Saturday, May 23, 2015

Cisco Easy VPN (EZVPN)

I was asked to setup a central VPN server wherein remote or spoke routers will be connecting back to our corporate network. The remote routers will be connected and get its dynamic IP address from a 4G cellular modem. I did a blog about EZVPN a year ago and this is my first EZVPN implementation in the real world.

The decision was to setup an Easy VPN (EZVPN) server on an IOS router and it will be assigned with a public IP address. It will also be configured with a VPN policy template that will be used by the spoke router when it tries to associate with the EZVPN server. I used my 871W home router for testing and configured it as an EZVPN client.


2811-EZVPN#show run interface f0/1                                     
Building configuration...

Current configuration : 172 bytes
!
interface FastEthernet0/1
 description To Internet
 ip address 202.78.8.22 255.255.255.248   
 duplex full
 speed 100
end

2811-EZVPN(config)#aaa authentication login ?
  WORD     Named authentication list (max 31 characters, longer will be rejected).
  default  The default authentication list.

2811-EZVPN(config)#aaa authentication login X-AUTH ?
  enable         Use enable password for authentication.
  group          Use Server-group
  krb5           Use Kerberos 5 authentication.
  krb5-telnet    Allow logins only if already authenticated via Kerberos V Telnet.
  line           Use line password for authentication.
  local          Use local username authentication.
  local-case     Use case-sensitive local username authentication.
  none           NO authentication.
  passwd-expiry  enable the login list to provide password aging support

2811-EZVPN(config)#aaa authentication login X-AUTH local
2811-EZVPN(config)#aaa authorization network ?
  WORD     Named authorization list (max 31 characters, longer will be rejected).
  default  The default authorization list.

2811-EZVPN(config)#aaa authorization network EZVPN_AUTHORIZATION ?
  group             Use server-group.
  if-authenticated  Succeed if user has authenticated.
  local             Use local database.
  none              No authorization (always succeeds).

2811-EZVPN(config)#aaa authorization network EZVPN_AUTHORIZATION local
2811-EZVPN(config)#username ezvpn password ?                         
  0     Specifies an UNENCRYPTED password will follow
  7     Specifies a HIDDEN password will follow
  LINE  The UNENCRYPTED (cleartext) user password

2811-EZVPN(config)#username ezvpn password 0 ezvpn
2811-EZVPN(config)#crypto isakmp policy 10           
2811-EZVPN(config-isakmp)#?
ISAKMP commands:
  authentication  Set authentication method for protection suite
  default         Set a command to its defaults
  encryption      Set encryption algorithm for protection suite
  exit            Exit from ISAKMP protection suite configuration mode
  group           Set the Diffie-Hellman group
  hash            Set hash algorithm for protection suite
  lifetime        Set lifetime for ISAKMP security association
  no              Negate a command or set its defaults

2811-EZVPN(config-isakmp)#encryption ?
  3des  Three key triple DES
  aes   AES - Advanced Encryption Standard.
  des   DES - Data Encryption Standard (56 bit keys).

2811-EZVPN(config-isakmp)#encryption 3des
2811-EZVPN(config-isakmp)#hash ?        
  md5  Message Digest 5
  sha  Secure Hash Standard

2811-EZVPN(config-isakmp)#hash sha
2811-EZVPN(config-isakmp)#authentication ?
  pre-share  Pre-Shared Key
  rsa-encr   Rivest-Shamir-Adleman Encryption
  rsa-sig    Rivest-Shamir-Adleman Signature

2811-EZVPN(config-isakmp)#authentication pre-share
2811-EZVPN(config-isakmp)#group ?       
  1   Diffie-Hellman group 1 (768 bit)
  14  Diffie-Hellman group 14 (2048 bit)
  15  Diffie-Hellman group 15 (3072 bit)
  16  Diffie-Hellman group 16 (4096 bit)
  2   Diffie-Hellman group 2 (1024 bit)
  5   Diffie-Hellman group 5 (1536 bit)

2811-EZVPN(config-isakmp)#group 2
2811-EZVPN(config)#crypto isakmp ?
  aggressive-mode       Disable ISAKMP aggressive mode
  client                Set client configuration policy
  default               ISAKMP default policy
  enable                Enable ISAKMP
  fragmentation         IKE Fragmentation enabled if required
  identity              Set the identity which ISAKMP will use
  invalid-spi-recovery  Initiate IKE and send Invalid SPI Notify
  keepalive             Set a keepalive interval for use with IOS peers
  key                   Set pre-shared key for remote peer
  nat                   Set a nat  keepalive interval for use with IOS peers
  peer                  Set Peer Policy
  policy                Set policy for an ISAKMP protection suite
  profile               Define ISAKMP Profiles
  xauth                 Set Extended Authentication values

2811-EZVPN(config)#crypto isakmp client ?
  configuration  Set client configuration policy
  firewall       Define client firewall

2811-EZVPN(config)#crypto isakmp client configuration ?
  address-pool   Set network address for client
  browser-proxy  Set browser proxy attributes for client
  group          Set group profile attributes for client

2811-EZVPN(config)#crypto isakmp client configuration group ?
  WORD  group name

2811-EZVPN(config)#crypto isakmp client configuration group EZVPN_GRP
2811-EZVPN(config-isakmp-group)#?
ISAKMP group policy config commands:
  access-restrict               Restrict clients in this group to an interface
  acl                           Specify split tunneling inclusion access-list number
  auto-update                   Configure auto-upgrade
  backup-gateway                Specify backup gateway
  banner                        Specify mode config banner
  browser-proxy                 Configure browser-proxy
  configuration                 Push configuration to the client
  crypto                        Client group crypto aaa attribute list
  dhcp                          Configure DHCP parameters
  dns                           Specify DNS Addresses
  domain                        Set default domain name to send to client
  exit                          Exit from ISAKMP client group policy configuration mode
  firewall                      Enforce group firewall feature
  group-lock                    Enforce group lock feature
  include-local-lan             Enable Local LAN Access with no split tunnel
  key                           pre-shared key/IKE password
  max-logins                    Set maximum simultaneous logins for users in this group
  max-users                     Set maximum number of users for this group
  netmask                       netmask used by the client for local connectivity
  no                            Negate a command or set its defaults
  pfs                           The client should propose PFS
  pool                          Set name of address pool
  save-password                 Allows remote client to save XAUTH password
  smartcard-removal-disconnect  Enables smartcard-removal-disconnect
  split-dns                     DNS name to append for resolution
  wins                          Specify WINS Addresses

2811-EZVPN(config-isakmp-group)#key ?
  0     Specifies an UNENCRYPTED password will follow
  6     Specifies an ENCRYPTED password will follow
  WORD  The UNENCRYPTED (cleartext) user password

2811-EZVPN(config-isakmp-group)#key ezvpn
2811-EZVPN(config-isakmp-group)#save-password
2811-EZVPN(config)#crypto ipsec transform-set ?
  WORD  Transform set tag

2811-EZVPN(config)#crypto ipsec transform-set EZVPN-TS ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-seal      ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac  ESP transform using HMAC-SHA auth

2811-EZVPN(config)#crypto ipsec transform-set EZVPN-TS esp-3des ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-sha-hmac  ESP transform using HMAC-SHA auth
  <cr>

2811-EZVPN(config)#crypto ipsec transform-set EZVPN-TS esp-3des ah-sha-hmac
2811-EZVPN(config)#crypto dynamic-map ?
  WORD  Dynamic crypto map template tag

2811-EZVPN(config)#crypto dynamic-map EZVPN_DMAP 10
2811-EZVPN(config-crypto-map)#set ?
  identity              Identity restriction.
  ip                    Interface Internet Protocol config commands
  isakmp-profile        Specify isakmp Profile
  nat                   Set NAT translation
  peer                  Allowed Encryption/Decryption peer.
  pfs                   Specify pfs settings
  reverse-route         Reverse Route Injection.
  security-association  Security association parameters
  transform-set         Specify list of transform sets in priority order
2811-EZVPN(config-crypto-map)#?  
Crypto Map configuration commands:
  default        Set a command to its defaults
  description    Description of the crypto map statement policy
  dialer         Dialer related commands
  exit           Exit from crypto map configuration mode
  match          Match values.
  no             Negate a command or set its defaults
  qos            Quality of Service related commands
  reverse-route  Reverse Route Injection.
  set            Set values for encryption/decryption

