=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2019.05.02 19:15:44 =~=~=~=~=~=~=~=~=~=~=~=
Router#debug crypto ikev2
IKEv2 default debugging is on
Router#
May 2 11:15:55.090: IKEv2:(SESSION ID = 7,SA ID = 2):Retransmitting packet
May 2 11:15:55.090: IKEv2:(SESSION ID = 7,SA ID = 2):Sending Packet [To 10.1.14.142:500/From 10.1.14.143:500/VRF i0:f0] Initiator SPI : 4F4918D9C8302DBD - Responder SPI : 5801DE70CC3FF70F Message id: 0 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: ENCR
May 2 11:15:57.126: IKEv2:Searching Policy with fvrf 0, local address 10.1.14.143
May 2 11:15:57.126: IKEv2:Found Policy 'policy'
May 2 11:15:57.126: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
May 2 11:15:57.126: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
May 2 11:15:57.127: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
May 2 11:15:57.127: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
May 2 11:15:57.127: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
May 2 11:15:57.127: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
May 2 11:15:57.127: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
May 2 11:15:57.127: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
May 2 11:15:57.128: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.1.14.37:500/From 10.1.14.143:500/VRF i0:f0] Initiator SPI : 81DC62AB2370BFC3 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
May 2 11:15:57.129: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA
May 2 11:15:57.665: IKEv2:Received Packet [From 10.1.14.142:500/To 10.1.14.143:500/VRF i0:f0] Initiator SPI : 909020A3AF436539 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
May 2 11:15:57.666: IKEv2:(SESSION ID = 10,SA ID = 4):Verify SA init message
May 2 11:15:57.666: IKEv2:(SESSION ID = 10,SA ID = 4):Insert SA
May 2 11:15:57.667: IKEv2:Searching Policy with fvrf 0, local address 10.1.14.143
May 2 11:15:57.667: IKEv2:Found Policy 'policy'
May 2 11:15:57.667: IKEv2:(SESSION ID = 10,SA ID = 4):Processing IKE_SA_INIT message
May 2 11:15:57.667: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
May 2 11:15:57.667: IKEv2:(SA ID = 4):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' 'TP-self-signed-4049900931'
May 2 11:15:57.668: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
May 2 11:15:57.668: IKEv2:(SA ID = 4):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
May 2 11:15:57.668: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Start PKI Session
May 2 11:15:57.668: IKEv2:(SA ID = 4):[PKI -> IKEv2] Starting of PKI Session PASSED
May 2 11:15:57.668: IKEv2:(SESSION ID = 10,SA ID = 4):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
May 2 11:15:57.668: IKEv2:(SA ID = 4):[Crypto Engine -> IKEv2] DH key Computation PASSED
May 2 11:15:57.669: IKEv2:(SESSION ID = 10,SA ID = 4):Request queued for computation of DH key
May 2 11:15:57.669: IKEv2:(SESSION ID = 10,SA ID = 4):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
May 2 11:15:57.697: IKEv2:(SA ID = 4):[Crypto Engine -> IKEv2] DH key Computation PASSED
May 2 11:15:57.697: IKEv2:(SESSION ID = 10,SA ID = 4):Request queued for computation of DH secret
May 2 11:15:57.697: IKEv2:(SA ID = 4):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
May 2 11:15:57.697: IKEv2:(SA ID = 4):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
May 2 11:15:57.698: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
May 2 11:15:57.698: IKEv2:(SESSION ID = 10,SA ID = 4):Generating IKE_SA_INIT message
May 2 11:15:57.698: IKEv2:(SESSION ID = 10,SA ID = 4):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
May 2 11:15:57.699: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
May 2 11:15:57.699: IKEv2:(SA ID = 4):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' 'TP-self-signed-4049900931'
May 2 11:15:57.699: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
May 2 11:15:57.699: IKEv2:(SA ID = 4):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
May 2 11:15:57.699: IKEv2:(SESSION ID = 10,SA ID = 4):Sending Packet [To 10.1.14.142:500/From 10.1.14.143:500/VRF i0:f0] Initiator SPI : 909020A3AF436539 - Responder SPI : 93E94AF115BD18FC Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
May 2 11:15:57.701: IKEv2:(SESSION ID = 10,SA ID = 4):Completed SA init exchange
May 2 11:15:57.701: IKEv2:(SESSION ID = 10,SA ID = 4):Starting timer (30 sec) to wait for auth message
May 2 11:15:57.777: IKEv2:(SESSION ID = 10,SA ID = 4):Received Packet [From 10.1.14.142:500/To 10.1.14.143:500/VRF i0:f0] Initiator SPI : 909020A3AF436539 - Responder SPI : 93E94AF115BD18FC Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: VID IDi CERT CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(USE_TRANSPORT_MODE) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
May 2 11:15:57.779: IKEv2:(SESSION ID = 10,SA ID = 4):Stopping timer to wait for auth message
May 2 11:15:57.779: IKEv2:(SESSION ID = 10,SA ID = 4):Checking NAT discovery
May 2 11:15:57.779: IKEv2:(SESSION ID = 10,SA ID = 4):NAT not found
May 2 11:15:57.781: IKEv2:(SESSION ID = 10,SA ID = 4):Searching policy based on peer's identity 'cn=R1.crypto.local' of type 'DER ASN1 DN'
May 2 11:15:57.783: IKEv2:Searching Policy with fvrf 0, local address 10.1.14.143
May 2 11:15:57.783: IKEv2:Found Policy 'policy'
May 2 11:15:57.783: IKEv2:Found matching IKEv2 profile 'DMVPN-PROF'
May 2 11:15:57.783: IKEv2:not a VPN-SIP session
May 2 11:15:57.784: IKEv2:(SESSION ID = 10,SA ID = 4):Verify peer's policy
May 2 11:15:57.784: IKEv2:(SESSION ID = 10,SA ID = 4):Peer's policy verified
May 2 11:15:57.784: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
May 2 11:15:57.784: IKEv2:(SA ID = 4):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
May 2 11:15:57.784: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Getting cert chain for the trustpoint my-ca
May 2 11:15:57.786: IKEv2:(SA ID = 4):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
May 2 11:15:57.787: IKEv2:(SESSION ID = 10,SA ID = 4):Get peer's authentication method
May 2 11:15:57.787: IKEv2:(SESSION ID = 10,SA ID = 4):Peer's authentication method is 'RSA'
May 2 11:15:57.788: IKEv2:Validation list created with 1 trustpoints
May 2 11:15:57.788: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Validating certificate chain
May 2 11:15:57.794: IKEv2:(SA ID = 4):[PKI -> IKEv2] Validation of certificate chain PASSED
May 2 11:15:57.795: IKEv2:(SESSION ID = 10,SA ID = 4):Save pubkey
May 2 11:15:57.796: IKEv2:(SESSION ID = 10,SA ID = 4):Verify peer's authentication data
May 2 11:15:57.797: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
May 2 11:15:57.797: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
May 2 11:15:57.797: IKEv2:(SA ID = 4):[IKEv2 -> Crypto Engine] Verify signed authenticaiton data
May 2 11:15:57.798: IKEv2:(SA ID = 4):[Crypto Engine -> IKEv2] Verification of signed authentication data PASSED
May 2 11:15:57.799: IKEv2:(SESSION ID = 10,SA ID = 4):Processing INITIAL_CONTACT
May 2 11:15:57.799: IKEv2:(SESSION ID = 9,SA ID = 3):Queuing SA delete for IC
May 2 11:15:57.800: IKEv2:(SESSION ID = 10,SA ID = 4):Received valid config mode data
May 2 11:15:57.800: IKEv2:Config data recieved:
May 2 11:15:57.800: IKEv2:(SESSION ID = 10,SA ID = 4):Config-type: Config-request
May 2 11:15:57.800: IKEv2:(SESSION ID = 10,SA ID = 4):Attrib type: app-version, length: 255, data: Cisco IOS Software [Fuji], ISR Software (ARMV8EB_LINUX_IOSD-UNIVERSALK9_IAS-M), Version 16.9.2, RELEASE SOFTWARE (fc4) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2018 by Cisco Systems, Inc. Compiled Mon 05-Nov-18 17:42 by mcpre
May 2 11:15:57.800: IKEv2:(SESSION ID = 10,SA ID = 4):Attrib type: split-dns, length: 0
May 2 11:15:57.800: IKEv2:(SESSION ID = 10,SA ID = 4):Attrib type: banner, length: 0
May 2 11:15:57.800: IKEv2:(SESSION ID = 10,SA ID = 4):Attrib type: config-url, length: 0
May 2 11:15:57.801: IKEv2:(SESSION ID = 10,SA ID = 4):Attrib type: backup-gateway, length: 0
May 2 11:15:57.801: IKEv2:(SESSION ID = 10,SA ID = 4):Attrib type: def-domain, length: 0
May 2 11:15:57.801: IKEv2:(SESSION ID = 10,SA ID = 4):Set received config mode data
May 2 11:15:57.801: IKEv2:(SESSION ID = 10,SA ID = 4):Processing IKE_AUTH message
May 2 11:15:57.803: IKEv2:IPSec policy validate request sent for profile DMVPN-PROF with psh index 4.
