Hello everybody,

I have build a VPN network between 3 offices connected together in the form of a triangle, all equiped with 1710 routers. The config is learnt from samples from this very helpfull forum (many thanks to all of you!!!) and output of configmaker 2.6.

Each of the offices uses its own router to connect to the Internet as well as to the other two offices via VPN. This worked fine, until I did set up router1 to accept a client 3.6 connection from the INET to. The connection between client and router1 works fine, but router1 is unable to connect to router2 and router3 anymore. router2 and router3 which don't have client access (yet) still work together.

From what i understand, i did everything right as sugested by refmanuals and samples. From what little i could read from the debug output, my router1 tries to conncect to the others with the dynamic settings for the client and just ignores the static entries for the two other routers. As soon as i remove the line

"crypto map my-cr-map client configuration address respond"

from my router1 config, everthing works fine again (except for the client i supose, had no chance to test client connectivity whithout this line).

The attached configs are commented by me for my own documentation and from what i understand how it works. I am an absolut newbee to this and if my comments are absolutely off from what realy happens, i will be most thankfull for corrections.

Thanks a lot,

Christoph

-----

(lan1 192.168.210.0) --- (192.168.210.1 router1 210.210.210.1) --- (INET)

(lan2 192.168.220.0) --- (192.168.220.1 router2 220.220.220.1) --- (INET)

(lan3 192.168.230.0) --- (192.168.230.1 router3 230.230.230.1) --- (INET)

(VPN Client 250.250.250.1) --- (INET)

The client has a fixed, official IP-adress and gets private IP 192.168.250.100

assigned from router1 on connect

First of all the configs of router 1, 2 and 3, setups are identical, only that router1 has the aaa and client stuff added.

!######### ROUTER 1 START #####################################################

!

version 12.2

hostname router1

ip domain-name mydomain.name

aaa new-model

aaa authentication login default line

aaa authentication login AAAUsers local

aaa authorization network AAAGroups local

aaa session-id common

username MyRemoteUser password 7 xxxxxxxxxxxxxxxxxxxxxxxxx

! These are the rules for statefull inspection firewall

ip inspect max-incomplete high 1100

ip inspect max-incomplete low 900

ip inspect one-minute high 1100

ip inspect one-minute low 900

ip inspect name FastEthernet_0 realaudio

ip inspect name FastEthernet_0 ftp

ip inspect name FastEthernet_0 udp

ip inspect name FastEthernet_0 tcp

ip inspect name FastEthernet_0 sqlnet

crypto isakmp enable

crypto isakmp identity address

! This defines policies for the authentification of packets between the

! VPN-routers. Both routers must agree on one policy, so you need to have

! at least one matching policy on each router or they will not connect.

! I decided on a single policy for all connections, which becommes mandatory

! that way. The used preshared keys are then defined next.

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

!

! Preshared-Key router1 to router2

crypto isakmp key key4conn_1_2 address 220.220.220.1 no-xauth

!

! Preshared-Key router1 to router3

crypto isakmp key key4conn_1_3 address 230.230.230.1 no-xauth

!

crypto isakmp client configuration group MyRemoteUser

key MyRemoteKey

dns 192.168.210.100

domain mydomain.name

pool MyIpPool

! The Transform-Set is the policy for the encryption of packets between the

! VPN-routers. As above, both routers need to have a matching policy on each

! router or they will not connect. You may define more than one transform-set

! for different purposes, but you can use the same for many connections as well.

! Set for Router to Router

crypto ipsec transform-set tfs_3DES ah-sha-hmac esp-3des

!

! Dynamic Set for VPN Client

crypto ipsec transform-set tfs_DYN esp-3des esp-md5-hmac

! The Crypto-Map binds together the encryption policy with the IP-adress

! of the peer router and and the access-list (# 120 in this example)

! which defines wich packet are allowed to go to that peer

crypto dynamic-map my-dyn-map 10

set transform-set tfs_DYN

!

! The entries for authetication of the remote user

crypto map my-cr-map client authentication list AAAUsers

crypto map my-cr-map isakmp authorization list AAAGroups

crypto map my-cr-map client configuration address respond

!

!

crypto map my-cr-map 1 ipsec-isakmp

set peer 220.220.220.1

set transform-set tfs_3DES

match address 120

!

! same as above for net 3 and access-list 130

crypto map my-cr-map 2 ipsec-isakmp

set peer 230.230.230.1

set transform-set tfs_3DES

match address 130

!

crypto map my-cr-map 10 ipsec-isakmp dynamic my-dyn-map

! The INET Interface gets the crypto-map aplied and has a policy for

! incoming connections, which is defined in access-list 101

interface Ethernet0

description connected to Internet

ip address 210.210.210.1 255.255.255.252

ip access-group 101 in

ip nat outside

crypto map my-cr-map

!

