Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3495
Views
25
Helpful
42
Replies

Point to point vpn without a tunnel

Go to solution
Mike Buyarski
Level 3
Level 3

‎01-17-2019 05:43 AM

SO we are setting up a connection to a DR cloud location and to connect to this cloud the cloud provider has given us an IP to connect to and a pre shared key. we need to create a vpn connection with just that information.

so far this is what i added but the connection is not working. this is a Cisco 4331router running version 16.6.3

 

crypto keyring Navisite
  pre-shared-key address "DR IP address" key "this key"

crypto isakmp policy 2
 authentication pre-share
 group 2
!
crypto isakmp profile Navisite
   keyring Navisite
   match identity address "DR IP address" 255.255.255.255
   local-address GigabitEthernet0/0/0
!
crypto ipsec transform-set Navisite esp-3des esp-sha-hmac
 mode tunnel
!
crypto map Navisite 1 ipsec-isakmp
 set peer "DR IP address"
 set transform-set Navisite
 match address NAVISITE
!
ip access-list extended NAVISITE
 permit ip "internal subnet1"  "DR remote subnet"
 permit ip "internal subnet2" "DR remote subnet"
!
interface GigabitEthernet0/0/0
 crypto map Navisite

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to Mike Buyarski

‎01-18-2019 07:21 AM

Ok, "phase 1 SA policy not acceptable!"

The ISAKMP Policy appear to be different. You need to confirm between yourself and the provider what you've both configured on each end.

View solution in original post

Go to solution
Rob Ingram
VIP
VIP
In response to Mike Buyarski

‎01-18-2019 11:27 AM

The nat ACL needs modifying to exclude the source internal network not the remote subnet, assuming the source network is within the larger 10.0.0.0/8 network range.

E.g:-
access-list 199 deny ip "local network & reverse mask" any

Make sure it's above "access-list 199 permit ip 10.0.0.0 0.255.255.255 any" - show access-list to confirm order

View solution in original post

42 Replies 42

Go to solution
Rob Ingram
VIP
VIP

‎01-17-2019 06:06 AM

Hi,

Do you control the other end of the VPN? Can you confirm the configuration of the other peer, especially in regard to the isakmp policy and transform set? PFS is also not enabled under the crypto-map in your configuration, this may be enabled on the other peer. So best to clarify what the other peer has defined.

 

If you enable "debug crypto isakmp", attempt to send traffic over the VPN tunnel and then upload the output of the debug please?

 

This link is useful in troubleshooting IPSec tunnels

 

HTH

0 Helpful

Go to solution
Mike Buyarski
Level 3
Level 3
In response to Rob Ingram

‎01-17-2019 06:32 AM

well i set group 2 under the policy but i wall add it to the crypto map

i do not have access to the remote site at all.

0 Helpful

Go to solution
Mike Buyarski
Level 3
Level 3
In response to Rob Ingram

‎01-17-2019 07:04 AM

I did enable the debugs but i appear to be getting nothing from that what so ever from that DR IP. there is alot of fluff in the debug since i have 60 DMPVN tunnels running on this very same router currently.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Mike Buyarski

‎01-17-2019 07:12 AM

We really need to confirm the correct isakmp, ipsec configuration of the peer router.

Try these debug commands:-
debug crypto condition peer X.X.X.X < where X.X.X.X is the peer IP address
debug crypto ikev1 200
0 Helpful

Go to solution
Mike Buyarski
Level 3
Level 3
In response to Rob Ingram

‎01-17-2019 07:24 AM

couple things on this one.

First so far i have not receive anything logs on the debug.

debug crypto condition peer ipv4 "DR ip address" worked

and the other debug does not seem to exist at all.

R-BAY-TW#debug crypto ?
  3gpp           Crypto 3GPP Group Key Management debug
  ber              decode ASN.1 BER data
  condition      Define debug condition filters
  eap              EAP
  engine         Crypto Engine Debug
  est-client     Enrollment over Secure Transport (EST) Client
  gdoi             Crypto GKM - Group Key Management (including GDOI) debug
  gkm             Crypto GKM - Group Key Management debug
  ha               Crypto High Availability (generic) debug
  ikev2           IKEv2 debugging
  interface     Crypto Interface debug
  ipsec          IPSEC processing
  ipv6            Crypto IPv6 debug
  isakmp       ISAKMP Key Management
  kmi            Crypto Key Management Interface debug
  mib            IPSEC Management Transactions
  pki             PKI Client
  rmal           Crypto RMAL debug
  routing       IPSEC Route Events
  socket       Crypto Secure Socket Debug
  ssl             Crypto SSL Packet Debugs
  tls-tunnel   Crypto TLS-Tunnel Debugs
  verbose     verbose decode

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Mike Buyarski

‎01-17-2019 07:30 AM

Replace ikev1 with isakmp - "debug crypto isakmp 200", it's the same command I previously provided, just if used inconjunction with the 60 dmvpn tunnels it will restrict output to just the DR peer.

Did you generate some traffic to the DR peer last time from the internal subnet 1 or 2 networks?
If you don't see any output at all in the debugs that would imply the traffic probably didn't match the crypto map ACL and therefore did not attempt to build the tunnel. If you do get some output and then we can work with the errors.

I assume the traffic to the DR networks is routed via this router, nothing simple like a missing route?

Go to solution
Mike Buyarski
Level 3
Level 3
In response to Rob Ingram

‎01-17-2019 08:07 AM

the internal networks in question are not on this router they are on a core switch. I see where you are getting at I will need to put a route on the core switch for the DR subnet to point to the router in question.

0 Helpful

Go to solution
Mike Buyarski
Level 3
Level 3
In response to Rob Ingram

‎01-17-2019 08:28 AM

sorry but the "debug crypto isakmp 200" does not work either best i can get is the "debug crypto isakmp"

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Mike Buyarski

‎01-17-2019 08:34 AM

Fine, just use debug crypto isakmp. What is the output?
I assume the route on the core is now in place and now routed to the router?
0 Helpful

Go to solution
Mike Buyarski
Level 3
Level 3
In response to Rob Ingram

‎01-17-2019 10:30 AM

Sorry i am still not getting anything from the debugs. i have gone back to the cloud provider to see if there is missing information.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Mike Buyarski

‎01-17-2019 10:39 AM

If no debugs are generated that would imply the no interesting traffic is matching the crypto ACL or the traffic is not being routed to the router in the first place

Can you confirm you defininately have a route on the core for the DC networks pointing to the router?
You generated traffic (ping or something) from local subnet 1 or 2 to DR remote network?

