IPSec VPN errors in logging
Hi all
My company has been using an ASA 5510 for a while now (running 8.0(4)). It monitors VPN on the console port, so when I log in, I should be able to follow the VPN connections. However, there are repeated errors (every few seconds) for a few users (each using vpnc under Linux). The errors are:
%ASA-5-713137: Group = vpnremote, username = XXX, IP = XXX, Reaper refCnt dominant [0] and tunnelCnt [0] - remove SA!
%ASA-3-713232: Group = vpnremote, name of user = XXX, IP = XXX, ITS lock refCnt = 0, the bitmask = 00000080, p1_decrypt_cb = 0, qm_decrypt_cb = 0, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 0
%ASA-7-715065: Group = vpnremote, name of user = XXX, IP = XXX, case of mistaken IKE AM Responder WSF (struct & 0xda81fb60)
%ASA-5-713136: Group = vpnremote, user name = XXX, IP = XXX, establishing IKE session has expired [NullState], abandonment!
%ASA-7-713906: fsmDriver returned error

The only thing I've found about this is that it happens when a Linux user makes an unclean disconnection (a user told me that he usually disconnects cleanly, but his Internet connection happened to break; users have no problem making new connections). I never found how to stop these errors from appearing, or maybe how to remove them (if they appear anyway) so that the log can be readable. I'm new in my company, and I'm far from an expert on the ASA, so any help is appreciated.

You can stop the logging of specific syslog messages, as long as you know that you turned it off, so that if you need it for troubleshooting in the future, you can reactivate it. In your example, if you want to disable logging of this particular message:

%ASA-5-713137: Group = vpnremote, username = XXX, IP = XXX, Reaper refCnt dominant [0] and tunnelCnt [0] - remove SA!

The number highlighted above (713137) is the syslog number, and you can disable logging of that syslog number by issuing:

no logging message 713137

Hope that helps.

Hello

First I must admit that I am not very well versed in Cisco equipment or in IPsec connections in general, so my apologies if I'm doing something really obviously stupid, but I have checked through all kinds of things that I could find on the internet on the configuration of IPsec VPN. The setup I have is an ASA 5520 (OS 8.2) firewall which, for now, is connected to a temporary home-broadband-style connection for testing purposes. The Netopia router is configured to allow IPsec passthrough and to redirect ports UDP 62515, TCP 10000, UDP 4500 and UDP 500 to the ASA 5520. I'm trying to connect from a laptop with the Windows firewall disabled and Cisco VPN client version 5.0.02.0090. I ran several attempts through the IPsec configuration wizard options.
Most of the time nothing shows up in the log to indicate that a connection was attempted, but there is one way I can set up the options that produces the following in the firewall log:

4 | Sep 24 2010 | 13:54:29 | 713903 | Group = VPNtest9, IP = 86.44.x.x, error: cannot delete PeerTblEntry
5 | Sep 24 2010 | 13:54:29 | 713902 | Group = VPNtest9, IP = 86.44.x.x, drop table homologous counterpart does not, no match!
6 | Sep 24 2010 | 13:54:21 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF
3 | Sep 24 2010 | 13:54:21 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.
6 | Sep 24 2010 | 13:54:16 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF
3 | Sep 24 2010 | 13:54:16 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.
6 | Sep 24 2010 | 13:54:11 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF
3 | Sep 24 2010 | 13:54:11 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.
3 | Sep 24 2010 | 13:54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3 | Sep 24 2010 | 13:54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3 | Sep 24 2010 | 13:54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3 | Sep 24 2010 | 13:54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3 | Sep 24 2010 | 13:54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3 | Sep 24 2010 | 13:54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3 | Sep 24 2010 | 13:54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3 | Sep 24 2010 | 13:54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3 | Sep 24 2010 | 13:54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3 | Sep 24 2010 | 13:54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
6 | Sep 24 2010 | 13:54:06 | 302015 | 86.44.x.x | 51905 | 192.168.0.27 | 500 | Built UDP inbound connection 7487 for Internet:86.44.x.x/51905 (86.44.x.x/51905) at identity:192.168.0.27/500 (192.168.0.27/500)

and this, in the client log:

Cisco Systems VPN Client Version 5.0.02.0090
Copyright (C) 1998-2007 Cisco Systems, Inc. All rights reserved.
Customer type: Windows, Windows NT
Running: 5.1.2600 Service Pack 3

24 13:54:08.250 24/09/10 Sev = Info/4 CM/0x63100002 Start the login process
25 13:54:08.265 24/09/10 Sev = Info/4 CM/0x63100004 Establish a secure connection
26 13:54:08.265 24/09/10 Sev = Info/4 CM/0x63100024 Attempt to connect with the server "213.94.x.x".
27 13:54:08.437 24/09/10 Sev = Info/6 IKE/0x6300003B Attempts to establish a connection with 213.94.x.x.
28 13:54:08.437 24/09/10 Sev = Info/4 IKE/0x63000013 SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) at 213.94.x.x
29 13:54:08.484 24/09/10 Sev = Info/4 IPSEC/0x63700008 IPSec driver started successfully
30 13:54:08.484 24/09/10 Sev = Info/4 IPSEC/0x63700014 Remove all keys
31 13:54:13.484 24/09/10 Sev = Info/4 IKE/0x63000021 Retransmit the last package!
32 13:54:13.484 24/09/10 Sev = Info/4 IKE/0x63000013 SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x
33 13:54:18.484 24/09/10 Sev = Info/4 IKE/0x63000021 Retransmit the last package!
34 13:54:18.484 24/09/10 Sev = Info/4 IKE/0x63000013 SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x
35 13:54:23.484 24/09/10 Sev = Info/4 IKE/0x63000021 Retransmit the last package!
36 13:54:23.484 24/09/10 Sev = Info/4 IKE/0x63000013 SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x
37 13:54:28.484 24/09/10 Sev = Info/4 IKE/0x63000017 Marking of IKE SA delete (I_Cookie = 36C50ACCE984B0B0 R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
38 13:54:28.984 24/09/10 Sev = Info/4 IKE/0x6300004B IKE negotiation to throw HIS (I_Cookie = 36C50ACCE984B0B0 R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
39 13:54:28.984 24/09/10 Sev = Info/4 CM/0x63100014 Could not establish the Phase 1 SA with the server '213.94.x.x' due to the 'DEL_REASON_PEER_NOT_RESPONDING'.
40 13:54:28.984 24/09/10 Sev = Info/5 CM/0x63100025 Initializing CVPNDrv
41 13:54:28.984 24/09/10 Sev = Info/6 CM/0x63100046 Set indicator established tunnel to register to 0.
42 13:54:28.984 24/09/10 Sev = Info/4 IKE/0x63000001 Signal received IKE to complete the VPN connection
43 13:54:29.187 24/09/10 Sev = Info/4 IPSEC/0x63700014 Remove all keys
44 13:54:29.187 24/09/10 Sev = Info/4 IPSEC/0x63700014 Remove all keys
45 13:54:29.187 24/09/10 Sev = Info/4 IPSEC/0x63700014 Remove all keys
46 13:54:29.187 24/09/10 Sev = Info/4 IPSEC/0x6370000A IPSec driver successfully stopped

I have full HTTP connectivity from the internet to a machine inside the ASA 5520, so I think that the static routing and NAT'ing should be OK, but I am happy to provide you with all the details. Can you see what I'm doing wrong?

Thank you

Sam

Pls add the following policy: crypto ISAKMP policy 10 preshared authentication the Encryption md5 hash Group 2

You can also run debugs on the ASA:

debug cry isa
debug cry ipsec

and retrieve the debug output after trying to connect.

IPSec vpn - no selected proposal

Hello:

I am facing a problem in the configuration of the IPsec VPN on my 7200 router. It's a site to customer topology as shown below. The request from my PC, R2's crypto isa log:

R2 #debug crypto isakmp
* 6 April 22:41:59.931: ISAKMP: (0): treatment ITS payload. Message ID = 0
* 22:42:00.035 6 April: ISAKMP: (0): removal of reason HIS State "Policy of ITS phase 1 not accepted" (R) MM_NO_STATE (post 66.66.66.52)
* 22:42:00.059 6 April: ISAKMP: (0): removal of reason HIS State "Policy of ITS phase 1 not accepted" (R) MM_NO_STATE (post 66.66.66.52)
* 22:42:00.087 6 April: ISAKMP: (0): removal of HIS right State 'No reason' (R) MM_NO_STATE (post 66.66.66.52)
* 22:42:00.895 6 April: ISAKMP (0): received 66.66.66.52 packet 500 Global 500 (R) sport dport MM_NO_STATE

And when I capture on my PC, I got:

I don't know why. Waiting for your kind help, thank you very much!

I think that what is wrong is your combination of encryption, hashing and DH group; try changing your hash to sha instead of md5.

Issue of ASA L2TP VPN error QM WSF

Hello guys

Facing the issue with new support for .do L2tp connection on this you can

L2TP is terminated on the ASA, and before the ASA there is a router where the ASA outside interface is coordinated to the public IP address.

Here is the config and the logs. Earlier of debugging that she was unknown to the Group, and now the tunnel is not establishing to my machine via L2TP.

ASA 5,0000 Version 59 access-list acl - scope ip allowed any one IP local pool vpngroup 10.1.252.1 - 10.1.252.253 mask 255.255.255.0 Global 1 interface (outside) Crypto ipsec transform-set esp-3des esp-sha-hmac trans Crypto-map Dynamics dyno 10 transform-set ESP-3DES-MD5-TRANS trans internal DefaultRAGroup group strategy password cisco KCtylQW4545gfddN6mbi93ijmA user name is nt encrypted

===========================

Debug logs:

EQ-INTFW01 # Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + SA (1) +.
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE got SPI engine key: SPI = 0xc9c523ea
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE, removing SA: Remote Proxy 195.229.90.21, Local
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE, removing SA: Remote Proxy 195.229.90.21, Local EQ-INTFW01 # IPSEC: deleted leaving encrypt rule, SPI 0x243066CC
EQ-INTFW01 #. --> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
!

I'm glad that the problem is solved!

Kind regards

Cisco ASA 5515 two asa firewall ipsec vpn tunnel is not coming

Hello everyone.

I configured an IPsec VPN tunnel between Singapore and Malaysia with ASA firewalls, but the VPN does not come up. Can someone tell me what the root cause could be? Here is the configuration of the two ASAs (I changed all the IP addresses):

Singapore:

See the race
Community trap SNMP-server host test 192.168.168.231 *.
Console timeout 0
Malaysia: :
No snmp server location

Good news that the VPN has been implemented! Regarding the ping problem, my suggestion is to check whether some type of host-based firewall on the computers on both sides is blocking ICMP requests. Anyway, you can still use packet captures on the inside interfaces of the two ASAs to check whether the ICMP traffic is reaching the ASA. In addition, you can try to enable ICMP inspection:

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

IPSec vpn cisco asa and acs 5.1

We have configured IPsec VPN authentication on a Cisco ASA with ACS 5.1. Here is the config in cisco vpn 5580:

standard access list acltest allow 10.10.30.0 255.255.255.0
RADIUS protocol AAA-server Gserver
AAA-server host 10.1.8.10 Gserver (inside)
Cisco key
AAA-server host 10.1.8.11 Gserver (inside)
Cisco key
internal group gpTest strategy
gpTest group policy attributes
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list acltest
type tunnel-group test remote access
tunnel-group test general attributes
address localpool pool
Group Policy - by default-gpTest
authentication-server-group LOCAL Gserver
authorization-server-group Gserver
accounting-server-group Gserver
IPSec-attributes of tunnel-group test
pre-shared-key cisco123

GBA, we configured a user group: VPN users. All VPN users are in this group. ACS can visit his political profile: if the user is in the 'VPN users' group, access ACS.

When we connect from a VPN Client to the server, all users connect successfully. When you look at the parser in the ACS log, each user that connects successfully also gets the error: 22040 wrong password or invalid shared secret (please see the attached picture). The system still works, but I don't know why we get the error log.

Thanks for any help you can provide!

Duyen

Hello Duyen,

I think I've narrowed down the issue. When remote access VPN uses RADIUS authentication, we must keep in mind that authentication and authorization are included in the same packet.

Depending on your configuration, the ACS is defined as a RADIUS server (aaa-server Gserver protocol radius) and the VPN tunnel is authenticated and 'authorized' on this server group:

authentication-server-group LOCAL Gserver
authorization-server-group Gserver

As noted above, the RADIUS request/response includes authentication and authorization in the same packet. This seems to be a problem of incorrect configuration, in that we should not set up the 'authorization' in the tunnel group. Please remove the authorization under the tunnel group:

no authorization-server-group Gserver

Please test the connection again and check the logs of the ACS. At this point only successful logs are reported on the ACS side.

'authorization-server-group' is for LDAP authorization when authenticating to an LDAP server, in order to retrieve the authorization attributes from the server. RADIUS doesn't have the command, as explained above.

I hope this helps.

Kind regards.

IPSec VPN between Cisco and ScreenOS

Hello

I'm trying to set up a simple IPsec VPN between a Cisco 2911 router and a Juniper Netscreen ScreenOS device (I don't know the exact model). Initially the debugging seems good (QM_IDLE), but then the ISAKMP Security Association is deleted. The guy managing the Juniper device sent me an extract from his log:

###########################################################################
2012-08-28 10:24:16 info 00536 IKE Phase 2 msg ID
9b 839579: negotiations failed.
2012-08-28 10:24:16 info system 00536 rejected a package of IKE loopback.11 of
217.150.152.45:500 with cookies 87960e39d074ca49 and 9302d26c7ce324a5 because there is no acceptable Phase 2 proposals...

