Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- Technology and Support
- Security
- Security Knowledge Base
- Troubleshooting VPN Client access on Cisco IOS
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
10896
Views
2
Helpful
0
Comments
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
on 09-05-2010 02:34 PM
Troubleshooting VPN client on Cisco routers
start with "debug crypto isakmp"
Here few notes to understand the debug
packet from Mac client receivied:
ISAKMP (0:0): received packet from 77.43.61.233 dport 500 sport 500 Global (N) NEW SA
ISAKMP: Created a peer struct for 77.43.61.233, peer port 500 <---- NAT will be specified later
ISAKMP: New peer created peer = 0x828BCC28 peer_handle = 0x80000020
ISAKMP: Locking peer struct 0x828BCC28, refcount 1 for crypto_isakmp_process_block
ISAKMP:(0):Setting client config settings 837C2CFC
ISAKMP:(0):(Re)Setting client xauth list and state
ISAKMP/xauth: initializing AAA request
ISAKMP: local port 500, remote port 500
insert sa successfully sa = 83B11D30
ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing ID payload. message ID = 0
ISAKMP (0:0): ID payload
next-payload : 13
type : 11
group id : KBH
protocol : 0 <------- No UDP used
port : 0
length : 11
ISAKMP:(0):: peer matches *none* of the profiles
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0:0): vendor ID is NAT-T RFC 3947
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 198 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 29 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP (0:0): vendor ID is NAT-T v7
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 114 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 227 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 250 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
ISAKMP:(0): vendor ID is XAUTH
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is Unity
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is DPD
ISAKMP:(0): Authentication by xauth preshared <------- Defined by crypto isakmp policy
ISAKMP: Created a peer struct for 77.43.61.233, peer port 500 <---- NAT will be specified later
ISAKMP: New peer created peer = 0x828BCC28 peer_handle = 0x80000020
ISAKMP: Locking peer struct 0x828BCC28, refcount 1 for crypto_isakmp_process_block
ISAKMP:(0):Setting client config settings 837C2CFC
ISAKMP:(0):(Re)Setting client xauth list and state
ISAKMP/xauth: initializing AAA request
ISAKMP: local port 500, remote port 500
insert sa successfully sa = 83B11D30
ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing ID payload. message ID = 0
ISAKMP (0:0): ID payload
next-payload : 13
type : 11
group id : KBH
protocol : 0 <------- No UDP used
port : 0
length : 11
ISAKMP:(0):: peer matches *none* of the profiles
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0:0): vendor ID is NAT-T RFC 3947
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 198 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 29 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP (0:0): vendor ID is NAT-T v7
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 114 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 227 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 250 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
ISAKMP:(0): vendor ID is XAUTH
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is Unity
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is DPD
ISAKMP:(0): Authentication by xauth preshared <------- Defined by crypto isakmp policy
IOS processing packet
ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600 <--- Preferred client settings. Good idea to define this isamk policy as first
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 256
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 256
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
ISAKMP: life type in seconds >---- Match found
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):atts are acceptable. Next payload is 3
ISAKMP:(0):Acceptable atts:actual life: 86400
ISAKMP:(0):Acceptable atts:life: 0
ISAKMP:(0):Basic life_in_seconds:3600
ISAKMP:(0):Returning Actual lifetime: 3600
ISAKMP:(0)::Started lifetime timer: 3600.
ISAKMP:(0): processing KE payload. message ID = 0
ISAKMP:(0): processing NONCE payload. message ID = 0
ISAKMP (0:0): vendor ID is NAT-T RFC 3947
ISAKMP (0:0): vendor ID is NAT-T v7
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
ISAKMP:(0):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
ISAKMP:(2008):purging node -709445023
ISAKMP:(2010): constructed NAT-T vendor-rfc3947 ID >----- Authentication phase 1 begins
ISAKMP:(2010):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
ISAKMP (0:2010): ID payload
next-payload : 10
type : 1
address : 91.74.158.78
protocol : 0
port : 0
length : 12
ISAKMP:(2010):Total payload length: 12
ISAKMP:(2010): sending packet to 77.43.61.233 my_port 500 peer_port 500 (R) AG_INIT_EXCH
ISAKMP:(2010):Sending an IKE IPv4 Packet.
ISAKMP:(2010):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
ISAKMP:(2010):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
ISAKMP (0:2010): received packet from 77.43.61.233 dport 4500 sport 4500 Global (R) AG_INIT_EXCH
ISAKMP:(2010): processing HASH payload. message ID = 0
ISAKMP:received payload type 20
ISAKMP:received payload type 20
ISAKMP (0:2010): NAT found, the node outside NAT
ISAKMP:(2010): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 83B11D30
ISAKMP:(2010):SA authentication status:
authenticated
ISAKMP:(2010):SA has been authenticated with 77.43.61.233
ISAKMP:(2010):Detected port,floating to port = 4500
ISAKMP: Trying to find existing peer 91.74.158.78/77.43.61.233/4500/
ISAKMP:(2010):SA authentication status:
authenticated
ISAKMP:(2010): Process initial contact,
bring down existing phase 1 and 2 SA's with local 91.74.158.78 remote 77.43.61.233 remote port 4500
ISAKMP:(2010):returning IP addr to the address pool
ISAKMP: Trying to insert a peer 91.74.158.78/77.43.61.233/4500/, and inserted successfully 828BCC28.
ISAKMP:(2010):Returning Actual lifetime: 3600
ISAKMP: set new node -1715788723 to CONF_XAUTH
ISAKMP:(2010):Sending NOTIFY RESPONDER_LIFETIME protocol 1
spi 2204213848, message ID = -1715788723
ISAKMP:(2010): sending packet to 77.43.61.233 my_port 4500 peer_port 4500 (R) QM_IDLE
ISAKMP:(2010):Sending an IKE IPv4 Packet.
ISAKMP:(2010):purging node -1715788723
ISAKMP: Sending phase 1 responder lifetime 3600
ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
ISAKMP:(2010):Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE <----- Authenticaion complete
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600 <--- Preferred client settings. Good idea to define this isamk policy as first
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 256
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 256
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
ISAKMP: life type in seconds >---- Match found
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):atts are acceptable. Next payload is 3
ISAKMP:(0):Acceptable atts:actual life: 86400
ISAKMP:(0):Acceptable atts:life: 0
ISAKMP:(0):Basic life_in_seconds:3600
ISAKMP:(0):Returning Actual lifetime: 3600
ISAKMP:(0)::Started lifetime timer: 3600.
ISAKMP:(0): processing KE payload. message ID = 0
ISAKMP:(0): processing NONCE payload. message ID = 0
ISAKMP (0:0): vendor ID is NAT-T RFC 3947
ISAKMP (0:0): vendor ID is NAT-T v7
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
ISAKMP:(0):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
ISAKMP:(2008):purging node -709445023
ISAKMP:(2010): constructed NAT-T vendor-rfc3947 ID >----- Authentication phase 1 begins
ISAKMP:(2010):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
ISAKMP (0:2010): ID payload
next-payload : 10
type : 1
address : 91.74.158.78
protocol : 0
port : 0
length : 12
ISAKMP:(2010):Total payload length: 12
ISAKMP:(2010): sending packet to 77.43.61.233 my_port 500 peer_port 500 (R) AG_INIT_EXCH
ISAKMP:(2010):Sending an IKE IPv4 Packet.
ISAKMP:(2010):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
ISAKMP:(2010):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
ISAKMP (0:2010): received packet from 77.43.61.233 dport 4500 sport 4500 Global (R) AG_INIT_EXCH
ISAKMP:(2010): processing HASH payload. message ID = 0
ISAKMP:received payload type 20
ISAKMP:received payload type 20
ISAKMP (0:2010): NAT found, the node outside NAT
ISAKMP:(2010): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 83B11D30
ISAKMP:(2010):SA authentication status:
authenticated
ISAKMP:(2010):SA has been authenticated with 77.43.61.233
ISAKMP:(2010):Detected port,floating to port = 4500
ISAKMP: Trying to find existing peer 91.74.158.78/77.43.61.233/4500/
ISAKMP:(2010):SA authentication status:
authenticated
ISAKMP:(2010): Process initial contact,
bring down existing phase 1 and 2 SA's with local 91.74.158.78 remote 77.43.61.233 remote port 4500
ISAKMP:(2010):returning IP addr to the address pool
ISAKMP: Trying to insert a peer 91.74.158.78/77.43.61.233/4500/, and inserted successfully 828BCC28.
ISAKMP:(2010):Returning Actual lifetime: 3600
ISAKMP: set new node -1715788723 to CONF_XAUTH
ISAKMP:(2010):Sending NOTIFY RESPONDER_LIFETIME protocol 1
spi 2204213848, message ID = -1715788723
ISAKMP:(2010): sending packet to 77.43.61.233 my_port 4500 peer_port 4500 (R) QM_IDLE
ISAKMP:(2010):Sending an IKE IPv4 Packet.
ISAKMP:(2010):purging node -1715788723
ISAKMP: Sending phase 1 responder lifetime 3600
ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
ISAKMP:(2010):Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE <----- Authenticaion complete
ISAKMP:(2010):Need XAUTH <----- Will ask username/password
ISAKMP: set new node 422655679 to CONF_XAUTH
ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
ISAKMP:(2010): initiating peer config to 77.43.61.233. ID = 422655679
ISAKMP:(2010): sending packet to 77.43.61.233 my_port 4500 peer_port 4500 (R) CONF_XAUTH
ISAKMP:(2010):Sending an IKE IPv4 Packet.
ISAKMP:(2010):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(2010):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT
ISAKMP (0:2010): received packet from 77.43.61.233 dport 4500 sport 4500 Global (R) CONF_XAUTH <--- succesfully received from Client
ISAKMP:(2010):processing transaction payload from 77.43.61.233. message ID = 422655679
ISAKMP: Config payload REPLY
ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
ISAKMP:(2010):deleting node 422655679 error FALSE reason "Done with xauth request/reply exchange"
ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
ISAKMP:(2010):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
ISAKMP: set new node -1850841249 to CONF_XAUTH
ISAKMP:(2010): initiating peer config to 77.43.61.233. ID = -1850841249
ISAKMP:(2010): sending packet to 77.43.61.233 my_port 4500 peer_port 4500 (R) CONF_XAUTH
ISAKMP:(2010):Sending an IKE IPv4 Packet.
ISAKMP:(2010):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
ISAKMP:(2010):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_SET_SENT
ISAKMP (0:2010): received packet from 77.43.61.233 dport 4500 sport 4500 Global (R) CONF_XAUTH
ISAKMP:(2010):processing transaction payload from 77.43.61.233. message ID = -1850841249
ISAKMP: Config payload ACK
ISAKMP:(2010): XAUTH ACK Processed
ISAKMP:(2010):deleting node -1850841249 error FALSE reason "Transaction mode done"
ISAKMP:(2010):Talking to a Unity Client
ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
ISAKMP:(2010):Old State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE
ISAKMP:(2010):IKE_DPD is enabled, initializing timers
ISAKMP:(2010):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(2010):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP: set new node 422655679 to CONF_XAUTH
ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
ISAKMP:(2010): initiating peer config to 77.43.61.233. ID = 422655679
ISAKMP:(2010): sending packet to 77.43.61.233 my_port 4500 peer_port 4500 (R) CONF_XAUTH
ISAKMP:(2010):Sending an IKE IPv4 Packet.
