VPN site-to-site between ASA and Router issues (Cert Auth with another Router acting as PKI Server)

Hi Guys,

Has anybody done a VPN site-to-site between an ASA and a Router with certificate authentication, using another router acting as the PKI Server?

In my case:

                         R4 (NTP/PKI Server)
                                |
                                |
                              (dmz)
                                |
    |-----R1------- (inside) ASA (outside) --------R3-------R2----|

Tested:

  1. NTP is synchronized on all Routers and the ASA
  2. The authenticate/enroll process has been done and the certificate was obtained
  3. VPN site-to-site between R2 and R3 worked fine with certificate authentication
  4. The ISAKMP policy and IPSEC transform-set are the same on all Routers and the ASA
  5. Routing between the Routers and the ASA is OK.

I had some issues with the VPN traffic between the ASA and R3, and I didn't know why:

  1. The certificate was successfully validated between the ASA and R3, but Phase 1 is not completed ... and I saw a traceback on the ASA:

%ASA-7-711002: Task ran for 18 msec, Process = IKE Daemon, PC = 810ae25, Traceback =   0x0810AE25  0x0814C6E6  0x084F269C  0x08491A32  0x084929FE  0x0925A6DF  0x0849206B  0x084A1879  0x084A2408  0x08062413

Has anybody done this case before? Please let me know.

Regards,

Tran

19 Replies

Tran,

Normally we assume the DH exchange is done in MM3 and MM4; not sure if that changes when we do cert auth (due to the exchange of cert_req).

MM5 - Initiator sends its identity.

MM6 - Responder sends its identity.

The debug you attached below, what scenario is it for? (It looks like the tunnel-group is still matched based on IP ;-))

Marcin

Marcin,

Absolutely, the tunnel-group is based on IP address, and the debug is from the previous issue (Phase 1 is not completed). I'm just confused about the debug reporting that the certificate was successfully validated ... I didn't see DH take over and create the shared session key ... I think something is wrong, and the result is that Phase 1 is not completed.

Regards,

Tran

Tran,

The big question for me is: why was it working with the Microsoft CA and not with the IOS CA :-)

If I find a moment today, I'll lab it just to have peace of mind and remember my CCIE times again.

Marcin

Marcin, thank you for exchanging info with me. See you on another case.

Thank you very much.

Marcin,

Here is the info for you:

%ASA-7-713906: IP = 136.1.122.200, Trying to find group via OU...
%ASA-3-713020: IP = 136.1.122.200, No Group found by matching OU(s) from ID payload:   ou=CCIEsec,
%ASA-7-713906: IP = 136.1.122.200, Trying to find group via IKE ID...
%ASA-7-713906: IP = 136.1.122.200, Trying to find group via IP ADDR...
%ASA-7-713906: IP = 136.1.122.200, Connection landed on tunnel_group 136.1.122.200
%ASA-7-717025: Validating certificate chain containing 1 certificate(s).
%ASA-7-717029: Identified client certificate within certificate chain. serial number: 03, subject name: serialNumber=FHK133870KA+hostname=R3.ine.com,cn=R3.ine.com,o=INE,ou=CCIEsec,l=CaLi,st=USA.
%ASA-7-717030: Found a suitable trustpoint DMZ.ine.com to validate certificate.
%ASA-6-717022: Certificate was successfully validated. serial number: 03, subject name:  serialNumber=FHK133870KA+hostname=R3.ine.com,cn=R3.ine.com,o=INE,ou=CCIEsec,l=CaLi,st=USA.
%ASA-6-717028: Certificate chain was successfully validated with revocation status check.
%ASA-7-713906: Group = 136.1.122.200, IP = 136.1.122.200, peer ID type 2 received (FQDN)
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing ID payload
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing cert payload
%ASA-7-715001: Group = 136.1.122.200, IP = 136.1.122.200, constructing RSA signature
%ASA-7-715076: Group = 136.1.122.200, IP = 136.1.122.200, Computing hash for ISAKMP
%ASA-7-713906: Constructed Signature Len: 256
%ASA-7-713906: Constructed Signature:
0000: 6A49AAB4 CA2006C0 068D840F 3BAEF907     jI... ......;...
0010: 5A47D830 E7EF7594 10FA4F54 ED3A38D7     ZG.0..u...OT.:8.
0020: D1B2D85D 67B65BD1 5C5510BE 038618CB     ...]g.[.\U......
0030: 81F35050 EDF77594 4F06D6B7 FAE036D4     ..PP..u.O.....6.
0040: 93C2A291 345F6575 8BC6C056 54102958     ....4_eu...VT.)X
0050: 3717AE54 43508589 E7B27A3E F3526CDC     7..TCP....z>.Rl.
0060: 6B9C0F44 F1A6BD6F F9203245 C860FCBB     k..D...o. 2E.`..
0070: F5A3DA2C 51A749BF 75C4DC36
%ASA-7-715034: IP = 136.1.122.200, Constructing IOS keep alive payload: proposal=32767/32767 sec.
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing dpd vid payload
%ASA-7-713236: IP = 136.1.122.200, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 1311
%ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 136.1.122.200
%ASA-5-713119: Group = 136.1.122.200, IP = 136.1.122.200, PHASE 1 COMPLETED
%ASA-7-713121: IP = 136.1.122.200, Keep-alive type for this connection: DPD
%ASA-7-715080: Group = 136.1.122.200, IP = 136.1.122.200, Starting P1 rekey timer: 64800 seconds.
%ASA-7-714003: IP = 136.1.122.200, IKE Responder starting QM: msg id = 907cc977
%ASA-7-713236: IP = 136.1.122.200, IKE_DECODE RECEIVED Message (msgid=907cc977) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 164
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing hash payload
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing SA payload
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing nonce payload
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing ID payload
%ASA-7-714011: Group = 136.1.122.200, IP = 136.1.122.200, ID_IPV4_ADDR_SUBNET ID received--33.33.33.0--255.255.255.0
%ASA-7-713035: Group = 136.1.122.200, IP = 136.1.122.200, Received remote IP Proxy Subnet data in ID Payload:   Address 33.33.33.0, Mask 255.255.255.0, Protocol 0, Port 0
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing ID payload
%ASA-7-714011: Group = 136.1.122.200, IP = 136.1.122.200, ID_IPV4_ADDR_SUBNET ID received--11.11.11.0--255.255.255.0
%ASA-7-713034: Group = 136.1.122.200, IP = 136.1.122.200, Received local IP Proxy Subnet data in ID Payload:   Address 11.11.11.0, Mask 255.255.255.0, Protocol 0, Port 0
%ASA-7-713906: Group = 136.1.122.200, IP = 136.1.122.200, QM IsRekeyed old sa not found by addr
%ASA-7-713221: Group = 136.1.122.200, IP = 136.1.122.200, Static Crypto Map check, checking map = VPN, seq = 10...
%ASA-7-713225: Group = 136.1.122.200, IP = 136.1.122.200, Static Crypto Map check, map VPN, seq = 10 is a successful match
%ASA-7-713066: Group = 136.1.122.200, IP = 136.1.122.200, IKE Remote Peer configured for crypto map: VPN
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing IPSec SA payload
%ASA-7-715027: Group = 136.1.122.200, IP = 136.1.122.200, IPSec SA Proposal # 1, Transform # 1 acceptable  Matches global IPSec SA entry # 10
%ASA-7-713906: Group = 136.1.122.200, IP = 136.1.122.200, IKE: requesting SPI!
%ASA-7-715006: Group = 136.1.122.200, IP = 136.1.122.200, IKE got SPI from key engine: SPI = 0xd05eafc9
%ASA-7-713906: Group = 136.1.122.200, IP = 136.1.122.200, oakley constucting quick mode
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing blank hash payload
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing IPSec SA payload
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing IPSec nonce payload
%ASA-7-715001: Group = 136.1.122.200, IP = 136.1.122.200, constructing proxy ID
%ASA-7-713906: Group = 136.1.122.200, IP = 136.1.122.200, Transmitting Proxy Id:
  Remote subnet: 33.33.33.0  Mask 255.255.255.0 Protocol 0  Port 0
  Local subnet:  11.11.11.0  mask 255.255.255.0 Protocol 0  Port 0
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing qm hash payload
%ASA-7-714005: Group = 136.1.122.200, IP = 136.1.122.200, IKE Responder sending 2nd QM pkt: msg id = 907cc977
%ASA-7-713236: IP = 136.1.122.200, IKE_DECODE SENDING Message (msgid=907cc977) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 164
%ASA-7-713236: IP = 136.1.122.200, IKE_DECODE RECEIVED Message (msgid=907cc977) with payloads : HDR + HASH (8) + NONE (0) total length : 48
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing hash payload
%ASA-7-713906: Group = 136.1.122.200, IP = 136.1.122.200, loading all IPSEC SAs
%ASA-7-715001: Group = 136.1.122.200, IP = 136.1.122.200, Generating Quick Mode Key!
%ASA-7-715001: Group = 136.1.122.200, IP = 136.1.122.200, Generating Quick Mode Key!
%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x3E4CFCCD) between 136.1.122.100 and 136.1.122.200 (user= 136.1.122.200) has been created.
%ASA-5-713049: Group = 136.1.122.200, IP = 136.1.122.200, Security negotiation complete for LAN-to-LAN Group (136.1.122.200)  Responder, Inbound SPI = 0xd05eafc9, Outbound SPI = 0x3e4cfccd
%ASA-7-715007: Group = 136.1.122.200, IP = 136.1.122.200, IKE got a KEY_ADD msg for SA: SPI = 0x3e4cfccd
%ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xD05EAFC9) between 136.1.122.100 and 136.1.122.200 (user= 136.1.122.200) has been created.
%ASA-7-715077: Group = 136.1.122.200, IP = 136.1.122.200, Pitcher: received KEY_UPDATE, spi 0xd05eafc9
%ASA-7-715080: Group = 136.1.122.200, IP = 136.1.122.200, Starting P2 rekey timer: 3060 seconds.
%ASA-5-713120: Group = 136.1.122.200, IP = 136.1.122.200, PHASE 2 COMPLETED (msgid=907cc977)
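A small triage script, added here as an example and not part of the thread or of any Cisco tool, that walks ASA IKE debug output like the one posted above and reports how the tunnel-group was selected (OU, IKE ID or IP address), whether the peer certificate validated, the proxy IDs received, and which phases completed. The sample lines are constructed from the output in this post; the message IDs (713020, 717022, 713119, 713120, 714011) are the ones visible in it.

```python
import re
# Constructed sample, modelled on the ASA debug output posted in this thread.
SAMPLE_LOG = """\
%ASA-7-713906: IP = 136.1.122.200, Trying to find group via OU...
%ASA-3-713020: IP = 136.1.122.200, No Group found by matching OU(s) from ID payload:   ou=CCIEsec,
%ASA-7-713906: IP = 136.1.122.200, Trying to find group via IP ADDR...
%ASA-7-713906: IP = 136.1.122.200, Connection landed on tunnel_group 136.1.122.200
%ASA-6-717022: Certificate was successfully validated. serial number: 03, subject name:  serialNumber=FHK133870KA+hostname=R3.ine.com,cn=R3.ine.com,o=INE,ou=CCIEsec,l=CaLi,st=USA.
%ASA-5-713119: Group = 136.1.122.200, IP = 136.1.122.200, PHASE 1 COMPLETED
%ASA-7-714011: Group = 136.1.122.200, IP = 136.1.122.200, ID_IPV4_ADDR_SUBNET ID received--33.33.33.0--255.255.255.0
%ASA-5-713120: Group = 136.1.122.200, IP = 136.1.122.200, PHASE 2 COMPLETED (msgid=907cc977)
"""
MSG_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")


def triage_ike(log):
    """Walk ASA IKE debug lines and record how far one IKEv1 L2L negotiation got."""
    s = {"tunnel_group": None, "group_match": None, "unmatched_ou": None,
         "cert_subject": None, "phase1": False, "phase2": False, "proxy_ids": []}
    lookup = None  # last "Trying to find group via ..." method seen
    for line in log.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue
        mid, body = m["id"], m["body"]
        if "Trying to find group via" in body:
            lookup = body.split("via ", 1)[1].rstrip(".")
        elif mid == "713020":  # OU-to-tunnel-group mapping failed; keep the OU it tried
            s["unmatched_ou"] = body.split("payload:", 1)[1].strip().rstrip(",")
        elif "Connection landed on tunnel_group" in body:
            s["tunnel_group"], s["group_match"] = body.rsplit(" ", 1)[1], lookup
        elif mid == "717022":  # certificate validated; keep the subject name
            s["cert_subject"] = body.split("subject name:", 1)[1].strip().rstrip(".")
        elif mid == "713119":
            s["phase1"] = True
        elif mid == "713120":
            s["phase2"] = True
        elif mid == "714011":  # proxy ID (traffic selector) sent by the peer
            net, mask = body.split("--")[1:3]
            s["proxy_ids"].append(f"{net}/{mask}")
    return s


def findings(s):
    """The two checks discussed in the thread, as plain-language findings."""
    out = []
    if s["unmatched_ou"] and s["group_match"] == "IP ADDR":
        out.append(f"{s['unmatched_ou']} maps to no tunnel-group; landed on IP-based group {s['tunnel_group']}")
    if s["cert_subject"] and not s["phase1"]:
        out.append("certificate validated but PHASE 1 never completed")
    return out
```

Run it over a captured `debug crypto isakmp` / syslog file to see at a glance whether the peer landed on a certificate-mapped tunnel-group or fell through to the IP-address one.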