001426: *Dec 6 12:09:33.620 SGP: ISAKMP-PAK: (0):received packet from 10.10.10.12 dport 500 sport 500 Global (N) NEW SA
001427: *Dec 6 12:09:33.620 SGP: ISAKMP: (0):Created a peer struct for 10.10.10.12, peer port 500
001428: *Dec 6 12:09:33.620 SGP: ISAKMP: (0):New peer created peer = 0x80FFFF7C7DE8C8 peer_handle = 0x80000040000012
001429: *Dec 6 12:09:33.620 SGP: ISAKMP: (0):Locking peer struct 0x80FFFF7C7DE8C8, refcount 1 for crypto_isakmp_process_block
001430: *Dec 6 12:09:33.620 SGP: ISAKMP: (0):local port 500, remote port 500
001431: *Dec 6 12:09:33.620 SGP: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 80FFFF82327EF8
001432: *Dec 6 12:09:33.620 SGP: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
001433: *Dec 6 12:09:33.620 SGP: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1
001434: *Dec 6 12:09:33.620 SGP: ISAKMP: (0):processing SA payload. message ID = 0
001435: *Dec 6 12:09:33.620 SGP: ISAKMP: (0):processing vendor id payload
001436: *Dec 6 12:09:33.620 SGP: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
001437: *Dec 6 12:09:33.620 SGP: ISAKMP: (0):vendor ID is NAT-T v2
001438: *Dec 6 12:09:33.620 SGP: ISAKMP: (0):processing vendor id payload
001439: *Dec 6 12:09:33.620 SGP: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
001440: *Dec 6 12:09:33.620 SGP: ISAKMP: (0):vendor ID is NAT-T v3
001441: *Dec 6 12:09:33.621 SGP: ISAKMP: (0):processing vendor id payload
001442: *Dec 6 12:09:33.621 SGP: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
001443: *Dec 6 12:09:33.621 SGP: ISAKMP: (0):vendor ID is NAT-T RFC 3947
001444: *Dec 6 12:09:33.621 SGP: ISAKMP: (0):processing vendor id payload
001445: *Dec 6 12:09:33.621 SGP: ISAKMP: (0):processing IKE frag vendor id payload
001446: *Dec 6 12:09:33.621 SGP: ISAKMP: (0):Support for IKE Fragmentation not enabled
001447: *Dec 6 12:09:33.621 SGP: ISAKMP: (0):Scanning profiles for xauth ...
001448: *Dec 6 12:09:33.621 SGP: ISAKMP: (0):IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer 10.10.10.12)
001449: *Dec 6 12:09:33.621 SGP: ISAKMP: (0):PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer 10.10.10.12)
001450: *Dec 6 12:09:33.621 SGP: ISAKMP: (0):Checking ISAKMP transform 1 against priority 1 policy
001451: *Dec 6 12:09:33.621 SGP: ISAKMP: (0): default group 5
001452: *Dec 6 12:09:33.621 SGP: ISAKMP: (0): encryption AES-CBC
001453: *Dec 6 12:09:33.621 SGP: ISAKMP: (0): keylength of 256
001454: *Dec 6 12:09:33.621 SGP: ISAKMP: (0): hash SHA
001455: *Dec 6 12:09:33.621 SGP: ISAKMP: (0): auth RSA sig
001456: *Dec 6 12:09:33.621 SGP: ISAKMP: (0): life type in seconds
001457: *Dec 6 12:09:33.621 SGP: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
001458: *Dec 6 12:09:33.621 SGP: ISAKMP: (0):atts are acceptable. Next payload is 0
001459: *Dec 6 12:09:33.621 SGP: ISAKMP: (0):Acceptable atts:actual life: 28800
001460: *Dec 6 12:09:33.621 SGP: ISAKMP: (0):Acceptable atts:life: 0
001461: *Dec 6 12:09:33.621 SGP: ISAKMP: (0):Fill atts in sa vpi_length:4
001462: *Dec 6 12:09:33.621 SGP: ISAKMP: (0):Fill atts in sa life_in_seconds:86400
001463: *Dec 6 12:09:33.621 SGP: ISAKMP: (0):IKE->PKI Start PKI Session state (R) MM_NO_STATE (peer 10.10.10.12)
001464: *Dec 6 12:09:33.621 SGP: ISAKMP: (0):PKI->IKE Started PKI Session state (R) MM_NO_STATE (peer 10.10.10.12)
001465: *Dec 6 12:09:33.622 SGP: ISAKMP: (0):Returning Actual lifetime: 28800
001466: *Dec 6 12:09:33.622 SGP: ISAKMP: (0):Started lifetime timer: 28800.
001467: *Dec 6 12:09:33.642 SGP: ISAKMP: (0):processing vendor id payload
001468: *Dec 6 12:09:33.642 SGP: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
001469: *Dec 6 12:09:33.642 SGP: ISAKMP: (0):vendor ID is NAT-T v2
001470: *Dec 6 12:09:33.642 SGP: ISAKMP: (0):processing vendor id payload
001471: *Dec 6 12:09:33.642 SGP: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
001472: *Dec 6 12:09:33.642 SGP: ISAKMP: (0):vendor ID is NAT-T v3
001473: *Dec 6 12:09:33.642 SGP: ISAKMP: (0):processing vendor id payload
001474: *Dec 6 12:09:33.642 SGP: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
001475: *Dec 6 12:09:33.642 SGP: ISAKMP: (0):vendor ID is NAT-T RFC 3947
001476: *Dec 6 12:09:33.642 SGP: ISAKMP: (0):processing vendor id payload
001477: *Dec 6 12:09:33.642 SGP: ISAKMP: (0):processing IKE frag vendor id payload
001478: *Dec 6 12:09:33.643 SGP: ISAKMP: (0):Support for IKE Fragmentation not enabled
001479: *Dec 6 12:09:33.643 SGP: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
001480: *Dec 6 12:09:33.643 SGP: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1
001481: *Dec 6 12:09:33.643 SGP: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
001482: *Dec 6 12:09:33.643 SGP: ISAKMP-PAK: (0):sending packet to 10.10.10.12 my_port 500 peer_port 500 (R) MM_SA_SETUP
001483: *Dec 6 12:09:33.643 SGP: ISAKMP: (0):Sending an IKE IPv4 Packet.
001484: *Dec 6 12:09:33.643 SGP: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
001485: *Dec 6 12:09:33.643 SGP: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2
001486: *Dec 6 12:09:33.671 SGP: ISAKMP-PAK: (0):received packet from 10.10.10.12 dport 500 sport 500 Global (R) MM_SA_SETUP
001487: *Dec 6 12:09:33.671 SGP: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
001488: *Dec 6 12:09:33.671 SGP: ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3
001489: *Dec 6 12:09:33.671 SGP: ISAKMP: (0):processing KE payload. message ID = 0
001490: *Dec 6 12:09:33.683 SGP: ISAKMP: (0):processing NONCE payload. message ID = 0
001491: *Dec 6 12:09:33.684 SGP: ISAKMP: (1002):processing vendor id payload
001492: *Dec 6 12:09:33.684 SGP: ISAKMP: (1002):vendor ID is Unity
001493: *Dec 6 12:09:33.684 SGP: ISAKMP: (1002):processing vendor id payload
001494: *Dec 6 12:09:33.684 SGP: ISAKMP: (1002):vendor ID seems Unity/DPD but major 226 mismatch
001495: *Dec 6 12:09:33.684 SGP: ISAKMP: (1002):vendor ID is XAUTH
001496: *Dec 6 12:09:33.684 SGP: ISAKMP: (1002):processing vendor id payload
001497: *Dec 6 12:09:33.684 SGP: ISAKMP: (1002):speaking to another IOS box!
