IKEv2 has streamlined the original IKEv1 packet exchanges during Phase 1 and Phase 2 operation (Main mode, Aggressive mode, and Quick mode) used to create IKE and IPsec SAs for a secure communications tunnel. Unlike IKEv1, which uses either nine messages (Main mode = 6 + Quick mode = 3 or 6 messages (Aggressive mode = 3 + Quick mode = 3) for successful operation.
IKEv2 introduces a new packet-exchange process using only four messages (Note that additional child SAs require further packet exchanges, so this number may increase).
A successful IKEv2 message exchange involves a pair of messages for each of the phases listed here, which have been created to replace the older IKEv1 Phase 1 and Phase 2 negotiations. The corresponding IKEv1 "phases" are shown next to the relevant IKEv2 phase for your reference:
* IKE_SA_INIT (Phase 1)
* IKE_AUTH (Phase 1 and 2)
Phase 1
The first exchange, IKE_SA_INIT, is used to negotiate the security parameters by sending IKEv2 proposals, including the configured encryption and integrity protocols, Diffie-Hellman values, and nonces (random) numbers. At this point, the two peers generate SKEYSEED (a seed security key value), from which all future IKE keys are generated. The messages that follow in later exchanges are encrypted and authenticated using keys generated from the SKEYSEED value.
Phase 2
The second exchange, IKE_AUTH, operates over the IKE_SA created by the IKE_SA_INIT exchanges and is used to validate the identity of the peers and negotiate the various encryption, authentication, and integrity protocols to establish the first CHILD_SA for use by ESP or AH in which IPsec communication occurs. Peers are validated using PSKs, certificates, or Extensible Authentication Protocol (EAP) (allowing for legacy authentication methods between peers).
The first CHILD_SA created in the second exchange (Phase 2) is commonly the only SA created for IPsec communication. However, if an application or peer requires the use of additional SAs to secure traffic through an encrypted tunnel, IKEv2 uses the CREATE_CHILD_SA exchange. During the CREATE_CHILD_SA exchange, new Diffie-Hellman values may be generated and cryptographic protocols used (That is, there is no requirement for later SAs to use the same key material created during the initial IKE_SA_INIT exchange). This behavior is similar in function to the use of PFS, whereby during an IKEv1 Quick mode exchange, new Diffie-Hellman values may be used to prevent the reuse of key material created in the previous Phase 1 exchanges. If you do not want to multiplex multiple source/destination traffic pairs over the same SA, you'll usually have multiple CREATE_CHILD_SA exchanges to create multiple SAs for securing data traffic.
ASA1(config)# access-list ?
configure mode commands/options:
WORD < 241 char Access list identifier
alert-interval Specify the alert interval for generating syslog message
106001 which alerts that the system has reached a deny flow
maximum. If not specified, the default value is 300 sec
deny-flow-max Specify the maximum number of concurrent deny flows that can
be created. If not specified, the default value is 4096
ASA1(config)# access-list VPN_ACL ?
configure mode commands/options:
deny Specify packets to reject
extended Configure access policy for IP traffic through the system
line Use this to specify line number at which ACE should be entered
permit Specify packets to forward
remark Specify a comment (remark) for the access-list after this keyword
rename rename an existing access-list
standard Use this to configure policy having destination host or network
only
webtype Use this to configure WebVPN related policy
ASA1(config)# access-list VPN_ACL extended ?
configure mode commands/options:
deny Specify packets to reject
permit Specify packets to forward
ASA1(config)# access-list VPN_ACL extended permit ?
configure mode commands/options:
<0-255> Enter protocol number (0 - 255)
ah
eigrp
esp
gre
icmp
icmp6
igmp
igrp
ip
ipinip
ipsec
nos
object Specify a service object after this keyword
object-group Specify a service or protocol object-group after this keyword
ospf
pcp
pim
pptp
snp
tcp
udp
ASA1(config)# access-list VPN_ACL extended permit ip ?
configure mode commands/options:
A.B.C.D Source IP address
any Abbreviation for source address and mask of 0.0.0.0
0.0.0.0
host Use this keyword to configure source host
interface Use interface address as source address
object Keyword to enter source object name
object-group Network object-group for source address
object-group-user User object-group for source address
user User for source address [<domain_nickname>\]<user_name>
user-group User-group for source address
[<domain_nickname>\\]<user_group_name>
ASA1(config)# access-list VPN_ACL extended permit ip 172.16.0.0 255.255.0.0 ?
configure mode commands/options:
A.B.C.D Destination IP address
any Abbreviation for destination address and mask of 0.0.0.0
0.0.0.0
host Use this keyword to configure destination host
interface Use interface address as destination address
object Keyword to enter destination object name
object-group Network object-group for destination address
ASA1(config)# access-list VPN_ACL extended permit ip 172.16.0.0 255.255.0.0192.168.0.0 255.255.0.0 // CRYPTO ACL FOR "INTERESTING" TRAFFIC
ASA1(config)# crypto ?
configure mode commands/options:
ca Certification authority
dynamic-map Configure a dynamic crypto map
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
ipsec Configure transform-set, IPSec SA lifetime, and fragmentation
isakmp Configure ISAKMP
key Long term key operations
map Configure a crypto map
exec mode commands/options:
ca Execute Certification Authority Commands
ASA1(config)# crypto ipsec ?
configure mode commands/options:
df-bit Set IPsec DF policy
fragmentation Set IPsec fragmentation policy
ikev1 Set IKEv1 settings
ikev2 Set IKEv2 settings
security-association Set security association parameters
ASA1(config)# crypto ipsec ikev2 ?
configure mode commands/options:
ipsec-proposal Configure IKEv2 IPSec Policy
ASA1(config)# crypto ipsec ikev2 ipsec-proposal ?
configure mode commands/options:
WORD < 65 char Enter the name of the ipsec-proposal
ASA1(config)# crypto ipsec ikev2 ipsec-proposal S2S_VPN_IKEv2
ASA1(config-ipsec-proposal)# ?
ikev2 IPSec Policy configuration commands:
exit Exit from ipsec-proposal configuration mode
help Help for ikev2 IPSec policy configuration commands
no Remove an ikev2 IPSec policy configuration item
protocol Configure a protocol for the IPSec proposal
ASA1(config-ipsec-proposal)# protocol ?
ipsec-proposal mode commands/options:
esp IPsec Encapsulating Security Payload
ASA1(config-ipsec-proposal)# protocol esp ?
ipsec-proposal mode commands/options:
encryption Add one or more encryption algorithms for this protocol
integrity Add one or more integrity algorithms for this protocol
ASA1(config-ipsec-proposal)# protocol esp encryption ?
ipsec-proposal mode commands/options:
3des 3des encryption
aes aes encryption
aes-192 aes-192 encryption
aes-256 aes-256 encryption
des des encryption
null null encryption
ASA1(config-ipsec-proposal)# protocol esp encryption aes-256
ASA1(config-ipsec-proposal)# protocol esp integrity ?
ipsec-proposal mode commands/options:
md5 set hash md5
sha-1 set hash sha-1
ASA1(config-ipsec-proposal)# protocol esp integrity sha-1
ASA1(config-ipsec-proposal)# exit
ASA1(config)# crypto map ?
configure mode commands/options:
WORD < 64 char Crypto map template tag
ASA1(config)# crypto map S2S_VPN_MAP ?
configure mode commands/options:
<1-65535> Sequence to insert into map entry
client Enable IKE extended authentication (Xauth)
interface Name of interface to apply the crypto map to
ASA1(config)# crypto map S2S_VPN_MAP 1 ?
configure mode commands/options:
annotation Specify annotation text - to be used by ASDM only
ipsec-isakmp IPSec w/ISAKMP
match Match address of packets to encrypt
set Specify crypto map settings
ASA1(config)# crypto map S2S_VPN_MAP 1 match ?
configure mode commands/options:
address Match address of packets to encrypt
ASA1(config)# crypto map S2S_VPN_MAP 1 match address VPN_ACL
ASA1(config)# crypto map S2S_VPN_MAP 1 set ?
configure mode commands/options:
connection-type Specify connection-type for site-site connection based
on this entry
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
nat-t-disable Disable nat-t negotiation for connections based on this
entry
peer Set IP address of peer
pfs Specify pfs settings
reverse-route Enable reverse route injection for connections based on
this entry
security-association Security association duration
trustpoint Specify trustpoint that defines the certificate to be
used while initiating a connection based on this entry
ASA1(config)# crypto map S2S_VPN_MAP 1 set peer ?
configure mode commands/options:
Hostname or A.B.C.D IP address
Hostname or X:X:X:X::X IPv6 address
ASA1(config)# crypto map S2S_VPN_MAP 1 set peer 200.1.1.2
ASA1(config)# crypto map S2S_VPN_MAP 1 ikev2 ?