May 2 11:15:57.803: IKEv2:(SESSION ID = 10,SA ID = 4):
May 2 11:15:57.803: IKEv2:(SESSION ID = 9,SA ID = 3):Sending DELETE INFO message for IKEv2 SA [ISPI: 0x4DEE3566FBC922B6 RSPI: 0xE3CA3A589E4F42F7]
May 2 11:15:57.803: IKEv2:(SESSION ID = 9,SA ID = 3):Building packet for encryption. Payload contents: DELETE
May 2 11:15:57.804: IKEv2:(SESSION ID = 9,SA ID = 3):Checking if request will fit in peer window
May 2 11:15:57.804: IKEv2:(SESSION ID = 9,SA ID = 3):Sending Packet [To 10.1.14.142:500/From 10.1.14.143:500/VRF i0:f0] Initiator SPI : 4DEE3566FBC922B6 - Responder SPI : E3CA3A589E4F42F7 Message id: 0 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: ENCR
May 2 11:15:57.805: IKEv2:(SESSION ID = 9,SA ID = 3):Check for existing active SA
May 2 11:15:57.805: IKEv2:(SESSION ID = 9,SA ID = 3):Delete all IKE SAs
May 2 11:15:57.808: IKEv2:(SA ID = 4):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.
May 2 11:15:57.810: IKEv2-ERROR:Error constructing config reply
May 2 11:15:57.811: IKEv2:(SESSION ID = 10,SA ID = 4):Get my authentication method
May 2 11:15:57.811: IKEv2:(SESSION ID = 10,SA ID = 4):My authentication method is 'RSA'
May 2 11:15:57.811: IKEv2:(SESSION ID = 10,SA ID = 4):Generate my authentication data
May 2 11:15:57.811: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
May 2 11:15:57.811: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
May 2 11:15:57.812: IKEv2:(SESSION ID = 10,SA ID = 4):Get my authentication method
May 2 11:15:57.812: IKEv2:(SESSION ID = 10,SA ID = 4):My authentication method is 'RSA'
May 2 11:15:57.812: IKEv2:(SESSION ID = 10,SA ID = 4):Sign authentication data
May 2 11:15:57.812: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Getting private key
May 2 11:15:57.812: IKEv2:(SA ID = 4):[PKI -> IKEv2] Getting of private key PASSED
May 2 11:15:57.812: IKEv2:(SA ID = 4):[IKEv2 -> Crypto Engine] Sign authentication data
May 2 11:15:57.856: IKEv2:(SA ID = 4):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
May 2 11:15:57.856: IKEv2:(SESSION ID = 10,SA ID = 4):Authentication material has been sucessfully signed
May 2 11:15:57.857: IKEv2:(SESSION ID = 10,SA ID = 4):Generating IKE_AUTH message
May 2 11:15:57.857: IKEv2:(SESSION ID = 10,SA ID = 4):Constructing IDr payload: 'cn=R2.crypto.local' of type 'DER ASN1 DN'
May 2 11:15:57.857: IKEv2:(SESSION ID = 10,SA ID = 4):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), Num. transforms: 3 AES-CBC SHA256 Don't use ESN
May 2 11:15:57.857: IKEv2:(SESSION ID = 10,SA ID = 4):Building packet for encryption. Payload contents: VID IDr CERT AUTH SA TSi TSr NOTIFY(USE_TRANSPORT_MODE) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
May 2 11:15:57.859: IKEv2:(SESSION ID = 10,SA ID = 4):Sending Packet [To 10.1.14.142:500/From 10.1.14.143:500/VRF i0:f0] Initiator SPI : 909020A3AF436539 - Responder SPI : 93E94AF115BD18FC Message id: 1 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR
May 2 11:15:57.860: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Close PKI Session
May 2 11:15:57.860: IKEv2:(SA ID = 4):[PKI -> IKEv2] Closing of PKI Session PASSED
May 2 11:15:57.860: IKEv2:(SESSION ID = 10,SA ID = 4):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
May 2 11:15:57.861: IKEv2:(SESSION ID = 10,SA ID = 4):Session with IKE ID PAIR (cn=R1.crypto.local, cn=R2.crypto.local) is UP
May 2 11:15:57.862: IKEv2:IKEv2 MIB tunnel started, tunnel index 4
May 2 11:15:57.862: IKEv2:(SESSION ID = 10,SA ID = 4):Load IPSEC key material
May 2 11:15:57.862: IKEv2:(SA ID = 4):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
May 2 11:15:57.877: IKEv2:(SA ID = 4):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
May 2 11:15:57.878: IKEv2:(SESSION ID = 10,SA ID = 4):Checking for duplicate IKEv2 SA
May 2 11:15:57.878: IKEv2:(SESSION ID = 10,SA ID = 4):No duplicate IKEv2 SA found
May 2 11:15:57.879: IKEv2:(SESSION ID = 10,SA ID = 4):Starting timer (8 sec) to delete negotiation context
May 2 11:15:58.964: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet
May 2 11:15:58.964: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.1.14.37:500/From 10.1.14.143:500/VRF i0:f0] Initiator SPI : 81DC62AB2370BFC3 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
May 2 11:15:59.743: IKEv2:(SESSION ID = 9,SA ID = 3):Retransmitting packet
May 2 11:15:59.743: IKEv2:(SESSION ID = 9,SA ID = 3):Sending Packet [To 10.1.14.142:500/From 10.1.14.143:500/VRF i0:f0] Initiator SPI : 4DEE3566FBC922B6 - Responder SPI : E3CA3A589E4F42F7 Message id: 0 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: ENCR
May 2 11:16:02.568: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet
May 2 11:16:02.568: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.1.14.37:500/From 10.1.14.143:500/VRF i0:f0] Initiator SPI : 81DC62AB2370BFC3 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
May 2 11:16:03.549: IKEv2:(SESSION ID = 9,SA ID = 3):Retransmitting packet
May 2 11:16:03.549: IKEv2:(SESSION ID = 9,SA ID = 3):Sending Packet [To 10.1.14.142:500/From 10.1.14.143:500/VRF i0:f0] Initiator SPI : 4DEE3566FBC922B6 - Responder SPI : E3CA3A589E4F42F7 Message id: 0 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: ENCR
May 2 11:16:10.451: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet
May 2 11:16:10.452: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.1.14.37:500/From 10.1.14.143:500/VRF i0:f0] Initiator SPI : 81DC62AB2370BFC3 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
May 2 11:16:11.532: IKEv2:(SESSION ID = 9,SA ID = 3):Retransmitting packet
May 2 11:16:11.532: IKEv2:(SESSION ID = 9,SA ID = 3):Sending Packet [To 10.1.14.142:500/From 10.1.14.143:500/VRF i0:f0] Initiator SPI : 4DEE3566FBC922B6 - Responder SPI : E3CA3A589E4F42F7 Message id: 0 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: ENCR
May 2 11:16:25.724: IKEv2:(SESSION ID = 6,SA ID = 6):Retransmitting packet
May 2 11:16:25.725: IKEv2:(SESSION ID = 6,SA ID = 6):Sending Packet [To 10.1.14.142:500/From 10.1.14.143:500/VRF i0:f0] Initiator SPI : 411A051A8811796E - Responder SPI : D86CA8356F651438 Message id: 0 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: ENCR
May 2 11:16:26.211: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet
May 2 11:16:26.212: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.1.14.37:500/From 10.1.14.143:500/VRF i0:f0] Initiator SPI : 81DC62AB2370BFC3 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
May 2 11:16:27.125: IKEv2:Searching Policy with fvrf 0, local address 10.1.14.143
May 2 11:16:27.125: IKEv2:Found Policy 'policy'
May 2 11:16:27.125: IKEv2:SA is already in negotiation, hence not negotiating again
May 2 11:16:27.369: IKEv2:(SESSION ID = 9,SA ID = 3):Retransmitting packet
May 2 11:16:27.369: IKEv2:(SESSION ID = 9,SA ID = 3):Sending Packet [To 10.1.14.142:500/From 10.1.14.143:500/VRF i0:f0] Initiator SPI : 4DEE3566FBC922B6 - Responder SPI : E3CA3A589E4F42F7 Message id: 0 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: ENCR
