*Feb 21 09:43:50.715: IKEv2:Received Packet [From 120.120.120.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : B6B0B6DED8C6F2F9 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Feb 21 09:43:50.735: IKEv2:(SA ID = 3):Verify SA init message
*Feb 21 09:43:50.739: IKEv2:(SA ID = 3):Insert SA
*Feb 21 09:43:50.743: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1
*Feb 21 09:43:50.743: IKEv2:Found Policy 'DMVPN-POLICY'
*Feb 21 09:43:50.747: IKEv2:(SA ID = 3):Processing IKE_SA_INIT message
*Feb 21 09:43:50.755: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:43:50.759: IKEv2:(SA ID = 3):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:43:50.763: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 21 09:43:50.763: IKEv2:(SA ID = 3):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:43:50.767: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Start PKI Session
*Feb 21 09:43:50.771: IKEv2:(SA ID = 3):[PKI -> IKEv2] Starting of PKI Session PASSED
*Feb 21 09:43:50.775: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Feb 21 09:43:50.779: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 21 09:43:50.779: IKEv2:(SA ID = 3):Request queued for computation of DH key
*Feb 21 09:43:50.787: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Feb 21 09:43:51.051: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 21 09:43:51.051: IKEv2:(SA ID = 3):Request queued for computation of DH secret
*Feb 21 09:43:51.051: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Feb 21 09:43:51.051: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Feb 21 09:43:51.055: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Feb 21 09:43:51.059: IKEv2:(SA ID = 3):Generating IKE_SA_INIT message
*Feb 21 09:43:51.059: IKEv2:(SA ID = 3):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
*Feb 21 09:43:51.067: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:43:51.067: IKEv2:(SA ID = 3):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:43:51.067: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 21 09:43:51.067: IKEv2:(SA ID = 3):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:43:51.067: IKEv2:(SA ID = 3):Sending Packet [To 120.120.120.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : B6B0B6DED8C6F2F9 - Responder SPI : 8AFB8396AE8E3867 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
*Feb 21 09:43:51.067: IKEv2:(SA ID = 3):Completed SA init exchange
*Feb 21 09:43:51.067: IKEv2:(SA ID = 3):Starting timer (30 sec) to wait for auth message
*Feb 21 09:43:51.919: IKEv2:(SA ID = 3):Received Packet [From 120.120.120.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : B6B0B6DED8C6F2F9 - Responder SPI : 8AFB8396AE8E3867 Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: VID IDi CERT CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(USE_TRANSPORT_MODE) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Feb 21 09:43:51.947: IKEv2:(SA ID = 3):Stopping timer to wait for auth message
*Feb 21 09:43:51.951: IKEv2:(SA ID = 3):Checking NAT discovery
*Feb 21 09:43:51.951: IKEv2:(SA ID = 3):NAT not found
*Feb 21 09:43:51.967: IKEv2:(SA ID = 3):Searching policy based on peer's identity 'cn=cbtme-spoke1.crypto.local' of type 'DER ASN1 DN'
*Feb 21 09:43:51.975: IKEv2:Optional profile description not updated in PSH
*Feb 21 09:43:51.975: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1
*Feb 21 09:43:51.975: IKEv2:Found Policy 'DMVPN-POLICY'
*Feb 21 09:43:51.975: IKEv2:Found matching IKEv2 profile 'DMVPN-PROF1'
*Feb 21 09:43:51.975: IKEv2:(SA ID = 3):Verify peer's policy
*Feb 21 09:43:51.975: IKEv2:(SA ID = 3):Peer's policy verified
*Feb 21 09:43:51.975: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
*Feb 21 09:43:51.975: IKEv2:(SA ID = 3):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:43:51.975: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Getting cert chain for the trustpoint my-ca
*Feb 21 09:43:51.975: IKEv2:(SA ID = 3):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
*Feb 21 09:43:51.975: IKEv2:(SA ID = 3):Get peer's authentication method
*Feb 21 09:43:51.975: IKEv2:(SA ID = 3):Peer's authentication method is 'RSA'
*Feb 21 09:43:51.975: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Validating certificate chain
*Feb 21 09:43:52.039: IKEv2:(SA ID = 3):[PKI -> IKEv2] Validation of certificate chain PASSED
*Feb 21 09:43:52.039: IKEv2:(SA ID = 3):Save pubkey
*Feb 21 09:43:52.039: IKEv2:(SA ID = 3):Verify peer's authentication data
*Feb 21 09:43:52.039: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 21 09:43:52.039: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 21 09:43:52.039: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Verify signed authenticaiton data
*Feb 21 09:43:52.055: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] Verification of signed authentication data PASSED
*Feb 21 09:43:52.055: IKEv2:(SA ID = 3):Processing INITIAL_CONTACT
*Feb 21 09:43:52.055: IKEv2:(SA ID = 3):Received valid config mode data
*Feb 21 09:43:52.055: IKEv2:Config data recieved:
*Feb 21 09:43:52.059: Config-type: Config-request
*Feb 21 09:43:52.059: Attrib type: app-version, length: 247, data: Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2014 by Cisco Systems, Inc. Compiled Thu 20-Feb-14 06:51 by prod_rel_team
*Feb 21 09:43:52.063: Attrib type: split-dns, length: 0
*Feb 21 09:43:52.063: Attrib type: banner, length: 0
*Feb 21 09:43:52.063: Attrib type: config-url, length: 0
*Feb 21 09:43:52.067: Attrib type: backup-gateway, length: 0
*Feb 21 09:43:52.067: Attrib type: def-domain, length: 0
*Feb 21 09:43:52.071: IKEv2:(SA ID = 3):Set received config mode data
*Feb 21 09:43:52.071: IKEv2:(SA ID = 3):Processing IKE_AUTH message
*Feb 21 09:43:52.071: IKEv2:KMI/verify policy/sending to IPSec: prot: 3 txfm: 12 hmac 5 flags 16370 keysize 256 IDB 0x0
*Feb 21 09:43:52.071: IPSEC(validate_proposal_request): proposal part #1
*Feb 21 09:43:52.071: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 150.150.150.1:0, remote= 120.120.120.1:0, local_proxy= 150.150.150.1/255.255.255.255/47/0, remote_proxy= 120.120.120.1/255.255.255.255/47/0, protocol= ESP, transform= NONE (Transport), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Feb 21 09:43:52.071: Crypto mapdb : proxy_match src addr : 150.150.150.1 dst addr : 120.120.120.1 protocol : 47 src port : 0 dst port : 0
*Feb 21 09:43:52.079: IKEv2:Error constructing config reply
*Feb 21 09:43:52.083: IKEv2:(SA ID = 3):Get my authentication method
*Feb 21 09:43:52.083: IKEv2:(SA ID = 3):My authentication method is 'RSA'
*Feb 21 09:43:52.083: IKEv2:(SA ID = 3):Generate my authentication data
*Feb 21 09:43:52.083: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 21 09:43:52.083: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 21 09:43:52.083: IKEv2:(SA ID = 3):Get my authentication method
*Feb 21 09:43:52.083: IKEv2:(SA ID = 3):My authentication method is 'RSA'
*Feb 21 09:43:52.083: IKEv2:(SA ID = 3):Sign authentication data
*Feb 21 09:43:52.083: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Getting private key
*Feb 21 09:43:52.083: IKEv2:(SA ID = 3):[PKI -> IKEv2] Getting of private key PASSED
*Feb 21 09:43:52.083: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Sign authentication data
*Feb 21 09:43:52.503: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
*Feb 21 09:43:52.507: IKEv2:(SA ID = 3):Authentication material has been sucessfully signed
*Feb 21 09:43:52.507: IKEv2:(SA ID = 3):Generating IKE_AUTH message
*Feb 21 09:43:52.507: IKEv2:(SA ID = 3):Constructing IDr payload: 'cn=cbtme-hub.crypto.local' of type 'DER ASN1 DN'
*Feb 21 09:43:52.507: IKEv2:(SA ID = 3):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), Num. transforms: 3 AES-CBC SHA256 Don't use ESN
*Feb 21 09:43:52.507: IKEv2:(SA ID = 3):Building packet for encryption. Payload contents: VID IDr CERT AUTH SA TSi TSr NOTIFY(USE_TRANSPORT_MODE) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Feb 21 09:43:52.507: IKEv2:(SA ID = 3):Sending Packet [To 120.120.120.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : B6B0B6DED8C6F2F9 - Responder SPI : 8AFB8396AE8E3867 Message id: 1 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR
*Feb 21 09:43:52.507: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Close PKI Session
*Feb 21 09:43:52.507: IKEv2:(SA ID = 3):[PKI -> IKEv2] Closing of PKI Session PASSED
*Feb 21 09:43:52.507: IKEv2:(SA ID = 3):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Feb 21 09:43:52.507: IKEv2:(SA ID = 3):Session with IKE ID PAIR (cn=cbtme-spoke1.crypto.local, cn=cbtme-hub.crypto.local) is UP
*Feb 21 09:43:52.507: IKEv2:IKEv2 MIB tunnel started, tunnel index 3
*Feb 21 09:43:52.507: IKEv2:(SA ID = 3):Load IPSEC key material
*Feb 21 09:43:52.507: IKEv2:(SA ID = 3):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
*Feb 21 09:43:52.511: IKEv2:(SA ID = 3):Asynchronous request queued
*Feb 21 09:43:52.515: IKEv2:(SA ID = 3):
*Feb 21 09:43:52.523: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Feb 21 09:43:52.523: Crypto mapdb : proxy_match src addr : 150.150.150.1 dst addr : 120.120.120.1 protocol : 47 src port : 0 dst port : 0
*Feb 21 09:43:52.523: IPSEC(crypto_ipsec_create_ipsec_sas): Map found Tunnel0-head-0
*Feb 21 09:43:52.535: IPSEC(create_sa): sa created, (sa) sa_dest= 150.150.150.1, sa_proto= 50, sa_spi= 0x532B357(87208791), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 55 sa_lifetime(k/sec)= (4608000/3600)
*Feb 21 09:43:52.539: IPSEC(create_sa): sa created, (sa) sa_dest= 120.120.120.1, sa_proto= 50, sa_spi= 0x5C101E7D(1544560253), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 56 sa_lifetime(k/sec)= (4608000/3600)
*Feb 21 09:43:52.539: IPSEC: Expand action denied, notify RP
*Feb 21 09:43:52.539: IKEv2:(SA ID = 3):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
*Feb 21 09:43:52.547: IKEv2:(SA ID = 3):Checking for duplicate IKEv2 SA
*Feb 21 09:43:52.551: IKEv2:(SA ID = 3):No duplicate IKEv2 SA found
*Feb 21 09:43:52.555: IKEv2:(SA ID = 3):Starting timer (8 sec) to delete negotiation context
*Feb 21 09:43:52.727: IKEv2:(SA ID = 3):Received Packet [From 120.120.120.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : B6B0B6DED8C6F2F9 - Responder SPI : 8AFB8396AE8E3867 Message id: 2 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: DELETE
*Feb 21 09:43:52.735: IKEv2:(SA ID = 3):Building packet for encryption. Payload contents: DELETE
*Feb 21 09:43:52.735: IKEv2:(SA ID = 3):Sending Packet [To 120.120.120.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : B6B0B6DED8C6F2F9 - Responder SPI : 8AFB8396AE8E3867 Message id: 2 IKEv2 INFORMATIONAL Exchange RESPONSE Payload contents: ENCR
*Feb 21 09:43:52.735: IKEv2:(SA ID = 3):Process delete request from peer
*Feb 21 09:43:52.735: IKEv2:(SA ID = 3):Processing DELETE INFO message for IKEv2 SA [ISPI: 0xB6B0B6DED8C6F2F9 RSPI: 0x8AFB8396AE8E3867]
*Feb 21 09:43:52.735: IKEv2:(SA ID = 3):Check for existing active SA
*Feb 21 09:43:52.735: IKEv2:(SA ID = 3):Delete all IKE SAs
*Feb 21 09:43:52.735: IKEv2:(SA ID = 3):Deleting SA
*Feb 21 09:43:52.735: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Feb 21 09:43:52.735: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Feb 21 09:43:52.735: IPSEC(key_engine_delete_sas): delete SA with spi 0x532B357 proto 50 for 150.150.150.1
*Feb 21 09:43:52.759: IPSEC(update_current_outbound_sa): updated peer 120.120.120.1 current outbound sa to SPI 5C101E7D
*Feb 21 09:43:52.759: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 150.150.150.1, sa_proto= 50, sa_spi= 0x532B357(87208791), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 55 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 150.150.150.1:0, remote= 120.120.120.1:0, local_proxy= 150.150.150.1/255.255.255.255/47/0, remote_proxy= 120.120.120.1/255.255.255.255/47/0
*Feb 21 09:43:52.767: IPSEC(update_current_outbound_sa): updated peer 120.120.120.1 current outbound sa to SPI 5C101E7D
*Feb 21 09:43:52.771: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 120.120.120.1, sa_proto= 50, sa_spi= 0x5C101E7D(1544560253), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 56 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 150.150.150.1:0, remote= 120.120.120.1:0, local_proxy= 150.150.150.1/255.255.255.255/47/0, remote_proxy= 120.120.120.1/255.255.255.255/47/0
*Feb 21 09:43:52.791: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Feb 21 09:43:52.795: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Feb 21 09:43:52.795: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Feb 21 09:43:54.439: IKEv2:Received Packet [From 130.130.130.1:500/To 110.110.110.1:500/VRF i0:f0] Initiator SPI : 81203DC6B50956CF - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Feb 21 09:43:54.451: IKEv2:(SA ID = 3):Verify SA init message
*Feb 21 09:43:54.451: IKEv2:(SA ID = 3):Insert SA
*Feb 21 09:43:54.459: IKEv2:Searching Policy with fvrf 0, local address 110.110.110.1
*Feb 21 09:43:54.459: IKEv2:Found Policy 'DMVPN-POLICY'
*Feb 21 09:43:54.463: IKEv2:(SA ID = 3):Processing IKE_SA_INIT message
*Feb 21 09:43:54.467: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:43:54.467: IKEv2:(SA ID = 3):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:43:54.467: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 21 09:43:54.467: IKEv2:(SA ID = 3):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:43:54.467: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Start PKI Session
*Feb 21 09:43:54.467: IKEv2:(SA ID = 3):[PKI -> IKEv2] Starting of PKI Session PASSED
*Feb 21 09:43:54.467: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Feb 21 09:43:54.467: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 21 09:43:54.467: IKEv2:(SA ID = 3):Request queued for computation of DH key
*Feb 21 09:43:54.467: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Feb 21 09:43:54.671: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 21 09:43:54.671: IKEv2:(SA ID = 3):Request queued for computation of DH secret
*Feb 21 09:43:54.671: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Feb 21 09:43:54.671: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Feb 21 09:43:54.671: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Feb 21 09:43:54.675: IKEv2:(SA ID = 3):Generating IKE_SA_INIT message
*Feb 21 09:43:54.679: IKEv2:(SA ID = 3):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
*Feb 21 09:43:54.687: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:43:54.687: IKEv2:(SA ID = 3):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:43:54.687: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 21 09:43:54.687: IKEv2:(SA ID = 3):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:43:54.687: IKEv2:(SA ID = 3):Sending Packet [To 130.130.130.1:500/From 110.110.110.1:500/VRF i0:f0] Initiator SPI : 81203DC6B50956CF - Responder SPI : BF978BEAE3F99C72 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
*Feb 21 09:43:54.687: IKEv2:(SA ID = 3):Completed SA init exchange
*Feb 21 09:43:54.687: IKEv2:(SA ID = 3):Starting timer (30 sec) to wait for auth message
*Feb 21 09:43:54.687: IKEv2:Received Packet [From 130.130.130.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : FF6FF1D332506ECA - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Feb 21 09:43:54.687: IKEv2:(SA ID = 4):Verify SA init message
*Feb 21 09:43:54.687: IKEv2:(SA ID = 4):Insert SA
*Feb 21 09:43:54.687: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1
*Feb 21 09:43:54.687: IKEv2:Found Policy 'DMVPN-POLICY'
*Feb 21 09:43:54.687: IKEv2:(SA ID = 4):Processing IKE_SA_INIT message
*Feb 21 09:43:54.687: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:43:54.687: IKEv2:(SA ID = 4):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:43:54.687: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 21 09:43:54.687: IKEv2:(SA ID = 4):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:43:54.687: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Start PKI Session
*Feb 21 09:43:54.687: IKEv2:(SA ID = 4):[PKI -> IKEv2] Starting of PKI Session PASSED
*Feb 21 09:43:54.687: IKEv2:(SA ID = 4):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Feb 21 09:43:54.687: IKEv2:(SA ID = 4):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 21 09:43:54.687: IKEv2:(SA ID = 4):Request queued for computation of DH key
*Feb 21 09:43:54.687: IKEv2:(SA ID = 4):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Feb 21 09:43:54.951: IKEv2:(SA ID = 4):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 21 09:43:54.951: IKEv2:(SA ID = 4):Request queued for computation of DH secret
*Feb 21 09:43:54.951: IKEv2:(SA ID = 4):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Feb 21 09:43:54.951: IKEv2:(SA ID = 4):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Feb 21 09:43:54.951: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Feb 21 09:43:54.951: IKEv2:(SA ID = 4):Generating IKE_SA_INIT message
*Feb 21 09:43:54.951: IKEv2:(SA ID = 4):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
*Feb 21 09:43:54.951: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:43:54.951: IKEv2:(SA ID = 4):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:43:54.951: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 21 09:43:54.951: IKEv2:(SA ID = 4):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:43:54.951: IKEv2:(SA ID = 4):Sending Packet [To 130.130.130.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : FF6FF1D332506ECA - Responder SPI : 81808A9FBBD8DDB3 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
*Feb 21 09:43:54.951: IKEv2:(SA ID = 4):Completed SA init exchange
*Feb 21 09:43:54.951: IKEv2:(SA ID = 4):Starting timer (30 sec) to wait for auth message
*Feb 21 09:43:56.607: IKEv2:(SA ID = 1):Failed to receive the AUTH msg before the timer expired
*Feb 21 09:43:56.611: IKEv2:(SA ID = 1):
*Feb 21 09:43:56.611: IKEv2:(SA ID = 1):Auth exchange failed
*Feb 21 09:43:56.615: IKEv2:(SA ID = 1):Auth exchange failed
*Feb 21 09:43:56.615: IKEv2:(SA ID = 1):Auth exchange failed
*Feb 21 09:43:56.619: IKEv2:(SA ID = 1):Abort exchange
*Feb 21 09:43:56.623: IKEv2:(SA ID = 1):Deleting SA
*Feb 21 09:43:56.631: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Feb 21 09:43:56.631: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Feb 21 09:43:57.151: IKEv2:(SA ID = 2):Failed to receive the AUTH msg before the timer expired
*Feb 21 09:43:57.151: IKEv2:(SA ID = 2):
*Feb 21 09:43:57.151: IKEv2:(SA ID = 2):Auth exchange failed
*Feb 21 09:43:57.151: IKEv2:(SA ID = 2):Auth exchange failed
*Feb 21 09:43:57.151: IKEv2:(SA ID = 2):Auth exchange failed
*Feb 21 09:43:57.151: IKEv2:(SA ID = 2):Abort exchange
*Feb 21 09:43:57.151: IKEv2:(SA ID = 2):Deleting SA
*Feb 21 09:43:57.151: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Close PKI Session
*Feb 21 09:43:57.151: IKEv2:(SA ID = 2):[PKI -> IKEv2] Closing of PKI Session PASSED
*Feb 21 09:44:00.683: IKEv2:Received Packet [From 140.140.140.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 5FDC679E182C82E7 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Feb 21 09:44:00.703: IKEv2:(SA ID = 1):Verify SA init message
*Feb 21 09:44:00.703: IKEv2:(SA ID = 1):Insert SA
*Feb 21 09:44:00.711: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1
*Feb 21 09:44:00.711: IKEv2:Found Policy 'DMVPN-POLICY'
*Feb 21 09:44:00.715: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*Feb 21 09:44:00.723: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:44:00.727: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:44:00.727: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 21 09:44:00.731: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:44:00.735: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Feb 21 09:44:00.739: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Feb 21 09:44:00.743: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Feb 21 09:44:00.743: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 21 09:44:00.747: IKEv2:(SA ID = 1):Request queued for computation of DH key
*Feb 21 09:44:00.755: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Feb 21 09:44:01.099: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 21 09:44:01.099: IKEv2:(SA ID = 1):Request queued for computation of DH secret
*Feb 21 09:44:01.099: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Feb 21 09:44:01.099: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Feb 21 09:44:01.099: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Feb 21 09:44:01.099: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
*Feb 21 09:44:01.103: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
*Feb 21 09:44:01.111: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:44:01.115: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:44:01.115: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 21 09:44:01.115: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:44:01.115: IKEv2:(SA ID = 1):Sending Packet [To 140.140.140.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 5FDC679E182C82E7 - Responder SPI : 7042DA99A1A287ED Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
*Feb 21 09:44:01.115: IKEv2:(SA ID = 1):Completed SA init exchange
*Feb 21 09:44:01.115: IKEv2:(SA ID = 1):Starting timer (30 sec) to wait for auth message
*Feb 21 09:44:01.939: IKEv2:(SA ID = 1):Received Packet [From 140.140.140.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 5FDC679E182C82E7 - Responder SPI : 7042DA99A1A287ED Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: VID IDi CERT CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Feb 21 09:44:01.971: IKEv2:(SA ID = 1):Stopping timer to wait for auth message
*Feb 21 09:44:01.975: IKEv2:(SA ID = 1):Checking NAT discovery
*Feb 21 09:44:01.983: IKEv2:(SA ID = 1):NAT not found
*Feb 21 09:44:02.007: IKEv2:(SA ID = 1):Searching policy based on peer's identity 'cn=cbtme-spoke4.crypto.local' of type 'DER ASN1 DN'
*Feb 21 09:44:02.015: IKEv2:Optional profile description not updated in PSH
*Feb 21 09:44:02.019: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1
*Feb 21 09:44:02.019: IKEv2:Found Policy 'DMVPN-POLICY'
*Feb 21 09:44:02.019: IKEv2:Found matching IKEv2 profile 'DMVPN-PROF1'
*Feb 21 09:44:02.019: IKEv2:(SA ID = 1):Verify peer's policy
*Feb 21 09:44:02.019: IKEv2:(SA ID = 1):Peer's policy verified
*Feb 21 09:44:02.019: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
*Feb 21 09:44:02.019: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:44:02.023: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint my-ca
*Feb 21 09:44:02.023: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
*Feb 21 09:44:02.023: IKEv2:(SA ID = 1):Get peer's authentication method
*Feb 21 09:44:02.023: IKEv2:(SA ID = 1):Peer's authentication method is 'RSA'
*Feb 21 09:44:02.023: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Validating certificate chain
*Feb 21 09:44:02.071: IKEv2:(SA ID = 1):[PKI -> IKEv2] Validation of certificate chain PASSED
*Feb 21 09:44:02.071: IKEv2:(SA ID = 1):Save pubkey
*Feb 21 09:44:02.087: IKEv2:(SA ID = 1):Verify peer's authentication data
*Feb 21 09:44:02.087: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 21 09:44:02.087: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 21 09:44:02.087: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Verify signed authenticaiton data
*Feb 21 09:44:02.091: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Verification of signed authentication data PASSED
*Feb 21 09:44:02.103: IKEv2:(SA ID = 1):Processing INITIAL_CONTACT
*Feb 21 09:44:02.103: IKEv2:(SA ID = 1):Received valid config mode data
*Feb 21 09:44:02.103: IKEv2:Config data recieved:
*Feb 21 09:44:02.103: Config-type: Config-request
*Feb 21 09:44:02.103: Attrib type: ipv4-dns, length: 0
*Feb 21 09:44:02.103: Attrib type: ipv4-dns, length: 0
*Feb 21 09:44:02.103: Attrib type: ipv4-nbns, length: 0
*Feb 21 09:44:02.103: Attrib type: ipv4-nbns, length: 0
*Feb 21 09:44:02.103: Attrib type: ipv4-subnet, length: 0
*Feb 21 09:44:02.103: Attrib type: app-version, length: 247, data: Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2014 by Cisco Systems, Inc. Compiled Thu 20-Feb-14 06:51 by prod_rel_team
*Feb 21 09:44:02.103: Attrib type: split-dns, length: 0
*Feb 21 09:44:02.103: Attrib type: banner, length: 0
*Feb 21 09:44:02.103: Attrib type: config-url, length: 0
*Feb 21 09:44:02.103: Attrib type: backup-gateway, length: 0
*Feb 21 09:44:02.103: Attrib type: def-domain, length: 0
*Feb 21 09:44:02.103: IKEv2:(SA ID = 1):Set received config mode data
*Feb 21 09:44:02.103: IKEv2:(SA ID = 1):Processing IKE_AUTH message
*Feb 21 09:44:02.103: IKEv2:KMI/verify policy/sending to IPSec: prot: 3 txfm: 12 hmac 5 flags 16369 keysize 256 IDB 0x0
*Feb 21 09:44:02.103: IPSEC(validate_proposal_request): proposal part #1
*Feb 21 09:44:02.103: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 150.150.150.1:0, remote= 140.140.140.1:0, local_proxy= 0.0.0.0/0.0.0.0/256/0, remote_proxy= 0.0.0.0/0.0.0.0/256/0, protocol= ESP, transform= NONE (Tunnel), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Feb 21 09:44:02.107: map_db_find_best did not find matching map
*Feb 21 09:44:02.107: IPSEC(ipsec_process_proposal): proxy identities not supported
*Feb 21 09:44:02.119: IKEv2:(SA ID = 1):There was no IPSEC policy found for received TS
*Feb 21 09:44:02.119: IKEv2:(SA ID = 1):
*Feb 21 09:44:02.127: IKEv2:(SA ID = 1):Sending TS unacceptable notify
*Feb 21 09:44:02.131: IKEv2:(SA ID = 1):Get my authentication method
*Feb 21 09:44:02.135: IKEv2:(SA ID = 1):My authentication method is 'RSA'
*Feb 21 09:44:02.135: IKEv2:(SA ID = 1):Generate my authentication data
*Feb 21 09:44:02.135: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 21 09:44:02.135: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 21 09:44:02.135: IKEv2:(SA ID = 1):Get my authentication method
*Feb 21 09:44:02.135: IKEv2:(SA ID = 1):My authentication method is 'RSA'
*Feb 21 09:44:02.135: IKEv2:(SA ID = 1):Sign authentication data
*Feb 21 09:44:02.135: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
*Feb 21 09:44:02.135: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key PASSED
*Feb 21 09:44:02.135: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication data
*Feb 21 09:44:02.687: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
*Feb 21 09:44:02.695: IKEv2:(SA ID = 1):Authentication material has been sucessfully signed
*Feb 21 09:44:02.699: IKEv2:(SA ID = 1):Generating IKE_AUTH message
*Feb 21 09:44:02.707: IKEv2:(SA ID = 1):Constructing IDr payload: 'cn=cbtme-hub.crypto.local' of type 'DER ASN1 DN'
*Feb 21 09:44:02.711: IKEv2:(SA ID = 1):Building packet for encryption. Payload contents: VID IDr CERT AUTH NOTIFY(TS_UNACCEPTABLE)
*Feb 21 09:44:02.715: IKEv2:(SA ID = 1):Sending Packet [To 140.140.140.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 5FDC679E182C82E7 - Responder SPI : 7042DA99A1A287ED Message id: 1 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR
*Feb 21 09:44:02.719: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Feb 21 09:44:02.735: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Feb 21 09:44:02.739: IKEv2:(SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Feb 21 09:44:02.747: IKEv2:(SA ID = 1):Session with IKE ID PAIR (cn=cbtme-spoke4.crypto.local, cn=cbtme-hub.crypto.local) is UP
*Feb 21 09:44:02.747: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Feb 21 09:44:02.751: IKEv2:(SA ID = 1):Checking for duplicate IKEv2 SA
*Feb 21 09:44:02.755: IKEv2:(SA ID = 1):No duplicate IKEv2 SA found
*Feb 21 09:44:02.763: IKEv2:(SA ID = 1):Starting timer (8 sec) to delete negotiation context
*Feb 21 09:44:02.915: IKEv2:(SA ID = 1):Received Packet [From 140.140.140.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 5FDC679E182C82E7 - Responder SPI : 7042DA99A1A287ED Message id: 2 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: DELETE
*Feb 21 09:44:02.935: IKEv2:(SA ID = 1):Building packet for encryption.
