=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2018.09.30 20:55:56 =~=~=~=~=~=~=~=~=~=~=~=
d buffer from 1024 to 3072
*Sep 30 20:55:29.791: ISAKMP:(1021): using the dmvpn-ca trustpoint's keypair to sign
*Sep 30 20:55:30.279: ISAKMP:(1021): sending packet to 130.130.130.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Sep 30 20:55:30.283: ISAKMP:(1021):Sending an IKE IPv4 Packet.
*Sep 30 20:55:30.287: ISAKMP:(1021):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 30 20:55:30.287: ISAKMP:(1021):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Sep 30 20:55:30.475: ISAKMP (1019): received packet from 130.130.130.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Sep 30 20:55:30.523: ISAKMP:(1017):purging SA., sa=67ADC030, delme=67ADC030
*Sep 30 20:55:30.939: ISAKMP (1021): received packet from 130.130.130.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Sep 30 20:55:30.939: ISAKMP:(1021): processing ID payload. message ID = 0
*Sep 30 20:55:30.943: ISAKMP (1021): ID payload
    next-payload : 6
    type : 2
    FQDN name : Cbtme-Spoke2
    protocol : 17
    port : 500
    length : 20
*Sep 30 20:55:30.943: ISAKMP:(1021): processing CERT payload. message ID = 0
*Sep 30 20:55:30.943: ISAKMP:(1021): processing a CT_X509_SIGNATURE cert
*Sep 30 20:55:30.943: ISAKMP:(1021): IKE->PKI Add peer's certificate state (I) MM_KEY_EXCH (peer 130.130.130.1)
*Sep 30 20:55:30.947: ISAKMP:(1021): PKI->IKE Added peer's certificate state (I) MM_KEY_EXCH (peer 130.130.130.1)
*Sep 30 20:55:30.951: ISAKMP:(1021): IKE->PKI Get PeerCertificateChain state (I) MM_KEY_EXCH (peer 130.130.130.1)
*Sep 30 20:55:30.951: ISAKMP:(1021): PKI->IKE Got PeerCertificateChain state (I) MM_KEY_EXCH (peer 130.130.130.1)
*Sep 30 20:55:30.951: ISAKMP:(1021): peer's pubkey isn't cached
*Sep 30 20:55:30.959: ISAKMP:(0):Unable to match the certificate map configured in the profile
*Sep 30 20:55:30.959: ISAKMP (1021): FSM action returned error: 2
*Sep 30 20:55:30.959: ISAKMP:(1021):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 30 20:55:30.959: ISAKMP:(1021):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Sep 30 20:55:30.959: ISAKMP:(1021):peer does not do paranoid keepalives.
*Sep 30 20:55:30.959: ISAKMP:(1021):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 130.130.130.1)
*Sep 30 20:55:30.963: ISAKMP:(1021):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 30 20:55:30.963: ISAKMP:(1021):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Sep 30 20:55:30.963: ISAKMP:(1021):peer does not do paranoid keepalives.
*Sep 30 20:55:30.963: ISAKMP (1021): FSM action returned error: 2
*Sep 30 20:55:30.963: ISAKMP:(1021):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*Sep 30 20:55:30.963: ISAKMP:(1021):Old State = IKE_I_MM6 New State = IKE_I_MM5
*Sep 30 20:55:30.963: ISAKMP:(1021):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 130.130.130.1)
*Sep 30 20:55:30.963: ISAKMP: Unlocking peer struct 0x68DD7ECC for isadb_mark_sa_deleted(), count 0
*Sep 30 20:55:30.963: ISAKMP: Deleting peer node by peer_reap for 130.130.130.1: 68DD7ECC
*Sep 30 20:55:30.967: ISAKMP:(1021):deleting node 1742021388 error FALSE reason "IKE deleted"
*Sep 30 20:55:30.971: ISAKMP:(1021): IKE->PKI End PKI Session state (I) MM_NO_STATE (peer 130.130.130.1)
*Sep 30 20:55:30.975: ISAKMP:(1021): PKI->IKE Ended PKI Session state (I) MM_NO_STATE (peer 130.130.130.1)
*Sep 30 20:55:30.975: ISAKMP:(1021):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Sep 30 20:55:30.975: ISAKMP:(1021):Old State = IKE_I_MM5 New State = IKE_DEST_SA
*Sep 30 20:55:33.275: ISAKMP:(1018):purging SA., sa=68283084, delme=68283084
*Sep 30 20:55:33.955: ISAKMP (1020): received packet from 120.120.120.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Sep 30 20:55:37.215: ISAKMP:(0): SA request profile is dmvpn1
*Sep 30 20:55:37.215: ISAKMP: Created a peer struct for 120.120.120.1, peer port 500
*Sep 30 20:55:37.215: ISAKMP: New peer created peer = 0x68DD7ECC peer_handle = 0x80000020
*Sep 30 20:55:37.215: ISAKMP: Locking peer struct 0x68DD7ECC, refcount 1 for isakmp_initiator
*Sep 30 20:55:37.215: ISAKMP: local port 500, remote port 500
*Sep 30 20:55:37.219: ISAKMP: set new node 0 to QM_IDLE
*Sep 30 20:55:37.219: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 67ADC030
*Sep 30 20:55:37.219: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Sep 30 20:55:37.219: ISAKMP:(0):Profile has no keyring, aborting key search
*Sep 30 20:55:37.219: ISAKMP:(0):Profile has no keyring, aborting host key search
*Sep 30 20:55:37.219: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 120.120.120.1)
*Sep 30 20:55:37.219: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 120.120.120.1)
*Sep 30 20:55:37.223: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Sep 30 20:55:37.223: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Sep 30 20:55:37.223: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Sep 30 20:55:37.223: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Sep 30 20:55:37.223: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Sep 30 20:55:37.223: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Sep 30 20:55:37.223: ISAKMP:(0): beginning Main Mode exchange
*Sep 30 20:55:37.227: ISAKMP:(0): sending packet to 120.120.120.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 30 20:55:37.227: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 30 20:55:37.259: ISAKMP (0): received packet from 120.120.120.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Sep 30 20:55:37.259: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 30 20:55:37.259: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Sep 30 20:55:37.259: ISAKMP:(0): processing SA payload. message ID = 0
*Sep 30 20:55:37.259: ISAKMP:(0): processing vendor id payload
*Sep 30 20:55:37.259: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Sep 30 20:55:37.259: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep 30 20:55:37.259: ISAKMP : Looking for xauth in profile dmvpn1
*Sep 30 20:55:37.263: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 120.120.120.1)
*Sep 30 20:55:37.263: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 120.120.120.1)
*Sep 30 20:55:37.263: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Sep 30 20:55:37.263: ISAKMP: encryption AES-CBC
*Sep 30 20:55:37.263: ISAKMP: keylength of 256
*Sep 30 20:55:37.263: ISAKMP: hash SHA256
*Sep 30 20:55:37.263: ISAKMP: default group 2
*Sep 30 20:55:37.263: ISAKMP: auth RSA sig
*Sep 30 20:55:37.263: ISAKMP: life type in seconds
*Sep 30 20:55:37.263: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Sep 30 20:55:37.263: ISAKMP:(0):atts are acceptable. Next payload is 0
*Sep 30 20:55:37.263: ISAKMP:(0):Acceptable atts:actual life: 0
*Sep 30 20:55:37.263: ISAKMP:(0):Acceptable atts:life: 0
*Sep 30 20:55:37.263: ISAKMP:(0):Fill atts in sa vpi_length:4
*Sep 30 20:55:37.263: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Sep 30 20:55:37.263: ISAKMP:(0): IKE->PKI Start PKI Session state (I) MM_NO_STATE (peer 120.120.120.1)
*Sep 30 20:55:37.263: ISAKMP:(0): PKI->IKE Started PKI Session state (I) MM_NO_STATE (peer 120.120.120.1)
*Sep 30 20:55:37.263: ISAKMP:(0):Returning Actual lifetime: 86400
*Sep 30 20:55:37.263: ISAKMP:(0)::Started lifetime timer: 86400.
*Sep 30 20:55:37.263: ISAKMP:(0): processing vendor id payload
*Sep 30 20:55:37.263: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Sep 30 20:55:37.263: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep 30 20:55:37.263: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 30 20:55:37.263: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Sep 30 20:55:37.263: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_SA_SETUP (peer 120.120.120.1)
*Sep 30 20:55:37.263: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_SA_SETUP (peer 120.120.120.1)
*Sep 30 20:55:37.263: ISAKMP:(0): IKE->PKI Get IssuerNames state (I) MM_SA_SETUP (peer 120.120.120.1)
*Sep 30 20:55:37.263: ISAKMP:(0): PKI->IKE Got IssuerNames state (I) MM_SA_SETUP (peer 120.120.120.1)
*Sep 30 20:55:37.267: ISAKMP (0): constructing CERT_REQ for issuer cn=ekiosk-dc-CASVR-CA,dc=ekiosk-dc,dc=local
*Sep 30 20:55:37.267: ISAKMP:(0): sending packet to 120.120.120.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Sep 30 20:55:37.267: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 30 20:55:37.267: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 30 20:55:37.267: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Sep 30 20:55:37.327: ISAKMP (0): received packet from 120.120.120.1 dport 500 sport 500 Global (I) MM_SA_SETUP
*Sep 30 20:55:37.331: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 30 20:55:37.335: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Sep 30 20:55:37.343: ISAKMP:(0): processing KE payload. message ID = 0
*Sep 30 20:55:37.467: ISAKMP:(0): processing NONCE payload. message ID = 0
*Sep 30 20:55:37.467: ISAKMP:(1022): processing vendor id payload
*Sep 30 20:55:37.467: ISAKMP:(1022): vendor ID is Unity
*Sep 30 20:55:37.467: ISAKMP:(1022): processing vendor id payload
*Sep 30 20:55:37.467: ISAKMP:(1022): vendor ID is DPD
*Sep 30 20:55:37.467: ISAKMP:(1022): processing vendor id payload
*Sep 30 20:55:37.467: ISAKMP:(1022): speaking to another IOS box!
