Saturday, August 23, 2014

IKEv2 IPsec Site-to-Site VPNs

IKEv2 has streamlined the original IKEv1 Phase 1 and Phase 2 packet exchanges (Main mode, Aggressive mode, and Quick mode) that create the IKE and IPsec SAs for a secure communications tunnel. IKEv1 needs either nine messages (Main mode = 6 + Quick mode = 3) or six messages (Aggressive mode = 3 + Quick mode = 3) for successful operation.

IKEv2 introduces a new packet-exchange process that uses only four messages (note that additional child SAs require further packet exchanges, so this number may increase).

A successful IKEv2 message exchange involves a pair of messages for each of the phases listed here, which have been created to replace the older IKEv1 Phase 1 and Phase 2 negotiations. The corresponding IKEv1 "phases" are shown next to the relevant IKEv2 phase for your reference:

* IKE_SA_INIT (Phase 1)

* IKE_AUTH (Phase 1 and 2)


Phase 1

The first exchange, IKE_SA_INIT, negotiates the security parameters by sending IKEv2 proposals, including the configured encryption and integrity protocols, Diffie-Hellman values, and nonces (random numbers). At this point the two peers generate SKEYSEED (a seed security key value), from which all subsequent IKE keys are derived. The messages in later exchanges are encrypted and authenticated using keys generated from the SKEYSEED value.


Phase 2

The second exchange, IKE_AUTH, operates over the IKE_SA created by the IKE_SA_INIT exchange. It validates the identity of the peers and negotiates the encryption, authentication, and integrity protocols that establish the first CHILD_SA, the ESP or AH SA over which IPsec communication occurs. Peers are authenticated using PSKs, certificates, or the Extensible Authentication Protocol (EAP), which allows legacy authentication methods between peers.

The first CHILD_SA created in the second exchange (Phase 2) is commonly the only SA created for IPsec communication. However, if an application or peer requires additional SAs to secure traffic through an encrypted tunnel, IKEv2 uses the CREATE_CHILD_SA exchange. During the CREATE_CHILD_SA exchange, new Diffie-Hellman values may be generated and different cryptographic protocols used (that is, later SAs are not required to use the key material created during the initial IKE_SA_INIT exchange). This behavior is similar in function to PFS, whereby during an IKEv1 Quick mode exchange new Diffie-Hellman values may be used to prevent the reuse of key material created in the previous Phase 1 exchange. If you do not want to multiplex multiple source/destination traffic pairs over the same SA, you will usually need multiple CREATE_CHILD_SA exchanges to create multiple SAs for securing data traffic.
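The key schedule that the first exchange feeds and the PSK authentication that the second exchange carries, written out as an added Python example (this is not code from the original post). The PRF is HMAC over the hash named by the IKEv2 policy ("prf sha" in the ASA policy later on this page is HMAC-SHA1), the key lengths match that policy (HMAC-SHA256 integrity, AES-256), and the SPIs are the ones that appear in the debug output below; every nonce, DH shared secret and message byte is a constructed stand-in, and the hypothetical `demo()` function only ties the pieces together.

```python
# Added example, not from the original post: the IKEv2 key schedule that the
# IKE_SA_INIT exchange feeds (SKEYSEED and the SK_* keys, RFC 7296 2.13-2.14)
# and the PSK-based AUTH payload that IKE_AUTH carries (RFC 7296 2.15).
# PRF = HMAC over the hash named by the IKEv2 policy; "prf sha" in the ASA
# policy on this page is HMAC-SHA1, which this example uses by default.
# All nonces, DH secrets and message bytes here are constructed sample values.
import hashlib
import hmac
import os

KEY_PAD = b"Key Pad for IKEv2"  # fixed pad string from RFC 7296 section 2.15


def prf(key: bytes, data: bytes, hash_name: str = "sha1") -> bytes:
    """IKEv2 PRF: HMAC keyed with `key` over `data`."""
    return hmac.new(key, data, hash_name).digest()


def prf_plus(key: bytes, seed: bytes, length: int, hash_name: str = "sha1") -> bytes:
    """prf+ (RFC 7296 2.13): T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]), hash_name)
        out += t
        n += 1
    return out[:length]


def derive_ike_keys(ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes, g_ir: bytes,
                    hash_name: str = "sha1", sk_a_len: int = 32, sk_e_len: int = 32) -> dict:
    """SKEYSEED = prf(Ni | Nr, g^ir); the seven SA keys are cut from
    prf+(SKEYSEED, Ni | Nr | SPIi | SPIr) in the order
    SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr.

    SK_d, SK_pi, SK_pr are the PRF's key length (20 bytes for HMAC-SHA1);
    SK_ai/SK_ar are the integrity key length (32 bytes for HMAC-SHA256, as in
    the policy on this page) and SK_ei/SK_er the cipher key length (32 for AES-256).
    """
    plen = hashlib.new(hash_name).digest_size
    skeyseed = prf(ni + nr, g_ir, hash_name)
    lengths = [plen, sk_a_len, sk_a_len, sk_e_len, sk_e_len, plen, plen]
    keymat = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(lengths), hash_name)
    keys, pos = {"SKEYSEED": skeyseed}, 0
    for name, n in zip(["SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr"], lengths):
        keys[name] = keymat[pos:pos + n]
        pos += n
    return keys


def initiator_signed_octets(real_message1: bytes, nr: bytes, init_id_payload_rest: bytes,
                            sk_pi: bytes, hash_name: str = "sha1") -> bytes:
    """InitiatorSignedOctets = RealMessage1 | NonceRData | prf(SK_pi, RestOfInitIDPayload)."""
    return real_message1 + nr + prf(sk_pi, init_id_payload_rest, hash_name)


def psk_auth(psk: bytes, signed_octets: bytes, hash_name: str = "sha1") -> bytes:
    """AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)."""
    return prf(prf(psk, KEY_PAD, hash_name), signed_octets, hash_name)


def demo() -> dict:
    """Hypothetical helper: one initiator-side derivation with constructed inputs."""
    ni, nr = os.urandom(20), os.urandom(20)          # nonces exchanged in IKE_SA_INIT
    spi_i = bytes.fromhex("19E9DEBA22DDD9AD")       # SPIs as seen in the debug on this page
    spi_r = bytes.fromhex("ECBD3F4BE86F51AF")
    g_ir = os.urandom(128)                           # stand-in for a DH group 2 (1024-bit) shared secret
    keys = derive_ike_keys(ni, nr, spi_i, spi_r, g_ir)
    # IDi as the initiator sends it: type 1 (ID_IPV4_ADDR), 3 reserved bytes, then 100.1.1.2
    id_rest = bytes([1, 0, 0, 0]) + bytes([100, 1, 1, 2])
    message1 = b"<constructed stand-in for the IKE_SA_INIT request bytes>"
    auth = psk_auth(b"cisco123", initiator_signed_octets(message1, nr, id_rest, keys["SK_pi"]))
    return {"keys": keys, "auth": auth}


if __name__ == "__main__":
    result = demo()
    for name, value in result["keys"].items():
        print(f"{name:9s} {value.hex()}")
    print("AUTH     ", result["auth"].hex(), f"({len(result['auth'])} bytes)")
```

With HMAC-SHA1 as the PRF the AUTH value is 20 bytes, which is the "Auth data: 20 bytes" the IKE_AUTH debug on this page reports; the responder computes the same AUTH over the initiator's message 1 and its own nonce and compares, so a PSK mismatch (here, ASA1's local key must equal ASA2's remote key) fails at exactly this step.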


ASA1(config)# access-list ?

configure mode commands/options:
  WORD < 241 char  Access list identifier
  alert-interval   Specify the alert interval for generating syslog message
                   106001 which alerts that the system has reached a deny flow
                   maximum. If not specified, the default value is 300 sec
  deny-flow-max    Specify the maximum number of concurrent deny flows that can
                   be created. If not specified, the default value is 4096
ASA1(config)# access-list VPN_ACL ?

configure mode commands/options:
  deny      Specify packets to reject
  extended  Configure access policy for IP traffic through the system
  line      Use this to specify line number at which ACE should be entered
  permit    Specify packets to forward
  remark    Specify a comment (remark) for the access-list after this keyword
  rename    rename an existing access-list
  standard  Use this to configure policy having destination host or network
            only
  webtype   Use this to configure WebVPN related policy
ASA1(config)# access-list VPN_ACL extended ?

configure mode commands/options:
  deny    Specify packets to reject
  permit  Specify packets to forward
ASA1(config)# access-list VPN_ACL extended permit ?

configure mode commands/options:
  <0-255>       Enter protocol number (0 - 255)
  ah
  eigrp
  esp
  gre
  icmp
  icmp6
  igmp
  igrp
  ip
  ipinip
  ipsec
  nos
  object        Specify a service object after this keyword
  object-group  Specify a service or protocol object-group after this keyword
  ospf
  pcp
  pim
  pptp
  snp
  tcp
  udp
ASA1(config)# access-list VPN_ACL extended permit ip ?

configure mode commands/options:
  A.B.C.D            Source IP address
  any                Abbreviation for source address and mask of 0.0.0.0
                     0.0.0.0
  host               Use this keyword to configure source host
  interface          Use interface address as source address
  object             Keyword to enter source object name
  object-group       Network object-group for source address
  object-group-user  User object-group for source address
  user               User for source address [<domain_nickname>\]<user_name>
  user-group         User-group for source address
                     [<domain_nickname>\\]<user_group_name>
ASA1(config)# access-list VPN_ACL extended permit ip 172.16.0.0 255.255.0.0 ?

configure mode commands/options:
  A.B.C.D       Destination IP address
  any           Abbreviation for destination address and mask of 0.0.0.0
                0.0.0.0
  host          Use this keyword to configure destination host
  interface     Use interface address as destination address
  object        Keyword to enter destination object name
  object-group  Network object-group for destination address
ASA1(config)# access-list VPN_ACL extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0    // CRYPTO ACL FOR "INTERESTING" TRAFFIC
ASA1(config)# crypto ?

configure mode commands/options:
  ca           Certification authority
  dynamic-map  Configure a dynamic crypto map
  ikev1        Configure IKEv1 policy
  ikev2        Configure IKEv2 policy
  ipsec        Configure transform-set, IPSec SA lifetime, and fragmentation
  isakmp       Configure ISAKMP
  key          Long term key operations
  map          Configure a crypto map

exec mode commands/options:
  ca  Execute Certification Authority Commands
ASA1(config)# crypto ipsec ?

configure mode commands/options:
  df-bit                Set IPsec DF policy
  fragmentation         Set IPsec fragmentation policy
  ikev1                 Set IKEv1 settings
  ikev2                 Set IKEv2 settings
  security-association  Set security association parameters
ASA1(config)# crypto ipsec ikev2 ?

configure mode commands/options:
  ipsec-proposal  Configure IKEv2 IPSec Policy
ASA1(config)# crypto ipsec ikev2 ipsec-proposal ?

configure mode commands/options:
  WORD < 65 char  Enter the name of the ipsec-proposal
ASA1(config)# crypto ipsec ikev2 ipsec-proposal S2S_VPN_IKEv2
ASA1(config-ipsec-proposal)# ?

ikev2 IPSec Policy configuration commands:
  exit      Exit from ipsec-proposal configuration mode
  help      Help for ikev2 IPSec policy configuration commands
  no        Remove an ikev2 IPSec policy configuration item
  protocol  Configure a protocol for the IPSec proposal
ASA1(config-ipsec-proposal)# protocol ?

ipsec-proposal mode commands/options:
  esp  IPsec Encapsulating Security Payload
ASA1(config-ipsec-proposal)# protocol esp ?

ipsec-proposal mode commands/options:
  encryption  Add one or more encryption algorithms for this protocol
  integrity   Add one or more integrity algorithms for this protocol
ASA1(config-ipsec-proposal)# protocol esp encryption ?

ipsec-proposal mode commands/options:
  3des     3des encryption
  aes      aes encryption
  aes-192  aes-192 encryption
  aes-256  aes-256 encryption
  des      des encryption
  null     null encryption
ASA1(config-ipsec-proposal)# protocol esp encryption aes-256
ASA1(config-ipsec-proposal)# protocol esp integrity ?

ipsec-proposal mode commands/options:
  md5    set hash md5
  sha-1  set hash sha-1
ASA1(config-ipsec-proposal)# protocol esp integrity sha-1
ASA1(config-ipsec-proposal)# exit
ASA1(config)# crypto map ?

configure mode commands/options:
  WORD < 64 char  Crypto map template tag
ASA1(config)# crypto map S2S_VPN_MAP ?

configure mode commands/options:
  <1-65535>  Sequence to insert into map entry
  client     Enable IKE extended authentication (Xauth)
  interface  Name of interface to apply the crypto map to
ASA1(config)# crypto map S2S_VPN_MAP 1 ?

configure mode commands/options:
  annotation    Specify annotation text - to be used by ASDM only
  ipsec-isakmp  IPSec w/ISAKMP
  match         Match address of packets to encrypt
  set           Specify crypto map settings
ASA1(config)# crypto map S2S_VPN_MAP 1 match ?

configure mode commands/options:
  address  Match address of packets to encrypt
ASA1(config)# crypto map S2S_VPN_MAP 1 match address VPN_ACL
ASA1(config)# crypto map S2S_VPN_MAP 1 set ?

configure mode commands/options:
  connection-type       Specify connection-type for site-site connection based
                        on this entry
  ikev1                 Configure IKEv1 policy
  ikev2                 Configure IKEv2 policy
  nat-t-disable         Disable nat-t negotiation for connections based on this
                        entry
  peer                  Set IP address of peer
  pfs                   Specify pfs settings
  reverse-route         Enable reverse route injection for connections based on
                        this entry
  security-association  Security association duration
  trustpoint            Specify trustpoint that defines the certificate to be
                        used while initiating a connection based on this entry
ASA1(config)# crypto map S2S_VPN_MAP 1 set peer ?

configure mode commands/options:
  Hostname or A.B.C.D     IP address
  Hostname or X:X:X:X::X  IPv6 address
ASA1(config)# crypto map S2S_VPN_MAP 1 set peer 200.1.1.2
ASA1(config)# crypto map S2S_VPN_MAP 1 ikev2 ?
ERROR: % Unrecognized command
ASA1(config)# crypto map S2S_VPN_MAP 1 set ikev2 ?

configure mode commands/options:
  ipsec-proposal  Specify list of IPSec proposals in priority order
  pre-shared-key  Specify a pre-shared key to be used while initiating a
                  connection based on this entry
ASA1(config)# crypto map S2S_VPN_MAP 1 set ikev2 ipsec-proposal S2S_VPN_IKEv2
ASA1(config)# crypto map S2S_VPN_MAP interface ?

configure mode commands/options:
Current available interface(s):
  inside   Name of interface GigabitEthernet0
  outside  Name of interface GigabitEthernet1
ASA1(config)# crypto map S2S_VPN_MAP interface outside
ASA1(config)# crypto ikev2 ?

configure mode commands/options:
  cookie-challenge  Enable and configure IKEv2 cookie challenges based on
                    half-open SAs
  enable            Enable IKEv2 on the specified interface
  limit             Enable limits on IKEv2 SAs
  policy            Set IKEv2 policy suite
  redirect          Set IKEv2 redirect
  remote-access     Configure IKEv2 for Remote Access
ASA1(config)# crypto ikev2 policy ?

configure mode commands/options:
  <1-65535>  Policy suite priority(1 highest, 65535 lowest)
ASA1(config)# crypto ikev2 policy 10
ASA1(config-ikev2-policy)# ?

ikev2 policy configuration commands:
  encryption  Configure one or more encryption algorithm
  exit        Exit from ikev2 policy configuration mode
  group       Configure one or more DH groups
  help        Help for ikev2 policy configuration commands
  integrity   Configure one or more integrity algorithm
  lifetime    Configure the ikev2 lifetime
  no          Remove an ikev2 policy configuration item
  prf         Configure one or more hash algorithm
ASA1(config-ikev2-policy)# encryption ?

ikev2-policy mode commands/options:
  3des     3des encryption
  aes      aes encryption
  aes-192  aes-192 encryption
  aes-256  aes-256 encryption
  des      des encryption
  null     null encryption
ASA1(config-ikev2-policy)# encryption aes-256
ASA1(config-ikev2-policy)# integrity ?

ikev2-policy mode commands/options:
  md5     set hash md5
  sha     set hash sha1
  sha256  set hash sha256
  sha384  set hash sha384
  sha512  set hash sha512
ASA1(config-ikev2-policy)# integrity sha256
ASA1(config-ikev2-policy)# group ?

ikev2-policy mode commands/options:
  1  Diffie-Hellman group 1
  2  Diffie-Hellman group 2
  5  Diffie-Hellman group 5
ASA1(config-ikev2-policy)# group 2   // DEFAULT DH GROUP
ASA1(config-ikev2-policy)# lifetime ?

ikev2-policy mode commands/options:
  seconds  Lifetime seconds
ASA1(config-ikev2-policy)# lifetime seconds ?

ikev2-policy mode commands/options:
  <120-2147483647>  Enter the ikev2 lifetime
  none              Disable rekey and allow an unlimited rekey period
ASA1(config-ikev2-policy)# lifetime seconds 86400   // LOWEST VALUE BETWEEN VPN PEER WILL BE CHOSEN
ASA1(config-ikev2-policy)# exit
ASA1(config)# crypto ikev2 enable ?

configure mode commands/options:
Type an interface name to enable
  inside   Name of interface GigabitEthernet0
  outside  Name of interface GigabitEthernet1
  <cr>
ASA1(config)# crypto ikev2 enable outside
ASA1(config)# tunnel-group ?

configure mode commands/options:
  WORD < 65 char  Enter the name of the tunnel group
ASA1(config)# tunnel-group 200.1.1.2 ?

configure mode commands/options:
  type  Enter the type of this group-policy
ASA1(config)# tunnel-group 200.1.1.2 type ?

configure mode commands/options:
  ipsec-l2l      IPSec Site to Site group
  ipsec-ra       IPSec Remote Access group (DEPRECATED)
  remote-access  Remote access (IPSec and WebVPN) group
  webvpn         WebVPN group (DEPRECATED)
ASA1(config)# tunnel-group 200.1.1.2 type ipsec-l2l
ASA1(config)# tunnel-group 200.1.1.2 ?

configure mode commands/options:
  general-attributes  Enter the general-attributes sub command mode
  ipsec-attributes    Enter the ipsec-attributes sub command mode
ASA1(config)# tunnel-group 200.1.1.2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ?

tunnel-group configuration commands:
  chain             Enable sending certificate chain
  exit              Exit from tunnel-group IPSec attribute configuration mode
  help              Help for tunnel group configuration commands
  ikev1             Configure IKEv1
  ikev2             Configure IKEv2
  isakmp            Configure ISAKMP policy
  no                Remove an attribute value pair
  peer-id-validate  Validate identity of the peer using the peer's certificate
ASA1(config-tunnel-ipsec)# ikev2 ?

tunnel-group-ipsec mode commands/options:
  local-authentication   Configure the local authentication method for IKEv2
                         tunnels
  remote-authentication  Configure the remote authentication method required of
                         the remote peer for IKEv2 tunnels
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication ?

tunnel-group-ipsec mode commands/options:
  certificate     Require certificate authentication from remote peer
  pre-shared-key  Require pre-shared-key authentication from remote peer
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key ?

tunnel-group-ipsec mode commands/options:
  0                Specifies an UNENCRYPTED password will follow
  8                Specifies an ENCRYPTED password will follow
  WORD < 129 char  Enter an alphanumeric string between 1-128 characters
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key cisco
INFO: You must configure ikev2 local-authentication pre-shared-key
      or certificate to complete authentication.
ASA1(config-tunnel-ipsec)# ikev2 local-authentication ?

tunnel-group-ipsec mode commands/options:
  certificate     Select the trustpoint that identifies the cert to be sent to
                  the IKE peer
  pre-shared-key  Configure the local pre-shared-key used to authenticate to
                  the remote peer
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key ?

tunnel-group-ipsec mode commands/options:
  0  Specifies an UNENCRYPTED password will follow
  8  Specifies an ENCRYPTED password will follow
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key cisco123


------


ASA2(config)# access-list VPN_ACL extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0    // "MIRRORED" CRYPTO ACL
ASA2(config)# crypto ipsec ikev2 ipsec-proposal S2S_VPN_IKEv2
ASA2(config-ipsec-proposal)# protocol esp encryption aes-256
ASA2(config-ipsec-proposal)# protocol esp integrity sha-1
ASA2(config-ipsec-proposal)# exit
ASA2(config)# crypto map S2S_VPN_MAP 1 match address VPN_ACL
ASA2(config)# crypto map S2S_VPN_MAP 1 set peer 100.1.1.2
ASA2(config)# crypto map S2S_VPN_MAP 1 set ikev2 ipsec-proposal S2S_VPN_IKEv2
ASA2(config)# crypto map S2S_VPN_MAP interface outside
ASA2(config)# crypto ikev2 policy 10
ASA2(config-ikev2-policy)# encryption aes-256
ASA2(config-ikev2-policy)# integrity sha256
ASA2(config-ikev2-policy)# group 2
ASA2(config-ikev2-policy)# lifetime seconds 86400
ASA2(config-ikev2-policy)# crypto ikev2 enable outside
ASA2(config)# tunnel-group 100.1.1.2 type ipsec-l2l
ASA2(config)# tunnel-group 100.1.1.2 ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key cisco
INFO: You must configure ikev2 remote-authentication pre-shared-key
      and/or certificate to complete authentication.
ASA2(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key cisco123
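The two crypto ACLs above (ASA1's and its "mirrored" copy on ASA2) are what the ASA turns into the IKEv2 traffic selectors (TSi/TSr) seen in the debug further down. The added Python example below (not code from the original post) parses that "permit ip" form, produces the TS_IPV4_ADDR_RANGE start/end addresses, and checks that the peer's ACL is the exact mirror; the third ACE is a constructed mismatch, and the `explain_mismatch` helper is hypothetical. Only network/mask, "host" and "any" address forms are handled; object-groups and port-level entries are out of scope.

```python
# Added example, not from the original post: parse the "permit ip" crypto ACL
# entries configured on ASA1 and ASA2, derive the IKEv2 traffic selector
# ranges the ASA puts in TSi/TSr, and verify that the two ACLs mirror each
# other (a non-mirrored ACL is the usual cause of a TS mismatch). Scope
# assumption: plain "extended permit|deny ip <src> <dst>" entries with
# network/mask, "host", or "any"; object-groups and ports are not handled.
import ipaddress

# First two lines taken from the configuration above; the third is a
# constructed mismatch (ASA2 narrowed to one /24) to show the failing case.
ASA1_ACE = ("ASA1(config)# access-list VPN_ACL extended permit ip 172.16.0.0 255.255.0.0 "
            "192.168.0.0 255.255.0.0    // CRYPTO ACL FOR \"INTERESTING\" TRAFFIC")
ASA2_ACE = ("ASA2(config)# access-list VPN_ACL extended permit ip 192.168.0.0 255.255.0.0 "
            "172.16.0.0 255.255.0.0    // \"MIRRORED\" CRYPTO ACL")
ASA2_BAD_ACE = "access-list VPN_ACL extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0"


def _take_network(tokens):
    """Consume one ASA address spec: any | host A.B.C.D | A.B.C.D MASK."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Return (acl_name, action, src_network, dst_network) for one ACE.
    A leading CLI prompt and a trailing // comment are ignored."""
    tokens = line.split("//", 1)[0].split()
    if "access-list" in tokens:
        tokens = tokens[tokens.index("access-list"):]
    if len(tokens) < 7 or tokens[2] != "extended" or tokens[4] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    name, action = tokens[1], tokens[3]
    try:
        src, rest = _take_network(tokens[5:])
        dst, _ = _take_network(rest)
    except IndexError:
        raise ValueError(f"truncated ACE: {line}") from None
    return name, action, src, dst


def traffic_selector(net):
    """IKEv2 TS_IPV4_ADDR_RANGE for a network, as printed in the TSi/TSr debug."""
    return {
        "type": "TS_IPV4_ADDR_RANGE",
        "proto_id": 0,
        "start_port": 0, "end_port": 65535,
        "start_addr": str(net.network_address),
        "end_addr": str(net.broadcast_address),
    }


def is_mirrored(local_ace, remote_ace):
    """True when the remote ACE is the exact mirror (src/dst swapped) of the local one."""
    _, l_action, l_src, l_dst = parse_ace(local_ace)
    _, r_action, r_src, r_dst = parse_ace(remote_ace)
    return l_action == r_action == "permit" and l_src == r_dst and l_dst == r_src


def explain_mismatch(local_ace, remote_ace):
    """Hypothetical helper: the reason is_mirrored() is False, or '' when it is True."""
    _, _, l_src, l_dst = parse_ace(local_ace)
    _, _, r_src, r_dst = parse_ace(remote_ace)
    problems = []
    if l_src != r_dst:
        problems.append(f"local src {l_src} != remote dst {r_dst}")
    if l_dst != r_src:
        problems.append(f"local dst {l_dst} != remote src {r_src}")
    return "; ".join(problems)


if __name__ == "__main__":
    _, _, src, dst = parse_ace(ASA1_ACE)
    print("TSi:", traffic_selector(src))
    print("TSr:", traffic_selector(dst))
    for peer_ace in (ASA2_ACE, ASA2_BAD_ACE):
        ok = is_mirrored(ASA1_ACE, peer_ace)
        print("mirrored:", ok, "" if ok else explain_mismatch(ASA1_ACE, peer_ace))
```

The /16 ranges this produces (172.16.0.0 to 172.16.255.255 and 192.168.0.0 to 192.168.255.255) are the second TS in each of the TSi and TSr lists in the IKE_AUTH debug below; the first, narrower /32 entry in each list is the address pair of the packet that triggered the negotiation, which the initiator is allowed to send ahead of the broader selector.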


--------


ASA1# show run crypto ikev2
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside

ASA1# show run crypto ipsec
crypto ipsec ikev2 ipsec-proposal S2S_VPN_IKEv2
 protocol esp encryption aes-256
 protocol esp integrity sha-1

ASA1# show run crypto map
crypto map S2S_VPN_MAP 1 match address VPN_ACL
crypto map S2S_VPN_MAP 1 set peer 200.1.1.2
crypto map S2S_VPN_MAP 1 set ikev2 ipsec-proposal S2S_VPN_IKEv2
crypto map S2S_VPN_MAP interface outside



ASA2# show run crypto ikev2
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside

ASA2# show run crypto ipsec
crypto ipsec ikev2 ipsec-proposal S2S_VPN_IKEv2
 protocol esp encryption aes-256
 protocol esp integrity sha-1

ASA2# show run crypto map
crypto map S2S_VPN_MAP 1 match address VPN_ACL
crypto map S2S_VPN_MAP 1 set peer 100.1.1.2
crypto map S2S_VPN_MAP 1 set ikev2 ipsec-proposal S2S_VPN_IKEv2
crypto map S2S_VPN_MAP interface outside


----


ASA1# show crypto ikev2 sa detail

There are no IKEv2 SAs


ASA1# debug crypto ?

  ca          Set PKI debug levels
  condition   Set IPSec/ISAKMP debug filters
  engine      Set crypto engine debug levels
  ike-common  Set IKE common debug levels
  ikev1       Set IKEV1 debug levels
  ikev2       Set IKEV2 debug levels
  ipsec       Set IPSec debug levels
  vpnclient   Set EasyVPN client debug levels
ASA1# debug crypto ikev2 ?

  ha        debug the ikev2 ha
  platform  debug the ikev2 platform
  protocol  debug the ikev2 protocol
  timers    debug the ikev2 timers
ASA1# debug crypto ikev2 platform 127
ASA1# debug crypto ikev2 protocol 127


----


ASA1# IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-3: attempting to find tunnel group for IP: 200.1.1.2
IKEv2-PLAT-3: mapped to tunnel group 200.1.1.2 using peer IP
IKEv2-PLAT-3: my_auth_method = 2
IKEv2-PLAT-3: supported_peers_auth_method = 2
IKEv2-PLAT-3: P1 ID = 0
IKEv2-PLAT-3: Translating IKE_ID_AUTO to = 255
IKEv2-PLAT-3: (1) tp_name set to:
IKEv2-PLAT-3: (1) tg_name set to: 200.1.1.2
IKEv2-PLAT-3: (1) tunn grp type set to: L2L
IKEv2-PLAT-5: New ikev2 sa request admitted
IKEv2-PLAT-5: Incrementing outgoing negotiating sa count by one
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-3: (1): Getting configured policies
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-3: (1): Setting configured policies
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-3: (1): Computing DH public key
IKEv2-PROTO-3: (1):
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-5: (1): Action: Action_Null
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-2: (1): Sending initial message
IKEv2-PROTO-3:   IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA1   SHA256   DH_GROUP_1024_MODP/Group 2
IKEv2-PROTO-5: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-5: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-5: Construct Vendor Specific Payload: FRAGMENTATIONIKEv2-PROTO-3: (1): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 100.1.1.2:500/R 200.1.1.2:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:19E9DEBA22DDD9AD - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: 19E9DEBA22DDD9AD - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 394
 SA  Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2

 KE  Next payload: N, reserved: 0x0, length: 136
    DH group: 2, Reserved: 0x0

     67 fe 46 0c 42 aa f7 c3 9e f6 b1 5d 53 3c 16 8c
     2c 30 c1 36 a3 73 7e 19 77 5b a1 eb df 83 03 b6
     d5 33 67 3a 32 26 d0 fc 47 72 aa 9b 74 60 ae b5
     83 1f 64 5a 6e 9e cf 26 26 60 aa d2 6d f4 88 08
     b9 38 5a 4e 2b f1 c7 02 9e 3d 1e 6a e2 45 a3 3e
     a5 aa 1e 38 3d ae e5 bf 01 ea dc 5b a7 ef 04 bd
     e4 78 22 9d 6c 9f 7d b2 25 ba c8 eb 82 59 03 14
     a3 1b f7 f7 24 03 60 8c 93 f5 33 5c 7c ce 62 24
 N  Next payload: VID, reserved: 0x0, length: 24

     7d 03 ed 8b 83 d7 53 49 f2 bd 2b ff bf 24 ed f0
     59 c5 c3 37
 VID  Next payload: VID, reserved: 0x0, length: 23

     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
 VID  Next payload: NOTIFY, reserved: 0x0, length: 59

     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     f1 85 22 7a a3 a8 ef bc a8 58 ba d9 f5 8e 9a 44
     db 07 7d aa
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: VID, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     84 63 f4 17 2f 4e 26 7a c1 6d fc c7 71 d9 2e ef
     da 6e 51 4f
 VID  Next payload: NONE, reserved: 0x0, length: 20

     40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3

IKEv2-PLAT-4: SENT PKT [IKE_SA_INIT] [100.1.1.2]:500->[200.1.1.2]:500 InitSPI=0x19e9deba22ddd9ad RespSPI=0x0000000000000000 MID=00000000
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-3: (1): Insert SA
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PLAT-4: RECV PKT [IKE_SA_INIT] [200.1.1.2]:500->[100.1.1.2]:500 InitSPI=0x19e9deba22ddd9ad RespSPI=0xecbd3f4be86f51af MID=00000000
IKEv2-PROTO-3: Rx [L 100.1.1.2:500/R 200.1.1.2:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:19E9DEBA22DDD9AD - r: ECBD3F4BE86F51AF]
IKEv2-PROTO-4: IKEV2 HDR ispi: 19E9DEBA22DDD9AD - rspi: ECBD3F4BE86F51AF
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x0, length: 394

 SA  Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2

 KE  Next payload: N, reserved: 0x0, length: 136
    DH group: 2, Reserved: 0x0

     cb 30 95 7d 1b 5e f3 9e 55 35 aa 47 32 ea af 6a
     b6 07 6d d6 f9 12 7a c0 22 fe ae da 1a a5 b8 2d
     aa 70 cd f7 a5 60 08 8b 4f 0f d2 d5 81 c8 41 8f
     48 be 2e b3 c4 f7 bb 13 c8 9c 2a 99 df 65 29 f1
     89 a5 d0 d1 70 4b f6 e6 b3 9c 33 4c 67 95 4a 4a
     0c 20 49 01 34 b2 6e 15 f8 91 a4 09 ec 7d 95 a5
     b1 fb f9 6d 03 92 c4 28 b9 e9 00 9f 3a 57 8d c9
     cb bc 20 b0 6e ea c5 b3 38 63 0c ec a8 8b 16 a4
 N  Next payload: VID, reserved: 0x0, length: 24

     fd 2c be 84 ac 7c d3 a2 65 72 8b 3d d5 e3 6e ff
     2c 5e e9 4b
IKEv2-PROTO-5: Parse Vendor Specific Payload: CISCO-DELETE-REASON VID  Next payload: VID, reserved: 0x0, length: 23

     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: NOTIFY, reserved: 0x0, length: 59

     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     e7 19 65 24 2c 02 09 2d c0 2c 54 d5 48 a0 0f a7
     db 17 8d dc
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: VID, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     f8 67 d4 4b f0 62 47 4a 75 82 a0 b3 cd d4 bc 52
     38 84 2e a8
IKEv2-PROTO-5: Parse Vendor Specific Payload: FRAGMENTATION VID  Next payload: NONE, reserved: 0x0, length:20

     40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3

Decrypted packet:Data: 394 bytes
IKEv2-PLAT-3: Process custom VID payloads
IKEv2-PLAT-3: Cisco Copyright VID received from peer
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-5: (1): Processing initial message
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (1): Processing initial message
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-3: (1): Verify SA init message
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-2: (1): Processing initial message
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-3: (1): Process NAT discovery notify
IKEv2-PROTO-5: (1): Processing nat detect src notify
IKEv2-PROTO-5: (1): Remote address matched
IKEv2-PROTO-5: (1): Processing nat detect dst notify
IKEv2-PROTO-5: (1): Local address matched
IKEv2-PROTO-5: (1): No NAT found
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-3: (1): Check NAT discovery
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-3: (1): Computing DH secret key
IKEv2-PROTO-3: (1):
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-5: (1): Action: Action_Null
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-3: (1): Generate skeyid
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-3: (1): Fragmentation is enabled
IKEv2-PROTO-3: (1): Cisco DeleteReason Notify is enabled
IKEv2-PROTO-3: (1): Complete SA init exchange
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PLAT-2: Build config mode reply: no request stored
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (1): Check for EAP exchange
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-3: (1): Generate my authentication data
IKEv2-PROTO-3: (1): Use preshared key for id 100.1.1.2, key len 8
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (1): Get my authentication method
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-3: (1): Check for EAP exchange
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-2: (1): Sending auth message
IKEv2-PROTO-5: Construct Vendor Specific Payload: CISCO-GRANITEIKEv2-PROTO-3:   ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
   AES-CBC   SHA96
IKEv2-PROTO-5: Construct Notify Payload: INITIAL_CONTACTIKEv2-PROTO-5: Construct Notify Payload: ESP_TFC_NO_SUPPORTIKEv2-PROTO-5: Construct Notify Payload: NON_FIRST_FRAGSIKEv2-PROTO-3: (1): Building packet for encryption; contents are:
 VID  Next payload: IDi, reserved: 0x0, length: 20

     1b e9 df ba 31 ea 2a ea 62 4f 69 f3 ca 01 6a c2
 IDi  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0

     64 01 01 02
 AUTH  Next payload: SA, reserved: 0x0, length: 28
    Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 20 bytes
 SA  Next payload: TSi, reserved: 0x0, length: 44
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id:

 TSi  Next payload: TSr, reserved: 0x0, length: 40
    Num of TSs: 2, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 172.16.0.1, end addr: 172.16.0.1
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 172.16.0.0, end addr: 172.16.255.255
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 40
    Num of TSs: 2, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 192.168.1.1, end addr: 192.168.1.1
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 192.168.0.0, end addr: 192.168.255.255
 NOTIFY(INITIAL_CONTACT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
 NOTIFY(ESP_TFC_NO_SUPPORT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
 NOTIFY(NON_FIRST_FRAGS)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS

IKEv2-PROTO-3: (1): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 100.1.1.2:500/R 200.1.1.2:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:19E9DEBA22DDD9AD - r: ECBD3F4BE86F51AF]
IKEv2-PROTO-4: IKEV2 HDR ispi: 19E9DEBA22DDD9AD - rspi: ECBD3F4BE86F51AF
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x1, length: 288
 ENCR  Next payload: VID, reserved: 0x0, length: 260
Encrypted data: 256 bytes

IKEv2-PLAT-4: SENT PKT [IKE_AUTH] [100.1.1.2]:500->[200.1.1.2]:500 InitSPI=0x19e9deba22ddd9ad RespSPI=0xecbd3f4be86f51af MID=00000001
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PLAT-4: RECV PKT [IKE_AUTH] [200.1.1.2]:500->[100.1.1.2]:500 InitSPI=0x19e9deba22ddd9ad RespSPI=0xecbd3f4be86f51af MID=00000001
IKEv2-PROTO-3: Rx [L 100.1.1.2:500/R 200.1.1.2:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:19E9DEBA22DDD9AD - r: ECBD3F4BE86F51AF]
IKEv2-PROTO-4: IKEV2 HDR ispi: 19E9DEBA22DDD9AD - rspi: ECBD3F4BE86F51AF
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x1, length: 240

REAL Decrypted packet:Data: 168 bytes
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: IDr, reserved: 0x0, length: 20

     ee bd 3e 4b fb 58 a2 e8 62 4f 69 f3 ca 01 6a c2
 IDr  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0

     c8 01 01 02
 AUTH  Next payload: SA, reserved: 0x0, length: 28
    Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 20 bytes
 SA  Next payload: TSi, reserved: 0x0, length: 44
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id:

 TSi  Next payload: TSr, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 172.16.0.0, end addr: 172.16.255.255
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 192.168.0.0, end addr: 192.168.255.255
IKEv2-PROTO-5: Parse Notify Payload: ESP_TFC_NO_SUPPORT NOTIFY(ESP_TFC_NO_SUPPORT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
IKEv2-PROTO-5: Parse Notify Payload: NON_FIRST_FRAGS NOTIFY(NON_FIRST_FRAGS)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS

Decrypted packet:Data: 240 bytes
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-5: (1): Action: Action_Null
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (1): Process auth response notify
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PLAT-3: (1) peer auth method set to: 2
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: I_PROC_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: I_PROC_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-3: (1): Getting configured policies
IKEv2-PLAT-3: connection initiated with tunnel group 200.1.1.2
IKEv2-PLAT-3: (1) tg_name set to: 200.1.1.2
IKEv2-PLAT-3: (1) tunn grp type set to: L2L
IKEv2-PLAT-3: my_auth_method = 2
IKEv2-PLAT-3: supported_peers_auth_method = 2
IKEv2-PLAT-3: P1 ID = 0
IKEv2-PLAT-3: Translating IKE_ID_AUTO to = 255
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-3: (1): Verify peer's policy
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (1): Get peer authentication method
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-3: (1): Get peer's preshared key for 200.1.1.2
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-3: (1): Verify authentication data
IKEv2-PROTO-3: (1): Use preshared key for id 200.1.1.2, key len 5
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: I_PROC_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (1): Check for EAP exchange
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: I_PROC_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: I_PROC_AUTH Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: I_PROC_AUTH Event: EV_PROC_SA_TS
IKEv2-PROTO-2: (1): Processing auth message
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-5: (1): Action: Action_Null
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE
IKEv2-PROTO-3: (1): Closing the PKI session
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-2: (1): SA created; inserting SA into database
IKEv2-PLAT-3:
CONNECTION STATUS: UP... peer: 200.1.1.2:500, phase1_id: 200.1.1.2
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PLAT-3: (1) connection auth hdl set to 0
IKEv2-PLAT-3: AAA conn attribute retrieval successfully queued for register session request.
IKEv2-PROTO-3: (1):
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PLAT-3: (1) idle timeout set to: 30
IKEv2-PLAT-3: (1) session timeout set to: 0
IKEv2-PLAT-3: (1) group policy set to DfltGrpPolicy
IKEv2-PLAT-3: (1) class attr set
IKEv2-PLAT-3: (1) tunnel protocol set to: 0x5c
IKEv2-PLAT-3: IPv4 filter ID not configured for connection
IKEv2-PLAT-3: (1) group lock set to: none
IKEv2-PLAT-3: IPv6 filter ID not configured for connection
IKEv2-PLAT-3: (1) connection attribues set valid to TRUE
IKEv2-PLAT-3: Successfully retrieved conn attrs
IKEv2-PLAT-3: Session registration after conn attr retrieval PASSED, No error
IKEv2-PLAT-3:
CONNECTION STATUS: REGISTERED... peer: 200.1.1.2:500, phase1_id: 200.1.1.2
IKEv2-PROTO-3: (1): Initializing DPD, configured for 10 seconds
IKEv2-PLAT-3: (1) mib_index set to: 501
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: AUTH_DONE Event: EV_GEN_LOAD_IPSEC
IKEv2-PROTO-3: (1): Load IPSEC key material
IKEv2-PLAT-3: PROXY MATCH on crypto map S2S_VPN_MAP seq 1
IKEv2-PLAT-3: (1) DPD Max Time will be: 10
IKEv2-PLAT-3: (1) DPD Max Time will be: 10
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: AUTH_DONE Event: EV_START_ACCT
IKEv2-PROTO-5: (1): Accounting not required
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-3: (1): Checking for duplicate SA
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: READY Event: EV_I_UPDATE_CAC_STATS
IKEv2-PLAT-5: New ikev2 sa request activated
IKEv2-PLAT-5: Decrement count for outgoing negotiating
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001

CurState: READY Event: EV_I_OK
IKEv2-PROTO-5: (1): Deleting negotiation context for my message ID: 0x1
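The IKE_AUTH request and response above show the responder narrowing the initiator's traffic selectors: the initiator offers two entries in each of TSi and TSr (first the host pair that triggered the tunnel, 172.16.0.1 and 192.168.1.1, then the full crypto-map ranges), and the responder answers with a single range each. The parser below is an added example, not code from the page or from Cisco. It reads the TS payloads out of a trimmed, constructed excerpt of this debug and verifies that every selector the responder chose lies inside one the initiator proposed, which is the narrowing rule of RFC 7296 section 2.9; a responder that returned a wider or unrelated range would be reported as a failed negotiation rather than silently accepted.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: the IKE_AUTH request (Tx) and response (Rx) from the
# debug above, trimmed to the lines this parser reads. Addresses are the page's
# own; nothing here is a live capture.
SAMPLE_TRACE = """\
IKEv2-PROTO-3: Tx [L 100.1.1.2:500/R 200.1.1.2:500/VRF i0:f0] m_id: 0x1
 TSi  Next payload: TSr, reserved: 0x0, length: 40
    Num of TSs: 2, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 172.16.0.1, end addr: 172.16.0.1
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 172.16.0.0, end addr: 172.16.255.255
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 40
    Num of TSs: 2, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 192.168.1.1, end addr: 192.168.1.1
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 192.168.0.0, end addr: 192.168.255.255
IKEv2-PROTO-3: Rx [L 100.1.1.2:500/R 200.1.1.2:500/VRF i0:f0] m_id: 0x1
 TSi  Next payload: TSr, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 172.16.0.0, end addr: 172.16.255.255
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 192.168.0.0, end addr: 192.168.255.255
"""

@dataclass(frozen=True)
class Selector:
    start_ip: ipaddress.IPv4Address
    end_ip: ipaddress.IPv4Address
    start_port: int
    end_port: int
    proto: int  # 0 means any protocol

    def contains(self, other: "Selector") -> bool:
        # One selector covers another when the other's address range, port
        # range and protocol all fall inside its own.
        return ((self.proto == 0 or self.proto == other.proto)
                and self.start_ip <= other.start_ip <= other.end_ip <= self.end_ip
                and self.start_port <= other.start_port <= other.end_port <= self.end_port)

DIR_RE = re.compile(r"^IKEv2-PROTO-3: (Tx|Rx) \[")
PAYLOAD_RE = re.compile(r"^\s*(TS[ir])\s+Next payload")
TYPE_RE = re.compile(r"TS type: (\S+), proto id: (\d+)")
PORT_RE = re.compile(r"start port: (\d+), end port: (\d+)")
ADDR_RE = re.compile(r"start addr: (\S+), end addr: (\S+)")

def parse_trace(text):
    """Return {"Tx"/"Rx": {"TSi"/"TSr": [Selector, ...]}} from an ASA IKEv2 debug."""
    out = {d: {"TSi": [], "TSr": []} for d in ("Tx", "Rx")}
    direction = payload = None
    proto, ports = 0, None
    for line in text.splitlines():
        if (m := DIR_RE.match(line)):
            direction = m[1]
        elif (m := PAYLOAD_RE.match(line)):
            payload = m[1]
        elif (m := TYPE_RE.search(line)):
            if m[1] != "TS_IPV4_ADDR_RANGE":
                raise ValueError(f"unsupported traffic selector type {m[1]}")
            proto = int(m[2])
        elif (m := PORT_RE.search(line)):
            ports = (int(m[1]), int(m[2]))
        elif (m := ADDR_RE.search(line)) and direction and payload and ports:
            out[direction][payload].append(Selector(
                ipaddress.IPv4Address(m[1]), ipaddress.IPv4Address(m[2]),
                ports[0], ports[1], proto))
    return out

def check_narrowing(parsed):
    """RFC 7296 s2.9: the responder may narrow the proposed selectors but must
    never answer with one outside them, and must not answer with none."""
    for payload in ("TSi", "TSr"):
        proposed, chosen = parsed["Tx"][payload], parsed["Rx"][payload]
        if not chosen:
            return False
        if not all(any(p.contains(c) for p in proposed) for c in chosen):
            return False
    return True

def negotiated_pairs(parsed):
    """The local/remote ranges the CHILD_SA will actually protect, as strings."""
    def fmt(s):
        return f"{s.start_ip}-{s.end_ip}:{s.start_port}-{s.end_port}"
    return [(fmt(i), fmt(r)) for i in parsed["Rx"]["TSi"] for r in parsed["Rx"]["TSr"]]
```

Feeding the full debug in instead of the excerpt works the same way, because the parser keys only on the `Tx`/`Rx` packet headers and the TS payload lines; everything else in the trace is ignored.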

ASA1# show crypto ikev2 sa detail

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
  8900467         100.1.1.2/500         200.1.1.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/15 sec
      Session-id: 1
      Status Description: Negotiation done
      Local spi: 19E9DEBA22DDD9AD       Remote spi: ECBD3F4BE86F51AF
      Local id: 100.1.1.2
      Remote id: 200.1.1.2
      Local req mess id: 2              Remote req mess id: 0
      Local next mess id: 2             Remote next mess id: 0
      Local req queued: 2               Remote req queued: 0
      Local window: 1                   Remote window: 1
      DPD configured for 10 seconds, retry 2
      NAT-T is not detected
Child sa: local selector  172.16.0.0/0 - 172.16.255.255/65535
          remote selector 192.168.0.0/0 - 192.168.255.255/65535
          ESP spi in/out: 0x761a14dc/0x97dc5e3a
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel


ASA2# show crypto ikev2 sa detail

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
  9509961         200.1.1.2/500         100.1.1.2/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/115 sec
      Session-id: 1
      Status Description: Negotiation done
      Local spi: ECBD3F4BE86F51AF       Remote spi: 19E9DEBA22DDD9AD
      Local id: 200.1.1.2
      Remote id: 100.1.1.2
      Local req mess id: 2              Remote req mess id: 5
      Local next mess id: 2             Remote next mess id: 5
      Local req queued: 2               Remote req queued: 5
      Local window: 1                   Remote window: 1
      DPD configured for 10 seconds, retry 2
      NAT-T is not detected
Child sa: local selector  192.168.0.0/0 - 192.168.255.255/65535
          remote selector 172.16.0.0/0 - 172.16.255.255/65535
          ESP spi in/out: 0x97dc5e3a/0x761a14dc
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
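When both peers report the SA as READY, the two `show crypto ikev2 sa detail` outputs should be mirror images of each other: each side's local SPI is the other's remote SPI, the ESP in/out SPIs swap, the selectors swap, and the negotiated algorithms match. The script below is an added example, not code from the page or from Cisco. It parses a trimmed, constructed copy of the two outputs above, lists any point on which the peers' views disagree, and flags negotiated parameters that a reviewer would want revisited, in this case DH group 2 (1024-bit MODP) and the SHA96 ESP integrity transform (HMAC-SHA1-96). The regular expressions target the field layout shown on this page and are an assumption for other ASA releases.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the lines this parser reads from the two outputs above.
ASA1_OUTPUT = """\
  8900467         100.1.1.2/500         200.1.1.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Local spi: 19E9DEBA22DDD9AD       Remote spi: ECBD3F4BE86F51AF
Child sa: local selector  172.16.0.0/0 - 172.16.255.255/65535
          remote selector 192.168.0.0/0 - 192.168.255.255/65535
          ESP spi in/out: 0x761a14dc/0x97dc5e3a
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
"""
ASA2_OUTPUT = """\
  9509961         200.1.1.2/500         100.1.1.2/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Local spi: ECBD3F4BE86F51AF       Remote spi: 19E9DEBA22DDD9AD
Child sa: local selector  192.168.0.0/0 - 192.168.255.255/65535
          remote selector 172.16.0.0/0 - 172.16.255.255/65535
          ESP spi in/out: 0x97dc5e3a/0x761a14dc
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
"""

@dataclass
class ChildSa:
    local_sel: str = ""
    remote_sel: str = ""
    esp_in: str = ""
    esp_out: str = ""
    encr: str = ""
    keysize: int = 0
    hmac: str = ""

@dataclass
class IkeSa:
    local: str
    remote: str
    status: str
    role: str
    encr: str = ""
    keysize: int = 0
    hash: str = ""
    dh_group: int = 0
    local_spi: str = ""
    remote_spi: str = ""
    child: Optional[ChildSa] = None

TUNNEL_RE = re.compile(r"^\s*\d+\s+(\S+)/\d+\s+(\S+)/\d+\s+(\S+)\s+(\S+)\s*$")
IKE_CRYPTO_RE = re.compile(r"Encr: (\S+), keysize: (\d+), Hash: (\S+), DH Grp:(\d+)")
SPI_RE = re.compile(r"Local spi: (\S+)\s+Remote spi: (\S+)")
SEL_RE = re.compile(r"(local|remote) selector\s+(\S+ - \S+)")
ESP_SPI_RE = re.compile(r"ESP spi in/out: (\S+)/(\S+)")
CHILD_CRYPTO_RE = re.compile(r"Encr: (\S+), keysize: (\d+), esp_hmac: (\S+)")

def parse_show(text):
    """Parse the first IKEv2 SA and its child from 'show crypto ikev2 sa detail'."""
    sa = None
    for line in text.splitlines():
        if sa is None:
            if (m := TUNNEL_RE.match(line)):
                sa = IkeSa(local=m[1], remote=m[2], status=m[3], role=m[4])
        elif (m := IKE_CRYPTO_RE.search(line)):
            sa.encr, sa.keysize, sa.hash, sa.dh_group = m[1], int(m[2]), m[3], int(m[4])
        elif (m := SPI_RE.search(line)):
            sa.local_spi, sa.remote_spi = m[1], m[2]
        elif (m := SEL_RE.search(line)):
            sa.child = sa.child or ChildSa()
            setattr(sa.child, f"{m[1]}_sel", m[2])
        elif sa.child and (m := ESP_SPI_RE.search(line)):
            sa.child.esp_in, sa.child.esp_out = m[1], m[2]
        elif sa.child and (m := CHILD_CRYPTO_RE.search(line)):
            sa.child.encr, sa.child.keysize, sa.child.hmac = m[1], int(m[2]), m[3]
    if sa is None:
        raise ValueError("no IKEv2 SA found in output")
    return sa

def cross_check(a, b):
    """Mismatches between the two peers' views of one tunnel; empty means consistent."""
    ca, cb = a.child, b.child
    if ca is None or cb is None:
        return ["CHILD_SA missing on at least one peer"]
    checks = [
        ("roles not complementary", {a.role, b.role} == {"INITIATOR", "RESPONDER"}),
        ("IKE SA not READY on both peers", a.status == b.status == "READY"),
        ("peer addresses do not mirror", (a.local, a.remote) == (b.remote, b.local)),
        ("IKE SPIs do not mirror", (a.local_spi, a.remote_spi) == (b.remote_spi, b.local_spi)),
        ("IKE SA crypto differs", (a.encr, a.keysize, a.hash, a.dh_group)
                                  == (b.encr, b.keysize, b.hash, b.dh_group)),
        ("ESP SPIs do not mirror", (ca.esp_in, ca.esp_out) == (cb.esp_out, cb.esp_in)),
        ("traffic selectors do not mirror", (ca.local_sel, ca.remote_sel) == (cb.remote_sel, cb.local_sel)),
        ("CHILD_SA crypto differs", (ca.encr, ca.keysize, ca.hmac) == (cb.encr, cb.keysize, cb.hmac)),
    ]
    return [label for label, ok in checks if not ok]

def weak_settings(sa):
    """Negotiated parameters a reviewer would flag on a new site-to-site tunnel."""
    notes = []
    if sa.dh_group in (1, 2, 5):
        notes.append(f"DH group {sa.dh_group} is a MODP group of 1536 bits or less; prefer 14+ or ECP 19/20")
    if sa.child and sa.child.hmac == "SHA96":
        notes.append("ESP integrity is HMAC-SHA1-96; prefer SHA-256 or an AEAD cipher such as AES-GCM")
    return notes
```

Running the same cross-check after a rekey is a quick way to catch a stale SA on one side: the ESP SPIs stop mirroring as soon as one peer has moved to a new CHILD_SA and the other has not.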