001498: *Dec 6 12:09:33.684 SGP: ISAKMP: (1002):processing vendor id payload
001499: *Dec 6 12:09:33.684 SGP: ISAKMP: (1002):vendor ID seems Unity/DPD but hash mismatch
001500: *Dec 6 12:09:33.684 SGP: ISAKMP: (1002):received payload type 20
001501: *Dec 6 12:09:33.684 SGP: ISAKMP: (1002):His hash no match - this node outside NAT
001502: *Dec 6 12:09:33.684 SGP: ISAKMP: (1002):received payload type 20
001503: *Dec 6 12:09:33.684 SGP: ISAKMP: (1002):His hash no match - this node outside NAT
001504: *Dec 6 12:09:33.684 SGP: ISAKMP: (1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
001505: *Dec 6 12:09:33.684 SGP: ISAKMP: (1002):Old State = IKE_R_MM3 New State = IKE_R_MM3
001506: *Dec 6 12:09:33.684 SGP: ISAKMP: (1002):IKE->PKI Get configured TrustPoints state (R) MM_KEY_EXCH (peer 10.10.10.12)
001507: *Dec 6 12:09:33.685 SGP: ISAKMP: (1002):PKI->IKE Got configured TrustPoints state (R) MM_KEY_EXCH (peer 10.10.10.12)
001508: *Dec 6 12:09:33.685 SGP: ISAKMP: (1002):IKE->PKI Get IssuerNames state (R) MM_KEY_EXCH (peer 10.10.10.12)
001509: *Dec 6 12:09:33.685 SGP: ISAKMP: (1002):PKI->IKE Got IssuerNames state (R) MM_KEY_EXCH (peer 10.10.10.12)
001510: *Dec 6 12:09:33.685 SGP: ISAKMP: (1002):constructing CERT_REQ for issuer cn=Winston-Root
001511: *Dec 6 12:09:33.685 SGP: ISAKMP: (1002):constructing CERT_REQ for issuer cn=Cisco Licensing Root CA,o=Cisco
001512: *Dec 6 12:09:33.685 SGP: ISAKMP-PAK: (1002):sending packet to 10.10.10.12 my_port 500 peer_port 500 (R) MM_KEY_EXCH
001513: *Dec 6 12:09:33.685 SGP: ISAKMP: (1002):Sending an IKE IPv4 Packet.
001514: *Dec 6 12:09:33.685 SGP: ISAKMP: (1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
001515: *Dec 6 12:09:33.685 SGP: ISAKMP: (1002):Old State = IKE_R_MM3 New State = IKE_R_MM4
001516: *Dec 6 12:09:33.726 SGP: ISAKMP-PAK: (1002):received packet from 10.10.10.12 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
001517: *Dec 6 12:09:33.726 SGP: ISAKMP: (1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
001518: *Dec 6 12:09:33.726 SGP: ISAKMP: (1002):Old State = IKE_R_MM4 New State = IKE_R_MM5
001519: *Dec 6 12:09:33.726 SGP: ISAKMP: (1002):processing ID payload. message ID = 0
001520: *Dec 6 12:09:33.727 SGP: ISAKMP: (1002):ID payload next-payload : 6 type : 9
001521: *Dec 6 12:09:33.727 SGP: ISAKMP: (1002): Dist. name : cn=Root-CA
001522: *Dec 6 12:09:33.727 SGP: ISAKMP: (1002): protocol : 0 port : 0 length : 42
001523: *Dec 6 12:09:33.727 SGP: ISAKMP: (0):UNITY's identity FQDN but no group info
001524: *Dec 6 12:09:33.727 SGP: ISAKMP: (0):peer matches *none* of the profiles
001525: *Dec 6 12:09:33.727 SGP: ISAKMP: (1002):processing CERT payload. message ID = 0
001526: *Dec 6 12:09:33.727 SGP: ISAKMP: (1002):processing a CT_X509_SIGNATURE cert
001527: *Dec 6 12:09:33.727 SGP: ISAKMP: (1002):IKE->PKI Add peer's certificate state (R) MM_KEY_EXCH (peer 10.10.10.12)
001528: *Dec 6 12:09:33.728 SGP: ISAKMP: (1002):PKI->IKE Added peer's certificate state (R) MM_KEY_EXCH (peer 10.10.10.12)
001529: *Dec 6 12:09:33.728 SGP: ISAKMP: (1002):IKE->PKI Get PeerCertificateChain state (R) MM_KEY_EXCH (peer 10.10.10.12)
001530: *Dec 6 12:09:33.728 SGP: ISAKMP: (1002):PKI->IKE Got PeerCertificateChain state (R) MM_KEY_EXCH (peer 10.10.10.12)
001531: *Dec 6 12:09:33.728 SGP: ISAKMP: (1002):peer's pubkey isn't cached
001532: *Dec 6 12:09:33.728 SGP: ISAKMP: (0):UNITY's identity FQDN but no group info
001533: *Dec 6 12:09:33.728 SGP: ISAKMP: (0):peer matches *none* of the profiles
001534: *Dec 6 12:09:33.728 SGP: ISAKMP: (1002):IKE->PKI Validate certificate chain state (R) MM_KEY_EXCH (peer 10.10.10.12)
001535: *Dec 6 12:09:33.739 SGP: ISAKMP: (1002):PKI->IKE Validate certificate chain state (R) MM_KEY_EXCH (peer 10.10.10.12)
001536: *Dec 6 12:09:33.739 SGP: ISAKMP-ERROR: (1002):Unable to get DN from certificate!
001537: *Dec 6 12:09:33.739 SGP: ISAKMP-ERROR: (1002):Cert presented by peer contains no OU field.
001538: *Dec 6 12:09:33.740 SGP: ISAKMP: (1002):processing SIG payload. message ID = 0
001539: *Dec 6 12:09:33.741 SGP: ISAKMP: (1002):received payload type 17
001540: *Dec 6 12:09:33.741 SGP: ISAKMP: (1002):processing keep alive: proposal=32767/32767 sec., actual=10/10 sec.
001541: *Dec 6 12:09:33.741 SGP: ISAKMP: (1002):processing vendor id payload
001542: *Dec 6 12:09:33.741 SGP: ISAKMP: (1002):vendor ID is DPD
001543: *Dec 6 12:09:33.741 SGP: ISAKMP: (1002):SA authentication status: authenticated
001544: *Dec 6 12:09:33.741 SGP: ISAKMP: (1002):SA has been authenticated with 10.10.10.12
001545: *Dec 6 12:09:33.741 SGP: ISAKMP: (1002):Detected port floating to port = 4500
001546: *Dec 6 12:09:33.742 SGP: ISAKMP: (0):Trying to insert a peer 10.20.20.9/10.10.10.12/4500/,
001547: *Dec 6 12:09:33.742 SGP: ISAKMP: (0): and inserted successfully 80FFFF7C7DE8C8.