*Feb 21 09:44:02.975: IKEv2:(SA ID = 1):Sending Packet [To 140.140.140.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 5FDC679E182C82E7 - Responder SPI : 7042DA99A1A287ED Message id: 2 IKEv2 INFORMATIONAL Exchange RESPONSE Payload contents: ENCR
*Feb 21 09:44:02.979: IKEv2:(SA ID = 1):Process delete request from peer
*Feb 21 09:44:02.979: IKEv2:(SA ID = 1):Processing DELETE INFO message for IPsec SA [SPI: 0xC184190C]
*Feb 21 09:44:02.979: IKEv2:(SA ID = 1):Check for existing active SA
*Feb 21 09:44:03.051: IKEv2:(SA ID = 1):Received Packet [From 140.140.140.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 5FDC679E182C82E7 - Responder SPI : 7042DA99A1A287ED Message id: 3 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: DELETE
*Feb 21 09:44:03.051: IKEv2:(SA ID = 1):Building packet for encryption. Payload contents: DELETE
*Feb 21 09:44:03.051: IKEv2:(SA ID = 1):Sending Packet [To 140.140.140.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 5FDC679E182C82E7 - Responder SPI : 7042DA99A1A287ED Message id: 3 IKEv2 INFORMATIONAL Exchange RESPONSE Payload contents: ENCR
*Feb 21 09:44:03.051: IKEv2:(SA ID = 1):Process delete request from peer
*Feb 21 09:44:03.051: IKEv2:(SA ID = 1):Processing DELETE INFO message for IKEv2 SA [ISPI: 0x5FDC679E182C82E7 RSPI: 0x7042DA99A1A287ED]
*Feb 21 09:44:03.051: IKEv2:(SA ID = 1):Check for existing active SA
*Feb 21 09:44:03.051: IKEv2:(SA ID = 1):Delete all IKE SAs
*Feb 21 09:44:03.051: IKEv2:(SA ID = 1):Deleting SA
*Feb 21 09:44:20.743: IKEv2:Received Packet [From 120.120.120.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 68E19BB94208CBF3 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Feb 21 09:44:20.747: IKEv2:(SA ID = 1):Verify SA init message
*Feb 21 09:44:20.747: IKEv2:(SA ID = 1):Insert SA
*Feb 21 09:44:20.747: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1
*Feb 21 09:44:20.747: IKEv2:Found Policy 'DMVPN-POLICY'
*Feb 21 09:44:20.747: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*Feb 21 09:44:20.747: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:44:20.747: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:44:20.747: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 21 09:44:20.747: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:44:20.747: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Feb 21 09:44:20.747: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Feb 21 09:44:20.747: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Feb 21 09:44:20.747: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 21 09:44:20.747: IKEv2:(SA ID = 1):Request queued for computation of DH key
*Feb 21 09:44:20.747: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Feb 21 09:44:20.967: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 21 09:44:20.967: IKEv2:(SA ID = 1):Request queued for computation of DH secret
*Feb 21 09:44:20.967: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Feb 21 09:44:20.967: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Feb 21 09:44:20.967: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Feb 21 09:44:20.971: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
*Feb 21 09:44:20.975: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
*Feb 21 09:44:20.983: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:44:20.983: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:44:20.983: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 21 09:44:20.983: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:44:20.983: IKEv2:(SA ID = 1):Sending Packet [To 120.120.120.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 68E19BB94208CBF3 - Responder SPI : 4D407B34F8A61861 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
*Feb 21 09:44:20.983: IKEv2:(SA ID = 1):Completed SA init exchange
*Feb 21 09:44:20.983: IKEv2:(SA ID = 1):Starting timer (30 sec) to wait for auth message
*Feb 21 09:44:21.831: IKEv2:(SA ID = 1):Received Packet [From 120.120.120.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 68E19BB94208CBF3 - Responder SPI : 4D407B34F8A61861 Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: VID IDi CERT CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(USE_TRANSPORT_MODE) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Feb 21 09:44:21.843: IKEv2:(SA ID = 1):Stopping timer to wait for auth message
*Feb 21 09:44:21.843: IKEv2:(SA ID = 1):Checking NAT discovery
*Feb 21 09:44:21.843: IKEv2:(SA ID = 1):NAT not found
*Feb 21 09:44:21.859: IKEv2:(SA ID = 1):Searching policy based on peer's identity 'cn=cbtme-spoke1.crypto.local' of type 'DER ASN1 DN'
*Feb 21 09:44:21.891: IKEv2:Optional profile description not updated in PSH
*Feb 21 09:44:21.895: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1
*Feb 21 09:44:21.895: IKEv2:Found Policy 'DMVPN-POLICY'
*Feb 21
09:44:21.899: IKEv2:Found matching IKEv2 profile 'DMVPN-PROF1' *Feb 21 09:44:21.907: IKEv2:(SA ID = 1):Verify peer's policy *Feb 21 09:44:21.911: IKEv2:(SA ID = 1):Peer's policy verified *Feb 21 09:44:21.915: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es) *Feb 21 09:44:21.919: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' *Feb 21 09:44:21.923: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint my-ca *Feb 21 09:44:21.939: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED *Feb 21 09:44:21.939: IKEv2:(SA ID = 1):Get Cbtme-Hub#peer's authentication method *Feb 21 09:44:21.939: IKEv2:(SA ID = 1):Peer's authentication method is 'RSA' *Feb 21 09:44:21.939: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Validating certificate chain *Feb 21 09:44:22.031: IKEv2:(SA ID = 1):[PKI -> IKEv2] Validation of certificate chain PASSED *Feb 21 09:44:22.031: IKEv2:(SA ID = 1):Save pubkey *Feb 21 09:44:22.047: IKEv2:(SA ID = 1):Verify peer's authentication data *Feb 21 09:44:22.047: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data *Feb 21 09:44:22.047: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED *Feb 21 09:44:22.047: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Verify signed authenticaiton data *Feb 21 09:44:22.059: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Verification of signed authentication data PASSED *Feb 21 09:44:22.063: IKEv2:(SA ID = 1):Processing INITIAL_CONTACT *Feb 21 09:44:22.063: IKEv2:(SA ID = 1):Received valid config mode data *Feb 21 09:44:22.063: IKEv2:Config dat Cbtme-Hub#a recieved: *Feb 21 09:44:22.063: Config-type: Config-request *Feb 21 09:44:22.063: Attrib type: app-version, length: 247, data: Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2014 by Cisco Systems, Inc. 
Compiled Thu 20-Feb-14 06:51 by prod_rel_team *Feb 21 09:44:22.063: Attrib type: split-dns, length: 0 *Feb 21 09:44:22.063: Attrib type: banner, length: 0 *Feb 21 09:44:22.063: Attrib type: config-url, length: 0 *Feb 21 09:44:22.063: Attrib type: backup-gateway, length: 0 *Feb 21 09:44:22.063: Attrib type: def-domain, length: 0 *Feb 21 09:44:22.063: IKEv2:(SA ID = 1):Set received config mode data *Feb 21 09:44:22.063: IKEv2:(SA ID = 1):Processing IKE_AUTH message *Feb 21 09:44:22.063: IKEv2:KMI/verify policy/sending to IPSec: prot: 3 txfm: 12 hmac 5 flags 16370 keysize 256 IDB 0x0 *Feb 21 09:44:22.063: IPSEC(validate_proposal_request): propos Cbtme-Hub#al part #1 *Feb 21 09:44:22.063: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 150.150.150.1:0, remote= 120.120.120.1:0, local_proxy= 150.150.150.1/255.255.255.255/47/0, remote_proxy= 120.120.120.1/255.255.255.255/47/0, protocol= ESP, transform= NONE (Transport), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0 *Feb 21 09:44:22.071: Crypto mapdb : proxy_match src addr : 150.150.150.1 dst addr : 120.120.120.1 protocol : 47 src port : 0 dst port : 0 *Feb 21 09:44:22.079: IKEv2:Error constructing config reply *Feb 21 09:44:22.083: IKEv2:(SA ID = 1):Get my authentication method *Feb 21 09:44:22.091: IKEv2:(SA ID = 1):My authentication method is 'RSA' *Feb 21 09:44:22.095: IKEv2:(SA ID = 1):Generate my authentication data *Feb 21 09:44:22.095: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data *Feb 21 09:44:22.095: IKEv2:[Crypto Engine -> IKEv2] IKE Cbtme-Hub#v2 authentication data generation PASSED *Feb 21 09:44:22.095: IKEv2:(SA ID = 1):Get my authentication method *Feb 21 09:44:22.095: IKEv2:(SA ID = 1):My authentication method is 'RSA' *Feb 21 09:44:22.095: IKEv2:(SA ID = 1):Sign authentication data *Feb 21 09:44:22.095: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key *Feb 21 09:44:22.095: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private 
key PASSED *Feb 21 09:44:22.095: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication data *Feb 21 09:44:22.547: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED *Feb 21 09:44:22.547: IKEv2:(SA ID = 1):Authentication material has been sucessfully signed *Feb 21 09:44:22.547: IKEv2:(SA ID = 1):Generating IKE_AUTH message *Feb 21 09:44:22.547: IKEv2:(SA ID = 1):Constructing IDr payload: 'cn=cbtme-hub.crypto.local' of type 'DER ASN1 DN' *Feb 21 09:44:22.547: IKEv2:(SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), Num. transforms: 3 Cbtme-Hub# AES-CBC SHA256 Don't use ESN *Feb 21 09:44:22.547: IKEv2:(SA ID = 1):Building packet for encryption. Payload contents: VID IDr CERT AUTH SA TSi TSr NOTIFY(USE_TRANSPORT_MODE) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) *Feb 21 09:44:22.547: IKEv2:(SA ID = 1):Sending Packet [To 120.120.120.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 68E19BB94208CBF3 - Responder SPI : 4D407B34F8A61861 Message id: 1 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR *Feb 21 09:44:22.555: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session *Feb 21 09:44:22.563: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED *Feb 21 09:44:22.563: IKEv2:(SA ID = 1):IKEV2 SA created; inserting SA into database. 
SA lifetime timer (86400 sec) started *Feb 21 09:44:22.563: IKEv2:(SA ID = 1):Session with IKE ID PAIR (cn=cbtme-spoke1.crypto.local, cn=cbtme-hub.crypto.local) is UP *Feb 21 09:44:22.579: IKEv2:IKEv2 MIB tunnel started, Cbtme-Hub# tunnel index 1 *Feb 21 09:44:22.579: IKEv2:(SA ID = 1):Load IPSEC key material *Feb 21 09:44:22.579: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database *Feb 21 09:44:22.579: IKEv2:(SA ID = 1):Asynchronous request queued *Feb 21 09:44:22.579: IKEv2:(SA ID = 1): *Feb 21 09:44:22.579: IPSEC(key_engine): got a queue event with 1 KMI message(s) *Feb 21 09:44:22.579: Crypto mapdb : proxy_match src addr : 150.150.150.1 dst addr : 120.120.120.1 protocol : 47 src port : 0 dst port : 0 *Feb 21 09:44:22.579: IPSEC(crypto_ipsec_create_ipsec_sas): Map found Tunnel0-head-0 *Feb 21 09:44:22.595: IPSEC(create_sa): sa created, (sa) sa_dest= 150.150.150.1, sa_proto= 50, sa_spi= 0x829D0F87(2191331207), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 57 sa_lifetime(k/sec)= (4608000/3600) *Feb 21 09:44:22.595: IPSEC(create_sa): sa created, (sa) sa_dest= 120.120.120.1, sa_proto= 50, sa_spi= 0x3692ADFC(915582460), Cbtme-Hub# sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 58 sa_lifetime(k/sec)= (4608000/3600) *Feb 21 09:44:22.603: IPSEC: Expand action denied, notify RP *Feb 21 09:44:22.611: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED *Feb 21 09:44:22.619: IKEv2:(SA ID = 1):Checking for duplicate IKEv2 SA *Feb 21 09:44:22.619: IKEv2:(SA ID = 1):No duplicate IKEv2 SA found *Feb 21 09:44:22.619: IKEv2:(SA ID = 1):Starting timer (8 sec) to delete negotiation context *Feb 21 09:44:22.767: IKEv2:(SA ID = 1):Received Packet [From 120.120.120.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 68E19BB94208CBF3 - Responder SPI : 4D407B34F8A61861 Message id: 2 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: DELETE *Feb 21 09:44:22.787: IKEv2:(SA ID = 1):Building packet for encryption. 
Payload contents: DELETE *Feb 21 09:44:22.787: IKEv2:(SA ID = 1):Sending Packet [To 120.120.120.1:500/From 150.150.150.1:500/VRF i0:f0] I Cbtme-Hub#nitiator SPI : 68E19BB94208CBF3 - Responder SPI : 4D407B34F8A61861 Message id: 2 IKEv2 INFORMATIONAL Exchange RESPONSE Payload contents: ENCR *Feb 21 09:44:22.795: IKEv2:(SA ID = 1):Process delete request from peer *Feb 21 09:44:22.803: IKEv2:(SA ID = 1):Processing DELETE INFO message for IKEv2 SA [ISPI: 0x68E19BB94208CBF3 RSPI: 0x4D407B34F8A61861] *Feb 21 09:44:22.803: IKEv2:(SA ID = 1):Check for existing active SA *Feb 21 09:44:22.803: IKEv2:(SA ID = 1):Delete all IKE SAs *Feb 21 09:44:22.803: IKEv2:(SA ID = 1):Deleting SA *Feb 21 09:44:22.803: IPSEC(key_engine): got a queue event with 1 KMI message(s) *Feb 21 09:44:22.803: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP *Feb 21 09:44:22.803: IPSEC(key_engine_delete_sas): delete SA with spi 0x829D0F87 proto 50 for 150.150.150.1 *Feb 21 09:44:22.803: IPSEC(update_current_outbound_sa): updated peer 120.120.120.1 current outbound sa to SPI 3692ADFC *Feb 21 09:44:22.803: IPSEC(delete_sa): deleting SA, Cbtme-Hub# (sa) sa_dest= 150.150.150.1, sa_proto= 50, sa_spi= 0x829D0F87(2191331207), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 57 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 150.150.150.1:0, remote= 120.120.120.1:0, local_proxy= 150.150.150.1/255.255.255.255/47/0, remote_proxy= 120.120.120.1/255.255.255.255/47/0 *Feb 21 09:44:22.811: IPSEC(update_current_outbound_sa): updated peer 120.120.120.1 current outbound sa to SPI 3692ADFC *Feb 21 09:44:22.815: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 120.120.120.1, sa_proto= 50, sa_spi= 0x3692ADFC(915582460), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 58 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 150.150.150.1:0, remote= 120.120.120.1:0, local_proxy= 150.150.150.1/255.255.255.255/47/0, remote_proxy= 120.120.120.1/255.255.255.255/47/0 *Feb 21 09:44:22.819: IPSEC(key_engine): 
got a queue event with 1 KMI message(s) *Feb 21 09:44:22.819: IPSEC(ke Cbtme-Hub#y_engine_delete_sas): rec'd delete notify from ISAKMP *Feb 21 09:44:22.823: IPSEC(key_engine): got a queue event with 1 KMI message(s) *Feb 21 09:44:24.687: IKEv2:(SA ID = 3):Failed to receive the AUTH msg before the timer expired *Feb 21 09:44:24.691: IKEv2:(SA ID = 3): *Feb 21 09:44:24.691: IKEv2:(SA ID = 3):Auth exchange failed *Feb 21 09:44:24.695: IKEv2:(SA ID = 3):Auth exchange failed *Feb 21 09:44:24.695: IKEv2:(SA ID = 3):Auth exchange failed *Feb 21 09:44:24.703: IKEv2:(SA ID = 3):Abort exchange *Feb 21 09:44:24.703: IKEv2:(SA ID = 3):Deleting SA *Feb 21 09:44:24.711: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Close PKI Session *Feb 21 09:44:24.715: IKEv2:(SA ID = 3):[PKI -> IKEv2] Closing of PKI Session PASSED *Feb 21 09:44:24.951: IKEv2:(SA ID = 4):Failed to receive the AUTH msg before the timer expired *Feb 21 09:44:24.955: IKEv2:(SA ID = 4): *Feb 21 09:44:24.955: IKEv2:(SA ID = 4):Auth exchange failed *Feb 21 09:44:24.959: IKEv2:(SA ID = 4):Auth exchange failed Cbtme-Hub# *Feb 21 09:44:24.959: IKEv2:(SA ID = 4):Auth exchange failed *Feb 21 09:44:24.967: IKEv2:(SA ID = 4):Abort exchange *Feb 21 09:44:24.967: IKEv2:(SA ID = 4):Deleting SA *Feb 21 09:44:24.967: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Close PKI Session *Feb 21 09:44:24.967: IKEv2:(SA ID = 4):[PKI -> IKEv2] Closing of PKI Session PASSED *Feb 21 09:44:28.127: IKEv2:Received Packet [From 130.130.130.1:500/To 110.110.110.1:500/VRF i0:f0] Initiator SPI : 400647AA92567849 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) *Feb 21 09:44:28.131: IKEv2:(SA ID = 1):Verify SA init message *Feb 21 09:44:28.131: IKEv2:(SA ID = 1):Insert SA *Feb 21 09:44:28.131: IKEv2:Searching Policy with fvrf 0, local address 110.110.110.1 *Feb 21 09:44:28.131: IKEv2:Found Policy 'DMVPN-POLICY' *Feb 21 09:44:28.131: 
IKEv2:(SA ID = 1):Processing IKE_SA_INIT message Cbtme-Hub# *Feb 21 09:44:28.135: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s) *Feb 21 09:44:28.135: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' *Feb 21 09:44:28.139: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints *Feb 21 09:44:28.143: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED *Feb 21 09:44:28.147: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session *Feb 21 09:44:28.147: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED *Feb 21 09:44:28.147: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14 *Feb 21 09:44:28.147: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED *Feb 21 09:44:28.147: IKEv2:(SA ID = 1):Request queued for computation of DH key *Feb 21 09:44:28.147: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14 *Feb 21 09:44:28.383: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Co Cbtme-Hub#mputation PASSED *Feb 21 09:44:28.383: IKEv2:(SA ID = 1):Request queued for computation of DH secret *Feb 21 09:44:28.383: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA *Feb 21 09:44:28.383: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED *Feb 21 09:44:28.383: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch *Feb 21 09:44:28.383: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message *Feb 21 09:44:28.383: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. 
transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14 *Feb 21 09:44:28.383: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s) *Feb 21 09:44:28.383: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' *Feb 21 09:44:28.383: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints *Feb 21 09:44:28.383: IKEv2:(SA ID = 1):[PKI Cbtme-Hub#-> IKEv2] Getting of Public Key Hashes of trustpoints PASSED *Feb 21 09:44:28.383: IKEv2:(SA ID = 1):Sending Packet [To 130.130.130.1:500/From 110.110.110.1:500/VRF i0:f0] Initiator SPI : 400647AA92567849 - Responder SPI : F5BBCF3870261A30 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) *Feb 21 09:44:28.383: IKEv2:(SA ID = 1):Completed SA init exchange *Feb 21 09:44:28.387: IKEv2:(SA ID = 1):Starting timer (30 sec) to wait for auth message *Feb 21 09:44:28.939: IKEv2:Received Packet [From 130.130.130.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 9B5FD8A61A9E10E3 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) *Feb 21 09:44:28.959: IKEv2:(SA ID = 2):Verify SA init Cbtme-Hub# message *Feb 21 09:44:28.959: IKEv2:(SA ID = 2):Insert SA *Feb 21 09:44:28.959: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1 *Feb 21 09:44:28.959: IKEv2:Found Policy 'DMVPN-POLICY' *Feb 21 09:44:28.959: IKEv2:(SA ID = 2):Processing IKE_SA_INIT message *Feb 21 09:44:28.959: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Retrieve configured trustpoint(s) *Feb 21 09:44:28.959: IKEv2:(SA ID = 2):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' *Feb 21 09:44:28.959: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints *Feb 21 09:44:28.959: IKEv2:(SA ID = 2):[PKI -> IKEv2] Getting of Public Key Hashes of 
trustpoints PASSED *Feb 21 09:44:28.959: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Start PKI Session *Feb 21 09:44:28.959: IKEv2:(SA ID = 2):[PKI -> IKEv2] Starting of PKI Session PASSED *Feb 21 09:44:28.959: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14 *Feb 21 09:44:28.959: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] DH key Comp Cbtme-Hub#utation PASSED *Feb 21 09:44:28.959: IKEv2:(SA ID = 2):Request queued for computation of DH key *Feb 21 09:44:28.959: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14 *Feb 21 09:44:29.163: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] DH key Computation PASSED *Feb 21 09:44:29.163: IKEv2:(SA ID = 2):Request queued for computation of DH secret *Feb 21 09:44:29.163: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA *Feb 21 09:44:29.163: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED *Feb 21 09:44:29.163: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch *Feb 21 09:44:29.163: IKEv2:(SA ID = 2):Generating IKE_SA_INIT message *Feb 21 09:44:29.163: IKEv2:(SA ID = 2):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. 
transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14 *Feb 21 09:44:29.163: IKEv2:(SA ID = 2):[IKEv Cbtme-Hub#2 -> PKI] Retrieve configured trustpoint(s) *Feb 21 09:44:29.163: IKEv2:(SA ID = 2):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' *Feb 21 09:44:29.163: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints *Feb 21 09:44:29.163: IKEv2:(SA ID = 2):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED *Feb 21 09:44:29.163: IKEv2:(SA ID = 2):Sending Packet [To 130.130.130.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 9B5FD8A61A9E10E3 - Responder SPI : A16DA47E2CAED364 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) *Feb 21 09:44:29.163: IKEv2:(SA ID = 2):Completed SA init exchange *Feb 21 09:44:29.163: IKEv2:(SA ID = 2):Starting timer (30 sec) to wait for auth message *Feb 21 09:44:30.043: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=110.110 Cbtme-Hub#.110.1, prot=50, spi=0x93165353(2467713875), srcaddr=120.120.120.1, input interface=FastEthernet0/0 *Feb 21 09:44:30.747: IKEv2:Received Packet [From 140.140.140.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : F28CB09D3A3B6A15 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) *Feb 21 09:44:30.751: IKEv2:(SA ID = 3):Verify SA init message *Feb 21 09:44:30.751: IKEv2:(SA ID = 3):Insert SA *Feb 21 09:44:30.751: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1 *Feb 21 09:44:30.751: IKEv2:Found Policy 'DMVPN-POLICY' *Feb 21 09:44:30.751: IKEv2:(SA ID = 3):Processing IKE_SA_INIT message *Feb 21 09:44:30.751: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieve configured trustpoint(s) *Feb 21 09:44:30.751: IKEv2:(SA ID = 3):[PKI -> IKEv2] 
Retrieved trustpoint(s): 'my-ca' *Feb 21 09:44:30.751: IKEv2:(SA ID = 3):[IKEv2 -> Cbtme-Hub#PKI] Get Public Key Hashes of trustpoints *Feb 21 09:44:30.751: IKEv2:(SA ID = 3):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED *Feb 21 09:44:30.751: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Start PKI Session *Feb 21 09:44:30.751: IKEv2:(SA ID = 3):[PKI -> IKEv2] Starting of PKI Session PASSED *Feb 21 09:44:30.751: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14 *Feb 21 09:44:30.751: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] DH key Computation PASSED *Feb 21 09:44:30.751: IKEv2:(SA ID = 3):Request queued for computation of DH key *Feb 21 09:44:30.751: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14 *Feb 21 09:44:31.015: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] DH key Computation PASSED *Feb 21 09:44:31.015: IKEv2:(SA ID = 3):Request queued for computation of DH secret *Feb 21 09:44:31.015: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA *Feb 21 09:44:31.0 Cbtme-Hub#15: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED *Feb 21 09:44:31.015: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch *Feb 21 09:44:31.015: IKEv2:(SA ID = 3):Generating IKE_SA_INIT message *Feb 21 09:44:31.015: IKEv2:(SA ID = 3):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. 
transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14 *Feb 21 09:44:31.015: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieve configured trustpoint(s) *Feb 21 09:44:31.015: IKEv2:(SA ID = 3):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' *Feb 21 09:44:31.015: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints *Feb 21 09:44:31.015: IKEv2:(SA ID = 3):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED *Feb 21 09:44:31.015: IKEv2:(SA ID = 3):Sending Packet [To 140.140.140.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : F28CB09D3A3B6A15 - Responder SPI : B6528 Cbtme-Hub#438AE1343AB Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) *Feb 21 09:44:31.015: IKEv2:(SA ID = 3):Completed SA init exchange *Feb 21 09:44:31.015: IKEv2:(SA ID = 3):Starting timer (30 sec) to wait for auth message *Feb 21 09:44:31.967: IKEv2:(SA ID = 3):Received Packet [From 140.140.140.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : F28CB09D3A3B6A15 - Responder SPI : B6528438AE1343AB Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: VID IDi CERT CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) *Feb 21 09:44:31.987: IKEv2:(SA ID = 3):Stopping timer to wait for auth message *Feb 21 09:44:31.987: IKEv2:(SA ID = 3):Checking NAT discovery *Feb 21 09:44:31.987: IKEv2:(SA ID = 3):NAT Cbtme-Hub#not found *Feb 21 09:44:32.003: IKEv2:(SA ID = 3):Searching policy based on peer's identity 'cn=cbtme-spoke4.crypto.local' of type 'DER ASN1 DN' *Feb 21 09:44:32.019: IKEv2:Optional profile description not updated in PSH *Feb 21 09:44:32.019: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1 *Feb 21 09:44:32.019: IKEv2:Found Policy 'DMVPN-POLICY' *Feb 21 09:44:32.019: IKEv2:Found 
matching IKEv2 profile 'DMVPN-PROF1' *Feb 21 09:44:32.019: IKEv2:(SA ID = 3):Verify peer's policy *Feb 21 09:44:32.019: IKEv2:(SA ID = 3):Peer's policy verified *Feb 21 09:44:32.019: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es) *Feb 21 09:44:32.019: IKEv2:(SA ID = 3):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' *Feb 21 09:44:32.019: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Getting cert chain for the trustpoint my-ca *Feb 21 09:44:32.035: IKEv2:(SA ID = 3):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED *Feb 21 09:44:32.035: Cbtme-Hub# IKEv2:(SA ID = 3):Get peer's authentication method *Feb 21 09:44:32.035: IKEv2:(SA ID = 3):Peer's authentication method is 'RSA' *Feb 21 09:44:32.035: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Validating certificate chain *Feb 21 09:44:32.211: IKEv2:(SA ID = 3):[PKI -> IKEv2] Validation of certificate chain PASSED *Feb 21 09:44:32.215: IKEv2:(SA ID = 3):Save pubkey *Feb 21 09:44:32.239: IKEv2:(SA ID = 3):Verify peer's authentication data *Feb 21 09:44:32.239: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data *Feb 21 09:44:32.239: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED *Feb 21 09:44:32.239: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Verify signed authenticaiton data *Feb 21 09:44:32.255: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] Verification of signed authentication data PASSED *Feb 21 09:44:32.271: IKEv2:(SA ID = 3):Processing INITIAL_CONTACT *Feb 21 09:44:32.271: IKEv2:(SA ID = 3):Received valid config mode data *Feb 21 09:44:3 Cbtme-Hub#2.275: IKEv2:Config data recieved: *Feb 21 09:44:32.275: Config-type: Config-request *Feb 21 09:44:32.279: Attrib type: ipv4-dns, length: 0 *Feb 21 09:44:32.279: Attrib type: ipv4-dns, length: 0 *Feb 21 09:44:32.279: Attrib type: ipv4-nbns, length: 0 *Feb 21 09:44:32.283: Attrib type: ipv4-nbns, length: 0 *Feb 21 09:44:32.283: Attrib type: ipv4-subnet, length: 0 *Feb 21 09:44:32.283: Attrib type: 
app-version, length: 247, data: Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2014 by Cisco Systems, Inc. Compiled Thu 20-Feb-14 06:51 by prod_rel_team *Feb 21 09:44:32.287: Attrib type: split-dns, length: 0 *Feb 21 09:44:32.287: Attrib type: banner, length: 0 *Feb 21 09:44:32.291: Attrib type: config-url, length: 0 *Feb 21 09:44:32.291: Attrib type: backup-gateway, length: 0 *Feb 21 09:44:32.291: Attrib type: def-domain, length: 0 *Feb 21 09:44:32.29 Cbtme-Hub#9: IKEv2:(SA ID = 3):Set received config mode data *Feb 21 09:44:32.303: IKEv2:(SA ID = 3):Processing IKE_AUTH message *Feb 21 09:44:32.347: IKEv2:KMI/verify policy/sending to IPSec: prot: 3 txfm: 12 hmac 5 flags 16369 keysize 256 IDB 0x0 *Feb 21 09:44:32.347: IPSEC(validate_proposal_request): proposal part #1 *Feb 21 09:44:32.351: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 150.150.150.1:0, remote= 140.140.140.1:0, local_proxy= 0.0.0.0/0.0.0.0/256/0, remote_proxy= 0.0.0.0/0.0.0.0/256/0, protocol= ESP, transform= NONE (Tunnel), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0 *Feb 21 09:44:32.359: map_db_find_best did not find matching map *Feb 21 09:44:32.359: IPSEC(ipsec_process_proposal): proxy identities not supported *Feb 21 09:44:32.395: IKEv2:(SA ID = 3):There was no IPSEC policy found for received TS *Feb 21 09:44:32.395: IKEv2:(SA ID = 3): *Feb 21 09:44:32.395: IKEv2:(SA Cbtme-Hub# ID = 3):Sending TS unacceptable notify *Feb 21 09:44:32.395: IKEv2:(SA ID = 3):Get my authentication method *Feb 21 09:44:32.395: IKEv2:(SA ID = 3):My authentication method is 'RSA' *Feb 21 09:44:32.395: IKEv2:(SA ID = 3):Generate my authentication data *Feb 21 09:44:32.395: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data *Feb 21 09:44:32.395: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED 
*Feb 21 09:44:32.395: IKEv2:(SA ID = 3):Get my authentication method *Feb 21 09:44:32.395: IKEv2:(SA ID = 3):My authentication method is 'RSA' *Feb 21 09:44:32.395: IKEv2:(SA ID = 3):Sign authentication data *Feb 21 09:44:32.395: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Getting private key *Feb 21 09:44:32.395: IKEv2:(SA ID = 3):[PKI -> IKEv2] Getting of private key PASSED *Feb 21 09:44:32.395: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Sign authentication data *Feb 21 09:44:32.963: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] Signing of authenticaito Cbtme-Hub#n data PASSED *Feb 21 09:44:32.963: IKEv2:(SA ID = 3):Authentication material has been sucessfully signed *Feb 21 09:44:32.963: IKEv2:(SA ID = 3):Generating IKE_AUTH message *Feb 21 09:44:32.963: IKEv2:(SA ID = 3):Constructing IDr payload: 'cn=cbtme-hub.crypto.local' of type 'DER ASN1 DN' *Feb 21 09:44:32.963: IKEv2:(SA ID = 3):Building packet for encryption. Payload contents: VID IDr CERT AUTH NOTIFY(TS_UNACCEPTABLE) *Feb 21 09:44:32.971: IKEv2:(SA ID = 3):Sending Packet [To 140.140.140.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : F28CB09D3A3B6A15 - Responder SPI : B6528438AE1343AB Message id: 1 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR *Feb 21 09:44:32.983: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Close PKI Session *Feb 21 09:44:32.995: IKEv2:(SA ID = 3):[PKI -> IKEv2] Closing of PKI Session PASSED *Feb 21 09:44:33.003: IKEv2:(SA ID = 3):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started *Feb 21 09:44:33. 
Cbtme-Hub#011: IKEv2:(SA ID = 3):Session with IKE ID PAIR (cn=cbtme-spoke4.crypto.local, cn=cbtme-hub.crypto.local) is UP *Feb 21 09:44:33.011: IKEv2:IKEv2 MIB tunnel started, tunnel index 3 *Feb 21 09:44:33.019: IKEv2:(SA ID = 3):Checking for duplicate IKEv2 SA *Feb 21 09:44:33.023: IKEv2:(SA ID = 3):No duplicate IKEv2 SA found *Feb 21 09:44:33.023: IKEv2:(SA ID = 3):Starting timer (8 sec) to delete negotiation context *Feb 21 09:44:33.163: IKEv2:(SA ID = 3):Received Packet [From 140.140.140.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : F28CB09D3A3B6A15 - Responder SPI : B6528438AE1343AB Message id: 2 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: DELETE *Feb 21 09:44:33.183: IKEv2:(SA ID = 3):Building packet for encryption. *Feb 21 09:44:33.211: IKEv2:(SA ID = 3):Sending Packet [To 140.140.140.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : F28CB09D3A3B6A15 - Responder SPI : B6528438AE1343AB Message id: 2 IKEv2 INFORMATIONAL Exchange RESPONS Cbtme-Hub#E Payload contents: ENCR *Feb 21 09:44:33.223: IKEv2:(SA ID = 3):Process delete request from peer *Feb 21 09:44:33.227: IKEv2:(SA ID = 3):Processing DELETE INFO message for IPsec SA [SPI: 0xA2A3A3C8] *Feb 21 09:44:33.227: IKEv2:(SA ID = 3):Check for existing active SA *Feb 21 09:44:33.287: IKEv2:(SA ID = 3):Received Packet [From 140.140.140.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : F28CB09D3A3B6A15 - Responder SPI : B6528438AE1343AB Message id: 3 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: DELETE *Feb 21 09:44:33.291: IKEv2:(SA ID = 3):Building packet for encryption. 
Payload contents: DELETE
*Feb 21 09:44:33.291: IKEv2:(SA ID = 3):Sending Packet [To 140.140.140.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : F28CB09D3A3B6A15 - Responder SPI : B6528438AE1343AB Message id: 3 IKEv2 INFORMATIONAL Exchange RESPONSE Payload contents: ENCR
*Feb 21 09:44:33.291: IKEv2:(SA ID = 3):Process delete request from peer
*Feb 21 09:44:33.295: IKEv2:(SA ID = 3):Processing DELETE INFO message for IKEv2 SA [ISPI: 0xF28CB09D3A3B6A15 RSPI: 0xB6528438AE1343AB]
*Feb 21 09:44:33.295: IKEv2:(SA ID = 3):Check for existing active SA
*Feb 21 09:44:33.295: IKEv2:(SA ID = 3):Delete all IKE SAs
*Feb 21 09:44:33.307: IKEv2:(SA ID = 3):Deleting SA
*Feb 21 09:44:52.003: IPSEC(cleanup_tun_decap_oce): unlock and null out Tunnel0 tun_decap_oce 679EE17C from ident 6781E3C8
*Feb 21 09:44:52.019: IKEv2:Failed to process KMI delete SA message with error 4
*Feb 21 09:44:53.555: IKEv2:Received Packet [From 120.120.120.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 0A6DE15D67A1081F - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Feb 21 09:44:53.571: IKEv2:(SA ID = 3):Verify SA init message
*Feb 21 09:44:53.571: IKEv2:(SA ID = 3):Insert SA
*Feb 21 09:44:53.579: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1
*Feb 21 09:44:53.579: IKEv2:Found Policy 'DMVPN-POLICY'
*Feb 21 09:44:53.579: IKEv2:(SA ID = 3):Processing IKE_SA_INIT message
*Feb 21 09:44:53.579: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:44:53.579: IKEv2:(SA ID = 3):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:44:53.579: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 21 09:44:53.579: IKEv2:(SA ID = 3):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:44:53.579: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Start PKI Session
*Feb 21 09:44:53.579: IKEv2:(SA ID = 3):[PKI -> IKEv2] Starting of PKI Session PASSED
*Feb 21 09:44:53.579: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Feb 21 09:44:53.579: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 21 09:44:53.579: IKEv2:(SA ID = 3):Request queued for computation of DH key
*Feb 21 09:44:53.579: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Feb 21 09:44:53.879: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 21 09:44:53.879: IKEv2:(SA ID = 3):Request queued for computation of DH secret
*Feb 21 09:44:53.879: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Feb 21 09:44:53.879: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Feb 21 09:44:53.883: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Feb 21 09:44:53.887: IKEv2:(SA ID = 3):Generating IKE_SA_INIT message
*Feb 21 09:44:53.891: IKEv2:(SA ID = 3):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num.
transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
*Feb 21 09:44:53.895: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:44:53.895: IKEv2:(SA ID = 3):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:44:53.895: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 21 09:44:53.895: IKEv2:(SA ID = 3):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:44:53.895: IKEv2:(SA ID = 3):Sending Packet [To 120.120.120.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 0A6DE15D67A1081F - Responder SPI : 64B47A264B3C0599 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
*Feb 21 09:44:53.895: IKEv2:(SA ID = 3):Completed SA init exchange
*Feb 21 09:44:53.895: IKEv2:(SA ID = 3):Starting timer (30 sec) to wait for auth message
*Feb 21 09:44:54.759: IKEv2:(SA ID = 3):Received Packet [From 120.120.120.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 0A6DE15D67A1081F - Responder SPI : 64B47A264B3C0599 Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: VID IDi CERT CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(USE_TRANSPORT_MODE) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Feb 21 09:44:54.767: IKEv2:(SA ID = 3):Stopping timer to wait for auth message
*Feb 21 09:44:54.767: IKEv2:(SA ID = 3):Checking NAT discovery
*Feb 21 09:44:54.767: IKEv2:(SA ID = 3):NAT not found
*Feb 21 09:44:54.815: IKEv2:(SA ID = 3):Searching policy based on peer's identity 'cn=cbtme-spoke1.crypto.local' of type 'DER ASN1 DN'
*Feb 21 09:44:54.847: IKEv2:Optional profile description not updated in PSH
*Feb 21 09:44:54.847: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1
*Feb 21 09:44:54.847: IKEv2:Found Policy 'DMVPN-POLICY'
*Feb 21 09:44:54.847: IKEv2:Found matching IKEv2 profile 'DMVPN-PROF1'
*Feb 21 09:44:54.847: IKEv2:(SA ID = 3):Verify peer's policy
*Feb 21 09:44:54.847: IKEv2:(SA ID = 3):Peer's policy verified
*Feb 21 09:44:54.847: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
*Feb 21 09:44:54.847: IKEv2:(SA ID = 3):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:44:54.847: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Getting cert chain for the trustpoint my-ca
*Feb 21 09:44:54.863: IKEv2:(SA ID = 3):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
*Feb 21 09:44:54.863: IKEv2:(SA ID = 3):Get peer's authentication method
*Feb 21 09:44:54.863: IKEv2:(SA ID = 3):Peer's authentication method is 'RSA'
*Feb 21 09:44:54.879: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Validating certificate chain
*Feb 21 09:44:54.939: IKEv2:(SA ID = 3):[PKI -> IKEv2] Validation of certificate chain PASSED
*Feb 21 09:44:54.939: IKEv2:(SA ID = 3):Save pubkey
*Feb 21 09:44:54.939: IKEv2:(SA ID = 3):Verify peer's authentication data
*Feb 21 09:44:54.939: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 21 09:44:54.939: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 21 09:44:54.943: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Verify signed authenticaiton data
*Feb 21 09:44:54.955: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] Verification of signed authentication data PASSED
*Feb 21 09:44:54.967: IKEv2:(SA ID = 3):Processing INITIAL_CONTACT
*Feb 21 09:44:54.971: IKEv2:(SA ID = 3):Received valid config mode data
*Feb 21 09:44:54.971: IKEv2:Config data recieved:
*Feb 21 09:44:54.971: Config-type: Config-request
*Feb 21 09:44:54.971: Attrib type: app-version, length: 247, data: Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Thu 20-Feb-14 06:51 by prod_rel_team
*Feb 21 09:44:54.971: Attrib type: split-dns, length: 0
*Feb 21 09:44:54.971: Attrib type: banner, length: 0
*Feb 21 09:44:54.971: Attrib type: config-url, length: 0
*Feb 21 09:44:54.971: Attrib type: backup-gateway, length: 0
*Feb 21 09:44:54.971: Attrib type: def-domain, length: 0
*Feb 21 09:44:54.971: IKEv2:(SA ID = 3):Set received config mode data
*Feb 21 09:44:54.971: IKEv2:(SA ID = 3):Processing IKE_AUTH message
*Feb 21 09:44:54.971: IKEv2:KMI/verify policy/sending to IPSec: prot: 3 txfm: 12 hmac 5 flags 16370 keysize 256 IDB 0x0
*Feb 21 09:44:54.971: IPSEC(validate_proposal_request): proposal part #1
*Feb 21 09:44:54.971: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 150.150.150.1:0, remote= 120.120.120.1:0, local_proxy= 150.150.150.1/255.255.255.255/47/0, remote_proxy= 120.120.120.1/255.255.255.255/47/0, protocol= ESP, transform= NONE (Transport), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Feb 21 09:44:54.983: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
*Feb 21 09:44:54.991: Crypto mapdb : proxy_match src addr : 150.150.150.1 dst addr : 120.120.120.1 protocol : 47 src port : 0 dst port : 0
*Feb 21 09:44:54.995: IKEv2:Error constructing config reply
*Feb 21 09:44:55.003: IKEv2:(SA ID = 3):Get my authentication method
*Feb 21 09:44:55.007: IKEv2:(SA ID = 3):My authentication method is 'RSA'
*Feb 21 09:44:55.011: IKEv2:(SA ID = 3):Generate my authentication data
*Feb 21 09:44:55.015: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 21 09:44:55.019: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 21 09:44:55.023: IKEv2:(SA ID = 3):Get my authentication method
*Feb 21 09:44:55.027: IKEv2:(SA ID = 3):My authentication method is 'RSA'
*Feb 21 09:44:55.035: IKEv2:(SA ID = 3):Sign authentication data
*Feb 21 09:44:55.035: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Getting private key
*Feb 21 09:44:55.039: IKEv2:(SA ID = 3):[PKI -> IKEv2] Getting of private key PASSED
*Feb 21 09:44:55.039: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Sign authentication data
*Feb 21 09:44:55.039: IPSEC: Expand action denied, notify RP
*Feb 21 09:44:55.043: IPSEC: Expand action denied, notify RP
*Feb 21 09:44:55.043: IPSEC: Expand action denied, discard or forward packet.
