IPsec within IPsec problem
So this is the scenario:
- IPsec tunnel between two 881s
- An Aruba access point trying to set up a tunnel back to the controller through the IPsec tunnel, on UDP 4500
- Even though traffic shouldn't be NAT'ed (and other traffic is not), UDP 4500 is NAT'ed
I guess this might be default behaviour; the thing is that it used to work when it was set up as a route-based Easy VPN.
Anyone got a good idea for a workaround?
Create a GRE tunnel between the routers that traverses the VPN. Then put the Aruba traffic into the GRE tunnel.
Sent from Cisco Technical Support iPad App
Similar Messages
-
Two Cisco ASA 5505, IPSec Multiple Subnets, Problem with Phase2, DSL
Hi all.
we have following IPSec configuration:
ASA Site 1:
Cisco Adaptive Security Appliance Software Version 9.1(1)
crypto ipsec ikev1 transform-set TSAES esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TSMD5 esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal PropAES256
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.28.60.0 255.255.254.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0
crypto map CMVPN 5 match address SITE_2
crypto map CMVPN 5 set peer IP_SITE2
crypto map CMVPN 5 set ikev2 ipsec-proposal PropAES256
crypto map CMVPN interface OUTSIDE
route OUTSIDE 172.27.97.0 255.255.255.0 citic-internet-gw 255
route OUTSIDE 172.27.99.0 255.255.255.0 citic-internet-gw 255
tunnel-group IP_SITE2 type ipsec-l2l
tunnel-group IP_SITE2 general-attributes
default-group-policy VPN_S2S_WAN
tunnel-group IP_SITE2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
ASA Site 2:
Cisco Adaptive Security Appliance Software Version 9.1(4)
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.28.60.0 255.255.254.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.22.0.0 255.255.0.0
crypto map CMVPN 10 match address SITE_1
crypto map CMVPN 10 set peer IP_SITE1
crypto map CMVPN 10 set ikev2 ipsec-proposal IKEV2AES
crypto map CMVPN 10 set reverse-route
crypto map CMVPN interface OUTSIDE
tunnel-group IP_SITE1 type ipsec-l2l
tunnel-group IP_SITE1 general-attributes
default-group-policy VPN_S2S_WAN
tunnel-group IP_SITE1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
We are not able to reach 172.27.99.x IPs from 172.22.20.x.
It seems that the phase 2 for this subnet is missing... as long as we try to reach any IP in 172.22.20.x from 172.27.99.x.
We are using a similar configuration on many sites and it works correctly, except on sites with a DSL line.
We can exclude a problem with NAT, ACL or routing. The connection is working fine as long as "we open all phase 2 manually". After the tunnel is re-opened (idle timeout) the problem comes back.
Thanks in advance for your help.
Regards.
Jan
ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
Session Type: LAN-to-LAN Detailed
Connection : IP ASA Site 2
Index : 3058 IP Addr : IP ASA Site 2
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES256 IPsec: (3)AES256
Hashing : IKEv2: (1)SHA512 IPsec: (3)SHA1
Bytes Tx : 423634 Bytes Rx : 450526
Login Time : 19:59:35 HKT Tue Apr 29 2014
Duration : 1h:50m:45s
IKEv2 Tunnels: 1
IPsec Tunnels: 3
IKEv2:
Tunnel ID : 3058.1
UDP Src Port : 500 UDP Dst Port : 500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption : AES256 Hashing : SHA512
Rekey Int (T): 86400 Seconds Rekey Left(T): 79756 Seconds
PRF : SHA512 D/H Group : 5
Filter Name :
IPv6 Filter :
IPsec:
Tunnel ID : 3058.2
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22156 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607648 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 312546 Bytes Rx : 361444
Pkts Tx : 3745 Pkts Rx : 3785
IPsec:
Tunnel ID : 3058.3
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22165 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607952 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 50014 Bytes Rx : 44621
Pkts Tx : 496 Pkts Rx : 503
IPsec:
Tunnel ID : 3058.4
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22324 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607941 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 61074 Bytes Rx : 44461
Pkts Tx : 402 Pkts Rx : 437
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 6648 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
.... after ping from 172.27.99.x any ip in 172.22.20.x.
ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
Session Type: LAN-to-LAN Detailed
Connection : IP ASA Site 2
Index : 3058 IP Addr : IP ASA Site 2
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES256 IPsec: (4)AES256
Hashing : IKEv2: (1)SHA512 IPsec: (4)SHA1
Bytes Tx : 784455 Bytes Rx : 1808965
Login Time : 19:59:35 HKT Tue Apr 29 2014
Duration : 2h:10m:48s
IKEv2 Tunnels: 1
IPsec Tunnels: 4
IKEv2:
Tunnel ID : 3058.1
UDP Src Port : 500 UDP Dst Port : 500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption : AES256 Hashing : SHA512
Rekey Int (T): 86400 Seconds Rekey Left(T): 78553 Seconds
PRF : SHA512 D/H Group : 5
Filter Name :
IPv6 Filter :
IPsec:
Tunnel ID : 3058.2
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 20953 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4606335 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 652492 Bytes Rx : 1705136
Pkts Tx : 7419 Pkts Rx : 7611
IPsec:
Tunnel ID : 3058.3
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 20962 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607942 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 60128 Bytes Rx : 52359
Pkts Tx : 587 Pkts Rx : 594
IPsec:
Tunnel ID : 3058.4
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 21121 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607931 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 70949 Bytes Rx : 50684
Pkts Tx : 475 Pkts Rx : 514
IPsec:
Tunnel ID : 3058.5
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 28767 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4608000 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 961 Bytes Rx : 871
Pkts Tx : 17 Pkts Rx : 14
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 7852 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
Hi,
On 212 I see
tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
tunnel-group 195.xxx.xxx.xxx ipsec-attributes
pre-shared-key
When you define the peer with a static tunnel-group entry, the ASA looks for the peer configuration in a static crypto map. If the peer is behind static NAT, configure a proper static crypto map with a matching ACL and proposals.
If the peer is behind dynamic NAT, refer to this example: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
Regards,
Abaji. -
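As an added example (not code from the thread), a small Python check for the situation Jan describes above: it compares the crypto ACL entries against the child SAs listed by `show vpn-sessiondb detail` and reports every ACL entry that has no active Phase 2 SA. The sample ACL is the SITE_2 list from the post and the session text is trimmed from the first output above; since the ASA negotiates a child SA per ACL entry on demand, an entry without an SA only matters once traffic matching it has actually been sent.

```python
import re
from ipaddress import ip_network

# Constructed sample input, copied from the ASA Site 1 configuration in the post.
ACL_TEXT = """
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.28.60.0 255.255.254.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0
"""

# Constructed sample: the IPsec sections of the first 'show vpn-sessiondb detail l2l'
# output in the post (three child SAs), trimmed to the lines this script reads.
SESSION_BEFORE = """
IKEv2:
  Tunnel ID    : 3058.1
IPsec:
  Tunnel ID    : 3058.2
  Local Addr   : 172.22.0.0/255.255.0.0/0/0
  Remote Addr  : 172.27.97.0/255.255.255.0/0/0
IPsec:
  Tunnel ID    : 3058.3
  Local Addr   : 172.27.0.0/255.255.0.0/0/0
  Remote Addr  : 172.27.97.0/255.255.255.0/0/0
IPsec:
  Tunnel ID    : 3058.4
  Local Addr   : 172.27.0.0/255.255.0.0/0/0
  Remote Addr  : 172.27.99.0/255.255.255.0/0/0
"""

# One extended ACE: name, local net, local mask, remote net, remote mask.
ACE_RE = re.compile(
    r"^\s*access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)
# 'Local Addr : net/mask/proto/port' and 'Remote Addr : ...' lines of a child SA.
ADDR_RE = re.compile(r"^\s*(Local|Remote) Addr\s*:\s*(\S+?)/(\S+?)/\S+/\S+\s*$")


def parse_crypto_acl(text, acl_name):
    """Return the (local, remote) network pairs of one crypto ACL, in ACL order."""
    pairs = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m and m.group(1) == acl_name:
            local = ip_network(f"{m.group(2)}/{m.group(3)}")   # netmask notation is accepted
            remote = ip_network(f"{m.group(4)}/{m.group(5)}")
            pairs.append((local, remote))
    return pairs


def parse_child_sas(text):
    """Return the set of (local, remote) selectors of the active IPsec child SAs."""
    sas = set()
    local = None
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if not m:
            continue
        net = ip_network(f"{m.group(2)}/{m.group(3)}")
        if m.group(1) == "Local":
            local = net                      # remember until the matching Remote line
        elif local is not None:
            sas.add((local, net))
            local = None
    return sas


def missing_child_sas(acl_text, session_text, acl_name):
    """List the ACL entries (as CIDR strings) that have no matching child SA."""
    active = parse_child_sas(session_text)
    return [
        (str(local), str(remote))
        for local, remote in parse_crypto_acl(acl_text, acl_name)
        if (local, remote) not in active
    ]


if __name__ == "__main__":
    for local, remote in missing_child_sas(ACL_TEXT, SESSION_BEFORE, "SITE_2"):
        print(f"no child SA for {local} -> {remote}")
```

Run against the second output in the post (after the ping from 172.27.99.x), only the 172.28.60.0/23 entry would remain without an SA.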
Error Message : Drop-reason: (ipsec-spoof) IPSEC Spoof detected
Hi,
When i run a Packet tracer in PIX, getting a below output:
Result:
input-interface: outside_interface
input-status: up
input-line-status: up
output-interface: mpls_interface
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected
Please help me to fix this issue.
Hi,
To my understanding you are trying to emulate VPN/encrypted traffic from the PIX firewall's outside interface, and therefore the PIX drops the traffic (because it's supposed to be encrypted traffic arriving on a VPN connection to the PIX).
If you are testing a L2L VPN connection on the PIX, do the test in the other direction, from IN -> OUT.
This should already bring the VPN tunnel up even though no actual traffic is generated to the tunnel.
- Jouni -
I am trying to create a site-to-site L2L VPN. Phase 1 completes fine, but when validating the proxy-id in phase 2, the ID is not being set correctly.
Here is the config:
access-list ssatunnel extended permit ip 10.1.10.0 255.255.255.0 x.x.x.32 255.255.255.224
crypto ipsec security-association lifetime seconds 3600
crypto map ssa 1 match address ssatunnel
crypto map ssa 1 set pfs
crypto map ssa 1 set connection-type originate-only
crypto map ssa 1 set peer peerip
crypto map ssa 1 set ikev1 transform-set ssa
crypto map ssa 1 set security-association lifetime seconds 3600
crypto map ssa interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
tunnel-group peerip type ipsec-l2l
tunnel-group peerip ipsec-attributes
ikev1 pre-shared-key *****
It keeps using the peer IP and my public IP for the proxy-id. This fails the check on the remote side, so phase 2 fails.
Is there something I am missing? This is the error message from the Juniper:
2013-04-25 11:15:43
info
IKE 192.168.2.221 Phase 2 msg ID 67bd2a80: Negotiations have failed.
2013-04-25 11:15:43
info
Rejected an IKE packet on ethernet1/3 from 192.168.2.221:500 to 10.10.10.18:500with cookies e2bea3abcac4b367 and 5b81debf2f1f2970 because The peer sent a proxy ID that did not match the one in the SA config.
2013-04-25 11:15:43
info
IKE 192.168.2.221 Phase 2: No policy exists for the proxy ID received: local ID (10.10.10.18/255.255.255.255, 0, 0) remote ID (192.168.2.221/255.255.255.255, 0, 0).
2013-04-25 11:15:43
info
IKE 192.168..221 Phase 2 msg ID 67bd2a80: Responded to the peer's first message.
2013-04-25 11:15:43
info
IKE 192.168.2.221 Phase 1: Completed Main mode negotiations with a 28800-second lifetime. -
c7600s72033-adventerprisek9-mz.122-33.SRC3.bin
7609 with Sup7203BXL supervisors.
Command rejected: VLAN 881 is crypto connected to Vl1020.This command is rejected because allowing it will result in a crypto connected interface vlan to belong to the interface's allowed vlan list. This poses a potential IPSec security breach.Note that this behavior applies to all trunk ports. If you're attempting to do "no switchport trunk allowed vlan <vlanlist>" Instead, use "switchport trunk allowed vlan none", or "switchport trunk allowed vlan remove <vlanlist>"
I get the preceding message currently when trying to add the IPSec VLAN to a trunk port. A little background: this has been working for about a year on a different endpoint device with a trunk up to it. We migrated to a new device for the endpoint of the IPSec traffic and when trying to add the VLANs involved with it to the trunk, I get that message.
Interface VLAN 881 on IPSec Service Module port GigabitEthernet7/0/1 connected to Vlan1020 with crypto map set IPSEC
Interface VLAN 882 on IPSec Service Module port GigabitEthernet7/0/1 connected to Vlan1020 with crypto map set IPSEC
Interface Vlan1020 on IPSec Service Module port GigabitEthernet7/0/1 connected to GigabitEthernet1/1 with crypto map set
There is the show crypto vlan output. This was working just fine previously when I added the VLANs to a trunk, but when I tried to add the VLANs to a new set of interfaces, I got that error message. I went so far as to remove the VLANs from the working trunk and try to put them back, now I get the same message as above.
VLAN Usage
1006 online diag vlan0
1007 online diag vlan1
1008 online diag vlan2
1009 online diag vlan3
1010 online diag vlan4
1011 online diag vlan5
1012 PM vlan process (trunk tagging)
1013 Control Plane Protection
1014 vrf_0_vlan
1015 Container0
1016 IPv6-mpls RSVD VLAN
1017 L3 multicast partial shortcuts for VPN 0
1018 Egress internal vlan
1019 Multicast VPN 0 QOS vlan
1020 macedon_vrf0
1021 IPv6 Multicast Egress multicast
1022 GigabitEthernet1/1
1023 GigabitEthernet1/2
1024 GigabitEthernet1/3
1025 GigabitEthernet1/7
1026 GigabitEthernet1/22
1027 GigabitEthernet1/24
1028 macedon_ctlvlan
1029 macedon_nat7.0
1030 GigabitEthernet2/1
1031 GigabitEthernet2/3
1032 GigabitEthernet2/7
1033 GigabitEthernet2/24
1401 GigabitEthernet1/7.1401
There is the internal VLAN usage. The IPSec tunnel is using VRF mode, with the IPSec tunnel dropping to a VRF and the outside interfaces being in the global routing table. The VLANs 881 and 882 are part of that VRF and they are SVIs.
Hello,
You will need both. The 7600-SSC-400 is the carrier module of the SPA-IPSec-2G.
There is more information on this via the following link:
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/76ovwvpn.html
Warm Regards,
Rose -
Scenario
Presently we use a GRE tunnel between Router A at client A and Router B at HQ. This tunnel allows a crypto device behind each router to establish their own IPSEC tunnel across the GRE tunnel. The restriction with this setup is that the router at Client A needs to be directly connected to the ISP demarcation point and thus have an Internet-routable IP configured on its WAN interface. This allows the crypto devices to keep their private IP addresses. Works great this way.
Note: the router at HQ is already directly connected to the ISP demarcation, so no issue there.
Problem
Not all clients have their ISP demarcation point directly connected to the client router that the crypto device behind it connects to. We are required to go through the client's existing network, therefore the router whose WAN interface was configured with an Internet-routable IP address will need a private IP address configured instead, which would need to be NAT'd. Tried establishing that same GRE tunnel when using NAT, and that did not work. I have the following questions.
The crypto devices at each end originally were able to use their private IP addresses when using the GRE tunnel; will I need to NAT those IP addresses? If so, will the router that is directly connected to the crypto device need to perform NAT for those crypto devices?
Also, will the router at the client that the crypto device connects to need a private IP address for its WAN interface to be NAT'd, and would the NAT take place on the client's departmental Internet-facing router?
I'm sure this has been done before, establishing an IPsec tunnel between a private network via another private network. In a nutshell, just trying to get those crypto devices to form their IPSEC tunnel with one connected behind a client's existing private network. It would be easy to maintain the GRE solution, but like I mentioned, it does not work when NAT is involved.
I have attached a diagram for illustration purposes. In that diagram, under the proposed drawing, would I establish the first IPSEC tunnel between router B and C or between Router B and A? The other IPsec tunnel between the crypto devices is automatically set up, as long as there is connectivity between the two sites.
Any examples that mirror what I am looking for?
If your connections are breaking due to NAT/IPSEC-being-blocked issues, then SSL VPNs have a better chance, as 443 is rarely blocked. But if your IPSEC VPN is properly set up with NAT-T and keepalives, it should work through most networks.
You need to post more details about the existing issues to comment further.
Regards
Farrukh -
Dears,
I designed a form that reads an Excel sheet and uploads the Excel sheet content into a table on the DB. The Excel sheet contains only 2 columns. The problem is that when I compile the form (CTRL+K) there are no errors shown, but when the form runs and I click the Browse button it gives me the error below:
ORA-06508 PL/SQL could not find program unit being called.
The program unit is client_get_file_name; it is in a package within the WEBUTIL attached library. The problem is the form can't call any package or anything from the WEBUTIL attached library.
On the form I have 2 buttons.
First button code: "Browse"
Declare
V_FILE VARCHAR2(2000);
BEGIN
V_FILE := client_get_file_name(NULL, NULL, NULL, NULL, open_file, TRUE);
:main_block.FNAME := V_FILE;
EXCEPTION
WHEN OTHERS THEN
my_alert('There Is Error: '||sqlerrm); -- My_alert(p_text) is program unit
RAISE FORM_TRIGGER_FAILURE;
END;
Second button code: "Import to DB"
DECLARE
MYFILE CLIENT_TEXT_IO.FILE_TYPE;
filename varchar2(100);
temp varchar2(1000);
t1 varchar2(1000);
t2 varchar2(1000);
cust_id number;
dfrom date;
dto date;
ccode varchar2(100);
r varchar2(1000);
transfer_status boolean;
begin
filename := :main_block.fname;
MYFILE := CLIENT_TEXT_IO.FOPEN(filename, 'r');
SYNCHRONIZE;
SYNCHRONIZE;
CLIENT_TEXT_IO.get_line(MYFILE,temp);
t1:=temp;
while temp is not null loop
CLIENT_TEXT_IO.get_line(MYFILE,temp);
t1:=temp;
select substr(t1,1,instr(t1,',') -1)
into t2
from dual;
ccode:=t2;
select substr(t1,instr(t1,',') +1)
into t1
from dual;
insert into trc_upload -- table on DB
values(t2,t1);
commit;
end loop;
CLIENT_TEXT_IO.FCLOSE(MYFILE);
EXCEPTION
WHEN DDE.DDE_APP_FAILURE THEN
my_alert('WINDOWS APPLICATION CANNOT START.');
WHEN DDE.DDE_PARAM_ERR THEN
my_alert('A NULL VALUE WAS PASSED TO DDE');
WHEN DDE.DMLERR_NO_CONV_ESTABLISHED THEN
my_alert('DDE CANNOT ESTABLISH A CONVERSATION');
WHEN DDE.DMLERR_NOTPROCESSED THEN
my_alert('A TRANSACTION FAILED');
end;
So please help me on this issue.
Note:
The form is deployed under UNIX on an application server.
Thanks
Murad.
From ORA-06508 it seems like WEBUTIL.pll is not found in the runtime environment.
Possible solutions:
Check if the WEBUTIL.pll (or plx) is on the path where the fmx file is placed.
If not, check the FORMS90_PATH in your env file (normally default.env) (you didn't mention your Forms version; it may also be FORMS60_PATH) and whether the WEBUTIL.pll is in that path; if not, adjust the env file.
If it's still not working, check if WEBUTIL.pll is attached including the full path (unattach WEBUTIL.pll and reattach it without the path).
Last hint: case sensitivity. If you attach in lowercase letters and the library is in uppercase on the Unix system, the library will not be found at runtime. You won't see how the pll was attached; the best method is to unattach the library and reattach it in the correct case.
Another remark:
The DDE exceptions seem to be useless, because you don't use DDE (and it would not work, as it's not available under Unix).
Hope this helps -
Correct linking within site problem
Hello everyone, I hope you will be able to help me or point me in the right direction:
On the webhosting server that I am using (can't change it, my company chose ...), there is an extremely strange linking structure (or maybe it just seems strange to me?).
When you log in to your account to upload your site, the login takes you to the server/domain folder, where you simply upload your site. Naturally, all other files within the "site" are linked by /otherfile.html, because they are in the same folder. However, the server that the hosting company is using requires the link to be of the format /domainfolder/otherfile.html.
To illustrate it with code:
a) the way Dreamweaver sets up a link within a Dreamweaver site relative to the index.html page:
<frame src="/IndexTop.htm" name="mainFrame" title="mainFrame">
<frame src="/IndexBottom.htm" name="bottomFrame" scrolling="auto" noresize>
b) the way I have to adjust the code for it to work on the server:
<frame src="/domainfolder/IndexTop.htm" name="mainFrame" title="mainFrame">
<frame src="/domainfolder/IndexBottom.htm" name="bottomFrame" scrolling="auto" noresize>
This means that I would have to go through every single link that I create in my site in WordPad after I am done in Dreamweaver and update those links.
Therefore, my question is: is there a way to automatically add that /domainfolder/ part to every link? I was thinking that specifying the host directory as domainfolder would solve the problem, but then wouldn't Dreamweaver:
1. put the index file into that directory
2. create a domainfolder directory in the host directory, essentially causing a folder structure of the format server/domainfolder/domainfolder (because when you log in your files get automatically placed in your domainfolder on the server)?
Thank you very much for any help that you can offer, I sincerely appreciate it.
You'd be ever so much better off without frames. But <sigh> it's up to you.
Frames are rarely the optimal choice for your layout because they bring SO MANY problems into your life, and into the lives of your visitors.
Anyhow - which DW are you using?
And - can you point me to any page on your site?
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.dreamweavermx-templates.com
- Template Triage!
http://www.projectseven.com/go
- DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs,
Tutorials & Resources
http://www.macromedia.com/support/search/
- Macromedia (MM) Technotes
==================
-
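As an added example (not from the thread, and not a Dreamweaver feature), a Python rewrite of the transformation the question above asks for: every root-relative href or src such as "/IndexTop.htm" gets the "/domainfolder" prefix, while absolute, protocol-relative and document-relative links, and links that already carry the prefix, are left alone. The sample markup is constructed from the frame tags in the post; the regex only handles attribute values in HTML tags, not URLs inside CSS or JavaScript.

```python
import re

# Constructed sample, mirroring the frameset markup in the post plus a few edge cases.
SAMPLE_HTML = """
<frame src="/IndexTop.htm" name="mainFrame" title="mainFrame">
<frame src="/IndexBottom.htm" name="bottomFrame" scrolling="auto" noresize>
<a href="/domainfolder/about.htm">already prefixed</a>
<a href="http://www.example.com/">absolute</a>
<script src="//cdn.example.com/lib.js"></script>
<img src="images/logo.gif">
<a href='/'>site root</a>
"""

# href= or src= whose quoted value starts with a single slash: a root-relative link.
# The (?!/) excludes protocol-relative "//host/..." values.
LINK_RE = re.compile(r"""\b((?:href|src)=)(["'])(/(?!/)[^"']*)\2""", re.IGNORECASE)


def prefix_root_links(html, folder):
    """Prefix root-relative href/src values with /<folder>; idempotent."""
    prefix = "/" + folder.strip("/")

    def repl(m):
        attr, quote, path = m.group(1), m.group(2), m.group(3)
        if path == prefix or path.startswith(prefix + "/"):
            return m.group(0)            # already rewritten: never double-prefix
        return f"{attr}{quote}{prefix}{path}{quote}"

    return LINK_RE.sub(repl, html)


def rewrite_file(path, folder):
    """Rewrite one HTML file in place and return the number of changed links."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated = prefix_root_links(original, folder)
    if updated != original:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(updated)
    return sum(1 for a, b in zip(LINK_RE.finditer(original), LINK_RE.finditer(updated))
               if a.group(3) != b.group(3))


if __name__ == "__main__":
    print(prefix_root_links(SAMPLE_HTML, "domainfolder"))
```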
L2TP over IPSec - Can IPSec be disabled?
Hello.
I need a pure L2TP connection. Mac OS X has L2TP over IPSec by default. I went through all checkboxes and have not found the one that could disable IPSec. Do I have to do it in the Terminal? If so, what is the command?
Thanks.
It can be done by editing some files, but the documentation I knew about is gone; perhaps the zipped script in this thread will give you a clue on how to do it without OS X's built-in one.
http://forums.macosxhints.com/showthread.php?t=40920
There are some GUI APPs that support plain L2TP...
IPsecuritas
http://www.lobotomo.com/products/IPSecuritas/
VaporSec
http://www.afp548.com/Software/VaporSec/
VPN Tracker
http://www.equinux.com/us/products/vpntracker/index.html -
Procedure within procedure problem
Hi
I have a table of 5 different magazines and a table of purchases of those magazines. I have written a procedure to take the details of a given magazine and place the sales for a given month into a sales table as follows:
create or replace procedure monthly_sales(mag number, startdate date, enddate date) is
magtotal number(7,0);
magprice magazine.unitprice%type;
magsales number(7,2);
begin
select count(p.magid), m.unitprice into magtotal, magprice from purchase p, magazine m where p.datepurchased between startdate and enddate and p.magid = mag and m.magid=p.magid
group by m.unitprice;
magsales := magtotal*magprice;
insert into sales values(startdate, mag, magtotal, magsales);
end;
What I would like to do though is have a procedure that you just need to run once and it will enter the sales for a given month for all magazines into the sales table. My thought was to try to do this using procedures within a procedure as follows:
create or replace procedure monthly_sales(startdate date, enddate date) is
magtotal number(7,0);
magprice magazine.unitprice%type;
magsales number(7,2);
procedure mag1 is
begin
select count(p.magid), m.unitprice into magtotal, magprice from purchase p, magazine m where p.datepurchased between startdate and enddate and p.magid = 1 and m.magid=p.magid
group by m.unitprice;
magsales := magtotal*magprice;
insert into sales values(startdate, 1, magtotal, magsales);
end mag1;
procedure mag2 is
begin
select count(p.magid), m.unitprice into magtotal, magprice from purchase p, magazine m where p.datepurchased between startdate and enddate and p.magid = 2 and m.magid=p.magid
group by m.unitprice;
magsales := magtotal*magprice;
insert into sales values(startdate, 2, magtotal, magsales);
end mag2;
procedure mag3 is
begin
select count(p.magid), m.unitprice into magtotal, magprice from purchase p, magazine m where p.datepurchased between startdate and enddate and p.magid = 3 and m.magid=p.magid
group by m.unitprice;
magsales := magtotal*magprice;
insert into sales values(startdate, 3, magtotal, magsales);
end mag3;
procedure mag4 is
begin
select count(p.magid), m.unitprice into magtotal, magprice from purchase p, magazine m where p.datepurchased between startdate and enddate and p.magid = 4 and m.magid=p.magid
group by m.unitprice;
magsales := magtotal*magprice;
insert into sales values(startdate, 4, magtotal, magsales);
end mag4;
begin
select count(p.magid), m.unitprice into magtotal, magprice from purchase p, magazine m where p.datepurchased between startdate and enddate and p.magid = 5 and m.magid=p.magid
group by m.unitprice;
magsales := magtotal*magprice;
insert into sales values(startdate, 5, magtotal, magsales);
end;
However, when I run this it ignores all the procedures within the main procedure and just enters the results for magazine 5. I'm at a loss as to why this isn't working; is this even the correct way to go about it? Any help would be greatly appreciated.
Thanks
Why do it the hard way?
A single insert statement will do the trick.
I made a bit of a guess as to the structure of your tables:
create table magazine (magid number primary key, unitprice number);
create table purchase (magid number references magazine(magid), datepurchased date);
create table sales (startdate date, magid number references magazine(magid), magtotal number, magsales number);
insert into magazine(magid, unitprice) values (1, 3.95);
insert into magazine(magid, unitprice) values (2, 4.95);
insert into magazine(magid, unitprice) values (3, 3.50);
insert into magazine(magid, unitprice) values (4, 6.0);
insert into magazine(magid, unitprice) values (5, 5.50);
insert into purchase(magid, datepurchased) values (1, sysdate);
insert into purchase(magid, datepurchased) values (1, sysdate);
insert into purchase(magid, datepurchased) values (2, sysdate);
insert into purchase(magid, datepurchased) values (2, sysdate);
insert into purchase(magid, datepurchased) values (2, sysdate);
insert into purchase(magid, datepurchased) values (4, sysdate);
insert into purchase(magid, datepurchased) values (5, sysdate);
insert into purchase(magid, datepurchased) values (5, sysdate);
insert into purchase(magid, datepurchased) values (5, sysdate);
insert into purchase(magid, datepurchased) values (5, sysdate);
commit;
create or replace procedure monthly_sales(p_startdate in date, p_enddate in date)
is
begin
insert into sales (startdate, magid, magtotal, magsales)
select p_startdate
, p.magid
, count(p.magid)
, count(p.magid) * m.unitprice
from purchase p
join magazine m on m.magid = p.magid
where p.datepurchased between p_startdate and p_enddate
group by p.magid
, m.unitprice;
end;
begin
monthly_sales(trunc(sysdate,'MM'), last_day(trunc(sysdate,'MM')));
end;
select * from sales;
STARTDATE MAGID MAGTOTAL MAGSALES
01-JAN-11 1 2 7.9
01-JAN-11 2 3 14.85
01-JAN-11 4 1 6
01-JAN-11 5 4 22 -
JCO.Server within Tomcat problem
Hello.
I have implemented a JCO Server as a servlet and it is working just fine. However, it refuses to allow other servlets to connect to SAP. It grabs hold of sapjcorfc.dll and will not let go, so when I run a servlet that needs to call a BAPI I get the following error message:
java.lang.ExceptionInInitializerError: JCO.classInitialize(): Could not load middleware layer 'com.sap.mw.jco.rfc.MiddlewareRFC'
JCO.nativeInit(): Could not initialize dynamic link library sapjcorfc [Native Library C:\WINDOWS\system32\sapjcorfc.dll already loaded in another classloader]. java.library.path [C:\Program Files\Java\jdk1.5.0_10\bin;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Java\jdk1.5.0_10\bin]
com.sap.mw.jco.JCO.<clinit>(JCO.java:776)
Anyone have any idea how I can tell the JCO server not to be so selfish? I tried JCO library 2.0.9 and 2.1.8 with the same results. This is obviously running on Windows, XP variety, Tomcat 5.5 and Java 1.5.
Thank you in advance.
Rudy
> Hi Rudy,
>
> You are a little bit off topic here,
Sorry <blush> I thought I might be, but I was getting desperate. I posted it in the Java Programming but didn't get much there.
> anyway please check
> <a href="/thread/2 [original link is broken]
> 61626">this</a> thread and especially the two SAP
> notes mentioned there.
Thank you. This hint is what I was looking for. I was hoping to be able to get to it today, but I guess it'll have to wait till Monday. In the meantime I found another solution in the OSS notes yesterday. It seems as though the classloader for the sapjcorfc.dll will look for it in the same directory as sapjco.jar first. So I deleted it from the system32 folder and copied it into the WEB-INF\lib folder of each project and voila, it worked. Although I still want to figure out what this solution is as well.
>
> HTH!
>
> -Vladimir
Spasibo Volodya. -
Cisco ASA 5505 - IPsec Tunnel issue
Issue with IPsec Child SA
Hi,
I have a site to site VPN tunnel setup with a Cisco ASA5505 and a Checkpoint Firewall. The version of software is 9.22. I am using IKEv2 for Phase 1 encryption. The following is my cisco asa configuration:
hostname GARPR-COM1-WF01
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
description Failover Link
switchport access vlan 950
interface Ethernet0/1
description Outside FW Link
switchport access vlan 999
interface Ethernet0/2
description Inside FW Link
switchport access vlan 998
interface Ethernet0/3
description Management Link
switchport access vlan 6
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan6
nameif management
security-level 100
ip address 10.65.1.20 255.255.255.240
interface Vlan950
description LAN Failover Interface
interface Vlan998
nameif inside
security-level 100
ip address 10.65.1.5 255.255.255.252
interface Vlan999
nameif outside
security-level 0
ip address ************* 255.255.255.248
boot system disk0:/asa922-4-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ***************
object network North_American_LAN
subnet 10.73.0.0 255.255.0.0
description North American LAN
object network Queretaro_LAN
subnet 10.74.0.0 255.255.0.0
description Queretaro_LAN
object network Tor_LAN
subnet 10.75.0.0 255.255.0.0
description Tor LAN
object network Mor_LAN
subnet 10.76.0.0 255.255.0.0
description Mor LAN
object network Tus_LAN
subnet 10.79.128.0 255.255.128.0
description North American LAN
object network Mtl_LAN
subnet 10.88.0.0 255.255.0.0
description Mtl LAN
object network Wic_LAN
subnet 10.90.0.0 255.254.0.0
description Wic LAN
object network Wic_LAN_172
subnet 172.18.0.0 255.255.0.0
description Wic Servers/Legacy Client LAN
object network Mtl_LAN_172
subnet 172.19.0.0 255.255.0.0
description Mtl Servers/Legacy Client LAN
object network Tor_LAN_172
subnet 172.20.0.0 255.255.0.0
description Tor Servers/Legacy Client LAN
object network Bridge_LAN_172
subnet 172.23.0.0 255.255.0.0
description Bridge Servers/Legacy Client LAN
object network Mtl_WLAN
subnet 10.114.0.0 255.255.0.0
description Mtl Wireless LAN
object network Bel_WLAN
subnet 10.115.0.0 255.255.0.0
description Bel Wireless LAN
object network Wic_WLAN
subnet 10.116.0.0 255.255.0.0
description Wic Wireless LAN
object network Mtl_Infrastructure_10
subnet 10.96.0.0 255.255.0.0
description Mtl Infrastructre LAN
object network BA_Small_Site_Blocks
subnet 10.68.0.0 255.255.0.0
description BA Small Sites Blocks
object network Bel_LAN
subnet 10.92.0.0 255.255.0.0
description Bel LAN 10 Network
object network LAN_172
subnet 172.25.0.0 255.255.0.0
description LAN 172 Network
object network Gar_LAN
subnet 10.65.1.0 255.255.255.0
description Gar LAN
object network garpr-com1-wf01.net.aero.bombardier.net
host **************
description Garching Firewall
object-group network BA_Sites
description Internal Networks
network-object object BA_Small_Site_Blocks
network-object object Bel_LAN
network-object object Bel_LAN_172
network-object object Bel_WLAN
network-object object Bridge_LAN_172
network-object object Mtl_Infrastructure_10
network-object object Mtl_LAN
network-object object Mtl_LAN_172
network-object object Mtl_WLAN
network-object object Mor_LAN
network-object object North_American_LAN
network-object object Queretaro_LAN
network-object object Tor_LAN
network-object object Tor_LAN_172
network-object object Tus_LAN
network-object object Wic_LAN
network-object object Wic_LAN_172
network-object object Wic_WLAN
access-list 101 extended permit ip object garpr-com1-wf01.net.aero.bombardier.net object Bel_LAN_172
access-list 101 extended permit ip object Garching_LAN object-group BA_Sites
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap informational
logging asdm informational
logging host outside 172.25.5.102
mtu management 1500
mtu inside 1500
mtu outside 1500
failover
failover lan unit primary
failover lan interface Failover_Link Vlan950
failover polltime interface msec 500 holdtime 5
failover key *****
failover interface ip Failover_Link 192.168.124.1 255.255.255.0 standby 192.168.124.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Gar_LAN Gar_LAN destination static BA_Sites BA_Sites no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 ************* 1
route inside 10.65.1.0 255.255.255.255 10.65.1.6 1
route inside 10.65.1.16 255.255.255.240 10.65.1.6 1
route inside 10.65.1.32 255.255.255.240 10.65.1.6 1
route inside 10.65.1.48 255.255.255.240 10.65.1.6 1
route inside 10.65.1.64 255.255.255.240 10.65.1.6 1
route inside 10.65.1.128 255.255.255.128 10.65.1.6 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.65.1.0 255.255.255.0 inside
http 172.25.5.0 255.255.255.0 inside
http 10.65.1.21 255.255.255.255 management
snmp-server host inside 172.25.49.0 community ***** udp-port 161
snmp-server host outside 172.25.49.0 community *****
snmp-server host inside 172.25.5.101 community ***** udp-port 161
snmp-server host outside 172.25.5.101 community *****
snmp-server host inside 172.25.81.88 poll community *****
snmp-server host outside 172.25.81.88 poll community *****
snmp-server location:
snmp-server contact
snmp-server community *****
snmp-server enable traps syslog
crypto ipsec ikev2 ipsec-proposal aes256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto map GARCH 10 match address 101
crypto map GARCH 10 set pfs group19
crypto map GARCH 10 set peer *******************
crypto map GARCH 10 set ikev2 ipsec-proposal aes256
crypto map GARCH 10 set security-association lifetime seconds 3600
crypto map GARCH interface outside
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
telnet 10.65.1.6 255.255.255.255 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 172.25.5.0 255.255.255.0 inside
ssh 172.19.9.49 255.255.255.255 inside
ssh 172.25.5.0 255.255.255.0 outside
ssh 172.19.9.49 255.255.255.255 outside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 30
management-access inside
dhcprelay server 172.25.81.1 outside
dhcprelay server 172.25.49.1 outside
dhcprelay enable inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.19.109.41
ntp server 172.19.109.42
ntp server 172.19.9.49 source outside
tunnel-group ********* type ipsec-l2l
tunnel-group ********* ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:25ad9bf6db66a31e840ad96f49cd7e37
: end
I believe when a VPN tunnel is set up there should be one child SA per subnet. The internal network of 10.65.1.0/24 should be set up with a child SA to the networks that were specified above, depending on whether there is traffic destined for them. What I am seeing is multiple child SAs set up for the same subnet, like the example below:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 172.19
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
whereas for destination network 10.92.0.0/16 there is only one child SA:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 10.92
remote selector 10.92.0.0/0 - 10.92.255.255/6553
Should this be the case, or does anyone have any idea why there are multiple child SAs set up for the same subnet?
Thanks
Jonathan
Hi there,
I had the same issue with a PIX 506E and it was not even a circuit issue; I got rid of it and the problem got fixed with a PIX515E.
I don't know, the device is too old to stay alive.
thanks -
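An added example, not from the thread above and not Cisco code: a small Python audit over the `local selector` / `remote selector` lines of `show crypto ikev2 sa`. It counts how many child SAs cover the same network (the ten identical 172.19.0.0/16 entries the asker posted) and flags any selector that is a strict subnet of what the crypto ACL permits, the kind of narrowing that also shows up as an unexpected "local ident" in the later thread on this page. The sample output and the `CONFIGURED` networks are constructed from the posted config; the narrowed local selector on the last sample line is constructed for illustration and does not appear in the thread.

```python
"""Audit IKEv2 child SA traffic selectors from `show crypto ikev2 sa` output.

Added example (not from the original thread). It groups the selector
lines by the network they cover, reports selectors installed more than
once and flags selectors narrower than the networks the crypto ACL
permits. Standard library only.
"""
import ipaddress
import re
from collections import Counter

SELECTOR_RE = re.compile(
    r"^\s*(?P<side>local|remote) selector "
    r"(?P<start>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+) - "
    r"(?P<end>\d{1,3}(?:\.\d{1,3}){3})/(?P<eport>\d+)\s*$"
)

# Constructed sample output: 'sh crypto ikev2 sa | i 172.19' in the
# thread printed ten identical lines and '| i 10.92' printed one; the
# last line is a constructed narrowed local selector (not in the thread).
SAMPLE_SHOW_OUTPUT = (
    "remote selector 172.19.0.0/0 - 172.19.255.255/65535\n" * 10
    + "remote selector 10.92.0.0/0 - 10.92.255.255/65535\n"
    + "local selector 10.65.1.16/0 - 10.65.1.31/65535\n"
)

# What the posted crypto ACL 101 permits: Gar_LAN locally and, on the
# remote side, two of the BA_Sites objects (Mtl_LAN_172 and Bel_LAN).
CONFIGURED = {
    "local": [ipaddress.ip_network("10.65.1.0/24")],
    "remote": [ipaddress.ip_network("172.19.0.0/16"),
               ipaddress.ip_network("10.92.0.0/16")],
}


def parse_selectors(text):
    """Return one (side, networks) tuple per selector line.

    The address range is converted to the CIDR blocks that cover it, so
    '172.19.0.0 - 172.19.255.255' becomes ('172.19.0.0/16',). Ports are
    parsed but not used: every selector in the thread is 0-65535.
    """
    selectors = []
    for line in text.splitlines():
        m = SELECTOR_RE.match(line)
        if not m:
            continue
        start = ipaddress.ip_address(m["start"])
        end = ipaddress.ip_address(m["end"])
        nets = tuple(str(n) for n in ipaddress.summarize_address_range(start, end))
        selectors.append((m["side"], nets))
    return selectors


def duplicate_selectors(selectors):
    """Map 'side network' -> count for selectors installed more than once."""
    counts = Counter(selectors)
    return {f"{side} {','.join(nets)}": n
            for (side, nets), n in counts.items() if n > 1}


def narrowed_selectors(selectors, configured):
    """List selectors that are strict subnets of a configured network.

    A selector equal to a configured network is the expected outcome; a
    strict subnet means the negotiated traffic selector is narrower than
    the crypto ACL entry, so traffic outside it will not match this SA.
    """
    narrowed = []
    for side, nets in selectors:
        for net_s in nets:
            net = ipaddress.ip_network(net_s)
            for cfg in configured.get(side, []):
                if net != cfg and net.subnet_of(cfg):
                    narrowed.append(f"{side} {net} inside {cfg}")
    return narrowed


def audit(text, configured):
    """Run both checks over raw 'show crypto ikev2 sa' text."""
    selectors = parse_selectors(text)
    return {
        "selectors": len(selectors),
        "duplicates": duplicate_selectors(selectors),
        "narrowed": narrowed_selectors(selectors, configured),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SHOW_OUTPUT, CONFIGURED).items():
        print(f"{key}: {value}")
```

Paste the unfiltered `show crypto ikev2 sa` output into `SAMPLE_SHOW_OUTPUT` (or read it from a file) and adjust `CONFIGURED` to the crypto ACL in use; the audit only surfaces the symptom, it does not explain why a peer installs several child SAs for one selector.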
PFS shown as disabled in 'show crypto ipsec sa' even though configured
Hi,
I have PFS configured (at least I think) but when I do a 'show crypto ipsec sa', it says 'PFS: N' ...
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 163, #pkts encrypt: 163, #pkts digest: 163
#pkts decaps: 340, #pkts decrypt: 340, #pkts verify: 340
#pkts compressed: 5, #pkts decompressed: 8
#pkts not compressed: 157, #pkts compr. failed: 1
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ip mtu 1500, ip mtu idb Port-channel1.10
current outbound spi: 0x2093BFD5(546553813)
PFS (Y/N): N, DH group: none
Here's the relevant config:
crypto isakmp policy 10
encr aes 256
hash sha256
authentication pre-share
group 20
lifetime 3600
crypto ipsec transform-set vpn-s2s-ts esp-aes 256 esp-sha256-hmac comp-lzs
mode transport require
crypto ipsec profile vpn-s2s
set transform-set vpn-s2s-ts
set pfs group20
interface Tunnel0
tunnel protection ipsec profile vpn-s2s
A 'show crypto map' shows it enabled AFAICT:
Crypto Map IPv4 "Tunnel0-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 2.2.2.2
Extended IP access list
access-list permit gre host 1.1.1.1 host 2.2.2.2
Current peer: 2.2.2.2
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group20
Transform sets={
vpn-s2s-ts: { esp-256-aes esp-sha256-hmac } , { comp-lzs } ,
Interfaces using crypto map Tunnel0-head-0:
Tunnel0
Any idea?
Cheers,
Sylvain
Hi,
I have the same problem with an ASR1001, running asr1001-universalk9.03.10.03.S.153-3.S3-ext.bin.
I am using IKEv2 and IPSec with PFS group20. Here's the relevant config (lab):
crypto ikev2 proposal ikev2-prop_1
encryption aes-cbc-256
integrity sha512
group 20
crypto ikev2 policy ikev2-pol_1
match address local 10.10.0.1
proposal ikev2-prop_1
crypto ikev2 profile ikev2-prof_1
match address local interface GigabitEthernet0/0/1
match identity remote address 10.10.0.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local keyring_1
dpd 10 3 on-demand
crypto ipsec profile ipsec-prof_1
set transform-set tset_1
set pfs group20
set ikev2-profile ikev2-prof_1
interface Tunnel1
ip address 10.20.0.1 255.255.255.252
tunnel source GigabitEthernet0/0/1
tunnel destination 10.10.0.2
tunnel protection ipsec profile ipsec-prof_1
As soon as the IPSec SA is established, the "show crypto ipsec sa" command shows:
PFS (Y/N): N, DH group: none
But after the first rekeying (after default time of 3600 secs) it shows:
PFS (Y/N): Y, DH group: group20
I consider this a cosmetic problem only, since PFS is doing its job. This can be seen in the debugs during the first rekeying:
000492: Jul 2 11:20:41.790 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):Checking for PFS configuration
000493: Jul 2 11:20:41.790 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):PFS configured, DH group 20
000494: Jul 2 11:20:41.790 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 20
000495: Jul 2 11:20:41.798 CEST: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] DH key Computation PASSED
000496: Jul 2 11:20:41.798 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):Request queued for computation of DH secret
000497: Jul 2 11:20:41.798 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):Checking if IKE SA rekey
000498: Jul 2 11:20:41.798 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):Load IPSEC key material
000499: Jul 2 11:20:41.798 CEST: IKEv2:(SA ID = 2):[IKEv2 -> IPsec] Create IPsec SA into IPsec database -
Hi Jazib,
May I ask you a question? I face an unsolved issue. After I tested using packet-tracer, below are the results:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected
But when trying on "inside", it is successful.
Let me draw out my issue:
server <-connect-> pix <-connect-> router <-> pix <-connect-> user
ipsec is between the outside legs of the 2 pix fws
server using ports 80, 443 and 2000.
I encountered a problem accessing web services using 2000. It is ok for 80 and 443.
In the pix, using packet-tracer, all 3 ports' results are the same. My ipsec configuration is a simple one, end to end.
Do you know what went wrong? I really appreciate your advice and help.
Thank you.
IPSEC Spoof detected:
This counter will increment when the security appliance receives a packet which should have been encrypted but was not. The packet matched the inner header security policy check of a configured and established IPSec connection on the security appliance but was received unencrypted. This is a security issue.
Recommendation: Analyze your network traffic to determine the source of the spoofed IPSec traffic.
Refer to the following URL for more information on the syslog message related to "IPSEC Spoof detected" being the reason for the drop:
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4772700 -
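The check the reply describes, as an added Python model (not ASA code, and not from the thread): a packet arriving in cleartext on an interface that carries a crypto map is matched against that map's crypto ACL in the inbound (mirrored) direction; a match means the packet should have arrived ESP-protected, so it is dropped as ipsec-spoof. The same flow entering on `inside` is instead selected for encryption. The topology, addresses and the `CRYPTO_ACLS` table are constructed from the asker's sketch (server, two PIX firewalls, user; ports 80, 443 and 2000) and are assumptions, not values from the thread.

```python
"""Model of the 'ipsec-spoof' drop described in the reply above.

Added example, not ASA code: a toy model of the inner-header policy
check. It is deliberately address-only ('permit ip local remote'), like
the asker's "simple, end to end" crypto ACL, which is why the port of
the simulated packet never changes the verdict.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AclEntry:
    """One 'permit ip <local> <remote>' line of a crypto ACL."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network

    def matches_outbound(self, src: str, dst: str) -> bool:
        """Forward direction: a local host talking to the remote site."""
        return (ipaddress.ip_address(src) in self.local
                and ipaddress.ip_address(dst) in self.remote)

    def matches_inbound(self, src: str, dst: str) -> bool:
        """Mirrored direction: a remote host talking to a local host."""
        return (ipaddress.ip_address(src) in self.remote
                and ipaddress.ip_address(dst) in self.local)


@dataclass(frozen=True)
class Packet:
    ingress: str       # interface the packet arrives on
    src: str
    dst: str
    dport: int
    esp: bool = False  # True if it arrived protected by an established SA


# Constructed topology (assumption, not from the thread): servers behind
# this PIX on 'inside', users behind the remote PIX, crypto map on 'outside'.
SERVER_LAN = ipaddress.ip_network("192.168.10.0/24")
USER_LAN = ipaddress.ip_network("10.20.0.0/24")
CRYPTO_ACLS: Dict[str, List[AclEntry]] = {
    "outside": [AclEntry(SERVER_LAN, USER_LAN)],
}


def classify(pkt: Packet, crypto_acls: Dict[str, List[AclEntry]]) -> str:
    """Return what the model does with the packet.

    crypto_acls maps an interface name to the crypto ACL of the crypto
    map applied on it. Interfaces without a crypto map only do the
    outbound selection step.
    """
    acl = crypto_acls.get(pkt.ingress)
    if acl is not None:
        # Arrived on the crypto-map interface.
        if pkt.esp:
            return "decrypt"
        if any(e.matches_inbound(pkt.src, pkt.dst) for e in acl):
            # Inner header matches a protected flow but no ESP: spoof.
            return "drop: ipsec-spoof"
        return "forward"
    # Arrived on a non-crypto interface: does it belong in a tunnel?
    for iface, entries in crypto_acls.items():
        if any(e.matches_outbound(pkt.src, pkt.dst) for e in entries):
            return f"encrypt via {iface}"
    return "forward"


def trace_scenarios() -> Dict[str, str]:
    """Replay the asker's two packet-tracer runs for each service port."""
    results = {}
    for port in (80, 443, 2000):
        results[f"outside cleartext :{port}"] = classify(
            Packet("outside", "10.20.0.7", "192.168.10.10", port), CRYPTO_ACLS)
        results[f"inside :{port}"] = classify(
            Packet("inside", "192.168.10.10", "10.20.0.7", port), CRYPTO_ACLS)
    return results


if __name__ == "__main__":
    for scenario, verdict in trace_scenarios().items():
        print(f"{scenario:24} -> {verdict}")
```

In this model every cleartext packet injected on `outside` whose addresses fit the crypto ACL is dropped as ipsec-spoof whatever the port, which is consistent with the asker getting the same packet-tracer result for 80, 443 and 2000, while the `inside` run selects the flow for encryption. The model says nothing about why port 2000 fails through the tunnel; the thread leaves that question open.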
IPSEC tunnel sa local ident is an odd IP range
I am setting up for the first time a tunnel from my ASA 5505 to an ISA 2006 server. I have a successful connection between the two devices, but it seems only for a certain IP range. show crypto ipsec sa shows local ident (192.168.100.16/255.255.255.240/0/0). It has been like this since I set up the tunnel a few days ago; then this morning there is another SA that has local ident (192.168.100.64/255.255.255.192/0/0). Everything acts as it should between both ends of the tunnel from devices within these IP subnets.
The subnet should be 192.168.100.0 255.255.255.0, how can I fix this?
asa# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: xxx.xxx.xxx.193
access-list outside_1_cryptomap permit ip DG-office 255.255.255.0 Colo 255.255.255.0
local ident (addr/mask/prot/port): (192.168.100.16/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (Colo/255.255.255.0/0/0)
current_peer: xxx.xxx.xxx.162
#pkts encaps: 39963, #pkts encrypt: 39963, #pkts digest: 39963
#pkts decaps: 38308, #pkts decrypt: 38308, #pkts verify: 38308
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 39963, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: xxx.xxx.xxx.193, remote crypto endpt.: xxx.xxx.xxx.162
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 8959F8CC
inbound esp sas:
spi: 0x3F356DCF (1060466127)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 2, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (92667/2268)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x8959F8CC (2304374988)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 2, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (92660/2268)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: outside_map, seq num: 1, local addr: xxx.xxx.xxx.193
access-list outside_1_cryptomap permit ip DG-office 255.255.255.0 Colo 255.255.255.0
local ident (addr/mask/prot/port): (192.168.100.64/255.255.255.192/0/0)
remote ident (addr/mask/prot/port): (Colo/255.255.255.0/0/0)
current_peer: xxx.xxx.xxx.162
#pkts encaps: 69, #pkts encrypt: 69, #pkts digest: 69
#pkts decaps: 67, #pkts decrypt: 67, #pkts verify: 67
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 69, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: xxx.xxx.xxx.193, remote crypto endpt.: xxx.xxx.xxx.162
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: B1A6CD86
inbound esp sas:
spi: 0xA5593A3C (2774088252)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 2, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (92762/2814)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xB1A6CD86 (2980498822)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 2, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (92766/2814)
IV size: 8 bytes
replay detection support: Y
Here I increased the debug level to 255 and initiated the tunnel from the ISA side.
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.07.16 15:13:19 =~=~=~=~=~=~=~=~=~=~=~=
VIREasa#
VIREasa# ena
^
ERROR: % Invalid input detected at '^' marker.
VIREasa# ena
^
ERROR: % Invalid input detected at '^' marker.
VIREasa# clear crypto isakmp sa
VIREasa# debug crypto condition peer XXX.XXX.XXX.162
^
ERROR: % Invalid input detected at '^' marker.
VIREasa# debug crypto isakmp 255
VIREasa# debug crypto ipsec 255
VIREasa# Jul 16 10:37:06 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 16 10:37:06 [IKEv1]: IP = XXX.XXX.XXX.162, IKE Initiator: New Phase 1, Intf inside, IKE Peer XXX.XXX.XXX.162 local Proxy Address 192.168.100.0, remote Proxy Address 10.1.245.0, Crypto map (outside_map)
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, constructing ISAKMP SA payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, constructing Fragmentation VID + extended capabilities payload
Jul 16 10:37:06 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
SENDING PACKET to XXX.XXX.XXX.162
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 108
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 56
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 44
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 1
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 70 80
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 24
Data (In Hex):
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
c0 00 00 00
IKE Recv RAW packet dump
b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67 | ..NVM..*.@.]..Ig
01 10 02 00 00 00 00 00 00 00 00 a8 0d 00 00 38 | ...............8
00 00 00 01 00 00 00 01 00 00 00 2c 01 01 00 01 | ...........,....
00 00 00 24 01 01 00 00 80 01 00 05 80 02 00 02 | ...$............
80 04 00 02 80 03 00 01 80 0b 00 01 00 0c 00 04 | ................
00 00 70 80 0d 00 00 18 1e 2b 51 69 05 99 1c 7d | ..p......+Qi...}
7c 96 fc bf b5 87 e4 61 00 00 00 04 0d 00 00 14 | |......a........
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | @H..n...%......
0d 00 00 14 90 cb 80 91 3e bb 69 6e 08 63 81 b5 | ........>.in.c..
ec 42 7b 1f 00 00 00 14 72 87 2b 95 fc da 2e b7 | .B{.....r.+.....
08 ef e3 22 11 9b 49 71 | ..."..Iq
RECV PACKET from XXX.XXX.XXX.162
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 168
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 56
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 44
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 1
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Group Description: Group 2
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 70 80
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 24
Data (In Hex):
1e 2b 51 69 05 99 1c 7d 7c 96 fc bf b5 87 e4 61
00 00 00 04
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
72 87 2b 95 fc da 2e b7 08 ef e3 22 11 9b 49 71
Jul 16 10:37:06 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, processing SA payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, Oakley proposal is acceptable
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, processing VID payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, processing VID payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, Received Fragmentation VID
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, processing VID payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, Received NAT-Traversal ver 02 VID
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, processing VID payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, constructing ke payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, constructing nonce payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, constructing Cisco Unity VID payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, constructing xauth V6 VID payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, Send IOS VID
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, constructing VID payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 16 10:37:06 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
SENDING PACKET to XXX.XXX.XXX.162
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Key Exchange
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 256
Payload Key Exchange
Next Payload: Nonce
Reserved: 00
Payload Length: 132
Data:
20 ef 0c b5 34 72 9c d0 e7 04 57 3d c1 24 33 18
61 7b 4c 20 22 4f 21 35 03 9e f2 32 f4 00 93 dd
48 e5 75 70 88 84 59 e8 25 15 e6 7f 34 78 36 7b
fc ef c5 af 08 f7 84 42 ae 2f 2c bb 1f a5 28 c6
76 3d c5 96 72 e0 17 de 18 e9 65 37 b0 8d 8f ca
de 12 14 49 2d 92 2e c2 0f 75 82 ef e6 14 83 99
c3 34 f4 3f b1 18 b7 47 ec da 1f af 8a d3 4f c7
a6 8d be ab 06 f3 e9 b6 62 4b 92 aa 84 ea fd 1a
Payload Nonce
Next Payload: Vendor ID
Reserved: 00
Payload Length: 24
Data:
1d fd 28 53 fc e8 e3 a2 8e 45 13 6a f0 eb 35 ed
60 e9 b4 34
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 12
Data (In Hex): 09 00 26 89 df d6 b7 12
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
42 2e e9 4b 4d c6 d9 2a 0a 4f d8 e6 97 31 29 31
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00
IKE Recv RAW packet dump
b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67 | ..NVM..*.@.]..Ig
04 10 02 00 00 00 00 00 00 00 00 b8 0a 00 00 84 | ................
08 da ec 1d 50 67 35 31 dd 86 2e 10 8a 06 f9 5a | ....Pg51.......Z
15 b8 21 8f 41 78 91 6e 6a 58 69 9e 51 b2 3e c8 | ..!.Ax.njXi.Q.>.
f2 73 66 c6 dc 96 fc 02 c3 a8 4f 50 8c 39 c8 2e | .sf.......OP.9..
f1 ee f9 19 c3 b5 c8 19 2e d3 59 64 bb 78 19 a8 | ..........Yd.x..
ff e4 02 a6 82 a4 2c 73 ba 9a 7a c3 7b 3b 25 d9 | ......,s..z.{;%.
7b d5 e0 52 a5 c6 fb 5e b7 42 8e 5d 93 7d 83 c5 | {..R...^.B.].}..
91 8f 7d f9 4f 05 66 4b 6c c0 da bc 80 44 a5 1b | ..}.O.fKl....D..
da f4 34 03 3a a2 bd 24 6a 9c ff 47 3c f3 ba e8 | ..4.:..$j..G<...
00 00 00 18 1a bf f9 d7 92 92 38 1f 1f 37 48 18 | ..........8..7H.
e2 84 c9 5e 86 2c c8 e8 | ...^.,..
RECV PACKET from XXX.XXX.XXX.162
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Key Exchange
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 184
Payload Key Exchange
Next Payload: Nonce
Reserved: 00
Payload Length: 132
Data:
08 da ec 1d 50 67 35 31 dd 86 2e 10 8a 06 f9 5a
15 b8 21 8f 41 78 91 6e 6a 58 69 9e 51 b2 3e c8
f2 73 66 c6 dc 96 fc 02 c3 a8 4f 50 8c 39 c8 2e
f1 ee f9 19 c3 b5 c8 19 2e d3 59 64 bb 78 19 a8
ff e4 02 a6 82 a4 2c 73 ba 9a 7a c3 7b 3b 25 d9
7b d5 e0 52 a5 c6 fb 5e b7 42 8e 5d 93 7d 83 c5
91 8f 7d f9 4f 05 66 4b 6c c0 da bc 80 44 a5 1b
da f4 34 03 3a a2 bd 24 6a 9c ff 47 3c f3 ba e8
Payload Nonce
Next Payload: None
Reserved: 00
Payload Length: 24
Data:
1a bf f9 d7 92 92 38 1f 1f 37 48 18 e2 84 c9 5e
86 2c c8 e8
Jul 16 10:37:06 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 184
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, processing ke payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, processing ISA_KE payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, processing nonce payload
Jul 16 10:37:06 [IKEv1]: IP = XXX.XXX.XXX.162, Connection landed on tunnel_group XXX.XXX.XXX.162
Jul 16 10:37:06 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Generating keys for Initiator...
Jul 16 10:37:06 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing ID payload
Jul 16 10:37:06 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing hash payload
Jul 16 10:37:06 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Computing hash for ISAKMP
Jul 16 10:37:06 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing dpd vid payload
Jul 16 10:37:06 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67 | ..NVM..*.@.]..Ig
05 10 02 00 00 00 00 00 1c 00 00 00 08 00 00 0c | ................
01 11 01 f4 ad 0f 76 c1 0d 00 00 18 7b 35 df 40 | ......v.....{5.@
d0 10 31 39 3a 14 72 50 cb ff 48 de c4 f1 9d e2 | ..19:.rP..H.....
00 00 00 14 af ca d7 13 68 a1 f1 c9 6b 86 96 fc | ........h...k...
77 57 01 00 | wW..
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 469762048
Payload Identification
Next Payload: Hash
Reserved: 00
Payload Length: 12
ID Type: IPv4 Address (1)
Protocol ID (UDP/TCP, etc...): 17
Port: 500
ID Data: YYY.YYY.YYY
Payload Hash
Next Payload: Vendor ID
Reserved: 00
Payload Length: 24
Data:
7b 35 df 40 d0 10 31 39 3a 14 72 50 cb ff 48 de
c4 f1 9d e2
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
SENDING PACKET to XXX.XXX.XXX.162
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (Encryption)
MessageID: 00000000
Length: 84
IKE Recv RAW packet dump
b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67 | ..NVM..*.@.]..Ig
05 10 02 01 00 00 00 00 00 00 00 44 ed 48 40 6f | ...........D.H@o
aa 8e b8 5a b3 59 f7 d8 cc 4e e9 a7 d3 d1 0a 04 | ...Z.Y...N......
ca cf 7f 53 11 d9 ea e7 fa eb 2f ad cf 85 fc d8 | ..S....../.....
d0 00 1e 11 | ....
RECV PACKET from XXX.XXX.XXX.162
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (Encryption)
MessageID: 00000000
Length: 68
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (Encryption)
MessageID: 00000000
Length: 68
Payload Identification
Next Payload: Hash
Reserved: 00
Payload Length: 12
ID Type: IPv4 Address (1)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: XXX.XXX.XXX.162
Payload Hash
Next Payload: None
Reserved: 00
Payload Length: 24
Data:
9d 85 c6 d1 37 3d 5e df 25 22 2c 01 1f f8 4d 42
e5 51 da ed
Jul 16 10:37:07 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing ID payload
Jul 16 10:37:07 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, ID_IPV4_ADDR ID received
XXX.XXX.XXX.162
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing hash payload
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Computing hash for ISAKMP
Jul 16 10:37:07 [IKEv1]: IP = XXX.XXX.XXX.162, Connection landed on tunnel_group XXX.XXX.XXX.162
Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Freeing previously allocated memory for authorization-dn-attributes
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Oakley begin quick mode
Jul 16 10:37:07 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Initiator starting QM: msg id = d034947b
Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, PHASE 1 COMPLETED
Jul 16 10:37:07 [IKEv1]: IP = XXX.XXX.XXX.162, Keep-alive type for this connection: None
Jul 16 10:37:07 [IKEv1]: IP = XXX.XXX.XXX.162, Keep-alives configured on but peer does not support keep-alives (type = None)
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Starting P1 rekey timer: 21600 seconds.
IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey GETSPI message
IPSEC: Creating IPsec SA
IPSEC: Getting the inbound SPI
IPSEC: New embryonic SA created @ 0x03F0A668,
SCB: 0x03E6B0D0,
Direction: inbound
SPI : 0xAC3E784B
Session ID: 0x00000023
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE got SPI from key engine: SPI = 0xac3e784b
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, oakley constucting quick mode
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing blank hash payload
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing IPSec SA payload
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing IPSec nonce payload
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing proxy ID
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Transmitting Proxy Id:
Local subnet: 192.168.100.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 10.1.245.0 Mask 255.255.255.0 Protocol 0 Port 0
Jul 16 10:37:07 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Initiator sending Initial Contact
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing qm hash payload
Jul 16 10:37:07 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Initiator sending 1st QM pkt: msg id = d034947b
Jul 16 10:37:07 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE SENDING Message (msgid=d034947b) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 196
BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (none)
MessageID: 7B9434D0
Length: 469762048
Payload Hash
Next Payload: Security Association
Reserved: 00
Payload Length: 24
Data:
3f 10 13 8a 47 5e 02 06 75 50 d3 43 26 14 5f 12
dd 0f 3c fa
Payload Security Association
Next Payload: Nonce
Reserved: 00
Payload Length: 60
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 48
Proposal #: 1
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: ac 3e 78 4b
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: ESP_3DES
Reserved2: 0000
Life Type: Seconds
Life Duration (Hex): 0e 10
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Encapsulation Mode: Tunnel
Authentication Algorithm: SHA1
Payload Nonce
Next Payload: Identification
Reserved: 00
Payload Length: 24
Data:
53 e8 3e 40 01 c5 64 9e 79 39 ea 39 ab a6 0d 55
14 26 f1 49
Payload Identification
Next Payload: Identification
Reserved: 00
Payload Length: 16
ID Type: IPv4 Subnet (4)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: DG-office/255.255.255.0
Payload Identification
Next Payload: Notification
Reserved: 00
Payload Length: 16
ID Type: IPv4 Subnet (4)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: Colo/255.255.255.0
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 28
DOI: IPsec
Protocol-ID: PROTO_ISAKMP
Spi Size: 16
Notify Type: STATUS_INITIAL_CONTACT
SPI:
b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: D034947B
Length: 196
IKE Recv RAW packet dump
RECV PACKET from XXX.XXX.XXX.162
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: EED1A504
Length: 68
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: EED1A504
Length: 68
Payload Hash
Next Payload: Notification
Reserved: 00
Payload Length: 24
Data:
53 20 d4 29 bd 19 4a b1 f6 65 f7 c4 e8 6d 5c af
cf fa ea b5
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 16
DOI: IPsec
Protocol-ID: PROTO_IPSEC_ESP
Spi Size: 4
Notify Type: INVALID_ID_INFO
SPI: 00 00 00 00
Jul 16 10:37:07 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE RECEIVED Message (msgid=eed1a504) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing hash payload
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing notify payload
Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Received non-routine Notify message: Invalid ID info (18)
IKE Recv RAW packet dump
RECV PACKET from XXX.XXX.XXX.162
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: A27BCD29
Length: 172
Jul 16 10:37:07 [IKEv1 DECODE]: IP = XXX.XXX.XXX.162, IKE Responder starting QM: msg id = a27bcd29
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: A27BCD29
Length: 172
Payload Hash
Next Payload: Security Association
Reserved: 00
Payload Length: 24
Data:
9c 15 1c c7 d7 e6 b5 91 c6 8e 1b d6 b2 4c c7 63
ee 9f 60 3e
Payload Security Association
Next Payload: Nonce
Reserved: 00
Payload Length: 64
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 52
Proposal #: 1
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: de 9f df a1
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: ESP_3DES
Reserved2: 0000
Life Type: Seconds
Life Duration (Hex): 00 00 0e 10
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Encapsulation Mode: Tunnel
Authentication Algorithm: SHA1
Payload Nonce
Next Payload: Identification
Reserved: 00
Payload Length: 24
Data:
ed 0a 2d a8 d8 f0 80 aa c6 19 bf 9e bb d3 68 18
0c 40 15 96
Payload Identification
Next Payload: Identification
Reserved: 00
Payload Length: 16
ID Type: IPv4 Subnet (4)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: Colo/255.255.255.0
Payload Identification
Next Payload: None
Reserved: 00
Payload Length: 16
ID Type: IPv4 Subnet (4)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: 192.168.100.16/255.255.255.240
Jul 16 10:37:07 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE RECEIVED Message (msgid=a27bcd29) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing hash payload
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing SA payload
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing nonce payload
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing ID payload
Jul 16 10:37:07 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, ID_IPV4_ADDR_SUBNET ID received--10.1.245.0--255.255.255.0
Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Received remote IP Proxy Subnet data in ID Payload: Address 10.1.245.0, Mask 255.255.255.0, Protocol 0, Port 0
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing ID payload
Jul 16 10:37:07 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, ID_IPV4_ADDR_SUBNET ID received--192.168.100.16--255.255.255.240
Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Received local IP Proxy Subnet data in ID Payload: Address 192.168.100.16, Mask 255.255.255.240, Protocol 0, Port 0
Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, QM IsRekeyed old sa not found by addr
Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Static Crypto Map check, checking map = outside_map, seq = 1...
Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Static Crypto Map check, map outside_map, seq = 1 is a successful match
Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Remote Peer configured for crypto map: outside_map
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing IPSec SA payload
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IPSec SA Proposal # 1, Transform # 1 acceptable Matches global IPSec SA entry # 1
Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE: requesting SPI!
IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey GETSPI message
IPSEC: Creating IPsec SA
IPSEC: Getting the inbound SPI
IPSEC: New embryonic SA created @ 0x0406CF98,
SCB: 0x03E3BE78,
Direction: inbound
SPI : 0x8B032DDE
Session ID: 0x00000023
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE got SPI from key engine: SPI = 0x8b032dde
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, oakley constucting quick mode
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing blank hash payload
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing IPSec SA payload
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing IPSec nonce payload
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing proxy ID
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Transmitting Proxy Id:
Remote subnet: 10.1.245.0 Mask 255.255.255.0 Protocol 0 Port 0
Local subnet: 192.168.100.16 mask 255.255.255.240 Protocol 0 Port 0
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing qm hash payload
Jul 16 10:37:07 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Responder sending 2nd QM pkt: msg id = a27bcd29
Jul 16 10:37:07 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE SENDING Message (msgid=a27bcd29) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168
BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
IKE Recv RAW packet dump
Jul 16 10:37:07 [IKEv1]
IPSEC: New embryonic SA created @ 0x03F64B78,
SCB: 0x03F74178,
Direction: outbound
SPI : 0xDE9FDFA1
Session ID: 0x00000023
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: Completed host OBSA update, SPI 0xDE9FDFA1
IPSEC: Creating outbound VPN context, SPI 0xDE9FDFA1
Flags: 0x00000005
SA : 0x03F64B78
SPI : 0xDE9FDFA1
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00000000
SCB : 0x03F74178
Channel: 0x0174FC00
IPSEC: Increment SA NP ref counter for outbound SPI 0xDE9FDFA1, old value: 0, new value: 1, (ctm_ipsec_create_vpn_context:5166)
IPSEC: Completed outbound VPN context, SPI 0xDE9FDFA1
VPN handle: 0x053ADADC
IPSEC: Increment SA NP ref counter for outbound SPI 0xDE9FDFA1, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:4257)
Jul 16 10:37:09 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: D034947B
Length: 196
Jul 16 10:37:15 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 16 10:37:18 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 16 10:37:21 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: D034947B
Length: 196
Jul 16 10:37:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: D034947B
Length: 196
Jul 16 10:37:39 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, QM FSM error (P2 struct &0x3f0cf28, mess id 0xd034947b)!
Jul 16 10:37:39 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE QM Initiator FSM error history (struct &0x3f0cf28) , : QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Jul 16 10:37:39 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, sending delete/delete with reason message
Jul 16 10:37:39 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing blank hash payload
Jul 16 10:37:39 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jul 16 10:37:39 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Deleting SA: Remote Proxy 10.1.245.0, Local Proxy 192.168.100.0
Jul 16 10:37:39 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Removing peer from correlator table failed, no match!
IPSEC: Received a PFKey message from IKE
IPSEC: Destroy current inbound SPI: 0xAC3E784B
Jul 16 10:37:39 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xac3e784b
Jul 16 10:37:40 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 16 10:37:40 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Initiator: New Phase 2, Intf inside, IKE Peer XXX.XXX.XXX.162 local Proxy Address 192.168.100.0, remote Proxy Address 10.1.245.0, Crypto map (outside_map)
Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Oakley begin quick mode
Jul 16 10:37:40 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Initiator starting QM: msg id = 51890662
IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey GETSPI message
IPSEC: Creating IPsec SA
IPSEC: Getting the inbound SPI
IPSEC: New embryonic SA created @ 0x03F0A668,
SCB: 0x03E6B0D0,
Direction: inbound
SPI : 0xF14B8E07
Session ID: 0x00000023
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE got SPI from key engine: SPI = 0xf14b8e07
Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, oakley constucting quick mode
Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing blank hash payload
Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing IPSec SA payload
Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing IPSec nonce payload
Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing proxy ID
Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Transmitting Proxy Id:
Local subnet: 192.168.100.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 10.1.245.0 Mask 255.255.255.0 Protocol 0 Port 0
Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing qm hash payload
Jul 16 10:37:40 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Initiator sending 1st QM pkt: msg id = 51890662
Jul 16 10:37:40 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE SENDING Message (msgid=51890662) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168
BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (none)
MessageID: 62068951
Length: 469762048
Payload Hash
Next Payload: Security Association
Reserved: 00
Payload Length: 24
Data:
d1 63 d0 1c f2 fe 51 54 ed 50 52 e5 15 97 11 61
bc cf 89 bf
Payload Security Association
Next Payload: Nonce
Reserved: 00
Payload Length: 60
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 48
Proposal #: 1
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: f1 4b 8e 07
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: ESP_3DES
Reserved2: 0000
Life Type: Seconds
Life Duration (Hex): 0e 10
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Encapsulation Mode: Tunnel
Authentication Algorithm: SHA1
Payload Nonce
Next Payload: Identification
Reserved: 00
Payload Length: 24
Data:
dc d3 97 00 48 5b e9 d4 05 af ef 1d 5c 3f bd b4
06 e5 ad 4c
Payload Identification
Next Payload: Identification
Reserved: 00
Payload Length: 16
ID Type: IPv4 Subnet (4)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: DG-office/255.255.255.0
Payload Identification
Next Payload: None
Reserved: 00
Payload Length: 16
ID Type: IPv4 Subnet (4)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: Colo/255.255.255.0
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: 51890662
Length: 172
IKE Recv RAW packet dump
RECV PACKET from XXX.XXX.XXX.162
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: 50D5D4B3
Length: 68
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: 50D5D4B3
Length: 68
Payload Hash
Next Payload: Notification
Reserved: 00
Payload Length: 24
Data:
a8 07 00 a6 3c 57 dd 50 49 a7 5e e0 55 ab 01 f3
65 29 9e 9b
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 16
DOI: IPsec
Protocol-ID: PROTO_IPSEC_ESP
Spi Size: 4
Notify Type: INVALID_ID_INFO
SPI: 00 00 00 00
Jul 16 10:37:40 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE RECEIVED Message (msgid=50d5d4b3) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68
Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing hash payload
Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing notify payload
Jul 16 10:37:40 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Received non-routine Notify message: Invalid ID info (18)
Jul 16 10:37:43 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: 51890662
Length: 172
Jul 16 10:37:49 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
VIREasa#
VIREasa# no debug crypto isakmp 255
VIREasa# no debug crypto ipsec 255
VIREasa#
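The debug above shows why Phase 2 never comes up: this ASA transmits the proxy ID 192.168.100.0/24 <-> 10.1.245.0/24, the peer answers INVALID_ID_INFO, and when the peer initiates it proposes 192.168.100.16/28 instead. The script below is an added example (not from the post or from Cisco) that pulls both sides' proxy IDs out of "debug crypto isakmp" lines like these and reports the mismatch; the regexes are assumptions about the debug line format, and SAMPLE_DEBUG is constructed to mirror the post.

```python
"""Diagnose an IKEv1 Quick Mode INVALID_ID_INFO from ASA 'debug crypto isakmp' lines.
Added example, not the post's or Cisco's code; regexes are assumptions about the debug
format and SAMPLE_DEBUG is constructed to mirror the post (peer IP masked as there)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# "Transmitting Proxy Id:" is followed by one "Local subnet:" and one "Remote subnet:"
# line (either order; the mask keyword is capitalised on one of them).
PROXY_HDR = re.compile(r"Transmitting Proxy Id:")
SUBNET_LINE = re.compile(r"^(Local|Remote) subnet: " + IPV4 + r" mask " + IPV4, re.IGNORECASE)
# Responder role: the ASA logs the peer's IDs already translated into its own perspective.
RECEIVED = re.compile(r"Received (local|remote) IP Proxy Subnet data in ID Payload: "
                      r"Address " + IPV4 + r", Mask " + IPV4)
INVALID_ID = re.compile(r"Received non-routine Notify message: Invalid ID info \(18\)")

# Constructed sample modelled on the debug lines in the post.
SAMPLE_DEBUG = """\
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Transmitting Proxy Id:
Local subnet: 192.168.100.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 10.1.245.0 Mask 255.255.255.0 Protocol 0 Port 0
Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Received non-routine Notify message: Invalid ID info (18)
Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Received remote IP Proxy Subnet data in ID Payload: Address 10.1.245.0, Mask 255.255.255.0, Protocol 0, Port 0
Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Received local IP Proxy Subnet data in ID Payload: Address 192.168.100.16, Mask 255.255.255.240, Protocol 0, Port 0
"""


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


@dataclass
class ProxyIds:
    sent: Dict[str, ipaddress.IPv4Network] = field(default_factory=dict)      # our proposal
    received: Dict[str, ipaddress.IPv4Network] = field(default_factory=dict)  # peer's proposal
    invalid_id_notifies: int = 0


def parse_debug(text: str) -> ProxyIds:
    """Collect proxy IDs from both QM roles plus any INVALID_ID_INFO notifications."""
    ids = ProxyIds()
    in_proxy_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if PROXY_HDR.search(line):
            in_proxy_block = True
            continue
        if in_proxy_block:
            m = SUBNET_LINE.match(line)
            if m:
                ids.sent[m.group(1).lower()] = _net(m.group(2), m.group(3))
                continue
            in_proxy_block = False  # the block ends at the first non-subnet line
        m = RECEIVED.search(line)
        if m:
            ids.received[m.group(1)] = _net(m.group(2), m.group(3))
        elif INVALID_ID.search(line):
            ids.invalid_id_notifies += 1
    return ids


def diagnose(ids: ProxyIds) -> List[str]:
    """Explain a Phase 2 failure: IKEv1 proxy IDs must be exact mirror images on both peers."""
    findings = []
    for side in ("local", "remote"):
        ours, theirs = ids.sent.get(side), ids.received.get(side)
        if ours is None or theirs is None or ours == theirs:
            continue
        nested = ours.subnet_of(theirs) or theirs.subnet_of(ours)
        findings.append(
            f"{side} proxy ID mismatch: this ASA proposes {ours}, peer proposes {theirs}"
            + (" (one is nested in the other, which IKEv1 still rejects)" if nested else " (disjoint)"))
    if ids.invalid_id_notifies and not findings:
        findings.append("peer sent INVALID_ID_INFO but no conflicting proxy IDs were captured; "
                        "compare the crypto ACLs on both peers directly")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_debug(SAMPLE_DEBUG)):
        print(finding)
```

Run against the full debug capture, it flags only the local side (192.168.100.0/24 versus 192.168.100.16/28); the remote side 10.1.245.0/24 agrees, which is why the peer-initiated Quick Mode matched outside_map seq 1 while this ASA's own proposal was rejected.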