*Sep 30 20:55:37.467: ISAKMP:received payload type 20
*Sep 30 20:55:37.467: ISAKMP (1022): His hash no match - this node outside NAT
*Sep 30 20:55:37.467: ISAKMP:received payload type 20
*Sep 30 20:55:37.467: ISAKMP (1022): No NAT Found for self or peer
*Sep 30 20:55:37.467: ISAKMP:(1022):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 30 20:55:37.467: ISAKMP:(1022):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Sep 30 20:55:37.467: ISAKMP:(1022):Send initial contact
*Sep 30 20:55:37.467: ISAKMP:(1022): processing CERT_REQ payload.
*Sep 30 20:55:37.471: ISAKMP:(1022): peer wants a CT_X509_SIGNATURE cert
*Sep 30 20:55:37.471: ISAKMP:(1022): peer wants cert issued by cn=ekiosk-dc-CASVR-CA,dc=ekiosk-dc,dc=local
*Sep 30 20:55:37.471: Choosing trustpoint dmvpn-ca as issuer
*Sep 30 20:55:37.471: ISAKMP:(1022): IKE->PKI Get self CertificateChain state (I) MM_KEY_EXCH (peer 120.120.120.1)
*Sep 30 20:55:37.471: ISAKMP:(1022): PKI->IKE Got self CertificateChain state (I) MM_KEY_EXCH (peer 120.120.120.1)
*Sep 30 20:55:37.471: ISAKMP:(1022): IKE->PKI Get SubjectName state (I) MM_KEY_EXCH (peer 120.120.120.1)
*Sep 30 20:55:37.479: ISAKMP:(1022): PKI->IKE Got SubjectName state (I) MM_KEY_EXCH (peer 120.120.120.1)
*Sep 30 20:55:37.479: ISAKMP:(1022):My ID configured as IPv4 Addr, but Addr not in Cert!
*Sep 30 20:55:37.479: ISAKMP:(1022):Using FQDN as My ID
*Sep 30 20:55:37.479: ISAKMP:(1022):SA is doing RSA signature authentication using id type ID_FQDN
*Sep 30 20:55:37.479: ISAKMP (1022): ID payload
    next-payload : 6
    type : 2
    FQDN name : Cbtme-Hub
    protocol : 17
    port : 500
    length : 17
*Sep 30 20:55:37.479: ISAKMP:(1022):Total payload length: 17
*Sep 30 20:55:37.483: ISAKMP:(1022): IKE->PKI Get CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 120.120.120.1)
*Sep 30 20:55:37.491: ISAKMP:(1022): PKI->IKE Got CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 120.120.120.1)
*Sep 30 20:55:37.495: ISAKMP (1022): constructing CERT payload for cn=cbtme-hub.ekiosk-dc-CASVR-CA
*Sep 30 20:55:37.495: ISKAMP: growing send buffer from 1024 to 3072
*Sep 30 20:55:37.495: ISAKMP:(1022): using the dmvpn-ca trustpoint's keypair to sign
*Sep 30 20:55:38.011: ISAKMP:(1022): sending packet to 120.120.120.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Sep 30 20:55:38.011: ISAKMP:(1022):Sending an IKE IPv4 Packet.
*Sep 30 20:55:38.011: ISAKMP:(1022):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 30 20:55:38.011: ISAKMP:(1022):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Sep 30 20:55:38.335: ISAKMP (1020): received packet from 120.120.120.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Sep 30 20:55:39.051: ISAKMP (1022): received packet from 120.120.120.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Sep 30 20:55:39.055: ISAKMP:(1022): processing ID payload. message ID = 0
*Sep 30 20:55:39.059: ISAKMP (1022): ID payload
    next-payload : 6
    type : 2
    FQDN name : Cbtme-Spoke1
    protocol : 17
    port : 500
    length : 20
*Sep 30 20:55:39.063: ISAKMP:(1022): processing CERT payload. message ID = 0
*Sep 30 20:55:39.063: ISAKMP:(1022): processing a CT_X509_SIGNATURE cert
*Sep 30 20:55:39.067: ISAKMP:(1022): IKE->PKI Add peer's certificate state (I) MM_KEY_EXCH (peer 120.120.120.1)
*Sep 30 20:55:39.147: ISAKMP:(1022): PKI->IKE Added peer's certificate state (I) MM_KEY_EXCH (peer 120.120.120.1)
*Sep 30 20:55:39.147: ISAKMP:(1022): IKE->PKI Get PeerCertificateChain state (I) MM_KEY_EXCH (peer 120.120.120.1)
*Sep 30 20:55:39.151: ISAKMP:(1022): PKI->IKE Got PeerCertificateChain state (I) MM_KEY_EXCH (peer 120.120.120.1)
*Sep 30 20:55:39.151: ISAKMP:(1022): peer's pubkey isn't cached
*Sep 30 20:55:39.243: ISAKMP:(0):Unable to match the certificate map configured in the profile
*Sep 30 20:55:39.243: ISAKMP (1022): FSM action returned error: 2
*Sep 30 20:55:39.247: ISAKMP:(1022):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 30 20:55:39.247: ISAKMP:(1022):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Sep 30 20:55:39.251: ISAKMP:(1022):peer does not do paranoid keepalives.
*Sep 30 20:55:39.251: ISAKMP:(1022):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 120.120.120.1)
*Sep 30 20:55:39.271: ISAKMP:(1022):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 30 20:55:39.271: ISAKMP:(1022):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Sep 30 20:55:39.279: ISAKMP:(1022):peer does not do paranoid keepalives.
*Sep 30 20:55:39.283: ISAKMP (1022): FSM action returned error: 2
*Sep 30 20:55:39.283: ISAKMP:(1022):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*Sep 30 20:55:39.287: ISAKMP:(1022):Old State = IKE_I_MM6 New State = IKE_I_MM5
*Sep 30 20:55:39.295: ISAKMP:(1022):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 120.120.120.1)
*Sep 30 20:55:39.295: ISAKMP: Unlocking peer struct 0x68DD7ECC for isadb_mark_sa_deleted(), count 0
*Sep 30 20:55:39.299: ISAKMP: Deleting peer node by peer_reap for 120.120.120.1: 68DD7ECC
*Sep 30 20:55:39.303: ISAKMP:(1022):deleting node -1956572464 error FALSE reason "IKE deleted"
*Sep 30 20:55:39.303: ISAKMP:(1022): IKE->PKI End PKI Session state (I) MM_NO_STATE (peer 120.120.120.1)
*Sep 30 20:55:39.319: ISAKMP:(1022): PKI->IKE Ended PKI Session state (I) MM_NO_STATE (peer 120.120.120.1)
*Sep 30 20:55:39.319: ISAKMP:(1022):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Sep 30 20:55:39.323: ISAKMP:(1022):Old State = IKE_I_MM5 New State = IKE_DEST_SA
*Sep 30 20:55:42.147: ISAKMP (1021): received packet from 130.130.130.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Sep 30 20:55:45.475: ISAKMP (1022): received packet from 120.120.120.1 dport 500 sport 500 Global (I) MM_NO_STATE
Cbtme-Hub#
*Sep 30 20:55:50.387: ISAKMP:(1019):purging node -502864642
Cbtme-Hub#
*Sep 30 20:55:52.115: ISAKMP (1021): received packet from 130.130.130.1 dport 500 sport 500 Global (I) MM_NO_STATE
Cbtme-Hub#
*Sep 30 20:55:55.463: ISAKMP (1022): received packet from 120.120.120.1 dport 500 sport 500 Global (I) MM_NO_STATE
Cbtme-Hub#
*Sep 30 20:55:58.815: ISAKMP:(1020):purging node 171493771
Cbtme-Hub#
*Sep 30 20:56:00.391: ISAKMP:(1019):purging SA., sa=6823AEB4, delme=6823AEB4
Cbtme-Hub#
*Sep 30 20:56:02.107: ISAKMP (1021): received packet from 130.130.130.1 dport 500 sport 500 Global (I) MM_NO_STATE
Cbtme-Hub#
*Sep 30 20:56:04.619: ISAKMP:(0): SA request profile is dmvpn1
*Sep 30 20:56:04.619: ISAKMP: Created a peer struct for 130.130.130.1, peer port 500
*Sep 30 20:56:04.619: ISAKMP: New peer created peer = 0x682233E4 peer_handle = 0x8000001F
*Sep 30 20:56:04.619: ISAKMP: Locking peer struct 0x682233E4, refcount 1 for isakmp_initiator
*Sep 30 20:56:04.619: ISAKMP: local port 500, remote port 500
*Sep 30 20:56:04.623: ISAKMP: set new node 0 to QM_IDLE
*Sep 30 20:56:04.623: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 67ADE748
*Sep 30 20:56:04.623: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Sep 30 20:56:04.623: ISAKMP:(0):Profile has no keyring, aborting key search
*Sep 30 20:56:04.623: ISAKMP:(0):Profile has no keyring, aborting host key search