May 2 11:16:27.664: IKEv2:Received Packet [From 10.1.14.142:500/To 10.1.14.143:500/VRF i0:f0] Initiator SPI : 3CB02D6009507EBA - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
May 2 11:16:27.665: IKEv2:(SESSION ID = 11,SA ID = 5):Verify SA init message
May 2 11:16:27.665: IKEv2:(SESSION ID = 11,SA ID = 5):Insert SA
May 2 11:16:27.666: IKEv2:Searching Policy with fvrf 0, local address 10.1.14.143
May 2 11:16:27.666: IKEv2:Found Policy 'policy'
May 2 11:16:27.666: IKEv2:(SESSION ID = 11,SA ID = 5):Processing IKE_SA_INIT message
May 2 11:16:27.666: IKEv2:(SA ID = 5):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
May 2 11:16:27.666: IKEv2:(SA ID = 5):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' 'TP-self-signed-4049900931'
May 2 11:16:27.667: IKEv2:(SA ID = 5):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
May 2 11:16:27.667: IKEv2:(SA ID = 5):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
May 2 11:16:27.667: IKEv2:(SA ID = 5):[IKEv2 -> PKI] Start PKI Session
May 2 11:16:27.667: IKEv2:(SA ID = 5):[PKI -> IKEv2] Starting of PKI Session PASSED
May 2 11:16:27.667: IKEv2:(SESSION ID = 11,SA ID = 5):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
May 2 11:16:27.690: IKEv2:(SA ID = 5):[Crypto Engine -> IKEv2] DH key Computation PASSED
May 2 11:16:27.690: IKEv2:(SESSION ID = 11,SA ID = 5):Request queued for computation of DH key
May 2 11:16:27.690: IKEv2:(SESSION ID = 11,SA ID = 5):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
May 2 11:16:27.718: IKEv2:(SA ID = 5):[Crypto Engine -> IKEv2] DH key Computation PASSED
May 2 11:16:27.718: IKEv2:(SESSION ID = 11,SA ID = 5):Request queued for computation of DH secret
May 2 11:16:27.718: IKEv2:(SA ID = 5):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
May 2 11:16:27.719: IKEv2:(SA ID = 5):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
May 2 11:16:27.719: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
May 2 11:16:27.719: IKEv2:(SESSION ID = 11,SA ID = 5):Generating IKE_SA_INIT message
May 2 11:16:27.719: IKEv2:(SESSION ID = 11,SA ID = 5):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
May 2 11:16:27.719: IKEv2:(SA ID = 5):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
May 2 11:16:27.719: IKEv2:(SA ID = 5):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca' 'TP-self-signed-4049900931'
May 2 11:16:27.720: IKEv2:(SA ID = 5):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
May 2 11:16:27.720: IKEv2:(SA ID = 5):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
May 2 11:16:27.720: IKEv2:(SESSION ID = 11,SA ID = 5):Sending Packet [To 10.1.14.142:500/From 10.1.14.143:500/VRF i0:f0] Initiator SPI : 3CB02D6009507EBA - Responder SPI : 489D42158E57AF15 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
May 2 11:16:27.722: IKEv2:(SESSION ID = 11,SA ID = 5):Completed SA init exchange
May 2 11:16:27.722: IKEv2:(SESSION ID = 11,SA ID = 5):Starting timer (30 sec) to wait for auth message
May 2 11:16:27.797: IKEv2:(SESSION ID = 11,SA ID = 5):Received Packet [From 10.1.14.142:500/To 10.1.14.143:500/VRF i0:f0] Initiator SPI : 3CB02D6009507EBA - Responder SPI : 489D42158E57AF15 Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: VID IDi CERT CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(USE_TRANSPORT_MODE) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
May 2 11:16:27.799: IKEv2:(SESSION ID = 11,SA ID = 5):Stopping timer to wait for auth message
May 2 11:16:27.799: IKEv2:(SESSION ID = 11,SA ID = 5):Checking NAT discovery
May 2 11:16:27.800: IKEv2:(SESSION ID = 11,SA ID = 5):NAT not found
May 2 11:16:27.802: IKEv2:(SESSION ID = 11,SA ID = 5):Searching policy based on peer's identity 'cn=R1.crypto.local' of type 'DER ASN1 DN'
May 2 11:16:27.803: IKEv2:Searching Policy with fvrf 0, local address 10.1.14.143
May 2 11:16:27.803: IKEv2:Found Policy 'policy'
May 2 11:16:27.804: IKEv2:Found matching IKEv2 profile 'DMVPN-PROF'
May 2 11:16:27.804: IKEv2:not a VPN-SIP session
May 2 11:16:27.804: IKEv2:(SESSION ID = 11,SA ID = 5):Verify peer's policy
May 2 11:16:27.804: IKEv2:(SESSION ID = 11,SA ID = 5):Peer's policy verified
May 2 11:16:27.804: IKEv2:(SA ID = 5):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
May 2 11:16:27.805: IKEv2:(SA ID = 5):[PKI -> IKEv2] Retrieved trustpoint(s): 'my-ca'
May 2 11:16:27.805: IKEv2:(SA ID = 5):[IKEv2 -> PKI] Getting cert chain for the trustpoint my-ca
May 2 11:16:27.806: IKEv2:(SA ID = 5):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
May 2 11:16:27.807: IKEv2:(SESSION ID = 11,SA ID = 5):Get peer's authentication method
May 2 11:16:27.808: IKEv2:(SESSION ID = 11,SA ID = 5):Peer's authentication method is 'RSA'
May 2 11:16:27.809: IKEv2:Validation list created with 1 trustpoints
May 2 11:16:27.809: IKEv2:(SA ID = 5):[IKEv2 -> PKI] Validating certificate chain
May 2 11:16:27.815: IKEv2:(SA ID = 5):[PKI -> IKEv2] Validation of certificate chain PASSED
May 2 11:16:27.815: IKEv2:(SESSION ID = 11,SA ID = 5):Save pubkey
May 2 11:16:27.817: IKEv2:(SESSION ID = 11,SA ID = 5):Verify peer's authentication data
May 2 11:16:27.817: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
May 2 11:16:27.817: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
May 2 11:16:27.817: IKEv2:(SA ID = 5):[IKEv2 -> Crypto Engine] Verify signed authenticaiton data
May 2 11:16:27.819: IKEv2:(SA ID = 5):[Crypto Engine -> IKEv2] Verification of signed authentication data PASSED
May 2 11:16:27.819: IKEv2:(SESSION ID = 11,SA ID = 5):Processing INITIAL_CONTACT
May 2 11:16:27.820: IKEv2:(SESSION ID = 10,SA ID = 4):Queuing SA delete for IC
May 2 11:16:27.820: IKEv2:(SESSION ID = 11,SA ID = 5):Received valid config mode data
May 2 11:16:27.820: IKEv2:Config data recieved:
May 2 11:16:27.820: IKEv2:(SESSION ID = 11,SA ID = 5):Config-type: Config-request
May 2 11:16:27.820: IKEv2:(SESSION ID = 11,SA ID = 5):Attrib type: app-version, length: 255, data: Cisco IOS Software [Fuji], ISR Software (ARMV8EB_LINUX_IOSD-UNIVERSALK9_IAS-M), Version 16.9.2, RELEASE SOFTWARE (fc4) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2018 by Cisco Systems, Inc. Compiled Mon 05-Nov-18 17:42 by mcpre
May 2 11:16:27.820: IKEv2:(SESSION ID = 11,SA ID = 5):Attrib type: split-dns, length: 0
May 2 11:16:27.821: IKEv2:(SESSION ID = 11,SA ID = 5):Attrib type: banner, length: 0
May 2 11:16:27.821: IKEv2:(SESSION ID = 11,SA ID = 5):Attrib type: config-url, length: 0
May 2 11:16:27.821: IKEv2:(SESSION ID = 11,SA ID = 5):Attrib type: backup-gateway, length: 0
May 2 11:16:27.821: IKEv2:(SESSION ID = 11,SA ID = 5):Attrib type: def-domain, length: 0
May 2 11:16:27.821: IKEv2:(SESSION ID = 11,SA ID = 5):Set received config mode data
May 2 11:16:27.821: IKEv2:(SESSION ID = 11,SA ID = 5):Processing IKE_AUTH message
May 2 11:16:27.823: IKEv2:IPSec policy validate request sent for profile DMVPN-PROF with psh index 5.
May 2 11:16:27.823: IKEv2:(SESSION ID = 11,SA ID = 5):
May 2 11:16:27.823: IKEv2:(SESSION ID = 10,SA ID = 4):Sending DELETE INFO message for IKEv2 SA [ISPI: 0x909020A3AF436539 RSPI: 0x93E94AF115BD18FC]
May 2 11:16:27.824: IKEv2:(SESSION ID = 10,SA ID = 4):Building packet for encryption. Payload contents: DELETE
May 2 11:16:27.824: IKEv2:(SESSION ID = 10,SA ID = 4):Checking if request will fit in peer window
May 2 11:16:27.824: IKEv2:(SESSION ID = 10,SA ID = 4):Sending Packet [To 10.1.14.142:500/From 10.1.14.143:500/VRF i0:f0] Initiator SPI : 909020A3AF436539 - Responder SPI : 93E94AF115BD18FC Message id: 0 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: ENCR
May 2 11:16:27.825: IKEv2:(SESSION ID = 10,SA ID = 4):Check for existing active SA
May 2 11:16:27.825: IKEv2:(SESSION ID = 10,SA ID = 4):Delete all IKE SAs
May 2 11:16:27.829: IKEv2:(SA ID = 5):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.
May 2 11:16:27.830: IKEv2-ERROR:Error constructing config reply
May 2 11:16:27.831: IKEv2:(SESSION ID = 11,SA ID = 5):Get my authentication method
May 2 11:16:27.831: IKEv2:(SESSION ID = 11,SA ID = 5):My authentication method is 'RSA'
May 2 11:16:27.831: IKEv2:(SESSION ID = 11,SA ID = 5):Generate my authentication data
May 2 11:16:27.831: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
May 2 11:16:27.831: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
May 2 11:16:27.832: IKEv2:(SESSION ID = 11,SA ID = 5):Get my authentication method
May 2 11:16:27.832: IKEv2:(SESSION ID = 11,SA ID = 5):My authentication method is 'RSA'
May 2 11:16:27.832: IKEv2:(SESSION ID = 11,SA ID = 5):Sign authentication data
May 2 11:16:27.832: IKEv2:(SA ID = 5):[IKEv2 -> PKI] Getting private key
May 2 11:16:27.832: IKEv2:(SA ID = 5):[PKI -> IKEv2] Getting of private key PASSED
May 2 11:16:27.833: IKEv2:(SA ID = 5):[IKEv2 -> Crypto Engine] Sign authentication data
May 2 11:16:27.876: IKEv2:(SA ID = 5):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
May 2 11:16:27.877: IKEv2:(SESSION ID = 11,SA ID = 5):Authentication material has been sucessfully signed
May 2 11:16:27.877: IKEv2:(SESSION ID = 11,SA ID = 5):Generating IKE_AUTH message
May 2 11:16:27.877: IKEv2:(SESSION ID = 11,SA ID = 5):Constructing IDr payload: 'cn=R2.crypto.local' of type 'DER ASN1 DN'
May 2 11:16:27.877: IKEv2:(SESSION ID = 11,SA ID = 5):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), Num. transforms: 3 AES-CBC SHA256 Don't use ESN
May 2 11:16:27.877: IKEv2:(SESSION ID = 11,SA ID = 5):Building packet for encryption. Payload contents: VID IDr CERT AUTH SA TSi TSr NOTIFY(USE_TRANSPORT_MODE) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
May 2 11:16:27.878: IKEv2:(SESSION ID = 11,SA ID = 5):Sending Packet [To 10.1.14.142:500/From 10.1.14.143:500/VRF i0:f0] Initiator SPI : 3CB02D6009507EBA - Responder SPI : 489D42158E57AF15 Message id: 1 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR
May 2 11:16:27.878: IKEv2:(SA ID = 5):[IKEv2 -> PKI] Close PKI Session
May 2 11:16:27.879: IKEv2:(SA ID = 5):[PKI -> IKEv2] Closing of PKI Session PASSED
May 2 11:16:27.879: IKEv2:(SESSION ID = 11,SA ID = 5):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
May 2 11:16:27.879: IKEv2:(SESSION ID = 11,SA ID = 5):Session with IKE ID PAIR (cn=R1.crypto.local, cn=R2.crypto.local) is UP
May 2 11:16:27.880: IKEv2:IKEv2 MIB tunnel started, tunnel index 5
May 2 11:16:27.880: IKEv2:(SESSION ID = 11,SA ID = 5):Load IPSEC key material
May 2 11:16:27.880: IKEv2:(SA ID = 5):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
May 2 11:16:27.897: IKEv2:(SA ID = 5):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
May 2 11:16:27.897: IKEv2:(SESSION ID = 11,SA ID = 5):Checking for duplicate IKEv2 SA
May 2 11:16:27.898: IKEv2:(SESSION ID = 11,SA ID = 5):No duplicate IKEv2 SA found
May 2 11:16:27.898: IKEv2:(SESSION ID = 11,SA ID = 5):Starting timer (8 sec) to delete negotiation context
May 2 11:16:29.772: IKEv2:(SESSION ID = 10,SA ID = 4):Retransmitting packet
May 2 11:16:29.772: IKEv2:(SESSION ID = 10,SA ID = 4):Sending Packet [To 10.1.14.142:500/From 10.1.14.143:500/VRF i0:f0] Initiator SPI : 909020A3AF436539 - Responder SPI : 93E94AF115BD18FC Message id: 0 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: ENCR
May 2 11:16:30.437: IKEv2-ERROR:(SESSION ID = 6,SA ID = 6):: Maximum number of retransmissions reached
May 2 11:16:30.437: IKEv2:(SESSION ID = 6,SA ID = 6):Check for existing active SA
May 2 11:16:30.437: IKEv2:(SESSION ID = 6,SA ID = 6):Deleting SA
May 2 11:16:33.492: IKEv2:(SESSION ID = 10,SA ID = 4):Retransmitting packet
May 2 11:16:33.492: IKEv2:(SESSION ID = 10,SA ID = 4):Sending Packet [To 10.1.14.142:500/From 10.1.14.143:500/VRF i0:f0] Initiator SPI : 909020A3AF436539 - Responder SPI : 93E94AF115BD18FC Message id: 0 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: ENCR
May 2 11:16:41.029: IKEv2:(SESSION ID = 10,SA ID = 4):Retransmitting packet
May 2 11:16:41.030: IKEv2:(SESSION ID = 10,SA ID = 4):Sending Packet [To 10.1.14.142:500/From 10.1.14.143:500/VRF i0:f0] Initiator SPI : 909020A3AF436539 - Responder SPI : 93E94AF115BD18FC Message id: 0 IKEv2 INFORMATIONAL Exchange REQUEST Payload contents: ENCR
Router#no debug crypto ikev2
IKEv2 default debugging is off
Router#debug crypto ipsec
Crypto IPSEC debugging is on
Router#
May 2 11:17:22.666: IPSEC:(SESSION ID = 12) (delete_sa) deleting SA, (sa) sa_dest= 10.1.14.143, sa_proto= 50, sa_spi= 0x585FAE7F(1482665599), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 2021 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 10.1.14.143:0, remote= 10.1.14.142:0, local_proxy= 10.1.14.143/255.255.255.255/47/0, remote_proxy= 10.1.14.142/255.255.255.255/47/0
May 2 11:17:22.667: IPSEC:(SESSION ID = 12) (delete_sa) SA found saving DEL kmi
May 2 11:17:22.667: IPSEC:(SESSION ID = 12) (delete_sa) deleting SA, (sa) sa_dest= 10.1.14.142, sa_proto= 50, sa_spi= 0x484DFB63(1213070179), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 2022 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 10.1.14.143:0, remote= 10.1.14.142:0, local_proxy= 10.1.14.143/255.255.255.255/47/0, remote_proxy= 10.1.14.142/255.255.255.255/47/0
