Configure IKEv1 IPsec Site-to-Site Tunnels with the ASDM or CLI on the ASA

Contents

Introduction
Prerequisites
Requirements
Components Used
Configure
Network Diagram
Configure Via the ASDM VPN Wizard
Configure Via the CLI
Configure Site B for ASA Versions 8.4 and Later
Configure Site A for ASA Versions 8.2 and Earlier
Group Policy
Verify
ASDM
CLI
Phase 1
Phase 2
Troubleshoot
ASA Versions 8.4 and Later
ASA Versions 8.3 and Earlier

Introduction

This document describes how to configure an Internet Key Exchange version 1 (IKEv1) IPsec site-to-site tunnel between a Cisco 5515-X Series Adaptive Security Appliance (ASA) that runs software Version 9.2.x and a Cisco 5510 Series ASA that runs software Version 8.2.x.

Prerequisites

Requirements

Cisco recommends that these requirements be met before you attempt the configuration that is described in this document:

- The end-to-end IP connectivity must be established.
- These protocols must be allowed:
    - User Datagram Protocol (UDP) 500 and 4500 for the IPsec control plane
    - Encapsulating Security Payload (ESP) IP Protocol 50 for the IPsec data plane

Components Used

The information in this document is based on these software and hardware versions:

- Cisco 5510 Series ASA that runs software Version 8.2
- Cisco 5515-X ASA that runs the software Version 9.2

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Configure

This section describes how to configure the site-to-site VPN tunnel via the Adaptive Security Device Manager (ASDM) VPN wizard or via the CLI.

Network Diagram

This is the topology that is used for the examples throughout this document:

Configure Via the ASDM VPN Wizard

Complete these steps in order to set up the site-to-site VPN tunnel via the ASDM wizard:

1. Open the ASDM and navigate to Wizards > VPN Wizards > Site-to-site VPN Wizard:

2. Click Next once you reach the wizard home page:

   Note: The most recent ASDM versions provide a link to a video that explains this configuration.

3. Configure the peer IP address. In this example, the peer IP address is set to 192.168.1.1 on Site B. If you configure the peer IP address on Site A, it must be changed to 172.16.1.1. The interface through which the remote end can be reached is also specified. Click Next once complete.

4. Configure the local and remote networks (traffic source and destination). This image shows the configuration for Site B (the reverse applies for Site A):

5. On the Security page, configure the pre-shared key (it must match on both of the ends). Click Next once complete.

6. Configure the source interface for the traffic on the ASA. The ASDM automatically creates the Network Address Translation (NAT) rule based on the ASA version and pushes it with the rest of the configuration in the final step.

   Note: For the example that is used in this document, inside is the source of the traffic.

7. The wizard now provides a summary of the configuration that will be pushed to the ASA. Review and verify the configuration settings, and then click Finish.

Configure Via the CLI

This section describes how to configure the IKEv1 IPsec site-to-site tunnel via the CLI.

Configure Site B for ASA Versions 8.4 and Later

In ASA Versions 8.4 and later, support for both IKEv1 and Internet Key Exchange version 2 (IKEv2) was introduced.

Tip: For more information about the differences between the two versions, refer to the Why migrate to IKEv2 section of the Swift Migration of IKEv1 to IKEv2 L2L Tunnel Configuration on ASA 8.4 Code Cisco document.

Tip: For an IKEv2 configuration example with the ASA, refer to the Site-to-Site IKEv2 Tunnel between ASA and Router Configuration Examples Cisco document.

Phase 1 (IKEv1)

Complete these steps for the Phase 1 configuration:

1. Enter this command into the CLI in order to enable IKEv1 on the outside interface:

    crypto ikev1 enable outside

2. Create an IKEv1 policy that defines the algorithms/methods to be used for hashing, authentication, Diffie-Hellman group, lifetime, and encryption:

    crypto ikev1 policy 10
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400

3. Create a tunnel group under the IPsec attributes and configure the peer IP address and the tunnel pre-shared key:

    tunnel-group 192.168.1.1 type ipsec-l2l
    tunnel-group 192.168.1.1 ipsec-attributes
     ikev1 pre-shared-key cisco

Phase 2 (IPsec)

Complete these steps for the Phase 2 configuration:

1. Create an access list that defines the traffic to be encrypted and tunneled. In this example, the traffic of interest is the traffic from the tunnel that is sourced from the 10.2.2.0 subnet to the 10.1.1.0. It can contain multiple entries if there are multiple subnets involved between the sites.

   In Versions 8.4 and later, objects or object groups can be created that serve as containers for the networks, subnets, host IP addresses, or multiple objects. Create two objects that have the local and remote subnets and use them for both the crypto Access Control List (ACL) and the NAT statements.

    object network 10.2.2.0_24
     subnet 10.2.2.0 255.255.255.0
    object network 10.1.1.0_24
     subnet 10.1.1.0 255.255.255.0
    access-list 100 extended permit ip object 10.2.2.0_24 object 10.1.1.0_24

2. Configure the Transform Set (TS), which must involve the keyword IKEv1. An identical TS must be created on the remote end as well.

    crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac

3. Configure the crypto map, which contains these components:

   - The peer IP address
   - The defined access list that contains the traffic of interest
   - The TS
   - An optional Perfect Forward Secrecy (PFS) setting, which creates a new pair of Diffie-Hellman keys that are used in order to protect the data (both sides must be PFS-enabled before Phase 2 comes up)

4. Apply the crypto map on the outside interface:

    crypto map outside_map 20 match address 100
    crypto map outside_map 20 set peer 192.168.1.1
    crypto map outside_map 20 set ikev1 transform-set myset
    crypto map outside_map 20 set pfs
    crypto map outside_map interface outside

NAT Exemption

Ensure that the VPN traffic is not subjected to any other NAT rule. This is the NAT rule that is used:

    nat (inside,outside) 1 source static 10.2.2.0_24 10.2.2.0_24 destination static 10.1.1.0_24 10.1.1.0_24 no-proxy-arp route-lookup

Note: When multiple subnets are used, you must create object groups with all of the source and destination subnets and use them in the NAT rule.

Complete Sample Configuration

Here is the complete configuration for Site B:

    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    tunnel-group 192.168.1.1 type ipsec-l2l
    tunnel-group 192.168.1.1 ipsec-attributes
     ikev1 pre-shared-key cisco
    ! Note the IKEv1 keyword at the beginning of the pre-shared-key command.
    object network 10.2.2.0_24
     subnet 10.2.2.0 255.255.255.0
    object network 10.1.1.0_24
     subnet 10.1.1.0 255.255.255.0
    access-list 100 extended permit ip object 10.2.2.0_24 object 10.1.1.0_24
    crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
    crypto map outside_map 20 match address 100
    crypto map outside_map 20 set peer 192.168.1.1
    crypto map outside_map 20 set ikev1 transform-set myset
    crypto map outside_map 20 set pfs
    crypto map outside_map interface outside
    nat (inside,outside) 1 source static 10.2.2.0_24 10.2.2.0_24 destination static 10.1.1.0_24 10.1.1.0_24 no-proxy-arp route-lookup

Configure Site A for ASA Versions 8.2 and Earlier

This section describes how to configure Site A for ASA Versions 8.2 and earlier.

Phase 1 (ISAKMP)

Complete these steps for the Phase 1 configuration:

1. Enter this command into the CLI in order to enable Internet Security Association and Key Management Protocol (ISAKMP) on the outside interface:

    crypto isakmp enable outside

   Note: Because multiple versions of IKE (IKEv1 and IKEv2) are not supported any longer, the ISAKMP is used in order to refer to Phase 1.

2. Create an ISAKMP policy that defines the algorithms/methods to be used in order to build Phase 1.

   Note: In this example configuration, the keyword IKEv1 from Version 9.x is replaced with ISAKMP.

    crypto isakmp policy 10
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400

3. Create a tunnel group for the peer IP address (external IP address of 5515) with the pre-shared key:

    tunnel-group 172.16.1.1 type ipsec-l2l
    tunnel-group 172.16.1.1 ipsec-attributes
     pre-shared-key cisco

Phase 2 (IPsec)

Complete these steps for the Phase 2 configuration:

1. Similar to the configuration in Version 9.x, you must create an extended access list in order to define the traffic of interest.

    access-list 100 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

2. Define a TS that contains all of the available encryption and hashing algorithms (offered issues have a question mark). Ensure that it is identical to that which was configured on the other side.

    crypto ipsec transform-set myset esp-aes esp-sha-hmac

3. Configure a crypto map, which contains these components:

   - The peer IP address
   - The defined access list that contains the traffic of interest
   - The TS
   - An optional PFS setting, which creates a new pair of Diffie-Hellman keys that are used in order to protect the data (both sides must be PFS-enabled so that Phase 2 comes up)

4. Apply the crypto map on the outside interface:

    crypto map outside_map 20 set peer 172.16.1.1
    crypto map outside_map 20 match address 100
    crypto map outside_map 20 set transform-set myset
    crypto map outside_map 20 set pfs
    crypto map outside_map interface outside

NAT Exemption

Create an access list that defines the traffic to be exempted from the NAT checks. In this version, it appears similar to the access list that you defined for the traffic of interest:

    access-list nonat line 1 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

When multiple subnets are used, add another line to the same access list:

The access list is used with the NAT, as shown here:

    nat (inside) 0 access-list nonat

Note: The inside here refers to the name of the inside interface on which the ASA receives the traffic that matches the access list.

Complete Sample Configuration

Here is the complete configuration for Site A:

    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    tunnel-group 172.16.1.1 type ipsec-l2l
    tunnel-group 172.16.1.1 ipsec-attributes
     pre-shared-key cisco
    access-list 100 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
    crypto ipsec transform-set myset esp-aes esp-sha-hmac
    crypto map outside_map 20 set peer 172.16.1.1
    crypto map outside_map 20 match address 100
    crypto map outside_map 20 set transform-set myset
    crypto map outside_map 20 set pfs
    crypto map outside_map interface outside
    access-list nonat line 1 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
    nat (inside) 0 access-list nonat

Group Policy

Group policies are used in order to define specific settings that apply to the tunnel.
These policies are used in conjunction with the tunnel group. The group policy can be defined as either internal, which means that the attributes are pulled from that which is defined on the ASA, or it can be defined as external, where the attributes are queried from an external server. This is the command that is used in order to define the group policy:

    group-policy SITE_A internal

Note: You can define multiple attributes in the group policy. For a list of all possible attributes, refer to the Configuring Group Policies section of the Selected ASDM VPN Configuration Procedures for the Cisco ASA 5500 Series, Version 5.2.

Group Policy Optional Attributes

The vpn-tunnel-protocol attribute determines the tunnel type to which these settings should be applied. In this example, IPsec is used:

You have the option to configure the tunnel so that it stays idle (no traffic) and does not go down. In order to configure this option, the vpn-idle-timeout attribute value should use minutes, or you can set the value to none, which means that the tunnel never goes down. Here is an example:

The default-group-policy command under the general attributes of the tunnel group defines the group policy that is used in order to push certain policy settings for the tunnel that is established. The default settings for the options that you did not define in the group policy are taken from a global default group policy:

Verify

Use the information that is provided in this section in order to verify that your configuration works properly.
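
An added example (not part of the Cisco document): an offline check, in Python, that the two sample configurations agree wherever the page says both ends must match (pre-shared key, identical transform set, PFS on both sides, reversed local and remote networks). The configurations are abridged from the page's Site B and Site A samples; `parse`, `compare` and `_networks` are names chosen for this example, which assumes the command forms shown on this page.

```python
import ipaddress

# Abridged from the page's Site B (9.2) and Site A (8.2) sample configurations.
SITE_B = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 192.168.1.1 ipsec-attributes
 ikev1 pre-shared-key cisco
object network 10.2.2.0_24
 subnet 10.2.2.0 255.255.255.0
object network 10.1.1.0_24
 subnet 10.1.1.0 255.255.255.0
access-list 100 extended permit ip object 10.2.2.0_24 object 10.1.1.0_24
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 192.168.1.1
crypto map outside_map 20 set ikev1 transform-set myset
crypto map outside_map 20 set pfs
"""
SITE_A = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 172.16.1.1 ipsec-attributes
 pre-shared-key cisco
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto map outside_map 20 set peer 172.16.1.1
crypto map outside_map 20 match address 100
crypto map outside_map 20 set transform-set myset
crypto map outside_map 20 set pfs
"""

def _networks(args, objects):
    """Map 'object NAME' / 'ADDR MASK' pairs to a (source, destination) tuple."""
    return tuple(objects[v] if k == "object" else ipaddress.ip_network(f"{k}/{v}")
                 for k, v in zip(args[0::2], args[1::2]))

def parse(cfg):
    """Reduce one ASA configuration to the settings both tunnel ends must agree on."""
    s = {"phase1": {}, "acls": {}, "ts": {}, "objects": {}, "pfs": False}
    section = []
    for raw in cfg.splitlines():
        # 8.4+ adds the keyword "ikev1" where 8.2 uses "isakmp" or nothing at all.
        tok = [t for t in raw.split() if t not in ("ikev1", "isakmp")]
        if not tok or tok[0].startswith("!"):
            continue
        sub = raw.startswith(" ")  # indented line = sub-command of `section`
        if not sub:
            section = tok
        if sub and section[:2] == ["crypto", "policy"]:
            s["phase1"][tok[0]] = tok[1]
        elif sub and section[:2] == ["object", "network"] and tok[0] == "subnet":
            s["objects"][section[2]] = ipaddress.ip_network(f"{tok[1]}/{tok[2]}")
        elif sub and section[:1] == ["tunnel-group"] and tok[0] == "pre-shared-key":
            s["tunnel_group"], s["psk"] = section[1], tok[1]
        elif tok[0] == "access-list":
            pair = _networks(tok[tok.index("ip") + 1:], s["objects"])
            s["acls"].setdefault(tok[1], set()).add(pair)
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            s["ts"][tok[3]] = tuple(tok[4:])
        elif tok[:2] == ["crypto", "map"] and len(tok) > 5:
            if tok[4:6] == ["match", "address"]:
                s["crypto_acl"] = s["acls"][tok[6]]
            elif tok[4:6] == ["set", "peer"]:
                s["peer"] = tok[6]
            elif tok[4:6] == ["set", "transform-set"]:
                s["transforms"] = s["ts"][tok[6]]
            elif tok[4:6] == ["set", "pfs"]:
                s["pfs"] = True
    return s

def compare(a, b):
    """List every mismatch between two parsed ends that would keep the tunnel down."""
    problems = []
    # The lifetime is left out on purpose: the other four values must be identical.
    for key in ("authentication", "encryption", "hash", "group"):
        if a["phase1"].get(key) != b["phase1"].get(key):
            problems.append(f"Phase 1 {key} differs")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    if a["transforms"] != b["transforms"]:
        problems.append("transform sets differ")
    if a["pfs"] != b["pfs"]:
        problems.append("PFS is enabled on one side only")
    if a["crypto_acl"] != {(dst, src) for src, dst in b["crypto_acl"]}:
        problems.append("crypto ACLs are not mirror images")
    return problems

if __name__ == "__main__":
    print(compare(parse(SITE_B), parse(SITE_A)))
```

An empty list means the two ends agree; removing `set pfs` from one side, or changing one transform, produces the corresponding entry.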

ASDM

In order to view the tunnel status from the ASDM, navigate to Monitoring > VPN. This information is provided:

- The peer IP address
- The protocol that is used in order to build the tunnel
- The encryption algorithm that is used
- The time at which the tunnel came up and the up-time
- The number of packets that are received and transferred

Tip: Click Refresh in order to view the latest values, as the data does not update in real-time.

CLI

This section describes how to verify your configuration via the CLI.

Phase 1

Enter this command into the CLI in order to verify the Phase 1 configuration on the Site B (5515) side:

    show crypto ikev1 sa

    Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1 IKE Peer: 192.168.1.1
      Type: L2L Role: initiator
      Rekey: no State: MM_ACTIVE

Enter this command into the CLI in order to verify the Phase 1 configuration on the Site A (5510) side:

    show crypto isakmp sa

    Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1 IKE Peer: 172.16.1.1
      Type: L2L Role: initiator
      Rekey: no State: MM_ACTIVE

Phase 2

The show crypto ipsec sa command shows the IPsec SAs that are built between the peers. The encrypted tunnel is built between IP addresses 192.168.1.1 and 172.16.1.1 for the traffic that flows between the networks 10.1.1.0 and 10.2.2.0. You can see the two ESP SAs built for the inbound and outbound traffic. The Authentication Header (AH) is not used because there are no AH SAs.

Enter this command into the CLI in order to verify the Phase 2 configuration on the Site B (5515) side:

    interface: FastEthernet0
        Crypto map tag: outside_map, local addr. 172.16.1.1
        local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
        current_peer: 192.168.1.1
        PERMIT, flags={origin_is_acl,}
        #pkts encaps: 20, #pkts encrypt: 20, #pkts digest 20
        #pkts decaps: 20, #pkts decrypt: 20, #pkts verify 20
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0,
        #pkts decompress failed: 0, #send errors 0, #recv errors 0
        local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.1.1
        path mtu 1500, media mtu 1500
        current outbound spi: 3D3
        inbound esp sas:
            spi: 0x136A010F(325714191)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 3442, flow_id: 1443, crypto map: outside_map
            sa timing: remaining key lifetime (k/sec): (4608000/52)
            IV size: 8 bytes
            replay detection support: Y
        inbound ah sas:
        inbound pcp sas:
        inbound pcp sas:
        outbound esp sas:
            spi: 0x3D3(979)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 3443, flow_id: 1444, crypto map: outside_map
            sa timing: remaining key lifetime (k/sec): (4608000/52)
            IV size: 8 bytes
            replay detection support: Y
        outbound ah sas:
        outbound pcp sas

Enter this command into the CLI in order to verify the Phase 2 configuration on the Site A (5510) side:

    interface: FastEthernet0
        Crypto map tag: outside_map, local addr. 192.168.1.1
        local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
        current_peer: 172.16.1.1
        PERMIT, flags={origin_is_acl,}
        #pkts encaps: 20, #pkts encrypt: 20, #pkts digest 20
        #pkts decaps: 20, #pkts decrypt: 20, #pkts verify 20
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0,
        #pkts decompress failed: 0, #send errors 0, #recv errors 0
        local crypto endpt.: 192.168.1.1, remote crypto endpt.: 172.16.1.1
        path mtu 1500, media mtu 1500
        current outbound spi: 3D3
        inbound esp sas:
            spi: 0x136A010F(325714191)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 3442, flow_id: 1443, crypto map: outside_map
            sa timing: remaining key lifetime (k/sec): (4608000/52)
            IV size: 8 bytes
            replay detection support: Y
        inbound ah sas:
        inbound pcp sas:
        inbound pcp sas:
        outbound esp sas:
            spi: 0x3D3(979)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 3443, flow_id: 1444, crypto map: outside_map
            sa timing: remaining key lifetime (k/sec): (4608000/52)
            IV size: 8 bytes
            replay detection support: Y
        outbound ah sas:
        outbound pcp sas

Troubleshoot

Use the information that is provided in this section in order to troubleshoot configuration issues.

ASA Versions 8.4 and Later

Enter these debug commands in order to determine the location of the tunnel failure:

- debug crypto ikev1 127 (Phase 1)
- debug crypto ipsec 127 (Phase 2)

Here is a complete example debug output:

    IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.2.2.1, sport=19038, daddr=10.1.1.1, dport=19038
    IPSEC(crypto_map_check)-3: Checking crypto map outside_map 20: matched.
    Feb 13 23:48:56 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
    IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.2.2.1, sport=19038, daddr=10.1.1.1, dport=19038
    IPSEC(crypto_map_check)-3: Checking crypto map outside_map 20: matched.
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 192.168.1.1 local Proxy Address 10.2.2.0, remote Proxy Address 10.1.1.0, Crypto map (outside_map)
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, constructing ISAKMP SA payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, constructing NAT-Traversal VID ver 02 payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, constructing NAT-Traversal VID ver 03 payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, constructing NAT-Traversal VID ver RFC payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, constructing Fragmentation VID + extended capabilities payload
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
    Feb 13 23:48:56 [IKEv1]IKE Receiver: Packet received on 172.16.1.1:500 from 192.168.1.1:500
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, processing SA payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, Oakley proposal is acceptable
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, processing VID payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, Received NAT-Traversal ver 02 VID
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, processing VID payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, Received Fragmentation VID
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, constructing ke payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, constructing nonce payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, constructing Cisco Unity VID payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, constructing xauth V6 VID payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, Send IOS VID
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, constructing VID payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, constructing NAT-Discovery payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, computing NAT Discovery hash
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, constructing NAT-Discovery payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, computing NAT Discovery hash
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
    Feb 13 23:48:56 [IKEv1]IKE Receiver: Packet received on 172.16.1.1:500 from 192.168.1.1:500
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, processing ke payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, processing ISA_KE payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, processing nonce payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, processing VID payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, Received Cisco Unity client VID
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, processing VID payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, Received xauth V6 VID
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, processing VID payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, processing VID payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, processing NAT-Discovery payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, computing NAT Discovery hash
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, processing NAT-Discovery payload
    !
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, computing NAT Discovery hash
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, Connection landed on tunnel_group 192.168.1.1
    Feb 13 23:48:56 [IKEv1 DEBUG]!Group = 192.168.1.1, IP = 192.168.1.1, Generating keys for Initiator...
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, constructing ID payload
    Feb 13 23:48:56 [IKEv1 DEBUG]!Group = 192.168.1.1, IP = 192.168.1.1, constructing hash payload
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Computing hash for ISAKMP
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, Constructing IOS keep alive payload: proposal=32767/32767 sec.
    !
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/10 ms
    ciscoasa# Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, constructing dpd vid payload
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
    Feb 13 23:48:56 [IKEv1]Group = 192.168.1.1, IP = 192.168.1.1, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
    Feb 13 23:48:56 [IKEv1]IKE Receiver: Packet received on 172.16.1.1:500 from 192.168.1.1:500
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, processing ID payload
    Feb 13 23:48:56 [IKEv1 DECODE]Group = 192.168.1.1, IP = 192.168.1.1, ID_IPV4_ADDR ID received 192.168.1.1
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, processing hash payload
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Computing hash for ISAKMP
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, Processing IOS keep alive payload: proposal=32767/32767 sec.
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, processing VID payload
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Received DPD VID
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, Connection landed on tunnel_group 192.168.1.1
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Oakley begin quick mode
    Feb 13 23:48:56 [IKEv1 DECODE]Group = 192.168.1.1, IP = 192.168.1.1, IKE Initiator starting QM: msg id = 4c073b21
    Feb 13 23:48:56 [IKEv1]Group = 192.168.1.1, IP = 192.168.1.1, PHASE 1 COMPLETED
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, Keep-alive type for this connection: DPD
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Starting P1 rekey timer: 73440 seconds.
    IPSEC: New embryonic SA created @ 0x75298588,
        SCB: 0x75C34F18,
        Direction: inbound
        SPI: 0x03FC9DB7
        Session ID: 0x00004000
        VPIF num: 0x00000002
        Tunnel type: l2l
        Protocol: esp
        Lifetime: 240 seconds
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, IKE got SPI from key engine: SPI = 0x03fc9db7
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, oakley constucting quick mode
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, constructing blank hash payload
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, constructing IPSec SA payload
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, constructing IPSec nonce payload
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, constructing proxy ID
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Transmitting Proxy Id:
        Local subnet: 10.2.2.0 mask 255.255.255.0 Protocol 0 Port 0
        Remote subnet: 10.1.1.0 Mask 255.255.255.0 Protocol 0 Port 0
    Feb 13 23:48:56 [IKEv1 DECODE]Group = 192.168.1.1, IP = 192.168.1.1, IKE Initiator sending Initial Contact
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, constructing qm hash payload
    Feb 13 23:48:56 [IKEv1 DECODE]Group = 192.168.1.1, IP = 192.168.1.1, IKE Initiator sending 1st QM pkt: msg id = 4c073b21
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, IKE_DECODE SENDING Message (msgid=4c073b21) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200
    Feb 13 23:48:56 [IKEv1]IKE Receiver: Packet received on 172.16.1.1:500 from 192.168.1.1:500
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, IKE_DECODE RECEIVED Message (msgid=4c073b21) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, processing hash payload
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, processing SA payload
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, processing nonce payload
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, processing ID payload
    Feb 13 23:48:56 [IKEv1 DECODE]Group = 192.168.1.1, IP = 192.168.1.1, ID_IPV4_ADDR_SUBNET ID received--10.2.2.0--255.255.255.0
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, processing ID payload
    Feb 13 23:48:56 [IKEv1 DECODE]Group = 192.168.1.1, IP = 192.168.1.1, ID_IPV4_ADDR_SUBNET ID received--10.1.1.0--255.255.255.0
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, loading all IPSEC SAs
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Generating Quick Mode Key!
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, NP encrypt rule look up for crypto map outside_map 20 matching ACL 100: returned cs_id=6ef246d0; encrypt_rule=752972d0; tunnelFlow_rule=75ac8020
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Generating Quick Mode Key!
    IPSEC: New embryonic SA created @ 0x6f0e03f0,
        SCB: 0x75B6DD00,
        Direction: outbound
        SPI: 0x1BA0C55C
        Session ID: 0x00004000
        VPIF num: 0x00000002
        Tunnel type: l2l
        Protocol: esp
        Lifetime: 240 seconds
    IPSEC: Completed host OBSA update, SPI 0x1BA0C55C
    IPSEC: Creating outbound VPN context, SPI 0x1BA0C55C
        Flags: 0x00000005
        SA: 0x6f0e03f0
        SPI: 0x1BA0C55C
        MTU: 1500 bytes
        VCID: 0x00000000
        Peer: 0x00000000
        SCB: 0x0B47D387
        Channel: 0x6ef0a5c0
    IPSEC: Completed outbound VPN context, SPI 0x1BA0C55C
        VPN handle: 0x0000f614
    IPSEC: New outbound encrypt rule, SPI 0x1BA0C55C
        Src addr: 10.2.2.0
        Src mask: 255.255.255.0
        Dst addr: 10.1.1.0
        Dst mask: 255.255.255.0
        Src ports
          Upper: 0
          Lower: 0
          Op: ignore
        Dst ports
          Upper: 0
          Lower: 0
          Op: ignore
        Protocol: 0
        Use protocol: false
        SPI: 0x00000000
        Use SPI: false
    IPSEC: Completed outbound encrypt rule, SPI 0x1BA0C55C
        Rule ID: 0x74e1c558
    IPSEC: New outbound permit rule, SPI 0x1BA0C55C
        Src addr: 172.16.1.1
        Src mask: 255.255.255.255
        Dst addr: 192.168.1.1
        Dst mask: 255.255.255.255
        Src ports
          Upper: 0
          Lower: 0
          Op: ignore
        Dst ports
          Upper: 0
          Lower: 0
          Op: ignore
        Protocol: 50
        Use protocol: true
        SPI: 0x1BA0C55C
        Use SPI: true
    IPSEC: Completed outbound permit rule, SPI 0x1BA0C55C
        Rule ID: 0x6f0dec80
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, NP encrypt rule look up for crypto map outside_map 20 matching ACL 100: returned cs_id=6ef246d0; encrypt_rule=752972d0; tunnelFlow_rule=75ac8020
    Feb 13 23:48:56 [IKEv1]Group = 192.168.1.1, IP = 192.168.1.1, Security negotiation complete for LAN-to-LAN Group (192.168.1.1) Initiator, Inbound SPI = 0x03fc9db7, Outbound SPI = 0x1ba0c55c
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, oakley constructing final quick mode
    Feb 13 23:48:56 [IKEv1 DECODE]Group = 192.168.1.1, IP = 192.168.1.1, IKE Initiator sending 3rd QM pkt: msg id = 4c073b21
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, IKE_DECODE SENDING Message (msgid=4c073b21) with payloads : HDR + HASH (8) + NONE (0) total length : 76
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, IKE got a KEY_ADD msg for SA: SPI = 0x1ba0c55c
    IPSEC: New embryonic SA created @ 0x75298588,
        SCB: 0x75C34F18,
        Direction: inbound
        SPI: 0x03FC9DB7
        Session ID: 0x00004000
        VPIF num: 0x00000002
        Tunnel type: l2l
        Protocol: esp
        Lifetime: 240 seconds
    IPSEC: Completed host IBSA update, SPI 0x03FC9DB7
    IPSEC: Creating inbound VPN context, SPI 0x03FC9DB7
        Flags: 0x00000006
        SA: 0x75298588
        SPI: 0x03FC9DB7
        MTU: 0 bytes
        VCID: 0x00000000
        Peer: 0x0000F614
        SCB: 0x0B4707C7
        Channel: 0x6ef0a5c0
    IPSEC: Completed inbound VPN context, SPI 0x03FC9DB7
        VPN handle: 0x00011f6c
    IPSEC: Updating outbound VPN context 0x0000F614, SPI 0x1BA0C55C
        Flags: 0x00000005
        SA: 0x6f0e03f0
        SPI: 0x1BA0C55C
        MTU: 1500 bytes
        VCID: 0x00000000
        Peer: 0x00011F6C
        SCB: 0x0B47D387
        Channel: 0x6ef0a5c0
    IPSEC: Completed outbound VPN context, SPI 0x1BA0C55C
        VPN handle: 0x0000f614
    IPSEC: Completed outbound inner rule, SPI 0x1BA0C55C
        Rule ID: 0x74e1c558
    IPSEC: Completed outbound outer SPD rule, SPI 0x1BA0C55C
        Rule ID: 0x6f0dec80
    IPSEC: New inbound tunnel flow rule, SPI 0x03FC9DB7
        Src addr: 10.1.1.0
        Src mask: 255.255.255.0
        Dst addr: 10.2.2.0
        Dst mask: 255.255.255.0
        Src ports
          Upper: 0
          Lower: 0
          Op: ignore
        Dst ports
          Upper: 0
          Lower: 0
          Op: ignore
        Protocol: 0
        Use protocol: false
        SPI: 0x00000000
        Use SPI: false
    IPSEC: Completed inbound tunnel flow rule, SPI 0x03FC9DB7
        Rule ID: 0x74e1b4a0
    IPSEC: New inbound decrypt rule, SPI 0x03FC9DB7
        Src addr: 192.168.1.1
        Src mask: 255.255.255.255
        Dst addr: 172.16.1.1
        Dst mask: 255.255.255.255
        Src ports
          Upper: 0
          Lower: 0
          Op: ignore
        Dst ports
          Upper: 0
          Lower: 0
          Op: ignore
        Protocol: 50
        Use protocol: true
        SPI: 0x03FC9DB7
        Use SPI: true
    IPSEC: Completed inbound decrypt rule, SPI 0x03FC9DB7
        Rule ID: 0x6f0de830
    IPSEC: New inbound permit rule, SPI 0x03FC9DB7
        Src addr: 192.168.1.1
        Src mask: 255.255.255.255
        Dst addr: 172.16.1.1
        Dst mask: 255.255.255.255
        Src ports
          Upper: 0
          Lower: 0
          Op: ignore
        Dst ports
          Upper: 0
          Lower: 0
          Op: ignore
        Protocol: 50
        Use protocol: true
        SPI: 0x03FC9DB7
        Use SPI: true
    IPSEC: Completed inbound permit rule, SPI 0x03FC9DB7
        Rule ID: 0x6f0de8d8
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Pitcher: received KEY_UPDATE, spi 0x3fc9db7
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Starting P2 rekey timer: 24480 seconds.
Feb1323:48:56[IKEv1]Group=192.
168.
1.
1,IP=192.
168.
1.
1,PHASE2COMPLETED(msgid=4c073b21)ASAVersions8.
3andEarlierEnterthesedebugcommandsinordertodeterminethelocationofthetunnelfailure:debugcryptoisakmp127(Phase1)qdebugcryptoipsec127(Phase2)qHereisacompleteexampledebugoutput:Feb1304:19:53[IKEv1]:IP=172.
16.
1.
1,IKE_DECODERECEIVEDMessage(msgid=0)withpayloads:HDR+SA(1)+VENDOR(13)+VENDOR(13)+VENDOR(13)+VENDOR(13)+NONE(0)totallength:172Feb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,processingSApayloadFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,OakleyproposalisacceptableFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,processingVIDpayloadFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,ReceivedNAT-Traversalver02VIDFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,processingVIDpayloadFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,ReceivedNAT-Traversalver03VIDFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,processingVIDpayloadFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,ReceivedNAT-TraversalRFCVIDFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,processingVIDpayloadFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,ReceivedFragmentationVIDFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,IKEPeerincludedIKEfragmentationcapabilityflags:MainMode:TrueAggressiveMode:TrueFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,processingIKESApayloadFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,IKESAProposal#1,Transform#1acceptableMatchesglobalIKEentry#1Feb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,constructingISAKMPSApayloadFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,constructingNAT-TraversalVIDver02payloadFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,constructingFragmentationVID+extendedcapabilitiespayloadFeb1304:19:53[IKEv1]:IP=172.
16.
1.
1,IKE_DECODESENDINGMessage(msgid=0)withpayloads:HDR+SA(1)+VENDOR(13)+VENDOR(13)+NONE(0)totallength:132Feb1304:19:53[IKEv1]:IP=172.
16.
1.
1,IKE_DECODERECEIVEDMessage(msgid=0)withpayloads:HDR+KE(4)+NONCE(10)+VENDOR(13)+VENDOR(13)+VENDOR(13)+VENDOR(13)+NAT-D(130)+NAT-D(130)+NONE(0)totallength:304Feb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,processingkepayloadFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,processingISA_KEpayloadFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,processingnoncepayloadFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,processingVIDpayloadFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,ReceivedCiscoUnityclientVIDFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,processingVIDpayloadFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,ReceivedxauthV6VIDFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,processingVIDpayloadFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,ProcessingVPN3000/ASAspoofingIOSVendorIDpayload(version:1.
0.
0,capabilities:20000001)Feb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,processingVIDpayloadFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,ReceivedAltiga/CiscoVPN3000/CiscoASAGWVIDFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,processingNAT-DiscoverypayloadFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,computingNATDiscoveryhashFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,processingNAT-DiscoverypayloadFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,computingNATDiscoveryhashFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,constructingkepayloadFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,constructingnoncepayloadFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,constructingCiscoUnityVIDpayloadFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,constructingxauthV6VIDpayloadFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,SendIOSVIDFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,ConstructingASAspoofingIOSVendorIDpayload(version:1.
0.
0,capabilities:20000001)Feb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,constructingVIDpayloadFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,SendAltiga/CiscoVPN3000/CiscoASAGWVIDFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,constructingNAT-DiscoverypayloadFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,computingNATDiscoveryhashFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,constructingNAT-DiscoverypayloadFeb1304:19:53[IKEv1DEBUG]:IP=172.
16.
1.
1,computingNATDiscoveryhashFeb1304:19:53[IKEv1]:IP=172.
16.
1.
1,Connectionlandedontunnel_group172.
16.
1.
1Feb1304:19:53[IKEv1DEBUG]:Group=172.
16.
1.
1,IP=172.
16.
1.
1,GeneratingkeysforResponder.
.
.
Feb 13 04:19:53 [IKEv1]: IP = 172.16.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
Feb 13 04:19:53 [IKEv1]: IP = 172.16.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, processing ID payload
Feb 13 04:19:53 [IKEv1 DECODE]: Group = 172.16.1.1, IP = 172.16.1.1, ID_IPV4_ADDR ID received 172.16.1.1
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, processing hash payload
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, Computing hash for ISAKMP
Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, Processing IOS keep alive payload: proposal=32767/32767 sec.
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, processing VID payload
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, Received DPD VID
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Feb 13 04:19:53 [IKEv1]: IP = 172.16.1.1, Connection landed on tunnel_group 172.16.1.1
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, constructing ID payload
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, constructing hash payload
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, Computing hash for ISAKMP
Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, constructing dpd vid payload
Feb 13 04:19:53 [IKEv1]: IP = 172.16.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, PHASE 1 COMPLETED
Feb 13 04:19:53 [IKEv1]: IP = 172.16.1.1, Keep-alive type for this connection: DPD
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, Starting P1 rekey timer: 82080 seconds.
Feb 13 04:19:53 [IKEv1 DECODE]: IP = 172.16.1.1, IKE Responder starting QM: msg id = 4c073b21
Feb 13 04:19:53 [IKEv1]: IP = 172.16.1.1, IKE_DECODE RECEIVED Message (msgid=4c073b21) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, processing hash payload
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, processing SA payload
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, processing nonce payload
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, processing ID payload
Feb 13 04:19:53 [IKEv1 DECODE]: Group = 172.16.1.1, IP = 172.16.1.1, ID_IPV4_ADDR_SUBNET ID received--10.2.2.0--255.255.255.0
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, Received remote IP Proxy Subnet data in ID Payload: Address 10.2.2.0, Mask 255.255.255.0, Protocol 0, Port 0
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, processing ID payload
Feb 13 04:19:53 [IKEv1 DECODE]: Group = 172.16.1.1, IP = 172.16.1.1, ID_IPV4_ADDR_SUBNET ID received--10.1.1.0--255.255.255.0
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, Received local IP Proxy Subnet data in ID Payload: Address 10.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, processing notify payload
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, QM IsRekeyed old sa not found by addr
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, Static Crypto Map check, checking map = outside_map, seq = 20...
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, Static Crypto Map check, map outside_map, seq = 20 is a successful match
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, IKE Remote Peer configured for crypto map: outside_map
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, processing IPSec SA payload
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, IPSec SA Proposal # 1, Transform # 1 acceptable Matches global IPSec SA entry # 20
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, IKE: requesting SPI!
IPSEC: New embryonic SA created @ 0xAB5C63A8,
    SCB: 0xABD54E98,
    Direction: inbound
    SPI: 0x1BA0C55C
    Session ID: 0x00004000
    VPIF num: 0x00000001
    Tunnel type: l2l
    Protocol: esp
    Lifetime: 240 seconds
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, IKE got SPI from key engine: SPI = 0x1ba0c55c
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, oakley constucting quick mode
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, constructing blank hash payload
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, constructing IPSec SA payload
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, constructing IPSec nonce payload
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, constructing proxy ID
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, Transmitting Proxy Id:
    Remote subnet: 10.2.2.0 Mask 255.255.255.0 Protocol 0 Port 0
    Local subnet: 10.1.1.0 mask 255.255.255.0 Protocol 0 Port 0
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, constructing qm hash payload
Feb 13 04:19:53 [IKEv1 DECODE]: Group = 172.16.1.1, IP = 172.16.1.1, IKE Responder sending 2nd QM pkt: msg id = 4c073b21
Feb 13 04:19:53 [IKEv1]: IP = 172.16.1.1, IKE_DECODE SENDING Message (msgid=4c073b21) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172
Feb 13 04:19:53 [IKEv1]: IP = 172.16.1.1, IKE_DECODE RECEIVED Message (msgid=4c073b21) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, processing hash payload
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, loading all IPSEC SAs
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, Generating Quick Mode Key!
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, NP encrypt rule look up for crypto map outside_map 20 matching ACL 100: returned cs_id=ab9302f0; rule=ab9309b0
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, Generating Quick Mode Key!
IPSEC: New embryonic SA created @ 0xAB570B58,
    SCB: 0xABD55378,
    Direction: outbound
    SPI: 0x03FC9DB7
    Session ID: 0x00004000
    VPIF num: 0x00000001
    Tunnel type: l2l
    Protocol: esp
    Lifetime: 240 seconds
IPSEC: Completed host OBSA update, SPI 0x03FC9DB7
IPSEC: Creating outbound VPN context, SPI 0x03FC9DB7
    Flags: 0x00000005
    SA: 0xAB570B58
    SPI: 0x03FC9DB7
    MTU: 1500 bytes
    VCID: 0x00000000
    Peer: 0x00000000
    SCB: 0x01512E71
    Channel: 0xA7A98400
IPSEC: Completed outbound VPN context, SPI 0x03FC9DB7
    VPN handle: 0x0000F99C
IPSEC: New outbound encrypt rule, SPI 0x03FC9DB7
    Src addr: 10.1.1.0
    Src mask: 255.255.255.0
    Dst addr: 10.2.2.0
    Dst mask: 255.255.255.0
    Src ports Upper: 0 Lower: 0 Op: ignore
    Dst ports Upper: 0 Lower: 0 Op: ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0x03FC9DB7
    Rule ID: 0xABD557B0
IPSEC: New outbound permit rule, SPI 0x03FC9DB7
    Src addr: 192.168.1.1
    Src mask: 255.255.255.255
    Dst addr: 172.16.1.1
    Dst mask: 255.255.255.255
    Src ports Upper: 0 Lower: 0 Op: ignore
    Dst ports Upper: 0 Lower: 0 Op: ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x03FC9DB7
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0x03FC9DB7
    Rule ID: 0xABD55848
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, NP encrypt rule look up for crypto map outside_map 20 matching ACL 100: returned cs_id=ab9302f0; rule=ab9309b0
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, Security negotiation complete for LAN-to-LAN Group (172.16.1.1) Responder, Inbound SPI = 0x1ba0c55c, Outbound SPI = 0x03fc9db7
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, IKE got a KEY_ADD msg for SA: SPI = 0x03fc9db7
IPSEC: Completed host IBSA update, SPI 0x1BA0C55C
IPSEC: Creating inbound VPN context, SPI 0x1BA0C55C
    Flags: 0x00000006
    SA: 0xAB5C63A8
    SPI: 0x1BA0C55C
    MTU: 0 bytes
    VCID: 0x00000000
    Peer: 0x0000F99C
    SCB: 0x0150B419
    Channel: 0xA7A98400
IPSEC: Completed inbound VPN context, SPI 0x1BA0C55C
    VPN handle: 0x0001169C
IPSEC: Updating outbound VPN context 0x0000F99C, SPI 0x03FC9DB7
    Flags: 0x00000005
    SA: 0xAB570B58
    SPI: 0x03FC9DB7
    MTU: 1500 bytes
    VCID: 0x00000000
    Peer: 0x0001169C
    SCB: 0x01512E71
    Channel: 0xA7A98400
IPSEC: Completed outbound VPN context, SPI 0x03FC9DB7
    VPN handle: 0x0000F99C
IPSEC: Completed outbound inner rule, SPI 0x03FC9DB7
    Rule ID: 0xABD557B0
IPSEC: Completed outbound outer SPD rule, SPI 0x03FC9DB7
    Rule ID: 0xABD55848
IPSEC: New inbound tunnel flow rule, SPI 0x1BA0C55C
    Src addr: 10.2.2.0
    Src mask: 255.255.255.0
    Dst addr: 10.1.1.0
    Dst mask: 255.255.255.0
    Src ports Upper: 0 Lower: 0 Op: ignore
    Dst ports Upper: 0 Lower: 0 Op: ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x1BA0C55C
    Rule ID: 0xAB8D98A8
IPSEC: New inbound decrypt rule, SPI 0x1BA0C55C
    Src addr: 172.16.1.1
    Src mask: 255.255.255.255
    Dst addr: 192.168.1.1
    Dst mask: 255.255.255.255
    Src ports Upper: 0 Lower: 0 Op: ignore
    Dst ports Upper: 0 Lower: 0 Op: ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x1BA0C55C
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x1BA0C55C
    Rule ID: 0xABD55CB0
IPSEC: New inbound permit rule, SPI 0x1BA0C55C
    Src addr: 172.16.1.1
    Src mask: 255.255.255.255
    Dst addr: 192.168.1.1
    Dst mask: 255.255.255.255
    Src ports Upper: 0 Lower: 0 Op: ignore
    Dst ports Upper: 0 Lower: 0 Op: ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x1BA0C55C
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x1BA0C55C
    Rule ID: 0xABD55D48
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, Pitcher: received KEY_UPDATE, spi 0x1ba0c55c
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, Starting P2 rekey timer: 27360 seconds.
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, PHASE 2 COMPLETED (msgid=4c073b21)
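
The milestones a responder logs in the debug output above can be checked programmatically. The following Python is an added example, not part of the original Cisco document: it reports which negotiation milestones appear in a capture and the first one that is missing. It strips whitespace before matching, so it works whether or not the capture preserved spacing. The names PATTERNS, SAMPLE and summarize are assumptions made for illustration; the sample lines are taken from the output above.

```python
import re

# Lines taken from the debug output above, with spacing restored.
SAMPLE = """\
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, PHASE 1 COMPLETED
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, Received remote IP Proxy Subnet data in ID Payload: Address 10.2.2.0, Mask 255.255.255.0, Protocol 0, Port 0
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, Received local IP Proxy Subnet data in ID Payload: Address 10.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, Static Crypto Map check, map outside_map, seq = 20 is a successful match
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, Security negotiation complete for LAN-to-LAN Group (172.16.1.1) Responder, Inbound SPI = 0x1ba0c55c, Outbound SPI = 0x03fc9db7
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, PHASE 2 COMPLETED (msgid=4c073b21)
""".splitlines()

# Milestones in the order the responder logs them in a successful negotiation.
# Patterns are written without spaces because input is squeezed before matching.
PATTERNS = [
    ("phase1", re.compile(r"IP=([\d.]+),PHASE1COMPLETED")),
    ("remote_proxy", re.compile(
        r"ReceivedremoteIPProxySubnetdatainIDPayload:Address([\d.]+),Mask([\d.]+),")),
    ("local_proxy", re.compile(
        r"ReceivedlocalIPProxySubnetdatainIDPayload:Address([\d.]+),Mask([\d.]+),")),
    ("crypto_map", re.compile(
        r"StaticCryptoMapcheck,map([^,]+),seq=(\d+)isasuccessfulmatch")),
    ("spis", re.compile(r"InboundSPI=(0x[0-9a-f]{8}),OutboundSPI=(0x[0-9a-f]{8})")),
    ("phase2", re.compile(r"PHASE2COMPLETED\(msgid=([0-9a-f]+)\)")),
]


def summarize(lines):
    """Map each milestone seen to its captured values.

    'stalled_at' names the first milestone that never appeared, or is None
    when the capture runs through PHASE 2 COMPLETED.
    """
    found = {}
    for line in lines:
        squeezed = re.sub(r"\s+", "", line)  # tolerate lost or extra spacing
        for name, rx in PATTERNS:
            match = rx.search(squeezed)
            if match and name not in found:
                found[name] = match.groups()
    found["stalled_at"] = next((n for n, _ in PATTERNS if n not in found), None)
    return found
```

A capture that ends after the proxy ID lines yields stalled_at == "crypto_map", which points the review at the crypto map and its access list rather than at Phase 1.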