I usually configure IKEv1 site-to-site IPsec VPNs, but this time I needed an IKEv2 tunnel between a Cisco IOS router and an ASA firewall.
You'll need an IOS image that supports the IKEv2 command set. I've downloaded C7200-ADVENTERPRISEK9-M Version 15.2(4)S to configure IKEv2 in GNS3.
R1#show version
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Fri 20-Jul-12 15:03 by prod_rel_team
ROM: ROMMON Emulation Microcode
BOOTLDR: 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S, RELEASE SOFTWARE (fc1)
R1 uptime is 3 minutes
System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
System image file is "tftp://255.255.255.255/unknown"
Last reload reason: Unknown reason
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes of memory.
Processor board ID 4279256517
R7000 CPU at 150MHz, Implementation 39, Rev 2.1, 256KB L2 Cache
6 slot VXR midplane, Version 2.1
Last reset from power-on
PCI bus mb0_mb1 (Slots 0, 1, 3 and 5) has a capacity of 600 bandwidth points.
Current configuration on bus mb0_mb1 has a total of 600 bandwidth points.
This configuration is within the PCI bus capacity and is supported.
PCI bus mb2 (Slots 2, 4, 6) has a capacity of 600 bandwidth points.
Current configuration on bus mb2 has a total of 0 bandwidth points
This configuration is within the PCI bus capacity and is supported.
Please refer to the following document "Cisco 7200 Series Port Adaptor
Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com>
for c7200 bandwidth points oversubscription and usage guidelines.
3 FastEthernet interfaces
509K bytes of NVRAM.
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102
R1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
FastEthernet1/0 unassigned YES unset administratively down down
FastEthernet1/1 unassigned YES unset administratively down down
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface f0/0
R1(config-if)#ip address 200.1.1.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#
*Jan 10 16:40:02.543: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Jan 10 16:40:03.543: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#
R1(config-if)#interface f1/1
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 f0/0 // NOT ADVISABLE TO USE IN PRODUCTION NETWORK
%Default route without gateway, if not a point-to-point interface, may impact performance
R1(config)#do show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 200.1.1.1 YES manual up up
FastEthernet1/0 unassigned YES unset administratively down down
FastEthernet1/1 192.168.1.1 YES manual up up
R1(config)#crypto ?
call Configure Crypto Call Admission Control
dynamic-map Specify a dynamic crypto map template
engine Enter a crypto engine configurable menu
gdoi Configure GDOI policy
identity Enter a crypto identity list
ikev2 Configure IKEv2 Options
ipsec Configure IPSEC policy
isakmp Configure ISAKMP policy
key Long term key operations
keyring Key ring commands
logging logging messages
map Enter a crypto map
mib Configure Crypto-related MIB Parameters
pki Public Key components
xauth X-Auth parameters
R1(config)#crypto ikev2 ?
authorization IKEv2 authorization
certificate-cache Cache for storing certs fetched from HTTP URLs
client IKEv2 client configuration
cookie-challenge Set Cookie-challenge watermark
cts Cisco Trust Security
diagnose IKEV2 diagnose
dpd Enable IKE liveness check for peers
fragmentation Enable fragmentation of ikev2 packets
http-url Enable http URL lookup
keyring Define IKEv2 Keyring
limit Limit the number of maximum and negotiating sa
name-mangler Name mangler
nat NAT-transparency
policy Define IKEV2 policies
profile Define IKEv2 Profiles
proposal Define IKEV2 proposals
redirect IKEv2 Redirect Mechanism for load-balancing
window IKEV2 window size
R1(config)#crypto ikev2 keyring ?
WORD Name of IKEv2 Keyring
R1(config)#crypto ikev2 keyring KEYRING-1
R1(config-ikev2-keyring)#?
IKEv2 Keyring commands:
exit Exit from crypto ikev2 keyring sub mode
no Negate a command or set its defaults
peer Configure a Peer and associated keys
R1(config-ikev2-keyring)#peer ?
WORD Name of the peer block
R1(config-ikev2-keyring)#peer ASA1
R1(config-ikev2-keyring-peer)#?
Crypto IKEv2 Keyring Peer submode commands:
address Specify IPv4/IPv6 address of peer
description Specify a description of this peer
exit Exit from crypto ikev2 keyring peer sub mode
hostname Hostname of peer
identity Specify IKE identity to use
no Negate values of a command
pre-shared-key specify the pre-shared key
R1(config-ikev2-keyring-peer)#address ?
A.B.C.D IPv4 Address
X:X:X:X::X/<0-128> IPv6 address/prefix
R1(config-ikev2-keyring-peer)#address 200.1.1.2
R1(config-ikev2-keyring-peer)#pre-shared-key ?
0 Specifies an UNENCRYPTED password will follow
6 Specifies an ENCRYPTED password will follow
LINE The UNENCRYPTED (cleartext) user password
hex Key entered in hex string
local specify signing key
remote specify verifying key
R1(config-ikev2-keyring-peer)#pre-shared-key local ?
0 Specifies an UNENCRYPTED password will follow
6 Specifies an ENCRYPTED password will follow
LINE The UNENCRYPTED (cleartext) user password
hex Key entered in hex string
R1(config-ikev2-keyring-peer)#pre-shared-key local cisco
R1(config-ikev2-keyring-peer)#pre-shared-key remote cisco
R1(config-ikev2-keyring-peer)#exit
R1(config-ikev2-keyring)#exit
R1(config)#
R1(config)#crypto ikev2 proposal ?
WORD Name of IKEv2 proposal
R1(config)#crypto ikev2 proposal PROPOSAL-1
IKEv2 proposal MUST have at least an encryption algorithm, an integrity algorithm and a dh group configured
R1(config-ikev2-proposal)#?
IKEv2 Proposal commands:
encryption Set encryption algorithm(s) for proposal
exit Exit from IKEv2 proposal configuration mode
group Set the Diffie-Hellman group(s)
integrity Set integrity hash algorithm(s) for proposal
no Negate a command or set its defaults
R1(config-ikev2-proposal)#encryption ?
3des 3DES
aes-cbc-128 AES-CBC-128
aes-cbc-192 AES-CBC-192
aes-cbc-256 AES-CBC-256
des DES
R1(config-ikev2-proposal)#encryption aes-cbc-256
R1(config-ikev2-proposal)#integrity ?
md5 Message Digest 5
sha1 Secure Hash Standard
sha256 Secure Hash Standard 2 (256 bit)
sha384 Secure Hash Standard 2 (384 bit)
sha512 Secure Hash Standard 2 (512 bit)
R1(config-ikev2-proposal)#integrity sha512
R1(config-ikev2-proposal)#group ?
1 DH 768 MODP
14 DH 2048 MODP
15 DH 3072 MODP
16 DH 4096 MODP
19 DH 256 ECP
2 DH 1024 MODP
20 DH 384 ECP
24 DH 2048 (256 subgroup) MODP
5 DH 1536 MODP
R1(config-ikev2-proposal)#group 5
R1(config-ikev2-proposal)#exit
R1(config)#
R1(config)#crypto ikev2 profile ?
WORD Name of IKEv2 Profile
R1(config)#crypto ikev2 profile PROFILE-1
IKEv2 profile MUST have:
1. A local and a remote authentication method.
2. A match identity or a match certificate statement.
R1(config-ikev2-profile)#?
IKEv2 profile commands:
aaa Specify AAA related configs
authentication Set authentication method
config-exchange config-exchange options
description Specify a description of this profile
dpd Enable IKE liveness check for peers
exit Exit from crypto ikev2 profile sub mode
identity Specify IKE identity to use
initial-contact initial-contact processing
ivrf I-VRF of the profile
keyring Specify keyring to use
lifetime Set lifetime for ISAKMP security association
match Match values of peer
nat NAT-transparency
no Negate a command or set its defaults
pki Specify certificate authorities to trust
redirect IKEv2 Redirect Mechanism for load-balancing
virtual-template Specify the virtual-template for dynamic interface
creation.
R1(config-ikev2-profile)#match ?
address IP address
certificate Peer certificate attributes
fvrf fvrf of the profile
identity IKE identity
R1(config-ikev2-profile)#match identity ?
remote Remote identity
R1(config-ikev2-profile)#match identity remote ?
address IP Address(es)
email Fully qualified email string
fqdn Fully qualified domain name string
key-id key-id opaque string
R1(config-ikev2-profile)#match identity remote address ?
A.B.C.D IP address prefix
X:X:X:X::X/<0-128> IPv6 address/prefix-length
R1(config-ikev2-profile)#match identity remote address 200.1.1.2 ?
A.B.C.D specify mask
<cr>
R1(config-ikev2-profile)#match identity remote address 200.1.1.2 255.255.255.255
R1(config-ikev2-profile)#identity ?
local Specify the local IKE identity to use for the negotiation
R1(config-ikev2-profile)#identity local ?
address address
dn Distinguished Name
email Fully qualified email string
fqdn Fully qualified domain name string
key-id key-id opaque string - proprietary types of identification
R1(config-ikev2-profile)#identity local address ?
A.B.C.D IPv4 address
X:X:X:X::X IPv6 address
R1(config-ikev2-profile)#identity local address 200.1.1.1
R1(config-ikev2-profile)#authentication ?
local Set local authentication method
remote Set remote authentication method
R1(config-ikev2-profile)#authentication remote ?
eap Extended Authentication Protocol
ecdsa-sig ECDSA Signature
pre-share Pre-Shared Key
rsa-sig Rivest-Shamir-Adleman Signature
<cr>
R1(config-ikev2-profile)#authentication remote pre-share
R1(config-ikev2-profile)#authentication local pre-share
R1(config-ikev2-profile)#keyring local KEYRING-1
R1(config-ikev2-profile)#exit
R1(config)#crypto ikev2 policy ?
WORD Name of IKEv2 policy
R1(config)#crypto ikev2 policy POLICY-1
IKEv2 policy MUST have atleast one complete proposal attached
R1(config-ikev2-policy)#?
IKEv2 Policy commands:
exit Exit from IKEv2 policy configuration mode
match Match values of local fields
no Negate a command or set its defaults
proposal Specify Proposal
R1(config-ikev2-policy)#proposal ?
WORD Specify the name of proposal to be attached
R1(config-ikev2-policy)#proposal PROPOSAL-1
R1(config-ikev2-policy)#exit
R1(config)#
R1(config)#crypto ipsec ?
df-bit Handling of encapsulated DF bit.
fragmentation Handling of fragmentation of near-MTU sized packets
nat-transparency IPsec NAT transparency model
optional Enable optional encryption for IPSec
profile Configure an ipsec policy profile
security-association Security association parameters
transform-set Define transform and settings
R1(config)#crypto ipsec transform-set ?
WORD Transform set tag
R1(config)#crypto ipsec transform-set TSET-1 ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
ah-sha256-hmac AH-HMAC-SHA256 transform
ah-sha384-hmac AH-HMAC-SHA384 transform
ah-sha512-hmac AH-HMAC-SHA512 transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-gcm ESP transform using GCM cipher
esp-gmac ESP transform using GMAC cipher
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
esp-sha256-hmac ESP transform using HMAC-SHA256 auth
esp-sha384-hmac ESP transform using HMAC-SHA384 auth
esp-sha512-hmac ESP transform using HMAC-SHA512 auth
R1(config)#crypto ipsec transform-set TSET-1 esp-aes ?
128 128 bit keys.
192 192 bit keys.
256 256 bit keys.
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
ah-sha256-hmac AH-HMAC-SHA256 transform
ah-sha384-hmac AH-HMAC-SHA384 transform
ah-sha512-hmac AH-HMAC-SHA512 transform
comp-lzs IP Compression using the LZS compression algorithm
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-sha-hmac ESP transform using HMAC-SHA auth
esp-sha256-hmac ESP transform using HMAC-SHA256 auth
esp-sha384-hmac ESP transform using HMAC-SHA384 auth
esp-sha512-hmac ESP transform using HMAC-SHA512 auth
<cr>
R1(config)#crypto ipsec transform-set TSET-1 esp-aes 256 ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
ah-sha256-hmac AH-HMAC-SHA256 transform
ah-sha384-hmac AH-HMAC-SHA384 transform
ah-sha512-hmac AH-HMAC-SHA512 transform
comp-lzs IP Compression using the LZS compression algorithm
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-sha-hmac ESP transform using HMAC-SHA auth
esp-sha256-hmac ESP transform using HMAC-SHA256 auth
esp-sha384-hmac ESP transform using HMAC-SHA384 auth
esp-sha512-hmac ESP transform using HMAC-SHA512 auth
<cr>
R1(config)#crypto ipsec transform-set TSET-1 esp-aes 256 esp-sha-hmac
R1(cfg-crypto-trans)#exit
R1(config)#
R1(config)#ip access-list ?
extended Extended Access List
helper Access List acts on helper-address
log-update Control access list log updates
logging Control access list logging
match-local-traffic Enable ACL matching for locally generated traffic
resequence Resequence Access List
role-based Role-based Access List
standard Standard Access List
R1(config)#ip access-list extended ?
<100-199> Extended IP access-list number
<2000-2699> Extended IP access-list number (expanded range)
WORD Access-list name
R1(config)#ip access-list extended R1-ASA1-ACL
R1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R1(config-ext-nacl)#exit
R1(config)#
R1(config)#crypto map ?
WORD Crypto map tag
ipv6 IPv6 crypto map
R1(config)#crypto map CMAP ?
<1-65535> Sequence to insert into crypto map entry
client Specify client configuration settings
gdoi Configure crypto map gdoi features
isakmp Specify isakmp configuration settings
isakmp-profile Specify isakmp profile to use
local-address Interface to use for local address for this crypto map
redundancy High availability options for this map
R1(config)#crypto map CMAP 10 ?
gdoi GDOI
ipsec-isakmp IPSEC w/ISAKMP
ipsec-manual IPSEC w/manual keying
<cr>
R1(config)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#?
Crypto Map configuration commands:
default Set a command to its defaults
description Description of the crypto map statement policy
dialer Dialer related commands
exit Exit from crypto map configuration mode
match Match values.
no Negate a command or set its defaults
qos Quality of Service related commands
reverse-route Reverse Route Injection.
set Set values for encryption/decryption
R1(config-crypto-map)#set ?
identity Identity restriction.
ikev2-profile Specify ikev2 Profile
ip Interface Internet Protocol config commands
isakmp-profile Specify isakmp Profile
nat Set NAT translation
peer Allowed Encryption/Decryption peer.
pfs Specify pfs settings
reverse-route Reverse Route Injection.
security-association Security association parameters
transform-set Specify list of transform sets in priority order
R1(config-crypto-map)#set peer ?
A.B.C.D IP address of peer
WORD Host name of the peer
R1(config-crypto-map)#set peer 200.1.1.2
R1(config-crypto-map)#set transform-set TSET-1
R1(config-crypto-map)#match ?
address Match address of packets to encrypt.
R1(config-crypto-map)#match address ?
<100-199> IP access-list number
<2000-2699> IP access-list number (expanded range)
WORD Access-list name
R1(config-crypto-map)#match address R1-ASA1-ACL
R1(config-crypto-map)#exit
R1(config)#
R1(config)#interface f0/0
R1(config-if)#crypto ?
ipsec Set IPSec parameters
map Assign a Crypto Map
R1(config-if)#crypto map ?
WORD Crypto Map tag
R1(config-if)#crypto map CMAP
R1(config-if)#
*Jan 10 16:39:10.151: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#end
R1#show run
Building configuration...
Current configuration : 1753 bytes
!
! Last configuration change at 13:57:49 UTC Thu Jan 11 2018
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
ipv6 multicast rpf use-bgp
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
crypto ikev2 proposal PROPOSAL-1
encryption aes-cbc-256
integrity sha512
group 5
!
crypto ikev2 policy POLICY-1
proposal PROPOSAL-1
!
crypto ikev2 keyring KEYRING-1
peer ASA1
address 200.1.1.2
pre-shared-key local cisco
pre-shared-key remote cisco
!
!
!
crypto ikev2 profile PROFILE-1
match identity remote address 200.1.1.2 255.255.255.255
identity local address 200.1.1.1
authentication remote pre-share
authentication local pre-share
keyring local KEYRING-1
!
!
!
ip tcp synwait-time 5
!
!
!
crypto ipsec transform-set TSET-1 esp-aes 256 esp-sha-hmac
mode tunnel // DEFAULT
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 200.1.1.2
set transform-set TSET-1
match address R1-ASA1-ACL
!
!
!
!
!
interface FastEthernet0/0
ip address 200.1.1.1 255.255.255.252
duplex full
crypto map CMAP
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
ip address 192.168.1.1 255.255.255.0
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list extended R1-ASA1-ACL
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
I've used ASA version 8.4 in GNS3, which supports IKEv2.
ASA1# show version
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"
ASA1 up 1 min 51 secs
Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB
0: Ext: GigabitEthernet0 : address is 0000.ab21.c100, irq 0
1: Ext: GigabitEthernet1 : address is 0000.ab21.c101, irq 0
2: Ext: GigabitEthernet2 : address is 0000.ab21.c102, irq 0
3: Ext: GigabitEthernet3 : address is 0000.ab21.c103, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 5 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 25 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 0 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 10 perpetual
Total UC Proxy Sessions : 10 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Enabled perpetual
This platform has an ASA 5520 VPN Plus license.
Serial Number: 123456789AB
Running Permanent Activation Key: 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
Configuration register is 0x0
Configuration last modified by enable_15 at 08:30:43.269 UTC Wed Jan 10 2018
ciscoasa# configure terminal
ASA1(config)# interface g0
ASA1(config-if)# ip address 200.1.1.2 255.255.255.252
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# no shut
ASA1(config-if)# ping 200.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/18/70 ms
ASA1(config-if)# interface g1
ASA1(config-if)# ip address 192.168.2.1 255.255.255.0
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# no shut
ASA1(config-if)# route outside 0 0 200.1.1.1
ASA1(config-if)# object network LAN1
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# exit
ASA1(config)# object network LAN2
ASA1(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA1(config-network-object)# exit
ASA1(config)# nat (inside,outside) source static LAN2 LAN2 destination static LAN1 LAN1 // IDENTITY NAT FOR SITE-TO-SITE VPN TRAFFIC
ASA1(config)# access-list ASA1-R1-ACL extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA1(config)# crypto ?
configure mode commands/options:
ca Certification authority
dynamic-map Configure a dynamic crypto map
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
ipsec Configure transform-set, IPSec SA lifetime, and fragmentation
isakmp Configure ISAKMP
key Long term key operations
map Configure a crypto map
exec mode commands/options:
ca Execute Certification Authority Commands
ASA1(config)# crypto ikev2 ?
configure mode commands/options:
cookie-challenge Enable and configure IKEv2 cookie challenges based on
half-open SAs
enable Enable IKEv2 on the specified interface
limit Enable limits on IKEv2 SAs
policy Set IKEv2 policy suite
redirect Set IKEv2 redirect
remote-access Configure IKEv2 for Remote Access
ASA1(config)# crypto ikev2 policy ?
configure mode commands/options:
<1-65535> Policy suite priority(1 highest, 65535 lowest)
ASA1(config)# crypto ikev2 policy 10
ASA1(config-ikev2-policy)# ?
ikev2 policy configuration commands:
encryption Configure one or more encryption algorithm
exit Exit from ikev2 policy configuration mode
group Configure one or more DH groups
help Help for ikev2 policy configuration commands
integrity Configure one or more integrity algorithm
lifetime Configure the ikev2 lifetime
no Remove an ikev2 policy configuration item
prf Configure one or more hash algorithm
ASA1(config-ikev2-policy)# encryption ?
ikev2-policy mode commands/options:
3des 3des encryption
aes aes encryption
aes-192 aes-192 encryption
aes-256 aes-256 encryption
des des encryption
null null encryption
ASA1(config-ikev2-policy)# encryption aes-256
ASA1(config-ikev2-policy)# integrity ?
ikev2-policy mode commands/options:
md5 set hash md5
sha set hash sha1
sha256 set hash sha256
sha384 set hash sha384
sha512 set hash sha512
ASA1(config-ikev2-policy)# integrity sha512
ASA1(config-ikev2-policy)# group ?
ikev2-policy mode commands/options:
1 Diffie-Hellman group 1
2 Diffie-Hellman group 2
5 Diffie-Hellman group 5
ASA1(config-ikev2-policy)# group 5
ASA1(config-ikev2-policy)# prf ?
ikev2-policy mode commands/options:
md5 set hash md5
sha set hash sha1
sha256 set hash sha256
sha384 set hash sha384
sha512 set hash sha512
ASA1(config-ikev2-policy)# prf sha512 // PSEUDO-RANDOM FUNCTION (PRF) KEYING ALGORITHM; ONLY AVAILABLE IN ASA; CONFIGURE SAME BIT LEVEL WITH INTEGRITY/HASHING
ASA1(config-ikev2-policy)# exit
ASA1(config)# crypto ipsec ?
configure mode commands/options:
df-bit Set IPsec DF policy
fragmentation Set IPsec fragmentation policy
ikev1 Set IKEv1 settings
ikev2 Set IKEv2 settings
security-association Set security association parameters
ASA1(config)# crypto ipsec ikev2 ?
configure mode commands/options:
ipsec-proposal Configure IKEv2 IPSec Policy
ASA1(config)# crypto ipsec ikev2 ipsec-proposal ?
configure mode commands/options:
WORD < 65 char Enter the name of the ipsec-proposal
ASA1(config)# crypto ipsec ikev2 ipsec-proposal PROPOSAL-1
ASA1(config-ipsec-proposal)# ?
ikev2 IPSec Policy configuration commands:
exit Exit from ipsec-proposal configuration mode
help Help for ikev2 IPSec policy configuration commands
no Remove an ikev2 IPSec policy configuration item
protocol Configure a protocol for the IPSec proposal
ASA1(config-ipsec-proposal)# protocol ?
ipsec-proposal mode commands/options:
esp IPsec Encapsulating Security Payload
ASA1(config-ipsec-proposal)# protocol esp ?
ipsec-proposal mode commands/options:
encryption Add one or more encryption algorithms for this protocol
integrity Add one or more integrity algorithms for this protocol
ASA1(config-ipsec-proposal)# protocol esp encryption ?
ipsec-proposal mode commands/options:
3des 3des encryption
aes aes encryption
aes-192 aes-192 encryption
aes-256 aes-256 encryption
des des encryption
null null encryption
ASA1(config-ipsec-proposal)# protocol esp encryption aes-256
ASA1(config-ipsec-proposal)# protocol esp integrity ?
ipsec-proposal mode commands/options:
md5 set hash md5
sha-1 set hash sha-1
ASA1(config-ipsec-proposal)# protocol esp integrity sha-1
ASA1(config-ipsec-proposal)# exit
ASA1(config)# tunnel-group 200.1.1.1 type ipsec-l2l
ASA1(config)# ?
aaa Enable, disable, or view user authentication,
authorization and accounting
aaa-server Configure a AAA server group or a AAA server
access-group Bind an access-list to an interface to filter
traffic
access-list Configure an access control element
arp Change or view ARP table, set ARP timeout
value, view statistics
asdm Configure Device Manager
auth-prompt Customize authentication challenge, reject or
acceptance prompt
auto-update Configure Auto Update
banner Configure login/session banners
boot Set system boot parameters
ca Certification authority
call-home Smart Call-Home Configuration
checkheaps Configure checkheap verification intervals
class-map Configure MPF Class Map
clear Clear
client-update Configure and change client update parameters
clock Configure time-of-day clock
command-alias Create command alias
compression Configure global Compression parameters
config-register Define the configuration register
configure Configure using various methods
console Serial console functions
coredump Configure Coredump options
crashinfo Enable/Disable writing crashinfo to flash
crypto Configure IPSec, ISAKMP, Certification
authority, key
ctl-file Configure a ctl-file instance
ctl-provider Configure a CTL Provider instance
ddns Configure dynamic DNS update method
dhcp-client Configure parameters for DHCP client operation
dhcpd Configure DHCP Server
dhcprelay Configure DHCP Relay Agent
dns Add DNS functionality to an interface
dns-group Set the global DNS server group
dns-guard Enforce one DNS response per query
domain-name Change domain name
dynamic-access-policy-record Dynamic Access Policy configuration commands
dynamic-filter Configure Dynamic Filter
dynamic-map Configure crypto dynamic map
enable Configure password for the enable command
end Exit from configure mode
eou EAP over UDP (NAC Framework) Global
Configuration Commands
established Allow inbound connections based on established
connections
exit Exit from config mode
failover Enable/disable failover feature
filter Enable or disable URL, FTP, HTTPS, Java, and
ActiveX filtering
fips FIPS 140-2 compliance information
firewall Switch to router/transparent mode
fixup Add or delete inspection services
flow-export Configure flow information export through
NetFlow
fragment Configure the IP fragment database
ftp Set FTP mode
ftp-map Configure advanced options for FTP inspection
group-delimiter The delimiter for tunnel-group lookup.
group-policy Configure or remove a group policy
gtp-map Configure advanced options for GTP inspection
h225-map Configure advanced options for H225 inspection
help Interactive help for commands
hostname Change host name of the system
hpm Configure TopN host statistics collection
http Configure http server and https related
commands
http-map This command has been deprecated.
icmp Configure access rules for ICMP traffic
imap4s Configure the imap4s service
interface Select an interface to configure
ip Configure IP addresses, address pools, IDS, etc
ipsec Configure transform-set and IPSec SA lifetime
ipv6 Global IPv6 configuration commands
isakmp Configure ISAKMP options
key Create various configuration keys
l2tp Configure Global L2TP Parameters
lacp LACP configuration
ldap Configure LDAP Mapping
license-server Configure shared license server
logging Configure logging levels, recipients and other
options
logout Logoff from config mode
mac-list Create a mac-list to filter based on MAC
address
management-access Configure management access interface
map Configure crypto map
media-termination Configure a media-termination instance
mgcp-map Configure advanced options for MGCP inspection
migrate Migrate IKEv1 configuration to IKEv2/SSL
mode Toggle between single and multiple security
context modes
monitor-interface Enable or disable failover monitoring on a
specific interface
mount Configure a system mount
mroute Configure static multicast routes
mtu Specify MTU(Maximum Transmission Unit) for an
interface
multicast-routing Enable IP multicast
nac-policy Configure or remove a nac-policy
name Associate a name with an IP address
names Enable/Disable IP address to name mapping
nat Associate a network with a pool of global IP
addresses
no Negate a command or set its defaults
ntp Configure NTP
object Configure an object
object-group Create an object group for use in
'access-list', etc
object-group-search Enables object group search algorithm
pager Control page length for pagination
passwd Change Telnet console access password
password Configure password encryption
phone-proxy Configure a Phone proxy instance
pim Configure Protocol Independent Multicast
policy-map Configure MPF Parameter Map
pop3s Configure the pop3s service
prefix-list Configure prefix lists
priority-queue Enter sub-command mode to set priority-queue attributes
privilege Configure privilege levels for commands
prompt Configure session prompt display
quit Exit from config mode
regex Define a regular expression
remote-access Configure SNMP trap threshold for VPN remote-access sessions
route Configure a static route for an interface
route-map Create route-map or enter route-map configuration mode
router Enable a routing process
routing Configure interface specific unicast routing parameters
same-security-traffic Enable same security level interfaces to communicate
service Configure system services
service-policy Configure MPF service policy
setup Pre-configure the system
sla IP Service Level Agreement
smtp-server Configure default SMTP server address to be used for Email
smtps Configure the smtps service
snmp Configure the SNMP options
snmp-map Configure an snmp-map, to control the operation of the SNMP inspection
snmp-server Modify SNMP engine parameters
ssh Configure SSH options
ssl Configure SSL options
sunrpc-server Create SUNRPC services table
sysopt Set system functional options
tcp-map Configure advanced options for TCP inspection
telnet Add telnet access to system console or set idle timeout
terminal Set terminal line parameters
tftp-server Configure default TFTP server address and directory
threat-detection Show threat detection information
time-range Define time range entries
timeout Configure maximum idle times
tls-proxy Configure a TLS proxy instance or the maximum sessions
track Object tracking configuration commands
tunnel-group Create and manage the database of connection specific records for IPSec connections
tunnel-group-map Specify policy by which the tunnel-group name is derived from the content of a certificate.
uc-ime Configure a Cisco Intercompany Media Engine (UC-IME) instance
url-block Enable URL pending block buffer and long URL support
url-cache Enable/Disable URL caching
url-server Configure a URL filtering server
user-identity Configure user-identity firewall
username Configure user authentication local database
virtual Configure address for authentication virtual servers
vpdn Configure VPDN feature
vpn-addr-assign Global settings for VPN IP address assignment policy
vpn-sessiondb Configure the VPN Session Manager
vpnsetup Configure VPN Setup Commands
wccp Web-Cache Coordination Protocol Commands
webvpn Configure the WebVPN service
zonelabs-integrity ZoneLabs integrity Firewall Server Configuration
ASA1(config)# tunnel-group 200.1.1.1 ipsec-attributes
ASA1(config-tunnel-ipsec)# ?
tunnel-group configuration commands:
chain Enable sending certificate chain
exit Exit from tunnel-group IPSec attribute configuration mode
help Help for tunnel group configuration commands
ikev1 Configure IKEv1
ikev2 Configure IKEv2
isakmp Configure ISAKMP policy
no Remove an attribute value pair
peer-id-validate Validate identity of the peer using the peer's certificate
ASA1(config-tunnel-ipsec)# ikev2 ?
tunnel-group-ipsec mode commands/options:
local-authentication Configure the local authentication method for IKEv2 tunnels
remote-authentication Configure the remote authentication method required of the remote peer for IKEv2 tunnels
ASA1(config-tunnel-ipsec)# ikev2 local-authentication ?
tunnel-group-ipsec mode commands/options:
certificate Select the trustpoint that identifies the cert to be sent to the IKE peer
pre-shared-key Configure the local pre-shared-key used to authenticate to the remote peer
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key ?
tunnel-group-ipsec mode commands/options:
0 Specifies an UNENCRYPTED password will follow
8 Specifies an ENCRYPTED password will follow
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key cisco
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key cisco
ASA1(config)# crypto ikev2 ?
configure mode commands/options:
cookie-challenge Enable and configure IKEv2 cookie challenges based on half-open SAs
enable Enable IKEv2 on the specified interface
limit Enable limits on IKEv2 SAs
policy Set IKEv2 policy suite
redirect Set IKEv2 redirect
remote-access Configure IKEv2 for Remote Access
ASA1(config)# crypto ikev2 enable ?
configure mode commands/options:
Type an interface name to enable
inside Name of interface GigabitEthernet1
outside Name of interface GigabitEthernet0
<cr>
ASA1(config)# crypto ikev2 enable outside
ASA1(config)# crypto map ?
configure mode commands/options:
WORD < 64 char Crypto map template tag
ASA1(config)# crypto map CMAP ?
configure mode commands/options:
<1-65535> Sequence to insert into map entry
client Enable IKE extended authentication (Xauth)
interface Name of interface to apply the crypto map to
ASA1(config)# crypto map CMAP 10 ?
configure mode commands/options:
annotation Specify annotation text - to be used by ASDM only
ipsec-isakmp IPSec w/ISAKMP
match Match address of packets to encrypt
set Specify crypto map settings
ASA1(config)# crypto map CMAP 10 match ?
configure mode commands/options:
address Match address of packets to encrypt
ASA1(config)# crypto map CMAP 10 match address ASA1-R1-ACL
ASA1(config)# crypto map CMAP 10 set ?
configure mode commands/options:
connection-type Specify connection-type for site-site connection based on this entry
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
nat-t-disable Disable nat-t negotiation for connections based on this entry
peer Set IP address of peer
pfs Specify pfs settings
reverse-route Enable reverse route injection for connections based on this entry
security-association Security association duration
trustpoint Specify trustpoint that defines the certificate to be used while initiating a connection based on this entry
ASA1(config)# crypto map CMAP 10 set peer ?
configure mode commands/options:
Hostname or A.B.C.D IP address
Hostname or X:X:X:X::X IPv6 address
ASA1(config)# crypto map CMAP 10 set peer 200.1.1.1 ikev2 ?
configure mode commands/options:
ipsec-proposal Specify list of IPSec proposals in priority order
pre-shared-key Specify a pre-shared key to be used while initiating a connection based on this entry
ASA1(config)# crypto map CMAP 10 set ikev2 ipsec-proposal ?
configure mode commands/options:
WORD ipsec-proposal tag
ASA1(config)# crypto map CMAP 10 set ikev2 ipsec-proposal PROPOSAL-1
ASA1(config)# crypto map CMAP ?
configure mode commands/options:
<1-65535> Sequence to insert into map entry
client Enable IKE extended authentication (Xauth)
interface Name of interface to apply the crypto map to
ASA1(config)# crypto map CMAP interface ?
configure mode commands/options:
Current available interface(s):
inside Name of interface GigabitEthernet1
outside Name of interface GigabitEthernet0
ASA1(config)# crypto map CMAP interface outside
ASA1(config)# fixup protocol icmp // ENABLE ICMP STATEFUL INSPECTION
INFO: converting 'fixup protocol icmp ' to MPF commands
ASA1(config)# policy-map global_policy
ASA1(config-pmap)# class inspection_default
ASA1(config-pmap-c)# inspect icmp error
ASA1# show run
: Saved
:
ASA Version 8.4(2)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 200.1.1.2 255.255.255.252
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network LAN1
subnet 192.168.1.0 255.255.255.0
object network LAN2
subnet 192.168.2.0 255.255.255.0
access-list ASA1-R1-ACL extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static LAN2 LAN2 destination static LAN1 LAN1
route outside 0.0.0.0 0.0.0.0 200.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal PROPOSAL-1
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto map CMAP 10 match address ASA1-R1-ACL
crypto map CMAP 10 set peer 200.1.1.1
crypto map CMAP 10 set ikev2 ipsec-proposal PROPOSAL-1
crypto map CMAP interface outside
crypto ikev2 policy 10
encryption aes-256
integrity sha512
group 5
prf sha512
lifetime seconds 86400
crypto ikev2 enable outside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 200.1.1.1 type ipsec-l2l
tunnel-group 200.1.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key cisco
ikev2 local-authentication pre-shared-key cisco
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:24994b52de47b3fa4716867ab926d840
: end
I ran some debugs on the ASA firewall.
ASA1# debug crypto ?
ca Set PKI debug levels
condition Set IPSec/ISAKMP debug filters
engine Set crypto engine debug levels
ike-common Set IKE common debug levels
ikev1 Set IKEV1 debug levels
ikev2 Set IKEV2 debug levels
ipsec Set IPSec debug levels
vpnclient Set EasyVPN client debug levels
ASA1# debug crypto ikev2 ?
ha debug the ikev2 ha
platform debug the ikev2 platform
protocol debug the ikev2 protocol
timers debug the ikev2 timers
ASA1# debug crypto ikev2 protocol ?
<1-255> Specify an optional debug level (default is 1)
<cr>
ASA1# debug crypto ikev2 protocol 255
ASA1# debug crypto ipsec ?
<1-255> Specify an optional debug level (default is 1)
<cr>
ASA1# debug crypto ipsec 255
ASA1# show debug
debug crypto ipsec enabled at level 255
debug crypto ikev2 protocol enabled at level 255
ASA1#
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.2.2, sport=64741, daddr=192.168.1.1, dport=64741
IPSEC(crypto_map_check)-3: Checking crypto map CMAP 10: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.2.2, sport=64741, daddr=192.168.1.1, dport=64741
IPSEC(crypto_map_check)-3: Checking crypto map CMAP 10: matched.
IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey GETSPI message
IPSEC: Creating IPsec SA
IPSEC: Getting the inbound SPI
IPSEC: New embryonic SA created @ 0xbc40f420,
SCB: 0xBC40C130,
Direction: inbound
SPI : 0x8FB36110
Session ID: 0x0000B000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-3: (11): Getting configured policies
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-3: (11): Setting configured policies
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-3: (11): Computing DH public key
IKEv2-PROTO-3: (11):
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-5: (11): Action: Action_Null
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-2: (11): Sending initial message
IKEv2-PROTO-3: IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA512 SHA512 DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-5: Construct Vendor Specific Payload: DELETE-REASON
IKEv2-PROTO-5: Construct Vendor Specific Payload: (CUSTOM)
IKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_SOURCE_IP
IKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_DESTINATION_IP
IKEv2-PROTO-5: Construct Vendor Specific Payload: FRAGMENTATION
IKEv2-PROTO-3: (11): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 200.1.1.2:500/R 200.1.1.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:13CECD39AA927069 - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: 13CECD39AA927069 - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 458
SA Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4: last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
IKEv2-PROTO-4: last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
IKE Next payload: N, reserved: 0x0, length: 200
DH group: 5, Reserved: 0x0
Next payload: VID, reserved: 0x0, length: 24
65 81 fb 3a b5 e6 b9 33 ad 76 5d 0a d3 fc 2b c7
7c c6 b6 d1
VID Next payload: VID, reserved: 0x0, length: 23
43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
53 4f 4e
VID Next payload: NOTIFY, reserved: 0x0, length: 59
43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
73 2c 20 49 6e 63 2e
NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
55 3b c8 6c 67 a4 c8 55 7b 55 c6 69 8b 3d 5c 79
c2 70 13 98
NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: VID, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
81 a0 7d c2 74 a9 6d a6 90 6b c6 1d 2d 33 86 74
e2 d8 41 42
VID Next payload: NONE, reserved: 0x0, length: 20
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-3: (11): Insert SA
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 200.1.1.2:500/R 200.1.1.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:13CECD39AA927069 - r: C6414ACB8DC80CF5]
IKEv2-PROTO-4: IKEV2 HDR ispi: 13CECD39AA927069 - rspi: C6414ACB8DC80CF5
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x0, length: 572
SA Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4: last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
IKEv2-PROTO-4: last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
KE Next payload: N, reserved: 0x0, length: 200
DH group: 5, Reserved: 0x0
N Next payload: VID, reserved: 0x0, length: 24
81 be 1d 70 eb e5 75 ab b6 3a 17 2a 17 08 2e ed
db 3b 56 8b
IKEv2-PROTO-5: Parse Vendor Specific Payload: CISCO-DELETE-REASON
VID Next payload: VID, reserved: 0x0, length: 23
43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
53 4f 4e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM)
VID Next payload: VID, reserved: 0x0, length: 59
43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
73 2c 20 49 6e 63 2e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM)
VID Next payload: NOTIFY, reserved: 0x0, length: 21
46 4c 45 58 56 50 4e 2d 53 55 50 50 4f 52 54 45
44
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_SOURCE_IP
NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
a7 c8 6d 91 9f 3d b7 6a af fd 76 21 96 5a f7 fa
35 6c ea 3f
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP
NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: CERTREQ, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
79 8e 84 e8 a8 16 57 c1 98 78 59 44 6c 27 3f 37
3c 6e c1 e6
CERTREQ Next payload: NOTIFY, reserved: 0x0, length: 105
Cert encoding Hash and URL of PKIX
CertReq data: 100 bytes
IKEv2-PROTO-5: Parse Notify Payload: HTTP_CERT_LOOKUP_SUPPORTED
NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: HTTP_CERT_LOOKUP_SUPPORTED
Decrypted packet:Data: 572 bytes
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-5: (11): Processing initial message
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (11): Processing initial message
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-3: (11): Verify SA init message
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-2: (11): Processing initial message
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-3: (11): Process NAT discovery notify
IKEv2-PROTO-5: (11): Processing nat detect src notify
IKEv2-PROTO-5: (11): Remote address matched
IKEv2-PROTO-5: (11): Processing nat detect dst notify
IKEv2-PROTO-5: (11): Local address matched
IKEv2-PROTO-5: (11): No NAT found
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-3: (11): Check NAT discovery
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-3: (11): Computing DH secret key
IKEv2-PROTO-3: (11):
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-5: (11): Action: Action_Null
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-3: (11): Generate skeyid
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-3: (11): Cisco DeleteReason Notify is enabled
IKEv2-PROTO-3: (11): Complete SA init exchange
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (11): Check for EAP exchange
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-3: (11): Generate my authentication data
IKEv2-PROTO-3: (11): Use preshared key for id 200.1.1.2, key len 5
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (11): Get my authentication method
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-3: (11): Check for EAP exchange
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-2: (11): Sending auth message
IKEv2-PROTO-5: Construct Vendor Specific Payload: CISCO-GRANITE
IKEv2-PROTO-3: ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA96
IKEv2-PROTO-5: Construct Notify Payload: INITIAL_CONTACT
IKEv2-PROTO-5: Construct Notify Payload: ESP_TFC_NO_SUPPORT
IKEv2-PROTO-5: Construct Notify Payload: NON_FIRST_FRAGS
IKEv2-PROTO-3: (11): Building packet for encryption; contents are:
VID Next payload: IDi, reserved: 0x0, length: 20
11 ce cc 39 b9 a5 83 2e 9b 20 27 87 63 ca 5e f0
IDi Next payload: AUTH, reserved: 0x0, length: 12
Id type: IPv4 address, Reserved: 0x0 0x0
c8 01 01 02
AUTH Next payload: SA, reserved: 0x0, length: 72
Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 64 bytes
SA Next payload: TSi, reserved: 0x0, length: 44
IKEv2-PROTO-4: last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4: last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id:
TSi Next payload: TSr, reserved: 0x0, length: 40
Num of TSs: 2, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 192.168.2.2, end addr: 192.168.2.2
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 192.168.2.0, end addr: 192.168.2.255
TSr Next payload: NOTIFY, reserved: 0x0, length: 40
Num of TSs: 2, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 192.168.1.1, end addr: 192.168.1.1
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 192.168.1.0, end addr: 192.168.1.255
NOTIFY(INITIAL_CONTACT) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
NOTIFY(ESP_TFC_NO_SUPPORT) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
NOTIFY(NON_FIRST_FRAGS) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
IKEv2-PROTO-3: (11): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 200.1.1.2:500/R 200.1.1.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:13CECD39AA927069 - r: C6414ACB8DC80CF5]
IKEv2-PROTO-4: IKEV2 HDR ispi: 13CECD39AA927069 - rspi: C6414ACB8DC80CF5
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x1, length: 336
ENCR Next payload: VID, reserved: 0x0, length: 308
Encrypted data: 304 bytes
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 200.1.1.2:500/R 200.1.1.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:13CECD39AA927069 - r: C6414ACB8DC80CF5]
IKEv2-PROTO-4: IKEV2 HDR ispi: 13CECD39AA927069 - rspi: C6414ACB8DC80CF5
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x1, length: 320
REAL Decrypted packet:Data: 224 bytes
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM)
VID Next payload: IDr, reserved: 0x0, length: 20
c7 41 4b cb 9e ff ff b2 9b 20 27 87 63 ca 5e f0
IDr Next payload: AUTH, reserved: 0x0, length: 12
Id type: IPv4 address, Reserved: 0x0 0x0
c8 01 01 01
AUTH Next payload: SA, reserved: 0x0, length: 72
Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 64 bytes
SA Next payload: TSi, reserved: 0x0, length: 44
IKEv2-PROTO-4: last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4: last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id:
TSi Next payload: TSr, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 192.168.2.0, end addr: 192.168.2.255
TSr Next payload: NOTIFY, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 192.168.1.0, end addr: 192.168.1.255
IKEv2-PROTO-5: Parse Notify Payload: SET_WINDOW_SIZE
NOTIFY(SET_WINDOW_SIZE) Next payload: NOTIFY, reserved: 0x0, length: 12
Security protocol id: IKE, spi size: 0, type: SET_WINDOW_SIZE
00 00 00 05
IKEv2-PROTO-5: Parse Notify Payload: ESP_TFC_NO_SUPPORT
NOTIFY(ESP_TFC_NO_SUPPORT) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
IKEv2-PROTO-5: Parse Notify Payload: NON_FIRST_FRAGS
NOTIFY(NON_FIRST_FRAGS) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
Decrypted packet:Data: 320 bytes
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-5: (11): Action: Action_Null
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (11): Process auth response notify
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-3: (11): Getting configured policies
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-3: (11): Verify peer's policy
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (11): Get peer authentication method
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-3: (11): Get peer's preshared key for 200.1.1.1
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-3: (11): Verify authentication data
IKEv2-PROTO-3: (11): Use preshared key for id 200.1.1.1, key len 5
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (11): Check for EAP exchange
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_SA_TS
IKEv2-PROTO-2: (11): Processing auth message
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-5: (11): Action: Action_Null
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE
IKEv2-PROTO-3: (11): Closing the PKI session
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-2: (11): SA created; inserting SA into database
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PROTO-3: (11):
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PROTO-3: (11): Initializing DPD, configured for 10 seconds
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_GEN_LOAD_IPSEC
IKEv2-PROTO-3: (11): Load IPSEC key material
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_START_ACCT
IKEv2-PROTO-5: (11): Accounting not required
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-3: (11): Checking for duplicate SA
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: READY Event: EV_I_UPDATE_CAC_STATS
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: READY Event: EV_I_OK
IKEv2-PROTO-5: (11): Deleting negotiation context for my message ID: 0x1
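The IKEv2-PROTO trace above is what you end up reading when a tunnel misbehaves, so here is an added example (my own code, not from the original post or from Cisco) that parses those debug lines into per-message transforms and traffic selectors and flags what a reviewer would question: the 1536-bit DH group 5 in the IKE SA, the SHA-1-based ESP integrity, and the responder narrowing the two proposed traffic selectors down to the subnet. It also handles the one trap visible in the trace: the IKE_AUTH request dumps its payloads before its Tx header. The sample trace embedded in the block is a constructed excerpt in the same line format, and the weak-algorithm baseline is my own.

```python
"""Audit an ASA 'debug crypto ikev2 protocol' trace: recover the proposed and
chosen transforms and traffic selectors per message, then flag weak choices."""
import re
from dataclasses import dataclass, field

TRANSFORM_TYPES = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH", 5: "ESN"}  # RFC 7296 3.3.2
WEAK_TRANSFORMS = {  # (type, id as the ASA prints it) -> reviewer note
    ("DH", "DH_GROUP_1536_MODP/Group 5"): "1536-bit MODP, RFC 8247 SHOULD NOT; use group 14 or larger",
    ("INTEG", "SHA96"): "HMAC-SHA1-96 (ASA 'integrity sha-1'); prefer a SHA-2 integrity algorithm",
}
EXCHANGE_RE = re.compile(r"Exchange type: (\w+), flags: (.+)$")
PROPOSAL_RE = re.compile(r"Proposal: \d+, Protocol id: (\w+), SPI size: \d+, #trans: \d+")
TRANSFORM_RE = re.compile(r"^\s*type: (\d+), reserved: 0x0, id:\s*(.*)$")  # skips 'Id type:' and 'TS type:'
TS_HDR_RE = re.compile(r"^\s*(TSi|TSr) Next payload")
TS_RANGE_RE = re.compile(r"start addr: ([\d.]+), end addr: ([\d.]+)")


@dataclass
class Message:
    exchange: str = ""      # IKE_SA_INIT / IKE_AUTH, taken from the HDR dump
    response: bool = False  # True when the flags carry MSG-RESPONSE
    transforms: dict = field(default_factory=dict)  # protocol -> {type: id}
    ts: dict = field(default_factory=lambda: {"TSi": [], "TSr": []})


def parse_trace(text: str) -> list:
    messages, msg, proto, ts_side = [], None, None, None
    for line in text.splitlines():
        if "Building packet for encryption" in line:
            # The outbound IKE_AUTH request dumps its payloads BEFORE its Tx
            # header, so open the message now and fill the header in later.
            msg, proto, ts_side = Message(), None, None
            messages.append(msg)
        elif m := EXCHANGE_RE.search(line):
            if msg is None or msg.exchange:  # not a pending pre-encryption dump
                msg, proto, ts_side = Message(), None, None
                messages.append(msg)
            msg.exchange, msg.response = m.group(1), "MSG-RESPONSE" in m.group(2)
        elif msg is None:
            continue
        elif m := PROPOSAL_RE.search(line):
            proto = m.group(1)
            msg.transforms[proto] = {}
        elif (m := TRANSFORM_RE.match(line)) and proto:
            ttype = TRANSFORM_TYPES.get(int(m.group(1)), m.group(1))
            msg.transforms[proto][ttype] = m.group(2).strip() or "-"  # ESN prints no id
        elif m := TS_HDR_RE.match(line):
            ts_side = m.group(1)
        elif (m := TS_RANGE_RE.search(line)) and ts_side:
            msg.ts[ts_side].append((m.group(1), m.group(2)))
    return messages


def audit(messages: list, weak=WEAK_TRANSFORMS) -> list:
    """Return findings; only the responder's reply carries the chosen proposal."""
    findings = []
    for msg in messages:
        for proto, chosen in (msg.transforms.items() if msg.response else ()):
            for ttype, tid in chosen.items():
                if (ttype, tid) in weak:
                    findings.append(f"{msg.exchange} {proto} {ttype}={tid}: {weak[ttype, tid]}")
    auth = [m for m in messages if m.exchange == "IKE_AUTH"]
    if len(auth) == 2:  # RFC 7296 2.9: the responder picks a subset of the proposed TS
        for side in ("TSi", "TSr"):
            if len(auth[1].ts[side]) < len(auth[0].ts[side]):
                findings.append(f"{side} narrowed by peer: {auth[0].ts[side]} -> {auth[1].ts[side]}")
    return findings


# Constructed excerpt in the format of the trace above, not the original capture.
SAMPLE_TRACE = """\
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
type: 1, reserved: 0x0, id: AES-CBC
type: 2, reserved: 0x0, id: SHA512
type: 3, reserved: 0x0, id: SHA512
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-3: (11): Building packet for encryption; contents are:
Id type: IPv4 address, Reserved: 0x0 0x0
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
type: 1, reserved: 0x0, id: AES-CBC
type: 3, reserved: 0x0, id: SHA96
type: 5, reserved: 0x0, id:
TSi Next payload: TSr, reserved: 0x0, length: 40
start addr: 192.168.2.2, end addr: 192.168.2.2
start addr: 192.168.2.0, end addr: 192.168.2.255
TSr Next payload: NOTIFY, reserved: 0x0, length: 40
start addr: 192.168.1.1, end addr: 192.168.1.1
start addr: 192.168.1.0, end addr: 192.168.1.255
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: INITIATOR
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
type: 1, reserved: 0x0, id: AES-CBC
type: 3, reserved: 0x0, id: SHA96
type: 5, reserved: 0x0, id:
TSi Next payload: TSr, reserved: 0x0, length: 24
start addr: 192.168.2.0, end addr: 192.168.2.255
TSr Next payload: NOTIFY, reserved: 0x0, length: 24
start addr: 192.168.1.0, end addr: 192.168.1.255
"""
```

Run `audit(parse_trace(SAMPLE_TRACE))` to get the four findings for this trace; feeding it the full capture from `debug crypto ikev2 protocol 255` works the same way.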
IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey ADD message
IPSEC: Creating IPsec SA
IPSEC: Adding the outbound SA, SPI: 0x6DB242F8
IPSEC: New embryonic SA created @ 0xbc40dbd0,
SCB: 0xBC4107A8,
Direction: outbound
SPI : 0x6DB242F8
Session ID: 0x0000B000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: Completed host OBSA update, SPI 0x6DB242F8
IPSEC: Creating outbound VPN context, SPI 0x6DB242F8
Flags: 0x00000005
SA : 0xbc40dbd0
SPI : 0x6DB242F8
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00000000
SCB : 0x00117A5F
Channel: 0xb62afb20
IPSEC: Increment SA NP ref counter for outbound SPI 0x6DB242F8, old value: 0, new value: 1, (ctm_ipsec_create_vpn_context:5983)
IPSEC: Completed outbound VPN context, SPI 0x6DB242F8
VPN handle: 0x00003c34
IPSEC: New outbound encrypt rule, SPI 0x6DB242F8
Src addr: 192.168.2.0
Src mask: 255.255.255.0
Dst addr: 192.168.1.0
Dst mask: 255.255.255.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Increment SA NP ref counter for outbound SPI 0x6DB242F8, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:5088)
IPSEC: Completed outbound encrypt rule, SPI 0x6DB242F8
Rule ID: 0xbc40d518
IPSEC: Decrement SA NP ref counter for outbound SPI 0x6DB242F8, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:4344)
IPSEC: New outbound permit rule, SPI 0x6DB242F8
Src addr: 200.1.1.2
Src mask: 255.255.255.255
Dst addr: 200.1.1.1
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x6DB242F8
Use SPI: true
IPSEC: Increment SA NP ref counter for outbound SPI 0x6DB242F8, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:5222)
IPSEC: Completed outbound permit rule, SPI 0x6DB242F8
Rule ID: 0xbc2da200
IPSEC: Decrement SA NP ref counter for outbound SPI 0x6DB242F8, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:4344)
IPSEC: Decrement SA NP ref counter for outbound SPI 0x6DB242F8, old value: 1, new value: 0, (ctm_np_vpn_context_cb:9414)
IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey UPDATE message
IPSEC: Creating IPsec SA
IPSEC: Updating the inbound SA, SPI: 0x8FB36110
IPSEC: Completed host IBSA update, SPI 0x8FB36110
IPSEC: Creating inbound VPN context, SPI 0x8FB36110
Flags: 0x00000006
SA : 0xbc40f420
SPI : 0x8FB36110
MTU : 0 bytes
VCID : 0x00000000
Peer : 0x00003C34
SCB : 0x000F7F13
Channel: 0xb62afb20
IPSEC: Increment SA NP ref counter for inbound SPI 0x8FB36110, old value: 0, new value: 1, (ctm_ipsec_create_vpn_context:5898)
IPSEC: Completed inbound VPN context, SPI 0x8FB36110
VPN handle: 0x00004154
IPSEC: Updating outbound VPN context 0x00003C34, SPI 0x6DB242F8
Flags: 0x00000005
SA : 0xbc40dbd0
SPI : 0x6DB242F8
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00004154
SCB : 0x00117A5F
Channel: 0xb62afb20
IPSEC: Increment SA NP ref counter for outbound SPI 0x6DB242F8, old value: 0, new value: 1, (ctm_ipsec_create_vpn_context:5970)
IPSEC: Completed outbound VPN context, SPI 0x6DB242F8
VPN handle: 0x00003c34
IPSEC: Completed outbound inner rule, SPI 0x6DB242F8
Rule ID: 0xbc40d518
IPSEC: Completed outbound outer SPD rule, SPI 0x6DB242F8
Rule ID: 0xbc2da200
IPSEC: Decrement SA NP ref counter for outbound SPI 0x6DB242F8, old value: 1, new value: 0, (ctm_np_vpn_context_cb:9414)
IPSEC: New inbound tunnel flow rule, SPI 0x8FB36110
Src addr: 192.168.1.0
Src mask: 255.255.255.0
Dst addr: 192.168.2.0
Dst mask: 255.255.255.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Increment SA NP ref counter for inbound SPI 0x8FB36110, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:4854)
IPSEC: Completed inbound tunnel flow rule, SPI 0x8FB36110
Rule ID: 0xbc40d778
IPSEC: Decrement SA NP ref counter for inbound SPI 0x8FB36110, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:4344)
IPSEC: New inbound decrypt rule, SPI 0x8FB36110
Src addr: 200.1.1.1
Src mask: 255.255.255.255
Dst addr: 200.1.1.2
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x8FB36110
Use SPI: true
IPSEC: Increment SA NP ref counter for inbound SPI 0x8FB36110, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:4947)
IPSEC: Completed inbound decrypt rule, SPI 0x8FB36110
Rule ID: 0xbc410b08
IPSEC: Decrement SA NP ref counter for inbound SPI 0x8FB36110, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:4344)
IPSEC: New inbound permit rule, SPI 0x8FB36110
Src addr: 200.1.1.1
Src mask: 255.255.255.255
Dst addr: 200.1.1.2
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x8FB36110
Use SPI: true
IPSEC: Increment SA NP ref counter for inbound SPI 0x8FB36110, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:4947)
IPSEC: Completed inbound permit rule, SPI 0x8FB36110
Rule ID: 0xbc412440
IPSEC: Decrement SA NP ref counter for inbound SPI 0x8FB36110, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:4344)
IPSEC: Decrement SA NP ref counter for inbound SPI 0x8FB36110, old value: 1, new value: 0, (ctm_np_vpn_context_cb:9414)
ASA1# show crypto ?
accelerator Show accelerator operational data
ca Show certification authority policy
debug-condition Show crypto debug filters
ikev1 Show IKEv1 operational data
ikev2 Show IKEv2 operational data
ipsec Show IPsec operational data
isakmp Show ISAKMP operational data
key Show long term public keys
protocol Show protocol statistics
ssl Show ssl information
ASA1# show crypto ikev2 ?
sa Show IKEv2 sas
stats Show IKEv2 statistics
ASA1# show crypto ikev2 sa
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
96200735 200.1.1.2/500 200.1.1.1/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/51 sec
Child sa: local selector 192.168.2.0/0 - 192.168.2.255/65535
remote selector 192.168.1.0/0 - 192.168.1.255/65535
ESP spi in/out: 0x8fb36110/0x6db242f8
ASA1# show crypto ipsec sa
interface: outside
Crypto map tag: CMAP, seq num: 10, local addr: 200.1.1.2
access-list ASA1-R1-ACL extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 200.1.1.1
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 200.1.1.2/500, remote crypto endpt.: 200.1.1.1/500
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 6DB242F8
current inbound spi : 8FB36110
inbound esp sas:
spi: 0x8FB36110 (2410897680)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 45056, crypto-map: CMAP
sa timing: remaining key lifetime (kB/sec): (3962880/28733)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x6DB242F8 (1840399096)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 45056, crypto-map: CMAP
sa timing: remaining key lifetime (kB/sec): (4101119/28733)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Here's the debug output from the router.
R1#debug crypto ?
ber decode ASN.1 BER data
condition Define debug condition filters
engine Crypto Engine Debug
gdoi Crypto GDOI Group Key Management debug
ha Crypto High Availability (generic) debug
ikev2 IKEv2 debugging
ipsec IPSEC processing
ipv6 Crypto IPv6 debug
isakmp ISAKMP Key Management
kmi Crypto Key Management Interface debug
mib IPSEC Management Transactions
pki PKI Client
rmal Crypto RMAL debug
routing IPSEC Route Events
socket Crypto Secure Socket Debug
verbose verbose decode
R1#debug crypto ikev2 ?
client Client
error IKEv2 Error debugging
internal IKEv2 Internal debugging
packet IKEv2 Packet debugging
<cr>
R1#debug crypto ikev2
IKEv2 default debugging is on
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#debug crypto ipsec
Crypto IPSEC debugging is on
R1#show debug
Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto IPSEC debugging is on
IKEV2:
IKEv2 error debugging is on
IKEv2 default debugging is on
*Jan 11 13:57:57.511: IKEv2:Received Packet [From 200.1.1.2:500/To 200.1.1.1:500/VRF i0:f0]
Initiator SPI : 13CECD39AA927069 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID
*Jan 11 13:57:57.515: IKEv2:(SA ID = 1):Verify SA init message
*Jan 11 13:57:57.515: IKEv2:(SA ID = 1):Insert SA
*Jan 11 13:57:57.515: IKEv2:Searching Policy with fvrf 0, local address 200.1.1.1
*Jan 11 13:57:57.515: IKEv2:Found Policy 'POLICY-1'
*Jan 11 13:57:57.515: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*Jan 11 13:57:57.515: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 11 13:57:57.519: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4' 'Trustpool3' 'Trustpool2' 'Trustpool1' 'Trustpool'
*Jan 11 13:57:57.519: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 11 13:57:57.519: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Jan 11 13:57:57.519: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Jan 11 13:57:57.519: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Jan 11 13:57:57.523: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
*Jan 11 13:57:57.523: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jan 11 13:57:57.523: IKEv2:(SA ID = 1):Request queued for computation of DH key
*Jan 11 13:57:57.523: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
*Jan 11 13:57:57.655: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jan 11 13:57:57.659: IKEv2:(SA ID = 1):Request queued for computation of DH secret
*Jan 11 13:57:57.659: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Jan 11 13:57:57.663: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Jan 11 13:57:57.663: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Jan 11 13:57:57.667: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
*Jan 11 13:57:57.667: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA512 SHA512 DH_GROUP_1536_MODP/Group 5
*Jan 11 13:57:57.667: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 11 13:57:57.667: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4' 'Trustpool3' 'Trustpool2' 'Trustpool1' 'Trustpool'
*Jan 11 13:57:57.667: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 11 13:57:57.667: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Jan 11 13:57:57.671: IKEv2:(SA ID = 1):Sending Packet [To 200.1.1.2:500/From 200.1.1.1:500/VRF i0:f0]
Initiator SPI : 13CECD39AA927069 - Responder SPI : C6414ACB8DC80CF5 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
*Jan 11 13:57:57.671: IKEv2:(SA ID = 1):Completed SA init exchange
*Jan 11 13:57:57.671: IKEv2:(SA ID = 1):Starting timer (30 sec) to wait for auth message
*Jan 11 13:57:57.963: IKEv2:(SA ID = 1):Received Packet [From 200.1.1.2:500/To 200.1.1.1:500/VRF i0:f0]
Initiator SPI : 13CECD39AA927069 - Responder SPI : C6414ACB8DC80CF5 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Jan 11 13:57:57.979: IKEv2:(SA ID = 1):Stopping timer to wait for auth message
*Jan 11 13:57:57.983: IKEv2:(SA ID = 1):Checking NAT discovery
*Jan 11 13:57:57.987: IKEv2:(SA ID = 1):NAT not found
*Jan 11 13:57:57.991: IKEv2:(SA ID = 1):Searching policy based on peer's identity '200.1.1.2' of type 'IPv4 address'
*Jan 11 13:57:57.995: IKEv2:found matching IKEv2 profile 'PROFILE-1'
*Jan 11 13:57:57.995: ISAKMP:(0):: peer matches PROFILE-1 profile
*Jan 11 13:57:57.999: IKEv2:% Getting preshared key from profile keyring KEYRING-1
*Jan 11 13:57:57.999: IKEv2:% Matched peer block 'ASA1'
*Jan 11 13:57:58.003: IKEv2:Searching Policy with fvrf 0, local address 200.1.1.1
*Jan 11 13:57:58.007: IKEv2:Found Policy 'POLICY-1'
*Jan 11 13:57:58.011: IKEv2:(SA ID = 1):Verify peer's policy
*Jan 11 13:57:58.015: IKEv2:(SA ID = 1):Peer's policy verified
*Jan 11 13:57:58.019: IKEv2:(SA ID = 1):Get peer's authentication method
*Jan 11 13:57:58.023: IKEv2:(SA ID = 1):Peer's authentication method is 'PSK'
*Jan 11 13:57:58.027: IKEv2:(SA ID = 1):Get peer's preshared key for 200.1.1.2
*Jan 11 13:57:58.027: IKEv2:(SA ID = 1):Verify peer's authentication data
*Jan 11 13:57:58.027: IKEv2:(SA ID = 1):Use preshared key for id 200.1.1.2, key len 5
*Jan 11 13:57:58.027: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Jan 11 13:57:58.027: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Jan 11 13:57:58.031: IKEv2:(SA ID = 1):Verification of peer's authenctication data PASSED
*Jan 11 13:57:58.031: IKEv2:(SA ID = 1):Processing INITIAL_CONTACT
*Jan 11 13:57:58.035: IKEv2:(SA ID = 1):Processing IKE_AUTH message
*Jan 11 13:57:58.035: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 12 hmac 2 flags 8177 keysize 256 IDB 0x0
*Jan 11 13:57:58.039: IPSEC(validate_proposal_request): proposal part #1
*Jan 11 13:57:58.039: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 200.1.1.1:0, remote= 200.1.1.2:0,
local_proxy= 192.168.1.0/255.255.255.0/256/0,
remote_proxy= 192.168.2.0/255.255.255.0/256/0,
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jan 11 13:57:58.043: Crypto mapdb : proxy_match
src addr : 192.168.1.0
dst addr : 192.168.2.0
protocol : 0
src port : 0
dst port : 0
*Jan 11 13:57:58.055: IKEv2:(SA ID = 1):Get my authentication method
*Jan 11 13:57:58.055: IKEv2:(SA ID = 1):My authentication method is 'PSK'
*Jan 11 13:57:58.055: IKEv2:(SA ID = 1):Get peer's preshared key for 200.1.1.2
*Jan 11 13:57:58.055: IKEv2:(SA ID = 1):Generate my authentication data
*Jan 11 13:57:58.055: IKEv2:(SA ID = 1):Use preshared key for id 200.1.1.1, key len 5
*Jan 11 13:57:58.059: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Jan 11 13:57:58.059: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Jan 11 13:57:58.059: IKEv2:(SA ID = 1):Get my authentication method
*Jan 11 13:57:58.059: IKEv2:(SA ID = 1):My authentication method is 'PSK'
*Jan 11 13:57:58.059: IKEv2:(SA ID = 1):Generating IKE_AUTH message
*Jan 11 13:57:58.059: IKEv2:(SA ID = 1):Constructing IDr payload: '200.1.1.1' of type 'IPv4 address'
*Jan 11 13:57:58.063: IKEv2:(SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA96 Don't use ESN
*Jan 11 13:57:58.063: IKEv2:(SA ID = 1):Building packet for encryption.
Payload contents:
VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Jan 11 13:57:58.067: IKEv2:(SA ID = 1):Sending Packet [To 200.1.1.2:500/From 200.1.1.1:500/VRF i0:f0]
Initiator SPI : 13CECD39AA927069 - Responder SPI : C6414ACB8DC80CF5 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Jan 11 13:57:58.071: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Jan 11 13:57:58.071: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Jan 11 13:57:58.075: IKEv2:(SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Jan 11 13:57:58.079: IKEv2:(SA ID = 1):Session with IKE ID PAIR (200.1.1.2, 200.1.1.1) is UP
*Jan 11 13:57:58.083: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Jan 11 13:57:58.087: IKEv2:(SA ID = 1):Load IPSEC key material
*Jan 11 13:57:58.091: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
*Jan 11 13:57:58.095: IKEv2:(SA ID = 1):Asynchronous request queued
*Jan 11 13:57:58.095: IKEv2:(SA ID = 1):
*Jan 11 13:57:58.103: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jan 11 13:57:58.103: Crypto mapdb : proxy_match
src addr : 192.168.1.0
dst addr : 192.168.2.0
protocol : 256
src port : 0
dst port : 0
*Jan 11 13:57:58.107: IPSEC(crypto_ipsec_create_ipsec_sas): Map found CMAP
*Jan 11 13:57:58.111: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 200.1.1.2
*Jan 11 13:57:58.131: IPSEC(create_sa): sa created,
(sa) sa_dest= 200.1.1.1, sa_proto= 50,
sa_spi= 0x6DB242F8(1840399096),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 1
sa_lifetime(k/sec)= (4608000/3600)
*Jan 11 13:57:58.131: IPSEC(create_sa): sa created,
(sa) sa_dest= 200.1.1.2, sa_proto= 50,
sa_spi= 0x8FB36110(2410897680),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 2
sa_lifetime(k/sec)= (4608000/3600)
*Jan 11 13:57:58.139: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
*Jan 11 13:57:58.143: IPSEC: Expand action denied, notify RP
*Jan 11 13:57:58.147: IKEv2:(SA ID = 1):Checking for duplicate IKEv2 SA
*Jan 11 13:57:58.147: IKEv2:(SA ID = 1):No duplicate IKEv2 SA found
*Jan 11 13:57:58.147: IKEv2:(SA ID = 1):Starting timer (8 sec) to delete negotiation context
R1#show crypto ?
call Show crypto call admission info
datapath Data Path
debug-condition Debug Condition filters
dynamic-map Crypto map templates
eli Encryption Layer Interface
engine Show crypto engine info
entropy Entropy sources
gdoi Show crypto gdoi
identity Show crypto identity list
ikev2 Shows ikev2 info
ipsec Show IPSEC policy
isakmp Show ISAKMP
key Show long term public keys
map Crypto maps
mib Show Crypto-related MIB Parameters
optional Optional Encryption Status
pki Show PKI
route Show crypto VPN routes
ruleset Show crypto rules on outgoing packets
session Show crypto sessions (tunnels)
sockets Secure Socket Information
tech-support Displays relevant crypto information
R1#show crypto ikev2 ?
authorization Author policy
certificate-cache Show certificates in ikev2 certificate-cache
client Show Client Status
diagnose Shows ikev2 diagnostic
policy Show policies
profile Shows ikev2 profiles
proposal Show proposals
sa Shows ikev2 SAs
session Shows ikev2 active session
stats Shows ikev2 sa stats
R1#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 200.1.1.1/500 200.1.1.2/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/32 sec
IPv6 Crypto IKEv2 SA
R1#show crypto ipsec ?
policy Show IPSEC client policies
profile Show ipsec profile information
sa IPSEC SA table
security-association Show parameters for IPSec security associations
spi-lookup IPSEC SPI table
transform-set Crypto transform sets
R1#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: CMAP, local addr 200.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/256/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/256/0)
current_peer 200.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 200.1.1.1, remote crypto endpt.: 200.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x8FB36110(2410897680)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x6DB242F8(1840399096)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, sibling_flags 80000040, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4354253/3520)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x8FB36110(2410897680)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, sibling_flags 80000040, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4354253/3520)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
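As an added example (not part of the original post), here is a small Python checker that parses the `show crypto ikev2 sa` / `show crypto ipsec sa` output from both peers above, confirms the ESP SPIs cross-match (each side's inbound SPI is the other side's outbound SPI), confirms the IKE SA parameters agree, and flags the weak settings visible in this lab (DH group 5 and the pre-shared key the router debug reports as `key len 5`). The sample outputs are constructed excerpts of the page's output; the minimum DH group and PSK length are this example's own thresholds, not values from the page.

```python
import re

# Constructed excerpts of the command output shown on this page.
ASA_IKEV2_SA = """\
Tunnel-id Local Remote Status Role
96200735 200.1.1.2/500 200.1.1.1/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Child sa: local selector 192.168.2.0/0 - 192.168.2.255/65535
ESP spi in/out: 0x8fb36110/0x6db242f8
"""
ASA_IPSEC_SA = """\
inbound esp sas:
spi: 0x8FB36110 (2410897680)
transform: esp-aes-256 esp-sha-hmac no compression
outbound esp sas:
spi: 0x6DB242F8 (1840399096)
transform: esp-aes-256 esp-sha-hmac no compression
"""
R1_IKEV2_SA = """\
1 200.1.1.1/500 200.1.1.2/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
"""
R1_IPSEC_SA = """\
inbound esp sas:
spi: 0x6DB242F8(1840399096)
transform: esp-256-aes esp-sha-hmac ,
outbound esp sas:
spi: 0x8FB36110(2410897680)
transform: esp-256-aes esp-sha-hmac ,
"""
R1_DEBUG = "*Jan 11 13:57:58.027: IKEv2:(SA ID = 1):Use preshared key for id 200.1.1.2, key len 5"

IKE_RE = re.compile(
    r"Encr:\s*(?P<encr>[\w-]+),\s*keysize:\s*(?P<keysize>\d+),\s*Hash:\s*(?P<hash>\w+),"
    r"\s*DH Grp:\s*(?P<dh>\d+),\s*Auth sign:\s*(?P<sign>\w+),\s*Auth verify:\s*(?P<verify>\w+)"
)
SPI_RE = re.compile(r"spi:\s*0x([0-9A-Fa-f]{1,8})")          # IOS and ASA 'spi:' lines
ASA_CHILD_SPI_RE = re.compile(r"ESP spi in/out:\s*0x([0-9A-Fa-f]+)/0x([0-9A-Fa-f]+)")
PSK_LEN_RE = re.compile(r"Use preshared key for id \S+, key len (\d+)")

# Assumed minimum acceptable values (this example's own thresholds).
MIN_DH_GROUP = 14   # 2048-bit MODP; group 5 (1536-bit) falls below it
MIN_PSK_LEN = 16


def parse_ike_sa(text):
    """Extract the IKE SA parameter line (same format on ASA and IOS)."""
    m = IKE_RE.search(text)
    if not m:
        raise ValueError("no IKEv2 SA parameter line found")
    d = m.groupdict()
    d["keysize"] = int(d["keysize"])
    d["dh"] = int(d["dh"])
    return d


def parse_esp_spis(text):
    """Return {'in': spi, 'out': spi} from 'show crypto ipsec sa' (IOS or ASA)."""
    spis, section = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s == "inbound esp sas:":
            section = "in"
        elif s == "outbound esp sas:":
            section = "out"
        elif section:
            m = SPI_RE.match(s)
            if m and section not in spis:          # first SA in each section
                spis[section] = int(m.group(1), 16)
    return spis


def parse_asa_child_spis(text):
    """Return the child SA SPIs from the ASA 'show crypto ikev2 sa' output."""
    m = ASA_CHILD_SPI_RE.search(text)
    if not m:
        raise ValueError("no 'ESP spi in/out' line found")
    return {"in": int(m.group(1), 16), "out": int(m.group(2), 16)}


def psk_length(debug_text):
    """Pre-shared key length as reported by 'debug crypto ikev2' on IOS, or None."""
    m = PSK_LEN_RE.search(debug_text)
    return int(m.group(1)) if m else None


def check_tunnel(asa_ike, r1_ike, asa_spis, r1_spis, psk_len=None):
    """Cross-check both peers' views of the tunnel; return a list of findings."""
    findings = []
    for key in ("encr", "keysize", "hash", "dh"):
        if asa_ike[key] != r1_ike[key]:
            findings.append(f"IKE SA mismatch on {key}: ASA={asa_ike[key]} R1={r1_ike[key]}")
    # Each peer's inbound ESP SPI must be the other peer's outbound SPI.
    if asa_spis["in"] != r1_spis["out"] or asa_spis["out"] != r1_spis["in"]:
        findings.append(f"ESP SPI mismatch: ASA in/out={asa_spis} R1 in/out={r1_spis}")
    if asa_ike["dh"] < MIN_DH_GROUP:
        findings.append(f"weak DH group {asa_ike['dh']} (below assumed minimum {MIN_DH_GROUP})")
    if psk_len is not None and psk_len < MIN_PSK_LEN:
        findings.append(f"short pre-shared key ({psk_len} chars, below assumed minimum {MIN_PSK_LEN})")
    return findings


if __name__ == "__main__":
    for f in check_tunnel(parse_ike_sa(ASA_IKEV2_SA), parse_ike_sa(R1_IKEV2_SA),
                          parse_esp_spis(ASA_IPSEC_SA), parse_esp_spis(R1_IPSEC_SA),
                          psk_length(R1_DEBUG)):
        print(f)
```

On this page's outputs the SPIs and IKE parameters agree, so the only findings are the two weak-parameter warnings.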
You'll need an IOS that supports IKEv2 commands. I've downloaded C7200-ADVENTERPRISEK9-M Version 15.2(4)S to configure IKEv2 in GNS3.
R1#show version
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Fri 20-Jul-12 15:03 by prod_rel_team
ROM: ROMMON Emulation Microcode
BOOTLDR: 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S, RELEASE SOFTWARE (fc1)
R1 uptime is 3 minutes
System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
System image file is "tftp://255.255.255.255/unknown"
Last reload reason: Unknown reason
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes of memory.
Processor board ID 4279256517
R7000 CPU at 150MHz, Implementation 39, Rev 2.1, 256KB L2 Cache
6 slot VXR midplane, Version 2.1
Last reset from power-on
PCI bus mb0_mb1 (Slots 0, 1, 3 and 5) has a capacity of 600 bandwidth points.
Current configuration on bus mb0_mb1 has a total of 600 bandwidth points.
This configuration is within the PCI bus capacity and is supported.
PCI bus mb2 (Slots 2, 4, 6) has a capacity of 600 bandwidth points.
Current configuration on bus mb2 has a total of 0 bandwidth points
This configuration is within the PCI bus capacity and is supported.
Please refer to the following document "Cisco 7200 Series Port Adaptor
Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com>
for c7200 bandwidth points oversubscription and usage guidelines.
3 FastEthernet interfaces
509K bytes of NVRAM.
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102
R1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
FastEthernet1/0 unassigned YES unset administratively down down
FastEthernet1/1 unassigned YES unset administratively down down
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip interface f0/0
R1(config-if)#ip address 200.1.1.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#
*Jan 10 16:40:02.543: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Jan 10 16:40:03.543: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#
R1(config-if)#interface f1/1
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 f0/0 // NOT ADVISABLE TO USE IN PRODUCTION NETWORK
%Default route without gateway, if not a point-to-point interface, may impact performance
R1(config)#do show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 200.1.1.1 YES manual up up
FastEthernet1/0 unassigned YES unset administratively down down
FastEthernet1/1 192.168.1.1 YES manual up up
R1(config)#crypto ?
call Configure Crypto Call Admission Control
dynamic-map Specify a dynamic crypto map template
engine Enter a crypto engine configurable menu
gdoi Configure GDOI policy
identity Enter a crypto identity list
ikev2 Configure IKEv2 Options
ipsec Configure IPSEC policy
isakmp Configure ISAKMP policy
key Long term key operations
keyring Key ring commands
logging logging messages
map Enter a crypto map
mib Configure Crypto-related MIB Parameters
pki Public Key components
xauth X-Auth parameters
R1(config)#crypto ikev2 ?
authorization IKEv2 authorization
certificate-cache Cache for storing certs fetched from HTTP URLs
client IKEv2 client configuration
cookie-challenge Set Cookie-challenge watermark
cts Cisco Trust Security
diagnose IKEV2 diagnose
dpd Enable IKE liveness check for peers
fragmentation Enable fragmentation of ikev2 packets
http-url Enable http URL lookup
keyring Define IKEv2 Keyring
limit Limit the number of maximum and negotiating sa
name-mangler Name mangler
nat NAT-transparency
policy Define IKEV2 policies
profile Define IKEv2 Profiles
proposal Define IKEV2 proposals
redirect IKEv2 Redirect Mechanism for load-balancing
window IKEV2 window size
R1(config)#crypto ikev2 keyring ?
WORD Name of IKEv2 Keyring
R1(config)#crypto ikev2 keyring KEYRING-1
R1(config-ikev2-keyring)#?
IKEv2 Keyring commands:
exit Exit from crypto ikev2 keyring sub mode
no Negate a command or set its defaults
peer Configure a Peer and associated keys
R1(config-ikev2-keyring)#peer ?
WORD Name of the peer block
R1(config-ikev2-keyring)#peer ASA1
R1(config-ikev2-keyring-peer)#?
Crypto IKEv2 Keyring Peer submode commands:
address Specify IPv4/IPv6 address of peer
description Specify a description of this peer
exit Exit from crypto ikev2 keyring peer sub mode
hostname Hostname of peer
identity Specify IKE identity to use
no Negate values of a command
pre-shared-key specify the pre-shared key
R1(config-ikev2-keyring-peer)#address ?
A.B.C.D IPv4 Address
X:X:X:X::X/<0-128> IPv6 address/prefix
R1(config-ikev2-keyring-peer)#address 200.1.1.2
R1(config-ikev2-keyring-peer)#pre-shared-key ?
0 Specifies an UNENCRYPTED password will follow
6 Specifies an ENCRYPTED password will follow
LINE The UNENCRYPTED (cleartext) user password
hex Key entered in hex string
local specify signing key
remote specify verifying key
R1(config-ikev2-keyring-peer)#pre-shared-key local ?
0 Specifies an UNENCRYPTED password will follow
6 Specifies an ENCRYPTED password will follow
LINE The UNENCRYPTED (cleartext) user password
hex Key entered in hex string
R1(config-ikev2-keyring-peer)#pre-shared-key local cisco
R1(config-ikev2-keyring-peer)#pre-shared-key remote cisco
R1(config-ikev2-keyring-peer)#exit
R1(config-ikev2-keyring)#exit
R1(config)#
R1(config)#crypto ikev2p proposal ?
WORD Name of IKEv2 proposal
R1(config)#crypto ikev2 proposal PROPOSAL-1
IKEv2 proposal MUST have at least an encryption algorithm, an integrity algorithm and a dh group configured
R1(config-ikev2-proposal)#?
IKEv2 Proposal commands:
encryption Set encryption algorithm(s) for proposal
exit Exit from IKEv2 proposal configuration mode
group Set the Diffie-Hellman group(s)
integrity Set integrity hash algorithm(s) for proposal
no Negate a command or set its defaults
R1(config-ikev2-proposal)#encryption ?
3des 3DES
aes-cbc-128 AES-CBC-128
aes-cbc-192 AES-CBC-192
aes-cbc-256 AES-CBC-256
des DES
R1(config-ikev2-proposal)#encryption aes-cbc-256
R1(config-ikev2-proposal)#integrity ?
md5 Message Digest 5
sha1 Secure Hash Standard
sha256 Secure Hash Standard 2 (256 bit)
sha384 Secure Hash Standard 2 (384 bit)
sha512 Secure Hash Standard 2 (512 bit)
R1(config-ikev2-proposal)#integrity sha512
R1(config-ikev2-proposal)#group ?
1 DH 768 MODP
14 DH 2048 MODP
15 DH 3072 MODP
16 DH 4096 MODP
19 DH 256 ECP
2 DH 1024 MODP
20 DH 384 ECP
24 DH 2048 (256 subgroup) MODP
5 DH 1536 MODP
R1(config-ikev2-proposal)#group 5
R1(config-ikev2-proposal)#exit
R1(config)#
R1(config)#crypto iev2 kev2 profile ?
WORD Name of IKEv2 Profile
R1(config)#crypto ikev2 profile PROFILE-1
IKEv2 profile MUST have:
1. A local and a remote authentication method.
2. A match identity or a match certificate statement.
R1(config-ikev2-profile)#?
IKEv2 profile commands:
aaa Specify AAA related configs
authentication Set authentication method
config-exchange config-exchange options
description Specify a description of this profile
dpd Enable IKE liveness check for peers
exit Exit from crypto ikev2 profile sub mode
identity Specify IKE identity to use
initial-contact initial-contact processing
ivrf I-VRF of the profile
keyring Specify keyring to use
lifetime Set lifetime for ISAKMP security association
match Match values of peer
nat NAT-transparency
no Negate a command or set its defaults
pki Specify certificate authorities to trust
redirect IKEv2 Redirect Mechanism for load-balancing
virtual-template Specify the virtual-template for dynamic interface
creation.
R1(config-ikev2-profile)#match ?
address IP address
certificate Peer certificate attributes
fvrf fvrf of the profile
identity IKE identity
R1(config-ikev2-profile)#match identity ?
remote Remote identity
R1(config-ikev2-profile)#match identity remote ?
address IP Address(es)
email Fully qualified email string
fqdn Fully qualified domain name string
key-id key-id opaque string
R1(config-ikev2-profile)#match identity remote address ?
A.B.C.D IP address prefix
X:X:X:X::X/<0-128> IPv6 address/prefix-length
R1(config-ikev2-profile)#match identity remote address 200.1.1.1 2 ?
A.B.C.D specify mask
<cr>
R1(config-ikev2-profile)#match identity remote address 200.1.1.1 2 255.255.255.255
R1(config-ikev2-profile)#identity ?
local Specify the local IKE identity to use for the negotiation
R1(config-ikev2-profile)#identity local ?
address address
dn Distinguished Name
email Fully qualified email string
fqdn Fully qualified domain name string
key-id key-id opaque string - proprietary types of identification
R1(config-ikev2-profile)#identity local address ?
A.B.C.D IPv4 address
X:X:X:X::X IPv6 address
R1(config-ikev2-profile)#identity local address 200.1.1.1
R1(config-ikev2-profile)#authentication ?
local Set local authentication method
remote Set remote authentication method
R1(config-ikev2-profile)#authentication remote ?
eap Extended Authentication Protocol
ecdsa-sig ECDSA Signature
pre-share Pre-Shared Key
rsa-sig Rivest-Shamir-Adleman Signature
<cr>
R1(config-ikev2-profile)#authentication remote pre-share
R1(config-ikev2-profile)#authentication local pre-share
R1(config)#crypto ikev2 policy ?
WORD Name of IKEv2 policy
R1(config)#crypto ikev2 policy POLICY-1
IKEv2 policy MUST have atleast one complete proposal attached
R1(config-ikev2-policy)#?
IKEv2 Policy commands:
exit Exit from IKEv2 policy configuration mode
match Match values of local fields
no Negate a command or set its defaults
proposal Specify Proposal
R1(config-ikev2-policy)#proposal ?
WORD Specify the name of proposal to be attached
R1(config-ikev2-policy)#proposal PROPOSAL-1
R1(config-ikev2-policy)#exit
R1(config)#
R1(config)#crypto ipsec ?
df-bit Handling of encapsulated DF bit.
fragmentation Handling of fragmentation of near-MTU sized packets
nat-transparency IPsec NAT transparency model
optional Enable optional encryption for IPSec
profile Configure an ipsec policy profile
security-association Security association parameters
transform-set Define transform and settings
R1(config)#crypto ipsec transform-set ?
WORD Transform set tag
R1(config)#crypto ipsec transform-set TSET-1 ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
ah-sha256-hmac AH-HMAC-SHA256 transform
ah-sha384-hmac AH-HMAC-SHA384 transform
ah-sha512-hmac AH-HMAC-SHA512 transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-gcm ESP transform using GCM cipher
esp-gmac ESP transform using GMAC cipher
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
esp-sha256-hmac ESP transform using HMAC-SHA256 auth
esp-sha384-hmac ESP transform using HMAC-SHA384 auth
esp-sha512-hmac ESP transform using HMAC-SHA512 auth
R1(config)#crypto ipsec transform-set TSET-1 esp-aes ?
128 128 bit keys.
192 192 bit keys.
256 256 bit keys.
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
ah-sha256-hmac AH-HMAC-SHA256 transform
ah-sha384-hmac AH-HMAC-SHA384 transform
ah-sha512-hmac AH-HMAC-SHA512 transform
comp-lzs IP Compression using the LZS compression algorithm
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-sha-hmac ESP transform using HMAC-SHA auth
esp-sha256-hmac ESP transform using HMAC-SHA256 auth
esp-sha384-hmac ESP transform using HMAC-SHA384 auth
esp-sha512-hmac ESP transform using HMAC-SHA512 auth
<cr>
R1(config)#crypto ipsec transform-set TSET-1 esp-aes 256 ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
ah-sha256-hmac AH-HMAC-SHA256 transform
ah-sha384-hmac AH-HMAC-SHA384 transform
ah-sha512-hmac AH-HMAC-SHA512 transform
comp-lzs IP Compression using the LZS compression algorithm
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-sha-hmac ESP transform using HMAC-SHA auth
esp-sha256-hmac ESP transform using HMAC-SHA256 auth
esp-sha384-hmac ESP transform using HMAC-SHA384 auth
esp-sha512-hmac ESP transform using HMAC-SHA512 auth
<cr>
R1(config)#crypto ipsec transform-set TSET-1 esp-aes 256 esp-sha-hmac
R1(cfg-crypto-trans)#exit
R1(config)#
R1(config)#ip access-list ?
extended Extended Access List
helper Access List acts on helper-address
log-update Control access list log updates
logging Control access list logging
match-local-traffic Enable ACL matching for locally generated traffic
resequence Resequence Access List
role-based Role-based Access List
standard Standard Access List
R1(config)#ip access-list extended ?
<100-199> Extended IP access-list number
<2000-2699> Extended IP access-list number (expanded range)
WORD Access-list name
R1(config)#ip access-list extended R1-ASA1-ACL
R1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R1(config-ext-nacl)#exit
R1(config)#
R1(config)#crypto map ?
WORD Crypto map tag
ipv6 IPv6 crypto map
R1(config)#crypto map CMAP ?
<1-65535> Sequence to insert into crypto map entry
client Specify client configuration settings
gdoi Configure crypto map gdoi features
isakmp Specify isakmp configuration settings
isakmp-profile Specify isakmp profile to use
local-address Interface to use for local address for this crypto map
redundancy High availability options for this map
R1(config)#crypto map CMAP 10 ?
gdoi GDOI
ipsec-isakmp IPSEC w/ISAKMP
ipsec-manual IPSEC w/manual keying
<cr>
R1(config)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#?
Crypto Map configuration commands:
default Set a command to its defaults
description Description of the crypto map statement policy
dialer Dialer related commands
exit Exit from crypto map configuration mode
match Match values.
no Negate a command or set its defaults
qos Quality of Service related commands
reverse-route Reverse Route Injection.
set Set values for encryption/decryption
R1(config-crypto-map)#set ?
identity Identity restriction.
ikev2-profile Specify ikev2 Profile
ip Interface Internet Protocol config commands
isakmp-profile Specify isakmp Profile
nat Set NAT translation
peer Allowed Encryption/Decryption peer.
pfs Specify pfs settings
reverse-route Reverse Route Injection.
security-association Security association parameters
transform-set Specify list of transform sets in priority order
R1(config-crypto-map)#set peer ?
A.B.C.D IP address of peer
WORD Host name of the peer
R1(config-crypto-map)#set peer 200.1.1.2
R1(config-crypto-map)#set transform-set TSET-1
R1(config-crypto-map)#match ?
address Match address of packets to encrypt.
R1(config-crypto-map)#match address ?
<100-199> IP access-list number
<2000-2699> IP access-list number (expanded range)
WORD Access-list name
R1(config-crypto-map)#match address R1-ASA1-ACL
R1(config-crypto-map)#exit
R1(config)#
R1(config)#interface f0/0
R1(config-if)#crypto ?
ipsec Set IPSec parameters
map Assign a Crypto Map
R1(config-if)#crypto map ?
WORD Crypto Map tag
R1(config-if)#crypto map CMAP
R1(config-if)#
*Jan 10 16:39:10.151: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#end
R1#show run
Building configuration...
Current configuration : 1753 bytes
!
! Last configuration change at 13:57:49 UTC Thu Jan 11 2018
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
ipv6 multicast rpf use-bgp
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
crypto ikev2 proposal PROPOSAL-1
encryption aes-cbc-256
integrity sha512
group 5
!
crypto ikev2 policy POLICY-1
proposal PROPOSAL-1
!
crypto ikev2 keyring KEYRING-1
peer ASA1
address 200.1.1.2
pre-shared-key local cisco
pre-shared-key remote cisco
!
!
!
crypto ikev2 profile PROFILE-1
match identity remote address 200.1.1.2 255.255.255.255
identity local address 200.1.1.1
authentication remote pre-share
authentication local pre-share
keyring local KEYRING-1
!
!
!
ip tcp synwait-time 5
!
!
!
crypto ipsec transform-set TSET-1 esp-aes 256 esp-sha-hmac
mode tunnel // DEFAULT
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 200.1.1.2
set transform-set TSET-1
match address R1-ASA1-ACL
!
!
!
!
!
interface FastEthernet0/0
ip address 200.1.1.1 255.255.255.252
duplex full
crypto map CMAP
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
ip address 192.168.1.1 255.255.255.0
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list extended R1-ASA1-ACL
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
I've used ASA version 8.4 in GNS3 which supports IKEv2.
ASA1# show version
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"
ASA1 up 1 min 51 secs
Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB
0: Ext: GigabitEthernet0 : address is 0000.ab21.c100, irq 0
1: Ext: GigabitEthernet1 : address is 0000.ab21.c101, irq 0
2: Ext: GigabitEthernet2 : address is 0000.ab21.c102, irq 0
3: Ext: GigabitEthernet3 : address is 0000.ab21.c103, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 5 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 25 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 0 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 10 perpetual
Total UC Proxy Sessions : 10 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Enabled perpetual
This platform has an ASA 5520 VPN Plus license.
Serial Number: 123456789AB
Running Permanent Activation Key: 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
Configuration register is 0x0
Configuration last modified by enable_15 at 08:30:43.269 UTC Wed Jan 10 2018
ciscoasa# configure terminal
ASA1(config)# interface g0
ASA1(config-if)# ip address 200.1.1.2 255.255.255.252
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# no shut
ASA1(config-if)# ping 200.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/18/70 ms
ASA1(config-if)# interface g1
ASA1(config-if)# ip address 192.168.2.1 255.255.255.0
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# no shut
ASA1(config-if)# route outside 0 0 200.1.1.1
ASA1(config-if)# object network LAN1
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# exit
ASA1(config)# object network LAN2
ASA1(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA1(config-network-object)# exit
ASA1(config)# nat (inside,outside) source static LAN2 LAN2 destination static LAN1 LAN1 // IDENTITY NAT FOR SITE-TO-SITE VPN TRAFFIC
ASA1(config)# access-list ASA1-R1-ACL extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA1(config)# crypto ?
configure mode commands/options:
ca Certification authority
dynamic-map Configure a dynamic crypto map
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
ipsec Configure transform-set, IPSec SA lifetime, and fragmentation
isakmp Configure ISAKMP
key Long term key operations
map Configure a crypto map
exec mode commands/options:
ca Execute Certification Authority Commands
ASA1(config)# crypto ikev2 ?
configure mode commands/options:
cookie-challenge Enable and configure IKEv2 cookie challenges based on
half-open SAs
enable Enable IKEv2 on the specified interface
limit Enable limits on IKEv2 SAs
policy Set IKEv2 policy suite
redirect Set IKEv2 redirect
remote-access Configure IKEv2 for Remote Access
ASA1(config)# crypto ikev2 policy ?
configure mode commands/options:
<1-65535> Policy suite priority(1 highest, 65535 lowest)
ASA1(config)# crypto ikev2 policy 10
ASA1(config-ikev2-policy)# ?
ikev2 policy configuration commands:
encryption Configure one or more encryption algorithm
exit Exit from ikev2 policy configuration mode
group Configure one or more DH groups
help Help for ikev2 policy configuration commands
integrity Configure one or more integrity algorithm
lifetime Configure the ikev2 lifetime
no Remove an ikev2 policy configuration item
prf Configure one or more hash algorithm
ASA1(config-ikev2-policy)# encryption ?
ikev2-policy mode commands/options:
3des 3des encryption
aes aes encryption
aes-192 aes-192 encryption
aes-256 aes-256 encryption
des des encryption
null null encryption
ASA1(config-ikev2-policy)# encryption aes-256
ASA1(config-ikev2-policy)# integrity ?
ikev2-policy mode commands/options:
md5 set hash md5
sha set hash sha1
sha256 set hash sha256
sha384 set hash sha384
sha512 set hash sha512
ASA1(config-ikev2-policy)# integrity sha512
ASA1(config-ikev2-policy)# group ?
ikev2-policy mode commands/options:
1 Diffie-Hellman group 1
2 Diffie-Hellman group 2
5 Diffie-Hellman group 5
ASA1(config-ikev2-policy)# group 5
ASA1(config-ikev2-policy)# prf ?
ikev2-policy mode commands/options:
md5 set hash md5
sha set hash sha1
sha256 set hash sha256
sha384 set hash sha384
sha512 set hash sha512
ASA1(config-ikev2-policy)# prf sha512 // PSEUDO-RANDOM FUNCTION (PRF) KEYING ALGORITHM; ONLY AVAILABLE IN ASA; CONFIGURE SAME BIT LEVEL WITH INTEGRITY/HASHING
ASA1(config-ikev2-policy)# exit
ASA1(config)# crypto ipsec ?
configure mode commands/options:
df-bit Set IPsec DF policy
fragmentation Set IPsec fragmentation policy
ikev1 Set IKEv1 settings
ikev2 Set IKEv2 settings
security-association Set security association parameters
ASA1(config)# crypto ipsec ikev2 ?
configure mode commands/options:
ipsec-proposal Configure IKEv2 IPSec Policy
ASA1(config)# crypto ipsec ikev2 ipsec-proposal ?
configure mode commands/options:
WORD < 65 char Enter the name of the ipsec-proposal
ASA1(config)# crypto ipsec ikev2 ipsec-proposal PROPOSAL-1
ASA1(config-ipsec-proposal)# ?
ikev2 IPSec Policy configuration commands:
exit Exit from ipsec-proposal configuration mode
help Help for ikev2 IPSec policy configuration commands
no Remove an ikev2 IPSec policy configuration item
protocol Configure a protocol for the IPSec proposal
ASA1(config-ipsec-proposal)# protocol ?
ipsec-proposal mode commands/options:
esp IPsec Encapsulating Security Payload
ASA1(config-ipsec-proposal)# protocol esp ?
ipsec-proposal mode commands/options:
encryption Add one or more encryption algorithms for this protocol
integrity Add one or more integrity algorithms for this protocol
ASA1(config-ipsec-proposal)# protocol esp encryption ?
ipsec-proposal mode commands/options:
3des 3des encryption
aes aes encryption
aes-192 aes-192 encryption
aes-256 aes-256 encryption
des des encryption
null null encryption
ASA1(config-ipsec-proposal)# protocol esp encryption aes-256
ASA1(config-ipsec-proposal)# protocol esp integrity ?
ipsec-proposal mode commands/options:
md5 set hash md5
sha-1 set hash sha-1
ASA1(config-ipsec-proposal)# protocol esp integrity sha-1
ASA1(config-ipsec-proposal)# exit
ASA1(config)# tunnel-group 200.1.1.1 type ipsec-l2l
ASA1(config)# tunnel-group 200.1.1.1 ipsec-attributes
ASA1(config-tunnel-ipsec)# ?
tunnel-group configuration commands:
chain Enable sending certificate chain
exit Exit from tunnel-group IPSec attribute configuration mode
help Help for tunnel group configuration commands
ikev1 Configure IKEv1
ikev2 Configure IKEv2
isakmp Configure ISAKMP policy
no Remove an attribute value pair
peer-id-validate Validate identity of the peer using the peer's certificate
ASA1(config-tunnel-ipsec)# ikev2 ?
tunnel-group-ipsec mode commands/options:
local-authentication Configure the local authentication method for IKEv2
tunnels
remote-authentication Configure the remote authentication method required of
the remote peer for IKEv2 tunnels
ASA1(config-tunnel-ipsec)# ikev2 local-authentication ?
tunnel-group-ipsec mode commands/options:
certificate Select the trustpoint that identifies the cert to be sent to
the IKE peer
pre-shared-key Configure the local pre-shared-key used to authenticate to
the remote peer
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key ?
tunnel-group-ipsec mode commands/options:
0 Specifies an UNENCRYPTED password will follow
8 Specifies an ENCRYPTED password will follow
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key cisco
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key cisco
ASA1(config)# crypto ikev2 enable ?
configure mode commands/options:
Type an interface name to enable
inside Name of interface GigabitEthernet1
outside Name of interface GigabitEthernet0
<cr>
ASA1(config)# crypto ikev2 enable outside
ASA1(config)# crypto map ?
configure mode commands/options:
WORD < 64 char Crypto map template tag
ASA1(config)# crypto map CMAP ?
configure mode commands/options:
<1-65535> Sequence to insert into map entry
client Enable IKE extended authentication (Xauth)
interface Name of interface to apply the crypto map to
ASA1(config)# crypto map CMAP 10 ?
configure mode commands/options:
annotation Specify annotation text - to be used by ASDM only
ipsec-isakmp IPSec w/ISAKMP
match Match address of packets to encrypt
set Specify crypto map settings
ASA1(config)# crypto map CMAP 10 match ?
configure mode commands/options:
address Match address of packets to encrypt
ASA1(config)# crypto map CMAP 10 match address ASA1-R1-ACL
ASA1(config)# crypto map CMAP 10 set ?
configure mode commands/options:
connection-type Specify connection-type for site-site connection based
on this entry
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
nat-t-disable Disable nat-t negotiation for connections based on this
entry
peer Set IP address of peer
pfs Specify pfs settings
reverse-route Enable reverse route injection for connections based on
this entry
security-association Security association duration
trustpoint Specify trustpoint that defines the certificate to be
used while initiating a connection based on this entry
ASA1(config)# crypto map CMAP 10 set peer ?
configure mode commands/options:
Hostname or A.B.C.D IP address
Hostname or X:X:X:X::X IPv6 address
ASA1(config)# crypto map CMAP 10 set peer 200.1.1.1
ASA1(config)# crypto map CMAP 10 set ikev2 ?
configure mode commands/options:
ipsec-proposal Specify list of IPSec proposals in priority order
pre-shared-key Specify a pre-shared key to be used while initiating a
connection based on this entry
ASA1(config)# crypto map CMAP 10 set ikev2 ipsec-proposal ?
configure mode commands/options:
WORD ipsec-proposal tag
ASA1(config)# crypto map CMAP 10 set ikev2 ipsec-proposal PROPOSAL-1
ASA1(config)# crypto map CMAP interface ?
configure mode commands/options:
Current available interface(s):
inside Name of interface GigabitEthernet1
outside Name of interface GigabitEthernet0
ASA1(config)# crypto map CMAP interface outside
ASA1(config)# fixup protocol icmp // ENABLE ICMP STATEFUL INSPECTION
INFO: converting 'fixup protocol icmp ' to MPF commands
ASA1(config)# policy-map global_policy
ASA1(config-pmap)# class inspection_default
ASA1(config-pmap-c)# inspect icmp error
ASA1# show run
: Saved
:
ASA Version 8.4(2)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 200.1.1.2 255.255.255.252
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network LAN1
subnet 192.168.1.0 255.255.255.0
object network LAN2
subnet 192.168.2.0 255.255.255.0
access-list ASA1-R1-ACL extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static LAN2 LAN2 destination static LAN1 LAN1
route outside 0.0.0.0 0.0.0.0 200.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal PROPOSAL-1
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto map CMAP 10 match address ASA1-R1-ACL
crypto map CMAP 10 set peer 200.1.1.1
crypto map CMAP 10 set ikev2 ipsec-proposal PROPOSAL-1
crypto map CMAP interface outside
crypto ikev2 policy 10
encryption aes-256
integrity sha512
group 5
prf sha512
lifetime seconds 86400
crypto ikev2 enable outside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 200.1.1.1 type ipsec-l2l
tunnel-group 200.1.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key cisco
ikev2 local-authentication pre-shared-key cisco
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:24994b52de47b3fa4716867ab926d840
: end
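The ASA's policy 10 above (aes-256, integrity sha512, prf sha512, group 5) is exactly what the ASA puts in the SA payload of its IKE_SA_INIT message, and a proposal that does not line up with the IOS side (aes-cbc-256, sha512, group 5) is the usual reason an IKEv2 tunnel never gets past the first exchange. This is an added Python example, not code from the post, that builds that SA payload per RFC 7296 section 3.3 and decodes it back, showing the IANA transform IDs, the Key Length attribute that makes the AES transform 12 bytes while the others are 8, and the length and flag checks a parser needs against truncated or tampered input. The transform and attribute numbers are the real registry values; the function names and the single-proposal layout are my own.

```python
"""Build and decode the IKEv2 SA payload (RFC 7296 section 3.3) for one IKE
proposal, using the ASA's "crypto ikev2 policy 10" from this post as input."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Registry values from RFC 7296 / IANA (real numbers, not constructed).
PAYLOAD_KE = 34                    # Next Payload after SA in IKE_SA_INIT
T_ENCR, T_PRF, T_INTEG, T_DH = 1, 2, 3, 4
ENCR_AES_CBC = 12
PRF_HMAC_SHA2_512 = 7
AUTH_HMAC_SHA2_512_256 = 14
DH_1536_MODP = 5                   # "group 5" on both IOS and ASA
ATTR_KEY_LENGTH = 14               # TV attribute carrying the AES key size
PROTO_IKE = 1
LAST_SUBSTRUCT, MORE_TRANSFORMS = 0, 3
TRANSFORM_NAMES = {
    (T_ENCR, ENCR_AES_CBC): "AES-CBC",
    (T_PRF, PRF_HMAC_SHA2_512): "SHA512",
    (T_INTEG, AUTH_HMAC_SHA2_512_256): "SHA512",
    (T_DH, DH_1536_MODP): "DH_GROUP_1536_MODP/Group 5",
}

@dataclass
class Transform:
    ttype: int
    tid: int
    key_length: Optional[int] = None   # only variable-key ciphers carry one

    def encode(self, last: bool) -> bytes:
        attrs = b""
        if self.key_length is not None:
            # AF bit set = TV format: 2-byte type, 2-byte value (RFC 7296 3.3.5)
            attrs = struct.pack("!HH", 0x8000 | ATTR_KEY_LENGTH, self.key_length)
        hdr = struct.pack("!BBHBBH", LAST_SUBSTRUCT if last else MORE_TRANSFORMS,
                          0, 8 + len(attrs), self.ttype, 0, self.tid)
        return hdr + attrs

def asa_policy_10() -> List[Transform]:
    """The post's ASA policy as IKE transforms: aes-256 is ENCR_AES_CBC plus a
    Key Length attribute, which is why that transform is 12 bytes, not 8."""
    return [Transform(T_ENCR, ENCR_AES_CBC, 256),
            Transform(T_PRF, PRF_HMAC_SHA2_512),
            Transform(T_INTEG, AUTH_HMAC_SHA2_512_256),
            Transform(T_DH, DH_1536_MODP)]

def build_sa_payload(transforms: List[Transform], next_payload: int = PAYLOAD_KE) -> bytes:
    body = b"".join(t.encode(last=(i == len(transforms) - 1))
                    for i, t in enumerate(transforms))
    # Proposal substructure: one proposal, protocol IKE, SPI size 0 in IKE_SA_INIT
    proposal = struct.pack("!BBHBBBB", LAST_SUBSTRUCT, 0, 8 + len(body), 1,
                           PROTO_IKE, 0, len(transforms)) + body
    # Generic payload header: Next Payload, Critical/Reserved, Payload Length
    return struct.pack("!BBH", next_payload, 0, 4 + len(proposal)) + proposal

def parse_sa_payload(data: bytes) -> dict:
    """Decode a single-proposal SA payload, rejecting the length and flag
    inconsistencies a truncated or tampered payload would show."""
    if len(data) < 12:
        raise ValueError("payload too short for header plus proposal")
    next_payload, _, plen = struct.unpack("!BBH", data[:4])
    if plen != len(data):
        raise ValueError(f"payload length field {plen} != {len(data)} bytes given")
    last, _, prop_len, num, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", data[4:12])
    if last != LAST_SUBSTRUCT or prop_len != plen - 4:
        raise ValueError("expected exactly one proposal filling the payload")
    off, transforms = 12 + spi_size, []
    for i in range(ntrans):
        if off + 8 > len(data):
            raise ValueError(f"transform {i + 1} truncated")
        t_last, _, t_len, ttype, _, tid = struct.unpack("!BBHBBH", data[off:off + 8])
        expected = LAST_SUBSTRUCT if i == ntrans - 1 else MORE_TRANSFORMS
        if t_last != expected or t_len < 8 or (t_len - 8) % 4 or off + t_len > len(data):
            raise ValueError(f"bad transform {i + 1}: last={t_last} length={t_len}")
        attrs = {}
        for a in range(off + 8, off + t_len, 4):
            af_type, val = struct.unpack("!HH", data[a:a + 4])
            if not af_type & 0x8000:
                raise ValueError("TLV-format attributes not handled here")
            attrs[af_type & 0x7FFF] = val
        transforms.append({"type": ttype, "id": tid, "length": t_len,
                           "name": TRANSFORM_NAMES.get((ttype, tid), f"id {tid}"),
                           "key_length": attrs.get(ATTR_KEY_LENGTH)})
        off += t_len
    if off != len(data):
        raise ValueError("trailing bytes after last transform")
    return {"next_payload": next_payload, "payload_length": plen,
            "proposal_length": prop_len, "proposal": num, "protocol": proto,
            "spi_size": spi_size, "transforms": transforms}

def summarize(parsed: dict) -> str:
    # One-line summary in the style of the ASA "IKE Proposal" debug line
    return " ".join(t["name"] + (f"-{t['key_length']}" if t["key_length"] else "")
                    for t in parsed["transforms"])

if __name__ == "__main__":
    decoded = parse_sa_payload(build_sa_payload(asa_policy_10()))
    print(decoded["payload_length"], decoded["proposal_length"],
          [t["length"] for t in decoded["transforms"]])   # 48 44 [12, 8, 8, 8]
```

Run it and the payload comes out as 48 bytes carrying a 44-byte proposal with transform lengths 12, 8, 8 and 8, the same figures the ASA's debug crypto ikev2 protocol output prints for the IKE_SA_INIT proposal.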
I ran some debugs on the ASA firewall.
ASA1# debug crypto ?
ca Set PKI debug levels
condition Set IPSec/ISAKMP debug filters
engine Set crypto engine debug levels
ike-common Set IKE common debug levels
ikev1 Set IKEV1 debug levels
ikev2 Set IKEV2 debug levels
ipsec Set IPSec debug levels
vpnclient Set EasyVPN client debug levels
ASA1# debug crypto ikev2 ?
ha debug the ikev2 ha
platform debug the ikev2 platform
protocol debug the ikev2 protocol
timers debug the ikev2 timers
ASA1# debug crypto ikev2 protocol ?
<1-255> Specify an optional debug level (default is 1)
<cr>
ASA1# debug crypto ikev2 protocol 255
ASA1# debug crypto ipsec ?
<1-255> Specify an optional debug level (default is 1)
<cr>
ASA1# debug crypto ipsec 255
ASA1# show debug
debug crypto ipsec enabled at level 255
debug crypto ikev2 protocol enabled at level 255
ASA1#
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.2.2, sport=64741, daddr=192.168.1.1, dport=64741
IPSEC(crypto_map_check)-3: Checking crypto map CMAP 10: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.2.2, sport=64741, daddr=192.168.1.1, dport=64741
IPSEC(crypto_map_check)-3: Checking crypto map CMAP 10: matched.
IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey GETSPI message
IPSEC: Creating IPsec SA
IPSEC: Getting the inbound SPI
IPSEC: New embryonic SA created @ 0xbc40f420,
SCB: 0xBC40C130,
Direction: inbound
SPI : 0x8FB36110
Session ID: 0x0000B000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-3: (11): Getting configured policies
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-3: (11): Setting configured policies
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-3: (11): Computing DH public key
IKEv2-PROTO-3: (11):
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-5: (11): Action: Action_Null
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-2: (11): Sending initial message
IKEv2-PROTO-3: IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA512 SHA512 DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-5: Construct Vendor Specific Payload: DELETE-REASON
IKEv2-PROTO-5: Construct Vendor Specific Payload: (CUSTOM)
IKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_SOURCE_IP
IKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_DESTINATION_IP
IKEv2-PROTO-5: Construct Vendor Specific Payload: FRAGMENTATION
IKEv2-PROTO-3: (11): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 200.1.1.2:500/R 200.1.1.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:13CECD39AA927069 - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: 13CECD39AA927069 - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 458
SA Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4: last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
IKEv2-PROTO-4: last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
IKE Next payload: N, reserved: 0x0, length: 200
DH group: 5, Reserved: 0x0
10 1b 5d 7d ee 22 0a a5 ef 54 be a6 b2 e4 4e 9f
04 1b 7b 4c 63 31 ff 7b b1 85 b0 98 da 09 38 bf
e7 15 e8 70 36 5a a2 63 9e 4a 07 94 7e 21 13 61
48 e7 64 c3 ce 5a 96 b2 53 64 03 d7 99 c3 12 ea
54 45 54 9c 04 5a 53 4a 44 24 4f 87 f5 2f 31 3d
f1 8c 15 58 db e4 40 c2 f9 73 f8 b8 39 47 83 34
fa 17 c3 bb 66 89 a1 fd b9 1f 73 56 93 88 21 1b
fe e9 69 61 f4 af d6 b3 c7 b0 df 4f 7c 5f 92 79
50 3b 86 41 23 0c f0 98 1d ae 8d 93 67 18 95 6b
d2 5e 1e b4 20 39 5a e8 80 90 23 8d 2b 81 b9 b5
89 2e 13 c4 dd d1 a6 21 9f 69 0f c7 76 89 2d 83
4b 8b b8 bc f8 29 cd ec ef b1 46 e2 b9 34 98 25
Next payload: VID, reserved: 0x0, length: 24
65 81 fb 3a b5 e6 b9 33 ad 76 5d 0a d3 fc 2b c7
7c c6 b6 d1
VID Next payload: VID, reserved: 0x0, length: 23
43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
53 4f 4e
VID Next payload: NOTIFY, reserved: 0x0, length: 59
43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
73 2c 20 49 6e 63 2e
NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
55 3b c8 6c 67 a4 c8 55 7b 55 c6 69 8b 3d 5c 79
c2 70 13 98
NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: VID, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
81 a0 7d c2 74 a9 6d a6 90 6b c6 1d 2d 33 86 74
e2 d8 41 42
VID Next payload: NONE, reserved: 0x0, length: 20
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-3: (11): Insert SA
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 200.1.1.2:500/R 200.1.1.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:13CECD39AA927069 - r: C6414ACB8DC80CF5]
IKEv2-PROTO-4: IKEV2 HDR ispi: 13CECD39AA927069 - rspi: C6414ACB8DC80CF5
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x0, length: 572
SA Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4: last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
IKEv2-PROTO-4: last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
KE Next payload: N, reserved: 0x0, length: 200
DH group: 5, Reserved: 0x0
16 af 36 bb c5 d5 14 10 e8 37 ce 35 5d ac b7 22
bf cf 9a ff a1 58 b7 49 3c c7 c6 15 a4 37 07 f2
77 5b 40 c0 6c 21 b7 78 9b ed b9 98 35 0f 1e f5
55 25 9a f8 ca 15 b7 1e 3c 02 92 cc ed 71 2a 20
65 f8 3d 20 3a b2 0a a8 41 d1 eb f5 74 30 85 50
9e c7 2a 6b 5e 38 2e 0c fa c0 d7 12 24 13 a4 7f
cc 3f ca 0c a6 e8 e8 a4 ee 82 7a 08 4c 40 17 42
2f 16 e0 ef a4 2b 0b ee 1e f6 e0 d3 7c de 88 b1
83 31 7b a2 ac 53 3a 9b e1 d9 40 20 0a 58 7a d9
37 98 37 24 3f 88 dc 7e 5d f2 83 38 2a 37 fb 7e
43 ea 98 1e b3 40 2b 87 d5 f7 4e a6 92 68 1f 94
62 10 c9 e9 d7 3b 9f 39 90 2f 19 28 c3 92 9c 09
N Next payload: VID, reserved: 0x0, length: 24
81 be 1d 70 eb e5 75 ab b6 3a 17 2a 17 08 2e ed
db 3b 56 8b
IKEv2-PROTO-5: Parse Vendor Specific Payload: CISCO-DELETE-REASON
VID Next payload: VID, reserved: 0x0, length: 23
43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
53 4f 4e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM)
VID Next payload: VID, reserved: 0x0, length: 59
43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
73 2c 20 49 6e 63 2e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM)
VID Next payload: NOTIFY, reserved: 0x0, length: 21
46 4c 45 58 56 50 4e 2d 53 55 50 50 4f 52 54 45
44
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_SOURCE_IP
NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
a7 c8 6d 91 9f 3d b7 6a af fd 76 21 96 5a f7 fa
35 6c ea 3f
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP
NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: CERTREQ, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
79 8e 84 e8 a8 16 57 c1 98 78 59 44 6c 27 3f 37
3c 6e c1 e6
CERTREQ Next payload: NOTIFY, reserved: 0x0, length: 105
Cert encoding Hash and URL of PKIX
CertReq data: 100 bytes
IKEv2-PROTO-5: Parse Notify Payload: HTTP_CERT_LOOKUP_SUPPORTED
NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: HTTP_CERT_LOOKUP_SUPPORTED
Decrypted packet:Data: 572 bytes
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-5: (11): Processing initial message
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (11): Processing initial message
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-3: (11): Verify SA init message
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-2: (11): Processing initial message
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-3: (11): Process NAT discovery notify
IKEv2-PROTO-5: (11): Processing nat detect src notify
IKEv2-PROTO-5: (11): Remote address matched
IKEv2-PROTO-5: (11): Processing nat detect dst notify
IKEv2-PROTO-5: (11): Local address matched
IKEv2-PROTO-5: (11): No NAT found
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-3: (11): Check NAT discovery
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-3: (11): Computing DH secret key
IKEv2-PROTO-3: (11):
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-5: (11): Action: Action_Null
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-3: (11): Generate skeyid
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-3: (11): Cisco DeleteReason Notify is enabled
IKEv2-PROTO-3: (11): Complete SA init exchange
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (11): Check for EAP exchange
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-3: (11): Generate my authentication data
IKEv2-PROTO-3: (11): Use preshared key for id 200.1.1.2, key len 5
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (11): Get my authentication method
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-3: (11): Check for EAP exchange
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-2: (11): Sending auth message
IKEv2-PROTO-5: Construct Vendor Specific Payload: CISCO-GRANITE
IKEv2-PROTO-3: ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA96
IKEv2-PROTO-5: Construct Notify Payload: INITIAL_CONTACT
IKEv2-PROTO-5: Construct Notify Payload: ESP_TFC_NO_SUPPORT
IKEv2-PROTO-5: Construct Notify Payload: NON_FIRST_FRAGS
IKEv2-PROTO-3: (11): Building packet for encryption; contents are:
VID Next payload: IDi, reserved: 0x0, length: 20
11 ce cc 39 b9 a5 83 2e 9b 20 27 87 63 ca 5e f0
IDi Next payload: AUTH, reserved: 0x0, length: 12
Id type: IPv4 address, Reserved: 0x0 0x0
c8 01 01 02
AUTH Next payload: SA, reserved: 0x0, length: 72
Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 64 bytes
SA Next payload: TSi, reserved: 0x0, length: 44
IKEv2-PROTO-4: last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4: last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id:
TSi Next payload: TSr, reserved: 0x0, length: 40
Num of TSs: 2, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 192.168.2.2, end addr: 192.168.2.2
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 192.168.2.0, end addr: 192.168.2.255
TSr Next payload: NOTIFY, reserved: 0x0, length: 40
Num of TSs: 2, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 192.168.1.1, end addr: 192.168.1.1
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 192.168.1.0, end addr: 192.168.1.255
NOTIFY(INITIAL_CONTACT) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
NOTIFY(ESP_TFC_NO_SUPPORT) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
NOTIFY(NON_FIRST_FRAGS) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
IKEv2-PROTO-3: (11): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 200.1.1.2:500/R 200.1.1.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:13CECD39AA927069 - r: C6414ACB8DC80CF5]
IKEv2-PROTO-4: IKEV2 HDR ispi: 13CECD39AA927069 - rspi: C6414ACB8DC80CF5
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x1, length: 336
ENCR Next payload: VID, reserved: 0x0, length: 308
Encrypted data: 304 bytes
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 200.1.1.2:500/R 200.1.1.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:13CECD39AA927069 - r: C6414ACB8DC80CF5]
IKEv2-PROTO-4: IKEV2 HDR ispi: 13CECD39AA927069 - rspi: C6414ACB8DC80CF5
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x1, length: 320
REAL Decrypted packet:Data: 224 bytes
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM)
VID Next payload: IDr, reserved: 0x0, length: 20
c7 41 4b cb 9e ff ff b2 9b 20 27 87 63 ca 5e f0
IDr Next payload: AUTH, reserved: 0x0, length: 12
Id type: IPv4 address, Reserved: 0x0 0x0
c8 01 01 01
AUTH Next payload: SA, reserved: 0x0, length: 72
Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 64 bytes
SA Next payload: TSi, reserved: 0x0, length: 44
IKEv2-PROTO-4: last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4: last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id:
TSi Next payload: TSr, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 192.168.2.0, end addr: 192.168.2.255
TSr Next payload: NOTIFY, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 192.168.1.0, end addr: 192.168.1.255
IKEv2-PROTO-5: Parse Notify Payload: SET_WINDOW_SIZE
NOTIFY(SET_WINDOW_SIZE) Next payload: NOTIFY, reserved: 0x0, length: 12
Security protocol id: IKE, spi size: 0, type: SET_WINDOW_SIZE
00 00 00 05
IKEv2-PROTO-5: Parse Notify Payload: ESP_TFC_NO_SUPPORT
NOTIFY(ESP_TFC_NO_SUPPORT) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
IKEv2-PROTO-5: Parse Notify Payload: NON_FIRST_FRAGS
NOTIFY(NON_FIRST_FRAGS) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
Decrypted packet:Data: 320 bytes
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-5: (11): Action: Action_Null
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (11): Process auth response notify
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-3: (11): Getting configured policies
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-3: (11): Verify peer's policy
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (11): Get peer authentication method
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-3: (11): Get peer's preshared key for 200.1.1.1
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-3: (11): Verify authentication data
IKEv2-PROTO-3: (11): Use preshared key for id 200.1.1.1, key len 5
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (11): Check for EAP exchange
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_SA_TS
IKEv2-PROTO-2: (11): Processing auth message
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-5: (11): Action: Action_Null
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE
IKEv2-PROTO-3: (11): Closing the PKI session
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-2: (11): SA created; inserting SA into database
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PROTO-3: (11):
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PROTO-3: (11): Initializing DPD, configured for 10 seconds
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_GEN_LOAD_IPSEC
IKEv2-PROTO-3: (11): Load IPSEC key material
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_START_ACCT
IKEv2-PROTO-5: (11): Accounting not required
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-3: (11): Checking for duplicate SA
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: READY Event: EV_I_UPDATE_CAC_STATS
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=13CECD39AA927069 R_SPI=C6414ACB8DC80CF5 (I) MsgID = 00000001 CurState: READY Event: EV_I_OK
IKEv2-PROTO-5: (11): Deleting negotiation context for my message ID: 0x1
IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey ADD message
IPSEC: Creating IPsec SA
IPSEC: Adding the outbound SA, SPI: 0x6DB242F8
IPSEC: New embryonic SA created @ 0xbc40dbd0,
SCB: 0xBC4107A8,
Direction: outbound
SPI : 0x6DB242F8
Session ID: 0x0000B000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: Completed host OBSA update, SPI 0x6DB242F8
IPSEC: Creating outbound VPN context, SPI 0x6DB242F8
Flags: 0x00000005
SA : 0xbc40dbd0
SPI : 0x6DB242F8
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00000000
SCB : 0x00117A5F
Channel: 0xb62afb20
IPSEC: Increment SA NP ref counter for outbound SPI 0x6DB242F8, old value: 0, new value: 1, (ctm_ipsec_create_vpn_context:5983)
IPSEC: Completed outbound VPN context, SPI 0x6DB242F8
VPN handle: 0x00003c34
IPSEC: New outbound encrypt rule, SPI 0x6DB242F8
Src addr: 192.168.2.0
Src mask: 255.255.255.0
Dst addr: 192.168.1.0
Dst mask: 255.255.255.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Increment SA NP ref counter for outbound SPI 0x6DB242F8, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:5088)
IPSEC: Completed outbound encrypt rule, SPI 0x6DB242F8
Rule ID: 0xbc40d518
IPSEC: Decrement SA NP ref counter for outbound SPI 0x6DB242F8, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:4344)
IPSEC: New outbound permit rule, SPI 0x6DB242F8
Src addr: 200.1.1.2
Src mask: 255.255.255.255
Dst addr: 200.1.1.1
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x6DB242F8
Use SPI: true
IPSEC: Increment SA NP ref counter for outbound SPI 0x6DB242F8, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:5222)
IPSEC: Completed outbound permit rule, SPI 0x6DB242F8
Rule ID: 0xbc2da200
IPSEC: Decrement SA NP ref counter for outbound SPI 0x6DB242F8, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:4344)
IPSEC: Decrement SA NP ref counter for outbound SPI 0x6DB242F8, old value: 1, new value: 0, (ctm_np_vpn_context_cb:9414)
IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey UPDATE message
IPSEC: Creating IPsec SA
IPSEC: Updating the inbound SA, SPI: 0x8FB36110
IPSEC: Completed host IBSA update, SPI 0x8FB36110
IPSEC: Creating inbound VPN context, SPI 0x8FB36110
Flags: 0x00000006
SA : 0xbc40f420
SPI : 0x8FB36110
MTU : 0 bytes
VCID : 0x00000000
Peer : 0x00003C34
SCB : 0x000F7F13
Channel: 0xb62afb20
IPSEC: Increment SA NP ref counter for inbound SPI 0x8FB36110, old value: 0, new value: 1, (ctm_ipsec_create_vpn_context:5898)
IPSEC: Completed inbound VPN context, SPI 0x8FB36110
VPN handle: 0x00004154
IPSEC: Updating outbound VPN context 0x00003C34, SPI 0x6DB242F8
Flags: 0x00000005
SA : 0xbc40dbd0
SPI : 0x6DB242F8
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00004154
SCB : 0x00117A5F
Channel: 0xb62afb20
IPSEC: Increment SA NP ref counter for outbound SPI 0x6DB242F8, old value: 0, new value: 1, (ctm_ipsec_create_vpn_context:5970)
IPSEC: Completed outbound VPN context, SPI 0x6DB242F8
VPN handle: 0x00003c34
IPSEC: Completed outbound inner rule, SPI 0x6DB242F8
Rule ID: 0xbc40d518
IPSEC: Completed outbound outer SPD rule, SPI 0x6DB242F8
Rule ID: 0xbc2da200
IPSEC: Decrement SA NP ref counter for outbound SPI 0x6DB242F8, old value: 1, new value: 0, (ctm_np_vpn_context_cb:9414)
IPSEC: New inbound tunnel flow rule, SPI 0x8FB36110
Src addr: 192.168.1.0
Src mask: 255.255.255.0
Dst addr: 192.168.2.0
Dst mask: 255.255.255.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Increment SA NP ref counter for inbound SPI 0x8FB36110, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:4854)
IPSEC: Completed inbound tunnel flow rule, SPI 0x8FB36110
Rule ID: 0xbc40d778
IPSEC: Decrement SA NP ref counter for inbound SPI 0x8FB36110, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:4344)
IPSEC: New inbound decrypt rule, SPI 0x8FB36110
Src addr: 200.1.1.1
Src mask: 255.255.255.255
Dst addr: 200.1.1.2
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x8FB36110
Use SPI: true
IPSEC: Increment SA NP ref counter for inbound SPI 0x8FB36110, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:4947)
IPSEC: Completed inbound decrypt rule, SPI 0x8FB36110
Rule ID: 0xbc410b08
IPSEC: Decrement SA NP ref counter for inbound SPI 0x8FB36110, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:4344)
IPSEC: New inbound permit rule, SPI 0x8FB36110
Src addr: 200.1.1.1
Src mask: 255.255.255.255
Dst addr: 200.1.1.2
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x8FB36110
Use SPI: true
IPSEC: Increment SA NP ref counter for inbound SPI 0x8FB36110, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:4947)
IPSEC: Completed inbound permit rule, SPI 0x8FB36110
Rule ID: 0xbc412440
IPSEC: Decrement SA NP ref counter for inbound SPI 0x8FB36110, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:4344)
IPSEC: Decrement SA NP ref counter for inbound SPI 0x8FB36110, old value: 1, new value: 0, (ctm_np_vpn_context_cb:9414)
ASA1# show crypto ?
accelerator Show accelerator operational data
ca Show certification authority policy
debug-condition Show crypto debug filters
ikev1 Show IKEv1 operational data
ikev2 Show IKEv2 operational data
ipsec Show IPsec operational data
isakmp Show ISAKMP operational data
key Show long term public keys
protocol Show protocol statistics
ssl Show ssl information
ASA1# show crypto ikev2 ?
sa Show IKEv2 sas
stats Show IKEv2 statistics
ASA1# show crypto ikev2 sa
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
96200735 200.1.1.2/500 200.1.1.1/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/51 sec
Child sa: local selector 192.168.2.0/0 - 192.168.2.255/65535
remote selector 192.168.1.0/0 - 192.168.1.255/65535
ESP spi in/out: 0x8fb36110/0x6db242f8
ASA1# show crypto ipsec sa
interface: outside
Crypto map tag: CMAP, seq num: 10, local addr: 200.1.1.2
access-list ASA1-R1-ACL extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 200.1.1.1
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 200.1.1.2/500, remote crypto endpt.: 200.1.1.1/500
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 6DB242F8
current inbound spi : 8FB36110
inbound esp sas:
spi: 0x8FB36110 (2410897680)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 45056, crypto-map: CMAP
sa timing: remaining key lifetime (kB/sec): (3962880/28733)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x6DB242F8 (1840399096)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 45056, crypto-map: CMAP
sa timing: remaining key lifetime (kB/sec): (4101119/28733)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
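Two things in the ASA output above are worth checking mechanically rather than by eye. First, the IKE_AUTH request carried two traffic selectors per side (the 192.168.2.2 to 192.168.1.1 host pair from the packet that triggered the tunnel, then the crypto ACL subnets) and the router's response narrowed each side to the /24; RFC 7296 section 2.9 allows the responder to narrow the initiator's selectors but never to widen them, and a mismatch here is the usual cause of a tunnel that comes up but passes no traffic. Second, the `show crypto ikev2 sa` summary records AES-256/SHA512 with DH group 5, and the debug reports `key len 5` for the pre-shared key: group 5 is 1536-bit MODP, and a five-character PSK offers little resistance to guessing. The Python below is an added example, not code from the original post. It parses those lines (the sample input is copied from the output above, trimmed to the lines the parser reads) and reports what a practitioner would object to. The 2048-bit DH floor and the 16-character PSK floor are this example's own thresholds, not anything the page configures.

```python
# Added example (not part of the original post): parse the ASA "debug crypto
# ikev2" / "show crypto ikev2 sa" text above and audit what was negotiated.
# Sample input is copied from the page, trimmed to the lines the parser reads.
# MIN_MODP_BITS and MIN_PSK_LEN are this example's own thresholds.
import re
from ipaddress import ip_address

# TSi/TSr from the IKE_AUTH request the ASA built (host of the triggering
# packet first, then the crypto ACL subnet) and from the router's response.
IKE_AUTH_REQUEST_TS = """\
TSi Next payload: TSr, reserved: 0x0, length: 40
start port: 0, end port: 65535
start addr: 192.168.2.2, end addr: 192.168.2.2
start port: 0, end port: 65535
start addr: 192.168.2.0, end addr: 192.168.2.255
TSr Next payload: NOTIFY, reserved: 0x0, length: 40
start port: 0, end port: 65535
start addr: 192.168.1.1, end addr: 192.168.1.1
start port: 0, end port: 65535
start addr: 192.168.1.0, end addr: 192.168.1.255
"""
IKE_AUTH_RESPONSE_TS = """\
TSi Next payload: TSr, reserved: 0x0, length: 24
start port: 0, end port: 65535
start addr: 192.168.2.0, end addr: 192.168.2.255
TSr Next payload: NOTIFY, reserved: 0x0, length: 24
start port: 0, end port: 65535
start addr: 192.168.1.0, end addr: 192.168.1.255
"""
IKE_SA_LINE = ("Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, "
               "Auth sign: PSK, Auth verify: PSK")
PSK_LINE = "IKEv2-PROTO-3: (11): Use preshared key for id 200.1.1.2, key len 5"

# Modulus (MODP) or curve (ECP) size in bits for common IKEv2 DH groups.
DH_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096,
           19: 256, 20: 384, 21: 521}
ECP_GROUPS = {19, 20, 21}
MIN_MODP_BITS = 2048  # assumption: floor for finite-field DH
MIN_PSK_LEN = 16      # assumption: floor for a pre-shared key


def parse_ts(text):
    """Return {'TSi': [(first, last, sport, eport), ...], 'TSr': [...]}."""
    sel = {"TSi": [], "TSr": []}
    current, ports = None, (0, 65535)
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"(TSi|TSr) Next payload", line):
            current = m.group(1)
        elif m := re.match(r"start port: (\d+), end port: (\d+)", line):
            ports = (int(m.group(1)), int(m.group(2)))
        elif (m := re.match(r"start addr: (\S+), end addr: (\S+)", line)) and current:
            sel[current].append((ip_address(m.group(1)), ip_address(m.group(2))) + ports)
    return sel


def narrowed_ok(proposed, chosen):
    """RFC 7296 s2.9: the responder may narrow the initiator's selectors but
    never widen them, so each chosen range must sit inside a proposed one."""
    def inside(c, p):
        return p[0] <= c[0] and c[1] <= p[1] and p[2] <= c[2] and c[3] <= p[3]
    return bool(chosen) and all(any(inside(c, p) for p in proposed) for c in chosen)


def parse_ike_sa(line):
    """Pull the algorithms out of the 'show crypto ikev2 sa' summary line."""
    m = re.search(r"Encr: (\S+), keysize: (\d+), Hash: (\S+), DH Grp:(\d+), "
                  r"Auth sign: (\S+), Auth verify: (\S+)", line)
    if not m:
        return None
    encr, keysize, hash_, grp, sign, verify = m.groups()
    return {"encr": encr, "keysize": int(keysize), "hash": hash_,
            "dh_group": int(grp), "auth_sign": sign, "auth_verify": verify}


def psk_length(line):
    m = re.search(r"key len (\d+)", line)
    return int(m.group(1)) if m else None


def audit(sa_line, psk_line, request_ts, response_ts):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    sa = parse_ike_sa(sa_line)
    if sa is None:
        findings.append("could not parse the IKE SA summary line")
    else:
        bits = DH_BITS.get(sa["dh_group"])
        if sa["dh_group"] not in ECP_GROUPS and (bits is None or bits < MIN_MODP_BITS):
            findings.append(f"DH group {sa['dh_group']} ({bits}-bit MODP) is below "
                            f"{MIN_MODP_BITS} bits; use group 14+ or an ECP group")
    n = psk_length(psk_line)
    if n is not None and n < MIN_PSK_LEN:
        findings.append(f"pre-shared key is only {n} characters long")
    req, resp = parse_ts(request_ts), parse_ts(response_ts)
    for side in ("TSi", "TSr"):
        if not narrowed_ok(req[side], resp[side]):
            findings.append(f"{side} in the response is not a subset of the request")
    return findings


if __name__ == "__main__":
    for f in audit(IKE_SA_LINE, PSK_LINE, IKE_AUTH_REQUEST_TS, IKE_AUTH_RESPONSE_TS):
        print("FINDING:", f)
```

Run against the page's own output it prints two findings (group 5 and the five-character key) and stays silent on the selectors, because the /24 the router returned for each side sits inside the host-plus-/24 pair the ASA proposed. Feed it the TSi/TSr block from any other `debug crypto ikev2` capture to see whether a "tunnel up, no traffic" problem is a narrowing mismatch.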
Here's the debug output from the router.
R1#debug crypto ?
ber decode ASN.1 BER data
condition Define debug condition filters
engine Crypto Engine Debug
gdoi Crypto GDOI Group Key Management debug
ha Crypto High Availability (generic) debug
ikev2 IKEv2 debugging
ipsec IPSEC processing
ipv6 Crypto IPv6 debug
isakmp ISAKMP Key Management
kmi Crypto Key Management Interface debug
mib IPSEC Management Transactions
pki PKI Client
rmal Crypto RMAL debug
routing IPSEC Route Events
socket Crypto Secure Socket Debug
verbose verbose decode
R1#debug crypto ikev2 ?
client Client
error IKEv2 Error debugging
internal IKEv2 Internal debugging
packet IKEv2 Packet debugging
<cr>
R1#debug crypto ikev2
IKEv2 default debugging is on
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#debug crypto ipsec
Crypto IPSEC debugging is on
R1#show debug
Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto IPSEC debugging is on
IKEV2:
IKEv2 error debugging is on
IKEv2 default debugging is on
*Jan 11 13:57:57.511: IKEv2:Received Packet [From 200.1.1.2:500/To 200.1.1.1:500/VRF i0:f0]
Initiator SPI : 13CECD39AA927069 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID
*Jan 11 13:57:57.515: IKEv2:(SA ID = 1):Verify SA init message
*Jan 11 13:57:57.515: IKEv2:(SA ID = 1):Insert SA
*Jan 11 13:57:57.515: IKEv2:Searching Policy with fvrf 0, local address 200.1.1.1
*Jan 11 13:57:57.515: IKEv2:Found Policy 'POLICY-1'
*Jan 11 13:57:57.515: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*Jan 11 13:57:57.515: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 11 13:57:57.519: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4' 'Trustpool3' 'Trustpool2' 'Trustpool1' 'Trustpool'
*Jan 11 13:57:57.519: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 11 13:57:57.519: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Jan 11 13:57:57.519: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Jan 11 13:57:57.519: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Jan 11 13:57:57.523: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
*Jan 11 13:57:57.523: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jan 11 13:57:57.523: IKEv2:(SA ID = 1):Request queued for computation of DH key
*Jan 11 13:57:57.523: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
*Jan 11 13:57:57.655: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jan 11 13:57:57.659: IKEv2:(SA ID = 1):Request queued for computation of DH secret
*Jan 11 13:57:57.659: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Jan 11 13:57:57.663: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Jan 11 13:57:57.663: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Jan 11 13:57:57.667: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
*Jan 11 13:57:57.667: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA512 SHA512 DH_GROUP_1536_MODP/Group 5
*Jan 11 13:57:57.667: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 11 13:57:57.667: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4' 'Trustpool3' 'Trustpool2' 'Trustpool1' 'Trustpool'
*Jan 11 13:57:57.667: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 11 13:57:57.667: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Jan 11 13:57:57.671: IKEv2:(SA ID = 1):Sending Packet [To 200.1.1.2:500/From 200.1.1.1:500/VRF i0:f0]
Initiator SPI : 13CECD39AA927069 - Responder SPI : C6414ACB8DC80CF5 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
*Jan 11 13:57:57.671: IKEv2:(SA ID = 1):Completed SA init exchange
*Jan 11 13:57:57.671: IKEv2:(SA ID = 1):Starting timer (30 sec) to wait for auth message
*Jan 11 13:57:57.963: IKEv2:(SA ID = 1):Received Packet [From 200.1.1.2:500/To 200.1.1.1:500/VRF i0:f0]
Initiator SPI : 13CECD39AA927069 - Responder SPI : C6414ACB8DC80CF5 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Jan 11 13:57:57.979: IKEv2:(SA ID = 1):Stopping timer to wait for auth message
*Jan 11 13:57:57.983: IKEv2:(SA ID = 1):Checking NAT discovery
*Jan 11 13:57:57.987: IKEv2:(SA ID = 1):NAT not found
*Jan 11 13:57:57.991: IKEv2:(SA ID = 1):Searching policy based on peer's identity '200.1.1.2' of type 'IPv4 address'
*Jan 11 13:57:57.995: IKEv2:found matching IKEv2 profile 'PROFILE-1'
*Jan 11 13:57:57.995: ISAKMP:(0):: peer matches PROFILE-1 profile
*Jan 11 13:57:57.999: IKEv2:% Getting preshared key from profile keyring KEYRING-1
*Jan 11 13:57:57.999: IKEv2:% Matched peer block 'ASA1'
*Jan 11 13:57:58.003: IKEv2:Searching Policy with fvrf 0, local address 200.1.1.1
*Jan 11 13:57:58.007: IKEv2:Found Policy 'POLICY-1'
*Jan 11 13:57:58.011: IKEv2:(SA ID = 1):Verify peer's policy
*Jan 11 13:57:58.015: IKEv2:(SA ID = 1):Peer's policy verified
*Jan 11 13:57:58.019: IKEv2:(SA ID = 1):Get peer's authentication method
*Jan 11 13:57:58.023: IKEv2:(SA ID = 1):Peer's authentication method is 'PSK'
*Jan 11 13:57:58.027: IKEv2:(SA ID = 1):Get peer's preshared key for 200.1.1.2
*Jan 11 13:57:58.027: IKEv2:(SA ID = 1):Verify peer's authentication data
*Jan 11 13:57:58.027: IKEv2:(SA ID = 1):Use preshared key for id 200.1.1.2, key len 5
*Jan 11 13:57:58.027: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Jan 11 13:57:58.027: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Jan 11 13:57:58.031: IKEv2:(SA ID = 1):Verification of peer's authenctication data PASSED
*Jan 11 13:57:58.031: IKEv2:(SA ID = 1):Processing INITIAL_CONTACT
*Jan 11 13:57:58.035: IKEv2:(SA ID = 1):Processing IKE_AUTH message
*Jan 11 13:57:58.035: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 12 hmac 2 flags 8177 keysize 256 IDB 0x0
*Jan 11 13:57:58.039: IPSEC(validate_proposal_request): proposal part #1
*Jan 11 13:57:58.039: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 200.1.1.1:0, remote= 200.1.1.2:0,
local_proxy= 192.168.1.0/255.255.255.0/256/0,
remote_proxy= 192.168.2.0/255.255.255.0/256/0,
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jan 11 13:57:58.043: Crypto mapdb : proxy_match
src addr : 192.168.1.0
dst addr : 192.168.2.0
protocol : 0
src port : 0
dst port : 0
*Jan 11 13:57:58.055: IKEv2:(SA ID = 1):Get my authentication method
*Jan 11 13:57:58.055: IKEv2:(SA ID = 1):My authentication method is 'PSK'
*Jan 11 13:57:58.055: IKEv2:(SA ID = 1):Get peer's preshared key for 200.1.1.2
*Jan 11 13:57:58.055: IKEv2:(SA ID = 1):Generate my authentication data
*Jan 11 13:57:58.055: IKEv2:(SA ID = 1):Use preshared key for id 200.1.1.1, key len 5
*Jan 11 13:57:58.059: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Jan 11 13:57:58.059: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Jan 11 13:57:58.059: IKEv2:(SA ID = 1):Get my authentication method
*Jan 11 13:57:58.059: IKEv2:(SA ID = 1):My authentication method is 'PSK'
*Jan 11 13:57:58.059: IKEv2:(SA ID = 1):Generating IKE_AUTH message
*Jan 11 13:57:58.059: IKEv2:(SA ID = 1):Constructing IDr payload: '200.1.1.1' of type 'IPv4 address'
*Jan 11 13:57:58.063: IKEv2:(SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA96 Don't use ESN
*Jan 11 13:57:58.063: IKEv2:(SA ID = 1):Building packet for encryption.
Payload contents:
VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Jan 11 13:57:58.067: IKEv2:(SA ID = 1):Sending Packet [To 200.1.1.2:500/From 200.1.1.1:500/VRF i0:f0]
Initiator SPI : 13CECD39AA927069 - Responder SPI : C6414ACB8DC80CF5 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Jan 11 13:57:58.071: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Jan 11 13:57:58.071: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Jan 11 13:57:58.075: IKEv2:(SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Jan 11 13:57:58.079: IKEv2:(SA ID = 1):Session with IKE ID PAIR (200.1.1.2, 200.1.1.1) is UP
*Jan 11 13:57:58.083: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Jan 11 13:57:58.087: IKEv2:(SA ID = 1):Load IPSEC key material
*Jan 11 13:57:58.091: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
*Jan 11 13:57:58.095: IKEv2:(SA ID = 1):Asynchronous request queued
*Jan 11 13:57:58.095: IKEv2:(SA ID = 1):
*Jan 11 13:57:58.103: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jan 11 13:57:58.103: Crypto mapdb : proxy_match
src addr : 192.168.1.0
dst addr : 192.168.2.0
protocol : 256
src port : 0
dst port : 0
*Jan 11 13:57:58.107: IPSEC(crypto_ipsec_create_ipsec_sas): Map found CMAP
*Jan 11 13:57:58.111: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 200.1.1.2
*Jan 11 13:57:58.131: IPSEC(create_sa): sa created,
(sa) sa_dest= 200.1.1.1, sa_proto= 50,
sa_spi= 0x6DB242F8(1840399096),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 1
sa_lifetime(k/sec)= (4608000/3600)
*Jan 11 13:57:58.131: IPSEC(create_sa): sa created,
(sa) sa_dest= 200.1.1.2, sa_proto= 50,
sa_spi= 0x8FB36110(2410897680),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 2
sa_lifetime(k/sec)= (4608000/3600)
*Jan 11 13:57:58.139: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
*Jan 11 13:57:58.143: IPSEC: Expand action denied, notify RP
*Jan 11 13:57:58.147: IKEv2:(SA ID = 1):Checking for duplicate IKEv2 SA
*Jan 11 13:57:58.147: IKEv2:(SA ID = 1):No duplicate IKEv2 SA found
*Jan 11 13:57:58.147: IKEv2:(SA ID = 1):Starting timer (8 sec) to delete negotiation context
R1#show crypto ?
call Show crypto call admission info
datapath Data Path
debug-condition Debug Condition filters
dynamic-map Crypto map templates
eli Encryption Layer Interface
engine Show crypto engine info
entropy Entropy sources
gdoi Show crypto gdoi
identity Show crypto identity list
ikev2 Shows ikev2 info
ipsec Show IPSEC policy
isakmp Show ISAKMP
key Show long term public keys
map Crypto maps
mib Show Crypto-related MIB Parameters
optional Optional Encryption Status
pki Show PKI
route Show crypto VPN routes
ruleset Show crypto rules on outgoing packets
session Show crypto sessions (tunnels)
sockets Secure Socket Information
tech-support Displays relevant crypto information
R1#show crypto ikev2 ?
authorization Author policy
certificate-cache Show certificates in ikev2 certificate-cache
client Show Client Status
diagnose Shows ikev2 diagnostic
policy Show policies
profile Shows ikev2 profiles
proposal Show proposals
sa Shows ikev2 SAs
session Shows ikev2 active session
stats Shows ikev2 sa stats
R1#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 200.1.1.1/500 200.1.1.2/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/32 sec
IPv6 Crypto IKEv2 SA
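The `show crypto ikev2 sa` block above is where you confirm what was actually negotiated (AES-CBC-256, SHA512, DH group 5, PSK on both sides), and the earlier debug line reporting `key len 5` tells you how long the preshared key really is. The following parser and checker is an added example and not part of the original post; the sample input is the page's own output embedded for an offline run, and the DH-group and PSK-length thresholds are this example's assumptions.

```python
import re

# Constructed sample input: the 'show crypto ikev2 sa' block and one debug line from the page.
SHOW_IKEV2_SA = """\
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 200.1.1.1/500 200.1.1.2/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/32 sec
IPv6 Crypto IKEv2 SA
"""
DEBUG_LINES = ["*Jan 11 13:57:58.027: IKEv2:(SA ID = 1):Use preshared key for id 200.1.1.2, key len 5"]

TUNNEL_RE = re.compile(r"^(\d+)\s+(\S+)/\d+\s+(\S+)/\d+\s+\S+/\S+\s+(\S+)$")
PARAM_RE = re.compile(r"Encr: (\S+), keysize: (\d+), Hash: (\S+), DH Grp:(\d+), Auth sign: (\S+), Auth verify: (\S+)")
PSK_LEN_RE = re.compile(r"Use preshared key for id (\S+), key len (\d+)")
# Thresholds are this example's assumptions (hypothetical policy), not values from the page.
MIN_DH_GROUP = 14   # 2048-bit MODP; group 5 (1536-bit MODP) sits below that
MIN_PSK_LEN = 20

def parse_ikev2_sa(text):
    """Parse IOS 'show crypto ikev2 sa' output into one dict per tunnel."""
    sas, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = TUNNEL_RE.match(line)
        if m:  # tunnel header row: id, local, remote, status
            cur = {"tunnel_id": int(m.group(1)), "local": m.group(2), "remote": m.group(3), "status": m.group(4)}
            sas.append(cur)
            continue
        m = PARAM_RE.search(line)
        if m and cur is not None:  # negotiated-parameter row belongs to the last tunnel seen
            cur.update(encr=m.group(1), keysize=int(m.group(2)), hash=m.group(3),
                       dh_group=int(m.group(4)), auth_sign=m.group(5), auth_verify=m.group(6))
    return sas

def psk_lengths(debug_lines):
    # Map peer id -> PSK length as reported by 'debug crypto ikev2'
    return {m.group(1): int(m.group(2)) for m in map(PSK_LEN_RE.search, debug_lines) if m}

def audit(sa, psk_lens):
    """Return a list of findings for one IKEv2 SA; an empty list means nothing was flagged."""
    findings = []
    if sa.get("dh_group", 0) < MIN_DH_GROUP:
        findings.append(f"tunnel {sa['tunnel_id']}: DH group {sa['dh_group']} is below group {MIN_DH_GROUP}")
    if sa.get("auth_verify") == "PSK":
        n = psk_lens.get(sa["remote"])
        if n is not None and n < MIN_PSK_LEN:
            findings.append(f"tunnel {sa['tunnel_id']}: PSK for {sa['remote']} is only {n} characters")
    return findings
```

Run against the page's output, `audit` flags both the 1536-bit DH group and the 5-character preshared key; a tunnel with group 14 and certificate authentication returns no findings.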
R1#show crypto ipsec ?
policy Show IPSEC client policies
profile Show ipsec profile information
sa IPSEC SA table
security-association Show parameters for IPSec security associations
spi-lookup IPSEC SPI table
transform-set Crypto transform sets
R1#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: CMAP, local addr 200.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/256/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/256/0)
current_peer 200.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 200.1.1.1, remote crypto endpt.: 200.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x8FB36110(2410897680)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x6DB242F8(1840399096)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, sibling_flags 80000040, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4354253/3520)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x8FB36110(2410897680)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, sibling_flags 80000040, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4354253/3520)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas: