Tommy Svensson
Beginner

Route between VPN-tunnels

Hi.

I have a Cisco 1921 and it has 2 IPsec site-to-site VPN tunnels up and running. Let's say the tunnels go from the Cisco to Site A and Site B.

Now I want Site A to reach Site B through the existing tunnels. I'm guessing that static routes may be the answer, but I can't seem to get it working.

The LAN networks are as follows:

Cisco: 192.168.15.0/24
Site A: 192.168.0.0/24
Site B: 10.27.27.0/24

At Site A I have set up a static route as follows:

Traffic destined for 10.27.27.0/24 goes to gateway 192.168.15.1 (the default gateway of the Cisco LAN)

At Site B I have set up a static route as follows:

Traffic destined for 192.168.0.0/24 goes to gateway 192.168.15.1 (the default gateway of the Cisco LAN)

Hoping someone could shine some light on this matter.

Kind regards


Hi,

   You need to define interesting traffic for site-to-site VPN as well. Please post a brief diagram and configuration on both VPN routers.

HTH,

Toshi
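
The "interesting traffic" requirement from the reply above, as an added example that is not part of the original thread: with crypto maps, the hub's crypto ACL toward each site must also select traffic coming from the other site, and each spoke needs the mirror-image entry. The sample ACL lines are modelled on the networks in this thread; the `SPOKES` mapping and function names are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample: hub crypto ACLs in the form used in this thread.
HUB_ACLS = """\
access-list 102 permit ip 192.168.15.0 0.0.0.255 10.27.27.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 10.27.27.0 0.0.0.255
access-list 103 permit ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.0.255
"""

# Assumed mapping of hub crypto ACL -> spoke LAN behind that tunnel
# (ACL 103 selects traffic for Site A, ACL 102 for Site B).
SPOKES = {"103": "192.168.0.0/24", "102": "10.27.27.0/24"}

ACL_RE = re.compile(
    r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)\s*$", re.M)


def parse_acls(text):
    """Return {acl_id: [(src_net, dst_net), ...]} from numbered extended ACLs."""
    acls = {}
    for acl, src, swild, dst, dwild in ACL_RE.findall(text):
        # ipaddress accepts the IOS wildcard (host mask) form directly.
        pair = (ipaddress.ip_network(f"{src}/{swild}"),
                ipaddress.ip_network(f"{dst}/{dwild}"))
        acls.setdefault(acl, []).append(pair)
    return acls


def missing_hairpin_entries(acls, spokes):
    """List the ACL lines the hub still needs for spoke-to-spoke traffic."""
    nets = {acl: ipaddress.ip_network(n) for acl, n in spokes.items()}
    missing = []
    for acl_to, dst in nets.items():          # tunnel the packet must enter
        for acl_from, src in nets.items():    # spoke the packet came from
            if acl_from == acl_to:
                continue
            covered = any(src.subnet_of(s) and dst.subnet_of(d)
                          for s, d in acls.get(acl_to, []))
            if not covered:
                missing.append(
                    f"access-list {acl_to} permit ip "
                    f"{src.network_address} {src.hostmask} "
                    f"{dst.network_address} {dst.hostmask}")
    return missing


if __name__ == "__main__":
    for line in missing_hairpin_entries(parse_acls(HUB_ACLS), SPOKES):
        print("hub needs:", line)
```

Each line reported for the hub has a counterpart on the spoke with source and destination swapped; the two ends have to agree for the phase 2 selectors to match.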

I have now added the traffic to the access-lists for the IPsec tunnels and still no change. Is it correct for me to set the default gateway of both sides as 192.168.15.1 (LAN interface on the middle router) when they want to talk to each other?

See attachments for configs.

The running config is from the router in the middle of the network drawing.

Kind regards.

ramkumar62
Beginner

Adding static routes with next hop 192.168.15.1 may fail if it tries to do ARP for the next hop, which actually needs to be reached by VPN. Try adding routes via your ISP default gateway, so that it passes traffic to the crypto interface, which will get encrypted.


Hi Tommy,

To the best of my knowledge you can't do this using crypto maps. You can, however, do it using VTI tunnels protected with IPsec, as then it is just a matter of a simple static route.

So on the Cisco you would already have in place static routes of the nature

ip route 192.168.0.0 255.255.255.0 tunnel 0
ip route 10.27.27.0 255.255.255.0 tunnel 1

You would then just need to tell the routers at Site A that Site B is also accessible through Tunnel0, and similarly on Site B that Site A is accessible through its tunnel.

Overall easier once set up.

I'm sorry, but VTI tunnels are not supported on the router type at both Site A and Site B. Or at least I can't find it.

I looked into it now and it seems like it would be the way to go about it in this case as well. Thank you very much, I will get back to you all with the results of this VTI configuration.

Kind regards.

Hi Tommy,

The feature set says it supports this method.

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ReallyGoodPassword address no-xauth
crypto ipsec transform-set TranSet esp-3des esp-md5-hmac
crypto ipsec profile proVTI
 set transform-set TranSet
interface Tunnel0
 description Site-Site Tunnel Other End is 201.2
 ip address 192.168.201.1 255.255.255.252 ! (or pick a subnet that doesn't conflict)
 no shutdown
 tunnel source Dialer0 ! or IP of this WAN Interface
 tunnel destination ! IP or of other WAN Interface
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile proVTI
ip route tunnel0

Do this at both ends and all is good.

Then add a

ip route 10.27.27.0 255.255.255.0 tunnel 0

on the site A router and

ip route 192.168.0.0 255.255.255.0 tunnel 0 ! or whatever number you gave it

on the Site B router, and all traffic should flow fine, albeit a little clumsily. Any reason you can't just add a tunnel between the Site A and Site B routers instead?

Hi.

I have now implemented the method for one tunnel; however, the tunnel goes down and times out for like 20 seconds once every minute.

So there are two tunnels configured as before and one tunnel configured using VTI, and that one is the one timing out.

Is my configuration of the interface Tunnel0 wrong and if so, is there anything else that jumps out that's wrong?

Kind regards.

Here is my configuration on this matter:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxx address 194.23.14.xxx
crypto isakmp key xxxxxxxxx address 212.37.97.xxx
crypto isakmp key xxxxxxxxx address 81.232.19.xxx no-xauth
!
!
crypto ipsec transform-set TF_Stockholm esp-3des esp-sha-hmac
!
crypto ipsec profile P1
 set security-association lifetime seconds 28800
 set transform-set TF_Stockholm
 set pfs group2
!
!
crypto map TF_Stockholm 30 ipsec-isakmp
 set peer 194.23.14.xxx
 set security-association lifetime seconds 86400
 set transform-set TF_Stockholm
 set pfs group2
 match address 103
crypto map TF_Stockholm 40 ipsec-isakmp
 set peer 212.37.97.xxx
 set transform-set TF_Stockholm
 set pfs group2
 match address 102
!
!
interface Tunnel0
 description TUNNEL TILL DOFH
 ip unnumbered GigabitEthernet0/0
 zone-member security WAN_ZONE
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 81.232.19.xxx
 tunnel protection ipsec profile P1
!
interface GigabitEthernet0/0
 ip address 194.17.211.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 zone-member security WAN_ZONE
 duplex auto
 speed auto
 crypto map TF_Stockholm

Here is my debug log:

*Jul 11 09:21:31.057: ISAKMP:(1180): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE

*Jul 11 09:21:31.057: ISAKMP:(1180):Sending an IKE IPv4 Packet.

*Jul 11 09:21:31.057: ISAKMP:(1180):Node 1791448660, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

*Jul 11 09:21:31.061: ISAKMP:(1180):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1

*Jul 11 09:21:41.057: ISAKMP:(1180): retransmitting phase 2 QM_IDLE       1791448660 ...

*Jul 11 09:21:41.057: ISAKMP (1180): incrementing error counter on node, attempt 1 of 5: retransmit phase 2

*Jul 11 09:21:41.057: ISAKMP (1180): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2

*Jul 11 09:21:41.057: ISAKMP:(1180): retransmitting phase 2 1791448660 QM_IDLE

*Jul 11 09:21:41.057: ISAKMP:(1180): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE

*Jul 11 09:21:41.057: ISAKMP:(1180):Sending an IKE IPv4 Packet.

*Jul 11 09:21:47.201: ISAKMP (0): received packet from 81.228.205.xxx dport 500 sport 500 Global (R) MM_NO_STATE

*Jul 11 09:21:51.057: ISAKMP:(1180): retransmitting phase 2 QM_IDLE       1791448660 ...

*Jul 11 09:21:51.057: ISAKMP (1180): incrementing error counter on node, attempt 2 of 5: retransmit phase 2

*Jul 11 09:21:51.057: ISAKMP (1180): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2

*Jul 11 09:21:51.057: ISAKMP:(1180): retransmitting phase 2 1791448660 QM_IDLE

*Jul 11 09:21:51.057: ISAKMP:(1180): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE

*Jul 11 09:21:51.057: ISAKMP:(1180):Sending an IKE IPv4 Packet.

*Jul 11 09:22:01.033: IPSEC(key_engine): request timer fired: count = 1,

(identity) local= 194.17.211.126:0, remote= 81.232.19.xxx:0,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)

*Jul 11 09:22:01.033: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= 194.17.211.xxx:500, remote= 81.232.19.xxx:500,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),

lifedur= 3600s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

*Jul 11 09:22:01.057: ISAKMP: set new node 0 to QM_IDLE

*Jul 11 09:22:01.057: SA has outstanding requests  (local 39.204.159.xxx port 500, remote 39.204.159.xxx port 500)

*Jul 11 09:22:01.057: ISAKMP:(1180): sitting IDLE. Starting QM immediately (QM_IDLE      )

*Jul 11 09:22:01.057: ISAKMP:(1180):beginning Quick Mode exchange, M-ID of -890998029

*Jul 11 09:22:01.081: ISAKMP:(1180):QM Initiator gets spi

*Jul 11 09:22:01.081: ISAKMP:(1180): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE

*Jul 11 09:22:01.081: ISAKMP:(1180):Sending an IKE IPv4 Packet.

*Jul 11 09:22:01.081: ISAKMP:(1180):Node -890998029, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

*Jul 11 09:22:01.081: ISAKMP:(1180):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1

*Jul 11 09:22:01.081: ISAKMP:(1180): retransmitting phase 2 QM_IDLE       1791448660 ...

*Jul 11 09:22:01.081: ISAKMP (1180): incrementing error counter on node, attempt 3 of 5: retransmit phase 2

*Jul 11 09:22:01.081: ISAKMP (1180): incrementing error counter on sa, attempt 3 of 5: retransmit phase 2

*Jul 11 09:22:01.081: ISAKMP:(1180): retransmitting phase 2 1791448660 QM_IDLE

*Jul 11 09:22:01.081: ISAKMP:(1180): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE

*Jul 11 09:22:01.081: ISAKMP:(1180):Sending an IKE IPv4 Packet.

*Jul 11 09:22:08.249: ISAKMP:(0):purging SA., sa=27DCB3B4, delme=27DCB3B4

*Jul 11 09:22:11.081: ISAKMP:(1180): retransmitting phase 2 QM_IDLE       -890998029 ...

*Jul 11 09:22:11.081: ISAKMP (1180): incrementing error counter on node, attempt 1 of 5: retransmit phase 2

*Jul 11 09:22:11.081: ISAKMP (1180): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2

*Jul 11 09:22:11.081: ISAKMP:(1180): retransmitting phase 2 -890998029 QM_IDLE

*Jul 11 09:22:11.081: ISAKMP:(1180): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE

*Jul 11 09:22:11.081: ISAKMP:(1180):Sending an IKE IPv4 Packet.

*Jul 11 09:22:11.081: ISAKMP:(1180): retransmitting phase 2 QM_IDLE       1791448660 ...

*Jul 11 09:22:11.081: ISAKMP (1180): incrementing error counter on node, attempt 4 of 5: retransmit phase 2

*Jul 11 09:22:11.081: ISAKMP (1180): incrementing error counter on sa, attempt 5 of 5: retransmit phase 2

*Jul 11 09:22:11.081: ISAKMP:(1180): retransmitting phase 2 1791448660 QM_IDLE

*Jul 11 09:22:11.081: ISAKMP:(1180): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE

*Jul 11 09:22:11.081: ISAKMP:(1180):Sending an IKE IPv4 Packet.

*Jul 11 09:22:21.081: ISAKMP:(1180): retransmitting phase 2 QM_IDLE       -890998029 ...

*Jul 11 09:22:21.081: ISAKMP:(1180):peer does not do paranoid keepalives.

*Jul 11 09:22:21.081: ISAKMP:(1180):deleting SA reason "Death by retransmission P2" state (R) QM_IDLE       (peer 81.232.19.xxx)

*Jul 11 09:22:21.081: ISAKMP:(1180): retransmitting phase 2 QM_IDLE       1791448660 ...

*Jul 11 09:22:21.081: ISAKMP:(1180):peer does not do paranoid keepalives.

*Jul 11 09:22:21.081: ISAKMP: set new node 1538683159 to QM_IDLE

*Jul 11 09:22:21.081: ISAKMP:(1180): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE

*Jul 11 09:22:21.081: ISAKMP:(1180):Sending an IKE IPv4 Packet.

*Jul 11 09:22:21.081: ISAKMP:(1180):purging node 1538683159

*Jul 11 09:22:21.081: ISAKMP:(1180):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Jul 11 09:22:21.081: ISAKMP:(1180):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Jul 11 09:22:21.081: ISAKMP:(1180):deleting SA reason "Death by retransmission P2" state (R) QM_IDLE       (peer 81.232.19.xxx)

*Jul 11 09:22:21.081: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.

*Jul 11 09:22:21.081: ISAKMP: Unlocking peer struct 0x316B5470 for isadb_mark_sa_deleted(), count 0

*Jul 11 09:22:21.081: ISAKMP:(1180):deleting node 1791448660 error FALSE reason "IKE deleted"

*Jul 11 09:22:21.081: ISAKMP:(1180):deleting node -890998029 error FALSE reason "IKE deleted"

*Jul 11 09:22:21.081: ISAKMP:(1180):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jul 11 09:22:21.081: ISAKMP:(1180):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

TEST_ROUTER(config)#

Hi Tommy,

The VTI tunnel can't be unnumbered to the gi0/0, to the best of my knowledge (but I am not an expert); it needs an IP on a unique subnet so it can be routed. I am unsure whether your ACLs for traffic of interest refer to the traffic at the other end of the VTI as well. The config you posted is obviously not complete. I would definitely fix that IP for the tunnel though.

Message was edited by: Ross Marston

Hi.

Thank you for your feedback. I have changed the configuration somewhat, but I still get the same results of the tunnel timing out and going down for like 15 seconds every other minute.

Config for remote site is on pic1 and pic2.

Here is my current running config of the matter:

class-map type inspect match-any LAN_TO_WAN
 match access-group name LAN_TO_WAN
class-map type inspect match-any WAN_TO_LAN
 match access-group name WAN_TO_LAN
!
!
policy-map type inspect LAN_TO_WAN
 class type inspect LAN_TO_WAN
  inspect
 class class-default
  drop
policy-map type inspect WAN_TO_LAN
 class type inspect WAN_TO_LAN
  inspect
 class class-default
  drop
!
zone security LAN_ZONE
zone security WAN_ZONE
zone security LAN2_ZONE
zone-pair security LAN_TO_WAN source LAN_ZONE destination WAN_ZONE
 service-policy type inspect LAN_TO_WAN
zone-pair security WAN_TO_LAN source WAN_ZONE destination LAN_ZONE
 service-policy type inspect WAN_TO_LAN
zone-pair security LAN2_TO_WAN source LAN2_ZONE destination WAN_ZONE
 service-policy type inspect LAN_TO_WAN
zone-pair security WAN_TO_LAN2 source WAN_ZONE destination LAN2_ZONE
 service-policy type inspect WAN_TO_LAN
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxxxxxxxxx address 81.232.19.xxx
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
!
crypto ipsec profile P1
 set transform-set TS1
 set pfs group2
!
!
interface Tunnel0
 ip address 192.168.250.1 255.255.255.0
 zone-member security LAN2_ZONE
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 81.232.19.xxx
 tunnel protection ipsec profile P1
!
interface GigabitEthernet0/0
 ip address 194.17.211.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 zone-member security WAN_ZONE
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.15
 encapsulation dot1Q 15
 ip address 192.168.15.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security LAN2_ZONE
!
interface GigabitEthernet0/1.101
 encapsulation dot1Q 101
 ip address 10.0.1.28 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security LAN_ZONE
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool with_overload 194.17.211.xxx 194.17.211.xxx prefix-length 29
ip nat inside source list 105 pool with_overload overload
ip route 0.0.0.0 0.0.0.0 194.17.211.xxx
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
ip access-list extended LAN_TO_WAN
 permit ip any any
ip access-list extended WAN_TO_LAN
 permit tcp any any eq ftp-data
 permit tcp any any eq ftp
 permit tcp any any eq 22
 permit tcp any any eq telnet
 permit tcp any any eq 24
 permit tcp any any eq smtp
 permit tcp any any eq 26
 permit tcp any any eq 27
 permit tcp any any eq 28
 permit tcp any any eq 29
 permit tcp any any eq 30
 permit tcp any any eq 31
 permit tcp any any eq 32
 permit tcp any any eq 33
 permit tcp any any eq 34
 permit tcp any any eq 35
 permit tcp any any eq www
 permit tcp any any eq 443
 permit ip 192.168.2.0 0.0.0.255 192.168.15.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 any
 permit ip 10.27.27.0 0.0.0.255 192.168.15.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 192.168.15.0 0.0.0.255
 permit esp any any
!
access-list 101 permit ip 192.168.15.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 10.27.27.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.15.0 0.0.0.255 10.27.27.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 10.27.27.0 0.0.0.255
access-list 103 permit ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 deny   ip 192.168.15.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 deny   ip 192.168.15.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 105 deny   ip 10.0.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 105 deny   ip 192.168.15.0 0.0.0.255 10.27.27.0 0.0.0.255
access-list 105 deny   ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 permit ip 10.0.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.15.0 0.0.0.255 any

Here is my debug output with this config:

Jul 12 12:53:06.646: ISAKMP: set new node 0 to QM_IDLE

Jul 12 12:53:06.646: SA has outstanding requests  (local 39.220.181.28 port 500, remote 39.220.181.56 port 500)

Jul 12 12:53:06.646: ISAKMP:(1473): sitting IDLE. Starting QM immediately (QM_IDLE      )

Jul 12 12:53:06.646: ISAKMP:(1473):beginning Quick Mode exchange, M-ID of -140327640

Jul 12 12:53:06.666: ISAKMP:(1473):QM Initiator gets spi

Jul 12 12:53:06.666: ISAKMP:(1473): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE

Jul 12 12:53:06.666: ISAKMP:(1473):Sending an IKE IPv4 Packet.

Jul 12 12:53:06.666: ISAKMP:(1473):Node -140327640, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

Jul 12 12:53:06.666: ISAKMP:(1473):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1

Jul 12 12:53:06.670: ISAKMP:(1473): retransmitting phase 2 QM_IDLE       1426390693 ...

Jul 12 12:53:06.670: ISAKMP (1473): incrementing error counter on node, attempt 3 of 5: retransmit phase 2

Jul 12 12:53:06.670: ISAKMP (1473): incrementing error counter on sa, attempt 3 of 5: retransmit phase 2

Jul 12 12:53:06.670: ISAKMP:(1473): retransmitting phase 2 1426390693 QM_IDLE

Jul 12 12:53:06.670: ISAKMP:(1473): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE

Jul 12 12:53:06.670: ISAKMP:(1473):Sending an IKE IPv4 Packet.

Jul 12 12:53:11.014: ISAKMP:(1473):purging node -1007574191

Jul 12 12:53:11.598: ISAKMP:(1473):purging node -134087220

Jul 12 12:53:16.666: ISAKMP:(1473): retransmitting phase 2 QM_IDLE       -140327640 ...

Jul 12 12:53:16.666: ISAKMP (1473): incrementing error counter on node, attempt 1 of 5: retransmit phase 2

Jul 12 12:53:16.666: ISAKMP (1473): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2

Jul 12 12:53:16.666: ISAKMP:(1473): retransmitting phase 2 -140327640 QM_IDLE

Jul 12 12:53:16.666: ISAKMP:(1473): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE

Jul 12 12:53:16.666: ISAKMP:(1473):Sending an IKE IPv4 Packet.

Jul 12 12:53:16.670: ISAKMP:(1473): retransmitting phase 2 QM_IDLE       1426390693 ...

Jul 12 12:53:16.670: ISAKMP (1473): incrementing error counter on node, attempt 4 of 5: retransmit phase 2

Jul 12 12:53:16.670: ISAKMP (1473): incrementing error counter on sa, attempt 5 of 5: retransmit phase 2

Jul 12 12:53:16.670: ISAKMP:(1473): retransmitting phase 2 1426390693 QM_IDLE

Jul 12 12:53:16.670: ISAKMP:(1473): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE

Jul 12 12:53:16.670: ISAKMP:(1473):Sending an IKE IPv4 Packet.

Jul 12 12:53:26.666: ISAKMP:(1473): retransmitting phase 2 QM_IDLE       -140327640 ...

Jul 12 12:53:26.666: ISAKMP:(1473):peer does not do paranoid keepalives.

Jul 12 12:53:26.666: ISAKMP:(1473):deleting SA reason "Death by retransmission P2" state (R) QM_IDLE       (peer 81.232.19.xxx)

Jul 12 12:53:26.666: ISAKMP: set new node -1873188883 to QM_IDLE

Jul 12 12:53:26.666: ISAKMP:(1473): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE

Jul 12 12:53:26.666: ISAKMP:(1473):Sending an IKE IPv4 Packet.

Jul 12 12:53:26.666: ISAKMP:(1473):purging node -1873188883

Jul 12 12:53:26.666: ISAKMP:(1473):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Jul 12 12:53:26.666: ISAKMP:(1473):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

Jul 12 12:53:26.666: ISAKMP:(1473):deleting SA reason "Death by retransmission P2" state (R) QM_IDLE       (peer 81.232.19.xxx)

Jul 12 12:53:26.666: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.

Jul 12 12:53:26.666: ISAKMP: Unlocking peer struct 0x2800B1E4 for isadb_mark_sa_deleted(), count 0

Jul 12 12:53:26.666: ISAKMP:(1473):deleting node 1426390693 error FALSE reason "IKE deleted"

Jul 12 12:53:26.666: ISAKMP:(1473):deleting node -140327640 error FALSE reason "IKE deleted"

Jul 12 12:53:26.666: ISAKMP:(1473):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Jul 12 12:53:26.666: ISAKMP:(1473):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

Jul 12 12:53:36.646: IPSEC(key_engine): request timer fired: count = 2,

(identity) local= 194.17.211.xxx:0, remote= 81.232.19.xxx:0,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)

Jul 12 12:53:42.458: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
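
A way to read debug output like the two captures in this thread, as an added example that is not part of the original posts: the script pulls out the Quick Mode retransmit counts, the SA deletion reason, the proxy identities the router proposed and the resulting interface state. The sample log is constructed in the same format, the peer address is a documentation-range placeholder, and the finding labels are names chosen for this example.

```python
import re
from collections import Counter

# Constructed sample in the format of the ISAKMP/IPsec debug lines above.
SAMPLE_LOG = """\
*Jul 11 09:21:31.057: ISAKMP:(1180):beginning Quick Mode exchange, M-ID of 1791448660
*Jul 11 09:21:41.057: ISAKMP:(1180): retransmitting phase 2 1791448660 QM_IDLE
*Jul 11 09:21:51.057: ISAKMP:(1180): retransmitting phase 2 1791448660 QM_IDLE
*Jul 11 09:22:01.033: IPSEC(sa_request): ,
  local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
  remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
*Jul 11 09:22:01.081: ISAKMP:(1180): retransmitting phase 2 1791448660 QM_IDLE
*Jul 11 09:22:11.081: ISAKMP:(1180): retransmitting phase 2 -890998029 QM_IDLE
*Jul 11 09:22:21.081: ISAKMP:(1180):deleting SA reason "Death by retransmission P2" state (R) QM_IDLE (peer 203.0.113.10)
*Jul 11 09:22:21.081: ISAKMP:(1180):deleting SA reason "Death by retransmission P2" state (R) QM_IDLE (peer 203.0.113.10)
*Jul 11 09:22:42.458: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
"""

RETRANS = re.compile(r"retransmitting phase 2 (-?\d+) QM_IDLE")
DELETED = re.compile(r'deleting SA reason "([^"]+)".*\(peer (\S+)\)')
PROXY = re.compile(r"(local|remote)_proxy= (\S+?)/(\S+?)/")
LINEPROTO = re.compile(r"Line protocol on Interface (\S+), changed state to (\w+)")


def summarize(log):
    """Collect the facts that matter when Quick Mode never completes."""
    return {
        # Retransmissions per Quick Mode message ID.
        "retransmits": Counter(RETRANS.findall(log)),
        # Unique (reason, peer) pairs for deleted IKE SAs.
        "deletions": sorted(set(DELETED.findall(log))),
        # Proxy identities (traffic selectors) this router proposed.
        "proxies": {side: (addr, mask) for side, addr, mask in PROXY.findall(log)},
        # (interface, state) line-protocol changes.
        "link_events": LINEPROTO.findall(log),
    }


def findings(summary):
    """Turn the summary into short labels (names chosen for this example)."""
    out = []
    if any(reason == "Death by retransmission P2"
           for reason, _ in summary["deletions"]):
        # Phase 1 was up (QM_IDLE) but the peer never answered Quick Mode.
        out.append("phase1-up-phase2-unanswered")
    any_any = ("0.0.0.0", "0.0.0.0")
    proxies = summary["proxies"]
    if proxies.get("local") == any_any and proxies.get("remote") == any_any:
        # The peer's phase 2 policy has to accept these any/any selectors.
        out.append("any-any-proxy-proposed")
    out += [f"{ifname}-down" for ifname, state in summary["link_events"]
            if state == "down"]
    return out


if __name__ == "__main__":
    print(findings(summarize(SAMPLE_LOG)))
```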