It has defined the following phase 2 proposals:

IKE the value p2-proposal "G2_esp_aes256_sha_1800s" group2 esp aes256-sha-1, 1800 second
###########################################################################

And I use these:

###########################################################################
crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 2
!
ISAKMP crypto key
Crypto ipsec transform-set esp - aes esp - aes 256 esp-sha-hmac card crypto ipsec vpn 2 isakmp Description * VPN Anbindung nach PKI in Magdeburg *. defined by peer 217.150.152.45 define security-association life seconds 1800 the value of the transform-set esp - aes match address PKI-TRAFFIC ! ########################################################################### Here is my Log: ################################################################################################################# 28 August 08:23:46.416: ISAKMP: (0): profile of THE request is (NULL) 28 August 08:23:46.416: ISAKMP: created a struct peer 217.150.152.45, peer port 500 28 August 08:23:46.416: ISAKMP: new position created post = 0x2A2D7150 peer_handle = 0x8000003A 28 August 08:23:46.416: ISAKMP: lock struct 0x2A2D7150, refcount 1 to peer isakmp_initiator 28 August 08:23:46.416: ISAKMP: 500 local port, remote port 500 28 August 08:23:46.416: ISAKMP: set new node 0 to QM_IDLE 28 August 08:23:46.416: ISAKMP: (0): insert his with his 31627E04 = success 28 August 08:23:46.416: ISAKMP: (0): cannot start aggressive mode, try the main mode. 28 August 08:23:46.416: ISAKMP: (0): pair found pre-shared key matching 217.150.152.45 28 August 08:23:46.416: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID 28 August 08:23:46.416: ISAKMP: (0): built the seller-07 ID NAT - t 28 August 08:23:46.416: ISAKMP: (0): built of NAT - T of the seller-03 ID 28 August 08:23:46.416: ISAKMP: (0): built the seller-02 ID NAT - t 28 August 08:23:46.416: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM 28 August 08:23:46.416: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1 28 August 08:23:46.416: ISAKMP: (0): Beginner Main Mode Exchange 28 August 08:23:46.416: ISAKMP: (0): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) MM_NO_STATE 28 August 08:23:46.416: ISAKMP: (0): sending a packet IPv4 IKE. 
28 August 08:23:46.448: ISAKMP (0): received 217.150.152.45 packet dport 500 sport Global 500 (I) MM_NO_STATE 28 August 08:23:46.448: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH 28 August 08:23:46.448: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2 28 August 08:23:46.448: ISAKMP: (0): treatment ITS payload. Message ID = 0 28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment 28 August 08:23:46.448: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 239 28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment 28 August 08:23:46.448: ISAKMP: (0): provider ID is DPD 28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment 28 August 08:23:46.448: ISAKMP: (0): IKE frag vendor processing id payload 28 August 08:23:46.448: ISAKMP: (0): IKE Fragmentation support not enabled 28 August 08:23:46.448: ISAKMP: (0): pair found pre-shared key matching 217.150.152.45 28 August 08:23:46.448: ISAKMP: (0): pre-shared key local found
28 August 08:23:46.448: ISAKMP: analysis of the profiles for xauth... 28 August 08:23:46.448: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1 28 August 08:23:46.448: ISAKMP: AES - CBC encryption 28 August 08:23:46.448: ISAKMP: SHA hash 28 August 08:23:46.448: ISAKMP: group by default 2 28 August 08:23:46.448: ISAKMP: pre-shared key auth 28 August 08:23:46.448: ISAKMP: keylength 256 28 August 08:23:46.448: ISAKMP: type of life in seconds 28 August 08:23:46.448: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80
28 August 08:23:46.448: ISAKMP: (0): atts are acceptable. Next payload is 0 28 August 08:23:46.448: ISAKMP: (0): Acceptable atts: real life: 0 28 August 08:23:46.448: ISAKMP: (0): Acceptable atts:life: 0 28 August 08:23:46.448: ISAKMP: (0): fill atts in his vpi_length:4 28 August 08:23:46.448: ISAKMP: (0): fill atts in his life_in_seconds:86400 28 August 08:23:46.448: ISAKMP: (0): return real life: 86400 28 August 08:23:46.448: ISAKMP: (0): timer life Started: 86400. 28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment 28 August 08:23:46.448: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 239 28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment 28 August 08:23:46.448: ISAKMP: (0): provider ID is DPD 28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment 28 August 08:23:46.448: ISAKMP: (0): IKE frag vendor processing id payload 28 August 08:23:46.448: ISAKMP: (0): IKE Fragmentation support not enabled 28 August 08:23:46.448: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE 28 August 08:23:46.448: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2 28 August 08:23:46.448: ISAKMP: (0): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) MM_SA_SETUP 28 August 08:23:46.448: ISAKMP: (0): sending a packet IPv4 IKE. 28 August 08:23:46.452: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE 28 August 08:23:46.452: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3 28 August 08:23:46.484: ISAKMP (0): received 217.150.152.45 packet dport 500 sport Global 500 (I) MM_SA_SETUP 28 August 08:23:46.484: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH 28 August 08:23:46.484: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4 28 August 08:23:46.484: ISAKMP: (0): processing KE payload. Message ID = 0 28 August 08:23:46.508: ISAKMP: (0): processing NONCE payload. 
Message ID = 0 28 August 08:23:46.508: ISAKMP: (0): pair found pre-shared key matching 217.150.152.45 28 August 08:23:46.508: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE 28 August 08:23:46.508: ISAKMP: (1049): former State = new State IKE_I_MM4 = IKE_I_MM4 28 August 08:23:46.508: ISAKMP: (1049): send initial contact 28 August 08:23:46.508: ISAKMP: (1049): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication 28 August 08:23:46.508: ISAKMP (1049): payload ID next payload: 8 type: 1 address: 92.67.80.237 Protocol: 17 Port: 500 Length: 12 28 August 08:23:46.508: ISAKMP: (1049): the total payload length: 12 28 August 08:23:46.508: ISAKMP: (1049): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) MM_KEY_EXCH 28 August 08:23:46.508: ISAKMP: (1049): sending a packet IPv4 IKE. 28 August 08:23:46.508: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE 28 August 08:23:46.508: ISAKMP: (1049): former State = new State IKE_I_MM4 = IKE_I_MM5 28 August 08:23:46.540: ISAKMP (1049): received 217.150.152.45 packet dport 500 sport Global 500 (I) MM_KEY_EXCH 28 August 08:23:46.540: ISAKMP: (1049): payload ID for treatment. Message ID = 0 28 August 08:23:46.540: ISAKMP (1049): payload ID next payload: 8 type: 1 address: 217.150.152.45 Protocol: 17 Port: 500 Length: 12 28 August 08:23:46.540: ISAKMP: (0): peer games * no * profiles 28 August 08:23:46.540: ISAKMP: (1049): HASH payload processing. Message ID = 0 28 August 08:23:46.540: ISAKMP: (1049): SA authentication status: authenticated
28 August 08:23:46.540: ISAKMP: (1049): SA has been authenticated with 217.150.152.45 28 August 08:23:46.540: ISAKMP: try inserting a peer
28 August 08:23:46.540: ISAKMP: (1049): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH 28 August 08:23:46.540: ISAKMP: (1049): former State = new State IKE_I_MM5 = IKE_I_MM6 28 August 08:23:46.540: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE 28 August 08:23:46.540: ISAKMP: (1049): former State = new State IKE_I_MM6 = IKE_I_MM6 28 August 08:23:46.540: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE 28 August 08:23:46.540: ISAKMP: (1049): former State = new State IKE_I_MM6 = IKE_P1_COMPLETE 28 August 08:23:46.540: ISAKMP: (1049): start Quick Mode Exchange, M - ID of 1582159006 28 August 08:23:46.552: ISAKMP: (1049): initiator QM gets spi 28 August 08:23:46.552: ISAKMP: (1049): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) QM_IDLE 28 August 08:23:46.552: ISAKMP: (1049): sending a packet IPv4 IKE. 28 August 08:23:46.552: ISAKMP: (1049): entrance, node-1582159006 = IKE_MESG_INTERNAL, IKE_INIT_QM
28 August 08:23:46.552: ISAKMP: (1049): former State = new State IKE_QM_READY = IKE_QM_I_QM1 28 August 08:23:46.552: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE 28 August 08:23:46.552: ISAKMP: (1049): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE 28 August 08:23:46.584: ISAKMP (1049): received 217.150.152.45 packet dport 500 sport Global 500 (I) QM_IDLE 28 August 08:23:46.584: ISAKMP: node set-452721455 to QM_IDLE 28 August 08:23:46.584: ISAKMP: (1049): HASH payload processing. Message ID =-452721455 28 August 08:23:46.584: ISAKMP: (1049): treatment protocol NOTIFIER PROPOSAL_NOT_CHOSEN 1 SPI 0, message ID =-452721455, his 0x31627E04 = 28 August 08:23:46.584: ISAKMP: (1049): peer does not paranoid KeepAlive. 28 August 08:23:46.584: ISAKMP: (1049): remove the reason for HIS "fatal Recevied of information' State (I) QM_IDLE (post 217.150.152.45) 28 August 08:23:46.584: ISAKMP: (1049): node-452721455 error suppression FALSE reason 'informational (en) State 1. 28 August 08:23:46.584: ISAKMP: (1049): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY 28 August 08:23:46.584: ISAKMP: (1049): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE 28 August 08:23:46.584: ISAKMP: node set 494253780 to QM_IDLE 28 August 08:23:46.584: ISAKMP: (1049): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) QM_IDLE 28 August 08:23:46.584: ISAKMP: (1049): sending a packet IPv4 IKE. 28 August 08:23:46.584: ISAKMP: (1049): purge the node 494253780 28 August 08:23:46.584: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL 28 August 08:23:46.584: ISAKMP: (1049): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA 28 August 08:23:46.584: ISAKMP: (1049): remove the reason for HIS "fatal Recevied of information' State (I) QM_IDLE (post 217.150.152.45) Intertoys_Zentrale_Waddinxveen_01 #. 
28 August 08:23:46.584: ISAKMP: Unlocking counterpart struct 0x2A2D7150 for isadb_mark_sa_deleted(), count 0
28 August 08:23:46.584: ISAKMP: delete peer node by peer_reap for 217.150.152.45: 2A2D7150
28 August 08:23:46.584: ISAKMP: (1049): node-1582159006 error suppression FALSE reason 'IKE deleted.
28 August 08:23:46.584: ISAKMP: (1049): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
28 August 08:23:46.584: ISAKMP: (1049): former State = new State IKE_DEST_SA = IKE_DEST_SA
#################################################################################################################

Is there something special that needs to be addressed when creating a VPN to Juniper devices?

Greetings

Thomas

The IPsec peer has PFS enabled; do the same in your crypto map:

crypto map vpn 2 ipsec-isakmp
 set pfs group2

--

Site to site vpn errors.

When I configure site-to-site tunnels, I get errors in the logging of the ASA. I've included the two configs of the ASAs. Can anyone see what I am missing?

