Udp to local subnet
hiho,
i plan to send broadcast datagrams to the local subnet, but i have not been successful so far. in plain old j2se i could send datagrams to an address such as "192.168.10.255:1234" to reach all machines in the local subnet (in a simple network at least). in j2me it does not seem to work and i could not find any proper information on broadcasting udp packets.
can anybody confirm that this is definitely not possible, or has anybody gotten this to work in the past?
i develop for midp2.0 and cldc 1.0 and/or 1.1 . the device is connected to the local network via wlan or bluetooth.
thx in advance,
zoidberg.
follow this link.
http://forum.java.sun.com/thread.jspa?forumID=82&threadID=671529
you will find at the end a discussion that can help you. in fact, i have a problem not to send a broadcast through j2me application to j2se applications, that works fine (i already try it), but in contrary, the broadcast from j2se application isn't listen by j2me application.
if you have any solution, please contact me ([email protected])
Mouh
Similar Messages
-
Sharing sites in home folder beyond 'local subnet'
Essentially I would like to make my computer a web server. But, I can't get past the local subnet option in the Sharing Preferences.
How do I set up my web sharing preferences so sites in my home sites folder be visible by anyone?
933 MHZ Quicksilver Mac OS X (10.4.5)
933 MHZ Quicksilver Mac OS X (10.4.2)Hey Michael.
this CAN be done, but I'd need more info before I can help you.
Generally speaking, when you connect to the internet(either dial up or modem) you computer as an IP address. If you use dial up, that IP address most likely changes everytime you dial in. If you have DSL or Cable, your IP address may change every few days or so. Just be aware that your IP address is the location of your computer on the internet.
But basically speaking, if you don't have a router, and you know your IP address, then they correct URL is this:
http://xxx.xxx.xxx.xxx/~username/ where xxx.xxx.xxx.xxx is the IP address of your computer, and ~username is obviously your user name(be sure to include the "~", or it won't work.
This will allow access to your Sites folder in your home folder.
Now a list of exceptions:
1. your computer must be connected directly to the internet.. no router
2. your ISP doesn't block Port 80, which is the port web services are hosted on. (most home ISP's DO block port 80, to cut down on the upstream data flow)
There are ways around both of those exceptions... but you'd need to tell me more about how your computer is connected to the internet before I can tell you exactly how to get it to work.
Now as to the subnet, that shouldn't make any difference. Generally speaking you won't be able to enter the URL isted above on the computer that is hosting your web site and have it appear.
Quad 2.5 Mac OS X (10.4.3) -
AD authentication for routed local subnet
Good day,
I'm testing the addition of a routed local subnet to existing network and seem to be experiencing trouble with AD authentication.
Primary network:
Subnet: 192.168.0.0/24
Default GW: 192.168.0.1
PDC/DHCP/DNS1: 192.168.0.2
BDC/DNS2: 192.168.0.3
Routed network:
Subnet: 192.168.17.0/24
Default GW: 192.168.17.1
DNS1/2: 192.168.0.2/192.168.0.3
DHCP relay is configured and functioning.
Primary network gateway has persistent route for subnet 192.168.17.0/24 hopping via router IP 192.168.0.122.
Ping tests OK both ways and internet is browsable from clients in routed network.
Problem occurs when clients in routed network attempt to access domain resources in primary network. Using
net view //test-host results in 5 minute pause and then "Access Denied". Unable to view //test-domain/netlogon
I have added routed subnet to existing default-first-site in AD Sites and Services.
I'm certain I'm missing something simple here and will appreciate any advice.Hi Christoffer, thanks for your reply.
There are no firewall rules active between the two subnets, however our primary network gateway is a Forefront TMG MBE firewall. To my knowledge this should not interfere with the inter-subnet routing however there could be access/policy rules that determine
how TMG (localhost) responds to traffic from routed subnet. Will need to look closely at this if AD authentication is not at fault.
The nltest queries also seem return successful responses:
nltest /dsgetdc:[DOMAIN]
DC: \\[PDC]
Address: \\192.168.0.2
Dom Guid: [GUID]
Dom Name: [DOMAIN]
Forest Name: [FOREST]
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET
nltest /dsgetsite
Default-First-Site-Name -
IPV6 DHCP stateful doesn't insert local subnet in route table
I am setting up IPV6 on a LAN using satic IPs for Win2008 servers and DHCP stateful mode for Win7 clients. All static assigned servers can ping each other and if I setup a static on the Win7 clients they can also ping the servers. However when I assign DHCP stateful mode IP to the clients they lose the ability to ping the servers. I think that was is going on is that when the Win7 machines get IP via DHCP they do not get a route in the routing table for the local subnet. I have included IP info for static and DHCP clients in attachments.
I figure if I could add the fd:0:0:1::/64 subnet to the DHCP client it would work but I haven't been able to find the correct syntax to add an "on-link" router. Furthermore, this would kind of defeat the purpose of DHCP if I had to manually add routes to clients.
I have a UC520 that is the default gateway on the LAN and seems to support IPV6. Maybe this guy can help me out?
Thanks in advance.Alain,
I disagree about the /128. If you look at the static host it also has a /128 route pointing to itself. Also the IPV4 also shows /32 routes pointing to the local IP. The static host has one additional route not found on the DHCP client which is the /64 route to the local subnet pointing to "on-link". It is not clear how to add an "on-link" route using netsh but my point is that DHCP should provide all info and relying on manually adding routes is not the optimal solution.
The UC520 does not have any IPV6 on it. I only mentioned it because usually I use Windows for DHCP but in this case Windows is giving me this weird behaviour. I would rather get Windows DHCP to solve the problem but if it can't I would use the UC520 as a backup option.
Thanks for your input.
Rgds,
Diego -
Stream works fine on local subnet but not over web
I am very new to FMS so excuse me if I get terminology messed up.
I followed Tom Green's tutorials and at this point I can publish a live stream which I can view and interact with just fine on my local LAN.
The FMS is NAT'ed to the outside world and I have ports 80 & 1935 open to the server.
When I use a browser from the outside world and put in the servers public address I can see & interact with the FMS start page just fine. I can use the "interactive" tab and supply my live stream name and view the stream just fine.
However when I try to launch the Flashplayer that I built all I see is the controls with moving stipes, No video feed above. I can browse to the flashplayer HTML file on my local LAN and it works fine. Interestingly enough I cannot open the flashplayer HTML file directly on the server either (but I can open the start page application and interact with it).
This seems like a permissions issue to me... any ideas?
Thanks in advance.
BrianHi Brian,
Is it possible for you to send the source for the sample flash movie that you built? That might give me a clue as to what could be going wrong.
Thanks
Mamata -
Windows L2TP with IPSEC override local subnet
Hi all,
I have a Meraki MX60 that I have setup Client VPN on according to Cisco's instructions (See https://docs.meraki.com/display/MX/Client+VPN+settings).
The issue is that my home network is 192.168.1.x/24 and one of the servers I am trying to RDP into once connected to the MX Client VPN session is on 192.168.1.1. The VPN connection isnt overriding my home network routing in Windows so a ping, trace, and specifically RDP is trying to hit a home network device which is on 192.168.1.1 instead of the server across the established VPN.
Hopefully that makes sense.
Any suggestions on how to fix this?
EDIT: Use default gateway on remote network is checked in IPV4 Settings BTWAny ideas?
-
IPSec Tunnel established but not able to reach remote Local subnet
Hi,
We established IPsec Tunnel. It was active but I found following issue. Please give your suggestion to troubleshoot it.
1. 192.168.50.0/24 (Site A) able to reach 192.168.90.0/24. (Site B) and Vice Versa
2. 192.168.30.0/24 (Site C) able to reach 192.168.50.0/24 (Site A) but not vice versa.
3. 192.168.10.0/24, 155.220.21.175 (Site A) reaches up to 192.168.90.0/24 (Site B) and vice versa. but not reach to 192.168.50.0/24 (Site A)
Want to access 192.168.30.0/24, 192.168.10.0/24, 155.220.21.175 (Site C) from 192.168.50.0/24 (Site A)
Additionally Tunnel only established if active traffice send from site B.
Thanks & Rgds,
Dhaval DikshitThanks, Punit. Additionalily I found following error, it might reach us to nearer to solution. Please suggest if any suggetion.
When I'm doing packet tracer from site B I got following massage.