ISAKMP:(2010):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(2010):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT
ISAKMP (0:2010): received packet from 77.43.61.233 dport 4500 sport 4500 Global (R) CONF_XAUTH <--- succesfully received from Client
ISAKMP:(2010):processing transaction payload from 77.43.61.233. message ID = 422655679
ISAKMP: Config payload REPLY
ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
ISAKMP:(2010):deleting node 422655679 error FALSE reason "Done with xauth request/reply exchange"
ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
ISAKMP:(2010):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
ISAKMP: set new node -1850841249 to CONF_XAUTH
ISAKMP:(2010): initiating peer config to 77.43.61.233. ID = -1850841249
ISAKMP:(2010): sending packet to 77.43.61.233 my_port 4500 peer_port 4500 (R) CONF_XAUTH
ISAKMP:(2010):Sending an IKE IPv4 Packet.
ISAKMP:(2010):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
ISAKMP:(2010):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_SET_SENT
ISAKMP (0:2010): received packet from 77.43.61.233 dport 4500 sport 4500 Global (R) CONF_XAUTH
ISAKMP:(2010):processing transaction payload from 77.43.61.233. message ID = -1850841249
ISAKMP: Config payload ACK
ISAKMP:(2010): XAUTH ACK Processed
ISAKMP:(2010):deleting node -1850841249 error FALSE reason "Transaction mode done"
ISAKMP:(2010):Talking to a Unity Client
ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
ISAKMP:(2010):Old State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE
ISAKMP:(2010):IKE_DPD is enabled, initializing timers
ISAKMP:(2010):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(2010):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP (0:2010): received packet from 77.43.61.233 dport 4500 sport 4500 Global (R) QM_IDLE <----- Client send Configuration options
ISAKMP: set new node -1447433926 to QM_IDLE
ISAKMP:(2010):processing transaction payload from 77.43.61.233. message ID = -1447433926
ISAKMP: Config payload REQUEST
ISAKMP:(2010):checking request:
ISAKMP: IP4_ADDRESS
ISAKMP: IP4_NETMASK
ISAKMP: IP4_DNS
ISAKMP: IP4_NBNS
ISAKMP: ADDRESS_EXPIRY
ISAKMP: APPLICATION_VERSION
ISAKMP: MODECFG_BANNER
ISAKMP: DEFAULT_DOMAIN
ISAKMP: SPLIT_DNS
ISAKMP: SPLIT_INCLUDE
ISAKMP: INCLUDE_LOCAL_LAN
ISAKMP: PFS
ISAKMP: MODECFG_SAVEPWD
ISAKMP: FW_RECORD
ISAKMP: BACKUP_SERVER
ISAKMP: MODECFG_BROWSER_PROXY
ISAKMP/author: Author request for group KBHsuccessfully sent to AAA
ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
ISAKMP:(2010):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
ISAKMP:(2010):attributes sent in message: <------ IOS process Options
Address: 0.2.0.0
ISAKMP:(2010):allocating address 192.168.0.6
ISAKMP: Sending private address: 192.168.0.6
ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the address: 3593 <---- seven seconds elapsed
ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(15)T14, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 17-Aug-10 23:19 by prod_rel_team
ISAKMP: Sending split include name acl-split network 192.168.0.0 mask 255.255.0.0 protocol 0, src port 0, dst port 0 <---- Split tunnel ACL
ISAKMP: Sending save password reply value 1
ISAKMP:(2010): responding to peer config from 77.43.61.233. ID = -1447433926
ISAKMP: Marking node -1447433926 for late deletion
ISAKMP:(2010): sending packet to 77.43.61.233 my_port 4500 peer_port 4500 (R) CONF_ADDR
ISAKMP:(2010):Sending an IKE IPv4 Packet.
ISAKMP:(2010):Talking to a Unity Client
ISAKMP:(2010):Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR
ISAKMP:(2010):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_P1_COMPLETE
ISAKMP:(2010):IKE_DPD is enabled, initializing timers
ISAKMP:(2010):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(2010):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP (0:2010): received packet from 77.43.61.233 dport 4500 sport 4500 Global (R) QM_IDLE <--------- IOS process IPsec options
ISAKMP: set new node -225717927 to QM_IDLE
ISAKMP:(2010): processing HASH payload. message ID = -225717927
ISAKMP:(2010): processing SA payload. message ID = -225717927
ISAKMP:(2010):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: encaps is 3 (Tunnel-UDP)
ISAKMP: key length is 256
ISAKMP: authenticator is HMAC-SHA
ISAKMP:(2010):atts are acceptable.
ISAKMP:(2010):Checking IPSec proposal 1
ISAKMP: transform 2, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600 > Client preferred transform set
ISAKMP: encaps is 3 (Tunnel-UDP)
ISAKMP: key length is 256
ISAKMP: authenticator is HMAC-MD5
ISAKMP:(2010):atts are acceptable.
ISAKMP:(2010):Checking IPSec proposal 1
ISAKMP: transform 3, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: encaps is 3 (Tunnel-UDP)
ISAKMP: key length is 128
ISAKMP: authenticator is HMAC-SHA
ISAKMP:(2010):atts are acceptable.
ISAKMP:(2010):Checking IPSec proposal 1
ISAKMP: transform 4, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: encaps is 3 (Tunnel-UDP)
ISAKMP: key length is 128
ISAKMP: authenticator is HMAC-MD5
ISAKMP:(2010):atts are acceptable.
