on 11-01-2010 06:25 AM
The output of the debug crypto isakmp command is very verbose, so I've omitted some of it.
[IKEv1 DEBUG]: IP = 192.1.1.40, processing SA payload (1)
[IKEv1 DEBUG]: IP = 192.1.1.40, Oakley proposal is acceptable
output omitted
[IKEv1 DEBUG]: IP = 192.1.1.40, Received NAT-Traversal ver 03 VID (2)
output omitted
[IKEv1 DEBUG]: IP = 192.1.1.40, processing IKE SA (3)
[IKEv1 DEBUG]: IP = 192.1.1.40, IKE SA Proposal # 1, (4)
Transform # 1 acceptable Matches global IKE entry # 2
[IKEv1 DEBUG]: IP = 192.1.1.40, constructing ISA_SA for isakmp (5)
output omitted
[IKEv1 DEBUG]: IP = 192.1.1.40, processing ke payload
[IKEv1 DEBUG]: IP = 192.1.1.40, processing ISA_KE
[IKEv1 DEBUG]: IP = 192.1.1.40, processing nonce payload
[IKEv1 DEBUG]: IP = 192.1.1.40, processing VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Received Cisco Unity client VID
[IKEv1 DEBUG]: IP = 192.1.1.40, processing VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Received DPD VID
[IKEv1 DEBUG]: IP = 192.1.1.40, processing VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Processing IOS/PIX Vendor ID payload
(version: 1.0.0, capabilities: 0000077f)
[IKEv1 DEBUG]: IP = 192.1.1.40, processing VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Received xauth V6 VID
[IKEv1 DEBUG]: IP = 192.1.1.40, constructing ke payload
[IKEv1 DEBUG]: IP = 192.1.1.40, constructing nonce payload
[IKEv1 DEBUG]: IP = 192.1.1.40, constructing Cisco Unity VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, constructing xauth V6 VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Send IOS VID
[IKEv1 DEBUG]: IP = 192.1.1.40, Constructing ASA spoofing IOS Vendor
ID payload (version: 1.0.0, capabilities: 20000001)
[IKEv1 DEBUG]: IP = 192.1.1.40, constructing VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Send Altiga/Cisco
VPN3000/Cisco ASA GW VID
[IKEv1]: IP = 192.1.1.40, Connection landed on tunnel_group (6)
192.1.1.40
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Generating keys
for Responder...
[IKEv1]: IP = 192.1.1.40, IKE DECODE SENDING Message (msgid=0) with
payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13)
+ VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
[IKEv1]: IP = 192.1.1.40, IKE DECODE RECEIVED Message (msgid=0) with
payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (14) +
NOTIFY (11) + NONE (0) total length : 112
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Processing ID (7)
[IKEv1 DECODE]: ID_IPV4_ADDR ID received 192.1.1.40
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, processing hash
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, computing hash
[IKEv1 DEBUG]: IP = 192.1.1.40, Processing IOS keep alive payload:
proposal=30/10 sec.
[IKEv1 DEBUG]: IP = 192.1.1.40, Starting IOS keepalive monitor:
80 sec.
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Processing
Notify payload
[IKEv1]: IP = 192.1.1.40, Connection landed on tunnel_group
192.1.1.40
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, constructing ID
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, construct hash
payload
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, computing hash
[IKEv1 DEBUG]: IP = 192.1.1.40, Constructing IOS keep alive (8)
payload: proposal=32767/32767 sec.
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40,
constructing dpd vid payload
output omitted
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, PHASE 1 COMPLETED (9)
[IKEv1]: IP = 192.1.1.40, Keep-alive type for this connection: DPD
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Starting
phase 1 rekey timer: 82080000 (ms)
[IKEv1 DECODE]: IP = 192.1.1.40, IKE Responder starting QM:
msg id = 4a9a7c8b
[IKEv1]: IP = 192.1.1.40, IKE DECODE RECEIVED Message (10)
(msgid=4a9a7c8b) with payloads : HDR + HASH (8) + SA (1) +
NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172
output omitted
[IKEv1 DECODE]: ID_IPV4_ADDR_SUBNET ID received-- (11)
192.168.0.0--255.255.255.0
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Received remote IP
Proxy Subnet data in ID Payload: Address 192.168.0.0,
Mask 255.255.255.0, Protocol 0, Port 0
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Processing ID
[IKEv1 DECODE]: ID_IPV4_ADDR_SUBNET ID received--
192.168.2.0--255.255.255.0
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Received local IP Proxy
Subnet data in ID Payload: Address 192.168.2.0,
Mask 255.255.255.0, Protocol 0, Port 0
[IKEv1]: QM IsRekeyed old sa not found by addr
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Static Crypto Map (12)
check, checking map = mymap, seq = 10...
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Static Crypto Map
check, map mymap, seq = 10 is a successful match
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, IKE Remote Peer
configured for SA: mymap
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, processing IPSEC SA
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, IPsec SA (13)
Proposal # 1, Transform # 1 acceptable Matches global IPsec
SA entry # 10
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, IKE: requesting SPI!
[IKEv1 DEBUG]: IKE got SPI from key engine: SPI = 0xcc3dcb5a
output omitted
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Transmitting (14)
Proxy Id: Remote subnet: 192.168.0.0 Mask 255.255.255.0
Protocol 0 Port 0 Local subnet: 192.168.2.0
mask 255.255.255.0 Protocol 0 Port 0
output omitted
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, loading all (15)
IPSEC SAs
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Generating
Quick Mode Key!
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Generating
Quick Mode Key!
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Security (16)
negotiation complete for LAN-to-LAN Group (192.1.1.40)
Responder, Inbound SPI = 0xcc3dcb5a, Outbound SPI = 0x382e1cb2
[IKEv1 DEBUG]: IKE got a KEY_ADD msg for SA: SPI = 0x382e1cb2
[IKEv1 DEBUG]: pitcher: rcv KEY_UPDATE, spi 0xcc3dcb5a
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Starting P2 Rekey timer
to expire in 3420 seconds
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, PHASE 2 COMPLETED (17)
(msgid=4a9a7c8b)
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Sending (18)
keep-alive of type DPD R-U-THERE (seq number 0x3252ed2c)
Here's a brief description of the debugs:
1. Main mode exchange is beginning; no policies have been shared yet and the peers are still in MM_NO_STATE.
2. The remote peer is testing for the use of NAT-T.
3. The comparison of ISAKMP/IKE policies begins here.
4. This message indicates that a matching policy has been found.
5. The management connection is being built.
6. The peer is associated with the "192.1.1.40" L2L tunnel group and the encryption and hash keys are being generated.
7. This is where authentication begins with pre-shared keys: remember that authentication occurs on both peers, and thus you'll see two sets of corresponding authentication processes.
8. DPD is being negotiated.
9. Phase 1 is complete.
10. Phase 2 (quick mode) begins.
11. The remote subnet (192.168.0.0/24) is received and compared to the local subnet (192.168.2.0/24).
12. A matching static crypto entry is looked for and found.
13. The appliance finds a matching data transform for the data connections.
14. A check is performed for mirrored crypto ACLs.
15. Keys are generated for the data SAs.
16. SPIs are assigned to the data SAs.
17. Phase 2 completes.
18. A DPD keepalive is being sent to the remote peer on the management connection.
References:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
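As an added example (not part of the original post and not a Cisco tool), here is a small Python checker that walks ASA `debug crypto isakmp` lines of the shape shown above and reports, per peer, the last negotiation milestone reached and the first expected one that never appeared. The milestone regexes are modelled on the lines in the post; the `HINTS` table mapping each missing milestone to the configuration area to inspect is the example author's own rule of thumb; and both sample captures are constructed (lines unwrapped, annotation numbers removed, and a second peer 192.1.1.50 invented for the failure case).

```python
import re
from collections import defaultdict

# Milestones of an IKEv1 responder negotiation, in the order they appear in the
# ASA "debug crypto isakmp" output quoted above. The regexes are written
# against the message text that follows "IP = <peer>," on each line.
MILESTONES = [
    ("ike_proposal_matched",
     re.compile(r"Transform # \d+ acceptable Matches global IKE entry # (?P<ike_entry>\d+)")),
    ("tunnel_group_landed",
     re.compile(r"Connection landed on tunnel_group (?P<tunnel_group>\S+)")),
    ("phase1_completed", re.compile(r"PHASE 1 COMPLETED")),
    ("quick_mode_started",
     re.compile(r"starting QM: msg id = (?P<qm_msgid>[0-9a-fA-F]+)")),
    ("crypto_map_matched",
     re.compile(r"map (?P<crypto_map>\S+), seq = (?P<seq>\d+) is a successful match")),
    ("ipsec_proposal_matched",
     re.compile(r"Matches global IPsec\s*SA entry # (?P<ipsec_entry>\d+)")),
    ("spis_assigned",
     re.compile(r"Inbound SPI = (?P<inbound_spi>0x[0-9a-fA-F]+), "
                r"Outbound SPI = (?P<outbound_spi>0x[0-9a-fA-F]+)")),
    ("phase2_completed", re.compile(r"PHASE 2 COMPLETED")),
]

# Where to look when a milestone is never reached. This mapping is the example
# author's own troubleshooting rule of thumb, not text produced by the ASA.
HINTS = {
    "ike_proposal_matched": "no Phase 1 policy matched: compare crypto isakmp policy on both peers",
    "tunnel_group_landed": "peer not mapped to a tunnel-group: check the L2L tunnel-group name",
    "phase1_completed": "Phase 1 did not finish: check the pre-shared key / authentication settings",
    "quick_mode_started": "peer never started Quick Mode",
    "crypto_map_matched": "no crypto map entry matched: check the peer address and crypto ACL",
    "ipsec_proposal_matched": "no transform set matched: compare the Phase 2 proposals",
    "spis_assigned": "SPIs were not assigned to the data SAs",
    "phase2_completed": "Phase 2 did not finish",
}

# Each debug line begins with a bracketed tag, an optional "Group = <name>,"
# and "IP = <peer>,"; all state is keyed by the peer IP.
LINE_RE = re.compile(
    r"^\[IKEv1[^\]]*\]:\s*(?:Group = [^,]+,\s*)?IP = (?P<peer>[\d.]+),\s*(?P<msg>.*)$")


def parse_debug(text):
    """Return {peer_ip: {"reached": [milestones in order seen], "details": {...}}}."""
    peers = defaultdict(lambda: {"reached": [], "details": {}})
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # key-engine and DECODE lines without a peer IP are ignored
        state = peers[m.group("peer")]
        for name, pattern in MILESTONES:
            hit = pattern.search(m.group("msg"))
            if hit:
                if name not in state["reached"]:
                    state["reached"].append(name)
                state["details"].update(hit.groupdict())
    return dict(peers)


def diagnose(text):
    """Per peer: the first expected milestone that never appeared (None if the
    tunnel came up), a hint for it, and the identifiers that were negotiated."""
    report = {}
    for peer, state in parse_debug(text).items():
        missing = [name for name, _ in MILESTONES if name not in state["reached"]]
        stalled = missing[0] if missing else None
        report[peer] = {
            "stalled_before": stalled,
            "hint": HINTS[stalled] if stalled else "tunnel established",
            "tunnel_group": state["details"].get("tunnel_group"),
            "crypto_map": state["details"].get("crypto_map"),
            "inbound_spi": state["details"].get("inbound_spi"),
            "outbound_spi": state["details"].get("outbound_spi"),
        }
    return report


# Constructed sample in the shape of the post's output (lines unwrapped,
# annotation numbers removed); not a capture from a real device.
SAMPLE_SUCCESS = """\
[IKEv1 DEBUG]: IP = 192.1.1.40, processing SA payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Oakley proposal is acceptable
[IKEv1 DEBUG]: IP = 192.1.1.40, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2
[IKEv1]: IP = 192.1.1.40, Connection landed on tunnel_group 192.1.1.40
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, PHASE 1 COMPLETED
[IKEv1 DECODE]: IP = 192.1.1.40, IKE Responder starting QM: msg id = 4a9a7c8b
[IKEv1]: QM IsRekeyed old sa not found by addr
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Static Crypto Map check, map mymap, seq = 10 is a successful match
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, IPsec SA Proposal # 1, Transform # 1 acceptable Matches global IPsec SA entry # 10
[IKEv1 DEBUG]: IKE got SPI from key engine: SPI = 0xcc3dcb5a
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Security negotiation complete for LAN-to-LAN Group (192.1.1.40) Responder, Inbound SPI = 0xcc3dcb5a, Outbound SPI = 0x382e1cb2
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, PHASE 2 COMPLETED (msgid=4a9a7c8b)
"""

# Constructed failure case: an invented second peer (192.1.1.50) that lands on
# its tunnel group but never reports PHASE 1 COMPLETED.
SAMPLE_STALLED = """\
[IKEv1 DEBUG]: IP = 192.1.1.50, Oakley proposal is acceptable
[IKEv1 DEBUG]: IP = 192.1.1.50, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2
[IKEv1]: IP = 192.1.1.50, Connection landed on tunnel_group 192.1.1.50
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SUCCESS, SAMPLE_STALLED):
        for peer, info in diagnose(sample).items():
            print(peer, info)
```

Run it against a saved terminal capture of the debug (one debug message per line) and the report tells you, per peer, whether the tunnel came up and, if not, which of the numbered steps above it stopped at, so you know whether to compare Phase 1 policies, the tunnel-group, the crypto map and ACLs, or the transform sets.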