Configuration:
---------------
crypto ikev2 keyring IKE-Key
 peer 22.22.22.22
  address 22.22.22.22
  pre-shared-key Password_123
 !
!
crypto ikev2 profile IKev2-Profile
 match fvrf frontdoor
 match address local 1.1.1.1
 match identity remote address 22.22.22.22 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKE-Key
 lifetime 900
 ivrf VRF-X
!
crypto ipsec transform-set AES256-SHA256-IPsec-prop esp-aes 256 esp-sha256-hmac
 mode tunnel
!
ip access-list extended VPN-ACL-Cust_X
 permit ip host 10.10.10.1 192.168.1.0 0.0.0.255
 permit ip 10.10.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.2.0 0.0.0.255 192.168.1.0 255.255.255.0
!
crypto map VPN 100 ipsec-isakmp
 set peer 22.22.22.22
 set transform-set AES256-SHA256-IPsec-prop
 set ikev2-profile IKev2-Profile
 match address VPN-ACL-Cust_X
 reverse-route remote-peer Out_Side_IP static
!
ip route vrf VRF-X Out_Side_IP 255.255.255.255 GigabitEthernet0/1 Out_Side_IP
--------------------------------------------------------------------------------
VPN-Router#
VPN-Router#
VPN-Router#sh crypto ikev2 sa remote 22.22.22.22 detailed

Tunnel-id Local                 Remote                fvrf/ivrf            Status
15        1.1.1.1/500           22.22.22.22/500       frontdoor/none       IN-NEG
      Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0
      Life/Active Time: 900/0 sec
      CE id: 0, Session-id: 0
      Status Description: Initial State
      Local spi: 191915DBC7E7698B       Remote spi: 0000000000000000
      Local id: 1.1.1.1
      Remote id:
      Local req msg id:  0              Remote req msg id:  0
      Local next msg id: 0              Remote next msg id: 0
      Local req queued:  0              Remote req queued:  0
      Local window:      5              Remote window:      1
      DPD configured for 0 seconds, retry 0
      Fragmentation not configured.
      Dynamic Route Update: disabled
      Extended Authentication not configured.
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes
NAT-T is not detected Cisco Trust Security SGT is disabled Initiator of SA : Yes Tunnel-id Local Remote fvrf/ivrf Status 68 1.1.1.1/500 22.22.22.22/500 frontdoor/none IN-NEG Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0 Life/Active Time: 900/0 sec CE id: 0, Session-id: 0 Status Description: Initial State Local spi: 1806D108DB447017 Remote spi: 0000000000000000 Local id: 1.1.1.1 Remote id: Local req msg id: 0 Remote req msg id: 0 Local next msg id: 0 Remote next msg id: 0 Local req queued: 0 Remote req queued: 0 Local window: 5 Remote window: 1 DPD configured for 0 seconds, retry 0 Fragmentation not configured. Dynamic Route Update: disabled Extended Authentication not configured. NAT-T is not detected Cisco Trust Security SGT is disabled Initiator of SA : Yes Tunnel-id Local Remote fvrf/ivrf Status 64 1.1.1.1/500 22.22.22.22/500 frontdoor/none IN-NEG Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0 Life/Active Time: 900/0 sec CE id: 0, Session-id: 0 Status Description: Initial State Local spi: 984271C9F32190A5 Remote spi: 0000000000000000 Local id: 1.1.1.1 Remote id: Local req msg id: 0 Remote req msg id: 0 Local next msg id: 0 Remote next msg id: 0 Local req queued: 0 Remote req queued: 0 Local window: 5 Remote window: 1 DPD configured for 0 seconds, retry 0 Fragmentation not configured. Dynamic Route Update: disabled Extended Authentication not configured. 
NAT-T is not detected Cisco Trust Security SGT is disabled Initiator of SA : Yes Tunnel-id Local Remote fvrf/ivrf Status 6 1.1.1.1/500 22.22.22.22/500 frontdoor/none IN-NEG Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0 Life/Active Time: 900/0 sec CE id: 0, Session-id: 0 Status Description: Initial State Local spi: 595CD3F13ED0724F Remote spi: 0000000000000000 Local id: 1.1.1.1 Remote id: Local req msg id: 0 Remote req msg id: 0 Local next msg id: 0 Remote next msg id: 0 Local req queued: 0 Remote req queued: 0 Local window: 5 Remote window: 1 DPD configured for 0 seconds, retry 0 Fragmentation not configured. Dynamic Route Update: disabled Extended Authentication not configured. NAT-T is not detected Cisco Trust Security SGT is disabled Initiator of SA : Yes Tunnel-id Local Remote fvrf/ivrf Status 58 1.1.1.1/500 22.22.22.22/500 frontdoor/none IN-NEG Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0 Life/Active Time: 900/0 sec CE id: 0, Session-id: 0 Status Description: Initial State Local spi: 42F10DFD10C49B8F Remote spi: 0000000000000000 Local id: 1.1.1.1 Remote id: Local req msg id: 0 Remote req msg id: 0 Local next msg id: 0 Remote next msg id: 0 Local req queued: 0 Remote req queued: 0 Local window: 5 Remote window: 1 DPD configured for 0 seconds, retry 0 Fragmentation not configured. Dynamic Route Update: disabled Extended Authentication not configured. 
NAT-T is not detected Cisco Trust Security SGT is disabled Initiator of SA : Yes Tunnel-id Local Remote fvrf/ivrf Status 7 1.1.1.1/500 22.22.22.22/500 frontdoor/none IN-NEG Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0 Life/Active Time: 900/0 sec CE id: 0, Session-id: 0 Status Description: Initial State Local spi: 261AC88870C39337 Remote spi: 0000000000000000 Local id: 1.1.1.1 Remote id: Local req msg id: 0 Remote req msg id: 0 Local next msg id: 0 Remote next msg id: 0 Local req queued: 0 Remote req queued: 0 Local window: 5 Remote window: 1 DPD configured for 0 seconds, retry 0 Fragmentation not configured. Dynamic Route Update: disabled Extended Authentication not configured. NAT-T is not detected Cisco Trust Security SGT is disabled Initiator of SA : Yes Tunnel-id Local Remote fvrf/ivrf Status 52 1.1.1.1/500 22.22.22.22/500 frontdoor/none IN-NEG Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0 Life/Active Time: 900/0 sec CE id: 0, Session-id: 0 Status Description: Initial State Local spi: 8606AC1805194C0D Remote spi: 0000000000000000 Local id: 1.1.1.1 Remote id: Local req msg id: 0 Remote req msg id: 0 Local next msg id: 0 Remote next msg id: 0 Local req queued: 0 Remote req queued: 0 Local window: 5 Remote window: 1 DPD configured for 0 seconds, retry 0 Fragmentation not configured. Dynamic Route Update: disabled Extended Authentication not configured. 
NAT-T is not detected Cisco Trust Security SGT is disabled Initiator of SA : Yes Tunnel-id Local Remote fvrf/ivrf Status 56 1.1.1.1/500 22.22.22.22/500 frontdoor/none IN-NEG Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0 Life/Active Time: 900/0 sec CE id: 0, Session-id: 0 Status Description: Initial State Local spi: 575783535EC053C7 Remote spi: 0000000000000000 Local id: 1.1.1.1 Remote id: Local req msg id: 0 Remote req msg id: 0 Local next msg id: 0 Remote next msg id: 0 Local req queued: 0 Remote req queued: 0 Local window: 5 Remote window: 1 DPD configured for 0 seconds, retry 0 Fragmentation not configured. Dynamic Route Update: disabled Extended Authentication not configured. NAT-T is not detected Cisco Trust Security SGT is disabled Initiator of SA : Yes Tunnel-id Local Remote fvrf/ivrf Status 69 1.1.1.1/500 22.22.22.22/500 frontdoor/none IN-NEG Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0 Life/Active Time: 900/0 sec CE id: 0, Session-id: 0 Status Description: Initial State Local spi: 41137901781155F1 Remote spi: 0000000000000000 Local id: 1.1.1.1 Remote id: Local req msg id: 0 Remote req msg id: 0 Local next msg id: 0 Remote next msg id: 0 Local req queued: 0 Remote req queued: 0 Local window: 5 Remote window: 1 DPD configured for 0 seconds, retry 0 Fragmentation not configured. Dynamic Route Update: disabled Extended Authentication not configured. 
NAT-T is not detected Cisco Trust Security SGT is disabled Initiator of SA : Yes Tunnel-id Local Remote fvrf/ivrf Status 70 1.1.1.1/500 22.22.22.22/500 frontdoor/none IN-NEG Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0 Life/Active Time: 900/0 sec CE id: 0, Session-id: 0 Status Description: Initial State Local spi: 42AB793CCC181255 Remote spi: 0000000000000000 Local id: 1.1.1.1 Remote id: Local req msg id: 0 Remote req msg id: 0 Local next msg id: 0 Remote next msg id: 0 Local req queued: 0 Remote req queued: 0 Local window: 5 Remote window: 1 DPD configured for 0 seconds, retry 0 Fragmentation not configured. Dynamic Route Update: disabled Extended Authentication not configured. NAT-T is not detected Cisco Trust Security SGT is disabled Initiator of SA : Yes Tunnel-id Local Remote fvrf/ivrf Status 51 1.1.1.1/500 22.22.22.22/500 frontdoor/none IN-NEG Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0 Life/Active Time: 900/0 sec CE id: 0, Session-id: 0 Status Description: Initial State Local spi: 238B04D45166144E Remote spi: 0000000000000000 Local id: 1.1.1.1 Remote id: Local req msg id: 0 Remote req msg id: 0 Local next msg id: 0 Remote next msg id: 0 Local req queued: 0 Remote req queued: 0 Local window: 5 Remote window: 1 DPD configured for 0 seconds, retry 0 Fragmentation not configured. Dynamic Route Update: disabled Extended Authentication not configured. 
NAT-T is not detected Cisco Trust Security SGT is disabled Initiator of SA : Yes Tunnel-id Local Remote fvrf/ivrf Status 38 1.1.1.1/500 22.22.22.22/500 frontdoor/none IN-NEG Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0 Life/Active Time: 900/0 sec CE id: 0, Session-id: 0 Status Description: Initial State Local spi: AF07907BD8E517D0 Remote spi: 0000000000000000 Local id: 1.1.1.1 Remote id: Local req msg id: 0 Remote req msg id: 0 Local next msg id: 0 Remote next msg id: 0 Local req queued: 0 Remote req queued: 0 Local window: 5 Remote window: 1 DPD configured for 0 seconds, retry 0 Fragmentation not configured. Dynamic Route Update: disabled Extended Authentication not configured. NAT-T is not detected Cisco Trust Security SGT is disabled Initiator of SA : Yes Tunnel-id Local Remote fvrf/ivrf Status 76 1.1.1.1/500 22.22.22.22/500 frontdoor/none IN-NEG Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0 Life/Active Time: 900/0 sec CE id: 0, Session-id: 0 Status Description: Initial State Local spi: 46637BB623A3B8AC Remote spi: 0000000000000000 Local id: 1.1.1.1 Remote id: Local req msg id: 0 Remote req msg id: 0 Local next msg id: 0 Remote next msg id: 0 Local req queued: 0 Remote req queued: 0 Local window: 5 Remote window: 1 DPD configured for 0 seconds, retry 0 Fragmentation not configured. Dynamic Route Update: disabled Extended Authentication not configured. 
NAT-T is not detected Cisco Trust Security SGT is disabled Initiator of SA : Yes Tunnel-id Local Remote fvrf/ivrf Status 73 1.1.1.1/500 22.22.22.22/500 frontdoor/none IN-NEG Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0 Life/Active Time: 900/0 sec CE id: 0, Session-id: 0 Status Description: Initial State Local spi: 68A07457C1C2D8CB Remote spi: 0000000000000000 Local id: 1.1.1.1 Remote id: Local req msg id: 0 Remote req msg id: 0 Local next msg id: 0 Remote next msg id: 0 Local req queued: 0 Remote req queued: 0 Local window: 5 Remote window: 1 DPD configured for 0 seconds, retry 0 Fragmentation not configured. Dynamic Route Update: disabled Extended Authentication not configured. NAT-T is not detected Cisco Trust Security SGT is disabled Initiator of SA : Yes Tunnel-id Local Remote fvrf/ivrf Status 82 1.1.1.1/500 22.22.22.22/500 frontdoor/none IN-NEG Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0 Life/Active Time: 900/0 sec CE id: 0, Session-id: 0 Status Description: Initial State Local spi: 23A646EE4F0D7D2F Remote spi: 0000000000000000 Local id: 1.1.1.1 Remote id: Local req msg id: 0 Remote req msg id: 0 Local next msg id: 0 Remote next msg id: 0 Local req queued: 0 Remote req queued: 0 Local window: 5 Remote window: 1 DPD configured for 0 seconds, retry 0 Fragmentation not configured. Dynamic Route Update: disabled Extended Authentication not configured. 
NAT-T is not detected Cisco Trust Security SGT is disabled Initiator of SA : Yes Tunnel-id Local Remote fvrf/ivrf Status 77 1.1.1.1/500 22.22.22.22/500 frontdoor/none IN-NEG Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0 Life/Active Time: 900/0 sec CE id: 0, Session-id: 0 Status Description: Initial State Local spi: E66147083EB5A195 Remote spi: 0000000000000000 Local id: 1.1.1.1 Remote id: Local req msg id: 0 Remote req msg id: 0 Local next msg id: 0 Remote next msg id: 0 Local req queued: 0 Remote req queued: 0 Local window: 5 Remote window: 1 DPD configured for 0 seconds, retry 0 Fragmentation not configured. Dynamic Route Update: disabled Extended Authentication not configured. NAT-T is not detected Cisco Trust Security SGT is disabled Initiator of SA : Yes Tunnel-id Local Remote fvrf/ivrf Status 63 1.1.1.1/500 22.22.22.22/500 frontdoor/none IN-NEG Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0 Life/Active Time: 900/0 sec CE id: 0, Session-id: 0 Status Description: Initial State Local spi: 2F3C3421BF8C242E Remote spi: 0000000000000000 Local id: 1.1.1.1 Remote id: Local req msg id: 0 Remote req msg id: 0 Local next msg id: 0 Remote next msg id: 0 Local req queued: 0 Remote req queued: 0 Local window: 5 Remote window: 1 DPD configured for 0 seconds, retry 0 Fragmentation not configured. Dynamic Route Update: disabled Extended Authentication not configured. 
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes

Tunnel-id Local                 Remote                fvrf/ivrf            Status
21        1.1.1.1/500           22.22.22.22/500       frontdoor/VRF-X      READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:20, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 900/555 sec
      CE id: 0, Session-id: 34973
      Status Description: Negotiation done
      Local spi: 67ACB7F32BA2A1E9       Remote spi: C5295107C4EC6806
      Local id: 1.1.1.1
      Remote id: 22.22.22.22
      Local req msg id: 4               Remote req msg id: 6
      Local next msg id: 4              Remote next msg id: 6
      Local req queued: 4               Remote req queued: 6
      Local window: 5                   Remote window: 1
      DPD configured for 0 seconds, retry 0
      Fragmentation not configured.
      Dynamic Route Update: disabled
      Extended Authentication not configured.
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes

VPN-Router#
VPN-Router#
VPN-Router#sh crypto session remote 22.22.22.22 detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
S - SIP VPN

Interface: GigabitEthernet0/1
Profile: IKev2-Profile
Uptime: 00:09:32
Session status: UP-ACTIVE
Peer: 22.22.22.22 port 500 fvrf: frontdoor ivrf: VRF-X
      Phase1_id: 22.22.22.22
      Desc: (none)
  Session ID: 278924
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Active
          Capabilities:(none) connid:21 lifetime:00:05:28
  IPSEC FLOW: permit ip host 10.10.10.1 192.168.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4608000/435
        Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4608000/435
  IPSEC FLOW: permit ip 10.10.1.0/255.255.255.0 192.168.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound: #pkts dec'ed 513465 drop 0 life (KB/Sec) 4607838/367
        Outbound: #pkts enc'ed 687393 drop 0 life (KB/Sec) 4607794/367
  IPSEC FLOW: permit ip 10.10.2.0/255.255.255.0 192.168.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4608000/430
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4608000/430

Interface: (unknown)
Uptime: 00:00:00
Session status: DOWN-NEGOTIATING
Peer: 22.22.22.22 port 500 fvrf: frontdoor ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
  Session ID: 130397
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:27 lifetime:0
  Session ID: 130014
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:20 lifetime:0
  Session ID: 134197
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:3 lifetime:0
  Session ID: 218280
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:68 lifetime:0
  Session ID: 129815
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:15 lifetime:0
  Session ID: 170104
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:13 lifetime:0
  Session ID: 138095
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:35 lifetime:0
  Session ID: 213712
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:65 lifetime:0
  Session ID: 182200
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:54 lifetime:0
  Session ID: 143205
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:42 lifetime:0
  Session ID: 132405
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:5 lifetime:0
  Session ID: 246335
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:51 lifetime:0
  Session ID: 263849
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:82 lifetime:0
  Session ID: 225981
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:7 lifetime:0
  Session ID: 135197
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:30 lifetime:0
  Session ID: 194386
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:44 lifetime:0
  Session ID: 190813
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:26 lifetime:0
  Session ID: 274827
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:63 lifetime:0
  Session ID: 133294
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:32 lifetime:0
  Session ID: 185283
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:61 lifetime:0
  Session ID: 206045
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:62 lifetime:0
  Session ID: 239486
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:69 lifetime:0
  Session ID: 245354
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:70 lifetime:0
  Session ID: 221497
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:58 lifetime:0
  Session ID: 256646
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:76 lifetime:0
  Session ID: 132052
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:4 lifetime:0
  Session ID: 132692
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:28 lifetime:0
  Session ID: 234867
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:56 lifetime:0
  Session ID: 221097
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:6 lifetime:0
  Session ID: 165485
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:48 lifetime:0
  Session ID: 176640
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:53 lifetime:0
  Session ID: 156800
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:49 lifetime:0
  Session ID: 147206
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:36 lifetime:0
  Session ID: 166553
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:25 lifetime:0
  Session ID: 257020
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:73 lifetime:0
  Session ID: 184297
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:46 lifetime:0
  Session ID: 137317
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:2 lifetime:0
  Session ID: 133294
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:22 lifetime:0
  Session ID: 232299
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:52 lifetime:0
  Session ID: 176527
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:18 lifetime:0
  Session ID: 135735
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:37 lifetime:0
  Session ID: 136011
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:29 lifetime:0
  Session ID: 155347
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:8 lifetime:0
  Session ID: 153179
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:31 lifetime:0
  Session ID: 219145
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:64 lifetime:0
  Session ID: 134886
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:19 lifetime:0
  Session ID: 133542
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:33 lifetime:0
  Session ID: 153342
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:24 lifetime:0
  Session ID: 137588
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:40 lifetime:0
  Session ID: 172248
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:9 lifetime:0
  Session ID: 251627
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:38 lifetime:0
  Session ID: 203185
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:60 lifetime:0
  Session ID: 156583
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:34 lifetime:0
  Session ID: 181674
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:23 lifetime:0
  Session ID: 135329
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:39 lifetime:0
  Session ID: 164488
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:16 lifetime:0
  Session ID: 138550
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:17 lifetime:0
  Session ID: 131720
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:10 lifetime:0
  Session ID: 213899
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:66 lifetime:0
  Session ID: 272159
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:77 lifetime:0
  Session ID: 191255
  IKEv2 SA: local 1.1.1.1/500 remote 22.22.22.22/500 Inactive
          Capabilities:(none) connid:11 lifetime:0

