The Cisco Easy VPN solution lets remote sites and users connect into your environment over an IPsec tunnel, and requires only a few basic parameters (server address, group name and key, user credentials) to be entered on the remote device.
It can enable a hardware device or software client to connect to an environment using a minimal IPsec configuration. A central site can push policy information and updates to the connecting device or client, providing a scalable and manageable solution when working with multiple remote sites.
An Easy VPN solution contains the following three components:
* Easy VPN Remote: The connecting device, which can be a hardware router (800, 1700, 1800, 1900, 2800, 2900, or 3800 and UBR900) or a firewall appliance (ASA 5505, PIX 501, and 506E). Easy VPN can enable these devices to connect to the Easy VPN server and receive policy information with as little as an IP address and password configured.
* Easy VPN Client: The Cisco IPsec VPN client software that can be used by remote and mobile workers to connect to the Easy VPN server.
* Easy VPN Server: The terminating device, situated at a central site, can run on either a router (800, 1700, 1800, 1900, 2800, 2900, 3800, 3900, ASR1000, 6500 or 7600 with VPN SPA, 7200, 7301 series) or a firewall (Cisco ASA 5500 and PIX appliances). The Easy VPN Server uses the IKEv1 Mode-Config mechanism to push policy attributes - for example, DNS addresses, split-tunneling configuration, banners, firewall policies, and IP addressing information for VPN client software - to Easy VPN Remote devices and clients each time they connect.
For this scenario, I've used my Cisco 871W router as the Easy VPN server and an ASA 5505 firewall as the hardware client. Easy VPN Remote (hardware client) mode is available only on the ASA 5505 platform because of its Small Office/Home Office (SOHO) role, although the 5505 can also operate as an Easy VPN server. The ASA 5510 and higher platforms can act only as an Easy VPN server.
871W(config)#aaa new-model // REQUIRED FOR EZVPN CRYPTO MAP
871W(config)#aaa ?
accounting Accounting configurations parameters.
attribute AAA attribute definitions
authentication Authentication configurations parameters.
authorization Authorization configurations parameters.
cache AAA cache definitions
configuration Authorization configuration parameters.
dnis Associate certain AAA parameters to a specific DNIS number
group AAA group definitions
local AAA Local method options
max-sessions Adjust initial hash size for estimated max sessions
nas NAS specific configuration
new-model Enable NEW access control commands and functions.(Disables
OLD commands.)
pod POD processing
route Static route downloading
server Local AAA server
session-id AAA Session ID
traceback Traceback recording
user AAA user definitions
871W(config)#aaa authentication ?
arap Set authentication lists for arap.
attempts Set the maximum number of authentication attempts
banner Message to use when starting login/authentication.
dot1x Set authentication lists for IEEE 802.1x.
enable Set authentication list for enable.
eou Set authentication lists for EAPoUDP
fail-message Message to use for failed login/authentication.
login Set authentication lists for logins.
password-prompt Text to use when prompting for a password
ppp Set authentication lists for ppp.
sgbp Set authentication lists for sgbp.
username-prompt Text to use when prompting for a username
871W(config)#aaa authentication login ?
WORD Named authentication list.
default The default authentication list.
871W(config)#aaa authentication login EZVPN_AUTHENTICATION ?
enable Use enable password for authentication.
group Use Server-group
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.
passwd-expiry enable the login list to provide password aging support
871W(config)#aaa authentication login EZVPN_AUTHENTICATION local
871W(config)#aaa authorization ?
auth-proxy For Authentication Proxy Services
cache For AAA cache configuration
commands For exec (shell) commands.
config-commands For configuration mode commands.
configuration For downloading configurations from AAA server
console For enabling console authorization
exec For starting an exec (shell).
ipmobile For Mobile IP services.
multicast For downloading Multicast configurations from an AAA server
network For network services. (PPP, SLIP, ARAP)
prepaid For diameter prepaid services.
reverse-access For reverse access connections
template Enable template authorization
871W(config)#aaa authorization network ?
WORD Named authorization list.
default The default authorization list.
871W(config)#aaa authorization network EZVPN_AUTHORIZATION ?
group Use server-group.
if-authenticated Succeed if user has authenticated.
local Use local database.
none No authorization (always succeeds).
871W(config)#aaa authorization network EZVPN_AUTHORIZATION local
871W(config)#username ?
WORD User name
871W(config)#username ezvpnuser ?
aaa AAA directive
access-class Restrict access by access-class
autocommand Automatically issue a command after the user logs in
callback-dialstring Callback dialstring
callback-line Associate a specific line with this callback
callback-rotary Associate a rotary group with this callback
dnis Do not require password when obtained via DNIS
nocallback-verify Do not require authentication after callback
noescape Prevent the user from using an escape character
nohangup Do not disconnect after an automatic command
nopassword No password is required for the user to log in
one-time Specify that the username/password is valid for only one
time
password Specify the password for the user
privilege Set user privilege level
secret Specify the secret for the user
user-maxlinks Limit the user's number of inbound links
view Set view name
<cr>
871W(config)#username ezvpnuser password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) user password
871W(config)#username ezvpnuser password cisco // NEED TO INPUT ON EZVPN CLIENT
871W(config)#
871W(config)#crypto ?
ca Certification authority
call Configure Crypto Call Admission Control
ctcp Configure cTCP encapsulation
dynamic-map Specify a dynamic crypto map template
engine Enter a crypto engine configurable menu
gdoi Configure GDOI policy
identity Enter a crypto identity list
ipsec Configure IPSEC policy
isakmp Configure ISAKMP policy
key Long term key operations
keyring Key ring commands
logging logging messages
map Enter a crypto map
mib Configure Crypto-related MIB Parameters
pki Public Key components
provisioning Secure Device Provisioning
wui Crypto HTTP configuration interfaces
xauth X-Auth parameters
871W(config)#crypto isakmp ?
aggressive-mode Disable ISAKMP aggressive mode
client Set client configuration policy
enable Enable ISAKMP
fragmentation IKE Fragmentation enabled if required
identity Set the identity which ISAKMP will use
invalid-spi-recovery Initiate IKE and send Invalid SPI Notify
keepalive Set a keepalive interval for use with IOS peers
key Set pre-shared key for remote peer
nat Set a nat keepalive interval for use with IOS peers
peer Set Peer Policy
policy Set policy for an ISAKMP protection suite
profile Define ISAKMP Profiles
xauth Set Extended Authentication values
871W(config)#crypto isakmp policy ?
<1-10000> Priority of protection suite
871W(config)#crypto isakmp policy 10
871W(config-isakmp)#?
ISAKMP commands:
authentication Set authentication method for protection suite
default Set a command to its defaults
encryption Set encryption algorithm for protection suite
exit Exit from ISAKMP protection suite configuration mode
group Set the Diffie-Hellman group
hash Set hash algorithm for protection suite
lifetime Set lifetime for ISAKMP security association
no Negate a command or set its defaults
871W(config-isakmp)#encryption ?
3des Three key triple DES
aes AES - Advanced Encryption Standard.
des DES - Data Encryption Standard (56 bit keys).
871W(config-isakmp)#encryption aes ?
128 128 bit keys.
192 192 bit keys.
256 256 bit keys.
<cr>
871W(config-isakmp)#encryption aes 256
871W(config-isakmp)#authentication ?
pre-share Pre-Shared Key
rsa-encr Rivest-Shamir-Adleman Encryption
rsa-sig Rivest-Shamir-Adleman Signature
871W(config-isakmp)#authentication pre-share
871W(config-isakmp)#group ?
1 Diffie-Hellman group 1
2 Diffie-Hellman group 2
5 Diffie-Hellman group 5
871W(config-isakmp)#group 2
871W(config-isakmp)#exit
871W(config)#crypto isakmp client ?
configuration Set client configuration policy
firewall Define client firewall
871W(config)#crypto isakmp client configuration ?
address-pool Set network address for client
browser-proxy Set browser proxy attributes for client
group Set group profile attributes for client
871W(config)#crypto isakmp client configuration group ?
WORD group name
871W(config)#crypto isakmp client configuration group EZVPN // NEED TO INPUT IN EZVPN CLIENT
871W(config-isakmp-group)#?
ISAKMP group policy config commands:
access-restrict Restrict clients in this group to an interface
acl Specify split tunneling inclusion access-list
number
auto-update Configure auto-upgrade
backup-gateway Specify backup gateway
banner Specify mode config banner
browser-proxy Configure browser-proxy
configuration Push configuration to the client
crypto Client group crypto aaa attribute list
dhcp Configure DHCP parameters
dns Specify DNS Addresses
domain Set default domain name to send to client
exit Exit from ISAKMP client group policy
configuration mode
firewall Enforce group firewall feature
group-lock Enforce group lock feature
include-local-lan Enable Local LAN Access with no split tunnel
key pre-shared key/IKE password
max-logins Set maximum simultaneous logins for users in
this group
max-users Set maximum number of users for this group
netmask netmask used by the client for local
connectivity
no Negate a command or set its defaults
pfs The client should propose PFS
pool Set name of address pool
save-password Allows remote client to save XAUTH password
smartcard-removal-disconnect Enables smartcard-removal-disconnect
split-dns DNS name to append for resolution
wins Specify WINS Addresses
871W(config-isakmp-group)#key ?
0 Specifies an UNENCRYPTED password will follow
6 Specifies an ENCRYPTED password will follow
WORD The UNENCRYPTED (cleartext) user password
871W(config-isakmp-group)#key cisco // NEED TO INPUT IN EZVPN CLIENT
871W(config-isakmp-group)#save-password // ALLOWS EZVPN CLIENT TO SAVE PASSWORD IN AN AUTOMATIC VPN CONNECTION
871W(config-isakmp-group)#exit
871W(config)#crypto ipsec ?
client Configure a client
df-bit Handling of encapsulated DF bit.
fragmentation Handling of fragmentation of near-MTU sized packets
nat-transparency IPsec NAT transparency model
optional Enable optional encryption for IPSec
profile Configure an ipsec policy profile
security-association Security association parameters
transform-set Define transform and settings
871W(config)#crypto ipsec transform-set ?
WORD Transform set tag
871W(config)#crypto ipsec transform-set EZVPN_TSET ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
871W(config)#crypto ipsec transform-set EZVPN_TSET esp-aes ?
128 128 bit keys.
192 192 bit keys.
256 256 bit keys.
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-sha-hmac ESP transform using HMAC-SHA auth
<cr>
871W(config)#crypto ipsec transform-set EZVPN_TSET esp-aes 256 ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-sha-hmac ESP transform using HMAC-SHA auth
<cr>
871W(config)#crypto ipsec transform-set EZVPN_TSET esp-aes 256 esp-sha-hmac
871W(cfg-crypto-trans)#ex
871W(config)#crypto dynamic-map ?
WORD Dynamic crypto map template tag
871W(config)#crypto dynamic-map EZVPN_MAP ?
<1-65535> Sequence to insert into dynamic-map entry
871W(config)#crypto dynamic-map EZVPN_MAP 10
871W(config-crypto-map)#?
Crypto Map configuration commands:
default Set a command to its defaults
description Description of the crypto map statement policy
dialer Dialer related commands
exit Exit from crypto map configuration mode
match Match values.
no Negate a command or set its defaults
reverse-route Reverse Route Injection.
set Set values for encryption/decryption
871W(config-crypto-map)#set ?
identity Identity restriction.
ip Interface Internet Protocol config commands
isakmp-profile Specify isakmp Profile
nat Set NAT translation
peer Allowed Encryption/Decryption peer.
pfs Specify pfs settings
reverse-route Reverse Route Injection.
security-association Security association parameters
transform-set Specify list of transform sets in priority order
871W(config-crypto-map)#set transform-set ?
WORD Proposal tag
871W(config-crypto-map)#set transform-set EZVPN_TSET
871W(config-crypto-map)#exit
871W(config)#crypto map EZVPN_CLIENT_MAP ?
<1-65535> Sequence to insert into crypto map entry
client Specify client configuration settings
isakmp Specify isakmp configuration settings
isakmp-profile Specify isakmp profile to use
local-address Interface to use for local address for this crypto map
redundancy High availability options for this map
871W(config)#crypto map EZVPN_CLIENT_MAP client ?
accounting Accounting parameters.
authentication Use Extended Authentication
configuration Specify client configuration settings
871W(config)#crypto map EZVPN_CLIENT_MAP client authentication ?
list AAA authentication list to use
871W(config)#crypto map EZVPN_CLIENT_MAP client authentication list EZVPN_AUTHENTICATION
871W(config)#crypto map EZVPN_CLIENT_MAP isakmp ?
authorization Authorization parameters.
871W(config)#crypto map EZVPN_CLIENT_MAP isakmp authorization ?
list AAA authorization list to use
871W(config)#crypto map EZVPN_CLIENT_MAP isakmp authorization list EZVPN_AUTHORIZATION
871W(config)#crypto map EZVPN_CLIENT_MAP client ?
accounting Accounting parameters.
authentication Use Extended Authentication
configuration Specify client configuration settings
871W(config)#crypto map EZVPN_CLIENT_MAP client configuration ?
address Specify client network address configuration
871W(config)#crypto map EZVPN_CLIENT_MAP client configuration address ?
initiate Push the network address to the client
respond Respond to network address requests from the client
871W(config)#crypto map EZVPN_CLIENT_MAP client configuration address respond
871W(config)#crypto map EZVPN_CLIENT_MAP ?
<1-65535> Sequence to insert into crypto map entry
client Specify client configuration settings
isakmp Specify isakmp configuration settings
isakmp-profile Specify isakmp profile to use
local-address Interface to use for local address for this crypto map
redundancy High availability options for this map
871W(config)#crypto map EZVPN_CLIENT_MAP 10 ?
gdoi GDOI
ipsec-isakmp IPSEC w/ISAKMP
ipsec-manual IPSEC w/manual keying
<cr>
871W(config)#crypto map EZVPN_CLIENT_MAP 10 ipsec-isakmp ?
dynamic Enable dynamic crypto map support
profile Enable crypto map as a crypto-profile
<cr>
871W(config)#crypto map EZVPN_CLIENT_MAP 10 ipsec-isakmp dynamic ?
WORD Name of dynamic-map template
871W(config)#crypto map EZVPN_CLIENT_MAP 10 ipsec-isakmp dynamic EZVPN_MAP
871W(config)#do show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
BVI1                       192.168.1.1     YES NVRAM  up                    up
Dot11Radio0                unassigned      YES NVRAM  up                    up
FastEthernet0              unassigned      YES unset  up                    up
FastEthernet1              unassigned      YES unset  administratively down down
FastEthernet2              unassigned      YES unset  administratively down down
FastEthernet3              unassigned      YES unset  administratively down down
FastEthernet4              222.165.117.23  YES DHCP   up                    up
Group-Async4               unassigned      YES NVRAM  down                  down
NVI0                       unassigned      YES unset  administratively down down
Vlan1                      unassigned      YES NVRAM  up                    up
871W(config)#interface bv1
871W(config-if)#crypto map ?
WORD Crypto Map tag
<cr>
871W(config-if)#crypto map EZVPN_CLIENT_MAP
871W(config-if)#end
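Stripped of the `?` help output, the session above leaves a short configuration on the 871W. The script below is an added example and not part of the original post: it audits that configuration for the choices a practitioner would want to revisit before the router leaves the lab. The config text is reconstructed from the commands typed above; the second `username` line with a type 7 string is constructed to show how little the "HIDDEN" storage offered by the `password` keyword protects, since Cisco type 7 is a XOR against a fixed, public key string and anyone holding the config can reverse it (`secret` stores a hash instead). The DH group finding is a general recommendation; the `group ?` output above shows that this 871W offers only groups 1, 2 and 5, so 5 is the strongest choice on that platform.

```python
import re

# Cisco type-7 "encryption" is a XOR with this fixed, publicly known key string.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(enc: str) -> str:
    """Recover the cleartext from a type-7 string: 2-digit key offset, then hex bytes."""
    seed, body = int(enc[:2]), bytes.fromhex(enc[2:])
    return "".join(chr(b ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]))
                   for i, b in enumerate(body))


def encode_type7(plain: str, seed: int = 8) -> str:
    """Produce the type-7 form IOS would store (used here only to show it is reversible)."""
    return f"{seed:02d}" + "".join(
        f"{ord(c) ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]):02X}" for i, c in enumerate(plain))


# Reconstructed from the commands typed on the 871W above. The 'admin' line is constructed
# to show a type-7 string; IOS writes 'password 7 ...' when service password-encryption is on.
EZVPN_SERVER_CONFIG = """\
aaa new-model
aaa authentication login EZVPN_AUTHENTICATION local
aaa authorization network EZVPN_AUTHORIZATION local
username ezvpnuser password cisco
username admin password 7 0822455D0A16
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp client configuration group EZVPN
 key cisco
 save-password
crypto ipsec transform-set EZVPN_TSET esp-aes 256 esp-sha-hmac
crypto dynamic-map EZVPN_MAP 10
 set transform-set EZVPN_TSET
crypto map EZVPN_CLIENT_MAP client authentication list EZVPN_AUTHENTICATION
crypto map EZVPN_CLIENT_MAP isakmp authorization list EZVPN_AUTHORIZATION
crypto map EZVPN_CLIENT_MAP client configuration address respond
crypto map EZVPN_CLIENT_MAP 10 ipsec-isakmp dynamic EZVPN_MAP
interface BVI1
 crypto map EZVPN_CLIENT_MAP
"""

WEAK_DH = {"1": "768-bit MODP", "2": "1024-bit MODP"}


def audit(config: str) -> list:
    """Return one finding per weak or reversible setting, in configuration order."""
    findings, section = [], ""
    for raw in config.splitlines():
        if not raw.startswith(" "):
            section = raw.strip()          # an unindented line opens a new config section
        s = raw.strip()
        if m := re.match(r"username (\S+) password (?:(0|7) )?(\S+)$", s):
            user, typ, val = m.groups()
            how = f"type 7, decodes to {decode_type7(val)!r}" if typ == "7" else f"cleartext: {val!r}"
            findings.append(f"{user}: password stored reversibly ({how}); use 'username {user} secret ...'")
        elif section.startswith("crypto isakmp policy"):
            if (m := re.match(r"group (\d+)$", s)) and m[1] in WEAK_DH:
                findings.append(f"{section}: DH group {m[1]} ({WEAK_DH[m[1]]}) is weak; "
                                "use the strongest group both peers support")
            elif re.match(r"encr(?:yption)? (des|3des)$|hash md5$", s):
                findings.append(f"{section}: '{s}' is a legacy algorithm")
        elif section.startswith("crypto isakmp client configuration group"):
            if m := re.match(r"key (?!6 )(?:0 )?(\S+)$", s):
                findings.append(f"{section}: pre-shared key {m[1]!r} is stored in cleartext; "
                                "configure 'password encryption aes' so it is stored as type 6")
            elif s == "save-password":
                findings.append(f"{section}: save-password lets the client cache the XAUTH password")
    return findings


if __name__ == "__main__":
    for finding in audit(EZVPN_SERVER_CONFIG):
        print(finding)
```

Run against the reconstructed config it reports five findings: both `username` lines, DH group 2 in policy 10, the cleartext group key, and `save-password`. The last one is a trade-off rather than a defect: an unattended hardware client such as the ASA 5505 needs stored credentials to bring the tunnel up on its own, which is exactly why the group key and XAUTH password should be unique to this site.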
Below are the screenshots and CLI commands to configure the Easy VPN remote hardware client on an ASA 5505. I chose network extension mode so that the LAN behind the ASA 5505 (172.16.1.0/24) keeps its own addressing inside the tunnel and can communicate directly with other remote sites, which is typical in a hub-and-spoke network environment; in client mode the ASA would instead PAT everything behind a single assigned address. I've also configured a local user account (ezvpnuser) on the client so that XAUTH is satisfied automatically each time the VPN connection is initiated.
ASA5505(config)# vpnclient ?
configure mode commands/options:
enable Enables/disables the Easy VPN connection
ipsec-over-tcp Configures the Easy VPN client to use TCP encapsulation
mac-exempt Configures MAC addresses that are exempt from Easy VPN
user authentication
management Configures remote management of the Easy VPN client
connection over a tunnel
mode Configures the Easy VPN client connection as client mode
or network extension mode
nem-st-autoconnect Configures a network extension Easy VPN client to
automatically connect to the configured server list
server Configures a server list to be used for access by the
Easy VPN client connection
server-certificate Configures the Easy VPN client to accept specific server
certificates
trustpoint Configures the Easy VPN client to use a specific identity
certificate
username Configures a user name for the Easy VPN client
vpngroup Configures a VPN group name for the Easy VPN client
exec mode commands/options:
connect Establishes an Easy VPN connection
disconnect Disconnects an Easy VPN connection
ASA5505(config)# vpnclient mode ?
configure mode commands/options:
client-mode Easy VPN client mode
network-extension-mode Easy VPN network extension mode
ASA5505(config)# vpnclient mode network-extension-mode
ASA5505(config)# vpnclient nem-st-autoconnect
ASA5505(config)# vpnclient vpngroup ?
configure mode commands/options:
WORD < 65 char Enter group name that corresponds to the tunnel-group on the
headend device.
ASA5505(config)# vpnclient vpngroup EZVPN ?
configure mode commands/options:
password Enter keyword to configure a VPN group password for the Easy VPN
Client
ASA5505(config)# vpnclient vpngroup EZVPN password ?
configure mode commands/options:
0 Specifies an UNENCRYPTED password will follow
8 Specifies an ENCRYPTED password will follow
WORD < 129 char Enter the password for this group
ASA5505(config)# vpnclient vpngroup EZVPN password cisco
ASA5505(config)# vpnclient username ezvpnuser ?
configure mode commands/options:
password Enter keyword to configure a user password for the Easy VPN Client
ASA5505(config)# vpnclient username ezvpnuser password ?
configure mode commands/options:
0 Specifies an UNENCRYPTED password will follow
8 Specifies an ENCRYPTED password will follow
WORD < 65 char Enter the password for this user
ASA5505(config)# vpnclient username ezvpnuser password cisco
ASA5505(config)# vpnclient server ?
configure mode commands/options:
Hostname or A.B.C.D The IP address or name of the primary server
WORD < 129 char The DNS host name of the primary server
ASA5505(config)# vpnclient server 192.168.1.1
ASA5505(config)# vpnclient enable
Here are some useful show commands issued from both the Easy VPN server (871w) and Easy VPN remote hardware client (ASA 5505):
871W#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.1.1 192.168.1.2 QM_IDLE 2001 0 ACTIVE // QM_IDLE MEANS THE IKE PHASE 1 SA WITH THE PEER IS AUTHENTICATED AND IDLE
IPv6 Crypto ISAKMP SA
871W#show crypto ipsec sa
interface: BVI1
Crypto map tag: EZVPN_CLIENT_MAP, local addr 192.168.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
current_peer 192.168.1.2 port 500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
path mtu 1500, ip mtu 1500, ip mtu idb BVI1
current outbound spi: 0x5BA21DD1(1537351121)
inbound esp sas:
spi: 0xFE147998(4262754712)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: Motorola SEC 1.0:3, crypto map: EZVPN_CLIENT_MAP
sa timing: remaining key lifetime (k/sec): (4489183/3233)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x5BA21DD1(1537351121)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: Motorola SEC 1.0:4, crypto map: EZVPN_CLIENT_MAP
sa timing: remaining key lifetime (k/sec): (4489183/3233)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
current_peer 192.168.1.2 port 500
PERMIT, flags={}
#pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
path mtu 1500, ip mtu 1500, ip mtu idb BVI1
current outbound spi: 0xF9CC2A0E(4190906894)
inbound esp sas:
spi: 0x6A97941F(1788318751)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: Motorola SEC 1.0:5, crypto map: EZVPN_CLIENT_MAP
sa timing: remaining key lifetime (k/sec): (4463025/3233)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xF9CC2A0E(4190906894)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: Motorola SEC 1.0:6, crypto map: EZVPN_CLIENT_MAP
sa timing: remaining key lifetime (k/sec): (4463024/3233)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
current_peer 192.168.1.2 port 500
PERMIT, flags={}
#pkts encaps: 200, #pkts encrypt: 200, #pkts digest: 200
#pkts decaps: 200, #pkts decrypt: 200, #pkts verify: 200
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
path mtu 1500, ip mtu 1500, ip mtu idb BVI1
current outbound spi: 0xDAAFA04C(3668942924)
inbound esp sas:
spi: 0x5DD0BFFD(1573961725)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: Motorola SEC 1.0:1, crypto map: EZVPN_CLIENT_MAP
sa timing: remaining key lifetime (k/sec): (4488095/3230)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xDAAFA04C(3668942924)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: Motorola SEC 1.0:2, crypto map: EZVPN_CLIENT_MAP
sa timing: remaining key lifetime (k/sec): (4488095/3230)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
We issue the same show crypto commands on the ASA. Note the AM_ACTIVE state in the first output: Easy VPN clients negotiate IKE Phase 1 in aggressive mode, authenticated with the group pre-shared key, and aggressive mode sends a hash derived from that key in the clear, so anyone who captures the first exchange can run an offline guessing attack against it. A throwaway value like cisco is fine in the lab; outside it, use a long random group key.
ASA5505# show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.1.1
Type : user Role : initiator
Rekey : no State : AM_ACTIVE // AGGRESSIVE MODE WAS USED TO SET UP THE TUNNEL FOR IKE PHASE 1
There are no IKEv2 SAs
ASA5505# show crypto ipsec sa
interface: outside
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.2
access-list _vpnc_acl extended permit ip 172.16.1.0 255.255.255.0 any
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 192.168.1.1, username: 192.168.1.1
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.2/0, remote crypto endpt.: 192.168.1.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 6A97941F
current inbound spi : F9CC2A0E
inbound esp sas:
spi: 0xF9CC2A0E (4190906894)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Tunnel, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 3372
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x6A97941F (1788318751)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Tunnel, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 3372
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.2
access-list _vpnc_acl extended permit ip host 192.168.1.2 host 192.168.1.1
local ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
current_peer: 192.168.1.1, username: 192.168.1.1
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
#pkts decaps: 100, #pkts decrypt: 100, #pkts verify: 100
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 100, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.2/0, remote crypto endpt.: 192.168.1.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 5DD0BFFD
current inbound spi : DAAFA04C
inbound esp sas:
spi: 0xDAAFA04C (3668942924)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Tunnel, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 3367
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x5DD0BFFD (1573961725)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Tunnel, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 3367
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.2
access-list _vpnc_acl extended permit ip host 192.168.1.2 any
local ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 192.168.1.1, username: 192.168.1.1
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.2/0, remote crypto endpt.: 192.168.1.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: FE147998
current inbound spi : 5BA21DD1
inbound esp sas:
spi: 0x5BA21DD1 (1537351121)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Tunnel, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 3370
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xFE147998 (4262754712)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Tunnel, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 3370
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA5505# show vpn-sessiondb ra-ikev1-ipsec
Session Type: IKEv1 IPsec
Index : 1
Assigned IP : 172.16.1.0 Peer IP : 192.168.1.1
Protocol : IKEv1 IPsec
License : Other VPN
Encryption : IKEv1: (1)AES256 IPsec: (3)AES256
Hashing : IKEv1: (1)SHA1 IPsec: (3)SHA1
Bytes Tx : 10000 Bytes Rx : 10300
Login Time : 11:58:28 SGT Sun Jun 22 2014
Duration : 0h:05m:01s
Inactivity : 0h:00m:00s
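With the tunnel up, the two `show crypto ipsec sa` outputs can be checked against each other: every inbound ESP SPI on the server must be an outbound SPI on the client and vice versa, the traffic selectors must mirror each other, and a flow that one side encrypts should be decrypting on the other. The following Python is an added example (not from the original post) that parses both outputs and performs that cross-check. The sample text is abridged from the outputs above to the lines the parser needs (two of the three SA pairs); the SPI regex is anchored at the start of the line so the `current outbound spi:` summary lines are not mistaken for SA entries.

```python
import re

# Abridged from the two "show crypto ipsec sa" outputs above (871W server, ASA 5505 client),
# keeping only the lines the parser needs. Two of the three SA pairs are included.
IOS_SERVER_SA = """\
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0xF9CC2A0E(4190906894)
     inbound esp sas:
      spi: 0x6A97941F(1788318751)
     outbound esp sas:
      spi: 0xF9CC2A0E(4190906894)
   local  ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
    #pkts encaps: 200, #pkts encrypt: 200, #pkts digest: 200
    #pkts decaps: 200, #pkts decrypt: 200, #pkts verify: 200
     inbound esp sas:
      spi: 0x5DD0BFFD(1573961725)
     outbound esp sas:
      spi: 0xDAAFA04C(3668942924)
"""

ASA_CLIENT_SA = """\
      local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      current outbound spi: 6A97941F
      current inbound spi : F9CC2A0E
    inbound esp sas:
      spi: 0xF9CC2A0E (4190906894)
    outbound esp sas:
      spi: 0x6A97941F (1788318751)
      local ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
      #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
      #pkts decaps: 100, #pkts decrypt: 100, #pkts verify: 100
    inbound esp sas:
      spi: 0xDAAFA04C (3668942924)
    outbound esp sas:
      spi: 0x5DD0BFFD (1573961725)
"""

IDENT = r"ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/"
RE_LOCAL = re.compile(r"^local\s+" + IDENT)
RE_REMOTE = re.compile(r"^remote\s+" + IDENT)
RE_PKTS = re.compile(r"^#pkts (encaps|decaps): (\d+)")
RE_SPI = re.compile(r"^spi: 0x([0-9A-Fa-f]+)")   # anchored: skips "current outbound spi:" lines


def parse_ipsec_sa(text):
    """One dict per SA pair: selectors, packet counters, inbound and outbound ESP SPI."""
    sas, cur, direction = [], None, None
    for raw in text.splitlines():
        s = raw.strip()
        if m := RE_LOCAL.match(s):
            cur = {"local": f"{m[1]}/{m[2]}", "remote": None,
                   "encaps": 0, "decaps": 0, "in_spi": None, "out_spi": None}
            sas.append(cur)
            direction = None
        elif cur is None:
            continue
        elif m := RE_REMOTE.match(s):
            cur["remote"] = f"{m[1]}/{m[2]}"
        elif m := RE_PKTS.match(s):
            cur[m[1]] = int(m[2])
        elif s.startswith("inbound esp sas"):
            direction = "in_spi"
        elif s.startswith("outbound esp sas"):
            direction = "out_spi"
        elif direction and (m := RE_SPI.match(s)):
            cur[direction] = m[1].upper()
            direction = None
    return sas


def cross_check(server, client):
    """Pair each server SA with the client SA that sends on the server's inbound SPI."""
    by_out_spi = {c["out_spi"]: c for c in client}
    report = []
    for s in server:
        c = by_out_spi.get(s["in_spi"])
        if c is None:
            report.append(("ORPHAN", s["remote"], f"no client SA sends on server inbound SPI {s['in_spi']}"))
        elif c["in_spi"] != s["out_spi"] or (c["local"], c["remote"]) != (s["remote"], s["local"]):
            report.append(("MISMATCH", s["remote"], f"client in {c['in_spi']} / {c['local']} does not mirror server"))
        elif (s["encaps"] and not c["decaps"]) or (c["encaps"] and not s["decaps"]):
            report.append(("ONE-WAY", s["remote"], "one side encrypts but the peer decrypts nothing"))
        else:
            report.append(("OK", s["remote"], f"in {s['in_spi']} / out {s['out_spi']} paired with client"))
    return report


if __name__ == "__main__":
    for status, flow, detail in cross_check(parse_ipsec_sa(IOS_SERVER_SA), parse_ipsec_sa(ASA_CLIENT_SA)):
        print(f"{status:8} {flow:28} {detail}")
```

Both pairs come back OK on the captured data: the 172.16.1.0/24 flow has 6 packets encrypted by the server and 4 decrypted by the ASA (the counters were read at different moments, so exact equality is not expected), and the host-to-host management flow carries traffic in both directions. An ORPHAN or MISMATCH result points at stale SAs after a rekey or an interface bounce; ONE-WAY is the classic symptom of a routing or NAT problem on the far side, since the selectors negotiated fine but nothing is coming back.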
Here's debug output from the Easy VPN server. Notice that the connection ID changed from 2001 to 2002 because I bounced the interface that carries the EZVPN crypto map. You can also follow the IKE Phase 1 and Phase 2 sequence.
871W#terminal monitor
871W#debug crypto isakmp
Crypto ISAKMP debugging is on
871W#debug crypto ipsec
Crypto IPSEC debugging is on
Jun 22 12:15:36.699 SGT: ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (N) NEW SA // IKE UDP PORT 500
Jun 22 12:15:36.699 SGT: ISAKMP: Found a peer struct for 192.168.1.2, peer port 500
Jun 22 12:15:36.699 SGT: ISAKMP: Locking peer struct 0x8376E10C, refcount 2 for crypto_isakmp_process_block
Jun 22 12:15:36.699 SGT: ISAKMP:(0):(Re)Setting client xauth list EZVPN and state
Jun 22 12:15:36.699 SGT: ISAKMP/xauth: initializing AAA request
Jun 22 12:15:36.699 SGT: ISAKMP: local port 500, remote port 500
Jun 22 12:15:36.703 SGT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 828EB9E8
Jun 22 12:15:36.703 SGT: ISAKMP:(0): processing SA payload. message ID = 0
Jun 22 12:15:36.703 SGT: ISAKMP:(0): processing ID payload. message ID = 0
Jun 22 12:15:36.703 SGT: ISAKMP (0:0): ID payload
next-payload : 13
type : 11
group id : EZVPN
protocol : 0
port : 0
length : 13
Jun 22 12:15:36.703 SGT: ISAKMP:(0):: peer matches *none* of the profiles
Jun 22 12:15:36.703 SGT: ISAKMP:(0): processing vendor id payload
Jun 22 12:15:36.703 SGT: ISAKMP:(0): vendor ID is Unity
Jun 22 12:15:36.703 SGT: ISAKMP:(0): processing vendor id payload
Jun 22 12:15:36.703 SGT: ISAKMP:(0): vendor ID seems Unity/DPD but major 128 mismatch
Jun 22 12:15:36.703 SGT: ISAKMP:(0): vendor ID is XAUTH
Jun 22 12:15:36.703 SGT: ISAKMP:(0): processing vendor id payload
Jun 22 12:15:36.703 SGT: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Jun 22 12:15:36.703 SGT: ISAKMP:(0): vendor ID is NAT-T v2
Jun 22 12:15:36.703 SGT: ISAKMP:(0): processing vendor id payload
Jun 22 12:15:36.703 SGT: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Jun 22 12:15:36.703 SGT: ISAKMP:(0): vendor ID is NAT-T v3
Jun 22 12:15:36.703 SGT: ISAKMP:(0): processing vendor id payload
Jun 22 12:15:36.703 SGT: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Jun 22 12:15:36.703 SGT: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Jun 22 12:15:36.703 SGT: ISAKMP:(0): processing vendor id payload
Jun 22 12:15:36.703 SGT: ISAKMP:(0): processing IKE frag vendor id payload
Jun 22 12:15:36.703 SGT: ISAKMP:(0):Support for IKE Fragmentation not enabled
Jun 22 12:15:36.703 SGT: ISAKMP:(0): local preshared key found
Jun 22 12:15:36.703 SGT: ISAKMP:(0): Authentication by xauth preshared
Jun 22 12:15:36.703 SGT: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Jun 22 12:15:36.707 SGT: ISAKMP: default group 2
Jun 22 12:15:36.707 SGT: ISAKMP: encryption AES-CBC
Jun 22 12:15:36.707 SGT: ISAKMP: keylength of 256
Jun 22 12:15:36.707 SGT: ISAKMP: hash SHA
Jun 22 12:15:36.707 SGT: ISAKMP: auth XAUTHInitPreShared
Jun 22 12:15:36.707 SGT: ISAKMP: life type in seconds
Jun 22 12:15:36.707 SGT: ISAKMP: life duration (VPI) of 0x7F 0xFF 0xFF 0xFF
Jun 22 12:15:36.707 SGT: ISAKMP:(0):atts are acceptable. Next payload is 3
Jun 22 12:15:36.707 SGT: ISAKMP:(0):Acceptable atts:actual life: 86400
Jun 22 12:15:36.707 SGT: ISAKMP:(0):Acceptable atts:life: 0
Jun 22 12:15:36.707 SGT: ISAKMP:(0):Fill atts in sa vpi_length:4
Jun 22 12:15:36.707 SGT: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483647
Jun 22 12:15:36.707 SGT: ISAKMP:(0):Returning Actual lifetime: 86400
Jun 22 12:15:36.707 SGT: ISAKMP:(0)::Started lifetime timer: 86400.
Jun 22 12:15:36.707 SGT: ISAKMP:(0): processing KE payload. message ID = 0
Jun 22 12:15:36.755 SGT: ISAKMP:(0): processing NONCE payload. message ID = 0
Jun 22 12:15:36.755 SGT: ISAKMP:(2002): processing vendor id payload
Jun 22 12:15:36.755 SGT: ISAKMP:(2002): vendor ID is Unity
Jun 22 12:15:36.755 SGT: ISAKMP:(2002): processing vendor id payload
Jun 22 12:15:36.755 SGT: ISAKMP:(2002): vendor ID seems Unity/DPD but major 128 mismatch
Jun 22 12:15:36.755 SGT: ISAKMP:(2002): vendor ID is XAUTH
Jun 22 12:15:36.755 SGT: ISAKMP:(2002): processing vendor id payload
Jun 22 12:15:36.755 SGT: ISAKMP:(2002): vendor ID seems Unity/DPD but major 123 mismatch
Jun 22 12:15:36.755 SGT: ISAKMP:(2002): vendor ID is NAT-T v2
Jun 22 12:15:36.759 SGT: ISAKMP:(2002): processing vendor id payload
Jun 22 12:15:36.759 SGT: ISAKMP:(2002): vendor ID seems Unity/DPD but major 157 mismatch
Jun 22 12:15:36.759 SGT: ISAKMP:(2002): vendor ID is NAT-T v3
Jun 22 12:15:36.759 SGT: ISAKMP:(2002): processing vendor id payload
Jun 22 12:15:36.759 SGT: ISAKMP:(2002): vendor ID seems Unity/DPD but major 69 mismatch
Jun 22 12:15:36.759 SGT: ISAKMP (0:2002): vendor ID is NAT-T RFC 3947
Jun 22 12:15:36.759 SGT: ISAKMP:(2002): processing vendor id payload
Jun 22 12:15:36.759 SGT: ISAKMP:(2002): processing IKE frag vendor id payload
Jun 22 12:15:36.759 SGT: ISAKMP:(2002):Support for IKE Fragmentation not enabled
Jun 22 12:15:36.759 SGT: ISAKMP:(2002): constructed NAT-T vendor-rfc3947 ID
Jun 22 12:15:36.759 SGT: ISAKMP:(2002):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
Jun 22 12:15:36.759 SGT: ISAKMP (0:2002): ID payload
next-payload : 10
type : 1
address : 192.168.1.1
protocol : 0
port : 0
length : 12
Jun 22 12:15:36.759 SGT: ISAKMP:(2002):Total payload length: 12
Jun 22 12:15:36.759 SGT: ISAKMP:(2002): sending packet to 192.168.1.2 my_port 500 peer_port 500 (R) AG_INIT_EXCH
Jun 22 12:15:36.759 SGT: ISAKMP:(2002):Sending an IKE IPv4 Packet.
Jun 22 12:15:36.763 SGT: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Jun 22 12:15:36.763 SGT: ISAKMP:(2002):Old State = IKE_READY New State = IKE_R_AM2
Jun 22 12:15:36.767 SGT: ISAKMP (0:2002): received packet from 192.168.1.2 dport 500 sport 500 Global (R) AG_INIT_EXCH
Jun 22 12:15:36.767 SGT: ISAKMP:(2002): processing HASH payload. message ID = 0
Jun 22 12:15:36.767 SGT: ISAKMP:received payload type 20
Jun 22 12:15:36.767 SGT: ISAKMP:received payload type 20
Jun 22 12:15:36.771 SGT: ISAKMP:(2002): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 828EB9E8
Jun 22 12:15:36.771 SGT: ISAKMP:(2002): processing vendor id payload
Jun 22 12:15:36.771 SGT: ISAKMP:(2002): vendor ID is DPD
Jun 22 12:15:36.771 SGT: ISAKMP:(2002):SA authentication status:
authenticated
Jun 22 12:15:36.771 SGT: ISAKMP:(2002):SA has been authenticated with 192.168.1.2
Jun 22 12:15:36.771 SGT: ISAKMP:(2002):SA authentication status:
authenticated
Jun 22 12:15:36.771 SGT: ISAKMP:(2002): Process initial contact,
bring down existing phase 1 and 2 SA's with local 192.168.1.1 remote 192.168.1.2 remote port 500
Jun 22 12:15:36.771 SGT: ISAKMP:(2002):returning IP addr to the address pool
Jun 22 12:15:36.771 SGT: ISAKMP:(2001):received initial contact, deleting SA
Jun 22 12:15:36.771 SGT: ISAKMP:(2001):peer does not do paranoid keepalives.
Jun 22 12:15:36.771 SGT: ISAKMP:(2001):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 192.168.1.2)
Jun 22 12:15:36.771 SGT: ISAKMP:(2002):Returning Actual lifetime: 86400
Jun 22 12:15:36.771 SGT: ISAKMP: set new node -254195553 to CONF_XAUTH
Jun 22 12:15:36.771 SGT: ISAKMP:(2002):Sending NOTIFY RESPONDER_LIFETIME protocol 1
spi 2203782408, message ID = -254195553
Jun 22 12:15:36.775 SGT: ISAKMP:(2002): sending packet to 192.168.1.2 my_port 500 peer_port 500 (R) QM_IDLE
Jun 22 12:15:36.775 SGT: ISAKMP:(2002):Sending an IKE IPv4 Packet.
Jun 22 12:15:36.775 SGT: ISAKMP:(2002):purging node -254195553
Jun 22 12:15:36.775 SGT: ISAKMP: Sending phase 1 responder lifetime 86400
Jun 22 12:15:36.775 SGT: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Jun 22 12:15:36.775 SGT: ISAKMP:(2002):Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE
Jun 22 12:15:36.775 SGT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jun 22 12:15:36.775 SGT: ISAKMP: set new node -1021527948 to CONF_XAUTH
Jun 22 12:15:36.779 SGT: ISAKMP:(2001): sending packet to 192.168.1.2 my_port 500 peer_port 500 (R) QM_IDLE
Jun 22 12:15:36.779 SGT: ISAKMP:(2001):Sending an IKE IPv4 Packet.
Jun 22 12:15:36.779 SGT: ISAKMP:(2001):purging node -1021527948
Jun 22 12:15:36.779 SGT: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jun 22 12:15:36.779 SGT: ISAKMP:(2001):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Jun 22 12:15:36.779 SGT: ISAKMP:(2002):Need XAUTH
Jun 22 12:15:36.779 SGT: ISAKMP: set new node 478590654 to CONF_XAUTH
Jun 22 12:15:36.779 SGT: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
Jun 22 12:15:36.779 SGT: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
Jun 22 12:15:36.779 SGT: ISAKMP:(2002): initiating peer config to 192.168.1.2. ID = 478590654
Jun 22 12:15:36.783 SGT: ISAKMP:(2002): sending packet to 192.168.1.2 my_port 500 peer_port 500 (R) CONF_XAUTH
Jun 22 12:15:36.783 SGT: ISAKMP:(2002):Sending an IKE IPv4 Packet.
Jun 22 12:15:36.783 SGT: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jun 22 12:15:36.783 SGT: ISAKMP:(2002):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT
Jun 22 12:15:36.783 SGT: ISAKMP:(2001):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 192.168.1.2)
Jun 22 12:15:36.783 SGT: ISAKMP: Unlocking peer struct 0x8376E10C for isadb_mark_sa_deleted(), count 1
Jun 22 12:15:36.787 SGT: ISAKMP:(2001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 22 12:15:36.787 SGT: ISAKMP:(2001):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Jun 22 12:15:36.787 SGT: ISAKMP (0:2002): received packet from 192.168.1.2 dport 500 sport 500 Global (R) CONF_XAUTH
Jun 22 12:15:36.787 SGT: ISAKMP:(2002):processing transaction payload from 192.168.1.2. message ID = 478590654
Jun 22 12:15:36.791 SGT: ISAKMP: Config payload REPLY
Jun 22 12:15:36.791 SGT: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
Jun 22 12:15:36.791 SGT: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
Jun 22 12:15:36.791 SGT: ISAKMP:(2002):deleting node 478590654 error FALSE reason "Done with xauth request/reply exchange"
Jun 22 12:15:36.791 SGT: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
Jun 22 12:15:36.791 SGT: ISAKMP:(2002):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
Jun 22 12:15:36.791 SGT: ISAKMP: set new node 905676590 to CONF_XAUTH
Jun 22 12:15:36.791 SGT: ISAKMP:(2002): initiating peer config to 192.168.1.2. ID = 905676590
Jun 22 12:15:36.791 SGT: ISAKMP:(2002): sending packet to 192.168.1.2 my_port 500 peer_port 500 (R) CONF_XAUTH
Jun 22 12:15:36.791 SGT: ISAKMP:(2002):Sending an IKE IPv4 Packet.
Jun 22 12:15:36.795 SGT: ISAKMP:(2002):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
Jun 22 12:15:36.795 SGT: ISAKMP:(2002):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_SET_SENT
Jun 22 12:15:36.795 SGT: ISAKMP (0:2002): received packet from 192.168.1.2 dport 500 sport 500 Global (R) CONF_XAUTH
Jun 22 12:15:36.799 SGT: ISAKMP:(2002):processing transaction payload from 192.168.1.2. message ID = 905676590
Jun 22 12:15:36.799 SGT: ISAKMP: Config payload ACK
Jun 22 12:15:36.799 SGT: ISAKMP:(2002): (blank) XAUTH ACK Processed
Jun 22 12:15:36.799 SGT: ISAKMP:(2002):deleting node 905676590 error FALSE reason "Transaction mode done"
Jun 22 12:15:36.799 SGT: ISAKMP:(2002):Talking to a Unity Client
Jun 22 12:15:36.799 SGT: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
Jun 22 12:15:36.799 SGT: ISAKMP:(2002):Old State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE
Jun 22 12:15:36.799 SGT: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jun 22 12:15:36.799 SGT: ISAKMP:(2002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jun 22 12:15:36.803 SGT: ISAKMP (0:2002): received packet from 192.168.1.2 dport 500 sport 500 Global (R) QM_IDLE
Jun 22 12:15:36.803 SGT: ISAKMP: set new node 1574535261 to QM_IDLE
Jun 22 12:15:36.803 SGT: ISAKMP:(2002):processing transaction payload from 192.168.1.2. message ID = 1574535261
Jun 22 12:15:36.803 SGT: ISAKMP: Config payload REQUEST
Jun 22 12:15:36.803 SGT: ISAKMP:(2002):checking request:
Jun 22 12:15:36.803 SGT: ISAKMP: IP4_DNS
Jun 22 12:15:36.803 SGT: ISAKMP: IP4_DNS
Jun 22 12:15:36.803 SGT: ISAKMP: IP4_NBNS
Jun 22 12:15:36.803 SGT: ISAKMP: IP4_NBNS
Jun 22 12:15:36.803 SGT: ISAKMP: SPLIT_INCLUDE
Jun 22 12:15:36.803 SGT: ISAKMP: DEFAULT_DOMAIN
Jun 22 12:15:36.803 SGT: ISAKMP: SPLIT_DNS
Jun 22 12:15:36.803 SGT: ISAKMP: PFS
Jun 22 12:15:36.803 SGT: ISAKMP: CONFIG_MODE_UNKNOWN Unknown Attr: 0x7800
Jun 22 12:15:36.803 SGT: ISAKMP: CONFIG_MODE_UNKNOWN Unknown Attr: 0x7801
Jun 22 12:15:36.803 SGT: ISAKMP: CONFIG_MODE_UNKNOWN Unknown Attr: 0x7802
Jun 22 12:15:36.803 SGT: ISAKMP: CONFIG_MODE_UNKNOWN Unknown Attr: 0x7803
Jun 22 12:15:36.803 SGT: ISAKMP: CONFIG_MODE_UNKNOWN Unknown Attr: 0x7804
Jun 22 12:15:36.803 SGT: ISAKMP: CONFIG_MODE_UNKNOWN Unknown Attr: 0x7805
Jun 22 12:15:36.803 SGT: ISAKMP: CONFIG_MODE_UNKNOWN Unknown Attr: 0x7806
Jun 22 12:15:36.803 SGT: ISAKMP: CONFIG_MODE_UNKNOWN Unknown Attr: 0x7807
Jun 22 12:15:36.807 SGT: ISAKMP: BACKUP_SERVER
Jun 22 12:15:36.807 SGT: ISAKMP: APPLICATION_VERSION
Jun 22 12:15:36.807 SGT: ISAKMP: MODECFG_BANNER
Jun 22 12:15:36.807 SGT: ISAKMP/author: Author request for group EZVPNsuccessfully sent to AAA
Jun 22 12:15:36.807 SGT: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
Jun 22 12:15:36.807 SGT: ISAKMP:(2002):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
Jun 22 12:15:36.807 SGT: ISAKMP:(2002):attributes sent in message:
Jun 22 12:15:36.807 SGT: ISAKMP (0/2002): Unknown Attr: CONFIG_MODE_UNKNOWN (0x7800)
Jun 22 12:15:36.807 SGT: ISAKMP (0/2002): Unknown Attr: CONFIG_MODE_UNKNOWN (0x7801)
Jun 22 12:15:36.807 SGT: ISAKMP (0/2002): Unknown Attr: CONFIG_MODE_UNKNOWN (0x7802)
Jun 22 12:15:36.811 SGT: ISAKMP (0/2002): Unknown Attr: CONFIG_MODE_UNKNOWN (0x7803)
Jun 22 12:15:36.811 SGT: ISAKMP (0/2002): Unknown Attr: CONFIG_MODE_UNKNOWN (0x7804)
Jun 22 12:15:36.811 SGT: ISAKMP (0/2002): Unknown Attr: CONFIG_MODE_UNKNOWN (0x7805)
Jun 22 12:15:36.811 SGT: ISAKMP (0/2002): Unknown Attr: CONFIG_MODE_UNKNOWN (0x7806)
Jun 22 12:15:36.811 SGT: ISAKMP (0/2002): Unknown Attr: CONFIG_MODE_UNKNOWN (0x7807)
Jun 22 12:15:36.811 SGT: ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(15)T10, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 14-Sep-09 23:35 by prod_rel_team
Jun 22 12:15:36.811 SGT: ISAKMP:(2002): responding to peer config from 192.168.1.2. ID = 1574535261
Jun 22 12:15:36.811 SGT: ISAKMP: Marking node 1574535261 for late deletion
Jun 22 12:15:36.811 SGT: ISAKMP:(2002): sending packet to 192.168.1.2 my_port 500 peer_port 500 (R) CONF_ADDR
Jun 22 12:15:36.811 SGT: ISAKMP:(2002):Sending an IKE IPv4 Packet.
Jun 22 12:15:36.811 SGT: ISAKMP:(2002):Talking to a Unity Client
Jun 22 12:15:36.811 SGT: ISAKMP:(2002):Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR
Jun 22 12:15:36.811 SGT: ISAKMP:(2002):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_P1_COMPLETE
Jun 22 12:15:36.815 SGT: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jun 22 12:15:36.815 SGT: ISAKMP:(2002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jun 22 12:15:36.951 SGT: ISAKMP (0:2002): received packet from 192.168.1.2 dport 500 sport 500 Global (R) QM_IDLE
Jun 22 12:15:36.951 SGT: ISAKMP: set new node 712876033 to QM_IDLE
Jun 22 12:15:36.951 SGT: ISAKMP:(2002): processing HASH payload. message ID = 712876033
Jun 22 12:15:36.951 SGT: ISAKMP:(2002): processing SA payload. message ID = 712876033
Jun 22 12:15:36.951 SGT: ISAKMP:(2002):Checking IPSec proposal 1
Jun 22 12:15:36.951 SGT: ISAKMP: transform 1, ESP_AES
Jun 22 12:15:36.951 SGT: ISAKMP: attributes in transform:
Jun 22 12:15:36.951 SGT: ISAKMP: SA life type in seconds
Jun 22 12:15:36.951 SGT: ISAKMP: SA life duration (VPI) of 0x7F 0xFF 0xFF 0xFF
Jun 22 12:15:36.951 SGT: ISAKMP: SA life type in kilobytes
Jun 22 12:15:36.951 SGT: ISAKMP: SA life duration (VPI) of 0x7F 0xFF 0xFF 0xFF
Jun 22 12:15:36.955 SGT: ISAKMP: encaps is 1 (Tunnel)
Jun 22 12:15:36.955 SGT: ISAKMP: authenticator is HMAC-SHA
Jun 22 12:15:36.955 SGT: ISAKMP: key length is 256
Jun 22 12:15:36.955 SGT: ISAKMP:(2002):atts are acceptable. // IKE PHASE 2/IPSEC TRANSFORM SET
Jun 22 12:15:36.955 SGT: IPSEC(validate_proposal_request): proposal part #1
Jun 22 12:15:36.955 SGT: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2,
local_proxy= 192.168.1.1/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.1.2/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Jun 22 12:15:36.955 SGT: ISAKMP:(2002): processing NONCE payload. message ID = 712876033
Jun 22 12:15:36.955 SGT: ISAKMP:(2002): processing ID payload. message ID = 712876033
Jun 22 12:15:36.955 SGT: ISAKMP:(2002): processing ID payload. message ID = 712876033
Jun 22 12:15:36.955 SGT: ISAKMP:(2002):QM Responder gets spi
Jun 22 12:15:36.955 SGT: ISAKMP:(2002):Node 712876033, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 22 12:15:36.955 SGT: ISAKMP:(2002):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
Jun 22 12:15:36.955 SGT: ISAKMP:(2002):deleting node 1574535261 error FALSE reason "No Error"
Jun 22 12:15:36.959 SGT: ISAKMP:(2002): Creating IPSec SAs
Jun 22 12:15:36.959 SGT: inbound SA from 192.168.1.2 to 192.168.1.1 (f/i) 0/ 0
(proxy 192.168.1.2 to 192.168.1.1)
Jun 22 12:15:36.959 SGT: has spi 0x855E47E7 and conn_id 0
Jun 22 12:15:36.959 SGT: lifetime of 2147483647 seconds
Jun 22 12:15:36.959 SGT: lifetime of 2147483647 kilobytes
Jun 22 12:15:36.959 SGT: outbound SA from 192.168.1.1 to 192.168.1.2 (f/i) 0/0
(proxy 192.168.1.1 to 192.168.1.2)
Jun 22 12:15:36.959 SGT: has spi 0xCCE1EB5 and conn_id 0
Jun 22 12:15:36.959 SGT: lifetime of 2147483647 seconds
Jun 22 12:15:36.959 SGT: lifetime of 2147483647 kilobytes
Jun 22 12:15:36.959 SGT: ISAKMP:(2002): sending packet to 192.168.1.2 my_port 500 peer_port 500 (R) QM_IDLE
Jun 22 12:15:36.959 SGT: ISAKMP:(2002):Sending an IKE IPv4 Packet.
Jun 22 12:15:36.959 SGT: ISAKMP:(2002):Node 712876033, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Jun 22 12:15:36.959 SGT: ISAKMP:(2002):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
Jun 22 12:15:36.963 SGT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jun 22 12:15:36.963 SGT: IPSEC(policy_db_add_ident): src 192.168.1.1, dest 192.168.1.2, dest_port 0
Jun 22 12:15:36.963 SGT: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.1.1, sa_proto= 50,
sa_spi= 0x855E47E7(2237548519),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 7
Jun 22 12:15:36.963 SGT: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.1.2, sa_proto= 50,
sa_spi= 0xCCE1EB5(214834869),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 8
Jun 22 12:15:36.971 SGT: ISAKMP (0:2002): received packet from 192.168.1.2 dport 500 sport 500 Global (R) QM_IDLE
Jun 22 12:15:36.971 SGT: ISAKMP:(2002):deleting node 712876033 error FALSE reason "QM done (await)"
Jun 22 12:15:36.971 SGT: ISAKMP:(2002):Node 712876033, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 22 12:15:36.971 SGT: ISAKMP:(2002):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
Jun 22 12:15:36.975 SGT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jun 22 12:15:36.975 SGT: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Jun 22 12:15:36.975 SGT: IPSEC(key_engine_enable_outbound): enable SA with spi 214834869/50
Jun 22 12:15:36.975 SGT: IPSEC(update_current_outbound_sa): updated peer 192.168.1.2 current outbound sa to SPI CCE1EB5
Jun 22 12:15:39.840 SGT: ISAKMP (0:2002): received packet from 192.168.1.2 dport 500 sport 500 Global (R) QM_IDLE
Jun 22 12:15:39.840 SGT: ISAKMP: set new node -1137516018 to QM_IDLE
Jun 22 12:15:39.840 SGT: ISAKMP:(2002): processing HASH payload. message ID = -1137516018
Jun 22 12:15:39.844 SGT: ISAKMP:(2002): processing SA payload. message ID = -1137516018
Jun 22 12:15:39.844 SGT: ISAKMP:(2002):Checking IPSec proposal 1
Jun 22 12:15:39.844 SGT: ISAKMP: transform 1, ESP_AES
Jun 22 12:15:39.844 SGT: ISAKMP: attributes in transform:
Jun 22 12:15:39.844 SGT: ISAKMP: SA life type in seconds
Jun 22 12:15:39.844 SGT: ISAKMP: SA life duration (VPI) of 0x7F 0xFF 0xFF 0xFF
Jun 22 12:15:39.844 SGT: ISAKMP: SA life type in kilobytes
Jun 22 12:15:39.844 SGT: ISAKMP: SA life duration (VPI) of 0x7F 0xFF 0xFF 0xFF
Jun 22 12:15:39.844 SGT: ISAKMP: encaps is 1 (Tunnel)
Jun 22 12:15:39.844 SGT: ISAKMP: authenticator is HMAC-SHA
Jun 22 12:15:39.844 SGT: ISAKMP: key length is 256
Jun 22 12:15:39.844 SGT: ISAKMP:(2002):atts are acceptable.
Jun 22 12:15:39.844 SGT: IPSEC(validate_proposal_request): proposal part #1
Jun 22 12:15:39.844 SGT: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.1.2/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Jun 22 12:15:39.844 SGT: ISAKMP:(2002): processing NONCE payload. message ID = -1137516018
Jun 22 12:15:39.844 SGT: ISAKMP:(2002): processing ID payload. message ID = -1137516018
Jun 22 12:15:39.844 SGT: ISAKMP:(2002): processing ID payload. message ID = -1137516018
Jun 22 12:15:39.844 SGT: ISAKMP:(2002):QM Responder gets spi
Jun 22 12:15:39.844 SGT: ISAKMP:(2002):Node -1137516018, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 22 12:15:39.844 SGT: ISAKMP:(2002):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
Jun 22 12:15:39.848 SGT: ISAKMP:(2002): Creating IPSec SAs
Jun 22 12:15:39.848 SGT: inbound SA from 192.168.1.2 to 192.168.1.1 (f/i) 0/ 0
(proxy 192.168.1.2 to 0.0.0.0)
Jun 22 12:15:39.848 SGT: has spi 0x5C2D543D and conn_id 0
Jun 22 12:15:39.848 SGT: lifetime of 2147483647 seconds
Jun 22 12:15:39.848 SGT: lifetime of 2147483647 kilobytes
Jun 22 12:15:39.848 SGT: outbound SA from 192.168.1.1 to 192.168.1.2 (f/i) 0/0
(proxy 0.0.0.0 to 192.168.1.2)
Jun 22 12:15:39.848 SGT: has spi 0x65A12EF9 and conn_id 0
Jun 22 12:15:39.848 SGT: lifetime of 2147483647 seconds
Jun 22 12:15:39.848 SGT: lifetime of 2147483647 kilobytes
Jun 22 12:15:39.848 SGT: ISAKMP:(2002): sending packet to 192.168.1.2 my_port 500 peer_port 500 (R) QM_IDLE
Jun 22 12:15:39.848 SGT: ISAKMP:(2002):Sending an IKE IPv4 Packet.
Jun 22 12:15:39.848 SGT: ISAKMP:(2002):Node -1137516018, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Jun 22 12:15:39.848 SGT: ISAKMP:(2002):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
Jun 22 12:15:39.852 SGT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jun 22 12:15:39.852 SGT: IPSEC(policy_db_add_ident): src 0.0.0.0, dest 192.168.1.2, dest_port 0
Jun 22 12:15:39.852 SGT: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.1.1, sa_proto= 50,
sa_spi= 0x5C2D543D(1546474557),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 9
Jun 22 12:15:39.852 SGT: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.1.2, sa_proto= 50,
sa_spi= 0x65A12EF9(1705062137),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 10
Jun 22 12:15:39.856 SGT: ISAKMP (0:2002): received packet from 192.168.1.2 dport 500 sport 500 Global (R) QM_IDLE
Jun 22 12:15:39.856 SGT: ISAKMP: set new node 1401152323 to QM_IDLE
Jun 22 12:15:39.856 SGT: ISAKMP:(2002): processing HASH payload. message ID = 1401152323
Jun 22 12:15:39.856 SGT: ISAKMP:(2002): processing SA payload. message ID = 1401152323
Jun 22 12:15:39.856 SGT: ISAKMP:(2002):Checking IPSec proposal 1
Jun 22 12:15:39.856 SGT: ISAKMP: transform 1, ESP_AES
Jun 22 12:15:39.856 SGT: ISAKMP: attributes in transform:
Jun 22 12:15:39.856 SGT: ISAKMP: SA life type in seconds
Jun 22 12:15:39.856 SGT: ISAKMP: SA life duration (VPI) of 0x7F 0xFF 0xFF 0xFF
Jun 22 12:15:39.856 SGT: ISAKMP: SA life type in kilobytes
Jun 22 12:15:39.856 SGT: ISAKMP: SA life duration (VPI) of 0x7F 0xFF 0xFF 0xFF
Jun 22 12:15:39.856 SGT: ISAKMP: encaps is 1 (Tunnel)
Jun 22 12:15:39.856 SGT: ISAKMP: authenticator is HMAC-SHA
Jun 22 12:15:39.860 SGT: ISAKMP: key length is 256
Jun 22 12:15:39.860 SGT: ISAKMP:(2002):atts are acceptable.
Jun 22 12:15:39.860 SGT: IPSEC(validate_proposal_request): proposal part #1
Jun 22 12:15:39.860 SGT: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Jun 22 12:15:39.860 SGT: ISAKMP:(2002): processing NONCE payload. message ID = 1401152323
Jun 22 12:15:39.860 SGT: ISAKMP:(2002): processing ID payload. message ID = 1401152323
Jun 22 12:15:39.860 SGT: ISAKMP:(2002): processing ID payload. message ID = 1401152323
Jun 22 12:15:39.860 SGT: ISAKMP:(2002):QM Responder gets spi
Jun 22 12:15:39.860 SGT: ISAKMP:(2002):Node 1401152323, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 22 12:15:39.860 SGT: ISAKMP:(2002):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
Jun 22 12:15:39.864 SGT: ISAKMP:(2002): Creating IPSec SAs
Jun 22 12:15:39.864 SGT: inbound SA from 192.168.1.2 to 192.168.1.1 (f/i) 0/ 0
(proxy 172.16.1.0 to 0.0.0.0)
Jun 22 12:15:39.864 SGT: has spi 0xDD6DA6BB and conn_id 0
Jun 22 12:15:39.864 SGT: lifetime of 2147483647 seconds
Jun 22 12:15:39.864 SGT: lifetime of 2147483647 kilobytes
Jun 22 12:15:39.864 SGT: outbound SA from 192.168.1.1 to 192.168.1.2 (f/i) 0/0
(proxy 0.0.0.0 to 172.16.1.0)
Jun 22 12:15:39.864 SGT: has spi 0x4C55A974 and conn_id 0
Jun 22 12:15:39.864 SGT: lifetime of 2147483647 seconds
Jun 22 12:15:39.864 SGT: lifetime of 2147483647 kilobytes
Jun 22 12:15:39.864 SGT: ISAKMP:(2002): sending packet to 192.168.1.2 my_port 500 peer_port 500 (R) QM_IDLE
Jun 22 12:15:39.864 SGT: ISAKMP:(2002):Sending an IKE IPv4 Packet.
Jun 22 12:15:39.868 SGT: ISAKMP:(2002):Node 1401152323, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Jun 22 12:15:39.868 SGT: ISAKMP:(2002):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
Jun 22 12:15:39.868 SGT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jun 22 12:15:39.868 SGT: IPSEC(policy_db_add_ident): src 0.0.0.0, dest 172.16.1.0, dest_port 0
Jun 22 12:15:39.868 SGT: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.1.1, sa_proto= 50,
sa_spi= 0xDD6DA6BB(3714950843),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 11
Jun 22 12:15:39.868 SGT: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.1.2, sa_proto= 50,
sa_spi= 0x4C55A974(1280682356),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 12
Jun 22 12:15:39.872 SGT: ISAKMP (0:2002): received packet from 192.168.1.2 dport 500 sport 500 Global (R) QM_IDLE
Jun 22 12:15:39.872 SGT: ISAKMP:(2002):deleting node -1137516018 error FALSE reason "QM done (await)"
Jun 22 12:15:39.872 SGT: ISAKMP:(2002):Node -1137516018, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 22 12:15:39.872 SGT: ISAKMP:(2002):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
Jun 22 12:15:39.876 SGT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jun 22 12:15:39.876 SGT: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Jun 22 12:15:39.876 SGT: IPSEC(key_engine_enable_outbound): enable SA with spi 1705062137/50
Jun 22 12:15:39.876 SGT: IPSEC(update_current_outbound_sa): updated peer 192.168.1.2 current outbound sa to SPI 65A12EF9
Jun 22 12:15:39.884 SGT: ISAKMP (0:2002): received packet from 192.168.1.2 dport 500 sport 500 Global (R) QM_IDLE
Jun 22 12:15:39.884 SGT: ISAKMP:(2002):deleting node 1401152323 error FALSE reason "QM done (await)"
Jun 22 12:15:39.884 SGT: ISAKMP:(2002):Node 1401152323, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 22 12:15:39.884 SGT: ISAKMP:(2002):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
Jun 22 12:15:39.884 SGT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jun 22 12:15:39.884 SGT: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Jun 22 12:15:39.884 SGT: IPSEC(key_engine_enable_outbound): enable SA with spi 1280682356/50
Jun 22 12:15:39.884 SGT: IPSEC(update_current_outbound_sa): updated peer 192.168.1.2 current outbound sa to SPI 4C55A974
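The output above is several hundred lines for one client connection, which is why it is easy to miss what actually got negotiated. The script below is an added example, not code from the original post, that condenses this kind of `debug crypto isakmp` / `debug crypto ipsec` output into the Phase 1 policy the peer matched, the ISAKMP state transitions, the Mode-Config attributes the client asked for, and the IPsec SAs each Quick Mode created with their proxy identities and SPIs. The sample lines embedded in it are copied from the output above (with the echoed `871W#` prompts removed and cut down to the third Quick Mode); the weak-DH-group note is the script's own check, not something the post states.

```python
"""Summarize Cisco IOS 'debug crypto isakmp' / 'debug crypto ipsec' output.

Added example, not code from the original post: it extracts the Phase 1
policy, ISAKMP state transitions, requested Mode-Config attributes and the
IPsec SAs (proxy identities and SPIs) from debug lines like the ones above.
"""
import re

STATE_RE = re.compile(r"ISAKMP:\((\d+)\):Old State = (\S+) New State = (\S+)")
P1_ATTR_RE = re.compile(r"ISAKMP:\s+(default group|encryption|keylength of|hash|auth)\s+(\S+)")
P1_KEYS = {"default group": "dh_group", "encryption": "encryption",
           "keylength of": "keylength", "hash": "hash", "auth": "auth"}
PROXY_RE = re.compile(r"(local|remote)_proxy= (\S+?)/(\S+?)/\d+/\d+")
SA_RE = re.compile(r"(inbound|outbound) SA from (\S+) to (\S+)")
SPI_RE = re.compile(r"has spi (0x[0-9A-Fa-f]+)")
# MODP groups below 2048 bits; current guidance is group 14 or stronger.
WEAK_DH = {"1": "768-bit MODP", "2": "1024-bit MODP", "5": "1536-bit MODP"}

# Lines copied from the debug output above (echoed "871W#" prompts removed),
# cut down to the Phase 1 policy, a few transitions and the third Quick Mode.
SAMPLE = """\
Jun 22 12:15:36.707 SGT: ISAKMP: default group 2
Jun 22 12:15:36.707 SGT: ISAKMP: encryption AES-CBC
Jun 22 12:15:36.707 SGT: ISAKMP: keylength of 256
Jun 22 12:15:36.707 SGT: ISAKMP: hash SHA
Jun 22 12:15:36.707 SGT: ISAKMP: auth XAUTHInitPreShared
Jun 22 12:15:36.763 SGT: ISAKMP:(2002):Old State = IKE_READY New State = IKE_R_AM2
Jun 22 12:15:36.775 SGT: ISAKMP:(2002):Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE
Jun 22 12:15:36.803 SGT: ISAKMP:(2002):checking request:
Jun 22 12:15:36.803 SGT: ISAKMP: IP4_DNS
Jun 22 12:15:36.803 SGT: ISAKMP: SPLIT_INCLUDE
Jun 22 12:15:36.807 SGT: ISAKMP/author: Author request for group EZVPNsuccessfully sent to AAA
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
Jun 22 12:15:39.864 SGT: ISAKMP:(2002): Creating IPSec SAs
Jun 22 12:15:39.864 SGT: inbound SA from 192.168.1.2 to 192.168.1.1 (f/i) 0/ 0
Jun 22 12:15:39.864 SGT: has spi 0xDD6DA6BB and conn_id 0
Jun 22 12:15:39.864 SGT: outbound SA from 192.168.1.1 to 192.168.1.2 (f/i) 0/0
Jun 22 12:15:39.864 SGT: has spi 0x4C55A974 and conn_id 0
Jun 22 12:15:39.884 SGT: ISAKMP:(2002):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
"""


def parse_debug(lines):
    parsed = {"phase1": {}, "transitions": [], "modecfg_requested": [], "sas": []}
    pending_proxy = {}   # proxies from the most recent validate_proposal_request
    current_sa = None    # SA whose "has spi" line has not arrived yet
    in_modecfg = False   # inside a "checking request:" attribute list
    for raw in lines:
        line = raw.strip()
        if in_modecfg:
            # The request list ends when the router hands the group off to AAA.
            if "ISAKMP/author" in line:
                in_modecfg = False
            else:
                parsed["modecfg_requested"].append(line.split("ISAKMP:", 1)[-1].strip())
        elif line.endswith("checking request:"):
            in_modecfg = True
        elif m := STATE_RE.search(line):
            conn, old, new = m.groups()
            parsed["transitions"].append((int(conn), old, new))
        elif m := P1_ATTR_RE.search(line):
            parsed["phase1"][P1_KEYS[m.group(1)]] = m.group(2)
        elif m := PROXY_RE.search(line):
            pending_proxy[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        elif m := SA_RE.search(line):
            current_sa = {"direction": m.group(1), "src": m.group(2), "dst": m.group(3),
                          "local_proxy": pending_proxy.get("local"),
                          "remote_proxy": pending_proxy.get("remote")}
        elif current_sa and (m := SPI_RE.search(line)):
            current_sa["spi"] = m.group(1)
            parsed["sas"].append(current_sa)
            current_sa = None
    return parsed


def phase1_notes(phase1):
    """Defender-side observations about the negotiated Phase 1 policy."""
    notes = []
    group = phase1.get("dh_group")
    if group in WEAK_DH:
        notes.append(f"DH group {group} ({WEAK_DH[group]}) is below the 2048-bit minimum "
                     "(group 14 or higher) that current guidance recommends")
    if phase1.get("auth", "").endswith("PreShared"):
        notes.append("authentication is a shared group key plus XAUTH, so the per-user "
                     "XAUTH credentials are what tell one client from another")
    return notes


def summarize(parsed):
    p1 = parsed["phase1"]
    out = [f"Phase 1 policy: {p1.get('encryption')}-{p1.get('keylength')} {p1.get('hash')} "
           f"DH group {p1.get('dh_group')} auth {p1.get('auth')}"]
    out += [f"  note: {n}" for n in phase1_notes(p1)]
    out += [f"  conn {c}: {old} -> {new}" for c, old, new in parsed["transitions"] if old != new]
    out.append("Mode-Config attributes requested: " + ", ".join(parsed["modecfg_requested"]))
    out += [f"  {sa['direction']:8} {sa['src']} -> {sa['dst']} spi {sa['spi']} "
            f"proxy {sa['local_proxy']} <-> {sa['remote_proxy']}" for sa in parsed["sas"]]
    return out


if __name__ == "__main__":
    for row in summarize(parse_debug(SAMPLE.splitlines())):
        print(row)
```

Fed the complete output above (with the echoed prompts removed), it reports one Phase 1 policy (AES-256, SHA, DH group 2, pre-shared key plus XAUTH), the 2001 SA moving to IKE_DEST_SA while 2002 runs through XAUTH and the Mode-Config authorization, and three Quick Mode SA pairs whose proxies are 192.168.1.1/32 to 192.168.1.2/32, 0.0.0.0/0 to 192.168.1.2/32, and 0.0.0.0/0 to 172.16.1.0/24. Proxy identities are taken from the `validate_proposal_request` lines because, unlike the `(proxy ...)` lines, they carry the mask.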
aes AES - Advanced Encryption Standard.
des DES - Data Encryption Standard (56 bit keys).
871W(config-isakmp)#encryption aes ?
128 128 bit keys.
192 192 bit keys.
256 256 bit keys.
<cr>
871W(config-isakmp)#encryption aes 256
871W(config-isakmp)#authentication ?
pre-share Pre-Shared Key
rsa-encr Rivest-Shamir-Adleman Encryption
rsa-sig Rivest-Shamir-Adleman Signature
871W(config-isakmp)#authentication pre-share
871W(config-isakmp)#group ?
1 Diffie-Hellman group 1
2 Diffie-Hellman group 2
5 Diffie-Hellman group 5
871W(config-isakmp)#group 2
871W(config-isakmp)#exit
871W(config)#crypto isakmp client ?
configuration Set client configuration policy
firewall Define client firewall
871W(config)#crypto isakmp client configuration ?
address-pool Set network address for client
browser-proxy Set browser proxy attributes for client
group Set group profile attributes for client
871W(config)#crypto isakmp client configuration grup ?
% Unrecognized command
871W(config)#crypto isakmp client configuration group ?
WORD group name
871W(config)#crypto isakmp client configuration group EZVPN // NEED TO INPUT IN EZVPN CLIENT
871W(config-isakmp-group)#?
ISAKMP group policy config commands:
access-restrict Restrict clients in this group to an interface
acl Specify split tunneling inclusion access-list
number
auto-update Configure auto-upgrade
backup-gateway Specify backup gateway
banner Specify mode config banner
browser-proxy Configure browser-proxy
configuration Push configuration to the client
crypto Client group crypto aaa attribute list
dhcp Configure DHCP parameters
dns Specify DNS Addresses
domain Set default domain name to send to client
exit Exit from ISAKMP client group policy
configuration mode
firewall Enforce group firewall feature
group-lock Enforce group lock feature
include-local-lan Enable Local LAN Access with no split tunnel
key pre-shared key/IKE password
max-logins Set maximum simultaneous logins for users in
this group
max-users Set maximum number of users for this group
netmask netmask used by the client for local
connectivity
no Negate a command or set its defaults
pfs The client should propose PFS
pool Set name of address pool
save-password Allows remote client to save XAUTH password
smartcard-removal-disconnect Enables smartcard-removal-disconnect
split-dns DNS name to append for resolution
wins Specify WINS Addresses
871W(config-isakmp-group)#key ?
0 Specifies an UNENCRYPTED password will follow
6 Specifies an ENCRYPTED password will follow
WORD The UNENCRYPTED (cleartext) user password
871W(config-isakmp-group)#key cisco // NEED TO INPUT IN EZVPN CLIENT
871W(config-isakmp-group)#save-password // ALLOWS EZVPN CLIENT TO SAVE PASSWORD IN AN AUTOMATIC VPN CONNECTION
871W(config-isakmp-group)#exit
871W(config)#crypto ipsec ?
client Configure a client
df-bit Handling of encapsulated DF bit.
fragmentation Handling of fragmentation of near-MTU sized packets
nat-transparency IPsec NAT transparency model
optional Enable optional encryption for IPSec
profile Configure an ipsec policy profile
security-association Security association parameters
transform-set Define transform and settings
871W(config)#crypto ipsec transform-set ?
WORD Transform set tag
871W(config)#crypto ipsec transform-set EZVPN_TSET ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
871W(config)#crypto ipsec transform-set EZVPN_TSET esp-aes ?
128 128 bit keys.
192 192 bit keys.
256 256 bit keys.
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-sha-hmac ESP transform using HMAC-SHA auth
<cr>
871W(config)#crypto ipsec transform-set EZVPN_TSET esp-aes 256 ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-sha-hmac ESP transform using HMAC-SHA auth
<cr>
871W(config)#crypto ipsec transform-set EZVPN_TSET esp-aes 256 esp-sha-hmac
871W(cfg-crypto-trans)#ex
871W(config)#crypto dynamic-map ?
WORD Dynamic crypto map template tag
871W(config)#crypto dynamic-map EZVPN_MAP ?
<1-65535> Sequence to insert into dynamic-map entry
871W(config)#crypto dynamic-map EZVPN_MAP 10
871W(config-crypto-map)#?
Crypto Map configuration commands:
default Set a command to its defaults
description Description of the crypto map statement policy
dialer Dialer related commands
exit Exit from crypto map configuration mode
match Match values.
no Negate a command or set its defaults
reverse-route Reverse Route Injection.
set Set values for encryption/decryption
871W(config-crypto-map)#set ?
identity Identity restriction.
ip Interface Internet Protocol config commands
isakmp-profile Specify isakmp Profile
nat Set NAT translation
peer Allowed Encryption/Decryption peer.
pfs Specify pfs settings
reverse-route Reverse Route Injection.
security-association Security association parameters
transform-set Specify list of transform sets in priority order
871W(config-crypto-map)#set transform-set ?
WORD Proposal tag
871W(config-crypto-map)#set transform-set EZVPN_TSET
871W(config-crypto-map)#exit
871W(config)#crypto map EZVPN_CLIENT_MAP ?
<1-65535> Sequence to insert into crypto map entry
client Specify client configuration settings
isakmp Specify isakmp configuration settings
isakmp-profile Specify isakmp profile to use
local-address Interface to use for local address for this crypto map
redundancy High availability options for this map
871W(config)#crypto map EZVPN_CLIENT_MAP client ?
accounting Accounting parameters.
authentication Use Extended Authentication
configuration Specify client configuration settings
871W(config)#crypto map EZVPN_CLIENT_MAP client authentication ?
list AAA authentication list to use
871W(config)#crypto map EZVPN_CLIENT_MAP client authentication list EZVPN_AUTHENTICATION
871W(config)#crypto map EZVPN_CLIENT_MAP isakmp ?
authorization Authorization parameters.
871W(config)#crypto map EZVPN_CLIENT_MAP isakmp authorization ?
list AAA authorization list to use
871W(config)#crypto map EZVPN_CLIENT_MAP isakmp authorization list EZVPN_AUTHORIZATION
871W(config)#crypto map EZVPN_CLIENT_MAP client ?
accounting Accounting parameters.
authentication Use Extended Authentication
configuration Specify client configuration settings
871W(config)#crypto map EZVPN_CLIENT_MAP client configuration ?
address Specify client network address configuration
871W(config)#crypto map EZVPN_CLIENT_MAP client configuration address ?
initiate Push the network address to the client
respond Respond to network address requests from the client
871W(config)#crypto map EZVPN_CLIENT_MAP client configuration address respond
871W(config)#crypto map EZVPN_CLIENT_MAP ?
<1-65535> Sequence to insert into crypto map entry
client Specify client configuration settings
isakmp Specify isakmp configuration settings
isakmp-profile Specify isakmp profile to use
local-address Interface to use for local address for this crypto map
redundancy High availability options for this map
871W(config)#crypto map EZVPN_CLIENT_MAP 10 ?
gdoi GDOI
ipsec-isakmp IPSEC w/ISAKMP
ipsec-manual IPSEC w/manual keying
<cr>
871W(config)#crypto map EZVPN_CLIENT_MAP 10 ipsec-isakmp ?
dynamic Enable dynamic crypto map support
profile Enable crypto map as a crypto-profile
<cr>
871W(config)#crypto map EZVPN_CLIENT_MAP 10 ipsec-isakmp dynamic ?
WORD Name of dynamic-map template
871W(config)#crypto map EZVPN_CLIENT_MAP 10 ipsec-isakmp dynamic EZVPN_MAP
871W(config)#do show ip interface brief
Interface IP-Address OK? Method Status Protocol
BVI1 192.168.1.1 YES NVRAM up up
Dot11Radio0 unassigned YES NVRAM up up
FastEthernet0 unassigned YES unset up up
FastEthernet1 unassigned YES unset administratively down down
FastEthernet2 unassigned YES unset administratively down down
FastEthernet3 unassigned YES unset administratively down down
FastEthernet4 222.165.117.23 YES DHCP up up
Group-Async4 unassigned YES NVRAM down down
NVI0 unassigned YES unset administratively down down
Vlan1 unassigned YES NVRAM up up
871W(config)#interface bv1
871W(config-if)#crypto map ?
WORD Crypto Map tag
<cr>
871W(config-if)#crypto map EZVPN_CLIENT_MAP
871W(config-if)#end
Below are the screenshots and CLI commands to configure the Easy VPN remote hardware client on an ASA 5505. I chose network extension mode so that the ASA 5505 can communicate directly with other remote sites, which is typical of a hub-and-spoke network environment. I've also created a local user account (ezvpnuser) so that XAUTH is applied automatically each time the VPN connection is initiated.
ASA5505(config)# vpnclient ?
configure mode commands/options:
enable Enables/disables the Easy VPN connection
ipsec-over-tcp Configures the Easy VPN client to use TCP encapsulation
mac-exempt Configures MAC addresses that are exempt from Easy VPN
user authentication
management Configures remote management of the Easy VPN client
connection over a tunnel
mode Configures the Easy VPN client connection as client mode
or network extension mode
nem-st-autoconnect Configures a network extension Easy VPN client to
automatically connect to the configured server list
server Configures a server list to be used for access by the
Easy VPN client connection
server-certificate Configures the Easy VPN client to accept specific server
certificates
trustpoint Configures the Easy VPN client to use a specific identity
certificate
username Configures a user name for the Easy VPN client
vpngroup Configures a VPN group name for the Easy VPN client
exec mode commands/options:
connect Establishes an Easy VPN connection
disconnect Disconnects an Easy VPN connection
ASA5505(config)# vpnclient mode ?
configure mode commands/options:
client-mode Easy VPN client mode
network-extension-mode Easy VPN network extension mode
ASA5505(config)# vpnclient mode network-extension-mode
ASA5505(config)# vpnclient nem-st-autoconnect
ASA5505(config)# vpnclient vpngroup ?
configure mode commands/options:
WORD < 65 char Enter group name that corresponds to the tunnel-group on the
headend device.
ASA5505(config)# vpnclient vpngroup EZVPN ?
configure mode commands/options:
password Enter keyword to configure a VPN group password for the Easy VPN
Client
ASA5505(config)# vpnclient vpngroup EZVPN password ?
configure mode commands/options:
0 Specifies an UNENCRYPTED password will follow
8 Specifies an ENCRYPTED password will follow
WORD < 129 char Enter the password for this group
ASA5505(config)# vpnclient vpngroup EZVPN password cisco
ASA5505(config)# vpnclient username ezvpnuser ?
configure mode commands/options:
password Enter keyword to configure a user password for the Easy VPN Client
ASA5505(config)# vpnclient username ezvpnuser password ?
configure mode commands/options:
0 Specifies an UNENCRYPTED password will follow
8 Specifies an ENCRYPTED password will follow
WORD < 65 char Enter the password for this user
ASA5505(config)# vpnclient username ezvpnuser password cisco
ASA5505(config)# vpnclient server ?
configure mode commands/options:
Hostname or A.B.C.D The IP address or name of the primary server
WORD < 129 char The DNS host name of the primary server
ASA5505(config)# vpnclient server 192.168.1.1
ASA5505(config)# vpnclient enable
Here are some useful show commands issued from both the Easy VPN server (871w) and Easy VPN remote hardware client (ASA 5505):
871W#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.1.1 192.168.1.2 QM_IDLE 2001 0 ACTIVE // QM_IDLE STATES THAT SECURITY ASSOCIATION (SA) WITH ITS PEER IS AUTHENTICATED
IPv6 Crypto ISAKMP SA
871W#show crypto ipsec sa
interface: BVI1
Crypto map tag: EZVPN_CLIENT_MAP, local addr 192.168.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
current_peer 192.168.1.2 port 500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
path mtu 1500, ip mtu 1500, ip mtu idb BVI1
current outbound spi: 0x5BA21DD1(1537351121)
inbound esp sas:
spi: 0xFE147998(4262754712)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: Motorola SEC 1.0:3, crypto map: EZVPN_CLIENT_MAP
sa timing: remaining key lifetime (k/sec): (4489183/3233)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x5BA21DD1(1537351121)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: Motorola SEC 1.0:4, crypto map: EZVPN_CLIENT_MAP
sa timing: remaining key lifetime (k/sec): (4489183/3233)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
current_peer 192.168.1.2 port 500
PERMIT, flags={}
#pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
path mtu 1500, ip mtu 1500, ip mtu idb BVI1
current outbound spi: 0xF9CC2A0E(4190906894)
inbound esp sas:
spi: 0x6A97941F(1788318751)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: Motorola SEC 1.0:5, crypto map: EZVPN_CLIENT_MAP
sa timing: remaining key lifetime (k/sec): (4463025/3233)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xF9CC2A0E(4190906894)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: Motorola SEC 1.0:6, crypto map: EZVPN_CLIENT_MAP
sa timing: remaining key lifetime (k/sec): (4463024/3233)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
current_peer 192.168.1.2 port 500
PERMIT, flags={}
#pkts encaps: 200, #pkts encrypt: 200, #pkts digest: 200
#pkts decaps: 200, #pkts decrypt: 200, #pkts verify: 200
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
path mtu 1500, ip mtu 1500, ip mtu idb BVI1
current outbound spi: 0xDAAFA04C(3668942924)
inbound esp sas:
spi: 0x5DD0BFFD(1573961725)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: Motorola SEC 1.0:1, crypto map: EZVPN_CLIENT_MAP
sa timing: remaining key lifetime (k/sec): (4488095/3230)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xDAAFA04C(3668942924)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: Motorola SEC 1.0:2, crypto map: EZVPN_CLIENT_MAP
sa timing: remaining key lifetime (k/sec): (4488095/3230)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
We issue the identical show crypto commands on the ASA:
ASA5505# show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.1.1
Type : user Role : initiator
Rekey : no State : AM_ACTIVE // AGGRESSIVE MODE WAS USED TO SET UP THE TUNNEL FOR IKE PHASE 1
There are no IKEv2 SAs
ASA5505# show crypto ipsec sa
interface: outside
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.2
access-list _vpnc_acl extended permit ip 172.16.1.0 255.255.255.0 any
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 192.168.1.1, username: 192.168.1.1
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.2/0, remote crypto endpt.: 192.168.1.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 6A97941F
current inbound spi : F9CC2A0E
inbound esp sas:
spi: 0xF9CC2A0E (4190906894)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Tunnel, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 3372
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x6A97941F (1788318751)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Tunnel, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 3372
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.2
access-list _vpnc_acl extended permit ip host 192.168.1.2 host 192.168.1.1
local ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
current_peer: 192.168.1.1, username: 192.168.1.1
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
#pkts decaps: 100, #pkts decrypt: 100, #pkts verify: 100
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 100, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.2/0, remote crypto endpt.: 192.168.1.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 5DD0BFFD
current inbound spi : DAAFA04C
inbound esp sas:
spi: 0xDAAFA04C (3668942924)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Tunnel, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 3367
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x5DD0BFFD (1573961725)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Tunnel, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 3367
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.2
access-list _vpnc_acl extended permit ip host 192.168.1.2 any
local ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 192.168.1.1, username: 192.168.1.1
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.2/0, remote crypto endpt.: 192.168.1.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: FE147998
current inbound spi : 5BA21DD1
inbound esp sas:
spi: 0x5BA21DD1 (1537351121)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Tunnel, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 3370
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xFE147998 (4262754712)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Tunnel, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 3370
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA5505# show vpn-sessiondb ra-ikev1-ipsec
Session Type: IKEv1 IPsec
Index : 1
Assigned IP : 172.16.1.0 Peer IP : 192.168.1.1
Protocol : IKEv1 IPsec
License : Other VPN
Encryption : IKEv1: (1)AES256 IPsec: (3)AES256
Hashing : IKEv1: (1)SHA1 IPsec: (3)SHA1
Bytes Tx : 10000 Bytes Rx : 10300
Login Time : 11:58:28 SGT Sun Jun 22 2014
Duration : 0h:05m:01s
Inactivity : 0h:00m:00s
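The `show crypto ipsec sa` output on both peers is long, and the quickest sanity check when a tunnel reports ACTIVE is that the SPIs mirror each other: the server's outbound SPI must appear as the client's inbound SPI and vice versa, and the packet counters tell you whether traffic is flowing in both directions. Here is an added Python example (not from the original post) that parses both outputs in the IOS and ASA spacing shown above and runs those two checks; the sample excerpts are constructed from the SPI and counter values the two devices reported.

```python
"""Cross-check the ESP SAs that both Easy VPN peers report in `show crypto ipsec sa`."""
import re

# Line patterns; they accept both the IOS spacing "spi: 0x6A97941F(1788318751)"
# and the ASA spacing "spi: 0x6A97941F (1788318751)".
IDENT_RE = re.compile(r"^\s*(local|remote) ident[^:]*:\s*\(([^/]+/[^/]+)/")
PKTS_RE = re.compile(r"^\s*#pkts (encaps|decaps):\s*(\d+)")
DIR_RE = re.compile(r"^\s*(inbound|outbound) esp sas:")
SPI_RE = re.compile(r"^\s*spi:\s*0x([0-9A-Fa-f]+)")  # "current ... spi:" lines do not match


def parse_ipsec_sa(text: str) -> list[dict]:
    """One dict per IPsec flow: traffic selectors, packet counters, first SPI per direction."""
    flows: list[dict] = []
    direction = None
    for line in text.splitlines():
        if m := IDENT_RE.match(line):
            if m.group(1) == "local":  # a "local ident" line opens a new flow block
                flows.append({"local": m.group(2), "remote": None, "encaps": 0,
                              "decaps": 0, "inbound": None, "outbound": None})
                direction = None
            elif flows:
                flows[-1]["remote"] = m.group(2)
        elif not flows:
            continue  # header lines before the first flow block
        elif m := PKTS_RE.match(line):
            flows[-1][m.group(1)] = int(m.group(2))
        elif m := DIR_RE.match(line):
            direction = m.group(1)
        elif (m := SPI_RE.match(line)) and direction and flows[-1][direction] is None:
            flows[-1][direction] = m.group(1).upper()
    return flows


def cross_check(server_flows: list[dict], client_flows: list[dict]) -> list[str]:
    """Pair each server flow with the client flow holding the mirrored SPIs; return problems."""
    problems = []
    client_by_inbound = {f["inbound"]: f for f in client_flows if f["inbound"]}
    for s in server_flows:
        tag = f"{s['local']} -> {s['remote']}"
        if not (s["inbound"] and s["outbound"]):
            problems.append(f"{tag}: server has no ESP SA pair (phase 2 incomplete)")
        elif (c := client_by_inbound.get(s["outbound"])) is None:
            problems.append(f"{tag}: client has no inbound SA for server SPI {s['outbound']}")
        elif c["outbound"] != s["inbound"]:
            problems.append(f"{tag}: client sends SPI {c['outbound']}, server expects {s['inbound']}")
    return problems


def one_way_flows(flows: list[dict]) -> list[str]:
    """Remote selectors whose packets move in only one direction through the tunnel."""
    return [f["remote"] for f in flows if bool(f["encaps"]) != bool(f["decaps"])]


# Constructed excerpts trimmed to the lines the parser uses, carrying the SPI and
# counter values the two peers reported above.
SERVER_SA = """\
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
#pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
inbound esp sas:
spi: 0x6A97941F(1788318751)
outbound esp sas:
spi: 0xF9CC2A0E(4190906894)
local ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
#pkts encaps: 200, #pkts encrypt: 200, #pkts digest: 200
#pkts decaps: 200, #pkts decrypt: 200, #pkts verify: 200
inbound esp sas:
spi: 0x5DD0BFFD(1573961725)
outbound esp sas:
spi: 0xDAAFA04C(3668942924)
"""

CLIENT_SA = """\
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
current outbound spi: 6A97941F
current inbound spi : F9CC2A0E
inbound esp sas:
spi: 0xF9CC2A0E (4190906894)
outbound esp sas:
spi: 0x6A97941F (1788318751)
local ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
#pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
#pkts decaps: 100, #pkts decrypt: 100, #pkts verify: 100
inbound esp sas:
spi: 0xDAAFA04C (3668942924)
outbound esp sas:
spi: 0x5DD0BFFD (1573961725)
"""

if __name__ == "__main__":
    server, client = parse_ipsec_sa(SERVER_SA), parse_ipsec_sa(CLIENT_SA)
    print("SA problems:", cross_check(server, client) or "none")
    print("one-way selectors on server:", one_way_flows(server))
```

With the values above the SPI pairs agree, and the only one-way selector is 172.16.1.0/24, which matches the server having encapsulated six packets for that network without anything coming back yet.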
Here is the debug output from the Easy VPN server. Notice that the connection ID changed from 2001 to 2002 because I reset the interface with the EZVPN crypto map applied. You'll also observe the sequence for IKE Phase 1 and Phase 2.
871W#terminal monitor
871W#debug crypto isakmp
Crypto ISAKMP debugging is on
871W#debug crypto ipsec
Crypto IPSEC debugging is on
Jun 22 12:15:36.699 SGT: ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (N) NEW SA // IKE UDP PORT 500
Jun 22 12:15:36.699 SGT: ISAKMP: Found a peer struct for 192.168.1.2, peer port 500
Jun 22 12:15:36.699 SGT: ISAKMP: Locking peer struct 0x8376E10C, refcount 2 for crypto_isakmp_process_block
Jun 22 12:15:36.699 SGT: ISAKMP:(0):(Re)Setting client xauth list EZVPN and state
Jun 22 12:15:36.699 SGT: ISAKMP/xauth: initializing AAA request
Jun 22 12:15:36.699 SGT: ISAKMP: local port 500, remote port 500
Jun 22 12:15:36.703 SGT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 828EB9E8
Jun 22 12:15:36.703 SGT: ISAKMP:(0): processing SA payload. message ID = 0
Jun 22 12:15:36.703 SGT: ISAKMP:(0): processing ID payload. message ID = 0
Jun 22 12:15:36.703 SGT: ISAKMP (0:0): ID payload
next-payload : 13
type : 11
group id : EZVPN
protocol : 0
port : 0
length : 13
Jun 22 12:15:36.703 SGT: ISAKMP:(0):: peer matches *none* of the profiles
Jun 22 12:15:36.703 SGT: ISAKMP:(0): processing vendor id payload
Jun 22 12:15:36.703 SGT: ISAKMP:(0): vendor ID is Unity
Jun 22 12:15:36.703 SGT: ISAKMP:(0): processing vendor id payload
Jun 22 12:15:36.703 SGT: ISAKMP:(0): vendor ID seems Unity/DPD but major 128 mismatch
Jun 22 12:15:36.703 SGT: ISAKMP:(0): vendor ID is XAUTH
Jun 22 12:15:36.703 SGT: ISAKMP:(0): processing vendor id payload
Jun 22 12:15:36.703 SGT: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Jun 22 12:15:36.703 SGT: ISAKMP:(0): vendor ID is NAT-T v2
Jun 22 12:15:36.703 SGT: ISAKMP:(0): processing vendor id payload
Jun 22 12:15:36.703 SGT: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Jun 22 12:15:36.703 SGT: ISAKMP:(0): vendor ID is NAT-T v3
Jun 22 12:15:36.703 SGT: ISAKMP:(0): processing vendor id payload
Jun 22 12:15:36.703 SGT: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Jun 22 12:15:36.703 SGT: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Jun 22 12:15:36.703 SGT: ISAKMP:(0): processing vendor id payload
Jun 22 12:15:36.703 SGT: ISAKMP:(0): processing IKE frag vendor id payload
Jun 22 12:15:36.703 SGT: ISAKMP:(0):Support for IKE Fragmentation not enabled
Jun 22 12:15:36.703 SGT: ISAKMP:(0): local preshared key found
Jun 22 12:15:36.703 SGT: ISAKMP:(0): Authentication by xauth preshared
Jun 22 12:15:36.703 SGT: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Jun 22 12:15:36.707 SGT: ISAKMP: default group 2
Jun 22 12:15:36.707 SGT: ISAKMP: encryption AES-CBC
Jun 22 12:15:36.707 SGT: ISAKMP: keylength of 256
Jun 22 12:15:36.707 SGT: ISAKMP: hash SHA
Jun 22 12:15:36.707 SGT: ISAKMP: auth XAUTHInitPreShared
Jun 22 12:15:36.707 SGT: ISAKMP: life type in seconds
Jun 22 12:15:36.707 SGT: ISAKMP: life duration (VPI) of 0x7F 0xFF 0xFF 0xFF
Jun 22 12:15:36.707 SGT: ISAKMP:(0):atts are acceptable. Next payload is 3
Jun 22 12:15:36.707 SGT: ISAKMP:(0):Acceptable atts:actual life: 86400
Jun 22 12:15:36.707 SGT: ISAKMP:(0):Acceptable atts:life: 0
Jun 22 12:15:36.707 SGT: ISAKMP:(0):Fill atts in sa vpi_length:4
Jun 22 12:15:36.707 SGT: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483647
Jun 22 12:15:36.7
871W#07 SGT: ISAKMP:(0):Returning Actual lifetime: 86400
Jun 22 12:15:36.707 SGT: ISAKMP:(0)::Started lifetime timer: 86400.
Jun 22 12:15:36.707 SGT: ISAKMP:(0): processing KE payload. message ID = 0
Jun 22 12:15:36.755 SGT: ISAKMP:(0): processing NONCE payload. message ID = 0
Jun 22 12:15:36.755 SGT: ISAKMP:(2002): processing vendor id payload
Jun 22 12:15:36.755 SGT: ISAKMP:(2002): vendor ID is Unity
Jun 22 12:15:36.755 SGT: ISAKMP:(2002): processing vendor id payload
Jun 22 12:15:36.755 SGT: ISAKMP:(2002): vendor ID seems Unity/DPD but major 128 mismatch
Jun 22 12:15:36.755 SGT: ISAKMP:(2002): vendor ID is XAUTH
Jun 22 12:15:36.755 SGT: ISAKMP:(2002): processing vendor id payload
Jun 22 12:15:36.755 SGT: ISAKMP:(2002): vendor ID seems Unity/DPD but major 123 mismatch
Jun 22 12:15:36.755 SGT: ISAKMP:(2002): vendor ID is NAT-T v2
Jun 22 12:15:36.759 SGT: ISAKMP:(2002): processing vendor id payload
Jun 22 12:15:36.759 SGT: ISAKMP:(2002): vendor ID seems Unity/DPD but major 157 mismatch
Jun 22 12:15:36.759 SGT: ISAKMP:(2002): vendor ID is NAT-T v3
Jun 22 12:15:36.759 SGT: ISAKMP:(2002): processing vendor id payload
Jun 22 12:15:36.759 SGT: ISAKMP:(2002): vendor ID seems Unity/DPD but major 69 mismatch
Jun 22 12:15:36.759 SGT: ISAKMP (0:2002): vendor ID is NAT-T RFC 3947
Jun 22 12:15:36.759 SGT: ISAKMP:(2002): processing vendor id payload
Jun 22 12:15:36.759 SGT: ISAKMP:(2002): processing IKE frag vendor id payload
Jun 22 12:15:36.759 SGT: ISAKMP:(2002):Support for IKE Fragmentation not enabled
Jun 22 12:15:36.759 SGT: ISAKMP:(2002): constructed NAT-T vendor-rfc3947 ID
Jun 22 12:15:36.759 SGT: ISAKMP:(2002):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
Jun 22 12:15:36.759 SGT: ISAKMP (0:2002): ID payload
next-payload : 10
type : 1
address : 192.168.1.1
protocol : 0
port : 0
length : 12
Jun 22 12:15:36.759 SGT: ISAKMP:(2002):Total payload length: 12
Jun 22 12:15:36.759 SGT: ISAKMP:(2002): sending packet to 192.168.1.2 my_port 500 peer_port 500 (R) AG_INIT_EXCH
Jun 22 12:15:36.759 SGT: ISAKMP:(2002):Sending an IKE IPv4 Packet.
Jun 22 12:15:36.763 SGT: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Jun 22 12:15:36.763 SGT: ISAKMP:(2002):Old State = IKE_READY New State = IKE_R_AM2
Jun 22 12:15:36.767 SGT: ISAKMP (0:2002): received packet from 192.168.1.2 dport 500 sport 500 Global (R) AG_INIT_EXCH
Jun 22 12:15:36.767 SGT: ISAKMP:(2002): processing HASH payload. message ID = 0
Jun 22 12:15:36.767 SGT: ISAKMP:received payload type 20
Jun 22 12:15:36.767 SGT: ISAKMP:received payload type 20
Jun 22 12:15:36.771 SGT: ISAKMP:(2002): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 828EB9E8
Jun 22 12:15:36.771 SGT: ISAKMP:(2002): processing vendor id payload
Jun 22 12:15:36.771 SGT: ISAKMP:(2002): vendor ID is DPD
Jun 22 12:15:36.771 SGT: ISAKMP:(2002):SA authentication status:
authenticated
Jun 22 12:15:36.771 SGT: ISAKMP:(2002):SA has been authenticated with 192.168.1.2
Jun 22 12:15:36.771 SGT: ISAKMP:(2002):SA authentication status:
authenticated
Jun 22 12:15:36.771 SGT: ISAKMP:(2002): Process initial contact,
bring down existing phase 1 and 2 SA's with local 192.168.1.1 remote 192.168.1.2 remote port 500
Jun 22 12:15:36.771 SGT: ISAKMP:(2002):returning IP addr to the address pool
Jun 22 12:15:36.771 SGT: ISAKMP:(2001):received initial contact, deleting SA
Jun 22 12:15:36.771 SGT: ISAKMP:(2001):peer does not do paranoid keepalives.
Jun 22 12:15:36.771 SGT: ISAKMP:(2001):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 192.168.1.2)
Jun 22 12:15:36.771 SGT: ISAKMP:(2002):Returning Actual lifetime: 86400
Jun 22 12:15:36.771 SGT: ISAKMP: set new node -254195553 to CONF_XAUTH
Jun 22 12:15:36.771 SGT: ISAKMP:(2002):Sending NOTIFY RESPONDER_LIFETIME protocol 1
spi 2203
871W#782408, message ID = -254195553
Jun 22 12:15:36.775 SGT: ISAKMP:(2002): sending packet to 192.168.1.2 my_port 500 peer_port 500 (R) QM_IDLE
Jun 22 12:15:36.775 SGT: ISAKMP:(2002):Sending an IKE IPv4 Packet.
Jun 22 12:15:36.775 SGT: ISAKMP:(2002):purging node -254195553
Jun 22 12:15:36.775 SGT: ISAKMP: Sending phase 1 responder lifetime 86400
Jun 22 12:15:36.775 SGT: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Jun 22 12:15:36.775 SGT: ISAKMP:(2002):Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE
Jun 22 12:15:36.775 SGT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jun 22 12:15:36.775 SGT: ISAKMP: set new node -1021527948 to CONF_XAUTH
Jun 22 12:15:36.779 SGT: ISAKMP:(2001): sending packet to 192.168.1.2 my_port 500 peer_port 500 (R) QM_IDLE
Jun 22 12:15:36.779 SGT: ISAKMP:(2001):Sending an IKE IPv4 Packet.
Jun 22 12:15:36.779 SGT: ISAKMP:(2001):purging node -1021527948
Jun 22 12:15:36.779 SGT: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jun 22 12:15:36.779 SGT: ISAKMP:(2001):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Jun 22 12:15:36.779 SGT: ISAKMP:(2002):Need XAUTH // EXTENDED AUTHENTICATION: THE SERVER NOW ASKS THE HARDWARE CLIENT FOR A USERNAME AND PASSWORD
Jun 22 12:15:36.779 SGT: ISAKMP: set new node 478590654 to CONF_XAUTH
Jun 22 12:15:36.779 SGT: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
Jun 22 12:15:36.779 SGT: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
Jun 22 12:15:36.779 SGT: ISAKMP:(2002): initiating peer config to 192.168.1.2. ID = 478590654
Jun 22 12:15:36.783 SGT: ISAKMP:(2002): sending packet to 192.168.1.2 my_port 500 peer_port 500 (R) CONF_XAUTH
Jun 22 12:15:36.783 SGT: ISAKMP:(2002):Sending an IKE IPv4 Packet.
Jun 22 12:15:36.783 SGT: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jun 22 12:15:36.783 SGT: ISAKMP:(2002):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT
Jun 22 12:15:36.783 SGT: ISAKMP:(2001):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 192.168.1.2)
Jun 22 12:15:36.783 SGT: ISAKMP: Unlocking peer struct 0x8376E10C for isadb_mark_sa_deleted(), count 1
Jun 22 12:15:36.787 SGT: ISAKMP:(2001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 22 12:15:36.787 SGT: ISAKMP:(2001):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Jun 22 12:15:36.787 SGT: ISAKMP (0:2002): received packet from 192.168.1.2 dport 500 sport 500 Global (R) CONF_XAUTH
Jun 22 12:15:36.787 SGT: ISAKMP:(2002):processing transaction payload from 192.168.1.2. message ID = 478590654
Jun 22 12:15:36.791 SGT: ISAKMP: Config payload REPLY
Jun 22 12:15:36.791 SGT: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
Jun 22 12:15:36.791 SGT: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
Jun 22 12:15:36.791 SGT: ISAKMP:(2002):deleting node 478590654 error FALSE reason "Done with xauth request/reply exchange"
Jun 22 12:15:36.791 SGT: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
Jun 22 12:15:36.791 SGT: ISAKMP:(2002):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
Jun 22 12:15:36.791 SGT: ISAKMP: set new node 905676590 to CONF_XAUTH
Jun 22 12:15:36.791 SGT: ISAKMP:(2002): initiating peer config to 192.168.1.2. ID = 905676590
Jun 22 12:15:36.791 SGT: ISAKMP:(2002): sending packet to 192.168.1.2 my_port 500 peer_port 500 (R) CONF_XAUTH
Jun 22 12:15:36.791 SGT: ISAKMP:(2002):Sending an IKE IPv4 Packet.
Jun 22 12:15:36.795 SGT: ISAKMP:(2002):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
Jun 22 12:15:36.795 SGT: ISAKMP:(2002):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_SET_SENT
Jun 22 12:15:36.795 SGT: ISAKMP (0:2002): received packet from 192.168.1.2 dport 500 sport 500 Global (R) CONF_XAUTH
Jun 22 12:15:36.799 SGT: ISAKMP:(2002):processing transaction payload from 192.168.1.2. message ID = 905676590
Jun 22 12:15:36.799 SGT: ISAKMP: Config payload ACK
Jun 22 12:15:36.799 SGT: ISAKMP:(2002): (blank) XAUTH ACK Processed
Jun 22 12:15:36.799 SGT: ISAKMP:(2002):deleting node 905676590 error FALSE reason "Transaction mode done"
Jun 22 12:15:36.799 SGT: ISAKMP:(2002):Talking to a Unity Client
Jun 22 12:15:36.799 SGT: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
Jun 22 12:15:36.799 SGT: ISAKMP:(2002):Old State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE // XAUTH PASSED, BACK TO PHASE 1 COMPLETE
Jun 22 12:15:36.799 SGT: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jun 22 12:15:36.799 SGT: ISAKMP:(2002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jun 22 12:15:36.803 SGT: ISAKMP (0:2002): received packet from 192.168.1.2 dport 500 sport 500 Global (R) QM_IDLE
Jun 22 12:15:36.803 SGT: ISAKMP: set new node 1574535261 to QM_IDLE
Jun 22 12:15:36.803 SGT: ISAKMP:(2002):processing transaction payload from 192.168.1.2. message ID = 1574535261
Jun 22 12:15:36.803 SGT: ISAKMP: Config payload REQUEST // MODE-CONFIG: ATTRIBUTES THE CLIENT ASKS THE SERVER TO PUSH
Jun 22 12:15:36.803 SGT: ISAKMP:(2002):checking request:
Jun 22 12:15:36.803 SGT: ISAKMP: IP4_DNS
Jun 22 12:15:36.803 SGT: ISAKMP: IP4_DNS
Jun 22 12:15:36.803 SGT: ISAKMP: IP4_NBNS
Jun 22 12:15:36.803 SGT: ISAKMP: IP4_NBNS
Jun 22 12:15:36.803 SGT: ISAKMP: SPLIT_INCLUDE
Jun 22 12:15:36.803 SGT: ISAKMP: DEFAULT_DOMAIN
Jun 22 12:15:36.803 SGT: ISAKMP: SPLIT_DNS
Jun 22 12:15:36.803 SGT: ISAKMP: PFS
Jun 22 12:15:36.803 SGT: ISAKMP: CONFIG_MODE_UNKNOWN Unknown Attr: 0x7800 // 0x7800-0x7807: PRIVATE-USE (CISCO UNITY) ATTRIBUTES THIS IOS RELEASE DOES NOT RECOGNISE; IGNORED, NOT AN ERROR
Jun 22 12:15:36.803 SGT: ISAKMP: CONFIG_MODE_UNKNOWN Unknown Attr: 0x7801
Jun 22 12:15:36.803 SGT: ISAKMP: CONFIG_MODE_UNKNOWN Unknown Attr: 0x7802
Jun 22 12:15:36.803 SGT: ISAKMP: CONFIG_MODE_UNKNOWN Unknown Attr: 0x7803
Jun 22 12:15:36.803 SGT: ISAKMP: CONFIG_MODE_UNKNOWN Unknown Attr: 0x7804
Jun 22 12:15:36.803 SGT: ISAKMP: CONFIG_MODE_UNKNOWN Unknown Attr: 0x7805
Jun 22 12:15:36.803 SGT: ISAKMP: CONFIG_MODE_UNKNOWN Unknown Attr: 0x7806
Jun 22 12:15:36.803 SGT: ISAKMP: CONFIG_MODE_UNKNOWN Unknown Attr: 0x7807
Jun 22 12:15:36.807 SGT: ISAKMP: BACKUP_SERVER
Jun 22 12:15:36.807 SGT: ISAKMP: APPLICATION_VERSION
Jun 22 12:15:36.807 SGT: ISAKMP: MODECFG_BANNER
Jun 22 12:15:36.807 SGT: ISAKMP/author: Author request for group EZVPNsuccessfully sent to AAA
Jun 22 12:15:36.807 SGT: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
Jun 22 12:15:36.807 SGT: ISAKMP:(2002):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
Jun 22 12:15:36.807 SGT: ISAKMP:(2002):attributes sent in message:
Jun 22 12:15:36.807 SGT: ISAKMP (0/2002): Unknown Attr: CONFIG_MODE_UNKNOWN (0x7800)
Jun 22 12:15:36.807 SGT: ISAKMP (0/2002): Unknown Attr: CONFIG_MODE_UNKNOWN (0x7801)
Jun 22 12:15:36.807 SGT: ISAKMP (0/2002): Unknown Attr: CONFIG_MODE_UNKNOWN (0x7802)
Jun 22 12:15:36.811 SGT: ISAKMP (0/2002): Unknown Attr: CONFIG_MODE_UNKNOWN (0x7803)
Jun 22 12:15:36.811 SGT: ISAKMP (0/2002): Unknown Attr: CONFIG_MODE_UNKNOWN (0x7804)
Jun 22 12:15:36.811 SGT: ISAKMP (0/2002): Unknown Attr: CONFIG_MODE_UNKNOWN (0x7805)
Jun 22 12:15:36.811 SGT: ISAKMP (0/2002): Unknown Attr: CONFIG_MODE_UNKNOWN (0x7806)
Jun 22 12:15:36.811 SGT: ISAKMP (0/2002): Unknown Attr: CONFIG_MODE_UNKNOWN (0x7807)
Jun 22 12:15:36.811 SGT: ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(15)T10, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 14-Sep-09 23:35 by prod_rel_team
Jun 22 12:15:36.811 SGT: ISAKMP:(2002): responding to peer config from 192.168.1.2. ID = 1574535261
Jun 22 12:15:36.811 SGT: ISAKMP: Marking node 1574535261 for late deletion
Jun 22 12:15:36.811 SGT: ISAKMP:(2002): sending packet to 192.168.1.2 my_port 500 peer_port 500 (R) CONF_ADDR
Jun 22 12:15:36.811 SGT: ISAKMP:(2002):Sending an IKE IPv4 Packet.
Jun 22 12:15:36.811 SGT: ISAKMP:(2002):Talking to a Unity Client
Jun 22 12:15:36.811 SGT: ISAKMP:(2002):Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR
Jun 22 12:15:36.811 SGT: ISAKMP:(2002):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_P1_COMPLETE
Jun 22 12:15:36.815 SGT: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jun 22 12:15:36.815 SGT: ISAKMP:(2002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jun 22 12:15:36.951 SGT: ISAKMP (0:2002): received packet from 192.168.1.2 dport 500 sport 500 Global (R) QM_IDLE
Jun 22 12:15:36.951 SGT: ISAKMP: set new node 712876033 to QM_IDLE
Jun 22 12:15:36.951 SGT: ISAKMP:(2002): processing HASH payload. message ID = 712876033
Jun 22 12:15:36.951 SGT: ISAKMP:(2002): processing SA payload. message ID = 712876033
Jun 22 12:15:36.951 SGT: ISAKMP:(2002):Checking IPSec proposal 1
Jun 22 12:15:36.951 SGT: ISAKMP: transform 1, ESP_AES
Jun 22 12:15:36.951 SGT: ISAKMP: attributes in transform:
Jun 22 12:15:36.951 SGT: ISAKMP: SA life type in seconds
Jun 22 12:15:36.951 SGT: ISAKMP: SA life duration (VPI) of 0x7F 0xFF 0xFF 0xFF
Jun 22 12:15:36.951 SGT: ISAKMP: SA life type in kilobytes
Jun 22 12:15:36.951 SGT: ISAKMP: SA life duration (VPI) of 0x7F 0xFF 0xFF 0xFF
Jun 22 12:15:36.955 SGT: ISAKMP: encaps is 1 (Tunnel)
Jun 22 12:15:36.955 SGT: ISAKMP: authenticator is HMAC-SHA
Jun 22 12:15:36.955 SGT: ISAKMP: key length is 256
Jun 22 12:15:36.955 SGT: ISAKMP:(2002):atts are acceptable. // IKE PHASE 2/IPSEC TRANSFORM SET
Jun 22 12:15:36.955 SGT: IPSEC(validate_proposal_request): proposal part #1
Jun 22 12:15:36.955 SGT: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2,
local_proxy= 192.168.1.1/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.1.2/255.255.255.255/0/0 (type=1), // QM #1: HOST-TO-HOST SA 192.168.1.1/32 <-> 192.168.1.2/32
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Jun 22 12:15:36.955 SGT: ISAKMP:(2002): processing NONCE payload. message ID = 712876033
Jun 22 12:15:36.955 SGT: ISAKMP:(2002): processing ID payload. message ID = 712876033
Jun 22 12:15:36.955 SGT: ISAKMP:(2002): processing ID payload. message ID = 712876033
Jun 22 12:15:36.955 SGT: ISAKMP:(2002):QM Responder gets spi
Jun 22 12:15:36.955 SGT: ISAKMP:(2002):Node 712876033, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 22 12:15:36.955 SGT: ISAKMP:(2002):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
Jun 22 12:15:36.955 SGT: ISAKMP:(2002):deleting node 1574535261 error FALSE reason "No Error"
Jun 22 12:15:36.959 SGT: ISAKMP:(2002): Creating IPSec SAs
Jun 22 12:15:36.959 SGT: inbound SA from 192.168.1.2 to 192.168.1.1 (f/i) 0/ 0
(proxy 192.168.1.2 to 192.168.1.1)
Jun 22 12:15:36.959 SGT: has spi 0x855E47E7 and conn_id 0
Jun 22 12:15:36.959 SGT: lifetime of 2147483647 seconds // 2147483647 = 0x7FFFFFFF, THE MAXIMUM THE CLIENT PROPOSED; VERIFY THE INSTALLED LIFETIME WITH show crypto ipsec sa
Jun 22 12:15:36.959 SGT: lifetime of 2147483647 kilobytes
Jun 22 12:15:36.959 SGT: outbound SA from 192.168.1.1 to 192.168.1.2 (f/i) 0/0
(proxy 192.168.1.1 to 192.168.1.2)
Jun 22 12:15:36.959 SGT: has spi 0xCCE1EB5 and conn_id 0
Jun 22 12:15:36.959 SGT: lifetime of 2147483647 seconds
Jun 22 12:15:36.959 SGT: lifetime of 2147483647 kilobytes
Jun 22 12:15:36.959 SGT: ISAKMP:(2002): sending packet to 192.168.1.2 my_port 500 peer_port 500 (R) QM_IDLE
Jun 22 12:15:36.959 SGT: ISAKMP:(2002):Sending an IKE IPv4 Packet.
Jun 22 12:15:36.959 SGT: ISAKMP:(2002):Node 712876033, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Jun 22 12:15:36.959 SGT: ISAKMP:(2002):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
Jun 22 12:15:36.963 SGT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jun 22 12:15:36.963 SGT: IPSEC(policy_db_add_ident): src 192.168.1.1, dest 192.168.1.2, dest_port 0
Jun 22 12:15:36.963 SGT: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.1.1, sa_proto= 50,
sa_spi= 0x855E47E7(2237548519),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 7
Jun 22 12:15:36.963 SGT: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.1.2, sa_proto= 50,
sa_spi= 0xCCE1EB5(214834869),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 8
Jun 22 12:15:36.971 SGT: ISAKMP (0:2002): received packet from 192.168.1.2 dport 500 sport 500 Global (R) QM_IDLE
Jun 22 12:15:36.971 SGT: ISAKMP:(2002):deleting node 712876033 error FALSE reason "QM done (await)"
Jun 22 12:15:36.971 SGT: ISAKMP:(2002):Node 712876033, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 22 12:15:36.971 SGT: ISAKMP:(2002):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
Jun 22 12:15:36.975 SGT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jun 22 12:15:36.975 SGT: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Jun 22 12:15:36.975 SGT: IPSEC(key_engine_enable_outbound): enable SA with spi 214834869/50
Jun 22 12:15:36.975 SGT: IPSEC(update_current_outbound_sa): updated peer 192.168.1.2 current outbound sa to SPI CCE1EB5
Jun 22 12:15:39.840 SGT: ISAKMP (0:2002): received packet from 192.168.1.2 dport 500 sport 500 Global (R) QM_IDLE
Jun 22 12:15:39.840 SGT: ISAKMP: set new node -1137516018 to QM_IDLE
Jun 22 12:15:39.840 SGT: ISAKMP:(2002): processing HASH payload. message ID = -1137516018
Jun 22 12:15:39.844 SGT: ISAKMP:(2002): processing SA payload. message ID = -1137516018
Jun 22 12:15:39.844 SGT: ISAKMP:(2002):Checking IPSec proposal 1
Jun 22 12:15:39.844 SGT: ISAKMP: transform 1, ESP_AES
Jun 22 12:15:39.844 SGT: ISAKMP: attributes in transform:
Jun 22 12:15:39.844 SGT: ISAKMP: SA life type in seconds
Jun 22 12:15:39.844 SGT: ISAKMP: SA life duration (VPI) of 0x7F 0xFF 0xFF 0xFF
Jun 22 12:15:39.844 SGT: ISAKMP: SA life type in kilobytes
Jun 22 12:15:39.844 SGT: ISAKMP: SA life duration (VPI) of 0x7F 0xFF 0xFF 0xFF
Jun 22 12:15:39.844 SGT: ISAKMP: encaps is 1 (Tunnel)
Jun 22 12:15:39.844 SGT: ISAKMP: authenticator is HMAC-SHA
Jun 22 12:15:39.844 SGT: ISAKMP: key length is 256
Jun 22 12:15:39.844 SGT: ISAKMP:(2002):atts are acceptable.
Jun 22 12:15:39.844 SGT: IPSEC(validate_proposal_request): proposal part #1
Jun 22 12:15:39.844 SGT: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.1.2/255.255.255.255/0/0 (type=1), // QM #2: 0.0.0.0/0 <-> 192.168.1.2/32 (TUNNEL-ALL TOWARDS THE CLIENT'S OUTSIDE ADDRESS)
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Jun 22 12:15:39.844 SGT: ISAKMP:(2002): processing NONCE payload. message ID = -1137516018
Jun 22 12:15:39.844 SGT: ISAKMP:(2002): processing ID payload. message ID = -1137516018
Jun 22 12:15:39.844 SGT: ISAKMP:(2002): processing ID payload. message ID = -1137516018
Jun 22 12:15:39.844 SGT: ISAKMP:(2002):QM Responder gets spi
Jun 22 12:15:39.844 SGT: ISAKMP:(2002):Node -1137516018, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 22 12:15:39.844 SGT: ISAKMP:(2002):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
Jun 22 12:15:39.848 SGT: ISAKMP:(2002): Creating IPSec SAs
Jun 22 12:15:39.848 SGT: inbound SA from 192.168.1.2 to 192.168.1.1 (f/i) 0/ 0
(proxy 192.168.1.2 to 0.0.0.0)
Jun 22 12:15:39.848 SGT: has spi 0x5C2D543D and conn_id 0
Jun 22 12:15:39.848 SGT: lifetime of 2147483647 seconds
Jun 22 12:15:39.848 SGT: lifetime of 2147483647 kilobytes
Jun 22 12:15:39.848 SGT: outbound SA from 192.168.1.1 to 192.168.1.2 (f/i) 0/0
(proxy 0.0.0.0 to 192.168.1.2)
Jun 22 12:15:39.848 SGT: has spi 0x65A12EF9 and conn_id 0
Jun 22 12:15:39.848 SGT: lifetime of 2147483647 seconds
Jun 22 12:15:39.848 SGT: lifetime of 2147483647 kilobytes
Jun 22 12:15:39.848 SGT: ISAKMP:(2002): sending packet to 192.168.1.2 my_port 500 peer_port 500 (R) QM_IDLE
Jun 22 12:15:39.848 SGT: ISAKMP:(2002):Sending an IKE IPv4 Packet.
Jun 22 12:15:39.848 SGT: ISAKMP:(2002):Node -1137516018, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Jun 22 12:15:39.848 SGT: ISAKMP:(2002):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
Jun 22 12:15:39.852 SGT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jun 22 12:15:39.852 SGT: IPSEC(policy_db_add_ident): src 0.0.0.0, dest 192.168.1.2, dest_port 0
Jun 22 12:15:39.852 SGT: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.1.1, sa_proto= 50,
sa_spi= 0x5C2D543D(1546474557),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 9
Jun 22 12:15:39.852 SGT: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.1.2, sa_proto= 50,
sa_spi= 0x65A12EF9(1705062137),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 10
Jun 22 12:15:39.856 SGT: ISAKMP (0:2002): received packet from 192.168.1.2 dport 500 sport 500 Global (R) QM_IDLE
Jun 22 12:15:39.856 SGT: ISAKMP: set new node 1401152323 to QM_IDLE
Jun 22 12:15:39.856 SGT: ISAKMP:(2002): processing HASH payload. message ID = 1401152323
Jun 22 12:15:39.856 SGT: ISAKMP:(2002): processing SA payload. message ID = 1401152323
Jun 22 12:15:39.856 SGT: ISAKMP:(2002):Checking IPSec proposal 1
Jun 22 12:15:39.856 SGT: ISAKMP: transform 1, ESP_AES
Jun 22 12:15:39.856 SGT: ISAKMP: attributes in transform:
Jun 22 12:15:39.856 SGT: ISAKMP: SA life type in seconds
Jun 22 12:15:39.856 SGT: ISAKMP: SA life duration (VPI) of 0x7F 0xFF 0xFF 0xFF
Jun 22 12:15:39.856 SGT: ISAKMP: SA life type in kilobytes
Jun 22 12:15:39.856 SGT: ISAKMP: SA life duration (VPI) of 0x7F 0xFF 0xFF 0xFF
Jun 22 12:15:39.856 SGT: ISAKMP: encaps is 1 (Tunnel)
Jun 22 12:15:39.856 SGT: ISAKMP: authenticator is HMAC-SHA
Jun 22 12:15:39.860 SGT: ISAKMP: key length is 256
Jun 22 12:15:39.860 SGT: ISAKMP:(2002):atts are acceptable.
Jun 22 12:15:39.860 SGT: IPSEC(validate_proposal_request): proposal part #1
Jun 22 12:15:39.860 SGT: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4), // QM #3: 0.0.0.0/0 <-> 172.16.1.0/24 (CLIENT INSIDE SUBNET; NETWORK-EXTENSION MODE)
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Jun 22 12:15:39.860 SGT: ISAKMP:(2002): processing NONCE payload. message ID = 1401152323
Jun 22 12:15:39.860 SGT: ISAKMP:(2002): processing ID payload. message ID = 1401152323
Jun 22 12:15:39.860 SGT: ISAKMP:(2002): processing ID payload. message ID = 1401152323
Jun 22 12:15:39.860 SGT: ISAKMP:(2002):QM Responder gets spi
Jun 22 12:15:39.860 SGT: ISAKMP:(2002):Node 1401152323, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 22 12:15:39.860 SGT: ISAKMP:(2002):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
Jun 22 12:15:39.864 SGT: ISAKMP:(2002): Creating IPSec SAs
Jun 22 12:15:39.864 SGT: inbound SA from 192.168.1.2 to 192.168.1.1 (f/i) 0/ 0
(proxy 172.16.1.0 to 0.0.0.0)
Jun 22 12:15:39.864 SGT: has spi 0xDD6DA6BB and conn_id 0
Jun 22 12:15:39.864 SGT: lifetime of 2147483647 seconds
Jun 22 12:15:39.864 SGT: lifetime of 2147483647 kilobytes
Jun 22 12:15:39.864 SGT: outbound SA from 192.168.1.1 to 192.168.1.2 (f/i) 0/0
(proxy 0.0.0.0 to 172.16.1.0)
Jun 22 12:15:39.864 SGT: has spi 0x4C55A974 and conn_id 0
Jun 22 12:15:39.864 SGT: lifetime of 2147483647 seconds
Jun 22 12:15:39.864 SGT: lifetime of 2147483647 kilobytes
Jun 22 12:15:39.864 SGT: ISAKMP:(2002): sending packet to 192.168.1.2 my_port 500 peer_port 500 (R) QM_IDLE
Jun 22 12:15:39.864 SGT: ISAKMP:(2002):Sending an IKE IPv4 Packet.
Jun 22 12:15:39.868 SGT: ISAKMP:(2002):Node 1401152323, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Jun 22 12:15:39.868 SGT: ISAKMP:(2002):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
Jun 22 12:15:39.868 SGT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jun 22 12:15:39.868 SGT: IPSEC(policy_db_add_ident): src 0.0.0.0, dest 172.16.1.0, dest_port 0
Jun 22 12:15:39.868 SGT: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.1.1, sa_proto= 50,
sa_spi= 0xDD6DA6BB(3714950843),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 11
Jun 22 12:15:39.868 SGT: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.1.2, sa_proto= 50,
sa_spi= 0x4C55A974(1280682356),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 12
Jun 22 12:15:39.872 SGT: ISAKMP (0:2002): received packet from 192.168.1.2 dport 500 sport 500 Global (R) QM_IDLE
Jun 22 12:15:39.872 SGT: ISAKMP:(2002):deleting node -1137516018 error FALSE reason "QM done (await)"
Jun 22 12:15:39.872 SGT: ISAKMP:(2002):Node -1137516018, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 22 12:15:39.872 SGT: ISAKMP:(2002):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
Jun 22 12:15:39.876 SGT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jun 22 12:15:39.876 SGT: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Jun 22 12:15:39.876 SGT: IPSEC(key_engine_enable_outbound): enable SA with spi 1705062137/50
Jun 22 12:15:39.876 SGT: IPSEC(update_current_outbound_sa): updated peer 192.168.1.2 current outbound sa to SPI 65A12EF9
Jun 22 12:15:39.884 SGT: ISAKMP (0:2002): received packet from 192.168.1.2 dport 500 sport 500 Global (R) QM_IDLE
Jun 22 12:15:39.884 SGT: ISAKMP:(2002):deleting node 1401152323 error FALSE reason "QM done (await)"
Jun 22 12:15:39.884 SGT: ISAKMP:(2002):Node 1401152323, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 22 12:15:39.884 SGT: ISAKMP:(2002):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
Jun 22 12:15:39.884 SGT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jun 22 12:15:39.884 SGT: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Jun 22 12:15:39.884 SGT: IPSEC(key_engine_enable_outbound): enable SA with spi 1280682356/50
Jun 22 12:15:39.884 SGT: IPSEC(update_current_outbound_sa): updated peer 192.168.1.2 current outbound sa to SPI 4C55A974
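The debug above is long enough that the facts you actually want to check (which mode phase 1 used, whether XAUTH completed, what the client requested in mode-config, and which proxy identities, transform and SPIs each Quick Mode produced) are easy to lose. The script below is an added example, not code from the original post or from Cisco: it parses the line formats visible in the debug above and returns a summary plus the review notes a practitioner would raise. The embedded sample is a constructed subset of those debug lines, re-indented the way IOS prints them; the regexes are assumptions about the 12.4T debug format and may need adjusting for other releases.

```python
"""Summarise an IOS Easy VPN server's 'debug crypto isakmp' / 'debug crypto ipsec'
output: phase 1 mode, XAUTH outcome, mode-config attributes, Quick Mode proxy
identities and installed IPsec SAs. Added example, not code from the original
page; it matches only line formats visible in the debug above (assumed 12.4T format)."""
import ipaddress
import re

# Constructed sample: a subset of the debug lines above, indented as IOS prints them.
SAMPLE = """\
Jun 22 12:15:36.775 SGT: ISAKMP:(2002):Old State = IKE_R_AM2  New State = IKE_P1_COMPLETE
Jun 22 12:15:36.783 SGT: ISAKMP:(2002):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT
Jun 22 12:15:36.791 SGT: ISAKMP:(2002):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
Jun 22 12:15:36.795 SGT: ISAKMP:(2002):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT  New State = IKE_XAUTH_SET_SENT
Jun 22 12:15:36.799 SGT: ISAKMP:(2002):Old State = IKE_XAUTH_SET_SENT  New State = IKE_P1_COMPLETE
Jun 22 12:15:36.803 SGT: ISAKMP: Config payload REQUEST
Jun 22 12:15:36.803 SGT: ISAKMP:       IP4_DNS
Jun 22 12:15:36.803 SGT: ISAKMP:       SPLIT_INCLUDE
Jun 22 12:15:36.803 SGT: ISAKMP:       CONFIG_MODE_UNKNOWN Unknown Attr: 0x7800
Jun 22 12:15:36.807 SGT: ISAKMP (0/2002): Unknown Attr: CONFIG_MODE_UNKNOWN (0x7800)
Jun 22 12:15:36.951 SGT: ISAKMP:       SA life duration (VPI) of 0x7F 0xFF 0xFF 0xFF
Jun 22 12:15:36.955 SGT: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2,
    local_proxy= 192.168.1.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 192.168.1.2/255.255.255.255/0/0 (type=1),
Jun 22 12:15:36.963 SGT: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.1.1, sa_proto= 50,
    sa_spi= 0x855E47E7(2237548519),
    sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 7
Jun 22 12:15:36.971 SGT: ISAKMP:(2002):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
Jun 22 12:15:39.860 SGT: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.1.2,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
Jun 22 12:15:39.868 SGT: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.1.2, sa_proto= 50,
    sa_spi= 0x4C55A974(1280682356),
    sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 12
Jun 22 12:15:39.884 SGT: ISAKMP:(2002):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
"""

STATE_RE = re.compile(r"ISAKMP:\((\d+)\):Old State = (\S+)\s+New State = (\S+)")
ATTR_RE = re.compile(r"ISAKMP:\s+([A-Z][A-Z0-9_]+)\s*$", re.M)  # bare mode-config attribute names
UNKNOWN_RE = re.compile(r"Unknown Attr:.*?\(?(0x[0-9A-Fa-f]+)")  # both 'Unknown Attr' line forms
PROXY_RE = re.compile(
    r"local_proxy= ([^/\s]+)/([^/\s]+)/\d+/\d+ \(type=\d+\),\s*"
    r"remote_proxy= ([^/\s]+)/([^/\s]+)/", re.S)
SA_RE = re.compile(
    r"sa_dest= (\S+), sa_proto= (\d+),\s*sa_spi= 0x([0-9A-Fa-f]+)\(\d+\),\s*"
    r"sa_trans= (.+?) , sa_conn_id= (\d+)", re.S)


def state_transitions(text):
    """(sa_id, old_state, new_state) in the order the ISAKMP state machine logged them."""
    return [(int(sa), old, new) for sa, old, new in STATE_RE.findall(text)]


def quick_mode_proxies(text):
    """(local_proxy, remote_proxy) per Quick Mode proposal, rendered as CIDR."""
    def cidr(ip, mask):
        return str(ipaddress.IPv4Network(f"{ip}/{mask}", strict=False))
    return [(cidr(l, lm), cidr(r, rm)) for l, lm, r, rm in PROXY_RE.findall(text)]


def ipsec_sas(text):
    """Installed IPsec SAs taken from the IPSEC(create_sa) blocks."""
    return [{"dest": d, "proto": int(p), "spi": int(spi, 16), "transform": t, "conn_id": int(c)}
            for d, p, spi, t, c in SA_RE.findall(text)]


def summarize(text):
    trans = state_transitions(text)
    requested = []
    for attr in ATTR_RE.findall(text):
        if attr not in requested:
            requested.append(attr)
    return {
        # IKE_R_AM* / IKE_I_AM* states only occur in aggressive mode (main mode logs IKE_R_MM*)
        "aggressive_mode": any(o.startswith(("IKE_R_AM", "IKE_I_AM")) for _, o, _ in trans),
        # phase 1 resumes from IKE_XAUTH_SET_SENT only once the client ACKs the XAUTH SET
        "xauth_passed": any(o == "IKE_XAUTH_SET_SENT" and n == "IKE_P1_COMPLETE" for _, o, n in trans),
        "phase2_complete": sum(n == "IKE_QM_PHASE2_COMPLETE" for _, _, n in trans),
        "modecfg_requested": requested,
        "unknown_modecfg": sorted(set(UNKNOWN_RE.findall(text))),
        "max_lifetime_proposals": text.count("0x7F 0xFF 0xFF 0xFF"),
    }


def findings(text):
    """Review notes a practitioner would raise from this debug."""
    s, out = summarize(text), []
    if s["aggressive_mode"] and not s["xauth_passed"]:
        out.append("aggressive-mode phase 1 without a completed XAUTH: the group pre-shared key was the only credential")
    for local, remote in quick_mode_proxies(text):
        if local == "0.0.0.0/0":
            out.append(f"tunnel-all: server-side proxy 0.0.0.0/0 towards {remote} (no split-tunnel network on this SA)")
    if s["max_lifetime_proposals"]:
        out.append("client proposed SA lifetime 0x7FFFFFFF; confirm the installed lifetime with 'show crypto ipsec sa'")
    if s["unknown_modecfg"]:
        out.append("mode-config attributes %s are unknown to this IOS release and were ignored" % ", ".join(s["unknown_modecfg"]))
    return out


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
    for note in findings(SAMPLE):
        print("finding:", note)
```

Run it as-is to see the summary for the embedded sample, or feed a saved debug capture to `summarize()` and `findings()`. On the debug above it flags the Quick Mode exchanges whose server-side proxy is 0.0.0.0/0, which is the tunnel-all policy: the client did request SPLIT_INCLUDE, and had a split-tunnel ACL been pushed the local proxy would have been that ACL's networks rather than 0.0.0.0/0.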