May 2 11:17:22.667: IPSEC:(SESSION ID = 12) (update_current_outbound_sa) updated peer 10.1.14.142 current outbound sa to SPI 0
May 2 11:17:22.667: IPSEC:(SESSION ID = 12) (delete_sa) deleting SA, (sa) sa_dest= 10.1.14.143, sa_proto= 50, sa_spi= 0x585FAE7F(1482665599), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 2021 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 10.1.14.143:0, remote= 10.1.14.142:0, local_proxy= 10.1.14.143/255.255.255.255/47/0, remote_proxy= 10.1.14.142/255.255.255.255/47/0
May 2 11:17:22.668: IPSEC:(SESSION ID = 12) (delete_sa) SA found saving DEL kmi
May 2 11:17:22.668: IPSEC:(SESSION ID = 12) (delete_sa) deleting SA, (sa) sa_dest= 10.1.14.142, sa_proto= 50, sa_spi= 0x484DFB63(1213070179), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 2022 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 10.1.14.143:0, remote= 10.1.14.142:0, local_proxy= 10.1.14.143/255.255.255.255/47/0, remote_proxy= 10.1.14.142/255.255.255.255/47/0
May 2 11:17:22.668: IPSEC(sibling_delete_notify_ident_action): Ident down, not sending DECR/DELETE
May 2 11:17:22.670: IPSEC:(SESSION ID = 12) (ident_update_final_flow_stats) Collect Final Stats and update MIB IPSEC get IKMP peer index from peer 0x7F3D2B5000 ikmp handle 0x0 [ident_update_final_flow_stats] : Flow delete complete event received for flow id 0x24000015,peer index 0
May 2 11:17:22.670: IPSEC:(SESSION ID = 12) (cleanup_tun_decap_oce) unlock and null out Tunnel1 tun_decap_oce 7F3FFAE0B0 from ident 7F3D2AE2A0
May 2 11:17:22.674: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May 2 11:17:22.674: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 5732
May 2 11:17:22.674: IPSEC:(SESSION ID = 12) (key_engine_delete_sas) rec'd delete notify from ISAKMP
May 2 11:17:22.674: IPSEC: still in use sa: 0x0
May 2 11:17:22.674: IPSEC: sa null
May 2 11:17:22.674: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May 2 11:17:22.675: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 5732
May 2 11:17:22.675: IPSEC:(SESSION ID = 12) (key_engine_delete_sas) rec'd delete notify from ISAKMP
May 2 11:17:22.675: IPSEC: still in use sa: 0x0
May 2 11:17:22.675: IPSEC: sa null
May 2 11:17:27.126: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 3, (identity) local= 10.1.14.143:0, remote= 10.1.14.37:0, local_proxy= 0.0.0.0/0.0.0.0/256/0, remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 2 11:17:27.126: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 10.1.14.143:500, remote= 10.1.14.37:500, local_proxy= 0.0.0.0/0.0.0.0/256/0, remote_proxy= 0.0.0.0/0.0.0.0/256/0, protocol= ESP, transform= esp-aes 256 esp-sha256-hmac (Tunnel), lifedur= 3600s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
May 2 11:17:37.808: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May 2 11:17:37.808: IPSEC(validate_proposal_request): proposal part #1
May 2 11:17:37.808: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 10.1.14.143:0, remote= 10.1.14.142:0, local_proxy= 10.1.14.143/255.255.255.255/47/0, remote_proxy= 10.1.14.142/255.255.255.255/47/0, protocol= ESP, transform= esp-aes 256 esp-sha256-hmac (Transport), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
May 2 11:17:37.809: map_db_check_isakmp_profile profile did not match, ike passed profile : DMVPN-PROF, map_ike_profile: profile, head_ike_profile: profile
May 2 11:17:37.809: Crypto mapdb : proxy_match src addr : 10.1.14.143 dst addr : 10.1.14.142 protocol : 47 src port : 0 dst port : 0
May 2 11:17:37.809: map_db_check_isakmp_profile profile did not match, ike passed profile : DMVPN-PROF, map_ike_profile: profile, head_ike_profile: profile
May 2 11:17:37.809: Crypto mapdb : proxy_match src addr : 10.1.14.143 dst addr : 10.1.14.142 protocol : 47 src port : 0 dst port : 0
May 2 11:17:37.809: map_db_check_isakmp_profile profile did not match, ike passed profile : DMVPN-PROF, map_ike_profile: profile, head_ike_profile: profile
May 2 11:17:37.809: map_db_find_best did not find matching map
May 2 11:17:37.809: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
May 2 11:17:37.811: IPSEC:(SESSION ID = 12) (recalculate_mtu) reset sadb_root 7F3D2A66C0 mtu to 1500
May 2 11:17:37.812: Crypto mapdb : proxy_match src addr : 10.1.14.143 dst addr : 10.1.14.142 protocol : 47 src port : 0 dst port : 0
May 2 11:17:37.813: (ipsec_process_proposal)Map Accepted: Tunnel1-head-0, 65537
May 2 11:17:37.858: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May 2 11:17:37.858: Crypto mapdb : proxy_match src addr : 10.1.14.143 dst addr : 10.1.14.142 protocol : 47 src port : 0 dst port : 0
May 2 11:17:37.859: IPSEC:(SESSION ID = 13) (crypto_ipsec_create_ipsec_sas) Map found Tunnel1-head-0, 65537
May 2 11:17:37.859: IPSEC:(SESSION ID = 13) (crypto_ipsec_sa_find_ident_head) reconnecting with the same proxies and peer 10.1.14.142
TBAR_DBG ident_prep_create_sa: after initilize settings for time-based antireplay: do_ipd3p=0, ipd3p_type=0, win-size=0, do_tbar=0
May 2 11:17:37.859: IPSEC:(SESSION ID = 13) (crypto_ipsec_update_ident_tunnel_decap_oce) updating Tunnel1 ident 7F3D2AE2A0 with tun_decap_oce 7F3FFAE0B0
May 2 11:17:37.860: IPSEC:(SESSION ID = 13) (get_old_outbound_sa_for_peer) No outbound SA found for peer 7F3D2B5000
May 2 11:17:37.860: IPSEC:(SESSION ID = 13) (create_sa) sa created, (sa) sa_dest= 10.1.14.143, sa_proto= 50, sa_spi= 0xA01B6D84(2686152068), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 2023 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 10.1.14.143:0, remote= 10.1.14.142:0, local_proxy= 10.1.14.143/255.255.255.255/47/0, remote_proxy= 10.1.14.142/255.255.255.255/47/0
May 2 11:17:37.860: IPSEC:(SESSION ID = 13) (create_sa) sa created, (sa) sa_dest= 10.1.14.142, sa_proto= 50, sa_spi= 0xECCD22F0(3972866800), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 2024 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 10.1.14.143:0, remote= 10.1.14.142:0, local_proxy= 10.1.14.143/255.255.255.255/47/0, remote_proxy= 10.1.14.142/255.255.255.255/47/0
Router#
May 2 11:17:57.125: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 4, (identity) local= 10.1.14.143:0, remote= 10.1.14.37:0, local_proxy= 0.0.0.0/0.0.0.0/256/0, remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 2 11:17:57.126: IPSEC(sa_request): , (key eng. msg.)