Perhaps take a packet capture on the router to confirm traffic is hitting the router.
0 Helpful

Go to solution
Mike Buyarski
Level 3
Level 3
In response to Rob Ingram

‎01-18-2019 06:53 AM

OK so it turns out the provider did not have anything set. so now it is, and now i am getting debugs

R-BAY-TW(conf-keyring)#do sh log
Syslog logging: enabled (0 messages dropped, 622 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.



No Inactive Message Discriminator.


    Console logging: level warnings, 24010 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 148 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 378926 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level informational, 48606 message lines logged
        Logging Source-Interface:       VRF Name:

Log Buffer (100000 bytes):

Jan 18 08:44:34: ISAKMP-PAK: (0):received packet from 209.235.70.147 dport 500 sport 500 Global (R) MM_NO_STATE
Jan 18 08:45:03: ISAKMP: (0):purging SA., sa=80007FA2D6EC4C58, delme=80007FA2D6EC4C58
Jan 18 08:45:13: ISAKMP-PAK: (0):received packet from "remote IP" dport 500 sport 500 Global (N) NEW SA
Jan 18 08:45:13: ISAKMP: (0):Created a peer struct for "remote IP", peer port 500
Jan 18 08:45:13: ISAKMP: (0):New peer created peer = 0x80007FA2D69BBA70 peer_handle = 0x80000000800027A6
Jan 18 08:45:13: ISAKMP: (0):Locking peer struct 0x80007FA2D69BBA70, refcount 1 for crypto_isakmp_process_block
Jan 18 08:45:13: ISAKMP: (0):local port 500, remote port 500
Jan 18 08:45:13: ISAKMP: (0):insert sa successfully sa = 80007FA2CA37CC38
Jan 18 08:45:13: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 18 08:45:13: ISAKMP: (0):Old State = IKE_READY  New State = IKE_R_MM1

Jan 18 08:45:13: ISAKMP: (0):processing SA payload. message ID = 0
Jan 18 08:45:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:45:13: ISAKMP: (0):vendor ID seems Unity/DPD but major 0 mismatch
Jan 18 08:45:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:45:13: ISAKMP: (0):vendor ID is DPD
Jan 18 08:45:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:45:13: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
Jan 18 08:45:13: ISAKMP: (0):vendor ID is NAT-T RFC 3947
Jan 18 08:45:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:45:13: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
Jan 18 08:45:13: ISAKMP: (0):vendor ID is NAT-T v3
Jan 18 08:45:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:45:13: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Jan 18 08:45:13: ISAKMP: (0):vendor ID is NAT-T v2
Jan 18 08:45:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:45:13: ISAKMP: (0):vendor ID seems Unity/DPD but major 164 mismatch
Jan 18 08:45:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:45:13: ISAKMP: (0):vendor ID seems Unity/DPD but major 221 mismatch
Jan 18 08:45:13: ISAKMP: (0):found peer pre-shared key matching "remote IP"
Jan 18 08:45:13: ISAKMP: (0):local preshared key found
Jan 18 08:45:13: ISAKMP: (0):Checking ISAKMP transform 0 against priority 1 policy
Jan 18 08:45:13: ISAKMP: (0):      life type in seconds
Jan 18 08:45:13: ISAKMP: (0):      life duration (basic) of 28800
Jan 18 08:45:13: ISAKMP: (0):      encryption 3DES-CBC
Jan 18 08:45:13: ISAKMP: (0):      hash SHA
Jan 18 08:45:13: ISAKMP: (0):      auth pre-share
Jan 18 08:45:13: ISAKMP: (0):      default group 2
Jan 18 08:45:13: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Jan 18 08:45:13: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Jan 18 08:45:13: ISAKMP: (0):Checking ISAKMP transform 0 against priority 2 policy
Jan 18 08:45:13: ISAKMP: (0):      life type in seconds
Jan 18 08:45:13: ISAKMP: (0):      life duration (basic) of 28800
Jan 18 08:45:13: ISAKMP: (0):      encryption 3DES-CBC
Jan 18 08:45:13: ISAKMP: (0):      hash SHA
Jan 18 08:45:13: ISAKMP: (0):      auth pre-share
Jan 18 08:45:13: ISAKMP: (0):      default group 2
Jan 18 08:45:13: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Jan 18 08:45:13: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Jan 18 08:45:13: ISAKMP: (0):Checking ISAKMP transform 0 against priority 10 policy
Jan 18 08:45:13: ISAKMP: (0):      life type in seconds
Jan 18 08:45:13: ISAKMP: (0):      life duration (basic) of 28800
Jan 18 08:45:13: ISAKMP: (0):      encryption 3DES-CBC
Jan 18 08:45:13: ISAKMP: (0):      hash SHA
Jan 18 08:45:13: ISAKMP: (0):      auth pre-share
Jan 18 08:45:13: ISAKMP: (0):      default group 2
Jan 18 08:45:13: ISAKMP-ERROR: (0):Hash algorithm offered does not match policy!
Jan 18 08:45:13: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Jan 18 08:45:13: ISAKMP-ERROR: (0):no offers accepted!
Jan 18 08:45:13: ISAKMP-ERROR: (0):phase 1 SA policy not acceptable! (local "Router IP" remote "remote IP")
Jan 18 08:45:13: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
Jan 18 08:45:13: ISAKMP-PAK: (0):sending packet to "remote IP" my_port 500 peer_port 500 (R) MM_NO_STATE
Jan 18 08:45:13: ISAKMP: (0):Sending an IKE IPv4 Packet.
Jan 18 08:45:13: ISAKMP: (0):peer does not do paranoid keepalives.
Jan 18 08:45:13: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 209.235.70.147)
Jan 18 08:45:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:45:13: ISAKMP: (0):vendor ID seems Unity/DPD but major 0 mismatch
Jan 18 08:45:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:45:13: ISAKMP: (0):vendor ID is DPD
Jan 18 08:45:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:45:13: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
Jan 18 08:45:13: ISAKMP: (0):vendor ID is NAT-T RFC 3947
Jan 18 08:45:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:45:13: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
Jan 18 08:45:13: ISAKMP: (0):vendor ID is NAT-T v3
Jan 18 08:45:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:45:13: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Jan 18 08:45:13: ISAKMP: (0):vendor ID is NAT-T v2
Jan 18 08:45:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:45:13: ISAKMP: (0):vendor ID seems Unity/DPD but major 164 mismatch
Jan 18 08:45:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:45:13: ISAKMP: (0):vendor ID seems Unity/DPD but major 221 mismatch
Jan 18 08:45:13: ISAKMP-ERROR: (0):(0): FSM action returned error: 2
Jan 18 08:45:13: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 18 08:45:13: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM1