VPN-Router#
VPN-Router#
VPN-Router#sh crypto ipsec sa peer 22.22.22.22 detail

interface: GigabitEthernet0/1
    Crypto map tag: vpn, local addr 1.1.1.1

   protected vrf: VRF-X
   local ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 22.22.22.22 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 22.22.22.22
     plaintext mtu 9150, path mtu 9216, ip mtu 9216, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x4C4532EF(1279603439)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x9A039074(2583924852)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 3961, flow_id: HW:1961, sibling_flags FFFFFFFF80000048, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4608000/413)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4C4532EF(1279603439)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 3962, flow_id: HW:1962, sibling_flags FFFFFFFF80000048, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4608000/413)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: VRF-X
   local ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 22.22.22.22 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 687580, #pkts encrypt: 687580, #pkts digest: 687580
    #pkts decaps: 513607, #pkts decrypt: 513607, #pkts verify: 513607
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 22.22.22.22
     plaintext mtu 9150, path mtu 9216, ip mtu 9216, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x4C4532EA(1279603434)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x906CD097(2423050391)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 3942, flow_id: HW:1942, sibling_flags FFFFFFFF80000048, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4607831/345)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4C4532EA(1279603434)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 3941, flow_id: HW:1941, sibling_flags FFFFFFFF80000048, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4607786/345)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: VRF-X
   local ident (addr/mask/prot/port): (10.10.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 22.22.22.22 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 22.22.22.22
     plaintext mtu 9150, path mtu 9216, ip mtu 9216, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x4C4532EE(1279603438)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xE7AD56A9(3886896809)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 3959, flow_id: HW:1959, sibling_flags FFFFFFFF80000048, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4608000/408)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4C4532EE(1279603438)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 3960, flow_id: HW:1960, sibling_flags FFFFFFFF80000048, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4608000/408)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

VPN-Router#
VPN-Router#
VPN-Router#sh crypto ikev2 session detailed | b 22.22.22.22
21        1.1.1.1/500           22.22.22.22/500       frontdoor/VRF-X      READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:20, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 900/613 sec
      CE id: 0, Session-id: 34973
      Status Description: Negotiation done
      Local spi: 67ACB7F32BA2A1E9       Remote spi: C5295107C4EC6806
      Local id: 1.1.1.1
      Remote id: 22.22.22.22
      Local req msg id: 4               Remote req msg id: 6
      Local next msg id: 4              Remote next msg id: 6
      Local req queued: 4               Remote req queued: 6
      Local window: 5                   Remote window: 1
      DPD configured for 0 seconds, retry 0
      Fragmentation not configured.
      Dynamic Route Update: disabled
      Extended Authentication not configured.
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes
Child sa: local selector 10.10.10.1/0 - 10.10.10.1/65535
          remote selector 192.168.1.0/0 - 192.168.1.255/65535
          ESP spi in/out: 0x9A039074/0x4C4532EF
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 10.10.2.0/0 - 10.10.2.255/65535
          remote selector 192.168.1.0/0 - 192.168.1.255/65535
          ESP spi in/out: 0xE7AD56A9/0x4C4532EE
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 10.10.1.0/0 - 10.10.1.255/65535
          remote selector 192.168.1.0/0 - 192.168.1.255/65535
          ESP spi in/out: 0x906CD097/0x4C4532EA
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel

VPN-Router#
VPN-Router#
VPN-Router#sh debugging
IOSXE Conditional Debug Configs:

Conditional Debug Global State: Stop

IOSXE Packet Tracing Configs:

Packet Infra debugs:

Ip Address                                               Port
------------------------------------------------------|----------

VPN-Router#
VPN-Router#
VPN-Router#debug crypto condition peer ipv4 22.22.22.22
VPN-Router#
VPN-Router#debug crypto ikev2
IKEv2 default debugging is on
VPN-Router#
VPN-Router#debug crypto ikev2 packet
IKEv2 packet debugging is on
VPN-Router#
VPN-Router#debug crypto ikev2 error
IKEv2 error debugging is on
VPN-Router#
VPN-Router#debug crypto ipsec
Crypto IPSEC debugging is on
VPN-Router#
VPN-Router#debug crypto ipsec error
Crypto IPSEC Error debugging is on
VPN-Router#
VPN-Router#debug crypto ipsec message
Crypto IPSEC message debugging is on
VPN-Router#
VPN-Router#debug crypto ipsec states
Crypto IPSEC states debugging is on
VPN-Router#
VPN-Router#
VPN-Router#sh debugging
IOSXE Conditional Debug Configs:

Conditional Debug Global State: Stop

Conditions                                                                                     Direction
----------------------------------------------------------------------------------------------|---------

Feature                 Condition Type           Value
-----------------------|------------------------|--------------------------------------------------------
IPSEC                   Peer IP                  22.22.22.22

IOSXE Packet Tracing Configs:

Packet Infra debugs:

Ip Address                                               Port
------------------------------------------------------|----------

Cryptographic Subsystem:
  Crypto IPSEC debugging is on
  Crypto IPSEC Error debugging is on
  Crypto IPSEC states debugging is on
  Crypto IPSEC message debugging is on

IKEV2:
  IKEv2 error debugging is on
  IKEv2 default debugging is on
  IKEv2 packet debugging is on