ERROR: % Unrecognized command
ASA1(config)# crypto map S2S_VPN_MAP 1 set ikev2 ?
configure mode commands/options:
ipsec-proposal Specify list of IPSec proposals in priority order
pre-shared-key Specify a pre-shared key to be used while initiating a
connection based on this entry
ASA1(config)# crypto map S2S_VPN_MAP 1 set ikev2 ipsec-proposal S2S_VPN_IKEv2
ASA1(config)# crypto map S2S_VPN_MAP interface ?
configure mode commands/options:
Current available interface(s):
inside Name of interface GigabitEthernet0
outside Name of interface GigabitEthernet1
ASA1(config)# crypto map S2S_VPN_MAP interface outside
ASA1(config)# crypto ikev2 ?
configure mode commands/options:
cookie-challenge Enable and configure IKEv2 cookie challenges based on
half-open SAs
enable Enable IKEv2 on the specified interface
limit Enable limits on IKEv2 SAs
policy Set IKEv2 policy suite
redirect Set IKEv2 redirect
remote-access Configure IKEv2 for Remote Access
ASA1(config)# crypto ikev2 policy ?
configure mode commands/options:
<1-65535> Policy suite priority(1 highest, 65535 lowest)
ASA1(config)# crypto ikev2 policy 10
ASA1(config-ikev2-policy)# ?
ikev2 policy configuration commands:
encryption Configure one or more encryption algorithm
exit Exit from ikev2 policy configuration mode
group Configure one or more DH groups
help Help for ikev2 policy configuration commands
integrity Configure one or more integrity algorithm
lifetime Configure the ikev2 lifetime
no Remove an ikev2 policy configuration item
prf Configure one or more hash algorithm
ASA1(config-ikev2-policy)# encryption ?
ikev2-policy mode commands/options:
3des 3des encryption
aes aes encryption
aes-192 aes-192 encryption
aes-256 aes-256 encryption
des des encryption
null null encryption
ASA1(config-ikev2-policy)# encryption aes-256
ASA1(config-ikev2-policy)# integrity ?
ikev2-policy mode commands/options:
md5 set hash md5
sha set hash sha1
sha256 set hash sha256
sha384 set hash sha384
sha512 set hash sha512
ASA1(config-ikev2-policy)# integrity sha256
ASA1(config-ikev2-policy)# group ?
ikev2-policy mode commands/options:
1 Diffie-Hellman group 1
2 Diffie-Hellman group 2
5 Diffie-Hellman group 5
ASA1(config-ikev2-policy)# group 2 // DEFAULT DH GROUP
ASA1(config-ikev2-policy)# lifetime ?
ikev2-policy mode commands/options:
seconds Lifetime seconds
ASA1(config-ikev2-policy)# lifetime seconds ?
ikev2-policy mode commands/options:
<120-2147483647> Enter the ikev2 lifetime
none Disable rekey and allow an unlimited rekey period
ASA1(config-ikev2-policy)# lifetime seconds 86400 // LOWEST VALUE BETWEEN VPN PEER WILL BE CHOSEN
ASA1(config-ikev2-policy)# exit
ASA1(config)# crypto ikev2 enable ?
configure mode commands/options:
Type an interface name to enable
inside Name of interface GigabitEthernet0
outside Name of interface GigabitEthernet1
<cr>
ASA1(config)# crypto ikev2 enable outside
ASA1(config)# tunnel-group ?
configure mode commands/options:
WORD < 65 char Enter the name of the tunnel group
ASA1(config)# tunnel-group 200.1.1.2 ?
configure mode commands/options:
type Enter the type of this group-policy
ASA1(config)# tunnel-group 200.1.1.2 type ?
configure mode commands/options:
ipsec-l2l IPSec Site to Site group
ipsec-ra IPSec Remote Access group (DEPRECATED)
remote-access Remote access (IPSec and WebVPN) group
webvpn WebVPN group (DEPRECATED)
ASA1(config)# tunnel-group 200.1.1.2 type ipsec-l2l
ASA1(config)# tunnel-group 200.1.1.2 ?
configure mode commands/options:
general-attributes Enter the general-attributes sub command mode
ipsec-attributes Enter the ipsec-attributes sub command mode
ASA1(config)# tunnel-group 200.1.1.2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ?
tunnel-group configuration commands:
chain Enable sending certificate chain
exit Exit from tunnel-group IPSec attribute configuration mode
help Help for tunnel group configuration commands
ikev1 Configure IKEv1
ikev2 Configure IKEv2
isakmp Configure ISAKMP policy
no Remove an attribute value pair
peer-id-validate Validate identity of the peer using the peer's certificate
ASA1(config-tunnel-ipsec)# ikev2 ?
tunnel-group-ipsec mode commands/options:
local-authentication Configure the local authentication method for IKEv2
tunnels
remote-authentication Configure the remote authentication method required of
the remote peer for IKEv2 tunnels
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication ?
tunnel-group-ipsec mode commands/options:
certificate Require certificate authentication from remote peer
pre-shared-key Require pre-shared-key authentication from remote peer
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key ?
tunnel-group-ipsec mode commands/options:
0 Specifies an UNENCRYPTED password will follow
8 Specifies an ENCRYPTED password will follow
WORD < 129 char Enter an alphanumeric string between 1-128 characters
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key cisco
INFO: You must configure ikev2 local-authentication pre-shared-key
or certificate to complete authentication.
ASA1(config-tunnel-ipsec)# ikev2 local-authentication ?
tunnel-group-ipsec mode commands/options:
certificate Select the trustpoint that identifies the cert to be sent to
the IKE peer
pre-shared-key Configure the local pre-shared-key used to authenticate to
the remote peer
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key ?
tunnel-group-ipsec mode commands/options:
0 Specifies an UNENCRYPTED password will follow
8 Specifies an ENCRYPTED password will follow
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key cisco123
------
ASA2(config)# access-list VPN_ACL extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0 // "MIRRORED" CRYPTO ACL
ASA2(config)# crypto ipsec ikev2 ipsec-proposal S2S_VPN_IKEv2
ASA2(config-ipsec-proposal)# protocol esp encryption aes-256
ASA2(config-ipsec-proposal)# protocol esp integrity sha-1
ASA2(config-ipsec-proposal)# exit
ASA2(config)# crypto map S2S_VPN_MAP 1 match address VPN_ACL
ASA2(config)# crypto map S2S_VPN_MAP 1 set peer 100.1.1.2
ASA2(config)# crypto map S2S_VPN_MAP 1 set ikev2 ipsec-proposal S2S_VPN_IKEv2
ASA2(config)# crypto map S2S_VPN_MAP interface outside
ASA2(config)# crypto ikev2 policy 10
ASA2(config-ikev2-policy)# encryption aes-256
ASA2(config-ikev2-policy)# integrity sha256
ASA2(config-ikev2-policy)# group 2
ASA2(config-ikev2-policy)# lifetime seconds 86400
ASA2(config-ikev2-policy)# crypto ikev2 enable outside
ASA2(config)# tunnel-group 100.1.1.2 type ipsec-l2l
ASA2(config)# tunnel-group 100.1.1.2 ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key cisco
INFO: You must configure ikev2 remote-authentication pre-shared-key
and/or certificate to complete authentication.
ASA2(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key cisco123
--------
ASA1# show run crypto ikev2
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
ASA1# show run crypto ipsec
crypto ipsec ikev2 ipsec-proposal S2S_VPN_IKEv2
protocol esp encryption aes-256
protocol esp integrity sha-1
ASA1# show run crypto map
crypto map S2S_VPN_MAP 1 match address VPN_ACL
crypto map S2S_VPN_MAP 1 set peer 200.1.1.2
crypto map S2S_VPN_MAP 1 set ikev2 ipsec-proposal S2S_VPN_IKEv2
crypto map S2S_VPN_MAP interface outside
ASA2# show run crypto ikev2
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
ASA2# show run crypto ipsec
crypto ipsec ikev2 ipsec-proposal S2S_VPN_IKEv2
protocol esp encryption aes-256
protocol esp integrity sha-1
ASA2# show run crypto map
crypto map S2S_VPN_MAP 1 match address VPN_ACL
crypto map S2S_VPN_MAP 1 set peer 100.1.1.2
crypto map S2S_VPN_MAP 1 set ikev2 ipsec-proposal S2S_VPN_IKEv2
crypto map S2S_VPN_MAP interface outside
----
ASA1# show crypto ikev2 sa detail
There are no IKEv2 SAs
ASA1# debug crypto ?
ca Set PKI debug levels
condition Set IPSec/ISAKMP debug filters
engine Set crypto engine debug levels
ike-common Set IKE common debug levels
ikev1 Set IKEV1 debug levels
ikev2 Set IKEV2 debug levels
ipsec Set IPSec debug levels
vpnclient Set EasyVPN client debug levels
ASA1# debug crypto ikev2 ?
ha debug the ikev2 ha
platform debug the ikev2 platform
protocol debug the ikev2 protocol
timers debug the ikev2 timers
ASA1# debug crypto ikev2 platform 127
ASA1# debug crypto ikev2 protocol 127
----
ASA1# IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-3: attempting to find tunnel group for IP: 200.1.1.2
IKEv2-PLAT-3: mapped to tunnel group 200.1.1.2 using peer IP
IKEv2-PLAT-3: my_auth_method = 2
IKEv2-PLAT-3: supported_peers_auth_method = 2
IKEv2-PLAT-3: P1 ID = 0
IKEv2-PLAT-3: Translating IKE_ID_AUTO to = 255
IKEv2-PLAT-3: (1) tp_name set to:
IKEv2-PLAT-3: (1) tg_name set to: 200.1.1.2
IKEv2-PLAT-3: (1) tunn grp type set to: L2L
IKEv2-PLAT-5: New ikev2 sa request admitted
IKEv2-PLAT-5: Incrementing outgoing negotiating sa count by one
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000
CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000
CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-3: (1): Getting configured policies
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000
CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-3: (1): Setting configured policies
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000
CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000
CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-3: (1): Computing DH public key
IKEv2-PROTO-3: (1):
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000
CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000
CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-5: (1): Action: Action_Null
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000
CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000
CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-2: (1): Sending initial message
IKEv2-PROTO-3: IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA1 SHA256 DH_GROUP_1024_MODP/Group 2
IKEv2-PROTO-5: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-5: Construct Vendor Specific
Payload: (CUSTOM)IKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-5: Construct
Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-5: Construct Vendor Specific Payload:
FRAGMENTATIONIKEv2-PROTO-3: (1): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 100.1.1.2:500/R 200.1.1.2:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:19E9DEBA22DDD9AD - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: 19E9DEBA22DDD9AD - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 394
SA Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4: last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4: last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
KE Next payload: N, reserved: 0x0, length: 136
DH group: 2, Reserved: 0x0
67 fe 46 0c 42 aa f7 c3 9e f6 b1 5d 53 3c 16 8c
2c 30 c1 36 a3 73 7e 19 77 5b a1 eb df 83 03 b6
d5 33 67 3a 32 26 d0 fc 47 72 aa 9b 74 60 ae b5
83 1f 64 5a 6e 9e cf 26 26 60 aa d2 6d f4 88 08
b9 38 5a 4e 2b f1 c7 02 9e 3d 1e 6a e2 45 a3 3e
a5 aa 1e 38 3d ae e5 bf 01 ea dc 5b a7 ef 04 bd
e4 78 22 9d 6c 9f 7d b2 25 ba c8 eb 82 59 03 14
a3 1b f7 f7 24 03 60 8c 93 f5 33 5c 7c ce 62 24
N Next payload: VID, reserved: 0x0, length: 24
7d 03 ed 8b 83 d7 53 49 f2 bd 2b ff bf 24 ed f0
59 c5 c3 37
VID Next payload: VID, reserved: 0x0, length: 23
43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
53 4f 4e
VID Next payload: NOTIFY, reserved: 0x0, length: 59
43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
73 2c 20 49 6e 63 2e
NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
f1 85 22 7a a3 a8 ef bc a8 58 ba d9 f5 8e 9a 44
db 07 7d aa
NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: VID, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
84 63 f4 17 2f 4e 26 7a c1 6d fc c7 71 d9 2e ef
da 6e 51 4f
VID Next payload: NONE, reserved: 0x0, length: 20
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
IKEv2-PLAT-4: SENT PKT [IKE_SA_INIT] [100.1.1.2]:500->[200.1.1.2]:500 InitSPI=0x19e9deba22ddd9ad
RespSPI=0x0000000000000000 MID=00000000
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000
CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-3: (1): Insert SA
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000
CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PLAT-4: RECV PKT [IKE_SA_INIT] [200.1.1.2]:500->[100.1.1.2]:500 InitSPI=0x19e9deba22ddd9ad
RespSPI=0xecbd3f4be86f51af MID=00000000
IKEv2-PROTO-3: Rx [L 100.1.1.2:500/R 200.1.1.2:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:19E9DEBA22DDD9AD - r: ECBD3F4BE86F51AF]
IKEv2-PROTO-4: IKEV2 HDR ispi: 19E9DEBA22DDD9AD - rspi: ECBD3F4BE86F51AF
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x0, length: 394
SA Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4: last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4: last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
KE Next payload: N, reserved: 0x0, length: 136
DH group: 2, Reserved: 0x0
cb 30 95 7d 1b 5e f3 9e 55 35 aa 47 32 ea af 6a
b6 07 6d d6 f9 12 7a c0 22 fe ae da 1a a5 b8 2d
aa 70 cd f7 a5 60 08 8b 4f 0f d2 d5 81 c8 41 8f
48 be 2e b3 c4 f7 bb 13 c8 9c 2a 99 df 65 29 f1
89 a5 d0 d1 70 4b f6 e6 b3 9c 33 4c 67 95 4a 4a
0c 20 49 01 34 b2 6e 15 f8 91 a4 09 ec 7d 95 a5
b1 fb f9 6d 03 92 c4 28 b9 e9 00 9f 3a 57 8d c9
cb bc 20 b0 6e ea c5 b3 38 63 0c ec a8 8b 16 a4
N Next payload: VID, reserved: 0x0, length: 24
fd 2c be 84 ac 7c d3 a2 65 72 8b 3d d5 e3 6e ff
2c 5e e9 4b
IKEv2-PROTO-5: Parse Vendor Specific Payload: CISCO-DELETE-REASON VID Next payload: VID, reserved: 0x0,
length: 23
43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
53 4f 4e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID Next payload: NOTIFY, reserved: 0x0, length: 59
43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
73 2c 20 49 6e 63 2e
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload:
NOTIFY, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
e7 19 65 24 2c 02 09 2d c0 2c 54 d5 48 a0 0f a7
db 17 8d dc
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP NOTIFY(NAT_DETECTION_DESTINATION_IP)
Next payload: VID, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
f8 67 d4 4b f0 62 47 4a 75 82 a0 b3 cd d4 bc 52
38 84 2e a8
IKEv2-PROTO-5: Parse Vendor Specific Payload: FRAGMENTATION VID Next payload: NONE, reserved: 0x0, length:20
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
Decrypted packet:Data: 394 bytes
IKEv2-PLAT-3: Process custom VID payloads
IKEv2-PLAT-3: Cisco Copyright VID received from peer
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-5: (1): Processing initial message
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (1): Processing initial message
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-3: (1): Verify SA init message
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-2: (1): Processing initial message
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-3: (1): Process NAT discovery notify
IKEv2-PROTO-5: (1): Processing nat detect src notify
IKEv2-PROTO-5: (1): Remote address matched
IKEv2-PROTO-5: (1): Processing nat detect dst notify
IKEv2-PROTO-5: (1): Local address matched
IKEv2-PROTO-5: (1): No NAT found
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-3: (1): Check NAT discovery
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-3: (1): Computing DH secret key
IKEv2-PROTO-3: (1):
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-5: (1): Action: Action_Null
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-3: (1): Generate skeyid
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-3: (1): Fragmentation is enabled
IKEv2-PROTO-3: (1): Cisco DeleteReason Notify is enabled
IKEv2-PROTO-3: (1): Complete SA init exchange
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PLAT-2: Build config mode reply: no request stored
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (1): Check for EAP exchange
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-3: (1): Generate my authentication data
IKEv2-PROTO-3: (1): Use preshared key for id 100.1.1.2, key len 8
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (1): Get my authentication method
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-3: (1): Check for EAP exchange
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-2: (1): Sending auth message
IKEv2-PROTO-5: Construct Vendor Specific Payload: CISCO-GRANITEIKEv2-PROTO-3: ESP Proposal: 1, SPI size:
4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA96
IKEv2-PROTO-5: Construct Notify Payload: INITIAL_CONTACTIKEv2-PROTO-5: Construct Notify Payload:
ESP_TFC_NO_SUPPORTIKEv2-PROTO-5: Construct Notify Payload: NON_FIRST_FRAGSIKEv2-PROTO-3: (1): Building
packet for encryption; contents are:
VID Next payload: IDi, reserved: 0x0, length: 20
1b e9 df ba 31 ea 2a ea 62 4f 69 f3 ca 01 6a c2
IDi Next payload: AUTH, reserved: 0x0, length: 12
Id type: IPv4 address, Reserved: 0x0 0x0
64 01 01 02
AUTH Next payload: SA, reserved: 0x0, length: 28
Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 20 bytes
SA Next payload: TSi, reserved: 0x0, length: 44
IKEv2-PROTO-4: last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4: last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id:
TSi Next payload: TSr, reserved: 0x0, length: 40
Num of TSs: 2, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 172.16.0.1, end addr: 172.16.0.1
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 172.16.0.0, end addr: 172.16.255.255
TSr Next payload: NOTIFY, reserved: 0x0, length: 40
Num of TSs: 2, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 192.168.1.1, end addr: 192.168.1.1
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 192.168.0.0, end addr: 192.168.255.255
NOTIFY(INITIAL_CONTACT) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
NOTIFY(ESP_TFC_NO_SUPPORT) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
NOTIFY(NON_FIRST_FRAGS) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
IKEv2-PROTO-3: (1): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 100.1.1.2:500/R 200.1.1.2:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:19E9DEBA22DDD9AD - r: ECBD3F4BE86F51AF]
IKEv2-PROTO-4: IKEV2 HDR ispi: 19E9DEBA22DDD9AD - rspi: ECBD3F4BE86F51AF
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x1, length: 288
ENCR Next payload: VID, reserved: 0x0, length: 260
Encrypted data: 256 bytes
IKEv2-PLAT-4: SENT PKT [IKE_AUTH] [100.1.1.2]:500->[200.1.1.2]:500 InitSPI=0x19e9deba22ddd9ad
RespSPI=0xecbd3f4be86f51af MID=00000001
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PLAT-4: RECV PKT [IKE_AUTH] [200.1.1.2]:500->[100.1.1.2]:500 InitSPI=0x19e9deba22ddd9ad
RespSPI=0xecbd3f4be86f51af MID=00000001
IKEv2-PROTO-3: Rx [L 100.1.1.2:500/R 200.1.1.2:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:19E9DEBA22DDD9AD - r: ECBD3F4BE86F51AF]
IKEv2-PROTO-4: IKEV2 HDR ispi: 19E9DEBA22DDD9AD - rspi: ECBD3F4BE86F51AF
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x1, length: 240
REAL Decrypted packet:Data: 168 bytes
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID Next payload: IDr, reserved: 0x0, length: 20
ee bd 3e 4b fb 58 a2 e8 62 4f 69 f3 ca 01 6a c2
IDr Next payload: AUTH, reserved: 0x0, length: 12
Id type: IPv4 address, Reserved: 0x0 0x0
c8 01 01 02
AUTH Next payload: SA, reserved: 0x0, length: 28
Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 20 bytes
SA Next payload: TSi, reserved: 0x0, length: 44
IKEv2-PROTO-4: last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4: last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id:
TSi Next payload: TSr, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 172.16.0.0, end addr: 172.16.255.255
TSr Next payload: NOTIFY, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 192.168.0.0, end addr: 192.168.255.255
IKEv2-PROTO-5: Parse Notify Payload: ESP_TFC_NO_SUPPORT NOTIFY(ESP_TFC_NO_SUPPORT) Next payload: NOTIFY,
reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
IKEv2-PROTO-5: Parse Notify Payload: NON_FIRST_FRAGS NOTIFY(NON_FIRST_FRAGS) Next payload: NONE, reserved:
0x0, length: 8
Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
Decrypted packet:Data: 240 bytes
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-5: (1): Action: Action_Null
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (1): Process auth response notify
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PLAT-3: (1) peer auth method set to: 2
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_PROC_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_PROC_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-3: (1): Getting configured policies
IKEv2-PLAT-3: connection initiated with tunnel group 200.1.1.2
IKEv2-PLAT-3: (1) tg_name set to: 200.1.1.2
IKEv2-PLAT-3: (1) tunn grp type set to: L2L
IKEv2-PLAT-3: my_auth_method = 2
IKEv2-PLAT-3: supported_peers_auth_method = 2
IKEv2-PLAT-3: P1 ID = 0
IKEv2-PLAT-3: Translating IKE_ID_AUTO to = 255
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-3: (1): Verify peer's policy
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (1): Get peer authentication method
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-3: (1): Get peer's preshared key for 200.1.1.2
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-3: (1): Verify authentication data
IKEv2-PROTO-3: (1): Use preshared key for id 200.1.1.2, key len 5
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_PROC_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (1): Check for EAP exchange
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_PROC_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_PROC_AUTH Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_PROC_AUTH Event: EV_PROC_SA_TS
IKEv2-PROTO-2: (1): Processing auth message
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-5: (1): Action: Action_Null
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE
IKEv2-PROTO-3: (1): Closing the PKI session
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-2: (1): SA created; inserting SA into database
IKEv2-PLAT-3:
CONNECTION STATUS: UP... peer: 200.1.1.2:500, phase1_id: 200.1.1.2
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PLAT-3: (1) connection auth hdl set to 0
IKEv2-PLAT-3: AAA conn attribute retrieval successfully queued for register session request.
IKEv2-PROTO-3: (1):
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PLAT-3: (1) idle timeout set to: 30
IKEv2-PLAT-3: (1) session timeout set to: 0
IKEv2-PLAT-3: (1) group policy set to DfltGrpPolicy
IKEv2-PLAT-3: (1) class attr set
IKEv2-PLAT-3: (1) tunnel protocol set to: 0x5c
IKEv2-PLAT-3: IPv4 filter ID not configured for connection
IKEv2-PLAT-3: (1) group lock set to: none
IKEv2-PLAT-3: IPv6 filter ID not configured for connection
IKEv2-PLAT-3: (1) connection attribues set valid to TRUE
IKEv2-PLAT-3: Successfully retrieved conn attrs
IKEv2-PLAT-3: Session registration after conn attr retrieval PASSED, No error
IKEv2-PLAT-3:
CONNECTION STATUS: REGISTERED... peer: 200.1.1.2:500, phase1_id: 200.1.1.2
IKEv2-PROTO-3: (1): Initializing DPD, configured for 10 seconds
IKEv2-PLAT-3: (1) mib_index set to: 501
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: AUTH_DONE Event: EV_GEN_LOAD_IPSEC
IKEv2-PROTO-3: (1): Load IPSEC key material
IKEv2-PLAT-3: PROXY MATCH on crypto map S2S_VPN_MAP seq 1
IKEv2-PLAT-3: (1) DPD Max Time will be: 10
IKEv2-PLAT-3: (1) DPD Max Time will be: 10
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: AUTH_DONE Event: EV_START_ACCT
IKEv2-PROTO-5: (1): Accounting not required
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-3: (1): Checking for duplicate SA
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: READY Event: EV_I_UPDATE_CAC_STATS
IKEv2-PLAT-5: New ikev2 sa request activated
IKEv2-PLAT-5: Decrement count for outgoing negotiating
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: READY Event: EV_I_OK
IKEv2-PROTO-5: (1): Deleting negotiation context for my message ID: 0x1
ASA1# show crypto ikev2 sa detail
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
8900467 100.1.1.2/500 200.1.1.2/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/15 sec
Session-id: 1
Status Description: Negotiation done
Local spi: 19E9DEBA22DDD9AD Remote spi: ECBD3F4BE86F51AF
Local id: 100.1.1.2
Remote id: 200.1.1.2
Local req mess id: 2 Remote req mess id: 0
Local next mess id: 2 Remote next mess id: 0
Local req queued: 2 Remote req queued: 0
Local window: 1 Remote window: 1
DPD configured for 10 seconds, retry 2
NAT-T is not detected
Child sa: local selector 172.16.0.0/0 - 172.16.255.255/65535
remote selector 192.168.0.0/0 - 192.168.255.255/65535
ESP spi in/out: 0x761a14dc/0x97dc5e3a
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
ASA2# show crypto ikev2 sa detail
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
9509961 200.1.1.2/500 100.1.1.2/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/115 sec
Session-id: 1
Status Description: Negotiation done
Local spi: ECBD3F4BE86F51AF Remote spi: 19E9DEBA22DDD9AD
Local id: 200.1.1.2
Remote id: 100.1.1.2
Local req mess id: 2 Remote req mess id: 5
Local next mess id: 2 Remote next mess id: 5
Local req queued: 2 Remote req queued: 5
Local window: 1 Remote window: 1
DPD configured for 10 seconds, retry 2
NAT-T is not detected
Child sa: local selector 192.168.0.0/0 - 192.168.255.255/65535
remote selector 172.16.0.0/0 - 172.16.255.255/65535
ESP spi in/out: 0x97dc5e3a/0x761a14dc
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
IKEv2 introduces a new packet-exchange process using only four messages (Note that additional child SAs require further packet exchanges, so this number may increase).
