quick reference 10.0.0.188 = VPN Router Internal IP 10.0.0.191 = ASA IP address 10.0.12.0/24 = VPN Client IP Pool ================================================================== This is the RA-VPN router configuration ================================================================== sh run Building configuration... Current configuration : 1790 bytes ! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname VPNRouter ! boot-start-marker boot-end-marker ! enable secret 5 xxxxxxxxxxxxxxxxxxx ! aaa new-model ! ! aaa authentication login default local aaa authorization exec default local aaa authorization network default local ! aaa session-id common resource policy ! ! ! ip cef ! ! ! ! ! voice-card 0 no dspfarm ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! username xxxxxxxx privilege 15 secret 5 xxxxxxxxxx ! ! ! crypto isakmp policy 10 encr 3des authentication pre-share group 2 crypto isakmp xauth timeout 60 ! crypto isakmp client configuration group LA_BASE key 123456789test pool LA_POOL save-password crypto isakmp profile VPNC match identity group LA_BASE client authentication list LA_BASE isakmp authorization list LA_BASE client configuration address respond ! crypto ipsec security-association idle-time 1000 ! crypto ipsec transform-set TS esp-3des esp-sha-hmac ! crypto dynamic-map DMAP 10 set transform-set TS set isakmp-profile VPNC reverse-route ! (I tried to put match address 100 in here to define encrypted traffic, but cannot connect to vpn at all when this line is added) ! ! crypto map CMAP 15 ipsec-isakmp dynamic DMAP ! ! ! ! ! interface FastEthernet0/0 ip address 10.0.0.188 255.255.255.0 duplex auto speed auto crypto map CMAP ! interface FastEthernet0/1 no ip address shutdown duplex auto speed auto ! ip local pool LA_POOL 10.0.12.1 10.0.12.100 ip route 0.0.0.0 0.0.0.0 10.0.0.191 (.191 is ASAC1) ! ! ip http server no ip http secure-server ! access-list 100 permit ip 10.0.0.0 0.0.0.255 10.0.12.0 0.0.0.255 access-list 100 deny ip 10.0.0.0 0.0.255.255 any ! ! ! ! ! control-plane ! ! ! ! ! ! ! ! ! ! ! line con 0 logging synchronous line aux 0 line vty 0 4 ! scheduler allocate 20000 1000 ! end ======================================================================= ASA-config ACL is applied on outside interface inbound ======================================================================= access-list outside_INT_INBOUND extended permit udp any host x.x.x.86 eq 4500 access-list outside_INT_INBOUND extended permit udp any host x.x.x.86 eq isakmp access-list outside_INT_INBOUND extended permit esp any host x.x.x.86 static (inside,outside) x.x.x.86 10.0.0.188 netmask 255.255.255.255 route outside 0.0.0.0 0.0.0.0 x.x.x.91 1 route inside 10.0.12.0 255.255.255.0 10.0.0.188 1 ====================================================================== VPN Debug output (Without ACL 100 applied) ====================================================================== sh crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state conn-id slot status IPv6 Crypto ISAKMP SA VPNRA#sh crypto isakmp saclear crypto isakmp sh crypto isakmp sa psec sa  VPNRA# *Jul 8 16:10:14.720: ISAKMP (0:0): received packet from x.x.x..82 dport 500 sport 63301 Global (N) NEW SA *Jul 8 16:10:14.720: ISAKMP: Created a peer struct for x.x.x..82, peer port 63301 *Jul 8 16:10:14.720: ISAKMP: New peer created peer = 0x4675C13C peer_handle = 0x80000025 *Jul 8 16:10:14.720: ISAKMP: Locking peer struct 0x4675C13C, refcount 1 for crypto_isakmp_process_block *Jul 8 16:10:14.720: ISAKMP: local port 500, remote port 63301 *Jul 8 16:10:14.720: insert sa successfully sa = 47D57E18 *Jul 8 16:10:14.720: ISAKMP:(0): processing SA payload. message ID = 0 *Jul 8 16:10:14.720: ISAKMP:(0): processing ID payload. message ID = 0 *Jul 8 16:10:14.720: ISAKMP (0:0): ID payload next-payload : 13 type : 11 group id : LA_BASE protocol : 17 port : 500 length : 15 *Jul 8 16:10:14.720: ISAKMP:(0):: peer matches VPNC profile *Jul 8 16:10:14.720: ISAKMP:(0):Setting client config settings 474FC4D8 *Jul 8 16:10:14 VPNRA#.724: ISAKMP:(0):(Re)Setting client xauth list and state *Jul 8 16:10:14.724: ISAKMP/xauth: initializing AAA request *Jul 8 16:10:14.724: ISAKMP:(0): processing vendor id payload *Jul 8 16:10:14.724: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch *Jul 8 16:10:14.724: ISAKMP:(0): vendor ID is XAUTH *Jul 8 16:10:14.724: ISAKMP:(0): processing vendor id payload *Jul 8 16:10:14.724: ISAKMP:(0): vendor ID is DPD *Jul 8 16:10:14.724: ISAKMP:(0): processing vendor id payload *Jul 8 16:10:14.724: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch *Jul 8 16:10:14.724: ISAKMP:(0): processing vendor id payload *Jul 8 16:10:14.724: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch *Jul 8 16:10:14.724: ISAKMP:(0): vendor ID is NAT-T v2 *Jul 8 16:10:14.724: ISAKMP:(0): processing vendor id payload *Jul 8 16:10:14.724: ISAKMP:(0): vendor ID is Unity *Jul 8 16:10:14.724: ISAKMP:(0): Authentication by xauth preshared *Jul 8 16:10:14.724: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy *Jul 8 16:10:14.724: ISAKMP: encryption AES-CBC *Jul 8 16:10:14.724: ISAKMP: hash SHA *Jul 8 16:10:14.724: ISAKMP: default group 2 *Jul 8 16:10:14.724: ISAKMP: auth XAUTHInitPreShared *Jul 8 16:10:14.724: ISAKMP: life type in seconds *Jul 8 16:10:14.724: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:10:14.724: ISAKMP: keylength of 256 *Jul 8 16:10:14.724: ISAKMP:(0):Encryption algorithm offered does not match policy! *Jul 8 16:10:14.724: ISAKMP:(0):atts are not acceptable. Next payload is 3 *Jul 8 16:10:14.724: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy *Jul 8 16:10:14.724: ISAKMP: encryption AES-CBC *Jul 8 16:10:14.724: ISAKMP: hash MD5 *Jul 8 16:10:14.724: ISAKMP: default group 2 *Jul 8 16:10:14.724: ISAKMP: auth XAUTHInitPreShared *Jul 8 16:10:14.724: ISAKMP: life type in seconds *Jul 8 16:10:14.724: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:10:14.724: ISAKMP: keylength of 256 *Jul 8 16:10:14.724: ISAKMP:(0):Encryption algorithm offered does not match policy! *Jul 8 16:10:14.728: ISAKMP:(0):atts are not acceptable. Next payload is 3 *Jul 8 16:10:14.728: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy *Jul 8 16:10:14.728: ISAKMP: encryption AES-CBC *Jul 8 16:10:14.728: ISAKMP: hash SHA *Jul 8 16:10:14.728: ISAKMP: default group 2 *Jul 8 16:10:14.728: ISAKMP: auth pre-share *Jul 8 16:10:14.728: ISAKMP: life type in seconds *Jul 8 16:10:14.728: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:10:14.728: ISAKMP: keylength of 256 *Jul 8 16:10:14.728: ISAKMP:(0):Encryption algorithm offered does not match policy! *Jul 8 16:10:14.728: ISAKMP:(0):atts are not acceptable. Next payload is 3 *Jul 8 16:10:14.728: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy *Jul 8 16:10:14.728: ISAKMP: encryption AES-CBC *Jul 8 16:10:14.728: ISAKMP: hash MD5 *Jul 8 16:10:14.728: ISAKMP: default group 2 *Jul 8 16:10:14.728: ISAKMP: auth pre-share *Jul 8 16:10:14.728: ISAKMP: life type in seconds *Jul 8 16:10:14.728: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:10:14.728: ISAKMP: keylength of 256 *Jul 8 16:10:14.728: ISAKMP:(0):Encryption algorithm offered does not match policy! *Jul 8 16:10:14.728: ISAKMP:(0):atts are not acceptable. Next payload is 3 *Jul 8 16:10:14.728: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy *Jul 8 16:10:14.728: ISAKMP: encryption AES-CBC *Jul 8 16:10:14.728: ISAKMP: hash SHA *Jul 8 16:10:14.728: ISAKMP: default group 2 *Jul 8 16:10:14.728: ISAKMP: auth XAUTHInitPreShared *Jul 8 16:10:14.728: ISAKMP: life type in seconds *Jul 8 16:10:14.728: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:10:14.728: ISAKMP: keylength of 128 *Jul 8 16:10:14.728: ISAKMP:(0):Encryption algorithm offered does not match policy! *Jul 8 16:10:14.728: ISAKMP:(0):atts are not acceptable. Next payload is 3 *Jul 8 16:10:14.728: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy *Jul 8 16:10:14.728: ISAKMP: encryption AES-CBC *Jul 8 16:10:14.728: ISAKMP: hash MD5 *Jul 8 16:10:14.728: ISAKMP: default group 2 *Jul 8 16:10:14.728: ISAKMP: auth XAUTHInitPreShared *Jul 8 16:10:14.728: ISAKMP: life type in seconds *Jul 8 16:10:14.728: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:10:14.728: ISAKMP: keylength of 128 *Jul 8 16:10:14.728: ISAKMP:(0):Encryption algorithm offered does not match policy! *Jul 8 16:10:14.728: ISAKMP:(0):atts are not acceptable. Next payload is 3 *Jul 8 16:10:14.728: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy *Jul 8 16:10:14.728: ISAKMP: encryption AES-CBC *Jul 8 16:10:14.728: ISAKMP: hash SHA *Jul 8 16:10:14.728: ISAKMP: default group 2 *Jul 8 16:10:14.728: ISAKMP: auth pre-share *Jul 8 16:10:14.728: ISAKMP: life type in seconds *Jul 8 16:10:14.728: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:10:14.728: ISAKMP: keylength of 128 *Jul 8 16:10:14.728: ISAKMP:(0):Encryption algorithm offered does not match policy! *Jul 8 16:10:14.728: ISAKMP:(0):atts are not acceptable. Next payload is 3 *Jul 8 16:10:14.728: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy *Jul 8 16:10:14.728: ISAKMP: encryption AES-CBC *Jul 8 16:10:14.728: ISAKMP: hash MD5 *Jul 8 16:10:14.728: ISAKMP: default group 2 *Jul 8 16:10:14.728: ISAKMP: auth pre-share *Jul 8 16:10:14.728: ISAKMP: life type in seconds *Jul 8 16:10:14.728: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:10:14.732: ISAKMP: keylength of 128 *Jul 8 16:10:14.732: ISAKMP:(0):Encryption algorithm offered does not match policy! *Jul 8 16:10:14.732: ISAKMP:(0):atts are not acceptable. Next payload is 3 *Jul 8 16:10:14.732: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10 policy *Jul 8 16:10:14.732: ISAKMP: encryption 3DES-CBC *Jul 8 16:10:14.732: ISAKMP: hash SHA *Jul 8 16:10:14.732: ISAKMP: default group 2 *Jul 8 16:10:14.732: ISAKMP: auth XAUTHInitPreShared *Jul 8 16:10:14.732: ISAKMP: life type in seconds *Jul 8 16:10:14.732: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:10:14.732: ISAKMP:(0):atts are acceptable. Next payload is 3 *Jul 8 16:10:14.732: ISAKMP:(0): processing KE payload. message ID = 0 *Jul 8 16:10:14.780: ISAKMP:(0): processing NONCE payload. message ID = 0 *Jul 8 16:10:14.780: ISAKMP:(0): vendor ID is NAT-T v2 *Jul 8 16:10:14.780: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH *Jul 8 16:10:14.780: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT *Jul 8 16:10:14.784: ISAKMP:(1036): constructed NAT-T vendor-02 ID *Jul 8 16:10:14.784: ISAKMP:(1036):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR *Jul 8 16:10:14.784: ISAKMP (0:1036): ID payload next-payload : 10 type : 1 address : 10.0.0.188 protocol : 17 port : 0 length : 12 *Jul 8 16:10:14.784: ISAKMP:(1036):Total payload length: 12 *Jul 8 16:10:14.784: ISAKMP:(1036): sending packet to x.x.x..82 my_port 500 peer_port 63301 (R) AG_INIT_EXCH *Jul 8 16:10:14.784: ISAKMP:(1036):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY *Jul 8 16:10:14.784: ISAKMP:(1036):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2 *Jul 8 16:10:15.848: ISAKMP (0:1036): received packet from x.x.x..82 dport 4500 sport 63302 Global (R) AG_INIT_EXCH *Jul 8 16:10:15.848: ISAKMP:(1036): processing HASH payload. message ID = 0 *Jul 8 16:10:15.848: ISAKMP:(1036): processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 0, sa = 47D57E18 *Jul 8 16:10:15.848: ISAKMP:received payload type 20 *Jul 8 16:10:15.848: ISAKMP (0:1036): NAT found, the node inside NAT *Jul 8 16:10:15.848: ISAKMP:received payload type 20 *Jul 8 16:10:15.848: ISAKMP (0:1036): NAT found, both nodes are all located inside NAT *Jul 8 16:10:15.848: ISAKMP:(1036):SA authentication status: authenticated *Jul 8 16:10:15.848: ISAKMP:(1036):SA has been authenticated with x.x.x..82 *Jul 8 16:10:15.848: ISAKMP:(1036):Detected port,floating to port = 63302 *Jul 8 16:10:15.848: ISAKMP: Trying to find existing peer 10.0.0.188/x.x.x..82/63302/ *Jul 8 16:10:15.848: ISAKMP:(1036):SA authentication status: authenticated *Jul 8 16:10:15.848: ISAKMP:(1036): Process initial contact, bring down existing phase 1 and 2 SA's with local 10.0.0.188 remote x.x.x..82 remote port 63302 *Jul 8 16:10:15.848: ISAKMP:(1036):returning IP addr to the address pool *Jul 8 16:10:15.852: ISAKMP: Trying to insert a peer 10.0.0.188/x.x.x..82/63302/, and inserted successfully 4675C13C. *Jul 8 16:10:15.852: ISAKMP:(1036):Setting UDP ENC peer struct 0x466EB4D4 sa= 0x47D57E18 *Jul 8 16:10:15.852: IPSEC(key_engine): got a queue event with 1 KMI message(s) *Jul 8 16:10:15.852: ISAKMP: set new node 1880925051 to CONF_XAUTH *Jul 8 16:10:15.852: ISAKMP:(1036):Sending NOTIFY RESPONDER_LIFETIME protocol 1 spi 1201351416, message ID = 1880925051 *Jul 8 16:10:15.852: ISAKMP:(1036): sending packet to x.x.x..82 my_port 4500 peer_port 63302 (R) QM_IDLE *Jul 8 16:10:15.852: ISAKMP:(1036):purging node 1880925051 *Jul 8 16:10:15.852: ISAKMP: Sending phase 1 responder lifetime 86400 *Jul 8 16:10:15.856: ISAKMP:(1036):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH *Jul 8 16:10:15.856: ISAKMP:(1036):Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE *Jul 8 16:10:15.856: ISAKMP:(1036):Need XAUTH *Jul 8 16:10:15.856: ISAKMP: set new node -183242711 to CONF_XAUTH *Jul 8 16:10:15.856: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2 *Jul 8 16:10:15.856: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2 *Jul 8 16:10:15.856: ISAKMP:(1036): initiating peer config to x.x.x..82. ID = -183242711 *Jul 8 16:10:15.856: ISAKMP:(1036): sending packet to x.x.x..82 my_port 4500 peer_port 63302 (R) CONF_XAUTH *Jul 8 16:10:15.856: ISAKMP:(1036):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE *Jul 8 16:10:15.856: ISAKMP:(1036):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT *Jul 8 16:10:15.864: ISAKMP (0:1036): received packet from x.x.x..82 dport 4500 sport 63302 Global (R) CONF_XAUTH *Jul 8 16:10:15.864: ISAKMP:(1036):processing transaction payload from x.x.x..82. message ID = -183242711 *Jul 8 16:10:15.864: ISAKMP: Config payload REPLY *Jul 8 16:10:15.864: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2 *Jul 8 16:10:15.864: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2 *Jul 8 16:10:15.864: ISAKMP:(1036):deleting node -183242711 error FALSE reason "Done with xauth request/reply exchange" *Jul 8 16:10:15.864: ISAKMP:(1036):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY *Jul 8 16:10:15.864: ISAKMP:(1036):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT *Jul 8 16:10:15.876: ISAKMP: set new node -1293161026 to CONF_XAUTH *Jul 8 16:10:15.876: ISAKMP:(1036): initiating peer config to x.x.x..82. ID = -1293161026 *Jul 8 16:10:15.876: ISAKMP:(1036): sending packet to x.x.x..82 my_port 4500 peer_port 63302 (R) CONF_XAUTH *Jul 8 16:10:15.876: ISAKMP:(1036):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN *Jul 8 16:10:15.876: ISAKMP:(1036):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_SET_SENT *Jul 8 16:10:15.880: ISAKMP (0:1036): received packet from x.x.x..82 dport 4500 sport 63302 Global (R) CONF_XAUTH *Jul 8 16:10:15.880: ISAKMP:(1036):processing transaction payload from x.x.x..82. message ID = -1293161026 *Jul 8 16:10:15.884: ISAKMP: Config payload ACK *Jul 8 16:10:15.884: ISAKMP:(1036): (blank) XAUTH ACK Processed *Jul 8 16:10:15.884: ISAKMP:(1036):deleting node -1293161026 error FALSE reason "Transaction mode done" *Jul 8 16:10:15.884: ISAKMP:(1036):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK *Jul 8 16:10:15.884: ISAKMP:(1036):Old State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE *Jul 8 16:10:15.884: ISAKMP:(1036):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE *Jul 8 16:10:15.884: ISAKMP:(1036):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE *Jul 8 16:10:15.908: ISAKMP (0:1036): received packet from x.x.x..82 dport 4500 sport 63302 Global (R) QM_IDLE *Jul 8 16:10:15.908: ISAKMP: set new node -2072232156 to QM_IDLE *Jul 8 16:10:15.908: ISAKMP:(1036):processing transaction payload from x.x.x..82. message ID = -2072232156 *Jul 8 16:10:15.908: ISAKMP: Config payload REQUEST *Jul 8 16:10:15.908: ISAKMP:(1036):checking request: *Jul 8 16:10:15.908: ISAKMP: IP4_ADDRESS *Jul 8 16:10:15.908: ISAKMP: IP4_NETMASK *Jul 8 16:10:15.908: ISAKMP: IP4_DNS *Jul 8 16:10:15.908: ISAKMP: IP4_NBNS *Jul 8 16:10:15.908: ISAKMP: ADDRESS_EXPIRY *Jul 8 16:10:15.908: ISAKMP: MODECFG_BANNER *Jul 8 16:10:15.908: ISAKMP: MODECFG_SAVEPWD *Jul 8 16:10:15.908: ISAKMP: DEFAULT_DOMAIN *Jul 8 16:10:15.908: ISAKMP: SPLIT_INCLUDE *Jul 8 16:10:15.908: ISAKMP: SPLIT_DNS *Jul 8 16:10:15.912: ISAKMP: PFS *Jul 8 16:10:15.912: ISAKMP: MODECFG_BROWSER_PROXY *Jul 8 16:10:15.912: ISAKMP: BACKUP_SERVER *Jul 8 16:10:15.912: ISAKMP: CONFIG_MODE_UNKNOWN Unknown Attr: 0x700C *Jul 8 16:10:15.912: ISAKMP: APPLICATION_VERSION *Jul 8 16:10:15.912: ISAKMP: FW_RECORD *Jul 8 16:10:15.912: ISAKMP: MODECFG_HOSTNAME *Jul 8 16:10:15.912: ISAKMP/author: Author request for group LA_BASEsuccessfully sent to AAA *Jul 8 16:10:15.912: ISAKMP:(1036):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST *Jul 8 16:10:15.912: ISAKMP:(1036):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT *Jul 8 16:10:15.912: ISAKMP:(1036):attributes sent in message: *Jul 8 16:10:15.912: Address: 0.2.0.0 *Jul 8 16:10:15.912: ISAKMP:(1036):allocating address 10.0.12.35 *Jul 8 16:10:15.916: ISAKMP: Sending private address: 10.0.12.35 *Jul 8 16:10:15.916: ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the address: 86398 *Jul 8 16:10:15.916: ISAKMP: Sending save password reply value 1 *Jul 8 16:10:15.916: ISAKMP (0/1036): Unknown Attr: CONFIG_MODE_UNKNOWN (0x700C) *Jul 8 16:10:15.916: ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(9)T1, RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2006 by Cisco Systems, Inc. Compiled Wed 30-Aug-06 16:22 by prod_rel_team *Jul 8 16:10:15.916: ISAKMP (0/1036): Unknown Attr: MODECFG_HOSTNAME (0x700A) *Jul 8 16:10:15.916: ISAKMP:(1036): responding to peer config from x.x.x..82. ID = -2072232156 *Jul 8 16:10:15.916: ISAKMP:(1036): sending packet to x.x.x..82 my_port 4500 peer_port 63302 (R) CONF_ADDR *Jul 8 16:10:15.916: ISAKMP:(1036):deleting node -2072232156 error FALSE reason "No Error" *Jul 8 16:10:15.916: ISAKMP:(1036):Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR *Jul 8 16:10:15.916: ISAKMP:(1036):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_P1_COMPLETE *Jul 8 16:10:15.916: ISAKMP:(1036):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE *Jul 8 16:10:15.916: ISAKMP:(1036):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE *Jul 8 16:10:15.936: ISAKMP (0:1036): received packet from x.x.x..82 dport 4500 sport 63302 Global (R) QM_IDLE *Jul 8 16:10:15.936: ISAKMP: set new node 605473272 to QM_IDLE *Jul 8 16:10:15.936: ISAKMP:(1036): processing HASH payload. message ID = 605473272 *Jul 8 16:10:15.936: ISAKMP:(1036): processing SA payload. message ID = 605473272 *Jul 8 16:10:15.936: ISAKMP:(1036):Checking IPSec proposal 1 *Jul 8 16:10:15.936: ISAKMP: transform 1, ESP_AES *Jul 8 16:10:15.936: ISAKMP: attributes in transform: *Jul 8 16:10:15.936: ISAKMP: authenticator is HMAC-MD5 *Jul 8 16:10:15.936: ISAKMP: key length is 256 *Jul 8 16:10:15.936: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:10:15.936: ISAKMP: SA life type in seconds *Jul 8 16:10:15.936: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:10:15.936: ISAKMP:(1036):atts are acceptable. *Jul 8 16:10:15.940: ISAKMP:(1036):Checking IPSec proposal 1 *Jul 8 16:10:15.940: ISAKMP:(1036):transform 1, IPPCP LZS *Jul 8 16:10:15.940: ISAKMP: attributes in transform: *Jul 8 16:10:15.940: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:10:15.940: ISAKMP: SA life type in seconds *Jul 8 16:10:15.940: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:10:15.940: ISAKMP:(1036):atts are acceptable. *Jul 8 16:10:15.940: IPSEC(validate_proposal_request): proposal part #1 *Jul 8 16:10:15.940: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 10.0.0.188, remote= x.x.x..82, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.0.12.35/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-aes 256 esp-md5-hmac (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0 *Jul 8 16:10:15.940: IPSEC(validate_proposal_request): proposal part #2 *Jul 8 16:10:15.940: IPSEC(validate_proposal_request): proposal part #2, (key eng. msg.) INBOUND local= 10.0.0.188, remote= x.x.x..82, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.0.12.35/255.255.255.255/0/0 (type=1), protocol= PCP, transform= comp-lzs (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0 *Jul 8 16:10:15.940: IPSEC(crypto_ipsec_process_proposal): transform proposal not supported for identity: {esp-aes 256 esp-md5-hmac comp-lzs } *Jul 8 16:10:15.940: ISAKMP:(1036): IPSec policy invalidated proposal with error 256 *Jul 8 16:10:15.940: ISAKMP:(1036):Checking IPSec proposal 2 *Jul 8 16:10:15.940: ISAKMP: transform 1, ESP_AES *Jul 8 16:10:15.940: ISAKMP: attributes in transform: *Jul 8 16:10:15.940: ISAKMP: authenticator is HMAC-SHA *Jul 8 16:10:15.940: ISAKMP: key length is 256 *Jul 8 16:10:15.940: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:10:15.940: ISAKMP: SA life type in seconds *Jul 8 16:10:15.940: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:10:15.940: ISAKMP:(1036):atts are acceptable. *Jul 8 16:10:15.940: ISAKMP:(1036):Checking IPSec proposal 2 *Jul 8 16:10:15.940: ISAKMP:(1036):transform 1, IPPCP LZS *Jul 8 16:10:15.940: ISAKMP: attributes in transform: *Jul 8 16:10:15.940: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:10:15.940: ISAKMP: SA life type in seconds *Jul 8 16:10:15.940: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:10:15.940: ISAKMP:(1036):atts are acceptable. *Jul 8 16:10:15.940: IPSEC(validate_proposal_request): proposal part #1 *Jul 8 16:10:15.940: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 10.0.0.188, remote= x.x.x..82, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.0.12.35/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0 *Jul 8 16:10:15.944: IPSEC(validate_proposal_request): proposal part #2 *Jul 8 16:10:15.944: IPSEC(validate_proposal_request): proposal part #2, (key eng. msg.) INBOUND local= 10.0.0.188, remote= x.x.x..82, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.0.12.35/255.255.255.255/0/0 (type=1), protocol= PCP, transform= comp-lzs (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0 *Jul 8 16:10:15.944: IPSEC(crypto_ipsec_process_proposal): transform proposal not supported for identity: {esp-aes 256 esp-sha-hmac comp-lzs } *Jul 8 16:10:15.944: ISAKMP:(1036): IPSec policy invalidated proposal with error 256 *Jul 8 16:10:15.944: ISAKMP:(1036):Checking IPSec proposal 3 *Jul 8 16:10:15.944: ISAKMP: transform 1, ESP_AES *Jul 8 16:10:15.944: ISAKMP: attributes in transform: *Jul 8 16:10:15.944: ISAKMP: authenticator is HMAC-MD5 *Jul 8 16:10:15.944: ISAKMP: key length is 128 *Jul 8 16:10:15.944: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:10:15.944: ISAKMP: SA life type in seconds *Jul 8 16:10:15.944: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:10:15.944: ISAKMP:(1036):atts are acceptable. *Jul 8 16:10:15.944: ISAKMP:(1036):Checking IPSec proposal 3 *Jul 8 16:10:15.944: ISAKMP:(1036):transform 1, IPPCP LZS *Jul 8 16:10:15.944: ISAKMP: attributes in transform: *Jul 8 16:10:15.944: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:10:15.944: ISAKMP: SA life type in seconds *Jul 8 16:10:15.944: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:10:15.944: ISAKMP:(1036):atts are acceptable. *Jul 8 16:10:15.944: IPSEC(validate_proposal_request): proposal part #1 *Jul 8 16:10:15.944: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 10.0.0.188, remote= x.x.x..82, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.0.12.35/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-aes esp-md5-hmac (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0 *Jul 8 16:10:15.944: IPSEC(validate_proposal_request): proposal part #2 *Jul 8 16:10:15.944: IPSEC(validate_proposal_request): proposal part #2, (key eng. msg.) INBOUND local= 