VPN-Router#
VPN-Router#
VPN-Router#
VPN-Router#sh log
Jan 24 19:33:34.312 CET: IPSEC:(SESSION ID = 274578) (STATES) SADB_ROOT_SM (sadb_root_process_kmi_message) called static seqno 95 dynamic seqno 0
Jan 24 19:33:37.288 CET: IPSEC:(SESSION ID = 231766) (STATES) ident_set_flow_installed_action Sending crypto_ss_connection_open
Jan 24 19:33:37.311 CET: IPSEC: still in use sa: 0x0
Jan 24 19:33:37.311 CET: IPSEC: sa null
Jan 24 19:33:37.311 CET: IPSEC: still in use sa: 0x7FAE982D1C40
Jan 24 19:33:37.312 CET: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Jan 24 19:33:39.329 CET: IPSEC: still in use sa: 0x7FAE99A687D8
Jan 24 19:33:39.342 CET: IPSEC:(SESSION ID = 274578) (STATES) ident_set_flow_installed_action Sending crypto_ss_connection_open
Jan 24 19:33:48.062 CET: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Jan 24 19:33:57.598 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):Checking if we need to rekey the IKE SA
Jan 24 19:33:57.598 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):Initiating a rekey
Jan 24 19:33:57.599 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):Beginning IKE Rekey as Initiator
Jan 24 19:33:57.599 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 20
Jan 24 19:33:57.599 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):Request queued for computation of DH key
Jan 24 19:33:57.599 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):Generating CREATE_CHILD_SA exchange
Jan 24 19:33:57.599 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):IKE Proposal: 1, SPI size: 8 (rekey), Num. transforms: 10
   AES-CBC SHA512 SHA256 SHA512 SHA256 DH_GROUP_2048_256_MODP/Group 24 DH_GROUP_384_ECP/Group 20 DH_GROUP_4096_MODP/Group 16 DH_GROUP_3072_MODP/Group 15 DH_GROUP_2048_MODP/Group 14
Jan 24 19:33:57.599 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):IKE Proposal: 2, SPI size: 8 (rekey), Num. transforms: 4
   AES-CBC SHA1 SHA96 DH_GROUP_1024_MODP/Group 2
Jan 24 19:33:57.599 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):Building packet for encryption.
Payload contents:
 SA Next payload: N, reserved: 0x0, length: 156
  last proposal: 0x2, reserved: 0x0, length: 100
  Proposal: 1, Protocol id: IKE, SPI size: 8, #trans: 10
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA512
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA512
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_2048_256_MODP/Group 24
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_384_ECP/Group 20
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_4096_MODP/Group 16
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_3072_MODP/Group 15
    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
  last proposal: 0x0, reserved: 0x0, length: 52
  Proposal: 2, Protocol id: IKE,
SPI size: 8, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA1 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA96 last transform: 0x0, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2 N Next payload: KE, reserved: 0x0, length: 36 KE Next payload: NOTIFY, reserved: 0x0, length: 104 DH group: 20, Reserved: 0x0 NOTIFY(SET_WINDOW_SIZE) Next payload: NONE, reserved: 0x0, length: 12 Security protocol id: Unknown - 0, spi size: 0, type: SET_WINDOW_SIZE Jan 24 19:33:57.600 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):Checking if request will fit in peer window Jan 24 19:33:57.600 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):Sending Packet [To 22.22.22.22:500/From 1.1.1.1:500/VRF i45:f4] Initiator SPI : 67ACB7F32BA2A1E9 - Responder SPI : C5295107C4EC6806 Message id: 4 IKEv2 CREATE_CHILD_SA Exchange REQUEST Jan 24 19:33:57.600 CET: IKEv2-PAK:(SESSION ID = 278924,SA ID = 21):Next payload: ENCR, version: 2.0 Exchange type: CREATE_CHILD_SA, flags: INITIATOR Message id: 4, length: 400 Payload contents: ENCR Next payload: SA, reserved: 0x0, length: 372 Jan 24 19:33:57.601 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Insert SA Jan 24 19:33:57.612 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):Received Packet [From 22.22.22.22:500/To 1.1.1.1:500/VRF i0:f4] Initiator SPI : 67ACB7F32BA2A1E9 - Responder SPI : C5295107C4EC6806 Message id: 4 IKEv2 CREATE_CHILD_SA Exchange RESPONSE Jan 24 19:33:57.612 CET: IKEv2-PAK:(SESSION ID = 278924,SA ID = 21):Next payload: ENCR, version: 2.0 Exchange type: CREATE_CHILD_SA, flags: RESPONDER MSG-RESPONSE Message id: 4, length: 288 Payload contents: SA Next payload: N, reserved: 0x0, length: 56 last proposal: 0x0, reserved: 0x0, length: 52 Proposal: 1, Protocol id: IKE, SPI size: 8, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last 
transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA512 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA512 last transform: 0x0, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_384_ECP/Group 20 N Next payload: KE, reserved: 0x0, length: 36 KE Next payload: NONE, reserved: 0x0, length: 104 DH group: 20, Reserved: 0x0 Jan 24 19:33:57.612 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):Processing any notify-messages in child SA exchange Jan 24 19:33:57.613 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):Validating create child message Jan 24 19:33:57.613 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):Processing CREATE_CHILD_SA exchange Jan 24 19:33:57.613 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):Checking for PFS configuration Jan 24 19:33:57.613 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):PFS configured, DH group 20 Jan 24 19:33:57.613 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 20 Jan 24 19:33:57.619 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):Request queued for computation of DH secret Jan 24 19:33:57.619 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):Checking if IKE SA rekey Jan 24 19:33:57.620 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Activating new IKE SA Jan 24 19:33:57.620 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Checking for duplicate IKEv2 SA Jan 24 19:33:57.620 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):No duplicate IKEv2 SA found Jan 24 19:33:57.620 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):IKEV2 SA created; inserting SA into database. SA lifetime timer (900 sec) started Jan 24 19:33:57.620 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):Sending DELETE INFO message for IKEv2 SA [ISPI: 0x67ACB7F32BA2A1E9 RSPI: 0xC5295107C4EC6806] Jan 24 19:33:57.620 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):Building packet for encryption. 
Payload contents: DELETE Next payload: NONE, reserved: 0x0, length: 8 Security protocol id: IKE, spi size: 0, num of spi: 0 Jan 24 19:33:57.620 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):Checking if request will fit in peer window Jan 24 19:33:57.620 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):Sending Packet [To 22.22.22.22:500/From 1.1.1.1:500/VRF i45:f4] Initiator SPI : 67ACB7F32BA2A1E9 - Responder SPI : C5295107C4EC6806 Message id: 5 IKEv2 INFORMATIONAL Exchange REQUEST Jan 24 19:33:57.620 CET: IKEv2-PAK:(SESSION ID = 278924,SA ID = 21):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: INITIATOR Message id: 5, length: 96 Payload contents: ENCR Next payload: DELETE, reserved: 0x0, length: 68 Jan 24 19:33:57.621 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):Check for existing active SA Jan 24 19:33:57.631 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):Received Packet [From 22.22.22.22:500/To 1.1.1.1:500/VRF i0:f4] Initiator SPI : 67ACB7F32BA2A1E9 - Responder SPI : C5295107C4EC6806 Message id: 5 IKEv2 INFORMATIONAL Exchange RESPONSE Jan 24 19:33:57.631 CET: IKEv2-PAK:(SESSION ID = 278924,SA ID = 21):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE Message id: 5, length: 96 Payload contents: Jan 24 19:33:57.631 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):Processing ACK to informational exchange Jan 24 19:33:57.631 CET: IKEv2:(SESSION ID = 278924,SA ID = 21):Deleting SA Jan 24 19:34:07.296 CET: IPSEC: still in use sa: 0x0 Jan 24 19:34:07.296 CET: IPSEC: sa null Jan 24 19:34:07.296 CET: IPSEC: still in use sa: 0x7FAE982D24F8 Jan 24 19:34:07.297 CET: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS Jan 24 19:34:28.270 CET: IPSEC:(SESSION ID = 278924) (lifetime_expiry) SA lifetime threshold reached, expiring in 62 seconds Jan 24 19:34:28.270 CET: IPSEC(sa_request): , (key eng. msg.) 
