IPsec gateway to gateway on LRT224, main mode?

Hi, I just got my new Linksys LRT224.

I'm new to Linksys, but have used Netgear, D-Link and Redfox VPN routers.

About 20 minutes after unboxing the LRT224 I had an IPsec tunnel in aggressive mode working between my Netgear SRX5308 and the LRT224. Very impressive, I think; well, not my performance but the ease of the LRT224. Very nice web interface, quick and easy to understand. However, I have noticed two things so far: 1. I can only open the tunnel from my SRX to the LRT224 and not vice versa. 2. I can't get main mode working on the LRT224. Am I doing something wrong, or does the LRT224 not support main mode?

Has someone else tried main mode?

(There is no check box to select main mode, but when I select domain name + IP / FQDN for local and remote, the aggressive mode box is not checked.)

I normally set up routers like this:

SRX5308 to Linksys:

IKE Policy:
General
Policy Name = srx5308
Direction = Both
Exchange Mode = Main

Local:
Identifier Type = FQDN
xxxx.dyndns.org

Remote:
Identifier Type = FQDN
yyyy.dyndns.org

IKE SA Parameters:
Encryption Algorithm = 3DES
Authentication Algorithm = SHA-1
Authentication Method = Pre-shared key
Pre-shared key = MySharedSecret
Diffie-Hellman (DH) Group = Group 2 (1024 bit)
SA Lifetime (s) = 28800

VPN Policy:
Policy Name = srx5308
Remote Endpoint = yyyy.dyndns.org

Traffic Selection:

Local IP = Address Range
Start IP = 192.168.2.100
End IP = 192.168.2.200

Remote IP = Address Range
Start IP = 192.168.1.100
End IP = 192.168.1.200

Auto Policy Parameters:
SA Lifetime = 28800 seconds
Encryption Algorithm = 3DES
Integrity Algorithm = SHA-1
PFS = on
PFS Key Group = DH Group 2 (1024 bit)
Selected IKE Policy = srx5308
****************************************************************

I've searched the forum and also asked my friend Google, but so far I haven't found anything, so I'll keep looking.

Hi Ea > Br

You can try this. Set the parameters on the LRT224 as below:

Remote Group Setup:
Remote Security Gateway Type = IP + Domain Name (FQDN) Authentication

Remote Group IP Address = IP by DNS Resolved:

xxxx.dyndns.org

Domain Name = xxxx.dyndns.org

The VPN tunnel will then work in main mode, and you can open the tunnel from the LRT224 too.
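A way to confirm which mode a tunnel actually negotiated (the check the question above asks for, and the reason the aggressive-mode thread further down on this page describes the IDs as sent in clear text) is to decode the ISAKMP header of the first packet on UDP/500 and read its exchange type. The parser below is an added example written for this page, not Linksys or Cisco code; the three sample messages are constructed fixtures and the FQDN inside them is the placeholder from the question.

```python
import struct

# Fixed ISAKMP header and generic payload header layout from RFC 2408 (IKEv1).
ISAKMP_HDR_LEN = 28
FLAG_ENCRYPTION = 0x01  # header flag bit: everything after the header is encrypted

EXCHANGE_TYPES = {
    1: "Base",
    2: "Identity Protection (Main Mode)",
    3: "Authentication Only",
    4: "Aggressive Mode",
    5: "Informational",
    32: "Quick Mode",
}
PAYLOAD_TYPES = {
    1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
    8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID",
}


def parse_isakmp(data: bytes) -> dict:
    """Parse one ISAKMP message (the UDP/500 payload) and walk its payload chain.

    Returns the exchange type, whether the message is encrypted, and the
    ordered list of top-level payload names that are visible in the clear.
    """
    if len(data) < ISAKMP_HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    icky, rcky, next_payload, version, exch, flags, _msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:ISAKMP_HDR_LEN])
    if length != len(data):
        raise ValueError("header length %d does not match message size %d" % (length, len(data)))
    payloads = []
    offset = ISAKMP_HDR_LEN
    # Once the encryption flag is set the chain is ciphertext and cannot be walked.
    if not flags & FLAG_ENCRYPTION:
        while next_payload != 0:
            if offset + 4 > len(data):
                raise ValueError("truncated payload header")
            nxt, _reserved, plen = struct.unpack("!BBH", data[offset:offset + 4])
            if plen < 4 or offset + plen > len(data):
                raise ValueError("bad payload length %d at offset %d" % (plen, offset))
            payloads.append(PAYLOAD_TYPES.get(next_payload, "type%d" % next_payload))
            next_payload, offset = nxt, offset + plen
    return {
        "initiator_cookie": icky.hex(),
        "responder_cookie": rcky.hex(),
        "version": (version >> 4, version & 0x0F),
        "exchange_type": exch,
        "exchange_name": EXCHANGE_TYPES.get(exch, "unknown(%d)" % exch),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "payloads": payloads,
    }


def identity_sent_in_clear(data: bytes) -> bool:
    """True when an unencrypted message carries an ID payload.

    Aggressive mode does this in its first two messages; main mode only sends
    the ID payloads (messages 5 and 6) after the encryption flag is set.
    """
    info = parse_isakmp(data)
    return not info["encrypted"] and "ID" in info["payloads"]


def build_message(exch, flags, payloads, icky=b"\x11" * 8, rcky=b"\x00" * 8):
    """Build a structurally valid ISAKMP message; used here only for fixtures."""
    body = b""
    for i, (ptype, pdata) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pdata)) + pdata
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack("!8s8sBBBBII", icky, rcky, first, 0x10, exch, flags, 0,
                      ISAKMP_HDR_LEN + len(body))
    return hdr + body


# Constructed fixtures (payload bodies are dummies, not real proposals or keys):
# main mode message 1 carries SA + VID, aggressive mode message 1 already carries
# KE, NONCE and the initiator ID (type 2 = ID_FQDN), and main mode message 5
# arrives with the encryption flag set, so its ID payload is not readable.
MAIN_MODE_MSG1 = build_message(2, 0, [(1, b"\x00" * 12), (13, b"constructed-vid")])
AGGRESSIVE_MSG1 = build_message(4, 0, [(1, b"\x00" * 12), (4, b"\x01" * 16), (10, b"\x02" * 8),
                                       (5, b"\x02\x00\x00\x00xxxx.dyndns.org"),
                                       (13, b"constructed-vid")])
MAIN_MODE_MSG5 = build_message(2, FLAG_ENCRYPTION, [(5, b"\x02\x00\x00\x00xxxx.dyndns.org"),
                                                    (8, b"\x00" * 20)], rcky=b"\x22" * 8)

if __name__ == "__main__":
    for name, msg in [("MM1", MAIN_MODE_MSG1), ("AM1", AGGRESSIVE_MSG1), ("MM5", MAIN_MODE_MSG5)]:
        info = parse_isakmp(msg)
        print(name, info["exchange_name"], info["payloads"],
              "ID in clear:", identity_sent_in_clear(msg))
```

On a real capture, feed the UDP payload of the first packet from the LRT224 to parse_isakmp: exchange type 2 means main mode was negotiated, 4 means aggressive mode.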

Tags: Linksys Products

Similar Questions

  • Cisco VPN router to Juniper - need phase 1 Main Mode

    Experts,

    Hello, I have been researching throughout the day and I can't find the difference in how to configure main mode for phase 1 compared to aggressive mode for phase 1.

    I'm setting up a VPN tunnel to a Juniper device.

    The peer needs main mode for phase 1 in order to connect.

    My questions:

    1. How can I configure main mode and aggressive mode?

    2. What is the default behavior for the Lan2Lan VPN tunnel?

    Thanks for the help.

    The command to disable aggressive mode is:

    crypto isakmp aggressive-mode disable

    OP:

    Which Juniper device are you connecting to? A GSU?

  • IPSEC VPN site to site on Transparent mode

    Hello

    Does the new version of the ASA OS support IPsec site-to-site VPN on Transparent mode now?

    Thank you very much

    Kind regards

    J

    The transparent firewall supports site-to-site VPN tunnels for management connections only. It does not terminate VPN connections for traffic through the ASA. You can pass VPN traffic through the ASA using an extended access list, but it does not terminate non-management connections. Clientless SSL VPN is also not supported.

  • IPsec VPN between two routers - mode ESP Transport and Tunnel mode

    Hi experts,

    I have had this question about Transport mode and Tunnel mode for a while.

    Based on my understanding, 'Transport' mode is not possible because you always have the original "internal" private IP addresses in the IP headers. They are always different from the public IP addresses on the interfaces enabled with the crypto map. When encapsulated in the VPN tunnel, the internal IP addresses must be included or the remote VPN router won't know where to forward the packet.

    To test, I built a simple GNS3 lab with three routers. R1 and R3 are configured as VPN routers and R2 simulates the Internet.

    My configs are also very basic. R2 routes between 1.1.1.0/24 and 2.2.2.0/24. It is defined as the gateway of R1 and R3.

    R1:

    crypto isakmp policy 100
     encr aes
     authentication pre-share
     group 2
    crypto isakmp key 123456 address 2.2.2.2
    !
    ! esp-null: integrity only, no encryption, so the captures stay readable
    crypto ipsec transform-set ESP_null esp-null esp-sha-hmac
    !
    crypto map map 10 ipsec-isakmp
     set peer 2.2.2.2
     set transform-set ESP_null
     match address VPN
    !
    ip access-list extended VPN
     permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
    !

    R3:

    crypto isakmp policy 100
     encr aes
     authentication pre-share
     group 2
    crypto isakmp key 123456 address 1.1.1.2
    !
    crypto ipsec transform-set ESP_null esp-null esp-sha-hmac
    !
    crypto map map 10 ipsec-isakmp
     set peer 1.1.1.2
     set transform-set ESP_null
     match address VPN
    !
    ip access-list extended VPN
     permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255

    I configured the transform set with "null" so that it will not encrypt the traffic.

    Then I tried both 'transport' mode and 'tunnel' mode. I pinged a host in R1's internal network from another host in R3's internal network. I also tried 'telnet'. I also captured packets and carefully compared them in both modes.

    The packets are encapsulated in exactly the same way!

    It's just SPI + sequence No. + + padding

    I will attach my screenshots here for you guys to analyze. I would be grateful for any explanation. Maybe I'm just confused when it comes to NAT...

    I guess my next step is to check if the two modes make a difference when GRE is used.

    Thank you

    Difan

    Hi Difan,

    As you point out, transport mode is not always applicable (i.e. it is applicable only if the IP source and destination are equal to the corresponding proxy IDs).

    Typical scenarios in which transport mode is used:

    -Encryption between two hosts

    -GRE tunnels

    -L2TP over IPsec

    Even if you set "transport mode" this does not mean that it will be used. IOS routers, and I believe also the ASA, will fall back to tunnel mode even if transport mode is configured but does not apply.

    I can take a look at your sniffer traces, but first of all can you please check whether you have transport mode on your IPsec security associations? The "show crypto ipsec sa" output will show you tunnel or transport mode.

    HTH,

    Marcin

  • VPN gateway with the traffic filtering

    I am working in the lab on a small-scale configuration in which a client PC establishes an IPsec VPN with a Cisco 1921 router; I have two questions in this regard.

    (1) For wireless PC clients, is using an IPsec VPN client the best option or should I prefer other options? The wireless clients also use a RADIUS server for authentication.

    (2) I want to make sure no other traffic can reach or pass the local network interface other than the VPN client traffic. What do I need to set up on the router to make sure that no traffic other than VPN traffic can pass?

    First: the real IPsec VPN client is AnyConnect. The VPN config for an AnyConnect (especially IPsec) gateway on an IOS router is much more difficult than on the ASA. If you still have the possibility of changing the gateways, then go for an ASA. It is also much cheaper from a license perspective, given that there is no AnyConnect Essentials license for the router. The traditional Cisco VPN Client is EOL and no new deployment should begin on that basis.

    Your questions:

    (1) All VPN users should be authenticated in some way. Sending the authentication request to a central directory is a best practice and is usually done with RADIUS. In addition to authentication, you can also perform authorization to control what rights a VPN user gets.

    (2) If you only want to allow IPsec traffic, you must configure an access list that permits UDP/500, UDP/4500 and IP protocol 50 to your router IP. With this config, all other traffic will be dropped.

  • Need for visibility on the IPsec protocol: aggressive Mode

    Hello

    I have a few doubts about VPN. I have already gone through a large number of documents. Everybody says something I don't agree with. So please don't refer to that kind of material in your answer.

    Aggressive mode: as far as I know, there are 3 exchanges in aggressive mode. In the first message the initiator sends the SA parameters, DH, ID (IP address, FQDN). Then the responder (2nd msg) replies with the SA settings, DH, ID, HASH_R; then the initiator (3rd msg) responds with HASH_I and PHASE 1 is established.

    As the initiator and responder IDs are sent in clear text, we say that aggressive mode is not secure.

    DH is used to exchange keys between peers. DH negotiates and then generates a SECRET_KEY which in turn is used to encrypt the symmetric key. We have SA parameters for encryption, hash, authentication.

    Here are my questions:

    (a) All SA parameters, IDs and DH are exchanged in the first and second messages. The third message from the initiator is to send HASH_I. Now, I don't see any use of DH in this mode at all, no encryption (the ISAKMP payload is not encrypted). The sole aim of PHASE 1 is to build a secure management layer so that the PHASE 2 connection (data connection) may be established under a secure layer (PHASE 1). Now, I see that in aggressive mode we are not able to achieve this secure layer. So, what's the point of having encryption algorithms and DH in PHASE 1 if they are never used? Instead, skip PHASE 1 and we can have PFS in Phase 2 serving as DH, and we have hashing and encryption algorithms there too.

    (b) Is the PRE-SHARED KEY actually shared over the connection using DH? Or is just a HASH of the PRE-SHARED KEY generated and sent over the connection for authentication?

    (c) Why can aggressive mode be used for dynamic addressing and not main mode?

    Please answer the queries and correct me if I am wrong somewhere.

    Thank you

    Rakesh Kumar

    (a) Theoretically, skipping Phase 1 and doing everything in Phase 2 (for aggressive mode only) would probably be a good idea to make it safer. However, this would require a complete redesign of the IKE protocol. As you probably already know, aggressive mode is used by default only for remote access VPN, and I've never seen it used for site-to-site at any of the customers I have come in contact with. Aggressive mode, in my opinion, would be used only in situations where a large number of VPN tunnels are built and torn down all the time (as with RA VPN) to save on hardware resources. But... it is what it is, not a very safe method to use.

    (b) The pre-shared key is used to create a hash and this hash is sent to the remote peer. If the remote peer can create the same hash using its own pre-shared key, then the peers know they share the same secret. The problem with aggressive mode is that the hash is sent in plain text, so if an attacker is able to capture this data they could perform an offline brute force attack.

    (c) I think this has to do with the fact that aggressive mode sends its identity in clear text, and therefore the responding peer does not have to be pre-configured as it does with tunnels with static addresses at both ends.

    --

    Please do not forget to select a correct answer and rate useful posts

  • IPSec Transport Mode question

    Hello

    We currently have a tunnel-mode site-to-site VPN linking our corporate network and our DR site to provide secure replication to the DR site. I am making some firewall changes this weekend that will put an IOS Zone-Based FW between the 2 sites (to provide 2 firewalls for the corporate site, creating a DMZ in the middle).

    The corporate site and the DR site are all in our own autonomous system, so there is no NAT involved, as all the routes are private. I have a VPN to provide extra protection to each site, because they are both accessible via the Internet (I wanted a thin ACL on each ASA outside interface). Anyway, to my question.

    I am implementing a zone-based firewall on the border router to provide extra protection. In the zone-pair ACL between my corporate and recovery sites, if I change the VPN to transport mode, should these ACEs work?

    Corporate ASA = 1.1.1.1

    Corporate net = 10.10.10.0/24

    DR ASA = 2.2.2.2

    DR net = 20.20.20.0/24

    permit esp 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
    permit udp host 1.1.1.1 host 2.2.2.2 eq isakmp
    permit esp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
    permit udp host 2.2.2.2 host 1.1.1.1 eq isakmp

    I'm fairly sure that it is correct; however, I wanted some reassurance before I make these changes on Saturday.

    This link describes the IPsec protocol offering transport and tunnel mode with these characteristics; what I mean is that the ASA, as a Cisco solution, does not support transport mode for LAN-to-LAN tunnels.

    Now, since you made me hesitate on my response, I made a quick test linking 2 ASAs back-to-back with a LAN-to-LAN tunnel using transport mode. The tunnel came up fine but traffic does not pass. The reason? The ASA was dropping it because the SA and the classification of the secured traffic should be peer-to-peer (as in normal tunnel mode); in our case the ASA received an ESP packet from the internal network of the remote ASA which does not correspond to the classification, which is why it was dropped.

    Application of ESP and eliminated from 11.1.1.2 for outside: 10.1.1.2

    Deny inbound protocol 50 src outside:11.1.1.2 dst identity:10.1.1.2

    This message appears after configuring nat and acl rules to see if it accepts the traffic:

    IPSEC: Received a non-IPSec (protocol= ESP) packet from 11.1.1.2 to 10.1.1.2.

    So, as you can see, it looks more like a platform limitation or something.

    Now, the question I have for you: why the need for transport mode?

  • Connecting two LRT224 using VPN

    What is the best way to connect two LRT224s to each other when they are in two different cities?

    OpenVPN or IPsec?

    I think gateway to gateway should be the correct mode, but I'm very unsure with the large number of parameters...

    Try EasyLink VPN on the LRT214/LRT224, which simplifies the site-to-site VPN configuration.

    http://KB.Linksys.com/Linksys/UKP.aspx?VW=1&docid=03cf456383fc4d958cf918110c7fcd42_How_to_configure _...

    Conceptually, EasyLink VPN works in the following way.

    1. On the main site, activate EasyLink VPN Server (inbound tab on the web GUI) and create an account (name and password) for each remote site.

    2. At a remote site, activate EasyLink VPN Client (tab on the web GUI) and enter the account credentials (user name and password).

    3. The remote site will automatically reach the primary site to establish an IPsec tunnel.

    Note: the LRT224 can support up to five EasyLink VPN peers in a star VPN topology.

  • ASA5510-CISCO871 DOWN IPSEC TUNNEL

    Help!

    A site-to-site IPsec tunnel between an ASA 5510 and an 871 router cannot be established.

    Config and debug info:

    ASA:
    1.1.1.26 external ip address
    1.1.1.254 the gateway ip
    3.3.3.0 LAN network
    3.3.3.250 ip LAN
    3.3.3.20 PC in LAN

    ROUTER 871
    2.2.2.226 external ip address
    2.2.2.225 the gateway ip
    4.4.4.0 network LAN
    4.4.4.254 ip LAN
    4.4.4.28 PC in LAN

    ASA 5510 CONFIG:

    interface Ethernet0/0
     description WAN
     nameif AI_WAN
     security-level 0
     ip address 1.1.1.26 255.255.255.248

    interface GigabitEthernet1/0
     description AB LAN network
     nameif AB_LAN
     security-level 100
     ip address 3.3.3.250 255.255.255.0

    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route

    crypto map AI_WAN_map 1 match address AI_WAN_1_cryptomap
    crypto map AI_WAN_map 1 set peer 2.2.2.226
    crypto map AI_WAN_map 1 set transform-set ESP-DES-MD5
    crypto map AI_WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map AI_WAN_map interface AI_WAN

    crypto isakmp enable AI_WAN
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp ipsec-over-tcp port 10000
    crypto isakmp disconnect-notify

    route AI_WAN 0.0.0.0 0.0.0.0 1.1.1.254
    route AI_WAN 4.4.4.0 255.255.255.0 2.2.2.226

    access-list AI_WAN_1_cryptomap extended permit ip 3.3.3.0 255.255.255.0 4.4.4.0 255.255.255.0

    tunnel-group 2.2.2.226 type ipsec-l2l
    tunnel-group 2.2.2.226 general-attributes
    tunnel-group 2.2.2.226 ipsec-attributes
     pre-shared-key *

    871 ROUTER CONFIG:

    crypto isakmp policy 2
     authentication pre-share
     group 2
    ! no encryption/hash lines here, so IOS uses its defaults (des, sha)
    crypto isakmp key * address 1.1.1.26

    crypto ipsec transform-set des-md5 esp-des esp-md5-hmac

    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Tunnel to1.1.1.26
     set peer 1.1.1.26
     set transform-set des-md5
     match address 100

    interface FastEthernet4
     ip address 2.2.2.226 255.255.255.0
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map SDM_CMAP_1

    interface Vlan1
     ip address 4.4.4.254 255.255.255.0
     ip virtual-reassembly

    ip route 0.0.0.0 0.0.0.0 2.2.2.225
    ip route 3.3.3.0 255.255.255.0 1.1.1.26

    access-list 100 permit ip 4.4.4.0 0.0.0.255 3.3.3.0 0.0.0.255

    DEBUGGING OF ASA 5510

    ciscoasa (config) # 25 Feb 21:58:07 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + SA (1) the SELLER (13) + the SELLER (13), SELLER (13) + (0) NONE total length: 180
    25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, SA payload processing
    25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
    25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
    25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
    25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
    25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, Oakley proposal is acceptable
    25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
    25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
    25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, worm received 03 NAT-Traversal, VID
    25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
    25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, received NAT-Traversal worm 02 VID
    25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA payload processing
    25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
    25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
    25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
    25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
    25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA proposal # 1, turn # 1 entry overall IKE acceptable matches # 4
    25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, build the payloads of ISAKMP security
    25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing the payload of the NAT-Traversal VID ver 02
    25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, construction of Fragmentation VID + load useful functionality
    25 FEV 21:58: 07 [IKEv1]: IP = 2.2.2.226, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
    25 FEV 21:58: 15 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
    25 FEV 21:58: 17 [IKEv1]: IP = 2.2.2.226, first detected duplicate package.  Ignoring the package.
    25 FEV 21:58: 23 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
    25 FEV 21:58: 27 [IKEv1]: IP = 2.2.2.226, first detected duplicate package.  Ignoring the package.
    25 FEV 21:58: 31 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
    25 FEV 21:58: 37 [IKEv1]: IP = 2.2.2.226, first detected duplicate package.  Ignoring the package.
    25 FEV 21:58: 39 [IKEv1 DEBUG]: IP = 2.2.2.226, case of mistaken IKE MM Responder WSF (struct & 0xadb2fdf8) , : MM_DONE, EV_ERROR--> MM_WAIT_MSG3, EV_TIMEOUT--> MM_WAIT_MSG3 NullEvent--> MM_SND_MSG2, EV_SND_MSG--> MM_SND_MSG2, EV_START_TMR--> MM_SND_MSG2, EV_RESEND_MSG--> MM_WAIT_MSG3, EV_TIMEOUT--> MM_WAIT_MSG3, NullEvent
    25 FEV 21:58: 39 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA MM:8d4057b1 ending: flags 0 x 01000002, refcnt 0, tuncnt 0
    25 FEV 21:58: 39 [IKEv1 DEBUG]: IP = 2.2.2.226, sending clear/delete with the message of reason
    25 FEV 21:58: 47 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + SA (1) the SELLER (13) + the SELLER (13), SELLER (13) + (0) NONE total length: 180
    25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, SA payload processing
    25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
    25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
    25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
    25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
    25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, Oakley proposal is acceptable
    25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
    25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
    25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, worm received 03 NAT-Traversal, VID
    25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
    25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, received NAT-Traversal worm 02 VID
    25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA payload processing

    25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
    25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
    25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
    25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
    25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA proposal # 1, turn # 1 entry overall IKE acceptable matches # 4
    25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, build the payloads of ISAKMP security
    25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing the payload of the NAT-Traversal VID ver 02
    25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, construction of Fragmentation VID + load useful functionality
    25 FEV 21:58: 47 [IKEv1]: IP = 2.2.2.226, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
    25 FEV 21:58: 55 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
    25 FEV 21:58: 57 [IKEv1]: IP = 2.2.2.226, first detected duplicate package.  Ignoring the package.
    25 FEV 21:59: 03 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
    25 FEV 21:59: 11 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
    25 FEV 21:59: 19 [IKEv1 DEBUG]: IP = 2.2.2.226, case of mistaken IKE MM Responder WSF (struct & 0xadb2fdf8) , : MM_DONE, EV_ERROR--> MM_WAIT_MSG3, EV_TIMEOUT--> MM_WAIT_MSG3 NullEvent--> MM_SND_MSG2, EV_SND_MSG--> MM_SND_MSG2, EV_START_TMR--> MM_SND_MSG2, EV_RESEND_MSG--> MM_WAIT_MSG3, EV_TIMEOUT--> MM_WAIT_MSG3, NullEvent
    25 FEV 21:59: 19 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA MM:7622 has 639 ending: flags 0 x 01000002, refcnt 0, tuncnt 0
    25 FEV 21:59: 19 [IKEv1 DEBUG]: IP = 2.2.2.226, sending clear/delete with the message of reason

    DEBUGGING OF 871 ROUTER

    871_router #debu cry isa
    871_router #ping 3.3.3.20 source 4.4.4.254

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 3.3.3.20, timeout is 2 seconds:
    Packet sent with a source address of 4.4.4.254

    Feb 25 21:58:06.799: ISAKMP: (0): profile of THE request is (NULL)
    21:58:06.799 25 Feb: ISAKMP: created a struct peer 1.1.1.26, peer port 500
    21:58:06.799 25 Feb: ISAKMP: new position created post = 0x834B2AB4 peer_handle = 0x8000000C
    21:58:06.799 25 Feb: ISAKMP: lock struct 0x834B2AB4, refcount 1 to peer isakmp_initiator
    21:58:06.799 25 Feb: ISAKMP: 500 local port, remote port 500
    21:58:06.799 25 Feb: ISAKMP: set new node 0 to QM_IDLE
    25 Feb 21:58:06.799: insert his with his 83476114 = success
    21:58:06.799 25 Feb: ISAKMP: (0): cannot start aggressive mode, try the main mode.
    21:58:06.799 25 Feb: ISAKMP: (0): pair found pre-shared key matching 1.1.1.26
    Feb 25 21:58:06.799: ISAKMP: (0): built the seller-07 ID NAT - t
    Feb 25 21:58:06.799: ISAKMP: (0): built of NAT - T of the seller-03 ID
    Feb 25 21:58:06.799: ISAKMP: (0): built the seller-02 ID NAT - t
    21:58:06.799 25 Feb: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    21:58:06.799 25 Feb: ISAKMP: (0): former State = new State IKE_READY = IKE._I_MM1

    Feb 25 21:58:06.803: ISAKMP: (0): Beginner Main Mode Exchange
    Feb 25 21:58:06.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE...
    Success rate is 0% (0/5)
    Sokuluk #.
    Feb 25 21:58:16.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
    21:58:16.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 1 5: retransmit the phase 1
    Feb 25 21:58:16.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
    Feb 25 21:58:16.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
    Feb 25 21:58:26.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
    21:58:26.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
    Feb 25 21:58:26.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
    Feb 25 21:58:26.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
    21:58:36.799 25 Feb: ISAKMP: set new node 0 to QM_IDLE
    21:58:36.799 25 Feb: ISAKMP: (0): SA is still budding. Attached new request ipsec. (2.2.2.226 local 1.1.1.26 remote)
    21:58:36.799 25 Feb: ISAKMP: error during the processing of HIS application: failed to initialize SA
    21:58:36.799 25 Feb: ISAKMP: error while processing message KMI 0, error 2.
    Feb 25 21:58:36.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
    21:58:36.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
    Feb 25 21:58:36.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
    Feb 25 21:58:36.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
    Feb 25 21:58:46.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
    21:58:46.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
    Feb 25 21:58:46.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
    Feb 25 21:58:46.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
    Feb 25 21:58:56.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
    21:58:56.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 5 of 5: retransmit the phase 1
    Feb 25 21:58:56.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
    Feb 25 21:58:56.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
    21:59:06.799 25 Feb: ISAKMP: (0): the peer is not paranoid KeepAlive.

    21:59:06.799 25 Feb: ISAKMP: (0): removal of reason HIS State "P1 remove notification (en)" (I) MM_NO_STATE (post 1.1.1.26)
    21:59:06.799 25 Feb: ISAKMP: (0): removal of reason HIS State "P1 remove notification (en)" (I) MM_NO_STATE (post 1.1.1.26)
    21:59:06.799 25 Feb: ISAKMP: Unlocking counterpart struct 0x834B2AB4 for isadb_mark_sa_deleted(), count 0
    21:59:06.799 25 Feb: ISAKMP: delete peer node by peer_reap for 1.1.1.26: 834B2AB4
    21:59:06.799 25 Feb: ISAKMP: (0): node-254301187 error suppression FALSE reason 'IKE deleted.
    21:59:06.799 25 Feb: ISAKMP: (0): node-1584635621 error suppression FALSE reason 'IKE deleted.
    21:59:06.799 25 Feb: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    21:59:06.799 25 Feb: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_DEST_SA

    Here is the download page for the 871 router - IOS 12.4(15)T14:

    http://www.Cisco.com/Cisco/software/release.html?mdfid=279624003&dvdid=279978467&flowid=8212&softwareid=280805680&release=12.4.15T14&rellifecycle=MD&relind=available&RelType=all

    However, you will need to have a Smartnet contract and your CEC account linked to the contract in order to download the software.

  • Bug in the Linksys WRT54GC "Router" operating mode?

    I use a Linksys WRT54GC router and I experience a behavior that I don't expect.
    Can you give me your opinion?
    This is the case:

    My assumption about the "Gateway" or "Router" operating mode is:
    Gateway mode means NAT, which makes the LAN-side subnet addresses invisible to the WAN side. NAT is disabled by changing the operating mode from 'Gateway' to 'Router'.

    I have connected a PC (192.168.2.100) to the WAN port (192.168.2.2) of the router and another PC (192.168.23.100) to a LAN port (192.168.23.1) of the router.
    When I switch my WRT54GC to "Router" mode I still can't ping the PC on the LAN side of the router from the WAN side. SPI firewall protection and "block anonymous Internet requests" are disabled. The firewalls on both computers are disabled.

    I saw a similar problem in the forum thread "Connecting two routers via WAN" of 08/28/2008 by Victor Tang.

    Don't you think that it is a bug in the operating mode of the WRT54GC software?

    I reported the bug to Linksys.

    My first experience with Linksys technical support was very good.

    They took the problem seriously, asked for a Wireshark dump and sent me a firmware update for the router.

    This fixes the bug with the operating mode; now I can route in and out without NAT, very nice!

    I didn't update the firmware earlier because the release notes did not mention my bug, and I read in the forum of a lot of users having problems after a firmware update, so I followed the policy of not updating unless it can solve your problem.

    There are some things perhaps worth mentioning:

    You should be careful to use the right firmware for your router.

    Not only the router model is important, but the hardware version and the country too!

    I've got a WRT54GC, hardware version 1, and it is the EU type.

    For this hardware there is also a US type with different firmware versions!

    The latest firmware version for the US type is v1.60.1; the latest version for the EU type is v1.60.0.

    So take care on the website where you download the update that you get the right version, and read the release notes. In these release notes you can check whether your current firmware version is part of the history of this firmware, so you know that you have the right one. I was so careful because many have reported problems in the forum with updates.

    Now I'm able to exchange traffic between computers and printers in different subnets, and I can access the Internet from each subnet via the gateway I want.

    It is important to think about the configuration of your PC and routing tables.

    The firewall on the computers must be configured for the additional subnet.

    A PC has a default gateway to reach a device on another subnet.

    Most of the time these are devices on the Internet, so if you create additional internal subnets, your traffic will by default be sent to the Internet and will be lost. To avoid this, define additional gateways through which your additional subnet can be reached.

    This can be done on a PC with the command: route add (i.e. route add 192.168.23.0 mask 255.255.255.0 192.168.2.2), or you define a static route on your router (the latter is preferable).

    The problems I've had forced me to consider how networking works; with the help of the users on this forum I would conclude that this is a bug, and with the very good support of Linksys everything now works as expected.

    Thank you.

  • RV110W IPsec Site-to-Site

    I'm trying to get a site-to-site VPN working between two RV110W routers, obviously in different places with different public IPs and different internal IP networks.

    For some reason the IPsec Security Association gets 'established', but no traffic travels between the two.

    I use the "basic VPN setup" on the routers and type in their respective information below.

    Public IPs have been replaced by x.x.x.x.

    Router A:

    Connection: - name -.

    Key: - PSK-

    IP / FQDN: - public IP address of the remote site.

    Local WAN: - local WAN.

    Remote LAN: 10.151.238.0

    Remote mask: 255.255.255.0

    Local NETWORK: 10.151.237.0

    Local mask: 255.255.255.0

    Router B:

    Connection: - name -.

    Key: - PSK-

    IP / FQDN: - public IP address of the remote site.

    Local WAN: - local WAN.

    Remote LAN: 10.151.237.0

    Remote mask: 255.255.255.0

    Local NETWORK: 10.151.238.0

    Local mask: 255.255.255.0

    I am very confused.

    Site A:

    Public IP address

    10.151.237.0/24 network

    Cisco VPN Firewall RV110W

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [30287]: package x.x.x.x:500: received vendor payload [Openswan (this version) 2.6.21] code

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [30287]: package x.x.x.x:500: received vendor payload [Dead Peer Detection] code

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #4: meet the main Mode

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #4: transition of State STATE_MAIN_R0 of State STATE_MAIN_R1

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #4: STATE_MAIN_R1: sent MR1, expected MI2

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #4: transition of State STATE_MAIN_R1 of State STATE_MAIN_R2

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #4: STATE_MAIN_R2: sent MR2, waiting for MI3

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: package x.x.x.x:500: received vendor payload [Openswan (this version) 2.6.21] code

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: package x.x.x.x:500: received vendor payload [Dead Peer Detection] code

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #5: meet the main Mode

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #5: transition of State STATE_MAIN_R0 of State STATE_MAIN_R1

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #5: STATE_MAIN_R1: sent MR1, expected MI2

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #5: transition of State STATE_MAIN_R1 of State STATE_MAIN_R2

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #5: STATE_MAIN_R2: sent MR2, waiting for MI3

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #5: hand mode peer ID is ID_IPV4_ADDR: \'x.x.x.x\'

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #5: transition of State STATE_MAIN_R2 of State STATE_MAIN_R3

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #5: STATE_MAIN_R3: sent MR3, Security Association established ISAKMP {auth = OAKLEY_PRESHARED_KEY = prf = oakley_sha group = modp1024 aes_128 encryption}

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #5: Dead Peer Detection (RFC 3706): enabled

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #5: the proposed peer: 10.151.237.0/24:0/0-> 10.151.238.0/24:0/0

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #6: response to a proposal of fast Mode {msgid:6ecb39e8}

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #6: us: 10.151.237.0/24===x.x.x.x

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #6: them: x.x.x.x===10.151.238.0/24

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #6: transition of State STATE_QUICK_R0 of State STATE_QUICK_R1

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]. Pluto: pfkey fd is 19

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]. Pluto: pfkey fd is 19

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]. Pluto: pfkey fd is 19

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]. Pluto: pfkey fd is 19

    ' 2013-07-11 16:16:14 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #6: Dead Peer Detection (RFC 3706): enabled

    ' 2013-07-11 16:16:14 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #6: transition of State STATE_QUICK_R1 of State STATE_QUICK_R2

    ' 2013-07-11 16:16:14 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #6: STATE_QUICK_R2: IPsec Security Association established the {-online 0x2fadc90d ESP tunnel mode<0xa6393cfc xfrm="AES_128-HMAC_SHA1" natoa="none" natd="none" dpd="">

    2013-07-11 16:16:14 RV110W authpriv.debug pluto [30287]. * pfkey received message

    2013-07-11 16:16:14 RV110W authpriv.debug pluto [30287]. Pluto: pfkey fd is 19

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: received vendor payload [Openswan (this version) 2.6.21] code

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: received vendor payload [Dead Peer Detection] code

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: transition of State STATE_MAIN_I1 of State STATE_MAIN_I2

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: STATE_MAIN_I2: sent MI2, waiting for MR2

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: transition of State STATE_MAIN_I2 of State STATE_MAIN_I3

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: STATE_MAIN_I3: sent MI3, expect MR3

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: hand mode peer ID is ID_IPV4_ADDR: \'96.2.164.121\'

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: transition of State STATE_MAIN_I3 of State STATE_MAIN_I4

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: STATE_MAIN_I4: ISAKMP Security Association established {auth = OAKLEY_PRESHARED_KEY = prf = oakley_sha group = modp1024 aes_128 encryption}

    ' 2013-07-11 16:16:17 RV110W authpriv.info pluto [30287]: \"cisco\ ' #3: STATE_MAIN_I4: ISAKMP Security Association established {auth = OAKLEY_PRESHARED_KEY = prf = oakley_sha group = modp1024 aes_128 encryption}

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: Dead Peer Detection (RFC 3706): enabled

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #7: quick launch Mode PSK + ENCRYPT + TUNNEL + TOP {using isakmp proposal d = AES (12) msgid:0779895 #3 _128-SHA1 (2) _1024 pfsgroup = No. - pfs}

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #7: Dead Peer Detection (RFC 3706): enabled

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #7: transition of State STATE_QUICK_I1 of State STATE_QUICK_I2

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #7: STATE_QUICK_I2: sent QI2, Security Association established IPsec ESP tunnel {-online 0x8d260557 mode<0xad4da835 xfrm="AES_128-HMAC_SHA1" natoa="none" natd="none" dpd="">

    ' 2013-07-11 16:16:17 RV110W authpriv.info pluto [30287]: \"cisco\ ' #7: STATE_QUICK_I2: sent QI2, Security Association established IPsec ESP tunnel {-online 0x8d260557 mode<0xad4da835 xfrm="AES_128-HMAC_SHA1" natoa="none" natd="none" dpd="">

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]. * pfkey received message

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]. Pluto: pfkey fd is 19

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]. * pfkey received message

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]. Pluto: pfkey fd is 19

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]. * pfkey received message

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]. Pluto: pfkey fd is 19

    2013-07-11 16:16:53 RV110W kern.debug wl0.0: IEEE 802.11 Association request for e0: c9:7 has: 7 a: 3d:2 b b8:62:1f:51:ad:a9 BSSID

    2013-07-11 16:16:54 RV110W kern.info wl0.0: e0:c9:7 a: 7 a: 3d:2 b IEEE 802.11 STA associated BSSID b8:62:1f:51:ad:a9

    2013-07-11 16:16:54 RV110W daemon.info udhcpd [2541]: received REQUEST from E0:C9:7 A: 7 A: 3D:2 B

    2013-07-11 16:16:54 RV110W daemon.info udhcpd [2541]: sending acknowledgement to 10.151.237.5

    ' 2013-07-11 16:17:23 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #4: max number of retransmissions (2) reached STATE_MAIN_R2

    2013-07-11 16:17:43 RV110W daemon.info udhcpd [2541]: INFORMATION from 38:60:77:13:C0:48

    Site B:

    Public IP address

    10.151.238.0/24 network

    Cisco VPN Firewall RV110W

    2013-07-11 16:13:11 RV110W daemon.info httpd [22952]: Administrator 10.151.238.201 logined

    2013-07-11 16:16:11 RV110W user.debug syslog. PFKEY open, create socket 19

    2013-07-11 16:16:11 RV110W user.debug syslog. recv pfkey register address

    2013-07-11 16:16:11 RV110W user.debug syslog. recv pfkey register address

    2013-07-11 16:16:11 RV110W user.debug syslog. recv pfkey register address

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: warning: 1success is enabled

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: NAT-Traversal port 4500 floating off setting

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: port floating nat_t activation criteria = 0/port_float = 1

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: including NAT-Traversal patch (Version 0.6 c) [disabled]

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: using/dev/urandom as a source of random entropy

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): OAKLEY_TWOFISH_CBC_SSH of activation: Ok (ret = 0)

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): OAKLEY_TWOFISH_CBC of activation: Ok (ret = 0)

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): OAKLEY_SERPENT_CBC of activation: Ok (ret = 0)

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): OAKLEY_AES_CBC of activation: Ok (ret = 0)

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): OAKLEY_BLOWFISH_CBC of activation: Ok (ret = 0)

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: ike_alg_register_hash(): OAKLEY_SHA2_512 of activation: Ok (ret = 0)

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: ike_alg_register_hash(): OAKLEY_SHA2_256 of activation: Ok (ret = 0)

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: commissioning 1 cryptographic support

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6789]: using/dev/urandom as a source of random entropy

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: begun assistance pid = 6789 (fd:5)

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: interface using Linux 2.6 IPsec on 2.6.22 code (experimental code)

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): WARNING: enc alg = 0 not found in constant .c: oakley_enc_names

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): activation: Ok (ret = 0)

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): WARNING: enc alg = 0 not found in constant .c: oakley_enc_names

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_add(): ERROR: algorithm already exists

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): activation: FAILED (ret = - 17)

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): WARNING: enc alg = 0 not found in constant .c: oakley_enc_names

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_add(): ERROR: algorithm already exists

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): activation: FAILED (ret = - 17)

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): WARNING: enc alg = 0 not found in constant .c: oakley_enc_names

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_add(): ERROR: algorithm already exists

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): activation: FAILED (ret = - 17)

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): WARNING: enc alg = 0 not found in constant .c: oakley_enc_names

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_add(): ERROR: algorithm already exists

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): activation: FAILED (ret = - 17)

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): WARNING: enc alg = 0 not found in constant .c: oakley_enc_names

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_add(): ERROR: algorithm already exists

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): activation: FAILED (ret = - 17)

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: change path to the \'/etc/ipsec.d/cacerts\ directory '

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: change path to the \'/etc/ipsec.d/aacerts\ directory '

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: change path to the \'/etc/ipsec.d/ocspcerts\ directory '

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: change directory \'/etc/ipsec.d/crls\'

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: warning: empty directory

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: listen to IKE messages

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: adding the interface ppp0/ppp0 10.151.238.200:500

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: adding the interface br0/br0 10.151.238.1:500

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: adding the interface eth1: 0 / eth1: 0 127.0.0.3:500

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: interface adding vlan2/vlan2 x.x.x.x:500

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: adding the interface lo/lo 127.0.0.1:500

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: secrets of \"/tmp/ipsec_secrets/_qv.secret\ loading.

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. PFKEY 18 failed: no such file or directory

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: added connection description \"cisco\.

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #1: launch the main Mode

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #1: received vendor payload [Openswan (this version) 2.6.21] code

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #1: received vendor payload [Dead Peer Detection] code

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: forget the secrets

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: secrets of \"/tmp/ipsec_secrets/_qv.secret\ loading.

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #1: transition of State STATE_MAIN_I1 of State STATE_MAIN_I2

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #1: STATE_MAIN_I2: sent MI2, waiting for MR2

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ': termination of SAs by using this connection

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #1: removal of State (STATE_MAIN_I2)

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\": removal of connection

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: package x.x.x.x:500: message from the phase 1 part of an unknown Exchange

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: added connection description \"cisco\.

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: launch the main Mode

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: received vendor payload [Openswan (this version) 2.6.21] code

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: received vendor payload [Dead Peer Detection] code

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: transition of State STATE_MAIN_I1 of State STATE_MAIN_I2

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: STATE_MAIN_I2: sent MI2, waiting for MR2

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: transition of State STATE_MAIN_I2 of State STATE_MAIN_I3

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: STATE_MAIN_I3: sent MI3, expect MR3

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: hand mode peer ID is ID_IPV4_ADDR: \'96.2.165.2\'

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: transition of State STATE_MAIN_I3 of State STATE_MAIN_I4

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: STATE_MAIN_I4: ISAKMP Security Association established {auth = OAKLEY_PRESHARED_KEY = prf = oakley_sha group = modp1024 aes_128 encryption}

    ' 2013-07-11 16:16:13 RV110W authpriv.info pluto [6788]: \"cisco\ ' #2: STATE_MAIN_I4: ISAKMP Security Association established {auth = OAKLEY_PRESHARED_KEY = prf = oakley_sha group = modp1024 aes_128 encryption}

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: Dead Peer Detection (RFC 3706): enabled

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #3: quick launch Mode PSK + ENCRYPT + TUNNEL + TOP {using isakmp #2 msgid:6ecb39e8 = AES proposal (12) _128-SHA1 (2) _1024 pfsgroup = No. - pfs}

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #3: Dead Peer Detection (RFC 3706): enabled

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #3: transition of State STATE_QUICK_I1 of State STATE_QUICK_I2

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #3: STATE_QUICK_I2: sent QI2, Security Association established IPsec ESP tunnel {-online 0xa6393cfc mode<0x2fadc90d xfrm="AES_128-HMAC_SHA1" natoa="none" natd="none" dpd="">

    ' 2013-07-11 16:16:13 RV110W authpriv.info pluto [6788]: \"cisco\ ' #3: STATE_QUICK_I2: sent QI2, Security Association established IPsec ESP tunnel {-online 0xa6393cfc mode<0x2fadc90d xfrm="AES_128-HMAC_SHA1" natoa="none" natd="none" dpd="">

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: package x.x.x.x:500: received vendor payload [Openswan (this version) 2.6.21] code

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: package x.x.x.x:500: received vendor payload [Dead Peer Detection] code

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: meet the main Mode

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: transition of State STATE_MAIN_R0 of State STATE_MAIN_R1

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: STATE_MAIN_R1: sent MR1, expected MI2

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: transition of State STATE_MAIN_R1 of State STATE_MAIN_R2

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: STATE_MAIN_R2: sent MR2, waiting for MI3

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: hand mode peer ID is ID_IPV4_ADDR: \'96.2.165.2\'

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: transition of State STATE_MAIN_R2 of State STATE_MAIN_R3

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: STATE_MAIN_R3: sent MR3, Security Association established ISAKMP {auth = OAKLEY_PRESHARED_KEY = prf = oakley_sha group = modp1024 aes_128 encryption}

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: Dead Peer Detection (RFC 3706): enabled

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: the proposed peer: 10.151.238.0/24:0/0-> 10.151.237.0/24:0/0

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: respond to the Quick Mode proposal {msgid:0779895 d}

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: us: 10.151.238.0/24===x.x.x.x

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: them: x.x.x.x===10.151.237.0/24

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: keep refhim = 4294901761 to the course to generate a new key

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: transition of State STATE_QUICK_R0 of State STATE_QUICK_R1

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: Dead Peer Detection (RFC 3706): enabled

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: transition of State STATE_QUICK_R1 of State STATE_QUICK_R2

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: STATE_QUICK_R2: IPsec Security Association established the {-online 0xad4da835 ESP tunnel mode<0x8d260557 xfrm="AES_128-HMAC_SHA1" natoa="none" natd="none" dpd="">

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:23 RV110W authpriv.debug pluto [6788]: package x.x.x.x:500: message from the phase 1 part of an unknown Exchange

    2013-07-11 16:16:43 RV110W authpriv.debug pluto [6788]: package x.x.x.x:500: message from the phase 1 part of an unknown Exchange

    2013-07-11 16:18:49 RV110W kern.debug wl0.0: IEEE 802.11 Association request a BSSID b8:62:1f:51:b1:72 cc:af:78:60:9e:9

    2013-07-11 16:18:49 RV110W kern.info wl0.0: cc:af:78:60:9e:9 a IEEE 802.11 STA associated BSSID b8:62:1f:51:b1:72

    2013-07-11 16:18:49 RV110W daemon.info udhcpd [789]: received REQUEST from CC:AF:78:60:9E:9 A

    2013-07-11 16:18:49 RV110W daemon.info udhcpd [789]: sending acknowledgement to 10.151.238.105

    2013-07-11 16:18:52 RV110W daemon.info udhcpd [789]: INFORMATION from CC:AF:78:60:9E:9 a.

    2013-07-11 16:20:15 RV110W daemon.info udhcpd [789]: INFORMATION from CC:AF:78:60:9E:9 a.

    2013-07-11 16:23:03 RV110W daemon.info udhcpd [789]: received REQUEST for 00:01:80:5 C: 98:B9

    2013-07-11 16:23:03 RV110W daemon.info udhcpd [789]: sending acknowledgement to 10.151.238.101
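    The two logs above are consistent if you pair the ESP SPIs: site A's outbound SPI 0x2fadc90d is site B's inbound SPI and vice versa (and likewise 0x8d260557/0xad4da835), and each side shows both an initiator (I4) and a responder (R3) ISAKMP SA, i.e. both routers started IKE at the same moment. The triage script below is an added example, not code from the post or from Cisco/Openswan: it parses pluto state lines, mirrors the SPI pairs across the two sides, and flags simultaneous initiation and abandoned phase-1 states. The sample log lines are constructed in canonical pluto wording (the post's lines are machine-translated), and 198.51.100.1 is a documentation placeholder address.

```python
"""Triage of Openswan/pluto logs from both ends of a site-to-site tunnel.

Added example; the sample lines below are constructed, modelled on the
canonical pluto message formats, not copied from the forum post.
"""
import re
from dataclasses import dataclass, field

# Responder-first view of site A (constructed sample).
SITE_A_LOG = """\
"cisco" #4: responding to Main Mode
"cisco" #4: STATE_MAIN_R2: sent MR2, expecting MI3
"cisco" #5: responding to Main Mode
"cisco" #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
"cisco" #6: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x2fadc90d <0xa6393cfc xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
"cisco" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
"cisco" #7: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x8d260557 <0xad4da835 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
"cisco" #4: max number of retransmissions (2) reached STATE_MAIN_R2
"""

# Initiator-first view of site B (constructed sample).
SITE_B_LOG = """\
"cisco" #1: initiating Main Mode
"cisco" #1: STATE_MAIN_I2: sent MI2, expecting MR2
"cisco": terminating SAs using this connection
"cisco" #1: deleting state (STATE_MAIN_I2)
packet from 198.51.100.1:500: phase 1 message is part of an unknown exchange
"cisco" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
"cisco" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xa6393cfc <0x2fadc90d xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
"cisco" #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
"cisco" #5: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xad4da835 <0x8d260557 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
packet from 198.51.100.1:500: phase 1 message is part of an unknown exchange
"""

STATE_RE = re.compile(r'^"(?P<conn>[^"]+)"(?: #(?P<num>\d+))?: (?P<msg>.*)$')
SPI_RE = re.compile(r'ESP=>0x(?P<out>[0-9a-fA-F]+) <0x(?P<inb>[0-9a-fA-F]+)')
RETRANS_RE = re.compile(r'max number of retransmissions \((\d+)\) reached (\S+)')
UNKNOWN_EXCHANGE = 'phase 1 message is part of an unknown exchange'


@dataclass
class PeerSummary:
    isakmp_ok: dict = field(default_factory=dict)  # state number -> 'I' or 'R'
    ipsec_sas: list = field(default_factory=list)  # (state number, out SPI, in SPI)
    failed: dict = field(default_factory=dict)     # state number -> last state reached
    deleted: list = field(default_factory=list)    # state numbers torn down early
    stray_phase1: int = 0                          # unknown-exchange packets seen


def parse_pluto_log(text):
    """Reduce one peer's pluto log to the events that matter for tunnel triage."""
    s = PeerSummary()
    for line in text.splitlines():
        line = line.strip()
        if UNKNOWN_EXCHANGE in line:
            s.stray_phase1 += 1
            continue
        m = STATE_RE.match(line)
        if not m or m.group('num') is None:
            continue
        num, msg = int(m.group('num')), m.group('msg')
        if 'ISAKMP SA established' in msg:
            # STATE_MAIN_I4 means we initiated; STATE_MAIN_R3 means we responded.
            s.isakmp_ok[num] = 'I' if 'STATE_MAIN_I' in msg else 'R'
        elif 'IPsec SA established' in msg:
            sp = SPI_RE.search(msg)
            if sp:
                s.ipsec_sas.append((num, sp.group('out').lower(), sp.group('inb').lower()))
        elif RETRANS_RE.search(msg):
            s.failed[num] = RETRANS_RE.search(msg).group(2)
        elif msg.startswith('deleting state'):
            s.deleted.append(num)
    return s


def cross_check_spis(a, b):
    """Each IPsec SA on A must appear on B with outbound/inbound SPIs swapped."""
    b_pairs = {(out, inb) for _, out, inb in b.ipsec_sas}
    matched, unmatched = [], []
    for num, out, inb in a.ipsec_sas:
        (matched if (inb, out) in b_pairs else unmatched).append((num, out, inb))
    return matched, unmatched


def diagnose(a, b):
    """Return ordered findings; consistent SPI pairs point away from IKE as the cause."""
    findings = []
    matched, unmatched = cross_check_spis(a, b)
    if matched and not unmatched:
        findings.append('spi_pairs_consistent')   # look at routing/firewall/policy instead
    if unmatched:
        findings.append('spi_mismatch')
    if all({'I', 'R'} <= set(s.isakmp_ok.values()) for s in (a, b)):
        findings.append('simultaneous_initiation')  # both ends dialled at once: duplicate SAs
    if a.failed or b.failed:
        findings.append('abandoned_phase1_states')
    if a.stray_phase1 or b.stray_phase1:
        findings.append('stray_phase1_packets')
    return findings


if __name__ == '__main__':
    site_a, site_b = parse_pluto_log(SITE_A_LOG), parse_pluto_log(SITE_B_LOG)
    print('site A:', site_a)
    print('site B:', site_b)
    print('findings:', diagnose(site_a, site_b))
```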


    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: adding the interface br0/br0 10.151.238.1:500

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: adding the interface eth1: 0 / eth1: 0 127.0.0.3:500

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: interface adding vlan2/vlan2 x.x.x.x:500

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: adding the interface lo/lo 127.0.0.1:500

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: secrets of \"/tmp/ipsec_secrets/_qv.secret\ loading.

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. PFKEY 18 failed: no such file or directory

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: added connection description \"cisco\.

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #1: launch the main Mode

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #1: received vendor payload [Openswan (this version) 2.6.21] code

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #1: received vendor payload [Dead Peer Detection] code

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: forget the secrets

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: secrets of \"/tmp/ipsec_secrets/_qv.secret\ loading.

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #1: transition of State STATE_MAIN_I1 of State STATE_MAIN_I2

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #1: STATE_MAIN_I2: sent MI2, waiting for MR2

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ': termination of SAs by using this connection

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #1: removal of State (STATE_MAIN_I2)

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\": removal of connection

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: package x.x.x.x:500: message from the phase 1 part of an unknown Exchange

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: added connection description \"cisco\.

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: launch the main Mode

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: received vendor payload [Openswan (this version) 2.6.21] code

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: received vendor payload [Dead Peer Detection] code

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: transition of State STATE_MAIN_I1 of State STATE_MAIN_I2

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: STATE_MAIN_I2: sent MI2, waiting for MR2

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: transition of State STATE_MAIN_I2 of State STATE_MAIN_I3

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: STATE_MAIN_I3: sent MI3, expect MR3

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: hand mode peer ID is ID_IPV4_ADDR: \'96.2.165.2\'

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: transition of State STATE_MAIN_I3 of State STATE_MAIN_I4

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: STATE_MAIN_I4: ISAKMP Security Association established {auth = OAKLEY_PRESHARED_KEY = prf = oakley_sha group = modp1024 aes_128 encryption}

    ' 2013-07-11 16:16:13 RV110W authpriv.info pluto [6788]: \"cisco\ ' #2: STATE_MAIN_I4: ISAKMP Security Association established {auth = OAKLEY_PRESHARED_KEY = prf = oakley_sha group = modp1024 aes_128 encryption}

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: Dead Peer Detection (RFC 3706): enabled

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #3: quick launch Mode PSK + ENCRYPT + TUNNEL + TOP {using isakmp #2 msgid:6ecb39e8 = AES proposal (12) _128-SHA1 (2) _1024 pfsgroup = No. - pfs}

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #3: Dead Peer Detection (RFC 3706): enabled

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #3: transition of State STATE_QUICK_I1 of State STATE_QUICK_I2

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #3: STATE_QUICK_I2: sent QI2, Security Association established IPsec ESP tunnel {-online 0xa6393cfc mode<0x2fadc90d xfrm="AES_128-HMAC_SHA1" natoa="none" natd="none" dpd="">

    ' 2013-07-11 16:16:13 RV110W authpriv.info pluto [6788]: \"cisco\ ' #3: STATE_QUICK_I2: sent QI2, Security Association established IPsec ESP tunnel {-online 0xa6393cfc mode<0x2fadc90d xfrm="AES_128-HMAC_SHA1" natoa="none" natd="none" dpd="">

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: package x.x.x.x:500: received vendor payload [Openswan (this version) 2.6.21] code

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: package x.x.x.x:500: received vendor payload [Dead Peer Detection] code

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: meet the main Mode

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: transition of State STATE_MAIN_R0 of State STATE_MAIN_R1

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: STATE_MAIN_R1: sent MR1, expected MI2

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: transition of State STATE_MAIN_R1 of State STATE_MAIN_R2

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: STATE_MAIN_R2: sent MR2, waiting for MI3

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: hand mode peer ID is ID_IPV4_ADDR: '\x.x.x.x\ '.

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: transition of State STATE_MAIN_R2 of State STATE_MAIN_R3

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: STATE_MAIN_R3: sent MR3, Security Association established ISAKMP {auth = OAKLEY_PRESHARED_KEY = prf = oakley_sha group = modp1024 aes_128 encryption}

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: Dead Peer Detection (RFC 3706): enabled

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: the proposed peer: 10.151.238.0/24:0/0-> 10.151.237.0/24:0/0

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: respond to the Quick Mode proposal {msgid:0779895 d}

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: us: 10.151.238.0/24===x.x.x.x

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: them: x.x.x.x===10.151.237.0/24

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: keep refhim = 4294901761 to the course to generate a new key

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: transition of State STATE_QUICK_R0 of State STATE_QUICK_R1

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: Dead Peer Detection (RFC 3706): enabled

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: transition of State STATE_QUICK_R1 of State STATE_QUICK_R2

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: STATE_QUICK_R2: IPsec Security Association established the {-online 0xad4da835 ESP tunnel mode<0x8d260557 xfrm="AES_128-HMAC_SHA1" natoa="none" natd="none" dpd="">

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:23 RV110W authpriv.debug pluto [6788]: package x.x.x.x:500: message from the phase 1 part of an unknown Exchange

    2013-07-11 16:16:43 RV110W authpriv.debug pluto [6788]: package x.x.x.x:500: message from the phase 1 part of an unknown Exchange

    2013-07-11 16:18:49 RV110W kern.debug wl0.0: IEEE 802.11 Association request a BSSID b8:62:1f:51:b1:72 cc:af:78:60:9e:9

    2013-07-11 16:18:49 RV110W kern.info wl0.0: cc:af:78:60:9e:9 a IEEE 802.11 STA associated BSSID b8:62:1f:51:b1:72

    2013-07-11 16:18:49 RV110W daemon.info udhcpd [789]: received REQUEST from CC:AF:78:60:9E:9 A

    2013-07-11 16:18:49 RV110W daemon.info udhcpd [789]: sending acknowledgement to 10.151.238.105

    2013-07-11 16:18:52 RV110W daemon.info udhcpd [789]: INFORMATION from CC:AF:78:60:9E:9 a.

    2013-07-11 16:20:15 RV110W daemon.info udhcpd [789]: INFORMATION from CC:AF:78:60:9E:9 a.

    2013-07-11 16:23:03 RV110W daemon.info udhcpd [789]: received REQUEST for 00:01:80:5 C: 98:B9

    2013-07-11 16:23:03 RV110W daemon.info udhcpd [789]: sending acknowledgement to 10.151.238.101

    Please help if you can.

    Aaron,

    When the tunnel is up, can you ping the LAN IP of the remote router? What type of traffic are you trying to send? From which machine, and to which device?

    If you are trying to reach a PC through the tunnel, make sure there is no firewall software blocking traffic from a different LAN. PCs will often answer connections from the same network but not from a different subnet.

    Please give us more information about which devices are involved and what they are trying to do.

    -Marty
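    The pluto log above shows both halves of the negotiation on the RV110W: #2/#3 where it initiates (ISAKMP SA with AES-128, SHA-1 and modp1024, then Quick Mode with pfsgroup=no-pfs) and #4/#5 where it responds, with the selectors 10.151.238.0/24 and 10.151.237.0/24 and one ESP SA pair in each direction, followed by "Phase 1 message is part of an unknown exchange" for stale packets from the peer. Marty's first question, whether the tunnel is actually up and for which networks, is answered by exactly those lines. The script below is an added example, not code from the thread, from Cisco or from Openswan; it reads a constructed sample in the same pluto format, extracts the negotiated parameters, SPIs and selectors, and flags the two settings a reviewer would question (DH group modp1024 and no PFS). The sample lines and the weakness thresholds are my own.

```python
import re

# Constructed sample in the Openswan/pluto format posted above (not the full log).
SAMPLE_PLUTO = """\
pluto[6788]: "cisco" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
pluto[6788]: "cisco" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#2 msgid:6ecb39e8 proposal=AES(12)_128-SHA1(2)_1024 pfsgroup=no-pfs}
pluto[6788]: "cisco" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xa6393cfc <0x2fadc90d xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
pluto[6788]: "cisco" #5:   us: 10.151.238.0/24===x.x.x.x
pluto[6788]: "cisco" #5: them: x.x.x.x===10.151.237.0/24
pluto[6788]: "cisco" #5: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xad4da835 <0x8d260557 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
pluto[6788]: packet from x.x.x.x:500: Phase 1 message is part of an unknown exchange
"""

ISAKMP_RE = re.compile(r'#(\d+): STATE_MAIN_\w+: ISAKMP SA established \{([^}]*)\}')
ESP_RE = re.compile(r'#(\d+): STATE_QUICK_\w+: .*IPsec SA established (\w+) mode '
                    r'\{ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+) xfrm=(\S+)')
PFS_RE = re.compile(r'pfsgroup=(\S+)\}')
US_RE = re.compile(r'\bus:\s+(\S+)===')
THEM_RE = re.compile(r'\bthem:\s+\S+===(\S+)')
UNKNOWN = 'Phase 1 message is part of an unknown exchange'

# Parameters a reviewer would flag; these thresholds are my own, not the thread's.
WEAK_GROUPS = {'modp768', 'modp1024'}
WEAK_CIPHERS = {'3des', 'des'}


def _kv(blob):
    """'auth=X cipher=Y ...' inside the braces -> dict."""
    return dict(re.findall(r'(\w+)=(\S+)', blob))


def summarize_pluto(text):
    """Negotiated IKE/IPsec parameters, SPIs, selectors and review findings from pluto lines."""
    out = {'isakmp': None, 'ipsec_sas': [], 'selectors': (None, None),
           'pfs': None, 'unknown_exchange': 0, 'findings': []}
    us = them = None
    for line in text.splitlines():
        m = ISAKMP_RE.search(line)
        if m:
            out['isakmp'] = _kv(m.group(2))
            out['isakmp']['state'] = int(m.group(1))
            continue
        m = ESP_RE.search(line)
        if m:
            out['ipsec_sas'].append({'state': int(m.group(1)), 'mode': m.group(2),
                                     'spi_out': m.group(3), 'spi_in': m.group(4),
                                     'xfrm': m.group(5)})
            continue
        m = PFS_RE.search(line)
        if m:
            out['pfs'] = m.group(1) != 'no-pfs'
        m = US_RE.search(line)
        if m:
            us = m.group(1)
        m = THEM_RE.search(line)
        if m:
            them = m.group(1)
        if UNKNOWN in line:
            out['unknown_exchange'] += 1
    out['selectors'] = (us, them)

    ike = out['isakmp']
    if ike:
        if ike.get('group') in WEAK_GROUPS:
            out['findings'].append(
                f"IKE DH group {ike['group']} is 1024-bit or smaller; prefer modp2048 or larger")
        if ike.get('cipher', '').split('_')[0] in WEAK_CIPHERS:
            out['findings'].append(f"IKE cipher {ike['cipher']} is legacy; prefer AES")
    if out['pfs'] is False:
        out['findings'].append('Quick Mode negotiated without PFS (pfsgroup=no-pfs)')
    if out['unknown_exchange']:
        out['findings'].append(
            f"{out['unknown_exchange']} stale Phase 1 packet(s) after SA setup "
            "(peer retransmits; harmless while the SAs stay up)")
    return out


if __name__ == '__main__':
    for k, v in summarize_pluto(SAMPLE_PLUTO).items():
        print(f'{k}: {v}')
```

    Run it against a real syslog export by passing the file contents to summarize_pluto(); the two "IPsec SA established" entries with distinct SPIs and the populated selectors are what "the tunnel is up" looks like in this log, so if traffic still does not pass the problem is routing or host firewalls on either LAN, as Marty says, not the negotiation.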

  • site-to-site ipsec VPN

    Hey all, I was asked to set up a site-to-site VPN tunnel between 2 offices. I think I have everything configured correctly for the most part, but when I generate interesting traffic the tunnel does not come up. Can you tell me from the debug output below what the problem could be? aaa.aaa.aaa.aaa is my IP address and bbb.bbb.bbb.bbb is my peer's IP address.

    ROUTER#
    *Feb 27 14:41:30.677: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= aaa.aaa.aaa.aaa:500, remote= bbb.bbb.bbb.bbb:500,
        local_proxy= 172.18.230.0/255.255.255.0/0/0 (type=4),
        remote_proxy= 192.168.230.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
        lifedur= 86400s and 4608000kb,
        spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
    *Feb 27 14:41:30.677: ISAKMP: local port 500, remote port 500
    *Feb 27 14:41:30.677: ISAKMP: set new node 0 to QM_IDLE
    *Feb 27 14:41:30.677: ISAKMP:(0):insert sa successfully sa = 4BA8CE24
    *Feb 27 14:41:30.677: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    *Feb 27 14:41:30.677: ISAKMP:(0):found peer pre-shared key matching bbb.bbb.bbb.bbb
    *Feb 27 14:41:30.677: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    *Feb 27 14:41:30.677: ISAKMP:(0): constructed NAT-T vendor-07 ID
    *Feb 27 14:41:30.677: ISAKMP:(0): constructed NAT-T vendor-03 ID
    *Feb 27 14:41:30.677: ISAKMP:(0): constructed NAT-T vendor-02 ID
    *Feb 27 14:41:30.677: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    *Feb 27 14:41:30.677: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    *Feb 27 14:41:30.677: ISAKMP:(0): beginning Main Mode exchange
    *Feb 27 14:41:30.677: ISAKMP:(0): sending packet to bbb.bbb.bbb.bbb my_port 500 peer_port 500 (I) MM_NO_STATE
    *Feb 27 14:41:30.677: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Feb 27 14:41:30.713: ISAKMP (0): received packet from bbb.bbb.bbb.bbb dport 500 sport 500 Global (I) MM_NO_STATE
    *Feb 27 14:41:30.713: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Feb 27 14:41:30.713: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    *Feb 27 14:41:30.713: ISAKMP:(0): processing SA payload. message ID = 0
    *Feb 27 14:41:30.713: ISAKMP:(0): processing vendor id payload
    *Feb 27 14:41:30.713: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Feb 27 14:41:30.713: ISAKMP:(0): vendor ID is NAT-T v2
    *Feb 27 14:41:30.713: ISAKMP:(0): processing vendor id payload
    *Feb 27 14:41:30.713: ISAKMP:(0): processing IKE frag vendor id payload
    *Feb 27 14:41:30.717: ISAKMP:(0):Support for IKE Fragmentation not enabled
    *Feb 27 14:41:30.717: ISAKMP:(0):found peer pre-shared key matching bbb.bbb.bbb.bbb
    *Feb 27 14:41:30.717: ISAKMP:(0): local preshared key found
    *Feb 27 14:41:30.717: ISAKMP:(0): Authentication by xauth preshared
    *Feb 27 14:41:30.717: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
    *Feb 27 14:41:30.717: ISAKMP:      encryption 3DES-CBC
    *Feb 27 14:41:30.717: ISAKMP:      hash SHA
    *Feb 27 14:41:30.717: ISAKMP:      default group 2
    *Feb 27 14:41:30.717: ISAKMP:      auth pre-share
    *Feb 27 14:41:30.717: ISAKMP:      life type in seconds
    *Feb 27 14:41:30.717: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    *Feb 27 14:41:30.717: ISAKMP:(0):Hash algorithm offered does not match policy!
    *Feb 27 14:41:30.717: ISAKMP:(0):atts are not acceptable. Next payload is 0
    *Feb 27 14:41:30.717: ISAKMP:(0):Checking ISAKMP transform 3 against priority 15 policy
    *Feb 27 14:41:30.717: ISAKMP:      encryption 3DES-CBC
    *Feb 27 14:41:30.717: ISAKMP:      hash SHA
    *Feb 27 14:41:30.717: ISAKMP:      default group 2
    *Feb 27 14:41:30.717: ISAKMP:      auth pre-share
    *Feb 27 14:41:30.717: ISAKMP:      life type in seconds
    *Feb 27 14:41:30.717: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    *Feb 27 14:41:30.717: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Feb 27 14:41:30.717: ISAKMP:(0):atts are not acceptable. Next payload is 0
    *Feb 27 14:41:30.717: ISAKMP:(0):Checking ISAKMP transform 3 against priority 20 policy
    *Feb 27 14:41:30.717: ISAKMP:      encryption 3DES-CBC
    *Feb 27 14:41:30.717: ISAKMP:      hash SHA
    *Feb 27 14:41:30.717: ISAKMP:      default group 2
    *Feb 27 14:41:30.717: ISAKMP:      auth pre-share
    *Feb 27 14:41:30.717: ISAKMP:      life type in seconds
    *Feb 27 14:41:30.717: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    *Feb 27 14:41:30.717: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Feb 27 14:41:30.717: ISAKMP:(0):Acceptable atts:actual life: 0
    *Feb 27 14:41:30.717: ISAKMP:(0):Acceptable atts:life: 0
    *Feb 27 14:41:30.717: ISAKMP:(0):Fill atts in sa vpi_length:4
    *Feb 27 14:41:30.717: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    *Feb 27 14:41:30.717: ISAKMP:(0):Returning Actual lifetime: 86400
    *Feb 27 14:41:30.717: ISAKMP:(0)::Started lifetime timer: 86400.
    *Feb 27 14:41:30.717: ISAKMP:(0): processing vendor id payload
    *Feb 27 14:41:30.717: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Feb 27 14:41:30.717: ISAKMP:(0): vendor ID is NAT-T v2
    *Feb 27 14:41:30.717: ISAKMP:(0): processing vendor id payload
    *Feb 27 14:41:30.717: ISAKMP:(0): processing IKE frag vendor id payload
    *Feb 27 14:41:30.717: ISAKMP:(0):Support for IKE Fragmentation not enabled
    *Feb 27 14:41:30.717: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Feb 27 14:41:30.717: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    *Feb 27 14:41:30.717: ISAKMP:(0): sending packet to bbb.bbb.bbb.bbb my_port 500 peer_port 500 (I) MM_SA_SETUP
    *Feb 27 14:41:30.717: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Feb 27 14:41:30.721: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Feb 27 14:41:30.721: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    *Feb 27 14:41:30.753: ISAKMP (0): received packet from bbb.bbb.bbb.bbb dport 500 sport 500 Global (I) MM_SA_SETUP
    *Feb 27 14:41:30.753: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Feb 27 14:41:30.753: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    *Feb 27 14:41:30.757: ISAKMP:(0): processing KE payload. message ID = 0
    *Feb 27 14:41:30.789: ISAKMP:(0): processing NONCE payload. message ID = 0
    *Feb 27 14:41:30.789: ISAKMP:(0):found peer pre-shared key matching bbb.bbb.bbb.bbb
    *Feb 27 14:41:30.789: ISAKMP:(1640): processing vendor id payload
    *Feb 27 14:41:30.789: ISAKMP:(1640): vendor ID is Unity
    *Feb 27 14:41:30.789: ISAKMP:(1640): processing vendor id payload
    *Feb 27 14:41:30.789: ISAKMP:(1640): vendor ID seems Unity/DPD but major 193 mismatch
    *Feb 27 14:41:30.789: ISAKMP:(1640): vendor ID is XAUTH
    *Feb 27 14:41:30.789: ISAKMP:(1640): processing vendor id payload
    *Feb 27 14:41:30.789: ISAKMP:(1640): speaking to another IOS box!
    *Feb 27 14:41:30.789: ISAKMP:(1640): processing vendor id payload
    *Feb 27 14:41:30.789: ISAKMP:(1640): vendor ID seems Unity/DPD but hash mismatch
    *Feb 27 14:41:30.789: ISAKMP:received payload type 20
    *Feb 27 14:41:30.789: ISAKMP (1640): His hash no match - this node outside NAT
    *Feb 27 14:41:30.789: ISAKMP:received payload type 20
    *Feb 27 14:41:30.789: ISAKMP (1640): No NAT Found for self or peer
    *Feb 27 14:41:30.789: ISAKMP:(1640):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Feb 27 14:41:30.789: ISAKMP:(1640):Old State = IKE_I_MM4  New State = IKE_I_MM4
    *Feb 27 14:41:30.789: ISAKMP:(1640):Send initial contact
    *Feb 27 14:41:30.789: ISAKMP:(1640):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    *Feb 27 14:41:30.789: ISAKMP (1640): ID payload
            next-payload : 8
            type         : 1
            address      : aaa.aaa.aaa.aaa
            protocol     : 17
            port         : 500
            length       : 12
    *Feb 27 14:41:30.789: ISAKMP:(1640):Total payload length: 12
    *Feb 27 14:41:30.789: ISAKMP:(1640): sending packet to bbb.bbb.bbb.bbb my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Feb 27 14:41:30.789: ISAKMP:(1640):Sending an IKE IPv4 Packet.
    *Feb 27 14:41:30.793: ISAKMP:(1640):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Feb 27 14:41:30.793: ISAKMP:(1640):Old State = IKE_I_MM4  New State = IKE_I_MM5
    *Feb 27 14:41:30.825: ISAKMP (1640): received packet from bbb.bbb.bbb.bbb dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Feb 27 14:41:30.825: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from bbb.bbb.bbb.bbb was not encrypted and it should've been.
    *Feb 27 14:41:30.825: ISAKMP (1640): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
    *Feb 27 14:41:31.825: ISAKMP:(1640): retransmitting phase 1 MM_KEY_EXCH...
    *Feb 27 14:41:31.825: ISAKMP (1640): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
    *Feb 27 14:41:31.825: ISAKMP:(1640): retransmitting phase 1 MM_KEY_EXCH
    *Feb 27 14:41:31.825: ISAKMP:(1640): sending packet to bbb.bbb.bbb.bbb my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Feb 27 14:41:31.825: ISAKMP:(1640):Sending an IKE IPv4 Packet.
    *Feb 27 14:41:31.857: ISAKMP (1640): received packet from bbb.bbb.bbb.bbb dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Feb 27 14:41:31.857: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from bbb.bbb.bbb.bbb was not encrypted and it should've been.
    *Feb 27 14:41:31.857: ISAKMP (1640): incrementing error counter on sa, attempt 3 of 5: reset_retransmission
    *Feb 27 14:41:32.857: ISAKMP:(1640): retransmitting phase 1 MM_KEY_EXCH...
    *Feb 27 14:41:32.857: ISAKMP (1640): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    *Feb 27 14:41:32.857: ISAKMP:(1640): retransmitting phase 1 MM_KEY_EXCH
    *Feb 27 14:41:32.857: ISAKMP:(1640): sending packet to bbb.bbb.bbb.bbb my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Feb 27 14:41:32.857: ISAKMP:(1640):Sending an IKE IPv4 Packet.
    *Feb 27 14:41:32.889: ISAKMP (1640): received packet from bbb.bbb.bbb.bbb dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Feb 27 14:41:32.889: ISAKMP:(1640): phase 1 packet is a duplicate of a previous packet.
    *Feb 27 14:41:32.889: ISAKMP:(1640): retransmission skipped for phase 1 (time since last transmission 32)
    ROUTER#u all
    Crypto conditional debugging is off.
    All possible debugging has been turned off
    *Feb 27 14:42:00.821: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from bbb.bbb.bbb.bbb was not encrypted and it should've been.
    *Feb 27 14:42:01.853: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from bbb.bbb.bbb.bbb was not encrypted and it should've been.

    Thank you all

    Does that help?

    https://supportforums.Cisco.com/docs/doc-4059
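    Two things are visible in that debug. First, the peer's single proposal (3DES-CBC, SHA, group 2, pre-share) is checked against the local ISAKMP policies in priority order: 10 fails on the hash, 15 fails on the encryption algorithm, 20 accepts it, so Phase 1 parameters are fine (legacy, but fine). Second, after this router sends MM5 (its ID and hash, the first encrypted Main Mode message) the peer answers in the clear, hence %CRYPTO-6-IKMP_NOT_ENCRYPTED and the retransmit loop; on IOS that most often means the peer could not authenticate this router, so the pre-shared key and the ISAKMP identity configured on bbb.bbb.bbb.bbb are the first things to check. The script below is an added example, not code from the thread or from Cisco: it parses a constructed excerpt in the same 'debug crypto isakmp' format, records each policy verdict and classifies how far Main Mode got. The excerpt, the function names and the verdict labels are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the IOS 'debug crypto isakmp' format posted above (not the full trace).
SAMPLE_DEBUG = """\
*Feb 27 14:41:30.677: ISAKMP:(0): sending packet to bbb.bbb.bbb.bbb my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb 27 14:41:30.717: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Feb 27 14:41:30.717: ISAKMP:      encryption 3DES-CBC
*Feb 27 14:41:30.717: ISAKMP:      hash SHA
*Feb 27 14:41:30.717: ISAKMP:      default group 2
*Feb 27 14:41:30.717: ISAKMP:      auth pre-share
*Feb 27 14:41:30.717: ISAKMP:      life type in seconds
*Feb 27 14:41:30.717: ISAKMP:(0):Hash algorithm offered does not match policy!
*Feb 27 14:41:30.717: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Feb 27 14:41:30.717: ISAKMP:(0):Checking ISAKMP transform 3 against priority 15 policy
*Feb 27 14:41:30.717: ISAKMP:      encryption 3DES-CBC
*Feb 27 14:41:30.717: ISAKMP:      hash SHA
*Feb 27 14:41:30.717: ISAKMP:      default group 2
*Feb 27 14:41:30.717: ISAKMP:      auth pre-share
*Feb 27 14:41:30.717: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Feb 27 14:41:30.717: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Feb 27 14:41:30.717: ISAKMP:(0):Checking ISAKMP transform 3 against priority 20 policy
*Feb 27 14:41:30.717: ISAKMP:      encryption 3DES-CBC
*Feb 27 14:41:30.717: ISAKMP:      hash SHA
*Feb 27 14:41:30.717: ISAKMP:      default group 2
*Feb 27 14:41:30.717: ISAKMP:      auth pre-share
*Feb 27 14:41:30.717: ISAKMP:(0):atts are acceptable. Next payload is 0
*Feb 27 14:41:30.717: ISAKMP:(0): sending packet to bbb.bbb.bbb.bbb my_port 500 peer_port 500 (I) MM_SA_SETUP
*Feb 27 14:41:30.789: ISAKMP:(1640): sending packet to bbb.bbb.bbb.bbb my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Feb 27 14:41:30.825: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from bbb.bbb.bbb.bbb was not encrypted and it should've been.
*Feb 27 14:41:31.825: ISAKMP:(1640): retransmitting phase 1 MM_KEY_EXCH...
*Feb 27 14:41:31.857: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from bbb.bbb.bbb.bbb was not encrypted and it should've been.
*Feb 27 14:41:32.857: ISAKMP:(1640): retransmitting phase 1 MM_KEY_EXCH...
"""

CHECK_RE = re.compile(r'Checking ISAKMP transform (\d+) against priority (\d+) policy')
ATTR_RE = re.compile(r'ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)')
REJECT_RE = re.compile(r'\):([A-Za-z ]+?) offered does not match policy')
VERDICT_RE = re.compile(r'atts are (not )?acceptable')
SEND_RE = re.compile(r'sending packet to (\S+) .*\((I|R)\) (\w+)')


@dataclass
class PolicyCheck:
    priority: int
    transform: int
    offered: dict = field(default_factory=dict)   # attributes the peer proposed
    accepted: bool = False
    reason: str = ''                               # attribute the router rejected, if any


def parse_policy_checks(text):
    """One PolicyCheck per 'Checking ISAKMP transform N against priority P policy' block."""
    checks, cur = [], None
    for line in text.splitlines():
        m = CHECK_RE.search(line)
        if m:
            cur = PolicyCheck(priority=int(m.group(2)), transform=int(m.group(1)))
            checks.append(cur)
            continue
        if cur is None:
            continue
        m = ATTR_RE.search(line)
        if m:
            cur.offered[m.group(1)] = m.group(2)
            continue
        m = REJECT_RE.search(line)
        if m:
            cur.reason = m.group(1)
            continue
        m = VERDICT_RE.search(line)
        if m:
            cur.accepted = m.group(1) is None
            cur = None   # the verdict line closes the block
    return checks


def classify_phase1(text):
    """Summarize how far Main Mode got and why it stopped."""
    checks = parse_policy_checks(text)
    matched = next((c for c in checks if c.accepted), None)
    last_sent, not_encrypted, retransmits = None, 0, 0
    for line in text.splitlines():
        m = SEND_RE.search(line)
        if m:
            last_sent = m.group(3)
        if '%CRYPTO-6-IKMP_NOT_ENCRYPTED' in line:
            not_encrypted += 1
        if 'retransmitting phase 1' in line:
            retransmits += 1
    if not checks:
        verdict = 'no-phase1-data'
    elif matched is None:
        verdict = 'phase1-proposal-mismatch'
    elif not_encrypted and last_sent == 'MM_KEY_EXCH':
        # We sent MM5 (ID + hash, encrypted) and the peer answered in the clear:
        # it could not process our authentication. Check PSK and identity on the peer.
        verdict = 'phase1-auth-failed-at-MM5'
    elif retransmits:
        verdict = 'phase1-no-response'
    else:
        verdict = 'phase1-ok'
    return {
        'matched_policy': matched.priority if matched else None,
        'rejected': {c.priority: c.reason for c in checks if not c.accepted},
        'last_state_sent': last_sent,
        'not_encrypted': not_encrypted,
        'retransmits': retransmits,
        'verdict': verdict,
    }


if __name__ == '__main__':
    print(classify_phase1(SAMPLE_DEBUG))
```

    The 'rejected' map tells you which local policy lost on which attribute, which is the quickest way to spot a real proposal mismatch; the 'verdict' distinguishes that case from the one in this thread, where the proposal was accepted and the failure is on the authentication step.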

  • Problem with IPsec VPN client connecting to PIX

    PIX# Sep 17 14:58:51 [IKEv1 DEBUG]: IP = Y, IKE Peer included IKE fragmentation capability flags:  Main Mode: True  Aggressive Mode: False
    Sep 17 14:58:51 [IKEv1]: IP = Y, Connection landed on tunnel_group X
    Sep 17 14:58:51 [IKEv1 DEBUG]: Group = X, IP = Y, IKE SA Proposal # 1, Transform # 13 acceptable  Matches global IKE entry # 1
    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, User (X) authenticated.
    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Received unsupported transaction mode attribute: 5
    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Client Type: WinNT  Client Application Version: 5.0.06.0160
    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Assigned private IP address 10.0.1.7 to remote user
    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, PHASE 1 COMPLETED
    Sep 17 14:58:58 [IKEv1]: IP = Y, Keep-alive type for this connection: DPD
    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, Starting P1 rekey timer: 6840 seconds.
    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Received remote Proxy Host data in ID Payload:  Address 10.0.1.7, Protocol 0, Port 0
    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Received local IP Proxy Subnet data in ID Payload:   Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, QM IsRekeyed old sa not found by addr
    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, IKE Remote Peer configured for crypto map: outside_dyn_map
    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, processing IPSec SA payload
    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, IPSec SA Proposal # 14, Transform # 1 acceptable  Matches global IPSec SA entry # 20
    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, IKE: requesting SPI!
    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Overriding Initiator's IPSec rekeying duration from 2147483 to 7200 seconds
    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, Transmitting Proxy Id:
      Remote host: 10.0.1.7  Protocol 0  Port 0
      Local subnet:  0.0.0.0  mask 0.0.0.0 Protocol 0  Port 0
    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, Sending RESPONDER LIFETIME notification to Initiator
    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Security negotiation complete for User (slalanne)  Responder, Inbound SPI = 0x6044adb5, Outbound SPI = 0xcd82f95e
    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, Starting P2 rekey timer: 6840 seconds.
    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Adding static route for client address: 10.0.1.7
    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, PHASE 2 COMPLETED (msgid=c4d80320)
    PIX# Sep 17 14:59:40 [IKEv1]: Group = X, Username = X, IP = Y, Connection terminated for peer X.  Reason: Peer Terminate  Remote Proxy 10.0.1.7, Local Proxy 0.0.0.0
    Sep 17 14:59:40 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, IKE Deleting SA: Remote Proxy 10.0.1.7, Local Proxy 0.0.0.0
    Sep 17 14:59:40 [IKEv1]: IP = Y, Received encrypted packet with no matching SA, dropping

    The IPsec debugs are normal as well.

    Now this user disconnects and other clients connect normally. When the first user tries to connect to the site again, here is the difference in the debug:

    Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.0.1.8/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
    Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y, QM FSM error (P2 struct &0x2a5fd68, mess id 0x16b59315)!
    Sep 17 14:25:22 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, IKE QM Responder FSM error history (struct &0x2a5fd68)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
    Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y, Removing peer from correlator table failed, no match!
    Sep 17 14:25:22 [IKEv1]: IP = Y, Received encrypted packet with no matching SA, dropping

    Here is the VPN config... and I don't see what the problem is:

    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
    crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 7200
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp identity hostname
    crypto isakmp enable outside
    crypto isakmp policy 20
     authentication pre-share
     encryption des
     hash md5
     group 2
     lifetime 7200
    crypto isakmp policy 65535
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400

    access-list outside_cryptomap_dyn_20 extended permit ip any 10.0.1.0 255.255.255.248

    tunnel-group DefaultRAGroup general-attributes
     authentication-server-group (outside) LOCAL
    tunnel-group X type ipsec-ra
    tunnel-group X general-attributes
     address-pool addresses
     authentication-server-group (outside) LOCAL
     default-group-policy X
    tunnel-group X ipsec-attributes
     pre-shared-key *
    prompt hostname context

    ip local pool addresses 10.0.1.6-10.0.1.40 mask 255.255.255.0

    Please remove the ACL from the dynamic crypto map; it causes odd behavior.

    Try using a split-tunnel ACL instead of the ACL in the dynamic crypto map, and let me know how it goes.
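    The two captures differ only in the client address: 10.0.1.7 negotiated Phase 2, while 10.0.1.8 was rejected with "no matching crypto map entry for remote proxy 10.0.1.8/255.255.255.255". That is consistent with the config posted: the ACL bound to the dynamic map, outside_cryptomap_dyn_20, permits 10.0.1.0 255.255.255.248, a /29 that ends at 10.0.1.7, while the pool hands out 10.0.1.6 through 10.0.1.40, so every client after the first two lands on an address the crypto ACL never matches. Dropping the match-address line from the dynamic map, as advised, removes that constraint; a split-tunnel ACL in the group policy then decides what the client routes through the tunnel. As an added example, not code from the thread or from Cisco, the script below reads the posted ACL, pool and rejection line and computes which pool addresses the ACL will never match; the parsing helpers and their names are mine, and they handle only the simple 'permit ip <src> <net> <mask>' form used here.

```python
import re
import ipaddress

# Constructed from the config lines and the rejection message posted in this thread.
CRYPTO_ACL = 'access-list outside_cryptomap_dyn_20 extended permit ip any 10.0.1.0 255.255.255.248'
ADDRESS_POOL = 'ip local pool addresses 10.0.1.6-10.0.1.40 mask 255.255.255.0'
REJECT_LINE = ('Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y, Rejecting IPSec tunnel: '
               'no matching crypto map entry for remote proxy 10.0.1.8/255.255.255.255/0/0 '
               'local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside')

IPV4 = r'(\d{1,3}(?:\.\d{1,3}){3})'


def acl_remote_proxy(acl_line):
    """Destination of a crypto ACE 'permit ip <local> <remote> <mask>': the remote proxy it accepts."""
    m = re.search(r'permit ip \S+ ' + IPV4 + r' ' + IPV4 + r'\s*$', acl_line)
    if not m:
        raise ValueError('not a simple permit ip ACE: ' + acl_line)
    return ipaddress.ip_network(f'{m.group(1)}/{m.group(2)}', strict=False)


def pool_addresses(pool_line):
    """Every address an 'ip local pool' line can assign to a client."""
    m = re.search(r'ip local pool \S+ ' + IPV4 + r'-' + IPV4, pool_line)
    if not m:
        raise ValueError('not an ip local pool line: ' + pool_line)
    first, last = (int(ipaddress.ip_address(g)) for g in m.groups())
    return [ipaddress.ip_address(i) for i in range(first, last + 1)]


def rejected_remote_proxy(log_line):
    """The remote proxy (client /32) named in a 'Rejecting IPSec tunnel' line, or None."""
    m = re.search(r'remote proxy ' + IPV4 + '/' + IPV4, log_line)
    return ipaddress.ip_network(f'{m.group(1)}/{m.group(2)}', strict=False) if m else None


def uncovered_pool_addresses(acl_line, pool_line):
    """Pool addresses the crypto ACL never matches: clients landing there get the rejection above."""
    remote = acl_remote_proxy(acl_line)
    return [str(a) for a in pool_addresses(pool_line) if a not in remote]


def explain_rejection(log_line, acl_line, pool_line):
    """Tie a rejection line back to the ACL/pool mismatch that produced it."""
    proxy = rejected_remote_proxy(log_line)
    remote = acl_remote_proxy(acl_line)
    uncovered = uncovered_pool_addresses(acl_line, pool_line)
    return {
        'rejected_proxy': str(proxy),
        'acl_remote_proxy': str(remote),
        'proxy_in_acl': proxy is not None and proxy.subnet_of(remote),
        'pool_covered': len(pool_addresses(pool_line)) - len(uncovered),
        'pool_uncovered': len(uncovered),
        'first_uncovered': uncovered[0] if uncovered else None,
    }


if __name__ == '__main__':
    for k, v in explain_rejection(REJECT_LINE, CRYPTO_ACL, ADDRESS_POOL).items():
        print(f'{k}: {v}')
```

    On this config the result is two covered pool addresses (10.0.1.6 and 10.0.1.7) and thirty-three that can never match, starting at the very address in the rejection message. While editing that part of the config it is also worth replacing ESP-DES-MD5 and the des/md5 ISAKMP policy 20 with AES and SHA; single DES and MD5 are not acceptable for a production remote-access VPN.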

  • 8.2 ASA failure phase2 ike ipsec

    I used the wizard to access remote vpn, IPSEC on an ASA 5510 security + running os version 8.2.

    Group: adminsbbs

    User: adminuser

    When connecting using the client, it says «fixing communications...» "and then it flashes and it is disconnected. Hoping the following debug output to help you will help me, so I didn't enter the config.

    What seems to be the cause of failure of the phase 2 of IKE?

    Since the ASA device:

    asa01# Dec 29 18:54:16 [IKEv1 DEBUG]: IP = 3.4.249.124, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
    Dec 29 18:54:16 [IKEv1]: IP = 3.4.249.124, Connection landed on tunnel_group adminsbbs
    Dec 29 18:54:16 [IKEv1 DEBUG]: Group = adminsbbs, IP = 3.4.249.124, IKE SA Proposal # 1, Transform # 10 acceptable Matches global IKE entry # 1
    Dec 29 18:54:16 [IKEv1]: Group = adminsbbs, IP = 3.4.249.124, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
    Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, User (adminuser) authenticated.
    Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Received unsupported transaction mode attribute: 5
    Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Client Type: Mac OS X Client Application Version: 4.9.01 (0100)
    Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Assigned private IP address 172.16.20.1 to remote user
    Dec 29 18:54:26 [IKEv1 DEBUG]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
    Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, PHASE 1 COMPLETED
    Dec 29 18:54:26 [IKEv1]: IP = 3.4.249.124, Keep-alive type for this connection: DPD
    Dec 29 18:54:26 [IKEv1 DEBUG]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Starting P1 rekey timer: 82080 seconds.
    Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Received remote Proxy Host data in ID Payload: Address 172.16.20.1, Protocol 0, Port 0
    Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
    Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, QM IsRekeyed old sa not found by addr
    Dec 29 18:54:26 [IKEv1 DEBUG]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
    Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, IKE Remote Peer configured for crypto map: outside_dyn_map
    Dec 29 18:54:26 [IKEv1 DEBUG]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, processing IPSec SA payload
    Dec 29 18:54:26 [IKEv1]: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport
    Dec 29 18:54:26 [IKEv1]: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport
    Dec 29 18:54:26 [IKEv1]: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport
    Dec 29 18:54:26 [IKEv1]: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport
    Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, All IPSec SA proposals found unacceptable!
    Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, QM FSM error (P2 struct &0xcca2f140, mess id 0x374db953)!
    Dec 29 18:54:26 [IKEv1 DEBUG]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, IKE QM Responder FSM error history (struct &0xcca2f140) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
    Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Removing peer from correlator table failed, no match!
    Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Session is being torn down. Reason: Phase 2
    Dec 29 18:54:26 [IKEv1]: Ignoring msg to mark SA with dsID 102400 dead because SA deleted
    Dec 29 18:54:26 [IKEv1]: IP = 3.4.249.124, Received encrypted packet with no matching SA, dropping

    From the client:

    Cisco Systems VPN Client Version 4.9.01 (0100)
    Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Mac OS X
    Running on: Darwin 10.5.0 Darwin Kernel Version 10.5.0: Fri Nov 5 23:20:39 PDT 2010; root:xnu-1504.9.17~1/RELEASE_I386 i386

    365    19:09:13.384  29/12/2010  Sev=Info/4  CM/0x43100002
    Begin connection process
    366    19:09:13.385  29/12/2010  Sev=Warning/2  CVPND/0x83400011
    Error -28 sending packet. Dst Addr: 0xAC10D5FF, Src Addr: 0xAC10D501 (DRVIFACE:1158).
    367    19:09:13.385  29/12/2010  Sev=Warning/2  CVPND/0x83400011
    Error -28 sending packet. Dst Addr: 0xAC107FFF, Src Addr: 0xAC107F01 (DRVIFACE:1158).
    368    19:09:13.385  29/12/2010  Sev=Info/4  CM/0x43100004
    Establish connection using Ethernet
    369    19:09:13.385  29/12/2010  Sev=Info/4  CM/0x43100024
    Attempt connection with server "1.2.0.14".
    370    19:09:13.385  29/12/2010  Sev=Info/4  CVPND/0x43400019
    Privilege Separation: binding to port: (500).
    371    19:09:13.387  29/12/2010  Sev=Info/4  CVPND/0x43400019
    Privilege Separation: binding to port: (4500).
    372    19:09:13.387  29/12/2010  Sev=Info/6  IKE/0x4300003B
    Attempting to establish a connection with 1.2.0.14.
    373    19:09:13.471  29/12/2010  Sev=Info/4  IKE/0x43000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 1.2.0.14
    374    19:09:13.538  29/12/2010  Sev=Info/5  IKE/0x4300002F
    Received ISAKMP packet: peer = 1.2.0.14
    375    19:09:13.538  29/12/2010  Sev=Info/4  IKE/0x43000014
    RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 1.2.0.14
    376    19:09:13.538  29/12/2010  Sev=Info/5  IKE/0x43000001
    Peer is a Cisco-Unity compliant peer
    377    19:09:13.538  29/12/2010  Sev=Info/5  IKE/0x43000001
    Peer supports XAUTH
    378    19:09:13.539  29/12/2010  Sev=Info/5  IKE/0x43000001
    Peer supports DPD
    379    19:09:13.539  29/12/2010  Sev=Info/5  IKE/0x43000001
    Peer supports NAT-T
    380    19:09:13.539  29/12/2010  Sev=Info/5  IKE/0x43000001
    Peer supports IKE fragmentation payloads
    381    19:09:13.622  29/12/2010  Sev=Info/6  IKE/0x43000001
    IOS Vendor ID Contruction successful
    382    19:09:13.622  29/12/2010  Sev=Info/4  IKE/0x43000013
    SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 1.2.0.14
    383    19:09:13.623  29/12/2010  Sev=Info/6  IKE/0x43000055
    Sent a keepalive on the IPSec SA
    384    19:09:13.623  29/12/2010  Sev=Info/4  IKE/0x43000083
    IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194
    385    19:09:13.623  29/12/2010  Sev=Info/5  IKE/0x43000072
    Automatic NAT Detection Status:
       Remote end is NOT behind a NAT device
       This   end IS behind a NAT device
    386    19:09:13.623  29/12/2010  Sev=Info/4  CM/0x4310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
    387    19:09:13.639  29/12/2010  Sev=Info/5  IKE/0x4300002F
    Received ISAKMP packet: peer = 1.2.0.14
    388    19:09:13.639  29/12/2010  Sev=Info/4  IKE/0x43000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 1.2.0.14
    389    19:09:13.639  29/12/2010  Sev=Info/4  CM/0x43100015
    Launch xAuth application
    390    19:09:13.825  29/12/2010  Sev=Info/4  IPSEC/0x43700008
    IPSec driver successfully started
    391    19:09:13.825  29/12/2010  Sev=Info/4  IPSEC/0x43700014
    Delete all keys
    392    19:09:16.465  29/12/2010  Sev=Info/4  CM/0x43100017
    xAuth application returned
    393    19:09:16.465  29/12/2010  Sev=Info/4  IKE/0x43000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 1.2.0.14
    394    19:09:16.480  29/12/2010  Sev=Info/5  IKE/0x4300002F
    Received ISAKMP packet: peer = 1.2.0.14
    395    19:09:16.480  29/12/2010  Sev=Info/4  IKE/0x43000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 1.2.0.14
    396    19:09:16.481  29/12/2010  Sev=Info/4  IKE/0x43000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 1.2.0.14
    397    19:09:16.481  29/12/2010  Sev=Info/4  CM/0x4310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
    398    19:09:16.482  29/12/2010  Sev=Info/4  IKE/0x43000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 1.2.0.14
    399    19:09:16.498  29/12/2010  Sev=Info/5  IKE/0x4300002F
    Received ISAKMP packet: peer = 1.2.0.14
    400    19:09:16.498  29/12/2010  Sev=Info/4  IKE/0x43000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 1.2.0.14
    401    19:09:16.498  29/12/2010  Sev=Info/5  IKE/0x43000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 172.16.20.1
    402    19:09:16.498  29/12/2010  Sev=Info/5  IKE/0x43000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
    403    19:09:16.498  29/12/2010  Sev=Info/5  IKE/0x43000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 1.2.2.2
    404    19:09:16.498  29/12/2010  Sev=Info/5  IKE/0x43000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 1.2.2.22
    405    19:09:16.498  29/12/2010  Sev=Info/5  IKE/0x4300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
    406    19:09:16.498  29/12/2010  Sev=Info/5  IKE/0x4300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000003
    407    19:09:16.498  29/12/2010  Sev=Info/5  IKE/0x4300000F
    SPLIT_NET #1
       subnet = 10.10.10.0
       mask = 255.255.255.0
       protocol = 0
       src port = 0
       dest port = 0
    408    19:09:16.498  29/12/2010  Sev=Info/5  IKE/0x4300000F
    SPLIT_NET #2
       subnet = 1.2.31.0
       mask = 255.255.255.0
       protocol = 0
       src port = 0
       dest port = 0
    409    19:09:16.498  29/12/2010  Sev=Info/5  IKE/0x4300000F
    SPLIT_NET #3
       subnet = 1.2.8.0
       mask = 255.255.255.0
       protocol = 0
       src port = 0
       dest port = 0
    410    19:09:16.498  29/12/2010  Sev=Info/5  IKE/0x4300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
    411    19:09:16.499  29/12/2010  Sev=Info/5  IKE/0x4300000E
    MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5510 Version 8.2(2) built by builders on Tue 11-Jan-10 14:19
    412    19:09:16.499  29/12/2010  Sev=Info/5  IKE/0x4300000D
    MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
    413    19:09:16.499  29/12/2010  Sev=Info/4  CM/0x43100019
    Mode Config data received
    414    19:09:16.500  29/12/2010  Sev=Info/4  IKE/0x43000056
    Received a key request from Driver: Local IP = 192.168.0.103, GW IP = 1.2.0.14, Remote IP = 0.0.0.0
    415    19:09:16.500  29/12/2010  Sev=Info/4  IKE/0x43000013
    SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 1.2.0.14
    416    19:09:16.517  29/12/2010  Sev=Info/5  IKE/0x4300002F
    Received ISAKMP packet: peer = 1.2.0.14
    417    19:09:16.517  29/12/2010  Sev=Info/4  IKE/0x43000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 1.2.0.14
    418    19:09:16.517  29/12/2010  Sev=Info/5  IKE/0x43000045
    Responder lifetime notify has value of 86400 seconds
    419    19:09:16.517  29/12/2010  Sev=Info/5  IKE/0x43000047
    This SA has already been alive for 3 seconds, setting expiry to 86397 seconds from now
    420    19:09:16.518  29/12/2010  Sev=Info/5  IKE/0x4300002F
    Received ISAKMP packet: peer = 1.2.0.14
    421    19:09:16.518  29/12/2010  Sev=Info/4  IKE/0x43000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 1.2.0.14
    422    19:09:16.518  29/12/2010  Sev=Info/4  IKE/0x43000013
    SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 1.2.0.14
    423    19:09:16.518  29/12/2010  Sev=Info/4  IKE/0x43000049
    Discarding IPsec SA negotiation, MsgID=FCB95275
    424    19:09:16.518  29/12/2010  Sev=Info/4  IKE/0x43000017
    Marking IKE SA for deletion  (I_Cookie=4BEBFA4F685D02E9 R_Cookie=6A6CB439CD58F148) reason = DEL_REASON_IKE_NEG_FAILED
    425    19:09:16.520  29/12/2010  Sev=Info/5  IKE/0x4300002F
    Received ISAKMP packet: peer = 1.2.0.14
    426    19:09:16.520  29/12/2010  Sev=Info/4  IKE/0x43000058
    Received an ISAKMP message for a non-active SA, I_Cookie=4BEBFA4F685D02E9 R_Cookie=6A6CB439CD58F148
    427    19:09:16.520  29/12/2010  Sev=Info/4  IKE/0x43000014
    RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 1.2.0.14
    428    19:09:17.217  29/12/2010  Sev=Info/4  IPSEC/0x43700014
    Delete all keys
    429    19:09:19.719  29/12/2010  Sev=Info/4  IKE/0x4300004B
    Discarding IKE SA negotiation (I_Cookie=4BEBFA4F685D02E9 R_Cookie=6A6CB439CD58F148) reason = DEL_REASON_IKE_NEG_FAILED
    430    19:09:19.719  29/12/2010  Sev=Info/4  CM/0x43100012
    Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
    431    19:09:19.719  29/12/2010  Sev=Info/5  CM/0x43100025
    Initializing CVPNDrv
    432    19:09:19.719  29/12/2010  Sev=Info/4  CVPND/0x4340001F
    Privilege Separation: restoring MTU on primary interface.
    433    19:09:19.719  29/12/2010  Sev=Info/4  IKE/0x43000001
    IKE received signal to terminate VPN connection
    434    19:09:20.719  29/12/2010  Sev=Info/4  IPSEC/0x43700014
    Delete all keys
    435    19:09:20.719  29/12/2010  Sev=Info/4  IPSEC/0x43700014
    Delete all keys
    436    19:09:20.719  29/12/2010  Sev=Info/4  IPSEC/0x43700014
    Delete all keys
    437    19:09:20.719  29/12/2010  Sev=Info/4  IPSEC/0x4370000A
    IPSec driver successfully stopped

    Hello 3moloz123,

    crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

    1. The reason the remote access (RA) VPN couldn't come up successfully before the change from TRANS_ESP_3DES_MD5 to ESP_3DES_MD5 is that transport mode is not supported for RA VPN. You must use tunnel mode for IPSec processing, since we must keep the inner IP header so that, once the packet is decapsulated and decrypted at the IPSec head-end, we can forward the packet.

    In the logs you can see this failure:

    Dec 29 18:54:26 [IKEv1]: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport

    Repeated x 4

    Rcv'd is the transform sent by the RA client. Cfg'd is what the dynamic crypto map supports.

    2. The isakmp policy change was unnecessary; the Phase 1 session came up fine, indicating ISAKMP worked. Phase 2 begins only after a successful Phase 1 (ISAKMP session).

    After failing to build Phase 2 (the child SA) we drop the ISAKMP security association since it is not in use.

    I hope that answers your questions.

    Kind regards
    Craig
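    As an added illustration (not code from this thread or from Cisco), a small triage script that reads ASA IKEv1 debug lines like those posted above, confirms that Phase 1 completed, and picks out the Encapsulation Mode mismatch Craig explains, mapping it to the transform-set fix. The sample lines are constructed from the thread's output; the `REMEDIATION` wording is the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the thread's ASA debug: Phase 1 succeeds, Phase 2 dies on Encapsulation Mode.
SAMPLE_ASA_DEBUG = """\
Dec 29 18:54:16 [IKEv1]: IP = 3.4.249.124, Connection landed on tunnel_group adminsbbs
Dec 29 18:54:16 [IKEv1]: Group = adminsbbs, IP = 3.4.249.124, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, PHASE 1 COMPLETED
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, IKE Remote Peer configured for crypto map: outside_dyn_map
Dec 29 18:54:26 [IKEv1]: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, All IPSec SA proposals found unacceptable!
"""

# Patterns for the three facts we need: the mismatch class with both sides, the peer identity fields, the crypto map.
MISMATCH_RE = re.compile(r"Phase 2 failure: Mismatched attribute types for class "
                         r"(?P<cls>[^:]+): Rcv'd: (?P<rcvd>.+?) Cfg'd: (?P<cfgd>.+)$")
FIELD_RE = re.compile(r"\b(Group|Username|IP) = ([^,]+)")
CRYPTO_MAP_RE = re.compile(r"configured for crypto map: (\S+)")

# Verdict -> what to change. Tunnel mode is mandatory for RA clients because the
# inner IP header must survive decapsulation at the head-end (Craig's point 1).
REMEDIATION = {
    "phase1-failed": "Phase 1 never completed; check ISAKMP policy, PSK and tunnel-group first.",
    "transport-mode-transform-set": "Dynamic crypto map offers a 'mode transport' transform set, "
                                    "but RA clients only propose tunnel mode; use a tunnel-mode set.",
    "other-phase2-mismatch": "Phase 2 mismatch on another class; compare client proposal vs. transform set.",
    "no-phase2-error-seen": "No Phase 2 mismatch in this capture; look further down the log.",
}

@dataclass
class Diagnosis:
    peer_ip: str = "?"
    group: str = "?"
    crypto_map: str = "?"
    phase1_ok: bool = False
    peer_behind_nat: bool = False
    mismatches: list = field(default_factory=list)   # (class, received, configured)

def diagnose(debug_text: str) -> Diagnosis:
    # Fold the capture (one peer) into a single Diagnosis record.
    d = Diagnosis()
    for line in debug_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        d.peer_ip = fields.get("IP", d.peer_ip).strip()
        d.group = fields.get("Group", d.group).strip()
        d.phase1_ok |= "PHASE 1 COMPLETED" in line
        d.peer_behind_nat |= "Remote end IS behind a NAT device" in line
        if m := CRYPTO_MAP_RE.search(line):
            d.crypto_map = m.group(1)
        if m := MISMATCH_RE.search(line):
            d.mismatches.append((m["cls"], m["rcvd"].strip(), m["cfgd"].strip()))
    return d

def verdict(d: Diagnosis) -> str:
    # Phase 2 evidence only counts once Phase 1 is up, as in the thread's answer.
    if not d.phase1_ok:
        return "phase1-failed"
    for cls, rcvd, cfgd in d.mismatches:
        if cls == "Encapsulation Mode" and "Tunnel" in rcvd and "Transport" in cfgd:
            return "transport-mode-transform-set"
    return "other-phase2-mismatch" if d.mismatches else "no-phase2-error-seen"
```

    Feed it the text of `debug crypto isakmp` output and print `REMEDIATION[verdict(diagnose(text))]`; the NAT flag explains why the received mode reads "UDP Tunnel(NAT-T)" rather than plain tunnel mode.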

  • ASA IPSEC VPN with dynamic public IP

    Hey,

    I have never deployed an IPSEC VPN tunnel in production using ASAs on both sides with one side using a dynamic public IP. I normally deploy VPN tunnels with both sides using static public IP addresses (not always a public IP address on the ASA directly, however).

    So I wonder how stable it works with a static public IP on one side and a dynamic public IP on the other?

    Thank you

    Shuai

    If you use certificates and main mode, or a PSK and aggressive mode, it will work very well. I have a number of production sites using this method.

    Sent from Cisco Technical Support iPad App