10.0.0.188, remote= x.x.x..82, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.0.12.35/255.255.255.255/0/0 (type=1), protocol= PCP, transform= comp-lzs (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0 *Jul 8 16:10:15.944: IPSEC(crypto_ipsec_process_proposal): transform proposal not supported for identity: {esp-aes esp-md5-hmac comp-lzs } *Jul 8 16:10:15.944: ISAKMP:(1036): IPSec policy invalidated proposal with error 256 *Jul 8 16:10:15.944: ISAKMP:(1036):Checking IPSec proposal 4 *Jul 8 16:10:15.944: ISAKMP: transform 1, ESP_AES *Jul 8 16:10:15.944: ISAKMP: attributes in transform: *Jul 8 16:10:15.944: ISAKMP: authenticator is HMAC-SHA *Jul 8 16:10:15.944: ISAKMP: key length is 128 *Jul 8 16:10:15.944: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:10:15.948: ISAKMP: SA life type in seconds *Jul 8 16:10:15.948: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:10:15.948: ISAKMP:(1036):atts are acceptable. *Jul 8 16:10:15.948: ISAKMP:(1036):Checking IPSec proposal 4 *Jul 8 16:10:15.948: ISAKMP:(1036):transform 1, IPPCP LZS *Jul 8 16:10:15.948: ISAKMP: attributes in transform: *Jul 8 16:10:15.948: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:10:15.948: ISAKMP: SA life type in seconds *Jul 8 16:10:15.948: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:10:15.948: ISAKMP:(1036):atts are acceptable. *Jul 8 16:10:15.948: IPSEC(validate_proposal_request): proposal part #1 *Jul 8 16:10:15.948: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 10.0.0.188, remote= x.x.x..82, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.0.12.35/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0 *Jul 8 16:10:15.948: IPSEC(validate_proposal_request): proposal part #2 *Jul 8 16:10:15.948: IPSEC(validate_proposal_request): proposal part #2, (key eng. msg.) INBOUND local= 10.0.0.188, remote= x.x.x..82, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.0.12.35/255.255.255.255/0/0 (type=1), protocol= PCP, transform= comp-lzs (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0 *Jul 8 16:10:15.948: IPSEC(crypto_ipsec_process_proposal): transform proposal not supported for identity: {esp-aes esp-sha-hmac comp-lzs } *Jul 8 16:10:15.948: ISAKMP:(1036): IPSec policy invalidated proposal with error 256 *Jul 8 16:10:15.948: ISAKMP:(1036):Checking IPSec proposal 5 *Jul 8 16:10:15.948: ISAKMP: transform 1, ESP_AES *Jul 8 16:10:15.948: ISAKMP: attributes in transform: *Jul 8 16:10:15.948: ISAKMP: authenticator is HMAC-MD5 *Jul 8 16:10:15.948: ISAKMP: key length is 256 *Jul 8 16:10:15.948: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:10:15.948: ISAKMP: SA life type in seconds *Jul 8 16:10:15.948: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:10:15.948: ISAKMP:(1036):atts are acceptable. *Jul 8 16:10:15.948: IPSEC(validate_proposal_request): proposal part #1 *Jul 8 16:10:15.948: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 10.0.0.188, remote= x.x.x..82, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.0.12.35/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-aes 256 esp-md5-hmac (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0 *Jul 8 16:10:15.948: IPSEC(crypto_ipsec_process_proposal): transform proposal not supported for identity: {esp-aes 256 esp-md5-hmac } *Jul 8 16:10:15.948: ISAKMP:(1036): IPSec policy invalidated proposal with error 256 *Jul 8 16:10:15.948: ISAKMP:(1036):Checking IPSec proposal 6 *Jul 8 16:10:15.948: ISAKMP: transform 1, ESP_AES *Jul 8 16:10:15.948: ISAKMP: attributes in transform: *Jul 8 16:10:15.948: ISAKMP: authenticator is HMAC-SHA *Jul 8 16:10:15.948: ISAKMP: key length is 256 *Jul 8 16:10:15.948: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:10:15.948: ISAKMP: SA life type in seconds *Jul 8 16:10:15.952: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:10:15.952: ISAKMP:(1036):atts are acceptable. *Jul 8 16:10:15.952: IPSEC(validate_proposal_request): proposal part #1 *Jul 8 16:10:15.952: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 10.0.0.188, remote= x.x.x..82, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.0.12.35/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0 *Jul 8 16:10:15.952: IPSEC(crypto_ipsec_process_proposal): transform proposal not supported for identity: {esp-aes 256 esp-sha-hmac } *Jul 8 16:10:15.952: ISAKMP:(1036): IPSec policy invalidated proposal with error 256 *Jul 8 16:10:15.952: ISAKMP:(1036):Checking IPSec proposal 7 *Jul 8 16:10:15.952: ISAKMP: transform 1, ESP_AES *Jul 8 16:10:15.952: ISAKMP: attributes in transform: *Jul 8 16:10:15.952: ISAKMP: authenticator is HMAC-MD5 *Jul 8 16:10:15.952: ISAKMP: key length is 128 *Jul 8 16:10:15.952: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:10:15.952: ISAKMP: SA life type in seconds *Jul 8 16:10:15.952: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:10:15.952: ISAKMP:(1036):atts are acceptable. *Jul 8 16:10:15.952: IPSEC(validate_proposal_request): proposal part #1 *Jul 8 16:10:15.952: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 10.0.0.188, remote= x.x.x..82, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.0.12.35/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-aes esp-md5-hmac (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0 *Jul 8 16:10:15.952: IPSEC(crypto_ipsec_process_proposal): transform proposal not supported for identity: {esp-aes esp-md5-hmac } *Jul 8 16:10:15.952: ISAKMP:(1036): IPSec policy invalidated proposal with error 256 *Jul 8 16:10:15.952: ISAKMP:(1036):Checking IPSec proposal 8 *Jul 8 16:10:15.952: ISAKMP: transform 1, ESP_AES *Jul 8 16:10:15.952: ISAKMP: attributes in transform: *Jul 8 16:10:15.952: ISAKMP: authenticator is HMAC-SHA *Jul 8 16:10:15.952: ISAKMP: key length is 128 *Jul 8 16:10:15.952: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:10:15.952: ISAKMP: SA life type in seconds *Jul 8 16:10:15.952: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:10:15.952: ISAKMP:(1036):atts are acceptable. *Jul 8 16:10:15.952: IPSEC(validate_proposal_request): proposal part #1 *Jul 8 16:10:15.952: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 10.0.0.188, remote= x.x.x..82, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.0.12.35/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0 *Jul 8 16:10:15.952: IPSEC(crypto_ipsec_process_proposal): transform proposal not supported for identity: {esp-aes esp-sha-hmac } *Jul 8 16:10:15.952: ISAKMP:(1036): IPSec policy invalidated proposal with error 256 *Jul 8 16:10:15.952: ISAKMP:(1036):Checking IPSec proposal 9 *Jul 8 16:10:15.952: ISAKMP: transform 1, ESP_3DES *Jul 8 16:10:15.952: ISAKMP: attributes in transform: *Jul 8 16:10:15.952: ISAKMP: authenticator is HMAC-MD5 *Jul 8 16:10:15.952: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:10:15.952: ISAKMP: SA life type in seconds *Jul 8 16:10:15.952: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:10:15.956: ISAKMP:(1036):atts are acceptable. *Jul 8 16:10:15.956: ISAKMP:(1036):Checking IPSec proposal 9 *Jul 8 16:10:15.956: ISAKMP:(1036):transform 1, IPPCP LZS *Jul 8 16:10:15.956: ISAKMP: attributes in transform: *Jul 8 16:10:15.956: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:10:15.956: ISAKMP: SA life type in seconds *Jul 8 16:10:15.956: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:10:15.956: ISAKMP:(1036):atts are acceptable. *Jul 8 16:10:15.956: IPSEC(validate_proposal_request): proposal part #1 *Jul 8 16:10:15.956: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 10.0.0.188, remote= x.x.x..82, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.0.12.35/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0 *Jul 8 16:10:15.956: IPSEC(validate_proposal_request): proposal part #2 *Jul 8 16:10:15.956: IPSEC(validate_proposal_request): proposal part #2, (key eng. msg.) INBOUND local= 10.0.0.188, remote= x.x.x..82, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.0.12.35/255.255.255.255/0/0 (type=1) *Jul 8 16:10:15.976: IPSEC(update_current_outbound_sa): updated peer x.x.x..82 current outbound sa to SPI 6B99F47A *Jul 8 16:10:19.808: IPSEC(epa_des_crypt): decrypted packet failed SA identity check *Jul 8 16:10:22.816: IPSEC(epa_des_crypt): decrypted packet failed SA identity check *Jul 8 16:10:26.168: ISAKMP (0:1036): received packet from x.x.x..82 dport 4500 sport 63302 Global (R) QM_IDLE *Jul 8 16:10:26.168: ISAKMP: set new node 2085708219 to QM_IDLE *Jul 8 16:10:26.168: ISAKMP:(1036): processing HASH payload. message ID = 2085708219 *Jul 8 16:10:26.168: ISAKMP:(1036): processing NOTIFY DPD/R_U_THERE protocol 1 spi 0, message ID = 2085708219, sa = 47D57E18 *Jul 8 16:10:26.168: ISAKMP:(1036):deleting node 2085708219 error FALSE reason "Informational (in) state 1" *Jul 8 16:10:26.168: ISAKMP:(1036):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY *Jul 8 16:10:26.168: ISAKMP:(1036):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE *Jul 8 16:10:26.172: ISAKMP:(1036):DPD/R_U_THERE received from peer x.x.x..82, sequence 0x27F61728 *Jul 8 16:10:26.172: ISAKMP: set new node -1759110363 to QM_IDLE *Jul 8 16:10:26.172: ISAKMP:(1036):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 1201351968, message ID = -1759110363 *Jul 8 16:10:26.172: ISAKMP:(1036): seq. no 0x27F61728 *Jul 8 16:10:26.172: ISAKMP:(1036): sending packet to x.x.x..82 my_port 4500 peer_port 63302 (R) QM_IDLE *Jul 8 16:10:26.172: ISAKMP:(1036):purging node -1759110363 *Jul 8 16:10:26.172: ISAKMP:(1036):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE *Jul 8 16:10:26.172: ISAKMP:(1036):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE *Jul 8 16:10:36.184: ISAKMP (0:1036): received packet from x.x.x..82 dport 4500 sport 63302 Global (R) QM_IDLE *Jul 8 16:10:36.184: ISAKMP: set new node 1381428655 to QM_IDLE *Jul 8 16:10:36.184: ISAKMP:(1036): processing HASH payload. message ID = 1381428655 *Jul 8 16:10:36.184: ISAKMP:(1036): processing NOTIFY DPD/R_U_THERE protocol 1 spi 0, message ID = 1381428655, sa = 47D57E18 *Jul 8 16:10:36.184: ISAKMP:(1036):deleting node 1381428655 error FALSE reason "Informational (in) state 1" *Jul 8 16:10:36.184: ISAKMP:(1036):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY *Jul 8 16:10:36.184: ISAKMP:(1036):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE *Jul 8 16:10:36.184: ISAKMP:(1036):DPD/R_U_THERE received from peer x.x.x..82, sequence 0x27F61729 *Jul 8 16:10:36.184: ISAKMP: set new node -808157763 to QM_IDLE *Jul 8 16:10:36.188: ISAKMP:(1036):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 1201351968, message ID = -808157763 *Jul 8 16:10:36.188: ISAKMP:(1036): seq. no 0x27F61729 *Jul 8 16:10:36.188: ISAKMP:(1036): sending packet to x.x.x..82 my_port 4500 peer_port 63302 (R) QM_IDLE *Jul 8 16:10:36.188: ISAKMP:(1036):purging node -808157763 *Jul 8 16:10:36.188: ISAKMP:(1036):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE *Jul 8 16:10:36.188: ISAKMP:(1036):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE VPNRA# VPNRA# ======================================================================================== ADDING ACL 100 to Dynamic MAP VPNRA(config)#crypto dynamic-map DMAP 10 VPNRA(config-crypto-map)#match ? address Match address of packets to encrypt. VPNRA(config-crypto-map)#match address 100 ======================================================================================= *Jul 8 16:21:37.224: ISAKMP (0:0): received packet from x.x.x.82 dport 500 sport 64914 Global (N) NEW SA *Jul 8 16:21:37.224: ISAKMP: Created a peer struct for x.x.x.82, peer port 64914 *Jul 8 16:21:37.224: ISAKMP: New peer created peer = 0x47D30C20 peer_handle = 0x80000026 *Jul 8 16:21:37.228: ISAKMP: Locking peer struct 0x47D30C20, refcount 1 for crypto_isakmp_process_block *Jul 8 16:21:37.228: ISAKMP: local port 500, remote port 64914 *Jul 8 16:21:37.228: insert sa successfully sa = 47D57190 *Jul 8 16:21:37.228: ISAKMP:(0): processing SA payload. message ID = 0 *Jul 8 16:21:37.228: ISAKMP:(0): processing ID payload. message ID = 0 *Jul 8 16:21:37.228: ISAKMP (0:0): ID payload next-payload : 13 type : 11 group id : LA_BASE protocol : 17 port : 500 length : 15 *Jul 8 16:21:37.228: ISAKMP:(0):: peer matches VPNC profile *Jul 8 16:21:37.228: ISAKMP:(0):Setting client config settings 474FC4D8 *Jul 8 16:21:37 VPNRA#.228: ISAKMP:(0):(Re)Setting client xauth list and state *Jul 8 16:21:37.228: ISAKMP/xauth: initializing AAA request *Jul 8 16:21:37.228: ISAKMP:(0): processing vendor id payload *Jul 8 16:21:37.228: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch *Jul 8 16:21:37.228: ISAKMP:(0): vendor ID is XAUTH *Jul 8 16:21:37.228: ISAKMP:(0): processing vendor id payload *Jul 8 16:21:37.228: ISAKMP:(0): vendor ID is DPD *Jul 8 16:21:37.228: ISAKMP:(0): processing vendor id payload *Jul 8 16:21:37.228: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch *Jul 8 16:21:37.228: ISAKMP:(0): processing vendor id payload *Jul 8 16:21:37.228: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch *Jul 8 16:21:37.228: ISAKMP:(0): vendor ID is NAT-T v2 *Jul 8 16:21:37.228: ISAKMP:(0): processing vendor id payload *Jul 8 16:21:37.232: ISAKMP:(0): vendor ID is Unity *Jul 8 16:21:37.232: ISAKMP:(0): Authentication by xauth preshared *Jul 8 16:21:37.232: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy *Jul 8 16:21:37.232: ISAKMP: encryption AES-CBC *Jul 8 16:21:37.232: ISAKMP: hash SHA *Jul 8 16:21:37.232: ISAKMP: default group 2 *Jul 8 16:21:37.232: ISAKMP: auth XAUTHInitPreShared *Jul 8 16:21:37.232: ISAKMP: life type in seconds *Jul 8 16:21:37.232: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:21:37.232: ISAKMP: keylength of 256 *Jul 8 16:21:37.232: ISAKMP:(0):Encryption algorithm offered does not match policy! *Jul 8 16:21:37.232: ISAKMP:(0):atts are not acceptable. Next payload is 3 *Jul 8 16:21:37.232: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy *Jul 8 16:21:37.232: ISAKMP: encryption AES-CBC *Jul 8 16:21:37.232: ISAKMP: hash MD5 *Jul 8 16:21:37.232: ISAKMP: default group 2 *Jul 8 16:21:37.232: ISAKMP: auth XAUTHInitPreShared *Jul 8 16:21:37.232: ISAKMP: life type in seconds *Jul 8 16:21:37.232: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:21:37.232: ISAKMP: keylength of 256 *Jul 8 16:21:37.232: ISAKMP:(0):Encryption algorithm offered does not match policy! *Jul 8 16:21:37.232: ISAKMP:(0):atts are not acceptable. Next payload is 3 *Jul 8 16:21:37.232: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy *Jul 8 16:21:37.232: ISAKMP: encryption AES-CBC *Jul 8 16:21:37.232: ISAKMP: hash SHA *Jul 8 16:21:37.232: ISAKMP: default group 2 *Jul 8 16:21:37.232: ISAKMP: auth pre-share *Jul 8 16:21:37.232: ISAKMP: life type in seconds *Jul 8 16:21:37.232: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:21:37.232: ISAKMP: keylength of 256 *Jul 8 16:21:37.232: ISAKMP:(0):Encryption algorithm offered does not match policy! *Jul 8 16:21:37.232: ISAKMP:(0):atts are not acceptable. Next payload is 3 *Jul 8 16:21:37.232: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy *Jul 8 16:21:37.232: ISAKMP: encryption AES-CBC *Jul 8 16:21:37.232: ISAKMP: hash MD5 *Jul 8 16:21:37.232: ISAKMP: default group 2 *Jul 8 16:21:37.232: ISAKMP: auth pre-share *Jul 8 16:21:37.232: ISAKMP: life type in seconds *Jul 8 16:21:37.232: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:21:37.232: ISAKMP: keylength of 256 *Jul 8 16:21:37.232: ISAKMP:(0):Encryption algorithm offered does not match policy! *Jul 8 16:21:37.232: ISAKMP:(0):atts are not acceptable. Next payload is 3 *Jul 8 16:21:37.232: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy *Jul 8 16:21:37.232: ISAKMP: encryption AES-CBC *Jul 8 16:21:37.232: ISAKMP: hash SHA *Jul 8 16:21:37.232: ISAKMP: default group 2 *Jul 8 16:21:37.232: ISAKMP: auth XAUTHInitPreShared *Jul 8 16:21:37.232: ISAKMP: life type in seconds *Jul 8 16:21:37.236: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:21:37.236: ISAKMP: keylength of 128 *Jul 8 16:21:37.236: ISAKMP:(0):Encryption algorithm offered does not match policy! *Jul 8 16:21:37.236: ISAKMP:(0):atts are not acceptable. Next payload is 3 *Jul 8 16:21:37.236: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy *Jul 8 16:21:37.236: ISAKMP: encryption AES-CBC *Jul 8 16:21:37.236: ISAKMP: hash MD5 *Jul 8 16:21:37.236: ISAKMP: default group 2 *Jul 8 16:21:37.236: ISAKMP: auth XAUTHInitPreShared *Jul 8 16:21:37.236: ISAKMP: life type in seconds *Jul 8 16:21:37.236: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:21:37.236: ISAKMP: keylength of 128 *Jul 8 16:21:37.236: ISAKMP:(0):Encryption algorithm offered does not match policy! *Jul 8 16:21:37.236: ISAKMP:(0):atts are not acceptable. Next payload is 3 *Jul 8 16:21:37.236: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy *Jul 8 16:21:37.236: ISAKMP: encryption AES-CBC *Jul 8 16:21:37.236: ISAKMP: hash SHA *Jul 8 16:21:37.236: ISAKMP: default group 2 *Jul 8 16:21:37.236: ISAKMP: auth pre-share *Jul 8 16:21:37.236: ISAKMP: life type in seconds *Jul 8 16:21:37.236: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:21:37.236: ISAKMP: keylength of 128 *Jul 8 16:21:37.236: ISAKMP:(0):Encryption algorithm offered does not match policy! *Jul 8 16:21:37.236: ISAKMP:(0):atts are not acceptable. Next payload is 3 *Jul 8 16:21:37.236: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy *Jul 8 16:21:37.236: ISAKMP: encryption AES-CBC *Jul 8 16:21:37.236: ISAKMP: hash MD5 *Jul 8 16:21:37.236: ISAKMP: default group 2 *Jul 8 16:21:37.236: ISAKMP: auth pre-share *Jul 8 16:21:37.236: ISAKMP: life type in seconds *Jul 8 16:21:37.236: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:21:37.236: ISAKMP: keylength of 128 *Jul 8 16:21:37.236: ISAKMP:(0):Encryption algorithm offered does not match policy! *Jul 8 16:21:37.236: ISAKMP:(0):atts are not acceptable. Next payload is 3 *Jul 8 16:21:37.236: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10 policy *Jul 8 16:21:37.236: ISAKMP: encryption 3DES-CBC *Jul 8 16:21:37.236: ISAKMP: hash SHA *Jul 8 16:21:37.236: ISAKMP: default group 2 *Jul 8 16:21:37.236: ISAKMP: auth XAUTHInitPreShared *Jul 8 16:21:37.236: ISAKMP: life type in seconds *Jul 8 16:21:37.236: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:21:37.236: ISAKMP:(0):atts are acceptable. Next payload is 3 *Jul 8 16:21:37.236: ISAKMP:(0): processing KE payload. message ID = 0 *Jul 8 16:21:37.284: ISAKMP:(0): processing NONCE payload. message ID = 0 *Jul 8 16:21:37.284: ISAKMP:(0): vendor ID is NAT-T v2 *Jul 8 16:21:37.288: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH *Jul 8 16:21:37.288: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT *Jul 8 16:21:37.288: ISAKMP:(1037): constructed NAT-T vendor-02 ID *Jul 8 16:21:37.288: ISAKMP:(1037):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR *Jul 8 16:21:37.288: ISAKMP (0:1037): ID payload next-payload : 10 type : 1 address : 10.0.0.188 protocol : 17 port : 0 length : 12 *Jul 8 16:21:37.288: ISAKMP:(1037):Total payload length: 12 *Jul 8 16:21:37.292: ISAKMP:(1037): sending packet to x.x.x.82 my_port 500 peer_port 64914 (R) AG_INIT_EXCH *Jul 8 16:21:37.292: ISAKMP:(1037):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY *Jul 8 16:21:37.292: ISAKMP:(1037):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2 *Jul 8 16:21:37.320: ISAKMP (0:1037): received packet from x.x.x.82 dport 4500 sport 64915 Global (R) AG_INIT_EXCH *Jul 8 16:21:37.320: ISAKMP:(1037): processing HASH payload. message ID = 0 *Jul 8 16:21:37.320: ISAKMP:(1037): processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 0, sa = 47D57190 *Jul 8 16:21:37.320: ISAKMP:received payload type 20 *Jul 8 16:21:37.320: ISAKMP (0:1037): NAT found, the node inside NAT *Jul 8 16:21:37.320: ISAKMP:received payload type 20 *Jul 8 16:21:37.324: ISAKMP (0:1037): NAT found, both nodes are all located inside NAT *Jul 8 16:21:37.324: ISAKMP:(1037):SA authentication status: authenticated *Jul 8 16:21:37.324: ISAKMP:(1037):SA has been authenticated with x.x.x.82 *Jul 8 16:21:37.324: ISAKMP:(1037):Detected port,floating to port = 64915 *Jul 8 16:21:37.324: ISAKMP: Trying to find existing peer 10.0.0.188/x.x.x.82/64915/ *Jul 8 16:21:37.324: ISAKMP:(1037):SA authentication status: authenticated *Jul 8 16:21:37.324: ISAKMP:(1037): Process initial contact, bring down existing phase 1 and 2 SA's with local 10.0.0.188 remote x.x.x.82 remote port 64915 *Jul 8 16:21:37.324: ISAKMP:(1037):returning IP addr to the address pool *Jul 8 16:21:37.324: ISAKMP: Trying to insert a peer 10.0.0.188/x.x.x.82/64915/, and inserted successfully 47D30C20. *Jul 8 16:21:37.324: ISAKMP:(1037):Setting UDP ENC peer struct 0x466EB4D4 sa= 0x47D57190 *Jul 8 16:21:37.324: ISAKMP: set new node 492797814 to CONF_XAUTH *Jul 8 16:21:37.324: ISAKMP:(1037):Sending NOTIFY RESPONDER_LIFETIME protocol 1 spi 1201351416, message ID = 492797814 *Jul 8 16:21:37.324: ISAKMP:(1037): sending packet to x.x.x.82 my_port 4500 peer_port 64915 (R) QM_IDLE *Jul 8 16:21:37.324: ISAKMP:(1037):purging node 492797814 *Jul 8 16:21:37.328: ISAKMP: Sending phase 1 responder lifetime 86400 *Jul 8 16:21:37.328: ISAKMP:(1037):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH *Jul 8 16:21:37.328: ISAKMP:(1037):Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE *Jul 8 16:21:37.328: IPSEC(key_engine): got a queue event with 1 KMI message(s) *Jul 8 16:21:37.328: ISAKMP:(1037):Need XAUTH *Jul 8 16:21:37.328: ISAKMP: set new node -1461154872 to CONF_XAUTH *Jul 8 16:21:37.328: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2 *Jul 8 16:21:37.328: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2 *Jul 8 16:21:37.328: ISAKMP:(1037): initiating peer config to x.x.x.82. ID = -1461154872 *Jul 8 16:21:37.328: ISAKMP:(1037): sending packet to x.x.x.82 my_port 4500 peer_port 64915 (R) CONF_XAUTH *Jul 8 16:21:37.332: ISAKMP:(1037):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE *Jul 8 16:21:37.332: ISAKMP:(1037):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT *Jul 8 16:21:37.340: ISAKMP (0:1037): received packet from x.x.x.82 dport 4500 sport 64915 Global (R) CONF_XAUTH *Jul 8 16:21:37.340: ISAKMP:(1037):processing transaction payload from x.x.x.82. message ID = -1461154872 *Jul 8 16:21:37.340: ISAKMP: Config payload REPLY *Jul 8 16:21:37.340: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2 *Jul 8 16:21:37.340: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2 *Jul 8 16:21:37.340: ISAKMP:(1037):deleting node -1461154872 error FALSE reason "Done with xauth request/reply exchange" *Jul 8 16:21:37.340: ISAKMP:(1037):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY *Jul 8 16:21:37.340: ISAKMP:(1037):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT *Jul 8 16:21:37.352: ISAKMP: set new node -1541276471 to CONF_XAUTH *Jul 8 16:21:37.352: ISAKMP:(1037): initiating peer config to x.x.x.82. ID = -1541276471 *Jul 8 16:21:37.352: ISAKMP:(1037): sending packet to x.x.x.82 my_port 4500 peer_port 64915 (R) CONF_XAUTH *Jul 8 16:21:37.352: ISAKMP:(1037):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN *Jul 8 16:21:37.352: ISAKMP:(1037):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_SET_SENT *Jul 8 16:21:37.360: ISAKMP (0:1037): received packet from x.x.x.82 dport 4500 sport 64915 Global (R) CONF_XAUTH *Jul 8 16:21:37.364: ISAKMP:(1037):processing transaction payload from x.x.x.82. message ID = -1541276471 *Jul 8 16:21:37.364: ISAKMP: Config payload ACK *Jul 8 16:21:37.364: ISAKMP:(1037): (blank) XAUTH ACK Processed *Jul 8 16:21:37.364: ISAKMP:(1037):deleting node -1541276471 error FALSE reason "Transaction mode done" *Jul 8 16:21:37.364: ISAKMP:(1037):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK *Jul 8 16:21:37.364: ISAKMP:(1037):Old State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE *Jul 8 16:21:37.364: ISAKMP:(1037):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE *Jul 8 16:21:37.364: ISAKMP:(1037):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE *Jul 8 16:21:37.388: ISAKMP (0:1037): received packet from x.x.x.82 dport 4500 sport 64915 Global (R) QM_IDLE *Jul 8 16:21:37.388: ISAKMP: set new node 550043433 to QM_IDLE *Jul 8 16:21:37.388: ISAKMP:(1037):processing transaction