01-29-2014 05:39 AM - edited 02-21-2020 07:28 PM
I am having issues getting an Android device to connect using the native L2TP/IPSEC VPN client.
With an iOS device, it connects fine. I have followed all of the online config guidance I can find but nothing seems to help on the Android side.
Here is my config:
vpdn enable
vpdn-group l2tpvpn
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
lcp renegotiation always
l2tp tunnel hello 15
no l2tp tunnel authentication
l2tp tunnel receive-window 1024
l2tp ip udp checksum
ip pmtu
ip mtu adjust
username dan privilege 15 password dan
crypto isakmp policy 1
encr 3des
group 2
authentication pre-share
lifetime 3600
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp fragmentation
!
!
crypto ipsec transform-set L2TP-TS esp-3des esp-sha-hmac
mode transport require
crypto ipsec transform-set L2TP-TS1 esp-aes esp-sha-hmac
mode transport require
crypto ipsec transform-set L2TP-TS2 ah-sha-hmac esp-3des
mode transport
crypto ipsec transform-set L2TP-TS3 ah-md5-hmac esp-3des
mode transport
crypto ipsec transform-set L2TP-TS4 ah-md5-hmac esp-aes
mode transport
crypto ipsec transform-set L2TP-TS5 ah-sha-hmac esp-aes
mode transport
!
crypto dynamic-map dynvpn 1
set nat demux
set security-association lifetime seconds 28800
set transform-set L2TP-TS1
crypto map clientmap 30 ipsec-isakmp dynamic dynvpn
interface FastEthernet0/0
description Internet Connection
ip address <INTERNET>
duplex auto
speed auto
crypto map clientmap
interface FastEthernet0/0/3
!
interface Virtual-Template1
ip unnumbered Vlan8
ip mtu 1398
peer default ip address pool VPN
keepalive 5
ppp mtu adaptive
ppp authentication pap ms-chap ms-chap-v2 chap
ip local pool VPN 10.1.8.201 10.1.8.221
ip route 0.0.0.0 0.0.0.0 <INTERNET>
Add some debug (crypto isakmp and crypto ipsec):
local_proxy= <INTERNET>/255.255.255.255/17/1701 (type=1),
remote_proxy= <ANDROID>/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jan 29 01:33:06.425: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-md5-hmac }
*Jan 29 01:33:06.425: ISAKMP:(1243): IPSec policy invalidated proposal with error 256
*Jan 29 01:33:06.425: IPSEC(validate_proposal_request): proposal part #1
*Jan 29 01:33:06.425: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= <INTERNET>, remote= <ANDROID>,
local_proxy= <INTERNET>/255.255.255.255/17/1701 (type=1),
remote_proxy= <ANDROID>/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jan 29 01:33:06.425: ISAKMP:(1243): processing NONCE payload. message ID = -2100912043
*Jan 29 01:33:06.425: ISAKMP:(1243): processing ID payload. message ID = -2100912043
*Jan 29 01:33:06.425: ISAKMP:(1243): processing ID payload. message ID = -2100912043
*Jan 29 01:33:06.429: ISAKMP:(1243):QM Responder gets spi
*Jan 29 01:33:06.429: ISAKMP:(1243):Node -2100912043, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jan 29 01:33:06.429: ISAKMP:(1243):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Jan 29 01:33:06.429: ISAKMP:(1243): Creating IPSec SAs
*Jan 29 01:33:06.429: inbound SA from <ANDROID> to <INTERNET> (f/i) 0/ 0
(proxy <ANDROID> to <INTERNET>)
*Jan 29 01:33:06.429: has spi 0x9A969C5 and conn_id 0
*Jan 29 01:33:06.429: lifetime of 28800 seconds
*Jan 29 01:33:06.429: outbound SA from <INTERNET> to <ANDROID> (f/i) 0/0
(proxy <INTERNET> to <ANDROID>)
*Jan 29 01:33:06.429: has spi 0xB59BEB and conn_id 0
*Jan 29 01:33:06.429: lifetime of 28800 seconds
*Jan 29 01:33:06.429: ISAKMP:(1243): sending packet to <ANDROID> my_port 4500 peer_port 4500 (R) QM_IDLE
*Jan 29 01:33:06.429: ISAKMP:(1243):Sending an IKE IPv4 Packet.
*Jan 29 01:33:06.429: ISAKMP:(1243):Node -2100912043, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Jan 29 01:33:06.433: ISAKMP:(1243):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
*Jan 29 01:33:06.433: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jan 29 01:33:06.433: IPSEC(policy_db_add_ident): src <INTERNET>, dest <ANDROID>, dest_port 4500
*Jan 29 01:33:06.433: IPSEC(create_sa): sa created,
(sa) sa_dest= <INTERNET>, sa_proto= 50,
sa_spi= 0x9A969C5(162097605),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2053
*Jan 29 01:33:06.433: IPSEC(create_sa): sa created,
(sa) sa_dest= <ANDROID>, sa_proto= 50,
sa_spi= 0xB59BEB(11901931),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2054
*Jan 29 01:33:06.601: ISAKMP (0:1243): received packet from <ANDROID> dport 4500 sport 4500 Global (R) QM_IDLE
*Jan 29 01:33:06.601: ISAKMP:(1243):deleting node -2100912043 error FALSE reason "QM done (await)"
*Jan 29 01:33:06.601: ISAKMP:(1243):Node -2100912043, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jan 29 01:33:06.601: ISAKMP:(1243):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Jan 29 01:33:06.601: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jan 29 01:33:06.601: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Jan 29 01:33:06.601: IPSEC(key_engine_enable_outbound): enable SA with spi 11901931/50
*Jan 29 01:33:06.601: IPSEC(update_current_outbound_sa): updated peer <ANDROID> current outbound sa to SPI B59BEB
*Jan 29 01:33:08.245: %INTERFACE_API-3-NODESTROYSUBBLOCK: The SWIDB subblock named SW FIB PENDING EVENT was not removed, -Traceback= 0x60BB69F0 0x60365A1C 0x6036612C
*Jan 29 01:33:15.921: ISAKMP:(1241):purging SA., sa=63FDEA00, delme=63FDEA00
*Jan 29 01:33:56.405: ISAKMP:(1243):purging node -120856731
*Jan 29 01:33:56.417: ISAKMP:(1242):purging node -1787951035
*Jan 29 01:33:56.417: ISAKMP:(1242):purging node -1229870867
*Jan 29 01:33:56.601: ISAKMP:(1243):purging node -2100912043
*Jan 29 01:34:06.417: ISAKMP:(1242):purging SA., sa=653E1810, delme=653E1810
eRecharge-VPN-RTR1#
eRecharge-VPN-RTR1#
*Jan 29 01:35:29.625: ISAKMP (0:0): received packet from <ANDROID> dport 500 sport 500 Global (N) NEW SA
*Jan 29 01:35:29.625: ISAKMP: Created a peer struct for <ANDROID>, peer port 500
*Jan 29 01:35:29.625: ISAKMP: New peer created peer = 0x653EE3F0 peer_handle = 0x80000A91
*Jan 29 01:35:29.625: ISAKMP: Locking peer struct 0x653EE3F0, refcount 1 for crypto_isakmp_process_block
*Jan 29 01:35:29.629: ISAKMP: local port 500, remote port 500
*Jan 29 01:35:29.629: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 640A5FD8
*Jan 29 01:35:29.629: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 29 01:35:29.629: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Jan 29 01:35:29.629: ISAKMP:(0): processing SA payload. message ID = 0
*Jan 29 01:35:29.629: ISAKMP:(0): processing vendor id payload
*Jan 29 01:35:29.629: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 29 01:35:29.629: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Jan 29 01:35:29.629: ISAKMP:(0): processing vendor id payload
*Jan 29 01:35:29.629: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*Jan 29 01:35:29.629: ISAKMP:(0): processing vendor id payload
*Jan 29 01:35:29.629: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jan 29 01:35:29.629: ISAKMP:(0): vendor ID is NAT-T v2
*Jan 29 01:35:29.629: ISAKMP:(0): processing vendor id payload
*Jan 29 01:35:29.629: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
*Jan 29 01:35:29.629: ISAKMP:(0): processing vendor id payload
*Jan 29 01:35:29.629: ISAKMP:(0): processing IKE frag vendor id payload
*Jan 29 01:35:29.629: ISAKMP:(0): vendor ID is IKE Fragmentation
*Jan 29 01:35:29.629: ISAKMP:(0): MM Fragmentation supported
*Jan 29 01:35:29.629: ISAKMP:(0): processing vendor id payload
*Jan 29 01:35:29.629: ISAKMP:(0): vendor ID is DPD
*Jan 29 01:35:29.629: ISAKMP:(0):found peer pre-shared key matching <ANDROID>
*Jan 29 01:35:29.633: ISAKMP:(0): local preshared key found
*Jan 29 01:35:29.633: ISAKMP : Scanning profiles for xauth ...
*Jan 29 01:35:29.633: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jan 29 01:35:29.633: ISAKMP: life type in seconds
*Jan 29 01:35:29.633: ISAKMP: life duration (basic) of 28800
*Jan 29 01:35:29.633: ISAKMP: encryption AES-CBC
*Jan 29 01:35:29.633: ISAKMP: keylength of 256
*Jan 29 01:35:29.633: ISAKMP: auth pre-share
*Jan 29 01:35:29.633: ISAKMP: hash SHA
*Jan 29 01:35:29.633: ISAKMP: default group 2
*Jan 29 01:35:29.633: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan 29 01:35:29.633: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan 29 01:35:29.633: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Jan 29 01:35:29.633: ISAKMP: life type in seconds
*Jan 29 01:35:29.633: ISAKMP: life duration (basic) of 28800
*Jan 29 01:35:29.633: ISAKMP: encryption AES-CBC
*Jan 29 01:35:29.633: ISAKMP: keylength of 256
*Jan 29 01:35:29.633: ISAKMP: auth pre-share
*Jan 29 01:35:29.633: ISAKMP: hash MD5
*Jan 29 01:35:29.633: ISAKMP: default group 2
*Jan 29 01:35:29.633: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan 29 01:35:29.633: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan 29 01:35:29.633: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Jan 29 01:35:29.633: ISAKMP: life type in seconds
*Jan 29 01:35:29.633: ISAKMP: life duration (basic) of 28800
*Jan 29 01:35:29.633: ISAKMP: encryption AES-CBC
*Jan 29 01:35:29.633: ISAKMP: keylength of 128
*Jan 29 01:35:29.633: ISAKMP: auth pre-share
*Jan 29 01:35:29.633: ISAKMP: hash SHA
*Jan 29 01:35:29.633: ISAKMP: default group 2
*Jan 29 01:35:29.633: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan 29 01:35:29.633: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan 29 01:35:29.633: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Jan 29 01:35:29.633: ISAKMP: life type in seconds
*Jan 29 01:35:29.633: ISAKMP: life duration (basic) of 28800
*Jan 29 01:35:29.633: ISAKMP: encryption AES-CBC
*Jan 29 01:35:29.633: ISAKMP: keylength of 128
*Jan 29 01:35:29.633: ISAKMP: auth pre-share
*Jan 29 01:35:29.633: ISAKMP: hash MD5
*Jan 29 01:35:29.633: ISAKMP: default group 2
*Jan 29 01:35:29.633: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan 29 01:35:29.633: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan 29 01:35:29.633: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Jan 29 01:35:29.633: ISAKMP: life type in seconds
*Jan 29 01:35:29.633: ISAKMP: life duration (basic) of 28800
*Jan 29 01:35:29.633: ISAKMP: encryption 3DES-CBC
*Jan 29 01:35:29.633: ISAKMP: auth pre-share
*Jan 29 01:35:29.633: ISAKMP: hash SHA
*Jan 29 01:35:29.633: ISAKMP: default group 2
*Jan 29 01:35:29.633: ISAKMP:(0):atts are acceptable. Next payload is 3
*Jan 29 01:35:29.637: ISAKMP:(0):Acceptable atts:actual life: 3600
*Jan 29 01:35:29.637: ISAKMP:(0):Acceptable atts:life: 0
*Jan 29 01:35:29.637: ISAKMP:(0):Basic life_in_seconds:28800
*Jan 29 01:35:29.637: ISAKMP:(0):Returning Actual lifetime: 3600
*Jan 29 01:35:29.637: ISAKMP:(0)::Started lifetime timer: 3600.
*Jan 29 01:35:29.637: ISAKMP:(0): processing vendor id payload
*Jan 29 01:35:29.637: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 29 01:35:29.637: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Jan 29 01:35:29.637: ISAKMP:(0): processing vendor id payload
*Jan 29 01:35:29.637: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*Jan 29 01:35:29.637: ISAKMP:(0): processing vendor id payload
*Jan 29 01:35:29.637: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jan 29 01:35:29.637: ISAKMP:(0): vendor ID is NAT-T v2
*Jan 29 01:35:29.637: ISAKMP:(0): processing vendor id payload
*Jan 29 01:35:29.637: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
*Jan 29 01:35:29.637: ISAKMP:(0): processing vendor id payload
*Jan 29 01:35:29.637: ISAKMP:(0): processing IKE frag vendor id payload
*Jan 29 01:35:29.637: ISAKMP:(0): vendor ID is IKE Fragmentation
*Jan 29 01:35:29.637: ISAKMP:(0): MM Fragmentation supported
*Jan 29 01:35:29.637: ISAKMP:(0): processing vendor id payload
*Jan 29 01:35:29.637: ISAKMP:(0): vendor ID is DPD
*Jan 29 01:35:29.637: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 29 01:35:29.637: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Jan 29 01:35:29.641: ISAKMP:(0):sending IKE_FRAG vendor ID
*Jan 29 01:35:29.641: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jan 29 01:35:29.641: ISAKMP:(0): sending packet to <ANDROID> my_port 500 peer_port 500 (R) MM_SA_SETUP
*Jan 29 01:35:29.641: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 29 01:35:29.641: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 29 01:35:29.641: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Jan 29 01:35:29.869: ISAKMP (0:0): received packet from <ANDROID> dport 500 sport 500 Global (R) MM_SA_SETUP
*Jan 29 01:35:29.869: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 29 01:35:29.869: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Jan 29 01:35:29.869: ISAKMP:(0): processing KE payload. message ID = 0
*Jan 29 01:35:29.953: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jan 29 01:35:29.953: ISAKMP:(0):found peer pre-shared key matching <ANDROID>
*Jan 29 01:35:29.953: ISAKMP:received payload type 20
*Jan 29 01:35:29.953: ISAKMP:received payload type 20
*Jan 29 01:35:29.953: ISAKMP (0:1244): NAT found, the node outside NAT
*Jan 29 01:35:29.957: ISAKMP:(1244):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 29 01:35:29.957: ISAKMP:(1244):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Jan 29 01:35:29.957: ISAKMP:(1244): sending packet to <ANDROID> my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jan 29 01:35:29.957: ISAKMP:(1244):Sending an IKE IPv4 Packet.
*Jan 29 01:35:29.957: ISAKMP:(1244):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 29 01:35:29.957: ISAKMP:(1244):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Jan 29 01:35:30.249: ISAKMP (0:1244): received packet from <ANDROID> dport 4500 sport 4500 Global (R) MM_KEY_EXCH
*Jan 29 01:35:30.249: ISAKMP:(1244):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 29 01:35:30.249: ISAKMP:(1244):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Jan 29 01:35:30.253: ISAKMP:(1244): processing ID payload. message ID = 0
*Jan 29 01:35:30.253: ISAKMP (0:1244): ID payload
next-payload : 8
type : 1
address : 192.170.100.113
protocol : 17
port : 500
length : 12
*Jan 29 01:35:30.253: ISAKMP:(0):: peer matches *none* of the profiles
*Jan 29 01:35:30.253: ISAKMP:(1244): processing HASH payload. message ID = 0
*Jan 29 01:35:30.253: ISAKMP:(1244):SA authentication status:
authenticated
*Jan 29 01:35:30.253: ISAKMP:(1244):SA has been authenticated with <ANDROID>
*Jan 29 01:35:30.253: ISAKMP:(1244):Detected port floating to port = 4500
*Jan 29 01:35:30.253: ISAKMP: Trying to insert a peer <INTERNET>/<ANDROID>/4500/, and found existing one 64B90268 to reuse, free 653EE3F0
*Jan 29 01:35:30.253: ISAKMP: Unlocking peer struct 0x653EE3F0 Reuse existing peer, count 0
*Jan 29 01:35:30.253: ISAKMP: Deleting peer node by peer_reap for <ANDROID>: 653EE3F0
*Jan 29 01:35:30.253: ISAKMP: Locking peer struct 0x64B90268, refcount 2 for Reuse existing peer
*Jan 29 01:35:30.253: ISAKMP:(1244):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 29 01:35:30.253: ISAKMP:(1244):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Jan 29 01:35:30.253: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jan 29 01:35:30.257: ISAKMP:(1244):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jan 29 01:35:30.257: ISAKMP (0:1244): ID payload
next-payload : 8
type : 1
address : <INTERNET>
protocol : 17
port : 0
length : 12
*Jan 29 01:35:30.257: ISAKMP:(1244):Total payload length: 12
*Jan 29 01:35:30.257: ISAKMP:(1244): sending packet to <ANDROID> my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Jan 29 01:35:30.257: ISAKMP:(1244):Sending an IKE IPv4 Packet.
*Jan 29 01:35:30.257: ISAKMP:(1244):Returning Actual lifetime: 3600
*Jan 29 01:35:30.257: ISAKMP: set new node 1108379192 to QM_IDLE
*Jan 29 01:35:30.257: ISAKMP:(1244):Sending NOTIFY RESPONDER_LIFETIME protocol 1
spi 1688401496, message ID = 1108379192
*Jan 29 01:35:30.257: ISAKMP:(1244): sending packet to <ANDROID> my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Jan 29 01:35:30.257: ISAKMP:(1244):Sending an IKE IPv4 Packet.
*Jan 29 01:35:30.257: ISAKMP:(1244):purging node 1108379192
*Jan 29 01:35:30.257: ISAKMP: Sending phase 1 responder lifetime 3600
*Jan 29 01:35:30.257: ISAKMP:(1244):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 29 01:35:30.261: ISAKMP:(1244):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Jan 29 01:35:30.261: ISAKMP:(1244):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jan 29 01:35:30.261: ISAKMP:(1244):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jan 29 01:35:30.493: ISAKMP (0:1244): received packet from <ANDROID> dport 4500 sport 4500 Global (R) QM_IDLE
*Jan 29 01:35:30.493: ISAKMP: set new node -182504280 to QM_IDLE
*Jan 29 01:35:30.493: ISAKMP:(1244): processing HASH payload. message ID = -182504280
*Jan 29 01:35:30.493: ISAKMP:(1244): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = -182504280, sa = 640A5FD8
*Jan 29 01:35:30.493: ISAKMP:(1244):SA authentication status:
authenticated
*Jan 29 01:35:30.493: ISAKMP:(1244): Process initial contact,
bring down existing phase 1 and 2 SA's with local <INTERNET> remote <ANDROID> remote port 4500
*Jan 29 01:35:30.493: ISAKMP:(1243):received initial contact, deleting SA
*Jan 29 01:35:30.497: ISAKMP:(1243):peer does not do paranoid keepalives.
*Jan 29 01:35:30.497: ISAKMP:(1243):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer <ANDROID>)
*Jan 29 01:35:30.497: ISAKMP:(1244):deleting node -182504280 error FALSE reason "Informational (in) state 1"
*Jan 29 01:35:30.497: ISAKMP:(1244):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jan 29 01:35:30.497: ISAKMP:(1244):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jan 29 01:35:30.497: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jan 29 01:35:30.497: Delete IPsec SA by IC, local <INTERNET> remote <ANDROID> peer port 4500
*Jan 29 01:35:30.497: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= <INTERNET>, sa_proto= 50,
sa_spi= 0x9A969C5(162097605),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2053,
(identity) local= <INTERNET>, remote= <ANDROID>,
local_proxy= <INTERNET>/255.255.255.255/17/1701 (type=1),
remote_proxy= <ANDROID>/255.255.255.255/17/4500 (type=1)
*Jan 29 01:35:30.497: IPSEC(update_current_outbound_sa): updated peer <ANDROID> current outbound sa to SPI 0
*Jan 29 01:35:30.497: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= <ANDROID>, sa_proto= 50,
sa_spi= 0xB59BEB(11901931),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2054,
(identity) local= <INTERNET>, remote= <ANDROID>,
local_proxy= <INTERNET>/255.255.255.255/17/1701 (type=1),
remote_proxy= <ANDROID>/255.255.255.255/17/4500 (type=1)
*Jan 29 01:35:30.501: ISAKMP: set new node -1196491908 to QM_IDLE
*Jan 29 01:35:30.501: ISAKMP:(1243):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jan 29 01:35:30.501: ISAKMP:(1243):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Jan 29 01:35:30.501: ISAKMP (0:1244): received packet from <ANDROID> dport 4500 sport 4500 Global (R) QM_IDLE
*Jan 29 01:35:30.501: ISAKMP: set new node -849535221 to QM_IDLE
*Jan 29 01:35:30.501: ISAKMP:(1244): processing HASH payload. message ID = -849535221
*Jan 29 01:35:30.505: ISAKMP:(1244): processing SA payload. message ID = -849535221
*Jan 29 01:35:30.505: ISAKMP:(1244):Checking IPSec proposal 1
*Jan 29 01:35:30.505: ISAKMP: transform 1, ESP_AES
*Jan 29 01:35:30.505: ISAKMP: attributes in transform:
*Jan 29 01:35:30.505: ISAKMP: SA life type in seconds
*Jan 29 01:35:30.505: ISAKMP: SA life duration (basic) of 28800
*Jan 29 01:35:30.505: ISAKMP: encaps is 4 (Transport-UDP)
*Jan 29 01:35:30.505: ISAKMP: key length is 256
*Jan 29 01:35:30.505: ISAKMP: authenticator is HMAC-SHA
*Jan 29 01:35:30.505: ISAKMP:(1244):atts are acceptable.
*Jan 29 01:35:30.505: ISAKMP:(1244):Checking IPSec proposal 1
*Jan 29 01:35:30.505: ISAKMP: transform 2, ESP_AES
*Jan 29 01:35:30.505: ISAKMP: attributes in transform:
*Jan 29 01:35:30.505: ISAKMP: SA life type in seconds
*Jan 29 01:35:30.505: ISAKMP: SA life duration (basic) of 28800
*Jan 29 01:35:30.505: ISAKMP: encaps is 4 (Transport-UDP)
*Jan 29 01:35:30.505: ISAKMP: key length is 256
*Jan 29 01:35:30.505: ISAKMP: authenticator is HMAC-MD5
*Jan 29 01:35:30.505: ISAKMP:(1244):atts are acceptable.
*Jan 29 01:35:30.505: ISAKMP:(1244):Checking IPSec proposal 1
*Jan 29 01:35:30.505: ISAKMP: transform 3, ESP_AES
*Jan 29 01:35:30.505: ISAKMP: attributes in transform:
*Jan 29 01:35:30.505: ISAKMP: SA life type in seconds
*Jan 29 01:35:30.505: ISAKMP: SA life duration (basic) of 28800
*Jan 29 01:35:30.505: ISAKMP: encaps is 4 (Transport-UDP)
*Jan 29 01:35:30.505: ISAKMP: key length is 128
*Jan 29 01:35:30.505: ISAKMP: authenticator is HMAC-SHA
*Jan 29 01:35:30.505: ISAKMP:(1244):atts are acceptable.
*Jan 29 01:35:30.505: ISAKMP:(1244):Checking IPSec proposal 1
*Jan 29 01:35:30.505: ISAKMP: transform 4, ESP_AES
*Jan 29 01:35:30.505: ISAKMP: attributes in transform:
*Jan 29 01:35:30.505: ISAKMP: SA life type in seconds
*Jan 29 01:35:30.505: ISAKMP: SA life duration (basic) of 28800
*Jan 29 01:35:30.505: ISAKMP: encaps is 4 (Transport-UDP)
*Jan 29 01:35:30.505: ISAKMP: key length is 128
*Jan 29 01:35:30.505: ISAKMP: authenticator is HMAC-MD5
*Jan 29 01:35:30.505: ISAKMP:(1244):atts are acceptable.
*Jan 29 01:35:30.505: ISAKMP:(1244):Checking IPSec proposal 1
*Jan 29 01:35:30.505: ISAKMP: transform 5, ESP_3DES
*Jan 29 01:35:30.505: ISAKMP: attributes in transform:
*Jan 29 01:35:30.505: ISAKMP: SA life type in seconds
*Jan 29 01:35:30.505: ISAKMP: SA life duration (basic) of 28800
*Jan 29 01:35:30.505: ISAKMP: encaps is 4 (Transport-UDP)
*Jan 29 01:35:30.505: ISAKMP: authenticator is HMAC-SHA
*Jan 29 01:35:30.505: ISAKMP:(1244):atts are acceptable.
*Jan 29 01:35:30.505: ISAKMP:(1244):Checking IPSec proposal 1
*Jan 29 01:35:30.505: ISAKMP: transform 6, ESP_3DES
*Jan 29 01:35:30.505: ISAKMP: attributes in transform:
*Jan 29 01:35:30.505: ISAKMP: SA life type in seconds
*Jan 29 01:35:30.509: ISAKMP: SA life duration (basic) of 28800
*Jan 29 01:35:30.509: ISAKMP: encaps is 4 (Transport-UDP)
*Jan 29 01:35:30.509: ISAKMP: authenticator is HMAC-MD5
*Jan 29 01:35:30.509: ISAKMP:(1244):atts are acceptable.
*Jan 29 01:35:30.509: ISAKMP:(1244):Checking IPSec proposal 1
*Jan 29 01:35:30.509: ISAKMP: transform 7, ESP_DES
*Jan 29 01:35:30.509: ISAKMP: attributes in transform:
*Jan 29 01:35:30.509: ISAKMP: SA life type in seconds
*Jan 29 01:35:30.509: ISAKMP: SA life duration (basic) of 28800
*Jan 29 01:35:30.509: ISAKMP: encaps is 4 (Transport-UDP)
*Jan 29 01:35:30.509: ISAKMP: authenticator is HMAC-SHA
*Jan 29 01:35:30.509: ISAKMP:(1244):atts are acceptable.
*Jan 29 01:35:30.509: ISAKMP:(1244):Checking IPSec proposal 1
*Jan 29 01:35:30.509: ISAKMP: transform 8, ESP_DES
*Jan 29 01:35:30.509: ISAKMP: attributes in transform:
*Jan 29 01:35:30.509: ISAKMP: SA life type in seconds
*Jan 29 01:35:30.509: ISAKMP: SA life duration (basic) of 28800
*Jan 29 01:35:30.509: ISAKMP: encaps is 4 (Transport-UDP)
*Jan 29 01:35:30.509: ISAKMP: authenticator is HMAC-MD5
*Jan 29 01:35:30.509: ISAKMP:(1244):atts are acceptable.
*Jan 29 01:35:30.509: IPSEC(validate_proposal_request): proposal part #1
*Jan 29 01:35:30.509: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= <INTERNET>, remote= <ANDROID>,
local_proxy= <INTERNET>/255.255.255.255/17/1701 (type=1),
remote_proxy= <ANDROID>/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jan 29 01:35:30.509: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-sha-hmac }
*Jan 29 01:35:30.509: ISAKMP:(1244): IPSec policy invalidated proposal with error 256
*Jan 29 01:35:30.509: IPSEC(validate_proposal_request): proposal part #1
*Jan 29 01:35:30.509: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= <INTERNET>, remote= <ANDROID>,
local_proxy= <INTERNET>/255.255.255.255/17/1701 (type=1),
remote_proxy= <ANDROID>/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jan 29 01:35:30.509: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-md5-hmac }
*Jan 29 01:35:30.509: ISAKMP:(1244): IPSec policy invalidated proposal with error 256
*Jan 29 01:35:30.509: IPSEC(validate_proposal_request): proposal part #1
*Jan 29 01:35:30.509: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= <INTERNET>, remote= <ANDROID>,
local_proxy= <INTERNET>/255.255.255.255/17/1701 (type=1),
remote_proxy= <ANDROID>/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jan 29 01:35:30.513: ISAKMP:(1244): processing NONCE payload. message ID = -849535221
*Jan 29 01:35:30.513: ISAKMP:(1244): processing ID payload. message ID = -849535221
*Jan 29 01:35:30.513: ISAKMP:(1244): processing ID payload. message ID = -849535221
*Jan 29 01:35:30.513: ISAKMP:(1244):QM Responder gets spi
*Jan 29 01:35:30.513: ISAKMP:(1244):Node -849535221, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jan 29 01:35:30.513: ISAKMP:(1244):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Jan 29 01:35:30.513: ISAKMP:(1244): Creating IPSec SAs
*Jan 29 01:35:30.513: inbound SA from <ANDROID> to <INTERNET> (f/i) 0/ 0
(proxy <ANDROID> to <INTERNET>)
*Jan 29 01:35:30.513: has spi 0x4878E485 and conn_id 0
*Jan 29 01:35:30.513: lifetime of 28800 seconds
*Jan 29 01:35:30.513: outbound SA from <INTERNET> to <ANDROID> (f/i) 0/0
(proxy <INTERNET> to <ANDROID>)
*Jan 29 01:35:30.513: has spi 0xEB65E76 and conn_id 0
*Jan 29 01:35:30.513: lifetime of 28800 seconds
*Jan 29 01:35:30.517: ISAKMP:(1244): sending packet to <ANDROID> my_port 4500 peer_port 4500 (R) QM_IDLE
*Jan 29 01:35:30.517: ISAKMP:(1244):Sending an IKE IPv4 Packet.
*Jan 29 01:35:30.517: ISAKMP:(1244):Node -849535221, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Jan 29 01:35:30.517: ISAKMP:(1244):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
*Jan 29 01:35:30.517: ISAKMP: set new node -34372654 to QM_IDLE
*Jan 29 01:35:30.517: ISAKMP:(1244): sending packet to <ANDROID> my_port 4500 peer_port 4500 (R) QM_IDLE
*Jan 29 01:35:30.517: ISAKMP:(1244):Sending an IKE IPv4 Packet.
*Jan 29 01:35:30.517: ISAKMP:(1244):purging node -34372654
*Jan 29 01:35:30.517: ISAKMP:(1244):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
*Jan 29 01:35:30.517: ISAKMP:(1244):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jan 29 01:35:30.517: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jan 29 01:35:30.521: IPSEC(policy_db_add_ident): src <INTERNET>, dest <ANDROID>, dest_port 4500
*Jan 29 01:35:30.521: IPSEC(create_sa): sa created,
(sa) sa_dest= <INTERNET>, sa_proto= 50,
sa_spi= 0x4878E485(1215882373),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2055
*Jan 29 01:35:30.521: IPSEC(create_sa): sa created,
(sa) sa_dest= <ANDROID>, sa_proto= 50,
sa_spi= 0xEB65E76(246832758),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2056
*Jan 29 01:35:30.521: ISAKMP:(1243):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer <ANDROID>)
*Jan 29 01:35:30.521: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
*Jan 29 01:35:30.521: ISAKMP: Unlocking peer struct 0x64B90268 for isadb_mark_sa_deleted(), count 1
*Jan 29 01:35:30.521: ISAKMP:(1243):deleting node -1196491908 error FALSE reason "IKE deleted"
*Jan 29 01:35:30.521: ISAKMP:(1243):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 29 01:35:30.521: ISAKMP:(1243):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Jan 29 01:35:30.693: ISAKMP (0:1244): received packet from <ANDROID> dport 4500 sport 4500 Global (R) QM_IDLE
*Jan 29 01:35:30.693: ISAKMP:(1244):deleting node -849535221 error FALSE reason "QM done (await)"
*Jan 29 01:35:30.693: ISAKMP:(1244):Node -849535221, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jan 29 01:35:30.693: ISAKMP:(1244):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Jan 29 01:35:30.693: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jan 29 01:35:30.693: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Jan 29 01:35:30.693: IPSEC(key_engine_enable_outbound): enable SA with spi 246832758/50
*Jan 29 01:35:30.693: IPSEC(update_current_outbound_sa): updated peer <ANDROID> current outbound sa to SPI EB65E76
*Jan 29 01:35:32.493: %INTERFACE_API-3-NODESTROYSUBBLOCK: The SWIDB subblock named SW FIB PENDING EVENT was not removed, -Traceback= 0x60BB69F0 0x60365A1C 0x6036612C
01-29-2014 09:08 AM
Two things:
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jan 29 01:33:06.425: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-md5-hmac }
That does not look like a transform set you configured as the one to be used.
Second
%INTERFACE_API-3-NODESTROYSUBBLOCK: The SWIDB subblock named SW FIB PENDING EVENT was not removed, -Traceback= 0x60BB69F0 0x60365A1C 0x6036612C
Does not appear to be healthy. Try a new version, see if this message keeps popping up, open a TAC case.
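An added example, not part of the original thread: a small Python check that compares the phase 2 proposals in the `debug crypto ipsec` output against the transform sets in the configuration, which is the comparison the reply above makes by eye. The config and debug strings are excerpts of the text posted in this thread; the function names and report format are illustrative, and the code assumes that a bare `esp-aes` means 128-bit AES on IOS.

```python
import re

# Excerpt of the router configuration posted in the thread (indentation restored).
CONFIG = """\
crypto ipsec transform-set L2TP-TS esp-3des esp-sha-hmac
 mode transport require
crypto ipsec transform-set L2TP-TS1 esp-aes esp-sha-hmac
 mode transport require
crypto ipsec transform-set L2TP-TS2 ah-sha-hmac esp-3des
 mode transport
crypto dynamic-map dynvpn 1
 set nat demux
 set transform-set L2TP-TS1
crypto map clientmap 30 ipsec-isakmp dynamic dynvpn
"""

# Excerpt of the debug output posted in the thread.
DEBUG = """\
*Jan 29 01:35:30.509: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-sha-hmac }
*Jan 29 01:35:30.509: ISAKMP:(1244): IPSec policy invalidated proposal with error 256
*Jan 29 01:35:30.509: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-md5-hmac }
*Jan 29 01:35:30.509: ISAKMP:(1244): IPSec policy invalidated proposal with error 256
*Jan 29 01:35:30.521: IPSEC(create_sa): sa created,
(sa) sa_dest= <INTERNET>, sa_proto= 50,
sa_spi= 0x4878E485(1215882373),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2055
"""

REJECT_MARK = "transform proposal not supported for identity"


def normalise(tokens):
    """Canonical, order-independent form of a transform list.

    A numeric token is a key size and is attached to the cipher before it.
    Assumption: bare 'esp-aes' is treated as 128-bit AES.
    """
    out = []
    for tok in tokens:
        if tok.isdigit() and out:
            out[-1] = f"{out[-1]}-{tok}"
        else:
            out.append(tok)
    return frozenset("esp-aes-128" if t == "esp-aes" else t for t in out)


def parse_config(text):
    """Return ({set name: transforms}, {set names referenced by 'set transform-set'})."""
    sets, in_use = {}, set()
    for line in text.splitlines():
        words = line.split()
        if words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) > 4:
            sets[words[3]] = normalise(words[4:])
        elif words[:2] == ["set", "transform-set"]:
            in_use.update(words[2:])
    return sets, in_use


def parse_debug(text):
    """Return (rejected proposals, transforms of created SAs) from the debug text."""
    rejected, accepted, creating = [], [], False
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("*"):  # a new timestamped message starts here
            creating = "IPSEC(create_sa)" in line
        if REJECT_MARK in line:
            # The rejected transform is printed in braces on the following line.
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            m = re.search(r"\{(.*?)\}", line + " " + nxt)
            if m:
                rejected.append(normalise(m.group(1).split()))
        m = re.search(r"sa_trans=\s*(.*?)\s*,", line)
        if m and creating:  # ignore sa_trans lines that belong to delete_sa
            accepted.append(normalise(m.group(1).split()))
    return rejected, accepted


def diagnose(config, debug):
    """List each proposal with the transform sets that define it and that are in use."""
    sets, in_use = parse_config(config)
    rejected, accepted = parse_debug(debug)
    report = []
    for verdict, proposals in (("rejected", rejected), ("accepted", accepted)):
        for prop in proposals:
            defined = sorted(n for n, t in sets.items() if t == prop)
            bound = [n for n in defined if n in in_use]
            report.append((verdict, " ".join(sorted(prop)), defined, bound))
    return report


if __name__ == "__main__":
    for verdict, proposal, defined, bound in diagnose(CONFIG, DEBUG):
        print(f"{verdict:9} {proposal:28} defined={defined} in-use={bound}")
```

A rejected proposal with an empty `defined` list matches no configured transform set at all; one that is defined but not in use exists in the configuration without being referenced by a crypto map entry.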
01-29-2014 09:17 AM
Thanks. I fixed that transform set issue but still no luck. The proposals are chosen now:
*Jan 29 15:43:45.982: ISAKMP (0:0): received packet from
*Jan 29 15:43:45.982: ISAKMP: Created a peer struct for
*Jan 29 15:43:45.982: ISAKMP: New peer created peer = 0x63FCE984 peer_handle = 0x80000B6C
*Jan 29 15:43:45.986: ISAKMP: Locking peer struct 0x63FCE984, refcount 1 for crypto_isakmp_process_block
*Jan 29 15:43:45.986: ISAKMP: local port 500, remote port 500
*Jan 29 15:43:45.986: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6409866C
*Jan 29 15:43:45.986: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 29 15:43:45.986: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Jan 29 15:43:45.986: ISAKMP:(0): processing SA payload. message ID = 0
*Jan 29 15:43:45.986: ISAKMP:(0): processing vendor id payload
*Jan 29 15:43:45.986: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 29 15:43:45.986: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Jan 29 15:43:45.986: ISAKMP:(0): processing vendor id payload
*Jan 29 15:43:45.986: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*Jan 29 15:43:45.986: ISAKMP:(0): processing vendor id payload
*Jan 29 15:43:45.986: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jan 29 15:43:45.986: ISAKMP:(0): vendor ID is NAT-T v2
*Jan 29 15:43:45.986: ISAKMP:(0): processing vendor id payload
*Jan 29 15:43:45.986: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
*Jan 29 15:43:45.986: ISAKMP:(0): processing vendor id payload
*Jan 29 15:43:45.986: ISAKMP:(0): processing IKE frag vendor id payload
*Jan 29 15:43:45.986: ISAKMP:(0): vendor ID is IKE Fragmentation
*Jan 29 15:43:45.986: ISAKMP:(0): MM Fragmentation supported
*Jan 29 15:43:45.986: ISAKMP:(0): processing vendor id payload
*Jan 29 15:43:45.986: ISAKMP:(0): vendor ID is DPD
*Jan 29 15:43:45.990: ISAKMP:(0):found peer pre-shared key matching
*Jan 29 15:43:45.990: ISAKMP:(0): local preshared key found
*Jan 29 15:43:45.990: ISAKMP : Scanning profiles for xauth ...
*Jan 29 15:43:45.990: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jan 29 15:43:45.990: ISAKMP: life type in seconds
*Jan 29 15:43:45.990: ISAKMP: life duration (basic) of 28800
*Jan 29 15:43:45.990: ISAKMP: encryption AES-CBC
*Jan 29 15:43:45.990: ISAKMP: keylength of 256
*Jan 29 15:43:45.990: ISAKMP: auth pre-share
*Jan 29 15:43:45.990: ISAKMP: hash SHA
*Jan 29 15:43:45.990: ISAKMP: default group 2
*Jan 29 15:43:45.990: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan 29 15:43:45.990: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan 29 15:43:45.990: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Jan 29 15:43:45.990: ISAKMP: life type in seconds
*Jan 29 15:43:45.990: ISAKMP: life duration (basic) of 28800
*Jan 29 15:43:45.990: ISAKMP: encryption AES-CBC
*Jan 29 15:43:45.990: ISAKMP: keylength of 256
*Jan 29 15:43:45.990: ISAKMP: auth pre-share
*Jan 29 15:43:45.990: ISAKMP: hash MD5
*Jan 29 15:43:45.990: ISAKMP: default group 2
*Jan 29 15:43:45.990: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan 29 15:43:45.990: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan 29 15:43:45.990: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Jan 29 15:43:45.990: ISAKMP: life type in seconds
*Jan 29 15:43:45.990: ISAKMP: life duration (basic) of 28800
*Jan 29 15:43:45.990: ISAKMP: encryption AES-CBC
*Jan 29 15:43:45.990: ISAKMP: keylength of 128
*Jan 29 15:43:45.990: ISAKMP: auth pre-share
*Jan 29 15:43:45.990: ISAKMP: hash SHA
*Jan 29 15:43:45.990: ISAKMP: default group 2
*Jan 29 15:43:45.990: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan 29 15:43:45.990: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan 29 15:43:45.990: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Jan 29 15:43:45.990: ISAKMP: life type in seconds
*Jan 29 15:43:45.990: ISAKMP: life duration (basic) of 28800
*Jan 29 15:43:45.990: ISAKMP: encryption AES-CBC
*Jan 29 15:43:45.990: ISAKMP: keylength of 128
*Jan 29 15:43:45.990: ISAKMP: auth pre-share
*Jan 29 15:43:45.990: ISAKMP: hash MD5
*Jan 29 15:43:45.990: ISAKMP: default group 2
*Jan 29 15:43:45.990: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan 29 15:43:45.990: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan 29 15:43:45.990: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Jan 29 15:43:45.990: ISAKMP: life type in seconds
*Jan 29 15:43:45.990: ISAKMP: life duration (basic) of 28800
*Jan 29 15:43:45.990: ISAKMP: encryption 3DES-CBC
*Jan 29 15:43:45.990: ISAKMP: auth pre-share
*Jan 29 15:43:45.990: ISAKMP: hash SHA
*Jan 29 15:43:45.994: ISAKMP: default group 2
*Jan 29 15:43:45.994: ISAKMP:(0):atts are acceptable. Next payload is 3
*Jan 29 15:43:45.994: ISAKMP:(0):Acceptable atts:actual life: 3600
*Jan 29 15:43:45.994: ISAKMP:(0):Acceptable atts:life: 0
*Jan 29 15:43:45.994: ISAKMP:(0):Basic life_in_seconds:28800
*Jan 29 15:43:45.994: ISAKMP:(0):Returning Actual lifetime: 3600
*Jan 29 15:43:45.994: ISAKMP:(0)::Started lifetime timer: 3600.
*Jan 29 15:43:45.994: ISAKMP:(0): processing vendor id payload
*Jan 29 15:43:45.994: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 29 15:43:45.994: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Jan 29 15:43:45.994: ISAKMP:(0): processing vendor id payload
*Jan 29 15:43:45.994: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*Jan 29 15:43:45.994: ISAKMP:(0): processing vendor id payload
*Jan 29 15:43:45.994: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jan 29 15:43:45.994: ISAKMP:(0): vendor ID is NAT-T v2
*Jan 29 15:43:45.994: ISAKMP:(0): processing vendor id payload
*Jan 29 15:43:45.994: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
*Jan 29 15:43:45.994: ISAKMP:(0): processing vendor id payload
*Jan 29 15:43:45.994: ISAKMP:(0): processing IKE frag vendor id payload
*Jan 29 15:43:45.994: ISAKMP:(0): vendor ID is IKE Fragmentation
*Jan 29 15:43:45.994: ISAKMP:(0): MM Fragmentation supported
*Jan 29 15:43:45.994: ISAKMP:(0): processing vendor id payload
*Jan 29 15:43:45.994: ISAKMP:(0): vendor ID is DPD
*Jan 29 15:43:45.994: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 29 15:43:45.994: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Jan 29 15:43:45.998: ISAKMP:(0):sending IKE_FRAG vendor ID
*Jan 29 15:43:45.998: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jan 29 15:43:45.998: ISAKMP:(0): sending packet to
*Jan 29 15:43:45.998: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 29 15:43:45.998: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 29 15:43:45.998: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Jan 29 15:43:46.194: ISAKMP (0:0): received packet from
*Jan 29 15:43:46.194: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 29 15:43:46.194: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Jan 29 15:43:46.194: ISAKMP:(0): processing KE payload. message ID = 0
*Jan 29 15:43:46.262: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jan 29 15:43:46.262: ISAKMP:(0):found peer pre-shared key matching
*Jan 29 15:43:46.262: ISAKMP:received payload type 20
*Jan 29 15:43:46.262: ISAKMP:received payload type 20
*Jan 29 15:43:46.266: ISAKMP (0:1299): NAT found, the node outside NAT
*Jan 29 15:43:46.266: ISAKMP:(1299):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 29 15:43:46.266: ISAKMP:(1299):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Jan 29 15:43:46.266: ISAKMP:(1299): sending packet to
*Jan 29 15:43:46.266: ISAKMP:(1299):Sending an IKE IPv4 Packet.
*Jan 29 15:43:46.266: ISAKMP:(1299):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 29 15:43:46.266: ISAKMP:(1299):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Jan 29 15:43:46.450: ISAKMP (0:1299): received packet from
*Jan 29 15:43:46.454: ISAKMP:(1299):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 29 15:43:46.454: ISAKMP:(1299):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Jan 29 15:43:46.454: ISAKMP:(1299): processing ID payload. message ID = 0
*Jan 29 15:43:46.454: ISAKMP (0:1299): ID payload
next-payload : 8
type : 1
address : 192.170.100.113
protocol : 17
port : 500
length : 12
*Jan 29 15:43:46.454: ISAKMP:(0):: peer matches *none* of the profiles
*Jan 29 15:43:46.454: ISAKMP:(1299): processing HASH payload. message ID = 0
*Jan 29 15:43:46.454: ISAKMP:(1299):SA authentication status:
authenticated
*Jan 29 15:43:46.454: ISAKMP:(1299):SA has been authenticated with
*Jan 29 15:43:46.454: ISAKMP:(1299):Detected port floating to port = 4500
*Jan 29 15:43:46.454: ISAKMP: Trying to insert a peer
*Jan 29 15:43:46.454: ISAKMP: Unlocking peer struct 0x63FCE984 Reuse existing peer, count 0
*Jan 29 15:43:46.454: ISAKMP: Deleting peer node by peer_reap for
*Jan 29 15:43:46.454: ISAKMP: Locking peer struct 0x655D4AF4, refcount 2 for Reuse existing peer
*Jan 29 15:43:46.454: ISAKMP:(1299):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 29 15:43:46.454: ISAKMP:(1299):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Jan 29 15:43:46.454: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jan 29 15:43:46.458: ISAKMP:(1299):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jan 29 15:43:46.458: ISAKMP (0:1299): ID payload
next-payload : 8
type : 1
address :
protocol : 17
port : 0
length : 12
*Jan 29 15:43:46.458: ISAKMP:(1299):Total payload length: 12
*Jan 29 15:43:46.458: ISAKMP:(1299): sending packet to
*Jan 29 15:43:46.458: ISAKMP:(1299):Sending an IKE IPv4 Packet.
*Jan 29 15:43:46.458: ISAKMP:(1299):Returning Actual lifetime: 3600
*Jan 29 15:43:46.458: ISAKMP: set new node -2086118910 to QM_IDLE
*Jan 29 15:43:46.458: ISAKMP:(1299):Sending NOTIFY RESPONDER_LIFETIME protocol 1
spi 1688401496, message ID = -2086118910
*Jan 29 15:43:46.458: ISAKMP:(1299): sending packet to
*Jan 29 15:43:46.458: ISAKMP:(1299):Sending an IKE IPv4 Packet.
*Jan 29 15:43:46.458: ISAKMP:(1299):purging node -2086118910
*Jan 29 15:43:46.462: ISAKMP: Sending phase 1 responder lifetime 3600
*Jan 29 15:43:46.462: ISAKMP:(1299):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 29 15:43:46.462: ISAKMP:(1299):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Jan 29 15:43:46.462: ISAKMP:(1299):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jan 29 15:43:46.462: ISAKMP:(1299):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jan 29 15:43:46.590: ISAKMP (0:1299): received packet from
*Jan 29 15:43:46.590: ISAKMP: set new node -825415819 to QM_IDLE
*Jan 29 15:43:46.590: ISAKMP:(1299): processing HASH payload. message ID = -825415819
*Jan 29 15:43:46.590: ISAKMP:(1299): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = -825415819, sa = 6409866C
*Jan 29 15:43:46.590: ISAKMP:(1299):SA authentication status:
authenticated
*Jan 29 15:43:46.590: ISAKMP:(1299): Process initial contact,
bring down existing phase 1 and 2 SA's with local
*Jan 29 15:43:46.590: ISAKMP:(1298):received initial contact, deleting SA
*Jan 29 15:43:46.590: ISAKMP:(1298):peer does not do paranoid keepalives.
*Jan 29 15:43:46.590: ISAKMP:(1298):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer
*Jan 29 15:43:46.594: ISAKMP:(1299):deleting node -825415819 error FALSE reason "Informational (in) state 1"
*Jan 29 15:43:46.594: ISAKMP:(1299):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jan 29 15:43:46.594: ISAKMP:(1299):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jan 29 15:43:46.594: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jan 29 15:43:46.594: Delete IPsec SA by IC, local
*Jan 29 15:43:46.594: IPSEC(delete_sa): deleting SA,
(sa) sa_dest=
sa_spi= 0x1195A763(295020387),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 2093,
(identity) local=
local_proxy=
remote_proxy=
*Jan 29 15:43:46.594: IPSEC(update_current_outbound_sa): updated peer
*Jan 29 15:43:46.594: IPSEC(delete_sa): deleting SA,
(sa) sa_dest=
sa_spi= 0x33196AE(53581486),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 2094,
(identity) local=
local_proxy=
remote_proxy=
*Jan 29 15:43:46.598: ISAKMP: set new node -1056199272 to QM_IDLE
*Jan 29 15:43:46.598: ISAKMP:(1298):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jan 29 15:43:46.598: ISAKMP:(1298):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Jan 29 15:43:46.598: ISAKMP: set new node -167706179 to QM_IDLE
*Jan 29 15:43:46.598: ISAKMP:(1299): sending packet to
*Jan 29 15:43:46.598: ISAKMP:(1299):Sending an IKE IPv4 Packet.
*Jan 29 15:43:46.598: ISAKMP:(1299):purging node -167706179
*Jan 29 15:43:46.598: ISAKMP:(1299):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
*Jan 29 15:43:46.598: ISAKMP:(1299):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jan 29 15:43:46.602: ISAKMP:(1298):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer
*Jan 29 15:43:46.602: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
*Jan 29 15:43:46.602: ISAKMP: Unlocking peer struct 0x655D4AF4 for isadb_mark_sa_deleted(), count 1
*Jan 29 15:43:46.602: ISAKMP:(1298):deleting node -1056199272 error FALSE reason "IKE deleted"
*Jan 29 15:43:46.602: ISAKMP:(1298):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 29 15:43:46.602: ISAKMP:(1298):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Jan 29 15:43:47.750: ISAKMP (0:1299): received packet from
*Jan 29 15:43:47.750: ISAKMP: set new node -930304950 to QM_IDLE
*Jan 29 15:43:47.750: ISAKMP:(1299): processing HASH payload. message ID = -930304950
*Jan 29 15:43:47.750: ISAKMP:(1299): processing SA payload. message ID = -930304950
*Jan 29 15:43:47.750: ISAKMP:(1299):Checking IPSec proposal 1
*Jan 29 15:43:47.750: ISAKMP: transform 1, ESP_AES
*Jan 29 15:43:47.750: ISAKMP: attributes in transform:
*Jan 29 15:43:47.750: ISAKMP: SA life type in seconds
*Jan 29 15:43:47.750: ISAKMP: SA life duration (basic) of 28800
*Jan 29 15:43:47.750: ISAKMP: encaps is 4 (Transport-UDP)
*Jan 29 15:43:47.750: ISAKMP: key length is 256
*Jan 29 15:43:47.750: ISAKMP: authenticator is HMAC-SHA
*Jan 29 15:43:47.750: ISAKMP:(1299):atts are acceptable.
*Jan 29 15:43:47.750: ISAKMP:(1299):Checking IPSec proposal 1
*Jan 29 15:43:47.750: ISAKMP: transform 2, ESP_AES
*Jan 29 15:43:47.750: ISAKMP: attributes in transform:
*Jan 29 15:43:47.750: ISAKMP: SA life type in seconds
*Jan 29 15:43:47.750: ISAKMP: SA life duration (basic) of 28800
*Jan 29 15:43:47.750: ISAKMP: encaps is 4 (Transport-UDP)
*Jan 29 15:43:47.750: ISAKMP: key length is 256
*Jan 29 15:43:47.750: ISAKMP: authenticator is HMAC-MD5
*Jan 29 15:43:47.754: ISAKMP:(1299):atts are acceptable.
*Jan 29 15:43:47.754: ISAKMP:(1299):Checking IPSec proposal 1
*Jan 29 15:43:47.754: ISAKMP: transform 3, ESP_AES
*Jan 29 15:43:47.754: ISAKMP: attributes in transform:
*Jan 29 15:43:47.754: ISAKMP: SA life type in seconds
*Jan 29 15:43:47.754: ISAKMP: SA life duration (basic) of 28800
*Jan 29 15:43:47.754: ISAKMP: encaps is 4 (Transport-UDP)
*Jan 29 15:43:47.754: ISAKMP: key length is 128
*Jan 29 15:43:47.754: ISAKMP: authenticator is HMAC-SHA
*Jan 29 15:43:47.754: ISAKMP:(1299):atts are acceptable.
*Jan 29 15:43:47.754: ISAKMP:(1299):Checking IPSec proposal 1
*Jan 29 15:43:47.754: ISAKMP: transform 4, ESP_AES
*Jan 29 15:43:47.754: ISAKMP: attributes in transform:
*Jan 29 15:43:47.754: ISAKMP: SA life type in seconds
*Jan 29 15:43:47.754: ISAKMP: SA life duration (basic) of 28800
*Jan 29 15:43:47.754: ISAKMP: encaps is 4 (Transport-UDP)
*Jan 29 15:43:47.754: ISAKMP: key length is 128
*Jan 29 15:43:47.754: ISAKMP: authenticator is HMAC-MD5
*Jan 29 15:43:47.754: ISAKMP:(1299):atts are acceptable.
*Jan 29 15:43:47.754: ISAKMP:(1299):Checking IPSec proposal 1
*Jan 29 15:43:47.754: ISAKMP: transform 5, ESP_3DES
*Jan 29 15:43:47.754: ISAKMP: attributes in transform:
*Jan 29 15:43:47.754: ISAKMP: SA life type in seconds
*Jan 29 15:43:47.754: ISAKMP: SA life duration (basic) of 28800
*Jan 29 15:43:47.754: ISAKMP: encaps is 4 (Transport-UDP)
*Jan 29 15:43:47.754: ISAKMP: authenticator is HMAC-SHA
*Jan 29 15:43:47.754: ISAKMP:(1299):atts are acceptable.
*Jan 29 15:43:47.754: ISAKMP:(1299):Checking IPSec proposal 1
*Jan 29 15:43:47.754: ISAKMP: transform 6, ESP_3DES
*Jan 29 15:43:47.754: ISAKMP: attributes in transform:
*Jan 29 15:43:47.754: ISAKMP: SA life type in seconds
*Jan 29 15:43:47.754: ISAKMP: SA life duration (basic) of 28800
*Jan 29 15:43:47.754: ISAKMP: encaps is 4 (Transport-UDP)
*Jan 29 15:43:47.754: ISAKMP: authenticator is HMAC-MD5
*Jan 29 15:43:47.754: ISAKMP:(1299):atts are acceptable.
*Jan 29 15:43:47.754: ISAKMP:(1299):Checking IPSec proposal 1
*Jan 29 15:43:47.754: ISAKMP: transform 7, ESP_DES
*Jan 29 15:43:47.754: ISAKMP: attributes in transform:
*Jan 29 15:43:47.754: ISAKMP: SA life type in seconds
*Jan 29 15:43:47.754: ISAKMP: SA life duration (basic) of 28800
*Jan 29 15:43:47.754: ISAKMP: encaps is 4 (Transport-UDP)
*Jan 29 15:43:47.754: ISAKMP: authenticator is HMAC-SHA
*Jan 29 15:43:47.754: ISAKMP:(1299):atts are acceptable.
*Jan 29 15:43:47.754: ISAKMP:(1299):Checking IPSec proposal 1
*Jan 29 15:43:47.754: ISAKMP: transform 8, ESP_DES
*Jan 29 15:43:47.754: ISAKMP: attributes in transform:
*Jan 29 15:43:47.754: ISAKMP: SA life type in seconds
*Jan 29 15:43:47.754: ISAKMP: SA life duration (basic) of 28800
*Jan 29 15:43:47.754: ISAKMP: encaps is 4 (Transport-UDP)
*Jan 29 15:43:47.754: ISAKMP: authenticator is HMAC-MD5
*Jan 29 15:43:47.754: ISAKMP:(1299):atts are acceptable.
*Jan 29 15:43:47.758: IPSEC(validate_proposal_request): proposal part #1
*Jan 29 15:43:47.758: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local=
local_proxy=
remote_proxy=
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jan 29 15:43:47.758: ISAKMP:(1299): processing NONCE payload. message ID = -930304950
*Jan 29 15:43:47.758: ISAKMP:(1299): processing ID payload. message ID = -930304950
*Jan 29 15:43:47.758: ISAKMP:(1299): processing ID payload. message ID = -930304950
*Jan 29 15:43:47.758: ISAKMP:(1299):QM Responder gets spi
*Jan 29 15:43:47.758: ISAKMP:(1299):Node -930304950, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jan 29 15:43:47.758: ISAKMP:(1299):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Jan 29 15:43:47.758: ISAKMP:(1299): Creating IPSec SAs
*Jan 29 15:43:47.762: inbound SA from
(proxy
*Jan 29 15:43:47.762: has spi 0x9E62C88A and conn_id 0
*Jan 29 15:43:47.762: lifetime of 28800 seconds
*Jan 29 15:43:47.762: outbound SA from
(proxy
*Jan 29 15:43:47.762: has spi 0x560114E and conn_id 0
*Jan 29 15:43:47.762: lifetime of 28800 seconds
*Jan 29 15:43:47.762: ISAKMP:(1299): sending packet to
*Jan 29 15:43:47.762: ISAKMP:(1299):Sending an IKE IPv4 Packet.
*Jan 29 15:43:47.762: ISAKMP:(1299):Node -930304950, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Jan 29 15:43:47.762: ISAKMP:(1299):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
*Jan 29 15:43:47.762: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jan 29 15:43:47.762: IPSEC(policy_db_add_ident): src
*Jan 29 15:43:47.762: IPSEC(create_sa): sa created,
(sa) sa_dest=
sa_spi= 0x9E62C88A(2657273994),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 2095
*Jan 29 15:43:47.762: IPSEC(create_sa): sa created,
(sa) sa_dest=
sa_spi= 0x560114E(90181966),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 2096
*Jan 29 15:43:47.886: ISAKMP (0:1299): received packet from
*Jan 29 15:43:47.890: ISAKMP:(1299):deleting node -930304950 error FALSE reason "QM done (await)"
*Jan 29 15:43:47.890: ISAKMP:(1299):Node -930304950, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jan 29 15:43:47.890: ISAKMP:(1299):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Jan 29 15:43:47.890: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jan 29 15:43:47.890: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Jan 29 15:43:47.890: IPSEC(key_engine_enable_outbound): enable SA with spi 90181966/50
*Jan 29 15:43:47.890: IPSEC(update_current_outbound_sa): updated peer
*Jan 29 15:44:10.598: ISAKMP:(1296):purging node -1355843683
*Jan 29 15:44:10.598: ISAKMP:(1296):purging node 547877735
*Jan 29 15:44:10.598: ISAKMP:(1296):purging node -1647095265
*Jan 29 15:44:20.598: ISAKMP:(1296):purging SA., sa=640A43BC, delme=640A43BC
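Added example, not part of the original post: a small Python parser for IOS `debug crypto isakmp` / `debug crypto ipsec` output like the log above. It reports which Phase 1 transform the router accepted, whether NAT-T port floating occurred, whether both phases completed, and which IPsec SAs were created. The sample is an excerpt copied from the log above; `summarize` and its field names are assumptions of this example.

```python
import re

# Excerpt copied from the debug output posted above.
SAMPLE = """\
*Jan 29 15:43:45.990: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Jan 29 15:43:45.990: ISAKMP: encryption AES-CBC
*Jan 29 15:43:45.990: ISAKMP: keylength of 128
*Jan 29 15:43:45.990: ISAKMP: hash MD5
*Jan 29 15:43:45.990: ISAKMP: default group 2
*Jan 29 15:43:45.990: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan 29 15:43:45.990: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan 29 15:43:45.990: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Jan 29 15:43:45.990: ISAKMP: encryption 3DES-CBC
*Jan 29 15:43:45.990: ISAKMP: hash SHA
*Jan 29 15:43:45.994: ISAKMP: default group 2
*Jan 29 15:43:45.994: ISAKMP:(0):atts are acceptable. Next payload is 3
*Jan 29 15:43:46.454: ISAKMP:(1299):Detected port floating to port = 4500
*Jan 29 15:43:46.462: ISAKMP:(1299):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Jan 29 15:43:47.762: IPSEC(create_sa): sa created,
(sa) sa_dest=
sa_spi= 0x9E62C88A(2657273994),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 2095
*Jan 29 15:43:47.890: ISAKMP:(1299):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
"""

STAMP = re.compile(r"^\*\w{3}\s+\d+\s+[\d:.]+:\s*")   # "*Jan 29 15:43:45.990: "
ATTR = {"encryption": "encryption", "keylength of": "keylength", "hash": "hash", "default group": "group"}

def summarize(log):
    """Walk the debug output and report how far the IKE/IPsec negotiation got."""
    out = {"offers": [], "selected": None, "nat_t_port": None,
           "phase1_complete": False, "phase2_complete": False, "ipsec_sas": []}
    offer, in_sa = None, False   # current Phase 1 transform; inside a create_sa record
    for raw in log.splitlines():
        line = STAMP.sub("", raw.strip())
        if m := re.search(r"Checking ISAKMP transform (\d+) against", line):
            offer = {"id": int(m.group(1)), "accepted": None, "reason": None}
            out["offers"].append(offer)
        elif offer and (m := re.match(r"ISAKMP:\s+(encryption|keylength of|hash|default group)\s+(\S+)", line)):
            offer[ATTR[m.group(1)]] = m.group(2)
        elif offer and "does not match policy" in line:
            offer["reason"] = line.split("):", 1)[-1]      # text after "ISAKMP:(n):"
        elif offer and (m := re.search(r"atts are (not )?acceptable", line)):
            offer["accepted"] = m.group(1) is None
            if offer["accepted"]:
                out["selected"] = offer
            offer = None   # later "atts are acceptable" lines belong to Phase 2 proposals
        elif m := re.search(r"port floating to port = (\d+)", line):
            out["nat_t_port"] = int(m.group(1))
        elif m := re.search(r"New State = (\S+)", line):
            out["phase1_complete"] |= m.group(1) == "IKE_P1_COMPLETE"
            out["phase2_complete"] |= m.group(1) == "IKE_QM_PHASE2_COMPLETE"
        elif "IPSEC(create_sa): sa created" in line:
            in_sa = True   # spi/transform follow on unstamped continuation lines
            out["ipsec_sas"].append({})
        elif in_sa and (m := re.match(r"sa_spi= (0x[0-9A-Fa-f]+)", line)):
            out["ipsec_sas"][-1]["spi"] = m.group(1)
        elif in_sa and (m := re.match(r"sa_trans= (.*?)\s*, sa_conn_id= (\d+)", line)):
            out["ipsec_sas"][-1].update(transform=m.group(1), conn_id=int(m.group(2)))
            in_sa = False
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the full log this gives one summary per capture; a run where `phase1_complete` and `phase2_complete` are both true points the investigation past IKE/IPsec, toward the L2TP and PPP layers carried inside the SA.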
01-29-2014 09:28 AM
TBH, doesn't look like there's anything wrong with IPsec on this end (I'm stressing _IPsec_ and _this_ end).
01-29-2014 09:36 AM
Yeah, that is why I am stumped. And iOS devices work fine.
10-06-2017 08:12 PM
I have exactly the same problem with Android 8.0 connecting to a Cisco ISR 4000, IOS XE version 16.6, while Windows 10 and iPhone/iPad iOS 11.0.2 work perfectly. I managed to find an old Android 4.1 for testing the connection. No luck either. Seems Android phones don't fit Cisco routers' L2TP/IPSec tunnel at all.