Jan 18 08:45:13: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 209.235.70.147)
Jan 18 08:45:13: ISAKMP: (0):Unlocking peer struct 0x80007FA2D69BBA70 for isadb_mark_sa_deleted(), count 0
Jan 18 08:45:13: ISAKMP: (0):Deleting peer node by peer_reap for "remote IP": 80007FA2D69BBA70
Jan 18 08:45:13: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jan 18 08:45:13: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_DEST_SA

Jan 18 08:45:53: ISAKMP-PAK: (0):received packet from "remote IP" dport 500 sport 500 Global (R) MM_NO_STATE
Jan 18 08:45:57: %SYS-5-CONFIG_I: Configured from console by zmbbadm on vty0 (10.210.1.4)
Jan 18 08:46:03: ISAKMP-PAK: (0):received packet from "remote IP" dport 500 sport 500 Global (N) NEW SA
Jan 18 08:46:03: ISAKMP: (0):Created a peer struct for "remote IP", peer port 500
Jan 18 08:46:03: ISAKMP: (0):New peer created peer = 0x80007FA2D6E5EEE8 peer_handle = 0x80000000800050BE
Jan 18 08:46:03: ISAKMP: (0):Locking peer struct 0x80007FA2D6E5EEE8, refcount 1 for crypto_isakmp_process_block
Jan 18 08:46:03: ISAKMP: (0):local port 500, remote port 500
Jan 18 08:46:03: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 80007FA2D694C7B0
Jan 18 08:46:03: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 18 08:46:03: ISAKMP: (0):Old State = IKE_READY  New State = IKE_R_MM1

Jan 18 08:46:03: ISAKMP: (0):processing SA payload. message ID = 0
Jan 18 08:46:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:46:03: ISAKMP: (0):vendor ID seems Unity/DPD but major 0 mismatch
Jan 18 08:46:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:46:03: ISAKMP: (0):vendor ID is DPD
Jan 18 08:46:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:46:03: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
Jan 18 08:46:03: ISAKMP: (0):vendor ID is NAT-T RFC 3947
Jan 18 08:46:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:46:03: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
Jan 18 08:46:03: ISAKMP: (0):vendor ID is NAT-T v3
Jan 18 08:46:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:46:03: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Jan 18 08:46:03: ISAKMP: (0):vendor ID is NAT-T v2
Jan 18 08:46:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:46:03: ISAKMP: (0):vendor ID seems Unity/DPD but major 164 mismatch
Jan 18 08:46:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:46:03: ISAKMP: (0):vendor ID seems Unity/DPD but major 221 mismatch
Jan 18 08:46:03: ISAKMP: (0):found peer pre-shared key matching 209.235.70.147
Jan 18 08:46:03: ISAKMP: (0):local preshared key found
Jan 18 08:46:03: ISAKMP: (0):Checking ISAKMP transform 0 against priority 1 policy
Jan 18 08:46:03: ISAKMP: (0):      life type in seconds
Jan 18 08:46:03: ISAKMP: (0):      life duration (basic) of 28800
Jan 18 08:46:03: ISAKMP: (0):      encryption 3DES-CBC
Jan 18 08:46:03: ISAKMP: (0):      hash SHA
Jan 18 08:46:03: ISAKMP: (0):      auth pre-share
Jan 18 08:46:03: ISAKMP: (0):      default group 2
Jan 18 08:46:03: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Jan 18 08:46:03: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Jan 18 08:46:03: ISAKMP: (0):Checking ISAKMP transform 0 against priority 2 policy
Jan 18 08:46:03: ISAKMP: (0):      life type in seconds
Jan 18 08:46:03: ISAKMP: (0):      life duration (basic) of 28800
Jan 18 08:46:03: ISAKMP: (0):      encryption 3DES-CBC
Jan 18 08:46:03: ISAKMP: (0):      hash SHA
Jan 18 08:46:03: ISAKMP: (0):      auth pre-share
Jan 18 08:46:03: ISAKMP: (0):      default group 2
Jan 18 08:46:03: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Jan 18 08:46:03: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Jan 18 08:46:03: ISAKMP: (0):Checking ISAKMP transform 0 against priority 10 policy
Jan 18 08:46:03: ISAKMP: (0):      life type in seconds
Jan 18 08:46:03: ISAKMP: (0):      life duration (basic) of 28800
Jan 18 08:46:03: ISAKMP: (0):      encryption 3DES-CBC
Jan 18 08:46:03: ISAKMP: (0):      hash SHA
Jan 18 08:46:03: ISAKMP: (0):      auth pre-share
Jan 18 08:46:03: ISAKMP: (0):      default group 2
Jan 18 08:46:03: ISAKMP-ERROR: (0):Hash algorithm offered does not match policy!
Jan 18 08:46:03: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Jan 18 08:46:03: ISAKMP-ERROR: (0):no offers accepted!
Jan 18 08:46:03: ISAKMP-ERROR: (0):phase 1 SA policy not acceptable! (local "Router IP" remote "remote IP")
Jan 18 08:46:03: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
Jan 18 08:46:03: ISAKMP-PAK: (0):sending packet to "remote IP" my_port 500 peer_port 500 (R) MM_NO_STATE
Jan 18 08:46:03: ISAKMP: (0):Sending an IKE IPv4 Packet.
Jan 18 08:46:03: ISAKMP: (0):peer does not do paranoid keepalives.
Jan 18 08:46:03: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 209.235.70.147)
Jan 18 08:46:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:46:03: ISAKMP: (0):vendor ID seems Unity/DPD but major 0 mismatch
Jan 18 08:46:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:46:03: ISAKMP: (0):vendor ID is DPD
Jan 18 08:46:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:46:03: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
Jan 18 08:46:03: ISAKMP: (0):vendor ID is NAT-T RFC 3947
Jan 18 08:46:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:46:03: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
Jan 18 08:46:03: ISAKMP: (0):vendor ID is NAT-T v3
Jan 18 08:46:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:46:03: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Jan 18 08:46:03: ISAKMP: (0):vendor ID is NAT-T v2
Jan 18 08:46:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:46:03: ISAKMP: (0):vendor ID seems Unity/DPD but major 164 mismatch
Jan 18 08:46:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:46:03: ISAKMP: (0):vendor ID seems Unity/DPD but major 221 mismatch
Jan 18 08:46:03: ISAKMP-ERROR: (0):(0): FSM action returned error: 2
Jan 18 08:46:03: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 18 08:46:03: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM1

