Detected port floating to port = 4500
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Setting UDP ENC peer struct 0x0 sa= 0x64E62620
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
May 8 15:18:17 CDT: ISAKMP: set new node 231359858 to QM_IDLE
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):purging node 231359858
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
May 8 15:18:17 CDT: ISAKMP (0:134219720): ID payload
next-payload : 8
type : 1
address : 10.64.11.253
protocol : 17
port : 0
length : 12
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Total payload length: 12
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):deleting SA reason "No reason" state (R) QM_IDLE (peer 200.1.1.1)
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):deleting node -1574699992 error FALSE reason "IKE deleted"
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):Old State = IKE_DEST_SA New State = IKE_DEST_SA
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
R2#
May 8 15:18:22 CDT: ISAKMP: set new node 0 to QM_IDLE
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE )
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1):beginning Quick Mode exchange, M-ID of 1324849371
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1):Node 1324849371, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 8 15:18:27 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 8 15:18:27 CDT: ISAKMP (0:134219720): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:18:27 CDT: ISAKMP:(0:1992:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:18:27 CDT: ISAKMP:(0:1992:SW:1): retransmitting due to retransmit phase 1
May 8 15:18:28 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 1 QM_IDLE ...
May 8 15:18:28 CDT: ISAKMP (0:134219720): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 8 15:18:28 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 1 QM_IDLE
May 8 15:18:28 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
R2#
May 8 15:18:32 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 2 QM_IDLE 1324849371 ...
May 8 15:18:32 CDT: ISAKMP (0:134219720): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
May 8 15:18:32 CDT: ISAKMP (0:134219720): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
May 8 15:18:32 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 2 1324849371 QM_IDLE
May 8 15:18:32 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
R2#
May 8 15:18:37 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 8 15:18:37 CDT: ISAKMP (0:134219720): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:18:37 CDT: ISAKMP:(0:1992:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:18:37 CDT: ISAKMP:(0:1992:SW:1): retransmitting due to retransmit phase 1
May 8 15:18:38 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 1 QM_IDLE ...
May 8 15:18:38 CDT: ISAKMP (0:134219720): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
R2#
R2#
May 8 15:18:38 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 1 QM_IDLE
May 8 15:18:38 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDL -
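Reading a `debug crypto isakmp` capture like the R1 and R2 output above by hand means tracking four separate things at once: which ISAKMP policy finally accepted the proposal, what the NAT-T discovery concluded, whether the ports floated from UDP/500 to UDP/4500, and where the state machine stopped retransmitting. The following Python script is an added example, not code from the original post or from Cisco; it pulls those facts out of the debug text with patterns matching the IOS message formats visible above. The `SAMPLE_R1` string is a constructed, condensed excerpt modelled on the R1 output (same addresses and SA ids as on the page), and the function and field names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a condensed excerpt in the format of the R1 "debug crypto isakmp"
# output above (addresses and SA ids as they appear on the page, most lines trimmed away).
SAMPLE_R1 = """\
*May 8 20:14:28.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*May 8 20:14:28.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:28.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:28.360: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
*May 8 20:14:28.360: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*May 8 20:14:28.360: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:28.360: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
*May 8 20:14:28.360: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 8 20:14:28.360: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*May 8 20:14:28.672: ISAKMP (0:6153): NAT found, the node outside NAT
*May 8 20:14:28.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:28.676: ISAKMP:(6153):Old State = IKE_I_MM4 New State = IKE_I_MM5
*May 8 20:14:33.780: %CRYPTO-4-IKMP_NO_SA: IKE message from 200.1.1.2 has no SA and is not an initialization offer
*May 8 20:14:38.672: ISAKMP (0:6153): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*May 8 20:14:48.672: ISAKMP (0:6153): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
"""

# Patterns follow the IOS message formats seen in the debug output above.
CHECK_RE = re.compile(r"Checking ISAKMP transform \d+ against priority (\d+) policy")
REJECT_RE = re.compile(r":(\w[\w\- ]*) offered does not match policy!")
VERDICT_RE = re.compile(r"atts are (not )?acceptable")
NAT_RE = re.compile(r"NAT found, the node (inside|outside) NAT")
SEND_RE = re.compile(r"sending packet to \S+ my_port (\d+) peer_port (\d+)")
STATE_RE = re.compile(r"New State = (\S+)")
RETRANS_RE = re.compile(r"incrementing error counter on sa, attempt (\d+) of (\d+)")


@dataclass
class IkeSummary:
    policy_checks: List[Tuple[int, str]] = field(default_factory=list)  # (priority, verdict)
    accepted_priority: Optional[int] = None
    nat_position: Optional[str] = None   # "inside" or "outside" NAT, as NAT-T discovery reported
    floated_to_4500: bool = False        # NAT-T moved IKE and ESP to UDP/4500
    last_state: Optional[str] = None     # last state-machine state seen
    max_retransmit: int = 0              # highest "attempt N of 5" seen
    no_sa_messages: int = 0              # %CRYPTO-4-IKMP_NO_SA occurrences
    profile_mismatch: bool = False       # "peer matches *none* of the profiles"


def analyze(debug_text: str) -> IkeSummary:
    """Walk the debug lines once and collect the facts that decide phase 1."""
    s = IkeSummary()
    priority: Optional[int] = None   # policy currently being compared
    reason: Optional[str] = None     # attribute that failed for that policy
    for line in debug_text.splitlines():
        if m := CHECK_RE.search(line):
            priority, reason = int(m.group(1)), None
        elif m := REJECT_RE.search(line):
            reason = m.group(1)
        elif (m := VERDICT_RE.search(line)) and priority is not None:
            verdict = (reason or "rejected") if m.group(1) else "accepted"
            s.policy_checks.append((priority, verdict))
            if verdict == "accepted" and s.accepted_priority is None:
                s.accepted_priority = priority
            priority = None
        elif m := NAT_RE.search(line):
            s.nat_position = m.group(1)
        elif m := SEND_RE.search(line):
            if m.group(1) == "4500" and m.group(2) == "4500":
                s.floated_to_4500 = True
        elif m := RETRANS_RE.search(line):
            s.max_retransmit = max(s.max_retransmit, int(m.group(1)))
        elif "%CRYPTO-4-IKMP_NO_SA" in line:
            s.no_sa_messages += 1
        elif "peer matches *none* of the profiles" in line:
            s.profile_mismatch = True
        if m := STATE_RE.search(line):
            s.last_state = m.group(1)
    return s


def diagnose(s: IkeSummary) -> List[str]:
    """Turn the summary into the findings a troubleshooter would write down."""
    findings = []
    if s.accepted_priority is None:
        findings.append("no ISAKMP policy accepted the peer's proposal: "
                        + ", ".join(f"priority {p}: {v}" for p, v in s.policy_checks))
    else:
        findings.append(f"phase 1 proposal accepted by priority {s.accepted_priority} policy")
    if s.nat_position:
        findings.append(f"NAT-T discovery: this node is {s.nat_position} NAT")
    if s.floated_to_4500:
        findings.append("ports floated to UDP/4500: IKE and ESP now travel inside UDP/4500, "
                        "so that port must be allowed end to end, not only UDP/500 and ESP")
    if s.max_retransmit and s.last_state and "_MM" in s.last_state:
        findings.append(f"phase 1 stalled in {s.last_state} after {s.max_retransmit} retransmit(s): "
                        "the peer never answered the last main-mode message")
    if s.no_sa_messages:
        findings.append(f"{s.no_sa_messages} IKE message(s) arrived that matched no SA: "
                        "the peer is still sending on an SA this side has dropped")
    if s.profile_mismatch:
        findings.append("peer matched no ISAKMP profile on this side")
    return findings


if __name__ == "__main__":
    for finding in diagnose(analyze(SAMPLE_R1)):
        print("-", finding)
```

Feed a complete capture to `analyze()`: on the R1 output above the verdict list reproduces the walk through priorities 10, 15, 20 and 100, and the UDP/4500 finding is the first thing to verify once "NAT found" appears, because after the float every IKE and ESP packet is carried in UDP/4500 and any filter or NAT rule that only allowed UDP/500 and ESP silently drops it, which is exactly how a main-mode exchange ends up retransmitting MM_KEY_EXCH with no reply.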
IPsec over GRE not coming up, can't see why, debug inc...
Hi all,
Rattling my brains here. As far as I can see everything is fine and it should be working, but for some reason it's not, and I can't see anything in the debug that's hinting at the reason why. Can anyone help me out with this?
I'm normally good at this stuff, but this time it's got me!
The hub config works with 3 other spokes configured in the same way!
Thanks for any help guys
SPOKE
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key xxxxxxxxxxxxxxxxx address xxx.xxx.xxx.xx3
crypto isakmp keepalive 10 4
crypto isakmp nat keepalive 30
crypto ipsec transform-set AES-256_SHA esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile GRE_TUNNEL
 set transform-set AES-SHA
archive
 log config
  hidekeys
ip ssh version 2
interface Tunnel1
 bandwidth 100000
 ip address 192.168.100.103 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication xxxxxx
 ip nhrp map 192.168.100.1 xxx.xxx.xxx.xx3
 ip nhrp map multicast xxx.xxx.xxx.xx3
 ip nhrp network-id 100
 ip nhrp holdtime 450
 ip nhrp nhs 192.168.100.1
 ip tcp adjust-mss 1360
 qos pre-classify
 tunnel source Vlan100
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile GRE_TUNNEL
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 pvc 1/50
  dialer pool-member 1
  protocol ppp dialer
 dsl operating-mode auto
interface FastEthernet0
 switchport access vlan 100
interface FastEthernet1
 switchport access vlan 103
interface FastEthernet2
 switchport access vlan 103
interface FastEthernet3
 switchport access vlan 103
interface Vlan1
 no ip address
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 shutdown
interface Vlan100
 ip address dhcp
 ip nbar protocol-discovery
 ip nat outside
 ip inspect UserTraffic out
 ip virtual-reassembly
interface Vlan103
 ip address 192.168.103.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
router eigrp 100
 network 192.168.100.0
 network 192.168.103.0
 auto-summary
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.254
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list OUTBOUND interface Vlan100 overload
ip access-list extended INBOUND
 deny tcp any any eq 22
 deny tcp any any eq telnet
 permit ip any any
 deny ip any any
ip access-list extended OUTBOUND
 permit ip any any
 deny ip any any
HUB
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 15
 encr 3des
 authentication pre-share
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 7800
crypto isakmp policy 50
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key xxxxxxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp fragmentation
crypto isakmp keepalive 10 4
crypto isakmp nat keepalive 30
crypto ipsec security-association idle-time 7800
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode transport
crypto ipsec transform-set AES_MD5_TUNNEL esp-aes 256 esp-md5-hmac
crypto ipsec profile DataTunnels
 set transform-set AES-SHA
interface Tunnel1
 bandwidth 1000
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 100
 ip nhrp authentication xxxxxxxxxxx
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 450
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 qos pre-classify
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DataTunnels
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 1/50
  dialer pool-member 1
  protocol ppp dialer
interface FastEthernet0
 description INTERNAL LAN
 switchport access vlan 201
interface FastEthernet1
 switchport access vlan 201
interface FastEthernet2
 switchport access vlan 201
interface Vlan201
 ip address 192.168.201.254 255.255.255.252
 ip nat inside
 ip virtual-reassembly
interface Dialer1
 ip address negotiated
 ip access-group INBOUND in
 ip nbar protocol-discovery
 ip nat outside
 ip inspect UserTraffic out
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1300
 load-interval 30
 no cdp enable
router eigrp 100
 network 192.168.100.0
 network 192.168.201.0
 redistribute static
router nhrp
router odr
ip nat inside source list OUTBOUND interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip access-list extended INBOUND
 permit ip 192.168.250.0 0.0.0.15 192.168.101.0 0.0.0.255
 deny tcp any any eq 22
 deny tcp any any eq telnet
 permit tcp any host xxx.xxx.xxx.xx3 eq www
 permit tcp any host xxx.xxx.xxx.xx3 eq 443
 permit tcp any host xxx.xxx.xxx.xx3 eq smtp
 permit udp any host xxx.xxx.xxx.xx3 eq isakmp
 permit esp any host xxx.xxx.xxx.xx3
 permit ahp any host xxx.xxx.xxx.xx3
 permit udp any host xxx.xxx.xxx.xx3 eq non500-isakmp
 deny ip any any
 permit ip any any
ip access-list extended OUTBOUND
 permit tcp any any eq smtp
 permit tcp any any eq 443
 permit ip 192.168.201.0 0.0.0.255 any
 deny ip any any
DEBUG
CWT-DATA#sh ip nhrp detail
192.168.100.1/32 via 192.168.100.1, Tunnel1 created 1w5d, never expire
Type: static, Flags: used
NBMA address: xxx.xxx.xxx.xx3
CWT-DATA#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst              src              state          conn-id slot status
xxx.xxx.xxx.xx3  192.168.1.7      MM_NO_STATE       2821    0 ACTIVE (deleted)
Jul 4 12:53:35.551: ISAKMP:(2822):Sending an IKE IPv4 Packet.
CWT-DATA#
Jul 4 12:53:45.553: ISAKMP:(2822): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:53:45.553: ISAKMP:(2822):peer does not do paranoid keepalives.
Jul 4 12:53:45.553: ISAKMP:(2822):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer xxx.xxx.xxx.xx3)
Jul 4 12:53:45.553: ISAKMP:(2822):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer xxx.xxx.xxx.xx3)
Jul 4 12:53:45.553: ISAKMP: Unlocking peer struct 0x835CCCE8 for isadb_mark_sa_deleted(), count 0
Jul 4 12:53:45.553: ISAKMP: Deleting peer node by peer_reap for xxx.xxx.xxx.xx3: 835CCCE8
Jul 4 12:53:45.553: ISAKMP:(2822):deleting node -32418685 error FALSE reason "IKE deleted"
Jul 4 12:53:45.553: ISAKMP:(2822):deleting node 2092182627 error FALSE reason "IKE deleted"
Jul 4 12:53:45.553: ISAKMP:(2822):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jul 4 12:53:45.553: ISAKMP:(2822):Old State = IKE_I_MM5 New State = IKE_DEST_SA
Jul 4 12:53:45.585: ISAKMP:(0): SA request profile is (NULL)
Jul 4 12:53:45.585: ISAKMP: Created a peer struct for xxx.xxx.xxx.xx3, peer port 500
Jul 4 12:53:45.585: ISAKMP: New peer created peer = 0x835CCCE8 peer_handle = 0x800025C0
Jul 4 12:53:45.585: ISAKMP: Locking peer struct 0x835CCCE8, refcount 1 for isakmp_initiator
Jul 4 12:53:45.585: ISAKMP: local port 500, remote port 500
Jul 4 12:53:45.585: ISAKMP: set new node 0 to QM_IDLE
Jul 4 12:53:45.585: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8333DA70
Jul 4 12:53:45.585: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Jul 4 12:53:45.585: ISAKMP:(0):found peer pre-shared key matching xxx.xxx.xxx.xx3
Jul 4 12:53:45.585: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Jul 4 12:53:45.585: ISAKMP:(0): constructed NAT-T vendor-07 ID
Jul 4 12:53:45.585: ISAKMP:(0): constructed NAT-T vendor-03 ID
Jul 4 12:53:45.585: ISAKMP:(0): constructed NAT-T vendor-02 ID
Jul 4 12:53:45.585: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jul 4 12:53:45.585: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Jul 4 12:53:45.589: ISAKMP:(0): beginning Main Mode exchange
Jul 4 12:53:45.589: ISAKMP:(0): sending packet to xxx.xxx.xxx.xx3 my_port 500 peer_port 500 (I) MM_NO_STATE
Jul 4 12:53:45.589: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 4 12:53:45.653: ISAKMP (0:0): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_NO_STATE
Jul 4 12:53:45.653: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 4 12:53:45.653: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Jul 4 12:53:45.653: ISAKMP:(0): processing SA payload. message ID = 0
Jul 4 12:53:45.653: ISAKMP:(0): processing vendor id payload
Jul 4 12:53:45.653: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Jul 4 12:53:45.653: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Jul 4 12:53:45.653: ISAKMP:(0):found peer pre-shared key matching xxx.xxx.xxx.xx3
Jul 4 12:53:45.653: ISAKMP:(0): local preshared key found
Jul 4 12:53:45.653: ISAKMP : Scanning profiles for xauth ...
Jul 4 12:53:45.653: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Jul 4 12:53:45.653: ISAKMP: encryption AES-CBC
Jul 4 12:53:45.653: ISAKMP: keylength of 256
Jul 4 12:53:45.653: ISAKMP: hash SHA
Jul 4 12:53:45.653: ISAKMP: default group 5
Jul 4 12:53:45.653: ISAKMP: auth pre-share
Jul 4 12:53:45.653: ISAKMP: life type in seconds
Jul 4 12:53:45.653: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Jul 4 12:53:45.657: ISAKMP:(0):atts are acceptable. Next payload is 0
Jul 4 12:53:45.657: ISAKMP:(0):Acceptable atts:actual life: 0
Jul 4 12:53:45.657: ISAKMP:(0):Acceptable atts:life: 0
Jul 4 12:53:45.657: ISAKMP:(0):Fill atts in sa vpi_length:4
Jul 4 12:53:45.657: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Jul 4 12:53:45.657: ISAKMP:(0):Returning Actual lifetime: 86400
Jul 4 12:53:45.657: ISAKMP:(0)::Started lifetime timer: 86400.
Jul 4 12:53:45.657: ISAKMP:(0): processing vendor id payload
Jul 4 12:53:45.657: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Jul 4 12:53:45.657: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Jul 4 12:53:45.657: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 4 12:53:45.657: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Jul 4 12:53:45.657: ISAKMP:(0): sending packet to xxx.xxx.xxx.xx3 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jul 4 12:53:45.657: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 4 12:53:45.661: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
CWT-DATA#
Jul 4 12:53:45.661: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Jul 4 12:53:45.813: ISAKMP (0:0): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_SA_SETUP
Jul 4 12:53:45.817: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 4 12:53:45.817: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Jul 4 12:53:45.817: ISAKMP:(0): processing KE payload. message ID = 0
Jul 4 12:53:45.989: ISAKMP:(0): processing NONCE payload. message ID = 0
Jul 4 12:53:45.989: ISAKMP:(0):found peer pre-shared key matching xxx.xxx.xxx.xx3
Jul 4 12:53:45.993: ISAKMP:(2823): processing vendor id payload
Jul 4 12:53:45.993: ISAKMP:(2823): vendor ID is Unity
Jul 4 12:53:45.993: ISAKMP:(2823): processing vendor id payload
Jul 4 12:53:45.993: ISAKMP:(2823): vendor ID is DPD
Jul 4 12:53:45.993: ISAKMP:(2823): processing vendor id payload
Jul 4 12:53:45.993: ISAKMP:(2823): speaking to another IOS box!
Jul 4 12:53:45.993: ISAKMP:received payload type 20
Jul 4 12:53:45.993: ISAKMP (0:2823): NAT found, the node inside NAT
Jul 4 12:53:45.993: ISAKMP:received payload type 20
Jul 4 12:53:45.993: ISAKMP:(2823):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 4 12:53:45.993: ISAKMP:(2823):Old State = IKE_I_MM4 New State = IKE_I_MM4
Jul 4 12:53:45.993: ISAKMP:(2823):Send initial contact
Jul 4 12:53:45.993: ISAKMP:(2823):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jul 4 12:53:45.993: ISAKMP (0:2823): ID payload
next-payload : 8
type : 1
address : 192.168.1.7
protocol : 17
port : 0
length : 12
Jul 4 12:53:45.993: ISAKMP:(2823):Total payload length: 12
Jul 4 12:53:45.997: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Jul 4 12:53:45.997: ISAKMP:(2823):Sending an IKE IPv4 Packet.
Jul 4 12:53:45.997: ISAKMP:(2823):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
CWT-DATA#
Jul 4 12:53:45.997: ISAKMP:(2823):Old State = IKE_I_MM4 New State = IKE_I_MM5
CWT-DATA#
Jul 4 12:53:55.794: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:53:55.794: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:53:55.794: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:53:56.294: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:53:56.294: ISAKMP (0:2823): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Jul 4 12:53:56.294: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
Jul 4 12:53:56.294: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
CWT-DATA#
Jul 4 12:53:56.294: ISAKMP:(2823):Sending an IKE IPv4 Packet.
CWT-DATA#
Jul 4 12:54:05.795: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:05.795: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:05.795: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:54:06.295: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:54:06.295: ISAKMP (0:2823): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Jul 4 12:54:06.295: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
Jul 4 12:54:06.295: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
CWT-DATA#
Jul 4 12:54:06.295: ISAKMP:(2823):Sending an IKE IPv4 Packet.
CWT-DATA#
Jul 4 12:54:15.797: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:15.797: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:15.797: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:54:16.297: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:54:16.297: ISAKMP (0:2823): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Jul 4 12:54:16.297: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
Jul 4 12:54:16.297: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
CWT-DATA#
Jul 4 12:54:16.297: ISAKMP:(2823):Sending an IKE IPv4 Packet.
CWT-DATA#
Jul 4 12:54:19.537: ISAKMP: set new node 0 to QM_IDLE
Jul 4 12:54:19.537: ISAKMP:(2823):SA is still budding. Attached new ipsec request to it. (local 192.168.1.7, remote xxx.xxx.xxx.xx3)
Jul 4 12:54:19.537: ISAKMP: Error while processing SA request: Failed to initialize SA
Jul 4 12:54:19.537: ISAKMP: Error while processing KMI message 0, error 2.
CWT-DATA#
Jul 4 12:54:25.794: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:25.798: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:25.798: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:54:26.298: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:54:26.298: ISAKMP (0:2823): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Jul 4 12:54:26.298: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
Jul 4 12:54:26.298: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
CWT-DATA#
Jul 4 12:54:26.298: ISAKMP:(2823):Sending an IKE IPv4 Packet.
CWT-DATA#
Jul 4 12:54:35.555: ISAKMP:(2822):purging node -32418685
Jul 4 12:54:35.555: ISAKMP:(2822):purging node 2092182627
Jul 4 12:54:35.795: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:35.795: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:35.795: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:54:36.295: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:54:36.295: ISAKMP (0:2823): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Jul 4 12:54:36.295: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
CWT-DATA#
Jul 4 12:54:36.295: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Jul 4 12:54:36.295: ISAKMP:(2823):Sending an IKE IPv4 Packet.
CWT-DATA#no debug all
All possible debugging has been turned off

Here's the hub debug:
CWCH#
*Jul 5 11:58:16.208: ISAKMP: set new node 1382820308 to QM_IDLE
*Jul 5 11:58:16.208: ISAKMP:(2116): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 4500 (R) QM_IDLE
*Jul 5 11:58:16.208: ISAKMP:(2116):Sending an IKE IPv4 Packet.
*Jul 5 11:58:16.208: ISAKMP:(2116):purging node 1382820308
*Jul 5 11:58:16.208: ISAKMP:(2116):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
*Jul 5 11:58:16.208: ISAKMP:(2116):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:02:47.504: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:02:47.504: ISAKMP: set new node -146383553 to QM_IDLE
*Jul 5 12:02:47.504: ISAKMP:(2120): processing HASH payload. message ID = -146383553
*Jul 5 12:02:47.504: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -146383553, sa = 0x854A7094
*Jul 5 12:02:47.504: ISAKMP:(2120):deleting node -146383553 error FALSE reason "Informational (in) state 1"
*Jul 5 12:02:47.504: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:02:47.504: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:02:47.504: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE3C
*Jul 5 12:02:47.504: ISAKMP: set new node -1398198787 to QM_IDLE
*Jul 5 12:02:47.504: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = -1398198787
*Jul 5 12:02:47.504: ISAKMP:(2120): seq. no 0x63A1AE3C
*Jul 5 12:02:47.504: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:02:47.504: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#
*Jul 5 12:02:47.504: ISAKMP:(2120):purging node -1398198787
*Jul 5 12:02:47.504: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:02:47.504: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
CWCH#
*Jul 5 12:02:52.516: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:02:52.516: ISAKMP: set new node -459292560 to QM_IDLE
*Jul 5 12:02:52.516: ISAKMP:(2120): processing HASH payload. message ID = -459292560
*Jul 5 12:02:52.516: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -459292560, sa = 0x854A7094
*Jul 5 12:02:52.516: ISAKMP:(2120):deleting node -459292560 error FALSE reason "Informational (in) state 1"
*Jul 5 12:02:52.516: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:02:52.516: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:02:52.516: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE3D
*Jul 5 12:02:52.516: ISAKMP: set new node -1245354522 to QM_IDLE
*Jul 5 12:02:52.516: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = -1245354522
*Jul 5 12:02:52.516: ISAKMP:(2120): seq. no 0x63A1AE3D
*Jul 5 12:02:52.516: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:02:52.516: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#
*Jul 5 12:02:52.516: ISAKMP:(2120):purging node -1245354522
*Jul 5 12:02:52.520: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:02:52.520: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
CWCH#
*Jul 5 12:02:55.636: ISAKMP:(2119):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:02:55.636: ISAKMP:(2119):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:02:55.656: ISAKMP:(2119):purging node 926310294
CWCH#
*Jul 5 12:02:58.000: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:02:58.000: ISAKMP: set new node -1957053939 to QM_IDLE
*Jul 5 12:02:58.000: ISAKMP:(2120): processing HASH payload. message ID = -1957053939
*Jul 5 12:02:58.000: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -1957053939, sa = 0x854A7094
*Jul 5 12:02:58.000: ISAKMP:(2120):deleting node -1957053939 error FALSE reason "Informational (in) state 1"
*Jul 5 12:02:58.000: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:02:58.000: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:02:58.000: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE3E
*Jul 5 12:02:58.000: ISAKMP: set new node -1198504167 to QM_IDLE
*Jul 5 12:02:58.004: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = -1198504167
*Jul 5 12:02:58.004: ISAKMP:(2120): seq. no 0x63A1AE3E
*Jul 5 12:02:58.004: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:02:58.004: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#
*Jul 5 12:02:58.004: ISAKMP:(2120):purging node -1198504167
*Jul 5 12:02:58.004: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:02:58.004: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
CWCH#
*Jul 5 12:03:03.000: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:03:03.000: ISAKMP: set new node 599666073 to QM_IDLE
*Jul 5 12:03:03.000: ISAKMP:(2120): processing HASH payload. message ID = 599666073
*Jul 5 12:03:03.000: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 599666073, sa = 0x854A7094
*Jul 5 12:03:03.000: ISAKMP:(2120):deleting node 599666073 error FALSE reason "Informational (in) state 1"
*Jul 5 12:03:03.000: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:03:03.000: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:03:03.000: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE3F
*Jul 5 12:03:03.000: ISAKMP: set new node 1035716483 to QM_IDLE
*Jul 5 12:03:03.000: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = 1035716483
*Jul 5 12:03:03.000: ISAKMP:(2120): seq. no 0x63A1AE3F
*Jul 5 12:03:03.000: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:03:03.000: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#
*Jul 5 12:03:03.004: ISAKMP:(2120):purging node 1035716483
*Jul 5 12:03:03.004: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:03:03.004: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
CWCH#
*Jul 5 12:03:08.008: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:03:08.008: ISAKMP: set new node 230166927 to QM_IDLE
*Jul 5 12:03:08.008: ISAKMP:(2120): processing HASH payload. message ID = 230166927
*Jul 5 12:03:08.008: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 230166927, sa = 0x854A7094
*Jul 5 12:03:08.008: ISAKMP:(2120):deleting node 230166927 error FALSE reason "Informational (in) state 1"
*Jul 5 12:03:08.008: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:03:08.008: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:03:08.008: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE40
*Jul 5 12:03:08.008: ISAKMP: set new node -1886395474 to QM_IDLE
*Jul 5 12:03:08.008: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = -1886395474
*Jul 5 12:03:08.008: ISAKMP:(2120): seq. no 0x63A1AE40
*Jul 5 12:03:08.012: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:03:08.012: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#no
*Jul 5 12:03:08.012: ISAKMP:(2120):purging node -1886395474
*Jul 5 12:03:08.012: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:03:08.012: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:03:13.000: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:03:13.000: ISAKMP: set new node 841395293 to QM_IDLE
*Jul 5 12:03:13.000: ISAKMP:(2120): processing HASH payload. message ID = 841395293
*Jul 5 12:03:13.000: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 841395293, sa = 0x854A7094
*Jul 5 12:03:13.000: ISAKMP:(2120):deleting node 841395293 error FALSE reason "Informational (in) state 1"
*Jul 5 12:03:13.000: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:03:13.000: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:03:13.000: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE41
*Jul 5 12:03:13.000: ISAKMP: set new node -820358795 to QM_IDLE
*Jul 5 12:03:13.000: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = -820358795
*Jul 5 12:03:13.000: ISAKMP:(2120): seq. no 0x63A1AE41
*Jul 5 12:03:13.000: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:03:13.000: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#no debug all
All possible debugging has been turned off
CWCH#
*Jul 5 12:03:13.004: ISAKMP:(2120):purging node -820358795
*Jul 5 12:03:13.004: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:03:13.004: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
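Added example, not part of the post above: a short Python script that does two things with the debug output. It computes the RFC 3947 NAT-D payload (ISAKMP payload type 20) the way both peers do, which is what produces the spoke's "NAT found, the node inside NAT" line, and it scans `debug crypto isakmp` lines for the NAT-T port float and for a peer whose packets keep arriving on UDP 500 after this side has moved to UDP 4500. The lines in SAMPLE_DEBUG are a constructed subset of the spoke debug above, with the hub address masked as in the post; the ISAKMP cookies used in the NAT-D calls are made-up test values, and the regexes assume the IOS debug line shapes shown on this page.

```python
"""Analyse Cisco IOS `debug crypto isakmp` output for NAT-T problems.

Added example, not code from the original post. Two parts:
  1. natd_hash() / nat_detected(): the RFC 3947 NAT-D computation behind
     the spoke's "NAT found, the node inside NAT" line.
  2. analyse_isakmp_debug(): walk the debug lines and report whether the
     peer followed the port float from UDP 500 to UDP 4500.
SAMPLE_DEBUG is constructed from the spoke debug in the post.
"""
import hashlib
import ipaddress
import re
import struct


def natd_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, alg: str = "sha1") -> bytes:
    """NAT-D = HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 3.2.
    The hash is the one negotiated for the ISAKMP SA (the debug shows
    'hash SHA'); IP is the packed address, Port is 16-bit big-endian."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(alg, data).digest()


def nat_detected(received_hash: bytes, cky_i: bytes, cky_r: bytes,
                 observed_ip: str, observed_port: int, alg: str = "sha1") -> bool:
    """Receiver side: recompute the sender's NAT-D over the source IP/port
    actually seen in the IP/UDP header. A mismatch means a NAT rewrote it,
    and both sides then move IKE and ESP to UDP 4500."""
    return natd_hash(cky_i, cky_r, observed_ip, observed_port, alg) != received_hash


# IOS debug line shapes (assumed from the lines on this page).
SEND_RE = re.compile(r"ISAKMP:\((\d+)\): sending packet to (\S+) my_port (\d+) peer_port (\d+) \(([IR])\) (\S+)")
RECV_RE = re.compile(r"ISAKMP \((?:\d+:)?(\d+)\): received packet from (\S+) dport (\d+) sport (\d+) Global \(([IR])\) (\S+)")
NAT_RE = re.compile(r"NAT found, the node inside NAT")
RETX_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")


def analyse_isakmp_debug(lines):
    """Return what a NAT-T troubleshooter wants from a phase 1 debug: was a
    NAT detected, did this side float to 4500, and did the peer follow."""
    report = {
        "nat_found": False,
        "floated_to_4500": False,
        "peer_packets_on_500_after_float": 0,
        "peer_packets_on_4500_after_float": 0,
        "phase1_retransmits": 0,
        "last_state": None,
    }
    for line in lines:
        if NAT_RE.search(line):
            report["nat_found"] = True
            continue
        m = SEND_RE.search(line)
        if m:
            _, _, my_port, peer_port, _, state = m.groups()
            report["last_state"] = state
            if my_port == "4500" and peer_port == "4500":
                report["floated_to_4500"] = True
            continue
        m = RECV_RE.search(line)
        if m:
            _, _, dport, _, _, state = m.groups()   # dport is our local port
            report["last_state"] = state
            if report["floated_to_4500"]:
                key = "peer_packets_on_4500_after_float" if dport == "4500" else "peer_packets_on_500_after_float"
                report[key] += 1
            continue
        m = RETX_RE.search(line)
        if m:
            report["phase1_retransmits"] = max(report["phase1_retransmits"], int(m.group(1)))
    report["verdict"] = _verdict(report)
    return report


def _verdict(r):
    if not r["nat_found"]:
        return "no NAT detected; NAT-T not in play"
    if not r["floated_to_4500"]:
        return "NAT detected but no port float to UDP 4500"
    if r["peer_packets_on_500_after_float"] and not r["peer_packets_on_4500_after_float"]:
        return ("peer keeps retransmitting on UDP 500 after we moved to 4500: "
                "it never received our UDP 4500 packets, so check UDP 4500 "
                "through the NAT and the ACL in front of the peer")
    return "NAT-T port float looks healthy"


SAMPLE_DEBUG = [  # constructed subset of the spoke debug in the post
    "Jul 4 12:53:45.589: ISAKMP:(0): sending packet to xxx.xxx.xxx.xx3 my_port 500 peer_port 500 (I) MM_NO_STATE",
    "Jul 4 12:53:45.653: ISAKMP (0:0): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_NO_STATE",
    "Jul 4 12:53:45.993: ISAKMP:received payload type 20",
    "Jul 4 12:53:45.993: ISAKMP (0:2823): NAT found, the node inside NAT",
    "Jul 4 12:53:45.997: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH",
    "Jul 4 12:53:55.794: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH",
    "Jul 4 12:53:56.294: ISAKMP (0:2823): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1",
    "Jul 4 12:53:56.294: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH",
    "Jul 4 12:54:05.795: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH",
    "Jul 4 12:54:06.295: ISAKMP (0:2823): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1",
    "Jul 4 12:54:15.797: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH",
    "Jul 4 12:54:16.297: ISAKMP (0:2823): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1",
]

if __name__ == "__main__":
    for key, value in analyse_isakmp_debug(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Run as-is it prints the report for the sample; feed your own capture to analyse_isakmp_debug() as a list of lines. On the spoke debug above the pattern is the one the verdict describes: after "NAT found" every packet the spoke sends goes to 4500, yet every packet from the hub still lands on dport 500, and the hub's own debug shows it answering a different peer on 4500/62560, so the hub side does speak NAT-T. That narrows the problem to UDP 4500 not getting from the spoke's NAT to the hub.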