*Feb 21 09:44:55.043: IPSEC: Expand action denied, discard or forward packet.
*Feb 21 09:44:55.403: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
*Feb 21 09:44:55.403: IKEv2:(SA ID = 3):Authentication material has been sucessfully signed
*Feb 21 09:44:55.403: IKEv2:(SA ID = 3):Generating IKE_AUTH message
*Feb 21 09:44:55.403: IKEv2:(SA ID = 3):Constructing IDr payload: 'cn=cbtme-hub.crypto.local' of type 'DER ASN1 DN'
*Feb 21 09:44:55.403: IKEv2:(SA ID = 3):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), Num. transforms: 3 AES-CBC SHA256 Don't use ESN
*Feb 21 09:44:55.403: IKEv2:(SA ID = 3):Building packet for encryption. Payload contents: VID IDr CERT AUTH SA TSi TSr NOTIFY(USE_TRANSPORT_MODE) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Feb 21 09:44:55.403: IKEv2:(SA ID = 3):Sending Packet [To 120.120.120.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 0A6DE15D67A1081F - Responder SPI : 64B47A264B3C0599 Message id: 1 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR
*Feb 21 09:44:55.403: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Close PKI Session
*Feb 21 09:44:55.419: IKEv2:(SA ID = 3):[PKI -> IKEv2] Closing of PKI Session PASSED
*Feb 21 09:44:55.419: IKEv2:(SA ID = 3):IKEV2 SA created; inserting SA into database.
SA lifetime timer (86400 sec) started
*Feb 21 09:44:55.419: IKEv2:(SA ID = 3):Session with IKE ID PAIR (cn=cbtme-spoke1.crypto.local, cn=cbtme-hub.crypto.local) is UP
*Feb 21 09:44:55.419: IKEv2:IKEv2 MIB tunnel started, tunnel index 3
*Feb 21 09:44:55.419: IKEv2:(SA ID = 3):Load IPSEC key material
*Feb 21 09:44:55.419: IKEv2:(SA ID = 3):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
*Feb 21 09:44:55.419: IKEv2:(SA ID = 3):Asynchronous request queued
*Feb 21 09:44:55.419: IKEv2:(SA ID = 3):
*Feb 21 09:44:55.427: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Feb 21 09:44:55.431: Crypto mapdb : proxy_match src addr : 150.150.150.1 dst addr : 120.120.120.1 protocol : 47 src port : 0 dst port : 0
*Feb 21 09:44:55.431: IPSEC(crypto_ipsec_create_ipsec_sas): Map found Tunnel0-head-0
*Feb 21 09:44:55.435: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 120.120.120.1
*Feb 21 09:44:55.435: IPSEC(crypto_ipsec_update_ident_tunnel_decap_oce): updating Tunnel0 ident 6781E3C8 with tun_decap_oce 679EE17C
*Feb 21 09:44:55.435: IPSEC(create_sa): sa created, (sa) sa_dest= 150.150.150.1, sa_proto= 50, sa_spi= 0x7DBC7D00(2109504768), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 59 sa_lifetime(k/sec)= (4608000/3600)
*Feb 21 09:44:55.435: IPSEC(create_sa): sa created, (sa) sa_dest= 120.120.120.1, sa_proto= 50, sa_spi= 0xE122F0C9(3777163465), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 60 sa_lifetime(k/sec)= (4608000/3600)
*Feb 21 09:44:55.439: IPSEC: Expand action denied, notify RP
*Feb 21 09:44:55.447: IKEv2:(SA ID = 3):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
*Feb 21 09:44:55.451: IKEv2:(SA ID = 3):Checking for duplicate IKEv2 SA
*Feb 21 09:44:55.451: IKEv2:(SA ID = 3):No duplicate IKEv2 SA found
*Feb 21 09:44:55.451: IKEv2:(SA ID = 3):Starting timer (8 sec) to delete negotiation context
*Feb 21 09:44:55.599: IKEv2:(SA ID = 3):Received Packet [From 120.120.120.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 0A6DE15D67A1081F - Responder SPI : 64B47A264B3C0599 Message id: 2 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: DELETE
*Feb 21 09:44:55.619: IKEv2:(SA ID = 3):Building packet for encryption. Payload contents: DELETE
*Feb 21 09:44:55.619: IKEv2:(SA ID = 3):Sending Packet [To 120.120.120.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 0A6DE15D67A1081F - Responder SPI : 64B47A264B3C0599 Message id: 2 IKEv2 INFORMATIONAL Exchange RESPONSE Payload contents: ENCR
*Feb 21 09:44:55.619: IKEv2:(SA ID = 3):Process delete request from peer
*Feb 21 09:44:55.619: IKEv2:(SA ID = 3):Processing DELETE INFO message for IKEv2 SA [ISPI: 0x0A6DE15D67A1081F RSPI: 0x64B47A264B3C0599]
*Feb 21 09:44:55.619: IKEv2:(SA ID = 3):Check for existing active SA
*Feb 21 09:44:55.619: IKEv2:(SA ID = 3):Delete all IKE SAs
*Feb 21 09:44:55.619: IKEv2:(SA ID = 3):Deleting SA
*Feb 21 09:44:55.623: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Feb 21 09:44:55.627: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Feb 21 09:44:55.627: IPSEC(key_engine_delete_sas): delete SA with spi 0x7DBC7D00 proto 50 for 150.150.150.1
*Feb 21 09:44:55.635: IPSEC(update_current_outbound_sa): updated peer 120.120.120.1 current outbound sa to SPI E122F0C9
*Feb 21 09:44:55.635: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 150.150.150.1, sa_proto= 50, sa_spi= 0x7DBC7D00(2109504768), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 59 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 150.150.150.1:0, remote= 120.120.120.1:0, local_proxy= 150.150.150.1/255.255.255.255/47/0, remote_proxy= 120.120.120.1/255.255.255.255/47/0
*Feb 21 09:44:55.635: IPSEC(update_current_outbound_sa): updated peer 120.120.120.1 current outbound sa to SPI E122F0C9
*Feb 21 09:44:55.635: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 120.120.120.1, sa_proto= 50, sa_spi= 0xE122F0C9(3777163465), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 60 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 150.150.150.1:0, remote= 120.120.120.1:0, local_proxy= 150.150.150.1/255.255.255.255/47/0, remote_proxy= 120.120.120.1/255.255.255.255/47/0
*Feb 21 09:44:55.635: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Feb 21 09:44:55.635: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Feb 21 09:44:55.635: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Feb 21 09:44:58.119: IKEv2:Received Packet [From 130.130.130.1:500/To 110.110.110.1:500/VRF i0:f0] Initiator SPI : 0B98823E9ACA46F0 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Feb 21 09:44:58.139: IKEv2:(SA ID = 3):Verify SA init message
*Feb 21 09:44:58.143: IKEv2:(SA ID = 3):Insert SA
*Feb 21 09:44:58.147: IKEv2:Searching Policy with fvrf 0, local address 110.110.110.1
*Feb 21 09:44:58.147: IKEv2:Found Policy 'DMVPN-POLICY'
*Feb 21 09:44:58.155: IKEv2:(SA ID = 3):Processing IKE_SA_INIT message
*Feb 21 09:44:58.159: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:44:58.163: IKEv2:(SA ID = 3):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:44:58.167: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 21 09:44:58.167: IKEv2:(SA ID = 3):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:44:58.167: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Start PKI Session
*Feb 21 09:44:58.167: IKEv2:(SA ID = 3):[PKI -> IKEv2] Starting of PKI Session PASSED
*Feb 21 09:44:58.171: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Feb 21 09:44:58.175: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 21 09:44:58.179: IKEv2:(SA ID = 3):Request queued for computation of DH key
*Feb 21 09:44:58.183: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Feb 21 09:44:58.395: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 21 09:44:58.395: IKEv2:(SA ID = 3):Request queued for computation of DH secret
*Feb 21 09:44:58.395: IKEv2:(SA ID = 1):Failed to receive the AUTH msg before the timer expired
*Feb 21 09:44:58.395: IKEv2:(SA ID = 1):
*Feb 21 09:44:58.395: IKEv2:(SA ID = 1):Auth exchange failed
*Feb 21 09:44:58.395: IKEv2:(SA ID = 1):Auth exchange failed
*Feb 21 09:44:58.395: IKEv2:(SA ID = 1):Auth exchange failed
*Feb 21 09:44:58.395: IKEv2:(SA ID = 1):Abort exchange
*Feb 21 09:44:58.395: IKEv2:(SA ID = 1):Deleting SA
*Feb 21 09:44:58.395: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Feb 21 09:44:58.395: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Feb 21 09:44:58.395: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Feb 21 09:44:58.399: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Feb 21 09:44:58.403: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Feb 21 09:44:58.407: IKEv2:(SA ID = 3):Generating IKE_SA_INIT message
*Feb 21 09:44:58.411: IKEv2:(SA ID = 3):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num.
transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
*Feb 21 09:44:58.411: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:44:58.411: IKEv2:(SA ID = 3):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:44:58.411: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 21 09:44:58.411: IKEv2:(SA ID = 3):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:44:58.411: IKEv2:(SA ID = 3):Sending Packet [To 130.130.130.1:500/From 110.110.110.1:500/VRF i0:f0] Initiator SPI : 0B98823E9ACA46F0 - Responder SPI : 7F6B6D3D05C3B952 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
*Feb 21 09:44:58.411: IKEv2:(SA ID = 3):Completed SA init exchange
*Feb 21 09:44:58.411: IKEv2:(SA ID = 3):Starting timer (30 sec) to wait for auth message
*Feb 21 09:44:58.943: IKEv2:Received Packet [From 130.130.130.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 615933BC4834B2CF - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Feb 21 09:44:58.959: IKEv2:(SA ID = 1):Verify SA init message
*Feb 21 09:44:58.959: IKEv2:(SA ID = 1):Insert SA
*Feb 21 09:44:58.959: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1
*Feb 21 09:44:58.959: IKEv2:Found Policy 'DMVPN-POLICY'
*Feb 21 09:44:58.959: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*Feb 21 09:44:58.959: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:44:58.959: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:44:58.959: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 21 09:44:58.959: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:44:58.959: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Feb 21 09:44:58.959: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Feb 21 09:44:58.959: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Feb 21 09:44:58.959: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 21 09:44:58.959: IKEv2:(SA ID = 1):Request queued for computation of DH key
*Feb 21 09:44:58.959: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Feb 21 09:44:59.191: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 21 09:44:59.191: IKEv2:(SA ID = 1):Request queued for computation of DH secret
*Feb 21 09:44:59.191: IKEv2:(SA ID = 2):Failed to receive the AUTH msg before the timer expired
*Feb 21 09:44:59.195: IKEv2:(SA ID = 2):
*Feb 21 09:44:59.195: IKEv2:(SA ID = 2):Auth exchange failed
*Feb 21 09:44:59.199: IKEv2:(SA ID = 2):Auth exchange failed
*Feb 21 09:44:59.199: IKEv2:(SA ID = 2):Auth exchange failed
*Feb 21 09:44:59.203: IKEv2:(SA ID = 2):Abort exchange
*Feb 21 09:44:59.207: IKEv2:(SA ID = 2):Deleting SA
*Feb 21 09:44:59.207: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Close PKI Session
*Feb 21 09:44:59.207: IKEv2:(SA ID = 2):[PKI -> IKEv2] Closing of PKI Session PASSED
*Feb 21 09:44:59.207: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Feb 21 09:44:59.207: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Feb 21 09:44:59.207: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Feb 21 09:44:59.207: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
*Feb 21 09:44:59.207: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num.
transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
*Feb 21 09:44:59.207: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:44:59.207: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:44:59.207: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 21 09:44:59.207: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:44:59.207: IKEv2:(SA ID = 1):Sending Packet [To 130.130.130.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 615933BC4834B2CF - Responder SPI : 2628B33273513464 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
*Feb 21 09:44:59.207: IKEv2:(SA ID = 1):Completed SA init exchange
*Feb 21 09:44:59.207: IKEv2:(SA ID = 1):Starting timer (30 sec) to wait for auth message
*Feb 21 09:45:23.619: IKEv2:Received Packet [From 120.120.120.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 814620D2C9FA8383 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Feb 21 09:45:23.639: IKEv2:(SA ID = 2):Verify SA init message
*Feb 21 09:45:23.639: IKEv2:(SA ID = 2):Insert SA
*Feb 21 09:45:23.647: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1
*Feb 21 09:45:23.647: IKEv2:Found Policy 'DMVPN-POLICY'
*Feb 21 09:45:23.651: IKEv2:(SA ID = 2):Processing IKE_SA_INIT message
*Feb 21 09:45:23.651: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:45:23.655: IKEv2:(SA ID = 2):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:45:23.655: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 21 09:45:23.655: IKEv2:(SA ID = 2):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:45:23.655: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Start PKI Session
*Feb 21 09:45:23.655: IKEv2:(SA ID = 2):[PKI -> IKEv2] Starting of PKI Session PASSED
*Feb 21 09:45:23.655: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Feb 21 09:45:23.655: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 21 09:45:23.655: IKEv2:(SA ID = 2):Request queued for computation of DH key
*Feb 21 09:45:23.655: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Feb 21 09:45:23.843: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 21 09:45:23.843: IKEv2:(SA ID = 2):Request queued for computation of DH secret
*Feb 21 09:45:23.843: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Feb 21 09:45:23.851: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Feb 21 09:45:23.855: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Feb 21 09:45:23.859: IKEv2:(SA ID = 2):Generating IKE_SA_INIT message
*Feb 21 09:45:23.859: IKEv2:(SA ID = 2):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num.
transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
*Feb 21 09:45:23.859: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:45:23.859: IKEv2:(SA ID = 2):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:45:23.859: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 21 09:45:23.859: IKEv2:(SA ID = 2):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:45:23.859: IKEv2:(SA ID = 2):Sending Packet [To 120.120.120.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 814620D2C9FA8383 - Responder SPI : AF96744EEB561576 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
*Feb 21 09:45:23.859: IKEv2:(SA ID = 2):Completed SA init exchange
*Feb 21 09:45:23.859: IKEv2:(SA ID = 2):Starting timer (30 sec) to wait for auth message
*Feb 21 09:45:24.635: IKEv2:(SA ID = 2):Received Packet [From 120.120.120.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 814620D2C9FA8383 - Responder SPI : AF96744EEB561576 Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: VID IDi CERT CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(USE_TRANSPORT_MODE) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Feb 21 09:45:24.659: IKEv2:(SA ID = 2):Stopping timer to wait for auth message
*Feb 21 09:45:24.659: IKEv2:(SA ID = 2):Checking NAT discovery
*Feb 21 09:45:24.659: IKEv2:(SA ID = 2):NAT not found
*Feb 21 09:45:24.687: IKEv2:(SA ID = 2):Searching policy based on peer's identity 'cn=cbtme-spoke1.crypto.local' of type 'DER ASN1 DN'
*Feb 21 09:45:24.695: IKEv2:Optional profile description not updated in PSH
*Feb 21 09:45:24.695: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1
*Feb 21 09:45:24.695: IKEv2:Found Policy 'DMVPN-POLICY'
*Feb 21 09:45:24.695: IKEv2:Found matching IKEv2 profile 'DMVPN-PROF1'
*Feb 21 09:45:24.695: IKEv2:(SA ID = 2):Verify peer's policy
*Feb 21 09:45:24.699: IKEv2:(SA ID = 2):Peer's policy verified
*Feb 21 09:45:24.699: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
*Feb 21 09:45:24.699: IKEv2:(SA ID = 2):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:45:24.699: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Getting cert chain for the trustpoint my-ca
*Feb 21 09:45:24.703: IKEv2:(SA ID = 2):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
*Feb 21 09:45:24.707: IKEv2:(SA ID = 2):Get peer's authentication method
*Feb 21 09:45:24.707: IKEv2:(SA ID = 2):Peer's authentication method is 'RSA'
*Feb 21 09:45:24.707: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Validating certificate chain
*Feb 21 09:45:24.783: IKEv2:(SA ID = 2):[PKI -> IKEv2] Validation of certificate chain PASSED
*Feb 21 09:45:24.783: IKEv2:(SA ID = 2):Save pubkey
*Feb 21 09:45:24.799: IKEv2:(SA ID = 2):Verify peer's authentication data
*Feb 21 09:45:24.799: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 21 09:45:24.799: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 21 09:45:24.799: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Verify signed authenticaiton data
*Feb 21 09:45:24.815: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] Verification of signed authentication data PASSED
*Feb 21 09:45:24.815: IKEv2:(SA ID = 2):Processing INITIAL_CONTACT
*Feb 21 09:45:24.823: IKEv2:(SA ID = 2):Received valid config mode data
*Feb 21 09:45:24.827: IKEv2:Config data recieved:
*Feb 21 09:45:24.827: Config-type: Config-request
*Feb 21 09:45:24.831: Attrib type: app-version, length: 247, data: Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Thu 20-Feb-14 06:51 by prod_rel_team
*Feb 21 09:45:24.831: Attrib type: split-dns, length: 0
*Feb 21 09:45:24.831: Attrib type: banner, length: 0
*Feb 21 09:45:24.831: Attrib type: config-url, length: 0
*Feb 21 09:45:24.831: Attrib type: backup-gateway, length: 0
*Feb 21 09:45:24.831: Attrib type: def-domain, length: 0
*Feb 21 09:45:24.831: IKEv2:(SA ID = 2):Set received config mode data
*Feb 21 09:45:24.831: IKEv2:(SA ID = 2):Processing IKE_AUTH message
*Feb 21 09:45:24.831: IKEv2:KMI/verify policy/sending to IPSec: prot: 3 txfm: 12 hmac 5 flags 16370 keysize 256 IDB 0x0
*Feb 21 09:45:24.831: IPSEC(validate_proposal_request): proposal part #1
*Feb 21 09:45:24.831: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 150.150.150.1:0, remote= 120.120.120.1:0, local_proxy= 150.150.150.1/255.255.255.255/47/0, remote_proxy= 120.120.120.1/255.255.255.255/47/0, protocol= ESP, transform= NONE (Transport), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Feb 21 09:45:24.835: Crypto mapdb : proxy_match src addr : 150.150.150.1 dst addr : 120.120.120.1 protocol : 47 src port : 0 dst port : 0
*Feb 21 09:45:24.839: IKEv2:Error constructing config reply
*Feb 21 09:45:24.847: IKEv2:(SA ID = 2):Get my authentication method
*Feb 21 09:45:24.851: IKEv2:(SA ID = 2):My authentication method is 'RSA'
*Feb 21 09:45:24.855: IKEv2:(SA ID = 2):Generate my authentication data
*Feb 21 09:45:24.859: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 21 09:45:24.859: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 21 09:45:24.863: IKEv2:(SA ID = 2):Get my authentication method
*Feb 21 09:45:24.863: IKEv2:(SA ID = 2):My authentication method is 'RSA'
*Feb 21 09:45:24.863: IKEv2:(SA ID = 2):Sign authentication data
*Feb 21 09:45:24.863: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Getting private key
*Feb 21 09:45:24.863: IKEv2:(SA ID = 2):[PKI -> IKEv2] Getting of private key PASSED
*Feb 21 09:45:24.863: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Sign authentication data
*Feb 21 09:45:25.271: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
*Feb 21 09:45:25.271: IKEv2:(SA ID = 2):Authentication material has been sucessfully signed
*Feb 21 09:45:25.271: IKEv2:(SA ID = 2):Generating IKE_AUTH message
*Feb 21 09:45:25.271: IKEv2:(SA ID = 2):Constructing IDr payload: 'cn=cbtme-hub.crypto.local' of type 'DER ASN1 DN'
*Feb 21 09:45:25.271: IKEv2:(SA ID = 2):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), Num. transforms: 3 AES-CBC SHA256 Don't use ESN
*Feb 21 09:45:25.271: IKEv2:(SA ID = 2):Building packet for encryption. Payload contents: VID IDr CERT AUTH SA TSi TSr NOTIFY(USE_TRANSPORT_MODE) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Feb 21 09:45:25.287: IKEv2:(SA ID = 2):Sending Packet [To 120.120.120.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 814620D2C9FA8383 - Responder SPI : AF96744EEB561576 Message id: 1 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR
*Feb 21 09:45:25.291: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Close PKI Session
*Feb 21 09:45:25.299: IKEv2:(SA ID = 2):[PKI -> IKEv2] Closing of PKI Session PASSED
*Feb 21 09:45:25.299: IKEv2:(SA ID = 2):IKEV2 SA created; inserting SA into database.
SA lifetime timer (86400 sec) started *Feb 21 09:45:25.299: IKEv2:(SA ID = 2):Session with IKE ID PAIR (cn=cbtme-spoke1.crypto.local, cn=cbtme-hub.crypto.local) is UP *Feb 21 09:45:25.299: IKEv2:IKEv2 MIB tunnel started, tunnel index 2 *Feb 21 09:45:25.307: IKEv2:( Cbtme-Hub#SA ID = 2):Load IPSEC key material *Feb 21 09:45:25.311: IKEv2:(SA ID = 2):[IKEv2 -> IPsec] Create IPsec SA into IPsec database *Feb 21 09:45:25.315: IKEv2:(SA ID = 2):Asynchronous request queued *Feb 21 09:45:25.315: IKEv2:(SA ID = 2): *Feb 21 09:45:25.315: IPSEC(key_engine): got a queue event with 1 KMI message(s) *Feb 21 09:45:25.315: Crypto mapdb : proxy_match src addr : 150.150.150.1 dst addr : 120.120.120.1 protocol : 47 src port : 0 dst port : 0 *Feb 21 09:45:25.315: IPSEC(crypto_ipsec_create_ipsec_sas): Map found Tunnel0-head-0 *Feb 21 09:45:25.327: IPSEC(create_sa): sa created, (sa) sa_dest= 150.150.150.1, sa_proto= 50, sa_spi= 0xC0FD47B4(3237824436), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 61 sa_lifetime(k/sec)= (4608000/3600) *Feb 21 09:45:25.331: IPSEC(create_sa): sa created, (sa) sa_dest= 120.120.120.1, sa_proto= 50, sa_spi= 0x4C92B1FC(1284682236), sa_trans= esp-aes 256 esp-sha256-hmac Cbtme-Hub#, sa_conn_id= 62 sa_lifetime(k/sec)= (4608000/3600) *Feb 21 09:45:25.331: IPSEC: Expand action denied, notify RP *Feb 21 09:45:25.335: IKEv2:(SA ID = 2):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED *Feb 21 09:45:25.347: IKEv2:(SA ID = 2):Checking for duplicate IKEv2 SA *Feb 21 09:45:25.347: IKEv2:(SA ID = 2):No duplicate IKEv2 SA found *Feb 21 09:45:25.347: IKEv2:(SA ID = 2):Starting timer (8 sec) to delete negotiation context *Feb 21 09:45:25.483: IKEv2:(SA ID = 2):Received Packet [From 120.120.120.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 814620D2C9FA8383 - Responder SPI : AF96744EEB561576 Message id: 2 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: DELETE *Feb 21 09:45:25.503: IKEv2:(SA ID = 2):Building packet for encryption. 
Payload contents: DELETE *Feb 21 09:45:25.519: IKEv2:(SA ID = 2):Sending Packet [To 120.120.120.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 814620D2C9FA8383 - Responder S Cbtme-Hub#PI : AF96744EEB561576 Message id: 2 IKEv2 INFORMATIONAL Exchange RESPONSE Payload contents: ENCR *Feb 21 09:45:25.531: IKEv2:(SA ID = 2):Process delete request from peer *Feb 21 09:45:25.535: IKEv2:(SA ID = 2):Processing DELETE INFO message for IKEv2 SA [ISPI: 0x814620D2C9FA8383 RSPI: 0xAF96744EEB561576] *Feb 21 09:45:25.535: IKEv2:(SA ID = 2):Check for existing active SA *Feb 21 09:45:25.535: IKEv2:(SA ID = 2):Delete all IKE SAs *Feb 21 09:45:25.535: IKEv2:(SA ID = 2):Deleting SA *Feb 21 09:45:25.535: IPSEC(key_engine): got a queue event with 1 KMI message(s) *Feb 21 09:45:25.535: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP *Feb 21 09:45:25.535: IPSEC(key_engine_delete_sas): delete SA with spi 0xC0FD47B4 proto 50 for 150.150.150.1 *Feb 21 09:45:25.535: IPSEC(update_current_outbound_sa): updated peer 120.120.120.1 current outbound sa to SPI 4C92B1FC *Feb 21 09:45:25.535: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 150.150.150.1, sa_proto= 50, Cbtme-Hub# sa_spi= 0xC0FD47B4(3237824436), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 61 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 150.150.150.1:0, remote= 120.120.120.1:0, local_proxy= 150.150.150.1/255.255.255.255/47/0, remote_proxy= 120.120.120.1/255.255.255.255/47/0 *Feb 21 09:45:25.535: IPSEC(update_current_outbound_sa): updated peer 120.120.120.1 current outbound sa to SPI 4C92B1FC *Feb 21 09:45:25.535: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 120.120.120.1, sa_proto= 50, sa_spi= 0x4C92B1FC(1284682236), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 62 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 150.150.150.1:0, remote= 120.120.120.1:0, local_proxy= 150.150.150.1/255.255.255.255/47/0, remote_proxy= 120.120.120.1/255.255.255.255/47/0 *Feb 21 09:45:25.535: IPSEC(key_engine): 
got a queue event with 1 KMI message(s) *Feb 21 09:45:25.535: IPSEC(key_engine_delete_sas): rec'd delete notify f Cbtme-Hub#rom ISAKMP *Feb 21 09:45:25.535: IPSEC(key_engine): got a queue event with 1 KMI message(s) *Feb 21 09:45:28.411: IKEv2:(SA ID = 3):Failed to receive the AUTH msg before the timer expired *Feb 21 09:45:28.415: IKEv2:(SA ID = 3): *Feb 21 09:45:28.415: IKEv2:(SA ID = 3):Auth exchange failed *Feb 21 09:45:28.419: IKEv2:(SA ID = 3):Auth exchange failed *Feb 21 09:45:28.419: IKEv2:(SA ID = 3):Auth exchange failed *Feb 21 09:45:28.423: IKEv2:(SA ID = 3):Abort exchange *Feb 21 09:45:28.427: IKEv2:(SA ID = 3):Deleting SA *Feb 21 09:45:28.435: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Close PKI Session *Feb 21 09:45:28.439: IKEv2:(SA ID = 3):[PKI -> IKEv2] Closing of PKI Session PASSED *Feb 21 09:45:29.159: IKEv2:Received Packet [From 130.130.130.1:500/To 110.110.110.1:500/VRF i0:f0] Initiator SPI : 6D4FFEBED73031EE - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DE Cbtme-Hub#TECTION_DESTINATION_IP) *Feb 21 09:45:29.175: IKEv2:(SA ID = 2):Verify SA init message *Feb 21 09:45:29.175: IKEv2:(SA ID = 2):Insert SA *Feb 21 09:45:29.175: IKEv2:Searching Policy with fvrf 0, local address 110.110.110.1 *Feb 21 09:45:29.175: IKEv2:Found Policy 'DMVPN-POLICY' *Feb 21 09:45:29.179: IKEv2:(SA ID = 2):Processing IKE_SA_INIT message *Feb 21 09:45:29.187: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Retrieve configured trustpoint(s) *Feb 21 09:45:29.191: IKEv2:(SA ID = 2):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' *Feb 21 09:45:29.191: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints *Feb 21 09:45:29.191: IKEv2:(SA ID = 2):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED *Feb 21 09:45:29.191: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Start PKI Session *Feb 21 09:45:29.191: IKEv2:(SA ID = 2):[PKI -> IKEv2] Starting of PKI Session PASSED *Feb 21 
09:45:29.191: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH public key, DH Grou Cbtme-Hub#p 14 *Feb 21 09:45:29.191: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] DH key Computation PASSED *Feb 21 09:45:29.191: IKEv2:(SA ID = 2):Request queued for computation of DH key *Feb 21 09:45:29.191: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14 *Feb 21 09:45:29.407: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] DH key Computation PASSED *Feb 21 09:45:29.407: IKEv2:(SA ID = 2):Request queued for computation of DH secret *Feb 21 09:45:29.407: IKEv2:(SA ID = 1):Failed to receive the AUTH msg before the timer expired *Feb 21 09:45:29.407: IKEv2:(SA ID = 1): *Feb 21 09:45:29.407: IKEv2:(SA ID = 1):Auth exchange failed *Feb 21 09:45:29.407: IKEv2:(SA ID = 1):Auth exchange failed *Feb 21 09:45:29.407: IKEv2:(SA ID = 1):Auth exchange failed *Feb 21 09:45:29.407: IKEv2:(SA ID = 1):Abort exchange *Feb 21 09:45:29.407: IKEv2:(SA ID = 1):Deleting SA *Feb 21 09:45:29.407: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session *Feb 21 09:45:29.407: IKEv2 Cbtme-Hub#:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED *Feb 21 09:45:29.407: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA *Feb 21 09:45:29.407: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED *Feb 21 09:45:29.407: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch *Feb 21 09:45:29.407: IKEv2:(SA ID = 2):Generating IKE_SA_INIT message *Feb 21 09:45:29.407: IKEv2:(SA ID = 2):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. 
transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14 *Feb 21 09:45:29.407: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Retrieve configured trustpoint(s) *Feb 21 09:45:29.407: IKEv2:(SA ID = 2):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' *Feb 21 09:45:29.407: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints *Feb 21 09:45:29.407: IKEv2:(SA ID = 2):[PKI -> IKEv2] Getting of Public Key Hashes of tr Cbtme-Hub#ustpoints PASSED *Feb 21 09:45:29.407: IKEv2:(SA ID = 2):Sending Packet [To 130.130.130.1:500/From 110.110.110.1:500/VRF i0:f0] Initiator SPI : 6D4FFEBED73031EE - Responder SPI : 9A4B8B5164983C6B Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) *Feb 21 09:45:29.407: IKEv2:(SA ID = 2):Completed SA init exchange *Feb 21 09:45:29.407: IKEv2:(SA ID = 2):Starting timer (30 sec) to wait for auth message *Feb 21 09:45:31.175: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=110.110.110.1, prot=50, spi=0x93165353(2467713875), srcaddr=120.120.120.1, input interface=FastEthernet0/0 *Feb 21 09:45:32.683: IKEv2:Received Packet [From 130.130.130.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 7B10C0F736162FFC - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQ Cbtme-Hub#UEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) *Feb 21 09:45:32.687: IKEv2:(SA ID = 1):Verify SA init message *Feb 21 09:45:32.687: IKEv2:(SA ID = 1):Insert SA *Feb 21 09:45:32.687: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1 *Feb 21 09:45:32.687: IKEv2:Found Policy 'DMVPN-POLICY' *Feb 21 09:45:32.687: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message *Feb 21 09:45:32.687: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s) *Feb 21 09:45:32.687: IKEv2:(SA ID = 1):[PKI -> IKEv2] 
Retrieved trustpoint(s): 'my-ca' *Feb 21 09:45:32.687: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints *Feb 21 09:45:32.687: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED *Feb 21 09:45:32.687: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session *Feb 21 09:45:32.687: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED *Feb 21 Cbtme-Hub#09:45:32.687: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14 *Feb 21 09:45:32.687: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED *Feb 21 09:45:32.687: IKEv2:(SA ID = 1):Request queued for computation of DH key *Feb 21 09:45:32.687: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14 *Feb 21 09:45:32.907: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED *Feb 21 09:45:32.907: IKEv2:(SA ID = 1):Request queued for computation of DH secret *Feb 21 09:45:32.907: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA *Feb 21 09:45:32.907: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED *Feb 21 09:45:32.907: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch *Feb 21 09:45:32.907: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message *Feb 21 09:45:32.907: IKEv2:(SA ID = 1):IKE Prop Cbtme-Hub#osal: 1, SPI size: 0 (initial negotiation), Num. 
transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14 *Feb 21 09:45:32.907: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s) *Feb 21 09:45:32.907: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' *Feb 21 09:45:32.907: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints *Feb 21 09:45:32.907: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED *Feb 21 09:45:32.907: IKEv2:(SA ID = 1):Sending Packet [To 130.130.130.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 7B10C0F736162FFC - Responder SPI : D9579ADE3749E4B1 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) *Feb 21 09:45:32.915: IKEv2:(SA ID = 1):Completed SA init exchange *Feb 21 09:45:32.919: IKEv2:(SA I Cbtme-Hub#D = 1):Starting timer (30 sec) to wait for auth message Cbtme-Hub#config        no debut *Feb 21 09:45:53.595: IKEv2:Received Packet [From 120.120.120.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 1536BF6CEFA849AF - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) *Feb 21 09:45:53.599: IKEv2:(SA ID = 3):Verify SA init message *Feb 21 09:45:53.599: IKEv2:(SA ID = 3):Insert SA *Feb 21 09:45:53.599: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1 *Feb 21 09:45:53.599: IKEv2:Found Policy 'DMVPN-POLICY' *Feb 21 09:45:53.599: IKEv2:(SA ID = 3):Processing IKE_SA_INIT message *Feb 21 09:45:53.599: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieve configured trustpoint(s) *Feb 21 09:45:53.599: IKEv2:(SA ID = 3):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' *Feb 21 09:45:53.599: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints *Feb 21 09:45:53.599: IKEv2:(SA ID = 3):[PKI -> IKEv2] G Cbtme-Hub#no 
debutetting of Public Key Hashes of trustpoints PASSED *Feb 21 09:45:53.599: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Start PKI Session *Feb 21 09:45:53.599: IKEv2:(SA ID = 3):[PKI -> IKEv2] Starting of PKI Session PASSED *Feb 21 09:45:53.599: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14 *Feb 21 09:45:53.599: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] DH key Computation PASSED *Feb 21 09:45:53.599: IKEv2:(SA ID = 3):Request queued for computation of DH key *Feb 21 09:45:53.599: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14 *Feb 21 09:45:53.815: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] DH key Computation PASSED *Feb 21 09:45:53.815: IKEv2:(SA ID = 3):Request queued for computation of DH secret *Feb 21 09:45:53.815: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA *Feb 21 09:45:53.815: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 S Cbtme-Hub#no debutA PASSED *Feb 21 09:45:53.815: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch *Feb 21 09:45:53.815: IKEv2:(SA ID = 3):Generating IKE_SA_INIT message *Feb 21 09:45:53.815: IKEv2:(SA ID = 3):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. 
transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14 *Feb 21 09:45:53.815: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieve configured trustpoint(s) *Feb 21 09:45:53.815: IKEv2:(SA ID = 3):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' *Feb 21 09:45:53.815: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints *Feb 21 09:45:53.815: IKEv2:(SA ID = 3):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED *Feb 21 09:45:53.815: IKEv2:(SA ID = 3):Sending Packet [To 120.120.120.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 1536BF6CEFA849AF - Responder SPI : DE4B5D1ABDC9EFE0 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID V Cbtme-Hub#no debut cyID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) *Feb 21 09:45:53.815: IKEv2:(SA ID = 3):Completed SA init exchange *Feb 21 09:45:53.815: IKEv2:(SA ID = 3):Starting timer (30 sec) to wait for auth message *Feb 21 09:45:54.519: IKEv2:(SA ID = 3):Received Packet [From 120.120.120.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 1536BF6CEFA849AF - Responder SPI : DE4B5D1ABDC9EFE0 Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: VID IDi CERT CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(USE_TRANSPORT_MODE) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) *Feb 21 09:45:54.531: IKEv2:(SA ID = 3):Stopping timer to wait for auth message *Feb 21 09:45:54.531: IKEv2:(SA ID = 3):Checking NAT discovery *Feb 21 09:45:54.531: IKEv2:(SA ID = 3):NAT not found *Feb 21 09:45:54.547: IKEv2:(SA ID = 3):Searching policy base Cbtme-Hub#no debut cy ryo Cbtme-Hub#no debut cryod on peer's identity 'cn=cbtme-spoke1.crypto.local' of type 'DER ASN1 DN' *Feb 21 09:45:54.547: IKEv2:Optional profile description not updated in PSH *Feb 21 09:45:54.551: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1 *Feb 21 
09:45:54.555: IKEv2:Found Policy 'DMVPN-POLICY' *Feb 21 09:45:54.555: IKEv2:Found matching IKEv2 profile 'DMVPN-PROF1' *Feb 21 09:45:54.559: IKEv2:(SA ID = 3):Verify peer's policy *Feb 21 09:45:54.559: IKEv2:(SA ID = 3):Peer's policy verified *Feb 21 09:45:54.559: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es) *Feb 21 09:45:54.559: IKEv2:(SA ID = 3):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' *Feb 21 09:45:54.559: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Getting cert chain for the trustpoint my-ca *Feb 21 09:45:54.559: IKEv2:(SA ID = 3):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED *Feb 21 09:45:54.559: IKEv2:(SA ID = 3):Get peer's authentication method *Feb 21 09:45:54.55 Cbtme-Hub#no debut cryo  9: IKEv2:(SA ID = 3):Peer's authentication method is 'RSA' *Feb 21 09:45:54.559: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Validating certificate chain *Feb 21 09:45:54.671: IKEv2:(SA ID = 3):[PKI -> IKEv2] Validation of certificate chain PASSED *Feb 21 09:45:54.671: IKEv2:(SA ID = 3):Save pubkey *Feb 21 09:45:54.675: IKEv2:(SA ID = 3):Verify peer's authentication data *Feb 21 09:45:54.679: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data *Feb 21 09:45:54.683: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED *Feb 21 09:45:54.687: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Verify signed authenticaiton data *Feb 21 09:45:54.687: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] Verification of signed authentication data PASSED *Feb 21 09:45:54.695: IKEv2:(SA ID = 3):Processing INITIAL_CONTACT *Feb 21 09:45:54.703: IKEv2:(SA ID = 3):Received valid config mode data *Feb 21 09:45:54.703: IKEv2:Config data recieved: *Feb 21 09:45:54.703: Config-type: C Cbtme-Hub#no debut cryp Cbtme-Hub#no debut cryponfig-request *Feb 21 09:45:54.703: Attrib type: app-version, length: 247, data: Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5, RELEASE SOFTWARE (fc1) Technical 
Support: http://www.cisco.com/techsupport Copyright (c) 1986-2014 by Cisco Systems, Inc. Compiled Thu 20-Feb-14 06:51 by prod_rel_team *Feb 21 09:45:54.703: Attrib type: split-dns, length: 0 *Feb 21 09:45:54.703: Attrib type: banner, length: 0 *Feb 21 09:45:54.703: Attrib type: config-url, length: 0 *Feb 21 09:45:54.703: Attrib type: backup-gateway, length: 0 *Feb 21 09:45:54.703: Attrib type: def-domain, length: 0 *Feb 21 09:45:54.703: IKEv2:(SA ID = 3):Set received config mode data *Feb 21 09:45:54.703: IKEv2:(SA ID = 3):Processing IKE_AUTH message *Feb 21 09:45:54.703: IKEv2:KMI/verify policy/sending to IPSec: prot: 3 txfm: 12 hmac 5 flags 16370 keysize 256 IDB 0x0 *Feb 21 09:45:54.703: IPSEC(validate_proposal_request): proposal part #1 *Feb 21 09:45:54.703: IPSEC(validate_ Cbtme-Hub#no debut crypto proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 150.150.150.1:0, remote= 120.120.120.1:0, local_proxy= 150.150.150.1/255.255.255.255/47/0, remote_proxy= 120.120.120.1/255.255.255.255/47/0, protocol= ESP, transform= NONE (Transport), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0 *Feb 21 09:45:54.703: Crypto mapdb : proxy_match src addr : 150.150.150.1 dst addr : 120.120.120.1 protocol : 47 src port : 0 dst port : 0 *Feb 21 09:45:54.707: IKEv2:Error constructing config reply *Feb 21 09:45:54.715: IKEv2:(SA ID = 3):Get my authentication method *Feb 21 09:45:54.715: IKEv2:(SA ID = 3):My authentication method is 'RSA' *Feb 21 09:45:54.715: IKEv2:(SA ID = 3):Generate my authentication data *Feb 21 09:45:54.715: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data *Feb 21 09:45:54.715: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED *Feb 21 Cbtme-Hub#no debut crypto ipsec 09:45:54.715: IKEv2:(SA ID = 3):Get my authentication method *Feb 21 09:45:54.715: IKEv2:(SA ID = 3):My authentication method is 'RSA' *Feb 21 09:45:54.715: IKEv2:(SA ID = 3):Sign authentication data *Feb 21 09:45:54.715: 
IKEv2:(SA ID = 3):[IKEv2 -> PKI] Getting private key *Feb 21 09:45:54.715: IKEv2:(SA ID = 3):[PKI -> IKEv2] Getting of private key PASSED *Feb 21 09:45:54.715: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Sign authentication data *Feb 21 09:45:55.091: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED *Feb 21 09:45:55.091: IKEv2:(SA ID = 3):Authentication material has been sucessfully signed *Feb 21 09:45:55.091: IKEv2:(SA ID = 3):Generating IKE_AUTH message *Feb 21 09:45:55.091: IKEv2:(SA ID = 3):Constructing IDr payload: 'cn=cbtme-hub.crypto.local' of type 'DER ASN1 DN' *Feb 21 09:45:55.091: IKEv2:(SA ID = 3):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), Num. transforms: 3 AES-CBC SHA256 Don't use ESN *Feb 21 09 Cbtme-Hub#no debut crypto ipsec ^ % Invalid input detected at '^' marker. Cbtme-Hub#:45:55.091: IKEv2:(SA ID = 3):Building packet for encryption. Payload contents: VID IDr CERT AUTH SA TSi TSr NOTIFY(USE_TRANSPORT_MODE) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) *Feb 21 09:45:55.099: IKEv2:(SA ID = 3):Sending Packet [To 120.120.120.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 1536BF6CEFA849AF - Responder SPI : DE4B5D1ABDC9EFE0 Message id: 1 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR *Feb 21 09:45:55.107: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Close PKI Session *Feb 21 09:45:55.107: IKEv2:(SA ID = 3):[PKI -> IKEv2] Closing of PKI Session PASSED *Feb 21 09:45:55.107: IKEv2:(SA ID = 3):IKEV2 SA created; inserting SA into database. 