001548: *Dec 6 12:09:33.742 SGP: ISAKMP: (1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
001549: *Dec 6 12:09:33.742 SGP: ISAKMP: (1002):Old State = IKE_R_MM5 New State = IKE_R_MM5
001550: *Dec 6 12:09:33.742 SGP: ISAKMP: (1002):processing CERT_REQ payload. message ID = 0
001551: *Dec 6 12:09:33.742 SGP: ISAKMP: (1002):peer wants a CT_X509_SIGNATURE cert
001552: *Dec 6 12:09:33.742 SGP: ISAKMP: (1002):peer wants cert issued by cn=Winston-Root
001553: *Dec 6 12:09:33.742 SGP: ISAKMP: (0):Choosing trustpoint Winston as issuer
001554: *Dec 6 12:09:33.742 SGP: ISAKMP: (1002):processing CERT_REQ payload. message ID = 0
001555: *Dec 6 12:09:33.742 SGP: ISAKMP: (1002):peer wants a CT_X509_SIGNATURE cert
001556: *Dec 6 12:09:33.742 SGP: ISAKMP: (1002):peer wants cert issued by cn=Winston-RootCA
001557: *Dec 6 12:09:33.742 SGP: ISAKMP: (1002):processing CERT_REQ payload. message ID = 0
001558: *Dec 6 12:09:33.742 SGP: ISAKMP: (1002):peer wants a CT_X509_SIGNATURE cert
001559: *Dec 6 12:09:33.743 SGP: ISAKMP: (1002):peer wants cert issued by cn=Winston-Root
001560: *Dec 6 12:09:33.743 SGP: ISAKMP: (1002):IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer 10.10.10.12)
001561: *Dec 6 12:09:33.743 SGP: ISAKMP: (1002):PKI->IKE Got self CertificateChain state (R) MM_KEY_EXCH (peer 10.10.10.12)
001562: *Dec 6 12:09:33.743 SGP: ISAKMP: (1002):IKE->PKI Get SubjectName state (R) MM_KEY_EXCH (peer 10.10.10.12)
001563: *Dec 6 12:09:33.744 SGP: ISAKMP: (1002):PKI->IKE Got SubjectName state (R) MM_KEY_EXCH (peer 10.10.10.12)
001564: *Dec 6 12:09:33.744 SGP: ISAKMP: (1002):IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer 10.10.10.12)
001565: *Dec 6 12:09:33.745 SGP: ISAKMP: (1002):PKI->IKE Got self CertificateChain IKE->PKI Get subject name attribute state (R) MM_KEY_EXCH (peer 10.10.10.12)
001566: *Dec 6 12:09:33.746 SGP: ISAKMP: (1002):PKI->IKE Got subject name attribute state (R) MM_KEY_EXCH (peer 10.10.10.12)
001567: *Dec 6 12:09:33.746 SGP: ISAKMP: (1002):SA is doing
001568: *Dec 6 12:09:33.746 SGP: ISAKMP: (1002):RSA signature authentication using id type ID_DER_ASN1_DN
001569: *Dec 6 12:09:33.746 SGP: ISAKMP: (1002):ID payload next-payload : 6 type : 9
001570: *Dec 6 12:09:33.746 SGP: ISAKMP: (1002): Dist. name : cn=Winston-R1
001571: *Dec 6 12:09:33.746 SGP: ISAKMP: (1002): protocol : 17 port : 0 length : 33
001572: *Dec 6 12:09:33.746 SGP: ISAKMP: (1002):Total payload length: 33
001573: *Dec 6 12:09:33.746 SGP: ISAKMP: (1002):IKE->PKI Get CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer 10.10.10.12)
001574: *Dec 6 12:09:33.747 SGP: ISAKMP: (1002):PKI->IKE Got CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer 10.10.10.12)
001575: *Dec 6 12:09:33.749 SGP: ISAKMP: (1002):constructing CERT payload for cn=Winston-R1
001576: *Dec 6 12:09:33.749 SGP: ISAKMP: (0):growing send buffer from 1024 to 3072
001577: *Dec 6 12:09:33.749 SGP: ISAKMP: (1002):using the Winston trustpoint's keypair to sign
001578: *Dec 6 12:09:33.786 SGP: ISAKMP: (1002):Returning Actual lifetime: 28800
001579: *Dec 6 12:09:33.786 SGP: ISAKMP-PAK: (1002):sending packet to 10.10.10.12 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
001580: *Dec 6 12:09:33.786 SGP: ISAKMP: (1002):Sending an IKE IPv4 Packet.
001581: *Dec 6 12:09:33.786 SGP: ISAKMP: (1002):Returning Actual lifetime: 28800
001582: *Dec 6 12:09:33.787 SGP: ISAKMP: (1002):set new node 3890166102 to QM_IDLE
001583: *Dec 6 12:09:33.787 SGP: ISAKMP: (1002):Sending NOTIFY RESPONDER_LIFETIME protocol 1 spi 36310269796173576, message ID = 3890166102
001584: *Dec 6 12:09:33.787 SGP: ISAKMP-PAK: (1002):sending packet to 10.10.10.12 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
001585: *Dec 6 12:09:33.787 SGP: ISAKMP: (1002):Sending an IKE IPv4 Packet.
001586: *Dec 6 12:09:33.787 SGP: ISAKMP: (1002):purging node 3890166102
001587: *Dec 6 12:09:33.787 SGP: ISAKMP: (1002):Sending phase 1 responder lifetime 28800
001588: *Dec 6 12:09:33.787 SGP: ISAKMP: (1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
001589: *Dec 6 12:09:33.787 SGP: ISAKMP: (1002):Old State = IKE_R_MM5 New State = IKE_R_MM5
001590: *Dec 6 12:09:33.787 SGP: ISAKMP: (1002):Input = IKE_MESG_INTERNAL, IKE_FETCH_USER_ATTR
001591: *Dec 6 12:09:33.787 SGP: ISAKMP: (1002):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
001592: *Dec 6 12:09:33.787 SGP: ISAKMP: (1002):IKE_DPD is enabled, initializing timers
001593: *Dec 6 12:09:33.787 SGP: ISAKMP: (1002):IKE->PKI End PKI Session state (R) QM_IDLE (peer 10.10.10.12)
001594: *Dec 6 12:09:33.788 SGP: ISAKMP: (1002):PKI->IKE Ended PKI session state (R) QM_IDLE (peer 10.10.10.12)
001595: *Dec 6 12:09:33.788 SGP: ISAKMP: (1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
001596: *Dec 6 12:09:33.788 SGP: ISAKMP: (1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
001597: *Dec 6 12:09:33.833 SGP: ISAKMP-PAK: (1002):received packet from 10.10.10.12 dport 4500 sport 4500 Global (R) QM_IDLE
001598: *Dec 6 12:09:33.833 SGP: ISAKMP: (1002):set new node 3606052220 to QM_IDLE
001599: *Dec 6 12:09:33.833 SGP: ISAKMP: (1002):processing HASH payload. message ID = 3606052220
001600: *Dec 6 12:09:33.833 SGP: ISAKMP: (1002):processing DELETE payload. message ID = 3606052220
001601: *Dec 6 12:09:33.833 SGP: ISAKMP: (1002):peer does not do paranoid keepalives.
