Troubleshooting VPN Client access on Cisco IOS

Sep 5, 2010 2:34 PM
Troubleshooting VPN client on Cisco routers
Start with "debug crypto isakmp".
Here are a few notes to help understand the debug output.
Packet received from the Mac client:
ISAKMP (0:0): received packet from 77.43.61.233 dport 500 sport 500 Global (N) NEW SA
ISAKMP: Created a peer struct for 77.43.61.233, peer port 500          <---- NAT will be specified later
ISAKMP: New peer created peer = 0x828BCC28 peer_handle = 0x80000020
ISAKMP: Locking peer struct 0x828BCC28, refcount 1 for crypto_isakmp_process_block
ISAKMP:(0):Setting client config settings 837C2CFC
ISAKMP:(0):(Re)Setting client xauth list  and state
ISAKMP/xauth: initializing AAA request
ISAKMP: local port 500, remote port 500
insert sa successfully sa = 83B11D30
ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing ID payload. message ID = 0
ISAKMP (0:0): ID payload
         next-payload : 13
         type         : 11
         group id     : KBH
        protocol     : 0                         <------- No UDP used
         port         : 0

         length       : 11
ISAKMP:(0):: peer matches *none* of the profiles
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0:0): vendor ID is NAT-T RFC 3947
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 198 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 29 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP (0:0): vendor ID is NAT-T v7
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 114 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 227 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 250 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
ISAKMP:(0): vendor ID is XAUTH
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is Unity
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is DPD
ISAKMP:(0): Authentication by xauth preshared               <------- Defined by crypto isakmp policy
IOS processing packet
ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 3600                    <--- Preferred client settings. Good idea to define this isakmp policy first
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 256
ISAKMP:      auth XAUTHInitPreShared
ISAKMP:      hash SHA
ISAKMP:      default group 2

ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 3600
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      auth XAUTHInitPreShared
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 3600
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 256
ISAKMP:      auth XAUTHInitPreShared
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 3600
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      auth XAUTHInitPreShared
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
ISAKMP:      life type in seconds                              >---- Match found
ISAKMP:      life duration (basic) of 3600
ISAKMP:      encryption 3DES-CBC
ISAKMP:      auth XAUTHInitPreShared
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:(0):atts are acceptable. Next payload is 3

ISAKMP:(0):Acceptable atts:actual life: 86400
ISAKMP:(0):Acceptable atts:life: 0
ISAKMP:(0):Basic life_in_seconds:3600
ISAKMP:(0):Returning Actual lifetime: 3600
ISAKMP:(0)::Started lifetime timer: 3600.

ISAKMP:(0): processing KE payload. message ID = 0
ISAKMP:(0): processing NONCE payload. message ID = 0
ISAKMP (0:0): vendor ID is NAT-T RFC 3947
ISAKMP (0:0): vendor ID is NAT-T v7
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

ISAKMP:(2008):purging node -709445023
ISAKMP:(2010): constructed NAT-T vendor-rfc3947 ID               >----- Authentication phase 1 begins
ISAKMP:(2010):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
ISAKMP (0:2010): ID payload
         next-payload : 10
         type         : 1
         address      : 91.74.158.78
         protocol     : 0
         port         : 0
         length       : 12
ISAKMP:(2010):Total payload length: 12
ISAKMP:(2010): sending packet to 77.43.61.233 my_port 500 peer_port 500 (R) AG_INIT_EXCH
ISAKMP:(2010):Sending an IKE IPv4 Packet.
ISAKMP:(2010):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
ISAKMP:(2010):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2

ISAKMP (0:2010): received packet from 77.43.61.233 dport 4500 sport 4500 Global (R) AG_INIT_EXCH
ISAKMP:(2010): processing HASH payload. message ID = 0
ISAKMP:received payload type 20
ISAKMP:received payload type 20
ISAKMP (0:2010): NAT found, the node outside NAT
ISAKMP:(2010): processing NOTIFY INITIAL_CONTACT protocol 1
         spi 0, message ID = 0, sa = 83B11D30
ISAKMP:(2010):SA authentication status:
         authenticated
ISAKMP:(2010):SA has been authenticated with 77.43.61.233
ISAKMP:(2010):Detected port,floating to port = 4500
ISAKMP: Trying to find existing peer 91.74.158.78/77.43.61.233/4500/
ISAKMP:(2010):SA authentication status:
         authenticated
ISAKMP:(2010): Process initial contact,
bring down existing phase 1 and 2 SA's with local 91.74.158.78 remote 77.43.61.233 remote port 4500
ISAKMP:(2010):returning IP addr to the address pool
ISAKMP: Trying to insert a peer 91.74.158.78/77.43.61.233/4500/,  and inserted successfully 828BCC28.
ISAKMP:(2010):Returning Actual lifetime: 3600
ISAKMP: set new node -1715788723 to CONF_XAUTH
ISAKMP:(2010):Sending NOTIFY RESPONDER_LIFETIME protocol 1
         spi 2204213848, message ID = -1715788723
ISAKMP:(2010): sending packet to 77.43.61.233 my_port 4500 peer_port 4500 (R) QM_IDLE
ISAKMP:(2010):Sending an IKE IPv4 Packet.
ISAKMP:(2010):purging node -1715788723
ISAKMP: Sending phase 1 responder lifetime 3600

ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
ISAKMP:(2010):Old State = IKE_R_AM2  New State = IKE_P1_COMPLETE               <----- Authentication complete
ISAKMP:(2010):Need XAUTH                    <----- Will ask for username/password
ISAKMP: set new node 422655679 to CONF_XAUTH
ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
ISAKMP:(2010): initiating peer config to 77.43.61.233. ID = 422655679
ISAKMP:(2010): sending packet to 77.43.61.233 my_port 4500 peer_port 4500 (R) CONF_XAUTH
ISAKMP:(2010):Sending an IKE IPv4 Packet.
ISAKMP:(2010):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(2010):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT


ISAKMP (0:2010): received packet from 77.43.61.233 dport 4500 sport 4500 Global (R) CONF_XAUTH          <--- successfully received from Client
ISAKMP:(2010):processing transaction payload from 77.43.61.233. message ID = 422655679
ISAKMP: Config payload REPLY
ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
ISAKMP:(2010):deleting node 422655679 error FALSE reason "Done with xauth request/reply exchange"
ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
ISAKMP:(2010):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT

ISAKMP: set new node -1850841249 to CONF_XAUTH
ISAKMP:(2010): initiating peer config to 77.43.61.233. ID = -1850841249
ISAKMP:(2010): sending packet to 77.43.61.233 my_port 4500 peer_port 4500 (R) CONF_XAUTH
ISAKMP:(2010):Sending an IKE IPv4 Packet.
ISAKMP:(2010):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
ISAKMP:(2010):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT  New State = IKE_XAUTH_SET_SENT

ISAKMP (0:2010): received packet from 77.43.61.233 dport 4500 sport 4500 Global (R) CONF_XAUTH
ISAKMP:(2010):processing transaction payload from 77.43.61.233. message ID = -1850841249
ISAKMP: Config payload ACK
ISAKMP:(2010):       XAUTH ACK Processed
ISAKMP:(2010):deleting node -1850841249 error FALSE reason "Transaction mode done"
ISAKMP:(2010):Talking to a Unity Client
ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
ISAKMP:(2010):Old State = IKE_XAUTH_SET_SENT  New State = IKE_P1_COMPLETE

ISAKMP:(2010):IKE_DPD is enabled, initializing timers
ISAKMP:(2010):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(2010):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
ISAKMP (0:2010): received packet from 77.43.61.233 dport 4500 sport 4500 Global (R) QM_IDLE          <----- Client sends configuration options
ISAKMP: set new node -1447433926 to QM_IDLE
ISAKMP:(2010):processing transaction payload from 77.43.61.233. message ID = -1447433926
ISAKMP: Config payload REQUEST
ISAKMP:(2010):checking request:
ISAKMP:    IP4_ADDRESS
ISAKMP:    IP4_NETMASK
ISAKMP:    IP4_DNS
ISAKMP:    IP4_NBNS
ISAKMP:    ADDRESS_EXPIRY
ISAKMP:    APPLICATION_VERSION
ISAKMP:    MODECFG_BANNER
ISAKMP:    DEFAULT_DOMAIN
ISAKMP:    SPLIT_DNS
ISAKMP:    SPLIT_INCLUDE
ISAKMP:    INCLUDE_LOCAL_LAN
ISAKMP:    PFS
ISAKMP:    MODECFG_SAVEPWD
ISAKMP:    FW_RECORD
ISAKMP:    BACKUP_SERVER
ISAKMP:    MODECFG_BROWSER_PROXY
ISAKMP/author: Author request for group KBHsuccessfully sent to AAA
ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
ISAKMP:(2010):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_AUTHOR_AAA_AWAIT

ISAKMP:(2010):attributes sent in message:               <------ IOS processes options
         Address: 0.2.0.0
ISAKMP:(2010):allocating address 192.168.0.6
ISAKMP: Sending private address: 192.168.0.6
ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the address: 3593          <---- seven seconds elapsed
ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(15)T14, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 17-Aug-10 23:19 by prod_rel_team
ISAKMP: Sending split include name acl-split network 192.168.0.0 mask 255.255.0.0 protocol 0, src port 0, dst port 0     <---- Split tunnel ACL

ISAKMP: Sending save password reply value 1
ISAKMP:(2010): responding to peer config from 77.43.61.233. ID = -1447433926
ISAKMP: Marking node -1447433926 for late deletion
ISAKMP:(2010): sending packet to 77.43.61.233 my_port 4500 peer_port 4500 (R) CONF_ADDR
ISAKMP:(2010):Sending an IKE IPv4 Packet.
ISAKMP:(2010):Talking to a Unity Client
ISAKMP:(2010):Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR
ISAKMP:(2010):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT  New State = IKE_P1_COMPLETE

ISAKMP:(2010):IKE_DPD is enabled, initializing timers
ISAKMP:(2010):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(2010):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

ISAKMP (0:2010): received packet from 77.43.61.233 dport 4500 sport 4500 Global (R) QM_IDLE     <--------- IOS processes IPsec options
ISAKMP: set new node -225717927 to QM_IDLE
ISAKMP:(2010): processing HASH payload. message ID = -225717927
ISAKMP:(2010): processing SA payload. message ID = -225717927
ISAKMP:(2010):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 3600
ISAKMP:      encaps is 3 (Tunnel-UDP)
ISAKMP:      key length is 256
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:(2010):atts are acceptable.
ISAKMP:(2010):Checking IPSec proposal 1
ISAKMP: transform 2, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 3600               > Client preferred transform set
ISAKMP:      encaps is 3 (Tunnel-UDP)
ISAKMP:      key length is 256
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:(2010):atts are acceptable.
ISAKMP:(2010):Checking IPSec proposal 1
ISAKMP: transform 3, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 3600
ISAKMP:      encaps is 3 (Tunnel-UDP)
ISAKMP:      key length is 128
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:(2010):atts are acceptable.
ISAKMP:(2010):Checking IPSec proposal 1
ISAKMP: transform 4, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 3600
ISAKMP:      encaps is 3 (Tunnel-UDP)
ISAKMP:      key length is 128
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:(2010):atts are acceptable.
ISAKMP:(2010):Checking IPSec proposal 1
ISAKMP: transform 5, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 3600
ISAKMP:      encaps is 3 (Tunnel-UDP)
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:(2010):atts are acceptable.
ISAKMP:(2010):Checking IPSec proposal 1               <----- Match found. Good idea to adjust transform-set for earlier match
ISAKMP: transform 6, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 3600
ISAKMP:      encaps is 3 (Tunnel-UDP)
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:(2010):atts are acceptable.
ISAKMP:(2010): IPSec policy invalidated proposal with error 256
ISAKMP:(2010): IPSec policy invalidated proposal with error 256
ISAKMP:(2010): IPSec policy invalidated proposal with error 256
ISAKMP:(2010): IPSec policy invalidated proposal with error 256
ISAKMP:(2010): processing NONCE payload. message ID = -225717927
ISAKMP:(2010): processing ID payload. message ID = -225717927
ISAKMP:(2010): processing ID payload. message ID = -225717927
ISAKMP:(2010):QM Responder gets spi
ISAKMP:(2010):Node -225717927, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(2010):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
ISAKMP:(2010):deleting node -1447433926 error FALSE reason "No Error"
ISAKMP:(2010): Creating IPSec SAs
         inbound SA from 77.43.61.233 to 91.74.158.78 (f/i)  0/ 0
         (proxy 192.168.0.6 to 192.168.0.0)
         has spi 0xDE845FB7 and conn_id 0
         lifetime of 3600 seconds
         outbound SA from 91.74.158.78 to 77.43.61.233 (f/i) 0/0
         (proxy 192.168.0.0 to 192.168.0.6)
         has spi  0x5D47723 and conn_id 0
         lifetime of 3600 seconds

ISAKMP:(2010): sending packet to 77.43.61.233 my_port 4500 peer_port 4500 (R) QM_IDLE          <----- Successfully created SA
ISAKMP:(2010):Sending an IKE IPv4 Packet.
ISAKMP:(2010):Node -225717927, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
ISAKMP:(2010):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
Sep  5 19:23:40: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  .  Peer 77.43.61.233:4500       Id: KBH

ISAKMP (0:2010): received packet from 77.43.61.233 dport 4500 sport 4500 Global (R) QM_IDLE     <--- Ack from Client
ISAKMP:(2010):deleting node -225717927 error FALSE reason "QM done (await)"
ISAKMP:(2010):Node -225717927, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(2010):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
ISAKMP:(2008):purging SA., sa=83B13C74, delme=83B13C74

ISAKMP (0:2010): received packet from 77.43.61.233 dport 4500 sport 4500 Global (R) QM_IDLE     <---- Periodic keepalive
ISAKMP: set new node -1189760534 to QM_IDLE
ISAKMP:(2010): processing HASH payload. message ID = -1189760534
ISAKMP:(2010): processing NOTIFY DPD/R_U_THERE protocol 1
         spi 0, message ID = -1189760534, sa = 83B11D30
ISAKMP:(2010):deleting node -1189760534 error FALSE reason "Informational (in) state 1"
ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
ISAKMP:(2010):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

ISAKMP:(2010):DPD/R_U_THERE received from peer 77.43.61.233, sequence 0x454
ISAKMP: set new node 404780297 to QM_IDLE
ISAKMP:(2010):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
         spi 2204214032, message ID = 404780297
ISAKMP:(2010): seq. no 0x454
ISAKMP:(2010): sending packet to 77.43.61.233 my_port 4500 peer_port 4500 (R) QM_IDLE
ISAKMP:(2010):Sending an IKE IPv4 Packet.
ISAKMP:(2010):purging node 404780297
ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
ISAKMP:(2010):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

ISAKMP (0:2010): received packet from 77.43.61.233 dport 4500 sport 4500 Global (R) QM_IDLE
ISAKMP: set new node -630171406 to QM_IDLE
ISAKMP:(2010): processing HASH payload. message ID = -630171406
ISAKMP:(2010): processing DELETE payload. message ID = -630171406
ISAKMP:(2010):peer does not do paranoid keepalives.

ISAKMP:(2010):peer does not do paranoid keepalives.
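
Added example, not part of the original document: a small Python parser for the phase 1 part of "debug crypto isakmp" output like the trace above. It lists each transform the router checked, reports when the accepted transform is weaker than one the client offered and the policy rejected (here 3DES was chosen although AES-256 was offered), and prints the state path. The function names and the cipher ordering are assumptions made for this illustration, and the sample is constructed from a few lines in the format shown above.

```python
import re

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"^ISAKMP:\s+(encryption|hash|auth|default group|keylength of)\s+(\S+)")
VERDICT = re.compile(r"atts are (not )?acceptable")
REASON = re.compile(r"ISAKMP:\(\d+\):\s*(.+ does not match policy!)")
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
NOTE = re.compile(r"\s{2,}[<>]-*\s.*$")  # trailing "<---- note" annotations
KEYS = {"default group": "group", "keylength of": "keylength"}

# Constructed sample: abridged lines in the format of the debug output above.
SAMPLE = """\
ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 3600
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 256
ISAKMP:      auth XAUTHInitPreShared
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
ISAKMP:      life type in seconds                              >---- Match found
ISAKMP:      life duration (basic) of 3600
ISAKMP:      encryption 3DES-CBC
ISAKMP:      auth XAUTHInitPreShared
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:(0):atts are acceptable. Next payload is 3
ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT
ISAKMP:(2010):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2
ISAKMP:(2010):Old State = IKE_R_AM2  New State = IKE_P1_COMPLETE
"""

def parse_phase1(text):
    """Return one dict per 'Checking ISAKMP transform' block, in log order."""
    checks, cur = [], None
    for raw in text.splitlines():
        line = NOTE.sub("", raw).rstrip()  # drop the author's inline notes
        m = CHECK.search(line)
        if m:
            cur = {"transform": int(m.group(1)), "priority": int(m.group(2)),
                   "accepted": None, "reason": None}
            checks.append(cur)
        elif cur is None or cur["accepted"] is not None:
            continue  # not inside an open transform block
        elif (m := ATTR.match(line)):
            cur[KEYS.get(m.group(1), m.group(1))] = m.group(2)
        elif (m := REASON.search(line)):
            cur["reason"] = m.group(1)
        elif (m := VERDICT.search(line)):
            cur["accepted"] = m.group(1) is None
    return checks

def strength(check):
    """Coarse ordering assumed here: AES by key size, then 3DES, then the rest."""
    enc = check.get("encryption", "")
    if enc.startswith("AES"):
        return 1000 + int(check.get("keylength", 128))
    return 100 if enc.startswith("3DES") else 0

def describe(check):
    enc = check.get("encryption", "?")
    if "keylength" in check:
        enc += "-" + check["keylength"]
    return f"{enc}/{check.get('hash', '?')}/group{check.get('group', '?')}"

def downgrade_report(checks):
    """Compare the accepted transform with stronger ones the policy rejected."""
    accepted = [c for c in checks if c["accepted"]]
    if not accepted:
        return {"chosen": None, "stronger_rejected": []}
    chosen = accepted[0]
    stronger = [describe(c) for c in checks
                if c["accepted"] is False and strength(c) > strength(chosen)]
    return {"chosen": describe(chosen),
            "stronger_rejected": list(dict.fromkeys(stronger))}

def state_path(text):
    """Ordered IKE states seen in the log (single session assumed)."""
    path = []
    for old, new in STATE.findall(text):
        if not path:
            path.append(old)
        if new != path[-1]:
            path.append(new)
    return path

if __name__ == "__main__":
    print(downgrade_report(parse_phase1(SAMPLE)))
    print(" -> ".join(state_path(SAMPLE)))
```

A non-empty "stronger_rejected" list means the router's ISAKMP policy, not the client, is what limits the negotiated cipher.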

Debugs from Cisco VPN Client 5.0.6


ISAKMP (0:0): received packet from 93.40.99.100 dport 500 sport 64827 Global (N) NEW SA
ISAKMP: Created a peer struct for 93.40.99.100, peer port 64827
ISAKMP: New peer created peer = 0x832FC670 peer_handle = 0x8000002D
ISAKMP: Locking peer struct 0x832FC670, refcount 1 for crypto_isakmp_process_block
ISAKMP:(0):Setting client config settings 828C0EBC
ISAKMP:(0):(Re)Setting client xauth list  and state
ISAKMP/xauth: initializing AAA request
ISAKMP: local port 500, remote port 64827
insert sa successfully sa = 828BBC8C
ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing ID payload. message ID = 0
ISAKMP (0:0): ID payload
         next-payload : 13
         type         : 11
         group id     : KBH
         protocol     : 17
         port         : 500
         length       : 11
ISAKMP:(0):: peer matches *none* of the profiles
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
ISAKMP:(0): vendor ID is XAUTH
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is DPD
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): processing IKE frag vendor id payload
ISAKMP:(0):Support for IKE Fragmentation not enabled
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is Unity
ISAKMP:(0): Authentication by xauth preshared
ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth XAUTHInitPreShared
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:      keylength of 256
ISAKMP:(0):atts are acceptable. Next payload is 3
ISAKMP:(0):Acceptable atts:actual life: 86400
ISAKMP:(0):Acceptable atts:life: 0
ISAKMP:(0):Fill atts in sa vpi_length:4
ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
ISAKMP:(0):Returning Actual lifetime: 86400
ISAKMP:(0)::Started lifetime timer: 86400.

ISAKMP:(0): processing KE payload. message ID = 0
ISAKMP:(0): processing NONCE payload. message ID = 0
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

ISAKMP:(2013): constructed NAT-T vendor-02 ID
ISAKMP:(2013):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
ISAKMP (0:2013): ID payload
         next-payload : 10
         type         : 1
         address      : 91.74.158.78
         protocol     : 0
         port         : 0
         length       : 12
ISAKMP:(2013):Total payload length: 12
ISAKMP:(2013): sending packet to 93.40.99.100 my_port 500 peer_port 64827 (R) AG_INIT_EXCH
ISAKMP:(2013):Sending an IKE IPv4 Packet.
ISAKMP:(2013):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
ISAKMP:(2013):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2

ISAKMP (0:2013): received packet from 93.40.99.100 dport 4500 sport 64828 Global (R) AG_INIT_EXCH
ISAKMP:(2013): processing HASH payload. message ID = 0
ISAKMP:(2013): processing NOTIFY INITIAL_CONTACT protocol 1
         spi 0, message ID = 0, sa = 828BBC8C
ISAKMP:received payload type 20
ISAKMP:received payload type 20
ISAKMP (0:2013): NAT found, the node outside NAT
ISAKMP:(2013):SA authentication status:
         authenticated
ISAKMP:(2013):SA has been authenticated with 93.40.99.100
ISAKMP:(2013):Detected port,floating to port = 64828
ISAKMP: Trying to find existing peer 91.74.158.78/93.40.99.100/64828/
ISAKMP:(2013):SA authentication status:
         authenticated
ISAKMP:(2013): Process initial contact,
bring down existing phase 1 and 2 SA's with local 91.74.158.78 remote 93.40.99.100 remote port 64828
ISAKMP:(2013):returning IP addr to the address pool
ISAKMP: Trying to insert a peer 91.74.158.78/93.40.99.100/64828/,  and inserted successfully 832FC670.
ISAKMP:(2013):Returning Actual lifetime: 86400
ISAKMP: set new node 1152932245 to CONF_XAUTH
ISAKMP:(2013):Sending NOTIFY RESPONDER_LIFETIME protocol 1
         spi 2204213848, message ID = 1152932245
ISAKMP:(2013): sending packet to 93.40.99.100 my_port 4500 peer_port 64828 (R) QM_IDLE
ISAKMP:(2013):Sending an IKE IPv4 Packet.
ISAKMP:(2013):purging node 1152932245
ISAKMP: Sending phase 1 responder lifetime 86400

ISAKMP:(2013):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
ISAKMP:(2013):Old State = IKE_R_AM2  New State = IKE_P1_COMPLETE

ISAKMP:(2013):Need XAUTH
ISAKMP: set new node -1279173715 to CONF_XAUTH
ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
ISAKMP:(2013): initiating peer config to 93.40.99.100. ID = -1279173715
ISAKMP:(2013): sending packet to 93.40.99.100 my_port 4500 peer_port 64828 (R) CONF_XAUTH
ISAKMP:(2013):Sending an IKE IPv4 Packet.
ISAKMP:(2013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(2013):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT

ISAKMP (0:2013): received packet from 93.40.99.100 dport 4500 sport 64828 Global (R) CONF_XAUTH
ISAKMP:(2013):processing transaction payload from 93.40.99.100. message ID = -1279173715
ISAKMP: Config payload REPLY
ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
ISAKMP:(2013):deleting node -1279173715 error FALSE reason "Done with xauth request/reply exchange"
ISAKMP:(2013):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
ISAKMP:(2013):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT

ISAKMP: set new node 1609531845 to CONF_XAUTH
ISAKMP:(2013): initiating peer config to 93.40.99.100. ID = 1609531845
ISAKMP:(2013): sending packet to 93.40.99.100 my_port 4500 peer_port 64828 (R) CONF_XAUTH
ISAKMP:(2013):Sending an IKE IPv4 Packet.
ISAKMP:(2013):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
ISAKMP:(2013):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT  New State = IKE_XAUTH_SET_SENT

ISAKMP (0:2013): received packet from 93.40.99.100 dport 4500 sport 64828 Global (R) CONF_XAUTH
ISAKMP:(2013):processing transaction payload from 93.40.99.100. message ID = 1609531845
ISAKMP: Config payload ACK
ISAKMP:(2013):       (blank) XAUTH ACK Processed
ISAKMP:(2013):deleting node 1609531845 error FALSE reason "Transaction mode done"
ISAKMP:(2013):Talking to a Unity Client
ISAKMP:(2013):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
ISAKMP:(2013):Old State = IKE_XAUTH_SET_SENT  New State = IKE_P1_COMPLETE

ISAKMP:(2013):IKE_DPD is enabled, initializing timers
ISAKMP:(2013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(2013):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

ISAKMP (0:2013): received packet from 93.40.99.100 dport 4500 sport 64828 Global (R) QM_IDLE
ISAKMP: set new node -606598373 to QM_IDLE
ISAKMP:(2013):processing transaction payload from 93.40.99.100. message ID = -606598373
ISAKMP: Config payload REQUEST
ISAKMP:(2013):checking request:
ISAKMP:    IP4_ADDRESS
ISAKMP:    IP4_NETMASK
ISAKMP:    IP4_DNS
ISAKMP:    IP4_NBNS
ISAKMP:    ADDRESS_EXPIRY
ISAKMP:    MODECFG_BANNER
ISAKMP:    MODECFG_SAVEPWD
ISAKMP:    DEFAULT_DOMAIN
ISAKMP:    SPLIT_INCLUDE
ISAKMP:    SPLIT_DNS
ISAKMP:    PFS
ISAKMP:    MODECFG_BROWSER_PROXY
ISAKMP:    BACKUP_SERVER
ISAKMP:    MODECFG_SMARTCARD_REMOVAL_DISCONNECT
ISAKMP:    APPLICATION_VERSION
ISAKMP:    FW_RECORD
ISAKMP:    MODECFG_HOSTNAME
ISAKMP/author: Author request for group KBHsuccessfully sent to AAA
ISAKMP:(2013):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
ISAKMP:(2013):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_AUTHOR_AAA_AWAIT

ISAKMP:(2013):attributes sent in message:
         Address: 0.2.0.0
ISAKMP:(2013):allocating address 192.168.0.9
ISAKMP: Sending private address: 192.168.0.9
ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the address: 86399
ISAKMP: Sending save password reply value 1
ISAKMP: Sending split include name acl-split network 192.168.0.0 mask 255.255.0.0 protocol 0, src port 0, dst port 0

ISAKMP: Sending smartcard_removal_disconnect reply
                   value 0
ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(15)T14, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 17-Aug-10 23:19 by prod_rel_team
ISAKMP (0/2013): Unknown Attr: MODECFG_HOSTNAME (0x700A)
ISAKMP:(2013): responding to peer config from 93.40.99.100. ID = -606598373
ISAKMP: Marking node -606598373 for late deletion
ISAKMP:(2013): sending packet to 93.40.99.100 my_port 4500 peer_port 64828 (R) CONF_ADDR
ISAKMP:(2013):Sending an IKE IPv4 Packet.
ISAKMP:(2013):Talking to a Unity Client
ISAKMP:(2013):Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR
ISAKMP:(2013):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT  New State = IKE_P1_COMPLETE

ISAKMP:(2013):IKE_DPD is enabled, initializing timers
ISAKMP:(2013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(2013):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

ISAKMP (0:2013): received packet from 93.40.99.100 dport 4500 sport 64828 Global (R) QM_IDLE
ISAKMP: set new node -754602312 to QM_IDLE
ISAKMP:(2013): processing HASH payload. message ID = -754602312
ISAKMP:(2013): processing SA payload. message ID = -754602312
ISAKMP:(2013):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 256
ISAKMP:      encaps is 61443 (Tunnel-UDP)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013):Checking IPSec proposal 1
ISAKMP:(2013):transform 1, IPPCP LZS
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 61443 (Tunnel-UDP)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): IPSec policy invalidated proposal with error 256
ISAKMP:(2013):Checking IPSec proposal 2
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 256
ISAKMP:      encaps is 61443 (Tunnel-UDP)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013):Checking IPSec proposal 2
ISAKMP:(2013):transform 1, IPPCP LZS
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 61443 (Tunnel-UDP)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): IPSec policy invalidated proposal with error 256
ISAKMP:(2013):Checking IPSec proposal 3
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 128
ISAKMP:      encaps is 61443 (Tunnel-UDP)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013):Checking IPSec proposal 3
ISAKMP:(2013):transform 1, IPPCP LZS
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 61443 (Tunnel-UDP)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): IPSec policy invalidated proposal with error 256
ISAKMP:(2013):Checking IPSec proposal 4
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
ISAKMP:      encaps is 61443 (Tunnel-UDP)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013):Checking IPSec proposal 4
ISAKMP:(2013):transform 1, IPPCP LZS
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 61443 (Tunnel-UDP)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): IPSec policy invalidated proposal with error 256
ISAKMP:(2013):Checking IPSec proposal 5
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 256
ISAKMP:      encaps is 61443 (Tunnel-UDP)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): IPSec policy invalidated proposal with error 256
ISAKMP:(2013):Checking IPSec proposal 6
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 256
ISAKMP:      encaps is 61443 (Tunnel-UDP)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): IPSec policy invalidated proposal with error 256
ISAKMP:(2013):Checking IPSec proposal 7
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 128
ISAKMP:      encaps is 61443 (Tunnel-UDP)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): IPSec policy invalidated proposal with error 256
ISAKMP:(2013):Checking IPSec proposal 8
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
ISAKMP:      encaps is 61443 (Tunnel-UDP)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): IPSec policy invalidated proposal with error 256
ISAKMP:(2013):Checking IPSec proposal 9
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      encaps is 61443 (Tunnel-UDP)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013):Checking IPSec proposal 9
ISAKMP:(2013):transform 1, IPPCP LZS
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 61443 (Tunnel-UDP)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): IPSec policy invalidated proposal with error 256
ISAKMP:(2013):Checking IPSec proposal 10
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      encaps is 61443 (Tunnel-UDP)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013):Checking IPSec proposal 10
ISAKMP:(2013):transform 1, IPPCP LZS
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 61443 (Tunnel-UDP)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): IPSec policy invalidated proposal with error 256
ISAKMP:(2013):Checking IPSec proposal 11
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      encaps is 61443 (Tunnel-UDP)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): IPSec policy invalidated proposal with error 256
ISAKMP:(2013):Checking IPSec proposal 12
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      encaps is 61443 (Tunnel-UDP)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): processing NONCE payload. message ID = -754602312
ISAKMP:(2013): processing ID payload. message ID = -754602312
ISAKMP:(2013): processing ID payload. message ID = -754602312
ISAKMP:(2013):QM Responder gets spi
ISAKMP:(2013):Node -754602312, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(2013):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
ISAKMP:(2013):deleting node -606598373 error FALSE reason "No Error"
ISAKMP:(2013): Creating IPSec SAs
         inbound SA from 93.40.99.100 to 91.74.158.78 (f/i)  0/ 0
         (proxy 192.168.0.9 to 0.0.0.0)
         has spi 0x57D9DEE7 and conn_id 0
         lifetime of 2147483 seconds
         outbound SA from 91.74.158.78 to 93.40.99.100 (f/i) 0/0
         (proxy 0.0.0.0 to 192.168.0.9)
         has spi  0xFAB1F8B1 and conn_id 0
         lifetime of 2147483 seconds
ISAKMP:(2013): sending packet to 93.40.99.100 my_port 4500 peer_port 64828 (R) QM_IDLE
ISAKMP:(2013):Sending an IKE IPv4 Packet.
ISAKMP:(2013):Node -754602312, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
ISAKMP:(2013):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
Sep  5 20:38:53: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  .  Peer 93.40.99.100:64828       Id: KBH
ISAKMP (0:2013): received packet from 93.40.99.100 dport 4500 sport 64828 Global (R) QM_IDLE
ISAKMP:(2013):deleting node -754602312 error FALSE reason "QM done (await)"
ISAKMP:(2013):Node -754602312, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(2013):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE

ISAKMP (0:2013): received packet from 93.40.99.100 dport 4500 sport 64828 Global (R) QM_IDLE    <--- Keepalive
ISAKMP: set new node -1985661453 to QM_IDLE
ISAKMP:(2013): processing HASH payload. message ID = -1985661453
ISAKMP:(2013): processing NOTIFY DPD/R_U_THERE protocol 1
         spi 0, message ID = -1985661453, sa = 828BBC8C
ISAKMP:(2013):deleting node -1985661453 error FALSE reason "Informational (in) state 1"
ISAKMP:(2013):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
ISAKMP:(2013):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

ISAKMP:(2013):DPD/R_U_THERE received from peer 93.40.99.100, sequence 0xEEC72B94
ISAKMP: set new node 1781890492 to QM_IDLE
ISAKMP:(2013):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
         spi 2204214032, message ID = 1781890492
ISAKMP:(2013): seq. no 0xEEC72B94
ISAKMP:(2013): sending packet to 93.40.99.100 my_port 4500 peer_port 64828 (R) QM_IDLE
ISAKMP:(2013):Sending an IKE IPv4 Packet.
ISAKMP:(2013):purging node 1781890492
ISAKMP:(2013):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
ISAKMP:(2013):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

ISAKMP (0:2013): received packet from 93.40.99.100 dport 4500 sport 64828 Global (R) QM_IDLE     <--- Disconnect by Client
ISAKMP: set new node 1627267609 to QM_IDLE
ISAKMP:(2013): processing HASH payload. message ID = 1627267609
ISAKMP:(2013): processing DELETE payload. message ID = 1627267609
ISAKMP:(2013):peer does not do paranoid keepalives.

ISAKMP:(2013):deleting node 1627267609 error FALSE reason "Informational (in) state 1"
Sep  5 20:39:14: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.  Peer 93.40.99.100:64828       Id: KBH
ISAKMP (0:2013): received packet from 93.40.99.100 dport 4500 sport 64828 Global (R) QM_IDLE
ISAKMP: set new node 2142125117 to QM_IDLE
ISAKMP:(2013): processing HASH payload. message ID = 2142125117
ISAKMP:received payload type 18
ISAKMP:(2013):Processing delete with reason payload
ISAKMP:(2013):delete doi = 0
ISAKMP:(2013):delete protocol id = 1
ISAKMP:(2013):delete spi_size =  16
ISAKMP:(2013):delete num spis = 1
ISAKMP:(2013):delete_reason = 2
ISAKMP:(2013): processing DELETE_WITH_REASON payload, message ID = 2142125117, reason: DELETE_BY_USER_COMMAND
ISAKMP:(2013):peer does not do paranoid keepalives.

ISAKMP:(2013):deleting SA reason "BY user command" state (R) QM_IDLE       (peer 93.40.99.100)
ISAKMP:(2013):deleting node 2142125117 error FALSE reason "Informational (in) state 1"
ISAKMP: set new node -990175086 to QM_IDLE
ISAKMP:(2013): sending packet to 93.40.99.100 my_port 4500 peer_port 64828 (R) QM_IDLE
ISAKMP:(2013):Sending an IKE IPv4 Packet.
ISAKMP:(2013):purging node -990175086
ISAKMP:(2013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
ISAKMP:(2013):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

ISAKMP:(2013):deleting SA reason "BY user command" state (R) QM_IDLE       (peer 93.40.99.100)
ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
ISAKMP (0:2013): returning address 192.168.0.9 to pool
ISAKMP: Unlocking peer struct 0x832FC670 for isadb_mark_sa_deleted(), count 0
ISAKMP: returning address 192.168.0.9 to pool
ISAKMP: Deleting peer node by peer_reap for 93.40.99.100: 832FC670
ISAKMP: returning address 192.168.0.9 to pool
ISAKMP:(2013):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(2013):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
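
Added example (not part of the original document): a small Python script that condenses the "Checking IPSec proposal" run above into one entry per proposal and lists the proposals the router's IPsec policy did not invalidate (proposal 12 in the debug above). The sample lines are constructed in the same format, and the function names are hypothetical.

```python
import re
# Constructed sample in the format of the debug above (some attribute lines trimmed).
SAMPLE = """\
ISAKMP:(2013):Checking IPSec proposal 8
ISAKMP: transform 1, ESP_AES
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): IPSec policy invalidated proposal with error 256
ISAKMP:(2013):Checking IPSec proposal 10
ISAKMP: transform 1, ESP_3DES
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013):Checking IPSec proposal 10
ISAKMP:(2013):transform 1, IPPCP LZS
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): IPSec policy invalidated proposal with error 256
ISAKMP:(2013):Checking IPSec proposal 12
ISAKMP: transform 1, ESP_3DES
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): processing NONCE payload. message ID = -754602312
"""

PROPOSAL = re.compile(r"Checking IPSec proposal (\d+)")
TRANSFORM = re.compile(r"transform \d+, (.+?)\s*$")
ATTR = re.compile(r"(authenticator|key length) is (\S+)")
REJECT = re.compile(r"IPSec policy invalidated proposal with error (\d+)")

def summarize(debug_text):
    """Return {proposal number: details}; a repeated number is merged into one entry."""
    proposals, cur = {}, None
    for line in debug_text.splitlines():
        if m := PROPOSAL.search(line):
            cur = proposals.setdefault(int(m.group(1)),
                                       {"transforms": [], "error": None})
        elif cur is None:
            continue  # not inside a Quick Mode proposal yet
        elif m := TRANSFORM.search(line):
            cur["transforms"].append(m.group(1))
        elif m := ATTR.search(line):
            cur[m.group(1)] = m.group(2)  # keys: "authenticator", "key length"
        elif m := REJECT.search(line):
            cur["error"] = int(m.group(1))
    return proposals

def accepted(proposals):
    """Proposal numbers the local IPsec policy did not invalidate."""
    return [n for n, p in proposals.items() if p["error"] is None]
```

If accepted() returns an empty list for a real capture, no client proposal matched the transform-set applied to the dynamic map.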

Minimal configuration:
crypto isakmp policy 1
  encr aes 256
  authentication pre-share
  group 2
!
crypto isakmp client configuration group VPNGRP
  key vpnkey
  pool default
  acl acl-split
!
crypto ipsec transform-set vpn-client esp-aes esp-sha-hmac
!
crypto dynamic-map clients 10
  set transform-set vpn-client
  reverse-route
!
!
crypto map CMP client authentication list default
crypto map CMP isakmp authorization list default
crypto map CMP client configuration address respond
crypto map CMP 65535 ipsec-isakmp dynamic clients
!
interface x/y
  crypto map CMP

ip local pool default 192.168.0.1 192.168.0.100

ip access-list extended acl-split
  permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