A successful IKEv2 message exchange involves a pair of messages for each of the phases listed here, which have been created to replace the older IKEv1 Phase 1 and Phase 2 negotiations. The corresponding IKEv1 "phases" are shown next to the relevant IKEv2 phase for your reference:
* IKE_SA_INIT (Phase 1)
* IKE_AUTH (Phase 1 and 2)
Phase 1
The first exchange, IKE_SA_INIT, is used to negotiate the security parameters by sending IKEv2 proposals, including the configured encryption and integrity protocols, Diffie-Hellman values, and nonces (random) numbers. At this point, the two peers generate SKEYSEED (a seed security key value), from which all future IKE keys are generated. The messages that follow in later exchanges are encrypted and authenticated using keys generated from the SKEYSEED value.
Phase 2
The second exchange, IKE_AUTH, operates over the IKE_SA created by the IKE_SA_INIT exchanges and is used to validate the identity of the peers and negotiate the various encryption, authentication, and integrity protocols to establish the first CHILD_SA for use by ESP or AH in which IPsec communication occurs. Peers are validated using PSKs, certificates, or Extensible Authentication Protocol (EAP) (allowing for legacy authentication methods between peers).
The first CHILD_SA created in the second exchange (Phase 2) is commonly the only SA created for IPsec communication. However, if an application or peer requires the use of additional SAs to secure traffic through an encrypted tunnel, IKEv2 uses the CREATE_CHILD_SA exchange. During the CREATE_CHILD_SA exchange, new Diffie-Hellman values may be generated and cryptographic protocols used (That is, there is no requirement for later SAs to use the same key material created during the initial IKE_SA_INIT exchange). This behavior is similar in function to the use of PFS, whereby during an IKEv1 Quick mode exchange, new Diffie-Hellman values may be used to prevent the reuse of key material created in the previous Phase 1 exchanges. If you do not want to multiplex multiple source/destination traffic pairs over the same SA, you'll usually have multiple CREATE_CHILD_SA exchanges to create multiple SAs for securing data traffic.
ASA1(config)# access-list ?
configure mode commands/options:
WORD < 241 char Access list identifier
alert-interval Specify the alert interval for generating syslog message
106001 which alerts that the system has reached a deny flow
maximum. If not specified, the default value is 300 sec
deny-flow-max Specify the maximum number of concurrent deny flows that can
be created. If not specified, the default value is 4096
ASA1(config)# access-list VPN_ACL ?
configure mode commands/options:
deny Specify packets to reject
extended Configure access policy for IP traffic through the system
line Use this to specify line number at which ACE should be entered
permit Specify packets to forward
remark Specify a comment (remark) for the access-list after this keyword
rename rename an existing access-list
standard Use this to configure policy having destination host or network
only
webtype Use this to configure WebVPN related policy
ASA1(config)# access-list VPN_ACL extended ?
configure mode commands/options:
deny Specify packets to reject
permit Specify packets to forward
ASA1(config)# access-list VPN_ACL extended permit ?
configure mode commands/options:
<0-255> Enter protocol number (0 - 255)
ah
eigrp
esp
gre
icmp
icmp6
igmp
igrp
ip
ipinip
ipsec
nos
object Specify a service object after this keyword
object-group Specify a service or protocol object-group after this keyword
ospf
pcp
pim
pptp
snp
tcp
udp
ASA1(config)# access-list VPN_ACL extended permit ip ?
configure mode commands/options:
A.B.C.D Source IP address
any Abbreviation for source address and mask of 0.0.0.0
0.0.0.0
host Use this keyword to configure source host
interface Use interface address as source address
object Keyword to enter source object name
object-group Network object-group for source address
object-group-user User object-group for source address
user User for source address [<domain_nickname>\]<user_name>
user-group User-group for source address
[<domain_nickname>\\]<user_group_name>
ASA1(config)# access-list VPN_ACL extended permit ip 172.16.0.0 255.255.0.0 ?
configure mode commands/options:
A.B.C.D Destination IP address
any Abbreviation for destination address and mask of 0.0.0.0
0.0.0.0
host Use this keyword to configure destination host
interface Use interface address as destination address
object Keyword to enter destination object name
object-group Network object-group for destination address
ASA1(config)# access-list VPN_ACL extended permit ip 172.16.0.0 255.255.0.0192.168.0.0 255.255.0.0 // CRYPTO ACL FOR "INTERESTING" TRAFFIC
ASA1(config)# crypto ?
configure mode commands/options:
ca Certification authority
dynamic-map Configure a dynamic crypto map
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
ipsec Configure transform-set, IPSec SA lifetime, and fragmentation
isakmp Configure ISAKMP
key Long term key operations
map Configure a crypto map
exec mode commands/options:
ca Execute Certification Authority Commands
ASA1(config)# crypto ipsec ?
configure mode commands/options:
df-bit Set IPsec DF policy
fragmentation Set IPsec fragmentation policy
ikev1 Set IKEv1 settings
ikev2 Set IKEv2 settings
security-association Set security association parameters
ASA1(config)# crypto ipsec ikev2 ?
configure mode commands/options:
ipsec-proposal Configure IKEv2 IPSec Policy
ASA1(config)# crypto ipsec ikev2 ipsec-proposal ?
configure mode commands/options:
WORD < 65 char Enter the name of the ipsec-proposal
ASA1(config)# crypto ipsec ikev2 ipsec-proposal S2S_VPN_IKEv2
ASA1(config-ipsec-proposal)# ?
ikev2 IPSec Policy configuration commands:
exit Exit from ipsec-proposal configuration mode
help Help for ikev2 IPSec policy configuration commands
no Remove an ikev2 IPSec policy configuration item
protocol Configure a protocol for the IPSec proposal
ASA1(config-ipsec-proposal)# protocol ?
ipsec-proposal mode commands/options:
esp IPsec Encapsulating Security Payload
ASA1(config-ipsec-proposal)# protocol esp ?
ipsec-proposal mode commands/options:
encryption Add one or more encryption algorithms for this protocol
integrity Add one or more integrity algorithms for this protocol
ASA1(config-ipsec-proposal)# protocol esp encryption ?
ipsec-proposal mode commands/options:
3des 3des encryption
aes aes encryption
aes-192 aes-192 encryption
aes-256 aes-256 encryption
des des encryption
null null encryption
ASA1(config-ipsec-proposal)# protocol esp encryption aes-256
ASA1(config-ipsec-proposal)# protocol esp integrity ?
ipsec-proposal mode commands/options:
md5 set hash md5
sha-1 set hash sha-1
ASA1(config-ipsec-proposal)# protocol esp integrity sha-1
ASA1(config-ipsec-proposal)# exit
ASA1(config)# crypto map ?
configure mode commands/options:
WORD < 64 char Crypto map template tag
ASA1(config)# crypto map S2S_VPN_MAP ?
configure mode commands/options:
<1-65535> Sequence to insert into map entry
client Enable IKE extended authentication (Xauth)
interface Name of interface to apply the crypto map to
ASA1(config)# crypto map S2S_VPN_MAP 1 ?
configure mode commands/options:
annotation Specify annotation text - to be used by ASDM only
ipsec-isakmp IPSec w/ISAKMP
match Match address of packets to encrypt
set Specify crypto map settings
ASA1(config)# crypto map S2S_VPN_MAP 1 match ?
configure mode commands/options:
address Match address of packets to encrypt
ASA1(config)# crypto map S2S_VPN_MAP 1 match address VPN_ACL
ASA1(config)# crypto map S2S_VPN_MAP 1 set ?
configure mode commands/options:
connection-type Specify connection-type for site-site connection based
on this entry
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
nat-t-disable Disable nat-t negotiation for connections based on this
entry
peer Set IP address of peer
pfs Specify pfs settings
reverse-route Enable reverse route injection for connections based on
this entry
security-association Security association duration
trustpoint Specify trustpoint that defines the certificate to be
used while initiating a connection based on this entry
ASA1(config)# crypto map S2S_VPN_MAP 1 set peer ?
configure mode commands/options:
Hostname or A.B.C.D IP address
Hostname or X:X:X:X::X IPv6 address
ASA1(config)# crypto map S2S_VPN_MAP 1 set peer 200.1.1.2
ASA1(config)# crypto map S2S_VPN_MAP 1 ikev2 ?