ASA# packet-trace input outside tcp 192.168.50.220 2000 155.220.21.175 21 detail
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc959c928, priority=1, domain=permit, deny=false
hits=143495595, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 155.220.21.175 255.255.255.255 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip object-group Tas_Tunnel host 155.220.21.175 log
object-group network Tas_Tunnel
network-object host 192.168.50.50
network-object host 192.168.50.65
network-object host 192.168.50.220
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca246310, priority=12, domain=permit, deny=false
hits=1, user_data=0xc793bcc0, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.50.220, mask=255.255.255.255, port=0
dst ip=155.220.21.175, mask=255.255.255.255, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc959f4d8, priority=0, domain=inspect-ip-options, deny=true
hits=3443418, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect ftp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc962fa60, priority=70, domain=inspect-ftp, deny=false
hits=11, user_data=0xc962f8b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=21, dscp=0x0
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9f1c290, priority=12, domain=ipsec-tunnel-flow, deny=true
hits=167708, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc965a700, priority=6, domain=nat-exempt-reverse, deny=false
hits=2, user_data=0xc965a490, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=192.168.50.220, mask=255.255.255.255, port=0
dst ip=155.220.21.175, mask=255.255.255.255, port=0, dscp=0x0
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xc95ea328, priority=0, domain=inspect-ip-options, deny=true
hits=17273465, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xca2f4c98, priority=70, domain=encrypt, deny=false
hits=2, user_data=0x0, cs_id=0xc9dd8d90, reverse, flags=0x0, protocol=0
src ip=155.220.21.175, mask=255.255.255.255, port=0
dst ip=192.168.50.192, mask=255.255.255.192, port=0, dscp=0x0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Thanks & Rgrds,
Dhaval Dikshit -
Airprint in the Enterprise across subnets [Solution]
This is a message to help folks figure out how to setup
Airprint across wired/wireless subnets. Hopefully it will help a few people.
Airprint was designed to work with Bonjour on a local subnet/broadcast domain.
To print in the enterprise where we have wired/wireless infrastructure,
we need to use a DNS server to find the printer resources
Assumptions:
Our internal domain is: foocompany.com
We create a new subdomain: bonjour.foocompany.com
Creating a new subdomain allows up to apply DNS views so we can show print/bonjour services in
close proximity of the user.
You have a CUPS printer server (linux/apple) running at printserver.bonjour.foocompany.com
1. Setup a DNS server
If you setting up a test domain server, you can setup forwarding to your primary production server.
This way all DNS queries continue to work
In your named.conf file setup forwarding
options {
forwarders { YOURTOPNAMESERVER_IPADDR; YOURTOPNAMESERVER_IPADDR2; };
forward first;
allow-query-cache { any; }; // Allow client queries from other subnet to query from cache
Create a new zone, "bonjour.foocompany.com"
zone "bonjour.foocompany.com." { type master; file "/etc/bind/db.home"; };
zone "foocompany.com" { type forward; forward only; forwarders { YOURTOPNAMESERVER_IPADDR; YOURTOPNAMESERVER_IPADDR2; }; };
Create the following entries to support bonjour browsing
#=======DNS====Begin======
lb.dns-sd.udp IN PTR @
b.dns-sd.udp IN PTR @
dr.dns-sd.udp IN PTR @
db.dns-sd.udp IN PTR @
cf.dns-sd.udp IN PTR @
printserver IN A 10.47.203.188
# For every printer queue defined at the printer server you need to create a TXT and SRV entry
# The visual printer name that show up in the iOS listbox will be the part before .ipp.tcp, example "hpv8a", "hpv8acolor"
# _ipp and _printer seem to be equivalents, either seem to work on iOS.
# Printer 1
cups._sub._ipp.tcp IN PTR hpv8a.ipp.tcp
universal._sub._ipp.tcp IN PTR hpv8a.ipp.tcp
#Printer 2
cups._sub._ipp.tcp IN PTR hpv8acolor.printer.tcp
universal._sub._ipp.tcp IN PTR hpv8acolor.printer.tcp
hpv8a.ipp.tcp IN SRV 0 0 631 printserver
hpv8acolor.printer.tcp IN SRV 0 0 631 printserver
# The "adminurl" points to the printer queue url on the CUPS server
# The "rp" key points to the queue name as well
hpv8a.ipp.tcp IN TXT ( "txtvers=1" "qtotl=1" "rp=printers/V8A08A246LJ" "adminurl=http://printserver:631/printers/V8A_08A24
6_LJ" "ty=HP Laserjet V8A" "product=(HP LaserJet 4200)" "transparent=t" "copies=t" "duplex=t" "color=f" "pdl=application/octet-stream,
application/pdf,application/postscript,image/jpeg,image/png,image/urf" "URF=W8,SRGB24,CP1,RS600" )
hpv8acolor.printer.tcp IN TXT ( "txtvers=1" "qtotl=1" "rp=printers/V8A08A246_ColorLJ" "adminurl=http://printserver:
631/printers/V8A08A246_ColorLJ" "ty=HP Laserjet V8A Color" "product=(HP color LaserJet 4650)" "transparent=t" "copies=t" "duplex=t" "
color=t" "pdl=application/octet-stream,application/pdf,application/postscript,image/jpeg ,image/png,image/urf" "printer-type=0x801046" "URF=
W8,SRGB24,CP1,RS600" )
####Printer TEMPLATE
#cups._sub._ipp.tcp IN PTR NAMEX.printer.tcp
#universal._sub._ipp.tcp IN PTR NAMEX.printer.tcp
#NAMEX.ipp.tcp IN SRV 0 0 631 PRINTSERVERDNSNAME
#NAMEX.ipp.tcp IN TXT ( "txtvers=1" "qtotl=1" "rp=printers/QUEUENAME"
# "adminurl=http://PRINTSERVERDNSNAME:631/printers/QUEUENAME"
# "ty=Printer name"
# "product=(Printer PPD model line)" "transparent=t" "copies=t" "duplex=t" "color=f"
# "pdl=application/octet-stream,application/pdf,application/postscript,image/jpeg ,image/png,image/urf"
# "URF=W8,SRGB24,CP1,RS600" )
#=======DNS====End======
2. Setup CUPS
Add printers to the CUPS server.
Enable access to the printer queue from remote machines,
GUI: "System->Admin->Printing->Server->Server Setting: Allow printing from the internet"
Also make sure the following lines are present in /etc/cups/cupsd.conf
# Allow remote access
Port 631
Listen /var/run/cups/cups.sock
AccessLog syslog
AccessLogLevel all
LogLevel debug
MaxLogSize 0
SystemGroup lpadmin
# Enable printer sharing and shared printers.
Browsing On
BrowseOrder allow,deny
BrowseAllow all
BrowseRemoteProtocols CUPS
BrowseAddress @LOCAL
BrowseLocalProtocols CUPS dnssd
BrowseProtocols all
DefaultAuthType Basic
3. Change iPAD configs
Add your DNS server as the first DNS server in the network settting page.
Add "bonjour.foocompany.com" to the DNS domains to search
4. Test printing
Open up Photos application.
Select a picture
Select "Send To->Print"
Select "Printer", now a list of printer names should show up as defined in the DNS server
Select a printer and hit "Print"
Fast task switch to Print Center to verify print job is being sent
Thanks
Ashish Desai
Security Architect
Fidelity Investments
email: [email protected]Update for ios 8:
With ios 8 it appears that _printer and _ipp are no longer equivalent. For this to work it looks like you have to use _ipp._tcp
Also - the underscore characters are important and they are missing from the example above.
Last - you can use the "note" field to add a second line that is displayed in smaller text below the printer name in ios 8.
Here is an updated template:
####Printer TEMPLATE
cups._sub._ipp._tcp IN PTR NAMEX._ipp._tcp
universal._sub._ipp._tcp IN PTR NAMEX._ipp._tcp
NAMEX._ipp._tcp IN SRV 0 0 631 PRINTSERVERDNSNAME
NAMEX._ipp._tcp IN TXT ( "txtvers=1" "qtotl=1" "rp=printers/QUEUENAME"
"adminurl=http://PRINTSERVERDNSNAME:631/printers/QUEUENAME"
"note=more info about printer"
"ty=Printer name"
"product=(Printer PPD model line)" "transparent=t" "copies=t" "duplex=t" "color=f"
"pdl=application/octet-stream,application/pdf,application/postscript,image/jpeg ,image/png,image/urf"
"URF=W8,SRGB24,CP1,RS600" ) -
Remote access VPN Users not able to see local lan or internet
We are setting up a ASA5510. Right now our users can login to the vpn but can't access the internal Lan or internet.
