Mar 9 19:02:15.816: IKEv2:found matching IKEv2 profile 'POC-IKEV2-PROFILE-01'
*Mar 9 19:02:15.816: IKEv2:Searching Policy with fvrf 0, local address 192.168.100.234
*Mar 9 19:02:15.816: IKEv2:Found Policy 'POC-POL-01'
*Mar 9 19:02:15.816: IKEv2:(SESSION ID = 556,SA ID = 11):Verify peer's policy
*Mar 9 19:02:15.817: IKEv2:(SESSION ID = 556,SA ID = 11):Peer's policy verified
*Mar 9 19:02:15.817: IKEv2:(SESSION ID = 556,SA ID = 11):Get peer's authentication method
*Mar 9 19:02:15.817: IKEv2:(SESSION ID = 556,SA ID = 11):Peer's authentication method is 'PSK'
*Mar 9 19:02:15.817: IKEv2:(SESSION ID = 556,SA ID = 11):Get peer's preshared key for 192.168.200.132
*Mar 9 19:02:15.817: IKEv2:(SESSION ID = 556,SA ID = 11):Verify peer's authentication data
*Mar 9 19:02:15.817: IKEv2:(SESSION ID = 556,SA ID = 11):Use preshared key for id 192.168.200.132, key len 14
*Mar 9 19:02:15.817: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Mar 9 19:02:15.817: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Mar 9 19:02:15.817: IKEv2:(SESSION ID = 556,SA ID = 11):Verification of peer's authenctication data PASSED
*Mar 9 19:02:15.817: IKEv2:(SESSION ID = 556,SA ID = 11):Processing INITIAL_CONTACT
*Mar 9 19:02:15.817: IKEv2:Using mlist default and username FLEX-AUTH-POL-01 for group author request
*Mar 9 19:02:15.817: IKEv2:(SA ID = 11):[IKEv2 -> AAA] Authorisation request sent
*Mar 9 19:02:15.828: IKEv2:(SA ID = 11):[AAA -> IKEv2] Received AAA authorisation response
*Mar 9 19:02:15.830: IKEv2:(SESSION ID = 556,SA ID = 11):Received valid config mode data
*Mar 9 19:02:15.831: IKEv2:Config data recieved:
*Mar 9 19:02:15.831: IKEv2:(SESSION ID = 556,SA ID = 11):Config-type: Config-request
*Mar 9 19:02:15.831: IKEv2:(SESSION ID = 556,SA ID = 11):Attrib type: ipv4-dns, length: 0
*Mar 9 19:02:15.831: IKEv2:(SESSION ID = 556,SA ID = 11):Attrib type: ipv4-dns, length: 0
*Mar 9 19:02:15.831: IKEv2:(SESSION ID = 556,SA ID = 11):Attrib type: ipv4-nbns, length: 0
*Mar 9 19:02:15.831: IKEv2:(SESSION ID = 556,SA ID = 11):Attrib type: ipv4-nbns, length: 0
*Mar 9 19:02:15.831: IKEv2:(SESSION ID = 556,SA ID = 11):Attrib type: ipv4-subnet, length: 0
*Mar 9 19:02:15.831: IKEv2:(SESSION ID = 556,SA ID = 11):Attrib type: ipv6-dns, length: 0
*Mar 9 19:02:15.831: IKEv2:(SESSION ID = 556,SA ID = 11):Attrib type: ipv6-subnet, length: 0
*Mar 9 19:02:15.831: IKEv2:(SESSION ID = 556,SA ID = 11):Attrib type: app-version, length: 241, data: Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.5(3)M, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2015 by Cisco Systems, Inc. Compiled Wed 22-Jul-15 23:59 by prod_rel_team
*Mar 9 19:02:15.831: IKEv2:(SESSION ID = 556,SA ID = 11):Attrib type: split-dns, length: 0
*Mar 9 19:02:15.831: IKEv2:(SESSION ID = 556,SA ID = 11):Attrib type: banner, length: 0
*Mar 9 19:02:15.831: IKEv2:(SESSION ID = 556,SA ID = 11):Attrib type: config-url, length: 0
*Mar 9 19:02:15.831: IKEv2:(SESSION ID = 556,SA ID = 11):Attrib type: backup-gateway, length: 0
*Mar 9 19:02:15.831: IKEv2:(SESSION ID = 556,SA ID = 11):Attrib type: def-domain, length: 0
*Mar 9 19:02:15.831: IKEv2:(SESSION ID = 556,SA ID = 11):Set received config mode data
*Mar 9 19:02:15.831: IKEv2:(SESSION ID = 556,SA ID = 11):Processing IKE_AUTH message
*Mar 9 19:02:15.838: IKEv2:% DVTI create request sent for profile POC-IKEV2-PROFILE-01 with PSH index 11.
*Mar 9 19:02:15.838: IKEv2:(SESSION ID = 556,SA ID = 11):
*Mar 9 19:02:16.562: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 9 19:02:16.733: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 9 19:02:17.319: IKEv2:(SESSION ID = 545,SA ID = 1):Verification of peer's authentication data FAILED
*Mar 9 19:02:17.319: IKEv2:(SESSION ID = 545,SA ID = 1):Sending authentication failure notify
*Mar 9 19:02:17.319: IKEv2:(SESSION ID = 545,SA ID = 1):Building packet for encryption. Payload contents: NOTIFY(AUTHENTICATION_FAILED)
*Mar 9 19:02:17.319: IKEv2:(SESSION ID = 545,SA ID = 1):Sending Packet [To 78.101.19.39:4500/From 192.168.100.234:4500/VRF i0:f0] Initiator SPI : 0D4AF1B76C3581A2 - Responder SPI : 5CE1AE2AF313AE5C Message id: 1 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR
*Mar 9 19:02:17.319: IKEv2:(SESSION ID = 545,SA ID = 1):Auth exchange failed
*Mar 9 19:02:17.320: IKEv2-ERROR:(SESSION ID = 545,SA ID = 1):: Auth exchange failed
*Mar 9 19:02:17.320: IKEv2:(SESSION ID = 545,SA ID = 1):Abort exchange
*Mar 9 19:02:17.320: IKEv2:(SESSION ID = 545,SA ID = 1):Deleting SA
*Mar 9 19:02:19.174: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI
*Mar 9 19:02:19.174: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 89.211.110.18:4500/To 192.168.100.234:4500/VRF i0:f0] Initiator SPI : CAD1AC6594B06B33 - Responder SPI : 8E1132AC435C59DD Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST
*Mar 9 19:02:19.175: IKEv2-ERROR:: A supplied parameter is incorrect
*Mar 9 19:02:19.317: IKEv2:Received Packet [From 89.211.235.251:500/To 192.168.100.234:500/VRF i0:f0] Initiator SPI : E248A8D73C3640F1 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Mar 9 19:02:19.318: IKEv2:(SESSION ID = 557,SA ID = 1):Verify SA init message
*Mar 9 19:02:19.318: IKEv2:(SESSION ID = 557,SA ID = 1):Insert SA
*Mar 9 19:02:19.318: IKEv2:Searching Policy with fvrf 0, local address 192.168.100.234
*Mar 9 19:02:19.318: IKEv2:Found Policy 'POC-POL-01'
*Mar 9 19:02:19.318: IKEv2:(SESSION ID = 557,SA ID = 1):Processing IKE_SA_INIT message
*Mar 9 19:02:19.327: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Mar 9 19:02:19.327: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Mar 9 19:02:19.327: IKEv2:Failed to retrieve Certificate Issuer list
*Mar 9 19:02:19.332: IKEv2:(SESSION ID = 557,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Mar 9 19:02:19.333: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Mar 9 19:02:19.333: IKEv2:(SESSION ID = 557,SA ID = 1):Request queued for computation of DH key
*Mar 9 19:02:19.333: IKEv2:(SESSION ID = 557,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Mar 9 19:02:19.338: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Mar 9 19:02:19.338: IKEv2:(SESSION ID = 557,SA ID = 1):Request queued for computation of DH secret
*Mar 9 19:02:19.338: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Mar 9 19:02:19.339: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Mar 9 19:02:19.339: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Mar 9 19:02:19.339: IKEv2:(SESSION ID = 557,SA ID = 1):Generating IKE_SA_INIT message
*Mar 9 19:02:19.339: IKEv2:(SESSION ID = 557,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_256_ECP/Group 19
*Mar 9 19:02:19.339: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Mar 9 19:02:19.339: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Mar 9 19:02:19.339: IKEv2:Failed to retrieve Certificate Issuer list
*Mar 9 19:02:19.344: IKEv2:(SESSION ID = 557,SA ID = 1):Sending Packet [To 89.211.235.251:500/From 192.168.100.234:500/VRF i0:f0] Initiator SPI : E248A8D73C3640F1 - Responder SPI : F38D867FA87C4BD0 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Mar 9 19:02:19.344: IKEv2:(SESSION ID = 557,SA ID = 1):Completed SA init exchange
