IPSEC IKEv2 not establishing between ASA 1150 and Opengear

Hi
I am trying to set up an IPSEC IKEv2 tunnel between an ASA1150 and an Opengear OM1208 device.

I am wondering what I am missing. I use a similar config between ASAv-ASAv and it works OK.

Host-1----172.16.68.0/24------ASA----------Opengear----172.16.69.0/24----Host-2

ASA Config

interface GigabitEthernet0/0
 nameif MGMT
 security-level 100
 ip address 10.250.3.25 255.255.252.0 
!
interface GigabitEthernet0/3
 nameif UBUNTU-1-OPENGEAR-IPSEC
 security-level 100
 ip address 172.16.68.1 255.255.255.0 
!
access-list MGMT extended permit ip any any
access-list UBUNTU-1-OPENGEAR-IPSEC extended permit ip any any 


access-group MGMT in interface MGMT
access-group UBUNTU-1-OPENGEAR-IPSEC in interface UBUNTU-1-OPENGEAR-IPSEC

route MGMT 10.0.0.0 255.255.255.0 10.250.0.1
route MGMT 172.16.69.0 255.255.255.0 10.250.0.1 1

object network OPENGEAR-IPSEC-LOCAL
subnet 172.16.68.0 255.255.255.0
object network OPENGEAR-IPSEC-REMOTE
subnet 172.16.69.0 255.255.255.0

access-list OPENGEAR-IPSEC extended permit ip object OPENGEAR-IPSEC-LOCAL object OPENGEAR-IPSEC-REMOTE

crypto ipsec ikev2 ipsec-proposal OPENGEAR-IPSEC-PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha-512
crypto ipsec security-association pmtu-aging infinite

crypto map OPENGEAR-1 1 match address OPENGEAR-IPSEC
crypto map OPENGEAR-1 1 set peer 10.0.0.250
crypto map OPENGEAR-1 1 set ikev2 ipsec-proposal OPENGEAR-IPSEC-PROPOSAL
crypto map OPENGEAR-1 interface MGMT

crypto ikev2 policy 10
encryption aes-256
integrity sha512
group 19
prf sha256
lifetime seconds 86400

crypto ikev2 enable MGMT

group-policy OPENGEAR-IPSEC internal

tunnel-group 10.0.0.250 type ipsec-l2l
tunnel-group 10.0.0.250 general-attributes
default-group-policy OPENGEAR-IPSEC
tunnel-group 10.0.0.250 ipsec-attributes
ikev2 remote-authentication pre-shared-key XXXXX
ikev2 local-authentication pre-shared-key XXXXX

ASA Packet trace Outside-to-Inside

FW-3(config)# packet-tracer input MGMT tcp 172.16.69.2 bgp 172.16.68.2 bgp det$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Elapsed time: 26424 ns
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 172.16.68.2 using egress ifc UBUNTU-1-OPENGEAR-IPSEC

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 8930 ns
Config:
access-group MGMT in interface MGMT
access-list MGMT extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb0654b7f50, priority=13, domain=permit, deny=false
hits=7, user_data=0x7fb04b7b1d00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=MGMT, output_ifc=any

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 8930 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb06505d300, priority=0, domain=nat-per-session, deny=false
hits=3733, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 8930 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb065466130, priority=0, domain=inspect-ip-options, deny=true
hits=6721, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=MGMT, output_ifc=any

Phase: 5
Type: QOS
Subtype:
Result: ALLOW
Elapsed time: 160379 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb065415f20, priority=70, domain=qos-per-class, deny=false
hits=3936, user_data=0x7fb0653b3960, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Elapsed time: 2202 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb065e85320, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=3, user_data=0x0, cs_id=0x7fb065c51610, reverse, flags=0x0, protocol=0
src ip/id=172.16.69.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=172.16.68.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=MGMT, output_ifc=any

Result:
input-interface: MGMT
input-status: up
input-line-status: up
output-interface: UBUNTU-1-OPENGEAR-IPSEC
output-status: up
output-line-status: up
Action: drop
Time Taken: 215795 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000561c24a5e4c0 flow (NA)/NA

ASA Packet trace Inside-to-Outside

FW-3(config)# packet-tracer input UBUNTU-1-OPENGEAR-IPSEC tcp 172.16.68.2 bgp $

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 19818 ns
Config:
Additional Information:
Found next-hop 10.0.0.1 using egress ifc MGMT

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 6116 ns
Config:
access-group UBUNTU-1-OPENGEAR-IPSEC in interface UBUNTU-1-OPENGEAR-IPSEC
access-list UBUNTU-1-OPENGEAR-IPSEC extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb066d6cf80, priority=13, domain=permit, deny=false
hits=96, user_data=0x7fb04b7b1400, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=UBUNTU-1-OPENGEAR-IPSEC, output_ifc=any

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 6116 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb06505d300, priority=0, domain=nat-per-session, deny=false
hits=3734, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 6116 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb065e659e0, priority=0, domain=inspect-ip-options, deny=true
hits=111, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=UBUNTU-1-OPENGEAR-IPSEC, output_ifc=any

Phase: 5
Type: QOS
Subtype:
Result: ALLOW
Elapsed time: 19451 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb065415f20, priority=70, domain=qos-per-class, deny=false
hits=3937, user_data=0x7fb0653b3960, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Elapsed time: 4037 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fb065e84b80, priority=70, domain=encrypt, deny=false
hits=102, user_data=0x0, cs_id=0x7fb065c51610, reverse, flags=0x0, protocol=0
src ip/id=172.16.68.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=172.16.69.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=MGMT

Result:
input-interface: UBUNTU-1-OPENGEAR-IPSEC
input-status: up
input-line-status: up
output-interface: MGMT
output-status: up
output-line-status: up
Action: drop
Time Taken: 61654 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000561c24a5e4c0 flow (NA)/NA

ASA Debug

IKEv2-PLAT-4: Received PFKEY Acquire SA for SPI 0x0, error FALSE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: attempting to find tunnel group for IP: 10.0.0.250
IKEv2-PLAT-4: mapped to tunnel group 10.0.0.250 using peer IP
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: my_auth_method = 2
IKEv2-PLAT-4: supported_peers_auth_method = 2
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: ISAKMP P1 ID = 0
IKEv2-PLAT-4: Translating IKE_ID_AUTO to = 254
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: Received PFKEY SPI callback for SPI 0xC62F2BE2, error FALSE
IKEv2-PLAT-4: 
IKEv2 received all requested SPIs from CTM to initiate tunnel.
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: tp_name set to: 
IKEv2-PLAT-4: tg_name set to: 10.0.0.250
IKEv2-PLAT-4: tunn grp type set to: L2L
IKEv2-PLAT-7: New ikev2 sa request admitted
IKEv2-PLAT-7: Incrementing outgoing negotiating sa count by one
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-7: (32): Setting configured policies
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-4: (32): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
IKEv2-PROTO-4: (32): Request queued for computation of DH key
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-7: (32): Action: Action_Null
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-4: (32): Generating IKE_SA_INIT message
IKEv2-PROTO-4: (32): IKE Proposal: 1, SPI size: 0 (initial negotiation), 
Num. transforms: 4
(32):    AES-CBC(32):    SHA512(32):    SHA512(32):    DH_GROUP_256_ECP/Group 19IKEv2-PROTO-7: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-7: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-7: Construct Notify Payload: IKEV2_FRAGMENTATION_SUPPORTEDIKEv2-PROTO-7: Construct Vendor Specific Payload: FRAGMENTATION(32):  
IKEv2-PROTO-4: (32): Sending Packet [To 10.0.0.250:500/From 10.250.3.25:500/VRF i0:f0] 
(32): Initiator SPI : 98F8243DC22B2F9B - Responder SPI : 0000000000000000 Message id: 0
(32): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (32): Next payload: SA, version: 2.0 (32): Exchange type: IKE_SA_INIT, flags: INITIATOR (32): Message id: 0, length: 382(32):  
Payload contents: 
(32):  SA(32):   Next payload: KE, reserved: 0x0, length: 48
(32):   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(32):     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
(32):     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA512
(32):     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA512
(32):     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(32):  KE(32):   Next payload: N, reserved: 0x0, length: 72
(32):     DH group: 19, Reserved: 0x0
(32): 
(32):      58 40 08 bf e6 ab b1 15 84 81 5d a3 08 bd 73 90
(32):      7f 4f ca af c2 4a c9 ea 8d 39 64 95 49 62 d2 7b
(32):      e9 b9 31 ad 25 d8 8e 07 de 65 ff 19 ae da fc 81
(32):      d1 82 9c a3 7c 90 5e 2f e1 8e d2 25 cc b2 54 ff
(32):  N(32):   Next payload: VID, reserved: 0x0, length: 68
(32): 
(32):      3b 94 ee 53 06 1e 3c 01 01 5f 43 a7 2f 1b d0 e1
(32):      f5 af 71 c0 ec 26 c1 47 49 17 e5 63 7d cb 32 02
(32):      2a 92 0f 9e a0 53 28 91 0b 4d 81 89 24 b4 7a 28
(32):      1b 2b 6b 21 c5 64 44 a3 b7 3b 8e e4 1f 8a a8 3d
(32):  VID(32):   Next payload: VID, reserved: 0x0, length: 23
(32): 
(32):      43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(32):      53 4f 4e
(32):  VID(32):   Next payload: NOTIFY, reserved: 0x0, length: 59
(32): 
(32):      43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(32):      26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(32):      30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(32):      73 2c 20 49 6e 63 2e
(32):  NOTIFY(NAT_DETECTION_SOURCE_IP)(32):   Next payload: NOTIFY, reserved: 0x0, length: 28
(32):     Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(32): 
(32):      08 6f 6f 2e 6c 69 67 b0 66 44 d2 a8 87 1b f9 8c
(32):      fd 40 e7 31
(32):  NOTIFY(NAT_DETECTION_DESTINATION_IP)(32):   Next payload: NOTIFY, reserved: 0x0, length: 28
(32):     Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(32): 
(32):      c7 a4 08 4b 3a 17 2d fb 4c d5 3e d5 e8 30 d2 47
(32):      3a 3b 54 fb
(32):  NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(32):   Next payload: VID, reserved: 0x0, length: 8
(32):     Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(32):  VID(32):   Next payload: NONE, reserved: 0x0, length: 20
(32): 
(32):      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(32):  
IKEv2-PLAT-5: (32): SENT PKT [IKE_SA_INIT] [10.250.3.25]:500->[10.0.0.250]:500 InitSPI=0x98f8243dc22b2f9b RespSPI=0x0000000000000000 MID=00000000
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-4: (32): Insert SA
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT


IKEv2 Recv RAW packet dump
IKEv2-PLAT-5: RECV PKT [IKE_SA_INIT] [10.0.0.250]:500->[10.250.3.25]:500 InitSPI=0x98f8243dc22b2f9b RespSPI=0xbf260d3b502c6e80 MID=00000000
(32):  
IKEv2-PROTO-4: (32): Received Packet [From 10.0.0.250:500/To 10.250.3.25:500/VRF i0:f0] 
(32): Initiator SPI : 98F8243DC22B2F9B - Responder SPI : BF260D3B502C6E80 Message id: 0
(32): IKEv2 IKE_SA_INIT Exchange RESPONSEIKEv2-PROTO-5: (32): Next payload: SA, version: 2.0 (32): Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE (32): Message id: 0, length: 264(32):  
Payload contents: 
(32):  SA(32):   Next payload: KE, reserved: 0x0, length: 48
(32):   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(32):     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
(32):     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA512
(32):     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA512
(32):     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(32):  KE(32):   Next payload: N, reserved: 0x0, length: 72
(32):     DH group: 19, Reserved: 0x0
(32): 
(32):      69 4a a7 0c 8c c4 c8 11 f6 8c 6f 96 3e 64 5c 34
(32):      e0 48 24 6c 8c 20 19 8b 62 28 bd 02 26 c8 36 ce
(32):      38 bb 4e c1 9a dd 56 92 62 f1 38 3f 83 b0 76 c2
(32):      bf 07 02 d4 1c d5 9a 1f 0b 70 cb d6 40 66 0a df
(32):  N(32):   Next payload: NOTIFY, reserved: 0x0, length: 36
(32): 
(32):      18 bb 93 a3 85 68 70 d4 92 48 c0 38 dc 08 12 83
(32):      65 b0 75 0b 09 47 cf db b3 3a 9e bf a2 c1 cc 12
IKEv2-PROTO-7: Parse Notify Payload: NAT_DETECTION_SOURCE_IP(32):  NOTIFY(NAT_DETECTION_SOURCE_IP)(32):   Next payload: NOTIFY, reserved: 0x0, length: 28
(32):     Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(32): 
(32):      2c 79 8d 9b 0b 3a 1d fd 18 36 2e bc d5 61 0b 34
(32):      84 66 8c 14
IKEv2-PROTO-7: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP(32):  NOTIFY(NAT_DETECTION_DESTINATION_IP)(32):   Next payload: NOTIFY, reserved: 0x0, length: 28
(32):     Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(32): 
(32):      fc 2e a8 3c e1 b2 fb 04 52 cc 6e 38 7f af 4d 95
(32):      1e 72 69 80
IKEv2-PROTO-7: Parse Notify Payload: IKEV2_FRAGMENTATION_SUPPORTED(32):  NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(32):   Next payload: NOTIFY, reserved: 0x0, length: 8
(32):     Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
IKEv2-PROTO-7: Parse Notify Payload: Unknown - 16418(32):  NOTIFY(Unknown - 16418)(32):   Next payload: NOTIFY, reserved: 0x0, length: 8
(32):     Security protocol id: Unknown - 0, spi size: 0, type: Unknown - 0
IKEv2-PROTO-7: Parse Notify Payload: Unknown - 16404(32):  NOTIFY(Unknown - 16404)(32):   Next payload: NONE, reserved: 0x0, length: 8
(32):     Security protocol id: Unknown - 0, spi size: 0, type: Unknown - 0
(32):  
(32): Decrypted packet:(32): Data: 264 bytes
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-7: (32): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (32): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-4: (32): Verify SA init message
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-4: (32): Processing IKE_SA_INIT message
IKEv2-PLAT-4: (32): my auth method set to: 2
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-7: (32): Process NAT discovery notify
IKEv2-PROTO-7: (32): Processing nat detect src notify
IKEv2-PROTO-7: (32): Remote address matched
IKEv2-PROTO-7: (32): Processing nat detect dst notify
IKEv2-PROTO-7: (32): Local address matched
IKEv2-PROTO-7: (32): No NAT found
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-4: (32): Checking NAT discovery
IKEv2-PROTO-4: (32): NAT not found
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-4: (32): [IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
IKEv2-PROTO-4: (32): Request queued for computation of DH secret
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-7: (32): Action: Action_Null
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-7: (32): Generate skeyid
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-4: (32): IETF Fragmentation is enabled
IKEv2-PROTO-4: (32): Completed SA init exchange
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PLAT-4: Build config mode reply: no request stored
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_FOR_PPK
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_PPK_MAND
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-4: (32): Check for EAP exchange
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-4: (32): Generate my authentication data
IKEv2-PROTO-4: (32): Use preshared key for id 10.250.3.25, key len 8
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_FALLBACK_AUTH
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-4: (32): Get my authentication method
IKEv2-PROTO-4: (32): My authentication method is 'PSK'
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-4: (32): Check for EAP exchange
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-4: (32): Generating IKE_AUTH message
IKEv2-PROTO-7: Construct Vendor Specific Payload: CISCO-GRANITEIKEv2-PROTO-4: (32): Constructing IDi payload: '10.250.3.25' of type 'IPv4 address'
IKEv2-PROTO-4: (32): ESP Proposal: 1, SPI size: 4 (IPSec negotiation), 
Num. transforms: 3
(32):    AES-CBC(32):    SHA512(32):    Don't use ESNIKEv2-PROTO-7: Construct Notify Payload: INITIAL_CONTACTIKEv2-PROTO-7: Construct Notify Payload: ESP_TFC_NO_SUPPORTIKEv2-PROTO-7: Construct Notify Payload: NON_FIRST_FRAGSIKEv2-PROTO-4: (32): Building packet for encryption. 
(32):  
Payload contents: 
(32):  VID(32):   Next payload: IDi, reserved: 0x0, length: 20
(32): 
(32):      9a f8 25 3d d1 1c dc dc 8a 19 49 0b ad b4 b3 cb
(32):  IDi(32):   Next payload: AUTH, reserved: 0x0, length: 12
(32):     Id type: IPv4 address, Reserved: 0x0 0x0
(32): 
(32):      0a fa 03 19
(32):  AUTH(32):   Next payload: SA, reserved: 0x0, length: 72
(32):     Auth method PSK, reserved: 0x0, reserved 0x0
(32): Auth data: 64 bytes
(32):  SA(32):   Next payload: TSi, reserved: 0x0, length: 44
(32):   last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3(32):     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
(32):     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA512
(32):     last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id: Don't use ESN
(32):  TSi(32):   Next payload: TSr, reserved: 0x0, length: 40
(32):     Num of TSs: 2, reserved 0x0, reserved 0x0
(32):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(32):     start port: 0, end port: 65535
(32):     start addr: 172.16.68.2, end addr: 172.16.68.2
(32):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(32):     start port: 0, end port: 65535
(32):     start addr: 172.16.68.0, end addr: 172.16.68.255
(32):  TSr(32):   Next payload: NOTIFY, reserved: 0x0, length: 40
(32):     Num of TSs: 2, reserved 0x0, reserved 0x0
(32):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(32):     start port: 0, end port: 65535
(32):     start addr: 172.16.69.2, end addr: 172.16.69.2
(32):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(32):     start port: 0, end port: 65535
(32):     start addr: 172.16.69.0, end addr: 172.16.69.255
(32):  NOTIFY(INITIAL_CONTACT)(32):   Next payload: NOTIFY, reserved: 0x0, length: 8
(32):     Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
(32):  NOTIFY(ESP_TFC_NO_SUPPORT)(32):   Next payload: NOTIFY, reserved: 0x0, length: 8
(32):     Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
(32):  NOTIFY(NON_FIRST_FRAGS)(32):   Next payload: NONE, reserved: 0x0, length: 8
(32):     Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_ENCRYPT_MSG
IKEv2-PLAT-4: (32): Encrypt success status returned via ipc 1
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (32): Action: Action_Null
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_TRYSEND
(32):  
IKEv2-PROTO-4: (32): Sending Packet [To 10.0.0.250:500/From 10.250.3.25:500/VRF i0:f0] 
(32): Initiator SPI : 98F8243DC22B2F9B - Responder SPI : BF260D3B502C6E80 Message id: 1
(32): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-5: (32): Next payload: ENCR, version: 2.0 (32): Exchange type: IKE_AUTH, flags: INITIATOR (32): Message id: 1, length: 336(32):  
Payload contents: 
(32):  ENCR(32):   Next payload: VID, reserved: 0x0, length: 308
(32): Encrypted data: 304 bytes
(32):  
IKEv2-PLAT-5: (32): SENT PKT [IKE_AUTH] [10.250.3.25]:500->[10.0.0.250]:500 InitSPI=0x98f8243dc22b2f9b RespSPI=0xbf260d3b502c6e80 MID=00000001
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_CHK_EAP_POST_ASYNC
IKEv2-PROTO-4: (32): Check for EAP exchange
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT


IKEv2 Recv RAW packet dump
IKEv2-PLAT-5: RECV PKT [IKE_AUTH] [10.0.0.250]:500->[10.250.3.25]:500 InitSPI=0x98f8243dc22b2f9b RespSPI=0xbf260d3b502c6e80 MID=00000001
(32):  
IKEv2-PROTO-4: (32): Received Packet [From 10.0.0.250:500/To 10.250.3.25:500/VRF i0:f0] 
(32): Initiator SPI : 98F8243DC22B2F9B - Responder SPI : BF260D3B502C6E80 Message id: 1
(32): IKEv2 IKE_AUTH Exchange RESPONSEIKEv2-PROTO-5: (32): Next payload: ENCR, version: 2.0 (32): Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE (32): Message id: 1, length: 176(32):  
Payload contents: 
IKEv2-PLAT-4: (32): Decrypt success status returned via ipc 1
IKEv2-PROTO-4: decrypt queued(32):  
(32): Decrypted packet:(32): Data: 176 bytes
(32): REAL Decrypted packet:(32): Data: 92 bytes
 IDr  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0

     0a 00 00 fa
 AUTH  Next payload: NOTIFY, reserved: 0x0, length: 72
    Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 64 bytes
IKEv2-PROTO-7: Parse Notify Payload: TS_UNACCEPTABLE NOTIFY(TS_UNACCEPTABLE)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: TS_UNACCEPTABLE
 
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-7: (32): Action: Action_Null
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (32): Process auth response notify
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PLAT-4: (32): peer auth method set to: 2
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-4: (32): Searching policy based on peer's identity '10.0.0.250' of type 'IPv4 address'
IKEv2-PLAT-4: (32): Site to Site connection detected
IKEv2-PLAT-4: connection initiated with tunnel group 10.0.0.250 
IKEv2-PLAT-2: (32): Template number 0 
IKEv2-PLAT-4: my_auth_method = 2
IKEv2-PLAT-4: supported_peers_auth_method = 2
IKEv2-PLAT-4: (32): PSH P1 ID = 1
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-4: (32): Verify peer's policy
IKEv2-PROTO-4: (32): Peer's policy verified
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: unknown event
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-4: (32): Get peer's authentication method
IKEv2-PROTO-4: (32): Peer's authentication method is 'PSK'
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-4: (32): Get peer's preshared key for 10.0.0.250
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-4: (32): Verify peer's authentication data
IKEv2-PROTO-4: (32): Use preshared key for id 10.0.0.250, key len 8
IKEv2-PROTO-7: (32): Computing AUTH data to authenticate Peer, return code = 1

IKEv2-PROTO-4: (32): Verification of peer's authenctication data PASSED
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-4: (32): Check for EAP exchange
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_NOTIFY_AUTH_DONE
IKEv2-PLAT-4: (32): Completed authentication for connection
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_IC
IKEv2-PROTO-4: (32): Processing INITIAL_CONTACT
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-7: (32): Action: Action_Null
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_UPDATE_CAC_STATS
IKEv2-PLAT-7: New ikev2 sa request activated
IKEv2-PLAT-7: Decrement count for outgoing negotiating
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-4: (32): IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
IKEv2-PLAT-4: 
CONNECTION STATUS: UP... peer: 10.0.0.250:500, phase1_id: 10.0.0.250
IKEv2-PROTO-4: (32): Session with IKE ID PAIR (10.0.0.250, 10.250.3.25) is UP
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PLAT-4: (32): connection auth hdl set to 287
IKEv2-PLAT-4: (32): AAA conn attribute retrieval successfully queued for register session request.
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PLAT-4: (32): idle timeout set to: 30 
IKEv2-PLAT-4: (32): session timeout set to: 0 
IKEv2-PLAT-4: (32): group policy set to OPENGEAR-IPSEC
IKEv2-PLAT-4: (32): class attr set
IKEv2-PLAT-4: (32): tunnel protocol set to: 0x4c
IKEv2-PLAT-4: (32): IPv4 filter ID not configured for connection
IKEv2-PLAT-4: (32): group lock set to: none
IKEv2-PLAT-4: (32): IPv6 filter ID not configured for connection
IKEv2-PLAT-4: (32): connection attributes set valid to TRUE
IKEv2-PLAT-4: (32): Successfully retrieved conn attrs
IKEv2-PLAT-4: (32): Session registration after conn attr retrieval PASSED, No error
IKEv2-PLAT-4: (32): connection auth hdl set to -1
IKEv2-PLAT-4: 
CONNECTION STATUS: REGISTERED... peer: 10.0.0.250:500, phase1_id: 10.0.0.250
IKEv2-PROTO-4: (32): Initializing DPD, configured for 10 seconds
IKEv2-PLAT-4: mib_index set to: 501
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-4: (32): Checking for duplicate IKEv2 SA
IKEv2-PROTO-4: (32): No duplicate IKEv2 SA found
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: READY Event: EV_DEL_SA
IKEv2-PROTO-4: (32): Queuing IKE SA delete request reason: unknown
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: READY Event: EV_FREE_NEG
IKEv2-PROTO-7: (32): Deleting negotiation context for my message ID: 0x1
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: READY Event: EV_DELETE
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: DELETE Event: EV_DELETE
IKEv2-PROTO-7: (32): Action: Action_Null
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SND_SA_DEL
IKEv2-PROTO-4: (32): Sending DELETE INFO message for IKEv2 SA [ISPI: 0x98F8243DC22B2F9B RSPI: 0xBF260D3B502C6E80]
IKEv2-PROTO-4: (32): Building packet for encryption. 
(32):  
Payload contents: 
(32):  DELETE(32):   Next payload: NONE, reserved: 0x0, length: 8
(32):     Security protocol id: IKE, spi size: 0, num of spi: 0
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_ENCRYPT_MSG
IKEv2-PLAT-4: (32): Encrypt success status returned via ipc 1
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_NO_EVENT
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (32): Action: Action_Null
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_TRYSEND
IKEv2-PROTO-4: (32): Checking if request will fit in peer window
(32):  
IKEv2-PROTO-4: (32): Sending Packet [To 10.0.0.250:500/From 10.250.3.25:500/VRF i0:f0] 
(32): Initiator SPI : 98F8243DC22B2F9B - Responder SPI : BF260D3B502C6E80 Message id: 2
(32): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-5: (32): Next payload: ENCR, version: 2.0 (32): Exchange type: INFORMATIONAL, flags: INITIATOR (32): Message id: 2, length: 96(32):  
Payload contents: 
(32):  ENCR(32):   Next payload: DELETE, reserved: 0x0, length: 68
(32): Encrypted data: 64 bytes
(32):  
IKEv2-PLAT-5: (32): SENT PKT [INFORMATIONAL] [10.250.3.25]:500->[10.0.0.250]:500 InitSPI=0x98f8243dc22b2f9b RespSPI=0xbf260d3b502c6e80 MID=00000002
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_CHK4_ACTIVE_SA
IKEv2-PROTO-4: (32): Check for existing active SA
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_STOP_ACCT
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_TERM_CONN
IKEv2-PROTO-4: (32): Delete all IKE SAs
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_NO_EVENT
IKEv2-PLAT-4: Received PFKEY delete SA for SPI 0xC62F2BE2 error FALSE
IKEv2-PLAT-4: PFKEY Delete Ack from IPSec


IKEv2 Recv RAW packet dump
IKEv2-PLAT-5: RECV PKT [INFORMATIONAL] [10.0.0.250]:500->[10.250.3.25]:500 InitSPI=0x98f8243dc22b2f9b RespSPI=0xbf260d3b502c6e80 MID=00000002
(32):  
IKEv2-PROTO-4: (32): Received Packet [From 10.0.0.250:500/To 10.250.3.25:500/VRF i0:f0] 
(32): Initiator SPI : 98F8243DC22B2F9B - Responder SPI : BF260D3B502C6E80 Message id: 2
(32): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-5: (32): Next payload: ENCR, version: 2.0 (32): Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE (32): Message id: 2, length: 96(32):  
Payload contents: 
IKEv2-PLAT-4: (32): Decrypt success status returned via ipc 1
IKEv2-PROTO-4: decrypt queued(32):  
(32): Decrypted packet:(32): Data: 96 bytes
(32): REAL Decrypted packet:(32): Data: 0 bytes
 
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-4: (32): Processing ACK to informational exchange
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000002 CurState: DELETE Event: EV_RECV_DEL_ACK
IKEv2-PROTO-7: (32): Action: Action_Null
IKEv2-PROTO-7: (32): SM Trace-> SA: I_SPI=98F8243DC22B2F9B R_SPI=BF260D3B502C6E80 (I) MsgID = 00000002 CurState: DELETE Event: EV_FREE_SA
IKEv2-PROTO-4: (32): Deleting SA
IKEv2-PLAT-4: 
CONNECTION STATUS: DOWN... peer: 10.0.0.250:500, phase1_id: 10.0.0.250
IKEv2-PLAT-4: (32): IKEv2 session deregistered from session manager. Reason: 8
IKEv2-PLAT-4: (32): session manager killed ikev2 tunnel. Reason: Internal Error
IKEv2-PLAT-4: (32): Deleted associated IKE flow: MGMT, 10.250.3.25:62465 <-> 10.0.0.250:62465
IKEv2-PLAT-4: (32): PSH cleanup
IKEv2-PLAT-7: Active ike sa request deleted
IKEv2-PLAT-7: Decrement count for outgoing active
IKEv2-PLAT-4: Received PFKEY Acquire SA for SPI 0x0, error FALSE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: attempting to find tunnel group for IP: 10.0.0.250
IKEv2-PLAT-4: mapped to tunnel group 10.0.0.250 using peer IP
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: my_auth_method = 2
IKEv2-PLAT-4: supported_peers_auth_method = 2
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: ISAKMP P1 ID = 0
IKEv2-PLAT-4: Translating IKE_ID_AUTO to = 254
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: Received PFKEY SPI callback for SPI 0xF702A0FB, error FALSE
IKEv2-PLAT-4: 
IKEv2 received all requested SPIs from CTM to initiate tunnel.
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: tp_name set to: 
IKEv2-PLAT-4: tg_name set to: 10.0.0.250
IKEv2-PLAT-4: tunn grp type set to: L2L
IKEv2-PLAT-7: New ikev2 sa request admitted
IKEv2-PLAT-7: Incrementing outgoing negotiating sa count by one
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-7: (33): Setting configured policies
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-4: (33): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
IKEv2-PROTO-4: (33): Request queued for computation of DH key
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-7: (33): Action: Action_Null
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-4: (33): Generating IKE_SA_INIT message
IKEv2-PROTO-4: (33): IKE Proposal: 1, SPI size: 0 (initial negotiation), 
Num. transforms: 4
(33):    AES-CBC(33):    SHA512(33):    SHA512(33):    DH_GROUP_256_ECP/Group 19IKEv2-PROTO-7: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-7: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-7: Construct Notify Payload: IKEV2_FRAGMENTATION_SUPPORTEDIKEv2-PROTO-7: Construct Vendor Specific Payload: FRAGMENTATION(33):  
IKEv2-PROTO-4: (33): Sending Packet [To 10.0.0.250:500/From 10.250.3.25:500/VRF i0:f0] 
(33): Initiator SPI : 50797D141ED3E71E - Responder SPI : 0000000000000000 Message id: 0
(33): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (33): Next payload: SA, version: 2.0 (33): Exchange type: IKE_SA_INIT, flags: INITIATOR (33): Message id: 0, length: 382(33):  
Payload contents: 
(33):  SA(33):   Next payload: KE, reserved: 0x0, length: 48
(33):   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(33):     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
(33):     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA512
(33):     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA512
(33):     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(33):  KE(33):   Next payload: N, reserved: 0x0, length: 72
(33):     DH group: 19, Reserved: 0x0
(33): 
(33):      b5 b5 76 39 de 13 0c d9 91 23 d7 0d 33 d9 ba 57
(33):      a7 9c cf 45 67 f7 3d 25 f4 cd df ba 2c cf d9 38
(33):      79 cd 63 a5 ca 78 f0 8f 7f 6f 80 25 f7 e0 28 d0
(33):      cf 66 76 4f 8a 7a e8 67 87 13 45 d3 42 19 ff 7c
(33):  N(33):   Next payload: VID, reserved: 0x0, length: 68
(33): 
(33):      af 9a c8 12 49 18 28 11 07 4b 00 47 cd f8 78 6c
(33):      1e d7 85 27 ff 2e dc 3e 8e 92 1d 8b b8 07 28 b1
(33):      47 3c 68 eb e1 0a d5 6f 68 aa c5 35 d4 2f 39 7c
(33):      24 f9 a8 2e eb 92 4d be 8c 29 a4 59 33 41 c4 31
(33):  VID(33):   Next payload: VID, reserved: 0x0, length: 23
(33): 
(33):      43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(33):      53 4f 4e
(33):  VID(33):   Next payload: NOTIFY, reserved: 0x0, length: 59
(33): 
(33):      43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(33):      26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(33):      30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(33):      73 2c 20 49 6e 63 2e
(33):  NOTIFY(NAT_DETECTION_SOURCE_IP)(33):   Next payload: NOTIFY, reserved: 0x0, length: 28
(33):     Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(33): 
(33):      a4 24 41 3c c6 c9 a8 d0 39 d6 b3 31 36 82 d2 d7
(33):      0d b0 6b 54
(33):  NOTIFY(NAT_DETECTION_DESTINATION_IP)(33):   Next payload: NOTIFY, reserved: 0x0, length: 28
(33):     Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(33): 
(33):      6f 02 2e 31 c3 da 61 fa 1f eb b7 6f 60 d4 93 1b
(33):      34 e3 d4 8b
(33):  NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(33):   Next payload: VID, reserved: 0x0, length: 8
(33):     Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(33):  VID(33):   Next payload: NONE, reserved: 0x0, length: 20
(33): 
(33):      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(33):  
IKEv2-PLAT-5: (33): SENT PKT [IKE_SA_INIT] [10.250.3.25]:500->[10.0.0.250]:500 InitSPI=0x50797d141ed3e71e RespSPI=0x0000000000000000 MID=00000000
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-4: (33): Insert SA
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT


IKEv2 Recv RAW packet dump
IKEv2-PLAT-5: RECV PKT [IKE_SA_INIT] [10.0.0.250]:500->[10.250.3.25]:500 InitSPI=0x50797d141ed3e71e RespSPI=0x67b5224e9325b51f MID=00000000
(33):  
IKEv2-PROTO-4: (33): Received Packet [From 10.0.0.250:500/To 10.250.3.25:500/VRF i0:f0] 
(33): Initiator SPI : 50797D141ED3E71E - Responder SPI : 67B5224E9325B51F Message id: 0
(33): IKEv2 IKE_SA_INIT Exchange RESPONSEIKEv2-PROTO-5: (33): Next payload: SA, version: 2.0 (33): Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE (33): Message id: 0, length: 264(33):  
Payload contents: 
(33):  SA(33):   Next payload: KE, reserved: 0x0, length: 48
(33):   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(33):     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
(33):     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA512
(33):     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA512
(33):     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(33):  KE(33):   Next payload: N, reserved: 0x0, length: 72
(33):     DH group: 19, Reserved: 0x0
(33): 
(33):      a7 70 53 a2 14 7c 59 45 da db ff f1 24 06 a8 5c
(33):      35 27 69 63 f8 96 24 c0 8d 40 4f 0d 71 1c 3f d1
(33):      9a 93 aa b5 64 1c fe 0e 5b c1 a0 41 98 d5 3f 2d
(33):      42 8a df 48 3e cf 4c 45 f1 ef 6a 8e 61 02 2b 04
(33):  N(33):   Next payload: NOTIFY, reserved: 0x0, length: 36
(33): 
(33):      fc 15 ad b1 23 2d 02 37 1d a2 43 3d b8 09 f5 ee
(33):      69 06 2c 3a 30 ce 6d 05 3f a9 1f 78 7f 44 a6 c6
IKEv2-PROTO-7: Parse Notify Payload: NAT_DETECTION_SOURCE_IP(33):  NOTIFY(NAT_DETECTION_SOURCE_IP)(33):   Next payload: NOTIFY, reserved: 0x0, length: 28
(33):     Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(33): 
(33):      98 d5 53 5a 65 82 87 e4 75 e1 73 6c 90 8d 17 6e
(33):      a3 9f 12 56
IKEv2-PROTO-7: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP(33):  NOTIFY(NAT_DETECTION_DESTINATION_IP)(33):   Next payload: NOTIFY, reserved: 0x0, length: 28
(33):     Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(33): 
(33):      e2 c8 16 3a 80 50 81 14 0a 81 82 b6 cd 56 97 ab
(33):      19 e2 0e bd
IKEv2-PROTO-7: Parse Notify Payload: IKEV2_FRAGMENTATION_SUPPORTED(33):  NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(33):   Next payload: NOTIFY, reserved: 0x0, length: 8
(33):     Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
IKEv2-PROTO-7: Parse Notify Payload: Unknown - 16418(33):  NOTIFY(Unknown - 16418)(33):   Next payload: NOTIFY, reserved: 0x0, length: 8
(33):     Security protocol id: Unknown - 0, spi size: 0, type: Unknown - 0
IKEv2-PROTO-7: Parse Notify Payload: Unknown - 16404(33):  NOTIFY(Unknown - 16404)(33):   Next payload: NONE, reserved: 0x0, length: 8
(33):     Security protocol id: Unknown - 0, spi size: 0, type: Unknown - 0
(33):  
(33): Decrypted packet:(33): Data: 264 bytes
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-7: (33): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (33): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-4: (33): Verify SA init message
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-4: (33): Processing IKE_SA_INIT message
IKEv2-PLAT-4: (33): my auth method set to: 2
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-7: (33): Process NAT discovery notify
IKEv2-PROTO-7: (33): Processing nat detect src notify
IKEv2-PROTO-7: (33): Remote address matched
IKEv2-PROTO-7: (33): Processing nat detect dst notify
IKEv2-PROTO-7: (33): Local address matched
IKEv2-PROTO-7: (33): No NAT found
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-4: (33): Checking NAT discovery
IKEv2-PROTO-4: (33): NAT not found
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-4: (33): [IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
IKEv2-PROTO-4: (33): Request queued for computation of DH secret
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-7: (33): Action: Action_Null
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-7: (33): Generate skeyid
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-4: (33): IETF Fragmentation is enabled
IKEv2-PROTO-4: (33): Completed SA init exchange
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PLAT-4: Build config mode reply: no request stored
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_FOR_PPK
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_PPK_MAND
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-4: (33): Check for EAP exchange
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-4: (33): Generate my authentication data
IKEv2-PROTO-4: (33): Use preshared key for id 10.250.3.25, key len 8
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_FALLBACK_AUTH
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-4: (33): Get my authentication method
IKEv2-PROTO-4: (33): My authentication method is 'PSK'
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-4: (33): Check for EAP exchange
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-4: (33): Generating IKE_AUTH message
IKEv2-PROTO-7: Construct Vendor Specific Payload: CISCO-GRANITEIKEv2-PROTO-4: (33): Constructing IDi payload: '10.250.3.25' of type 'IPv4 address'
IKEv2-PROTO-4: (33): ESP Proposal: 1, SPI size: 4 (IPSec negotiation), 
Num. transforms: 3
(33):    AES-CBC(33):    SHA512(33):    Don't use ESNIKEv2-PROTO-7: Construct Notify Payload: INITIAL_CONTACTIKEv2-PROTO-7: Construct Notify Payload: ESP_TFC_NO_SUPPORTIKEv2-PROTO-7: Construct Notify Payload: NON_FIRST_FRAGSIKEv2-PROTO-4: (33): Building packet for encryption. 
(33):  
Payload contents: 
(33):  VID(33):   Next payload: IDi, reserved: 0x0, length: 20
(33): 
(33):      52 79 7c 14 0d e4 14 59 14 ed 81 c9 38 71 2a 65
(33):  IDi(33):   Next payload: AUTH, reserved: 0x0, length: 12
(33):     Id type: IPv4 address, Reserved: 0x0 0x0
(33): 
(33):      0a fa 03 19
(33):  AUTH(33):   Next payload: SA, reserved: 0x0, length: 72
(33):     Auth method PSK, reserved: 0x0, reserved 0x0
(33): Auth data: 64 bytes
(33):  SA(33):   Next payload: TSi, reserved: 0x0, length: 44
(33):   last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3(33):     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
(33):     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA512
(33):     last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id: Don't use ESN
(33):  TSi(33):   Next payload: TSr, reserved: 0x0, length: 40
(33):     Num of TSs: 2, reserved 0x0, reserved 0x0
(33):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(33):     start port: 0, end port: 65535
(33):     start addr: 172.16.68.2, end addr: 172.16.68.2
(33):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(33):     start port: 0, end port: 65535
(33):     start addr: 172.16.68.0, end addr: 172.16.68.255
(33):  TSr(33):   Next payload: NOTIFY, reserved: 0x0, length: 40
(33):     Num of TSs: 2, reserved 0x0, reserved 0x0
(33):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(33):     start port: 0, end port: 65535
(33):     start addr: 172.16.69.2, end addr: 172.16.69.2
(33):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(33):     start port: 0, end port: 65535
(33):     start addr: 172.16.69.0, end addr: 172.16.69.255
(33):  NOTIFY(INITIAL_CONTACT)(33):   Next payload: NOTIFY, reserved: 0x0, length: 8
(33):     Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
(33):  NOTIFY(ESP_TFC_NO_SUPPORT)(33):   Next payload: NOTIFY, reserved: 0x0, length: 8
(33):     Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
(33):  NOTIFY(NON_FIRST_FRAGS)(33):   Next payload: NONE, reserved: 0x0, length: 8
(33):     Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_ENCRYPT_MSG
IKEv2-PLAT-4: (33): Encrypt success status returned via ipc 1
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (33): Action: Action_Null
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_TRYSEND
(33):  
IKEv2-PROTO-4: (33): Sending Packet [To 10.0.0.250:500/From 10.250.3.25:500/VRF i0:f0] 
(33): Initiator SPI : 50797D141ED3E71E - Responder SPI : 67B5224E9325B51F Message id: 1
(33): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-5: (33): Next payload: ENCR, version: 2.0 (33): Exchange type: IKE_AUTH, flags: INITIATOR (33): Message id: 1, length: 336(33):  
Payload contents: 
(33):  ENCR(33):   Next payload: VID, reserved: 0x0, length: 308
(33): Encrypted data: 304 bytes
(33):  
IKEv2-PLAT-5: (33): SENT PKT [IKE_AUTH] [10.250.3.25]:500->[10.0.0.250]:500 InitSPI=0x50797d141ed3e71e RespSPI=0x67b5224e9325b51f MID=00000001
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_CHK_EAP_POST_ASYNC
IKEv2-PROTO-4: (33): Check for EAP exchange
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT


IKEv2 Recv RAW packet dump
IKEv2-PLAT-5: RECV PKT [IKE_AUTH] [10.0.0.250]:500->[10.250.3.25]:500 InitSPI=0x50797d141ed3e71e RespSPI=0x67b5224e9325b51f MID=00000001
(33):  
IKEv2-PROTO-4: (33): Received Packet [From 10.0.0.250:500/To 10.250.3.25:500/VRF i0:f0] 
(33): Initiator SPI : 50797D141ED3E71E - Responder SPI : 67B5224E9325B51F Message id: 1
(33): IKEv2 IKE_AUTH Exchange RESPONSEIKEv2-PROTO-5: (33): Next payload: ENCR, version: 2.0 (33): Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE (33): Message id: 1, length: 176(33):  
Payload contents: 
IKEv2-PLAT-4: (33): Decrypt success status returned via ipc 1
IKEv2-PROTO-4: decrypt queued(33):  
(33): Decrypted packet:(33): Data: 176 bytes
(33): REAL Decrypted packet:(33): Data: 92 bytes
 IDr  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0

     0a 00 00 fa
 AUTH  Next payload: NOTIFY, reserved: 0x0, length: 72
    Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 64 bytes
IKEv2-PROTO-7: Parse Notify Payload: TS_UNACCEPTABLE NOTIFY(TS_UNACCEPTABLE)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: TS_UNACCEPTABLE
 
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-7: (33): Action: Action_Null
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (33): Process auth response notify
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PLAT-4: (33): peer auth method set to: 2
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-4: (33): Searching policy based on peer's identity '10.0.0.250' of type 'IPv4 address'
IKEv2-PLAT-4: (33): Site to Site connection detected
IKEv2-PLAT-4: connection initiated with tunnel group 10.0.0.250 
IKEv2-PLAT-2: (33): Template number 0 
IKEv2-PLAT-4: my_auth_method = 2
IKEv2-PLAT-4: supported_peers_auth_method = 2
IKEv2-PLAT-4: (33): PSH P1 ID = 1
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-4: (33): Verify peer's policy
IKEv2-PROTO-4: (33): Peer's policy verified
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: unknown event
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-4: (33): Get peer's authentication method
IKEv2-PROTO-4: (33): Peer's authentication method is 'PSK'
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-4: (33): Get peer's preshared key for 10.0.0.250
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-4: (33): Verify peer's authentication data
IKEv2-PROTO-4: (33): Use preshared key for id 10.0.0.250, key len 8
IKEv2-PROTO-7: (33): Computing AUTH data to authenticate Peer, return code = 1

IKEv2-PROTO-4: (33): Verification of peer's authenctication data PASSED
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-4: (33): Check for EAP exchange
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_NOTIFY_AUTH_DONE
IKEv2-PLAT-4: (33): Completed authentication for connection
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_IC
IKEv2-PROTO-4: (33): Processing INITIAL_CONTACT
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-7: (33): Action: Action_Null
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_UPDATE_CAC_STATS
IKEv2-PLAT-7: New ikev2 sa request activated
IKEv2-PLAT-7: Decrement count for outgoing negotiating
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-4: (33): IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
IKEv2-PLAT-4: 
CONNECTION STATUS: UP... peer: 10.0.0.250:500, phase1_id: 10.0.0.250
IKEv2-PROTO-4: (33): Session with IKE ID PAIR (10.0.0.250, 10.250.3.25) is UP
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PLAT-4: (33): connection auth hdl set to 288
IKEv2-PLAT-4: (33): AAA conn attribute retrieval successfully queued for register session request.
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PLAT-4: (33): idle timeout set to: 30 
IKEv2-PLAT-4: (33): session timeout set to: 0 
IKEv2-PLAT-4: (33): group policy set to OPENGEAR-IPSEC
IKEv2-PLAT-4: (33): class attr set
IKEv2-PLAT-4: (33): tunnel protocol set to: 0x4c
IKEv2-PLAT-4: (33): IPv4 filter ID not configured for connection
IKEv2-PLAT-4: (33): group lock set to: none
IKEv2-PLAT-4: (33): IPv6 filter ID not configured for connection
IKEv2-PLAT-4: (33): connection attributes set valid to TRUE
IKEv2-PLAT-4: (33): Successfully retrieved conn attrs
IKEv2-PLAT-4: (33): Session registration after conn attr retrieval PASSED, No error
IKEv2-PLAT-4: (33): connection auth hdl set to -1
IKEv2-PLAT-4: 
CONNECTION STATUS: REGISTERED... peer: 10.0.0.250:500, phase1_id: 10.0.0.250
IKEv2-PROTO-4: (33): Initializing DPD, configured for 10 seconds
IKEv2-PLAT-4: mib_index set to: 501
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-4: (33): Checking for duplicate IKEv2 SA
IKEv2-PROTO-4: (33): No duplicate IKEv2 SA found
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: READY Event: EV_DEL_SA
IKEv2-PROTO-4: (33): Queuing IKE SA delete request reason: unknown
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: READY Event: EV_FREE_NEG
IKEv2-PROTO-7: (33): Deleting negotiation context for my message ID: 0x1
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: READY Event: EV_DELETE
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: DELETE Event: EV_DELETE
IKEv2-PROTO-7: (33): Action: Action_Null
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SND_SA_DEL
IKEv2-PROTO-4: (33): Sending DELETE INFO message for IKEv2 SA [ISPI: 0x50797D141ED3E71E RSPI: 0x67B5224E9325B51F]
IKEv2-PROTO-4: (33): Building packet for encryption. 
(33):  
Payload contents: 
(33):  DELETE(33):   Next payload: NONE, reserved: 0x0, length: 8
(33):     Security protocol id: IKE, spi size: 0, num of spi: 0
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_ENCRYPT_MSG
IKEv2-PLAT-4: (33): Encrypt success status returned via ipc 1
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_NO_EVENT
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (33): Action: Action_Null
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_TRYSEND
IKEv2-PROTO-4: (33): Checking if request will fit in peer window
(33):  
IKEv2-PROTO-4: (33): Sending Packet [To 10.0.0.250:500/From 10.250.3.25:500/VRF i0:f0] 
(33): Initiator SPI : 50797D141ED3E71E - Responder SPI : 67B5224E9325B51F Message id: 2
(33): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-5: (33): Next payload: ENCR, version: 2.0 (33): Exchange type: INFORMATIONAL, flags: INITIATOR (33): Message id: 2, length: 96(33):  
Payload contents: 
(33):  ENCR(33):   Next payload: DELETE, reserved: 0x0, length: 68
(33): Encrypted data: 64 bytes
(33):  
IKEv2-PLAT-5: (33): SENT PKT [INFORMATIONAL] [10.250.3.25]:500->[10.0.0.250]:500 InitSPI=0x50797d141ed3e71e RespSPI=0x67b5224e9325b51f MID=00000002
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_CHK4_ACTIVE_SA
IKEv2-PROTO-4: (33): Check for existing active SA
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_STOP_ACCT
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_TERM_CONN
IKEv2-PROTO-4: (33): Delete all IKE SAs
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_NO_EVENT
IKEv2-PLAT-4: Received PFKEY delete SA for SPI 0xF702A0FB error FALSE
IKEv2-PLAT-4: PFKEY Delete Ack from IPSec


IKEv2 Recv RAW packet dump
IKEv2-PLAT-5: RECV PKT [INFORMATIONAL] [10.0.0.250]:500->[10.250.3.25]:500 InitSPI=0x50797d141ed3e71e RespSPI=0x67b5224e9325b51f MID=00000002
(33):  
IKEv2-PROTO-4: (33): Received Packet [From 10.0.0.250:500/To 10.250.3.25:500/VRF i0:f0] 
(33): Initiator SPI : 50797D141ED3E71E - Responder SPI : 67B5224E9325B51F Message id: 2
(33): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-5: (33): Next payload: ENCR, version: 2.0 (33): Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE (33): Message id: 2, length: 96(33):  
Payload contents: 
IKEv2-PLAT-4: (33): Decrypt success status returned via ipc 1
IKEv2-PROTO-4: decrypt queued(33):  
(33): Decrypted packet:(33): Data: 96 bytes
(33): REAL Decrypted packet:(33): Data: 0 bytes
 
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-4: (33): Processing ACK to informational exchange
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000002 CurState: DELETE Event: EV_RECV_DEL_ACK
IKEv2-PROTO-7: (33): Action: Action_Null
IKEv2-PROTO-7: (33): SM Trace-> SA: I_SPI=50797D141ED3E71E R_SPI=67B5224E9325B51F (I) MsgID = 00000002 CurState: DELETE Event: EV_FREE_SA
IKEv2-PROTO-4: (33): Deleting SA
IKEv2-PLAT-4: 
CONNECTION STATUS: DOWN... peer: 10.0.0.250:500, phase1_id: 10.0.0.250
IKEv2-PLAT-4: (33): IKEv2 session deregistered from session manager. Reason: 8
IKEv2-PLAT-4: (33): session manager killed ikev2 tunnel. Reason: Internal Error
IKEv2-PLAT-4: (33): Deleted associated IKE flow: MGMT, 10.250.3.25:62465 <-> 10.0.0.250:62465
IKEv2-PLAT-4: (33): PSH cleanup
IKEv2-PLAT-7: Active ike sa request deleted
IKEv2-PLAT-7: Decrement count for outgoing active

Opengear Config

[Three screenshots of the Opengear configuration]

@oscardenizjensen for a start the MGMT interface is the outside interface? Set the security level as 0 not 100, or make it lower than the inside interface.

interface GigabitEthernet0/0
nameif MGMT
security-level 0

I am not familiar with the Opengear but surely this selection below should mirror the crypto ACL configured on the ASA (remote 172.16.68.0/24 and local 172.16.69.0/24).

[Screenshot of the Opengear settings]

Hej Rob
This is purely a lab environment, which is why I set the security level to 100; when it goes to production I would change it.

You are correct, it does act like an ACL and I have changed it, but still the same result.

I saw some extra logs which might help

Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = OPENGEAR-1. Map Sequence Number = 1.
Local:10.250.3.25:500 Remote:10.0.0.250:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 172.16.68.2-172.16.68.2 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.69.2-172.16.69.2 Protocol: 0 Port Range: 0-65535
Built local-host MGMT:10.0.0.250
Built outbound UDP connection 6178 for MGMT:10.0.0.250/500 (10.0.0.250/500) to identity:10.250.3.25/500 (10.250.3.25/500)
IKE Receiver: Packet received on 10.250.3.25:500 from 10.0.0.250:500
Local:10.250.3.25:500 Remote:10.0.0.250:500 Username:10.0.0.250 IKEv2 Negotiation aborted due to ERROR: Received no proposal chosen notify
IKEv2 was unsuccessful at setting up a tunnel. Map Tag = OPENGEAR-1. Map Sequence Number = 1.
Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= OPENGEAR-1. Map Sequence Number = 1.
Tunnel Manager Removed entry. Map Tag = OPENGEAR-1. Map Sequence Number = 1.
Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = OPENGEAR-1. Map Sequence Number = 1.
Local:10.250.3.25:500 Remote:10.0.0.250:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 172.16.68.2-172.16.68.2 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.69.2-172.16.69.2 Protocol: 0 Port Range: 0-65535
IKE Receiver: Packet received on 10.250.3.25:500 from 10.0.0.250:500
Local:10.250.3.25:500 Remote:10.0.0.250:500 Username:10.0.0.250 IKEv2 Negotiation aborted due to ERROR: Received no proposal chosen notify
IKEv2 was unsuccessful at setting up a tunnel. Map Tag = OPENGEAR-1. Map Sequence Number = 1.
Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= OPENGEAR-1. Map Sequence Number = 1.
Tunnel Manager Removed entry. Map Tag = OPENGEAR-1. Map Sequence Number = 1.
Teardown UDP connection 6178 for MGMT:10.0.0.250/500 to identity:10.250.3.25/500 duration 0:02:06 bytes 836




@oscardenizjensen what are the Opengear IKE/IPsec crypto settings? They need to match the ASA.

IKEv2 Negotiation aborted due to ERROR: Received no proposal chosen notify
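
Added example (not part of any post in this thread, and not Cisco or Opengear code): a small Python triage of the ASA output posted above. It separates the two failure notifies seen in the thread, TS_UNACCEPTABLE in the IKE_AUTH debug and "no proposal chosen" in the syslog, and checks the requested traffic selectors against the crypto ACL subnets; the function names and the ADVICE strings are assumptions of this example.

```python
import ipaddress
import re

# Lines copied from the ASA debug and syslog output posted in this thread.
SAMPLE = """\
IKEv2-PROTO-7: Parse Notify Payload: TS_UNACCEPTABLE NOTIFY(TS_UNACCEPTABLE)  Next payload: NONE, reserved: 0x0, length: 8
IKEv2-PROTO-4: (33): Verification of peer's authenctication data PASSED
Local:10.250.3.25:500 Remote:10.0.0.250:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 172.16.68.2-172.16.68.2 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.69.2-172.16.69.2 Protocol: 0 Port Range: 0-65535
Local:10.250.3.25:500 Remote:10.0.0.250:500 Username:10.0.0.250 IKEv2 Negotiation aborted due to ERROR: Received no proposal chosen notify
"""

# Error notify types defined in RFC 7296 section 3.10.1, with what to compare.
ADVICE = {
    "TS_UNACCEPTABLE": "traffic selectors refused: compare crypto ACL with peer subnets",
    "NO_PROPOSAL_CHOSEN": "all proposals refused: compare encr/integ/PRF/DH group/PFS",
}
NOTIFY_RE = re.compile(r"NOTIFY\((\w+)\)")
TS_RE = re.compile(r"(local|remote) traffic selector = Address Range: ([\d.]+)-([\d.]+)")


def notifies(log):
    """Return the error notify names seen, in order of first appearance."""
    seen = {}
    for line in log.splitlines():
        names = NOTIFY_RE.findall(line)
        if "no proposal chosen notify" in line.lower():
            names.append("NO_PROPOSAL_CHOSEN")
        seen.update(dict.fromkeys(n for n in names if n in ADVICE))
    return list(seen)


def selectors(log):
    """Return the distinct (side, first_ip, last_ip) selectors the ASA requested."""
    found = []
    for side, first, last in TS_RE.findall(log):
        item = (side, ipaddress.ip_address(first), ipaddress.ip_address(last))
        if item not in found:
            found.append(item)
    return found


def triage(log, local_net, remote_net):
    """Summarise where the negotiation failed, given the crypto ACL subnets."""
    nets = {"local": ipaddress.ip_network(local_net),
            "remote": ipaddress.ip_network(remote_net)}
    report = []
    if "authenctication data PASSED" in log:  # spelling as printed by the ASA
        report.append("IKE SA authenticated: pre-shared key and identity are fine")
    for side, first, last in selectors(log):
        ok = first in nets[side] and last in nets[side]
        report.append(f"{side} selector {first}-{last} "
                      f"{'inside' if ok else 'OUTSIDE'} {nets[side]}")
    report += [f"{name}: {ADVICE[name]}" for name in notifies(log)]
    return report


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE, "172.16.68.0/24", "172.16.69.0/24")))
```

The two notifies point at different settings: a peer that authenticates the IKE SA and then returns TS_UNACCEPTABLE is objecting to the subnets, while NO_PROPOSAL_CHOSEN is about the algorithm lists.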

 

Opengear had the negotiable option for IKEv2 so I left it at that, thought it would be easier. If I choose negotiable I cannot choose any specific algorithms.

[Screenshot of the Opengear settings]


@oscardenizjensen ok, what are the Opengear algorithms it is trying to use? Check the Opengear documentation and amend the Cisco side. Why can you not set specific algorithms on the Opengear?

Unfortunately I only found documentation for IKEv1 between ASA and Opengear.
I can actually set specific algorithms as well on Opengear if I choose the specific option. I tried these but get the same error. Maybe I am picking the wrong options?

[Two screenshots of the Opengear algorithm settings]


@oscardenizjensen but the documentation should state what the default negotiated algorithms are?

Looking at that screenshot, on the ASA you may wish to change PRF to 512 (to match the integrity) or add another IKEv2 policy. Also configure PFS group 19 on the ASA or disable it on the Opengear side.

I have changed config on both ASA and Opengear but still not working.

I have changed ASA to be more catch all

 

crypto ipsec ikev2 ipsec-proposal OPENGEAR-IPSEC-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-512

crypto ikev2 policy 10
 encryption aes-256
 integrity sha512
 group 31 21 20 19 16 15 14
 prf sha512 sha384 sha256
 lifetime seconds 86400

I have added everything on Opengear side as well

[Three screenshots of the Opengear configuration]


You select initiator, then you select nego.

Instead use respond and select nego.

And for local add the LAN protect by ikev2 

MHM

I have changed Opengear to Responder now, but same result. I have also changed the proposal to be wider, as in the post above.

Not sure what you mean by "And for local add the LAN protect by ikev2 "

Sorry for the late reply.

Now in the OM addresses you only select the remote LAN, not the local LAN? You need to specify the local LAN protected by the VPN.

For the SA that you don't know which OM uses:

Make OM the initiator, then ping from the OM LAN to the ASA LAN.

On the ASA use

debug crypto isakmp 127  <- for phase1

debug crypto ipsec 127 <- for phase2

When you see the debug on the ASA you can know which SA OM uses; write them down and modify your ASA config to match what OM sends.

MHM

I have added the local LAN on OM as well.

I cannot do "debug crypto isakmp". So I use "debug crypto ikev2 protocol 127" and "debug crypto ikev2 platform 127".

I have turned OM into the initiator and started a ping, but that does not seem to trigger any logs on the ASA.

Does OM have a default route or a static route for the ASA LAN?

MHM

Yes, it has a default route set on the WAN interface.