Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

877 using fe as WAN (ISP provider modem/router) -> VPN won't come up!

Hi,

Due some changes with our ISP, the atm interface on the 877 router won't support stable connections anymore. The fix I'm having to do is to use our ISP provided modem/router, and have the 877 use an fe port as a WAN port and instigate the VPN from there.

I've had issues with getting the WAN port to work correctly that I got fixed here:

https://supportforums.cisco.com/message/4090973

Now I've got to get this bit going then I'm all good!

Basic set up is:

Remote firewall <-> internet <-> local ISP (modem/router) <-> Cisco 877 <-> laptop/switch etc

172.20.0.0/16                             192.168.1.254       192.168.1.139    172.30.99.1     172.30.99.0/24

Current config is:

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname ITTEST

!

boot-start-marker

boot system flash:c870-advipservicesk9-mz.124-24.T6.bin

boot-end-marker

!

logging message-counter syslog

logging buffered 10240

enable secret

enable password

!

no aaa new-model

clock timezone GMT 0

clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00

!

!

dot11 syslog

no ip source-route

!

!

ip dhcp excluded-address 172.30.99.1 172.30.99.100

!

ip dhcp pool dhcppool

   import all

   network 172.30.99.0 255.255.255.0

   default-router 172.30.99.1

   dns-server 172.30.99.1 172.20.0.120 172.20.0.121

   domain-name gratte.com

   update arp

!

!

ip cef

ip domain name gratte.com

ip name-server 192.168.1.254

ip name-server 172.20.0.120

ip name-server 172.20.0.121

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key <presharedkey> address xxx.xxx.xxx.xxx no-xauth

!

!

crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac

!

crypto ipsec profile IPSEC-VPN

set transform-set 3DESSHA

!

!

archive

log config

  hidekeys

!

!

!

!

!

interface Tunnel0

description --- IPSec Tunnel to KX ---

ip address 172.30.99.10 255.255.255.252

ip ospf mtu-ignore

load-interval 30

tunnel source Vlan1

tunnel destination xxx.xxx.xxx.xxx

tunnel mode ipsec ipv4

tunnel protection ipsec profile IPSEC-VPN

!

interface ATM0

no ip address

shutdown

no atm ilmi-keepalive

!

interface FastEthernet0

description DATA

spanning-tree portfast

!

interface FastEthernet1

description VOICE

switchport access vlan 100

switchport voice vlan 100

spanning-tree portfast

!

interface FastEthernet2

shutdown

!

interface FastEthernet3

switchport access vlan 666

no cdp enable

spanning-tree portfast

!

interface Vlan1

ip address 172.30.99.1 255.255.255.252

ip nat inside

ip virtual-reassembly

!

interface Vlan666

ip address 192.168.1.139 255.255.255.0

ip nat outside

ip virtual-reassembly

!

interface Dialer0

no ip address

!

ip default-gateway 192.168.1.254

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.1.254

ip route 10.20.0.0 255.255.0.0 Tunnel0

ip route 10.21.0.0 255.255.0.0 Tunnel0

ip route 64.156.192.220 255.255.255.255 Tunnel0

ip route 64.156.192.245 255.255.255.255 Tunnel0

ip route 74.50.50.16 255.255.255.255 Tunnel0

ip route 74.50.63.14 255.255.255.255 Tunnel0

ip route 172.16.0.0 255.240.0.0 Tunnel0

ip route 172.30.99.0 255.255.255.0 Vlan1

no ip http server

no ip http secure-server

!

!

ip dns server

ip nat inside source list 100 interface Vlan666 overload

!

access-list 100 permit ip 172.30.99.0 0.0.0.255 any

access-list 199 permit icmp any any

!

!

!

!

snmp-server community public RO

snmp-server community blobby RW

!

control-plane

!

!

line con 0

password

login

no modem enable

line aux 0

line vty 0 4

password

login

!

scheduler max-task-time 5000

ntp server 72.8.140.222

ntp server 172.20.0.120

ntp server 172.20.0.121

end

Hope someone can help!

  • VPN
5 REPLIES
Purple

877 using fe as WAN (ISP provider modem/router) -> VPN won't com

Hi,

your VPN peering must be done on public IP addresses not private ones which are not "routeable" on the Internet.