OUTBOUND local= 10.1.14.143:500, remote= 10.1.14.37:500, local_proxy= 0.0.0.0/0.0.0.0/256/0, remote_proxy= 0.0.0.0/0.0.0.0/256/0, protocol= ESP, transform= esp-aes 256 esp-sha256-hmac (Tunnel), lifedur= 3600s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0 May 2 11:18:07.788: IPSEC(key_engine): got a queue event with 1 KMI message(s) May 2 11:18:07.788: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 5732 May 2 11:18:07.788: IPSEC:(SESSION ID = 13) (key_engine_delete_sas) rec'd delete notify from ISAKMP May 2 11:18:07.789: IPSEC: still in use sa: 0x7F3D2B7968 May 2 11:18:07.789: IPSEC:(SESSION ID = 13) (key_engine_delete_sas) delete SA with spi 0xA01B6D84 proto 50 for 10.1.14.143 May 2 11:18:07.789: IPSEC:(SESSION ID = 13) (delete_sa) deleting SA, (sa) sa_dest= 10.1.14.143, sa_proto= 50, sa_spi= 0xA01B6D84(2686152068), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 2023 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 10.1.14.143:0, remote= 10.1.14.142:0, local_proxy= 10.1.14.143/255.255.255.255/47/0, remote_proxy= 10.1.14.142/255.255.255.255/47/0 May 2 11:18:07.789: IPSEC:(SESSION ID = 13) (delete_sa) deleting SA, (sa) sa_dest= 10.1.14.142, sa_proto= 50, sa_spi= 0xECCD22F0(3972866800), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 2024 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 10.1.14.143:0, remote= 10.1.14.142:0, local_proxy= 10.1.14.143/255.255.255.255/47/0, remote_proxy= 10.1.14.142/255.255.255.255/47/0 May 2 11:18:07.790: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS May 2 11:18:07.791: IPSEC(key_engine): got a queue event with 1 KMI message(s) May 2 11:18:07.792: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 5732 May 2 11:18:07.792: IPSEC:(SESSION ID = 13) (key_engine_delete_sas) rec'd delete notify from ISAKMP May 2 11:18:07.792: IPSEC: still in use sa: 0x0 May 2 11:18:07.792: IPSEC: sa null May 2 11:18:07.792: IPSEC(key_engine): got a queue event with 1 KMI message(s) May 2 
11:18:07.792: IPSEC(validate_proposal_request): proposal part #1 May 2 11:18:07.792: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 10.1.14.143:0, remote= 10.1.14.142:0, local_proxy= 10.1.14.143/255.255.255.255/47/0, remote_proxy= 10.1.14.142/255.255.255.255/47/0, protocol= ESP, transform= esp-aes 256 esp-sha256-hmac (Transport), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0 May 2 11:18:07.793: map_db_check_isakmp_profile profile did not match, ike passed profile : DMVPN-PROF, map_ike_profile: profile, head_ike_profile: profile May 2 11:18:07.793: Crypto mapdb : proxy_match src addr : 10.1.14.143 dst addr : 10.1.14.142 protocol : 47 src port : 0 dst port : 0 May 2 11:18:07.793: map_db_check_isakmp_profile profile did not match, ike passed profile : DMVPN-PROF, map_ike_profile: profile, head_ike_profile: profile May 2 11:18:07.793: Crypto mapdb : proxy_match src addr : 10.1.14.143 dst addr : 10.1.14.142 protocol : 47 src port : 0 dst port : 0 May 2 11:18:07.793: map_db_check_isakmp_profile profile did not match, ike passed profile : DMVPN-PROF, map_ike_profile: profile, head_ike_profile: profile May 2 11:18:07.793: map_db_find_best did not find matching map May 2 11:18:07.793: Crypto mapdb : proxy_match src addr : 10.1.14.143 dst addr : 10.1.14.142 protocol : 47 src port : 0 dst port : 0 May 2 11:18:07.793: (ipsec_process_proposal)Map Accepted: Tunnel1-head-0, 65537 May 2 11:18:07.839: IPSEC(key_engine): got a queue event with 1 KMI message(s) May 2 11:18:07.839: Crypto mapdb : proxy_match src addr : 10.1.14.143 dst addr : 10.1.14.142 protocol : 47 src port : 0 dst port : 0 May 2 11:18:07.840: IPSEC:(SESSION ID = 14) (crypto_ipsec_create_ipsec_sas) Map found Tunnel1-head-0, 65537 May 2 11:18:07.840: IPSEC:(SESSION ID = 14) (ident_delete_notify_kmi) Failed to send KEY_ENG_DELETE_SAS May 2 11:18:07.840: IPSEC:(SESSION ID = 14) (ident_update_final_flow_stats) Collect Final Stats and update MIB IPSEC get IKMP 
peer index from peer 0x7F3D2B5000 ikmp handle 0x0 [ident_update_final_flow_stats] : Flow delete complete event received for flow id 0x24000017,peer index 0 TBAR_DBG ident_prep_create_sa: after initilize settings for time-based antireplay: do_ipd3p=0, ipd3p_type=0, win-size=0, do_tbar=0 May 2 11:18:07.841: IPSEC:(SESSION ID = 14) (get_old_outbound_sa_for_peer) No outbound SA found for peer 7F3D2B5000 May 2 11:18:07.841: IPSEC:(SESSION ID = 14) (create_sa) sa created, (sa) sa_dest= 10.1.14.143, sa_proto= 50, sa_spi= 0xA86A05BB(2825520571), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 2025 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 10.1.14.143:0, remote= 10.1.14.142:0, local_proxy= 10.1.14.143/255.255.255.255/47/0, remote_proxy= 10.1.14.142/255.255.255.255/47/0 May 2 11:18:07.842: IPSEC:(SESSION ID = 14) (create_sa) sa created, (sa) sa_dest= 10.1.14.142, sa_proto= 50, sa_spi= 0xD1894888(3515435144), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 2026 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 10.1.14.143:0, remote= 10.1.14.142:0, local_proxy= 10.1.14.143/255.255.255.255/47/0, remote_proxy= 10.1.14.142/255.255.255.255/47/0 Router#debug crypto ipsec ? 
