cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3641
Views
0
Helpful
5
Replies

IKEV2 SITE-2-SITE VPN FAIL ON CISCO ASA 5500-X

Revenue_admin
Level 1
Level 1

Hi Forum, 

Unable to set up a tunnel between identical ASA 5525-x over the internet even after much troubleshooting. 

Below are the debug output from both peers:

 

Peer 1

IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-5: (93): Setting configured policies
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-2: (93): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
IKEv2-PROTO-2: (93): Request queued for computation of DH key
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-5: (93): Action: Action_Null
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-2: (93): Generating IKE_SA_INIT message
IKEv2-PROTO-2: (93): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
(93): AES-CBC(93): SHA256(93): SHA256(93): DH_GROUP_256_ECP/Group 19(93):
IKEv2-PROTO-2: (93): Sending Packet [To 105.112.132.242:500/From 102.38.58.10:500/VRF i0:f0]
(93): Initiator SPI : 51A50CFEA2D5F5D5 - Responder SPI : 0000000000000000 Message id: 0
(93): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-3: (93): Next payload: SA, version: 2.0 (93): Exchange type: IKE_SA_INIT, flags: INITIATOR (93): Message id: 0, length: 382(93):
Payload contents:
(93): SA(93): Next payload: KE, reserved: 0x0, length: 48
(93): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(93): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(93): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(93): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(93): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(93): KE(93): Next payload: N, reserved: 0x0, length: 72
(93): DH group: 19, Reserved: 0x0
(93):
(93): 2e a5 93 64 52 88 ac 45 54 2d 25 91 89 65 d9 db
(93): 96 dc 7f a5 f7 ae 53 69 75 ab 48 7e 2c aa c8 ef
(93): 40 1c 8c 53 7b c9 4e 5f d2 b8 c4 9a e1 8a 07 57
(93): 7b 10 e9 22 30 0f 7f 7d a8 d8 7c 0b e8 b4 73 ad
(93): N(93): Next payload: VID, reserved: 0x0, length: 68
(93):
(93): 4f 74 75 04 f7 02 6e 82 5c 2d 8c ba 9e 8d 9d 0c
(93): 3e a4 fe df d5 ae 6b 41 fb f5 46 73 04 34 d0 2d
(93): 41 5c 91 c1 f4 2c 13 f0 ac 07 80 22 3d 55 92 3b
(93): 94 e9 e4 a4 85 bc f0 b5 aa 52 20 3b c7 cb f6 e0
(93): VID(93): Next payload: VID, reserved: 0x0, length: 23
(93):
(93): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(93): 53 4f 4e
(93): VID(93): Next payload: NOTIFY, reserved: 0x0, length: 59
(93):
(93): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(93): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(93): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(93): 73 2c 20 49 6e 63 2e
(93): NOTIFY(NAT_DETECTION_SOURCE_IP)(93): Next payload: NOTIFY, reserved: 0x0, length: 28
(93): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(93):
(93): 1a b3 ba 29 97 65 87 b6 35 e4 c4 2b cb e8 93 5c
(93): 6a 65 8c 18
(93): NOTIFY(NAT_DETECTION_DESTINATION_IP)(93): Next payload: NOTIFY, reserved: 0x0, length: 28
(93): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(93):
(93): 6b 11 9a a3 eb 9a a7 26 21 c7 c3 d0 ca 38 34 3f
(93): 19 6f 43 44
(93): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(93): Next payload: VID, reserved: 0x0, length: 8
(93): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(93): VID(93): Next payload: NONE, reserved: 0x0, length: 20
(93):
(93): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(93):
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-2: (93): Insert SA
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-2: (93): Retransmitting packet
(93):
IKEv2-PROTO-2: (93): Sending Packet [To 105.112.132.242:500/From 102.38.58.10:500/VRF i0:f0]
(93): Initiator SPI : 51A50CFEA2D5F5D5 - Responder SPI : 0000000000000000 Message id: 0
(93): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-3: (93): Next payload: SA, version: 2.0 (93): Exchange type: IKE_SA_INIT, flags: INITIATOR (93): Message id: 0, length: 382(93):
Payload contents:
(93): SA(93): Next payload: KE, reserved: 0x0, length: 48
(93): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(93): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(93): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(93): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(93): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(93): KE(93): Next payload: N, reserved: 0x0, length: 72
(93): DH group: 19, Reserved: 0x0
(93):
(93): 2e a5 93 64 52 88 ac 45 54 2d 25 91 89 65 d9 db
(93): 96 dc 7f a5 f7 ae 53 69 75 ab 48 7e 2c aa c8 ef
(93): 40 1c 8c 53 7b c9 4e 5f d2 b8 c4 9a e1 8a 07 57
(93): 7b 10 e9 22 30 0f 7f 7d a8 d8 7c 0b e8 b4 73 ad
(93): N(93): Next payload: VID, reserved: 0x0, length: 68
(93):
(93): 4f 74 75 04 f7 02 6e 82 5c 2d 8c ba 9e 8d 9d 0c
(93): 3e a4 fe df d5 ae 6b 41 fb f5 46 73 04 34 d0 2d
(93): 41 5c 91 c1 f4 2c 13 f0 ac 07 80 22 3d 55 92 3b