ERROR: % Unrecognized command
ASA1(config)# crypto map S2S_VPN_MAP 1 set ikev2 ?
configure mode commands/options:
ipsec-proposal Specify list of IPSec proposals in priority order
pre-shared-key Specify a pre-shared key to be used while initiating a
connection based on this entry
ASA1(config)# crypto map S2S_VPN_MAP 1 set ikev2 ipsec-proposal S2S_VPN_IKEv2
ASA1(config)# crypto map S2S_VPN_MAP interface ?
configure mode commands/options:
Current available interface(s):
inside Name of interface GigabitEthernet0
outside Name of interface GigabitEthernet1
ASA1(config)# crypto map S2S_VPN_MAP interface outside
ASA1(config)# crypto ikev2 ?
configure mode commands/options:
cookie-challenge Enable and configure IKEv2 cookie challenges based on
half-open SAs
enable Enable IKEv2 on the specified interface
limit Enable limits on IKEv2 SAs
policy Set IKEv2 policy suite
redirect Set IKEv2 redirect
remote-access Configure IKEv2 for Remote Access
ASA1(config)# crypto ikev2 policy ?
configure mode commands/options:
<1-65535> Policy suite priority(1 highest, 65535 lowest)
ASA1(config)# crypto ikev2 policy 10
ASA1(config-ikev2-policy)# ?
ikev2 policy configuration commands:
encryption Configure one or more encryption algorithm
exit Exit from ikev2 policy configuration mode
group Configure one or more DH groups
help Help for ikev2 policy configuration commands
integrity Configure one or more integrity algorithm
lifetime Configure the ikev2 lifetime
no Remove an ikev2 policy configuration item
prf Configure one or more hash algorithm
ASA1(config-ikev2-policy)# encryption ?
ikev2-policy mode commands/options:
3des 3des encryption
aes aes encryption
aes-192 aes-192 encryption
aes-256 aes-256 encryption
des des encryption
null null encryption
ASA1(config-ikev2-policy)# encryption aes-256
ASA1(config-ikev2-policy)# integrity ?
ikev2-policy mode commands/options:
md5 set hash md5
sha set hash sha1
sha256 set hash sha256
sha384 set hash sha384
sha512 set hash sha512
ASA1(config-ikev2-policy)# integrity sha256
ASA1(config-ikev2-policy)# group ?
ikev2-policy mode commands/options:
1 Diffie-Hellman group 1
2 Diffie-Hellman group 2
5 Diffie-Hellman group 5
ASA1(config-ikev2-policy)# group 2 // DEFAULT DH GROUP
ASA1(config-ikev2-policy)# lifetime ?
ikev2-policy mode commands/options:
seconds Lifetime seconds
ASA1(config-ikev2-policy)# lifetime seconds ?
ikev2-policy mode commands/options:
<120-2147483647> Enter the ikev2 lifetime
none Disable rekey and allow an unlimited rekey period
ASA1(config-ikev2-policy)# lifetime seconds 86400 // LOWEST VALUE BETWEEN VPN PEER WILL BE CHOSEN
ASA1(config-ikev2-policy)# exit
ASA1(config)# crypto ikev2 enable ?
configure mode commands/options:
Type an interface name to enable
inside Name of interface GigabitEthernet0
outside Name of interface GigabitEthernet1
<cr>
ASA1(config)# crypto ikev2 enable outside
ASA1(config)# tunnel-group ?
configure mode commands/options:
WORD < 65 char Enter the name of the tunnel group
ASA1(config)# tunnel-group 200.1.1.2 ?
configure mode commands/options:
type Enter the type of this group-policy
ASA1(config)# tunnel-group 200.1.1.2 type ?
configure mode commands/options:
ipsec-l2l IPSec Site to Site group
ipsec-ra IPSec Remote Access group (DEPRECATED)
remote-access Remote access (IPSec and WebVPN) group
webvpn WebVPN group (DEPRECATED)
ASA1(config)# tunnel-group 200.1.1.2 type ipsec-l2l
ASA1(config)# tunnel-group 200.1.1.2 ?
configure mode commands/options:
general-attributes Enter the general-attributes sub command mode
ipsec-attributes Enter the ipsec-attributes sub command mode
ASA1(config)# tunnel-group 200.1.1.2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ?
tunnel-group configuration commands:
chain Enable sending certificate chain
exit Exit from tunnel-group IPSec attribute configuration mode
help Help for tunnel group configuration commands
ikev1 Configure IKEv1
ikev2 Configure IKEv2
isakmp Configure ISAKMP policy
no Remove an attribute value pair
peer-id-validate Validate identity of the peer using the peer's certificate
ASA1(config-tunnel-ipsec)# ikev2 ?
tunnel-group-ipsec mode commands/options:
local-authentication Configure the local authentication method for IKEv2
tunnels
remote-authentication Configure the remote authentication method required of
the remote peer for IKEv2 tunnels
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication ?
tunnel-group-ipsec mode commands/options:
certificate Require certificate authentication from remote peer
pre-shared-key Require pre-shared-key authentication from remote peer
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key ?
tunnel-group-ipsec mode commands/options:
0 Specifies an UNENCRYPTED password will follow
8 Specifies an ENCRYPTED password will follow
WORD < 129 char Enter an alphanumeric string between 1-128 characters
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key cisco
INFO: You must configure ikev2 local-authentication pre-shared-key
or certificate to complete authentication.
ASA1(config-tunnel-ipsec)# ikev2 local-authentication ?
tunnel-group-ipsec mode commands/options:
certificate Select the trustpoint that identifies the cert to be sent to
the IKE peer
pre-shared-key Configure the local pre-shared-key used to authenticate to
the remote peer
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key ?
tunnel-group-ipsec mode commands/options:
0 Specifies an UNENCRYPTED password will follow
8 Specifies an ENCRYPTED password will follow
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key cisco123
------
ASA2(config)# access-list VPN_ACL extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0 // "MIRRORED" CRYPTO ACL
ASA2(config)# crypto ipsec ikev2 ipsec-proposal S2S_VPN_IKEv2
ASA2(config-ipsec-proposal)# protocol esp encryption aes-256
ASA2(config-ipsec-proposal)# protocol esp integrity sha-1
ASA2(config-ipsec-proposal)# exit
ASA2(config)# crypto map S2S_VPN_MAP 1 match address VPN_ACL
ASA2(config)# crypto map S2S_VPN_MAP 1 set peer 100.1.1.2
ASA2(config)# crypto map S2S_VPN_MAP 1 set ikev2 ipsec-proposal S2S_VPN_IKEv2
ASA2(config)# crypto map S2S_VPN_MAP interface outside
ASA2(config)# crypto ikev2 policy 10
ASA2(config-ikev2-policy)# encryption aes-256
ASA2(config-ikev2-policy)# integrity sha256
ASA2(config-ikev2-policy)# group 2
ASA2(config-ikev2-policy)# lifetime seconds 86400
ASA2(config-ikev2-policy)# crypto ikev2 enable outside
ASA2(config)# tunnel-group 100.1.1.2 type ipsec-l2l
ASA2(config)# tunnel-group 100.1.1.2 ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key cisco
INFO: You must configure ikev2 remote-authentication pre-shared-key
and/or certificate to complete authentication.
ASA2(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key cisco123
--------
ASA1# show run crypto ikev2
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
ASA1# show run crypto ipsec
crypto ipsec ikev2 ipsec-proposal S2S_VPN_IKEv2
protocol esp encryption aes-256
protocol esp integrity sha-1
ASA1# show run crypto map
crypto map S2S_VPN_MAP 1 match address VPN_ACL
crypto map S2S_VPN_MAP 1 set peer 200.1.1.2
crypto map S2S_VPN_MAP 1 set ikev2 ipsec-proposal S2S_VPN_IKEv2
crypto map S2S_VPN_MAP interface outside
ASA2# show run crypto ikev2
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
ASA2# show run crypto ipsec
crypto ipsec ikev2 ipsec-proposal S2S_VPN_IKEv2
protocol esp encryption aes-256
protocol esp integrity sha-1
ASA2# show run crypto map
crypto map S2S_VPN_MAP 1 match address VPN_ACL
crypto map S2S_VPN_MAP 1 set peer 100.1.1.2
crypto map S2S_VPN_MAP 1 set ikev2 ipsec-proposal S2S_VPN_IKEv2
crypto map S2S_VPN_MAP interface outside
----
ASA1# show crypto ikev2 sa detail
There are no IKEv2 SAs
ASA1# debug crypto ?
ca Set PKI debug levels
condition Set IPSec/ISAKMP debug filters
engine Set crypto engine debug levels
ike-common Set IKE common debug levels
ikev1 Set IKEV1 debug levels
ikev2 Set IKEV2 debug levels
ipsec Set IPSec debug levels
vpnclient Set EasyVPN client debug levels
ASA1# debug crypto ikev2 ?