*Mar 9 19:02:19.344: IKEv2:(SESSION ID = 557,SA ID = 1):Starting timer (30 sec) to wait for auth message
*Mar 9 19:02:19.378: IKEv2:(SESSION ID = 557,SA ID = 1):Received Packet [From 89.211.235.251:4500/To 192.168.100.234:500/VRF i0:f0] Initiator SPI : E248A8D73C3640F1 - Responder SPI : F38D867FA87C4BD0 Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: VID IDi AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Mar 9 19:02:19.378: IKEv2:(SESSION ID = 557,SA ID = 1):Stopping timer to wait for auth message
*Mar 9 19:02:19.378: IKEv2:(SESSION ID = 557,SA ID = 1):Checking NAT discovery
*Mar 9 19:02:19.378: IKEv2:(SESSION ID = 557,SA ID = 1):NAT INSIDE found
*Mar 9 19:02:19.379: IKEv2:(SESSION ID = 557,SA ID = 1):NAT detected float to init port 4500, resp port 4500
*Mar 9 19:02:19.379: IKEv2:(SESSION ID = 557,SA ID = 1):Searching policy based on peer's identity '192.168.100.144' of type 'IPv4 address'
*Mar 9 19:02:19.379: IKEv2:found matching IKEv2 profile 'POC-IKEV2-PROFILE-01'
*Mar 9 19:02:19.379: IKEv2:Searching Policy with fvrf 0, local address 192.168.100.234
*Mar 9 19:02:19.379: IKEv2:Found Policy 'POC-POL-01'
*Mar 9 19:02:19.379: IKEv2:(SESSION ID = 557,SA ID = 1):Verify peer's policy
*Mar 9 19:02:19.379: IKEv2:(SESSION ID = 557,SA ID = 1):Peer's policy verified
*Mar 9 19:02:19.379: IKEv2:(SESSION ID = 557,SA ID = 1):Get peer's authentication method
*Mar 9 19:02:19.379: IKEv2:(SESSION ID = 557,SA ID = 1):Peer's authentication method is 'PSK'
*Mar 9 19:02:19.379: IKEv2:(SESSION ID = 557,SA ID = 1):Get peer's preshared key for 192.168.100.144
*Mar 9 19:02:19.379: IKEv2:(SESSION ID = 557,SA ID = 1):Verify peer's authentication data
*Mar 9 19:02:19.379: IKEv2:(SESSION ID = 557,SA ID = 1):Use preshared key for id 192.168.100.144, key len 14
*Mar 9 19:02:19.379: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Mar 9 19:02:19.379: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Mar 9 19:02:19.379: IKEv2:(SESSION ID = 557,SA ID = 1):Verification of peer's authenctication data PASSED
*Mar 9 19:02:19.379: IKEv2:(SESSION ID = 557,SA ID = 1):Processing INITIAL_CONTACT
*Mar 9 19:02:19.380: IKEv2:Using mlist default and username FLEX-AUTH-POL-01 for group author request
*Mar 9 19:02:19.380: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authorisation request sent
*Mar 9 19:02:19.381: IKEv2:(SA ID = 1):[AAA -> IKEv2] Received AAA authorisation response
*Mar 9 19:02:19.384: IKEv2:(SESSION ID = 557,SA ID = 1):Received valid config mode data
*Mar 9 19:02:19.384: IKEv2:Config data recieved:
*Mar 9 19:02:19.384: IKEv2:(SESSION ID = 557,SA ID = 1):Config-type: Config-request
*Mar 9 19:02:19.384: IKEv2:(SESSION ID = 557,SA ID = 1):Attrib type: ipv4-dns, length: 0
*Mar 9 19:02:19.384: IKEv2:(SESSION ID = 557,SA ID = 1):Attrib type: ipv4-dns, length: 0
*Mar 9 19:02:19.384: IKEv2:(SESSION ID = 557,SA ID = 1):Attrib type: ipv4-nbns, length: 0
*Mar 9 19:02:19.384: IKEv2:(SESSION ID = 557,SA ID = 1):Attrib type: ipv4-nbns, length: 0
*Mar 9 19:02:19.384: IKEv2:(SESSION ID = 557,SA ID = 1):Attrib type: ipv4-subnet, length: 0
*Mar 9 19:02:19.384: IKEv2:(SESSION ID = 557,SA ID = 1):Attrib type: ipv6-dns, length: 0
*Mar 9 19:02:19.384: IKEv2:(SESSION ID = 557,SA ID = 1):Attrib type: ipv6-subnet, length: 0
*Mar 9 19:02:19.384: IKEv2:(SESSION ID = 557,SA ID = 1):Attrib type: app-version, length: 242, data: Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.3(3)M6, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2015 by Cisco Systems, Inc. Compiled Tue 04-Aug-15 05:50 by prod_rel_team
*Mar 9 19:02:19.384: IKEv2:(SESSION ID = 557,SA ID = 1):Attrib type: split-dns, length: 0
*Mar 9 19:02:19.384: IKEv2:(SESSION ID = 557,SA ID = 1):Attrib type: banner, length: 0
*Mar 9 19:02:19.384: IKEv2:(SESSION ID = 557,SA ID = 1):Attrib type: config-url, length: 0
*Mar 9 19:02:19.384: IKEv2:(SESSION ID = 557,SA ID = 1):Attrib type: backup-gateway, length: 0
*Mar 9 19:02:19.384: IKEv2:(SESSION ID = 557,SA ID = 1):Attrib type: def-domain, length: 0
*Mar 9 19:02:19.384: IKEv2:(SESSION ID = 557,SA ID = 1):Set received config mode data
*Mar 9 19:02:19.384: IKEv2:(SESSION ID = 557,SA ID = 1):Processing IKE_AUTH message
*Mar 9 19:02:19.391: IKEv2:% DVTI create request sent for profile POC-IKEV2-PROFILE-01 with PSH index 1.
*Mar 9 19:02:19.391: IKEv2:(SESSION ID = 557,SA ID = 1):
*Mar 9 19:02:19.391: IKEv2:Received Packet [From 78.101.226.231:500/To 192.168.100.234:500/VRF i0:f0] Initiator SPI : F46B97EE7858B85A - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Mar 9 19:02:19.391: IKEv2:(SESSION ID = 558,SA ID = 12):Verify SA init message
*Mar 9 19:02:19.391: IKEv2:(SESSION ID = 558,SA ID = 12):Insert SA
*Mar 9 19:02:19.391: IKEv2:Searching Policy with fvrf 0, local address 192.168.100.234
*Mar 9 19:02:19.391: IKEv2:Found Policy 'POC-POL-01'
*Mar 9 19:02:19.392: IKEv2:(SESSION ID = 558,SA ID = 12):Processing IKE_SA_INIT message
*Mar 9 19:02:19.401: IKEv2:(SA ID = 12):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Mar 9 19:02:19.401: IKEv2:(SA ID = 12):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Mar 9 19:02:19.401: IKEv2:Failed to retrieve Certificate Issuer list
*Mar 9 19:02:19.405: IKEv2:(SESSION ID = 558,SA ID = 12):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Mar 9 19:02:19.405: IKEv2:(SA ID = 12):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Mar 9 19:02:19.405: IKEv2:(SESSION ID = 558,SA ID = 12):Request queued for computation of DH key
*Mar 9 19:02:19.405: IKEv2:(SESSION ID = 558,SA ID = 12):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Mar 9 19:02:19.411: IKEv2:(SA ID = 12):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Mar 9 19:02:19.411: IKEv2:(SESSION ID = 558,SA ID = 12):Request queued for computation of DH secret
*Mar 9 19:02:19.411: IKEv2:(SA ID = 12):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Mar 9 19:02:19.411: IKEv2:(SA ID = 12):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Mar 9 19:02:19.411: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Mar 9 19:02:19.411: IKEv2:(SESSION ID = 558,SA ID = 12):Generating IKE_SA_INIT message
*Mar 9 19:02:19.411: IKEv2:(SESSION ID = 558,SA ID = 12):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_256_ECP/Group 19
*Mar 9 19:02:19.411: IKEv2:(SA ID = 12):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Mar 9 19:02:19.411: IKEv2:(SA ID = 12):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Mar 9 19:02:19.411: IKEv2:Failed to retrieve Certificate Issuer list
*Mar 9 19:02:19.416: IKEv2:(SESSION ID = 558,SA ID = 12):Sending Packet [To 78.101.226.231:500/From 192.168.100.234:500/VRF i0:f0] Initiator SPI : F46B97EE7858B85A - Responder SPI : 023C0FFBE66F715B Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Mar 9 19:02:19.417: IKEv2:(SESSION ID = 558,SA ID = 12):Completed SA init exchange
*Mar 9 19:02:19.417: IKEv2:(SESSION ID = 558,SA ID = 12):Starting timer (30 sec) to wait for auth message
*Mar 9 19:02:19.574: IKEv2:(SESSION ID = 558,SA ID = 12):Received Packet [From 78.101.226.231:4500/To 192.168.100.234:500/VRF i0:f0] Initiator SPI : F46B97EE7858B85A - Responder SPI : 023C0FFBE66F715B Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: VID IDi AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Mar 9 19:02:19.575: IKEv2:(SESSION ID = 558,SA ID = 12):Stopping timer to wait for auth message