(93): 94 e9 e4 a4 85 bc f0 b5 aa 52 20 3b c7 cb f6 e0
(93): VID(93): Next payload: VID, reserved: 0x0, length: 23
(93):
(93): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(93): 53 4f 4e
(93): VID(93): Next payload: NOTIFY, reserved: 0x0, length: 59
(93):
(93): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(93): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(93): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(93): 73 2c 20 49 6e 63 2e
(93): NOTIFY(NAT_DETECTION_SOURCE_IP)(93): Next payload: NOTIFY, reserved: 0x0, length: 28
(93): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(93):
(93): 1a b3 ba 29 97 65 87 b6 35 e4 c4 2b cb e8 93 5c
(93): 6a 65 8c 18
(93): NOTIFY(NAT_DETECTION_DESTINATION_IP)(93): Next payload: NOTIFY, reserved: 0x0, length: 28
(93): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(93):
(93): 6b 11 9a a3 eb 9a a7 26 21 c7 c3 d0 ca 38 34 3f
(93): 19 6f 43 44
(93): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(93): Next payload: VID, reserved: 0x0, length: 8
(93): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(93): VID(93): Next payload: NONE, reserved: 0x0, length: 20
(93):
(93): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(93):
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-2: (93): Retransmitting packet
(93):
IKEv2-PROTO-2: (93): Sending Packet [To 105.112.132.242:500/From 102.38.58.10:500/VRF i0:f0]
(93): Initiator SPI : 51A50CFEA2D5F5D5 - Responder SPI : 0000000000000000 Message id: 0
(93): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-3: (93): Next payload: SA, version: 2.0 (93): Exchange type: IKE_SA_INIT, flags: INITIATOR (93): Message id: 0, length: 382(93):
Payload contents:
(93): SA(93): Next payload: KE, reserved: 0x0, length: 48
(93): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(93): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(93): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(93): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(93): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(93): KE(93): Next payload: N, reserved: 0x0, length: 72
(93): DH group: 19, Reserved: 0x0
(93):
(93): 2e a5 93 64 52 88 ac 45 54 2d 25 91 89 65 d9 db
(93): 96 dc 7f a5 f7 ae 53 69 75 ab 48 7e 2c aa c8 ef
(93): 40 1c 8c 53 7b c9 4e 5f d2 b8 c4 9a e1 8a 07 57
(93): 7b 10 e9 22 30 0f 7f 7d a8 d8 7c 0b e8 b4 73 ad
(93): N(93): Next payload: VID, reserved: 0x0, length: 68
(93):
(93): 4f 74 75 04 f7 02 6e 82 5c 2d 8c ba 9e 8d 9d 0c
(93): 3e a4 fe df d5 ae 6b 41 fb f5 46 73 04 34 d0 2d
(93): 41 5c 91 c1 f4 2c 13 f0 ac 07 80 22 3d 55 92 3b
(93): 94 e9 e4 a4 85 bc f0 b5 aa 52 20 3b c7 cb f6 e0
(93): VID(93): Next payload: VID, reserved: 0x0, length: 23
(93):
(93): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(93): 53 4f 4e
(93): VID(93): Next payload: NOTIFY, reserved: 0x0, length: 59
(93):
(93): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(93): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(93): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(93): 73 2c 20 49 6e 63 2e
(93): NOTIFY(NAT_DETECTION_SOURCE_IP)(93): Next payload: NOTIFY, reserved: 0x0, length: 28
(93): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(93):
(93): 1a b3 ba 29 97 65 87 b6 35 e4 c4 2b cb e8 93 5c
(93): 6a 65 8c 18
(93): NOTIFY(NAT_DETECTION_DESTINATION_IP)(93): Next payload: NOTIFY, reserved: 0x0, length: 28
(93): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(93):
(93): 6b 11 9a a3 eb 9a a7 26 21 c7 c3 d0 ca 38 34 3f
(93): 19 6f 43 44
(93): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(93): Next payload: VID, reserved: 0x0, length: 8
(93): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(93): VID(93): Next payload: NONE, reserved: 0x0, length: 20
(93):
(93): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(93):
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-2: (93): Retransmitting packet
(93):
IKEv2-PROTO-2: (93): Sending Packet [To 105.112.132.242:500/From 102.38.58.10:500/VRF i0:f0]
(93): Initiator SPI : 51A50CFEA2D5F5D5 - Responder SPI : 0000000000000000 Message id: 0
(93): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-3: (93): Next payload: SA, version: 2.0 (93): Exchange type: IKE_SA_INIT, flags: INITIATOR (93): Message id: 0, length: 382(93):
Payload contents:
(93): SA(93): Next payload: KE, reserved: 0x0, length: 48
(93): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(93): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(93): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(93): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(93): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(93): KE(93): Next payload: N, reserved: 0x0, length: 72
(93): DH group: 19, Reserved: 0x0
(93):
(93): 2e a5 93 64 52 88 ac 45 54 2d 25 91 89 65 d9 db
(93): 96 dc 7f a5 f7 ae 53 69 75 ab 48 7e 2c aa c8 ef
(93): 40 1c 8c 53 7b c9 4e 5f d2 b8 c4 9a e1 8a 07 57