Below is the config. Any help or insight would be greatly appreciated. Thanks
Cryptochecksum: dd11079f e4fe7597 4a8657ba 1e7b287f
: Saved
: Written by enable_15 at 11:04:57.005 UTC Wed Apr 22 2015
ASA Version 9.0(3)
hostname CP-ASA-TOR1
enable password m.EmhnDT1BILmiAY encrypted
names
ip local pool CPRAVPN 10.10.60.1-10.10.60.40 mask 255.255.255.0
interface Ethernet0/0
nameif Outside
security-level 0
ip address 63.250.109.211 255.255.255.248
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.10.10.254 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ftp mode passive
object network net-local
subnet 10.10.10.0 255.255.255.0
object network net-remote
subnet 10.10.1.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_24
subnet 10.10.10.0 255.255.255.0
object network NETWORK_OBJ_10.10.60.0_26
subnet 10.10.60.0 255.255.255.192
access-list Outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 object net-remote
access-list CPRemoteVPN_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source static net-local net-local destination static net-remote net-remote
nat (Inside,Outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static NETWORK_OBJ_10.10.60.0_26 NETWORK_OBJ_10.10.60.0_26 no-proxy-arp route-lookup
nat (Inside,Outside) after-auto source dynamic any interface
route Outside 0.0.0.0 0.0.0.0 63.250.109.209 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.10.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer 209.171.34.91
crypto map Outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable Outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy CPRemoteVPN internal
group-policy CPRemoteVPN attributes
dns-server value 10.10.10.12
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
split-tunnel-network-list value CPRemoteVPN_splitTunnelAcl
default-domain value carepath.local
split-dns value carepath.ca
split-tunnel-all-dns enable
msie-proxy method no-proxy
address-pools value CPRAVPN
username roys password jjiV7E.dmZNdBlFQ encrypted privilege 0
username roys attributes
vpn-group-policy CPRemoteVPN
tunnel-group 209.171.34.91 type ipsec-l2l
tunnel-group 209.171.34.91 ipsec-attributes
ikev1 pre-shared-key *****************
tunnel-group CPRemoteVPN type remote-access
tunnel-group CPRemoteVPN general-attributes
address-pool CPRAVPN
default-group-policy CPRemoteVPN
tunnel-group CPRemoteVPN ipsec-attributes
ikev1 pre-shared-key **********
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:dd11079fe4fe75974a8657ba1e7b287f
: endSorry for the delay but I was able to put that command in this morning. But still no Joy.
Here is the updated config. Perhaps I didn't put it in right.
domain-name carepath.ca
enable password m.EmhnDT1BILmiAY encrypted
names
ip local pool CPRAVPN 10.10.60.1-10.10.60.40 mask 255.255.255.0
interface Ethernet0/0
nameif Outside
security-level 0
ip address 63.250.109.211 255.255.255.248
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.10.10.254 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name carepath.ca
object network net-local
subnet 10.10.10.0 255.255.255.0
object network net-remote
subnet 10.10.1.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_24
subnet 10.10.10.0 255.255.255.0
object network NETWORK_OBJ_10.10.60.0_26
subnet 10.10.60.0 255.255.255.192
access-list Outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 object net-remote
access-list CPRemoteVPN_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source static net-local net-local destination static net-remote net-remote
nat (Inside,Outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static NETWORK_OBJ_10.10.60.0_26 NETWORK_OBJ_10.10.60.0_26 no-proxy-arp route-lookup
nat (Inside,Outside) after-auto source dynamic any interface
route Outside 0.0.0.0 0.0.0.0 63.250.109.209 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.10.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer 209.171.34.91
crypto map Outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev1 enable Outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.10.10.0 255.255.255.255 Inside
telnet timeout 5
ssh 10.10.10.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy CPRemoteVPN internal
group-policy CPRemoteVPN attributes
dns-server value 10.10.10.12
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CPRemoteVPN_splitTunnelAcl
default-domain value carepath.local
split-dns value carepath.ca
split-tunnel-all-dns enable
msie-proxy method no-proxy
address-pools value CPRAVPN
username sroy password RiaBzZ+N4R7r5Fp/8RT+wg== nt-encrypted privilege 15
username roys password jjiV7E.dmZNdBlFQ encrypted privilege 0
username roys attributes
vpn-group-policy CPRemoteVPN
tunnel-group 209.171.34.91 type ipsec-l2l
tunnel-group 209.171.34.91 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group CPRemoteVPN type remote-access
tunnel-group CPRemoteVPN general-attributes
address-pool CPRAVPN
default-group-policy CPRemoteVPN
tunnel-group CPRemoteVPN ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:bbc0f005f1a075a4f9cba737eaffb6f2 -
IPSEC tunnel sa local ident is an odd IP range
I am setting up for the first time a tunnell from my ASA 5505 to an ISA 2006 server. I have a successful connection between the two devices, but what seems for only a certain IP range. show crypto ipsec sa shows local ident (192.168.100.16/255.255.255.240/0/0). It has been like this since I set up the tunnel, a few days ago, then this morning there is another SA that has local ident (192.168.100.64/255.255.255.192/0/0). Everything acts as it should between boths ends of the tunnel from devices within these ip subnets.
The subnet should be 192.168.100.0 255.255.255.0, how can I fix this?
asa# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: xxx.xxx.xxx.193
access-list outside_1_cryptomap permit ip DG-office 255.255.255.0 Colo 25
.255.255.0
local ident (addr/mask/prot/port): (192.168.100.16/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (Colo/255.255.255.0/0/0)
current_peer: xxx.xxx.xxx.162
#pkts encaps: 39963, #pkts encrypt: 39963, #pkts digest: 39963
#pkts decaps: 38308, #pkts decrypt: 38308, #pkts verify: 38308
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 39963, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: xxx.xxx.xxx.193, remote crypto endpt.: xxx.xxx.xxx.162
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 8959F8CC
inbound esp sas:
spi: 0x3F356DCF (1060466127)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 2, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (92667/2268)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x8959F8CC (2304374988)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 2, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (92660/2268)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: outside_map, seq num: 1, local addr: xxx.xxx.xxx.193
access-list outside_1_cryptomap permit ip DG-office 255.255.255.0 Colo 25
.255.255.0
local ident (addr/mask/prot/port): (192.168.100.64/255.255.255.192/0/0)
remote ident (addr/mask/prot/port): (Colo/255.255.255.0/0/0)
current_peer: xxx.xxx.xxx.162
#pkts encaps: 69, #pkts encrypt: 69, #pkts digest: 69
#pkts decaps: 67, #pkts decrypt: 67, #pkts verify: 67
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 69, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: xxx.xxx.xxx.193, remote crypto endpt.: xxx.xxx.xxx.162
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: B1A6CD86
inbound esp sas:
spi: 0xA5593A3C (2774088252)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 2, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (92762/2814)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xB1A6CD86 (2980498822)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 2, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (92766/2814)
IV size: 8 bytes
replay detection support: YHere I increased the debug level to 255 and initiated the tunnel from the ISA side.
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.07.16 15:13:19 =~=~=~=~=~=~=~=~=~=~=~=
VIREasa#
VIREasa# ena
^
ERROR: % Invalid input detected at '^' marker.
VIREasa# ena
^
ERROR: % Invalid input detected at '^' marker.
VIREasa# clear crypto isakmp sa
VIREasa# debug crypto condition peer XXX.XXX.XXX.162
^
ERROR: % Invalid input detected at '^' marker.
VIREasa# debug crypto isakmp 255
VIREasa# debug crypto ipsec 255
VIREasa# Jul 16 10:37:06 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 16 10:37:06 [IKEv1]: IP = XXX.XXX.XXX.162, IKE Initiator: New Phase 1, Intf inside, IKE Peer XXX.XXX.XXX.162 local Proxy Address 192.168.100.0, remote Proxy Address 10.1.245.0, Crypto map (outside_map)
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, constructing ISAKMP SA payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, constructing Fragmentation VID + extended capabilities payload
Jul 16 10:37:06 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
SENDING PACKET to XXX.XXX.XXX.162
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 108
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 56
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 44
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 1
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 70 80
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 24
Data (In Hex):
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
c0 00 00 00
IKE Recv RAW packet dump
b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67 | ..NVM..*.@.]..Ig
01 10 02 00 00 00 00 00 00 00 00 a8 0d 00 00 38 | ...............8
00 00 00 01 00 00 00 01 00 00 00 2c 01 01 00 01 | ...........,....