payload from x.x.x.82. message ID = 550043433 *Jul 8 16:21:37.388: ISAKMP: Config payload REQUEST *Jul 8 16:21:37.388: ISAKMP:(1037):checking request: *Jul 8 16:21:37.388: ISAKMP: IP4_ADDRESS *Jul 8 16:21:37.388: ISAKMP: IP4_NETMASK *Jul 8 16:21:37.388: ISAKMP: IP4_DNS *Jul 8 16:21:37.388: ISAKMP: IP4_NBNS *Jul 8 16:21:37.388: ISAKMP: ADDRESS_EXPIRY *Jul 8 16:21:37.388: ISAKMP: MODECFG_BANNER *Jul 8 16:21:37.388: ISAKMP: MODECFG_SAVEPWD *Jul 8 16:21:37.388: ISAKMP: DEFAULT_DOMAIN *Jul 8 16:21:37.388: ISAKMP: SPLIT_INCLUDE *Jul 8 16:21:37.392: ISAKMP: SPLIT_DNS *Jul 8 16:21:37.392: ISAKMP: PFS *Jul 8 16:21:37.392: ISAKMP: MODECFG_BROWSER_PROXY *Jul 8 16:21:37.392: ISAKMP: BACKUP_SERVER *Jul 8 16:21:37.392: ISAKMP: CONFIG_MODE_UNKNOWN Unknown Attr: 0x700C *Jul 8 16:21:37.392: ISAKMP: APPLICATION_VERSION *Jul 8 16:21:37.392: ISAKMP: FW_RECORD *Jul 8 16:21:37.392: ISAKMP: MODECFG_HOSTNAME *Jul 8 16:21:37.392: ISAKMP/author: Author request for group LA_BASEsuccessfully sent to AAA *Jul 8 16:21:37.392: ISAKMP:(1037):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST *Jul 8 16:21:37.392: ISAKMP:(1037):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT *Jul 8 16:21:37.392: ISAKMP:(1037):attributes sent in message: *Jul 8 16:21:37.392: Address: 0.2.0.0 *Jul 8 16:21:37.392: ISAKMP:(1037):allocating address 10.0.12.36 *Jul 8 16:21:37.396: ISAKMP: Sending private address: 10.0.12.36 *Jul 8 16:21:37.396: ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the address: 86399 *Jul 8 16:21:37.396: ISAKMP: Sending save password reply value 1 *Jul 8 16:21:37.396: ISAKMP (0/1037): Unknown Attr: CONFIG_MODE_UNKNOWN (0x700C) *Jul 8 16:21:37.396: ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(9)T1, RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2006 by Cisco Systems, Inc. Compiled Wed 30-Aug-06 16:22 by prod_rel_team *Jul 8 16:21:37.396: ISAKMP (0/1037): Unknown Attr: MODECFG_HOSTNAME (0x700A) *Jul 8 16:21:37.396: ISAKMP:(1037): responding to peer config from x.x.x.82. ID = 550043433 *Jul 8 16:21:37.396: ISAKMP:(1037): sending packet to x.x.x.82 my_port 4500 peer_port 64915 (R) CONF_ADDR *Jul 8 16:21:37.396: ISAKMP:(1037):deleting node 550043433 error FALSE reason "No Error" *Jul 8 16:21:37.396: ISAKMP:(1037):Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR *Jul 8 16:21:37.396: ISAKMP:(1037):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_P1_COMPLETE *Jul 8 16:21:37.396: ISAKMP:(1037):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE *Jul 8 16:21:37.396: ISAKMP:(1037):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE *Jul 8 16:21:37.412: ISAKMP (0:1037): received packet from x.x.x.82 dport 4500 sport 64915 Global (R) QM_IDLE *Jul 8 16:21:37.412: ISAKMP: set new node 1121751058 to QM_IDLE *Jul 8 16:21:37.416: ISAKMP:(1037): processing HASH payload. message ID = 1121751058 *Jul 8 16:21:37.416: ISAKMP:(1037): processing SA payload. message ID = 1121751058 *Jul 8 16:21:37.416: ISAKMP:(1037):Checking IPSec proposal 1 *Jul 8 16:21:37.416: ISAKMP: transform 1, ESP_AES *Jul 8 16:21:37.416: ISAKMP: attributes in transform: *Jul 8 16:21:37.416: ISAKMP: authenticator is HMAC-MD5 *Jul 8 16:21:37.416: ISAKMP: key length is 256 *Jul 8 16:21:37.416: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:21:37.416: ISAKMP: SA life type in seconds *Jul 8 16:21:37.416: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:21:37.416: ISAKMP:(1037):atts are acceptable. *Jul 8 16:21:37.416: ISAKMP:(1037):Checking IPSec proposal 1 *Jul 8 16:21:37.416: ISAKMP:(1037):transform 1, IPPCP LZS *Jul 8 16:21:37.416: ISAKMP: attributes in transform: *Jul 8 16:21:37.416: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:21:37.416: ISAKMP: SA life type in seconds *Jul 8 16:21:37.416: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:21:37.416: ISAKMP:(1037):atts are acceptable. *Jul 8 16:21:37.416: IPSEC(validate_proposal_request): proposal part #1 *Jul 8 16:21:37.416: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 10.0.0.188, remote= x.x.x.82, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.0.12.36/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-aes 256 esp-md5-hmac (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0 *Jul 8 16:21:37.416: IPSEC(validate_proposal_request): proposal part #2 *Jul 8 16:21:37.416: IPSEC(validate_proposal_request): proposal part #2, (key eng. msg.) INBOUND local= 10.0.0.188, remote= x.x.x.82, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.0.12.36/255.255.255.255/0/0 (type=1), protocol= PCP, transform= comp-lzs (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0 *Jul 8 16:21:37.416: Crypto mapdb : proxy_match src addr : 0.0.0.0 dst addr : 10.0.12.36 protocol : 0 src port : 0 dst port : 0 *Jul 8 16:21:37.416: Crypto mapdb : proxy_match src addr : 0.0.0.0 dst addr : 10.0.12.36 protocol : 0 src port : 0 dst port : 0 *Jul 8 16:21:37.416: map_db_find_best did not find matching map *Jul 8 16:21:37.416: IPSEC(crypto_ipsec_process_proposal): proxy identities not supported *Jul 8 16:21:37.416: ISAKMP:(1037): IPSec policy invalidated proposal with error 32 *Jul 8 16:21:37.416: ISAKMP:(1037):Checking IPSec proposal 2 *Jul 8 16:21:37.416: ISAKMP: transform 1, ESP_AES *Jul 8 16:21:37.416: ISAKMP: attributes in transform: *Jul 8 16:21:37.416: ISAKMP: authenticator is HMAC-SHA *Jul 8 16:21:37.416: ISAKMP: key length is 256 *Jul 8 16:21:37.416: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:21:37.420: ISAKMP: SA life type in seconds *Jul 8 16:21:37.420: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:21:37.420: ISAKMP:(1037):atts are acceptable. *Jul 8 16:21:37.420: ISAKMP:(1037):Checking IPSec proposal 2 *Jul 8 16:21:37.420: ISAKMP:(1037):transform 1, IPPCP LZS *Jul 8 16:21:37.420: ISAKMP: attributes in transform: *Jul 8 16:21:37.420: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:21:37.420: ISAKMP: SA life type in seconds *Jul 8 16:21:37.420: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:21:37.420: ISAKMP:(1037):atts are acceptable. *Jul 8 16:21:37.420: IPSEC(validate_proposal_request): proposal part #1 *Jul 8 16:21:37.420: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 10.0.0.188, remote= x.x.x.82, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.0.12.36/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0 *Jul 8 16:21:37.420: IPSEC(validate_proposal_request): proposal part #2 *Jul 8 16:21:37.420: IPSEC(validate_proposal_request): proposal part #2, (key eng. msg.) INBOUND local= 10.0.0.188, remote= x.x.x.82, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.0.12.36/255.255.255.255/0/0 (type=1), protocol= PCP, transform= comp-lzs (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0 *Jul 8 16:21:37.420: Crypto mapdb : proxy_match src addr : 0.0.0.0 dst addr : 10.0.12.36 protocol : 0 src port : 0 dst port : 0 *Jul 8 16:21:37.420: Crypto mapdb : proxy_match src addr : 0.0.0.0 dst addr : 10.0.12.36 protocol : 0 src port : 0 dst port : 0 *Jul 8 16:21:37.420: map_db_find_best did not find matching map *Jul 8 16:21:37.420: IPSEC(crypto_ipsec_process_proposal): proxy identities not supported *Jul 8 16:21:37.420: ISAKMP:(1037): IPSec policy invalidated proposal with error 32 *Jul 8 16:21:37.420: ISAKMP:(1037):Checking IPSec proposal 3 *Jul 8 16:21:37.420: ISAKMP: transform 1, ESP_AES *Jul 8 16:21:37.420: ISAKMP: attributes in transform: *Jul 8 16:21:37.420: ISAKMP: authenticator is HMAC-MD5 *Jul 8 16:21:37.420: ISAKMP: key length is 128 *Jul 8 16:21:37.420: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:21:37.420: ISAKMP: SA life type in seconds *Jul 8 16:21:37.420: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:21:37.420: ISAKMP:(1037):atts are acceptable. *Jul 8 16:21:37.420: ISAKMP:(1037):Checking IPSec proposal 3 *Jul 8 16:21:37.420: ISAKMP:(1037):transform 1, IPPCP LZS *Jul 8 16:21:37.420: ISAKMP: attributes in transform: *Jul 8 16:21:37.420: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:21:37.420: ISAKMP: SA life type in seconds *Jul 8 16:21:37.420: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:21:37.424: ISAKMP:(1037):atts are acceptable. *Jul 8 16:21:37.424: IPSEC(validate_proposal_request): proposal part #1 *Jul 8 16:21:37.424: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 10.0.0.188, remote= x.x.x.82, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.0.12.36/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-aes esp-md5-hmac (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0 *Jul 8 16:21:37.424: IPSEC(validate_proposal_request): proposal part #2 *Jul 8 16:21:37.424: IPSEC(validate_proposal_request): proposal part #2, (key eng. msg.) INBOUND local= 10.0.0.188, remote= x.x.x.82, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.0.12.36/255.255.255.255/0/0 (type=1), protocol= PCP, transform= comp-lzs (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0 *Jul 8 16:21:37.424: Crypto mapdb : proxy_match src addr : 0.0.0.0 dst addr : 10.0.12.36 protocol : 0 src port : 0 dst port : 0 *Jul 8 16:21:37.424: Crypto mapdb : proxy_match src addr : 0.0.0.0 dst addr : 10.0.12.36 protocol : 0 src port : 0 dst port : 0 *Jul 8 16:21:37.424: map_db_find_best did not find matching map *Jul 8 16:21:37.424: IPSEC(crypto_ipsec_process_proposal): proxy identities not supported *Jul 8 16:21:37.424: ISAKMP:(1037): IPSec policy invalidated proposal with error 32 *Jul 8 16:21:37.424: ISAKMP:(1037):Checking IPSec proposal 4 *Jul 8 16:21:37.424: ISAKMP: transform 1, ESP_AES *Jul 8 16:21:37.424: ISAKMP: attributes in transform: *Jul 8 16:21:37.424: ISAKMP: authenticator is HMAC-SHA *Jul 8 16:21:37.424: ISAKMP: key length is 128 *Jul 8 16:21:37.424: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:21:37.424: ISAKMP: SA life type in seconds *Jul 8 16:21:37.424: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:21:37.424: ISAKMP:(1037):atts are acceptable. *Jul 8 16:21:37.424: ISAKMP:(1037):Checking IPSec proposal 4 *Jul 8 16:21:37.424: ISAKMP:(1037):transform 1, IPPCP LZS *Jul 8 16:21:37.424: ISAKMP: attributes in transform: *Jul 8 16:21:37.424: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:21:37.424: ISAKMP: SA life type in seconds *Jul 8 16:21:37.424: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:21:37.424: ISAKMP:(1037):atts are acceptable. *Jul 8 16:21:37.424: IPSEC(validate_proposal_request): proposal part #1 *Jul 8 16:21:37.424: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 10.0.0.188, remote= x.x.x.82, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.0.12.36/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0 *Jul 8 16:21:37.424: IPSEC(validate_proposal_request): proposal part #2 *Jul 8 16:21:37.424: IPSEC(validate_proposal_request): proposal part #2, (key eng. msg.) INBOUND local= 10.0.0.188, remote= x.x.x.82, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.0.12.36/255.255.255.255/0/0 (type=1), protocol= PCP, transform= comp-lzs (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0 *Jul 8 16:21:37.424: Crypto mapdb : proxy_match src addr : 0.0.0.0 dst addr : 10.0.12.36 protocol : 0 src port : 0 dst port : 0 *Jul 8 16:21:37.424: Crypto mapdb : proxy_match src addr : 0.0.0.0 dst addr : 10.0.12.36 protocol : 0 src port : 0 dst port : 0 *Jul 8 16:21:37.424: map_db_find_best did not find matching map *Jul 8 16:21:37.424: IPSEC(crypto_ipsec_process_proposal): proxy identities not supported *Jul 8 16:21:37.424: ISAKMP:(1037): IPSec policy invalidated proposal with error 32 *Jul 8 16:21:37.424: ISAKMP:(1037):Checking IPSec proposal 5 *Jul 8 16:21:37.428: ISAKMP: transform 1, ESP_AES *Jul 8 16:21:37.428: ISAKMP: attributes in transform: *Jul 8 16:21:37.428: ISAKMP: authenticator is HMAC-MD5 *Jul 8 16:21:37.428: ISAKMP: key length is 256 *Jul 8 16:21:37.428: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:21:37.428: ISAKMP: SA life type in seconds *Jul 8 16:21:37.428: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:21:37.428: ISAKMP:(1037):atts are acceptable. *Jul 8 16:21:37.428: IPSEC(validate_proposal_request): proposal part #1 *Jul 8 16:21:37.428: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 10.0.0.188, remote= x.x.x.82, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.0.12.36/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-aes 256 esp-md5-hmac (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0 *Jul 8 16:21:37.428: Crypto mapdb : proxy_match src addr : 0.0.0.0 dst addr : 10.0.12.36 protocol : 0 src port : 0 dst port : 0 *Jul 8 16:21:37.428: Crypto mapdb : proxy_match src addr : 0.0.0.0 dst addr : 10.0.12.36 protocol : 0 src port : 0 dst port : 0 *Jul 8 16:21:37.428: map_db_find_best did not find matching map *Jul 8 16:21:37.428: IPSEC(crypto_ipsec_process_proposal): proxy identities not supported *Jul 8 16:21:37.428: ISAKMP:(1037): IPSec policy invalidated proposal with error 32 *Jul 8 16:21:37.428: ISAKMP:(1037):Checking IPSec proposal 6 *Jul 8 16:21:37.428: ISAKMP: transform 1, ESP_AES *Jul 8 16:21:37.428: ISAKMP: attributes in transform: *Jul 8 16:21:37.428: ISAKMP: authenticator is HMAC-SHA *Jul 8 16:21:37.428: ISAKMP: key length is 256 *Jul 8 16:21:37.428: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:21:37.428: ISAKMP: SA life type in seconds *Jul 8 16:21:37.428: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:21:37.428: ISAKMP:(1037):atts are acceptable. *Jul 8 16:21:37.428: IPSEC(validate_proposal_request): proposal part #1 *Jul 8 16:21:37.428: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 10.0.0.188, remote= x.x.x.82, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.0.12.36/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0 *Jul 8 16:21:37.428: Crypto mapdb : proxy_match src addr : 0.0.0.0 dst addr : 10.0.12.36 protocol : 0 src port : 0 dst port : 0 *Jul 8 16:21:37.428: Crypto mapdb : proxy_match src addr : 0.0.0.0 dst addr : 10.0.12.36 protocol : 0 src port : 0 dst port : 0 *Jul 8 16:21:37.428: map_db_find_best did not find matching map *Jul 8 16:21:37.428: IPSEC(crypto_ipsec_process_proposal): proxy identities not supported *Jul 8 16:21:37.428: ISAKMP:(1037): IPSec policy invalidated proposal with error 32 *Jul 8 16:21:37.428: ISAKMP:(1037):Checking IPSec proposal 7 *Jul 8 16:21:37.428: ISAKMP: transform 1, ESP_AES *Jul 8 16:21:37.428: ISAKMP: attributes in transform: *Jul 8 16:21:37.428: ISAKMP: authenticator is HMAC-MD5 *Jul 8 16:21:37.428: ISAKMP: key length is 128 *Jul 8 16:21:37.428: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:21:37.428: ISAKMP: SA life type in seconds *Jul 8 16:21:37.428: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:21:37.428: ISAKMP:(1037):atts are acceptable. *Jul 8 16:21:37.428: IPSEC(validate_proposal_request): proposal part #1 *Jul 8 16:21:37.428: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 10.0.0.188, remote= x.x.x.82, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.0.12.36/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-aes esp-md5-hmac (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0 *Jul 8 16:21:37.432: Crypto mapdb : proxy_match src addr : 0.0.0.0 dst addr : 10.0.12.36 protocol : 0 src port : 0 dst port : 0 *Jul 8 16:21:37.432: Crypto mapdb : proxy_match src addr : 0.0.0.0 dst addr : 10.0.12.36 protocol : 0 src port : 0 dst port : 0 *Jul 8 16:21:37.432: map_db_find_best did not find matching map *Jul 8 16:21:37.432: IPSEC(crypto_ipsec_process_proposal): proxy identities not supported *Jul 8 16:21:37.432: ISAKMP:(1037): IPSec policy invalidated proposal with error 32 *Jul 8 16:21:37.432: ISAKMP:(1037):Checking IPSec proposal 8 *Jul 8 16:21:37.432: ISAKMP: transform 1, ESP_AES *Jul 8 16:21:37.432: ISAKMP: attributes in transform: *Jul 8 16:21:37.432: ISAKMP: authenticator is HMAC-SHA *Jul 8 16:21:37.432: ISAKMP: key length is 128 *Jul 8 16:21:37.432: ISAKMP: encaps is 61443 (Tunnel-UDP) *Jul 8 16:21:37.432: ISAKMP: SA life type in seconds *Jul 8 16:21:37.432: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B *Jul 8 16:21:37.432: ISAKMP:(1037):atts are acceptable. *Jul 8 16:21:37.456: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP VPNRA# VPNRA#