SA lifetime timer (86400 sec) started *Feb 21 09:45:55.107: IKEv2:(SA ID = 3):Session with IKE ID PAIR (cn=cbtme-spoke1.crypto.local, cn=cbtme-hub.crypto.local) is UP *Feb 21 09:45:55.107: IKEv2:IKEv2 MIB tunnel started, tunnel index 3 *Feb 21 09:45:55.115: IKEv2:(SA Cbtme-Hub#no debut crypto ipsecID = 3):Load IPSEC key material *Feb 21 09:45:55.119: IKEv2:(SA ID = 3):[IKEv2 -> IPsec] Create IPsec SA into IPsec database *Feb 21 09:45:55.123: IKEv2:(SA ID = 3):Asynchronous request queued *Feb 21 09:45:55.123: IKEv2:(SA ID = 3): *Feb 21 09:45:55.123: IPSEC(key_engine): got a queue event with 1 KMI message(s) *Feb 21 09:45:55.123: Crypto mapdb : proxy_match src addr : 150.150.150.1 dst addr : 120.120.120.1 protocol : 47 src port : 0 dst port : 0 *Feb 21 09:45:55.123: IPSEC(crypto_ipsec_create_ipsec_sas): Map found Tunnel0-head-0 *Feb 21 09:45:55.131: IPSEC(create_sa): sa created, (sa) sa_dest= 150.150.150.1, sa_proto= 50, sa_spi= 0xB8AD2274(3098354292), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 63 sa_lifetime(k/sec)= (4608000/3600) *Feb 21 09:45:55.135: IPSEC(create_sa): sa created, (sa) sa_dest= 120.120.120.1, sa_proto= 50, sa_spi= 0xD679517D(3598274941), sa_trans= esp-aes 256 esp-sha256-hmac , s Cbtme-Hub#no debut crypto ipseca_conn_id= 64 sa_lifetime(k/sec)= (4608000/3600) *Feb 21 09:45:55.139: IPSEC: Expand action denied, notify RP *Feb 21 09:45:55.139: IKEv2:(SA ID = 3):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED *Feb 21 09:45:55.151: IKEv2:(SA ID = 3):Checking for duplicate IKEv2 SA *Feb 21 09:45:55.155: IKEv2:(SA ID = 3):No duplicate IKEv2 SA found *Feb 21 09:45:55.155: IKEv2:(SA ID = 3):Starting timer (8 sec) to delete negotiation context *Feb 21 09:45:55.243: IKEv2:(SA ID = 3):Received Packet [From 120.120.120.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 1536BF6CEFA849AF - Responder SPI : DE4B5D1ABDC9EFE0 Message id: 2 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: DELETE *Feb 21 09:45:55.263: IKEv2:(SA ID = 
3):Building packet for encryption. Payload contents: DELETE *Feb 21 09:45:55.263: IKEv2:(SA ID = 3):Sending Packet [To 120.120.120.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 1536BF6CEFA849AF - Responder SPI Cbtme-Hub#no debut crypto ipsec: DE4B5D1ABDC9EFE0 Message id: 2 IKEv2 INFORMATIONAL Exchange RESPONSE Payload contents: ENCR *Feb 21 09:45:55.263: IKEv2:(SA ID = 3):Process delete request from peer *Feb 21 09:45:55.263: IKEv2:(SA ID = 3):Processing DELETE INFO message for IKEv2 SA [ISPI: 0x1536BF6CEFA849AF RSPI: 0xDE4B5D1ABDC9EFE0] *Feb 21 09:45:55.263: IKEv2:(SA ID = 3):Check for existing active SA *Feb 21 09:45:55.263: IKEv2:(SA ID = 3):Delete all IKE SAs *Feb 21 09:45:55.263: IKEv2:(SA ID = 3):Deleting SA *Feb 21 09:45:55.279: IPSEC(key_engine): got a queue event with 1 KMI message(s) *Feb 21 09:45:55.279: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP *Feb 21 09:45:55.279: IPSEC(key_engine_delete_sas): delete SA with spi 0xB8AD2274 proto 50 for 150.150.150.1 *Feb 21 09:45:55.303: IPSEC(update_current_outbound_sa): updated peer 120.120.120.1 current outbound sa to SPI D679517D *Feb 21 09:45:55.303: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 150.150.150.1, sa_proto= 50, Cbtme-Hub#no debut crypto ipsec sa_spi= 0xB8AD2274(3098354292), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 63 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 150.150.150.1:0, remote= 120.120.120.1:0, local_proxy= 150.150.150.1/255.255.255.255/47/0, remote_proxy= 120.120.120.1/255.255.255.255/47/0 *Feb 21 09:45:55.311: IPSEC(update_current_outbound_sa): updated peer 120.120.120.1 current outbound sa to SPI D679517D *Feb 21 09:45:55.315: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 120.120.120.1, sa_proto= 50, sa_spi= 0xD679517D(3598274941), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 64 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 150.150.150.1:0, remote= 120.120.120.1:0, local_proxy= 150.150.150.1/255.255.255.255/47/0, remote_proxy= 
120.120.120.1/255.255.255.255/47/0 *Feb 21 09:45:55.335: IPSEC(key_engine): got a queue event with 1 KMI message(s) *Feb 21 09:45:55.335: IPSEC(key_engine_delete_sas): rec'd delete notify from Cbtme-Hub#no debut crypto ipsec ^ % Invalid input detected at '^' marker. Cbtme-Hub#ISAKMP *Feb 21 09:45:55.339: IPSEC(key_engine): got a queue event with 1 KMI message(s) *Feb 21 09:45:59.151: IKEv2:Received Packet [From 130.130.130.1:500/To 110.110.110.1:500/VRF i0:f0] Initiator SPI : 85BF95491F1E77DB - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) *Feb 21 09:45:59.167: IKEv2:(SA ID = 3):Verify SA init message *Feb 21 09:45:59.167: IKEv2:(SA ID = 3):Insert SA *Feb 21 09:45:59.171: IKEv2:Searching Policy with fvrf 0, local address 110.110.110.1 *Feb 21 09:45:59.171: IKEv2:Found Policy 'DMVPN-POLICY' *Feb 21 09:45:59.171: IKEv2:(SA ID = 3):Processing IKE_SA_INIT message *Feb 21 09:45:59.171: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieve configured trustpoint(s) *Feb 21 09:45:59.171: IKEv2:(SA ID = 3):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' *Feb 21 09:45:59.171: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Get Pu Cbtme-Hub#blic Key Hashes of trustpoints *Feb 21 09:45:59.171: IKEv2:(SA ID = 3):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED *Feb 21 09:45:59.171: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Start PKI Session *Feb 21 09:45:59.171: IKEv2:(SA ID = 3):[PKI -> IKEv2] Starting of PKI Session PASSED *Feb 21 09:45:59.171: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14 *Feb 21 09:45:59.171: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] DH key Computation PASSED *Feb 21 09:45:59.171: IKEv2:(SA ID = 3):Request queued for computation of DH key *Feb 21 09:45:59.171: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14 *Feb 21 09:45:59.419: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] DH 
key Computation PASSED *Feb 21 09:45:59.419: IKEv2:(SA ID = 3):Request queued for computation of DH secret *Feb 21 09:45:59.419: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA *Feb 21 09:45:59.419: IKEv2:( Cbtme-Hub#noSA ID = 3):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED *Feb 21 09:45:59.419: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch *Feb 21 09:45:59.419: IKEv2:(SA ID = 3):Generating IKE_SA_INIT message *Feb 21 09:45:59.419: IKEv2:(SA ID = 3):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14 *Feb 21 09:45:59.419: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieve configured trustpoint(s) *Feb 21 09:45:59.419: IKEv2:(SA ID = 3):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' *Feb 21 09:45:59.419: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints *Feb 21 09:45:59.419: IKEv2:(SA ID = 3):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED *Feb 21 09:45:59.419: IKEv2:(SA ID = 3):Sending Packet [To 130.130.130.1:500/From 110.110.110.1:500/VRF i0:f0] Initiator SPI : 85BF95491F1E77DB - Responder SPI : FF3E8AE60D1F6BF7 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) *Feb 21 09:45:59.419: IKEv2:(SA ID = 3):Completed SA init exchange *Feb 21 09:45:59.423: IKEv2:(SA ID = 3):Starting timer (30 sec) to wait for auth message *Feb 21 09:45:59.435: IKEv2:(SA ID = 2):Failed to receive the AUTH msg before the timer expired *Feb 21 09:45:59.435: IKEv2:(SA ID = 2): *Feb 21 09:45:59.435: IKEv2:(SA ID = 2):Auth exch Cbtme-Hub#no deb Cbtme-Hub#no debug ange failed *Feb 21 09:45:59.435: IKEv2:(SA ID = 2):Auth exchange failed *Feb 21 09:45:59.435: IKEv2:(SA ID = 2):Auth exchange failed *Feb 21 09:45:59.435: IKEv2:(SA ID = 2):Abort exchange 
*Feb 21 09:45:59.435: IKEv2:(SA ID = 2):Deleting SA *Feb 21 09:45:59.435: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Close PKI Session *Feb 21 09:45:59.435: IKEv2:(SA ID = 2):[PKI -> IKEv2] Closing of PKI Session PASSED *Feb 21 09:46:00.727: IKEv2:Received Packet [From 140.140.140.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : C787B85E1B624442 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) *Feb 21 09:46:00.747: IKEv2:(SA ID = 2):Verify SA init message *Feb 21 09:46:00.751: IKEv2:(SA ID = 2):Insert SA *Feb 21 09:46:00.755: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1 *Feb 21 09:46:00.755: IKEv2:Found Policy 'DMVPN-POLICY Cbtme-Hub#no debug cy' *Feb 21 09:46:00.763: IKEv2:(SA ID = 2):Processing IKE_SA_INIT message *Feb 21 09:46:00.767: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Retrieve configured trustpoint(s) *Feb 21 09:46:00.771: IKEv2:(SA ID = 2):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' *Feb 21 09:46:00.775: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints *Feb 21 09:46:00.775: IKEv2:(SA ID = 2):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED *Feb 21 09:46:00.779: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Start PKI Session *Feb 21 09:46:00.783: IKEv2:(SA ID = 2):[PKI -> IKEv2] Starting of PKI Session PASSED *Feb 21 09:46:00.787: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14 *Feb 21 09:46:00.791: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] DH key Computation PASSED *Feb 21 09:46:00.791: IKEv2:(SA ID = 2):Request queued for computation of DH key *Feb 21 09:46:00.791: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14 * Cbtme-Hub#no debug cy Cbtme-Hub#no debug cy r Cbtme-Hub#no debug crypto Feb 21 09:46:01.071: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] DH key Computation PASSED *Feb 21 09:46:01.071: IKEv2:(SA ID = 2):Request 
queued for computation of DH secret *Feb 21 09:46:01.071: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA *Feb 21 09:46:01.075: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED *Feb 21 09:46:01.079: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch *Feb 21 09:46:01.083: IKEv2:(SA ID = 2):Generating IKE_SA_INIT message *Feb 21 09:46:01.087: IKEv2:(SA ID = 2):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14 *Feb 21 09:46:01.087: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Retrieve configured trustpoint(s) *Feb 21 09:46:01.087: IKEv2:(SA ID = 2):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' *Feb 21 09:46:01.087: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Get Public Cbtme-Hub#no debug crypto i Key Hashes of trustpoints *Feb 21 09:46:01.087: IKEv2:(SA ID = 2):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED *Feb 21 09:46:01.087: IKEv2:(SA ID = 2):Sending Packet [To 140.140.140.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : C787B85E1B624442 - Responder SPI : 8CCFE691A2320F7C Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) *Feb 21 09:46:01.087: IKEv2:(SA ID = 2):Completed SA init exchange *Feb 21 09:46:01.087: IKEv2:(SA ID = 2):Starting timer (30 sec) to wait for auth message *Feb 21 09:46:01.991: IKEv2:(SA ID = 2):Received Packet [From 140.140.140.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : C787B85E1B624442 - Responder SPI : 8CCFE691A2320F7C Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: VID IDi CERT CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) AUTH Cbtme-Hub#no debug crypto ipsec CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) *Feb 21 
09:46:01.991: IKEv2:(SA ID = 2):Stopping timer to wait for auth message
*Feb 21 09:46:01.991: IKEv2:(SA ID = 2):Checking NAT discovery
*Feb 21 09:46:01.991: IKEv2:(SA ID = 2):NAT not found
*Feb 21 09:46:02.007: IKEv2:(SA ID = 2):Searching policy based on peer's identity 'cn=cbtme-spoke4.crypto.local' of type 'DER ASN1 DN'
*Feb 21 09:46:02.023: IKEv2:Optional profile description not updated in PSH
*Feb 21 09:46:02.023: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1
*Feb 21 09:46:02.023: IKEv2:Found Policy 'DMVPN-POLICY'
*Feb 21 09:46:02.023: IKEv2:Found matching IKEv2 profile 'DMVPN-PROF1'
*Feb 21 09:46:02.023: IKEv2:(SA ID = 2):Verify peer's policy
*Feb 21 09:46:02.023: IKEv2:(SA ID = 2):Peer's policy verified
*Feb 21 09:46:02.023: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
*Feb 21 0 Cbtme-Hub#no debug crypto ipsec Crypto IPSEC debugging is off Crypto IPSEC (detailed) debugging is off Cbtme-Hub#9:46:02.023: IKEv2:(SA ID = 2):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:46:02.023: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Getting cert chain for the trustpoint my-ca
*Feb 21 09:46:02.031: IKEv2:(SA ID = 2):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
*Feb 21 09:46:02.039: IKEv2:(SA ID = 2):Get peer's authentication method
*Feb 21 09:46:02.039: IKEv2:(SA ID = 2):Peer's authentication method is 'RSA'
*Feb 21 09:46:02.039: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Validating certificate chain
*Feb 21 09:46:02.087: IKEv2:(SA ID = 2):[PKI -> IKEv2] Validation of certificate chain PASSED
*Feb 21 09:46:02.091: IKEv2:(SA ID = 2):Save pubkey
*Feb 21 09:46:02.103: IKEv2:(SA ID = 2):Verify peer's authentication data
*Feb 21 09:46:02.103: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 21 09:46:02.103: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 21 09:46:02.103: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Cbtme-Hub#no debug crypto ipsec
Verify signed authenticaiton data
*Feb 21 09:46:02.119: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] Verification of signed authentication data PASSED
*Feb 21 09:46:02.123: IKEv2:(SA ID = 2):Processing INITIAL_CONTACT
*Feb 21 09:46:02.131: IKEv2:(SA ID = 2):Received valid config mode data
*Feb 21 09:46:02.131: IKEv2:Config data recieved:
*Feb 21 09:46:02.131: Config-type: Config-request
*Feb 21 09:46:02.131: Attrib type: ipv4-dns, length: 0
*Feb 21 09:46:02.131: Attrib type: ipv4-dns, length: 0
*Feb 21 09:46:02.131: Attrib type: ipv4-nbns, length: 0
*Feb 21 09:46:02.131: Attrib type: ipv4-nbns, length: 0
*Feb 21 09:46:02.131: Attrib type: ipv4-subnet, length: 0
*Feb 21 09:46:02.131: Attrib type: app-version, length: 247, data: Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2014 by Cisco Systems, Inc. Compiled Thu 20-Feb-14 06:51 by prod_rel_tea Cbtme-Hub#no debug crypto ikm
*Feb 21 09:46:02.131: Attrib type: split-dns, length: 0
*Feb 21 09:46:02.131: Attrib type: banner, length: 0
*Feb 21 09:46:02.131: Attrib type: config-url, length: 0
*Feb 21 09:46:02.131: Attrib type: backup-gateway, length: 0
*Feb 21 09:46:02.131: Attrib type: def-domain, length: 0
*Feb 21 09:46:02.131: IKEv2:(SA ID = 2):Set received config mode data
*Feb 21 09:46:02.131: IKEv2:(SA ID = 2):Processing IKE_AUTH message
*Feb 21 09:46:02.131: IKEv2:KMI/verify policy/sending to IPSec: prot: 3 txfm: 12 hmac 5 flags 16369 keysize 256 IDB 0x0
*Feb 21 09:46:02.131: IPSEC(validate_proposal_request): proposal part #1
*Feb 21 09:46:02.131: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.)
INBOUND local= 150.150.150.1:0, remote= 140.140.140.1:0, local_proxy= 0.0.0.0/0.0.0.0/256/0, remote_proxy= 0.0.0.0/0.0.0.0/256/0, protocol= ESP, transform= NONE (Tunnel), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Feb Cbtme-Hub#no debug crypto ikev 21 09:46:02.131: map_db_find_best did not find matching map
*Feb 21 09:46:02.135: IPSEC(ipsec_process_proposal): proxy identities not supported
*Feb 21 09:46:02.175: IKEv2:(SA ID = 2):There was no IPSEC policy found for received TS
*Feb 21 09:46:02.175: IKEv2:(SA ID = 2):
*Feb 21 09:46:02.179: IKEv2:(SA ID = 2):Sending TS unacceptable notify
*Feb 21 09:46:02.187: IKEv2:(SA ID = 2):Get my authentication method
*Feb 21 09:46:02.191: IKEv2:(SA ID = 2):My authentication method is 'RSA'
*Feb 21 09:46:02.195: IKEv2:(SA ID = 2):Generate my authentication data
*Feb 21 09:46:02.199: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 21 09:46:02.203: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 21 09:46:02.207: IKEv2:(SA ID = 2):Get my authentication method
*Feb 21 09:46:02.211: IKEv2:(SA ID = 2):My authentication method is 'RSA'
*Feb 21 09:46:02.219: IKEv2:(SA ID = 2):Sign authentication data
*Feb 21 09:46:02.219: IKEv2:(SA Cbtme-Hub#no debug crypto ikev2 ID = 2):[IKEv2 -> PKI] Getting private key
*Feb 21 09:46:02.219: IKEv2:(SA ID = 2):[PKI -> IKEv2] Getting of private key PASSED
*Feb 21 09:46:02.219: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Sign authentication data
*Feb 21 09:46:02.823: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
*Feb 21 09:46:02.823: IKEv2:Received Packet [From 130.130.130.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : F7F1C641B1EDBA6B - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Feb 21 09:46:02.823: IKEv2:(SA ID = 4):Verify SA init message
*Feb 21 09:46:02.823: IKEv2:(SA ID = 4):Insert SA
*Feb 21 09:46:02.827: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1
*Feb 21 09:46:02.827: IKEv2:Found Policy 'DMVPN-POLICY'
*Feb 21 09:46:02.835: IKEv2:(SA ID = 4):Processing IKE_SA_INIT message
*Feb 21 Cbtme-Hub#no debug crypto ikev2 09:46:02.839: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:46:02.843: IKEv2:(SA ID = 4):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:46:02.843: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 21 09:46:02.843: IKEv2:(SA ID = 4):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:46:02.847: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Start PKI Session
*Feb 21 09:46:02.847: IKEv2:(SA ID = 4):[PKI -> IKEv2] Starting of PKI Session PASSED
*Feb 21 09:46:02.847: IKEv2:(SA ID = 4):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Feb 21 09:46:02.847: IKEv2:(SA ID = 4):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 21 09:46:02.847: IKEv2:(SA ID = 4):Request queued for computation of DH key
*Feb 21 09:46:02.847: IKEv2:(SA ID = 4):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Feb 21 09:46:03.099: IKEv2:(SA ID = 4):[Crypto Engine -> IKEv2] DH key Computation Cbtme-Hub#no debug crypto ikev2 PASSED
*Feb 21 09:46:03.103: IKEv2:(SA ID = 4):Request queued for computation of DH secret
*Feb 21 09:46:03.103: IKEv2:(SA ID = 1):Failed to receive the AUTH msg before the timer expired
*Feb 21 09:46:03.103: IKEv2:(SA ID = 1):
*Feb 21 09:46:03.103: IKEv2:(SA ID = 1):Auth exchange failed
*Feb 21 09:46:03.103: IKEv2:(SA ID = 1):Auth exchange failed
*Feb 21 09:46:03.103: IKEv2:(SA ID = 1):Auth exchange failed
*Feb 21 09:46:03.103: IKEv2:(SA ID = 1):Abort exchange
*Feb 21 09:46:03.103: IKEv2:(SA ID = 1):Deleting SA
*Feb 21 09:46:03.103: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Feb 21 09:46:03.103: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Feb 21 09:46:03.103: IKEv2:(SA ID = 4):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Feb 21 09:46:03.103: IKEv2:(SA ID = 4):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Feb 21 09:46:03.103: IKEv2:IKEv2 responder - no config data to sen Cbtme-Hub#no debug crypto ikev2d in IKE_SA_INIT exch
*Feb 21 09:46:03.103: IKEv2:(SA ID = 4):Generating IKE_SA_INIT message
*Feb 21 09:46:03.103: IKEv2:(SA ID = 4):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
*Feb 21 09:46:03.103: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:46:03.103: IKEv2:(SA ID = 4):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:46:03.103: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 21 09:46:03.103: IKEv2:(SA ID = 4):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:46:03.103: IKEv2:(SA ID = 4):Sending Packet [To 130.130.130.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : F7F1C641B1EDBA6B - Responder SPI : 5D219CE5698CB488 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTR Cbtme-Hub#no debug crypto ikev2EQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
*Feb 21 09:46:03.103: IKEv2:(SA ID = 4):Completed SA init exchange
*Feb 21 09:46:03.107: IKEv2:(SA ID = 4):Starting timer (30 sec) to wait for auth message
*Feb 21 09:46:03.115: IKEv2:(SA ID = 2):Authentication material has been sucessfully signed
*Feb 21 09:46:03.119: IKEv2:(SA ID = 2):Generating IKE_AUTH message
*Feb 21 09:46:03.119: IKEv2:(SA ID = 2):Constructing IDr payload: 'cn=cbtme-hub.crypto.local' of type 'DER ASN1 DN'
*Feb 21 09:46:03.119: IKEv2:(SA ID = 2):Building packet for encryption.
Payload contents: VID IDr CERT AUTH NOTIFY(TS_UNACCEPTABLE)
*Feb 21 09:46:03.119: IKEv2:(SA ID = 2):Sending Packet [To 140.140.140.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : C787B85E1B624442 - Responder SPI : 8CCFE691A2320F7C Message id: 1 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR
*Feb 21 09:46:03.119: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Close PKI Session
*Feb 21 09:46:03.119: IKEv2:(SA ID = 2):[PK Cbtme-Hub#no debug crypto ikev2I -> IKEv2] Closing of PKI Session PASSED
*Feb 21 09:46:03.127: IKEv2:(SA ID = 2):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Feb 21 09:46:03.135: IKEv2:(SA ID = 2):Session with IKE ID PAIR (cn=cbtme-spoke4.crypto.local, cn=cbtme-hub.crypto.local) is UP
*Feb 21 09:46:03.135: IKEv2:IKEv2 MIB tunnel started, tunnel index 2
*Feb 21 09:46:03.135: IKEv2:(SA ID = 2):Checking for duplicate IKEv2 SA
*Feb 21 09:46:03.135: IKEv2:(SA ID = 2):No duplicate IKEv2 SA found
*Feb 21 09:46:03.135: IKEv2:(SA ID = 2):Starting timer (8 sec) to delete negotiation context
*Feb 21 09:46:03.275: IKEv2:(SA ID = 2):Received Packet [From 140.140.140.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : C787B85E1B624442 - Responder SPI : 8CCFE691A2320F7C Message id: 2 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: DELETE
*Feb 21 09:46:03.275: IKEv2:(SA ID = 2):Building packet for encryption.
