ISR Server Aggressive Mode

ISR2900#show running-config 

Building configuration…

Current configuration : 5150 bytes
!
! Last configuration change at 10:16:27 UTC Thu Jul 18 2019
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISR2900
!
boot-start-marker
boot system flash0:c2900-universalk9-mz.SPA.157-3.M4a.bin
boot-end-marker
!
!
enable password cisco
!
aaa new-model
!
!
aaa authentication login AUTH local
aaa authorization network NET local
!
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2921/K9 sn FGL17101054
!
!
username cisco privilege 15 password 0 cisco
!
redundancy
!
crypto ikev2 proposal PROP
encryption aes-cbc-128
integrity sha256
group 2
!
crypto ikev2 policy ikev2policy
proposal PROP
!
crypto ikev2 keyring KEYRING
peer ALL
address 0.0.0.0 0.0.0.0
pre-shared-key local cisco123
pre-shared-key remote cisco123
!
!
!
crypto ikev2 profile ikev2_profile]
match identity remote address 192.168.1.100 255.255.255.0
identity local address 192.168.1.102
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
!
crypto ikev2 profile IKEv2_Profile
match identity remote address 192.168.1.100 255.255.255.0
identity local address 192.168.1.102
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
!
!
!
!
!
crypto isakmp policy 1
encr aes
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 5
!
crypto isakmp policy 10
lifetime 120
crypto isakmp key cisco123 address 192.168.1.210
crypto isakmp key cisco123 address 192.168.1.100
!
crypto isakmp client configuration group RA
key cisco
domain cisco.com
pool POOL
acl VPN-TRAFFIC
save-password
netmask 255.255.255.0
!
crypto isakmp peer address 192.168.1.210
set aggressive-mode password cisco123
set aggressive-mode client-endpoint ipv4-address 192.168.1.130
crypto isakmp profile test
match identity group RA
client authentication list AUTH
isakmp authorization list NET
client configuration address respond
client configuration group RA
virtual-template 1
!
!
crypto ipsec transform-set MY-SET esp-aes esp-md5-hmac
mode tunnel
crypto ipsec transform-set ISR esp-3des esp-sha384-hmac
mode tunnel
crypto ipsec transform-set myset esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set test esp-3des esp-sha-hmac
mode tunnel
!
!
crypto ipsec profile ipsecprof
set security-association lifetime kilobytes disable
set transform-set test
set isakmp-profile test
!
!
crypto map CM 10 ipsec-isakmp
set peer 192.168.1.100
set transform-set ISR
set ikev2-profile IKEv2_Profile
match address VPN-TRAFFIC
!
crypto map IPSEC-SITE-TO-SITE 10 ipsec-isakmp
set peer 192.168.1.100
set transform-set ISR
set pfs group2
match address VPN-TRAFFIC
!
crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp
set peer 192.168.1.210
set transform-set MY-SET
set pfs group2
match address VPN-TRAFFIC
!
crypto map ISR 1 ipsec-isakmp
! Incomplete
!
crypto map MC 10 ipsec-isakmp
set peer 192.168.1.0
set peer 192.168.1.100
set transform-set ISR
set ikev2-profile ikev2_profile]
match address ISR_VPN
!
!
!
!
!
interface Loopback1
ip address 11.11.11.11 255.255.255.0
!
interface Loopback2
ip address 12.12.12.12 255.255.255.0
!
interface Loopback3
ip address 13.13.13.13 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.1.130 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 172.16.1.10 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 192.168.2.102 255.255.255.0
duplex auto
speed auto
crypto map IPSEC-SITE-TO-SITE
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecprof
!
router rip
version 2
network 0.0.0.0
no auto-summary
!
ip local pool POOL 10.1.0.0 10.1.0.255
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip route 192.168.0.0 255.255.255.0 192.168.1.210
ip route 192.168.0.0 255.255.255.0 192.168.1.100
ip route 192.168.1.0 255.255.255.0 192.168.1.210
!
ip access-list extended ISR
ip access-list extended ISR_VPN
permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
ip access-list extended VPN-TRAFFIC
permit ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 11.11.11.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 12.12.12.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 13.13.13.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
ip access-list extended split
!
!
!
access-list 101 permit ip any any
!
!
!
control-plane
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password cisco
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Crypto Engine debugging is on