*Sep 30 20:56:04.623: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 130.130.130.1)
*Sep 30 20:56:04.627: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 130.130.130.1)
*Sep 30 20:56:04.631: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Sep 30 20:56:04.631: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Sep 30 20:56:04.631: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Sep 30 20:56:04.635: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Sep 30 20:56:04.635: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Sep 30 20:56:04.639: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Sep 30 20:56:04.639: ISAKMP:(0): beginning Main Mode exchange
*Sep 30 20:56:04.643: ISAKMP:(0): sending packet to 130.130.130.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 30 20:56:04.643: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 30 20:56:04.739: ISAKMP (0): received packet from 130.130.130.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Sep 30 20:56:04.743: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 30 20:56:04.743: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Sep 30 20:56:04.751: ISAKMP:(0): processing SA payload. message ID = 0
*Sep 30 20:56:04.755: ISAKMP:(0): processing vendor id payload
*Sep 30 20:56:04.755: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Sep 30 20:56:04.759: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep 30 20:56:04.759: ISAKMP : Looking for xauth in profile dmvpn1
*Sep 30 20:56:04.759: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 130.130.130.1)
*Sep 30 20:56:04.763: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 130.130.130.1)
*Sep 30 20:56:04.767: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Sep 30 20:56:04.767: ISAKMP: encryption AES-CBC
*Sep 30 20:56:04.767: ISAKMP: keylength of 256
*Sep 30 20:56:04.767: ISAKMP: hash SHA256
*Sep 30 20:56:04.767: ISAKMP: default group 2
*Sep 30 20:56:04.767: ISAKMP: auth RSA sig
*Sep 30 20:56:04.767: ISAKMP: life type in seconds
*Sep 30 20:56:04.767: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Sep 30 20:56:04.767: ISAKMP:(0):atts are acceptable. Next payload is 0
*Sep 30 20:56:04.767: ISAKMP:(0):Acceptable atts:actual life: 0
*Sep 30 20:56:04.767: ISAKMP:(0):Acceptable atts:life: 0
*Sep 30 20:56:04.767: ISAKMP:(0):Fill atts in sa vpi_length:4
*Sep 30 20:56:04.767: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Sep 30 20:56:04.767: ISAKMP:(0): IKE->PKI Start PKI Session state (I) MM_NO_STATE (peer 130.130.130.1)
*Sep 30 20:56:04.767: ISAKMP:(0): PKI->IKE Started PKI Session state (I) MM_NO_STATE (peer 130.130.130.1)
*Sep 30 20:56:04.767: ISAKMP:(0):Returning Actual lifetime: 86400
*Sep 30 20:56:04.771: ISAKMP:(0)::Started lifetime timer: 86400.
*Sep 30 20:56:04.771: ISAKMP:(0): processing vendor id payload
*Sep 30 20:56:04.771: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Sep 30 20:56:04.771: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep 30 20:56:04.771: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 30 20:56:04.771: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Sep 30 20:56:04.771: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_SA_SETUP (peer 130.130.130.1)
*Sep 30 20:56:04.771: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_SA_SETUP (peer 130.130.130.1)
*Sep 30 20:56:04.775: ISAKMP:(0): IKE->PKI Get IssuerNames state (I) MM_SA_SETUP (peer 130.130.130.1)
*Sep 30 20:56:04.779: ISAKMP:(0): PKI->IKE Got IssuerNames state (I) MM_SA_SETUP (peer 130.130.130.1)
*Sep 30 20:56:04.783: ISAKMP (0): constructing CERT_REQ for issuer cn=ekiosk-dc-CASVR-CA,dc=ekiosk-dc,dc=local
*Sep 30 20:56:04.783: ISAKMP:(0): sending packet to 130.130.130.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Sep 30 20:56:04.783: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 30 20:56:04.783: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 30 20:56:04.783: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Sep 30 20:56:04.863: ISAKMP (0): received packet from 130.130.130.1 dport 500 sport 500 Global (I) MM_SA_SETUP
*Sep 30 20:56:04.863: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 30 20:56:04.863: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Sep 30 20:56:04.863: ISAKMP:(0): processing KE payload. message ID = 0
*Sep 30 20:56:04.899: ISAKMP:(0): processing NONCE payload. message ID = 0
*Sep 30 20:56:04.903: ISAKMP:(1023): processing vendor id payload
*Sep 30 20:56:04.903: ISAKMP:(1023): vendor ID is Unity
*Sep 30 20:56:04.903: ISAKMP:(1023): processing vendor id payload
*Sep 30 20:56:04.903: ISAKMP:(1023): vendor ID is DPD
*Sep 30 20:56:04.903: ISAKMP:(1023): processing vendor id payload
*Sep 30 20:56:04.903: ISAKMP:(1023): speaking to another IOS box!
*Sep 30 20:56:04.903: ISAKMP:received payload type 20
*Sep 30 20:56:04.903: ISAKMP (1023): His hash no match - this node outside NAT
*Sep 30 20:56:04.903: ISAKMP:received payload type 20
*Sep 30 20:56:04.903: ISAKMP (1023): No NAT Found for self or peer
*Sep 30 20:56:04.903: ISAKMP:(1023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 30 20:56:04.903: ISAKMP:(1023):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Sep 30 20:56:04.903: ISAKMP:(1023):Send initial contact
*Sep 30 20:56:04.903: ISAKMP:(1023): processing CERT_REQ payload.
*Sep 30 20:56:04.903: ISAKMP:(1023): peer wants a CT_X509_SIGNATURE cert
*Sep 30 20:56:04.903: ISAKMP:(1023): peer wants cert issued by cn=ekiosk-dc-CASVR-CA,dc=ekiosk-dc,dc=local
*Sep 30 20:56:04.907: Choosing trustpoint dmvpn-ca as issuer
*Sep 30 20:56:04.907: ISAKMP:(1023): IKE->PKI Get self CertificateChain state (I) MM_KEY_EXCH (peer 130.130.130.1)
*Sep 30 20:56:04.907: ISAKMP:(1023): PKI->IKE Got self CertificateChain state (I) MM_KEY_EXCH (peer 130.130.130.1)
*Sep 30 20:56:04.907: ISAKMP:(1023): IKE->PKI Get SubjectName state (I) MM_KEY_EXCH (peer 130.130.130.1)
*Sep 30 20:56:04.919: ISAKMP:(1023): PKI->IKE Got SubjectName state (I) MM_KEY_EXCH (peer 130.130.130.1)
*Sep 30 20:56:04.919: ISAKMP:(1023):My ID configured as IPv4 Addr, but Addr not in Cert!
*Sep 30 20:56:04.919: ISAKMP:(1023):Using FQDN as My ID
*Sep 30 20:56:04.919: ISAKMP:(1023):SA is doing RSA signature authentication using id type ID_FQDN
*Sep 30 20:56:04.919: ISAKMP (1023): ID payload
    next-payload : 6
    type : 2
    FQDN name : Cbtme-Hub
    protocol : 17
    port : 500
    length : 17
*Sep 30 20:56:04.923: ISAKMP:(1023):Total payload length: 17
*Sep 30 20:56:04.923: ISAKMP:(1023): IKE->PKI Get CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 130.130.130.1)
*Sep 30 20:56:04.927: ISAKMP:(1023): PKI->IKE Got CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 130.130.130.1)
*Sep 30 20:56:04.931: ISAKMP (1023): constructing CERT payload for cn=cbtme-hub.ekiosk-dc-CASVR-CA
*Sep 30 20:56:04.931: ISKAMP: growing send buffer from 1024 to 3072
*Sep 30 20:56:04.931: ISAKMP:(1023): using the dmvpn-ca trustpoint's keypair to sign
*Sep 30 20:56:05.343: ISAKMP:(1023): sending packet to 130.130.130.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Sep 30 20:56:05.343: ISAKMP:(1023):Sending an IKE IPv4 Packet.
*Sep 30 20:56:05.343: ISAKMP:(1023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 30 20:56:05.343: ISAKMP:(1023):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Sep 30 20:56:05.463: ISAKMP (1021): received packet from 130.130.130.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Sep 30 20:56:05.463: ISAKMP (1022): received packet from 120.120.120.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Sep 30 20:56:05.907: ISAKMP (1023): received packet from 130.130.130.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Sep 30 20:56:05.907: ISAKMP:(1023): processing ID payload. message ID = 0
*Sep 30 20:56:05.911: ISAKMP (1023): ID payload
    next-payload : 6
    type : 2
    FQDN name : Cbtme-Spoke2
    protocol : 17
    port : 500
    length : 20
*Sep 30 20:56:05.911: ISAKMP:(1023): processing CERT payload. message ID = 0
*Sep 30 20:56:05.911: ISAKMP:(1023): processing a CT_X509_SIGNATURE cert
*Sep 30 20:56:05.911: ISAKMP:(1023): IKE->PKI Add peer's certificate state (I) MM_KEY_EXCH (peer 130.130.130.1)
*Sep 30 20:56:05.915: ISAKMP:(1023): PKI->IKE Added peer's certificate state (I) MM_KEY_EXCH (peer 130.130.130.1)
*Sep 30 20:56:05.915: ISAKMP:(1023): IKE->PKI Get PeerCertificateChain state (I) MM_KEY_EXCH (peer 130.130.130.1)
*Sep 30 20:56:05.915: ISAKMP:(1023): PKI->IKE Got PeerCertificateChain state (I) MM_KEY_EXCH (peer 130.130.130.1)
*Sep 30 20:56:05.915: ISAKMP:(1023): peer's pubkey isn't cached
*Sep 30 20:56:05.923: ISAKMP:(0):Unable to match the certificate map configured in the profile
*Sep 30 20:56:05.923: ISAKMP (1023): FSM action returned error: 2
*Sep 30 20:56:05.923: ISAKMP:(1023):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 30 20:56:05.923: ISAKMP:(1023):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Sep 30 20:56:05.923: ISAKMP:(1023):peer does not do paranoid keepalives.
*Sep 30 20:56:05.923: ISAKMP:(1023):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 130.130.130.1)
*Sep 30 20:56:05.923: ISAKMP:(1023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 30 20:56:05.923: ISAKMP:(1023):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Sep 30 20:56:05.923: ISAKMP:(1023):peer does not do paranoid keepalives.
*Sep 30 20:56:05.923: ISAKMP (1023): FSM action returned error: 2
*Sep 30 20:56:05.923: ISAKMP:(1023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*Sep 30 20:56:05.923: ISAKMP:(1023):Old State = IKE_I_MM6 New State = IKE_I_MM5
*Sep 30 20:56:05.923: ISAKMP:(1023):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 130.130.130.1)
*Sep 30 20:56:05.923: ISAKMP: Unlocking peer struct 0x682233E4 for isadb_mark_sa_deleted(), count 0
*Sep 30 20:56:05.927: ISAKMP: Deleting peer node by peer_reap for 130.130.130.1: 682233E4
*Sep 30 20:56:05.931: ISAKMP:(1023):deleting node 1918259647 error FALSE reason "IKE deleted"
*Sep 30 20:56:05.931: ISAKMP:(1023): IKE->PKI End PKI Session state (I) MM_NO_STATE (peer 130.130.130.1)
*Sep 30 20:56:05.935: ISAKMP:(1023): PKI->IKE Ended PKI Session state (I) MM_NO_STATE (peer 130.130.130.1)
*Sep 30 20:56:05.935: ISAKMP:(1023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Sep 30 20:56:05.935: ISAKMP:(1023):Old State = IKE_I_MM5 New State = IKE_DEST_SA
*Sep 30 20:56:08.815: ISAKMP:(1020):purging SA., sa=68DE1B78, delme=68DE1B78
*Sep 30 20:56:12.547: ISAKMP (1023): received packet from 130.130.130.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Sep 30 20:56:15.471: ISAKMP (1022): received packet from 120.120.120.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Sep 30 20:56:15.483: ISAKMP (1022): received packet from 120.120.120.1 dport 500 sport 500 Global (I) MM_NO_STATE
Cbtme-Hub#
*Sep 30 20:56:19.011: ISAKMP:(0): SA request profile is dmvpn1
*Sep 30 20:56:19.011: ISAKMP: Created a peer struct for 120.120.120.1, peer port 500
*Sep 30 20:56:19.015: ISAKMP: New peer created peer = 0x682233E4 peer_handle = 0x80000021
*Sep 30 20:56:19.015: ISAKMP: Locking peer struct 0x682233E4, refcount 1 for isakmp_initiator
*Sep 30 20:56:19.015: ISAKMP: local port 500, remote port 500
*Sep 30 20:56:19.019: ISAKMP: set new node 0 to QM_IDLE
*Sep 30 20:56:19.019: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 68DE1B78
*Sep 30 20:56:19.023: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Sep 30 20:56:19.023: ISAKMP:(0):Profile has no keyring, aborting key search
*Sep 30 20:56:19.027: ISAKMP:(0):Profile has no keyring, aborting host key search
*Sep 30 20:56:19.027: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 120.120.120.1)
*Sep 30 20:56:19.031: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 120.120.120.1)
*Sep 30 20:56:19.035: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Sep 30 20:56:19.035: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Sep 30 20:56:19.039: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Sep 30 20:56:19.039: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Sep 30 20:56:19.039: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Sep 30 20:56:19.043: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Sep 30 20:56:19.043: ISAKMP:(0): beginning Main Mode exchange
*Sep 30 20:56:19.047: ISAKMP:(0): sending packet to 120.120.120.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 30 20:56:19.047: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 30 20:56:19.123: ISAKMP (0): received packet from 120.120.120.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Sep 30 20:56:19.127: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 30 20:56:19.127: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Sep 30 20:56:19.139: ISAKMP:(0): processing SA payload. message ID = 0
*Sep 30 20:56:19.139: ISAKMP:(0): processing vendor id payload
*Sep 30 20:56:19.139: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Sep 30 20:56:19.143: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep 30 20:56:19.143: ISAKMP : Looking for xauth in profile dmvpn1
*Sep 30 20:56:19.143: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 120.120.120.1)
*Sep 30 20:56:19.143: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 120.120.120.1)
*Sep 30 20:56:19.143: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Sep 30 20:56:19.143: ISAKMP: encryption AES-CBC
*Sep 30 20:56:19.143: ISAKMP: keylength of 256
*Sep 30 20:56:19.143: ISAKMP: hash SHA256
*Sep 30 20:56:19.143: ISAKMP: default group 2
*Sep 30 20:56:19.143: ISAKMP: auth RSA sig
*Sep 30 20:56:19.143: ISAKMP: life type in seconds
*Sep 30 20:56:19.143: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Sep 30 20:56:19.143: ISAKMP:(0):atts are acceptable. Next payload is 0
*Sep 30 20:56:19.143: ISAKMP:(0):Acceptable atts:actual life: 0
*Sep 30 20:56:19.143: ISAKMP:(0):Acceptable atts:life: 0
*Sep 30 20:56:19.143: ISAKMP:(0):Fill atts in sa vpi_length:4
*Sep 30 20:56:19.143: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Sep 30 20:56:19.143: ISAKMP:(0): IKE->PKI Start PKI Session state (I) MM_NO_STATE (peer 120.120.120.1)
*Sep 30 20:56:19.143: ISAKMP:(0): PKI->IKE Started PKI Session state (I) MM_NO_STATE (peer 120.120.120.1)
*Sep 30 20:56:19.143: ISAKMP:(0):Returning Actual lifetime: 86400
*Sep 30 20:56:19.143: ISAKMP:(0)::Started lifetime timer: 86400.
*Sep 30 20:56:19.147: ISAKMP:(0): processing vendor id payload
*Sep 30 20:56:19.147: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Sep 30 20:56:19.147: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep 30 20:56:19.147: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 30 20:56:19.147: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Sep 30 20:56:19.147: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_SA_SETUP (peer 120.120.120.1)
*Sep 30 20:56:19.151: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_SA_SETUP (peer 120.120.120.1)
*Sep 30 20:56:19.151: ISAKMP:(0): IKE->PKI Get IssuerNames state (I) MM_SA_SETUP (peer 120.120.120.1)
*Sep 30 20:56:19.151: ISAKMP:(0): PKI->IKE Got IssuerNames state (I) MM_SA_SETUP (peer 120.120.120.1)
*Sep 30 20:56:19.159: ISAKMP (0): constructing CERT_REQ for issuer cn=ekiosk-dc-CASVR-CA,dc=ekiosk-dc,dc=local
*Sep 30 20:56:19.159: ISAKMP:(0): sending packet to 120.120.120.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Sep 30 20:56:19.163: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 30 20:56:19.163: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 30 20:56:19.163: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Sep 30 20:56:19.247: ISAKMP (0): received packet from 120.120.120.1 dport 500 sport 500 Global (I) MM_SA_SETUP
*Sep 30 20:56:19.247: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 30 20:56:19.247: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Sep 30 20:56:19.247: ISAKMP:(0): processing KE payload. message ID = 0
*Sep 30 20:56:19.291: ISAKMP:(0): processing NONCE payload. message ID = 0
*Sep 30 20:56:19.295: ISAKMP:(1024): processing vendor id payload
*Sep 30 20:56:19.295: ISAKMP:(1024): vendor ID is Unity
*Sep 30 20:56:19.299: ISAKMP:(1024): processing vendor id payload
*Sep 30 20:56:19.299: ISAKMP:(1024): vendor ID is DPD
*Sep 30 20:56:19.299: ISAKMP:(1024): processing vendor id payload
*Sep 30 20:56:19.299: ISAKMP:(1024): speaking to another IOS box!
*Sep 30 20:56:19.299: ISAKMP:received payload type 20
*Sep 30 20:56:19.299: ISAKMP (1024): His hash no match - this node outside NAT
*Sep 30 20:56:19.299: ISAKMP:received payload type 20
*Sep 30 20:56:19.299: ISAKMP (1024): No NAT Found for self or peer
*Sep 30 20:56:19.299: ISAKMP:(1024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 30 20:56:19.299: ISAKMP:(1024):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Sep 30 20:56:19.299: ISAKMP:(1024):Send initial contact
*Sep 30 20:56:19.299: ISAKMP:(1024): processing CERT_REQ payload.
