Site-to-Site VPN with GRE tunnel and one device with NAT

Hi,

I am having a problem configuring a site-to-site VPN between two Cisco routers, an 877 and a 2911. It looks like phase 1 is OK, but phase 2 has a problem.

I have NAT transparency configured on both routers, but it is not working. I think the problem is caused by the NAT.

Here is the information about the routers and the show output.

---------------------------------------------------------------------------------------------------------------------

Router with NAT (does not have a public IP).

Router BCN

crypto keyring MAD-BCN
 pre-shared-key address x.x.x.x key 6 asdfadsfdsaf
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp nat keepalive 20
crypto isakmp profile MAD-BCN-ITL_VRF
 keyring MAD-BCN
 self-identity address
 match identity address x.x.x.x 255.255.255.255
!
!
crypto ipsec transform-set VPN-ITL esp-3des esp-md5-hmac
 mode transport
!
crypto map CM-VPN-MAQUETA 10 ipsec-isakmp
 description Crypto map para VPN-ITL-BCN-MAD
 set peer x.x.x.x
 set transform-set VPN-ITL
 set isakmp-profile MAD-BCN-ITL_VRF
 match address ACL-VPN-ITL

interface Tunnel1
 description CONEXION ITL BCN-MAD
 ip address 172.16.30.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1500
 ip flow ingress
 tunnel source Vlan19
 tunnel destination x.x.x.x
 tunnel mode ipip
!

interface Vlan19
 ip address 10.219.219.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 crypto map CM-VPN-MAQUETA

ip access-list extended ACL-VPN-ITL
 permit ip host 10.219.219.2 host 212.170.173.253

----------------------------------------------------

Router without NAT (this router has other site-to-site VPNs working)

crypto keyring BCN-MAD_VRF vrf VPN-MAQUETA
 pre-shared-key address x.x.x.x key 6 asdfasdfad

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 40
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 6 FIZ`PI`[IZaiVgdbiWYD`NJLPZYcI[JXeHGT address 0.0.0.0
crypto isakmp identity hostname
crypto isakmp nat keepalive 20

crypto isakmp profile MAD-BCN-ITL_VRF
 vrf VPN-MAQUETA
 keyring BCN-MAD_VRF
 self-identity address
 match identity address x.x.x.x 255.255.255.255 VPN-MAQUETA

crypto ipsec transform-set VPN-ITL_VRF esp-3des esp-md5-hmac
 mode transport

crypto map CM-VPN-MAQUETA 80 ipsec-isakmp
 description Crypto map para VPN-ITL-BCN-MAD
 set peer x.x.x.x
 set transform-set VPN-ITL_VRF
 set isakmp-profile MAD-BCN-ITL_VRF
 match address ACL-VPN-ITL_VRF

interface Tunnel8
 description CONEXION ITL BCN-MAD_VRF
 ip vrf forwarding VPN-MAQUETA
 ip address 172.16.30.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1500
 ip flow ingress
 tunnel source Dialer1
 tunnel mode ipip
 tunnel destination x.x.x.x
 tunnel vrf VPN-MAQUETA

interface Dialer1
 mtu 1492
 ip vrf forwarding VPN-MAQUETA
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname adslppp@telefonicanetpa
 ppp chap password 7 0207004807161F31
 ppp pap sent-username adslppp@telefonicanetpa password 7 12
 crypto map CM-VPN-MAQUETA
!

ip access-list extended ACL-VPN-ITL_VRF
 permit ip host 212.x.x.x.253 host 79.x.x.x

------------------------------------------------------------------------------

Show crypto output from the router with NAT

ITALTEL_BCN#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.219.219.2 212.170.173.253 QM_IDLE 2496 0 ACTIVE
10.219.219.2 212.170.173.253 MM_NO_STATE 2495 0 ACTIVE (deleted)
10.219.219.2 212.170.173.253 MM_NO_STATE 2494 0 ACTIVE (deleted)

ITALTEL_BCN#show crypto session
Crypto session current status

Interface: Vlan19
Session status: DOWN
Peer: 212.170.173.253 port 500
IPSEC FLOW: permit ip host 10.219.219.2 host 212.170.173.253
Active SAs: 0, origin: crypto map

Interface: Vlan19
Profile: MAD-BCN-ITL_VRF
Session status: UP-IDLE
Peer: 212.170.173.253 port 4500
IKE SA: local 10.219.219.2/4500 remote 212.170.173.253/4500 Active
IKE SA: local 10.219.219.2/4500 remote 212.170.173.253/4500 Inactive
IKE SA: local 10.219.219.2/4500 remote 212.170.173.253/4500 Inactive

ITALTEL_BCN#show crypto ipsec sa

interface: Vlan19
Crypto map tag: CM-VPN-MAQUETA, local addr 10.219.219.2

protected vrf: (none)
local ident (addr/mask/prot/port): (10.219.219.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (212.170.173.253/255.255.255.255/0/0)
current_peer 212.170.173.253 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 34, #recv errors 0

local crypto endpt.: 10.219.219.2, remote crypto endpt.: 212.170.173.253
path mtu 1500, ip mtu 1500, ip mtu idb Vlan19
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

-----------------------------------------------------------------------------------------------------------------------

Debug Output

Oct 28 03:22:35.139: ISAKMP:(2490):purging SA., sa=84BEB4C0, delme=84BEB4C0is
ITALTEL_BCN#debug c
Oct 28 03:22:39.996: ISAKMP (0:0): received packet from 212.170.173.253 dport 500 sport 500 Global (N) NEW SA
Oct 28 03:22:39.996: ISAKMP: Created a peer struct for 212.170.173.253, peer port 500
Oct 28 03:22:39.996: ISAKMP: New peer created peer = 0x83AB1968 peer_handle = 0x80000302
Oct 28 03:22:39.996: ISAKMP: Locking peer struct 0x83AB1968, refcount 1 for crypto_isakmp_process_block
Oct 28 03:22:39.996: ISAKMP: local port 500, remote port 500
Oct 28 03:22:39.996: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 84BEB4C0
Oct 28 03:22:39.996: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 28 03:22:39.996: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

Oct 28 03:22:40.000: ISAKMP:(0): processing SA payload. message ID = 0
Oct 28 03:22:40.000: ISAKMP:(0): processing vendor id payload
Oct 28 03:22:40.000: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Oct 28 03:22:40.000: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Oct 28 03:22:40.000: ISAKMP:(0): processing vendor id payload
Oct 28 03:22:40.000: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Oct 28 03:22:40.000: ISAKMP (0:0): vendor ID is NAT-T v7
Oct 28 03:22:40.000: ISAKMP:(0): processing vendor id payload
Oct 28 03:22:40.000: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Oct 28 03:22:40.000: ISAKMP:(0): vendor ID is NAT-T v3
Oct 28 03:22:40.000: ISAKMP:(0): processing vendor id payload
Oct 28 03:22:40.000: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Oct 28 03:22:40.000: ISAKMP:(0): vendor ID is NAT-T v2
Oct 28 03:22:40.000: ISAKMP:(0):found peer pre-shared key matching 212.170.173.253
Oct 28 03:22:40.000: ISAKMP:(0): local preshared key found
Oct 28 03:22:40.000: ISAKMP : Scanning profiles for xauth ... MAD-BCN-ITL_VRF
Oct 28 03:22:40.000: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Oct 28 03:22:40.000: ISAKMP: encryption 3DES-CBC
Oct 28 03:22:40.000: ISAKMP: hash MD5
Oct 28 03:22:40.000: ISAKMP: default group 2
Oct 28 03:22:40.000: ISAKMP: auth pre-share
Oct 28 03:22:40.000: ISAKMP: life type in seconds
Oct 28 03:22:40.000: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Oct 28 03:22:40.004: ISAKMP:(0):atts are acceptable. Next payload is 3
Oct 28 03:22:40.004: ISAKMP:(0):Acceptable atts:actual life: 3600
Oct 28 03:22:40.004: ISAKMP:(0):Acceptable atts:life: 0
Oct 28 03:22:40.004: ISAKMP:(0):Fill atts in sa vpi_length:4
Oct 28 03:22:40.004: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Oct 28 03:22:40.004: ISAKMP:(0):Returning Actual lifetime: 3600
Oct 28 03:22:40.004: ISAKMP:(0)::Started lifetime timer: 3600.

Oct 28 03:22:40.004: ISAKMP:(0): processing vendor id payload
Oct 28 03:22:40.004: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Oct 28 03:22:40.004: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Oct 28 03:22:40.004: ISAKMP:(0): processing vendor id payload
Oct 28 03:22:40.004: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Oct 28 03:22:40.004: ISAKMP (0:0): vendor ID is NAT-T v7
Oct 28 03:22:40.004: ISAKMP:(0): processing vendor id payload
Oct 28 03:22:40.004: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Oct 28 03:22:40.004: ISAKMP:(0): vendor ID is NAT-T v3
Oct 28 03:22:40.004: ISAKMP:(0): processing vendor id payload
Oct 28 03:22:40.004: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Oct 28 03:22:40.004: ISAKMP:(0): vendor ID is NAT-T v2
Oct 28 03:22:40.004: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 28 03:22:40.004: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

Oct 28 03:22:40.008: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Oct 28 03:22:40.008: ISAKMP:(0): sending packet to 212.170.173.253 my_port 500 peer_port 500 (R) MM_SA_SETUP
Oct 28 03:22:40.008: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 28 03:22:40.008: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 28 03:22:40.008: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

Oct 28 03:22:40.024: ISAKMP (0:0): received packet from 212.170.173.253 dport 500 sport 500 Global (R) MM_SA_SETUP
Oct 28 03:22:40.024: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 28 03:22:40.029: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3

Oct 28 03:22:40.029: ISAKMP:(0): processing KE payload. message ID = 0
Oct 28 03:22:40.029: crypto_engine: Create DH shared secret
Oct 28 03:22:40.073: ISAKMP:(0): processing NONCE payload. message ID = 0
Oct 28 03:22:40.073: ISAKMP:(0):found peer pre-shared key matching 212.170.173.253
Oct 28 03:22:40.073: crypto_engine: Create IKE SA
Oct 28 03:22:40.073: crypto engine: deleting DH phase 2 SW:498
Oct 28 03:22:40.073: crypto_engine: Delete DH shared secret
Oct 28 03:22:40.073: ISAKMP:(2493): processing vendor id payload
Oct 28 03:22:40.077: ISAKMP:(2493): vendor ID is DPD
Oct 28 03:22:40.077: ISAKMP:(2493): processing vendor id payload
Oct 28 03:22:40.077: ISAKMP:(2493): speaking to another IOS box!
Oct 28 03:22:40.077: ISAKMP:(2493): processing vendor id payload
Oct 28 03:22:40.077: ISAKMP:(2493): vendor ID seems Unity/DPD but major 37 mismatch
Oct 28 03:22:40.077: ISAKMP:(2493): vendor ID is XAUTH
Oct 28 03:22:40.077: ISAKMP:received payload type 20
Oct 28 03:22:40.077: ISAKMP (0:2493): NAT found, the node inside NAT
Oct 28 03:22:40.077: ISAKMP:received payload type 20
Oct 28 03:22:40.077: ISAKMP:(2493):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 28 03:22:40.077: ISAKMP:(2493):Old State = IKE_R_MM3 New State = IKE_R_MM3

Oct 28 03:22:40.077: ISAKMP:(2493): sending packet to 212.170.173.253 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Oct 28 03:22:40.077: ISAKMP:(2493):Sending an IKE IPv4 Packet.
Oct 28 03:22:40.077: ISAKMP:(2493):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 28 03:22:40.081: ISAKMP:(2493):Old State = IKE_R_MM3 New State = IKE_R_MM4

Oct 28 03:22:40.121: ISAKMP (0:2493): received packet from 212.170.173.253 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
Oct 28 03:22:40.121: crypto_engine: Decrypt IKE packet
Oct 28 03:22:40.121: ISAKMP:(2493):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 28 03:22:40.121: ISAKMP:(2493):Old State = IKE_R_MM4 New State = IKE_R_MM5

Oct 28 03:22:40.125: ISAKMP:(2493): processing ID payload. message ID = 0
Oct 28 03:22:40.125: ISAKMP (0:2493): ID payload
next-payload : 8
type : 1
address : 212.170.173.253
protocol : 17
port : 0
length : 12
Oct 28 03:22:40.125: ISAKMP:(0):: peer matches MAD-BCN-ITL_VRF profile
Oct 28 03:22:40.125: ISAKMP:(2493):Found ADDRESS key in keyring MAD-BCN
Oct 28 03:22:40.125: ISAKMP:(2493): processing HASH payload. message ID = 0
Oct 28 03:22:40.125: crypto_engine: Generate IKE hash
Oct 28 03:22:40.125: ISAKMP:(2493): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 84BEB4C0
Oct 28 03:22:40.125: ISAKMP:(2493):SA authentication status:
authenticated
Oct 28 03:22:40.125: ISAKMP:(2493):SA has been authenticated with 212.170.173.253
Oct 28 03:22:40.125: ISAKMP:(2493):Detected port floating to port = 4500
Oct 28 03:22:40.125: ISAKMP: Trying to find existing peer 10.219.219.2/212.170.173.253/4500/ and found existing peer 832A0A80 to reuse, free 83AB1968
Oct 28 03:22:40.125: ISAKMP: Unlocking peer struct 0x83AB1968 Reuse existing peer, count 0
Oct 28 03:22:40.125: ISAKMP: Deleting peer node by peer_reap for 212.170.173.253: 83AB1968
Oct 28 03:22:40.125: ISAKMP: Locking peer struct 0x832A0A80, refcount 2 for Reuse existing peer
Oct 28 03:22:40.129: ISAKMP:(2493):SA authentication status:
authenticated
Oct 28 03:22:40.129: ISAKMP:(2493): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.219.219.2 remote 212.170.173.253 remote port 4500
Oct 28 03:22:40.129: ISAKMP:(2492):received initial contact, deleting SA
Oct 28 03:22:40.129: ISAKMP:(2492):peer does not do paranoid keepalives.

Oct 28 03:22:40.129: ISAKMP:(2492):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 212.170.173.253)
Oct 28 03:22:40.129: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
Oct 28 03:22:40.129: ISAKMP:(2493):Setting UDP ENC peer struct 0x0 sa= 0x84BEB4C0
Oct 28 03:22:40.129: ISAKMP:(2493):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 28 03:22:40.129: ISAKMP:(2493):Old State = IKE_R_MM5 New State = IKE_R_MM5

Oct 28 03:22:40.129: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Oct 28 03:22:40.129: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Oct 28 03:22:40.129: ISAKMP: set new node -1784468210 to QM_IDLE
Oct 28 03:22:40.129: crypto_engine: Generate IKE hash
Oct 28 03:22:40.133: crypto_engine: Encrypt IKE packet
Oct 28 03:22:40.133: ISAKMP:(2492): sending packet to 212.170.173.253 my_port 4500 peer_port 4500 (R) QM_IDLE
Oct 28 03:22:40.133: ISAKMP:(2492):Sending an IKE IPv4 Packet.
Oct 28 03:22:40.133: ISAKMP:(2492):purging node -1784468210
Oct 28 03:22:40.133: ISAKMP:(2492):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Oct 28 03:22:40.133: ISAKMP:(2492):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

Oct 28 03:22:40.133: ISAKMP:(2493):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Oct 28 03:22:40.133: ISAKMP (0:2493): ID payload
next-payload : 8
type : 1
address : 10.219.219.2
protocol : 17
port : 0
length : 12
Oct 28 03:22:40.133: ISAKMP:(2493):Total payload length: 12
Oct 28 03:22:40.133: crypto_engine: Generate IKE hash
Oct 28 03:22:40.137: crypto_engine: Encrypt IKE packet
Oct 28 03:22:40.137: ISAKMP:(2493): sending packet to 212.170.173.253 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
Oct 28 03:22:40.137: ISAKMP:(2493):Sending an IKE IPv4 Packet.
Oct 28 03:22:40.137: ISAKMP:(2493):Returning Actual lifetime: 3600
Oct 28 03:22:40.137: ISAKMP: set new node -1839478786 to QM_IDLE
Oct 28 03:22:40.137: crypto_engine: Generate IKE hash
Oct 28 03:22:40.137: ISAKMP:(2493):Sending NOTIFY RESPONDER_LIFETIME protocol 1
spi 2213332560, message ID = -1839478786
Oct 28 03:22:40.137: crypto_engine: Encrypt IKE packet
Oct 28 03:22:40.137: ISAKMP:(2493): sending packet to 212.170.173.253 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
Oct 28 03:22:40.137: ISAKMP:(2493):Sending an IKE IPv4 Packet.
Oct 28 03:22:40.137: ISAKMP:(2493):purging node -1839478786
Oct 28 03:22:40.137: ISAKMP: Sending phase 1 responder lifetime 3600

Oct 28 03:22:40.141: ISAKMP:(2493):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 28 03:22:40.141: ISAKMP:(2493):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

Oct 28 03:22:40.141: ISAKMP:(2492):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 212.170.173.253)
Oct 28 03:22:40.141: ISAKMP: Unlocking peer struct 0x832A0A80 for isadb_mark_sa_deleted(), count 1
Oct 28 03:22:40.141: crypto engine: deleting IKE SA SW:492
Oct 28 03:22:40.141: crypto_engine: Delete IKE SA
Oct 28 03:22:40.141: ISAKMP:(2492):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCHry
ITALTEL_BCN#debug crypto
Oct 28 03:22:40.141: ISAKMP:(2492):Old State = IKE_DEST_SA New State = IKE_DEST_SA

Oct 28 03:22:40.145: ISAKMP:(2493):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Oct 28 03:22:40.145: ISAKMP:(2493):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Oct 28 03:23:09.996: ISAKMP (0:0): received packet from 212.170.173.253 dport 500 sport 500 Global (N) NEW SA
Oct 28 03:23:09.996: ISAKMP: Created a peer struct for 212.170.173.253, peer port 500
Oct 28 03:23:09.996: ISAKMP: New peer created peer = 0x83AB1968 peer_handle = 0x80000304
Oct 28 03:23:09.996: ISAKMP: Locking peer struct 0x83AB1968, refcount 1 for crypto_isakmp_process_block
Oct 28 03:23:10.000: ISAKMP: local port 500, remote port 500
Oct 28 03:23:10.000: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 84C60AFC
Oct 28 03:23:10.000: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 28 03:23:10.000: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

Oct 28 03:23:10.000: ISAKMP:(0): processing SA payload. message ID = 0
Oct 28 03:23:10.000: ISAKMP:(0): processing vendor id payload
Oct 28 03:23:10.000: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Oct 28 03:23:10.000: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Oct 28 03:23:10.000: ISAKMP:(0): processing vendor id payload
Oct 28 03:23:10.000: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Oct 28 03:23:10.000: ISAKMP (0:0): vendor ID is NAT-T v7
Oct 28 03:23:10.000: ISAKMP:(0): processing vendor id payload
Oct 28 03:23:10.000: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Oct 28 03:23:10.000: ISAKMP:(0): vendor ID is NAT-T v3
Oct 28 03:23:10.000: ISAKMP:(0): processing vendor id payload
Oct 28 03:23:10.004: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Oct 28 03:23:10.004: ISAKMP:(0): vendor ID is NAT-T v2
Oct 28 03:23:10.004: ISAKMP:(0):found peer pre-shared key matching 212.170.173.253
Oct 28 03:23:10.004: ISAKMP:(0): local preshared key found
Oct 28 03:23:10.004: ISAKMP : Scanning profiles for xauth ... MAD-BCN-ITL_VRF
Oct 28 03:23:10.004: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Oct 28 03:23:10.004: ISAKMP: encryption 3DES-CBC
Oct 28 03:23:10.004: ISAKMP: hash MD5
Oct 28 03:23:10.004: ISAKMP: default group 2
Oct 28 03:23:10.004: ISAKMP: auth pre-share
Oct 28 03:23:10.004: ISAKMP: life type in seconds
Oct 28 03:23:10.004: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Oct 28 03:23:10.004: ISAKMP:(0):atts are acceptable. Next payload is 3
Oct 28 03:23:10.004: ISAKMP:(0):Acceptable atts:actual life: 3600
Oct 28 03:23:10.004: ISAKMP:(0):Acceptable atts:life: 0
Oct 28 03:23:10.004: ISAKMP:(0):Fill atts in sa vpi_length:4
Oct 28 03:23:10.004: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Oct 28 03:23:10.004: ISAKMP:(0):Returning Actual lifetime: 3600
Oct 28 03:23:10.004: ISAKMP:(0)::Started lifetime timer: 3600.

Oct 28 03:23:10.004: ISAKMP:(0): processing vendor id payload
Oct 28 03:23:10.004: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Oct 28 03:23:10.004: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Oct 28 03:23:10.008: ISAKMP:(0): processing vendor id payload
Oct 28 03:23:10.008: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Oct 28 03:23:10.008: ISAKMP (0:0): vendor ID is NAT-T v7
Oct 28 03:23:10.008: ISAKMP:(0): processing vendor id payload
Oct 28 03:23:10.008: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Oct 28 03:23:10.008: ISAKMP:(0): vendor ID is NAT-T v3
Oct 28 03:23:10.008: ISAKMP:(0): processing vendor id payload
Oct 28 03:23:10.008: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Oct 28 03:23:10.008: ISAKMP:(0): vendor ID is NAT-T v2
Oct 28 03:23:10.008: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 28 03:23:10.008: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

Oct 28 03:23:10.008: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Oct 28 03:23:10.008: ISAKMP:(0): sending packet to 212.170.173.253 my_port 500 peer_port 500 (R) MM_SA_SETUP
Oct 28 03:23:10.008: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 28 03:23:10.012: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 28 03:23:10.012: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

Oct 28 03:23:10.028: ISAKMP (0:0): received packet from 212.170.173.253 dport 500 sport 500 Global (R) MM_SA_SETUP
Oct 28 03:23:10.028: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 28 03:23:10.028: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3

Oct 28 03:23:10.028: ISAKMP:(0): processing KE payload. message ID = 0
Oct 28 03:23:10.028: crypto_engine: Create DH shared secret
Oct 28 03:23:10.084: ISAKMP:(0): processing NONCE payload. message ID = 0
Oct 28 03:23:10.084: ISAKMP:(0):found peer pre-shared key matching 212.170.173.253
Oct 28 03:23:10.084: crypto_engine: Create IKE SA
Oct 28 03:23:10.084: crypto engine: deleting DH phase 2 SW:499
Oct 28 03:23:10.084: crypto_engine: Delete DH shared secret
Oct 28 03:23:10.084: ISAKMP:(2494): processing vendor id payload
Oct 28 03:23:10.084: ISAKMP:(2494): vendor ID is DPD
Oct 28 03:23:10.084: ISAKMP:(2494): processing vendor id payload
Oct 28 03:23:10.084: ISAKMP:(2494): speaking to another IOS box!
Oct 28 03:23:10.084: ISAKMP:(2494): processing vendor id payload
Oct 28 03:23:10.084: ISAKMP:(2494): vendor ID seems Unity/DPD but major 250 mismatch
Oct 28 03:23:10.088: ISAKMP:(2494): vendor ID is XAUTH
Oct 28 03:23:10.088: ISAKMP:received payload type 20
Oct 28 03:23:10.088: ISAKMP (0:2494): NAT found, the node inside NAT
Oct 28 03:23:10.088: ISAKMP:received payload type 20
Oct 28 03:23:10.088: ISAKMP:(2494):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 28 03:23:10.088: ISAKMP:(2494):Old State = IKE_R_MM3 New State = IKE_R_MM3

Oct 28 03:23:10.092: ISAKMP:(2494): sending packet to 212.170.173.253 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Oct 28 03:23:10.092: ISAKMP:(2494):Sending an IKE IPv4 Packet.
Oct 28 03:23:10.096: ISAKMP:(2494):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 28 03:23:10.096: ISAKMP:(2494):Old State = IKE_R_MM3 New State = IKE_R_MM4

Oct 28 03:23:10.136: ISAKMP (0:2494): received packet from 212.170.173.253 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
Oct 28 03:23:10.140: crypto_engine: Decrypt IKE packet
Oct 28 03:23:10.140: ISAKMP:(2494):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 28 03:23:10.140: ISAKMP:(2494):Old State = IKE_R_MM4 New State = IKE_R_MM5

Oct 28 03:23:10.140: ISAKMP:(2494): processing ID payload. message ID = 0
Oct 28 03:23:10.140: ISAKMP (0:2494): ID payload
next-payload : 8
type : 1
address : 212.170.173.253
protocol : 17
port : 0
length : 12
Oct 28 03:23:10.140: ISAKMP:(0):: peer matches MAD-BCN-ITL_VRF profile
Oct 28 03:23:10.140: ISAKMP:(2494):Found ADDRESS key in keyring MAD-BCN
Oct 28 03:23:10.140: ISAKMP:(2494): processing HASH payload. message ID = 0
Oct 28 03:23:10.140: crypto_engine: Generate IKE hash
Oct 28 03:23:10.140: ISAKMP:(2494): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 84C60AFC
Oct 28 03:23:10.140: ISAKMP:(2494):SA authentication status:
authenticated
Oct 28 03:23:10.140: ISAKMP:(2494):SA has been authenticated with 212.170.173.253
Oct 28 03:23:10.140: ISAKMP:(2494):Detected port floating to port = 4500
Oct 28 03:23:10.144: ISAKMP: Trying to find existing peer 10.219.219.2/212.170.173.253/4500/ and found existing peer 832A0A80 to reuse, free 83AB1968
Oct 28 03:23:10.144: ISAKMP: Unlocking peer struct 0x83AB1968 Reuse existing peer, count 0
Oct 28 03:23:10.144: ISAKMP: Deleting peer node by peer_reap for 212.170.173.253: 83AB1968
Oct 28 03:23:10.144: ISAKMP: Locking peer struct 0x832A0A80, refcount 2 for Reuse existing peer
Oct 28 03:23:10.144: ISAKMP:(2494):SA authentication status:
authenticated
Oct 28 03:23:10.144: ISAKMP:(2494): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.219.219.2 remote 212.170.173.253 remote port 4500
Oct 28 03:23:10.144: ISAKMP:(2493):received initial contact, deleting SA
Oct 28 03:23:10.144: ISAKMP:(2493):peer does not do paranoid keepalives.

Oct 28 03:23:10.144: ISAKMP:(2493):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 212.170.173.253)
Oct 28 03:23:10.144: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
Oct 28 03:23:10.144: ISAKMP:(2494):Setting UDP ENC peer struct 0x0 sa= 0x84C60AFC
Oct 28 03:23:10.144: ISAKMP:(2494):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 28 03:23:10.144: ISAKMP:(2494):Old State = IKE_R_MM5 New State = IKE_R_MM5

Oct 28 03:23:10.144: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Oct 28 03:23:10.148: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Oct 28 03:23:10.148: ISAKMP: set new node 1975556578 to QM_IDLE
Oct 28 03:23:10.148: crypto_engine: Generate IKE hash
Oct 28 03:23:10.148: crypto_engine: Encrypt IKE packet
Oct 28 03:23:10.148: ISAKMP:(2493): sending packet to 212.170.173.253 my_port 4500 peer_port 4500 (R) QM_IDLE
Oct 28 03:23:10.148: ISAKMP:(2493):Sending an IKE IPv4 Packet.
Oct 28 03:23:10.148: ISAKMP:(2493):purging node 1975556578
Oct 28 03:23:10.148: ISAKMP:(2493):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Oct 28 03:23:10.148: ISAKMP:(2493):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

Oct 28 03:23:10.148: ISAKMP:(2491):purging SA., sa=83AE20B8, delme=83AE20B8
Oct 28 03:23:10.152: ISAKMP:(2494):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Oct 28 03:23:10.152: ISAKMP (0:2494): ID payload
next-payload : 8
type : 1
address : 10.219.219.2
protocol : 17
port : 0
length : 12
Oct 28 03:23:10.152: ISAKMP:(2494):Total payload length: 12
Oct 28 03:23:10.152: crypto_engine: Generate IKE hash
Oct 28 03:23:10.152: crypto_engine: Encrypt IKE packet
Oct 28 03:23:10.152: ISAKMP:(2494): sending packet to 212.170.173.253 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
Oct 28 03:23:10.152: ISAKMP:(2494):Sending an IKE IPv4 Packet.
Oct 28 03:23:10.152: ISAKMP:(2494):Returning Actual lifetime: 3600
Oct 28 03:23:10.152: ISAKMP: set new node -1498503987 to QM_IDLE
Oct 28 03:23:10.152: crypto_engine: Generate IKE hash
Oct 28 03:23:10.152: ISAKMP:(2494):Sending NOTIFY RESPONDER_LIFETIME protocol 1
spi 2213332560, message ID = -1498503987
Oct 28 03:23:10.156: crypto_engine: Encrypt IKE packet
Oct 28 03:23:10.156: ISAKMP:(2494): sending packet to 212.170.173.253 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
Oct 28 03:23:10.156: ISAKMP:(2494):Sending an IKE IPv4 Packet.
Oct 28 03:23:10.156: ISAKMP:(2494):purging node -1498503987
Oct 28 03:23:10.156: ISAKMP: Sending phase 1 responder lifetime 3600

Oct 28 03:23:10.156: ISAKMP:(2494):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 28 03:23:10.156: ISAKMP:(2494):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

Oct 28 03:23:10.156: ISAKMP:(2493):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 212.170.173.253)
Oct 28 03:23:10.156: ISAKMP: Unlocking peer struct 0x832A0A80 for isadb_mark_sa_deleted(), count 1
Oct 28 03:23:10.160: crypto engine: deleting IKE SA SW:493
Oct 28 03:23:10.160: crypto_engine: Delete IKE SA
Oct 28 03:23:10.160: ISAKMP:(2493):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 28 03:23:10.160: ISAKMP:(2493):Old State = IKE_DEST_SA New State = IKE_DEST_SA

Oct 28 03:23:10.160: ISAKMP:(2494):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Oct 28 03:23:10.160: ISAKMP:(2494):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Oct 28 03:23:39.996: ISAKMP (0:0): received packet from 212.170.173.253 dport 500 sport 500 Global (N) NEW SA
Oct 28 03:23:39.996: ISAKMP: Created a peer struct for 212.170.173.253, peer port 500
Oct 28 03:23:39.996: ISAKMP: New peer created peer = 0x83AB1968 peer_handle = 0x80000306
Oct 28 03:23:39.996: ISAKMP: Locking peer struct 0x83AB1968, refcount 1 for crypto_isakmp_process_block
Oct 28 03:23:39.996: ISAKMP: local port 500, remote port 500
Oct 28 03:23:40.000: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 83ABDBFC
Oct 28 03:23:40.000: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 28 03:23:40.000: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

Oct 28 03:23:40.000: ISAKMP:(0): processing SA payload. message ID = 0
Oct 28 03:23:40.000: ISAKMP:(0): processing vendor id payload
Oct 28 03:23:40.000: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Oct 28 03:23:40.000: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Oct 28 03:23:40.000: ISAKMP:(0): processing vendor id payload
Oct 28 03:23:40.000: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Oct 28 03:23:40.000: ISAKMP (0:0): vendor ID is NAT-T v7
Oct 28 03:23:40.000: ISAKMP:(0): processing vendor id payload
Oct 28 03:23:40.000: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Oct 28 03:23:40.000: ISAKMP:(0): vendor ID is NAT-T v3
Oct 28 03:23:40.000: ISAKMP:(0): processing vendor id payload
Oct 28 03:23:40.000: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Oct 28 03:23:40.000: ISAKMP:(0): vendor ID is NAT-T v2
Oct 28 03:23:40.004: ISAKMP:(0):found peer pre-shared key matching 212.170.173.253
Oct 28 03:23:40.004: ISAKMP:(0): local preshared key found
Oct 28 03:23:40.004: ISAKMP : Scanning profiles for xauth ... MAD-BCN-ITL_VRF
Oct 28 03:23:40.004: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Oct 28 03:23:40.004: ISAKMP: encryption 3DES-CBC
Oct 28 03:23:40.004: ISAKMP: hash MD5
Oct 28 03:23:40.004: ISAKMP: default group 2
Oct 28 03:23:40.004: ISAKMP: auth pre-share
Oct 28 03:23:40.004: ISAKMP: life type in seconds
Oct 28 03:23:40.004: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Oct 28 03:23:40.004: ISAKMP:(0):atts are acceptable. Next payload is 3
Oct 28 03:23:40.004: ISAKMP:(0):Acceptable atts:actual life: 3600
Oct 28 03:23:40.004: ISAKMP:(0):Acceptable atts:life: 0
Oct 28 03:23:40.004: ISAKMP:(0):Fill atts in sa vpi_length:4
Oct 28 03:23:40.004: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Oct 28 03:23:40.004: ISAKMP:(0):Returning Actual lifetime: 3600
Oct 28 03:23:40.004: ISAKMP:(0)::Started lifetime timer: 3600.

Oct 28 03:23:40.004: ISAKMP:(0): processing vendor id payload
Oct 28 03:23:40.004: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Oct 28 03:23:40.004: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Oct 28 03:23:40.004: ISAKMP:(0): processing vendor id payload
Oct 28 03:23:40.004: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Oct 28 03:23:40.004: ISAKMP (0:0): vendor ID is NAT-T v7
Oct 28 03:23:40.004: ISAKMP:(0): processing vendor id payload
Oct 28 03:23:40.008: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Oct 28 03:23:40.008: ISAKMP:(0): vendor ID is NAT-T v3
Oct 28 03:23:40.008: ISAKMP:(0): processing vendor id payload
Oct 28 03:23:40.008: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Oct 28 03:23:40.008: ISAKMP:(0): vendor ID is NAT-T v2
Oct 28 03:23:40.008: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 28 03:23:40.008: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

Oct 28 03:23:40.008: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Oct 28 03:23:40.008: ISAKMP:(0): sending packet to 212.170.173.253 my_port 500 peer_port 500 (R) MM_SA_SETUP
Oct 28 03:23:40.008: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 28 03:23:40.008: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 28 03:23:40.008: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

Oct 28 03:23:40.028: ISAKMP (0:0): received packet from 212.170.173.253 dport 500 sport 500 Global (R) MM_SA_SETUP
Oct 28 03:23:40.028: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 28 03:23:40.028: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3

Oct 28 03:23:40.028: ISAKMP:(0): processing KE payload. message ID = 0
Oct 28 03:23:40.028: crypto_engine: Create DH shared secret
Oct 28 03:23:40.072: ISAKMP:(0): processing NONCE payload. message ID = 0
Oct 28 03:23:40.076: ISAKMP:(0):found peer pre-shared key matching 212.170.173.253
Oct 28 03:23:40.076: crypto_engine: Create IKE SA
Oct 28 03:23:40.076: crypto engine: deleting DH phase 2 SW:500
Oct 28 03:23:40.076: crypto_engine: Delete DH shared secret
Oct 28 03:23:40.076: ISAKMP:(2495): processing vendor id payload
Oct 28 03:23:40.076: ISAKMP:(2495): vendor ID is DPD
Oct 28 03:23:40.076: ISAKMP:(2495): processing vendor id payload
Oct 28 03:23:40.076: ISAKMP:(2495): speaking to another IOS box!
Oct 28 03:23:40.076: ISAKMP:(2495): processing vendor id payload
Oct 28 03:23:40.076: ISAKMP:(2495): vendor ID seems Unity/DPD but major 69 mismatch
Oct 28 03:23:40.076: ISAKMP:(2495): vendor ID is XAUTH
Oct 28 03:23:40.076: ISAKMP:received payload type 20
Oct 28 03:23:40.076: ISAKMP (0:2495): NAT found, the node inside NAT
Oct 28 03:23:40.076: ISAKMP:received payload type 20
Oct 28 03:23:40.076: ISAKMP:(2495):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 28 03:23:40.076: ISAKMP:(2495):Old State = IKE_R_MM3 New State = IKE_R_MM3

Oct 28 03:23:40.080: ISAKMP:(2495): sending packet to 212.170.173.253 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Oct 28 03:23:40.080: ISAKMP:(2495):Sending an IKE IPv4 Packet.
Oct 28 03:23:40.080: ISAKMP:(2495):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 28 03:23:40.080: ISAKMP:(2495):Old State = IKE_R_MM3 New State = IKE_R_MM4

Oct 28 03:23:40.124: ISAKMP (0:2495): received packet from 212.170.173.253 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
Oct 28 03:23:40.124: crypto_engine: Decrypt IKE packet
Oct 28 03:23:40.124: ISAKMP:(2495):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 28 03:23:40.124: ISAKMP:(2495):Old State = IKE_R_MM4 New State = IKE_R_MM5

Oct 28 03:23:40.124: ISAKMP:(2495): processing ID payload. message ID = 0
Oct 28 03:23:40.124: ISAKMP (0:2495): ID payload
next-payload : 8
type : 1
address : 212.170.173.253
protocol : 17
port : 0
length : 12
Oct 28 03:23:40.124: ISAKMP:(0):: peer matches MAD-BCN-ITL_VRF profile
Oct 28 03:23:40.124: ISAKMP:(2495):Found ADDRESS key in keyring MAD-BCN
Oct 28 03:23:40.124: ISAKMP:(2495): processing HASH payload. message ID = 0
Oct 28 03:23:40.124: crypto_engine: Generate IKE hash
Oct 28 03:23:40.124: ISAKMP:(2495): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 83ABDBFC
Oct 28 03:23:40.128: ISAKMP:(2495):SA authentication status:
authenticated
Oct 28 03:23:40.128: ISAKMP:(2495):SA has been authenticated with 212.170.173.253
Oct 28 03:23:40.128: ISAKMP:(2495):Detected port floating to port = 4500
Oct 28 03:23:40.128: ISAKMP: Trying to find existing peer 10.219.219.2/212.170.173.253/4500/ and found existing peer 832A0A80 to reuse, free 83AB1968
Oct 28 03:23:40.128: ISAKMP: Unlocking peer struct 0x83AB1968 Reuse existing peer, count 0
Oct 28 03:23:40.128: ISAKMP: Deleting peer node by peer_reap for 212.170.173.253: 83AB1968
Oct 28 03:23:40.128: ISAKMP: Locking peer struct 0x832A0A80, refcount 2 for Reuse existing peer
Oct 28 03:23:40.128: ISAKMP:(2495):SA authentication status:
authenticated
Oct 28 03:23:40.128: ISAKMP:(2495): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.219.219.2 remote 212.170.173.253 remote port 4500
Oct 28 03:23:40.128: ISAKMP:(2494):received initial contact, deleting SA
Oct 28 03:23:40.128: ISAKMP:(2494):peer does not do paranoid keepalives.

Oct 28 03:23:40.128: ISAKMP:(2494):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 212.170.173.253)
Oct 28 03:23:40.128: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
Oct 28 03:23:40.128: ISAKMP:(2495):Setting UDP ENC peer struct 0x0 sa= 0x83ABDBFC
Oct 28 03:23:40.128: ISAKMP:(2495):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 28 03:23:40.128: ISAKMP:(2495):Old State = IKE_R_MM5 New State = IKE_R_MM5

Oct 28 03:23:40.132: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Oct 28 03:23:40.132: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Oct 28 03:23:40.132: ISAKMP: set new node -985841793 to QM_IDLE
Oct 28 03:23:40.132: crypto_engine: Generate IKE hash
Oct 28 03:23:40.132: crypto_engine: Encrypt IKE packet
Oct 28 03:23:40.132: ISAKMP:(2494): sending packet to 212.170.173.253 my_port 4500 peer_port 4500 (R) QM_IDLE
Oct 28 03:23:40.132: ISAKMP:(2494):Sending an IKE IPv4 Packet.
Oct 28 03:23:40.132: ISAKMP:(2494):purging node -985841793
Oct 28 03:23:40.132: ISAKMP:(2494):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Oct 28 03:23:40.132: ISAKMP:(2494):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

Oct 28 03:23:40.136: ISAKMP:(2495):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Oct 28 03:23:40.136: ISAKMP (0:2495): ID payload
next-payload : 8
type : 1
address : 10.219.219.2
protocol : 17
port : 0
length : 12
Oct 28 03:23:40.136: ISAKMP:(2495):Total payload length: 12
Oct 28 03:23:40.136: crypto_engine: Generate IKE hash
Oct 28 03:23:40.136: crypto_engine: Encrypt IKE packet
Oct 28 03:23:40.136: ISAKMP:(2495): sending packet to 212.170.173.253 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
Oct 28 03:23:40.136: ISAKMP:(2495):Sending an IKE IPv4 Packet.
Oct 28 03:23:40.136: ISAKMP:(2495):Returning Actual lifetime: 3600
Oct 28 03:23:40.136: ISAKMP: set new node 893648941 to QM_IDLE
Oct 28 03:23:40.136: crypto_engine: Generate IKE hash
Oct 28 03:23:40.140: ISAKMP:(2495):Sending NOTIFY RESPONDER_LIFETIME protocol 1
spi 2213332560, message ID = 893648941
Oct 28 03:23:40.140: crypto_engine: Encrypt IKE packet
Oct 28 03:23:40.140: ISAKMP:(2495): sending packet to 212.170.173.253 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
Oct 28 03:23:40.140: ISAKMP:(2495):Sending an IKE IPv4 Packet.
Oct 28 03:23:40.140: ISAKMP:(2495):purging node 893648941
Oct 28 03:23:40.140: ISAKMP: Sending phase 1 responder lifetime 3600

Oct 28 03:23:40.140: ISAKMP:(2495):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 28 03:23:40.140: ISAKMP:(2495):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

Oct 28 03:23:40.140: ISAKMP:(2494):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 212.170.173.253)
Oct 28 03:23:40.140: ISAKMP: Unlocking peer struct 0x832A0A80 for isadb_mark_sa_deleted(), count 1
Oct 28 03:23:40.140: crypto engine: deleting IKE SA SW:494
Oct 28 03:23:40.144: crypto_engine: Delete IKE SA
Oct 28 03:23:40.144: ISAKMP:(2494):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 28 03:23:40.144: ISAKMP:(2494):Old State = IKE_DEST_SA New State = IKE_DEST_SA

Oct 28 03:23:40.144: ISAKMP:(2492):purging SA., sa=84BE08FC, delme=84BE08FC
Oct 28 03:23:40.144: ISAKMP:(2495):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Oct 28 03:23:40.144: ISAKMP:(2495):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Oct 28 03:24:10.163: ISAKMP:(2493):purging SA., sa=84BEB4C0, delme=84BEB4C0
Oct 28 03:24:15.004: ISAKMP (0:0): received packet from 212.170.173.253 dport 500 sport 500 Global (N) NEW SA
Oct 28 03:24:15.004: ISAKMP: Created a peer struct for 212.170.173.253, peer port 500
Oct 28 03:24:15.004: ISAKMP: New peer created peer = 0x83AB1968 peer_handle = 0x80000308
Oct 28 03:24:15.004: ISAKMP: Locking peer struct 0x83AB1968, refcount 1 for crypto_isakmp_process_block
Oct 28 03:24:15.004: ISAKMP: local port 500, remote port 500
Oct 28 03:24:15.004: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 83AE20B8
Oct 28 03:24:15.004: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 28 03:24:15.004: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

Oct 28 03:24:15.004: ISAKMP:(0): processing SA payload. message ID = 0
Oct 28 03:24:15.004: ISAKMP:(0): processing vendor id payload
Oct 28 03:24:15.008: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Oct 28 03:24:15.008: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Oct 28 03:24:15.008: ISAKMP:(0): processing vendor id payload
Oct 28 03:24:15.008: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Oct 28 03:24:15.008: ISAKMP (0:0): vendor ID is NAT-T v7
Oct 28 03:24:15.008: ISAKMP:(0): processing vendor id payload
Oct 28 03:24:15.008: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Oct 28 03:24:15.008: ISAKMP:(0): vendor ID is NAT-T v3
Oct 28 03:24:15.008: ISAKMP:(0): processing vendor id payload
Oct 28 03:24:15.008: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Oct 28 03:24:15.008: ISAKMP:(0): vendor ID is NAT-T v2
Oct 28 03:24:15.008: ISAKMP:(0):found peer pre-shared key matching 212.170.173.253
Oct 28 03:24:15.008: ISAKMP:(0): local preshared key found
Oct 28 03:24:15.008: ISAKMP : Scanning profiles for xauth ... MAD-BCN-ITL_VRF
Oct 28 03:24:15.008: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Oct 28 03:24:15.008: ISAKMP: encryption 3DES-CBC
Oct 28 03:24:15.008: ISAKMP: hash MD5
Oct 28 03:24:15.008: ISAKMP: default group 2
Oct 28 03:24:15.008: ISAKMP: auth pre-share
Oct 28 03:24:15.008: ISAKMP: life type in seconds
Oct 28 03:24:15.008: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Oct 28 03:24:15.012: ISAKMP:(0):atts are acceptable. Next payload is 3
Oct 28 03:24:15.012: ISAKMP:(0):Acceptable atts:actual life: 3600
Oct 28 03:24:15.012: ISAKMP:(0):Acceptable atts:life: 0
Oct 28 03:24:15.012: ISAKMP:(0):Fill atts in sa vpi_length:4
Oct 28 03:24:15.012: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Oct 28 03:24:15.012: ISAKMP:(0):Returning Actual lifetime: 3600
Oct 28 03:24:15.012: ISAKMP:(0)::Started lifetime timer: 3600.

Oct 28 03:24:15.012: ISAKMP:(0): processing vendor id payload
Oct 28 03:24:15.012: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Oct 28 03:24:15.012: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Oct 28 03:24:15.012: ISAKMP:(0): processing vendor id payload
Oct 28 03:24:15.012: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Oct 28 03:24:15.012: ISAKMP (0:0): vendor ID is NAT-T v7
Oct 28 03:24:15.012: ISAKMP:(0): processing vendor id payload
Oct 28 03:24:15.012: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Oct 28 03:24:15.012: ISAKMP:(0): vendor ID is NAT-T v3
Oct 28 03:24:15.012: ISAKMP:(0): processing vendor id payload
Oct 28 03:24:15.012: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Oct 28 03:24:15.012: ISAKMP:(0): vendor ID is NAT-T v2
Oct 28 03:24:15.012: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 28 03:24:15.012: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

Oct 28 03:24:15.016: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Oct 28 03:24:15.016: ISAKMP:(0): sending packet to 212.170.173.253 my_port 500 peer_port 500 (R) MM_SA_SETUP
Oct 28 03:24:15.016: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 28 03:24:15.016: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 28 03:24:15.016: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

Oct 28 03:24:15.036: ISAKMP (0:0): received packet from 212.170.173.253 dport 500 sport 500 Global (R) MM_SA_SETUP
Oct 28 03:24:15.036: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 28 03:24:15.036: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3

Oct 28 03:24:15.036: ISAKMP:(0): processing KE payload. message ID = 0
Oct 28 03:24:15.036: crypto_engine: Create DH shared secret
Oct 28 03:24:15.080: ISAKMP:(0): processing NONCE payload. message ID = 0
Oct 28 03:24:15.080: ISAKMP:(0):found peer pre-shared key matching 212.170.173.253
Oct 28 03:24:15.080: crypto_engine: Create IKE SA
Oct 28 03:24:15.084: crypto engine: deleting DH phase 2 SW:501
Oct 28 03:24:15.084: crypto_engine: Delete DH shared secret
Oct 28 03:24:15.084: ISAKMP:(2496): processing vendor id payload
Oct 28 03:24:15.084: ISAKMP:(2496): vendor ID is DPD
Oct 28 03:24:15.084: ISAKMP:(2496): processing vendor id payload
Oct 28 03:24:15.084: ISAKMP:(2496): speaking to another IOS box!
Oct 28 03:24:15.084: ISAKMP:(2496): processing vendor id payload
Oct 28 03:24:15.084: ISAKMP:(2496): vendor ID seems Unity/DPD but major 174 mismatch
Oct 28 03:24:15.084: ISAKMP:(2496): vendor ID is XAUTH
Oct 28 03:24:15.084: ISAKMP:received payload type 20
Oct 28 03:24:15.084: ISAKMP (0:2496): NAT found, the node inside NAT
Oct 28 03:24:15.084: ISAKMP:received payload type 20
Oct 28 03:24:15.084: ISAKMP:(2496):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 28 03:24:15.084: ISAKMP:(2496):Old State = IKE_R_MM3 New State = IKE_R_MM3

Oct 28 03:24:15.084: ISAKMP:(2496): sending packet to 212.170.173.253 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Oct 28 03:24:15.088: ISAKMP:(2496):Sending an IKE IPv4 Packet.
Oct 28 03:24:15.088: ISAKMP:(2496):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 28 03:24:15.088: ISAKMP:(2496):Old State = IKE_R_MM3 New State = IKE_R_MM4

Oct 28 03:24:15.128: ISAKMP (0:2496): received packet from 212.170.173.253 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
Oct 28 03:24:15.128: crypto_engine: Decrypt IKE packet
Oct 28 03:24:15.128: ISAKMP:(2496):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 28 03:24:15.128: ISAKMP:(2496):Old State = IKE_R_MM4 New State = IKE_R_MM5

Oct 28 03:24:15.132: ISAKMP:(2496): processing ID payload. message ID = 0
Oct 28 03:24:15.132: ISAKMP (0:2496): ID payload
next-payload : 8
type : 1
address : 212.170.173.253
protocol : 17
port : 0
length : 12
Oct 28 03:24:15.132: ISAKMP:(0):: peer matches MAD-BCN-ITL_VRF profile
Oct 28 03:24:15.132: ISAKMP:(2496):Found ADDRESS key in keyring MAD-BCN
Oct 28 03:24:15.132: ISAKMP:(2496): processing HASH payload. message ID = 0
Oct 28 03:24:15.132: crypto_engine: Generate IKE hash
Oct 28 03:24:15.132: ISAKMP:(2496): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 83AE20B8
Oct 28 03:24:15.132: ISAKMP:(2496):SA authentication status:
authenticated
Oct 28 03:24:15.132: ISAKMP:(2496):SA has been authenticated with 212.170.173.253
Oct 28 03:24:15.132: ISAKMP:(2496):Detected port floating to port = 4500
Oct 28 03:24:15.132: ISAKMP: Trying to find existing peer 10.219.219.2/212.170.173.253/4500/ and found existing peer 832A0A80 to reuse, free 83AB1968
Oct 28 03:24:15.132: ISAKMP: Unlocking peer struct 0x83AB1968 Reuse existing peer, count 0
Oct 28 03:24:15.132: ISAKMP: Deleting peer node by peer_reap for 212.170.173.253: 83AB1968
Oct 28 03:24:15.132: ISAKMP: Locking peer struct 0x832A0A80, refcount 2 for Reuse existing peer
Oct 28 03:24:15.132: ISAKMP:(2496):SA authentication status:
authenticated
Oct 28 03:24:15.132: ISAKMP:(2496): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.219.219.2 remote 212.170.173.253 remote port 4500
Oct 28 03:24:15.136: ISAKMP:(2495):received initial contact, deleting SA
Oct 28 03:24:15.136: ISAKMP:(2495):peer does not do paranoid keepalives.

Oct 28 03:24:15.136: ISAKMP:(2495):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 212.170.173.253)
Oct 28 03:24:15.136: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
Oct 28 03:24:15.136: ISAKMP:(2496):Setting UDP ENC peer struct 0x0 sa= 0x83AE20B8
Oct 28 03:24:15.136: ISAKMP:(2496):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 28 03:24:15.136: ISAKMP:(2496):Old State = IKE_R_MM5 New State = IKE_R_MM5

Oct 28 03:24:15.136: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Oct 28 03:24:15.136: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Oct 28 03:24:15.136: ISAKMP: set new node 1526978771 to QM_IDLE
Oct 28 03:24:15.136: crypto_engine: Generate IKE hash
Oct 28 03:24:15.136: crypto_engine: Encrypt IKE packet
Oct 28 03:24:15.140: ISAKMP:(2495): sending packet to 212.170.173.253 my_port 4500 peer_port 4500 (R) QM_IDLE
Oct 28 03:24:15.140: ISAKMP:(2495):Sending an IKE IPv4 Packet.
Oct 28 03:24:15.140: ISAKMP:(2495):purging node 1526978771
Oct 28 03:24:15.140: ISAKMP:(2495):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Oct 28 03:24:15.140: ISAKMP:(2495):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

Oct 28 03:24:15.140: ISAKMP:(2496):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Oct 28 03:24:15.140: ISAKMP (0:2496): ID payload
next-payload : 8
type : 1
address : 10.219.219.2
protocol : 17
port : 0
length : 12
Oct 28 03:24:15.140: ISAKMP:(2496):Total payload length: 12
Oct 28 03:24:15.140: crypto_engine: Generate IKE hash
Oct 28 03:24:15.140: crypto_engine: Encrypt IKE packet
Oct 28 03:24:15.144: ISAKMP:(2496): sending packet to 212.170.173.253 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
Oct 28 03:24:15.144: ISAKMP:(2496):Sending an IKE IPv4 Packet.
Oct 28 03:24:15.144: ISAKMP:(2496):Returning Actual lifetime: 3600
Oct 28 03:24:15.144: ISAKMP: set new node -105946210 to QM_IDLE
Oct 28 03:24:15.144: crypto_engine: Generate IKE hash
Oct 28 03:24:15.144: ISAKMP:(2496):Sending NOTIFY RESPONDER_LIFETIME protocol 1
spi 2213332560, message ID = -105946210
Oct 28 03:24:15.144: crypto_engine: Encrypt IKE packet
Oct 28 03:24:15.144: ISAKMP:(2496): sending packet to 212.170.173.253 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
Oct 28 03:24:15.144: ISAKMP:(2496):Sending an IKE IPv4 Packet.
Oct 28 03:24:15.144: ISAKMP:(2496):purging node -105946210
Oct 28 03:24:15.144: ISAKMP: Sending phase 1 responder lifetime 3600

Oct 28 03:24:15.144: ISAKMP:(2496):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 28 03:24:15.148: ISAKMP:(2496):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

Oct 28 03:24:15.148: ISAKMP:(2495):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 212.170.173.253)
Oct 28 03:24:15.148: ISAKMP: Unlocking peer struct 0x832A0A80 for isadb_mark_sa_deleted(), count 1
Oct 28 03:24:15.148: crypto engine: deleting IKE SA SW:495
Oct 28 03:24:15.148: crypto_engine: Delete IKE SA
Oct 28 03:24:15.148: ISAKMP:(2495):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 28 03:24:15.148: ISAKMP:(2495):Old State = IKE_DEST_SA New State = IKE_DEST_SA

Oct 28 03:24:15.148: ISAKMP:(2496):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Oct 28 03:24:15.148: ISAKMP:(2496):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Please, I need help to resolve this problem.

Br,

Fidel Gonzalez


AllertGen
Level 3

Hello.

Could you try "mode tunnel" in the transform set?

Also, if your tunnel interfaces use a site-to-site VPN, then you need to change the MTU.

Best Regards.

Hi AllertGen, 

Thanks for the info. I am going to make this modification and I will inform you.

Thank you,

Br,

Fidel Gonzalez

Hi AllertGen,

I changed the transport mode to tunnel mode and the problem persists. It looks like a problem in phase 2. I tried to modify the access-list but it is not working.

In the access-list on the router that has the NAT, I am using the private IP. Is this correct? I have even used the public IP and it does not work.

Attached is the log after the modification.

Br,

Fidel Gonzalez

OK, I think the problem could be at this point: match address ACL-VPN-ITL_VRF. To be more precise, the problem is in the ACL. Site-to-site VPN means that it sends traffic between networks, and you define the networks in the ACL.

It works like this: if traffic (the source and destination of the packet) matches a condition of the ACL, it should be sent through the VPN. But you are using your external IP addresses, so your internal traffic never hits the match rule.

And I don't see the destination addresses of your tunnel interfaces, but I can guess that you want to establish them through this site-to-site VPN. In this case it's better to look at the IPSec over GRE solution.

PS: You have also mixed a few site-to-site VPN solutions into one configuration.

Best Regards.

Hi,

I have specified the remote local network in the access list. Now I have ping, but the traffic is not encrypted; the tunnel interface is giving me access, not the VPN.

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.254.0/255.255.255.0/0/0)
current_peer 212.170.173.253 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.219.219.2, remote crypto endpt.: 212.170.173.253
path mtu 1500, ip mtu 1500, ip mtu idb Vlan19
current outbound spi: 0x0(0)

Br,

Fidel Gonzalez

You should use GRE (tunnel) or site-to-site VPN. GRE works before the crypto map (because you're using the IP of the other site's GRE tunnel as the next-hop address). GRE changes the IP header of the packet, so it doesn't hit the match rules.

So if you don't use protocols that need broadcast or multicast (like EIGRP, OSPF, etc.), then you can use site-to-site VPN. If you need GRE, then look at this example: https://learningnetwork.cisco.com/docs/DOC-2457

If you need another example, try searching for GRE over IPSec. But the important point: for NAT traffic, use the ESP protocol and tunnel mode. Without NAT you can use any solution.

Best Regards.
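
The order of operations described in the replies above (tunnel encapsulation first, crypto map ACL check second), modelled as an added example that is not part of the thread and not Cisco code. It shows why the `#pkts encaps` counters stay at 0 when the crypto ACL lists the LAN networks while the traffic is routed through Tunnel1. Assumptions: the tunnel destination, which the thread masks as x.x.x.x, is replaced by the placeholder 203.0.113.10, and the two LAN host addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "icmp", "ipip", ...


@dataclass(frozen=True)
class AclEntry:
    """One 'permit ip <src> <dst>' line of a crypto ACL, in CIDR form."""
    src: str
    dst: str

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst))


TUNNEL_SRC = "10.219.219.2"   # Vlan19 address, the tunnel source in the thread
TUNNEL_DST = "203.0.113.10"   # placeholder: the thread masks this as x.x.x.x

# Crypto ACL built from the idents in the "show crypto ipsec sa" output.
LAN_ACL = [AclEntry("192.168.1.0/24", "192.168.254.0/24")]
# Crypto ACL that names the tunnel endpoints instead (outer header).
ENDPOINT_ACL = [AclEntry(TUNNEL_SRC + "/32", TUNNEL_DST + "/32")]


def egress(pkt: Packet, crypto_acl, via_tunnel: bool):
    """Return (packet seen by the crypto map on Vlan19, encrypted?)."""
    if via_tunnel:
        # Tunnel1 ("tunnel mode ipip") wraps the packet before it reaches
        # Vlan19, so the crypto map only sees the outer header.
        pkt = Packet(TUNNEL_SRC, TUNNEL_DST, "ipip")
    encrypted = any(entry.matches(pkt) for entry in crypto_acl)
    return pkt, encrypted


def scenarios():
    # Constructed LAN-to-LAN ping between the two sites.
    ping = Packet("192.168.1.10", "192.168.254.10", "icmp")
    return {
        "tunnel + LAN ACL": egress(ping, LAN_ACL, True)[1],
        "tunnel + endpoint ACL": egress(ping, ENDPOINT_ACL, True)[1],
        "no tunnel + LAN ACL": egress(ping, LAN_ACL, False)[1],
        "no tunnel + endpoint ACL": egress(ping, ENDPOINT_ACL, False)[1],
    }


if __name__ == "__main__":
    for name, encrypted in scenarios().items():
        print(f"{name:26s} -> {'encrypted' if encrypted else 'sent in clear'}")
```

The first scenario is the state shown in the last `show crypto ipsec sa` output: ping works through the tunnel interface, but nothing matches the crypto ACL, so nothing is encrypted.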