*Mar 9 19:02:19.575: IKEv2:(SESSION ID = 558,SA ID = 12):Checking NAT discovery
*Mar 9 19:02:19.575: IKEv2:(SESSION ID = 558,SA ID = 12):NAT INSIDE found
*Mar 9 19:02:19.575: IKEv2:(SESSION ID = 558,SA ID = 12):NAT detected float to init port 4500, resp port 4500
*Mar 9 19:02:19.575: IKEv2:(SESSION ID = 558,SA ID = 12):Searching policy based on peer's identity '192.168.100.146' of type 'IPv4 address'
*Mar 9 19:02:19.575: IKEv2:found matching IKEv2 profile 'POC-IKEV2-PROFILE-01'
*Mar 9 19:02:19.575: IKEv2:Searching Policy with fvrf 0, local address 192.168.100.234
*Mar 9 19:02:19.575: IKEv2:Found Policy 'POC-POL-01'
*Mar 9 19:02:19.575: IKEv2:(SESSION ID = 558,SA ID = 12):Verify peer's policy
*Mar 9 19:02:19.575: IKEv2:(SESSION ID = 558,SA ID = 12):Peer's policy verified
*Mar 9 19:02:19.575: IKEv2:(SESSION ID = 558,SA ID = 12):Get peer's authentication method
*Mar 9 19:02:19.575: IKEv2:(SESSION ID = 558,SA ID = 12):Peer's authentication method is 'PSK'
*Mar 9 19:02:19.576: IKEv2:(SESSION ID = 558,SA ID = 12):Get peer's preshared key for 192.168.100.146
*Mar 9 19:02:19.576: IKEv2:(SESSION ID = 558,SA ID = 12):Verify peer's authentication data
*Mar 9 19:02:19.576: IKEv2:(SESSION ID = 558,SA ID = 12):Use preshared key for id 192.168.100.146, key len 14
*Mar 9 19:02:19.576: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Mar 9 19:02:19.576: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Mar 9 19:02:19.576: IKEv2:(SESSION ID = 558,SA ID = 12):Verification of peer's authenctication data PASSED
*Mar 9 19:02:19.576: IKEv2:(SESSION ID = 558,SA ID = 12):Processing INITIAL_CONTACT
*Mar 9 19:02:19.576: IKEv2:Using mlist default and username FLEX-AUTH-POL-01 for group author request
*Mar 9 19:02:19.576: IKEv2:(SA ID = 12):[IKEv2 -> AAA] Authorisation request sent
*Mar 9 19:02:19.580: IKEv2:(SA ID = 12):[AAA -> IKEv2] Received AAA authorisation response
*Mar 9 19:02:19.583: IKEv2:(SESSION ID = 558,SA ID = 12):Received valid config mode data
*Mar 9 19:02:19.583: IKEv2:Config data recieved:
*Mar 9 19:02:19.583: IKEv2:(SESSION ID = 558,SA ID = 12):Config-type: Config-request
*Mar 9 19:02:19.583: IKEv2:(SESSION ID = 558,SA ID = 12):Attrib type: ipv4-dns, length: 0
*Mar 9 19:02:19.583: IKEv2:(SESSION ID = 558,SA ID = 12):Attrib type: ipv4-dns, length: 0
*Mar 9 19:02:19.583: IKEv2:(SESSION ID = 558,SA ID = 12):Attrib type: ipv4-nbns, length: 0
*Mar 9 19:02:19.583: IKEv2:(SESSION ID = 558,SA ID = 12):Attrib type: ipv4-nbns, length: 0
*Mar 9 19:02:19.583: IKEv2:(SESSION ID = 558,SA ID = 12):Attrib type: ipv4-subnet, length: 0
*Mar 9 19:02:19.583: IKEv2:(SESSION ID = 558,SA ID = 12):Attrib type: ipv6-dns, length: 0
*Mar 9 19:02:19.583: IKEv2:(SESSION ID = 558,SA ID = 12):Attrib type: ipv6-subnet, length: 0
*Mar 9 19:02:19.583: IKEv2:(SESSION ID = 558,SA ID = 12):Attrib type: app-version, length: 242, data: Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.3(3)M6, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2015 by Cisco Systems, Inc. Compiled Tue 04-Aug-15 05:50 by prod_rel_team
*Mar 9 19:02:19.583: IKEv2:(SESSION ID = 558,SA ID = 12):Attrib type: split-dns, length: 0
*Mar 9 19:02:19.583: IKEv2:(SESSION ID = 558,SA ID = 12):Attrib type: banner, length: 0
*Mar 9 19:02:19.583: IKEv2:(SESSION ID = 558,SA ID = 12):Attrib type: config-url, length: 0
*Mar 9 19:02:19.583: IKEv2:(SESSION ID = 558,SA ID = 12):Attrib type: backup-gateway, length: 0
*Mar 9 19:02:19.583: IKEv2:(SESSION ID = 558,SA ID = 12):Attrib type: def-domain, length: 0
*Mar 9 19:02:19.583: IKEv2:(SESSION ID = 558,SA ID = 12):Set received config mode data
*Mar 9 19:02:19.583: IKEv2:(SESSION ID = 558,SA ID = 12):Processing IKE_AUTH message
*Mar 9 19:02:19.590: IKEv2:% DVTI create request sent for profile POC-IKEV2-PROFILE-01 with PSH index 12.
*Mar 9 19:02:19.590: IKEv2:(SESSION ID = 558,SA ID = 12):
*Mar 9 19:02:20.160: IKEv2:(SESSION ID = 546,SA ID = 6):Verification of peer's authentication data FAILED
*Mar 9 19:02:20.160: IKEv2:(SESSION ID = 546,SA ID = 6):Sending authentication failure notify
*Mar 9 19:02:20.160: IKEv2:(SESSION ID = 546,SA ID = 6):Building packet for encryption. Payload contents: NOTIFY(AUTHENTICATION_FAILED)
*Mar 9 19:02:20.160: IKEv2:(SESSION ID = 546,SA ID = 6):Sending Packet [To 178.153.80.249:4500/From 192.168.100.234:4500/VRF i0:f0] Initiator SPI : 12F27B60E12D27F2 - Responder SPI : 990E5D0576ABC344 Message id: 1 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR
*Mar 9 19:02:20.161: IKEv2:(SESSION ID = 546,SA ID = 6):Auth exchange failed
*Mar 9 19:02:20.161: IKEv2-ERROR:(SESSION ID = 546,SA ID = 6):: Auth exchange failed
*Mar 9 19:02:20.161: IKEv2:(SESSION ID = 546,SA ID = 6):Abort exchange
*Mar 9 19:02:20.161: IKEv2:(SESSION ID = 546,SA ID = 6):Deleting SA
Translating "ull"...domain server (255.255.255.255)
*Mar 9 19:02:21.191: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 9 19:02:21.249: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI
*Mar 9 19:02:21.250: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 89.211.214.117:4500/To 192.168.100.234:4500/VRF i0:f0] Initiator SPI : 6E43A10EBBE06199 - Responder SPI : E4D82B3400966E0B Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST
*Mar 9 19:02:21.250: IKEv2-ERROR:: A supplied parameter is incorrect
*Mar 9 19:02:21.294: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 9 19:02:21.404: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 9 19:02:21.482: IKEv2:Received Packet [From 178.153.32.48:500/To 192.168.100.234:500/VRF i0:f0] Initiator SPI : D0AD95046E8CD1CA - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Mar 9 19:02:21.482: IKEv2:(SESSION ID = 559,SA ID = 6):Verify SA init message
*Mar 9 19:02:21.482: IKEv2:(SESSION ID = 559,SA ID = 6):Insert SA
*Mar 9 19:02:21.482: IKEv2:Searching Policy with fvrf 0, local address 192.168.100.234
*Mar 9 19:02:21.482: IKEv2:Found Policy 'POC-POL-01'
*Mar 9 19:02:21.482: IKEv2:(SESSION ID = 559,SA ID = 6):Processing IKE_SA_INIT message
*Mar 9 19:02:21.492: IKEv2:(SA ID = 6):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Mar 9 19:02:21.492: IKEv2:(SA ID = 6):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Mar 9 19:02:21.492: IKEv2:Failed to retrieve Certificate Issuer list
*Mar 9 19:02:21.496: IKEv2:(SESSION ID = 559,SA ID = 6):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Mar 9 19:02:21.496: IKEv2:(SA ID = 6):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Mar 9 19:02:21.496: IKEv2:(SESSION ID = 559,SA ID = 6):Request queued for computation of DH key
*Mar 9 19:02:21.497: IKEv2:(SESSION ID = 559,SA ID = 6):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Mar 9 19:02:21.502: IKEv2:(SA ID = 6):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Mar 9 19:02:21.502: IKEv2:(SESSION ID = 559,SA ID = 6):Request queued for computation of DH secret
*Mar 9 19:02:21.502: IKEv2:(SA ID = 6):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Mar 9 19:02:21.502: IKEv2:(SA ID = 6):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Mar 9 19:02:21.502: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Mar 9 19:02:21.502: IKEv2:(SESSION ID = 559,SA ID = 6):Generating IKE_SA_INIT message