*Sep 30 20:56:19.299: ISAKMP:(1024): peer wants a CT_X509_SIGNATURE cert
*Sep 30 20:56:19.299: ISAKMP:(1024): peer wants cert issued by cn=ekiosk-dc-CASVR-CA,dc=ekiosk-dc,dc=local
*Sep 30 20:56:19.303: Choosing trustpoint dmvpn-ca as issuer
*Sep 30 20:56:19.303: ISAKMP:(1024): IKE->PKI Get self CertificateChain state (I) MM_KEY_EXCH (peer 120.120.120.1)
*Sep 30 20:56:19.303: ISAKMP:(1024): PKI->IKE Got self CertificateChain state (I) MM_KEY_EXCH (peer 120.120.120.1)
*Sep 30 20:56:19.303: ISAKMP:(1024): IKE->PKI Get SubjectName state (I) MM_KEY_EXCH (peer 120.120.120.1)
*Sep 30 20:56:19.319: ISAKMP:(1024): PKI->IKE Got SubjectName state (I) MM_KEY_EXCH (peer 120.120.120.1)
*Sep 30 20:56:19.319: ISAKMP:(1024):My ID configured as IPv4 Addr, but Addr not in Cert!
*Sep 30 20:56:19.319: ISAKMP:(1024):Using FQDN as My ID *Sep 30 20:56:19.319: ISAKMP:(1024):SA is doing RSA signature authentication using id type ID_FQDN *Sep 30 20:56:19.319: ISAKMP (1024): ID payload next-payload : 6 type : 2 FQDN name : Cbtme-Hub protocol : 17 port : 500 length : 17 *Sep 30 20:56:19.319: ISAKMP:(1024):Total payload length: 17 *Sep 30 20:56:19.319: ISAKMP:(1024): IKE->PKI Get CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 120.120.120.1) *Sep 30 20:56:19.323: ISAKMP:(1024): PKI->IKE Got CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 120.120.120.1) *Sep 30 20:56:19.327: ISAKMP (1024): constructing CERT payload for cn=cbtme-hub.ekiosk-dc-CASVR-CA *Sep 30 20:56:19.327: ISKAMP: growing send buffer from 1024 to 3072 *Sep 30 20:56:19.327: ISAKMP:(1024): using the dmvpn-ca trustpoint Cbtme-Hub#'s keypair to sign *Sep 30 20:56:19.831: ISAKMP:(1024): sending packet to 120.120.120.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH *Sep 30 20:56:19.831: ISAKMP:(1024):Sending an IKE IPv4 Packet. *Sep 30 20:56:19.831: ISAKMP:(1024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Sep 30 20:56:19.831: ISAKMP:(1024):Old State = IKE_I_MM4 New State = IKE_I_MM5 *Sep 30 20:56:20.107: ISAKMP (1022): received packet from 120.120.120.1 dport 500 sport 500 Global (I) MM_NO_STATE *Sep 30 20:56:20.563: ISAKMP (1024): received packet from 120.120.120.1 dport 500 sport 500 Global (I) MM_KEY_EXCH *Sep 30 20:56:20.571: ISAKMP:(1024): processing ID payload. message ID = 0 *Sep 30 20:56:20.571: ISAKMP (1024): ID payload next-payload : 6 type : 2 FQDN name : Cbtme-Spoke1 protocol : 17 port : 500 length : 20 *Sep 30 20:56:20.575: ISAKMP:(1024): processing CERT payload. 
message ID = 0 *Sep 30 20:56:20.579: ISAKMP:(1024): processing a CT_X509_SIGNA Cbtme-Hub#TURE cert *Sep 30 20:56:20.579: ISAKMP:(1024): IKE->PKI Add peer's certificate state (I) MM_KEY_EXCH (peer 120.120.120.1) *Sep 30 20:56:20.647: ISAKMP:(1024): PKI->IKE Added peer's certificate state (I) MM_KEY_EXCH (peer 120.120.120.1) *Sep 30 20:56:20.647: ISAKMP:(1024): IKE->PKI Get PeerCertificateChain state (I) MM_KEY_EXCH (peer 120.120.120.1) *Sep 30 20:56:20.647: ISAKMP:(1024): PKI->IKE Got PeerCertificateChain state (I) MM_KEY_EXCH (peer 120.120.120.1) *Sep 30 20:56:20.647: ISAKMP:(1024): peer's pubkey isn't cached *Sep 30 20:56:20.655: ISAKMP:(0):Unable to match the certificate map configured in the profile *Sep 30 20:56:20.655: ISAKMP (1024): FSM action returned error: 2 *Sep 30 20:56:20.659: ISAKMP:(1024):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Sep 30 20:56:20.659: ISAKMP:(1024):Old State = IKE_I_MM5 New State = IKE_I_MM6 *Sep 30 20:56:20.659: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 120.120.120.1 *Sep 30 20:56:20.659: ISAKMP:( Cbtme-Hub#1024):peer does not do paranoid keepalives. *Sep 30 20:56:20.659: ISAKMP:(1024):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 120.120.120.1) *Sep 30 20:56:20.659: ISAKMP:(1024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE *Sep 30 20:56:20.659: ISAKMP:(1024):Old State = IKE_I_MM6 New State = IKE_I_MM6 *Sep 30 20:56:20.659: ISAKMP:(1024):peer does not do paranoid keepalives. 
*Sep 30 20:56:20.659: ISAKMP (1024): FSM action returned error: 2 *Sep 30 20:56:20.659: ISAKMP:(1024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR *Sep 30 20:56:20.659: ISAKMP:(1024):Old State = IKE_I_MM6 New State = IKE_I_MM5 *Sep 30 20:56:20.663: ISAKMP:(1024):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 120.120.120.1) *Sep 30 20:56:20.663: ISAKMP: Unlocking peer struct 0x682233E4 for isadb_mark_sa_deleted(), count 0 *Sep 30 20:56:20.667: ISAKMP: Deleting peer node by peer_reap for 120.120.120.1: 682233E4 *Sep 30 20:56:20.671: ISAKMP:(1024) Cbtme-Hub#:deleting node -976873711 error FALSE reason "IKE deleted" *Sep 30 20:56:20.675: ISAKMP:(1024): IKE->PKI End PKI Session state (I) MM_NO_STATE (peer 120.120.120.1) *Sep 30 20:56:20.687: ISAKMP:(1024): PKI->IKE Ended PKI Session state (I) MM_NO_STATE (peer 120.120.120.1) *Sep 30 20:56:20.687: ISAKMP:(1024):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL *Sep 30 20:56:20.691: ISAKMP:(1024):Old State = IKE_I_MM5 New State = IKE_DEST_SA *Sep 30 20:56:20.967: ISAKMP:(1021):purging node 1742021388 *Sep 30 20:56:22.559: ISAKMP (1023): received packet from 130.130.130.1 dport 500 sport 500 Global (I) MM_NO_STATE *Sep 30 20:56:29.303: ISAKMP:(1022):purging node -1956572464 Cbtme-Hub# *Sep 30 20:56:30.967: ISAKMP:(1021):purging SA., sa=6823BF8C, delme=6823BF8C Cbtme-Hub# *Sep 30 20:56:32.563: ISAKMP (1023): received packet from 130.130.130.1 dport 500 sport 500 Global (I) MM_NO_STATE Cbtme-Hub# *Sep 30 20:56:34.619: ISAKMP:(0): SA request profile is dmvpn1 *Sep 30 20:56:34.619: ISAKMP: Created a peer struct for 130.130.130.1, peer port 500 *Sep 30 20:56:34.619: ISAKMP: New peer created peer = 0x682233E4 peer_handle = 0x8000001E *Sep 30 20:56:34.619: ISAKMP: Locking peer struct 0x682233E4, refcount 1 for isakmp_initiator *Sep 30 20:56:34.619: ISAKMP: local port 500, remote port 500 *Sep 30 20:56:34.619: ISAKMP: set new node 0 to QM_IDLE *Sep 30 20:56:34.623: ISAKMP: Find a dup sa in the avl tree during calling 
isadb_insert sa = 67ADCFA4 *Sep 30 20:56:34.623: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. *Sep 30 20:56:34.623: ISAKMP:(0):Profile has no keyring, aborting key search *Sep 30 20:56:34.623: ISAKMP:(0):Profile has no keyring, aborting host key search *Sep 30 20:56:34.623: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 130.130.130.1) *Sep 30 20:56:34.623: ISAKMP:(0): PKI->IKE Got configured TrustPoints stat Cbtme-Hub#e (I) MM_NO_STATE (peer 130.130.130.1) *Sep 30 20:56:34.627: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID *Sep 30 20:56:34.627: ISAKMP:(0): constructed NAT-T vendor-07 ID *Sep 30 20:56:34.627: ISAKMP:(0): constructed NAT-T vendor-03 ID *Sep 30 20:56:34.627: ISAKMP:(0): constructed NAT-T vendor-02 ID *Sep 30 20:56:34.631: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM *Sep 30 20:56:34.631: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1 *Sep 30 20:56:34.631: ISAKMP:(0): beginning Main Mode exchange *Sep 30 20:56:34.631: ISAKMP:(0): sending packet to 130.130.130.1 my_port 500 peer_port 500 (I) MM_NO_STATE *Sep 30 20:56:34.631: ISAKMP:(0):Sending an IKE IPv4 Packet. *Sep 30 20:56:34.687: ISAKMP (0): received packet from 130.130.130.1 dport 500 sport 500 Global (I) MM_NO_STATE *Sep 30 20:56:34.687: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Sep 30 20:56:34.691: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2 *Sep 30 20:56:34.691: ISAKM Cbtme-Hub#P:(0): processing SA payload. 