small site

: Saved : Written by usiadmin at 15:22:08.143 UTC Monday, March 19, 2012 ! ASA Version 7.2 (3) ! hostname smallASA domain.com domain name activate awSQhSsotCzGWRMo encrypted password names of ! interface Vlan1 nameif inside security-level 100 IP 10.16.4.1 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 IP 116.12.211.66 255.255.255.240 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 !
L0Wjs4eA25R/befo encrypted passwd passive FTP mode DNS lookup field inside DNS server-group DefaultDNS Server name 10.10.20.1 domain.com domain name access extensive list ip 10.16.4.0 outside_1_cryptomap allow 255.255.255.0 any access extensive list ip 10.16.4.0 inside_nat0_outbound allow 255.255.255.0 any pager lines 24 Enable logging asdm of logging of information Within 1500 MTU Outside 1500 MTU ICMP unreachable rate-limit 1 burst-size 1 ASDM image disk0: / asdm - 523.bin don't allow no asdm history ARP timeout 14400 NAT-control Global 1 interface (outside) NAT (inside) 0-list of access inside_nat0_outbound NAT (inside) 1 0.0.0.0 0.0.0.0 Route outside 0.0.0.0 0.0.0.0 116.12.211.65 1 Timeout xlate 03:00 Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00 Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00 Timeout, uauth 0:05:00 absolute Enable http server http 0.0.0.0 0.0.0.0 outdoors http 10.16.4.0 255.255.255.0 inside No snmp server location No snmp Server contact Server enable SNMP traps snmp authentication linkup, linkdown cold start Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac card crypto outside_map 1 match address outside_1_cryptomap card crypto outside_map 1 set pfs peer set card crypto outside_map 1 12.69.103.226 card crypto outside_map 1 set of transformation-ESP-3DES-SHA outside_map interface card crypto outside crypto ISAKMP allow outside crypto ISAKMP policy 10 preshared authentication 3des encryption sha hash Group 2 life 86400 Crypto isakmp nat-traversal 20 Telnet 10.16.4.0 255.255.255.0 inside Telnet timeout 5 SSH 10.16.4.0 255.255.255.0 inside SSH 0.0.0.0 0.0.0.0 outdoors SSH timeout 5 Console timeout 0 dhcpd dns 165.21.83.88 10.10.2.1 dhcpd domain domain.com dhcpd outside auto_config ! dhcpd address 10.16.4.100 - 10.16.4.131 inside dhcpd allow inside ! ! 
class-map inspection_default match default-inspection-traffic ! ! type of policy-card inspect dns preset_dns_map parameters message-length maximum 512 Policy-map global_policy class inspection_default inspect the preset_dns_map dns inspect the ftp inspect h323 h225 inspect the h323 ras inspect the rsh inspect the rtsp inspect esmtp inspect sqlnet inspect the skinny inspect sunrpc inspect xdmcp inspect the sip inspect the netbios inspect the tftp ! global service-policy global_policy usiadmin encrypted DI5M5NnQfLzGHaw1 privilege 15 password username initech encrypted ENDpqoooBPsmGFZP privilege 15 password username tunnel-group 12.69.103.226 type ipsec-l2l IPSec-attributes tunnel-group 12.69.103.226 pre-shared key, PSK context of prompt hostname Cryptochecksum:e6bf95f3c25574bfed2adafb3283e882 : end large site
: Saved : Written by usiadmin to the 22:57:30.549 CDT Monday, March 19, 2012 ! ASA Version 8.0 (3) ! hostname STO-ASA-5510-FW domain.com domain name enable the password... Ge0JnvJlk/gAiB encrypted names of 192.168.255.0 BGP-Transit_Network description name Transit BGP name 10.10.99.0 VPN name 10.10.2.80 BB DNS-guard ! interface Ethernet0/0 Inside the Interface Description nameif inside security-level 100 IP 10.10.200.29 255.255.255.240
OSPF cost 10 ! interface Ethernet0/1 Description external Interface facing the Rotuer for Internet. nameif outside security-level 0 IP 12.69.103.226 255.255.255.240 OSPF cost 10 ! interface Ethernet0/2 Description physical interface trunk - do not use No nameif no level of security no ip address ! interface Ethernet0/2.900 Description Interface DMZ 12.69.103.0 / 26 (usable hotes.1 a.62) VLAN 900 nameif DMZ1-VLAN900 security-level 50 IP 12.69.103.1 255.255.255.192 OSPF cost 10 ! interface Ethernet0/3 Shutdown No nameif no level of security no ip address ! interface Management0/0 nameif management security-level 100 IP 10.10.5.250 255.255.254.0 OSPF cost 10 management only ! L0Wjs4eA25R/befo encrypted passwd banner exec ********************************************************************** exec banner STO-ASA-5510-FW exec banner ASA5510 - 10.10.200.29 exec banner configured for data use only banner exec ********************************************************************** banner login ********************************************************************** connection of the banner caveat: this system is for the use of only authorized customers. banner of individuals to connect using the system of computer network without permission. banner login or exceeding their authority, are subject with all their activity of connection banner on this system monitored and recorded by computer network staff of the login banner system. To protect the computer network system of banner of the connection of unauthorized use and to ensure that computer network systems is connection of banner works properly, system administrators monitor this system. banner connect anyone using this computer network system expressly consents to such a banner of the connection monitoring and is advised that if such monitoring reveals possible conduct of connection banner of criminal activity, system personnel may provide the evidence of connection banner of such activity to the police. 
connection banner that access is restricted to the authorized users only. Unauthorized access is connection banner, a violation of State and federal, civil and criminal. banner login ********************************************************************** passive FTP mode clock timezone CST - 6 clock to summer time recurring CDT DNS server-group DefaultDNS domain universalsilencer.com permit same-security-traffic intra-interface object-group service SAP tcp - udp Description SAP updates port-object eq 3299 object-group Protocol TCPUDP object-protocol udp object-tcp protocol object-group service HUMANLand tcp port-object eq citrix-ica DM_INLINE_TCP_1 tcp service object-group EQ port 5061 object port-object eq www EQ object of the https port DM_INLINE_TCP_2 tcp service object-group EQ port 5061 object port-object eq www EQ object of the https port DM_INLINE_UDP_1 udp service object-group EQ port-object snmp port-object eq snmptrap object-group service DM_INLINE_SERVICE_1 ICMP service object the purpose of the service tcp - udp eq www the purpose of the udp eq snmp service the purpose of the udp eq snmptrap service the eq syslog udp service object the eq 2055 tcp service object the eq 2055 udp service object EQ-3389 tcp service object object-group service human tcp - udp port-object eq 8100 object-group service grove tcp
port-object eq 2492 netflowTcp tcp service object-group port-object eq 2055 object-group service 6144 tcp - udp 6144 description port-object eq 6144 object-group service 1536-DMPA-inter-tcp - udp 1536-DMPA-inter description port-object eq 1536 the DM_INLINE_NETWORK_1 object-group network network-object 198.78.0.0 255.255.0.0 network-object 207.152.0.0 255.255.0.0 network-object 69.31.0.0 255.255.0.0 the DM_INLINE_NETWORK_2 object-group network network-object 198.78.0.0 255.255.0.0 network-object 207.152.0.0 255.255.0.0 network-object 69.31.0.0 255.255.0.0 the DM_INLINE_NETWORK_3 object-group network network-object 198.78.0.0 255.255.0.0 network-object 207.152.0.0 255.255.0.0 network-object 69.31.0.0 255.255.0.0 the DM_INLINE_NETWORK_4 object-group network network-object 198.78.0.0 255.255.0.0 network-object 207.152.0.0 255.255.0.0
network-object 69.31.0.0 255.255.0.0 object-group service rdp tcp RDP description EQ port 3389 object the DM_INLINE_NETWORK_5 object-group network network-object 10.16.0.0 255.255.0.0 object-network 10.16.0.0 255.255.255.0 the DM_INLINE_NETWORK_6 object-group network network-object 10.16.0.0 255.255.0.0 object-network 10.16.0.0 255.255.255.0 the DM_INLINE_NETWORK_7 object-group network network-object 10.16.0.0 255.255.0.0 object-network 10.16.0.0 255.255.255.0 the DM_INLINE_NETWORK_8 object-group network network-object 10.16.0.0 255.255.0.0 object-network 10.16.0.0 255.255.255.0 access outside the 207.152.125.136 note list extended access list to refuse any newspaper outdoors the object-group objects DM_INLINE_NETWORK_1 TCPUDP-group scope of list of outdoor access to refuse the object-group objects DM_INLINE_NETWORK_2 host 12.69.103.129 TCPUDP-group extended access list to refuse the object-group TCPUDP outdoors any object-group DM_INLINE_NETWORK_3 scope of list of outdoor access to refuse the subject-TCPUDP 12.69.103.129 host object group DM_INLINE_NETWORK_4 access outside the note list * in Bound SAP traffic by Ron Odom update *. list of access outside the scope permitted tcp host 194.39.131.34 host 12.69.103.155 3200 3300 Journal range access outside the note list * router SAP *. list of access outside the permitted range tcp host 10.10.2.110 host 194.39.131.34 3200 3300 extended access list permits object-group DM_INLINE_SERVICE_1 outside any host 12.69.103.154 access outside the note list * entrants to the mail server to 10.10.2.10 Peter K *. list of extended outside access permit tcp any host 12.69.103.147 eq smtp access outside the note list * incoming to the OCS EDGE on DMZ Peter K *. 
access list outside extended permit tcp any host 12.69.103.2 object - group DM_INLINE_TCP_1 list of external extended ip access permits any host 12.69.103.6 list of access outside the comment flagged for malware activity scope of list of outdoor access to deny the host ip 77.78.247.86 all list of external extended ip access permits any host 12.69.103.156 inactive list of extended outside access permit tcp any host 12.69.103.147 eq www list of extended outside access permit tcp any host 12.69.103.147 eq https access outside the note list * incoming hosting 10.10.3.200 - Dan K *. list of extended outside access permit tcp any host 12.69.103.145 eq www list of extended outside access permit tcp any host 12.69.103.145 eq https access outside the note list * journey to host 10.10.2.30 USIFAXBACK - Dan K *. list of extended outside access permit tcp any host 12.69.103.146 eq www list of extended outside access permit tcp any host 12.69.103.146 eq https access outside the note list * incoming hosting 10.10.8.5 - Mitel 7100 BOB M 4/4-2008 - BV *. list of extended outside access permit tcp any host 12.69.103.152 eq pptp access list outside extended permit tcp any host 200.56.251.118 object - group HUMANLand
list of extended outside access permit tcp any host 200.56.251.121 eq 8100 outdoor access list note allow all return ICMP traffic off in order to help the attacks of hidden form extended the list of outdoor access to deny icmp everything no matter what newspaper list of allowed outside access extended ip 10.14.0.0 255.255.0.0 all open a debug session list of allowed outside access extended ip 10.15.0.0 255.255.0.0 any list of allowed outside access extended ip object-group DM_INLINE_NETWORK_7 all outdoor access list extended permits all ip 10.14.0.0 255.255.0.0 debug log outdoor access list extended permits all ip 10.15.0.0 255.255.0.0 list of external extended ip access permits any object-group DM_INLINE_NETWORK_6 list of access outside the scope permitted udp host 12.88.249.62 any DM_INLINE_UDP_1 object-group Note added to pervent bocking human outside access list list of access outside the permitted scope object-TCPUDP host 10.12.2.250 host 200.56.251.121 human group object Note added to pervent bocking human outside access list list of access outside the permitted scope object-TCPUDP host 200.56.251.121 host 10.12.2.250 human group object outside the permitted scope of access tcp list any any eq log pptp extended access list to refuse the object-group TCPUDP outdoors everything any object-group 6144 VPN-SplitTunnel extended 10.10.0.0 ip access list allow 255.255.0.0 VPN 255.255.255.192 extensive list of access VPN-SplitTunnel ip 10.11.0.0 255.255.0.0 VPN 255.255.255.192 allow extended VPN-SplitTunnel access list ip 10.12.0.0 allow 255.255.0.0 VPN 255.255.255.192 extended VPN-SplitTunnel access list ip 10.13.0.0 allow 255.255.0.0 VPN 255.255.255.192
list of access VPN-SplitTunnel extended permitted ip VPN BGP-Transit_Network 255.255.255.0 255.255.255.192 list of access VPN-SplitTunnel extended permitted ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0 VPN-SplitTunnel extended 10.10.0.0 ip access list allow 255.255.0.0 10.14.4.0 255.255.254.0 VPN-SplitTunnel extended 10.10.0.0 ip access list allow 255.255.0.0 10.15.4.0 255.255.254.0 VPN-SplitTunnel extended 10.10.0.0 ip access list allow 255.255.0.0 10.14.8.0 255.255.254.0 Note DMZ1_in access-list * OCS - 2nd interface to inside EDGE welcomes Peter K *. DMZ1_in list extended access permit tcp host 12.69.103.3 host 10.10.2.15 DM_INLINE_TCP_2 object-group Note DMZ1_in of access list permit all ICMP traffic DMZ1_in access list extended icmp permitted any any newspaper DMZ1_in deny ip extended access list all 207.152.0.0 255.255.0.0 DMZ1_in list extended access deny ip 207.152.0.0 255.255.0.0 any Note DMZ1_in access-list * explicitly block access to all domestic networks *. Note access-list DMZ1_in * no need allowed inside networks *. Note DMZ1_in access-list * to do above this section *. DMZ1_in list extended access deny ip any 10.0.0.0 255.0.0.0 DMZ1_in list extended access deny ip any 172.16.0.0 255.240.0.0 DMZ1_in list extended access deny ip any 192.168.0.0 255.255.0.0 Note DMZ1_in access-list * IP Allow - this will be the internet *. 
DMZ1_in list of allowed ip extended access all any debug log ezvpn1 list standard access allowed 10.0.0.0 255.0.0.0 access-list DMZ1-VLAN900_cryptomap extended ip allowed any one access-list sheep extended ip 10.10.0.0 allow 255.255.0.0 VPN 255.255.255.192 IP 10.11.0.0 allow Access-list extended sheep 255.255.0.0 VPN 255.255.255.192 IP 10.12.0.0 allow Access-list extended sheep 255.255.0.0 VPN 255.255.255.192 access-list extended sheep ip 10.13.0.0 allow 255.255.0.0 VPN 255.255.255.192 access-list sheep extended ip VPN BGP-Transit_Network 255.255.255.0 allow 255.255.255.192 access-list extended sheep allowed ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0 access-list sheep extended ip 10.10.0.0 allow 255.255.0.0 10.14.4.0 255.255.254.0 access-list sheep extended ip 10.10.0.0 allow 255.255.0.0 10.14.8.0 255.255.254.0 access-list extended sheep allowed ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0 access-list sheep extended ip 10.10.0.0 allow 255.255.0.0 10.15.4.0 255.255.254.0
access-list extended sheep allowed ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0 permit traffic to access extended list ip 10.0.0.0 255.0.0.0 10.14.0.0 inactive 255.255.0.0 outside_cryptomap to access ip 10.0.0.0 scope list allow 255.0.0.0 10.15.0.0 255.255.0.0 access extensive list ip 10.14.0.0 outside_nat0_outbound allow 255.255.0.0 VPN 255.255.255.192 access extensive list ip 10.15.0.0 outside_nat0_outbound allow 255.255.0.0 VPN 255.255.255.192 outside_nat0_outbound list extended access allowed object-group ip VPN DM_INLINE_NETWORK_8 255.255.255.192 outside_cryptomap_1 to access ip 10.0.0.0 scope list allow 255.0.0.0 DM_INLINE_NETWORK_5 object-group pager lines 24 Enable logging timestamp of the record logging list VPN informational level class auth logging list class VPN config level criticism VPN vpn list logging level notification class notification of log list VPN vpnc level class VPN list logging level notifications class webvpn logging alerts list any level exploitation forest-size of the buffer of 256000 logging buffered all logging VPN trap asdm of logging of information host of inside the 10.10.2.41 logging format emblem logging ftp-bufferwrap connection server ftp 10.10.2.41 \logs usi\administrator 178US1SIL3 ~. 
Within 1500 MTU Outside 1500 MTU MTU 1500 DMZ1-VLAN900 management of MTU 1500 mask 10.10.99.1 - 10.10.99.63 255.255.255.192 IP local pool Clients_vpn no failover ICMP unreachable rate-limit 1 burst-size 1 ICMP allow any inside ICMP allow all outside ICMP allow any DMZ1-VLAN900 ASDM image disk0: / asdm - 611.bin ASDM location VPN 255.255.255.192 inside ASDM location BGP-Transit_Network 255.255.255.0 inside ASDM location 10.10.4.60 255.255.254.255 inside ASDM location 255.255.255.255 inside BB ASDM location 10.16.0.0 255.255.0.0 inside ASDM location 69.31.0.0 255.255.0.0 inside ASDM location 198.78.0.0 255.255.0.0 inside ASDM location 10.16.0.0 255.255.255.0 inside enable ASDM history ARP timeout 14400 Global (inside) 1 10.10.2.4 netmask 255.0.0.0 Global (outside) 10 12.69.103.129 netmask 255.255.255.255
Global (outside) 11 12.69.103.130 netmask 255.255.255.255 Global (outside) 12 12.69.103.131 netmask 255.255.255.255 Global (outside) 13 12.69.103.132 netmask 255.255.255.255 Global (outside) 14 12.69.103.133 netmask 255.0.0.0 NAT (inside) 0 access-list sheep NAT (inside) 11 192.168.255.4 255.255.255.252 NAT (inside) 12 192.168.255.8 255.255.255.252 NAT (inside) 13 192.168.255.12 255.255.255.252 NAT (inside) 10 10.10.0.0 255.255.0.0 NAT (inside) 11 10.11.0.0 255.255.0.0 NAT (inside) 12 10.12.0.0 255.255.0.0 NAT (inside) 13 10.13.0.0 255.255.0.0 NAT (inside) 10 10.14.0.0 255.255.0.0 NAT (outside) 0-list of access outside_nat0_outbound NAT (outside) 10 10.16.0.0 255.255.255.0 NAT (outside) 10 10.14.0.0 255.255.0.0 NAT (outside) 10 10.15.0.0 255.255.0.0 NAT (outside) 10 10.16.0.0 255.255.0.0 static (DMZ1-VLAN900, external) 12.69.103.0 12.69.103.0 subnet mask 255.255.255.192 public static 12.69.103.154 (Interior, exterior) 10.10.2.41 netmask 255.255.255.255 static (inside, DMZ1-VLAN900) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 static (inside, DMZ1-VLAN900) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 static (inside, DMZ1-VLAN900) 172.16.0.0 subnet 255.240.0.0 172.16.0.0 mask public static 12.69.103.147 (Interior, exterior) 10.10.2.10 netmask 255.255.255.255 public static 12.69.103.152 (Interior, exterior) 10.10.8.5 netmask 255.255.255.255 public static 12.69.103.155 (Interior, exterior) 10.10.2.110 netmask 255.255.255.255 outside access-group in external interface Access-group DMZ1_in in interface DMZ1-VLAN900 ! Router eigrp 100 Network 10.0.0.0 255.0.0.0 ! Route outside 0.0.0.0 0.0.0.0 12.69.103.225 1 Route inside 10.0.0.0 255.0.0.0 10.10.200.30 1
Route inside 10.10.98.0 255.255.255.0 10.10.200.30 1 Route outside 10.14.0.0 255.255.0.0 12.69.103.225 1 Route outside 10.15.0.0 255.255.0.0 12.69.103.225 1 Timeout xlate 03:00 Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00 Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00 Timeout, uauth 0:05:00 absolute dynamic-access-policy-registration DfltAccessPolicy AAA-server Microsoft radius Protocol simultaneous accounting mode reactivation mode impoverishment deadtime 30 AAA-server Microsoft host 10.10.2.1 key cisco123 the ssh LOCAL console AAA authentication AAA authentication LOCAL telnet console AAA authentication enable LOCAL console AAA authentication http LOCAL console Enable http server http 10.10.0.0 255.255.0.0 management http 10.10.0.0 255.255.0.0 inside SNMP-server host within the 10.10.2.41 community UNISNMP version 2 c-port udp 161 location of Server SNMP STODATDROOM contact SNMP SYS Admin Server UNISNMP SNMP-server community Server enable SNMP traps snmp authentication linkup, linkdown cold start Server enable SNMP traps syslog Server SNMP traps enable ipsec works stop Server enable SNMP traps entity config - change insert-fru fru - remove Server SNMP enable doors remote access has exceeded the threshold of session Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac Crypto ipsec transform-set 
ESP-3DES-MD5-esp-3des esp-md5-hmac Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5 card crypto outside_map 1 match address outside_cryptomap peer set card crypto outside_map 1 115.111.107.226 card crypto outside_map 1 set of transformation-ESP-3DES-SHA card crypto outside_map 2 match address outside_cryptomap_1 peer set card crypto outside_map 2 116.12.211.66 card crypto outside_map 2 the value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5 address card crypto outside_map 10 game traffic peer set card crypto outside_map 10 212.185.51.242
outside_map crypto 10 card value transform-set ESP-3DES-SHA outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP outside_map interface card crypto outside inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP inside crypto map inside_map interface card crypto DMZ1-VLAN900_map0 1 the value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5 crypto isakmp identity address crypto ISAKMP allow inside crypto ISAKMP allow outside crypto ISAKMP policy 5 preshared authentication 3des encryption sha hash Group 2 life no crypto ISAKMP policy 10 preshared authentication the Encryption sha hash Group 2 life no Crypto isakmp nat-traversal 33 No vpn-addr-assign aaa No dhcp vpn-addr-assign VPN-addr-assign local reuse-delay 10 Telnet 10.10.0.0 255.255.0.0 inside Telnet 10.10.0.0 255.255.0.0 management Telnet timeout 29 SSH timeout 29 SSH version 2 Console timeout 1 management-access inside dhcprelay Server 10.10.2.1 outside a basic threat threat detection threat scan-threat shun except ip 10.14.0.0 address detection 255.255.0.0
threat scan-threat shun except ip 10.15.0.0 address detection 255.255.0.0 threat detection statistics Web cache WCCP WCCP interface within web in cache redirection NTP 192.5.41.41 Server NTP 192.5.41.40 Server Server NTP 192.43.244.18 TFTP server inside 10.10.2.2 \asa attributes of Group Policy DfltGrpPolicy banner of value WARNING: this system is for the use of only authorized customers. value of server WINS 10.10.2.1 value of 10.10.2.1 DNS server 10.10.2.2 Protocol-tunnel-VPN IPSec svc webvpn Split-tunnel-policy tunnelspecified Split-tunnel-network-list value VPN-SplitTunnel universalsilencer.com value by default-field Server proxy Internet Explorer 00.00.00.00 value the address value Clients_vpn pools internal CHINAPH group policy CHINAPH group policy attributes Protocol-tunnel-VPN IPSec svc webvpn Split-tunnel-policy tunnelall enable dhcp Intercept 255.255.0.0 the address value Clients_vpn pools internal ezGROUP1 group policy attributes of the strategy of group ezGROUP1 VPN-tunnel-Protocol svc webvpn allow password-storage Split-tunnel-policy tunnelspecified value of Split-tunnel-network-list ezvpn1 allow to NEM deleted users IPSec-attributes tunnel-group DefaultL2LGroup pre-shared-key germanysilence type tunnel-group USISplitTunnelRemoteAccess remote access attributes global-tunnel-group USISplitTunnelRemoteAccess address pool Clients_vpn IPSec-attributes tunnel-group USISplitTunnelRemoteAccess pre-shared-key z2LNoioYVCTyJlX type tunnel-group USISplitTunnelRADIUS remote access attributes global-tunnel-group USISplitTunnelRADIUS address pool Clients_vpn Group-Microsoft LOCAL authentication server IPSec-attributes tunnel-group USISplitTunnelRADIUS pre-shared-key fLFO2p5KSS8Ic2y type tunnel-group ezVPN1 remote access tunnel-group ezVPN1 General-attributes Group Policy - by default-ezGROUP1 ezVPN1 group of tunnel ipsec-attributes pre-shared key, PSK tunnel-group 212.185.51.242 type ipsec-l2l IPSec-attributes tunnel-group 212.185.51.242 pre-shared key, PSK NOCHECK 
Peer-id-validate tunnel-group 115.111.107.226 type ipsec-l2l IPSec-attributes tunnel-group 115.111.107.226 pre-shared key PSJ tunnel-Group China type remote access attributes global-tunnel-Group China address pool Clients_vpn Group Policy - by default-CHINAPH tunnel-group 116.12.211.66 type ipsec-l2l IPSec-attributes tunnel-group 116.12.211.66 pre-shared key, PSK ! class-map inspection_default match default-inspection-traffic ! ! type of policy-card inspect dns migrated_dns_map_1 parameters message-length maximum 512 Policy-map global_policy class inspection_default inspect the migrated_dns_map_1 dns inspect the ftp inspect h323 h225 inspect the h323 ras inspect the rsh inspect the rtsp inspect sqlnet inspect the skinny inspect sunrpc inspect xdmcp inspect the sip inspect the netbios inspect the tftp inspect the icmp ! global service-policy global_policy context of prompt hostname Cryptochecksum:834976612f8f76e1b088326516362975 : end Hello Ronald.
You use PFS on one site and not on the other. Let's remove it from the site that has it and give it a try.