ISAKMP:(2010):Checking IPSec proposal 1
ISAKMP: transform 5, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: encaps is 3 (Tunnel-UDP)
ISAKMP: authenticator is HMAC-SHA
ISAKMP:(2010):atts are acceptable.
ISAKMP:(2010):Checking IPSec proposal 1 <----- Match found. Good idea to adjust trasform-set for earlier match
ISAKMP: transform 6, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: encaps is 3 (Tunnel-UDP)
ISAKMP: authenticator is HMAC-MD5
ISAKMP:(2010):atts are acceptable.
ISAKMP:(2010): IPSec policy invalidated proposal with error 256
ISAKMP:(2010): IPSec policy invalidated proposal with error 256
ISAKMP:(2010): IPSec policy invalidated proposal with error 256
ISAKMP:(2010): IPSec policy invalidated proposal with error 256
ISAKMP:(2010): processing NONCE payload. message ID = -225717927
ISAKMP:(2010): processing ID payload. message ID = -225717927
ISAKMP:(2010): processing ID payload. message ID = -225717927
ISAKMP:(2010):QM Responder gets spi
ISAKMP:(2010):Node -225717927, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(2010):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
ISAKMP:(2010):deleting node -1447433926 error FALSE reason "No Error"
ISAKMP:(2010): Creating IPSec SAs
inbound SA from 77.43.61.233 to 91.74.158.78 (f/i) 0/ 0
(proxy 192.168.0.6 to 192.168.0.0)
has spi 0xDE845FB7 and conn_id 0
lifetime of 3600 seconds
outbound SA from 91.74.158.78 to 77.43.61.233 (f/i) 0/0
(proxy 192.168.0.0 to 192.168.0.6)
has spi 0x5D47723 and conn_id 0
lifetime of 3600 seconds
ISAKMP: set new node -1447433926 to QM_IDLE
ISAKMP:(2010):processing transaction payload from 77.43.61.233. message ID = -1447433926
ISAKMP: Config payload REQUEST
ISAKMP:(2010):checking request:
ISAKMP: IP4_ADDRESS
ISAKMP: IP4_NETMASK
ISAKMP: IP4_DNS
ISAKMP: IP4_NBNS
ISAKMP: ADDRESS_EXPIRY
ISAKMP: APPLICATION_VERSION
ISAKMP: MODECFG_BANNER
ISAKMP: DEFAULT_DOMAIN
ISAKMP: SPLIT_DNS
ISAKMP: SPLIT_INCLUDE
ISAKMP: INCLUDE_LOCAL_LAN
ISAKMP: PFS
ISAKMP: MODECFG_SAVEPWD
ISAKMP: FW_RECORD
ISAKMP: BACKUP_SERVER
ISAKMP: MODECFG_BROWSER_PROXY
ISAKMP/author: Author request for group KBHsuccessfully sent to AAA
ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
ISAKMP:(2010):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
ISAKMP:(2010):attributes sent in message: <------ IOS process Options
Address: 0.2.0.0
ISAKMP:(2010):allocating address 192.168.0.6
ISAKMP: Sending private address: 192.168.0.6
ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the address: 3593 <---- seven seconds elapsed
ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(15)T14, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 17-Aug-10 23:19 by prod_rel_team
ISAKMP: Sending split include name acl-split network 192.168.0.0 mask 255.255.0.0 protocol 0, src port 0, dst port 0 <---- Split tunnel ACL
ISAKMP: Sending save password reply value 1
ISAKMP:(2010): responding to peer config from 77.43.61.233. ID = -1447433926
ISAKMP: Marking node -1447433926 for late deletion
ISAKMP:(2010): sending packet to 77.43.61.233 my_port 4500 peer_port 4500 (R) CONF_ADDR
ISAKMP:(2010):Sending an IKE IPv4 Packet.
ISAKMP:(2010):Talking to a Unity Client
ISAKMP:(2010):Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR
ISAKMP:(2010):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_P1_COMPLETE
ISAKMP:(2010):IKE_DPD is enabled, initializing timers
ISAKMP:(2010):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(2010):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP (0:2010): received packet from 77.43.61.233 dport 4500 sport 4500 Global (R) QM_IDLE <--------- IOS process IPsec options
ISAKMP: set new node -225717927 to QM_IDLE
ISAKMP:(2010): processing HASH payload. message ID = -225717927
ISAKMP:(2010): processing SA payload. message ID = -225717927
ISAKMP:(2010):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: encaps is 3 (Tunnel-UDP)
ISAKMP: key length is 256
ISAKMP: authenticator is HMAC-SHA
ISAKMP:(2010):atts are acceptable.
ISAKMP:(2010):Checking IPSec proposal 1
ISAKMP: transform 2, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600 > Client preferred transform set
ISAKMP: encaps is 3 (Tunnel-UDP)
ISAKMP: key length is 256
ISAKMP: authenticator is HMAC-MD5
ISAKMP:(2010):atts are acceptable.
ISAKMP:(2010):Checking IPSec proposal 1
ISAKMP: transform 3, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: encaps is 3 (Tunnel-UDP)
ISAKMP: key length is 128
ISAKMP: authenticator is HMAC-SHA
ISAKMP:(2010):atts are acceptable.
ISAKMP:(2010):Checking IPSec proposal 1
ISAKMP: transform 4, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: encaps is 3 (Tunnel-UDP)
ISAKMP: key length is 128
ISAKMP: authenticator is HMAC-MD5
ISAKMP:(2010):atts are acceptable.
ISAKMP:(2010):Checking IPSec proposal 1
ISAKMP: transform 5, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: encaps is 3 (Tunnel-UDP)
ISAKMP: authenticator is HMAC-SHA
ISAKMP:(2010):atts are acceptable.