(93): 7b 10 e9 22 30 0f 7f 7d a8 d8 7c 0b e8 b4 73 ad
(93): N(93): Next payload: VID, reserved: 0x0, length: 68
(93):
(93): 4f 74 75 04 f7 02 6e 82 5c 2d 8c ba 9e 8d 9d 0c
(93): 3e a4 fe df d5 ae 6b 41 fb f5 46 73 04 34 d0 2d
(93): 41 5c 91 c1 f4 2c 13 f0 ac 07 80 22 3d 55 92 3b
(93): 94 e9 e4 a4 85 bc f0 b5 aa 52 20 3b c7 cb f6 e0
(93): VID(93): Next payload: VID, reserved: 0x0, length: 23
(93):
(93): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(93): 53 4f 4e
(93): VID(93): Next payload: NOTIFY, reserved: 0x0, length: 59
(93):
(93): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(93): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(93): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(93): 73 2c 20 49 6e 63 2e
(93): NOTIFY(NAT_DETECTION_SOURCE_IP)(93): Next payload: NOTIFY, reserved: 0x0, length: 28
(93): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(93):
(93): 1a b3 ba 29 97 65 87 b6 35 e4 c4 2b cb e8 93 5c
(93): 6a 65 8c 18
(93): NOTIFY(NAT_DETECTION_DESTINATION_IP)(93): Next payload: NOTIFY, reserved: 0x0, length: 28
(93): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(93):
(93): 6b 11 9a a3 eb 9a a7 26 21 c7 c3 d0 ca 38 34 3f
(93): 19 6f 43 44
(93): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(93): Next payload: VID, reserved: 0x0, length: 8
(93): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(93): VID(93): Next payload: NONE, reserved: 0x0, length: 20
(93):
(93): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(93):
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-2: (93): Retransmitting packet
(93):
IKEv2-PROTO-2: (93): Sending Packet [To 105.112.132.242:500/From 102.38.58.10:500/VRF i0:f0]
(93): Initiator SPI : 51A50CFEA2D5F5D5 - Responder SPI : 0000000000000000 Message id: 0
(93): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-3: (93): Next payload: SA, version: 2.0 (93): Exchange type: IKE_SA_INIT, flags: INITIATOR (93): Message id: 0, length: 382(93):
Payload contents:
(93): SA(93): Next payload: KE, reserved: 0x0, length: 48
(93): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(93): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(93): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(93): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(93): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(93): KE(93): Next payload: N, reserved: 0x0, length: 72
(93): DH group: 19, Reserved: 0x0
(93):
(93): 2e a5 93 64 52 88 ac 45 54 2d 25 91 89 65 d9 db
(93): 96 dc 7f a5 f7 ae 53 69 75 ab 48 7e 2c aa c8 ef
(93): 40 1c 8c 53 7b c9 4e 5f d2 b8 c4 9a e1 8a 07 57
(93): 7b 10 e9 22 30 0f 7f 7d a8 d8 7c 0b e8 b4 73 ad
(93): N(93): Next payload: VID, reserved: 0x0, length: 68
(93):
(93): 4f 74 75 04 f7 02 6e 82 5c 2d 8c ba 9e 8d 9d 0c
(93): 3e a4 fe df d5 ae 6b 41 fb f5 46 73 04 34 d0 2d
(93): 41 5c 91 c1 f4 2c 13 f0 ac 07 80 22 3d 55 92 3b
(93): 94 e9 e4 a4 85 bc f0 b5 aa 52 20 3b c7 cb f6 e0
(93): VID(93): Next payload: VID, reserved: 0x0, length: 23
(93):
(93): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(93): 53 4f 4e
(93): VID(93): Next payload: NOTIFY, reserved: 0x0, length: 59
(93):
(93): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(93): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(93): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(93): 73 2c 20 49 6e 63 2e
(93): NOTIFY(NAT_DETECTION_SOURCE_IP)(93): Next payload: NOTIFY, reserved: 0x0, length: 28
(93): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(93):
(93): 1a b3 ba 29 97 65 87 b6 35 e4 c4 2b cb e8 93 5c
(93): 6a 65 8c 18
(93): NOTIFY(NAT_DETECTION_DESTINATION_IP)(93): Next payload: NOTIFY, reserved: 0x0, length: 28
(93): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(93):
(93): 6b 11 9a a3 eb 9a a7 26 21 c7 c3 d0 ca 38 34 3f
(93): 19 6f 43 44
(93): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(93): Next payload: VID, reserved: 0x0, length: 8
(93): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(93): VID(93): Next payload: NONE, reserved: 0x0, length: 20
(93):
(93): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(93):
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-2: (93): Retransmitting packet
(93):
IKEv2-PROTO-2: (93): Sending Packet [To 105.112.132.242:500/From 102.38.58.10:500/VRF i0:f0]
(93): Initiator SPI : 51A50CFEA2D5F5D5 - Responder SPI : 0000000000000000 Message id: 0
(93): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-3: (93): Next payload: SA, version: 2.0 (93): Exchange type: IKE_SA_INIT, flags: INITIATOR (93): Message id: 0, length: 382(93):
Payload contents:
(93): SA(93): Next payload: KE, reserved: 0x0, length: 48
(93): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(93): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(93): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(93): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(93): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(93): KE(93): Next payload: N, reserved: 0x0, length: 72
