05-20-2010 11:43 PM - edited 02-21-2020 04:39 PM
Hello,
I have to configure a few Cisco ASA 5510s for VPN remote access using L2TP/IPsec. One of the requirements is that no additional VPN clients be used to connect. We only want to use the client included in Windows 7 x86. Is there any documentation on how to configure this, or a clear statement saying that this isn't supported or possible yet?
thanks
m.
05-21-2010 04:40 AM
Well, at least no phase 1 errors anymore.
Basically the ASA is saying that it's not choosing any of the proposals given.
Here is what is configured ....
-------
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
-------
Here is what is proposed:
-----
1) Payload Proposal
Protocol-Id: PROTO_IPSEC_ESP
Transform-Id: ESP_AES
Encapsulation Mode: UDP Transport
Key Length: 128
Authentication Algorithm: SHA1
2) Payload Proposal
Protocol-Id: PROTO_IPSEC_ESP
Transform-Id: ESP_3DES
Encapsulation Mode: UDP Transport
Authentication Algorithm: SHA1
3) Payload Proposal
Protocol-Id: PROTO_IPSEC_ESP
Transform-Id: ESP_DES
Encapsulation Mode: UDP Transport
Authentication Algorithm: SHA1
------------------
Please also check:
https://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html
I see you have PFS of 1 set; the default is 0.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2193372
nat-traversal missing?
https://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html#wp1046219
05-21-2010 02:17 AM
I'm able to connect with a Windows XP client. For Windows 7 I get error 789.
I attached 2 text files with the output of debug crypto isakmp 250, 1 when connecting with the Windows XP machine and 1 when connecting with a Windows 7 machine.
Any help is more than welcome.
thanks
m.
Here are some errors from the logs I attached:
Windows 7
----------------
May 21 09:43:27 [IKEv1 DEBUG]: IP = 81.11.11.11, All SA proposals found unacceptable
May 21 09:43:27 [IKEv1]: IP = 81.11.11.11, Error processing payload: Payload ID: 1
May 21 09:43:27 [IKEv1 DEBUG]: IP = 81.11.11.11, IKE MM Responder FSM error history (struct &0xd7b288e8)
May 21 09:43:27 [IKEv1 DEBUG]: IP = 81.11.11.11, IKE SA MM:d5d73234 terminating: flags 0x01000002, refcnt 0, tuncnt 0
May 21 09:43:27 [IKEv1 DEBUG]: IP = 81.11.11.11, sending delete/delete with reason message
May 21 09:43:27 [IKEv1]: IP = 81.11.11.11, Removing peer from peer table failed, no match!
May 21 09:43:27 [IKEv1]: IP = 81.11.11.11, Error: Unable to remove PeerTblEntry
Windows XP (still getting an error in phase 1 related to the DH group)
------------------
May 21 09:46:31 [IKEv1 DEBUG]: IP = 81.11.11.11, processing SA payload
May 21 09:46:31 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
May 21 09:46:31 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
May 21 09:46:31 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
May 21 09:46:31 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
May 21 09:46:31 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
May 21 09:46:31 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
05-21-2010 02:33 AM
This would be around the time you show us the crypto config.
Note that Vista and onwards do not support MD5, which XP does.
05-21-2010 02:51 AM
OK, didn't know Vista and Windows 7 don't support MD5.
Here's the show conf output:
hostname hostname
enable password r2.d52YOdvbTM6/l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 100.100.100.10 255.255.255.0 standby 100.100.100.11
!
interface Ethernet0/1
nameif Inside_1
security-level 60
ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11
!
interface Ethernet0/2
nameif Inside_2
security-level 90
ip address 20.20.20.10 255.255.255.0 standby 20.20.20.11
!
interface Ethernet0/3
nameif DMZ
security-level 30
ip address 30.30.30.10 255.255.255.0 standby 30.30.30.11
!
interface Management0/0
description LAN Failover Interface
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list Inside_1_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list nonat extended permit ip 20.20.20.0 255.255.255.0 10.0.4.0 255.255.255.0
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside_1 1500
mtu Inside_2 1500
mtu DMZ 1500
ip local pool clientVPNpool 10.0.5.10-10.0.5.150 mask 255.255.255.0
failover
failover lan unit secondary
failover lan interface failoverlink Management0/0
failover interface ip failoverlink 20.0.0.2 255.255.255.0 standby 20.0.0.3
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside_1) 0 access-list nonat
nat (Inside_1) 1 0.0.0.0 0.0.0.0
nat (Inside_2) 0 access-list nonat
route Outside 0.0.0.0 0.0.0.0 100.100.100.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.10.10.0 255.255.255.0 Inside_1
http 20.20.20.0 255.255.255.0 Inside_2
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh 10.10.10.0 255.255.255.0 Inside_1
ssh 20.20.20.0 255.255.255.0 Inside_2
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable Outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.10.10.50 20.20.20.50
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value 1.local
username test password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted
username VPNtest password pXVGjB7BA7pQ4yNcDbuXkw== nt-encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool clientVPNpool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:19462e1583941462f1a5b6f395e6fd9d
: end
05-21-2010 02:59 AM
To this:
-------
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
--------
you might also want to add
---------
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
---------
After this, re-run the debugs if it does not work :-)
05-21-2010 03:14 AM
Well, I had to re-run the debug command; same error 789.
Many thanks for helping me on this issue.
Here's the new output:
hostname(config)# debug crypto isakmp 255
hostname(config)#
IKE Recv RAW packet dump
15 44 7b 15 f6 60 7f ec 00 00 00 00 00 00 00 00 | .D{...........
01 10 02 00 00 00 00 00 00 00 01 80 0d 00 00 d4 | ................
00 00 00 01 00 00 00 01 00 00 00 c8 01 01 00 05 | ................
03 00 00 28 01 01 00 00 80 01 00 07 80 0e 01 00 | ...(............
80 02 00 02 80 04 00 14 80 03 00 01 80 0b 00 01 | ................
00 0c 00 04 00 00 70 80 03 00 00 28 02 01 00 00 | ......p....(....
80 01 00 07 80 0e 00 80 80 02 00 02 80 04 00 13 | ................
80 03 00 01 80 0b 00 01 00 0c 00 04 00 00 70 80 | ..............p.
03 00 00 28 03 01 00 00 80 01 00 07 80 0e 01 00 | ...(............
80 02 00 02 80 04 00 0e 80 03 00 01 80 0b 00 01 | ................
00 0c 00 04 00 00 70 80 03 00 00 24 04 01 00 00 | ......p....$....
80 01 00 05 80 02 00 02 80 04 00 0e 80 03 00 01 | ................
80 0b 00 01 00 0c 00 04 00 00 70 80 00 00 00 24 | ..........p....$
05 01 00 00 80 01 00 05 80 02 00 02 80 04 00 02 | ................
80 03 00 01 80 0b 00 01 00 0c 00 04 00 00 70 80 | ..............p.
0d 00 00 18 1e 2b 51 69 05 99 1c 7d 7c 96 fc bf | .....+Qi...}|...
b5 87 e4 61 00 00 00 08 0d 00 00 14 4a 13 1c 81 | ...a........J...
07 03 58 45 5c 57 28 f2 0e 95 45 2f 0d 00 00 14 | ..XE\W(...E/....
90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f | ....>.in.c...B{.
0d 00 00 14 40 48 b7 d5 6e bc e8 85 25 e7 de 7f | ....@H..n...%.
00 d6 c2 d3 0d 00 00 14 fb 1d e3 cd f3 41 b7 ea | .............A..
16 b7 e5 be 08 55 f1 20 0d 00 00 14 26 24 4d 38 | .....U. ....&$M8
ed db 61 b3 17 2a 36 e3 d0 cf b8 19 00 00 00 14 | ..a..*6.........
e3 a5 96 6a 76 37 9f e7 07 22 82 31 e5 ce 86 52 | ...jv7...".1...R
RECV PACKET from 11.11.11.11
ISAKMP Header
Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 384
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 212
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 200
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 5
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Group Description: Unknown
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 70 80
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 2
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: AES-CBC
Key Length: 128
Hash Algorithm: SHA1
Group Description: Unknown
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 70 80
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 3
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Group Description: Unknown
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 70 80
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 36
Transform #: 4
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Group Description: Unknown
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 70 80
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 5
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Group Description: Group 2
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 70 80
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 24
Data (In Hex):
1e 2b 51 69 05 99 1c 7d 7c 96 fc bf b5 87 e4 61
00 00 00 08
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
fb 1d e3 cd f3 41 b7 ea 16 b7 e5 be 08 55 f1 20
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
26 24 4d 38 ed db 61 b3 17 2a 36 e3 d0 cf b8 19
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
e3 a5 96 6a 76 37 9f e7 07 22 82 31 e5 ce 86 52
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 384
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing SA payload
May 21 11:55:27 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
May 21 11:55:27 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
May 21 11:55:27 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
May 21 11:55:27 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, Oakley proposal is acceptable
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing VID payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing VID payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, Received NAT-Traversal RFC VID
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing VID payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, Received NAT-Traversal ver 02 VID
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing VID payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, Received Fragmentation VID
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing VID payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing VID payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing VID payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing IKE SA payload
May 21 11:55:27 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
May 21 11:55:27 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
May 21 11:55:27 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
May 21 11:55:27 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, IKE SA Proposal # 1, Transform # 5 acceptable Matches global IKE entry # 4
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, constructing ISAKMP SA payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, constructing NAT-Traversal VID ver 02 payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, constructing Fragmentation VID + extended capabilities payload
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
SENDING PACKET to 11.11.11.11
ISAKMP Header
Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 124
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 52
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 40
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 1
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 32
Transform #: 5
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Group Description: Group 2
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 70 80
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 24
Data (In Hex):
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
c0 00 00 00
IKE Recv RAW packet dump
RECV PACKET from 11.11.11.11
ISAKMP Header
Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
Next Payload: Key Exchange
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 260
Payload Key Exchange
Next Payload: Nonce
Reserved: 00
Payload Length: 132
Data:
92 b1 95 89 49 47 2a 4e f7 e1 48 3c df 22 b6 f6
c1 db 3f a1 bf ea bb 74 41 06 69 80 25 6c 62 2c
5a 72 71 b5 08 1c 7f 5c e8 5f e7 e1 e2 8f 5b 3a
a6 d1 89 98 25 33 07 38 9a 0d 9a c5 4d 72 9d 63
c7 86 c6 eb d0 17 46 7b 26 db 44 00 6b 12 43 98
ea 42 36 7c 49 7b 57 9d 5a 44 5d b4 83 9a e0 ef
eb 84 a1 24 40 96 f5 8d e5 d9 98 bb fe f3 15 70
a5 fc da 2e 14 ba ee e7 0c 8b fb 32 f3 95 6c 6e
Payload Nonce
Next Payload: NAT-D
Reserved: 00
Payload Length: 52
Data:
77 3c 83 91 a8 98 13 7a 13 95 19 23 72 9b ba e0
fd 73 b7 d9 ed 0b fd 3f 87 48 9c 2e 06 14 64 94
ca 9c 89 30 3f ea c2 ce 45 a0 2a 31 7d 54 b1 26
Payload NAT-D
Next Payload: NAT-D
Reserved: 00
Payload Length: 24
Data:
cd 58 e6 70 5a a1 36 d0 7b d7 d1 0e e1 09 b4 f7
cf 04 94 95
Payload NAT-D
Next Payload: None
Reserved: 00
Payload Length: 24
Data:
6c 88 ce 83 9e ee c4 19 4c 7a 95 49 95 1b b2 c2
38 a7 dc 7f
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 260
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing ke payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing ISA_KE payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing nonce payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing NAT-Discovery payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, computing NAT Discovery hash
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, processing NAT-Discovery payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, computing NAT Discovery hash
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, constructing ke payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, constructing nonce payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, constructing Cisco Unity VID payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, constructing xauth V6 VID payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, Send IOS VID
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, constructing VID payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, constructing NAT-Discovery payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, computing NAT Discovery hash
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, constructing NAT-Discovery payload
May 21 11:55:27 [IKEv1 DEBUG]: IP = 11.11.11.11, computing NAT Discovery hash
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, Connection landed on tunnel_group DefaultRAGroup
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, Generating keys for Responder...
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
SENDING PACKET to 11.11.11.11
ISAKMP Header
Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
Next Payload: Key Exchange
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 304
Payload Key Exchange
Next Payload: Nonce
Reserved: 00
Payload Length: 132
Data:
93 89 b2 6c 96 e8 f7 9e 4d e6 ef 18 c8 70 77 f1
50 af c2 19 54 8f e3 dd b5 f4 da 92 37 84 55 e9
a2 cf 08 61 58 cc 66 f8 20 d2 8e 52 1a 6d 83 47
2d 80 a1 eb a6 49 5a ee ba f8 91 46 ef 83 00 f6
b7 6a b5 cc 44 1d 98 19 0a 17 9a 79 69 27 7a 37
75 3b bc 6c 11 c3 25 59 15 55 b2 e4 b6 86 bc 0e
e1 eb 51 d3 bc 5a 56 c4 81 02 32 04 4d 11 7b f0
43 dc 0c d1 17 fb 3d 79 bb 85 3f 37 0b 87 53 c0
Payload Nonce
Next Payload: Vendor ID
Reserved: 00
Payload Length: 24
Data:
17 e8 74 f3 b8 c6 e9 18 61 d6 a3 94 de f0 91 6c
84 57 1f 97
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 12
Data (In Hex): 09 00 26 89 df d6 b7 12
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
e3 30 11 38 d2 5b cf 6a d7 7e 80 9d a7 c6 bd 0d
Payload Vendor ID
Next Payload: NAT-D
Reserved: 00
Payload Length: 20
Data (In Hex):
1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00
Payload NAT-D
Next Payload: NAT-D
Reserved: 00
Payload Length: 24
Data:
39 7f 03 6e 3a b6 5b 50 cd 01 27 f1 f6 87 db b4
f7 1f 30 a8
Payload NAT-D
Next Payload: None
Reserved: 00
Payload Length: 24
Data:
cd 58 e6 70 5a a1 36 d0 7b d7 d1 0e e1 09 b4 f7
cf 04 94 95
RECV PACKET from 11.11.11.11
ISAKMP Header
Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (Encryption)
MessageID: 00000000
Length: 68
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (Encryption)
MessageID: 00000000
Length: 68
Payload Identification
Next Payload: Hash
Reserved: 00
Payload Length: 12
ID Type: IPv4 Address (1)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: 192.168.0.103
Payload Hash
Next Payload: None
Reserved: 00
Payload Length: 24
Data:
5a b3 ad 02 fa c7 f9 c0 13 63 42 f4 0d 05 2d 62
8c 2c 25 0c
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, processing ID payload
May 21 11:55:27 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 11.11.11.11, ID_IPV4_ADDR ID received
192.168.0.103
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, processing hash payload
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, Computing hash for ISAKMP
May 21 11:55:27 [IKEv1]: Group = DefaultRAGroup, IP = 11.11.11.11, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, Connection landed on tunnel_group DefaultRAGroup
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, constructing ID payload
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, constructing hash payload
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, Computing hash for ISAKMP
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, constructing dpd vid payload
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
ISAKMP Header
Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 469762048
Payload Identification
Next Payload: Hash
Reserved: 00
Payload Length: 12
ID Type: IPv4 Address (1)
Protocol ID (UDP/TCP, etc...): 17
Port: 0
ID Data: 213.197.60.178
Payload Hash
Next Payload: Vendor ID
Reserved: 00
Payload Length: 24
Data:
5a 52 1f de 2b 9e bc 16 80 b3 67 60 03 3e fe cd
fe 55 9c e0
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
SENDING PACKET to 11.11.11.11
ISAKMP Header
Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (Encryption)
MessageID: 00000000
Length: 84
RESERVED != 0, PACKET MAY BE CORRUPT
May 21 11:55:27 [IKEv1]: Group = DefaultRAGroup, IP = 11.11.11.11, PHASE 1 COMPLETED
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, Keep-alive type for this connection: None
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, Keep-alives configured on but peer does not support keep-alives (type = None)
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, Starting P1 rekey timer: 21600 seconds.
RECV PACKET from 11.11.11.11
ISAKMP Header
Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: 00000001
Length: 316
May 21 11:55:27 [IKEv1 DECODE]: IP = 11.11.11.11, IKE Responder starting QM: msg id = 00000001
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: 00000001
Length: 316
Payload Hash
Next Payload: Security Association
Reserved: 00
Payload Length: 24
Data:
c6 62 5b b3 8d c7 7c d9 ba 6d 74 af a7 8b bc 27
8f e0 08 eb
Payload Security Association
Next Payload: Nonce
Reserved: 00
Payload Length: 172
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 56
Proposal #: 1
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: 6c 4f 73 f5
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 44
Transform #: 1
Transform-Id: ESP_AES
Reserved2: 0000
Encapsulation Mode: UDP Transport
Key Length: 128
Authentication Algorithm: SHA1
Life Type: Seconds
Life Duration (Hex): 00 00 0e 10
Life Type: Kilobytes
Life Duration (Hex): 00 03 d0 90
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 52
Proposal #: 2
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: 6c 4f 73 f5
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: ESP_3DES
Reserved2: 0000
Encapsulation Mode: UDP Transport
Authentication Algorithm: SHA1
Life Type: Seconds
Life Duration (Hex): 00 00 0e 10
Life Type: Kilobytes
Life Duration (Hex): 00 03 d0 90
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 52
Proposal #: 3
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: 6c 4f 73 f5
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: ESP_DES
Reserved2: 0000
Encapsulation Mode: UDP Transport
Authentication Algorithm: SHA1
Life Type: Seconds
Life Duration (Hex): 00 00 0e 10
Life Type: Kilobytes
Life Duration (Hex): 00 03 d0 90
Payload Nonce
Next Payload: Identification
Reserved: 00
Payload Length: 52
Data:
1a 46 aa 1d 47 93 ce 0e a9 b8 a1 b8 1c 44 f1 6c
95 d4 e6 a3 e6 f2 aa 06 d0 54 e6 2b eb 4e 91 25
77 54 2c ba 11 b3 13 d6 b8 6a fc 4d c3 cd 22 a3
Payload Identification
Next Payload: Identification
Reserved: 00
Payload Length: 12
ID Type: IPv4 Address (1)
Protocol ID (UDP/TCP, etc...): 17
Port: 1701
ID Data: 192.168.0.103
Payload Identification
Next Payload: Private Use
Reserved: 00
Payload Length: 12
ID Type: IPv4 Address (1)
Protocol ID (UDP/TCP, etc...): 17
Port: 1701
ID Data: 213.197.60.178
Payload Private Use
Next Payload: None
Reserved: 00
Payload Length: 12
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (131) + NONE (0) total length : 312
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, processing hash payload
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, processing SA payload
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, processing nonce payload
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, processing ID payload
May 21 11:55:27 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 11.11.11.11, ID_IPV4_ADDR ID received
192.168.0.103
May 21 11:55:27 [IKEv1]: Group = DefaultRAGroup, IP = 11.11.11.11, Received remote Proxy Host data in ID Payload: Address 192.168.0.103, Protocol 17, Port 1701
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, processing ID payload
May 21 11:55:27 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 11.11.11.11, ID_IPV4_ADDR ID received
213.197.60.178
May 21 11:55:27 [IKEv1]: Group = DefaultRAGroup, IP = 11.11.11.11, Received local Proxy Host data in ID Payload: Address 213.197.60.178, Protocol 17, Port 1701
May 21 11:55:27 [IKEv1]: Group = DefaultRAGroup, IP = 11.11.11.11, L2TP/IPSec session detected.
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, processing NAT-Original-Address payload
May 21 11:55:27 [IKEv1]: Group = DefaultRAGroup, IP = 11.11.11.11, QM IsRekeyed old sa not found by addr
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
May 21 11:55:27 [IKEv1]: Group = DefaultRAGroup, IP = 11.11.11.11, IKE Remote Peer configured for crypto map: outside_dyn_map
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, processing IPSec SA payload
May 21 11:55:27 [IKEv1]: Group = DefaultRAGroup, IP = 11.11.11.11, All IPSec SA proposals found unacceptable!
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, sending notify message
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, constructing blank hash payload
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, constructing ipsec notify payload for msg id 1
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, constructing qm hash payload
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, IKE_DECODE SENDING Message (msgid=3c866194) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
ISAKMP Header
Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (none)
MessageID: 9461863C
Length: 469762048
Payload Hash
Next Payload: Notification
Reserved: 00
Payload Length: 24
Data:
47 6c 82 39 de 18 99 96 31 da 18 a8 6f a4 7e 89
63 1d 26 29
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 32
DOI: IPsec
Protocol-ID: PROTO_IPSEC_ESP
Spi Size: 16
Notify Type: NO_PROPOSAL_CHOSEN
SPI:
15 44 7b 15 f6 60 7f ec 16 f7 b6 25 d2 5a cf 6a
Data: 00 00 00 01
ISAKMP Header
Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: 3C866194
Length: 84
RESERVED != 0, PACKET MAY BE CORRUPT
May 21 11:55:27 [IKEv1]: Group = DefaultRAGroup, IP = 11.11.11.11, QM FSM error (P2 struct &0xd7a04e38, mess id 0x1)!
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, IKE QM Responder FSM error history (struct &0xd7a04e38)
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, sending delete/delete with reason message
May 21 11:55:27 [IKEv1]: Group = DefaultRAGroup, IP = 11.11.11.11, Removing peer from correlator table failed, no match!
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, IKE SA MM:25b6f716 rcv'd Terminate: state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 0
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, IKE SA MM:25b6f716 terminating: flags 0x01000002, refcnt 0, tuncnt 0
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, sending delete/delete with reason message
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, constructing blank hash payload
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, constructing IKE delete payload
May 21 11:55:27 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 11.11.11.11, constructing qm hash payload
May 21 11:55:27 [IKEv1]: IP = 11.11.11.11, IKE_DECODE SENDING Message (msgid=e4b9d029) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
ISAKMP Header
Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (none)
MessageID: 29D0B9E4
Length: 469762048
Payload Hash
Next Payload: Delete
Reserved: 00
Payload Length: 24
Data:
0c 0e 06 e4 b0 1b b1 b0 e1 0c ec 23 08 37 5f 13
1d db 35 3d
Payload Delete
Next Payload: None
Reserved: 00
Payload Length: 28
DOI: IPsec
Protocol-ID: PROTO_ISAKMP
Spi Size: 16
# of SPIs: 1
SPI (Hex dump):
15 44 7b 15 f6 60 7f ec 16 f7 b6 25 d2 5a cf 6a
ISAKMP Header
Initiator COOKIE: 15 44 7b 15 f6 60 7f ec
Responder COOKIE: 16 f7 b6 25 d2 5a cf 6a
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: E4B9D029
Length: 84
RESERVED != 0, PACKET MAY BE CORRUPT
May 21 11:55:27 [IKEv1]: Ignoring msg to mark SA with dsID 36864 dead because SA deleted
IKE Recv RAW packet dump
May 21 11:55:35 [IKEv1]: IP = 11.11.11.11, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
ISAKMP Header
Initiator COOKIE: 54 5c 33 cf cc a5 1b b9
Responder COOKIE: 63 83 71 06 12 ab 3e 4d
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 124
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 52
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 40
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 1
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 32
Transform #: 5
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Group Description: Group 2
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 70 80
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 24
Data (In Hex):
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
c0 00 00 00
May 21 11:55:43 [IKEv1]: IP = 11.11.11.11, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
May 21 11:55:51 [IKEv1]: IP = 11.11.11.11, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
May 21 11:55:59 [IKEv1 DEBUG]: IP = 11.11.11.11, IKE MM Responder FSM error history (struct &0xd7b288e8)
May 21 11:55:59 [IKEv1 DEBUG]: IP = 11.11.11.11, IKE SA MM:06718363 terminating: flags 0x01000002, refcnt 0, tuncnt 0
May 21 11:55:59 [IKEv1 DEBUG]: IP = 11.11.11.11, sending delete/delete with reason message
May 21 11:55:59 [IKEv1]: IP = 11.11.11.11, Removing peer from peer table failed, no match!
May 21 11:55:59 [IKEv1]: IP = 11.11.11.11, Error: Unable to remove PeerTblEntry
05-21-2010 04:07 AM
I changed the mode for 2 aes crypto transform-sets to transport. Still the same error 789....
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA mode transport
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA mode transport
05-21-2010 04:40 AM
Well, at least no phase 1 errors anymore.
Basically the ASA is saying that it's not choosing any of the proposals given.
Here is what is configured ....
-------
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
-------
Here is what is proposed:
-----
1) Payload Proposal
Protocol-Id: PROTO_IPSEC_ESP
Transform-Id: ESP_AES
Encapsulation Mode: UDP Transport
Key Length: 128
Authentication Algorithm: SHA1
2) Payload Proposal
Protocol-Id: PROTO_IPSEC_ESP
Transform-Id: ESP_3DES
Encapsulation Mode: UDP Transport
Authentication Algorithm: SHA1
3) Payload Proposal
Protocol-Id: PROTO_IPSEC_ESP
Transform-Id: ESP_DES
Encapsulation Mode: UDP Transport
Authentication Algorithm: SHA1
------------------
Please also check:
https://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html
I see you have PFS of 1 set; the default is 0.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2193372
nat-traversal missing?
https://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html#wp1046219
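The "All IPSec SA proposals found unacceptable" line above is the responder's proposal matching failing: the Windows 7 client offers ESP in UDP-encapsulated transport mode and sends no KE payload (so no PFS), while the dynamic map carried "set pfs group1" and the transform-sets were in tunnel mode. As an added example (not from the thread or from Cisco), here is a small Python model of that matching run over a constructed excerpt of the decode; the transform-set names and proposal fields come from the thread, while the dict layout, the PFS rule and the constructed excerpt are assumptions of this example.

```python
import re

# Constructed excerpt of the quick-mode offer from the thread's debug output
# (Windows 7 L2TP/IPsec client); no KE payload, so no PFS is offered.
OFFER = """\
IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (131) + NONE (0)
Payload Proposal
Transform-Id: ESP_AES
Encapsulation Mode: UDP Transport
Key Length: 128
Authentication Algorithm: SHA1
Payload Proposal
Transform-Id: ESP_3DES
Encapsulation Mode: UDP Transport
Authentication Algorithm: SHA1
"""
CIPHER = {"ESP_AES": "aes", "ESP_3DES": "3des", "ESP_DES": "des"}

def parse_offer(text):
    """Return (initiator_offers_pfs, [proposal dicts]) from the decoded log text."""
    pfs = bool(re.search(r"with payloads :.*\bKE\b", text))
    props = []
    for block in text.split("Payload Proposal")[1:]:
        f = dict(re.findall(r"^([^:\n]+): (.+)$", block, re.M))
        props.append({
            "cipher": CIPHER.get(f.get("Transform-Id"), f.get("Transform-Id")),
            "keylen": int(f.get("Key Length", 0)) or None,
            "hash": f.get("Authentication Algorithm", "").lower(),
            "mode": "transport" if "Transport" in f.get("Encapsulation Mode", "") else "tunnel"})
    return pfs, props

# Hypothetical model of the ASA transform-sets: tunnel mode (the default) versus
# "crypto ipsec transform-set NAME mode transport" as the thread ended up configuring.
TS_TUNNEL = {"ESP-AES-128-SHA": {"cipher": "aes", "keylen": 128, "hash": "sha1", "mode": "tunnel"},
             "ESP-3DES-SHA": {"cipher": "3des", "keylen": None, "hash": "sha1", "mode": "tunnel"}}
TS_TRANSPORT = {n: dict(t, mode="transport") for n, t in TS_TUNNEL.items()}

def choose(offer_text, transform_sets, asa_pfs_group=None):
    """Mimic the responder's selection (assumed model): a PFS requirement on the map
    with no KE from the client, or no transform-set matching cipher/keylen/hash/mode,
    yields the NO_PROPOSAL_CHOSEN seen in the log. Returns the set name or a reason."""
    pfs, props = parse_offer(offer_text)
    if asa_pfs_group and not pfs:
        return "rejected: map requires PFS group %d but client sent no KE payload" % asa_pfs_group
    for p in props:  # responder walks proposals in the order the client listed them
        for name, ts in transform_sets.items():
            if all(ts[k] == p[k] for k in ("cipher", "keylen", "hash", "mode")):
                return name
    return "rejected: NO_PROPOSAL_CHOSEN (no transform-set matches cipher/hash/mode)"
```

Running `choose(OFFER, TS_TUNNEL, asa_pfs_group=1)` reproduces the earlier failure even after the AES sets were switched to transport, and `choose(OFFER, TS_TRANSPORT)` without PFS selects ESP-AES-128-SHA, which is the state the thread reached.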
05-21-2010 05:24 AM
Thanks a lot. It's connecting now using Windows 7. I still have to configure the internal traffic, but I suppose I'll have to read the NAT traversal part?
Thanks again
m.
PS: I'll post my final show conf when everything is OK.
05-26-2010 06:36 AM
Hi.
I am trying the same as you and can't get it to work.
What did solve it for you?
Perhaps you have a working Configuration?
How did you setup the VPN client in Windows 7?
Did you make any changes to the Windows 7, IPSec settings or Firewall?
Best regards
M2
08-24-2011 10:24 PM
Hello dear,
I have the same problem. Would you please tell me how you figured your problem out?
Thank you