*Jul 18 10:17:00.458: ISAKMP-PAK: (0):received packet from 192.168.1.210 dport 500 sport 500 Global (N) NEW SA
*Jul 18 10:17:00.458: ISAKMP: (0):Created a peer struct for 192.168.1.210, peer port 500
*Jul 18 10:17:00.458: ISAKMP: (0):New peer created peer = 0xC0F779D8 peer_handle = 0x8000001E
*Jul 18 10:17:00.458: ISAKMP: (0):Locking peer struct 0xC0F779D8, refcount 1 for crypto_isakmp_process_block
*Jul 18 10:17:00.458: ISAKMP: (0):local port 500, remote port 500
*Jul 18 10:17:00.458: ISAKMP: (0):insert sa successfully sa = 3E24764C
*Jul 18 10:17:00.458: ISAKMP: (0):processing SA payload. message ID = 0
*Jul 18 10:17:00.458: ISAKMP: (0):processing ID payload. message ID = 0
*Jul 18 10:17:00.458: ISAKMP: (0):ID payload 
        next-payload : 13
        type         : 2
*Jul 18 10:17:00.458: ISAKMP: (0):      FQDN name    : RA
*Jul 18 10:17:00.458: ISAKMP: (0):      protocol     : 0 
        port         : 0 
        length       : 10
*Jul 18 10:17:00.458: ISAKMP: (0):peer matches test profile
*Jul 18 10:17:00.458: ISAKMP: (0):Setting client config settings 2203DCF0
*Jul 18 10:17:00.458: ISAKMP: (0):(Re)Setting client xauth list  and state
*Jul 18 10:17:00.458: ISAKMP: (0):xauth- initializing AAA request
*Jul 18 10:17:00.458: ISAKMP: (0): Profile test assigned peer the group named RA
*Jul 18 10:17:00.458: ISAKMP: (0):processing vendor id payload
*Jul 18 10:17:00.458: ISAKMP: (0):vendor ID seems Unity/DPD but major 215 mismatch
*Jul 18 10:17:00.458: ISAKMP: (0):vendor ID is XAUTH
*Jul 18 10:17:00.458: ISAKMP: (0):processing vendor id payload
*Jul 18 10:17:00.458: ISAKMP: (0):vendor ID is DPD
*Jul 18 10:17:00.458: ISAKMP: (0):processing vendor id payload
*Jul 18 10:17:00.458: ISAKMP: (0):vendor ID is Unity
*Jul 18 10:17:00.458: ISAKMP: (0):SA using tunnel password as pre-shared key.
*Jul 18 10:17:00.458: ISAKMP: (0):local preshared key found
*Jul 18 10:17:00.458: ISAKMP: (0):Authentication by xauth preshared
*Jul 18 10:17:00.458: ISAKMP: (0):Checking ISAKMP transform 1 against priority 1 policy
*Jul 18 10:17:00.458: ISAKMP: (0):      encryption AES-CBC
*Jul 18 10:17:00.458: ISAKMP: (0):      keylength of 128
*Jul 18 10:17:00.458: ISAKMP: (0):      hash MD5
*Jul 18 10:17:00.458: ISAKMP: (0):      default group 2
*Jul 18 10:17:00.458: ISAKMP: (0):      auth XAUTHInitPreShared
*Jul 18 10:17:00.458: ISAKMP: (0):      life type in seconds
*Jul 18 10:17:00.458: ISAKMP: (0):      life duration (basic) of 10800
*Jul 18 10:17:00.458: ISAKMP: (0):atts are acceptable. Next payload is 0
*Jul 18 10:17:00.458: ISAKMP: (0):Acceptable atts:actual life: 86400
*Jul 18 10:17:00.458: ISAKMP: (0):Acceptable atts:life: 0
*Jul 18 10:17:00.458: ISAKMP: (0):Basic life_in_seconds:10800
*Jul 18 10:17:00.458: ISAKMP: (0):Returning Actual lifetime: 10800
*Jul 18 10:17:00.458: ISAKMP: (0):Started lifetime timer: 10800.

*Jul 18 10:17:00.458: ISAKMP: (0):processing KE payload. message ID = 0
*Jul 18 10:17:00.458: crypto_engine: Create DH shared secret 
*Jul 18 10:17:00.482: ISAKMP: (0):processing NONCE payload. message ID = 0
*Jul 18 10:17:00.482: ISAKMP: (0):SA using tunnel password as pre-shared key.
*Jul 18 10:17:00.482: crypto_engine: Create IKE SA 
*Jul 18 10:17:00.482: crypto engine: deleting DH phase 2 SW:50 
*Jul 18 10:17:00.482: crypto_engine: Delete DH shared secret 
*Jul 18 10:17:00.482: ISAKMP: (1026):vendor ID is NAT-T RFC 3947
*Jul 18 10:17:00.482: ISAKMP: (1026):vendor ID is NAT-T v2
*Jul 18 10:17:00.482: ISAKMP: (1026):constructed NAT-T vendor-rfc3947 ID
*Jul 18 10:17:00.482: ISAKMP: (1026):SA is doing 
*Jul 18 10:17:00.482: ISAKMP: (1026):pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
*Jul 18 10:17:00.482: ISAKMP: (1026):ID payload 
        next-payload : 10
        type         : 1
*Jul 18 10:17:00.482: ISAKMP: (1026):   address      : 192.168.1.130
*Jul 18 10:17:00.482: ISAKMP: (1026):   protocol     : 0 
        port         : 0 
        length       : 12
*Jul 18 10:17:00.482: ISAKMP: (1026):Total payload length: 12
*Jul 18 10:17:00.482: crypto_engine: Generate IKE hash 
*Jul 18 10:17:00.482: ISAKMP-PAK: (1026):sending packet to 192.168.1.210 my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Jul 18 10:17:00.482: ISAKMP: (1026):Sending an IKE IPv4 Packet.
*Jul 18 10:17:00.482: ISAKMP: (1026):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Jul 18 10:17:00.482: ISAKMP: (1026):Old State = IKE_READY  New State = IKE_R_AM2 

*Jul 18 10:17:00.522: ISAKMP-PAK: (1026):received packet from 192.168.1.210 dport 4500 sport 4500 Global (R) AG_INIT_EXCH
*Jul 18 10:17:00.522: crypto_engine: Decrypt IKE packet 
*Jul 18 10:17:00.522: ISAKMP: (1026):processing HASH payload. message ID = 0
*Jul 18 10:17:00.522: crypto_engine: Generate IKE hash 
*Jul 18 10:17:00.522: ISAKMP: (1026):received payload type 20
*Jul 18 10:17:00.522: ISAKMP: (1026):His hash no match - this node outside NAT
*Jul 18 10:17:00.522: ISAKMP: (1026):received payload type 20
*Jul 18 10:17:00.522: ISAKMP: (1026):His hash no match - this node outside NAT
*Jul 18 10:17:00.522: ISAKMP: (1026):SA authentication status:
        authenticated
*Jul 18 10:17:00.522: ISAKMP: (1026):SA has been authenticated with 192.168.1.210
*Jul 18 10:17:00.522: ISAKMP: (1026):Detected port,floating to port = 4500
*Jul 18 10:17:00.522: ISAKMP: (0):Trying to insert a peer 192.168.1.130/192.168.1.210/4500/, 
*Jul 18 10:17:00.522: ISAKMP: (0): and inserted successfully C0F779D8.
*Jul 18 10:17:00.526: ISAKMP: (1026):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Jul 18 10:17:00.526: ISAKMP: (1026):Old State = IKE_R_AM2  New State = IKE_P1_COMPLETE 

*Jul 18 10:17:00.526: ISAKMP: (1026):Need XAUTH
*Jul 18 10:17:00.526: ISAKMP: (1026):set new node -1646091979 to CONF_XAUTH   
*Jul 18 10:17:00.526: ISAKMP: (1026):xauth- request attribute XAUTH_USER_NAME_V2
*Jul 18 10:17:00.526: ISAKMP: (1026):xauth- request attribute XAUTH_USER_PASSWORD_V2
*Jul 18 10:17:00.526: crypto_engine: Generate IKE hash 
*Jul 18 10:17:00.526: ISAKMP: (1026):initiating peer config to 192.168.1.210. ID = 2648875317
*Jul 18 10:17:00.526: crypto_engine: Encrypt IKE packet 
*Jul 18 10:17:00.526: ISAKMP-PAK: (1026):sending packet to 192.168.1.210 my_port 4500 peer_port 4500 (R) CONF_XAUTH   
*Jul 18 10:17:00.526: ISAKMP: (1026):Sending an IKE IPv4 Packet.
*Jul 18 10:17:00.526: ISAKMP: (1026):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jul 18 10:17:00.526: ISAKMP: (1026):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT 

*Jul 18 10:17:00.530: ISAKMP-PAK: (1026):received packet from 192.168.1.210 dport 4500 sport 4500 Global (R) CONF_XAUTH   
*Jul 18 10:17:00.530: crypto_engine: Decrypt IKE packet 
*Jul 18 10:17:00.530: ISAKMP: (1026):processing transaction payload from 192.168.1.210. message ID = -1646091979
*Jul 18 10:17:00.530: crypto_engine: Generate IKE hash 
*Jul 18 10:17:00.530: ISAKMP: (1026):Config payload REPLY
*Jul 18 10:17:00.530: ISAKMP: (1026):xauth-reply attribute XAUTH_USER_NAME_V2
*Jul 18 10:17:00.530: ISAKMP: (1026):xauth-reply attribute XAUTH_USER_PASSWORD_V2
*Jul 18 10:17:00.530: ISAKMP: (1026):deleting node -1646091979 error FALSE reason "Done with xauth request/reply exchange"
*Jul 18 10:17:00.530: ISAKMP: (1026):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
*Jul 18 10:17:00.530: ISAKMP: (1026):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT 

*Jul 18 10:17:00.530: ISAKMP: (1026):set new node 1104102926 to CONF_XAUTH   
*Jul 18 10:17:00.530: crypto_engine: Generate IKE hash 
*Jul 18 10:17:00.530: ISAKMP: (1026):initiating peer config to 192.168.1.210. ID = 1104102926
*Jul 18 10:17:00.530: crypto_engine: Encrypt IKE packet 
*Jul 18 10:17:00.530: ISAKMP-PAK: (1026):sending packet to 192.168.1.210 my_port 4500 peer_port 4500 (R) CONF_XAUTH   
*Jul 18 10:17:00.530: ISAKMP: (1026):Sending an IKE IPv4 Packet.
*Jul 18 10:17:00.530: ISAKMP: (1026):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
*Jul 18 10:17:00.530: ISAKMP: (1026):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT  New State = IKE_XAUTH_SET_SENT 

*Jul 18 10:17:00.534: ISAKMP-PAK: (1026):received packet from 192.168.1.210 dport 4500 sport 4500 Global (R) CONF_XAUTH   
*Jul 18 10:17:00.534: crypto_engine: Decrypt IKE packet 
*Jul 18 10:17:00.534: ISAKMP: (1026):processing transaction payload from 192.168.1.210. message ID = 1104102926
*Jul 18 10:17:00.534: crypto_engine: Generate IKE hash 
*Jul 18 10:17:00.534: ISAKMP: (1026):Config payload ACK
*Jul 18 10:17:00.534: ISAKMP: (1026):       XAUTH ACK Processed
*Jul 18 10:17:00.534: ISAKMP: (1026):deleting node 1104102926 error FALSE reason "Transaction mode done"
*Jul 18 10:17:00.534: ISAKMP: (1026):Talking to a Unity Client
*Jul 18 10:17:00.534: ISAKMP: (1026):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
*Jul 18 10:17:00.534: ISAKMP: (1026):Old State = IKE_XAUTH_SET_SENT  New State = IKE_P1_COMPLETE 

*Jul 18 10:17:00.534: ISAKMP: (1026):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jul 18 10:17:00.534: ISAKMP: (1026):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

*Jul 18 10:17:00.534: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 18 10:17:00.534: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
*Jul 18 10:17:00.534: ISAKMP-PAK: (1026):received packet from 192.168.1.210 dport 4500 sport 4500 Global (R) QM_IDLE      
*Jul 18 10:17:00.534: ISAKMP: (1026):set new node -1920751661 to QM_IDLE      
*Jul 18 10:17:00.538: crypto_engine: Decrypt IKE packet 
*Jul 18 10:17:00.542: ISAKMP: (1026):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jul 18 10:17:00.542: ISAKMP: (1026):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

*Jul 18 10:17:00.542: ISAKMP: (1026):Virtual-Access1 is created
*Jul 18 10:17:00.542: ISAKMP: (1026):src 192.168.1.210 dst 192.168.1.130
*Jul 18 10:17:00.546: ISAKMP: (1026):processing saved QM.
*Jul 18 10:17:00.546: crypto_engine: Generate IKE hash 
*Jul 18 10:17:00.546: ISAKMP: (1026):processing HASH payload. message ID = 2374215635
*Jul 18 10:17:00.546: ISAKMP: (1026):processing SA payload. message ID = 2374215635
*Jul 18 10:17:00.546: ISAKMP: (1026):Checking IPSec proposal 0
*Jul 18 10:17:00.546: ISAKMP: (1026):transform 1, ESP_3DES
*Jul 18 10:17:00.546: ISAKMP: (1026):   attributes in transform:
*Jul 18 10:17:00.546: ISAKMP: (1026):      authenticator is HMAC-SHA
*Jul 18 10:17:00.546: ISAKMP: (1026):      encaps is 3 (Tunnel-UDP)
*Jul 18 10:17:00.546: ISAKMP: (1026):      SA life type in seconds
*Jul 18 10:17:00.546: ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x51 0x80 
*Jul 18 10:17:00.546: ISAKMP: (1026):atts are acceptable.
*Jul 18 10:17:00.546: IPSEC(validate_proposal_request): proposal part #1
*Jul 18 10:17:00.546: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.1.130:0, remote= 192.168.1.210:0,
    local_proxy= 172.16.1.0/255.255.255.0/256/0,
    remote_proxy= 192.168.0.0/255.255.255.0/256/0,
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel-UDP), 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jul 18 10:17:00.546: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
*Jul 18 10:17:00.546: Crypto mapdb : proxy_match
        src addr     : 172.16.1.0
        dst addr     : 192.168.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Jul 18 10:17:00.546: (ipsec_process_proposal)Map Accepted: Virtual-Access1-head-0, 65537
*Jul 18 10:17:00.546: ISAKMP: (1026):processing NONCE payload. message ID = 2374215635
*Jul 18 10:17:00.546: ISAKMP: (1026):processing ID payload. message ID = 2374215635
*Jul 18 10:17:00.546: ISAKMP: (1026):processing ID payload. message ID = 2374215635
*Jul 18 10:17:00.546: ISAKMP: (1026):QM Responder gets spi
*Jul 18 10:17:00.546: ISAKMP: (1026):Node 2374215635, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 18 10:17:00.546: ISAKMP: (1026):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
*Jul 18 10:17:00.546: crypto_engine: Generate IKE hash 
*Jul 18 10:17:00.546: ISAKMP: (1026):Node 2374215635, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Jul 18 10:17:00.546: ISAKMP: (1026):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_IPSEC_INSTALL_AWAIT
*Jul 18 10:17:00.546: ISAKMP: (1026):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jul 18 10:17:00.546: ISAKMP: (1026):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

