
Understanding the output of debug crypto isakmp on an ASA for an L2L Tunnel

Purpose

The output of the debug crypto isakmp command is very verbose, so I've omitted some of it.

[IKEv1 DEBUG]: IP = 192.1.1.40, processing SA payload             (1)

[IKEv1 DEBUG]: IP = 192.1.1.40, Oakley proposal is acceptable

<-- output omitted -->

[IKEv1 DEBUG]: IP = 192.1.1.40, Received NAT-Traversal ver 03 VID (2)

<-- output omitted -->

[IKEv1 DEBUG]: IP = 192.1.1.40, processing IKE SA                 (3)

[IKEv1 DEBUG]: IP = 192.1.1.40, IKE SA Proposal # 1,              (4)

    Transform # 1 acceptable  Matches global IKE entry # 2

[IKEv1 DEBUG]: IP = 192.1.1.40, constructing ISA_SA for isakmp    (5)

<-- output omitted -->

[IKEv1 DEBUG]: IP = 192.1.1.40, processing ke payload

[IKEv1 DEBUG]: IP = 192.1.1.40, processing ISA_KE

[IKEv1 DEBUG]: IP = 192.1.1.40, processing nonce payload

[IKEv1 DEBUG]: IP = 192.1.1.40, processing VID payload

[IKEv1 DEBUG]: IP = 192.1.1.40, Received Cisco Unity client VID

[IKEv1 DEBUG]: IP = 192.1.1.40, processing VID payload

[IKEv1 DEBUG]: IP = 192.1.1.40, Received DPD VID

[IKEv1 DEBUG]: IP = 192.1.1.40, processing VID payload

[IKEv1 DEBUG]: IP = 192.1.1.40, Processing IOS/PIX Vendor ID payload

     (version: 1.0.0, capabilities: 0000077f)

[IKEv1 DEBUG]: IP = 192.1.1.40, processing VID payload

[IKEv1 DEBUG]: IP = 192.1.1.40, Received xauth V6 VID

[IKEv1 DEBUG]: IP = 192.1.1.40, constructing ke payload

[IKEv1 DEBUG]: IP = 192.1.1.40, constructing nonce payload

[IKEv1 DEBUG]: IP = 192.1.1.40, constructing Cisco Unity VID payload

[IKEv1 DEBUG]: IP = 192.1.1.40, constructing xauth V6 VID payload

[IKEv1 DEBUG]: IP = 192.1.1.40, Send IOS VID

[IKEv1 DEBUG]: IP = 192.1.1.40, Constructing ASA spoofing IOS Vendor

ID payload (version: 1.0.0, capabilities: 20000001)

[IKEv1 DEBUG]: IP = 192.1.1.40, constructing VID payload

[IKEv1 DEBUG]: IP = 192.1.1.40, Send Altiga/Cisco

    VPN3000/Cisco ASA GW VID

[IKEv1]: IP = 192.1.1.40, Connection landed on tunnel_group       (6)

    192.1.1.40

[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Generating keys

    for Responder...

[IKEv1]: IP = 192.1.1.40, IKE DECODE SENDING Message (msgid=0) with

    payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13)

    + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256

[IKEv1]: IP = 192.1.1.40, IKE DECODE RECEIVED Message (msgid=0) with

    payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (14) +

    NOTIFY (11) + NONE (0) total length : 112

[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Processing ID (7)

[IKEv1 DECODE]: ID_IPV4_ADDR ID received 192.1.1.40

[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, processing hash

[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, computing hash

[IKEv1 DEBUG]: IP = 192.1.1.40, Processing IOS keep alive payload:

    proposal=30/10 sec.

[IKEv1 DEBUG]: IP = 192.1.1.40, Starting IOS keepalive monitor:

    80 sec.

[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Processing

    Notify payload

[IKEv1]: IP = 192.1.1.40, Connection landed on tunnel_group

    192.1.1.40

[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, constructing ID

[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, construct hash

    payload

[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, computing hash

[IKEv1 DEBUG]: IP = 192.1.1.40, Constructing IOS keep alive       (8)

   payload: proposal=32767/32767 sec.

[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40,

    constructing dpd vid payload

<-- output omitted -->

[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, PHASE 1 COMPLETED   (9)

[IKEv1]: IP = 192.1.1.40, Keep-alive type for this connection: DPD

[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Starting

    phase 1 rekey timer: 82080000 (ms)

[IKEv1 DECODE]: IP = 192.1.1.40, IKE Responder starting QM:

    msg id = 4a9a7c8b

[IKEv1]: IP = 192.1.1.40, IKE DECODE RECEIVED Message            (10)

    (msgid=4a9a7c8b) with payloads : HDR + HASH (8) + SA (1) +

    NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172

<-- output omitted -->

[IKEv1 DECODE]: ID_IPV4_ADDR_SUBNET ID received--                (11)

    192.168.0.0--255.255.255.0

[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Received remote IP

    Proxy Subnet data in ID Payload:   Address 192.168.0.0,

    Mask 255.255.255.0, Protocol 0, Port 0

[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Processing ID

[IKEv1 DECODE]: ID_IPV4_ADDR_SUBNET ID received--

    192.168.2.0--255.255.255.0

[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Received local IP Proxy

    Subnet data in ID Payload:   Address 192.168.2.0,

    Mask 255.255.255.0, Protocol 0, Port 0

[IKEv1]: QM IsRekeyed old sa not found by addr

[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Static Crypto Map  (12)

    check, checking map = mymap, seq = 10...

[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Static Crypto Map

    check, map mymap, seq = 10 is a successful match

[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, IKE Remote Peer

    configured for SA: mymap

[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, processing IPSEC SA

[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, IPsec SA     (13)

    Proposal # 1, Transform # 1 acceptable  Matches global IPsec

    SA entry # 10

[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, IKE: requesting SPI!

[IKEv1 DEBUG]: IKE got SPI from key engine: SPI = 0xcc3dcb5a

<-- output omitted -->

[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Transmitting (14)

    Proxy Id: Remote subnet: 192.168.0.0  Mask 255.255.255.0

    Protocol 0  Port 0   Local subnet:  192.168.2.0

    mask 255.255.255.0 Protocol 0  Port 0

<-- output omitted -->

[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, loading all  (15)

    IPSEC SAs

[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Generating

    Quick Mode Key!

[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Generating

    Quick Mode Key!

[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Security           (16)

    negotiation complete for LAN-to-LAN Group (192.1.1.40)

    Responder, Inbound SPI = 0xcc3dcb5a, Outbound SPI = 0x382e1cb2

[IKEv1 DEBUG]: IKE got a KEY_ADD msg for SA: SPI = 0x382e1cb2

[IKEv1 DEBUG]: pitcher: rcv KEY_UPDATE, spi 0xcc3dcb5a

[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Starting P2 Rekey timer

    to expire in 3420 seconds

[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, PHASE 2 COMPLETED  (17)

    (msgid=4a9a7c8b)

[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40,  Sending     (18)

    keep-alive of type DPD R-U-THERE (seq number 0x3252ed2c)

Here's a brief description of the debugs:

1. Main mode exchange is beginning; no policies have been shared yet and the peers are still in MM_NO_STATE.
2. The remote peer is testing for the use of NAT-T.
3. The comparison of ISAKMP/IKE policies begins here.
4. This message indicates that a matching policy has been found.
5. The management connection is being built.
6. The peer is associated with the "192.1.1.40" L2L tunnel group, and the encryption and hash keys are being generated.
7. This is where authentication with pre-shared keys begins: remember that authentication occurs on both peers, so you'll see two corresponding sets of authentication messages.
8. DPD is being negotiated.
9. Phase 1 is complete.
10. Phase 2 (quick mode) begins.
11. The remote subnet (192.168.0.0/24) is received and compared to the local subnet (192.168.2.0/24).
12. A matching static crypto map entry is looked for and found.
13. The appliance finds a matching data transform for the data connections.
14. A check is performed for mirrored crypto ACLs.
15. Keys are generated for the data SAs.
16. SPIs are assigned to the data SAs.
17. Phase 2 completes.
18. A DPD keepalive is sent to the remote peer on the management connection.
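As an added example (not part of the original post), here is a small Python parser that walks debug lines in the format shown above and records the milestones the list describes: the tunnel group (6), phase 1 completion (9), the proxy IDs received (11), the crypto map match (12), the proxy IDs transmitted (14), the SPIs (16) and phase 2 completion (17). It also implements the mirrored proxy-ID check from item 14, which is where a non-mirrored crypto ACL shows up. The sample input is constructed from the page's message formats with the wrapped continuation lines joined back onto single lines; the function names are my own.

```python
import re

# Constructed sample in the format of the page's debug excerpt, with the
# wrapped continuation lines joined back onto single lines.
SAMPLE_DEBUG = """\
[IKEv1 DEBUG]: IP = 192.1.1.40, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2
[IKEv1]: IP = 192.1.1.40, Connection landed on tunnel_group 192.1.1.40
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, PHASE 1 COMPLETED
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Received remote IP Proxy Subnet data in ID Payload:   Address 192.168.0.0, Mask 255.255.255.0, Protocol 0, Port 0
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Received local IP Proxy Subnet data in ID Payload:   Address 192.168.2.0, Mask 255.255.255.0, Protocol 0, Port 0
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Static Crypto Map check, map mymap, seq = 10 is a successful match
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Transmitting Proxy Id: Remote subnet: 192.168.0.0  Mask 255.255.255.0 Protocol 0  Port 0   Local subnet:  192.168.2.0 mask 255.255.255.0 Protocol 0  Port 0
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Security negotiation complete for LAN-to-LAN Group (192.1.1.40) Responder, Inbound SPI = 0xcc3dcb5a, Outbound SPI = 0x382e1cb2
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, PHASE 2 COMPLETED (msgid=4a9a7c8b)
"""

def parse_isakmp_debug(text):
    """Walk the debug lines in order and record each negotiation milestone."""
    s = {"tunnel_group": None, "phase1": False, "phase2": False,
         "crypto_map": None, "received": {}, "transmitted": {}, "spi": {}}
    for line in text.splitlines():
        m = re.search(r"landed on tunnel_group (\S+)", line)
        if m:
            s["tunnel_group"] = m.group(1)                           # item 6
        if "PHASE 1 COMPLETED" in line:
            s["phase1"] = True                                       # item 9
        m = re.search(r"Received (remote|local) IP Proxy Subnet.*?Address ([\d.]+), Mask ([\d.]+)", line)
        if m:
            s["received"][m.group(1)] = (m.group(2), m.group(3))     # item 11
        m = re.search(r"map (\S+), seq = (\d+) is a successful match", line)
        if m:
            s["crypto_map"] = (m.group(1), int(m.group(2)))          # item 12
        m = re.search(r"Remote subnet: ([\d.]+)\s+Mask ([\d.]+).*?Local subnet:\s+([\d.]+)\s+mask ([\d.]+)", line)
        if m:
            s["transmitted"] = {"remote": (m.group(1), m.group(2)),
                                "local": (m.group(3), m.group(4))}   # item 14
        m = re.search(r"Inbound SPI = (0x[0-9a-f]+), Outbound SPI = (0x[0-9a-f]+)", line)
        if m:
            s["spi"] = {"inbound": m.group(1), "outbound": m.group(2)}  # item 16
        if "PHASE 2 COMPLETED" in line:
            s["phase2"] = True                                       # item 17
    return s

def proxy_ids_mirrored(state):
    """Item 14: the proxy IDs the ASA transmits must equal the ones it received
    from the peer; otherwise the two crypto ACLs are not mirror images."""
    r, t = state["received"], state["transmitted"]
    return bool(r and t) and r.get("remote") == t.get("remote") and r.get("local") == t.get("local")
```

Running the parser over a capture in which phase 2 never completes shows at which milestone the negotiation stopped, which is usually quicker than reading the raw debug top to bottom.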

References

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