OUTBOUND local= 1.1.1.1:500, remote= 22.22.22.22:500, local_proxy= 10.10.1.0/255.255.255.0/256/0, remote_proxy= 192.168.1.0/255.255.255.0/256/0, protocol= ESP, transform= esp-aes 256 esp-sha256-hmac (Tunnel), lifedur= 900s and 4608000kb, spi= 0x906CD097(2423050391), conn_id= 0, keysize= 256, flags= 0x0 Jan 24 19:34:28.271 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Check for IPSEC rekey Jan 24 19:34:28.271 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Beginning IPSec Rekey as Initiator Jan 24 19:34:28.271 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Set IPSEC DH group Jan 24 19:34:28.271 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Checking for PFS configuration Jan 24 19:34:28.271 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):PFS not configured Jan 24 19:34:28.271 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Generating CREATE_CHILD_SA exchange Jan 24 19:34:28.271 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), Num. transforms: 3 AES-CBC SHA256 Don't use ESN Jan 24 19:34:28.271 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Building packet for encryption. 
Payload contents: NOTIFY(REKEY_SA) Next payload: SA, reserved: 0x0, length: 12 Security protocol id: ESP, spi size: 4, type: REKEY_SA SA Next payload: N, reserved: 0x0, length: 44 last proposal: 0x0, reserved: 0x0, length: 40 Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3 last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA256 last transform: 0x0, reserved: 0x0: length: 8 type: 5, reserved: 0x0, id: Don't use ESN N Next payload: TSi, reserved: 0x0, length: 36 TSi Next payload: TSr, reserved: 0x0, length: 24 Num of TSs: 1, reserved 0x0, reserved 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 start port: 0, end port: 65535 start addr: 10.10.1.0, end addr: 10.10.1.255 TSr Next payload: NONE, reserved: 0x0, length: 24 Num of TSs: 1, reserved 0x0, reserved 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 start port: 0, end port: 65535 start addr: 192.168.1.0, end addr: 192.168.1.255 Jan 24 19:34:28.272 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Checking if request will fit in peer window Jan 24 19:34:28.272 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Sending Packet [To 22.22.22.22:500/From 1.1.1.1:500/VRF i45:f4] Initiator SPI : 6B6688AB50240B59 - Responder SPI : 390AFC9C334B7A1A Message id: 0 IKEv2 CREATE_CHILD_SA Exchange REQUEST Jan 24 19:34:28.272 CET: IKEv2-PAK:(SESSION ID = 278924,SA ID = 79):Next payload: ENCR, version: 2.0 Exchange type: CREATE_CHILD_SA, flags: INITIATOR Message id: 0, length: 224 Payload contents: ENCR Next payload: NOTIFY, reserved: 0x0, length: 196 Jan 24 19:34:28.282 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Received Packet [From 22.22.22.22:500/To 1.1.1.1:500/VRF i0:f4] Initiator SPI : 6B6688AB50240B59 - Responder SPI : 390AFC9C334B7A1A Message id: 0 IKEv2 CREATE_CHILD_SA Exchange RESPONSE Jan 24 19:34:28.283 CET: IKEv2-PAK:(SESSION ID = 278924,SA ID = 79):Next payload: ENCR, version: 2.0 Exchange type: 
CREATE_CHILD_SA, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 224 Payload contents: SA Next payload: N, reserved: 0x0, length: 44 last proposal: 0x0, reserved: 0x0, length: 40 Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3 last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA256 last transform: 0x0, reserved: 0x0: length: 8 type: 5, reserved: 0x0, id: Don't use ESN N Next payload: TSi, reserved: 0x0, length: 36 TSi Next payload: TSr, reserved: 0x0, length: 24 Num of TSs: 1, reserved 0x0, reserved 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 start port: 0, end port: 65535 start addr: 10.10.1.0, end addr: 10.10.1.255 TSr Next payload: NONE, reserved: 0x0, length: 24 Num of TSs: 1, reserved 0x0, reserved 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 start port: 0, end port: 65535 start addr: 192.168.1.0, end addr: 192.168.1.255 Jan 24 19:34:28.283 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Processing any notify-messages in child SA exchange Jan 24 19:34:28.283 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Validating create child message Jan 24 19:34:28.283 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Processing CREATE_CHILD_SA exchange Jan 24 19:34:28.284 CET: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) 
INBOUND local= 1.1.1.1:0, remote= 22.22.22.22:0, local_proxy= 10.10.1.0/255.255.255.0/256/0, remote_proxy= 192.168.1.0/255.255.255.0/256/0, protocol= ESP, transform= esp-aes 256 esp-sha256-hmac (Tunnel), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0 Jan 24 19:34:28.284 CET: (ipsec_process_proposal)Map Accepted: vpn, 63 Jan 24 19:34:28.284 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Checking for PFS configuration Jan 24 19:34:28.284 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):PFS not configured Jan 24 19:34:28.284 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Checking if IKE SA rekey Jan 24 19:34:28.284 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Load IPSEC key material Jan 24 19:34:28.284 CET: IPSEC:(SESSION ID = 278924) (crypto_ipsec_create_ipsec_sas) Map found vpn, 63 Jan 24 19:34:28.284 CET: IPSEC:(SESSION ID = 278924) (STATES) SADB_ROOT_SM (sadb_root_process_kmi_message) called static seqno 63 dynamic seqno 0 Jan 24 19:34:28.285 CET: IPSEC:(SESSION ID = 278924) (create_sa) sa created, (sa) sa_dest= 1.1.1.1, sa_proto= 50, sa_spi= 0xCB436D50(3410193744), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 4124 sa_lifetime(k/sec)= (4608000/900), (identity) local= 1.1.1.1:0, remote= 22.22.22.22:0, local_proxy= 10.10.1.0/255.255.255.0/256/0, remote_proxy= 192.168.1.0/255.255.255.0/256/0 Jan 24 19:34:28.285 CET: IPSEC:(SESSION ID = 278924) (create_sa) sa created, (sa) sa_dest= 22.22.22.22, sa_proto= 50, sa_spi= 0x4C453312(1279603474), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 4123 sa_lifetime(k/sec)= (4608000/900), (identity) local= 1.1.1.1:0, remote= 22.22.22.22:0, local_proxy= 10.10.1.0/255.255.255.0/256/0, remote_proxy= 192.168.1.0/255.255.255.0/256/0 Jan 24 19:34:28.286 CET: IPSEC(MESSAGE): SADB_ROOT_SM (print_message_to_acl_state_machine) Sent MSG_ACL_CREATE_PTOP_SA message to ACL VPN-ACL-Cust_X, static seqno 63 dynamic seqno 0 Jan 24 19:34:28.287 CET: IPSEC:(SESSION ID = 278924) (update_current_outbound_sa) updated peer 
22.22.22.22 current outbound sa to SPI 4C453312 Jan 24 19:34:28.300 CET: IPSEC:(SESSION ID = 278924) (STATES) ident_set_flow_installed_action Sending crypto_ss_connection_open Jan 24 19:34:28.300 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):IKEV2 SA created; inserting SA into database. SA lifetime timer (900 sec) started Jan 24 19:34:28.301 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Sending DELETE INFO message for IPsec SA [SPI: 0x906CD097] Jan 24 19:34:28.301 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Building packet for encryption. Payload contents: DELETE Next payload: NONE, reserved: 0x0, length: 12 Security protocol id: ESP, spi size: 4, num of spi: 1 Jan 24 19:34:28.301 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Checking if request will fit in peer window Jan 24 19:34:28.301 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Sending Packet [To 22.22.22.22:500/From 1.1.1.1:500/VRF i45:f4] Initiator SPI : 6B6688AB50240B59 - Responder SPI : 390AFC9C334B7A1A Message id: 1 IKEv2 INFORMATIONAL Exchange REQUEST Jan 24 19:34:28.301 CET: IKEv2-PAK:(SESSION ID = 278924,SA ID = 79):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: INITIATOR Message id: 1, length: 96 Payload contents: ENCR Next payload: DELETE, reserved: 0x0, length: 68 Jan 24 19:34:28.301 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Check for existing IPSEC SA Jan 24 19:34:28.311 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Received Packet [From 22.22.22.22:500/To 1.1.1.1:500/VRF i0:f4] Initiator SPI : 6B6688AB50240B59 - Responder SPI : 390AFC9C334B7A1A Message id: 1 IKEv2 INFORMATIONAL Exchange RESPONSE Jan 24 19:34:28.311 CET: IKEv2-PAK:(SESSION ID = 278924,SA ID = 79):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 96 Payload contents: DELETE Next payload: NONE, reserved: 0x0, length: 12 Security protocol id: ESP, spi size: 4, num of spi: 1 Jan 24 19:34:28.312 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Processing ACK to 
informational exchange Jan 24 19:34:28.312 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Check for existing IPSEC SA Jan 24 19:34:28.312 CET: IPSEC: still in use sa: 0x0 Jan 24 19:34:28.312 CET: IPSEC: sa null Jan 24 19:34:28.312 CET: IPSEC: still in use sa: 0x7FAE99EE6150 Jan 24 19:34:28.312 CET: IPSEC:(SESSION ID = 278924) (key_engine_delete_sas) delete SA with spi 0x906CD097 proto 50 for 1.1.1.1 Jan 24 19:34:28.313 CET: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS Jan 24 19:34:28.313 CET: IPSEC:(SESSION ID = 278924) (ERROR) ident_get_ike_peer_index_from_peer could not find ikmp handle for peer 0x80007FAE98B6B908 Jan 24 19:34:29.269 CET: IPSEC:(SESSION ID = 278924) (lifetime_expiry) SA lifetime threshold reached, expiring in 87 seconds Jan 24 19:34:29.271 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Checking if request will fit in peer window Jan 24 19:34:29.299 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):IKEV2 SA created; inserting SA into database. SA lifetime timer (900 sec) started Jan 24 19:34:29.300 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Sending DELETE INFO message for IPsec SA [SPI: 0xFAE69584] Jan 24 19:34:29.300 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Building packet for encryption. 