You'll have to do the PPPoE/PPPoA on the 877 to get a public IP and do your tunnel from there.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
New Member

877 using fe as WAN (ISP provider modem/router) -> VPN won't com

I assumed NAT would take care of that?

Would I have to configure the ISP router to bridge mode to achieve this then?

Another example where a similar set up to this works; we have a site where we have access to an existing internet connection; on this site I have a Juniper SRX100 (no dsl interface), a port configured for untrust (internet facing) and a port configured for trust (private network), I am able to make the tunnel work (using a dynamic VPN on the SRX100 end as no designated IP). It is seen as the existing internet connections public IP.

New Member

877 using fe as WAN (ISP provider modem/router) -> VPN won't com

Ok, tunnel is up!

Just used Dynamic instead of static and aggressive mode.

Now I have a strange problem.

Gateway at HO is 172.20.0.251, this is the site the 877 connects to.

Laptop on connected to VLAN 1 on the 877 is on 172.30.99.101

HO can ping the 877 on 172.30.99.1, the router can ping everything, the laptop can only ping the router.

Why can't HO ping the laptop and vice versa?

The router shows:

ITTEST#ping 172.20.0.251

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.20.0.251, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 24/27/28 ms

ITTEST#ping 172.30.99.101

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.30.99.101, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

ITTEST#ping 172.30.99.101 source tun0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.30.99.101, timeout is 2 seconds:

Packet sent with a source address of 172.30.99.10

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

ITTEST#ping 172.20.0.251 source vlan1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.20.0.251, timeout is 2 seconds:

Packet sent with a source address of 172.30.99.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 24/25/28 ms

a tracert from HO to the laptop reaches 172.30.99.1 and stops

a tracert from the laptop to HO reaches 172.30.99.1 and stops

strange.

ip route 0.0.0.0 0.0.0.0 192.168.1.254

ip route 10.20.0.0 255.255.0.0 Tunnel0

ip route 10.21.0.0 255.255.0.0 Tunnel0

ip route 64.156.192.220 255.255.255.255 Tunnel0

ip route 64.156.192.245 255.255.255.255 Tunnel0

ip route 74.50.50.16 255.255.255.255 Tunnel0

ip route 74.50.63.14 255.255.255.255 Tunnel0

ip route 172.16.0.0 255.240.0.0 Tunnel0

ip route 172.30.99.0 255.255.255.0 Vlan1

no ip http server

no ip http secure-server

!

!

ip dns server

ip nat inside source list 100 interface Vlan666 overload

!

access-list 100 permit ip 172.30.99.0 0.0.0.255 any

access-list 100 permit ip 172.20.0.0 0.0.255.255 any

access-list 199 permit icmp any any

New Member

877 using fe as WAN (ISP provider modem/router) -> VPN won't com

And now coupled with the routing problem in my last post, the tunnel seems to be a bit odd.

It comes up, works, pings can be made, then the below happens, it is seen at the remote end as connected, 877 shows as vpn up, but you can't ping across it anymore:

ITTEST#ping 172.20.0.251

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.20.0.251, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 24/24/28 ms

ITTEST#

00:59:38: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA

00:59:38: %CRYPTO-4-IKMP_NO_SA: IKE message from

has no SA and is not an initialization offer

00:59:40: ISAKMP (0): received packet from

dport 500 sport 500 Global (N) NEW SA

00:59:43: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA

00:59:43: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA

00:59:48: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA

00:59:48: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA

00:59:53: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA

00:59:56: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA

00:59:58: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA

01:00:03: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA

01:00:08: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA

01:00:18: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 172.30.99.1, remote= ,

    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

01:00:18: IPSEC(lifetime_expiry): SA lifetime threshold reached, expiring in 43 seconds

01:00:18: ISAKMP: set new node 0 to QM_IDLE

01:00:18: SA has outstanding requests  (local 133.37.54.100 port 500, remote 133.37.54.72 port 500)

01:00:18: ISAKMP:(2001): sitting IDLE. Starting QM immediately (QM_IDLE      )

01:00:18: ISAKMP:(2001):beginning Quick Mode exchange, M-ID of 614665514

01:00:18: ISAKMP:(2001):QM Initiator gets spi

01:00:18: ISAKMP:(2001): sending packet to my_port 500 peer_port 500 (I) QM_IDLE

01:00:18: ISAKMP:(2001):Sending an IKE IPv4 Packet.

01:00:18: ISAKMP:(2001):Node 614665514, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

01:00:18: ISAKMP:(2001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1

01:00:28: ISAKMP:(2001): retransmitting phase 2 QM_IDLE       614665514 ...

01:00:28: ISAKMP (2001): incrementing error counter on node, attempt 1 of 5: retransmit phase 2

01:00:28: ISAKMP (2001): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2

01:00:28: ISAKMP:(2001): retransmitting phase 2 614665514 QM_IDLE

01:00:28: ISAKMP:(2001): sending packet to my_port 500 peer_port 500 (I) QM_IDLE

01:00:28: ISAKMP:(2001):Sending an IKE IPv4 Packet.

01:00:38: ISAKMP:(2001): retransmitting phase 2 QM_IDLE       614665514 ...

01:00:38: ISAKMP (2001): incrementing error counter on node, attempt 2 of 5: retransmit phase 2

01:00:38: ISAKMP (2001): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2

01:00:38: ISAKMP:(2001): retransmitting phase 2 614665514 QM_IDLE

01:00:38: ISAKMP:(2001): sending packet to my_port 500 peer_port 500 (I) QM_IDLE

01:00:38: ISAKMP:(2001):Sending an IKE IPv4 Packet.

01:00:48: IPSEC(key_engine): request timer fired: count = 1,

  (identity) local= 172.30.99.1, remote= ,

    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)

01:00:48: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 172.30.99.1, remote= ,

    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

01:00:48: ISAKMP: set new node 0 to QM_IDLE

01:00:48: SA has outstanding requests  (local 133.37.54.100 port 500, remote 133.37.54.72 port 500)

01:00:48: ISAKMP:(2001): sitting IDLE. Starting QM immediately (QM_IDLE      )

01:00:48: ISAKMP:(2001):beginning Quick Mode exchange, M-ID of 1063065985

01:00:48: ISAKMP:(2001):QM Initiator gets spi

01:00:48: ISAKMP:(2001): sending packet to my_port 500 peer_port 500 (I) QM_IDLE

01:00:48: ISAKMP:(2001):Sending an IKE IPv4 Packet.

01:00:48: ISAKMP:(2001):Node 1063065985, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

01:00:48: ISAKMP:(2001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1

01:00:48: ISAKMP:(2001): retransmitting phase 2 QM_IDLE       614665514 ...

01:00:48: ISAKMP (2001): incrementing error counter on node, attempt 3 of 5: retransmit phase 2

01:00:48: ISAKMP (2001): incrementing error counter on sa, attempt 3 of 5: retransmit phase 2

01:00:48: ISAKMP:(2001): retransmitting phase 2 614665514 QM_IDLE

01:00:48: ISAKMP:(2001): sending packet to my_port 500 peer_port 500 (I) QM_IDLE

01:00:48: ISAKMP:(2001):Sending an IKE IPv4 Packet.

01:00:58: ISAKMP:(2001): retransmitting phase 2 QM_IDLE       1063065985 ...

01:00:58: ISAKMP (2001): incrementing error counter on node, attempt 1 of 5: retransmit phase 2

01:00:58: ISAKMP (2001): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2

01:00:58: ISAKMP:(2001): retransmitting phase 2 1063065985 QM_IDLE

01:00:58: ISAKMP:(2001): sending packet to my_port 500 peer_port 500 (I) QM_IDLE

01:00:58: ISAKMP:(2001):Sending an IKE IPv4 Packet.

01:00:58: ISAKMP:(2001): retransmitting phase 2 QM_IDLE       614665514 ...

01:00:58: ISAKMP (2001): incrementing error counter on node, attempt 4 of 5: retransmit phase 2

01:00:58: ISAKMP (2001): incrementing error counter on sa, attempt 5 of 5: retransmit phase 2

01:00:58: ISAKMP:(2001): retransmitting phase 2 614665514 QM_IDLE

01:00:58: ISAKMP:(2001): sending packet to my_port 500 peer_port 500 (I) QM_IDLE

01:00:58: ISAKMP:(2001):Sending an IKE IPv4 Packet.

01:01:01: IPSEC(delete_sa): deleting SA,

  (sa) sa_dest= 172.30.99.1, sa_proto= 50,

    sa_spi= 0x42C0A605(1119921669),

    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 1

    sa_lifetime(k/sec)= (4521680/3600),

  (identity) local= 172.30.99.1, remote= ,

    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)

01:01:01: IPSEC(update_current_outbound_sa): updated peer current outbound sa to SPI 0

01:01:01: IPSEC(delete_sa): deleting SA,

  (sa) sa_dest= , sa_proto= 50,

    sa_spi= 0xD8415C94(3628162196),

    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2

    sa_lifetime(k/sec)= (4521680/3600),

  (identity) local= 172.30.99.1, remote= ,

    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)

01:01:01: ISAKMP: set new node -713733717 to QM_IDLE

01:01:01: ISAKMP:(2001):peer does not do paranoid keepalives.

01:01:01: ISAKMP:(2001):deleting SA reason "Death by retransmission throw" state (I) QM_IDLE       (peer )

01:01:01: ISAKMP:(2001):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL

01:01:01: ISAKMP:(2001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

01:01:01: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down

01:01:01: ISAKMP: set new node -312624059 to QM_IDLE

01:01:01: ISAKMP:(2001): sending packet to my_port 500 peer_port 500 (I) QM_IDLE

01:01:01: ISAKMP:(2001):Sending an IKE IPv4 Packet.

01:01:01: ISAKMP:(2001):purging node -312624059

01:01:01: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

01:01:01: ISAKMP:(2001):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

01:01:01: ISAKMP:(2001):deleting SA reason "Death by retransmission throw" state (I) QM_IDLE       (peer )

01:01:01: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.

01:01:01: ISAKMP: Unlocking peer struct 0x848AD260 for isadb_mark_sa_deleted(), count 0

01:01:01: ISAKMP: Deleting peer node by peer_reap for : 848AD260

01:01:01: ISAKMP:(2001):deleting node 614665514 error FALSE reason "IKE deleted"

01:01:01: ISAKMP:(2001):deleting node 1063065985 error FALSE reason "IKE deleted"

01:01:01: ISAKMP:(2001):deleting node -713733717 error FALSE reason "IKE deleted"

01:01:01: ISAKMP:(2001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

01:01:01: ISAKMP:(2001):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

01:01:01: IPSEC(key_engine): got a queue event with 1 KMI message(s)

01:01:18: IPSEC(key_engine): request timer fired: count = 2,

  (identity) local= 172.30.99.1, remote= ,

    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)

ITTEST#ping 172.20.0.251

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.20.0.251, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

ITTEST#

I see the line ISAKMP:(2001):peer does not do paranoid keepalives. message, but this occured within an hour of the tunnel coming up, the lifetime would be the 24 hour default (86400)...

New Member

877 using fe as WAN (ISP provider modem/router) -> VPN won't com

And pretty much an hour to the time of when it dropped out, it's kicked back in:

02:00:40: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA

02:00:40: %CRYPTO-4-IKMP_NO_SA: IKE message from has no SA and is not an initialization offer

02:00:42: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA

02:00:45: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA

02:00:45: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA

02:00:50: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA

02:00:50: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA

02:00:55: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA

02:00:57: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 172.30.99.1, remote= ,

    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

02:00:57: IPSEC(lifetime_expiry): SA lifetime threshold reached, expiring in 68 seconds

02:00:57: ISAKMP: set new node 0 to QM_IDLE

02:00:57: SA has outstanding requests  (local 132.76.193.228 port 500, remote 132.76.193.200 port 500)

02:00:57: ISAKMP:(2002): sitting IDLE. Starting QM immediately (QM_IDLE      )

02:00:57: ISAKMP:(2002):beginning Quick Mode exchange, M-ID of 1560671909

02:00:57: ISAKMP:(2002):QM Initiator gets spi

02:00:57: ISAKMP:(2002): sending packet to my_port 500 peer_port 500 (I) QM_IDLE

02:00:57: ISAKMP:(2002):Sending an IKE IPv4 Packet.

02:00:57: ISAKMP:(2002):Node 1560671909, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

02:00:57: ISAKMP:(2002):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1

02:00:58: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE

02:00:58: ISAKMP: set new node 1105416027 to QM_IDLE

02:00:58: ISAKMP:(2002): processing HASH payload. message ID = 1105416027

02:00:58: ISAKMP:(2002): processing SA payload. message ID = 1105416027

02:00:58: ISAKMP:(2002):Checking IPSec proposal 1

02:00:58: ISAKMP: transform 1, ESP_3DES

02:00:58: ISAKMP:   attributes in transform:

02:00:58: ISAKMP:      SA life type in seconds

02:00:58: ISAKMP:      SA life duration (basic) of 3600

02:00:58: ISAKMP:      encaps is 1 (Tunnel)

02:00:58: ISAKMP:      key length is 192

02:00:58: ISAKMP:      authenticator is HMAC-SHA

02:00:58: ISAKMP:(2002):atts are acceptable.

02:00:58: ISAKMP:(2002):Checking IPSec proposal 1

02:00:58: ISAKMP: transform 2, ESP_3DES

02:00:58: ISAKMP:   attributes in transform:

02:00:58: ISAKMP:      SA life type in seconds

02:00:58: ISAKMP:      SA life duration (basic) of 3600

02:00:58: ISAKMP:      encaps is 1 (Tunnel)

02:00:58: ISAKMP:      authenticator is HMAC-SHA

02:00:58: ISAKMP:(2002):atts are acceptable.

02:00:58: IPSEC(validate_proposal_request): proposal part #1

02:00:58: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 172.30.99.1, remote= ,

    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    protocol= ESP, transform= NONE  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 192, flags= 0x0

02:00:58: Crypto mapdb : proxy_match

        src addr     : 0.0.0.0

        dst addr     : 0.0.0.0

        protocol     : 0

        src port     : 0

        dst port     : 0

02:00:58: ISAKMP:(2002): processing NONCE payload. message ID = 1105416027

02:00:58: ISAKMP:(2002): processing ID payload. message ID = 1105416027

02:00:58: ISAKMP:(2002): processing ID payload. message ID = 1105416027

02:00:58: ISAKMP:(2002):QM Responder gets spi

02:00:58: ISAKMP:(2002):Node 1105416027, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

02:00:58: ISAKMP:(2002):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE

02:00:58: ISAKMP:(2002): Creating IPSec SAs

02:00:58:         inbound SA from to 172.30.99.1 (f/i)  0/ 0

        (proxy 0.0.0.0 to 0.0.0.0)

02:00:58:         has spi 0x48E03F51 and conn_id 0

02:00:58:         lifetime of 3600 seconds

02:00:58:         outbound SA from 172.30.99.1 to (f/i) 0/0

        (proxy 0.0.0.0 to 0.0.0.0)

02:00:58:         has spi  0xD4AF8B3C and conn_id 0

02:00:58:         lifetime of 3600 seconds

02:00:58: ISAKMP:(2002): sending packet to my_port 500 peer_port 500 (I) QM_IDLE

02:00:58: ISAKMP:(2002):Sending an IKE IPv4 Packet.

02:00:58: ISAKMP:(2002):Node 1105416027, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI

02:00:58: ISAKMP:(2002):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2

02:00:58: IPSEC(key_engine): got a queue event with 1 KMI message(s)

02:00:58: Crypto mapdb : proxy_match

        src addr     : 0.0.0.0

        dst addr     : 0.0.0.0

        protocol     : 0

        src port     : 0

        dst port     : 0

02:00:58: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer

02:00:58: IPSEC(create_sa): sa created,

  (sa) sa_dest= 172.30.99.1, sa_proto= 50,

    sa_spi= 0x48E03F51(1222655825),

    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 5

    sa_lifetime(k/sec)= (4450631/3600)

02:00:58: IPSEC(create_sa): sa created,

  (sa) sa_dest= , sa_proto= 50,

    sa_spi= 0xD4AF8B3C(3568274236),

    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 6

    sa_lifetime(k/sec)= (4450631/3600)

02:00:58: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE

02:00:58: ISAKMP:(2002):deleting node 1105416027 error FALSE reason "QM done (await)"

02:00:58: ISAKMP:(2002):Node 1105416027, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

02:00:58: ISAKMP:(2002):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE

02:00:58: IPSEC(key_engine): got a queue event with 1 KMI message(s)

02:00:58: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP

02:00:58: IPSEC(key_engine_enable_outbound): enable SA with spi 3568274236/50

02:00:58: IPSEC(update_current_outbound_sa): updated peer current outbound sa to SPI D4AF8B3C

02:00:59: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE

02:00:59: ISAKMP: set new node -1124267365 to QM_IDLE

02:00:59: ISAKMP:(2002): processing HASH payload. message ID = -1124267365

02:00:59: ISAKMP:(2002): processing DELETE payload. message ID = -1124267365

02:00:59: ISAKMP:(2002):peer does not do paranoid keepalives.

02:00:59: ISAKMP:(2002):deleting node -1124267365 error FALSE reason "Informational (in) state 1"

02:00:59: IPSEC(key_engine): got a queue event with 1 KMI message(s)

02:00:59: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

02:00:59: IPSEC(key_engine_delete_sas): delete SA with spi 0xBDD33AB1 proto 50 for

02:00:59: IPSEC(delete_sa): deleting SA,

  (sa) sa_dest= 172.30.99.1, sa_proto= 50,

    sa_spi= 0x539777E6(1402435558),

    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3

    sa_lifetime(k/sec)= (4412467/3600),

  (identity) local= 172.30.99.1, remote= ,

    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)

02:00:59: IPSEC(delete_sa): deleting SA,

  (sa) sa_dest= , sa_proto= 50,

    sa_spi= 0xBDD33AB1(3184736945),

    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4

    sa_lifetime(k/sec)= (4412467/3600),

  (identity) local= 172.30.99.1, remote= ,

    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)

02:01:00: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE

02:01:00: ISAKMP: set new node -2105526428 to QM_IDLE

02:01:00: ISAKMP:(2002): processing HASH payload. message ID = -2105526428

02:01:00: ISAKMP:(2002): processing NOTIFY DPD/R_U_THERE protocol 1

        spi 0, message ID = -2105526428, sa = 844CC060

02:01:00: ISAKMP:(2002):deleting node -2105526428 error FALSE reason "Informational (in) state 1"

02:01:00: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

02:01:00: ISAKMP:(2002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

02:01:00: ISAKMP:(2002):DPD/R_U_THERE received from peer , sequence 0x22D

02:01:00: ISAKMP: set new node 971443288 to QM_IDLE

02:01:00: ISAKMP:(2002):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1

        spi 2220478360, message ID = 971443288

02:01:00: ISAKMP:(2002): seq. no 0x22D

02:01:00: ISAKMP:(2002): sending packet to my_port 500 peer_port 500 (I) QM_IDLE

02:01:00: ISAKMP:(2002):Sending an IKE IPv4 Packet.

02:01:00: ISAKMP:(2002):purging node 971443288

02:01:00: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE

02:01:00: ISAKMP:(2002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

02:01:02: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE

02:01:02: ISAKMP:(2002): processing HASH payload. message ID = 1560671909

02:01:02: ISAKMP:(2002): processing SA payload. message ID = 1560671909

02:01:02: ISAKMP:(2002):Checking IPSec proposal 1

02:01:02: ISAKMP: transform 1, ESP_3DES

02:01:02: ISAKMP:   attributes in transform:

02:01:02: ISAKMP:      encaps is 1 (Tunnel)

02:01:02: ISAKMP:      SA life type in seconds

02:01:02: ISAKMP:      SA life duration (basic) of 3600

02:01:02: ISAKMP:      SA life type in kilobytes

02:01:02: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0

02:01:02: ISAKMP:      authenticator is HMAC-SHA

02:01:02: ISAKMP:(2002):atts are acceptable.