Change this:

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 12.69.103.226
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

To this:

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 12.69.103.226
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

So just do a:

no crypto map outside_map 1 set pfs

Kind regards,
Julio

Rate all useful posts

Two IPSec VPN on an interface does not

Hello

I'm actually trying to bring two IPSec VPN on a single interface. I managed to create a tunnel between hand and Barcelona and between by and Mad. But I can't create it between Barcelona and Mad. We have a cisco ISR1921 Mad Barcelona and a nominal Netgear.

Config of Barcelona:

Mad conf:

Now the weird part: I have absolutely NO LOG AT ALL. I don't have them when the tunnel with normal is negotiated, but I have absolutely nothing to Mad-Barcelona. Not even an error message or anything like that. Negotiations between Barcelona and the Mad is nowhere.

Does someone have an idea what is happening?

I'm thinking that it might not be starting the tunnel, hence no logs at all:

- Do you see any hits in the access list used in the crypto map?
- Is it possible that there is a problem of connectivity between sites?
- Is there a NAT (or PAT) which may affect the set of addresses?
- Is it possible that routing to one of the sites is not going through the interface that has the crypto map?

Maybe if you post the output of show crypto map there could be a few clues about the problem?

HTH
Rick

Hello

I just upgraded to macOS Sierra and the built-in Cisco IPsec VPN no longer works. When I try to connect, I get a "cannot validate the certificate of the server. Check your settings and try to reconnect" error message. I use Cisco ASA with self-signed certificates and everything worked fine with previous versions of OS X.

Please help me, I need my VPN

Thx a lot

I am having the same problem with StrongSwan and help cert signed with the channel to complete certificates included in the pkcs12 file imported to the keychain. It was working properly in El Capitan, but is now broken in Sierra.

Hi guys,

Tried to set up an IPsec LAN-to-LAN VPN between my WRV200 and my companion's WRVS4400N. Filled in all the relevant config... simple... but still nothing. They don't seem to connect. We are both on ADSL and using IP address by DNS. Routers are in the log file and try to establish the connection. Tried all the settings, both routers are configured the same. STILL NO JOY! Can anyone help, before having to migrate to a netgear or something nasty!

Sorry, forgot to mention, using an AM200 modem in Bridge mode. It my router DHCP address direct WAN instead of NAT. The two systems are set up the same, where the routers have the outside WAN address. The modem is transparent. I guess that NAT traversal is not required in that state.

ISA500 site by site ipsec VPN with Cisco IGR

Hello

I tried a VPN site by site work with Openswan and Cisco 2821 router configuration an Ipsec tunnel to site by site with Cisco 2821 and ISA550. But without success.

My config for openswan, just FYI, maybe not important for this problem:

config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$RIGHT_SUBNET
    nhelpers=0

conn rz1
    ikev2=no
    type=tunnel
    left=%any
    leftsubnet=192.168.5.0/24
    right=.
    rightsourceip=192.168.1.2
    rightsubnet=192.168.1.0/24
    keylife=28800s
    ikelifetime=28800s
    keyingtries=3
    auth=esp
    esp=aes128-sha1
    keyexchange=ike
    authby=secret
    auto=start
    ike=aes128-sha1;modp1536
    dpdaction=restart
    dpddelay=30
    dpdtimeout=60
    pfs=no
    aggrmode=no

Config Cisco 2821 for dynamic dialin:

crypto isakmp policy 1
 encr aes
 hash sha
 authentication pre-share
 group 5
 lifetime 28800
!
crypto map CMAP_1 1 ipsec-isakmp dynamic DYNMAP_1
!
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
!
crypto ipsec transform-set ESP-AES-SHA1 esp-aes esp-sha-hmac
crypto dynamic-map DYNMAP_1 1
 set transform-set ESP-AES-SHA1
 match address 102
!
crypto isakmp key
crypto isakmp keepalive 30 periodic
!
crypto ipsec security-association lifetime seconds 28800
!
interface GigabitEthernet0/0.4002
 crypto map CMAP_1
!

I tried a config with the same constellation on the ISA550, but without success.

Does anyone have the same problem? Does anyone have a tip for me, or does someone have experience with a site-to-site IPsec tunnel between an ISA550 and a Cisco 2821?

I can successfully establish a tunnel between the openswan linux server and the ISA550.

Patrick,

as you can see in the logs, the software behind the ISA is also OpenSWAN.

I have a setup with an 892 ISR running, which should be the same as your 29erxx.

Use your IOS Config dynmap, penny, you are on the average nomad.

If you don't have any RW client, you should add "no-xauth" on the IOS after the isakmp key.

Here is my setup, with roadwarrior AND 2 site-2-site.

crypto logging session
crypto logging ezvpn
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 4
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 7200
crypto isakmp key XXXX address XXXXX no-xauth
crypto isakmp key XXXX address XXXX no-xauth
!
crypto isakmp client configuration group default
 key XXXX
 dns XXXX
 pool default
 acl easyvpn_client_routes
 pfs
!
!
crypto ipsec transform-set FEAT esp-3des esp-sha-hmac
!
crypto dynamic-map VPN 20
 set transform-set FEAT
 reverse-route
!
!
crypto map VPN client authentication list default
crypto map VPN isakmp authorization list default
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp
 description VPN-1
 set peer XXX
 set transform-set FEAT
 match address internal_networks_ipsec
crypto map VPN 11 ipsec-isakmp
 description VPN-2
 set peer XXX
 set transform-set FEAT
 set pfs group2
 match address internal_networks_ipsec2
crypto map VPN 20 ipsec-isakmp dynamic VPN
!
!

Michael

Please rate all useful posts

Cisco RV220W IPSec VPN problem Local configuration for any config mode

Dear all,

I need help. I am currently evaluating the RV220W for VPN usage but I'm stuck with the config somehow; it seems that there is a problem with the Mode-Config? What needs to be changed or where is my fault?

I have installed IPSec according to the RV220W Administrator's Guide. The client is a Mac with the Mac Cisco IPSec VPN; I also tried NCP Secure Client.

I have 3 other sites where the config on my Mac works fine, but the Cisco VPN router is not.

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: remote for found identifier "remote.com" configuration
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: application received for the negotiation of the new phase 1: x.x.x.x [500]<=>2.206.0.67 [53056]
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: early aggressive mode.
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: RFC 3947
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: CISCO - UNITY
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: DPD
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: for 2.206.0.67 [53056], version selected NAT - T: RFC 3947
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: floating ports NAT - t with peer 2.206.0.67 [52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT - D payload is x.x.x.x [4500]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT - D payload does not match for 2.206.0.67 [52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT detected: Peer is behind a NAT device
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: request sending Xauth for 2.206.0.67 [52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: ISAKMP Security Association established for x.x.x.x [4500] - 2.206.0.67 [52149] with spi: 1369a43b6dda8a7d:fd874108e09e207e
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: type of the attribute "ISAKMP_CFG_REPLY" from 2.206.0.67 [52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: connection for the user "Testuser".
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: type of the attribute "ISAKMP_CFG_REQUEST" from 2.206.0.67 [52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: ignored attribute 5
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: attribute ignored 28678
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: attribute ignored 28683
2013-03-07 01:56:07: [CiscoFirewall] [IKE] INFO: purged-with proto_id = ISAKMP and spi = 1369a43b6dda8a7d:fd874108e09e207e ISAKMP Security Association.
2013-03-07 01:56:08: [CiscoFirewall] [IKE] INFO: ISAKMP Security Association deleted for x.x.x.x [4500] - 2.206.0.67 [52149] with spi: 1369a43b6dda8a7d:fd874108e09e207e

Hi Mike, the built-in client for MAC does not work with the RV220W. The reason is, the MAC IPSec client is the same as the Cisco VPN 5.x client. The reason that this is important is that the 5.x client work that on certain small business products include the SRP500 and SA500 series. I would recommend that you search by using a client VPN as Greenbow or IPSecuritas.
-Tom

Problem Cisco 2811 with L2TP IPsec VPN

Hello. Sorry for my English. Help me please. I have problem with L2TP over IPsec VPN when I connect with Android phones. Even if I connect with laptop computers. I have Cisco 2811 - Cisco IOS software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4 (2) T2, (fc3) SOFTWARE VERSION. I configured on L2TP over IPsec VPN with Radius Authentication

My config:
!
!
VPDN enable
session of crypto consignment
ISAKMP crypto key... address 0.0.0.0 0.0.0.0
!
interface Loopback1
interface FastEthernet0/0
interface virtual-Template1
L2TP_VPN_IN extended IP access list
RADIUS-server host 192.168.101.15 auth-port 1812 acct-port 1813

Debugging shows me
234195: * 3 Feb 18:53:38: ISAKMP (0:0): received 93.73.161.229 packet dport 500 sport 500 SA NEW Global (N)
234245: * 3 Feb 18:53:38: ISAKMP: (0): built the seller-02 ID NAT - t
234249: * 3 Feb 18:53:38: ISAKMP (0:0): received 93.73.161.229 packet 500 Global 500 (R) sport dport MM_SA_SETUP
234252: * 3 Feb 18:53:38: ISAKMP: (0): processing KE payload. Message ID = 0
234266: * 3 Feb 18:53:38: ISAKMP: (5912): lot of 93.73.161.229 sending my_port 500 peer_port 500 (R) MM_KEY_EXCH
234269: * 3 Feb 18:53:38: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) MM_KEY_EXCH sport
234274: * 3 Feb 18:53:38: ISAKMP: (5912): payload ID for treatment. Message ID = 0
234287: * 3 Feb 18:53:38: ISAKMP: (5912): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
234297: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
234299: * 3 Feb 18:53:38: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
234312: * 3 Feb 18:53:38: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234360: * 3 Feb 18:53:39: IPSEC (create_sa): its created.
Also when I connect with the phone, I see HIS Active and IPsec tunnel is mounted, but the wire of time tunnel is down and phone connects. I hope that you will help me. Thank you.