001602: *Dec 6 12:09:33.834 SGP: ISAKMP: (1002):deleting SA reason "No reason" state (R) QM_IDLE (peer 10.10.10.12)
001603: *Dec 6 12:09:33.834 SGP: ISAKMP: (1002):deleting node 3606052220 error FALSE reason "Informational (in) state 1"
001604: *Dec 6 12:09:33.834 SGP: IPSec: Key engine got a KEY_MGR_CHECK_MORE_SAS message
001605: *Dec 6 12:09:33.834 SGP: ISAKMP (1002): IPSec has no more SA's with this peer. Won't keepalive phase 1.
001606: *Dec 6 12:09:33.835 SGP: ISAKMP: (1002):set new node 1568445953 to QM_IDLE
001607: *Dec 6 12:09:33.835 SGP: ISAKMP-PAK: (1002):sending packet to 10.10.10.12 my_port 4500 peer_port 4500 (R) QM_IDLE
001608: *Dec 6 12:09:33.835 SGP: ISAKMP: (1002):Sending an IKE IPv4 Packet.
001609: *Dec 6 12:09:33.835 SGP: ISAKMP: (1002):purging node 1568445953
001610: *Dec 6 12:09:33.835 SGP: ISAKMP: (1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
001611: *Dec 6 12:09:33.835 SGP: ISAKMP: (1002):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
001612: *Dec 6 12:09:33.835 SGP: ISAKMP: (1002):deleting SA reason "No reason" state (R) QM_IDLE (peer 10.10.10.12)
001613: *Dec 6 12:09:33.835 SGP: ISAKMP: (0):Unlocking peer struct 0x80FFFF7C7DE8C8 for isadb_mark_sa_deleted(), count 0
001614: *Dec 6 12:09:33.835 SGP: ISAKMP: (0):Deleting peer node by peer_reap for 10.10.10.12: 80FFFF7C7DE8C8
001615: *Dec 6 12:09:33.839 SGP: ISAKMP: (1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
001616: *Dec 6 12:09:33.839 SGP: ISAKMP: (1002):Old State = IKE_DEST_SA New State = IKE_DEST_SA
001617: *Dec 6 12:09:41.619 SGP: ISAKMP-PAK: (0):received packet from 10.10.10.12 dport 500 sport 500 Global (N) NEW SA
001618: *Dec 6 12:09:41.619 SGP: ISAKMP: (0):Created a peer struct for 10.10.10.12, peer port 500
001619: *Dec 6 12:09:41.619 SGP: ISAKMP: (0):New peer created peer = 0x80FFFF82077100 peer_handle = 0x80000040000015
001620: *Dec 6 12:09:41.619 SGP: ISAKMP: (0):Locking peer struct 0x80FFFF82077100, refcount 1 for crypto_isakmp_process_block
001621: *Dec 6 12:09:41.619 SGP: ISAKMP: (0):local port 500, remote port 500
001622: *Dec 6 12:09:41.619 SGP: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 80FFFF75FFB5A8
001623: *Dec 6 12:09:41.619 SGP: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
001624: *Dec 6 12:09:41.619 SGP: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1
001625: *Dec 6 12:09:41.620 SGP: ISAKMP: (0):processing SA payload. message ID = 0
001626: *Dec 6 12:09:41.620 SGP: ISAKMP: (0):processing vendor id payload
001627: *Dec 6 12:09:41.620 SGP: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
001628: *Dec 6 12:09:41.620 SGP: ISAKMP: (0):vendor ID is NAT-T v2
001629: *Dec 6 12:09:41.620 SGP: ISAKMP: (0):processing vendor id payload
001630: *Dec 6 12:09:41.620 SGP: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
001631: *Dec 6 12:09:41.620 SGP: ISAKMP: (0):vendor ID is NAT-T v3
001632: *Dec 6 12:09:41.620 SGP: ISAKMP: (0):processing vendor id payload
001633: *Dec 6 12:09:41.620 SGP: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
001634: *Dec 6 12:09:41.620 SGP: ISAKMP: (0):vendor ID is NAT-T RFC 3947
001635: *Dec 6 12:09:41.620 SGP: ISAKMP: (0):processing vendor id payload
001636: *Dec 6 12:09:41.620 SGP: ISAKMP: (0):processing IKE frag vendor id payload
001637: *Dec 6 12:09:41.620 SGP: ISAKMP: (0):Support for IKE Fragmentation not enabled
001638: *Dec 6 12:09:41.620 SGP: ISAKMP: (0):Scanning profiles for xauth ...
001639: *Dec 6 12:09:41.620 SGP: ISAKMP: (0):IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer 10.10.10.12)
001640: *Dec 6 12:09:41.620 SGP: ISAKMP: (0):PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer 10.10.10.12)
001641: *Dec 6 12:09:41.620 SGP: ISAKMP: (0):Checking ISAKMP transform 1 against priority 1 policy
001642: *Dec 6 12:09:41.620 SGP: ISAKMP: (0): default group 5
001643: *Dec 6 12:09:41.620 SGP: ISAKMP: (0): encryption AES-CBC
001644: *Dec 6 12:09:41.620 SGP: ISAKMP: (0): keylength of 256
001645: *Dec 6 12:09:41.620 SGP: ISAKMP: (0): hash SHA
001646: *Dec 6 12:09:41.620 SGP: ISAKMP: (0): auth RSA sig
001647: *Dec 6 12:09:41.620 SGP: ISAKMP: (0): life type in seconds
001648: *Dec 6 12:09:41.620 SGP: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
001649: *Dec 6 12:09:41.621 SGP: ISAKMP: (0):atts are acceptable. Next payload is 0
001650: *Dec 6 12:09:41.621 SGP: ISAKMP: (0):Acceptable atts:actual life: 28800
001651: *Dec 6 12:09:41.621 SGP: ISAKMP: (0):Acceptable atts:life: 0
001652: *Dec 6 12:09:41.621 SGP: ISAKMP: (0):Fill atts in sa vpi_length:4
001653: *Dec 6 12:09:41.621 SGP: ISAKMP: (0):Fill atts in sa life_in_seconds:86400
001654: *Dec 6 12:09:41.621 SGP: ISAKMP: (0):IKE->PKI Start PKI Session state (R) MM_NO_STATE (peer 10.10.10.12)
001655: *Dec 6 12:09:41.621 SGP: ISAKMP: (0):PKI->IKE Started PKI Session state (R) MM_NO_STATE (peer 10.10.10.12)
001656: *Dec 6 12:09:41.621 SGP: ISAKMP: (0):Returning Actual lifetime: 28800
001657: *Dec 6 12:09:41.621 SGP: ISAKMP: (0):Started lifetime timer: 28800.
001658: *Dec 6 12:09:41.642 SGP: ISAKMP: (0):processing vendor id payload
001659: *Dec 6 12:09:41.642 SGP: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
001660: *Dec 6 12:09:41.642 SGP: ISAKMP: (0):vendor ID is NAT-T v2
001661: *Dec 6 12:09:41.642 SGP: ISAKMP: (0):processing vendor id payload
001662: *Dec 6 12:09:41.642 SGP: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
001663: *Dec 6 12:09:41.642 SGP: ISAKMP: (0):vendor ID is NAT-T v3
001664: *Dec 6 12:09:41.642 SGP: ISAKMP: (0):processing vendor id payload
001665: *Dec 6 12:09:41.642 SGP: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
001666: *Dec 6 12:09:41.642 SGP: ISAKMP: (0):vendor ID is NAT-T RFC 3947
001667: *Dec 6 12:09:41.642 SGP: ISAKMP: (0):processing vendor id payload
001668: *Dec 6 12:09:41.642 SGP: ISAKMP: (0):processing IKE frag vendor id payload
001669: *Dec 6 12:09:41.642 SGP: ISAKMP: (0):Support for IKE Fragmentation not enabled
001670: *Dec 6 12:09:41.642 SGP: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
001671: *Dec 6 12:09:41.642 SGP: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1
001672: *Dec 6 12:09:41.642 SGP: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
001673: *Dec 6 12:09:41.642 SGP: ISAKMP-PAK: (0):sending packet to 10.10.10.12 my_port 500 peer_port 500 (R) MM_SA_SETUP
001674: *Dec 6 12:09:41.642 SGP: ISAKMP: (0):Sending an IKE IPv4 Packet.