! LAN is allowed everything outgoing into the INET, on the way back things

! are inspected as defined in the IP INSPECT rules above

interface FastEthernet0

description connected to EthernetLAN

ip address 192.168.210.1 255.255.255.0

ip nat inside

ip inspect FastEthernet_0 in

!

router rip

version 2

passive-interface Ethernet0

network 192.168.210.0

no auto-summary

! I just have one Client, so a range of one Adress is sufficient

ip local pool MyIpPool 192.168.250.100

! This statement allows only those packets to be NATed which fit to

! the route-map with the name noNAT (this ist CaSe sensitive) defined

! at the end of this config file and the according rulset 110. Only if it

! fit's to the rule the packet get the adress of the interface Ethernet0

! applied.

ip nat inside source route-map noNAT interface Ethernet0 overload

! This is my providers DSL router, which receives all trafic to the INET

! which is not otherwise defined (this is the default route)

ip route 0.0.0.0 0.0.0.0 210.210.210.2

! This list allows incomming trafic from the INET. This is where I had the

! big problem to connect my networks. I only got it to work, when I turned the

! logic in these rules around, so against all other rules the local part of the

! entry is on the back and the incomming host is named first.

!

! Router of net 2 and the private net 2 are allowed all IP inbound

access-list 101 permit ip host 220.220.220.1 host 210.210.210.1

access-list 101 permit ip 192.168.220.0 0.0.0.255 192.168.210.0 0.0.0.255

!

! Router of net 3 and the private net 3 are allowed all IP inbound

access-list 101 permit ip host 230.230.230.1 host 210.210.210.1

access-list 101 permit ip 192.168.230.0 0.0.0.255 192.168.210.0 0.0.0.255

!

! My VPN Clients static and known IP and the IP-Pool Adress are allowed all

! IP inbound

access-list 101 permit ip host 250.250.250.1 host 210.210.210.1

access-list 101 permit ip host 192.168.250.100 192.168.210.0 0.0.0.255

! This List denies NAT for connections to the 2 private networks which are

! connected through encrypted IPSEC-tunnel, so the private IPs are not seen

! outside, but only the real IP of the router, who is sending the encrypted

! packets. Any packets not sent to 192.168.220, 192.168.230 or the VPN-Client

! are NATed and sent to the INET unencrypted.

! This list is used for the route-map statement following below.

access-list 110 deny ip 192.168.210.0 0.0.0.255 192.168.220.0 0.0.0.255

access-list 110 deny ip 192.168.210.0 0.0.0.255 192.168.230.0 0.0.0.255

access-list 110 deny ip 192.168.210.0 0.0.0.255 host 192.168.250.100

access-list 110 permit ip 192.168.210.0 0.0.0.255 any

! This rule allows only packets to the private net 192.168.220.0 to become

! encrypted and then be sent in the tunnel to router 220.220.220.1, who

! decrypts them and passed them on to his local network again.

! This works together with the first crypto map statement above

access-list 120 permit ip 192.168.210.0 0.0.0.255 192.168.220.0 0.0.0.255

!

! Same as obove for the second net

! This works together with the second crypto map statement above

access-list 130 permit ip 192.168.210.0 0.0.0.255 192.168.230.0 0.0.0.255

! This route map deciedes, if a packet is NATed or not. If it is permited in

! rule 110, it gets NATed, if it's denied, then it stays as it is.

route-map noNAT permit 10

match ip address 110

!

!######### ROUTER 1 END #######################################################

!######### ROUTER 2 START #####################################################

!

version 12.2

hostname router2

ip domain-name mydomain.name

! These are the rules for statefull inspection firewall

ip inspect max-incomplete high 1100

ip inspect max-incomplete low 900

ip inspect one-minute high 1100

ip inspect one-minute low 900

ip inspect name FastEthernet_0 tcp

ip inspect name FastEthernet_0 ftp

ip inspect name FastEthernet_0 udp

ip inspect name FastEthernet_0 realaudio

ip inspect name FastEthernet_0 sqlnet

crypto isakmp enable

crypto isakmp identity address

! This defines policies for the authentification of packets between the

! VPN-routers. Both routers must agree on one policy, so you need to have

! at least one matching policy on each router or they will not connect.

! I decided on a single policy for all connections, which becommes mandatory

! that way. The used preshared keys are then defined next.

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

!

! Preshared-Key router2 to router1 and IP-adress of peer-router

crypto isakmp key key4conn_1_2 address 210.210.210.1 no-xauth

!

! Preshared-Key router2 to router3 and IP-adress of peer-router

crypto isakmp key key4conn_2_3 address 230.230.230.1 no-xauth

! The Transform-Set is the policy for the encryption of packets between the

! VPN-routers. As above, both routers need to have a matching policy on each

! router or they will not connect. You may define more than one transform-set

! for different purposes, but you can use the same for many connections as well.

crypto ipsec transform-set tfs_3DES ah-sha-hmac esp-3des

! The Crypto-Map binds together the encryption policy with the IP-adress

! of the peer router and and the access-list (# 120 in this example)

! which defines wich packet are allowed to go to that peer

crypto map my-cr-map 1 ipsec-isakmp

set peer 210.210.210.1

set transform-set tfs_3DES

match address 120

!

! same as above for net 3 and access-list 130

crypto map my-cr-map 2 ipsec-isakmp

set peer 230.230.230.1

set transform-set tfs_3DES

match address 130

! The INET Interface gets the crypto-map aplied and has a policy for

! incoming connections, which is defined in access-list 101

interface Ethernet0

description connected to Internet

ip address 220.220.220.1 255.255.255.252

ip access-group 101 in

ip nat outside

crypto map my-cr-map

!