ha debug the ikev2 ha
platform debug the ikev2 platform
protocol debug the ikev2 protocol
timers debug the ikev2 timers
ASA1# debug crypto ikev2 platform 127
ASA1# debug crypto ikev2 protocol 127
----
ASA1# IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-3: attempting to find tunnel group for IP: 200.1.1.2
IKEv2-PLAT-3: mapped to tunnel group 200.1.1.2 using peer IP
IKEv2-PLAT-3: my_auth_method = 2
IKEv2-PLAT-3: supported_peers_auth_method = 2
IKEv2-PLAT-3: P1 ID = 0
IKEv2-PLAT-3: Translating IKE_ID_AUTO to = 255
IKEv2-PLAT-3: (1) tp_name set to:
IKEv2-PLAT-3: (1) tg_name set to: 200.1.1.2
IKEv2-PLAT-3: (1) tunn grp type set to: L2L
IKEv2-PLAT-5: New ikev2 sa request admitted
IKEv2-PLAT-5: Incrementing outgoing negotiating sa count by one
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000
CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000
CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-3: (1): Getting configured policies
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000
CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-3: (1): Setting configured policies
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000
CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000
CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-3: (1): Computing DH public key
IKEv2-PROTO-3: (1):
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000
CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000
CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-5: (1): Action: Action_Null
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000
CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000
CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-2: (1): Sending initial message
IKEv2-PROTO-3: IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA1 SHA256 DH_GROUP_1024_MODP/Group 2
IKEv2-PROTO-5: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-5: Construct Vendor Specific
Payload: (CUSTOM)IKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-5: Construct
Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-5: Construct Vendor Specific Payload:
FRAGMENTATIONIKEv2-PROTO-3: (1): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 100.1.1.2:500/R 200.1.1.2:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:19E9DEBA22DDD9AD - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: 19E9DEBA22DDD9AD - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 394
SA Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4: last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4: last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
KE Next payload: N, reserved: 0x0, length: 136
DH group: 2, Reserved: 0x0
67 fe 46 0c 42 aa f7 c3 9e f6 b1 5d 53 3c 16 8c
2c 30 c1 36 a3 73 7e 19 77 5b a1 eb df 83 03 b6
d5 33 67 3a 32 26 d0 fc 47 72 aa 9b 74 60 ae b5
83 1f 64 5a 6e 9e cf 26 26 60 aa d2 6d f4 88 08
b9 38 5a 4e 2b f1 c7 02 9e 3d 1e 6a e2 45 a3 3e
a5 aa 1e 38 3d ae e5 bf 01 ea dc 5b a7 ef 04 bd
e4 78 22 9d 6c 9f 7d b2 25 ba c8 eb 82 59 03 14
a3 1b f7 f7 24 03 60 8c 93 f5 33 5c 7c ce 62 24
N Next payload: VID, reserved: 0x0, length: 24
7d 03 ed 8b 83 d7 53 49 f2 bd 2b ff bf 24 ed f0
59 c5 c3 37
VID Next payload: VID, reserved: 0x0, length: 23
43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
53 4f 4e
VID Next payload: NOTIFY, reserved: 0x0, length: 59
43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
73 2c 20 49 6e 63 2e
NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
f1 85 22 7a a3 a8 ef bc a8 58 ba d9 f5 8e 9a 44
db 07 7d aa
NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: VID, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
84 63 f4 17 2f 4e 26 7a c1 6d fc c7 71 d9 2e ef
da 6e 51 4f
VID Next payload: NONE, reserved: 0x0, length: 20
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
IKEv2-PLAT-4: SENT PKT [IKE_SA_INIT] [100.1.1.2]:500->[200.1.1.2]:500 InitSPI=0x19e9deba22ddd9ad
RespSPI=0x0000000000000000 MID=00000000
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000
CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-3: (1): Insert SA
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=0000000000000000 (I) MsgID = 00000000
CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PLAT-4: RECV PKT [IKE_SA_INIT] [200.1.1.2]:500->[100.1.1.2]:500 InitSPI=0x19e9deba22ddd9ad
RespSPI=0xecbd3f4be86f51af MID=00000000
IKEv2-PROTO-3: Rx [L 100.1.1.2:500/R 200.1.1.2:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:19E9DEBA22DDD9AD - r: ECBD3F4BE86F51AF]
IKEv2-PROTO-4: IKEV2 HDR ispi: 19E9DEBA22DDD9AD - rspi: ECBD3F4BE86F51AF
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x0, length: 394
SA Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4: last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4: last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
KE Next payload: N, reserved: 0x0, length: 136
DH group: 2, Reserved: 0x0
cb 30 95 7d 1b 5e f3 9e 55 35 aa 47 32 ea af 6a
b6 07 6d d6 f9 12 7a c0 22 fe ae da 1a a5 b8 2d
aa 70 cd f7 a5 60 08 8b 4f 0f d2 d5 81 c8 41 8f
48 be 2e b3 c4 f7 bb 13 c8 9c 2a 99 df 65 29 f1
89 a5 d0 d1 70 4b f6 e6 b3 9c 33 4c 67 95 4a 4a
0c 20 49 01 34 b2 6e 15 f8 91 a4 09 ec 7d 95 a5
b1 fb f9 6d 03 92 c4 28 b9 e9 00 9f 3a 57 8d c9
cb bc 20 b0 6e ea c5 b3 38 63 0c ec a8 8b 16 a4
N Next payload: VID, reserved: 0x0, length: 24
fd 2c be 84 ac 7c d3 a2 65 72 8b 3d d5 e3 6e ff
2c 5e e9 4b
IKEv2-PROTO-5: Parse Vendor Specific Payload: CISCO-DELETE-REASON VID Next payload: VID, reserved: 0x0,
length: 23
43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
53 4f 4e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID Next payload: NOTIFY, reserved: 0x0, length: 59
43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
73 2c 20 49 6e 63 2e
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload:
NOTIFY, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
e7 19 65 24 2c 02 09 2d c0 2c 54 d5 48 a0 0f a7
db 17 8d dc
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP NOTIFY(NAT_DETECTION_DESTINATION_IP)
Next payload: VID, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
f8 67 d4 4b f0 62 47 4a 75 82 a0 b3 cd d4 bc 52
38 84 2e a8
IKEv2-PROTO-5: Parse Vendor Specific Payload: FRAGMENTATION VID Next payload: NONE, reserved: 0x0, length:20
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
Decrypted packet:Data: 394 bytes
IKEv2-PLAT-3: Process custom VID payloads
IKEv2-PLAT-3: Cisco Copyright VID received from peer
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-5: (1): Processing initial message
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (1): Processing initial message
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-3: (1): Verify SA init message
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-2: (1): Processing initial message
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-3: (1): Process NAT discovery notify
IKEv2-PROTO-5: (1): Processing nat detect src notify
IKEv2-PROTO-5: (1): Remote address matched
IKEv2-PROTO-5: (1): Processing nat detect dst notify
IKEv2-PROTO-5: (1): Local address matched
IKEv2-PROTO-5: (1): No NAT found
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-3: (1): Check NAT discovery
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-3: (1): Computing DH secret key
IKEv2-PROTO-3: (1):
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-5: (1): Action: Action_Null
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-3: (1): Generate skeyid
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-3: (1): Fragmentation is enabled
IKEv2-PROTO-3: (1): Cisco DeleteReason Notify is enabled
IKEv2-PROTO-3: (1): Complete SA init exchange
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PLAT-2: Build config mode reply: no request stored
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (1): Check for EAP exchange
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-3: (1): Generate my authentication data
IKEv2-PROTO-3: (1): Use preshared key for id 100.1.1.2, key len 8
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (1): Get my authentication method
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-3: (1): Check for EAP exchange
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000000
CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-2: (1): Sending auth message
IKEv2-PROTO-5: Construct Vendor Specific Payload: CISCO-GRANITEIKEv2-PROTO-3: ESP Proposal: 1, SPI size:
4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA96
IKEv2-PROTO-5: Construct Notify Payload: INITIAL_CONTACTIKEv2-PROTO-5: Construct Notify Payload:
ESP_TFC_NO_SUPPORTIKEv2-PROTO-5: Construct Notify Payload: NON_FIRST_FRAGSIKEv2-PROTO-3: (1): Building
packet for encryption; contents are:
VID Next payload: IDi, reserved: 0x0, length: 20
