Remote access IPsec

mzolee166
Level 1

Hello!

First, sorry about my bad English.

I am new to IPsec VPN. I have a 2610 router with the c2600-ik9o3s3-mz.123-26.bin IOS.

I successfully set up a remote access VPN (UDP). I can connect to the router and I can ping my inside networks (split tunnel works).

I added an access-list entry to the split tunnel ACL, to reach everything from the VPN client's network.

But I can't ping or browse outside addresses. Is it possible for packets that come from clients on the WAN port to be NATed back out to the WAN?

I would like to browse through my home router.

Thanks

14 Replies

Simerjeet Singh
Cisco Employee

Please upload the config.


Sent from Cisco Technical Support Android App

!
version 12.3
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service compress-config
service pt-vty-logging
!
hostname c2610
!
boot-start-marker
boot-end-marker
!
no logging buffered
no logging rate-limit
enable secret 5 ************
!
memory-size iomem 15
clock timezone GMT 1
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN_CLIENT_LOGIN local
aaa authorization network VPN_CLIENT_GROUP local
aaa session-id common
ip subnet-zero
ip cef
!
!
ip domain name ZZZ
ip name-server 4.2.2.2
ip dhcp excluded-address 172.16.100.193 172.16.100.195
ip dhcp excluded-address 172.16.100.200 172.16.100.210
!
ip dhcp pool mine192
network 172.16.100.192 255.255.255.224
default-router 172.16.100.193
dns-server 172.16.100.193
!
ip audit po max-events 250

!
username *****
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN_CLIENTS
key *******
dns 172.16.100.193
pool IPSEC
acl 110
!
!
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
!
crypto dynamic-map EXT_DYNAMIC_MAP 10
set transform-set TRANS_3DES_SHA
reverse-route
!
!
crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
crypto map EXT_MAP client configuration address respond
crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
!
!
interface Ethernet0/0
description OUTSIDE_PORT
ip address 172.19.10.2 255.255.0.0
ip nat outside
half-duplex
no cdp enable
crypto map EXT_MAP
!
interface Ethernet1/0
ip address 172.16.100.193 255.255.255.224
ip nat inside
half-duplex
ntp multicast
!
ip local pool IPSEC 172.16.100.130 172.16.100.158
ip nat inside source list 101 interface Ethernet0/0 overload
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 172.19.10.1
!
ip dns server
!
!
access-list 101 deny   ip 172.16.100.0 0.0.0.31 172.16.100.128 0.0.0.31
access-list 101 deny   ip 172.16.100.32 0.0.0.31 172.16.100.128 0.0.0.31
access-list 101 deny   ip 172.16.100.192 0.0.0.31 172.16.100.128 0.0.0.31
access-list 101 permit ip any any
access-list 110 permit ip 172.16.100.0 0.0.0.31 172.16.100.128 0.0.0.31
access-list 110 permit ip 172.16.100.32 0.0.0.31 172.16.100.128 0.0.0.31
access-list 110 permit ip 172.16.100.192 0.0.0.31 172.16.100.128 0.0.0.31
access-list 110 permit ip 172.16.100.128 0.0.0.31 172.16.100.128 0.0.0.31
access-list 110 permit ip any 172.16.100.128 0.0.0.31
!
!
dial-peer cor custom
!
!
end

Thanks
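Added example, not part of the original posts: a short Python check of what the split-tunnel ACL in the config above pushes to the client. The source field of each ACL 110 entry becomes one split-include network, which is the list the router reports in the "Sending split include" debug lines further down the thread, and the `any` entry becomes 0.0.0.0/0. The function names are hypothetical, and only `permit ip` entries are modelled (an assumption; ACL 110 as posted contains nothing else).

```python
import ipaddress

# ACL 110 exactly as posted in the config above (the split-tunnel ACL
# referenced by "acl 110" in client configuration group VPN_CLIENTS).
ACL_110 = """\
access-list 110 permit ip 172.16.100.0 0.0.0.31 172.16.100.128 0.0.0.31
access-list 110 permit ip 172.16.100.32 0.0.0.31 172.16.100.128 0.0.0.31
access-list 110 permit ip 172.16.100.192 0.0.0.31 172.16.100.128 0.0.0.31
access-list 110 permit ip 172.16.100.128 0.0.0.31 172.16.100.128 0.0.0.31
access-list 110 permit ip any 172.16.100.128 0.0.0.31
"""


def _take_address(tokens):
    """Pop one ACL address spec (any | host A | A WILDCARD) as an IPv4Network."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    # A wildcard that maps to a plain netmask is a run of low-order 1 bits.
    if wildcard & (wildcard + 1):
        raise ValueError(f"non-contiguous wildcard for {head}")
    prefix = 32 - wildcard.bit_length()
    return ipaddress.ip_network(f"{head}/{prefix}", strict=False)


def split_include_networks(acl_text, acl_number="110"):
    """Return the networks a client is told to tunnel, in ACL order.

    Assumption of this example: only 'permit ip' entries are modelled and
    the SOURCE field of each entry is the network sent to the client.
    """
    networks = []
    for line in acl_text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[:2] != ["access-list", acl_number]:
            continue
        if tokens[2] != "permit" or tokens[3] != "ip":
            continue
        source = _take_address(tokens[4:])
        if source not in networks:
            networks.append(source)
    return networks


def as_debug_lines(networks):
    """Render networks the way the router's split-include debug lines do."""
    return [f"network {n.network_address} mask {n.netmask}" for n in networks]


def is_tunnelled(destination, networks):
    """True if the client would send traffic for this address into the VPN."""
    addr = ipaddress.ip_address(destination)
    return any(addr in n for n in networks)


def full_tunnel_entries(networks):
    """Entries that cover every destination, turning split tunnel into full tunnel."""
    return [n for n in networks if n.prefixlen == 0]


if __name__ == "__main__":
    nets = split_include_networks(ACL_110)
    for text in as_debug_lines(nets):
        print("split include:", text)
    print("catch-all entries:", [str(n) for n in full_tunnel_entries(nets)])
    # 4.2.2.2 is the name server from the config and the ping target in the thread.
    print("4.2.2.2 tunnelled with posted ACL:", is_tunnelled("4.2.2.2", nets))
    print("4.2.2.2 tunnelled without 'any' entry:",
          is_tunnelled("4.2.2.2", nets[:-1]))
```

With the `any` entry present, every destination, including 4.2.2.2, is sent into the tunnel and arrives at the router on Ethernet0/0, the interface marked `ip nat outside`.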

Simerjeet Singh
Cisco Employee

After connecting the client, what do you get when you try to ping

Ping 4.2.2.2


Sent from Cisco Technical Support Android App

"request timed out"

I tried with traceroute and the client sends it to 172.19.10.2.

Simerjeet Singh
Cisco Employee

Interesting. Enable the following debugs on the router:

debug cry isa
debug cry ipsec

Also enable logging on the VPN client at level 3.

Once debugs and logs are enabled, connect the client and upload the info here.


Sent from Cisco Technical Support Android App

I reconnected several times; the client IP changed.

debug cry isa

Crypto ISAKMP debugging is on

c2610#

Apr 14 20:27:54: ISAKMP (0:0): received packet from 31.46.217.152 dport 500 sport 64923 Global (N) NEW SA

Apr 14 20:27:54: ISAKMP: Created a peer struct for 31.46.217.152, peer port 64923

Apr 14 20:27:54: ISAKMP: Locking peer struct 0x827CC194, IKE refcount 1 for Responding to new initiation

Apr 14 20:27:54: ISAKMP (0:0): Setting client config settings 8319C440

Apr 14 20:27:54: ISAKMP (0:0): (Re)Setting client xauth list  and state

Apr 14 20:27:54: ISAKMP: local port 500, remote port 64923

Apr 14 20:27:54: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 828088C4

Apr 14 20:27:54: ISAKMP (0:5): processing SA payload. message ID = 0

Apr 14 20:27:54: ISAKMP (0:5): processing ID payload. message ID = 0

Apr 14 20:27:54: ISAKMP (0:5): ID payload

next-payload : 13

type         : 11

group id     : VPN_CLIENTS

protocol     : 17

port         : 500

length       : 19

Apr 14 20:27:54: ISAKMP (0:5): peer matches *none* of the profiles

Apr 14 20:27:54: ISAKMP (0:5): processing vendor id payload

Apr 14 20:27:54: ISAKMP (0:5): vendor ID seems Unity/DPD but major 215 mismatch

Apr 14 20:27:54: ISAKMP (0:5): vendor ID is XAUTH

Apr 14 20:27:54: ISAKMP (0:5): processing vendor id payload

Apr 14 20:27:54: ISAKMP (0:5): vendor ID is DPD

Apr 14 20:27:54: ISAKMP (0:5): processing vendor id payload

Apr 14 20:27:54: ISAKMP (0:5): vendor ID seems Unity/DPD but major 194 mismatch

Apr 14 20:27:54: ISAKMP (0:5): processing vendor id payload

Apr 14 20:27:54: ISAKMP (0:5): vendor ID seems Unity/DPD but major 123 mismatch

Apr 14 20:27:54: ISAKMP (0:5): vendor ID is NAT-T v2

Apr 14 20:27:54: ISAKMP (0:5): processing vendor id payload

Apr 14 20:27:54: ISAKMP (0:5): vendor ID is Unity

Apr 14 20:27:54: ISAKMP (0:5) Authentication by xauth preshared

Apr 14 20:27:54: ISAKMP (0:5): Checking ISAKMP transform 1 against priority 10 policy

Apr 14 20:27:54: ISAKMP:      encryption AES-CBC

Apr 14 20:27:54: ISAKMP:      hash SHA

Apr 14 20:27:54: ISAKMP:      default group 2

Apr 14 20:27:54: ISAKMP:      auth XAUTHInitPreShared

Apr 14 20:27:54: ISAKMP:      life type in seconds

Apr 14 20:27:54: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:27:54: ISAKMP:      keylength of 256

Apr 14 20:27:54: ISAKMP (0:5): Encryption algorithm offered does not match policy!

Apr 14 20:27:54: ISAKMP (0:5): atts are not acceptable. Next payload is 3

Apr 14 20:27:54: ISAKMP (0:5): Checking ISAKMP transform 2 against priority 10 policy

Apr 14 20:27:54: ISAKMP:      encryption AES-CBC

Apr 14 20:27:54: ISAKMP:      hash MD5

Apr 14 20:27:54: ISAKMP:      default group 2

Apr 14 20:27:54: ISAKMP:      auth XAUTHInitPreShared

Apr 14 20:27:54: ISAKMP:      life type in seconds

Apr 14 20:27:54: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:27:54: ISAKMP:      keylength of 256

Apr 14 20:27:54: ISAKMP (0:5): Encryption algorithm offered does not match policy!

Apr 14 20:27:54: ISAKMP (0:5): atts are not acceptable. Next payload is 3

Apr 14 20:27:54: ISAKMP (0:5): Checking ISAKMP transform 3 against priority 10 policy

Apr 14 20:27:54: ISAKMP:      encryption AES-CBC

Apr 14 20:27:54: ISAKMP:      hash SHA

Apr 14 20:27:54: ISAKMP:      default group 2

Apr 14 20:27:54: ISAKMP:      auth pre-share

Apr 14 20:27:54: ISAKMP:      life type in seconds

Apr 14 20:27:54: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:27:54: ISAKMP:      keylength of 256

Apr 14 20:27:54: ISAKMP (0:5): Encryption algorithm offered does not match policy!

Apr 14 20:27:54: ISAKMP (0:5): atts are not acceptable. Next payload is 3

Apr 14 20:27:54: ISAKMP (0:5): Checking ISAKMP transform 4 against priority 10 policy

Apr 14 20:27:54: ISAKMP:      encryption AES-CBC

Apr 14 20:27:54: ISAKMP:      hash MD5

Apr 14 20:27:54: ISAKMP:      default group 2

Apr 14 20:27:54: ISAKMP:      auth pre-share

Apr 14 20:27:54: ISAKMP:      life type in seconds

Apr 14 20:27:54: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:27:54: ISAKMP:      keylength of 256

Apr 14 20:27:54: ISAKMP (0:5): Encryption algorithm offered does not match policy!

Apr 14 20:27:54: ISAKMP (0:5): atts are not acceptable. Next payload is 3

Apr 14 20:27:54: ISAKMP (0:5): Checking ISAKMP transform 5 against priority 10 policy

Apr 14 20:27:54: ISAKMP:      encryption AES-CBC

Apr 14 20:27:54: ISAKMP:      hash SHA

Apr 14 20:27:54: ISAKMP:      default group 2

Apr 14 20:27:54: ISAKMP:      auth XAUTHInitPreShared

Apr 14 20:27:54: ISAKMP:      life type in seconds

Apr 14 20:27:54: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:27:54: ISAKMP:      keylength of 128

Apr 14 20:27:54: ISAKMP (0:5): Encryption algorithm offered does not match policy!

Apr 14 20:27:54: ISAKMP (0:5): atts are not acceptable. Next payload is 3

Apr 14 20:27:54: ISAKMP (0:5): Checking ISAKMP transform 6 against priority 10 policy

Apr 14 20:27:54: ISAKMP:      encryption AES-CBC

Apr 14 20:27:54: ISAKMP:      hash MD5

Apr 14 20:27:54: ISAKMP:      default group 2

Apr 14 20:27:54: ISAKMP:      auth XAUTHInitPreShared

Apr 14 20:27:54: ISAKMP:      life type in seconds

Apr 14 20:27:54: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:27:54: ISAKMP:      keylength of 128

Apr 14 20:27:54: ISAKMP (0:5): Encryption algorithm offered does not match policy!

Apr 14 20:27:54: ISAKMP (0:5): atts are not acceptable. Next payload is 3

Apr 14 20:27:54: ISAKMP (0:5): Checking ISAKMP transform 7 against priority 10 policy

Apr 14 20:27:54: ISAKMP:      encryption AES-CBC

Apr 14 20:27:54: ISAKMP:      hash SHA

Apr 14 20:27:54: ISAKMP:      default group 2

Apr 14 20:27:54: ISAKMP:      auth pre-share

Apr 14 20:27:54: ISAKMP:      life type in seconds

Apr 14 20:27:54: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:27:54: ISAKMP:      keylength of 128

Apr 14 20:27:54: ISAKMP (0:5): Encryption algorithm offered does not match policy!

Apr 14 20:27:54: ISAKMP (0:5): atts are not acceptable. Next payload is 3

Apr 14 20:27:54: ISAKMP (0:5): Checking ISAKMP transform 8 against priority 10 policy

Apr 14 20:27:54: ISAKMP:      encryption AES-CBC

Apr 14 20:27:54: ISAKMP:      hash MD5

Apr 14 20:27:54: ISAKMP:      default group 2

Apr 14 20:27:54: ISAKMP:      auth pre-share

Apr 14 20:27:54: ISAKMP:      life type in seconds

Apr 14 20:27:54: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:27:54: ISAKMP:      keylength of 128

Apr 14 20:27:54: ISAKMP (0:5): Encryption algorithm offered does not match policy!

Apr 14 20:27:54: ISAKMP (0:5): atts are not acceptable. Next payload is 3

Apr 14 20:27:54: ISAKMP (0:5): Checking ISAKMP transform 9 against priority 10 policy

Apr 14 20:27:54: ISAKMP:      encryption 3DES-CBC

Apr 14 20:27:54: ISAKMP:      hash SHA

Apr 14 20:27:54: ISAKMP:      default group 2

Apr 14 20:27:54: ISAKMP:      auth XAUTHInitPreShared

Apr 14 20:27:54: ISAKMP:      life type in seconds

Apr 14 20:27:54: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:27:54: ISAKMP (0:5): atts are acceptable. Next payload is 3

Apr 14 20:27:55: ISAKMP (0:5): processing KE payload. message ID = 0

Apr 14 20:27:55: ISAKMP (0:5): processing NONCE payload. message ID = 0

Apr 14 20:27:55: ISAKMP (0:5): vendor ID is NAT-T v2

Apr 14 20:27:55: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH

Apr 14 20:27:55: ISAKMP (0:5): Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

Apr 14 20:27:55: ISAKMP: got callback 1

Apr 14 20:27:55: ISAKMP (0:5): SKEYID state generated

Apr 14 20:27:55: ISAKMP (0:5): constructed NAT-T vendor-02 ID

Apr 14 20:27:55: ISAKMP (0:5): SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR

Apr 14 20:27:55: ISAKMP (0:5): ID payload

next-payload : 10

type         : 1

address      : 172.19.10.2

protocol     : 17

port         : 0

length       : 12

Apr 14 20:27:55: ISAKMP (5): Total payload length: 12

Apr 14 20:27:55: ISAKMP (0:5): sending packet to 31.46.217.152 my_port 500 peer_port 64923 (R) AG_INIT_EXCH

Apr 14 20:27:55: ISAKMP (0:5): Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY

Apr 14 20:27:55: ISAKMP (0:5): Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2

Apr 14 20:27:55: ISAKMP (0:5): received packet from 31.46.217.152 dport 4500 sport 64924 Global (R) AG_INIT_EXCH

Apr 14 20:27:55: ISAKMP (0:5): processing HASH payload. message ID = 0

Apr 14 20:27:55: ISAKMP (0:5): processing NOTIFY INITIAL_CONTACT protocol 1

spi 0, message ID = 0, sa = 828088C4

Apr 14 20:27:55: ISAKMP (0:5): SA authentication status:

authenticated

Apr 14 20:27:55: ISAKMP (0:5): Process initial contact,

bring down existing phase 1 and 2 SA's with local 172.19.10.2 remote 31.46.217.152 remote port 64924

Apr 14 20:27:55: ISAKMP (0:5): returning IP addr to the address pool

Apr 14 20:27:55: ISAKMP:received payload type 20

Apr 14 20:27:55: ISAKMP (0:5): NAT found, the node inside NAT

Apr 14 20:27:55: ISAKMP:received payload type 20

Apr 14 20:27:55: ISAKMP (0:5): NAT found, both nodes are all located inside NAT

Apr 14 20:27:55: ISAKMP (0:5): SA authentication status:

authenticated

Apr 14 20:27:55: ISAKMP (0:5): SA has been authenticated with 31.46.217.152

Apr 14 20:27:55: ISAKMP (0:5): Detected port floating to port = 64924

Apr 14 20:27:55: ISAKMP (0:5): Setting UDP ENC peer struct 0x8280C828 sa= 0x828088C4

Apr 14 20:27:55: ISAKMP: set new node -1361117581 to CONF_XAUTH

Apr 14 20:27:55: ISAKMP (0:5): Sending NOTIFY RESPONDER_LIFETIME protocol 1

spi 2197425896, message ID = -1361117581

Apr 14 20:27:55: ISAKMP (0:5): sending packet to 31.46.217.152 my_port 4500 peer_port 64924 (R) QM_IDLE

Apr 14 20:27:55: ISAKMP (0:5): purging node -1361117581

Apr 14 20:27:55: ISAKMP: Sending phase 1 responder lifetime 86400

Apr 14 20:27:55: ISAKMP (0:5): peer matches *none* of the profiles

Apr 14 20:27:55: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH

Apr 14 20:27:55: ISAKMP (0:5): Old State = IKE_R_AM2  New State = IKE_P1_COMPLETE

Apr 14 20:27:55: ISAKMP (0:5): Need XAUTH

Apr 14 20:27:55: ISAKMP (0:5): FSM action returned error: 4

Apr 14 20:27:55: ISAKMP (0:5): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

Apr 14 20:27:55: ISAKMP (0:5): Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_AAA_START_LOGIN_AWAIT

Apr 14 20:27:55: ISAKMP: got callback 1

Apr 14 20:27:55: ISAKMP: set new node -1345840736 to CONF_XAUTH

Apr 14 20:27:55: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2

c2610#

Apr 14 20:27:55: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2

Apr 14 20:27:55: ISAKMP (0:5): initiating peer config to 31.46.217.152. ID = -1345840736

Apr 14 20:27:55: ISAKMP (0:5): sending packet to 31.46.217.152 my_port 4500 peer_port 64924 (R) CONF_XAUTH

Apr 14 20:27:55: ISAKMP (0:5): Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOGIN

Apr 14 20:27:55: ISAKMP (0:5): Old State = IKE_XAUTH_AAA_START_LOGIN_AWAIT  New State = IKE_XAUTH_REQ_SENT

c2610#

Apr 14 20:27:57: ISAKMP (0:4): purging SA., sa=8330DC08, delme=8330DC08

c2610#

Apr 14 20:28:00: ISAKMP (0:5): received packet from 31.46.217.152 dport 4500 sport 64924 Global (R) CONF_XAUTH

Apr 14 20:28:00: ISAKMP (0:5): processing transaction payload from 31.46.217.152. message ID = -1345840736

Apr 14 20:28:00: ISAKMP: Config payload REPLY

Apr 14 20:28:00: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2

Apr 14 20:28:00: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2

Apr 14 20:28:00: ISAKMP (0:5): deleting node -1345840736 error FALSE reason "done with xauth request/reply exchange"

Apr 14 20:28:00: ISAKMP (0:5): FSM action returned error: 4

Apr 14 20:28:00: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY

Apr 14 20:28:00: ISAKMP (0:5): Old State = IKE_XAUTH_REQ_SENT  New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT

Apr 14 20:28:00: ISAKMP: got callback 1

Apr 14 20:28:00: ISAKMP: set new node 1135617684 to CONF_XAUTH

Apr 14 20:28:00: ISAKMP (0:5): initiating peer config to 31.46.217.152. ID = 1135617684

Apr 14 20:28:00: ISAKMP (0:5): sending packet to 31.46.217.152 my_port 4500 peer_port 64924 (R) CONF_XAUTH

Apr 14 20:28:00: ISAKMP (0:5): Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN

Apr 14 20:28:00: ISAKMP (0:5): Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT  New State = IKE_XAUTH_SET_SENT

Apr 14 20:28:00: ISAKMP (0:5): received packet from 31.46.217.152 dport 4500 sport 64924 Global (R) CONF_XAUTH

Apr 14 20:28:00: ISAKMP (0:5): processing transaction payload from 31.46.217.152. message ID = 1135617684

Apr 14 20:28:00: ISAKMP: Config payload ACK

Apr 14 20:28:00: ISAKMP (0:5):  blank XAUTH ACK Processed

Apr 14 20:28:00: ISAKMP (0:5): deleting node 1135617684 error FALSE reason "done with transaction"

Apr 14 20:28:00: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK

Apr 14 20:28:00: ISAKMP (0:5): Old State = IKE_XAUTH_SET_SENT  New State = IKE_P1_COMPLETE

Apr 14 20:28:00: ISAKMP (0:5): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

Apr 14 20:28:00: ISAKMP (0:5): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Apr 14 20:28:00: ISAKMP (0:5): received packet from 31.46.217.152 dport 4500 sport 64924 Global (R) QM_IDLE

Apr 14 20:28:00: ISAKMP: set new node -2147038172 to QM_IDLE

Apr 14 20:28:00: ISAKMP (0:5): processing transaction payload from 31.46.217.152. message ID = -2147038172

Apr 14 20:28:00: ISAKMP: Config payload REQUEST

Apr 14 20:28:00: ISAKMP (0:5): checking request:

Apr 14 20:28:00: ISAKMP:    IP4_ADDRESS

Apr 14 20:28:00: ISAKMP:    IP4_NETMASK

Apr 14 20:28:00: ISAKMP:    IP4_DNS

Apr 14 20:28:00: ISAKMP:    IP4_NBNS

Apr 14 20:28:00: ISAKMP:    ADDRESS_EXPIRY

Apr 14 20:28:00: ISAKMP:    UNKNOWN Unknown Attr: 0x7000

Apr 14 20:28:00: ISAKMP:    UNKNOWN Unknown Attr: 0x7001

Apr 14 20:28:00: ISAKMP:    DEFAULT_DOMAIN

Apr 14 20:28:00: ISAKMP:    SPLIT_INCLUDE

Apr 14 20:28:00: ISAKMP:    UNKNOWN Unknown Attr: 0x7003

Apr 14 20:28:00: ISAKMP:    UNKNOWN Unknown Attr: 0x7007

Apr 14 20:28:00: ISAKMP:    UNKNOWN Unknown Attr: 0x700B

Apr 14 20:28:00: ISAKMP:    UNKNOWN Unknown Attr: 0x7009

Apr 14 20:28:00: ISAKMP:    UNKNOWN Unknown Attr: 0x700C

Apr 14 20:28:00: ISAKMP:    APPLICATION_VERSION

Apr 14 20:28:00: ISAKMP:    UNKNOWN Unknown Attr: 0x7008

Apr 14 20:28:00: ISAKMP:    UNKNOWN Unknown Attr: 0x700A

Apr 14 20:28:00: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST

Apr 14 20:28:00: ISAKMP (0:5): Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_AUTHOR_AAA_AWAIT

Apr 14 20:28:00: ISAKMP: got callback 1

Apr 14 20:28:00: ISAKMP (0:5): attributes sent in message:

Apr 14 20:28:00:         Address: 0.2.0.0

Apr 14 20:28:00: ISAKMP (0:5): allocating address 172.16.100.139

Apr 14 20:28:00: ISAKMP: Sending private address: 172.16.100.139

Apr 14 20:28:00: ISAKMP: Sending IP4_DNS server address: 172.16.100.193

Apr 14 20:28:00: ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the address: 86394

Apr 14 20:28:00: ISAKMP (0/5): Unknown Attr: UNKNOWN (0x7000)

Apr 14 20:28:00: ISAKMP (0/5): Unknown Attr: UNKNOWN (0x7001)

Apr 14 20:28:00: ISAKMP: Sending split include name 110 network 172.16.100.0 mask 255.255.255.224 protocol 0, src port 0, dst port 0

Apr 14 20:28:00: ISAKMP: Sending split include name 110 network 172.16.100.32 mask 255.255.255.224 protocol 0, src port 0, dst port 0

Apr 14 20:28:00: ISAKMP: Sending split include name 110 network 172.16.100.192 mask 255.255.255.224 protocol 0, src port 0, dst port 0

Apr 14 20:28:00: ISAKMP: Sending split include name 110 network 172.16.100.128 mask 255.255.255.224 protocol 0, src port 0, dst port 0

Apr 14 20:28:00: ISAKMP: Sending split include name 110 network 0.0.0.0 mask 0.0.0.0 protocol 0, src port 0, dst port 0

Apr 14 20:28:00: ISAKMP (0/5): Unknown Attr: UNKNOWN (0x7003)

Apr 14 20:28:00: ISAKMP (0/5): Unknown Attr: UNKNOWN (0x7007)

Apr 14 20:28:00: ISAKMP (0/5): Unknown Attr: UNKNOWN (0x700B)

Apr 14 20:28:00: ISAKMP (0/5): Unknown Attr: UNKNOWN (0x7009)

Apr 14 20:28:00: ISAKMP (0/5): Unknown Attr: UNKNOWN (0x700C)

Apr 14 20:28:00: ISAKMP: Sending APPLICATION_VERSION string: Cisco Internetwork Operating System Software

IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(26), RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2008 by cisco Systems, Inc.

Compiled Mon 17-Mar-08 15:23 by dchih

Apr 14 20:28:00: ISAKMP (0/5): Unknown Attr: UNKNOWN (0x7008)

Apr 14 20:28:00: ISAKMP (0/5): Unknown Attr: UNKNOWN (0x700A)

Apr 14 20:28:00: ISAKMP (0:5): responding to peer config from 31.46.217.152. ID = -2147038172

Apr 14 20:28:00: ISAKMP (0:5): sending packet to 31.46.217.152 my_port 4500 peer_port 64924 (R) CONF_ADDR

Apr 14 20:28:00: ISAKMP (0:5): deleting node -2147038172 error FALSE reason ""

Apr 14 20:28:00: ISAKMP (0:5): Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR

Apr 14 20:28:00: ISAKMP (0:5): Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT  New State = IKE_P1_COMPLETE

Apr 14 20:28:00: ISAKMP (0:5): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

Apr 14 20:28:00: ISAKMP (0:5): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Apr 14 20:28:00: ISAKMP (0:5): received packet from 31.46.217.152 dport 4500 sport 64924 Global (R) QM_IDLE

Apr 14 20:28:00: ISAKMP: set new node -1484822979 to QM_IDLE

Apr 14 20:28:00: ISAKMP (0:5): processing HASH payload. message ID = -1484822979

Apr 14 20:28:00: ISAKMP (0:5): processing SA payload. message ID = -1484822979

Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 1

Apr 14 20:28:00: ISAKMP: transform 1, ESP_AES

Apr 14 20:28:00: ISAKMP:   attributes in transform:

Apr 14 20:28:00: ISAKMP:      authenticator is HMAC-MD5

Apr 14 20:28:00: ISAKMP:      key length is 256

Apr 14 20:28:00: ISAKMP:      encaps is 61443 (Tunnel-UDP)

Apr 14 20:28:00: ISAKMP:      SA life type in seconds

Apr 14 20:28:00: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.

Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 1

Apr 14 20:28:00: ISAKMP (0:5): transform 1, IPPCP LZS

Apr 14 20:28:00: ISAKMP:   attributes in transform:

Apr 14 20:28:00: ISAKMP:      encaps is 61443 (Tunnel-UDP)

Apr 14 20:28:00: ISAKMP:      SA life type in seconds

Apr 14 20:28:00: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.

Apr 14 20:28:00: ISAKMP (0:5): IPSec policy invalidated proposal

Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 2

Apr 14 20:28:00: ISAKMP: transform 1, ESP_AES

Apr 14 20:28:00: ISAKMP:   attributes in transform:

Apr 14 20:28:00: ISAKMP:      authenticator is HMAC-SHA

Apr 14 20:28:00: ISAKMP:      key length is 256

Apr 14 20:28:00: ISAKMP:      encaps is 61443 (Tunnel-UDP)

Apr 14 20:28:00: ISAKMP:      SA life type in seconds

Apr 14 20:28:00: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.

Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 2

Apr 14 20:28:00: ISAKMP (0:5): transform 1, IPPCP LZS

Apr 14 20:28:00: ISAKMP:   attributes in transform:

Apr 14 20:28:00: ISAKMP:      encaps is 61443 (Tunnel-UDP)

Apr 14 20:28:00: ISAKMP:      SA life type in seconds

Apr 14 20:28:00: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.

Apr 14 20:28:00: ISAKMP (0:5): IPSec policy invalidated proposal

Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 3

Apr 14 20:28:00: ISAKMP: transform 1, ESP_AES

Apr 14 20:28:00: ISAKMP:   attributes in transform:

Apr 14 20:28:00: ISAKMP:      authenticator is HMAC-MD5

Apr 14 20:28:00: ISAKMP:      key length is 128

Apr 14 20:28:00: ISAKMP:      encaps is 61443 (Tunnel-UDP)

Apr 14 20:28:00: ISAKMP:      SA life type in seconds

Apr 14 20:28:00: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.

Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 3

Apr 14 20:28:00: ISAKMP (0:5): transform 1, IPPCP LZS

Apr 14 20:28:00: ISAKMP:   attributes in transform:

Apr 14 20:28:00: ISAKMP:      encaps is 61443 (Tunnel-UDP)

Apr 14 20:28:00: ISAKMP:      SA life type in seconds

Apr 14 20:28:00: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.

Apr 14 20:28:00: ISAKMP (0:5): IPSec policy invalidated proposal

Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 4

Apr 14 20:28:00: ISAKMP: transform 1, ESP_AES

Apr 14 20:28:00: ISAKMP:   attributes in transform:

Apr 14 20:28:00: ISAKMP:      authenticator is HMAC-SHA

Apr 14 20:28:00: ISAKMP:      key length is 128

Apr 14 20:28:00: ISAKMP:      encaps is 61443 (Tunnel-UDP)

Apr 14 20:28:00: ISAKMP:      SA life type in seconds

Apr 14 20:28:00: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.

Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 4

Apr 14 20:28:00: ISAKMP (0:5): transform 1, IPPCP LZS

Apr 14 20:28:00: ISAKMP:   attributes in transform:

Apr 14 20:28:00: ISAKMP:      encaps is 61443 (Tunnel-UDP)

Apr 14 20:28:00: ISAKMP:      SA life type in seconds

Apr 14 20:28:00: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.

Apr 14 20:28:00: ISAKMP (0:5): IPSec policy invalidated proposal

Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 5

Apr 14 20:28:00: ISAKMP: transform 1, ESP_AES

Apr 14 20:28:00: ISAKMP:   attributes in transform:

Apr 14 20:28:00: ISAKMP:      authenticator is HMAC-MD5

Apr 14 20:28:00: ISAKMP:      key length is 256

Apr 14 20:28:00: ISAKMP:      encaps is 61443 (Tunnel-UDP)

Apr 14 20:28:00: ISAKMP:      SA life type in seconds

Apr 14 20:28:00: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.

Apr 14 20:28:00: ISAKMP (0:5): IPSec policy invalidated proposal

Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 6

Apr 14 20:28:00: ISAKMP: transform 1, ESP_AES

Apr 14 20:28:00: ISAKMP:   attributes in transform:

Apr 14 20:28:00: ISAKMP:      authenticator is HMAC-SHA

Apr 14 20:28:00: ISAKMP:      key length is 256

Apr 14 20:28:00: ISAKMP:      encaps is 61443 (Tunnel-UDP)

Apr 14 20:28:00: ISAKMP:      SA life type in seconds

Apr 14 20:28:00: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.

Apr 14 20:28:00: ISAKMP (0:5): IPSec policy invalidated proposal

Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 7

Apr 14 20:28:00: ISAKMP: transform 1, ESP_AES

Apr 14 20:28:00: ISAKMP:   attributes in transform:

Apr 14 20:28:00: ISAKMP:      authenticator is HMAC-MD5

Apr 14 20:28:00: ISAKMP:      key length is 128

Apr 14 20:28:00: ISAKMP:      encaps is 61443 (Tunnel-UDP)

Apr 14 20:28:00: ISAKMP:      SA life type in seconds

Apr 14 20:28:00: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.

Apr 14 20:28:00: ISAKMP (0:5): IPSec policy invalidated proposal

Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 8

Apr 14 20:28:00: ISAKMP: transform 1, ESP_AES

Apr 14 20:28:00: ISAKMP:   attributes in transform:

Apr 14 20:28:00: ISAKMP:      authenticator is HMAC-SHA

Apr 14 20:28:00: ISAKMP:      key length is 128

Apr 14 20:28:00: ISAKMP:      encaps is 61443 (Tunnel-UDP)

Apr 14 20:28:00: ISAKMP:      SA life type in seconds

Apr 14 20:28:00: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.

Apr 14 20:28:00: ISAKMP (0:5): IPSec policy invalidated proposal

Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 9

Apr 14 20:28:00: ISAKMP: transform 1, ESP_3DES

Apr 14 20:28:00: ISAKMP:   attributes in transform:

Apr 14 20:28:00: ISAKMP:      authenticator is HMAC-MD5

Apr 14 20:28:00: ISAKMP:      encaps is 61443 (Tunnel-UDP)

Apr 14 20:28:00: ISAKMP:      SA life type in seconds

Apr 14 20:28:00: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.

Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 9

Apr 14 20:28:00: ISAKMP (0:5): transform 1, IPPCP LZS

Apr 14 20:28:00: ISAKMP:   attributes in transform:

Apr 14 20:28:00: ISAKMP:      encaps is 61443 (Tunnel-UDP)

Apr 14 20:28:00: ISAKMP:      SA life type in seconds

Apr 14 20:28:00: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.

Apr 14 20:28:00: ISAKMP (0:5): IPSec policy invalidated proposal

Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 10

Apr 14 20:28:00: ISAKMP: transform 1, ESP_3DES

Apr 14 20:28:00: ISAKMP:   attributes in transform:

Apr 14 20:28:00: ISAKMP:      authenticator is HMAC-SHA

Apr 14 20:28:00: ISAKMP:      encaps is 61443 (Tunnel-UDP)

Apr 14 20:28:00: ISAKMP:      SA life type in seconds

Apr 14 20:28:00: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.

Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 10

Apr 14 20:28:00: ISAKMP (0:5): transform 1, IPPCP LZS

Apr 14 20:28:00: ISAKMP:   attributes in transform:

Apr 14 20:28:00: ISAKMP:      encaps is 61443 (Tunnel-UDP)

Apr 14 20:28:00: ISAKMP:      SA life type in seconds

Apr 14 20:28:00: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.

Apr 14 20:28:00: ISAKMP (0:5): IPSec policy invalidated proposal

Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 11

Apr 14 20:28:00: ISAKMP: transform 1, ESP_3DES

Apr 14 20:28:00: ISAKMP:   attributes in transform:

Apr 14 20:28:00: ISAKMP:      authenticator is HMAC-MD5

Apr 14 20:28:00: ISAKMP:      encaps is 61443 (Tunnel-UDP)

Apr 14 20:28:00: ISAKMP:      SA life type in seconds

Apr 14 20:28:00: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.

Apr 14 20:28:00: ISAKMP (0:5): IPSec policy invalidated proposal

Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 12

Apr 14 20:28:00: ISAKMP: transform 1, ESP_3DES

Apr 14 20:28:00: ISAKMP:   attributes in transform:

Apr 14 20:28:00: ISAKMP:      authenticator is HMAC-SHA

Apr 14 20:28:00: ISAKMP:      encaps is 61443 (Tunnel-UDP)

Apr 14 20:28:00: ISAKMP:      SA life type in seconds

Apr 14 20:28:00: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.

Apr 14 20:28:00: ISAKMP (0:5): processing NONCE payload. message ID = -1484822979

Apr 14 20:28:00: ISAKMP (0:5): processing ID payload. message ID = -1484822979

Apr 14 20:28:00: ISAKMP (0:5): processing ID payload. message ID = -1484822979

Apr 14 20:28:00: ISAKMP (0:5): asking for 1 spis from ipsec

Apr 14 20:28:00: ISAKMP (0:5): Node -1484822979, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

Apr 14 20:28:00: ISAKMP (0:5): Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE

Apr 14 20:28:00: ISAKMP: received ke message (2/1)

Apr 14 20:28:00: ISAKMP: Locking peer struct 0x827CC194, IPSEC refcount 1 for for stuff_ke

Apr 14 20:28:00: ISAKMP (0:5): Creating IPSec SAs

Apr 14 20:28:00:         inbound SA from 31.46.217.152 to 172.19.10.2 (f/i)  0/ 0

(proxy 172.16.100.139 to 0.0.0.0)

Apr 14 20:28:00:         has spi 0x8FD2904D and conn_id 2000 and flags 400

Apr 14 20:28:00:         lifetime of 2147483 seconds

Apr 14 20:28:00:         has client flags 0x10

Apr 14 20:28:00:         outbound SA from 172.19.10.2     to 31.46.217.152   (f/i)  0/ 0 (proxy 0.0.0.0         to 172.16.100.139 )

Apr 14 20:28:00:         has spi -6302958 and conn_id 2001 and flags 408

Apr 14 20:28:00:         lifetime of 2147483 seconds

Apr 14 20:28:00:         has client flags 0x10

Apr 14 20:28:00: ISAKMP (0:5): sending packet to 31.46.217.152 my_port 4500 peer_port 64924 (R) QM_IDLE

Apr 14 20:28:00: ISAKMP (0:5): Node -1484822979, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY

c2610#

Apr 14 20:28:00: ISAKMP (0:5): Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2

Apr 14 20:28:00: ISAKMP (0:5): received packet from 31.46.217.152 dport 4500 sport 64924 Global (R) QM_IDLE

Apr 14 20:28:00: ISAKMP (0:5): deleting node -1484822979 error FALSE reason "quick mode done (await)"

Apr 14 20:28:00: ISAKMP (0:5): Node -1484822979, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

Apr 14 20:28:00: ISAKMP (0:5): Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE

c2610#

Apr 14 20:28:20: ISAKMP (0:5): received packet from 31.46.217.152 dport 4500 sport 64924 Global (R) QM_IDLE

Apr 14 20:28:20: ISAKMP: set new node 1889257039 to QM_IDLE

Apr 14 20:28:20: ISAKMP (0:5): processing HASH payload. message ID = 1889257039

Apr 14 20:28:20: ISAKMP (0:5): processing NOTIFY R_U_THERE protocol 1

spi 0, message ID = 1889257039, sa = 828088C4

Apr 14 20:28:20: ISAKMP (0:5): deleting node 1889257039 error FALSE reason "informational (in) state 1"

Apr 14 20:28:20: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

Apr 14 20:28:20: ISAKMP (0:5): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

c2610#

Apr 14 20:28:20: ISAKMP (0:5): DPD/R_U_THERE received from peer 31.46.217.152, sequence 0xE598AC55

Apr 14 20:28:20: ISAKMP: set new node 7247466 to QM_IDLE

Apr 14 20:28:20: ISAKMP (0:5): Sending NOTIFY R_U_THERE_ACK protocol 1

spi 2197426064, message ID = 7247466 seq. no 0xE598AC55

Apr 14 20:28:20: ISAKMP (0:5): sending packet to 31.46.217.152 my_port 4500 peer_port 64924 (R) QM_IDLE

Apr 14 20:28:20: ISAKMP (0:5): purging node 7247466

Apr 14 20:28:20: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE

Apr 14 20:28:20: ISAKMP (0:5): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

c2610#

Apr 14 20:28:30: ISAKMP (0:5): received packet from 31.46.217.152 dport 4500 sport 64924 Global (R) QM_IDLE

Apr 14 20:28:30: ISAKMP: set new node -1909867826 to QM_IDLE

Apr 14 20:28:30: ISAKMP (0:5): processing HASH payload. message ID = -1909867826

Apr 14 20:28:30: ISAKMP (0:5): processing NOTIFY R_U_THERE protocol 1

spi 0, message ID = -1909867826, sa = 828088C4

Apr 14 20:28:30: ISAKMP (0:5): deleting node -1909867826 error FALSE reason "informational (in) state 1"

Apr 14 20:28:30: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

Apr 14 20:28:30: ISAKMP (0:5): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

c2610#

Apr 14 20:28:30: ISAKMP (0:5): DPD/R_U_THERE received from peer 31.46.217.152, sequence 0xE598AC56

Apr 14 20:28:30: ISAKMP: set new node -1394998765 to QM_IDLE

Apr 14 20:28:30: ISAKMP (0:5): Sending NOTIFY R_U_THERE_ACK protocol 1

spi 2197426064, message ID = -1394998765 seq. no 0xE598AC56

Apr 14 20:28:30: ISAKMP (0:5): sending packet to 31.46.217.152 my_port 4500 peer_port 64924 (R) QM_IDLE

Apr 14 20:28:30: ISAKMP (0:5): purging node -1394998765

Apr 14 20:28:30: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE

Apr 14 20:28:30: ISAKMP (0:5): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

c2610#u

Apr 14 20:28:41: ISAKMP (0:5): received packet from 31.46.217.152 dport 4500 sport 64924 Global (R) QM_IDLE

Apr 14 20:28:41: ISAKMP: set new node -237402655 to QM_IDLE

Apr 14 20:28:41: ISAKMP (0:5): processing HASH payload. message ID = -237402655

Apr 14 20:28:41: ISAKMP (0:5): processing NOTIFY R_U_THERE protocol 1

spi 0, message ID = -237402655, sa = 828088C4

Apr 14 20:28:41: ISAKMP (0:5): deleting node -237402655 error FALSE reason "informational (in) state 1"

Apr 14 20:28:41: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

Apr 14 20:28:41: ISAKMP (0:5): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

c2610#u  

Apr 14 20:28:41: ISAKMP (0:5): DPD/R_U_THERE received from peer 31.46.217.152, sequence 0xE598AC57

Apr 14 20:28:41: ISAKMP: set new node 1199170187 to QM_IDLE

Apr 14 20:28:41: ISAKMP (0:5): Sending NOTIFY R_U_THERE_ACK protocol 1

spi 2197426064, message ID = 1199170187 seq. no 0xE598AC57

Apr 14 20:28:41: ISAKMP (0:5): sending packet to 31.46.217.152 my_port 4500 peer_port 64924 (R) QM_IDLE

Apr 14 20:28:41: ISAKMP (0:5): purging node 1199170187

Apr 14 20:28:41: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE

Apr 14 20:28:41: ISAKMP (0:5): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

debug cry ipsec

Crypto IPSEC debugging is on

c2610#

Apr 14 20:23:24: IPSEC(key_engine): got a queue event...

c2610#

Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-aes 256 esp-md5-hmac  (Tunnel-UDP),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x400

Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #2,

(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),

protocol= PCP, transform= comp-lzs  (Tunnel-UDP),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400

Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =

Apr 14 20:23:30: IPSEC(validate_transform_proposal): transform proposal not supported for identity:

{esp-aes 256 esp-md5-hmac comp-lzs }

Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel-UDP),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x400

Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #2,

(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),

protocol= PCP, transform= comp-lzs  (Tunnel-UDP),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400

Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =

Apr 14 20:23:30: IPSEC(validate_transform_proposal): transform proposal not supported for identity:

{esp-aes 256 esp-sha-hmac comp-lzs }

Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel-UDP),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x400

Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #2,

(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),

protocol= PCP, transform= comp-lzs  (Tunnel-UDP),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400

Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =

Apr 14 20:23:30: IPSEC(validate_transform_proposal): transform proposal not supported for identity:

{esp-aes esp-md5-hmac comp-lzs }

Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel-UDP),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x400

Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #2,

(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),

protocol= PCP, transform= comp-lzs  (Tunnel-UDP),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400

Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =

Apr 14 20:23:30: IPSEC(validate_transform_proposal): transform proposal not supported for identity:

{esp-aes esp-sha-hmac comp-lzs }

Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-aes 256 esp-md5-hmac  (Tunnel-UDP),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x400

Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =

Apr 14 20:23:30: IPSEC(validate_transform_proposal): transform proposal not supported for identity:

{esp-aes 256 esp-md5-hmac }

Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel-UDP),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x400

Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =

Apr 14 20:23:30: IPSEC(validate_transform_proposal): transform proposal not supported for identity:

{esp-aes 256 esp-sha-hmac }

Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel-UDP),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x400

Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =

Apr 14 20:23:30: IPSEC(validate_transform_proposal): transform proposal not supported for identity:

{esp-aes esp-md5-hmac }

Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel-UDP),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x400

Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =

Apr 14 20:23:30: IPSEC(validate_transform_proposal): transform proposal not supported for identity:

{esp-aes esp-sha-hmac }

Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel-UDP),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400

Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #2,

(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),

protocol= PCP, transform= comp-lzs  (Tunnel-UDP),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400

Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =

Apr 14 20:23:30: IPSEC(validate_transform_proposal): transform proposal not supported for identity:

{esp-3des esp-md5-hmac comp-lzs }

Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel-UDP),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400

Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #2,

(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),

protocol= PCP, transform= comp-lzs  (Tunnel-UDP),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400

Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =

Apr 14 20:23:30: IPSEC(validate_transform_proposal): transform proposal not supported for identity:

{esp-3des esp-sha-hmac comp-lzs }

Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel-UDP),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400

Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =

Apr 14 20:23:30: IPSEC(validate_transform_proposal): transform proposal not supported for identity:

{esp-3des esp-md5-hmac }

Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND

c2610#local= 172.19.10.2, remote= 31.46.217.152,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel-UDP),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400

Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =

Apr 14 20:23:30: IPSEC(key_engine): got a queue event...

Apr 14 20:23:30: IPSEC(spi_response): getting spi 4230764129 for SA

from 172.19.10.2     to 31.46.217.152   for prot 3

Apr 14 20:23:30: IPSEC(key_engine): got a queue event...

Apr 14 20:23:30: IPSEC(initialize_sas): ,

(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 172.16.100.138/0.0.0.0/0/0 (type=1),

protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel-UDP),

lifedur= 2147483s and 0kb,

spi= 0xFC2C5661(4230764129), conn_id= 2000, keysize= 0, flags= 0x400

Apr 14 20:23:30: IPSEC(initialize_sas): ,

(key eng. msg.) OUTBOUND local= 172.19.10.2, remote= 31.46.217.152,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 172.16.100.138/0.0.0.0/0/0 (type=1),

protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel-UDP),

lifedur= 2147483s and 0kb,

spi= 0xE455ACA(239426250), conn_id= 2001, keysize= 0, flags= 0x408

Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =

Apr 14 20:23:30: IPSEC(rte_mgr): VPN Route Added 172.16.100.138 255.255.255.255 via 31.46.217.152 in IP DEFAULT TABLE

Apr 14 20:23:30: IPSEC(add mtree): src 0.0.0.0, dest 172.16.100.138, dest_port 0

Apr 14 20:23:30: IPSEC(create_sa): sa created,

(sa) sa_dest= 172.19.10.2, sa_prot= 50,

sa_spi= 0xFC2C5661(4230764129),

sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2000

Apr 14 20:23:30: IPSEC(create_sa): sa created

c2610#,

(sa) sa_dest= 31.46.217.152, sa_prot= 50,

sa_spi= 0xE455ACA(239426250),

sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001

Apr 14 20:23:31: IPSEC(key_engine): got a queue event...

Apr 14 20:23:31: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP

Apr 14 20:23:31: IPSEC(key_engine_enable_outbound): enable SA with spi 239426250/50 for 31.46.217.152

###################################################################################################

Cisco Systems VPN Client Version 5.0.07.0410
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1      20:22:27.568  04/14/13  Sev=Warning/2     CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.100.136, error 0

2      20:22:28.568  04/14/13  Sev=Warning/2     CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0

3      20:22:28.927  04/14/13  Sev=Warning/2     IKE/0xA3000067
Received an IPC message during invalid state (IKE_MAIN:512)

4      20:22:48.318  04/14/13  Sev=Warning/2     CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination     192.168.2.0
Netmask     255.255.255.0
Gateway     172.16.0.1
Interface     172.16.100.137

5      20:22:48.318  04/14/13  Sev=Warning/2     CM/0xA3100024
Unable to add route. Network: c0a80200, Netmask: ffffff00, Interface: ac106489, Gateway: ac100001.

6      20:23:11.630  04/14/13  Sev=Warning/2     CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.100.137, error 0

7      20:23:12.661  04/14/13  Sev=Warning/2     CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0

8      20:23:13.193  04/14/13  Sev=Warning/2     IKE/0xA3000067
Received an IPC message during invalid state (IKE_MAIN:512)

9      20:23:34.036  04/14/13  Sev=Warning/2     CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination     192.168.2.0
Netmask     255.255.255.0
Gateway     172.16.0.1
Interface     172.16.100.138

10     20:23:34.036  04/14/13  Sev=Warning/2     CM/0xA3100024
Unable to add route. Network: c0a80200, Netmask: ffffff00, Interface: ac10648a, Gateway: ac100001.

11     20:26:44.349  04/14/13  Sev=Warning/2     CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.100.138, error 0

12     20:26:45.349  04/14/13  Sev=Warning/2     CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0

13     20:26:45.818  04/14/13  Sev=Warning/2     IKE/0xA3000067
Received an IPC message during invalid state (IKE_MAIN:512)

14     20:28:02.239  04/14/13  Sev=Warning/2     CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination     192.168.2.0
Netmask     255.255.255.0
Gateway     172.16.0.1
Interface     172.16.100.139

15     20:28:02.255  04/14/13  Sev=Warning/2     CM/0xA3100024
Unable to add route. Network: c0a80200, Netmask: ffffff00, Interface: ac10648b, Gateway: ac100001.

16     20:30:29.489  04/14/13  Sev=Warning/2     CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.100.139, error 0

17     20:30:30.489  04/14/13  Sev=Warning/2     CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0

18     20:30:30.818  04/14/13  Sev=Warning/2     IKE/0xA3000067
Received an IPC message during invalid state (IKE_MAIN:512)

Simerjeet Singh
Cisco Employee

For testing, remove the last line of the split ACL 110 that says permit ip any.....

Once it is removed, connect the client and test again.



I removed it. The VPN client software shows only the

172.16.100.0

172.16.100.32

172.16.100.128

172.16.100.192 networks, and the client uses its local gateway to ping.

If you want all the VPN traffic, including internet traffic, to go through the tunnel, you don't need the split-tunnel ACL at all.

Just remove the acl line from the crypto isakmp client configuration group:

crypto isakmp client configuration group VPN_CLIENTS

no acl 110

Plus, when writing rules for a split-tunnel ACL, you should do it from the perspective of the server, and you don't have to include destinations (which are addresses from the VPN pool) in that ACL.

For example, if you want traffic to network 10.0.0.0/24 (inside network) to go through the tunnel, your split ACL should look like this:

access-list 110 permit ip 10.0.0.0 0.0.0.255 any
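How the split-tunnel ACL in the reply above turns into client-side routing decisions, as an added example that is not part of the original thread. The function names and the catch-all ACL entry are constructed for illustration, and the model only looks at `permit ip` entries.

```python
import ipaddress


def _take_addr(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD) from tokens."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = ipaddress.IPv4Address(tokens.pop(0))
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
    netmask = ipaddress.IPv4Address(int(wildcard) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{head}/{netmask}", strict=False)


def client_routes(acl_lines):
    """Networks the VPN client routes into the tunnel for a split-tunnel ACL.

    The ACL is written from the gateway's point of view, so only the SOURCE
    field of each permit entry is used: it names the networks behind the
    gateway. The destination field (the VPN pool, or "any") is ignored.
    """
    routes = []
    for line in acl_lines:
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # not an "access-list N permit|deny ip ..." entry
        action, rest = tokens[2], tokens[4:]
        source = _take_addr(rest)
        if action == "permit":
            routes.append(source)
    return routes


def path_for(destination, routes):
    """Return 'tunnel' or 'local gateway' for one destination address.

    An empty route list models "no acl" in the client configuration group:
    with no split-tunnel ACL, all client traffic goes through the tunnel.
    """
    if not routes:
        return "tunnel"
    addr = ipaddress.ip_address(destination)
    return "tunnel" if any(addr in net for net in routes) else "local gateway"


# ACL line taken from the reply above.
SPLIT_ACL = ["access-list 110 permit ip 10.0.0.0 0.0.0.255 any"]
# Constructed catch-all entry: source "any" becomes a 0.0.0.0/0 client route.
CATCH_ALL = ["access-list 110 permit ip any any"]

if __name__ == "__main__":
    for name, acl in (("split", SPLIT_ACL), ("catch-all", CATCH_ALL), ("no acl", [])):
        routes = client_routes(acl)
        print(name, [str(r) for r in routes],
              "10.0.0.25 ->", path_for("10.0.0.25", routes),
              "| 4.2.2.2 ->", path_for("4.2.2.2", routes))
```

Traffic that the client sends into the tunnel for an internet destination still has to be translated on the gateway before it can leave the WAN interface, which is a separate question from the routing shown here.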

I removed the split ACL. I tried to ping 4.2.2.2: nothing. The router's local addresses are OK.

With traceroute, the client sent to 172.19.10.2, but after that * * * request timed out.

Any idea?

Generally, the problem is that traffic from the VPN client doesn't get translated when going out of the outside interface of the VPN gateway. That's because, in order for packets to be translated, they should go through interfaces marked as inside and outside. In this case, traffic from the VPN client doesn't traverse the inside interface and doesn't get translated.

To solve this, your task is to direct traffic from the VPN client to go to, for example, some loopback interface of the VPN gateway, marked as nat inside. You can use a route-map to accomplish this.

Look through this link to understand it better, and try to modify your config correspondingly.

http://www.packetu.com/2012/06/26/nat-vpns-and-hairpinning-internet-traffic-in-ios/

I'll try to put the correct config for your case here if I have time to test it.

Thank you! I thought that the problem was probably the NAT. I added the route-map and the VPN works perfectly. Thanks again!!!

After I added everything it worked fine, but if I start downloading from the inside network, the CPU usage of IP INPUT becomes very high.

Here is what I added to the config:

interface Loopback2

ip address 172.16.100.129 255.255.255.224

ip nat inside

!

access-list 102 permit ip 172.16.100.128 0.0.0.31 any

access-list 102 deny ip any any

!

route-map ROUTEMAP permit 10

match ip address 102

set interface Loopback2

+ ip policy route-map ROUTEMAP /TO WAN INTERFACE/