message ID = 0 *Sep 30 20:56:34.691: ISAKMP:(0): processing vendor id payload *Sep 30 20:56:34.691: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch *Sep 30 20:56:34.691: ISAKMP (0): vendor ID is NAT-T RFC 3947 *Sep 30 20:56:34.691: ISAKMP : Looking for xauth in profile dmvpn1 *Sep 30 20:56:34.695: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 130.130.130.1) *Sep 30 20:56:34.695: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 130.130.130.1) *Sep 30 20:56:34.695: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy *Sep 30 20:56:34.695: ISAKMP: encryption AES-CBC *Sep 30 20:56:34.695: ISAKMP: keylength of 256 *Sep 30 20:56:34.695: ISAKMP: hash SHA256 *Sep 30 20:56:34.695: ISAKMP: default group 2 *Sep 30 20:56:34.695: ISAKMP: auth RSA sig *Sep 30 20:56:34.695: ISAKMP: life type in seconds *Sep 30 20:56:34.695: ISAKMP: life dura Cbtme-Hub#tion (VPI) of 0x0 0x1 0x51 0x80 *Sep 30 20:56:34.695: ISAKMP:(0):atts are acceptable. Next payload is 0 *Sep 30 20:56:34.695: ISAKMP:(0):Acceptable atts:actual life: 0 *Sep 30 20:56:34.695: ISAKMP:(0):Acceptable atts:life: 0 *Sep 30 20:56:34.695: ISAKMP:(0):Fill atts in sa vpi_length:4 *Sep 30 20:56:34.695: ISAKMP:(0):Fill atts in sa life_in_seconds:86400 *Sep 30 20:56:34.695: ISAKMP:(0): IKE->PKI Start PKI Session state (I) MM_NO_STATE (peer 130.130.130.1) *Sep 30 20:56:34.695: ISAKMP:(0): PKI->IKE Started PKI Session state (I) MM_NO_STATE (peer 130.130.130.1) *Sep 30 20:56:34.695: ISAKMP:(0):Returning Actual lifetime: 86400 *Sep 30 20:56:34.695: ISAKMP:(0)::Started lifetime timer: 86400. 
*Sep 30 20:56:34.695: ISAKMP:(0): processing vendor id payload *Sep 30 20:56:34.699: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch *Sep 30 20:56:34.699: ISAKMP (0): vendor ID is NAT-T RFC 3947 *Sep 30 20:56:34.699: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN Cbtme-Hub#_MODE *Sep 30 20:56:34.699: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2 *Sep 30 20:56:34.699: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_SA_SETUP (peer 130.130.130.1) *Sep 30 20:56:34.699: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_SA_SETUP (peer 130.130.130.1) *Sep 30 20:56:34.699: ISAKMP:(0): IKE->PKI Get IssuerNames state (I) MM_SA_SETUP (peer 130.130.130.1) *Sep 30 20:56:34.703: ISAKMP:(0): PKI->IKE Got IssuerNames state (I) MM_SA_SETUP (peer 130.130.130.1) *Sep 30 20:56:34.707: ISAKMP (0): constructing CERT_REQ for issuer cn=ekiosk-dc-CASVR-CA,dc=ekiosk-dc,dc=local *Sep 30 20:56:34.707: ISAKMP:(0): sending packet to 130.130.130.1 my_port 500 peer_port 500 (I) MM_SA_SETUP *Sep 30 20:56:34.707: ISAKMP:(0):Sending an IKE IPv4 Packet. *Sep 30 20:56:34.707: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Sep 30 20:56:34.707: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3 *Sep 30 20:56:34.783: ISAKMP Cbtme-Hub#(0): received packet from 130.130.130.1 dport 500 sport 500 Global (I) MM_SA_SETUP *Sep 30 20:56:34.783: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Sep 30 20:56:34.787: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4 *Sep 30 20:56:34.787: ISAKMP:(0): processing KE payload. message ID = 0 *Sep 30 20:56:34.823: ISAKMP:(0): processing NONCE payload. 
message ID = 0 *Sep 30 20:56:34.827: ISAKMP:(1025): processing vendor id payload *Sep 30 20:56:34.827: ISAKMP:(1025): vendor ID is Unity *Sep 30 20:56:34.827: ISAKMP:(1025): processing vendor id payload *Sep 30 20:56:34.827: ISAKMP:(1025): vendor ID is DPD *Sep 30 20:56:34.827: ISAKMP:(1025): processing vendor id payload *Sep 30 20:56:34.827: ISAKMP:(1025): speaking to another IOS box! *Sep 30 20:56:34.827: ISAKMP:received payload type 20 *Sep 30 20:56:34.827: ISAKMP (1025): His hash no match - this node outside NAT *Sep 30 20:56:34.827: ISAKMP:received payload type 20 *Sep 30 20:56:34.827: ISAKMP (1025): No Cbtme-Hub#NAT Found for self or peer *Sep 30 20:56:34.827: ISAKMP:(1025):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE *Sep 30 20:56:34.827: ISAKMP:(1025):Old State = IKE_I_MM4 New State = IKE_I_MM4 *Sep 30 20:56:34.831: ISAKMP:(1025):Send initial contact *Sep 30 20:56:34.831: ISAKMP:(1025): processing CERT_REQ payload. *Sep 30 20:56:34.831: ISAKMP:(1025): peer wants a CT_X509_SIGNATURE cert *Sep 30 20:56:34.831: ISAKMP:(1025): peer wants cert issued by cn=ekiosk-dc-CASVR-CA,dc=ekiosk-dc,dc=local *Sep 30 20:56:34.831: Choosing trustpoint dmvpn-ca as issuer *Sep 30 20:56:34.831: ISAKMP:(1025): IKE->PKI Get self CertificateChain state (I) MM_KEY_EXCH (peer 130.130.130.1) *Sep 30 20:56:34.831: ISAKMP:(1025): PKI->IKE Got self CertificateChain state (I) MM_KEY_EXCH (peer 130.130.130.1) *Sep 30 20:56:34.831: ISAKMP:(1025): IKE->PKI Get SubjectName state (I) MM_KEY_EXCH (peer 130.130.130.1) *Sep 30 20:56:34.839: ISAKMP:(1025): PKI->IKE Got SubjectName state (I) MM_KEY_EXCH (peer 1 Cbtme-Hub#30.130.130.1) *Sep 30 20:56:34.839: ISAKMP:(1025):My ID configured as IPv4 Addr, but Addr not in Cert! 
*Sep 30 20:56:34.839: ISAKMP:(1025):Using FQDN as My ID *Sep 30 20:56:34.839: ISAKMP:(1025):SA is doing RSA signature authentication using id type ID_FQDN *Sep 30 20:56:34.839: ISAKMP (1025): ID payload next-payload : 6 type : 2 FQDN name : Cbtme-Hub protocol : 17 port : 500 length : 17 *Sep 30 20:56:34.839: ISAKMP:(1025):Total payload length: 17 *Sep 30 20:56:34.839: ISAKMP:(1025): IKE->PKI Get CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 130.130.130.1) *Sep 30 20:56:34.847: ISAKMP:(1025): PKI->IKE Got CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 130.130.130.1) *Sep 30 20:56:34.851: ISAKMP (1025): constructing CERT payload for cn=cbtme-hub.ekiosk-dc-CASVR-CA *Sep 30 20:56:34.851: ISKAMP: growing send buffer from 1024 to 3072 *Sep 30 20:56:34.855: ISAKMP:(1025): using the dmvpn-ca trustpoint Cbtme-Hub#'s keypair to sign *Sep 30 20:56:35.403: ISAKMP:(1025): sending packet to 130.130.130.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH *Sep 30 20:56:35.403: ISAKMP:(1025):Sending an IKE IPv4 Packet. *Sep 30 20:56:35.407: ISAKMP:(1025):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Sep 30 20:56:35.411: ISAKMP:(1025):Old State = IKE_I_MM4 New State = IKE_I_MM5 *Sep 30 20:56:35.703: ISAKMP (1023): received packet from 130.130.130.1 dport 500 sport 500 Global (I) MM_NO_STATE *Sep 30 20:56:36.127: ISAKMP (1025): received packet from 130.130.130.1 dport 500 sport 500 Global (I) MM_KEY_EXCH *Sep 30 20:56:36.131: ISAKMP:(1025): processing ID payload. message ID = 0 *Sep 30 20:56:36.131: ISAKMP (1025): ID payload next-payload : 6 type : 2 FQDN name : Cbtme-Spoke2 protocol : 17 port : 500 length : 20 *Sep 30 20:56:36.135: ISAKMP:(1025): processing CERT payload. 
