Cisco Support Community
Community Member

VPN site-to-site between ASA and Router issues (Cert Auth with another Router action as PKI Server)

Hi Guys,

Has anybody done a site-to-site VPN between an ASA and a router with certificate authentication, using another router acting as the PKI server?

In my case:

                        R4 (NTP/PKI server)
                              |
                              |
                            (dmz)
                              |
   |-----R1------- (inside) ASA (outside) --------R3-------R2----|

Tested:

  1. NTP is synchronized on all routers and the ASA
  2. The authenticate/enroll process has been done and got the certificate
  3. VPN site-to-site between R2 and R3 worked fine with certificate authentication
  4. ISAKMP policy and IPSEC transform-set are the same on all routers and the ASA
  5. The routing traffic between routers and the ASA is OK.

I had some issues with the VPN traffic between the ASA and R3 and I didn't know why:

  1. The certificate was successfully validated between the ASA and R3, but Phase 1 is not completed ... and I saw a traceback on the ASA:

%ASA-7-711002: Task ran for 18 msec, Process = IKE Daemon, PC = 810ae25, Traceback =

%ASA-7-711002: Task ran for 18 msec, Process = IKE Daemon, PC = 810ae25, Traceback =   0x0810AE25  0x0814C6E6  0x084F269C  0x08491A32  0x084929FE  0x0925A6DF  0x0849206B  0x084A1879  0x084A2408  0x08062413

Has anybody done this case before? Please let me know.

Regards,

Tran

19 REPLIES
Cisco Employee

Re: VPN site-to-site between ASA and Router issues (Cert Auth wi

Tran,

Yes we've done it more than once.

Please share the config for the devices in question + "show crypto ca cert" and "sh clock".

Useful debugs:

--------

debu cry isa

deb crypto ipsec

deb cry ca m (pki in case of router)

deb cry ca t

-----------

Marcin

Community Member

Re: VPN site-to-site between ASA and Router issues (Cert Auth wi

Hello Marcin,

Config files in my case below:

ASA Config:
--------------------------------------------------------------------------------

:
ASA Version 8.2(1)
!
hostname ASA
domain-name ine.com
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 136.1.122.100 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 136.1.121.100 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 136.1.120.100 255.255.255.0
!
clock timezone GMT 7
!
domain-name ine.com
access-list VLAN121_TO_VLAN124 extended permit ip 11.11.11.0 255.255.255.0 33.33.33.0 255.255.255.0
access-list outside_in extended permit icmp any any
access-list outside_in extended permit udp any host 136.1.120.200 eq ntp
access-list outside_in extended permit tcp any host 136.1.120.200 eq www
access-list NONAT extended permit ip 11.11.11.0 255.255.255.0 33.33.33.0 255.255.255.0
access-list dmz_in extended permit icmp any any
access-list dmz_in extended deny ip any any log
!
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
access-group dmz_in in interface dmz
!
router eigrp 1234
no auto-summary
network 136.1.120.0 255.255.255.0
network 136.1.121.0 255.255.255.0
network 136.1.122.0 255.255.255.0
!            
crypto ipsec transform-set ASA_R3 esp-3des esp-md5-hmac
!
crypto map VPN 10 match address VLAN121_TO_VLAN124
crypto map VPN 10 set peer 136.1.122.200
crypto map VPN 10 set transform-set ASA_R3
crypto map VPN 10 set trustpoint DMZ.ine.com
crypto map VPN interface outside
crypto ca trustpoint DMZ.ine.com
revocation-check crl
enrollment url http://136.1.120.200:80
fqdn ASA.ine.com
subject-name CN=ASA.ine.com, O=INE, OU=CCIEsec, L=CaLi, ST=USA
serial-number
crl configure
!
crypto isakmp enable outside
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash md5
group 2     
!
ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
ntp server 136.1.120.200
tunnel-group 136.1.122.200 type ipsec-l2l
tunnel-group 136.1.122.200 ipsec-attributes
trust-point DMZ.ine.com
!
fixup protocol icmp

!

end

R3 Config:
--------------------------------------------------------------------------------

hostname R3
!
clock timezone GMT 7
!
ip domain name ine.com
no ipv6 cef
ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
ntp server 136.1.120.200
!
crypto pki trustpoint DMZ.ine.com
enrollment url http://136.1.120.200:80
usage ike
serial-number
fqdn R3.ine.com
subject-name CN=R3.ine.com, O=INE, OU=CCIEsec, L=CaLi, ST=USA
revocation-check crl
rsakeypair R3.ine.com
storage flash:
!
crypto isakmp policy 10
encr 3des
hash md5
group 2
!
!
crypto ipsec transform-set ASA_R3 esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 136.1.122.100
set transform-set ASA_R3
match address VLAN124_TO_VLAN121
!
crypto map VPN124 10 ipsec-isakmp
set peer 136.1.124.201
set transform-set ASA_R3
match address VLAN33_TO_VLAN22
!
interface Loopback31
ip address 31.31.31.31 255.255.255.0
!
interface Loopback33
ip address 33.33.33.33 255.255.255.0
!
interface FastEthernet0/0
ip address 136.1.122.200 255.255.255.0
crypto map VPN
!
interface FastEthernet0/1
ip address 136.1.124.200 255.255.255.0
  crypto map VPN124
!
router eigrp 1234
network 31.31.31.31 0.0.0.0
network 33.33.33.33 0.0.0.0
network 136.1.122.0 0.0.0.255
network 136.1.124.0 0.0.0.255
no auto-summary
!
ip access-list extended VLAN124_TO_VLAN121
permit ip 33.33.33.0 0.0.0.255 11.11.11.0 0.0.0.255
ip access-list extended VLAN33_TO_VLAN22
permit ip 33.33.33.0 0.0.0.255 22.22.22.0 0.0.0.255
!
end

--------------------------------------------------------------------------------

R3#sh crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 03
  Certificate Usage: General Purpose
  Issuer:
    cn=DMZ Cert Authority
    o=INE
    ou=CCIEsec
    l=CaLi
    st=USA
  Subject:
    Name: R3.ine.com
    Serial Number: FHK133870KA
    serialNumber=FHK133870KA+hostname=R3.ine.com
    cn=R3.ine.com
    o=INE
    ou=CCIEsec
    l=CaLi
    st=USA
  Validity Date:
    start date: 18:15:53 GMT Sep 29 2010
    end   date: 18:15:53 GMT Sep 29 2011
  Associated Trustpoints: DMZ.ine.com
  Storage: nvram:DMZCertAutho#4.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=DMZ Cert Authority
    o=INE
    ou=CCIEsec
    l=CaLi
    st=USA
  Subject:
    cn=DMZ Cert Authority
    o=INE
    ou=CCIEsec
    l=CaLi
    st=USA
  Validity Date:
    start date: 18:02:34 GMT Sep 29 2010
    end   date: 18:02:34 GMT Sep 28 2013
  Associated Trustpoints: DMZ.ine.com
  Storage: nvram:DMZCertAutho#2CA.cer

--------------------------------------------------------------------------------

R3#sh clock

09:48:32.519 GMT Mon Oct 4 2010

R3#

ASA# sh clock

09:48:40.008 GMT Mon Oct 4 2010

--------------------------------------------------------------------------------

ASA# sh crypto ca cert
Certificate
  Status: Available
  Certificate Serial Number: 02
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Issuer Name:
    cn=DMZ Cert Authority
    o=INE
    ou=CCIEsec
    l=CaLi
    st=USA
  Subject Name:
    serialNumber=JMX1335L1MN
    hostname=ASA.ine.com
    cn=ASA.ine.com
    o=INE
    ou=CCIEsec
    l=CaLi
    st=USA
  Validity Date:
    start date: 18:15:06 GMT Sep 29 2010
    end   date: 18:15:06 GMT Sep 29 2011
  Associated Trustpoints: DMZ.ine.com

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Issuer Name:
    cn=DMZ Cert Authority
    o=INE
    ou=CCIEsec
    l=CaLi
    st=USA
  Subject Name:
    cn=DMZ Cert Authority
    o=INE
    ou=CCIEsec
    l=CaLi
    st=USA
  Validity Date:
    start date: 18:02:34 GMT Sep 29 2010
    end   date: 18:02:34 GMT Sep 28 2013
  Associated Trustpoints: DMZ.ine.com

ASA#

--------------------------------------------------------------------------------

Thank you

Tran

Cisco Employee

Re: VPN site-to-site between ASA and Router issues (Cert Auth wi

Tran,

It fails somewhere between MM5 and MM6. (on ASA)

I'd collect PKI debugs (messages and transactions).

BTW, when using certificates, a typical tunnel-group should be named after the OU of the certificate; in your case we're falling back to using the IP address.

%ASA-7-713906: IP = 136.1.122.200, Trying to find group via OU...
%ASA-3-713020: IP = 136.1.122.200, No Group found by matching OU(s) from ID payload:   ou=CCIEsec,
%ASA-7-713906: IP = 136.1.122.200, Trying to find group via IKE ID...
%ASA-7-713906: IP = 136.1.122.200, Trying to find group via IP ADDR...
%ASA-7-713906: IP = 136.1.122.200, Connection landed on tunnel_group 136.1.122.200

Marcin

Community Member

Re: VPN site-to-site between ASA and Router issues (Cert Auth wi

Marcin,

You could see the cert validation process in the debug:

%ASA-7-717025: Validating certificate chain containing 1 certificate(s).
%ASA-7-717029: Identified client certificate within certificate chain. serial number: 03, subject name: serialNumber=FHK133870KA+hostname=R3.ine.com,cn=R3.ine.com,o=INE,ou=CCIEsec,l=CaLi,st=USA.
%ASA-7-717030: Found a suitable trustpoint DMZ.ine.com to validate certificate.
%ASA-6-717022: Certificate was successfully validated. serial number: 03, subject name:  serialNumber=FHK133870KA+hostname=R3.ine.com,cn=R3.ine.com,o=INE,ou=CCIEsec,l=CaLi,st=USA.
%ASA-6-717028: Certificate chain was successfully validated with revocation status check.

and you could see a traceback for the IKE service on the ASA:

%ASA-7-711002: Task ran for 18 msec, Process = IKE Daemon, PC = 810ae25, Traceback =
%ASA-7-711002: Task ran for 18 msec, Process = IKE Daemon, PC = 810ae25, Traceback =   0x0810AE25  0x0814C6E6  0x084F269C  0x08491A32  0x084929FE  0x0925A6DF  0x0849206B  0x084A1879  0x084A2408  0x08062413

Regards,

Tran

Cisco Employee

Re: VPN site-to-site between ASA and Router issues (Cert Auth wi

Tran,

I see R3's cert was validated.

Since you're doing INE labs, what is done after initiator's certificate has been validated?

A traceback will be a consequence of the failure, not the other way around, at least that is what it looks like. It does not work exactly like an IOS traceback.

Marcin

Community Member

Re: VPN site-to-site between ASA and Router issues (Cert Auth wi

Marcin,

The INE/IPExpert labs just did it with a Microsoft CA, not with an IOS PKI server between ASA and router, and I'm trying to use an IOS PKI server in this case.

Marcin, in this case it worked fine with pre-shared key and with the Microsoft CA.

And I didn't know why it didn't work with the IOS PKI server between the ASA and the router, but it worked fine between router and router (R2 & R3 in this case).

Regards,

Tran

Cisco Employee

Re: VPN site-to-site between ASA and Router issues (Cert Auth wi

Tran,

Well, if you would kindly run the debugs I asked for, at least we would move closer, maybe just by eliminating one possibility :-)

Marcin

Community Member

Re: VPN site-to-site between ASA and Router issues (Cert Auth wi

Marcin,

I attached the debug on ASA/R3 before. Could you see it? If you have time, please double-check it in the lab; that's the reason why I must ask ... has anybody done cert authentication using another router acting as PKI server?

... maybe ... forget cert authentication / router's PKI server between ASA and router.

Thanks,

Tran

Cisco Employee

Re: VPN site-to-site between ASA and Router issues (Cert Auth wi

Tran,

Did you check with landing on tunnel-group matching OU?

Can you run those for me, even if it means retrying.

bsns-asa5520-10# deb cry ca messages 100
bsns-asa5520-10# deb cry ca transactions 100
bsns-asa5520-10# deb cry isa 100
bsns-asa5520-10# deb cry ipsec 100

Marcin

Community Member

Re: VPN site-to-site between ASA and Router issues (Cert Auth wi

Marcin,

By default, the ASA firewall will search the local tunnel-group configuration with three criteria: first OU, second IKE-ID and finally IP address (cert rule if enabled), so the OU is not the key point for the Phase 1 failure (in my view).

BTW, I have just found out the reason why the ASA did not complete Phase 1.

Regards,

Tran

Cisco Employee

Re: VPN site-to-site between ASA and Router issues (Cert Auth wi

By all means share it with us

Community Member

Re: VPN site-to-site between ASA and Router issues (Cert Auth wi

Marcin,

tunnel-group 136.1.122.200 ipsec-attributes
peer-id-validate cert -----------------------------------> lacked this command
trust-point DMZ.ine.com

But I still don't understand why the cert was successfully validated (you could see it in the debug before) if I lacked peer-id-validate cert in the tunnel-group command; it should report a FAILED cert authentication...

The INE/IPexpert workbook didn't mention this command, which was the key point in the failed cert authentication/Phase 1 .... maybe ... that's the challenge.

Regards,

Tran Thanh

Cisco Employee

Re: VPN site-to-site between ASA and Router issues (Cert Auth wi

Tran,

Missed that one indeed.

As far as my understanding goes, the validation you were seeing is the certificate being valid (not expired, not in CRL) and not the identity of the other peer ;-)

Can you please check for me if you see the peer validation from the certificate IF:

1) You land on tunnel-group == OU

2) Initiate tunnel

Marcin

Community Member

Re: VPN site-to-site between ASA and Router issues (Cert Auth wi

Marcin,

Once again, your question is:

what is done after initiator's certificate has been validated?


and


the validation you were seeing is certificate being valid (not expired, not in CRL) and not identity of other peer ;-)

Marcin, I saw in the debug and I have some explanation here:

Step 1: The ASA and R3 will exchange info to identify each other

  - ASA's pub key + digital signature (ASA's pub key has been signed by the PKI server before)

  - R3's pub key + digital signature (R3's pub key has been signed by the PKI server before)

And in the debug I saw HASH processing here:

%ASA-7-715047: IP = 136.1.122.200, processing cert payload
%ASA-7-715001: IP = 136.1.122.200, processing RSA signature
%ASA-7-715076: IP = 136.1.122.200, Computing hash for ISAKMP
%ASA-7-713906: Dump of received Signature, len 256:
0000: 50312776 B5CBBF80 75510E0E 61D00549     P1'v....uQ..a..I
0010: 8D595605 C7FFC43C 32087541 D5B8BA96     .YV....<2.uA....
0020: 9273DAE3 25171153 4301289B 68556214     .s..%..SC.(.hUb.
0030: DF2F1A8B 489DC9A6 CE2C001A BD087762     ./..H....,....wb
0040: E9096735 743BDFFC E80BF946 0E9E3443     ..g5t;.....F..4C
0050: 8190D996 4C97D751 1D190F36 B07076F5     ....L..Q...6.pv.
0060: 36FEB9D0 248038F2 C4F3B32F CC3F6213     6...$.8..../.?b.

%ASA-7-717029: Identified client certificate within certificate chain. serial number: 03, subject name: serialNumber=FHK133870KA+hostname=R3.ine.com,cn=R3.ine.com,o=INE,ou=CCIEsec,l=CaLi,st=USA.
%ASA-7-717030: Found a suitable trustpoint DMZ.ine.com to validate certificate.
%ASA-6-717022: Certificate was successfully validated. serial numbe: Group = 136.1.122.200, IP = 136.1.122.200, Error: Unable to remove PeerTblEntry
r: 03, subject name:  serialNumber=FHK133870KA+hostname=R3.ine.com,cn=R3.ine.com,o=INE,ou=CCIEsec,l=CaLi,st=USA.
%ASA-6-717028: Certificate chain was successfully validated with revocation status check.

Step 2: As I understand it, DH will take over and create the shared session key in Phase 1 after the certificate was successfully validated.


Marcin, what do you think? I am looking forward to your reply :).

Regards,

Tran

Cisco Employee

Re: VPN site-to-site between ASA and Router issues (Cert Auth wi

Tran,

Normally we assume DH exchange is done in MM3 and MM4, not sure if that changes when we do cert auth (due to exchange of cert_req).


MM5 - Initiator sends its identity.

MM6 - Responder sends its identity.

The debug you attached below, what scenario is it for? (looks like still tunnel-group match based on IP ;-))

Marcin

Community Member

Re: VPN site-to-site between ASA and Router issues (Cert Auth wi

Marcin,

Absolutely, tunnel-group based on IP address, and the debug is from the previous issue (Phase 1 is not completed). I'm just confused about the debug reporting "Certificate was successfully validated" .... I didn't see DH take over and create the shared session key ... I think something is wrong ... and the result is Phase 1 not completed.

Regards,

Tran

Cisco Employee

Re: VPN site-to-site between ASA and Router issues (Cert Auth wi

Tran,

Big question for me is - why was it working with microsoft CA and not with IOS CA :-)

If I find a moment today, I'll lab it just to have peace of mind and remember my CCIE times again.

Marcin

Community Member

Re: VPN site-to-site between ASA and Router issues (Cert Auth wi

Marcin, thank you for exchanging info with me. See you on another case.

Thank you very much.

Community Member

Re: VPN site-to-site between ASA and Router issues (Cert Auth wi

Marcin,

The info for you:

%ASA-7-713906: IP = 136.1.122.200, Trying to find group via OU...
%ASA-3-713020: IP = 136.1.122.200, No Group found by matching OU(s) from ID payload:   ou=CCIEsec,
%ASA-7-713906: IP = 136.1.122.200, Trying to find group via IKE ID...
%ASA-7-713906: IP = 136.1.122.200, Trying to find group via IP ADDR...
%ASA-7-713906: IP = 136.1.122.200, Connection landed on tunnel_group 136.1.122.200
%ASA-7-717025: Validating certificate chain containing 1 certificate(s).
%ASA-7-717029: Identified client certificate within certificate chain. serial number: 03, subject name: serialNumber=FHK133870KA+hostname=R3.ine.com,cn=R3.ine.com,o=INE,ou=CCIEsec,l=CaLi,st=USA.
%ASA-7-717030: Found a suitable trustpoint DMZ.ine.com to validate certificate.
%ASA-6-717022: Certificate was successfully validated. serial number: 03, subject name:  serialNumber=FHK133870KA+hostname=R3.ine.com,cn=R3.ine.com,o=INE,ou=CCIEsec,l=CaLi,st=USA.
%ASA-6-717028: Certificate chain was successfully validated with revocation status check.
%ASA-7-713906: Group = 136.1.122.200, IP = 136.1.122.200, peer ID type 2 received (FQDN)
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing ID payload
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing cert payload
%ASA-7-715001: Group = 136.1.122.200, IP = 136.1.122.200, constructing RSA signature
%ASA-7-715076: Group = 136.1.122.200, IP = 136.1.122.200, Computing hash for ISAKMP
%ASA-7-713906: Constructed Signature Len: 256
%ASA-7-713906: Constructed Signature:
0000: 6A49AAB4 CA2006C0 068D840F 3BAEF907     jI... ......;...
0010: 5A47D830 E7EF7594 10FA4F54 ED3A38D7     ZG.0..u...OT.:8.
0020: D1B2D85D 67B65BD1 5C5510BE 038618CB     ...]g.[.\U......
0030: 81F35050 EDF77594 4F06D6B7 FAE036D4     ..PP..u.O.....6.
0040: 93C2A291 345F6575 8BC6C056 54102958     ....4_eu...VT.)X
0050: 3717AE54 43508589 E7B27A3E F3526CDC     7..TCP....z>.Rl.
0060: 6B9C0F44 F1A6BD6F F9203245 C860FCBB     k..D...o. 2E.`..
0070: F5A3DA2C 51A749BF 75C4DC36%ASA-7-715034: IP = 136.1.122.200, Constructing IOS keep alive payload: proposal=32767/32767 sec.
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing dpd vid payload
%ASA-7-713236: IP = 136.1.122.200, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 1311
%ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 136.1.122.200
%ASA-5-713119: Group = 136.1.122.200, IP = 136.1.122.200, PHASE 1 COMPLETED
%ASA-7-713121: IP = 136.1.122.200, Keep-alive type for this connection: DPD
%ASA-7-715080: Group = 136.1.122.200, IP = 136.1.122.200, Starting P1 rekey timer: 64800 seconds.
%ASA-7-714003: IP = 136.1.122.200, IKE Responder starting QM: msg id = 907cc977
%ASA-7-713236: IP = 136.1.122.200, IKE_DECODE RECEIVED Message (msgid=907cc977) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 164
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing hash payload
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing SA payload
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing nonce payload
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing ID payload
%ASA-7-714011: Group = 136.1.122.200, IP = 136.1.122.200, ID_IPV4_ADDR_SUBNET ID received--33.33.33.0--255.255.255.0
%ASA-7-713035: Group = 136.1.122.200, IP = 136.1.122.200, Received remote IP Proxy Subnet data in ID Payload:   Address 33.33.33.0, Mask 255.255.255.0, Protocol 0, Port 0
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing ID payload
%ASA-7-714011: Group = 136.1.122.200, IP = 136.1.122.200, ID_IPV4_ADDR_SUBNET ID received--11.11.11.0--255.255.255.0
%ASA-7-713034: Group = 136.1.122.200, IP = 136.1.122.200, Received local IP Proxy Subnet data in ID Payload:   Address 11.11.11.0, Mask 255.255.255.0, Protocol 0, Port 0
%ASA-7-713906: Group = 136.1.122.200, IP = 136.1.122.200, QM IsRekeyed old sa not found by addr
%ASA-7-713221: Group = 136.1.122.200, IP = 136.1.122.200, Static Crypto Map check, checking map = VPN, seq = 10...
%ASA-7-713225: Group = 136.1.122.200, IP = 136.1.122.200, Static Crypto Map check, map VPN, seq = 10 is a successful match
%ASA-7-713066: Group = 136.1.122.200, IP = 136.1.122.200, IKE Remote Peer configured for crypto map: VPN
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing IPSec SA payload
%ASA-7-715027: Group = 136.1.122.200, IP = 136.1.122.200, IPSec SA Proposal # 1, Transform # 1 acceptable  Matches global IPSec SA entry # 10
%ASA-7-713906: Group = 136.1.122.200, IP = 136.1.122.200, IKE: requesting SPI!
%ASA-7-715006: Group = 136.1.122.200, IP = 136.1.122.200, IKE got SPI from key engine: SPI = 0xd05eafc9
%ASA-7-713906: Group = 136.1.122.200, IP = 136.1.122.200, oakley constucting quick mode
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing blank hash payload
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing IPSec SA payload
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing IPSec nonce payload
%ASA-7-715001: Group = 136.1.122.200, IP = 136.1.122.200, constructing proxy ID
%ASA-7-713906: Group = 136.1.122.200, IP = 136.1.122.200, Transmitting Proxy Id:
  Remote subnet: 33.33.33.0  Mask 255.255.255.0 Protocol 0  Port 0
  Local subnet:  11.11.11.0  mask 255.255.255.0 Protocol 0  Port 0
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing qm hash payload
%ASA-7-714005: Group = 136.1.122.200, IP = 136.1.122.200, IKE Responder sending 2nd QM pkt: msg id = 907cc977
%ASA-7-713236: IP = 136.1.122.200, IKE_DECODE SENDING Message (msgid=907cc977) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 164
%ASA-7-713236: IP = 136.1.122.200, IKE_DECODE RECEIVED Message (msgid=907cc977) with payloads : HDR + HASH (8) + NONE (0) total length : 48
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing hash payload
%ASA-7-713906: Group = 136.1.122.200, IP = 136.1.122.200, loading all IPSEC SAs
%ASA-7-715001: Group = 136.1.122.200, IP = 136.1.122.200, Generating Quick Mode Key!
%ASA-7-715001: Group = 136.1.122.200, IP = 136.1.122.200, Generating Quick Mode Key!
%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x3E4CFCCD) between 136.1.122.100 and 136.1.122.200 (user= 136.1.122.200) has been created.
%ASA-5-713049: Group = 136.1.122.200, IP = 136.1.122.200, Security negotiation complete for LAN-to-LAN Group (136.1.122.200)  Responder, Inbound SPI = 0xd05eafc9, Outbound SPI = 0x3e4cfccd
%ASA-7-715007: Group = 136.1.122.200, IP = 136.1.122.200, IKE got a KEY_ADD msg for SA: SPI = 0x3e4cfccd
%ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xD05EAFC9) between 136.1.122.100 and 136.1.122.200 (user= 136.1.122.200) has been created.
%ASA-7-715077: Group = 136.1.122.200, IP = 136.1.122.200, Pitcher: received KEY_UPDATE, spi 0xd05eafc9
%ASA-7-715080: Group = 136.1.122.200, IP = 136.1.122.200, Starting P2 rekey timer: 3060 seconds.
%ASA-5-713120: Group = 136.1.122.200, IP = 136.1.122.200, PHASE 2 COMPLETED (msgid=907cc977)
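As an added example (not part of this thread or of any Cisco tool), the following Python script walks ASA IKE/PKI debug lines like the ones quoted above and reports how far the IKEv1 exchange got: which tunnel-group lookup matched (OU, IKE ID or IP fallback), whether the peer certificate validated, whether Phase 1 and Phase 2 completed, and whether an IKE Daemon traceback appeared. The two sample logs are constructed from the lines in this thread, and the findings text mirrors the thread's diagnosis (missing OU-named tunnel-group, missing peer-id-validate).

```python
import re
from typing import Dict, List

# Constructed sample modelled on the ASA debug lines quoted in this thread.
# Failure case: cert validates, tunnel-group found only by IP, no Phase 1.
SAMPLE_FAIL = """\
%ASA-7-713906: IP = 136.1.122.200, Trying to find group via OU...
%ASA-3-713020: IP = 136.1.122.200, No Group found by matching OU(s) from ID payload:   ou=CCIEsec,
%ASA-7-713906: IP = 136.1.122.200, Trying to find group via IKE ID...
%ASA-7-713906: IP = 136.1.122.200, Trying to find group via IP ADDR...
%ASA-7-713906: IP = 136.1.122.200, Connection landed on tunnel_group 136.1.122.200
%ASA-6-717022: Certificate was successfully validated. serial number: 03, subject name:  serialNumber=FHK133870KA+hostname=R3.ine.com,cn=R3.ine.com,o=INE,ou=CCIEsec,l=CaLi,st=USA.
%ASA-6-717028: Certificate chain was successfully validated with revocation status check.
%ASA-7-711002: Task ran for 18 msec, Process = IKE Daemon, PC = 810ae25, Traceback =   0x0810AE25  0x0814C6E6
"""
# Working case (after the fix): drop the traceback line, add Phase 1/2 completion.
SAMPLE_OK = SAMPLE_FAIL.rsplit("\n", 2)[0] + """
%ASA-5-713119: Group = 136.1.122.200, IP = 136.1.122.200, PHASE 1 COMPLETED
%ASA-5-713120: Group = 136.1.122.200, IP = 136.1.122.200, PHASE 2 COMPLETED (msgid=907cc977)
"""

MSG_RE = re.compile(r"^%ASA-\d-(?P<id>\d{6}): (?P<body>.*)$")


def summarize_ike(log_text: str) -> Dict[str, object]:
    """Walk ASA IKE/PKI debug lines and report how far the IKEv1 exchange got."""
    s: Dict[str, object] = {
        "peer": None, "group_lookup": None, "tunnel_group": None, "cert_ou": None,
        "cert_validated": False, "cert_subject": None,
        "phase1": False, "phase2": False, "traceback": False,
    }
    for line in log_text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        msg_id, body = m.group("id"), m.group("body")
        ip = re.search(r"IP = (\d+\.\d+\.\d+\.\d+)", body)
        if ip and s["peer"] is None:
            s["peer"] = ip.group(1)
        if msg_id == "713906":
            # ASA tries OU, then IKE ID, then IP; the last method tried is the one that matched.
            via = re.search(r"Trying to find group via (.+?)\.\.\.", body)
            if via:
                s["group_lookup"] = via.group(1)
            landed = re.search(r"landed on tunnel_group (\S+)", body)
            if landed:
                s["tunnel_group"] = landed.group(1)
        elif msg_id == "713020":  # OU from the peer's ID payload that had no tunnel-group
            ou = re.search(r"ID payload:\s*ou=([^,]+)", body)
            s["cert_ou"] = ou.group(1) if ou else None
        elif msg_id == "717022":  # chain validation succeeded (validity/CRL, not peer identity)
            s["cert_validated"] = True
            subj = re.search(r"subject name:\s*(.+?)\.?$", body)
            s["cert_subject"] = subj.group(1) if subj else None
        elif msg_id == "713119":
            s["phase1"] = True
        elif msg_id == "713120":
            s["phase2"] = True
        elif msg_id == "711002" and "Traceback" in body:
            s["traceback"] = True

    findings: List[str] = []
    if s["group_lookup"] == "IP ADDR" and s["cert_validated"]:
        findings.append(f"no tunnel-group named after certificate OU {s['cert_ou']!r}; "
                        f"ASA fell back to matching peer IP {s['tunnel_group']}")
    if s["cert_validated"] and not s["phase1"]:
        findings.append("certificate validated but Phase 1 never completed: check "
                        "tunnel-group ipsec-attributes (trust-point, peer-id-validate)")
    if s["traceback"]:
        findings.append("IKE Daemon traceback (711002) logged after the failure")
    s["findings"] = findings
    return s
```

Feed the output of `debug crypto isakmp` / `debug crypto ca` to `summarize_ike()`; on the failing capture it returns three findings, on the working one only the OU fallback note.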