001675: *Dec 6 12:09:41.643 SGP: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
001676: *Dec 6 12:09:41.643 SGP: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2
001677: *Dec 6 12:09:41.670 SGP: ISAKMP-PAK: (0):received packet from 10.10.10.12 dport 500 sport 500 Global (R) MM_SA_SETUP
001678: *Dec 6 12:09:41.670 SGP: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
001679: *Dec 6 12:09:41.670 SGP: ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3
001680: *Dec 6 12:09:41.670 SGP: ISAKMP: (0):processing KE payload. message ID = 0
001681: *Dec 6 12:09:41.682 SGP: ISAKMP: (0):processing NONCE payload. message ID = 0
001682: *Dec 6 12:09:41.682 SGP: ISAKMP: (1003):processing vendor id payload
001683: *Dec 6 12:09:41.682 SGP: ISAKMP: (1003):vendor ID is Unity
001684: *Dec 6 12:09:41.682 SGP: ISAKMP: (1003):processing vendor id payload
001685: *Dec 6 12:09:41.682 SGP: ISAKMP: (1003):vendor ID seems Unity/DPD but major 253 mismatch
001686: *Dec 6 12:09:41.682 SGP: ISAKMP: (1003):vendor ID is XAUTH
001687: *Dec 6 12:09:41.682 SGP: ISAKMP: (1003):processing vendor id payload
001688: *Dec 6 12:09:41.682 SGP: ISAKMP: (1003):speaking to another IOS box!
001689: *Dec 6 12:09:41.682 SGP: ISAKMP: (1003):processing vendor id payload
001690: *Dec 6 12:09:41.682 SGP: ISAKMP: (1003):vendor ID seems Unity/DPD but hash mismatch
001691: *Dec 6 12:09:41.682 SGP: ISAKMP: (1003):received payload type 20
001692: *Dec 6 12:09:41.682 SGP: ISAKMP: (1003):His hash no match - this node outside NAT
001693: *Dec 6 12:09:41.682 SGP: ISAKMP: (1003):received payload type 20
001694: *Dec 6 12:09:41.682 SGP: ISAKMP: (1003):His hash no match - this node outside NAT
001695: *Dec 6 12:09:41.682 SGP: ISAKMP: (1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
001696: *Dec 6 12:09:41.682 SGP: ISAKMP: (1003):Old State = IKE_R_MM3 New State = IKE_R_MM3
001697: *Dec 6 12:09:41.683 SGP: ISAKMP: (1003):IKE->PKI Get configured TrustPoints state (R) MM_KEY_EXCH (peer 10.10.10.12)
001698: *Dec 6 12:09:41.683 SGP: ISAKMP: (1003):PKI->IKE Got configured TrustPoints state (R) MM_KEY_EXCH (peer 10.10.10.12)
001699: *Dec 6 12:09:41.683 SGP: ISAKMP: (1003):IKE->PKI Get IssuerNames state (R) MM_KEY_EXCH (peer 10.10.10.12)
001700: *Dec 6 12:09:41.683 SGP: ISAKMP: (1003):PKI->IKE Got IssuerNames state (R) MM_KEY_EXCH (peer 10.10.10.12)
001701: *Dec 6 12:09:41.683 SGP: ISAKMP: (1003):constructing CERT_REQ for issuer cn=Winston-Root
001702: *Dec 6 12:09:41.683 SGP: ISAKMP: (1003):constructing CERT_REQ for issuer cn=Cisco Licensing Root CA,o=Cisco
001703: *Dec 6 12:09:41.683 SGP: ISAKMP-PAK: (1003):sending packet to 10.10.10.12 my_port 500 peer_port 500 (R) MM_KEY_EXCH
001704: *Dec 6 12:09:41.683 SGP: ISAKMP: (1003):Sending an IKE IPv4 Packet.
001705: *Dec 6 12:09:41.683 SGP: ISAKMP: (1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
001706: *Dec 6 12:09:41.683 SGP: ISAKMP: (1003):Old State = IKE_R_MM3 New State = IKE_R_MM4
001707: *Dec 6 12:09:41.723 SGP: ISAKMP-PAK: (1003):received packet from 10.10.10.12 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
001708: *Dec 6 12:09:41.723 SGP: ISAKMP: (1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
001709: *Dec 6 12:09:41.723 SGP: ISAKMP: (1003):Old State = IKE_R_MM4 New State = IKE_R_MM5
001710: *Dec 6 12:09:41.723 SGP: ISAKMP: (1003):processing ID payload. message ID = 0
001711: *Dec 6 12:09:41.723 SGP: ISAKMP: (1003):ID payload next-payload : 6 type : 9
001712: *Dec 6 12:09:41.723 SGP: ISAKMP: (1003): Dist. name : cn=Root-CA
001713: *Dec 6 12:09:41.723 SGP: ISAKMP: (1003): protocol : 0 port : 0 length : 42
001714: *Dec 6 12:09:41.723 SGP: ISAKMP: (0):UNITY's identity FQDN but no group info
001715: *Dec 6 12:09:41.723 SGP: ISAKMP: (0):peer matches *none* of the profiles
001716: *Dec 6 12:09:41.723 SGP: ISAKMP: (1003):processing CERT payload. message ID = 0
001717: *Dec 6 12:09:41.723 SGP: ISAKMP: (1003):processing a CT_X509_SIGNATURE cert
001718: *Dec 6 12:09:41.723 SGP: ISAKMP: (1003):IKE->PKI Add peer's certificate state (R) MM_KEY_EXCH (peer 10.10.10.12)
001719: *Dec 6 12:09:41.724 SGP: ISAKMP: (1003):PKI->IKE Added peer's certificate state (R) MM_KEY_EXCH (peer 10.10.10.12)
001720: *Dec 6 12:09:41.725 SGP: ISAKMP: (1003):IKE->PKI Get PeerCertificateChain state (R) MM_KEY_EXCH (peer 10.10.10.12)
001721: *Dec 6 12:09:41.725 SGP: ISAKMP: (1003):PKI->IKE Got PeerCertificateChain state (R) MM_KEY_EXCH (peer 10.10.10.12)
001722: *Dec 6 12:09:41.725 SGP: ISAKMP: (1003):peer's pubkey isn't cached
001723: *Dec 6 12:09:41.725 SGP: ISAKMP: (0):UNITY's identity FQDN but no group info
001724: *Dec 6 12:09:41.725 SGP: ISAKMP: (0):peer matches *none* of the profiles
001725: *Dec 6 12:09:41.725 SGP: ISAKMP: (1003):IKE->PKI Validate certificate chain state (R) MM_KEY_EXCH (peer 10.10.10.12)
001726: *Dec 6 12:09:41.732 SGP: ISAKMP: (1003):PKI->IKE Validate certificate chain state (R) MM_KEY_EXCH (peer 10.10.10.12)
001727: *Dec 6 12:09:41.733 SGP: ISAKMP-ERROR: (1003):Unable to get DN from certificate!