*Feb 21 09:46:03.275: IKEv2:(SA ID = 2):Sending Cbtme-Hub#no debug crypto ikev2 Packet [To 140.140.140.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : C787B85E1B624442 - Responder SPI : 8CCFE691A2320F7C Message id: 2 IKEv2 INFORMATIONAL Exchange RESPONSE Payload contents: ENCR
*Feb 21 09:46:03.275: IKEv2:(SA ID = 2):Process delete request from peer
*Feb 21 09:46:03.275: IKEv2:(SA ID = 2):Processing DELETE INFO message for IPsec SA [SPI: 0x2A8F9C44]
*Feb 21 09:46:03.275: IKEv2:(SA ID = 2):Check for existing active SA
*Feb 21 09:46:03.335: IKEv2:(SA ID = 2):Received Packet [From 140.140.140.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : C787B85E1B624442 - Responder SPI : 8CCFE691A2320F7C Message id: 3 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: DELETE
*Feb 21 09:46:03.339: IKEv2:(SA ID = 2):Building packet for encryption. Payload contents: DELETE
*Feb 21 09:46:03.339: IKEv2:(SA ID = 2):Sending Packet [To 140.140.140.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : C787B85E1B624442 - Respond Cbtme-Hub#no debug crypto ikev2er SPI : 8CCFE691A2320F7C Message id: 3 IKEv2 INFORMATIONAL Exchange RESPONSE Payload contents: ENCR
*Feb 21 09:46:03.339: IKEv2:(SA ID = 2):Process delete request from peer
*Feb 21 09:46:03.339: IKEv2:(SA ID = 2):Processing DELETE INFO message for IKEv2 SA [ISPI: 0xC787B85E1B624442 RSPI: 0x8CCFE691A2320F7C]
*Feb 21 09:46:03.339: IKEv2:(SA ID = 2):Check for existing active SA
*Feb 21 09:46:03.339: IKEv2:(SA ID = 2):Delete all IKE SAs
*Feb 21 09:46:03.339: IKEv2:(SA ID = 2):Deleting SA
*Feb 21 09:46:23.579: IKEv2:Received Packet [From 120.120.120.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 8CAB66C7691CA5BA - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Feb 21 09:46:23.583: IKEv2:(SA ID = 1):Verify SA init message
*Feb 21 09:46:23.583: IKEv2:(SA ID = 1):Insert SA
*Feb 21
09:46:23.591: IKEv2:Searching Policy Cbtme-Hub#no debug crypto ikev2 with fvrf 0, local address 150.150.150.1
*Feb 21 09:46:23.591: IKEv2:Found Policy 'DMVPN-POLICY'
*Feb 21 09:46:23.595: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*Feb 21 09:46:23.599: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:46:23.599: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:46:23.599: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 21 09:46:23.599: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:46:23.599: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Feb 21 09:46:23.599: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Feb 21 09:46:23.599: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Feb 21 09:46:23.599: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 21 09:46:23.599: IKEv2:(SA ID = 1):Request queued for computation of DH key
*Feb 21 Cbtme-Hub#no debug crypto ikev2 09:46:23.599: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Feb 21 09:46:23.875: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 21 09:46:23.875: IKEv2:(SA ID = 1):Request queued for computation of DH secret
*Feb 21 09:46:23.875: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Feb 21 09:46:23.883: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Feb 21 09:46:23.887: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Feb 21 09:46:23.891: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
*Feb 21 09:46:23.891: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num.
transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
*Feb 21 09:46:23.891: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:46:23.891: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retri Cbtme-Hub#no debug crypto ikev2eved trustpoint(s): 'my-ca'
*Feb 21 09:46:23.891: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 21 09:46:23.895: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:46:23.899: IKEv2:(SA ID = 1):Sending Packet [To 120.120.120.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 8CAB66C7691CA5BA - Responder SPI : 808A4D3B58B307E4 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
*Feb 21 09:46:23.907: IKEv2:(SA ID = 1):Completed SA init exchange
*Feb 21 09:46:23.911: IKEv2:(SA ID = 1):Starting timer (30 sec) to wait for auth message
*Feb 21 09:46:24.659: IKEv2:(SA ID = 1):Received Packet [From 120.120.120.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 8CAB66C7691CA5BA - Responder SPI : 808A4D3B58B307E4 Message id: 1 IKEv2 IKE_AUTH Exch Cbtme-Hub#no debug crypto ikev2ange REQUEST Payload contents: VID IDi CERT CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(USE_TRANSPORT_MODE) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Feb 21 09:46:24.695: IKEv2:(SA ID = 1):Stopping timer to wait for auth message
*Feb 21 09:46:24.699: IKEv2:(SA ID = 1):Checking NAT discovery
*Feb 21 09:46:24.699: IKEv2:(SA ID = 1):NAT not found
*Feb 21 09:46:24.715: IKEv2:(SA ID = 1):Searching policy based on peer's identity 'cn=cbtme-spoke1.crypto.local' of type 'DER ASN1 DN'
*Feb 21 09:46:24.731: IKEv2:Optional profile description not updated in PSH
*Feb 21 09:46:24.731: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1
*Feb 21 09:46:24.731:
IKEv2:Found Policy 'DMVPN-POLICY'
*Feb 21 09:46:24.731: IKEv2:Found matching IKEv2 profile 'DMVPN-PROF1'
*Feb 21 09:46:24.731: IKEv2:(SA ID = 1):Verify peer's policy
*Feb 21 09:46:24.731: IKEv2:(SA ID = 1):Peer's policy verified
*F Cbtme-Hub#no debug crypto ikev2eb 21 09:46:24.731: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
*Feb 21 09:46:24.731: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:46:24.731: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint my-ca
*Feb 21 09:46:24.731: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
*Feb 21 09:46:24.731: IKEv2:(SA ID = 1):Get peer's authentication method
*Feb 21 09:46:24.731: IKEv2:(SA ID = 1):Peer's authentication method is 'RSA'
*Feb 21 09:46:24.747: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Validating certificate chain
*Feb 21 09:46:24.775: IKEv2:(SA ID = 1):[PKI -> IKEv2] Validation of certificate chain PASSED
*Feb 21 09:46:24.775: IKEv2:(SA ID = 1):Save pubkey
*Feb 21 09:46:24.791: IKEv2:(SA ID = 1):Verify peer's authentication data
*Feb 21 09:46:24.791: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 21 09:46:24.791: IKEv2:[Crypto Eng Cbtme-Hub#no debug crypto ikev2ine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 21 09:46:24.791: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Verify signed authenticaiton data
*Feb 21 09:46:24.807: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Verification of signed authentication data PASSED
*Feb 21 09:46:24.807: IKEv2:(SA ID = 1):Processing INITIAL_CONTACT
*Feb 21 09:46:24.807: IKEv2:(SA ID = 1):Received valid config mode data
*Feb 21 09:46:24.807: IKEv2:Config data recieved:
*Feb 21 09:46:24.807: Config-type: Config-request
*Feb 21 09:46:24.807: Attrib type: app-version, length: 247, data: Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5, RELEASE SOFTWARE (fc1) Technical Support:
http://www.cisco.com/techsupport Copyright (c) 1986-2014 by Cisco Systems, Inc. Compiled Thu 20-Feb-14 06:51 by prod_rel_team
*Feb 21 09:46:24.807: Attrib type: split-dns, length: 0
*Feb 21 09:46:24.807: Attrib type: banner, length: 0
*Feb 21 09:46:24.807: Attrib type: config-url, leng Cbtme-Hub#no debug crypto ikev2th: 0
*Feb 21 09:46:24.807: Attrib type: backup-gateway, length: 0
*Feb 21 09:46:24.807: Attrib type: def-domain, length: 0
*Feb 21 09:46:24.807: IKEv2:(SA ID = 1):Set received config mode data
*Feb 21 09:46:24.807: IKEv2:(SA ID = 1):Processing IKE_AUTH message
*Feb 21 09:46:24.807: IKEv2:KMI/verify policy/sending to IPSec: prot: 3 txfm: 12 hmac 5 flags 16370 keysize 256 IDB 0x0
*Feb 21 09:46:24.811: IKEv2:Error constructing config reply
*Feb 21 09:46:24.819: IKEv2:(SA ID = 1):Get my authentication method
*Feb 21 09:46:24.823: IKEv2:(SA ID = 1):My authentication method is 'RSA'
*Feb 21 09:46:24.823: IKEv2:(SA ID = 1):Generate my authentication data
*Feb 21 09:46:24.823: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 21 09:46:24.827: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 21 09:46:24.831: IKEv2:(SA ID = 1):Get my authentication method
*Feb 21 09:46:24.835: IKEv2:(SA ID = 1):My authentication method is 'RS Cbtme-Hub#no debug crypto ikev2A'
*Feb 21 09:46:24.839: IKEv2:(SA ID = 1):Sign authentication data
*Feb 21 09:46:24.839: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
*Feb 21 09:46:24.839: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key PASSED
*Feb 21 09:46:24.839: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication data
*Feb 21 09:46:25.167: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
*Feb 21 09:46:25.167: IKEv2:(SA ID = 1):Authentication material has been sucessfully signed
*Feb 21 09:46:25.167: IKEv2:(SA ID = 1):Generating IKE_AUTH message
*Feb 21 09:46:25.167: IKEv2:(SA ID = 1):Constructing IDr payload:
'cn=cbtme-hub.crypto.local' of type 'DER ASN1 DN'
*Feb 21 09:46:25.167: IKEv2:(SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), Num. transforms: 3 AES-CBC SHA256 Don't use ESN
*Feb 21 09:46:25.167: IKEv2:(SA ID = 1):Building packet for encryption. Payload contents: VID IDr CERT AUTH SA TSi TSr NOTIFY(USE_TRANSPOR Cbtme-Hub#no debug crypto ikev2T_MODE) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Feb 21 09:46:25.167: IKEv2:(SA ID = 1):Sending Packet [To 120.120.120.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 8CAB66C7691CA5BA - Responder SPI : 808A4D3B58B307E4 Message id: 1 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR
*Feb 21 09:46:25.167: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Feb 21 09:46:25.167: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Feb 21 09:46:25.167: IKEv2:(SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Feb 21 09:46:25.167: IKEv2:(SA ID = 1):Session with IKE ID PAIR (cn=cbtme-spoke1.crypto.local, cn=cbtme-hub.crypto.local) is UP
*Feb 21 09:46:25.175: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Feb 21 09:46:25.183: IKEv2:(SA ID = 1):Load IPSEC key material
*Feb 21 09:46:25.183: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
*Feb 21 Cbtme-Hub#no debug crypto ikev2 09:46:25.183: IKEv2:(SA ID = 1):Asynchronous request queued
*Feb 21 09:46:25.183: IKEv2:(SA ID = 1):
*Feb 21 09:46:25.199: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
*Feb 21 09:46:25.211: IKEv2:(SA ID = 1):Checking for duplicate IKEv2 SA
*Feb 21 09:46:25.215: IKEv2:(SA ID = 1):No duplicate IKEv2 SA found
*Feb 21 09:46:25.215: IKEv2:(SA ID = 1):Starting timer (8 sec) to delete negotiation context
*Feb 21 09:46:25.351: IKEv2:(SA ID = 1):Received Packet [From 120.120.120.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 8CAB66C7691CA5BA - Responder SPI : 808A4D3B58B307E4 Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: DELETE
*Feb 21 09:46:25.355: IKEv2:(SA ID = 1):Building packet for encryption. Payload contents: DELETE
*Feb 21 09:46:25.355: IKEv2:(SA ID = 1):Sending Packet [To 120.120.120.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 8CAB66C7691CA5BA - Responder SPI : 808A4D3B5 Cbtme-Hub#no debug crypto ikev28B307E4 Message id: 2 IKEv2 INFORMATIONAL Exchange RESPONSE Payload contents: ENCR
*Feb 21 09:46:25.355: IKEv2:(SA ID = 1):Process delete request from peer
*Feb 21 09:46:25.355: IKEv2:(SA ID = 1):Processing DELETE INFO message for IKEv2 SA [ISPI: 0x8CAB66C7691CA5BA RSPI: 0x808A4D3B58B307E4]
*Feb 21 09:46:25.355: IKEv2:(SA ID = 1):Check for existing active SA
*Feb 21 09:46:25.355: IKEv2:(SA ID = 1):Delete all IKE SAs
*Feb 21 09:46:25.355: IKEv2:(SA ID = 1):Deleting SA
*Feb 21 09:46:29.423: IKEv2:(SA ID = 3):Failed to receive the AUTH msg before the timer expired
*Feb 21 09:46:29.427: IKEv2:(SA ID = 3):
*Feb 21 09:46:29.427: IKEv2:(SA ID = 3):Auth exchange failed
*Feb 21 09:46:29.431: IKEv2:(SA ID = 3):Auth exchange failed
*Feb 21 09:46:29.431: IKEv2:(SA ID = 3):Auth exchange failed
*Feb 21 09:46:29.431: IKEv2:(SA ID = 3):Abort exchange
*Feb 21 09:46:29.431: IKEv2:(SA ID = 3):Deleting SA
*Feb 21 09:46:29.431: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Close PKI Session Cbtme-Hub#no debug crypto ikev2
*Feb 21 09:46:29.431: IKEv2:(SA ID = 3):[PKI -> IKEv2] Closing of PKI Session PASSED
*Feb 21 09:46:30.587: IKEv2:Received Packet [From 130.130.130.1:500/To 110.110.110.1:500/VRF i0:f0] Initiator SPI : D276190C1FE0CB69 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Feb 21 09:46:30.591: IKEv2:(SA ID = 1):Verify SA init message
*Feb 21 09:46:30.591: IKEv2:(SA ID = 1):Insert SA
*Feb 21 09:46:30.591: IKEv2:Searching Policy with fvrf 0, local address 110.110.110.1
*Feb 21 09:46:30.591:
IKEv2:Found Policy 'DMVPN-POLICY'
*Feb 21 09:46:30.591: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*Feb 21 09:46:30.591: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:46:30.595: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:46:30.595: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Cbtme-Hub#no debug crypto ikev2 Key Hashes of trustpoints
*Feb 21 09:46:30.599: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:46:30.603: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Feb 21 09:46:30.607: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Feb 21 09:46:30.607: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Feb 21 09:46:30.607: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 21 09:46:30.607: IKEv2:(SA ID = 1):Request queued for computation of DH key
*Feb 21 09:46:30.607: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Feb 21 09:46:30.879: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 21 09:46:30.879: IKEv2:(SA ID = 1):Request queued for computation of DH secret
*Feb 21 09:46:30.879: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Feb 21 09:46:30.883: IKEv2:(SA I Cbtme-Hub#no debug crypto ikev2D = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Feb 21 09:46:30.887: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Feb 21 09:46:30.891: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
*Feb 21 09:46:30.895: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num.
transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
*Feb 21 09:46:30.895: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:46:30.895: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:46:30.895: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 21 09:46:30.895: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:46:30.895: IKEv2:(SA ID = 1):Sending Packet [To 130.130.130.1:500/From 110.110.110.1:500/VRF i0:f0] Initiator SPI : D276190C1FE0CB69 - Responder SPI : D7811E932232E01F Mes Cbtme-Hub#no debug crypto ikev2sage id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
*Feb 21 09:46:30.895: IKEv2:(SA ID = 1):Completed SA init exchange
*Feb 21 09:46:30.895: IKEv2:(SA ID = 1):Starting timer (30 sec) to wait for auth message
*Feb 21 09:46:30.895: IKEv2:Received Packet [From 140.140.140.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 239759D07E36FB6A - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Feb 21 09:46:30.895: IKEv2:(SA ID = 2):Verify SA init message
*Feb 21 09:46:30.895: IKEv2:(SA ID = 2):Insert SA
*Feb 21 09:46:30.895: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1
*Feb 21 09:46:30.895: IKEv2:Found Policy 'DMVPN-POLICY'
*Feb 21 09:46:30.895: IKEv2:(SA ID = 2):Proc Cbtme-Hub#no debug crypto ikev2essing IKE_SA_INIT message
*Feb 21 09:46:30.895: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:46:30.895: IKEv2:(SA ID = 2):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:46:30.895: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 21 09:46:30.895: IKEv2:(SA ID = 2):[PKI ->
IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:46:30.895: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Start PKI Session
*Feb 21 09:46:30.895: IKEv2:(SA ID = 2):[PKI -> IKEv2] Starting of PKI Session PASSED
*Feb 21 09:46:30.895: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Feb 21 09:46:30.895: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 21 09:46:30.895: IKEv2:(SA ID = 2):Request queued for computation of DH key
*Feb 21 09:46:30.895: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Feb 21 09:46:31.155: IKEv2:(SA ID = 2):[Crypto Cbtme-Hub#no debug crypto ikev2Engine -> IKEv2] DH key Computation PASSED
*Feb 21 09:46:31.155: IKEv2:(SA ID = 2):Request queued for computation of DH secret
*Feb 21 09:46:31.155: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Feb 21 09:46:31.155: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Feb 21 09:46:31.155: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Feb 21 09:46:31.155: IKEv2:(SA ID = 2):Generating IKE_SA_INIT message
*Feb 21 09:46:31.155: IKEv2:(SA ID = 2):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num.
transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
*Feb 21 09:46:31.163: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 21 09:46:31.167: IKEv2:(SA ID = 2):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:46:31.167: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 21 09:46:31.17 Cbtme-Hub#no debug crypto ikev21: IKEv2:(SA ID = 2):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 21 09:46:31.171: IKEv2:(SA ID = 2):Sending Packet [To 140.140.140.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 239759D07E36FB6A - Responder SPI : B0CFE8616CA7A7B0 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
*Feb 21 09:46:31.171: IKEv2:(SA ID = 2):Completed SA init exchange
*Feb 21 09:46:31.171: IKEv2:(SA ID = 2):Starting timer (30 sec) to wait for auth message
*Feb 21 09:46:31.439: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=110.110.110.1, prot=50, spi=0x93165353(2467713875), srcaddr=120.120.120.1, input interface=FastEthernet0/0
*Feb 21 09:46:32.059: IKEv2:(SA ID = 2):Received Packet [From 140.140.140.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 239759D07E36FB6 Cbtme-Hub#no debug crypto ikev2A - Responder SPI : B0CFE8616CA7A7B0 Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: VID IDi CERT CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Feb 21 09:46:32.067: IKEv2:(SA ID = 2):Stopping timer to wait for auth message
*Feb 21 09:46:32.067: IKEv2:(SA ID = 2):Checking NAT discovery
*Feb 21 09:46:32.067: IKEv2:(SA ID = 2):NAT not found
*Feb 21 09:46:32.083: IKEv2:(SA ID = 2):Searching policy based on peer's identity 'cn=cbtme-spoke4.crypto.local' of type 'DER ASN1 DN'
*Feb 21 09:46:32.083: IKEv2:Optional profile description not updated in PSH
*Feb 21 09:46:32.083: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1
*Feb 21 09:46:32.083: IKEv2:Found Policy 'DMVPN-POLICY'
*Feb 21 09:46:32.083: IKEv2:Found matching IKEv2 profile 'DMVPN-PROF1'
*Feb 21 09:46:32.083: IKEv2:(SA ID = 2):Verify peer's policy
*Feb 21 09:46:32.083: Cbtme-Hub#no debug crypto ikev2IKEv2:(SA ID = 2):Peer's policy verified
*Feb 21 09:46:32.083: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
*Feb 21 09:46:32.083: IKEv2:(SA ID = 2):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
*Feb 21 09:46:32.083: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Getting cert chain for the trustpoint my-ca
*Feb 21 09:46:32.099: IKEv2:(SA ID = 2):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
*Feb 21 09:46:32.099: IKEv2:(SA ID = 2):Get peer's authentication method
*Feb 21 09:46:32.099: IKEv2:(SA ID = 2):Peer's authentication method is 'RSA'
*Feb 21 09:46:32.099: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Validating certificate chain
*Feb 21 09:46:32.159: IKEv2:(SA ID = 2):[PKI -> IKEv2] Validation of certificate chain PASSED
*Feb 21 09:46:32.159: IKEv2:(SA ID = 2):Save pubkey
*Feb 21 09:46:32.159: IKEv2:(SA ID = 2):Verify peer's authentication data
*Feb 21 09:46:32.159: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication d Cbtme-Hub#no debug crypto ikev2ata
*Feb 21 09:46:32.159: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 21 09:46:32.159: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Verify signed authenticaiton data
*Feb 21 09:46:32.175: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] Verification of signed authentication data PASSED
*Feb 21 09:46:32.175: IKEv2:(SA ID = 2):Processing INITIAL_CONTACT
*Feb 21 09:46:32.179: IKEv2:(SA ID = 2):Received valid config mode data
*Feb 21 09:46:32.183: IKEv2:Config data recieved:
*Feb 21 09:46:32.183: Config-type: Config-request
*Feb 21 09:46:32.187:
Attrib type: ipv4-dns, length: 0 *Feb 21 09:46:32.187: Attrib type: ipv4-dns, length: 0 *Feb 21 09:46:32.187: Attrib type: ipv4-nbns, length: 0 *Feb 21 09:46:32.191: Attrib type: ipv4-nbns, length: 0 *Feb 21 09:46:32.191: Attrib type: ipv4-subnet, length: 0 *Feb 21 09:46:32.191: Attrib type: app-version, length: 247, data: Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5, RELEA Cbtme-Hub#no debug crypto ikev2SE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2014 by Cisco Systems, Inc. Compiled Thu 20-Feb-14 06:51 by prod_rel_team *Feb 21 09:46:32.191: Attrib type: split-dns, length: 0 *Feb 21 09:46:32.191: Attrib type: banner, length: 0 *Feb 21 09:46:32.191: Attrib type: config-url, length: 0 *Feb 21 09:46:32.191: Attrib type: backup-gateway, length: 0 *Feb 21 09:46:32.191: Attrib type: def-domain, length: 0 *Feb 21 09:46:32.191: IKEv2:(SA ID = 2):Set received config mode data *Feb 21 09:46:32.191: IKEv2:(SA ID = 2):Processing IKE_AUTH message *Feb 21 09:46:32.191: IKEv2:KMI/verify policy/sending to IPSec: prot: 3 txfm: 12 hmac 5 flags 16369 keysize 256 IDB 0x0 *Feb 21 09:46:32.227: IKEv2:(SA ID = 2):There was no IPSEC policy found for received TS *Feb 21 09:46:32.227: IKEv2:(SA ID = 2): *Feb 21 09:46:32.235: IKEv2:(SA ID = 2):Sending TS unacceptable notify *Feb 21 09:46:32.239: IKEv2:(SA ID = 2):Get my authentication method *Fe Cbtme-Hub#no debug crypto ikev2b 21 09:46:32.243: IKEv2:(SA ID = 2):My authentication method is 'RSA' *Feb 21 09:46:32.251: IKEv2:(SA ID = 2):Generate my authentication data *Feb 21 09:46:32.251: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data *Feb 21 09:46:32.255: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED *Feb 21 09:46:32.259: IKEv2:(SA ID = 2):Get my authentication method *Feb 21 09:46:32.267: IKEv2:(SA ID = 2):My authentication method is 'RSA' *Feb 21 09:46:32.271: IKEv2:(SA ID = 2):Sign authentication data *Feb 21 
09:46:32.275: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Getting private key *Feb 21 09:46:32.275: IKEv2:(SA ID = 2):[PKI -> IKEv2] Getting of private key PASSED *Feb 21 09:46:32.279: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Sign authentication data *Feb 21 09:46:32.875: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED *Feb 21 09:46:32.879: IKEv2:Received Packet [From 130.130.130.1:500/To 150.150.150.1:500/VRF i0: Cbtme-Hub#no debug crypto ikev2f0] Initiator SPI : 0BFAD987E62060C0 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) *Feb 21 09:46:32.891: IKEv2:(SA ID = 3):Verify SA init message *Feb 21 09:46:32.891: IKEv2:(SA ID = 3):Insert SA *Feb 21 09:46:32.895: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1 *Feb 21 09:46:32.895: IKEv2:Found Policy 'DMVPN-POLICY' *Feb 21 09:46:32.899: IKEv2:(SA ID = 3):Processing IKE_SA_INIT message *Feb 21 09:46:32.907: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieve configured trustpoint(s) *Feb 21 09:46:32.907: IKEv2:(SA ID = 3):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' *Feb 21 09:46:32.907: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints *Feb 21 09:46:32.907: IKEv2:(SA ID = 3):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED *Feb 21 09:46:32.907: IKEv2:(SA ID = 3):[IKEv2 -> Cbtme-Hub#no debug crypto ikev2PKI] Start PKI Session *Feb 21 09:46:32.907: IKEv2:(SA ID = 3):[PKI -> IKEv2] Starting of PKI Session PASSED *Feb 21 09:46:32.907: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14 *Feb 21 09:46:32.907: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] DH key Computation PASSED *Feb 21 09:46:32.907: IKEv2:(SA ID = 3):Request queued for computation of DH key *Feb 21 09:46:32.907: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14 *Feb 21 09:46:33.163: IKEv2:(SA ID 
= 3):[Crypto Engine -> IKEv2] DH key Computation PASSED *Feb 21 09:46:33.163: IKEv2:(SA ID = 3):Request queued for computation of DH secret *Feb 21 09:46:33.163: IKEv2:(SA ID = 4):Failed to receive the AUTH msg before the timer expired *Feb 21 09:46:33.163: IKEv2:(SA ID = 4): *Feb 21 09:46:33.163: IKEv2:(SA ID = 4):Auth exchange failed *Feb 21 09:46:33.163: IKEv2:(SA ID = 4):Auth exchange failed *Feb 21 09:46:33.163: IKEv2:(SA ID = 4):Auth exchange failed *F Cbtme-Hub#no debug crypto ikev2eb 21 09:46:33.167: IKEv2:(SA ID = 4):Abort exchange *Feb 21 09:46:33.167: IKEv2:(SA ID = 4):Deleting SA *Feb 21 09:46:33.175: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Close PKI Session *Feb 21 09:46:33.179: IKEv2:(SA ID = 4):[PKI -> IKEv2] Closing of PKI Session PASSED *Feb 21 09:46:33.179: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA *Feb 21 09:46:33.179: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED *Feb 21 09:46:33.179: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch *Feb 21 09:46:33.179: IKEv2:(SA ID = 3):Generating IKE_SA_INIT message *Feb 21 09:46:33.179: IKEv2:(SA ID = 3):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. 
transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14 *Feb 21 09:46:33.179: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieve configured trustpoint(s) *Feb 21 09:46:33.179: IKEv2:(SA ID = 3):[PKI -> IKEv2] Retrieved t Cbtme-Hub#no debug crypto ikev2rustpoint(s): 'my-ca' *Feb 21 09:46:33.179: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints *Feb 21 09:46:33.179: IKEv2:(SA ID = 3):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED *Feb 21 09:46:33.179: IKEv2:(SA ID = 3):Sending Packet [To 130.130.130.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 0BFAD987E62060C0 - Responder SPI : A12B56B6B3F5E4AC Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) *Feb 21 09:46:33.179: IKEv2:(SA ID = 3):Completed SA init exchange *Feb 21 09:46:33.183: IKEv2:(SA ID = 3):Starting timer (30 sec) to wait for auth message *Feb 21 09:46:33.191: IKEv2:(SA ID = 2):Authentication material has been sucessfully signed *Feb 21 09:46:33.195: IKEv2:(SA ID = 2):Generating IKE_AUTH message *Feb 21 09:46:33.195: IKEv2:(SA ID = 2):Constructing IDr payloa Cbtme-Hub#no debug crypto ikev2d: 'cn=cbtme-hub.crypto.local' of type 'DER ASN1 DN' *Feb 21 09:46:33.195: IKEv2:(SA ID = 2):Building packet for encryption. Payload contents: VID IDr CERT AUTH NOTIFY(TS_UNACCEPTABLE) *Feb 21 09:46:33.195: IKEv2:(SA ID = 2):Sending Packet [To 140.140.140.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 239759D07E36FB6A - Responder SPI : B0CFE8616CA7A7B0 Message id: 1 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR *Feb 21 09:46:33.195: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Close PKI Session *Feb 21 09:46:33.203: IKEv2:(SA ID = 2):[PKI -> IKEv2] Closing of PKI Session PASSED *Feb 21 09:46:33.211: IKEv2:(SA ID = 2):IKEV2 SA created; inserting SA into database. 