ISAKMP:(2010):Checking IPSec proposal 1 <----- Match found. Good idea to adjust trasform-set for earlier match
ISAKMP: transform 6, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: encaps is 3 (Tunnel-UDP)
ISAKMP: authenticator is HMAC-MD5
ISAKMP:(2010):atts are acceptable.
ISAKMP:(2010): IPSec policy invalidated proposal with error 256
ISAKMP:(2010): IPSec policy invalidated proposal with error 256
ISAKMP:(2010): IPSec policy invalidated proposal with error 256
ISAKMP:(2010): IPSec policy invalidated proposal with error 256
ISAKMP:(2010): processing NONCE payload. message ID = -225717927
ISAKMP:(2010): processing ID payload. message ID = -225717927
ISAKMP:(2010): processing ID payload. message ID = -225717927
ISAKMP:(2010):QM Responder gets spi
ISAKMP:(2010):Node -225717927, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(2010):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
ISAKMP:(2010):deleting node -1447433926 error FALSE reason "No Error"
ISAKMP:(2010): Creating IPSec SAs
inbound SA from 77.43.61.233 to 91.74.158.78 (f/i) 0/ 0
(proxy 192.168.0.6 to 192.168.0.0)
has spi 0xDE845FB7 and conn_id 0
lifetime of 3600 seconds
outbound SA from 91.74.158.78 to 77.43.61.233 (f/i) 0/0
(proxy 192.168.0.0 to 192.168.0.6)
has spi 0x5D47723 and conn_id 0
lifetime of 3600 seconds
ISAKMP:(2010): sending packet to 77.43.61.233 my_port 4500 peer_port 4500 (R) QM_IDLE <----- Succesfully created SA
ISAKMP:(2010):Sending an IKE IPv4 Packet.
ISAKMP:(2010):Node -225717927, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
ISAKMP:(2010):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
Sep 5 19:23:40: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 77.43.61.233:4500 Id: KBH
ISAKMP (0:2010): received packet from 77.43.61.233 dport 4500 sport 4500 Global (R) QM_IDLE <--- Ack from Client
ISAKMP:(2010):deleting node -225717927 error FALSE reason "QM done (await)"
ISAKMP:(2010):Node -225717927, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(2010):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
ISAKMP:(2008):purging SA., sa=83B13C74, delme=83B13C74
ISAKMP (0:2010): received packet from 77.43.61.233 dport 4500 sport 4500 Global (R) QM_IDLE <---- Periodic keepalive
ISAKMP: set new node -1189760534 to QM_IDLE
ISAKMP:(2010): processing HASH payload. message ID = -1189760534
ISAKMP:(2010): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -1189760534, sa = 83B11D30
ISAKMP:(2010):deleting node -1189760534 error FALSE reason "Informational (in) state 1"
ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
ISAKMP:(2010):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP:(2010):DPD/R_U_THERE received from peer 77.43.61.233, sequence 0x454
ISAKMP: set new node 404780297 to QM_IDLE
ISAKMP:(2010):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2204214032, message ID = 404780297
ISAKMP:(2010): seq. no 0x454
ISAKMP:(2010): sending packet to 77.43.61.233 my_port 4500 peer_port 4500 (R) QM_IDLE
ISAKMP:(2010):Sending an IKE IPv4 Packet.
ISAKMP:(2010):purging node 404780297
ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
ISAKMP:(2010):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP (0:2010): received packet from 77.43.61.233 dport 4500 sport 4500 Global (R) QM_IDLE
ISAKMP: set new node -630171406 to QM_IDLE
ISAKMP:(2010): processing HASH payload. message ID = -630171406
ISAKMP:(2010): processing DELETE payload. message ID = -630171406
ISAKMP:(2010):peer does not do paranoid keepalives.
ISAKMP:(2010):peer does not do paranoid keepalives.
Debugs from Cisco VPN Client 5.0.6
ISAKMP (0:0): received packet from 93.40.99.100 dport 500 sport 64827 Global (N) NEW SA
ISAKMP: Created a peer struct for 93.40.99.100, peer port 64827
ISAKMP: New peer created peer = 0x832FC670 peer_handle = 0x8000002D
ISAKMP: Locking peer struct 0x832FC670, refcount 1 for crypto_isakmp_process_block
ISAKMP:(0):Setting client config settings 828C0EBC
ISAKMP:(0):(Re)Setting client xauth list and state
ISAKMP/xauth: initializing AAA request
ISAKMP: local port 500, remote port 64827
insert sa successfully sa = 828BBC8C
ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing ID payload. message ID = 0
ISAKMP (0:0): ID payload
next-payload : 13
type : 11
group id : KBH
protocol : 17
port : 500
length : 11
ISAKMP:(0):: peer matches *none* of the profiles
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
ISAKMP:(0): vendor ID is XAUTH
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is DPD
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): processing IKE frag vendor id payload
ISAKMP:(0):Support for IKE Fragmentation not enabled
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is Unity
ISAKMP:(0): Authentication by xauth preshared
ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth XAUTHInitPreShared
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP: keylength of 256
ISAKMP:(0):atts are acceptable. Next payload is 3
ISAKMP:(0):Acceptable atts:actual life: 86400
ISAKMP:(0):Acceptable atts:life: 0
ISAKMP:(0):Fill atts in sa vpi_length:4
ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
ISAKMP:(0):Returning Actual lifetime: 86400
ISAKMP:(0)::Started lifetime timer: 86400.