Jan 18 08:46:03: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 209.235.70.147)
Jan 18 08:46:03: ISAKMP: (0):Unlocking peer struct 0x80007FA2D6E5EEE8 for isadb_mark_sa_deleted(), count 0
Jan 18 08:46:03: ISAKMP: (0):Deleting peer node by peer_reap for "remote IP": 80007FA2D6E5EEE8
Jan 18 08:46:03: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jan 18 08:46:03: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_DEST_SA

Jan 18 08:46:13: ISAKMP: (0):purging SA., sa=80007FA2CA37CC38, delme=80007FA2CA37CC38
Jan 18 08:46:13: ISAKMP-PAK: (0):received packet from "remote IP" dport 500 sport 500 Global (R) MM_NO_STATE
Jan 18 08:46:33: ISAKMP-PAK: (0):received packet from "remote IP" dport 500 sport 500 Global (R) MM_NO_STATE
Jan 18 08:47:03: ISAKMP: (0):purging SA., sa=80007FA2D694C7B0, delme=80007FA2D694C7B0
Jan 18 08:47:13: ISAKMP-PAK: (0):received packet from "remote IP" dport 500 sport 500 Global (N) NEW SA
Jan 18 08:47:13: ISAKMP: (0):Created a peer struct for "remote IP", peer port 500
Jan 18 08:47:13: ISAKMP: (0):New peer created peer = 0x80007FA2D6DD5288 peer_handle = 0x8000000080004654
Jan 18 08:47:13: ISAKMP: (0):Locking peer struct 0x80007FA2D6DD5288, refcount 1 for crypto_isakmp_process_block
Jan 18 08:47:13: ISAKMP: (0):local port 500, remote port 500
Jan 18 08:47:13: ISAKMP: (0):insert sa successfully sa = 80007FA2D693BA10
Jan 18 08:47:13: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 18 08:47:13: ISAKMP: (0):Old State = IKE_READY  New State = IKE_R_MM1

Jan 18 08:47:13: ISAKMP: (0):processing SA payload. message ID = 0
Jan 18 08:47:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:47:13: ISAKMP: (0):vendor ID seems Unity/DPD but major 0 mismatch
Jan 18 08:47:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:47:13: ISAKMP: (0):vendor ID is DPD
Jan 18 08:47:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:47:13: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
Jan 18 08:47:13: ISAKMP: (0):vendor ID is NAT-T RFC 3947
Jan 18 08:47:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:47:13: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
Jan 18 08:47:13: ISAKMP: (0):vendor ID is NAT-T v3
Jan 18 08:47:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:47:13: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Jan 18 08:47:13: ISAKMP: (0):vendor ID is NAT-T v2
Jan 18 08:47:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:47:13: ISAKMP: (0):vendor ID seems Unity/DPD but major 164 mismatch
Jan 18 08:47:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:47:13: ISAKMP: (0):vendor ID seems Unity/DPD but major 221 mismatch
Jan 18 08:47:13: ISAKMP: (0):found peer pre-shared key matching "remote IP"
Jan 18 08:47:13: ISAKMP: (0):local preshared key found
Jan 18 08:47:13: ISAKMP: (0):Checking ISAKMP transform 0 against priority 1 policy
Jan 18 08:47:13: ISAKMP: (0):      life type in seconds
Jan 18 08:47:13: ISAKMP: (0):      life duration (basic) of 28800
Jan 18 08:47:13: ISAKMP: (0):      encryption 3DES-CBC
Jan 18 08:47:13: ISAKMP: (0):      hash SHA
Jan 18 08:47:13: ISAKMP: (0):      auth pre-share
Jan 18 08:47:13: ISAKMP: (0):      default group 2
Jan 18 08:47:13: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Jan 18 08:47:13: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Jan 18 08:47:13: ISAKMP: (0):Checking ISAKMP transform 0 against priority 2 policy
Jan 18 08:47:13: ISAKMP: (0):      life type in seconds
Jan 18 08:47:13: ISAKMP: (0):      life duration (basic) of 28800
Jan 18 08:47:13: ISAKMP: (0):      encryption 3DES-CBC
Jan 18 08:47:13: ISAKMP: (0):      hash SHA
Jan 18 08:47:13: ISAKMP: (0):      auth pre-share
Jan 18 08:47:13: ISAKMP: (0):      default group 2
Jan 18 08:47:13: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Jan 18 08:47:13: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Jan 18 08:47:13: ISAKMP: (0):Checking ISAKMP transform 0 against priority 10 policy
Jan 18 08:47:13: ISAKMP: (0):      life type in seconds
Jan 18 08:47:13: ISAKMP: (0):      life duration (basic) of 28800
Jan 18 08:47:13: ISAKMP: (0):      encryption 3DES-CBC
Jan 18 08:47:13: ISAKMP: (0):      hash SHA
Jan 18 08:47:13: ISAKMP: (0):      auth pre-share
Jan 18 08:47:13: ISAKMP: (0):      default group 2
Jan 18 08:47:13: ISAKMP-ERROR: (0):Hash algorithm offered does not match policy!
Jan 18 08:47:13: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Jan 18 08:47:13: ISAKMP-ERROR: (0):no offers accepted!
Jan 18 08:47:13: ISAKMP-ERROR: (0):phase 1 SA policy not acceptable! (local "Router IP" remote "remote IP")
Jan 18 08:47:13: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
Jan 18 08:47:13: ISAKMP-PAK: (0):sending packet to "remote IP" my_port 500 peer_port 500 (R) MM_NO_STATE
Jan 18 08:47:13: ISAKMP: (0):Sending an IKE IPv4 Packet.
Jan 18 08:47:13: ISAKMP: (0):peer does not do paranoid keepalives.
Jan 18 08:47:13: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 209.235.70.147)
Jan 18 08:47:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:47:13: ISAKMP: (0):vendor ID seems Unity/DPD but major 0 mismatch
Jan 18 08:47:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:47:13: ISAKMP: (0):vendor ID is DPD
Jan 18 08:47:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:47:13: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
Jan 18 08:47:13: ISAKMP: (0):vendor ID is NAT-T RFC 3947
Jan 18 08:47:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:47:13: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
Jan 18 08:47:13: ISAKMP: (0):vendor ID is NAT-T v3
Jan 18 08:47:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:47:13: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Jan 18 08:47:13: ISAKMP: (0):vendor ID is NAT-T v2
Jan 18 08:47:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:47:13: ISAKMP: (0):vendor ID seems Unity/DPD but major 164 mismatch
Jan 18 08:47:13: ISAKMP: (0):processing vendor id payload
Jan 18 08:47:13: ISAKMP: (0):vendor ID seems Unity/DPD but major 221 mismatch
Jan 18 08:47:13: ISAKMP-ERROR: (0):(0): FSM action returned error: 2
Jan 18 08:47:13: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 18 08:47:13: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM1

