04-13-2013 04:07 PM - edited 02-21-2020 06:49 PM
Hello!
First, sorry about my bad English.
I am new to IPSec VPN. I have a 2610 router with the c2600-ik9o3s3-mz.123-26.bin IOS.
I successfully set up a remote access VPN (UDP); I can connect to the router and I can ping my inside networks (split tunnel works).
I added an access-list entry to the split tunnel ACL, to reach everything from the VPN client's network.
But I can't ping or browse outside addresses. Is it possible for packets that come from clients on the WAN port to be NATed back to the WAN?
I would like to browse through my home router.
Thanks
04-14-2013 09:52 AM
Please upload the config.
Sent from Cisco Technical Support Android App
04-14-2013 10:25 AM
!
version 12.3
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service compress-config
service pt-vty-logging
!
hostname c2610
!
boot-start-marker
boot-end-marker
!
no logging buffered
no logging rate-limit
enable secret 5 ************
!
memory-size iomem 15
clock timezone GMT 1
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN_CLIENT_LOGIN local
aaa authorization network VPN_CLIENT_GROUP local
aaa session-id common
ip subnet-zero
ip cef
!
!
ip domain name ZZZ
ip name-server 4.2.2.2
ip dhcp excluded-address 172.16.100.193 172.16.100.195
ip dhcp excluded-address 172.16.100.200 172.16.100.210
!
ip dhcp pool mine192
 network 172.16.100.192 255.255.255.224
 default-router 172.16.100.193
 dns-server 172.16.100.193
!
ip audit po max-events 250
!
username *****
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN_CLIENTS
 key *******
 dns 172.16.100.193
 pool IPSEC
 acl 110
!
!
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
!
crypto dynamic-map EXT_DYNAMIC_MAP 10
 set transform-set TRANS_3DES_SHA
 reverse-route
!
!
crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
crypto map EXT_MAP client configuration address respond
crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
!
!
interface Ethernet0/0
 description OUTSIDE_PORT
 ip address 172.19.10.2 255.255.0.0
 ip nat outside
 half-duplex
 no cdp enable
 crypto map EXT_MAP
!
interface Ethernet1/0
 ip address 172.16.100.193 255.255.255.224
 ip nat inside
 half-duplex
 ntp multicast
!
ip local pool IPSEC 172.16.100.130 172.16.100.158
ip nat inside source list 101 interface Ethernet0/0 overload
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 172.19.10.1
!
ip dns server
!
!
access-list 101 deny ip 172.16.100.0 0.0.0.31 172.16.100.128 0.0.0.31
access-list 101 deny ip 172.16.100.32 0.0.0.31 172.16.100.128 0.0.0.31
access-list 101 deny ip 172.16.100.192 0.0.0.31 172.16.100.128 0.0.0.31
access-list 101 permit ip any any
access-list 110 permit ip 172.16.100.0 0.0.0.31 172.16.100.128 0.0.0.31
access-list 110 permit ip 172.16.100.32 0.0.0.31 172.16.100.128 0.0.0.31
access-list 110 permit ip 172.16.100.192 0.0.0.31 172.16.100.128 0.0.0.31
access-list 110 permit ip 172.16.100.128 0.0.0.31 172.16.100.128 0.0.0.31
access-list 110 permit ip any 172.16.100.128 0.0.0.31
!
!
dial-peer cor custom
!
!
end
Thanks
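Added example, not part of the original thread: a simplified Python model of the configuration posted above, showing which split-include networks ACL 110 produces and whether `ip nat inside source list 101` translates a packet, given the interface it arrives on. The LAN host address 172.16.100.200 and all function names are assumptions made for the example; the model looks only at interface NAT roles, the default route and the two ACLs.

```python
import ipaddress

# Lines copied from the configuration posted above; only the statements that
# decide split tunnelling, routing and NAT are kept.
CONFIG = """\
interface Ethernet0/0
 ip address 172.19.10.2 255.255.0.0
 ip nat outside
 crypto map EXT_MAP
interface Ethernet1/0
 ip address 172.16.100.193 255.255.255.224
 ip nat inside
ip nat inside source list 101 interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 172.19.10.1
access-list 101 deny ip 172.16.100.0 0.0.0.31 172.16.100.128 0.0.0.31
access-list 101 deny ip 172.16.100.32 0.0.0.31 172.16.100.128 0.0.0.31
access-list 101 deny ip 172.16.100.192 0.0.0.31 172.16.100.128 0.0.0.31
access-list 101 permit ip any any
access-list 110 permit ip 172.16.100.0 0.0.0.31 172.16.100.128 0.0.0.31
access-list 110 permit ip 172.16.100.32 0.0.0.31 172.16.100.128 0.0.0.31
access-list 110 permit ip 172.16.100.192 0.0.0.31 172.16.100.128 0.0.0.31
access-list 110 permit ip 172.16.100.128 0.0.0.31 172.16.100.128 0.0.0.31
access-list 110 permit ip any 172.16.100.128 0.0.0.31
"""


def _take_net(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' from an ACL token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)  # invert the wildcard
    return ipaddress.ip_network(f"{first}/{netmask}", strict=False)


def parse(config):
    """Return (interfaces, acls, nat_acl, default_gw) for the subset above."""
    ifaces, acls, nat_acl, gw, cur = {}, {}, None, None, None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "interface":
            cur = ifaces.setdefault(words[1], {"nat": None, "crypto": False, "net": None})
        elif line.startswith(" ") and cur is not None:
            if words[:2] == ["ip", "address"]:
                cur["net"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
            elif words[:2] == ["ip", "nat"]:
                cur["nat"] = words[2]
            elif words[:2] == ["crypto", "map"]:
                cur["crypto"] = True
        elif words[:4] == ["ip", "nat", "inside", "source"]:
            nat_acl = int(words[5])
        elif words[:4] == ["ip", "route", "0.0.0.0", "0.0.0.0"]:
            gw = ipaddress.ip_address(words[4])
        elif words[0] == "access-list":
            rest = words[4:]  # tokens after: access-list N action ip
            src = _take_net(rest)
            dst = _take_net(rest)
            acls.setdefault(int(words[1]), []).append((words[2], src, dst))
    return ifaces, acls, nat_acl, gw


def split_include(acls, number=110):
    """Networks pushed to the client: the source field of each permit entry."""
    return [src.with_netmask for action, src, _ in acls[number] if action == "permit"]


def acl_permits(entries, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def nat_applies(ingress, src, dst, config=CONFIG):
    """Simplified model of 'ip nat inside source': translate only when the
    packet enters on an 'ip nat inside' interface, leaves on an 'ip nat outside'
    interface and is permitted by the NAT ACL. Egress is assumed to follow the
    default route."""
    ifaces, acls, nat_acl, gw = parse(config)
    egress = next(name for name, i in ifaces.items() if gw in i["net"])
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (ifaces[ingress]["nat"] == "inside"
            and ifaces[egress]["nat"] == "outside"
            and acl_permits(acls[nat_acl], src, dst))


if __name__ == "__main__":
    ifaces, acls, _, _ = parse(CONFIG)
    print("split include:", split_include(acls))
    vpn_if = next(n for n, i in ifaces.items() if i["crypto"])  # tunnel endpoint
    # 172.16.100.139 is an address from the IPSEC pool; .200 is a constructed LAN host.
    print("VPN client -> 4.2.2.2 translated:", nat_applies(vpn_if, "172.16.100.139", "4.2.2.2"))
    print("LAN host   -> 4.2.2.2 translated:", nat_applies("Ethernet1/0", "172.16.100.200", "4.2.2.2"))
```

In this model the `any` entry in ACL 110 yields a 0.0.0.0/0.0.0.0 split-include, so the client sends all traffic into the tunnel, while packets from the pool arrive on the `ip nat outside` interface and are therefore not translated even though ACL 101 permits them.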
04-14-2013 10:43 AM
After connecting the client, what do you get when you try to ping
Ping 4.2.2.2
04-14-2013 10:52 AM
"request timed out"
I tried with traceroute and the client sends it to 172.19.10.2.
04-14-2013 11:11 AM
Interesting. Enable the following debugs on the router:
debug cry isa
debug cry ipsec
Also enable logging on the VPN client at level 3.
Once debugs and logs are enabled, connect the client and upload the info here.
04-14-2013 11:44 AM
I reconnected several times; the client IP changed.
debug cry isa
Crypto ISAKMP debugging is on
c2610#
Apr 14 20:27:54: ISAKMP (0:0): received packet from 31.46.217.152 dport 500 sport 64923 Global (N) NEW SA
Apr 14 20:27:54: ISAKMP: Created a peer struct for 31.46.217.152, peer port 64923
Apr 14 20:27:54: ISAKMP: Locking peer struct 0x827CC194, IKE refcount 1 for Responding to new initiation
Apr 14 20:27:54: ISAKMP (0:0): Setting client config settings 8319C440
Apr 14 20:27:54: ISAKMP (0:0): (Re)Setting client xauth list and state
Apr 14 20:27:54: ISAKMP: local port 500, remote port 64923
Apr 14 20:27:54: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 828088C4
Apr 14 20:27:54: ISAKMP (0:5): processing SA payload. message ID = 0
Apr 14 20:27:54: ISAKMP (0:5): processing ID payload. message ID = 0
Apr 14 20:27:54: ISAKMP (0:5): ID payload
next-payload : 13
type : 11
group id : VPN_CLIENTS
protocol : 17
port : 500
length : 19
Apr 14 20:27:54: ISAKMP (0:5): peer matches *none* of the profiles
Apr 14 20:27:54: ISAKMP (0:5): processing vendor id payload
Apr 14 20:27:54: ISAKMP (0:5): vendor ID seems Unity/DPD but major 215 mismatch
Apr 14 20:27:54: ISAKMP (0:5): vendor ID is XAUTH
Apr 14 20:27:54: ISAKMP (0:5): processing vendor id payload
Apr 14 20:27:54: ISAKMP (0:5): vendor ID is DPD
Apr 14 20:27:54: ISAKMP (0:5): processing vendor id payload
Apr 14 20:27:54: ISAKMP (0:5): vendor ID seems Unity/DPD but major 194 mismatch
Apr 14 20:27:54: ISAKMP (0:5): processing vendor id payload
Apr 14 20:27:54: ISAKMP (0:5): vendor ID seems Unity/DPD but major 123 mismatch
Apr 14 20:27:54: ISAKMP (0:5): vendor ID is NAT-T v2
Apr 14 20:27:54: ISAKMP (0:5): processing vendor id payload
Apr 14 20:27:54: ISAKMP (0:5): vendor ID is Unity
Apr 14 20:27:54: ISAKMP (0:5) Authentication by xauth preshared
Apr 14 20:27:54: ISAKMP (0:5): Checking ISAKMP transform 1 against priority 10 policy
Apr 14 20:27:54: ISAKMP: encryption AES-CBC
Apr 14 20:27:54: ISAKMP: hash SHA
Apr 14 20:27:54: ISAKMP: default group 2
Apr 14 20:27:54: ISAKMP: auth XAUTHInitPreShared
Apr 14 20:27:54: ISAKMP: life type in seconds
Apr 14 20:27:54: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:27:54: ISAKMP: keylength of 256
Apr 14 20:27:54: ISAKMP (0:5): Encryption algorithm offered does not match policy!
Apr 14 20:27:54: ISAKMP (0:5): atts are not acceptable. Next payload is 3
Apr 14 20:27:54: ISAKMP (0:5): Checking ISAKMP transform 2 against priority 10 policy
Apr 14 20:27:54: ISAKMP: encryption AES-CBC
Apr 14 20:27:54: ISAKMP: hash MD5
Apr 14 20:27:54: ISAKMP: default group 2
Apr 14 20:27:54: ISAKMP: auth XAUTHInitPreShared
Apr 14 20:27:54: ISAKMP: life type in seconds
Apr 14 20:27:54: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:27:54: ISAKMP: keylength of 256
Apr 14 20:27:54: ISAKMP (0:5): Encryption algorithm offered does not match policy!
Apr 14 20:27:54: ISAKMP (0:5): atts are not acceptable. Next payload is 3
Apr 14 20:27:54: ISAKMP (0:5): Checking ISAKMP transform 3 against priority 10 policy
Apr 14 20:27:54: ISAKMP: encryption AES-CBC
Apr 14 20:27:54: ISAKMP: hash SHA
Apr 14 20:27:54: ISAKMP: default group 2
Apr 14 20:27:54: ISAKMP: auth pre-share
Apr 14 20:27:54: ISAKMP: life type in seconds
Apr 14 20:27:54: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:27:54: ISAKMP: keylength of 256
Apr 14 20:27:54: ISAKMP (0:5): Encryption algorithm offered does not match policy!
Apr 14 20:27:54: ISAKMP (0:5): atts are not acceptable. Next payload is 3
Apr 14 20:27:54: ISAKMP (0:5): Checking ISAKMP transform 4 against priority 10 policy
Apr 14 20:27:54: ISAKMP: encryption AES-CBC
Apr 14 20:27:54: ISAKMP: hash MD5
Apr 14 20:27:54: ISAKMP: default group 2
Apr 14 20:27:54: ISAKMP: auth pre-share
Apr 14 20:27:54: ISAKMP: life type in seconds
Apr 14 20:27:54: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:27:54: ISAKMP: keylength of 256
Apr 14 20:27:54: ISAKMP (0:5): Encryption algorithm offered does not match policy!
Apr 14 20:27:54: ISAKMP (0:5): atts are not acceptable. Next payload is 3
Apr 14 20:27:54: ISAKMP (0:5): Checking ISAKMP transform 5 against priority 10 policy
Apr 14 20:27:54: ISAKMP: encryption AES-CBC
Apr 14 20:27:54: ISAKMP: hash SHA
Apr 14 20:27:54: ISAKMP: default group 2
Apr 14 20:27:54: ISAKMP: auth XAUTHInitPreShared
Apr 14 20:27:54: ISAKMP: life type in seconds
Apr 14 20:27:54: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:27:54: ISAKMP: keylength of 128
Apr 14 20:27:54: ISAKMP (0:5): Encryption algorithm offered does not match policy!
Apr 14 20:27:54: ISAKMP (0:5): atts are not acceptable. Next payload is 3
Apr 14 20:27:54: ISAKMP (0:5): Checking ISAKMP transform 6 against priority 10 policy
Apr 14 20:27:54: ISAKMP: encryption AES-CBC
Apr 14 20:27:54: ISAKMP: hash MD5
Apr 14 20:27:54: ISAKMP: default group 2
Apr 14 20:27:54: ISAKMP: auth XAUTHInitPreShared
Apr 14 20:27:54: ISAKMP: life type in seconds
Apr 14 20:27:54: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:27:54: ISAKMP: keylength of 128
Apr 14 20:27:54: ISAKMP (0:5): Encryption algorithm offered does not match policy!
Apr 14 20:27:54: ISAKMP (0:5): atts are not acceptable. Next payload is 3
Apr 14 20:27:54: ISAKMP (0:5): Checking ISAKMP transform 7 against priority 10 policy
Apr 14 20:27:54: ISAKMP: encryption AES-CBC
Apr 14 20:27:54: ISAKMP: hash SHA
Apr 14 20:27:54: ISAKMP: default group 2
Apr 14 20:27:54: ISAKMP: auth pre-share
Apr 14 20:27:54: ISAKMP: life type in seconds
Apr 14 20:27:54: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:27:54: ISAKMP: keylength of 128
Apr 14 20:27:54: ISAKMP (0:5): Encryption algorithm offered does not match policy!
Apr 14 20:27:54: ISAKMP (0:5): atts are not acceptable. Next payload is 3
Apr 14 20:27:54: ISAKMP (0:5): Checking ISAKMP transform 8 against priority 10 policy
Apr 14 20:27:54: ISAKMP: encryption AES-CBC
Apr 14 20:27:54: ISAKMP: hash MD5
Apr 14 20:27:54: ISAKMP: default group 2
Apr 14 20:27:54: ISAKMP: auth pre-share
Apr 14 20:27:54: ISAKMP: life type in seconds
Apr 14 20:27:54: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:27:54: ISAKMP: keylength of 128
Apr 14 20:27:54: ISAKMP (0:5): Encryption algorithm offered does not match policy!
Apr 14 20:27:54: ISAKMP (0:5): atts are not acceptable. Next payload is 3
Apr 14 20:27:54: ISAKMP (0:5): Checking ISAKMP transform 9 against priority 10 policy
Apr 14 20:27:54: ISAKMP: encryption 3DES-CBC
Apr 14 20:27:54: ISAKMP: hash SHA
Apr 14 20:27:54: ISAKMP: default group 2
Apr 14 20:27:54: ISAKMP: auth XAUTHInitPreShared
Apr 14 20:27:54: ISAKMP: life type in seconds
Apr 14 20:27:54: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:27:54: ISAKMP (0:5): atts are acceptable. Next payload is 3
Apr 14 20:27:55: ISAKMP (0:5): processing KE payload. message ID = 0
Apr 14 20:27:55: ISAKMP (0:5): processing NONCE payload. message ID = 0
Apr 14 20:27:55: ISAKMP (0:5): vendor ID is NAT-T v2
Apr 14 20:27:55: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Apr 14 20:27:55: ISAKMP (0:5): Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
Apr 14 20:27:55: ISAKMP: got callback 1
Apr 14 20:27:55: ISAKMP (0:5): SKEYID state generated
Apr 14 20:27:55: ISAKMP (0:5): constructed NAT-T vendor-02 ID
Apr 14 20:27:55: ISAKMP (0:5): SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
Apr 14 20:27:55: ISAKMP (0:5): ID payload
next-payload : 10
type : 1
address : 172.19.10.2
protocol : 17
port : 0
length : 12
Apr 14 20:27:55: ISAKMP (5): Total payload length: 12
Apr 14 20:27:55: ISAKMP (0:5): sending packet to 31.46.217.152 my_port 500 peer_port 64923 (R) AG_INIT_EXCH
Apr 14 20:27:55: ISAKMP (0:5): Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
Apr 14 20:27:55: ISAKMP (0:5): Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
Apr 14 20:27:55: ISAKMP (0:5): received packet from 31.46.217.152 dport 4500 sport 64924 Global (R) AG_INIT_EXCH
Apr 14 20:27:55: ISAKMP (0:5): processing HASH payload. message ID = 0
Apr 14 20:27:55: ISAKMP (0:5): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 828088C4
Apr 14 20:27:55: ISAKMP (0:5): SA authentication status:
authenticated
Apr 14 20:27:55: ISAKMP (0:5): Process initial contact,
bring down existing phase 1 and 2 SA's with local 172.19.10.2 remote 31.46.217.152 remote port 64924
Apr 14 20:27:55: ISAKMP (0:5): returning IP addr to the address pool
Apr 14 20:27:55: ISAKMP:received payload type 20
Apr 14 20:27:55: ISAKMP (0:5): NAT found, the node inside NAT
Apr 14 20:27:55: ISAKMP:received payload type 20
Apr 14 20:27:55: ISAKMP (0:5): NAT found, both nodes are all located inside NAT
Apr 14 20:27:55: ISAKMP (0:5): SA authentication status:
authenticated
Apr 14 20:27:55: ISAKMP (0:5): SA has been authenticated with 31.46.217.152
Apr 14 20:27:55: ISAKMP (0:5): Detected port floating to port = 64924
Apr 14 20:27:55: ISAKMP (0:5): Setting UDP ENC peer struct 0x8280C828 sa= 0x828088C4
Apr 14 20:27:55: ISAKMP: set new node -1361117581 to CONF_XAUTH
Apr 14 20:27:55: ISAKMP (0:5): Sending NOTIFY RESPONDER_LIFETIME protocol 1
spi 2197425896, message ID = -1361117581
Apr 14 20:27:55: ISAKMP (0:5): sending packet to 31.46.217.152 my_port 4500 peer_port 64924 (R) QM_IDLE
Apr 14 20:27:55: ISAKMP (0:5): purging node -1361117581
Apr 14 20:27:55: ISAKMP: Sending phase 1 responder lifetime 86400
Apr 14 20:27:55: ISAKMP (0:5): peer matches *none* of the profiles
Apr 14 20:27:55: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Apr 14 20:27:55: ISAKMP (0:5): Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE
Apr 14 20:27:55: ISAKMP (0:5): Need XAUTH
Apr 14 20:27:55: ISAKMP (0:5): FSM action returned error: 4
Apr 14 20:27:55: ISAKMP (0:5): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Apr 14 20:27:55: ISAKMP (0:5): Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_AAA_START_LOGIN_AWAIT
Apr 14 20:27:55: ISAKMP: got callback 1
Apr 14 20:27:55: ISAKMP: set new node -1345840736 to CONF_XAUTH
Apr 14 20:27:55: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
c2610#
Apr 14 20:27:55: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
Apr 14 20:27:55: ISAKMP (0:5): initiating peer config to 31.46.217.152. ID = -1345840736
Apr 14 20:27:55: ISAKMP (0:5): sending packet to 31.46.217.152 my_port 4500 peer_port 64924 (R) CONF_XAUTH
Apr 14 20:27:55: ISAKMP (0:5): Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOGIN
Apr 14 20:27:55: ISAKMP (0:5): Old State = IKE_XAUTH_AAA_START_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT
c2610#
Apr 14 20:27:57: ISAKMP (0:4): purging SA., sa=8330DC08, delme=8330DC08
c2610#
Apr 14 20:28:00: ISAKMP (0:5): received packet from 31.46.217.152 dport 4500 sport 64924 Global (R) CONF_XAUTH
Apr 14 20:28:00: ISAKMP (0:5): processing transaction payload from 31.46.217.152. message ID = -1345840736
Apr 14 20:28:00: ISAKMP: Config payload REPLY
Apr 14 20:28:00: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
Apr 14 20:28:00: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
Apr 14 20:28:00: ISAKMP (0:5): deleting node -1345840736 error FALSE reason "done with xauth request/reply exchange"
Apr 14 20:28:00: ISAKMP (0:5): FSM action returned error: 4
Apr 14 20:28:00: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
Apr 14 20:28:00: ISAKMP (0:5): Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
Apr 14 20:28:00: ISAKMP: got callback 1
Apr 14 20:28:00: ISAKMP: set new node 1135617684 to CONF_XAUTH
Apr 14 20:28:00: ISAKMP (0:5): initiating peer config to 31.46.217.152. ID = 1135617684
Apr 14 20:28:00: ISAKMP (0:5): sending packet to 31.46.217.152 my_port 4500 peer_port 64924 (R) CONF_XAUTH
Apr 14 20:28:00: ISAKMP (0:5): Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
Apr 14 20:28:00: ISAKMP (0:5): Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_SET_SENT
Apr 14 20:28:00: ISAKMP (0:5): received packet from 31.46.217.152 dport 4500 sport 64924 Global (R) CONF_XAUTH
Apr 14 20:28:00: ISAKMP (0:5): processing transaction payload from 31.46.217.152. message ID = 1135617684
Apr 14 20:28:00: ISAKMP: Config payload ACK
Apr 14 20:28:00: ISAKMP (0:5): blank XAUTH ACK Processed
Apr 14 20:28:00: ISAKMP (0:5): deleting node 1135617684 error FALSE reason "done with transaction"
Apr 14 20:28:00: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
Apr 14 20:28:00: ISAKMP (0:5): Old State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE
Apr 14 20:28:00: ISAKMP (0:5): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Apr 14 20:28:00: ISAKMP (0:5): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Apr 14 20:28:00: ISAKMP (0:5): received packet from 31.46.217.152 dport 4500 sport 64924 Global (R) QM_IDLE
Apr 14 20:28:00: ISAKMP: set new node -2147038172 to QM_IDLE
Apr 14 20:28:00: ISAKMP (0:5): processing transaction payload from 31.46.217.152. message ID = -2147038172
Apr 14 20:28:00: ISAKMP: Config payload REQUEST
Apr 14 20:28:00: ISAKMP (0:5): checking request:
Apr 14 20:28:00: ISAKMP: IP4_ADDRESS
Apr 14 20:28:00: ISAKMP: IP4_NETMASK
Apr 14 20:28:00: ISAKMP: IP4_DNS
Apr 14 20:28:00: ISAKMP: IP4_NBNS
Apr 14 20:28:00: ISAKMP: ADDRESS_EXPIRY
Apr 14 20:28:00: ISAKMP: UNKNOWN Unknown Attr: 0x7000
Apr 14 20:28:00: ISAKMP: UNKNOWN Unknown Attr: 0x7001
Apr 14 20:28:00: ISAKMP: DEFAULT_DOMAIN
Apr 14 20:28:00: ISAKMP: SPLIT_INCLUDE
Apr 14 20:28:00: ISAKMP: UNKNOWN Unknown Attr: 0x7003
Apr 14 20:28:00: ISAKMP: UNKNOWN Unknown Attr: 0x7007
Apr 14 20:28:00: ISAKMP: UNKNOWN Unknown Attr: 0x700B
Apr 14 20:28:00: ISAKMP: UNKNOWN Unknown Attr: 0x7009
Apr 14 20:28:00: ISAKMP: UNKNOWN Unknown Attr: 0x700C
Apr 14 20:28:00: ISAKMP: APPLICATION_VERSION
Apr 14 20:28:00: ISAKMP: UNKNOWN Unknown Attr: 0x7008
Apr 14 20:28:00: ISAKMP: UNKNOWN Unknown Attr: 0x700A
Apr 14 20:28:00: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
Apr 14 20:28:00: ISAKMP (0:5): Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
Apr 14 20:28:00: ISAKMP: got callback 1
Apr 14 20:28:00: ISAKMP (0:5): attributes sent in message:
Apr 14 20:28:00: Address: 0.2.0.0
Apr 14 20:28:00: ISAKMP (0:5): allocating address 172.16.100.139
Apr 14 20:28:00: ISAKMP: Sending private address: 172.16.100.139
Apr 14 20:28:00: ISAKMP: Sending IP4_DNS server address: 172.16.100.193
Apr 14 20:28:00: ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the address: 86394
Apr 14 20:28:00: ISAKMP (0/5): Unknown Attr: UNKNOWN (0x7000)
Apr 14 20:28:00: ISAKMP (0/5): Unknown Attr: UNKNOWN (0x7001)
Apr 14 20:28:00: ISAKMP: Sending split include name 110 network 172.16.100.0 mask 255.255.255.224 protocol 0, src port 0, dst port 0
Apr 14 20:28:00: ISAKMP: Sending split include name 110 network 172.16.100.32 mask 255.255.255.224 protocol 0, src port 0, dst port 0
Apr 14 20:28:00: ISAKMP: Sending split include name 110 network 172.16.100.192 mask 255.255.255.224 protocol 0, src port 0, dst port 0
Apr 14 20:28:00: ISAKMP: Sending split include name 110 network 172.16.100.128 mask 255.255.255.224 protocol 0, src port 0, dst port 0
Apr 14 20:28:00: ISAKMP: Sending split include name 110 network 0.0.0.0 mask 0.0.0.0 protocol 0, src port 0, dst port 0
Apr 14 20:28:00: ISAKMP (0/5): Unknown Attr: UNKNOWN (0x7003)
Apr 14 20:28:00: ISAKMP (0/5): Unknown Attr: UNKNOWN (0x7007)
Apr 14 20:28:00: ISAKMP (0/5): Unknown Attr: UNKNOWN (0x700B)
Apr 14 20:28:00: ISAKMP (0/5): Unknown Attr: UNKNOWN (0x7009)
Apr 14 20:28:00: ISAKMP (0/5): Unknown Attr: UNKNOWN (0x700C)
Apr 14 20:28:00: ISAKMP: Sending APPLICATION_VERSION string: Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 15:23 by dchih
Apr 14 20:28:00: ISAKMP (0/5): Unknown Attr: UNKNOWN (0x7008)
Apr 14 20:28:00: ISAKMP (0/5): Unknown Attr: UNKNOWN (0x700A)
Apr 14 20:28:00: ISAKMP (0:5): responding to peer config from 31.46.217.152. ID = -2147038172
Apr 14 20:28:00: ISAKMP (0:5): sending packet to 31.46.217.152 my_port 4500 peer_port 64924 (R) CONF_ADDR
Apr 14 20:28:00: ISAKMP (0:5): deleting node -2147038172 error FALSE reason ""
Apr 14 20:28:00: ISAKMP (0:5): Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR
Apr 14 20:28:00: ISAKMP (0:5): Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_P1_COMPLETE
Apr 14 20:28:00: ISAKMP (0:5): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Apr 14 20:28:00: ISAKMP (0:5): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Apr 14 20:28:00: ISAKMP (0:5): received packet from 31.46.217.152 dport 4500 sport 64924 Global (R) QM_IDLE
Apr 14 20:28:00: ISAKMP: set new node -1484822979 to QM_IDLE
Apr 14 20:28:00: ISAKMP (0:5): processing HASH payload. message ID = -1484822979
Apr 14 20:28:00: ISAKMP (0:5): processing SA payload. message ID = -1484822979
Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 1
Apr 14 20:28:00: ISAKMP: transform 1, ESP_AES
Apr 14 20:28:00: ISAKMP: attributes in transform:
Apr 14 20:28:00: ISAKMP: authenticator is HMAC-MD5
Apr 14 20:28:00: ISAKMP: key length is 256
Apr 14 20:28:00: ISAKMP: encaps is 61443 (Tunnel-UDP)
Apr 14 20:28:00: ISAKMP: SA life type in seconds
Apr 14 20:28:00: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.
Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 1
Apr 14 20:28:00: ISAKMP (0:5): transform 1, IPPCP LZS
Apr 14 20:28:00: ISAKMP: attributes in transform:
Apr 14 20:28:00: ISAKMP: encaps is 61443 (Tunnel-UDP)
Apr 14 20:28:00: ISAKMP: SA life type in seconds
Apr 14 20:28:00: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.
Apr 14 20:28:00: ISAKMP (0:5): IPSec policy invalidated proposal
Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 2
Apr 14 20:28:00: ISAKMP: transform 1, ESP_AES
Apr 14 20:28:00: ISAKMP: attributes in transform:
Apr 14 20:28:00: ISAKMP: authenticator is HMAC-SHA
Apr 14 20:28:00: ISAKMP: key length is 256
Apr 14 20:28:00: ISAKMP: encaps is 61443 (Tunnel-UDP)
Apr 14 20:28:00: ISAKMP: SA life type in seconds
Apr 14 20:28:00: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.
Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 2
Apr 14 20:28:00: ISAKMP (0:5): transform 1, IPPCP LZS
Apr 14 20:28:00: ISAKMP: attributes in transform:
Apr 14 20:28:00: ISAKMP: encaps is 61443 (Tunnel-UDP)
Apr 14 20:28:00: ISAKMP: SA life type in seconds
Apr 14 20:28:00: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.
Apr 14 20:28:00: ISAKMP (0:5): IPSec policy invalidated proposal
Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 3
Apr 14 20:28:00: ISAKMP: transform 1, ESP_AES
Apr 14 20:28:00: ISAKMP: attributes in transform:
Apr 14 20:28:00: ISAKMP: authenticator is HMAC-MD5
Apr 14 20:28:00: ISAKMP: key length is 128
Apr 14 20:28:00: ISAKMP: encaps is 61443 (Tunnel-UDP)
Apr 14 20:28:00: ISAKMP: SA life type in seconds
Apr 14 20:28:00: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.
Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 3
Apr 14 20:28:00: ISAKMP (0:5): transform 1, IPPCP LZS
Apr 14 20:28:00: ISAKMP: attributes in transform:
Apr 14 20:28:00: ISAKMP: encaps is 61443 (Tunnel-UDP)
Apr 14 20:28:00: ISAKMP: SA life type in seconds
Apr 14 20:28:00: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.
Apr 14 20:28:00: ISAKMP (0:5): IPSec policy invalidated proposal
Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 4
Apr 14 20:28:00: ISAKMP: transform 1, ESP_AES
Apr 14 20:28:00: ISAKMP: attributes in transform:
Apr 14 20:28:00: ISAKMP: authenticator is HMAC-SHA
Apr 14 20:28:00: ISAKMP: key length is 128
Apr 14 20:28:00: ISAKMP: encaps is 61443 (Tunnel-UDP)
Apr 14 20:28:00: ISAKMP: SA life type in seconds
Apr 14 20:28:00: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.
Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 4
Apr 14 20:28:00: ISAKMP (0:5): transform 1, IPPCP LZS
Apr 14 20:28:00: ISAKMP: attributes in transform:
Apr 14 20:28:00: ISAKMP: encaps is 61443 (Tunnel-UDP)
Apr 14 20:28:00: ISAKMP: SA life type in seconds
Apr 14 20:28:00: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.
Apr 14 20:28:00: ISAKMP (0:5): IPSec policy invalidated proposal
Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 5
Apr 14 20:28:00: ISAKMP: transform 1, ESP_AES
Apr 14 20:28:00: ISAKMP: attributes in transform:
Apr 14 20:28:00: ISAKMP: authenticator is HMAC-MD5
Apr 14 20:28:00: ISAKMP: key length is 256
Apr 14 20:28:00: ISAKMP: encaps is 61443 (Tunnel-UDP)
Apr 14 20:28:00: ISAKMP: SA life type in seconds
Apr 14 20:28:00: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.
Apr 14 20:28:00: ISAKMP (0:5): IPSec policy invalidated proposal
Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 6
Apr 14 20:28:00: ISAKMP: transform 1, ESP_AES
Apr 14 20:28:00: ISAKMP: attributes in transform:
Apr 14 20:28:00: ISAKMP: authenticator is HMAC-SHA
Apr 14 20:28:00: ISAKMP: key length is 256
Apr 14 20:28:00: ISAKMP: encaps is 61443 (Tunnel-UDP)
Apr 14 20:28:00: ISAKMP: SA life type in seconds
Apr 14 20:28:00: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.
Apr 14 20:28:00: ISAKMP (0:5): IPSec policy invalidated proposal
Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 7
Apr 14 20:28:00: ISAKMP: transform 1, ESP_AES
Apr 14 20:28:00: ISAKMP: attributes in transform:
Apr 14 20:28:00: ISAKMP: authenticator is HMAC-MD5
Apr 14 20:28:00: ISAKMP: key length is 128
Apr 14 20:28:00: ISAKMP: encaps is 61443 (Tunnel-UDP)
Apr 14 20:28:00: ISAKMP: SA life type in seconds
Apr 14 20:28:00: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.
Apr 14 20:28:00: ISAKMP (0:5): IPSec policy invalidated proposal
Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 8
Apr 14 20:28:00: ISAKMP: transform 1, ESP_AES
Apr 14 20:28:00: ISAKMP: attributes in transform:
Apr 14 20:28:00: ISAKMP: authenticator is HMAC-SHA
Apr 14 20:28:00: ISAKMP: key length is 128
Apr 14 20:28:00: ISAKMP: encaps is 61443 (Tunnel-UDP)
Apr 14 20:28:00: ISAKMP: SA life type in seconds
Apr 14 20:28:00: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.
Apr 14 20:28:00: ISAKMP (0:5): IPSec policy invalidated proposal
Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 9
Apr 14 20:28:00: ISAKMP: transform 1, ESP_3DES
Apr 14 20:28:00: ISAKMP: attributes in transform:
Apr 14 20:28:00: ISAKMP: authenticator is HMAC-MD5
Apr 14 20:28:00: ISAKMP: encaps is 61443 (Tunnel-UDP)
Apr 14 20:28:00: ISAKMP: SA life type in seconds
Apr 14 20:28:00: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.
Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 9
Apr 14 20:28:00: ISAKMP (0:5): transform 1, IPPCP LZS
Apr 14 20:28:00: ISAKMP: attributes in transform:
Apr 14 20:28:00: ISAKMP: encaps is 61443 (Tunnel-UDP)
Apr 14 20:28:00: ISAKMP: SA life type in seconds
Apr 14 20:28:00: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.
Apr 14 20:28:00: ISAKMP (0:5): IPSec policy invalidated proposal
Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 10
Apr 14 20:28:00: ISAKMP: transform 1, ESP_3DES
Apr 14 20:28:00: ISAKMP: attributes in transform:
Apr 14 20:28:00: ISAKMP: authenticator is HMAC-SHA
Apr 14 20:28:00: ISAKMP: encaps is 61443 (Tunnel-UDP)
Apr 14 20:28:00: ISAKMP: SA life type in seconds
Apr 14 20:28:00: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.
Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 10
Apr 14 20:28:00: ISAKMP (0:5): transform 1, IPPCP LZS
Apr 14 20:28:00: ISAKMP: attributes in transform:
Apr 14 20:28:00: ISAKMP: encaps is 61443 (Tunnel-UDP)
Apr 14 20:28:00: ISAKMP: SA life type in seconds
Apr 14 20:28:00: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.
Apr 14 20:28:00: ISAKMP (0:5): IPSec policy invalidated proposal
Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 11
Apr 14 20:28:00: ISAKMP: transform 1, ESP_3DES
Apr 14 20:28:00: ISAKMP: attributes in transform:
Apr 14 20:28:00: ISAKMP: authenticator is HMAC-MD5
Apr 14 20:28:00: ISAKMP: encaps is 61443 (Tunnel-UDP)
Apr 14 20:28:00: ISAKMP: SA life type in seconds
Apr 14 20:28:00: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.
Apr 14 20:28:00: ISAKMP (0:5): IPSec policy invalidated proposal
Apr 14 20:28:00: ISAKMP (0:5): Checking IPSec proposal 12
Apr 14 20:28:00: ISAKMP: transform 1, ESP_3DES
Apr 14 20:28:00: ISAKMP: attributes in transform:
Apr 14 20:28:00: ISAKMP: authenticator is HMAC-SHA
Apr 14 20:28:00: ISAKMP: encaps is 61443 (Tunnel-UDP)
Apr 14 20:28:00: ISAKMP: SA life type in seconds
Apr 14 20:28:00: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Apr 14 20:28:00: ISAKMP (0:5): atts are acceptable.
Apr 14 20:28:00: ISAKMP (0:5): processing NONCE payload. message ID = -1484822979
Apr 14 20:28:00: ISAKMP (0:5): processing ID payload. message ID = -1484822979
Apr 14 20:28:00: ISAKMP (0:5): processing ID payload. message ID = -1484822979
Apr 14 20:28:00: ISAKMP (0:5): asking for 1 spis from ipsec
Apr 14 20:28:00: ISAKMP (0:5): Node -1484822979, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Apr 14 20:28:00: ISAKMP (0:5): Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
Apr 14 20:28:00: ISAKMP: received ke message (2/1)
Apr 14 20:28:00: ISAKMP: Locking peer struct 0x827CC194, IPSEC refcount 1 for for stuff_ke
Apr 14 20:28:00: ISAKMP (0:5): Creating IPSec SAs
Apr 14 20:28:00: inbound SA from 31.46.217.152 to 172.19.10.2 (f/i) 0/ 0
(proxy 172.16.100.139 to 0.0.0.0)
Apr 14 20:28:00: has spi 0x8FD2904D and conn_id 2000 and flags 400
Apr 14 20:28:00: lifetime of 2147483 seconds
Apr 14 20:28:00: has client flags 0x10
Apr 14 20:28:00: outbound SA from 172.19.10.2 to 31.46.217.152 (f/i) 0/ 0 (proxy 0.0.0.0 to 172.16.100.139 )
Apr 14 20:28:00: has spi -6302958 and conn_id 2001 and flags 408
Apr 14 20:28:00: lifetime of 2147483 seconds
Apr 14 20:28:00: has client flags 0x10
Apr 14 20:28:00: ISAKMP (0:5): sending packet to 31.46.217.152 my_port 4500 peer_port 64924 (R) QM_IDLE
Apr 14 20:28:00: ISAKMP (0:5): Node -1484822979, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
c2610#
Apr 14 20:28:00: ISAKMP (0:5): Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
Apr 14 20:28:00: ISAKMP (0:5): received packet from 31.46.217.152 dport 4500 sport 64924 Global (R) QM_IDLE
Apr 14 20:28:00: ISAKMP (0:5): deleting node -1484822979 error FALSE reason "quick mode done (await)"
Apr 14 20:28:00: ISAKMP (0:5): Node -1484822979, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Apr 14 20:28:00: ISAKMP (0:5): Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
c2610#
Apr 14 20:28:20: ISAKMP (0:5): received packet from 31.46.217.152 dport 4500 sport 64924 Global (R) QM_IDLE
Apr 14 20:28:20: ISAKMP: set new node 1889257039 to QM_IDLE
Apr 14 20:28:20: ISAKMP (0:5): processing HASH payload. message ID = 1889257039
Apr 14 20:28:20: ISAKMP (0:5): processing NOTIFY R_U_THERE protocol 1
spi 0, message ID = 1889257039, sa = 828088C4
Apr 14 20:28:20: ISAKMP (0:5): deleting node 1889257039 error FALSE reason "informational (in) state 1"
Apr 14 20:28:20: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Apr 14 20:28:20: ISAKMP (0:5): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
c2610#
Apr 14 20:28:20: ISAKMP (0:5): DPD/R_U_THERE received from peer 31.46.217.152, sequence 0xE598AC55
Apr 14 20:28:20: ISAKMP: set new node 7247466 to QM_IDLE
Apr 14 20:28:20: ISAKMP (0:5): Sending NOTIFY R_U_THERE_ACK protocol 1
spi 2197426064, message ID = 7247466 seq. no 0xE598AC55
Apr 14 20:28:20: ISAKMP (0:5): sending packet to 31.46.217.152 my_port 4500 peer_port 64924 (R) QM_IDLE
Apr 14 20:28:20: ISAKMP (0:5): purging node 7247466
Apr 14 20:28:20: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Apr 14 20:28:20: ISAKMP (0:5): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
c2610#
Apr 14 20:28:30: ISAKMP (0:5): received packet from 31.46.217.152 dport 4500 sport 64924 Global (R) QM_IDLE
Apr 14 20:28:30: ISAKMP: set new node -1909867826 to QM_IDLE
Apr 14 20:28:30: ISAKMP (0:5): processing HASH payload. message ID = -1909867826
Apr 14 20:28:30: ISAKMP (0:5): processing NOTIFY R_U_THERE protocol 1
spi 0, message ID = -1909867826, sa = 828088C4
Apr 14 20:28:30: ISAKMP (0:5): deleting node -1909867826 error FALSE reason "informational (in) state 1"
Apr 14 20:28:30: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Apr 14 20:28:30: ISAKMP (0:5): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
c2610#
Apr 14 20:28:30: ISAKMP (0:5): DPD/R_U_THERE received from peer 31.46.217.152, sequence 0xE598AC56
Apr 14 20:28:30: ISAKMP: set new node -1394998765 to QM_IDLE
Apr 14 20:28:30: ISAKMP (0:5): Sending NOTIFY R_U_THERE_ACK protocol 1
spi 2197426064, message ID = -1394998765 seq. no 0xE598AC56
Apr 14 20:28:30: ISAKMP (0:5): sending packet to 31.46.217.152 my_port 4500 peer_port 64924 (R) QM_IDLE
Apr 14 20:28:30: ISAKMP (0:5): purging node -1394998765
Apr 14 20:28:30: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Apr 14 20:28:30: ISAKMP (0:5): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
c2610#u
Apr 14 20:28:41: ISAKMP (0:5): received packet from 31.46.217.152 dport 4500 sport 64924 Global (R) QM_IDLE
Apr 14 20:28:41: ISAKMP: set new node -237402655 to QM_IDLE
Apr 14 20:28:41: ISAKMP (0:5): processing HASH payload. message ID = -237402655
Apr 14 20:28:41: ISAKMP (0:5): processing NOTIFY R_U_THERE protocol 1
spi 0, message ID = -237402655, sa = 828088C4
Apr 14 20:28:41: ISAKMP (0:5): deleting node -237402655 error FALSE reason "informational (in) state 1"
Apr 14 20:28:41: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Apr 14 20:28:41: ISAKMP (0:5): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
c2610#u
Apr 14 20:28:41: ISAKMP (0:5): DPD/R_U_THERE received from peer 31.46.217.152, sequence 0xE598AC57
Apr 14 20:28:41: ISAKMP: set new node 1199170187 to QM_IDLE
Apr 14 20:28:41: ISAKMP (0:5): Sending NOTIFY R_U_THERE_ACK protocol 1
spi 2197426064, message ID = 1199170187 seq. no 0xE598AC57
Apr 14 20:28:41: ISAKMP (0:5): sending packet to 31.46.217.152 my_port 4500 peer_port 64924 (R) QM_IDLE
Apr 14 20:28:41: ISAKMP (0:5): purging node 1199170187
Apr 14 20:28:41: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Apr 14 20:28:41: ISAKMP (0:5): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
debug cry ipsec
Crypto IPSEC debugging is on
c2610#
Apr 14 20:23:24: IPSEC(key_engine): got a queue event...
c2610#
Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes 256 esp-md5-hmac (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x400
Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),
protocol= PCP, transform= comp-lzs (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =
Apr 14 20:23:30: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-md5-hmac comp-lzs }
Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x400
Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),
protocol= PCP, transform= comp-lzs (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =
Apr 14 20:23:30: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-sha-hmac comp-lzs }
Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes esp-md5-hmac (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x400
Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),
protocol= PCP, transform= comp-lzs (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =
Apr 14 20:23:30: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
{esp-aes esp-md5-hmac comp-lzs }
Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x400
Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),
protocol= PCP, transform= comp-lzs (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =
Apr 14 20:23:30: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
{esp-aes esp-sha-hmac comp-lzs }
Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes 256 esp-md5-hmac (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x400
Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =
Apr 14 20:23:30: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-md5-hmac }
Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x400
Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =
Apr 14 20:23:30: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-sha-hmac }
Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes esp-md5-hmac (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x400
Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =
Apr 14 20:23:30: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
{esp-aes esp-md5-hmac }
Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x400
Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =
Apr 14 20:23:30: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
{esp-aes esp-sha-hmac }
Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),
protocol= PCP, transform= comp-lzs (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =
Apr 14 20:23:30: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
{esp-3des esp-md5-hmac comp-lzs }
Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),
protocol= PCP, transform= comp-lzs (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =
Apr 14 20:23:30: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
{esp-3des esp-sha-hmac comp-lzs }
Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =
Apr 14 20:23:30: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
{esp-3des esp-md5-hmac }
Apr 14 20:23:30: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND
c2610#local= 172.19.10.2, remote= 31.46.217.152,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.100.138/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =
Apr 14 20:23:30: IPSEC(key_engine): got a queue event...
Apr 14 20:23:30: IPSEC(spi_response): getting spi 4230764129 for SA
from 172.19.10.2 to 31.46.217.152 for prot 3
Apr 14 20:23:30: IPSEC(key_engine): got a queue event...
Apr 14 20:23:30: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 172.19.10.2, remote= 31.46.217.152,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.100.138/0.0.0.0/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel-UDP),
lifedur= 2147483s and 0kb,
spi= 0xFC2C5661(4230764129), conn_id= 2000, keysize= 0, flags= 0x400
Apr 14 20:23:30: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 172.19.10.2, remote= 31.46.217.152,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.100.138/0.0.0.0/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel-UDP),
lifedur= 2147483s and 0kb,
spi= 0xE455ACA(239426250), conn_id= 2001, keysize= 0, flags= 0x408
Apr 14 20:23:30: IPSEC(kei_proxy): head = EXT_MAP, map->ivrf = , kei->ivrf =
Apr 14 20:23:30: IPSEC(rte_mgr): VPN Route Added 172.16.100.138 255.255.255.255 via 31.46.217.152 in IP DEFAULT TABLE
Apr 14 20:23:30: IPSEC(add mtree): src 0.0.0.0, dest 172.16.100.138, dest_port 0
Apr 14 20:23:30: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.19.10.2, sa_prot= 50,
sa_spi= 0xFC2C5661(4230764129),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2000
Apr 14 20:23:30: IPSEC(create_sa): sa created
c2610#,
(sa) sa_dest= 31.46.217.152, sa_prot= 50,
sa_spi= 0xE455ACA(239426250),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001
Apr 14 20:23:31: IPSEC(key_engine): got a queue event...
Apr 14 20:23:31: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Apr 14 20:23:31: IPSEC(key_engine_enable_outbound): enable SA with spi 239426250/50 for 31.46.217.152
###################################################################################################
Cisco Systems VPN Client Version 5.0.07.0410
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files\Cisco Systems\VPN Client\
1 20:22:27.568 04/14/13 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.100.136, error 0
2 20:22:28.568 04/14/13 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
3 20:22:28.927 04/14/13 Sev=Warning/2 IKE/0xA3000067
Received an IPC message during invalid state (IKE_MAIN:512)
4 20:22:48.318 04/14/13 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.2.0
Netmask 255.255.255.0
Gateway 172.16.0.1
Interface 172.16.100.137
5 20:22:48.318 04/14/13 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a80200, Netmask: ffffff00, Interface: ac106489, Gateway: ac100001.
6 20:23:11.630 04/14/13 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.100.137, error 0
7 20:23:12.661 04/14/13 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
8 20:23:13.193 04/14/13 Sev=Warning/2 IKE/0xA3000067
Received an IPC message during invalid state (IKE_MAIN:512)
9 20:23:34.036 04/14/13 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.2.0
Netmask 255.255.255.0
Gateway 172.16.0.1
Interface 172.16.100.138
10 20:23:34.036 04/14/13 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a80200, Netmask: ffffff00, Interface: ac10648a, Gateway: ac100001.
11 20:26:44.349 04/14/13 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.100.138, error 0
12 20:26:45.349 04/14/13 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
13 20:26:45.818 04/14/13 Sev=Warning/2 IKE/0xA3000067
Received an IPC message during invalid state (IKE_MAIN:512)
14 20:28:02.239 04/14/13 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.2.0
Netmask 255.255.255.0
Gateway 172.16.0.1
Interface 172.16.100.139
15 20:28:02.255 04/14/13 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a80200, Netmask: ffffff00, Interface: ac10648b, Gateway: ac100001.
16 20:30:29.489 04/14/13 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.100.139, error 0
17 20:30:30.489 04/14/13 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
18 20:30:30.818 04/14/13 Sev=Warning/2 IKE/0xA3000067
Received an IPC message during invalid state (IKE_MAIN:512)
04-14-2013 12:16 PM
For testing, remove the last line of the split ACL 110 that says permit ip any.....
Once removed, connect the client and test again.
Sent from Cisco Technical Support Android App
04-14-2013 12:23 PM
I removed it; the VPN client software shows only the
172.16.100.0
172.16.100.32
172.16.100.128
172.16.100.192 networks, and the client uses its local gateway to ping.
04-14-2013 10:46 PM
If you want all the VPN traffic, including internet traffic, to go through the tunnel, you don't need the split-tunnel ACL at all.
Just remove the acl line from the crypto isakmp client configuration group:
crypto isakmp client configuration group VPN_CLIENTS
no acl 110
Plus, when writing rules for a split-tunnel ACL, you should do it from the perspective of the server, and you don't have to include destinations (which are addresses from the VPN pool) in that ACL.
For example, if you want traffic to network 10.0.0.0/24 (inside network) to go through the tunnel, your split ACL should look like this:
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
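The server-perspective rule from the reply above, as an added example (not code from the thread): a small Python parser that turns split-tunnel ACL entries into the routes a client would send into the tunnel. The sample ACLs are constructed, deny entries are skipped for simplicity, and treating a source of `any` as a default route is this model's assumption.

```python
import ipaddress
import re

# Extended ACL lines of the form used in this thread:
#   access-list <num> permit|deny ip <source> <destination>
ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+)$")


def take_addr(tokens):
    """Consume one address spec ("any", "host A", or "A WILDCARD") as a network."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    # A wildcard mask is the bitwise inverse of a netmask: 0.0.0.255 -> 255.255.255.0
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{head}/{netmask}")


def split_tunnel_routes(config_text, acl_number):
    """Networks a client would route into the tunnel for the given split ACL.

    Only the SOURCE field of each permit entry matters: it names the network
    behind the gateway. The destination field is parsed and discarded.
    """
    routes = []
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or int(m.group(1)) != acl_number or m.group(2) != "permit":
            continue
        tokens = m.group(3).split()
        source = take_addr(tokens)
        take_addr(tokens)  # destination: ignored
        if source not in routes:
            routes.append(source)
    return routes


def tunnels_everything(routes):
    """True when the route list contains a default route (no split tunnelling)."""
    return any(net.prefixlen == 0 for net in routes)


# Constructed sample configs (not the poster's real ACL).
SERVER_VIEW = """
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
access-list 110 permit ip 172.16.100.192 0.0.0.31 any
"""
# The same intent written from the client's side: the source becomes "any".
CLIENT_VIEW = """
access-list 110 permit ip any 10.0.0.0 0.0.0.255
"""

if __name__ == "__main__":
    for label, cfg in (("server view", SERVER_VIEW), ("client view", CLIENT_VIEW)):
        routes = split_tunnel_routes(cfg, 110)
        print(label, [str(r) for r in routes], "tunnel-all:", tunnels_everything(routes))
```

An entry written from the client's side puts `any` in the source field, so the split list collapses into a default route and the split tunnel silently stops splitting.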
04-15-2013 10:52 AM
I removed the split ACL. I tried to ping 4.2.2.2: nothing; the router's local addresses are OK.
With traceroute, the client sent to 172.19.10.2, but after that * * * request timed out.
04-18-2013 09:27 AM
Any ideas?
04-18-2013 11:34 AM
Generally, the problem is that traffic from the VPN client doesn't get translated when going from the outside interface of the VPN gateway. That's because, in order for packets to be translated, they should go through interfaces marked as inside and outside. In this case, traffic from the VPN client doesn't traverse the inside interface and doesn't get translated.
To solve this, your task is to direct traffic from the VPN client to go to, for example, some loopback interface of the VPN gateway marked as NAT inside. You can use a route-map to accomplish this.
Look through this link to understand it better, and try to modify your config correspondingly.
http://www.packetu.com/2012/06/26/nat-vpns-and-hairpinning-internet-traffic-in-ios/
I'll try to put the correct config for your case here if I have time to test it.
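The reasoning in the reply above, as an added example (a simplified Python model, not IOS behaviour in full and not code from the thread): a packet is translated only if it enters on a NAT-inside interface and leaves on a NAT-outside one. The interface name `WAN` and the assumption that NAT overloads to the gateway's outside address are hypothetical; `Loopback2`, 172.16.100.128/27 and the addresses come from the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Interface:
    nat: str = ""               # "inside", "outside" or "" (no NAT role)
    policy_sources: tuple = ()  # source networks matched by the route-map ACL
    policy_target: str = ""     # interface named by "set interface"


WAN_ADDR = "172.19.10.2"  # gateway's outside address, taken from the debug output


def forward(interfaces, ingress, src, egress):
    """Return (interface path, source address seen beyond the gateway)."""
    path = [ingress]
    iface = interfaces[ingress]
    src_ip = ipaddress.ip_address(src)
    if iface.policy_target and any(src_ip in net for net in iface.policy_sources):
        # Policy routing hands the packet to the loopback; it then re-enters
        # the router as if it had been received on that interface.
        ingress = iface.policy_target
        path.append(ingress)
    path.append(egress)
    # Inside-source NAT needs an inside ingress AND an outside egress.
    translate = (interfaces[ingress].nat == "inside"
                 and interfaces[egress].nat == "outside")
    return path, (WAN_ADDR if translate else src)


def build(with_route_map):
    """Interface table before (False) and after (True) adding the route-map."""
    vpn_pool = (ipaddress.ip_network("172.16.100.128/27"),)
    wan = Interface(nat="outside")
    if with_route_map:
        wan = Interface(nat="outside", policy_sources=vpn_pool,
                        policy_target="Loopback2")
    return {"WAN": wan, "Loopback2": Interface(nat="inside")}


if __name__ == "__main__":
    client = "172.16.100.138"  # VPN client address from the debug output
    for flag in (False, True):
        print("route-map:", flag, forward(build(flag), "WAN", client, "WAN"))
```

Without the route-map the decrypted packet goes WAN to WAN and keeps its pool address; with it the path becomes WAN, Loopback2, WAN and the source is rewritten.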
04-21-2013 11:53 AM
Thank you! I thought that the problem was probably the NAT. I added the route-map and the VPN works perfectly. Thanks again!!!
04-21-2013 03:24 PM
After I added everything it worked fine, but if I start downloading from the inside network, the CPU IP INPUT becomes very high.
Here is what I added to the config:
interface Loopback2
ip address 172.16.100.129 255.255.255.224
ip nat inside
!
access-list 102 permit ip 172.16.100.128 0.0.0.31 any
access-list 102 deny ip any any
!
route-map ROUTEMAP permit 10
match ip address 102
set interface Loopback2
+ ip policy route-map ROUTEMAP /TO WAN INTERFACE/