ISAKMP:(0): processing KE payload. message ID = 0
ISAKMP:(0): processing NONCE payload. message ID = 0
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
ISAKMP:(0):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
ISAKMP:(2013): constructed NAT-T vendor-02 ID
ISAKMP:(2013):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
ISAKMP (0:2013): ID payload
next-payload : 10
type : 1
address : 91.74.158.78
protocol : 0
port : 0
length : 12
ISAKMP:(2013):Total payload length: 12
ISAKMP:(2013): sending packet to 93.40.99.100 my_port 500 peer_port 64827 (R) AG_INIT_EXCH
ISAKMP:(2013):Sending an IKE IPv4 Packet.
ISAKMP:(2013):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
ISAKMP:(2013):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
ISAKMP (0:2013): received packet from 93.40.99.100 dport 4500 sport 64828 Global (R) AG_INIT_EXCH
ISAKMP:(2013): processing HASH payload. message ID = 0
ISAKMP:(2013): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 828BBC8C
ISAKMP:received payload type 20
ISAKMP:received payload type 20
ISAKMP (0:2013): NAT found, the node outside NAT
ISAKMP:(2013):SA authentication status:
authenticated
ISAKMP:(2013):SA has been authenticated with 93.40.99.100
ISAKMP:(2013):Detected port,floating to port = 64828
ISAKMP: Trying to find existing peer 91.74.158.78/93.40.99.100/64828/
ISAKMP:(2013):SA authentication status:
authenticated
ISAKMP:(2013): Process initial contact,
bring down existing phase 1 and 2 SA's with local 91.74.158.78 remote 93.40.99.100 remote port 64828
ISAKMP:(2013):returning IP addr to the address pool
ISAKMP: Trying to insert a peer 91.74.158.78/93.40.99.100/64828/, and inserted successfully 832FC670.
ISAKMP:(2013):Returning Actual lifetime: 86400
ISAKMP: set new node 1152932245 to CONF_XAUTH
ISAKMP:(2013):Sending NOTIFY RESPONDER_LIFETIME protocol 1
spi 2204213848, message ID = 1152932245
ISAKMP:(2013): sending packet to 93.40.99.100 my_port 4500 peer_port 64828 (R) QM_IDLE
ISAKMP:(2013):Sending an IKE IPv4 Packet.
ISAKMP:(2013):purging node 1152932245
ISAKMP: Sending phase 1 responder lifetime 86400
ISAKMP:(2013):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
ISAKMP:(2013):Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE
ISAKMP:(2013):Need XAUTH
ISAKMP: set new node -1279173715 to CONF_XAUTH
ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
ISAKMP:(2013): initiating peer config to 93.40.99.100. ID = -1279173715
ISAKMP:(2013): sending packet to 93.40.99.100 my_port 4500 peer_port 64828 (R) CONF_XAUTH
ISAKMP:(2013):Sending an IKE IPv4 Packet.
ISAKMP:(2013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(2013):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT
ISAKMP (0:2013): received packet from 93.40.99.100 dport 4500 sport 64828 Global (R) CONF_XAUTH
ISAKMP:(2013):processing transaction payload from 93.40.99.100. message ID = -1279173715
ISAKMP: Config payload REPLY
ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
ISAKMP:(2013):deleting node -1279173715 error FALSE reason "Done with xauth request/reply exchange"
ISAKMP:(2013):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
ISAKMP:(2013):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
ISAKMP: set new node 1609531845 to CONF_XAUTH
ISAKMP:(2013): initiating peer config to 93.40.99.100. ID = 1609531845
ISAKMP:(2013): sending packet to 93.40.99.100 my_port 4500 peer_port 64828 (R) CONF_XAUTH
ISAKMP:(2013):Sending an IKE IPv4 Packet.
ISAKMP:(2013):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
ISAKMP:(2013):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_SET_SENT
ISAKMP (0:2013): received packet from 93.40.99.100 dport 4500 sport 64828 Global (R) CONF_XAUTH
ISAKMP:(2013):processing transaction payload from 93.40.99.100. message ID = 1609531845
ISAKMP: Config payload ACK
ISAKMP:(2013): (blank) XAUTH ACK Processed
ISAKMP:(2013):deleting node 1609531845 error FALSE reason "Transaction mode done"
ISAKMP:(2013):Talking to a Unity Client
ISAKMP:(2013):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
ISAKMP:(2013):Old State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE
ISAKMP:(2013):IKE_DPD is enabled, initializing timers
ISAKMP:(2013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(2013):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP (0:2013): received packet from 93.40.99.100 dport 4500 sport 64828 Global (R) QM_IDLE
ISAKMP: set new node -606598373 to QM_IDLE
ISAKMP:(2013):processing transaction payload from 93.40.99.100. message ID = -606598373
ISAKMP: Config payload REQUEST
ISAKMP:(2013):checking request:
ISAKMP: IP4_ADDRESS
ISAKMP: IP4_NETMASK
ISAKMP: IP4_DNS
ISAKMP: IP4_NBNS
ISAKMP: ADDRESS_EXPIRY
ISAKMP: MODECFG_BANNER
ISAKMP: MODECFG_SAVEPWD
ISAKMP: DEFAULT_DOMAIN
ISAKMP: SPLIT_INCLUDE
ISAKMP: SPLIT_DNS
ISAKMP: PFS
ISAKMP: MODECFG_BROWSER_PROXY
ISAKMP: BACKUP_SERVER
ISAKMP: MODECFG_SMARTCARD_REMOVAL_DISCONNECT
ISAKMP: APPLICATION_VERSION
ISAKMP: FW_RECORD
ISAKMP: MODECFG_HOSTNAME
ISAKMP/author: Author request for group KBHsuccessfully sent to AAA
ISAKMP:(2013):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
ISAKMP:(2013):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
ISAKMP:(2013):attributes sent in message:
Address: 0.2.0.0
ISAKMP:(2013):allocating address 192.168.0.9
ISAKMP: Sending private address: 192.168.0.9
ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the address: 86399
ISAKMP: Sending save password reply value 1
ISAKMP: Sending split include name acl-split network 192.168.0.0 mask 255.255.0.0 protocol 0, src port 0, dst port 0
ISAKMP: Sending smartcard_removal_disconnect reply
value 0
ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(15)T14, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 17-Aug-10 23:19 by prod_rel_team
ISAKMP (0/2013): Unknown Attr: MODECFG_HOSTNAME (0x700A)
ISAKMP:(2013): responding to peer config from 93.40.99.100. ID = -606598373
ISAKMP: Marking node -606598373 for late deletion
ISAKMP:(2013): sending packet to 93.40.99.100 my_port 4500 peer_port 64828 (R) CONF_ADDR
ISAKMP:(2013):Sending an IKE IPv4 Packet.
ISAKMP:(2013):Talking to a Unity Client
ISAKMP:(2013):Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR
ISAKMP:(2013):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_P1_COMPLETE
ISAKMP:(2013):IKE_DPD is enabled, initializing timers
ISAKMP:(2013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(2013):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP (0:2013): received packet from 93.40.99.100 dport 4500 sport 64828 Global (R) QM_IDLE
ISAKMP: set new node -754602312 to QM_IDLE
ISAKMP:(2013): processing HASH payload. message ID = -754602312
ISAKMP:(2013): processing SA payload. message ID = -754602312
ISAKMP:(2013):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 256
ISAKMP: encaps is 61443 (Tunnel-UDP)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013):Checking IPSec proposal 1
ISAKMP:(2013):transform 1, IPPCP LZS
ISAKMP: attributes in transform:
ISAKMP: encaps is 61443 (Tunnel-UDP)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): IPSec policy invalidated proposal with error 256
ISAKMP:(2013):Checking IPSec proposal 2
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 256
ISAKMP: encaps is 61443 (Tunnel-UDP)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013):Checking IPSec proposal 2
ISAKMP:(2013):transform 1, IPPCP LZS
ISAKMP: attributes in transform:
ISAKMP: encaps is 61443 (Tunnel-UDP)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): IPSec policy invalidated proposal with error 256
ISAKMP:(2013):Checking IPSec proposal 3
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 128
ISAKMP: encaps is 61443 (Tunnel-UDP)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013):Checking IPSec proposal 3
ISAKMP:(2013):transform 1, IPPCP LZS
ISAKMP: attributes in transform:
ISAKMP: encaps is 61443 (Tunnel-UDP)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): IPSec policy invalidated proposal with error 256
ISAKMP:(2013):Checking IPSec proposal 4
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 128
ISAKMP: encaps is 61443 (Tunnel-UDP)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013):Checking IPSec proposal 4
ISAKMP:(2013):transform 1, IPPCP LZS
ISAKMP: attributes in transform:
ISAKMP: encaps is 61443 (Tunnel-UDP)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): IPSec policy invalidated proposal with error 256
ISAKMP:(2013):Checking IPSec proposal 5
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 256
ISAKMP: encaps is 61443 (Tunnel-UDP)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): IPSec policy invalidated proposal with error 256
ISAKMP:(2013):Checking IPSec proposal 6
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 256
ISAKMP: encaps is 61443 (Tunnel-UDP)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): IPSec policy invalidated proposal with error 256
ISAKMP:(2013):Checking IPSec proposal 7
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 128
ISAKMP: encaps is 61443 (Tunnel-UDP)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): IPSec policy invalidated proposal with error 256
ISAKMP:(2013):Checking IPSec proposal 8
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 128
ISAKMP: encaps is 61443 (Tunnel-UDP)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): IPSec policy invalidated proposal with error 256
ISAKMP:(2013):Checking IPSec proposal 9
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 61443 (Tunnel-UDP)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013):Checking IPSec proposal 9
ISAKMP:(2013):transform 1, IPPCP LZS
ISAKMP: attributes in transform:
ISAKMP: encaps is 61443 (Tunnel-UDP)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): IPSec policy invalidated proposal with error 256
ISAKMP:(2013):Checking IPSec proposal 10
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 61443 (Tunnel-UDP)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013):Checking IPSec proposal 10
ISAKMP:(2013):transform 1, IPPCP LZS
ISAKMP: attributes in transform:
ISAKMP: encaps is 61443 (Tunnel-UDP)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): IPSec policy invalidated proposal with error 256
ISAKMP:(2013):Checking IPSec proposal 11
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 61443 (Tunnel-UDP)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): IPSec policy invalidated proposal with error 256
ISAKMP:(2013):Checking IPSec proposal 12
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 61443 (Tunnel-UDP)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP:(2013):atts are acceptable.
ISAKMP:(2013): processing NONCE payload. message ID = -754602312
ISAKMP:(2013): processing ID payload. message ID = -754602312
ISAKMP:(2013): processing ID payload. message ID = -754602312
ISAKMP:(2013):QM Responder gets spi
ISAKMP:(2013):Node -754602312, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(2013):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
ISAKMP:(2013):deleting node -606598373 error FALSE reason "No Error"
ISAKMP:(2013): Creating IPSec SAs
inbound SA from 93.40.99.100 to 91.74.158.78 (f/i) 0/ 0
(proxy 192.168.0.9 to 0.0.0.0)
has spi 0x57D9DEE7 and conn_id 0
lifetime of 2147483 seconds
outbound SA from 91.74.158.78 to 93.40.99.100 (f/i) 0/0
(proxy 0.0.0.0 to 192.168.0.9)
has spi 0xFAB1F8B1 and conn_id 0
lifetime of 2147483 seconds
ISAKMP:(2013): sending packet to 93.40.99.100 my_port 4500 peer_port 64828 (R) QM_IDLE
ISAKMP:(2013):Sending an IKE IPv4 Packet.
