=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2019.04.09 14:13:25 =~=~=~=~=~=~=~=~=~=~=~=
debug cy rup  up  ypto pki
% Incomplete command.
Remote-Store#debug crypto pki
*Apr 9 16:28:50.725: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(FLEX_HUBS) Client_public_addr = 172.16.1.2 Server_public_addr = 172.25.1.2
Remote-Store#debug crypto ikev2
IKEv2 default debugging is on
Remote-Store#debug crypto ikev2 2
*Apr 9 16:29:00.746: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.2
*Apr 9 16:29:00.750: IKEv2:Found Policy 'FLEX_POL'
*Apr 9 16:29:00.772: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Apr 9 16:29:00.773: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Apr 9 16:29:00.774: IKEv2:(SESSION ID = 54,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Apr 9 16:29:00.775: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 9 16:29:00.776: IKEv2:(SESSION ID = 54,SA ID = 1):Request queued for computation of DH key
*Apr 9 16:29:00.777: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
*Apr 9 16:29:00.779: IKEv2:(SESSION ID = 54,SA ID = 1):Generating IKE_SA_INIT message
*Apr 9 16:29:00.779: IKEv2:(SESSION ID = 54,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4
   AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
*Apr 9 16:29:00.785: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : 82B0E40CF438FC7F - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
Remote-Store#debug crypto ikev2 c
*Apr 9 16:29:00.791: IKEv2:(SESSION ID = 54,SA ID = 1):Insert SA
*Apr 9 16:29:00.844: IKEv2:(SESSION ID = 54,SA ID = 1):Received Packet [From 172.25.1.2:500/To 172.16.1.2:500/VRF i0:f0]
Initiator SPI : 82B0E40CF438FC7F - Responder SPI : BF26542482B19789 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ
*Apr 9 16:29:00.856: IKEv2:(SESSION ID = 54,SA ID = 1):Processing IKE_SA_INIT message
*Apr 9 16:29:00.857: IKEv2:(SESSION ID = 54,SA ID = 1):Verify SA init message
*Apr 9 16:29:00.858: IKEv2:(SESSION ID = 54,SA ID = 1):Processing IKE_SA_INIT message
*Apr 9 16:29:00.861: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
*Apr 9 16:29:00.863: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'WANLAB-CA'
*Apr 9 16:29:00.864: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint WANLAB-CA
*Apr 9 16:29:00.908: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
*Apr 9 16:29:00.909: IKEv2:(SESSION ID = 54,SA ID = 1):Checking NAT discovery
*Apr 9 16:29:00.910: IKEv2:(SESSION ID = 54,SA ID = 1):NAT not found
*Apr 9 16:29:00.911: IKEv2:(SESSION ID = 54,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Apr 9 16:29:00.938: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 9 16:29:00.940: IKEv2:(SESSION ID = 54,SA ID = 1):Request queued for computation of DH secret
*Apr 9 16:29:00.942: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Apr 9 16:29:00.943: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Apr 9 16:29:00.944: IKEv2:(SESSION ID = 54,SA ID = 1):Completed SA init exchange
*Apr 9 16:29:00.948: IKEv2:Config data to send:
*Apr 9 16:29:00.949: IKEv2:(SESSION ID = 54,SA ID l Remote-Store#debug crypto ikev2 cli= 1):Config-type: Config-request
*Apr 9 16:29:00.950: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv4-dns, length: 0
*Apr 9 16:29:00.951: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv4-dns, length: 0
*Apr 9 16:29:00.952: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv4-nbns, length: 0
*Apr 9 16:29:00.952: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv4-nbns, length: 0
*Apr 9 16:29:00.953: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv4-subnet, length: 0
