
L2TP over IPsec doesn't work for Android on router 4331 (16.12x)

lipengxin
Level 1

Hi, I have a problem connecting Android to the 4331 VPN over L2TP/IPsec. Win10, Win11 and iPhone connect to the VPN fine. Which config did I miss? Please help me fix it. Thanks!

 

version 16.12
aaa new-model
!
!
aaa authentication ppp l2tp group radius local
aaa authorization network default group radius
!
!
!
!
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
!
license boot level appxk9
license boot level securityk9
!
!
!
crypto isakmp policy 10
encryption 3des
authentication pre-share
group 2
crypto isakmp key xxxxx address 0.0.0.0
!
!
crypto ipsec transform-set L2TP-SET esp-3des esp-sha-hmac
mode transport
!
!
!
crypto dynamic-map dyn-map 10
set nat demux
set transform-set L2TP-SET
!
!
crypto map outsidemap 1000 ipsec-isakmp dynamic dyn-map
!
!
interface Loopback100
ip address 10.10.100.2 255.255.255.255
!
interface GigabitEthernet0/0/1
ip address x.x.x.x 255.255.255.248
media-type rj45
negotiation auto
crypto map outsidemap
!
!
interface Virtual-Template1
ip unnumbered Loopback100
ip tcp adjust-mss 1450
ip policy route-map gz-l2tp
peer default ip address pool gz-l2tp-user
ppp authentication ms-chap-v2 l2tp
!
ip local pool gz-l2tp-user 172.26.60.0 172.26.60.253

ip route 0.0.0.0 0.0.0.0 x.x.x.x

!
ip access-list extended gz-l2tp
10 permit ip 172.26.60.0 0.0.0.255 host 8.8.8.8
20 permit ip 172.26.60.0 0.0.0.255 host x.x.x.x
30 permit ip 172.26.60.0 0.0.0.255 any
!
ip radius source-interface GigabitEthernet0/0/0
!
!
route-map gz-l2tp permit 10
match ip address gz-l2tp
set ip next-hop 172.26.0.7
!
radius server gzradius65
address ipv4 172.26.0.65 auth-port 1812 acct-port 1813
key xxxxxxx
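
The posted `crypto isakmp policy 10` accepts exactly one combination of phase 1 attributes. The following added example (not part of the original post, and not Cisco's implementation) models the responder-side comparison so the outcome for each offered transform can be checked offline. The offer list is constructed, modelled on the debug output posted later in the thread, and the hash and lifetime defaults are assumptions.

```python
import re

# IKEv1 policy lines copied from the posted configuration (indentation was
# already lost on the page, so sub-commands are recognised by keyword).
CONFIG = """\
crypto isakmp policy 10
encryption 3des
authentication pre-share
group 2
crypto isakmp key xxxxx address 0.0.0.0
"""

# Assumption: attributes not shown in the posted policy are SHA-1 and 86400 s.
DEFAULTS = {"hash": "sha", "lifetime": 86400}

# Constructed offer list modelled on the thread's debug output: AES-256,
# AES-128 and 3DES, each with SHA-256, SHA-1 and MD5, PSK, group 2, 28800 s.
OFFERS = [
    {"encryption": enc, "keylen": klen, "hash": h,
     "authentication": "pre-share", "group": 2, "lifetime": 28800}
    for enc, klen in (("aes", 256), ("aes", 128), ("3des", None))
    for h in ("sha256", "sha", "md5")
]

# Comparison order; checking encryption before hash mirrors the debug messages.
CHECKS = ("encryption", "keylen", "hash", "authentication", "group")


def parse_isakmp_policies(config):
    """Return {priority: attributes} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", " ".join(words))
        if m:
            current = dict(DEFAULTS)
            policies[int(m.group(1))] = current
        elif current is None:
            continue
        elif words[0] == "encryption":
            current["encryption"] = words[1]
            # 'encryption aes' without a size means a 128-bit key.
            default_len = 128 if words[1] == "aes" else None
            current["keylen"] = int(words[2]) if len(words) > 2 else default_len
        elif words[0] in ("authentication", "hash"):
            current[words[0]] = words[1]
        elif words[0] in ("group", "lifetime"):
            current[words[0]] = int(words[1])
        else:
            current = None  # any other command ends the policy block
    return policies


def first_mismatch(offer, policy):
    """Name the first attribute that rules the offer out, or None if it fits."""
    for attr in CHECKS:
        if offer.get(attr) != policy.get(attr):
            return attr
    # The peer's lifetime must be less than or equal to the local one.
    if offer["lifetime"] > policy["lifetime"]:
        return "lifetime"
    return None


def negotiate(offers, policy):
    """Return (accepted transform number or None, agreed lifetime, trace)."""
    trace = []
    for number, offer in enumerate(offers, start=1):
        reason = first_mismatch(offer, policy)
        trace.append((number, reason))
        if reason is None:
            return number, min(offer["lifetime"], policy["lifetime"]), trace
    return None, None, trace


if __name__ == "__main__":
    policy = parse_isakmp_policies(CONFIG)[10]
    number, lifetime, trace = negotiate(OFFERS, policy)
    for n, reason in trace:
        print(f"transform {n}: " + (f"rejected ({reason})" if reason else "accepted"))
    print("selected transform:", number, "lifetime:", lifetime)
```

With the posted policy the model rejects every AES offer and settles on 3DES with SHA-1, so phase 1 completes on the weakest combination the client is willing to send.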


Accepted Solutions

lipengxin
Level 1

I heard from my customer that the VPN will work with IKEv2, because Android only supports IKEv2... funny.


follow

lipengxin
Level 1

I captured some debug info when Android connected to the VPN; hope it helps to find the issue. Thanks.

---------------------------------------------------------------------------------------------------------------

*Dec 19 07:25:28.493: ISAKMP-PAK: (0):received packet from andriod-ip dport 500 sport 22202 Global (N) NEW SA
*Dec 19 07:25:28.493: ISAKMP: (0):Created a peer struct for andriod-ip, peer port 22202
*Dec 19 07:25:28.494: ISAKMP: (0):New peer created peer = 0x80007F3AD147AF20 peer_handle = 0x800000004000008F
*Dec 19 07:25:28.494: ISAKMP: (0):Locking peer struct 0x80007F3AD147AF20, refcount 1 for crypto_isakmp_process_block
*Dec 19 07:25:28.494: ISAKMP: (0):local port 500, remote port 22202
*Dec 19 07:25:28.494: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 80007F3AD18FD0E0
*Dec 19 07:25:28.494: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 19 07:25:28.494: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1

*Dec 19 07:25:28.494: ISAKMP: (0):processing SA payload. message ID = 0
*Dec 19 07:25:28.494: ISAKMP: (0):processing vendor id payload
*Dec 19 07:25:28.495: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
*Dec 19 07:25:28.495: ISAKMP: (0):vendor ID is NAT-T RFC 3947
*Dec 19 07:25:28.495: ISAKMP: (0):processing vendor id payload
*Dec 19 07:25:28.495: ISAKMP: (0):vendor ID seems Unity/DPD but major 164 mismatch
*Dec 19 07:25:28.495: ISAKMP: (0):processing vendor id payload
*Dec 19 07:25:28.495: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
*Dec 19 07:25:28.495: ISAKMP: (0):vendor ID is NAT-T v2
*Dec 19 07:25:28.495: ISAKMP: (0):processing vendor id payload
*Dec 19 07:25:28.495: ISAKMP: (0):vendor ID seems Unity/DPD but major 221 mismatch
*Dec 19 07:25:28.495: ISAKMP: (0):processing vendor id payload
*Dec 19 07:25:28.495: ISAKMP: (0):processing IKE frag vendor id payload
*Dec 19 07:25:28.495: ISAKMP: (0):Support for IKE Fragmentation not enabled
*Dec 19 07:25:28.495: ISAKMP: (0):processing vendor id payload
*Dec 19 07:25:28.495: ISAKMP: (0):vendor ID is DPD
*Dec 19 07:25:28.495: ISAKMP: (0):found peer pre-shared key matching andriod-ip
*Dec 19 07:25:28.496: ISAKMP: (0):local preshared key found
*Dec 19 07:25:28.496: ISAKMP: (0):Scanning profiles for xauth ...
*Dec 19 07:25:28.496: ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
*Dec 19 07:25:28.496: ISAKMP: (0): life type in seconds
*Dec 19 07:25:28.496: ISAKMP: (0): life duration (basic) of 28800
*Dec 19 07:25:28.496: ISAKMP: (0): encryption AES-CBC
*Dec 19 07:25:28.496: ISAKMP: (0): keylength of 256
*Dec 19 07:25:28.496: ISAKMP: (0): auth pre-share
*Dec 19 07:25:28.496: ISAKMP: (0): hash SHA256
*Dec 19 07:25:28.496: ISAKMP: (0): default group 2
*Dec 19 07:25:28.496: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
*Dec 19 07:25:28.496: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Dec 19 07:25:28.496: ISAKMP: (0):Checking ISAKMP transform 2 against priority 10 policy
*Dec 19 07:25:28.496: ISAKMP: (0): life type in seconds
*Dec 19 07:25:28.496: ISAKMP: (0): life duration (basic) of 28800
*Dec 19 07:25:28.496: ISAKMP: (0): encryption AES-CBC
*Dec 19 07:25:28.497: ISAKMP: (0): keylength of 256
*Dec 19 07:25:28.497: ISAKMP: (0): auth pre-share
*Dec 19 07:25:28.497: ISAKMP: (0): hash SHA
*Dec 19 07:25:28.497: ISAKMP: (0): default group 2
*Dec 19 07:25:28.497: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
*Dec 19 07:25:28.497: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Dec 19 07:25:28.497: ISAKMP: (0):Checking ISAKMP transform 3 against priority 10 policy
*Dec 19 07:25:28.497: ISAKMP: (0): life type in seconds
*Dec 19 07:25:28.497: ISAKMP: (0): life duration (basic) of 28800
*Dec 19 07:25:28.497: ISAKMP: (0): encryption AES-CBC
*Dec 19 07:25:28.497: ISAKMP: (0): keylength of 256
*Dec 19 07:25:28.497: ISAKMP: (0): auth pre-share
*Dec 19 07:25:28.497: ISAKMP: (0): hash MD5
*Dec 19 07:25:28.497: ISAKMP: (0): default group 2
*Dec 19 07:25:28.497: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
*Dec 19 07:25:28.497: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Dec 19 07:25:28.497: ISAKMP: (0):Checking ISAKMP transform 4 against priority 10 policy
*Dec 19 07:25:28.497: ISAKMP: (0): life type in seconds
*Dec 19 07:25:28.497: ISAKMP: (0): life duration (basic) of 28800
*Dec 19 07:25:28.497: ISAKMP: (0): encryption AES-CBC
*Dec 19 07:25:28.497: ISAKMP: (0): keylength of 128
*Dec 19 07:25:28.497: ISAKMP: (0): auth pre-share
*Dec 19 07:25:28.497: ISAKMP: (0): hash SHA256
*Dec 19 07:25:28.498: ISAKMP: (0): default group 2
*Dec 19 07:25:28.498: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
*Dec 19 07:25:28.498: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Dec 19 07:25:28.498: ISAKMP: (0):Checking ISAKMP transform 5 against priority 10 policy
*Dec 19 07:25:28.498: ISAKMP: (0): life type in seconds
*Dec 19 07:25:28.498: ISAKMP: (0): life duration (basic) of 28800
*Dec 19 07:25:28.498: ISAKMP: (0): encryption AES-CBC
*Dec 19 07:25:28.498: ISAKMP: (0): keylength of 128
*Dec 19 07:25:28.498: ISAKMP: (0): auth pre-share
*Dec 19 07:25:28.498: ISAKMP: (0): hash SHA
*Dec 19 07:25:28.498: ISAKMP: (0): default group 2
*Dec 19 07:25:28.498: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
*Dec 19 07:25:28.498: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Dec 19 07:25:28.498: ISAKMP: (0):Checking ISAKMP transform 6 against priority 10 policy
*Dec 19 07:25:28.498: ISAKMP: (0): life type in seconds
*Dec 19 07:25:28.498: ISAKMP: (0): life duration (basic) of 28800
*Dec 19 07:25:28.498: ISAKMP: (0): encryption AES-CBC
*Dec 19 07:25:28.498: ISAKMP: (0): keylength of 128
*Dec 19 07:25:28.498: ISAKMP: (0): auth pre-share
*Dec 19 07:25:28.498: ISAKMP: (0): hash MD5
*Dec 19 07:25:28.498: ISAKMP: (0): default group 2
*Dec 19 07:25:28.498: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
*Dec 19 07:25:28.498: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Dec 19 07:25:28.498: ISAKMP: (0):Checking ISAKMP transform 7 against priority 10 policy
*Dec 19 07:25:28.499: ISAKMP: (0): life type in seconds
*Dec 19 07:25:28.499: ISAKMP: (0): life duration (basic) of 28800
*Dec 19 07:25:28.499: ISAKMP: (0): encryption 3DES-CBC
*Dec 19 07:25:28.499: ISAKMP: (0): auth pre-share
*Dec 19 07:25:28.499: ISAKMP: (0): hash SHA256
*Dec 19 07:25:28.499: ISAKMP: (0): default group 2
*Dec 19 07:25:28.499: ISAKMP-ERROR: (0):Hash algorithm offered does not match policy!
*Dec 19 07:25:28.499: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Dec 19 07:25:28.499: ISAKMP: (0):Checking ISAKMP transform 8 against priority 10 policy
*Dec 19 07:25:28.499: ISAKMP: (0): life type in seconds
*Dec 19 07:25:28.499: ISAKMP: (0): life duration (basic) of 28800
*Dec 19 07:25:28.499: ISAKMP: (0): encryption 3DES-CBC
*Dec 19 07:25:28.499: ISAKMP: (0): auth pre-share
*Dec 19 07:25:28.499: ISAKMP: (0): hash SHA
*Dec 19 07:25:28.499: ISAKMP: (0): default group 2
*Dec 19 07:25:28.499: ISAKMP: (0):atts are acceptable. Next payload is 3
*Dec 19 07:25:28.499: ISAKMP: (0):Acceptable atts:actual life: 86400
*Dec 19 07:25:28.499: ISAKMP: (0):Acceptable atts:life: 0
*Dec 19 07:25:28.499: ISAKMP: (0):Basic life_in_seconds:28800
*Dec 19 07:25:28.499: ISAKMP: (0):Returning Actual lifetime: 28800
*Dec 19 07:25:28.499: ISAKMP: (0):Started lifetime timer: 28800.

*Dec 19 07:25:28.499: ISAKMP: (0):processing vendor id payload
*Dec 19 07:25:28.499: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
*Dec 19 07:25:28.500: ISAKMP: (0):vendor ID is NAT-T RFC 3947
*Dec 19 07:25:28.500: ISAKMP: (0):processing vendor id payload
*Dec 19 07:25:28.500: ISAKMP: (0):vendor ID seems Unity/DPD but major 164 mismatch
*Dec 19 07:25:28.500: ISAKMP: (0):processing vendor id payload
*Dec 19 07:25:28.500: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
*Dec 19 07:25:28.500: ISAKMP: (0):vendor ID is NAT-T v2
*Dec 19 07:25:28.500: ISAKMP: (0):processing vendor id payload
*Dec 19 07:25:28.500: ISAKMP: (0):vendor ID seems Unity/DPD but major 221 mismatch
*Dec 19 07:25:28.500: ISAKMP: (0):processing vendor id payload
*Dec 19 07:25:28.500: ISAKMP: (0):processing IKE frag vendor id payload
*Dec 19 07:25:28.500: ISAKMP: (0):Support for IKE Fragmentation not enabled
*Dec 19 07:25:28.500: ISAKMP: (0):processing vendor id payload
*Dec 19 07:25:28.500: ISAKMP: (0):vendor ID is DPD
*Dec 19 07:25:28.500: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec 19 07:25:28.501: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Dec 19 07:25:28.501: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Dec 19 07:25:28.501: ISAKMP-PAK: (0):sending packet to andriod-ip my_port 500 peer_port 22202 (R) MM_SA_SETUP
*Dec 19 07:25:28.501: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Dec 19 07:25:28.501: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec 19 07:25:28.501: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2

*Dec 19 07:25:28.525: ISAKMP-PAK: (0):received packet from andriod-ip dport 500 sport 22202 Global (R) MM_SA_SETUP
*Dec 19 07:25:28.525: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 19 07:25:28.525: ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3

*Dec 19 07:25:28.526: ISAKMP: (0):processing KE payload. message ID = 0
*Dec 19 07:25:28.530: ISAKMP: (0):processing NONCE payload. message ID = 0
*Dec 19 07:25:28.530: ISAKMP: (0):found peer pre-shared key matching andriod-ip
*Dec 19 07:25:28.530: ISAKMP: (1126):received payload type 20
*Dec 19 07:25:28.530: ISAKMP: (1126):His hash no match - this node outside NAT
*Dec 19 07:25:28.530: ISAKMP: (1126):received payload type 20
*Dec 19 07:25:28.531: ISAKMP: (1126):His hash no match - this node outside NAT
*Dec 19 07:25:28.531: ISAKMP: (1126):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec 19 07:25:28.531: ISAKMP: (1126):Old State = IKE_R_MM3 New State = IKE_R_MM3

*Dec 19 07:25:28.531: ISAKMP-PAK: (1126):sending packet to andriod-ip my_port 500 peer_port 22202 (R) MM_KEY_EXCH
*Dec 19 07:25:28.531: ISAKMP: (1126):Sending an IKE IPv4 Packet.
*Dec 19 07:25:28.531: ISAKMP: (1126):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec 19 07:25:28.532: ISAKMP: (1126):Old State = IKE_R_MM3 New State = IKE_R_MM4

*Dec 19 07:25:28.566: ISAKMP-PAK: (1126):received packet from andriod-ip dport 4500 sport 40072 Global (R) MM_KEY_EXCH
*Dec 19 07:25:28.566: ISAKMP: (1126):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 19 07:25:28.566: ISAKMP: (1126):Old State = IKE_R_MM4 New State = IKE_R_MM5

*Dec 19 07:25:28.566: ISAKMP: (1126):processing ID payload. message ID = 0
*Dec 19 07:25:28.566: ISAKMP: (1126):ID payload
next-payload : 8
type : 1
*Dec 19 07:25:28.566: ISAKMP: (1126): address : 10.153.195.54
*Dec 19 07:25:28.566: ISAKMP: (1126): protocol : 17
port : 500
length : 12
*Dec 19 07:25:28.566: ISAKMP: (0):peer matches *none* of the profiles
*Dec 19 07:25:28.566: ISAKMP: (1126):processing HASH payload. message ID = 0
*Dec 19 07:25:28.567: ISAKMP: (1126):SA authentication status:
authenticated
*Dec 19 07:25:28.567: ISAKMP: (1126):SA has been authenticated with andriod-ip
*Dec 19 07:25:28.567: ISAKMP: (1126):Detected port floating to port = 40072
*Dec 19 07:25:28.567: ISAKMP: (0):Trying to insert a peer router-ip/andriod-ip/40072/,
*Dec 19 07:25:28.567: ISAKMP: (0): and found existing one 80007F3AD18ED030 to reuse, free 80007F3AD147AF20
*Dec 19 07:25:28.568: ISAKMP: (0):Unlocking peer struct 0x80007F3AD147AF20 Reuse existing peer, count 0
*Dec 19 07:25:28.568: ISAKMP: (0):Deleting peer node by peer_reap for andriod-ip: 80007F3AD147AF20
*Dec 19 07:25:28.568: ISAKMP: (0):Locking peer struct 0x80007F3AD18ED030, refcount 2 for Reuse existing peer
*Dec 19 07:25:28.569: ISAKMP: (1126):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec 19 07:25:28.569: ISAKMP: (1126):Old State = IKE_R_MM5 New State = IKE_R_MM5

*Dec 19 07:25:28.569: ISAKMP: (1126):SA is doing
*Dec 19 07:25:28.569: ISAKMP: (1126):pre-shared key authentication using id type ID_IPV4_ADDR
*Dec 19 07:25:28.570: ISAKMP: (1126):ID payload
next-payload : 8
type : 1
*Dec 19 07:25:28.570: ISAKMP: (1126): address : router-ip
*Dec 19 07:25:28.570: ISAKMP: (1126): protocol : 17
port : 0
length : 12
*Dec 19 07:25:28.570: ISAKMP: (1126):Total payload length: 12
*Dec 19 07:25:28.570: ISAKMP-PAK: (1126):sending packet to andriod-ip my_port 4500 peer_port 40072 (R) MM_KEY_EXCH
*Dec 19 07:25:28.570: ISAKMP: (1126):Sending an IKE IPv4 Packet.
*Dec 19 07:25:28.570: ISAKMP: (1126):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec 19 07:25:28.570: ISAKMP: (1126):Old State = IKE_R_MM5 New State = IKE_R_MM5

*Dec 19 07:25:28.571: ISAKMP: (1126):Input = IKE_MESG_INTERNAL, IKE_FETCH_USER_ATTR
*Dec 19 07:25:28.571: ISAKMP: (1126):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

*Dec 19 07:25:28.571: ISAKMP: (1126):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Dec 19 07:25:28.571: ISAKMP: (1126):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Dec 19 07:25:28.605: ISAKMP-PAK: (1126):received packet from andriod-ip dport 4500 sport 40072 Global (R) QM_IDLE
*Dec 19 07:25:28.605: ISAKMP: (1126):set new node 4016018306 to QM_IDLE
*Dec 19 07:25:28.605: ISAKMP: (1126):processing HASH payload. message ID = 4016018306
*Dec 19 07:25:28.606: ISAKMP: (1126):processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 4016018306, sa = 0x80007F3AD18FD0E0
*Dec 19 07:25:28.606: ISAKMP: (1126):SA authentication status:
authenticated
*Dec 19 07:25:28.606: ISAKMP: (1126):Process initial contact,
bring down existing phase 1 and 2 SA's with local router-ip remote andriod-ip remote port 40072
*Dec 19 07:25:28.606: ISAKMP: (1125):Received delete SA on GigabitEthernet0/0/1 with reason "Receive initial contact"
*Dec 19 07:25:28.606: ISAKMP: (1125):peer does not do paranoid keepalives.
*Dec 19 07:25:28.606: ISAKMP-ERROR: (1125):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer andriod-ip)
*Dec 19 07:25:28.606: ISAKMP: (1126):deleting node 4016018306 error FALSE reason "Informational (in) state 1"
*Dec 19 07:25:28.606: ISAKMP: (1126):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Dec 19 07:25:28.606: ISAKMP: (1126):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Dec 19 07:25:28.607: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Dec 19 07:25:28.607: Delete IPsec SA by IC, local router-ip remote andriod-ip peer port 40072
*Dec 19 07:25:28.607: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= router-ip, sa_proto= 50,
sa_spi= 0x1347E0B4(323477684),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2259
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= router-ip:0, remote= andriod-ip:0,
local_proxy= router-ip/255.255.255.255/17/1701,
remote_proxy= andriod-ip/255.255.255.255/17/40072
*Dec 19 07:25:28.607: IPSEC(delete_sa): SA found saving DEL kmi
*Dec 19 07:25:28.607: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= andriod-ip, sa_proto= 50,
sa_spi= 0x9569357(156668759),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2260
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= router-ip:0, remote= andriod-ip:0,
local_proxy= router-ip/255.255.255.255/17/1701,
remote_proxy= andriod-ip/255.255.255.255/17/40072
*Dec 19 07:25:28.608: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
*Dec 19 07:25:28.608: IPSEC(update_current_outbound_sa): updated peer andriod-ip current outbound sa to SPI 0
*Dec 19 07:25:28.608: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= router-ip, sa_proto= 50,
sa_spi= 0x1347E0B4(323477684),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2259
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= router-ip:0, remote= andriod-ip:0,
local_proxy= router-ip/255.255.255.255/17/1701,
remote_proxy= andriod-ip/255.255.255.255/17/40072
*Dec 19 07:25:28.608: IPSEC(delete_sa): SA found saving DEL kmi
*Dec 19 07:25:28.608: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= andriod-ip, sa_proto= 50,
sa_spi= 0x9569357(156668759),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2260
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= router-ip:0, remote= andriod-ip:0,
local_proxy= router-ip/255.255.255.255/17/1701,
remote_proxy= andriod-ip/255.255.255.255/17/40072
*Dec 19 07:25:28.609: IPSEC(sibling_delete_notify_ident_action): Ident down, not sending DECR/DELETE
*Dec 19 07:25:28.609: ipsec_out_sa_hash_idx: sa=0x7F3ACD3DDF88, hash_idx=740, port=4500/40072, addr=0x716C83E5/0x70607311
*Dec 19 07:25:28.610: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
*Dec 19 07:25:28.610: ISAKMP: (1125):set new node 1431317966 to QM_IDLE
*Dec 19 07:25:28.611: ISAKMP-PAK: (1125):sending packet to andriod-ip my_port 4500 peer_port 40072 (R) QM_IDLE
*Dec 19 07:25:28.611: ISAKMP: (1125):Sending an IKE IPv4 Packet.
*Dec 19 07:25:28.611: ISAKMP: (1125):purging node 1431317966
*Dec 19 07:25:28.611: ISAKMP: (1125):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Dec 19 07:25:28.611: ISAKMP: (1125):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

*Dec 19 07:25:28.612: ISAKMP-ERROR: (1125):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer andriod-ip)
*Dec 19 07:25:28.612: ISAKMP: (0):Unlocking peer struct 0x80007F3AD18ED030 for isadb_mark_sa_deleted(), count 1
*Dec 19 07:25:28.612: ISAKMP: (1125):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 19 07:25:28.612: ISAKMP: (1125):Old State = IKE_DEST_SA New State = IKE_DEST_SA

*Dec 19 07:25:28.613: IPSEC(ident_update_final_flow_stats): Collect Final Stats and update MIB
IPSEC get IKMP peer index from peer 0x7F3ACD3DC3C8 ikmp handle 0x40000085
IPSEC IKMP peer index 0
[ident_update_final_flow_stats] : Flow delete complete event received for flow id 0x24000103,peer index 0

*Dec 19 07:25:28.614: ISAKMP: (1126):set new node 2301196154 to QM_IDLE
*Dec 19 07:25:28.614: ISAKMP-PAK: (1126):sending packet to andriod-ip my_port 4500 peer_port 40072 (R) QM_IDLE
*Dec 19 07:25:28.614: ISAKMP: (1126):Sending an IKE IPv4 Packet.
*Dec 19 07:25:28.614: ISAKMP: (1126):purging node 2301196154
*Dec 19 07:25:28.614: ISAKMP: (1126):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
*Dec 19 07:25:28.614: ISAKMP: (1126):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Dec 19 07:25:29.709: ISAKMP-PAK: (1126):received packet from andriod-ip dport 4500 sport 40072 Global (R) QM_IDLE
*Dec 19 07:25:29.709: ISAKMP: (1126):set new node 4233289096 to QM_IDLE
*Dec 19 07:25:29.710: ISAKMP: (1126):processing HASH payload. message ID = 4233289096
*Dec 19 07:25:29.710: ISAKMP: (1126):processing SA payload. message ID = 4233289096
*Dec 19 07:25:29.710: ISAKMP: (1126):Checking IPSec proposal 1
*Dec 19 07:25:29.710: ISAKMP: (1126):transform 1, ESP_AES
*Dec 19 07:25:29.710: ISAKMP: (1126): attributes in transform:
*Dec 19 07:25:29.710: ISAKMP: (1126): SA life type in seconds
*Dec 19 07:25:29.710: ISAKMP: (1126): SA life duration (basic) of 28800
*Dec 19 07:25:29.710: ISAKMP: (1126): encaps is 4 (Transport-UDP)
*Dec 19 07:25:29.710: ISAKMP: (1126): key length is 256
*Dec 19 07:25:29.710: ISAKMP: (1126): authenticator is HMAC-SHA256
*Dec 19 07:25:29.710: ISAKMP: (1126):atts are acceptable.
*Dec 19 07:25:29.711: ISAKMP: (1126):Checking IPSec proposal 1
*Dec 19 07:25:29.711: ISAKMP: (1126):transform 2, ESP_AES
*Dec 19 07:25:29.711: ISAKMP: (1126): attributes in transform:
*Dec 19 07:25:29.711: ISAKMP: (1126): SA life type in seconds
*Dec 19 07:25:29.711: ISAKMP: (1126): SA life duration (basic) of 28800
*Dec 19 07:25:29.711: ISAKMP: (1126): encaps is 4 (Transport-UDP)
*Dec 19 07:25:29.711: ISAKMP: (1126): key length is 256
*Dec 19 07:25:29.711: ISAKMP: (1126): authenticator is HMAC-SHA
*Dec 19 07:25:29.711: ISAKMP: (1126):atts are acceptable.
*Dec 19 07:25:29.711: ISAKMP: (1126):Checking IPSec proposal 1
*Dec 19 07:25:29.711: ISAKMP: (1126):transform 3, ESP_AES
*Dec 19 07:25:29.711: ISAKMP: (1126): attributes in transform:
*Dec 19 07:25:29.711: ISAKMP: (1126): SA life type in seconds
*Dec 19 07:25:29.711: ISAKMP: (1126): SA life duration (basic) of 28800
*Dec 19 07:25:29.712: ISAKMP: (1126): encaps is 4 (Transport-UDP)
*Dec 19 07:25:29.712: ISAKMP: (1126): key length is 256
*Dec 19 07:25:29.712: ISAKMP: (1126): authenticator is HMAC-MD5
*Dec 19 07:25:29.712: ISAKMP: (1126):atts are acceptable.
*Dec 19 07:25:29.712: ISAKMP: (1126):Checking IPSec proposal 1
*Dec 19 07:25:29.712: ISAKMP: (1126):transform 4, ESP_AES
*Dec 19 07:25:29.712: ISAKMP: (1126): attributes in transform:
*Dec 19 07:25:29.712: ISAKMP: (1126): SA life type in seconds
*Dec 19 07:25:29.712: ISAKMP: (1126): SA life duration (basic) of 28800
*Dec 19 07:25:29.712: ISAKMP: (1126): encaps is 4 (Transport-UDP)
*Dec 19 07:25:29.712: ISAKMP: (1126): key length is 128
*Dec 19 07:25:29.712: ISAKMP: (1126): authenticator is HMAC-SHA256
*Dec 19 07:25:29.712: ISAKMP: (1126):atts are acceptable.
*Dec 19 07:25:29.712: ISAKMP: (1126):Checking IPSec proposal 1
*Dec 19 07:25:29.712: ISAKMP: (1126):transform 5, ESP_AES
*Dec 19 07:25:29.712: ISAKMP: (1126): attributes in transform:
*Dec 19 07:25:29.713: ISAKMP: (1126): SA life type in seconds
*Dec 19 07:25:29.713: ISAKMP: (1126): SA life duration (basic) of 28800
*Dec 19 07:25:29.713: ISAKMP: (1126): encaps is 4 (Transport-UDP)
*Dec 19 07:25:29.713: ISAKMP: (1126): key length is 128
*Dec 19 07:25:29.713: ISAKMP: (1126): authenticator is HMAC-SHA
*Dec 19 07:25:29.713: ISAKMP: (1126):atts are acceptable.
*Dec 19 07:25:29.713: ISAKMP: (1126):Checking IPSec proposal 1
*Dec 19 07:25:29.713: ISAKMP: (1126):transform 6, ESP_AES
*Dec 19 07:25:29.713: ISAKMP: (1126): attributes in transform:
*Dec 19 07:25:29.713: ISAKMP: (1126): SA life type in seconds
*Dec 19 07:25:29.713: ISAKMP: (1126): SA life duration (basic) of 28800
*Dec 19 07:25:29.713: ISAKMP: (1126): encaps is 4 (Transport-UDP)
*Dec 19 07:25:29.713: ISAKMP: (1126): key length is 128
*Dec 19 07:25:29.713: ISAKMP: (1126): authenticator is HMAC-MD5
*Dec 19 07:25:29.713: ISAKMP: (1126):atts are acceptable.
*Dec 19 07:25:29.713: ISAKMP: (1126):Checking IPSec proposal 1
*Dec 19 07:25:29.713: ISAKMP: (1126):transform 7, ESP_3DES
*Dec 19 07:25:29.713: ISAKMP: (1126): attributes in transform:
*Dec 19 07:25:29.713: ISAKMP: (1126): SA life type in seconds
*Dec 19 07:25:29.713: ISAKMP: (1126): SA life duration (basic) of 28800
*Dec 19 07:25:29.713: ISAKMP: (1126): encaps is 4 (Transport-UDP)
*Dec 19 07:25:29.713: ISAKMP: (1126): authenticator is HMAC-SHA256
*Dec 19 07:25:29.714: ISAKMP: (1126):atts are acceptable.
*Dec 19 07:25:29.714: ISAKMP: (1126):Checking IPSec proposal 1
*Dec 19 07:25:29.714: ISAKMP: (1126):transform 8, ESP_3DES
*Dec 19 07:25:29.714: ISAKMP: (1126): attributes in transform:
*Dec 19 07:25:29.714: ISAKMP: (1126): SA life type in seconds
*Dec 19 07:25:29.714: ISAKMP: (1126): SA life duration (basic) of 28800
*Dec 19 07:25:29.714: ISAKMP: (1126): encaps is 4 (Transport-UDP)
*Dec 19 07:25:29.714: ISAKMP: (1126): authenticator is HMAC-SHA
*Dec 19 07:25:29.714: ISAKMP: (1126):atts are acceptable.
*Dec 19 07:25:29.714: ISAKMP: (1126):Checking IPSec proposal 1
*Dec 19 07:25:29.714: ISAKMP: (1126):transform 9, ESP_3DES
*Dec 19 07:25:29.714: ISAKMP: (1126): attributes in transform:
*Dec 19 07:25:29.714: ISAKMP: (1126): SA life type in seconds
*Dec 19 07:25:29.714: ISAKMP: (1126): SA life duration (basic) of 28800
*Dec 19 07:25:29.714: ISAKMP: (1126): encaps is 4 (Transport-UDP)
*Dec 19 07:25:29.714: ISAKMP: (1126): authenticator is HMAC-MD5
*Dec 19 07:25:29.714: ISAKMP: (1126):atts are acceptable.
*Dec 19 07:25:29.714: ISAKMP: (1126):Checking IPSec proposal 1
*Dec 19 07:25:29.714: ISAKMP: (1126):transform 10, ESP_DES
*Dec 19 07:25:29.714: ISAKMP: (1126): attributes in transform:
*Dec 19 07:25:29.714: ISAKMP: (1126): SA life type in seconds
*Dec 19 07:25:29.714: ISAKMP: (1126): SA life duration (basic) of 28800
*Dec 19 07:25:29.714: ISAKMP: (1126): encaps is 4 (Transport-UDP)
*Dec 19 07:25:29.714: ISAKMP: (1126): authenticator is HMAC-SHA256
*Dec 19 07:25:29.714: ISAKMP: (1126):atts are acceptable.
*Dec 19 07:25:29.714: ISAKMP: (1126):Checking IPSec proposal 1
*Dec 19 07:25:29.714: ISAKMP: (1126):transform 11, ESP_DES
*Dec 19 07:25:29.714: ISAKMP: (1126): attributes in transform:
*Dec 19 07:25:29.714: ISAKMP: (1126): SA life type in seconds
*Dec 19 07:25:29.714: ISAKMP: (1126): SA life duration (basic) of 28800
*Dec 19 07:25:29.715: ISAKMP: (1126): encaps is 4 (Transport-UDP)
*Dec 19 07:25:29.715: ISAKMP: (1126): authenticator is HMAC-SHA
*Dec 19 07:25:29.715: ISAKMP: (1126):atts are acceptable.
*Dec 19 07:25:29.715: ISAKMP: (1126):Checking IPSec proposal 1
*Dec 19 07:25:29.715: ISAKMP: (1126):transform 12, ESP_DES
*Dec 19 07:25:29.715: ISAKMP: (1126): attributes in transform:
*Dec 19 07:25:29.715: ISAKMP: (1126): SA life type in seconds
*Dec 19 07:25:29.715: ISAKMP: (1126): SA life duration (basic) of 28800
*Dec 19 07:25:29.715: ISAKMP: (1126): encaps is 4 (Transport-UDP)
*Dec 19 07:25:29.715: ISAKMP: (1126): authenticator is HMAC-MD5
*Dec 19 07:25:29.715: ISAKMP: (1126):atts are acceptable.
*Dec 19 07:25:29.715: IPSEC(validate_proposal_request): proposal part #1
*Dec 19 07:25:29.715: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= router-ip:0, remote= andriod-ip:0,
local_proxy= router-ip/255.255.255.255/17/1701,
remote_proxy= andriod-ip/255.255.255.255/17/0,
protocol= ESP, transform= esp-aes 256 esp-sha256-hmac (Transport-UDP), esn= FALSE,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 19 07:25:29.715: IPSEC(ipsec_process_proposal): invalid transform proposal received:
{esp-aes 256 esp-sha256-hmac }
*Dec 19 07:25:29.715: ISAKMP-ERROR: (1126):IPSec policy invalidated proposal with error 256
*Dec 19 07:25:29.716: IPSEC(validate_proposal_request): proposal part #1
*Dec 19 07:25:29.716: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= router-ip:0, remote= andriod-ip:0,
local_proxy= router-ip/255.255.255.255/17/1701,
remote_proxy= andriod-ip/255.255.255.255/17/0,
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport-UDP), esn= FALSE,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 19 07:25:29.716: IPSEC(ipsec_process_proposal): invalid transform proposal received:
{esp-aes 256 esp-sha-hmac }
*Dec 19 07:25:29.716: ISAKMP-ERROR: (1126):IPSec policy invalidated proposal with error 256
*Dec 19 07:25:29.717: IPSEC(validate_proposal_request): proposal part #1
*Dec 19 07:25:29.717: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= router-ip:0, remote= andriod-ip:0,
local_proxy= router-ip/255.255.255.255/17/1701,
remote_proxy= andriod-ip/255.255.255.255/17/0,
protocol= ESP, transform= esp-aes 256 esp-md5-hmac (Transport-UDP), esn= FALSE,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 19 07:25:29.717: IPSEC(ipsec_process_proposal): invalid transform proposal received:
{esp-aes 256 esp-md5-hmac }
*Dec 19 07:25:29.718: ISAKMP-ERROR: (1126):IPSec policy invalidated proposal with error 256
*Dec 19 07:25:29.718: IPSEC(validate_proposal_request): proposal part #1
*Dec 19 07:25:29.718: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= router-ip:0, remote= andriod-ip:0,
local_proxy= router-ip/255.255.255.255/17/1701,
remote_proxy= andriod-ip/255.255.255.255/17/0,
protocol= ESP, transform= esp-aes esp-sha256-hmac (Transport-UDP), esn= FALSE,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Dec 19 07:25:29.719: IPSEC(ipsec_process_proposal): invalid transform proposal received:
{esp-aes esp-sha256-hmac }
*Dec 19 07:25:29.719: ISAKMP-ERROR: (1126):IPSec policy invalidated proposal with error 256
*Dec 19 07:25:29.719: IPSEC(validate_proposal_request): proposal part #1
*Dec 19 07:25:29.719: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= router-ip:0, remote= andriod-ip:0,
local_proxy= router-ip/255.255.255.255/17/1701,
remote_proxy= andriod-ip/255.255.255.255/17/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Transport-UDP), esn= FALSE,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Dec 19 07:25:29.720: IPSEC(ipsec_process_proposal): invalid transform proposal received:
{esp-aes esp-sha-hmac }
*Dec 19 07:25:29.720: ISAKMP-ERROR: (1126):IPSec policy invalidated proposal with error 256
*Dec 19 07:25:29.720: IPSEC(validate_proposal_request): proposal part #1
*Dec 19 07:25:29.721: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= router-ip:0, remote= andriod-ip:0,
local_proxy= router-ip/255.255.255.255/17/1701,
remote_proxy= andriod-ip/255.255.255.255/17/0,
protocol= ESP, transform= esp-aes esp-md5-hmac (Transport-UDP), esn= FALSE,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Dec 19 07:25:29.721: IPSEC(ipsec_process_proposal): invalid transform proposal received:
{esp-aes esp-md5-hmac }
*Dec 19 07:25:29.721: ISAKMP-ERROR: (1126):IPSec policy invalidated proposal with error 256
*Dec 19 07:25:29.722: IPSEC(validate_proposal_request): proposal part #1
*Dec 19 07:25:29.722: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= router-ip:0, remote= andriod-ip:0,
local_proxy= router-ip/255.255.255.255/17/1701,
remote_proxy= andriod-ip/255.255.255.255/17/0,
protocol= ESP, transform= esp-3des esp-sha256-hmac (Transport-UDP), esn= FALSE,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Dec 19 07:25:29.722: IPSEC(ipsec_process_proposal): invalid transform proposal received:
{esp-3des esp-sha256-hmac }
*Dec 19 07:25:29.722: ISAKMP-ERROR: (1126):IPSec policy invalidated proposal with error 256
*Dec 19 07:25:29.723: IPSEC(validate_proposal_request): proposal part #1
*Dec 19 07:25:29.723: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= router-ip:0, remote= andriod-ip:0,
local_proxy= router-ip/255.255.255.255/17/1701,
remote_proxy= andriod-ip/255.255.255.255/17/0,
protocol= ESP, transform= esp-3des esp-sha-hmac (Transport-UDP), esn= FALSE,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Dec 19 07:25:29.723: (ipsec_process_proposal)Map Accepted: dyn-map, 10
*Dec 19 07:25:29.723: ISAKMP: (1126):processing NONCE payload. message ID = 4233289096
*Dec 19 07:25:29.723: ISAKMP: (1126):processing ID payload. message ID = 4233289096
*Dec 19 07:25:29.723: ISAKMP: (1126):processing ID payload. message ID = 4233289096
*Dec 19 07:25:29.724: ISAKMP: (1126):QM Responder gets spi
*Dec 19 07:25:29.724: ISAKMP: (1126):Node 4233289096, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Dec 19 07:25:29.724: ISAKMP: (1126):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Dec 19 07:25:29.724: ISAKMP: (1126):Node 4233289096, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Dec 19 07:25:29.724: ISAKMP: (1126):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT
*Dec 19 07:25:29.724: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Dec 19 07:25:29.724: IPSEC(crypto_ipsec_create_ipsec_sas): Map found dyn-map, 10
*Dec 19 07:25:29.726: IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 7F3ACD3DC3C8
*Dec 19 07:25:29.726: IPSEC(create_sa): sa created,
(sa) sa_dest= router-ip, sa_proto= 50,
sa_spi= 0x1FAE1EBD(531504829),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2261
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= router-ip:0, remote= andriod-ip:0,
local_proxy= router-ip/255.255.255.255/17/1701,
remote_proxy= andriod-ip/255.255.255.255/17/40072
*Dec 19 07:25:29.727: ipsec_out_sa_hash_idx: sa=0x7F3ACD3DDE80, hash_idx=740, port=4500/40072, addr=0x716C83E5/0x70607311
*Dec 19 07:25:29.727: crypto_ipsec_hook_out_sa: ipsec_out_sa_hash_array[740]=0x7F3ACD3DDE80
*Dec 19 07:25:29.727: IPSEC(create_sa): sa created,
(sa) sa_dest= andriod-ip, sa_proto= 50,
sa_spi= 0x4CE867(5040231),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2262
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= router-ip:0, remote= andriod-ip:0,
local_proxy= router-ip/255.255.255.255/17/1701,
remote_proxy= andriod-ip/255.255.255.255/17/40072
*Dec 19 07:25:29.731: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
*Dec 19 07:25:29.731: ISAKMP: (1126):Received IPSec Install callback... proceeding with the negotiation
*Dec 19 07:25:29.731: ISAKMP: (1126):Successfully installed IPSEC SA (SPI:0x1FAE1EBD) on GigabitEthernet0/0/1
*Dec 19 07:25:29.732: ISAKMP-PAK: (1126):sending packet to andriod-ip my_port 4500 peer_port 40072 (R) QM_IDLE
*Dec 19 07:25:29.732: ISAKMP: (1126):Sending an IKE IPv4 Packet.
*Dec 19 07:25:29.732: ISAKMP: (1126):Node 4233289096, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Dec 19 07:25:29.732: ISAKMP: (1126):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
*Dec 19 07:25:29.765: ISAKMP-PAK: (1126):received packet from andriod-ip dport 4500 sport 40072 Global (R) QM_IDLE
*Dec 19 07:25:29.765: ISAKMP: (1126):deleting node 4233289096 error FALSE reason "QM done (await)"
*Dec 19 07:25:29.765: ISAKMP: (1126):Node 4233289096, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Dec 19 07:25:29.765: ISAKMP: (1126):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Dec 19 07:25:29.765: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Dec 19 07:25:29.765: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Dec 19 07:26:18.606: ISAKMP: (1126):purging node 4016018306
*Dec 19 07:26:19.765: ISAKMP: (1126):purging node 4233289096
*Dec 19 07:26:28.612: ISAKMP: (1125):purging SA., sa=80007F3AD149C210, delme=80007F3AD149C210

Hi Friend,
Can you change the IPsec set? Change it one by one, since some OSes do not support the IPsec sets that the Cisco router supports; this mismatch may be the reason.

Hi, thanks for the reply!

I checked the debug info; the router didn't have an error like ‘ISAKMP-ERROR: (1126):IPSec policy invalidated proposal with error 256’ when matching the ipsec-set esp-3des esp-sha-hmac:

*Dec 19 07:25:29.723: IPSEC(validate_proposal_request): proposal part #1
*Dec 19 07:25:29.723: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= router-ip:0, remote= andriod-ip:0,
local_proxy= router-ip/255.255.255.255/17/1701,
remote_proxy= andriod-ip/255.255.255.255/17/0,
protocol= ESP, transform= esp-3des esp-sha-hmac (Transport-UDP), esn= FALSE,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

#

#

At the end of the debug, I can see the info ‘Dec 19 07:25:29.765: ISAKMP: (1126):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE’. It seems to succeed in the phase 1 and phase 2 process, so I don't think the ipsec-set config has a problem, but I will create another ipsec-set and use it in the crypto dyn-map with a different number. Thanks for the suggestion!
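The reading of the debug output in the post above, done mechanically; this is an added example, not part of the original thread. `summarize` and `SAMPLE` are hypothetical names, and the sample is constructed by condensing lines from the `debug crypto` output quoted in this thread.

```python
import re

# Constructed sample: lines condensed from the debug output quoted in this thread.
SAMPLE = """\
*Dec 19 07:25:29.720: IPSEC(validate_proposal_request): proposal part #1,
protocol= ESP, transform= esp-aes esp-sha-hmac (Transport-UDP), esn= FALSE,
*Dec 19 07:25:29.720: IPSEC(ipsec_process_proposal): invalid transform proposal received:
{esp-aes esp-sha-hmac }
*Dec 19 07:25:29.720: ISAKMP-ERROR: (1126):IPSec policy invalidated proposal with error 256
*Dec 19 07:25:29.723: IPSEC(validate_proposal_request): proposal part #1,
protocol= ESP, transform= esp-3des esp-sha-hmac (Transport-UDP), esn= FALSE,
*Dec 19 07:25:29.723: (ipsec_process_proposal)Map Accepted: dyn-map, 10
*Dec 19 07:25:29.731: ISAKMP: (1126):Successfully installed IPSEC SA (SPI:0x1FAE1EBD) on GigabitEthernet0/0/1
*Dec 19 07:25:29.765: ISAKMP: (1126):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
"""

TRANSFORM = re.compile(r"protocol= ESP, transform= (.+?) \(([\w-]+)\)")
ACCEPTED = re.compile(r"Map Accepted: ([\w-]+), (\d+)")

def summarize(log):
    """Pair each offered ESP transform with the router's verdict on it."""
    result = {"proposals": [], "sa_installed": False, "phase2_complete": False}
    pending = None  # transform offered by the peer but not yet judged
    for line in log.splitlines():
        m = TRANSFORM.search(line)
        if m:
            pending = {"transform": m.group(1).strip(), "mode": m.group(2), "verdict": "unknown"}
            result["proposals"].append(pending)
        elif pending and "invalid transform proposal received" in line:
            pending["verdict"] = "rejected"
            pending = None
        elif pending and (m := ACCEPTED.search(line)):
            pending["verdict"] = "accepted"
            pending["map"] = f"{m.group(1)} {m.group(2)}"  # crypto map name and sequence
            pending = None
        elif "Successfully installed IPSEC SA" in line:
            result["sa_installed"] = True
        elif "New State = IKE_QM_PHASE2_COMPLETE" in line:
            result["phase2_complete"] = True
    return result

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for p in report["proposals"]:
        print(f'{p["verdict"]:8} {p["transform"]} ({p["mode"]}) {p.get("map", "")}')
    print("SA installed:", report["sa_installed"], "| phase 2 complete:", report["phase2_complete"])
```

Run over a full capture, the `error 256` lines show up only as rejected offers that precede the accepted one, which separates a normal multi-proposal negotiation from a real transform-set mismatch.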

Hi, after trying another transform-set, it still does not work for Android.

In fact, I have a 19xx router (ver 15.2) running in the network. That device is also configured for L2TP over IPsec, and Windows, Apple and Android can all connect to the VPN on the 19xx.

Because the 19xx is too old, I want to use the 4331 instead of the old device. The 4331 config is almost the same as the 19xx's.

 

Under isakmp policy 

add 

hash sha 

 

and connect again.

Hi,

The hash has already been set to sha; sha is the default config, so it won't display in show running.

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14131-ios-804.html

Since there is IPsec and NAT on the same interface, you need to exclude the traffic from NAT when it goes through the IPsec tunnel.
Check the above link.

Note: there are many proposals for the IPsec set (I see them in the debug) with different priorities; find the one that matches both ends and configure it on both ends.

lipengxin
Level 1

I heard from my customer that the VPN will work with IKEv2, because Android only supports IKEv2.. funny

Thanks for updating me

Have a nice day 

MHM