001728: *Dec 6 12:09:41.733 SGP: ISAKMP-ERROR: (1003):Cert presented by peer contains no OU field.
001729: *Dec 6 12:09:41.733 SGP: ISAKMP: (1003):processing SIG payload. message ID = 0
001730: *Dec 6 12:09:41.735 SGP: ISAKMP: (1003):received payload type 17
001731: *Dec 6 12:09:41.735 SGP: ISAKMP: (1003):processing keep alive: proposal=32767/32767 sec., actual=10/10 sec.
001732: *Dec 6 12:09:41.735 SGP: ISAKMP: (1003):processing vendor id payload
001733: *Dec 6 12:09:41.735 SGP: ISAKMP: (1003):vendor ID is DPD
001734: *Dec 6 12:09:41.735 SGP: ISAKMP: (1003):SA authentication status: authenticated
001735: *Dec 6 12:09:41.735 SGP: ISAKMP: (1003):SA has been authenticated with 10.10.10.12
001736: *Dec 6 12:09:41.735 SGP: ISAKMP: (1003):Detected port floating to port = 4500
001737: *Dec 6 12:09:41.735 SGP: ISAKMP: (0):Trying to insert a peer 10.20.20.9/10.10.10.12/4500/,
001738: *Dec 6 12:09:41.735 SGP: ISAKMP: (0): and inserted successfully 80FFFF82077100.
001739: *Dec 6 12:09:41.735 SGP: ISAKMP: (1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
001740: *Dec 6 12:09:41.735 SGP: ISAKMP: (1003):Old State = IKE_R_MM5 New State = IKE_R_MM5
001741: *Dec 6 12:09:41.735 SGP: ISAKMP: (1003):processing CERT_REQ payload. message ID = 0
001742: *Dec 6 12:09:41.735 SGP: ISAKMP: (1003):peer wants a CT_X509_SIGNATURE cert
001743: *Dec 6 12:09:41.736 SGP: ISAKMP: (1003):peer wants cert issued by cn=Winston-Root
001744: *Dec 6 12:09:41.736 SGP: ISAKMP: (0):Choosing trustpoint Winston as issuer
001745: *Dec 6 12:09:41.736 SGP: ISAKMP: (1003):processing CERT_REQ payload. message ID = 0
001746: *Dec 6 12:09:41.736 SGP: ISAKMP: (1003):peer wants a CT_X509_SIGNATURE cert
001747: *Dec 6 12:09:41.736 SGP: ISAKMP: (1003):peer wants cert issued by cn=Winston-RootCA
001748: *Dec 6 12:09:41.736 SGP: ISAKMP: (1003):processing CERT_REQ payload. message ID = 0
001749: *Dec 6 12:09:41.736 SGP: ISAKMP: (1003):peer wants a CT_X509_SIGNATURE cert
001750: *Dec 6 12:09:41.736 SGP: ISAKMP: (1003):peer wants cert issued by cn=Winston-Root
001751: *Dec 6 12:09:41.736 SGP: ISAKMP: (1003):IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer 10.10.10.12)
001752: *Dec 6 12:09:41.736 SGP: ISAKMP: (1003):PKI->IKE Got self CertificateChain state (R) MM_KEY_EXCH (peer 10.10.10.12)
001753: *Dec 6 12:09:41.736 SGP: ISAKMP: (1003):IKE->PKI Get SubjectName state (R) MM_KEY_EXCH (peer 10.10.10.12)
001754: *Dec 6 12:09:41.737 SGP: ISAKMP: (1003):PKI->IKE Got SubjectName state (R) MM_KEY_EXCH (peer 10.10.10.12)
001755: *Dec 6 12:09:41.737 SGP: ISAKMP: (1003):IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer 10.10.10.12)
001756: *Dec 6 12:09:41.738 SGP: ISAKMP: (1003):PKI->IKE Got self CertificateChain IKE->PKI Get subject name attribute state (R) MM_KEY_EXCH (peer 10.10.10.12)
001757: *Dec 6 12:09:41.739 SGP: ISAKMP: (1003):PKI->IKE Got subject name attribute state (R) MM_KEY_EXCH (peer 10.10.10.12)
001758: *Dec 6 12:09:41.740 SGP: ISAKMP: (1003):SA is doing
001759: *Dec 6 12:09:41.740 SGP: ISAKMP: (1003):RSA signature authentication using id type ID_DER_ASN1_DN
001760: *Dec 6 12:09:41.740 SGP: ISAKMP: (1003):ID payload next-payload : 6 type : 9
001761: *Dec 6 12:09:41.740 SGP: ISAKMP: (1003): Dist. name : cn=Winston-R1
001762: *Dec 6 12:09:41.740 SGP: ISAKMP: (1003): protocol : 17 port : 0 length : 33
001763: *Dec 6 12:09:41.740 SGP: ISAKMP: (1003):Total payload length: 33
001764: *Dec 6 12:09:41.740 SGP: ISAKMP: (1003):IKE->PKI Get CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer 10.10.10.12)
001765: *Dec 6 12:09:41.741 SGP: ISAKMP: (1003):PKI->IKE Got CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer 10.10.10.12)
001766: *Dec 6 12:09:41.742 SGP: ISAKMP: (1003):constructing CERT payload for cn=Winston-R1
001767: *Dec 6 12:09:41.742 SGP: ISAKMP: (0):growing send buffer from 1024 to 3072
001768: *Dec 6 12:09:41.742 SGP: ISAKMP: (1003):using the Winston trustpoint's keypair to sign
001769: *Dec 6 12:09:41.779 SGP: ISAKMP: (1003):Returning Actual lifetime: 28800
001770: *Dec 6 12:09:41.779 SGP: ISAKMP-PAK: (1003):sending packet to 10.10.10.12 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
001771: *Dec 6 12:09:41.779 SGP: ISAKMP: (1003):Sending an IKE IPv4 Packet.
001772: *Dec 6 12:09:41.780 SGP: ISAKMP: (1003):Returning Actual lifetime: 28800
001773: *Dec 6 12:09:41.780 SGP: ISAKMP: (1003):set new node 2352578277 to QM_IDLE
001774: *Dec 6 12:09:41.780 SGP: ISAKMP: (1003):Sending NOTIFY RESPONDER_LIFETIME protocol 1 spi 36310269796173576, message ID = 2352578277
001775: *Dec 6 12:09:41.780 SGP: ISAKMP-PAK: (1003):sending packet to 10.10.10.12 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
001776: *Dec 6 12:09:41.780 SGP: ISAKMP: (1003):Sending an IKE IPv4 Packet.