Hi dvecherkin1, Who IOS you're running, you could hit the next default. https://Tools.Cisco.com/bugsearch/bug/CSCsg34166/?reffering_site=dumpcr It may be useful
-Randy-
Evaluate the ticket to help others find the answer quickly.

Hello I am trying to configure an IPSec VPN tunnel between my company and a remote company for the use of FTP secure. I used the SDM to configure the tunnel on my router based on the information provided by the society that we are trying to connect to. The other company has provided my debug log when I was testing the connection, but I do not know how to read and what could be the problem. I hope someone here can give me an overview of what prevents the tunnel connection. Please let me know if you need more information. Thank you Peter Haase

Peter, Good job! Because the tunnel is up, we must not debugs. I'm glad that finally it works. HTH Sangaré

Similar Questions
Crypto ISAKMP debug is on
R2 #.
R2 #.
R2 #.
* 22:41:59.871 6 April: ISAKMP (0): received 66.66.66.52 packet dport 500 sport 500 SA NEW Global (N)
* 22:41:59.879 6 April: ISAKMP: created a struct peer 66.66.66.52, peer port 500
* 22:41:59.879 6 April: ISAKMP: new created position = 0x67E98D84 peer_handle = 0 x 80000002
* 22:41:59.883 6 April: ISAKMP: lock struct 0x67E98D84, refcount 1 to peer crypto_isakmp_process_block
* 22:41:59.887 6 April: ISAKMP: 500 local port, remote port 500
* 22:41:59.891 6 April: ISAKMP: (0): insert his with his 67E5DCD8 = success
* 22:41:59.911 6 April: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 22:41:59.911 6 April: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM1
* 6 April 22:41:59.935: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.939: ISAKMP: (0): IKE frag vendor processing id payload
* 6 April 22:41:59.939: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.943: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
* 22:41:59.947 6 April: ISAKMP (0): provider ID is NAT - T RFC 3947
* 6 April 22:41:59.947: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.951: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
* 6 April 22:41:59.955: ISAKMP: (0): provider ID is NAT - T v2
* 6 April 22:41:59.959: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.959: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
* 6 April 22:41:59.963: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.967: ISAKM
R2 #P: (0): provider ID seems the unit/DPD but major incompatibility of 241
* 6 April 22:41:59.971: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.971: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 184
* 6 April 22:41:59.975: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.979: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 134
* 22:41:59.983 6 April: ISAKMP: (0): pair found pre-shared key matching 66.66.66.52
* 6 April 22:41:59.987: ISAKMP: (0): pre-shared key local found
* 22:41:59.987 6 April: ISAKMP: analysis of the profiles for xauth...
* 22:41:59.991 6 April: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 10
* 22:41:59.995 6 April: ISAKMP: AES - CBC encryption
* 22:41:59.995 6 April: ISAKMP: keylength 256
* 22:41:59.999 6 April: ISAKMP: SHA hash
* 22:41:59.999 6 April: ISAKMP: unknown group of DH 20
* 22:41:59.999 6 April: ISAKMP: pre-shared key auth
* 22:42:00.003 6 April: ISAKMP: type of life in seconds
* 22:42:00.003 6 April: ISAKMP:
R2 # life expectancy (IPV) 0 x 0 0 x 0 0 x 70 0x80
* 22:42:00.011 6 April: ISAKMP: (0): free encryption algorithm does not match policy.
* 22:42:00.011 6 April: ISAKMP: (0): atts are not acceptable. Next payload is 3
* 22:42:00.011 6 April: ISAKMP: (0): audit ISAKMP transform 2 against the policy of priority 10
* 22:42:00.011 6 April: ISAKMP: AES - CBC encryption
* 22:42:00.011 6 April: ISAKMP: keylength 128
* 22:42:00.011 6 April: ISAKMP: SHA hash
* 22:42:00.011 6 April: ISAKMP: Diffie-Hellman group unknown 19
* 22:42:00.011 6 April: ISAKMP: pre-shared key auth
* 22:42:00.011 6 April: ISAKMP: type of life in seconds
* 22:42:00.011 6 April: ISAKMP: life (IPV) 0 x 0 0 x 0 0 x 70 0x80
* 22:42:00.011 6 April: ISAKMP: (0): free encryption algorithm does not match policy.
* 22:42:00.011 6 April: ISAKMP: (0): atts are not acceptable. Next payload is 3
* 22:42:00.011 6 April: ISAKMP: (0): audit ISAKMP transform 3 against the policy of priority 10
R2 #r 6 22:42:00.011: ISAKMP: AES - CBC encryption
* 22:42:00.011 6 April: ISAKMP: keylength 256
* 22:42:00.011 6 April: ISAKMP: SHA hash
* 22:42:00.011 6 April: ISAKMP: Diffie-Hellman group 14 unknown
* 22:42:00.011 6 April: ISAKMP: pre-shared key auth
* 22:42:00.011 6 April: ISAKMP: type of life in seconds
* 22:42:00.011 6 April: ISAKMP: life (IPV) 0 x 0 0 x 0 0 x 70 0x80
* 22:42:00.011 6 April: ISAKMP: (0): free encryption algorithm does not match policy.
* 22:42:00.011 6 April: ISAKMP: (0): atts are not acceptable. Next payload is 3
* 22:42:00.011 6 April: ISAKMP: (0): audit ISAKMP transform 4 against the policy of priority 10
* 22:42:00.011 6 April: ISAKMP: 3DES-CBC encryption
* 22:42:00.011 6 April: ISAKMP: SHA hash
* 22:42:00.011 6 April: ISAKMP: Diffie-Hellman group 14 unknown
* 22:42:00.011 6 April: ISAKMP: pre-shared key auth
* 22:42:00.011 6 April: ISAKMP: type of life in seconds
* 22:42:00.011 6 April: ISAKMP: life (IPV) 0 x 0 0 x 0 0 x 70 0x80
* 22:42:00.011 6 April: ISAKMP: (0): offered hash algorithm is
R2 # does not match policy.
* 22:42:00.011 6 April: ISAKMP: (0): atts are not acceptable. Next payload is 3
* 22:42:00.011 6 April: ISAKMP: (0): audit ISAKMP transform against the policy of priority 10 5
* 22:42:00.011 6 April: ISAKMP: 3DES-CBC encryption
* 22:42:00.011 6 April: ISAKMP: SHA hash
* 22:42:00.011 6 April: ISAKMP: group by default 2
* 22:42:00.011 6 April: ISAKMP: pre-shared key auth
* 22:42:00.011 6 April: ISAKMP: type of life in seconds
* 22:42:00.015 6 April: ISAKMP: life (IPV) 0 x 0 0 x 0 0 x 70 0x80
* 22:42:00.019 6 April: ISAKMP: (0): offered hash algorithm does not match policy.
* 22:42:00.023 6 April: ISAKMP: (0): atts are not acceptable. Next payload is 0
* 22:42:00.023 6 April: ISAKMP: (0): no offer is accepted!
* 6 April 22:42:00.027: ISAKMP: (0): phase 1 SA policy is not acceptable! (local 180.180.0.130 remote 66.66.66.52)
* 22:42:00.027 6 April: ISAKMP (0): increment the count of errors on his, try 1 of 5: construct_fail_ag_init
* 6 April 22:42:00.027: ISAKMP: (0): has no
R2 #construct AG information message.
* 6 April 22:42:00.027: ISAKMP: (0): lot of 66.66.66.52 sending my_port 500 peer_port 500 (R) MM_NO_STATE
* 22:42:00.027 6 April: ISAKMP: (0): sending a packet IPv4 IKE.
* 22:42:00.031 6 April: ISAKMP: (0): the peer is not paranoid KeepAlive.
* 6 April 22:42:00.039: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): IKE frag vendor processing id payload
* 6 April 22:42:00.039: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
* 22:42:00.039 6 April: ISAKMP (0): provider ID is NAT - T RFC 3947
* 6 April 22:42:00.039: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
* 6 April 22:42:00.039: ISAKMP: (0): provider ID is NAT - T v2
* 6 April 22:42:00.039: ISAKMP: (0)
R2 #: load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
* 6 April 22:42:00.039: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 241
* 6 April 22:42:00.039: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 184
* 6 April 22:42:00.039: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 134
* 22:42:00.039 6 April: ISAKMP (0): action of WSF returned the error: 2
* 22:42:00.039 6 April: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
* 22:42:00.039 6 April: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1
* 22:42:00.059 6 April: ISAKMP: unlock counterpart struct 0x67E98D84 for isadb_m
R2 #ark_sa_deleted (), count 0
* 22:42:00.067 6 April: ISAKMP: delete peer node by peer_reap for 66.66.66.52: 67E98D84
* 22:42:00.071 6 April: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
* 22:42:00.075 6 April: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_DEST_SA
* 22:42:00.087 6 April: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
* 22:42:00.087 6 April: ISAKMP: (0): former State = new State IKE_DEST_SA = IKE_DEST_SA
* 22:42:02.911 6 April: ISAKMP (0): received 66.66.66.52 packet 500 Global 500 (R) sport dport MM_NO_STATE
R2 #.
* 22:43:00.087 6 April: ISAKMP: (0): serving SA., his is 67E5DCD8, delme is 67E5DCD8
R2 #.
access-list acl_outside extended permit ip object-group HQ object-group ABC
access-list acl_outside extended permit tcp any host 10.10.20.10 eq 5269
access-list inside_nat0 extended permit ip object-group ABC object-group HQ
access-list inside_nat0 extended permit ip any 10.1.252.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
nat (inside) 0 access-list inside_nat0
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map vpn 65535 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp nat-traversal 3600
group-policy DefaultRAGroup attributes
 dns-server value 10.1.16.11 10.1.16.13
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value xyz.com
 split-dns value xyz.com
 intercept-dhcp 255.255.0.0 enable
 user-authentication enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
username cisco attributes
 vpn-tunnel-protocol l2tp-ipsec
 service-type remote-access
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
 address-pool vpngroup
 default-group-policy DefaultRAGroup
 password-management password-expire-in-days 30
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
SELLER (13) of the SELLER (13) of the SELLER (13) + the SELLER (13) + the SELLER (13) + the SELLER (13) + the SELLER (13) ++ NONE (0) overall length: 38
4
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, SA payload processing
Apr 04 14:59:36 [IKEv1]: failure of Phase 1: incompatibility of the types of attributes of class Group Description: RRs would be: unknown Cfg would have: Gr
our p
Apr 04 14:59:36 [IKEv1]: failure of Phase 1: incompatibility of the types of attributes of class Group Description: RRs would be: unknown Cfg would have: Gr
our p
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, Oakley proposal is acceptable
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload processing VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload processing VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, received NAT - Traversal RFC VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload processing VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, received NAT-Traversal worm 02 VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload processing VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, received Fragmentation VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload processing VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload processing VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload processing VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, IKE SA payload processing
Apr 04 14:59:36 [IKEv1]: failure of Phase 1: incompatibility of the types of attributes of class Group Description: RRs would be: unknown Cfg would have: Gr
our p
Apr 04 14:59:36 [IKEv1]: failure of Phase 1: incompatibility of the types of attributes of class Group Description: RRs would be: unknown Cfg would have: Gr
OUP 2
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, IKE SA proposal # 1, transform # 5 acceptable entry Matches overall IKE #.
1
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, build the payloads of ISAKMP security
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, constructing the payload of NAT-Traversal VID worm RFC
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, construction of Fragmentation VID + load useful functionality
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13)
NONE (0) + SELLER (13) overall length: 124
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + KE (4), NUNCIO (10)
NAT - D (20) + NAT - D (20), NONE (0) overall length: 260
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, processing ke payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload processing ISA_KE
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload NAT-discovery of treatment
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, calculation of hash discovered NAT
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload NAT-discovery of treatment
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, calculation of hash discovered NAT
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, building ke payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, building nonce payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, build payloads of Cisco Unity VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, constructing payload V6 VID xauth
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, Send IOS VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, ASA usurpation IOS Vendor ID payload construction (version: 1.0.0 capabilit)
IES: 20000001)
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, build payloads VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, NAT-discovery payload construction
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, calculation of hash discovered NAT
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, NAT-discovery payload construction
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, calculation of hash discovered NAT
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, connection landed on tunnel_group DefaultRAGroup
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Generating keys for answering machine...
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + KE (4), NUNCIO (10) +.
SELLER of the SELLER the SELLER (13) (13) (13) of the SELLER (13) + NAT - D (20) + NAT - D (20) ++ (0) NONE total length: 304
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + ID (5) + HASH (8) +.
NONE (0) overall length: 64
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:36 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, calculation of hash for ISAKMP
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, status of automatic NAT detection: remote endpoint IS be
Hind a NAT device this end is behind a NAT device
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, connection landed on tunnel_group DefaultRAGroup
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, construction of payload ID
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, build payloads of hash
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, calculation of hash for ISAKMP
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, building dpd vid payload
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR, ID (5) + HASH (8) + V
ENDOR (13) + (0) NONE total length: 84
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, PHASE 1 COMPLETED
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, for this connection Keep-alive type: None
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, Keep-alives configured on, but the peer does not support persistent (type = None)
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, timer to generate a new key to start P1: 21600 seconds.
Apr 04 14:59:36 [IKEv1 DECODER]: IP = 195.229.90.21, IKE Responder starting QM: id msg = 00000001
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 1) with payloads: HDR + HASH (8) + HER (1) +.
ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21), NUNCIO (10) + (0) NONE total length: 324
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, SA payload processing
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:36 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID remote Proxy Host: address
10.1.100.79, Protocol 17 Port 1701
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:36 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
185.78.161.254
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID local Proxy Host: address 1
85.78.161.254, Protocol 17 Port 1701
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, detected L2TP/IPSec session.
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed its not found old addr
