Saturday, May 5, 2018

Site-to-Site IKEv2 IPSec VPN between Cisco IOS Router and ASA Firewall

I usually configure IKEv1 site-to-site IPsec VPNs, but this time I needed an IKEv2 tunnel between a Cisco IOS router and an ASA firewall.


You'll need an IOS image that supports the IKEv2 commands. I've downloaded C7200-ADVENTERPRISEK9-M Version 15.2(4)S to configure IKEv2 in GNS3.

R1#show version
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Fri 20-Jul-12 15:03 by prod_rel_team

ROM: ROMMON Emulation Microcode
BOOTLDR: 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S, RELEASE SOFTWARE (fc1)

R1 uptime is 3 minutes
System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
System image file is "tftp://255.255.255.255/unknown"
Last reload reason: Unknown reason

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes of memory.
Processor board ID 4279256517
R7000 CPU at 150MHz, Implementation 39, Rev 2.1, 256KB L2 Cache
6 slot VXR midplane, Version 2.1

Last reset from power-on

PCI bus mb0_mb1 (Slots 0, 1, 3 and 5) has a capacity of 600 bandwidth points.
Current configuration on bus mb0_mb1 has a total of 600 bandwidth points.
This configuration is within the PCI bus capacity and is supported.

PCI bus mb2 (Slots 2, 4, 6) has a capacity of 600 bandwidth points.
Current configuration on bus mb2 has a total of 0 bandwidth points
This configuration is within the PCI bus capacity and is supported.

Please refer to the following document "Cisco 7200 Series Port Adaptor
Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com>
for c7200 bandwidth points oversubscription and usage guidelines.

3 FastEthernet interfaces
509K bytes of NVRAM.

8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102

R1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        unassigned      YES unset  administratively down down   
FastEthernet1/0        unassigned      YES unset  administratively down down   
FastEthernet1/1        unassigned      YES unset  administratively down down   


R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface f0/0
R1(config-if)#ip address 200.1.1.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#
*Jan 10 16:40:02.543: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Jan 10 16:40:03.543: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#
R1(config-if)#interface f1/1
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 f0/0    // NOT ADVISABLE TO USE IN PRODUCTION NETWORK
%Default route without gateway, if not a point-to-point interface, may impact performance   
R1(config)#do show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        200.1.1.1       YES manual up                    up     
FastEthernet1/0        unassigned      YES unset  administratively down down   
FastEthernet1/1        192.168.1.1     YES manual up                    up 
R1(config)#crypto ?
  call         Configure Crypto Call Admission Control
  dynamic-map  Specify a dynamic crypto map template
  engine       Enter a crypto engine configurable menu
  gdoi         Configure GDOI policy
  identity     Enter a crypto identity list
  ikev2        Configure IKEv2 Options
  ipsec        Configure IPSEC policy
  isakmp       Configure ISAKMP policy
  key          Long term key operations
  keyring      Key ring commands
  logging      logging messages
  map          Enter a crypto map
  mib          Configure Crypto-related MIB Parameters
  pki          Public Key components
  xauth        X-Auth parameters

R1(config)#crypto ikev2 ?
  authorization      IKEv2 authorization
  certificate-cache  Cache for storing certs fetched from HTTP URLs
  client             IKEv2 client configuration
  cookie-challenge   Set Cookie-challenge watermark
  cts                Cisco Trust Security
  diagnose           IKEV2 diagnose
  dpd                Enable IKE liveness check for peers
  fragmentation      Enable fragmentation of ikev2 packets
  http-url           Enable http URL lookup
  keyring            Define IKEv2 Keyring
  limit              Limit the number of maximum and negotiating sa
  name-mangler       Name mangler
  nat                NAT-transparency
  policy             Define IKEV2 policies
  profile            Define IKEv2 Profiles
  proposal           Define IKEV2 proposals
  redirect           IKEv2 Redirect Mechanism for load-balancing
  window             IKEV2 window size

R1(config)#crypto ikev2 keyring ?
  WORD  Name of IKEv2 Keyring

R1(config)#crypto ikev2 keyring KEYRING-1
R1(config-ikev2-keyring)#?
IKEv2 Keyring commands:
  exit  Exit from crypto ikev2 keyring sub mode
  no    Negate a command or set its defaults
  peer  Configure a Peer and associated keys

R1(config-ikev2-keyring)#peer ?
  WORD  Name of the peer block

R1(config-ikev2-keyring)#peer ASA1
R1(config-ikev2-keyring-peer)#?
Crypto IKEv2 Keyring Peer submode commands:
  address         Specify IPv4/IPv6 address of peer
  description     Specify a description of this peer
  exit            Exit from crypto ikev2 keyring peer sub mode
  hostname        Hostname of peer
  identity        Specify IKE identity to use
  no              Negate values of a command
  pre-shared-key  specify the pre-shared key

R1(config-ikev2-keyring-peer)#address ?
  A.B.C.D             IPv4 Address
  X:X:X:X::X/<0-128>  IPv6 address/prefix

R1(config-ikev2-keyring-peer)#address 200.1.1.2
R1(config-ikev2-keyring-peer)#pre-shared-key ?
  0       Specifies an UNENCRYPTED password will follow
  6       Specifies an ENCRYPTED password will follow
  LINE    The UNENCRYPTED (cleartext) user password
  hex     Key entered in hex string
  local   specify signing key
  remote  specify verifying key

R1(config-ikev2-keyring-peer)#pre-shared-key local ?
  0     Specifies an UNENCRYPTED password will follow
  6     Specifies an ENCRYPTED password will follow
  LINE  The UNENCRYPTED (cleartext) user password
  hex   Key entered in hex string

R1(config-ikev2-keyring-peer)#pre-shared-key local cisco
R1(config-ikev2-keyring-peer)#pre-shared-key remote cisco
R1(config-ikev2-keyring-peer)#exit
R1(config-ikev2-keyring)#exit
R1(config)#
R1(config)#crypto ikev2 proposal ?
  WORD  Name of IKEv2 proposal

R1(config)#crypto ikev2 proposal PROPOSAL-1
IKEv2 proposal MUST have at least an encryption algorithm, an integrity algorithm and a dh group configured
R1(config-ikev2-proposal)#?
IKEv2 Proposal commands:
  encryption  Set encryption algorithm(s) for proposal
  exit        Exit from IKEv2 proposal configuration mode
  group       Set the Diffie-Hellman group(s)
  integrity   Set integrity hash algorithm(s) for proposal
  no          Negate a command or set its defaults

R1(config-ikev2-proposal)#encryption ?
  3des         3DES
  aes-cbc-128  AES-CBC-128
  aes-cbc-192  AES-CBC-192
  aes-cbc-256  AES-CBC-256
  des          DES

R1(config-ikev2-proposal)#encryption aes-cbc-256
R1(config-ikev2-proposal)#integrity ?
  md5     Message Digest 5
  sha1    Secure Hash Standard
  sha256  Secure Hash Standard 2 (256 bit)
  sha384  Secure Hash Standard 2 (384 bit)
  sha512  Secure Hash Standard 2 (512 bit)

R1(config-ikev2-proposal)#integrity sha512
R1(config-ikev2-proposal)#group ?
  1   DH 768 MODP
  14  DH 2048 MODP
  15  DH 3072 MODP
  16  DH 4096 MODP
  19  DH 256 ECP
  2   DH 1024 MODP
  20  DH 384 ECP
  24  DH 2048 (256 subgroup) MODP
  5   DH 1536 MODP

R1(config-ikev2-proposal)#group 5
R1(config-ikev2-proposal)#exit
R1(config)#
R1(config)#crypto ikev2 profile ?
  WORD  Name of IKEv2 Profile

R1(config)#crypto ikev2 profile PROFILE-1
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate statement.
R1(config-ikev2-profile)#?
IKEv2 profile commands:
  aaa               Specify AAA related configs
  authentication    Set authentication method
  config-exchange   config-exchange options
  description       Specify a description of this profile
  dpd               Enable IKE liveness check for peers
  exit              Exit from crypto ikev2 profile sub mode
  identity          Specify IKE identity to use
  initial-contact   initial-contact processing
  ivrf              I-VRF of the profile
  keyring           Specify keyring to use
  lifetime          Set lifetime for ISAKMP security association
  match             Match values of peer
  nat               NAT-transparency
  no                Negate a command or set its defaults
  pki               Specify certificate authorities to trust
  redirect          IKEv2 Redirect Mechanism for load-balancing
  virtual-template  Specify the virtual-template for dynamic interface
                    creation.

R1(config-ikev2-profile)#match ?
  address      IP address
  certificate  Peer certificate attributes
  fvrf         fvrf of the profile
  identity     IKE identity

R1(config-ikev2-profile)#match identity ?
  remote  Remote identity

R1(config-ikev2-profile)#match identity remote ?
  address  IP Address(es)
  email    Fully qualified email string
  fqdn     Fully qualified domain name string
  key-id   key-id opaque string

R1(config-ikev2-profile)#match identity remote address ?
  A.B.C.D             IP address prefix
  X:X:X:X::X/<0-128>  IPv6 address/prefix-length

R1(config-ikev2-profile)#match identity remote address 200.1.1.2 ?
  A.B.C.D  specify mask
  <cr>

R1(config-ikev2-profile)#match identity remote address 200.1.1.2 255.255.255.255
R1(config-ikev2-profile)#identity ?
  local  Specify the local IKE identity to use for the negotiation

R1(config-ikev2-profile)#identity local ?
  address  address
  dn       Distinguished Name
  email    Fully qualified email string
  fqdn     Fully qualified domain name string
  key-id   key-id opaque string - proprietary types of identification

R1(config-ikev2-profile)#identity local address ?
  A.B.C.D     IPv4 address
  X:X:X:X::X  IPv6 address

R1(config-ikev2-profile)#identity local address 200.1.1.1
R1(config-ikev2-profile)#authentication ?
  local   Set local authentication method
  remote  Set remote authentication method

R1(config-ikev2-profile)#authentication remote ?
  eap        Extended Authentication Protocol
  ecdsa-sig  ECDSA Signature
  pre-share  Pre-Shared Key
  rsa-sig    Rivest-Shamir-Adleman Signature
  <cr>

R1(config-ikev2-profile)#authentication remote pre-share
R1(config-ikev2-profile)#authentication local pre-share
R1(config-ikev2-profile)#keyring local KEYRING-1
R1(config-ikev2-profile)#exit
R1(config)#crypto ikev2 policy ?
  WORD  Name of IKEv2 policy

R1(config)#crypto ikev2 policy  POLICY-1
IKEv2 policy MUST have atleast one complete proposal attached
R1(config-ikev2-policy)#?
IKEv2 Policy commands:
  exit      Exit from IKEv2 policy configuration mode
  match     Match values of local fields
  no        Negate a command or set its defaults
  proposal  Specify Proposal

R1(config-ikev2-policy)#proposal ?
  WORD  Specify the name of proposal to be attached

R1(config-ikev2-policy)#proposal PROPOSAL-1
R1(config-ikev2-policy)#exit
R1(config)#
R1(config)#crypto ipsec ?
  df-bit                Handling of encapsulated DF bit.
  fragmentation         Handling of fragmentation of near-MTU sized packets
  nat-transparency      IPsec NAT transparency model
  optional              Enable optional encryption for IPSec
  profile               Configure an ipsec policy profile
  security-association  Security association parameters
  transform-set         Define transform and settings

R1(config)#crypto ipsec transform-set ?
  WORD  Transform set tag

R1(config)#crypto ipsec transform-set TSET-1 ?
  ah-md5-hmac      AH-HMAC-MD5 transform
  ah-sha-hmac      AH-HMAC-SHA transform
  ah-sha256-hmac   AH-HMAC-SHA256 transform
  ah-sha384-hmac   AH-HMAC-SHA384 transform
  ah-sha512-hmac   AH-HMAC-SHA512 transform
  comp-lzs         IP Compression using the LZS compression algorithm
  esp-3des         ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes          ESP transform using AES cipher
  esp-des          ESP transform using DES cipher (56 bits)
  esp-gcm          ESP transform using GCM cipher
  esp-gmac         ESP transform using GMAC cipher
  esp-md5-hmac     ESP transform using HMAC-MD5 auth
  esp-null         ESP transform w/o cipher
  esp-seal         ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac     ESP transform using HMAC-SHA auth
  esp-sha256-hmac  ESP transform using HMAC-SHA256 auth
  esp-sha384-hmac  ESP transform using HMAC-SHA384 auth
  esp-sha512-hmac  ESP transform using HMAC-SHA512 auth

R1(config)#crypto ipsec transform-set TSET-1 esp-aes ?
  128              128 bit keys.
  192              192 bit keys.
  256              256 bit keys.
  ah-md5-hmac      AH-HMAC-MD5 transform
  ah-sha-hmac      AH-HMAC-SHA transform
  ah-sha256-hmac   AH-HMAC-SHA256 transform
  ah-sha384-hmac   AH-HMAC-SHA384 transform
  ah-sha512-hmac   AH-HMAC-SHA512 transform
  comp-lzs         IP Compression using the LZS compression algorithm
  esp-md5-hmac     ESP transform using HMAC-MD5 auth
  esp-sha-hmac     ESP transform using HMAC-SHA auth
  esp-sha256-hmac  ESP transform using HMAC-SHA256 auth
  esp-sha384-hmac  ESP transform using HMAC-SHA384 auth
  esp-sha512-hmac  ESP transform using HMAC-SHA512 auth
  <cr>

R1(config)#crypto ipsec transform-set TSET-1 esp-aes 256 ?
  ah-md5-hmac      AH-HMAC-MD5 transform
  ah-sha-hmac      AH-HMAC-SHA transform
  ah-sha256-hmac   AH-HMAC-SHA256 transform
  ah-sha384-hmac   AH-HMAC-SHA384 transform
  ah-sha512-hmac   AH-HMAC-SHA512 transform
  comp-lzs         IP Compression using the LZS compression algorithm
  esp-md5-hmac     ESP transform using HMAC-MD5 auth
  esp-sha-hmac     ESP transform using HMAC-SHA auth
  esp-sha256-hmac  ESP transform using HMAC-SHA256 auth
  esp-sha384-hmac  ESP transform using HMAC-SHA384 auth
  esp-sha512-hmac  ESP transform using HMAC-SHA512 auth
  <cr>

R1(config)#crypto ipsec transform-set TSET-1 esp-aes 256 esp-sha-hmac
R1(cfg-crypto-trans)#exit
R1(config)#
R1(config)#ip access-list ?
  extended             Extended Access List
  helper               Access List acts on helper-address
  log-update           Control access list log updates
  logging              Control access list logging
  match-local-traffic  Enable ACL matching for locally generated traffic
  resequence           Resequence Access List
  role-based           Role-based Access List
  standard             Standard Access List

R1(config)#ip access-list extended ?
  <100-199>    Extended IP access-list number
  <2000-2699>  Extended IP access-list number (expanded range)
  WORD         Access-list name

R1(config)#ip access-list extended R1-ASA1-ACL
R1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R1(config-ext-nacl)#exit
R1(config)#
R1(config)#crypto map ?
  WORD  Crypto map tag
  ipv6  IPv6 crypto map

R1(config)#crypto map CMAP ?
  <1-65535>       Sequence to insert into crypto map entry
  client          Specify client configuration settings
  gdoi            Configure crypto map gdoi features
  isakmp          Specify isakmp configuration settings
  isakmp-profile  Specify isakmp profile to use
  local-address   Interface to use for local address for this crypto map
  redundancy      High availability options for this map

R1(config)#crypto map CMAP 10 ?
  gdoi          GDOI
  ipsec-isakmp  IPSEC w/ISAKMP
  ipsec-manual  IPSEC w/manual keying
  <cr>

R1(config)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
    and a valid access list have been configured.
R1(config-crypto-map)#?
Crypto Map configuration commands:
  default        Set a command to its defaults
  description    Description of the crypto map statement policy
  dialer         Dialer related commands
  exit           Exit from crypto map configuration mode
  match          Match values.
  no             Negate a command or set its defaults
  qos            Quality of Service related commands
  reverse-route  Reverse Route Injection.
  set            Set values for encryption/decryption

R1(config-crypto-map)#set ?
  identity              Identity restriction.
  ikev2-profile         Specify ikev2 Profile
  ip                    Interface Internet Protocol config commands
  isakmp-profile        Specify isakmp Profile
  nat                   Set NAT translation
  peer                  Allowed Encryption/Decryption peer.
  pfs                   Specify pfs settings
  reverse-route         Reverse Route Injection.
  security-association  Security association parameters
  transform-set         Specify list of transform sets in priority order

R1(config-crypto-map)#set peer ?
  A.B.C.D  IP address of peer
  WORD     Host name of the peer

R1(config-crypto-map)#set peer 200.1.1.2
R1(config-crypto-map)#set transform-set TSET-1
R1(config-crypto-map)#match ?
  address  Match address of packets to encrypt.

R1(config-crypto-map)#match address ?
  <100-199>    IP access-list number
  <2000-2699>  IP access-list number (expanded range)
  WORD         Access-list name

R1(config-crypto-map)#match address R1-ASA1-ACL
R1(config-crypto-map)#exit
R1(config)#
R1(config)#interface f0/0
R1(config-if)#crypto ?
  ipsec  Set IPSec parameters
  map    Assign a Crypto Map

R1(config-if)#crypto map ?
  WORD  Crypto Map tag

R1(config-if)#crypto map CMAP
R1(config-if)#
*Jan 10 16:39:10.151: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#end
   
R1#show run
Building configuration...

Current configuration : 1753 bytes
!
! Last configuration change at 13:57:49 UTC Thu Jan 11 2018
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
ipv6 multicast rpf use-bgp
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
crypto ikev2 proposal PROPOSAL-1
 encryption aes-cbc-256
 integrity sha512
 group 5
!
crypto ikev2 policy POLICY-1
 proposal PROPOSAL-1
!
crypto ikev2 keyring KEYRING-1
 peer ASA1
  address 200.1.1.2
  pre-shared-key local cisco
  pre-shared-key remote cisco
 !
!
!
crypto ikev2 profile PROFILE-1
 match identity remote address 200.1.1.2 255.255.255.255
 identity local address 200.1.1.1
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING-1
!
!
!
ip tcp synwait-time 5
!
!
!
crypto ipsec transform-set TSET-1 esp-aes 256 esp-sha-hmac
 mode tunnel      // DEFAULT
!
!
!
crypto map CMAP 10 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set TSET-1
 match address R1-ASA1-ACL
!
!
!
!
!
interface FastEthernet0/0
 ip address 200.1.1.1 255.255.255.252
 duplex full
 crypto map CMAP
!
interface FastEthernet1/0
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet1/1
 ip address 192.168.1.1 255.255.255.0
 speed auto
 duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list extended R1-ASA1-ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
!
end
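
One thing worth checking in the running config above before bringing the tunnel up: the crypto map entry carries no `set ikev2-profile` statement, and Cisco's IKEv2 configuration guide requires the IKEv2 profile to be attached to the crypto map (or IPsec profile) on both peers. The script below is an added example, not code from the original post. It parses IOS-style indented config text (the crypto sections of R1's `show run`, embedded as a constructed sample) and follows the object chain the way IOS resolves it at negotiation time: crypto map to transform-set, ACL and peer, peer to keyring entry, profile to keyring, policy to proposal. It reports dangling references, a profile that is not attached to the map, pre-shared keys shorter than 16 characters and DH groups below 2048 bits (group 5 is 1536-bit MODP). The finding texts, the 16-character key threshold and the `WEAK_*` sets are the example's own choices.

```python
"""Audit the object chain behind an IOS crypto-map IKEv2 site-to-site VPN.
Added example, not code from the original post. It parses IOS-style indented
config text and checks crypto map -> transform-set / ACL / peer -> keyring ->
IKEv2 profile, flagging dangling references, an unattached profile, short
pre-shared keys and sub-2048-bit DH groups."""

# Constructed sample: the crypto sections of R1's running config from the post.
R1_CONFIG = """\
crypto ikev2 proposal PROPOSAL-1
 encryption aes-cbc-256
 integrity sha512
 group 5
!
crypto ikev2 policy POLICY-1
 proposal PROPOSAL-1
!
crypto ikev2 keyring KEYRING-1
 peer ASA1
  address 200.1.1.2
  pre-shared-key local cisco
  pre-shared-key remote cisco
!
crypto ikev2 profile PROFILE-1
 match identity remote address 200.1.1.2 255.255.255.255
 identity local address 200.1.1.1
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING-1
!
crypto ipsec transform-set TSET-1 esp-aes 256 esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set TSET-1
 match address R1-ASA1-ACL
!
ip access-list extended R1-ASA1-ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

WEAK_IKE = {"des", "3des", "md5"}
WEAK_DH = {"1", "2", "5"}          # 768-, 1024- and 1536-bit MODP groups


def parse_blocks(text):
    """Map each top-level config line to its stripped, indented child lines."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):
            current, blocks[line] = line, []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def find(blocks, prefix):
    return [(h, c) for h, c in blocks.items() if h.startswith(prefix)]


def audit(text):
    """Return a list of findings; an empty list means the chain is consistent."""
    b, out = parse_blocks(text), []
    profiles = {h.split()[-1]: c for h, c in find(b, "crypto ikev2 profile ")}
    tsets = {h.split()[3] for h, _ in find(b, "crypto ipsec transform-set ")}
    acls = {h.split()[-1] for h, _ in find(b, "ip access-list ")}
    peers = {l.split()[1] for _, c in find(b, "crypto ikev2 keyring ")
             for l in c if l.startswith("address ")}
    for h, c in find(b, "crypto ikev2 proposal "):
        for l in c:
            toks = set(l.split()[1:])
            if toks & WEAK_IKE or (l.startswith("group ") and toks & WEAK_DH):
                out.append(f"{h}: '{l}' is below the AES / SHA-2 / 2048-bit DH floor")
    for h, c in find(b, "crypto ikev2 keyring "):
        for p in (l.split() for l in c if l.startswith("pre-shared-key")):
            if "6" not in p[1:-1] and len(p[-1]) < 16:   # '6' marks an encrypted key
                out.append(f"{h}: pre-shared key '{p[-1]}' is shorter than 16 characters")
    for name, c in profiles.items():
        for req in ("authentication local", "authentication remote",
                    "match identity", "keyring local"):
            if not any(l.startswith(req) for l in c):
                out.append(f"profile {name}: missing '{req}'")
        for l in c:
            if l.startswith("match identity remote address ") and l.split()[4] not in peers:
                out.append(f"profile {name}: no keyring peer for {l.split()[4]}")
    for h, c in find(b, "crypto map "):
        s = {p[1]: p[2] for p in (l.split() for l in c)
             if p[0] in ("set", "match") and len(p) >= 3}
        if s.get("transform-set") not in tsets:
            out.append(f"{h}: transform-set {s.get('transform-set')} undefined")
        if s.get("address") not in acls:
            out.append(f"{h}: ACL {s.get('address')} undefined")
        if s.get("peer") not in peers:
            out.append(f"{h}: peer {s.get('peer')} has no keyring entry")
        if s.get("ikev2-profile") not in profiles:
            out.append(f"{h}: no valid 'set ikev2-profile' (Cisco's IKEv2 guide requires "
                       "the profile to be attached to the crypto map on both peers)")
    return out
```

Run against the sample it returns four findings: `group 5`, the two five-character keys and the missing `set ikev2-profile PROFILE-1`. Add that line under `crypto map CMAP 10 ipsec-isakmp`, move to `group 14` on both peers and use a long random key, and the list comes back empty. The parser only understands the flat, space-indented layout that `show run` produces, so feed it the real output rather than a hand-typed transcript.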


I've used ASA version 8.4 in GNS3, which supports IKEv2.

ASA1# show version

Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

ASA1 up 1 min 51 secs

Hardware:   ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB


 0: Ext: GigabitEthernet0    : address is 0000.ab21.c100, irq 0
 1: Ext: GigabitEthernet1    : address is 0000.ab21.c101, irq 0
 2: Ext: GigabitEthernet2    : address is 0000.ab21.c102, irq 0
 3: Ext: GigabitEthernet3    : address is 0000.ab21.c103, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 5              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 25             perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 0              perpetual
Shared License                    : Enabled        perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
UC Phone Proxy Sessions           : 10             perpetual
Total UC Proxy Sessions           : 10             perpetual
Botnet Traffic Filter             : Enabled        perpetual
Intercompany Media Engine         : Enabled        perpetual

This platform has an ASA 5520 VPN Plus license.

Serial Number: 123456789AB
Running Permanent Activation Key: 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
Configuration register is 0x0
Configuration last modified by enable_15 at 08:30:43.269 UTC Wed Jan 10 2018

ciscoasa# configure terminal
ciscoasa(config)# hostname ASA1
ASA1(config)# interface g0
ASA1(config-if)# ip address 200.1.1.2 255.255.255.252
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# no shut
ASA1(config-if)# ping 200.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/18/70 ms

ASA1(config-if)# interface g1
ASA1(config-if)# ip address 192.168.2.1 255.255.255.0
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# no shut
ASA1(config-if)# route outside 0 0 200.1.1.1
ASA1(config-if)# object network LAN1
ASA1(config-network-object)#  subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# exit
ASA1(config)# object network LAN2
ASA1(config-network-object)#  subnet 192.168.2.0 255.255.255.0
ASA1(config-network-object)# exit
ASA1(config)# nat (inside,outside) source static LAN2 LAN2 destination static LAN1 LAN1    // IDENTITY NAT FOR SITE-TO-SITE VPN TRAFFIC
ASA1(config)# access-list ASA1-R1-ACL extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA1(config)# crypto ?

configure mode commands/options:
  ca           Certification authority
  dynamic-map  Configure a dynamic crypto map
  ikev1        Configure IKEv1 policy
  ikev2        Configure IKEv2 policy
  ipsec        Configure transform-set, IPSec SA lifetime, and fragmentation
  isakmp       Configure ISAKMP
  key          Long term key operations
  map          Configure a crypto map

exec mode commands/options:
  ca  Execute Certification Authority Commands

ASA1(config)# crypto ikev2 ?

configure mode commands/options:
  cookie-challenge  Enable and configure IKEv2 cookie challenges based on
                    half-open SAs
  enable            Enable IKEv2 on the specified interface
  limit             Enable limits on IKEv2 SAs
  policy            Set IKEv2 policy suite
  redirect          Set IKEv2 redirect
  remote-access     Configure IKEv2 for Remote Access

ASA1(config)# crypto ikev2 policy ?

configure mode commands/options:
  <1-65535>  Policy suite priority(1 highest, 65535 lowest)

ASA1(config)# crypto ikev2 policy 10
ASA1(config-ikev2-policy)# ?

ikev2 policy configuration commands:
  encryption  Configure one or more encryption algorithm
  exit        Exit from ikev2 policy configuration mode
  group       Configure one or more DH groups
  help        Help for ikev2 policy configuration commands
  integrity   Configure one or more integrity algorithm
  lifetime    Configure the ikev2 lifetime
  no          Remove an ikev2 policy configuration item
  prf         Configure one or more hash algorithm

ASA1(config-ikev2-policy)# encryption ?

ikev2-policy mode commands/options:
  3des     3des encryption
  aes      aes encryption
  aes-192  aes-192 encryption
  aes-256  aes-256 encryption
  des      des encryption
  null     null encryption

ASA1(config-ikev2-policy)# encryption aes-256
ASA1(config-ikev2-policy)# integrity ?

ikev2-policy mode commands/options:
  md5     set hash md5
  sha     set hash sha1
  sha256  set hash sha256
  sha384  set hash sha384
  sha512  set hash sha512

ASA1(config-ikev2-policy)# integrity sha512
ASA1(config-ikev2-policy)# group ?

ikev2-policy mode commands/options:
  1  Diffie-Hellman group 1
  2  Diffie-Hellman group 2
  5  Diffie-Hellman group 5

ASA1(config-ikev2-policy)# group 5
ASA1(config-ikev2-policy)# prf ?

ikev2-policy mode commands/options:
  md5     set hash md5
  sha     set hash sha1
  sha256  set hash sha256
  sha384  set hash sha384
  sha512  set hash sha512

ASA1(config-ikev2-policy)# prf sha512        //  PSEUDO-RANDOM FUNCTION (PRF) KEYING ALGORITHM. THE IOS 15.2(4)S PROPOSAL HAS NO PRF KEYWORD (SEE ITS HELP OUTPUT ABOVE) AND IOS USES ITS INTEGRITY ALGORITHM AS THE PRF, SO SET THE ASA PRF TO THE SAME ALGORITHM AS THE IOS INTEGRITY (SHA512 HERE) OR THE IKE_SA_INIT EXCHANGE FINDS NO MATCHING POLICY

ASA1(config-ikev2-policy)# exit
ASA1(config)# crypto ipsec ?

configure mode commands/options:
  df-bit                Set IPsec DF policy
  fragmentation         Set IPsec fragmentation policy
  ikev1                 Set IKEv1 settings
  ikev2                 Set IKEv2 settings
  security-association  Set security association parameters

ASA1(config)# crypto ipsec ikev2 ?

configure mode commands/options:
  ipsec-proposal  Configure IKEv2 IPSec Policy

ASA1(config)# crypto ipsec ikev2 ipsec-proposal ?

configure mode commands/options:
  WORD < 65 char  Enter the name of the ipsec-proposal

ASA1(config)# crypto ipsec ikev2 ipsec-proposal PROPOSAL-1

ASA1(config-ipsec-proposal)# ?

ikev2 IPSec Policy configuration commands:
  exit      Exit from ipsec-proposal configuration mode
  help      Help for ikev2 IPSec policy configuration commands
  no        Remove an ikev2 IPSec policy configuration item
  protocol  Configure a protocol for the IPSec proposal

ASA1(config-ipsec-proposal)# protocol ?

ipsec-proposal mode commands/options:
  esp  IPsec Encapsulating Security Payload

ASA1(config-ipsec-proposal)# protocol esp ?

ipsec-proposal mode commands/options:
  encryption  Add one or more encryption algorithms for this protocol
  integrity   Add one or more integrity algorithms for this protocol

ASA1(config-ipsec-proposal)# protocol esp encryption ?

ipsec-proposal mode commands/options:
  3des     3des encryption
  aes      aes encryption
  aes-192  aes-192 encryption
  aes-256  aes-256 encryption
  des      des encryption
  null     null encryption

ASA1(config-ipsec-proposal)# protocol esp encryption aes-256
ASA1(config-ipsec-proposal)# protocol esp integrity ?

ipsec-proposal mode commands/options:
  md5    set hash md5
  sha-1  set hash sha-1

ASA1(config-ipsec-proposal)# protocol esp integrity sha-1
ASA1(config-ipsec-proposal)# exit
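
With both sides' algorithm sets now defined, the usual failure is not a typo but the two CLIs spelling the same algorithm differently (`aes-cbc-256` versus `aes-256`, `sha1` versus `sha` versus `sha-1`, `esp-sha-hmac` versus `sha-1`) plus the PRF rule noted above. The script below is an added example, not code from the original post. It normalises R1's IKEv2 proposal and transform-set and ASA1's IKEv2 policy and ipsec-proposal (all four embedded as constructed dicts taken from the transcripts) to one canonical naming, derives the IOS PRF offer from its integrity list, and runs a simplified responder selection: per transform type, the first algorithm in the initiator's order that the responder also lists, trying ASA policies lowest priority number first. The spelling tables, the assumption that R1 initiates, and the selection rule are the example's own; real IKE_SA_INIT processing is richer, but a missing intersection here is a missing intersection on the wire.

```python
"""Cross-check R1's IKEv2 proposal and transform-set against ASA1's IKEv2
policy and ipsec-proposal. Added example, not code from the original post.
The two CLIs spell the same algorithms differently, and the 15.2(4)S IOS
proposal has no 'prf' keyword: IOS offers its integrity algorithms as the PRF
set, so the ASA 'prf' list must overlap the IOS 'integrity' list or IKE_SA_INIT
fails with no matching policy."""

# Each platform's CLI spelling -> one canonical name (constructed mapping).
IOS_IKE = {"aes-cbc-128": "aes128", "aes-cbc-192": "aes192", "aes-cbc-256": "aes256",
           "3des": "3des", "des": "des", "md5": "md5", "sha1": "sha1",
           "sha256": "sha256", "sha384": "sha384", "sha512": "sha512"}
ASA_IKE = {"aes": "aes128", "aes-192": "aes192", "aes-256": "aes256", "3des": "3des",
           "des": "des", "null": "null", "md5": "md5", "sha": "sha1",
           "sha256": "sha256", "sha384": "sha384", "sha512": "sha512"}
ASA_ESP = dict(ASA_IKE, **{"sha-1": "sha1"})   # the ipsec-proposal spells SHA-1 as 'sha-1'
ESP_AUTH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256",
            "esp-sha384-hmac": "sha384", "esp-sha512-hmac": "sha512"}

# Constructed from the post's transcripts; R1 is treated as the initiator.
IOS_PROPOSAL = {"encryption": ["aes-cbc-256"], "integrity": ["sha512"], "group": ["5"]}
IOS_TRANSFORM_SET = "esp-aes 256 esp-sha-hmac"
ASA_POLICIES = [(10, {"encryption": ["aes-256"], "integrity": ["sha512"],
                      "prf": ["sha512"], "group": ["5"]})]
ASA_IPSEC_PROPOSAL = {"encryption": ["aes-256"], "integrity": ["sha-1"]}


def ios_ike_suite(proposal):
    """Canonical IKE SA offer; without a prf keyword IOS reuses the integrity list."""
    suite = {"encryption": [IOS_IKE[a] for a in proposal["encryption"]],
             "integrity": [IOS_IKE[a] for a in proposal["integrity"]],
             "group": list(proposal["group"])}
    suite["prf"] = list(suite["integrity"])
    return suite


def asa_ike_suite(policy):
    """Canonical form of one ASA 'crypto ikev2 policy' (prf is explicit there)."""
    return {"encryption": [ASA_IKE[a] for a in policy["encryption"]],
            "integrity": [ASA_IKE[a] for a in policy["integrity"]],
            "prf": [ASA_IKE[a] for a in policy["prf"]],
            "group": list(policy["group"])}


def parse_transform_set(tset):
    """Turn 'esp-aes 256 esp-sha-hmac' into canonical encryption/integrity lists."""
    toks, enc, integ, i = tset.split(), [], [], 0
    while i < len(toks):
        t = toks[i]
        if t in ("esp-aes", "esp-gcm"):
            if i + 1 < len(toks) and toks[i + 1].isdigit():   # explicit key size
                enc.append(t[4:] + toks[i + 1])
                i += 1
            else:                                              # IOS default is 128
                enc.append(t[4:] + "128")
        elif t in ("esp-3des", "esp-des"):
            enc.append(t[4:])
        elif t in ESP_AUTH:
            integ.append(ESP_AUTH[t])
        i += 1
    return {"encryption": enc, "integrity": integ}


def negotiate(offer, answer):
    """Per transform type, the first algorithm in the initiator's order that the
    responder also lists; None if any type has no common algorithm."""
    chosen = {}
    for kind, mine in offer.items():
        theirs = set(answer.get(kind, []))
        match = next((a for a in mine if a in theirs), None)
        if match is None:
            return None
        chosen[kind] = match
    return chosen


def negotiate_ike(ios_proposal, asa_policies):
    """Try ASA policies lowest priority number first; return (priority, suite)."""
    offer = ios_ike_suite(ios_proposal)
    for prio, policy in sorted(asa_policies, key=lambda p: p[0]):
        chosen = negotiate(offer, asa_ike_suite(policy))
        if chosen:
            return prio, chosen
    return None


def negotiate_ipsec(ios_tset, asa_proposal):
    """Child SA check: IOS transform-set against the ASA ikev2 ipsec-proposal."""
    answer = {"encryption": [ASA_ESP[a] for a in asa_proposal["encryption"]],
              "integrity": [ASA_ESP[a] for a in asa_proposal["integrity"]]}
    return negotiate(parse_transform_set(ios_tset), answer)
```

For the lab values this picks ASA policy 10 with AES-256 / SHA-512 / PRF SHA-512 / group 5 for the IKE SA and AES-256 / SHA-1 for the child SA; change the ASA `prf` to `sha256` while leaving the IOS integrity at `sha512` and `negotiate_ike` returns `None`, which is exactly the case the comment on the `prf` line warns about. On the live devices, `show crypto ikev2 sa` on either side shows which suite was actually agreed.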
ASA1(config)# tunnel-group 200.1.1.1 type ipsec-l2l
ASA1(config)# ?
  aaa                           Enable, disable, or view user authentication,
                                authorization and accounting
  aaa-server                    Configure a AAA server group or a AAA server
  access-group                  Bind an access-list to an interface to filter
                                traffic
  access-list                   Configure an access control element
  arp                           Change or view ARP table, set ARP timeout
                                value, view statistics
  asdm                          Configure Device Manager
  auth-prompt                   Customize authentication challenge, reject or
                                acceptance prompt
  auto-update                   Configure Auto Update
  banner                        Configure login/session banners
  boot                          Set system boot parameters
  ca                            Certification authority
  call-home                     Smart Call-Home Configuration
  checkheaps                    Configure checkheap verification intervals
  class-map                     Configure MPF Class Map
  clear                         Clear
  client-update                 Configure and change client update parameters
  clock                         Configure time-of-day clock
  command-alias                 Create command alias
  compression                   Configure global Compression parameters
  config-register               Define the configuration register
  configure                     Configure using various methods
  console                       Serial console functions
  coredump                      Configure Coredump options
  crashinfo                     Enable/Disable writing crashinfo to flash
  crypto                        Configure IPSec, ISAKMP, Certification
                                authority, key
  ctl-file                      Configure a ctl-file instance
  ctl-provider                  Configure a CTL Provider instance
  ddns                          Configure dynamic DNS update method
  dhcp-client                   Configure parameters for DHCP client operation
  dhcpd                         Configure DHCP Server
  dhcprelay                     Configure DHCP Relay Agent
  dns                           Add DNS functionality to an interface
  dns-group                     Set the global DNS server group
  dns-guard                     Enforce one DNS response per query
  domain-name                   Change domain name
  dynamic-access-policy-record  Dynamic Access Policy configuration commands
  dynamic-filter                Configure Dynamic Filter
  dynamic-map                   Configure crypto dynamic map
  enable                        Configure password for the enable command
  end                           Exit from configure mode
  eou                           EAP over UDP (NAC Framework) Global
                                Configuration Commands
  established                   Allow inbound connections based on established
                                connections
  exit                          Exit from config mode
  failover                      Enable/disable failover feature
  filter                        Enable or disable URL, FTP, HTTPS, Java, and
                                ActiveX filtering
  fips                          FIPS 140-2 compliance information
  firewall                      Switch to router/transparent mode
  fixup                         Add or delete inspection services
  flow-export                   Configure flow information export through
                                NetFlow
  fragment                      Configure the IP fragment database
  ftp                           Set FTP mode
  ftp-map                       Configure advanced options for FTP inspection
  group-delimiter               The delimiter for tunnel-group lookup.
  group-policy                  Configure or remove a group policy
  gtp-map                       Configure advanced options for GTP inspection
  h225-map                      Configure advanced options for H225 inspection
  help                          Interactive help for commands
  hostname                      Change host name of the system
  hpm                           Configure TopN host statistics collection
  http                          Configure http server and https related
                                commands
  http-map                      This command has been deprecated.
  icmp                          Configure access rules for ICMP traffic
  imap4s                        Configure the imap4s service
  interface                     Select an interface to configure
  ip                            Configure IP addresses, address pools, IDS, etc
  ipsec                         Configure transform-set and IPSec SA lifetime
  ipv6                          Global IPv6 configuration commands
  isakmp                        Configure ISAKMP options
  key                           Create various configuration keys
  l2tp                          Configure Global L2TP Parameters
  lacp                          LACP configuration
  ldap                          Configure LDAP Mapping
  license-server                Configure shared license server
  logging                       Configure logging levels, recipients and other
                                options
  logout                        Logoff from config mode
  mac-list                      Create a mac-list to filter based on MAC
                                address
  management-access             Configure management access interface
  map                           Configure crypto map
  media-termination             Configure a media-termination instance
  mgcp-map                      Configure advanced options for MGCP inspection
  migrate                       Migrate IKEv1 configuration to IKEv2/SSL
  mode                          Toggle between single and multiple security
                                context modes
  monitor-interface             Enable or disable failover monitoring on a
                                specific interface
  mount                         Configure a system mount
  mroute                        Configure static multicast routes
  mtu                           Specify MTU(Maximum Transmission Unit) for an
                                interface
  multicast-routing             Enable IP multicast
  nac-policy                    Configure or remove a nac-policy
  name                          Associate a name with an IP address
  names                         Enable/Disable IP address to name mapping
  nat                           Associate a network with a pool of global IP
                                addresses
  no                            Negate a command or set its defaults
  ntp                           Configure NTP
  object                        Configure an object
  object-group                  Create an object group for use in
                                'access-list', etc
  object-group-search           Enables object group search algorithm
  pager                         Control page length for pagination
  passwd                        Change Telnet console access password
  password                      Configure password encryption
  phone-proxy                   Configure a Phone proxy instance
  pim                           Configure Protocol Independent Multicast
  policy-map                    Configure MPF Parameter Map
  pop3s                         Configure the pop3s service
  prefix-list                   Configure prefix lists
  priority-queue                Enter sub-command mode to set priority-queue
                                attributes
  privilege                     Configure privilege levels for commands
  prompt                        Configure session prompt display
  quit                          Exit from config mode
  regex                         Define a regular expression
  remote-access                 Configure SNMP trap threshold for VPN
                                remote-access sessions
  route                         Configure a static route for an interface
  route-map                     Create route-map or enter route-map
                                configuration mode
  router                        Enable a routing process
  routing                       Configure interface specific unicast routing
                                parameters
  same-security-traffic         Enable same security level interfaces to
                                communicate
  service                       Configure system services
  service-policy                Configure MPF service policy
  setup                         Pre-configure the system
  sla                           IP Service Level Agreement
  smtp-server                   Configure default SMTP server address to be
                                used for Email
  smtps                         Configure the smtps service
  snmp                          Configure the SNMP options
  snmp-map                      Configure an snmp-map, to control the operation
                                of the SNMP inspection
  snmp-server                   Modify SNMP engine parameters
  ssh                           Configure SSH options
  ssl                           Configure SSL options
  sunrpc-server                 Create SUNRPC services table
  sysopt                        Set system functional options
  tcp-map                       Configure advanced options for TCP inspection
  telnet                        Add telnet access to system console or set idle
                                timeout
  terminal                      Set terminal line parameters
  tftp-server                   Configure default TFTP server address and
                                directory
  threat-detection              Show threat detection information
  time-range                    Define time range entries
  timeout                       Configure maximum idle times
  tls-proxy                     Configure a TLS proxy instance or the maximum
                                sessions
  track                         Object tracking configuration commands
  tunnel-group                  Create and manage the database of connection
                                specific records for IPSec connections
  tunnel-group-map              Specify policy by which the tunnel-group name
                                is derived from the content of a certificate.
  uc-ime                        Configure a Cisco Intercompany Media Engine
                                (UC-IME) instance
  url-block                     Enable URL pending block buffer and long URL
                                support
  url-cache                     Enable/Disable URL caching
  url-server                    Configure a URL filtering server
  user-identity                 Configure user-identity firewall
  username                      Configure user authentication local database
  virtual                       Configure address for authentication virtual
                                servers
  vpdn                          Configure VPDN feature
  vpn-addr-assign               Global settings for VPN IP address assignment
                                policy
  vpn-sessiondb                 Configure the VPN Session Manager
  vpnsetup                      Configure VPN Setup Commands
  wccp                          Web-Cache Coordination Protocol Commands
  webvpn                        Configure the WebVPN service
  zonelabs-integrity            ZoneLabs integrity Firewall Server
                                Configuration

ASA1(config)# tunnel-group 200.1.1.1 ipsec-attributes
ASA1(config-tunnel-ipsec)# ?

tunnel-group configuration commands:
  chain             Enable sending certificate chain
  exit              Exit from tunnel-group IPSec attribute configuration mode
  help              Help for tunnel group configuration commands
  ikev1             Configure IKEv1
  ikev2             Configure IKEv2
  isakmp            Configure ISAKMP policy
  no                Remove an attribute value pair
  peer-id-validate  Validate identity of the peer using the peer's certificate

ASA1(config-tunnel-ipsec)# ikev2 ?

tunnel-group-ipsec mode commands/options:
  local-authentication   Configure the local authentication method for IKEv2
                         tunnels
  remote-authentication  Configure the remote authentication method required of
                         the remote peer for IKEv2 tunnels

ASA1(config-tunnel-ipsec)# ikev2 local-authentication ?

tunnel-group-ipsec mode commands/options:
  certificate     Select the trustpoint that identifies the cert to be sent to
                  the IKE peer
  pre-shared-key  Configure the local pre-shared-key used to authenticate to
                  the remote peer

ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key ?

tunnel-group-ipsec mode commands/options:
  0  Specifies an UNENCRYPTED password will follow
  8  Specifies an ENCRYPTED password will follow

ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key cisco
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key cisco

ASA1(config)# crypto ikev2 ?

configure mode commands/options:
  cookie-challenge  Enable and configure IKEv2 cookie challenges based on
                    half-open SAs
  enable            Enable IKEv2 on the specified interface
  limit             Enable limits on IKEv2 SAs
  policy            Set IKEv2 policy suite
  redirect          Set IKEv2 redirect
  remote-access     Configure IKEv2 for Remote Access

ASA1(config)# crypto ikev2 enable ?

configure mode commands/options:
Type an interface name to enable
  inside   Name of interface GigabitEthernet1
  outside  Name of interface GigabitEthernet0
  <cr>

ASA1(config)# crypto ikev2 enable outside
ASA1(config)# crypto map ?

configure mode commands/options:
  WORD < 64 char  Crypto map template tag

ASA1(config)# crypto map CMAP ?

configure mode commands/options:
  <1-65535>  Sequence to insert into map entry
  client     Enable IKE extended authentication (Xauth)
  interface  Name of interface to apply the crypto map to

ASA1(config)# crypto map CMAP 10 ?

configure mode commands/options:
  annotation    Specify annotation text - to be used by ASDM only
  ipsec-isakmp  IPSec w/ISAKMP
  match         Match address of packets to encrypt
  set           Specify crypto map settings

ASA1(config)# crypto map CMAP 10 match ?

configure mode commands/options:
  address  Match address of packets to encrypt

ASA1(config)# crypto map CMAP 10 match address ASA1-R1-ACL
ASA1(config)# crypto map CMAP 10 set ?

configure mode commands/options:
  connection-type       Specify connection-type for site-site connection based
                        on this entry
  ikev1                 Configure IKEv1 policy
  ikev2                 Configure IKEv2 policy
  nat-t-disable         Disable nat-t negotiation for connections based on this
                        entry
  peer                  Set IP address of peer
  pfs                   Specify pfs settings
  reverse-route         Enable reverse route injection for connections based on
                        this entry
  security-association  Security association duration
  trustpoint            Specify trustpoint that defines the certificate to be
                        used while initiating a connection based on this entry

ASA1(config)# crypto map CMAP 10 set peer ?

configure mode commands/options:
  Hostname or A.B.C.D     IP address
  Hostname or X:X:X:X::X  IPv6 address

ASA1(config)# crypto map CMAP 10 set peer 200.1.1.1
ASA1(config)# crypto map CMAP 10 set ikev2 ?

configure mode commands/options:
  ipsec-proposal  Specify list of IPSec proposals in priority order
  pre-shared-key  Specify a pre-shared key to be used while initiating a
                  connection based on this entry

ASA1(config)# crypto map CMAP 10 set ikev2 ipsec-proposal ?

configure mode commands/options:
  WORD  ipsec-proposal tag

ASA1(config)# crypto map CMAP 10 set ikev2 ipsec-proposal PROPOSAL-1
ASA1(config)# crypto map CMAP ?

configure mode commands/options:
  <1-65535>  Sequence to insert into map entry
  client     Enable IKE extended authentication (Xauth)
  interface  Name of interface to apply the crypto map to

ASA1(config)# crypto map CMAP interface ?

configure mode commands/options:
Current available interface(s):
  inside   Name of interface GigabitEthernet1
  outside  Name of interface GigabitEthernet0

ASA1(config)# crypto map CMAP interface outside
ASA1(config)# fixup protocol icmp       // ENABLE ICMP STATEFUL INSPECTION
INFO: converting 'fixup protocol icmp ' to MPF commands
ASA1(config)# policy-map global_policy
ASA1(config-pmap)# class inspection_default
ASA1(config-pmap-c)# inspect icmp error

ASA1# show run
: Saved
:
ASA Version 8.4(2)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 200.1.1.2 255.255.255.252
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network LAN1
 subnet 192.168.1.0 255.255.255.0
object network LAN2
 subnet 192.168.2.0 255.255.255.0
access-list ASA1-R1-ACL extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static LAN2 LAN2 destination static LAN1 LAN1
route outside 0.0.0.0 0.0.0.0 200.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal PROPOSAL-1
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map CMAP 10 match address ASA1-R1-ACL
crypto map CMAP 10 set peer 200.1.1.1
crypto map CMAP 10 set ikev2 ipsec-proposal PROPOSAL-1
crypto map CMAP interface outside
crypto ikev2 policy 10
 encryption aes-256
 integrity sha512
 group 5
 prf sha512
 lifetime seconds 86400
crypto ikev2 enable outside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 200.1.1.1 type ipsec-l2l
tunnel-group 200.1.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco
 ikev2 local-authentication pre-shared-key cisco
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:24994b52de47b3fa4716867ab926d840
: end

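The IKEv2 policy and the IPsec proposal in the running config above are what the ASA turns into the SA payload of the IKE_SA_INIT and IKE_AUTH exchanges, and the `debug crypto ikev2 protocol` output on this page prints that payload field by field (SA length 48, proposal length 44, transform lengths 12/8/8/8 for the IKE SA; 44/40 and 12/8/8 for ESP). The following Python is an added example, not code from the original post: it encodes both SA payloads per RFC 7296 section 3.3, parses them back, and flags the parameters a reviewer would question. Transform type and ID numbers come from the IANA IKEv2 registry, the ESP SPI is the inbound SPI shown in the IPSEC debug, and the function names and the weakness thresholds in `weak_transforms` are my own choices.

```python
"""Encode and decode IKEv2 SA payloads (RFC 7296, section 3.3).

Added example, not code from the original post: it builds the SA payload
the ASA sends for "crypto ikev2 policy 10" and for ipsec-proposal
PROPOSAL-1, parses it back, and flags weak parameters.
"""
import struct

# Transform types (RFC 7296 section 3.3.2) and the IDs used on this page,
# from the IANA IKEv2 parameters registry.
ENCR, PRF, INTEG, DH, ESN = 1, 2, 3, 4, 5
TRANSFORM_NAMES = {
    (ENCR, 12): "AES-CBC",
    (PRF, 2): "PRF_HMAC_SHA1",
    (PRF, 7): "PRF_HMAC_SHA2_512",
    (INTEG, 2): "HMAC_SHA1_96",
    (INTEG, 14): "HMAC_SHA2_512_256",
    (DH, 5): "MODP_1536 (group 5)",
    (DH, 14): "MODP_2048 (group 14)",
    (ESN, 0): "NO_ESN",
}
KEY_LENGTH_ATTR = 0x800E        # TV attribute 14 (Key Length), high bit set
PROTO_IKE, PROTO_ESP = 1, 3
NP_KE, NP_TSI = 34, 44          # Next Payload values seen after the SA payload


def build_transform(ttype, tid, key_len=None, last=False):
    """Transform substructure: 8-byte header plus an optional Key Length attribute."""
    attr = b"" if key_len is None else struct.pack("!HH", KEY_LENGTH_ATTR, key_len)
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attr), ttype, 0, tid) + attr


def build_proposal(number, proto, spi, transforms, last=True):
    """Proposal substructure. transforms is a list of (type, id, key_len or None)."""
    body = b"".join(
        build_transform(t, i, k, last=(n == len(transforms) - 1))
        for n, (t, i, k) in enumerate(transforms)
    )
    header = struct.pack("!BBHBBBB", 0 if last else 2, 0, 8 + len(spi) + len(body),
                         number, proto, len(spi), len(transforms))
    return header + spi + body


def build_sa_payload(next_payload, proposals):
    """SA payload: generic 4-byte payload header followed by the proposals."""
    body = b"".join(proposals)
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_sa_payload(data):
    """Decode an SA payload into proposals with named transforms and their lengths."""
    _, _, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("SA payload length %d does not match %d bytes" % (length, len(data)))
    proposals, off = [], 4
    while off < length:
        _, _, plen, num, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", data[off:off + 8])
        spi = data[off + 8:off + 8 + spi_size]
        toff, transforms = off + 8 + spi_size, []
        for _ in range(ntrans):
            _, _, tlen, ttype, _, tid = struct.unpack("!BBHBBH", data[toff:toff + 8])
            key_len = None
            if tlen >= 12:
                atype, aval = struct.unpack("!HH", data[toff + 8:toff + 12])
                if atype == KEY_LENGTH_ATTR:
                    key_len = aval
            transforms.append({"type": ttype, "id": tid, "key_len": key_len, "length": tlen,
                               "name": TRANSFORM_NAMES.get((ttype, tid), "type%d/id%d" % (ttype, tid))})
            toff += tlen
        proposals.append({"num": num, "proto": proto, "spi": spi, "length": plen,
                          "transforms": transforms})
        off += plen
    return proposals


def weak_transforms(proposals):
    """Flag what a reviewer would push back on: MODP groups below 2048 bits
    (RFC 8247 lists groups 2 and 5 as SHOULD NOT, group 1 as MUST NOT) and
    SHA-1 based PRF/integrity. The thresholds are this example's own choice."""
    findings = []
    for p in proposals:
        for t in p["transforms"]:
            if t["type"] == DH and t["id"] in (1, 2, 5):
                findings.append("proposal %d: DH %s is below 2048-bit MODP" % (p["num"], t["name"]))
            if t["type"] in (PRF, INTEG) and t["id"] == 2:
                findings.append("proposal %d: %s is SHA-1 based" % (p["num"], t["name"]))
    return findings


# "crypto ikev2 policy 10": aes-256, integrity sha512, prf sha512, group 5,
# in the transform order the ASA debug shows (ENCR, PRF, INTEG, DH).
IKE_SA = build_sa_payload(NP_KE, [build_proposal(1, PROTO_IKE, b"", [
    (ENCR, 12, 256), (PRF, 7, None), (INTEG, 14, None), (DH, 5, None)])])

# "crypto ipsec ikev2 ipsec-proposal PROPOSAL-1": esp aes-256 / sha-1, no ESN.
# The 4-byte SPI is the inbound SPI from the IPSEC debug on this page.
ESP_SA = build_sa_payload(NP_TSI, [build_proposal(1, PROTO_ESP, bytes.fromhex("8FB36110"), [
    (ENCR, 12, 256), (INTEG, 2, None), (ESN, 0, None)])])

if __name__ == "__main__":
    for label, sa in (("IKE", IKE_SA), ("ESP", ESP_SA)):
        props = parse_sa_payload(sa)
        print(label, "SA payload", len(sa), "bytes, proposal", props[0]["length"], "bytes")
        for t in props[0]["transforms"]:
            print("  ", t["length"], t["name"], t["key_len"] or "")
        for f in weak_transforms(props):
            print("  WEAK:", f)
```

The decoded lengths line up with the debug dump because AES-CBC carries a 4-byte Key Length attribute (so 12 bytes instead of 8) and the ESP proposal carries a 4-byte SPI that the IKE proposal does not. The two findings are worth reading next to the config: group 5 is 1536-bit MODP, which RFC 8247 lists as SHOULD NOT (group 14 or an ECP group is the usual replacement), and the ESP integrity is HMAC-SHA1-96 even though the IKE SA itself already uses SHA-512. The pre-shared key `cisco` is a lab value; a production tunnel-group needs a long random key, and the `ikev2 local-authentication` / `remote-authentication` pair lets the two directions use different keys.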

I ran some debugs on the ASA firewall.

ASA1# debug crypto ?

  ca          Set PKI debug levels
  condition   Set IPSec/ISAKMP debug filters
  engine      Set crypto engine debug levels
  ike-common  Set IKE common debug levels
  ikev1       Set IKEV1 debug levels
  ikev2       Set IKEV2 debug levels
  ipsec       Set IPSec debug levels
  vpnclient   Set EasyVPN client debug levels

ASA1# debug crypto ikev2 ?

  ha        debug the ikev2 ha
  platform  debug the ikev2 platform
  protocol  debug the ikev2 protocol
  timers    debug the ikev2 timers

ASA1# debug crypto ikev2 protocol ?

  <1-255>  Specify an optional debug level (default is 1)
  <cr>

ASA1# debug crypto ikev2 protocol 255
ASA1# debug crypto ipsec ?

  <1-255>  Specify an optional debug level (default is 1)
  <cr>

ASA1# debug crypto ipsec 255
ASA1# show debug
debug crypto ipsec enabled at level 255
debug crypto ikev2 protocol enabled at level 255


ASA1#
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.2.2, sport=64741, daddr=192.168.1.1, dport=64741
IPSEC(crypto_map_check)-3: Checking crypto map CMAP 10: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.2.2, sport=64741, daddr=192.168.1.1, dport=64741
IPSEC(crypto_map_check)-3: Checking crypto map CMAP 10: matched.
IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey GETSPI message
IPSEC: Creating IPsec SA
IPSEC: Getting the inbound SPI
IPSEC: New embryonic SA created @ 0xbc40f420,
    SCB: 0xBC40C130,
    Direction: inbound
    SPI      : 0x8FB36110
    Session ID: 0x0000B000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-3: (11): Getting configured policies
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-3: (11): Setting configured policies
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-3: (11): Computing DH public key
IKEv2-PROTO-3: (11):
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-5: (11): Action: Action_Null
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-2: (11): Sending initial message
IKEv2-PROTO-3:   IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA512   SHA512   DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-5: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-5: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-5: Construct Vendor Specific Payload: FRAGMENTATIONIKEv2-PROTO-3: (11): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 200.1.1.2:500/R 200.1.1.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:13CECD39AA927069 - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: 13CECD39AA927069 - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 458
 SA  Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA512
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA512
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
 IKE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0
     10 1b 5d 7d ee 22 0a a5 ef 54 be a6 b2 e4 4e 9f
     04 1b 7b 4c 63 31 ff 7b b1 85 b0 98 da 09 38 bf
     e7 15 e8 70 36 5a a2 63 9e 4a 07 94 7e 21 13 61
     48 e7 64 c3 ce 5a 96 b2 53 64 03 d7 99 c3 12 ea
     54 45 54 9c 04 5a 53 4a 44 24 4f 87 f5 2f 31 3d
     f1 8c 15 58 db e4 40 c2 f9 73 f8 b8 39 47 83 34
     fa 17 c3 bb 66 89 a1 fd b9 1f 73 56 93 88 21 1b
     fe e9 69 61 f4 af d6 b3 c7 b0 df 4f 7c 5f 92 79
     50 3b 86 41 23 0c f0 98 1d ae 8d 93 67 18 95 6b
     d2 5e 1e b4 20 39 5a e8 80 90 23 8d 2b 81 b9 b5
     89 2e 13 c4 dd d1 a6 21 9f 69 0f c7 76 89 2d 83
     4b 8b b8 bc f8 29 cd ec ef b1 46 e2 b9 34 98 25
 Next payload: VID, reserved: 0x0, length: 24
     65 81 fb 3a b5 e6 b9 33 ad 76 5d 0a d3 fc 2b c7
     7c c6 b6 d1
 VID  Next payload: VID, reserved: 0x0, length: 23
     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
 VID  Next payload: NOTIFY, reserved: 0x0, length: 59
     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
     55 3b c8 6c 67 a4 c8 55 7b 55 c6 69 8b 3d 5c 79
     c2 70 13 98
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: VID, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
     81 a0 7d c2 74 a9 6d a6 90 6b c6 1d 2d 33 86 74
     e2 d8 41 42
 VID  Next payload: NONE, reserved: 0x0, length: 20
     40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-3: (11): Insert SA
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 200.1.1.2:500/R 200.1.1.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:13CECD39AA927069 - r: C6414ACB8DC80CF5]
IKEv2-PROTO-4: IKEV2 HDR ispi: 13CECD39AA927069 - rspi: C6414ACB8DC80CF5
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x0, length: 572
 SA  Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA512
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA512
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
 KE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0
     16 af 36 bb c5 d5 14 10 e8 37 ce 35 5d ac b7 22
     bf cf 9a ff a1 58 b7 49 3c c7 c6 15 a4 37 07 f2
     77 5b 40 c0 6c 21 b7 78 9b ed b9 98 35 0f 1e f5
     55 25 9a f8 ca 15 b7 1e 3c 02 92 cc ed 71 2a 20
     65 f8 3d 20 3a b2 0a a8 41 d1 eb f5 74 30 85 50
     9e c7 2a 6b 5e 38 2e 0c fa c0 d7 12 24 13 a4 7f
     cc 3f ca 0c a6 e8 e8 a4 ee 82 7a 08 4c 40 17 42
     2f 16 e0 ef a4 2b 0b ee 1e f6 e0 d3 7c de 88 b1
     83 31 7b a2 ac 53 3a 9b e1 d9 40 20 0a 58 7a d9
     37 98 37 24 3f 88 dc 7e 5d f2 83 38 2a 37 fb 7e
     43 ea 98 1e b3 40 2b 87 d5 f7 4e a6 92 68 1f 94
     62 10 c9 e9 d7 3b 9f 39 90 2f 19 28 c3 92 9c 09
 N  Next payload: VID, reserved: 0x0, length: 24
     81 be 1d 70 eb e5 75 ab b6 3a 17 2a 17 08 2e ed
     db 3b 56 8b
IKEv2-PROTO-5: Parse Vendor Specific Payload: CISCO-DELETE-REASON VID  Next payload: VID, reserved: 0x0, length: 23
     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: VID, reserved: 0x0, length: 59
     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: NOTIFY, reserved: 0x0, length: 21
     46 4c 45 58 56 50 4e 2d 53 55 50 50 4f 52 54 45
     44
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
     a7 c8 6d 91 9f 3d b7 6a af fd 76 21 96 5a f7 fa
     35 6c ea 3f
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: CERTREQ, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
     79 8e 84 e8 a8 16 57 c1 98 78 59 44 6c 27 3f 37
     3c 6e c1 e6
 CERTREQ  Next payload: NOTIFY, reserved: 0x0, length: 105
    Cert encoding Hash and URL of PKIX
CertReq data: 100 bytes
IKEv2-PROTO-5: Parse Notify Payload: HTTP_CERT_LOOKUP_SUPPORTED NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: HTTP_CERT_LOOKUP_SUPPORTED
Decrypted packet:Data: 572 bytes
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-5: (11): Processing initial message
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (11): Processing initial message
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-3: (11): Verify SA init message
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-2: (11): Processing initial message
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-3: (11): Process NAT discovery notify
IKEv2-PROTO-5: (11): Processing nat detect src notify
IKEv2-PROTO-5: (11): Remote address matched
IKEv2-PROTO-5: (11): Processing nat detect dst notify
IKEv2-PROTO-5: (11): Local address matched
IKEv2-PROTO-5: (11): No NAT found
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-3: (11): Check NAT discovery
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-3: (11): Computing DH secret key
IKEv2-PROTO-3: (11):
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-5: (11): Action: Action_Null
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-3: (11): Generate skeyid
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-3: (11): Cisco DeleteReason Notify is enabled
IKEv2-PROTO-3: (11): Complete SA init exchange
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (11): Check for EAP exchange
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-3: (11): Generate my authentication data
IKEv2-PROTO-3: (11): Use preshared key for id 200.1.1.2, key len 5
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (11): Get my authentication method
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-3: (11): Check for EAP exchange
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-2: (11): Sending auth message
IKEv2-PROTO-5: Construct Vendor Specific Payload: CISCO-GRANITEIKEv2-PROTO-3:   ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
   AES-CBC   SHA96  
IKEv2-PROTO-5: Construct Notify Payload: INITIAL_CONTACTIKEv2-PROTO-5: Construct Notify Payload: ESP_TFC_NO_SUPPORTIKEv2-PROTO-5: Construct Notify Payload: NON_FIRST_FRAGSIKEv2-PROTO-3: (11): Building packet for encryption; contents are:
 VID  Next payload: IDi, reserved: 0x0, length: 20
     11 ce cc 39 b9 a5 83 2e 9b 20 27 87 63 ca 5e f0
 IDi  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0
     c8 01 01 02
 AUTH  Next payload: SA, reserved: 0x0, length: 72
    Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 64 bytes
 SA  Next payload: TSi, reserved: 0x0, length: 44
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id:
 TSi  Next payload: TSr, reserved: 0x0, length: 40
    Num of TSs: 2, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 192.168.2.2, end addr: 192.168.2.2
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 192.168.2.0, end addr: 192.168.2.255
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 40
    Num of TSs: 2, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 192.168.1.1, end addr: 192.168.1.1
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 192.168.1.0, end addr: 192.168.1.255
 NOTIFY(INITIAL_CONTACT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
 NOTIFY(ESP_TFC_NO_SUPPORT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
 NOTIFY(NON_FIRST_FRAGS)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
IKEv2-PROTO-3: (11): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 200.1.1.2:500/R 200.1.1.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:13CECD39AA927069 - r: C6414ACB8DC80CF5]
IKEv2-PROTO-4: IKEV2 HDR ispi: 13CECD39AA927069 - rspi: C6414ACB8DC80CF5
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x1, length: 336
 ENCR  Next payload: VID, reserved: 0x0, length: 308
Encrypted data: 304 bytes
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 200.1.1.2:500/R 200.1.1.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:13CECD39AA927069 - r: C6414ACB8DC80CF5]
IKEv2-PROTO-4: IKEV2 HDR ispi: 13CECD39AA927069 - rspi: C6414ACB8DC80CF5
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x1, length: 320

REAL Decrypted packet:Data: 224 bytes
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: IDr, reserved: 0x0, length: 20
     c7 41 4b cb 9e ff ff b2 9b 20 27 87 63 ca 5e f0
 IDr  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0
     c8 01 01 01
 AUTH  Next payload: SA, reserved: 0x0, length: 72
    Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 64 bytes
 SA  Next payload: TSi, reserved: 0x0, length: 44
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id:
 TSi  Next payload: TSr, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 192.168.2.0, end addr: 192.168.2.255
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 192.168.1.0, end addr: 192.168.1.255
IKEv2-PROTO-5: Parse Notify Payload: SET_WINDOW_SIZE NOTIFY(SET_WINDOW_SIZE)  Next payload: NOTIFY, reserved: 0x0, length: 12
    Security protocol id: IKE, spi size: 0, type: SET_WINDOW_SIZE
     00 00 00 05
IKEv2-PROTO-5: Parse Notify Payload: ESP_TFC_NO_SUPPORT NOTIFY(ESP_TFC_NO_SUPPORT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
IKEv2-PROTO-5: Parse Notify Payload: NON_FIRST_FRAGS NOTIFY(NON_FIRST_FRAGS)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
Decrypted packet:Data: 320 bytes
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-5: (11): Action: Action_Null
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (11): Process auth response notify
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-3: (11): Getting configured policies
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-3: (11): Verify peer's policy
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (11): Get peer authentication method
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-3: (11): Get peer's preshared key for 200.1.1.1
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-3: (11): Verify authentication data
IKEv2-PROTO-3: (11): Use preshared key for id 200.1.1.1, key len 5
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (11): Check for EAP exchange
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_SA_TS
IKEv2-PROTO-2: (11): Processing auth message
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-5: (11): Action: Action_Null
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE
IKEv2-PROTO-3: (11): Closing the PKI session
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-2: (11): SA created; inserting SA into database
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PROTO-3: (11):
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PROTO-3: (11): Initializing DPD, configured for 10 seconds
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_GEN_LOAD_IPSEC
IKEv2-PROTO-3: (11): Load IPSEC key material
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_START_ACCT
IKEv2-PROTO-5: (11): Accounting not required
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-3: (11): Checking for duplicate SA
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: READY Event: EV_I_UPDATE_CAC_STATS
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: READY Event: EV_I_OK
IKEv2-PROTO-5: (11): Deleting negotiation context for my message ID: 0x1
IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey ADD message
IPSEC: Creating IPsec SA
IPSEC: Adding the outbound SA, SPI: 0x6DB242F8
IPSEC: New embryonic SA created @ 0xbc40dbd0,
    SCB: 0xBC4107A8,
    Direction: outbound
    SPI      : 0x6DB242F8
    Session ID: 0x0000B000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0x6DB242F8
IPSEC: Creating outbound VPN context, SPI 0x6DB242F8
    Flags: 0x00000005
    SA   : 0xbc40dbd0
    SPI  : 0x6DB242F8
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x00117A5F
    Channel: 0xb62afb20
IPSEC: Increment SA NP ref counter for outbound SPI 0x6DB242F8, old value: 0, new value: 1, (ctm_ipsec_create_vpn_context:5983)
IPSEC: Completed outbound VPN context, SPI 0x6DB242F8
    VPN handle: 0x00003c34
IPSEC: New outbound encrypt rule, SPI 0x6DB242F8
    Src addr: 192.168.2.0
    Src mask: 255.255.255.0
    Dst addr: 192.168.1.0
    Dst mask: 255.255.255.0

    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Increment SA NP ref counter for outbound SPI 0x6DB242F8, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:5088)
IPSEC: Completed outbound encrypt rule, SPI 0x6DB242F8
    Rule ID: 0xbc40d518
IPSEC: Decrement SA NP ref counter for outbound SPI 0x6DB242F8, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:4344)
IPSEC: New outbound permit rule, SPI 0x6DB242F8
    Src addr: 200.1.1.2
    Src mask: 255.255.255.255
    Dst addr: 200.1.1.1
    Dst mask: 255.255.255.255

    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x6DB242F8
    Use SPI: true
IPSEC: Increment SA NP ref counter for outbound SPI 0x6DB242F8, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:5222)
IPSEC: Completed outbound permit rule, SPI 0x6DB242F8
    Rule ID: 0xbc2da200
IPSEC: Decrement SA NP ref counter for outbound SPI 0x6DB242F8, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:4344)
IPSEC: Decrement SA NP ref counter for outbound SPI 0x6DB242F8, old value: 1, new value: 0, (ctm_np_vpn_context_cb:9414)
IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey UPDATE message
IPSEC: Creating IPsec SA
IPSEC: Updating the inbound SA, SPI: 0x8FB36110
IPSEC: Completed host IBSA update, SPI 0x8FB36110
IPSEC: Creating inbound VPN context, SPI 0x8FB36110
    Flags: 0x00000006
    SA   : 0xbc40f420
    SPI  : 0x8FB36110
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x00003C34
    SCB  : 0x000F7F13
    Channel: 0xb62afb20
IPSEC: Increment SA NP ref counter for inbound SPI 0x8FB36110, old value: 0, new value: 1, (ctm_ipsec_create_vpn_context:5898)
IPSEC: Completed inbound VPN context, SPI 0x8FB36110
    VPN handle: 0x00004154
IPSEC: Updating outbound VPN context 0x00003C34, SPI 0x6DB242F8
    Flags: 0x00000005
    SA   : 0xbc40dbd0
    SPI  : 0x6DB242F8
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00004154
    SCB  : 0x00117A5F
    Channel: 0xb62afb20
IPSEC: Increment SA NP ref counter for outbound SPI 0x6DB242F8, old value: 0, new value: 1, (ctm_ipsec_create_vpn_context:5970)
IPSEC: Completed outbound VPN context, SPI 0x6DB242F8
    VPN handle: 0x00003c34
IPSEC: Completed outbound inner rule, SPI 0x6DB242F8
    Rule ID: 0xbc40d518
IPSEC: Completed outbound outer SPD rule, SPI 0x6DB242F8
    Rule ID: 0xbc2da200
IPSEC: Decrement SA NP ref counter for outbound SPI 0x6DB242F8, old value: 1, new value: 0, (ctm_np_vpn_context_cb:9414)
IPSEC: New inbound tunnel flow rule, SPI 0x8FB36110
    Src addr: 192.168.1.0
    Src mask: 255.255.255.0
    Dst addr: 192.168.2.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Increment SA NP ref counter for inbound SPI 0x8FB36110, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:4854)
IPSEC: Completed inbound tunnel flow rule, SPI 0x8FB36110
    Rule ID: 0xbc40d778
IPSEC: Decrement SA NP ref counter for inbound SPI 0x8FB36110, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:4344)
IPSEC: New inbound decrypt rule, SPI 0x8FB36110
    Src addr: 200.1.1.1
    Src mask: 255.255.255.255
    Dst addr: 200.1.1.2
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x8FB36110
    Use SPI: true
IPSEC: Increment SA NP ref counter for inbound SPI 0x8FB36110, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:4947)
IPSEC: Completed inbound decrypt rule, SPI 0x8FB36110
    Rule ID: 0xbc410b08
IPSEC: Decrement SA NP ref counter for inbound SPI 0x8FB36110, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:4344)
IPSEC: New inbound permit rule, SPI 0x8FB36110
    Src addr: 200.1.1.1
    Src mask: 255.255.255.255
    Dst addr: 200.1.1.2
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x8FB36110
    Use SPI: true
IPSEC: Increment SA NP ref counter for inbound SPI 0x8FB36110, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:4947)
IPSEC: Completed inbound permit rule, SPI 0x8FB36110
    Rule ID: 0xbc412440
IPSEC: Decrement SA NP ref counter for inbound SPI 0x8FB36110, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:4344)
IPSEC: Decrement SA NP ref counter for inbound SPI 0x8FB36110, old value: 1, new value: 0, (ctm_np_vpn_context_cb:9414)


ASA1# show crypto ?

  accelerator      Show accelerator operational data
  ca               Show certification authority policy
  debug-condition  Show crypto debug filters
  ikev1            Show IKEv1 operational data
  ikev2            Show IKEv2 operational data
  ipsec            Show IPsec operational data
  isakmp           Show ISAKMP operational data
  key              Show long term public keys
  protocol         Show protocol statistics
  ssl              Show ssl information

ASA1# show crypto ikev2 ?

  sa     Show IKEv2 sas
  stats  Show IKEv2 statistics

ASA1# show crypto ikev2 sa

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
 96200735         200.1.1.2/500         200.1.1.1/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/51 sec
Child sa: local selector  192.168.2.0/0 - 192.168.2.255/65535
          remote selector 192.168.1.0/0 - 192.168.1.255/65535
          ESP spi in/out: 0x8fb36110/0x6db242f8


ASA1# show crypto ipsec sa
interface: outside
    Crypto map tag: CMAP, seq num: 10, local addr: 200.1.1.2

      access-list ASA1-R1-ACL extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 200.1.1.1

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 200.1.1.2/500, remote crypto endpt.: 200.1.1.1/500
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 6DB242F8
      current inbound spi : 8FB36110

    inbound esp sas:
      spi: 0x8FB36110 (2410897680)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 45056, crypto-map: CMAP
         sa timing: remaining key lifetime (kB/sec): (3962880/28733)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x6DB242F8 (1840399096)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 45056, crypto-map: CMAP
         sa timing: remaining key lifetime (kB/sec): (4101119/28733)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


Here's the debug output from the router.

R1#debug crypto ?
  ber        decode ASN.1 BER data
  condition  Define debug condition filters
  engine     Crypto Engine Debug
  gdoi       Crypto GDOI Group Key Management debug
  ha         Crypto High Availability (generic) debug
  ikev2      IKEv2 debugging
  ipsec      IPSEC processing
  ipv6       Crypto IPv6 debug
  isakmp     ISAKMP Key Management
  kmi        Crypto Key Management Interface debug
  mib        IPSEC Management Transactions
  pki        PKI Client
  rmal       Crypto RMAL debug
  routing    IPSEC Route Events
  socket     Crypto Secure Socket Debug
  verbose    verbose decode

R1#debug crypto ikev2 ?
  client    Client
  error     IKEv2 Error debugging
  internal  IKEv2 Internal debugging
  packet    IKEv2 Packet debugging
  <cr>

R1#debug crypto ikev2
IKEv2 default debugging is on

R1#debug crypto isakmp
Crypto ISAKMP debugging is on

R1#debug crypto ipsec
Crypto IPSEC debugging is on

R1#show debug
Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
  Crypto IPSEC debugging is on
IKEV2:
  IKEv2 error debugging is on
  IKEv2 default debugging is on

*Jan 11 13:57:57.511: IKEv2:Received Packet [From 200.1.1.2:500/To 200.1.1.1:500/VRF i0:f0]
Initiator SPI : 13CECD39AA927069 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID

*Jan 11 13:57:57.515: IKEv2:(SA ID = 1):Verify SA init message
*Jan 11 13:57:57.515: IKEv2:(SA ID = 1):Insert SA
*Jan 11 13:57:57.515: IKEv2:Searching Policy with fvrf 0, local address 200.1.1.1
*Jan 11 13:57:57.515: IKEv2:Found Policy 'POLICY-1'

*Jan 11 13:57:57.515: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*Jan 11 13:57:57.515: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 11 13:57:57.519: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4'   'Trustpool3'   'Trustpool2'   'Trustpool1'   'Trustpool'  
*Jan 11 13:57:57.519: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 11 13:57:57.519: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Jan 11 13:57:57.519: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Jan 11 13:57:57.519: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Jan 11 13:57:57.523: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
*Jan 11 13:57:57.523: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jan 11 13:57:57.523: IKEv2:(SA ID = 1):Request queued for computation of DH key
*Jan 11 13:57:57.523: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
*Jan 11 13:57:57.655: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED

*Jan 11 13:57:57.659: IKEv2:(SA ID = 1):Request queued for computation of DH secret
*Jan 11 13:57:57.659: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Jan 11 13:57:57.663: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED

*Jan 11 13:57:57.663: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Jan 11 13:57:57.667: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
*Jan 11 13:57:57.667: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA512   SHA512   DH_GROUP_1536_MODP/Group 5
*Jan 11 13:57:57.667: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 11 13:57:57.667: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4'   'Trustpool3'   'Trustpool2'   'Trustpool1'   'Trustpool'  
*Jan 11 13:57:57.667: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 11 13:57:57.667: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Jan 11 13:57:57.671: IKEv2:(SA ID = 1):Sending Packet [To 200.1.1.2:500/From 200.1.1.1:500/VRF i0:f0]
Initiator SPI : 13CECD39AA927069 - Responder SPI : C6414ACB8DC80CF5 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
*Jan 11 13:57:57.671: IKEv2:(SA ID = 1):Completed SA init exchange
*Jan 11 13:57:57.671: IKEv2:(SA ID = 1):Starting timer (30 sec) to wait for auth message
*Jan 11 13:57:57.963: IKEv2:(SA ID = 1):Received Packet [From 200.1.1.2:500/To 200.1.1.1:500/VRF i0:f0]
Initiator SPI : 13CECD39AA927069 - Responder SPI : C6414ACB8DC80CF5 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Jan 11 13:57:57.979: IKEv2:(SA ID = 1):Stopping timer to wait for auth message
*Jan 11 13:57:57.983: IKEv2:(SA ID = 1):Checking NAT discovery
*Jan 11 13:57:57.987: IKEv2:(SA ID = 1):NAT not found
*Jan 11 13:57:57.991: IKEv2:(SA ID = 1):Searching policy based on peer's identity '200.1.1.2' of type 'IPv4 address'
*Jan 11 13:57:57.995: IKEv2:found matching IKEv2 profile 'PROFILE-1'
*Jan 11 13:57:57.995: ISAKMP:(0):: peer matches PROFILE-1 profile
*Jan 11 13:57:57.999: IKEv2:% Getting preshared key from profile keyring KEYRING-1
*Jan 11 13:57:57.999: IKEv2:% Matched peer block 'ASA1'
*Jan 11 13:57:58.003: IKEv2:Searching Policy with fvrf 0, local address 200.1.1.1
*Jan 11 13:57:58.007: IKEv2:Found Policy 'POLICY-1'
*Jan 11 13:57:58.011: IKEv2:(SA ID = 1):Verify peer's policy
*Jan 11 13:57:58.015: IKEv2:(SA ID = 1):Peer's policy verified
*Jan 11 13:57:58.019: IKEv2:(SA ID = 1):Get peer's authentication method
*Jan 11 13:57:58.023: IKEv2:(SA ID = 1):Peer's authentication method is 'PSK'
*Jan 11 13:57:58.027: IKEv2:(SA ID = 1):Get peer's preshared key for 200.1.1.2
*Jan 11 13:57:58.027: IKEv2:(SA ID = 1):Verify peer's authentication data
*Jan 11 13:57:58.027: IKEv2:(SA ID = 1):Use preshared key for id 200.1.1.2, key len 5
*Jan 11 13:57:58.027: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Jan 11 13:57:58.027: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Jan 11 13:57:58.031: IKEv2:(SA ID = 1):Verification of peer's authenctication data PASSED

*Jan 11 13:57:58.031: IKEv2:(SA ID = 1):Processing INITIAL_CONTACT
*Jan 11 13:57:58.035: IKEv2:(SA ID = 1):Processing IKE_AUTH message
*Jan 11 13:57:58.035: IKEv2:KMI/verify policy/sending to IPSec:
     prot: 3 txfm: 12 hmac 2 flags 8177 keysize 256 IDB 0x0
*Jan 11 13:57:58.039: IPSEC(validate_proposal_request): proposal part #1
*Jan 11 13:57:58.039: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 200.1.1.1:0, remote= 200.1.1.2:0,
    local_proxy= 192.168.1.0/255.255.255.0/256/0,
    remote_proxy= 192.168.2.0/255.255.255.0/256/0,

    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jan 11 13:57:58.043: Crypto mapdb : proxy_match
    src addr     : 192.168.1.0
    dst addr     : 192.168.2.0

    protocol     : 0
    src port     : 0
    dst port     : 0
*Jan 11 13:57:58.055: IKEv2:(SA ID = 1):Get my authentication method
*Jan 11 13:57:58.055: IKEv2:(SA ID = 1):My authentication method is 'PSK'
*Jan 11 13:57:58.055: IKEv2:(SA ID = 1):Get peer's preshared key for 200.1.1.2
*Jan 11 13:57:58.055: IKEv2:(SA ID = 1):Generate my authentication data
*Jan 11 13:57:58.055: IKEv2:(SA ID = 1):Use preshared key for id 200.1.1.1, key len 5
*Jan 11 13:57:58.059: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Jan 11 13:57:58.059: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Jan 11 13:57:58.059: IKEv2:(SA ID = 1):Get my authentication method
*Jan 11 13:57:58.059: IKEv2:(SA ID = 1):My authentication method is 'PSK'
*Jan 11 13:57:58.059: IKEv2:(SA ID = 1):Generating IKE_AUTH message
*Jan 11 13:57:58.059: IKEv2:(SA ID = 1):Constructing IDr payload: '200.1.1.1' of type 'IPv4 address'
*Jan 11 13:57:58.063: IKEv2:(SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
   AES-CBC   SHA96   Don't use ESN
*Jan 11 13:57:58.063: IKEv2:(SA ID = 1):Building packet for encryption. 
Payload contents:
 VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Jan 11 13:57:58.067: IKEv2:(SA ID = 1):Sending Packet [To 200.1.1.2:500/From 200.1.1.1:500/VRF i0:f0]
Initiator SPI : 13CECD39AA927069 - Responder SPI : C6414ACB8DC80CF5 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 ENCR
*Jan 11 13:57:58.071: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Jan 11 13:57:58.071: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Jan 11 13:57:58.075: IKEv2:(SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Jan 11 13:57:58.079: IKEv2:(SA ID = 1):Session with IKE ID PAIR (200.1.1.2, 200.1.1.1) is UP

*Jan 11 13:57:58.083: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Jan 11 13:57:58.087: IKEv2:(SA ID = 1):Load IPSEC key material
*Jan 11 13:57:58.091: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
*Jan 11 13:57:58.095: IKEv2:(SA ID = 1):Asynchronous request queued
*Jan 11 13:57:58.095: IKEv2:(SA ID = 1):
*Jan 11 13:57:58.103: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jan 11 13:57:58.103: Crypto mapdb : proxy_match
    src addr     : 192.168.1.0
    dst addr     : 192.168.2.0
    protocol     : 256
    src port     : 0
    dst port     : 0
*Jan 11 13:57:58.107: IPSEC(crypto_ipsec_create_ipsec_sas): Map found CMAP
*Jan 11 13:57:58.111: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 200.1.1.2
*Jan 11 13:57:58.131: IPSEC(create_sa): sa created,
  (sa) sa_dest= 200.1.1.1, sa_proto= 50,
    sa_spi= 0x6DB242F8(1840399096),
    sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 1
    sa_lifetime(k/sec)= (4608000/3600)
*Jan 11 13:57:58.131: IPSEC(create_sa): sa created,
  (sa) sa_dest= 200.1.1.2, sa_proto= 50,
    sa_spi= 0x8FB36110(2410897680),
    sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 2
    sa_lifetime(k/sec)= (4608000/3600)
*Jan 11 13:57:58.139: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
*Jan 11 13:57:58.143: IPSEC: Expand action denied, notify RP
*Jan 11 13:57:58.147: IKEv2:(SA ID = 1):Checking for duplicate IKEv2 SA
*Jan 11 13:57:58.147: IKEv2:(SA ID = 1):No duplicate IKEv2 SA found
*Jan 11 13:57:58.147: IKEv2:(SA ID = 1):Starting timer (8 sec) to delete negotiation context


R1#show crypto ?
  call             Show crypto call admission info
  datapath         Data Path
  debug-condition  Debug Condition filters
  dynamic-map      Crypto map templates
  eli              Encryption Layer Interface
  engine           Show crypto engine info
  entropy          Entropy sources
  gdoi             Show crypto gdoi
  identity         Show crypto identity list
  ikev2            Shows ikev2 info
  ipsec            Show IPSEC policy
  isakmp           Show ISAKMP
  key              Show long term public keys
  map              Crypto maps
  mib              Show Crypto-related MIB Parameters
  optional         Optional Encryption Status
  pki              Show PKI
  route            Show crypto VPN routes
  ruleset          Show crypto rules on outgoing packets
  session          Show crypto sessions (tunnels)
  sockets          Secure Socket Information
  tech-support     Displays relevant crypto information
      
R1#show crypto ikev2 ?
  authorization      Author policy
  certificate-cache  Show certificates in ikev2 certificate-cache
  client             Show Client Status
  diagnose           Shows ikev2 diagnostic
  policy             Show policies
  profile            Shows ikev2 profiles
  proposal           Show proposals
  sa                 Shows ikev2 SAs
  session            Shows ikev2 active session
  stats              Shows ikev2 sa stats

R1#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         200.1.1.1/500         200.1.1.2/500         none/none            READY 
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/32 sec

 IPv6 Crypto IKEv2  SA


R1#show crypto ipsec ?
  policy                Show IPSEC client policies
  profile               Show ipsec profile information
  sa                    IPSEC SA table
  security-association  Show parameters for IPSec security associations
  spi-lookup            IPSEC SPI table
  transform-set         Crypto transform sets

R1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 200.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/256/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/256/0)
   current_peer 200.1.1.2 port 500

     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 200.1.1.1, remote crypto endpt.: 200.1.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x8FB36110(2410897680)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x6DB242F8(1840399096)
 transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: 1, sibling_flags 80000040, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4354253/3520)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8FB36110(2410897680)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: 2, sibling_flags 80000040, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4354253/3520)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas: 
     outbound pcp sas:
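
The two `show crypto ipsec sa` outputs above are easiest to validate side by side: the ASA's inbound SPI must be the router's outbound SPI and vice versa, the proxy identities must be mirrored, and the transform sets must agree. As an added example (not part of the original post), the Python below parses the ASA and IOS output formats shown on this page, performs those cross-checks, and then flags the weaker settings this lab negotiated (DH group 5, PFS off, and the 5-byte PSK the debugs report). The regexes are keyed to the exact field layouts shown above and are an assumption for any other platform or release.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input: trimmed "show crypto ipsec sa" excerpts from each
# end of the tunnel on this page (ASA first, then the IOS router).
ASA_IPSEC = """\
      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    inbound esp sas:
      spi: 0x8FB36110 (2410897680)
         transform: esp-aes-256 esp-sha-hmac no compression
    outbound esp sas:
      spi: 0x6DB242F8 (1840399096)
         transform: esp-aes-256 esp-sha-hmac no compression
"""
IOS_IPSEC = """\
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/256/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/256/0)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x6DB242F8(1840399096)
        transform: esp-256-aes esp-sha-hmac ,
     outbound esp sas:
      spi: 0x8FB36110(2410897680)
        transform: esp-256-aes esp-sha-hmac ,
"""
# The IKE SA summary line from "show crypto ikev2 sa" has the same format on both.
IKEV2_LINE = "Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK"
# Two "debug crypto ikev2" lines from this page: both ends print the PSK length.
DEBUG_EXCERPT = """\
IKEv2-PROTO-3: (11): Use preshared key for id 200.1.1.2, key len 5
IKEv2-PROTO-3: (11): Use preshared key for id 200.1.1.1, key len 5
"""

@dataclass(frozen=True)
class IpsecSaView:
    local_net: str          # local proxy identity as "addr/mask"
    remote_net: str         # remote proxy identity as "addr/mask"
    inbound_spi: int
    outbound_spi: int
    transforms: frozenset   # canonicalised ESP transform names
    pfs: str | None         # "Y"/"N" where the platform prints it (IOS), else None

def canon_transform(token: str) -> str:
    """ASA prints esp-aes-256, IOS prints esp-256-aes: sort the suffix parts."""
    parts = token.split("-")
    return parts[0] + "-" + "-".join(sorted(parts[1:]))

def parse_ipsec_sa(text: str) -> IpsecSaView:
    """Extract the fields worth cross-checking from one device's output."""
    def grab(pattern: str) -> str:
        m = re.search(pattern, text)
        if m is None:
            raise ValueError("field not found: " + pattern)
        return m.group(1)
    local = grab(r"local\s+ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)/")
    remote = grab(r"remote ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)/")
    inbound = int(grab(r"inbound esp sas:\s*spi: 0x([0-9A-Fa-f]+)"), 16)
    outbound = int(grab(r"outbound esp sas:\s*spi: 0x([0-9A-Fa-f]+)"), 16)
    transforms = frozenset(canon_transform(tok)
                           for line in re.findall(r"transform: (.*)", text)
                           for tok in line.split() if tok.startswith("esp-"))
    pfs = re.search(r"PFS \(Y/N\): ([YN])", text)
    return IpsecSaView(local, remote, inbound, outbound, transforms,
                       pfs.group(1) if pfs else None)

def parse_ikev2_sa(line: str) -> dict[str, str]:
    """Turn 'Encr: AES-CBC, keysize: 256, DH Grp:5, ...' into a dict."""
    return {m.group(1).strip(): m.group(2).strip()
            for m in re.finditer(r"([A-Za-z ]+?):\s*([^,]+)", line)}

def compare_peers(a: IpsecSaView, b: IpsecSaView) -> list[str]:
    """A healthy tunnel shows mirrored SPIs and selectors and equal transforms."""
    findings = []
    if (a.inbound_spi, a.outbound_spi) != (b.outbound_spi, b.inbound_spi):
        findings.append("ESP SPIs are not mirrored between the two peers")
    if (a.local_net, a.remote_net) != (b.remote_net, b.local_net):
        findings.append("traffic selectors are not mirrored between the two peers")
    if a.transforms != b.transforms:
        findings.append("ESP transform sets differ")
    return findings

def policy_findings(ikev2: dict[str, str], *views: IpsecSaView) -> list[str]:
    """Flag the weaker choices visible in this lab's negotiated parameters."""
    findings = []
    group = ikev2.get("DH Grp")
    if group is None or int(group) < 14:
        findings.append(f"IKEv2 DH group {group} is below the 2048-bit group 14 floor")
    if any(v.pfs == "N" for v in views):
        findings.append("PFS is disabled for the child SA")
    return findings

def short_psk_findings(debug_text: str, minimum: int = 16) -> list[str]:
    """The debugs print the PSK length; flag keys shorter than `minimum` bytes."""
    pat = r"Use preshared key for id ([\d.]+), key len (\d+)"
    return [f"PSK for {peer} is only {n} bytes"
            for peer, n in re.findall(pat, debug_text) if int(n) < minimum]
```

For the outputs on this page `compare_peers` returns no findings, while `policy_findings` and `short_psk_findings` report the group-5 DH exchange, the disabled PFS and the two 5-byte PSKs.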