*Mar 9 19:02:21.502: IKEv2:(SESSION ID = 559,SA ID = 6):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_256_ECP/Group 19
*Mar 9 19:02:21.502: IKEv2:(SA ID = 6):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Mar 9 19:02:21.502: IKEv2:(SA ID = 6):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Mar 9 19:02:21.502: IKEv2:Failed to retrieve Certificate Issuer list
*Mar 9 19:02:21.507: IKEv2:(SESSION ID = 559,SA ID = 6):Sending Packet [To 178.153.32.48:500/From 192.168.100.234:500/VRF i0:f0] Initiator SPI : D0AD95046E8CD1CA - Responder SPI : 5CFF9527C5B4B4E7 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Mar 9 19:02:21.508: IKEv2:(SESSION ID = 559,SA ID = 6):Completed SA init exchange
*Mar 9 19:02:21.508: IKEv2:(SESSION ID = 559,SA ID = 6):Starting timer (30 sec) to wait for auth message
*Mar 9 19:02:21.650: IKEv2:(SESSION ID = 559,SA ID = 6):Received Packet [From 178.153.32.48:4500/To 192.168.100.234:500/VRF i0:f0] Initiator SPI : D0AD95046E8CD1CA - Responder SPI : 5CFF9527C5B4B4E7 Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: VID IDi AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Mar 9 19:02:21.650: IKEv2:(SESSION ID = 559,SA ID = 6):Stopping timer to wait for auth message
*Mar 9 19:02:21.650: IKEv2:(SESSION ID = 559,SA ID = 6):Checking NAT discovery
*Mar 9 19:02:21.650: IKEv2:(SESSION ID = 559,SA ID = 6):NAT INSIDE found
*Mar 9 19:02:21.650: IKEv2:(SESSION ID = 559,SA ID = 6):NAT detected float to init port 4500, resp port 4500
*Mar 9 19:02:21.650: IKEv2:(SESSION ID = 559,SA ID = 6):Searching policy based on peer's identity '192.168.100.130' of type 'IPv4 address'
*Mar 9 19:02:21.650: IKEv2:found matching IKEv2 profile 'POC-IKEV2-PROFILE-01'
*Mar 9 19:02:21.650: IKEv2:Searching Policy with fvrf 0, local address 192.168.100.234
*Mar 9 19:02:21.650: IKEv2:Found Policy 'POC-POL-01'
*Mar 9 19:02:21.651: IKEv2:(SESSION ID = 559,SA ID = 6):Verify peer's policy
*Mar 9 19:02:21.651: IKEv2:(SESSION ID = 559,SA ID = 6):Peer's policy verified
*Mar 9 19:02:21.651: IKEv2:(SESSION ID = 559,SA ID = 6):Get peer's authentication method
*Mar 9 19:02:21.651: IKEv2:(SESSION ID = 559,SA ID = 6):Peer's authentication method is 'PSK'
*Mar 9 19:02:21.651: IKEv2:(SESSION ID = 559,SA ID = 6):Get peer's preshared key for 192.168.100.130
*Mar 9 19:02:21.651: IKEv2:(SESSION ID = 559,SA ID = 6):Verify peer's authentication data
*Mar 9 19:02:21.651: IKEv2:(SESSION ID = 559,SA ID = 6):Use preshared key for id 192.168.100.130, key len 14
*Mar 9 19:02:21.651: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Mar 9 19:02:21.651: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Mar 9 19:02:21.651: IKEv2:(SESSION ID = 559,SA ID = 6):Verification of peer's authenctication data PASSED
*Mar 9 19:02:21.651: IKEv2:(SESSION ID = 559,SA ID = 6):Processing INITIAL_CONTACT
*Mar 9 19:02:21.651: IKEv2:Using mlist default and username FLEX-AUTH-POL-01 for group author request
*Mar 9 19:02:21.651: IKEv2:(SA ID = 6):[IKEv2 -> AAA] Authorisation request sent
*Mar 9 19:02:21.655: IKEv2:(SA ID = 6):[AAA -> IKEv2] Received AAA authorisation response
*Mar 9 19:02:21.659: IKEv2:(SESSION ID = 559,SA ID = 6):Received valid config mode data
*Mar 9 19:02:21.659: IKEv2:Config data recieved:
*Mar 9 19:02:21.659: IKEv2:(SESSION ID = 559,SA ID = 6):Config-type: Config-request
*Mar 9 19:02:21.659: IKEv2:(SESSION ID = 559,SA ID = 6):Attrib type: ipv4-dns, length: 0
*Mar 9 19:02:21.659: IKEv2:(SESSION ID = 559,SA ID = 6):Attrib type: ipv4-dns, length: 0
*Mar 9 19:02:21.659: IKEv2:(SESSION ID = 559,SA ID = 6):Attrib type: ipv4-nbns, length: 0
*Mar 9 19:02:21.659: IKEv2:(SESSION ID = 559,SA ID = 6):Attrib type: ipv4-nbns, length: 0
*Mar 9 19:02:21.659: IKEv2:(SESSION ID = 559,SA ID = 6):Attrib type: ipv4-subnet, length: 0
*Mar 9 19:02:21.659: IKEv2:(SESSION ID = 559,SA ID = 6):Attrib type: ipv6-dns, length: 0
*Mar 9 19:02:21.659: IKEv2:(SESSION ID = 559,SA ID = 6):Attrib type: ipv6-subnet, length: 0
*Mar 9 19:02:21.659: IKEv2:(SESSION ID = 559,SA ID = 6):Attrib type: app-version, length: 242, data: Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.3(3)M6, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2015 by Cisco Systems, Inc. Compiled Tue 04-Aug-15 05:50 by prod_rel_team
*Mar 9 19:02:21.659: IKEv2:(SESSION ID = 559,SA ID = 6):Attrib type: split-dns, length: 0
*Mar 9 19:02:21.659: IKEv2:(SESSION ID = 559,SA ID = 6):Attrib type: banner, length: 0
*Mar 9 19:02:21.659: IKEv2:(SESSION ID = 559,SA ID = 6):Attrib type: config-url, length: 0
*Mar 9 19:02:21.659: IKEv2:(SESSION ID = 559,SA ID = 6):Attrib type: backup-gateway, length: 0
*Mar 9 19:02:21.659: IKEv2:(SESSION ID = 559,SA ID = 6):Attrib type: def-domain, length: 0
*Mar 9 19:02:21.659: IKEv2:(SESSION ID = 559,SA ID = 6):Set received config mode data
*Mar 9 19:02:21.659: IKEv2:(SESSION ID = 559,SA ID = 6):Processing IKE_AUTH message
*Mar 9 19:02:21.666: IKEv2:% DVTI create request sent for profile POC-IKEV2-PROFILE-01 with PSH index 6.
*Mar 9 19:02:21.666: IKEv2:(SESSION ID = 559,SA ID = 6):
*Mar 9 19:02:21.669: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 9 19:02:22.735: IKEv2:Received Packet [From 78.100.239.234:500/To 192.168.100.234:500/VRF i0:f0] Initiator SPI : 7380B48D4FBCE8AF - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Mar 9 19:02:22.736: IKEv2:(SESSION ID = 560,SA ID = 13):Verify SA init message
*Mar 9 19:02:22.736: IKEv2:(SESSION ID = 560,SA ID = 13):Insert SA
*Mar 9 19:02:22.736: IKEv2:Searching Policy with fvrf 0, local address 192.168.100.234
*Mar 9 19:02:22.736: IKEv2:Found Policy 'POC-POL-01'
*Mar 9 19:02:22.736: IKEv2:(SESSION ID = 560,SA ID = 13):Processing IKE_SA_INIT message
*Mar 9 19:02:22.745: IKEv2:(SA ID = 13):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Mar 9 19:02:22.745: IKEv2:(SA ID = 13):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Mar 9 19:02:22.745: IKEv2:Failed to retrieve Certificate Issuer list
*Mar 9 19:02:22.750: IKEv2:(SESSION ID = 560,SA ID = 13):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Mar 9 19:02:22.750: IKEv2:(SA ID = 13):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Mar 9 19:02:22.750: IKEv2:(SESSION ID = 560,SA ID = 13):Request queued for computation of DH key
*Mar 9 19:02:22.750: IKEv2:(SESSION ID = 560,SA ID = 13):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Mar 9 19:02:22.755: IKEv2:(SA ID = 13):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Mar 9 19:02:22.755: IKEv2:(SESSION ID = 560,SA ID = 13):Request queued for computation of DH secret
*Mar 9 19:02:22.755: IKEv2:(SA ID = 13):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Mar 9 19:02:22.755: IKEv2:(SA ID = 13):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Mar 9 19:02:22.755: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Mar 9 19:02:22.755: IKEv2:(SESSION ID = 560,SA ID = 13):Generating IKE_SA_INIT message
*Mar 9 19:02:22.755: IKEv2:(SESSION ID = 560,SA ID = 13):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_256_ECP/Group 19
*Mar 9 19:02:22.756: IKEv2:(SA ID = 13):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Mar 9 19:02:22.756: IKEv2:(SA ID = 13):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Mar 9 19:02:22.756: IKEv2:Failed to retrieve Certificate Issuer list
*Mar 9 19:02:22.760: IKEv2:(SESSION ID = 560,SA ID = 13):Sending Packet [To 78.100.239.234:500/From 192.168.100.234:500/VRF i0:f0] Initiator SPI : 7380B48D4FBCE8AF - Responder SPI : 6C7407645AF46591 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Mar 9 19:02:22.761: IKEv2:(SESSION ID = 560,SA ID = 13):Completed SA init exchange
*Mar 9 19:02:22.761: IKEv2:(SESSION ID = 560,SA ID = 13):Starting timer (30 sec) to wait for auth message
*Mar 9 19:02:23.094: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI
*Mar 9 19:02:23.094: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 89.211.110.18:4500/To 192.168.100.234:4500/VRF i0:f0] Initiator SPI : CAD1AC6594B06B33 - Responder SPI : 8E1132AC435C59DD Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST
*Mar 9 19:02:23.094: IKEv2-ERROR:: A supplied parameter is incorrect
*Mar 9 19:02:23.098: IKEv2:(SESSION ID = 547,SA ID = 2):Verification of peer's authentication data FAILED
*Mar 9 19:02:23.098: IKEv2:(SESSION ID = 547,SA ID = 2):Sending authentication failure notify
*Mar 9 19:02:23.098: IKEv2:(SESSION ID = 547,SA ID = 2):Building packet for encryption. Payload contents: NOTIFY(AUTHENTICATION_FAILED)
*Mar 9 19:02:23.098: IKEv2:(SESSION ID = 547,SA ID = 2):Sending Packet [To 37.211.0.63:35666/From 192.168.100.234:4500/VRF i0:f0] Initiator SPI : 7EF1BC25ADF8A338 - Responder SPI : 8614502C20139253 Message id: 1 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR
*Mar 9 19:02:23.099: IKEv2:(SESSION ID = 547,SA ID = 2):Auth exchange failed
*Mar 9 19:02:23.099: IKEv2-ERROR:(SESSION ID = 547,SA ID = 2):: Auth exchange failed
*Mar 9 19:02:23.099: IKEv2:(SESSION ID = 547,SA ID = 2):Abort exchange
*Mar 9 19:02:23.100: IKEv2:(SESSION ID = 547,SA ID = 2):Deleting SA
*Mar 9 19:02:23.782: IKEv2:(SESSION ID = 548,SA ID = 7):Verification of peer's authentication data FAILED
*Mar 9 19:02:23.782: IKEv2:(SESSION ID = 548,SA ID = 7):Sending authentication failure notify
*Mar 9 19:02:23.782: IKEv2:(SESSION ID = 548,SA ID = 7):Building packet for encryption. Payload contents: NOTIFY(AUTHENTICATION_FAILED)
*Mar 9 19:02:23.782: IKEv2:(SESSION ID = 548,SA ID = 7):Sending Packet [To 89.211.198.226:1025/From 192.168.100.234:4500/VRF i0:f0] Initiator SPI : 225883330D4AB11F - Responder SPI : 583EC7D453D8FB74 Message id: 1 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR
*Mar 9 19:02:23.782: IKEv2:(SESSION ID = 548,SA ID = 7):Auth exchange failed
*Mar 9 19:02:23.782: IKEv2-ERROR:(SESSION ID = 548,SA ID = 7):: Auth exchange failed
*Mar 9 19:02:23.783: IKEv2:(SESSION ID = 548,SA ID = 7):Abort exchange
*Mar 9 19:02:23.783: IKEv2:(SESSION ID = 548,SA ID = 7):Deleting SA
*Mar 9 19:02:25.082: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 9 19:02:25.181: IKEv2:(SESSION ID = 554,SA ID = 10):Received Packet [From 78.100.239.234:4500/To 192.168.100.234:500/VRF i0:f0] Initiator SPI : 88D9BFE441A18D35 - Responder SPI : 043BD65C8C01B420 Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: VID IDi AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Mar
9 19:02:25.181: IKEv2:(SESSION ID = 554,SA ID = 10):Stopping timer to wait for auth message *Mar 9 19:02:25.181: IKEv2:(SESSION ID = 554,SA ID = 10):Checking NAT discovery *Mar 9 19:02:25.181: IKEv2:(SESSION ID = 554,SA ID = 10):NAT INSIDE found *Mar 9 19:02:25.181: IKEv2:(SESSION ID = 554,SA ID = 10):NAT detected float to init port 4500, resp port 4500 *Mar 9 19:02:25.182: IKEv2:(SESSION ID = 554,SA ID = 10):Searching policy based on peer's identity '192.168.100.136' of type 'IPv4 address' *Mar 9 19:02:25.182: IKEv2:found matching IKEv2 profile 'POC-IKEV2-PROFILE-01' *Mar 9 19:02:25.182: IKEv2:Searching Policy with fvrf 0, local address 192.168.100.234 *Mar 9 19:02:25.182: IKEv2:Found Policy 'POC-POL-01' *Mar 9 19:02:25.182: IKEv2:(SESSION ID = 554,SA ID = 10):Verify peer's policy *Mar 9 19:02:25.182: IKEv2:(SESSION ID = 554,SA ID = 10):Peer's policy verified *Mar 9 19:02:25.182: IKEv2:(SESSION ID = 554,SA ID = 10):Get peer's authentication method *Mar 9 19:02:25.182: IKEv2:(SESSION ID = 554,SA ID = 10):Peer's authentication method is 'PSK' *Mar 9 19:02:25.182: IKEv2:(SESSION ID = 554,SA ID = 10):Get peer's preshared key for 192.168.100.136 *Mar 9 19:02:25.182: IKEv2:(SESSION ID = 554,SA ID = 10):Verify peer's authentication data *Mar 9 19:02:25.182: IKEv2:(SESSION ID = 554,SA ID = 10):Use preshared key for id 192.168.100.136, key len 14 *Mar 9 19:02:25.182: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data *Mar 9 19:02:25.182: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED *Mar 9 19:02:25.182: IKEv2:(SESSION ID = 554,SA ID = 10):Verification of peer's authenctication data PASSED *Mar 9 19:02:25.182: IKEv2:(SESSION ID = 554,SA ID = 10):Processing INITIAL_CONTACT *Mar 9 19:02:25.182: IKEv2:Using mlist default and username FLEX-AUTH-POL-01 for group author request *Mar 9 19:02:25.183: IKEv2:(SA ID = 10):[IKEv2 -> AAA] Authorisation request sent *Mar 9 19:02:25.183: IKEv2:(SA ID = 10):[AAA -> IKEv2] Received AAA 
authorisation response *Mar 9 19:02:25.186: IKEv2:(SESSION ID = 554,SA ID = 10):Received valid config mode data *Mar 9 19:02:25.186: IKEv2:Config data recieved: *Mar 9 19:02:25.186: IKEv2:(SESSION ID = 554,SA ID = 10):Config-type: Config-request *Mar 9 19:02:25.186: IKEv2:(SESSION ID = 554,SA ID = 10):Attrib type: ipv4-dns, length: 0 *Mar 9 19:02:25.186: IKEv2:(SESSION ID = 554,SA ID = 10):Attrib type: ipv4-dns, length: 0 *Mar 9 19:02:25.186: IKEv2:(SESSION ID = 554,SA ID = 10):Attrib type: ipv4-nbns, length: 0 *Mar 9 19:02:25.186: IKEv2:(SESSION ID = 554,SA ID = 10):Attrib type: ipv4-nbns, length: 0 *Mar 9 19:02:25.186: IKEv2:(SESSION ID = 554,SA ID = 10):Attrib type: ipv4-subnet, length: 0 *Mar 9 19:02:25.186: IKEv2:(SESSION ID = 554,SA ID = 10):Attrib type: ipv6-dns, length: 0 *Mar 9 19:02:25.186: IKEv2:(SESSION ID = 554,SA ID = 10):Attrib type: ipv6-subnet, length: 0 *Mar 9 19:02:25.186: IKEv2:(SESSION ID = 554,SA ID = 10):Attrib type: app-version, length: 242, data: Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.3(3)M6, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2015 by Cisco Systems, Inc. Compiled Tue 04-Aug-15 05:50 by prod_rel_team *Mar 9 19:02:25.186: IKEv2:(SESSION ID = 554,SA ID = 10):Attrib type: split-dns, length: 0 *Mar 9 19:02:25.186: IKEv2:(SESSION ID = 554,SA ID = 10):Attrib type: banner, length: 0 *Mar 9 19:02:25.186: IKEv2:(SESSION ID = 554,SA ID = 10):Attrib type: config-url, length: 0 *Mar 9 19:02:25.187: IKEv2:(SESSION ID = 554,SA ID = 10):Attrib type: backup-gateway, length: 0 *Mar 9 19:02:25.187: IKEv2:(SESSION ID = 554,SA ID = 10):Attrib type: def-domain, length: 0 *Mar 9 19:02:25.187: IKEv2:(SESSION ID = 554,SA ID = 10):Set received config mode data *Mar 9 19:02:25.187: IKEv2:(SESSION ID = 554,SA ID = 10):Processing IKE_AUTH message *Mar 9 19:02:25.193: IKEv2:% DVTI create request sent for profile POC-IKEV2-PROFILE-01 with PSH index 10. 
*Mar 9 19:02:25.193: IKEv2:(SESSION ID = 554,SA ID = 10):
*Mar 9 19:02:25.294: IKEv2:(SESSION ID = 553,SA ID = 9):Received Packet [From 178.153.99.48:4500/To 192.168.100.234:500/VRF i0:f0] Initiator SPI : 7CEEDD74627715E7 - Responder SPI : 459A4601D1559CD2 Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: VID IDi AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Mar 9 19:02:25.294: IKEv2:(SESSION ID = 553,SA ID = 9):Stopping timer to wait for auth message
*Mar 9 19:02:25.294: IKEv2:(SESSION ID = 553,SA ID = 9):Checking NAT discovery
*Mar 9 19:02:25.294: IKEv2:(SESSION ID = 553,SA ID = 9):NAT INSIDE found
*Mar 9 19:02:25.294: IKEv2:(SESSION ID = 553,SA ID = 9):NAT detected float to init port 4500, resp port 4500
*Mar 9 19:02:25.295: IKEv2:(SESSION ID = 553,SA ID = 9):Searching policy based on peer's identity '192.168.100.129' of type 'IPv4 address'
*Mar 9 19:02:25.295: IKEv2:found matching IKEv2 profile 'POC-IKEV2-PROFILE-01'
*Mar 9 19:02:25.295: IKEv2:Searching Policy with fvrf 0, local address 192.168.100.234
*Mar 9 19:02:25.295: IKEv2:Found Policy 'POC-POL-01'
*Mar 9 19:02:25.295: IKEv2:(SESSION ID = 553,SA ID = 9):Verify peer's policy
*Mar 9 19:02:25.295: IKEv2:(SESSION ID = 553,SA ID = 9):Peer's policy verified
*Mar 9 19:02:25.295: IKEv2:(SESSION ID = 553,SA ID = 9):Get peer's authentication method
*Mar 9 19:02:25.295: IKEv2:(SESSION ID = 553,SA ID = 9):Peer's authentication method is 'PSK'
*Mar 9 19:02:25.295: IKEv2:(SESSION ID = 553,SA ID = 9):Get peer's preshared key for 192.168.100.129
*Mar 9 19:02:25.295: IKEv2:(SESSION ID = 553,SA ID = 9):Verify peer's authentication data
*Mar 9 19:02:25.295: IKEv2:(SESSION ID = 553,SA ID = 9):Use preshared key for id 192.168.100.129, key len 14
*Mar 9 19:02:25.295: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Mar 9 19:02:25.295: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Mar 9 19:02:25.295: IKEv2:(SESSION ID = 553,SA ID = 9):Verification of peer's authenctication data PASSED
*Mar 9 19:02:25.295: IKEv2:(SESSION ID = 553,SA ID = 9):Processing INITIAL_CONTACT
*Mar 9 19:02:25.296: IKEv2:Using mlist default and username FLEX-AUTH-POL-01 for group author request
*Mar 9 19:02:25.296: IKEv2:(SA ID = 9):[IKEv2 -> AAA] Authorisation request sent
*Mar 9 19:02:25.312: IKEv2:(SA ID = 9):[AAA -> IKEv2] Received AAA authorisation response
*Mar 9 19:02:25.315: IKEv2:(SESSION ID = 553,SA ID = 9):Received valid config mode data
*Mar 9 19:02:25.315: IKEv2:Config data recieved:
*Mar 9 19:02:25.315: IKEv2:(SESSION ID = 553,SA ID = 9):Config-type: Config-request
*Mar 9 19:02:25.315: IKEv2:(SESSION ID = 553,SA ID = 9):Attrib type: ipv4-dns, length: 0
*Mar 9 19:02:25.315: IKEv2:(SESSION ID = 553,SA ID = 9):Attrib type: ipv4-dns, length: 0
*Mar 9 19:02:25.315: IKEv2:(SESSION ID = 553,SA ID = 9):Attrib type: ipv4-nbns, length: 0
*Mar 9 19:02:25.315: IKEv2:(SESSION ID = 553,SA ID = 9):Attrib type: ipv4-nbns, length: 0
*Mar 9 19:02:25.315: IKEv2:(SESSION ID = 553,SA ID = 9):Attrib type: ipv4-subnet, length: 0
*Mar 9 19:02:25.315: IKEv2:(SESSION ID = 553,SA ID = 9):Attrib type: ipv6-dns, length: 0
*Mar 9 19:02:25.315: IKEv2:(SESSION ID = 553,SA ID = 9):Attrib type: ipv6-subnet, length: 0
*Mar 9 19:02:25.315: IKEv2:(SESSION ID = 553,SA ID = 9):Attrib type: app-version, length: 242, data: Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.3(3)M6, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2015 by Cisco Systems, Inc. Compiled Tue 04-Aug-15 05:50 by prod_rel_team
*Mar 9 19:02:25.315: IKEv2:(SESSION ID = 553,SA ID = 9):Attrib type: split-dns, length: 0
*Mar 9 19:02:25.315: IKEv2:(SESSION ID = 553,SA ID = 9):Attrib type: banner, length: 0
*Mar 9 19:02:25.315: IKEv2:(SESSION ID = 553,SA ID = 9):Attrib type: config-url, length: 0
*Mar 9 19:02:25.316: IKEv2:(SESSION ID = 553,SA ID = 9):Attrib type: backup-gateway, length: 0
*Mar 9 19:02:25.316: IKEv2:(SESSION ID = 553,SA ID = 9):Attrib type: def-domain, length: 0
*Mar 9 19:02:25.316: IKEv2:(SESSION ID = 553,SA ID = 9):Set received config mode data
*Mar 9 19:02:25.316: IKEv2:(SESSION ID = 553,SA ID = 9):Processing IKE_AUTH message
*Mar 9 19:02:25.322: IKEv2:% DVTI create request sent for profile POC-IKEV2-PROFILE-01 with PSH index 9.
*Mar 9 19:02:25.322: IKEv2:(SESSION ID = 553,SA ID = 9):
*Mar 9 19:02:25.806: %IOSXE_INFRA-3-CONSOLE_DBUG_DROP: System dropped 1 bytes of console debug messages.
*Mar 9 19:02:25.935: IKEv2:(SESSION ID = 549,SA ID = 14):Verification of peer's authentication data FAILED
*Mar 9 19:02:25.935: IKEv2:(SESSION ID = 549,SA ID = 14):Sending authentication failure notify
*Mar 9 19:02:25.935: IKEv2:(SESSION ID = 549,SA ID = 14):Building packet for encryption. Payload contents: NOTIFY(AUTHENTICATION_FAILED)
*Mar 9 19:02:25.935: IKEv2:(SESSION ID = 549,SA ID = 14):Sending Packet [To 78.101.226.231:4500/From 192.168.100.234:4500/VRF i0:f0] Initiator SPI : 43379DF3E577C976 - Responder SPI : AC910ABB60BA66C4 Message id: 1 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR
*Mar 9 19:02:25.935: IKEv2:(SESSION ID = 549,SA ID = 14):Auth exchange failed
*Mar 9 19:02:25.936: IKEv2-ERROR:(SESSION ID = 549,SA ID = 14):: Auth exchange failed
*Mar 9 19:02:25.936: IKEv2:(SESSION ID = 549,SA ID = 14):Abort exchange
*Mar 9 19:02:25.936: IKEv2:(SESSION ID = 549,SA ID = 14):Deleting SA
*Mar 9 19:02:27.104: IKEv2:Received Packet [From 78.100.234.191:500/To 192.168.100.234:500/VRF i0:f0] Initiator SPI : 61C55AA3C8D40B4D - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Mar 9 19:02:27.104: IKEv2:(SESSION ID = 561,SA ID = 2):Verify SA init message
*Mar 9 19:02:27.104: IKEv2:(SESSION ID = 561,SA ID = 2):Insert SA
*Mar 9 19:02:27.104: IKEv2:Searching Policy with fvrf 0, local address 192.168.100.234
*Mar 9 19:02:27.104: IKEv2:Found Policy 'POC-POL-01'
*Mar 9 19:02:27.104: IKEv2:(SESSION ID = 561,SA ID = 2):Processing IKE_SA_INIT message
*Mar 9 19:02:27.114: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Mar 9 19:02:27.114: IKEv2:(SA ID = 2):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Mar 9 19:02:27.114: IKEv2:Failed to retrieve Certificate Issuer list
*Mar 9 19:02:27.118: IKEv2:(SESSION ID = 561,SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Mar 9 19:02:27.118: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Mar 9 19:02:27.118: IKEv2:(SESSION ID = 561,SA ID = 2):Request queued for computation of DH key
*Mar 9 19:02:27.118: IKEv2:(SESSION ID = 561,SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Mar 9 19:02:27.123: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Mar 9 19:02:27.123: IKEv2:(SESSION ID = 561,SA ID = 2):Request queued for computation of DH secret
*Mar 9 19:02:27.123: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Mar 9 19:02:27.123: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Mar 9 19:02:27.124: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Mar 9 19:02:27.124: IKEv2:(SESSION ID = 561,SA ID = 2):Generating IKE_SA_INIT message
*Mar 9 19:02:27.124: IKEv2:(SESSION ID = 561,SA ID = 2):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_256_ECP/Group 19
*Mar 9 19:02:27.124: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Mar 9 19:02:27.124: IKEv2:(SA ID = 2):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Mar 9 19:02:27.124: IKEv2:Failed to retrieve Certificate Issuer list
