TravisTestRouter(config-if)#do debug cry ips
Crypto IPSEC debugging is on
TravisTestRouter(config-if)#do debug cry ike
IKEv2 default debugging is on
TravisTestRouter(config-if)#cry map ATS
TravisTestRouter(config-if)#
*Dec 6 17:21:50.943: IPSEC: Expand action denied, discard or forward packet.
*Dec 6 17:21:50.943: IPSEC: Expand action denied, discard or forward packet.
*Dec 6 17:21:50.943: IPSEC: Expand action denied, discard or forward packet.
*Dec 6 17:21:50.943: IPSEC: Expand action denied, discard or forward packet.
*Dec 6 17:21:50.943: IPSEC: Expand action denied, discard or forward packet.
*Dec 6 17:21:50.943: IPSEC: Expand action denied, notify RP
*Dec 6 17:21:50.943: IPSEC: Expand action denied, discard or forward packet.
*Dec 6 17:21:50.943: IPSEC: Expand action denied, discard or forward packet.
*Dec 6 17:21:50.943: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Dec 6 17:21:55.315: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 1.2.3.4:500, remote= 4.3.2.1:500,
    local_proxy= 10.10.0.0/255.255.0.0/256/0,
    remote_proxy= 172.16.0.0/255.240.0.0/256/0,
    protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Dec 6 17:21:55.315: IKEv2:% Getting preshared key from profile keyring L2L-Keyring
*Dec 6 17:21:55.315: IKEv2:% Matched peer block 'vpn'
*Dec 6 17:21:55.315: IKEv2:Searching Policy with fvrf 0, local address 1.2.3.4
*Dec 6 17:21:55.315: IKEv2:Found Policy 'ATS-POLICY'
*Dec 6 17:21:55.315: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 21
*Dec 6 17:21:55.407: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 6 17:21:55.407: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
*Dec 6 17:21:55.407: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
*Dec 6 17:21:55.407: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
*Dec 6 17:21:55.407: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4
 AES-CBC SHA512 SHA512 DH_GROUP_521_ECP/Group 21
*Dec 6 17:21:55.407: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 4.3.2.1:500/From 1.2.3.4:500/VRF i0:f0]
Initiator SPI : F2054F017F1CE3E8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Dec 6 17:21:55.407: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA
*Dec 6 17:21:55.415: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 4.3.2.1:500/To 1.2.3.4:500/VRF i0:f0]
Initiator SPI : F2054F017F1CE3E8 - Responder SPI : CA30A58BAA75C52A Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) VID
*Dec 6 17:21:55.415: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Dec 6 17:21:55.415: IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message
*Dec 6 17:21:55.415: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Dec 6 17:21:55.415: IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
*Dec 6 17:21:55.415: IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found
*Dec 6 17:21:55.415: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 21
*Dec 6 17:21:55.991: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 6 17:21:55.991: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret
*Dec 6 17:21:55.991: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Dec 6 17:21:55.995: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Dec 6 17:21:55.995: IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
*Dec 6 17:21:55.995: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Dec 6 17:21:55.995: IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
*Dec 6 17:21:55.995: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id DefaultL2LGroup, key len 32
*Dec 6 17:21:55.995: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Dec 6 17:21:55.995: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Dec 6 17:21:55.995: IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method
*Dec 6 17:21:55.995: IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is 'PSK'
*Dec 6 17:21:55.995: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Dec 6 17:21:55.995: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message
*Dec 6 17:21:55.995: IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: 'DefaultL2LGroup' of type 'key ID'
*Dec 6 17:21:55.995: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), Num. transforms: 3
 DES MD596 Don't use ESN
*Dec 6 17:21:55.995: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
 VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Dec 6 17:21:55.995: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 4.3.2.1:500/From 1.2.3.4:500/VRF i0:f0]
Initiator SPI : F2054F017F1CE3E8 - Responder SPI : CA30A58BAA75C52A Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR
*Dec 6 17:21:55.999: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 4.3.2.1:500/To 1.2.3.4:500/VRF i0:f0]
Initiator SPI : F2054F017F1CE3E8 - Responder SPI : CA30A58BAA75C52A Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 VID IDr AUTH NOTIFY(NO_PROPOSAL_CHOSEN)
*Dec 6 17:21:55.999: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
*Dec 6 17:21:55.999: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):
*Dec 6 17:21:56.003: IKEv2:(SESSION ID = 1,SA ID = 1):Searching policy based on peer's identity '4.3.2.1' of type 'IPv4 address'
*Dec 6 17:21:56.003: IKEv2:Searching Policy with fvrf 0, local address 1.2.3.4
*Dec 6 17:21:56.003: IKEv2:Found Policy 'ATS-POLICY'
*Dec 6 17:21:56.003: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's policy
*Dec 6 17:21:56.003: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's policy verified
*Dec 6 17:21:56.003: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's authentication method
*Dec 6 17:21:56.003: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's authentication method is 'PSK'
*Dec 6 17:21:56.003: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's preshared key for 4.3.2.1
*Dec 6 17:21:56.003: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's authentication data
*Dec 6 17:21:56.003: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 4.3.2.1, key len 32
*Dec 6 17:21:56.003: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Dec 6 17:21:56.003: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Dec 6 17:21:56.003: IKEv2:(SESSION ID = 1,SA ID = 1):Verification of peer's authenctication data PASSED
*Dec 6 17:21:56.003: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Dec 6 17:21:56.003: IKEv2:(SESSION ID = 1,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Dec 6 17:21:56.003: IKEv2:(SESSION ID = 1,SA ID = 1):Session with IKE ID PAIR (4.3.2.1, DefaultL2LGroup) is UP
*Dec 6 17:21:56.003: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Dec 6 17:21:56.003: IKEv2:(SESSION ID = 1,SA ID = 1):Checking for duplicate IKEv2 SA
*Dec 6 17:21:56.003: IKEv2:(SESSION ID = 1,SA ID = 1):No duplicate IKEv2 SA found
*Dec 6 17:21:56.003: IKEv2:(SESSION ID = 1,SA ID = 1):Queuing IKE SA delete request reason: unknown
*Dec 6 17:21:56.007: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0xF875A983]
*Dec 6 17:21:56.007: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
 DELETE
*Dec 6 17:21:56.007: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window
*Dec 6 17:21:56.007: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 4.3.2.1:500/From 1.2.3.4:500/VRF i0:f0]
Initiator SPI : F2054F017F1CE3E8 - Responder SPI : CA30A58BAA75C52A Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
 ENCR
*Dec 6 17:21:56.007: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
*Dec 6 17:21:56.007: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
*Dec 6 17:21:56.007: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IKEv2 SA [ISPI: 0xF2054F017F1CE3E8 RSPI: 0xCA30A58BAA75C52A]
*Dec 6 17:21:56.007: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
 DELETE
*Dec 6 17:21:56.007: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window
*Dec 6 17:21:56.007: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing active SA
*Dec 6 17:21:56.007: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
*Dec 6 17:21:56.007: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 4.3.2.1:500/To 1.2.3.4:500/VRF i0:f0]
Initiator SPI : F2054F017F1CE3E8 - Responder SPI : CA30A58BAA75C52A Message id: 2
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
*Dec 6 17:21:56.007: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
*Dec 6 17:21:56.007: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
*Dec 6 17:21:56.011: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
*Dec 6 17:21:56.011: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 4.3.2.1:500/From 1.2.3.4:500/VRF i0:f0]
Initiator SPI : F2054F017F1CE3E8 - Responder SPI : CA30A58BAA75C52A Message id: 3
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
 ENCR
*Dec 6 17:21:56.011: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 4.3.2.1:500/To 1.2.3.4:500/VRF i0:f0]
Initiator SPI : F2054F017F1CE3E8 - Responder SPI : CA30A58BAA75C52A Message id: 3
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
 DELETE
*Dec 6 17:21:56.011: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
*Dec 6 17:21:56.011: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA