11-14-2013 02:50 AM
Hi,
Due to some changes with our ISP, the ATM interface on the 877 router won't support stable connections anymore. The fix I'm having to do is to use our ISP-provided modem/router, and have the 877 use an FE port as a WAN port and instigate the VPN from there.
I've had issues with getting the WAN port to work correctly that I got fixed here:
https://supportforums.cisco.com/message/4090973
Now I've got to get this bit going then I'm all good!
Basic set up is:
Remote firewall <-> internet <-> local ISP (modem/router) <-> Cisco 877                 <-> laptop/switch etc
172.20.0.0/16                    192.168.1.254                192.168.1.139 172.30.99.1     172.30.99.0/24
Current config is:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ITTEST
!
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-24.T6.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 10240
enable secret
enable password
!
no aaa new-model
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
!
dot11 syslog
no ip source-route
!
!
ip dhcp excluded-address 172.30.99.1 172.30.99.100
!
ip dhcp pool dhcppool
import all
network 172.30.99.0 255.255.255.0
default-router 172.30.99.1
dns-server 172.30.99.1 172.20.0.120 172.20.0.121
domain-name gratte.com
update arp
!
!
ip cef
ip domain name gratte.com
ip name-server 192.168.1.254
ip name-server 172.20.0.120
ip name-server 172.20.0.121
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key <presharedkey> address xxx.xxx.xxx.xxx no-xauth
!
!
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC-VPN
set transform-set 3DESSHA
!
!
archive
log config
hidekeys
!
!
!
!
!
interface Tunnel0
description --- IPSec Tunnel to KX ---
ip address 172.30.99.10 255.255.255.252
ip ospf mtu-ignore
load-interval 30
tunnel source Vlan1
tunnel destination xxx.xxx.xxx.xxx
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-VPN
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
description DATA
spanning-tree portfast
!
interface FastEthernet1
description VOICE
switchport access vlan 100
switchport voice vlan 100
spanning-tree portfast
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
switchport access vlan 666
no cdp enable
spanning-tree portfast
!
interface Vlan1
ip address 172.30.99.1 255.255.255.252
ip nat inside
ip virtual-reassembly
!
interface Vlan666
ip address 192.168.1.139 255.255.255.0
ip nat outside
ip virtual-reassembly
!
interface Dialer0
no ip address
!
ip default-gateway 192.168.1.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route 10.20.0.0 255.255.0.0 Tunnel0
ip route 10.21.0.0 255.255.0.0 Tunnel0
ip route 64.156.192.220 255.255.255.255 Tunnel0
ip route 64.156.192.245 255.255.255.255 Tunnel0
ip route 74.50.50.16 255.255.255.255 Tunnel0
ip route 74.50.63.14 255.255.255.255 Tunnel0
ip route 172.16.0.0 255.240.0.0 Tunnel0
ip route 172.30.99.0 255.255.255.0 Vlan1
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 100 interface Vlan666 overload
!
access-list 100 permit ip 172.30.99.0 0.0.0.255 any
access-list 199 permit icmp any any
!
!
!
!
snmp-server community public RO
snmp-server community blobby RW
!
control-plane
!
!
line con 0
password
login
no modem enable
line aux 0
line vty 0 4
password
login
!
scheduler max-task-time 5000
ntp server 72.8.140.222
ntp server 172.20.0.120
ntp server 172.20.0.121
end
Hope someone can help!
11-14-2013 05:00 AM
Hi,
Your VPN peering must be done on public IP addresses, not private ones, which are not "routable" on the Internet.
You'll have to do the PPPoE/PPPoA on the 877 to get a public IP and do your tunnel from there.
Regards
Alain
Don't forget to rate helpful posts.
11-14-2013 05:15 AM
I assumed NAT would take care of that?
Would I have to configure the ISP router to bridge mode to achieve this then?
Another example where a similar set up to this works: we have a site where we have access to an existing internet connection. On this site I have a Juniper SRX100 (no DSL interface), a port configured for untrust (internet facing) and a port configured for trust (private network). I am able to make the tunnel work (using a dynamic VPN on the SRX100 end as no designated IP). It is seen as the existing internet connection's public IP.
11-14-2013 06:41 AM
Ok, tunnel is up!
Just used Dynamic instead of static and aggressive mode.
Now I have a strange problem.
Gateway at HO is 172.20.0.251, this is the site the 877 connects to.
Laptop connected to VLAN 1 on the 877 is on 172.30.99.101
HO can ping the 877 on 172.30.99.1, the router can ping everything, the laptop can only ping the router.
Why can't HO ping the laptop and vice versa?
The router shows:
ITTEST#ping 172.20.0.251
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.0.251, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/27/28 ms
ITTEST#ping 172.30.99.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.30.99.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ITTEST#ping 172.30.99.101 source tun0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.30.99.101, timeout is 2 seconds:
Packet sent with a source address of 172.30.99.10
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
ITTEST#ping 172.20.0.251 source vlan1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.0.251, timeout is 2 seconds:
Packet sent with a source address of 172.30.99.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/25/28 ms
A tracert from HO to the laptop reaches 172.30.99.1 and stops.
A tracert from the laptop to HO reaches 172.30.99.1 and stops.
Strange.
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route 10.20.0.0 255.255.0.0 Tunnel0
ip route 10.21.0.0 255.255.0.0 Tunnel0
ip route 64.156.192.220 255.255.255.255 Tunnel0
ip route 64.156.192.245 255.255.255.255 Tunnel0
ip route 74.50.50.16 255.255.255.255 Tunnel0
ip route 74.50.63.14 255.255.255.255 Tunnel0
ip route 172.16.0.0 255.240.0.0 Tunnel0
ip route 172.30.99.0 255.255.255.0 Vlan1
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 100 interface Vlan666 overload
!
access-list 100 permit ip 172.30.99.0 0.0.0.255 any
access-list 100 permit ip 172.20.0.0 0.0.255.255 any
access-list 199 permit icmp any any
11-15-2013 03:52 AM
And now coupled with the routing problem in my last post, the tunnel seems to be a bit odd.
It comes up, works, pings can be made, then the below happens. It is seen at the remote end as connected, the 877 shows the VPN as up, but you can't ping across it anymore:
ITTEST#ping 172.20.0.251
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.0.251, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/24/28 ms
ITTEST#
00:59:38: ISAKMP (0): received packet from
00:59:38: %CRYPTO-4-IKMP_NO_SA: IKE message from
has no SA and is not an initialization offer
00:59:40: ISAKMP (0): received packet from
dport 500 sport 500 Global (N) NEW SA
00:59:43: ISAKMP (0): received packet from
00:59:43: ISAKMP (0): received packet from
00:59:48: ISAKMP (0): received packet from
00:59:48: ISAKMP (0): received packet from
00:59:53: ISAKMP (0): received packet from
00:59:56: ISAKMP (0): received packet from
00:59:58: ISAKMP (0): received packet from
01:00:03: ISAKMP (0): received packet from
01:00:08: ISAKMP (0): received packet from
01:00:18: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 172.30.99.1, remote=
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
01:00:18: IPSEC(lifetime_expiry): SA lifetime threshold reached, expiring in 43 seconds
01:00:18: ISAKMP: set new node 0 to QM_IDLE
01:00:18: SA has outstanding requests (local 133.37.54.100 port 500, remote 133.37.54.72 port 500)
01:00:18: ISAKMP:(2001): sitting IDLE. Starting QM immediately (QM_IDLE )
01:00:18: ISAKMP:(2001):beginning Quick Mode exchange, M-ID of 614665514
01:00:18: ISAKMP:(2001):QM Initiator gets spi
01:00:18: ISAKMP:(2001): sending packet to
01:00:18: ISAKMP:(2001):Sending an IKE IPv4 Packet.
01:00:18: ISAKMP:(2001):Node 614665514, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
01:00:18: ISAKMP:(2001):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
01:00:28: ISAKMP:(2001): retransmitting phase 2 QM_IDLE 614665514 ...
01:00:28: ISAKMP (2001): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
01:00:28: ISAKMP (2001): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
01:00:28: ISAKMP:(2001): retransmitting phase 2 614665514 QM_IDLE
01:00:28: ISAKMP:(2001): sending packet to
01:00:28: ISAKMP:(2001):Sending an IKE IPv4 Packet.
01:00:38: ISAKMP:(2001): retransmitting phase 2 QM_IDLE 614665514 ...
01:00:38: ISAKMP (2001): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
01:00:38: ISAKMP (2001): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
01:00:38: ISAKMP:(2001): retransmitting phase 2 614665514 QM_IDLE
01:00:38: ISAKMP:(2001): sending packet to
01:00:38: ISAKMP:(2001):Sending an IKE IPv4 Packet.
01:00:48: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 172.30.99.1, remote=
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
01:00:48: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 172.30.99.1, remote=
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
01:00:48: ISAKMP: set new node 0 to QM_IDLE
01:00:48: SA has outstanding requests (local 133.37.54.100 port 500, remote 133.37.54.72 port 500)
01:00:48: ISAKMP:(2001): sitting IDLE. Starting QM immediately (QM_IDLE )
01:00:48: ISAKMP:(2001):beginning Quick Mode exchange, M-ID of 1063065985
01:00:48: ISAKMP:(2001):QM Initiator gets spi
01:00:48: ISAKMP:(2001): sending packet to
01:00:48: ISAKMP:(2001):Sending an IKE IPv4 Packet.
01:00:48: ISAKMP:(2001):Node 1063065985, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
01:00:48: ISAKMP:(2001):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
01:00:48: ISAKMP:(2001): retransmitting phase 2 QM_IDLE 614665514 ...
01:00:48: ISAKMP (2001): incrementing error counter on node, attempt 3 of 5: retransmit phase 2
01:00:48: ISAKMP (2001): incrementing error counter on sa, attempt 3 of 5: retransmit phase 2
01:00:48: ISAKMP:(2001): retransmitting phase 2 614665514 QM_IDLE
01:00:48: ISAKMP:(2001): sending packet to
01:00:48: ISAKMP:(2001):Sending an IKE IPv4 Packet.
01:00:58: ISAKMP:(2001): retransmitting phase 2 QM_IDLE 1063065985 ...
01:00:58: ISAKMP (2001): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
01:00:58: ISAKMP (2001): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
01:00:58: ISAKMP:(2001): retransmitting phase 2 1063065985 QM_IDLE
01:00:58: ISAKMP:(2001): sending packet to
01:00:58: ISAKMP:(2001):Sending an IKE IPv4 Packet.
01:00:58: ISAKMP:(2001): retransmitting phase 2 QM_IDLE 614665514 ...
01:00:58: ISAKMP (2001): incrementing error counter on node, attempt 4 of 5: retransmit phase 2
01:00:58: ISAKMP (2001): incrementing error counter on sa, attempt 5 of 5: retransmit phase 2
01:00:58: ISAKMP:(2001): retransmitting phase 2 614665514 QM_IDLE
01:00:58: ISAKMP:(2001): sending packet to
01:00:58: ISAKMP:(2001):Sending an IKE IPv4 Packet.
01:01:01: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 172.30.99.1, sa_proto= 50,
sa_spi= 0x42C0A605(1119921669),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 1
sa_lifetime(k/sec)= (4521680/3600),
(identity) local= 172.30.99.1, remote=
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
01:01:01: IPSEC(update_current_outbound_sa): updated peer
01:01:01: IPSEC(delete_sa): deleting SA,
(sa) sa_dest=
sa_spi= 0xD8415C94(3628162196),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2
sa_lifetime(k/sec)= (4521680/3600),
(identity) local= 172.30.99.1, remote=
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
01:01:01: ISAKMP: set new node -713733717 to QM_IDLE
01:01:01: ISAKMP:(2001):peer does not do paranoid keepalives.
01:01:01: ISAKMP:(2001):deleting SA reason "Death by retransmission throw" state (I) QM_IDLE (peer
01:01:01: ISAKMP:(2001):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
01:01:01: ISAKMP:(2001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
01:01:01: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
01:01:01: ISAKMP: set new node -312624059 to QM_IDLE
01:01:01: ISAKMP:(2001): sending packet to
01:01:01: ISAKMP:(2001):Sending an IKE IPv4 Packet.
01:01:01: ISAKMP:(2001):purging node -312624059
01:01:01: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
01:01:01: ISAKMP:(2001):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
01:01:01: ISAKMP:(2001):deleting SA reason "Death by retransmission throw" state (I) QM_IDLE (peer
01:01:01: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
01:01:01: ISAKMP: Unlocking peer struct 0x848AD260 for isadb_mark_sa_deleted(), count 0
01:01:01: ISAKMP: Deleting peer node by peer_reap for
01:01:01: ISAKMP:(2001):deleting node 614665514 error FALSE reason "IKE deleted"
01:01:01: ISAKMP:(2001):deleting node 1063065985 error FALSE reason "IKE deleted"
01:01:01: ISAKMP:(2001):deleting node -713733717 error FALSE reason "IKE deleted"
01:01:01: ISAKMP:(2001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
01:01:01: ISAKMP:(2001):Old State = IKE_DEST_SA New State = IKE_DEST_SA
01:01:01: IPSEC(key_engine): got a queue event with 1 KMI message(s)
01:01:18: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 172.30.99.1, remote=
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
ITTEST#ping 172.20.0.251
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.0.251, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ITTEST#
I see the "ISAKMP:(2001):peer does not do paranoid keepalives." message, but this occurred within an hour of the tunnel coming up; the lifetime would be the 24 hour default (86400)...
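Added example (not part of the original post, and not Cisco tooling): a Python parser for the debug output format shown above. It counts Quick Mode retransmits per M-ID, flags IKE SAs torn down with "Death by retransmission", and measures how long it takes until the next Phase 2 exchange completes. The sample log is constructed, and the names `parse` and `outages` are made up for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the format of the IOS crypto debug output above
# ("service timestamps debug uptime"); M-IDs and SA ids are made up.
SAMPLE_LOG = """\
01:00:18: IPSEC(lifetime_expiry): SA lifetime threshold reached, expiring in 43 seconds
01:00:18: ISAKMP:(2001):beginning Quick Mode exchange, M-ID of 1111
01:00:28: ISAKMP:(2001): retransmitting phase 2 QM_IDLE 1111 ...
01:00:38: ISAKMP:(2001): retransmitting phase 2 QM_IDLE 1111 ...
01:00:48: ISAKMP:(2001):beginning Quick Mode exchange, M-ID of 2222
01:00:48: ISAKMP:(2001): retransmitting phase 2 QM_IDLE 1111 ...
01:00:58: ISAKMP:(2001): retransmitting phase 2 QM_IDLE 2222 ...
01:01:01: ISAKMP:(2001):deleting SA reason "Death by retransmission throw" state (I) QM_IDLE (peer
01:01:01: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
01:01:01: ISAKMP:(2001):deleting SA reason "Death by retransmission throw" state (I) QM_IDLE (peer
02:00:57: ISAKMP:(2002):beginning Quick Mode exchange, M-ID of 3333
02:01:02: ISAKMP:(2002):deleting node 3333 error FALSE reason "No Error"
"""

# Only HH:MM:SS uptime stamps are handled; lines without one are the
# continuation lines of multi-line debug records and are skipped.
LINE = re.compile(r"^(\d+):(\d\d):(\d\d): (.*)$")
START = re.compile(r"ISAKMP:\((\d+)\):beginning Quick Mode exchange, M-ID of (-?\d+)")
RETX = re.compile(r"ISAKMP:\((\d+)\): retransmitting phase 2 QM_IDLE\s+(-?\d+)\s*\.\.\.")
NODE_DEL = re.compile(r'ISAKMP:\((\d+)\):deleting node (-?\d+) error \w+ reason "([^"]*)"')
SA_DEATH = re.compile(r'ISAKMP:\((\d+)\):deleting SA reason "Death by retransmission')
OK_REASONS = {"No Error", "QM done (await)"}  # reasons seen on completed exchanges


@dataclass
class QuickMode:
    sa_id: str               # IKE SA id, e.g. "2001"
    mid: str                 # Quick Mode message ID
    started: int             # uptime in seconds
    retransmits: int = 0
    outcome: str = "pending"
    ended: Optional[int] = None


def parse(text):
    """Return (list of QuickMode exchanges, list of (uptime, sa_id) SA deaths)."""
    exchanges, deaths = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        t = int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3])
        body = m[4]
        if s := START.search(body):
            exchanges[(s[1], s[2])] = QuickMode(s[1], s[2], t)
        elif r := RETX.search(body):
            if qm := exchanges.get((r[1], r[2])):
                qm.retransmits += 1
        elif d := NODE_DEL.search(body):
            qm = exchanges.get((d[1], d[2]))
            if qm and qm.outcome == "pending":
                qm.outcome = "completed" if d[3] in OK_REASONS else "failed"
                qm.ended = t
        elif k := SA_DEATH.search(body):
            if not deaths or deaths[-1] != (t, k[1]):  # the message is logged twice
                deaths.append((t, k[1]))
            for qm in exchanges.values():
                if qm.sa_id == k[1] and qm.outcome == "pending":
                    qm.outcome, qm.ended = "failed", t
    return list(exchanges.values()), deaths


def outages(exchanges, deaths):
    """For each SA death: seconds until the next completed Quick Mode (None if never)."""
    result = []
    for t, sa_id in deaths:
        later = [q.ended for q in exchanges if q.outcome == "completed" and q.ended > t]
        result.append((sa_id, t, min(later) - t if later else None))
    return result


if __name__ == "__main__":
    qms, dead = parse(SAMPLE_LOG)
    for q in qms:
        print(f"SA {q.sa_id} M-ID {q.mid}: {q.retransmits} retransmits, {q.outcome}")
    for sa_id, t, gap in outages(qms, dead):
        print(f"SA {sa_id} died at uptime {t}s; Phase 2 restored after {gap}s")
```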
11-15-2013 04:51 AM
And pretty much an hour to the time of when it dropped out, it's kicked back in:
02:00:40: ISAKMP (0): received packet from
02:00:40: %CRYPTO-4-IKMP_NO_SA: IKE message from
02:00:42: ISAKMP (0): received packet from
02:00:45: ISAKMP (0): received packet from
02:00:45: ISAKMP (0): received packet from
02:00:50: ISAKMP (0): received packet from
02:00:50: ISAKMP (0): received packet from
02:00:55: ISAKMP (0): received packet from
02:00:57: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 172.30.99.1, remote=
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
02:00:57: IPSEC(lifetime_expiry): SA lifetime threshold reached, expiring in 68 seconds
02:00:57: ISAKMP: set new node 0 to QM_IDLE
02:00:57: SA has outstanding requests (local 132.76.193.228 port 500, remote 132.76.193.200 port 500)
02:00:57: ISAKMP:(2002): sitting IDLE. Starting QM immediately (QM_IDLE )
02:00:57: ISAKMP:(2002):beginning Quick Mode exchange, M-ID of 1560671909
02:00:57: ISAKMP:(2002):QM Initiator gets spi
02:00:57: ISAKMP:(2002): sending packet to
02:00:57: ISAKMP:(2002):Sending an IKE IPv4 Packet.
02:00:57: ISAKMP:(2002):Node 1560671909, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
02:00:57: ISAKMP:(2002):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
02:00:58: ISAKMP (2002): received packet from
02:00:58: ISAKMP: set new node 1105416027 to QM_IDLE
02:00:58: ISAKMP:(2002): processing HASH payload. message ID = 1105416027
02:00:58: ISAKMP:(2002): processing SA payload. message ID = 1105416027
02:00:58: ISAKMP:(2002):Checking IPSec proposal 1
02:00:58: ISAKMP: transform 1, ESP_3DES
02:00:58: ISAKMP: attributes in transform:
02:00:58: ISAKMP: SA life type in seconds
02:00:58: ISAKMP: SA life duration (basic) of 3600
02:00:58: ISAKMP: encaps is 1 (Tunnel)
02:00:58: ISAKMP: key length is 192
02:00:58: ISAKMP: authenticator is HMAC-SHA
02:00:58: ISAKMP:(2002):atts are acceptable.
02:00:58: ISAKMP:(2002):Checking IPSec proposal 1
02:00:58: ISAKMP: transform 2, ESP_3DES
02:00:58: ISAKMP: attributes in transform:
02:00:58: ISAKMP: SA life type in seconds
02:00:58: ISAKMP: SA life duration (basic) of 3600
02:00:58: ISAKMP: encaps is 1 (Tunnel)
02:00:58: ISAKMP: authenticator is HMAC-SHA
02:00:58: ISAKMP:(2002):atts are acceptable.
02:00:58: IPSEC(validate_proposal_request): proposal part #1
02:00:58: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.30.99.1, remote=
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 192, flags= 0x0
02:00:58: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
02:00:58: ISAKMP:(2002): processing NONCE payload. message ID = 1105416027
02:00:58: ISAKMP:(2002): processing ID payload. message ID = 1105416027
02:00:58: ISAKMP:(2002): processing ID payload. message ID = 1105416027
02:00:58: ISAKMP:(2002):QM Responder gets spi
02:00:58: ISAKMP:(2002):Node 1105416027, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
02:00:58: ISAKMP:(2002):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
02:00:58: ISAKMP:(2002): Creating IPSec SAs
02:00:58: inbound SA from
(proxy 0.0.0.0 to 0.0.0.0)
02:00:58: has spi 0x48E03F51 and conn_id 0
02:00:58: lifetime of 3600 seconds
02:00:58: outbound SA from 172.30.99.1 to
(proxy 0.0.0.0 to 0.0.0.0)
02:00:58: has spi 0xD4AF8B3C and conn_id 0
02:00:58: lifetime of 3600 seconds
02:00:58: ISAKMP:(2002): sending packet to
02:00:58: ISAKMP:(2002):Sending an IKE IPv4 Packet.
02:00:58: ISAKMP:(2002):Node 1105416027, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
02:00:58: ISAKMP:(2002):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
02:00:58: IPSEC(key_engine): got a queue event with 1 KMI message(s)
02:00:58: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
02:00:58: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer
02:00:58: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.30.99.1, sa_proto= 50,
sa_spi= 0x48E03F51(1222655825),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 5
sa_lifetime(k/sec)= (4450631/3600)
02:00:58: IPSEC(create_sa): sa created,
(sa) sa_dest=
sa_spi= 0xD4AF8B3C(3568274236),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 6
sa_lifetime(k/sec)= (4450631/3600)
02:00:58: ISAKMP (2002): received packet from
02:00:58: ISAKMP:(2002):deleting node 1105416027 error FALSE reason "QM done (await)"
02:00:58: ISAKMP:(2002):Node 1105416027, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
02:00:58: ISAKMP:(2002):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
02:00:58: IPSEC(key_engine): got a queue event with 1 KMI message(s)
02:00:58: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
02:00:58: IPSEC(key_engine_enable_outbound): enable SA with spi 3568274236/50
02:00:58: IPSEC(update_current_outbound_sa): updated peer
02:00:59: ISAKMP (2002): received packet from
02:00:59: ISAKMP: set new node -1124267365 to QM_IDLE
02:00:59: ISAKMP:(2002): processing HASH payload. message ID = -1124267365
02:00:59: ISAKMP:(2002): processing DELETE payload. message ID = -1124267365
02:00:59: ISAKMP:(2002):peer does not do paranoid keepalives.
02:00:59: ISAKMP:(2002):deleting node -1124267365 error FALSE reason "Informational (in) state 1"
02:00:59: IPSEC(key_engine): got a queue event with 1 KMI message(s)
02:00:59: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
02:00:59: IPSEC(key_engine_delete_sas): delete SA with spi 0xBDD33AB1 proto 50 for
02:00:59: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 172.30.99.1, sa_proto= 50,
sa_spi= 0x539777E6(1402435558),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3
sa_lifetime(k/sec)= (4412467/3600),
(identity) local= 172.30.99.1, remote=
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
02:00:59: IPSEC(delete_sa): deleting SA,
(sa) sa_dest=
sa_spi= 0xBDD33AB1(3184736945),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4
sa_lifetime(k/sec)= (4412467/3600),
(identity) local= 172.30.99.1, remote=
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
02:01:00: ISAKMP (2002): received packet from
02:01:00: ISAKMP: set new node -2105526428 to QM_IDLE
02:01:00: ISAKMP:(2002): processing HASH payload. message ID = -2105526428
02:01:00: ISAKMP:(2002): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -2105526428, sa = 844CC060
02:01:00: ISAKMP:(2002):deleting node -2105526428 error FALSE reason "Informational (in) state 1"
02:01:00: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
02:01:00: ISAKMP:(2002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
02:01:00: ISAKMP:(2002):DPD/R_U_THERE received from peer
02:01:00: ISAKMP: set new node 971443288 to QM_IDLE
02:01:00: ISAKMP:(2002):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2220478360, message ID = 971443288
02:01:00: ISAKMP:(2002): seq. no 0x22D
02:01:00: ISAKMP:(2002): sending packet to
02:01:00: ISAKMP:(2002):Sending an IKE IPv4 Packet.
02:01:00: ISAKMP:(2002):purging node 971443288
02:01:00: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
02:01:00: ISAKMP:(2002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
02:01:02: ISAKMP (2002): received packet from
02:01:02: ISAKMP:(2002): processing HASH payload. message ID = 1560671909
02:01:02: ISAKMP:(2002): processing SA payload. message ID = 1560671909
02:01:02: ISAKMP:(2002):Checking IPSec proposal 1
02:01:02: ISAKMP: transform 1, ESP_3DES
02:01:02: ISAKMP: attributes in transform:
02:01:02: ISAKMP: encaps is 1 (Tunnel)
02:01:02: ISAKMP: SA life type in seconds
02:01:02: ISAKMP: SA life duration (basic) of 3600
02:01:02: ISAKMP: SA life type in kilobytes
02:01:02: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
02:01:02: ISAKMP: authenticator is HMAC-SHA
02:01:02: ISAKMP:(2002):atts are acceptable.
02:01:02: IPSEC(validate_proposal_request): proposal part #1
02:01:02: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.30.99.1, remote=
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
02:01:02: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
02:01:02: ISAKMP:(2002): processing NONCE payload. message ID = 1560671909
02:01:02: ISAKMP:(2002): processing ID payload. message ID = 1560671909
02:01:02: ISAKMP:(2002): processing ID payload. message ID = 1560671909
02:01:02: ISAKMP:(2002): Creating IPSec SAs
02:01:02: inbound SA from
(proxy 0.0.0.0 to 0.0.0.0)
02:01:02: has spi 0x84F77E7D and conn_id 0
02:01:02: lifetime of 3600 seconds
02:01:02: lifetime of 4608000 kilobytes
02:01:02: outbound SA from 172.30.99.1 to
(proxy 0.0.0.0 to 0.0.0.0)
02:01:02: has spi 0xCA486707 and conn_id 0
02:01:02: lifetime of 3600 seconds
02:01:02: lifetime of 4608000 kilobytes
02:01:02: ISAKMP:(2002): sending packet to
02:01:02: ISAKMP:(2002):Sending an IKE IPv4 Packet.
02:01:02: ISAKMP:(2002):deleting node 1560671909 error FALSE reason "No Error"
02:01:02: ISAKMP:(2002):Node 1560671909, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
02:01:02: ISAKMP:(2002):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
02:01:02: IPSEC(key_engine): got a queue event with 1 KMI message(s)
02:01:02: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
02:01:02: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer
02:01:02: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.30.99.1, sa_proto= 50,
sa_spi= 0x84F77E7D(2230812285),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 7
sa_lifetime(k/sec)= (4550947/3600)
02:01:02: IPSEC(create_sa): sa created,
(sa) sa_dest=
sa_spi= 0xCA486707(3393742599),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 8
sa_lifetime(k/sec)= (4550947/3600)
02:01:02: IPSEC(update_current_outbound_sa): updated peer
02:01:02: IPSEC(check_delete_duplicate_sa_bundle): found duplicated fresh SA bundle, aging it out. min_spi=48E03F51
02:01:02: IPSEC(early_age_out_sibling): sibling outbound SPI D4AF8B3C expiring in 30 seconds due to it's a duplicate SA bundle.
02:01:03: ISAKMP (2002): received packet from
02:01:03: ISAKMP: set new node 2041302203 to QM_IDLE
02:01:03: ISAKMP:(2002): processing HASH payload. message ID = 2041302203
02:01:03: ISAKMP:(2002): processing DELETE payload. message ID = 2041302203
02:01:03: ISAKMP:(2002):peer does not do paranoid keepalives.
02:01:03: ISAKMP:(2002):deleting node 2041302203 error FALSE reason "Informational (in) state 1"
02:01:03: IPSEC(key_engine): got a queue event with 1 KMI message(s)
02:01:03: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
02:01:03: IPSEC(key_engine_delete_sas): delete SA with spi 0xD4AF8B3C proto 50 for
02:01:03: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 172.30.99.1, sa_proto= 50,
sa_spi= 0x48E03F51(1222655825),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 5
sa_lifetime(k/sec)= (4450631/3600),
(identity) local= 172.30.99.1, remote=
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
02:01:03: IPSEC(delete_sa): deleting SA,
(sa) sa_dest=
sa_spi= 0xD4AF8B3C(3568274236),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 6
sa_lifetime(k/sec)= (4450631/3600),
(identity) local= 172.30.99.1, remote=
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
02:01:48: ISAKMP:(2002):purging node 1105416027
02:01:49: ISAKMP:(2002):purging node -1124267365
02:01:50: ISAKMP:(2002):purging node -2105526428
02:01:52: ISAKMP:(2002):purging node 1560671909
02:01:53: ISAKMP:(2002):purging node 2041302203