Marcin Latosiewicz
Cisco Employee

 

 

Disclaimer: This is best-effort work only; it may be (and probably is) not 100% accurate. This work will be corrected as corrective feedback is received.

1. Introduction

 

This document will attempt to describe how to understand debugs on the ASA when main mode and a pre-shared key (PSK) are being used.

It also shows how to translate certain debug lines back into the configuration that produced them.

 

What will not be discussed:

- passing traffic after the tunnel has been established.

- basic concepts of IPSec or IKE.

 

2. Core issue

 

IKE and IPSec debugs tend to get cryptic; TAC will very often use them to understand where a problem with IPSec VPN tunnel establishment is located.

 

3. Scenario

 

Main mode is typically used for LAN-to-LAN tunnels, or for remote access (EzVPN) when certificates are used for authentication.

These debugs are from ASA 8.3.2; the other side is a router running 12.4T IOS. These devices will form a LAN-to-LAN tunnel.

 

Two main scenarios will be described:

1. ASA is the initiator for IKE

2. ASA is the responder for IKE

 

 

3.1 Debugs used.

debug crypto isakmp 127

debug crypto ipsec 127

3.2 IOS router configuration.

IPSec configuration:

 

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

 

crypto isakmp key cisco address 10.0.0.1

 

crypto ipsec transform-set TRANSFORM esp-aes esp-sha-hmac

 

crypto map MAP 10 ipsec-isakmp
set peer 10.0.0.1
set transform-set TRANSFORM
match address VPN


ip access-list extended VPN
permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Crypto map info:

Router#sh crypto map
Crypto Map "MAP" 10 ipsec-isakmp
        Peer = 10.0.0.1
        Extended IP access list VPN
            access-list VPN permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
            access-list VPN permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
        Current peer: 10.0.0.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                TRANSFORM:  { esp-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map MAP:
                FastEthernet4

 

 

3.3 ASA configuration.

 

IPSec configuration:

crypto ipsec transform-set TRANSFORM esp-aes esp-sha-hmac

 

crypto map MAP 10 match address VPN
crypto map MAP 10 set peer 10.0.0.2
crypto map MAP 10 set transform-set TRANSFORM
crypto map MAP 10 set reverse-route
crypto map MAP interface outside


crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

 

tunnel-group 10.0.0.2 type ipsec-l2l
tunnel-group 10.0.0.2 ipsec-attributes
pre-shared-key cisco

 

access-list VPN extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

 

IP configuration:

ciscoasa# sh ip

System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       inside                 192.168.1.1     255.255.255.0   manual
GigabitEthernet0/1       outside                10.0.0.1        255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       inside                 192.168.1.1     255.255.255.0   manual
GigabitEthernet0/1       outside                10.0.0.1        255.255.255.0   manual

 

NAT configuration:

 

ciscoasa# sh run object network

object network INSIDE-RANGE
subnet 192.168.1.0 255.255.255.0

 

object network FOREIGN_NETWORK
subnet 192.168.2.0 255.255.255.

ciscoasa# sh run nat

nat (inside,outside) source static INSIDE-RANGE INSIDE-RANGE destination static FOREIGN_NETWORK FOREIGN_NETWORK

 

object network INSIDE-RANGE
nat (inside,outside) dynamic interface

 

4. Debugging.

4.1 ASA as initiator

 

4.1.1 Main Mode message 1 (MM1)


Includes:

- Initial proposal for IKE.

 

Nov 30 10:38:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.1.2, sport=2816, daddr=192.168.2.1, dport=2816
IPSEC(crypto_map_check)-3: Checking crypto map MAP 10: matched.
Nov 30 10:38:29 [IKEv1]: IP = 10.0.0.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 10.0.0.2  local Proxy Address 192.168.1.0, remote Proxy Address 192.168.2.0,  Crypto map (MAP)
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, constructing ISAKMP SA payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, constructing NAT-Traversal VID ver 02 payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, constructing NAT-Traversal VID ver 03 payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, constructing NAT-Traversal VID ver RFC payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, constructing Fragmentation VID + extended capabilities payload
Nov 30 10:38:29 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168

 

Related configuration:

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

 

4.1.2 Main Mode message 2 (MM2)

 


Nov 30 10:38:29 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, processing SA payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, Oakley proposal is acceptable
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, Received NAT-Traversal RFC VID

 

4.1.3 Main Mode message 3 (MM3)

Includes:

- NAT discovery

- Diffie-Hellman (DH) exchange part one.

 


Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, constructing ke payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, constructing nonce payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, constructing Cisco Unity VID payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, constructing xauth V6 VID payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, Send IOS VID
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, constructing VID payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, constructing NAT-Discovery payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, computing NAT Discovery hash
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, constructing NAT-Discovery payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, computing NAT Discovery hash
Nov 30 10:38:29 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304

 

 

4.1.4 Main Mode message 4 (MM4)

Includes:

NAT detection payload

Continuation of DH exchange.

 


Nov 30 10:38:29 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, processing ke payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, processing ISA_KE payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, processing nonce payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, Received Cisco Unity client VID
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, Received DPD VID
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000f7f)
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, Received xauth V6 VID
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, processing NAT-Discovery payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, computing NAT Discovery hash
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, processing NAT-Discovery payload
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, computing NAT Discovery hash
Nov 30 10:38:29 [IKEv1]: IP = 10.0.0.2, Connection landed on tunnel_group 10.0.0.2

 

 

 

4.1.5 Main Mode message 5 (MM5) - initiator sends its identity.

 

Includes:

- Local identity information.

- Key


Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, Generating keys for Initiator...
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, constructing ID payload
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, constructing hash payload
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, Computing hash for ISAKMP
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, constructing dpd vid payload
Nov 30 10:38:29 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) +VENDOR (13) + NONE (0) total length : 96
Nov 30 10:38:29 [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This  end is NOT behind a NAT device

 

Related configuration:

crypto isakmp identity auto

 

 

4.1.6 Main Mode message 6 (MM6) - responder sends its identity. Phase 1 completion.

 

Includes:

- Remote identity sent from peer

- Final decision regarding which tunnel group to pick.

 

 


Nov 30 10:38:29 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, processing ID payload
Nov 30 10:38:29 [IKEv1 DECODE]: Group = 10.0.0.2, IP = 10.0.0.2, ID_IPV4_ADDR ID received
10.0.0.2

Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, processing hash payload
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, Computing hash for ISAKMP
Nov 30 10:38:29 [IKEv1]: IP = 10.0.0.2, Connection landed on tunnel_group 10.0.0.2
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, Oakley begin quick mode
Nov 30 10:38:29 [IKEv1 DECODE]: Group = 10.0.0.2, IP = 10.0.0.2, IKE Initiator starting QM: msg id = 7b80c2b0
Nov 30 10:38:29 [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, PHASE 1 COMPLETED
Nov 30 10:38:29 [IKEv1]: IP = 10.0.0.2, Keep-alive type for this connection: DPD
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, Starting P1 rekey timer: 82080 seconds.

 

Related configuration:

 

tunnel-group 10.0.0.2 type ipsec-l2l
tunnel-group 10.0.0.2 ipsec-attributes
pre-shared-key cisco

 

4.1.7 Quick mode message 1 (QM1)

 

 


IPSEC: New embryonic SA created @ 0x53FC3C00,
    SCB: 0x53F90A00,
    Direction: inbound
    SPI      : 0xFD2D851F
    Session ID: 0x00006000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, IKE got SPI from key engine: SPI = 0xfd2d851f
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, oakley constucting quick mode
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, constructing blank hash payload
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, constructing IPSec SA payload
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, constructing IPSec nonce payload
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, constructing proxy ID
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, Transmitting Proxy Id:
  Local subnet:  192.168.1.0  mask 255.255.255.0 Protocol 1  Port 0
  Remote subnet: 192.168.2.0  Mask 255.255.255.0 Protocol 1  Port 0

Nov 30 10:38:29 [IKEv1 DECODE]: Group = 10.0.0.2, IP = 10.0.0.2, IKE Initiator sending Initial Contact
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, constructing qm hash payload
Nov 30 10:38:29 [IKEv1 DECODE]: Group = 10.0.0.2, IP = 10.0.0.2, IKE Initiator sending 1st QM pkt: msg id = 7b80c2b0
Nov 30 10:38:29 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=7b80c2b0) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200

 

Relevant configuration:

 

crypto ipsec transform-set TRANSFORM esp-aes esp-sha-hmac

access-list VPN extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

 

4.1.8 Quick Mode Message 2 (QM2)

Includes:

Remote end sends its parameters.

We pick the shorter of the two proposed phase 2 lifetimes.

 


Nov 30 10:38:29 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=7b80c2b0) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, processing hash payload
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, processing SA payload
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, processing nonce payload
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, processing ID payload
Nov 30 10:38:29 [IKEv1 DECODE]: Group = 10.0.0.2, IP = 10.0.0.2, ID_IPV4_ADDR_SUBNET ID received--192.168.1.0--255.255.255.0
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, processing ID payload
Nov 30 10:38:29 [IKEv1 DECODE]: Group = 10.0.0.2, IP = 10.0.0.2, ID_IPV4_ADDR_SUBNET ID received--192.168.2.0--255.255.255.0

Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, processing notify payload
Nov 30 10:38:29 [IKEv1 DECODE]: Responder Lifetime decode follows (outb SPI[4]|attributes):
Nov 30 10:38:29 [IKEv1 DECODE]: 0000: DDE50931 80010001 00020004 00000E10     ...1............

 

Nov 30 10:38:29 [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
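The hex dump on the "Responder Lifetime" line can be decoded by hand: the first four bytes are the outbound SPI and the rest are ISAKMP SA attributes in the RFC 2408 attribute format. The following is an added example, not part of the original document, that parses those two debug lines as printed above and recovers the 3600-second lifetime the router imposed:

```python
import re
import struct

# Constructed sample: the two "Responder Lifetime" debug lines from QM2 above (section 4.1.8),
# copied as the ASA printed them.
SAMPLE_LINES = [
    "Nov 30 10:38:29 [IKEv1 DECODE]: Responder Lifetime decode follows (outb SPI[4]|attributes):",
    "Nov 30 10:38:29 [IKEv1 DECODE]: 0000: DDE50931 80010001 00020004 00000E10     ...1............",
]

# IPsec DOI SA attribute types and SA Life Type values (RFC 2407, section 4.5).
SA_LIFE_TYPE = 1
SA_LIFE_DURATION = 2
LIFE_TYPES = {1: "seconds", 2: "kilobytes"}


def dump_bytes(line):
    """Return the raw bytes of an ASA '[IKEv1 DECODE]: 0000: XXXXXXXX ...' hex dump line."""
    body = line.rsplit("]: ", 1)[-1]
    body = re.split(r"\s{3,}", body)[0]                 # drop the ASCII column on the right
    body = re.sub(r"^\s*[0-9A-Fa-f]{4}:\s*", "", body)  # drop the offset column on the left
    return bytes.fromhex("".join(re.findall(r"\b[0-9A-Fa-f]{8}\b", body)))


def parse_attributes(data):
    """Walk ISAKMP data attributes (RFC 2408, section 3.3).

    Each attribute starts with a 2-byte field whose top bit is the AF flag and whose
    low 15 bits are the type. AF=1: the next 2 bytes are the value (TV form).
    AF=0: the next 2 bytes are a length and the value follows (TLV form)."""
    attrs, off = [], 0
    while off + 4 <= len(data):
        af_type, field = struct.unpack_from("!HH", data, off)
        attr_type, off = af_type & 0x7FFF, off + 4
        if af_type & 0x8000:
            attrs.append((attr_type, field))
        else:
            value = data[off:off + field]
            if len(value) != field:
                raise ValueError("truncated attribute value")
            attrs.append((attr_type, int.from_bytes(value, "big")))
            off += field
    if off != len(data):
        raise ValueError("trailing bytes after last attribute")
    return attrs


def decode_responder_lifetime(lines):
    """Find the dump that follows the 'Responder Lifetime decode follows' marker and return
    the outbound SPI plus the lifetimes the responder imposed, keyed by life type."""
    for marker, dump in zip(lines, lines[1:]):
        if "Responder Lifetime decode follows" not in marker:
            continue
        raw = dump_bytes(dump)
        if len(raw) < 4:
            raise ValueError("dump shorter than the 4-byte SPI")
        result = {"spi": "0x%08x" % int.from_bytes(raw[:4], "big"), "lifetimes": {}}
        life_type = None
        for attr_type, value in parse_attributes(raw[4:]):
            if attr_type == SA_LIFE_TYPE:          # a Life Type always precedes its Duration
                life_type = LIFE_TYPES.get(value, "type%d" % value)
            elif attr_type == SA_LIFE_DURATION and life_type is not None:
                result["lifetimes"][life_type] = value
                life_type = None
        return result
    return None


def negotiated_lifetime(local_seconds, responder):
    """The initiator keeps the shorter of its own phase 2 lifetime and the responder's."""
    return min(local_seconds, responder["lifetimes"].get("seconds", local_seconds))


if __name__ == "__main__":
    info = decode_responder_lifetime(SAMPLE_LINES)
    print(info)                                   # {'spi': '0xdde50931', 'lifetimes': {'seconds': 3600}}
    print("rekey after", negotiated_lifetime(28800, info), "seconds")   # 3600, as the debug line says
```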

 

 

4.1.9 Quick Mode Message 3 (QM3) - phase two should be complete.

 


Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, loading all IPSEC SAs
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, Generating Quick Mode Key!
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, NP encrypt rule look up for crypto map MAP 10 matching ACL VPN: returned cs_id=53f11198; rule=53f11a90
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, Generating Quick Mode Key!
IPSEC: New embryonic SA created @ 0x53FC3698,
    SCB: 0x53F910F0,
    Direction: outbound
    SPI      : 0xDDE50931
    Session ID: 0x00006000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0xDDE50931
IPSEC: Creating outbound VPN context, SPI 0xDDE50931
    Flags: 0x00000005
    SA   : 0x53FC3698
    SPI  : 0xDDE50931
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x01CF218F
    Channel: 0x4C69CB80
IPSEC: Completed outbound VPN context, SPI 0xDDE50931
    VPN handle: 0x000161A4
IPSEC: New outbound encrypt rule, SPI 0xDDE50931
    Src addr: 192.168.1.0
    Src mask: 255.255.255.0
    Dst addr: 192.168.2.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 1
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0xDDE50931
    Rule ID: 0x53FC3AD8
IPSEC: New outbound permit rule, SPI 0xDDE50931
    Src addr: 10.0.0.1
    Src mask: 255.255.255.255
    Dst addr: 10.0.0.2
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xDDE50931
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0xDDE50931
    Rule ID: 0x53F91538
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, NP encrypt rule look up for crypto map MAP 10 matching ACL VPN: returned cs_id=53f11198; rule=53f11a90
Nov 30 10:38:29 [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, Security negotiation complete for LAN-to-LAN Group (10.0.0.2)  Initiator, Inbound SPI = 0xfd2d851f, Outbound SPI = 0xdde50931
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, oakley constructing final quick mode
IPSEC: Completed host IBSA update, SPI 0xFD2D851F
IPSEC: Creating inbound VPN context, SPI 0xFD2D851F
    Flags: 0x00000006
    SA   : 0x53FC3C00
    SPI  : 0xFD2D851F
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x000161A4
    SCB  : 0x01CEA8EF
    Channel: 0x4C69CB80
IPSEC: Completed inbound VPN context, SPI 0xFD2D851F
    VPN handle: 0x00018BBC
IPSEC: Updating outbound VPN context 0x000161A4, SPI 0xDDE50931
    Flags: 0x00000005
    SA   : 0x53FC3698
    SPI  : 0xDDE50931
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00018BBC
    SCB  : 0x01CF218F
    Channel: 0x4C69CB80
IPSEC: Completed outbound VPN context, SPI 0xDDE50931
    VPN handle: 0x000161A4
IPSEC: Completed outbound inner rule, SPI 0xDDE50931
    Rule ID: 0x53FC3AD8
IPSEC: Completed outbound outer SPD rule, SPI 0xDDE50931
    Rule ID: 0x53F91538
IPSEC: New inbound tunnel flow rule, SPI 0xFD2D851F
    Src addr: 192.168.2.0
    Src mask: 255.255.255.0
    Dst addr: 192.168.1.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 1
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0xFD2D851F
    Rule ID: 0x53F91970
IPSEC: New inbound decrypt rule, SPI 0xFD2D851F
    Src addr: 10.0.0.2
    Src mask: 255.255.255.255
    Dst addr: 10.0.0.1
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xFD2D851F
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0xFD2D851F
    Rule ID: 0x53F91A08
IPSEC: New inbound permit rule, SPI 0xFD2D851F
    Src addr: 10.0.0.2
    Src mask: 255.255.255.255
    Dst addr: 10.0.0.1
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xFD2D851F
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0xFD2D851F
    Rule ID: 0x53F91AA0
Nov 30 10:38:29 [IKEv1 DECODE]: Group = 10.0.0.2, IP = 10.0.0.2, IKE Initiator sending 3rd QM pkt: msg id = 7b80c2b0
Nov 30 10:38:29 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=7b80c2b0) with payloads : HDR + HASH (8) + NONE (0) total length :76
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, IKE got a KEY_ADD msg for SA: SPI = 0xdde50931
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, Pitcher: received KEY_UPDATE, spi 0xfd2d851f
Nov 30 10:38:29 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, Starting P2 rekey timer: 3060 seconds.
Nov 30 10:38:29 [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, PHASE 2 COMPLETED (msgid=7b80c2b0)
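Reading a long debug by hand means counting the IKE_DECODE lines to work out which main mode or quick mode message the negotiation reached before it stopped. The script below is an added example (not part of the original document, and not an ASA tool) that does that counting over the section 4.1 lines and reports the last step reached, using only message strings that appear in the debugs above; it applies equally to the responder capture in section 4.2, where the first message is RECEIVED rather than SENDING.

```python
import re

# Constructed sample: the IKE_DECODE and milestone lines from the section 4.1 (ASA as
# initiator) debug above, with the per-payload DEBUG lines between them left out.
SAMPLE_DEBUG = """\
Nov 30 10:38:29 [IKEv1]: IP = 10.0.0.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 10.0.0.2  local Proxy Address 192.168.1.0, remote Proxy Address 192.168.2.0,  Crypto map (MAP)
Nov 30 10:38:29 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Nov 30 10:38:29 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, Oakley proposal is acceptable
Nov 30 10:38:29 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Nov 30 10:38:29 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Nov 30 10:38:29 [IKEv1]: IP = 10.0.0.2, Connection landed on tunnel_group 10.0.0.2
Nov 30 10:38:29 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) +VENDOR (13) + NONE (0) total length : 96
Nov 30 10:38:29 [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This  end is NOT behind a NAT device
Nov 30 10:38:29 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Nov 30 10:38:29 [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, PHASE 1 COMPLETED
Nov 30 10:38:29 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=7b80c2b0) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200
Nov 30 10:38:29 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=7b80c2b0) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200
Nov 30 10:38:29 [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
Nov 30 10:38:29 [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, Security negotiation complete for LAN-to-LAN Group (10.0.0.2)  Initiator, Inbound SPI = 0xfd2d851f, Outbound SPI = 0xdde50931
Nov 30 10:38:29 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=7b80c2b0) with payloads : HDR + HASH (8) + NONE (0) total length :76
Nov 30 10:38:29 [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, PHASE 2 COMPLETED (msgid=7b80c2b0)
"""

MSG_RE = re.compile(r"IKE_DECODE (SENDING|RECEIVED) Message \(msgid=([0-9a-f]+)\) "
                    r"with payloads : (.*?) total length :\s*(\d+)")
NAT_RE = re.compile(r"Remote end is (NOT )?behind a NAT device\s+This\s+end is (NOT )?behind a NAT device")
SPI_RE = re.compile(r"Inbound SPI = (0x[0-9a-f]+), Outbound SPI = (0x[0-9a-f]+)")
LIFE_RE = re.compile(r"rekeying duration from \d+ to (\d+) seconds")
TG_RE = re.compile(r"Connection landed on tunnel_group (\S+)")

# What each message carries, per the walkthrough above, and which configuration to look at
# when the exchange stops right after it.
STEP_HINT = {
    "MM1": "IKE proposal (crypto isakmp policy)", "MM2": "IKE proposal accepted by peer",
    "MM3": "DH public value, nonce, NAT-D", "MM4": "peer DH value, nonce, NAT-D",
    "MM5": "our ID + PSK hash (tunnel-group / pre-shared-key)", "MM6": "peer ID + PSK hash",
    "QM1": "proxy IDs + transform set (crypto map, ACL)", "QM2": "peer proxy IDs + lifetime",
    "QM3": "final hash, IPsec SAs installed",
}


def payload_names(payloads):
    """'HDR + SA (1) + VENDOR (13) + NONE (0)' -> ['HDR', 'SA', 'VENDOR']."""
    names = [p.split("(")[0].strip() for p in payloads.split("+")]
    return [n for n in names if n and n != "NONE"]


def track_ikev1(debug_text):
    """Walk a 'debug crypto isakmp 127' capture and return the negotiation state."""
    state = {"role": None, "messages": [], "tunnel_group": None, "nat": None,
             "phase1": False, "phase2": False, "spi": None, "p2_lifetime": None}
    last = None
    for line in debug_text.splitlines():
        m = MSG_RE.search(line)
        if m:
            direction, msgid, payloads, length = m.groups()
            if state["role"] is None:   # whoever sends the first message is the initiator
                state["role"] = "initiator" if direction == "SENDING" else "responder"
            key = (direction, msgid, payloads)
            if key == last:             # identical message again: a retransmit, not a new step
                continue
            last = key
            mode = "MM" if msgid == "0" else "QM"   # main mode runs under msgid 0
            n = sum(1 for msg in state["messages"] if msg["msgid"] == msgid) + 1
            state["messages"].append({"label": f"{mode}{n}", "msgid": msgid, "dir": direction,
                                      "payloads": payload_names(payloads), "len": int(length)})
        elif (m := TG_RE.search(line)):
            state["tunnel_group"] = m.group(1)
        elif (m := NAT_RE.search(line)):
            state["nat"] = {"remote": m.group(1) is None, "local": m.group(2) is None}
        elif (m := SPI_RE.search(line)):
            state["spi"] = {"inbound": m.group(1), "outbound": m.group(2)}
        elif (m := LIFE_RE.search(line)):
            state["p2_lifetime"] = int(m.group(1))
        elif "PHASE 1 COMPLETED" in line:
            state["phase1"] = True
        elif "PHASE 2 COMPLETED" in line:
            state["phase2"] = True
    return state


def diagnose(state):
    """(status, last message label, hint) telling where the exchange stopped."""
    last = state["messages"][-1]["label"] if state["messages"] else None
    if state["phase2"]:
        status = "established"
    elif state["phase1"]:
        status = "phase2-stalled"
    else:
        status = "phase1-stalled"
    return status, last, STEP_HINT.get(last, "no IKE message seen")


if __name__ == "__main__":
    full = track_ikev1(SAMPLE_DEBUG)
    print(full["role"], [m["label"] for m in full["messages"]], diagnose(full))
    # The same capture cut off after MM3 was sent: stuck waiting for the peer's MM4.
    print(diagnose(track_ikev1("\n".join(SAMPLE_DEBUG.splitlines()[:5]))))
```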

 

 

 

4.2 ASA as responder

4.2.1 Main mode message 1 (MM1) - Initial contact.


Includes:

- Vendor IDs (VID)

- Capabilities

- Phase 1 proposals

- IKE SA.

 

Nov 21 09:33:48 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) +VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 164
Nov 21 09:33:48 [IKEv1 DEBUG]: IP = 10.0.0.2, processing SA payload
Nov 21 09:33:48 [IKEv1 DEBUG]: IP = 10.0.0.2, Oakley proposal is acceptable
Nov 21 09:33:48 [IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
Nov 21 09:33:48 [IKEv1 DEBUG]: IP = 10.0.0.2, Received NAT-Traversal RFC VID
Nov 21 09:33:48 [IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
Nov 21 09:33:48 [IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
Nov 21 09:33:48 [IKEv1 DEBUG]: IP = 10.0.0.2, Received NAT-Traversal ver 03 VID
Nov 21 09:33:48 [IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
Nov 21 09:33:48 [IKEv1 DEBUG]: IP = 10.0.0.2, Received NAT-Traversal ver 02 VID
Nov 21 09:33:48 [IKEv1 DEBUG]: IP = 10.0.0.2, processing IKE SA payload
Nov 21 09:33:48 [IKEv1 DEBUG]: IP = 10.0.0.2, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2

 

Relevant configuration:

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

 

 

4.2.2 Main mode message 2 (MM2) - reply to initial contact.


Includes:

- Our capabilities

- IKE SA

Nov 21 09:33:48 [IKEv1 DEBUG]: IP = 10.0.0.2, constructing ISAKMP SA payload
Nov 21 09:33:48 [IKEv1 DEBUG]: IP = 10.0.0.2, constructing NAT-Traversal VID ver 02 payload
Nov 21 09:33:48 [IKEv1 DEBUG]: IP = 10.0.0.2, constructing Fragmentation VID + extended capabilities payload
Nov 21 09:33:48 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE(0) total length : 128

 

4.2.3 Main mode message 3 (MM3) - NAT discovery and Diffie-Hellman exchange.

Includes:

- NAT discovery payload and hash.

- DH exchange initiation.

(- DPD support)

 

Nov 21 09:33:49 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 284
Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, processing ke payload
Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, processing ISA_KE payload
Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, processing nonce payload
Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, Received DPD VID
Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000f6f)
Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, Received xauth V6 VID
Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, processing NAT-Discovery payload
Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, computing NAT Discovery hash
Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, processing NAT-Discovery payload

 

4.2.4 Main mode message 4 (MM4) - NAT discovery and Diffie-Hellman exchange, our reply

Includes:

- NAT discovery payload

- DH exchange initiation.

Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, computing NAT Discovery hash
Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, constructing ke payload
Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, constructing nonce payload
Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, constructing Cisco Unity VID payload
Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, constructing xauth V6 VID payload
Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, Send IOS VID
Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, constructing VID payload
Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, constructing NAT-Discovery payload
Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, computing NAT Discovery hash
Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, constructing NAT-Discovery payload
Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, computing NAT Discovery hash
Nov 21 09:33:49 [IKEv1]: IP = 10.0.0.2, Connection landed on tunnel_group 10.0.0.2
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, Generating keys for Responder...
Nov 21 09:33:49 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304

 

4.2.5 Main mode message 5 (MM5) - peer sends its identity, NAT-T decision.

 

Includes:

- Remote peer identity (ID)

- Connection landing on a particular tunnel-group

 

Nov 21 09:33:49 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, processing ID payload
Nov 21 09:33:49 [IKEv1 DECODE]: Group = 10.0.0.2, IP = 10.0.0.2, ID_IPV4_ADDR ID received
10.0.0.2

Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, processing hash payload
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, Computing hash for ISAKMP
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, processing notify payload
Nov 21 09:33:49 [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This  end is NOT behind a NAT device
Nov 21 09:33:49 [IKEv1]: IP = 10.0.0.2, Connection landed on tunnel_group 10.0.0.2

 

Relevant configuration:

tunnel-group 10.0.0.2 type ipsec-l2l

4.2.6 Main mode message 6 (MM6) - We send our identity, Phase 1 is established.


Includes:

- Rekey timers started

- Our own identity sent to the remote peer.

Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, constructing ID payload
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, constructing hash payload
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, Computing hash for ISAKMP
Nov 21 09:33:49 [IKEv1 DEBUG]: IP = 10.0.0.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, constructing dpd vid payload
Nov 21 09:33:49 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) +VENDOR (13) + NONE (0) total length : 96
Nov 21 09:33:49 [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, PHASE 1 COMPLETED

Nov 21 09:33:49 [IKEv1]: IP = 10.0.0.2, Keep-alive type for this connection: DPD
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, Starting P1 rekey timer: 64800 seconds.

 

Relevant configuration:

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
ciscoasa# sh run all crypto isakmp
crypto isakmp identity auto

 


4.2.7 Quick mode message 1 (QM1) - peer starts phase 2.


Includes:

- Remote and local proxy IDs.

- Transform set(s)

 

Nov 21 09:33:49 [IKEv1 DECODE]: IP = 10.0.0.2, IKE Responder starting QM: msg id = 52481cf5
Nov 21 09:33:49 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=52481cf5) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, processing hash payload
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, processing SA payload
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, processing nonce payload
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, processing ID payload
Nov 21 09:33:49 [IKEv1 DECODE]: Group = 10.0.0.2, IP = 10.0.0.2, ID_IPV4_ADDR_SUBNET ID received--192.168.2.0--255.255.255.0
Nov 21 09:33:49 [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, Received remote IP Proxy Subnet data in ID Payload:   Address 192.168.2.0, Mask 255.255.255.0, Protocol 1, Port 0
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, processing ID payload
Nov 21 09:33:49 [IKEv1 DECODE]: Group = 10.0.0.2, IP = 10.0.0.2, ID_IPV4_ADDR_SUBNET ID received--192.168.1.0--255.255.255.0
Nov 21 09:33:49 [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, Received local IP Proxy Subnet data in ID Payload:   Address 192.168.1.0, Mask 255.255.255.0, Protocol 1, Port 0
Nov 21 09:33:49 [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, QM IsRekeyed old sa not found by addr
Nov 21 09:33:49 [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, Static Crypto Map check, checking map = MAP, seq = 10...
Nov 21 09:33:49 [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, Static Crypto Map check, map MAP, seq = 10 is a successful match
Nov 21 09:33:49 [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, IKE Remote Peer configured for crypto map: MAP
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, processing IPSec SA payload
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, IPSec SA Proposal # 1, Transform # 1 acceptable  Matches global IPSec SA entry # 10

 

Relevant configuration:

 

crypto ipsec transform-set TRANSFORM esp-aes esp-sha-hmac

access-list VPN extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

crypto map MAP 10 match address VPN

 

 

4.2.8 Quick mode message 2 (QM2)

Includes:

- Confirmation of proxy identities.

- Tunnel type.

 

Nov 21 09:33:49 [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, IKE: requesting SPI!
IPSEC: New embryonic SA created @ 0x53FC3698,
    SCB: 0x53FC2998,
    Direction: inbound
    SPI      : 0x1698CAC7
    Session ID: 0x00004000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds

Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, IKE got SPI from key engine: SPI = 0x1698cac7

Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, oakley constucting quick mode
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, constructing blank hash payload
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, constructing IPSec SA payload
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, constructing IPSec nonce payload
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, constructing proxy ID
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, Transmitting Proxy Id:
  Remote subnet: 192.168.2.0  Mask 255.255.255.0 Protocol 1  Port 0
  Local subnet:  192.168.1.0  mask 255.255.255.0 Protocol 1  Port 0
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, constructing qm hash payload
Nov 21 09:33:49 [IKEv1 DECODE]: Group = 10.0.0.2, IP = 10.0.0.2, IKE Responder sending 2nd QM pkt: msg id = 52481cf5
Nov 21 09:33:49 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=52481cf5) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172

 

4.2.9 Quick mode message 3 (QM3) - Phase 2 establishment.


Includes:

- Setting of SPIs to pass traffic.

 


Nov 21 09:33:49 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=52481cf5) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, processing hash payload
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, loading all IPSEC SAs
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, Generating Quick Mode Key!
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, NP encrypt rule look up for crypto map MAP 10 matching ACL VPN: returned cs_id=53f11198; rule=53f11a90
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, Generating Quick Mode Key!
IPSEC: New embryonic SA created @ 0x53F18B00,
    SCB: 0x53F8A1C0,
    Direction: outbound
    SPI      : 0xDB680406
    Session ID: 0x00004000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0xDB680406
IPSEC: Creating outbound VPN context, SPI 0xDB680406
    Flags: 0x00000005
    SA   : 0x53F18B00
    SPI  : 0xDB680406
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x005E4849
    Channel: 0x4C69CB80
IPSEC: Completed outbound VPN context, SPI 0xDB680406
    VPN handle: 0x0000E9B4
IPSEC: New outbound encrypt rule, SPI 0xDB680406
    Src addr: 192.168.1.0
    Src mask: 255.255.255.0
    Dst addr: 192.168.2.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 1
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0xDB680406
    Rule ID: 0x53F89160
IPSEC: New outbound permit rule, SPI 0xDB680406
    Src addr: 10.0.0.1
    Src mask: 255.255.255.255
    Dst addr: 10.0.0.2
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xDB680406
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0xDB680406
    Rule ID: 0x53E47E88
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, NP encrypt rule look up for crypto map MAP 10 matching ACL VPN: returned cs_id=53f11198; rule=53f11a90
Nov 21 09:33:49 [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, Security negotiation complete for LAN-to-LAN Group (10.0.0.2)  Responder, Inbound SPI = 0x1698cac7, Outbound SPI = 0xdb680406
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, IKE got a KEY_ADD msg for SA: SPI = 0xdb680406
IPSEC: Completed host IBSA update, SPI 0x1698CAC7
IPSEC: Creating inbound VPN context, SPI 0x1698CAC7
    Flags: 0x00000006
    SA   : 0x53FC3698
    SPI  : 0x1698CAC7
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x0000E9B4
    SCB  : 0x005DAE51
    Channel: 0x4C69CB80
IPSEC: Completed inbound VPN context, SPI 0x1698CAC7
    VPN handle: 0x00011A8C
IPSEC: Updating outbound VPN context 0x0000E9B4, SPI 0xDB680406
    Flags: 0x00000005
    SA   : 0x53F18B00
    SPI  : 0xDB680406
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00011A8C
    SCB  : 0x005E4849
    Channel: 0x4C69CB80
IPSEC: Completed outbound VPN context, SPI 0xDB680406
    VPN handle: 0x0000E9B4
IPSEC: Completed outbound inner rule, SPI 0xDB680406
    Rule ID: 0x53F89160
IPSEC: Completed outbound outer SPD rule, SPI 0xDB680406
    Rule ID: 0x53E47E88
IPSEC: New inbound tunnel flow rule, SPI 0x1698CAC7
    Src addr: 192.168.2.0
    Src mask: 255.255.255.0
    Dst addr: 192.168.1.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 1
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x1698CAC7
    Rule ID: 0x53FC3E80
IPSEC: New inbound decrypt rule, SPI 0x1698CAC7
    Src addr: 10.0.0.2
    Src mask: 255.255.255.255
    Dst addr: 10.0.0.1
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x1698CAC7
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x1698CAC7
    Rule ID: 0x53FC3F18
IPSEC: New inbound permit rule, SPI 0x1698CAC7
    Src addr: 10.0.0.2
    Src mask: 255.255.255.255
    Dst addr: 10.0.0.1
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x1698CAC7
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x1698CAC7
    Rule ID: 0x53F8AEA8
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, Pitcher: received KEY_UPDATE, spi 0x1698cac7
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, Starting P2 rekey timer: 3060 seconds.
Nov 21 09:33:49 [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, PHASE 2 COMPLETED (msgid=52481cf5)

Tunnel verification.
Please note that since I used ICMP to trigger the tunnel, only one IPSec SA is up. Protocol 1 = ICMP.

show crypto ipsec sa
interface: outside
    Crypto map tag: MAP, seq num: 10, local addr: 10.0.0.1

      access-list VPN extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/1/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/1/0)
      current_peer: 10.0.0.2

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.0.0.1/0, remote crypto endpt.: 10.0.0.2/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: DB680406
      current inbound spi : 1698CAC7

    inbound esp sas:
      spi: 0x1698CAC7 (379112135)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 16384, crypto-map: MAP
         sa timing: remaining key lifetime (kB/sec): (3914999/3326)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0xDB680406 (3681027078)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 16384, crypto-map: MAP
         sa timing: remaining key lifetime (kB/sec): (3914999/3326)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.0.0.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
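The two things worth checking once QM3 has gone through are that the SPIs the debug reports as negotiated are the ones actually installed, and that the proxy IDs the ASA transmitted match the local/remote idents of the SA. The following script is an added example (it is not part of this document and not a Cisco tool): it parses the QM2/QM3 debug lines above for the proxy IDs, negotiated SPIs, rekey timer and the PHASE 2 COMPLETED marker, parses the corresponding `show crypto ipsec sa` lines, and reports any discrepancy between the two. The sample inputs are copied from the debug and show output on this page and trimmed to the lines the parser reads; the line formats are assumed to be those of ASA 8.3.2 as shown here and may differ on other releases.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the responder-side QM2/QM3 debug lines shown on this page
# (ASA 8.3.2, 'debug crypto isakmp 127' / 'debug crypto ipsec 127'), trimmed to the
# lines this parser reads.
DEBUG_LOG = """\
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, Transmitting Proxy Id:
  Remote subnet: 192.168.2.0  Mask 255.255.255.0 Protocol 1  Port 0
  Local subnet:  192.168.1.0  mask 255.255.255.0 Protocol 1  Port 0
Nov 21 09:33:49 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=52481cf5) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Nov 21 09:33:49 [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, Security negotiation complete for LAN-to-LAN Group (10.0.0.2)  Responder, Inbound SPI = 0x1698cac7, Outbound SPI = 0xdb680406
Nov 21 09:33:49 [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, Starting P2 rekey timer: 3060 seconds.
Nov 21 09:33:49 [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, PHASE 2 COMPLETED (msgid=52481cf5)
"""

# Constructed sample input: the matching 'show crypto ipsec sa' lines from this page.
SHOW_IPSEC_SA = """\
interface: outside
    Crypto map tag: MAP, seq num: 10, local addr: 10.0.0.1
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/1/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/1/0)
      current_peer: 10.0.0.2
      current outbound spi: DB680406
      current inbound spi : 1698CAC7
"""

# Line patterns as they appear in the ASA 8.3.2 output above (assumed stable for this release).
PROXY_RE = re.compile(r"^\s*(Remote|Local) subnet:\s+(\S+)\s+[Mm]ask\s+(\S+)\s+Protocol\s+(\d+)\s+Port\s+(\d+)")
NEGOTIATED_RE = re.compile(r"Security negotiation complete for .*?\(([^)]+)\)\s+(Initiator|Responder), "
                           r"Inbound SPI = (0x[0-9a-fA-F]+), Outbound SPI = (0x[0-9a-fA-F]+)")
REKEY_RE = re.compile(r"Starting P2 rekey timer: (\d+) seconds")
DONE_RE = re.compile(r"PHASE 2 COMPLETED \(msgid=([0-9a-fA-F]+)\)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/(\d+)/(\d+)\)")
SHOW_SPI_RE = re.compile(r"current (outbound|inbound) spi\s*:\s*([0-9A-Fa-f]+)")
PEER_RE = re.compile(r"current_peer:\s+(\S+)")


@dataclass
class Phase2:
    """What the IKEv1 quick mode debug tells us about one IPsec SA pair."""
    peer: str = ""
    role: str = ""
    msgid: str = ""
    local_proxy: tuple = ()    # (subnet, mask, protocol, port) as the ASA transmitted it
    remote_proxy: tuple = ()
    inbound_spi: str = ""      # normalised to lowercase '0x...' so debug and show output compare
    outbound_spi: str = ""
    rekey_seconds: int = 0
    completed: bool = False


def parse_phase2_debug(log: str) -> Phase2:
    p = Phase2()
    for line in log.splitlines():
        if m := PROXY_RE.match(line):
            side, subnet, mask, proto, port = m.groups()
            ident = (subnet, mask, int(proto), int(port))
            if side == "Remote":
                p.remote_proxy = ident
            else:
                p.local_proxy = ident
        elif m := NEGOTIATED_RE.search(line):
            p.peer, p.role = m.group(1), m.group(2)
            p.inbound_spi, p.outbound_spi = m.group(3).lower(), m.group(4).lower()
        elif m := REKEY_RE.search(line):
            p.rekey_seconds = int(m.group(1))
        elif m := DONE_RE.search(line):
            p.msgid, p.completed = m.group(1), True
    return p


def parse_show_ipsec_sa(text: str) -> dict:
    sa = {}
    for line in text.splitlines():
        if m := IDENT_RE.search(line):
            side, addr, mask, proto, port = m.groups()
            sa[side + "_ident"] = (addr, mask, int(proto), int(port))
        elif m := SHOW_SPI_RE.search(line):
            sa[m.group(1) + "_spi"] = "0x" + m.group(2).lower()
        elif m := PEER_RE.search(line):
            sa["peer"] = m.group(1)
    return sa


def cross_check(p: Phase2, sa: dict) -> list:
    """Return a list of discrepancies; an empty list means the SA installed on the box
    matches what the debug says was negotiated."""
    problems = []
    if not p.completed:
        problems.append("debug does not show PHASE 2 COMPLETED")
    checks = [
        ("peer", p.peer, sa.get("peer")),
        ("local proxy ID", p.local_proxy, sa.get("local_ident")),
        ("remote proxy ID", p.remote_proxy, sa.get("remote_ident")),
        ("inbound SPI", p.inbound_spi, sa.get("inbound_spi")),
        ("outbound SPI", p.outbound_spi, sa.get("outbound_spi")),
    ]
    for name, negotiated, installed in checks:
        if negotiated != installed:
            problems.append(f"{name}: negotiated {negotiated!r}, show output has {installed!r}")
    return problems


if __name__ == "__main__":
    phase2 = parse_phase2_debug(DEBUG_LOG)
    print(f"{phase2.role} with {phase2.peer}: in {phase2.inbound_spi} / out {phase2.outbound_spi}, "
          f"rekey in {phase2.rekey_seconds}s")
    for problem in cross_check(phase2, parse_show_ipsec_sa(SHOW_IPSEC_SA)):
        print("MISMATCH:", problem)
```

Feed it the full debug capture and the full `show crypto ipsec sa` output; with only one SA pair per crypto map entry (the ICMP-triggered one here) an empty discrepancy list confirms that what was negotiated in QM is what the ASA is encrypting with. If a second SA pair exists (for example the TCP entry of ACL VPN once TCP traffic has triggered it), the show output carries a second set of idents and SPIs and the parser above would need to be run per SA block.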

5.0 Further reading.

A good place to start is the Wikipedia article on IPsec; its standards and references section contains a lot of useful information:

http://en.wikipedia.org/wiki/IPsec

Regarding aggressive mode:

https://supportforums.cisco.com/docs/DOC-13715

Comments
Pavel Pokorny
Level 1

Hi,

Good work.

I would like to see it as a pdf file, but system says:

System Error

We're sorry but a serious error has occurred in the system.

Tested in different browsers.

Can you help?

Thanks

Pavel