IPv6 / IPSec / VRF
All, I am trying to configure IPv6 IPSec (with tunnel protection mode) on a tunnel interface within a VRF, not the global routing table. I have searched Google and found the following post, in which a user discusses a very similar situation. Near the end of the thread, he posts a response from a TAC engineer listing some bug IDs, but I cannot find any info on those in the Bug Toolkit.
https://supportforums.cisco.com/thread/2119892
Has anyone heard or seen anything relating to this issue? I will continue to search as well. Thanks.
P.S. I can make the configuration work in the global context, but when I change the crypto keyring, isakmp profile, tunnel interface (using both 'vrf forwarding' and 'tunnel vrf' commands), it does not work. Show commands display the following:
R1#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
dst: FEC0:0:0:1::1
src: FEC0:0:0:1::2
state: MM_SA_SETUP conn-id: 0 status: ACTIVE
R1#show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: FEC0:0:0:1::2 port 500
IKE SA: local FEC0:0:0:1::1/500
remote FEC0:0:0:1::2/500 Inactive
R1#show crypto ipsec sa
R1#
So it looks like the IKE SA comes up, but for some reason, the IPSec SA does not come up (debugging shows phase 1 timing out "death by retransmission", which makes me think routing within the crypto/ipv6/vrf setup is not working properly). Any thoughts or comments are appreciated. Thanks.
So, in playing around with this setup, I changed the tunnel mode to ipv6 with no encryption, just to see if I could get the tunnel to reach the up/up state. I was not able to initially, but just for fun I added a static route to the global routing table for the tunnel destination IPv6 address, used the nexthop-vrf keyword, and boom, the tunnel went to UP/UP!
So it looks like for some reason the "tunnel vrf" command is not taking effect and the tunnel is trying to use the global table rather than the vrf specific table to reach the tunnel endpoint. It looks like this is a problem with the "tunnel vrf" command referencing an IPv6-enabled vrf.
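The two formats of "show crypto isakmp sa" seen in this thread (the IPv4 table and the multi-line IPv6 dst:/src:/state: block) can be parsed mechanically, which helps when checking many VRF peers at once. The following is an added example, not code from the original post or from Cisco: it parses both forms and lists the SAs whose phase 1 has not reached QM_IDLE (the IPv6 SA above sits in MM_SA_SETUP with conn-id 0, which is exactly the "IKE never finishes" symptom the thread describes). The sample output is constructed from the thread's values plus an IPv4 table with one torn-down row and one healthy row.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the IPv6 block from the thread above, plus an IPv4 table with
# a deleted MM_NO_STATE row and one healthy QM_IDLE row for contrast.
SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
173.46.8.98     192.33.232.209  MM_NO_STATE       9023 ACTIVE (deleted)
10.0.0.2        10.0.0.1        QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

 dst: FEC0:0:0:1::1
 src: FEC0:0:0:1::2
 state: MM_SA_SETUP          conn-id:      0 status: ACTIVE
"""


@dataclass
class IsakmpSa:
    family: str
    dst: str
    src: str
    state: str
    conn_id: int
    status: str


# QM_IDLE is the only state in which IKEv1 phase 1 is complete; MM_* (main mode)
# and AG_* (aggressive mode) states mean phase 1 is still negotiating.
IPV4_ROW = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>\S+)\s+(?P<conn>\d+)\s+(?P<status>.+?)\s*$"
)
IPV6_STATE = re.compile(
    r"^\s*state:\s*(?P<state>\S+)\s+conn-id:\s*(?P<conn>\d+)\s+status:\s*(?P<status>.+?)\s*$"
)


def parse_isakmp_sa(text: str) -> List[IsakmpSa]:
    """Parse both the IPv4 table form and the IPv6 dst:/src:/state: block form."""
    sas: List[IsakmpSa] = []
    family = None
    pending = {}  # dst/src gathered for the IPv6 block currently being read
    for line in text.splitlines():
        if line.startswith("IPv4 Crypto ISAKMP SA"):
            family = "ipv4"
            continue
        if line.startswith("IPv6 Crypto ISAKMP SA"):
            family = "ipv6"
            pending = {}
            continue
        if family == "ipv4":
            m = IPV4_ROW.match(line)
            if m:
                sas.append(IsakmpSa("ipv4", m["dst"], m["src"], m["state"],
                                    int(m["conn"]), m["status"]))
        elif family == "ipv6":
            stripped = line.strip()
            if stripped.startswith("dst:"):
                pending["dst"] = stripped.split(":", 1)[1].strip()
            elif stripped.startswith("src:"):
                pending["src"] = stripped.split(":", 1)[1].strip()
            else:
                m = IPV6_STATE.match(line)
                if m and "dst" in pending and "src" in pending:
                    sas.append(IsakmpSa("ipv6", pending["dst"], pending["src"],
                                        m["state"], int(m["conn"]), m["status"]))
                    pending = {}
    return sas


def incomplete_phase1(sas: List[IsakmpSa]) -> List[IsakmpSa]:
    """SAs that never finished phase 1, or that IOS has already marked deleted."""
    return [sa for sa in sas if sa.state != "QM_IDLE" or "deleted" in sa.status]


if __name__ == "__main__":
    for sa in incomplete_phase1(parse_isakmp_sa(SAMPLE)):
        print(f"{sa.family} {sa.src} -> {sa.dst}: {sa.state} "
              f"conn-id {sa.conn_id} ({sa.status})")
```

Run against live output, the list printed is the set of peers worth investigating with "show crypto session" and the ISAKMP debug; a healthy VRF peer shows up in neither.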
Similar Messages
-
IPSec VRF Aware (Crypto Map)
Hello!
I have a problem configuring VRF-aware IPsec (crypto map).
Traffic from subnet 10.6.6.248/29 does not pass through the router, but if I run the command "ping vrf inside 10.5.5.1 source gi 0/1.737" it works fine.
Configuration below:
ip vrf outside
rd 1:1
ip vrf inside
rd 2:2
track 10 ip sla 10 reachability
ip sla schedule 10 life forever start-time now
crypto keyring outside vrf outside
pre-shared-key address 10.10.10.100 key XXXXXX
crypto isakmp policy 20
encr aes 256
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp profile AS_outside
vrf inside
keyring outside
match identity address 10.10.10.100 255.255.255.255 outside
isakmp authorization list default
crypto ipsec transform-set ESP-AES esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec df-bit clear
crypto map outside 10 ipsec-isakmp
set peer 10.10.10.100
set security-association idle-time 3600
set transform-set ESP-AES
set pfs group2
set isakmp-profile AS_outside
match address inside_access
ip route vrf inside 10.5.5.0 255.255.255.0 GigabitEthernet0/0.806 10.10.10.100 track 10
ip access-list extended inside_access
permit ip 10.6.6.248 0.0.0.7 10.5.5.0 0.0.0.255
ip sla 10
icmp-echo 10.10.10.100 source-interface GigabitEthernet0/0.806
vrf outside
interface GigabitEthernet0/0.806
ip vrf forwarding outside
ip address 10.10.10.101 255.255.255.0
crypto map outside
interface GigabitEthernet0/1.737
ip vrf forwarding inside
ip address 10.6.6.252 255.255.255.248
Hello Frank!
>> 1. You may want to consider removing the "track 10" from your static route to eliminate any issues that this could be causing.
I tried it before. Nothing changes.
>> 2. If you teardown the tunnel, can the traffic from your end client (not the ping generated locally) cause the tunnel to build? If not, you may want to use netflow or ACL counters to verify that your packets are hitting the inside interface.
I also checked that. NetFlow shows counters, but the ACL counters do not. The source IP is 10.6.6.254/29.
show command below:
ISR-vpn-1#show ip cef vrf inside exact-route 10.6.6.254 10.5.5.1
10.6.6.254 -> 10.5.5.1 => IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
ISR-vpn-1#show ip cef vrf inside 10.24.1.0/24 internal
10.5.5.0/24, epoch 0, RIB[S], refcount 5, per-destination sharing
sources: RIB
feature space:
NetFlow: Origin AS 0, Peer AS 0, Mask Bits 24
ifnums:
GigabitEthernet0/0.806(24): 10.10.10.100
path 22D160E8, path list 22AC27E8, share 1/1, type attached nexthop, for IPv4
nexthop 10.10.10.100 GigabitEthernet0/0.806, adjacency IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
output chain: IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete) -
How to configure OSPFv3 with VRF in IOS (a guide)
Hi everybody,
I recently found myself in need of configuring VRF-segregated IPv6 routing with OSPFv3 in a pair of IOS 6500s. After a bit of research, I found that although the latest IOS releases for the 6500 (15.1(1)SY for the Sup720 and Sup2T) support configuring OSPFv3 on VRFs, Cisco has yet to release any documentation pertaining to its configuration other than command references. So, I thought I would share some of the pertinent and important details I discovered along the way to getting this working and collect them all in one place to help out anyone else who is trying to do this.
1. The first thing you need to do is turn it on. Make sure you have enabled IPv6 routing with the "ipv6 unicast-routing" command and IPv6 VRFs with the "mls ipv6 vrf" command. Without these enabled, everything you try that seems like it should work will fail.
2. You must use the new style VRF definition commands, the old "ip vrf <name>" commands are for IPv4 only. The new style of configuring the VRFs is "vrf definition <name>", under these VRFs you must specify the IP versions you want to run with the "address-family ipv4" and "address-family ipv6" commands. Also the command to place an interface into these VRFs is slightly different as well. On an interface, you must use the "vrf forwarding <name>" command instead of the old "ip vrf forwarding <name>" command.
3. For OSPFv3 instances, the VRF is defined after you enter the process, using the "address-family ipv6 unicast vrf <name>" command. OSPFv2 instances still define the VRF at the same time as the process, using the traditional "router ospf <process> vrf <name>" command.
4. After you get this all configured the "show ipv6 ospf" commands will no longer work. You need to use the "show ospfv3 vrf" commands instead.
I have attached a sample configuration of what I did. If anyone out there knows this better than I do, please correct anything I got wrong and/or add anything you think would be helpful. I would just like there to be a good source of info available for this subject, so people don't have to waste their time figuring this out the hard way.
Best Regards,
Greg
Greg,
Great information.
Thanks for posting this!!!
Reza -
With IPv6, I am most concerned today with receiving an IPv6 address from my ISP for my Spoke networks. I don't have plans to convert my Spoke LANs or internal application servers to IPv6 anytime soon. Reviewing all the books and technical documentation out there, I don't see discussion about how to get my IPv4 traffic tunneled through the Internet via an IPv6 carrier, a 4to6 tunnel. Currently I'm running DMVPN, which appears to support IPv6 tunnels, native and 6to4. Can anyone provide direction or expertise on how to get IPv4 traffic between Enterprise locations as ISPs move to IPv6 addressing?
Thanks.
Ryan,
If this is a question of connecting LANs in different branches:
The decently scalable option is GRE (with DMVPN being the neatest).
On top, ASA supports IPv4 in IPv6 IPsec (to other ASAs at this point).
You might have a bit more challenges if you want to provide access to non-internal resources (Internet, partner sites) without IPv4 on WANs.
M. -
Hi,
I have a dual-stacked DMVPN hub site; VPN for either IPv4 or IPv6 is working properly, but not both at the same time.
If the IPv4 peers connect first, then the IPv6 peers are unable to form an IPsec security association, and the other way around. Crypto ISAKMP phase 1 is built correctly.
A "show crypto ipsec sa" on the hub shows only SAs for the kind of peers that connected first. A "show crypto ipsec sa" on the spoke that is unable to form a security association with the hub shows a security association, but with no proposals and rising send error counters:
Spoke (IPv4) SA
interface: Tunnel1
Crypto map tag: My-Profile-v4-head-1, local addr 2.2.2.1
protected vrf: (none)
local ident (addr/mask/prot/port): (2.2.2.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 23255, #recv errors 0
local crypto endpt.: 2.2.2.1, remote crypto endpt.: 1.1.1.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb (none)
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
I'm running IOS Version 15.3(2)T, is there some kind of known bug and/or a workaround for this?
Interface Configuration
interface GigabitEthernet0
description ** Outside **
ip address 1.1.1.1 255.255.255.0
duplex auto
speed auto
ipv6 address 2001:1:1:1::1/64
Crypto Configuration
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14
crypto isakmp key cisco address 0.0.0.0 no-xauth
crypto isakmp key cisco address ipv6 ::/0 no-xauth
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set My-Set esp-aes 256 esp-sha512-hmac
mode tunnel
crypto ipsec profile My-Profile-v4
description ** IPsec Profile fuer IPv4 Peers **
set transform-set My-Set
set pfs group2
crypto ipsec profile My-Profile-v6
description ** IPsec Profile fuer IPv6 Peers **
set transform-set My-Set
set pfs group2
Tunnel Configuration
interface Tunnel1
description ** DMVPN Intranet IPv4 **
bandwidth 1000
ip vrf forwarding VPN
ip address 10.0.10.1 255.255.255.0
no ip redirects
ip mtu 1416
no ip next-hop-self eigrp 65351
no ip split-horizon eigrp 65351
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 360
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
shutdown
keepalive 10 3
tunnel source GigabitEthernet0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile My-Profile-v4 shared
interface Tunnel2
description ** DMVPN Intranet IPv6 **
bandwidth 1000
ip vrf forwarding VPN
ip address 10.0.12.1 255.255.255.0
ip mtu 1416
no ip next-hop-self eigrp 65351
no ip split-horizon eigrp 65351
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp holdtime 360
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
keepalive 10 3
tunnel source GigabitEthernet0
tunnel mode gre multipoint ipv6
tunnel key 2
tunnel protection ipsec profile My-Profile-v6 shared
Regards,
Thomas
Hello Marcin,
it is working now :-)
First I was running a dual-stacked spoke as well, but now I am using one IPv4-only and one IPv6-only spoke. The IPsec profiles are "shared" because, besides the two tunnels shown, I have one more IPv4 and IPv6 tunnel for extranet use. The spoke sites use "shared" as well, because they build a backup VPN tunnel to a second hub router.
I have removed the "keepalive 10 3" from my Tunnel interfaces and rebooted the routers and everything is working now.
Here are my final configurations:
Crypto
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14
crypto isakmp key cisco address 0.0.0.0 no-xauth
crypto isakmp key cisco address ipv6 ::/0 no-xauth
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set My-Set esp-aes 256 esp-sha512-hmac
mode tunnel
crypto ipsec profile My-Profile-v4
description ** IPsec Profile fuer IPv4 Peers **
set transform-set My-Set
set pfs group2
crypto ipsec profile My-Profile-v6
description ** IPsec Profile fuer IPv6 Peers **
set transform-set My-Set
set pfs group2
Tunnel Hub Dual Stacked
interface Tunnel1
description ** DMVPN Intranet IPv4 **
bandwidth 1000
ip vrf forwarding VPN
ip address 10.0.10.1 255.255.255.0
no ip redirects
ip mtu 1416
no ip next-hop-self eigrp 65351
no ip split-horizon eigrp 65351
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 360
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
tunnel source GigabitEthernet0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile My-Profile-v4 shared
interface Tunnel2
description ** DMVPN Intranet IPv6 **
bandwidth 1000
ip vrf forwarding VPN
ip address 10.0.12.1 255.255.255.0
ip mtu 1416
no ip next-hop-self eigrp 65351
no ip split-horizon eigrp 65351
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp holdtime 360
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
tunnel source GigabitEthernet0
tunnel mode gre multipoint ipv6
tunnel key 2
tunnel protection ipsec profile My-Profile-v6 shared
end
Tunnel Spoke IPv4
interface Tunnel1
description ** DMVPN Intranet IPv4 **
ip vrf forwarding VPN
ip address 10.0.10.2 255.255.255.0
no ip redirects
ip mtu 1416
ip pim sparse-mode
ip nhrp map 10.0.10.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 1
ip nhrp holdtime 360
ip nhrp nhs 10.0.10.1
ip nhrp shortcut
ip tcp adjust-mss 1360
delay 1000
tunnel source GigabitEthernet0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile My-Profile-v4 shared
end
Tunnel Spoke IPv6
interface Tunnel1
description ** DMVPN Intranet IPv6 **
ip vrf forwarding VPN
ip address 10.0.12.2 255.255.255.0
no ip redirects
ip mtu 1416
ip pim sparse-mode
ip nhrp map 10.0.12.1 2001:1:1:1::1
ip nhrp map multicast 2001:1:1:1::1
ip nhrp network-id 2
ip nhrp holdtime 360
ip nhrp nhs 10.0.12.1
ip nhrp shortcut
ip tcp adjust-mss 1360
delay 1000
tunnel source GigabitEthernet0
tunnel mode gre multipoint ipv6
tunnel key 2
tunnel protection ipsec profile My-Profile-v6 shared
end
Thanks again
Thomas -
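The spoke output Thomas pasted is the signature of a phase-2 failure: the flags include ipsec_sa_request_sent, no inbound or outbound ESP SAs are listed, the outbound SPI is 0x0, and only the send-error counter moves. The following added example (not code from the thread or from Cisco) parses "show crypto ipsec sa" into per-peer entries and classifies each one from those fields alone. The sample output is constructed: the failing IPv4 entry above, followed by a healthy IPv6 entry using 2001:DB8::/32 documentation addresses and made-up SPIs.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the failing IPv4 spoke entry from the thread, then a healthy
# IPv6 entry (documentation addresses, made-up SPIs) for contrast.
SAMPLE = """\
interface: Tunnel1
    Crypto map tag: My-Profile-v4-head-1, local addr 2.2.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 23255, #recv errors 0

     current outbound spi: 0x0(0)

     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

interface: Tunnel2
    Crypto map tag: My-Profile-v6-head-1, local addr 2001:DB8:1:1::1

   protected vrf: (none)
   current_peer 2001:DB8:1:1::2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
    #pkts decaps: 1100, #pkts decrypt: 1100, #pkts verify: 1100
    #send errors 0, #recv errors 0

     current outbound spi: 0xC0FFEE01(3237998081)

     inbound esp sas:
      spi: 0xDEADBEEF(3735928559)
        transform: esp-256-aes esp-sha512-hmac ,
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xC0FFEE01(3237998081)
        transform: esp-256-aes esp-sha512-hmac ,
     outbound ah sas:
     outbound pcp sas:
"""

ENCAPS = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS = re.compile(r"#pkts decaps:\s*(\d+)")
SEND_ERR = re.compile(r"#send errors\s*(\d+)")
FLAGS = re.compile(r"flags=\{([^}]*)\}")


def parse_ipsec_sa(text: str) -> List[Dict]:
    """One dict per current_peer entry; installed ESP SAs are counted per direction."""
    entries: List[Dict] = []
    cur: Dict = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("current_peer"):
            cur = {"peer": line.split()[1], "flags": "", "encaps": 0, "decaps": 0,
                   "send_errors": 0, "outbound_spi": "0x0(0)",
                   "inbound_esp": 0, "outbound_esp": 0}
            entries.append(cur)
            section = ""
        elif not cur:
            continue                       # header lines before the first peer
        elif line.startswith(("PERMIT", "DENY")):
            m = FLAGS.search(line)
            cur["flags"] = m.group(1) if m else ""
        elif (m := ENCAPS.search(line)):
            cur["encaps"] = int(m.group(1))
        elif (m := DECAPS.search(line)):
            cur["decaps"] = int(m.group(1))
        elif (m := SEND_ERR.search(line)):
            cur["send_errors"] = int(m.group(1))
        elif line.startswith("current outbound spi"):
            cur["outbound_spi"] = line.split(":", 1)[1].strip()
        elif line.endswith("sas:"):
            section = line[:-1]            # "inbound esp sas", "outbound esp sas", ...
        elif line.startswith("spi:"):      # one line per installed SA under a section
            if section == "inbound esp sas":
                cur["inbound_esp"] += 1
            elif section == "outbound esp sas":
                cur["outbound_esp"] += 1
    return entries


def diagnose(entry: Dict) -> str:
    """Classify one peer entry from its counters and flags."""
    no_esp = entry["inbound_esp"] == 0 and entry["outbound_esp"] == 0
    if no_esp and "ipsec_sa_request_sent" in entry["flags"]:
        return "phase2-pending"   # IKE asked for an IPsec SA; none was ever installed
    if no_esp:
        return "no-sa"            # nothing requested and nothing negotiated yet
    if entry["encaps"] == 0 and entry["decaps"] == 0:
        return "idle"             # SAs exist but carry no traffic
    return "ok"


def report(text: str) -> List[Tuple[str, str, int]]:
    return [(e["peer"], diagnose(e), e["send_errors"]) for e in parse_ipsec_sa(text)]


if __name__ == "__main__":
    for peer, state, errs in report(SAMPLE):
        print(f"{peer}: {state} (send errors {errs})")
```

A "phase2-pending" peer whose send-error counter keeps growing between two runs is the case on this page: phase 1 succeeded, but the IPsec SA proposal is never accepted, so every packet that matches the tunnel is dropped.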
ToS Preservation with egress remarking on inner packet
Hi, I am using DMVPN/IPSEC/VRFs. On the egress of the DMVPN/VRF tunnel interfaces, I have applied a Service Policy to remark traffic. Hence the remarking occurs on the inner packet header.
Assuming qos pre-classify is NOT enabled, does anyone know how 12.4T IOS code should operate? Options:
1. Copy the "remarked" TOS value to the outer headers as part of the TOS preservation feature
2. Copy the original (pre remarking) TOS value of the inner packet header as part of the TOS preservation feature
3. Egress inner packet header remarking disables TOS preservation feature.
4. Other ?
Problem Space : At remote sites, I can easily perform the QOS remarking on the router LAN ingress interface, rather than on the egress DMVPN tunnel interface. However at the head end, the DMVPN/IPSEC/VRF routers also happen to be MPLS PE devices. Hence remarking on Layer3/4 (IP/Ports) criteria on the ingress interface is not possible as we are dealing with MPLS labels. Hence why I am attempting to do this on the egress on the DMVPN tunnel/VRF interface.
thanks
George
After testing, I can confirm that option 2 appears to apply.
TOS preservation uses the original inner header TOS value rather than the remarked TOS value.
Hence even if the inner header is remarked (let's say from CS1 to AF11) on egress, the outer IPsec header will still have the original TOS setting, i.e. CS1.
This aligns with the QoS Order of Operation.
http://www.cisco.com/en/US/tech/tk543/tk757/technologies_tech_note09186a0080160fc1.shtml
which states -
"On the outbound path, common classification happens before any QoS features are applied. A result of this approach is that any QoS features applied on the outbound policy act upon the original priority value. If you need to take actions based on a remarked value on the same router, then you must mark the packets on the incoming interface and apply other QoS actions based on this new priority on the outgoing interface"
Hopefully the "qos pre-classify" feature should provide the capability to remark both the inner header and outer IPSEC header...back to testing...???
cheers
George
CCIE2980 -
OSPFv3 AF NSSA default-information-originate
Hi,
I'm having trouble injecting a default route into OSPFv3 AF NSSA using this config:
router ospfv3 1520
auto-cost reference-bandwidth 100000
address-family ipv6 unicast vrf CUST-1
redistribute connected route-map SET-TAG-LOCAL
router-id 100.64.20.9
capability vrf-lite
area 1520 nssa default-information-originate
exit-address-family
ipv6 route vrf CUST-1 ::/0 2A01:79A0:3000:F8BB::5
The default route does not get injected into the database. I have to clear the process for this VRF for it to appear in the database:
ROUTER# sh ospfv3 ipv6 vrf CUST-1 dat | in ::|Type-7
Type-7 AS External Link States (Area 1520)
100.64.20.9 632 0x80000004 2A01:79A0:3000:F8BB::/125
ROUTER#clear ospfv3 ipv6 vrf CUST-1 process
Reset selected OSPFv3 processes? [no]: yes
ROUTER# sh ospfv3 ipv6 vrf I-ST-INSIDE-1 dat | in ::|Type-7
Type-7 AS External Link States (Area 1520)
100.64.20.9 1 0x80000001 ::/0
100.64.20.9 1 0x80000001 2A01:79A0:3000:F8BB::/125
ROUTER#
Any help is greatly appreciated.
Thanks.
/JZ
Hi,
A quick check of the config guide shows that their examples of default origination in OSPFv3 use the 'default-information originate' command; this can be tied in with a route-map in order to match a certain condition. I.e. the statement is configured under the process, not using the 'area' command.
1. Create a prefix-list matching the routes (these form the matching condition).
2. Create a route-map with a permit statement matching the prefix-list.
3. default-information originate route-map [map name]
HTH
Mike -
BT Infinity still lagging with Fifa on Xbox One (W...
So I made many posts last year about my unlimited BT Infinity package (~55 Mb down, 16 Mb up) not working with Fifa 14/13 on the 360. I counted about 20 or 30 people experiencing the same issues last year.
The bad news is it's exactly the same on the Xbox One, so anyone who had trouble with delay/lag reaching easo.ea.com last year, don't waste your time with Infinity if you plan on getting an Xbox One.
Averaging 120-160 ms ping on the servers that Xbox One uses in California for Fifa; absolute joke. I had a better connection back in 2004 playing Team Fortress.
Any word or hope of BT attempting to look into the long-acknowledged problem?
Also, a random other question, but I read Xbox One servers can use IPv6/IPsec protocols; how do we set this up on our BT routers?
IPv6 is currently not available on BT residential services. As to server issues, they still happen and nearly always appear at the game server's end, and they always seem unwilling to admit to the problems; similar problems seem to appear on various ISPs worldwide, not just BT.
HP LaserJet 5200 cannot set IP manually.
Hi!
In my HP LaserJet 5200, the field for entering the IP address (Configuration -> JetDirect -> TCP/IP) is empty.
How can I set the IP address?
Thank you!
This printer needs "JetDirect" to operate as a network printer. Or, you would need to set up printer sharing through the computer you have it connected to.
Do you have any of the following on your printer?
Optional connectivity for HP LJ5200:
HP Jetdirect 175x Fast Ethernet Print Server (J6035G), HP Jetdirect en3700 Fast Ethernet Print Server (J7942G), HP Jetdirect 620n Fast Ethernet Print Server (J7934G), HP Jetdirect 625n Gigabit Ethernet Print Server (J7960G), HP Jetdirect 635n IPv6/IPsec Print Server (J7961G), HP Jetdirect ew2400 802.11g Wireless Print Server (J7951G)
If your model is not network ready, you'd need to buy a print server.
For wireless connectivity, you might take a look at Apple's Airport Express, which allows a USB printer to be plugged in to it, and then wireless connectivity from network computers, that are wireless capable.
If you've had wireless connectivity with this printer before, then you should be able to access it from the computer it's attached to, I'd think, by going to printer settings, and configuring from there.
Sorry I can't be of more help, as I've not had personal use of that particular model. Maybe someone will chime in. -
I am trying to set up a VRF IPsec to ASA VPN tunnel. VRF IPsec is at the head office and the ASA is at the customer end. I can successfully establish the tunnel when I initiate a ping from the ASA end (the ping was successful). However, I am getting errors in the IPsec stats when I initiate the ping from the head office (ping between the same hosts as before). A debug was captured from the VRF router. I wonder if you can see the problem from the debug. I appreciate your help in advance.
GTO-ClientEdge-RT1#sh cry ipse sa
interface: GigabitEthernet0/0
Crypto map tag: gto_share_map, local addr 192.33.232.209
protected vrf: vrf-veridian
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 173.46.8.98 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 15, #recv errors 0
local crypto endpt.: 192.33.232.209, remote crypto endpt.: 173.46.8.98
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Crypto ISAKMP debugging is on
GTO-ClientEdge-RT1#
Nov 19 22:46:29.702: ISAKMP:(0): SA request profile is veridian-ike-prof
Nov 19 22:46:29.702: ISAKMP: Created a peer struct for 173.46.8.98, peer port 500
Nov 19 22:46:29.702: ISAKMP: New peer created peer = 0x10927E8 peer_handle = 0x80000019
Nov 19 22:46:29.702: ISAKMP: Locking peer struct 0x10927E8, refcount 1 for isakmp_initiator
Nov 19 22:46:29.702: ISAKMP:(0):Setting client config settings 131406B8
Nov 19 22:46:29.702: ISAKMP/xauth: initializing AAA request
Nov 19 22:46:29.702: ISAKMP: local port 500, remote port 500
Nov 19 22:46:29.702: ISAKMP: set new node 0 to QM_IDLE
Nov 19 22:46:29.702: ISAKMP:(0):insert sa successfully sa = 1235BF68
Nov 19 22:46:29.702: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Nov 19 22:46:29.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-07 ID
Nov 19 22:46:29.702: ISAKMP:(0): c
GTO-ClientEdgeonstructed NAT-T vendor-03 ID
Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-02 ID
Nov 19 22:46:29.702: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Nov 19 22:46:29.702: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Nov 19 22:46:29.702: ISAKMP:(0): beginning Main Mode exchange
Nov 19 22:46:29.702: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_NO_STATE
Nov 19 22:46:29.702: ISAKMP:(0):Sending an IKE IPv4 Packet.
Nov 19 22:46:29.702: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE
Nov 19 22:46:29.702: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:29.702: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Nov 19 22:46:29.702: ISAKMP:(0): processing SA payload. message ID = 0
Nov 19 22:46:29.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:29.702: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Nov 19 22:46:29.702: ISAKMP:(0): vendor ID is NAT-T v2
Nov 19 22:46:29.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:29.702: ISAKMP:(0): processing IKE frag vendor id payload
Nov 19 22:46:29.702: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov 19 22:46:29.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:29.702: ISAKMP:(0): local preshared key found
Nov 19 22:46:29.702: ISAKMP : Looking for xauth in profile veridian-ike-prof
Nov 19 22:46:29.702: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Nov 19 22:46:29.702: ISAKMP: encryption AES-CBC
Nov 19 22:46:29.702: ISAKMP: keylength of 256
Nov 19 22:46:29.702: ISAKMP: hash SHA
Nov 19 22:46:29.702: ISAKMP: default group 5
Nov 19 22:46:29.702: ISAKMP: auth pre-share
Nov 19 22:46:29.702: ISAKMP: life type in seconds
Nov 19 22:46:29.702: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Nov 19 22:46:29.702: ISAKMP:(0):atts are acceptable. Next payload is 0
Nov 19 22:46:29.702: ISAKMP:(0):Acceptable atts:actual life: 0
Nov 19 22:46:29.702: ISAKMP:(0):Acceptable atts:life: 0
Nov 19 22:46:29.702: ISAKMP:(0):Fill atts in sa vpi_length:4
Nov 19 22:46:29.702: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Nov 19 22:46:29.702: ISAKMP:(0):Returning Actual lifetime: 86400
Nov 19 22:46:29.702: ISAKMP:(0)::Started lifetime timer: 86400.
Nov 19 22:46:29.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:29.706: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Nov 19 22:46:29.706: ISAKMP:(0): vendor ID is NAT-T v2
Nov 19 22:46:29.706: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:29.706: ISAKMP:(0): processing IKE frag vendor id payload
Nov 19 22:46:29.706: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov 19 22:46:29.706: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:29.706: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Nov 19 22:46:29.706: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_SA_SETUP
Nov 19 22:46:29.706: ISAKMP:(0):Sending an IKE IPv4 Packet.
Nov 19 22:46:29.706: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:29.706: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Nov 19 22:46:29.802: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_SA_SETUP
Nov 19 22:46:29.802: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:29.802: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Nov 19 22:46:29.802: ISAKMP:(0): processing KE payload. message ID = 0
Nov 19 22:46:29.806: ISAKMP:(0): processing NONCE payload. message ID = 0
Nov 19 22:46:29.806: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID is Unity
Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID seems Unity/DPD but major 86 mismatch
Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID is XAUTH
Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
Nov 19 22:46:29.806: ISAKMP:(9023): speaking to another IOS box!
Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
Nov 19 22:46:29.806: ISAKMP:(9023):vendor ID seems Unity/DPD but hash mismatch
Nov 19 22:46:29.806: ISAKMP:received payload type 20
Nov 19 22:46:29.806: ISAKMP (9023): His hash no match - this node outside NAT
Nov 19 22:46:29.806: ISAKMP:received payload type 20
Nov 19 22:46:29.806: ISAKMP (9023): No NAT Found for self or peer
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM4 New State = IKE_I_MM4
Nov 19 22:46:29.806: ISAKMP:(9023):Send initial contact
Nov 19 22:46:29.806: ISAKMP:(9023):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Nov 19 22:46:29.806: ISAKMP (9023): ID payload
next-payload : 8
type : 1
address : 192.33.232.209
protocol : 17
port : 500
length : 12
Nov 19 22:46:29.806: ISAKMP:(9023):Total payload length: 12
Nov 19 22:46:29.806: ISAKMP:(9023): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Nov 19 22:46:29.806: ISAKMP:(9023):Sending an IKE IPv4 Packet.
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM4 New State = IKE_I_MM5
Nov 19 22:46:29.806: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_KEY_EXCH
Nov 19 22:46:29.806: ISAKMP:(9023): processing ID payload. message ID = 0
Nov 19 22:46:29.806: ISAKMP (9023): ID payload
next-payload : 8
type : 1
address : 173.46.8.98
protocol : 17
port : 0
length : 12
Nov 19 22:46:29.806: ISAKMP:(9023): processing HASH payload. message ID = 0
Nov 19 22:46:29.806: ISAKMP:received payload type 17
Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID is DPD
Nov 19 22:46:29.806: ISAKMP:(9023):SA authentication status:
authenticated
Nov 19 22:46:29.806: ISAKMP:(9023):SA has been authenticated with 173.46.8.98
Nov 19 22:46:29.806: ISAKMP: Trying to insert a peer 192.33.232.209/173.46.8.98/500/vrf-internet, and inserted successfully 10927E8.
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM5 New State = IKE_I_MM6
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM6 New State = IKE_I_MM6
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Nov 19 22:46:29.806: ISAKMP:(9023):beginning Quick Mode exchange, M-ID of 2851020903
Nov 19 22:46:29.806: ISAKMP:(9023):QM Initiator gets spi
Nov 19 22:46:29.806: ISAKMP:(9023): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE
Nov 19 22:46:29.806: ISAKMP:(9023):Sending an IKE IPv4 Packet.
Nov 19 22:46:29.806: ISAKMP:(9023):Node 2851020903, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 19 22:46:29.810: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) QM_IDLE
Nov 19 22:46:29.810: ISAKMP: set new node 1512038398 to QM_IDLE
Nov 19 22:46:29.810: ISAKMP:(9023): processing HASH payload. message ID = 1512038398
Nov 19 22:46:29.810: ISAKMP:(9023): processing NOTIFY INVALID_ID_INFO protocol 1
spi 0, message ID = 1512038398, sa = 0x1235BF68
Nov 19 22:46:29.810: ISAKMP:(9023):peer does not do paranoid keepalives.
Nov 19 22:46:29.810: ISAKMP:(9023):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 173.46.8.98)
Nov 19 22:46:29.810: ISAKMP:(9023):deleting node 1512038398 error FALSE reason "Informational (in) state 1"
Nov 19 22:46:29.810: ISAKMP:(9023):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 19 22:46:29.810: ISAKMP: set new node 260072841 to QM_IDLE
Nov 19 22:46:29.810: ISAKMP:(9023): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE
Nov 19 22:46:29.810: ISAKMP:(9023):Sending an IKE IPv4 Packet.
Nov 19 22:46:29.810: ISAKMP:(9023):purging node 260072841
Nov 19 22:46:29.810: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Nov 19 22:46:29.810: ISAKMP:(9023):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 173.46.8.98)
Nov 19 22:46:29.810: ISAKMP: Unlocking peer struct 0x10927E8 for isadb_mark_sa_deleted(), count 0
Nov 19 22:46:29.810: ISAKMP: Deleting peer node by peer_reap for 173.46.8.98: 10927E8
Nov 19 22:46:29.810: ISAKMP:(9023):deleting node -1443946393 error FALSE reason "IKE deleted"
Nov 19 22:46:29.810: ISAKMP:(9023):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Nov 19 22:46:29.810: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE
GTO-ClientEdge-RT1#sh cry isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
173.46.8.98 192.33.232.209 MM_NO_STATE 9023 ACTIVE (deleted) veridian-ike-prof
IPv6 Crypto ISAKMP SA
GTO-ClientEdge-RT1#
Nov 19 22:46:59.702: ISAKMP:(0): SA request profile is veridian-ike-prof
Nov 19 22:46:59.702: ISAKMP: Created a peer struct for 173.46.8.98, peer port 500
Nov 19 22:46:59.702: ISAKMP: New peer created peer = 0x10927E8 peer_handle = 0x8000001A
Nov 19 22:46:59.702: ISAKMP: Locking peer struct 0x10927E8, refcount 1 for isakmp_initiator
Nov 19 22:46:59.702: ISAKMP:(0):Setting client config settings 1CA9BE8
Nov 19 22:46:59.702: ISAKMP/xauth: initializing AAA request
Nov 19 22:46:59.702: ISAKMP: local port 500, remote port 500
Nov 19 22:46:59.702: ISAKMP: set new node 0 to QM_IDLE
Nov 19 22:46:59.702: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 1235C984
Nov 19 22:46:59.702: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Nov 19 22:46:59.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-07 ID
Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-03 ID
Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-02 ID
Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Nov 19 22:46:59.702: ISAKMP:(0): beginning Main Mode exchange
Nov 19 22:46:59.702: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_NO_STATE
Nov 19 22:46:59.702: ISAKMP:(0):Sending an IKE IPv4 Packet.
Nov 19 22:46:59.702: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE
Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Nov 19 22:46:59.702: ISAKMP:(0): processing SA payload. message ID = 0
Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Nov 19 22:46:59.702: ISAKMP:(0): vendor ID is NAT-T v2
Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0): processing IKE frag vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov 19 22:46:59.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:59.702: ISAKMP:(0): local preshared key found
Nov 19 22:46:59.702: ISAKMP : Looking for xauth in profile veridian-ike-prof
Nov 19 22:46:59.702: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Nov 19 22:46:59.702: ISAKMP: encryption AES-CBC
Nov 19 22:46:59.702: ISAKMP: keylength of 256
Nov 19 22:46:59.702: ISAKMP: hash SHA
Nov 19 22:46:59.702: ISAKMP: default group 5
Nov 19 22:46:59.702: ISAKMP: auth pre-share
Nov 19 22:46:59.702: ISAKMP: life type in seconds
Nov 19 22:46:59.702: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Nov 19 22:46:59.702: ISAKMP:(0):atts are acceptable. Next payload is 0
Nov 19 22:46:59.702: ISAKMP:(0):Acceptable atts:actual life: 0
Nov 19 22:46:59.702: ISAKMP:(0):Acceptable atts:life: 0
Nov 19 22:46:59.702: ISAKMP:(0):Fill atts in sa vpi_length:4
Nov 19 22:46:59.702: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Nov 19 22:46:59.702: ISAKMP:(0):Returning Actual lifetime: 86400
Nov 19 22:46:59.702: ISAKMP:(0)::Started lifetime timer: 86400.
Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Nov 19 22:46:59.702: ISAKMP:(0): vendor ID is NAT-T v2
Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0): processing IKE frag vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Nov 19 22:46:59.702: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_SA_SETUP
Nov 19 22:46:59.702: ISAKMP:(0):Sending an IKE IPv4 Packet.
Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Nov 19 22:46:59.798: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_SA_SETUP
Nov 19 22:46:59.798: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:59.798: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Nov 19 22:46:59.798: ISAKMP:(0): processing KE payload. message ID = 0
Nov 19 22:46:59.802: ISAKMP:(0): processing NONCE payload. message ID = 0
Nov 19 22:46:59.802: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
Nov 19 22:46:59.802: ISAKMP:(9024): vendor ID is Unity
Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
Nov 19 22:46:59.802: ISAKMP:(9024): vendor ID seems Unity/DPD but major 108 mismatch
Nov 19 22:46:59.802: ISAKMP:(9024): vendor ID is XAUTH
Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
Nov 19 22:46:59.802: ISAKMP:(9024): speaking to another IOS box!
Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
Nov 19 22:46:59.802: ISAKMP:(9024):vendor ID seems Unity/DPD but hash mismatch
Nov 19 22:46:59.802: ISAKMP:received payload type 20
Nov 19 22:46:59.802: ISAKMP (9024): His hash no match - this node outside NAT
Nov 19 22:46:59.802: ISAKMP:received payload type 20
Nov 19 22:46:59.802: ISAKMP (9024): No NAT Found for self or peer
Nov 19 22:46:59.802: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:59.802: ISAKMP:(9024):Old State = IKE_I_MM4 New State = IKE_I_MM4
Nov 19 22:46:59.802: ISAKMP:(9024):Send initial contact
Nov 19 22:46:59.802: ISAKMP:(9024):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Nov 19 22:46:59.802: ISAKMP (9024): ID payload
next-payload : 8
type : 1
address : 192.33.232.209
protocol : 17
port : 500
length : 12
Nov 19 22:46:59.802: ISAKMP:(9024):Total payload length: 12
Nov 19 22:46:59.802: ISAKMP:(9024): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Nov 19 22:46:59.802: ISAKMP:(9024):Sending an IKE IPv4 Packet.
Nov 19 22:46:59.802: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:59.802: ISAKMP:(9024):Old State = IKE_I_MM4 New State = IKE_I_MM5
Nov 19 22:46:59.806: ISAKMP (9024): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_KEY_EXCH
Nov 19 22:46:59.806: ISAKMP:(9024): processing ID payload. message ID = 0
Nov 19 22:46:59.806: ISAKMP (9024): ID payload
next-payload : 8
type : 1
address : 173.46.8.98
protocol : 17
port : 0
length : 12
Nov 19 22:46:59.806: ISAKMP:(9024): processing HASH payload. message ID = 0
Nov 19 22:46:59.806: ISAKMP:received payload type 17
Nov 19 22:46:59.806: ISAKMP:(9024): processing vendor id payload
Nov 19 22:46:59.806: ISAKMP:(9024): vendor ID is DPD
Nov 19 22:46:59.806: ISAKMP:(9024):SA authentication status:
authenticated
Nov 19 22:46:59.806: ISAKMP:(9024):SA has been authenticated with 173.46.8.98
Nov 19 22:46:59.806: ISAKMP: Trying to insert a peer 192.33.232.209/173.46.8.98/500/vrf-internet, and inserted successfully 10927E8.
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_I_MM5 New State = IKE_I_MM6
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_I_MM6 New State = IKE_I_MM6
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Nov 19 22:46:59.806: ISAKMP:(9024):beginning Quick Mode exchange, M-ID of 920032514
Nov 19 22:46:59.806: ISAKMP:(9024):QM Initiator gets spi
Nov 19 22:46:59.806: ISAKMP:(9024): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE
Nov 19 22:46:59.806: ISAKMP:(9024):Sending an IKE IPv4 Packet.
Nov 19 22:46:59.806: ISAKMP:(9024):Node 920032514, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 19 22:46:59.806: ISAKMP (9024): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) QM_IDLE
Nov 19 22:46:59.806: ISAKMP: set new node -165090978 to QM_IDLE
Nov 19 22:46:59.806: ISAKMP:(9024): processing HASH payload. message ID = 4129876318
Nov 19 22:46:59.806: ISAKMP:(9024): processing NOTIFY INVALID_ID_INFO protocol 1
spi 0, message ID = 4129876318, sa = 0x1235C984
Nov 19 22:46:59.806: ISAKMP:(9024):peer does not do paranoid keepalives.
Nov 19 22:46:59.806: ISAKMP:(9024):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 173.46.8.98)
Nov 19 22:46:59.806: ISAKMP:(9024):deleting node -165090978 error FALSE reason "Informational (in) state 1"
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 19 22:46:59.806: ISAKMP: set new node 1564252651 to QM_IDLE
Nov 19 22:46:59.806: ISAKMP:(9024): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE
Nov 19 22:46:59.806: ISAKMP:(9024):Sending an IKE IPv4 Packet.
Nov 19 22:46:59.806: ISAKMP:(9024):purging node 1564252651
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Nov 19 22:46:59.810: ISAKMP:(9024):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 173.46.8.98)
Nov 19 22:46:59.810: ISAKMP: Unlocking peer struct 0x10927E8 for isadb_mark_sa_deleted(), count 0
Nov 19 22:46:59.810: ISAKMP: Deleting peer node by peer_reap for 173.46.8.98: 10927E8
Nov 19 22:46:59.810: ISAKMP:(9024):deleting node 920032514 error FALSE reason "IKE deleted"
Nov 19 22:46:59.810: ISAKMP:(9024):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:59.810: ISAKMP:(9024):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Nov 19 22:46:59.810: ISAKMP (9024): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE
ASA doesn't like what you're sending.
Nov 19 22:46:29.810: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) QM_IDLE
Nov 19 22:46:29.810: ISAKMP: set new node 1512038398 to QM_IDLE
Nov 19 22:46:29.810: ISAKMP:(9023): processing HASH payload. message ID = 1512038398
Nov 19 22:46:29.810: ISAKMP:(9023): processing NOTIFY INVALID_ID_INFO protocol 1
Check what's happening around QM1 on ASA.
For reference working debugs:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bce100.shtml
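The debug above shows the pattern the reply points at: the SA reaches IKE_P1_COMPLETE, the initiator starts Quick Mode, and the peer answers with NOTIFY INVALID_ID_INFO, after which IOS tears the SA down. INVALID_ID_INFO at that point means Phase 1 (keys and authentication) succeeded and the responder rejected the Phase 2 identities, i.e. the proxy IDs / crypto ACL offered do not match what the peer has configured. The following script is an added example, not code from the thread, that groups `debug crypto isakmp` lines by conn-id and classifies each SA so the difference between "Phase 1 failed" and "Phase 2 rejected" is visible at a glance. The sample log lines are constructed, patterned on the output above; the second SA (conn-id 9031) and peer 198.51.100.7 are invented to show the Phase 1 failure case.

```python
"""Classify IOS 'debug crypto isakmp' output per SA (added example)."""
import re
from collections import defaultdict

# conn-id appears as "ISAKMP:(9023):" or "ISAKMP (9023):"; IOS logs conn-id 0
# for an SA that has not been assigned an id yet (the early Main Mode lines).
_CONN_RE = re.compile(r"ISAKMP:?\s*\((\d+)\)")
_STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
_NOTIFY_RE = re.compile(r"processing NOTIFY (\S+) protocol (\d+)")
_PEER_RE = re.compile(r"\(peer ([0-9A-Fa-f.:]+)\)")


def parse_isakmp_debug(lines):
    """Group debug lines by conn-id.

    Returns {conn_id: {"states": [new states, in order],
                       "notifies": [(notify_name, protocol)],
                       "peer": address or None}}.
    """
    sas = defaultdict(lambda: {"states": [], "notifies": [], "peer": None})
    for line in lines:
        m = _CONN_RE.search(line)
        if not m:
            continue
        sa = sas[m.group(1)]
        st = _STATE_RE.search(line)
        if st:
            sa["states"].append(st.group(2))
        nt = _NOTIFY_RE.search(line)
        if nt:
            sa["notifies"].append((nt.group(1), int(nt.group(2))))
        pr = _PEER_RE.search(line)
        if pr:
            sa["peer"] = pr.group(1)
    return dict(sas)


def diagnose(sa):
    """Classify one SA's history.

    INVALID_ID_INFO right after IKE_P1_COMPLETE: Phase 1 succeeded, the
    responder rejected the Quick Mode identities (proxy ID / crypto ACL
    mismatch).  IKE_DEST_SA without IKE_P1_COMPLETE: Phase 1 never finished
    (e.g. "Death by retransmission P1", typically reachability or policy).
    """
    states = sa["states"]
    notifies = [name for name, _ in sa["notifies"]]
    p1_done = "IKE_P1_COMPLETE" in states
    torn_down = "IKE_DEST_SA" in states
    if p1_done and "INVALID_ID_INFO" in notifies:
        return "phase2-proxy-id-mismatch"
    if p1_done and notifies:
        return "phase2-rejected:" + ",".join(notifies)
    if p1_done and torn_down:
        return "phase1-ok-then-deleted"
    if torn_down:
        return "phase1-failed"
    return "phase1-complete" if p1_done else "in-progress"


def report(lines):
    """{conn_id: (peer, diagnosis)} for every SA that got a real conn-id."""
    return {cid: (sa["peer"], diagnose(sa))
            for cid, sa in parse_isakmp_debug(lines).items() if cid != "0"}


# Constructed sample, patterned on the thread's debug (9031 is invented).
SAMPLE_DEBUG = """\
Nov 19 22:46:29.802: ISAKMP:(9023):SA has been authenticated with 173.46.8.98
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Nov 19 22:46:29.806: ISAKMP:(9023):beginning Quick Mode exchange, M-ID of 2851020903
Nov 19 22:46:29.810: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) QM_IDLE
Nov 19 22:46:29.810: ISAKMP:(9023): processing NOTIFY INVALID_ID_INFO protocol 1
Nov 19 22:46:29.810: ISAKMP:(9023):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 173.46.8.98)
Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Nov 19 22:47:31.100: ISAKMP:(9031):Old State = IKE_I_MM3 New State = IKE_I_MM4
Nov 19 22:47:41.100: ISAKMP:(9031):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 198.51.100.7)
Nov 19 22:47:41.100: ISAKMP:(9031):Old State = IKE_I_MM4 New State = IKE_DEST_SA
""".splitlines()

if __name__ == "__main__":
    for cid, (peer, dx) in report(SAMPLE_DEBUG).items():
        print(cid, peer, dx)
```

Feed it `show logging` or a captured terminal session; an SA reported as `phase2-proxy-id-mismatch` is the case to take to the responder's side (the ASA here) and compare the crypto ACL / proxy identities, while `phase1-failed` points back at reachability or the ISAKMP policy and keyring.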
Hi All,
I have 2 questions.
1) Does Cisco Router 7600 with SUP720 3BXL supports VRF Selection based on Source IP Address [Layer 3 VPNs]?
2) We have various clients reaching a router and we want to forward them to their company's VRFs based on their source address (given by RADIUS or statically). Ideally, we want to give the customer's HQ the option to connect to this router using leased lines (or Frame Relay) or by using IPsec (over the Internet). Is this possible? Can traffic from an access server arrive on an interface and, based on the source, be forwarded either to a VRF or to an IPsec tunnel?
Regards.
Hello,
a solution to your problem could be to have a VRF-aware access server and place the customers into their respective VRF right away (the feature is called Multi-VRF, aka VRF-lite). IPsec and dialer interfaces are possible. Based on authentication you could define the VRF, and by having a dot1Q trunk to the 7600, which operates as the MPLS PE.
A second option is to have the trunk to the 7600, VLANs in different VRFs and to do PBR into different VLANs on the CE router/access server.
Hope this helps! please rate all posts.
Regards, Martin
Hi ,
I want to create a GRE over IPsec tunnel between a Cisco ASR 1002 and a Cisco 3900 and I am getting the error below.
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /x.x.x.x, src_addr= x.x.x.x, prot= 47
I have attached the configuration file as well; I am currently working on tunnel 117.
Site A already has some tunnels up and running, but only tunnel 117, which I just created on the ASR 1002, is not working.
Can anyone let me know what issue I am facing?
The first issue that I note is that you have applied the crypto map on the tunnel interface as well as on the physical interface. While there are perhaps still some examples that show this, they are based on the operation of quite old IOS versions. The code that you are now running expects the crypto map to be applied only on the physical interface. I suggest that you remove the crypto map from the tunnel interfaces. Try that and let us know if the behavior changes.
HTH
Rick
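The check Rick describes, a crypto map applied on both a Tunnel interface and the physical interface it rides on, is easy to miss in a long running-config. The script below is an added example, not code from the thread and not the poster's attached configuration: it parses the interface stanzas of an IOS config, collects which interfaces each crypto map is applied to, and flags every map bound to both a tunnel and a non-tunnel interface, printing the `no crypto map` lines to remove. The sample config, its interface names and addresses are constructed.

```python
"""Lint an IOS running-config for crypto maps bound to Tunnel and physical
interfaces at the same time (added example)."""
import re

_IFACE_RE = re.compile(r"^interface\s+(\S+)")
_CMAP_RE = re.compile(r"^crypto map\s+(\S+)")


def parse_interfaces(config_text):
    """Return {interface_name: [commands]} from an IOS running-config.

    Only lines indented under an 'interface' stanza are collected; any other
    top-level line (crypto map definitions, '!' separators, ...) ends the stanza.
    """
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            m = _IFACE_RE.match(line)
            current = m.group(1) if m else None
            if current:
                interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces


def crypto_map_bindings(interfaces):
    """{map_name: [interfaces it is applied to]} from 'crypto map X' lines."""
    bindings = {}
    for name, cmds in interfaces.items():
        for cmd in cmds:
            m = _CMAP_RE.match(cmd)
            if m:
                bindings.setdefault(m.group(1), []).append(name)
    return bindings


def is_tunnel(ifname):
    return ifname.lower().startswith("tunnel")


def find_double_bound_maps(config_text):
    """[(map, [tunnel ifaces], [physical ifaces])] for every crypto map that is
    applied both to a Tunnel interface and to a non-tunnel interface."""
    findings = []
    bindings = crypto_map_bindings(parse_interfaces(config_text))
    for map_name, ifaces in sorted(bindings.items()):
        tunnels = sorted(i for i in ifaces if is_tunnel(i))
        physical = sorted(i for i in ifaces if not is_tunnel(i))
        if tunnels and physical:
            findings.append((map_name, tunnels, physical))
    return findings


def remediation_commands(findings):
    """IOS lines that drop the map from the tunnel side, keeping the physical one."""
    cmds = []
    for map_name, tunnels, _physical in findings:
        for t in tunnels:
            cmds.append("interface %s" % t)
            cmds.append(" no crypto map %s" % map_name)
    return cmds


# Constructed sample config (names and addresses invented).
SAMPLE_CONFIG = """\
crypto map VPNMAP 117 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 match address 117
!
interface Tunnel117
 ip address 10.117.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
 crypto map VPNMAP
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPNMAP
!
interface GigabitEthernet0/0/1
 ip address 192.0.2.1 255.255.255.0
 crypto map OTHERMAP
!
"""

if __name__ == "__main__":
    found = find_double_bound_maps(SAMPLE_CONFIG)
    for map_name, tunnels, physical in found:
        print("%s on tunnels %s and physical %s" % (map_name, tunnels, physical))
    print("\n".join(remediation_commands(found)))
```

Run it against the output of `show running-config`; a map that appears only on physical interfaces (OTHERMAP in the sample) is not reported.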
Hello. I can't get the per-session VRF feature working with IPv6. IPv4 is working fine.
Here is what I've got:
test1 Cleartext-Password := "test"
Framed-Protocol = PPP,
Service-Type == Framed-User,
Cisco-AVPair += "ipv6:delegated-ipv6-pool=ppp_delegate_56_v6_pool_vrf_no_nat",
Cisco-AVPair += "ip:vrf-id=NoNAT",
Cisco-AVPair += "ip:ip-unnumbered=Loopback1",
Cisco-AVPair += "ip:addr-pool=real",
Cisco-AVPair += "ipv6:ipv6-addr-pool=ppp_link_v6_pool_vrf_no_nat"
test2 Cleartext-Password := "test"
Framed-Protocol = PPP,
Service-Type == Framed-User,
Cisco-AVPair += "ipv6:delegated-ipv6-pool=ppp_delegate_56_v6_pool",
Cisco-AVPair += "lcp:interface-config=ip nat inside"
#sho run
interface Loopback0
ip address ****
ipv6 address 2001:DB8::20/128
ipv6 enable
interface Loopback1
vrf forwarding NoNAT
ip address *****
ipv6 address 2001:DB8::21/128
ipv6 enable
ipv6 dhcp pool AAA_dhcpv6_pool
prefix-delegation aaa method-list FREERADIUS
ip local pool pool192_168 192.168.128.0 192.168.255.254
ip local pool real *.*.*.* *.*.*.*
ipv6 local pool ppp_delegate_56_v6_pool 2001:DB8:3::/48 56
ipv6 local pool ppp_link_v6_pool 2001:DB8:1::/49 64
ipv6 local pool ppp_delegate_56_v6_pool_vrf_no_nat 2001:DB8:6::/48 56
ipv6 local pool ppp_link_v6_pool_vrf_no_nat 2001:DB8:4::/49 64
interface Virtual-Template1
ip unnumbered Loopback0
ipv6 unnumbered Loopback0
ipv6 enable
no ipv6 nd ra suppress
ipv6 dhcp server AAA_dhcpv6_pool
peer default ip address pool pool192_168
peer default ipv6 pool ppp_link_v6_pool
! non-related config skipped
User test2 receives an IPv4 private address and full IPv6 service: an address negotiated on the link and the DHCPv6 delegation service.
User test1 receives an IPv4 real address only and no IPv6 at all.
Here is the debug; take a look at the LCP PROTREJ line where IPV6CP is rejected:
Jul 8 10:13:41: RADIUS(000000DF): Send Access-Request to 10.0.6.10:1812 id 1645/139, len 207
Jul 8 10:13:41: RADIUS: authenticator B8 8A 07 F3 D8 90 A5 FE - B0 10 9F 51 B2 4F 7E 0A
Jul 8 10:13:41: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jul 8 10:13:41: RADIUS: User-Name [1] 6 "test"
Jul 8 10:13:41: RADIUS: CHAP-Password [3] 19 *
Jul 8 10:13:41: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jul 8 10:13:41: RADIUS: NAS-Port [5] 6 0
Jul 8 10:13:41: RADIUS: NAS-Port-Id [87] 13 "0/1/0/2.301"
Jul 8 10:13:41: RADIUS: Vendor, Cisco [26] 41
Jul 8 10:13:41: RADIUS: Cisco AVpair [1] 35 "client-mac-address=5254.0018.9fb1"
Jul 8 10:13:41: RADIUS: Vendor, Cisco [26] 39
Jul 8 10:13:41: RADIUS: Cisco AVpair [1] 33 "circuit-id-tag=SNR eth 001,0301"
Jul 8 10:13:41: RADIUS: Vendor, Cisco [26] 39
Jul 8 10:13:41: RADIUS: Cisco AVpair [1] 33 "remote-id-tag=f8-f0-82-10-9b-9d"
Jul 8 10:13:41: RADIUS: Service-Type [6] 6 Framed [2]
Jul 8 10:13:41: RADIUS: NAS-IP-Address [4] 6 10.0.6.21
Jul 8 10:13:41: RADIUS(000000DF): Sending a IPv4 Radius Packet
Jul 8 10:13:41: RADIUS(000000DF): Started 5 sec timeout
Jul 8 10:13:41: RADIUS: Received from id 1645/139 10.0.6.10:1812, Access-Accept, len 236
Jul 8 10:13:41: RADIUS: authenticator 9C E6 3B 43 A3 58 06 AB - 17 99 AD 06 FF C6 9A 35
Jul 8 10:13:41: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jul 8 10:13:41: RADIUS: Service-Type [6] 6 Framed [2]
Jul 8 10:13:41: RADIUS: Vendor, Cisco [26] 67
Jul 8 10:13:41: RADIUS: Cisco AVpair [1] 61 "ipv6:delegated-ipv6-pool=ppp_delegate_56_v6_pool_vrf_no_nat"
Jul 8 10:13:41: RADIUS: Vendor, Cisco [26] 23
Jul 8 10:13:41: RADIUS: Cisco AVpair [1] 17 "ip:vrf-id=NoNAT"
Jul 8 10:13:41: RADIUS: Vendor, Cisco [26] 34
Jul 8 10:13:41: RADIUS: Cisco AVpair [1] 28 "ip:ip-unnumbered=Loopback1"
Jul 8 10:13:41: RADIUS: Vendor, Cisco [26] 25
Jul 8 10:13:41: RADIUS: Cisco AVpair [1] 19 "ip:addr-pool=real"
Jul 8 10:13:41: RADIUS: Vendor, Cisco [26] 55
Jul 8 10:13:41: RADIUS: Cisco AVpair [1] 49 "ipv6:ipv6-addr-pool=ppp_link_v6_pool_vrf_no_nat"
Jul 8 10:13:41: RADIUS(000000DF): Received from id 1645/139
Jul 8 10:13:41: ppp202 PPP SSS: Forwarding request
Jul 8 10:13:41: ppp202 PPP: Phase is FORWARDING, Attempting Forward
Jul 8 10:13:41: PPP: Bind ppp202 to Virtual-Access2.1
Jul 8 10:13:41: Vi2.1 PPP: Static Bind peer_type[3]
Jul 8 10:13:41: Vi2.1 PPP: Phase is AUTHENTICATING, Authenticated User
Jul 8 10:13:41: Vi2.1 CHAP: O SUCCESS id 1 len 4
Jul 8 10:13:41: Vi2.1 PPP: Phase is UP
Jul 8 10:13:41: Vi2.1 IPCP: Protocol configured, start CP. state[Initial]
Jul 8 10:13:41: Vi2.1 IPCP: Event[OPEN] State[Initial to Starting]
Jul 8 10:13:41: Vi2.1 IPCP: O CONFREQ [Starting] id 1 len 10
Jul 8 10:13:41: Vi2.1 IPCP: Address *.*.*.8 (0x0306B92EC408)
Jul 8 10:13:41: Vi2.1 IPCP: Event[UP] State[Starting to REQsent]
Jul 8 10:13:41: Vi2.1 PPP: Send Message[Static Bind Response]
Jul 8 10:13:41: Vi2.1 IPCP: I CONFREQ [REQsent] id 1 len 22
Jul 8 10:13:41: Vi2.1 IPCP: Address 0.0.0.0 (0x030600000000)
Jul 8 10:13:41: Vi2.1 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
Jul 8 10:13:41: Vi2.1 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
Jul 8 10:13:41: Vi2.1 IPCP AUTHOR: Start. Her address 0.0.0.0, we want 0.0.0.0
Jul 8 10:13:41: Vi2.1 IPCP AUTHOR: Says use pool real
Jul 8 10:13:41: Vi2.1 IPCP AUTHOR: Pool returned *.*.*.11
Jul 8 10:13:41: Vi2.1 IPCP AUTHOR: Done. Her address 0.0.0.0, we want *.*.*.11
Jul 8 10:13:41: Vi2.1 IPCP: O CONFNAK [REQsent] id 1 len 22
Jul 8 10:13:41: Vi2.1 IPCP: Address *.*.*.11 (0x0306B92EC50B)
Jul 8 10:13:41: Vi2.1 IPCP: PrimaryDNS 8.8.8.8 (0x810608080808)
Jul 8 10:13:41: Vi2.1 IPCP: SecondaryDNS 8.8.4.4 (0x830608080404)
Jul 8 10:13:41: Vi2.1 IPCP: Event[Receive ConfReq-] State[REQsent to REQsent]
Jul 8 10:13:41: Vi2.1 IPV6CP: I CONFREQ [UNKNOWN] id 1 len 14
Jul 8 10:13:41: Vi2.1 IPV6CP: Interface-Id 11BF:9891:6F31:7C15 (0x010A11BF98916F317C15)
Jul 8 10:13:41: Vi2.1 LCP: O PROTREJ [Open] id 2 len 20 protocol IPV6CP (0x0101000E010A11BF98916F317C15)
Jul 8 10:13:41: Vi2.1 IPCP: I CONFACK [REQsent] id 1 len 10
Jul 8 10:13:41: Vi2.1 IPCP: Address *.*.*.8 (0x0306B92EC408)
Jul 8 10:13:41: Vi2.1 IPCP: Event[Receive ConfAck] State[REQsent to ACKrcvd]
Jul 8 10:13:41: Vi2.1 IPCP: I CONFREQ [ACKrcvd] id 2 len 22
Jul 8 10:13:41: Vi2.1 IPCP: Address *.*.*.11 (0x0306B92EC50B)
Jul 8 10:13:41: Vi2.1 IPCP: PrimaryDNS 8.8.8.8 (0x810608080808)
Jul 8 10:13:41: Vi2.1 IPCP: SecondaryDNS 8.8.4.4 (0x830608080404)
Jul 8 10:13:41: Vi2.1 IPCP: O CONFACK [ACKrcvd] id 2 len 22
Jul 8 10:13:41: Vi2.1 IPCP: Address *.*.*.11 (0x0306B92EC50B)
Jul 8 10:13:41: Vi2.1 IPCP: PrimaryDNS 8.8.8.8 (0x810608080808)
Jul 8 10:13:41: Vi2.1 IPCP: SecondaryDNS 8.8.4.4 (0x830608080404)
Jul 8 10:13:41: Vi2.1 IPCP: Event[Receive ConfReq+] State[ACKrcvd to Open]
Jul 8 10:13:41: Vi2.1 IPCP: State is Open
Jul 8 10:13:41: Vi2.1 Added to neighbor route AVL tree: topoid 2, address *.*.*.11
Jul 8 10:13:41: Vi2.1 IPCP: Install route to *.*.*.11
Jul 8 10:13:41: RADIUS/ENCODE(000000DF):Orig. component type = PPPoE
Jul 8 10:13:41: RADIUS(000000DF): Config NAS IP: 10.0.6.21
Jul 8 10:13:41: RADIUS(000000DF): Config NAS IPv6: ::
Jul 8 10:13:41: RADIUS(000000DF): sending
Jul 8 10:13:41: RADIUS(000000DF): Send Accounting-Request to 10.0.6.10:1813 id 1646/109, len 264
Any suggestions?
Fixed one problem and moved on to another.
I've added
Cisco-AVPair += "lcp:interface-config=ipv6 unnumbered Loopback1"
to user profile, but stumbled into another problem: router ignores
Cisco-AVPair += "ipv6:ipv6-addr-pool=ppp_link_v6_pool"
regardless of VRF, even on a usual user profile.
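The follow-up shows what was missing for test1: the RADIUS profile re-homes the IPv4 side into the VRF with `ip:vrf-id` and `ip:ip-unnumbered=Loopback1`, but the IPv6 side still inherits the virtual-template's `ipv6 unnumbered Loopback0`, which sits in the global table, so the router sends a PROTREJ for IPV6CP; adding `lcp:interface-config=ipv6 unnumbered Loopback1` fixed that. The script below is an added example, not code from the thread, that parses FreeRADIUS `users`-style entries and flags a VRF user that requests IPv6 pools without the matching `ipv6 unnumbered` interface-config. The sample entries are constructed from the thread's profiles (`test1fixed` is invented to show the corrected form); the rule that the IPv4 and IPv6 unnumbered sources should be the same VRF loopback is an assumption of the example, not something the thread states.

```python
"""Audit FreeRADIUS 'users' entries for the per-session VRF + IPv6 gap
(added example)."""
import re

_ENTRY_RE = re.compile(r'^(\S+)\s+Cleartext-Password\s*:=')
_AVPAIR_RE = re.compile(r'Cisco-AVPair\s*\+?=\s*"([^"]*)"')
_V6_UNNUM = "lcp:interface-config=ipv6 unnumbered "


def parse_users_file(text):
    """{username: [Cisco-AVPair values]} from a FreeRADIUS 'users'-style file.

    Only Cisco-AVPair reply items are kept; other reply items are ignored.
    """
    users, current = {}, None
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            current = m.group(1)
            users[current] = []
            continue
        a = _AVPAIR_RE.search(line)
        if a and current is not None:
            users[current].append(a.group(1))
    return users


def _value(avpairs, prefix):
    """Value of the first AV pair that starts with prefix, or None."""
    return next((v[len(prefix):].strip() for v in avpairs if v.startswith(prefix)), None)


def check_vrf_ipv6(avpairs):
    """Problems with one user's per-session VRF / IPv6 attributes (empty if fine)."""
    problems = []
    vrf = _value(avpairs, "ip:vrf-id=")
    v4_unnum = _value(avpairs, "ip:ip-unnumbered=")
    v6_unnum = _value(avpairs, _V6_UNNUM)
    wants_v6 = any(v.startswith("ipv6:") for v in avpairs)
    if vrf and wants_v6 and not v6_unnum:
        problems.append(
            "vrf %s: IPv6 pools requested but no '%s<vrf loopback>'; the session "
            "keeps the virtual-template's global ipv6 unnumbered source and IPV6CP "
            "is rejected" % (vrf, _V6_UNNUM))
    # Assumption of this example (not from the thread): the IPv4 and IPv6
    # unnumbered sources should be the same VRF loopback.
    if vrf and v4_unnum and v6_unnum and v4_unnum.lower() != v6_unnum.lower():
        problems.append("vrf %s: ip-unnumbered %s but ipv6 unnumbered %s"
                        % (vrf, v4_unnum, v6_unnum))
    return problems


def audit(users_text):
    """{username: [problems]} for every entry in the file."""
    return {u: check_vrf_ipv6(av) for u, av in parse_users_file(users_text).items()}


# Constructed sample: test1 as posted, test1fixed with the working AV pair added.
SAMPLE_USERS = '''\
test1 Cleartext-Password := "test"
        Framed-Protocol = PPP,
        Cisco-AVPair += "ipv6:delegated-ipv6-pool=ppp_delegate_56_v6_pool_vrf_no_nat",
        Cisco-AVPair += "ip:vrf-id=NoNAT",
        Cisco-AVPair += "ip:ip-unnumbered=Loopback1",
        Cisco-AVPair += "ip:addr-pool=real",
        Cisco-AVPair += "ipv6:ipv6-addr-pool=ppp_link_v6_pool_vrf_no_nat"
test1fixed Cleartext-Password := "test"
        Cisco-AVPair += "ip:vrf-id=NoNAT",
        Cisco-AVPair += "ip:ip-unnumbered=Loopback1",
        Cisco-AVPair += "lcp:interface-config=ipv6 unnumbered Loopback1",
        Cisco-AVPair += "ipv6:ipv6-addr-pool=ppp_link_v6_pool_vrf_no_nat"
test2 Cleartext-Password := "test"
        Cisco-AVPair += "ipv6:delegated-ipv6-pool=ppp_delegate_56_v6_pool",
        Cisco-AVPair += "lcp:interface-config=ip nat inside"
'''

if __name__ == "__main__":
    for user, problems in audit(SAMPLE_USERS).items():
        print(user, "OK" if not problems else problems)
```

Point it at the real `users` file (or an export of the equivalent SQL rows) before rolling a VRF profile out; test2 is not a VRF user and passes, test1 is reported, test1fixed is clean.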
Hi,
Can we club DMVPN and VRF-Aware IPsec features ?
Regards
Mahesh
Million thanks for this.
This now works after disabling CEF on the public facing interface.
Regards,
Zahid
2800s, AIM-VPN-SSL2, vrf aware IPSEC, high CPU low throughput
We have a couple of new 2821s deployed across a fibre link. They were originally running 12.4 (non-T) versions using software encryption, and we would get around 8 Mb/s throughput. After upgrading to T to use the installed AIM cards we now see the AIM cards in use (show cry isakmp sa det shows the engine as AIM VPN), but we still get the same throughput and high CPU. Allowing CEF on the interface doubles throughput but with the same high CPU. The only process I can see going high is IP Input. Is this because of VRF-aware IPsec, or any other suggestions?
Hi Nick,
I am having the same issue. We have a 2851 as an IPsec VPN headend with an AIM VPN module, but we are seeing high CPU usage (80%) with just 4-5 Mbps worth of traffic. I have an idea that I might have a NAT issue.
We are currently running, NAT, ZFW, and IPSEC site 2 site VPN on the router.
When I look at my ZONE firewall policy-map output it is showing all of my VPN traffic as process switched.
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [14809800:0]
udp packets: [145107:0]
icmp packets: [20937:12]
I have disabled the ZFW and still see high cpu although it is a little lower.
Packets are not fragmented, and CEF and fast switching look to be enabled. I am using a route-map for my no-NAT rules. That is the only thing I can think of now.
I have tried IOS 12.4(20)T3,4 and 12.4(15)T9. Same results.
Anyone have some ideas?