*Apr 9 16:29:00.954: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv6-dns, length: 0
*Apr 9 16:29:00.955: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv6-subnet, length: 0
*Apr 9 16:29:00.956: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: app-version, length: 245, data: Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.6(2)T, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Tue 22-Mar-16 16:19 by prod_rel_team
*Apr 9 16:29:00.956: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: split-dns, length: 0
*Apr 9 16:29:00.957: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: banner, length: 0
*Apr 9 16:29:00.958: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: config-url, length: 0
*Apr 9 16:29:00.959: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: backup-gateway, length: 0
*Apr 9 16:29:00.960: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: def-domain, length: 0
*Apr 9 16:29:00.966: IKEv2:(SESSION ID = 54,SA ID = 1):Have config mode data to send
*Apr 9 16:29:00.967: IKEv2:(SESSION ID = 54,SA ID = 1):Check for EAP exchange
*Apr 9 16:29:00.968: IKEv2:(SESSION ID = 54,SA ID = 1):Generate my authentication data
*Apr 9 16:29:00.968: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Apr 9 16:29:00.970: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Apr 9 16:29:00.970: IKEv2:(SESSION ID = 54,SA ID = 1):Get my authenticaen Remote-Store#debug crypto ikev2 cliention method
*Apr 9 16:29:00.971: IKEv2:(SESSION ID = 54,SA ID = 1):My authentication method is 'RSA'
*Apr 9 16:29:00.972: IKEv2:(SESSION ID = 54,SA ID = 1):Sign authentication data
*Apr 9 16:29:00.973: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
*Apr 9 16:29:00.974: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key PASSED
*Apr 9 16:29:00.975: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication data
*Apr 9 16:29:01.010: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
*Apr 9 16:29:01.012: IKEv2:(SESSION ID = 54,SA ID = 1):Authentication material has been sucessfully signed
*Apr 9 16:29:01.012: IKEv2:(SESSION ID = 54,SA ID = 1):Check for EAP exchange
*Apr 9 16:29:01.013: IKEv2:(SESSION ID = 54,SA ID = 1):Generating IKE_AUTH message
*Apr 9 16:29:01.014: IKEv2:(SESSION ID = 54,SA ID = 1):Constructing IDi payload: 'Remote-Store.wanlab.wan' of type 'FQDN'
*Apr 9 16:29:01.015: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Apr 9 16:29:01.016: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'WANLAB-CA'
*Apr 9 16:29:01.017: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Apr 9 16:29:01.018: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Apr 9 16:29:01.023: IKEv2:(SESSION ID = 54,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), Num. transforms: 3
   AES-CBC SHA256 Don't use ESN
*Apr 9 16:29:01.025: IKEv2:(SESSION ID = 54,SA ID = 1):Building packet for encryption.
Payload contents:
 VID IDi CERT CERTREQ AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Apr 9 16:29:01.032: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : 82B0E40CF438FC7F - Responder SPI : BF26542482B19789 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload cont Remote-Store#debug crypto ikev2 clienttents:
 ENCR
*Apr 9 16:29:02.970: IKEv2:(SESSION ID = 54,SA ID = 1):Retransmitting packet
*Apr 9 16:29:02.971: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : 82B0E40CF438FC7F - Responder SPI : BF26542482B19789 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR
Remote-Store#debug crypto ikev2 client flexv
*Apr 9 16:29:06.602: IKEv2:(SESSION ID = 54,SA ID = 1):Retransmitting packet