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, static check card Crypto, card dyno, seq = 10 is a success
FUL game
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Selecting one-encapsulated-Tunnel UDP and UDP - en
pre-measured-Transport modes defined by NAT-Traversal
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, remote peer IKE configured crypto card: dyno
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, ITS processing IPSec payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IPSec SA proposal # 2, transform # 1 acceptable M
global security association entry IPSec matches # 10
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE: asking SPI!
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE got SPI engine key: SPI = 0x321170a2
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, quick mode of oakley constucting
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, empty building hash payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, building the IPSec Security Association Management
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, construction of support useful Nuncio IPSec
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing the ID of the proxy
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, transmission Proxy Id:
Remote host: 195.229.90.21 Protocol Port 17 0
Local host: 10.10.20.2 Protocol 17 Port 1701
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, construction of payload NAT Original address
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, construction of payload NAT Original address
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address sending NAT-Traversal
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, build payloads of hash qm
Apr 04 14:59:36 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE Responder sending 2nd QM pkt: id msg = 000000
01
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = 1) with payloads: HDR, HASH (8), HIS (1) + N
A TIMES (10) + ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21) + (0) NONE total length: 184
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 1) with payloads: HDR + HASH (8) + NO (0)
total length: 52
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, loading all IPSEC security associations
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, generate Quick Mode key!
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, NP encrypt rule looking for dyno carpet 10 crypto card
Ching unknown ACL: returned cs_id = ccf1ac00; rule = 00000000
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, generate Quick Mode key!
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, NP encrypt rule looking for dyno carpet 10 crypto card
Ching unknown ACL: returned cs_id = ccf1ac00; rule = 00000000
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, security full negotiation for user (Responder), in
related SPI, 0x321170a2, SPI = out = 0x8349be0f
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE got a msg KEY_ADD for SA: SPI = 0x8349be0f
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, pitcher: received KEY_UPDATE, spi 0x321170a2
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, timer to generate a new key to start P2: 3060 seconds.
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, PHASE 2 COMPLETED (msgid = 00000001)
Apr 04 14:59:36 [IKEv1]: rules of classification IKEQM_Active() Add L2TP: ip <195.229.90.21>mask <0xFFFFFFFF>port<4500>
Apr 04 14:59:38 [IKEv1 DECODER]: IP = 195.229.90.21, IKE Responder starting QM: id msg = 00000002
Apr 04 14:59:38 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 2) with payloads: HDR + HASH (8) + HER (1) +.
ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21), NUNCIO (10) + (0) NONE total length: 324
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, SA payload processing
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:38 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID remote Proxy Host: address
195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:38 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
185.78.161.254
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID local Proxy Host: address 1
0.10.20.2, Protocol 17 Port 1701
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, detected L2TP/IPSec session.
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, static check card Crypto, card dyno, seq = 10 is a success
FUL game
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Selecting one-encapsulated-Tunnel UDP and UDP - en
pre-measured-Transport modes defined by NAT-Traversal
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, remote peer IKE configured crypto card: dyno
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, ITS processing IPSec payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IPSec SA proposal # 2, transform # 1 acceptable M
global security association entry IPSec matches # 10
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE: asking SPI!
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, the delete unit Active process event generate a new key for outdoors
peer 195.229.90.21.
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, quick mode of oakley constucting
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, empty building hash payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, building the IPSec Security Association Management
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, construction of support useful Nuncio IPSec
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing the ID of the proxy
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, transmission Proxy Id:
Remote host: 195.229.90.21 Protocol Port 17 0
Local host: 10.10.20.2 Protocol 17 Port 1701
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, construction of payload NAT Original address
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, construction of payload NAT Original address
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address sending NAT-Traversal
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, build payloads of hash qm
Apr 04 14:59:38 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE Responder sending 2nd QM pkt: id msg = 000000
02
Apr 04 14:59:38 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = 2) with payloads: HDR, HASH (8), SA (1) + N
A TIMES (10) + ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21) + (0) NONE total length: 184
Apr 04 14:59:38 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 2) with payloads: HDR + HASH (8) + NO (0)
total length: 52
Apr 04 14:59:38 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = b0e14739) with payloads: HDR + HASH (8), OF
LETE (12) + (0) NONE total length: 68
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, removal of treatment
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE Received delete to resultants to reappear homologous IKE: 195,22
9.90.21, reappear addr: cd4874a0, msgid: 0x00000001
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, L2TP/IPSec: ignoring delete for a sentry (rekeyed m
SGID = 1)
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, loading all IPSEC security associations
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, generate Quick Mode key!
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, NP encrypt rule looking for dyno carpet 10 crypto card
Ching unknown ACL: returned cs_id = ccf1ac00; rule = 00000000
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, generate Quick Mode key!
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, NP encrypt rule looking for dyno carpet 10 crypto card
Ching unknown ACL: returned cs_id = ccf1ac00; rule = 00000000
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, security full negotiation for user (Responder), in
related SPI, 0xc9c523ea, SPI = out = 0x619b7d3a
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE got a msg KEY_ADD for SA: SPI = 0x619b7d3a
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, pitcher: received KEY_UPDATE, spi 0xc9c523ea
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, timer to generate a new key to start P2: 3060 seconds.
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, PHASE 2 COMPLETED (msgid = 00000002)
Apr 04 14:59:39 [IKEv1 DECODER]: IP = 195.229.90.21, IKE Responder starting QM: id msg = 00000003
Apr 04 14:59:39 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 3) with payloads: HDR + HASH (8) + HER (1) +.
ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21), NUNCIO (10) + (0) NONE total length: 324
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, SA payload processing
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:39 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:39 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID remote Proxy Host: address
195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:39 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
185.78.161.254
Apr 04 14:59:39 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID local Proxy Host: address 1
0.10.20.2, Protocol 17 Port 1701
Apr 04 14:59:39 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, detected L2TP/IPSec session.
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:39 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed its already be regenerated
Apr 04 14:59:39 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, error QM WSF (P2 struct & 0xcd51dbb8, mess id 0x3)!
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, case of mistaken IKE responder QM WSF (struct & 0xcd51
DBB8)
G--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
Apr 04 14:59:39 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, peer table correlator Removing failed, no match!
Apr 04 14:59:41 [IKEv1 DECODER]: IP = 195.229.90.21, IKE Responder starting QM: id msg = 00000003
Apr 04 14:59:41 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 3) with payloads: HDR + HASH (8) + HER (1) +.
ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21), NUNCIO (10) + (0) NONE total length: 324
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, SA payload processing
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:41 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:41 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID remote Proxy Host: address
195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:41 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
185.78.161.254
Apr 04 14:59:41 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID local Proxy Host: address 1
0.10.20.2, Protocol 17 Port 1701
Apr 04 14:59:41 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, detected L2TP/IPSec session.
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:41 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed its already be regenerated
Apr 04 14:59:41 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, error QM WSF (P2 struct & 0xcd5159c8, mess id 0x3)!
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, case of mistaken IKE responder QM WSF (struct & 0xcd51
59 c 8)
G--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
Apr 04 14:59:41 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, peer table correlator Removing failed, no match!
Apr 04 14:59:44 [IKEv1 DECODER]: IP = 195.229.90.21, IKE Responder starting QM: id msg = 00000003
Apr 04 14:59:44 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 3) with payloads: HDR + HASH (8) + HER (1) +.
ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21), NUNCIO (10) + (0) NONE total length: 324
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, SA payload processing
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:44 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:44 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID remote Proxy Host: address
195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:44 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
185.78.161.254
Apr 04 14:59:44 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID local Proxy Host: address 1
0.10.20.2, Protocol 17 Port 1701
Apr 04 14:59:44 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, detected L2TP/IPSec session.
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:44 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed its already be regenerated
Apr 04 14:59:44 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, error QM WSF (P2 struct & 0xcd5159c8, mess id 0x3)!
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, case of mistaken IKE responder QM WSF (struct & 0xcd51
59 c 8)
G--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
Apr 04 14:59:44 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, peer table correlator Removing failed, no match!
Apr 04 14:59:48 [IKEv1 DECODER]: IP = 195.229.90.21, IKE Responder starting QM: id msg = 00000003
Apr 04 14:59:48 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 3) with payloads: HDR + HASH (8) + HER (1) +.
ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21), NUNCIO (10) + (0) NONE total length: 324
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, SA payload processing
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:48 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID remote Proxy Host: address
195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:48 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
185.78.161.254
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID local Proxy Host: address 1
0.10.20.2, Protocol 17 Port 1701
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, detected L2TP/IPSec session.
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed its already be regenerated
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, error QM WSF (P2 struct & 0xcd5159c8, mess id 0x3)!
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, case of mistaken IKE responder QM WSF (struct & 0xcd51
59 c 8)
G--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, peer table correlator Removing failed, no match!
Apr 04 14:59:57 [IKEv1 DECODER]: IP = 195.229.90.21, IKE Responder starting QM: id msg = 00000003
Apr 04 14:59:57 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 3) with payloads: HDR + HASH (8) + HER (1) +.
ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21), NUNCIO (10) + (0) NONE total length: 324
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, SA payload processing
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:57 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID remote Proxy Host: address
195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:57 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
185.78.161.254
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID local Proxy Host: address 1
0.10.20.2, Protocol 17 Port 1701
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, detected L2TP/IPSec session.
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed its already be regenerated
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, error QM WSF (P2 struct & 0xcd515f40, mess id 0x3)!
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, case of mistaken IKE responder QM WSF (struct & 0xcd51
5f40)
G--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, peer table correlator Removing failed, no match!
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, empty building hash payload
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, building IPSec delete payload
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, build payloads of hash qm
04 Apr 15:00:08 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = 64ea9549) with payloads: HDR + HASH (8) + delete
SUMMER (12) + (0) NONE total length: 68
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Active unit receives an event would have expired for re
Mote 195.229.90.21 counterpart.
Proxy 10.10.20.2
04 Apr 15:00:08 [IKEv1 DEBUG]: pitcher: received the keys delete msg, spi 0x321170a2
04 Apr 15:00:11 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = d28ee0e6) with payloads: HDR + HASH (8), OF
LETE (12) + (0) NONE total length: 68