! LAN is allowed everything outgoing into the INET, on the way back things

! are inspected as defined in the IP INSPECT rules above

interface FastEthernet0

description connected to EthernetLAN

ip address 192.168.220.1 255.255.255.0

ip nat inside

ip inspect FastEthernet_0 in

!

router rip

version 2

passive-interface Ethernet0

network 192.168.220.0

no auto-summary

! This statement allows only those packets to be NATed which fit to

! the route-map with the name noNAT (this ist CaSe sensitive) defined

! at the end of this config file and the according rulset 110. Only if it

! fit's to the rule the packet get the adress of the interface Ethernet0

! applied.

ip nat inside source route-map noNAT interface Ethernet0 overload

! This is my providers DSL router, which receives all trafic to the INET

! which is not otherwise defined (this is the default route)

ip route 0.0.0.0 0.0.0.0 220.220.220.2

! This list allows incomming trafic from the INET.

!

! Router of net 1 and the private net 1 are allowed all IP inbound

access-list 101 permit ip host 210.210.210.1 host 220.220.220.1

access-list 101 permit ip 192.168.210.0 0.0.0.255 192.168.220.0 0.0.0.255

!

! Router of net 3 and the private net 3 are allowed all IP inbound

access-list 101 permit ip host 230.230.230.1 host 220.220.220.1

access-list 101 permit ip 192.168.230.0 0.0.0.255 192.168.220.0 0.0.0.255

! This List denies NAT for connections to the 2 private networks which are

! connected through encrypted IPSEC-tunnel, so the private IPs are not seen

! outside, but only the real IP of the router, who is sending the encrypted

! packets. Any packets not sent to 192.168.220 or 192.168.230 are NATed and

! sent to the INET unencrypted.

! This list is used for the route-map statement following below.

access-list 110 deny ip 192.168.220.0 0.0.0.255 192.168.210.0 0.0.0.255

access-list 110 deny ip 192.168.220.0 0.0.0.255 192.168.230.0 0.0.0.255

access-list 110 permit ip 192.168.220.0 0.0.0.255 any

! This rule allows only packets to the private net 192.168.210.0 to become

! encrypted and then be sent in the tunnel to router 220.220.210.1, who

! decrypts them and passed them on to his local network again.

! This works together with the first crypto map statement above

access-list 120 permit ip 192.168.220.0 0.0.0.255 192.168.210.0 0.0.0.255

!

! Same as obove for the second net

! This works together with the second crypto map statement above

access-list 130 permit ip 192.168.220.0 0.0.0.255 192.168.230.0 0.0.0.255

! This route map deciedes, if a packet is NATed or not. If it is permited in

! rule 110, it gets NATed, if it's denied, then it stays as it is.

route-map noNAT permit 10

match ip address 110

!

!######### ROUTER 2 END #######################################################

!######### ROUTER 3 START #####################################################

!

version 12.2

hostname router3

ip domain-name mydomain.name

! These are the rules for statefull inspection firewall

ip inspect max-incomplete high 1100

ip inspect max-incomplete low 900

ip inspect one-minute high 1100

ip inspect one-minute low 900

ip inspect name FastEthernet_0 tcp

ip inspect name FastEthernet_0 ftp

ip inspect name FastEthernet_0 udp

ip inspect name FastEthernet_0 realaudio

ip inspect name FastEthernet_0 sqlnet

crypto isakmp enable

crypto isakmp identity address

! This defines policies for the authentification of packets between the

! VPN-routers. Both routers must agree on one policy, so you need to have

! at least one matching policy on each router or they will not connect.

! I decided on a single policy for all connections, which becommes mandatory

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

!

! Preshared-Key router3 to router1

crypto isakmp key key4conn_1_3 address 210.210.210.1 no-xauth

!

! Preshared-Key router3 to router2

crypto isakmp key key4conn_2_3 address 220.220.220.1 no-xauth

! The Transform-Set is the policy for the encryption of packets between the

! VPN-routers. As above, both routers need to have a matching policy on each

! router or they will not connect. You may define more than one transform-set

! for different purposes, but you can use the same for many connections as well.

crypto ipsec transform-set tfs_3DES ah-sha-hmac esp-3des

! The Crypto-Map binds together the encryption policy with the IP-adress

! of the peer router and and the access-list (# 120 in this example)

! which defines wich packet are allowed to go to that peer

crypto map my-cr-map 1 ipsec-isakmp

set peer 210.210.210.1

set transform-set tfs_3DES

match address 120

!

! same as above for net 2 and access-list 130

crypto map my-cr-map 2 ipsec-isakmp

set peer 220.220.220.1

set transform-set tfs_3DES

match address 130

! The INET Interface gets the crypto-map aplied and has a policy for

! incoming connections, which is defined in access-list 101

interface Ethernet0

description connected to Internet

ip address 230.230.230.1 255.255.255.252

ip access-group 101 in

ip nat outside

crypto map my-cr-map

!