Jan 18 08:47:13: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 209.235.70.147)
Jan 18 08:47:13: ISAKMP: (0):Unlocking peer struct 0x80007FA2D6DD5288 for isadb_mark_sa_deleted(), count 0
Jan 18 08:47:13: ISAKMP: (0):Deleting peer node by peer_reap for "remote IP"80007FA2D6DD5288
Jan 18 08:47:13: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jan 18 08:47:13: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_DEST_SA

Jan 18 08:47:53: ISAKMP-PAK: (0):received packet from "remote IP" dport 500 sport 500 Global (R) MM_NO_STATE
Jan 18 08:48:03: ISAKMP-PAK: (0):received packet from "remote IP" dport 500 sport 500 Global (N) NEW SA
Jan 18 08:48:03: ISAKMP: (0):Created a peer struct for "remote IP", peer port 500
Jan 18 08:48:03: ISAKMP: (0):New peer created peer = 0x80007FA2CA3E1C20 peer_handle = 0x8000000080003781
Jan 18 08:48:03: ISAKMP: (0):Locking peer struct 0x80007FA2CA3E1C20, refcount 1 for crypto_isakmp_process_block
Jan 18 08:48:03: ISAKMP: (0):local port 500, remote port 500
Jan 18 08:48:03: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 80007FA2D6E00DF0
Jan 18 08:48:03: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 18 08:48:03: ISAKMP: (0):Old State = IKE_READY  New State = IKE_R_MM1

Jan 18 08:48:03: ISAKMP: (0):processing SA payload. message ID = 0
Jan 18 08:48:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:48:03: ISAKMP: (0):vendor ID seems Unity/DPD but major 0 mismatch
Jan 18 08:48:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:48:03: ISAKMP: (0):vendor ID is DPD
Jan 18 08:48:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:48:03: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
Jan 18 08:48:03: ISAKMP: (0):vendor ID is NAT-T RFC 3947
Jan 18 08:48:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:48:03: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
Jan 18 08:48:03: ISAKMP: (0):vendor ID is NAT-T v3
Jan 18 08:48:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:48:03: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Jan 18 08:48:03: ISAKMP: (0):vendor ID is NAT-T v2
Jan 18 08:48:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:48:03: ISAKMP: (0):vendor ID seems Unity/DPD but major 164 mismatch
Jan 18 08:48:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:48:03: ISAKMP: (0):vendor ID seems Unity/DPD but major 221 mismatch
Jan 18 08:48:03: ISAKMP: (0):found peer pre-shared key matching 209.235.70.147
Jan 18 08:48:03: ISAKMP: (0):local preshared key found
Jan 18 08:48:03: ISAKMP: (0):Checking ISAKMP transform 0 against priority 1 policy
Jan 18 08:48:03: ISAKMP: (0):      life type in seconds
Jan 18 08:48:03: ISAKMP: (0):      life duration (basic) of 28800
Jan 18 08:48:03: ISAKMP: (0):      encryption 3DES-CBC
Jan 18 08:48:03: ISAKMP: (0):      hash SHA
Jan 18 08:48:03: ISAKMP: (0):      auth pre-share
Jan 18 08:48:03: ISAKMP: (0):      default group 2
Jan 18 08:48:03: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Jan 18 08:48:03: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Jan 18 08:48:03: ISAKMP: (0):Checking ISAKMP transform 0 against priority 2 policy
Jan 18 08:48:03: ISAKMP: (0):      life type in seconds
Jan 18 08:48:03: ISAKMP: (0):      life duration (basic) of 28800
Jan 18 08:48:03: ISAKMP: (0):      encryption 3DES-CBC
Jan 18 08:48:03: ISAKMP: (0):      hash SHA
Jan 18 08:48:03: ISAKMP: (0):      auth pre-share
Jan 18 08:48:03: ISAKMP: (0):      default group 2
Jan 18 08:48:03: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Jan 18 08:48:03: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Jan 18 08:48:03: ISAKMP: (0):Checking ISAKMP transform 0 against priority 10 policy
Jan 18 08:48:03: ISAKMP: (0):      life type in seconds
Jan 18 08:48:03: ISAKMP: (0):      life duration (basic) of 28800
Jan 18 08:48:03: ISAKMP: (0):      encryption 3DES-CBC
Jan 18 08:48:03: ISAKMP: (0):      hash SHA
Jan 18 08:48:03: ISAKMP: (0):      auth pre-share
Jan 18 08:48:03: ISAKMP: (0):      default group 2
Jan 18 08:48:03: ISAKMP-ERROR: (0):Hash algorithm offered does not match policy!
Jan 18 08:48:03: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Jan 18 08:48:03: ISAKMP-ERROR: (0):no offers accepted!
Jan 18 08:48:03: ISAKMP-ERROR: (0):phase 1 SA policy not acceptable! (local "Router IP" remote "remote IP")
Jan 18 08:48:03: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
Jan 18 08:48:03: ISAKMP-PAK: (0):sending packet to "remote IP" my_port 500 peer_port 500 (R) MM_NO_STATE
Jan 18 08:48:03: ISAKMP: (0):Sending an IKE IPv4 Packet.
Jan 18 08:48:03: ISAKMP: (0):peer does not do paranoid keepalives.
Jan 18 08:48:03: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 209.235.70.147)
Jan 18 08:48:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:48:03: ISAKMP: (0):vendor ID seems Unity/DPD but major 0 mismatch
Jan 18 08:48:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:48:03: ISAKMP: (0):vendor ID is DPD
Jan 18 08:48:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:48:03: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
Jan 18 08:48:03: ISAKMP: (0):vendor ID is NAT-T RFC 3947
Jan 18 08:48:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:48:03: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
Jan 18 08:48:03: ISAKMP: (0):vendor ID is NAT-T v3
Jan 18 08:48:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:48:03: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Jan 18 08:48:03: ISAKMP: (0):vendor ID is NAT-T v2
Jan 18 08:48:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:48:03: ISAKMP: (0):vendor ID seems Unity/DPD but major 164 mismatch
Jan 18 08:48:03: ISAKMP: (0):processing vendor id payload
Jan 18 08:48:03: ISAKMP: (0):vendor ID seems Unity/DPD but major 221 mismatch
Jan 18 08:48:03: ISAKMP-ERROR: (0):(0): FSM action returned error: 2
Jan 18 08:48:03: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 18 08:48:03: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM1