*Apr 9 16:29:06.603: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : 82B0E40CF438FC7F - Responder SPI : BF26542482B19789 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR
Remote-Store#debug crypto ikev2 client flexvpn
FlexVPN debugging is on
Remote-Store#cl
*Apr 9 16:29:14.387: IKEv2:(SESSION ID = 54,SA ID = 1):Retransmitting packet
*Apr 9 16:29:14.389: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : 82B0E40CF438FC7F - Responder SPI : BF26542482B19789 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR e
Remote-Store#clear crypto ikev2 sa
Remote-Store#
*Apr 9 16:29:23.325: IKEv2:(SESSION ID = 54,SA ID = 1):Auth exchange failed
*Apr 9 16:29:23.326: IKEv2-ERROR:(SESSION ID = 54,SA ID = 1):: Auth exchange failed
*Apr 9 16:29:23.329: IKEv2:(SESSION ID = 54,SA ID = 1):Abort exchange
*Apr 9 16:29:23.330: IKEv2:(SESSION ID = 54,SA ID = 1):Deleting SA
*Apr 9 16:29:23.331: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Apr 9 16:29:23.332: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Apr 9 16:29:23.352: FlexVPN(FLEX_HUBS : 80000BE7) Current_state: NEGOTIATING
*Apr 9 16:29:23.352: FlexVPN(FLEX_HUBS : 80000BE7) Current_event: EV_TP_ERROR
*Apr 9 16:29:23.352: FlexVPN(FLEX_HUBS : 80000BE7) Error during negotiation initiating auto reconnect timer
*Apr 9 16:29:23.353: FlexVPN(FLEX_HUBS : 80000BE7) Current_state: NEGOTIATING
*Apr 9 16:29:23.353: FlexVPN(FLEX_HUBS : 80000BE7) Current_event: EV_DISCONNECT
*Apr 9 16:29:23.354: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(FLEX_HUBS) Client_public_addr = 172.16.1.2 Server_public_addr = 172.25.1.2
Remote-Store#
*Apr 9 16:29:23.354: FlexVPN(FLEX_HUBS : 0) Connection being terminated with peer 172.25.1.2
*Apr 9 16:29:23.356: FlexVPN(FLEX_HUBS : 0) advanced to next peer 172.25.1.2
Remote-Store#
*Apr 9 16:29:33.352: FlexVPN(FLEX_HUBS : 0) Current_state: CONNECT_REQUIRED
*Apr 9 16:29:33.353: FlexVPN(FLEX_HUBS : 0) Current_event: EV_CONNECT
*Apr 9 16:29:33.353: FlexVPN(FLEX_HUBS : 0) Current_state: CONNECT_REQUIRED
*Apr 9 16:29:33.354: FlexVPN(FLEX_HUBS : 0) Current_event: EV_SET_PEER
*Apr 9 16:29:33.354: FlexVPN(FLEX_HUBS : 0) Validating peer 172.25.1.2
*Apr 9 16:29:33.355: FlexVPN(FLEX_HUBS : 0) Ready to connect to peer 172.25.1.2
*Apr 9 16:29:33.355: FlexVPN(FLEX_HUBS : 0) Current peer set to 172.25.1.2
*Apr 9 16:29:33.355: FlexVPN(FLEX_HUBS : 0) Current_state: CONNECT_REQUIRED
*Apr 9 16:29:33.356: FlexVPN(FLEX_HUBS : 0) Current_event: EV_SET_SRC
*Apr 9 16:29:33.356: FlexVPN(FLEX_HUBS : 0) Current source set to 172.16.1.2
*Apr 9 16:29:33.357: FlexVPN(FLEX_HUBS : 0) Current_state: INITIATED
*Apr 9 16:29:33.357: FlexVPN(FLEX_HUBS : 0) Current_event: EV_INITIATE_TP
*Apr 9 16:29:33.357: FlexVPN(FLEX_HUBS : 80000BE8) Initiating connection with peer 172.25.1.2
*Apr 9 16:29:33.374: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.2
*Apr 9 16:29:33.374: IKEv2:Found Policy 'FLEX_POL'
*Apr 9 16:29:33.393: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Apr 9 16:29:33.394: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Apr 9 16:29:33.394: IKEv2:(SESSION ID = 54,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Apr 9 16:29:33.396: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 9 16:29:33.397: IKEv2:(SESSION ID = 54,SA ID = 1):Request queued for computation of DH key
*Apr 9 16:29:33.398: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
*Apr 9 16:29:33.400: IKEv2:(SESSION ID = 54,SA ID = 1):Generating IKE_SA_INIT message
*Apr 9 16:29:33.400: IKEv2:(SESSION ID = 54,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4
   AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
