
NAT to a remote network

Hi guys

I'm having some trouble getting phase 2 up in this site to site.

I have a server on the inside that needs to do some SNMP polling on a server at a customer location over a site to site.

Internal server 10.10.10.10, remote server 10.172.100.20.

My internal server, after doing a traceroute, doesn't seem to know a route when I try to hit that remote server, so what I did was create an object NAT.

We have other customers we monitor, but we usually put our own ASA at their location for the site to site, however not in this case, so I'm using the customer's SonicWall. We have an IP range defined for these monitoring customers of 10.2.255.x /29, so I made a new object for the remote server and called it 10.2.255.97 and NATing to the actual IP of 10.170.100.20.

Phase 1 comes up fine, but phase 2 will not. I have screen shots of the SonicWall setup, and all config is fine. I'm thinking this idea of trying to use a NAT to that server is screwing me over. Anyone ever do anything like this at all?

Thanks

13 REPLIES

Re:NAT to a remote network

Hi Steve,

Can you post your config? Particularly the ACL you are using to match VPN traffic. And what version of code are you using?

Regards,
Mike



Re:NAT to a remote network

Thanks for the reply. Tons of config, so here's what's relevant. If I miss anything, let me know. Debugs added for your viewing pleasure...

crypto map outside_map 10 match address outside_cryptomap_2
crypto map outside_map 10 set peer x.x.x.x
crypto map outside_map 10 set ikev1 transform-set ESP-DES-SHA ESP-DES-MD5 ESP-3DES-MD5 ESP-AES-256-MD5 ESP-AES-192-MD5 ESP-AES-192-SHA ESP-AES-128-MD5 ESP-AES-128-SHA ESP-3DES-SHA ESP-AES-256-SHA

access-list outside_cryptomap_2 extended permit ip object INTERNAL_SERVER object 10.2.255.97_RemoteServer_NAT

object network 10.2.255.97_RemoteServer_NAT
 host 10.2.255.97
object network 10.2.255.97_RemoteServer_NAT
 nat (inside,outside) static 10.172.100.20 <--remote server

group-policy GroupPolicy_x.x.x.x internal
group-policy GroupPolicy_x.x.x.x attributes
 vpn-tunnel-protocol ikev1
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy GroupPolicy_x.x.x.x
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

Feb 26 07:36:57 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE Initiator: New Phase 1, Intf inside, IKE Peer RemotePeerIPx.x.x.x local Proxy Address 10.172.100.20, remote Proxy Address 10.2.255.97, Crypto map (outside_map)

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, constructing ISAKMP SA payload

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, constructing NAT-Traversal VID ver 02 payload

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, constructing NAT-Traversal VID ver 03 payload

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, constructing NAT-Traversal VID ver RFC payload

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, constructing Fragmentation VID + extended capabilities payload

Feb 26 07:36:57 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 284

Feb 26 07:36:57 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 120

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, processing SA payload

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, Oakley proposal is acceptable

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, processing VID payload

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, Received xauth V6 VID

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, processing VID payload

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, Received NAT-Traversal ver 02 VID

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, constructing ke payload

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, constructing nonce payload

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, constructing Cisco Unity VID payload

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, constructing xauth V6 VID payload

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, Send IOS VID

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, constructing VID payload

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, constructing NAT-Discovery payload

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, computing NAT Discovery hash

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, constructing NAT-Discovery payload

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, computing NAT Discovery hash

Feb 26 07:36:57 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304

Feb 26 07:36:57 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 220

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, processing ke payload

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, processing ISA_KE payload

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, processing nonce payload

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, processing NAT-Discovery payload

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, computing NAT Discovery hash

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, processing NAT-Discovery payload

Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, computing NAT Discovery hash

Feb 26 07:36:57 [IKEv1]IP = RemotePeerIPx.x.x.x, Connection landed on tunnel_group RemotePeerIPx.x.x.x

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Generating keys for Initiator...

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing ID payload

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing hash payload

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Computing hash for ISAKMP

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing dpd vid payload

Feb 26 07:36:57 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84

Feb 26 07:36:57 [IKEv1]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device

Feb 26 07:36:57 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, processing ID payload

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, processing hash payload

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Computing hash for ISAKMP

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, processing VID payload

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Received DPD VID

Feb 26 07:36:57 [IKEv1]IP = RemotePeerIPx.x.x.x, Connection landed on tunnel_group RemotePeerIPx.x.x.x

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Oakley begin quick mode

Feb 26 07:36:57 [IKEv1]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, PHASE 1 COMPLETED

Feb 26 07:36:57 [IKEv1]IP = RemotePeerIPx.x.x.x, Keep-alive type for this connection: DPD

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Starting P1 rekey timer: 64800 seconds.

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE got SPI from key engine: SPI = 0x4848d1bf

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE got SPI from key engine: SPI = 0x8de01337

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE got SPI from key engine: SPI = 0xc651facf

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE got SPI from key engine: SPI = 0x6de46d10

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE got SPI from key engine: SPI = 0x1a6bb9bb

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE got SPI from key engine: SPI = 0xb46ecb90

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE got SPI from key engine: SPI = 0xd39d77dd

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE got SPI from key engine: SPI = 0x12b15c5e

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE got SPI from key engine: SPI = 0x1b9b490d

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE got SPI from key engine: SPI = 0x2ce6cbf0

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, oakley constucting quick mode

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing blank hash payload

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing IPSec SA payload

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing IPSec nonce payload

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing proxy ID

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Transmitting Proxy Id:

Local host: 10.172.100.20 Protocol 0 Port 0

Remote host: 10.2.255.97 Protocol 0 Port 0

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing qm hash payload

Feb 26 07:36:57 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE SENDING Message (msgid=dbc8a511) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 644

Feb 26 07:36:57 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE RECEIVED Message (msgid=e7b42a42) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, processing hash payload

Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, processing notify payload

Feb 26 07:36:57 [IKEv1]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Received non-routine Notify message: No proposal chosen (14)

Feb 26 07:37:05 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE RECEIVED Message (msgid=9c1586a2) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68

Feb 26 07:37:05 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, processing hash payload

Feb 26 07:37:05 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, processing notify payload

Feb 26 07:37:05 [IKEv1]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Received non-routine Notify message: No proposal chosen (14)

Feb 26 07:37:13 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE RECEIVED Message (msgid=cab41f38) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68

Feb 26 07:37:13 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, processing hash payload

Feb 26 07:37:13 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, processing notify payload

Feb 26 07:37:13 [IKEv1]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Received non-routine Notify message: No proposal chosen (14)

Feb 26 07:37:21 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE RECEIVED Message (msgid=eee718a9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68

Feb 26 07:37:21 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, processing hash payload

Feb 26 07:37:21 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, processing notify payload

Feb 26 07:37:21 [IKEv1]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Received non-routine Notify message: No proposal chosen (14)

Feb 26 07:37:29 [IKEv1]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, QM FSM error (P2 struct &0x7486d8b8, mess id 0xdbc8a511)!

Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE QM Initiator FSM error history (struct &0x7486d8b8) , : QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent

Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, sending delete/delete with reason message

Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing blank hash payload

Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing IPSec delete payload

Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing qm hash payload

Feb 26 07:37:29 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE SENDING Message (msgid=b3336872) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68

Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy 10.172.100.20

Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy 10.172.100.20

Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy 10.172.100.20

Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy 10.172.100.20

Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy 10.172.100.20

Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy 10.172.100.20

Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy 10.172.100.20

Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy 10.172.100.20

Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy 10.172.100.20

Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy 10.172.100.20

Feb 26 07:37:29 [IKEv1]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Removing peer from correlator table failed, no match!

Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE SA MM:296c99ad rcv'd Terminate: state MM_ACTIVE flags 0x00008062, refcnt 1, tuncnt 0

Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE SA MM:296c99ad terminating: flags 0x01008022, refcnt 0, tuncnt 0

Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, sending delete/delete with reason message

Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing blank hash payload

Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing IKE delete payload

Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing qm hash payload

Feb 26 07:37:29 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE SENDING Message (msgid=43c81111) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

Feb 26 07:37:29 [IKEv1]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Session is being torn down. Reason: Lost Service

Re:NAT to a remote network

Hi Steve,

Feb 26 07:37:21 [IKEv1]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Received non-routine Notify message: No proposal chosen (14)

Feb 26 07:37:29 [IKEv1]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Session is being torn down. Reason: Lost Service

What do you see on the Sonic Wall side?

Would you mind enabling the IPsec debug to 255?

The Sonic Wall should not send any network range (1.1.1.1 - 1.1.1.254, for instance) since the ASA expects a subnet 1.1.1.0/24, for example.

So, check the logs on the Sonic Wall, get the IPsec logs at 255 to check what they send and hopefully find the issue.
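Added example, not part of the original thread or anyone's post: a small Python check that pulls the quick mode proxy IDs and Notify codes out of ASA `debug crypto ikev1` output and compares them with the selectors in the crypto ACL. The function names are hypothetical, the ACL source is assumed to be 10.10.10.10 (the internal server named in the first post, taken here as what object INTERNAL_SERVER resolves to), and the `subnet ... mask ...` layout is an assumption modelled on the `host` lines shown in the thread.

```python
import ipaddress
import re

# Constructed sample: a few lines taken from the debug output posted in this
# thread (peer address masked as x.x.x.x, as in the post).
SAMPLE_DEBUG = """\
Feb 26 07:36:57 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED
Feb 26 07:36:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Transmitting Proxy Id:
Local host: 10.172.100.20 Protocol 0 Port 0
Remote host: 10.2.255.97 Protocol 0 Port 0
Feb 26 07:36:57 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)
Feb 26 07:37:05 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)
Feb 26 07:37:29 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x7486d8b8, mess id 0xdbc8a511)!
"""

# "Local host: A Protocol p Port q"; the subnet form with a mask is assumed.
PROXY_RE = re.compile(
    r"^\s*(Local|Remote) (host|subnet):\s+(\S+)(?:\s+mask\s+(\S+))?"
    r"\s+Protocol\s+\d+\s+Port\s+\d+",
    re.MULTILINE,
)
NOTIFY_RE = re.compile(r"Received non-routine Notify message: (.+?) \((\d+)\)")


def _selector(kind, addr, mask):
    """Return an ip_network for a proxy ID, or the raw token if it is a name."""
    try:
        if kind == "host":
            return ipaddress.ip_network(addr + "/32")
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:
        # The ASA printed an object or name (e.g. "LocalServer"), not an address.
        return addr


def analyze(debug_text, acl_source, acl_destination):
    """Compare transmitted proxy IDs with the crypto ACL source/destination."""
    expected = {
        "local": ipaddress.ip_network(acl_source),
        "remote": ipaddress.ip_network(acl_destination),
    }
    proposals, pending = [], {}
    for side, kind, addr, mask in PROXY_RE.findall(debug_text):
        pending[side.lower()] = _selector(kind, addr, mask)
        if len(pending) == 2:  # a Local/Remote pair is one quick mode offer
            proposals.append((pending["local"], pending["remote"]))
            pending = {}

    notifies = [(text, int(code)) for text, code in NOTIFY_RE.findall(debug_text)]
    rejected = sum(1 for _text, code in notifies if code == 14)

    findings = []
    for local, remote in proposals:
        for label, got in (("local", local), ("remote", remote)):
            if isinstance(got, str):
                findings.append(
                    f"{label} proxy ID printed as name {got!r}; "
                    "resolve it to an address before comparing"
                )
            elif got != expected[label]:
                findings.append(
                    f"{label} proxy ID {got} differs from crypto ACL "
                    f"selector {expected[label]}"
                )
    if rejected:
        findings.append(
            f"peer answered quick mode with 'No proposal chosen (14)' {rejected} time(s)"
        )

    return {
        "phase1_completed": "PHASE 1 COMPLETED" in debug_text,
        "proposals": [(str(l), str(r)) for l, r in proposals],
        "no_proposal_chosen": rejected,
        "findings": findings,
    }


if __name__ == "__main__":
    # Crypto ACL from the thread: INTERNAL_SERVER -> 10.2.255.97_RemoteServer_NAT
    report = analyze(SAMPLE_DEBUG, "10.10.10.10", "10.2.255.97")
    for line in report["findings"]:
        print(line)
```

Run against the full debug from either post, it lists every proxy ID pair the ASA offered, which is the information to hold next to the SonicWall's own phase 2 log.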


Re:NAT to a remote network

I've emailed my customer to get logs from his end. Will update once I have them.

Feb 26 07:59:43 [IKEv1]IP = x.x.x.x, IKE Initiator: New Phase 1, Intf inside, IKE Peer 207.173.224.194 local Proxy Address LocalServer, remote Proxy Address 10.2.255.97, Crypto map (outside_map)

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, constructing ISAKMP SA payload

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, constructing NAT-Traversal VID ver 02 payload

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, constructing NAT-Traversal VID ver 03 payload

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, constructing NAT-Traversal VID ver RFC payload

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, constructing Fragmentation VID + extended capabilities payload

Feb 26 07:59:43 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 284

SENDING PACKET to x.x.x.x

IKE Recv RAW packet dump

RECV PACKET from x.x.x.x

ISAKMP Header

Initiator COOKIE: 51 17 01 0f 76 1a ab 96

Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0

Next Payload: Security Association

Version: 1.0

Exchange Type: Identity Protection (Main Mode)

Flags: (none)

MessageID: 00000000

Length: 120

Payload Security Association

   Next Payload: Vendor ID

   Reserved: 00

   Payload Length: 60

   DOI: IPsec

   Situation:(SIT_IDENTITY_ONLY)

   Payload Proposal

     Next Payload: None

     Reserved: 00

     Payload Length: 48

     Proposal #: 1

     Protocol-Id: PROTO_ISAKMP

     SPI Size: 0

     # of transforms: 1

     Payload Transform

       Next Payload: None

       Reserved: 00

       Payload Length: 40

       Transform #: 2

       Transform-Id: KEY_IKE

       Reserved2: 0000

       Group Description: Group 2

       Encryption Algorithm: AES-CBC

      Key Length: 256

       Hash Algorithm: SHA1

       Authentication Method: Preshared key

       Life Type: seconds

       Life Duration (Hex): 00 01 51 80

Payload Vendor ID

   Next Payload: Vendor ID

   Reserved: 00

   Payload Length: 12

   Data (In Hex): 09 00 26 89 df d6 b7 12

Payload Vendor ID

   Next Payload: None

   Reserved: 00

   Payload Length: 20

   Data (In Hex):

     90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f

Feb 26 07:59:43 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 120

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, processing SA payload

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, Oakley proposal is acceptable

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, processing VID payload

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, Received xauth V6 VID

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, processing VID payload

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, Received NAT-Traversal ver 02 VID

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, constructing ke payload

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, constructing nonce payload

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, constructing Cisco Unity VID payload

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, constructing xauth V6 VID payload

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, Send IOS VID

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, constructing VID payload

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, constructing NAT-Discovery payload

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, computing NAT Discovery hash

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, constructing NAT-Discovery payload

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, computing NAT Discovery hash

Feb 26 07:59:43 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304

SENDING PACKET to x.x.x.x

IKE Recv RAW packet dump

RECV PACKET from x.x.x.x

ISAKMP Header

Initiator COOKIE: 51 17 01 0f 76 1a ab 96

Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0

Next Payload: Key Exchange

Version: 1.0

Exchange Type: Identity Protection (Main Mode)

Flags: (none)

MessageID: 00000000

Length: 220

Payload Key Exchange

   Next Payload: Nonce

   Reserved: 00

   Payload Length: 132

   Data:

Payload Nonce

   Next Payload: NAT-D

   Reserved: 00

   Payload Length: 12

   Data: 94 f8 c3 0a 74 c4 c0 bf

Payload NAT-D

   Next Payload: NAT-D

   Reserved: 00

   Payload Length: 24

   Data:

     b8 b8 02 2b d7 fc 54 35 59 5e 13 22 06 04 2f 13

     cd 2d 51 1d

Payload NAT-D

   Next Payload: None

   Reserved: 00

   Payload Length: 24

   Data:

     07 07 13 0f e7 1a b6 a1 59 36 98 4d 9b 8e dc 9e

     2f ca d1 f1

Feb 26 07:59:43 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 220

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, processing ke payload

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, processing ISA_KE payload

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, processing nonce payload

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, processing NAT-Discovery payload

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, computing NAT Discovery hash

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, processing NAT-Discovery payload

Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, computing NAT Discovery hash

Feb 26 07:59:43 [IKEv1]IP = x.x.x.x, Connection landed on tunnel_group x.x.x.x

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Generating keys for Initiator...

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing ID payload

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing hash payload

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Computing hash for ISAKMP

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing dpd vid payload

Feb 26 07:59:43 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84

BEFORE ENCRYPTION

RAW PACKET DUMP on SEND

ISAKMP Header

Initiator COOKIE: 51 17 01 0f 76 1a ab 96

Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0

Next Payload: Identification

Version: 1.0

Exchange Type: Identity Protection (Main Mode)

Flags: (none)

MessageID: 00000000

Length: 469762048

Payload Identification

   Next Payload: Hash

   Reserved: 00

   Payload Length: 12

   ID Type: IPv4 Address (1)

   Protocol ID (UDP/TCP, etc...): 17

   Port: 0

   ID Data: 67.218.16.124

Payload Hash

   Next Payload: Vendor ID

   Reserved: 00

   Payload Length: 24

   Data:

     61 46 bc 93 1d 8a 92 f4 dc fd 3a 45 20 8a be a2

     c1 4d dd 78

Payload Vendor ID

   Next Payload: None

   Reserved: 00

   Payload Length: 20

   Data (In Hex):

     af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00

Feb 26 07:59:43 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device

SENDING PACKET to x.x.x.x

IKE Recv RAW packet dump

RECV PACKET from x.x.x.x

ISAKMP Header

Initiator COOKIE: 51 17 01 0f 76 1a ab 96

Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0

Next Payload: Identification

Version: 1.0

Exchange Type: Identity Protection (Main Mode)

Flags: (Encryption)

MessageID: 00000000

Length: 92

AFTER DECRYPTION

ISAKMP Header

Initiator COOKIE: 51 17 01 0f 76 1a ab 96

Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0

Next Payload: Identification

Version: 1.0

Exchange Type: Identity Protection (Main Mode)

Flags: (Encryption)

MessageID: 00000000

Length: 92

Payload Identification

   Next Payload: Hash

   Reserved: 00

   Payload Length: 12

   ID Type: IPv4 Address (1)

   Protocol ID (UDP/TCP, etc...): 0

   Port: 0

   ID Data: x.x.x.x

Payload Hash

   Next Payload: Vendor ID

   Reserved: 00

   Payload Length: 24

   Data:

     3b 06 9d 5f ea 28 60 20 15 b8 e8 e3 5c 56 23 3b

     df f3 d8 08

Payload Vendor ID

   Next Payload: None

   Reserved: 00

   Payload Length: 20

   Data (In Hex):

     af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00

Feb 26 07:59:43 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing ID payload

Feb 26 07:59:43 [IKEv1 DECODE]Group = x.x.x.x, IP = x.x.x.x, ID_IPV4_ADDR ID received

x.x.x.x

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Computing hash for ISAKMP

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing VID payload

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Received DPD VID

Feb 26 07:59:43 [IKEv1]IP = x.x.x.x, Connection landed on tunnel_group x.x.x.x

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Oakley begin quick mode

Feb 26 07:59:43 [IKEv1 DECODE]Group = x.x.x.x, IP = x.x.x.x, IKE Initiator starting QM: msg id = 03abefc3

Feb 26 07:59:43 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED

Feb 26 07:59:43 [IKEv1]IP = x.x.x.x, Keep-alive type for this connection: DPD

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Starting P1 rekey timer: 64800 seconds.

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI = 0x41d78d8c

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI = 0xf0073a17

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI = 0xfcd1f908

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI = 0xa3f91d04

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI = 0x3d13c244

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI = 0x10d256fa

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI = 0xa391873e

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI = 0x37ee49ba

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI = 0x6490a58b

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI = 0x28b10b9e

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, oakley constucting quick mode

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing IPSec SA payload

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing IPSec nonce payload

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing proxy ID

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Transmitting Proxy Id:

Local host: LocalServer Protocol 0 Port 0

Remote host: 10.2.255.97 Protocol 0 Port 0

Feb 26 07:59:43 [IKEv1 DECODE]Group = x.x.x.x, IP = x.x.x.x, IKE Initiator sending Initial Contact

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload

Feb 26 07:59:43 [IKEv1 DECODE]Group = x.x.x.x, IP = x.x.x.x, IKE Initiator sending 1st QM pkt: msg id = 03abefc3

Feb 26 07:59:43 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=3abefc3) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 644

BEFORE ENCRYPTION

RAW PACKET DUMP on SEND

ISAKMP Header

Initiator COOKIE: 51 17 01 0f 76 1a ab 96

Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0

Next Payload: Hash

Version: 1.0

Exchange Type: Quick Mode

Flags: (none)

MessageID: C3EFAB03

Length: 469762048

Payload Hash

   Next Payload: Security Association

   Reserved: 00

   Payload Length: 24

   Data:

     87 8a 56 dd c8 fc ff 2c 5f c9 0d a7 af f6 04 23

     14 0c 4e 28

Payload Security Association

   Next Payload: Nonce

   Reserved: 00

   Payload Length: 516

   DOI: IPsec

   Situation:(SIT_IDENTITY_ONLY)

   Payload Proposal

     Next Payload: Proposal

     Reserved: 00

     Payload Length: 48

     Proposal #: 1

     Protocol-Id: PROTO_IPSEC_ESP

     SPI Size: 4

     # of transforms: 1

     SPI: 41 d7 8d 8c

     Payload Transform

       Next Payload: None

       Reserved: 00

       Payload Length: 36

       Transform #: 1

       Transform-Id: ESP_DES

       Reserved2: 0000

       Life Type: Seconds

       Life Duration (Hex): 70 80

       Life Type: Kilobytes

       Life Duration (Hex): 00 46 50 00

       Encapsulation Mode: Tunnel

       Authentication Algorithm: SHA1

   Payload Proposal

     Next Payload: Proposal

     Reserved: 00

     Payload Length: 48

     Proposal #: 2

     Protocol-Id: PROTO_IPSEC_ESP

     SPI Size: 4

     # of transforms: 1

     SPI: f0 07 3a 17

     Payload Transform

       Next Payload: None

       Reserved: 00

       Payload Length: 36

       Transform #: 1

       Transform-Id: ESP_DES

       Reserved2: 0000

       Life Type: Seconds

       Life Duration (Hex): 70 80

       Life Type: Kilobytes

       Life Duration (Hex): 00 46 50 00

       Encapsulation Mode: Tunnel

       Authentication Algorithm: MD5

   Payload Proposal

     Next Payload: Proposal

     Reserved: 00

     Payload Length: 48

     Proposal #: 3

     Protocol-Id: PROTO_IPSEC_ESP

     SPI Size: 4

     # of transforms: 1

     SPI: fc d1 f9 08

     Payload Transform

       Next Payload: None

       Reserved: 00

       Payload Length: 36

       Transform #: 1

       Transform-Id: ESP_3DES

       Reserved2: 0000

       Life Type: Seconds

       Life Duration (Hex): 70 80

       Life Type: Kilobytes

       Life Duration (Hex): 00 46 50 00

       Encapsulation Mode: Tunnel

       Authentication Algorithm: MD5

   Payload Proposal

     Next Payload: Proposal

     Reserved: 00

     Payload Length: 52

     Proposal #: 4

     Protocol-Id: PROTO_IPSEC_ESP

     SPI Size: 4

     # of transforms: 1

     SPI: a3 f9 1d 04

     Payload Transform

       Next Payload: None

       Reserved: 00

       Payload Length: 40

       Transform #: 1

       Transform-Id: ESP_AES

       Reserved2: 0000

       Life Type: Seconds

       Life Duration (Hex): 70 80

       Life Type: Kilobytes

       Life Duration (Hex): 00 46 50 00

       Encapsulation Mode: Tunnel

       Authentication Algorithm: MD5

       Key Length: 256

   Payload Proposal

     Next Payload: Proposal

     Reserved: 00

     Payload Length: 52

     Proposal #: 5

     Protocol-Id: PROTO_IPSEC_ESP

     SPI Size: 4

     # of transforms: 1

     SPI: 3d 13 c2 44

     Payload Transform

       Next Payload: None

       Reserved: 00

       Payload Length: 40

       Transform #: 1

       Transform-Id: ESP_AES

       Reserved2: 0000

       Life Type: Seconds

       Life Duration (Hex): 70 80

       Life Type: Kilobytes

       Life Duration (Hex): 00 46 50 00

       Encapsulation Mode: Tunnel

       Authentication Algorithm: MD5

       Key Length: 192

   Payload Proposal

     Next Payload: Proposal

     Reserved: 00

     Payload Length: 52

     Proposal #: 6

     Protocol-Id: PROTO_IPSEC_ESP

     SPI Size: 4

     # of transforms: 1

     SPI: 10 d2 56 fa

     Payload Transform

       Next Payload: None

       Reserved: 00

       Payload Length: 40

       Transform #: 1

       Transform-Id: ESP_AES

       Reserved2: 0000

       Life Type: Seconds

       Life Duration (Hex): 70 80

       Life Type: Kilobytes

       Life Duration (Hex): 00 46 50 00

       Encapsulation Mode: Tunnel

       Authentication Algorithm: SHA1

       Key Length: 192

   Payload Proposal

     Next Payload: Proposal

     Reserved: 00

     Payload Length: 52

     Proposal #: 7

     Protocol-Id: PROTO_IPSEC_ESP

     SPI Size: 4

     # of transforms: 1

     SPI: a3 91 87 3e

     Payload Transform

       Next Payload: None

       Reserved: 00

       Payload Length: 40

       Transform #: 1

       Transform-Id: ESP_AES

       Reserved2: 0000

       Life Type: Seconds

       Life Duration (Hex): 70 80

       Life Type: Kilobytes

       Life Duration (Hex): 00 46 50 00

       Encapsulation Mode: Tunnel

       Authentication Algorithm: MD5

       Key Length: 128

   Payload Proposal

     Next Payload: Proposal

     Reserved: 00

     Payload Length: 52

     Proposal #: 8

     Protocol-Id: PROTO_IPSEC_ESP

     SPI Size: 4

     # of transforms: 1

     SPI: 37 ee 49 ba

     Payload Transform

       Next Payload: None

       Reserved: 00

       Payload Length: 40

       Transform #: 1

       Transform-Id: ESP_AES

       Reserved2: 0000

       Life Type: Seconds

       Life Duration (Hex): 70 80

       Life Type: Kilobytes

       Life Duration (Hex): 00 46 50 00

       Encapsulation Mode: Tunnel

       Authentication Algorithm: SHA1

       Key Length: 128

   Payload Proposal

     Next Payload: Proposal

     Reserved: 00

     Payload Length: 48

     Proposal #: 9

     Protocol-Id: PROTO_IPSEC_ESP

     SPI Size: 4

     # of transforms: 1

     SPI: 64 90 a5 8b

     Payload Transform

       Next Payload: None

       Reserved: 00

       Payload Length: 36

       Transform #: 1

       Transform-Id: ESP_3DES

       Reserved2: 0000

       Life Type: Seconds

       Life Duration (Hex): 70 80

       Life Type: Kilobytes

       Life Duration (Hex): 00 46 50 00

       Encapsulation Mode: Tunnel

       Authentication Algorithm: SHA1

   Payload Proposal

     Next Payload: None

     Reserved: 00

     Payload Length: 52

     Proposal #: 10

     Protocol-Id: PROTO_IPSEC_ESP

     SPI Size: 4

     # of transforms: 1

     SPI: 28 b1 0b 9e

     Payload Transform

       Next Payload: None

       Reserved: 00

       Payload Length: 40

       Transform #: 1

       Transform-Id: ESP_AES

       Reserved2: 0000

       Life Type: Seconds

       Life Duration (Hex): 70 80

       Life Type: Kilobytes

       Life Duration (Hex): 00 46 50 00

       Encapsulation Mode: Tunnel

       Authentication Algorithm: SHA1

       Key Length: 256

Payload Nonce

   Next Payload: Identification

   Reserved: 00

   Payload Length: 24

   Data:

     f1 54 fc 26 6d 43 7b f4 f9 00 92 c3 b8 b8 4c 76

     74 66 af 08

Payload Identification

   Next Payload: Identification

   Reserved: 00

   Payload Length: 12

   ID Type: IPv4 Address (1)

   Protocol ID (UDP/TCP, etc...): 0

   Port: 0

   ID Data: LocalServer

Payload Identification

   Next Payload: Notification

   Reserved: 00

   Payload Length: 12

   ID Type: IPv4 Address (1)

   Protocol ID (UDP/TCP, etc...): 0

   Port: 0

   ID Data: 10.2.255.97

Payload Notification

   Next Payload: None

   Reserved: 00

   Payload Length: 28

   DOI: IPsec

   Protocol-ID: PROTO_ISAKMP

   Spi Size: 16

   Notify Type: STATUS_INITIAL_CONTACT

   SPI:

     51 17 01 0f 76 1a ab 96 b9 cf 2d 3e e2 2a 9e e0

IKE Recv RAW packet dump

51 17 01 0f 76 1a ab 96 b9 cf 2d 3e e2 2a 9e e0   | Q...v.....->.*..

08 10 05 01 9a 89 2c 3f 00 00 00 4c c7 9d 70 5d   | ......,?...L..p]

63 4b cf f8 13 be c0 3a 3a f3 d7 d0 a0 7e 65 4c   | cK.....::....~eL

37 c2 e3 21 58 6c 11 01 c0 67 75 35 81 85 d6 c4   | 7..!Xl...gu5....

ed b2 9a 2b bf 94 b0 2c 78 4c 81 03               | ...+...,xL..

RECV PACKET from x.x.x.x

ISAKMP Header

Initiator COOKIE: 51 17 01 0f 76 1a ab 96

Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0

Next Payload: Hash

Version: 1.0

Exchange Type: Informational

Flags: (Encryption)

MessageID: 9A892C3F

Length: 76

AFTER DECRYPTION

ISAKMP Header

Initiator COOKIE: 51 17 01 0f 76 1a ab 96

Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0

Next Payload: Hash

Version: 1.0

Exchange Type: Informational

Flags: (Encryption)

MessageID: 9A892C3F

Length: 76

Payload Hash

   Next Payload: Notification

   Reserved: 00

   Payload Length: 24

   Data:

     4e 28 ec ea eb 41 9e c7 72 4a 0a bf 6d 4b 1a 49

     69 c3 c6 00

Payload Notification

   Next Payload: None

   Reserved: 00

   Payload Length: 16

   DOI: IPsec

   Protocol-ID: PROTO_IPSEC_ESP

   Spi Size: 4

   Notify Type: NO_PROPOSAL_CHOSEN

   SPI: 41 d7 8d 8c

Feb 26 07:59:43 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=9a892c3f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload

Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing notify payload

Feb 26 07:59:43 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)

IKE Recv RAW packet dump

51 17 01 0f 76 1a ab 96 b9 cf 2d 3e e2 2a 9e e0   | Q...v.....->.*..

08 10 05 01 90 43 74 39 00 00 00 4c cd e9 e9 b2  | .....Ct9...L....

13 1a 91 67 aa 19 c5 43 8a 4b a0 9d e1 d5 6c 72   | ...g...C.K....lr

43 0b 57 42 27 d9 1a 02 eb 29 fa 89 ae 79 5d 66   | C.WB'....)...y]f

ba f8 75 7c c5 c9 eb 6c 4f 84 fb 4d               | ..u|...lO..M

RECV PACKET from x.x.x.x

ISAKMP Header

Initiator COOKIE: 51 17 01 0f 76 1a ab 96

Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0

Next Payload: Hash

Version: 1.0

Exchange Type: Informational

Flags: (Encryption)

MessageID: 90437439

Length: 76

AFTER DECRYPTION

ISAKMP Header

Initiator COOKIE: 51 17 01 0f 76 1a ab 96

Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0

Next Payload: Hash

Version: 1.0

Exchange Type: Informational

Flags: (Encryption)

MessageID: 90437439

Length: 76

Payload Hash

   Next Payload: Notification

   Reserved: 00

   Payload Length: 24

   Data:

     ae 92 53 da f6 71 3e cd 23 c3 a3 ad bc a3 2f a8

     0d 63 3e f1

Payload Notification

   Next Payload: None

   Reserved: 00

   Payload Length: 16

   DOI: IPsec

   Protocol-ID: PROTO_IPSEC_ESP

   Spi Size: 4

   Notify Type: NO_PROPOSAL_CHOSEN

   SPI: 41 d7 8d 8c

Feb 26 07:59:51 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=90437439) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68

Feb 26 07:59:51 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload

Feb 26 07:59:51 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing notify payload

Feb 26 07:59:51 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)

IKE Recv RAW packet dump

51 17 01 0f 76 1a ab 96 b9 cf 2d 3e e2 2a 9e e0   | Q...v.....->.*..

08 10 05 01 80 52 56 c3 00 00 00 4c 67 2e 0f 4b   | .....RV....Lg..K

1b d7 0f 34 ba 4b e7 d2 b0 95 6c f9 db b4 a4 49   | ...4.K....l....I

c0 f1 fa 3e 3a 4d cd 39 49 88 4a 7a 4f c7 25 cf   | ...>:M.9I.JzO.%.

f8 66 4c 27 b8 79 1b 92 11 cd 92 77               | .fL'.y.....w

RECV PACKET from x.x.x.x

ISAKMP Header

Initiator COOKIE: 51 17 01 0f 76 1a ab 96

Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0

Next Payload: Hash

Version: 1.0

Exchange Type: Informational

Flags: (Encryption)

MessageID: 805256C3

Length: 76

AFTER DECRYPTION

ISAKMP Header

Initiator COOKIE: 51 17 01 0f 76 1a ab 96

Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0

Next Payload: Hash

Version: 1.0

Exchange Type: Informational

Flags: (Encryption)

MessageID: 805256C3

Length: 76

Payload Hash

   Next Payload: Notification

   Reserved: 00

   Payload Length: 24

   Data:

     82 6b d7 07 c6 88 f5 fe 0a 0a 84 7f 11 fc b7 64

     74 8b f3 5b

Payload Notification

   Next Payload: None

   Reserved: 00

   Payload Length: 16

   DOI: IPsec

   Protocol-ID: PROTO_IPSEC_ESP

   Spi Size: 4

   Notify Type: NO_PROPOSAL_CHOSEN

   SPI: 41 d7 8d 8c

Feb 26 07:59:59 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=805256c3) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68

Feb 26 07:59:59 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload

Feb 26 07:59:59 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing notify payload

Feb 26 07:59:59 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)

IKE Recv RAW packet dump

51 17 01 0f 76 1a ab 96 b9 cf 2d 3e e2 2a 9e e0   | Q...v.....->.*..

08 10 05 01 f8 3f 8e 9e 00 00 00 4c 21 6d 93 31   | .....?.....L!m.1

97 12 3f fd e0 1c b0 77 fa ac ff 3b 85 0a e6 3d   | ..?....w...;...=

d9 d5 04 cd 5d d2 fa eb 60 8c 09 4a fe 60 6a 56   | ....]...`..J.`jV

f0 88 ec 51 7b 52 ec 54 b1 21 a3 70               | ...Q{R.T.!.p

RECV PACKET from x.x.x.x

ISAKMP Header

Initiator COOKIE: 51 17 01 0f 76 1a ab 96

Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0

Next Payload: Hash

Version: 1.0

Exchange Type: Informational

Flags: (Encryption)

MessageID: F83F8E9E

Length: 76

AFTER DECRYPTION

ISAKMP Header

Initiator COOKIE: 51 17 01 0f 76 1a ab 96

Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0

Next Payload: Hash

Version: 1.0

Exchange Type: Informational

Flags: (Encryption)

MessageID: F83F8E9E

Length: 76

Payload Hash

   Next Payload: Notification

   Reserved: 00

   Payload Length: 24

   Data:

     bf e1 0c 1b 42 a0 3e d4 53 f6 80 bb e0 5f ee 4f

     fb 3d fc 25

Payload Notification

   Next Payload: None

   Reserved: 00

   Payload Length: 16

   DOI: IPsec

   Protocol-ID: PROTO_IPSEC_ESP

   Spi Size: 4

   Notify Type: NO_PROPOSAL_CHOSEN

   SPI: 41 d7 8d 8c

Feb 26 08:00:07 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=f83f8e9e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68

Feb 26 08:00:07 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload

Feb 26 08:00:07 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing notify payload

Feb 26 08:00:07 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)

Feb 26 08:00:15 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x748afa20, mess id 0x3abefc3)!

Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE QM Initiator FSM error history (struct &0x748afa20) , : QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent

Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, sending delete/delete with reason message

Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload

Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing IPSec delete payload

Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload

Feb 26 08:00:15 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=cd9374cb) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68

BEFORE ENCRYPTION

RAW PACKET DUMP on SEND

51 17 01 0f 76 1a ab 96 b9 cf 2d 3e e2 2a 9e e0   | Q...v.....->.*..

08 10 05 00 cb 74 93 cd 1c 00 00 00 0c 00 00 18   | .....t..........

9b bd 7b fc a1 5d 55 d0 3c ed fe 69 7a d0 fc b1   | ..{..]U.<..iz...

31 97 da fd 00 00 00 10 00 00 00 01 03 04 00 01   | 1...............

41 d7 8d 8c                                       | A...

ISAKMP Header

Initiator COOKIE: 51 17 01 0f 76 1a ab 96

Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0

Next Payload: Hash

Version: 1.0

Exchange Type: Informational

Flags: (none)

MessageID: CB7493CD

Length: 469762048

Payload Hash

   Next Payload: Delete

   Reserved: 00

   Payload Length: 24

   Data:

     9b bd 7b fc a1 5d 55 d0 3c ed fe 69 7a d0 fc b1

     31 97 da fd

Payload Delete

   Next Payload: None

   Reserved: 00

   Payload Length: 16

   DOI: IPsec

   Protocol-ID: PROTO_IPSEC_ESP

   Spi Size: 4

   # of SPIs: 1

   SPI (Hex dump): 41 d7 8d 8c

Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy LocalServer

Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy LocalServer

Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy LocalServer

Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy LocalServer

Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy LocalServer

Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy LocalServer

Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy LocalServer

Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy LocalServer

Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy LocalServer

Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy LocalServer

Feb 26 08:00:15 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!

Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE SA MM:0f011751 rcv'd Terminate: state MM_ACTIVE flags 0x00008062, refcnt 1, tuncnt 0

Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE SA MM:0f011751 terminating: flags 0x01008022, refcnt 0, tuncnt 0

Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, sending delete/delete with reason message

Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload

Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing IKE delete payload

Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload

Feb 26 08:00:15 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=d0f33f10) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

BEFORE ENCRYPTION

RAW PACKET DUMP on SEND

51 17 01 0f 76 1a ab 96 b9 cf 2d 3e e2 2a 9e e0   | Q...v.....->.*..

08 10 05 00 10 3f f3 d0 1c 00 00 00 0c 00 00 18   | .....?..........

4d 28 eb 8f e7 66 89 55 bb 66 92 ef 86 e6 9e 43   | M(...f.U.f.....C

15 a3 d4 df 00 00 00 1c 00 00 00 01 01 10 00 01   | ................

51 17 01 0f 76 1a ab 96 b9 cf 2d 3e e2 2a 9e e0   | Q...v.....->.*..

ISAKMP Header

Initiator COOKIE: 51 17 01 0f 76 1a ab 96

Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0

Next Payload: Hash

Version: 1.0

Exchange Type: Informational

Flags: (none)

MessageID: 103FF3D0

Length: 469762048

Payload Hash

   Next Payload: Delete

   Reserved: 00

   Payload Length: 24

   Data:

     4d 28 eb 8f e7 66 89 55 bb 66 92 ef 86 e6 9e 43

     15 a3 d4 df

Payload Delete

   Next Payload: None

   Reserved: 00

   Payload Length: 28

   DOI: IPsec

   Protocol-ID: PROTO_ISAKMP

   Spi Size: 16

   # of SPIs: 1

   SPI (Hex dump):

     51 17 01 0f 76 1a ab 96 b9 cf 2d 3e e2 2a 9e e0

Feb 26 08:00:15 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Session is being torn down. Reason: Lost Service

New Member

Re:NAT to a remote network

Code version is 8.4(5)

Re:NAT to a remote network

Steve,

Notify Type: NO_PROPOSAL_CHOSEN

Are you completely sure that your ASA is proposing a valid transform-set?

Could you ask for the Phase II settings of the remote endpoint?

Thanks,

New Member

Re:NAT to a remote network

Sorry, he's using a watchguard firewall, not a sonicwall.

No PFS

ESP-AES-SHA1

ESP-AES-MD5

ESP-3DES-SHA1

ESP-3DES-MD5

ESP-DES-SHA1

ESP-DES-MD5    

Re:NAT to a remote network

Okay, I probably read Sonic Wall from a different case.

The screenshot does not display.

New Member

Re:NAT to a remote network

Edited. No, I mistakenly said sonicwall in my OP.

Re:NAT to a remote network

I see... So this one should hit: ESP-AES-128-SHA

Please do the following:

On the ASA:

no crypto map outside_map 10 set ikev1 transform-set ESP-DES-SHA ESP-DES-MD5 ESP-3DES-MD5 ESP-AES-256-MD5 ESP-AES-192-MD5 ESP-AES-192-SHA ESP-AES-128-MD5 ESP-3DES-SHA ESP-AES-256-SHA

On the Watchguard keep only the ESP-AES-SHA1 one.

On the other hand, could you please share the Phase II settings of the Watchguard (not only the transform-sets)?

Thanks,
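An added example, not part of the original thread and not Cisco tooling: a Python script that reads the `Payload Proposal` decode printed by the ASA debug and compares each offer, by name, with the peer's Phase 2 list posted above. The sample decode is a constructed excerpt in the log's layout and the function names are assumptions made for illustration; the peer list gives no AES key length, so a name overlap still leaves key length, lifetimes and mode to be compared against the peer's Phase 2 settings.

```python
import re

# Constructed excerpt in the layout of the ASA "Payload Proposal" decode from
# the thread (three of the ten proposals, blank lines dropped); not verbatim log.
SAMPLE_DECODE = """\
   Payload Proposal
     Proposal #: 1
     Payload Transform
       Transform-Id: ESP_DES
       Life Type: Seconds
       Life Duration (Hex): 70 80
       Life Type: Kilobytes
       Life Duration (Hex): 00 46 50 00
       Encapsulation Mode: Tunnel
       Authentication Algorithm: SHA1
   Payload Proposal
     Proposal #: 4
     Payload Transform
       Transform-Id: ESP_AES
       Life Type: Seconds
       Life Duration (Hex): 70 80
       Life Type: Kilobytes
       Life Duration (Hex): 00 46 50 00
       Encapsulation Mode: Tunnel
       Authentication Algorithm: MD5
       Key Length: 256
   Payload Proposal
     Proposal #: 8
     Payload Transform
       Transform-Id: ESP_AES
       Life Type: Seconds
       Life Duration (Hex): 70 80
       Life Type: Kilobytes
       Life Duration (Hex): 00 46 50 00
       Encapsulation Mode: Tunnel
       Authentication Algorithm: SHA1
       Key Length: 128
"""

# Peer Phase 2 list as posted in the thread (no AES key length is given there).
PEER_PHASE2 = ["ESP-AES-SHA1", "ESP-AES-MD5", "ESP-3DES-SHA1",
               "ESP-3DES-MD5", "ESP-DES-SHA1", "ESP-DES-MD5"]
FIELD = re.compile(r"\s*([^:]+?)\s*:\s*(.*?)\s*$")  # "   Key: value" lines

def parse_proposals(decode):
    """Return one dict per 'Proposal #' block with cipher, auth, lifetimes."""
    proposals, cur, life_type = [], None, None
    for line in decode.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.groups()
        if key == "Proposal #":
            cur = dict(number=int(val), cipher=None, auth=None,
                       key_len=None, mode=None, life={})
            proposals.append(cur)
        elif cur is None:
            continue  # header fields before the first proposal
        elif key == "Transform-Id":
            cur["cipher"] = val.replace("ESP_", "", 1)
        elif key == "Authentication Algorithm":
            cur["auth"] = val
        elif key == "Key Length":
            cur["key_len"] = int(val)
        elif key == "Encapsulation Mode":
            cur["mode"] = val
        elif key == "Life Type":
            life_type = val.lower()  # applies to the next Life Duration line
        elif key == "Life Duration (Hex)":
            cur["life"][life_type] = int(val.replace(" ", ""), 16)
    return proposals

def label(p):
    size = f"-{p['key_len']}" if p["key_len"] else ""
    return f"ESP-{p['cipher']}{size}-{p['auth']}"

def name_overlap(proposals, peer_names):
    """Offers whose cipher/auth pair appears in the peer list (key length ignored)."""
    peer = set(peer_names)
    return [label(p) for p in proposals if f"ESP-{p['cipher']}-{p['auth']}" in peer]

def weak_offers(proposals):
    """Offers using DES or MD5, both obsolete; candidates to drop from the map."""
    return [label(p) for p in proposals if p["cipher"] == "DES" or p["auth"] == "MD5"]

if __name__ == "__main__":
    for p in parse_proposals(SAMPLE_DECODE):
        print(p["number"], label(p), p["life"], p["mode"])
```

The lifetimes decode to 28800 seconds and 4608000 kilobytes, which are the values to set against the peer's Phase 2 lifetime fields.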

New Member

Re:NAT to a remote network

Here's a couple other screen shots.

Re:NAT to a remote network

As per the log:

RemotePeerIPx.x.x.x local Proxy Address 10.172.100.20, remote Proxy Address 10.2.255.97, Crypto map (outside_map)

So:

Local host: 10.172.100.20

Remote host: 10.2.255.97

Why are you including totally different private IPs on the Watchguard?

New Member

Re:NAT to a remote network

The screen shots have the actual IPs. In my OP and in the logs, the IPs were changed. I didn't have access to the firewall at the time of the post, so I chose some random addresses. Also changed them in the log so they made some sense.

The IPs in the watch guard are correct. Sorry for the confusion.