Jan 18 08:48:03: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 209.235.70.147)
Jan 18 08:48:03: ISAKMP: (0):Unlocking peer struct 0x80007FA2CA3E1C20 for isadb_mark_sa_deleted(), count 0
Jan 18 08:48:03: ISAKMP: (0):Deleting peer node by peer_reap for "remote IP": 80007FA2CA3E1C20
Jan 18 08:48:03: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jan 18 08:48:03: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_DEST_SA

Jan 18 08:48:13: ISAKMP: (0):purging SA., sa=80007FA2D693BA10, delme=80007FA2D693BA10
Jan 18 08:48:13: ISAKMP-PAK: (0):received packet from "remote IP"dport 500 sport 500 Global (R) MM_NO_STATE
Jan 18 08:48:33: ISAKMP-PAK: (0):received packet from "remote IP" dport 500 sport 500 Global (R) MM_NO_STATE

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Mike Buyarski

‎01-18-2019 07:21 AM

Ok, "phase 1 SA policy not acceptable!"

The ISAKMP Policy appear to be different. You need to confirm between yourself and the provider what you've both configured on each end.

Go to solution
Mike Buyarski
Level 3
Level 3
In response to Rob Ingram

‎01-18-2019 07:39 AM

Thanks We are definitely getting closer. looks like we got past phase one possibly phase 2.

changes:

crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!

 

*DEBUGS*

Log Buffer (100000 bytes):

Jan 18 09:33:31: ISAKMP: (17044):peer does not do paranoid keepalives.
Jan 18 09:33:31: ISAKMP: (17044):deleting SA reason "Death by tree-walk" state (R) QM_IDLE       (peer "Remote IP")
Jan 18 09:33:31: ISAKMP: (17044):set new node 3082544749 to QM_IDLE
Jan 18 09:33:31: ISAKMP-PAK: (17044):sending packet to "Remote IP" my_port 500 peer_port 500 (R) QM_IDLE
Jan 18 09:33:31: ISAKMP: (17044):Sending an IKE IPv4 Packet.
Jan 18 09:33:31: ISAKMP: (17044):purging node 3082544749
Jan 18 09:33:31: ISAKMP: (17044):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jan 18 09:33:31: ISAKMP: (17044):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

Jan 18 09:33:31: ISAKMP: (17044):deleting SA reason "Death by tree-walk" state (R) QM_IDLE       (peer "Remote IP")
Jan 18 09:33:31: ISAKMP: (0):Unlocking peer struct 0x80007FA2D6CFF658 for isadb_mark_sa_deleted(), count 0
Jan 18 09:33:31: ISAKMP: (0):Deleting peer node by peer_reap for "Remote IP": 80007FA2D6CFF658
Jan 18 09:33:31: ISAKMP: (17044):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 18 09:33:31: ISAKMP: (17044):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

Jan 18 09:33:31: ISAKMP-PAK: (17044):received packet from "Remote IP" dport 500 sport 500 Global (R) MM_NO_STATE
Jan 18 09:33:33: ISAKMP-PAK: (0):received packet from "Remote IP" dport 500 sport 500 Global (N) NEW SA
Jan 18 09:33:33: ISAKMP: (0):Created a peer struct for "Remote IP", peer port 500
Jan 18 09:33:33: ISAKMP: (0):New peer created peer = 0x80007FA2D5AD24F8 peer_handle = 0x800000008000385F
Jan 18 09:33:33: ISAKMP: (0):Locking peer struct 0x80007FA2D5AD24F8, refcount 1 for crypto_isakmp_process_block
Jan 18 09:33:33: ISAKMP: (0):local port 500, remote port 500
Jan 18 09:33:33: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 80007FA2D6B54250
Jan 18 09:33:33: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 18 09:33:33: ISAKMP: (0):Old State = IKE_READY  New State = IKE_R_MM1

Jan 18 09:33:33: ISAKMP: (0):processing SA payload. message ID = 0
Jan 18 09:33:33: ISAKMP: (0):processing vendor id payload
Jan 18 09:33:33: ISAKMP: (0):vendor ID seems Unity/DPD but major 0 mismatch
Jan 18 09:33:33: ISAKMP: (0):processing vendor id payload
Jan 18 09:33:33: ISAKMP: (0):vendor ID is DPD
Jan 18 09:33:33: ISAKMP: (0):processing vendor id payload
Jan 18 09:33:33: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
Jan 18 09:33:33: ISAKMP: (0):vendor ID is NAT-T RFC 3947
Jan 18 09:33:33: ISAKMP: (0):processing vendor id payload
Jan 18 09:33:33: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
Jan 18 09:33:33: ISAKMP: (0):vendor ID is NAT-T v3
Jan 18 09:33:33: ISAKMP: (0):processing vendor id payload
Jan 18 09:33:33: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Jan 18 09:33:33: ISAKMP: (0):vendor ID is NAT-T v2
Jan 18 09:33:33: ISAKMP: (0):processing vendor id payload
Jan 18 09:33:33: ISAKMP: (0):vendor ID seems Unity/DPD but major 164 mismatch
Jan 18 09:33:33: ISAKMP: (0):processing vendor id payload
Jan 18 09:33:33: ISAKMP: (0):vendor ID seems Unity/DPD but major 221 mismatch
Jan 18 09:33:33: ISAKMP: (0):found peer pre-shared key matching 209.235.70.147
Jan 18 09:33:33: ISAKMP: (0):local preshared key found
Jan 18 09:33:33: ISAKMP: (0):Checking ISAKMP transform 0 against priority 1 policy
Jan 18 09:33:33: ISAKMP: (0):      life type in seconds
Jan 18 09:33:33: ISAKMP: (0):      life duration (basic) of 28800
Jan 18 09:33:33: ISAKMP: (0):      encryption 3DES-CBC
Jan 18 09:33:33: ISAKMP: (0):      hash SHA
Jan 18 09:33:33: ISAKMP: (0):      auth pre-share
Jan 18 09:33:33: ISAKMP: (0):      default group 2
Jan 18 09:33:33: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Jan 18 09:33:33: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Jan 18 09:33:33: ISAKMP: (0):Checking ISAKMP transform 0 against priority 2 policy
Jan 18 09:33:33: ISAKMP: (0):      life type in seconds
Jan 18 09:33:33: ISAKMP: (0):      life duration (basic) of 28800
Jan 18 09:33:33: ISAKMP: (0):      encryption 3DES-CBC
Jan 18 09:33:33: ISAKMP: (0):      hash SHA
Jan 18 09:33:33: ISAKMP: (0):      auth pre-share
Jan 18 09:33:33: ISAKMP: (0):      default group 2
Jan 18 09:33:33: ISAKMP: (0):atts are acceptable. Next payload is 0
Jan 18 09:33:33: ISAKMP: (0):Acceptable atts:actual life: 86400
Jan 18 09:33:33: ISAKMP: (0):Acceptable atts:life: 0
Jan 18 09:33:33: ISAKMP: (0):Basic life_in_seconds:28800
Jan 18 09:33:33: ISAKMP: (0):Returning Actual lifetime: 28800
Jan 18 09:33:33: ISAKMP: (0):Started lifetime timer: 28800.