*Apr 9 16:29: Remote-Store#33.407: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : 9FC53A2BBA397BD5 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Apr 9 16:29:33.413: IKEv2:(SESSION ID = 54,SA ID = 1):Insert SA
*Apr 9 16:29:33.422: FlexVPN(FLEX_HUBS : 80000BE8) Current_state: INITIATED
*Apr 9 16:29:33.422: FlexVPN(FLEX_HUBS : 80000BE8) Current_event: EV_TP_READY
*Apr 9 16:29:33.489: IKEv2:(SESSION ID = 54,SA ID = 1):Received Packet [From 172.25.1.2:500/To 172.16.1.2:500/VRF i0:f0]
Initiator SPI : 9FC53A2BBA397BD5 - Responder SPI : 8CC98EE157D9C14B Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ
*Apr 9 16:29:33.505: IKEv2:(SESSION ID = 54,SA ID = 1):Processing IKE_SA_INIT message
*Apr 9 16:29:33.506: IKEv2:(SESSION ID = 54,SA ID = 1):Verify SA init message
*Apr 9 16:29:33.507: IKEv2:(SESSION ID = 54,SA ID = 1):Processing IKE_SA_INIT message
*Apr 9 16:29:33.511: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
*Apr 9 16:29:33.513: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'WANLAB-CA'
*Apr 9 16:29:33.515: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint WANLAB-CA
*Apr 9 16:29:33.560: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
*Apr 9 16:29:33.562: IKEv2:(SESSION ID = 54,SA ID = 1):Checking NAT discovery
*Apr 9 16:29:33.562: IKEv2:(SESSION ID = 54,SA ID = 1):NAT not found
*Apr 9 16:29:33.563: IKEv2:(SESSION ID = 54,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Apr 9 16:29:33.590: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 9 16:29:33.591: IKEv2:(SE Remote-Store#SSION ID = 54,SA ID = 1):Request queued for computation of DH secret
*Apr 9 16:29:33.593: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Apr 9 16:29:33.594: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Apr 9 16:29:33.596: IKEv2:(SESSION ID = 54,SA ID = 1):Completed SA init exchange
*Apr 9 16:29:33.599: IKEv2:Config data to send:
*Apr 9 16:29:33.600: IKEv2:(SESSION ID = 54,SA ID = 1):Config-type: Config-request
*Apr 9 16:29:33.601: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv4-dns, length: 0
*Apr 9 16:29:33.602: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv4-dns, length: 0
*Apr 9 16:29:33.602: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv4-nbns, length: 0
*Apr 9 16:29:33.603: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv4-nbns, length: 0
*Apr 9 16:29:33.604: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv4-subnet, length: 0
*Apr 9 16:29:33.605: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv6-dns, length: 0
*Apr 9 16:29:33.606: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv6-subnet, length: 0
*Apr 9 16:29:33.607: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: app-version, length: 245, data: Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.6(2)T, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Tue 22-Mar-16 16:19 by prod_rel_team
*Apr 9 16:29:33.608: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: split-dns, length: 0
*Apr 9 16:29:33.608: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: banner, length: 0
*Apr 9 16:29:33.609: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: config-url, length: 0
*Apr 9 16:29:33.610: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: backup-gateway, length: 0
*Apr 9 16:29:33.611: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: def-domain, length: 0
*Apr 9 16:29:33.617: Remote-Store# IKEv2:(SESSION ID = 54,SA ID = 1):Have config mode data to send
*Apr 9 16:29:33.618: IKEv2:(SESSION ID = 54,SA ID = 1):Check for EAP exchange
*Apr 9 16:29:33.619: IKEv2:(SESSION ID = 54,SA ID = 1):Generate my authentication data
