Dynamic Crypto-Map L2L VPN

rdj.perezv
Level 1

Hi,

I'm trying to set up a site-to-site VPN using a dynamic crypto map because I have a scenario where one endpoint has a public IP address but the other one is behind a NAT from an AT&T DSL router.

When I try to establish the tunnel, it starts the ISAKMP phase and completes it, and also the IPsec phase, but for some reason the traffic is not going through.

This is the network scenario:

  • R7 is behind the NAT
  • R2 is the one that will wait for the VPN Negotiation.

Attached you'll find a picture of the scenario, and for better reference I'm also uploading the running configurations of both routers.

Why is it that I can't send traffic from the R7 Loopback interface to the R2 Inside Interface f0/0?

Thanks in advance!

Here's the debug ISAKMP SA and the debug IPSEC sa outputs for R2:

R2#debug crypto isakmp

Crypto ISAKMP debugging is on

R2#deb

R2#debug cr

R2#debug crypto ip[s

R2#debug crypto ip 

R2#debug crypto ips

R2#debug crypto ipsec

Crypto IPSEC debugging is on

R2#

R2#

R2#

R2#

R2#

R2#

*Mar  3 16:31:40.743: ISAKMP (0): received packet from 10.10.10.2 dport 500 sport 500 Global (N) NEW SA

*Mar  3 16:31:40.747: ISAKMP: Created a peer struct for 10.10.10.2, peer port 500

*Mar  3 16:31:40.747: ISAKMP: New peer created peer = 0x66DFB88C peer_handle = 0x80000002

*Mar  3 16:31:40.747: ISAKMP: Locking peer struct 0x66DFB88C, refcount 1 for crypto_isakmp_process_block

*Mar  3 16:31:40.747: ISAKMP: local port 500, remote port 500

*Mar  3 16:31:40.747: ISAKMP:(0):insert sa successfully sa = 6912D854

*Mar  3 16:31:40.751: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar  3 16:31:40.751: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*Mar  3 16:31:40.751: ISAKMP:(0): processing SA payload. message ID = 0

*Mar  3 16:31:40.755: ISAKMP:(0): processing vendor id payload

*Mar  3 16:31:40.755: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Mar  3 16:31:40.755: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Mar  3 16:31:40.755: ISAKMP:(0): proce

R2#ssing vendor id payload

*Mar  3 16:31:40.755: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

*Mar  3 16:31:40.755: ISAKMP (0): vendor ID is NAT-T v7

*Mar  3 16:31:40.755: ISAKMP:(0): processing vendor id payload

*Mar  3 16:31:40.755: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

*Mar  3 16:31:40.755: ISAKMP:(0): vendor ID is NAT-T v3

*Mar  3 16:31:40.755: ISAKMP:(0): processing vendor id payload

*Mar  3 16:31:40.755: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*Mar  3 16:31:40.755: ISAKMP:(0): vendor ID is NAT-T v2

*Mar  3 16:31:40.755: ISAKMP:(0):found peer pre-shared key matching 10.10.10.2

*Mar  3 16:31:40.755: ISAKMP:(0): local preshared key found

*Mar  3 16:31:40.755: ISAKMP : Scanning profiles for xauth ... L2L VPNClient

*Mar  3 16:31:40.755: ISAKMP:(0): Authentication by xauth preshared

*Mar  3 16:31:40.755: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

*Mar  3 16:31:40.755: ISAKMP:      encryption

R2#3DES-CBC

*Mar  3 16:31:40.755: ISAKMP:      hash SHA

*Mar  3 16:31:40.755: ISAKMP:      default group 2

*Mar  3 16:31:40.755: ISAKMP:      auth pre-share

*Mar  3 16:31:40.755: ISAKMP:      life type in seconds

*Mar  3 16:31:40.755: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

*Mar  3 16:31:40.755: ISAKMP:(0):atts are acceptable. Next payload is 0

*Mar  3 16:31:40.755: ISAKMP:(0):Acceptable atts:actual life: 0

*Mar  3 16:31:40.755: ISAKMP:(0):Acceptable atts:life: 0

*Mar  3 16:31:40.755: ISAKMP:(0):Fill atts in sa vpi_length:4

*Mar  3 16:31:40.755: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

*Mar  3 16:31:40.755: ISAKMP:(0):Returning Actual lifetime: 86400

*Mar  3 16:31:40.755: ISAKMP:(0)::Started lifetime timer: 86400.

*Mar  3 16:31:40.759: ISAKMP:(0): processing vendor id payload

*Mar  3 16:31:40.759: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Mar  3 16:31:40.759: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Mar  3 16:31:40.759: ISAKMP:

R2#(0): processing vendor id payload

*Mar  3 16:31:40.759: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

*Mar  3 16:31:40.759: ISAKMP (0): vendor ID is NAT-T v7

*Mar  3 16:31:40.759: ISAKMP:(0): processing vendor id payload

*Mar  3 16:31:40.759: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

*Mar  3 16:31:40.759: ISAKMP:(0): vendor ID is NAT-T v3

*Mar  3 16:31:40.759: ISAKMP:(0): processing vendor id payload

*Mar  3 16:31:40.759: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*Mar  3 16:31:40.759: ISAKMP:(0): vendor ID is NAT-T v2

*Mar  3 16:31:40.759: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar  3 16:31:40.759: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Mar  3 16:31:40.759: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Mar  3 16:31:40.759: ISAKMP:(0): sending packet to 10.10.10.2 my_port 500 peer_port 500 (R) MM_SA_SETUP

*Mar  3 16:31:40.763: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Mar  3 1

R2#6:31:40.763: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar  3 16:31:40.767: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Mar  3 16:31:40.823: ISAKMP (0): received packet from 10.10.10.2 dport 500 sport 500 Global (R) MM_SA_SETUP

*Mar  3 16:31:40.827: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar  3 16:31:40.827: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

*Mar  3 16:31:40.835: ISAKMP:(0): processing KE payload. message ID = 0

*Mar  3 16:31:40.863: ISAKMP:(0): processing NONCE payload. message ID = 0

*Mar  3 16:31:40.863: ISAKMP:(0):found peer pre-shared key matching 10.10.10.2

*Mar  3 16:31:40.863: ISAKMP:(1001): processing vendor id payload

*Mar  3 16:31:40.863: ISAKMP:(1001): vendor ID is DPD

*Mar  3 16:31:40.863: ISAKMP:(1001): processing vendor id payload

*Mar  3 16:31:40.863: ISAKMP:(1001): speaking to another IOS box!

*Mar  3 16:31:40.863: ISAKMP:(1001): processing vendor id payload

*Mar  3 16:31:40.863: ISAK

R2#MP:(1001): vendor ID seems Unity/DPD but major 19 mismatch

*Mar  3 16:31:40.863: ISAKMP:(1001): vendor ID is XAUTH

*Mar  3 16:31:40.863: ISAKMP:received payload type 20

*Mar  3 16:31:40.867: ISAKMP (1001): His hash no match - this node outside NAT

*Mar  3 16:31:40.867: ISAKMP:received payload type 20

*Mar  3 16:31:40.867: ISAKMP (1001): His hash no match - this node outside NAT

*Mar  3 16:31:40.867: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar  3 16:31:40.867: ISAKMP:(1001):Old State = IKE_R_MM3  New State = IKE_R_MM3

*Mar  3 16:31:40.867: ISAKMP:(1001): sending packet to 10.10.10.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Mar  3 16:31:40.867: ISAKMP:(1001):Sending an IKE IPv4 Packet.

*Mar  3 16:31:40.867: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar  3 16:31:40.871: ISAKMP:(1001):Old State = IKE_R_MM3  New State = IKE_R_MM4

*Mar  3 16:31:40.947: ISAKMP (1001): received packet from 10.10.10.2 dport 4500 sport 4501 Global

R2# (R) MM_KEY_EXCH

*Mar  3 16:31:40.951: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar  3 16:31:40.951: ISAKMP:(1001):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Mar  3 16:31:40.959: ISAKMP:(1001): processing ID payload. message ID = 0

*Mar  3 16:31:40.963: ISAKMP (1001): ID payload

next-payload : 8

type         : 1

address      : 10.11.11.2

protocol     : 17

port         : 0

length       : 12

*Mar  3 16:31:40.963: ISAKMP:(0):: peer matches L2L profile

*Mar  3 16:31:40.963: ISAKMP:(1001):Found ADDRESS key in keyring SPOKES

*Mar  3 16:31:40.967: ISAKMP:(1001): processing HASH payload. message ID = 0

*Mar  3 16:31:40.967: ISAKMP:(1001): processing NOTIFY INITIAL_CONTACT protocol 1

spi 0, message ID = 0, sa = 0x6912D854

*Mar  3 16:31:40.967: ISAKMP:(1001):SA authentication status:

authenticated

*Mar  3 16:31:40.967: ISAKMP:(1001):SA has been authenticated with 10.10.10.2

*Mar  3 16:31:40.967: ISAKMP:(1001):Detected port floating to port = 4

R2#501

*Mar  3 16:31:40.967: ISAKMP: Trying to find existing peer 190.167.228.10/10.10.10.2/4501/

*Mar  3 16:31:40.967: ISAKMP:(1001):SA authentication status:

authenticated

*Mar  3 16:31:40.967: ISAKMP:(1001): Process initial contact,

bring down existing phase 1 and 2 SA's with local 190.167.228.10 remote 10.10.10.2 remote port 4501

*Mar  3 16:31:40.967: ISAKMP: Trying to insert a peer 190.167.228.10/10.10.10.2/4501/,  and inserted successfully 66DFB88C.

*Mar  3 16:31:40.967: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar  3 16:31:40.967: ISAKMP:(1001):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Mar  3 16:31:40.971: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Mar  3 16:31:40.971: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Mar  3 16:31:40.971: ISAKMP (1001): ID payload

next-payload : 8

type         : 1

address      : 190.167.228.10

protocol     : 17

port         : 0

length    

R2#  : 12

*Mar  3 16:31:40.971: ISAKMP:(1001):Total payload length: 12

*Mar  3 16:31:40.971: ISAKMP:(1001): sending packet to 10.10.10.2 my_port 4500 peer_port 4501 (R) MM_KEY_EXCH

*Mar  3 16:31:40.971: ISAKMP:(1001):Sending an IKE IPv4 Packet.

*Mar  3 16:31:40.975: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar  3 16:31:40.975: ISAKMP:(1001):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Mar  3 16:31:40.983: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Mar  3 16:31:40.983: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

R2#

*Mar  3 16:31:51.075: ISAKMP (1001): received packet from 10.10.10.2 dport 4500 sport 4501 Global (R) QM_IDLE     

*Mar  3 16:31:51.075: ISAKMP: set new node 871551958 to QM_IDLE     

*Mar  3 16:31:51.079: ISAKMP:(1001): processing HASH payload. message ID = 871551958

*Mar  3 16:31:51.083: ISAKMP:(1001): processing SA payload. message ID = 871551958

*Mar  3 16:31:51.083: ISAKMP:(1001):Checking IPSec proposal 1

*Mar  3 16:31:51.087: ISAKMP: transform 1, ESP_3DES

*Mar  3 16:31:51.087: ISAKMP:   attributes in transform:

*Mar  3 16:31:51.087: ISAKMP:      encaps is 3 (Tunnel-UDP)

*Mar  3 16:31:51.091: ISAKMP:      SA life type in seconds

*Mar  3 16:31:51.091: ISAKMP:      SA life duration (basic) of 3600

*Mar  3 16:31:51.091: ISAKMP:      SA life type in kilobytes

*Mar  3 16:31:51.095: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0

*Mar  3 16:31:51.099: ISAKMP:      authenticator is HMAC-SHA

*Mar  3 16:31:51.099: ISAKMP:(1001):atts are acceptable.

*Mar  3 16:

R2#31:51.099: IPSEC(validate_proposal_request): proposal part #1

*Mar  3 16:31:51.099: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 190.167.228.10:0, remote= 10.10.10.2:0,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 172.17.0.0/255.255.255.0/256/0,

    protocol= ESP, transform= NONE  (Tunnel-UDP),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

*Mar  3 16:31:51.099: map_db_check_isakmp_profile profile did not match

*Mar  3 16:31:51.103: ISAKMP:(1001): processing NONCE payload. message ID = 871551958

*Mar  3 16:31:51.103: ISAKMP:(1001): processing ID payload. message ID = 871551958

*Mar  3 16:31:51.103: ISAKMP:(1001): processing ID payload. message ID = 871551958

*Mar  3 16:31:51.103: ISAKMP:(1001):QM Responder gets spi

*Mar  3 16:31:51.107: ISAKMP:(1001):Node 871551958, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Mar  3 16:31:51.107: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_SP

R2#I_STARVE

*Mar  3 16:31:51.107: ISAKMP:(1001):Node 871551958, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI

*Mar  3 16:31:51.107: ISAKMP:(1001):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_IPSEC_INSTALL_AWAIT

*Mar  3 16:31:51.107: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Mar  3 16:31:51.107: map_db_check_isakmp_profile profile did not match

*Mar  3 16:31:51.107: IPSEC(crypto_ipsec_create_ipsec_sas): Map found dynmap

*Mar  3 16:31:51.123: IPSEC(create_sa): sa created,

  (sa) sa_dest= 190.167.228.10, sa_proto= 50,

    sa_spi= 0xD9C90D79(3653832057),

    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 1

    sa_lifetime(k/sec)= (4608000/3600)

*Mar  3 16:31:51.123: IPSEC(create_sa): sa created,

  (sa) sa_dest= 10.10.10.2, sa_proto= 50,

    sa_spi= 0xD1518057(3511779415),

    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2

    sa_lifetime(k/sec)= (4608000/3600)

*Mar  3 16:31:51.123:  ISAKMP: Failed to find peer index node to update peer_info_list

*Mar  3 1

R2#6:31:51.127: ISAKMP:(1001):Received IPSec Install callback... proceeding with the negotiation

*Mar  3 16:31:51.131: ISAKMP:(1001): sending packet to 10.10.10.2 my_port 4500 peer_port 4501 (R) QM_IDLE     

*Mar  3 16:31:51.131: ISAKMP:(1001):Sending an IKE IPv4 Packet.

*Mar  3 16:31:51.135: ISAKMP:(1001):Node 871551958, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE

*Mar  3 16:31:51.139: ISAKMP:(1001):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2

*Mar  3 16:31:51.255: ISAKMP (1001): received packet from 10.10.10.2 dport 4500 sport 4501 Global (R) QM_IDLE     

*Mar  3 16:31:51.263: ISAKMP:(1001):deleting node 871551958 error FALSE reason "QM done (await)"

*Mar  3 16:31:51.263: ISAKMP:(1001):Node 871551958, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Mar  3 16:31:51.267: ISAKMP:(1001):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE

*Mar  3 16:31:51.271: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Mar  3 16:31:51.271: IPSEC(key_eng

R2#ine_enable_outbound): rec'd enable notify from ISAKMP

*Mar  3 16:31:51.279: IPSEC: Expand action denied, notify RP

R2#

*Mar  3 16:32:41.263: ISAKMP:(1001):purging node 871551958

R2#

Here's the debug ISAKMP SA and the debug IPSEC sa outputs for R7:

R7#ping 10.0.0.1 so

R7#ping 10.0.0.1 source loo

R7#ping 10.0.0.1 source loopback 0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:

Packet sent with a source address of 172.17.0.1

*Mar  3 16:31:40.927: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 10.11.11.2:500, remote= 190.167.228.10:500,

    local_proxy= 172.17.0.0/255.255.255.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0,

    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

*Mar  3 16:31:40.939: ISAKMP:(0): SA request profile is (NULL)

*Mar  3 16:31:40.939: ISAKMP: Created a peer struct for 190.167.228.10, peer port 500

*Mar  3 16:31:40.939: ISAKMP: New peer created peer = 0x6750E470 peer_handle = 0x80000002

*Mar  3 16:31:40.939: ISAKMP: Locking peer struct 0x6750E470, refcount 1 for isakmp_initiator

*Mar  3 16:31:40.939: ISAKMP: local port 500, remote port 500

*Mar  3 16:31:40.939: ISAKMP: set new node 0 to QM_IDLE     

*Mar  3 16:31:40.939: ISAKMP:(0):insert sa successfully sa = 68769D50

*Mar  3 16:31:40.943: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

*Mar  3 16:31:40.943: ISAKMP:(0):found peer pre-shared key matching 190.167.228.10

*Mar  3 16:31:40.943: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Mar  3 16:31:40.943: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Mar  3 16:31:40.947: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Mar  3 16:31:40.947: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Mar  3 16:31:40.947: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Mar  3 16:31:40.947: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Mar  3 16:31:40.947: ISAKMP:(0): beginning Main Mode exchange

*Mar  3 16:31:40.947: ISAKMP:(0): sending packet to 190.167.228.10 my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar  3 16:31:40.947: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Mar  3 16:31:40.991: ISAKMP (0): received packet from 190.167.228.10 dport 500 sport 500 Global (I) MM_NO_STATE

*Mar  3 16:31:41.007: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar  3 16:31:41.011: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_.MM2

*Mar  3 16:31:41.019: ISAKMP:(0): processing SA payload. message ID = 0

*Mar  3 16:31:41.019: ISAKMP:(0): processing vendor id payload

*Mar  3 16:31:41.023: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Mar  3 16:31:41.023: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Mar  3 16:31:41.027: ISAKMP:(0):found peer pre-shared key matching 190.167.228.10

*Mar  3 16:31:41.027: ISAKMP:(0): local preshared key found

*Mar  3 16:31:41.027: ISAKMP : Scanning profiles for xauth ...

*Mar  3 16:31:41.031: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

*Mar  3 16:31:41.031: ISAKMP:      encryption 3DES-CBC

*Mar  3 16:31:41.031: ISAKMP:      hash SHA

*Mar  3 16:31:41.031: ISAKMP:      default group 2

*Mar  3 16:31:41.031: ISAKMP:      auth pre-share

*Mar  3 16:31:41.031: ISAKMP:      life type in seconds

*Mar  3 16:31:41.035: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

*Mar  3 16:31:41.035: ISAKMP:(0):atts are acceptable. Next payload is 0

*Mar  3 16:31:41.035: ISAKMP:(0):Acceptable atts:actual life: 0

*Mar  3 16:31:41.035: ISAKMP:(0):Acceptable atts:life: 0

*Mar  3 16:31:41.035: ISAKMP:(0):Fill atts in sa vpi_length:4

*Mar  3 16:31:41.035: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

*Mar  3 16:31:41.035: ISAKMP:(0):Returning Actual lifetime: 86400

*Mar  3 16:31:41.035: ISAKMP:(0)::Started lifetime timer: 86400.

*Mar  3 16:31:41.035: ISAKMP:(0): processing vendor id payload

*Mar  3 16:31:41.035: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Mar  3 16:31:41.035: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Mar  3 16:31:41.035: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar  3 16:31:41.035: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Mar  3 16:31:41.035: ISAKMP:(0): sending packet to 190.167.228.10 my_port 500 peer_port 500 (I) MM_SA_SETUP

*Mar  3 16:31:41.035: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Mar  3 16:31:41.039: ISAKMP:(0):Input = IKE_MESG_INTERN.AL, IKE_PROCESS_COMPLETE

*Mar  3 16:31:41.039: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Mar  3 16:31:41.123: ISAKMP (0): received packet from 190.167.228.10 dport 500 sport 500 Global (I) MM_SA_SETUP

*Mar  3 16:31:41.131: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar  3 16:31:41.131: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Mar  3 16:31:41.131: ISAKMP:(0): processing KE payload. message ID = 0

*Mar  3 16:31:41.147: ISAKMP:(0): processing NONCE payload. message ID = 0

*Mar  3 16:31:41.147: ISAKMP:(0):found peer pre-shared key matching 190.167.228.10

*Mar  3 16:31:41.147: ISAKMP:(1001): processing vendor id payload

*Mar  3 16:31:41.151: ISAKMP:(1001): vendor ID is Unity

*Mar  3 16:31:41.151: ISAKMP:(1001): processing vendor id payload

*Mar  3 16:31:41.151: ISAKMP:(1001): vendor ID is DPD

*Mar  3 16:31:41.151: ISAKMP:(1001): processing vendor id payload

*Mar  3 16:31:41.155: ISAKMP:(1001): speaking to another IOS box!

*Mar  3 16:31:41.155: ISAKMP:received payload type 20

*Mar  3 16:31:41.155: ISAKMP (1001): NAT found, both nodes inside NAT

*Mar  3 16:31:41.155: ISAKMP:received payload type 20

*Mar  3 16:31:41.155: ISAKMP (1001): My hash no match -  this node inside NAT

*Mar  3 16:31:41.155: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar  3 16:31:41.155: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Mar  3 16:31:41.155: ISAKMP:(1001):Send initial contact

*Mar  3 16:31:41.155: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Mar  3 16:31:41.155: ISAKMP (1001): ID payload

next-payload : 8

type         : 1

address      : 10.11.11.2

protocol     : 17

port         : 0

length       : 12

*Mar  3 16:31:41.155: ISAKMP:(1001):Total payload length: 12

*Mar  3 16:31:41.155: ISAKMP:(1001): sending packet to 190.167.228.10 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

*Mar  3 16:31:41.159: ISAKMP:(1001):Sending an IKE IPv4 .Packet.

*Mar  3 16:31:41.163: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar  3 16:31:41.163: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Mar  3 16:31:41.207: ISAKMP (1001): received packet from 190.167.228.10 dport 4500 sport 4500 Global (I) MM_KEY_EXCH

*Mar  3 16:31:41.211: ISAKMP:(1001): processing ID payload. message ID = 0

*Mar  3 16:31:41.215: ISAKMP (1001): ID payload

next-payload : 8

type         : 1

address      : 190.167.228.10

protocol     : 17

port         : 0

length       : 12

*Mar  3 16:31:41.219: ISAKMP:(0):: peer matches *none* of the profiles

*Mar  3 16:31:41.219: ISAKMP:(1001): processing HASH payload. message ID = 0

*Mar  3 16:31:41.223: ISAKMP:(1001):SA authentication status:

authenticated

*Mar  3 16:31:41.227: ISAKMP:(1001):SA has been authenticated with 190.167.228.10

*Mar  3 16:31:41.227: ISAKMP:(1001):Setting UDP ENC peer struct 0x69210CFC sa= 0x68769D50

*Mar  3 16:31:41.231: ISAKMP: Trying to insert a peer 10.11.11.2/190.167.228.10/4500/,  and inserted successfully 6750E470.

*Mar  3 16:31:41.235: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar  3 16:31:41.235: ISAKMP:(1001):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Mar  3 16:31:41.243: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar  3 16:31:41.243: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Mar  3 16:31:41.243: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar  3 16:31:41.243: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Mar  3 16:31:41.247: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 871551958

*Mar  3 16:31:41.247: ISAKMP:(1001):QM Initiator gets spi

*Mar  3 16:31:41.251: ISAKMP:(1001): sending packet to 190.167.228.10 my_port 4500 peer_port 4500 (I) QM_IDLE     

*Mar  3 16:31:41.251: ISAKMP:(1001):Sending an IKE IPv4 Packet.

*Mar  3 16:31:41.255: ISAKMP:(1001):Node 871551958, Input = IKE_MESG_INTERNAL., IKE_INIT_QM

*Mar  3 16:31:41.255: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1

*Mar  3 16:31:41.255: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Mar  3 16:31:41.255: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

.

Success rate is 0 percent (0/5)

R7#

*Mar  3 16:31:51.255: ISAKMP:(1001): retransmitting phase 2 QM_IDLE       871551958 ...

*Mar  3 16:31:51.255: ISAKMP (1001): incrementing error counter on node, attempt 1 of 5: retransmit phase 2

*Mar  3 16:31:51.259: ISAKMP (1001): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2

*Mar  3 16:31:51.259: ISAKMP:(1001): retransmitting phase 2 871551958 QM_IDLE     

*Mar  3 16:31:51.263: ISAKMP:(1001): sending packet to 190.167.228.10 my_port 4500 peer_port 4500 (I) QM_IDLE     

*Mar  3 16:31:51.263: ISAKMP:(1001):Sending an IKE IPv4 Packet.

*Mar  3 16:31:51.391: ISAKMP (1001): received packet from 190.167.228.10 dport 4500 sport 4500 Global (I) QM_IDLE     

*Mar  3 16:31:51.399: ISAKMP:(1001): processing HASH payload. message ID = 871551958

*Mar  3 16:31:51.399: ISAKMP:(1001): processing SA payload. message ID = 871551958

*Mar  3 16:31:51.399: ISAKMP:(1001):Checking IPSec proposal 1

*Mar  3 16:31:51.399: ISAKMP: transform 1, ESP_3DES

*Mar  3 16:31:51.3

R7#99: ISAKMP:   attributes in transform:

*Mar  3 16:31:51.399: ISAKMP:      encaps is 3 (Tunnel-UDP)

*Mar  3 16:31:51.403: ISAKMP:      SA life type in seconds

*Mar  3 16:31:51.403: ISAKMP:      SA life duration (basic) of 3600

*Mar  3 16:31:51.403: ISAKMP:      SA life type in kilobytes

*Mar  3 16:31:51.403: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0

*Mar  3 16:31:51.403: ISAKMP:      authenticator is HMAC-SHA

*Mar  3 16:31:51.403: ISAKMP:(1001):atts are acceptable.

*Mar  3 16:31:51.403: IPSEC(validate_proposal_request): proposal part #1

*Mar  3 16:31:51.403: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 10.11.11.2:0, remote= 190.167.228.10:0,

    local_proxy= 172.17.0.0/255.255.255.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0,

    protocol= ESP, transform= NONE  (Tunnel-UDP),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

*Mar  3 16:31:51.403: Crypto mapdb : proxy_match

src add

R7#r     : 172.17.0.0

dst addr     : 0.0.0.0

protocol     : 0

src port     : 0

dst port     : 0

*Mar  3 16:31:51.407: ISAKMP:(1001): processing NONCE payload. message ID = 871551958

*Mar  3 16:31:51.411: ISAKMP:(1001): processing ID payload. message ID = 871551958

*Mar  3 16:31:51.411: ISAKMP:(1001): processing ID payload. message ID = 871551958

*Mar  3 16:31:51.415: ISAKMP:(1001):Node 871551958, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Mar  3 16:31:51.415: ISAKMP:(1001):Old State = IKE_QM_I_QM1  New State = IKE_QM_IPSEC_INSTALL_AWAIT

*Mar  3 16:31:51.415: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Mar  3 16:31:51.415: Crypto mapdb : proxy_match

src addr     : 172.17.0.0

dst addr     : 0.0.0.0

protocol     : 256

src port     : 0

dst port     : 0

*Mar  3 16:31:51.419: IPSEC(crypto_ipsec_create_ipsec_sas): Map found mymap

*Mar  3 16:31:51.419: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 190.167.228.10

*Mar

R7#  3 16:31:51.435: IPSEC(create_sa): sa created,

  (sa) sa_dest= 10.11.11.2, sa_proto= 50,

    sa_spi= 0xD1518057(3511779415),

    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 1

    sa_lifetime(k/sec)= (4608000/3600)

*Mar  3 16:31:51.439: IPSEC(create_sa): sa created,

  (sa) sa_dest= 190.167.228.10, sa_proto= 50,

    sa_spi= 0xD9C90D79(3653832057),

    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2

    sa_lifetime(k/sec)= (4608000/3600)

*Mar  3 16:31:51.447: IPSEC: Expand action denied, notify RP

*Mar  3 16:31:51.451:  ISAKMP: Failed to find peer index node to update peer_info_list

*Mar  3 16:31:51.455: ISAKMP:(1001):Received IPSec Install callback... proceeding with the negotiation

*Mar  3 16:31:51.467: ISAKMP:(1001): sending packet to 190.167.228.10 my_port 4500 peer_port 4500 (I) QM_IDLE     

*Mar  3 16:31:51.471: ISAKMP:(1001):Sending an IKE IPv4 Packet.

*Mar  3 16:31:51.475: ISAKMP:(1001):deleting node 871551958 error FALSE reason "No Error"

*Mar  3 16:31:51

R7#.475: ISAKMP:(1001):Node 871551958, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE

*Mar  3 16:31:51.479: ISAKMP:(1001):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_PHASE2_COMPLETE

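The post states that both IKE phases complete on R2 and R7 while traffic still fails. One way to check that statement against the two captures, as an added example that is not part of the original post: a Python script that rejoins debug lines split by the console prompt echo, then compares the state transitions and IPsec SPIs recorded by each router. The function names are assumptions, and the embedded logs are abbreviated excerpts of the output above.

```python
import re

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
SA_RE = re.compile(r"sa_dest= ([\d.]+),.*?sa_spi= (0x[0-9A-Fa-f]+)", re.S)

def rejoin(raw, hostname):
    """Undo console prompt echo: IOS reprints '<hostname>#' in the middle of a
    debug message, so one log line arrives as two captured lines."""
    prompt, out, in_debug = hostname + "#", [], False
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line.startswith(prompt):
            rest = line[len(prompt):]
            if in_debug and rest.strip():
                out[-1] += rest           # tail of the interrupted message
            else:
                in_debug = False          # bare prompt or a typed command
            continue
        in_debug = in_debug or line.startswith("*")
        if in_debug:
            out.append(line)              # debug line or its continuation
    return out

def summarize(lines):
    """Pull the facts that matter for 'tunnel is up but no traffic'."""
    text = "\n".join(lines)
    states = {new for _old, new in STATE_RE.findall(text)}
    return {
        "phase1": "IKE_P1_COMPLETE" in states,
        "phase2": "IKE_QM_PHASE2_COMPLETE" in states,
        "nat_t": "(Tunnel-UDP)" in text,  # ESP negotiated inside UDP
        "sas": {int(spi, 16): dest for dest, spi in SA_RE.findall(text)},
    }

def compare(hub, spoke):
    """Cross-check both routers' views of the same negotiation."""
    shared = hub["sas"].keys() & spoke["sas"].keys()
    return {
        "both_phases_done": all(s["phase1"] and s["phase2"] for s in (hub, spoke)),
        "spis_match": len(shared) == 2 and hub["sas"].keys() == spoke["sas"].keys(),
        # same SPI, different sa_dest: an address translator sits between the peers
        "translated": sorted(hex(s) for s in shared if hub["sas"][s] != spoke["sas"][s]),
        "udp_encap": hub["nat_t"] and spoke["nat_t"],
    }

# Abbreviated excerpts of the R2 and R7 debug output in the post.
R2_LOG = """\
R2#debug crypto ipsec
Crypto IPSEC debugging is on
R2#
*Mar  3 16:31:40.975: ISAKMP:(1001):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Mar  3 16:31:51.087: ISAKMP:      encaps is 3 (Tunnel-UDP)
*Mar  3 16:31:51.107: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_SP
R2#I_STARVE
*Mar  3 16:31:51.123: IPSEC(create_sa): sa created,
  (sa) sa_dest= 190.167.228.10, sa_proto= 50,
    sa_spi= 0xD9C90D79(3653832057),
*Mar  3 16:31:51.123: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.10.10.2, sa_proto= 50,
    sa_spi= 0xD1518057(3511779415),
*Mar  3 16:31:51.267: ISAKMP:(1001):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
"""
R7_LOG = """\
R7#ping 10.0.0.1 source loopback 0
*Mar  3 16:31:41.243: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Mar  3 16:31:51.399: ISAKMP:      encaps is 3 (Tunnel-UDP)
*Mar
R7#  3 16:31:51.435: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.11.11.2, sa_proto= 50,
    sa_spi= 0xD1518057(3511779415),
*Mar  3 16:31:51.439: IPSEC(create_sa): sa created,
  (sa) sa_dest= 190.167.228.10, sa_proto= 50,
    sa_spi= 0xD9C90D79(3653832057),
*Mar  3 16:31:51.479: ISAKMP:(1001):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_PHASE2_COMPLETE
"""

if __name__ == "__main__":
    r2 = summarize(rejoin(R2_LOG, "R2"))
    r7 = summarize(rejoin(R7_LOG, "R7"))
    print(compare(r2, r7))
```

A `translated` entry together with `udp_encap` being true is the expected picture for a peer behind NAT. With negotiation confirmed on both sides, the encaps/decaps counters in `show crypto ipsec sa` on each router show which direction of the data path is losing packets.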