(93): DH group: 19, Reserved: 0x0
(93):
(93): 2e a5 93 64 52 88 ac 45 54 2d 25 91 89 65 d9 db
(93): 96 dc 7f a5 f7 ae 53 69 75 ab 48 7e 2c aa c8 ef
(93): 40 1c 8c 53 7b c9 4e 5f d2 b8 c4 9a e1 8a 07 57
(93): 7b 10 e9 22 30 0f 7f 7d a8 d8 7c 0b e8 b4 73 ad
(93): N(93): Next payload: VID, reserved: 0x0, length: 68
(93):
(93): 4f 74 75 04 f7 02 6e 82 5c 2d 8c ba 9e 8d 9d 0c
(93): 3e a4 fe df d5 ae 6b 41 fb f5 46 73 04 34 d0 2d
(93): 41 5c 91 c1 f4 2c 13 f0 ac 07 80 22 3d 55 92 3b
(93): 94 e9 e4 a4 85 bc f0 b5 aa 52 20 3b c7 cb f6 e0
(93): VID(93): Next payload: VID, reserved: 0x0, length: 23
(93):
(93): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(93): 53 4f 4e
(93): VID(93): Next payload: NOTIFY, reserved: 0x0, length: 59
(93):
(93): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(93): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(93): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(93): 73 2c 20 49 6e 63 2e
(93): NOTIFY(NAT_DETECTION_SOURCE_IP)(93): Next payload: NOTIFY, reserved: 0x0, length: 28
(93): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(93):
(93): 1a b3 ba 29 97 65 87 b6 35 e4 c4 2b cb e8 93 5c
(93): 6a 65 8c 18
(93): NOTIFY(NAT_DETECTION_DESTINATION_IP)(93): Next payload: NOTIFY, reserved: 0x0, length: 28
(93): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(93):
(93): 6b 11 9a a3 eb 9a a7 26 21 c7 c3 d0 ca 38 34 3f
(93): 19 6f 43 44
(93): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(93): Next payload: VID, reserved: 0x0, length: 8
(93): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(93): VID(93): Next payload: NONE, reserved: 0x0, length: 20
(93):
(93): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(93):
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-2: (93): Retransmitting packet
(93):
IKEv2-PROTO-2: (93): Sending Packet [To 105.112.132.242:500/From 102.38.58.10:500/VRF i0:f0]
(93): Initiator SPI : 51A50CFEA2D5F5D5 - Responder SPI : 0000000000000000 Message id: 0
(93): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-3: (93): Next payload: SA, version: 2.0 (93): Exchange type: IKE_SA_INIT, flags: INITIATOR (93): Message id: 0, length: 382(93):
Payload contents:
(93): SA(93): Next payload: KE, reserved: 0x0, length: 48
(93): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(93): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(93): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(93): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(93): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(93): KE(93): Next payload: N, reserved: 0x0, length: 72
(93): DH group: 19, Reserved: 0x0
(93):
(93): 2e a5 93 64 52 88 ac 45 54 2d 25 91 89 65 d9 db
(93): 96 dc 7f a5 f7 ae 53 69 75 ab 48 7e 2c aa c8 ef
(93): 40 1c 8c 53 7b c9 4e 5f d2 b8 c4 9a e1 8a 07 57
(93): 7b 10 e9 22 30 0f 7f 7d a8 d8 7c 0b e8 b4 73 ad
(93): N(93): Next payload: VID, reserved: 0x0, length: 68
(93):
(93): 4f 74 75 04 f7 02 6e 82 5c 2d 8c ba 9e 8d 9d 0c
(93): 3e a4 fe df d5 ae 6b 41 fb f5 46 73 04 34 d0 2d
(93): 41 5c 91 c1 f4 2c 13 f0 ac 07 80 22 3d 55 92 3b
(93): 94 e9 e4 a4 85 bc f0 b5 aa 52 20 3b c7 cb f6 e0
(93): VID(93): Next payload: VID, reserved: 0x0, length: 23
(93):
(93): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(93): 53 4f 4e
(93): VID(93): Next payload: NOTIFY, reserved: 0x0, length: 59
(93):
(93): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(93): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(93): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(93): 73 2c 20 49 6e 63 2e
(93): NOTIFY(NAT_DETECTION_SOURCE_IP)(93): Next payload: NOTIFY, reserved: 0x0, length: 28
(93): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(93):
(93): 1a b3 ba 29 97 65 87 b6 35 e4 c4 2b cb e8 93 5c
(93): 6a 65 8c 18
(93): NOTIFY(NAT_DETECTION_DESTINATION_IP)(93): Next payload: NOTIFY, reserved: 0x0, length: 28
(93): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(93):
(93): 6b 11 9a a3 eb 9a a7 26 21 c7 c3 d0 ca 38 34 3f
(93): 19 6f 43 44
(93): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(93): Next payload: VID, reserved: 0x0, length: 8
(93): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(93): VID(93): Next payload: NONE, reserved: 0x0, length: 20
(93):
(93): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(93):
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT_EXCEED
IKEv2-PROTO-1: (93): Maximum number of retransmissions reached
IKEv2-PROTO-1: (93):
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_FAIL
IKEv2-PROTO-2: (93): Failed SA init exchange
IKEv2-PROTO-1: (93): Initial exchange failed
IKEv2-PROTO-1: (93): Initial exchange failed
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-5: (93): SM Trace-> SA: I_SPI=51A50CFEA2D5F5D5 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-2: (93): Abort exchange
IKEv2-PROTO-2: (93): Deleting SA