error IPSEC errors ha IPSEC High Availability hw-request IPSEC hw-request message IPSEC message metadata CTS metadata states IPSEC states Router#debug crypto ipsec err Router#debug crypto ipsec error Crypto IPSEC Error debugging is on Router#debug crypto ipsec error  ndebug crypto ipsec odebug crypto ipsec  debug crypto ipsec  Crypto IPSEC debugging is off Crypto IPSEC (detailed) debugging is off Router# May 2 11:18:37.811: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS May 2 11:18:37.812: IPSEC: sa null May 2 11:18:37.812: map_db_check_isakmp_profile profile did not match, ike passed profile : DMVPN-PROF, map_ike_profile: profile, head_ike_profile: profile May 2 11:18:37.812: map_db_check_isakmp_profile profile did not match, ike passed profile : DMVPN-PROF, map_ike_profile: profile, head_ike_profile: profile May 2 11:18:37.812: map_db_check_isakmp_profile profile did not match, ike passed profile : DMVPN-PROF, map_ike_profile: profile, head_ike_profile: profile May 2 11:18:37.812: map_db_find_best did not find matching map May 2 11:19:07.788: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS May 2 11:19:07.789: IPSEC: sa null May 2 11:19:07.789: map_db_check_isakmp_profile profile did not match, ike passed profile : DMVPN-PROF, map_ike_profile: profile, head_ike_profile: profile May 2 11:19:07.790: map_db_check_isakmp_profile profile did not match, ike passed profile : DMVPN-PROF, map_ike_profile: profile, head_ike_profile: profile May 2 11:19:07.790: map_db_check_isakmp_profile profile did not match, ike passed profile : DMVPN-PROF, map_ike_profile: profile, head_ike_profile: profile May 2 11:19:07.790: map_db_find_best did not find matching map Router#no debug crypto ipsec debug crypto ipsec error  May 2 11:19:19.664: IPSEC(sibling_delete_notify_ident_action): Ident down, not sending DECR/DELETE May 2 11:19:19.669: IPSEC: sa null May 2 11:19:19.669: IPSEC: sa nullndebug crypto ipsec error odebug crypto ipsec error  debug crypto 
ipsec error  Crypto IPSEC Error debugging is off Crypto IPSEC (detailed) debugging is off Router# Router#sh cry isa pro Router#sh cry isa profile Router#sh cry isa profile  profile  profile  profile i profile k profile e profile  IKEv2 profile: profile Ref Count: 5 Match criteria: Fvrf: global Local address/interface: none Identities: none Certificate maps: my-map Local identity: DN Remote identity: none Local authentication method: rsa-sig Remote authentication method(s): rsa-sig EAP options: none Keyring: none Trustpoint(s): my-ca Lifetime: 86400 seconds DPD: disabled NAT-keepalive: disabled Ivrf: none Virtual-template: none mode auto: none --More--   AAA AnyConnect EAP authentication mlist: none AAA EAP authentication mlist: none AAA Accounting: none AAA group authorization: none AAA user authorization: none IKEv2 profile: DMVPN-PROF Ref Count: 5 Description: DMVPN-IKE2 profile Match criteria: Fvrf: global Local address/interface: none Identities: none Certificate maps: dmvpn-map Local identity: DN Remote identity: none Local authentication method: rsa-sig Remote authentication method(s): rsa-sig EAP options: none Keyring: none Trustpoint(s): my-ca --More--   Lifetime: 86400 seconds DPD: disabled NAT-keepalive: disabled Ivrf: none Virtual-template: none mode auto: none AAA AnyConnect EAP authentication mlist: none AAA EAP authentication mlist: none AAA Accounting: none AAA group authorization: none AAA user authorization: none Router#sh run | sec map crypto pki certificate map my-map 9 subject-name co pa_fw subject-name co crypto.local crypto pki certificate map dmvpn-map 10 subject-name co crypto.local match certificate my-map match certificate dmvpn-map Router#config t Enter configuration commands, one per line. End with CNTL/Z. 
Router(config)#crypto pki certificate map my-map 9 Router(ca-certificate-map)#no  no sub Router(ca-certificate-map)#no subject-name co crypto.local Router(ca-certificate-map)# Router(ca-certificate-map)#end Router#sh May 2 11:24:09.301: %SYS-5-CONFIG_I: Configured from console by consolecry Router#sh crypto ik Router#sh crypto ikev2 sa IPv4 Crypto IKEv2 SA Tunnel-id Local Remote fvrf/ivrf Status 1 10.1.14.143/500 10.1.14.142/500 none/none DELETE Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: RSA, Auth verify: RSA Life/Active Time: 86400/46 sec Tunnel-id Local Remote fvrf/ivrf Status 5 10.1.14.143/500 10.1.14.142/500 none/none DELETE Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: RSA, Auth verify: RSA Life/Active Time: 86400/106 sec Tunnel-id Local Remote fvrf/ivrf Status 3 10.1.14.143/500 10.1.14.142/500 none/none DELETE Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: RSA, Auth verify: RSA --More--   Life/Active Time: 86400/146 sec Tunnel-id Local Remote fvrf/ivrf Status 4 10.1.14.143/500 10.1.14.142/500 none/none READY Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: RSA, Auth verify: RSA Life/Active Time: 86400/16 sec IPv6 Crypto IKEv2 SA Router#sh crypto ikev2 sa IPv4 Crypto IKEv2 SA Tunnel-id Local Remote fvrf/ivrf Status 1 10.1.14.143/500 10.1.14.142/500 none/none DELETE Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: RSA, Auth verify: RSA Life/Active Time: 86400/55 sec Tunnel-id Local Remote fvrf/ivrf Status 5 10.1.14.143/500 10.1.14.142/500 none/none DELETE Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: RSA, Auth verify: RSA Life/Active Time: 86400/115 sec Tunnel-id Local Remote fvrf/ivrf Status 3 10.1.14.143/500 10.1.14.142/500 none/none DELETE Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: RSA, Auth verify: RSA --More--   Life/Active Time: 
86400/155 sec Tunnel-id Local Remote fvrf/ivrf Status 4 10.1.14.143/500 10.1.14.142/500 none/none READY Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: RSA, Auth verify: RSA Life/Active Time: 86400/25 sec IPv6 Crypto IKEv2 SA Router#config t Enter configuration commands, one per line. End with CNTL/Z. Router(config)#do sh run | sec ? LINE Regular Expression exclude Exclude entire section(s) of output include Include entire section(s) of output Router(config)#do sh run | sec profile crypto ikev2 profile profile match certificate my-map identity local dn authentication remote rsa-sig authentication local rsa-sig pki trustpoint my-ca crypto ikev2 profile DMVPN-PROF description DMVPN-IKE2 profile match certificate dmvpn-map identity local dn authentication remote rsa-sig authentication local rsa-sig pki trustpoint my-ca crypto ipsec profile DMVPN-IPSEC set transform-set DMVPN-TS set ikev2-profile DMVPN-PROF crypto ipsec profile IPSec set transform-set TS set ikev2-profile profile tunnel protection ipsec profile IPSec tunnel protection ipsec profile DMVPN-IPSEC pnp profile pnp_cco_profile transport https ipv4 52.203.231.173 port 443 --More--  Router(config)#crypto ikev2 profile DMVPN-PROF Router(config-ikev2-profile)#no loc   iden Router(config-ikev2-profile)#no identity lo Router(config-ikev2-profile)#no identity local dn Router(config-ikev2-profile)#no identity local dn Router(config-ikev2-profile)#do sh dmvpn Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete N - NATed, L - Local, X - No Socket T1 - Route Installed, T2 - Nexthop-override C - CTS Capable, I2 - Temporary # Ent --> Number of NHRP entries with same NBMA peer NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting UpDn Time --> Up or Down Time for a Tunnel ========================================================================== Interface: Tunnel1, IPv4 NHRP Details Type:Hub, NHRP Peers:1, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- 
--------------- --------------- ----- -------- ----- 1 10.1.14.142 192.168.202.2 UP 00:00:23 D Router(config-ikev2-profile)#do wr Building configuration... [OK] Router(config-ikev2-profile)# May 2 11:33:04.837: %SYS-2-PRIVCFG_ENCRYPT: Successfully encrypted private config file Router(config-ikev2-profile)#end Router#sh May 2 11:33:50.867: %SYS-5-CONFIG_I: Configured from console by consolentp asso address ref clock st when poll reach delay offset disp *~10.1.7.2 202.156.0.34 2 66 128 377 1.358 4.239 3.855 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured Router#sh ip int bri Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0/0 unassigned YES unset administratively down down GigabitEthernet0/0/1 10.1.14.143 YES manual up up GigabitEthernet0/1/0 unassigned YES unset down down GigabitEthernet0/1/1 unassigned YES unset down down GigabitEthernet0/1/2 unassigned YES unset down down GigabitEthernet0/1/3 unassigned YES unset down down Tunnel0 1.1.1.6 YES manual up down Tunnel1 192.168.202.1 YES manual up up Vlan1 unassigned YES unset up down Router#wr Building configuration... [OK] Router# May 2 11:34:55.104: %SYS-2-PRIVCFG_ENCRYPT: Successfully encrypted private config file Router con0 is now available Press RETURN to get started. Router> Router> Router> Router>sh Router>show ? aaa Show AAA values accounting Show accounting adjacency Adjacent nodes alg ALG information ancp ANCP information appfw Application Firewall information aps APS information arp ARP table auto Show Automation Template autonomic Autonomic Networking backup Backup status banner Display banner information bfd BFD protocol info bgp BGP information bootvar Boot and related environment variable bridge-domain Bridge-domain call Show call call-home Show command for call home capability Capability Information cca CCA information cdapi CDAPI information class-map Show CPL Class Map --More--   Router>show Router>sh  en Router#sh ? 
