08-19-2012 08:52 PM
hi,
Still having some trouble getting the client VPN to work. The configuration and the debug crypto isakmp output follow.
From a client perspective, it starts the connection and prompts for the password (and if it is the wrong password it prompts again, which means the authentication process apparently works), but then the client terminates with:
Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
thanks
Conf.
!
! Last configuration change at 09:32:19 AWST Mon Aug 20 2012 by rda
! NVRAM config last updated at 08:09:31 AWST Mon Aug 20 2012 by rda
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname perprimus878
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$q5HQ$QZV42umjVRzsseSlxSQq//
enable password **********
!
aaa new-model
!
!
aaa authentication login userauthen group radius local
aaa authentication login admins local
aaa authorization exec default local
aaa authorization network groupauthor local
aaa authorization network RDAPER group radius local
!
aaa session-id common
!
resource policy
!
memory-size iomem 15
clock timezone AWST 8
ip cef
!
!
!
!
!
!
!
username ********* privilege 15 secret 5 $1$S.bS$SYFFnu/JkGAMHp13lMKvK/
!
!
controller DSL 0
mode atm
line-term cpe
line-mode 2-wire line-zero
dsl-mode shdsl symmetric annex B
line-rate auto
!
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp policy 2
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp key ************ address ************* no-xauth
crypto isakmp key ************ address ************* no-xauth
crypto isakmp key ************* address *************** no-xauth
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group RDAPER
key CiscoVPN
dns 192.168.0.20
domain ************
pool VPNPool
acl 108
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
crypto ipsec transform-set myset2 esp-des esp-sha-hmac
crypto ipsec transform-set myset3 esp-null esp-md5-hmac
crypto ipsec transform-set myset4 esp-null esp-sha-hmac
crypto ipsec transform-set myset5 esp-des
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map RDAPER client authentication list userauthen
crypto map RDAPER isakmp authorization list groupauthor
crypto map RDAPER 2 ipsec-isakmp
description VPN to Perth
set peer ***************
set transform-set ESP-3DES-SHA
set pfs group2
match address 118
crypto map RDAPER 10 ipsec-isakmp dynamic dynmap
!
crypto map RDAVPN client authentication list userauthen
crypto map RDAVPN isakmp authorization list groupauthor
crypto map RDAVPN client configuration address respond
crypto map RDAVPN 1 ipsec-isakmp
description IPSec with RDACSYD
set peer *************
set transform-set myset1 myset2 myset3 myset4 myset5
match address 103
crypto map RDAVPN 2 ipsec-isakmp
description IPSec with RDACBRIS
set peer **************8
set transform-set myset1
match address 104
crypto map RDAVPN 30 ipsec-isakmp dynamic dynmap
!
crypto map VPNTOMEL 1 ipsec-isakmp
description VPN to Perth
set peer *****************8
set transform-set ESP-3DES-SHA
set pfs group2
match address 118
!
!
interface Loopback0
description IPSec NAT Fix
ip address 10.100.0.1 255.255.255.0
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
no snmp trap link-status
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $FW_INSIDE$
ip address 10.10.10.10 255.255.255.0 secondary
ip address 192.168.0.254 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1380
ip policy route-map nonat
!
interface Dialer0
description $FW_OUTSIDE$
ip address *************** 255.255.255.240
ip mtu 1492
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname *****************88
ppp chap password 0 ***************
crypto map RDAPER
!
interface Dialer1
no ip address
!
router ospf 1
log-adjacency-changes
redistribute static
network 192.168.0.0 0.0.0.255 area 0
!
ip local pool VPNPool 172.28.11.1 172.28.11.254
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 30
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 119 interface Dialer0 overload
i
ip ospf name-lookup
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
remark SDM_ACL Category=1
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
remark SDM_ACL Category=1
!
access-list 23 permit 202.72.186.18
access-list 23 permit 203.161.68.210
access-list 23 permit 172.28.10.0 0.0.0.255
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 172.28.66.0 0.0.0.255
access-list 101 deny ip 192.168.200.0 0.0.0.255 172.28.66.0 0.0.0.255
access-list 101 deny ip 172.28.3.0 0.0.0.255 172.28.66.0 0.0.0.255
access-list 101 deny ip 172.28.11.0 0.0.0.255 172.28.66.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 172.28.11.0 0.0.0.255
access-list 101 deny ip 10.111.112.0 0.0.0.3 192.168.200.0 0.0.0.255
access-list 101 deny ip 10.111.112.0 0.0.0.3 172.28.11.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 172.28.7.0 0.0.0.255
access-list 101 deny ip 192.168.200.0 0.0.0.255 172.28.7.0 0.0.0.255
access-list 101 deny ip 172.28.66.0 0.0.0.255 172.28.11.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 10.111.112.0 0.0.0.3 any
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 103 permit ip 10.111.112.0 0.0.0.3 192.168.200.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.0.255 172.28.7.0 0.0.0.255
access-list 104 permit ip 192.168.200.0 0.0.0.255 172.28.7.0 0.0.0.255
access-list 108 permit ip 192.168.0.0 0.0.0.255 172.28.11.0 0.0.0.255
access-list 108 permit ip 172.28.66.0 0.0.0.255 172.28.11.0 0.0.0.255
access-list 118 remark VPN TO MEL
access-list 118 permit ip 192.168.0.0 0.0.0.255 172.28.3.0 0.0.0.255
access-list 118 permit ip 172.28.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 119 deny ip 192.168.0.0 0.0.0.255 172.28.66.0 0.0.0.255
access-list 119 deny ip 192.168.0.0 0.0.0.255 172.28.3.0 0.0.0.255
access-list 119 deny ip 192.168.200.0 0.0.0.255 172.28.66.0 0.0.0.255
access-list 119 deny ip 172.28.3.0 0.0.0.255 172.28.66.0 0.0.0.255
access-list 119 deny ip 172.28.11.0 0.0.0.255 172.28.66.0 0.0.0.255
access-list 119 deny ip 192.168.0.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 119 deny ip 192.168.0.0 0.0.0.255 172.28.11.0 0.0.0.255
access-list 119 deny ip 10.111.112.0 0.0.0.3 192.168.200.0 0.0.0.255
access-list 119 deny ip 10.111.112.0 0.0.0.3 172.28.11.0 0.0.0.255
access-list 119 deny ip 192.168.0.0 0.0.0.255 172.28.7.0 0.0.0.255
access-list 119 deny ip 192.168.200.0 0.0.0.255 172.28.7.0 0.0.0.255
access-list 119 deny ip 172.28.66.0 0.0.0.255 172.28.11.0 0.0.0.255
access-list 119 permit ip 192.168.0.0 0.0.0.255 any
access-list 119 permit ip 10.111.112.0 0.0.0.3 any
access-list 123 remark IPSec NAT Fix
access-list 123 permit ip host 192.168.0.11 192.168.200.0 0.0.0.255
access-list 123 permit ip host 192.168.0.11 172.28.11.0 0.0.0.255
access-list 123 permit ip host 192.168.0.13 192.168.200.0 0.0.0.255
access-list 123 permit ip host 192.168.0.13 172.28.11.0 0.0.0.255
access-list 123 permit ip host 192.168.0.118 192.168.200.0 0.0.0.255
access-list 123 permit ip host 192.168.0.118 172.28.11.0 0.0.0.255
access-list 123 permit ip host 192.168.0.60 192.168.200.0 0.0.0.255
access-list 123 permit ip host 192.168.0.60 172.28.11.0 0.0.0.255
access-list 123 permit ip host 192.168.0.65 192.168.200.0 0.0.0.255
access-list 123 permit ip host 192.168.0.65 172.28.11.0 0.0.0.255
access-list 123 permit ip host 192.168.0.63 192.168.200.0 0.0.0.255
access-list 123 permit ip host 192.168.0.63 172.28.11.0 0.0.0.255
access-list 123 permit ip host 192.168.0.16 192.168.200.0 0.0.0.255
access-list 123 permit ip host 192.168.0.16 172.28.11.0 0.0.0.255
access-list 123 permit ip host 192.168.0.11 172.28.7.0 0.0.0.255
access-list 123 permit ip host 192.168.0.13 172.28.7.0 0.0.0.255
access-list 123 permit ip host 192.168.0.118 172.28.7.0 0.0.0.255
access-list 123 permit ip host 192.168.0.60 172.28.7.0 0.0.0.255
access-list 123 permit ip host 192.168.0.65 172.28.7.0 0.0.0.255
access-list 123 permit ip host 192.168.0.63 172.28.7.0 0.0.0.255
access-list 123 permit ip host 192.168.0.16 172.28.7.0 0.0.0.255
access-list 123 permit ip host 192.168.0.155 192.168.200.0 0.0.0.255
access-list 123 permit ip host 192.168.0.155 172.28.11.0 0.0.0.255
access-list 123 permit ip host 192.168.0.155 172.28.7.0 0.0.0.255
access-list 123 remark IPSec NAT Fix
dialer-list 1 protocol ip permit
snmp-server community RDAC RW 23
snmp-server community RDA RO 23
snmp-server enable traps tty
!
!
!
route-map nonat permit 10
match ip address 123
set ip next-hop 10.100.0.2
!
radius-server host 192.168.0.20 auth-port 1645 acct-port 1646 key **********
!
control-plane
!
!
line con 0
password 7 110D1602464A19050B
no modem enable
line aux 0
line vty 0 4
access-class 23 in
password 7 130118155A54162324
!
scheduler max-task-time 5000
ntp clock-period 17174972
ntp server 192.168.0.20
end
Aug 20 03:39:49.967: ISAKMP (0:0): received packet from **************8 dport 500 sport 1156 Global (N) NEW SA
Aug 20 03:39:49.967: ISAKMP: Created a peer struct for ****************88, peer port 1156
Aug 20 03:39:49.967: ISAKMP: New peer created peer = 0x82D9411C peer_handle = 0x80000029
Aug 20 03:39:49.967: ISAKMP: Locking peer struct 0x82D9411C, refcount 1 for crypto_isakmp_process_block
Aug 20 03:39:49.967: ISAKMP:(0):Setting client config settings 83BCB4C4
Aug 20 03:39:49.967: ISAKMP:(0):(Re)Setting client xauth list and state
Aug 20 03:39:49.967: ISAKMP/xauth: initializing AAA request
Aug 20 03:39:49.971: ISAKMP: local port 500, remote port 1156
Aug 20 03:39:49.971: insert sa successfully sa = 83FEB880
Aug 20 03:39:49.971: ISAKMP:(0): processing SA payload. message ID = 0
Aug 20 03:39:49.971: ISAKMP:(0): processing ID payload. message ID = 0
Aug 20 03:39:49.971: ISAKMP (0:0): ID payload
next-payload : 13
type : 11
group id : RDAPER
protocol : 17
port : 500
length : 14
Aug 20 03:39:49.971: ISAKMP:(0):: peer matches *none* of the profiles
Aug 20 03:39:49.971: ISAKMP:(0): processing vendor id payload
Aug 20 03:39:49.971: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
Aug 20 03:39:49.971: ISAKMP:(0): vendor ID is XAUTH
Aug 20 03:39:49.971: ISAKMP:(0): processing vendor id payload
Aug 20 03:39:49.971: ISAKMP:(0): vendor ID is DPD
Aug 20 03:39:49.971: ISAKMP:(0): processing vendor id payload
Aug 20 03:39:49.975: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
Aug 20 03:39:49.975: ISAKMP:(0): processing vendor id payload
Aug 20 03:39:49.975: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Aug 20 03:39:49.975: ISAKMP:(0): vendor ID is NAT-T v2
Aug 20 03:39:49.975: ISAKMP:(0): processing vendor id payload
Aug 20 03:39:49.975: ISAKMP:(0): vendor ID is Unity
Aug 20 03:39:49.975: ISAKMP:(0): Authentication by xauth preshared
Aug 20 03:39:49.975: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Aug 20 03:39:49.975: ISAKMP: encryption AES-CBC
Aug 20 03:39:49.975: ISAKMP: hash SHA
Aug 20 03:39:49.975: ISAKMP: default group 2
Aug 20 03:39:49.975: ISAKMP: auth XAUTHInitPreShared
Aug 20 03:39:49.975: ISAKMP: life type in seconds
Aug 20 03:39:49.975: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Aug 20 03:39:49.975: ISAKMP: keylength of 256
Aug 20 03:39:49.975: ISAKMP:(0):Encryption algorithm offered does not match policy!
Aug 20 03:39:49.975: ISAKMP:(0):atts are not acceptable. Next payload is 3
Aug 20 03:39:49.975: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
Aug 20 03:39:49.975: ISAKMP: encryption AES-CBC
Aug 20 03:39:49.975: ISAKMP: hash MD5
Aug 20 03:39:49.975: ISAKMP: default group 2
Aug 20 03:39:49.975: ISAKMP: auth XAUTHInitPreShared
Aug 20 03:39:49.975: ISAKMP: life type in seconds
Aug 20 03:39:49.975: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Aug 20 03:39:49.975: ISAKMP: keylength of 256
Aug 20 03:39:49.979: ISAKMP:(0):Encryption algorithm offered does not match policy!
Aug 20 03:39:49.979: ISAKMP:(0):atts are not acceptable. Next payload is 3
Aug 20 03:39:49.979: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
Aug 20 03:39:49.979: ISAKMP: encryption AES-CBC
Aug 20 03:39:49.979: ISAKMP: hash SHA
Aug 20 03:39:49.979: ISAKMP: default group 2
Aug 20 03:39:49.979: ISAKMP: auth pre-share
Aug 20 03:39:49.979: ISAKMP: life type in seconds
Aug 20 03:39:49.979: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Aug 20 03:39:49.979: ISAKMP: keylength of 256
Aug 20 03:39:49.979: ISAKMP:(0):Encryption algorithm offered does not match policy!
Aug 20 03:39:49.979: ISAKMP:(0):atts are not acceptable. Next payload is 3
Aug 20 03:39:49.979: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
Aug 20 03:39:49.979: ISAKMP: encryption AES-CBC
Aug 20 03:39:49.979: ISAKMP: hash MD5
Aug 20 03:39:49.979: ISAKMP: default group 2
Aug 20 03:39:49.979: ISAKMP: auth pre-share
Aug 20 03:39:49.979: ISAKMP: life type in seconds
Aug 20 03:39:49.979: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Aug 20 03:39:49.979: ISAKMP: keylength of 256
Aug 20 03:39:49.979: ISAKMP:(0):Encryption algorithm offered does not match policy!
Aug 20 03:39:49.979: ISAKMP:(0):atts are not acceptable. Next payload is 3
Aug 20 03:39:49.979: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
Aug 20 03:39:49.979: ISAKMP: encryption AES-CBC
Aug 20 03:39:49.979: ISAKMP: hash SHA
Aug 20 03:39:49.979: ISAKMP: default group 2
Aug 20 03:39:49.979: ISAKMP: auth XAUTHInitPreShared
Aug 20 03:39:49.979: ISAKMP: life type in seconds
Aug 20 03:39:49.983: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Aug 20 03:39:49.983: ISAKMP: keylength of 128
Aug 20 03:39:49.983: ISAKMP:(0):Encryption algorithm offered does not match policy!
Aug 20 03:39:49.983: ISAKMP:(0):atts are not acceptable. Next payload is 3
Aug 20 03:39:49.983: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
Aug 20 03:39:49.983: ISAKMP: encryption AES-CBC
Aug 20 03:39:49.983: ISAKMP: hash MD5
Aug 20 03:39:49.983: ISAKMP: default group 2
Aug 20 03:39:49.983: ISAKMP: auth XAUTHInitPreShared
Aug 20 03:39:49.983: ISAKMP: life type in seconds
Aug 20 03:39:49.983: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Aug 20 03:39:49.983: ISAKMP: keylength of 128
Aug 20 03:39:49.983: ISAKMP:(0):Encryption algorithm offered does not match policy!
Aug 20 03:39:49.983: ISAKMP:(0):atts are not acceptable. Next payload is 3
Aug 20 03:39:49.983: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
Aug 20 03:39:49.983: ISAKMP: encryption AES-CBC
Aug 20 03:39:49.983: ISAKMP: hash SHA
Aug 20 03:39:49.983: ISAKMP: default group 2
Aug 20 03:39:49.983: ISAKMP: auth pre-share
Aug 20 03:39:49.983: ISAKMP: life type in seconds
Aug 20 03:39:49.983: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Aug 20 03:39:49.983: ISAKMP: keylength of 128
Aug 20 03:39:49.983: ISAKMP:(0):Encryption algorithm offered does not match policy!
Aug 20 03:39:49.983: ISAKMP:(0):atts are not acceptable. Next payload is 3
Aug 20 03:39:49.987: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
Aug 20 03:39:49.987: ISAKMP: encryption AES-CBC
Aug 20 03:39:49.987: ISAKMP: hash MD5
Aug 20 03:39:49.987: ISAKMP: default group 2
Aug 20 03:39:49.987: ISAKMP: auth pre-share
Aug 20 03:39:49.987: ISAKMP: life type in seconds
Aug 20 03:39:49.987: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Aug 20 03:39:49.987: ISAKMP: keylength of 128
Aug 20 03:39:49.987: ISAKMP:(0):Encryption algorithm offered does not match policy!
Aug 20 03:39:49.987: ISAKMP:(0):atts are not acceptable. Next payload is 3
Aug 20 03:39:49.987: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
Aug 20 03:39:49.987: ISAKMP: encryption 3DES-CBC
Aug 20 03:39:49.987: ISAKMP: hash SHA
Aug 20 03:39:49.987: ISAKMP: default group 2
Aug 20 03:39:49.987: ISAKMP: auth XAUTHInitPreShared
Aug 20 03:39:49.987: ISAKMP: life type in seconds
Aug 20 03:39:49.987: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Aug 20 03:39:49.987: ISAKMP:(0):Hash algorithm offered does not match policy!
Aug 20 03:39:49.987: ISAKMP:(0):atts are not acceptable. Next payload is 3
Aug 20 03:39:49.987: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy
Aug 20 03:39:49.987: ISAKMP: encryption 3DES-CBC
Aug 20 03:39:49.987: ISAKMP: hash MD5
Aug 20 03:39:49.987: ISAKMP: default group 2
Aug 20 03:39:49.987: ISAKMP: auth XAUTHInitPreShared
Aug 20 03:39:49.987: ISAKMP: life type in seconds
Aug 20 03:39:49.987: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Aug 20 03:39:49.987: ISAKMP:(0):atts are acceptable. Next payload is 3
Aug 20 03:39:49.987: ISAKMP:(0): processing KE payload. message ID = 0
Aug 20 03:39:49.995: ISAKMP:(0): processing NONCE payload. message ID = 0
Aug 20 03:39:49.995: ISAKMP:(0): vendor ID is NAT-T v2
Aug 20 03:39:49.995: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Aug 20 03:39:49.995: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
Aug 20 03:39:49.999: ISAKMP:(2029): constructed NAT-T vendor-02 ID
Aug 20 03:39:49.999: ISAKMP:(2029):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
Aug 20 03:39:49.999: ISAKMP (0:2029): ID payload
next-payload : 10
type : 1
address : 203.134.63.178
protocol : 17
port : 0
length : 12
Aug 20 03:39:49.999: ISAKMP:(2029):Total payload length: 12
Aug 20 03:39:50.003: ISAKMP:(2029): sending packet to ************** my_port 500 peer_port 1156 (R) AG_INIT_EXCH
Aug 20 03:39:50.003: ISAKMP:(2029):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
Aug 20 03:39:50.003: ISAKMP:(2029):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
Aug 20 03:39:50.263: ISAKMP (0:2029): received packet from **************8 dport 4500 sport 1157 Global (R) AG_INIT_EXCH
Aug 20 03:39:50.263: ISAKMP:(2029): processing HASH payload. message ID = 0
Aug 20 03:39:50.263: ISAKMP:(2029): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 83FEB880
Aug 20 03:39:50.263: ISAKMP:received payload type 20
Aug 20 03:39:50.263: ISAKMP:received payload type 20
Aug 20 03:39:50.263: ISAKMP (0:2029): NAT found, the node outside NAT
Aug 20 03:39:50.263: ISAKMP:(2029):SA authentication status:
authenticated
Aug 20 03:39:50.263: ISAKMP:(2029):SA has been authenticated with 220.233.203.106
Aug 20 03:39:50.263: ISAKMP:(2029):Detected port,floating to port = 1157
Aug 20 03:39:50.263: ISAKMP: Trying to find existing peer ***************
Aug 20 03:39:50.263: ISAKMP:(2029):SA authentication status:
authenticated
Aug 20 03:39:50.263: ISAKMP:(2029): Process initial contact,
bring down existing phase 1 and 2 SA's with local ***************8 remote ***********88 remote port 1157
Aug 20 03:39:50.267: ISAKMP:(2029):returning IP addr to the address pool
Aug 20 03:39:50.267: ISAKMP: Trying to insert a peer **********8/, and inserted successfully 82D9411C.
Aug 20 03:39:50.267: ISAKMP: set new node -2054341534 to CONF_XAUTH
Aug 20 03:39:50.271: ISAKMP:(2029):Sending NOTIFY RESPONDER_LIFETIME protocol 1
spi 2206265168, message ID = -2054341534
Aug 20 03:39:50.271: ISAKMP:(2029): sending packet to ******************** my_port 4500 peer_port 1157 (R) QM_IDLE
Aug 20 03:39:50.271: ISAKMP:(2029):purging node -2054341534
Aug 20 03:39:50.271: ISAKMP: Sending phase 1 responder lifetime 28800
Aug 20 03:39:50.271: ISAKMP:(2029):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Aug 20 03:39:50.271: ISAKMP:(2029):Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE
Aug 20 03:39:50.271: ISAKMP:(2029):Need XAUTH
Aug 20 03:39:50.271: ISAKMP: set new node -567734444 to CONF_XAUTH
Aug 20 03:39:50.271: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
Aug 20 03:39:50.271: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
Aug 20 03:39:50.275: ISAKMP:(2029): initiating peer config to ****. ID = -567734444
Aug 20 03:39:50.275: ISAKMP:(2029): sending packet to **** my_port 4500 peer_port 1157 (R) CONF_XAUTH
Aug 20 03:39:50.275: ISAKMP:(2029):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Aug 20 03:39:50.275: ISAKMP:(2029):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT
Aug 20 03:39:57.185: ISAKMP (0:2029): received packet from ************** dport 4500 sport 1157 Global (R) CONF_XAUTH
Aug 20 03:39:57.185: ISAKMP:(2029):processing transaction payload from *****************8. message ID = -567734444
Aug 20 03:39:57.185: ISAKMP: Config payload REPLY
Aug 20 03:39:57.185: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
Aug 20 03:39:57.185: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
Aug 20 03:39:57.189: ISAKMP:(2029):deleting node -567734444 error FALSE reason "Done with xauth request/reply exchange"
Aug 20 03:39:57.189: ISAKMP:(2029):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
Aug 20 03:39:57.189: ISAKMP:(2029):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
Aug 20 03:39:57.289: ISAKMP: set new node 1173242474 to CONF_XAUTH
Aug 20 03:39:57.289: ISAKMP:(2029): initiating peer config to 220.233.203.106. ID = 1173242474
Aug 20 03:39:57.289: ISAKMP:(2029): sending packet to **06 my_port 4500 peer_port 1157 (R) CONF_XAUTH
Aug 20 03:39:57.293: ISAKMP:(2029):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
Aug 20 03:39:57.293: ISAKMP:(2029):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_SET_SENT
Aug 20 03:39:57.433: ISAKMP (0:2029): received packet from 220.233.203.106 dport 4500 sport 1157 Global (R) CONF_XAUTH
Aug 20 03:39:57.433: ISAKMP:(2029):processing transaction payload from 220.233.203.106. message ID = 1173242474
Aug 20 03:39:57.433: ISAKMP: Config payload ACK
Aug 20 03:39:57.433: ISAKMP:(2029): (blank) XAUTH ACK Processed
Aug 20 03:39:57.437: ISAKMP:(2029):deleting node 1173242474 error FALSE reason "Transaction mode done"
Aug 20 03:39:57.437: ISAKMP:(2029):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
Aug 20 03:39:57.437: ISAKMP:(2029):Old State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE
Aug 20 03:39:57.437: ISAKMP:(2029):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Aug 20 03:39:57.437: ISAKMP:(2029):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Aug 20 03:39:57.785: ISAKMP (0:2029): received packet from 2****.106 dport 4500 sport 1157 Global (R) QM_IDLE
Aug 20 03:39:57.785: ISAKMP: set new node 1110568144 to QM_IDLE
Aug 20 03:39:57.785: ISAKMP:(2029):processing transaction payload from 220.233.203.106. message ID = 1110568144
Aug 20 03:39:57.785: ISAKMP: Config payload REQUEST
Aug 20 03:39:57.785: ISAKMP:(2029):checking request:
Aug 20 03:39:57.785: ISAKMP: IP4_ADDRESS
Aug 20 03:39:57.785: ISAKMP: IP4_NETMASK
Aug 20 03:39:57.785: ISAKMP: IP4_DNS
Aug 20 03:39:57.789: ISAKMP: IP4_NBNS
Aug 20 03:39:57.789: ISAKMP: ADDRESS_EXPIRY
Aug 20 03:39:57.789: ISAKMP: MODECFG_BANNER
Aug 20 03:39:57.789: ISAKMP: MODECFG_SAVEPWD
Aug 20 03:39:57.789: ISAKMP: DEFAULT_DOMAIN
Aug 20 03:39:57.789: ISAKMP: SPLIT_INCLUDE
Aug 20 03:39:57.789: ISAKMP: SPLIT_DNS
Aug 20 03:39:57.789: ISAKMP: PFS
Aug 20 03:39:57.789: ISAKMP: MODECFG_BROWSER_PROXY
Aug 20 03:39:57.789: ISAKMP: BACKUP_SERVER
Aug 20 03:39:57.789: ISAKMP: CONFIG_MODE_UNKNOWN Unknown Attr: 0x700C
Aug 20 03:39:57.789: ISAKMP: APPLICATION_VERSION
Aug 20 03:39:57.789: ISAKMP: FW_RECORD
Aug 20 03:39:57.789: ISAKMP: MODECFG_HOSTNAME
Aug 20 03:39:57.789: ISAKMP/author: Author request for group RDAPERsuccessfully sent to AAA
Aug 20 03:39:57.789: ISAKMP:(2029):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
Aug 20 03:39:57.789: ISAKMP:(2029):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
Aug 20 03:39:57.793: ISAKMP:(2029):Receive config attributes requested butconfig attributes not in crypto map. Sending empty reply.
Aug 20 03:39:57.793: ISAKMP:(2029):attributes sent in message:
Aug 20 03:39:57.793: Address: 0.2.0.0
Aug 20 03:39:57.793: ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the address: 28792
Aug 20 03:39:57.793: ISAKMP (0/2029): Unknown Attr: CONFIG_MODE_UNKNOWN (0x700C)
Aug 20 03:39:57.793: ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(9)T3, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Sat 24-Mar-07 03:56 by prod_rel_team
Aug 20 03:39:57.793: ISAKMP (0/2029): Unknown Attr: MODECFG_HOSTNAME (0x700A)
Aug 20 03:39:57.793: ISAKMP:(2029): responding to peer config from 220.233.203.106. ID = 1110568144
Aug 20 03:39:57.797: ISAKMP:(2029): sending packet to ***06 my_port 4500 peer_port 1157 (R) CONF_ADDR
Aug 20 03:39:57.797: ISAKMP:(2029):deleting node 1110568144 error FALSE reason "No Error"
Aug 20 03:39:57.797: ISAKMP:(2029):Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR
Aug 20 03:39:57.797: ISAKMP:(2029):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_P1_COMPLETE
Aug 20 03:39:57.797: ISAKMP:(2029):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Aug 20 03:39:57.797: ISAKMP:(2029):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Aug 20 03:39:58.229: ISAKMP (0:2029): received packet from 2**3.106 dport 4500 sport 1157 Global (R) QM_IDLE
Aug 20 03:39:58.229: ISAKMP: set new node -1232980111 to QM_IDLE
Aug 20 03:39:58.229: ISAKMP:(2029): processing HASH payload. message ID = -1232980111
Aug 20 03:39:58.229: ISAKMP:received payload type 18
Aug 20 03:39:58.229: ISAKMP:(2029): processing DELETE_WITH_REASON payload, message ID = -1232980111, reason: DELETE_BY_USER_COMMAND
Aug 20 03:39:58.229: ISAKMP:(2029):peer does not do paranoid keepalives.
Aug 20 03:39:58.229: ISAKMP:(2029):deleting SA reason "BY user command" state (R) QM_IDLE (peer 220.233.203.106)
Aug 20 03:39:58.229: ISAKMP:(2029):deleting node -1232980111 error FALSE reason "Informational (in) state 1"
Aug 20 03:39:58.229: ISAKMP: set new node -1138782828 to QM_IDLE
Aug 20 03:39:58.233: ISAKMP:(2029): sending packet to ***06 my_port 4500 peer_port 1157 (R) QM_IDLE
Aug 20 03:39:58.233: ISAKMP:(2029):purging node -1138782828
Aug 20 03:39:58.233: ISAKMP:(2029):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Aug 20 03:39:58.233: ISAKMP:(2029):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Aug 20 03:39:58.233: ISAKMP:(2029):deleting SA reason "No reason" state (R) QM_IDLE (peer 220.233.203.106)
Aug 20 03:39:58.233: ISAKMP: Unlocking peer struct 0x82D9411C for isadb_mark_sa_deleted(), count 0
Aug 20 03:39:58.237: ISAKMP: Deleting peer node by peer_reap for 220.233.203.106: 82D9411C
Aug 20 03:39:58.237: ISAKMP:(2029):deleting node -567734444 error FALSE reason "IKE deleted"
Aug 20 03:39:58.237: ISAKMP:(2029):deleting node 1173242474 error FALSE reason "IKE deleted"
Aug 20 03:39:58.237: ISAKMP:(2029):deleting node 1110568144 error FALSE reason "IKE deleted"
Aug 20 03:39:58.237: ISAKMP:(2029):deleting node -1232980111 error FALSE reason "IKE deleted"
Aug 20 03:39:58.237: ISAKMP:(2029):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 20 03:39:58.237: ISAKMP:(2029):Old State = IKE_DEST_SA New State = IKE_DEST_SA
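A small triage script for the output above, added here as an example and not part of the original post: it extracts the IKE state transitions and the Mode Config failure markers from the debug, then lists crypto maps applied to an interface that have no `client configuration address` line, which is the condition the "config attributes not in crypto map" debug message names. `CONFIG` and `LOG` are excerpts copied from the post; the function and marker names are assumptions made for this example.

```python
import re

# Excerpts copied from the configuration and debug output in the post above.
# Indentation was already lost in the post, so parsing does not rely on it.
CONFIG = """\
crypto map RDAPER client authentication list userauthen
crypto map RDAPER isakmp authorization list groupauthor
crypto map RDAPER 10 ipsec-isakmp dynamic dynmap
crypto map RDAVPN client authentication list userauthen
crypto map RDAVPN isakmp authorization list groupauthor
crypto map RDAVPN client configuration address respond
crypto map RDAVPN 30 ipsec-isakmp dynamic dynmap
interface Dialer0
ip nat outside
crypto map RDAPER
interface Dialer1
no ip address
"""

LOG = """\
Aug 20 03:39:57.437: ISAKMP:(2029):Old State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE
Aug 20 03:39:57.789: ISAKMP:(2029):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
Aug 20 03:39:57.793: ISAKMP:(2029):Receive config attributes requested butconfig attributes not in crypto map. Sending empty reply.
Aug 20 03:39:57.793: Address: 0.2.0.0
Aug 20 03:39:57.797: ISAKMP:(2029):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_P1_COMPLETE
Aug 20 03:39:58.229: ISAKMP:(2029): processing DELETE_WITH_REASON payload, message ID = -1232980111, reason: DELETE_BY_USER_COMMAND
Aug 20 03:39:58.233: ISAKMP:(2029):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
ADDR_MODE_RE = re.compile(
    r"^\s*crypto map (\S+) client configuration address (?:respond|initiate)\b",
    re.M,
)
# Marker names are labels chosen for this example; the text is from the debug.
MARKERS = {
    "empty_mode_config_reply": "Sending empty reply",
    "peer_deleted_sa": "DELETE_WITH_REASON",
}


def state_transitions(log):
    """Return (old, new) IKE state pairs in log order, skipping no-op repeats."""
    pairs = [m.groups() for m in map(STATE_RE.search, log.splitlines()) if m]
    return [(old, new) for old, new in pairs if old != new]


def findings(log):
    """Return the MARKERS names seen in the log, in order of first appearance."""
    found = []
    for line in log.splitlines():
        for name, text in MARKERS.items():
            if text in line and name not in found:
                found.append(name)
    return found


def interface_crypto_maps(config):
    """Map each interface to the crypto map applied on it."""
    bound, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if len(words) == 2 and words[0] == "interface":
            current = words[1]
        elif len(words) == 3 and words[:2] == ["crypto", "map"] and current:
            bound[current] = words[2]  # bare "crypto map NAME" = binding
    return bound


def bound_maps_without_address_mode(config):
    """Interface-bound crypto maps lacking 'client configuration address'."""
    have = {m.group(1) for m in ADDR_MODE_RE.finditer(config)}
    return {i: m for i, m in interface_crypto_maps(config).items()
            if m not in have}


if __name__ == "__main__":
    for old, new in state_transitions(LOG):
        print(f"{old} -> {new}")
    print("log findings:", findings(LOG))
    print("bound maps missing address mode:",
          bound_maps_without_address_mode(CONFIG))
```

On the posted configuration this reports Dialer0 with RDAPER: the `client configuration address respond` line appears only under RDAVPN, which is not applied to any interface.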
08-20-2012 05:53 PM
any clues anyone?
thanks