VPN3015 Debug output

g.schaarup
Level 1

Hi

Can you see from the following VPN3015 debug output what the problem is with the VPN LAN-to-LAN connection?

Thanks

Gert Schaarup

My VPN 3015 setup.

Digital Certificate: Preshared Keys

Authentication: ESP/SHA/HMAC-160

Encryption: 3DES-168

IKE Proposal: IKE-3DES-SHA-DH2

Remote VPN box:

IPsec protocol/encryption: esp-3des

IPsec protocol/Authentication: esp-sha-hmac

ISAKMP authentication: pre-share

ISAKMP identity: address

ISAKMP Diffie-Hellman group: 2 (1024 bits)

---------------------------------------

NB: When I compare the debug below with a debug of a VPN LAN-to-LAN that works, I see that "Received Altiga GW VID" is missing. Is this an issue?

Debug output:

-----------------------

SEV=4 IKE/41 RPT=3183 62.243.213.30 IKE Initiator: New Phase 1, Intf 2, IKE Peer 62.243.213.30 local Proxy Address 195.7.21.10, remote Proxy Address 192.168.141.0, SA (L2L: LokalForsikring)

SEV=9 IKEDBG/0 RPT=12001 62.243.213.30 constructing ISA_SA for isakmp

SEV=9 IKEDBG/46 RPT=181 62.243.213.30 constructing Fragmentation VID + extended capabilities payload

SEV=8 IKEDBG/0 RPT=12002 62.243.213.30 SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) total length : 104

SEV=8 IKEDECODE/0 RPT=6757 62.243.213.30 ISAKMP HEADER : ( Version 1.0 ) Initiator Cookie(8): C5 47 EA A5 A0 3A E4 6C Responder Cookie(8): BD 7B D7 00 48 F8 8A BE Next Payload : SA (1) Exchange Type : Oakley Main Mode Flags : 0 Message ID : 0 Length : 80

SEV=8 IKEDBG/0 RPT=12003 62.243.213.30 RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 80

SEV=8 IKEDBG/0 RPT=12004 62.243.213.30 RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 80

SEV=9 IKEDBG/0 RPT=12005 62.243.213.30 processing SA payload

SEV=8 IKEDECODE/0 RPT=6758 62.243.213.30 SA Payload Decode : DOI : IPSEC (1) Situation : Identity Only (1) Length : 52

SEV=8 IKEDECODE/0 RPT=6759 62.243.213.30 Proposal Decode: Proposal # : 1 Protocol ID : ISAKMP (1) #of Transforms: 1 Length : 40

SEV=8 IKEDECODE/0 RPT=6760 62.243.213.30 Transform # 1 Decode for Proposal # 1: Transform # : 1 Transform ID : IKE (1) Length : 32

IKEDECODE/0 RPT=6761 62.243.213.30 Phase 1 SA Attribute Decode for Transform # 1: Encryption Alg: Triple-DES (5) Hash Alg : SHA (2) DH Group : Oakley Group 2 (2) Auth Method : Preshared Key (1) Life Time : 28800 seconds

SEV=12 IKEDECODE/0 RPT=6762 IKE Decode of received SA attributes follows: 0000: 80010005 80020002 80040002 80030001 ................ 0010: 800B0001 800C7080 ......p.

SEV=7 IKEDBG/0 RPT=12006 62.243.213.30 Oakley proposal is acceptable

SEV=9 IKEDBG/0 RPT=12007 62.243.213.30 constructing ke payload

SEV=9 IKEDBG/1 RPT=604 62.243.213.30 constructing nonce payload

SEV=9 IKEDBG/46 RPT=182 62.243.213.30 constructing Cisco Unity VID payload

SEV=9 IKEDBG/46 RPT=183 62.243.213.30 constructing xauth V6 VID payload

SEV=9 IKEDBG/48 RPT=50 62.243.213.30 Send IOS VID

SEV=9 IKEDBG/38 RPT=26 62.243.213.30 Constructing VPN 3000 spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)

SEV=9 IKEDBG/46 RPT=184 62.243.213.30 constructing VID payload

SEV=9 IKEDBG/48 RPT=51 62.243.213.30 Send Altiga GW VID

SEV=8 IKEDBG/0 RPT=12008 62.243.213.30 SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) total length : 256

SEV=8 IKEDECODE/0 RPT=6763 62.243.213.30 ISAKMP HEADER : ( Version 1.0 ) Initiator Cookie(8): C5 47 EA A5 A0 3A E4 6C Responder Cookie(8): BD 7B D7 00 48 F8 8A BE Next Payload : KE (4) Exchange Type : Oakley Main Mode Flags : 0 Message ID : 0 Length : 256

SEV=8 IKEDBG/0 RPT=12009 62.243.213.30 RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256

SEV=8 IKEDBG/0 RPT=12010 62.243.213.30 RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256

SEV=9 IKEDBG/0 RPT=12011 62.243.213.30 processing ke payload

SEV=9 IKEDBG/0 RPT=12012 62.243.213.30 processing ISA_KE

SEV=9 IKEDBG/1 RPT=605 62.243.213.30 processing nonce payload

SEV=9 IKEDBG/47 RPT=119 62.243.213.30 processing VID payload

SEV=9 IKEDBG/49 RPT=106 62.243.213.30 Received xauth V6 VID

SEV=9 IKEDBG/47 RPT=120 62.243.213.30 processing VID payload

SEV=9 IKEDBG/49 RPT=107 62.243.213.30 Received DPD VID

SEV=9 IKEDBG/47 RPT=121 62.243.213.30 processing VID payload

SEV=9 IKEDBG/49 RPT=108 62.243.213.30 Received Cisco Unity client VID

SEV=9 IKEDBG/47 RPT=122 62.243.213.30 processing VID payload

SEV=9 IKEDBG/38 RPT=27 62.243.213.30 Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000025)

SEV=9 IKEDBG/0 RPT=12013 62.243.213.30 Generating keys for Initiator...

SEV=9 IKEDBG/1 RPT=606 62.243.213.30 Group [62.243.213.30] constructing ID

SEV=9 IKEDBG/0 RPT=12014 Group [62.243.213.30] construct hash payload

SEV=9 IKEDBG/0 RPT=12015 62.243.213.30 Group [62.243.213.30] computing hash

SEV=9 IKEDBG/34 RPT=13 62.243.213.30 Constructing IOS keep alive payload: proposal=32767/32767 sec.

SEV=9 IKEDBG/46 RPT=185 62.243.213.30 Group [62.243.213.30] constructing dpd vid payload

SEV=8 IKEDBG/0 RPT=12016 62.243.213.30 SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) total length : 96

SEV=7 IPSECDBG/10 RPT=20 IPSEC ipsec_output() can call key_acquire() because 1 seconds have elapsed since last IKE negotiation began (src 0xc307150a, dst 0x01beb224)

SEV=7 IPSECDBG/14 RPT=20 Sending KEY_ACQUIRE to IKE for src 195.7.21.10, dst 192.168.141.17

SEV=8 IKEDBG/0 RPT=12017 pitcher: received a key acquire message!

SEV=7 IKEDBG/13 RPT=22 Tunnel negotiation in progress for destination 62.243.213.30, discarding data

SEV=7 IPSECDBG/10 RPT=21 IPSEC ipsec_output() can call key_acquire() because 1 seconds have elapsed since last IKE negotiation began (src 0xc307150a, dst 0x01beb224)

SEV=7 IPSECDBG/14 RPT=21 Sending KEY_ACQUIRE to IKE for src 195.7.21.10, dst 192.168.141.17

SEV=8 IKEDBG/0 RPT=12018 pitcher: received a key acquire message!

SEV=7 IKEDBG/13 RPT=23 Tunnel negotiation in progress for destination 62.243.213.30, discarding data

6 Replies

gfullage
Cisco Employee

The message you're not seeing shouldn't be an issue, probably just a difference between versions.

We can't see what the problem is from this output, things seem to be going along well and then it just stops. Looks like the traffic isn't getting through to the peer, or the peer isn't responding for some reason. Can you get the similar debug from the other side?

Along these lines, is the far end device behind a firewall or NAT/PAT device? If so and it doesn't support IPSec pass-thru, that could break things. Even if it does, sometimes when opening firewall policies to support IPSec people will allow TCP and/or UDP port 50 instead of IP protocol 50, so that's another thing to check.
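As an added illustration of the diagnosis above (this is not code from the thread or from Cisco), a small Python parser over the concentrator's IKEDBG SENDING/RECEIVED lines that counts the Main Mode messages and reports which step the peer never answered. The sample log lines, the placeholder addresses and the hint text are my constructions.

```python
import re

# Added example, not from the thread: find where an IKEv1 Main Mode negotiation stalls in
# VPN 3000 Concentrator IKEDBG output. Log lines are constructed (placeholder addresses),
# shaped like the debug posted above, including the doubled RECEIVED line per inbound message.
SAMPLE_LOG = """\
SEV=8 IKEDBG/0 RPT=2 10.0.0.2 SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) total length : 104
SEV=8 IKEDBG/0 RPT=3 10.0.0.2 RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 80
SEV=8 IKEDBG/0 RPT=4 10.0.0.2 RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 80
SEV=7 IKEDBG/0 RPT=5 10.0.0.2 Oakley proposal is acceptable
SEV=8 IKEDBG/0 RPT=6 10.0.0.2 SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) total length : 256
SEV=8 IKEDBG/0 RPT=7 10.0.0.2 RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + NONE (0) total length : 256
SEV=8 IKEDBG/0 RPT=8 10.0.0.2 SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) total length : 96
SEV=7 IKEDBG/13 RPT=9 Tunnel negotiation in progress for destination 10.0.0.2, discarding data
"""

MSG_RE = re.compile(r"(SENDING|RECEIVED) Message \(msgid=(\d+)\) with payloads : (.+?) total length : \d+")

# What an unanswered message at a given Main Mode step tells the troubleshooter (my wording).
STALL_HINTS = {
    1: "MM1 unanswered: no UDP/500 path to the peer, or no IKE listener there",
    5: "MM5 unanswered: peer answered MM1-4 so the path works; get the peer's debug for its MM5 handling",
}

def parse_messages(log_text):
    """Return [(direction, msgid, payload names)], HDR/NONE dropped, duplicate RECEIVED lines collapsed."""
    msgs = []
    for line in log_text.splitlines():
        if m := MSG_RE.search(line):
            direction, msgid, payloads = m.groups()
            names = (p.strip().split(" (")[0] for p in payloads.split("+"))
            entry = (direction, int(msgid), tuple(n for n in names if n not in ("HDR", "NONE")))
            if not msgs or msgs[-1] != entry:  # the concentrator logs each inbound message twice
                msgs.append(entry)
    return msgs

def diagnose_phase1(log_text):
    """Summarise the Main Mode (msgid=0) exchange and report the step the peer never answered."""
    phase1 = [m for m in parse_messages(log_text) if m[1] == 0]
    report = {
        "messages": len(phase1),
        "proposal_accepted": "Oakley proposal is acceptable" in log_text,
        "discarded_data_events": log_text.count("discarding data"),
        "stalled": bool(phase1) and phase1[-1][0] == "SENDING",
    }
    if report["stalled"]:
        step = len(phase1)  # the nth Main Mode message is the one left unanswered
        report["last_sent"] = phase1[-1][2]
        report["hint"] = STALL_HINTS.get(step, f"MM{step} unanswered")
    return report
```

Run against the thread's own debug (pasted into SAMPLE_LOG), it reports a stall at MM5 after a successful proposal and key exchange, which is the "going along well and then it just stops" pattern described in the reply.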

Hi Dana

Thanks for the answer/comments. Unfortunately the "far" end never told me what they did to solve the problem. But it would have been nice if it was possible to get some kind of clue from the debug output about what was wrong.

Regards.

Gert

ipotts
Level 1

Would you please tell me what command you entered to get such excellent debug from a VPN3000? I can't get past the menu system.

Many Thanks

Hi Ian

Sure, but not with commands; it is done through the GUI.

On the VPN3015 HTTP GUI "Concentrator Series Manager", click/go to "System", then "Event", and then "Classes". Here you define/add the events you would like to see in the log, on the console, on a Syslog server, in an e-mail, or even as a trap.

The quick and easy way is to send it to the log, and then view it by clicking on "Monitoring" and then either "Filterable Event Log" or "Live Event Log".

Good luck.

Thank you for your help.