Saturday, August 29, 2015

Cisco ASA 5505 Boot (RAM) Problem

My ASA 5505 lab firewall suddenly died on me when I was preparing it for my CCNA Security lab. I saw the Status LED light turn amber, which means the Power-On Self Test (POST) had failed. I tried reseating the RAM a couple of times and the ASA booted up again.


The Active LED light becomes solid green after POST and the ASA image boots up.


Below is the internal circuitry of an ASA 5505 chassis; the RAM slot, highlighted in yellow, is located near the front faceplate.


This is not the first time I've reseated a RAM module. I did this for my Cisco 2511 router's RAM and it booted up afterwards. This seems to be common, especially on old or refurbished devices that are often moved from place to place, so that the internal parts get shaken loose. Below is the complete bootup of my ASA 5505 firewall.


CISCO SYSTEMS
Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45

Low Memory: 632 KB
High Memory: 507 MB
PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
 00  01  00   1022   2080  Host Bridge
 00  01  02   1022   2082  Chipset En/Decrypt 11
 00  0C  00   1148   4320  Ethernet           11
 00  0D  00   177D   0003  Network En/Decrypt 10
 00  0F  00   1022   2090  ISA Bridge
 00  0F  02   1022   2092  IDE Controller
 00  0F  03   1022   2093  Audio              10
 00  0F  04   1022   2094  Serial Bus         9
 00  0F  05   1022   2095  Serial Bus         9

Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008

Platform ASA5505

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

Launching BootLoader...
Default configuration file contains 1 entry.

Searching / for images to boot.

Loading /asa901-k8.bin... Booting...
Platform ASA5505

Loading...
IO memory blocks requested from bigphys 32bit: 9928
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/hda1: 460 files, 28778/31033 clusters
dosfsck(/dev/hda1) returned 0
Processor memory 343932928, Reserved memory: 62914560

Total SSMs found: 0

Total NICs found: 10
88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
88E6095 rev 2 Ethernet @ index 08 MAC: c84c.7596.e7c5
88E6095 rev 2 Ethernet @ index 07 MAC: c84c.7596.e7c4
88E6095 rev 2 Ethernet @ index 06 MAC: c84c.7596.e7c3
88E6095 rev 2 Ethernet @ index 05 MAC: c84c.7596.e7c2
88E6095 rev 2 Ethernet @ index 04 MAC: c84c.7596.e7c1
88E6095 rev 2 Ethernet @ index 03 MAC: c84c.7596.e7c0
88E6095 rev 2 Ethernet @ index 02 MAC: c84c.7596.e7bf
88E6095 rev 2 Ethernet @ index 01 MAC: c84c.7596.e7be
y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: c84c.7596.e7c6
Verify the activation-key, it might take a while...
Running Permanent Activation Key: 0x3021cd54 0x20efac90 0xc852410c 0xb95cd094 0xc108009a
Running Timebased Activation Key: 0x11580c70 0xbc7e2ac4 0x093d128a 0x4834133b 0x8abfcf80

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Enabled        91 days
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has a Base license.

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.08

Cisco Adaptive Security Appliance Software Version 9.0(1)

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

  If you require further assistance please contact us by
  sending email to export@cisco.com.
  ******************************* Warning *******************************

This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.openssl.org/)
Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
All rights reserved.
Copyright (c) 1998-2011 The OpenSSL Project.
All rights reserved.

This product includes software developed at the University of
California, Irvine for use in the DAV Explorer project
(http://www.ics.uci.edu/~webdav/)
Copyright (c) 1999-2005 Regents of the University of California.
All rights reserved.

Busybox, version 1.16.1, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
Busybox comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.

DOSFSTOOLS, version 2.11, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307
675 Mass Ave, Cambridge, MA 02139
DOSFSTOOLS comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.

grub, version 0.94, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307
grub comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.

libgcc, version 4.3, Copyright (C) 2007 Free Software Foundation, Inc.
libgcc comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.

libstdc++, version 4.3, Copyright (C) 2007 Free Software Foundation, Inc.
libstdc++ comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.

Linux kernel, version 2.6.29.6, Copyright (C) 1989, 1991 Free Software
Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
Linux kernel comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.

module-init-tools, version 3.10, Copyright (C) 1989, 1991 Free Software
Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
module-init-tools comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.

numactl, version 2.0.3, Copyright (C) 2008 SGI.
Author: Andi Kleen, SUSE Labs
Version 2.0.0 by Cliff Wickman, Chritopher Lameter and Lee Schermerhorn
numactl comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.

pciutils, version 3.1.4, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
pciutils comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.

readline, version 5.2, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111 USA
readline comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.

udev, version 146, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
udev comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.

Cisco Adapative Security Appliance Software, version 9.0,
Copyright (c) 1996-2012 by Cisco Systems, Inc.
Certain components of Cisco ASA Software, Version 9.0 are licensed under the GNU
Lesser Public License (LGPL) Version 2.1.  The software code licensed under LGPL
Version 2.1 is free software that comes with ABSOLUTELY NO WARRANTY.  You can
redistribute and/or modify such LGPL code under the terms of LGP(http://www.gnu.org/licenses/lgpl-2.1.html).  See User Manual for licensing
details.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

Reading from flash...
!!!....Warning: unexpected configuration tag 'timeout-alert' (line=131,column=5,position=5927)

*** Output from config line 254, " enable outside"
..
Cryptochecksum (unchanged): 68173df4 8d6682e2 aecca03a 09d84505
+--------------------------------------------------------------+
| This equipment is privately owned and monitored.             |
| Disconnect immediately if you are not an authorized user.    |
+--------------------------------------------------------------+
Type help or '?' for a list of available commands.
ASA5505>      // STARTUP-CONFIG STILL INTACT
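After a hardware fault like this, the boot transcript is worth reading as data rather than scrolling past: the licensed-feature table tells you which capabilities are perpetual and which are time-limited (here "AnyConnect for Mobile" has 91 days left), the "Reading from flash" stage reports any configuration lines the image could not parse, and the Cryptochecksum line confirms whether the startup-config came back unchanged. The following Python parser is an added example, not part of the original post; it runs over a constructed, trimmed excerpt of the boot output above and turns those three things into a short triage list.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the ASA 5505 boot output from the post, trimmed to the
# lines this parser cares about (the real feature table is longer).
SAMPLE_BOOT = """\
Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect for Mobile             : Enabled        91 days
Botnet Traffic Filter             : Disabled       perpetual

This platform has a Base license.

Cisco Adaptive Security Appliance Software Version 9.0(1)

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  ******************************* Warning *******************************

Reading from flash...
!!!....Warning: unexpected configuration tag 'timeout-alert' (line=131,column=5,position=5927)
Cryptochecksum (unchanged): 68173df4 8d6682e2 aecca03a 09d84505
"""

# One row of the feature table: "<name>   : <value>   <term>"
FEATURE_RE = re.compile(r"^(?P<name>\S.*?)\s+:\s+(?P<value>\S+)\s+(?P<term>\S.*?)\s*$")
# Config-load warnings carry a colon; the export-control banner ("Warning ***") does not.
CONFIG_WARNING_RE = re.compile(r"Warning:\s*(.+)")


@dataclass
class BootReport:
    version: Optional[str] = None
    license_tier: Optional[str] = None
    features: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # name -> (value, term)
    config_warnings: List[str] = field(default_factory=list)
    checksum_status: Optional[str] = None


def parse_asa_boot(text: str) -> BootReport:
    """Extract version, license tier, feature table, config warnings and checksum state."""
    rep = BootReport()
    m = re.search(r"Software Version (\S+)", text)
    if m:
        rep.version = m.group(1)
    m = re.search(r"This platform has an? (\w+) license", text)
    if m:
        rep.license_tier = m.group(1)
    in_table = False
    for line in text.splitlines():
        if line.startswith("Licensed features for this platform:"):
            in_table = True
            continue
        if in_table:
            if not line.strip():          # blank line closes the table
                in_table = False
                continue
            m = FEATURE_RE.match(line)
            if m:
                rep.features[m["name"]] = (m["value"], m["term"])
            continue
        m = CONFIG_WARNING_RE.search(line)
        if m:
            rep.config_warnings.append(m.group(1).strip())
        m = re.search(r"Cryptochecksum \((\w+)\)", line)
        if m:
            rep.checksum_status = m.group(1)
    return rep


def triage(rep: BootReport) -> List[str]:
    """Things an operator should look at after the box comes back up."""
    findings = []
    for name, (value, term) in rep.features.items():
        if term.endswith("days"):        # evaluation / time-based license
            findings.append(f"time-limited: {name} ({value}, {term})")
    for warning in rep.config_warnings:
        findings.append(f"config warning: {warning}")
    if rep.checksum_status and rep.checksum_status != "unchanged":
        findings.append(f"cryptochecksum {rep.checksum_status}: startup-config differs")
    return findings


if __name__ == "__main__":
    report = parse_asa_boot(SAMPLE_BOOT)
    print(report.version, report.license_tier, len(report.features), "features")
    for item in triage(report):
        print("-", item)
```

Feed it a captured console session (`parse_asa_boot(open("boot.log").read())`) and keep the output with the incident notes; a changed Cryptochecksum or a new "unexpected configuration tag" line after a RAM reseat is the kind of detail that is easy to miss in 250 lines of license text.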

Saturday, August 22, 2015

Configuring a Remote Access VPN Server and Client

The Cisco VPN client is already a legacy application and has been replaced by AnyConnect Secure Mobility Solutions, although it's still a good VPN client for testing in a lab environment. I've been using AnyConnect on my laptop to VPN into our corporate network since we migrated from the Cisco VPN 3000 concentrator last year. The only drawback is that there's no VPN client support on the iPhone, since our corporate ASA firewall doesn't have the AnyConnect mobile license installed.



Router(config)#hostname R1
R1(config)#no ip domain-lookup
R1(config)#interface fastethernet0/1
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#
*Jun 27 12:34:05.607: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Jun 27 12:34:06.607: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R1(config-if)#interface serial0/0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shutdown
*Jun 27 12:34:26.831: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
*Jun 27 12:34:27.831: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
R1(config-if)#clock rate 64000
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2


Router(config)#hostname R2
R2(config)#no ip domain-lookup
R2(config)#interface serial0/0/0
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#do ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R2(config-if)#interface serial0/0/1
R2(config-if)#ip address 10.2.2.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#
*Jun 27 12:34:56.803: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Jun 27 12:34:57.803: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R2(config-if)#clock rate 64000
R2(config-if)#exit
R2(config)#ip route 192.168.1.0 255.255.255.0 10.1.1.1
R2(config)#ip route 192.168.3.0 255.255.255.0 10.2.2.1


Router(config)#hostname R3
R3(config)#no ip domain-lookup
R3(config)#interface fastethernet0/1
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#
*Jun 27 12:39:41.255: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Jun 27 12:39:42.255: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R3(config-if)#interface serial0/0/1
R3(config-if)#ip address 10.2.2.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#do ping 10.2.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms
R3(config-if)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 10.2.2.2


R1(config)#security passwords min-length 10
R1(config)#enable secret cisco12345
R1(config)#line console 0
R1(config-line)#password ciscoconpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#logging synchronous
R1(config-line)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login


R2(config)#security passwords min-length 10
R2(config)#enable secret cisco12345
R2(config)#line console 0
R2(config-line)#password ciscoconpass
R2(config-line)#exec-timeout 5 0
R2(config-line)#login
R2(config-line)#logging synchronous
R2(config-line)#line vty 0 4
R2(config-line)#password ciscovtypass
R2(config-line)#exec-timeout 5 0
R2(config-line)#login


R3(config)#security passwords min-length 10
R3(config)#enable secret cisco12345
R3(config)#line console 0
R3(config-line)#password ciscoconpass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
R3(config-line)#logging synchronous
R3(config-line)#line vty 0 4
R3(config-line)#password ciscovtypass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login


R1(config)#service password-encryption


R2(config)#service password-encryption


R3(config)#service password-encryption


R3(config)#ip http server
R3(config)#username admin01 privilege 15 password 0 admin01pass
R3(config)#ip http authentication local


C:\Users\PC-C>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
   IPv4 Address. . . . . . . . . . . : 192.168.3.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.3.1

C:\Users\PC-C>ping 10.2.2.2     // R2 S0/0/1; STATEFUL ICMP ANY ANY ALLOWED

Pinging 10.2.2.2 with 32 bytes of data:
Reply from 10.2.2.2: bytes=32 time=18ms TTL=254
Reply from 10.2.2.2: bytes=32 time=18ms TTL=254
Reply from 10.2.2.2: bytes=32 time=18ms TTL=254
Reply from 10.2.2.2: bytes=32 time=18ms TTL=254

Ping statistics for 10.2.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 18ms, Maximum = 18ms, Average = 18ms


C:\Users\PC-C>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
   IPv4 Address. . . . . . . . . . . : 192.168.1.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1


C:\Users\PC-C>ping 192.168.3.1    // CAN'T PING R3 DUE TO ZBF

Pinging 192.168.3.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.3.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),



R3#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  administratively down down
FastEthernet0/1            192.168.3.1     YES NVRAM  up                    up 
Serial0/0/0                unassigned      YES NVRAM  administratively down down
Serial0/0/1                10.2.2.1        YES NVRAM  up                    up 
Virtual-Access1            unassigned      YES unset  down                  down
Virtual-Template1          10.2.2.1        YES TFTP   down                  down  
R3#
*Jun 27 23:38:13.871: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up

R3#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  administratively down down
FastEthernet0/1            192.168.3.1     YES NVRAM  up                    up 
Serial0/0/0                unassigned      YES NVRAM  administratively down down
Serial0/0/1                10.2.2.1        YES NVRAM  up                    up 
Virtual-Access1            unassigned      YES unset  down                  down
Virtual-Template1          10.2.2.1        YES TFTP   down                  down
Virtual-Access2            10.2.2.1        YES TFTP   up                    up

R3#
*Jun 27 23:39:08.739: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.2.2.1, prot=50, spi=0x94040000(2483290112), srcaddr=192.168.1.3
R3#
*Jun 27 23:39:08.739: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 10.2.2.1 dst 192.168.1.3 for SPI 0x94040000
R3#
*Jun 27 23:39:18.883: ISAKMP (0:1001): received packet from 192.168.1.3 dport 500 sport 65306 Global (R) QM_IDLE
*Jun 27 23:39:18.883: ISAKMP: set new node -697361896 to QM_IDLE
*Jun 27 23:39:18.887: ISAKMP:(1001): processing HASH payload. message ID = -697361896
*Jun 27 23:39:18.887: ISAKMP:(1001): processing NOTIFY DPD/R_U_THERE protocol 1
        spi 0, message ID = -697361896, sa = 652801E4
*Jun 27 23:39:18.887: ISAKMP:(1001):deleting node -697361896 error FALSE reason "Informational (in) state 1"
*Jun 27 23:39:18.887: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jun 27 23:39:18.887: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Jun 27 23:39:18.887: ISAKMP:(1001):DPD/R_U_THERE received from peer 192.168.1.3, sequence 0x4C6CE159
*Jun 27 23:39:18.887: ISAKMP: set new node 738064527 to QM_IDLE
*Jun 27 23:39:18.887: ISAKMP:(1001):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 1701105672, message ID = 738064527
*Jun 27 23:39:18.887: ISAKMP:(1001): seq. no 0x4C6CE159
*Jun 27 23:39:18.887: ISAKMP:(1001): sending packet to 192.168.1.3 my_port 500 peer_port 65306 (R) QM_IDLE
*Jun 27 23:39:18.887: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Jun 27 23:39:18.887: ISAKMP:(1001):purging node 738064527
R3#
*Jun 27 23:39:18.891: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jun 27 23:39:18.891: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE


C:\Users\PC-A>telnet 192.168.3.1

User Access Verification

Username: admin01
Password:

R3#show users
    Line       User       Host(s)              Idle       Location
   0 con 0     admin01    idle                 00:04:04
*194 vty 0     admin01    idle                 00:00:00 192.168.3.100  

  Interface    User               Mode         Idle     Peer Address

Saturday, August 15, 2015

Configuring a Site-to-Site VPN Using Cisco IOS and CCP

I recently configured another Cisco ASA firewall for a site-to-site IPsec VPN (purely for remote management) from our Bangalore, India point-of-presence (POP) back to our HQ. I thought we wouldn't be able to finish the VPN setup, as the ISP advised us that their government had instructed them not to allow VPNs back to any foreign country due to APTs and the rise in hacking incidents. But after persistent discussions with the ISP, we were allowed to run the VPN in the end.


The only added complexity for this setup was the failover, since we don't have any out-of-band (OOB) management for our core devices. Aside from the public Internet access, we also ordered an international private leased circuit (IPLC) back to our campus in London and turned it into an MPLS circuit. Whenever the IPsec VPN tunnel fails, the route falls back to the MPLS circuit; this was accomplished simply with an IP SLA configuration. Below is the site-to-site VPN lab I did while studying for my CompTIA Security+.


Router(config)#hostname R1
R1(config)#interface fastethernet0/1
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#
*Jun 21 05:56:30.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R1(config-if)#interface serial0/0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#clock rate 64000
R1(config-if)#
*Jun 21 05:57:00.039: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down
R1(config-if)#exit
R1(config)#no ip domain-lookup
R1(config)#router eigrp 101
R1(config-router)#network 192.168.1.0 0.0.0.255
R1(config-router)#network 10.1.1.0 0.0.0.3
R1(config-router)#no auto-summary


Router(config)#hostname R2
R2(config)#no ip domain-lookup
R2(config)#interface serial0/0/0
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#
*Jun 21 05:57:56.695: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
*Jun 21 05:57:57.695: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
R2(config-if)#do ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R2(config-if)#interface serial0/0/1
R2(config-if)#ip address 10.2.2.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#clock rate
*Jun 21 05:58:32.439: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down
R2(config-if)#clock rate 64000
R2(config-if)#exit
R2(config)#router eigrp 101
R2(config-router)#network 10.1.1.0 0.0.0.3
R2(config-router)#
*Jun 21 05:59:02.479: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.1.1.1 (Serial0/0/0) is up: new adjacency
R2(config-router)#network 10.2.2.0 0.0.0.3
R2(config-router)#no auto-summary
R2(config-router)#
*Jun 21 05:59:21.323: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.1.1.1 (Serial0/0/0) is resync: summary configured


Router(config)#hostname R3
R3(config)#no ip domain-lookup
R3(config)#interface fastethernet0/1
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#
*Jun 21 06:04:41.803: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R3(config-if)#interface seria0/0/1
R3(config-if)#ip address 10.2.2.1 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#
*Jun 21 06:05:23.671: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Jun 21 06:05:24.671: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R3(config-if)#do ping 10.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R3(config-if)#exit
R3(config)#router eigrp 101
R3(config-router)#network 192.168.3.0 0.0.0.255
R3(config-router)#network 10.2.2.0 0.0.0.3
*Jun 21 06:05:59.391: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.2.2.2 (Serial0/0/1) is up: new adjacency
R3(config-router)#no auto-summary
R3(config-router)#
*Jun 21 06:06:12.747: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.2.2.2 (Serial0/0/1) is resync: summary configured


R1#ping 192.168.3.1    // R1 TO R3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms


C:\Users\PC-A>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
   IPv4 Address. . . . . . . . . . . : 192.168.1.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

C:\Users\PC-A>ping 192.168.3.3    // PING PC-A TO PC-C

Pinging 192.168.3.3 with 32 bytes of data:
Reply from 192.168.3.3: bytes=32 time=36ms TTL=253
Reply from 192.168.3.3: bytes=32 time=35ms TTL=253
Reply from 192.168.3.3: bytes=32 time=35ms TTL=253
Reply from 192.168.3.3: bytes=32 time=36ms TTL=253

Ping statistics for 192.168.3.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 35ms, Maximum = 36ms, Average = 35ms


R1(config)#security passwords min-length 10
R1(config)#service password-encryption
R1(config)#line console 0
R1(config-line)#password ciscoconpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#logging synchronous
R1(config-line)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login


R2(config)#security passwords min-length 10
R2(config)#service password-encryption
R2(config)#line console 0
R2(config-line)#password ciscoconpass
R2(config-line)#exec-timeout 5 0
R2(config-line)#login
R2(config-line)#logging synchronous
R2(config-line)#line vty 0 4
R2(config-line)#password ciscovtypass
R2(config-line)#exec-timeout 5 0
R2(config-line)#login


R3(config)#security passwords min-length 10
R3(config)#service password-encryption
R3(config)#line console 0
R3(config-line)#password ciscoconpass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
R3(config-line)#logging synchronous
R3(config-line)#line vty 0 4
R3(config-line)#password ciscovtypass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
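The same baseline (minimum password length, `service password-encryption`, `enable secret`, `exec-timeout` and `login` on the console and vty lines) is typed by hand on all three routers in both this lab and the remote-access lab above. Once there are more than a handful of devices, it is worth checking the saved configs mechanically rather than by eye. The script below is an added example, not code from the post: it audits a constructed running-config excerpt modelled on R3's commands (the type 5/7 strings are placeholders) and also flags two things the labs leave open, a `username ... password` line (type 7 is reversible; `username ... secret` is the hashed form) and `ip http server` / vty lines without `transport input ssh`, both of which still put credentials on the wire in clear text.

```python
import re
from typing import Iterator, List, Tuple

# Constructed running-config excerpt mirroring the commands entered on R3 in the
# posts above, in saved form: 'service password-encryption' has already turned the
# line and username passwords into type 7 strings. Hashes are placeholders.
LAB_CONFIG = """\
hostname R3
security passwords min-length 10
service password-encryption
enable secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
username admin01 privilege 15 password 7 PLACEHOLDER7
ip http server
ip http authentication local
line con 0
 exec-timeout 5 0
 password 7 PLACEHOLDER7
 logging synchronous
 login
line vty 0 4
 exec-timeout 5 0
 password 7 PLACEHOLDER7
 login
"""


def _line_sections(lines: List[str]) -> Iterator[Tuple[str, List[str]]]:
    """Yield (line name, sub-commands) for every 'line ...' block in a config."""
    name, body = None, []
    for raw in lines:
        if raw.startswith("line "):
            if name is not None:
                yield name, body
            name, body = raw[5:].strip(), []
        elif name is not None and raw.startswith(" "):
            body.append(raw.strip())
        elif name is not None:          # any other top-level command ends the block
            yield name, body
            name, body = None, []
    if name is not None:
        yield name, body


def audit_ios_config(text: str) -> List[str]:
    """Return baseline findings for one IOS running-config; empty list means clean."""
    lines = text.splitlines()
    top = [l for l in lines if l and not l.startswith((" ", "!"))]

    def has(prefix: str) -> bool:
        return any(l.startswith(prefix) for l in top)

    findings: List[str] = []
    m = re.search(r"^security passwords min-length (\d+)$", text, re.M)
    if m is None or int(m.group(1)) < 10:
        findings.append("global: 'security passwords min-length' missing or below 10")
    if not has("service password-encryption"):
        findings.append("global: 'service password-encryption' not set (line passwords stored in clear)")
    if not has("enable secret"):
        findings.append("global: no 'enable secret' (privileged EXEC not protected by a hash)")
    for l in top:
        if re.match(r"username \S+( privilege \d+)? password ", l):
            findings.append(f"global: '{l.split(' password ')[0]}' uses a reversible password; use 'secret'")
    if has("ip http server") and not has("ip http secure-server"):
        findings.append("global: 'ip http server' enabled without HTTPS ('ip http secure-server')")
    for name, body in _line_sections(lines):
        if not any(b == "login" or b.startswith("login ") for b in body):
            findings.append(f"line {name}: no 'login' (no authentication on this line)")
        timeout = next((b for b in body if b.startswith("exec-timeout")), None)
        if timeout is None or timeout == "exec-timeout 0 0":
            findings.append(f"line {name}: idle sessions never time out")
        if name.startswith("vty") and not any(b.startswith("transport input ssh") for b in body):
            findings.append(f"line {name}: no 'transport input ssh', Telnet still accepted")
    return findings


if __name__ == "__main__":
    for finding in audit_ios_config(LAB_CONFIG):
        print("-", finding)
```

Run it over the output of `show running-config` saved to a file for each router; the three findings it raises on the lab config are exactly the ones a CCNA Security reviewer would mark on a production box, and a clean result on the console/vty checks confirms the procedure above was applied everywhere.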


C:\Users\PC-A>ping 192.168.3.3    // PING PC-C

Pinging 192.168.3.3 with 32 bytes of data:
Reply from 192.168.3.3: bytes=32 time=35ms TTL=253
Reply from 192.168.3.3: bytes=32 time=35ms TTL=253
Reply from 192.168.3.3: bytes=32 time=35ms TTL=253
Reply from 192.168.3.3: bytes=32 time=35ms TTL=253

Ping statistics for 192.168.3.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 35ms, Maximum = 35ms, Average = 35ms


R1(config)#crypto isakmp ?
  aggressive-mode       Disable ISAKMP aggressive mode
  client                Set client configuration policy
  default               ISAKMP default policy
  enable                Enable ISAKMP
  fragmentation         IKE Fragmentation enabled if required
  identity              Set the identity which ISAKMP will use
  invalid-spi-recovery  Initiate IKE and send Invalid SPI Notify
  keepalive             Set a keepalive interval for use with IOS peers
  key                   Set pre-shared key for remote peer
  nat                   Set a nat  keepalive interval for use with IOS peers
  peer                  Set Peer Policy
  policy                Set policy for an ISAKMP protection suite
  profile               Define ISAKMP Profiles
  xauth                 Set Extended Authentication values

R1(config)#crypto isakmp enable    // ENABLED BY DEFAULT


R3(config)#crypto isakmp enable


R1(config)#crypto isakmp policy ?
  <1-10000>  Priority of protection suite

R1(config)#crypto isakmp policy 10
R1(config-isakmp)#?
ISAKMP commands:
  authentication  Set authentication method for protection suite
  default         Set a command to its defaults
  encryption      Set encryption algorithm for protection suite
  exit            Exit from ISAKMP protection suite configuration mode
  group           Set the Diffie-Hellman group
  hash            Set hash algorithm for protection suite
  lifetime        Set lifetime for ISAKMP security association
  no              Negate a command or set its defaults

R1(config-isakmp)#authentication ?
  pre-share  Pre-Shared Key
  rsa-encr   Rivest-Shamir-Adleman Encryption
  rsa-sig    Rivest-Shamir-Adleman Signature

R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption ?
  3des  Three key triple DES
  aes   AES - Advanced Encryption Standard.
  des   DES - Data Encryption Standard (56 bit keys).

R1(config-isakmp)#encryption aes ?
  128  128 bit keys.
  192  192 bit keys.
  256  256 bit keys.
  <cr>

R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#hash ?
  md5  Message Digest 5
  sha  Secure Hash Standard

R1(config-isakmp)#hash sha
R1(config-isakmp)#group ?
  1  Diffie-Hellman group 1
  2  Diffie-Hellman group 2
  5  Diffie-Hellman group 5

R1(config-isakmp)#group 5
R1(config-isakmp)#lifetime ?
  <60-86400>  lifetime in seconds

R1(config-isakmp)#lifetime 3600


R3(config)#crypto isakmp policy 10
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption aes 256
R3(config-isakmp)#hash sha
R3(config-isakmp)#group 5
R3(config-isakmp)#lifetime 3600


R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               3600 seconds, no volume limit

R1(config)#crypto isakmp key ?
  0     Specifies an UNENCRYPTED password will follow
  6     Specifies an ENCRYPTED password will follow
  WORD  The UNENCRYPTED (cleartext) user password

R1(config)#crypto isakmp key cisco123 ?
  address   define shared key with IP address
  hostname  define shared key with hostname

R1(config)#crypto isakmp key cisco123 address ?
  A.B.C.D  Peer IP address
  ipv6     define shared key with IPv6 address

R1(config)#crypto isakmp key cisco123 address 10.2.2.1


R3(config)#crypto isakmp key cisco123 address 10.1.1.1


R1(config)#crypto ipsec ?
  client                Configure a client
  default               Default transform-set
  df-bit                Handling of encapsulated DF bit.
  fragmentation         Handling of fragmentation of near-MTU sized packets
  nat-transparency      IPsec NAT transparency model
  optional              Enable optional encryption for IPSec
  profile               Configure an ipsec policy profile
  security-association  Security association parameters
  transform-set         Define transform and settings

R1(config)#crypto ipsec transform-set ?
  WORD  Transform set tag

R1(config)#crypto ipsec transform-set 50 ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-seal      ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac  ESP transform using HMAC-SHA auth

R1(config)#crypto ipsec transform-set 50 esp-aes ?
  128           128 bit keys.
  192           192 bit keys.
  256           256 bit keys.
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-sha-hmac  ESP transform using HMAC-SHA auth
  <cr>

R1(config)#crypto ipsec transform-set 50 esp-aes 256 ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-sha-hmac  ESP transform using HMAC-SHA auth
  <cr>

R1(config)#crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac


R3(config)#crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac


R1(config)#crypto ipsec security-association ?
  idle-time  Automatically delete IPSec SAs after a given idle period.
  lifetime   security association lifetime
  replay     Set replay checking.

R1(config)#crypto ipsec security-association lifetime ?
  kilobytes  Volume-based key duration
  seconds    Time-based key duration

R1(config)#crypto ipsec security-association lifetime seconds ?
  <120-86400>  Security association duration in seconds

R1(config)#crypto ipsec security-association lifetime seconds 1800    // DEFAULT IS 3600 SECONDS (1 HOUR)


R3(config)#crypto ipsec security-association lifetime seconds 1800


R1(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255    // CRYPTO ACL: DEFINES INTERESTING TRAFFIC TO ENCRYPT; ANYTHING NOT PERMITTED HERE LEAVES THE INTERFACE UNENCRYPTED

R3(config)#access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255


R1(config)#crypto map ?
  WORD  Crypto map tag

R1(config)#crypto map CMAP ?
  <1-65535>       Sequence to insert into crypto map entry
  client          Specify client configuration settings
  isakmp          Specify isakmp configuration settings
  isakmp-profile  Specify isakmp profile to use
  local-address   Interface to use for local address for this crypto map
  redundancy      High availability options for this map

R1(config)#crypto map CMAP 10 ?
  gdoi          GDOI
  ipsec-isakmp  IPSEC w/ISAKMP
  ipsec-manual  IPSEC w/manual keying
  <cr>

R1(config)#crypto map CMAP 10 ipsec-isakmp     // TIES CRYPTO ACL, PEER AND TRANSFORM SET TOGETHER; ipsec-isakmp MEANS IKE NEGOTIATES THE KEYS
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#?
Crypto Map configuration commands:
  default        Set a command to its defaults
  description    Description of the crypto map statement policy
  dialer         Dialer related commands
  exit           Exit from crypto map configuration mode
  match          Match values.
  no             Negate a command or set its defaults
  qos            Quality of Service related commands
  reverse-route  Reverse Route Injection.
  set            Set values for encryption/decryption

R1(config-crypto-map)#match ?
  address  Match address of packets to encrypt.

R1(config-crypto-map)#match address ?
  <100-199>    IP access-list number
  <2000-2699>  IP access-list number (expanded range)
  WORD         Access-list name

R1(config-crypto-map)#match address 101   // CRYPTO ACL
R1(config-crypto-map)#set ?
  identity              Identity restriction.
  ip                    Interface Internet Protocol config commands
  isakmp-profile        Specify isakmp Profile
  nat                   Set NAT translation
  peer                  Allowed Encryption/Decryption peer.
  pfs                   Specify pfs settings
  reverse-route         Reverse Route Injection.
  security-association  Security association parameters
  transform-set         Specify list of transform sets in priority order

R1(config-crypto-map)#set peer ?
  A.B.C.D  IP address of peer
  WORD     Host name of the peer

R1(config-crypto-map)#set peer 10.2.2.1     // R3 VPN ENDPOINT INTERFACE IP
R1(config-crypto-map)#set pfs ?
  group1  D-H Group1 (768-bit modp)
  group2  D-H Group2 (1024-bit modp)
  group5  D-H Group5 (1536-bit modp)
  <cr>

R1(config-crypto-map)#set pfs group5
R1(config-crypto-map)#set transform-set ?
  WORD  Proposal tag

R1(config-crypto-map)#set transform-set 50
R1(config-crypto-map)#set security-association ?
  idle-time  Automatically delete IPSec SAs after a given idle period.
  level      specify a security association granularity level for identities
  lifetime   security association lifetime
  replay     Set replay checking.

R1(config-crypto-map)#set security-association lifetime ?
  kilobytes  Volume-based key duration
  seconds    Time-based key duration

R1(config-crypto-map)#set security-association lifetime seconds ?
  <120-86400>  Security association duration in seconds

R1(config-crypto-map)#set security-association lifetime seconds 900
R1(config-crypto-map)#exi
R1(config)#interface serial0/0/0    // APPLY THE CRYPTO MAP TO THE WAN INTERFACE; SAs WILL NOT FORM UNTIL INTERESTING TRAFFIC (CRYPTO ACL) TRIGGERS IKE
R1(config-if)#crypto ?
  ipsec  Set IPSec parameters
  map    Assign a Crypto Map

R1(config-if)#crypto map ?
  WORD  Crypto Map tag
  <cr>

R1(config-if)#crypto map CMAP
R1(config-if)#
*Jun 26 14:18:23.659: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON  


R3(config)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)#match address 101
R3(config-crypto-map)#set peer 10.1.1.1
R3(config-crypto-map)#set pfs group5
R3(config-crypto-map)#set transform-set 50
R3(config-crypto-map)#set security-association lifetime seconds 900
R3(config-crypto-map)#exit
R3(config)#interface serial0/0/1
R3(config-if)#crypto map CMAP
R3(config-if)#
*Jun 26 14:19:51.635: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON


R1#show crypto ipsec ?
  client                Show Client Status
  default               Default crypto transform sets
  policy                Show IPSEC client policies
  profile               Show ipsec profile information
  sa                    IPSEC SA table
  security-association  Show parameters for IPSec security associations
  spi-lookup            IPSEC SPI table
  transform-set         Crypto transform sets

R1#show crypto ipsec transform-set
Transform set 50: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },

R1#show crypto map
Crypto Map "CMAP" 10 ipsec-isakmp
        Peer = 10.2.2.1
        Extended IP access list 101
            access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
        Current peer: 10.2.2.1
        Security association lifetime: 4608000 kilobytes/900 seconds
        PFS (Y/N): Y
        DH group:  group5
        Transform sets={
                50:  { esp-256-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map CMAP:
                Serial0/0/0


R3#show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               3600 seconds, no volume limit
R3#
R3#show crypto ipsec transform-set
Transform set 50: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },

R3#show crypto map
Crypto Map "CMAP" 10 ipsec-isakmp
        Peer = 10.1.1.1
        Extended IP access list 101
            access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
        Current peer: 10.1.1.1
        Security association lifetime: 4608000 kilobytes/900 seconds
        PFS (Y/N): Y
        DH group:  group5
        Transform sets={
                50:  { esp-256-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map CMAP:
                Serial0/0/1


R1#show crypto isakmp ?
  default  Show ISAKMP default
  key      Show ISAKMP preshared keys
  peers    Show ISAKMP peer structures
  policy   Show ISAKMP protection suite policy
  profile  Show ISAKMP profiles
  sa       Show ISAKMP Security Associations

R1#show crypto isakmp sa     // NO IKE SA EXISTS YET
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status   

IPv6 Crypto ISAKMP SA

R1#show crypto ipsec sa

interface: Serial0/0/0
    Crypto map tag: CMAP, local addr 10.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 10.2.2.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

R1#ping 10.2.2.1    // PING R3 S0/0/1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms

R1#show crypto isakmp sa    // STILL NO IKE SA: WAN-TO-WAN PING DOESN'T MATCH CRYPTO ACL 101, SO NOTHING TRIGGERED IKE
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status   

IPv6 Crypto ISAKMP SA


R1#debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R1#
*Jun 26 14:25:37.983: EIGRP: Sending HELLO on FastEthernet0/1
*Jun 26 14:25:37.983:   AS 101, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Jun 26 14:25:38.843: EIGRP: Received HELLO on Serial0/0/0 nbr 10.1.1.2
*Jun 26 14:25:38.843:   AS 101, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R1#
*Jun 26 14:25:39.923: EIGRP: Sending HELLO on Serial0/0/0
*Jun 26 14:25:39.923:   AS 101, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R1#undebug all
All possible debugging has been turned off

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA


R1#ping      // EXTENDED PING SO THE SOURCE ADDRESS CAN BE SET TO A LAN ADDRESS THAT MATCHES THE CRYPTO ACL
Protocol [ip]:
Target IP address: 192.168.3.3
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
..!!!    // FIRST TWO ECHOES ARE DROPPED WHILE IKE PHASE 1 AND 2 NEGOTIATE (SEE #send errors 2 BELOW)
Success rate is 60 percent (3/5), round-trip min/avg/max = 92/92/92 ms

R1#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.2.2.1        10.1.1.1        QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R1#show crypto ipsec sa

interface: Serial0/0/0
    Crypto map tag: CMAP, local addr 10.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 10.2.2.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
     current outbound spi: 0x6FB8F66B(1874392683)

     inbound esp sas:
      spi: 0x31F658DC(838228188)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: FPGA:1, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4443187/830)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6FB8F66B(1874392683)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: FPGA:2, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4443187/830)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
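
Reading the two show commands above by eye is fine in a lab; for monitoring you want a script that classifies the tunnel. The following is an added example, not code from the original post: it parses `show crypto isakmp sa` and `show crypto ipsec sa` into a small structure and returns one of four verdicts, NO_IKE_SA (nothing has matched the crypto ACL yet, or Phase 1 failed), IKE_UP_NO_IPSEC_SA (Phase 1 is QM_IDLE/ACTIVE but no ESP SA exists, the state a crypto-map or proxy-ID mismatch produces), ONE_WAY (we encrypt, nothing is decrypted back) and UP. The embedded sample outputs are abridged copies of the show output on this page; the IKE-up/no-IPsec case is produced by pairing them.

```python
# Added example, not from the page: turn `show crypto isakmp sa` and `show crypto ipsec sa`
# output into one tunnel verdict, so the states seen in the transcripts (no IKE SA; IKE up
# but no IPsec SA; traffic flowing) can be told apart by a script instead of by eye. The
# sample outputs are abridged copies of the page's own show output; the "IKE up, no
# IPsec SA" case is produced by pairing them.
import re

IKE_ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+\d+\s+(\S+)")

def parse_isakmp_sa(text):
    """Rows of the IPv4 ISAKMP SA table as dicts: dst, src, state, conn_id, status."""
    rows = []
    for line in text.splitlines():
        if m := IKE_ROW.match(line.strip()):
            rows.append(dict(zip(("dst", "src", "state", "conn_id", "status"), m.groups())))
    return rows

def parse_ipsec_sa(text):
    """Proxy identities, packet counters and per-direction SAs from `show crypto ipsec sa`."""
    info = {"encaps": 0, "decaps": 0, "send_errors": 0, "sas": []}
    section = None                                  # (direction, protocol) of the SA list being read
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/", line):
            info[f"{m[1]}_ident"] = f"{m[2]}/{m[3]}"
        elif m := re.search(r"#pkts (encaps|decaps): (\d+)", line):
            info[m[1]] = int(m[2])
        elif m := re.search(r"#send errors (\d+)", line):
            info["send_errors"] = int(m[1])
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            section = (m[1], m[2])
        elif section and (m := re.match(r"spi: 0x([0-9A-Fa-f]+)", line)):
            info["sas"].append({"dir": section[0], "proto": section[1], "spi": int(m[1], 16)})
        elif section and info["sas"] and (m := re.match(r"transform: (.+?),?$", line)):
            info["sas"][-1]["transform"] = m[1].strip()
        elif section and info["sas"] and (m := re.match(r"sa timing: .*\((\d+)/(\d+)\)", line)):
            info["sas"][-1]["remaining_kb"], info["sas"][-1]["remaining_sec"] = int(m[1]), int(m[2])
        elif section and info["sas"] and (m := re.match(r"Status: (\S+)", line)):
            info["sas"][-1]["status"] = m[1]
    return info

def tunnel_verdict(isakmp_text, ipsec_text):
    """NO_IKE_SA, IKE_UP_NO_IPSEC_SA, ONE_WAY or UP."""
    ike_up = any(r["state"] == "QM_IDLE" and r["status"] == "ACTIVE" for r in parse_isakmp_sa(isakmp_text))
    sa = parse_ipsec_sa(ipsec_text)
    dirs = {s["dir"] for s in sa["sas"] if s["proto"] == "esp" and s.get("status") == "ACTIVE"}
    if not ike_up:
        return "NO_IKE_SA"             # Phase 1 never ran: nothing matched the crypto ACL, or IKE failed
    if dirs != {"inbound", "outbound"}:
        return "IKE_UP_NO_IPSEC_SA"    # Phase 1 done, Phase 2 not: ACL / proxy ID / transform mismatch
    if sa["encaps"] and not sa["decaps"]:
        return "ONE_WAY"               # we encrypt, nothing comes back: routing or ACL asymmetry
    return "UP"

# Abridged copies of the show output on this page (R1 before and after the extended ping).
ISAKMP_EMPTY = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA
"""
ISAKMP_ACTIVE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.2.2.1        10.1.1.1        QM_IDLE           1001    0 ACTIVE
"""
IPSEC_EMPTY = """\
interface: Serial0/0/0
    Crypto map tag: CMAP, local addr 10.1.1.1
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
"""
IPSEC_UP = """\
interface: Serial0/0/0
    Crypto map tag: CMAP, local addr 10.1.1.1
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #send errors 2, #recv errors 0
     current outbound spi: 0x6FB8F66B(1874392683)
     inbound esp sas:
      spi: 0x31F658DC(838228188)
        transform: esp-256-aes esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4443187/830)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x6FB8F66B(1874392683)
        transform: esp-256-aes esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4443187/830)
        Status: ACTIVE
"""
```

`tunnel_verdict(ISAKMP_EMPTY, IPSEC_EMPTY)` is the state before the extended ping, `tunnel_verdict(ISAKMP_ACTIVE, IPSEC_UP)` the state after it; feeding `ISAKMP_ACTIVE` with `IPSEC_EMPTY` gives the Phase-1-only verdict. The remaining lifetime per SA is kept so a monitor can also alarm on SAs that never rekey.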


R1(config)#username admin privilege 15 secret cisco12345
R1(config)#ip http server    // CCP MANAGES THE ROUTER OVER HTTP; OUTSIDE A LAB USE ip http secure-server (HTTPS) INSTEAD
R1(config)#ip http authentication local


R3(config)#username admin privilege 15 secret cisco12345
R3(config)#ip http server
R3(config)#ip http authentication local


R3(config)#crypto isakmp policy 1    // COPY/PASTE MIRROR CONFIG GENERATED BY CCP; NOTE IT ADDS A 3DES/SHA/GROUP 2 POLICY AT PRIORITY 1, WHICH IOS TRIES BEFORE POLICY 10, AND USES MD5 IN POLICY 10
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encr 3des
R3(config-isakmp)# hash sha
R3(config-isakmp)# group 2
R3(config-isakmp)# lifetime 86400
R3(config-isakmp)# exit
R3(config)#crypto isakmp policy 10
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encr aes 256
R3(config-isakmp)# hash md5
R3(config-isakmp)# group 5
R3(config-isakmp)# lifetime 86400
R3(config-isakmp)# exit
R3(config)#crypto isakmp key cisco12345 address 10.1.1.1
R3(config)#crypto ipsec transform-set LAB_TSET esp-sha-hmac esp-aes 256
R3(cfg-crypto-trans)# mode tunnel
R3(cfg-crypto-trans)# exit
R3(config)#ip access-list extended SDM_1
R3(config-ext-nacl)# remark CCP_ACL Category=4
R3(config-ext-nacl)# remark IPSec Rule
R3(config-ext-nacl)# permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
R3(config-ext-nacl)# exit
R3(config)#crypto map SDM_CMAP_1 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)# description Apply the crypto map on the peer router's interface having IP address 10.2.2.1 that connects to this router.
R3(config-crypto-map)# set transform-set LAB_TSET
R3(config-crypto-map)# set peer 10.1.1.1
R3(config-crypto-map)# match address SDM_1
R3(config-crypto-map)# exit
R3(config)#interface serial0/0/1
R3(config-if)#crypto map SDM_CMAP_1
R3(config-if)#
*Jun 26 23:00:58.043: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R3#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit

R3#show crypto ipsec transform-set
Transform set LAB_TSET: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  }

R3#show crypto map
Crypto Map "SDM_CMAP_1" 1 ipsec-isakmp
        Description: Apply the crypto map on the peer router's interface having IP address 10.2.2.1 that connects to this router.
        Peer = 10.1.1.1
        Extended IP access list SDM_1
            access-list SDM_1 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
        Current peer: 10.1.1.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                LAB_TSET:  { esp-256-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map SDM_CMAP_1:
                Serial0/0/1


R1(config)#interface serial0/0/0
R1(config-if)#no crypto map SDM_CMAP_1
R1(config-if)#
*Jun 26 23:05:39.607: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
R1(config-if)#no crypto map SDM_CMAP_1 1
R1(config-if)#crypto map SDM_CMAP_1 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#description Tunnel to 10.2.2.1
R1(config-crypto-map)#set peer 10.2.2.1
R1(config-crypto-map)#set transform-set LAB_TSET
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#exit
R1(config)#do show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  administratively down down
FastEthernet0/1            192.168.1.1     YES NVRAM  up                    up 
Serial0/0/0                10.1.1.1        YES NVRAM  up                    up 
Serial0/0/1                unassigned      YES NVRAM  administratively down down
Serial0/1/0                unassigned      YES NVRAM  administratively down down
Serial0/1/1                unassigned      YES NVRAM  administratively down down
R1(config)#interface serial0/0/0
R1(config-if)#crypto map SDM_CMAP_1
R1(config-if)#
*Jun 26 23:07:18.195: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON


R3(config)#interface serial0/0/1
R3(config-if)#no crypto map SDM_CMAP_1
R3(config-if)#
*Jun 26 23:08:22.543: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
R3(config-if)#exit
R3(config)#no crypto map SDM_CMAP_1 1
R3(config)#crypto map SDM_CMAP_1 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)#description Tunnel to 10.1.1.1
R3(config-crypto-map)#set peer 10.1.1.1
R3(config-crypto-map)#set transform-set LAB_TSET
R3(config-crypto-map)#match address 100
R3(config-crypto-map)#exit
R3(config)#interface serial0/0/1
R3(config-if)#crypto map SDM_CMAP_1
R3(config-if)#
*Jun 26 23:09:41.931: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R3#show crypto isakmp sa    // IKE PHASE 1 IS UP (QM_IDLE/ACTIVE) BUT PHASE 2 (IPSEC SA) IS NOT ESTABLISHING
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.2.2.1        10.1.1.1        QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA


crypto ipsec transform-set LAB_TSET esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 10 ipsec-isakmp
 ! Incomplete  
 description Tunnel to 10.1.1.1
 set peer 10.1.1.1
 set transform-set LAB_TSET
 match address 100     // THERE'S NO ACL 100 ON R3

ip access-list extended SDM_1   
 remark CCP_ACL Category=4
 remark IPSec Rule
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

R3(config)#crypto map SDM_CMAP_1 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)#no match address 100
R3(config-crypto-map)#match address SDM_1   
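
The mistake above, a crypto map that matches ACL 100 when only SDM_1 exists on R3, is easy to miss in two running-configs, and the same goes for the other things that must line up between peers. As an added example that is not part of the original post, here is a Python checker that parses the config syntax used in these transcripts and cross-checks the two routers: the `match address` ACL must exist, the two crypto ACLs must be mirror images, the transform sets must agree regardless of argument order (CCP wrote `esp-sha-hmac esp-aes 256`, the CLI session wrote `esp-aes 256 esp-sha-hmac`; `show crypto ipsec transform-set` renders both as `esp-256-aes esp-sha-hmac`), PFS must agree, and each `set peer` must be the other side's crypto endpoint. The sample configs are constructed from the lab; the /30 serial masks and the body of R1's ACL 100 are assumptions, since the page never lists them.

```python
# Added example, not from the page: cross-check two IOS peers' crypto-map config. It parses
# only the config syntax seen in the transcripts above and reports what keeps a map
# "Incomplete" or stops Phase 2: a `match address` ACL that does not exist (the R3 bug
# above), transform sets or PFS that differ, `set peer` not pointing at the other side,
# and crypto ACLs that are not mirror images of each other.
import re

ACE = r"permit ip (\S+) (\S+) (\S+) (\S+)$"            # src wildcard dst wildcard
SUBCMD = {                                             # block type -> (regex, field)
    "map": [(r"set peer (\S+)$", "peer"), (r"set transform-set (\S+)$", "tset"),
            (r"set pfs (\S+)$", "pfs"), (r"match address (\S+)$", "acl")],
    "if":  [(r"ip address (\S+) \S+$", "ip"), (r"crypto map (\S+)$", "map")],
}

def normalize_tset(tokens):
    """'esp-aes 256 esp-sha-hmac' and 'esp-sha-hmac esp-aes 256' must compare equal."""
    out = []
    for tok in tokens:
        if tok.isdigit() and out:
            out[-1] += "-" + tok                       # key size belongs to the cipher before it
        else:
            out.append(tok)
    return frozenset(out)

def parse_config(text):
    cfg = {"acls": {}, "tsets": {}, "maps": {}, "ifs": {}}
    ctx = None                                         # (kind, container) of the open block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith(" "):                        # IOS indents sub-commands by one space
            if ctx and ctx[0] == "acl" and (m := re.match(ACE, line)):
                ctx[1].append(m.groups())
            elif ctx and ctx[0] in SUBCMD:
                for pattern, field in SUBCMD[ctx[0]]:
                    if m := re.match(pattern, line):
                        ctx[1][field] = m.group(1)
            continue
        ctx = None
        if m := re.match(r"access-list (\S+) " + ACE, line):
            cfg["acls"].setdefault(m.group(1), []).append(m.groups()[1:])
        elif m := re.match(r"ip access-list extended (\S+)$", line):
            ctx = ("acl", cfg["acls"].setdefault(m.group(1), []))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["tsets"][m.group(1)] = normalize_tset(m.group(2).split())
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line):
            ctx = ("map", cfg["maps"].setdefault((m.group(1), int(m.group(2))), {}))
        elif m := re.match(r"interface (\S+)$", line):
            ctx = ("if", cfg["ifs"].setdefault(m.group(1), {}))
    return cfg

def applied_entry(cfg):
    """(local endpoint IP, map name, lowest-sequence entry) of the map bound to an interface."""
    for iface in cfg["ifs"].values():
        if "map" in iface:
            seqs = sorted(seq for name, seq in cfg["maps"] if name == iface["map"])
            return iface.get("ip"), iface["map"], (cfg["maps"][(iface["map"], seqs[0])] if seqs else None)
    return None, None, None

def check_pair(peers):
    """peers: {router_name: running-config text}. Returns findings; an empty list means consistent."""
    findings, sides = [], {}
    for name, text in peers.items():
        cfg = parse_config(text)
        ip, map_name, entry = applied_entry(cfg)
        if entry is None:
            findings.append(f"{name}: no crypto map entry is applied to an interface")
            continue
        if entry.get("acl") not in cfg["acls"]:        # IOS keeps the map disabled without a valid ACL
            findings.append(f"{name}: crypto map {map_name} matches ACL {entry.get('acl')}, which does not exist")
        sides[name] = (ip, cfg, entry)
    if len(sides) != 2:
        return findings
    (na, (ip_a, ca, ea)), (nb, (ip_b, cb, eb)) = sides.items()
    if ea.get("peer") != ip_b or eb.get("peer") != ip_a:
        findings.append(f"set peer does not point at the other side: {na}->{ea.get('peer')}, {nb}->{eb.get('peer')}")
    if ca["tsets"].get(ea.get("tset")) != cb["tsets"].get(eb.get("tset")):
        findings.append("transform sets differ between the peers")
    if ea.get("pfs") != eb.get("pfs"):
        findings.append(f"PFS differs: {na}={ea.get('pfs')}, {nb}={eb.get('pfs')}")
    acl_a, acl_b = ca["acls"].get(ea.get("acl")), cb["acls"].get(eb.get("acl"))
    if acl_a is not None and acl_b is not None:
        if {(d, dw, s, sw) for s, sw, d, dw in acl_a} != set(acl_b):
            findings.append("crypto ACLs are not mirror images of each other")
    return findings

# Constructed samples modelled on the lab; /30 masks and R1's ACL 100 body are assumptions.
R1_CFG = """\
crypto ipsec transform-set LAB_TSET esp-aes 256 esp-sha-hmac
crypto map SDM_CMAP_1 10 ipsec-isakmp
 set peer 10.2.2.1
 set transform-set LAB_TSET
 match address 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 crypto map SDM_CMAP_1
"""
R3_BROKEN = """\
crypto ipsec transform-set LAB_TSET esp-sha-hmac esp-aes 256
 mode tunnel
crypto map SDM_CMAP_1 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set LAB_TSET
 match address 100
ip access-list extended SDM_1
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 crypto map SDM_CMAP_1
"""
R3_FIXED = R3_BROKEN.replace(" match address 100", " match address SDM_1")
```

`check_pair({"R1": R1_CFG, "R3": R3_BROKEN})` returns the single finding about ACL 100 on R3; with `R3_FIXED` it returns an empty list. Feed it the output of `show running-config | section crypto|interface|access-list` from each router and it catches the same class of mistake before `clear crypto sa` is needed.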


R3(config)#int serial0/0/1
R3(config-if)#no crypto map SDM_CMAP_1
*Jun 26 23:38:59.903: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
R3(config-if)#crypto map SDM_CMAP_1
R3(config-if)#
*Jun 26 23:39:04.611: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON


R1#clear crypto sa     // CLEAR THE STALE SAs ON BOTH ENDS SO THE NEXT INTERESTING PACKET RENEGOTIATES; IPSEC VPN ESTABLISHED AFTERWARDS


R3#clear crypto sa



R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.2.2.1        10.1.1.1        QM_IDLE           1002    0 ACTIVE

IPv6 Crypto ISAKMP SA

R1#show crypto ipsec sa

interface: Serial0/0/0
    Crypto map tag: SDM_CMAP_1, local addr 10.1.1.1   

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)  
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)   
   current_peer 10.2.2.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29  
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29  
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1  
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
     current outbound spi: 0xF480B720(4102076192)

     inbound esp sas:
      spi: 0x27C0C9B(41684123)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: FPGA:1, crypto map: SDM_CMAP_1  
        sa timing: remaining key lifetime (k/sec): (4607750/3470)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF480B720(4102076192)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: FPGA:2, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4607750/3470)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R1#
*Jun 26 23:42:28.723: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.1.1.1, remote= 10.2.2.1,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jun 26 23:42:28.723: ISAKMP: local port 500, remote port 500
*Jun 26 23:42:28.723: ISAKMP: set new node 0 to QM_IDLE
*Jun 26 23:42:28.723: insert sa successfully sa = 64B9665C
*Jun 26 23:42:28.723: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jun 26 23:42:28.723: ISAKMP:(0):found peer pre-shared key matching 10.2.2.1
*Jun 26 23:42:28.727: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jun 26 23:42:28.727: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jun 26 23:42:28.727: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jun 26 23:42:28.727: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jun 26 23:42:28.727: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 26 23:42:28.727: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jun 26 23:42:28.727: ISAKMP:(0): beginning Main Mode exchange
*Jun 26 23:42:28.727: ISAKMP:(0): sending packet to 10.2.2.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 26 23:42:28.727: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 26 23:42:28.827: ISAKMP (0:0): received packet from 10.2.2.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Jun 26 23:42:28.827: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 26 23:42:28.827: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Jun 26 23:42:28.831: ISAKMP:(0): processing SA payload. message ID = 0
*Jun 26 23:42:28.831: ISAKMP:(0): processing vendor id payload
*Jun 26 23:42:28.831: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 26 23:42:28.831: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Jun 26 23:42:28.831: ISAKMP:(0):found peer pre-shared key matching 10.2.2.1
*Jun 26 23:42:28.831: ISAKMP:(0): local preshared key found
*Jun 26 23:42:28.831: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy    // PHASE 1 SETTLES ON THE CCP-ADDED 3DES/SHA/GROUP 2 POLICY 1, NOT THE AES-256 POLICY 10
*Jun 26 23:42:28.831: ISAKMP:      encryption 3DES-CBC
*Jun 26 23:42:28.831: ISAKMP:      hash SHA
*Jun 26 23:42:28.831: ISAKMP:      default group 2
*Jun 26 23:42:28.831: ISAKMP:      auth pre-share
*Jun 26 23:42:28.831: ISAKMP:      life type in seconds
*Jun 26 23:42:28.831: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Jun 26 23:42:28.831: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 26 23:42:28.831: ISAKMP:(0):Acceptable atts:actual life: 0
*Jun 26 23:42:28.831: ISAKMP:(0):Acceptable atts:life: 0
*Jun 26 23:42:28.831: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jun 26 23:42:28.831: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Jun 26 23:42:28.831: ISAKMP:(0):Returning Actual lifetime: 86400
*Jun 26 23:42:28.831: ISAKMP:(0)::Started lifetime timer: 86400.
*Jun 26 23:42:28.831: ISAKMP:(0): processing vendor id payload
*Jun 26 23:42:28.831: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 26 23:42:28.831: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Jun 26 23:42:28.831: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 26 23:42:28.831: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Jun 26 23:42:28.835: ISAKMP:(0): sending packet to 10.2.2.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Jun 26 23:42:28.835: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 26 23:42:28.835: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 26 23:42:28.835: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Jun 26 23:42:29.075: ISAKMP (0:0): received packet from 10.2.2.1 dport 500 sport 500 Global (I) MM_SA_SETUP
*Jun 26 23:42:29.075: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 26 23:42:29.075: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Jun 26 23:42:29.075: ISAKMP:(0): processing KE payload. message ID = 0
*Jun 26 23:42:29.075: crypto_engine: Create DH shared secret
*Jun 26 23:42:29.143: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jun 26 23:42:29.143: ISAKMP:(0):found peer pre-shared key matching 10.2.2.1
*Jun 26 23:42:29.147: crypto_engine: Create IKE SA
*Jun 26 23:42:29.147: crypto engine: deleting DH phase 2 SW:3
*Jun 26 23:42:29.147: crypto_engine: Delete DH shared secret
*Jun 26 23:42:29.147: ISAKMP:(1002): processing vendor id payload
*Jun 26 23:42:29.147: ISAKMP:(1002): vendor ID is Unity
*Jun 26 23:42:29.147: ISAKMP:(1002): processing vendor id payload
*Jun 26 23:42:29.147: ISAKMP:(1002): vendor ID is DPD
*Jun 26 23:42:29.147: ISAKMP:(1002): processing vendor id payload
*Jun 26 23:42:29.147: ISAKMP:(1002): speaking to another IOS box!
*Jun 26 23:42:29.147: ISAKMP:received payload type 20
*Jun 26 23:42:29.147: ISAKMP (1002): His hash no match - this node outside NAT
*Jun 26 23:42:29.147: ISAKMP:received payload type 20
*Jun 26 23:42:29.147: ISAKMP (1002): No NAT Found for self or peer
*Jun 26 23:42:29.147: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 26 23:42:29.147: ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM4
*Jun 26 23:42:29.147: ISAKMP:(1002):Send initial contact
*Jun 26 23:42:29.147: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jun 26 23:42:29.151: ISAKMP (0:1002): ID payload
        next-payload : 8
        type         : 1
        address      : 10.1.1.1
        protocol     : 17
        port         : 500
        length       : 12
*Jun 26 23:42:29.151: ISAKMP:(1002):Total payload length: 12
*Jun 26 23:42:29.151: crypto_engine: Generate IKE hash
*Jun 26 23:42:29.151: crypto_engine: Encrypt IKE packet
*Jun 26 23:42:29.151: ISAKMP:(1002): sending packet to 10.2.2.1 my_port 500 peer_port 500 (I)
MM_KEY_EXCH
*Jun 26 23:42:29.151: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Jun 26 23:42:29.151: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 26 23:42:29.151: ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Jun 26 23:42:29.219: ISAKMP (0:1002): received packet from 10.2.2.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jun 26 23:42:29.219: crypto_engine: Decrypt IKE packet
*Jun 26 23:42:29.219: ISAKMP:(1002): processing ID payload. message ID = 0
*Jun 26 23:42:29.219: ISAKMP (0:1002): ID payload
        next-payload : 8
        type         : 1
        address      : 10.2.2.1
        protocol     : 17
        port         : 500
        length       : 12
*Jun 26 23:42:29.219: ISAKMP:(1002): processing HASH payload. message ID = 0
*Jun 26 23:42:29.219: crypto_engine: Generate IKE hash
*Jun 26 23:42:29.219: ISAKMP:(1002):SA authentication status: authenticated
*Jun 26 23:42:29.219: ISAKMP:(1002):SA has been authenticated with 10.2.2.1
*Jun 26 23:42:29.219: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 26 23:42:29.219: ISAKMP:(1002):Old State = IKE_I_MM5  New State = IKE_I_MM6
*Jun 26 23:42:29.219: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 26 23:42:29.219: ISAKMP:(1002):Old State = IKE_I_MM6  New State = IKE_I_MM6
*Jun 26 23:42:29.223: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 26 23:42:29.223: ISAKMP:(1002):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Jun 26 23:42:29.223: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of -39302567
*Jun 26 23:42:29.223: ISAKMP:(1002):QM Initiator gets spi
*Jun 26 23:42:29.223: crypto_engine: Generate IKE hash
*Jun 26 23:42:29.223: crypto_engine: Encrypt IKE packet
*Jun 26 23:42:29.223: ISAKMP:(1002): sending packet to 10.2.2.1 my_port 500 peer_port 500 (I) QM_IDLE
*Jun 26 23:42:29.223: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Jun 26 23:42:29.223: ISAKMP:(1002):Node -39302567, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jun 26 23:42:29.227: ISAKMP:(1002):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Jun 26 23:42:29.227: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jun 26 23:42:29.227: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Jun 26 23:42:29.343: ISAKMP (0:1002): received packet from 10.2.2.1 dport 500 sport 500 Global (I) QM_IDLE
*Jun 26 23:42:29.343: crypto_engine: Decrypt IKE packet
*Jun 26 23:42:29.343: crypto_engine: Generate IKE hash
*Jun 26 23:42:29.347: ISAKMP:(1002): processing HASH payload. message ID = -39302567
*Jun 26 23:42:29.347: ISAKMP:(1002): processing SA payload. message ID = -39302567
*Jun 26 23:42:29.347: ISAKMP:(1002):Checking IPSec proposal 1
*Jun 26 23:42:29.347: ISAKMP: transform 1, ESP_AES
*Jun 26 23:42:29.347: ISAKMP:   attributes in transform:
*Jun 26 23:42:29.347: ISAKMP:      encaps is 1 (Tunnel)
*Jun 26 23:42:29.347: ISAKMP:      SA life type in seconds
*Jun 26 23:42:29.347: ISAKMP:      SA life duration (basic) of 3600
*Jun 26 23:42:29.347: ISAKMP:      SA life type in kilobytes
*Jun 26 23:42:29.347: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Jun 26 23:42:29.347: ISAKMP:      authenticator is HMAC-SHA
*Jun 26 23:42:29.347: ISAKMP:      key length is 256
*Jun 26 23:42:29.347: ISAKMP:(1002):atts are acceptable.
*Jun 26 23:42:29.347: ISAKMP:(1002): processing NONCE payload. message ID = -39302567
*Jun 26 23:42:29.347: ISAKMP:(1002): processing ID payload. message ID = -39302567
*Jun 26 23:42:29.347: ISAKMP:(1002): processing ID payload. message ID = -39302567
*Jun 26 23:42:29.347: crypto_engine: Generate IKE hash
*Jun 26 23:42:29.347: crypto_engine: Generate IKE QM keys
*Jun 26 23:42:29.347: crypto_engine: Create IPSec SA (by keys)
*Jun 26 23:42:29.347: crypto_engine: Generate IKE QM keys
*Jun 26 23:42:29.351: crypto_engine: Create IPSec SA (by keys)
*Jun 26 23:42:29.351: ISAKMP:(1002): Creating IPSec SAs
*Jun 26 23:42:29.351:         inbound SA from 10.2.2.1 to 10.1.1.1 (f/i)  0/ 0
        (proxy 192.168.3.0 to 192.168.1.0)
*Jun 26 23:42:29.351:         has spi 0x27C0C9B and conn_id 0
*Jun 26 23:42:29.351:         lifetime of 3600 seconds
*Jun 26 23:42:29.351:         lifetime of 4608000 kilobytes
*Jun 26 23:42:29.351:         outbound SA from 10.1.1.1 to 10.2.2.1 (f/i) 0/0
        (proxy 192.168.1.0 to 192.168.3.0)
*Jun 26 23:42:29.351:         has spi  0xF480B720 and conn_id 0
*Jun 26 23:42:29.351:         lifetime of 3600 seconds
*Jun 26 23:42:29.351:         lifetime of 4608000 kilobytes
*Jun 26 23:42:29.351: crypto_engine: Encrypt IKE packet
*Jun 26 23:42:29.351: ISAKMP:(1002): sending packet to 10.2.2.1 my_port 500 peer_port 500 (I) QM_IDLE
*Jun 26 23:42:29.351: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Jun 26 23:42:29.351: ISAKMP:(1002):deleting node -39302567 error FALSE reason "No Error"
*Jun 26 23:42:29.351: ISAKMP:(1002):Node -39302567, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jun 26 23:42:29.351: ISAKMP:(1002):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
*Jun 26 23:42:29.355: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.2.2.1
*Jun 26 23:42:29.355: IPSEC(policy_db_add_ident): src 192.168.1.0, dest 192.168.3.0, dest_port 0
*Jun 26 23:42:29.355: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.1.1.1, sa_proto= 50,
    sa_spi= 0x27C0C9B(41684123),
    sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 2001
*Jun 26 23:42:29.355: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.2.2.1, sa_proto= 50,
    sa_spi= 0xF480B720(4102076192),
    sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 2002
*Jun 26 23:42:29.355: crypto engine: updating MTU size of IPSec SA FPGA:2
*Jun 26 23:42:29.355: crypto_engine: Set IPSec MTU
*Jun 26 23:42:29.355: IPSEC(update_current_outbound_sa): updated peer 10.2.2.1 current outbound sa to SPI F480B720
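
The debug above shows more than that the tunnel came up. Look at the Phase 1 lines `Checking ISAKMP transform 1 against priority 1 policy`, `encryption 3DES-CBC`, `default group 2`, `atts are acceptable`: both routers carry the CCP-generated policy 1 alongside the AES-256 policy 10, IOS evaluates policies in priority order, and so the IKE SA ends up on 3DES/SHA/DH group 2 rather than AES-256/group 5. Here is an added example, not from the original post, that pulls that out of a `debug crypto isakmp` / `debug crypto ipsec` capture: the state transitions, the accepted Phase 1 policy, the accepted Phase 2 proposal, the SPIs of the SAs created, and a grade of the Phase 1 policy against current guidance (DES/3DES, MD5 and DH groups 1, 2 and 5 flagged; group 14 or higher is the usual minimum today). The sample is an abridged copy of the R1 debug lines above; the `atts are not acceptable` string handled for rejected policies is assumed from IOS behaviour and does not occur in this capture.

```python
# Added example, not from the page: summarise a `debug crypto isakmp` / `debug crypto ipsec`
# capture like the one above. It records the IKE state transitions, the ISAKMP policy the
# peers actually settled on (here priority 1: 3DES/SHA/group 2, the CCP-added default that
# IOS tries before the AES-256 policy 10), the IPsec proposal accepted in Quick Mode, and
# the SPIs of the SAs created, then grades the Phase 1 policy against current guidance.
# DEBUG_SAMPLE is an abridged copy of the page's own R1 debug lines.
import re

TRANSITION = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
P1_ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\b (.+?)\s*$")
P2_ATTR = re.compile(r"ISAKMP:\s+(authenticator is|key length is|encaps is) (.+?)\s*$")

def trace_ike(debug_text):
    s = {"transitions": [], "ike_policy": None, "ipsec_proposal": None,
         "authenticated_peer": None, "spis": []}
    candidate = None                   # policy or proposal whose attributes are being checked
    for line in debug_text.splitlines():
        if m := TRANSITION.search(line):
            s["transitions"].append((m[1], m[2]))
        elif m := re.search(r"Checking ISAKMP transform \d+ against priority (\d+) policy", line):
            candidate = {"kind": "ike_policy", "priority": int(m[1])}
        elif m := re.search(r"Checking IPSec proposal (\d+)", line):
            candidate = {"kind": "ipsec_proposal", "proposal": int(m[1])}
        elif candidate and (m := P1_ATTR.search(line) or P2_ATTR.search(line)):
            candidate[m[1].replace(" is", "").replace("default ", "")] = m[2]
        elif candidate and (m := re.search(r"transform \d+, (\S+)", line)):
            candidate["transform"] = m[1]
        elif candidate and "atts are acceptable" in line:
            s[candidate["kind"]] = candidate          # the one both sides agreed on
            candidate = None
        elif candidate and "atts are not acceptable" in line:   # assumed IOS wording for a rejected policy
            candidate = None
        elif m := re.search(r"SA has been authenticated with (\S+)", line):
            s["authenticated_peer"] = m[1]
        elif m := re.search(r"sa_spi= 0x([0-9A-Fa-f]+)", line):
            s["spis"].append(int(m[1], 16))
    reached = {new for _, new in s["transitions"]}
    s["phase1_complete"] = "IKE_P1_COMPLETE" in reached
    s["phase2_complete"] = "IKE_QM_PHASE2_COMPLETE" in reached
    return s

def weak_ike_policy(summary):
    """Why the negotiated Phase 1 policy falls short of current guidance (empty list if it does not)."""
    pol = summary.get("ike_policy") or {}
    reasons = []
    if pol.get("encryption", "").endswith("DES-CBC"):        # DES and 3DES
        reasons.append(f"encryption {pol['encryption']}")
    if pol.get("hash") == "MD5":
        reasons.append("hash MD5")
    if pol.get("group") in ("1", "2", "5"):                  # 768/1024/1536-bit MODP; use group 14 or higher
        reasons.append(f"DH group {pol['group']}")
    return reasons

DEBUG_SAMPLE = """\
*Jun 26 23:42:28.727: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jun 26 23:42:28.827: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Jun 26 23:42:28.831: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jun 26 23:42:28.831: ISAKMP:      encryption 3DES-CBC
*Jun 26 23:42:28.831: ISAKMP:      hash SHA
*Jun 26 23:42:28.831: ISAKMP:      default group 2
*Jun 26 23:42:28.831: ISAKMP:      auth pre-share
*Jun 26 23:42:28.831: ISAKMP:      life type in seconds
*Jun 26 23:42:28.831: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 26 23:42:28.835: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Jun 26 23:42:29.075: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Jun 26 23:42:29.151: ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Jun 26 23:42:29.219: ISAKMP:(1002):SA has been authenticated with 10.2.2.1
*Jun 26 23:42:29.219: ISAKMP:(1002):Old State = IKE_I_MM5  New State = IKE_I_MM6
*Jun 26 23:42:29.223: ISAKMP:(1002):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Jun 26 23:42:29.227: ISAKMP:(1002):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Jun 26 23:42:29.347: ISAKMP:(1002):Checking IPSec proposal 1
*Jun 26 23:42:29.347: ISAKMP: transform 1, ESP_AES
*Jun 26 23:42:29.347: ISAKMP:      encaps is 1 (Tunnel)
*Jun 26 23:42:29.347: ISAKMP:      authenticator is HMAC-SHA
*Jun 26 23:42:29.347: ISAKMP:      key length is 256
*Jun 26 23:42:29.347: ISAKMP:(1002):atts are acceptable.
*Jun 26 23:42:29.351: ISAKMP:(1002):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
*Jun 26 23:42:29.355: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.1.1.1, sa_proto= 50,
    sa_spi= 0x27C0C9B(41684123),
*Jun 26 23:42:29.355: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.2.2.1, sa_proto= 50,
    sa_spi= 0xF480B720(4102076192),
"""
```

`trace_ike(DEBUG_SAMPLE)` reports both phases complete, the peer authenticated as 10.2.2.1, the two SPIs that `show crypto ipsec sa` lists above, and an `ike_policy` of priority 1 with 3DES-CBC, SHA and group 2; `weak_ike_policy` on that summary flags the cipher and the DH group. The fix on this lab is simply to remove policy 1 (or renumber the AES-256 policy below it) on both routers so the stronger suite is tried first.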