 

 

PEER 2

IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-5: (81): Setting configured policies
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-2: (81): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
IKEv2-PROTO-2: (81): Request queued for computation of DH key
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-5: (81): Action: Action_Null
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-2: (81): Generating IKE_SA_INIT message
IKEv2-PROTO-2: (81): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
(81): AES-CBC(81): SHA256(81): SHA256(81): DH_GROUP_256_ECP/Group 19(81):
IKEv2-PROTO-2: (81): Sending Packet [To 102.38.58.10:500/From 102.38.57.50:500/VRF i0:f0]
(81): Initiator SPI : 8835862735F9FE19 - Responder SPI : 0000000000000000 Message id: 0
(81): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-3: (81): Next payload: SA, version: 2.0 (81): Exchange type: IKE_SA_INIT, flags: INITIATOR (81): Message id: 0, length: 382(81):
Payload contents:
(81): SA(81): Next payload: KE, reserved: 0x0, length: 48
(81): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(81): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(81): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(81): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(81): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(81): KE(81): Next payload: N, reserved: 0x0, length: 72
(81): DH group: 19, Reserved: 0x0
(81):
(81): 9c 48 53 c7 1b 92 77 94 d9 2e 8a 54 ec 28 88 c6
(81): 6d 6a 8f 95 24 56 fc ba 72 9f b5 80 74 d4 f8 e6
(81): b1 b1 c8 43 0c a9 4e 1b ac 43 0e 0e f8 75 fd 45
(81): 97 41 23 59 74 84 7e 8a 2f 6b b7 80 14 10 ec 0d
(81): N(81): Next payload: VID, reserved: 0x0, length: 68
(81):
(81): a4 8b bc b8 fd 9f 7c 35 d3 9e 17 cc e3 b8 3a 1a
(81): 16 f5 61 b7 36 d8 ce 6f 1e 5c 40 6c 7a f9 3c 62
(81): e7 4a 75 be 7c a3 b1 fa ca 5f 3e 88 ac 85 73 d4
(81): c3 35 d2 d2 cd 12 ad 26 fa 2c 5a 9f a7 f6 d2 47
(81): VID(81): Next payload: VID, reserved: 0x0, length: 23
(81):
(81): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(81): 53 4f 4e
(81): VID(81): Next payload: NOTIFY, reserved: 0x0, length: 59
(81):
(81): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(81): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(81): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(81): 73 2c 20 49 6e 63 2e
(81): NOTIFY(NAT_DETECTION_SOURCE_IP)(81): Next payload: NOTIFY, reserved: 0x0, length: 28
(81): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(81):
(81): 3b 0f 04 7b 3b 13 f3 1a 61 bf 7f 2a fd 28 88 04
(81): 32 98 01 11
(81): NOTIFY(NAT_DETECTION_DESTINATION_IP)(81): Next payload: NOTIFY, reserved: 0x0, length: 28
(81): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(81):
(81): da 4d 72 71 c6 51 c8 64 de 69 06 af 42 61 23 f0
(81): 66 3f a3 3e
(81): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(81): Next payload: VID, reserved: 0x0, length: 8
(81): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(81): VID(81): Next payload: NONE, reserved: 0x0, length: 20
(81):
(81): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(81):
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-2: (81): Insert SA
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT


IKEv2 Recv RAW packet dump
88 35 86 27 35 f9 fe 19 5e 40 92 3e c4 3e 20 ca | .5.'5...^@.>.> .
21 20 22 20 00 00 00 00 00 00 01 7e 22 00 00 30 | ! " .......~"..0
00 00 00 2c 01 01 00 04 03 00 00 0c 01 00 00 0c | ...,............
80 0e 01 00 03 00 00 08 02 00 00 05 03 00 00 08 | ................
03 00 00 0c 00 00 00 08 04 00 00 13 28 00 00 48 | ............(..H
00 13 00 00 c0 e3 6e 5a 4a e6 7e 14 60 46 44 5f | ......nZJ.~.`FD_
e4 a3 03 c3 88 6f f5 eb ff 6a 7e 4b 2a 54 94 0e | .....o...j~K*T..
ed 31 1b 85 11 54 fb 4c b0 af 42 7b 67 21 c2 fa | .1...T.L..B{g!..
88 68 7d d8 d8 8a 8c 51 a0 f2 07 bd 72 9e 4b 06 | .h}....Q....r.K.
38 f1 38 a3 2b 00 00 44 a5 b2 a9 bb 8a 6b d3 e5 | 8.8.+..D.....k..
92 67 13 72 77 83 68 86 fc 65 f0 89 15 29 7d 47 | .g.rw.h..e...)}G
48 6d bb 25 87 77 07 66 c9 ae 8e a0 90 69 79 32 | Hm.%.w.f.....iy2
35 33 4e 0b 58 81 96 3c 0e a5 ad e0 65 e2 e8 ee | 53N.X..<....e...
f4 85 48 a9 3b dc df fa 2b 00 00 17 43 49 53 43 | ..H.;...+...CISC
4f 2d 44 45 4c 45 54 45 2d 52 45 41 53 4f 4e 29 | O-DELETE-REASON)
00 00 3b 43 49 53 43 4f 28 43 4f 50 59 52 49 47 | ..;CISCO(COPYRIG
48 54 29 26 43 6f 70 79 72 69 67 68 74 20 28 63 | HT)&Copyright (c
29 20 32 30 30 39 20 43 69 73 63 6f 20 53 79 73 | ) 2009 Cisco Sys
74 65 6d 73 2c 20 49 6e 63 2e 29 00 00 1c 01 00 | tems, Inc.).....
40 04 8f f1 29 f0 df f3 4c 27 4b 06 33 86 6a 33 | @...)...L'K.3.j3
15 6a ee 25 a0 41 29 00 00 1c 01 00 40 05 1b 52 | .j.%.A).....@..R
99 72 2b 72 b4 25 96 68 ae ff 7f d8 0d ac 7b 70 | .r+r.%.h....{p
b6 04 2b 00 00 08 00 00 40 2e 00 00 00 14 40 48 | ..+.....@.....@H
b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | ..n...%.....
(81):
IKEv2-PROTO-2: (81): Received Packet [From 102.38.58.10:500/To 102.38.57.50:500/VRF i0:f0]
(81): Initiator SPI : 8835862735F9FE19 - Responder SPI : 5E40923EC43E20CA Message id: 0
(81): IKEv2 IKE_SA_INIT Exchange RESPONSEIKEv2-PROTO-3: (81): Next payload: SA, version: 2.0 (81): Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE (81): Message id: 0, length: 382(81):
Payload contents:
(81): SA(81): Next payload: KE, reserved: 0x0, length: 48
(81): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(81): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(81): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(81): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(81): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(81): KE(81): Next payload: N, reserved: 0x0, length: 72
(81): DH group: 19, Reserved: 0x0
(81):
(81): c0 e3 6e 5a 4a e6 7e 14 60 46 44 5f e4 a3 03 c3
(81): 88 6f f5 eb ff 6a 7e 4b 2a 54 94 0e ed 31 1b 85
(81): 11 54 fb 4c b0 af 42 7b 67 21 c2 fa 88 68 7d d8
(81): d8 8a 8c 51 a0 f2 07 bd 72 9e 4b 06 38 f1 38 a3
(81): N(81): Next payload: VID, reserved: 0x0, length: 68
(81):
(81): a5 b2 a9 bb 8a 6b d3 e5 92 67 13 72 77 83 68 86
(81): fc 65 f0 89 15 29 7d 47 48 6d bb 25 87 77 07 66
(81): c9 ae 8e a0 90 69 79 32 35 33 4e 0b 58 81 96 3c
(81): 0e a5 ad e0 65 e2 e8 ee f4 85 48 a9 3b dc df fa
(81): VID(81): Next payload: VID, reserved: 0x0, length: 23
(81):
(81): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(81): 53 4f 4e
(81): VID(81): Next payload: NOTIFY, reserved: 0x0, length: 59
(81):
(81): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(81): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(81): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(81): 73 2c 20 49 6e 63 2e
(81): NOTIFY(NAT_DETECTION_SOURCE_IP)(81): Next payload: NOTIFY, reserved: 0x0, length: 28
(81): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(81):
(81): 8f f1 29 f0 df f3 4c 27 4b 06 33 86 6a 33 15 6a
(81): ee 25 a0 41
(81): NOTIFY(NAT_DETECTION_DESTINATION_IP)(81): Next payload: NOTIFY, reserved: 0x0, length: 28
(81): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(81):
(81): 1b 52 99 72 2b 72 b4 25 96 68 ae ff 7f d8 0d ac
(81): 7b 70 b6 04
(81): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(81): Next payload: VID, reserved: 0x0, length: 8
(81): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(81): VID(81): Next payload: NONE, reserved: 0x0, length: 20
(81):
(81): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(81):
(81): Decrypted packet:(81): Data: 382 bytes
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-5: (81): Processing IKE_SA_INIT message
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (81): Processing IKE_SA_INIT message
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-2: (81): Verify SA init message
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-2: (81): Processing IKE_SA_INIT message
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-5: (81): Process NAT discovery notify
IKEv2-PROTO-5: (81): Processing nat detect src notify
IKEv2-PROTO-5: (81): Remote address matched
IKEv2-PROTO-5: (81): Processing nat detect dst notify
IKEv2-PROTO-5: (81): Local address matched
IKEv2-PROTO-5: (81): No NAT found
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-2: (81): Checking NAT discovery
IKEv2-PROTO-2: (81): NAT not found
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-2: (81): [IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
IKEv2-PROTO-2: (81): Request queued for computation of DH secret
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-5: (81): Action: Action_Null
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-5: (81): Generate skeyid
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-2: (81): IETF Fragmentation is enabled
IKEv2-PROTO-2: (81): Cisco Fragmentation is enabled
IKEv2-PROTO-5: (81): Cisco DeleteReason Notify is enabled
IKEv2-PROTO-2: (81): Completed SA init exchange
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-2: (81): Check for EAP exchange
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-2: (81): Generate my authentication data
IKEv2-PROTO-2: (81): Use preshared key for id 102.38.57.50, key len 10
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-2: (81): Get my authentication method
IKEv2-PROTO-2: (81): My authentication method is 'PSK'
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-2: (81): Check for EAP exchange
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-2: (81): Generating IKE_AUTH message
IKEv2-PROTO-2: (81): Constructing IDi payload: '102.38.57.50' of type 'IPv4 address'
IKEv2-PROTO-2: (81): ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
(81): AES-CBC(81): SHA96(81): Don't use ESNIKEv2-PROTO-2: (81): Building packet for encryption.
(81):
Payload contents:
(81): VID(81): Next payload: IDi, reserved: 0x0, length: 20
(81):
(81): 8a 35 87 27 26 ce 0d 5e 50 ff 1e f2 24 9b ad a2
(81): IDi(81): Next payload: AUTH, reserved: 0x0, length: 12
(81): Id type: IPv4 address, Reserved: 0x0 0x0
(81):
(81): 66 26 39 32
(81): AUTH(81): Next payload: SA, reserved: 0x0, length: 40
(81): Auth method PSK, reserved: 0x0, reserved 0x0
(81): Auth data: 32 bytes
(81): SA(81): Next payload: TSi, reserved: 0x0, length: 44
(81): last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3(81): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(81): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(81): last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id: Don't use ESN
(81): TSi(81): Next payload: TSr, reserved: 0x0, length: 40
(81): Num of TSs: 2, reserved 0x0, reserved 0x0
(81): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(81): start port: 0, end port: 65535
(81): start addr: 10.60.10.35, end addr: 10.60.10.35
(81): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(81): start port: 0, end port: 65535
(81): start addr: 10.60.10.0, end addr: 10.60.10.255
(81): TSr(81): Next payload: NOTIFY, reserved: 0x0, length: 40
(81): Num of TSs: 2, reserved 0x0, reserved 0x0
(81): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(81): start port: 0, end port: 65535
(81): start addr: 10.51.3.5, end addr: 10.51.3.5
(81): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(81): start port: 0, end port: 65535
(81): start addr: 10.51.0.0, end addr: 10.51.255.255
(81): NOTIFY(INITIAL_CONTACT)(81): Next payload: NOTIFY, reserved: 0x0, length: 8
(81): Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
(81): NOTIFY(ESP_TFC_NO_SUPPORT)(81): Next payload: NOTIFY, reserved: 0x0, length: 8
(81): Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
(81): NOTIFY(NON_FIRST_FRAGS)(81): Next payload: NONE, reserved: 0x0, length: 8
(81): Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_ENCRYPT_MSG
IKEv2-PROTO-2: (81):
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-5: (81): Action: Action_Null
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_TRYSEND
(81):
IKEv2-PROTO-2: (81): Sending Packet [To 102.38.58.10:500/From 102.38.57.50:500/VRF i0:f0]
(81): Initiator SPI : 8835862735F9FE19 - Responder SPI : 5E40923EC43E20CA Message id: 1
(81): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-3: (81): Next payload: ENCR, version: 2.0 (81): Exchange type: IKE_AUTH, flags: INITIATOR (81): Message id: 1, length: 288(81):
Payload contents:
(81): ENCR(81): Next payload: VID, reserved: 0x0, length: 260
(81): Encrypted data: 256 bytes
(81):
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_CHK_EAP_POST_ASYNC
IKEv2-PROTO-2: (81): Check for EAP exchange
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT


IKEv2 Recv RAW packet dump
88 35 86 27 35 f9 fe 19 5e 40 92 3e c4 3e 20 ca | .5.'5...^@.>.> .
2e 20 23 20 00 00 00 01 00 00 00 50 29 00 00 34 | . # .......P)..4
83 d8 9d 7e 52 26 4f f9 82 72 34 96 74 8c 31 2f | ...~R&O..r4.t.1/
0d ae 59 b9 35 7a 7d 2d 35 58 22 74 a7 86 b4 26 | ..Y.5z}-5X"t...&
a7 9d 60 ea f0 28 52 a4 ce dc 08 12 3f e5 0b 5c | ..`..(R.....?..\
(81):
IKEv2-PROTO-2: (81): Received Packet [From 102.38.58.10:500/To 102.38.57.50:500/VRF i0:f0]
(81): Initiator SPI : 8835862735F9FE19 - Responder SPI : 5E40923EC43E20CA Message id: 1
(81): IKEv2 IKE_AUTH Exchange RESPONSEIKEv2-PROTO-3: (81): Next payload: ENCR, version: 2.0 (81): Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE (81): Message id: 1, length: 80(81):
Payload contents:
(81):
(81): Decrypted packet:(81): Data: 80 bytes
(81): REAL Decrypted packet:(81): Data: 8 bytes
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-5: (81): Action: Action_Null
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (81): Process auth response notify
IKEv2-PROTO-1: (81):
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL
IKEv2-PROTO-2: (81): Auth exchange failed
IKEv2-PROTO-1: (81): Auth exchange failed
IKEv2-PROTO-1: (81): Auth exchange failed
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000001 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000001 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-5: (81): SM Trace-> SA: I_SPI=8835862735F9FE19 R_SPI=5E40923EC43E20CA (I) MsgID = 00000001 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-2: (81): Abort exchange
IKEv2-PROTO-2: (81): Deleting SA