! LAN is allowed everything outgoing into the INET, on the way back things

! are inspected as defined in the IP INSPECT rules above

interface FastEthernet0

description connected to EthernetLAN

ip address 192.168.230.1 255.255.255.0

ip nat inside

ip inspect FastEthernet_0 in

!

router rip

version 2

passive-interface Ethernet0

network 192.168.230.0

no auto-summary

! This statement allows only those packets to be NATed which fit to

! the route-map with the name noNAT (this ist CaSe sensitive) defined

! at the end of this config file and the according rulset 110. Only if it

! fit's to the rule the packet get the adress of the interface Ethernet0

! applied.

ip nat inside source route-map noNAT interface Ethernet0 overload

! This is my providers DSL router, which receives all trafic to the INET

! which is not otherwise defined (this is the default route)

ip route 0.0.0.0 0.0.0.0 230.230.230.2

! This list allows incomming trafic from the INET. This is where I had the

! big problem to connect my networks. I only got it to work, when I turned the

! logic in these rules around, so against all other rules the local part of the

! entry is on the back and the incomming host is named first.

!

! Router of net 1 and the private net 1 are allowed all IP inbound

access-list 101 permit ip host 210.210.210.1 host 230.230.230.1

access-list 101 permit ip 192.168.210.0 0.0.0.255 192.168.230.0 0.0.0.255

!

! Router of net 2 and the private net 2 are allowed all IP inbound

access-list 101 permit ip host 220.220.220.1 host 230.230.230.1

access-list 101 permit ip 192.168.220.0 0.0.0.255 192.168.230.0 0.0.0.255

! This List denies NAT for connections to the 2 private networks which are

! connected through encrypted IPSEC-tunnel, so the private IPs are not seen

! outside, but only the real IP of the router, who is sending the encrypted

! packets. Any packets not sent to 192.168.210 or 192.168.220 are NATed and

! sent to the INET unencrypted.

! This list is used for the route-map statement following below.

access-list 110 deny ip 192.168.230.0 0.0.0.255 192.168.210.0 0.0.0.255

access-list 110 deny ip 192.168.230.0 0.0.0.255 192.168.220.0 0.0.0.255

access-list 110 permit ip 192.168.230.0 0.0.0.255 any

! This rule allows only packets to the private net 192.168.210.0 to become

! encrypted and then be sent in the tunnel to router 220.220.210.1, who

! decrypts them and passed them on to his local network again.

! This works together with the first crypto map statement above

access-list 120 permit ip 192.168.230.0 0.0.0.255 192.168.210.0 0.0.0.255

!

! Same as obove for the second net

! This works together with the second crypto map statement above

access-list 130 permit ip 192.168.230.0 0.0.0.255 192.168.220.0 0.0.0.255

! This route map deciedes, if a packet is NATed or not. If it is permited in

! rule 110, it gets NATed, if it's denied, then it stays as it is.

route-map noNAT permit 10

match ip address 110

!

!######### ROUTER 3 END #######################################################

The following is the debug output of a conversation between router1 and router2, initiated by router2:

###

### Call outgoing from router2 into router1

###

router2 323: 01:24:47: IPSEC(sa_request): ,

router2 324: (key eng. msg.) OUTBOUND local= 220.220.220.1, remote= 210.210.210.1,

router2 325: local_proxy= 192.168.220.0/255.255.255.0/0/0 (type=4),

router2 326: remote_proxy= 192.168.210.0/255.255.255.0/0/0 (type=4),

router2 327: protocol= AH, transform= ah-sha-hmac ,

router2 328: lifedur= 3600s and 4608000kb,

router2 329: spi= 0xAE729078(2926743672), conn_id= 0, keysize= 0, flags= 0x400C

router2 330: 01:24:47: IPSEC(sa_request): ,

router2 331: (key eng. msg.) OUTBOUND local= 220.220.220.1, remote= 210.210.210.1,

router2 332: local_proxy= 192.168.220.0/255.255.255.0/0/0 (type=4),

router2 333: remote_proxy= 192.168.210.0/255.255.255.0/0/0 (type=4)

router2 334: ,

router2 335: protocol= ESP, transform= esp-3des ,

router2 336: lifedur= 3600s and 4608000kb,

router2 337: spi= 0x4F0A6DFC(1326083580), conn_id= 0, keysize= 0, flags= 0x400C

router2 338: 01:24:47: ISAKMP: received ke message (1/2)

router2 339: 01:24:47: ISAKMP: local port 500, remote port 500

router2 340: 01:24:47: ISAKMP: set new node 0 to QM_IDLE

router2 341: 01:24:47: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

router2 342: Old State = IKE_READY New State = IKE_I_MM1

router2 343:

router2 344: 01:24:47: ISAKMP (0:1): beginning Main Mode exchange

router2 345: 01:24:47: ISAKMP (0:1): sending packet to 210.210.210.1 (I) MM_NO_STATE

router2 346: 01:24:47: ISAKMP (0:1): received packet from 210.210.210.1 (I) MM_NO_STATE

router2 347: 01:24:47: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

router2 348:

router2 349: Old State = IKE_I_MM1 New State = IKE_I_MM2

router2 350:

router2 351: 01:24:47: ISAKMP (0:1): processing SA payload. message ID = 0

router2 352: 01:24:47: ISAKMP (0:1): found peer pre-shared key matching 210.210.210.1

router2 353: 01:24:47: ISAKMP (0:1) local preshared key found

router2 354: 01:24:47: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy

router2 355: 01:24:47: ISAKMP: encryption 3DES-CBC

router2 356: 01:24:47: ISAKMP: hash MD5

router2 357: 01:24:47: ISAKMP: default group 2

router2 358: 01:24:47: ISAKMP: auth pre-share

router2 359: 01:24:47: ISAKMP: life type in seconds

router2 360: 01:24:47: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

router2 361: 01:24:47: ISAKMP (0:1): atts are acceptable. Next payload is 0

router2 362: 01:24:47: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

router2 363: Old State = IKE_I_MM2 New State = IKE_I_MM2

router2 364:

router2 365: 01:24:47: ISAKMP (0:1): sending packet to 210.210.210.1 (I) MM_SA_SETUP

router2 366: 01:24:47: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

router2 367: Old State = IKE_I_MM2 New State = IKE_I_MM3

router2 368:

router2 369: 01:24:47: ISAKMP (0:1): received packet from 210.210.210.1 (I) MM_SA_SETUP

router2 370: 01:24:47: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

router2 371: Old State = IKE_I_MM3 New State = IKE_I_MM4

router2 372:

router2 373: 01:24:47: ISAKMP (0:1): processing KE payload. message ID = 0

router2 374: 01:24:48: ISAKMP (0:1): processing NONCE payload. message ID = 0

router2 375: 01:24:48: ISAKMP (0:1): found peer pre-shared key matching 210.210.210.1

router2 376: 01:24:48: ISAKMP (0:1): SKEYID state generated

router2 377: 01:24:48: ISAKMP (0:1): processing vendor id payload

router2 378: 01:24:48: ISAKMP (0:1): vendor ID is Unity

router2 379: 01:24:48: ISAKMP (0:1): processing vendor id payload

router2 380: 01:24:48: ISAKMP (0:1): vendor ID is DPD

router2 381: 01:24:48: ISAKMP (0:1): processing vendor id payload

router2 382: 01:24:48: ISAKMP (0:1): speaking to another IOS box!

router2 383: 01:24:48: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

router2 384: Old State = IKE_I_MM4 New State = IKE_I_MM4

router2 385:

router2 386: 01:24:48: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

router2 387: 01:24:48: ISAKMP (1): ID payload

router2 388: ^Inext-payload : 8

router2 389: ^Itype : 1

router2 390: ^Iprotocol : 17

router2 391: ^Iport : 500

router2 392: ^Ilength : 8

router2 393: 01:24:48: ISAKMP (1): Total payload length: 12

router2 394: 01:24:48: ISAKMP (0:1): sending packet to 210.210.210.1 (I) MM_KEY_EXCH

router2 395: 01:24:48: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

router2 396: Old State = IKE_I_MM4 New State = IKE_I_MM5

router2 397:

router2 398: 01:24:48: IPSEC(key_engine): got a queue event...

router2 399: 01:24:48: IPSec: Key engine got KEYENG_IKMP_MORE_SAS message

router2 400: 01:24:48: ISAKMP: received ke message (6/1)

router2 401: 01:24:48: ISAKMP: received KEYENG_IKMP_MORE_SAS message

router2 402: 01:24:48: ISAKMP (0:1): received packet from 210.210.210.1 (I) MM_KEY_EXCH

router2 403: 01:24:48: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

router2 404: Old State = IKE_I_MM5 New State = IKE_I_MM6

router2 405:

router2 406: 01:24:48: ISAKMP (0:1): processing ID payload. message ID = 0

router2 407: 01:24:48: ISAKMP (0:1): processing HASH payload. message ID = 0

router2 408: 01:24:48: ISAKMP (0:1): SA has been authenticated with 210.210.210.1

router2 409: 01:24:48: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

router2 410: Old State = IKE_I_MM6 New State = IKE_I_MM6

router2 411:

router2 412: 01:24:48: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

router2 413: Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

router2 414:

router2 415: 01:24:48: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 2114054612

router2 416: 01:24:48: ISAKMP (0:1): sending packet to 210.210.210.1 (I) QM_IDLE

router2 417: 01:24:48: ISAKMP (0:1): Node 2114054612, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

router2 418: Old State = IKE_QM_READY New State = IKE_QM_I_QM1

router2 419:

router2 420: 01:24:48: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

router2 421: Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

router2 422:

router2 423: 01:24:58: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 2114054612 ...

router2 424: 01:24:58: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2

router2 425: 01:24:58: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2

router2 426: 01:24:58: ISAKMP (0:1): retransmitting phase 2 2114054612 QM_IDLE

router2 427: 01:24:58: ISAKMP (0:1): sending packet to 210.210.210.1 (I) QM_IDLE

router2 428: 01:25:08: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 2114054612 ...

router2 429: 01:25:08: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2

router2 430: 01:25:08: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2

router2 431: 01:25:08: ISAKMP (0:1): retransmitting phase 2 2114054612 QM_IDLE

router2 432: 01:25:08: ISAKMP (0:1): sending packet to 210.210.210.1 (I) QM_IDLE

router2 433: 01:25:14: IPSEC(sa_aging): lifetime expiring,

router2 434: (sa) sa_dest= 210.210.210.1, sa_prot= 51,

router2 435: sa_spi= 0x6436491C(1681279260),

router2 436: sa_trans= ah-sha-hmac , sa_conn_id= 201,

router2 437: (identity) local= 220.220.220.1, remote= 210.210.210.1,

router2 438: local_proxy= 192.168.220.0/255.255.255.0/0/0 (type=4),

router2 439: remote_proxy= 192.168.210.0/255.255.255.0/0/0 (type=4)

