Documentation for cisco asa l2tp ipsec / windows 7

Answered Question

Hello,

I have to configure a few cisco asa 5510's for VPN remote access using l2tp ipsec.  One of the requirements is that no additional vpn clients be used to connect.  We only want to use the client included in Windows 7 x86.  Is there any documentation on how to configure this or a clear statement telling that this isn't supported or possible yet?

thanks

m.

Correct Answer by Marcin Latosiewicz about 6 years 6 months ago

Well, at least no phase 1 errors anymore.

Basically ASA is saying that it's not choosing any of the proposals given.

Here is what is configured ....
-------

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto  dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set  ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5  ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA  ESP-DES-MD5

-------

Here is what is proposed:

-----

  1)  Payload Proposal

       Protocol-Id: PROTO_IPSEC_ESP

        Transform-Id: ESP_AES

        Encapsulation Mode: UDP Transport
         Key Length: 128
        Authentication Algorithm: SHA1

  2)   Payload Proposal

      Protocol-Id:  PROTO_IPSEC_ESP

        Transform-Id: ESP_3DES

        Encapsulation Mode: UDP Transport
         Authentication Algorithm: SHA1

  3)  Payload Proposal

      Protocol-Id: PROTO_IPSEC_ESP

        Transform-Id: ESP_DES

        Encapsulation Mode: UDP Transport
         Authentication Algorithm: SHA1

------------------

Please also check:

https://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html

I see you have PFS of 1 set; default is 0.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2193372

nat-traversal missing?

https://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html#wp1046219


I'm able to connect with a windows xp client.  For windows 7 I get error 789

I attached 2 text files with the output of debug crypto isakmp 250, 1 when connecting with the windows xp machine and 1 when connecting with a windows 7 machine

Any help is more than welcome.

thanks

m.

Here are some errors from the logs I attached

Windows 7

----------------

May 21 09:43:27 [IKEv1 DEBUG]: IP = 81.11.11.11, All SA proposals found unacceptable
May 21 09:43:27 [IKEv1]: IP = 81.11.11.11, Error processing payload: Payload ID: 1
May 21 09:43:27 [IKEv1 DEBUG]: IP = 81.11.11.11, IKE MM Responder FSM error history (struct &0xd7b288e8)  , :  MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
May 21 09:43:27 [IKEv1 DEBUG]: IP = 81.11.11.11, IKE SA MM:d5d73234 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
May 21 09:43:27 [IKEv1 DEBUG]: IP = 81.11.11.11, sending delete/delete with reason message
May 21 09:43:27 [IKEv1]: IP = 81.11.11.11, Removing peer from peer table failed, no match!
May 21 09:43:27 [IKEv1]: IP = 81.11.11.11, Error: Unable to remove PeerTblEntry

Windows XP (still getting an error in phase 1 related to the DH group)

------------------

May 21 09:46:31 [IKEv1 DEBUG]: IP = 81.11.11.11, processing SA payload
May 21 09:46:31 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
May 21 09:46:31 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
May 21 09:46:31 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
May 21 09:46:31 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
May 21 09:46:31 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
May 21 09:46:31 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2

Marcin Latosiewicz Fri, 05/21/2010 - 02:33

This would be around the time you show us crypto config.

Note that Vista and onwards do not support md5, which XP does.

OK, didn't know Vista and Windows 7 don't support md5

Here's the show conf output

hostname hostname
enable password r2.d52YOdvbTM6/l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 100.100.100.10 255.255.255.0 standby 100.100.100.11
!
interface Ethernet0/1
nameif Inside_1
security-level 60
ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11
!
interface Ethernet0/2
nameif Inside_2
security-level 90
ip address 20.20.20.10 255.255.255.0 standby 20.20.20.11
!
interface Ethernet0/3
nameif DMZ
security-level 30
ip address 30.30.30.10 255.255.255.0 standby 30.30.30.11
!
interface Management0/0
description LAN Failover Interface
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list Inside_1_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list nonat extended permit ip 20.20.20.0 255.255.255.0 10.0.4.0 255.255.255.0
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside_1 1500
mtu Inside_2 1500
mtu DMZ 1500
ip local pool clientVPNpool 10.0.5.10-10.0.5.150 mask 255.255.255.0
failover
failover lan unit secondary
failover lan interface failoverlink Management0/0
failover interface ip failoverlink 20.0.0.2 255.255.255.0 standby 20.0.0.3
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside_1) 0 access-list nonat
nat (Inside_1) 1 0.0.0.0 0.0.0.0
nat (Inside_2) 0 access-list nonat
route Outside 0.0.0.0 0.0.0.0 100.100.100.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.10.10.0 255.255.255.0 Inside_1
http 20.20.20.0 255.255.255.0 Inside_2
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh 10.10.10.0 255.255.255.0 Inside_1
ssh 20.20.20.0 255.255.255.0 Inside_2
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable Outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.10.10.50 20.20.20.50
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value 1.local
username test password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted
username VPNtest password pXVGjB7BA7pQ4yNcDbuXkw== nt-encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool clientVPNpool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:19462e1583941462f1a5b6f395e6fd9d
: end
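
The phase 2 mismatch discussed in this thread can be reproduced offline. The following is an added example, not part of the original posts and not Cisco code: it reads the crypto lines of the configuration above (abridged) and compares the Windows 7 proposals quoted in the answer with the transform sets reachable through the crypto map bound to the Outside interface. It assumes transform sets default to tunnel mode and that crypto map names are case-sensitive (the listing shows `Outside_map` and `outside_map` as separate maps); `PATCHED` and `REBOUND` are hypothetical variants for comparison, not fixes confirmed in the thread.

```python
# Added example (not from the thread): offline check of IPsec phase 2 proposals
# against the crypto lines of an ASA configuration.

# Abridged from the "show conf" output posted above (pfs line left out, not evaluated).
ASA_CONFIG = """\
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-3DES-SHA ESP-DES-SHA
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface Outside
"""

# Phase 2 proposals from the Windows 7 client as decoded in the thread.
# "UDP Transport" is modelled as transport mode (NAT-T encapsulation aside).
WIN7_PROPOSALS = [
    {"id": 1, "cipher": "aes-128", "auth": "sha1", "mode": "transport"},
    {"id": 2, "cipher": "3des", "auth": "sha1", "mode": "transport"},
    {"id": 3, "cipher": "des", "auth": "sha1", "mode": "transport"},
]

CIPHERS = {"esp-aes": "aes-128", "esp-aes-192": "aes-192",
           "esp-aes-256": "aes-256", "esp-3des": "3des", "esp-des": "des"}
AUTHS = {"esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}


def parse_asa_crypto(config):
    """Return (transform_sets, dynamic_maps, crypto_maps, bound_maps)."""
    tsets, dyn_maps, crypto_maps, bound = {}, {}, {}, {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["crypto", "ipsec", "transform-set"]:
            ts = tsets.setdefault(tok[3], {"mode": "tunnel"})  # assumed default
            if tok[4] == "mode":
                ts["mode"] = tok[5]
            for t in tok[4:]:
                if t in CIPHERS:
                    ts["cipher"] = CIPHERS[t]
                if t in AUTHS:
                    ts["auth"] = AUTHS[t]
        elif tok[:2] == ["crypto", "dynamic-map"] and tok[4:6] == ["set", "transform-set"]:
            dyn_maps.setdefault(tok[2], []).extend(tok[6:])
        elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["ipsec-isakmp", "dynamic"]:
            crypto_maps.setdefault(tok[2], []).append(tok[6])
        elif tok[:2] == ["crypto", "map"] and tok[3:4] == ["interface"]:
            bound[tok[4]] = tok[2]  # interface name -> crypto map name
    return tsets, dyn_maps, crypto_maps, bound


def reachable_sets(config, interface):
    """Transform sets a peer arriving on `interface` can actually negotiate."""
    tsets, dyn_maps, crypto_maps, bound = parse_asa_crypto(config)
    names = []
    for dyn_name in crypto_maps.get(bound.get(interface), []):
        names.extend(dyn_maps.get(dyn_name, []))
    return {n: tsets[n] for n in names if n in tsets}


def check(proposals, config, interface):
    """Return (accepted, report); accepted is (proposal id, set name) or None.

    report lists (proposal id, set name, mismatched fields) for each rejection.
    """
    candidates = reachable_sets(config, interface)
    report = []
    for p in proposals:
        for name, ts in candidates.items():
            diffs = [k for k in ("cipher", "auth", "mode") if p[k] != ts.get(k)]
            if not diffs:
                return (p["id"], name), report
            report.append((p["id"], name, diffs))
    return None, report


# Hypothetical variant: the dynamic map in use also offers the SHA1 transport set.
PATCHED = ASA_CONFIG.replace(
    "set transform-set TRANS_ESP_3DES_MD5",
    "set transform-set TRANS_ESP_3DES_SHA TRANS_ESP_3DES_MD5")
# Hypothetical variant: bind the other map, whose sets are all tunnel mode.
REBOUND = ASA_CONFIG.replace("crypto map outside_map interface",
                             "crypto map Outside_map interface")

if __name__ == "__main__":
    for label, cfg in (("as posted", ASA_CONFIG), ("patched", PATCHED), ("rebound", REBOUND)):
        accepted, report = check(WIN7_PROPOSALS, cfg, "Outside")
        print(label, "->", accepted or "all proposals unacceptable")
        for row in report:
            print("   proposal %d vs %s: mismatch on %s" % (row[0], row[1], ", ".join(row[2])))
```
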

Marcin Latosiewicz Fri, 05/21/2010 - 02:59

To this:

-------

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5

--------

you might also want to add
---------

crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

---------

After this, re-run the debugs if it does not work :-)

Well, I had to re-run the debug command; same error 789.

many thanks for helping me on this issue.

Here's the new output

hostname(config)# debug crypto isakmp 255
hostname(config)#

RECV PACKET from 11.11.11.11
ISAKMP Header
  Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 384
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 212
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 200
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 5
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Key Length: 256
        Hash Algorithm: SHA1
        Group Description: Unknown
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 70 80
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 2
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Key Length: 128
        Hash Algorithm: SHA1
        Group Description: Unknown
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 70 80
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 3
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Key Length: 256
        Hash Algorithm: SHA1
        Group Description: Unknown
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 70 80
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 4
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Group Description: Unknown
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 70 80
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 5
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 70 80
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      1e 2b 51 69 05 99 1c 7d 7c 96 fc bf b5 87 e4 61
      00 00 00 08
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      fb 1d e3 cd f3 41 b7 ea 16 b7 e5 be 08 55 f1 20
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      26 24 4d 38 ed db 61 b3 17 2a 36 e3 d0 cf b8 19
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      e3 a5 96 6a 76 37 9f e7 07 22 82 31 e5 ce 86 52
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 384
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing SA payload
May 21 11:55:27 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
May 21 11:55:27 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
May 21 11:55:27 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
May 21 11:55:27 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, Oakley proposal is acceptable
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing VID payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing VID payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, Received NAT-Traversal RFC VID
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing VID payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, Received NAT-Traversal ver 02 VID
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing VID payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, Received Fragmentation VID
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing VID payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing VID payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing VID payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing IKE SA payload
May 21 11:55:27 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
May 21 11:55:27 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
May 21 11:55:27 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
May 21 11:55:27 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, IKE SA Proposal # 1, Transform # 5 acceptable  Matches global IKE entry # 4
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, constructing ISAKMP SA payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, constructing NAT-Traversal VID ver 02 payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, constructing Fragmentation VID + extended capabilities payload
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124

SENDING PACKET to 11.11.11.11
ISAKMP Header
  Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
  Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 124
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 52
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 40
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 32
        Transform #: 5
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 70 80
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      c0 00 00 00


RECV PACKET from 11.11.11.11
ISAKMP Header
  Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
  Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
  Next Payload: Key Exchange
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 260
  Payload Key Exchange
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 132
    Data:
      92 b1 95 89 49 47 2a 4e f7 e1 48 3c df 22 b6 f6
      c1 db 3f a1 bf ea bb 74 41 06 69 80 25 6c 62 2c
      5a 72 71 b5 08 1c 7f 5c e8 5f e7 e1 e2 8f 5b 3a
      a6 d1 89 98 25 33 07 38 9a 0d 9a c5 4d 72 9d 63
      c7 86 c6 eb d0 17 46 7b 26 db 44 00 6b 12 43 98
      ea 42 36 7c 49 7b 57 9d 5a 44 5d b4 83 9a e0 ef
      eb 84 a1 24 40 96 f5 8d e5 d9 98 bb fe f3 15 70
      a5 fc da 2e 14 ba ee e7 0c 8b fb 32 f3 95 6c 6e
  Payload Nonce
    Next Payload: NAT-D
    Reserved: 00
    Payload Length: 52
    Data:
      77 3c 83 91 a8 98 13 7a 13 95 19 23 72 9b ba e0
      fd 73 b7 d9 ed 0b fd 3f 87 48 9c 2e 06 14 64 94
      ca 9c 89 30 3f ea c2 ce 45 a0 2a 31 7d 54 b1 26
  Payload NAT-D
    Next Payload: NAT-D
    Reserved: 00
    Payload Length: 24
    Data:
      cd 58 e6 70 5a a1 36 d0 7b d7 d1 0e e1 09 b4 f7
      cf 04 94 95
  Payload NAT-D
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data:
      6c 88 ce 83 9e ee c4 19 4c 7a 95 49 95 1b b2 c2
      38 a7 dc 7f
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 260
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing ke payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing ISA_KE payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing nonce payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing NAT-Discovery payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, computing NAT Discovery hash
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing NAT-Discovery payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, computing NAT Discovery hash
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, constructing ke payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, constructing nonce payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, constructing Cisco Unity VID payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, constructing xauth V6 VID payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, Send IOS VID
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, constructing VID payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, constructing NAT-Discovery payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, computing NAT Discovery hash
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, constructing NAT-Discovery payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, computing NAT Discovery hash
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, Connection landed on tunnel_group DefaultRAGroup
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, Generating keys for Responder...
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304

SENDING PACKET to 11.11.11.11
ISAKMP Header
  Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
  Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
  Next Payload: Key Exchange
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 304
  Payload Key Exchange
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 132
    Data:
      93 89 b2 6c 96 e8 f7 9e 4d e6 ef 18 c8 70 77 f1
      50 af c2 19 54 8f e3 dd b5 f4 da 92 37 84 55 e9
      a2 cf 08 61 58 cc 66 f8 20 d2 8e 52 1a 6d 83 47
      2d 80 a1 eb a6 49 5a ee ba f8 91 46 ef 83 00 f6
      b7 6a b5 cc 44 1d 98 19 0a 17 9a 79 69 27 7a 37
      75 3b bc 6c 11 c3 25 59 15 55 b2 e4 b6 86 bc 0e
      e1 eb 51 d3 bc 5a 56 c4 81 02 32 04 4d 11 7b f0
      43 dc 0c d1 17 fb 3d 79 bb 85 3f 37 0b 87 53 c0
  Payload Nonce
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 24
    Data:
      17 e8 74 f3 b8 c6 e9 18 61 d6 a3 94 de f0 91 6c
      84 57 1f 97
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 12
    Data (In Hex): 09 00 26 89 df d6 b7 12
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      e3 30 11 38 d2 5b cf 6a d7 7e 80 9d a7 c6 bd 0d
  Payload Vendor ID
    Next Payload: NAT-D
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00
  Payload NAT-D
    Next Payload: NAT-D
    Reserved: 00
    Payload Length: 24
    Data:
      39 7f 03 6e 3a b6 5b 50 cd 01 27 f1 f6 87 db b4
      f7 1f 30 a8
  Payload NAT-D
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data:
      cd 58 e6 70 5a a1 36 d0 7b d7 d1 0e e1 09 b4 f7
      cf 04 94 95

RECV PACKET from 11.11.11.11
ISAKMP Header
  Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
  Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
  Next Payload: Identification
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (Encryption)
  MessageID: 00000000
  Length: 68

AFTER DECRYPTION
ISAKMP Header
  Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
  Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
  Next Payload: Identification
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (Encryption)
  MessageID: 00000000
  Length: 68
  Payload Identification
    Next Payload: Hash
    Reserved: 00
    Payload Length: 12
    ID Type: IPv4 Address (1)
    Protocol ID (UDP/TCP, etc...): 0
    Port: 0
    ID Data: 192.168.0.103
  Payload Hash
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data:
      5a b3 ad 02 fa c7 f9 c0 13 63 42 f4 0d 05 2d 62
      8c 2c 25 0c
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, processing ID payload
May 21 11:55:27 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 11.11.11.11, ID_IPV4_ADDR ID received
192.168.0.103
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, processing hash payload
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, Computing hash for ISAKMP
May 21 11:55:27 [IKEv1]: Group = DefaultRAGroup, IP = 11.11.11.11, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, Connection landed on tunnel_group DefaultRAGroup
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, constructing ID payload
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, constructing hash payload
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, Computing hash for ISAKMP
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, constructing dpd vid payload
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84

BEFORE ENCRYPTION
ISAKMP Header
  Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
  Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
  Next Payload: Identification
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 469762048
  Payload Identification
    Next Payload: Hash
    Reserved: 00
    Payload Length: 12
    ID Type: IPv4 Address (1)
    Protocol ID (UDP/TCP, etc...): 17
    Port: 0
    ID Data: 213.197.60.178
  Payload Hash
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 24
    Data:
      5a 52 1f de 2b 9e bc 16 80 b3 67 60 03 3e fe cd
      fe 55 9c e0
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00

SENDING PACKET to 11.11.11.11
ISAKMP Header
  Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
  Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
  Next Payload: Identification
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (Encryption)
  MessageID: 00000000
  Length: 84
RESERVED != 0, PACKET MAY BE CORRUPT
May 21 11:55:27 [IKEv1]: Group = DefaultRAGroup, IP = 11.11.11.11, PHASE 1 COMPLETED
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, Keep-alive type for this connection: None
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, Keep-alives configured on but peer does not support keep-alives (type = None)
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, Starting P1 rekey timer: 21600 seconds.

RECV PACKET from 11.11.11.11
ISAKMP Header
  Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
  Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Quick Mode
  Flags: (Encryption)
  MessageID: 00000001
  Length: 316
May 21 11:55:27 [IKEv1 DECODE]: IP = 11.11.11.11, IKE Responder starting QM: msg id = 00000001

AFTER DECRYPTION
ISAKMP Header
  Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
  Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Quick Mode
  Flags: (Encryption)
  MessageID: 00000001
  Length: 316
  Payload Hash
    Next Payload: Security Association
    Reserved: 00
    Payload Length: 24
    Data:
      c6 62 5b b3 8d c7 7c d9 ba 6d 74 af a7 8b bc 27
      8f e0 08 eb
  Payload Security Association
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 172
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: Proposal
      Reserved: 00
      Payload Length: 56
      Proposal #: 1
      Protocol-Id: PROTO_IPSEC_ESP
      SPI Size: 4
      # of transforms: 1
      SPI: 6c 4f 73 f5
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 44
        Transform #: 1
        Transform-Id: ESP_AES
        Reserved2: 0000
        Encapsulation Mode: UDP Transport
        Key Length: 128
        Authentication Algorithm: SHA1
        Life Type: Seconds
        Life Duration (Hex): 00 00 0e 10
        Life Type: Kilobytes
        Life Duration (Hex): 00 03 d0 90
    Payload Proposal
      Next Payload: Proposal
      Reserved: 00
      Payload Length: 52
      Proposal #: 2
      Protocol-Id: PROTO_IPSEC_ESP
      SPI Size: 4
      # of transforms: 1
      SPI: 6c 4f 73 f5
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 40
        Transform #: 1
        Transform-Id: ESP_3DES
        Reserved2: 0000
        Encapsulation Mode: UDP Transport
        Authentication Algorithm: SHA1
        Life Type: Seconds
        Life Duration (Hex): 00 00 0e 10
        Life Type: Kilobytes
        Life Duration (Hex): 00 03 d0 90
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 52
      Proposal #: 3
      Protocol-Id: PROTO_IPSEC_ESP
      SPI Size: 4
      # of transforms: 1
      SPI: 6c 4f 73 f5
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 40
        Transform #: 1
        Transform-Id: ESP_DES
        Reserved2: 0000
        Encapsulation Mode: UDP Transport
        Authentication Algorithm: SHA1
        Life Type: Seconds
        Life Duration (Hex): 00 00 0e 10
        Life Type: Kilobytes
        Life Duration (Hex): 00 03 d0 90
  Payload Nonce
    Next Payload: Identification
    Reserved: 00
    Payload Length: 52
    Data:
      1a 46 aa 1d 47 93 ce 0e a9 b8 a1 b8 1c 44 f1 6c
      95 d4 e6 a3 e6 f2 aa 06 d0 54 e6 2b eb 4e 91 25
      77 54 2c ba 11 b3 13 d6 b8 6a fc 4d c3 cd 22 a3
  Payload Identification
    Next Payload: Identification
    Reserved: 00
    Payload Length: 12
    ID Type: IPv4 Address (1)
    Protocol ID (UDP/TCP, etc...): 17
    Port: 1701
    ID Data: 192.168.0.103
  Payload Identification
    Next Payload: Private Use
    Reserved: 00
    Payload Length: 12
    ID Type: IPv4 Address (1)
    Protocol ID (UDP/TCP, etc...): 17
    Port: 1701
    ID Data: 213.197.60.178
  Payload Private Use
    Next Payload: None
    Reserved: 00
    Payload Length: 12
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (131) + NONE (0) total length : 312
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, processing hash payload
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, processing SA payload
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, processing nonce payload
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, processing ID payload
May 21 11:55:27 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 11.11.11.11, ID_IPV4_ADDR ID received
192.168.0.103
May 21 11:55:27 [IKEv1]: Group = DefaultRAGroup, IP = 11.11.11.11, Received remote Proxy Host data in ID Payload:  Address 192.168.0.103, Protocol 17, Port 1701
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, processing ID payload
May 21 11:55:27 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 11.11.11.11, ID_IPV4_ADDR ID received
213.197.60.178
May 21 11:55:27 [IKEv1]: Group = DefaultRAGroup, IP = 11.11.11.11, Received local Proxy Host data in ID Payload:  Address 213.197.60.178, Protocol 17, Port 1701
May 21 11:55:27 [IKEv1]: Group = DefaultRAGroup, IP = 11.11.11.11, L2TP/IPSec session detected.
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, processing NAT-Original-Address payload
May 21 11:55:27 [IKEv1]: Group = DefaultRAGroup, IP = 11.11.11.11, QM IsRekeyed old sa not found by addr
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
May 21 11:55:27 [IKEv1]: Group = DefaultRAGroup, IP = 11.11.11.11, IKE Remote Peer configured for crypto map: outside_dyn_map
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, processing IPSec SA payload
May 21 11:55:27 [IKEv1]: Group = DefaultRAGroup, IP = 11.11.11.11, All IPSec SA proposals found unacceptable!
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, sending notify message
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, constructing blank hash payload
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, constructing ipsec notify payload for msg id 1
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, constructing qm hash payload
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, IKE_DECODE SENDING Message (msgid=3c866194) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
15 44 7b 15 f6 60 7f ec 16 f7 b6 25 d2 5a cf 6a    |  .D{......%.Z.j
08 10 05 00 94 61 86 3c 1c 00 00 00 0b 00 00 18    |  .....a.<........
47 6c 82 39 de 18 99 96 31 da 18 a8 6f a4 7e 89    |  Gl.9....1...o.~.
63 1d 26 29 00 00 00 20 00 00 00 01 03 10 00 0e    |  c.&)... ........
15 44 7b 15 f6 60 7f ec 16 f7 b6 25 d2 5a cf 6a    |  .D{......%.Z.j
00 00 00 01                                        |  ....

ISAKMP Header
  Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
  Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (none)
  MessageID: 9461863C
  Length: 469762048
  Payload Hash
    Next Payload: Notification
    Reserved: 00
    Payload Length: 24
    Data:
      47 6c 82 39 de 18 99 96 31 da 18 a8 6f a4 7e 89
      63 1d 26 29
  Payload Notification
    Next Payload: None
    Reserved: 00
    Payload Length: 32
    DOI: IPsec
    Protocol-ID: PROTO_IPSEC_ESP
    Spi Size: 16
    Notify Type: NO_PROPOSAL_CHOSEN
    SPI:
      15 44 7b 15 f6 60 7f ec 16 f7 b6 25 d2 5a cf 6a
    Data: 00 00 00 01

ISAKMP Header
  Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
  Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (Encryption)
  MessageID: 3C866194
  Length: 84
RESERVED != 0, PACKET MAY BE CORRUPT
May 21 11:55:27 [IKEv1]: Group = DefaultRAGroup, IP = 11.11.11.11, QM FSM error (P2 struct &0xd7a04e38, mess id 0x1)!
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, IKE QM Responder FSM error history (struct &0xd7a04e38)  , :  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, sending delete/delete with reason message
May 21 11:55:27 [IKEv1]: Group = DefaultRAGroup, IP = 11.11.11.11, Removing peer from correlator table failed, no match!
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, IKE SA MM:25b6f716 rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, IKE SA MM:25b6f716 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, sending delete/delete with reason message
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, constructing blank hash payload
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, constructing IKE delete payload
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, constructing qm hash payload
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, IKE_DECODE SENDING Message (msgid=e4b9d029) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
15 44 7b 15 f6 60 7f ec 16 f7 b6 25 d2 5a cf 6a    |  .D{......%.Z.j
08 10 05 00 29 d0 b9 e4 1c 00 00 00 0c 00 00 18    |  ....)...........
0c 0e 06 e4 b0 1b b1 b0 e1 0c ec 23 08 37 5f 13    |  ...........#.7_.
1d db 35 3d 00 00 00 1c 00 00 00 01 01 10 00 01    |  ..5=............
15 44 7b 15 f6 60 7f ec 16 f7 b6 25 d2 5a cf 6a    |  .D{......%.Z.j

ISAKMP Header
  Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
  Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (none)
  MessageID: 29D0B9E4
  Length: 469762048
  Payload Hash
    Next Payload: Delete
    Reserved: 00
    Payload Length: 24
    Data:
      0c 0e 06 e4 b0 1b b1 b0 e1 0c ec 23 08 37 5f 13
      1d db 35 3d
  Payload Delete
    Next Payload: None
    Reserved: 00
    Payload Length: 28
    DOI: IPsec
    Protocol-ID: PROTO_ISAKMP
    Spi Size: 16
    # of SPIs: 1
    SPI (Hex dump):
      15 44 7b 15 f6 60 7f ec 16 f7 b6 25 d2 5a cf 6a

ISAKMP Header
  Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
  Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (Encryption)
  MessageID: E4B9D029
  Length: 84
RESERVED != 0, PACKET MAY BE CORRUPT
May 21 11:55:27 [IKEv1]: Ignoring msg to mark SA with dsID 36864 dead because SA deleted


May 21 11:55:35 [IKEv1]: IP = 11.11.11.11, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124

ISAKMP Header
  Initiator COOKIE: 54 5c 33 cf cc a5 1b b9
  Responder COOKIE: 63 83 71 06 12 ab 3e 4d
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 124
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 52
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 40
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 32
        Transform #: 5
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 70 80
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      c0 00 00 00
May 21 11:55:43 [IKEv1]: IP = 11.11.11.11, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124

ISAKMP Header
  Initiator COOKIE: 54 5c 33 cf cc a5 1b b9
  Responder COOKIE: 63 83 71 06 12 ab 3e 4d
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 124
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 52
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 40
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 32
        Transform #: 5
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 70 80
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      c0 00 00 00
May 21 11:55:51 [IKEv1]: IP = 11.11.11.11, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124

ISAKMP Header
  Initiator COOKIE: 54 5c 33 cf cc a5 1b b9
  Responder COOKIE: 63 83 71 06 12 ab 3e 4d
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 124
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 52
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 40
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 32
        Transform #: 5
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 70 80
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      c0 00 00 00
May 21 11:55:59 [IKEv1 DEBUG]: IP = 11.11.11.11, IKE MM Responder FSM error history (struct &0xd7b288e8)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
May 21 11:55:59 [IKEv1 DEBUG]: IP = 11.11.11.11, IKE SA MM:06718363 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
May 21 11:55:59 [IKEv1 DEBUG]: IP = 11.11.11.11, sending delete/delete with reason message
May 21 11:55:59 [IKEv1]: IP = 11.11.11.11, Removing peer from peer table failed, no match!
May 21 11:55:59 [IKEv1]: IP = 11.11.11.11, Error: Unable to remove PeerTblEntry

I changed the mode for 2 aes crypto transform-sets to transport.  Still the same error 789....


crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA mode transport

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA mode transport

Correct Answer
Marcin Latosiewicz Fri, 05/21/2010 - 04:40

Well at least no phase 1 errors anymore.

Basically ASA is saying that it's not choosing any of the proposals given.

Here is what is configured ....
-------

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

-------

Here is what is proposed:

-----

  1)  Payload Proposal
        Protocol-Id: PROTO_IPSEC_ESP
        Transform-Id: ESP_AES
        Encapsulation Mode: UDP Transport
        Key Length: 128
        Authentication Algorithm: SHA1

  2)  Payload Proposal
        Protocol-Id: PROTO_IPSEC_ESP
        Transform-Id: ESP_3DES
        Encapsulation Mode: UDP Transport
        Authentication Algorithm: SHA1

  3)  Payload Proposal
        Protocol-Id: PROTO_IPSEC_ESP
        Transform-Id: ESP_DES
        Encapsulation Mode: UDP Transport
        Authentication Algorithm: SHA1

------------------

Please also check:

https://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html

I see you have PFS of 1 set; default is 0.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2193372

nat-traversal missing?

https://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html#wp1046219
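
The comparison made in the answer above can be scripted. This added example (not part of the original thread) parses the peer's Quick Mode offers from the ASA debug output, checks them against the transform-sets on the dynamic map including their mode, and flags `set pfs` when the peer's message carries no KE payload. The sample text is constructed from lines in this thread; the ESP-3DES-SHA definition line and all function names are assumptions.

```python
import re

# Constructed sample built from the debug output and configuration quoted in this thread.
# The ESP-3DES-SHA definition line is an assumption (left in the default tunnel mode).
DEBUG = """\
      Payload Transform
        Transform-Id: ESP_AES
        Encapsulation Mode: UDP Transport
        Key Length: 128
        Authentication Algorithm: SHA1
      Payload Transform
        Transform-Id: ESP_3DES
        Encapsulation Mode: UDP Transport
        Authentication Algorithm: SHA1
IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (131) + NONE (0) total length : 312
"""
CONFIG = """\
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-3DES-SHA
"""

def field(chunk, name):
    m = re.search(rf"{name}: (.+)", chunk)
    return m.group(1).strip() if m else None

def parse_proposals(debug):
    """Return (cipher, auth, mode) for every transform the peer offered."""
    offers = []
    for chunk in debug.split("Payload Transform")[1:]:
        cipher = field(chunk, "Transform-Id").replace("ESP_", "").lower()
        klen = field(chunk, "Key Length")
        if klen and klen != "128":          # ASA names 128-bit AES plain "esp-aes"
            cipher += "-" + klen
        auth = "sha" if field(chunk, "Authentication Algorithm").startswith("SHA") else "md5"
        mode = "transport" if "Transport" in field(chunk, "Encapsulation Mode") else "tunnel"
        offers.append((cipher, auth, mode))
    return offers

def parse_transform_sets(config):
    """Map transform-set name -> (cipher, auth, mode); mode defaults to tunnel."""
    sets = {}
    for name, rest in re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        entry = sets.setdefault(name, {"mode": "tunnel"})
        words = rest.split()
        if words[0] == "mode":
            entry["mode"] = words[1]
        else:
            entry["cipher"] = words[0].replace("esp-", "")
            entry["auth"] = words[1].replace("esp-", "").replace("-hmac", "")
    return {n: (e.get("cipher"), e.get("auth"), e["mode"]) for n, e in sets.items()}

def diagnose(debug, config):
    """Per offer, list the dynamic-map transform-sets that match; flag a PFS mismatch."""
    sets = parse_transform_sets(config)
    mapped = re.search(r"set transform-set (.+)", config).group(1).split()
    matches = {offer: [n for n in mapped if sets.get(n) == offer]
               for offer in parse_proposals(debug)}
    payloads = re.search(r"with payloads : (.+?) total length", debug).group(1).split(" + ")
    peer_sent_ke = any(p.startswith("KE ") for p in payloads)
    pfs_required = re.search(r"set pfs \S+", config) is not None
    return matches, pfs_required and not peer_sent_ke
```

`diagnose(DEBUG, CONFIG)` returns the matching transform-set names per offer and a boolean that is true when the map demands PFS but the peer's Quick Mode message has no key-exchange payload.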

m.ramsgaard Wed, 05/26/2010 - 06:36

Hi.

I am trying the same as you and can't get it to work.

What solved it for you?

Perhaps you have a working configuration?

How did you set up the VPN client in Windows 7?

Did you make any changes to the Windows 7, IPSec settings or Firewall?

Best regards

M2

Amir Mehri Wed, 08/24/2011 - 22:24

Hello dear,

I have the same problem, would you please tell me how to figure your problem out?

Thank you