message ID = 0 *Sep 30 20:56:36.135: ISAKMP:(1025): processing a CT_X509_SIGNA Cbtme-Hub#TURE cert *Sep 30 20:56:36.135: ISAKMP:(1025): IKE->PKI Add peer's certificate state (I) MM_KEY_EXCH (peer 130.130.130.1) *Sep 30 20:56:36.151: ISAKMP:(1025): PKI->IKE Added peer's certificate state (I) MM_KEY_EXCH (peer 130.130.130.1) *Sep 30 20:56:36.155: ISAKMP:(1025): IKE->PKI Get PeerCertificateChain state (I) MM_KEY_EXCH (peer 130.130.130.1) *Sep 30 20:56:36.155: ISAKMP:(1025): PKI->IKE Got PeerCertificateChain state (I) MM_KEY_EXCH (peer 130.130.130.1) *Sep 30 20:56:36.155: ISAKMP:(1025): peer's pubkey isn't cached *Sep 30 20:56:36.167: ISAKMP:(0):Unable to match the certificate map configured in the profile *Sep 30 20:56:36.167: ISAKMP (1025): FSM action returned error: 2 *Sep 30 20:56:36.167: ISAKMP:(1025):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Sep 30 20:56:36.171: ISAKMP:(1025):Old State = IKE_I_MM5 New State = IKE_I_MM6 *Sep 30 20:56:36.171: ISAKMP:(1025):peer does not do paranoid keepalives. *Sep 30 20:56:36.171: ISAKMP:(1025):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 130.130.130.1) *Sep 30 20:56:36.171: ISAKMP:(1025):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE *Sep 30 20:56:36.171: ISAKMP:(1025):Old State = IKE_I_MM6 New State = IKE_I_MM6 *Sep 30 20:56:36.171: ISAKMP:(1025):peer does not do paranoid keepalives. 
*Sep 30 20:56:36.175: ISAKMP (1025): FSM action returned error: 2 *Sep 3 Cbtme-Hub#0 20:56:36.175: ISAKMP:(1025):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR *Sep 30 20:56:36.175: ISAKMP:(1025):Old State = IKE_I_MM6 New State = IKE_I_MM5 *Sep 30 20:56:36.175: ISAKMP:(1025):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 130.130.130.1) *Sep 30 20:56:36.175: ISAKMP: Unlocking peer struct 0x682233E4 for isadb_mark_sa_deleted(), count 0 *Sep 30 20:56:36.175: ISAKMP: Deleting peer node by peer_reap for 130.130.130.1: 682233E4 *Sep 30 20:56:36.179: ISAKMP:(1025):deleting node -157347066 error FALSE reason "IKE deleted" *Sep 30 20:56:36.183: ISAKMP:(1025): IKE->PKI End PKI Session state (I) MM_NO_STATE (peer 130.130.130.1) *Sep 30 20:56:36.187: ISAKMP:(1025): PKI->IKE Ended PKI Session state (I) MM_NO_STATE (peer 130.130.130.1) *Sep 30 20:56:36.187: ISAKMP:(1025):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL *Sep 30 20:56:36.187: ISAKMP:(1025):Old State = IKE_I_MM5 New State = IKE_DEST_SA *Sep 30 20:56:39.303: ISAKMP:(1022):purging SA., Cbtme-Hub#sa=67ADC030, delme=67ADC030 *Sep 30 20:56:42.547: ISAKMP (1025): received packet from 130.130.130.1 dport 500 sport 500 Global (I) MM_NO_STATE Cbtme-Hub# *Sep 30 20:56:46.911: ISAKMP (1024): received packet from 120.120.120.1 dport 500 sport 500 Global (I) MM_NO_STATE Cbtme-Hub# *Sep 30 20:56:48.999: ISAKMP:(0): SA request profile is dmvpn1 *Sep 30 20:56:48.999: ISAKMP: Created a peer struct for 120.120.120.1, peer port 500 *Sep 30 20:56:49.003: ISAKMP: New peer created peer = 0x682233E4 peer_handle = 0x80000024 *Sep 30 20:56:49.003: ISAKMP: Locking peer struct 0x682233E4, refcount 1 for isakmp_initiator *Sep 30 20:56:49.003: ISAKMP: local port 500, remote port 500 *Sep 30 20:56:49.003: ISAKMP: set new node 0 to QM_IDLE *Sep 30 20:56:49.003: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 67ADF22C *Sep 30 20:56:49.003: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. 
*Sep 30 20:56:49.003: ISAKMP:(0):Profile has no keyring, aborting key search *Sep 30 20:56:49.007: ISAKMP:(0):Profile has no keyring, aborting host key search *Sep 30 20:56:49.007: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 120.120.120.1) *Sep 30 20:56:49.007: ISAKMP:(0): PKI->IKE Got configured TrustPoints stat Cbtme-Hub#debug crypto isakmp e (I) MM_NO_STATE (peer 120.120.120.1) *Sep 30 20:56:49.007: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID *Sep 30 20:56:49.007: ISAKMP:(0): constructed NAT-T vendor-07 ID *Sep 30 20:56:49.007: ISAKMP:(0): constructed NAT-T vendor-03 ID *Sep 30 20:56:49.007: ISAKMP:(0): constructed NAT-T vendor-02 ID *Sep 30 20:56:49.007: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM *Sep 30 20:56:49.007: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1 *Sep 30 20:56:49.007: ISAKMP:(0): beginning Main Mode exchange *Sep 30 20:56:49.011: ISAKMP:(0): sending packet to 120.120.120.1 my_port 500 peer_port 500 (I) MM_NO_STATE *Sep 30 20:56:49.011: ISAKMP:(0):Sending an IKE IPv4 Packet. *Sep 30 20:56:49.035: ISAKMP (0): received packet from 120.120.120.1 dport 500 sport 500 Global (I) MM_NO_STATE *Sep 30 20:56:49.035: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Sep 30 20:56:49.035: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2 *Sep 30 20:56:49.035: ISAKM Cbtme-Hub#debug crypto isakmp P:(0): processing SA payload. 
message ID = 0 *Sep 30 20:56:49.035: ISAKMP:(0): processing vendor id payload *Sep 30 20:56:49.039: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch *Sep 30 20:56:49.039: ISAKMP (0): vendor ID is NAT-T RFC 3947 *Sep 30 20:56:49.039: ISAKMP : Looking for xauth in profile dmvpn1 *Sep 30 20:56:49.043: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 120.120.120.1) *Sep 30 20:56:49.043: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 120.120.120.1) *Sep 30 20:56:49.047: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy *Sep 30 20:56:49.047: ISAKMP: encryption AES-CBC *Sep 30 20:56:49.051: ISAKMP: keylength of 256 *Sep 30 20:56:49.051: ISAKMP: hash SHA256 *Sep 30 20:56:49.051: ISAKMP: default group 2 *Sep 30 20:56:49.055: ISAKMP: auth RSA sig *Sep 30 20:56:49.055: ISAKMP: life type in seconds *Sep 30 20:56:49.055: ISAKMP: life dura Cbtme-Hub#debug crypto isakmp tion (VPI) of 0x0 0x1 0x51 0x80 *Sep 30 20:56:49.055: ISAKMP:(0):atts are acceptable. Next payload is 0 *Sep 30 20:56:49.055: ISAKMP:(0):Acceptable atts:actual life: 0 *Sep 30 20:56:49.055: ISAKMP:(0):Acceptable atts:life: 0 *Sep 30 20:56:49.059: ISAKMP:(0):Fill atts in sa vpi_length:4 *Sep 30 20:56:49.059: ISAKMP:(0):Fill atts in sa life_in_seconds:86400 *Sep 30 20:56:49.059: ISAKMP:(0): IKE->PKI Start PKI Session state (I) MM_NO_STATE (peer 120.120.120.1) *Sep 30 20:56:49.059: ISAKMP:(0): PKI->IKE Started PKI Session state (I) MM_NO_STATE (peer 120.120.120.1) *Sep 30 20:56:49.059: ISAKMP:(0):Returning Actual lifetime: 86400 *Sep 30 20:56:49.059: ISAKMP:(0)::Started lifetime timer: 86400. 
*Sep 30 20:56:49.059: ISAKMP:(0): processing vendor id payload *Sep 30 20:56:49.059: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch *Sep 30 20:56:49.063: ISAKMP (0): vendor ID is NAT-T RFC 3947 *Sep 30 20:56:49.063: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN Cbtme-Hub#debug crypto isakmp ndebug crypto isakmp odebug crypto isakmp  debug crypto isakmp _MODE *Sep 30 20:56:49.067: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2 *Sep 30 20:56:49.071: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_SA_SETUP (peer 120.120.120.1) *Sep 30 20:56:49.075: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_SA_SETUP (peer 120.120.120.1) *Sep 30 20:56:49.079: ISAKMP:(0): IKE->PKI Get IssuerNames state (I) MM_SA_SETUP (peer 120.120.120.1) *Sep 30 20:56:49.079: ISAKMP:(0): PKI->IKE Got IssuerNames state (I) MM_SA_SETUP (peer 120.120.120.1) *Sep 30 20:56:49.083: ISAKMP (0): constructing CERT_REQ for issuer cn=ekiosk-dc-CASVR-CA,dc=ekiosk-dc,dc=local *Sep 30 20:56:49.087: ISAKMP:(0): sending packet to 120.120.120.1 my_port 500 peer_port 500 (I) MM_SA_SETUP *Sep 30 20:56:49.087: ISAKMP:(0):Sending an IKE IPv4 Packet. *Sep 30 20:56:49.087: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Sep 30 20:56:49.087: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3 *Sep 30 20:56:49.203: ISAKMP Cbtme-Hub#no debug crypto isakmp  Crypto ISAKMP debugging is off Cbtme-Hub#(0): received packet from 120.120.120.1 dport 500 sport 500 Global (I) MM_SA_SETUP *Sep 30 20:56:49.207: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Sep 30 20:56:49.207: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4 *Sep 30 20:56:49.219: ISAKMP:(0): processing KE payload. message ID = 0 *Sep 30 20:56:49.271: ISAKMP:(0): processing NONCE payload. 
message ID = 0 *Sep 30 20:56:49.275: ISAKMP:(1026): processing vendor id payload *Sep 30 20:56:49.275: ISAKMP:(1026): vendor ID is Unity *Sep 30 20:56:49.275: ISAKMP:(1026): processing vendor id payload *Sep 30 20:56:49.275: ISAKMP:(1026): vendor ID is DPD *Sep 30 20:56:49.275: ISAKMP:(1026): processing vendor id payload *Sep 30 20:56:49.275: ISAKMP:(1026): speaking to another IOS box! *Sep 30 20:56:49.275: ISAKMP:received payload type 20 *Sep 30 20:56:49.275: ISAKMP (1026): His hash no match - this node outside NAT *Sep 30 20:56:49.275: ISAKMP:received payload type 20 *Sep 30 20:56:49.275: ISAKMP (1026): No Cbtme-Hub#NAT Found for self or peer *Sep 30 20:56:49.275: ISAKMP:(1026):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE *Sep 30 20:56:49.275: ISAKMP:(1026):Old State = IKE_I_MM4 New State = IKE_I_MM4 *Sep 30 20:56:49.279: ISAKMP:(1026):Send initial contact *Sep 30 20:56:49.279: ISAKMP:(1026): processing CERT_REQ payload. *Sep 30 20:56:49.283: ISAKMP:(1026): peer wants a CT_X509_SIGNATURE cert *Sep 30 20:56:49.283: ISAKMP:(1026): peer wants cert issued by cn=ekiosk-dc-CASVR-CA,dc=ekiosk-dc,dc=local *Sep 30 20:56:49.283: Choosing trustpoint dmvpn-ca as issuer *Sep 30 20:56:49.283: ISAKMP:(1026): IKE->PKI Get self CertificateChain state (I) MM_KEY_EXCH (peer 120.120.120.1) *Sep 30 20:56:49.283: ISAKMP:(1026): PKI->IKE Got self CertificateChain state (I) MM_KEY_EXCH (peer 120.120.120.1) *Sep 30 20:56:49.287: ISAKMP:(1026): IKE->PKI Get SubjectName state (I) MM_KEY_EXCH (peer 120.120.120.1) *Sep 30 20:56:49.299: ISAKMP:(1026): PKI->IKE Got SubjectName state (I) MM_KEY_EXCH (peer 1 Cbtme-Hub#20.120.120.1) *Sep 30 20:56:49.299: ISAKMP:(1026):My ID configured as IPv4 Addr, but Addr not in Cert! 
*Sep 30 20:56:49.299: ISAKMP:(1026):Using FQDN as My ID *Sep 30 20:56:49.299: ISAKMP:(1026):SA is doing RSA signature authentication using id type ID_FQDN *Sep 30 20:56:49.299: ISAKMP (1026): ID payload next-payload : 6 type : 2 FQDN name : Cbtme-Hub protocol : 17 port : 500 length : 17 *Sep 30 20:56:49.299: ISAKMP:(1026):Total payload length: 17 *Sep 30 20:56:49.299: ISAKMP:(1026): IKE->PKI Get CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 120.120.120.1) *Sep 30 20:56:49.307: ISAKMP:(1026): PKI->IKE Got CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 120.120.120.1) *Sep 30 20:56:49.315: ISAKMP (1026): constructing CERT payload for cn=cbtme-hub.ekiosk-dc-CASVR-CA *Sep 30 20:56:49.315: ISKAMP: growing send buffer from 1024 to 3072 *Sep 30 20:56:49.315: ISAKMP:(1026): using the dmvpn-ca trustpoint Cbtme-Hub#'s keypair to sign *Sep 30 20:56:49.899: ISAKMP:(1026): sending packet to 120.120.120.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH *Sep 30 20:56:49.899: ISAKMP:(1026):Sending an IKE IPv4 Packet. *Sep 30 20:56:49.899: ISAKMP:(1026):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Sep 30 20:56:49.899: ISAKMP:(1026):Old State = IKE_I_MM4 New State = IKE_I_MM5 *Sep 30 20:56:50.147: ISAKMP (1024): received packet from 120.120.120.1 dport 500 sport 500 Global (I) MM_NO_STATE *Sep 30 20:56:50.583: ISAKMP (1026): received packet from 120.120.120.1 dport 500 sport 500 Global (I) MM_KEY_EXCH *Sep 30 20:56:50.587: ISAKMP:(1026): processing ID payload. message ID = 0 *Sep 30 20:56:50.591: ISAKMP (1026): ID payload next-payload : 6 type : 2 FQDN name : Cbtme-Spoke1 protocol : 17 port : 500 length : 20 *Sep 30 20:56:50.595: ISAKMP:(1026): processing CERT payload. 
message ID = 0 *Sep 30 20:56:50.595: ISAKMP:(1026): processing a CT_X509_SIGNA Cbtme-Hub#TURE cert *Sep 30 20:56:50.599: ISAKMP:(1026): IKE->PKI Add peer's certificate state (I) MM_KEY_EXCH (peer 120.120.120.1) *Sep 30 20:56:50.675: ISAKMP:(1026): PKI->IKE Added peer's certificate state (I) MM_KEY_EXCH (peer 120.120.120.1) *Sep 30 20:56:50.679: ISAKMP:(1026): IKE->PKI Get PeerCertificateChain state (I) MM_KEY_EXCH (peer 120.120.120.1) *Sep 30 20:56:50.679: ISAKMP:(1026): PKI->IKE Got PeerCertificateChain state (I) MM_KEY_EXCH (peer 120.120.120.1) *Sep 30 20:56:50.683: ISAKMP:(1026): peer's pubkey isn't cached *Sep 30 20:56:50.695: ISAKMP:(0):Unable to match the certificate map configured in the profile *Sep 30 20:56:50.699: ISAKMP (1026): FSM action returned error: 2 *Sep 30 20:56:50.699: ISAKMP:(1026):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Sep 30 20:56:50.699: ISAKMP:(1026):Old State = IKE_I_MM5 New State = IKE_I_MM6 *Sep 30 20:56:50.699: ISAKMP:(1026):peer does not do paranoid keepalives. *Sep 30 20:56:50.699: ISAKMP:(1026):deleting SA reason "IKMP_ER Cbtme-Hub#R_NO_RETRANS" state (I) MM_KEY_EXCH (peer 120.120.120.1) *Sep 30 20:56:50.703: ISAKMP:(1026):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE *Sep 30 20:56:50.703: ISAKMP:(1026):Old State = IKE_I_MM6 New State = IKE_I_MM6 *Sep 30 20:56:50.703: ISAKMP:(1026):peer does not do paranoid keepalives. 
*Sep 30 20:56:50.703: ISAKMP (1026): FSM action returned error: 2 *Sep 30 20:56:50.703: ISAKMP:(1026):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR *Sep 30 20:56:50.703: ISAKMP:(1026):Old State = IKE_I_MM6 New State = IKE_I_MM5 *Sep 30 20:56:50.703: ISAKMP:(1026):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 120.120.120.1) *Sep 30 20:56:50.703: ISAKMP: Unlocking peer struct 0x682233E4 for isadb_mark_sa_deleted(), count 0 *Sep 30 20:56:50.707: ISAKMP: Deleting peer node by peer_reap for 120.120.120.1: 682233E4 *Sep 30 20:56:50.711: ISAKMP:(1026):deleting node -170714666 error FALSE reason "IKE deleted" *Sep 30 20:56:50.715: ISAKMP:(1026): IKE->PKI End Cbtme-Hub#PKI Session state (I) MM_NO_STATE (peer 120.120.120.1) *Sep 30 20:56:50.715: ISAKMP:(1026): PKI->IKE Ended PKI Session state (I) MM_NO_STATE (peer 120.120.120.1) *Sep 30 20:56:50.715: ISAKMP:(1026):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL *Sep 30 20:56:50.715: ISAKMP:(1026):Old State = IKE_I_MM5 New State = IKE_DEST_SA *Sep 30 20:56:52.575: ISAKMP (1025): received packet from 130.130.130.1 dport 500 sport 500 Global (I) MM_NO_STATE Cbtme-Hub# *Sep 30 20:57:28.063: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 120.120.120.1 Cbtme-Hub# *Sep 30 20:58:40.715: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 130.130.130.1 Cbtme-Hub# *Sep 30 20:59:40.991: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 130.130.130.1 Cbtme-Hub# *Sep 30 21:00:44.319: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 120.120.120.1 Cbtme-Hub#