001777: *Dec 6 12:09:41.780 SGP: ISAKMP: (1003):purging node 2352578277
001778: *Dec 6 12:09:41.780 SGP: ISAKMP: (1003):Sending phase 1 responder lifetime 28800
001779: *Dec 6 12:09:41.780 SGP: ISAKMP: (1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
001780: *Dec 6 12:09:41.780 SGP: ISAKMP: (1003):Old State = IKE_R_MM5 New State = IKE_R_MM5
001781: *Dec 6 12:09:41.781 SGP: ISAKMP: (1003):Input = IKE_MESG_INTERNAL, IKE_FETCH_USER_ATTR
001782: *Dec 6 12:09:41.781 SGP: ISAKMP: (1003):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
001783: *Dec 6 12:09:41.781 SGP: ISAKMP: (1003):IKE_DPD is enabled, initializing timers
001784: *Dec 6 12:09:41.781 SGP: ISAKMP: (1003):IKE->PKI End PKI Session state (R) QM_IDLE (peer 10.10.10.12)
001785: *Dec 6 12:09:41.781 SGP: ISAKMP: (1003):PKI->IKE Ended PKI session state (R) QM_IDLE (peer 10.10.10.12)
001786: *Dec 6 12:09:41.781 SGP: ISAKMP: (1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
001787: *Dec 6 12:09:41.781 SGP: ISAKMP: (1003):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
001788: *Dec 6 12:09:41.823 SGP: ISAKMP-PAK: (1003):received packet from 10.10.10.12 dport 4500 sport 4500 Global (R) QM_IDLE
001789: *Dec 6 12:09:41.823 SGP: ISAKMP: (1003):set new node 672697455 to QM_IDLE
001790: *Dec 6 12:09:41.823 SGP: ISAKMP: (1003):processing HASH payload. message ID = 672697455
001791: *Dec 6 12:09:41.823 SGP: ISAKMP: (1003):processing DELETE payload. message ID = 672697455
001792: *Dec 6 12:09:41.823 SGP: ISAKMP: (1003):peer does not do paranoid keepalives.
001793: *Dec 6 12:09:41.823 SGP: ISAKMP: (1003):deleting SA reason "No reason" state (R) QM_IDLE (peer 10.10.10.12)
001794: *Dec 6 12:09:41.823 SGP: ISAKMP: (1003):deleting node 672697455 error FALSE reason "Informational (in) state 1"
001795: *Dec 6 12:09:41.823 SGP: IPSec: Key engine got a KEY_MGR_CHECK_MORE_SAS message
001796: *Dec 6 12:09:41.823 SGP: ISAKMP (1003): IPSec has no more SA's with this peer. Won't keepalive phase 1.
001797: *Dec 6 12:09:41.824 SGP: ISAKMP: (1003):set new node 3085128065 to QM_IDLE
001798: *Dec 6 12:09:41.824 SGP: ISAKMP-PAK: (1003):sending packet to 10.10.10.12 my_port 4500 peer_port 4500 (R) QM_IDLE
001799: *Dec 6 12:09:41.824 SGP: ISAKMP: (1003):Sending an IKE IPv4 Packet.
001800: *Dec 6 12:09:41.824 SGP: ISAKMP: (1003):purging node 3085128065
001801: *Dec 6 12:09:41.824 SGP: ISAKMP: (1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
001802: *Dec 6 12:09:41.824 SGP: ISAKMP: (1003):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
001803: *Dec 6 12:09:41.824 SGP: ISAKMP: (1003):deleting SA reason "No reason" state (R) QM_IDLE (peer 10.10.10.12)
001804: *Dec 6 12:09:41.824 SGP: ISAKMP: (0):Unlocking peer struct 0x80FFFF82077100 for isadb_mark_sa_deleted(), count 0
001805: *Dec 6 12:09:41.824 SGP: ISAKMP: (0):Deleting peer node by peer_reap for 10.10.10.12: 80FFFF82077100
001806: *Dec 6 12:09:41.825 SGP: ISAKMP: (1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
001807: *Dec 6 12:09:41.825 SGP: ISAKMP: (1003):Old State = IKE_DEST_SA New State = IKE_DEST_SA
001808: *Dec 6 12:09:49.740 SGP: ISAKMP-PAK: (0):received packet from 10.10.10.12 dport 500 sport 500 Global (N) NEW SA
001809: *Dec 6 12:09:49.740 SGP: ISAKMP: (0):Created a peer struct for 10.10.10.12, peer port 500
001810: *Dec 6 12:09:49.740 SGP: ISAKMP: (0):New peer created peer = 0x80FFFF82328CA0 peer_handle = 0x80000040000014
001811: *Dec 6 12:09:49.740 SGP: ISAKMP: (0):Locking peer struct 0x80FFFF82328CA0, refcount 1 for crypto_isakmp_process_block
001812: *Dec 6 12:09:49.740 SGP: ISAKMP: (0):local port 500, remote port 500
001813: *Dec 6 12:09:49.740 SGP: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 80FFFF72B126A8
001814: *Dec 6 12:09:49.740 SGP: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
001815: *Dec 6 12:09:49.740 SGP: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1
001816: *Dec 6 12:09:49.740 SGP: ISAKMP: (0):processing SA payload. message ID = 0
001817: *Dec 6 12:09:49.741 SGP: ISAKMP: (0):processing vendor id payload
001818: *Dec 6 12:09:49.741 SGP: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
001819: *Dec 6 12:09:49.741 SGP: ISAKMP: (0):vendor ID is NAT-T v2
001820: *Dec 6 12:09:49.741 SGP: ISAKMP: (0):processing vendor id payload
001821: *Dec 6 12:09:49.741 SGP: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
001822: *Dec 6 12:09:49.741 SGP: ISAKMP: (0):vendor ID is NAT-T v3
001823: *Dec 6 12:09:49.741 SGP: ISAKMP: (0):processing vendor id payload
001824: *Dec 6 12:09:49.741 SGP: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
001825: *Dec 6 12:09:49.741 SGP: ISAKMP: (0):vendor ID is NAT-T RFC 3947
001826: *Dec 6 12:09:49.741 SGP: ISAKMP: (0):processing vendor id payload
001827: *Dec 6 12:09:49.741 SGP: ISAKMP: (0):processing IKE frag vendor id payload
001828: *Dec 6 12:09:49.741 SGP: ISAKMP: (0):Support for IKE Fragmentation not enabled
001829: *Dec 6 12:09:49.741 SGP: ISAKMP: (0):Scanning profiles for xauth ...
001830: *Dec 6 12:09:49.741 SGP: ISAKMP: (0):IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer 10.10.10.12)
001831: *Dec 6 12:09:49.741 SGP: ISAKMP: (0):PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer 10.10.10.12)
001832: *Dec 6 12:09:49.741 SGP: ISAKMP: (0):Checking ISAKMP transform 1 against priority 1 policy
001833: *Dec 6 12:09:49.741 SGP: ISAKMP: (0): default group 5
001834: *Dec 6 12:09:49.741 SGP: ISAKMP: (0): encryption AES-CBC
001835: *Dec 6 12:09:49.741 SGP: ISAKMP: (0): keylength of 256
001836: *Dec 6 12:09:49.741 SGP: ISAKMP: (0): hash SHA
001837: *Dec 6 12:09:49.741 SGP: ISAKMP: (0): auth RSA sig
001838: *Dec 6 12:09:49.741 SGP: ISAKMP: (0): life type in seconds
001839: *Dec 6 12:09:49.741 SGP: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
001840: *Dec 6 12:09:49.741 SGP: ISAKMP: (0):atts are acceptable. Next payload is 0
001841: *Dec 6 12:09:49.741 SGP: ISAKMP: (0):Acceptable atts:actual life: 28800
001842: *Dec 6 12:09:49.741 SGP: ISAKMP: (0):Acceptable atts:life: 0
001843: *Dec 6 12:09:49.741 SGP: ISAKMP: (0):Fill atts in sa vpi_length:4
001844: *Dec 6 12:09:49.741 SGP: ISAKMP: (0):Fill atts in sa life_in_seconds:86400
001845: *Dec 6 12:09:49.741 SGP: ISAKMP: (0):IKE->PKI Start PKI Session state (R) MM_NO_STATE (peer 10.10.10.12)
001846: *Dec 6 12:09:49.741 SGP: ISAKMP: (0):PKI->IKE Started PKI Session state (R) MM_NO_STATE (peer 10.10.10.12)
001847: *Dec 6 12:09:49.742 SGP: ISAKMP: (0):Returning Actual lifetime: 28800
001848: *Dec 6 12:09:49.742 SGP: ISAKMP: (0):Started lifetime timer: 28800.