aaa Show AAA values access-expression List access expression access-lists List access lists access-session Show access-session Information accounting Show accounting adjacency Adjacent nodes alg ALG information aliases Display alias commands alignment Show alignment information ancp ANCP information app-hosting Application hosting related informations appfw Application Firewall information application Application Routing aps APS information archive Archive functions arp ARP table async Information on terminal lines used as router interfaces authentication Show authentication (access-session) Information auto Show Automation Template autonomic Autonomic Networking avc Application visibility and control --More--   Router#sh Router#sh ntp asso Router#sh ntp associations address ref clock st when poll reach delay offset disp *~10.1.7.2 202.156.0.34 2 51 512 377 1.370 1.060 1.704 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured Router#sh ntp associations address ref clock st when poll reach delay offset disp *~10.1.7.2 202.156.0.34 2 180 512 377 1.323 0.837 1.065 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured Router#sh ntp associations address ref clock st when poll reach delay offset disp *~10.1.7.2 202.156.0.34 2 187 512 377 1.323 0.837 1.065 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured Router#sh ntp associations address ref clock st when poll reach delay offset disp *~10.1.7.2 202.156.0.34 2 190 512 377 1.323 0.837 1.065 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured Router#sh ntp associations address ref clock st when poll reach delay offset disp *~10.1.7.2 202.156.0.34 2 191 512 377 1.323 0.837 1.065 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured Router#sh ntp associations address ref clock st when poll reach delay offset disp *~10.1.7.2 202.156.0.34 2 192 512 377 1.323 0.837 1.065 * sys.peer, # selected, + candidate, - 
outlyer, x falseticker, ~ configured Router#sh ntp associations address ref clock st when poll reach delay offset disp *~10.1.7.2 202.156.0.34 2 193 512 377 1.323 0.837 1.065 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured Router# Router con0 is now available Press RETURN to get started. Router> Router> Router>wr % Bad IP address or host name% Unknown command or computer name, or unable to find computer address Router>en Router#config t Enter configuration commands, one per line. End with CNTL/Z. Router(config)#userna Router(config)#username admin pass Router(config)#username admin password admin WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type Router(config)# May 2 13:13:05.580: %AAAA-4-CLI_DEPRECATED: WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type Router(config)#lin Router(config)#line v Router(config)#line vty 0 4 Router(config-line)#tr Router(config-line)#transport in Router(config-line)#transport input ss Router(config-line)#transport input ssh Router(config-line)#tr Router(config-line)#transport           lo Router(config-line)#log Router(config-line)#login Router(config-line)#login l Router(config-line)#login local Router(config-line)#do wr Building configuration... [OK] Router(config-line)#exit May 2 13:13:35.499: %SYS-2-PRIVCFG_ENCRYPT: Successfully encrypted private config file Router(config)#exit Router#do sh May 2 13:13:38.694: %SYS-5-CONFIG_I: Configured from console by consolentp ^ % Invalid input detected at '^' marker. 
Router#do sh ik Router#do sh ik        sh cry Router#sh crypto ik Router#sh crypto ikev2 sa IPv4 Crypto IKEv2 SA Tunnel-id Local Remote fvrf/ivrf Status 5 10.1.14.143/500 10.1.14.142/500 none/none READY Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: RSA, Auth verify: RSA Life/Active Time: 86400/6085 sec IPv6 Crypto IKEv2 SA Router#sh dmvpn Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete N - NATed, L - Local, X - No Socket T1 - Route Installed, T2 - Nexthop-override C - CTS Capable, I2 - Temporary # Ent --> Number of NHRP entries with same NBMA peer NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting UpDn Time --> Up or Down Time for a Tunnel ========================================================================== Interface: Tunnel1, IPv4 NHRP Details Type:Hub, NHRP Peers:1, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 1 10.1.14.142 192.168.202.2 UP 01:41:29 D Router#do sh cryp Router#do sh cryp          sh ip int bri Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0/0 unassigned YES unset administratively down down GigabitEthernet0/0/1 10.1.14.143 YES manual up up GigabitEthernet0/1/0 unassigned YES unset down down GigabitEthernet0/1/1 unassigned YES unset down down GigabitEthernet0/1/2 unassigned YES unset down down GigabitEthernet0/1/3 unassigned YES unset down down Tunnel0 1.1.1.6 YES manual up down Tunnel1 192.168.202.1 YES manual up up Vlan1 unassigned YES unset up down Router#sh ip int bri Interface IP-Address OK? 
Method Status Protocol GigabitEthernet0/0/0 unassigned YES unset administratively down down GigabitEthernet0/0/1 10.1.14.143 YES manual up up GigabitEthernet0/1/0 unassigned YES unset down down GigabitEthernet0/1/1 unassigned YES unset down down GigabitEthernet0/1/2 unassigned YES unset down down GigabitEthernet0/1/3 unassigned YES unset down down Tunnel0 1.1.1.6 YES manual up down Tunnel1 192.168.202.1 YES manual up up Vlan1 unassigned YES unset up down Router#sh ip int bri Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0/0 unassigned YES unset administratively down down GigabitEthernet0/0/1 10.1.14.143 YES manual up up GigabitEthernet0/1/0 unassigned YES unset down down GigabitEthernet0/1/1 unassigned YES unset down down GigabitEthernet0/1/2 unassigned YES unset down down GigabitEthernet0/1/3 unassigned YES unset down down Tunnel0 1.1.1.6 YES manual up down Tunnel1 192.168.202.1 YES manual up up Vlan1 unassigned YES unset up down Router#sh ip int bri Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0/0 unassigned YES unset administratively down down GigabitEthernet0/0/1 10.1.14.143 YES manual up up GigabitEthernet0/1/0 unassigned YES unset down down GigabitEthernet0/1/1 unassigned YES unset down down GigabitEthernet0/1/2 unassigned YES unset down down GigabitEthernet0/1/3 unassigned YES unset down down Tunnel0 1.1.1.6 YES manual up down Tunnel1 192.168.202.1 YES manual up up Vlan1 unassigned YES unset up down Router#sh ip int bri Interface IP-Address OK? 
Method Status Protocol GigabitEthernet0/0/0 unassigned YES unset administratively down down GigabitEthernet0/0/1 10.1.14.143 YES manual up up GigabitEthernet0/1/0 unassigned YES unset down down GigabitEthernet0/1/1 unassigned YES unset down down GigabitEthernet0/1/2 unassigned YES unset down down GigabitEthernet0/1/3 unassigned YES unset down down Tunnel0 1.1.1.6 YES manual up down Tunnel1 192.168.202.1 YES manual up up Vlan1 unassigned YES unset up down Router#config t Enter configuration commands, one per line. End with CNTL/Z. Router(config)#