Jan 18 09:33:33: ISAKMP: (0):processing vendor id payload
Jan 18 09:33:33: ISAKMP: (0):vendor ID seems Unity/DPD but major 0 mismatch
Jan 18 09:33:33: ISAKMP: (0):processing vendor id payload
Jan 18 09:33:33: ISAKMP: (0):vendor ID is DPD
Jan 18 09:33:33: ISAKMP: (0):processing vendor id payload
Jan 18 09:33:33: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
Jan 18 09:33:33: ISAKMP: (0):vendor ID is NAT-T RFC 3947
Jan 18 09:33:33: ISAKMP: (0):processing vendor id payload
Jan 18 09:33:33: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
Jan 18 09:33:33: ISAKMP: (0):vendor ID is NAT-T v3
Jan 18 09:33:33: ISAKMP: (0):processing vendor id payload
Jan 18 09:33:33: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Jan 18 09:33:33: ISAKMP: (0):vendor ID is NAT-T v2
Jan 18 09:33:33: ISAKMP: (0):processing vendor id payload
Jan 18 09:33:33: ISAKMP: (0):vendor ID seems Unity/DPD but major 164 mismatch
Jan 18 09:33:33: ISAKMP: (0):processing vendor id payload
Jan 18 09:33:33: ISAKMP: (0):vendor ID seems Unity/DPD but major 221 mismatch
Jan 18 09:33:33: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 18 09:33:33: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM1

Jan 18 09:33:33: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
Jan 18 09:33:33: ISAKMP-PAK: (0):sending packet to "Remote IP" my_port 500 peer_port 500 (R) MM_SA_SETUP
Jan 18 09:33:33: ISAKMP: (0):Sending an IKE IPv4 Packet.
Jan 18 09:33:33: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 18 09:33:33: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM2

Jan 18 09:33:33: ISAKMP-PAK: (0):received packet from "Remote IP" dport 500 sport 500 Global (R) MM_SA_SETUP
Jan 18 09:33:33: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 18 09:33:33: ISAKMP: (0):Old State = IKE_R_MM2  New State = IKE_R_MM3

Jan 18 09:33:33: ISAKMP: (0):processing KE payload. message ID = 0
Jan 18 09:33:33: ISAKMP: (0):processing NONCE payload. message ID = 0
Jan 18 09:33:33: ISAKMP: (0):found peer pre-shared key matching 209.235.70.147
Jan 18 09:33:33: ISAKMP: (17045):received payload type 20
Jan 18 09:33:33: ISAKMP: (17045):His hash no match - this node outside NAT
Jan 18 09:33:33: ISAKMP: (17045):received payload type 20
Jan 18 09:33:33: ISAKMP: (17045):No NAT Found for self or peer
Jan 18 09:33:33: ISAKMP: (17045):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 18 09:33:33: ISAKMP: (17045):Old State = IKE_R_MM3  New State = IKE_R_MM3

Jan 18 09:33:33: ISAKMP-PAK: (17045):sending packet to "Remote IP" my_port 500 peer_port 500 (R) MM_KEY_EXCH
Jan 18 09:33:33: ISAKMP: (17045):Sending an IKE IPv4 Packet.
Jan 18 09:33:33: ISAKMP: (17045):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 18 09:33:33: ISAKMP: (17045):Old State = IKE_R_MM3  New State = IKE_R_MM4

Jan 18 09:33:33: ISAKMP-PAK: (17045):received packet from "Remote IP" dport 500 sport 500 Global (R) MM_KEY_EXCH
Jan 18 09:33:33: ISAKMP: (17045):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 18 09:33:33: ISAKMP: (17045):Old State = IKE_R_MM4  New State = IKE_R_MM5

Jan 18 09:33:33: ISAKMP: (17045):processing ID payload. message ID = 0
Jan 18 09:33:33: ISAKMP: (17045):ID payload
        next-payload : 8
        type         : 1
Jan 18 09:33:33: ISAKMP: (17045):       address      : "Remote IP"
Jan 18 09:33:33: ISAKMP: (17045):       protocol     : 0
        port         : 0
        length       : 12
Jan 18 09:33:33: ISAKMP: (17045):Found ADDRESS key in keyring Navisite
Jan 18 09:33:33: ISAKMP: (17045):processing HASH payload. message ID = 0
Jan 18 09:33:33: ISAKMP: (17045):SA authentication status:
        authenticated
Jan 18 09:33:33: ISAKMP: (17045):SA has been authenticated with "Remote IP"
Jan 18 09:33:33: ISAKMP: (0):Trying to insert a peer "Router IP"/"Remote IP"/500/,
Jan 18 09:33:33: ISAKMP: (0): and inserted successfully 80007FA2D5AD24F8.
Jan 18 09:33:33: ISAKMP: (17045):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 18 09:33:33: ISAKMP: (17045):Old State = IKE_R_MM5  New State = IKE_R_MM5

Jan 18 09:33:33: ISAKMP: (17045):SA is doing
Jan 18 09:33:33: ISAKMP: (17045):pre-shared key authentication using id type ID_IPV4_ADDR
Jan 18 09:33:33: ISAKMP: (17045):ID payload
        next-payload : 8
        type         : 1
Jan 18 09:33:33: ISAKMP: (17045):       address      : "Router IP"
Jan 18 09:33:33: ISAKMP: (17045):       protocol     : 17
        port         : 500
        length       : 12
Jan 18 09:33:33: ISAKMP: (17045):Total payload length: 12
Jan 18 09:33:33: ISAKMP-PAK: (17045):sending packet to "Remote IP" my_port 500 peer_port 500 (R) MM_KEY_EXCH
Jan 18 09:33:33: ISAKMP: (17045):Sending an IKE IPv4 Packet.
Jan 18 09:33:33: ISAKMP: (17045):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 18 09:33:33: ISAKMP: (17045):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