*Jul 18 10:17:00.546: IPSEC: Expand action denied, discard or forward packet.
*Jul 18 10:17:00.546: IPSEC: Expand action denied, notify RP
*Jul 18 10:17:00.546: IPSEC: Expand action denied, discard or forward packet.
*Jul 18 10:17:00.546: IPSEC: Expand action denied, discard or forward packet.
*Jul 18 10:17:00.546: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 18 10:17:00.546: Crypto mapdb : proxy_match
        src addr     : 172.16.1.0
        dst addr     : 192.168.0.0
        protocol     : 256
        src port     : 0
        dst port     : 0
*Jul 18 10:17:00.546: IPSEC(crypto_ipsec_create_ipsec_sas): Map found Virtual-Access1-head-0, 65537
*Jul 18 10:17:00.546: IPSEC(recalculate_mtu): reset sadb_root C0EFEF7C mtu to 1500
*Jul 18 10:17:00.546: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 192.168.1.210
*Jul 18 10:17:00.546: crypto_engine: Generate IKE QM keys 
*Jul 18 10:17:00.546: crypto_engine: Create IPSec SA (by keys) 
*Jul 18 10:17:00.546: crypto_engine: Generate IKE QM keys 
*Jul 18 10:17:00.546: crypto_engine: Create IPSec SA (by keys) 
*Jul 18 10:17:00.546: IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer C0CAA44C
*Jul 18 10:17:00.546: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.1.130, sa_proto= 50, 
    sa_spi= 0x9D67B2CE(2640818894), 
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2027
    sa_lifetime(k/sec)= (0/3600),
  (identity) local= 192.168.1.130:0, remote= 192.168.1.210:0,
    local_proxy= 172.16.1.0/255.255.255.0/256/0,
    remote_proxy= 192.168.0.0/255.255.255.0/256/0
*Jul 18 10:17:00.546: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.1.210, sa_proto= 50, 
    sa_spi= 0xC74254CF(3343013071), 
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2028
    sa_lifetime(k/sec)= (0/3600),
  (identity) local= 192.168.1.130:0, remote= 192.168.1.210:0,
    local_proxy= 172.16.1.0/255.255.255.0/256/0,
    remote_proxy= 192.168.0.0/255.255.255.0/256/0
*Jul 18 10:17:00.546: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
*Jul 18 10:17:00.550: IPSEC(rte_mgr): VPN Route Event Install new outbound sa: Create IPV4 route from ACL for 192.168.1.210
*Jul 18 10:17:00.550: IPSEC(rte_mgr): VPN Route Refcount 1 Virtual-Access1
*Jul 18 10:17:00.550: IPSEC(rte_mgr): VPN Route Added 192.168.0.0 255.255.255.0 via Virtual-Access1 in IP DEFAULT TABLE with tag 0 distance 1
*Jul 18 10:17:00.550: ISAKMP: (1026):Received IPSec Install callback... proceeding with the negotiation
*Jul 18 10:17:00.550: ISAKMP: (1026):Successfully installed IPSEC SA (SPI:0x9D67B2CE) on Virtual-Access1
*Jul 18 10:17:00.550: crypto_engine: Encrypt IKE packet 
*Jul 18 10:17:00.550: ISAKMP-PAK: (1026):sending packet to 192.168.1.210 my_port 4500 peer_port 4500 (R) QM_IDLE      
*Jul 18 10:17:00.550: ISAKMP: (1026):Sending an IKE IPv4 Packet.
*Jul 18 10:17:00.550: ISAKMP: (1026):Node 2374215635, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Jul 18 10:17:00.550: ISAKMP: (1026):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2
*Jul 18 10:17:00.554: ISAKMP-PAK: (1026):received packet from 192.168.1.210 dport 4500 sport 4500 Global (R) QM_IDLE      
*Jul 18 10:17:00.554: crypto_engine: Decrypt IKE packet 
*Jul 18 10:17:00.554: crypto_engine: Generate IKE hash 
*Jul 18 10:17:00.554: ISAKMP: (1026):deleting node -1920751661 error FALSE reason "QM done (await)"
*Jul 18 10:17:00.554: ISAKMP: (1026):Node 2374215635, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 18 10:17:00.554: ISAKMP: (1026):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
*Jul 18 10:17:00.554: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 18 10:17:00.554: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Jul 18 10:17:00.554: crypto engine: updating MTU size of IPSec SA Onboard VPN:28 to 1500 (overhead=62)
*Jul 18 10:17:00.554: crypto_engine: Set IPSec MTU 
*Jul 18 10:17:00.554: crypto engine: updating MTU size of IPSec SA Onboard VPN:28 to 1500 (overhead=62)
*Jul 18 10:17:00.554: crypto_engine: Set IPSec MTU 
*Jul 18 10:17:00.554: IPSEC: Expand action denied, notify RP
*Jul 18 10:17:00.554: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
ISR2900#u all
All possible debugging has been turned off
ISR2900#





ISR2900#show crypto isakmp sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.1.130   192.168.1.210   QM_IDLE           1026 ACTIVE

IPv6 Crypto ISAKMP SA

ISR2900#



ISR2900#show crypto isakmp sa detail 
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1026  192.168.1.130   192.168.1.210          ACTIVE aes  md5         2  02:50:47 XN  
       Engine-id:Conn-id =  SW:26

IPv6 Crypto ISAKMP SA

ISR2900#

ISR2900#show crypto engine connections active 
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
 1026  IKE     MD5+AES                   0        0        0 192.168.1.130
 2027  IPsec   3DES+SHA                  0     1158     1158 192.168.1.130
 2028  IPsec   3DES+SHA               5790        0        0 192.168.1.130

ISR2900#


ISR2900#show crypto ipsec sa

interface: Virtual-Access1
    Crypto map tag: Virtual-Access1-head-0, local addr 192.168.1.130

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 192.168.1.210 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 6041, #pkts encrypt: 6041, #pkts digest: 6041
    #pkts decaps: 1209, #pkts decrypt: 1209, #pkts verify: 1209
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.1.130, remote crypto endpt.: 192.168.1.210
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xC74254CF(3343013071)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x9D67B2CE(2640818894)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2027, flow_id: Onboard VPN:27, sibling_flags 80000040, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (sec): 2994
        Kilobyte Volume Rekey has been disabled
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC74254CF(3343013071)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2028, flow_id: Onboard VPN:28, sibling_flags 80000040, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (sec): 2994
        Kilobyte Volume Rekey has been disabled
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
ISR2900#