001849: *Dec 6 12:09:49.762 SGP: ISAKMP: (0):processing vendor id payload
001850: *Dec 6 12:09:49.762 SGP: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
001851: *Dec 6 12:09:49.762 SGP: ISAKMP: (0):vendor ID is NAT-T v2
001852: *Dec 6 12:09:49.762 SGP: ISAKMP: (0):processing vendor id payload
001853: *Dec 6 12:09:49.762 SGP: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
001854: *Dec 6 12:09:49.762 SGP: ISAKMP: (0):vendor ID is NAT-T v3
001855: *Dec 6 12:09:49.762 SGP: ISAKMP: (0):processing vendor id payload
001856: *Dec 6 12:09:49.762 SGP: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
001857: *Dec 6 12:09:49.762 SGP: ISAKMP: (0):vendor ID is NAT-T RFC 3947
001858: *Dec 6 12:09:49.762 SGP: ISAKMP: (0):processing vendor id payload
001859: *Dec 6 12:09:49.762 SGP: ISAKMP: (0):processing IKE frag vendor id payload
001860: *Dec 6 12:09:49.762 SGP: ISAKMP: (0):Support for IKE Fragmentation not enabled
001861: *Dec 6 12:09:49.762 SGP: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
001862: *Dec 6 12:09:49.762 SGP: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1
001863: *Dec 6 12:09:49.762 SGP: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
001864: *Dec 6 12:09:49.762 SGP: ISAKMP-PAK: (0):sending packet to 10.10.10.12 my_port 500 peer_port 500 (R) MM_SA_SETUP
001865: *Dec 6 12:09:49.762 SGP: ISAKMP: (0):Sending an IKE IPv4 Packet.
001866: *Dec 6 12:09:49.763 SGP: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
001867: *Dec 6 12:09:49.763 SGP: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2
001868: *Dec 6 12:09:49.790 SGP: ISAKMP-PAK: (0):received packet from 10.10.10.12 dport 500 sport 500 Global (R) MM_SA_SETUP
001869: *Dec 6 12:09:49.790 SGP: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
001870: *Dec 6 12:09:49.790 SGP: ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3
001871: *Dec 6 12:09:49.790 SGP: ISAKMP: (0):processing KE payload. message ID = 0
001872: *Dec 6 12:09:49.801 SGP: ISAKMP: (0):processing NONCE payload. message ID = 0
001873: *Dec 6 12:09:49.801 SGP: ISAKMP: (1004):processing vendor id payload
001874: *Dec 6 12:09:49.801 SGP: ISAKMP: (1004):vendor ID is Unity
001875: *Dec 6 12:09:49.801 SGP: ISAKMP: (1004):processing vendor id payload
001876: *Dec 6 12:09:49.801 SGP: ISAKMP: (1004):vendor ID seems Unity/DPD but major 236 mismatch
001877: *Dec 6 12:09:49.801 SGP: ISAKMP: (1004):vendor ID is XAUTH
001878: *Dec 6 12:09:49.801 SGP: ISAKMP: (1004):processing vendor id payload
001879: *Dec 6 12:09:49.802 SGP: ISAKMP: (1004):speaking to another IOS box!
001880: *Dec 6 12:09:49.802 SGP: ISAKMP: (1004):processing vendor id payload
001881: *Dec 6 12:09:49.802 SGP: ISAKMP: (1004):vendor ID seems Unity/DPD but hash mismatch
001882: *Dec 6 12:09:49.802 SGP: ISAKMP: (1004):received payload type 20
001883: *Dec 6 12:09:49.802 SGP: ISAKMP: (1004):His hash no match - this node outside NAT
001884: *Dec 6 12:09:49.802 SGP: ISAKMP: (1004):received payload type 20
001885: *Dec 6 12:09:49.802 SGP: ISAKMP: (1004):His hash no match - this node outside NAT
001886: *Dec 6 12:09:49.802 SGP: ISAKMP: (1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
001887: *Dec 6 12:09:49.802 SGP: ISAKMP: (1004):Old State = IKE_R_MM3 New State = IKE_R_MM3
001888: *Dec 6 12:09:49.802 SGP: ISAKMP: (1004):IKE->PKI Get configured TrustPoints state (R) MM_KEY_EXCH (peer 10.10.10.12)
001889: *Dec 6 12:09:49.802 SGP: ISAKMP: (1004):PKI->IKE Got configured TrustPoints state (R) MM_KEY_EXCH (peer 10.10.10.12)
001890: *Dec 6 12:09:49.802 SGP: ISAKMP: (1004):IKE->PKI Get IssuerNames state (R) MM_KEY_EXCH (peer 10.10.10.12)
001891: *Dec 6 12:09:49.802 SGP: ISAKMP: (1004):PKI->IKE Got IssuerNames state (R) MM_KEY_EXCH (peer 10.10.10.12)
001892: *Dec 6 12:09:49.803 SGP: ISAKMP: (1004):constructing CERT_REQ for issuer cn=Winston-Root
001893: *Dec 6 12:09:49.803 SGP: ISAKMP: (1004):constructing CERT_REQ for issuer cn=Cisco Licensing Root CA,o=Cisco
001894: *Dec 6 12:09:49.803 SGP: ISAKMP-PAK: (1004):sending packet to 10.10.10.12 my_port 500 peer_port 500 (R) MM_KEY_EXCH
001895: *Dec 6 12:09:49.803 SGP: ISAKMP: (1004):Sending an IKE IPv4 Packet.
001896: *Dec 6 12:09:49.803 SGP: ISAKMP: (1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
001897: *Dec 6 12:09:49.803 SGP: ISAKMP: (1004):Old State = IKE_R_MM3 New State = IKE_R_MM4
001898: *Dec 6 12:09:49.835 SGP: ISAKMP-PAK: (1004):received packet from 10.10.10.12 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
001899: *Dec 6 12:09:49.835 SGP: ISAKMP: (1004):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
001900: *Dec 6 12:09:49.835 SGP: ISAKMP: (1004):Old State = IKE_R_MM4 New State = IKE_R_MM5
001901: *Dec 6 12:09:49.835 SGP: ISAKMP: (1004):processing ID payload. message ID = 0
001902: *Dec 6 12:09:49.835 SGP: ISAKMP: (1004):ID payload next-payload : 6 type : 9
001903: *Dec 6 12:09:49.835 SGP: ISAKMP: (1004): Dist. name : cn=Root-CA
001904: *Dec 6 12:09:49.835 SGP: ISAKMP: (1004): protocol : 0 port : 0 length : 42