1b e9 df ba 31 ea 2a ea 62 4f 69 f3 ca 01 6a c2
IDi Next payload: AUTH, reserved: 0x0, length: 12
Id type: IPv4 address, Reserved: 0x0 0x0
64 01 01 02
AUTH Next payload: SA, reserved: 0x0, length: 28
Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 20 bytes
SA Next payload: TSi, reserved: 0x0, length: 44
IKEv2-PROTO-4: last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4: last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id:
TSi Next payload: TSr, reserved: 0x0, length: 40
Num of TSs: 2, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 172.16.0.1, end addr: 172.16.0.1
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 172.16.0.0, end addr: 172.16.255.255
TSr Next payload: NOTIFY, reserved: 0x0, length: 40
Num of TSs: 2, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 192.168.1.1, end addr: 192.168.1.1
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 192.168.0.0, end addr: 192.168.255.255
NOTIFY(INITIAL_CONTACT) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
NOTIFY(ESP_TFC_NO_SUPPORT) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
NOTIFY(NON_FIRST_FRAGS) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
IKEv2-PROTO-3: (1): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 100.1.1.2:500/R 200.1.1.2:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:19E9DEBA22DDD9AD - r: ECBD3F4BE86F51AF]
IKEv2-PROTO-4: IKEV2 HDR ispi: 19E9DEBA22DDD9AD - rspi: ECBD3F4BE86F51AF
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x1, length: 288
ENCR Next payload: VID, reserved: 0x0, length: 260
Encrypted data: 256 bytes
IKEv2-PLAT-4: SENT PKT [IKE_AUTH] [100.1.1.2]:500->[200.1.1.2]:500 InitSPI=0x19e9deba22ddd9ad
RespSPI=0xecbd3f4be86f51af MID=00000001
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PLAT-4: RECV PKT [IKE_AUTH] [200.1.1.2]:500->[100.1.1.2]:500 InitSPI=0x19e9deba22ddd9ad
RespSPI=0xecbd3f4be86f51af MID=00000001
IKEv2-PROTO-3: Rx [L 100.1.1.2:500/R 200.1.1.2:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:19E9DEBA22DDD9AD - r: ECBD3F4BE86F51AF]
IKEv2-PROTO-4: IKEV2 HDR ispi: 19E9DEBA22DDD9AD - rspi: ECBD3F4BE86F51AF
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x1, length: 240
REAL Decrypted packet:Data: 168 bytes
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID Next payload: IDr, reserved: 0x0, length: 20
ee bd 3e 4b fb 58 a2 e8 62 4f 69 f3 ca 01 6a c2
IDr Next payload: AUTH, reserved: 0x0, length: 12
Id type: IPv4 address, Reserved: 0x0 0x0
c8 01 01 02
AUTH Next payload: SA, reserved: 0x0, length: 28
Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 20 bytes
SA Next payload: TSi, reserved: 0x0, length: 44
IKEv2-PROTO-4: last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4: last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id:
TSi Next payload: TSr, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 172.16.0.0, end addr: 172.16.255.255
TSr Next payload: NOTIFY, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 192.168.0.0, end addr: 192.168.255.255
IKEv2-PROTO-5: Parse Notify Payload: ESP_TFC_NO_SUPPORT NOTIFY(ESP_TFC_NO_SUPPORT) Next payload: NOTIFY,
reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
IKEv2-PROTO-5: Parse Notify Payload: NON_FIRST_FRAGS NOTIFY(NON_FIRST_FRAGS) Next payload: NONE, reserved:
0x0, length: 8
Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
Decrypted packet:Data: 240 bytes
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-5: (1): Action: Action_Null
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (1): Process auth response notify
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PLAT-3: (1) peer auth method set to: 2
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_PROC_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_PROC_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-3: (1): Getting configured policies
IKEv2-PLAT-3: connection initiated with tunnel group 200.1.1.2
IKEv2-PLAT-3: (1) tg_name set to: 200.1.1.2
IKEv2-PLAT-3: (1) tunn grp type set to: L2L
IKEv2-PLAT-3: my_auth_method = 2
IKEv2-PLAT-3: supported_peers_auth_method = 2
IKEv2-PLAT-3: P1 ID = 0
IKEv2-PLAT-3: Translating IKE_ID_AUTO to = 255
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-3: (1): Verify peer's policy
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (1): Get peer authentication method
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-3: (1): Get peer's preshared key for 200.1.1.2
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-3: (1): Verify authentication data
IKEv2-PROTO-3: (1): Use preshared key for id 200.1.1.2, key len 5
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_PROC_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (1): Check for EAP exchange
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_PROC_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_PROC_AUTH Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: I_PROC_AUTH Event: EV_PROC_SA_TS
IKEv2-PROTO-2: (1): Processing auth message
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-5: (1): Action: Action_Null
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE
IKEv2-PROTO-3: (1): Closing the PKI session
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-2: (1): SA created; inserting SA into database
IKEv2-PLAT-3:
CONNECTION STATUS: UP... peer: 200.1.1.2:500, phase1_id: 200.1.1.2
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PLAT-3: (1) connection auth hdl set to 0
IKEv2-PLAT-3: AAA conn attribute retrieval successfully queued for register session request.
IKEv2-PROTO-3: (1):
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PLAT-3: (1) idle timeout set to: 30
IKEv2-PLAT-3: (1) session timeout set to: 0
IKEv2-PLAT-3: (1) group policy set to DfltGrpPolicy
IKEv2-PLAT-3: (1) class attr set
IKEv2-PLAT-3: (1) tunnel protocol set to: 0x5c
IKEv2-PLAT-3: IPv4 filter ID not configured for connection
IKEv2-PLAT-3: (1) group lock set to: none
IKEv2-PLAT-3: IPv6 filter ID not configured for connection
IKEv2-PLAT-3: (1) connection attribues set valid to TRUE
IKEv2-PLAT-3: Successfully retrieved conn attrs
IKEv2-PLAT-3: Session registration after conn attr retrieval PASSED, No error
IKEv2-PLAT-3:
CONNECTION STATUS: REGISTERED... peer: 200.1.1.2:500, phase1_id: 200.1.1.2
IKEv2-PROTO-3: (1): Initializing DPD, configured for 10 seconds
IKEv2-PLAT-3: (1) mib_index set to: 501
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: AUTH_DONE Event: EV_GEN_LOAD_IPSEC
IKEv2-PROTO-3: (1): Load IPSEC key material
IKEv2-PLAT-3: PROXY MATCH on crypto map S2S_VPN_MAP seq 1
IKEv2-PLAT-3: (1) DPD Max Time will be: 10
IKEv2-PLAT-3: (1) DPD Max Time will be: 10
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: AUTH_DONE Event: EV_START_ACCT
IKEv2-PROTO-5: (1): Accounting not required
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-3: (1): Checking for duplicate SA
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: READY Event: EV_I_UPDATE_CAC_STATS
IKEv2-PLAT-5: New ikev2 sa request activated
IKEv2-PLAT-5: Decrement count for outgoing negotiating
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=19E9DEBA22DDD9AD R_SPI=ECBD3F4BE86F51AF (I) MsgID = 00000001
CurState: READY Event: EV_I_OK
IKEv2-PROTO-5: (1): Deleting negotiation context for my message ID: 0x1
ASA1# show crypto ikev2 sa detail
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
8900467 100.1.1.2/500 200.1.1.2/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/15 sec
Session-id: 1
Status Description: Negotiation done
Local spi: 19E9DEBA22DDD9AD Remote spi: ECBD3F4BE86F51AF
Local id: 100.1.1.2
Remote id: 200.1.1.2
Local req mess id: 2 Remote req mess id: 0
Local next mess id: 2 Remote next mess id: 0
Local req queued: 2 Remote req queued: 0
Local window: 1 Remote window: 1
DPD configured for 10 seconds, retry 2
NAT-T is not detected
Child sa: local selector 172.16.0.0/0 - 172.16.255.255/65535
remote selector 192.168.0.0/0 - 192.168.255.255/65535
ESP spi in/out: 0x761a14dc/0x97dc5e3a
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
ASA2# show crypto ikev2 sa detail
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
9509961 200.1.1.2/500 100.1.1.2/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/115 sec
Session-id: 1
Status Description: Negotiation done
Local spi: ECBD3F4BE86F51AF Remote spi: 19E9DEBA22DDD9AD
Local id: 200.1.1.2
Remote id: 100.1.1.2
Local req mess id: 2 Remote req mess id: 5
Local next mess id: 2 Remote next mess id: 5
Local req queued: 2 Remote req queued: 5
Local window: 1 Remote window: 1
DPD configured for 10 seconds, retry 2
NAT-T is not detected
Child sa: local selector 192.168.0.0/0 - 192.168.255.255/65535
remote selector 172.16.0.0/0 - 172.16.255.255/65535
ESP spi in/out: 0x97dc5e3a/0x761a14dc
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
No comments:
Post a Comment