*Mar 9 19:02:27.129: IKEv2:(SESSION ID = 561,SA ID = 2):Sending Packet [To 78.100.234.191:500/From 192.168.100.234:500/VRF i0:f0] Initiator SPI : 61C55AA3C8D40B4D - Responder SPI : 501952C3F716377F Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Mar 9 19:02:27.129: IKEv2:(SESSION ID = 561,SA ID = 2):Completed SA init exchange
*Mar 9 19:02:27.129: IKEv2:(SESSION ID = 561,SA ID = 2):Starting timer (30 sec) to wait for auth message
*Mar 9 19:02:27.401: IKEv2:(SESSION ID = 561,SA ID = 2):Received Packet [From 78.100.234.191:4500/To 192.168.100.234:500/VRF i0:f0] Initiator SPI : 61C55AA3C8D40B4D - Responder SPI : 501952C3F716377F Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: VID IDi AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Mar 9 19:02:27.402: IKEv2:(SESSION ID = 561,SA ID = 2):Stopping timer to wait for auth message
*Mar 9 19:02:27.402: IKEv2:(SESSION ID = 561,SA ID = 2):Checking NAT discovery
*Mar 9 19:02:27.402: IKEv2:(SESSION ID = 561,SA ID = 2):NAT INSIDE found
*Mar 9 19:02:27.402: IKEv2:(SESSION ID = 561,SA ID = 2):NAT detected float to init port 4500, resp port 4500
*Mar 9 19:02:27.402: IKEv2:(SESSION ID = 561,SA ID = 2):Searching policy based on peer's identity '192.168.100.135' of type 'IPv4 address'
*Mar 9 19:02:27.402: IKEv2:found matching IKEv2 profile 'POC-IKEV2-PROFILE-01'
*Mar 9 19:02:27.402: IKEv2:Searching Policy with fvrf 0, local address 192.168.100.234
*Mar 9 19:02:27.402: IKEv2:Found Policy 'POC-POL-01'
*Mar 9 19:02:27.402: IKEv2:(SESSION ID = 561,SA ID = 2):Verify peer's policy
*Mar 9 19:02:27.403: IKEv2:(SESSION ID = 561,SA ID = 2):Peer's policy verified
*Mar 9 19:02:27.403: IKEv2:(SESSION ID = 561,SA ID = 2):Get peer's authentication method
*Mar 9 19:02:27.403: IKEv2:(SESSION ID = 561,SA ID = 2):Peer's authentication method is 'PSK'
*Mar 9 19:02:27.403: IKEv2:(SESSION ID = 561,SA ID = 2):Get peer's preshared key for 192.168.100.135
*Mar 9 19:02:27.403: IKEv2:(SESSION ID = 561,SA ID = 2):Verify peer's authentication data
*Mar 9 19:02:27.403: IKEv2:(SESSION ID = 561,SA ID = 2):Use preshared key for id 192.168.100.135, key len 14
*Mar 9 19:02:27.403: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Mar 9 19:02:27.403: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Mar 9 19:02:27.403: IKEv2:(SESSION ID = 561,SA ID = 2):Verification of peer's authenctication data PASSED
*Mar 9 19:02:27.403: IKEv2:(SESSION ID = 561,SA ID = 2):Processing INITIAL_CONTACT
*Mar 9 19:02:27.403: IKEv2:Using mlist default and username FLEX-AUTH-POL-01 for group author request
*Mar 9 19:02:27.403: IKEv2:(SA ID = 2):[IKEv2 -> AAA] Authorisation request sent
*Mar 9 19:02:27.418: IKEv2:(SA ID = 2):[AAA -> IKEv2] Received AAA authorisation response
*Mar 9 19:02:27.422: IKEv2:(SESSION ID = 561,SA ID = 2):Received valid config mode data
*Mar 9 19:02:27.422: IKEv2:Config data recieved:
*Mar 9 19:02:27.422: IKEv2:(SESSION ID = 561,SA ID = 2):Config-type: Config-request
*Mar 9 19:02:27.422: IKEv2:(SESSION ID = 561,SA ID = 2):Attrib type: ipv4-dns, length: 0
*Mar 9 19:02:27.422: IKEv2:(SESSION ID = 561,SA ID = 2):Attrib type: ipv4-dns, length: 0
*Mar 9 19:02:27.422: IKEv2:(SESSION ID = 561,SA ID = 2):Attrib type: ipv4-nbns, length: 0
*Mar 9 19:02:27.422: IKEv2:(SESSION ID = 561,SA ID = 2):Attrib type: ipv4-nbns, length: 0
*Mar 9 19:02:27.422: IKEv2:(SESSION ID = 561,SA ID = 2):Attrib type: ipv4-subnet, length: 0
*Mar 9 19:02:27.422: IKEv2:(SESSION ID = 561,SA ID = 2):Attrib type: ipv6-dns, length: 0
*Mar 9 19:02:27.422: IKEv2:(SESSION ID = 561,SA ID = 2):Attrib type: ipv6-subnet, length: 0
*Mar 9 19:02:27.422: IKEv2:(SESSION ID = 561,SA ID = 2):Attrib type: app-version, length: 242, data: Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.3(3)M6, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2015 by Cisco Systems, Inc. Compiled Tue 04-Aug-15 05:50 by prod_rel_team
*Mar 9 19:02:27.422: IKEv2:(SESSION ID = 561,SA ID = 2):Attrib type: split-dns, length: 0
*Mar 9 19:02:27.422: IKEv2:(SESSION ID = 561,SA ID = 2):Attrib type: banner, length: 0
*Mar 9 19:02:27.422: IKEv2:(SESSION ID = 561,SA ID = 2):Attrib type: config-url, length: 0
*Mar 9 19:02:27.422: IKEv2:(SESSION ID = 561,SA ID = 2):Attrib type: backup-gateway, length: 0
*Mar 9 19:02:27.422: IKEv2:(SESSION ID = 561,SA ID = 2):Attrib type: def-domain, length: 0
*Mar 9 19:02:27.422: IKEv2:(SESSION ID = 561,SA ID = 2):Set received config mode data
*Mar 9 19:02:27.422: IKEv2:(SESSION ID = 561,SA ID = 2):Processing IKE_AUTH message
*Mar 9 19:02:27.429: IKEv2:% DVTI create request sent for profile POC-IKEV2-PROFILE-01 with PSH index 2.
*Mar 9 19:02:27.429: IKEv2:(SESSION ID = 561,SA ID = 2):
*Mar 9 19:02:28.557: IKEv2:(SESSION ID = 550,SA ID = 3):Verification of peer's authentication data FAILED
*Mar 9 19:02:28.557: IKEv2:(SESSION ID = 550,SA ID = 3):Sending authentication failure notify
*Mar 9 19:02:28.557: IKEv2:(SESSION ID = 550,SA ID = 3):Building packet for encryption. Payload contents: NOTIFY(AUTHENTICATION_FAILED)
*Mar 9 19:02:28.557: IKEv2:(SESSION ID = 550,SA ID = 3):Sending Packet [To 37.210.74.228:4500/From 192.168.100.234:4500/VRF i0:f0] Initiator SPI : 5F936852BD96971F - Responder SPI : FCB4EF944FCCA7AB Message id: 1 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR
*Mar 9 19:02:28.557: IKEv2:(SESSION ID = 550,SA ID = 3):Auth exchange failed
*Mar 9 19:02:28.557: IKEv2-ERROR:(SESSION ID = 550,SA ID = 3):: Auth exchange failed
*Mar 9 19:02:28.558: IKEv2:(SESSION ID = 550,SA ID = 3):Abort exchange
*Mar 9 19:02:28.558: IKEv2:(SESSION ID = 550,SA ID = 3):Deleting SA
*Mar 9 19:02:29.467: IKEv2:Received Packet [From 176.203.70.46:60568/To 192.168.100.234:500/VRF i0:f0] Initiator SPI : 5A2A21E475D13948 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Mar 9 19:02:29.467: IKEv2:(SESSION ID = 562,SA ID = 3):Verify SA init message
*Mar 9 19:02:29.467: IKEv2:(SESSION ID = 562,SA ID = 3):Insert SA
*Mar 9 19:02:29.468: IKEv2:Searching Policy with fvrf 0, local address 192.168.100.234
*Mar 9 19:02:29.468: IKEv2:Found Policy 'POC-POL-01'
*Mar 9 19:02:29.468: IKEv2:(SESSION ID = 562,SA ID = 3):Processing IKE_SA_INIT message
*Mar 9 19:02:29.477: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Mar 9 19:02:29.477: IKEv2:(SA ID = 3):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Mar 9 19:02:29.477: IKEv2:Failed to retrieve Certificate Issuer list
*Mar 9 19:02:29.481: IKEv2:(SESSION ID = 562,SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Mar 9 19:02:29.481: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Mar 9 19:02:29.481: IKEv2:(SESSION ID = 562,SA ID = 3):Request queued for computation of DH key
*Mar 9 19:02:29.481: IKEv2:(SESSION ID = 562,SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Mar 9 19:02:29.486: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Mar 9 19:02:29.486: IKEv2:(SESSION ID = 562,SA ID = 3):Request queued for computation of DH secret
*Mar 9 19:02:29.487: IKEv2:(SA ID = 3):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Mar 9 19:02:29.487: IKEv2:(SA ID = 3):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Mar 9 19:02:29.487: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Mar 9 19:02:29.487: IKEv2:(SESSION ID = 562,SA ID = 3):Generating IKE_SA_INIT message
*Mar 9 19:02:29.487: IKEv2:(SESSION ID = 562,SA ID = 3):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_256_ECP/Group 19