router2 440: 01:25:14: IPSEC(delete_sa): deleting SA,

router2 441: (sa) sa_dest= 220.220.220.1, sa_prot= 51,

router2 442: sa_spi= 0x8B106C49(2333109321),

router2 443: sa_trans= ah-sha-hmac , sa_conn_id= 200

router2 444: 01:25:14: IPSEC(delete_sa): deleting SA

router2 445: ,

router2 446: (sa) sa_dest= 210.210.210.1, sa_prot= 51,

router2 447: sa_spi= 0x6436491C(1681279260),

router2 448: sa_trans= ah-sha-hmac , sa_conn_id= 201

router2 449: 01:25:14: IPSEC(delete_sa): deleting SA,

router2 450: (sa) sa_dest= 220.220.220.1, sa_prot= 50,

router2 451: sa_spi= 0x5A82D302(1518523138),

router2 452: sa_trans= esp-3des , sa_conn_id= 202

router2 453: 01:25:14: IPSEC(delete_sa): deleting SA,

router2 454: (sa) sa_dest= 210.210.210.1, sa_prot= 50,

router2 455: sa_spi= 0x96D1083A(2530281530),

router2 456: sa_trans= esp-3des , sa_conn_id= 203

router2 457: 01:25:14: ISAKMP: received ke message (3/2)

router2 458: 01:25:14: ISAKMP: set new node -1194574075 to QM_IDLE

router2 459: 01:25:14: ISAKMP (0:1): sending packet to 210.210.210.1 (I) QM_IDLE

router2 460: 01:25:14: ISAKMP (0:1): purging node -1194574075

router2 461: 01:25:14: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL

router2 462: Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

router2 463:

router2 464: 01:25:17: IPSEC(key_engine): request timer fired: count = 1,

router2 465: (identity) local= 220.220.220.1, remote= 210.210.210.1,

router2 466: local_proxy= 192.168.220.0/255.255.255.0/0/0 (type=4),

router2 467: remote_proxy= 192.168.210.0/255.255.255.0/0/0 (type=4)

router2 468: 01:25:17: IPSEC(sa_request): ,

router2 469: (key eng. msg.) OUTBOUND local= 220.220.220.1, remote= 210.210.210.1,

router2 470: local_proxy= 192.168.220.0/255.255.255.0/0/0 (type=4),

router2 471: remote_proxy= 192.168.210.0/255.255.255.0/0/0 (type=4),

router2 472: protocol= AH, transform= ah-sha-hmac ,

router2 473: lifedur= 3600s and 4608000kb,

router2 474: spi= 0x500900FC(1342767356), conn_id= 0, keysize= 0, flags= 0x400C

router2 475: 01:25:17: IPSEC(sa_request): ,

router2 476: (key eng. msg.) OUTBOUND

router2 477: local= 220.220.220.1, remote= 210.210.210.1,

router2 478: local_proxy= 192.168.220.0/255.255.255.0/0/0 (type=4),

router2 479: remote_proxy= 192.168.210.0/255.255.255.0/0/0 (type=4),

router2 480: protocol= ESP, transform= esp-3des ,

router2 481: lifedur= 3600s and 4608000kb,

router2 482: spi= 0x6C2BF3EE(1814819822), conn_id= 0, keysize= 0, flags= 0x400C

router2 483: 01:25:17: ISAKMP: received ke message (1/2)

router2 484: 01:25:17: ISAKMP: set new node 0 to QM_IDLE

router2 485: 01:25:17: ISAKMP (0:1): sitting IDLE. Starting QM immediately (QM_IDLE )

router2 486: 01:25:17: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -1199502796

router2 487: 01:25:17: ISAKMP (0:1): sending packet to 210.210.210.1 (I) QM_IDLE

router2 488: 01:25:17: ISAKMP (0:1): Node -1199502796, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

router2 489: Old State = IKE_QM_READY New State = IKE_QM_I_QM1

router2 490:

router2 491: 01:25:18: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 2114054612 ...

router2 492: 01:25:18: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2

router2 493: 01:25:18: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2

router2 494: 01:25:18: ISAKMP (0:1): retransmitting phase 2 2114054612 QM_IDLE

router2 495: 01:25:18: ISAKMP (0:1): sending packet to 210.210.210.1 (I) QM_IDLE

router2 496: 01:25:27: ISAKMP (0:1): retransmitting phase 2 QM_IDLE -1199502796 ...

router2 497: 01:25:27: ISAKMP (0:1): peer does not do paranoid keepalives.

router2 498:

router2 499: 01:25:27: ISAKMP (0:1): deleting SA reason "death by retransmission P2" state (I) QM_IDLE (peer 210.210.210.1) input queue 0

router2 500: 01:25:27: ISAKMP: set new node 1293943581 to QM_IDLE

router2 501: 01:25:27: ISAKMP (0:1): sending packet to 210.210.210.1 (I) QM_IDLE

router2 502: 01:25:27: ISAKMP (0:1): purging node 1293943581

router2 503: 01:25:27: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

router2 504: Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

router2 505:

router2 506: 01:25:27: ISAKMP (0:1): deleting SA reason "" state (I) QM_IDLE (peer 210.210.210.1) input queue 0

router2 507: 01:25:27: ISAKMP (0:1): deleting node 2114054612 error FALSE reason ""

router2 508: 01:25:27: ISAKMP (0:1): deleting node -1199502796 error FALSE reason ""