*Apr 9 16:29:33.620: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Apr 9 16:29:33.621: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Apr 9 16:29:33.621: IKEv2:(SESSION ID = 54,SA ID = 1):Get my authentication method
*Apr 9 16:29:33.622: IKEv2:(SESSION ID = 54,SA ID = 1):My authentication method is 'RSA'
*Apr 9 16:29:33.623: IKEv2:(SESSION ID = 54,SA ID = 1):Sign authentication data
*Apr 9 16:29:33.624: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
*Apr 9 16:29:33.625: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key PASSED
*Apr 9 16:29:33.626: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication data
*Apr 9 16:29:33.665: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
*Apr 9 16:29:33.667: IKEv2:(SESSION ID = 54,SA ID = 1):Authentication material has been sucessfully signed
*Apr 9 16:29:33.668: IKEv2:(SESSION ID = 54,SA ID = 1):Check for EAP exchange
*Apr 9 16:29:33.668: IKEv2:(SESSION ID = 54,SA ID = 1):Generating IKE_AUTH message
*Apr 9 16:29:33.669: IKEv2:(SESSION ID = 54,SA ID = 1):Constructing IDi payload: 'Remote-Store.wanlab.wan' of type 'FQDN'
*Apr 9 16:29:33.670: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Apr 9 16:29:33.671: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'WANLAB-CA'
*Apr 9 16:29:33.672: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Apr 9 16:29:33.673: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Apr 9 16:29:33.678: IKEv2:(SESSION ID = 54,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), Num. transforms: 3
   AES-CBC SHA256 Don't use ESN
*Apr 9 16:2 Remote-Store#9:33.680: IKEv2:(SESSION ID = 54,SA ID = 1):Building packet for encryption.
Payload contents:
 VID IDi CERT CERTREQ AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Apr 9 16:29:33.687: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : 9FC53A2BBA397BD5 - Responder SPI : 8CC98EE157D9C14B Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR
*Apr 9 16:29:35.861: IKEv2:(SESSION ID = 54,SA ID = 1):Retransmitting packet
*Apr 9 16:29:35.862: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : 9FC53A2BBA397BD5 - Responder SPI : 8CC98EE157D9C14B Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR
Remote-Store#
*Apr 9 16:29:39.577: IKEv2:(SESSION ID = 54,SA ID = 1):Retransmitting packet
*Apr 9 16:29:39.578: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : 9FC53A2BBA397BD5 - Responder SPI : 8CC98EE157D9C14B Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR
Remote-Store#
*Apr 9 16:29:47.394: IKEv2:(SESSION ID = 54,SA ID = 1):Retransmitting packet
*Apr 9 16:29:47.395: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : 9FC53A2BBA397BD5 - Responder SPI : 8CC98EE157D9C14B Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR
Remote-Store#
*Apr 9 16:30:02.745: IKEv2:(SESSION ID = 54,SA ID = 1):Retransmitting packet
*Apr 9 16:30:02.747: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : 9FC53A2BBA397BD5 - Responder SPI : 8CC98EE157D9C14B Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR
*Apr 9 16:30:03.373: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.2
*Apr 9 16:30:03.373: IKEv2:Found Policy 'FLEX_POL'
*Apr 9 16:30:03.389: IKEv2:SA is already in negotiation, hence not negotiating again
Remote-Store#sh clock
*16:30:28.476 UTC Tue Apr 9 2019
Remote-Store#
*Apr 9 16:30:33.373: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.2
*Apr 9 16:30:33.374: IKEv2:Found Policy 'FLEX_POL'
*Apr 9 16:30:33.392: IKEv2:SA is already in negotiation, hence not negotiating again
*Apr 9 16:30:33.541: IKEv2:(SESSION ID = 54,SA ID = 1):Retransmitting packet