00 00 00 24 01 01 00 00 80 01 00 05 80 02 00 02 | ...$............
80 04 00 02 80 03 00 01 80 0b 00 01 00 0c 00 04 | ................
00 00 70 80 0d 00 00 18 1e 2b 51 69 05 99 1c 7d | ..p......+Qi...}
7c 96 fc bf b5 87 e4 61 00 00 00 04 0d 00 00 14 | |......a........
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | @H..n...%......
0d 00 00 14 90 cb 80 91 3e bb 69 6e 08 63 81 b5 | ........>.in.c..
ec 42 7b 1f 00 00 00 14 72 87 2b 95 fc da 2e b7 | .B{.....r.+.....
08 ef e3 22 11 9b 49 71 | ..."..Iq
RECV PACKET from XXX.XXX.XXX.162
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 168
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 56
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 44
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 1
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Group Description: Group 2
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 70 80
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 24
Data (In Hex):
1e 2b 51 69 05 99 1c 7d 7c 96 fc bf b5 87 e4 61
00 00 00 04
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
72 87 2b 95 fc da 2e b7 08 ef e3 22 11 9b 49 71
Jul 16 10:37:06 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, processing SA payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, Oakley proposal is acceptable
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, processing VID payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, processing VID payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, Received Fragmentation VID
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, processing VID payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, Received NAT-Traversal ver 02 VID
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, processing VID payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, constructing ke payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, constructing nonce payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, constructing Cisco Unity VID payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, constructing xauth V6 VID payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, Send IOS VID
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, constructing VID payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 16 10:37:06 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
SENDING PACKET to XXX.XXX.XXX.162
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Key Exchange
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 256
Payload Key Exchange
Next Payload: Nonce
Reserved: 00
Payload Length: 132
Data:
20 ef 0c b5 34 72 9c d0 e7 04 57 3d c1 24 33 18
61 7b 4c 20 22 4f 21 35 03 9e f2 32 f4 00 93 dd
48 e5 75 70 88 84 59 e8 25 15 e6 7f 34 78 36 7b
fc ef c5 af 08 f7 84 42 ae 2f 2c bb 1f a5 28 c6
76 3d c5 96 72 e0 17 de 18 e9 65 37 b0 8d 8f ca
de 12 14 49 2d 92 2e c2 0f 75 82 ef e6 14 83 99
c3 34 f4 3f b1 18 b7 47 ec da 1f af 8a d3 4f c7
a6 8d be ab 06 f3 e9 b6 62 4b 92 aa 84 ea fd 1a
Payload Nonce
Next Payload: Vendor ID
Reserved: 00
Payload Length: 24
Data:
1d fd 28 53 fc e8 e3 a2 8e 45 13 6a f0 eb 35 ed
60 e9 b4 34
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 12
Data (In Hex): 09 00 26 89 df d6 b7 12
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
42 2e e9 4b 4d c6 d9 2a 0a 4f d8 e6 97 31 29 31
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00
IKE Recv RAW packet dump
b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67 | ..NVM..*.@.]..Ig
04 10 02 00 00 00 00 00 00 00 00 b8 0a 00 00 84 | ................
08 da ec 1d 50 67 35 31 dd 86 2e 10 8a 06 f9 5a | ....Pg51.......Z
15 b8 21 8f 41 78 91 6e 6a 58 69 9e 51 b2 3e c8 | ..!.Ax.njXi.Q.>.
f2 73 66 c6 dc 96 fc 02 c3 a8 4f 50 8c 39 c8 2e | .sf.......OP.9..
f1 ee f9 19 c3 b5 c8 19 2e d3 59 64 bb 78 19 a8 | ..........Yd.x..
ff e4 02 a6 82 a4 2c 73 ba 9a 7a c3 7b 3b 25 d9 | ......,s..z.{;%.
7b d5 e0 52 a5 c6 fb 5e b7 42 8e 5d 93 7d 83 c5 | {..R...^.B.].}..
91 8f 7d f9 4f 05 66 4b 6c c0 da bc 80 44 a5 1b | ..}.O.fKl....D..
da f4 34 03 3a a2 bd 24 6a 9c ff 47 3c f3 ba e8 | ..4.:..$j..G<...
00 00 00 18 1a bf f9 d7 92 92 38 1f 1f 37 48 18 | ..........8..7H.
e2 84 c9 5e 86 2c c8 e8 | ...^.,..
RECV PACKET from XXX.XXX.XXX.162
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Key Exchange
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 184
Payload Key Exchange
Next Payload: Nonce
Reserved: 00
Payload Length: 132
Data:
08 da ec 1d 50 67 35 31 dd 86 2e 10 8a 06 f9 5a
15 b8 21 8f 41 78 91 6e 6a 58 69 9e 51 b2 3e c8
f2 73 66 c6 dc 96 fc 02 c3 a8 4f 50 8c 39 c8 2e
f1 ee f9 19 c3 b5 c8 19 2e d3 59 64 bb 78 19 a8
ff e4 02 a6 82 a4 2c 73 ba 9a 7a c3 7b 3b 25 d9
7b d5 e0 52 a5 c6 fb 5e b7 42 8e 5d 93 7d 83 c5
91 8f 7d f9 4f 05 66 4b 6c c0 da bc 80 44 a5 1b
da f4 34 03 3a a2 bd 24 6a 9c ff 47 3c f3 ba e8
Payload Nonce
Next Payload: None
Reserved: 00
Payload Length: 24
Data:
1a bf f9 d7 92 92 38 1f 1f 37 48 18 e2 84 c9 5e
86 2c c8 e8
Jul 16 10:37:06 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 184
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, processing ke payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, processing ISA_KE payload
Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, processing nonce payload
Jul 16 10:37:06 [IKEv1]: IP = XXX.XXX.XXX.162, Connection landed on tunnel_group XXX.XXX.XXX.162
Jul 16 10:37:06 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Generating keys for Initiator...
Jul 16 10:37:06 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing ID payload
Jul 16 10:37:06 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing hash payload
Jul 16 10:37:06 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Computing hash for ISAKMP
Jul 16 10:37:06 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing dpd vid payload
Jul 16 10:37:06 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67 | ..NVM..*.@.]..Ig
05 10 02 00 00 00 00 00 1c 00 00 00 08 00 00 0c | ................
01 11 01 f4 ad 0f 76 c1 0d 00 00 18 7b 35 df 40 | ......v.....{5.@
d0 10 31 39 3a 14 72 50 cb ff 48 de c4 f1 9d e2 | ..19:.rP..H.....
00 00 00 14 af ca d7 13 68 a1 f1 c9 6b 86 96 fc | ........h...k...
77 57 01 00 | wW..
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 469762048
Payload Identification
Next Payload: Hash
Reserved: 00
Payload Length: 12
ID Type: IPv4 Address (1)
Protocol ID (UDP/TCP, etc...): 17
Port: 500
ID Data: YYY.YYY.YYY
Payload Hash
Next Payload: Vendor ID
Reserved: 00
Payload Length: 24
Data:
7b 35 df 40 d0 10 31 39 3a 14 72 50 cb ff 48 de
c4 f1 9d e2
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
SENDING PACKET to XXX.XXX.XXX.162
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (Encryption)
MessageID: 00000000
Length: 84
IKE Recv RAW packet dump
b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67 | ..NVM..*.@.]..Ig
05 10 02 01 00 00 00 00 00 00 00 44 ed 48 40 6f | ...........D.H@o
aa 8e b8 5a b3 59 f7 d8 cc 4e e9 a7 d3 d1 0a 04 | ...Z.Y...N......
ca cf 7f 53 11 d9 ea e7 fa eb 2f ad cf 85 fc d8 | ..S....../.....
d0 00 1e 11 | ....
RECV PACKET from XXX.XXX.XXX.162
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (Encryption)
MessageID: 00000000
Length: 68
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (Encryption)
MessageID: 00000000
Length: 68
Payload Identification
Next Payload: Hash
Reserved: 00
Payload Length: 12
ID Type: IPv4 Address (1)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: XXX.XXX.XXX.162
Payload Hash
Next Payload: None
Reserved: 00
Payload Length: 24
Data:
9d 85 c6 d1 37 3d 5e df 25 22 2c 01 1f f8 4d 42
e5 51 da ed
Jul 16 10:37:07 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing ID payload
Jul 16 10:37:07 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, ID_IPV4_ADDR ID received
XXX.XXX.XXX.162
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing hash payload
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Computing hash for ISAKMP
Jul 16 10:37:07 [IKEv1]: IP = XXX.XXX.XXX.162, Connection landed on tunnel_group XXX.XXX.XXX.162
Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Freeing previously allocated memory for authorization-dn-attributes
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Oakley begin quick mode
Jul 16 10:37:07 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Initiator starting QM: msg id = d034947b
Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, PHASE 1 COMPLETED
Jul 16 10:37:07 [IKEv1]: IP = XXX.XXX.XXX.162, Keep-alive type for this connection: None
Jul 16 10:37:07 [IKEv1]: IP = XXX.XXX.XXX.162, Keep-alives configured on but peer does not support keep-alives (type = None)
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Starting P1 rekey timer: 21600 seconds.
IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey GETSPI message
IPSEC: Creating IPsec SA
IPSEC: Getting the inbound SPI
IPSEC: New embryonic SA created @ 0x03F0A668,
SCB: 0x03E6B0D0,
Direction: inbound
SPI : 0xAC3E784B
Session ID: 0x00000023
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE got SPI from key engine: SPI = 0xac3e784b
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, oakley constucting quick mode
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing blank hash payload
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing IPSec SA payload
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing IPSec nonce payload
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing proxy ID
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Transmitting Proxy Id:
Local subnet: 192.168.100.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 10.1.245.0 Mask 255.255.255.0 Protocol 0 Port 0
Jul 16 10:37:07 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Initiator sending Initial Contact
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing qm hash payload
Jul 16 10:37:07 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Initiator sending 1st QM pkt: msg id = d034947b
Jul 16 10:37:07 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE SENDING Message (msgid=d034947b) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 196
BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67 | ..NVM..*.@.]..Ig
08 10 20 00 7b 94 34 d0 1c 00 00 00 01 00 00 18 | .. .{.4.........
3f 10 13 8a 47 5e 02 06 75 50 d3 43 26 14 5f 12 | ?...G^..uP.C&._.
dd 0f 3c fa 0a 00 00 3c 00 00 00 01 00 00 00 01 | ..<....<........
00 00 00 30 01 03 04 01 ac 3e 78 4b 00 00 00 24 | ...0.....>xK...$
01 03 00 00 80 01 00 01 80 02 0e 10 80 01 00 02 | ................
00 02 00 04 00 46 50 00 80 04 00 01 80 05 00 02 | .....FP.........
05 00 00 18 53 e8 3e 40 01 c5 64 9e 79 39 ea 39 | ....S.>@..d.y9.9
ab a6 0d 55 14 26 f1 49 05 00 00 10 04 00 00 00 | ...U.&.I........
c0 a8 64 00 ff ff ff 00 0b 00 00 10 04 00 00 00 | ..d.............
0a 01 f5 00 ff ff ff 00 00 00 00 1c 00 00 00 01 | ................
01 10 60 02 b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d | ..`...NVM..*.@.]
bc 96 49 67 | ..Ig
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (none)
MessageID: 7B9434D0
Length: 469762048
Payload Hash
Next Payload: Security Association
Reserved: 00
Payload Length: 24
Data:
3f 10 13 8a 47 5e 02 06 75 50 d3 43 26 14 5f 12
dd 0f 3c fa
Payload Security Association
Next Payload: Nonce
Reserved: 00
Payload Length: 60
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 48
Proposal #: 1
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: ac 3e 78 4b
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: ESP_3DES
Reserved2: 0000
Life Type: Seconds
Life Duration (Hex): 0e 10
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Encapsulation Mode: Tunnel
Authentication Algorithm: SHA1
Payload Nonce
Next Payload: Identification
Reserved: 00
Payload Length: 24
Data:
53 e8 3e 40 01 c5 64 9e 79 39 ea 39 ab a6 0d 55
14 26 f1 49
Payload Identification
Next Payload: Identification
Reserved: 00
Payload Length: 16
ID Type: IPv4 Subnet (4)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: DG-office/255.255.255.0
Payload Identification
Next Payload: Notification
Reserved: 00
Payload Length: 16
ID Type: IPv4 Subnet (4)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: Colo/255.255.255.0
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 28
DOI: IPsec
Protocol-ID: PROTO_ISAKMP
Spi Size: 16
Notify Type: STATUS_INITIAL_CONTACT
SPI:
b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: D034947B
Length: 196
IKE Recv RAW packet dump
b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67 | ..NVM..*.@.]..Ig
08 10 05 01 ee d1 a5 04 00 00 00 44 26 c1 f7 cc | ...........D&...
ec 14 8f 80 ff d0 08 ae ab 96 92 b3 56 2b 07 7c | ............V+.|
c5 e5 77 ec 2e 15 6e 56 d2 5d 33 37 4d fc bb 7d | ..w...nV.]37M..}
e8 98 2b c1 | ..+.
RECV PACKET from XXX.XXX.XXX.162
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: EED1A504
Length: 68
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: EED1A504
Length: 68
Payload Hash
Next Payload: Notification
Reserved: 00
Payload Length: 24
Data:
53 20 d4 29 bd 19 4a b1 f6 65 f7 c4 e8 6d 5c af
cf fa ea b5
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 16
DOI: IPsec
Protocol-ID: PROTO_IPSEC_ESP
Spi Size: 4
Notify Type: INVALID_ID_INFO
SPI: 00 00 00 00
Jul 16 10:37:07 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE RECEIVED Message (msgid=eed1a504) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing hash payload
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing notify payload
Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Received non-routine Notify message: Invalid ID info (18)
IKE Recv RAW packet dump
b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67 | ..NVM..*.@.]..Ig
08 10 20 01 a2 7b cd 29 00 00 00 ac 19 db 72 b1 | .. ..{.)......r.
04 b4 77 94 93 8c 06 d2 9e 67 f7 ab c1 23 19 74 | ..w......g...#.t
e5 f6 92 4a 61 7b 62 93 2e 75 18 b6 c3 53 89 74 | ...Ja{b..u...S.t
d7 f9 b3 2e 6d 0f 9e 9c 26 4a b0 1e 6d 05 be 7f | ....m...&J..m..
e1 60 fa f1 34 c9 af d8 5c dd b5 71 a9 8c 80 77 | .`..4...\..q...w
7a ad b4 2e 72 a9 df d2 d1 cd 61 a6 02 5c 08 4f | z...r.....a..\.O
74 18 3e db 0e 4e 9d 8b a2 03 48 c2 a3 9e 30 de | t.>..N....H...0.
d6 93 fb df 34 fc e4 9c 28 59 bb b8 a6 d9 62 4d | ....4...(Y....bM
35 8c c4 65 78 03 a6 db cc 7f 33 7e eb ff 9e b3 | 5..ex....3~....
6f 11 7b aa 56 cf 74 48 58 45 1c c0 | o.{.V.tHXE..
RECV PACKET from XXX.XXX.XXX.162
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: A27BCD29
Length: 172
Jul 16 10:37:07 [IKEv1 DECODE]: IP = XXX.XXX.XXX.162, IKE Responder starting QM: msg id = a27bcd29
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: A27BCD29
Length: 172
Payload Hash
Next Payload: Security Association
Reserved: 00
Payload Length: 24
Data:
9c 15 1c c7 d7 e6 b5 91 c6 8e 1b d6 b2 4c c7 63
ee 9f 60 3e
Payload Security Association
Next Payload: Nonce
Reserved: 00
Payload Length: 64
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 52
Proposal #: 1
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: de 9f df a1
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: ESP_3DES
Reserved2: 0000
Life Type: Seconds
Life Duration (Hex): 00 00 0e 10
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Encapsulation Mode: Tunnel
Authentication Algorithm: SHA1
Payload Nonce
Next Payload: Identification
Reserved: 00
Payload Length: 24
Data:
ed 0a 2d a8 d8 f0 80 aa c6 19 bf 9e bb d3 68 18
0c 40 15 96
Payload Identification
Next Payload: Identification
Reserved: 00
Payload Length: 16
ID Type: IPv4 Subnet (4)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: Colo/255.255.255.0
Payload Identification
Next Payload: None
Reserved: 00
Payload Length: 16
ID Type: IPv4 Subnet (4)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: 192.168.100.16/255.255.255.240
Jul 16 10:37:07 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE RECEIVED Message (msgid=a27bcd29) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing hash payload
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing SA payload
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing nonce payload
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing ID payload
Jul 16 10:37:07 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, ID_IPV4_ADDR_SUBNET ID received--10.1.245.0--255.255.255.0
Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Received remote IP Proxy Subnet data in ID Payload: Address 10.1.245.0, Mask 255.255.255.0, Protocol 0, Port 0
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing ID payload
Jul 16 10:37:07 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, ID_IPV4_ADDR_SUBNET ID received--192.168.100.16--255.255.255.240
Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Received local IP Proxy Subnet data in ID Payload: Address 192.168.100.16, Mask 255.255.255.240, Protocol 0, Port 0
Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, QM IsRekeyed old sa not found by addr
Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Static Crypto Map check, checking map = outside_map, seq = 1...
Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Static Crypto Map check, map outside_map, seq = 1 is a successful match
Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Remote Peer configured for crypto map: outside_map
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing IPSec SA payload
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IPSec SA Proposal # 1, Transform # 1 acceptable Matches global IPSec SA entry # 1
Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE: requesting SPI!
IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey GETSPI message
IPSEC: Creating IPsec SA
IPSEC: Getting the inbound SPI
IPSEC: New embryonic SA created @ 0x0406CF98,
SCB: 0x03E3BE78,
Direction: inbound
SPI : 0x8B032DDE
Session ID: 0x00000023
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE got SPI from key engine: SPI = 0x8b032dde
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, oakley constucting quick mode
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing blank hash payload
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing IPSec SA payload
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing IPSec nonce payload
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing proxy ID
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Transmitting Proxy Id:
Remote subnet: 10.1.245.0 Mask 255.255.255.0 Protocol 0 Port 0
Local subnet: 192.168.100.16 mask 255.255.255.240 Protocol 0 Port 0
Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing qm hash payload
Jul 16 10:37:07 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Responder sending 2nd QM pkt: msg id = a27bcd29
Jul 16 10:37:07 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE SENDING Message (msgid=a27bcd29) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168
BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67 | ..NVM..*.@.]..Ig
08 10 20 00 29 cd 7b a2 1c 00 00 00 01 00 00 18 | .. .).{.........
db fb e2 21 78 0a 66 2b b4 92 0f 63 80 bd ee b5 | ...!x.f+...c....
1a b6 be d1 0a 00 00 3c 00 00 00 01 00 00 00 01 | .......<........
00 00 00 30 01 03 04 01 8b 03 2d de 00 00 00 24 | ...0......-....$
01 03 00 00 80 01 00 01 80 02 0e 10 80 01 00 02 | ................
00 02 00 04 00 46 50 00 80 04 00 01 80 05 00
IKE Recv RAW packet dump
b7 e9 Jul 16 10:37:07 [IKEv1]IPSEC: New embryonic SA created @ 0x03F64B78,
SCB: 0x03F74178,
Direction: outbound
SPI : 0xDE9FDFA1
Session ID: 0x00000023
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: Completed host OBSA update, SPI 0xDE9FDFA1
IPSEC: Creating outbound VPN context, SPI 0xDE9FDFA1
Flags: 0x00000005
SA : 0x03F64B78
SPI : 0xDE9FDFA1
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00000000
SCB : 0x03F74178
Channel: 0x0174FC00
IPSEC: Increment SA NP ref counter for outbound SPI 0xDE9FDFA1, old value: 0, new value: 1, (ctm_ipsec_create_vpn_context:5166)
IPSEC: Completed outbound VPN context, SPI 0xDE9FDFA1
VPN handle: 0x053ADADC
IPSEC: Increment SA NP ref counter for outbound SPI 0xDE9FDFA1, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:4257)
Jul 16 10:37:09 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: D034947B
Length: 196
Jul 16 10:37:15 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 16 10:37:18 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 16 10:37:21 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: D034947B
Length: 196
Jul 16 10:37:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: D034947B
Length: 196
Jul 16 10:37:39 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, QM FSM error (P2 struct &0x3f0cf28, mess id 0xd034947b)!
Jul 16 10:37:39 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE QM Initiator FSM error history (struct &0x3f0cf28) , : QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Jul 16 10:37:39 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, sending delete/delete with reason message
Jul 16 10:37:39 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing blank hash payload
Jul 16 10:37:39 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jul 16 10:37:39 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Deleting SA: Remote Proxy 10.1.245.0, Local Proxy 192.168.100.0
Jul 16 10:37:39 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Removing peer from correlator table failed, no match!
IPSEC: Received a PFKey message from IKE
IPSEC: Destroy current inbound SPI: 0xAC3E784B
Jul 16 10:37:39 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xac3e784b
Jul 16 10:37:40 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 16 10:37:40 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Initiator: New Phase 2, Intf inside, IKE Peer XXX.XXX.XXX.162 local Proxy Address 192.168.100.0, remote Proxy Address 10.1.245.0, Crypto map (outside_map)
Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Oakley begin quick mode
Jul 16 10:37:40 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Initiator starting QM: msg id = 51890662
IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey GETSPI message
IPSEC: Creating IPsec SA
IPSEC: Getting the inbound SPI
IPSEC: New embryonic SA created @ 0x03F0A668,
SCB: 0x03E6B0D0,
Direction: inbound
SPI : 0xF14B8E07
Session ID: 0x00000023
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE got SPI from key engine: SPI = 0xf14b8e07
Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, oakley constucting quick mode
Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing blank hash payload
Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing IPSec SA payload
Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing IPSec nonce payload
Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing proxy ID
Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Transmitting Proxy Id:
Local subnet: 192.168.100.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 10.1.245.0 Mask 255.255.255.0 Protocol 0 Port 0
Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing qm hash payload
Jul 16 10:37:40 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Initiator sending 1st QM pkt: msg id = 51890662
Jul 16 10:37:40 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE SENDING Message (msgid=51890662) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168
BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67 | ..NVM..*.@.]..Ig
08 10 20 00 62 06 89 51 1c 00 00 00 01 00 00 18 | .. .b..Q........
d1 63 d0 1c f2 fe 51 54 ed 50 52 e5 15 97 11 61 | .c....QT.PR....a
bc cf 89 bf 0a 00 00 3c 00 00 00 01 00 00 00 01 | .......<........
00 00 00 30 01 03 04 01 f1 4b 8e 07 00 00 00 24 | ...0.....K.....$
01 03 00 00 80 01 00 01 80 02 0e 10 80 01 00 02 | ................
00 02 00 04 00 46 50 00 80 04 00 01 80 05 00 02 | .....FP.........
05 00 00 18 dc d3 97 00 48 5b e9 d4 05 af ef 1d | ........H[......
5c 3f bd b4 06 e5 ad 4c 05 00 00 10 04 00 00 00 | \?.....L........
c0 a8 64 00 ff ff ff 00 00 00 00 10 04 00 00 00 | ..d.............
0a 01 f5 00 ff ff ff 00 | ........
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (none)
MessageID: 62068951
Length: 469762048
Payload Hash
Next Payload: Security Association
Reserved: 00
Payload Length: 24
Data:
d1 63 d0 1c f2 fe 51 54 ed 50 52 e5 15 97 11 61
bc cf 89 bf
Payload Security Association
Next Payload: Nonce
Reserved: 00
Payload Length: 60
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 48
Proposal #: 1
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: f1 4b 8e 07
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: ESP_3DES
Reserved2: 0000
Life Type: Seconds
Life Duration (Hex): 0e 10
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Encapsulation Mode: Tunnel
Authentication Algorithm: SHA1
Payload Nonce
Next Payload: Identification
Reserved: 00
Payload Length: 24
Data:
dc d3 97 00 48 5b e9 d4 05 af ef 1d 5c 3f bd b4
06 e5 ad 4c
Payload Identification
Next Payload: Identification
Reserved: 00
Payload Length: 16
ID Type: IPv4 Subnet (4)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: DG-office/255.255.255.0
Payload Identification
Next Payload: None
Reserved: 00
Payload Length: 16
ID Type: IPv4 Subnet (4)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: Colo/255.255.255.0
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: 51890662
Length: 172
IKE Recv RAW packet dump
b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67 | ..NVM..*.@.]..Ig
08 10 05 01 50 d5 d4 b3 00 00 00 44 6b 63 20 72 | ....P......Dkc r
fc 1c c8 af 22 61 8f ae f0 9c 5c 41 1d 80 b1 6e | ...."a....\A...n
75 46 65 1c 9d 8e 51 5b d0 f7 82 d8 88 9b 49 e9 | uFe...Q[......I.
42 5f a2 a8 | B_..
