03-14-2011 05:28 AM
Hi All,
I've set up remote VPN access with RADIUS auth on my Cisco test ASA 5505 box. I can connect/authenticate OK, but then I cannot access any internal resources and I cannot figure out why.
Config below:
hostname company-moon
domain-name company.inc
enable password password encrypted
names
name 172.31.48.64 vpn-clientpool
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
speed 100
duplex full
!
interface Ethernet0/2
speed 100
duplex full
!
interface Ethernet0/3
speed 100
duplex full
!
interface Ethernet0/4
speed 100
duplex full
!
interface Ethernet0/5
speed 100
duplex full
!
interface Ethernet0/6
speed 100
duplex full
!
interface Ethernet0/7
speed 100
duplex full
!
passwd password encrypted
ftp mode passive
clock timezone EST -10
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name company.inc
same-security-traffic permit intra-interface
object-group network testSitetoSite
description testSitetoSite
network-object 172.19.90.0 255.255.255.0
access-list acl_outside extended permit icmp any any
access-list acl_inside extended permit ip any any
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.19.90.0 255.255.255.0
access-list nonat extended permit ip any 192.168.1.96 255.255.255.224
access-list tunnel extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list tunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.19.90.0 255.255.255.0
access-list Moon-VPN_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN-pool 172.31.48.65-172.31.48.78 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61557.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 vpn-clientpool 255.255.255.240
access-group acl_inside in interface inside
access-group acl_outside in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server Moon-VPN protocol radius
aaa-server Moon-VPN host 192.168.1.254
timeout 5
key *******
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map vpn 1 match address outside_1_cryptomap
crypto map vpn 1 set peer IP address
crypto map vpn 1 set transform-set ESP-3DES-SHA
crypto map vpn 10 match address tunnel
crypto map vpn 10 set peer IP address
crypto map vpn 10 set transform-set ESP-AES-256-SHA
crypto map vpn 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map vpn interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
console timeout 0
management-access inside
dhcpd dns 10.0.0.102 10.0.0.107
dhcpd wins 10.0.0.102 10.0.0.107
dhcpd lease 1048575
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy Moon-VPN internal
group-policy Moon-VPN attributes
dns-server value 192.168.1.254
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Moon-VPN_splitTunnelAcl
default-domain value company.inc
tunnel-group IP address type ipsec-l2l
tunnel-group IP address ipsec-attributes
pre-shared-key *
tunnel-group IP address type ipsec-l2l
tunnel-group IP address ipsec-attributes
pre-shared-key *
tunnel-group Moon-VPN type ipsec-ra
tunnel-group Moon-VPN general-attributes
address-pool VPN-pool
authentication-server-group Moon-VPN
default-group-policy Moon-VPN
tunnel-group Moon-VPN ipsec-attributes
pre-shared-key *
tunnel-group Moon-VPN ppp-attributes
authentication ms-chap-v2
prompt hostname context
Any help would be greatly appreciated!
03-14-2011 09:12 AM
We are seeing...
PHASE 1 COMPLETED
PHASE 2 COMPLETED
Please remove this line:
nat (outside) 1 vpn-clientpool 255.255.255.240
Then, disconnect the VPN client and reconnect and try to PING again.
Check the packets encrypted/decrypted on the client side (under statistics for the VPN client).
Federico.
03-14-2011 07:09 AM
Hi,
If you're getting an IP from 172.31.48.x when connected via VPN, then please add:
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.31.48.0 255.255.255.0
Also please add this command:
management-access inside
From the VPN client try to PING 192.168.1.1
Then check packets encrypted/decrypted with sh cry ips sa
Hope it helps.
Federico.
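An offline check for the two NAT changes suggested in the replies above, added here as an example; it is not part of the original thread and not a Cisco tool. It parses the `name`, `ip local pool`, `access-list`, `nat` and `crypto map ... interface` lines in the syntax of the posted config and reports any VPN pool that is missing from the NAT-exemption ACL or matched by a dynamic `nat` rule on the VPN-terminating interface. The function names `parse_config` and `audit` are hypothetical, and the embedded config is an excerpt of the one posted above.

```python
import ipaddress

# Constructed sample: the NAT-relevant lines excerpted from the config posted in this thread.
POSTED_CONFIG = """\
name 172.31.48.64 vpn-clientpool
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.19.90.0 255.255.255.0
access-list nonat extended permit ip any 192.168.1.96 255.255.255.224
ip local pool VPN-pool 172.31.48.65-172.31.48.78 mask 255.255.255.240
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 vpn-clientpool 255.255.255.240
crypto map vpn interface outside
"""
# The same excerpt with only the ACL entry from the reply above added ...
ACL_LINE = "access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.31.48.0 255.255.255.0\n"
ACL_ONLY_CONFIG = POSTED_CONFIG + ACL_LINE
# ... and with the line the accepted reply asks to remove taken out as well.
BOTH_CHANGES_CONFIG = ACL_ONLY_CONFIG.replace("nat (outside) 1 vpn-clientpool 255.255.255.240\n", "")


def _net(addr, mask, names):
    """Build a network from 'address mask', resolving `name` aliases first."""
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)


def _take_endpoint(tokens, names):
    """Consume one ACL endpoint ('any', 'host A' or 'A MASK'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return _net(tokens[1], "255.255.255.255", names), tokens[2:]
    return _net(tokens[0], tokens[1], names), tokens[2:]


def parse_config(text):
    """Collect only the statements this check needs; every other line is ignored."""
    cfg = {"names": {}, "pools": {}, "acl_dst": {}, "exempt_acls": [], "nat": [], "vpn_ifs": set()}
    for line in text.splitlines():
        t = line.split()
        if len(t) == 3 and t[0] == "name":
            cfg["names"][t[2]] = t[1]
        elif t[:3] == ["ip", "local", "pool"] and len(t) >= 5:
            lo, _, hi = t[4].partition("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo))
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            _, rest = _take_endpoint(t[5:], cfg["names"])
            dst, _ = _take_endpoint(rest, cfg["names"])
            cfg["acl_dst"].setdefault(t[1], []).append(dst)
        elif t[:1] == ["nat"] and len(t) == 5 and t[2] == "0" and t[3] == "access-list":
            cfg["exempt_acls"].append(t[4])          # nat (<if>) 0 access-list <acl>
        elif t[:1] == ["nat"] and len(t) == 5 and t[2] != "0":
            ifname = t[1].strip("()")                 # nat (<if>) <id> <addr> <mask>
            cfg["nat"].append((ifname, _net(t[3], t[4], cfg["names"]), line.strip()))
        elif t[:2] == ["crypto", "map"] and len(t) == 5 and t[3] == "interface":
            cfg["vpn_ifs"].add(t[4])
    return cfg


def audit(text):
    """Return one finding per pool/NAT mismatch; an empty list means both checks pass."""
    cfg = parse_config(text)
    exempt = [d for acl in cfg["exempt_acls"] for d in cfg["acl_dst"].get(acl, [])]
    findings = []
    for pool, (lo, hi) in cfg["pools"].items():
        # A CIDR block is contiguous, so both ends inside means the whole range is inside.
        if not any(lo in d and hi in d for d in exempt):
            findings.append(f"pool {pool} ({lo}-{hi}) is not a destination in any NAT-exemption ACL")
        for ifname, net, line in cfg["nat"]:
            overlaps = lo <= net.broadcast_address and hi >= net.network_address
            if ifname in cfg["vpn_ifs"] and overlaps:
                findings.append(f"'{line}' is a dynamic NAT rule on the VPN interface matching pool {pool}")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", POSTED_CONFIG),
                        ("ACL entry added", ACL_ONLY_CONFIG),
                        ("ACL entry added, nat (outside) removed", BOTH_CHANGES_CONFIG)):
        print(label)
        for finding in audit(text) or ["no findings"]:
            print("  -", finding)
```
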
03-14-2011 07:22 AM
I've added the ACL entry but still no change; I cannot access anything on the other side or ping,
but I noticed this error in the Cisco VPN client log:
1 14:39:11.597 03/14/11 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.31.48.65, error 0
2 14:39:12.628 03/14/11 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
3 14:39:14.196 03/14/11 Sev=Warning/2 IKE/0xA3000067
Received an IPC message during invalid state (IKE_MAIN:512)
4 14:39:25.945 03/14/11 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 169.254.0.0
Netmask 255.255.0.0
Gateway 172.31.48.66
Interface 172.31.48.65
5 14:39:25.945 03/14/11 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: a9fe0000, Netmask: ffff0000, Interface: ac1f3041, Gateway: ac1f3
03-14-2011 07:43 AM
Did you also add the management-access inside command as explained?
And... ping the inside IP?
And... check the packets encrypted/decrypted on the output of sh cry ips sa?
Federico.
03-14-2011 07:57 AM
Hi Federico,
1. line already in the config
2. yes and request time out
3. yes:
Crypto map tag: outside_dyn_map, seq num: 20, local addr: Moon-VPN ip address
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.31.48.65/255.255.255.255/0/0)
current_peer: my remote ip address, username: testVPN
dynamic allocated peer ip: 172.31.48.65
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: Moon-VPN ip address, remote crypto endpt.: my remote ip address
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 7111CEA1
inbound esp sas:
spi: 0x46F2BE37 (1190313527)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 24, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28061
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x7111CEA1 (1896992417)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 24, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28061
IV size: 8 bytes
replay detection support: Y
03-14-2011 08:30 AM
Please post the output of:
debug cry isa 127
debug cry ipsec 127
When connecting with the VPN client.
Federico.
03-14-2011 09:02 AM
# debug cry isa 127
# debug cry ipsec 127
Mar 14 00:36:23 [IKEv1]: IP = my remote ip address, IKE_DECODE RECEIVED Mes
sage (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VEN
DOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) tota
l length : 853
Mar 14 00:36:23 [IKEv1 DEBUG]: IP = my remote ip address, processing SA payload
Mar 14 00:36:23 [IKEv1 DEBUG]: IP = my remote ip address, processing ke payload
Mar 14 00:36:23 [IKEv1 DEBUG]: IP = my remote ip address, processing ISA_KE payload
Mar 14 00:36:23 [IKEv1 DEBUG]: IP = my remote ip address, processing nonce payload
Mar 14 00:36:23 [IKEv1 DEBUG]: IP = my remote ip address, processing ID payload
Mar 14 00:36:23 [IKEv1 DEBUG]: IP = my remote ip address, processing VID payload
Mar 14 00:36:23 [IKEv1 DEBUG]: IP = my remote ip address, Received xauth V6 VID
Mar 14 00:36:23 [IKEv1 DEBUG]: IP = my remote ip address, processing VID payload
Mar 14 00:36:23 [IKEv1 DEBUG]: IP = my remote ip address, Received DPD VID
Mar 14 00:36:23 [IKEv1 DEBUG]: IP = my remote ip address, processing VID payload
Mar 14 00:36:23 [IKEv1 DEBUG]: IP = my remote ip address, Received Fragmentation VID
Mar 14 00:36:23 [IKEv1 DEBUG]: IP = my remote ip address, IKE Peer included IKE fragment
ation capability flags: Main Mode: True Aggressive Mode: False
Mar 14 00:36:23 [IKEv1 DEBUG]: IP = my remote ip address, processing VID payload
Mar 14 00:36:23 [IKEv1 DEBUG]: IP = my remote ip address, Received NAT-Traversal ver 02
VID
Mar 14 00:36:23 [IKEv1 DEBUG]: IP = my remote ip address, processing VID payload
Mar 14 00:36:23 [IKEv1 DEBUG]: IP = my remote ip address, Received Cisco Unity client VI
D
Mar 14 00:36:23 [IKEv1]: IP = my remote ip address, Connection landed on tunnel_group Moon-VPN
Mar 14 00:36:23 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, processing
IKE SA payload
Mar 14 00:36:23 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, IKE SA Prop
osal # 1, Transform # 10 acceptable Matches global IKE entry # 1
Mar 14 00:36:23 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, constructin
g ISAKMP SA payload
Mar 14 00:36:23 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, constructin
g ke payload
Mar 14 00:36:23 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, constructin
g nonce payload
Mar 14 00:36:23 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, Generating
keys for Responder...
Mar 14 00:36:23 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, constructin
g ID payload
Mar 14 00:36:23 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, constructin
g hash payload
Mar 14 00:36:23 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, Computing h
ash for ISAKMP
Mar 14 00:36:23 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, constructin
g Cisco Unity VID payload
Mar 14 00:36:23 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, constructin
g xauth V6 VID payload
Mar 14 00:36:23 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, constructin
g dpd vid payload
Mar 14 00:36:23 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, constructin
g Fragmentation VID + extended capabilities payload
Mar 14 00:36:23 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, constructin
g VID payload
Mar 14 00:36:23 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, Send Altiga
/Cisco VPN3000/Cisco ASA GW VID
Mar 14 00:36:23 [IKEv1]: IP = my remote ip address, IKE_DECODE SENDING Message (msgid=0)
with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR
(13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total l
ength : 368
Mar 14 00:36:23 [IKEv1]: IP = my remote ip address, IKE_DECODE RECEIVED Message (msgid=0
) with payloads : HDR + HASH (8) + NOTIFY (11) + VENDOR (13) + VENDOR (13) + NON
E (0) total length : 116
Mar 14 00:36:23 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, processing
hash payload
Mar 14 00:36:23 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, Computing h
ash for ISAKMP
Mar 14 00:36:23 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, processing
notify payload
Mar 14 00:36:23 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, processing
VID payload
Mar 14 00:36:23 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, Processing
IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Mar 14 00:36:23 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, processing
VID payload
Mar 14 00:36:23 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, Received Ci
sco Unity client VID
Mar 14 00:36:23 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, constructin
g blank hash payload
Mar 14 00:36:23 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, constructin
g qm hash payload
Mar 14 00:36:23 [IKEv1]: IP = my remote ip address, IKE_DECODE SENDING Message (msgid=b4
7ec744) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 68
Mar 14 00:36:29 [IKEv1]: IP = my remote ip address, IKE_DECODE RECEIVED Message (msgid=b
47ec744) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 89
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, process_att
r(): Enter!
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, IP = my remote ip address, Processing
MODE_CFG Reply attributes.
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, IKEGetUserAttributes: primary DNS = 192.168.1.254
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, IKEGetUserAttributes: secondary DNS = cleared
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, IKEGetUserAttributes: primary WINS = cleared
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, IKEGetUserAttributes: secondary WINS = cleared
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, IKEGetUserAttributes: split tunneling list = Moon-VPN_splitTunnelAcl
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, IKEGetUserAttributes: default domain = company.inc
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, IKEGetUserAttributes: IP Compression = disabled
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, IKEGetUserAttributes: Split Tunneling Policy = Split Network
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Mar 14 00:36:29 [IKEv1]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
18, User (testVPN_username) authenticated.
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, constructing blank hash payload
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, constructing qm hash payload
Mar 14 00:36:29 [IKEv1]: IP = my remote ip address, IKE_DECODE SENDING Message (msgid=49
3ab9e6) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
Mar 14 00:36:29 [IKEv1]: IP = my remote ip address, IKE_DECODE RECEIVED Message (msgid=4
93ab9e6) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 56
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, process_attr(): Enter!
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Processing cfg ACK attributes
Mar 14 00:36:29 [IKEv1]: IP = my remote ip address, IKE_DECODE RECEIVED Message (msgid=b
3609784) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 19
7
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, process_attr(): Enter!
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Processing cfg Request attributes
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, MODE_CFG: Received request for IPV4 address!
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, MODE_CFG: Received request for IPV4 net mask!
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, MODE_CFG: Received request for DNS server address!
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, MODE_CFG: Received request for WINS server address!
Mar 14 00:36:29 [IKEv1]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
18, Received unsupported transaction mode attribute: 5
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, MODE_CFG: Received request for Banner!
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, MODE_CFG: Received request for Save PW setting!
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, MODE_CFG: Received request for Default Domain Name!
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, MODE_CFG: Received request for Split Tunnel List!
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, MODE_CFG: Received request for Split DNS!
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, MODE_CFG: Received request for PFS setting!
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, MODE_CFG: Received request for Client Browser Proxy Setting!
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, MODE_CFG: Received request for backup ip-sec peer list!
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, MODE_CFG: Received request for Client Smartcard Removal Disconnect Set
ting!
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, MODE_CFG: Received request for Application Version!
Mar 14 00:36:29 [IKEv1]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
18, Client Type: WinNT Client Application Version: 5.0.06.0160
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, MODE_CFG: Received request for FWTYPE!
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, MODE_CFG: Received request for DHCP hostname for DDNS is: mylaptop!
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, MODE_CFG: Received request for UDP Port!
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, MODE_CFG: Received request for Local LAN Include!
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Obtained IP addr (172.31.48.65) prior to initiating Mode Cfg (XAuth en
abled)
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Sending subnet mask (255.255.255.240) to remote client
Mar 14 00:36:29 [IKEv1]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
18, Assigned private IP address 172.31.48.65 to remote user
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, constructing blank hash payload
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, construct_cfg_set: default domain = company.inc
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Send Client Browser Proxy Attributes!
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Browser Proxy set to No-Modify. Browser Proxy data will NOT be include
d in the mode-cfg reply
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Send Cisco Smartcard Removal Disconnect enable!!
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, constructing qm hash payload
Mar 14 00:36:29 [IKEv1]: IP = my remote ip address, IKE_DECODE SENDING Message (msgid=b3
609784) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 210
Mar 14 00:36:29 [IKEv1 DECODE]: IP = my remote ip address, IKE Responder starting QM: ms
g id = 976732da
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
Mar 14 00:36:29 [IKEv1]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
18, PHASE 1 COMPLETED
Mar 14 00:36:29 [IKEv1]: IP = my remote ip address, Keep-alive type for this connection:
DPD
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Starting P1 rekey timer: 82080 seconds.
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, sending notify message
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, constructing blank hash payload
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, constructing qm hash payload
Mar 14 00:36:29 [IKEv1]: IP = my remote ip address, IKE_DECODE SENDING Message (msgid=92
899b7d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 8
8
Mar 14 00:36:29 [IKEv1]: IP = my remote ip address, IKE_DECODE RECEIVED Message (msgid=9
76732da) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5)
+ NONE (0) total length : 1022
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, processing hash payload
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, processing SA payload
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, processing nonce payload
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, processing ID payload
Mar 14 00:36:29 [IKEv1 DECODE]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, ID_IPV4_ADDR ID received
172.31.48.65
Mar 14 00:36:29 [IKEv1]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Received remote Proxy Host data in ID Payload: Address 172.31.48.65, Protocol 0, Port 0
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, processing ID payload
Mar 14 00:36:29 [IKEv1 DECODE]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
Mar 14 00:36:29 [IKEv1]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
18, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0
.0.0.0, Protocol 0, Port 0
Mar 14 00:36:29 [IKEv1]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
18, QM IsRekeyed old sa not found by addr
Mar 14 00:36:29 [IKEv1]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
18, Static Crypto Map check, checking map = vpn, seq = 1...
Mar 14 00:36:29 [IKEv1]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
18, Static Crypto Map check, map = vpn, seq = 1, ACL does not match proxy IDs sr
c:172.31.48.65 dst:0.0.0.0
Mar 14 00:36:29 [IKEv1]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
18, Static Crypto Map check, checking map = vpn, seq = 10...
Mar 14 00:36:29 [IKEv1]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
18, Static Crypto Map check, map = vpn, seq = 10, ACL does not match proxy IDs s
rc:172.31.48.65 dst:0.0.0.0
Mar 14 00:36:29 [IKEv1]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
18, IKE Remote Peer configured for crypto map: outside_dyn_map
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, processing IPSec SA payload
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, IPSec SA Proposal # 12, Transform # 1 acceptable Matches global IPSec
SA entry # 20
Mar 14 00:36:29 [IKEv1]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
18, IKE: requesting SPI!
IPSEC: New embryonic SA created @ 0x03B86600,
SCB: 0x03B05460,
Direction: inbound
SPI : 0x5D84E6BA
Session ID: 0x0000001D
VPIF num : 0x00000002
Tunnel type: ra
Protocol : esp
Lifetime : 240 seconds
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, IKE got SPI from key engine: SPI = 0x5d84e6ba
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, oakley constucting quick mode
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, constructing blank hash payload
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, constructing IPSec SA payload
Mar 14 00:36:29 [IKEv1]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
18, Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, constructing IPSec nonce payload
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, constructing proxy ID
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Transmitting Proxy Id:
Remote host: 172.31.48.65 Protocol 0 Port 0
Local subnet: 0.0.0.0 mask 0.0.0.0 Protocol 0 Port 0
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Sending RESPONDER LIFETIME notification to Initiator
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, constructing qm hash payload
Mar 14 00:36:29 [IKEv1 DECODE]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, IKE Responder sending 2nd QM pkt: msg id = 976732da
Mar 14 00:36:29 [IKEv1]: IP = my remote ip address, IKE_DECODE SENDING Message (msgid=97
6732da) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) +
NOTIFY (11) + NONE (0) total length : 176
Mar 14 00:36:29 [IKEv1]: IP = my remote ip address, IKE_DECODE RECEIVED Message (msgid=9
76732da) with payloads : HDR + HASH (8) + NONE (0) total length : 48
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, processing hash payload
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, loading all IPSEC SAs
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Generating Quick Mode Key!
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Generating Quick Mode Key!
IPSEC: New embryonic SA created @ 0x03B0A588,
SCB: 0x03B8ACB0,
Direction: outbound
SPI : 0xB167D029
Session ID: 0x0000001D
VPIF num : 0x00000002
Tunnel type: ra
Protocol : esp
Lifetime : 240 seconds
IPSEC: Completed host OBSA update, SPI 0xB167D029
IPSEC: Creating outbound VPN context, SPI 0xB167D029
Flags: 0x00000005
SA : 0x03B0A588
SPI : 0xB167D029
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00000000
SCB : 0x03B8ACB0
Channel: 0x0176CB68
IPSEC: Completed outbound VPN context, SPI 0xB167D029
VPN handle: 0x01674F9C
IPSEC: New outbound encrypt rule, SPI 0xB167D029
Src addr: 0.0.0.0
Src mask: 0.0.0.0
Dst addr: 172.31.48.65
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0xB167D029
Rule ID: 0x03A4F2E0
IPSEC: New outbound permit rule, SPI 0xB167D029
Src addr: Moon-VPN ip address
Src mask: 255.255.255.255
Dst addr: my remote ip address
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0xB167D029
Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0xB167D029
Rule ID: 0x03A48480
Mar 14 00:36:29 [IKEv1]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
18, Security negotiation complete for User (testVPN_username) Responder, Inbound SPI =
0x5d84e6ba, Outbound SPI = 0xb167d029
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, IKE got a KEY_ADD msg for SA: SPI = 0xb167d029
IPSEC: Completed host IBSA update, SPI 0x5D84E6BA
IPSEC: Creating inbound VPN context, SPI 0x5D84E6BA
Flags: 0x00000006
SA : 0x03B86600
SPI : 0x5D84E6BA
MTU : 0 bytes
VCID : 0x00000000
Peer : 0x01674F9C
SCB : 0x03B05460
Channel: 0x0176CB68
IPSEC: Completed inbound VPN context, SPI 0x5D84E6BA
VPN handle: 0x01692E54
IPSEC: Updating outbound VPN context 0x01674F9C, SPI 0xB167D029
Flags: 0x00000005
SA : 0x03B0A588
SPI : 0xB167D029
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x01692E54
SCB : 0x03B8ACB0
Channel: 0x0176CB68
IPSEC: Completed outbound VPN context, SPI 0xB167D029
VPN handle: 0x01674F9C
IPSEC: Completed outbound inner rule, SPI 0xB167D029
Rule ID: 0x03A4F2E0
IPSEC: Completed outbound outer SPD rule, SPI 0xB167D029
Rule ID: 0x03A48480
IPSEC: New inbound tunnel flow rule, SPI 0x5D84E6BA
Src addr: 172.31.48.65
Src mask: 255.255.255.255
Dst addr: 0.0.0.0
Dst mask: 0.0.0.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x5D84E6BA
Rule ID: 0x0358DF48
IPSEC: New inbound decrypt rule, SPI 0x5D84E6BA
Src addr: my remote ip address
Src mask: 255.255.255.255
Dst addr: Moon-VPN ip address
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x5D84E6BA
Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x5D84E6BA
Rule ID: 0x03AEA268
IPSEC: New inbound permit rule, SPI 0x5D84E6BA
Src addr: my remote ip address
Src mask: 255.255.255.255
Dst addr: Moon-VPN ip address
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x5D84E6BA
Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x5D84E6BA
Rule ID: 0x03B062B8
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Pitcher: received KEY_UPDATE, spi 0x5d84e6ba
Mar 14 00:36:29 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Starting P2 rekey timer: 27360 seconds.
Mar 14 00:36:29 [IKEv1]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
18, Adding static route for client address: 172.31.48.65
Mar 14 00:36:29 [IKEv1]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
18, PHASE 2 COMPLETED (msgid=976732da)
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, Starting phase 1 rekey
Mar 14 00:36:35 [IKEv1]: IP = IP address, IKE Initiator: Rekeying Phase 1, I
ntf inside, IKE Peer IP address local Proxy Address N/A, remote Proxy Addre
ss N/A, Crypto map (N/A)
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, constructing ISAKMP SA paylo
ad
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, constructing Fragmentation V
ID + extended capabilities payload
Mar 14 00:36:35 [IKEv1]: IP = IP address, IKE_DECODE SENDING Message (msgid=
0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 14 00:36:35 [IKEv1]: IP = IP address, IKE_DECODE RECEIVED Message (msgid
=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, processing SA payload
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, Oakley proposal is acceptabl
e
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, processing VID payload
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, Received Fragmentation VID
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, IKE Peer included IKE fragme
ntation capability flags: Main Mode: True Aggressive Mode: True
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, constructing ke payload
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, constructing nonce payload
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, constructing Cisco Unity VID
payload
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, constructing xauth V6 VID pa
yload
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, Send IOS VID
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, Constructing ASA spoofing IO
S Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, constructing VID payload
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, Send Altiga/Cisco VPN3000/Ci
sco ASA GW VID
Mar 14 00:36:35 [IKEv1]: IP = IP address, IKE_DECODE SENDING Message (msgid=
0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDO
R (13) + VENDOR (13) + NONE (0) total length : 256
Mar 14 00:36:35 [IKEv1]: IP = IP address, IKE_DECODE RECEIVED Message (msgid
=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VEND
OR (13) + VENDOR (13) + NONE (0) total length : 256
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, processing ke payload
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, processing ISA_KE payload
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, processing nonce payload
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, processing VID payload
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, Received Cisco Unity client
VID
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, processing VID payload
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, Received xauth V6 VID
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, processing VID payload
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, Processing VPN3000/ASA spoof
ing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, processing VID payload
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, Received Altiga/Cisco VPN300
0/Cisco ASA GW VID
Mar 14 00:36:35 [IKEv1]: IP = IP address, Connection landed on tunnel_group
IP address
Mar 14 00:36:35 [IKEv1 DEBUG]: Group = IP address, IP = IP address, Gene
rating keys for Initiator...
Mar 14 00:36:35 [IKEv1 DEBUG]: Group = IP address, IP = IP address, cons
tructing ID payload
Mar 14 00:36:35 [IKEv1 DEBUG]: Group = IP address, IP = IP address, cons
tructing hash payload
Mar 14 00:36:35 [IKEv1 DEBUG]: Group = IP address, IP = IP address, Comp
uting hash for ISAKMP
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, Constructing IOS keep alive
payload: proposal=32767/32767 sec.
Mar 14 00:36:35 [IKEv1 DEBUG]: Group = IP address, IP = IP address, cons
tructing dpd vid payload
Mar 14 00:36:35 [IKEv1]: IP = IP address, IKE_DECODE SENDING Message (msgid=
0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) +
NONE (0) total length : 92
Mar 14 00:36:35 [IKEv1]: IP = IP address, IKE_DECODE RECEIVED Message (msgid
=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13)
+ NONE (0) total length : 92
Mar 14 00:36:35 [IKEv1 DEBUG]: Group = IP address, IP = IP address, proc
essing ID payload
Mar 14 00:36:35 [IKEv1 DECODE]: Group = IP address, IP = IP address, ID_
IPV4_ADDR ID received
IP address
Mar 14 00:36:35 [IKEv1 DEBUG]: Group = IP address, IP = IP address, proc
essing hash payload
Mar 14 00:36:35 [IKEv1 DEBUG]: Group = IP address, IP = IP address, Comp
uting hash for ISAKMP
Mar 14 00:36:35 [IKEv1 DEBUG]: IP = IP address, Processing IOS keep alive pa
yload: proposal=32767/32767 sec.
Mar 14 00:36:35 [IKEv1 DEBUG]: Group = IP address, IP = IP address, proc
essing VID payload
Mar 14 00:36:35 [IKEv1 DEBUG]: Group = IP address, IP = IP address, Rece
ived DPD VID
Mar 14 00:36:35 [IKEv1]: IP = IP address, Connection landed on tunnel_group
IP address
Mar 14 00:36:35 [IKEv1]: Group = IP address, IP = IP address, Freeing pr
eviously allocated memory for authorization-dn-attributes
Mar 14 00:36:35 [IKEv1]: Group = IP address, IP = IP address, PHASE 1 CO
MPLETED
Mar 14 00:36:35 [IKEv1]: IP = IP address, Keep-alive type for this connectio
n: DPD
Mar 14 00:36:35 [IKEv1 DEBUG]: Group = IP address, IP = IP address, Star
ting P1 rekey timer: 3060 seconds.
Mar 14 00:36:40 [IKEv1]: IP = my remote ip address, IKE_DECODE RECEIVED Message (msgid=8
07a1201) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length :
80
Mar 14 00:36:40 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, processing hash payload
Mar 14 00:36:40 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, processing notify payload
Mar 14 00:36:40 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Received keep-alive of type DPD R-U-THERE (seq number 0x5bb3539)
Mar 14 00:36:40 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x5bb3539)
Mar 14 00:36:40 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, constructing blank hash payload
Mar 14 00:36:40 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, constructing qm hash payload
Mar 14 00:36:40 [IKEv1]: IP = my remote ip address, IKE_DECODE SENDING Message (msgid=98
6f5d50) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 8
0
Mar 14 00:36:50 [IKEv1]: IP = my remote ip address, IKE_DECODE RECEIVED Message (msgid=9
32a39a7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length :
80
Mar 14 00:36:50 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, processing hash payload
Mar 14 00:36:50 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, processing notify payload
Mar 14 00:36:50 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Received keep-alive of type DPD R-U-THERE (seq number 0x5bb353a)
Mar 14 00:36:50 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x5bb353a)
Mar 14 00:36:50 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, constructing blank hash payload
Mar 14 00:36:50 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, constructing qm hash payload
Mar 14 00:36:50 [IKEv1]: IP = my remote ip address, IKE_DECODE SENDING Message (msgid=c6
778309) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 8
0
Mar 14 00:37:00 [IKEv1]: IP = my remote ip address, IKE_DECODE RECEIVED Message (msgid=4
218b276) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length :
80
Mar 14 00:37:00 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, processing hash payload
Mar 14 00:37:00 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, processing notify payload
Mar 14 00:37:00 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Received keep-alive of type DPD R-U-THERE (seq number 0x5bb353b)
Mar 14 00:37:00 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x5bb353b)
Mar 14 00:37:00 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, constructing blank hash payload
Mar 14 00:37:00 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, constructing qm hash payload
Mar 14 00:37:00 [IKEv1]: IP = my remote ip address, IKE_DECODE SENDING Message (msgid=2e
f806d4) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 8
0
Mar 14 00:37:07 [IKEv1 DEBUG]: Group = IP address, IP = IP address, IKE
SA MM:17888616 terminating: flags 0x0120c026, refcnt 0, tuncnt 0
Mar 14 00:37:07 [IKEv1 DEBUG]: Group = IP address, IP = IP address, send
ing delete/delete with reason message
Mar 14 00:37:07 [IKEv1 DEBUG]: Group = IP address, IP = IP address, cons
tructing blank hash payload
Mar 14 00:37:07 [IKEv1 DEBUG]: Group = IP address, IP = IP address, cons
tructing IKE delete payload
Mar 14 00:37:07 [IKEv1 DEBUG]: Group = IP address, IP = IP address, cons
tructing qm hash payload
Mar 14 00:37:07 [IKEv1]: IP = IP address, IKE_DECODE SENDING Message (msgid=
3e3079f5) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length :
76
Mar 14 00:37:10 [IKEv1]: IP = my remote ip address, IKE_DECODE RECEIVED Message (msgid=e
b818fe) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 8
0
Mar 14 00:37:10 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, processing hash payload
Mar 14 00:37:10 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, processing notify payload
Mar 14 00:37:10 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Received keep-alive of type DPD R-U-THERE (seq number 0x5bb353c)
Mar 14 00:37:10 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x5bb353c)
Mar 14 00:37:10 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, constructing blank hash payload
Mar 14 00:37:10 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, constructing qm hash payload
Mar 14 00:37:10 [IKEv1]: IP = my remote ip address, IKE_DECODE SENDING Message (msgid=19
8c70e3) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 8
0
Mar 14 00:37:20 [IKEv1]: IP = my remote ip address, IKE_DECODE RECEIVED Message (msgid=9
f03a9d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 8
0
Mar 14 00:37:20 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, processing hash payload
Mar 14 00:37:20 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, processing notify payload
Mar 14 00:37:20 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Received keep-alive of type DPD R-U-THERE (seq number 0x5bb353d)
Mar 14 00:37:20 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x5bb353d)
Mar 14 00:37:20 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, constructing blank hash payload
Mar 14 00:37:20 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, constructing qm hash payload
Mar 14 00:37:20 [IKEv1]: IP = my remote ip address, IKE_DECODE SENDING Message (msgid=49
f6387b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 8
0
Mar 14 00:37:30 [IKEv1]: IP = my remote ip address, IKE_DECODE RECEIVED Message (msgid=b
57197af) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length :
80
Mar 14 00:37:30 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, processing hash payload
Mar 14 00:37:30 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, processing notify payload
Mar 14 00:37:30 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Received keep-alive of type DPD R-U-THERE (seq number 0x5bb353e)
Mar 14 00:37:30 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x5bb353e)
Mar 14 00:37:30 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, constructing blank hash payload
Mar 14 00:37:30 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, constructing qm hash payload
Mar 14 00:37:30 [IKEv1]: IP = my remote ip address, IKE_DECODE SENDING Message (msgid=fb
904417) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 8
0
Mar 14 00:37:35 [IKEv1]: IP = my remote ip address, IKE_DECODE RECEIVED Message (msgid=f
5f49248) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length :
68
Mar 14 00:37:35 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, processing hash payload
Mar 14 00:37:35 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, processing delete
Mar 14 00:37:35 [IKEv1]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
18, Connection terminated for peer testVPN_username. Reason: Peer Terminate Remote Pro
xy 172.31.48.65, Local Proxy 0.0.0.0
Mar 14 00:37:35 [IKEv1]: IP = my remote ip address, IKE_DECODE RECEIVED Message (msgid=a
7eb743) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 7
6
Mar 14 00:37:35 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, processing hash payload
Mar 14 00:37:35 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, processing delete
Mar 14 00:37:35 [IKEv1]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Connection terminated for peer testVPN_username. Reason: Peer Terminate Remote Pro
xy N/A, Local Proxy N/A
Mar 14 00:37:35 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, Active unit receives a delete event for remote peer my remote ip address.
Mar 14 00:37:35 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, IKE Deleting SA: Remote Proxy 172.31.48.65, Local Proxy 0.0.0.0
Mar 14 00:37:35 [IKEv1]: MSG_FSM_QM lookup failed (handle 976732da)!
Mar 14 00:37:35 [IKEv1 DEBUG]: Group = Moon-VPN, Username = testVPN_username, IP = my remote ip address
, IKE SA AM:aa141a6f terminating: flags 0x0961d801, refcnt 0, tuncnt 0
IPSEC: Deleted inbound decrypt rule, SPI 0x5D84E6BA
Rule ID: 0x03AEA268
IPSEC: Deleted inbound permit rule, SPI 0x5D84E6BA
Rule ID: 0x03B062B8
IPSEC: Deleted inbound tunnel flow rule, SPI 0x5D84E6BA
Rule ID: 0x0358DF48
IPSEC: Deleted inbound VPN context, SPI 0x5D84E6BA
VPN handle: 0x01692E54
Mar 14 00:37:35 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x5d84e6ba
IPSEC: Deleted outbound encrypt rule, SPI 0xB167D029
Rule ID: 0x03A4F2E0
IPSEC: Deleted outbound permit rule, SPI 0xB167D029
Rule ID: 0x03A48480
IPSEC: Deleted outbound VPN context, SPI 0xB167D029
VPN handle: 0x01674F9C
Mar 14 00:37:35 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xb167d029
03-14-2011 09:12 AM
We are seeing...
PHASE 1 COMPLETED
PHASE 2 COMPLETED
Please remove this line:
nat (outside) 1 vpn-clientpool 255.255.255.240
Then, disconnect the VPN client and reconnect and try to PING again.
Check the packets encrypted/decrypted on the client side (under statistics for the VPN client).
Federico.
03-14-2011 09:31 AM
03-14-2011 09:37 AM
Do you lose Internet when the VPN client connects?
Can you attach a route print from the VPN client?
Federico.
03-14-2011 09:50 AM
03-15-2011 09:17 PM
Hi Andrew,
Please add the following statement:
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.31.48.0 255.255.255.0
Also, I don't see a route on the ASA.
Could you please paste the output of "sh run route" from the ASA? What is the default gateway?
The problem that you are having is that route addition on the client is not happening.
Could you try the disconnection and reconnection after the changes on the ASA and let me know the results?
Also, after reconnecting, can you please attach a screenshot of VPN client > statistics > route details?
Regards,
Anisha
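The suggestion in the reply above depends on whether return traffic from the inside network to the VPN client address is matched by the `nonat` ACL. As an added example (not part of the thread and not Cisco code), this Python script evaluates the posted `nonat` entries first-match, before and after the suggested line. It assumes `nonat` is the ACL bound for NAT exemption, which the visible part of the config does not show; the inside host 192.168.1.10 is a constructed sample, and 172.31.48.65 is the client address from the debug output.

```python
import ipaddress

# nonat entries copied from the configuration posted in the thread.
NONAT_POSTED = """\
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.19.90.0 255.255.255.0
access-list nonat extended permit ip any 192.168.1.96 255.255.255.224
"""
# Entry suggested in the reply above.
SUGGESTED = "access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.31.48.0 255.255.255.0\n"


def _take_network(tokens):
    """Consume 'any', 'host A' or 'A MASK' from the front of the token list."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")


def parse_acl(text, name):
    """Return (action, src_net, dst_net) for each 'extended <action> ip' entry of one ACL."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:3] != ["access-list", name, "extended"] or tokens[4:5] != ["ip"]:
            continue  # other ACLs, other protocols, blank lines
        action, rest = tokens[3], tokens[5:]
        src = _take_network(rest)
        dst = _take_network(rest)
        entries.append((action, src, dst))
    return entries


def first_match(entries, src_ip, dst_ip):
    """First-match evaluation; None stands for the implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action, str(src_net), str(dst_net)
    return None


def nat_exempt(acl_text, src_ip, dst_ip):
    """True when the nonat ACL permits src -> dst, so the flow bypasses NAT."""
    hit = first_match(parse_acl(acl_text, "nonat"), src_ip, dst_ip)
    return hit is not None and hit[0] == "permit"


if __name__ == "__main__":
    inside_host, vpn_client = "192.168.1.10", "172.31.48.65"  # inside host is constructed
    print("posted config :", nat_exempt(NONAT_POSTED, inside_host, vpn_client))
    print("with new entry:", nat_exempt(NONAT_POSTED + SUGGESTED, inside_host, vpn_client))
```

With the posted entries, no line covers the 172.31.48.x pool, so replies from inside hosts to the client fall through to the implicit deny of the exemption ACL; the suggested entry is the first one that matches.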