02:01:02: IPSEC(validate_proposal_request): proposal part #1

02:01:02: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 172.30.99.1, remote= ,

    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    protocol= ESP, transform= NONE  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

02:01:02: Crypto mapdb : proxy_match

        src addr     : 0.0.0.0

        dst addr     : 0.0.0.0

        protocol     : 0

        src port     : 0

        dst port     : 0

02:01:02: ISAKMP:(2002): processing NONCE payload. message ID = 1560671909

02:01:02: ISAKMP:(2002): processing ID payload. message ID = 1560671909

02:01:02: ISAKMP:(2002): processing ID payload. message ID = 1560671909

02:01:02: ISAKMP:(2002): Creating IPSec SAs

02:01:02:         inbound SA from to 172.30.99.1 (f/i)  0/ 0

        (proxy 0.0.0.0 to 0.0.0.0)

02:01:02:         has spi 0x84F77E7D and conn_id 0

02:01:02:         lifetime of 3600 seconds

02:01:02:         lifetime of 4608000 kilobytes

02:01:02:         outbound SA from 172.30.99.1 to (f/i) 0/0

        (proxy 0.0.0.0 to 0.0.0.0)

02:01:02:         has spi  0xCA486707 and conn_id 0

02:01:02:         lifetime of 3600 seconds

02:01:02:         lifetime of 4608000 kilobytes

02:01:02: ISAKMP:(2002): sending packet to my_port 500 peer_port 500 (I) QM_IDLE

02:01:02: ISAKMP:(2002):Sending an IKE IPv4 Packet.

02:01:02: ISAKMP:(2002):deleting node 1560671909 error FALSE reason "No Error"

02:01:02: ISAKMP:(2002):Node 1560671909, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

02:01:02: ISAKMP:(2002):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE

02:01:02: IPSEC(key_engine): got a queue event with 1 KMI message(s)

02:01:02: Crypto mapdb : proxy_match

        src addr     : 0.0.0.0

        dst addr     : 0.0.0.0

        protocol     : 0

        src port     : 0

        dst port     : 0

02:01:02: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer

02:01:02: IPSEC(create_sa): sa created,

  (sa) sa_dest= 172.30.99.1, sa_proto= 50,

    sa_spi= 0x84F77E7D(2230812285),

    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 7

    sa_lifetime(k/sec)= (4550947/3600)

02:01:02: IPSEC(create_sa): sa created,

  (sa) sa_dest= , sa_proto= 50,

    sa_spi= 0xCA486707(3393742599),

    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 8

    sa_lifetime(k/sec)= (4550947/3600)

02:01:02: IPSEC(update_current_outbound_sa): updated peer current outbound sa to SPI CA486707

02:01:02: IPSEC(check_delete_duplicate_sa_bundle): found duplicated fresh SA bundle, aging it out. min_spi=48E03F51

02:01:02: IPSEC(early_age_out_sibling): sibling outbound SPI D4AF8B3C expiring in 30 seconds due to it's a duplicate SA bundle.

02:01:03: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE

02:01:03: ISAKMP: set new node 2041302203 to QM_IDLE

02:01:03: ISAKMP:(2002): processing HASH payload. message ID = 2041302203

02:01:03: ISAKMP:(2002): processing DELETE payload. message ID = 2041302203

02:01:03: ISAKMP:(2002):peer does not do paranoid keepalives.

02:01:03: ISAKMP:(2002):deleting node 2041302203 error FALSE reason "Informational (in) state 1"

02:01:03: IPSEC(key_engine): got a queue event with 1 KMI message(s)

02:01:03: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

02:01:03: IPSEC(key_engine_delete_sas): delete SA with spi 0xD4AF8B3C proto 50 for

02:01:03: IPSEC(delete_sa): deleting SA,

  (sa) sa_dest= 172.30.99.1, sa_proto= 50,

    sa_spi= 0x48E03F51(1222655825),

    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 5

    sa_lifetime(k/sec)= (4450631/3600),

  (identity) local= 172.30.99.1, remote= ,

    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)

02:01:03: IPSEC(delete_sa): deleting SA,

  (sa) sa_dest= , sa_proto= 50,

    sa_spi= 0xD4AF8B3C(3568274236),

    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 6

    sa_lifetime(k/sec)= (4450631/3600),

  (identity) local= 172.30.99.1, remote= ,

    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)

02:01:48: ISAKMP:(2002):purging node 1105416027

02:01:49: ISAKMP:(2002):purging node -1124267365

02:01:50: ISAKMP:(2002):purging node -2105526428

02:01:52: ISAKMP:(2002):purging node 1560671909

02:01:53: ISAKMP:(2002):purging node 2041302203

420
Views
0
Helpful
5
Replies
This widget could not be displayed.