 

VPN Config

crypto ikev2 enable Outside2

object-group network SITE_A
network-object 10.50.0.0 255.255.0.0
network-object 172.16.50.0 255.255.255.0
network-object 10.60.10.0 255.255.255.0

object-group network SITE_B
network-object 10.51.0.0 255.255.0.0
network-object 172.17.50.0 255.255.255.0

access-list VPN-L2L-TRAFFIC line 1 extended permit ip object-group SITE_B object-group SITE_A

nat (inside,Outside2) source static SITE_B SITE_B destination static SITE_A SITE_A no-proxy-arp route-lookup

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes


ikev2 remote-authentication pre-shared-key 2345167890
ikev2 local-authentication pre-shared-key 2345167890

isakmp keepalive threshold 10 retry 2
exit

crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400

crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
protocol esp encryption aes-256
protocol esp integrity sha-1

crypto map CRYPTO-MAP 1 match address VPN-L2L-TRAFFIC
crypto map CRYPTO-MAP 1 set peer X.X.X.X
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP interface Outside2

 

 

 

Any assistance would be very much appreciated please.

 

 

5 Replies 5

@Revenue_admin 

You have this error message - "IKEv2-PROTO-1: (81): Auth exchange failed"

Please double check the PSK on both ends is identical.

Do you have multiple outside interfaces?

Is the default route via outside2?

Or a static to the VPN peer?

Please provide your routing configuration.

If the PSK is correct, please provide the VPN configuration of the other device.

 

 

 

I just went through my config again and realised I ommited the phase 1 HAGLE set. Let me edit the config and report. 

Ok was mistaken there, the config is correct. But to address your points:-

PSK is identical on both ends

Yes we do have multiple outside interfaces - this might actually be a part of the problem. One peer I have PBR to share traffic to both ISP but the 'outside' isn't default though the PBR assigns certain traffic to it. On the second peer though the Outside2 interface is default.

 

Sorry, I'm not sure what is meant by 'a static to the VPN peer'.

 

Routing Config Peer1

route-map pbr_map permit 5
match ip address pbr_acl_2
set interface DMZ2

!
route-map pbr_map permit 10
match ip address pbr_acl   <------ I just realised only half of the interesting traffic is captured in this ACL

set ip next-hop y.y.y.y (outside_2)

!
route outside 0.0.0.0 0.0.0.0 z.z.z.z 1 track 1
route outside_2 0.0.0.0 0.0.0.0 y.y.y.y (outside_2) 10

 

 

Routing Config Peer2

route Outside2 0.0.0.0 0.0.0.0 a.a.a.a (Outside2)1 track 1
route outside 0.0.0.0 0.0.0.0 b.b.b.b 10

 

 

VPN Config of the other device

crypto ikev2 enable outside_2

object-group network SITE_A
network-object 10.50.0.0 255.255.0.0
network-object 172.16.50.0 255.255.255.0
network-object 10.60.10.0 255.255.255.0


object-group network SITE_B
network-object 10.51.0.0 255.255.0.0
network-object 172.17.50.0 255.255.255.0

access-list VPN-L2L-TRAFFIC line 1 extended permit ip object-group SITE_A object-group SITE_B

nat (inside,outside_2) source static SITE_A SITE_A destination static SITE_B SITE_B no-proxy-arp route-lookup

tunnel-group A.A.A.A type ipsec-l2l
tunnel-group A.A.A.A ipsec-attributes

ikev2 remote-authentication pre-shared-key 2345167890
ikev2 local-authentication pre-shared-key 2345167890

isakmp keepalive threshold 10 retry 2
exit

crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime 86400

crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
protocol esp encryption aes-256
protocol esp integrity sha-1

crypto map CRYPTO-MAP 1 match address VPN-L2L-TRAFFIC
crypto map CRYPTO-MAP 1 set peer A.A.A.A
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside_2

 

is the vpn up and running now after change the PSK keys? if there is a still problem could you run these captures and display the outputs.

crypto VPN type isakmp interface outside ip host x.x.x.x host y.y.y.y
please do not forget to rate.

PBR is issue here, 

Peer1"w/o PBR"-Peer2"w PBR"
Peer1 have Key Outside1Peer2 password
Peer2 have Key Outside1Peer1 password

 

Peer1 will use Outside1 and send IPSec exchange 


Peer2 will check and find Key and it OK, BUT 
because of PBR it will select Outside2

Peer1 will check and find that key is not correct......why because the Pee2 use Outside2 not Outside1

solution 
make the access list of PBR extended and same as access list use for IPSec.