RECV PACKET from XXX.XXX.XXX.162
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: 50D5D4B3
Length: 68
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: 50D5D4B3
Length: 68
Payload Hash
Next Payload: Notification
Reserved: 00
Payload Length: 24
Data:
a8 07 00 a6 3c 57 dd 50 49 a7 5e e0 55 ab 01 f3
65 29 9e 9b
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 16
DOI: IPsec
Protocol-ID: PROTO_IPSEC_ESP
Spi Size: 4
Notify Type: INVALID_ID_INFO
SPI: 00 00 00 00
Jul 16 10:37:40 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE RECEIVED Message (msgid=50d5d4b3) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68
Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing hash payload
Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing notify payload
Jul 16 10:37:40 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Received non-routine Notify message: Invalid ID info (18)
Jul 16 10:37:43 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
ISAKMP Header
Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
Responder COOKIE: b3 40 f6 5d bc 96 49 67
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: 51890662
Length: 172
Jul 16 10:37:49 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
VIREasa#
VIREasa# no debug crypto isakmp 255
VIREasa# no debug crypto ipsec 255
VIREasa# -
UDP responses from multiple PCs
My laptop is on a local area network that consists of the laptop, a switch, and two RF switch boxes.
Not connected to the corporate network.
According to the equpment vendor a command can be broadcast to the local network using UDP and all tthe boxes that receive the request will respond.
The VI that they gave me only shows the response for one the boxes at a time.
How do I go about modifying the VI so that the response from both boxes are received?
Attached is their VI which I have simplified. The IPv4 address is for my laptop.
The boxes are at 192.168.0.141 and 192.,168.0.142
nyc wrote:
There is no input specifically called "local broadcast address".
With "local broadcast address" I meant the "broadcast address for the local subnet".
You are always sending from your own address. That's your own unicast IP address which is automatically added to the header of all outgoing packets. The devices at the other end will respond to the broadcast with a unicast to the source IP of the received packet, i.e. your adapter. Same for the port. "open UDP" reserves a local port, which is used as source port for the outging packets. The destination port is whatever the other devices are listening at, so you have no choice.
All adapters receive messages to their assigned IP address, to the local subnet broadcast address, to the generic broadcast address (255.255.255.255) as well as to certain multicast addresses. On the local subnet, things are actually guided by the MAC address and each adapter maintains an ARP table to correctly form the ethernet header. Your local switches will know (from learning) all connnected MAC addresses and their assigned IPs and will send out any incoming packet to the right connecter. They recognize broadcasts and will automatically send them out on all other connectors. If the address is not local, the ethernet packet is set to the MAC address of the router (the default gateway) and it will read the destination IP to determine which interface (i.e. other subnet) the packet should go out, etc.
nyc wrote:
Could you explain whey the IPv4 address is being OR'd with the negate of the subnet mask?
I am clueless as to the purpose.
Well, that's the correct math, look it up! (the original code does exactly the same, but in a Rube Goldberg kind of way )
For example if your IP address is:
192.168.5.45 and the netmask is 255.255.255.0, the broadcast address is 192.168.5.255
10.47.5.45 and the netmask is 255.0.0.0, the broadcast address is 10.255.255.255
etc.
Thus the local subnet broadcast addrees can be determined from the IP address and netmask.
Note that each address is internally just a U32 integer and boolean operations will function bitwise.
-
NetBoot across subnets with a bootpd relay
Hello Apple Community!
I've got 4 subnets at my school, each with various Macs around campus. I have a Mavericks server on each subnet currently, each with their own NetBoot images. It's a pain to keep everything updated. I can get a single client Mac (pre-2011) to boot across subnets using the bless command, but that's not really a viable solution for us to run a bless command on each client every single time we want to netboot. So far, the solution has been just to have dedicated netboot servers on each subnet, but I know there has to be a better way.
This article (OS X Server: How to use NetBoot across subnets - Apple Support) describes three different methods for netbooting across subnets, but two of them are not really viable for us. Those involve reconfiguring the network to allow BootP data to pass across subnets or configuring one server with multiple network connections, one for each subnet. However, option #2 describes configuring a bootpd relay. Based on my reading, this sounds like exactly what I need. However, I can't find any good documentation to walk me through setting it up.
I've thoroughly read the bootpd man page, which has had me editing the /etc/bootpd.plist on multiple servers. This hasn't gotten me very far. My clients still don't see the remote NetBoot server. It seems like the relay is supposed to redirect broadcasts from the remote Netboot server, through a local NetBoot server to the client. But I have no idea how to make this work.
Could someone please give me more guidance on what I'm supposed to be doing here? I'd like to host a single NetBoot server and have any client on any subnet be able to option-boot to see the NetBoot startup options (I have multiple NetBoot images, from Apple Service Toolkit to DeployStudio and Mavericks/Yosemite installers in between). Even if I could get it to just netboot to one default source (AST), I could deal with that. I'm also happy to host multiple NetBoot servers, but with all my NetBoot images in one location. I'm stumped in this multiple subnet environment and I need help. Please help.Thanks again for your feedback. I had forgotten I left the "tftp://" on the IP address. Though, I've tried that multiple ways, starting with IP only. Also, per the bootpd man page (https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/ man8/bootpd.8.html), <allow/> and <deny/> are lists for MAC address allowances and when nothing is defined everything goes through. These are there by default, though I will remove them and see what happens. Also, according to the man page, bootp_enabled enables on all connections when a boolean is set rather than an array. Though I will still change this also and see what happens. The array that comes after the netboot_disabled key is auto-generated by NetInstall when you turn the service on in Server.app.
Essentially, that plist comes from a fresh activation of NetInstall. I deleted the previous .plist, rebooted the server and when I turned on NetInstall, that's what was created, plus my bootp modifications.
All that said, you said that you assumed I started the relay with the 'debug & logging' options enabled. I haven't started the relay in any active sense. So far, I've just been modifying this .plist, and rebooting a bunch of times, but that's where I seem to get lost. Is there a way to actively "start" the relay? I'd love to look at these 'debug & logging' options. As for the 'Startup Disk' prefs on the client Mac, they do not show any significant change. Basically, they just don't see the remote server as a startup option. I have not gleaned any pertinent info from console, though I'm not sure I know what I'm looking for.
On a side note, I had a wild hair to try something different. I set my local subnet's server to look at a NetBootSP0 folder that was actually a symlink to a NetBootSP0 folder that was mounted as a file share from the remote NetBoot server. This really looked like it might work. When you boot the client, it saw the startup volumes from the remote server. However, upon boot, it doesn't seem to make the connection and winds up booting back to the internal hard drive. It was worth a try... -
How To: Use Visual Studio, IIS Express, and Adobe Edge Inspect to view local projects
You CAN view a Visual Studio project with Adobe Inspect. The work around takes a little bit of time.
This involves using IIS Express to run your Visual Studio project, which is mainly a setting in Visual Studio, a Firewall change, a few command line and IIS Express config change. It isn't actually all that bad, but will make your life A LOT easier.
Here are the steps. (Note these are steps I used for Visual Studio 2012 and your project is part of a solution project. Windows 7 or Windows 8)
1. If IIS in not turned on, turn it on.How to: Enable Internet Information Services (IIS) - this should install IIS Express as well.
2. In Visual Studio, find the port that Visual Studio will be using for your project by Running your web project (Debug), and note/write down/save the port number that shows up in the browser when the project launches. (ex. http://localhost:12345)
3. Add a NetShare Reservation (process for this will be different for Windows XP)
Go to your Command Line (CMD) in Windows and in c:\Windows\system32> type in
netsh http add urlacl url=http://yourIPaddress:yourPortNumber user=everyone
(ex. netsh add urlacl url=http://12.34.56.78:12345 user=everyone)
Hit Enter key. You should be a successful add reservation message
3. Go to your Windows Explorer (File system) and go to c:/Users/YourName/MyDocuments (or Documents)/IISExpress/config/ and open 'applicationhost.config'
In the 'applicationhost.config' file find your site in the <sites> section.
Example:
<sites>
<site name="WebSite1" id="1" serverAutoStart="true">
<application path="/">
<virtualDirectory path="/" physicalPath="C:\MyProjects\TestSite" />
</application>
<bindings>
<binding protocol="http" bindingInformation=":12345:localhost" />
</bindings>
</site>
</sites>
In this section ADD 2 new lines to the <bindings> section. Note add your own IP address and your own Computer Name
<binding protocol="http" bindingInformation="*:12345:12.34.56.78" />
<binding protocol="http" bindingInformation=":12345:MyComputerName" />
Save the config file.