Payload contents: DELETE Next payload: NONE, reserved: 0x0, length: 12 Security protocol id: ESP, spi size: 4, num of spi: 1 Jan 24 19:34:29.300 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Checking if request will fit in peer window Jan 24 19:34:29.300 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Sending Packet [To 22.22.22.22:500/From 1.1.1.1:500/VRF i45:f4] Initiator SPI : 6B6688AB50240B59 - Responder SPI : 390AFC9C334B7A1A Message id: 3 IKEv2 INFORMATIONAL Exchange REQUEST Jan 24 19:34:29.300 CET: IKEv2-PAK:(SESSION ID = 278924,SA ID = 79):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: INITIATOR Message id: 3, length: 96 Payload contents: ENCR Next payload: DELETE, reserved: 0x0, length: 68 Jan 24 19:34:29.300 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Check for existing IPSEC SA Jan 24 19:34:29.310 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Received Packet [From 22.22.22.22:500/To 1.1.1.1:500/VRF i0:f4] Initiator SPI : 6B6688AB50240B59 - Responder SPI : 390AFC9C334B7A1A Message id: 3 IKEv2 INFORMATIONAL Exchange RESPONSE Jan 24 19:34:29.310 CET: IKEv2-PAK:(SESSION ID = 278924,SA ID = 79):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE Message id: 3, length: 96 Payload contents: DELETE Next payload: NONE, reserved: 0x0, length: 12 Security protocol id: ESP, spi size: 4, num of spi: 1 Jan 24 19:34:29.311 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Processing ACK to informational exchange Jan 24 19:34:29.311 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Check for existing IPSEC SA Jan 24 19:34:29.311 CET: IPSEC: still in use sa: 0x0 Jan 24 19:34:29.311 CET: IPSEC: sa null Jan 24 19:34:29.311 CET: IPSEC: still in use sa: 0x7FAE99A67A48 Jan 24 19:34:29.311 CET: IPSEC:(SESSION ID = 278924) (key_engine_delete_sas) delete SA with spi 0xFAE69584 proto 50 for 1.1.1.1 Jan 24 19:34:29.312 CET: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS Jan 24 19:34:29.312 CET: IPSEC:(SESSION ID = 
278924) (ERROR) ident_get_ike_peer_index_from_peer could not find ikmp handle for peer 0x80007FAE97171798 Jan 24 19:34:29.854 CET: IPSEC: still in use sa: 0x7FAE982D1D38 Jan 24 19:34:29.854 CET: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS Jan 24 19:34:29.855 CET: IPSEC: still in use sa: 0x0 Jan 24 19:34:41.299 CET: IPSEC: sa null Jan 24 19:34:41.299 CET: IPSEC: still in use sa: 0x7FAE99A68EA0 Jan 24 19:34:41.299 CET: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS Jan 24 19:34:44.046 CET: IPSEC: still in use sa: 0x7FAE924F91B8 Jan 24 19:34:44.046 CET: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS Jan 24 19:34:59.294 CET: IPSEC: still in use sa: 0x0 Jan 24 19:34:59.294 CET: IPSEC: sa null Jan 24 19:34:59.294 CET: IPSEC: still in use sa: 0x7FAE99A67D30 Jan 24 19:34:59.294 CET: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS Jan 24 19:35:00.772 CET: IPSEC:(SESSION ID = 282248) (STATES) ident_rekey_timeout Sending crypto_ss_connection_failed Jan 24 19:36:04.819 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Received Packet [From 22.22.22.22:500/To 1.1.1.1:500/VRF i0:f4] Initiator SPI : 6B6688AB50240B59 - Responder SPI : 390AFC9C334B7A1A Message id: 0 IKEv2 CREATE_CHILD_SA Exchange REQUEST Jan 24 19:36:04.819 CET: IKEv2-PAK:(SESSION ID = 278924,SA ID = 79):Next payload: ENCR, version: 2.0 Exchange type: CREATE_CHILD_SA, flags: RESPONDER Message id: 0, length: 224 Payload contents: NOTIFY(REKEY_SA) Next payload: SA, reserved: 0x0, length: 12 Security protocol id: ESP, spi size: 4, type: REKEY_SA SA Next payload: N, reserved: 0x0, length: 44 last proposal: 0x0, reserved: 0x0, length: 40 Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3 last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA256 last transform: 0x0, reserved: 0x0: length: 8 type: 5, reserved: 0x0, id: Don't use ESN N Next payload: 
TSi, reserved: 0x0, length: 36 TSi Next payload: TSr, reserved: 0x0, length: 24 Num of TSs: 1, reserved 0x0, reserved 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 start port: 0, end port: 65535 start addr: 192.168.1.0, end addr: 192.168.1.255 TSr Next payload: NONE, reserved: 0x0, length: 24 Num of TSs: 1, reserved 0x0, reserved 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 start port: 0, end port: 65535 start addr: 10.10.2.0, end addr: 10.10.2.255 Jan 24 19:36:04.820 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Validating create child message Jan 24 19:36:04.820 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Check for create child response message type Jan 24 19:36:04.820 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Beginning IPSec Rekey as Responder Jan 24 19:36:04.820 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Processing CREATE_CHILD_SA exchange Jan 24 19:36:04.820 CET: IKEv2:(SESSION ID = 278924,SA ID = 79): Jan 24 19:36:04.821 CET: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) 
INBOUND local= 1.1.1.1:0, remote= 22.22.22.22:0, local_proxy= 10.10.2.0/255.255.255.0/256/0, remote_proxy= 192.168.1.0/255.255.255.0/256/0, protocol= ESP, transform= esp-aes 256 esp-sha256-hmac (Tunnel), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0 Jan 24 19:36:04.821 CET: (ipsec_process_proposal)Map Accepted: vpn, 63 Jan 24 19:36:04.821 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Set IPSEC DH group Jan 24 19:36:04.821 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Requesting SPI from IPSec Jan 24 19:36:04.821 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Checking for PFS configuration Jan 24 19:36:04.821 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):PFS not configured Jan 24 19:36:04.821 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Checking if IKE SA rekey Jan 24 19:36:04.821 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Load IPSEC key material Jan 24 19:36:04.821 CET: IPSEC:(SESSION ID = 278924) (crypto_ipsec_create_ipsec_sas) Map found vpn, 63 Jan 24 19:36:04.822 CET: IPSEC:(SESSION ID = 278924) (STATES) SADB_ROOT_SM (sadb_root_process_kmi_message) called static seqno 63 dynamic seqno 0 Jan 24 19:36:04.822 CET: IPSEC:(SESSION ID = 278924) (create_sa) sa created, (sa) sa_dest= 1.1.1.1, sa_proto= 50, sa_spi= 0xF9CB6B25(4190858021), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 4151 sa_lifetime(k/sec)= (4608000/900), (identity) local= 1.1.1.1:0, remote= 22.22.22.22:0, local_proxy= 10.10.2.0/255.255.255.0/256/0, remote_proxy= 192.168.1.0/255.255.255.0/256/0 Jan 24 19:36:04.823 CET: IPSEC:(SESSION ID = 278924) (create_sa) sa created, (sa) sa_dest= 22.22.22.22, sa_proto= 50, sa_spi= 0x4C453317(1279603479), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 4152 sa_lifetime(k/sec)= (4608000/900), (identity) local= 1.1.1.1:0, remote= 22.22.22.22:0, local_proxy= 10.10.2.0/255.255.255.0/256/0, remote_proxy= 192.168.1.0/255.255.255.0/256/0 Jan 24 19:36:04.823 CET: IPSEC(MESSAGE): SADB_ROOT_SM (print_message_to_acl_state_machine) Sent 
MSG_ACL_CREATE_PTOP_SA message to ACL VPN-ACL-Cust_X, static seqno 63 dynamic seqno 0 Jan 24 19:36:04.824 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Generating CREATE_CHILD_SA exchange Jan 24 19:36:04.824 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), Num. transforms: 3 AES-CBC SHA256 Don't use ESN Jan 24 19:36:04.824 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Building packet for encryption. Payload contents: SA Next payload: N, reserved: 0x0, length: 44 last proposal: 0x0, reserved: 0x0, length: 40 Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3 last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA256 last transform: 0x0, reserved: 0x0: length: 8 type: 5, reserved: 0x0, id: Don't use ESN N Next payload: TSi, reserved: 0x0, length: 36 TSi Next payload: TSr, reserved: 0x0, length: 24 Num of TSs: 1, reserved 0x0, reserved 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 start port: 0, end port: 65535 start addr: 192.168.1.0, end addr: 192.168.1.255 TSr Next payload: NONE, reserved: 0x0, length: 24 Num of TSs: 1, reserved 0x0, reserved 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 start port: 0, end port: 65535 start addr: 10.10.2.0, end addr: 10.10.2.255 Jan 24 19:36:04.825 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Sending Packet [To 22.22.22.22:500/From 1.1.1.1:500/VRF i45:f4] Initiator SPI : 6B6688AB50240B59 - Responder SPI : 390AFC9C334B7A1A Message id: 0 IKEv2 CREATE_CHILD_SA Exchange RESPONSE Jan 24 19:36:04.825 CET: IKEv2-PAK:(SESSION ID = 278924,SA ID = 79):Next payload: ENCR, version: 2.0 Exchange type: CREATE_CHILD_SA, flags: INITIATOR MSG-RESPONSE Message id: 0, length: 224 Payload contents: ENCR Next payload: SA, reserved: 0x0, length: 196 Jan 24 19:36:04.825 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Check for create child request message type Jan 24 19:36:04.825 CET: 