*Apr 9 16:30:33.542: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : 9FC53A2BBA397BD5 - Responder SPI : 8CC98EE157D9C14B Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR
Remote-Store#sh crypto ikev2 sa
 IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         172.16.1.2/500        172.25.1.2/500        none/none            IN-NEG
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: RSA, Auth verify: Unknown - 0
      Life/Active Time: 86400/0 sec

 IPv6 Crypto IKEv2 SA

Remote-Store#
*Apr 9 16:31:03.376: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.2
*Apr 9 16:31:03.377: IKEv2:Found Policy 'FLEX_POL'
*Apr 9 16:31:03.398: IKEv2:SA is already in negotiation, hence not negotiating again
Remote-Store#
*Apr 9 16:31:31.760: IKEv2:(SESSION ID = 54,SA ID = 1):Retransmitting packet
*Apr 9 16:31:31.762: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : 9FC53A2BBA397BD5 - Responder SPI : 8CC98EE157D9C14B Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR
Remote-Store#
*Apr 9 16:31:33.445: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.2
*Apr 9 16:31:33.446: IKEv2:Found Policy 'FLEX_POL'
*Apr 9 16:31:33.462: IKEv2:SA is already in negotiation, hence not negotiating again
Remote-Store#
*Apr 9 16:31:36.316: IKEv2-ERROR:(SESSION ID = 54,SA ID = 1):: Maximum number of retransmissions reached
*Apr 9 16:31:36.317: IKEv2:(SESSION ID = 54,SA ID = 1):Auth exchange failed
*Apr 9 16:31:36.319: IKEv2-ERROR:(SESSION ID = 54,SA ID = 1):: Auth exchange failed
*Apr 9 16:31:36.322: IKEv2:(SESSION ID = 54,SA ID = 1):Abort exchange
*Apr 9 16:31:36.323: IKEv2:(SESSION ID = 54,SA ID = 1):Deleting SA
*Apr 9 16:31:36.324: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Apr 9 16:31:36.325: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Apr 9 16:31:36.342: FlexVPN(FLEX_HUBS : 80000BE8) Current_state: NEGOTIATING
*Apr 9 16:31:36.342: FlexVPN(FLEX_HUBS : 80000BE8) Current_event: EV_TP_ERROR
*Apr 9 16:31:36.343: FlexVPN(FLEX_HUBS : 80000BE8) Error during negotiation initiating auto reconnect timer
*Apr 9 16:31:36.344: FlexVPN(FLEX_HUBS : 80000BE8) Current_state: NEGOTIATING
*Apr 9 16:31:36.344: FlexVPN(FLEX_HUBS : 80000BE8) Current_event: EV_DISCONNECT
*Apr 9 16:31:36.344: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(FLEX_HUBS) Client_public_addr = 172.16.1.2 Server_public_addr = 172.25.1.2
Remote-Store#
*Apr 9 16:31:36.345: FlexVPN(FLEX_HUBS : 0) Connection being terminated with peer 172.25.1.2
*Apr 9 16:31:36.347: FlexVPN(FLEX_HUBS : 0) advanced to next peer 172.25.1.2
Remote-Store#
*Apr 9 16:31:46.343: FlexVPN(FLEX_HUBS : 0) Current_state: CONNECT_REQUIRED
*Apr 9 16:31:46.344: FlexVPN(FLEX_HUBS : 0) Current_event: EV_CONNECT
*Apr 9 16:31:46.344: FlexVPN(FLEX_HUBS : 0) Current_state: CONNECT_REQUIRED
*Apr 9 16:31:46.344: FlexVPN(FLEX_HUBS : 0) Current_event: EV_SET_PEER
*Apr 9 16:31:46.345: FlexVPN(FLEX_HUBS : 0) Validating peer 172.25.1.2
*Apr 9 16:31:46.345: FlexVPN(FLEX_HUBS : 0) Ready to connect to peer 172.25.1.2
*Apr 9 16:31:46.346: FlexVPN(FLEX_HUBS : 0) Current peer set to 172.25.1.2
*Apr 9 16:31:46.346: FlexVPN(FLEX_HUBS : 0) Current_state: CONNECT_REQUIRED
*Apr 9 16:31:46.346: FlexVPN(FLEX_HUBS : 0) Current_event: EV_SET_SRC
*Apr 9 16:31:46.347: FlexVPN(FLEX_HUBS : 0) Current source set to 172.16.1.2
*Apr 9 16:31:46.347: FlexVPN(FLEX_HUBS : 0) Current_state: INITIATED
*Apr 9 16:31:46.348: FlexVPN(FLEX_HUBS : 0) Current_event: EV_INITIATE_TP
*Apr 9 16:31:46.348: FlexVPN(FLEX_HUBS : 80000BE9) Initiating connection with peer 172.25.1.2
*Apr 9 16:31:46.364: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.2
*Apr 9 16:31:46.365: IKEv2:Found Policy 'FLEX_POL'