SA lifetime timer (86400 sec) started *Feb 21 09:46:33.211: IKEv2:(SA ID = 2):Session with IKE ID PAIR (cn=cbtme-spoke4.crypto.local, cn=cbtme-hub.crypto.local) is UP *Feb 21 09:46:33.211: IKEv2:IKEv2 MIB tunnel started, tunnel index 2 *Feb 21 09:46:33.211: IKEv2:(SA ID = 2):Checking for dupl Cbtme-Hub#no debug crypto ikev2icate IKEv2 SA *Feb 21 09:46:33.211: IKEv2:(SA ID = 2):No duplicate IKEv2 SA found *Feb 21 09:46:33.215: IKEv2:(SA ID = 2):Starting timer (8 sec) to delete negotiation context *Feb 21 09:46:33.367: IKEv2:(SA ID = 2):Received Packet [From 140.140.140.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 239759D07E36FB6A - Responder SPI : B0CFE8616CA7A7B0 Message id: 2 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: DELETE *Feb 21 09:46:33.367: IKEv2:(SA ID = 2):Building packet for encryption. *Feb 21 09:46:33.367: IKEv2:(SA ID = 2):Sending Packet [To 140.140.140.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 239759D07E36FB6A - Responder SPI : B0CFE8616CA7A7B0 Message id: 2 IKEv2 INFORMATIONAL Exchange RESPONSE Payload contents: ENCR *Feb 21 09:46:33.367: IKEv2:(SA ID = 2):Process delete request from peer *Feb 21 09:46:33.367: IKEv2:(SA ID = 2):Processing DELETE INFO message for IPsec SA [SPI: 0x6AA576D8] *Feb 21 09:46:33.367: IKEv2:( Cbtme-Hub#no debug crypto ikev2SA ID = 2):Check for existing active SA *Feb 21 09:46:33.423: IKEv2:(SA ID = 2):Received Packet [From 140.140.140.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 239759D07E36FB6A - Responder SPI : B0CFE8616CA7A7B0 Message id: 3 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: DELETE *Feb 21 09:46:33.427: IKEv2:(SA ID = 2):Building packet for encryption. 
Payload contents: DELETE *Feb 21 09:46:33.427: IKEv2:(SA ID = 2):Sending Packet [To 140.140.140.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 239759D07E36FB6A - Responder SPI : B0CFE8616CA7A7B0 Message id: 3 IKEv2 INFORMATIONAL Exchange RESPONSE Payload contents: ENCR *Feb 21 09:46:33.427: IKEv2:(SA ID = 2):Process delete request from peer *Feb 21 09:46:33.427: IKEv2:(SA ID = 2):Processing DELETE INFO message for IKEv2 SA [ISPI: 0x239759D07E36FB6A RSPI: 0xB0CFE8616CA7A7B0] *Feb 21 09:46:33.431: IKEv2:(SA ID = 2):Check for existing active SA *Feb 21 09:46:33.431: IKEv2:(SA I Cbtme-Hub#no debug crypto ikev2D = 2):Delete all IKE SAs *Feb 21 09:46:33.431: IKEv2:(SA ID = 2):Deleting SA *Feb 21 09:46:44.079: IKEv2:Failed to process KMI delete SA message with error 4 *Feb 21 09:46:54.755: IKEv2:Received Packet [From 120.120.120.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 17FBBCD902709B3C - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) *Feb 21 09:46:54.767: IKEv2:(SA ID = 2):Verify SA init message *Feb 21 09:46:54.767: IKEv2:(SA ID = 2):Insert SA *Feb 21 09:46:54.767: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1 *Feb 21 09:46:54.771: IKEv2:Found Policy 'DMVPN-POLICY' *Feb 21 09:46:54.775: IKEv2:(SA ID = 2):Processing IKE_SA_INIT message *Feb 21 09:46:54.783: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Retrieve configured trustpoint(s) *Feb 21 09:46:54.787: IKEv2:(SA ID = 2):[PKI -> IKEv2] Retrieved trustpoint(s): Cbtme-Hub#no debug crypto ikev2 'my-ca' *Feb 21 09:46:54.787: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints *Feb 21 09:46:54.791: IKEv2:(SA ID = 2):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED *Feb 21 09:46:54.791: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Start PKI Session *Feb 21 09:46:54.791: IKEv2:(SA ID = 2):[PKI -> IKEv2] Starting of PKI Session PASSED *Feb 
21 09:46:54.791: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14 *Feb 21 09:46:54.795: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] DH key Computation PASSED *Feb 21 09:46:54.795: IKEv2:(SA ID = 2):Request queued for computation of DH key *Feb 21 09:46:54.795: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14 *Feb 21 09:46:55.031: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] DH key Computation PASSED *Feb 21 09:46:55.035: IKEv2:(SA ID = 2):Request queued for computation of DH secret *Feb 21 09:46:55.035: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Cal Cbtme-Hub#no debug crypto ikev2culate SKEYSEED and create rekeyed IKEv2 SA *Feb 21 09:46:55.035: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED *Feb 21 09:46:55.035: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch *Feb 21 09:46:55.035: IKEv2:(SA ID = 2):Generating IKE_SA_INIT message *Feb 21 09:46:55.035: IKEv2:(SA ID = 2):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. 
transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14 *Feb 21 09:46:55.035: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Retrieve configured trustpoint(s) *Feb 21 09:46:55.035: IKEv2:(SA ID = 2):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' *Feb 21 09:46:55.035: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints *Feb 21 09:46:55.035: IKEv2:(SA ID = 2):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED *Feb 21 09:46:55.035: IKEv2:(SA ID = 2):Sending Packet [To 120.120.120.1:500/From 150.150.150.1:500/VRF i0 Cbtme-Hub#no debug crypto ikev2:f0] Initiator SPI : 17FBBCD902709B3C - Responder SPI : 71A864D36280B9FF Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) *Feb 21 09:46:55.035: IKEv2:(SA ID = 2):Completed SA init exchange *Feb 21 09:46:55.035: IKEv2:(SA ID = 2):Starting timer (30 sec) to wait for auth message *Feb 21 09:46:55.755: IKEv2:(SA ID = 2):Received Packet [From 120.120.120.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 17FBBCD902709B3C - Responder SPI : 71A864D36280B9FF Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: VID IDi CERT CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(USE_TRANSPORT_MODE) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) *Feb 21 09:46:55.759: IKEv2:(SA ID = 2):Stopping timer to wait for auth message *Feb 21 09:46:55.7 Cbtme-Hub#no debug crypto ikev2 IKEv2 default debugging is off Cbtme-Hub#59: IKEv2:(SA ID = 2):Checking NAT discovery *Feb 21 09:46:55.759: IKEv2:(SA ID = 2):NAT not found *Feb 21 09:46:55.775: IKEv2:(SA ID = 2):Searching policy based on peer's identity 'cn=cbtme-spoke1.crypto.local' of type 'DER ASN1 DN' *Feb 21 09:46:55.775: IKEv2:Optional profile description not updated in PSH *Feb 21 09:46:55.779: IKEv2:Searching Policy with fvrf 0, local 
address 150.150.150.1 *Feb 21 09:46:55.783: IKEv2:Found Policy 'DMVPN-POLICY' *Feb 21 09:46:55.783: IKEv2:Found matching IKEv2 profile 'DMVPN-PROF1' *Feb 21 09:46:55.791: IKEv2:(SA ID = 2):Verify peer's policy *Feb 21 09:46:55.791: IKEv2:(SA ID = 2):Peer's policy verified *Feb 21 09:46:55.791: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es) *Feb 21 09:46:55.791: IKEv2:(SA ID = 2):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' *Feb 21 09:46:55.791: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Getting cert chain for the trustpoint my-ca *Feb 21 09:46:55.791: IKEv2:(SA ID Cbtme-Hub#= 2):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED *Feb 21 09:46:55.791: IKEv2:(SA ID = 2):Get peer's authentication method *Feb 21 09:46:55.791: IKEv2:(SA ID = 2):Peer's authentication method is 'RSA' *Feb 21 09:46:55.807: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Validating certificate chain *Feb 21 09:46:55.959: IKEv2:(SA ID = 2):[PKI -> IKEv2] Validation of certificate chain PASSED *Feb 21 09:46:55.967: IKEv2:(SA ID = 2):Save pubkey *Feb 21 09:46:56.003: IKEv2:(SA ID = 2):Verify peer's authentication data *Feb 21 09:46:56.003: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data *Feb 21 09:46:56.003: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED *Feb 21 09:46:56.003: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Verify signed authenticaiton data *Feb 21 09:46:56.019: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] Verification of signed authentication data PASSED *Feb 21 09:46:56.019: IKEv2:(SA ID = 2):Processing INITIAL_CONTACT Cbtme-Hub# *Feb 21 09:46:56.019: IKEv2:(SA ID = 2):Received valid config mode data *Feb 21 09:46:56.019: IKEv2:Config data recieved: *Feb 21 09:46:56.019: Config-type: Config-request *Feb 21 09:46:56.019: Attrib type: app-version, length: 247, data: Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5, RELEASE SOFTWARE (fc1) Technical Support: 
http://www.cisco.com/techsupport Copyright (c) 1986-2014 by Cisco Systems, Inc. Compiled Thu 20-Feb-14 06:51 by prod_rel_team *Feb 21 09:46:56.019: Attrib type: split-dns, length: 0 *Feb 21 09:46:56.023: Attrib type: banner, length: 0 *Feb 21 09:46:56.023: Attrib type: config-url, length: 0 *Feb 21 09:46:56.023: Attrib type: backup-gateway, length: 0 *Feb 21 09:46:56.023: Attrib type: def-domain, length: 0 *Feb 21 09:46:56.031: IKEv2:(SA ID = 2):Set received config mode data *Feb 21 09:46:56.035: IKEv2:(SA ID = 2):Processing IKE_AUTH message *Feb 21 09:46:56.035: IKEv2:KMI/verify policy/sending to IPSec: prot: Cbtme-Hub#no debug crypto ikev2 IKEv2 default debugging is off Cbtme-Hub#3 txfm: 12 hmac 5 flags 16370 keysize 256 IDB 0x0 *Feb 21 09:46:56.055: IKEv2:Error constructing config reply *Feb 21 09:46:56.063: IKEv2:(SA ID = 2):Get my authentication method *Feb 21 09:46:56.067: IKEv2:(SA ID = 2):My authentication method is 'RSA' *Feb 21 09:46:56.067: IKEv2:(SA ID = 2):Generate my authentication data *Feb 21 09:46:56.067: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data *Feb 21 09:46:56.067: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED *Feb 21 09:46:56.067: IKEv2:(SA ID = 2):Get my authentication method *Feb 21 09:46:56.067: IKEv2:(SA ID = 2):My authentication method is 'RSA' *Feb 21 09:46:56.067: IKEv2:(SA ID = 2):Sign authentication data *Feb 21 09:46:56.067: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Getting private key *Feb 21 09:46:56.067: IKEv2:(SA ID = 2):[PKI -> IKEv2] Getting of private key PASSED *Feb 21 09:46:56.067: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Sign authentication data *Feb 21 09:46:56.4 Cbtme-Hub#27: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED *Feb 21 09:46:56.427: IKEv2:(SA ID = 2):Authentication material has been sucessfully signed *Feb 21 09:46:56.427: IKEv2:(SA ID = 2):Generating IKE_AUTH message *Feb 21 09:46:56.427: IKEv2:(SA ID = 2):Constructing IDr payload: 
'cn=cbtme-hub.crypto.local' of type 'DER ASN1 DN' *Feb 21 09:46:56.427: IKEv2:(SA ID = 2):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), Num. transforms: 3 AES-CBC SHA256 Don't use ESN *Feb 21 09:46:56.427: IKEv2:(SA ID = 2):Building packet for encryption. Payload contents: VID IDr CERT AUTH SA TSi TSr NOTIFY(USE_TRANSPORT_MODE) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) *Feb 21 09:46:56.443: IKEv2:(SA ID = 2):Sending Packet [To 120.120.120.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 17FBBCD902709B3C - Responder SPI : 71A864D36280B9FF Message id: 1 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: EN Cbtme-Hub#CR *Feb 21 09:46:56.447: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Close PKI Session *Feb 21 09:46:56.459: IKEv2:(SA ID = 2):[PKI -> IKEv2] Closing of PKI Session PASSED *Feb 21 09:46:56.459: IKEv2:(SA ID = 2):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started *Feb 21 09:46:56.459: IKEv2:(SA ID = 2):Session with IKE ID PAIR (cn=cbtme-spoke1.crypto.local, cn=cbtme-hub.crypto.local) is UP *Feb 21 09:46:56.459: IKEv2:IKEv2 MIB tunnel started, tunnel index 2 *Feb 21 09:46:56.463: IKEv2:(SA ID = 2):Load IPSEC key material *Feb 21 09:46:56.467: IKEv2:(SA ID = 2):[IKEv2 -> IPsec] Create IPsec SA into IPsec database *Feb 21 09:46:56.475: IKEv2:(SA ID = 2):Asynchronous request queued *Feb 21 09:46:56.475: IKEv2:(SA ID = 2): *Feb 21 09:46:56.487: IKEv2:(SA ID = 2):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED *Feb 21 09:46:56.491: IKEv2:(SA ID = 2):Checking for duplicate IKEv2 SA *Feb 21 09:46:56.491: IKEv2:(SA ID = 2):No duplicate IKE Cbtme-Hub#v2 SA found *Feb 21 09:46:56.491: IKEv2:(SA ID = 2):Starting timer (8 sec) to delete negotiation context *Feb 21 09:46:56.631: IKEv2:(SA ID = 2):Received Packet [From 120.120.120.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : 17FBBCD902709B3C - Responder SPI : 71A864D36280B9FF Message id: 2 IKEv2 INFORMATIONAL Exchange REQUEST 
Payload contents: DELETE *Feb 21 09:46:56.655: IKEv2:(SA ID = 2):Building packet for encryption. Payload contents: DELETE *Feb 21 09:46:56.663: IKEv2:(SA ID = 2):Sending Packet [To 120.120.120.1:500/From 150.150.150.1:500/VRF i0:f0] Initiator SPI : 17FBBCD902709B3C - Responder SPI : 71A864D36280B9FF Message id: 2 IKEv2 INFORMATIONAL Exchange RESPONSE Payload contents: ENCR *Feb 21 09:46:56.663: IKEv2:(SA ID = 2):Process delete request from peer *Feb 21 09:46:56.663: IKEv2:(SA ID = 2):Processing DELETE INFO message for IKEv2 SA [ISPI: 0x17FBBCD902709B3C RSPI: 0x71A864D36280B9FF] *Feb 21 09:46:56.663: IKEv2:(SA ID = Cbtme-Hub#2):Check for existing active SA *Feb 21 09:46:56.663: IKEv2:(SA ID = 2):Delete all IKE SAs *Feb 21 09:46:56.663: IKEv2:(SA ID = 2):Deleting SA *Feb 21 09:47:00.607: IKEv2:Received Packet [From 130.130.130.1:500/To 110.110.110.1:500/VRF i0:f0] Initiator SPI : CD7C4603AAB41676 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) *Feb 21 09:47:00.623: IKEv2:(SA ID = 2):Verify SA init message *Feb 21 09:47:00.627: IKEv2:(SA ID = 2):Insert SA *Feb 21 09:47:00.631: IKEv2:Searching Policy with fvrf 0, local address 110.110.110.1 *Feb 21 09:47:00.635: IKEv2:Found Policy 'DMVPN-POLICY' *Feb 21 09:47:00.635: IKEv2:(SA ID = 2):Processing IKE_SA_INIT message *Feb 21 09:47:00.639: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Retrieve configured trustpoint(s) *Feb 21 09:47:00.639: IKEv2:(SA ID = 2):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' *Feb Cbtme-Hub#21 09:47:00.639: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints *Feb 21 09:47:00.639: IKEv2:(SA ID = 2):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED *Feb 21 09:47:00.643: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Start PKI Session *Feb 21 09:47:00.643: IKEv2:(SA ID = 2):[PKI -> IKEv2] Starting of PKI Session PASSED *Feb 21 09:47:00.643: IKEv2:(SA ID 
= 2):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14 *Feb 21 09:47:00.643: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] DH key Computation PASSED *Feb 21 09:47:00.647: IKEv2:(SA ID = 2):Request queued for computation of DH key *Feb 21 09:47:00.647: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14 *Feb 21 09:47:00.883: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] DH key Computation PASSED *Feb 21 09:47:00.883: IKEv2:(SA ID = 2):Request queued for computation of DH secret *Feb 21 09:47:00.883: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Calculate SKEYSEED an Cbtme-Hub#d create rekeyed IKEv2 SA *Feb 21 09:47:00.883: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED *Feb 21 09:47:00.883: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch *Feb 21 09:47:00.883: IKEv2:(SA ID = 2):Generating IKE_SA_INIT message *Feb 21 09:47:00.883: IKEv2:(SA ID = 2):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. 
transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14 *Feb 21 09:47:00.883: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Retrieve configured trustpoint(s) *Feb 21 09:47:00.883: IKEv2:(SA ID = 2):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' *Feb 21 09:47:00.883: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints *Feb 21 09:47:00.883: IKEv2:(SA ID = 2):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED *Feb 21 09:47:00.883: IKEv2:(SA ID = 2):Sending Packet [To 130.130.130.1:500/From 110.110.110.1:500/VRF i0:f0] Initiator S Cbtme-Hub#PI : CD7C4603AAB41676 - Responder SPI : F28AD2F3B9290575 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) *Feb 21 09:47:00.887: IKEv2:(SA ID = 2):Completed SA init exchange *Feb 21 09:47:00.891: IKEv2:(SA ID = 2):Starting timer (30 sec) to wait for auth message *Feb 21 09:47:00.895: IKEv2:(SA ID = 1):Failed to receive the AUTH msg before the timer expired *Feb 21 09:47:00.895: IKEv2:(SA ID = 1): *Feb 21 09:47:00.895: IKEv2:(SA ID = 1):Auth exchange failed *Feb 21 09:47:00.895: IKEv2:(SA ID = 1):Auth exchange failed *Feb 21 09:47:00.895: IKEv2:(SA ID = 1):Auth exchange failed *Feb 21 09:47:00.895: IKEv2:(SA ID = 1):Abort exchange *Feb 21 09:47:00.895: IKEv2:(SA ID = 1):Deleting SA *Feb 21 09:47:00.895: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session *Feb 21 09:47:00.895: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Sess Cbtme-Hub#ion PASSED *Feb 21 09:47:02.671: IKEv2:Received Packet [From 130.130.130.1:500/To 150.150.150.1:500/VRF i0:f0] Initiator SPI : B4A367AB5F9CE650 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) *Feb 21 09:47:02.691: IKEv2:(SA ID = 1):Verify SA init message *Feb 21 09:47:02.691: IKEv2:(SA ID = 
1):Insert SA *Feb 21 09:47:02.691: IKEv2:Searching Policy with fvrf 0, local address 150.150.150.1 *Feb 21 09:47:02.691: IKEv2:Found Policy 'DMVPN-POLICY' *Feb 21 09:47:02.691: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message *Feb 21 09:47:02.691: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s) *Feb 21 09:47:02.691: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' *Feb 21 09:47:02.691: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints *Feb 21 09:47:02.691: IKEv2:(SA ID = 1):[PKI - Cbtme-Hub#> IKEv2] Getting of Public Key Hashes of trustpoints PASSED *Feb 21 09:47:02.691: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session *Feb 21 09:47:02.691: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED *Feb 21 09:47:02.691: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14 *Feb 21 09:47:02.691: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED *Feb 21 09:47:02.691: IKEv2:(SA ID = 1):Request queued for computation of DH key *Feb 21 09:47:02.691: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14 Cbtme-Hub# *Feb 21 09:47:35.027: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=110.110.110.1, prot=50, spi=0x93165353(2467713875), srcaddr=120.120.120.1, input interface=FastEthernet0/0 Cbtme-Hub# *Feb 21 09:48:35.055: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=110.110.110.1, prot=50, spi=0x93165353(2467713875), srcaddr=120.120.120.1, input interface=FastEthernet0/0 Cbtme-Hub# *Feb 21 09:49:39.579: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=110.110.110.1, prot=50, spi=0x93165353(2467713875), srcaddr=120.120.120.1, input interface=FastEthernet0/0 Cbtme-Hub# *Feb 21 09:50:43.787: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=110.110.110.1, prot=50, spi=0x93165353(2467713875), 
srcaddr=120.120.120.1, input interface=FastEthernet0/0 Cbtme-Hub#