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, removal of treatment
04 Apr 15:00:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, completed for peer Connection. Reason: Put an end to Peer
Remote proxy 195.229.90.21 Proxy Local 10.10.20.2
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Active unit receives a delete for remote wet event
r 195.229.90.21.
Proxy 10.10.20.2
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE SA MM:a32eab27 RRs would end: MM_ACTIV of State
E flags 0 x 00000042, refcnt 1, tuncnt 0
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE SA MM:a32eab27 ending: flags 0 x 01000002,
refcnt 0, tuncnt 0
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, empty building hash payload
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing the payload to delete IKE
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, build payloads of hash qm
04 Apr 15:00:11 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = e5c290b6) with payloads: HDR + HASH (8) + delete
SUMMER (12) + (0) NONE total length: 80
04 Apr 15:00:11 [IKEv1 DEBUG]: pitcher: received the keys delete msg, spi 0xc9c523ea
04 Apr 15:00:11 [IKEv1 DEBUG]: pitcher: received the keys delete msg, spi 0xc9c523ea
04 Apr 15:00:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Session is be demolished. Reason: The user has requested
04 Apr 15:00:11 [IKEv1]: ignoring msg SA brand with Iddm 36864 dead because ITS removal
04 Apr 15:00:11 [IKEv1]: IP = 195.229.90.21, encrypted packet received with any HIS correspondent, drop
Rule ID: 0xCD487C20
IPSEC: Remove permitted outbound rule, SPI 0x243066CC
Rule ID: 0xCD51D3E8
IPSEC: Circumscribed outgoing VPN, SPI 0x243066CC context
Handle VPN: 0x00033D94
IPSEC: Deleted the inbound rule decrypt, SPI 0x44001D8E
Rule ID: 0xCD51DC68
IPSEC: Deleted the allowed inbound rule, SPI 0x44001D8E
Rule ID: 0xCD51DE08
IPSEC: Remove workflow rule entrants tunnel, SPI 0x44001D8E
Rule ID: 0xCD51CCF8
IPSEC: Circumscribed incoming VPN, SPI 0x44001D8E context
VPN handle: 0 x 00035734
IPSEC: Deleted leaving encrypt rule, SPI 0x9EF2CA7A
Rule ID: 0xCD3CD1E8
IPSEC: Remove permitted outbound rule, SPI 0x9EF2CA7A
Rule ID: 0xCD51AE20
IPSEC: Removed outbound VPN, SPI 0x9EF2CA7A context
Handle VPN: 0x00033D94
IPSEC: Deleted the inbound rule decrypt, SPI 0x866D812A
Rule ID: 0xCD487FD0
IPSEC: Deleted the allowed inbound rule, SPI 0x866D812A
Rule ID: 0xCCB3D7D0
IPSEC: Remove workflow rule entrants tunnel, SPI 0x866D812A
Rule ID: 0xCD48B110
IPSEC: Deleted incoming VPN, SPI 0x866D812A context
VPN handle: 0 x 00035734
IPSEC: HIS embryonic new created @ 0xCCB9C1F8.
RCS: 0XCD489170,
Direction: inbound
SPI: 0XADBC899B
Session ID: 0x0000E000
VPIF num: 0x00000001
Tunnel type: ra
Protocol: esp
Life expectancy: 240 seconds
IPSEC: HIS embryonic new created @ 0xCD17B2B8.
RCS: 0XCD4896C8,
Direction: outgoing
SPI: 0XD69313B6
Session ID: 0x0000E000
VPIF num: 0x00000001
Tunnel type: ra
Protocol: esp
Life expectancy: 240 seconds
IPSEC: Completed the update of NDONGO host, SPI 0xD69313B6
IPSEC: Creating outgoing VPN context, SPI 0xD69313B6
Flags: 0 x 00000225
SA: 0XCD17B2B8
SPI: 0XD69313B6
MTU: 1500 bytes
VCID: 0X00000000
Peer: 0x00000000
CBS: 0X010926E1
Channel: 0xC929B4C0
IPSEC: Finished outgoing VPN, SPI 0xD69313B6 context
Handle VPN: 0x00037A0C
IPSEC: New outbound encrypt rule, SPI 0xD69313B6
ADR SRC: 10.10.20.2
SRC mask: 255.255.255.255
ADR DST: 195.229.90.21
DST mask: 255.255.255.255
Ports of CBC
Superior: 1701
Bass: 1701
OP: equality
Ports of DST
Superior: 4500
Bass: 4500
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Finished out encrypt rule, SPI 0xD69313B6
Rule ID: 0xCD489970
IPSEC: New rule to permit outgoing, SPI 0xD69313B6
ADR SRC: 10.10.20.2
SRC mask: 255.255.255.255
ADR DST: 195.229.90.21
DST mask: 255.255.255.255
Ports of CBC
Superior: 4500
Bass: 4500
OP: equality
Ports of DST
Superior: 4500
Bass: 4500
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Finished allowed outbound rule, SPI 0xD69313B6
Rule ID: 0xCD4899F8
IPSEC: Completed the update of IBSA host, SPI 0xADBC899B
IPSEC: Create context incoming VPN, SPI 0xADBC899B
Flags: 0 x 00000226
SA: 0XCCB9C1F8
SPI: 0XADBC899B
MTU: 0 bytes
VCID: 0X00000000
Peer: 0x00037A0C
CBS: 0 X 01088849
Channel: 0xC929B4C0
IPSEC: Completed incoming VPN, SPI 0xADBC899B context
Handle VPN: 0x0003864C
IPSEC: updated outgoing VPN 0x00037A0C, SPI 0xD69313B6 context
Flags: 0 x 00000225
SA: 0XCD17B2B8
SPI: 0XD69313B6
MTU: 1500 bytes
VCID: 0X00000000
Peer: 0x0003864C
CBS: 0X010926E1
Channel: 0xC929B4C0
IPSEC: Finished outgoing VPN, SPI 0xD69313B6 context
Handle VPN: 0x00037A0C
IPSEC: Internal filled rule of outgoing traffic, SPI 0xD69313B6
Rule ID: 0xCD489970
IPSEC: External filled SPD rule of outgoing traffic, SPI 0xD69313B6
Rule ID: 0xCD4899F8
IPSEC: New entrants flow tunnel, SPI 0xADBC899B
ADR SRC: 195.229.90.21
SRC mask: 255.255.255.255
ADR DST: 10.10.20.2
DST mask: 255.255.255.255
Ports of CBC
High: 0
Low: 0
OP: ignore
Ports of DST
Superior: 1701
Bass: 1701
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Incoming Tunnel filled with flow, SPI 0xADBC899B
Rule ID: 0xC92B0518
IPSEC: New rule to decrypt incoming, SPI 0xADBC899B
ADR SRC: 195.229.90.21
SRC mask: 255.255.255.255
ADR DST: 10.10.20.2
DST mask: 255.255.255.255
Ports of CBC
Superior: 4500
Bass: 4500
OP: equality
Ports of DST
Superior: 4500
Bass: 4500
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Completed inbound rule decrypt, SPI 0xADBC899B
Rule ID: 0xCD3CD1A8
IPSEC: New rule incoming authorization, SPI 0xADBC899B
ADR SRC: 195.229.90.21
SRC mask: 255.255.255.255
ADR DST: 10.10.20.2
DST mask: 255.255.255.255
Ports of CBC
Superior: 4500
Bass: 4500
OP: equality
Ports of DST
Superior: 4500
Bass: 4500
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Finished entering permitted rule, SPI 0xADBC899B
Rule ID: 0xCD03D6F0
IPSEC: HIS embryonic new created @ 0xCD51AC70.
RCS: 0XCD51ABC0,
Direction: inbound
SPI: 0X89796CE7
Session ID: 0x0000E000
VPIF num: 0x00000001
Tunnel type: ra
Protocol: esp
Life expectancy: 240 seconds
IPSEC: HIS embryonic new created @ 0xCD488538.
RCS: 0XCD488D48,
Direction: outgoing
SPI: 0XEF66E002
Session ID: 0x0000E000
VPIF num: 0x00000001
Tunnel type: ra
Protocol: esp
Life expectancy: 240 seconds
IPSEC: Completed the update of NDONGO host, SPI 0xEF66E002
IPSEC: Finished outgoing VPN, SPI 0xEF66E002 context
Handle VPN: 0x00037A0C
IPSEC: New outbound encrypt rule, SPI 0xEF66E002
ADR SRC: 10.10.20.2
SRC mask: 255.255.255.255
ADR DST: 195.229.90.21
DST mask: 255.255.255.255
Ports of CBC
Superior: 1701
Bass: 1701
OP: equality
Ports of DST
Superior: 4500
Bass: 4500
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Finished out encrypt rule, SPI 0xEF66E002
Rule ID: 0xCD488948
IPSEC: New rule to permit outgoing, SPI 0xEF66E002
ADR SRC: 10.10.20.2
SRC mask: 255.255.255.255
ADR DST: 195.229.90.21
DST mask: 255.255.255.255
Ports of CBC
Superior: 4500
Bass: 4500
OP: equality
Ports of DST
Superior: 4500
Bass: 4500
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Finished allowed outbound rule, SPI 0xEF66E002
Rule ID: 0xCD51BEE0
IPSEC: Completed the update of IBSA host, SPI 0x89796CE7
IPSEC: Completed incoming VPN, SPI 0x89796CE7 context
Handle VPN: 0x0003864C
IPSEC: Finished outgoing VPN, SPI 0xEF66E002 context
Handle VPN: 0x00037A0C
IPSEC: Filled internal SPD rule of outgoing traffic, SPI 0xEF66E002
Rule ID: 0xCD488948
IPSEC: External filled SPD rule of outgoing traffic, SPI 0xEF66E002
Rule ID: 0xCD51BEE0
IPSEC: New entrants flow tunnel, SPI 0x89796CE7
ADR SRC: 195.229.90.21
SRC mask: 255.255.255.255
ADR DST: 10.10.20.2
DST mask: 255.255.255.255
Ports of CBC
High: 0
Low: 0
OP: ignore
Ports of DST
Superior: 1701
Bass: 1701
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Incoming Tunnel filled with flow, SPI 0x89796CE7
Rule ID: 0xCD51C6F0
IPSEC: New rule to decrypt incoming, SPI 0x89796CE7
ADR SRC: 195.229.90.21
SRC mask: 255.255.255.255
ADR DST: 10.10.20.2
DST mask: 255.255.255.255
Ports of CBC
Superior: 4500
Bass: 4500
OP: equality
Ports of DST
Superior: 4500
Bass: 4500
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Completed inbound rule decrypt, SPI 0x89796CE7
Rule ID: 0xCD487CC8
IPSEC: New rule incoming authorization, SPI 0x89796CE7
ADR SRC: 195.229.90.21
SRC mask: 255.255.255.255
ADR DST: 10.10.20.2
DST mask: 255.255.255.255
Ports of CBC
Superior: 4500
Bass: 4500
OP: equality
Ports of DST
Superior: 4500
Bass: 4500
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Finished entering permitted rule, SPI 0x89796CE7
Rule ID: 0xCD487E68
Please mark the thread as answered in favour of other members of the community.
Dinesh Moudgil
ASA 2.0000 Version 4
!
ASA5515-SSG520M hostname
activate the encrypted password of PVSASRJovmamnVkD
names of
!
interface GigabitEthernet0/0
nameif inside
security-level 100
IP 192.168.15.4 255.255.255.0
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
IP 192.168.5.3 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside
security-level 0
IP 160.83.172.8 255.255.255.224
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
nameif test
security-level 100
IP 192.168.168.219 255.255.255.0
!
interface Management0/0
management only
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
!
connection of the banner ^ C please disconnect if you are unauthorized access ^ C
connection of the banner please disconnect if you are unauthorized access
boot system Disk0: / asa922-4-smp - k8.bin
passive FTP mode
network of the SG object
192.168.15.0 subnet 255.255.255.0
network of the MK object
192.168.6.0 subnet 255.255.255.0
service of the TCP_5938 object
Service tcp destination eq 5938
Team Viewer description
service tcp_3306 object
Service tcp destination eq 3306
service tcp_465 object
tcp destination eq 465 service
service tcp_587 object
Service tcp destination eq 587
service tcp_995 object
tcp destination eq 995 service
service of the TCP_9000 object
tcp destination eq 9000 service
network of the Inside_host object
Home 192.168.15.202
service tcp_1111 object
Service tcp destination eq 1111
service tcp_7878 object
Service tcp destination eq 7878
service tcp_5060 object
SIP, service tcp destination eq
service tcp_5080 object
Service tcp destination eq 5080
network of the NETWORK_OBJ_192.168.15.0_24 object
192.168.15.0 subnet 255.255.255.0
inside_access_in list extended access allowed object SG ip everything
OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
access extensive list ip 192.168.15.0 outside_cryptomap allow 255.255.255.0 object MK
pager lines 24
Enable logging
timestamp of the record
exploitation forest-size of the buffer of 30000
debug logging in buffered memory
recording of debug trap
debugging in the history record
asdm of logging of information
host test 192.168.168.231 record
host test 192.168.168.203 record
Within 1500 MTU
MTU 1500 DMZ
Outside 1500 MTU
test MTU 1500
management of MTU 1500
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 7221.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source SG SG static destination MK MK non-proxy-arp-search to itinerary
!
network of the SG object
NAT dynamic interface (indoor, outdoor)
network of the Inside_host object
NAT (inside, outside) interface static 9000 9000 tcp service
inside_access_in access to the interface inside group
Access-group OUTSIDE_IN in interface outside
Route outside 0.0.0.0 0.0.0.0 160.83.172.x 1
Route inside 10.0.1.0 255.255.255.0 192.168.15.199 1
Route inside 10.0.2.0 255.255.255.0 192.168.15.199 1
Route inside 10.0.11.0 255.255.255.0 192.168.15.199 1
Route inside 10.1.0.0 255.255.0.0 192.168.15.199 1
Route inside 10.8.0.0 255.255.0.0 192.168.15.199 1
Route inside 10.104.0.0 255.255.0.0 192.168.15.199 1
Route inside 192.168.8.0 255.255.255.0 192.168.15.199 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps syslog
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map CRYPTO-map 2 match address outside_cryptomap
crypto map CRYPTO-map 2 set peer 103.246.3.54
crypto map CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map CRYPTO-map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map CRYPTO-map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
tunnel-group 143.216.30.7 type ipsec-l2l
tunnel-group 143.216.30.7 general-attributes
 default-group-policy GroupPolicy1
tunnel-group 143.216.30.7 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
Overall description
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ccce9a600b491c8db30143590825c01d
: end
ASA 2.0000 Version 4
!
hostname ASA5515-SSG5-MK
enable password PVSASRJovmamnVkD encrypted
names
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.6.70 255.255.255.0
!
interface GigabitEthernet0/1
 nameif DMZ
 security-level 50
 ip address 192.168.12.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 143.216.30.7 255.255.255.248
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 nameif test
 security-level 100
 ip address 192.168.168.218 255.255.255.0
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Port-channel1
 no nameif
 no security-level
 ip address 1.1.1.1 255.255.255.0
!
boot system disk0:/asa922-4-smp-k8.bin
ftp mode passive
clock timezone GMT+8 8
object network SG
 subnet 192.168.15.0 255.255.255.0
object network MK
 subnet 192.168.6.0 255.255.255.0
object service TCP_5938
 service tcp destination eq 5938
 description Team Viewer
object service tcp_3306
 service tcp destination eq 3306
object service tcp_465
 service tcp destination eq 465
object service tcp_587
 service tcp destination eq 587
object service tcp_995
 service tcp destination eq 995
object service TCP_9000
 service tcp destination eq 9000
object network Inside_host
 host 192.168.6.23
object service tcp_1111
 service tcp destination eq 1111
object service tcp_7878
 service tcp destination eq 7878
object service tcp_5060
 service tcp destination eq sip
object service tcp_5080
 service tcp destination eq 5080
object network NETWORK_OBJ_192.168.2.0_24
 subnet 192.168.6.0 255.255.255.0
access-list inside_access_in extended permit ip object SG any
access-list VPN-INTERESTING-TRAFFIC extended permit ip object MK object SG
access-list OUTSIDE_IN extended permit tcp any object Inside_host eq 9000 log
access-list outside_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object SG
pager lines 24
logging enable
logging timestamp
logging buffer-size 30000
logging buffered debugging
logging trap debugging
logging asdm informational
logging host test 192.168.168.231
logging host test 192.168.168.203
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
mtu test 1500
mtu management 1500
ip verify reverse-path interface management
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7221.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static MK MK destination static SG SG no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static SG SG no-proxy-arp route-lookup
!
object network MK
 nat (inside,outside) dynamic interface
object network Inside_host
 nat (inside,outside) static interface service tcp 9000 9000
access-group inside_access_in in interface inside
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 143.216.30.x 1
route inside 10.2.0.0 255.255.0.0 192.168.6.200 1
route inside 10.6.0.0 255.255.0.0 192.168.6.200 1
route inside 192.168.254.0 255.255.255.0 192.168.6.200 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server contact
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto map CRYPTO-map 2 match address outside_cryptomap
crypto map CRYPTO-map 2 set peer 160.83.172.8
crypto map CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map CRYPTO-map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
tunnel-group MK-to-SG type ipsec-l2l
tunnel-group MK-to-SG ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 160.83.172.8 type ipsec-l2l
tunnel-group 160.83.172.8 general-attributes
 default-group-policy GroupPolicy1
tunnel-group 160.83.172.8 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
class inspection_default
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key PAR_KEY address PAR_IP no-xauth
crypto isakmp key MAD_KEY address MAD_IP no-xauth
!
!