2811-EZVPN(config-crypto-map)#set ? 
  identity              Identity restriction.
  ip                    Interface Internet Protocol config commands
  isakmp-profile        Specify isakmp Profile
  nat                   Set NAT translation
  peer                  Allowed Encryption/Decryption peer.
  pfs                   Specify pfs settings
  reverse-route         Reverse Route Injection.
  security-association  Security association parameters
  transform-set         Specify list of transform sets in priority order

2811-EZVPN(config-crypto-map)#set transform-set ?
  WORD  Proposal tag

2811-EZVPN(config-crypto-map)#set transform-set EZVPN-TS

2811-EZVPN(config)#crypto map ?
  WORD  Crypto map tag

2811-EZVPN(config)#crypto map EZVPN_CMAP ?
  <1-65535>       Sequence to insert into crypto map entry
  client          Specify client configuration settings
  gdoi            Configure crypto map gdoi features
  isakmp          Specify isakmp configuration settings
  isakmp-profile  Specify isakmp profile to use
  local-address   Interface to use for local address for this crypto map
  redundancy      High availability options for this map

2811-EZVPN(config)#crypto map EZVPN_CMAP client ?
  accounting      Accounting parameters.
  authentication  Use Extended Authentication
  configuration   Specify client configuration settings

2811-EZVPN(config)#crypto map EZVPN_CMAP client authentication ?
  list  AAA authentication list to use

2811-EZVPN(config)#crypto map EZVPN_CMAP client authentication X-AUTH
2811-EZVPN(config)#crypto map EZVPN_CMAP isakmp ?                   
  authorization  Authorization parameters.

2811-EZVPN(config)#crypto map EZVPN_CMAP isakmp authorization ?
  list  AAA authorization list to use

2811-EZVPN(config)#crypto map EZVPN_CMAP isakmp authorization list ?
  WORD  Named authorization list.

2811-EZVPN1(config)#crypto map EZVPN_CMAP isakmp authorization list EZVPN_AUTHORIZATION
SIN1-EZVPN01(config)#crypto map EZVPN_CMAP ?                                           
  <1-65535>       Sequence to insert into crypto map entry
  client          Specify client configuration settings
  gdoi            Configure crypto map gdoi features
  isakmp          Specify isakmp configuration settings
  isakmp-profile  Specify isakmp profile to use
  local-address   Interface to use for local address for this crypto map
  redundancy      High availability options for this map

2811-EZVPN(config)#crypto map EZVPN_CMAP 10 ?
  gdoi          GDOI
  ipsec-isakmp  IPSEC w/ISAKMP
  ipsec-manual  IPSEC w/manual keying
  <cr>

2811-EZVPN(config)#crypto map EZVPN_CMAP 10 ipsec-isakmp ?
  dynamic  Enable dynamic crypto map support
  profile  Enable crypto map as a crypto-profile
  <cr>

2811-EZVPN(config)#crypto map EZVPN_CMAP 10 ipsec-isakmp dynamic ?
  WORD  Name of dynamic-map template

2811-EZVPN(config)#crypto map EZVPN_CMAP 10 ipsec-isakmp dynamic EZVPN_DMAP
2811-EZVPN(config)#interface f0/1
2811-EZVPN(config-if)#crypto  ?
  ipsec  Set IPSec parameters
  map    Assign a Crypto Map

2811-EZVPN(config-if)#crypto map ?
  WORD  Crypto Map tag
  <cr>

2811-EZVPN(config-if)#crypto map EZVPN_CMAP


----

871W#ping 202.78.8.22

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.78.8.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/80/84 ms

871W#show run interface f4
Building configuration...

Current configuration : 252 bytes
!
interface FastEthernet4
 description To Cable Modem
 ip dhcp client client-id hex 002699C6DB2E
 ip dhcp client hostname 871W
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
end

871W#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
BVI1                       192.168.1.1     YES NVRAM  up                    up     
Dot11Radio0                unassigned      YES NVRAM  up                    up     
FastEthernet0              unassigned      YES unset  up                    down   
FastEthernet1              unassigned      YES unset  administratively down down   
FastEthernet2              unassigned      YES unset  administratively down down   
FastEthernet3              unassigned      YES unset  administratively down down   
FastEthernet4              222.165.6.20 YES DHCP   up                    up     
Group-Async4               unassigned      YES NVRAM  down                  down   
NVI0                       unassigned      YES unset  administratively down down   
Vlan1                      unassigned      YES NVRAM  up                    down  

871W(config)#crypto ipsec ?
  client                Configure a client
  df-bit                Handling of encapsulated DF bit.
  fragmentation         Handling of fragmentation of near-MTU sized packets
  nat-transparency      IPsec NAT transparency model
  optional              Enable optional encryption for IPSec
  profile               Configure an ipsec policy profile
  security-association  Security association parameters
  transform-set         Define transform and settings

871W(config)#crypto ipsec client ?
  ezvpn  Configure an EzVPN client

871W(config)#crypto ipsec client
871W(config)#crypto ipsec client ezvpn ?
  WORD  crypto-ezvpn name

871W(config)#crypto ipsec client ezvpn EZVPN_CLIENT
871W(config-crypto-ezvpn)#connect auto
871W(config-crypto-ezvpn)#group ?
  WORD  Group Name

871W(config-crypto-ezvpn)#group EZVPN_GRP key ?
  0     Specifies an UNENCRYPTED password will follow
  6     Specifies an ENCRYPTED password will follow
  WORD  The UNENCRYPTED (cleartext) user password

871W(config-crypto-ezvpn)#group EZVPN_GRP key ezvpn
871W(config-crypto-ezvpn)#mode network-extension
871W(config-crypto-ezvpn)#peer 202.78.8.22     // ENSURE A STATIC ROUTE IS CONFIGURED TO REACH THE EZVPN SERVER
871W(config-crypto-ezvpn)#username ?
  WORD  User Name

871W(config-crypto-ezvpn)#username ezvpn ?
  password  Password

871W(config-crypto-ezvpn)#username ezvpn password ezvpn
871W(config-crypto-ezvpn)#xauth userid ?
  mode  The source of user credential collection

871W(config-crypto-ezvpn)#xauth userid m
871W(config-crypto-ezvpn)#xauth userid mode ?
  http-intercept  Intercept user's HTTP requests to prompt
  interactive     Prompt the user on the console
  local           Use locally saved username and password

871W(config-crypto-ezvpn)#xauth userid mode local

871W(config-if)#crypto ipsec ?
  client         Client
  df-bit         Handling of encapsulated DF bit.
  fragmentation  Handling of fragmentation of near-MTU sized packets

871W(config-if)#crypto ipsec client ?
  ezvpn  Assign an EzVPN configuration
871W(config-if)#crypto ipsec client ezvpn ?
  WORD  Crypto EzVPN name

871W(config-if)#crypto ipsec client ezvpn EZVPN_CLIENT ?
  inside   inside
  outside  outside
  <cr>
871W(config-if)#crypto ipsec client ezvpn ?
  WORD  Crypto EzVPN name

871W(config-if)#crypto ipsec client ezvpn EZVPN_CLIENT inside
871W(config-if)#interface f4
871W(config-if)#
*May 20 05:12:38.312 SGT: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*May 20 05:12:40.388 SGT: EZVPN(EZVPN_CLIENT) Server does not allow save password option, enter your username and password manually
*May 20 05:12:40.388 SGT: EZVPN(EZVPN_CLIENT): *** Logic Error ***
*May 20 05:12:40.388 SGT: EZVPN(EZVPN_CLIENT): Current State: READY
*May 20 05:12:40.388 SGT: EZVPN(EZVPN_CLIENT): Event: MODE_CONFIG_REPLY
*May 20 05:12:40.388 SGT: EZVPN(EZVPN_CLIENT): Resetting the EZVPN state machine to recover
*May 20 05:12:40.388 SGT: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=EZVPN_GRP  Client_public_addr=222.165.6.20  Server_public_addr=202.78.8.22 
*May 20 05:12:41.996 SGT: EZVPN(EZVPN_CLIENT) Server does not allow save password option,enter your username and password manually

871W#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 6

Tunnel name : EZVPN_CLIENT
Inside interface list: BVI1
Outside interface: FastEthernet4
Current State: CONNECT_REQUIRED
Last Event: CONNECT
Save Password: Disallowed
Current EzVPN Peer: 202.78.8.22

871W# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.78.8.22   222.165.6.20 MM_NO_STATE       2062    0 ACTIVE (deleted)


I wasn't able to establish a successful IPsec VPN tunnel with the EZVPN server right away. I got an error on the EZVPN client router which said, "Server does not allow save password" although I thought I've configured the EZVPN server to save its password. After adding the configuration line below on the EZVPN server, everything seemed to work.

2811-EZVPN(config)#crypto map EZVPN_CMAP client ?
  accounting      Accounting parameters.
  authentication  Use Extended Authentication
  configuration   Specify client configuration settings

2811-EZVPN(config)#crypto map EZVPN_CMAP client configuration ?
  address  Specify client network address configuration

2811-EZVPN(config)#crypto map EZVPN_CMAP client configuration address ?
  initiate  Push the network address to the client
  respond   Respond to network address requests from the client

2811-EZVPN(config)#crypto map EZVPN_CMAP client configuration address respond


871W#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 6

Tunnel name : EZVPN_CLIENT
Inside interface list: BVI1
Outside interface: FastEthernet4
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Allowed
Current EzVPN Peer: 202.78.8.22

871W#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst                  src                  state                    conn-id slot status
202.78.8.22   222.165.6.20 QM_IDLE           2256    0 ACTIVE


Here's the debug output from both VPN nodes.

871W#debug crypto isakmp sa
Crypto ISAKMP debugging is on
871W# debug crypto isakmp psec
Crypto IPSEC debugging is on
871W#clear crypto isakmp
871W#
*May 20 05:23:27.815 SGT: del_node src 222.165.6.20:500 dst 202.78.8.22:500 fvrf 0x0, ivrf 0x0
*May 20 05:23:27.815 SGT: ISAKMP:(2256):peer does not do paranoid keepalives.
*May 20 05:23:27.815 SGT: ISAKMP:(2256):deleting SA reason "Death by tree-walk" state (I) QM_IDLE  (peer 202.78.8.22)
*May 20 05:23:27.819 SGT: ISAKMP: set new node -451076264 to QM_IDLE     
*May 20 05:23:27.819 SGT: ISAKMP:(2256): sending packet to 202.78.8.22 my_port 500 peer_port 500 (I) QM_IDLE     
*May 20 05:23:27.819 SGT: ISAKMP:(2256):Sending an IKE IPv4 Packet.
*May 20 05:23:27.819 SGT: ISAKMP:(2256):purging node -451076264
*May 20 05:23:27.819 SGT: ISAKMP:(2256):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*May 20 05:23:27.819 SGT: ISAKMP:(2256):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
*May 20 05:23:27.819 SGT: ISAKMP:(2256):deleting SA reason "Death by tree-walk" state (I) QM_IDLE       (peer 202.78.8.22)
*May 20 05:23:27.823 SGT: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
*May 20 05:23:27.823 SGT: ISAKMP: Unlocking peer struĆ£arkr isadb_m_sa_deleted(), count 0
*May 20 05:23:27.823 SGT: ISAKMP:(2256):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 20 05:23:27.823 SGT: ISAKMP:(2256):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
*May 20 05:23:27.823 SGT: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=ezvpn  Group=EZVPN_GRP  Client_public_addr=222.165.6.20  Server_public_addr=202.78.8.22 
*May 20 05:23:27.827 SGT: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 222.165.6.20, sa_proto= 50,
    sa_spi= 0xDAA24285(3668066949),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 1,
  (identity) local= 222.165.6.20, remote= 202.78.8.22,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*May 20 05:23:27.827 SGT: IPSEC(update_current_outbound_sa): updated peer 202.78.8.22 current outbound sa to SPI 0
*May 20 05:23:27.827 SGT: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 202.78.8.22, sa_proto= 50,
    sa_spi= 0x7393F327(1939075879),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2,
  (identity) local= 222.165.6.20, remote= 202.78.8.22,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*May 20 05:23:27.831 SGT: ISAKMP: Deleting peer node by peer_reap for 202.78.8.22: 829FF504
*May 20 05:23:27.831 SGT: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 222.165.6.20 dst 202.78.8.22 for SPI 0xDAA24285
*May 20 05:23:27.831 SGT: ISAKMP:(2256):peer does not do paranoid keepalives.
*May 20 05:23:27.831 SGT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*May 20 05:23:27.911 SGT: ISAKMP (0:2256): received packet from 202.78.8.22 dport 500 sport 500 Global (I) MM_NO_STATE
*May 20 05:23:28.935 SGT: del_node src 222.165.6.20:500 dst 202.78.8.22:500 fvrf 0x0, ivrf 0x0
*May 20 05:23:28.935 SGT: ISAKMP:(2256):peer does not do paranoid keepalives.
*May 20 05:23:28.935 SGT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*May 20 05:23:28.935 SGT: ISAKMP:(0): SA request profile is (NULL)
*May 20 05:23:28.935 SGT: ISAKMP: Created a peer struct for 202.78.8.22, peer port 500
*May 20 05:23:28.935 SGT: ISAKMP: New peer created peer = 0x829FF504 peer_handle = 0x80000102
*May 20 05:23:28.935 SGT: ISAKMP: Locking peer struct 0x829FF504, refcount 1 for isakmp_initiator
*May 20 05:23:28.935 SGT: ISAKMP:(0):Setting client config settings 828F9B80
*May 20 05:23:28.935 SGT: ISAKMP: local port 500, remote port 500
*May 20 05:23:28.935 SGT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 83C9EE00
*May 20 05:23:28.935 SGT: ISAKMP:(0): client mode configured.
*May 20 05:23:28.939 SGT: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*May 20 05:23:28.939 SGT: ISAKMP:(0): constructed NAT-T vendor-07 ID
*May 20 05:23:28.939 SGT: ISAKMP:(0): constructed NAT-T vendor-03 ID
*May 20 05:23:28.939 SGT: ISAKMP:(0): constructed NAT-T vendor-02 ID
*May 20 05:23:28.939 SGT: ISKAMP: growing send buffer from 1024 to 3072
*May 20 05:23:28.939 SGT: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID
*May 20 05:23:28.939 SGT: ISAKMP (0:0): ID payload
    next-payload : 13
    type         : 11
    group id     : EZVPN_GRP
    protocol     : 17
    port         : 0
    length       : 17
*May 20 05:23:28.939 SGT: ISAKMP:(0):Total payload length: 17
*May 20 05:23:28.939 SGT: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
*May 20 05:23:28.939 SGT: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_AM1

*May 20 05:23:28.939 SGT: ISAKMP:(0): beginning Aggressive Mode exchange
*May 20 05:23:28.939 SGT: ISAKMP:(0): sending packet to 202.78.8.22 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*May 20 05:23:28.939 SGT: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 20 05:23:29.075 SGT: ISAKMP (0:0): received packet from 202.78.8.22 dport 500 sport 500 Global (I) AG_INIT_EXCH
*May 20 05:23:29.075 SGT: ISAKMP:(0): processing SA payload. message ID = 0
*May 20 05:23:29.075 SGT: ISAKMP:(0): processing ID payload. message ID = 0
*May 20 05:23:29.079 SGT: ISAKMP (0:0): ID payload
    next-payload : 10
    type         : 1
    address      : 202.78.8.22
    protocol     : 0
    port         : 0
    length       : 12
*May 20 05:23:29.079 SGT: ISAKMP:(0):: peer matches *none* of the profiles
*May 20 05:23:29.079 SGT: ISAKMP:(0): processing vendor id payload
*May 20 05:23:29.079 SGT: ISAKMP:(0): vendor ID is Unity
*May 20 05:23:29.079 SGT: ISAKMP:(0): processing vendor id payload
*May 20 05:23:29.079 SGT: ISAKMP:(0): vendor ID is DPD
*May 20 05:23:29.079 SGT: ISAKMP:(0): processing vendor id payload
*May 20 05:23:29.079 SGT: ISAKMP:(0): speaking to another IOS box!
*May 20 05:23:29.079 SGT: ISAKMP:(0): local preshared key found
*May 20 05:23:29.079 SGT: ISAKMP : Scanning profiles for xauth ...
*May 20 05:23:29.079 SGT: ISAKMP:(0): Authentication by xauth preshared
*May 20 05:23:29.079 SGT: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65515 policy
*May 20 05:23:29.079 SGT: ISAKMP:      encryption 3DES-CBC
*May 20 05:23:29.079 SGT: ISAKMP:      hash SHA
*May 20 05:23:29.079 SGT: ISAKMP:      default group 2
*May 20 05:23:29.079 SGT: ISAKMP:      auth XAUTHInitPreShared
*May 20 05:23:29.079 SGT: ISAKMP:      life type in seconds
*May 20 05:23:29.079 SGT: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*May 20 05:23:29.079 SGT: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 20 05:23:29.079 SGT: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 20 05:23:29.079 SGT: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65516 policy
*May 20 05:23:29.079 SGT: ISAKMP:      encryption 3DES-CBC
*May 20 05:23:29.079 SGT: ISAKMP:      hash SHA
*May 20 05:23:29.079 SGT: ISAKMP:      default group 2
*May 20 05:23:29.079 SGT: ISAKMP:      auth XAUTHInitPreShared
*May 20 05:23:29.083 SGT: ISAKMP:      life type in seconds
*May 20 05:23:29.083 SGT: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*May 20 05:23:29.083 SGT: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 20 05:23:29.083 SGT: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 20 05:23:29.083 SGT: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65517 policy
*May 20 05:23:29.083 SGT: ISAKMP:      encryption 3DES-CBC
*May 20 05:23:29.083 SGT: ISAKMP:      hash SHA
*May 20 05:23:29.083 SGT: ISAKMP:      default group 2
*May 20 05:23:29.083 SGT: ISAKMP:      auth XAUTHInitPreShared
*May 20 05:23:29.083 SGT: ISAKMP:      life type in seconds
*May 20 05:23:29.083 SGT: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*May 20 05:23:29.083 SGT: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 20 05:23:29.083 SGT: ISAKMP:(0):atts are not acceptable. Next payload is 0

<OUTPUT TRUNCATED>

*May 20 05:23:29.091 SGT: ISAKMP:      encryption 3DES-CBC
*May 20 05:23:29.091 SGT: ISAKMP:      hash SHA
*May 20 05:23:29.091 SGT: ISAKMP:      default group 2
*May 20 05:23:29.091 SGT: ISAKMP:      auth XAUTHInitPreShared
*May 20 05:23:29.091 SGT: ISAKMP:      life type in seconds
*May 20 05:23:29.091 SGT: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*May 20 05:23:29.091 SGT: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 20 05:23:29.091 SGT: ISAKMP:(0):Acceptable atts:actual life: 2147483
*May 20 05:23:29.091 SGT: ISAKMP:(0):Acceptable atts:life: 0
*May 20 05:23:29.095 SGT: ISAKMP:(0):Fill atts in sa vpi_length:4
*May 20 05:23:29.095 SGT: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
*May 20 05:23:29.095 SGT: ISAKMP:(0):Returning Actual lifetime: 2147483
*May 20 05:23:29.095 SGT: ISAKMP:(0)::Started lifetime timer: 2147483.

*May 20 05:23:29.095 SGT: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*May 20 05:23:29.095 SGT: ISAKMP:(0): processing KE payload. message ID = 0
*May 20 05:23:29.143 SGT: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 20 05:23:29.143 SGT: ISAKMP:(2257): processing HASH payload. message ID = 0
*May 20 05:23:29.143 SGT: ISAKMP:received payload type 20
*May 20 05:23:29.143 SGT: ISAKMP:received payload type 20
*May 20 05:23:29.147 SGT: ISAKMP:(2257):SA authentication status:
    authenticated
*May 20 05:23:29.147 SGT: ISAKMP:(2257):SA has been authenticated with 202.78.8.22
*May 20 05:23:29.147 SGT: ISAKMP: Trying to insert a peer 222.165.6.20/202.78.8.22/500/,  and inserted successfully 829FF504.
*May 20 05:23:29.147 SGT: ISAKMP:(2257):Send initial contact
*May 20 05:23:29.147 SGT: ISAKMP:(2257): sending packet to 202.78.8.22 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*May 20 05:23:29.147 SGT: ISAKMP:(2257):Sending an IKE IPv4 Packet.
*May 20 05:23:29.147 SGT: ISAKMP:(2257):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*May 20 05:23:29.147 SGT: ISAKMP:(2257):Old State = IKE_I_AM1  New State = IKE_P1_COMPLETE
*May 20 05:23:29.151 SGT: ISAKMP:(2257):Need XAUTH
*May 20 05:23:29.151 SGT: ISAKMP:(2257):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*May 20 05:23:29.151 SGT: ISAKMP:(2257):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*May 20 05:23:29.239 SGT: ISAKMP (0:2257): received packet from 202.78.8.22 dport 500 sport 500 Global (I) CONF_XAUTH  
*May 20 05:23:29.239 SGT: ISAKMP: set new node -1146939845 to CONF_XAUTH  
*May 20 05:23:29.239 SGT: ISAKMP:(2257): processing HASH payload. message ID = -1146939845
*May 20 05:23:29.243 SGT: ISAKMP:(2257): processing NOTIFY RESPONDER_LIFETIME protocol 1 spi 0, message ID = -1146939845, sa = 83C9EE00
*May 20 05:23:29.243 SGT: ISAKMP:(2257):SA authentication status: authenticated
*May 20 05:23:29.243 SGT: ISAKMP:(2257): processing responder lifetime
*May 20 05:23:29.243 SGT: ISAKMP:(2257): start processing isakmp responder lifetime
*May 20 05:23:29.243 SGT: ISAKMP:(2257):Returning Actual lifetime: 2147483
*May 20 05:23:29.243 SGT: ISAKMP:(2257): restart ike sa timer to 86400 secs
*May 20 05:23:29.243 SGT: ISAKMP:(2257):Started lifetime timer: 0.
*May 20 05:23:29.243 SGT: ISAKMP:(2257):deleting node -1146939845 error FALSE reason "Informational (in) state 1"
*May 20 05:23:29.243 SGT: ISAKMP:(2257):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 20 05:23:29.243 SGT: ISAKMP:(2257):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*May 20 05:23:29.243 SGT: ISAKMP (0:2257): received packet from 202.78.8.22 dport 500 sport 500 Global (I) CONF_XAUTH  
*May 20 05:23:29.243 SGT: ISAKMP: set new node 752671264 to CONF_XAUTH  
*May 20 05:23:29.247 SGT: ISAKMP:(2257):processing transaction payload from 202.78.8.22. message ID = 752671264
*May 20 05:23:29.247 SGT: ISAKMP: Config payload REQUEST
*May 20 05:23:29.247 SGT: ISAKMP:(2257):checking request:
*May 20 05:23:29.247 SGT: ISAKMP:    XAUTH_USER_NAME_V2
*May 20 05:23:29.247 SGT: ISAKMP:    XAUTH_USER_PASSWORD_V2
*May 20 05:23:29.247 SGT: ISAKMP:(2257):Xauth process request
*May 20 05:23:29.247 SGT: ISAKMP:(2257):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*May 20 05:23:29.247 SGT: ISAKMP:(2257):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REPLY_AWAIT
*May 20 05:23:29.247 SGT:         username: ezvpn
*May 20 05:23:29.247 SGT:         password: <ezpn>
*May 20 05:23:29.247 SGT: ISAKMP:(2257): responding to peer config from 202.78.8.22. ID = 752671264
*May 20 05:23:29.247 SGT: ISAKMP: Marking node 752671264 for late deletion
*May 20 05:23:29.251 SGT: ISAKMP:(2257): sending packet to 202.78.8.22 my_port 500 peer_port 500 (I) CONF_XAUTH  
*May 20 05:23:29.251 SGT: ISAKMP:(2257):Sending an IKE IPv4 Packet.
*May 20 05:23:29.251 SGT: ISAKMP:(2257):Input = IKE_MESG_INTERNAL, IKE_XAUTH_REPLY_ATTR
*May 20 05:23:29.251 SGT: ISAKMP:(2257):Old State = IKE_XAUTH_REPLY_AWAIT  New State = IKE_XAUTH_REPLY_SENT
*May 20 05:23:29.335 SGT: ISAKMP (0:2257): received packet from 202.78.8.22 dport 500 sport 500 Global (I) CONF_XAUTH  
*May 20 05:23:29.335 SGT: ISAKMP: set new node -1569794741 to CONF_XAUTH  
*May 20 05:23:29.335 SGT: ISAKMP:(2257):processing transaction payload from 202.78.8.22. message ID = -1569794741
*May 20 05:23:29.339 SGT: ISAKMP: Config payload SET
*May 20 05:23:29.339 SGT: ISAKMP:(2257):Xauth process set, status = 1
*May 20 05:23:29.339 SGT: ISAKMP:(2257):checking SET:
*May 20 05:23:29.339 SGT: ISAKMP:    XAUTH_STATUS_V2 XAUTH-OK
*May 20 05:23:29.339 SGT: ISAKMP:(2257):attributes sent in message:
*May 20 05:23:29.339 SGT:         Status: 1
*May 20 05:23:29.339 SGT: ISAKMP:(2257):deleting node 752671264 error FALSE reason "Done with xauth request/reply exchange"
*May 20 05:23:29.347 SGT: ISAKMP:(2257): sending packet to 202.78.8.22 my_port 500 peer_port 500 (I) CONF_XAUTH  
*May 20 05:23:29.347 SGT: ISAKMP:(2257):Sending an IKE IPv4 Packet.
*May 20 05:23:29.347 SGT: ISAKMP:(2257):deleting node -1569794741 error FALSE reason "No Error"
*May 20 05:23:29.347 SGT: ISAKMP:(2257):Input = IKE_MESG_FROM_PEER, IKE_CFG_SET
*May 20 05:23:29.347 SGT: ISAKMP:(2257):Old State = IKE_XAUTH_REPLY_SENT  New State = IKE_P1_COMPLETE
*May 20 05:23:29.351 SGT: ISAKMP:(2257):Need config/address
*May 20 05:23:29.351 SGT: ISAKMP: set new node 286147054 to CONF_ADDR   
*May 20 05:23:29.351 SGT: ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(15)T10, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 14-Sep-09 23:35 by prod_rel_team
*May 20 05:23:29.351 SGT: ISAKMP:(2257): initiating peer config to 202.78.8.22. ID = 286147054
*May 20 05:23:29.351 SGT: ISAKMP:(2257): sending packet to 202.78.8.22 my_port 500 peer_port 500 (I) CONF_ADDR   
*May 20 05:23:29.351 SGT: ISAKMP:(2257):Sending an IKE IPv4 Packet.
*May 20 05:23:29.351 SGT: ISAKMP:(2257):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*May 20 05:23:29.351 SGT: ISAKMP:(2257):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_MODE_REQ_SENT
*May 20 05:23:29.443 SGT: ISAKMP (0:2257): received packet from 202.78.8.22 dport 500 sport 500 Global (I) CONF_ADDR   
*May 20 05:23:29.443 SGT: ISAKMP:(2257):processing transaction payload from 202.78.18.228. message ID = 286147054
*May 20 05:23:29.443 SGT: ISAKMP: Config payload REPLY
*May 20 05:23:29.443 SGT: ISAKMP(0:2257) process config reply
*May 20 05:23:29.443 SGT: ISAKMP:(2257):deleting node 286147054 error FALSE reason "Transaction mode done"
*May 20 05:23:29.443 SGT: ISAKMP:(2257):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
*May 20 05:23:29.443 SGT: ISAKMP:(2257):Old State = IKE_CONFIG_MODE_REQ_SENT  New State = IKE_P1_COMPLETE
*May 20 05:23:29.451 SGT: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
*May 20 05:23:29.451 SGT: ISAKMP:(2257):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*May 20 05:23:29.451 SGT: ISAKMP:(2257):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*May 20 05:23:29.451 SGT: IPSEC(recalculate_mtu): reset sadb_root 834A48F8 mtu to 1500
*May 20 05:23:29.451 SGT: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 222.165.6.20, remote= 202.78.8.22,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 2147483s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2000

<OUTPUT TRUNCATED>

*May 20 05:23:29.463 SGT: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 222.165.6.20, remote= 202.78.8.22,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 2147483s and 4608000kb,
    spi= 0x0(0), conn_id= 0, kall
Translating "uall"...domain server (202.156.1.16)eysize= 0, flags= 0x2000
*May 20 05:23:29.467 SGT: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 222.165.6.20, remote= 202.78.8.22,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*May 20 05:23:29.475 SGT: ISAKMP:(2257):beginning Quick Mode exchange, M-ID of -1472151107
*May 20 05:23:29.483 SGT: ISAKMP:(2257):QM Initiator gets spi
*May 20 05:23:29.487 SGT: ISKAMP: growing send buf [OK]
Trying uall.lagura.com (69.172.201.208)... fer from 1024 to 3072
*May 20 05:23:29.491 SGT: ISAKMP:(2257): sending packet to 202.78.8.22 my_port 500 peer_port 500 (I) QM_IDLE     
*May 20 05:23:29.491 SGT: ISAKMP:(2257):Sending an IKE IPv4 Packet.
*May 20 05:23:29.491 SGT: ISAKMP:(2257):Node -1472151107, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 20 05:23:29.491 SGT: ISAKMP:(2257):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*May 20 05:23:29.767 SGT: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=ezvpn  Group=EZVPN_GRP  Client_public_addr=222.165.6.20  Server_public_addr=202.78.8.22  NEM_Remote_Subnets=192.168.1.0/255.255.255.0   
*May 20 05:23:30.515 SGT: ISAKMP: set new node -23251054 to QM_IDLE     
*May 20 05:23:30.515 SGT: ISAKMP:(2257):Sending NOTIFY CLIENT_UPDATE protocol 1 spi 0, message ID = -23251054
*May 20 05:23:30.515 SGT: ISAKMP:(2257): sending packet to 202.78.8.22 my_port 500 peer_port 500 (I) QM_IDLE     


871W#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
202.78.8.22  222.165.6.20 QM_IDLE           1258 ACTIVE


2811-EZVPN#debug crypto isakmp
Crypto ISAKMP debugging is on
2811-EZVPN#debug crypto isakmp psec
Crypto IPSEC debugging is on
2811-EZVPN#
May  7 22:46:02.574 UTC: ISAKMP (1257): received packet from 222.165.6.20 dport 500 sport 500 Global (R) QM_IDLE     
May  7 22:46:02.574 UTC: ISAKMP: set new node 451843303 to QM_IDLE     
May  7 22:46:02.574 UTC: ISAKMP:(1257): processing HASH payload. message ID = 451843303
May  7 22:46:02.574 UTC: ISAKMP:received payload type 18
May  7 22:46:02.574 UTC: ISAKMP:(1257):Processing delete with reason payload
May  7 22:46:02.574 UTC: ISAKMP:(1257):delete doi = 1
May  7 22:46:02.574 UTC: ISAKMP:(1257):delete protocol id = 1
May  7 22:46:02.574 UTC: ISAKMP:(1257):delete spi_size =  16
May  7 22:46:02.574 UTC: ISAKMP:(1257):delete num spis = 1
May  7 22:46:02.574 UTC: ISAKMP:(1257):delete_reason = 8
May  7 22:46:02.574 UTC: ISAKMP:(1257): processing DELETE_WITH_REASON payload, message ID = 451843303, reason: Unknown delete reason!
May  7 22:46:02.574 UTC: ISAKMP:(1257):peer does not do paranoid keepalives.
May  7 22:46:02.574 UTC: ISAKMP:(1257):peer does not do paranoid keepalives.
May  7 22:46:02.574 UTC: ISAKMP:(1257):deleting SA reason "Death by tree-walk" state (R) QM_IDLE       (peer 222.165.6.20)
May  7 22:46:02.574 UTC: ISAKMP:(1257):deleting node 451843303 error FALSE reason "Informational (in) state 1"
May  7 22:46:02.578 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May  7 22:46:02.578 UTC: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
May  7 22:46:02.578 UTC: IPSEC(key_engine_delete_sas): delete all SAs shared with peer 222.165.6.20
May  7 22:46:02.578 UTC: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 202.78.8.22, sa_proto= 50,
    sa_spi= 0xDE86ACB(233335499),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2003
    sa_lifetime(k/sec)= (4384309/3600),
  (identity) local= 202.78.8.22, remote= 222.165.6.20,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
May  7 22:46:02.578 UTC: IPSEC(update_current_outbound_sa): updated peer 222.165.6.20 current outbound sa to SPI 0
May  7 22:46:02.578 UTC: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 222.165.6.20, sa_proto= 50,
    sa_spi= 0x55D3CE9B(1439944347),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2004
    sa_lifetime(k/sec)= (4384309/3600),
  (identity) local= 202.78.8.22, remote= 222.165.6.20,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
May  7 22:46:02.582 UTC: ISAKMP: set new node -95419328 to QM_IDLE     
May  7 22:46:02.582 UTC: ISAKMP:(1257): sending packet to 222.165.6.20 my_port 500 peer_port 500 (R) QM_IDLE     
May  7 22:46:02.582 UTC: ISAKMP:(1257):Sending an IKE IPv4 Packet.
May  7 22:46:02.582 UTC: ISAKMP:(1257):purging node -95419328
May  7 22:46:02.582 UTC: ISAKMP:(1257):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May  7 22:46:02.582 UTC: ISAKMP:(1257):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
May  7 22:46:02.586 UTC: ISAKMP:(1257):deleting SA reason "Death by tree-walk" state (R) QM_IDLE       (peer 222.165.6.20)
May  7 22:46:02.586 UTC: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
May  7 22:46:02.586 UTC: ISAKMP: Unlocking peer struct 0x47BD3278 for isadb_mark_sa_deleted(), count 0
May  7 22:46:02.586 UTC: ISAKMP: Deleting peer node by peer_reap for 222.165.6.20: 47BD3278
May  7 22:46:02.586 UTC: ISAKMP:(1257):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May  7 22:46:02.586 UTC: ISAKMP:(1257):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
May  7 22:46:02.586 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May  7 22:46:04.586 UTC: ISAKMP (0): received packet from 222.165.6.20 dport 500 sport 500 Global (N) NEW SA
May  7 22:46:04.590 UTC: ISAKMP: Created a peer struct for 222.165.6.20, peer port 500
May  7 22:46:04.590 UTC: ISAKMP: New peer created peer = 0x47BD3278 peer_handle = 0x80000103
May  7 22:46:04.590 UTC: ISAKMP: Locking peer struct 0x47BD3278, refcount 1 for crypto_isakmp_process_block
May  7 22:46:04.590 UTC: ISAKMP:(0):Setting client config settings 47BD2C70
May  7 22:46:04.590 UTC: ISAKMP:(0):(Re)Setting client xauth list  and state
May  7 22:46:04.590 UTC: ISAKMP/xauth: initializing AAA request
May  7 22:46:04.590 UTC: ISAKMP: local port 500, remote port 500
May  7 22:46:04.590 UTC: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 47C66308
May  7 22:46:04.590 UTC: ISAKMP:(0): processing SA payload. message ID = 0
May  7 22:46:04.590 UTC: ISAKMP:(0): processing ID payload. message ID = 0
May  7 22:46:04.590 UTC: ISAKMP (0): ID payload
    next-payload : 13
    type         : 11
    group id     : EZVPN_GRP
    protocol     : 17
    port         : 0
    length       : 17
May  7 22:46:04.590 UTC: ISAKMP:(0):: peer matches *none* of the profiles
May  7 22:46:04.590 UTC: ISAKMP:(0): processing vendor id payload
May  7 22:46:04.590 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
May  7 22:46:04.590 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947
May  7 22:46:04.590 UTC: ISAKMP:(0): processing vendor id payload
May  7 22:46:04.590 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
May  7 22:46:04.590 UTC: ISAKMP (0): vendor ID is NAT-T v7
May  7 22:46:04.590 UTC: ISAKMP:(0): processing vendor id payload
May  7 22:46:04.590 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
May  7 22:46:04.594 UTC: ISAKMP:(0): vendor ID is NAT-T v3
May  7 22:46:04.594 UTC: ISAKMP:(0): processing vendor id payload
May  7 22:46:04.594 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
May  7 22:46:04.594 UTC: ISAKMP:(0): vendor ID is NAT-T v2
May  7 22:46:04.594 UTC: ISAKMP:(0): Authentication by xauth preshared
May  7 22:46:04.594 UTC: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
May  7 22:46:04.594 UTC: ISAKMP:      encryption AES-CBC
May  7 22:46:04.594 UTC: ISAKMP:      keylength of 128
May  7 22:46:04.594 UTC: ISAKMP:      hash SHA
May  7 22:46:04.594 UTC: ISAKMP:      default group 2
May  7 22:46:04.594 UTC: ISAKMP:      auth XAUTHInitPreShared
May  7 22:46:04.594 UTC: ISAKMP:      life type in seconds
May  7 22:46:04.594 UTC: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
May  7 22:46:04.594 UTC: ISAKMP:(0):Encryption algorithm offered does not match policy!
May  7 22:46:04.594 UTC: ISAKMP:(0):atts are not acceptable. Next payload is 3

<OUTPUT TRUNCATED>

May  7 22:46:04.602 UTC: ISAKMP:(0):Checking ISAKMP transform 13 against priority 10 policy
May  7 22:46:04.602 UTC: ISAKMP:      encryption 3DES-CBC
May  7 22:46:04.602 UTC: ISAKMP:      hash SHA
May  7 22:46:04.602 UTC: ISAKMP:      default group 2
May  7 22:46:04.602 UTC: ISAKMP:      auth XAUTHInitPreShared
May  7 22:46:04.602 UTC: ISAKMP:      life type in seconds
May  7 22:46:04.602 UTC: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
May  7 22:46:04.602 UTC: ISAKMP:(0):atts are acceptable. Next payload is 3
May  7 22:46:04.602 UTC: ISAKMP:(0):Acceptable atts:actual life: 86400
May  7 22:46:04.602 UTC: ISAKMP:(0):Acceptable atts:life: 0
May  7 22:46:04.602 UTC: ISAKMP:(0):Fill atts in sa vpi_length:4
May  7 22:46:04.602 UTC: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
May  7 22:46:04.602 UTC: ISAKMP:(0):Returning Actual lifetime: 86400
May  7 22:46:04.602 UTC: ISAKMP:(0)::Started lifetime timer: 86400.

