Saturday, October 11, 2014

ASA 5525-X Reload and VPN Software Bug

I was recently configuring and troubleshooting an IPsec Site-to-Site (IKEv1) VPN between our newly installed ASA 5525-X (my third ASA this year) and our core ASA 5520 firewalls. I was making some changes to it and wanted to quickly wipe out some of the added command lines, so I performed a reload command, and a "weird" thing happened: I couldn't remotely reset the box. I tried all possible combinations of the reload command but nothing worked. My remote session was still connected and I could still ping the box.

So the last resort was to issue the crashinfo force watchdog command from privileged EXEC mode. This command forces the device to crash, generates a crash output and reloads the device. It is practically safe to issue this command, and you'll be able to connect remotely again after a few minutes (5-7 minutes).


5525-X# reload
Proceed with reload? [confirm]   // STILL CONNECTED

5525-X# reload noconfirm   // STILL CONNECTED

5525-X# reload in 10    // STILL CONNECTED AFTER 10 mins

5525-X# reload
System config has been modified. Save? [Y]es/[N]o:y
Cryptochecksum: c6bd3ee7 cc75760d 6ecf8bd4 d0fe71a2
8505 bytes copied in 0.650 secs
Proceed with reload? [confirm]   // STILL CONNECTED

5525-X# show reload
Shutting down the system right now.

5525-X# debug crypto ikev1 255
Oct 02 22:37:49 [IKEv1]IP = 202.x.x.x, Reboot Underway... dropping new P1 packet.
Oct 02 22:37:57 [IKEv1]IP = 202.x.x.x, Reboot Underway... dropping new P1 packet.
Oct 02 22:38:05 [IKEv1]IP = 202.x.x.x, Reboot Underway... dropping new P1 packet.

5525-X# show crypto isakmp sa
There are no IKEv1 SAs

There are no IKEv2 SAs


5525-X# crashinfo force watchdog     // THIS COMMAND IS A LIFESAVER!
WARNING: This command will force a crash and cause a
         reboot. Do you wish to proceed? [confirm]:y


This seems to be a symptom of a software bug, and I was able to resolve (most of the time, at least) both the reload and the debug/show crypto issue by updating the ASA firewall image. According to Cisco's website, the recommended and stable code (as of this writing) is 9.1(5). I could upgrade directly from 9.1(2) to 9.1(5) since it's a minor release code.


5525-X# show flash | inc .bin
  110  38191104    Apr 29 2014 14:51:00  asa912-smp-k8.bin
  111  18097844    Apr 29 2014 14:52:20  asdm-713.bin
  123  37822464    Oct 06 2014 19:21:33  asa915-smp-k8.bin    // DUMPED IMAGE VIA TFTP
5525-X# show run boot
boot system disk0:/asa912-smp-k8.bin

5525-X# configure terminal
5525-X(config)# no boot system disk0:/asa912-smp-k8.bin
5525-X(config)# boot system disk0:/asa915-smp-k8.bin
5525-X(config)# boot system disk0:/asa912-smp-k8.bin     // CAN SPECIFY MULTIPLE BOOT IMAGES IN SEQUENTIAL ORDER
5525-X(config)# end
5525-X# show run boot
boot system disk0:/asa915-smp-k8.bin
boot system disk0:/asa912-smp-k8.bin

5525-X# reload

<OUTPUT TRUNCATED>

5525-X# show version

Cisco Adaptive Security Appliance Software Version 9.1(5)
Device Manager Version 7.1(3)

Compiled on Thu 27-Mar-14 10:19 PDT by builders
System image file is "disk0:/asa915-smp-k8.bin"
Config file at boot was "startup-config"

5525-X up 1 hour 36 mins


5525-X# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 202.x.x.x
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE



This is the debug crypto isakmp output taken from the remote peer/ASA firewall:

(5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, processing ID payload
Oct 07 10:28:07 [IKEv1 DECODE]: Group = 202.x.x.x, IP = 202.x.x.x, ID_IPV4_ADDR ID received 202.x.x.x
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, processing hash payload
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, Computing hash for ISAKMP
Oct 07 10:28:07 [IKEv1 DEBUG]: IP = 202.x.x.x, Processing IOS keep alive payload: proposal=32767/32767 sec.
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x IP = 202.x.x.x, processing VID payload
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, Received DPD VID
Oct 07 10:28:07 [IKEv1]: Group = 202.x.x.x, IP = 202.x.x.x, Automatic NAT Detection Status:    
Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Oct 07 10:28:07 [IKEv1]: IP = 202.x.x.x, Connection landed on tunnel_group 202.x.x.x
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, constructing ID payload
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, constructing hash payload
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, Computing hash for ISAKMP
Oct 07 10:28:07 [IKEv1 DEBUG]: IP = 202.176.12.2, Constructing IOS keep alive payload: proposal=32767/32767sec.
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, constructing dpd vid payload
Oct 07 10:28:07 [IKEv1]: IP = 202.176.12.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92

BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
ac 02 de b5 23 50 bb bf d4 ce ec fe d2 3c c2 81    |  ....#P.......<..
05 10 02 00 00 00 00 00 1c 00 00 00 08 00 00 0c    |  ................
01 11 00 00 ca 4e 10 0e 80 00 00 14 ba 65 ad 93    |  .....N.......e..
9a b0 58 4c b3 9f 91 92 af 9b 71 d7 0d 00 00 0c    |  ..XL......q.....
80 00 7f ff 80 00 7f ff 00 00 00 14 af ca d7 13    |  ..............
68 a1 f1 c9 6b 86 96 fc 77 57 01 00                |  h...k...wW..

ISAKMP Header
  Initiator COOKIE: ac 02 de b5 23 50 bb bf
  Responder COOKIE: d4 ce ec fe d2 3c c2 81
  Next Payload: Identification
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 469762048
  Payload Identification
    Next Payload: Hash
    Reserved: 00
    Payload Length: 12
    ID Type: IPv4 Address (1)
    Protocol ID (UDP/TCP, etc...): 17
    Port: 0
    ID Data: 202.x.x.x
  Payload Hash
    Next Payload: IOS Proprietary Keepalive or CHRE
    Reserved: 00
    Payload Length: 20
    Data:
      ba 65 ad 93 9a b0 58 4c b3 9f 91 92 af 9b 71 d7
  Payload IOS Proprietary Keepalive or CHRE
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 12
    Default Interval: 32767
    Retry Interval: 32767
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00

SENDING PACKET to 202.x.x.x
ISAKMP Header
  Initiator COOKIE: ac 02 de b5 23 50 bb bf
  Responder COOKIE: d4 ce ec fe d2 3c c2 81
  Next Payload: Identification
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (Encryption)
  MessageID: 00000000
  Length: 92
Oct 07 10:28:07 [IKEv1]: Group = 202.x.x.x, IP = 202.x.x.x, PHASE 1 COMPLETED
Oct 07 10:28:07 [IKEv1]: IP = 202.x.x.x, Keep-alive type for this connection: DPD
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, Starting P1 rekey timer: 73440 seconds.

IKE Recv RAW packet dump
ac 02 de b5 23 50 bb bf d4 ce ec fe d2 3c c2 81    |  ....#P.......<..
08 10 20 01 6d d4 d2 0f 00 00 00 bc 11 6c 79 02    |  .. .m........ly.
9f 7d d0 e4 5c 92 48 0f cd 4f 0f d5 57 fe b9 7e    |  .}..\.H..O..W..~
de 1b fd 84 db ea 6e 10 08 93 54 88 fc 10 a6 fd    |  ......n...T.....
33 a3 d8 90 11 6c e1 97 25 9e 5e 0c 8a 47 26 86    |  3....l..%.^..G&.
50 8d 18 c2 e4 9b 74 3e fe 1d d7 28 d5 67 89 a0    |  P.....t>...(.g..
ef ba f3 b1 73 f8 70 cb b9 37 bb 5d 29 28 93 b0    |  ....s.p..7.])(..
eb fd 6e 5c 5e bb 17 e2 0b b3 aa 60 05 76 a2 58    |  ..n\^......`.v.X
fc 66 48 cc 61 07 eb 67 91 6f 3b 9a 05 93 5d 76    |  .fH.a..g.o;...]v
d9 de 0f db 71 22 16 c5 ac 0c 6e 03 34 45 84 1d    |  ....q"....n.4E..
18 55 f1 e1 6b 5f 9b 3d 40 76 05 2f ce 46 f7 73    |  .U..k_.=@v./.F.s
c1 ba 4e c8 31 e8 fb 06 42 3a b6 d0                |  ..N.1...B:..

 RECV PACKET from 202.x.x.x
ISAKMP Header
  Initiator COOKIE: ac 02 de b5 23 50 bb bf
  Responder COOKIE: d4 ce ec fe d2 3c c2 81
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Quick Mode
  Flags: (Encryption)
  MessageID: 6DD4D20F
  Length: 188
Oct 07 10:28:07 [IKEv1 DECODE]: IP = 202.x.x.x, IKE Responder starting QM: msg id = 6dd4d20f

AFTER DECRYPTION
ISAKMP Header
  Initiator COOKIE: ac 02 de b5 23 50 bb bf
  Responder COOKIE: d4 ce ec fe d2 3c c2 81
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Quick Mode
  Flags: (Encryption)
  MessageID: 6DD4D20F
  Length: 188
  Payload Hash
    Next Payload: Security Association
    Reserved: 00
    Payload Length: 20
    Data:
      f8 03 04 ee ae b2 d3 a7 e4 f3 92 67 b5 8d a8 78
  Payload Security Association
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 60
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 48
      Proposal #: 1
      Protocol-Id: PROTO_IPSEC_ESP
      SPI Size: 4
      # of transforms: 1
      SPI: b7 52 63 26
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 1
        Transform-Id: ESP_3DES
        Reserved2: 0000
        Life Type: Seconds
        Life Duration (Hex): 70 80
        Life Type: Kilobytes
        Life Duration (Hex): 00 46 50 00
        Encapsulation Mode: Tunnel
        Authentication Algorithm: MD5
  Payload Nonce
    Next Payload: Identification
    Reserved: 00
    Payload Length: 24
    Data:
      67 4f f9 1c ee bf da b1 e0 4a ad eb 89 7f 92 91
      62 15 63 80
  Payload Identification
    Next Payload: Identification
    Reserved: 00
    Payload Length: 12
    ID Type: IPv4 Address (1)
    Protocol ID (UDP/TCP, etc...): 0
    Port: 0
    ID Data: KL-POP
  Payload Identification
    Next Payload: Notification
    Reserved: 00
    Payload Length: 12
    ID Type: IPv4 Address (1)
    Protocol ID (UDP/TCP, etc...): 0
    Port: 0
    ID Data: core01-Loopback2
  Payload Notification
    Next Payload: None
    Reserved: 00
    Payload Length: 28
    DOI: IPsec
    Protocol-ID: PROTO_ISAKMP
    Spi Size: 16
    Notify Type: STATUS_INITIAL_CONTACT
    SPI:
      ac 02 de b5 23 50 bb bf d4 ce ec fe d2 3c c2 81
Oct 07 10:28:07 [IKEv1]: IP = 202.x.x.x, IKE_DECODE RECEIVED Message (msgid=6dd4d20f) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
Oct 07 10:28:07 [IKEv1 DEBUG]: Group =202.x.x.x, IP = 202.x.x.x, processing hash payload
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, processing SA payload
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, processing nonce payload
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, processing ID payload
Oct 07 10:28:07 [IKEv1 DECODE]: Group = 202.x.x.x, IP = 202.x.x.x, ID_IPV4_ADDR ID received 202.x.x.x
Oct 07 10:28:07 [IKEv1]: Group = 202.x.x.x, IP = 202.x.x.x, Received remote Proxy Host data in ID
Payload:  Address 202.176.12.3, Protocol 0, Port 0
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, processing ID payload
Oct 07 10:28:07 [IKEv1 DECODE]: Group = 202.x.x.x, IP = 202.x.x.x, ID_IPV4_ADDR ID received 202.x.x.x
Oct 07 10:28:07 [IKEv1]: Group = 202.x.x.x, IP = 202.x.x.x, Received local Proxy Host data in ID
Payload:  Address 202.78.20.242, Protocol 0, Port 0
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, processing notify payload
Oct 07 10:28:07 [IKEv1]: Group = 202.x.x.x, IP = 202.x.x.x, QM IsRekeyed old sa not found by addr
Oct 07 10:28:07 [IKEv1]: Group = 202.x.x.x, IP = 202.x.x.x, Static Crypto Map check, checking map = vpndes, seq = 10...
Oct 07 10:28:07 [IKEv1]: Group = 202.x.x.x, IP = 202.x.x.x, Static Crypto Map check, map = vpndes,
seq = 10, ACL does not match proxy IDs src:KL-POP dst:core01-Loopback2
Oct 07 10:28:07 [IKEv1]: Group = 202.x.x.x, IP = 202.x.x.x, Static Crypto Map check, checking map = vpndes, seq = 11...
Oct 07 10:28:07 [IKEv1]: Group = 202.x.x.x, IP = 202.x.x.x, Static Crypto Map check, map = vpndes,
seq = 11, ACL does not match proxy IDs src:KL-POP dst:core01-Loopback2
Oct 07 10:28:07 [IKEv1]: Group = 202.x.x.x, IP = 202.x.x.x, Static Crypto Map check, checking map = vpndes, seq = 13...
Oct 07 10:28:07 [IKEv1]: Group = 202.x.x.x, IP = 202.x.x.x, Static Crypto Map check, map = vpndes,
seq = 13, ACL does not match proxy IDs src:KL-POP dst:core01-Loopback2
Oct 07 10:28:07 [IKEv1]: Group = 202.x.x.x, IP = 202.x.x.x, Static Crypto Map check, checking map = vpndes, seq = 20...
Oct 07 10:28:07 [IKEv1]: Group = 202.x.x.x, IP = 202.x.x.x, Static Crypto Map check, map = vpndes, seq = 20, no ACL configured
Oct 07 10:28:07 [IKEv1]: Group = 202.x.x.x, IP = 202.x.x.x, Static Crypto Map check, checking map = vpndes, seq = 22...
Oct 07 10:28:07 [IKEv1]: Group = 202.x.x.x, IP = 202.x.x.x, Static Crypto Map check, map = vpndes, seq = 22, no ACL configured
Oct 07 10:28:07 [IKEv1]: Group = 202.x.x.x, IP = 202.x.x.x, Static Crypto Map check, checking map = vpndes, seq = 45...
Oct 07 10:28:07 [IKEv1]: Group = 202.x.x.x, IP = 202.x.x.x, Static Crypto Map check, map = vpndes, seq = 45, ACL does not match proxy IDs src:KL-POP dst:core01-Loopback2
Oct 07 10:28:07 [IKEv1]: Group = 202.x.x.x, IP = 202.x.x.x, Static Crypto Map check, checking map = vpndes, seq = 88...
Oct 07 10:28:07 [IKEv1]: Group = 202.x.x.x, IP = 202.x.x.x, Static Crypto Map check, map = vpndes, seq = 88, ACL does not match proxy IDs src:KL-POP dst:core01-Loopback2
Oct 07 10:28:07 [IKEv1]: Group = 202.x.x.x, IP = 202.x.x.x, Static Crypto Map check, checking map = vpndes, seq = 103...
Oct 07 10:28:07 [IKEv1]: Group = 202.x.x.x, IP = 202.x.x.x, Static Crypto Map check, map vpndes, seq = 103 is a successful match
Oct 07 10:28:07 [IKEv1]: Group = 202.x.x.x, IP = 202.x.x.x, IKE Remote Peer configured for crypto map: vpndes
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, processing IPSec SA payload
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, IPSec SA Proposal # 1, Transform # 1 acceptable  Matches global IPSec SA entry # 103
Oct 07 10:28:07 [IKEv1]: Group = 202.x.x.x, IP = 202.x.x.x IKE: requesting SPI!
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, IKE got SPI from key engine: SPI = 0xd8f228fb
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, oakley constucting quick mode
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, constructing blank hash payload
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, constructing IPSec SA payload
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x2, constructing IPSec nonce payload
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, constructing proxy ID
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, Transmitting Proxy Id:
  Remote host: 202.x.x.x  Protocol 0  Port 0
  Local host:  202.x.x.x  Protocol 0  Port 0
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, constructing qm hash payload
Oct 07 10:28:07 [IKEv1 DECODE]: Group = 202.x.x.x, IP = 202.x.x.x, IKE Responder sending 2nd QM pkt: msg id = 6dd4d20f
Oct 07 10:28:07 [IKEv1]: IP = 202.x.x.x, IKE_DECODE SENDING Message (msgid=6dd4d20f) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 156

BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
ac 02 de b5 23 50 bb bf d4 ce ec fe d2 3c c2 81    |  ....#P.......<..
08 10 20 00 0f d2 d4 6d 1c 00 00 00 01 00 00 14    |  .. ....m........
2e 99 8f a9 8a 3f 0a 93 eb be d1 c1 8a 9e 5c 34    |  .....?........\4
0a 00 00 3c 00 00 00 01 00 00 00 01 00 00 00 30    |  ...<...........0
01 03 04 01 d8 f2 28 fb 00 00 00 24 01 03 00 00    |  ......(....$....
80 01 00 01 80 02 70 80 80 01 00 02 00 02 00 04    |  ......p.........
00 46 50 00 80 04 00 01 80 05 00 01 05 00 00 18    |  .FP.............
78 13 f7 fa 8c 32 f7 51 56 09 1a 3d 3b 44 28 92    |  x....2.QV..=;D(.
77 cf 0a 56 05 00 00 0c 01 00 00 00 ca b0 0c 03    |  w..V............
00 00 00 0c 01 00 00 00 ca 4e 14 f2                |  .........N..

ISAKMP Header
  Initiator COOKIE: ac 02 de b5 23 50 bb bf
  Responder COOKIE: d4 ce ec fe d2 3c c2 81
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Quick Mode
  Flags: (none)
  MessageID: 0FD2D46D
  Length: 469762048
  Payload Hash
    Next Payload: Security Association
    Reserved: 00
    Payload Length: 20
    Data:
      2e 99 8f a9 8a 3f 0a 93 eb be d1 c1 8a 9e 5c 34
  Payload Security Association
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 60
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 48
      Proposal #: 1
      Protocol-Id: PROTO_IPSEC_ESP
      SPI Size: 4
      # of transforms: 1
      SPI: d8 f2 28 fb
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 1
        Transform-Id: ESP_3DES
        Reserved2: 0000
        Life Type: Seconds
        Life Duration (Hex): 70 80
        Life Type: Kilobytes
        Life Duration (Hex): 00 46 50 00
        Encapsulation Mode: Tunnel
        Authentication Algorithm: MD5
  Payload Nonce
    Next Payload: Identification
    Reserved: 00
    Payload Length: 24
    Data:
      78 13 f7 fa 8c 32 f7 51 56 09 1a 3d 3b 44 28 92
      77 cf 0a 56
  Payload Identification
    Next Payload: Identification
    Reserved: 00
    Payload Length: 12
    ID Type: IPv4 Address (1)
    Protocol ID (UDP/TCP, etc...): 0
    Port: 0
    ID Data: KL-POP
  Payload Identification
    Next Payload: None
    Reserved: 00
    Payload Length: 12
    ID Type: IPv4 Address (1)
    Protocol ID (UDP/TCP, etc...): 0
    Port: 0
    ID Data: core01-Loopback2

ISAKMP Header
  Initiator COOKIE: ac 02 de b5 23 50 bb bf
  Responder COOKIE: d4 ce ec fe d2 3c c2 81
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Quick Mode
  Flags: (Encryption)
  MessageID: 6DD4D20F
  Length: 156


IKE Recv RAW packet dump
ac 02 de b5 23 50 bb bf d4 ce ec fe d2 3c c2 81    |  ....#P.......<..
08 10 20 01 6d d4 d2 0f 00 00 00 4c 94 64 33 cf    |  .. .m......L.d3.
a1 6b 7d 9c e8 4c 6c d3 d5 31 b1 8a fe cb ae 93    |  .k}..Ll..1......
44 f5 53 84 51 0d 3e c4 7c 86 c7 62 ca 73 ae 4d    |  D.S.Q.>.|..b.s.M
8d a8 e5 b7 03 75 b7 f6 b0 5e c9 63                |  .....u...^.c

 RECV PACKET from 202.x.x.x
ISAKMP Header
  Initiator COOKIE: ac 02 de b5 23 50 bb bf
  Responder COOKIE: d4 ce ec fe d2 3c c2 81
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Quick Mode
  Flags: (Encryption)
  MessageID: 6DD4D20F
  Length: 76

AFTER DECRYPTION
ISAKMP Header
  Initiator COOKIE: ac 02 de b5 23 50 bb bf
  Responder COOKIE: d4 ce ec fe d2 3c c2 81
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Quick Mode
  Flags: (Encryption)
  MessageID: 6DD4D20F
  Length: 76
  Payload Hash
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data:
      00 6b 6b bd aa 80 00 05 84 40 9b 93 2f f8 e8 50
Oct 07 10:28:07 [IKEv1]: IP = 202.x.x.x, IKE_DECODE RECEIVED Message (msgid=6dd4d20f) with payloads : HDR + HASH (8) + NONE (0) total length : 48
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, processing hash payload
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, loading all IPSEC SAs
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, Generating Quick Mode Key!
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, NP encrypt rule look up for crypto map vpndes 103 matching ACL Tu4: returned cs_id=cf59b008; rule=ce261a70
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, Generating Quick Mode Key!
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, NP encrypt rule look up for crypto map vpndes 103 matching ACL Tu4: returned cs_id=cf59b008; rule=ce261a70
Oct 07 10:28:07 [IKEv1]: Group = 202.x.x.x, IP = 202.x.x.x, Security negotiation complete for LAN-to-LAN Group (202.x.x.x)  Responder, Inbound SPI = 0xd8f228fb, Outbound SPI = 0xb7526326
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, IKE got a KEY_ADD msg for SA: SPI = 0xb7526326
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, Pitcher: received KEY_UPDATE, spi 0xd8f228fb
Oct 07 10:28:07 [IKEv1 DEBUG]: Group = 202.x.x.x, IP = 202.x.x.x, Starting P2 rekey timer: 24480 seconds.
Oct 07 10:28:07 [IKEv1]: Group = 202.x.x.x, IP = 202.x.x.x PHASE 2 COMPLETED (msgid=6dd4d20f)

Saturday, August 23, 2014

IKEv2 IPsec Site-to-Site VPNs

IKEv2 has streamlined the original IKEv1 packet exchanges used during Phase 1 and Phase 2 operation (Main mode, Aggressive mode, and Quick mode) to create the IKE and IPsec SAs for a secure communications tunnel. IKEv1 uses either nine messages (Main mode = 6 + Quick mode = 3) or six messages (Aggressive mode = 3 + Quick mode = 3) for successful operation.

IKEv2 instead introduces a new packet-exchange process using only four messages (note that additional child SAs require further packet exchanges, so this number may increase).

A successful IKEv2 message exchange involves a pair of messages for each of the phases listed here, which have been created to replace the older IKEv1 Phase 1 and Phase 2 negotiations. The corresponding IKEv1 "phases" are shown next to the relevant IKEv2 phase for your reference:

* IKE_SA_INIT (Phase 1)

* IKE_AUTH (Phase 1 and 2)


Phase 1

The first exchange, IKE_SA_INIT, is used to negotiate the security parameters by sending IKEv2 proposals, including the configured encryption and integrity protocols, Diffie-Hellman values, and nonces (random numbers). At this point, the two peers generate SKEYSEED (a seed security key value), from which all future IKE keys are generated. The messages that follow in later exchanges are encrypted and authenticated using keys generated from the SKEYSEED value.


Phase 2

The second exchange, IKE_AUTH, operates over the IKE_SA created by the IKE_SA_INIT exchange and is used to validate the identity of the peers and negotiate the various encryption, authentication, and integrity protocols to establish the first CHILD_SA, used by ESP or AH for the actual IPsec communication. Peers are validated using PSKs, certificates, or Extensible Authentication Protocol (EAP), which allows legacy authentication methods between peers.

The first CHILD_SA created in the second exchange (Phase 2) is commonly the only SA created for IPsec communication. However, if an application or peer requires additional SAs to secure traffic through an encrypted tunnel, IKEv2 uses the CREATE_CHILD_SA exchange. During the CREATE_CHILD_SA exchange, new Diffie-Hellman values may be generated and new cryptographic protocols negotiated (that is, there is no requirement for later SAs to use the same key material created during the initial IKE_SA_INIT exchange). This behavior is similar in function to PFS, whereby during an IKEv1 Quick mode exchange new Diffie-Hellman values may be used to prevent the reuse of key material created in the previous Phase 1 exchange. If you do not want to multiplex multiple source/destination traffic pairs over the same SA, you'll usually have multiple CREATE_CHILD_SA exchanges to create multiple SAs for securing data traffic.
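The two exchanges described above, worked through in code as an added example (this is not ASA code or part of the original post): both peers run IKE_SA_INIT, derive SKEYSEED = prf(Ni | Nr, g^ir) and the seven IKE SA keys with prf+ exactly as RFC 7296 sections 2.13 and 2.14 specify, then compute and check the PSK-based AUTH payload of IKE_AUTH (section 2.15). The Diffie-Hellman group, SPIs, message bodies and ID payloads are constructed stand-ins; HMAC-SHA-256 is assumed as the negotiated PRF.

```python
import hashlib
import hmac
import secrets

PRF_LEN = 32  # output length of PRF_HMAC_SHA2_256

# Toy Diffie-Hellman group, CONSTRUCTED for readability and insecure (p is tiny).
# A real peer uses a MODP/ECP group; the key derivation below is unchanged.
TOY_P, TOY_G, TOY_P_LEN = 23, 5, 1


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+(K, S) = T1 | T2 | ..., Tn = prf(K, Tn-1 | S | n)   (RFC 7296 2.13)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def derive_ike_keys(g_ir: bytes, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes,
                    enc_len: int = 32, integ_len: int = 32):
    """SKEYSEED = prf(Ni | Nr, g^ir); the seven IKE SA keys come from prf+ in RFC order."""
    skeyseed = prf(ni + nr, g_ir)
    names = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")
    sizes = (PRF_LEN, integ_len, integ_len, enc_len, enc_len, PRF_LEN, PRF_LEN)
    km = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(sizes))
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = km[pos:pos + size]
        pos += size
    return skeyseed, keys


def psk_auth(psk: bytes, signed_octets: bytes, id_payload: bytes, sk_p: bytes) -> bytes:
    """AUTH = prf(prf(PSK, "Key Pad for IKEv2"), <msg> | <peer nonce> | prf(SK_p, ID))  (2.15)."""
    maced_id = prf(sk_p, id_payload)
    return prf(prf(psk, b"Key Pad for IKEv2"), signed_octets + maced_id)


def run_exchange(psk_i: bytes, psk_r: bytes = None, xi: int = None, xr: int = None,
                 ni: bytes = None, nr: bytes = None) -> dict:
    """Walk both peers through IKE_SA_INIT and IKE_AUTH (PSK). Inputs default to random."""
    psk_r = psk_i if psk_r is None else psk_r
    xi = secrets.randbelow(TOY_P - 2) + 1 if xi is None else xi
    xr = secrets.randbelow(TOY_P - 2) + 1 if xr is None else xr
    ni = secrets.token_bytes(32) if ni is None else ni
    nr = secrets.token_bytes(32) if nr is None else nr
    spi_i, spi_r = secrets.token_bytes(8), secrets.token_bytes(8)

    # IKE_SA_INIT: SAi1, KEi, Ni  -->   <--  SAr1, KEr, Nr   (proposal bytes omitted here)
    ke_i = pow(TOY_G, xi, TOY_P).to_bytes(TOY_P_LEN, "big")
    ke_r = pow(TOY_G, xr, TOY_P).to_bytes(TOY_P_LEN, "big")
    msg1 = spi_i + bytes(8) + ke_i + ni   # constructed stand-in for the initiator's message 1
    msg2 = spi_i + spi_r + ke_r + nr      # constructed stand-in for the responder's message 2

    # Each side computes g^ir from the peer's KE and its own private exponent.
    g_ir_i = pow(int.from_bytes(ke_r, "big"), xi, TOY_P).to_bytes(TOY_P_LEN, "big")
    g_ir_r = pow(int.from_bytes(ke_i, "big"), xr, TOY_P).to_bytes(TOY_P_LEN, "big")
    seed_i, keys_i = derive_ike_keys(g_ir_i, ni, nr, spi_i, spi_r)
    seed_r, keys_r = derive_ike_keys(g_ir_r, ni, nr, spi_i, spi_r)

    # IKE_AUTH: IDi, AUTH  -->   <--  IDr, AUTH. ID payload bodies are constructed.
    id_i = b"\x01\x00\x00\x00" + bytes([200, 1, 1, 1])   # ID_IPV4_ADDR 200.1.1.1 (assumed)
    id_r = b"\x01\x00\x00\x00" + bytes([200, 1, 1, 2])   # ID_IPV4_ADDR 200.1.1.2 (peer on page)
    auth_i = psk_auth(psk_i, msg1 + nr, id_i, keys_i["SK_pi"])
    auth_r = psk_auth(psk_r, msg2 + ni, id_r, keys_r["SK_pr"])
    # The responder recomputes the initiator's AUTH with its own PSK and keys, and vice versa.
    ok_r = hmac.compare_digest(auth_i, psk_auth(psk_r, msg1 + nr, id_i, keys_r["SK_pi"]))
    ok_i = hmac.compare_digest(auth_r, psk_auth(psk_i, msg2 + ni, id_r, keys_i["SK_pr"]))

    return {"keys_match": keys_i == keys_r and seed_i == seed_r,
            "auth_ok": ok_i and ok_r, "skeyseed": seed_i, **keys_i}
```

A mismatched PSK leaves the two peers with identical IKE keys but a failed AUTH check, which is why an ASA with a wrong pre-shared key gets through IKE_SA_INIT and only fails in IKE_AUTH.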


ASA1(config)# access-list ?

configure mode commands/options:
  WORD < 241 char  Access list identifier
  alert-interval   Specify the alert interval for generating syslog message
                   106001 which alerts that the system has reached a deny flow
                   maximum. If not specified, the default value is 300 sec
  deny-flow-max    Specify the maximum number of concurrent deny flows that can
                   be created. If not specified, the default value is 4096
ASA1(config)# access-list VPN_ACL ?

configure mode commands/options:
  deny      Specify packets to reject
  extended  Configure access policy for IP traffic through the system
  line      Use this to specify line number at which ACE should be entered
  permit    Specify packets to forward
  remark    Specify a comment (remark) for the access-list after this keyword
  rename    rename an existing access-list
  standard  Use this to configure policy having destination host or network
            only
  webtype   Use this to configure WebVPN related policy
ASA1(config)# access-list VPN_ACL extended ?

configure mode commands/options:
  deny    Specify packets to reject
  permit  Specify packets to forward
ASA1(config)# access-list VPN_ACL extended permit ?

configure mode commands/options:
  <0-255>       Enter protocol number (0 - 255)
  ah
  eigrp
  esp
  gre
  icmp
  icmp6
  igmp
  igrp
  ip
  ipinip
  ipsec
  nos
  object        Specify a service object after this keyword
  object-group  Specify a service or protocol object-group after this keyword
  ospf
  pcp
  pim
  pptp
  snp
  tcp
  udp
ASA1(config)# access-list VPN_ACL extended permit ip ?

configure mode commands/options:
  A.B.C.D            Source IP address
  any                Abbreviation for source address and mask of 0.0.0.0
                     0.0.0.0
  host               Use this keyword to configure source host
  interface          Use interface address as source address
  object             Keyword to enter source object name
  object-group       Network object-group for source address
  object-group-user  User object-group for source address
  user               User for source address [<domain_nickname>\]<user_name>
  user-group         User-group for source address
                     [<domain_nickname>\\]<user_group_name>
ASA1(config)# access-list VPN_ACL extended permit ip 172.16.0.0 255.255.0.0 ?

configure mode commands/options:
  A.B.C.D       Destination IP address
  any           Abbreviation for destination address and mask of 0.0.0.0
                0.0.0.0
  host          Use this keyword to configure destination host
  interface     Use interface address as destination address
  object        Keyword to enter destination object name
  object-group  Network object-group for destination address
ASA1(config)# access-list VPN_ACL extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0    // CRYPTO ACL FOR "INTERESTING" TRAFFIC
ASA1(config)# crypto ?

configure mode commands/options:
  ca           Certification authority
  dynamic-map  Configure a dynamic crypto map
  ikev1        Configure IKEv1 policy
  ikev2        Configure IKEv2 policy
  ipsec        Configure transform-set, IPSec SA lifetime, and fragmentation
  isakmp       Configure ISAKMP
  key          Long term key operations
  map          Configure a crypto map

exec mode commands/options:
  ca  Execute Certification Authority Commands
ASA1(config)# crypto ipsec ?

configure mode commands/options:
  df-bit                Set IPsec DF policy
  fragmentation         Set IPsec fragmentation policy
  ikev1                 Set IKEv1 settings
  ikev2                 Set IKEv2 settings
  security-association  Set security association parameters
ASA1(config)# crypto ipsec ikev2 ?

configure mode commands/options:
  ipsec-proposal  Configure IKEv2 IPSec Policy
ASA1(config)# crypto ipsec ikev2 ipsec-proposal ?

configure mode commands/options:
  WORD < 65 char  Enter the name of the ipsec-proposal
ASA1(config)# crypto ipsec ikev2 ipsec-proposal S2S_VPN_IKEv2
ASA1(config-ipsec-proposal)# ?

ikev2 IPSec Policy configuration commands:
  exit      Exit from ipsec-proposal configuration mode
  help      Help for ikev2 IPSec policy configuration commands
  no        Remove an ikev2 IPSec policy configuration item
  protocol  Configure a protocol for the IPSec proposal
ASA1(config-ipsec-proposal)# protocol ?

ipsec-proposal mode commands/options:
  esp  IPsec Encapsulating Security Payload
ASA1(config-ipsec-proposal)# protocol esp ?

ipsec-proposal mode commands/options:
  encryption  Add one or more encryption algorithms for this protocol
  integrity   Add one or more integrity algorithms for this protocol
ASA1(config-ipsec-proposal)# protocol esp encryption ?

ipsec-proposal mode commands/options:
  3des     3des encryption
  aes      aes encryption
  aes-192  aes-192 encryption
  aes-256  aes-256 encryption
  des      des encryption
  null     null encryption
ASA1(config-ipsec-proposal)# protocol esp encryption aes-256
ASA1(config-ipsec-proposal)# protocol esp integrity ?

ipsec-proposal mode commands/options:
  md5    set hash md5
  sha-1  set hash sha-1
ASA1(config-ipsec-proposal)# protocol esp integrity sha-1
ASA1(config-ipsec-proposal)# exit
ASA1(config)# crypto map ?

configure mode commands/options:
  WORD < 64 char  Crypto map template tag
ASA1(config)# crypto map S2S_VPN_MAP ?

configure mode commands/options:
  <1-65535>  Sequence to insert into map entry
  client     Enable IKE extended authentication (Xauth)
  interface  Name of interface to apply the crypto map to
ASA1(config)# crypto map S2S_VPN_MAP 1 ?

configure mode commands/options:
  annotation    Specify annotation text - to be used by ASDM only
  ipsec-isakmp  IPSec w/ISAKMP
  match         Match address of packets to encrypt
  set           Specify crypto map settings
ASA1(config)# crypto map S2S_VPN_MAP 1 match ?

configure mode commands/options:
  address  Match address of packets to encrypt
ASA1(config)# crypto map S2S_VPN_MAP 1 match address VPN_ACL
ASA1(config)# crypto map S2S_VPN_MAP 1 set ?

configure mode commands/options:
  connection-type       Specify connection-type for site-site connection based
                        on this entry
  ikev1                 Configure IKEv1 policy
  ikev2                 Configure IKEv2 policy
  nat-t-disable         Disable nat-t negotiation for connections based on this
                        entry
  peer                  Set IP address of peer
  pfs                   Specify pfs settings
  reverse-route         Enable reverse route injection for connections based on
                        this entry
  security-association  Security association duration
  trustpoint            Specify trustpoint that defines the certificate to be
                        used while initiating a connection based on this entry
ASA1(config)# crypto map S2S_VPN_MAP 1 set peer ?

configure mode commands/options:
  Hostname or A.B.C.D     IP address
  Hostname or X:X:X:X::X  IPv6 address
ASA1(config)# crypto map S2S_VPN_MAP 1 set peer 200.1.1.2
ASA1(config)# crypto map S2S_VPN_MAP 1 ikev2 ?
ERROR: % Unrecognized command
ASA1(config)# crypto map S2S_VPN_MAP 1 set ikev2 ?

configure mode commands/options:
  ipsec-proposal  Specify list of IPSec proposals in priority order
  pre-shared-key  Specify a pre-shared key to be used while initiating a
                  connection based on this entry
ASA1(config)# crypto map S2S_VPN_MAP 1 set ikev2 ipsec-proposal S2S_VPN_IKEv2
ASA1(config)# crypto map S2S_VPN_MAP interface ?

configure mode commands/options:
Current available interface(s):
  inside   Name of interface GigabitEthernet0
  outside  Name of interface GigabitEthernet1
ASA1(config)# crypto map S2S_VPN_MAP interface outside
ASA1(config)# crypto ikev2 ?

configure mode commands/options:
  cookie-challenge  Enable and configure IKEv2 cookie challenges based on
                    half-open SAs
  enable            Enable IKEv2 on the specified interface
  limit             Enable limits on IKEv2 SAs
  policy            Set IKEv2 policy suite
  redirect          Set IKEv2 redirect
  remote-access     Configure IKEv2 for Remote Access
ASA1(config)# crypto ikev2 policy ?

configure mode commands/options:
  <1-65535>  Policy suite priority(1 highest, 65535 lowest)
ASA1(config)# crypto ikev2 policy 10
ASA1(config-ikev2-policy)# ?

ikev2 policy configuration commands:
  encryption  Configure one or more encryption algorithm
  exit        Exit from ikev2 policy configuration mode
  group       Configure one or more DH groups
  help        Help for ikev2 policy configuration commands
  integrity   Configure one or more integrity algorithm
  lifetime    Configure the ikev2 lifetime
  no          Remove an ikev2 policy configuration item
  prf         Configure one or more hash algorithm
ASA1(config-ikev2-policy)# encryption ?

ikev2-policy mode commands/options:
  3des     3des encryption
  aes      aes encryption
  aes-192  aes-192 encryption
  aes-256  aes-256 encryption
  des      des encryption
  null     null encryption
ASA1(config-ikev2-policy)# encryption aes-256
ASA1(config-ikev2-policy)# integrity ?

ikev2-policy mode commands/options:
  md5     set hash md5
  sha     set hash sha1
  sha256  set hash sha256
  sha384  set hash sha384
  sha512  set hash sha512
ASA1(config-ikev2-policy)# integrity sha256
ASA1(config-ikev2-policy)# group ?

ikev2-policy mode commands/options:
  1  Diffie-Hellman group 1
  2  Diffie-Hellman group 2
  5  Diffie-Hellman group 5
ASA1(config-ikev2-policy)# group 2   // DEFAULT DH GROUP
ASA1(config-ikev2-policy)# lifetime ?

ikev2-policy mode commands/options:
  seconds  Lifetime seconds
ASA1(config-ikev2-policy)# lifetime seconds ?

ikev2-policy mode commands/options:
  <120-2147483647>  Enter the ikev2 lifetime
  none              Disable rekey and allow an unlimited rekey period
ASA1(config-ikev2-policy)# lifetime seconds 86400   // LOWEST VALUE BETWEEN VPN PEER WILL BE CHOSEN
ASA1(config-ikev2-policy)# exit
ASA1(config)# crypto ikev2 enable ?

configure mode commands/options:
Type an interface name to enable
  inside   Name of interface GigabitEthernet0
  outside  Name of interface GigabitEthernet1
  <cr>
ASA1(config)# crypto ikev2 enable outside
ASA1(config)# tunnel-group ?

configure mode commands/options:
  WORD < 65 char  Enter the name of the tunnel group
ASA1(config)# tunnel-group 200.1.1.2 ?

configure mode commands/options:
  type  Enter the type of this group-policy
ASA1(config)# tunnel-group 200.1.1.2 type ?

configure mode commands/options:
  ipsec-l2l      IPSec Site to Site group
  ipsec-ra       IPSec Remote Access group (DEPRECATED)
  remote-access  Remote access (IPSec and WebVPN) group
  webvpn         WebVPN group (DEPRECATED)
ASA1(config)# tunnel-group 200.1.1.2 type ipsec-l2l
ASA1(config)# tunnel-group 200.1.1.2 ?

configure mode commands/options:
  general-attributes  Enter the general-attributes sub command mode
  ipsec-attributes    Enter the ipsec-attributes sub command mode
ASA1(config)# tunnel-group 200.1.1.2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ?

tunnel-group configuration commands:
  chain             Enable sending certificate chain
  exit              Exit from tunnel-group IPSec attribute configuration mode
  help              Help for tunnel group configuration commands
  ikev1             Configure IKEv1
  ikev2             Configure IKEv2
  isakmp            Configure ISAKMP policy
  no                Remove an attribute value pair
  peer-id-validate  Validate identity of the peer using the peer's certificate
ASA1(config-tunnel-ipsec)# ikev2 ?

tunnel-group-ipsec mode commands/options:
  local-authentication   Configure the local authentication method for IKEv2
                         tunnels
  remote-authentication  Configure the remote authentication method required of
                         the remote peer for IKEv2 tunnels
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication ?

tunnel-group-ipsec mode commands/options:
  certificate     Require certificate authentication from remote peer
  pre-shared-key  Require pre-shared-key authentication from remote peer
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key ?

tunnel-group-ipsec mode commands/options:
  0                Specifies an UNENCRYPTED password will follow
  8                Specifies an ENCRYPTED password will follow
  WORD < 129 char  Enter an alphanumeric string between 1-128 characters
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key cisco
INFO: You must configure ikev2 local-authentication pre-shared-key
      or certificate to complete authentication.
ASA1(config-tunnel-ipsec)# ikev2 local-authentication ?

tunnel-group-ipsec mode commands/options:
  certificate     Select the trustpoint that identifies the cert to be sent to
                  the IKE peer
  pre-shared-key  Configure the local pre-shared-key used to authenticate to
                  the remote peer
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key ?

tunnel-group-ipsec mode commands/options:
  0  Specifies an UNENCRYPTED password will follow
  8  Specifies an ENCRYPTED password will follow
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key cisco123


------


ASA2(config)# access-list VPN_ACL extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0    // "MIRRORED" CRYPTO ACL
ASA2(config)# crypto ipsec ikev2 ipsec-proposal S2S_VPN_IKEv2
ASA2(config-ipsec-proposal)# protocol esp encryption aes-256
ASA2(config-ipsec-proposal)# protocol esp integrity sha-1
ASA2(config-ipsec-proposal)# exit
ASA2(config)# crypto map S2S_VPN_MAP 1 match address VPN_ACL
ASA2(config)# crypto map S2S_VPN_MAP 1 set peer 100.1.1.2
ASA2(config)# crypto map S2S_VPN_MAP 1 set ikev2 ipsec-proposal S2S_VPN_IKEv2
ASA2(config)# crypto map S2S_VPN_MAP interface outside
ASA2(config)# crypto ikev2 policy 10
ASA2(config-ikev2-policy)# encryption aes-256
ASA2(config-ikev2-policy)# integrity sha256
ASA2(config-ikev2-policy)# group 2
ASA2(config-ikev2-policy)# lifetime seconds 86400
ASA2(config-ikev2-policy)# crypto ikev2 enable outside
ASA2(config)# tunnel-group 100.1.1.2 type ipsec-l2l
ASA2(config)# tunnel-group 100.1.1.2 ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key cisco
INFO: You must configure ikev2 remote-authentication pre-shared-key
      and/or certificate to complete authentication.
ASA2(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key cisco123


--------


ASA1# show run crypto ikev2
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside

ASA1# show run crypto ipsec
crypto ipsec ikev2 ipsec-proposal S2S_VPN_IKEv2
 protocol esp encryption aes-256
 protocol esp integrity sha-1

ASA1# show run crypto map
crypto map S2S_VPN_MAP 1 match address VPN_ACL
crypto map S2S_VPN_MAP 1 set peer 200.1.1.2
crypto map S2S_VPN_MAP 1 set ikev2 ipsec-proposal S2S_VPN_IKEv2
crypto map S2S_VPN_MAP interface outside



ASA2# show run crypto ikev2
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside

ASA2# show run crypto ipsec
crypto ipsec ikev2 ipsec-proposal S2S_VPN_IKEv2
 protocol esp encryption aes-256
 protocol esp integrity sha-1

ASA2# show run crypto map
crypto map S2S_VPN_MAP 1 match address VPN_ACL
crypto map S2S_VPN_MAP 1 set peer 100.1.1.2
crypto map S2S_VPN_MAP 1 set ikev2 ipsec-proposal S2S_VPN_IKEv2
crypto map S2S_VPN_MAP interface outside
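Added example, not from the post or Cisco's tooling: a Python check that parses the two `show run crypto` excerpts above and confirms the peers mirror each other (peer addresses, IKEv2 policy overlap, IPsec proposal, cross-matched pre-shared keys, mirrored crypto ACL) while flagging the 1024-bit DH group 2 and SHA-1 choices the post selects. It assumes ASA1's crypto ACL is the mirror of ASA2's (as the traffic selectors in the debug trace show), takes the outside addresses 100.1.1.2/200.1.1.2 from the trace, and only handles the single-policy, single-proposal shape shown here.

```python
import re

# Constructed from the `show run crypto ikev2 / ipsec / map` output shown for ASA1.
ASA1_RUN = """\
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal S2S_VPN_IKEv2
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map S2S_VPN_MAP 1 match address VPN_ACL
crypto map S2S_VPN_MAP 1 set peer 200.1.1.2
crypto map S2S_VPN_MAP 1 set ikev2 ipsec-proposal S2S_VPN_IKEv2
crypto map S2S_VPN_MAP interface outside
"""
# ASA2's show run on the page is identical apart from the peer address.
ASA2_RUN = ASA1_RUN.replace("set peer 200.1.1.2", "set peer 100.1.1.2")

# Details the show run excerpts do not carry: outside address (from the debug
# trace), crypto ACL source/destination (assumed mirrored), tunnel-group PSKs.
ASA1 = {"name": "ASA1", "run": ASA1_RUN, "outside": "100.1.1.2",
        "acl": ("172.16.0.0/16", "192.168.0.0/16"),
        "local_psk": "cisco123", "remote_psk": "cisco"}
ASA2 = {"name": "ASA2", "run": ASA2_RUN, "outside": "200.1.1.2",
        "acl": ("192.168.0.0/16", "172.16.0.0/16"),
        "local_psk": "cisco", "remote_psk": "cisco123"}

# Keywords from the ASA menus above worth flagging: DES/3DES/null, MD5,
# SHA-1 ("sha" in the policy, "sha-1" in the proposal), DH groups 1/2/5.
WEAK = {"des", "3des", "null", "md5", "sha", "sha-1", "1", "2", "5"}

MAP_ENTRY = re.compile(r"crypto map \S+ \d+ (match address|set peer|set ikev2 ipsec-proposal) (\S+)")
MAP_IFACE = re.compile(r"crypto map \S+ interface (\S+)")


def parse_run(text):
    """Extract the IKEv2 policy, IPsec proposal and crypto map from show run text."""
    cfg = {"policy": {}, "proposal": {}, "map": {}}
    section = None
    for line in text.splitlines():
        if line.startswith("crypto ikev2 policy"):
            section = "policy"
        elif line.startswith("crypto ipsec ikev2 ipsec-proposal"):
            section = "proposal"
        elif line.startswith("crypto map"):
            section = None
            m = MAP_ENTRY.match(line)
            if m:
                cfg["map"][m.group(1)] = m.group(2)
            m = MAP_IFACE.match(line)
            if m:
                cfg["map"]["interface"] = m.group(1)
        elif line.startswith(" ") and section:
            parts = line.split()
            if section == "proposal":          # " protocol esp integrity sha-1"
                cfg["proposal"][" ".join(parts[1:3])] = parts[3]
            else:                              # " encryption aes-256" (may list several)
                cfg["policy"][parts[0]] = parts[1:]
        else:
            section = None                     # e.g. "crypto ikev2 enable outside"
    return cfg


def check_pair(a, b):
    """Return (kind, message) findings: 'mismatch' stops the tunnel, 'weak' is a risk."""
    ca, cb = parse_run(a["run"]), parse_run(b["run"])
    out = []
    # Each side's set peer must be the other side's outside address.
    for me, cfg, other in ((a, ca, b), (b, cb, a)):
        if cfg["map"].get("set peer") != other["outside"]:
            out.append(("mismatch", f"{me['name']}: set peer is not {other['name']}'s outside address"))
    # IKEv2 policies need at least one common value per attribute.
    for attr in ("encryption", "integrity", "group", "prf"):
        if not set(ca["policy"].get(attr, [])) & set(cb["policy"].get(attr, [])):
            out.append(("mismatch", f"no common IKEv2 {attr} between peers"))
    if ca["proposal"] != cb["proposal"]:
        out.append(("mismatch", "IPsec proposals differ"))
    # ASA1's local key must equal ASA2's remote key and vice versa.
    if a["local_psk"] != b["remote_psk"] or a["remote_psk"] != b["local_psk"]:
        out.append(("mismatch", "pre-shared keys are not cross-matched"))
    # The crypto ACL on one side must be the mirror image of the other's.
    if a["acl"] != tuple(reversed(b["acl"])):
        out.append(("mismatch", "crypto ACLs are not mirrored"))
    for me, cfg in ((a, ca), (b, cb)):
        chosen = [v for vals in cfg["policy"].values() for v in vals]
        chosen += list(cfg["proposal"].values())
        out += [("weak", f"{me['name']}: weak algorithm or group '{v}'") for v in chosen if v in WEAK]
    return out


def tunnel_should_come_up(findings):
    """True when nothing in the findings would stop IKE_SA_INIT/IKE_AUTH from completing."""
    return not any(kind == "mismatch" for kind, _ in findings)


if __name__ == "__main__":
    for kind, msg in check_pair(ASA1, ASA2):
        print(f"[{kind}] {msg}")
```

For the page's configuration the check reports no mismatch (the tunnel comes up, as the debug trace confirms) but three weak choices per side: DH group 2, the default `prf sha`, and ESP integrity `sha-1`.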


----


ASA1# show crypto ikev2 sa detail

There are no IKEv2 SAs


ASA1# debug crypto ?

  ca          Set PKI debug levels
  condition   Set IPSec/ISAKMP debug filters
  engine      Set crypto engine debug levels
  ike-common  Set IKE common debug levels
  ikev1       Set IKEV1 debug levels
  ikev2       Set IKEV2 debug levels
  ipsec       Set IPSec debug levels
  vpnclient   Set EasyVPN client debug levels
ASA1# debug crypto ikev2 ?

  ha        debug the ikev2 ha
  platform  debug the ikev2 platform
  protocol  debug the ikev2 protocol
  timers    debug the ikev2 timers
ASA1# debug crypto ikev2 platform 127
ASA1# debug crypto ikev2 protocol 127


----


ASA1# IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-3: attempting to find tunnel group for IP: 200.1.1.2
IKEv2-PLAT-3: mapped to tunnel group 200.1.1.2 using peer IP
IKEv2-PLAT-3: my_auth_method = 2
IKEv2-PLAT-3: supported_peers_auth_method = 2
IKEv2-PLAT-3: P1 ID = 0
IKEv2-PLAT-3: Translating IKE_ID_AUTO to = 255
IKEv2-PLAT-3: (1) tp_name set to:
IKEv2-PLAT-3: (1) tg_name set to: 200.1.1.2
IKEv2-PLAT-3: (1) tunn grp type set to: L2L
IKEv2-PLAT-5: New ikev2 sa request admitted
IKEv2-PLAT-5: Incrementing outgoing negotiating sa count by one
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-3: (1): Getting configured policies
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-3: (1): Setting configured policies
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-3: (1): Computing DH public key
IKEv2-PROTO-3: (1):
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-5: (1): Action: Action_Null
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-2: (1): Sending initial message
IKEv2-PROTO-3:   IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA1   SHA256   DH_GROUP_1024_MODP/Group 2
IKEv2-PROTO-5: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-5: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-5: Construct Vendor Specific Payload: FRAGMENTATIONIKEv2-PROTO-3: (1): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 100.1.1.2:500/R 200.1.1.2:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:19E9DEBA22DDD9AD - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: 19E9DEBA22DDD9AD - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 394
 SA  Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2

 KE  Next payload: N, reserved: 0x0, length: 136
    DH group: 2, Reserved: 0x0

     67 fe 46 0c 42 aa f7 c3 9e f6 b1 5d 53 3c 16 8c
     2c 30 c1 36 a3 73 7e 19 77 5b a1 eb df 83 03 b6
     d5 33 67 3a 32 26 d0 fc 47 72 aa 9b 74 60 ae b5
     83 1f 64 5a 6e 9e cf 26 26 60 aa d2 6d f4 88 08
     b9 38 5a 4e 2b f1 c7 02 9e 3d 1e 6a e2 45 a3 3e
     a5 aa 1e 38 3d ae e5 bf 01 ea dc 5b a7 ef 04 bd
     e4 78 22 9d 6c 9f 7d b2 25 ba c8 eb 82 59 03 14
     a3 1b f7 f7 24 03 60 8c 93 f5 33 5c 7c ce 62 24
 N  Next payload: VID, reserved: 0x0, length: 24

     7d 03 ed 8b 83 d7 53 49 f2 bd 2b ff bf 24 ed f0
     59 c5 c3 37
 VID  Next payload: VID, reserved: 0x0, length: 23

     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
 VID  Next payload: NOTIFY, reserved: 0x0, length: 59

     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     f1 85 22 7a a3 a8 ef bc a8 58 ba d9 f5 8e 9a 44
     db 07 7d aa
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: VID, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     84 63 f4 17 2f 4e 26 7a c1 6d fc c7 71 d9 2e ef
     da 6e 51 4f
 VID  Next payload: NONE, reserved: 0x0, length: 20

     40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3

IKEv2-PLAT-4: SENT PKT [IKE_SA_INIT] [100.1.1.2]:500->[200.1.1.2]:500 InitSPI=0x19e9deba22ddd9ad RespSPI=0x0000000000000000 MID=00000000
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-3: (1): Insert SA
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PLAT-4: RECV PKT [IKE_SA_INIT] [200.1.1.2]:500->[100.1.1.2]:500 InitSPI=0x19e9deba22ddd9ad RespSPI=0xecbd3f4be86f51af MID=00000000
IKEv2-PROTO-3: Rx [L 100.1.1.2:500/R 200.1.1.2:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:19E9DEBA22DDD9AD - r: ECBD3F4BE86F51AF]
IKEv2-PROTO-4: IKEV2 HDR ispi: 19E9DEBA22DDD9AD - rspi: ECBD3F4BE86F51AF
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x0, length: 394

 SA  Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2

 KE  Next payload: N, reserved: 0x0, length: 136
    DH group: 2, Reserved: 0x0

     cb 30 95 7d 1b 5e f3 9e 55 35 aa 47 32 ea af 6a
     b6 07 6d d6 f9 12 7a c0 22 fe ae da 1a a5 b8 2d
     aa 70 cd f7 a5 60 08 8b 4f 0f d2 d5 81 c8 41 8f
     48 be 2e b3 c4 f7 bb 13 c8 9c 2a 99 df 65 29 f1
     89 a5 d0 d1 70 4b f6 e6 b3 9c 33 4c 67 95 4a 4a
     0c 20 49 01 34 b2 6e 15 f8 91 a4 09 ec 7d 95 a5
     b1 fb f9 6d 03 92 c4 28 b9 e9 00 9f 3a 57 8d c9
     cb bc 20 b0 6e ea c5 b3 38 63 0c ec a8 8b 16 a4
 N  Next payload: VID, reserved: 0x0, length: 24

     fd 2c be 84 ac 7c d3 a2 65 72 8b 3d d5 e3 6e ff
     2c 5e e9 4b
IKEv2-PROTO-5: Parse Vendor Specific Payload: CISCO-DELETE-REASON VID  Next payload: VID, reserved: 0x0, length: 23

     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: NOTIFY, reserved: 0x0, length: 59

     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     e7 19 65 24 2c 02 09 2d c0 2c 54 d5 48 a0 0f a7
     db 17 8d dc
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: VID, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     f8 67 d4 4b f0 62 47 4a 75 82 a0 b3 cd d4 bc 52
     38 84 2e a8
IKEv2-PROTO-5: Parse Vendor Specific Payload: FRAGMENTATION VID  Next payload: NONE, reserved: 0x0, length:20

     40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3

Decrypted packet:Data: 394 bytes
IKEv2-PLAT-3: Process custom VID payloads
IKEv2-PLAT-3: Cisco Copyright VID received from peer
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-5: (1): Processing initial message
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (1): Processing initial message
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-3: (1): Verify SA init message
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-2: (1): Processing initial message
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-3: (1): Process NAT discovery notify
IKEv2-PROTO-5: (1): Processing nat detect src notify
IKEv2-PROTO-5: (1): Remote address matched
IKEv2-PROTO-5: (1): Processing nat detect dst notify
IKEv2-PROTO-5: (1): Local address matched
IKEv2-PROTO-5: (1): No NAT found
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-3: (1): Check NAT discovery
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-3: (1): Computing DH secret key
IKEv2-PROTO-3: (1):
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-5: (1): Action: Action_Null
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-3: (1): Generate skeyid
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-3: (1): Fragmentation is enabled
IKEv2-PROTO-3: (1): Cisco DeleteReason Notify is enabled
IKEv2-PROTO-3: (1): Complete SA init exchange
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PLAT-2: Build config mode reply: no request stored
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (1): Check for EAP exchange
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-3: (1): Generate my authentication data
IKEv2-PROTO-3: (1): Use preshared key for id 100.1.1.2, key len 8
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (1): Get my authentication method
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-3: (1): Check for EAP exchange
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-2: (1): Sending auth message
IKEv2-PROTO-5: Construct Vendor Specific Payload: CISCO-GRANITEIKEv2-PROTO-3:   ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
   AES-CBC   SHA96
IKEv2-PROTO-5: Construct Notify Payload: INITIAL_CONTACTIKEv2-PROTO-5: Construct Notify Payload: ESP_TFC_NO_SUPPORTIKEv2-PROTO-5: Construct Notify Payload: NON_FIRST_FRAGSIKEv2-PROTO-3: (1): Building packet for encryption; contents are:
 VID  Next payload: IDi, reserved: 0x0, length: 20

     1b e9 df ba 31 ea 2a ea 62 4f 69 f3 ca 01 6a c2
 IDi  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0

     64 01 01 02
 AUTH  Next payload: SA, reserved: 0x0, length: 28
    Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 20 bytes
 SA  Next payload: TSi, reserved: 0x0, length: 44
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id:

 TSi  Next payload: TSr, reserved: 0x0, length: 40
    Num of TSs: 2, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 172.16.0.1, end addr: 172.16.0.1
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 172.16.0.0, end addr: 172.16.255.255
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 40
    Num of TSs: 2, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 192.168.1.1, end addr: 192.168.1.1
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 192.168.0.0, end addr: 192.168.255.255
 NOTIFY(INITIAL_CONTACT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
 NOTIFY(ESP_TFC_NO_SUPPORT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
 NOTIFY(NON_FIRST_FRAGS)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS

IKEv2-PROTO-3: (1): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 100.1.1.2:500/R 200.1.1.2:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:19E9DEBA22DDD9AD - r: ECBD3F4BE86F51AF]
IKEv2-PROTO-4: IKEV2 HDR ispi: 19E9DEBA22DDD9AD - rspi: ECBD3F4BE86F51AF
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x1, length: 288
 ENCR  Next payload: VID, reserved: 0x0, length: 260
Encrypted data: 256 bytes

IKEv2-PLAT-4: SENT PKT [IKE_AUTH] [100.1.1.2]:500->[200.1.1.2]:500 InitSPI=0x19e9deba22ddd9ad RespSPI=0xecbd3f4be86f51af MID=00000001
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PLAT-4: RECV PKT [IKE_AUTH] [200.1.1.2]:500->[100.1.1.2]:500 InitSPI=0x19e9deba22ddd9ad RespSPI=0xecbd3f4be86f51af MID=00000001
IKEv2-PROTO-3: Rx [L 100.1.1.2:500/R 200.1.1.2:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:19E9DEBA22DDD9AD - r: ECBD3F4BE86F51AF]
IKEv2-PROTO-4: IKEV2 HDR ispi: 19E9DEBA22DDD9AD - rspi: ECBD3F4BE86F51AF
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x1, length: 240

REAL Decrypted packet:Data: 168 bytes
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: IDr, reserved: 0x0, length: 20

     ee bd 3e 4b fb 58 a2 e8 62 4f 69 f3 ca 01 6a c2
 IDr  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0

     c8 01 01 02
 AUTH  Next payload: SA, reserved: 0x0, length: 28
    Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 20 bytes
 SA  Next payload: TSi, reserved: 0x0, length: 44
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id:

 TSi  Next payload: TSr, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 172.16.0.0, end addr: 172.16.255.255
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 192.168.0.0, end addr: 192.168.255.255
IKEv2-PROTO-5: Parse Notify Payload: ESP_TFC_NO_SUPPORT NOTIFY(ESP_TFC_NO_SUPPORT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
IKEv2-PROTO-5: Parse Notify Payload: NON_FIRST_FRAGS NOTIFY(NON_FIRST_FRAGS)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS

Decrypted packet:Data: 240 bytes
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-5: (1): Action: Action_Null
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (1): Process auth response notify
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PLAT-3: (1) peer auth method set to: 2
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-3: (1): Getting configured policies
IKEv2-PLAT-3: connection initiated with tunnel group 200.1.1.2
IKEv2-PLAT-3: (1) tg_name set to: 200.1.1.2
IKEv2-PLAT-3: (1) tunn grp type set to: L2L
IKEv2-PLAT-3: my_auth_method = 2
IKEv2-PLAT-3: supported_peers_auth_method = 2
IKEv2-PLAT-3: P1 ID = 0
IKEv2-PLAT-3: Translating IKE_ID_AUTO to = 255
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-3: (1): Verify peer's policy
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (1): Get peer authentication method
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-3: (1): Get peer's preshared key for 200.1.1.2
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-3: (1): Verify authentication data
IKEv2-PROTO-3: (1): Use preshared key for id 200.1.1.2, key len 5
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (1): Check for EAP exchange
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_SA_TS
IKEv2-PROTO-2: (1): Processing auth message
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-5: (1): Action: Action_Null
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE
IKEv2-PROTO-3: (1): Closing the PKI session
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-2: (1): SA created; inserting SA into database
IKEv2-PLAT-3:
CONNECTION STATUS: UP... peer: 200.1.1.2:500, phase1_id: 200.1.1.2
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PLAT-3: (1) connection auth hdl set to 0
IKEv2-PLAT-3: AAA conn attribute retrieval successfully queued for register session request.
IKEv2-PROTO-3: (1):
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PLAT-3: (1) idle timeout set to: 30
IKEv2-PLAT-3: (1) session timeout set to: 0
IKEv2-PLAT-3: (1) group policy set to DfltGrpPolicy
IKEv2-PLAT-3: (1) class attr set
IKEv2-PLAT-3: (1) tunnel protocol set to: 0x5c
IKEv2-PLAT-3: IPv4 filter ID not configured for connection
IKEv2-PLAT-3: (1) group lock set to: none
IKEv2-PLAT-3: IPv6 filter ID not configured for connection
IKEv2-PLAT-3: (1) connection attribues set valid to TRUE
IKEv2-PLAT-3: Successfully retrieved conn attrs
IKEv2-PLAT-3: Session registration after conn attr retrieval PASSED, No error
IKEv2-PLAT-3:
CONNECTION STATUS: REGISTERED... peer: 200.1.1.2:500, phase1_id: 200.1.1.2
IKEv2-PROTO-3: (1): Initializing DPD, configured for 10 seconds
IKEv2-PLAT-3: (1) mib_index set to: 501
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_GEN_LOAD_IPSEC
IKEv2-PROTO-3: (1): Load IPSEC key material
IKEv2-PLAT-3: PROXY MATCH on crypto map S2S_VPN_MAP seq 1
IKEv2-PLAT-3: (1) DPD Max Time will be: 10
IKEv2-PLAT-3: (1) DPD Max Time will be: 10
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_START_ACCT
IKEv2-PROTO-5: (1): Accounting not required
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-3: (1): Checking for duplicate SA
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: READY Event: EV_I_UPDATE_CAC_STATS
IKEv2-PLAT-5: New ikev2 sa request activated
IKEv2-PLAT-5: Decrement count for outgoing negotiating
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001 CurState: READY Event: EV_I_OK
IKEv2-PROTO-5: (1): Deleting negotiation context for my message ID: 0x1

ASA1# show crypto ikev2 sa detail

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
  8900467         100.1.1.2/500         200.1.1.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/15 sec
      Session-id: 1
      Status Description: Negotiation done
      Local spi: 19E9DEBA22DDD9AD       Remote spi: ECBD3F4BE86F51AF
      Local id: 100.1.1.2
      Remote id: 200.1.1.2
      Local req mess id: 2              Remote req mess id: 0
      Local next mess id: 2             Remote next mess id: 0
      Local req queued: 2               Remote req queued: 0
      Local window: 1                   Remote window: 1
      DPD configured for 10 seconds, retry 2
      NAT-T is not detected
Child sa: local selector  172.16.0.0/0 - 172.16.255.255/65535
          remote selector 192.168.0.0/0 - 192.168.255.255/65535
          ESP spi in/out: 0x761a14dc/0x97dc5e3a
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel


ASA2# show crypto ikev2 sa detail

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
  9509961         200.1.1.2/500         100.1.1.2/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/115 sec
      Session-id: 1
      Status Description: Negotiation done
      Local spi: ECBD3F4BE86F51AF       Remote spi: 19E9DEBA22DDD9AD
      Local id: 200.1.1.2
      Remote id: 100.1.1.2
      Local req mess id: 2              Remote req mess id: 5
      Local next mess id: 2             Remote next mess id: 5
      Local req queued: 2               Remote req queued: 5
      Local window: 1                   Remote window: 1
      DPD configured for 10 seconds, retry 2
      NAT-T is not detected
Child sa: local selector  192.168.0.0/0 - 192.168.255.255/65535
          remote selector 172.16.0.0/0 - 172.16.255.255/65535
          ESP spi in/out: 0x97dc5e3a/0x761a14dc
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel

Saturday, August 16, 2014

IKEv1 IPsec Site-to-Site VPN

IKEv1 provides a framework for the parameter negotiation and key exchange between VPN peers for the correct establishment of a Security Association (SA).

However, the actual processes of key exchange and parameter negotiation are carried out by two protocols used by IKEv1:

* Internet Security Association and Key Management Protocol (ISAKMP)

* Oakley

ISAKMP takes care of parameter negotiation between peers (for example, DH groups, lifetimes, encryption and authentication). The process of negotiating these parameters between peers is required for the successful establishment of SAs. After an SA has been established, ISAKMP defines the procedures followed for correct maintenance and removal of the SA during connection termination.

Note: You will often find the terms ISAKMP and IKE used interchangeably; earlier versions of ASA (pre 8.4) and IOS use ISAKMP to reference IKEv1 functions and parameters.

Two mandatory IKEv1 phases (aptly named IKEv1 Phase 1 and IKEv1 Phase 2) must be completed by each peer before a communications tunnel can be established between them and they are ready for successful data transmission:

* IKEv1 Phase 1: During this phase, both peers negotiate parameters (integrity and encryption algorithms, authentication methods) to set up a secure and authenticated tunnel. This is also called a management channel because no user data is flowing through it (and it is actually a bidirectional IKE SA). Its sole scope is to handle secure Phase 2 negotiations. It is called bidirectional because both peers use only one session key to secure both incoming and outgoing traffic. Peer authentication can be carried out by one of the following methods:

    - Pre-shared keys

    - Digital certificates

* IKEv1 Phase 2: This second mandatory phase uses the parameters negotiated in Phase 1 for secure IPsec SA creation. However, unlike the single bidirectional SA created within Phase 1, IPsec SAs are unidirectional, meaning a different session key is used for each direction (one for inbound, or decrypted, traffic, and one for outbound, or encrypted, traffic). This applies to each administrator-configured source-destination network pair. Therefore, you might end up with four unidirectional IPsec SAs if you have two source-destination network pairs defined in a VPN policy.

I used my 871w IOS router and ASA 5505 firewall to establish an IKEv1 IPsec site-to-site VPN tunnel. This will help demonstrate the similarities and differences in configuring and troubleshooting for IKE Phase 1 and IKE Phase 2 VPN policies.
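As an added example (not code from the original post), the two-phase negotiation described above modelled in Python, fed with the Phase 1 policies, lifetimes and crypto ACLs that the 871W and ASA 5505 are given later in this post. The `IsakmpPolicy` class, the function names and the mismatch scenarios (a DH group 5 policy, a second subnet pair) are my own constructions for illustration.

```python
"""Model of IKEv1 Phase 1 policy matching and Phase 2 crypto ACL mirroring.

Phase 1: the initiator offers its ISAKMP policies in priority order (lowest
number preferred); the responder accepts the first one whose encryption,
hash, DH group and authentication method it also has.  Lifetimes do not
have to match: the lower of the two is chosen.

Phase 2: the crypto ACLs on both peers must mirror each other, and every
matching source/destination pair yields two unidirectional IPsec SAs.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int        # lower number is preferred
    encryption: str      # e.g. "aes-256"
    hash_alg: str        # "sha" or "md5"
    group: int           # Diffie-Hellman group
    authentication: str  # "pre-share" or "rsa-sig"
    lifetime: int        # seconds


def negotiate_phase1(initiator: List[IsakmpPolicy],
                     responder: List[IsakmpPolicy]) -> Optional[dict]:
    """Return the agreed Phase 1 parameters, or None when no policy matches."""
    for offer in sorted(initiator, key=lambda p: p.priority):
        for accept in sorted(responder, key=lambda p: p.priority):
            same_suite = (
                (offer.encryption, offer.hash_alg, offer.group, offer.authentication)
                == (accept.encryption, accept.hash_alg, accept.group, accept.authentication)
            )
            if same_suite:
                return {
                    "encryption": offer.encryption,
                    "hash": offer.hash_alg,
                    "group": offer.group,
                    "authentication": offer.authentication,
                    # the lower lifetime wins between the VPN peers
                    "lifetime": min(offer.lifetime, accept.lifetime),
                }
    return None


Flow = Tuple[str, str]  # (source, destination) as written in the crypto ACL


def check_crypto_acls(local: List[Flow], remote: List[Flow]) -> dict:
    """Check that the remote crypto ACL is the mirror image of the local one.

    Reports the pairs protected on both sides, the entries each peer fails
    to mirror, and how many unidirectional IPsec SAs a full negotiation
    would create (two per matching pair).
    """
    mirrored_remote = {(dst, src) for src, dst in remote}
    local_set = set(local)
    common = local_set & mirrored_remote
    return {
        "pairs": sorted(common),
        "missing_on_remote": sorted(local_set - mirrored_remote),
        "missing_on_local": sorted(mirrored_remote - local_set),
        "ipsec_sa_count": 2 * len(common),
    }


# Values as configured on the two devices in this post.
ROUTER_871W_POLICIES = [IsakmpPolicy(1, "aes-256", "sha", 2, "pre-share", 43200)]
ASA5505_POLICIES = [IsakmpPolicy(1, "aes-256", "sha", 2, "pre-share", 86400)]
ROUTER_871W_ACL = [("192.168.1.1", "192.168.1.2")]   # access-list 100 on the router
ASA5505_ACL = [("192.168.1.2", "192.168.1.1")]       # access-list 100 on the ASA

# Constructed mismatch: the ASA only offers DH group 5, so Phase 1 never completes.
MISMATCHED_ASA_POLICIES = [IsakmpPolicy(1, "aes-256", "sha", 5, "pre-share", 86400)]


if __name__ == "__main__":
    print("Phase 1:", negotiate_phase1(ROUTER_871W_POLICIES, ASA5505_POLICIES))
    print("Phase 1 (group 5 on ASA):",
          negotiate_phase1(ROUTER_871W_POLICIES, MISMATCHED_ASA_POLICIES))
    print("Phase 2:", check_crypto_acls(ROUTER_871W_ACL, ASA5505_ACL))
```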


871W(config)#crypto ?
  ca            Certification authority
  call          Configure Crypto Call Admission Control
  ctcp          Configure cTCP encapsulation
  dynamic-map   Specify a dynamic crypto map template
  engine        Enter a crypto engine configurable menu
  gdoi          Configure GDOI policy
  identity      Enter a crypto identity list
  ipsec         Configure IPSEC policy
  isakmp        Configure ISAKMP policy
  key           Long term key operations
  keyring       Key ring commands
  logging       logging messages
  map           Enter a crypto map
  mib           Configure Crypto-related MIB Parameters
  pki           Public Key components
  provisioning  Secure Device Provisioning
  wui           Crypto HTTP configuration interfaces
  xauth         X-Auth parameters

871W(config)#crypto isakmp ?
  aggressive-mode       Disable ISAKMP aggressive mode
  client                Set client configuration policy
  enable                Enable ISAKMP
  fragmentation         IKE Fragmentation enabled if required
  identity              Set the identity which ISAKMP will use
  invalid-spi-recovery  Initiate IKE and send Invalid SPI Notify
  keepalive             Set a keepalive interval for use with IOS peers
  key                   Set pre-shared key for remote peer
  nat                   Set a nat  keepalive interval for use with IOS peers
  peer                  Set Peer Policy
  policy                Set policy for an ISAKMP protection suite
  profile               Define ISAKMP Profiles
  xauth                 Set Extended Authentication values

871W(config)#crypto isakmp policy ?
  <1-10000>  Priority of protection suite

871W(config)#crypto isakmp policy 1   // IKE PHASE 1 POLICY; LOWER  NUMBER PREFERRED
871W(config-isakmp)#?
ISAKMP commands:
  authentication  Set authentication method for protection suite
  default         Set a command to its defaults
  encryption      Set encryption algorithm for protection suite
  exit            Exit from ISAKMP protection suite configuration mode
  group           Set the Diffie-Hellman group
  hash            Set hash algorithm for protection suite
  lifetime        Set lifetime for ISAKMP security association
  no              Negate a command or set its defaults

871W(config-isakmp)#authentication ?
  pre-share  Pre-Shared Key
  rsa-encr   Rivest-Shamir-Adleman Encryption
  rsa-sig    Rivest-Shamir-Adleman Signature

871W(config-isakmp)#authentication pre-share
871W(config-isakmp)#encryption ?
  3des  Three key triple DES
  aes   AES - Advanced Encryption Standard.
  des   DES - Data Encryption Standard (56 bit keys).

871W(config-isakmp)#encryption aes ?
  128  128 bit keys.
  192  192 bit keys.
  256  256 bit keys.
  <cr>

871W(config-isakmp)#encryption aes 256   // USE STRONGER ALGORITHMS ON LOWER POLICY
871W(config-isakmp)#hash ?
  md5  Message Digest 5
  sha  Secure Hash Standard

871W(config-isakmp)#hash sha
871W(config-isakmp)#group ?
  1  Diffie-Hellman group 1
  2  Diffie-Hellman group 2
  5  Diffie-Hellman group 5

871W(config-isakmp)#group 2   // DEFAULT DH GROUP
871W(config-isakmp)#lifetime ?
  <60-86400>  lifetime in seconds

871W(config-isakmp)#lifetime 43200    // LOWER LIFETIME WILL BE CHOSEN BETWEEN VPN PEERS
871W(config-isakmp)#exit
871W(config)#crypto isakmp ?
  aggressive-mode       Disable ISAKMP aggressive mode
  client                Set client configuration policy
  enable                Enable ISAKMP
  fragmentation         IKE Fragmentation enabled if required
  identity              Set the identity which ISAKMP will use
  invalid-spi-recovery  Initiate IKE and send Invalid SPI Notify
  keepalive             Set a keepalive interval for use with IOS peers
  key                   Set pre-shared key for remote peer
  nat                   Set a nat  keepalive interval for use with IOS peers
  peer                  Set Peer Policy
  policy                Set policy for an ISAKMP protection suite
  profile               Define ISAKMP Profiles
  xauth                 Set Extended Authentication values

871W(config)#crypto isakmp key ?
  0  Specifies an UNENCRYPTED password will follow
  6  Specifies an ENCRYPTED password will follow

871W(config)#crypto isakmp key 6 ?
  WORD  The HIDDEN user password string

871W(config)#crypto isakmp key 6 cisco ?
  address   define shared key with IP address
  hostname  define shared key with hostname

871W(config)#crypto isakmp key 6 cisco address ?
  A.B.C.D  Peer IP address
  ipv6     define shared key with IPv6 address

871W(config)#crypto isakmp key 6 cisco address 192.168.1.2
871W(config)#crypto ipsec ?
  client                Configure a client
  df-bit                Handling of encapsulated DF bit.
  fragmentation         Handling of fragmentation of near-MTU sized packets
  nat-transparency      IPsec NAT transparency model
  optional              Enable optional encryption for IPSec
  profile               Configure an ipsec policy profile
  security-association  Security association parameters
  transform-set         Define transform and settings

871W(config)#crypto ipsec transform-set ?
  WORD  Transform set tag

871W(config)#crypto ipsec transform-set 871_IKEv1_TSET ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-seal      ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac  ESP transform using HMAC-SHA auth

871W(config)#crypto ipsec transform-set 871_IKEv1_TSET esp-aes ?
  128           128 bit keys.
  192           192 bit keys.
  256           256 bit keys.
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-sha-hmac  ESP transform using HMAC-SHA auth
  <cr>

871W(config)#crypto ipsec transform-set 871_IKEv1_TSET esp-aes 256 ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-sha-hmac  ESP transform using HMAC-SHA auth
  <cr>

871W(config)#crypto ipsec transform-set 871_IKEv1_TSET esp-aes 256 esp-sha-hmac   // IKE PHASE 2 POLICY
871W(cfg-crypto-trans)#exit
871W(config)#access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <700-799>         48-bit MAC address access list
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list

871W(config)#access-list 100 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment

871W(config)#access-list 100 permit ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

871W(config)#access-list 100 permit ip ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host

871W(config)#access-list 100 permit ip host 192.168.1.1 host 192.168.1.2   // CRYPTO ACL; REMOTE VPN ACL MUST BE REVERSED (MIRRORED)
871W(config)#crypto map ?
  WORD  Crypto map tag

871W(config)#crypto map 871_IKEv1_CMAP ?
  <1-65535>       Sequence to insert into crypto map entry
  client          Specify client configuration settings
  isakmp          Specify isakmp configuration settings
  isakmp-profile  Specify isakmp profile to use
  local-address   Interface to use for local address for this crypto map
  redundancy      High availability options for this map

871W(config)#crypto map 871_IKEv1_CMAP 1 ?
  gdoi          GDOI
  ipsec-isakmp  IPSEC w/ISAKMP
  ipsec-manual  IPSEC w/manual keying
  <cr>

871W(config)#crypto map 871_IKEv1_CMAP 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
871W(config-crypto-map)#?
Crypto Map configuration commands:
  default        Set a command to its defaults
  description    Description of the crypto map statement policy
  dialer         Dialer related commands
  exit           Exit from crypto map configuration mode
  match          Match values.
  no             Negate a command or set its defaults
  reverse-route  Reverse Route Injection.
  set            Set values for encryption/decryption

871W(config-crypto-map)#set ?
  identity              Identity restriction.
  ip                    Interface Internet Protocol config commands
  isakmp-profile        Specify isakmp Profile
  nat                   Set NAT translation
  peer                  Allowed Encryption/Decryption peer.
  pfs                   Specify pfs settings
  reverse-route         Reverse Route Injection.
  security-association  Security association parameters
  transform-set         Specify list of transform sets in priority order

871W(config-crypto-map)#set peer ?
  A.B.C.D  IP address of peer
  WORD     Host name of the peer

871W(config-crypto-map)#set peer 192.168.1.2
871W(config-crypto-map)#set transform-set ?
  WORD  Proposal tag

871W(config-crypto-map)#set transform-set 871_IKEv1_TSET
871W(config-crypto-map)#match ?
  address  Match address of packets to encrypt.

871W(config-crypto-map)#match address ?
  <100-199>    IP access-list number
  <2000-2699>  IP access-list number (expanded range)
  WORD         Access-list name

871W(config-crypto-map)#match address 100
871W(config-crypto-map)#exit
871W(config)#interface bvi1
871W(config-if)#ip address 192.168.1.1
871W(config-if)#crypto map 871_IKEv1_CMAP


----


ASA5505(config)# crypto ?

configure mode commands/options:
  ca           Certification authority
  dynamic-map  Configure a dynamic crypto map
  ikev1        Configure IKEv1 policy
  ikev2        Configure IKEv2 policy
  ipsec        Configure transform-set, IPSec SA lifetime, and fragmentation
  isakmp       Configure ISAKMP
  key          Long term key operations
  map          Configure a crypto map

exec mode commands/options:
  ca  Certification authority
ASA5505(config)# crypto ikev1 ?

configure mode commands/options:
  am-disable      Disable inbound aggressive mode connections
  enable          Enable IKEv1 on the specified interface
  ipsec-over-tcp  Enable and configure IPSec over TCP
  policy          Set IKEv1 policy suite
ASA5505(config)# crypto ikev1 enable ?

configure mode commands/options:
Type an interface name to enable
  inside   Name of interface Vlan1
  outside  Name of interface Vlan2
ASA5505(config)# crypto ikev1 enable outside
ASA5505(config)# crypto ikev1 policy ?

configure mode commands/options:
  <1-65535>  Policy suite priority(1 highest, 65535 lowest)
ASA5505(config)# crypto ikev1 policy 1   // IKE PHASE 1 POLICY
ASA5505(config-ikev1-policy)# ?

crypto ikev1 policy configuration commands:
  authentication  Set authentication method (pre-share or rsa-sig)
  encryption      Set encryption algorithm (des, 3des, aes-128, aes-192, or
                  aes-256)
  exit            Exit from crypto ikev1 policy configuration mode
  group           Set Diffie-Hellman group (1,2 or 5)
  hash            Set hash algorithm (md5 or sha1)
  help            Help for crypto ikev1 policy configuration commands
  lifetime        Set IKEV1 SA lifetime (seconds)
  no              Negate a command or set its defaults
  <cr>
ASA5505(config-ikev1-policy)# authentication ?

ikev1-policy mode commands/options:
  crack      set auth crack
  pre-share  set auth pre-share
  rsa-sig    set auth rsa-sig
ASA5505(config-ikev1-policy)# authentication pre-share
ASA5505(config-ikev1-policy)# encryption ?

ikev1-policy mode commands/options:
  3des     3des encryption
  aes      aes-128 encryption
  aes-192  aes-192 encryption
  aes-256  aes-256 encryption
  des      des encryption
ASA5505(config-ikev1-policy)# encryption aes-256
ASA5505(config-ikev1-policy)# hash ?

ikev1-policy mode commands/options:
  md5  set hash md5
  sha  set hash sha1
ASA5505(config-ikev1-policy)# hash sha
ASA5505(config-ikev1-policy)# group ?

ikev1-policy mode commands/options:
  1  Diffie-Hellman group 1
  2  Diffie-Hellman group 2
  5  Diffie-Hellman group 5
  7  Diffie-Hellman group 7 (DEPRECATED)
ASA5505(config-ikev1-policy)# group 2
ASA5505(config-ikev1-policy)# lifetime 86400   // 43200 SECONDS WILL BE CHOSEN
ASA5505(config-ikev1-policy)# exit
ASA5505(config)# crypto ipsec ?

configure mode commands/options:
  df-bit                Set IPsec DF policy
  fragmentation         Set IPsec fragmentation policy
  ikev1                 Set IKEv1 settings
  ikev2                 Set IKEv2 settings
  security-association  Set security association parameters
ASA5505(config)# crypto ipsec ikev1 ?

configure mode commands/options:
  transform-set  Define transform and settings
ASA5505(config)# crypto ipsec ikev1 transform-set ?

configure mode commands/options:
  WORD < 64 char  Transform set tag
ASA5505(config)# crypto ipsec ikev1 transform-set 5505_IKEv1_TSET ?

configure mode commands/options:
  esp-3des      esp 3des encryption
  esp-aes       esp aes 128 encryption
  esp-aes-192   esp aes 192 encryption
  esp-aes-256   esp aes 256 encryption
  esp-des       esp des encryption
  esp-md5-hmac  esp md5 authentication
  esp-none      esp no authentication
  esp-null      esp null encryption
  esp-sha-hmac  esp sha authentication
  mode          mode transport
ASA5505(config)# crypto ipsec ikev1 transform-set 5505_IKEv1_TSET esp-aes-256 ?

configure mode commands/options:
  esp-3des      esp 3des encryption
  esp-aes       esp aes 128 encryption
  esp-aes-192   esp aes 192 encryption
  esp-aes-256   esp aes 256 encryption
  esp-des       esp des encryption
  esp-md5-hmac  esp md5 authentication
  esp-none      esp no authentication
  esp-null      esp null encryption
  esp-sha-hmac  esp sha authentication
  <cr>
ASA5505(config)# crypto ipsec ikev1 transform-set 5505_IKEv1_TSET esp-aes-256 esp-sha-hmac  // IKE PHASE 2 POLICY
ASA5505(config)# access-list ?

configure mode commands/options:
  WORD < 241 char  Access list identifier
  alert-interval   Specify the alert interval for generating syslog message
                   106001 which alerts that the system has reached a deny flow
                   maximum. If not specified, the default value is 300 sec
  deny-flow-max    Specify the maximum number of concurrent deny flows that can
                   be created. If not specified, the default value is 4096
ASA5505(config)# access-list 100 ?

configure mode commands/options:
  deny      Specify packets to reject
  extended  Configure access policy for IP traffic through the system
  line      Use this to specify line number at which ACE should be entered
  permit    Specify packets to forward
  remark    Specify a comment (remark) for the access-list after this keyword
  rename    rename an existing access-list
  standard  Use this to configure policy having destination host or network
            only
  webtype   Use this to configure WebVPN related policy
ASA5505(config)# access-list 100 extended ?

configure mode commands/options:
  deny    Specify packets to reject
  permit  Specify packets to forward
ASA5505(config)# access-list 100 extended permit ?

configure mode commands/options:
  <0-255>       Enter protocol number (0 - 255)
  ah
  eigrp
  esp
  gre
  icmp
  icmp6
  igmp
  igrp
  ip
  ipinip
  ipsec
  nos
  object        Specify a service object after this keyword
  object-group  Specify a service or protocol object-group after this keyword
  ospf
  pcp
  pim
  pptp
  snp
  tcp
  udp
ASA5505(config)# access-list 100 extended permit ip ?

configure mode commands/options:
  A.B.C.D                Source IP address
  X:X:X:X::X/<0-128>     Source IPv6 address/prefix
  any                    Abbreviation for source address/mask of
                         0.0.0.0/0.0.0.0 OR source prefix ::/0
  any4                   Abbreviation of source address and mask of 0.0.0.0
                         0.0.0.0
  any6                   Abbreviation for source prefix ::/0
  host                   Use this keyword to configure source host
  interface              Use interface address as source address
  object                 Keyword to enter source object name
  object-group           Network object-group for source address
  object-group-security  Keyword to specify security object-group for source
  object-group-user      Keyword to specify user object-group for source
  security-group         Keyword to specify inline security-group
  user                   Keyword to specify user for source
  user-group             Keyword to specify user-group for source
ASA5505(config)# access-list 100 extended permit ip host ?

configure mode commands/options:
  A.B.C.D     Source host IPv4 address
  X:X:X:X::X  Source host IPv6 address
ASA5505(config)# access-list 100 extended permit ip host 192.168.1.2 ?

configure mode commands/options:
  A.B.C.D                Destination IP address
  X:X:X:X::X/<0-128>     Destination IPv6 address/prefix
  any                    Abbreviation for destination address/mask of
                         0.0.0.0/0.0.0.0 OR destination prefix ::/0
  any4                   Abbreviation for destination address and mask of
                         0.0.0.0 0.0.0.0
  any6                   Abbreviation for destination prefix ::/0
  host                   Use this keyword to configure destination host
  interface              Use interface address as destination address
  object                 Keyword to enter destination object name
  object-group           Network object-group for destination address
  object-group-security  Keyword to specify security object-group for
                         destination
  security-group         Keyword to specify inline security-group
ASA5505(config)# access-list 100 extended permit ip host 192.168.1.2 host 192.168.1.1
ASA5505(config)# crypto map ?

configure mode commands/options:
  WORD < 64 char  Crypto map template tag
ASA5505(config)# crypto map 5505_IKEv1_CMAP ?

configure mode commands/options:
  <1-65535>  Sequence to insert into map entry
  client     Enable IKE extended authentication (Xauth)
  interface  Name of interface to apply the crypto map to
ASA5505(config)# crypto map 5505_IKEv1_CMAP 1 ?

configure mode commands/options:
  annotation    Specify annotation text - to be used by ASDM only
  ipsec-isakmp  IPSec w/ISAKMP
  match         Match address of packets to encrypt
  set           Specify crypto map settings
ASA5505(config)# crypto map 5505_IKEv1_CMAP 1 set ?

configure mode commands/options:
  connection-type       Specify connection-type for site-site connection based
                        on this entry
  df-bit                Set IPsec DF policy
  ikev1                 Configure IKEv1 policy
  ikev2                 Configure IKEv2 policy
  nat-t-disable         Disable nat-t negotiation for connections based on this
                        entry
  peer                  Set IP address of peer
  pfs                   Specify pfs settings
  reverse-route         Enable reverse route injection for connections based on
                        this entry
  security-association  Security association duration
  tfc-packets           Configure TFC packets to mask a tunnel's traffic
                        profile
  trustpoint            Specify trustpoint that defines the certificate to be
                        used while initiating a connection based on this entry
  validate-icmp-errors  Set Validate ICMP Errors
ASA5505(config)# crypto map 5505_IKEv1_CMAP 1 set peer ?

configure mode commands/options:
  Hostname or A.B.C.D     IP address
  Hostname or X:X:X:X::X  IPv6 address
ASA5505(config)# crypto map 5505_IKEv1_CMAP 1 set peer 192.168.1.1
ASA5505(config)# crypto map 5505_IKEv1_CMAP 1 set ikev1 ?

configure mode commands/options:
  phase1-mode    Specify mode(main or aggressive) to be used while initiating a
                 connection based on this entry
  transform-set  Specify list of transform sets in priority order
ASA5505(config)# crypto map 5505_IKEv1_CMAP 1 set ikev1 transform-set ?

configure mode commands/options:
  WORD  Proposal tag
ASA5505(config)# crypto map 5505_IKEv1_CMAP 1 set ikev1 transform-set 5505_IKEv1_TSET
ASA5505(config)# crypto map 5505_IKEv1_CMAP 1 match ?

configure mode commands/options:
  address  Match address of packets to encrypt
ASA5505(config)# crypto map 5505_IKEv1_CMAP 1 match address ?

configure mode commands/options:
  WORD  Access-list name
ASA5505(config)# crypto map 5505_IKEv1_CMAP 1 match address 100
ASA5505(config)# crypto map 5505_IKEv1_CMAP ?

configure mode commands/options:
  <1-65535>  Sequence to insert into map entry
  client     Enable IKE extended authentication (Xauth)
  interface  Name of interface to apply the crypto map to
ASA5505(config)# crypto map 5505_IKEv1_CMAP interface ?

configure mode commands/options:
Current available interface(s):
  inside   Name of interface Vlan1
  outside  Name of interface Vlan2
ASA5505(config)# crypto map 5505_IKEv1_CMAP interface outside
ASA5505(config)# tunnel-group ?

configure mode commands/options:
  WORD < 65 char  Enter the name of the tunnel group
ASA5505(config)# tunnel-group 192.168.1.1 ?

configure mode commands/options:
  type  Enter the type of this group-policy
ASA5505(config)# tunnel-group 192.168.1.1 type ?

configure mode commands/options:
  ipsec-l2l      IPSec Site to Site group
  ipsec-ra       IPSec Remote Access group (DEPRECATED)
  remote-access  Remote access (IPSec and WebVPN) group
  webvpn         WebVPN group (DEPRECATED)
ASA5505(config)# tunnel-group 192.168.1.1 type ipsec-l2l
ASA5505(config)# tunnel-group 192.168.1.1 ?

configure mode commands/options:
  general-attributes  Enter the general-attributes sub command mode
  ipsec-attributes    Enter the ipsec-attributes sub command mode
ASA5505(config)# tunnel-group 192.168.1.1 ipsec-attributes
ASA5505(config-tunnel-ipsec)# ?

tunnel-group configuration commands:
  chain             Enable sending certificate chain
  exit              Exit from tunnel-group IPSec attribute configuration mode
  help              Help for tunnel group configuration commands
  ikev1             Configure IKEv1
  ikev2             Configure IKEv2
  isakmp            Configure ISAKMP policy
  no                Remove an attribute value pair
  peer-id-validate  Validate identity of the peer using the peer's certificate
ASA5505(config-tunnel-ipsec)# ikev1 ?

tunnel-group-ipsec mode commands/options:
  pre-shared-key       Associate a pre-shared key with the connection policy
  trust-point          Select the trustpoint that identifies the cert to be
                       sent to the IKE peer
  user-authentication  Set the IKEv1 user authentication method
ASA5505(config-tunnel-ipsec)# ikev1 pre-shared-key ?

tunnel-group-ipsec mode commands/options:
  0                Specifies an UNENCRYPTED password will follow
  8                Specifies an ENCRYPTED password will follow
  WORD < 129 char  Enter an alphanumeric string between 1-128 characters
ASA5505(config-tunnel-ipsec)# ikev1 pre-shared-key cisco


Here are some helpful show and debug commands to troubleshoot IKEv1 IPsec site-to-site VPNs on an ASA, and their equivalent commands on an IOS router:

ASA5505# show run crypto ikev1
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

ASA5505# show run crypto ipsec
crypto ipsec ikev1 transform-set 5505_IKEv1_TSET esp-aes-256 esp-sha-hmac

ASA5505# show run crypto map
crypto map 5505_IKEv1_CMAP 1 match address 100
crypto map 5505_IKEv1_CMAP 1 set peer 192.168.1.1
crypto map 5505_IKEv1_CMAP 1 set ikev1 transform-set 5505_IKEv1_TSET
crypto map 5505_IKEv1_CMAP interface outside


ASA5505# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.1.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE    // QM_IDLE ON IOS ROUTER

There are no IKEv2 SAs


ASA5505# show crypto ipsec sa
interface: outside
    Crypto map tag: 5505_IKEv1_CMAP, seq num: 1, local addr: 192.168.1.2

      access-list 100 extended permit ip host 192.168.1.2 host 192.168.1.1
      local ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
      current_peer: 192.168.1.1

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.2/0, remote crypto endpt.: 192.168.1.1/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: A21332F0
      current inbound spi : AF168576

    inbound esp sas:
      spi: 0xAF168576 (2937488758)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 4096, crypto-map: 5505_IKEv1_CMAP
         sa timing: remaining key lifetime (kB/sec): (4373999/3557)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0xA21332F0 (2719167216)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 4096, crypto-map: 5505_IKEv1_CMAP
         sa timing: remaining key lifetime (kB/sec): (4373999/3557)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


871W#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.1.2     192.168.1.1     QM_IDLE           2001    0 ACTIVE

IPv6 Crypto ISAKMP SA


871W#show crypto ipsec sa

interface: BVI1
    Crypto map tag: 871_IKEv1_CMAP, local addr 192.168.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
   current_peer 192.168.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb BVI1
     current outbound spi: 0xAF168576(2937488758)

     inbound esp sas:
      spi: 0xA21332F0(2719167216)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: Motorola SEC 1.0:1, crypto map: 871_IKEv1_CMAP
        sa timing: remaining key lifetime (k/sec): (4472107/3511)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xAF168576(2937488758)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: Motorola SEC 1.0:2, crypto map: 871_IKEv1_CMAP
        sa timing: remaining key lifetime (k/sec): (4472107/3511)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:


ASA5505# debug crypto ?

  ca          Set PKI debug levels
  condition   Set IPSec/ISAKMP debug filters
  engine      Set crypto engine debug levels
  ike-common  Set IKE common debug levels
  ikev1       Set IKEV1 debug levels
  ikev2       Set IKEV2 debug levels
  ipsec       Set IPSec debug levels
  ss-api      Set Crypto Secure Socket API debug levels
  vpnclient   Set EasyVPN client debug levels
ASA5505# debug crypto ikev1 ?

  <1-255>  Specify an optional debug level (default is 1)
  timers   debug the ikev1 timers
  <cr>
ASA5505# debug crypto ikev1 255
ASA5505# Jul 27 15:47:06 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Sending keep-alive of type DPD R-U-THERE (seq number 0xfa85369)
Jul 27 15:47:06 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, constructing blank hash payload
Jul 27 15:47:06 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, constructing qm hash payload
Jul 27 15:47:06 [IKEv1]IP = 192.168.1.1, IKE_DECODE SENDING Message (msgid=c2227fd5) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
8e f0 e6 3e 21 0f 48 19 f9 0b 79 51 46 e5 b2 44    |  ...>!.H...yQF..D
08 10 05 00 d5 7f 22 c2 1c 00 00 00 0b 00 00 18    |  .....".........
0b 1c 28 95 78 17 70 07 09 7d 37 14 db 49 8c 48    |  ..(.x.p..}7..I.H
ce 14 9a 4b 00 00 00 20 00 00 00 01 01 10 8d 28    |  ...K... .......(
8e f0 e6 3e 21 0f 48 19 f9 0b 79 51 46 e5 b2 44    |  ...>!.H...yQF..D
0f a8 53 69                                        |  ..Si

ISAKMP Header
  Initiator COOKIE: 8e f0 e6 3e 21 0f 48 19
  Responder COOKIE: f9 0b 79 51 46 e5 b2 44
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (none)
  MessageID: D57F22C2
  Length: 469762048
  Payload Hash
    Next Payload: Notification
    Reserved: 00
    Payload Length: 24
    Data:
      0b 1c 28 95 78 17 70 07 09 7d 37 14 db 49 8c 48
      ce 14 9a 4b
  Payload Notification
    Next Payload: None
    Reserved: 00
    Payload Length: 32
    DOI: IPsec
    Protocol-ID: PROTO_ISAKMP
    Spi Size: 16
    Notify Type: R_U_THERE
    SPI:
      8e f0 e6 3e 21 0f 48 19 f9 0b 79 51 46 e5 b2 44
    Data: 0f a8 53 69

ISAKMP Header
  Initiator COOKIE: 8e f0 e6 3e 21 0f 48 19
  Responder COOKIE: f9 0b 79 51 46 e5 b2 44
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (Encryption)
  MessageID: C2227FD5
  Length: 92


IKE Recv RAW packet dump
8e f0 e6 3e 21 0f 48 19 f9 0b 79 51 46 e5 b2 44    |  ...>!.H...yQF..D
08 10 05 01 1f 35 1f 3c 00 00 00 5c 00 4d bb 90    |  .....5.<...\.M..
f3 85 9b 86 93 bb ab 22 d6 23 ef 7e e2 ad 16 65    |  .......".#.~...e
62 1d 69 00 82 5c 34 86 74 fb c9 3a 6b 49 ab 08    |  b.i..\4.t..:kI..
2c ff 94 d2 83 bb d4 1a 0c e7 53 29 ea b4 80 95    |  ,.........S)....
13 31 8c 09 39 12 1a a4 76 bc d4 dd                |  .1..9...v...

 RECV PACKET from 192.168.1.1
ISAKMP Header
  Initiator COOKIE: 8e f0 e6 3e 21 0f 48 19
  Responder COOKIE: f9 0b 79 51 46 e5 b2 44
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (Encryption)
  MessageID: 1F351F3C
  Length: 92

AFTER DECRYPTION
ISAKMP Header
  Initiator COOKIE: 8e f0 e6 3e 21 0f 48 19
  Responder COOKIE: f9 0b 79 51 46 e5 b2 44
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (Encryption)
  MessageID: 1F351F3C
  Length: 92
  Payload Hash
    Next Payload: Notification
    Reserved: 00
    Payload Length: 24
    Data:
      88 af 61 fc 7e ee 2c 17 b5 85 99 47 2a e5 96 e4
      3d ce a7 94
  Payload Notification
    Next Payload: None
    Reserved: 00
    Payload Length: 32
    DOI: IPsec
    Protocol-ID: PROTO_ISAKMP
    Spi Size: 16
    Notify Type: R_U_THERE_ACK
    SPI:
      8e f0 e6 3e 21 0f 48 19 f9 0b 79 51 46 e5 b2 44
    Data: 0f a8 53 69
Jul 27 15:47:06 [IKEv1]IP = 192.168.1.1, IKE_DECODE RECEIVED Message (msgid=1f351f3c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jul 27 15:47:06 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, processing hash payload
Jul 27 15:47:06 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, processing notify payload
Jul 27 15:47:06 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xfa85369)
Jul 27 15:47:16 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Sending keep-alive of type DPD R-U-THERE (seq number 0xfa8536a)
Jul 27 15:47:16 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, constructing blank hash payload
Jul 27 15:47:16 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, constructing qm hash payload
Jul 27 15:47:16 [IKEv1]IP = 192.168.1.1, IKE_DECODE SENDING Message (msgid=86feac10) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
8e f0 e6 3e 21 0f 48 19 f9 0b 79 51 46 e5 b2 44    |  ...>!.H...yQF..D
08 10 05 00 10 ac fe 86 1c 00 00 00 0b 00 00 18    |  ................
e9 ee f3 46 cb a6 4b 95 0d f0 c7 83 48 a5 75 50    |  ...F..K.....H.uP
a0 49 b4 d9 00 00 00 20 00 00 00 01 01 10 8d 28    |  .I..... .......(
8e f0 e6 3e 21 0f 48 19 f9 0b 79 51 46 e5 b2 44    |  ...>!.H...yQF..D
0f a8 53 6a                                        |  ..Sj

ISAKMP Header
  Initiator COOKIE: 8e f0 e6 3e 21 0f 48 19
  Responder COOKIE: f9 0b 79 51 46 e5 b2 44
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (none)
  MessageID: 10ACFE86
  Length: 469762048
  Payload Hash
    Next Payload: Notification
    Reserved: 00
    Payload Length: 24
    Data:
      e9 ee f3 46 cb a6 4b 95 0d f0 c7 83 48 a5 75 50
      a0 49 b4 d9
  Payload Notification
    Next Payload: None
    Reserved: 00
    Payload Length: 32
    DOI: IPsec
    Protocol-ID: PROTO_ISAKMP
    Spi Size: 16
    Notify Type: R_U_THERE
    SPI:
      8e f0 e6 3e 21 0f 48 19 f9 0b 79 51 46 e5 b2 44
    Data: 0f a8 53 6a

ISAKMP Header
  Initiator COOKIE: 8e f0 e6 3e 21 0f 48 19
  Responder COOKIE: f9 0b 79 51 46 e5 b2 44
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (Encryption)
  MessageID: 86FEAC10
  Length: 92


IKE Recv RAW packet dump
8e f0 e6 3e 21 0f 48 19 f9 0b 79 51 46 e5 b2 44    |  ...>!.H...yQF..D
08 10 05 01 9c c2 18 86 00 00 00 5c e2 d6 cb 79    |  ...........\...y
77 f5 33 51 aa 10 b5 7f 7c 9c 08 da e2 7a 18 d7    |  w.3Q...|....z..
93 8f ff 73 bf ce 66 40 8c 81 28 ec 50 ad 58 af    |  ...s..f@..(.P.X.
8c 64 42 b1 88 ea 12 2b 50 ce cf c8 d7 4e 5c 6e    |  .dB....+P....N\n
e0 48 b8 b9 a5 d6 f2 b8 c7 d8 1e 16                |  .H..........

 RECV PACKET from 192.168.1.1
ISAKMP Header
  Initiator COOKIE: 8e f0 e6 3e 21 0f 48 19
  Responder COOKIE: f9 0b 79 51 46 e5 b2 44
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (Encryption)
  MessageID: 9CC21886
  Length: 92

AFTER DECRYPTION
ISAKMP Header
  Initiator COOKIE: 8e f0 e6 3e 21 0f 48 19
  Responder COOKIE: f9 0b 79 51 46 e5 b2 44
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (Encryption)
  MessageID: 9CC21886
  Length: 92
  Payload Hash
    Next Payload: Notification
    Reserved: 00
    Payload Length: 24
    Data:
      9e 3b ae fa 17 d3 f0 0d a3 80 7a 6f 04 13 e0 b8
      d4 00 6e ba
  Payload Notification
    Next Payload: None
    Reserved: 00
    Payload Length: 32
    DOI: IPsec
    Protocol-ID: PROTO_ISAKMP
    Spi Size: 16
    Notify Type: R_U_THERE_ACK
    SPI:
      8e f0 e6 3e 21 0f 48 19 f9 0b 79 51 46 e5 b2 44
    Data: 0f a8 53 6a
Jul 27 15:47:16 [IKEv1]IP = 192.168.1.1, IKE_DECODE RECEIVED Message (msgid=9cc21886) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jul 27 15:47:16 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, processing hash payload
Jul 27 15:47:16 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, processing notify payload
Jul 27 15:47:16 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xfa8536a)
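The raw dumps above can be decoded by hand against RFC 2408 to confirm what the ASA's decoder prints, including the odd "Length: 469762048" on the pre-encryption dump (the ASA dumps that header before the message ID and length have been converted to network byte order, so 0x1C000000 is the 28-byte header size byte-swapped). The following is an added example, not code from the post or from Cisco; it parses the ISAKMP header and, for the cleartext send-side packet, the Hash and Notification payloads carrying the DPD R-U-THERE sequence number. The two byte strings are copied from the dumps above with the ASCII gutter dropped.

```python
import struct

# Standard IKEv1 identifiers (RFC 2408) and the DPD notify types (RFC 3706).
PAYLOAD_NAMES = {0: "None", 8: "Hash", 11: "Notification"}
NOTIFY_TYPES = {36136: "R_U_THERE", 36137: "R_U_THERE_ACK"}
HDR_LEN = 28  # fixed ISAKMP header size
# Raw dumps copied from the 'debug crypto ikev1 255' output above (hex columns only).
SENT_DUMP = """8e f0 e6 3e 21 0f 48 19 f9 0b 79 51 46 e5 b2 44
08 10 05 00 d5 7f 22 c2 1c 00 00 00 0b 00 00 18
0b 1c 28 95 78 17 70 07 09 7d 37 14 db 49 8c 48
ce 14 9a 4b 00 00 00 20 00 00 00 01 01 10 8d 28
8e f0 e6 3e 21 0f 48 19 f9 0b 79 51 46 e5 b2 44
0f a8 53 69"""
RECV_DUMP = """8e f0 e6 3e 21 0f 48 19 f9 0b 79 51 46 e5 b2 44
08 10 05 01 1f 35 1f 3c 00 00 00 5c 00 4d bb 90
f3 85 9b 86 93 bb ab 22 d6 23 ef 7e e2 ad 16 65
62 1d 69 00 82 5c 34 86 74 fb c9 3a 6b 49 ab 08
2c ff 94 d2 83 bb d4 1a 0c e7 53 29 ea b4 80 95
13 31 8c 09 39 12 1a a4 76 bc d4 dd"""

def dump_to_bytes(text):
    """Turn a 'debug crypto' hex dump (with or without the '| ascii' gutter) into bytes."""
    return bytes.fromhex("".join(line.split("|")[0] for line in text.splitlines()))

def parse_isakmp(pkt):
    """Decode the ISAKMP header; walk the payload chain only when the packet is in the clear."""
    icookie, rcookie, nxt, ver, exch, flags, msgid, length = struct.unpack("!8s8sBBBBLL", pkt[:HDR_LEN])
    hdr = {"icookie": icookie.hex(), "rcookie": rcookie.hex(), "version": f"{ver >> 4}.{ver & 0xF}",
           "exchange": {5: "Informational"}.get(exch, exch), "encrypted": bool(flags & 0x01),
           "msgid": f"{msgid:08X}", "length": length, "length_ok": length == len(pkt), "payloads": []}
    # The pre-encryption dump still holds msgid/length in host byte order, so a wire-order
    # decode gives Length 469762048 (0x1C000000: the 28-byte header size, byte-swapped).
    hdr["length_host_order"] = struct.unpack("<L", pkt[24:28])[0]
    off = HDR_LEN
    while not hdr["encrypted"] and nxt != 0 and off + 4 <= len(pkt):
        p_next, _rsv, p_len = struct.unpack("!BBH", pkt[off:off + 4])
        if p_len < 4 or off + p_len > len(pkt):
            break  # malformed generic payload header; stop rather than loop forever
        body, entry = pkt[off + 4:off + p_len], {"type": PAYLOAD_NAMES.get(nxt, nxt), "length": p_len}
        if nxt == 11:  # Notification: DOI(4) proto(1) spi_size(1) notify_type(2) SPI data
            doi, proto, spi_size, ntype = struct.unpack("!LBBH", body[:8])
            entry.update(doi=doi, proto=proto, notify=NOTIFY_TYPES.get(ntype, ntype),
                         spi=body[8:8 + spi_size].hex(), data=body[8 + spi_size:].hex())
        elif nxt == 8:
            entry["hash"] = body.hex()
        hdr["payloads"].append(entry)
        nxt, off = p_next, off + p_len
    return hdr
```

The Notification's SPI field is the concatenated initiator and responder cookies, and its 4-byte data is the DPD sequence number (0x0fa85369) that the debug line reports; the received packet is encrypted, so only its header is decoded.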