*Apr 9 16:31:46.384: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Apr 9 16:31:46.385: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Apr 9 16:31:46.385: IKEv2:(SESSION ID = 54,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Apr 9 16:31:46.387: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 9 16:31:46.388: IKEv2:(SESSION ID = 54,SA ID = 1):Request queued for computation of DH key
*Apr 9 16:31:46.389: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
*Apr 9 16:31:46.390: IKEv2:(SESSION ID = 54,SA ID = 1):Generating IKE_SA_INIT message
*Apr 9 16:31:46.391: IKEv2:(SESSION ID = 54,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4
   AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
*Apr 9 16:31: Remote-Store#46.397: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : 9FB951A604295F21 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Apr 9 16:31:46.403: IKEv2:(SESSION ID = 54,SA ID = 1):Insert SA
*Apr 9 16:31:46.411: FlexVPN(FLEX_HUBS : 80000BE9) Current_state: INITIATED
*Apr 9 16:31:46.411: FlexVPN(FLEX_HUBS : 80000BE9) Current_event: EV_TP_READY
*Apr 9 16:31:46.457: IKEv2:(SESSION ID = 54,SA ID = 1):Received Packet [From 172.25.1.2:500/To 172.16.1.2:500/VRF i0:f0]
Initiator SPI : 9FB951A604295F21 - Responder SPI : FE422BC44462E69D Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ
*Apr 9 16:31:46.467: IKEv2:(SESSION ID = 54,SA ID = 1):Processing IKE_SA_INIT message
*Apr 9 16:31:46.468: IKEv2:(SESSION ID = 54,SA ID = 1):Verify SA init message
*Apr 9 16:31:46.469: IKEv2:(SESSION ID = 54,SA ID = 1):Processing IKE_SA_INIT message
*Apr 9 16:31:46.473: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
*Apr 9 16:31:46.474: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'WANLAB-CA'
*Apr 9 16:31:46.476: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint WANLAB-CA
*Apr 9 16:31:46.522: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
*Apr 9 16:31:46.523: IKEv2:(SESSION ID = 54,SA ID = 1):Checking NAT discovery
*Apr 9 16:31:46.524: IKEv2:(SESSION ID = 54,SA ID = 1):NAT not found
*Apr 9 16:31:46.525: IKEv2:(SESSION ID = 54,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Apr 9 16:31:46.551: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 9 16:31:46.553: IKEv2:(SE Remote-Store#SSION ID = 54,SA ID = 1):Request queued for computation of DH secret
*Apr 9 16:31:46.554: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Apr 9 16:31:46.556: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Apr 9 16:31:46.557: IKEv2:(SESSION ID = 54,SA ID = 1):Completed SA init exchange
*Apr 9 16:31:46.561: IKEv2:Config data to send:
*Apr 9 16:31:46.562: IKEv2:(SESSION ID = 54,SA ID = 1):Config-type: Config-request
*Apr 9 16:31:46.563: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv4-dns, length: 0
*Apr 9 16:31:46.564: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv4-dns, length: 0
*Apr 9 16:31:46.565: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv4-nbns, length: 0
*Apr 9 16:31:46.565: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv4-nbns, length: 0
*Apr 9 16:31:46.566: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv4-subnet, length: 0
*Apr 9 16:31:46.567: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv6-dns, length: 0
*Apr 9 16:31:46.568: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: ipv6-subnet, length: 0
*Apr 9 16:31:46.569: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: app-version, length: 245, data: Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.6(2)T, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Tue 22-Mar-16 16:19 by prod_rel_team