May  7 22:46:04.602 UTC: ISAKMP:(0): processing vendor id payload
May  7 22:46:04.602 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
May  7 22:46:04.606 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947
May  7 22:46:04.606 UTC: ISAKMP:(0): processing vendor id payload
May  7 22:46:04.606 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
May  7 22:46:04.606 UTC: ISAKMP (0): vendor ID is NAT-T v7
May  7 22:46:04.606 UTC: ISAKMP:(0): processing vendor id payload
May  7 22:46:04.606 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
May  7 22:46:04.606 UTC: ISAKMP:(0): vendor ID is NAT-T v3
May  7 22:46:04.606 UTC: ISAKMP:(0): processing vendor id payload
May  7 22:46:04.606 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
May  7 22:46:04.606 UTC: ISAKMP:(0): vendor ID is NAT-T v2
May  7 22:46:04.606 UTC: ISAKMP:(0): processing KE payload. message ID = 0
May  7 22:46:04.654 UTC: ISAKMP:(0): processing NONCE payload. message ID = 0
May  7 22:46:04.654 UTC: ISAKMP:(0): processing vendor id payload
May  7 22:46:04.654 UTC: ISAKMP:(0): vendor ID is DPD
May  7 22:46:04.654 UTC: ISAKMP:(0): processing vendor id payload
May  7 22:46:04.654 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 126 mismatch
May  7 22:46:04.654 UTC: ISAKMP:(0): vendor ID is XAUTH
May  7 22:46:04.654 UTC: ISAKMP:(0): processing vendor id payload
May  7 22:46:04.654 UTC: ISAKMP:(0): claimed IOS but failed authentication
May  7 22:46:04.654 UTC: ISAKMP:(0): processing vendor id payload
May  7 22:46:04.654 UTC: ISAKMP:(0): vendor ID is Unity
May  7 22:46:04.654 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
May  7 22:46:04.654 UTC: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT
May  7 22:46:04.658 UTC: ISAKMP:(1258): constructed NAT-T vendor-rfc3947 ID
May  7 22:46:04.658 UTC: ISAKMP:(1258):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
May  7 22:46:04.658 UTC: ISAKMP (1258): ID payload
    next-payload : 10
    type         : 1
    address      : 202.78.8.22
    protocol     : 0
    port         : 0
    length       : 12
May  7 22:46:04.658 UTC: ISAKMP:(1258):Total payload length: 12
May  7 22:46:04.658 UTC: ISAKMP:(1258): sending packet to 222.165.6.20 my_port 500 peer_port 500 (R) AG_INIT_EXCH
May  7 22:46:04.662 UTC: ISAKMP:(1258):Sending an IKE IPv4 Packet.
May  7 22:46:04.662 UTC: ISAKMP:(1258):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
May  7 22:46:04.662 UTC: ISAKMP:(1258):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2
May  7 22:46:04.786 UTC: ISAKMP (1258): received packet from 222.165.6.20 dport 500 sport 500 Global (R) AG_INIT_EXCH
May  7 22:46:04.790 UTC: ISAKMP:(1258): processing HASH payload. message ID = 0
May  7 22:46:04.790 UTC: ISAKMP:received payload type 20
May  7 22:46:04.790 UTC: ISAKMP (1258): His hash no match - this node outside NAT
May  7 22:46:04.790 UTC: ISAKMP:received payload type 20
May  7 22:46:04.790 UTC: ISAKMP (1258): No NAT Found for self or peer
May  7 22:46:04.790 UTC: ISAKMP:(1258): processing NOTIFY INITIAL_CONTACT protocol 1
    spi 0, message ID = 0, sa = 47C66308
May  7 22:46:04.790 UTC: ISAKMP:(1258):SA authentication status: authenticated
May  7 22:46:04.790 UTC: ISAKMP:(1258):SA has been authenticated with 222.165.6.20
May  7 22:46:04.790 UTC: ISAKMP:(1258):SA authentication status: authenticated
May  7 22:46:04.790 UTC: ISAKMP:(1258): Process initial contact,
bring down existing phase 1 and 2 SA's with local 202.78.8.22 remote 222.165.6.20 remote port 500
May  7 22:46:04.790 UTC: ISAKMP:(1258):returning IP addr to the address pool
May  7 22:46:04.790 UTC: ISAKMP: Trying to insert a peer 202.78.8.22/222.165.6.20/500/,  and inserted successfully 47BD3278.
May  7 22:46:04.790 UTC: ISAKMP:(1258):Returning Actual lifetime: 86400
May  7 22:46:04.794 UTC: ISAKMP: set new node 319690623 to CONF_XAUTH  
May  7 22:46:04.794 UTC: ISAKMP:(1258):Sending NOTIFY RESPONDER_LIFETIME protocol 1 spi 1215728240, message ID = 319690623
May  7 22:46:04.794 UTC: ISAKMP:(1258): sending packet to 222.165.6.20 my_port 500 peer_port 500 (R) QM_IDLE     
May  7 22:46:04.794 UTC: ISAKMP:(1258):Sending an IKE IPv4 Packet.
May  7 22:46:04.794 UTC: ISAKMP:(1258):purging node 319690623
May  7 22:46:04.794 UTC: ISAKMP: Sending phase 1 responder lifetime 86400
May  7 22:46:04.794 UTC: ISAKMP:(1258):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
May  7 22:46:04.794 UTC: ISAKMP:(1258):Old State = IKE_R_AM2  New State = IKE_P1_COMPLETE
May  7 22:46:04.794 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May  7 22:46:04.798 UTC: ISAKMP:(1258):Need XAUTH
May  7 22:46:04.798 UTC: ISAKMP: set new node -980807588 to CONF_XAUTH  
May  7 22:46:04.798 UTC: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
May  7 22:46:04.798 UTC: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
May  7 22:46:04.798 UTC: ISAKMP:(1258): initiating peer config to 222.165.6.20. ID = -980807588
May  7 22:46:04.798 UTC: ISAKMP:(1258): sending packet to 222.165.6.20 my_port 500 peer_port 500 (R) CONF_XAUTH  
May  7 22:46:04.798 UTC: ISAKMP:(1258):Sending an IKE IPv4 Packet.
May  7 22:46:04.798 UTC: ISAKMP:(1258):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May  7 22:46:04.798 UTC: ISAKMP:(1258):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT
May  7 22:46:04.886 UTC: ISAKMP (1258): received packet from 222.165.6.20 dport 500 sport 500 Global (R) CONF_XAUTH  
May  7 22:46:04.886 UTC: ISAKMP:(1258):processing transaction payload from 222.165.6.20. message ID = -980807588
May  7 22:46:04.886 UTC: ISAKMP: Config payload REPLY
May  7 22:46:04.886 UTC: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
May  7 22:46:04.886 UTC: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
May  7 22:46:04.886 UTC: ISAKMP:(1258):deleting node -980807588 error FALSE reason "Done with xauth request/reply exchange"
May  7 22:46:04.886 UTC: ISAKMP:(1258):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
May  7 22:46:04.886 UTC: ISAKMP:(1258):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
May  7 22:46:04.890 UTC: ISAKMP: set new node 1760571115 to CONF_XAUTH  
May  7 22:46:04.890 UTC: ISAKMP:(1258): initiating peer config to 222.165.6.20. ID = 1760571115
May  7 22:46:04.890 UTC: ISAKMP:(1258): sending packet to 222.165.6.20 my_port 500 peer_port 500 (R) CONF_XAUTH  
May  7 22:46:04.890 UTC: ISAKMP:(1258):Sending an IKE IPv4 Packet.
May  7 22:46:04.890 UTC: ISAKMP:(1258):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
May  7 22:46:04.890 UTC: ISAKMP:(1258):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT  New State = IKE_XAUTH_SET_SENT
May  7 22:46:04.978 UTC: ISAKMP (1258): received packet from 222.165.6.20 dport 500 sport 500 Global (R) CONF_XAUTH  
May  7 22:46:04.978 UTC: ISAKMP:(1258):processing transaction payload from 222.165.6.20. message ID = 1760571115
May  7 22:46:04.978 UTC: ISAKMP: Config payload ACK
May  7 22:46:04.978 UTC: ISAKMP:(1258):       XAUTH ACK Processed
May  7 22:46:04.982 UTC: ISAKMP:(1258):deleting node 1760571115 error FALSE reason "Transaction mode done"
May  7 22:46:04.982 UTC: ISAKMP:(1258):Talking to a Unity Client
May  7 22:46:04.982 UTC: ISAKMP:(1258):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
May  7 22:46:04.982 UTC: ISAKMP:(1258):Old State = IKE_XAUTH_SET_SENT  New State = IKE_P1_COMPLETE
May  7 22:46:04.982 UTC: ISAKMP:(1258):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May  7 22:46:04.982 UTC: ISAKMP:(1258):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
May  7 22:46:04.982 UTC: ISAKMP (1258): received packet from 222.165.6.20 dport 500 sport 500 Global (R) QM_IDLE     
May  7 22:46:04.982 UTC: ISAKMP: set new node 170683285 to QM_IDLE     
May  7 22:46:04.986 UTC: ISAKMP:(1258):processing transaction payload from 222.165.6.20. message ID = 170683285
May  7 22:46:04.986 UTC: ISAKMP: Config payload REQUEST
May  7 22:46:04.986 UTC: ISAKMP:(1258):checking request:
May  7 22:46:04.986 UTC: ISAKMP:    MODECFG_CONFIG_URL
May  7 22:46:04.986 UTC: ISAKMP:    MODECFG_CONFIG_VERSION
May  7 22:46:04.986 UTC: ISAKMP:    IP4_DNS
May  7 22:46:04.986 UTC: ISAKMP:    IP4_DNS
May  7 22:46:04.986 UTC: ISAKMP:    IP4_NBNS
May  7 22:46:04.986 UTC: ISAKMP:    IP4_NBNS
May  7 22:46:04.986 UTC: ISAKMP:    SPLIT_INCLUDE
May  7 22:46:04.986 UTC: ISAKMP:    SPLIT_DNS
May  7 22:46:04.986 UTC: ISAKMP:    DEFAULT_DOMAIN
May  7 22:46:04.986 UTC: ISAKMP:    MODECFG_SAVEPWD
May  7 22:46:04.986 UTC: ISAKMP:    INCLUDE_LOCAL_LAN
May  7 22:46:04.986 UTC: ISAKMP:    PFS
May  7 22:46:04.986 UTC: ISAKMP:    BACKUP_SERVER
May  7 22:46:04.986 UTC: ISAKMP:    APPLICATION_VERSION
May  7 22:46:04.986 UTC: ISAKMP:    MODECFG_BANNER
May  7 22:46:04.986 UTC: ISAKMP:    MODECFG_IPSEC_INT_CONF
May  7 22:46:04.986 UTC: ISAKMP:    MODECFG_HOSTNAME
May  7 22:46:04.986 UTC: ISAKMP/author: Author request for group EZVPN_GRPsuccessfully sent to AAA
May  7 22:46:04.986 UTC: ISAKMP:(1258):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
May  7 22:46:04.986 UTC: ISAKMP:(1258):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
May  7 22:46:04.990 UTC: ISAKMP:(1258):attributes sent in message:
May  7 22:46:04.990 UTC: ISAKMP: Sending save password reply value 1
May  7 22:46:04.990 UTC: ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(24)T5, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Fri 04-Mar-11 03:52 by prod_rel_team
May  7 22:46:04.990 UTC: ISAKMP: Sending IPsec Interface Config reply value 0
May  7 22:46:04.990 UTC: ISAKMP (1258): Unknown Attr: MODECFG_HOSTNAME (0x700A)
May  7 22:46:04.990 UTC: ISAKMP:(1258): responding to peer config from 222.165.6.20. ID = 170683285
May  7 22:46:04.990 UTC: ISAKMP: Marking node 170683285 for late deletion
May  7 22:46:04.990 UTC: ISAKMP:(1258): sending packet to 222.165.6.20 my_port 500 peer_port 500 (R) CONF_ADDR   
May  7 22:46:04.990 UTC: ISAKMP:(1258):Sending an IKE IPv4 Packet.
May  7 22:46:04.994 UTC: ISAKMP:(1258):Talking to a Unity Client
May  7 22:46:04.994 UTC: ISAKMP:(1258):Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR
May  7 22:46:04.994 UTC: ISAKMP:(1258):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT  New State = IKE_P1_COMPLETE
May  7 22:46:04.994 UTC: ISAKMP:FSM error - Message from AAA grp/user.
May  7 22:46:04.994 UTC: ISAKMP:(1258):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May  7 22:46:04.994 UTC: ISAKMP:(1258):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
May  7 22:46:05.094 UTC: ISAKMP (1258): received packet from 222.165.6.20 dport 500 sport 500 Global (R) QM_IDLE     
May  7 22:46:05.094 UTC: ISAKMP: set new node -636079618 to QM_IDLE     
May  7 22:46:05.098 UTC: ISAKMP:(1258): processing HASH payload. message ID = -636079618
May  7 22:46:05.098 UTC: ISAKMP:(1258): processing SA payload. message ID = -636079618
May  7 22:46:05.098 UTC: ISAKMP:(1258):Checking IPSec proposal 1
May  7 22:46:05.098 UTC: ISAKMP: transform 1, ESP_AES
May  7 22:46:05.098 UTC: ISAKMP:   attributes in transform:
May  7 22:46:05.098 UTC: ISAKMP:      encaps is 1 (Tunnel)
May  7 22:46:05.098 UTC: ISAKMP:      SA life type in seconds
May  7 22:46:05.098 UTC: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
May  7 22:46:05.098 UTC: ISAKMP:      SA life type in kilobytes
May  7 22:46:05.098 UTC: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
May  7 22:46:05.098 UTC: ISAKMP:      authenticator is HMAC-SHA
May  7 22:46:05.098 UTC: ISAKMP:      key length is 128
May  7 22:46:05.098 UTC: ISAKMP:(1258):atts are acceptable.
May  7 22:46:05.098 UTC: IPSEC(validate_proposal_request): proposal part #1
May  7 22:46:05.098 UTC: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 202.78.8.22, remote= 222.165.6.20,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
May  7 22:46:05.102 UTC: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes esp-sha-hmac }
May  7 22:46:05.102 UTC: ISAKMP:(1258): IPSec policy invalidated proposal with error 256