crypto ipsec transform-set ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP_3DES_SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP_3DES esp-3des
!
crypto map outside_map 10 ipsec-isakmp
set peer MAD_IP
set transform-set ESP_3DES_SHA1
set pfs group2
match address 120
crypto map outside_map 20 ipsec-isakmp
set peer PAR_IP
set transform-set ESP_3DES_SHA1 ESP_3DES_MD5 ESP_3DES
set pfs group2
match address 110
access-list 110 permit ip 10.40.42.0 0.0.1.255 10.20.42.0 0.0.1.255
access-list 120 permit ip 10.40.42.0 0.0.1.255 10.60.42.0 0.0.1.255
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key PAR_KEY address PAR_IP no-xauth
crypto isakmp key BARCELONE_KEY address BARCELONE_IP no-xauth
!
!
crypto ipsec transform-set ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP_3DES_SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP_3DES esp-3des
!
crypto map outside_map 20 ipsec-isakmp
set peer PAR_IP
set transform-set ESP_3DES_SHA1 ESP_3DES_MD5 ESP_3DES
set pfs group2
match address 110
crypto map outside_map 30 ipsec-isakmp
set peer BARCELONE_IP
set transform-set ESP_3DES_SHA1
set pfs group2
match address 120
access-list 110 permit ip 10.60.42.0 0.0.1.255 10.20.42.0 0.0.1.255
access-list 120 permit ip 10.60.42.0 0.0.1.255 10.40.42.0 0.0.1.255
Please mark replied messages useful
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local group radius
aaa authorization network default if-authenticated
aaa accounting network L2TP_RADIUS start-stop group radius
ip dhcp pool L2tp
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.1
 domain-name domain.local
 dns-server 192.168.101.12
 option 121 hex 18c0.a865.c0a8.6401
 option 249 hex 18c0.a865.c0a8.6401
!
vpdn-group sec_groupe
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 55
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
crypto ipsec security-association lifetime seconds 28000
!
crypto ipsec transform-set L2TP esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set 3DESMD5 esp-3des esp-md5-hmac
 mode transport require
!
!
crypto dynamic-map DYN-map 10
 set nat demux
 set transform-set L2TP
!
!
crypto map L2TP-VPN 10 ipsec-isakmp dynamic DYN-map
 description * L2TP GateWay *
 ip address 192.168.100.1 255.255.255.255
 description * Internet *
 ip address 95.6... 255.255.255.248
 ip access-group allow-in-of-wan in
 ip access-group allows-off-of-wan out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache policy
 duplex auto
 speed auto
 crypto map L2TP-VPN
!
 description * PPTP *
 ip unnumbered Loopback1
 ip access-group L2TP_VPN_IN in
 autodetect encapsulation ppp
 peer default ip address dhcp-pool L2tp
 no keepalive
 ppp mtu adaptive
 ppp encrypt mppe auto
 ppp authentication ms-chap-v2 callin
 ppp accounting L2TP_RADIUS
 permit icmp any any echo
 permit ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit udp any any eq bootps
 permit udp any any eq bootpc
 deny ip any any log
radius-server retry method reorder
radius-server retransmit 2
radius-server key 7 ...
234196: * 3 Feb 18:53:38: ISAKMP: created a struct peer 93.73.161.229, peer port 500
234197: * 3 Feb 18:53:38: ISAKMP: new position created post = 0x47D305BC peer_handle = 0x80007C5F
234198: * 3 Feb 18:53:38: ISAKMP: lock struct 0x47D305BC, refcount 1 to peer crypto_isakmp_process_block
234199: * 3 Feb 18:53:38: ISAKMP: 500 local port, remote port 500
234200: * 3 Feb 18:53:38: insert his with his 480CFF64 = success
234201: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
234202: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM1
234203: * 3 Feb 18:53:38: ISAKMP: (0): treatment ITS payload. Message ID = 0
234204: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234205: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
234206: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234207: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
234208: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234209: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
234210: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is NAT - T v2
234211: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234212: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
234213: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234214: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
234215: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234216: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is DPD
234217: * 3 Feb 18:53:38: ISAKMP: (0): looking for a key corresponding to 93.73.161.229 in default
234218: * 3 Feb 18:53:38: ISAKMP: (0): success
234219: * 3 Feb 18:53:38: ISAKMP: (0): pair found pre-shared key matching 93.73.161.229
234220: * 3 Feb 18:53:38: ISAKMP: (0): pre-shared key local found
234221: * 3 Feb 18:53:38: ISAKMP: analysis of the profiles for xauth...
234222: * 3 Feb 18:53:38: ISAKMP: (0): audit ISAKMP transform 1 against policy priority 5
234223: * 3 Feb 18:53:38: ISAKMP: type of life in seconds
234224: * 3 Feb 18:53:38: ISAKMP: life (basic) of 28800
234225: * 3 Feb 18:53:38: ISAKMP: 3DES-CBC encryption
234226: * 3 Feb 18:53:38: ISAKMP: pre-shared key auth
234227: * 3 Feb 18:53:38: ISAKMP: SHA hash
234228: * 3 Feb 18:53:38: ISAKMP: group by default 2
234229: * 3 Feb 18:53:38: ISAKMP: (0): atts are acceptable. Next payload is 3
234230: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234231: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
234232: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234233: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
234234: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234235: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
234236: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is NAT - T v2
234237: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234238: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
234239: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234240: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
234241: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234242: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is DPD
234243: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
234244: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1
234246: * 3 Feb 18:53:38: ISAKMP: (0): lot of 93.73.161.229 sending my_port 500 peer_port 500 (R) MM_SA_SETUP
234247: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
234248: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM2
234250: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
234251: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM2 = IKE_R_MM3
234253: * 3 Feb 18:53:38: crypto_engine: create DH shared secret
234254: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_DH_SHARE_SECRET (hw) (ipsec)
234255: * 3 Feb 18:53:38: ISAKMP: (0): processing NONCE payload. Message ID = 0
234256: * 3 Feb 18:53:38: ISAKMP: (0): looking for a key corresponding to 93.73.161.229 in default
234257: * 3 Feb 18:53:38: ISAKMP: (0): success
234258: * 3 Feb 18:53:38: ISAKMP: (0): pair found pre-shared key matching 93.73.161.229
234259: * 3 Feb 18:53:38: crypto_engine: create IKE SA
234260: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_SA_CREATE (hw) (ipsec)
234261: * 3 Feb 18:53:38: ISAKMP: receives the payload type 20
234262: * 3 Feb 18:53:38: ISAKMP: receives the payload type 20
234263: * 3 Feb 18:53:38: ISAKMP (0:5912): NAT found, the node outside NAT
234264: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
234265: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM3 = IKE_R_MM3
234267: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
234268: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM3 = IKE_R_MM4
234270: * 3 Feb 18:53:38: crypto_engine: package to decipher IKE
234271: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234272: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
234273: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM4 = IKE_R_MM5
234275: * 3 Feb 18:53:38: ISAKMP (0:5912): payload ID
next payload: 8
type: 1
address: 192.168.1.218
Protocol: 17
Port: 500
Length: 12
234276: * 3 Feb 18:53:38: ISAKMP: (5912): peer games * no * profiles
234277: * 3 Feb 18:53:38: ISAKMP: (5912): HASH payload processing. Message ID = 0
234278: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
234279: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234280: * 3 Feb 18:53:38: ISAKMP: (5912): SA authentication status:
authenticated
234281: * 3 Feb 18:53:38: ISAKMP: (5912): SA has been authenticated with 93.73.161.229
234282: * 3 Feb 18:53:38: ISAKMP: (5912): port detected floating port = 4500
234283: * 3 Feb 18:53:38: ISAKMP: attempts to insert a peer and inserted 95.6.../93.73.161.229/4500/ 47D305BC successfully.
234284: * 3 Feb 18:53:38: ISAKMP: (5912): IKE_DPD is enabled, the initialization of timers
234285: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
234286: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM5 = IKE_R_MM5
234288: * 3 Feb 18:53:38: ISAKMP (0:5912): payload ID
next payload: 8
type: 1
address: 95.6...
Protocol: 17
Port: 0
Length: 12
234289: * 3 Feb 18:53:38: ISAKMP: (5912): the total payload length: 12
234290: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
234291: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234292: * 3 Feb 18:53:38: crypto_engine: package to encrypt IKE
routerindc #.
234293: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT (hw) (ipsec)
234294: * 3 Feb 18:53:38: ISAKMP: (5912): lot of 93.73.161.229 sending peer_port my_port 4500 4500 (R) MM_KEY_EXCH
234295: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
234296: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE
234298: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
234300: * 3 Feb 18:53:38: ISAKMP: node set-893966165 to QM_IDLE
234301: * 3 Feb 18:53:38: crypto_engine: package to decipher IKE
234302: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234303: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
234304: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234305: * 3 Feb 18:53:38: ISAKMP: (5912): HASH payload processing. Message ID =-893966165
234306: * 3 Feb 18:53:38: ISAKMP: (5912): treatment protocol NOTIFIER INITIAL_CONTACT 1
SPI 0, message ID =-893966165, his 480CFF64 =
234307: * 3 Feb 18:53:38: ISAKMP: (5912): SA authentication status:
authenticated
234308: * 3 Feb 18:53:38: ISAKMP: (5912): process of first contact.
dropping existing phase 1 and 2 with 95.6 local... 93.73.161.229 remote remote port 4500
234309: * 3 Feb 18:53:38: ISAKMP: (5912): node-893966165 error suppression FALSE reason 'informational (en) State 1.
234310: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
234311: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
234313: * 3 Feb 18:53:39: % s-6-IPACCESSLOGRL: registration of limited or missed rates 150 packages of access list
234314: * 3 Feb 18:53:39: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
234315: * 3 Feb 18:53:39: ISAKMP: node set-1224389198 to QM_IDLE
234316: * 3 Feb 18:53:39: crypto_engine: package to decipher IKE
234317: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234318: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
234319: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234320: * 3 Feb 18:53:39: ISAKMP: (5912): HASH payload processing. Message ID =-1224389198
234321: * 3 Feb 18:53:39: ISAKMP: (5912): treatment ITS payload. Message ID =-1224389198
234322: * 3 Feb 18:53:39: ISAKMP: (5912): proposal of IPSec checking 1
234323: * 3 Feb 18:53:39: ISAKMP: turn 1, ESP_3DES
234324: * 3 Feb 18:53:39: ISAKMP: attributes of transformation:
234325: * 3 Feb 18:53:39: ISAKMP: type of life in seconds
234326: * 3 Feb 18:53:39: ISAKMP: life of HIS (basic) of 28800
234327: * 3 Feb 18:53:39: ISAKMP: program is 61444 (Transport-UDP)
234328: * 3 Feb 18:53:39: ISAKMP: authenticator is HMAC-SHA
234329: * 3 Feb 18:53:39: CryptoEngine0: validate the proposal
234330: * 3 Feb 18:53:39: ISAKMP: (5912): atts are acceptable.
234331: * 3 Feb 18:53:39: IPSEC (validate_proposal_request): part #1 of the proposal
(Eng. msg key.) Local INCOMING = 95.6..., distance = 93.73.161.229,.
local_proxy = 95.6.../255.255.255.255/17/1701 (type = 1),
remote_proxy = 93.73.161.229/255.255.255.255/17/0 (type = 1),
Protocol = ESP, transform = esp-3des esp-sha-hmac (UDP Transport),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
234332: * 3 Feb 18:53:39: map_db_find_best found no corresponding card
234333: * 3 Feb 18:53:39: ISAKMP: (5912): processing NONCE payload. Message ID =-1224389198
234334: * 3 Feb 18:53:39: ISAKMP: (5912): payload ID for treatment. Message ID =-1224389198
234335: * 3 Feb 18:53:39: ISAKMP: (5912): payload ID for treatment. Message ID =-1224389198
234336: * 3 Feb 18:53:39: ISAKMP: (5912): ask 1 spis of ipsec
234337: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
234338: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_READY = IKE_QM_SPI_STARVE
234339: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234340: * 3 Feb 18:53:39: IPSEC (spi_response): spi getting 834762579 for SA
of 95.6... to 93.73.161.229 for prot 3
234341: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
234342: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234343: * 3 Feb 18:53:39: crypto_engine: create Security Association IPSec (by QM)
routerindc #.
234344: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE (hw) (ipsec)
234345: * 3 Feb 18:53:39: crypto_engine: create Security Association IPSec (by QM)
234346: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE (hw) (ipsec)
234347: * 3 Feb 18:53:39: ISAKMP: (5912): establishing IPSec security associations
234348: * 3 Feb 18:53:39: from 93.73.161.229 to 95.6 SA... (f / i) 0 / 0
(93.73.161.229 to 95.6 proxy...)
234349: * 3 Feb 18:53:39: spi 0x31C17753 and id_conn a 0
234350: * 3 Feb 18:53:39: life of 28800 seconds
234351: * 3 Feb 18:53:39: ITS 95.6 outgoing... to 93.73.161.229 (f / i) 0/0
(proxy 95.6... to 93.73.161.229)
234352: * 3 Feb 18:53:39: spi 0x495A4BD and id_conn a 0
234353: * 3 Feb 18:53:39: life of 28800 seconds
234354: * 3 Feb 18:53:39: crypto_engine: package to encrypt IKE
234355: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT (hw) (ipsec)
234356: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234357: * 3 Feb 18:53:39: map_db_find_best found no corresponding card
234358: * 3 Feb 18:53:39: IPSec: rate allocated for brother 80000273 Flow_switching
234359: * 3 Feb 18:53:39: IPSEC (policy_db_add_ident): 95.6..., src dest 93.73.161.229, dest_port 4500
(his) sa_dest = 95.6..., sa_proto = 50.
sa_spi = 0x31C17753 (834762579).
sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 1165
234361: * 3 Feb 18:53:39: IPSEC (create_sa): its created.
(his) sa_dest = 93.73.161.229, sa_proto = 50,.
sa_spi = 0x495A4BD (76915901).
sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 1166
234362: * 3 Feb 18:53:39: ISAKMP: (5912): lot of 93.73.161.229 sending peer_port my_port 4500 4500 (R) QM_IDLE
234363: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
234364: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_SPI_STARVE = IKE_QM_R_QM2
234365: * 3 Feb 18:53:39: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
234366: * 3 Feb 18:53:39: crypto_engine: package to decipher IKE
234367: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234368: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
234369: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
routerindc #.
234370: * 3 Feb 18:53:39: ISAKMP: (5912): node-1224389198 error suppression FALSE reason 'QM (wait).
234371: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
234372: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
234373: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234374: * 3 Feb 18:53:39: IPSEC (key_engine_enable_outbound): rec would notify of ISAKMP
234375: * 3 Feb 18:53:39: IPSEC (key_engine_enable_outbound): select SA with spinnaker 76915901/50
234376: * 3 Feb 18:53:40: IPSEC (epa_des_crypt): decrypted packet has no control of her identity
routerindc #.
234377: * 3 Feb 18:53:42: IPSEC (epa_des_crypt): decrypted packet has no control of her identity
routerindc #.
234378: * 3 Feb 18:53:44: IPSEC (epa_des_crypt): decrypted packet has no control of her identity