*Apr 9 16:31:46.570: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: split-dns, length: 0
*Apr 9 16:31:46.571: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: banner, length: 0
*Apr 9 16:31:46.571: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: config-url, length: 0
*Apr 9 16:31:46.572: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: backup-gateway, length: 0
*Apr 9 16:31:46.573: IKEv2:(SESSION ID = 54,SA ID = 1):Attrib type: def-domain, length: 0
*Apr 9 16:31:46.580: Remote-Store# IKEv2:(SESSION ID = 54,SA ID = 1):Have config mode data to send
*Apr 9 16:31:46.581: IKEv2:(SESSION ID = 54,SA ID = 1):Check for EAP exchange
*Apr 9 16:31:46.582: IKEv2:(SESSION ID = 54,SA ID = 1):Generate my authentication data
*Apr 9 16:31:46.582: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Apr 9 16:31:46.583: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Apr 9 16:31:46.584: IKEv2:(SESSION ID = 54,SA ID = 1):Get my authentication method
*Apr 9 16:31:46.585: IKEv2:(SESSION ID = 54,SA ID = 1):My authentication method is 'RSA'
*Apr 9 16:31:46.586: IKEv2:(SESSION ID = 54,SA ID = 1):Sign authentication data
*Apr 9 16:31:46.587: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
*Apr 9 16:31:46.588: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key PASSED
*Apr 9 16:31:46.589: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication data
*Apr 9 16:31:46.628: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
*Apr 9 16:31:46.629: IKEv2:(SESSION ID = 54,SA ID = 1):Authentication material has been sucessfully signed
*Apr 9 16:31:46.630: IKEv2:(SESSION ID = 54,SA ID = 1):Check for EAP exchange
*Apr 9 16:31:46.631: IKEv2:(SESSION ID = 54,SA ID = 1):Generating IKE_AUTH message
*Apr 9 16:31:46.632: IKEv2:(SESSION ID = 54,SA ID = 1):Constructing IDi payload: 'Remote-Store.wanlab.wan' of type 'FQDN'
*Apr 9 16:31:46.633: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Apr 9 16:31:46.634: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'WANLAB-CA'
*Apr 9 16:31:46.635: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Apr 9 16:31:46.636: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Apr 9 16:31:46.641: IKEv2:(SESSION ID = 54,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), Num. transforms: 3
   AES-CBC SHA256 Don't use ESN
*Apr 9 16:3 Remote-Store#1:46.643: IKEv2:(SESSION ID = 54,SA ID = 1):Building packet for encryption.
Payload contents:
 VID IDi CERT CERTREQ AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Apr 9 16:31:46.650: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : 9FB951A604295F21 - Responder SPI : FE422BC44462E69D Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR
*Apr 9 16:31:48.598: IKEv2:(SESSION ID = 54,SA ID = 1):Retransmitting packet
*Apr 9 16:31:48.599: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : 9FB951A604295F21 - Responder SPI : FE422BC44462E69D Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR
Remote-Store#
*Apr 9 16:31:52.605: IKEv2:(SESSION ID = 54,SA ID = 1):Retransmitting packet
*Apr 9 16:31:52.606: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : 9FB951A604295F21 - Responder SPI : FE422BC44462E69D Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR
Remote-Store#u a
*Apr 9 16:31:59.939: IKEv2:(SESSION ID = 54,SA ID = 1):Retransmitting packet
*Apr 9 16:31:59.940: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : 9FB951A604295F21 - Responder SPI : FE422BC44462E69D Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR l
Remote-Store#u all
All possible debugging has been turned off
Remote-Store#
Remote-Store#
Remote-Store#
Remote-Store#
Remote-Store#