IOS L2TP VPN Issues

mike.meyer1
Level 1

Hi Guys

See the debug below. Any ideas why a Windows 10 client cannot authenticate?

L2TP with IPSec pre-share key.

Cheers Mike

*Nov  5 09:58:56.360: ISAKMP (0:0): received packet from 210.10.200.214 dport 500 sport 500 Global (N) NEW SA
*Nov  5 09:58:56.360: ISAKMP: Created a peer struct for 210.10.200.214, peer port 500
*Nov  5 09:58:56.360: ISAKMP: New peer created peer = 0x830D1878 peer_handle = 0x80000018
*Nov  5 09:58:56.360: ISAKMP: Locking peer struct 0x830D1878, refcount 1 for crypto_isakmp_process_block
*Nov  5 09:58:56.360: ISAKMP: local port 500, remote port 500
*Nov  5 09:58:56.360: insert sa successfully sa = 830D78D4
*Nov  5 09:58:56.360: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov  5 09:58:56.360: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*Nov  5 09:58:56.364: ISAKMP:(0): processing SA payload. message ID = 0
*Nov  5 09:58:56.364: ISAKMP:(0): processing vendor id payload
*Nov  5 09:58:56.364: ISAKMP:(0): processing IKE frag vendor id payload
*Nov  5 09:58:56.364: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Nov  5 09:58:56.364: ISAKMP:(0): processing vendor id payload
*Nov  5 09:58:56.364: ISAKMP:(0): processing IKE frag vendor id payload
*Nov  5 09:58:56.364: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Nov  5 09:58:56.364: ISAKMP:(0): processing vendor id payload
*Nov  5 09:58:56.364: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Nov  5 09:58:56.364: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Nov  5 09:58:56.364: ISAKMP:(0): processing vendor id payload
*Nov  5 09:58:56.364: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Nov  5 09:58:56.364: ISAKMP:(0): vendor ID is NAT-T v2
*Nov  5 09:58:56.364: ISAKMP:(0): processing vendor id payload
*Nov  5 09:58:56.364: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Nov  5 09:58:56.364: ISAKMP:(0): processing vendor id payload
*Nov  5 09:58:56.364: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
*Nov  5 09:58:56.364: ISAKMP:(0): processing vendor id payload
*Nov  5 09:58:56.364: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
*Nov  5 09:58:56.364: ISAKMP:(0): processing vendor id payload
*Nov  5 09:58:56.364: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch
*Nov  5 09:58:56.364: ISAKMP:(0):found peer pre-shared key matching 210.10.200.214
*Nov  5 09:58:56.364: ISAKMP:(0): local preshared key found
*Nov  5 09:58:56.364: ISAKMP : Scanning profiles for xauth ...
*Nov  5 09:58:56.364: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Nov  5 09:58:56.364: ISAKMP:      encryption AES-CBC
*Nov  5 09:58:56.364: ISAKMP:      keylength of 256
*Nov  5 09:58:56.368: ISAKMP:      hash SHA
*Nov  5 09:58:56.368: ISAKMP:      unknown DH group 20
*Nov  5 09:58:56.368: ISAKMP:      auth pre-share
*Nov  5 09:58:56.368: ISAKMP:      life type in seconds
*Nov  5 09:58:56.368: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Nov  5 09:58:56.368: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Nov  5 09:58:56.368: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Nov  5 09:58:56.368: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Nov  5 09:58:56.368: ISAKMP:      encryption AES-CBC
*Nov  5 09:58:56.368: ISAKMP:      keylength of 128
*Nov  5 09:58:56.368: ISAKMP:      hash SHA
*Nov  5 09:58:56.368: ISAKMP:      unknown DH group 19
*Nov  5 09:58:56.368: ISAKMP:      auth pre-share
*Nov  5 09:58:56.368: ISAKMP:      life type in seconds
*Nov  5 09:58:56.368: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Nov  5 09:58:56.368: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Nov  5 09:58:56.368: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Nov  5 09:58:56.368: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Nov  5 09:58:56.368: ISAKMP:      encryption AES-CBC
*Nov  5 09:58:56.368: ISAKMP:      keylength of 256
*Nov  5 09:58:56.368: ISAKMP:      hash SHA
*Nov  5 09:58:56.368: ISAKMP:      unknown DH group 14
*Nov  5 09:58:56.368: ISAKMP:      auth pre-share
*Nov  5 09:58:56.368: ISAKMP:      life type in seconds
*Nov  5 09:58:56.368: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Nov  5 09:58:56.368: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Nov  5 09:58:56.368: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Nov  5 09:58:56.368: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Nov  5 09:58:56.368: ISAKMP:      encryption 3DES-CBC
*Nov  5 09:58:56.368: ISAKMP:      hash SHA
*Nov  5 09:58:56.368: ISAKMP:      unknown DH group 14
*Nov  5 09:58:56.368: ISAKMP:      auth pre-share
*Nov  5 09:58:56.368: ISAKMP:      life type in seconds
*Nov  5 09:58:56.368: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Nov  5 09:58:56.368: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*Nov  5 09:58:56.368: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Nov  5 09:58:56.368: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Nov  5 09:58:56.372: ISAKMP:      encryption 3DES-CBC
*Nov  5 09:58:56.372: ISAKMP:      hash SHA
*Nov  5 09:58:56.372: ISAKMP:      default group 2
*Nov  5 09:58:56.372: ISAKMP:      auth pre-share
*Nov  5 09:58:56.372: ISAKMP:      life type in seconds
*Nov  5 09:58:56.372: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Nov  5 09:58:56.372: ISAKMP:(0):atts are acceptable. Next payload is 0
*Nov  5 09:58:56.372: ISAKMP:(0):Acceptable atts:actual life: 0
*Nov  5 09:58:56.372: ISAKMP:(0):Acceptable atts:life: 0
*Nov  5 09:58:56.372: ISAKMP:(0):Fill atts in sa vpi_length:4
*Nov  5 09:58:56.372: ISAKMP:(0):Fill atts in sa life_in_seconds:28800
*Nov  5 09:58:56.372: ISAKMP:(0):Returning Actual lifetime: 28800
*Nov  5 09:58:56.372: ISAKMP:(0)::Started lifetime timer: 28800.

*Nov  5 09:58:56.372: ISAKMP:(0): processing vendor id payload
*Nov  5 09:58:56.372: ISAKMP:(0): processing IKE frag vendor id payload
*Nov  5 09:58:56.372: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Nov  5 09:58:56.372: ISAKMP:(0): processing vendor id payload
*Nov  5 09:58:56.372: ISAKMP:(0): processing IKE frag vendor id payload
*Nov  5 09:58:56.372: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Nov  5 09:58:56.372: ISAKMP:(0): processing vendor id payload
*Nov  5 09:58:56.372: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Nov  5 09:58:56.372: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Nov  5 09:58:56.372: ISAKMP:(0): processing vendor id payload
*Nov  5 09:58:56.372: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Nov  5 09:58:56.372: ISAKMP:(0): vendor ID is NAT-T v2
*Nov  5 09:58:56.372: ISAKMP:(0): processing vendor id payload
*Nov  5 09:58:56.372: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Nov  5 09:58:56.372: ISAKMP:(0): processing vendor id payload
*Nov  5 09:58:56.372: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
*Nov  5 09:58:56.376: ISAKMP:(0): processing vendor id payload
*Nov  5 09:58:56.376: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
*Nov  5 09:58:56.376: ISAKMP:(0): processing vendor id payload
*Nov  5 09:58:56.376: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch
*Nov  5 09:58:56.376: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov  5 09:58:56.376: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Nov  5 09:58:56.376: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Nov  5 09:58:56.376: ISAKMP:(0): sending packet to 210.10.200.214 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Nov  5 09:58:56.376: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Nov  5 09:58:56.376: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov  5 09:58:56.376: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Nov  5 09:58:56.436: ISAKMP (0:0): received packet from 210.10.200.214 dport 500 sport 500 Global (R) MM_SA_SETUP
*Nov  5 09:58:56.440: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov  5 09:58:56.440: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

*Nov  5 09:58:56.440: ISAKMP:(0): processing KE payload. message ID = 0
*Nov  5 09:58:56.484: ISAKMP:(0): processing NONCE payload. message ID = 0
*Nov  5 09:58:56.484: ISAKMP:(0):found peer pre-shared key matching 210.10.200.214
*Nov  5 09:58:56.484: ISAKMP:received payload type 20
*Nov  5 09:58:56.484: ISAKMP:received payload type 20
*Nov  5 09:58:56.484: ISAKMP (0:2018): NAT found, the node outside NAT
*Nov  5 09:58:56.484: ISAKMP:(2018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov  5 09:58:56.484: ISAKMP:(2018):Old State = IKE_R_MM3  New State = IKE_R_MM3

*Nov  5 09:58:56.484: ISAKMP:(2018): sending packet to 210.10.200.214 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Nov  5 09:58:56.484: ISAKMP:(2018):Sending an IKE IPv4 Packet.
*Nov  5 09:58:56.488: ISAKMP:(2018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov  5 09:58:56.488: ISAKMP:(2018):Old State = IKE_R_MM3  New State = IKE_R_MM4

*Nov  5 09:58:56.536: ISAKMP (0:2018): received packet from 210.10.200.214 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
*Nov  5 09:58:56.536: ISAKMP:(2018):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov  5 09:58:56.536: ISAKMP:(2018):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Nov  5 09:58:56.540: ISAKMP:(2018): processing ID payload. message ID = 0
*Nov  5 09:58:56.540: ISAKMP (0:2018): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.10.21
        protocol     : 0
        port         : 0
        length       : 12
*Nov  5 09:58:56.540: ISAKMP:(0):: peer matches *none* of the profiles
*Nov  5 09:58:56.540: ISAKMP:(2018): processing HASH payload. message ID = 0
*Nov  5 09:58:56.540: ISAKMP:(2018):SA authentication status:
        authenticated
*Nov  5 09:58:56.540: ISAKMP:(2018):SA has been authenticated with 210.10.200.214
*Nov  5 09:58:56.540: ISAKMP:(2018):Detected port floating to port = 4500
*Nov  5 09:58:56.540: ISAKMP: Trying to insert a peer 120.150.248.76/210.10.200.214/4500/,  and inserted successfully 830D1878.
*Nov  5 09:58:56.540: ISAKMP:(2018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov  5 09:58:56.540: ISAKMP:(2018):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Nov  5 09:58:56.540: ISAKMP:(2018):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Nov  5 09:58:56.540: ISAKMP (0:2018): ID payload
        next-payload : 8
        type         : 1
        address      : 120.150.248.76
        protocol     : 17
        port         : 0
        length       : 12
*Nov  5 09:58:56.540: ISAKMP:(2018):Total payload length: 12
*Nov  5 09:58:56.544: ISAKMP:(2018): sending packet to 210.10.200.214 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Nov  5 09:58:56.544: ISAKMP:(2018):Sending an IKE IPv4 Packet.
*Nov  5 09:58:56.544: ISAKMP:(2018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov  5 09:58:56.544: ISAKMP:(2018):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Nov  5 09:58:56.544: ISAKMP:(2018):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Nov  5 09:58:56.544: ISAKMP:(2018):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Nov  5 09:58:56.592: ISAKMP (0:2018): received packet from 210.10.200.214 dport 4500 sport 4500 Global (R) QM_IDLE
*Nov  5 09:58:56.592: ISAKMP: set new node 1 to QM_IDLE
*Nov  5 09:58:56.592: ISAKMP:(2018): processing HASH payload. message ID = 1
*Nov  5 09:58:56.592: ISAKMP:(2018): processing SA payload. message ID = 1
*Nov  5 09:58:56.592: ISAKMP (0:2018): processing NAT-OAi payload. addr = 192.168.10.21, message ID = 1
*Nov  5 09:58:56.592: ISAKMP (0:2018): processing NAT-OAr payload. addr = 120.150.248.76, message ID = 1
*Nov  5 09:58:56.592: ISAKMP:(2018):Checking IPSec proposal 1
*Nov  5 09:58:56.592: ISAKMP: transform 1, ESP_AES
*Nov  5 09:58:56.592: ISAKMP:   attributes in transform:
*Nov  5 09:58:56.592: ISAKMP:      encaps is 4 (Transport-UDP)
*Nov  5 09:58:56.592: ISAKMP:      key length is 128
*Nov  5 09:58:56.592: ISAKMP:      authenticator is HMAC-SHA
*Nov  5 09:58:56.592: ISAKMP:      SA life type in seconds
*Nov  5 09:58:56.592: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
*Nov  5 09:58:56.592: ISAKMP:      SA life type in kilobytes
*Nov  5 09:58:56.592: ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xD0 0x90
*Nov  5 09:58:56.592: ISAKMP:(2018):atts are acceptable.
*Nov  5 09:58:56.592: ISAKMP:(2018): IPSec policy invalidated proposal with error 256
*Nov  5 09:58:56.592: ISAKMP:(2018):Checking IPSec proposal 2
*Nov  5 09:58:56.592: ISAKMP: transform 1, ESP_3DES
*Nov  5 09:58:56.596: ISAKMP:   attributes in transform:
*Nov  5 09:58:56.596: ISAKMP:      encaps is 4 (Transport-UDP)
*Nov  5 09:58:56.596: ISAKMP:      authenticator is HMAC-SHA
*Nov  5 09:58:56.596: ISAKMP:      SA life type in seconds
*Nov  5 09:58:56.596: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
*Nov  5 09:58:56.596: ISAKMP:      SA life type in kilobytes
*Nov  5 09:58:56.596: ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xD0 0x90
*Nov  5 09:58:56.596: ISAKMP:(2018):atts are acceptable.
*Nov  5 09:58:56.596: ISAKMP:(2018): processing NONCE payload. message ID = 1
*Nov  5 09:58:56.596: ISAKMP:(2018): processing ID payload. message ID = 1
*Nov  5 09:58:56.596: ISAKMP:(2018): processing ID payload. message ID = 1
*Nov  5 09:58:56.596: ISAKMP:received payload type 21
*Nov  5 09:58:56.596: ISAKMP:received payload type 21
*Nov  5 09:58:56.596: ISAKMP:(2018):QM Responder gets spi
*Nov  5 09:58:56.596: ISAKMP:(2018):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Nov  5 09:58:56.596: ISAKMP:(2018):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
*Nov  5 09:58:56.600: ISAKMP:(2018): Creating IPSec SAs
*Nov  5 09:58:56.600:         inbound SA from 210.10.200.214 to 120.150.248.76 (f/i)  0/ 0
        (proxy 210.10.200.214 to 120.150.248.76)
*Nov  5 09:58:56.600:         has spi 0x64006BA9 and conn_id 0
*Nov  5 09:58:56.600:         lifetime of 3600 seconds
*Nov  5 09:58:56.600:         lifetime of 250000 kilobytes
*Nov  5 09:58:56.600:         outbound SA from 120.150.248.76 to 210.10.200.214 (f/i) 0/0
        (proxy 120.150.248.76 to 210.10.200.214)
*Nov  5 09:58:56.600:         has spi  0x31A7BABE and conn_id 0
*Nov  5 09:58:56.600:         lifetime of 3600 seconds
*Nov  5 09:58:56.600:         lifetime of 250000 kilobytes
*Nov  5 09:58:56.600: ISAKMP:(2018): sending packet to 210.10.200.214 my_port 4500 peer_port 4500 (R) QM_IDLE
*Nov  5 09:58:56.600: ISAKMP:(2018):Sending an IKE IPv4 Packet.
*Nov  5 09:58:56.600: ISAKMP:(2018):Node 1, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Nov  5 09:58:56.600: ISAKMP:(2018):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
*Nov  5 09:58:56.652: ISAKMP (0:2018): received packet from 210.10.200.214 dport 4500 sport 4500 Global (R) QM_IDLE
*Nov  5 09:58:56.652: ISAKMP:(2018):deleting node 1 error FALSE reason "QM done (await)"
*Nov  5 09:58:56.652: ISAKMP:(2018):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Nov  5 09:58:56.652: ISAKMP:(2018):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
*Nov  5 09:58:59.081: ISAKMP (0:2018): received packet from 210.10.200.214 dport 4500 sport 4500 Global (R) QM_IDLE
*Nov  5 09:58:59.081: ISAKMP: set new node 1842625083 to QM_IDLE
*Nov  5 09:58:59.081: ISAKMP:(2018): processing HASH payload. message ID = 1842625083
*Nov  5 09:58:59.081: ISAKMP:(2018): processing DELETE payload. message ID = 1842625083
*Nov  5 09:58:59.081: ISAKMP:(2018):peer does not do paranoid keepalives.

*Nov  5 09:58:59.081: ISAKMP:(2018):deleting node 1842625083 error FALSE reason "Informational (in) state 1"
*Nov  5 09:58:59.081: ISAKMP (0:2018): received packet from 210.10.200.214 dport 4500 sport 4500 Global (R) QM_IDLE
*Nov  5 09:58:59.081: ISAKMP: set new node 412700261 to QM_IDLE
*Nov  5 09:58:59.081: ISAKMP:(2018): processing HASH payload. message ID = 412700261
*Nov  5 09:58:59.081: ISAKMP:(2018): processing DELETE payload. message ID = 412700261
*Nov  5 09:58:59.085: ISAKMP:(2018):peer does not do paranoid keepalives.

*Nov  5 09:58:59.085: ISAKMP:(2018):deleting SA reason "No reason" state (R) QM_IDLE       (peer 210.10.200.214)
*Nov  5 09:58:59.085: ISAKMP:(2018):deleting node 412700261 error FALSE reason "Informational (in) state 1"
*Nov  5 09:58:59.085: ISAKMP: set new node -817604212 to QM_IDLE
*Nov  5 09:58:59.085: ISAKMP:(2018): sending packet to 210.10.200.214 my_port 4500 peer_port 4500 (R) QM_IDLE
*Nov  5 09:58:59.085: ISAKMP:(2018):Sending an IKE IPv4 Packet.
*Nov  5 09:58:59.089: ISAKMP:(2018):purging node -817604212
*Nov  5 09:58:59.089: ISAKMP:(2018):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Nov  5 09:58:59.089: ISAKMP:(2018):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Nov  5 09:58:59.089: ISAKMP:(2018):deleting SA reason "No reason" state (R) QM_IDLE       (peer 210.10.200.214)
*Nov  5 09:58:59.089: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
*Nov  5 09:58:59.089: ISAKMP: Unlocking peer struct 0x830D1878 for isadb_mark_sa_deleted(), count 0
*Nov  5 09:58:59.089: ISAKMP: Deleting peer node by peer_reap for 210.10.200.214: 830D1878
*Nov  5 09:58:59.089: ISAKMP:(2018):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov  5 09:58:59.089: ISAKMP:(2018):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
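
Added example, not part of the original post: a small Python parser that condenses the Phase 1 part of an ISAKMP debug like the one above into one record per offered transform, with the router's verdict and rejection reason. The regular expressions assume the exact message wording seen in this debug; `parse_phase1` and `accepted` are hypothetical names, and the sample is an excerpt of the posted log with some attribute lines omitted.

```python
import re

# Excerpt of the debug posted above (some attribute lines omitted for brevity)
SAMPLE = """\
*Nov  5 09:58:56.364: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Nov  5 09:58:56.364: ISAKMP:      encryption AES-CBC
*Nov  5 09:58:56.364: ISAKMP:      keylength of 256
*Nov  5 09:58:56.368: ISAKMP:      unknown DH group 20
*Nov  5 09:58:56.368: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Nov  5 09:58:56.368: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Nov  5 09:58:56.368: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Nov  5 09:58:56.368: ISAKMP:      encryption 3DES-CBC
*Nov  5 09:58:56.368: ISAKMP:      unknown DH group 14
*Nov  5 09:58:56.368: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*Nov  5 09:58:56.368: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Nov  5 09:58:56.368: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Nov  5 09:58:56.372: ISAKMP:      encryption 3DES-CBC
*Nov  5 09:58:56.372: ISAKMP:      hash SHA
*Nov  5 09:58:56.372: ISAKMP:      default group 2
*Nov  5 09:58:56.372: ISAKMP:      auth pre-share
*Nov  5 09:58:56.372: ISAKMP:(0):atts are acceptable. Next payload is 0
"""

START = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTRS = {
    "encryption": re.compile(r"ISAKMP:\s+encryption (\S+)"),
    "keylength": re.compile(r"ISAKMP:\s+keylength of (\d+)"),
    "hash": re.compile(r"ISAKMP:\s+hash (\S+)"),
    "dh_group": re.compile(r"ISAKMP:\s+(?:unknown DH|default) group (\d+)"),
    "auth": re.compile(r"ISAKMP:\s+auth (\S+)"),
}
REASON = re.compile(r"ISAKMP:\(\d+\):(.+?) offered does not match policy!")
VERDICT = re.compile(r"atts are (not acceptable|acceptable)")


def parse_phase1(log):
    """Return one dict per ISAKMP transform/policy check, in log order."""
    transforms, cur = [], None
    for line in log.splitlines():
        if m := START.search(line):
            cur = {"transform": int(m.group(1)), "policy": int(m.group(2)),
                   "accepted": None, "reason": None}
            transforms.append(cur)
            continue
        if cur is None:
            continue  # outside a transform block (vendor IDs, Phase 2, ...)
        for name, rx in ATTRS.items():
            if m := rx.search(line):
                cur[name] = m.group(1)
        if m := REASON.search(line):
            cur["reason"] = m.group(1)
        if m := VERDICT.search(line):
            cur["accepted"] = m.group(1) == "acceptable"
            cur = None  # block closed; a later "atts are acceptable" is Phase 2
    return transforms


def accepted(transforms):
    """First transform the responder accepted, or None if all were rejected."""
    return next((t for t in transforms if t["accepted"]), None)


if __name__ == "__main__":
    for t in parse_phase1(SAMPLE):
        print(t)
```

Run over the full debug, this makes it easy to see that the only proposal the router's priority 1 policy accepted was transform 5 (3DES-CBC, SHA, group 2, pre-share), and why each earlier transform was refused.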

2 Replies

mike.meyer1
Level 1

*Nov  5 10:16:59.865: IPSEC(validate_proposal_request): proposal part #1
*Nov  5 10:16:59.865: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 120.150.248.76, remote= 210.10.200.214,
    local_proxy= 120.150.248.76/255.255.255.255/17/1701 (type=1),
    remote_proxy= 210.10.200.214/255.255.255.255/17/1701 (type=1),
    protocol= ESP, transform= NONE  (Transport-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Nov  5 10:16:59.865: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes esp-sha-hmac }
*Nov  5 10:16:59.865: IPSEC(validate_proposal_request): proposal part #1
*Nov  5 10:16:59.865: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 120.150.248.76, remote= 210.10.200.214,
    local_proxy= 120.150.248.76/255.255.255.255/17/1701 (type=1),
    remote_proxy= 210.10.200.214/255.255.255.255/17/1701 (type=1),
    protocol= ESP, transform= NONE  (Transport-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Nov  5 10:16:59.869: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Nov  5 10:16:59.869: IPSEC(policy_db_add_ident): src 120.150.248.76, dest 210.10.200.214, dest_port 4500

*Nov  5 10:16:59.869: IPSEC(create_sa): sa created,
  (sa) sa_dest= 120.150.248.76, sa_proto= 50,
    sa_spi= 0x9EACB3B2(2662118322),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 33
*Nov  5 10:16:59.869: IPSEC(create_sa): sa created,
  (sa) sa_dest= 210.10.200.214, sa_proto= 50,
    sa_spi= 0xA3152354(2736071508),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 34
*Nov  5 10:16:59.945: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Nov  5 10:16:59.945: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Nov  5 10:16:59.945: IPSEC(key_engine_enable_outbound): enable SA with spi 2736071508/50
*Nov  5 10:16:59.945: IPSEC(update_current_outbound_sa): updated peer 210.10.200.214 current outbound sa to SPI A3152354
*Nov  5 10:17:00.421: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Nov  5 10:17:00.421: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Nov  5 10:17:00.421: IPSEC(key_engine_delete_sas): delete SA with spi 0xA3152354 proto 50 for 210.10.200.214
*Nov  5 10:17:00.421: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 120.150.248.76, sa_proto= 50,
    sa_spi= 0x9EACB3B2(2662118322),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 33,
  (identity) local= 120.150.248.76, remote= 210.10.200.214,
    local_proxy= 120.150.248.76/255.255.255.255/17/1701 (type=1),
    remote_proxy= 210.10.200.214/255.255.255.255/17/4500 (type=1)
*Nov  5 10:17:00.421: IPSEC(update_current_outbound_sa): updated peer 210.10.200.214 current outbound sa to SPI 0
*Nov  5 10:17:00.421: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 210.10.200.214, sa_proto= 50,
    sa_spi= 0xA3152354(2736071508),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 34,
  (identity) local= 120.150.248.76, remote= 210.10.200.214,
    local_proxy= 120.150.248.76/255.255.255.255/17/1701 (type=1),
    remote_proxy= 210.10.200.214/255.255.255.255/17/4500 (type=1)
*Nov  5 10:17:00.425: IPSEC(key_engine): got a queue event with 1 KMI message(s)

Solved it - was an AAA issue.

I had the VPN user as Priv0 - needed to be Priv15

Would love to have a different Priv level. Anyone know how to do this?