*Mar 9 19:02:29.487: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Mar 9 19:02:29.487: IKEv2:(SA ID = 3):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Mar 9 19:02:29.487: IKEv2:Failed to retrieve Certificate Issuer list
*Mar 9 19:02:29.492: IKEv2:(SESSION ID = 562,SA ID = 3):Sending Packet [To 176.203.70.46:60568/From 192.168.100.234:500/VRF i0:f0] Initiator SPI : 5A2A21E475D13948 - Responder SPI : 0AA9E7E2D79793C7 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Mar 9 19:02:29.492: IKEv2:(SESSION ID = 562,SA ID = 3):Completed SA init exchange
*Mar 9 19:02:29.492: IKEv2:(SESSION ID = 562,SA ID = 3):Starting timer (30 sec) to wait for auth message
*Mar 9 19:02:29.558: IKEv2:(SESSION ID = 562,SA ID = 3):Received Packet [From 176.203.70.46:61246/To 192.168.100.234:500/VRF i0:f0] Initiator SPI : 5A2A21E475D13948 - Responder SPI : 0AA9E7E2D79793C7 Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: VID IDi AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Mar 9 19:02:29.558: IKEv2:(SESSION ID = 562,SA ID = 3):Stopping timer to wait for auth message
*Mar 9 19:02:29.558: IKEv2:(SESSION ID = 562,SA ID = 3):Checking NAT discovery
*Mar 9 19:02:29.559: IKEv2:(SESSION ID = 562,SA ID = 3):NAT INSIDE found
*Mar 9 19:02:29.559: IKEv2:(SESSION ID = 562,SA ID = 3):NAT detected float to init port 61246, resp port 4500
*Mar 9 19:02:29.559: IKEv2:(SESSION ID = 562,SA ID = 3):Searching policy based on peer's identity '192.168.100.138' of type 'IPv4 address'
*Mar 9 19:02:29.559: IKEv2:found matching IKEv2 profile 'POC-IKEV2-PROFILE-01'
*Mar 9 19:02:29.559: IKEv2:Searching Policy with fvrf 0, local address 192.168.100.234
*Mar 9 19:02:29.559: IKEv2:Found Policy 'POC-POL-01'
*Mar 9 19:02:29.559: IKEv2:(SESSION ID = 562,SA ID = 3):Verify peer's policy
*Mar 9 19:02:29.559: IKEv2:(SESSION ID = 562,SA ID = 3):Peer's policy verified
*Mar 9 19:02:29.559: IKEv2:(SESSION ID = 562,SA ID = 3):Get peer's authentication method
*Mar 9 19:02:29.559: IKEv2:(SESSION ID = 562,SA ID = 3):Peer's authentication method is 'PSK'
*Mar 9 19:02:29.559: IKEv2:(SESSION ID = 562,SA ID = 3):Get peer's preshared key for 192.168.100.138
*Mar 9 19:02:29.559: IKEv2:(SESSION ID = 562,SA ID = 3):Verify peer's authentication data
*Mar 9 19:02:29.559: IKEv2:(SESSION ID = 562,SA ID = 3):Use preshared key for id 192.168.100.138, key len 14
*Mar 9 19:02:29.559: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Mar 9 19:02:29.559: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Mar 9 19:02:29.559: IKEv2:(SESSION ID = 562,SA ID = 3):Verification of peer's authenctication data PASSED
*Mar 9 19:02:29.559: IKEv2:(SESSION ID = 562,SA ID = 3):Processing INITIAL_CONTACT
*Mar 9 19:02:29.560: IKEv2:Using mlist default and username FLEX-AUTH-POL-01 for group author request
*Mar 9 19:02:29.560: IKEv2:(SA ID = 3):[IKEv2 -> AAA] Authorisation request sent
*Mar 9 19:02:29.560: IKEv2:(SA ID = 3):[AAA -> IKEv2] Received AAA authorisation response
*Mar 9 19:02:29.563: IKEv2:(SESSION ID = 562,SA ID = 3):Received valid config mode data
*Mar 9 19:02:29.563: IKEv2:Config data recieved:
*Mar 9 19:02:29.563: IKEv2:(SESSION ID = 562,SA ID = 3):Config-type: Config-request
*Mar 9 19:02:29.563: IKEv2:(SESSION ID = 562,SA ID = 3):Attrib type: ipv4-dns, length: 0
*Mar 9 19:02:29.563: IKEv2:(SESSION ID = 562,SA ID = 3):Attrib type: ipv4-dns, length: 0
*Mar 9 19:02:29.563: IKEv2:(SESSION ID = 562,SA ID = 3):Attrib type: ipv4-nbns, length: 0
*Mar 9 19:02:29.563: IKEv2:(SESSION ID = 562,SA ID = 3):Attrib type: ipv4-nbns, length: 0
*Mar 9 19:02:29.564: IKEv2:(SESSION ID = 562,SA ID = 3):Attrib type: ipv4-subnet, length: 0
*Mar 9 19:02:29.564: IKEv2:(SESSION ID = 562,SA ID = 3):Attrib type: ipv6-dns, length: 0
*Mar 9 19:02:29.564: IKEv2:(SESSION ID = 562,SA ID = 3):Attrib type: ipv6-subnet, length: 0
*Mar 9 19:02:29.564: IKEv2:(SESSION ID = 562,SA ID = 3):Attrib type: app-version, length: 242, data: Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.3(3)M6, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2015 by Cisco Systems, Inc. Compiled Tue 04-Aug-15 05:50 by prod_rel_team
*Mar 9 19:02:29.564: IKEv2:(SESSION ID = 562,SA ID = 3):Attrib type: split-dns, length: 0
*Mar 9 19:02:29.564: IKEv2:(SESSION ID = 562,SA ID = 3):Attrib type: banner, length: 0
*Mar 9 19:02:29.564: IKEv2:(SESSION ID = 562,SA ID = 3):Attrib type: config-url, length: 0
*Mar 9 19:02:29.564: IKEv2:(SESSION ID = 562,SA ID = 3):Attrib type: backup-gateway, length: 0
*Mar 9 19:02:29.564: IKEv2:(SESSION ID = 562,SA ID = 3):Attrib type: def-domain, length: 0
*Mar 9 19:02:29.564: IKEv2:(SESSION ID = 562,SA ID = 3):Set received config mode data
*Mar 9 19:02:29.564: IKEv2:(SESSION ID = 562,SA ID = 3):Processing IKE_AUTH message
*Mar 9 19:02:29.570: IKEv2:% DVTI create request sent for profile POC-IKEV2-PROFILE-01 with PSH index 3.
*Mar 9 19:02:29.570: IKEv2:(SESSION ID = 562,SA ID = 3):
*Mar 9 19:02:30.284: IKEv2:Received Packet [From 178.153.80.249:500/To 192.168.100.234:500/VRF i0:f0] Initiator SPI : 23DCB4308970E278 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Mar 9 19:02:30.284: IKEv2:(SESSION ID = 563,SA ID = 7):Verify SA init message
*Mar 9 19:02:30.284: IKEv2:(SESSION ID = 563,SA ID = 7):Insert SA
*Mar 9 19:02:30.284: IKEv2:Searching Policy with fvrf 0, local address 192.168.100.234
*Mar 9 19:02:30.284: IKEv2:Found Policy 'POC-POL-01'
*Mar 9 19:02:30.284: IKEv2:(SESSION ID = 563,SA ID = 7):Processing IKE_SA_INIT message
*Mar 9 19:02:30.294: IKEv2:(SA ID = 7):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Mar 9 19:02:30.294: IKEv2:(SA ID = 7):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Mar 9 19:02:30.294: IKEv2:Failed to retrieve Certificate Issuer list
*Mar 9 19:02:30.298: IKEv2:(SESSION ID = 563,SA ID = 7):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Mar 9 19:02:30.298: IKEv2:(SA ID = 7):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Mar 9 19:02:30.298: IKEv2:(SESSION ID = 563,SA ID = 7):Request queued for computation of DH key
*Mar 9 19:02:30.298: IKEv2:(SESSION ID = 563,SA ID = 7):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Mar 9 19:02:30.303: IKEv2:(SA ID = 7):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Mar 9 19:02:30.303: IKEv2:(SESSION ID = 563,SA ID = 7):Request queued for computation of DH secret
*Mar 9 19:02:30.303: IKEv2:(SA ID = 7):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Mar 9 19:02:30.304: IKEv2:(SA ID = 7):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Mar 9 19:02:30.304: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Mar 9 19:02:30.304: IKEv2:(SESSION ID = 563,SA ID = 7):Generating IKE_SA_INIT message
*Mar 9 19:02:30.304: IKEv2:(SESSION ID = 563,SA ID = 7):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_256_ECP/Group 19
*Mar 9 19:02:30.304: IKEv2:(SA ID = 7):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Mar 9 19:02:30.304: IKEv2:(SA ID = 7):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Mar 9 19:02:30.304: IKEv2:Failed to retrieve Certificate Issuer list
*Mar 9 19:02:30.309: IKEv2:(SESSION ID = 563,SA ID = 7):Sending Packet [To 178.153.80.249:500/From 192.168.100.234:500/VRF i0:f0] Initiator SPI : 23DCB4308970E278 - Responder SPI : 156F7E81F1E78F71 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)