IKEv2:(SESSION ID = 278924,SA ID = 79):IKEV2 SA created; inserting SA into database. SA lifetime timer (900 sec) started
Jan 24 19:36:07.096 CET: IPSEC: still in use sa: 0x7FAE99A67E28
Jan 24 19:36:07.110 CET: IPSEC:(SESSION ID = 248029) (STATES) ident_set_flow_installed_action Sending crypto_ss_connection_open
Jan 24 19:36:07.111 CET: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Jan 24 19:36:09.929 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Received Packet [From 22.22.22.22:500/To 1.1.1.1:500/VRF i0:f4]
  Initiator SPI : 6B6688AB50240B59 - Responder SPI : 390AFC9C334B7A1A Message id: 1
  IKEv2 CREATE_CHILD_SA Exchange REQUEST
Jan 24 19:36:09.929 CET: IKEv2-PAK:(SESSION ID = 278924,SA ID = 79):Next payload: ENCR, version: 2.0 Exchange type: CREATE_CHILD_SA, flags: RESPONDER Message id: 1, length: 224
  Payload contents:
    NOTIFY(REKEY_SA) Next payload: SA, reserved: 0x0, length: 12
      Security protocol id: ESP, spi size: 4, type: REKEY_SA
    SA Next payload: N, reserved: 0x0, length: 44
      last proposal: 0x0, reserved: 0x0, length: 40
      Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
        last transform: 0x3, reserved: 0x0: length: 12
        type: 1, reserved: 0x0, id: AES-CBC
        last transform: 0x3, reserved: 0x0: length: 8
        type: 3, reserved: 0x0, id: SHA256
        last transform: 0x0, reserved: 0x0: length: 8
        type: 5, reserved: 0x0, id: Don't use ESN
    N Next payload: TSi, reserved: 0x0, length: 36
    TSi Next payload: TSr, reserved: 0x0, length: 24
      Num of TSs: 1, reserved 0x0, reserved 0x0
      TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
      start port: 0, end port: 65535
      start addr: 192.168.1.0, end addr: 192.168.1.255
    TSr Next payload: NONE, reserved: 0x0, length: 24
      Num of TSs: 1, reserved 0x0, reserved 0x0
      TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
      start port: 0, end port: 65535
      start addr: 10.10.10.1, end addr: 10.10.10.1
Jan 24 19:36:09.930 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Validating create child message
Jan 24 19:36:09.930 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Check for create child response message type
Jan 24 19:36:09.930 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Beginning IPSec Rekey as Responder
Jan 24 19:36:09.930 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Processing CREATE_CHILD_SA exchange
Jan 24 19:36:09.930 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):
Jan 24 19:36:09.930 CET: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 1.1.1.1:0, remote= 22.22.22.22:0,
  local_proxy= 10.10.10.1/255.255.255.255/256/0,
  remote_proxy= 192.168.1.0/255.255.255.0/256/0,
  protocol= ESP, transform= esp-aes 256 esp-sha256-hmac (Tunnel),
  lifedur= 0s and 0kb,
  spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Jan 24 19:36:09.930 CET: (ipsec_process_proposal)Map Accepted: vpn, 63
Jan 24 19:36:09.931 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Set IPSEC DH group
Jan 24 19:36:09.931 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Requesting SPI from IPSec
Jan 24 19:36:09.931 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Checking for PFS configuration
Jan 24 19:36:09.931 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):PFS not configured
Jan 24 19:36:09.931 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Checking if IKE SA rekey
Jan 24 19:36:09.931 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Load IPSEC key material
Jan 24 19:36:09.931 CET: IPSEC:(SESSION ID = 278924) (crypto_ipsec_create_ipsec_sas) Map found vpn, 63
Jan 24 19:36:09.931 CET: IPSEC:(SESSION ID = 278924) (STATES) SADB_ROOT_SM (sadb_root_process_kmi_message) called static seqno 63 dynamic seqno 0
Jan 24 19:36:09.932 CET: IPSEC:(SESSION ID = 278924) (create_sa) sa created,
  (sa) sa_dest= 1.1.1.1, sa_proto= 50,
  sa_spi= 0x4BCB782C(1271625772),
  sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 4153
  sa_lifetime(k/sec)= (4608000/900),
  (identity) local= 1.1.1.1:0, remote= 22.22.22.22:0,
  local_proxy= 10.10.10.1/255.255.255.255/256/0,
  remote_proxy= 192.168.1.0/255.255.255.0/256/0
Jan 24 19:36:09.932 CET: IPSEC:(SESSION ID = 278924) (create_sa) sa created,
  (sa) sa_dest= 22.22.22.22, sa_proto= 50,
  sa_spi= 0x4C453318(1279603480),
  sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 4154
  sa_lifetime(k/sec)= (4608000/900),
  (identity) local= 1.1.1.1:0, remote= 22.22.22.22:0,
  local_proxy= 10.10.10.1/255.255.255.255/256/0,
  remote_proxy= 192.168.1.0/255.255.255.0/256/0
Jan 24 19:36:09.933 CET: IPSEC(MESSAGE): SADB_ROOT_SM (print_message_to_acl_state_machine) Sent MSG_ACL_CREATE_PTOP_SA message to ACL VPN-ACL-Cust_X, static seqno 63 dynamic seqno 0
Jan 24 19:36:09.934 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Generating CREATE_CHILD_SA exchange
Jan 24 19:36:09.934 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), Num. transforms: 3
  AES-CBC SHA256 Don't use ESN
Jan 24 19:36:09.934 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Building packet for encryption.
  Payload contents:
    SA Next payload: N, reserved: 0x0, length: 44
      last proposal: 0x0, reserved: 0x0, length: 40
      Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
        last transform: 0x3, reserved: 0x0: length: 12
        type: 1, reserved: 0x0, id: AES-CBC
        last transform: 0x3, reserved: 0x0: length: 8
        type: 3, reserved: 0x0, id: SHA256
        last transform: 0x0, reserved: 0x0: length: 8
        type: 5, reserved: 0x0, id: Don't use ESN
    N Next payload: TSi, reserved: 0x0, length: 36
    TSi Next payload: TSr, reserved: 0x0, length: 24
      Num of TSs: 1, reserved 0x0, reserved 0x0
      TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
      start port: 0, end port: 65535
      start addr: 192.168.1.0, end addr: 192.168.1.255
    TSr Next payload: NONE, reserved: 0x0, length: 24
      Num of TSs: 1, reserved 0x0, reserved 0x0
      TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
      start port: 0, end port: 65535
      start addr: 10.10.10.1, end addr: 10.10.10.1
Jan 24 19:36:09.935 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Sending Packet [To 22.22.22.22:500/From 1.1.1.1:500/VRF i45:f4]
  Initiator SPI : 6B6688AB50240B59 - Responder SPI : 390AFC9C334B7A1A Message id: 1
  IKEv2 CREATE_CHILD_SA Exchange RESPONSE
Jan 24 19:36:09.935 CET: IKEv2-PAK:(SESSION ID = 278924,SA ID = 79):Next payload: ENCR, version: 2.0 Exchange type: CREATE_CHILD_SA, flags: INITIATOR MSG-RESPONSE Message id: 1, length: 224
  Payload contents:
    ENCR Next payload: SA, reserved: 0x0, length: 196
Jan 24 19:36:09.935 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Check for create child request message type
Jan 24 19:36:09.935 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):IKEV2 SA created; inserting SA into database. SA lifetime timer (900 sec) started
Jan 24 19:36:10.008 CET: IPSEC(STATES): SADB_ROOT_SM (sadb_root_process_kmi_message) called static seqno 56 dynamic seqno 0
Jan 24 19:36:10.017 CET: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Jan 24 19:36:10.029 CET: IPSEC(STATES): ident_set_flow_installed_action Sending crypto_ss_connection_open
Jan 24 19:36:11.107 CET: IPSEC: still in use sa: 0x7FAE924F9E50
Jan 24 19:36:11.107 CET: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Jan 24 19:36:14.833 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Received Packet [From 22.22.22.22:500/To 1.1.1.1:500/VRF i0:f4]
  Initiator SPI : 6B6688AB50240B59 - Responder SPI : 390AFC9C334B7A1A Message id: 2
  IKEv2 INFORMATIONAL Exchange REQUEST
Jan 24 19:36:14.834 CET: IKEv2-PAK:(SESSION ID = 278924,SA ID = 79):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 2, length: 96
  Payload contents:
    DELETE Next payload: NONE, reserved: 0x0, length: 12
      Security protocol id: ESP, spi size: 4, num of spi: 1
Jan 24 19:36:14.834 CET: IPSEC: still in use sa: 0x7FAE99EE73B8
Jan 24 19:36:14.834 CET: IPSEC:(SESSION ID = 278924) (update_current_outbound_sa) updated peer 22.22.22.22 current outbound sa to SPI 4C453317
Jan 24 19:36:14.847 CET: IPSEC:(SESSION ID = 278924) (STATES) ident_set_flow_installed_action Sending crypto_ss_connection_open
Jan 24 19:36:14.847 CET: IPSEC:(SESSION ID = 278924) (key_engine_delete_sas) delete SA with spi 0xE7AD56A9 proto 50 for 1.1.1.1
Jan 24 19:36:14.847 CET: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Jan 24 19:36:14.848 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Building packet for encryption.
  Payload contents:
    DELETE Next payload: NONE, reserved: 0x0, length: 12
      Security protocol id: ESP, spi size: 4, num of spi: 1
Jan 24 19:36:14.848 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Sending Packet [To 22.22.22.22:500/From 1.1.1.1:500/VRF i45:f4]
  Initiator SPI : 6B6688AB50240B59 - Responder SPI : 390AFC9C334B7A1A Message id: 2
