on 11-01-2010 06:34 AM
Establishing a Remote Access Connection to an Easy VPN Server Running 7.0
[IKEv1 DEBUG]: IP = 192.1.1.77, processing SA payload (1)
output omitted
[IKEv1 DEBUG]: IP = 192.1.1.77, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
[IKEv1 DEBUG]: IP = 192.1.1.77, processing VID payload
[IKEv1 DEBUG]: IP = 192.1.1.77, Received Cisco Unity client VID (2)
[IKEv1]: IP = 192.1.1.77, Connection landed on tunnel_group salesgroup
[IKEv1 DEBUG]: Group = salesgroup, IP = 192.1.1.77, processing IKE SA
[IKEv1 DEBUG]: Group = salesgroup, IP = 192.1.1.77, IKE SA Proposal # 1, Transform # 5 acceptable Matches global IKE entry # 1 (3)
[IKEv1 DEBUG]: Group = salesgroup, IP = 192.1.1.77, constructing ISA_SA for isakmp
[IKEv1 DEBUG]: Group = salesgroup, IP = 192.1.1.77, constructing nonce payload
output omitted
[IKEv1 DEBUG]: Processing MODE_CFG Reply attributes. (4)
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, IKEGetUserAttributes: primary DNS = 4.2.2.1
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, IKEGetUserAttributes: secondary DNS = cleared
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, IKEGetUserAttributes: primary WINS = cleared
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, IKEGetUserAttributes: secondary WINS = cleared
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, IKEGetUserAttributes: IP Compression = disabled
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, IKEGetUserAttributes: Split Tunneling Policy = Disabled
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, User (salesuser) authenticated. (5)
output omitted
[IKEv1 DEBUG]: Processing cfg Request attributes (6)
[IKEv1 DEBUG]: MODE_CFG: Received request for IPV4 address!
[IKEv1 DEBUG]: MODE_CFG: Received request for IPV4 net mask!
[IKEv1 DEBUG]: MODE_CFG: Received request for DNS server address!
[IKEv1 DEBUG]: MODE_CFG: Received request for WINS server address!
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Received unsupported transaction mode attribute: 5
[IKEv1 DEBUG]: MODE_CFG: Received request for Banner!
[IKEv1 DEBUG]: MODE_CFG: Received request for Save PW setting!
[IKEv1 DEBUG]: MODE_CFG: Received request for Default Domain Name!
[IKEv1 DEBUG]: MODE_CFG: Received request for Split Tunnel List!
[IKEv1 DEBUG]: MODE_CFG: Received request for Split DNS!
[IKEv1 DEBUG]: MODE_CFG: Received request for PFS setting!
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Received unknown transaction mode attribute: 28683
[IKEv1 DEBUG]: MODE_CFG: Received request for backup ip-sec peer list!
[IKEv1 DEBUG]: MODE_CFG: Received request for Application Version! (7)
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Client Type: WinNT Client Application Version: 4.6.01.0019
[IKEv1 DEBUG]: MODE_CFG: Received request for FWTYPE!
[IKEv1 DEBUG]: MODE_CFG: Received request for DHCP hostname for DDNS is: i7500!
[IKEv1 DEBUG]: MODE_CFG: Received request for UDP Port!
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, constructing blank hash (8)
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, constructing qm hash
[IKEv1]: IP = 192.1.1.77, IKE DECODE SENDING Message (msgid=e9f26b16) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 170
[IKEv1 DECODE]: IP = 192.1.1.77, IKE Responder starting QM: msg id = d9fcc34b
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, PHASE 1 COMPLETED (9)
output omitted
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, constructing blank hash (10)
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, constructing qm hash
[IKEv1]: IP = 192.1.1.77, IKE DECODE SENDING Message (msgid=3b776e14) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
[IKEv1]: IP = 192.1.1.77, IKE DECODE RECEIVED Message (msgid=d9fcc34b) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 1026
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, processing hash
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, processing SA payload
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, processing nonce payload
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Processing ID
[IKEv1 DECODE]: ID_IPV4_ADDR ID received 192.168.2.200 (11)
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Received remote Proxy Host data in ID Payload: Address 192.168.2.200, Protocol 0, Port 0
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Processing ID
[IKEv1 DECODE]: ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
[IKEv1]: QM IsRekeyed old sa not found by addr (12)
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Static Crypto Map check, checking map = mymap, seq = 10... (13)
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Static Crypto Map check, map = mymap, seq = 10, ACL does not match proxy IDs src:192.168.2.200 dst:0.0.0.0
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, IKE Remote Peer configured for SA: dynmap (14)
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, processing IPSEC SA
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, IPsec SA Proposal # 11, Transform # 1 acceptable Matches global IPsec SA entry # 1 (15)
output omitted
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Overriding Initiator's IPsec rekeying duration from 2147483 to 28800 seconds (16)
output omitted
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Security negotiation complete for User (salesuser) Responder, Inbound SPI = 0x46ffd888, Outbound SPI = 0xfc4dd2f3 (17)
[IKEv1 DEBUG]: IKE got a KEY_ADD msg for SA: SPI = 0xfc4dd2f3
[IKEv1 DEBUG]: pitcher: rcv KEY_UPDATE, spi 0x46ffd888
output omitted
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Adding static route for client address: 192.168.2.200 (18)
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, PHASE 2 COMPLETED (msgid=d9fcc34b) (19)
output omitted
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Received keep-alive of type DPD R-U-THERE (seq number 0xa780a31f) (20)
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xa780a31f)
output omitted
Here's an explanation of the debug output:
1. The Remote (192.1.1.77) initiates a session to the appliance (acting as a Server).
2. The Remote sends its identity type to the Server, along with the group it wants to connect to ("salesgroup").
3. A matching Phase 1 policy is found: policy 5 of the Remote matches the first policy of the Server.
4. The Remote initiates IKE Mode Config and the appliance is determining which parameters it has configured for the associated group.
5. The group authentication is successful, as is the XAUTH authentication via the user account "salesuser"; notice that this message appears here rather than before IKE Mode Config, because the appliance needs to verify whether or not the user is allowed access to the group.
6. The Remote sends an IKE Mode Config request for the policies defined for the salesgroup group.
7. During IKE Mode Config, the appliance learns the client type and version.
8. The Server sends back the IKE Mode Config parameters.
9. This completes ISAKMP/IKE Phase 1.
10. Quick mode begins with an exchange of policies.
11. The internal address of the client is 192.168.2.200 and the proxy message it sends indicates that all of its traffic is to be protected (the group policy has split tunneling disabled).
12. A check is performed to make sure that the client isn't reconnecting (the Initial Contact feature for Easy VPN); in this example, the client is initiating a new connection.
13. The appliance compares the proxy information with its first crypto map entry (which is a static one) and finds that it doesn't match this entry (the proxy information doesn't match).
14. The appliance compares the proxy information with its second crypto map entry, which is a dynamic crypto map for remote access users.
15. A matching data transform is found.
16. There is a difference in the data SA lifetime values between the two devices: the lower one (28,800 seconds) is negotiated.
17. The two IPsec data SAs (inbound and outbound) are created and SPIs are assigned.
18. Because RRI is enabled, a static route for the Remote's internal address (192.168.2.200) is added to the Server's local routing table.
19. Phase 2 has completed.
20. Because DPD was negotiated in Phase 1, DPD now takes place; in this instance, the Remote is initiating DPD (however, both sides of the tunnel will do this periodically based on their local keepalive counters).
References:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
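As an added example (not part of the original post and not Cisco tooling), a small Python parser that reduces ASA IKEv1 debug lines of the kind shown above to the negotiation facts the numbered explanation walks through (tunnel group, XAUTH user, Phase 1, proxy ID, static crypto map miss and dynamic map hit, lifetime override, SPIs, RRI route, Phase 2), plus two sanity checks a reviewer would want on the result. The sample lines are constructed from the post's output; the regexes, field names and check_negotiation are this example's own assumptions.

```python
import re
# Constructed ASA IKEv1 debug lines modelled on the post's output above (not a real capture).
SAMPLE = """\
[IKEv1]: IP = 192.1.1.77, Connection landed on tunnel_group salesgroup
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, User (salesuser) authenticated.
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, PHASE 1 COMPLETED
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Received remote Proxy Host data in ID Payload: Address 192.168.2.200, Protocol 0, Port 0
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Static Crypto Map check, map = mymap, seq = 10, ACL does not match proxy IDs src:192.168.2.200 dst:0.0.0.0
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, IKE Remote Peer configured for SA: dynmap
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Overriding Initiator's IPsec rekeying duration from 2147483 to 28800 seconds
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Security negotiation complete for User (salesuser) Responder, Inbound SPI = 0x46ffd888, Outbound SPI = 0xfc4dd2f3
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Adding static route for client address: 192.168.2.200
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, PHASE 2 COMPLETED (msgid=d9fcc34b)
"""

# Named groups become summary fields (field names are this example's choice); map_miss may repeat.
PATTERNS = [
    r"Connection landed on tunnel_group (?P<tunnel_group>\S+)",
    r"User \((?P<user>[^)]+)\) authenticated",
    r"(?P<phase1>PHASE 1 COMPLETED)",
    r"Proxy Host data in ID Payload: Address (?P<client_addr>[\d.]+)",
    r"map = (?P<map_miss>[^,]+), seq = \d+, ACL does not match",
    r"configured for SA: (?P<map_hit>\S+)",
    r"rekeying duration from (?P<lifetime_offered>\d+) to (?P<lifetime>\d+) seconds",
    r"Inbound SPI = (?P<spi_in>0x[0-9a-f]+), Outbound SPI = (?P<spi_out>0x[0-9a-f]+)",
    r"Adding static route for client address: (?P<rri_route>[\d.]+)",
    r"(?P<phase2>PHASE 2 COMPLETED)",
]

def parse_ike_debug(text):
    """Reduce one client's debug output to a dict; phase markers become booleans, lifetimes integers."""
    summary = {"map_miss": []}  # static crypto map entries that were checked and rejected, in order
    for line in text.splitlines():
        for m in filter(None, (re.search(p, line) for p in PATTERNS)):
            for name, val in m.groupdict().items():
                val = True if name.startswith("phase") else int(val) if name.startswith("lifetime") else val
                if name == "map_miss":
                    summary[name].append(val)
                else:
                    summary[name] = val
    return summary

def check_negotiation(summary):
    """Conditions a reviewer should look at twice in a completed session summary."""
    findings = []
    if summary.get("phase2") and not summary.get("phase1"):
        findings.append("Phase 2 completed without a logged Phase 1 completion")
    if summary.get("rri_route") and summary["rri_route"] != summary.get("client_addr"):
        findings.append("RRI route %s differs from the client's proxy address %s" % (summary["rri_route"], summary.get("client_addr")))
    return findings
```

Running parse_ike_debug over a full debug capture for one peer gives a one-glance record of which crypto map entry the client landed on and what lifetime was actually negotiated, which is what the numbered explanation above reconstructs by hand.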
Thanks for sharing.