Jan 18 09:33:33: ISAKMP: (17045):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jan 18 09:33:33: ISAKMP: (17045):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Jan 18 09:33:33: ISAKMP-PAK: (17045):received packet from "Remote IP" dport 500 sport 500 Global (R) QM_IDLE     
Jan 18 09:33:33: ISAKMP: (17045):set new node 3935253500 to QM_IDLE
Jan 18 09:33:33: ISAKMP: (17045):processing HASH payload. message ID = 3935253500
Jan 18 09:33:33: ISAKMP: (17045):processing SA payload. message ID = 3935253500
Jan 18 09:33:33: ISAKMP: (17045):Checking IPSec proposal 0
Jan 18 09:33:33: ISAKMP: (17045):transform 0, ESP_3DES
Jan 18 09:33:33: ISAKMP: (17045):   attributes in transform:
Jan 18 09:33:33: ISAKMP: (17045):      group is 2
Jan 18 09:33:33: ISAKMP: (17045):      encaps is 1 (Tunnel)
Jan 18 09:33:33: ISAKMP: (17045):      SA life type in seconds
Jan 18 09:33:33: ISAKMP: (17045):      SA life duration (basic) of 3600
Jan 18 09:33:33: ISAKMP: (17045):      authenticator is HMAC-SHA
Jan 18 09:33:33: ISAKMP: (17045):atts are acceptable.
Jan 18 09:33:33: ISAKMP: (17045):processing NONCE payload. message ID = 3935253500
Jan 18 09:33:33: ISAKMP: (17045):processing KE payload. message ID = 3935253500
Jan 18 09:33:33: ISAKMP: (17045):processing ID payload. message ID = 3935253500
Jan 18 09:33:33: ISAKMP: (17045):processing ID payload. message ID = 3935253500
Jan 18 09:33:33: ISAKMP: (17045):QM Responder gets spi
Jan 18 09:33:33: ISAKMP: (17045):Node 3935253500, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jan 18 09:33:33: ISAKMP: (17045):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
Jan 18 09:33:33: ISAKMP: (17045):Node 3935253500, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Jan 18 09:33:33: ISAKMP: (17045):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_IPSEC_INSTALL_AWAIT
Jan 18 09:33:33: ISAKMP-PAK: (17045):received packet from 209.235.70.147 dport 500 sport 500 Global (R) QM_IDLE     
Jan 18 09:33:33: ISAKMP: (17045):set new node 1686563950 to QM_IDLE
Jan 18 09:33:33: ISAKMP: (17045):processing HASH payload. message ID = 1686563950
Jan 18 09:33:33: ISAKMP: (17045):processing SA payload. message ID = 1686563950
Jan 18 09:33:33: ISAKMP: (17045):Checking IPSec proposal 0
Jan 18 09:33:33: ISAKMP: (17045):transform 0, ESP_3DES
Jan 18 09:33:33: ISAKMP: (17045):   attributes in transform:
Jan 18 09:33:33: ISAKMP: (17045):      group is 2
Jan 18 09:33:33: ISAKMP: (17045):      encaps is 1 (Tunnel)
Jan 18 09:33:33: ISAKMP: (17045):      SA life type in seconds
Jan 18 09:33:33: ISAKMP: (17045):      SA life duration (basic) of 3600
Jan 18 09:33:33: ISAKMP: (17045):      authenticator is HMAC-SHA
Jan 18 09:33:33: ISAKMP: (17045):atts are acceptable.
Jan 18 09:33:33: ISAKMP: (17045):processing NONCE payload. message ID = 1686563950
Jan 18 09:33:33: ISAKMP: (17045):processing KE payload. message ID = 1686563950
Jan 18 09:33:33: ISAKMP: (17045):processing ID payload. message ID = 1686563950
Jan 18 09:33:33: ISAKMP: (17045):processing ID payload. message ID = 1686563950
Jan 18 09:33:33: ISAKMP: (17045):QM Responder gets spi
Jan 18 09:33:33: ISAKMP: (17045):Node 1686563950, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jan 18 09:33:33: ISAKMP: (17045):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
Jan 18 09:33:33: ISAKMP: (17045):Node 1686563950, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Jan 18 09:33:33: ISAKMP: (17045):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_IPSEC_INSTALL_AWAIT
Jan 18 09:33:33: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
Jan 18 09:33:33: ISAKMP: (17045):Received IPSec Install callback... proceeding with the negotiation
Jan 18 09:33:33: ISAKMP: (17045):Successfully installed IPSEC SA (SPI:0xF4665758) on GigabitEthernet0/0/0
Jan 18 09:33:33: ISAKMP-PAK: (17045):sending packet to 209.235.70.147 my_port 500 peer_port 500 (R) QM_IDLE
Jan 18 09:33:33: ISAKMP: (17045):Sending an IKE IPv4 Packet.
Jan 18 09:33:33: ISAKMP: (17045):Node 3935253500, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
Jan 18 09:33:33: ISAKMP: (17045):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2
Jan 18 09:33:33: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
Jan 18 09:33:33: ISAKMP: (17045):Received IPSec Install callback... proceeding with the negotiation
Jan 18 09:33:33: ISAKMP: (17045):Successfully installed IPSEC SA (SPI:0x31910073) on GigabitEthernet0/0/0
Jan 18 09:33:33: ISAKMP-PAK: (17045):sending packet to "Remote IP" my_port 500 peer_port 500 (R) QM_IDLE
Jan 18 09:33:33: ISAKMP: (17045):Sending an IKE IPv4 Packet.
Jan 18 09:33:33: ISAKMP: (17045):Node 1686563950, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
Jan 18 09:33:33: ISAKMP: (17045):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2
Jan 18 09:33:33: ISAKMP-PAK: (17045):received packet from "Remote IP" dport 500 sport 500 Global (R) QM_IDLE     
Jan 18 09:33:33: ISAKMP: (17045):deleting node 3935253500 error FALSE reason "QM done (await)"
Jan 18 09:33:33: ISAKMP: (17045):Node 3935253500, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jan 18 09:33:33: ISAKMP: (17045):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
Jan 18 09:33:33: ISAKMP-PAK: (17045):received packet from 209.235.70.147 dport 500 sport 500 Global (R) QM_IDLE     
Jan 18 09:33:33: ISAKMP: (17045):deleting node 1686563950 error FALSE reason "QM done (await)"
Jan 18 09:33:33: ISAKMP: (17045):Node 1686563950, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jan 18 09:33:33: ISAKMP: (17045):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE

 

 

0 Helpful
Customers Also Viewed These Support Documents