
Site to Site VPN assistance

Hi All

I hope to get some clarification and assistance here on a configuration issue I can't get my head around.

I have a Cisco C837 router, all functional, with client access VPNs set up and working. It's an inherited setup and not our own, and I need to create a site-to-site VPN to another Cisco small business router, preferably whilst keeping the current client access setup. From what I've read you can only have 1 crypto map per interface, and I can just about get my head around creating a static VPN for site to site when the router doesn't have an existing crypto map and policy. I can't, however, figure out how to add the site to site on top of this setup. From what I have read it can be done using the existing crypto map, but I'm only getting bits of the required setup information from here and there, nothing concrete.

Can anyone help and save my sanity?


Accepted Solutions
Re: Site to Site VPN assistance

Hello,

Did you add the no-xauth command on the 837 for the crypto isakmp key command?

IE: crypto isakmp key your_key_goes_here address x.x.x.x no-xauth? I'm seeing a lot of XAUTH information in that debug that I'm not accustomed to seeing. Xauth only comes into play with your remote VPN clients like the Cisco VPN client - it's what initiates the username/pass request after you authenticate the Group Name and Key successfully. It's not used in site-to-site IPSEC VPN configurations.

Edit: I see you just posted the config. Change it to:

crypto isakmp key 0 mysharedkey address 80.176.85.8 no-xauth

and see if that makes any difference.
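
The XAUTH symptom discussed in this thread can be picked out of `debug crypto isakmp` output mechanically. The following is an added Python example, not part of any poster's reply: the function names are illustrative, the set of site-to-site peers is assumed to be supplied by the operator, and the sample is an excerpt of the debug output posted in this thread with the terminal line wraps rejoined.

```python
import re
from collections import defaultdict

# Excerpt of the `debug crypto isakmp` output posted in this thread, with the
# terminal's 80-column wraps rejoined so each message is on one line.
SAMPLE_DEBUG = """\
05:55:10: ISAKMP (0:112): Checking ISAKMP transform 0 against priority 2 policy
05:55:10: ISAKMP (0:112): Diffie-Hellman group offered does not match policy!
05:55:10: ISAKMP (0:112): atts are not acceptable. Next payload is 0
05:55:10: ISAKMP (0:112): Checking ISAKMP transform 0 against priority 3 policy
05:55:10: ISAKMP (0:112): Hash algorithm offered does not match policy!
05:55:10: ISAKMP (0:112): atts are not acceptable. Next payload is 0
05:55:10: ISAKMP (0:112): no offers accepted!
05:55:22: ISAKMP (0:111): deleting SA reason "death by retransmission P2" state (I) CONF_XAUTH    (peer 80.176.85.8) input queue 0
05:55:32: ISAKMP (0:113): Checking ISAKMP transform 1 against priority 2 policy
05:55:32: ISAKMP (0:113): atts are acceptable. Next payload is 0
05:55:32: ISAKMP (0:113): SA has been authenticated with 80.176.85.8
05:55:32: ISAKMP (0:113): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
05:55:32: ISAKMP (0:113): Need XAUTH
05:55:37: ISAKMP (0:113): retransmitting phase 2 1403552346 CONF_XAUTH
05:55:42: ISAKMP (0:113): retransmitting phase 2 1403552346 CONF_XAUTH
05:55:47: ISAKMP (0:113): retransmitting phase 2 1403552346 CONF_XAUTH
"""

# "HH:MM:SS: ISAKMP (0:113): message" and the "(113):" / "(0:113) msg" variants.
LINE = re.compile(r"^\d\d:\d\d:\d\d: ISAKMP \((?:\d+:)?(\d+)\):? ?(.*)$")
CHECK = re.compile(r"Checking ISAKMP transform \d+ against priority (\d+) policy")
MISMATCH = re.compile(r"^(.+?) offered does not match policy!")
PEER = re.compile(r"(?:authenticated with|sending packet to|\(peer) (\d+\.\d+\.\d+\.\d+)")
RETRANS = re.compile(r"retransmitting phase 2 -?\d+ CONF_XAUTH")


def _new_sa():
    return {"peer": None, "rejected": [], "accepted": None, "p1_failed": False,
            "p1_complete": False, "xauth": False, "xauth_retransmits": 0,
            "died_in_xauth": False}


def triage(debug_text):
    """Summarise every IKE SA seen in the debug text, keyed by SA id."""
    sas = defaultdict(_new_sa)
    priority = {}  # SA id -> ISAKMP policy priority currently being compared
    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # attribute lines ("ISAKMP:   hash MD5") and typed commands
        sa_id, msg = int(m.group(1)), m.group(2)
        sa = sas[sa_id]
        peer = PEER.search(msg)
        if peer:
            sa["peer"] = peer.group(1)
        check = CHECK.search(msg)
        mismatch = MISMATCH.match(msg)
        if check:
            priority[sa_id] = int(check.group(1))
        elif mismatch:
            # Record which local policy refused the offer and why.
            sa["rejected"].append((priority.get(sa_id), mismatch.group(1)))
        elif msg.startswith("atts are acceptable"):
            sa["accepted"] = priority.get(sa_id)
        elif msg.startswith("no offers accepted"):
            sa["p1_failed"] = True
        elif "New State = IKE_P1_COMPLETE" in msg:
            sa["p1_complete"] = True
        if "Need XAUTH" in msg or "CONF_XAUTH" in msg:
            sa["xauth"] = True
        if RETRANS.search(msg):
            sa["xauth_retransmits"] += 1
        if "death by retransmission" in msg and "CONF_XAUTH" in msg:
            sa["died_in_xauth"] = True
    return dict(sas)


def l2l_xauth_findings(report, l2l_peers):
    """SA ids where XAUTH ran against a peer that should be plain site-to-site.

    A hit means the pre-shared key for that peer is missing no-xauth.
    """
    return sorted(sa_id for sa_id, sa in report.items()
                  if sa["xauth"] and sa["peer"] in l2l_peers)


if __name__ == "__main__":
    report = triage(SAMPLE_DEBUG)
    for sa_id in l2l_xauth_findings(report, {"80.176.85.8"}):
        print(f"SA {sa_id}: XAUTH requested from L2L peer {report[sa_id]['peer']}")
    for sa_id, sa in report.items():
        for prio, reason in sa["rejected"]:
            print(f"SA {sa_id}: policy {prio} rejected offer ({reason})")
```
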

Cisco Employee

Site to Site VPN assistance

Yes, Jonathan is right.

Pls edit it as follows:

crypto isakmp key 0 mysharedkey address 80.176.85.8 no-xauth no-config

Re: Site to Site VPN assistance

I also noticed, that if your remote subnet is 192.168.22.0 0.0.0.255, then the order you have in your NAT access list needs to change.

You have the following:

access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.22.0 0.0.0.255

The first line will NAT-exempt traffic going to the 192.168.101.0 0.0.0.255 subnet, but the second line permits any traffic going from 192.168.1.0 0.0.0.255 to any site to be NAT'ed. You should move the deny statement for 192.168.1.0 to 192.168.22.0 up a line before the permit any statement so it will be NAT exempt as well. For example:

access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.22.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any

It should be in that order, because the ACL processes matches in a top-down fashion.

Re: Site to Site VPN assistance

Where that isakmp key is just for that specific IPSEC host, you should be fine to add the no-xauth at the end of the line -- it shouldn't affect your VPN users, which pull their config from the crypto isakmp client configuration group section.

Re: Site to Site VPN assistance

Good to hear everything is up and running now!

Using the VPN client at the remote location where there is an IPSEC tunnel already in place just seems like it would end up being more trouble than it's worth, especially where the SRP527W is probably limited in what NAT exemptions and Crypto ACL configs you can pull off.

You could probably also get your DHCP server to associate the MAC address of his PC with the same IP address every time when he's at that location, or a unique range of IPs and only allow that IP or range of IPs to travel across the tunnel to the exchange server/ any other resources he wants to reach.

Also, keep in mind you can apply an access-list to the Crypto Map just like you would to an interface. This way, once the traffic is decrypted, it will process the packets just like a regular firewall, so you could lock down access just to specific ports/hosts/source/destination, etc, just like normal:

crypto map rtp 5 ipsec-isakmp
 set ip access-group (ACL NAME)

25 REPLIES
Cisco Employee

Site to Site VPN assistance

All you have to do is to configure the static lan-to-lan VPN with the same crypto map name, but with a different sequence number. It needs to have a sequence number with a lower number than the crypto map for the vpn client.

Eg:

If your vpn client has the following configuration:

crypto map mymap 500 ipsec-isakmp dynamic

Then for the static lan-to-lan tunnel, you can use the same name and configure the static ones:

crypto map mymap 10 ipsec-isakmp
  set peer <remote-peer-ip>
  set transform-set <transform-set-name>
  match address <crypto-acl>

Here is a configuration guide for the LAN-to-LAN side (check out the router config):

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml

Hope that helps.

Beginner

Site to Site VPN assistance

Hi Jennifer

Thanks for the response, that's sort of what I have read so far, but can I also use the same transfer set name for the static VPN?

Cisco Employee

Site to Site VPN assistance

Yes, you can use the same transform-set that you use for your existing VPN Client, or you can create a new transform-set as well.

Just be advised that the transform-set entry needs to match on both ends of the tunnel.

Beginner

Site to Site VPN assistance

Hi Jennifer

The other end of the tunnel is a SRP527W-K9-G5 Small Business Pro; it doesn't say anything about transform set in the options and I cannot access the CLI.

Cisco Employee

Site to Site VPN assistance

It should have the IPSec policy on that device.

Yes, you are right, they won't call it transform-set. Just check for the IPSec policy on the remote end.

Beginner

Site to Site VPN assistance

Hi Jennifer

Yes, that's what I set up, with the same settings etc.

Policy on its way to you in PM

Regards

Cisco Employee

Site to Site VPN assistance

Excellent.

Just PM'd you back the necessary configuration.

Beginner

Site to Site VPN assistance

Link doesn't appear to be working as yet; constant pings run to add to the debug log below.

I did see something in there about no matching policy?

Any advice?


05:42:56: ISAKMP (0:81): Need XAUTH
05:42:56: ISAKMP (0:81): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
05:42:56: ISAKMP (0:81): Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_AAA_
START_LOGIN_AWAIT

05:42:56: ISAKMP: got callback 1
05:42:56: ISAKMP: set new node 1266304201 to CONF_XAUTH
05:42:56: ISAKMP/xauth: request attribute XAUTH_TYPE
05:42:56: ISAKMP/xauth: request attribute XAUTH_MESSAGE
05:42:56: ISAKMP/xauth: request attribute XAUTH_USER_NAME
05:42:56: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
05:42:56: ISAKMP (0:81): initiating peer config to 80.176.85.8. ID = 1266304201
05:42:56: ISAKMP (0:81): sending packet to 80.176.85.8 my_port 500 peer_port 500
(I) CONF_XAUTH
05:42:56: ISAKMP (0:81): Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOGIN
05:42:56: ISAKMP (0:81): Old State = IKE_XAUTH_AAA_START_LOGIN_AWAIT  New State
= IKE_XAUTH_REQ_SENT
nodebug crypto isakmp
05:43:01: ISAKMP (0:81): retransmitting phase 2 CONF_XAUTH    1266304201 ...
05:43:01: ISAKMP (0:81): incrementing error counter on sa: retransmit phase 2
05:43:01: ISAKMP (0:81): incrementing error counter on sa: retransmit phase 2
05:43:01: ISAKMP (0:81): retransmitting phase 2 1266304201 CONF_XAUTH
05:43:01: ISAKMP (0:81): sending packet to 80.176.85.8 my_port 500 peer_port 500
(I) CONF_XAUTH    debug crypto isakmp
Crypto ISAKMP debugging is off
DyconRouter#debug crypto isakmp
Crypto ISAKMP debugging is on
DyconRouter#
05:55:07: ISAKMP (0:111): retransmitting phase 2 CONF_XAUTH    -343755912 ...
05:55:07: ISAKMP (0:111): incrementing error counter on sa: retransmit phase 2
05:55:07: ISAKMP (0:111): incrementing error counter on sa: retransmit phase 2
05:55:07: ISAKMP (0:111): retransmitting phase 2 -343755912 CONF_XAUTH
05:55:07: ISAKMP (0:111): sending packet to 80.176.85.8 my_port 500 peer_port 50
0 (I) CONF_XAUTH
05:55:10: ISAKMP (0:0): received packet from 80.176.85.8 dport 500 sport 500 Glo
bal (N) NEW SA
05:55:10: ISAKMP: Found a peer struct for 80.176.85.8, peer port 500
05:55:10: ISAKMP: Locking peer struct 0x8180C7B0, IKE refcount 2 for crypto_ikmp
_config_initialize_sa
05:55:10: ISAKMP (0:0): (Re)Setting client xauth list userauthen and state
05:55:10: ISAKMP: local port 500, remote port 500
05:55:10: ISAKMP: insert sa successfully sa = 818150C0
05:55:10: ISAKMP (0:112): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
05:55:10: ISAKMP (0:112): Old State = IKE_READY  New State = IKE_R_MM1

05:55:10: ISAKMP (0:112): processing SA payload. message ID = 0
05:55:10: ISAKMP (0:112): processing vendor id payload
05:55:10: ISAKMP (0:112): vendor ID seems Unity/DPD but major 0 mismatch
05:55:10: ISAKMP (0:112): processing vendor id payload
05:55:10: ISAKMP (0:112): vendor ID is DPD
05:55:10: ISAKMP: Looking for a matching key for 80.176.85.8 in default : succes
s
05:55:10: ISAKMP (0:112): found peer pre-shared key matching 80.176.85.8
05:55:10: ISAKMP (0:112) local preshared key found
05:55:10: ISAKMP (0:112) Authentication by xauth preshared
05:55:10: ISAKMP (0:112): Checking ISAKMP transform 0 against priority 2 policy
05:55:10: ISAKMP:      life type in seconds
05:55:10: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x53
05:55:10: ISAKMP:      encryption 3DES-CBC
05:55:10: ISAKMP:      hash MD5
05:55:10: ISAKMP:      auth pre-share
05:55:10: ISAKMP:      default group 2
05:55:10: ISAKMP (0:112): Diffie-Hellman group offered does not match policy!
05:55:10: ISAKMP (0:112): atts are not acceptable. Next payload is 0
05:55:10: ISAKMP (0:112): Checking ISAKMP transform 0 against priority 3 policy
05:55:10: ISAKMP:      life type in seconds
05:55:10: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x53
05:55:10: ISAKMP:      encryption 3DES-CBC
05:55:10: ISAKMP:      hash MD5
05:55:10: ISAKMP:      auth pre-share
05:55:10: ISAKMP:      default group 2
05:55:10: ISAKMP (0:112): Hash algorithm offered does not match policy!
05:55:10: ISAKMP (0:112): atts are not acceptable. Next payload is 0
05:55:10: ISAKMP (0:112): Checking ISAKMP transform 0 against priority 65535 pol
icy
05:55:10: ISAKMP:      life type in seconds
05:55:10: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x53
05:55:10: ISAKMP:      encryption 3DES-CBC
05:55:10: ISAKMP:      hash MD5
05:55:10: ISAKMP:      auth pre-share
05:55:10: ISAKMP:      default group 2
05:55:10: ISAKMP (0:112): Encryption algorithm offered does not match policy!
05:55:10: ISAKMP (0:112): atts are not acceptable. Next payload is 0
05:55:10: ISAKMP (0:112): no offers accepted!
05:55:10: ISAKMP (0:112): phase 1 SA policy not acceptable! (local 95.177.89.17
remote 80.176.85.8)
05:55:10: ISAKMP (0:112): incrementing error counter on sa: construct_fail_ag_in
it
05:55:10: ISAKMP (0:112): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
05:55:10: ISAKMP (0:112): Old State = IKE_R_MM1  New State = IKE_R_MM1

05:55:10: ISAKMP (0:112): Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
05:55:10: ISAKMP (0:112): Old State = IKE_R_MM1  New State = IKE_READY

05:55:11: ISAKMP (0:109): purging node -552166740
05:55:11: ISAKMP (0:109): purging node 1578875044
05:55:12: ISAKMP (0:111): retransmitting phase 2 CONF_XAUTH    -343755912 ...
05:55:12: ISAKMP (0:111): incrementing error counter on sa: retransmit phase 2
05:55:12: ISAKMP (0:111): incrementing error counter on sa: retransmit phase 2
05:55:12: ISAKMP (0:111): retransmitting phase 2 -343755912 CONF_XAUTH
05:55:12: ISAKMP (0:111): sending packet to 80.176.85.8 my_port 500 peer_port 50
0 (I) CONF_XAUTH
05:55:17: ISAKMP (0:111): retransmitting phase 2 CONF_XAUTH    -343755912 ...
05:55:17: ISAKMP (0:111): incrementing error counter on sa: retransmit phase 2
05:55:17: ISAKMP (0:111): incrementing error counter on sa: retransmit phase 2
05:55:17: ISAKMP (0:111): retransmitting phase 2 -343755912 CONF_XAUTH
05:55:17: ISAKMP (0:111): sending packet to 80.176.85.8 my_port 500 peer_port 50
0 (I) CONF_XAUTH
05:55:21: ISAKMP (0:109): purging SA., sa=81813AA8, delme=81813AA8
05:55:22: ISAKMP (0:111): retransmitting phase 2 CONF_XAUTH    -343755912 ...
05:55:22: ISAKMP (0:111): peer does not do paranoid keepalives.

05:55:22: ISAKMP (0:111): deleting SA reason "death by retransmission P2" state
(I) CONF_XAUTH    (peer 80.176.85.8) input queue 0
05:55:22: ISAKMP (0:111): peer does not do paranoid keepalives.

05:55:22: ISAKMP: set new node 740025583 to CONF_XAUTH
05:55:22: ISAKMP (0:111): sending packet to 80.176.85.8 my_port 500 peer_port 50
0 (I) CONF_XAUTH
05:55:22: ISAKMP (0:111): purging node 740025583
05:55:22: ISAKMP (0:111): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
05:55:22: ISAKMP (0:111): Old State = IKE_XAUTH_REQ_SENT  New State = IKE_DEST_S
A

05:55:22: ISAKMP (0:111): deleting SA reason "" state (I) CONF_XAUTH    (peer 80
.176.85.8) input queue 0
05:55:22: ISAKMP: Unlocking IKE struct 0x8180C7B0 for isadb_mark_sa_deleted(), c
ount 1
05:55:22: ISAKMP (0:111): deleting node 1912558642 error FALSE reason ""
05:55:22: ISAKMP (0:111): deleting node -343755912 error FALSE reason ""
05:55:22: ISAKMP (0:111): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
05:55:22: ISAKMP (0:111): Old State = IKE_DEST_SA  New State = IKE_DEST_SA

05:55:22: ISAKMP (0:111): received packet from 80.176.85.8 dport 500 sport 500 G
lobal (I) MM_NO_STATE
05:55:31: ISAKMP: received ke message (3/1)
05:55:31: ISAKMP (0:111): peer does not do paranoid keepalives.

05:55:31: ISAKMP (0:110): peer does not do paranoid keepalives.

05:55:31: ISAKMP (0:112): peer does not do paranoid keepalives.

05:55:31: ISAKMP (0:112): deleting SA reason "gen_ipsec_isakmp_delete but doi is
akmp" state (R) MM_NO_STATE (peer 80.176.85.8) input queue 0
05:55:31: ISAKMP (0:112): deleting SA reason "gen_ipsec_isakmp_delete but doi is
akmp" state (R) MM_NO_STATE (peer 80.176.85.8) input queue 0
05:55:31: ISAKMP: Unlocking IKE struct 0x8180C7B0 for isadb_mark_sa_deleted(), c
ount 0
05:55:31: ISAKMP: Deleting peer node by peer_reap for 80.176.85.8: 8180C7B0
05:55:31: ISAKMP (0:112): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
05:55:31: ISAKMP (0:112): Old State = IKE_READY  New State = IKE_DEST_SA

05:55:32: ISAKMP: received ke message (1/1)
05:55:32: ISAKMP (0:0): SA request profile is (NULL)
05:55:32: ISAKMP: Created a peer struct for 80.176.85.8, peer port 500
05:55:32: ISAKMP: Locking peer struct 0x816DC700, IKE refcount 1 for crypto_ikmp
_config_initialize_sa
05:55:32: ISAKMP (0:0): Setting client config settings 816DA04C
05:55:32: ISAKMP (0:0): (Re)Setting client xauth list  and state
05:55:32: ISAKMP: local port 500, remote port 500
05:55:32: ISAKMP: set new node 0 to CONF_XAUTH
05:55:32: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa =
81813AA8
05:55:32: ISAKMP (0:113): Can not start Aggressive mode, trying Main mode.
05:55:32: ISAKMP: Looking for a matching key for 80.176.85.8 in default : succes
s
05:55:32: ISAKMP (0:113): found peer pre-shared key matching 80.176.85.8
05:55:32: ISAKMP (0:113): constructed NAT-T vendor-03 ID
05:55:32: ISAKMP (0:113): constructed NAT-T vendor-02 ID
05:55:32: ISAKMP (0:113): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
05:55:32: ISAKMP (0:113): Old State = IKE_READY  New State = IKE_I_MM1

05:55:32: ISAKMP (0:113): beginning Main Mode exchange
05:55:32: ISAKMP (0:113): sending packet to 80.176.85.8 my_port 500 peer_port 50
0 (I) MM_NO_STATE
05:55:32: ISAKMP (0:113): received packet from 80.176.85.8 dport 500 sport 500 G
lobal (I) MM_NO_STATE
05:55:32: ISAKMP (0:113): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
05:55:32: ISAKMP (0:113): Old State = IKE_I_MM1  New State = IKE_I_MM2

05:55:32: ISAKMP (0:113): processing SA payload. message ID = 0
05:55:32: ISAKMP (0:113): processing vendor id payload
05:55:32: ISAKMP (0:113): vendor ID seems Unity/DPD but major 0 mismatch
05:55:32: ISAKMP (0:113): processing vendor id payload
05:55:32: ISAKMP (0:113): vendor ID is DPD
05:55:32: ISAKMP: Looking for a matching key for 80.176.85.8 in default : succes
s
05:55:32: ISAKMP (0:113): found peer pre-shared key matching 80.176.85.8
05:55:32: ISAKMP (0:113) local preshared key found
05:55:32: ISAKMP (0:113) Authentication by xauth preshared
05:55:32: ISAKMP (0:113): Checking ISAKMP transform 1 against priority 2 policy
05:55:32: ISAKMP:      encryption 3DES-CBC
05:55:32: ISAKMP:      hash MD5
05:55:32: ISAKMP:      default group 1
05:55:32: ISAKMP:      auth pre-share
05:55:32: ISAKMP:      life type in seconds
05:55:32: ISAKMP:      life duration (basic) of 28800
05:55:32: ISAKMP (0:113): atts are acceptable. Next payload is 0
05:55:32: ISAKMP (0:113): processing vendor id payload
05:55:32: ISAKMP (0:113): vendor ID seems Unity/DPD but major 0 mismatch
05:55:32: ISAKMP (0:113): processing vendor id payload
05:55:32: ISAKMP (0:113): vendor ID is DPD
05:55:32: ISAKMP (0:113): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
05:55:32: ISAKMP (0:113): Old State = IKE_I_MM2  New State = IKE_I_MM2

05:55:32: ISAKMP (0:113): sending packet to 80.176.85.8 my_port 500 peer_port 50
0 (I) MM_SA_SETUP
05:55:32: ISAKMP (0:113): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
05:55:32: ISAKMP (0:113): Old State = IKE_I_MM2  New State = IKE_I_MM3

05:55:32: ISAKMP (0:113): received packet from 80.176.85.8 dport 500 sport 500 G
lobal (I) MM_SA_SETUP
05:55:32: ISAKMP (0:113): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
05:55:32: ISAKMP (0:113): Old State = IKE_I_MM3  New State = IKE_I_MM4

05:55:32: ISAKMP (0:113): processing KE payload. message ID = 0
05:55:32: ISAKMP (0:113): processing NONCE payload. message ID = 0
05:55:32: ISAKMP: Looking for a matching key for 80.176.85.8 in default : succes
s
05:55:32: ISAKMP (0:113): found peer pre-shared key matching 80.176.85.8
05:55:32: ISAKMP (0:113): SKEYID state generated
05:55:32: ISAKMP (0:113): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
05:55:32: ISAKMP (0:113): Old State = IKE_I_MM4  New State = IKE_I_MM4

05:55:32: ISAKMP (0:113): Send initial contact
05:55:32: ISAKMP (0:113): SA is doing pre-shared key authentication using id typ
e ID_IPV4_ADDR
05:55:32: ISAKMP (113): ID payload
        next-payload : 8
        type         : 1
        addr         : 95.177.89.17
        protocol     : 17
        port         : 500
        length       : 8
05:55:32: ISAKMP (113): Total payload length: 12
05:55:32: ISAKMP (0:113): sending packet to 80.176.85.8 my_port 500 peer_port 50
0 (I) MM_KEY_EXCH
05:55:32: ISAKMP (0:113): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
05:55:32: ISAKMP (0:113): Old State = IKE_I_MM4  New State = IKE_I_MM5

05:55:32: ISAKMP (0:113): received packet from 80.176.85.8 dport 500 sport 500 G
lobal (I) MM_KEY_EXCH
05:55:32: ISAKMP (0:113): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
05:55:32: ISAKMP (0:113): Old State = IKE_I_MM5  New State = IKE_I_MM6

05:55:32: ISAKMP (0:113): processing ID payload. message ID = 0
05:55:32: ISAKMP (0:113): processing HASH payload. message ID = 0
05:55:32: ISAKMP (0:113): SA has been authenticated with 80.176.85.8
05:55:32: ISAKMP (0:113): peer matches *none* of the profiles
05:55:32: ISAKMP: Trying to insert a peer 95.177.89.17/80.176.85.8/500/,  and in
serted successfully.
05:55:32: ISAKMP (0:113): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
05:55:32: ISAKMP (0:113): Old State = IKE_I_MM6  New State = IKE_I_MM6

05:55:32: ISAKMP (0:113): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
05:55:32: ISAKMP (0:113): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

05:55:32: ISAKMP (0:113): Need XAUTH
05:55:32: ISAKMP (0:113): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
05:55:32: ISAKMP (0:113): Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_AAA
_START_LOGIN_AWAIT

05:55:32: ISAKMP: got callback 1
05:55:32: ISAKMP: set new node 1403552346 to CONF_XAUTH
05:55:32: ISAKMP/xauth: request attribute XAUTH_TYPE
05:55:32: ISAKMP/xauth: request attribute XAUTH_MESSAGE
05:55:32: ISAKMP/xauth: request attribute XAUTH_USER_NAME
05:55:32: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
05:55:32: ISAKMP (0:113): initiating peer config to 80.176.85.8. ID = 1403552346
05:55:32: ISAKMP (0:113): sending packet to 80.176.85.8 my_port 500 peer_port 50
0 (I) CONF_XAUTH
05:55:32: ISAKMP (0:113): Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOGIN
05:55:32: ISAKMP (0:113): Old State = IKE_XAUTH_AAA_START_LOGIN_AWAIT  New State
= IKE_XAUTH_REQ_SENT
no debug crypto isakmp
05:55:37: ISAKMP (0:113): retransmitting phase 2 CONF_XAUTH    1403552346 ...
05:55:37: ISAKMP (0:113): incrementing error counter on sa: retransmit phase 2
05:55:37: ISAKMP (0:113): incrementing error counter on sa: retransmit phase 2
05:55:37: ISAKMP (0:113): retransmitting phase 2 1403552346 CONF_XAUTH
05:55:37: ISAKMP (0:113): sending packet to 80.176.85.8 my_port 500 peer_port 50
no no debug crypto isakmp
05:55:42: ISAKMP (0:110): purging node -1613856600
05:55:42: ISAKMP (0:110): purging node 365597337
05:55:42: ISAKMP (0:113): retransmitting phase 2 CONF_XAUTH    1403552346 ...
05:55:42: ISAKMP (0:113): incrementing error counter on sa: retransmit phase 2
05:55:42: ISAKMP (0:113): incrementing error counter on sa: retransmit phase 2
05:55:42: ISAKMP (0:113): retransmitting phase 2 1403552346 CONF_XAUTH
05:55:42: ISAKMP (0:113): sending packet to 80.176.85.8 my_port 500 peer_port 50
no debug crypto isakmp
05:55:47: ISAKMP (0:113): retransmitting phase 2 CONF_XAUTH    1403552346 ...
05:55:47: ISAKMP (0:113): incrementing error counter on sa: retransmit phase 2
05:55:47: ISAKMP (0:113): incrementing error counter on sa: retransmit phase 2
05:55:47: ISAKMP (0:113): retransmitting phase 2 1403552346 CONF_XAUTH
05:55:47: ISAKMP (0:113): sending packet to 80.176.85.8 my_port 500 peer_port 50
0 (I) CONF_XAUTH
Crypto ISAKMP debugging is off
DyconRouter#
06:47:58: %CRYPTO-4-IKMP_NO_SA: IKE message from 80.176.85.8     has no SA and i
s not an initialization offer

Re: Site to Site VPN assistance

Have you checked the pre-shared-key for this L2L tunnel? Could you please make sure it has the "no-xauth" keyword at the end?

crypto isakmp key enc-type-digit keystring {address peer-address [mask] | ipv6 ipv6-address/ipv6-prefix | hostname hostname} [no-xauth]

Thanks.

Portu.

Please rate any helpful posts

Beginner

Site to Site VPN assistance

Hi Portu

In regards to this statement, I know this is off on the other side as it's an SBS pro with a GUI. Is this setting on by default on a C837, as I can't see it in my config, and what would be the full syntax to add it onto the key, please?

crypto isakmp key enc-type-digit keystring {address peer-address [mask] | ipv6 ipv6-address/ipv6-prefix | hostname hostname} [no-xauth]

Regards

Re: Site to Site VPN assistance

Your Phase 1 Settings appear to be accepted...as we can see from your debug output:

05:55:32: ISAKMP (0:113): Checking ISAKMP transform 1 against priority 2 policy
05:55:32: ISAKMP:      encryption 3DES-CBC
05:55:32: ISAKMP:      hash MD5
05:55:32: ISAKMP:      default group 1
05:55:32: ISAKMP:      auth pre-share
05:55:32: ISAKMP:      life type in seconds
05:55:32: ISAKMP:      life duration (basic) of 28800
05:55:32: ISAKMP (0:113): atts are acceptable. Next payload is 0

The process appears to be failing at Phase 2. Which usually means one of two things:

1) Your transform set parameters don't match on both sides

or (and most often the culprit)

2) Your "interesting traffic" ACL is not symmetrical on both sides. (i.e. if your ACL is:

permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

on one side of the tunnel, it needs to be an exact mirror image on the other side

permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 )

Hope this helps!
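
Both ACL points raised in this thread, the mirrored crypto ACL in the reply above and the NAT-exemption ordering fix listed under the accepted solutions, can be checked offline before touching the router. This is an added Python example, not code from any poster: it models IOS first-match evaluation with wildcard masks for `ip` entries only, the function names are illustrative, and the ACL lines are the ones quoted in the thread.

```python
import ipaddress

MASK32 = 0xFFFFFFFF
ANY = (0, MASK32)  # "any" == base 0.0.0.0 with wildcard 255.255.255.255

# ACL 102 as posted in the thread, and in the order recommended in the reply.
NAT_ACL_POSTED = [
    "access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255",
    "access-list 102 permit ip 192.168.1.0 0.0.0.255 any",
    "access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.22.0 0.0.0.255",
]
NAT_ACL_REORDERED = [NAT_ACL_POSTED[0], NAT_ACL_POSTED[2], NAT_ACL_POSTED[1]]


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _take_spec(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (base, wildcard)."""
    head = tokens.pop(0)
    if head == "any":
        return ANY
    if head == "host":
        return (_to_int(tokens.pop(0)), 0)
    wild = _to_int(tokens.pop(0))
    return (_to_int(head) & ~wild & MASK32, wild)


def parse_ace(line):
    """Parse one 'permit|deny ip SRC DST' entry, numbered or bare."""
    tokens = line.split()
    if tokens[0] == "access-list":  # numbered form: drop "access-list <n>"
        tokens = tokens[2:]
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src = _take_spec(rest)
    dst = _take_spec(rest)
    return action, src, dst


def _matches(spec, addr):
    base, wild = spec
    return (addr & ~wild & MASK32) == base


def _covers(outer, inner):
    """True if every address matched by inner is also matched by outer."""
    (ob, ow), (ib, iw) = outer, inner
    return (iw & ~ow & MASK32) == 0 and ((ob ^ ib) & ~ow & MASK32) == 0


def first_match(acl, src_ip, dst_ip):
    """Return (index, action) of the first entry hit, top-down like IOS."""
    s, d = _to_int(src_ip), _to_int(dst_ip)
    for i, line in enumerate(acl):
        action, src, dst = parse_ace(line)
        if _matches(src, s) and _matches(dst, d):
            return i, action
    return None, "deny"  # implicit deny at the end of every ACL


def shadowed(acl):
    """List (later, earlier) index pairs where the later entry can never match."""
    aces = [parse_ace(line) for line in acl]
    dead = []
    for later, (_, lsrc, ldst) in enumerate(aces):
        for earlier in range(later):
            _, esrc, edst = aces[earlier]
            if _covers(esrc, lsrc) and _covers(edst, ldst):
                dead.append((later, earlier))
                break
    return dead


def is_mirror(local_ace, remote_ace):
    """Crypto ACL check: remote entry must swap the local source and destination."""
    la, ls, ld = parse_ace(local_ace)
    ra, rs, rd = parse_ace(remote_ace)
    return la == ra and ls == rd and ld == rs


if __name__ == "__main__":
    # In a NAT ACL "permit" means translate and "deny" means exempt from NAT.
    print(first_match(NAT_ACL_POSTED, "192.168.1.10", "192.168.22.5"))
    print(first_match(NAT_ACL_REORDERED, "192.168.1.10", "192.168.22.5"))
    print(shadowed(NAT_ACL_POSTED))
```

With the posted order, traffic to 192.168.22.0 hits the `permit ... any` entry first and is translated, so it no longer matches the crypto ACL; `shadowed()` reports the unreachable deny entry directly.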

Beginner

Site to Site VPN assistance

Thanks Gents, I will look at those issues, but the other end is a Small Business Pro SRP527W. Currently the firewall is off for testing of the link and I have no telnet access from the GUI; it looks like the only way to access the CLI on this device is a console cable.

Beginner

Site to Site VPN assistance

The settings on the SBS pro for the local and remote traffic are a reverse of the above rule and look OK. I have the SPI firewall protection turned off currently; should this be on and a separate Internet access control policy added?

I currently cannot run a debug as other VPN easy connect clients are trying to connect, which muddies the waters of the debug.

Beginner

Site to Site VPN assistance

The config on the other end, the SBS pro, looks OK, and I have removed and rebuilt it and still no connection.

Debug as below. I will also add the config of the router with this debug. I would preferably like to keep the client access VPN functional as well as inserting the static VPN. Another side effect I have found is that with this config I can connect to the client VPN, but users who could previously connect now cannot connect if they are located on the LAN range on the other side of the peer, which is 192.168.22.0.

Any ideas welcome as I'm losing my mind here. I've also read about numerous issues and bugs with the SBS pro router and various firmware releases.


10:45:33: ISAKMP (0:13): SA is doing pre-shared key authentication using id type
ID_IPV4_ADDR
10:45:33: ISAKMP (13): ID payload
        next-payload : 8
        type         : 1
        addr         : 95.177.89.17
        protocol     : 17
        port         : 500
        length       : 8
10:45:33: ISAKMP (13): Total payload length: 12
10:45:33: ISAKMP (0:13): sending packet to 80.176.85.8 my_port 500 peer_port 500
(R) MM_KEY_EXCH
10:45:33: ISAKMP: set new node 349800015 to CONF_XAUTH
10:45:33: ISAKMP (0:13): sending packet to 80.176.85.8 my_port 500 peer_port 500
(R) MM_KEY_EXCH
10:45:33: ISAKMP (0:13): purging node 349800015
10:45:33: ISAKMP: Sending phase 1 responder lifetime 28800

10:45:33: ISAKMP (0:13): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
10:45:33: ISAKMP (0:13): Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

10:45:33: ISAKMP (0:13): Need XAUTH
10:45:33: ISAKMP (0:13): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
10:45:33: ISAKMP (0:13): Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_AAA_
START_LOGIN_AWAIT

10:45:33: ISAKMP: got callback 1
10:45:33: ISAKMP: set new node 1567868750 to CONF_XAUTH
10:45:33: ISAKMP/xauth: request attribute XAUTH_TYPE
10:45:33: ISAKMP/xauth: request attribute XAUTH_MESSAGE
10:45:33: ISAKMP/xauth: request attribute XAUTH_USER_NAME
10:45:33: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
10:45:33: ISAKMP (0:13): initiating peer config to 80.176.85.8. ID = 1567868750
10:45:33: ISAKMP (0:13): sending packet to 80.176.85.8 my_port 500 peer_port 500
(R) CONF_XAUTH
10:45:33: ISAKMP (0:13): Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOGIN
10:45:33: ISAKMP (0:13): Old State = IKE_XAUTH_AAA_START_LOGIN_AWAIT  New State
= IKE_XAUTH_REQ_SENT

10:45:34: ISAKMP (0:13): received packet from 80.176.85.8 dport 500 sport 500 Gl
obal (R) CONF_XAUTH
10:45:34: ISAKMP: set new node 1237541463 to CONF_XAUTH
10:45:34: ISAKMP (0:13): Unknown Input: state = IKE_XAUTH_REQ_SENT, major, minor
= IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

10:45:34: ISAKMP (0:13): received packet from 80.176.85.8 dport 500 sport 500 Gl
obal (R) CONF_XAUTH
10:45:34: ISAKMP: set new node -1485389802 to CONF_XAUTH
10:45:34: ISAKMP (0:13): Waiting for config mode response ... dropping Quick Mod
e message.
10:45:34: ISAKMP (0:12): purging SA., sa=817D4EBC, delme=817D4EBC
10:45:38: ISAKMP (0:13): retransmitting phase 2 CONF_XAUTH    1567868750 ...
10:45:38: ISAKMP (0:13): incrementing error counter on sa: retransmit phase 2
10:45:38: ISAKMP (0:13): incrementing error counter on sa: retransmit phase 2
10:45:38: ISAKMP (0:13): retransmitting phase 2 1567868750 CONF_XAUTH
10:45:38: ISAKMP (0:13): sending packet to 80.176.85.8 my_port 500 peer_port 500
(R) CONF_XAUTH
10:45:43: ISAKMP (0:13): received packet from 80.176.85.8 dport 500 sport 500 Gl
obal (R) CONF_XAUTH
10:45:43: ISAKMP (0:13): phase 2 packet is a duplicate of a previous packet.
10:45:43: ISAKMP (0:13): retransmitting due to retransmit phase 2
10:45:43: ISAKMP (0:13): retransmitting phase 2 CONF_XAUTH    -1485389802 ...
10:45:43: ISAKMP (0:13): received packet from 80.176.85.8 dport 500 sport 500 Gl
obal (R) CONF_XAUTH
10:45:43: ISAKMP (0:13): phase 2 packet is a duplicate of a previous packet.
10:45:43: ISAKMP (0:13): retransmitting due to retransmit phase 2
10:45:43: ISAKMP (0:13): retransmitting phase 2 CONF_XAUTH    1237541463 ...
10:45:43: ISAKMP (0:13): retransmitting phase 2 CONF_XAUTH    1567868750 ...
10:45:43: ISAKMP (0:13): incrementing error counter on sa: retransmit phase 2
10:45:43: ISAKMP (0:13): incrementing error counter on sa: retransmit phase 2
10:45:43: ISAKMP (0:13): retransmitting phase 2 1567868750 CONF_XAUTH
10:45:43: ISAKMP (0:13): sending packet to 80.176.85.8 my_port 500 peer_port 500
(R) CONF_XAUTH
10:45:44: ISAKMP (0:13): retransmitting phase 2 CONF_XAUTH    -1485389802 ...
10:45:44: ISAKMP (0:13): incrementing error counter on sa: retransmit phase 2
10:45:44: ISAKMP (0:13): incrementing error counter on sa: retransmit phase 2
10:45:44: ISAKMP (0:13): no outgoing phase 2 packet to retransmit. -1485389802 C
ONF_XAUTH
10:45:44: ISAKMP (0:13): retransmitting phase 2 CONF_XAUTH    1237541463 ...
10:45:44: ISAKMP (0:13): peer does not do paranoid keepalives.

10:45:44: ISAKMP (0:13): deleting SA reason "death by retransmission P2" state (R) CONF_XAUTH    (peer 80.176.85.8) input queue 0
10:45:44: ISAKMP (0:13): peer does not do paranoid keepalives.

10:45:44: ISAKMP: set new node 399689993 to CONF_XAUTH
10:45:44: ISAKMP (0:13): sending packet to 80.176.85.8 my_port 500 peer_port 500 (R) CONF_XAUTH
10:45:44: ISAKMP (0:13): purging node 399689993
10:45:44: ISAKMP (0:13): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
10:45:44: ISAKMP (0:13): Old State = IKE_XAUTH_REQ_SENT  New State = IKE_DEST_SA


10:45:44: ISAKMP (0:13): deleting SA reason "" state (R) CONF_XAUTH    (peer 80.176.85.8) input queue 0
10:45:44: ISAKMP: Unlocking IKE struct 0x817C3090 for isadb_mark_sa_deleted(), count 0
10:45:44: ISAKMP: Deleting peer node by peer_reap for 80.176.85.8: 817C3090
10:45:44: ISAKMP (0:13): deleting node 1567868750 error FALSE reason ""
10:45:44: ISAKMP (0:13): deleting node 1237541463 error FALSE reason ""
10:45:44: ISAKMP (0:13): deleting node -1485389802 error FALSE reason ""
10:45:44: ISAKMP (0:13): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
10:45:44: ISAKMP (0:13): Old State = IKE_DEST_SA  New State = IKE_DEST_SA

10:45:44: ISAKMP (0:13): received packet from 80.176.85.8 dport 500 sport 500 Global (R) MM_NO_STATE
10:46:03: ISAKMP (0:13): received packet from 80.176.85.8 dport 500 sport 500 Global (R) MM_NO_STATE
10:46:03: ISAKMP (0:13): received packet from 80.176.85.8 dport 500 sport 500 Global (R) MM_NO_STATE
10:46:34: ISAKMP (0:13): purging node 1567868750
10:46:34: ISAKMP (0:13): purging node 1237541463
10:46:34: ISAKMP (0:13): purging node -1485389802
10:46:43: ISAKMP (0:0): received packet from 80.176.85.8 dport 500 sport 500 Global (N) NEW SA
10:46:43: ISAKMP: Created a peer struct for 80.176.85.8, peer port 500
10:46:43: ISAKMP: Locking peer struct 0x81824140, IKE refcount 1 for crypto_ikmp_config_initialize_sa
10:46:43: ISAKMP (0:0): Setting client config settings 817C97CC
10:46:43: ISAKMP (0:0): (Re)Setting client xauth list  and state
10:46:43: ISAKMP: local port 500, remote port 500
10:46:43: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8183A860
10:46:43: ISAKMP (0:14): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
10:46:43: ISAKMP (0:14): Old State = IKE_READY  New State = IKE_R_MM1

10:46:43: ISAKMP (0:14): processing SA payload. message ID = 0
10:46:43: ISAKMP (0:14): processing vendor id payload
10:46:43: ISAKMP (0:14): vendor ID seems Unity/DPD but major 0 mismatch
10:46:43: ISAKMP (0:14): processing vendor id payload
10:46:43: ISAKMP (0:14): vendor ID is DPD
10:46:43: ISAKMP: Looking for a matching key for 80.176.85.8 in default : success
10:46:43: ISAKMP (0:14): found peer pre-shared key matching 80.176.85.8
10:46:43: ISAKMP (0:14) local preshared key found
10:46:43: ISAKMP (0:14) Authentication by xauth preshared
10:46:43: ISAKMP (0:14): Checking ISAKMP transform 0 against priority 1 policy
10:46:43: ISAKMP:      life type in seconds
10:46:43: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x53
10:46:43: ISAKMP:      encryption 3DES-CBC
10:46:43: ISAKMP:      hash SHA
10:46:43: ISAKMP:      auth pre-share
10:46:43: ISAKMP:      default group 2
10:46:43: ISAKMP (0:14): atts are acceptable. Next payload is 0
10:46:43: ISAKMP (0:14): processing vendor id payload
10:46:43: ISAKMP (0:14): vendor ID seems Unity/DPD but major 0 mismatch
10:46:43: ISAKMP (0:14): processing vendor id payload
10:46:43: ISAKMP (0:14): vendor ID is DPD
10:46:43: ISAKMP (0:14): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
10:46:43: ISAKMP (0:14): Old State = IKE_R_MM1  New State = IKE_R_MM1

10:46:43: ISAKMP (0:14): sending packet to 80.176.85.8 my_port 500 peer_port 500 (R) MM_SA_SETUP
10:46:43: ISAKMP (0:14): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
10:46:43: ISAKMP (0:14): Old State = IKE_R_MM1  New State = IKE_R_MM2

10:46:43: ISAKMP (0:14): received packet from 80.176.85.8 dport 500 sport 500 Global (R) MM_SA_SETUP
10:46:43: ISAKMP (0:14): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
10:46:43: ISAKMP (0:14): Old State = IKE_R_MM2  New State = IKE_R_MM3

10:46:43: ISAKMP (0:14): processing KE payload. message ID = 0
10:46:43: ISAKMP (0:14): processing NONCE payload. message ID = 0
10:46:43: ISAKMP: Looking for a matching key for 80.176.85.8 in default : success
10:46:43: ISAKMP (0:14): found peer pre-shared key matching 80.176.85.8
10:46:43: ISAKMP (0:14): SKEYID state generated
10:46:43: ISAKMP (0:14): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
10:46:43: ISAKMP (0:14): Old State = IKE_R_MM3  New State = IKE_R_MM3

10:46:43: ISAKMP (0:14): sending packet to 80.176.85.8 my_port 500 peer_port 500 (R) MM_KEY_EXCH
10:46:43: ISAKMP (0:14): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
10:46:43: ISAKMP (0:14): Old State = IKE_R_MM3  New State = IKE_R_MM4

10:46:43: ISAKMP (0:14): received packet from 80.176.85.8 dport 500 sport 500 Global (R) MM_KEY_EXCH
10:46:43: ISAKMP (0:14): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
10:46:43: ISAKMP (0:14): Old State = IKE_R_MM4  New State = IKE_R_MM5

10:46:43: ISAKMP (0:14): processing ID payload. message ID = 0
10:46:43: ISAKMP (0:14): peer matches *none* of the profiles
10:46:43: ISAKMP (0:14): processing HASH payload. message ID = 0
10:46:43: ISAKMP (0:14): SA has been authenticated with 80.176.85.8
10:46:43: ISAKMP: Trying to insert a peer 95.177.89.17/80.176.85.8/500/,  and inserted successfully.
10:46:43: ISAKMP (0:14): peer matches *none* of the profiles
10:46:43: ISAKMP (0:14): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
10:46:43: ISAKMP (0:14): Old State = IKE_R_MM5  New State = IKE_R_MM5

10:46:43: ISAKMP (0:14): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
10:46:43: ISAKMP (14): ID payload
        next-payload : 8
        type         : 1
        addr         : 95.177.89.17
        protocol     : 17
        port         : 500
        length       : 8
10:46:43: ISAKMP (14): Total payload length: 12
10:46:43: ISAKMP (0:14): sending packet to 80.176.85.8 my_port 500 peer_port 500 (R) MM_KEY_EXCH
10:46:43: ISAKMP: set new node 1996570655 to CONF_XAUTH
10:46:43: ISAKMP (0:14): sending packet to 80.176.85.8 my_port 500 peer_port 500 (R) MM_KEY_EXCH
10:46:43: ISAKMP (0:14): purging node 1996570655
10:46:43: ISAKMP: Sending phase 1 responder lifetime 28800

10:46:43: ISAKMP (0:14): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
10:46:43: ISAKMP (0:14): Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

10:46:43: ISAKMP (0:14): Need XAUTH
10:46:43: ISAKMP (0:14): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
10:46:43: ISAKMP (0:14): Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_AAA_START_LOGIN_AWAIT

10:46:43: ISAKMP: got callback 1
10:46:43: ISAKMP: set new node -989660487 to CONF_XAUTH
10:46:43: ISAKMP/xauth: request attribute XAUTH_TYPE
10:46:43: ISAKMP/xauth: request attribute XAUTH_MESSAGE
10:46:43: ISAKMP/xauth: request attribute XAUTH_USER_NAME
10:46:43: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
10:46:43: ISAKMP (0:14): initiating peer config to 80.176.85.8. ID = -989660487
10:46:43: ISAKMP (0:14): sending packet to 80.176.85.8 my_port 500 peer_port 500 (R) CONF_XAUTH
10:46:43: ISAKMP (0:14): Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOGIN
10:46:43: ISAKMP (0:14): Old State = IKE_XAUTH_AAA_START_LOGIN_AWAIT  New State = IKE_XAUTH_REQ_SENT

10:46:44: ISAKMP (0:14): received packet from 80.176.85.8 dport 500 sport 500 Global (R) CONF_XAUTH
10:46:44: ISAKMP: set new node 1328280229 to CONF_XAUTH
10:46:44: ISAKMP (0:14): Unknown Input: state = IKE_XAUTH_REQ_SENT, major, minor = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

10:46:44: ISAKMP (0:14): received packet from 80.176.85.8 dport 500 sport 500 Global (R) CONF_XAUTH
10:46:44: ISAKMP: set new node -2053848848 to CONF_XAUTH
10:46:44: ISAKMP (0:14): Waiting for config mode response ... dropping Quick Mode message.
10:46:44: ISAKMP (0:13): purging SA., sa=817D5548, delme=817D5548
10:46:48: ISAKMP (0:14): retransmitting phase 2 CONF_XAUTH    -989660487 ...
10:46:48: ISAKMP (0:14): incrementing error counter on sa: retransmit phase 2
10:46:48: ISAKMP (0:14): incrementing error counter on sa: retransmit phase 2
10:46:48: ISAKMP (0:14): retransmitting phase 2 -989660487 CONF_XAUTH
10:46:48: ISAKMP (0:14): sending packet to 80.176.85.8 my_port 500 peer_port 500 (R) CONF_XAUTH
10:46:53: ISAKMP (0:14): received packet from 80.176.85.8 dport 500 sport 500 Global (R) CONF_XAUTH
10:46:53: ISAKMP (0:14): phase 2 packet is a duplicate of a previous packet.
10:46:53: ISAKMP (0:14): retransmitting due to retransmit phase 2
10:46:53: ISAKMP (0:14): retransmitting phase 2 CONF_XAUTH    -2053848848 ...
10:46:53: ISAKMP (0:14): received packet from 80.176.85.8 dport 500 sport 500 Global (R) CONF_XAUTH
10:46:53: ISAKMP (0:14): phase 2 packet is a duplicate of a previous packet.
10:46:53: ISAKMP (0:14): retransmitting due to retransmit phase 2
10:46:53: ISAKMP (0:14): retransmitting phase 2 CONF_XAUTH    1328280229 ...
10:46:53: ISAKMP (0:14): retransmitting phase 2 CONF_XAUTH    -2053848848 ...
10:46:53: ISAKMP (0:14): incrementing error counter on sa: retransmit phase 2
10:46:53: ISAKMP (0:14): incrementing error counter on sa: retransmit phase 2
10:46:53: ISAKMP (0:14): no outgoing phase 2 packet to retransmit. -2053848848 CONF_XAUTH
10:46:53: ISAKMP (0:14): retransmitting phase 2 CONF_XAUTH    1328280229 ...
10:46:53: ISAKMP (0:14): incrementing error counter on sa: retransmit phase 2
10:46:53: ISAKMP (0:14): incrementing error counter on sa: retransmit phase 2
10:46:53: ISAKMP (0:14): no outgoing phase 2 packet to retransmit. 1328280229 CONF_XAUTH
10:46:53: ISAKMP (0:14): retransmitting phase 2 CONF_XAUTH    -989660487 ...
10:46:53: ISAKMP (0:14): peer does not do paranoid keepalives.

10:46:53: ISAKMP (0:14): deleting SA reason "death by retransmission P2" state (R) CONF_XAUTH    (peer 80.176.85.8) input queue 0
10:46:53: ISAKMP (0:14): peer does not do paranoid keepalives.

10:46:53: ISAKMP: set new node 1669504821 to CONF_XAUTH
10:46:53: ISAKMP (0:14): sending packet to 80.176.85.8 my_port 500 peer_port 500 (R) CONF_XAUTH
10:46:53: ISAKMP (0:14): purging node 1669504821
10:46:53: ISAKMP (0:14): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
10:46:53: ISAKMP (0:14): Old State = IKE_XAUTH_REQ_SENT  New State = IKE_DEST_SA


10:46:53: ISAKMP (0:14): deleting SA reason "" state (R) CONF_XAUTH    (peer 80.176.85.8) input queue 0
10:46:53: ISAKMP: Unlocking IKE struct 0x81824140 for isadb_mark_sa_deleted(), count 0
10:46:53: ISAKMP: Deleting peer node by peer_reap for 80.176.85.8: 81824140
10:46:53: ISAKMP (0:14): deleting node -989660487 error FALSE reason ""
10:46:53: ISAKMP (0:14): deleting node 1328280229 error FALSE reason ""
10:46:53: ISAKMP (0:14): deleting node -2053848848 error FALSE reason ""
10:46:53: ISAKMP (0:14): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
10:46:53: ISAKMP (0:14): Old State = IKE_DEST_SA  New State = IKE_DEST_SA

10:46:54: ISAKMP (0:14): received packet from 80.176.85.8 dport 500 sport 500 Global (R) MM_NO_STATE
10:47:13: ISAKMP (0:14): received packet from 80.176.85.8 dport 500 sport 500 Global (R) MM_NO_STATE
10:47:13: ISAKMP (0:14): received packet from 80.176.85.8 dport 500 sport 500 Global (R) MM_NO_STATE