  IKEv2 INFORMATIONAL Exchange RESPONSE
Jan 24 19:36:14.848 CET: IKEv2-PAK:(SESSION ID = 278924,SA ID = 79):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: INITIATOR MSG-RESPONSE Message id: 2, length: 96
  Payload contents:
    ENCR Next payload: DELETE, reserved: 0x0, length: 68
Jan 24 19:36:14.849 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Process delete request from peer
Jan 24 19:36:14.849 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Processing DELETE INFO message for IPsec SA [SPI: 0x4C4532EE]
Jan 24 19:36:14.849 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Check for existing active SA
Jan 24 19:36:14.849 CET: IPSEC:(SESSION ID = 278924) (ERROR) ident_get_ike_peer_index_from_peer could not find ikmp handle for peer 0x80007FAE9716E698
Jan 24 19:36:15.017 CET: IPSEC: still in use sa: 0x7FAE99A67760
Jan 24 19:36:15.018 CET: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Jan 24 19:36:16.282 CET: IPSEC:(SESSION ID = 139069) (STATES) SADB_ROOT_SM (sadb_root_process_kmi_message) called static seqno 85 dynamic seqno 0
Jan 24 19:36:16.297 CET: IPSEC:(SESSION ID = 139069) (STATES) ident_set_flow_installed_action Sending crypto_ss_connection_open
Jan 24 19:36:16.305 CET: IPSEC: still in use sa: 0x0
Jan 24 19:36:16.305 CET: IPSEC: sa null
Jan 24 19:36:16.305 CET: IPSEC: still in use sa: 0x7FAE924F9C60
Jan 24 19:36:16.305 CET: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Jan 24 19:36:16.345 CET: IPSEC:(SESSION ID = 282283) (STATES) SADB_ROOT_SM (sadb_root_process_kmi_message) called static seqno 100 dynamic seqno 0
Jan 24 19:36:16.416 CET: IPSEC: still in use sa: 0x7FAE99A67A48
Jan 24 19:36:16.429 CET: IPSEC:(SESSION ID = 282283) (STATES) ident_set_flow_installed_action Sending crypto_ss_connection_open
Jan 24 19:36:16.430 CET: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Jan 24 19:36:19.945 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Received Packet [From 22.22.22.22:500/To 1.1.1.1:500/VRF i0:f4]
  Initiator SPI : 6B6688AB50240B59 - Responder SPI : 390AFC9C334B7A1A Message id: 3
  IKEv2 INFORMATIONAL Exchange REQUEST
Jan 24 19:36:19.945 CET: IKEv2-PAK:(SESSION ID = 278924,SA ID = 79):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 3, length: 96
  Payload contents:
    DELETE Next payload: NONE, reserved: 0x0, length: 12
      Security protocol id: ESP, spi size: 4, num of spi: 1
Jan 24 19:36:19.945 CET: IPSEC: still in use sa: 0x7FAE99EE6DE8
Jan 24 19:36:19.946 CET: IPSEC:(SESSION ID = 278924) (update_current_outbound_sa) updated peer 22.22.22.22 current outbound sa to SPI 4C453318
Jan 24 19:36:19.959 CET: IPSEC:(SESSION ID = 278924) (STATES) ident_set_flow_installed_action Sending crypto_ss_connection_open
Jan 24 19:36:19.960 CET: IPSEC:(SESSION ID = 278924) (key_engine_delete_sas) delete SA with spi 0x9A039074 proto 50 for 1.1.1.1
Jan 24 19:36:19.960 CET: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Jan 24 19:36:19.960 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Building packet for encryption.
  Payload contents:
    DELETE Next payload: NONE, reserved: 0x0, length: 12
      Security protocol id: ESP, spi size: 4, num of spi: 1
Jan 24 19:36:19.961 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Sending Packet [To 22.22.22.22:500/From 1.1.1.1:500/VRF i45:f4]
  Initiator SPI : 6B6688AB50240B59 - Responder SPI : 390AFC9C334B7A1A Message id: 3
  IKEv2 INFORMATIONAL Exchange RESPONSE
Jan 24 19:36:19.961 CET: IKEv2-PAK:(SESSION ID = 278924,SA ID = 79):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: INITIATOR MSG-RESPONSE Message id: 3, length: 96
  Payload contents:
    ENCR Next payload: DELETE, reserved: 0x0, length: 68
Jan 24 19:36:19.961 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Process delete request from peer
Jan 24 19:36:19.961 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Processing DELETE INFO message for IPsec SA [SPI: 0x4C4532EF]
Jan 24 19:36:19.961 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Check for existing active SA
Jan 24 19:36:19.962 CET: IPSEC:(SESSION ID = 278924) (ERROR) ident_get_ike_peer_index_from_peer could not find ikmp handle for peer 0x80007FAE97171488
Jan 24 19:36:23.275 CET: IPSEC:(SESSION ID = 278924) (lifetime_expiry) SA lifetime threshold reached, expiring in 41 seconds
Jan 24 19:36:26.066 CET: IPSEC:(SESSION ID = 259732) (STATES) SADB_ROOT_SM (sadb_root_process_kmi_message) called static seqno 60 dynamic seqno 0
Jan 24 19:36:29.083 CET: IPSEC: still in use sa: 0x7FAE924F9598
Jan 24 19:36:29.097 CET: IPSEC:(SESSION ID = 259732) (STATES) ident_set_flow_installed_action Sending crypto_ss_connection_open
Jan 24 19:36:29.098 CET: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Jan 24 19:36:31.717 CET: IPSEC(STATES): SADB_ROOT_SM (sadb_root_process_kmi_message) called static seqno 69 dynamic seqno 0
Jan 24 19:36:31.730 CET: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Jan 24 19:36:31.742 CET: IPSEC(STATES): ident_set_flow_installed_action Sending crypto_ss_connection_open
Jan 24 19:36:34.286 CET: IPSEC:(SESSION ID = 153670) (STATES) SADB_ROOT_SM (sadb_root_process_kmi_message) called static seqno 64 dynamic seqno 0
Jan 24 19:36:34.302 CET: IPSEC:(SESSION ID = 153670) (STATES) ident_set_flow_installed_action Sending crypto_ss_connection_open
Jan 24 19:36:34.311 CET: IPSEC: still in use sa: 0x0
Jan 24 19:36:34.311 CET: IPSEC: sa null
Jan 24 19:36:34.311 CET: IPSEC: still in use sa: 0x7FAE99EE5D70
Jan 24 19:36:34.311 CET: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Jan 24 19:36:35.535 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Sending Packet [To 22.22.22.22:500/From 1.1.1.1:500/VRF i45:f4]
  Initiator SPI : 6B6688AB50240B59 - Responder SPI : 390AFC9C334B7A1A Message id: 4
  IKEv2 CREATE_CHILD_SA Exchange RESPONSE
Jan 24 19:36:35.535 CET: IKEv2-PAK:(SESSION ID = 278924,SA ID = 79):Next payload: ENCR, version: 2.0 Exchange type: CREATE_CHILD_SA, flags: INITIATOR MSG-RESPONSE Message id: 4, length: 224
  Payload contents:
    ENCR Next payload: SA, reserved: 0x0, length: 196
Jan 24 19:36:35.535 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Check for create child request message type
Jan 24 19:36:35.535 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):IKEV2 SA created; inserting SA into database. SA lifetime timer (900 sec) started
Jan 24 19:36:45.539 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Received Packet [From 22.22.22.22:500/To 1.1.1.1:500/VRF i0:f4]
  Initiator SPI : 6B6688AB50240B59 - Responder SPI : 390AFC9C334B7A1A Message id: 5
  IKEv2 INFORMATIONAL Exchange REQUEST
Jan 24 19:36:45.539 CET: IKEv2-PAK:(SESSION ID = 278924,SA ID = 79):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 5, length: 96
  Payload contents:
    DELETE Next payload: NONE, reserved: 0x0, length: 12
      Security protocol id: ESP, spi size: 4, num of spi: 1
Jan 24 19:36:45.540 CET: IPSEC: still in use sa: 0x7FAE924F8330
Jan 24 19:36:45.540 CET: IPSEC:(SESSION ID = 278924) (update_current_outbound_sa) updated peer 22.22.22.22 current outbound sa to SPI 4C45331A
Jan 24 19:36:45.553 CET: IPSEC:(SESSION ID = 278924) (STATES) ident_set_flow_installed_action Sending crypto_ss_connection_open
Jan 24 19:36:45.553 CET: IPSEC:(SESSION ID = 278924) (key_engine_delete_sas) delete SA with spi 0x3FE39938 proto 50 for 1.1.1.1
Jan 24 19:36:45.553 CET: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Jan 24 19:36:45.554 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Building packet for encryption.
  Payload contents:
    DELETE Next payload: NONE, reserved: 0x0, length: 12
      Security protocol id: ESP, spi size: 4, num of spi: 1
Jan 24 19:36:45.554 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Sending Packet [To 22.22.22.22:500/From 1.1.1.1:500/VRF i45:f4]
  Initiator SPI : 6B6688AB50240B59 - Responder SPI : 390AFC9C334B7A1A Message id: 5
  IKEv2 INFORMATIONAL Exchange RESPONSE
Jan 24 19:36:45.554 CET: IKEv2-PAK:(SESSION ID = 278924,SA ID = 79):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: INITIATOR MSG-RESPONSE Message id: 5, length: 96
  Payload contents:
    ENCR Next payload: DELETE, reserved: 0x0, length: 68
Jan 24 19:36:45.554 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Process delete request from peer
Jan 24 19:36:45.555 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Processing DELETE INFO message for IPsec SA [SPI: 0x4C4532F1]
Jan 24 19:36:45.555 CET: IKEv2:(SESSION ID = 278924,SA ID = 79):Check for existing active SA
Jan 24 19:36:45.556 CET: IPSEC:(SESSION ID = 278924) (ERROR) ident_get_ike_peer_index_from_peer could not find ikmp handle for peer 0x80007FAE97171DB8
Jan 24 19:38:00.773 CET: IPSEC:(SESSION ID = 282248) (STATES) ident_rekey_timeout Sending crypto_ss_connection_failed
Jan 24 19:38:17.632 CET: IPSEC:(SESSION ID = 282283) (STATES) ident_set_flow_installed_action Sending crypto_ss_connection_open
Jan 24 19:38:17.633 CET: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
VPN-Router#