<OUTPUT TRUNCATED>

May  7 22:46:05.110 UTC: ISAKMP:(1258):Checking IPSec proposal 6
May  7 22:46:05.110 UTC: ISAKMP: transform 1, ESP_AES
May  7 22:46:05.110 UTC: ISAKMP:   attributes in transform:
May  7 22:46:05.110 UTC: ISAKMP:      encaps is 1 (Tunnel)
May  7 22:46:05.110 UTC: ISAKMP:      SA life type in seconds
May  7 22:46:05.110 UTC: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
May  7 22:46:05.114 UTC: ISAKMP:      SA life type in kilobytes
May  7 22:46:05.114 UTC: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
May  7 22:46:05.114 UTC: ISAKMP:      authenticator is HMAC-MD5
May  7 22:46:05.114 UTC: ISAKMP:      key length is 192
May  7 22:46:05.114 UTC: ISAKMP:(1258):atts are acceptable.
May  7 22:46:05.282 UTC: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
May  7 22:46:05.282 UTC: IPSEC(key_engine_enable_outbound): enable SA with spi 2335958642/50
May  7 22:46:05.282 UTC: IPSEC(update_current_outbound_sa): updated peer 222.165.6.20 current outbound sa to SPI 8B3BE672
May  7 22:46:05.826 UTC: ISAKMP (1258): received packet from 222.165.6.20 dport 500 sport 500 Global (R) QM_IDLE     
May  7 22:46:05.826 UTC: ISAKMP: set new node 1010137477 to QM_IDLE     
May  7 22:46:05.826 UTC: ISAKMP:(1258): processing HASH payload. message ID = 1010137477
May  7 22:46:05.826 UTC: ISAKMP:(1258): processing NOTIFY CLIENT_UPDATE protocol 1
    spi 0, message ID = 1010137477, sa = 47C66308
May  7 22:46:05.826 UTC: ISAKMP:(0):Attribute type CLIENT_HOSTNAME, length = 15
May  7 22:46:05.826 UTC: ISAKMP:(0):Attribute type CLIENT_PLATFORM_NAME, length = 10
May  7 22:46:05.826 UTC: ISAKMP:(0):Attribute type CLIENT_HARDWARE_SERIAL, length = 11
May  7 22:46:05.826 UTC: ISAKMP:(0):Attribute type CLIENT_MEMORY_SIZE, length = 9
May  7 22:46:05.826 UTC: ISAKMP:(0):Attribute type CLIENT_AVAILABLE_MEMORY, length = 8
May  7 22:46:05.826 UTC: ISAKMP:(0):Attribute type CLIENT_IMAGE_VERSION, length = 42
May  7 22:46:05.826 UTC: ISAKMP:(1258):deleting node 1010137477 error FALSE reason "Informational (in) state 1"
May  7 22:46:05.826 UTC: ISAKMP:(1258):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
May  7 22:46:05.826 UTC: ISAKMP:(1258):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

2811-EZVPN#show crypto isakmp sa
 IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
202.78.8.22   222.165.6.20 QM_IDLE           1258 ACTIVE

No comments:

Post a Comment