ISAKMP:(2013):Node -754602312, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
ISAKMP:(2013):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
Sep 5 20:38:53: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 93.40.99.100:64828 Id: KBH
ISAKMP (0:2013): received packet from 93.40.99.100 dport 4500 sport 64828 Global (R) QM_IDLE
ISAKMP:(2013):deleting node -754602312 error FALSE reason "QM done (await)"
ISAKMP:(2013):Node -754602312, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(2013):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
ISAKMP (0:2013): received packet from 93.40.99.100 dport 4500 sport 64828 Global (R) QM_IDLE <--- Keepalive
ISAKMP: set new node -1985661453 to QM_IDLE
ISAKMP:(2013): processing HASH payload. message ID = -1985661453
ISAKMP:(2013): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -1985661453, sa = 828BBC8C
ISAKMP:(2013):deleting node -1985661453 error FALSE reason "Informational (in) state 1"
ISAKMP:(2013):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
ISAKMP:(2013):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP:(2013):DPD/R_U_THERE received from peer 93.40.99.100, sequence 0xEEC72B94
ISAKMP: set new node 1781890492 to QM_IDLE
ISAKMP:(2013):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2204214032, message ID = 1781890492
ISAKMP:(2013): seq. no 0xEEC72B94
ISAKMP:(2013): sending packet to 93.40.99.100 my_port 4500 peer_port 64828 (R) QM_IDLE
ISAKMP:(2013):Sending an IKE IPv4 Packet.
ISAKMP:(2013):purging node 1781890492
ISAKMP:(2013):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
ISAKMP:(2013):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP (0:2013): received packet from 93.40.99.100 dport 4500 sport 64828 Global (R) QM_IDLE <--- Disconnect by Client
ISAKMP: set new node 1627267609 to QM_IDLE
ISAKMP:(2013): processing HASH payload. message ID = 1627267609
ISAKMP:(2013): processing DELETE payload. message ID = 1627267609
ISAKMP:(2013):peer does not do paranoid keepalives.
ISAKMP:(2013):deleting node 1627267609 error FALSE reason "Informational (in) state 1"
Sep 5 20:39:14: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 93.40.99.100:64828 Id: KBH
ISAKMP (0:2013): received packet from 93.40.99.100 dport 4500 sport 64828 Global (R) QM_IDLE
ISAKMP: set new node 2142125117 to QM_IDLE
ISAKMP:(2013): processing HASH payload. message ID = 2142125117
ISAKMP:received payload type 18
ISAKMP:(2013):Processing delete with reason payload
ISAKMP:(2013):delete doi = 0
ISAKMP:(2013):delete protocol id = 1
ISAKMP:(2013):delete spi_size = 16
ISAKMP:(2013):delete num spis = 1
ISAKMP:(2013):delete_reason = 2
ISAKMP:(2013): processing DELETE_WITH_REASON payload, message ID = 2142125117, reason: DELETE_BY_USER_COMMAND
ISAKMP:(2013):peer does not do paranoid keepalives.
ISAKMP:(2013):deleting SA reason "BY user command" state (R) QM_IDLE (peer 93.40.99.100)
ISAKMP:(2013):deleting node 2142125117 error FALSE reason "Informational (in) state 1"
ISAKMP: set new node -990175086 to QM_IDLE
ISAKMP:(2013): sending packet to 93.40.99.100 my_port 4500 peer_port 64828 (R) QM_IDLE
ISAKMP:(2013):Sending an IKE IPv4 Packet.
ISAKMP:(2013):purging node -990175086
ISAKMP:(2013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
ISAKMP:(2013):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
ISAKMP:(2013):deleting SA reason "BY user command" state (R) QM_IDLE (peer 93.40.99.100)
ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
ISAKMP (0:2013): returning address 192.168.0.9 to pool
ISAKMP: Unlocking peer struct 0x832FC670 for isadb_mark_sa_deleted(), count 0
ISAKMP: returning address 192.168.0.9 to pool
ISAKMP: Deleting peer node by peer_reap for 93.40.99.100: 832FC670
ISAKMP: returning address 192.168.0.9 to pool
ISAKMP:(2013):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(2013):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Minimal configuration:
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
!
crypto isakmp client configuration group VPNGRP
key vpnkey
pool default
acl acl-split
!
crypto ipsec transform-set vpn-client esp-aes esp-sha-hmac
!
crypto dynamic-map clients 10
set transform-set vpn-client
reverse-route
!
!
crypto map CMP client authentication list default
crypto map CMP isakmp authorization list default
crypto map CMP client configuration address respond
crypto map CMP 65535 ipsec-isakmp dynamic clients
encr aes 256
authentication pre-share
group 2
!
crypto isakmp client configuration group VPNGRP
key vpnkey
pool default
acl acl-split
!
crypto ipsec transform-set vpn-client esp-aes esp-sha-hmac
!
crypto dynamic-map clients 10
set transform-set vpn-client
reverse-route
!
!
crypto map CMP client authentication list default
crypto map CMP isakmp authorization list default
crypto map CMP client configuration address respond
crypto map CMP 65535 ipsec-isakmp dynamic clients
Interface x/y
crypto map CMP
ip local pool default 192.168.0.1 192.168.0.100ip access-list extended acl-split
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
Labels:
Getting Started
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:
Customers Also Viewed These Support Documents