I was asked to set up a central VPN server that remote (spoke) routers will connect back to in order to reach our corporate network. Each remote router will get its dynamic IP address from a 4G cellular modem. I wrote a blog post about EZVPN a year ago and this is my first EZVPN implementation in the real world.
The decision was to set up an Easy VPN (EZVPN) server on an IOS router, which will be assigned a public IP address. It will also be configured with a VPN policy template that the spoke router uses when it tries to associate with the EZVPN server. I used my 871W home router for testing and configured it as an EZVPN client.
2811-EZVPN#show run interface f0/1
Building configuration...
Current configuration : 172 bytes
!
interface FastEthernet0/1
description To Internet
ip address 202.78.8.22 255.255.255.248
duplex full
speed 100
end
2811-EZVPN(config)#aaa authentication login ?
WORD Named authentication list (max 31 characters, longer will be rejected).
default The default authentication list.
2811-EZVPN(config)#aaa authentication login X-AUTH ?
enable Use enable password for authentication.
group Use Server-group
krb5 Use Kerberos 5 authentication.
krb5-telnet Allow logins only if already authenticated via Kerberos V Telnet.
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.
passwd-expiry enable the login list to provide password aging support
2811-EZVPN(config)#aaa authentication login X-AUTH local
2811-EZVPN(config)#aaa authorization network ?
WORD Named authorization list (max 31 characters, longer will be rejected).
default The default authorization list.
2811-EZVPN(config)#aaa authorization network EZVPN_AUTHORIZATION ?
group Use server-group.
if-authenticated Succeed if user has authenticated.
local Use local database.
none No authorization (always succeeds).
2811-EZVPN(config)#aaa authorization network EZVPN_AUTHORIZATION local
2811-EZVPN(config)#username ezvpn password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) user password
2811-EZVPN(config)#username ezvpn password 0 ezvpn
2811-EZVPN(config)#crypto isakmp policy 10
2811-EZVPN(config-isakmp)#?
ISAKMP commands:
authentication Set authentication method for protection suite
default Set a command to its defaults
encryption Set encryption algorithm for protection suite
exit Exit from ISAKMP protection suite configuration mode
group Set the Diffie-Hellman group
hash Set hash algorithm for protection suite
lifetime Set lifetime for ISAKMP security association
no Negate a command or set its defaults
2811-EZVPN(config-isakmp)#encryption ?
3des Three key triple DES
aes AES - Advanced Encryption Standard.
des DES - Data Encryption Standard (56 bit keys).
2811-EZVPN(config-isakmp)#encryption 3des
2811-EZVPN(config-isakmp)#hash ?
md5 Message Digest 5
sha Secure Hash Standard
2811-EZVPN(config-isakmp)#hash sha
2811-EZVPN(config-isakmp)#authentication ?
pre-share Pre-Shared Key
rsa-encr Rivest-Shamir-Adleman Encryption
rsa-sig Rivest-Shamir-Adleman Signature
2811-EZVPN(config-isakmp)#authentication pre-share
2811-EZVPN(config-isakmp)#group ?
1 Diffie-Hellman group 1 (768 bit)
14 Diffie-Hellman group 14 (2048 bit)
15 Diffie-Hellman group 15 (3072 bit)
16 Diffie-Hellman group 16 (4096 bit)
2 Diffie-Hellman group 2 (1024 bit)
5 Diffie-Hellman group 5 (1536 bit)
2811-EZVPN(config-isakmp)#group 2
2811-EZVPN(config)#crypto isakmp ?
aggressive-mode Disable ISAKMP aggressive mode
client Set client configuration policy
default ISAKMP default policy
enable Enable ISAKMP
fragmentation IKE Fragmentation enabled if required
identity Set the identity which ISAKMP will use
invalid-spi-recovery Initiate IKE and send Invalid SPI Notify
keepalive Set a keepalive interval for use with IOS peers
key Set pre-shared key for remote peer
nat Set a nat keepalive interval for use with IOS peers
peer Set Peer Policy
policy Set policy for an ISAKMP protection suite
profile Define ISAKMP Profiles
xauth Set Extended Authentication values
2811-EZVPN(config)#crypto isakmp client ?
configuration Set client configuration policy
firewall Define client firewall
2811-EZVPN(config)#crypto isakmp client configuration ?
address-pool Set network address for client
browser-proxy Set browser proxy attributes for client
group Set group profile attributes for client
2811-EZVPN(config)#crypto isakmp client configuration group ?
WORD group name
2811-EZVPN(config)#crypto isakmp client configuration group EZVPN_GRP
2811-EZVPN(config-isakmp-group)#?
ISAKMP group policy config commands:
access-restrict Restrict clients in this group to an interface
acl Specify split tunneling inclusion access-list number
auto-update Configure auto-upgrade
backup-gateway Specify backup gateway
banner Specify mode config banner
browser-proxy Configure browser-proxy
configuration Push configuration to the client
crypto Client group crypto aaa attribute list
dhcp Configure DHCP parameters
dns Specify DNS Addresses
domain Set default domain name to send to client
exit Exit from ISAKMP client group policy configuration mode
firewall Enforce group firewall feature
group-lock Enforce group lock feature
include-local-lan Enable Local LAN Access with no split tunnel
key pre-shared key/IKE password
max-logins Set maximum simultaneous logins for users in this group
max-users Set maximum number of users for this group
netmask netmask used by the client for local connectivity
no Negate a command or set its defaults
pfs The client should propose PFS
pool Set name of address pool
save-password Allows remote client to save XAUTH password
smartcard-removal-disconnect Enables smartcard-removal-disconnect
split-dns DNS name to append for resolution
wins Specify WINS Addresses
2811-EZVPN(config-isakmp-group)#key ?
0 Specifies an UNENCRYPTED password will follow
6 Specifies an ENCRYPTED password will follow
WORD The UNENCRYPTED (cleartext) user password
2811-EZVPN(config-isakmp-group)#key ezvpn
2811-EZVPN(config-isakmp-group)#save-password
2811-EZVPN(config)#crypto ipsec transform-set ?
WORD Transform set tag
2811-EZVPN(config)#crypto ipsec transform-set EZVPN-TS ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
2811-EZVPN(config)#crypto ipsec transform-set EZVPN-TS esp-3des ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-sha-hmac ESP transform using HMAC-SHA auth
<cr>
2811-EZVPN(config)#crypto ipsec transform-set EZVPN-TS esp-3des ah-sha-hmac
2811-EZVPN(config)#crypto dynamic-map ?
WORD Dynamic crypto map template tag
2811-EZVPN(config)#crypto dynamic-map EZVPN_DMAP 10
2811-EZVPN(config-crypto-map)#set ?
identity Identity restriction.
ip Interface Internet Protocol config commands
isakmp-profile Specify isakmp Profile
nat Set NAT translation
peer Allowed Encryption/Decryption peer.
pfs Specify pfs settings
reverse-route Reverse Route Injection.
security-association Security association parameters
transform-set Specify list of transform sets in priority order
2811-EZVPN(config-crypto-map)#?
Crypto Map configuration commands:
default Set a command to its defaults
description Description of the crypto map statement policy
dialer Dialer related commands
exit Exit from crypto map configuration mode
match Match values.
no Negate a command or set its defaults
qos Quality of Service related commands
reverse-route Reverse Route Injection.
set Set values for encryption/decryption
2811-EZVPN(config-crypto-map)#set ?
identity Identity restriction.
ip Interface Internet Protocol config commands
isakmp-profile Specify isakmp Profile
nat Set NAT translation
peer Allowed Encryption/Decryption peer.
pfs Specify pfs settings
reverse-route Reverse Route Injection.
security-association Security association parameters
transform-set Specify list of transform sets in priority order
2811-EZVPN(config-crypto-map)#set transform-set ?
WORD Proposal tag
2811-EZVPN(config-crypto-map)#set transform-set EZVPN-TS
2811-EZVPN(config)#crypto map ?
WORD Crypto map tag
2811-EZVPN(config)#crypto map EZVPN_CMAP ?
<1-65535> Sequence to insert into crypto map entry
client Specify client configuration settings
gdoi Configure crypto map gdoi features
isakmp Specify isakmp configuration settings
isakmp-profile Specify isakmp profile to use
local-address Interface to use for local address for this crypto map
redundancy High availability options for this map
2811-EZVPN(config)#crypto map EZVPN_CMAP client ?
accounting Accounting parameters.
authentication Use Extended Authentication
configuration Specify client configuration settings
2811-EZVPN(config)#crypto map EZVPN_CMAP client authentication ?
list AAA authentication list to use
2811-EZVPN(config)#crypto map EZVPN_CMAP client authentication list X-AUTH
2811-EZVPN(config)#crypto map EZVPN_CMAP isakmp ?
authorization Authorization parameters.
2811-EZVPN(config)#crypto map EZVPN_CMAP isakmp authorization ?
list AAA authorization list to use
2811-EZVPN(config)#crypto map EZVPN_CMAP isakmp authorization list ?
WORD Named authorization list.
2811-EZVPN(config)#crypto map EZVPN_CMAP isakmp authorization list EZVPN_AUTHORIZATION
2811-EZVPN(config)#crypto map EZVPN_CMAP ?
<1-65535> Sequence to insert into crypto map entry
client Specify client configuration settings
gdoi Configure crypto map gdoi features
isakmp Specify isakmp configuration settings
isakmp-profile Specify isakmp profile to use
local-address Interface to use for local address for this crypto map
redundancy High availability options for this map
2811-EZVPN(config)#crypto map EZVPN_CMAP 10 ?
gdoi GDOI
ipsec-isakmp IPSEC w/ISAKMP
ipsec-manual IPSEC w/manual keying
<cr>
2811-EZVPN(config)#crypto map EZVPN_CMAP 10 ipsec-isakmp ?
dynamic Enable dynamic crypto map support
profile Enable crypto map as a crypto-profile
<cr>
2811-EZVPN(config)#crypto map EZVPN_CMAP 10 ipsec-isakmp dynamic ?
WORD Name of dynamic-map template
2811-EZVPN(config)#crypto map EZVPN_CMAP 10 ipsec-isakmp dynamic EZVPN_DMAP
2811-EZVPN(config)#interface f0/1
2811-EZVPN(config-if)#crypto ?
ipsec Set IPSec parameters
map Assign a Crypto Map
2811-EZVPN(config-if)#crypto map ?
WORD Crypto Map tag
<cr>
2811-EZVPN(config-if)#crypto map EZVPN_CMAP
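The server-side settings entered above, run through a small config auditor. This is an added example, not part of the original post or of any Cisco tool; the rule names, the 20-character key threshold and both config listings are constructed for illustration.

```python
import re

# Constructed sample: the server commands typed in the session above, gathered
# into one listing (not a captured "show run").
SAMPLE_CONFIG = """\
aaa authentication login X-AUTH local
aaa authorization network EZVPN_AUTHORIZATION local
username ezvpn password 0 ezvpn
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp client configuration group EZVPN_GRP
 key ezvpn
 save-password
crypto ipsec transform-set EZVPN-TS esp-3des ah-sha-hmac
crypto dynamic-map EZVPN_DMAP 10
 set transform-set EZVPN-TS
"""

# Constructed stricter variant. It uses options listed in the help output above
# (aes, group 14, key type 6) plus "username ... secret"; the hash and key
# values are placeholders. Without save-password the spoke has to supply its
# XAUTH credentials interactively.
HARDENED_CONFIG = """\
username ezvpn secret 5 <hash-placeholder>
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp client configuration group EZVPN_GRP
 key 6 <encrypted-key-placeholder>
crypto ipsec transform-set EZVPN-TS esp-aes 256 esp-sha-hmac
"""

WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "ah-md5-hmac"}
MIN_PSK_LEN = 20  # assumed threshold for this example, not a Cisco limit


def parse_sections(text):
    """Group indented sub-commands under the top-level command above them."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(line)
        else:
            sections.append((line, []))
    return sections


def audit(text):
    """Return (rule_id, offending_text) pairs; the rule ids are made up here."""
    findings, xauth_passwords, group_keys = [], set(), {}
    for header, children in parse_sections(text):
        user = re.match(r"username (\S+) password (?:([07]) )?(\S+)$", header)
        if user:
            name, ptype, value = user.groups()
            if ptype == "7":
                # Type 7 is only obfuscated, so the value cannot be compared.
                findings.append(("type7-local-password", header))
            else:
                findings.append(("cleartext-local-password", header))
                xauth_passwords.add(value)
                if value == name:
                    findings.append(("password-equals-username", header))
        elif header.startswith("crypto isakmp policy "):
            for child in children:
                key, _, rest = child.partition(" ")
                key = "encryption" if key == "encr" else key  # show-run spelling
                value = rest.split()[0] if rest else ""
                if value in WEAK_IKE.get(key, ()):
                    findings.append(("weak-ike-" + key, child))
        elif header.startswith("crypto isakmp client configuration group "):
            group = header.split()[-1]
            for child in children:
                parts = child.split()
                if child == "save-password":
                    findings.append(("xauth-password-saved-on-client", child))
                elif parts[0] == "key" and len(parts) > 1 and parts[1] != "6":
                    group_keys[group] = parts[-1]
                    if len(parts[-1]) < MIN_PSK_LEN:
                        findings.append(("short-group-psk", child))
        elif header.startswith("crypto ipsec transform-set "):
            for transform in header.split()[4:]:
                if transform in WEAK_TRANSFORMS:
                    findings.append(("weak-ipsec-transform", transform))
    # Cross-check: the group pre-shared key doubles as an XAUTH password.
    for group, key in group_keys.items():
        if key in xauth_passwords:
            findings.append(("group-psk-reused-as-xauth-password", group))
    return findings


if __name__ == "__main__":
    for rule, where in audit(SAMPLE_CONFIG):
        print(f"{rule:38} {where}")
    print("hardened findings:", audit(HARDENED_CONFIG))
```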
----
871W#ping 202.78.8.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.78.8.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/80/84 ms
871W#show run interface f4
Building configuration...
Current configuration : 252 bytes
!
interface FastEthernet4
description To Cable Modem
ip dhcp client client-id hex 002699C6DB2E
ip dhcp client hostname 871W
ip address dhcp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
end
871W#show ip interface brief
Interface IP-Address OK? Method Status Protocol
BVI1 192.168.1.1 YES NVRAM up up
Dot11Radio0 unassigned YES NVRAM up up
FastEthernet0 unassigned YES unset up down
FastEthernet1 unassigned YES unset administratively down down
FastEthernet2 unassigned YES unset administratively down down
FastEthernet3 unassigned YES unset administratively down down
FastEthernet4 222.165.6.20 YES DHCP up up
Group-Async4 unassigned YES NVRAM down down
NVI0 unassigned YES unset administratively down down
Vlan1 unassigned YES NVRAM up down
871W(config)#crypto ipsec ?
client Configure a client
df-bit Handling of encapsulated DF bit.
fragmentation Handling of fragmentation of near-MTU sized packets
nat-transparency IPsec NAT transparency model
optional Enable optional encryption for IPSec
profile Configure an ipsec policy profile
security-association Security association parameters
transform-set Define transform and settings
871W(config)#crypto ipsec client ?
ezvpn Configure an EzVPN client
871W(config)#crypto ipsec client
871W(config)#crypto ipsec client ezvpn ?
WORD crypto-ezvpn name
871W(config)#crypto ipsec client ezvpn EZVPN_CLIENT
871W(config-crypto-ezvpn)#connect auto
871W(config-crypto-ezvpn)#group ?
WORD Group Name
871W(config-crypto-ezvpn)#group EZVPN_GRP key ?
0 Specifies an UNENCRYPTED password will follow
6 Specifies an ENCRYPTED password will follow
WORD The UNENCRYPTED (cleartext) user password
871W(config-crypto-ezvpn)#group EZVPN_GRP key ezvpn
871W(config-crypto-ezvpn)#mode network-extension
871W(config-crypto-ezvpn)#peer 202.78.8.22 // ENSURE A STATIC ROUTE IS CONFIGURED TO REACH THE EZVPN SERVER
871W(config-crypto-ezvpn)#username ?
WORD User Name
871W(config-crypto-ezvpn)#username ezvpn ?
password Password
871W(config-crypto-ezvpn)#username ezvpn password ezvpn
871W(config-crypto-ezvpn)#xauth userid ?
mode The source of user credential collection
871W(config-crypto-ezvpn)#xauth userid m
871W(config-crypto-ezvpn)#xauth userid mode ?
http-intercept Intercept user's HTTP requests to prompt
interactive Prompt the user on the console
local Use locally saved username and password
871W(config-crypto-ezvpn)#xauth userid mode local
871W(config-if)#crypto ipsec ?
client Client
df-bit Handling of encapsulated DF bit.
fragmentation Handling of fragmentation of near-MTU sized packets
871W(config-if)#crypto ipsec client ?
ezvpn Assign an EzVPN configuration
871W(config-if)#crypto ipsec client ezvpn ?
WORD Crypto EzVPN name
871W(config-if)#crypto ipsec client ezvpn EZVPN_CLIENT ?
inside inside
outside outside
<cr>
871W(config-if)#crypto ipsec client ezvpn ?
WORD Crypto EzVPN name
871W(config-if)#crypto ipsec client ezvpn EZVPN_CLIENT inside
871W(config-if)#interface f4
871W(config-if)#
*May 20 05:12:38.312 SGT: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*May 20 05:12:40.388 SGT: EZVPN(EZVPN_CLIENT) Server does not allow save password option, enter your username and password manually
*May 20 05:12:40.388 SGT: EZVPN(EZVPN_CLIENT): *** Logic Error ***
*May 20 05:12:40.388 SGT: EZVPN(EZVPN_CLIENT): Current State: READY
*May 20 05:12:40.388 SGT: EZVPN(EZVPN_CLIENT): Event: MODE_CONFIG_REPLY
*May 20 05:12:40.388 SGT: EZVPN(EZVPN_CLIENT): Resetting the EZVPN state machine to recover
*May 20 05:12:40.388 SGT: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=EZVPN_GRP Client_public_addr=222.165.6.20 Server_public_addr=202.78.8.22
*May 20 05:12:41.996 SGT: EZVPN(EZVPN_CLIENT) Server does not allow save password option,enter your username and password manually
871W#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 6
Tunnel name : EZVPN_CLIENT
Inside interface list: BVI1
Outside interface: FastEthernet4
Current State: CONNECT_REQUIRED
Last Event: CONNECT
Save Password: Disallowed
Current EzVPN Peer: 202.78.8.22
871W# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
202.78.8.22 222.165.6.20 MM_NO_STATE 2062 0 ACTIVE (deleted)
I wasn't able to establish a successful IPsec VPN tunnel with the EZVPN server right away. I got an error on the EZVPN client router which said, "Server does not allow save password", although I thought I had configured the EZVPN server to save its password. After adding the configuration line below on the EZVPN server, everything seemed to work.
2811-EZVPN(config)#crypto map EZVPN_CMAP client ?
accounting Accounting parameters.
authentication Use Extended Authentication
configuration Specify client configuration settings
2811-EZVPN(config)#crypto map EZVPN_CMAP client configuration ?
address Specify client network address configuration
2811-EZVPN(config)#crypto map EZVPN_CMAP client configuration address ?
initiate Push the network address to the client
respond Respond to network address requests from the client
2811-EZVPN(config)#crypto map EZVPN_CMAP client configuration address respond
871W#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 6
Tunnel name : EZVPN_CLIENT
Inside interface list: BVI1
Outside interface: FastEthernet4
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Allowed
Current EzVPN Peer: 202.78.8.22
871W#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
202.78.8.22 222.165.6.20 QM_IDLE 2256 0 ACTIVE
Here's the debug output from both VPN nodes.
871W#debug crypto isakmp sa
Crypto ISAKMP debugging is on
871W#debug crypto ipsec
Crypto IPSEC debugging is on
871W#clear crypto isakmp
871W#
*May 20 05:23:27.815 SGT: del_node src 222.165.6.20:500 dst 202.78.8.22:500 fvrf 0x0, ivrf 0x0
*May 20 05:23:27.815 SGT: ISAKMP:(2256):peer does not do paranoid keepalives.
*May 20 05:23:27.815 SGT: ISAKMP:(2256):deleting SA reason "Death by tree-walk" state (I) QM_IDLE (peer 202.78.8.22)
*May 20 05:23:27.819 SGT: ISAKMP: set new node -451076264 to QM_IDLE
*May 20 05:23:27.819 SGT: ISAKMP:(2256): sending packet to 202.78.8.22 my_port 500 peer_port 500 (I) QM_IDLE
*May 20 05:23:27.819 SGT: ISAKMP:(2256):Sending an IKE IPv4 Packet.
*May 20 05:23:27.819 SGT: ISAKMP:(2256):purging node -451076264
*May 20 05:23:27.819 SGT: ISAKMP:(2256):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*May 20 05:23:27.819 SGT: ISAKMP:(2256):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*May 20 05:23:27.819 SGT: ISAKMP:(2256):deleting SA reason "Death by tree-walk" state (I) QM_IDLE (peer 202.78.8.22)
*May 20 05:23:27.823 SGT: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
*May 20 05:23:27.823 SGT: ISAKMP: Unlocking peer struĆ£arkr isadb_m_sa_deleted(), count 0
*May 20 05:23:27.823 SGT: ISAKMP:(2256):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 20 05:23:27.823 SGT: ISAKMP:(2256):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*May 20 05:23:27.823 SGT: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User=ezvpn Group=EZVPN_GRP Client_public_addr=222.165.6.20 Server_public_addr=202.78.8.22
*May 20 05:23:27.827 SGT: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 222.165.6.20, sa_proto= 50,
sa_spi= 0xDAA24285(3668066949),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 1,
(identity) local= 222.165.6.20, remote= 202.78.8.22,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*May 20 05:23:27.827 SGT: IPSEC(update_current_outbound_sa): updated peer 202.78.8.22 current outbound sa to SPI 0
*May 20 05:23:27.827 SGT: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 202.78.8.22, sa_proto= 50,
sa_spi= 0x7393F327(1939075879),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2,
(identity) local= 222.165.6.20, remote= 202.78.8.22,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*May 20 05:23:27.831 SGT: ISAKMP: Deleting peer node by peer_reap for 202.78.8.22: 829FF504
*May 20 05:23:27.831 SGT: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 222.165.6.20 dst 202.78.8.22 for SPI 0xDAA24285
*May 20 05:23:27.831 SGT: ISAKMP:(2256):peer does not do paranoid keepalives.
*May 20 05:23:27.831 SGT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*May 20 05:23:27.911 SGT: ISAKMP (0:2256): received packet from 202.78.8.22 dport 500 sport 500 Global (I) MM_NO_STATE
*May 20 05:23:28.935 SGT: del_node src 222.165.6.20:500 dst 202.78.8.22:500 fvrf 0x0, ivrf 0x0
*May 20 05:23:28.935 SGT: ISAKMP:(2256):peer does not do paranoid keepalives.
*May 20 05:23:28.935 SGT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*May 20 05:23:28.935 SGT: ISAKMP:(0): SA request profile is (NULL)
*May 20 05:23:28.935 SGT: ISAKMP: Created a peer struct for 202.78.8.22, peer port 500
*May 20 05:23:28.935 SGT: ISAKMP: New peer created peer = 0x829FF504 peer_handle = 0x80000102
*May 20 05:23:28.935 SGT: ISAKMP: Locking peer struct 0x829FF504, refcount 1 for isakmp_initiator
*May 20 05:23:28.935 SGT: ISAKMP:(0):Setting client config settings 828F9B80
*May 20 05:23:28.935 SGT: ISAKMP: local port 500, remote port 500
*May 20 05:23:28.935 SGT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 83C9EE00
*May 20 05:23:28.935 SGT: ISAKMP:(0): client mode configured.
*May 20 05:23:28.939 SGT: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*May 20 05:23:28.939 SGT: ISAKMP:(0): constructed NAT-T vendor-07 ID
*May 20 05:23:28.939 SGT: ISAKMP:(0): constructed NAT-T vendor-03 ID
*May 20 05:23:28.939 SGT: ISAKMP:(0): constructed NAT-T vendor-02 ID
*May 20 05:23:28.939 SGT: ISKAMP: growing send buffer from 1024 to 3072
*May 20 05:23:28.939 SGT: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID
*May 20 05:23:28.939 SGT: ISAKMP (0:0): ID payload
next-payload : 13
type : 11
group id : EZVPN_GRP
protocol : 17
port : 0
length : 17
*May 20 05:23:28.939 SGT: ISAKMP:(0):Total payload length: 17
*May 20 05:23:28.939 SGT: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
*May 20 05:23:28.939 SGT: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_AM1
*May 20 05:23:28.939 SGT: ISAKMP:(0): beginning Aggressive Mode exchange
*May 20 05:23:28.939 SGT: ISAKMP:(0): sending packet to 202.78.8.22 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*May 20 05:23:28.939 SGT: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 20 05:23:29.075 SGT: ISAKMP (0:0): received packet from 202.78.8.22 dport 500 sport 500 Global (I) AG_INIT_EXCH
*May 20 05:23:29.075 SGT: ISAKMP:(0): processing SA payload. message ID = 0
*May 20 05:23:29.075 SGT: ISAKMP:(0): processing ID payload. message ID = 0
*May 20 05:23:29.079 SGT: ISAKMP (0:0): ID payload
next-payload : 10
type : 1
address : 202.78.8.22
protocol : 0
port : 0
length : 12
*May 20 05:23:29.079 SGT: ISAKMP:(0):: peer matches *none* of the profiles
*May 20 05:23:29.079 SGT: ISAKMP:(0): processing vendor id payload
*May 20 05:23:29.079 SGT: ISAKMP:(0): vendor ID is Unity
*May 20 05:23:29.079 SGT: ISAKMP:(0): processing vendor id payload
*May 20 05:23:29.079 SGT: ISAKMP:(0): vendor ID is DPD
*May 20 05:23:29.079 SGT: ISAKMP:(0): processing vendor id payload
*May 20 05:23:29.079 SGT: ISAKMP:(0): speaking to another IOS box!
*May 20 05:23:29.079 SGT: ISAKMP:(0): local preshared key found
*May 20 05:23:29.079 SGT: ISAKMP : Scanning profiles for xauth ...
*May 20 05:23:29.079 SGT: ISAKMP:(0): Authentication by xauth preshared
*May 20 05:23:29.079 SGT: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65515 policy
*May 20 05:23:29.079 SGT: ISAKMP: encryption 3DES-CBC
*May 20 05:23:29.079 SGT: ISAKMP: hash SHA
*May 20 05:23:29.079 SGT: ISAKMP: default group 2
*May 20 05:23:29.079 SGT: ISAKMP: auth XAUTHInitPreShared
*May 20 05:23:29.079 SGT: ISAKMP: life type in seconds
*May 20 05:23:29.079 SGT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*May 20 05:23:29.079 SGT: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 20 05:23:29.079 SGT: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 20 05:23:29.079 SGT: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65516 policy
*May 20 05:23:29.079 SGT: ISAKMP: encryption 3DES-CBC
*May 20 05:23:29.079 SGT: ISAKMP: hash SHA
*May 20 05:23:29.079 SGT: ISAKMP: default group 2
*May 20 05:23:29.079 SGT: ISAKMP: auth XAUTHInitPreShared
*May 20 05:23:29.083 SGT: ISAKMP: life type in seconds
*May 20 05:23:29.083 SGT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*May 20 05:23:29.083 SGT: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 20 05:23:29.083 SGT: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 20 05:23:29.083 SGT: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65517 policy
*May 20 05:23:29.083 SGT: ISAKMP: encryption 3DES-CBC
*May 20 05:23:29.083 SGT: ISAKMP: hash SHA
*May 20 05:23:29.083 SGT: ISAKMP: default group 2
*May 20 05:23:29.083 SGT: ISAKMP: auth XAUTHInitPreShared
*May 20 05:23:29.083 SGT: ISAKMP: life type in seconds
*May 20 05:23:29.083 SGT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*May 20 05:23:29.083 SGT: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 20 05:23:29.083 SGT: ISAKMP:(0):atts are not acceptable. Next payload is 0
<OUTPUT TRUNCATED>
*May 20 05:23:29.091 SGT: ISAKMP: encryption 3DES-CBC
*May 20 05:23:29.091 SGT: ISAKMP: hash SHA
*May 20 05:23:29.091 SGT: ISAKMP: default group 2
*May 20 05:23:29.091 SGT: ISAKMP: auth XAUTHInitPreShared
*May 20 05:23:29.091 SGT: ISAKMP: life type in seconds
*May 20 05:23:29.091 SGT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*May 20 05:23:29.091 SGT: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 20 05:23:29.091 SGT: ISAKMP:(0):Acceptable atts:actual life: 2147483
*May 20 05:23:29.091 SGT: ISAKMP:(0):Acceptable atts:life: 0
*May 20 05:23:29.095 SGT: ISAKMP:(0):Fill atts in sa vpi_length:4
*May 20 05:23:29.095 SGT: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
*May 20 05:23:29.095 SGT: ISAKMP:(0):Returning Actual lifetime: 2147483
*May 20 05:23:29.095 SGT: ISAKMP:(0)::Started lifetime timer: 2147483.
*May 20 05:23:29.095 SGT: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*May 20 05:23:29.095 SGT: ISAKMP:(0): processing KE payload. message ID = 0
*May 20 05:23:29.143 SGT: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 20 05:23:29.143 SGT: ISAKMP:(2257): processing HASH payload. message ID = 0
*May 20 05:23:29.143 SGT: ISAKMP:received payload type 20
*May 20 05:23:29.143 SGT: ISAKMP:received payload type 20
*May 20 05:23:29.147 SGT: ISAKMP:(2257):SA authentication status:
authenticated
*May 20 05:23:29.147 SGT: ISAKMP:(2257):SA has been authenticated with 202.78.8.22
*May 20 05:23:29.147 SGT: ISAKMP: Trying to insert a peer 222.165.6.20/202.78.8.22/500/, and inserted successfully 829FF504.
*May 20 05:23:29.147 SGT: ISAKMP:(2257):Send initial contact
*May 20 05:23:29.147 SGT: ISAKMP:(2257): sending packet to 202.78.8.22 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*May 20 05:23:29.147 SGT: ISAKMP:(2257):Sending an IKE IPv4 Packet.
*May 20 05:23:29.147 SGT: ISAKMP:(2257):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*May 20 05:23:29.147 SGT: ISAKMP:(2257):Old State = IKE_I_AM1 New State = IKE_P1_COMPLETE
*May 20 05:23:29.151 SGT: ISAKMP:(2257):Need XAUTH
*May 20 05:23:29.151 SGT: ISAKMP:(2257):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*May 20 05:23:29.151 SGT: ISAKMP:(2257):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*May 20 05:23:29.239 SGT: ISAKMP (0:2257): received packet from 202.78.8.22 dport 500 sport 500 Global (I) CONF_XAUTH
*May 20 05:23:29.239 SGT: ISAKMP: set new node -1146939845 to CONF_XAUTH
*May 20 05:23:29.239 SGT: ISAKMP:(2257): processing HASH payload. message ID = -1146939845
*May 20 05:23:29.243 SGT: ISAKMP:(2257): processing NOTIFY RESPONDER_LIFETIME protocol 1 spi 0, message ID = -1146939845, sa = 83C9EE00
*May 20 05:23:29.243 SGT: ISAKMP:(2257):SA authentication status: authenticated
*May 20 05:23:29.243 SGT: ISAKMP:(2257): processing responder lifetime
*May 20 05:23:29.243 SGT: ISAKMP:(2257): start processing isakmp responder lifetime
*May 20 05:23:29.243 SGT: ISAKMP:(2257):Returning Actual lifetime: 2147483
*May 20 05:23:29.243 SGT: ISAKMP:(2257): restart ike sa timer to 86400 secs
*May 20 05:23:29.243 SGT: ISAKMP:(2257):Started lifetime timer: 0.
*May 20 05:23:29.243 SGT: ISAKMP:(2257):deleting node -1146939845 error FALSE reason "Informational (in) state 1"
*May 20 05:23:29.243 SGT: ISAKMP:(2257):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 20 05:23:29.243 SGT: ISAKMP:(2257):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*May 20 05:23:29.243 SGT: ISAKMP (0:2257): received packet from 202.78.8.22 dport 500 sport 500 Global (I) CONF_XAUTH
*May 20 05:23:29.243 SGT: ISAKMP: set new node 752671264 to CONF_XAUTH
*May 20 05:23:29.247 SGT: ISAKMP:(2257):processing transaction payload from 202.78.8.22. message ID = 752671264
*May 20 05:23:29.247 SGT: ISAKMP: Config payload REQUEST
*May 20 05:23:29.247 SGT: ISAKMP:(2257):checking request:
*May 20 05:23:29.247 SGT: ISAKMP: XAUTH_USER_NAME_V2
*May 20 05:23:29.247 SGT: ISAKMP: XAUTH_USER_PASSWORD_V2
*May 20 05:23:29.247 SGT: ISAKMP:(2257):Xauth process request
*May 20 05:23:29.247 SGT: ISAKMP:(2257):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*May 20 05:23:29.247 SGT: ISAKMP:(2257):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REPLY_AWAIT
*May 20 05:23:29.247 SGT: username: ezvpn
*May 20 05:23:29.247 SGT: password: <ezpn>
*May 20 05:23:29.247 SGT: ISAKMP:(2257): responding to peer config from 202.78.8.22. ID = 752671264
*May 20 05:23:29.247 SGT: ISAKMP: Marking node 752671264 for late deletion
*May 20 05:23:29.251 SGT: ISAKMP:(2257): sending packet to 202.78.8.22 my_port 500 peer_port 500 (I) CONF_XAUTH
*May 20 05:23:29.251 SGT: ISAKMP:(2257):Sending an IKE IPv4 Packet.
*May 20 05:23:29.251 SGT: ISAKMP:(2257):Input = IKE_MESG_INTERNAL, IKE_XAUTH_REPLY_ATTR
*May 20 05:23:29.251 SGT: ISAKMP:(2257):Old State = IKE_XAUTH_REPLY_AWAIT New State = IKE_XAUTH_REPLY_SENT
*May 20 05:23:29.335 SGT: ISAKMP (0:2257): received packet from 202.78.8.22 dport 500 sport 500 Global (I) CONF_XAUTH
*May 20 05:23:29.335 SGT: ISAKMP: set new node -1569794741 to CONF_XAUTH
*May 20 05:23:29.335 SGT: ISAKMP:(2257):processing transaction payload from 202.78.8.22. message ID = -1569794741
*May 20 05:23:29.339 SGT: ISAKMP: Config payload SET
*May 20 05:23:29.339 SGT: ISAKMP:(2257):Xauth process set, status = 1
*May 20 05:23:29.339 SGT: ISAKMP:(2257):checking SET:
*May 20 05:23:29.339 SGT: ISAKMP: XAUTH_STATUS_V2 XAUTH-OK
*May 20 05:23:29.339 SGT: ISAKMP:(2257):attributes sent in message:
*May 20 05:23:29.339 SGT: Status: 1
*May 20 05:23:29.339 SGT: ISAKMP:(2257):deleting node 752671264 error FALSE reason "Done with xauth request/reply exchange"
*May 20 05:23:29.347 SGT: ISAKMP:(2257): sending packet to 202.78.8.22 my_port 500 peer_port 500 (I) CONF_XAUTH
*May 20 05:23:29.347 SGT: ISAKMP:(2257):Sending an IKE IPv4 Packet.
*May 20 05:23:29.347 SGT: ISAKMP:(2257):deleting node -1569794741 error FALSE reason "No Error"
*May 20 05:23:29.347 SGT: ISAKMP:(2257):Input = IKE_MESG_FROM_PEER, IKE_CFG_SET
*May 20 05:23:29.347 SGT: ISAKMP:(2257):Old State = IKE_XAUTH_REPLY_SENT New State = IKE_P1_COMPLETE
*May 20 05:23:29.351 SGT: ISAKMP:(2257):Need config/address
*May 20 05:23:29.351 SGT: ISAKMP: set new node 286147054 to CONF_ADDR
*May 20 05:23:29.351 SGT: ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(15)T10, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 14-Sep-09 23:35 by prod_rel_team
*May 20 05:23:29.351 SGT: ISAKMP:(2257): initiating peer config to 202.78.8.22. ID = 286147054
*May 20 05:23:29.351 SGT: ISAKMP:(2257): sending packet to 202.78.8.22 my_port 500 peer_port 500 (I) CONF_ADDR
*May 20 05:23:29.351 SGT: ISAKMP:(2257):Sending an IKE IPv4 Packet.
*May 20 05:23:29.351 SGT: ISAKMP:(2257):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*May 20 05:23:29.351 SGT: ISAKMP:(2257):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_MODE_REQ_SENT
*May 20 05:23:29.443 SGT: ISAKMP (0:2257): received packet from 202.78.8.22 dport 500 sport 500 Global (I) CONF_ADDR
*May 20 05:23:29.443 SGT: ISAKMP:(2257):processing transaction payload from 202.78.18.228. message ID = 286147054
*May 20 05:23:29.443 SGT: ISAKMP: Config payload REPLY
*May 20 05:23:29.443 SGT: ISAKMP(0:2257) process config reply
*May 20 05:23:29.443 SGT: ISAKMP:(2257):deleting node 286147054 error FALSE reason "Transaction mode done"
*May 20 05:23:29.443 SGT: ISAKMP:(2257):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
*May 20 05:23:29.443 SGT: ISAKMP:(2257):Old State = IKE_CONFIG_MODE_REQ_SENT New State = IKE_P1_COMPLETE
*May 20 05:23:29.451 SGT: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
*May 20 05:23:29.451 SGT: ISAKMP:(2257):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*May 20 05:23:29.451 SGT: ISAKMP:(2257):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*May 20 05:23:29.451 SGT: IPSEC(recalculate_mtu): reset sadb_root 834A48F8 mtu to 1500
*May 20 05:23:29.451 SGT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 222.165.6.20, remote= 202.78.8.22,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 2147483s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2000
<OUTPUT TRUNCATED>
*May 20 05:23:29.463 SGT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 222.165.6.20, remote= 202.78.8.22,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 2147483s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2000
*May 20 05:23:29.467 SGT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 222.165.6.20, remote= 202.78.8.22,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*May 20 05:23:29.475 SGT: ISAKMP:(2257):beginning Quick Mode exchange, M-ID of -1472151107
*May 20 05:23:29.483 SGT: ISAKMP:(2257):QM Initiator gets spi
*May 20 05:23:29.487 SGT: ISKAMP: growing send buffer from 1024 to 3072
Translating "uall"...domain server (202.156.1.16) [OK]
Trying uall.lagura.com (69.172.201.208)...
*May 20 05:23:29.491 SGT: ISAKMP:(2257): sending packet to 202.78.8.22 my_port 500 peer_port 500 (I) QM_IDLE
*May 20 05:23:29.491 SGT: ISAKMP:(2257):Sending an IKE IPv4 Packet.
*May 20 05:23:29.491 SGT: ISAKMP:(2257):Node -1472151107, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 20 05:23:29.491 SGT: ISAKMP:(2257):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*May 20 05:23:29.767 SGT: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=ezvpn Group=EZVPN_GRP Client_public_addr=222.165.6.20 Server_public_addr=202.78.8.22 NEM_Remote_Subnets=192.168.1.0/255.255.255.0
*May 20 05:23:30.515 SGT: ISAKMP: set new node -23251054 to QM_IDLE
*May 20 05:23:30.515 SGT: ISAKMP:(2257):Sending NOTIFY CLIENT_UPDATE protocol 1 spi 0, message ID = -23251054
*May 20 05:23:30.515 SGT: ISAKMP:(2257): sending packet to 202.78.8.22 my_port 500 peer_port 500 (I) QM_IDLE
871W#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
202.78.8.22 222.165.6.20 QM_IDLE 1258 ACTIVE
2811-EZVPN#debug crypto isakmp
Crypto ISAKMP debugging is on
2811-EZVPN#debug crypto ipsec
Crypto IPSEC debugging is on
2811-EZVPN#
May 7 22:46:02.574 UTC: ISAKMP (1257): received packet from 222.165.6.20 dport 500 sport 500 Global (R) QM_IDLE
May 7 22:46:02.574 UTC: ISAKMP: set new node 451843303 to QM_IDLE
May 7 22:46:02.574 UTC: ISAKMP:(1257): processing HASH payload. message ID = 451843303
May 7 22:46:02.574 UTC: ISAKMP:received payload type 18
May 7 22:46:02.574 UTC: ISAKMP:(1257):Processing delete with reason payload
May 7 22:46:02.574 UTC: ISAKMP:(1257):delete doi = 1
May 7 22:46:02.574 UTC: ISAKMP:(1257):delete protocol id = 1
May 7 22:46:02.574 UTC: ISAKMP:(1257):delete spi_size = 16
May 7 22:46:02.574 UTC: ISAKMP:(1257):delete num spis = 1
May 7 22:46:02.574 UTC: ISAKMP:(1257):delete_reason = 8
May 7 22:46:02.574 UTC: ISAKMP:(1257): processing DELETE_WITH_REASON payload, message ID = 451843303, reason: Unknown delete reason!
May 7 22:46:02.574 UTC: ISAKMP:(1257):peer does not do paranoid keepalives.
May 7 22:46:02.574 UTC: ISAKMP:(1257):peer does not do paranoid keepalives.
May 7 22:46:02.574 UTC: ISAKMP:(1257):deleting SA reason "Death by tree-walk" state (R) QM_IDLE (peer 222.165.6.20)
May 7 22:46:02.574 UTC: ISAKMP:(1257):deleting node 451843303 error FALSE reason "Informational (in) state 1"
May 7 22:46:02.578 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May 7 22:46:02.578 UTC: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
May 7 22:46:02.578 UTC: IPSEC(key_engine_delete_sas): delete all SAs shared with peer 222.165.6.20
May 7 22:46:02.578 UTC: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 202.78.8.22, sa_proto= 50,
sa_spi= 0xDE86ACB(233335499),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2003
sa_lifetime(k/sec)= (4384309/3600),
(identity) local= 202.78.8.22, remote= 222.165.6.20,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
May 7 22:46:02.578 UTC: IPSEC(update_current_outbound_sa): updated peer 222.165.6.20 current outbound sa to SPI 0
May 7 22:46:02.578 UTC: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 222.165.6.20, sa_proto= 50,
sa_spi= 0x55D3CE9B(1439944347),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2004
sa_lifetime(k/sec)= (4384309/3600),
(identity) local= 202.78.8.22, remote= 222.165.6.20,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
May 7 22:46:02.582 UTC: ISAKMP: set new node -95419328 to QM_IDLE
May 7 22:46:02.582 UTC: ISAKMP:(1257): sending packet to 222.165.6.20 my_port 500 peer_port 500 (R) QM_IDLE
May 7 22:46:02.582 UTC: ISAKMP:(1257):Sending an IKE IPv4 Packet.
May 7 22:46:02.582 UTC: ISAKMP:(1257):purging node -95419328
May 7 22:46:02.582 UTC: ISAKMP:(1257):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 7 22:46:02.582 UTC: ISAKMP:(1257):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
May 7 22:46:02.586 UTC: ISAKMP:(1257):deleting SA reason "Death by tree-walk" state (R) QM_IDLE (peer 222.165.6.20)
May 7 22:46:02.586 UTC: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
May 7 22:46:02.586 UTC: ISAKMP: Unlocking peer struct 0x47BD3278 for isadb_mark_sa_deleted(), count 0
May 7 22:46:02.586 UTC: ISAKMP: Deleting peer node by peer_reap for 222.165.6.20: 47BD3278
May 7 22:46:02.586 UTC: ISAKMP:(1257):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 22:46:02.586 UTC: ISAKMP:(1257):Old State = IKE_DEST_SA New State = IKE_DEST_SA
May 7 22:46:02.586 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May 7 22:46:04.586 UTC: ISAKMP (0): received packet from 222.165.6.20 dport 500 sport 500 Global (N) NEW SA
May 7 22:46:04.590 UTC: ISAKMP: Created a peer struct for 222.165.6.20, peer port 500
May 7 22:46:04.590 UTC: ISAKMP: New peer created peer = 0x47BD3278 peer_handle = 0x80000103
May 7 22:46:04.590 UTC: ISAKMP: Locking peer struct 0x47BD3278, refcount 1 for crypto_isakmp_process_block
May 7 22:46:04.590 UTC: ISAKMP:(0):Setting client config settings 47BD2C70
May 7 22:46:04.590 UTC: ISAKMP:(0):(Re)Setting client xauth list and state
May 7 22:46:04.590 UTC: ISAKMP/xauth: initializing AAA request
May 7 22:46:04.590 UTC: ISAKMP: local port 500, remote port 500
May 7 22:46:04.590 UTC: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 47C66308
May 7 22:46:04.590 UTC: ISAKMP:(0): processing SA payload. message ID = 0
May 7 22:46:04.590 UTC: ISAKMP:(0): processing ID payload. message ID = 0
May 7 22:46:04.590 UTC: ISAKMP (0): ID payload
next-payload : 13
type : 11
group id : EZVPN_GRP
protocol : 17
port : 0
length : 17
May 7 22:46:04.590 UTC: ISAKMP:(0):: peer matches *none* of the profiles
May 7 22:46:04.590 UTC: ISAKMP:(0): processing vendor id payload
May 7 22:46:04.590 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
May 7 22:46:04.590 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947
May 7 22:46:04.590 UTC: ISAKMP:(0): processing vendor id payload
May 7 22:46:04.590 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
May 7 22:46:04.590 UTC: ISAKMP (0): vendor ID is NAT-T v7
May 7 22:46:04.590 UTC: ISAKMP:(0): processing vendor id payload
May 7 22:46:04.590 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
May 7 22:46:04.594 UTC: ISAKMP:(0): vendor ID is NAT-T v3
May 7 22:46:04.594 UTC: ISAKMP:(0): processing vendor id payload
May 7 22:46:04.594 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
May 7 22:46:04.594 UTC: ISAKMP:(0): vendor ID is NAT-T v2
May 7 22:46:04.594 UTC: ISAKMP:(0): Authentication by xauth preshared
May 7 22:46:04.594 UTC: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
May 7 22:46:04.594 UTC: ISAKMP: encryption AES-CBC
May 7 22:46:04.594 UTC: ISAKMP: keylength of 128
May 7 22:46:04.594 UTC: ISAKMP: hash SHA
May 7 22:46:04.594 UTC: ISAKMP: default group 2
May 7 22:46:04.594 UTC: ISAKMP: auth XAUTHInitPreShared
May 7 22:46:04.594 UTC: ISAKMP: life type in seconds
May 7 22:46:04.594 UTC: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
May 7 22:46:04.594 UTC: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 7 22:46:04.594 UTC: ISAKMP:(0):atts are not acceptable. Next payload is 3
<OUTPUT TRUNCATED>
May 7 22:46:04.602 UTC: ISAKMP:(0):Checking ISAKMP transform 13 against priority 10 policy
May 7 22:46:04.602 UTC: ISAKMP: encryption 3DES-CBC
May 7 22:46:04.602 UTC: ISAKMP: hash SHA
May 7 22:46:04.602 UTC: ISAKMP: default group 2
May 7 22:46:04.602 UTC: ISAKMP: auth XAUTHInitPreShared
May 7 22:46:04.602 UTC: ISAKMP: life type in seconds
May 7 22:46:04.602 UTC: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
May 7 22:46:04.602 UTC: ISAKMP:(0):atts are acceptable. Next payload is 3
May 7 22:46:04.602 UTC: ISAKMP:(0):Acceptable atts:actual life: 86400
May 7 22:46:04.602 UTC: ISAKMP:(0):Acceptable atts:life: 0
May 7 22:46:04.602 UTC: ISAKMP:(0):Fill atts in sa vpi_length:4
May 7 22:46:04.602 UTC: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
May 7 22:46:04.602 UTC: ISAKMP:(0):Returning Actual lifetime: 86400
May 7 22:46:04.602 UTC: ISAKMP:(0)::Started lifetime timer: 86400.
May 7 22:46:04.602 UTC: ISAKMP:(0): processing vendor id payload
May 7 22:46:04.602 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
May 7 22:46:04.606 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947
May 7 22:46:04.606 UTC: ISAKMP:(0): processing vendor id payload
May 7 22:46:04.606 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
May 7 22:46:04.606 UTC: ISAKMP (0): vendor ID is NAT-T v7
May 7 22:46:04.606 UTC: ISAKMP:(0): processing vendor id payload
May 7 22:46:04.606 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
May 7 22:46:04.606 UTC: ISAKMP:(0): vendor ID is NAT-T v3
May 7 22:46:04.606 UTC: ISAKMP:(0): processing vendor id payload
May 7 22:46:04.606 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
May 7 22:46:04.606 UTC: ISAKMP:(0): vendor ID is NAT-T v2
May 7 22:46:04.606 UTC: ISAKMP:(0): processing KE payload. message ID = 0
May 7 22:46:04.654 UTC: ISAKMP:(0): processing NONCE payload. message ID = 0
May 7 22:46:04.654 UTC: ISAKMP:(0): processing vendor id payload
May 7 22:46:04.654 UTC: ISAKMP:(0): vendor ID is DPD
May 7 22:46:04.654 UTC: ISAKMP:(0): processing vendor id payload
May 7 22:46:04.654 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 126 mismatch
May 7 22:46:04.654 UTC: ISAKMP:(0): vendor ID is XAUTH
May 7 22:46:04.654 UTC: ISAKMP:(0): processing vendor id payload
May 7 22:46:04.654 UTC: ISAKMP:(0): claimed IOS but failed authentication
May 7 22:46:04.654 UTC: ISAKMP:(0): processing vendor id payload
May 7 22:46:04.654 UTC: ISAKMP:(0): vendor ID is Unity
May 7 22:46:04.654 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
May 7 22:46:04.654 UTC: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
May 7 22:46:04.658 UTC: ISAKMP:(1258): constructed NAT-T vendor-rfc3947 ID
May 7 22:46:04.658 UTC: ISAKMP:(1258):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
May 7 22:46:04.658 UTC: ISAKMP (1258): ID payload
next-payload : 10
type : 1
address : 202.78.8.22
protocol : 0
port : 0
length : 12
May 7 22:46:04.658 UTC: ISAKMP:(1258):Total payload length: 12
May 7 22:46:04.658 UTC: ISAKMP:(1258): sending packet to 222.165.6.20 my_port 500 peer_port 500 (R) AG_INIT_EXCH
May 7 22:46:04.662 UTC: ISAKMP:(1258):Sending an IKE IPv4 Packet.
May 7 22:46:04.662 UTC: ISAKMP:(1258):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
May 7 22:46:04.662 UTC: ISAKMP:(1258):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
May 7 22:46:04.786 UTC: ISAKMP (1258): received packet from 222.165.6.20 dport 500 sport 500 Global (R) AG_INIT_EXCH
May 7 22:46:04.790 UTC: ISAKMP:(1258): processing HASH payload. message ID = 0
May 7 22:46:04.790 UTC: ISAKMP:received payload type 20
May 7 22:46:04.790 UTC: ISAKMP (1258): His hash no match - this node outside NAT
May 7 22:46:04.790 UTC: ISAKMP:received payload type 20
May 7 22:46:04.790 UTC: ISAKMP (1258): No NAT Found for self or peer
May 7 22:46:04.790 UTC: ISAKMP:(1258): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 47C66308
May 7 22:46:04.790 UTC: ISAKMP:(1258):SA authentication status: authenticated
May 7 22:46:04.790 UTC: ISAKMP:(1258):SA has been authenticated with 222.165.6.20
May 7 22:46:04.790 UTC: ISAKMP:(1258):SA authentication status: authenticated
May 7 22:46:04.790 UTC: ISAKMP:(1258): Process initial contact,
bring down existing phase 1 and 2 SA's with local 202.78.8.22 remote 222.165.6.20 remote port 500
May 7 22:46:04.790 UTC: ISAKMP:(1258):returning IP addr to the address pool
May 7 22:46:04.790 UTC: ISAKMP: Trying to insert a peer 202.78.8.22/222.165.6.20/500/, and inserted successfully 47BD3278.
May 7 22:46:04.790 UTC: ISAKMP:(1258):Returning Actual lifetime: 86400
May 7 22:46:04.794 UTC: ISAKMP: set new node 319690623 to CONF_XAUTH
May 7 22:46:04.794 UTC: ISAKMP:(1258):Sending NOTIFY RESPONDER_LIFETIME protocol 1 spi 1215728240, message ID = 319690623
May 7 22:46:04.794 UTC: ISAKMP:(1258): sending packet to 222.165.6.20 my_port 500 peer_port 500 (R) QM_IDLE
May 7 22:46:04.794 UTC: ISAKMP:(1258):Sending an IKE IPv4 Packet.
May 7 22:46:04.794 UTC: ISAKMP:(1258):purging node 319690623
May 7 22:46:04.794 UTC: ISAKMP: Sending phase 1 responder lifetime 86400
May 7 22:46:04.794 UTC: ISAKMP:(1258):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
May 7 22:46:04.794 UTC: ISAKMP:(1258):Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE
May 7 22:46:04.794 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May 7 22:46:04.798 UTC: ISAKMP:(1258):Need XAUTH
May 7 22:46:04.798 UTC: ISAKMP: set new node -980807588 to CONF_XAUTH
May 7 22:46:04.798 UTC: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
May 7 22:46:04.798 UTC: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
May 7 22:46:04.798 UTC: ISAKMP:(1258): initiating peer config to 222.165.6.20. ID = -980807588
May 7 22:46:04.798 UTC: ISAKMP:(1258): sending packet to 222.165.6.20 my_port 500 peer_port 500 (R) CONF_XAUTH
May 7 22:46:04.798 UTC: ISAKMP:(1258):Sending an IKE IPv4 Packet.
May 7 22:46:04.798 UTC: ISAKMP:(1258):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 7 22:46:04.798 UTC: ISAKMP:(1258):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT
May 7 22:46:04.886 UTC: ISAKMP (1258): received packet from 222.165.6.20 dport 500 sport 500 Global (R) CONF_XAUTH
May 7 22:46:04.886 UTC: ISAKMP:(1258):processing transaction payload from 222.165.6.20. message ID = -980807588
May 7 22:46:04.886 UTC: ISAKMP: Config payload REPLY
May 7 22:46:04.886 UTC: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
May 7 22:46:04.886 UTC: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
May 7 22:46:04.886 UTC: ISAKMP:(1258):deleting node -980807588 error FALSE reason "Done with xauth request/reply exchange"
May 7 22:46:04.886 UTC: ISAKMP:(1258):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
May 7 22:46:04.886 UTC: ISAKMP:(1258):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
May 7 22:46:04.890 UTC: ISAKMP: set new node 1760571115 to CONF_XAUTH
May 7 22:46:04.890 UTC: ISAKMP:(1258): initiating peer config to 222.165.6.20. ID = 1760571115
May 7 22:46:04.890 UTC: ISAKMP:(1258): sending packet to 222.165.6.20 my_port 500 peer_port 500 (R) CONF_XAUTH
May 7 22:46:04.890 UTC: ISAKMP:(1258):Sending an IKE IPv4 Packet.
May 7 22:46:04.890 UTC: ISAKMP:(1258):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
May 7 22:46:04.890 UTC: ISAKMP:(1258):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_SET_SENT
May 7 22:46:04.978 UTC: ISAKMP (1258): received packet from 222.165.6.20 dport 500 sport 500 Global (R) CONF_XAUTH
May 7 22:46:04.978 UTC: ISAKMP:(1258):processing transaction payload from 222.165.6.20. message ID = 1760571115
May 7 22:46:04.978 UTC: ISAKMP: Config payload ACK
May 7 22:46:04.978 UTC: ISAKMP:(1258): XAUTH ACK Processed
May 7 22:46:04.982 UTC: ISAKMP:(1258):deleting node 1760571115 error FALSE reason "Transaction mode done"
May 7 22:46:04.982 UTC: ISAKMP:(1258):Talking to a Unity Client
May 7 22:46:04.982 UTC: ISAKMP:(1258):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
May 7 22:46:04.982 UTC: ISAKMP:(1258):Old State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE
May 7 22:46:04.982 UTC: ISAKMP:(1258):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 7 22:46:04.982 UTC: ISAKMP:(1258):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
May 7 22:46:04.982 UTC: ISAKMP (1258): received packet from 222.165.6.20 dport 500 sport 500 Global (R) QM_IDLE
May 7 22:46:04.982 UTC: ISAKMP: set new node 170683285 to QM_IDLE
May 7 22:46:04.986 UTC: ISAKMP:(1258):processing transaction payload from 222.165.6.20. message ID = 170683285
May 7 22:46:04.986 UTC: ISAKMP: Config payload REQUEST
May 7 22:46:04.986 UTC: ISAKMP:(1258):checking request:
May 7 22:46:04.986 UTC: ISAKMP: MODECFG_CONFIG_URL
May 7 22:46:04.986 UTC: ISAKMP: MODECFG_CONFIG_VERSION
May 7 22:46:04.986 UTC: ISAKMP: IP4_DNS
May 7 22:46:04.986 UTC: ISAKMP: IP4_DNS
May 7 22:46:04.986 UTC: ISAKMP: IP4_NBNS
May 7 22:46:04.986 UTC: ISAKMP: IP4_NBNS
May 7 22:46:04.986 UTC: ISAKMP: SPLIT_INCLUDE
May 7 22:46:04.986 UTC: ISAKMP: SPLIT_DNS
May 7 22:46:04.986 UTC: ISAKMP: DEFAULT_DOMAIN
May 7 22:46:04.986 UTC: ISAKMP: MODECFG_SAVEPWD
May 7 22:46:04.986 UTC: ISAKMP: INCLUDE_LOCAL_LAN
May 7 22:46:04.986 UTC: ISAKMP: PFS
May 7 22:46:04.986 UTC: ISAKMP: BACKUP_SERVER
May 7 22:46:04.986 UTC: ISAKMP: APPLICATION_VERSION
May 7 22:46:04.986 UTC: ISAKMP: MODECFG_BANNER
May 7 22:46:04.986 UTC: ISAKMP: MODECFG_IPSEC_INT_CONF
May 7 22:46:04.986 UTC: ISAKMP: MODECFG_HOSTNAME
May 7 22:46:04.986 UTC: ISAKMP/author: Author request for group EZVPN_GRPsuccessfully sent to AAA
May 7 22:46:04.986 UTC: ISAKMP:(1258):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
May 7 22:46:04.986 UTC: ISAKMP:(1258):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
May 7 22:46:04.990 UTC: ISAKMP:(1258):attributes sent in message:
May 7 22:46:04.990 UTC: ISAKMP: Sending save password reply value 1
May 7 22:46:04.990 UTC: ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(24)T5, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Fri 04-Mar-11 03:52 by prod_rel_team
May 7 22:46:04.990 UTC: ISAKMP: Sending IPsec Interface Config reply value 0
May 7 22:46:04.990 UTC: ISAKMP (1258): Unknown Attr: MODECFG_HOSTNAME (0x700A)
May 7 22:46:04.990 UTC: ISAKMP:(1258): responding to peer config from 222.165.6.20. ID = 170683285
May 7 22:46:04.990 UTC: ISAKMP: Marking node 170683285 for late deletion
May 7 22:46:04.990 UTC: ISAKMP:(1258): sending packet to 222.165.6.20 my_port 500 peer_port 500 (R) CONF_ADDR
May 7 22:46:04.990 UTC: ISAKMP:(1258):Sending an IKE IPv4 Packet.
May 7 22:46:04.994 UTC: ISAKMP:(1258):Talking to a Unity Client
May 7 22:46:04.994 UTC: ISAKMP:(1258):Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR
May 7 22:46:04.994 UTC: ISAKMP:(1258):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_P1_COMPLETE
May 7 22:46:04.994 UTC: ISAKMP:FSM error - Message from AAA grp/user.
May 7 22:46:04.994 UTC: ISAKMP:(1258):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 7 22:46:04.994 UTC: ISAKMP:(1258):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
May 7 22:46:05.094 UTC: ISAKMP (1258): received packet from 222.165.6.20 dport 500 sport 500 Global (R) QM_IDLE
May 7 22:46:05.094 UTC: ISAKMP: set new node -636079618 to QM_IDLE
May 7 22:46:05.098 UTC: ISAKMP:(1258): processing HASH payload. message ID = -636079618
May 7 22:46:05.098 UTC: ISAKMP:(1258): processing SA payload. message ID = -636079618
May 7 22:46:05.098 UTC: ISAKMP:(1258):Checking IPSec proposal 1
May 7 22:46:05.098 UTC: ISAKMP: transform 1, ESP_AES
May 7 22:46:05.098 UTC: ISAKMP: attributes in transform:
May 7 22:46:05.098 UTC: ISAKMP: encaps is 1 (Tunnel)
May 7 22:46:05.098 UTC: ISAKMP: SA life type in seconds
May 7 22:46:05.098 UTC: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
May 7 22:46:05.098 UTC: ISAKMP: SA life type in kilobytes
May 7 22:46:05.098 UTC: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
May 7 22:46:05.098 UTC: ISAKMP: authenticator is HMAC-SHA
May 7 22:46:05.098 UTC: ISAKMP: key length is 128
May 7 22:46:05.098 UTC: ISAKMP:(1258):atts are acceptable.
May 7 22:46:05.098 UTC: IPSEC(validate_proposal_request): proposal part #1
May 7 22:46:05.098 UTC: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 202.78.8.22, remote= 222.165.6.20,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
May 7 22:46:05.102 UTC: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes esp-sha-hmac }
May 7 22:46:05.102 UTC: ISAKMP:(1258): IPSec policy invalidated proposal with error 256
<OUTPUT TRUNCATED>
May 7 22:46:05.110 UTC: ISAKMP:(1258):Checking IPSec proposal 6
May 7 22:46:05.110 UTC: ISAKMP: transform 1, ESP_AES
May 7 22:46:05.110 UTC: ISAKMP: attributes in transform:
May 7 22:46:05.110 UTC: ISAKMP: encaps is 1 (Tunnel)
May 7 22:46:05.110 UTC: ISAKMP: SA life type in seconds
May 7 22:46:05.110 UTC: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
May 7 22:46:05.114 UTC: ISAKMP: SA life type in kilobytes
May 7 22:46:05.114 UTC: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
May 7 22:46:05.114 UTC: ISAKMP: authenticator is HMAC-MD5
May 7 22:46:05.114 UTC: ISAKMP: key length is 192
May 7 22:46:05.114 UTC: ISAKMP:(1258):atts are acceptable.
May 7 22:46:05.282 UTC: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
May 7 22:46:05.282 UTC: IPSEC(key_engine_enable_outbound): enable SA with spi 2335958642/50
May 7 22:46:05.282 UTC: IPSEC(update_current_outbound_sa): updated peer 222.165.6.20 current outbound sa to SPI 8B3BE672
May 7 22:46:05.826 UTC: ISAKMP (1258): received packet from 222.165.6.20 dport 500 sport 500 Global (R) QM_IDLE
May 7 22:46:05.826 UTC: ISAKMP: set new node 1010137477 to QM_IDLE
May 7 22:46:05.826 UTC: ISAKMP:(1258): processing HASH payload. message ID = 1010137477
May 7 22:46:05.826 UTC: ISAKMP:(1258): processing NOTIFY CLIENT_UPDATE protocol 1
spi 0, message ID = 1010137477, sa = 47C66308
May 7 22:46:05.826 UTC: ISAKMP:(0):Attribute type CLIENT_HOSTNAME, length = 15
May 7 22:46:05.826 UTC: ISAKMP:(0):Attribute type CLIENT_PLATFORM_NAME, length = 10
May 7 22:46:05.826 UTC: ISAKMP:(0):Attribute type CLIENT_HARDWARE_SERIAL, length = 11
May 7 22:46:05.826 UTC: ISAKMP:(0):Attribute type CLIENT_MEMORY_SIZE, length = 9
May 7 22:46:05.826 UTC: ISAKMP:(0):Attribute type CLIENT_AVAILABLE_MEMORY, length = 8
May 7 22:46:05.826 UTC: ISAKMP:(0):Attribute type CLIENT_IMAGE_VERSION, length = 42
May 7 22:46:05.826 UTC: ISAKMP:(1258):deleting node 1010137477 error FALSE reason "Informational (in) state 1"
May 7 22:46:05.826 UTC: ISAKMP:(1258):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
May 7 22:46:05.826 UTC: ISAKMP:(1258):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
2811-EZVPN#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
202.78.8.22 222.165.6.20 QM_IDLE 1258 ACTIVE
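The server debug above records the 871W offering AES first and the 2811 rejecting it against `crypto isakmp policy 10` before accepting 3DES with DH group 2. The following Python helper is an added example, not part of the original post: it pulls the Phase 1 proposal verdicts and the IKE state path out of `debug crypto isakmp` text. The function names and the `WEAK` table of legacy parameters are this example's own assumptions.

```python
import re

# Excerpt copied from the 2811-EZVPN (server side) debug output above.
SAMPLE = """\
May 7 22:46:04.594 UTC: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
May 7 22:46:04.594 UTC: ISAKMP: encryption AES-CBC
May 7 22:46:04.594 UTC: ISAKMP: keylength of 128
May 7 22:46:04.594 UTC: ISAKMP: hash SHA
May 7 22:46:04.594 UTC: ISAKMP: default group 2
May 7 22:46:04.594 UTC: ISAKMP: auth XAUTHInitPreShared
May 7 22:46:04.594 UTC: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 7 22:46:04.594 UTC: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 7 22:46:04.602 UTC: ISAKMP:(0):Checking ISAKMP transform 13 against priority 10 policy
May 7 22:46:04.602 UTC: ISAKMP: encryption 3DES-CBC
May 7 22:46:04.602 UTC: ISAKMP: hash SHA
May 7 22:46:04.602 UTC: ISAKMP: default group 2
May 7 22:46:04.602 UTC: ISAKMP: auth XAUTHInitPreShared
May 7 22:46:04.602 UTC: ISAKMP:(0):atts are acceptable. Next payload is 3
May 7 22:46:04.654 UTC: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
May 7 22:46:04.662 UTC: ISAKMP:(1258):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
May 7 22:46:04.794 UTC: ISAKMP:(1258):Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE
May 7 22:46:04.798 UTC: ISAKMP:(1258):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT
May 7 22:46:04.886 UTC: ISAKMP:(1258):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
May 7 22:46:04.890 UTC: ISAKMP:(1258):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_SET_SENT
May 7 22:46:04.982 UTC: ISAKMP:(1258):Old State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE
May 7 22:46:04.982 UTC: ISAKMP:(1258):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
"""

CHECK = re.compile(r"ISAKMP:\(\d+\):Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|keylength of|hash|default group|auth)\s+(\S+)")
REASON = re.compile(r"ISAKMP:\(\d+\):(.+ does not match policy!)")
VERDICT = re.compile(r"ISAKMP:\(\d+\):atts are (not acceptable|acceptable)")
STATE = re.compile(r"Old State = (\S+)[ \t]+New State = (\S+)")

# Debug attribute label -> short key used in the parsed result.
KEYS = {"encryption": "encryption", "keylength of": "keylength",
        "hash": "hash", "default group": "group", "auth": "auth"}

# Assumption of this example: parameters treated as legacy when reviewing a policy.
WEAK = {"encryption": {"DES-CBC", "3DES-CBC"}, "hash": {"MD5"}, "group": {"1", "2", "5"}}


def parse_phase1_proposals(text):
    """Return one dict per 'Checking ISAKMP transform' block found in the debug."""
    proposals, cur = [], None
    for line in text.splitlines():
        m = CHECK.search(line)
        if m:
            cur = {"transform": int(m.group(1)), "priority": int(m.group(2)),
                   "attrs": {}, "accepted": None, "reason": None}
            proposals.append(cur)
            continue
        if cur is None:
            continue  # ignore Phase 2 and other lines outside a proposal block
        m = ATTR.search(line)
        if m:
            cur["attrs"][KEYS[m.group(1)]] = m.group(2)
            continue
        m = REASON.search(line)
        if m:
            cur["reason"] = m.group(1)
            continue
        m = VERDICT.search(line)
        if m:
            cur["accepted"] = m.group(1) == "acceptable"
            cur = None  # verdict closes the block; truncated blocks keep accepted=None
    return proposals


def state_path(text):
    """Ordered IKE states, with repeated self-transitions collapsed.

    The SA id changes from 0 to the real conn-id mid-exchange, so states are
    followed in log order rather than grouped by id.
    """
    path = []
    for old, new in STATE.findall(text):
        if not path:
            path.append(old)
        if new != path[-1]:
            path.append(new)
    return path


def weak_findings(proposal):
    """Attributes of a proposal that appear in the WEAK table."""
    return sorted(f"{k}={v}" for k, v in proposal["attrs"].items()
                  if v in WEAK.get(k, ()))


def summarize(text):
    props = parse_phase1_proposals(text)
    accepted = next((p for p in props if p["accepted"]), None)
    return {
        "offered": len(props),
        "rejected": [(p["transform"], p["reason"]) for p in props if p["accepted"] is False],
        "accepted": accepted,
        "weak": weak_findings(accepted) if accepted else [],
        "states": state_path(text),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE)
    print("rejected:", report["rejected"])
    print("accepted transform:", report["accepted"]["transform"], report["accepted"]["attrs"])
    print("legacy parameters in accepted proposal:", report["weak"])
    print(" -> ".join(report["states"]))
```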
2811-EZVPN(config)#username ezvpn password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) user password
2811-EZVPN(config)#username ezvpn password 0 ezvpn
2811-EZVPN(config)#crypto isakmp policy 10
2811-EZVPN(config-isakmp)#?
ISAKMP commands:
authentication Set authentication method for protection suite
default Set a command to its defaults
encryption Set encryption algorithm for protection suite
exit Exit from ISAKMP protection suite configuration mode
group Set the Diffie-Hellman group
hash Set hash algorithm for protection suite
lifetime Set lifetime for ISAKMP security association
no Negate a command or set its defaults
2811-EZVPN(config-isakmp)#encryption ?
3des Three key triple DES
aes AES - Advanced Encryption Standard.
des DES - Data Encryption Standard (56 bit keys).
2811-EZVPN(config-isakmp)#encryption 3des
2811-EZVPN(config-isakmp)#hash ?
md5 Message Digest 5
sha Secure Hash Standard
2811-EZVPN(config-isakmp)#hash sha
2811-EZVPN(config-isakmp)#authentication ?
pre-share Pre-Shared Key
rsa-encr Rivest-Shamir-Adleman Encryption
rsa-sig Rivest-Shamir-Adleman Signature
2811-EZVPN(config-isakmp)#authentication pre-share
2811-EZVPN(config-isakmp)#group ?
1 Diffie-Hellman group 1 (768 bit)
14 Diffie-Hellman group 14 (2048 bit)
15 Diffie-Hellman group 15 (3072 bit)
16 Diffie-Hellman group 16 (4096 bit)
2 Diffie-Hellman group 2 (1024 bit)
5 Diffie-Hellman group 5 (1536 bit)
2811-EZVPN(config-isakmp)#group 2
2811-EZVPN(config)#crypto isakmp ?
aggressive-mode Disable ISAKMP aggressive mode
client Set client configuration policy
default ISAKMP default policy
enable Enable ISAKMP
fragmentation IKE Fragmentation enabled if required
identity Set the identity which ISAKMP will use
invalid-spi-recovery Initiate IKE and send Invalid SPI Notify
keepalive Set a keepalive interval for use with IOS peers
key Set pre-shared key for remote peer
nat Set a nat keepalive interval for use with IOS peers
peer Set Peer Policy
policy Set policy for an ISAKMP protection suite
profile Define ISAKMP Profiles
xauth Set Extended Authentication values
2811-EZVPN(config)#crypto isakmp client ?
configuration Set client configuration policy
firewall Define client firewall
2811-EZVPN(config)#crypto isakmp client configuration ?
address-pool Set network address for client
browser-proxy Set browser proxy attributes for client
group Set group profile attributes for client
2811-EZVPN(config)#crypto isakmp client configuration group ?
WORD group name
2811-EZVPN(config)#crypto isakmp client configuration group EZVPN_GRP
2811-EZVPN(config-isakmp-group)#?
ISAKMP group policy config commands:
access-restrict Restrict clients in this group to an interface
acl Specify split tunneling inclusion access-list number
auto-update Configure auto-upgrade
backup-gateway Specify backup gateway
banner Specify mode config banner
browser-proxy Configure browser-proxy
configuration Push configuration to the client
crypto Client group crypto aaa attribute list
dhcp Configure DHCP parameters
dns Specify DNS Addresses
domain Set default domain name to send to client
exit Exit from ISAKMP client group policy configuration mode
firewall Enforce group firewall feature
group-lock Enforce group lock feature
include-local-lan Enable Local LAN Access with no split tunnel
key pre-shared key/IKE password
max-logins Set maximum simultaneous logins for users in this group
max-users Set maximum number of users for this group
netmask netmask used by the client for local connectivity
no Negate a command or set its defaults
pfs The client should propose PFS
pool Set name of address pool
save-password Allows remote client to save XAUTH password
smartcard-removal-disconnect Enables smartcard-removal-disconnect
split-dns DNS name to append for resolution
wins Specify WINS Addresses
2811-EZVPN(config-isakmp-group)#key ?
0 Specifies an UNENCRYPTED password will follow
6 Specifies an ENCRYPTED password will follow
WORD The UNENCRYPTED (cleartext) user password
2811-EZVPN(config-isakmp-group)#key ezvpn
2811-EZVPN(config-isakmp-group)#save-password
2811-EZVPN(config)#crypto ipsec transform-set ?
WORD Transform set tag
2811-EZVPN(config)#crypto ipsec transform-set EZVPN-TS ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
2811-EZVPN(config)#crypto ipsec transform-set EZVPN-TS esp-3des ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-sha-hmac ESP transform using HMAC-SHA auth
<cr>
2811-EZVPN(config)#crypto ipsec transform-set EZVPN-TS esp-3des esp-sha-hmac
2811-EZVPN(config)#crypto dynamic-map ?
WORD Dynamic crypto map template tag
2811-EZVPN(config)#crypto dynamic-map EZVPN_DMAP 10
2811-EZVPN(config-crypto-map)#set ?
identity Identity restriction.
ip Interface Internet Protocol config commands
isakmp-profile Specify isakmp Profile
nat Set NAT translation
peer Allowed Encryption/Decryption peer.
pfs Specify pfs settings
reverse-route Reverse Route Injection.
security-association Security association parameters
transform-set Specify list of transform sets in priority order
2811-EZVPN(config-crypto-map)#?
Crypto Map configuration commands:
default Set a command to its defaults
description Description of the crypto map statement policy
dialer Dialer related commands
exit Exit from crypto map configuration mode
match Match values.
no Negate a command or set its defaults
qos Quality of Service related commands
reverse-route Reverse Route Injection.
set Set values for encryption/decryption
2811-EZVPN(config-crypto-map)#set ?
identity Identity restriction.
ip Interface Internet Protocol config commands
isakmp-profile Specify isakmp Profile
nat Set NAT translation
peer Allowed Encryption/Decryption peer.
pfs Specify pfs settings
reverse-route Reverse Route Injection.
security-association Security association parameters
transform-set Specify list of transform sets in priority order
2811-EZVPN(config-crypto-map)#set transform-set ?
WORD Proposal tag
2811-EZVPN(config-crypto-map)#set transform-set EZVPN-TS
2811-EZVPN(config)#crypto map ?
WORD Crypto map tag
2811-EZVPN(config)#crypto map EZVPN_CMAP ?
<1-65535> Sequence to insert into crypto map entry
client Specify client configuration settings
gdoi Configure crypto map gdoi features
isakmp Specify isakmp configuration settings
isakmp-profile Specify isakmp profile to use
local-address Interface to use for local address for this crypto map
redundancy High availability options for this map
2811-EZVPN(config)#crypto map EZVPN_CMAP client ?
accounting Accounting parameters.
authentication Use Extended Authentication
configuration Specify client configuration settings
2811-EZVPN(config)#crypto map EZVPN_CMAP client authentication ?
list AAA authentication list to use
2811-EZVPN(config)#crypto map EZVPN_CMAP client authentication X-AUTH
2811-EZVPN(config)#crypto map EZVPN_CMAP isakmp ?
authorization Authorization parameters.
2811-EZVPN(config)#crypto map EZVPN_CMAP isakmp authorization ?
list AAA authorization list to use
2811-EZVPN(config)#crypto map EZVPN_CMAP isakmp authorization list ?
WORD Named authorization list.
2811-EZVPN1(config)#crypto map EZVPN_CMAP isakmp authorization list EZVPN_AUTHORIZATION
SIN1-EZVPN01(config)#crypto map EZVPN_CMAP ?
<1-65535> Sequence to insert into crypto map entry
client Specify client configuration settings
gdoi Configure crypto map gdoi features
isakmp Specify isakmp configuration settings
isakmp-profile Specify isakmp profile to use
local-address Interface to use for local address for this crypto map
redundancy High availability options for this map
2811-EZVPN(config)#crypto map EZVPN_CMAP 10 ?
gdoi GDOI
ipsec-isakmp IPSEC w/ISAKMP
ipsec-manual IPSEC w/manual keying
<cr>
2811-EZVPN(config)#crypto map EZVPN_CMAP 10 ipsec-isakmp ?
dynamic Enable dynamic crypto map support
profile Enable crypto map as a crypto-profile
<cr>
2811-EZVPN(config)#crypto map EZVPN_CMAP 10 ipsec-isakmp dynamic ?
WORD Name of dynamic-map template
2811-EZVPN(config)#crypto map EZVPN_CMAP 10 ipsec-isakmp dynamic EZVPN_DMAP
2811-EZVPN(config)#interface f0/1
2811-EZVPN(config-if)#crypto ?
ipsec Set IPSec parameters
map Assign a Crypto Map
2811-EZVPN(config-if)#crypto map ?
WORD Crypto Map tag
<cr>
2811-EZVPN(config-if)#crypto map EZVPN_CMAP
----
871W#ping 202.78.8.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.78.8.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/80/84 ms
871W#show run interface f4
Building configuration...
Current configuration : 252 bytes
!
interface FastEthernet4
description To Cable Modem
ip dhcp client client-id hex 002699C6DB2E
ip dhcp client hostname 871W
ip address dhcp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
end
871W#show ip interface brief
Interface IP-Address OK? Method Status Protocol
BVI1 192.168.1.1 YES NVRAM up up
Dot11Radio0 unassigned YES NVRAM up up
FastEthernet0 unassigned YES unset up down
FastEthernet1 unassigned YES unset administratively down down
FastEthernet2 unassigned YES unset administratively down down
FastEthernet3 unassigned YES unset administratively down down
FastEthernet4 222.165.6.20 YES DHCP up up
Group-Async4 unassigned YES NVRAM down down
NVI0 unassigned YES unset administratively down down
Vlan1 unassigned YES NVRAM up down
871W(config)#crypto ipsec ?
client Configure a client
df-bit Handling of encapsulated DF bit.
fragmentation Handling of fragmentation of near-MTU sized packets
nat-transparency IPsec NAT transparency model
optional Enable optional encryption for IPSec
profile Configure an ipsec policy profile
security-association Security association parameters
transform-set Define transform and settings
871W(config)#crypto ipsec client ?
ezvpn Configure an EzVPN client
871W(config)#crypto ipsec client
871W(config)#crypto ipsec client ezvpn ?
WORD crypto-ezvpn name
871W(config)#crypto ipsec client ezvpn EZVPN_CLIENT
871W(config-crypto-ezvpn)#connect auto
871W(config-crypto-ezvpn)#group ?
WORD Group Name
871W(config-crypto-ezvpn)#group EZVPN_GRP key ?
0 Specifies an UNENCRYPTED password will follow
6 Specifies an ENCRYPTED password will follow
WORD The UNENCRYPTED (cleartext) user password
871W(config-crypto-ezvpn)#group EZVPN_GRP key ezvpn
871W(config-crypto-ezvpn)#mode network-extension
871W(config-crypto-ezvpn)#peer 202.78.8.22 // ENSURE A STATIC ROUTE IS CONFIGURED TO REACH THE EZVPN SERVER
871W(config-crypto-ezvpn)#username ?
WORD User Name
871W(config-crypto-ezvpn)#username ezvpn ?
password Password
871W(config-crypto-ezvpn)#username ezvpn password ezvpn
871W(config-crypto-ezvpn)#xauth userid ?
mode The source of user credential collection
871W(config-crypto-ezvpn)#xauth userid m
871W(config-crypto-ezvpn)#xauth userid mode ?
http-intercept Intercept user's HTTP requests to prompt
interactive Prompt the user on the console
local Use locally saved username and password
871W(config-crypto-ezvpn)#xauth userid mode local
871W(config-if)#crypto ipsec ?
client Client
df-bit Handling of encapsulated DF bit.
fragmentation Handling of fragmentation of near-MTU sized packets
871W(config-if)#crypto ipsec client ?
ezvpn Assign an EzVPN configuration
871W(config-if)#crypto ipsec client ezvpn ?
WORD Crypto EzVPN name
871W(config-if)#crypto ipsec client ezvpn EZVPN_CLIENT ?
inside inside
outside outside
<cr>
871W(config-if)#crypto ipsec client ezvpn ?
WORD Crypto EzVPN name
871W(config-if)#crypto ipsec client ezvpn EZVPN_CLIENT inside
871W(config-if)#interface f4
871W(config-if)#
*May 20 05:12:38.312 SGT: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*May 20 05:12:40.388 SGT: EZVPN(EZVPN_CLIENT) Server does not allow save password option, enter your username and password manually
*May 20 05:12:40.388 SGT: EZVPN(EZVPN_CLIENT): *** Logic Error ***
*May 20 05:12:40.388 SGT: EZVPN(EZVPN_CLIENT): Current State: READY
*May 20 05:12:40.388 SGT: EZVPN(EZVPN_CLIENT): Event: MODE_CONFIG_REPLY
*May 20 05:12:40.388 SGT: EZVPN(EZVPN_CLIENT): Resetting the EZVPN state machine to recover
*May 20 05:12:40.388 SGT: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=EZVPN_GRP Client_public_addr=222.165.6.20 Server_public_addr=202.78.8.22
*May 20 05:12:41.996 SGT: EZVPN(EZVPN_CLIENT) Server does not allow save password option,enter your username and password manually
871W#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 6
Tunnel name : EZVPN_CLIENT
Inside interface list: BVI1
Outside interface: FastEthernet4
Current State: CONNECT_REQUIRED
Last Event: CONNECT
Save Password: Disallowed
Current EzVPN Peer: 202.78.8.22
871W# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
202.78.8.22 222.165.6.20 MM_NO_STATE 2062 0 ACTIVE (deleted)
I wasn't able to establish a successful IPsec VPN tunnel with the EZVPN server right away. I got an error on the EZVPN client router which said "Server does not allow save password", although I thought I had configured the EZVPN server to save its password. After adding the configuration line below on the EZVPN server, everything seemed to work.
2811-EZVPN(config)#crypto map EZVPN_CMAP client ?
accounting Accounting parameters.
authentication Use Extended Authentication
configuration Specify client configuration settings
2811-EZVPN(config)#crypto map EZVPN_CMAP client configuration ?
address Specify client network address configuration
2811-EZVPN(config)#crypto map EZVPN_CMAP client configuration address ?
initiate Push the network address to the client
respond Respond to network address requests from the client
2811-EZVPN(config)#crypto map EZVPN_CMAP client configuration address respond
871W#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 6
Tunnel name : EZVPN_CLIENT
Inside interface list: BVI1
Outside interface: FastEthernet4
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Allowed
Current EzVPN Peer: 202.78.8.22
871W#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
202.78.8.22 222.165.6.20 QM_IDLE 2256 0 ACTIVE
Here's the debug output from both VPN nodes.
871W#debug crypto isakmp sa
Crypto ISAKMP debugging is on
871W#debug crypto ipsec
Crypto IPSEC debugging is on
871W#clear crypto isakmp
871W#
*May 20 05:23:27.815 SGT: del_node src 222.165.6.20:500 dst 202.78.8.22:500 fvrf 0x0, ivrf 0x0
*May 20 05:23:27.815 SGT: ISAKMP:(2256):peer does not do paranoid keepalives.
*May 20 05:23:27.815 SGT: ISAKMP:(2256):deleting SA reason "Death by tree-walk" state (I) QM_IDLE (peer 202.78.8.22)
*May 20 05:23:27.819 SGT: ISAKMP: set new node -451076264 to QM_IDLE
*May 20 05:23:27.819 SGT: ISAKMP:(2256): sending packet to 202.78.8.22 my_port 500 peer_port 500 (I) QM_IDLE
*May 20 05:23:27.819 SGT: ISAKMP:(2256):Sending an IKE IPv4 Packet.
*May 20 05:23:27.819 SGT: ISAKMP:(2256):purging node -451076264
*May 20 05:23:27.819 SGT: ISAKMP:(2256):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*May 20 05:23:27.819 SGT: ISAKMP:(2256):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*May 20 05:23:27.819 SGT: ISAKMP:(2256):deleting SA reason "Death by tree-walk" state (I) QM_IDLE (peer 202.78.8.22)
*May 20 05:23:27.823 SGT: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
*May 20 05:23:27.823 SGT: ISAKMP: Unlocking peer struĆ£arkr isadb_m_sa_deleted(), count 0
*May 20 05:23:27.823 SGT: ISAKMP:(2256):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 20 05:23:27.823 SGT: ISAKMP:(2256):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*May 20 05:23:27.823 SGT: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User=ezvpn Group=EZVPN_GRP Client_public_addr=222.165.6.20 Server_public_addr=202.78.8.22
*May 20 05:23:27.827 SGT: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 222.165.6.20, sa_proto= 50,
sa_spi= 0xDAA24285(3668066949),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 1,
(identity) local= 222.165.6.20, remote= 202.78.8.22,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*May 20 05:23:27.827 SGT: IPSEC(update_current_outbound_sa): updated peer 202.78.8.22 current outbound sa to SPI 0
*May 20 05:23:27.827 SGT: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 202.78.8.22, sa_proto= 50,
sa_spi= 0x7393F327(1939075879),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2,
(identity) local= 222.165.6.20, remote= 202.78.8.22,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*May 20 05:23:27.831 SGT: ISAKMP: Deleting peer node by peer_reap for 202.78.8.22: 829FF504
*May 20 05:23:27.831 SGT: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 222.165.6.20 dst 202.78.8.22 for SPI 0xDAA24285
*May 20 05:23:27.831 SGT: ISAKMP:(2256):peer does not do paranoid keepalives.
*May 20 05:23:27.831 SGT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*May 20 05:23:27.911 SGT: ISAKMP (0:2256): received packet from 202.78.8.22 dport 500 sport 500 Global (I) MM_NO_STATE
*May 20 05:23:28.935 SGT: del_node src 222.165.6.20:500 dst 202.78.8.22:500 fvrf 0x0, ivrf 0x0
*May 20 05:23:28.935 SGT: ISAKMP:(2256):peer does not do paranoid keepalives.
*May 20 05:23:28.935 SGT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*May 20 05:23:28.935 SGT: ISAKMP:(0): SA request profile is (NULL)
*May 20 05:23:28.935 SGT: ISAKMP: Created a peer struct for 202.78.8.22, peer port 500
*May 20 05:23:28.935 SGT: ISAKMP: New peer created peer = 0x829FF504 peer_handle = 0x80000102
*May 20 05:23:28.935 SGT: ISAKMP: Locking peer struct 0x829FF504, refcount 1 for isakmp_initiator
*May 20 05:23:28.935 SGT: ISAKMP:(0):Setting client config settings 828F9B80
*May 20 05:23:28.935 SGT: ISAKMP: local port 500, remote port 500
*May 20 05:23:28.935 SGT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 83C9EE00
*May 20 05:23:28.935 SGT: ISAKMP:(0): client mode configured.
*May 20 05:23:28.939 SGT: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*May 20 05:23:28.939 SGT: ISAKMP:(0): constructed NAT-T vendor-07 ID
*May 20 05:23:28.939 SGT: ISAKMP:(0): constructed NAT-T vendor-03 ID
*May 20 05:23:28.939 SGT: ISAKMP:(0): constructed NAT-T vendor-02 ID
*May 20 05:23:28.939 SGT: ISKAMP: growing send buffer from 1024 to 3072
*May 20 05:23:28.939 SGT: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID
*May 20 05:23:28.939 SGT: ISAKMP (0:0): ID payload
next-payload : 13
type : 11
group id : EZVPN_GRP
protocol : 17
port : 0
length : 17
*May 20 05:23:28.939 SGT: ISAKMP:(0):Total payload length: 17
*May 20 05:23:28.939 SGT: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
*May 20 05:23:28.939 SGT: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_AM1
*May 20 05:23:28.939 SGT: ISAKMP:(0): beginning Aggressive Mode exchange
*May 20 05:23:28.939 SGT: ISAKMP:(0): sending packet to 202.78.8.22 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*May 20 05:23:28.939 SGT: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 20 05:23:29.075 SGT: ISAKMP (0:0): received packet from 202.78.8.22 dport 500 sport 500 Global (I) AG_INIT_EXCH
*May 20 05:23:29.075 SGT: ISAKMP:(0): processing SA payload. message ID = 0
*May 20 05:23:29.075 SGT: ISAKMP:(0): processing ID payload. message ID = 0
*May 20 05:23:29.079 SGT: ISAKMP (0:0): ID payload
next-payload : 10
type : 1
address : 202.78.8.22
protocol : 0
port : 0
length : 12
*May 20 05:23:29.079 SGT: ISAKMP:(0):: peer matches *none* of the profiles
*May 20 05:23:29.079 SGT: ISAKMP:(0): processing vendor id payload
*May 20 05:23:29.079 SGT: ISAKMP:(0): vendor ID is Unity
*May 20 05:23:29.079 SGT: ISAKMP:(0): processing vendor id payload
*May 20 05:23:29.079 SGT: ISAKMP:(0): vendor ID is DPD
*May 20 05:23:29.079 SGT: ISAKMP:(0): processing vendor id payload
*May 20 05:23:29.079 SGT: ISAKMP:(0): speaking to another IOS box!
*May 20 05:23:29.079 SGT: ISAKMP:(0): local preshared key found
*May 20 05:23:29.079 SGT: ISAKMP : Scanning profiles for xauth ...
*May 20 05:23:29.079 SGT: ISAKMP:(0): Authentication by xauth preshared
*May 20 05:23:29.079 SGT: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65515 policy
*May 20 05:23:29.079 SGT: ISAKMP: encryption 3DES-CBC
*May 20 05:23:29.079 SGT: ISAKMP: hash SHA
*May 20 05:23:29.079 SGT: ISAKMP: default group 2
*May 20 05:23:29.079 SGT: ISAKMP: auth XAUTHInitPreShared
*May 20 05:23:29.079 SGT: ISAKMP: life type in seconds
*May 20 05:23:29.079 SGT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*May 20 05:23:29.079 SGT: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 20 05:23:29.079 SGT: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 20 05:23:29.079 SGT: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65516 policy
*May 20 05:23:29.079 SGT: ISAKMP: encryption 3DES-CBC
*May 20 05:23:29.079 SGT: ISAKMP: hash SHA
*May 20 05:23:29.079 SGT: ISAKMP: default group 2
*May 20 05:23:29.079 SGT: ISAKMP: auth XAUTHInitPreShared
*May 20 05:23:29.083 SGT: ISAKMP: life type in seconds
*May 20 05:23:29.083 SGT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*May 20 05:23:29.083 SGT: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 20 05:23:29.083 SGT: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 20 05:23:29.083 SGT: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65517 policy
*May 20 05:23:29.083 SGT: ISAKMP: encryption 3DES-CBC
*May 20 05:23:29.083 SGT: ISAKMP: hash SHA
*May 20 05:23:29.083 SGT: ISAKMP: default group 2
*May 20 05:23:29.083 SGT: ISAKMP: auth XAUTHInitPreShared
*May 20 05:23:29.083 SGT: ISAKMP: life type in seconds
*May 20 05:23:29.083 SGT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*May 20 05:23:29.083 SGT: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 20 05:23:29.083 SGT: ISAKMP:(0):atts are not acceptable. Next payload is 0
<OUTPUT TRUNCATED>
*May 20 05:23:29.091 SGT: ISAKMP: encryption 3DES-CBC
*May 20 05:23:29.091 SGT: ISAKMP: hash SHA
*May 20 05:23:29.091 SGT: ISAKMP: default group 2
*May 20 05:23:29.091 SGT: ISAKMP: auth XAUTHInitPreShared
*May 20 05:23:29.091 SGT: ISAKMP: life type in seconds
*May 20 05:23:29.091 SGT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*May 20 05:23:29.091 SGT: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 20 05:23:29.091 SGT: ISAKMP:(0):Acceptable atts:actual life: 2147483
*May 20 05:23:29.091 SGT: ISAKMP:(0):Acceptable atts:life: 0
*May 20 05:23:29.095 SGT: ISAKMP:(0):Fill atts in sa vpi_length:4
*May 20 05:23:29.095 SGT: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
*May 20 05:23:29.095 SGT: ISAKMP:(0):Returning Actual lifetime: 2147483
*May 20 05:23:29.095 SGT: ISAKMP:(0)::Started lifetime timer: 2147483.
*May 20 05:23:29.095 SGT: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*May 20 05:23:29.095 SGT: ISAKMP:(0): processing KE payload. message ID = 0
*May 20 05:23:29.143 SGT: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 20 05:23:29.143 SGT: ISAKMP:(2257): processing HASH payload. message ID = 0
*May 20 05:23:29.143 SGT: ISAKMP:received payload type 20
*May 20 05:23:29.143 SGT: ISAKMP:received payload type 20
*May 20 05:23:29.147 SGT: ISAKMP:(2257):SA authentication status:
authenticated
*May 20 05:23:29.147 SGT: ISAKMP:(2257):SA has been authenticated with 202.78.8.22
*May 20 05:23:29.147 SGT: ISAKMP: Trying to insert a peer 222.165.6.20/202.78.8.22/500/, and inserted successfully 829FF504.
*May 20 05:23:29.147 SGT: ISAKMP:(2257):Send initial contact
*May 20 05:23:29.147 SGT: ISAKMP:(2257): sending packet to 202.78.8.22 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*May 20 05:23:29.147 SGT: ISAKMP:(2257):Sending an IKE IPv4 Packet.
*May 20 05:23:29.147 SGT: ISAKMP:(2257):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*May 20 05:23:29.147 SGT: ISAKMP:(2257):Old State = IKE_I_AM1 New State = IKE_P1_COMPLETE
*May 20 05:23:29.151 SGT: ISAKMP:(2257):Need XAUTH
*May 20 05:23:29.151 SGT: ISAKMP:(2257):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*May 20 05:23:29.151 SGT: ISAKMP:(2257):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*May 20 05:23:29.239 SGT: ISAKMP (0:2257): received packet from 202.78.8.22 dport 500 sport 500 Global (I) CONF_XAUTH
*May 20 05:23:29.239 SGT: ISAKMP: set new node -1146939845 to CONF_XAUTH
*May 20 05:23:29.239 SGT: ISAKMP:(2257): processing HASH payload. message ID = -1146939845
*May 20 05:23:29.243 SGT: ISAKMP:(2257): processing NOTIFY RESPONDER_LIFETIME protocol 1 spi 0, message ID = -1146939845, sa = 83C9EE00
*May 20 05:23:29.243 SGT: ISAKMP:(2257):SA authentication status: authenticated
*May 20 05:23:29.243 SGT: ISAKMP:(2257): processing responder lifetime
*May 20 05:23:29.243 SGT: ISAKMP:(2257): start processing isakmp responder lifetime
*May 20 05:23:29.243 SGT: ISAKMP:(2257):Returning Actual lifetime: 2147483
*May 20 05:23:29.243 SGT: ISAKMP:(2257): restart ike sa timer to 86400 secs
*May 20 05:23:29.243 SGT: ISAKMP:(2257):Started lifetime timer: 0.
*May 20 05:23:29.243 SGT: ISAKMP:(2257):deleting node -1146939845 error FALSE reason "Informational (in) state 1"
*May 20 05:23:29.243 SGT: ISAKMP:(2257):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 20 05:23:29.243 SGT: ISAKMP:(2257):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*May 20 05:23:29.243 SGT: ISAKMP (0:2257): received packet from 202.78.8.22 dport 500 sport 500 Global (I) CONF_XAUTH
*May 20 05:23:29.243 SGT: ISAKMP: set new node 752671264 to CONF_XAUTH
*May 20 05:23:29.247 SGT: ISAKMP:(2257):processing transaction payload from 202.78.8.22. message ID = 752671264
*May 20 05:23:29.247 SGT: ISAKMP: Config payload REQUEST
*May 20 05:23:29.247 SGT: ISAKMP:(2257):checking request:
*May 20 05:23:29.247 SGT: ISAKMP: XAUTH_USER_NAME_V2
*May 20 05:23:29.247 SGT: ISAKMP: XAUTH_USER_PASSWORD_V2
*May 20 05:23:29.247 SGT: ISAKMP:(2257):Xauth process request
*May 20 05:23:29.247 SGT: ISAKMP:(2257):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*May 20 05:23:29.247 SGT: ISAKMP:(2257):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REPLY_AWAIT
*May 20 05:23:29.247 SGT: username: ezvpn
*May 20 05:23:29.247 SGT: password: <ezpn>
*May 20 05:23:29.247 SGT: ISAKMP:(2257): responding to peer config from 202.78.8.22. ID = 752671264
*May 20 05:23:29.247 SGT: ISAKMP: Marking node 752671264 for late deletion
*May 20 05:23:29.251 SGT: ISAKMP:(2257): sending packet to 202.78.8.22 my_port 500 peer_port 500 (I) CONF_XAUTH
*May 20 05:23:29.251 SGT: ISAKMP:(2257):Sending an IKE IPv4 Packet.
*May 20 05:23:29.251 SGT: ISAKMP:(2257):Input = IKE_MESG_INTERNAL, IKE_XAUTH_REPLY_ATTR
*May 20 05:23:29.251 SGT: ISAKMP:(2257):Old State = IKE_XAUTH_REPLY_AWAIT New State = IKE_XAUTH_REPLY_SENT
*May 20 05:23:29.335 SGT: ISAKMP (0:2257): received packet from 202.78.8.22 dport 500 sport 500 Global (I) CONF_XAUTH
*May 20 05:23:29.335 SGT: ISAKMP: set new node -1569794741 to CONF_XAUTH
*May 20 05:23:29.335 SGT: ISAKMP:(2257):processing transaction payload from 202.78.8.22. message ID = -1569794741
*May 20 05:23:29.339 SGT: ISAKMP: Config payload SET
*May 20 05:23:29.339 SGT: ISAKMP:(2257):Xauth process set, status = 1
*May 20 05:23:29.339 SGT: ISAKMP:(2257):checking SET:
*May 20 05:23:29.339 SGT: ISAKMP: XAUTH_STATUS_V2 XAUTH-OK
*May 20 05:23:29.339 SGT: ISAKMP:(2257):attributes sent in message:
*May 20 05:23:29.339 SGT: Status: 1
*May 20 05:23:29.339 SGT: ISAKMP:(2257):deleting node 752671264 error FALSE reason "Done with xauth request/reply exchange"
*May 20 05:23:29.347 SGT: ISAKMP:(2257): sending packet to 202.78.8.22 my_port 500 peer_port 500 (I) CONF_XAUTH
*May 20 05:23:29.347 SGT: ISAKMP:(2257):Sending an IKE IPv4 Packet.
*May 20 05:23:29.347 SGT: ISAKMP:(2257):deleting node -1569794741 error FALSE reason "No Error"
*May 20 05:23:29.347 SGT: ISAKMP:(2257):Input = IKE_MESG_FROM_PEER, IKE_CFG_SET
*May 20 05:23:29.347 SGT: ISAKMP:(2257):Old State = IKE_XAUTH_REPLY_SENT New State = IKE_P1_COMPLETE
*May 20 05:23:29.351 SGT: ISAKMP:(2257):Need config/address
*May 20 05:23:29.351 SGT: ISAKMP: set new node 286147054 to CONF_ADDR
*May 20 05:23:29.351 SGT: ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(15)T10, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 14-Sep-09 23:35 by prod_rel_team
*May 20 05:23:29.351 SGT: ISAKMP:(2257): initiating peer config to 202.78.8.22. ID = 286147054
*May 20 05:23:29.351 SGT: ISAKMP:(2257): sending packet to 202.78.8.22 my_port 500 peer_port 500 (I) CONF_ADDR
*May 20 05:23:29.351 SGT: ISAKMP:(2257):Sending an IKE IPv4 Packet.
*May 20 05:23:29.351 SGT: ISAKMP:(2257):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*May 20 05:23:29.351 SGT: ISAKMP:(2257):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_MODE_REQ_SENT
*May 20 05:23:29.443 SGT: ISAKMP (0:2257): received packet from 202.78.8.22 dport 500 sport 500 Global (I) CONF_ADDR
*May 20 05:23:29.443 SGT: ISAKMP:(2257):processing transaction payload from 202.78.18.228. message ID = 286147054
*May 20 05:23:29.443 SGT: ISAKMP: Config payload REPLY
*May 20 05:23:29.443 SGT: ISAKMP(0:2257) process config reply
*May 20 05:23:29.443 SGT: ISAKMP:(2257):deleting node 286147054 error FALSE reason "Transaction mode done"
*May 20 05:23:29.443 SGT: ISAKMP:(2257):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
*May 20 05:23:29.443 SGT: ISAKMP:(2257):Old State = IKE_CONFIG_MODE_REQ_SENT New State = IKE_P1_COMPLETE
*May 20 05:23:29.451 SGT: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
*May 20 05:23:29.451 SGT: ISAKMP:(2257):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*May 20 05:23:29.451 SGT: ISAKMP:(2257):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*May 20 05:23:29.451 SGT: IPSEC(recalculate_mtu): reset sadb_root 834A48F8 mtu to 1500
*May 20 05:23:29.451 SGT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 222.165.6.20, remote= 202.78.8.22,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 2147483s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2000
<OUTPUT TRUNCATED>
*May 20 05:23:29.463 SGT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 222.165.6.20, remote= 202.78.8.22,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 2147483s and 4608000kb,
spi= 0x0(0), conn_id= 0, kall
Translating "uall"...domain server (202.156.1.16)eysize= 0, flags= 0x2000
*May 20 05:23:29.467 SGT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 222.165.6.20, remote= 202.78.8.22,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*May 20 05:23:29.475 SGT: ISAKMP:(2257):beginning Quick Mode exchange, M-ID of -1472151107
*May 20 05:23:29.483 SGT: ISAKMP:(2257):QM Initiator gets spi
*May 20 05:23:29.487 SGT: ISKAMP: growing send buf [OK]
Trying uall.lagura.com (69.172.201.208)... fer from 1024 to 3072
*May 20 05:23:29.491 SGT: ISAKMP:(2257): sending packet to 202.78.8.22 my_port 500 peer_port 500 (I) QM_IDLE
*May 20 05:23:29.491 SGT: ISAKMP:(2257):Sending an IKE IPv4 Packet.
*May 20 05:23:29.491 SGT: ISAKMP:(2257):Node -1472151107, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 20 05:23:29.491 SGT: ISAKMP:(2257):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*May 20 05:23:29.767 SGT: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=ezvpn Group=EZVPN_GRP Client_public_addr=222.165.6.20 Server_public_addr=202.78.8.22 NEM_Remote_Subnets=192.168.1.0/255.255.255.0
*May 20 05:23:30.515 SGT: ISAKMP: set new node -23251054 to QM_IDLE
*May 20 05:23:30.515 SGT: ISAKMP:(2257):Sending NOTIFY CLIENT_UPDATE protocol 1 spi 0, message ID = -23251054
*May 20 05:23:30.515 SGT: ISAKMP:(2257): sending packet to 202.78.8.22 my_port 500 peer_port 500 (I) QM_IDLE
871W#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
202.78.8.22 222.165.6.20 QM_IDLE 1258 ACTIVE
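The client debug above shows each offered ISAKMP transform being checked against a local policy until one is accepted. As an added example (not part of the original post), this Python script parses `debug crypto isakmp` text in that format, recovers the accepted proposal even where the "Checking ISAKMP transform" header was lost to truncation, and lists legacy parameters in what was negotiated. The sample lines are constructed, and the `LEGACY` table and function names are assumptions of this example.

```python
import re

# Constructed sample in the format of the 871W debug shown above (not a real capture).
SAMPLE_DEBUG = """\
*May 20 05:23:28.939 SGT: ISAKMP:(0): beginning Aggressive Mode exchange
*May 20 05:23:29.079 SGT: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65515 policy
*May 20 05:23:29.079 SGT: ISAKMP: encryption 3DES-CBC
*May 20 05:23:29.079 SGT: ISAKMP: hash SHA
*May 20 05:23:29.079 SGT: ISAKMP: default group 2
*May 20 05:23:29.079 SGT: ISAKMP: auth XAUTHInitPreShared
*May 20 05:23:29.079 SGT: ISAKMP: life type in seconds
*May 20 05:23:29.079 SGT: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 20 05:23:29.079 SGT: ISAKMP:(0):atts are not acceptable. Next payload is 0
<OUTPUT TRUNCATED>
*May 20 05:23:29.091 SGT: ISAKMP: encryption 3DES-CBC
*May 20 05:23:29.091 SGT: ISAKMP: hash SHA
*May 20 05:23:29.091 SGT: ISAKMP: default group 2
*May 20 05:23:29.091 SGT: ISAKMP: auth XAUTHInitPreShared
*May 20 05:23:29.091 SGT: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 20 05:23:29.247 SGT: username: ezvpn
*May 20 05:23:29.247 SGT: password: <redacted>
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|keylength of)\s+(\S+)")
VERDICT = re.compile(r"atts are (not )?acceptable")
REASON = re.compile(r"ISAKMP:\(\d+\):\s*(.*does not match policy!)")
MODE = re.compile(r"beginning (Aggressive|Main) Mode exchange")
SECRET = re.compile(r":\s+password:\s+\S")

# Assumption of this example: values treated as legacy for new deployments.
LEGACY = {"encryption": {"DES-CBC", "3DES-CBC"}, "hash": {"MD5"},
          "default group": {"1", "2", "5"}}


def new_check(transform=None, priority=None):
    return {"transform": transform, "priority": priority,
            "attrs": {}, "accepted": None, "reason": None}


def parse_negotiation(text):
    """Return {'mode', 'checks', 'secret_logged'} from 'debug crypto isakmp' text."""
    result = {"mode": None, "checks": [], "secret_logged": False}
    current = None
    for line in text.splitlines():
        if m := MODE.search(line):
            result["mode"] = m.group(1)
        if SECRET.search(line):
            result["secret_logged"] = True
        if m := CHECK.search(line):
            current = new_check(int(m.group(1)), int(m.group(2)))
            result["checks"].append(current)
        elif m := ATTR.search(line):
            if current is None or current["accepted"] is not None:
                # Attributes without a "Checking" header: the header was cut
                # (e.g. by <OUTPUT TRUNCATED>), so open an anonymous check.
                current = new_check()
                result["checks"].append(current)
            current["attrs"][m.group(1).replace(" of", "")] = m.group(2)
        elif (m := REASON.search(line)) and current is not None:
            current["reason"] = m.group(1)
        elif (m := VERDICT.search(line)) and current is not None:
            current["accepted"] = m.group(1) is None
    return result


def audit(result):
    """List findings for the accepted proposal and for the exchange as a whole."""
    findings = []
    accepted = [c for c in result["checks"] if c["accepted"]]
    if not accepted:
        findings.append("no proposal accepted: Phase 1 cannot complete")
    for check in accepted:
        for key, value in check["attrs"].items():
            if value in LEGACY.get(key, ()):
                findings.append(f"legacy {key}: {value}")
        if (result["mode"] == "Aggressive"
                and check["attrs"].get("auth", "").endswith("PreShared")):
            findings.append("Aggressive Mode with a pre-shared key")
    if result["secret_logged"]:
        findings.append("XAUTH password present in debug output")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_negotiation(SAMPLE_DEBUG)):
        print(finding)
```

Feed it a saved debug capture from either router; the per-check `reason` field shows why earlier policies were skipped before the match.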
2811-EZVPN#debug crypto isakmp
Crypto ISAKMP debugging is on
2811-EZVPN#debug crypto ipsec
Crypto IPSEC debugging is on
2811-EZVPN#
May 7 22:46:02.574 UTC: ISAKMP (1257): received packet from 222.165.6.20 dport 500 sport 500 Global (R) QM_IDLE
May 7 22:46:02.574 UTC: ISAKMP: set new node 451843303 to QM_IDLE
May 7 22:46:02.574 UTC: ISAKMP:(1257): processing HASH payload. message ID = 451843303
May 7 22:46:02.574 UTC: ISAKMP:received payload type 18
May 7 22:46:02.574 UTC: ISAKMP:(1257):Processing delete with reason payload
May 7 22:46:02.574 UTC: ISAKMP:(1257):delete doi = 1
May 7 22:46:02.574 UTC: ISAKMP:(1257):delete protocol id = 1
May 7 22:46:02.574 UTC: ISAKMP:(1257):delete spi_size = 16
May 7 22:46:02.574 UTC: ISAKMP:(1257):delete num spis = 1
May 7 22:46:02.574 UTC: ISAKMP:(1257):delete_reason = 8
May 7 22:46:02.574 UTC: ISAKMP:(1257): processing DELETE_WITH_REASON payload, message ID = 451843303, reason: Unknown delete reason!
May 7 22:46:02.574 UTC: ISAKMP:(1257):peer does not do paranoid keepalives.
May 7 22:46:02.574 UTC: ISAKMP:(1257):peer does not do paranoid keepalives.
May 7 22:46:02.574 UTC: ISAKMP:(1257):deleting SA reason "Death by tree-walk" state (R) QM_IDLE (peer 222.165.6.20)
May 7 22:46:02.574 UTC: ISAKMP:(1257):deleting node 451843303 error FALSE reason "Informational (in) state 1"
May 7 22:46:02.578 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May 7 22:46:02.578 UTC: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
May 7 22:46:02.578 UTC: IPSEC(key_engine_delete_sas): delete all SAs shared with peer 222.165.6.20
May 7 22:46:02.578 UTC: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 202.78.8.22, sa_proto= 50,
sa_spi= 0xDE86ACB(233335499),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2003
sa_lifetime(k/sec)= (4384309/3600),
(identity) local= 202.78.8.22, remote= 222.165.6.20,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
May 7 22:46:02.578 UTC: IPSEC(update_current_outbound_sa): updated peer 222.165.6.20 current outbound sa to SPI 0
May 7 22:46:02.578 UTC: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 222.165.6.20, sa_proto= 50,
sa_spi= 0x55D3CE9B(1439944347),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2004
sa_lifetime(k/sec)= (4384309/3600),
(identity) local= 202.78.8.22, remote= 222.165.6.20,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
May 7 22:46:02.582 UTC: ISAKMP: set new node -95419328 to QM_IDLE
May 7 22:46:02.582 UTC: ISAKMP:(1257): sending packet to 222.165.6.20 my_port 500 peer_port 500 (R) QM_IDLE
May 7 22:46:02.582 UTC: ISAKMP:(1257):Sending an IKE IPv4 Packet.
May 7 22:46:02.582 UTC: ISAKMP:(1257):purging node -95419328
May 7 22:46:02.582 UTC: ISAKMP:(1257):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 7 22:46:02.582 UTC: ISAKMP:(1257):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
May 7 22:46:02.586 UTC: ISAKMP:(1257):deleting SA reason "Death by tree-walk" state (R) QM_IDLE (peer 222.165.6.20)
May 7 22:46:02.586 UTC: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
May 7 22:46:02.586 UTC: ISAKMP: Unlocking peer struct 0x47BD3278 for isadb_mark_sa_deleted(), count 0
May 7 22:46:02.586 UTC: ISAKMP: Deleting peer node by peer_reap for 222.165.6.20: 47BD3278
May 7 22:46:02.586 UTC: ISAKMP:(1257):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 22:46:02.586 UTC: ISAKMP:(1257):Old State = IKE_DEST_SA New State = IKE_DEST_SA
May 7 22:46:02.586 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May 7 22:46:04.586 UTC: ISAKMP (0): received packet from 222.165.6.20 dport 500 sport 500 Global (N) NEW SA
May 7 22:46:04.590 UTC: ISAKMP: Created a peer struct for 222.165.6.20, peer port 500
May 7 22:46:04.590 UTC: ISAKMP: New peer created peer = 0x47BD3278 peer_handle = 0x80000103
May 7 22:46:04.590 UTC: ISAKMP: Locking peer struct 0x47BD3278, refcount 1 for crypto_isakmp_process_block
May 7 22:46:04.590 UTC: ISAKMP:(0):Setting client config settings 47BD2C70
May 7 22:46:04.590 UTC: ISAKMP:(0):(Re)Setting client xauth list and state
May 7 22:46:04.590 UTC: ISAKMP/xauth: initializing AAA request
May 7 22:46:04.590 UTC: ISAKMP: local port 500, remote port 500
May 7 22:46:04.590 UTC: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 47C66308
May 7 22:46:04.590 UTC: ISAKMP:(0): processing SA payload. message ID = 0
May 7 22:46:04.590 UTC: ISAKMP:(0): processing ID payload. message ID = 0
May 7 22:46:04.590 UTC: ISAKMP (0): ID payload
next-payload : 13
type : 11
group id : EZVPN_GRP
protocol : 17
port : 0
length : 17
May 7 22:46:04.590 UTC: ISAKMP:(0):: peer matches *none* of the profiles
May 7 22:46:04.590 UTC: ISAKMP:(0): processing vendor id payload
May 7 22:46:04.590 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
May 7 22:46:04.590 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947
May 7 22:46:04.590 UTC: ISAKMP:(0): processing vendor id payload
May 7 22:46:04.590 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
May 7 22:46:04.590 UTC: ISAKMP (0): vendor ID is NAT-T v7
May 7 22:46:04.590 UTC: ISAKMP:(0): processing vendor id payload
May 7 22:46:04.590 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
May 7 22:46:04.594 UTC: ISAKMP:(0): vendor ID is NAT-T v3
May 7 22:46:04.594 UTC: ISAKMP:(0): processing vendor id payload
May 7 22:46:04.594 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
May 7 22:46:04.594 UTC: ISAKMP:(0): vendor ID is NAT-T v2
May 7 22:46:04.594 UTC: ISAKMP:(0): Authentication by xauth preshared
May 7 22:46:04.594 UTC: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
May 7 22:46:04.594 UTC: ISAKMP: encryption AES-CBC
May 7 22:46:04.594 UTC: ISAKMP: keylength of 128
May 7 22:46:04.594 UTC: ISAKMP: hash SHA
May 7 22:46:04.594 UTC: ISAKMP: default group 2
May 7 22:46:04.594 UTC: ISAKMP: auth XAUTHInitPreShared
May 7 22:46:04.594 UTC: ISAKMP: life type in seconds
May 7 22:46:04.594 UTC: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
May 7 22:46:04.594 UTC: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 7 22:46:04.594 UTC: ISAKMP:(0):atts are not acceptable. Next payload is 3
<OUTPUT TRUNCATED>
May 7 22:46:04.602 UTC: ISAKMP:(0):Checking ISAKMP transform 13 against priority 10 policy
May 7 22:46:04.602 UTC: ISAKMP: encryption 3DES-CBC
May 7 22:46:04.602 UTC: ISAKMP: hash SHA
May 7 22:46:04.602 UTC: ISAKMP: default group 2
May 7 22:46:04.602 UTC: ISAKMP: auth XAUTHInitPreShared
May 7 22:46:04.602 UTC: ISAKMP: life type in seconds
May 7 22:46:04.602 UTC: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
May 7 22:46:04.602 UTC: ISAKMP:(0):atts are acceptable. Next payload is 3
May 7 22:46:04.602 UTC: ISAKMP:(0):Acceptable atts:actual life: 86400
May 7 22:46:04.602 UTC: ISAKMP:(0):Acceptable atts:life: 0
May 7 22:46:04.602 UTC: ISAKMP:(0):Fill atts in sa vpi_length:4
May 7 22:46:04.602 UTC: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
May 7 22:46:04.602 UTC: ISAKMP:(0):Returning Actual lifetime: 86400
May 7 22:46:04.602 UTC: ISAKMP:(0)::Started lifetime timer: 86400.
May 7 22:46:04.602 UTC: ISAKMP:(0): processing vendor id payload
May 7 22:46:04.602 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
May 7 22:46:04.606 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947
May 7 22:46:04.606 UTC: ISAKMP:(0): processing vendor id payload
May 7 22:46:04.606 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
May 7 22:46:04.606 UTC: ISAKMP (0): vendor ID is NAT-T v7
May 7 22:46:04.606 UTC: ISAKMP:(0): processing vendor id payload
May 7 22:46:04.606 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
May 7 22:46:04.606 UTC: ISAKMP:(0): vendor ID is NAT-T v3
May 7 22:46:04.606 UTC: ISAKMP:(0): processing vendor id payload
May 7 22:46:04.606 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
May 7 22:46:04.606 UTC: ISAKMP:(0): vendor ID is NAT-T v2
May 7 22:46:04.606 UTC: ISAKMP:(0): processing KE payload. message ID = 0
May 7 22:46:04.654 UTC: ISAKMP:(0): processing NONCE payload. message ID = 0
May 7 22:46:04.654 UTC: ISAKMP:(0): processing vendor id payload
May 7 22:46:04.654 UTC: ISAKMP:(0): vendor ID is DPD
May 7 22:46:04.654 UTC: ISAKMP:(0): processing vendor id payload
May 7 22:46:04.654 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 126 mismatch
May 7 22:46:04.654 UTC: ISAKMP:(0): vendor ID is XAUTH
May 7 22:46:04.654 UTC: ISAKMP:(0): processing vendor id payload
May 7 22:46:04.654 UTC: ISAKMP:(0): claimed IOS but failed authentication
May 7 22:46:04.654 UTC: ISAKMP:(0): processing vendor id payload
May 7 22:46:04.654 UTC: ISAKMP:(0): vendor ID is Unity
May 7 22:46:04.654 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
May 7 22:46:04.654 UTC: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
May 7 22:46:04.658 UTC: ISAKMP:(1258): constructed NAT-T vendor-rfc3947 ID
May 7 22:46:04.658 UTC: ISAKMP:(1258):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
May 7 22:46:04.658 UTC: ISAKMP (1258): ID payload
next-payload : 10
type : 1
address : 202.78.8.22
protocol : 0
port : 0
length : 12
May 7 22:46:04.658 UTC: ISAKMP:(1258):Total payload length: 12
May 7 22:46:04.658 UTC: ISAKMP:(1258): sending packet to 222.165.6.20 my_port 500 peer_port 500 (R) AG_INIT_EXCH
May 7 22:46:04.662 UTC: ISAKMP:(1258):Sending an IKE IPv4 Packet.
May 7 22:46:04.662 UTC: ISAKMP:(1258):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
May 7 22:46:04.662 UTC: ISAKMP:(1258):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
May 7 22:46:04.786 UTC: ISAKMP (1258): received packet from 222.165.6.20 dport 500 sport 500 Global (R) AG_INIT_EXCH
May 7 22:46:04.790 UTC: ISAKMP:(1258): processing HASH payload. message ID = 0
May 7 22:46:04.790 UTC: ISAKMP:received payload type 20
May 7 22:46:04.790 UTC: ISAKMP (1258): His hash no match - this node outside NAT
May 7 22:46:04.790 UTC: ISAKMP:received payload type 20
May 7 22:46:04.790 UTC: ISAKMP (1258): No NAT Found for self or peer
May 7 22:46:04.790 UTC: ISAKMP:(1258): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 47C66308
May 7 22:46:04.790 UTC: ISAKMP:(1258):SA authentication status: authenticated
May 7 22:46:04.790 UTC: ISAKMP:(1258):SA has been authenticated with 222.165.6.20
May 7 22:46:04.790 UTC: ISAKMP:(1258):SA authentication status: authenticated
May 7 22:46:04.790 UTC: ISAKMP:(1258): Process initial contact,
bring down existing phase 1 and 2 SA's with local 202.78.8.22 remote 222.165.6.20 remote port 500
May 7 22:46:04.790 UTC: ISAKMP:(1258):returning IP addr to the address pool
May 7 22:46:04.790 UTC: ISAKMP: Trying to insert a peer 202.78.8.22/222.165.6.20/500/, and inserted successfully 47BD3278.
May 7 22:46:04.790 UTC: ISAKMP:(1258):Returning Actual lifetime: 86400
May 7 22:46:04.794 UTC: ISAKMP: set new node 319690623 to CONF_XAUTH
May 7 22:46:04.794 UTC: ISAKMP:(1258):Sending NOTIFY RESPONDER_LIFETIME protocol 1 spi 1215728240, message ID = 319690623
May 7 22:46:04.794 UTC: ISAKMP:(1258): sending packet to 222.165.6.20 my_port 500 peer_port 500 (R) QM_IDLE
May 7 22:46:04.794 UTC: ISAKMP:(1258):Sending an IKE IPv4 Packet.
May 7 22:46:04.794 UTC: ISAKMP:(1258):purging node 319690623
May 7 22:46:04.794 UTC: ISAKMP: Sending phase 1 responder lifetime 86400
May 7 22:46:04.794 UTC: ISAKMP:(1258):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
May 7 22:46:04.794 UTC: ISAKMP:(1258):Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE
May 7 22:46:04.794 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May 7 22:46:04.798 UTC: ISAKMP:(1258):Need XAUTH
May 7 22:46:04.798 UTC: ISAKMP: set new node -980807588 to CONF_XAUTH
May 7 22:46:04.798 UTC: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
May 7 22:46:04.798 UTC: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
May 7 22:46:04.798 UTC: ISAKMP:(1258): initiating peer config to 222.165.6.20. ID = -980807588
May 7 22:46:04.798 UTC: ISAKMP:(1258): sending packet to 222.165.6.20 my_port 500 peer_port 500 (R) CONF_XAUTH
May 7 22:46:04.798 UTC: ISAKMP:(1258):Sending an IKE IPv4 Packet.
May 7 22:46:04.798 UTC: ISAKMP:(1258):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 7 22:46:04.798 UTC: ISAKMP:(1258):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT
May 7 22:46:04.886 UTC: ISAKMP (1258): received packet from 222.165.6.20 dport 500 sport 500 Global (R) CONF_XAUTH
May 7 22:46:04.886 UTC: ISAKMP:(1258):processing transaction payload from 222.165.6.20. message ID = -980807588
May 7 22:46:04.886 UTC: ISAKMP: Config payload REPLY
May 7 22:46:04.886 UTC: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
May 7 22:46:04.886 UTC: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
May 7 22:46:04.886 UTC: ISAKMP:(1258):deleting node -980807588 error FALSE reason "Done with xauth request/reply exchange"
May 7 22:46:04.886 UTC: ISAKMP:(1258):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
May 7 22:46:04.886 UTC: ISAKMP:(1258):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
May 7 22:46:04.890 UTC: ISAKMP: set new node 1760571115 to CONF_XAUTH
May 7 22:46:04.890 UTC: ISAKMP:(1258): initiating peer config to 222.165.6.20. ID = 1760571115
May 7 22:46:04.890 UTC: ISAKMP:(1258): sending packet to 222.165.6.20 my_port 500 peer_port 500 (R) CONF_XAUTH
May 7 22:46:04.890 UTC: ISAKMP:(1258):Sending an IKE IPv4 Packet.
May 7 22:46:04.890 UTC: ISAKMP:(1258):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
May 7 22:46:04.890 UTC: ISAKMP:(1258):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_SET_SENT
May 7 22:46:04.978 UTC: ISAKMP (1258): received packet from 222.165.6.20 dport 500 sport 500 Global (R) CONF_XAUTH
May 7 22:46:04.978 UTC: ISAKMP:(1258):processing transaction payload from 222.165.6.20. message ID = 1760571115
May 7 22:46:04.978 UTC: ISAKMP: Config payload ACK
May 7 22:46:04.978 UTC: ISAKMP:(1258): XAUTH ACK Processed
May 7 22:46:04.982 UTC: ISAKMP:(1258):deleting node 1760571115 error FALSE reason "Transaction mode done"
May 7 22:46:04.982 UTC: ISAKMP:(1258):Talking to a Unity Client
May 7 22:46:04.982 UTC: ISAKMP:(1258):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
May 7 22:46:04.982 UTC: ISAKMP:(1258):Old State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE
May 7 22:46:04.982 UTC: ISAKMP:(1258):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 7 22:46:04.982 UTC: ISAKMP:(1258):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
May 7 22:46:04.982 UTC: ISAKMP (1258): received packet from 222.165.6.20 dport 500 sport 500 Global (R) QM_IDLE
May 7 22:46:04.982 UTC: ISAKMP: set new node 170683285 to QM_IDLE
May 7 22:46:04.986 UTC: ISAKMP:(1258):processing transaction payload from 222.165.6.20. message ID = 170683285
May 7 22:46:04.986 UTC: ISAKMP: Config payload REQUEST
May 7 22:46:04.986 UTC: ISAKMP:(1258):checking request:
May 7 22:46:04.986 UTC: ISAKMP: MODECFG_CONFIG_URL
May 7 22:46:04.986 UTC: ISAKMP: MODECFG_CONFIG_VERSION
May 7 22:46:04.986 UTC: ISAKMP: IP4_DNS
May 7 22:46:04.986 UTC: ISAKMP: IP4_DNS
May 7 22:46:04.986 UTC: ISAKMP: IP4_NBNS
May 7 22:46:04.986 UTC: ISAKMP: IP4_NBNS
May 7 22:46:04.986 UTC: ISAKMP: SPLIT_INCLUDE
May 7 22:46:04.986 UTC: ISAKMP: SPLIT_DNS
May 7 22:46:04.986 UTC: ISAKMP: DEFAULT_DOMAIN
May 7 22:46:04.986 UTC: ISAKMP: MODECFG_SAVEPWD
May 7 22:46:04.986 UTC: ISAKMP: INCLUDE_LOCAL_LAN
May 7 22:46:04.986 UTC: ISAKMP: PFS
May 7 22:46:04.986 UTC: ISAKMP: BACKUP_SERVER
May 7 22:46:04.986 UTC: ISAKMP: APPLICATION_VERSION
May 7 22:46:04.986 UTC: ISAKMP: MODECFG_BANNER
May 7 22:46:04.986 UTC: ISAKMP: MODECFG_IPSEC_INT_CONF
May 7 22:46:04.986 UTC: ISAKMP: MODECFG_HOSTNAME
May 7 22:46:04.986 UTC: ISAKMP/author: Author request for group EZVPN_GRPsuccessfully sent to AAA
May 7 22:46:04.986 UTC: ISAKMP:(1258):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
May 7 22:46:04.986 UTC: ISAKMP:(1258):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
May 7 22:46:04.990 UTC: ISAKMP:(1258):attributes sent in message:
May 7 22:46:04.990 UTC: ISAKMP: Sending save password reply value 1
May 7 22:46:04.990 UTC: ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(24)T5, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Fri 04-Mar-11 03:52 by prod_rel_team
May 7 22:46:04.990 UTC: ISAKMP: Sending IPsec Interface Config reply value 0
May 7 22:46:04.990 UTC: ISAKMP (1258): Unknown Attr: MODECFG_HOSTNAME (0x700A)
May 7 22:46:04.990 UTC: ISAKMP:(1258): responding to peer config from 222.165.6.20. ID = 170683285
May 7 22:46:04.990 UTC: ISAKMP: Marking node 170683285 for late deletion
May 7 22:46:04.990 UTC: ISAKMP:(1258): sending packet to 222.165.6.20 my_port 500 peer_port 500 (R) CONF_ADDR
May 7 22:46:04.990 UTC: ISAKMP:(1258):Sending an IKE IPv4 Packet.
May 7 22:46:04.994 UTC: ISAKMP:(1258):Talking to a Unity Client
May 7 22:46:04.994 UTC: ISAKMP:(1258):Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR
May 7 22:46:04.994 UTC: ISAKMP:(1258):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_P1_COMPLETE
May 7 22:46:04.994 UTC: ISAKMP:FSM error - Message from AAA grp/user.
May 7 22:46:04.994 UTC: ISAKMP:(1258):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 7 22:46:04.994 UTC: ISAKMP:(1258):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
May 7 22:46:05.094 UTC: ISAKMP (1258): received packet from 222.165.6.20 dport 500 sport 500 Global (R) QM_IDLE
May 7 22:46:05.094 UTC: ISAKMP: set new node -636079618 to QM_IDLE
May 7 22:46:05.098 UTC: ISAKMP:(1258): processing HASH payload. message ID = -636079618
May 7 22:46:05.098 UTC: ISAKMP:(1258): processing SA payload. message ID = -636079618
May 7 22:46:05.098 UTC: ISAKMP:(1258):Checking IPSec proposal 1
May 7 22:46:05.098 UTC: ISAKMP: transform 1, ESP_AES
May 7 22:46:05.098 UTC: ISAKMP: attributes in transform:
May 7 22:46:05.098 UTC: ISAKMP: encaps is 1 (Tunnel)
May 7 22:46:05.098 UTC: ISAKMP: SA life type in seconds
May 7 22:46:05.098 UTC: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
May 7 22:46:05.098 UTC: ISAKMP: SA life type in kilobytes
May 7 22:46:05.098 UTC: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
May 7 22:46:05.098 UTC: ISAKMP: authenticator is HMAC-SHA
May 7 22:46:05.098 UTC: ISAKMP: key length is 128
May 7 22:46:05.098 UTC: ISAKMP:(1258):atts are acceptable.
May 7 22:46:05.098 UTC: IPSEC(validate_proposal_request): proposal part #1
May 7 22:46:05.098 UTC: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 202.78.8.22, remote= 222.165.6.20,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
May 7 22:46:05.102 UTC: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes esp-sha-hmac }
May 7 22:46:05.102 UTC: ISAKMP:(1258): IPSec policy invalidated proposal with error 256
<OUTPUT TRUNCATED>
May 7 22:46:05.110 UTC: ISAKMP:(1258):Checking IPSec proposal 6
May 7 22:46:05.110 UTC: ISAKMP: transform 1, ESP_AES
May 7 22:46:05.110 UTC: ISAKMP: attributes in transform:
May 7 22:46:05.110 UTC: ISAKMP: encaps is 1 (Tunnel)
May 7 22:46:05.110 UTC: ISAKMP: SA life type in seconds
May 7 22:46:05.110 UTC: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
May 7 22:46:05.114 UTC: ISAKMP: SA life type in kilobytes
May 7 22:46:05.114 UTC: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
May 7 22:46:05.114 UTC: ISAKMP: authenticator is HMAC-MD5
May 7 22:46:05.114 UTC: ISAKMP: key length is 192
May 7 22:46:05.114 UTC: ISAKMP:(1258):atts are acceptable.
May 7 22:46:05.282 UTC: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
May 7 22:46:05.282 UTC: IPSEC(key_engine_enable_outbound): enable SA with spi 2335958642/50
May 7 22:46:05.282 UTC: IPSEC(update_current_outbound_sa): updated peer 222.165.6.20 current outbound sa to SPI 8B3BE672
May 7 22:46:05.826 UTC: ISAKMP (1258): received packet from 222.165.6.20 dport 500 sport 500 Global (R) QM_IDLE
May 7 22:46:05.826 UTC: ISAKMP: set new node 1010137477 to QM_IDLE
May 7 22:46:05.826 UTC: ISAKMP:(1258): processing HASH payload. message ID = 1010137477
May 7 22:46:05.826 UTC: ISAKMP:(1258): processing NOTIFY CLIENT_UPDATE protocol 1
spi 0, message ID = 1010137477, sa = 47C66308
May 7 22:46:05.826 UTC: ISAKMP:(0):Attribute type CLIENT_HOSTNAME, length = 15
May 7 22:46:05.826 UTC: ISAKMP:(0):Attribute type CLIENT_PLATFORM_NAME, length = 10
May 7 22:46:05.826 UTC: ISAKMP:(0):Attribute type CLIENT_HARDWARE_SERIAL, length = 11
May 7 22:46:05.826 UTC: ISAKMP:(0):Attribute type CLIENT_MEMORY_SIZE, length = 9
May 7 22:46:05.826 UTC: ISAKMP:(0):Attribute type CLIENT_AVAILABLE_MEMORY, length = 8
May 7 22:46:05.826 UTC: ISAKMP:(0):Attribute type CLIENT_IMAGE_VERSION, length = 42
May 7 22:46:05.826 UTC: ISAKMP:(1258):deleting node 1010137477 error FALSE reason "Informational (in) state 1"
May 7 22:46:05.826 UTC: ISAKMP:(1258):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
May 7 22:46:05.826 UTC: ISAKMP:(1258):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
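The debug above shows the server rejecting the client's AES-128 offer against the priority 10 policy and settling on 3DES-CBC, SHA, group 2 over an Aggressive Mode exchange. The following is an added example, not part of the original post: a small Python audit that pulls the accepted Phase 1 transform out of `debug crypto isakmp` output. The function name `phase1_audit` and the `WEAK` table are assumptions of this example, and the sample lines are abridged from the output above.

```python
import re

# Constructed sample: lines abridged from the debug output above.
SAMPLE = """\
May 7 22:46:04.594 UTC: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
May 7 22:46:04.594 UTC: ISAKMP: encryption AES-CBC
May 7 22:46:04.594 UTC: ISAKMP: keylength of 128
May 7 22:46:04.594 UTC: ISAKMP: hash SHA
May 7 22:46:04.594 UTC: ISAKMP: default group 2
May 7 22:46:04.594 UTC: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 7 22:46:04.594 UTC: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 7 22:46:04.602 UTC: ISAKMP:(0):Checking ISAKMP transform 13 against priority 10 policy
May 7 22:46:04.602 UTC: ISAKMP: encryption 3DES-CBC
May 7 22:46:04.602 UTC: ISAKMP: hash SHA
May 7 22:46:04.602 UTC: ISAKMP: default group 2
May 7 22:46:04.602 UTC: ISAKMP:(0):atts are acceptable. Next payload is 3
May 7 22:46:04.654 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
May 7 22:46:05.098 UTC: ISAKMP:(1258):atts are acceptable.
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|keylength of|hash|default group|auth)\s+(\S+)")
# Assumption of this example: values an auditor would flag as legacy.
WEAK = {"encryption": {"DES-CBC", "3DES-CBC"}, "hash": {"MD5"}, "default group": {"1", "2"}}

def phase1_audit(log):
    """Return (accepted transform or None, rejected transform numbers, findings)."""
    accepted, rejected, findings, cur = None, [], [], None
    for line in log.splitlines():
        if m := CHECK.search(line):
            cur = {"transform": int(m[1]), "policy": int(m[2])}
        elif cur is not None and (m := ATTR.search(line)):
            cur[m[1].replace(" of", "")] = m[2]
        elif cur is not None and "atts are not acceptable" in line:
            rejected.append(cur["transform"])
            cur = None
        elif cur is not None and "atts are acceptable" in line:
            accepted, cur = cur, None  # Phase 2 verdicts arrive with cur unset and are skipped
        if "IKE_AM_EXCH" in line and "Aggressive Mode exchange" not in findings:
            findings.append("Aggressive Mode exchange")
    for key, bad in WEAK.items():
        if accepted and accepted.get(key) in bad:
            findings.append(f"{key} {accepted[key]}")
    return accepted, rejected, findings
```

Feeding it a saved copy of the full debug gives the same verdict for every transform the client offered, which makes it easy to see which policy change on the server would let the AES offer match.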
2811-EZVPN#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
202.78.8.22 222.165.6.20 QM_IDLE 1258 ACTIVE