4. Open up your Windows Firewall and go to 'Advanced Settings'. Here you want to create an Inbound Rule.
Right click on Inbound Rule and select New Rule
- Rule Type select 'Custom'
- Program leave this
- Protocol and Ports > Protocol Type select 'TCP' then Local Port select 'Specific Port' and fill in the port number you got from VS. Leave Remote Port alone.
- Scope
There are a few ways of doing this. Typically you would go the the Remote IP address and select 'These IP addresses: and select ADD > select 'Predefined set of computers' and choose Local Subnet. IF this does not work leave Remote IP addresses > Any IP address option selected instead.
- Action leave this
- Profile select Domain and Private
- Name put IISExpressWeb for the name
Select 'Finish'
5. Go to Visual Studio. (Note if you have multiple projects in your solution, choose your start up project. Right click on your project in Solution Explorer in VS and select 'Set as Start Up Project' )
Right click on your start up project again and you should see an option to 'Use IISExpress'
In the DEBUG dropdown (from the main menu bar at the top) select 'YourProjectName Properties'. Mine was the last one in the list with a wrench icon next to it.
This should open an new tab in your project, You should see a left hand list of option and a right hand column of options.
In the left column select 'Web' and in this tab select Use Local IIS Web server and select 'Use IIS Express' and type in your IP Address and port number (same as before) in the Project Url text box.
Save.
NOW, you should be able to run your project in Visual Studio and use Adobe Edge Inspect on your device and view new results in Chrome. You can develop from there.
If you still can not see it working, please be sure your device is on the same SubNet or Wireless network as your computer. If you are in a large network but the domains can still see each other, the Firewall Setting detailed above to allow Any IP Address in your Scope section.Hi CMosqueda,
Thank you for taking time to share this information with other users.
Thanks,
Preran -
"2 routers, one subnet" or "how do I access LAN of Router#1 from R#2"
Hi folks,
First post is a question but I hope I can contribute in the future.
I realize what i really want is a Wireless Access Point but I was in a rush and none are available locally. My need is to provide wireless internet on my upper floor where the DSL connected router in the basement will not reach. Wireless is disabled on DSL Router1 and not required there. I have currently succeeded in this by connecting a second router (WRT110) via ethernet on my top floor and configuring it to provide a seperate subnet. It aquires an address on it's WAN port from Router1 via DHCP and feeds wireless divices on the new subnet with DHCP provided addresses of it's own. NAT is enabled.
--Works fine for accessing Internet.
However,
I need to run a Squeezebox (ethernet or wireless) from Router2. It has to talk to it's server on Router1's subnet. It succesfully receives an address from R2 but will not conenct to the server on the other subnet.
Short question is Can I make this Work and How?
Random thoughts.
Ideally, I wanted to have the WRT110 "existing on" and "providing wireless access to" the same subnet as Router1. I was told it could be done and it makes some sense if I connect them via LAN ports on both and address accordingly, disable NAT, etc... but I can't quiet figure it out. Even when I tell the WRT110 that I want to assign it a static IP from the first subnet, it asks for both a WAN and LAN address. If somebody can describe and how to configure it to simply exist on subnet #1, it would be most ideal.
Otherwise if keeping two routed subnets
I see a route in my routing table for the two subnets to talk but is NAT still occuring on the packets travelling through the WRT110, even when just trying to access the other local subnet? If so, that boggles my mind on the routing statement requirements.
I tried enabling port forwarding (totally demiliterized it) for the server's IP on Router2 but I'm now thinking I should have done it on R1 as thats where the server exists, but would that only aply to traffic out R1's WAN port? Is this even required at all?
Tried to ponder combinations of NAT off & static or enhanced routing but haven't devised a combination that makes sense or works.
If I ping the server from a laptop running from the second subnet, I get destination host unreachable vs. a time out. So it knows it's out there (kinda sorta) but can't talk at IP level? This only tells me that 'maybe' it's possible if I get it the routing set right.
I won't write every combo I tried, hoping that by now you see what I am trying to accomplish and can tell me the best way to do it or that it's not worth the effort.
P.S.
Yes, I have considered a cheap switch just ahead of R2 so that I could keep the Squeezebox on the old subnet where it's happy and also feed the WRT110 to let it happily route mywireless internet traffic.
I also considered returning the WRT110 and ordering a Wireless Access Point via the Internet but I need to provide service for some guests by tomorrow night. Hope someone here can help.
Thanks in advance.Assuming your DSL is connected to Router #1(not linksys) and it's default IP Address is 192.168.1.1(subnet : 255.255.255.0)...Then you should change the default IP Address of Router #2(Linskys - WRT110) to 192.168.1.2(this address should be unique) and disable the DHCP Server on Router #2 and it's Internet Connection type should always be 'Automatic DHCP'...This configuration will work when both the router's are connected using their LAN Ports...Internet/WAN Port is not used when connecting both the routers to each other...
With the above mentioned configuration, computers connected to router #1 will communicate with computers connected to router #2... -
Sometimes Local Address not in ARP table and Ping fails (network problem?)
I see something like this on our network a couple of times a week.
The same replies have been received from different hosts.
ping fails
local subnet machine is not in arp table
ping fails
local subnet machine is not in arp table
traceroute may or maynot succeed
If traceroute succeeds an entry is in the arp table
if traceroute fails no entry will be in the arp table.
A netstat -s, ont the local host, doesn't show any thing strange except that udpNoPorts=10844982 (Unfortunately I don't know what udpNoPorts is)
The remote host IS UP.
Does anyone have an idea as to why this is happening?
Can our 100mb network, which is not that busy, be loosing that many ICMP or ARP messages?
This is a problem because I'm the guy getting paged if a system is down.
Local host is Solaris 7 on same subnet at IP 168.173.8.8
Remote hosts are usually NT boxes.
/usr/sbin/ping -svR stpaul_web2 56 3
----stpaul_web2.agribank.com PING Statistics----
3 packets transmitted, 0 packets received, 100% packet loss
/usr/sbin/arp stpaul_web2
stpaul_web2 (168.173.8.143) -- no entry
/usr/sbin/ping -svR stpaul_web2 56 3
----stpaul_web2.agribank.com PING Statistics----
3 packets transmitted, 0 packets received, 100% packet loss
/usr/sbin/arp stpaul_web2
stpaul_web2 (168.173.8.143) -- no entry
/usr/sbin/traceroute stpaul_web2
1 stpaul_web2.AGRIBANK.COM (168.173.8.143) 2995.868 ms 0.231 ms 0.211 ms
/usr/sbin/arp stpaul_web2
stpaul_web2 (168.173.8.143) at 0:1:2:cc:a3:51
Any help is greatly appreciated.
KsHi,
I Think you need to do Teaming on the servers.
++ configure etherchannel between switch and the server.
configuring etherchannel b/w 4503 and server:
================================
http://www.cisco.com/en/US/tech/tk389/tk213/technologies_configuration_example09186a008089a821.shtml
Sample NIC Teaming - HP NICs with Cisco Switches (EtherChannel) :
==============================================
http://support.citrix.com/article/CTX434260
There are several NIC teaming technologies available today from switch vendors. Cisco uses the term “EtherChannel.” Various switch vendors use various terms, and these may or may not provide the same exact functionality. Use of EtherChannel technology requires support from the server hardware vendor, NIC vendor, and Layer-2 switch vendor.
Hope this helps
Cheers
Somu
Rate helpful posts
Maybe you are looking for
-
How to delete unused entries in the FROM selectbox in mail.app
Hi, In the FROM selectbox in mail.app I find entries, that are not in the accoutlist and that are not in the list of the smtp accounts. How can I get rid of them Tnx Micho
-
How do you highlight text in Pages v5?
Hi guys, Was struggling a bit with the recent changes from Pages 5 and was wondering how we could highlight text (using different colours etc)? Thanks !
-
Importing contacts from outer space
Yo! So - I did purchase this device called iPhone 3Gs. Neat! My SONY Ericsson rest in pieces, as much as I still love it. Anyway - is there a way to export contacts from my Mac Entourage address book and import into this thing somehow? Any ideas warm
-
Dear all, Its going well with the creation of the physical standby database. I have copied the dbf, stbycf.ctl, init_stby.ora file to the standby system. Now I need to modify the init_stby.ora file. This file has to be modified in standby system or t
-
HT4528 Excess amounts of data being used.
Why is my iPhone 4 on Verizon suddenly using ridiclous amounts of data (16GB to be exact in 12 hours) when I am on wifi? Please help.