router2 509: 01:25:27: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

router2 510: Old State = IKE_DEST_SA New State = IKE_DEST_SA

router2 511:

router2 512: 01:25:47: IPSEC(key_engine): request timer fired: count = 2,

router2 513: (identity) local= 220.220.220.1, remote= 210.210.210.1,

router2 514: local_proxy= 192.168.220.0/255.255.255.0/0/0 (type=4),

router2 515: remote_proxy= 192.168.210.0/255.255.255.0/0/0 (type=4)

router2 516: 01:25:47: ISAKMP: received ke message (3/1)

router2 517: 01:25:47: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 220.220.220.1 dst 210.210.210.1 for SPI 0x0

router2 518: 01:26:17: ISAKMP (0:1): purging node 2114054612

router2 519: 01:26:17: ISAKMP (0:1): purging node -1199502796

router2 520: 01:26:27: ISAKMP (0:1): purging SA., sa=813DE590, delme=813DE590

######### DEBUG ROUTER 2 END ###################################################

###

### Call comming from router2 into router1

###

router1 471: 01:30:38: ISAKMP (0:0): received packet from 220.220.220.1 (N) NEW SA

router1 472: 01:30:38: ISAKMP: Created a peer node for 220.220.220.1

router1 473: 01:30:38: ISAKMP (0:0): Setting client config settings 81644448

router1 474: 01:30:38: ISAKMP: Locking CONFIG struct 0x81644448 from crypto_ikmp_config_initialize_sa, count 1

router1 475: 01:30:38: ISAKMP: local port 500, remote port 500

router1 476: 01:30:38: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

router1 477: Old State = IKE_READY New State = IKE_R_MM1

router1 478:

router1 479: 01:30:38: ISAKMP (0:1): processing SA payload. message ID = 0

router1 480: 01:30:38: ISAKMP (0:1): found peer pre-shared key matching 220.220.220.1

router1 481: 01:30:38: ISAKMP (0:1) local preshared key found

router1 482: 01:30:38: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy

router1 483: 01:30:38: ISAKMP: encryption 3DES-CBC

router1 484: 01:30:38: ISAKMP: hash MD5

router1 485: 01:30:38: ISAKMP: default group 2

router1 486: 01:30:38: ISAKMP: auth pre-share

router1 487: 01:30:38: ISAKMP: life type in seconds

router1 488: 01:30:38: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

router1 489: 01:30:38: ISAKMP (0:1): atts are acceptable. Next payload is 0

router1 490: 01:30:38: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

router1 491: Old State = IKE_R_MM1 New State = IKE_R_MM1

router1 492:

router1 493: 01:30:38: ISAKMP (0:1): sending packet to 220.220.220.1 (R) MM_SA_SETUP

router1 494: 01:30:38: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

router1 495:

router1 496: Old State = IKE_R_MM1 New State = IKE_R_MM2

router1 497:

router1 498: 01:30:39: ISAKMP (0:1): received packet from 220.220.220.1 (R) MM_SA_SETUP

router1 499: 01:30:39: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

router1 500: Old State = IKE_R_MM2 New State = IKE_R_MM3

router1 501:

router1 502: 01:30:39: ISAKMP (0:1): processing KE payload. message ID = 0

router1 503: 01:30:39: ISAKMP (0:1): processing NONCE payload. message ID = 0

router1 504: 01:30:39: ISAKMP (0:1): found peer pre-shared key matching 220.220.220.1

router1 505: 01:30:39: ISAKMP (0:1): SKEYID state generated

router1 506: 01:30:39: ISAKMP (0:1): processing vendor id payload

router1 507: 01:30:39: ISAKMP (0:1): vendor ID is Unity

router1 508: 01:30:39: ISAKMP (0:1): processing vendor id payload

router1 509: 01:30:39: ISAKMP (0:1): vendor ID is DPD

router1 510: 01:30:39: ISAKMP (0:1): processing vendor id payload

router1 511: 01:30:39: ISAKMP (0:1): speaking to another IOS box!

router1 512: 01:30:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

router1 513: Old State = IKE_R_MM3 New State = IKE_R_MM3

router1 514:

router1 515: 01:30:39: ISAKMP (0:1): sending packet to 220.220.220.1 (R) MM_KEY_EXCH

router1 516: 01:30:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

router1 517: Old State = IKE_R_MM3 New State = IKE_R_MM4

router1 518:

router1 519: 01:30:39: ISAKMP (0:1): received packet from 220.220.220.1 (R) MM_KEY_EXCH

router1 520: 01:30:39: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

router1 521: Old State = IKE_R_MM4 New State = IKE_R_MM5

router1 522:

router1 523: 01:30:39: ISAKMP (0:1): processing ID payload. message ID = 0

router1 524: 01:30:39: ISAKMP (0:1): processing HASH payload. message ID = 0

router1 525: 01:30:39: ISAKMP (0:1): SA has been authenticated with 220.220.220.1

router1 526: 01:30:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

router1 527: Old State = IKE_R_MM5 New State = IKE_R_MM5

router1 528:

router1 529: 01:30:39: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

router1 530: 01:30:39: ISAKMP (1): ID payload

router1 531: ^Inext-payload : 8

router1 532: ^Itype : 1

router1 533: ^Iprotocol : 17

router1 534: ^Iport : 500

router1 535: ^Ilength : 8

router1 536: 01:30:39: ISAKMP (1): Total payload length: 12

router1 537: 01:30:39: ISAKMP (0:1): sending packet to 220.220.220.1 (R) MM_KEY_EXCH

router1 538: 01:30:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

router1 539:

router1 540: Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

router1 541:

router1 542: 01:30:39: ISAKMP (0:1): Need config/address

router1 543: 01:30:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

router1 544: Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

router1 545:

router1 546: 01:30:40: ISAKMP (0:1): received packet from 220.220.220.1 (R) CONF_ADDR

router1 547: 01:30:40: ISAKMP: set new node 2114054612 to CONF_ADDR

router1 548: 01:30:40: ISAKMP (0:1): Need config/address

router1 549: 01:30:40: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

router1 550: Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

router1 551:

router1 552: 01:30:50: ISAKMP (0:1): received packet from 220.220.220.1 (R) CONF_ADDR

router1 553: 01:30:50: ISAKMP (0:1): phase 2 packet is a duplicate of a previous packet.

router1 554: 01:31:00: ISAKMP (0:1): received packet from 220.220.220.1 (R) CONF_ADDR

router1 555: 01:31:00: ISAKMP (0:1): phase 2 packet is a duplicate of a previous packet.

router1 556: 01:31:05: ISAKMP (0:1): received packet from 220.220.220.1 (R) CONF_ADDR

router1 557: 01:31:05: ISAKMP: set new node -1194574075 to CONF_ADDR

router1 558: 01:31:05: ISAKMP (0:1): processing HASH payload. message ID = -1194574075

router1 559: 01:31:05: ISAKMP (0:1): processing DELETE payload. message ID = -1194574075

router1 560: 01:31:05: ISAKMP (0:1): peer does not do paranoid keepalives.

router1 561:

router1 562: 01:31:05: ISAKMP (0:1): processing DELETE payload. message ID = -1194574075

router1 563: 01:31:05: ISAKMP (0:1): peer does not do paranoid keepalives.

router1 564:

router1 565: 01:31:05: ISAKMP (0:1): deleting node -1194574075 error FALSE reason "informational (in) state 1"

router1 566: 01:31:05: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_DELETE

router1 567:

router1 568: Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

router1 569:

router1 570: 01:31:05: IPSEC(key_engine): got a queue event...

router1 571: 01:31:05: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

router1 572: 01:31:05: IPSEC(key_engine): got a queue event...

router1 573: 01:31:05: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

router1 574: 01:31:08: ISAKMP (0:1): received packet from 220.220.220.1 (R) CONF_ADDR

router1 575: 01:31:08: ISAKMP: set new node -1199502796 to CONF_ADDR

router1 576: 01:31:08: ISAKMP (0:1): Waiting for config mode response ... dropping Quick Mode message.

router1 577: 01:31:10: ISAKMP (0:1): received packet from 220.220.220.1 (R) CONF_ADDR

router1 578: 01:31:10: ISAKMP (0:1): phase 2 packet is a duplicate of a previous packet.

router1 579: 01:31:18: ISAKMP (0:1): received packet from 220.220.220.1 (R) CONF_ADDR

router1 580: 01:31:18: ISAKMP: set new node 1293943581 to CONF_ADDR

router1 581: 01:31:18: ISAKMP (0:1): processing HASH payload. message ID = 1293943581

router1 582: 01:31:18: ISAKMP (0:1): processing DELETE payload. message ID = 1293943581

router1 583: 01:31:18: ISAKMP (0:1): peer does not do paranoid keepalives.

router1 584:

router1 585: 01:31:18: ISAKMP (0:1): deleting SA reason "P1 delete notify (in)" state (R) CONF_ADDR (peer 220.220.220.1) input queue 0

router1 586: 01:31:18: ISAKMP (0:1): deleting node 1293943581 error FALSE reason "informational (in) state 1"

router1 587: 01:31:18: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_DELETE

router1 588:

router1 589: Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

router1 590:

router1 591: 01:31:18: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

router1 592: Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

router1 593:

router1 594: 01:31:18: ISAKMP (0:1): deleting SA reason "" state (R) CONF_ADDR (peer 220.220.220.1) input queue 0

router1 595: 01:31:18: ISAKMP (0:1): deleting node 2114054612 error FALSE reason ""

router1 596: 01:31:18: ISAKMP (0:1): deleting node -1199502796 error FALSE reason ""

router1 597: 01:31:18: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

router1 598: Old State = IKE_DEST_SA New State = IKE_DEST_SA

router1 599:

router1 600: 01:31:55: ISAKMP (0:1): purging node -1194574075

router1 601: 01:32:08: ISAKMP (0:1): purging node 1293943581

router1 602: 01:32:08: ISAKMP (0:1): purging node 2114054612

router1 603: 01:32:08: ISAKMP (0:1): purging node -1199502796

router1 604: 01:32:18: ISAKMP (0:1): purging SA., sa=812CD428, delme=812CD428

router1 605: 01:32:18: ISAKMP: Unlocking CONFIG struct 0x81644448 on return of attributes, count 0

router1 606: 01:33:26: ISAKMP: Deleting peer node for 220.220.220.1: 816317F8

######### DEBUG ROUTER 1 END ###################################################