Configure IKEv1 IPsec Site-to-Site Tunnels with the ASDM or CLI on the ASA

Contents

Introduction
Prerequisites
Requirements
Components Used
Configure
Network Diagram
Configure Via the ASDM VPN Wizard
Configure Via the CLI
Configure Site B for ASA Versions 8.4 and Later
Configure Site A for ASA Versions 8.2 and Earlier
Group Policy
Verify
ASDM
CLI
Phase 1
Phase 2
Troubleshoot
ASA Versions 8.4 and Later
ASA Versions 8.3 and Earlier

Introduction

This document describes how to configure an Internet Key Exchange version 1 (IKEv1) IPsec site-to-site tunnel between a Cisco 5515-X Series Adaptive Security Appliance (ASA) that runs software Version 9.2.x and a Cisco 5510 Series ASA that runs software Version 8.2.x.

Prerequisites

Requirements

Cisco recommends that these requirements be met before you attempt the configuration that is described in this document:

- The end-to-end IP connectivity must be established.
- These protocols must be allowed:
  - User Datagram Protocol (UDP) 500 and 4500 for the IPsec control plane
  - Encapsulating Security Payload (ESP) IP Protocol 50 for the IPsec data plane

Components Used

The information in this document is based on these software and hardware versions:

- Cisco 5510 Series ASA that runs software Version 8.2
- Cisco 5515-X ASA that runs the software Version 9.2

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Configure

This section describes how to configure the site-to-site VPN tunnel via the Adaptive Security Device Manager (ASDM) VPN wizard or via the CLI.

Network Diagram

This is the topology that is used for the examples throughout this document:

Configure Via the ASDM VPN Wizard

Complete these steps in order to set up the site-to-site VPN tunnel via the ASDM wizard:

1. Open the ASDM and navigate to Wizards > VPN Wizards > Site-to-site VPN Wizard.

2. Click Next once you reach the wizard home page.

   Note: The most recent ASDM versions provide a link to a video that explains this configuration.

3. Configure the peer IP address. In this example, the peer IP address is set to 192.168.1.1 on Site B. If you configure the peer IP address on Site A, it must be changed to 172.16.1.1. The interface through which the remote end can be reached is also specified. Click Next once complete.

4. Configure the local and remote networks (traffic source and destination). This image shows the configuration for Site B (the reverse applies for Site A).

5. On the Security page, configure the pre-shared key (it must match on both of the ends). Click Next once complete.

6. Configure the source interface for the traffic on the ASA. The ASDM automatically creates the Network Address Translation (NAT) rule based on the ASA version and pushes it with the rest of the configuration in the final step.

   Note: For the example that is used in this document, inside is the source of the traffic.

7. The wizard now provides a summary of the configuration that will be pushed to the ASA. Review and verify the configuration settings, and then click Finish.

Configure Via the CLI

This section describes how to configure the IKEv1 IPsec site-to-site tunnel via the CLI.

Configure Site B for ASA Versions 8.4 and Later

In ASA Versions 8.4 and later, support for both IKEv1 and Internet Key Exchange version 2 (IKEv2) was introduced.

Tip: For more information about the differences between the two versions, refer to the Why migrate to IKEv2 section of the Swift Migration of IKEv1 to IKEv2 L2L Tunnel Configuration on ASA 8.4 Code Cisco document.

Tip: For an IKEv2 configuration example with the ASA, refer to the Site-to-Site IKEv2 Tunnel between ASA and Router Configuration Examples Cisco document.

Phase 1 (IKEv1)

Complete these steps for the Phase 1 configuration:

1. Enter this command into the CLI in order to enable IKEv1 on the outside interface:

    crypto ikev1 enable outside

2. Create an IKEv1 policy that defines the algorithms/methods to be used for hashing, authentication, Diffie-Hellman group, lifetime, and encryption:

    crypto ikev1 policy 10
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400

3. Create a tunnel group under the IPsec attributes and configure the peer IP address and the tunnel pre-shared key:

    tunnel-group 192.168.1.1 type ipsec-l2l
    tunnel-group 192.168.1.1 ipsec-attributes
     ikev1 pre-shared-key cisco
    ! Note the IKEv1 keyword at the beginning of the pre-shared-key command.

Phase 2 (IPsec)

Complete these steps for the Phase 2 configuration:

1. Create an access list that defines the traffic to be encrypted and tunneled. In this example, the traffic of interest is the traffic from the tunnel that is sourced from the 10.2.2.0 subnet to the 10.1.1.0. It can contain multiple entries if there are multiple subnets involved between the sites.

   In Versions 8.4 and later, objects or object groups can be created that serve as containers for the networks, subnets, host IP addresses, or multiple objects. Create two objects that have the local and remote subnets and use them for both the crypto Access Control List (ACL) and the NAT statements.

    object network 10.2.2.0_24
     subnet 10.2.2.0 255.255.255.0
    object network 10.1.1.0_24
     subnet 10.1.1.0 255.255.255.0
    access-list 100 extended permit ip object 10.2.2.0_24 object 10.1.1.0_24

2. Configure the Transform Set (TS), which must involve the keyword IKEv1. An identical TS must be created on the remote end as well.

    crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac

3. Configure the crypto map, which contains these components:

   - The peer IP address
   - The defined access list that contains the traffic of interest
   - The TS
   - An optional Perfect Forward Secrecy (PFS) setting, which creates a new pair of Diffie-Hellman keys that are used in order to protect the data (both sides must be PFS-enabled before Phase 2 comes up)

    crypto map outside_map 20 match address 100
    crypto map outside_map 20 set peer 192.168.1.1
    crypto map outside_map 20 set ikev1 transform-set myset
    crypto map outside_map 20 set pfs

4. Apply the crypto map on the outside interface:

    crypto map outside_map interface outside

NAT Exemption

Ensure that the VPN traffic is not subjected to any other NAT rule. This is the NAT rule that is used:

    nat (inside,outside) 1 source static 10.2.2.0_24 10.2.2.0_24 destination static 10.1.1.0_24 10.1.1.0_24 no-proxy-arp route-lookup

Note: When multiple subnets are used, you must create object groups with all of the source and destination subnets and use them in the NAT rule.

Complete Sample Configuration

Here is the complete configuration for Site B:

    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    tunnel-group 192.168.1.1 type ipsec-l2l
    tunnel-group 192.168.1.1 ipsec-attributes
     ikev1 pre-shared-key cisco
    ! Note the IKEv1 keyword at the beginning of the pre-shared-key command.
    object network 10.2.2.0_24
     subnet 10.2.2.0 255.255.255.0
    object network 10.1.1.0_24
     subnet 10.1.1.0 255.255.255.0
    access-list 100 extended permit ip object 10.2.2.0_24 object 10.1.1.0_24
    crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
    crypto map outside_map 20 match address 100
    crypto map outside_map 20 set peer 192.168.1.1
    crypto map outside_map 20 set ikev1 transform-set myset
    crypto map outside_map 20 set pfs
    crypto map outside_map interface outside
    nat (inside,outside) 1 source static 10.2.2.0_24 10.2.2.0_24 destination static 10.1.1.0_24 10.1.1.0_24 no-proxy-arp route-lookup

Configure Site A for ASA Versions 8.2 and Earlier

This section describes how to configure Site A for ASA Versions 8.2 and earlier.

Phase 1 (ISAKMP)

Complete these steps for the Phase 1 configuration:

1. Enter this command into the CLI in order to enable Internet Security Association and Key Management Protocol (ISAKMP) on the outside interface:

    crypto isakmp enable outside

   Note: Because multiple versions of IKE (IKEv1 and IKEv2) are not supported any longer, the ISAKMP is used in order to refer to Phase 1.

2. Create an ISAKMP policy that defines the algorithms/methods to be used in order to build Phase 1.

   Note: In this example configuration, the keyword IKEv1 from Version 9.x is replaced with ISAKMP.

    crypto isakmp policy 10
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400

3. Create a tunnel group for the peer IP address (external IP address of 5515) with the pre-shared key:

    tunnel-group 172.16.1.1 type ipsec-l2l
    tunnel-group 172.16.1.1 ipsec-attributes
     pre-shared-key cisco

Phase 2 (IPsec)

Complete these steps for the Phase 2 configuration:

1. Similar to the configuration in Version 9.x, you must create an extended access list in order to define the traffic of interest.

    access-list 100 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

2. Define a TS that contains all of the available encryption and hashing algorithms (offered issues have a question mark). Ensure that it is identical to that which was configured on the other side.

    crypto ipsec transform-set myset esp-aes esp-sha-hmac

3. Configure a crypto map, which contains these components:

   - The peer IP address
   - The defined access list that contains the traffic of interest
   - The TS
   - An optional PFS setting, which creates a new pair of Diffie-Hellman keys that are used in order to protect the data (both sides must be PFS-enabled so that Phase 2 comes up)

    crypto map outside_map 20 set peer 172.16.1.1
    crypto map outside_map 20 match address 100
    crypto map outside_map 20 set transform-set myset
    crypto map outside_map 20 set pfs

4. Apply the crypto map on the outside interface:

    crypto map outside_map interface outside

NAT Exemption

Create an access list that defines the traffic to be exempted from the NAT checks. In this version, it appears similar to the access list that you defined for the traffic of interest:

    access-list nonat line 1 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

When multiple subnets are used, add another line to the same access list.

The access list is used with the NAT, as shown here:

    nat (inside) 0 access-list nonat

Note: The inside here refers to the name of the inside interface on which the ASA receives the traffic that matches the access list.

Complete Sample Configuration

Here is the complete configuration for Site A:

    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    tunnel-group 172.16.1.1 type ipsec-l2l
    tunnel-group 172.16.1.1 ipsec-attributes
     pre-shared-key cisco
    access-list 100 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
    crypto ipsec transform-set myset esp-aes esp-sha-hmac
    crypto map outside_map 20 set peer 172.16.1.1
    crypto map outside_map 20 match address 100
    crypto map outside_map 20 set transform-set myset
    crypto map outside_map 20 set pfs
    crypto map outside_map interface outside
    access-list nonat line 1 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
    nat (inside) 0 access-list nonat

Group Policy

Group policies are used in order to define specific settings that apply to the tunnel. These policies are used in conjunction with the tunnel group. The group policy can be defined as either internal, which means that the attributes are pulled from that which is defined on the ASA, or it can be defined as external, where the attributes are queried from an external server.

This is the command that is used in order to define the group policy:

    group-policy SITE_A internal

Note: You can define multiple attributes in the group policy. For a list of all possible attributes, refer to the Configuring Group Policies section of the Selected ASDM VPN Configuration Procedures for the Cisco ASA 5500 Series, Version 5.2.

Group Policy Optional Attributes

The vpn-tunnel-protocol attribute determines the tunnel type to which these settings should be applied. In this example, IPsec is used.

You have the option to configure the tunnel so that it stays idle (no traffic) and does not go down. In order to configure this option, the vpn-idle-timeout attribute value should use minutes, or you can set the value to none, which means that the tunnel never goes down.

The default-group-policy command under the general attributes of the tunnel group defines the group policy that is used in order to push certain policy settings for the tunnel that is established. The default settings for the options that you did not define in the group policy are taken from a global default group policy.

Verify

Use the information that is provided in this section in order to verify that your configuration works properly.

ASDM

In order to view the tunnel status from the ASDM, navigate to Monitoring > VPN. This information is provided:

- The peer IP address
- The protocol that is used in order to build the tunnel
- The encryption algorithm that is used
- The time at which the tunnel came up and the up-time
- The number of packets that are received and transferred

Tip: Click Refresh in order to view the latest values, as the data does not update in real-time.
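
The configuration sections require several settings to agree on both ends: the pre-shared key, an identical transform set, PFS on both sides, and crypto ACLs that mirror each other. The following Python script is an added example, not part of the original Cisco document; it compares the two sample configurations offline for those points. The function names are made up for this illustration, and it assumes ACL entries use only the subnet or object forms shown in this document.

```python
import re

# Constructed from this document's sample configurations, trimmed to the
# commands that must agree. Site B uses 8.4+/9.x syntax, Site A uses 8.2.
SITE_B = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 192.168.1.1 ipsec-attributes
 ikev1 pre-shared-key cisco
object network 10.2.2.0_24
 subnet 10.2.2.0 255.255.255.0
object network 10.1.1.0_24
 subnet 10.1.1.0 255.255.255.0
access-list 100 extended permit ip object 10.2.2.0_24 object 10.1.1.0_24
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto map outside_map 20 match address 100
crypto map outside_map 20 set ikev1 transform-set myset
crypto map outside_map 20 set pfs
"""
SITE_A = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 172.16.1.1 ipsec-attributes
 pre-shared-key cisco
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto map outside_map 20 match address 100
crypto map outside_map 20 set transform-set myset
crypto map outside_map 20 set pfs
"""


def summarize(config):
    """Reduce one ASA config (either syntax) to the values the peers must share."""
    policies, objects, acls, tsets = {}, {}, {}, {}
    out, mode, acl, ts = {"psk": None, "pfs": None}, None, None, None
    for raw in filter(str.strip, config.splitlines()):
        w = raw.split()
        if not raw[0].isspace():              # a top-level command ends any sub-mode
            mode = None
        if mode and mode[0] == "policy":      # e.g. " encryption aes"
            policies[mode[1]][w[0]] = " ".join(w[1:])
        elif mode and mode[0] == "object" and w[0] == "subnet":
            objects[mode[1]] = (w[1], w[2])
        elif re.fullmatch(r"crypto (ikev1|isakmp) policy \d+", " ".join(w)):
            mode = ("policy", w[3])
            policies[w[3]] = {}
        elif w[:2] == ["object", "network"]:
            mode = ("object", w[2])
        elif "pre-shared-key" in w:           # 8.4+ puts "ikev1" in front of it
            out["psk"] = w[-1]
        elif w[:2] == ["crypto", "ipsec"] and "transform-set" in w:
            i = w.index("transform-set")
            tsets[w[i + 1]] = tuple(w[i + 2:])
        elif w[0] == "access-list" and "ip" in w:
            t = w[w.index("ip") + 1:]         # "object NAME" or "ADDR MASK", twice
            ends = [objects[t[i + 1]] if t[i] == "object" else (t[i], t[i + 1])
                    for i in (0, 2)]
            acls.setdefault(w[1], set()).add(tuple(ends))
        elif w[:2] == ["crypto", "map"] and "match" in w:
            acl = w[-1]
        elif w[:2] == ["crypto", "map"] and "set" in w:
            if "pfs" in w:
                out["pfs"] = " ".join(w[w.index("pfs") + 1:]) or "default"
            elif "transform-set" in w:        # "set [ikev1] transform-set NAME"
                ts = w[-1]
    # Lifetime is left out: peers with different lifetimes still negotiate.
    out["proposals"] = {tuple(sorted((k, v) for k, v in p.items() if k != "lifetime"))
                        for p in policies.values()}
    out["transform"], out["flows"] = tsets.get(ts), acls.get(acl, set())
    return out


def compare(site_a, site_b):
    """List the mismatches that would keep the tunnel from coming up."""
    a, b = summarize(site_a), summarize(site_b)
    checks = [
        (a["proposals"] & b["proposals"], "no common Phase 1 policy"),
        (a["psk"] and a["psk"] == b["psk"], "pre-shared keys differ"),
        (a["transform"] and a["transform"] == b["transform"], "transform sets differ"),
        (a["pfs"] == b["pfs"], "PFS setting differs"),
        (a["flows"] and {(d, s) for s, d in a["flows"]} == b["flows"],
         "crypto ACLs are not mirror images"),
    ]
    return [message for ok, message in checks if not ok]


if __name__ == "__main__":
    print(compare(SITE_A, SITE_B) or "Site A and Site B agree")
```

The result messages name the mismatching setting only and never echo the pre-shared key.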

CLI

This section describes how to verify your configuration via the CLI.

Phase 1

Enter this command into the CLI in order to verify the Phase 1 configuration on the Site B (5515) side:

    show crypto ikev1 sa

    Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: 192.168.1.1
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE

Enter this command into the CLI in order to verify the Phase 1 configuration on the Site A (5510) side:

    show crypto isakmp sa

    Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: 172.16.1.1
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE

Phase 2

The show crypto ipsec sa command shows the IPsec SAs that are built between the peers. The encrypted tunnel is built between IP addresses 192.168.1.1 and 172.16.1.1 for the traffic that flows between the networks 10.1.1.0 and 10.2.2.0. You can see the two ESP SAs built for the inbound and outbound traffic. The Authentication Header (AH) is not used because there are no AH SAs.

Enter this command into the CLI in order to verify the Phase 2 configuration on the Site B (5515) side:

    interface: FastEthernet0
        Crypto map tag: outside_map, local addr. 172.16.1.1

       local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
       current_peer: 192.168.1.1
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 20, #pkts encrypt: 20, #pkts digest 20
        #pkts decaps: 20, #pkts decrypt: 20, #pkts verify 20
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0,
        #pkts decompress failed: 0, #send errors 0, #recv errors 0

         local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.1.1
         path mtu 1500, media mtu 1500
         current outbound spi: 3D3

         inbound esp sas:
          spi: 0x136A010F(325714191)
            transform: esp-aes esp-sha-hmac,
            in use settings ={Tunnel,}
            slot: 0, conn id: 3442, flow_id: 1443, crypto map: outside_map
            sa timing: remaining key lifetime (k/sec): (4608000/52)
            IV size: 8 bytes
            replay detection support: Y
         inbound ah sas:
         inbound pcp sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0x3D3(979)
            transform: esp-aes esp-sha-hmac,
            in use settings ={Tunnel,}
            slot: 0, conn id: 3443, flow_id: 1444, crypto map: outside_map
            sa timing: remaining key lifetime (k/sec): (4608000/52)
            IV size: 8 bytes
            replay detection support: Y
         outbound ah sas:
         outbound pcp sas

Enter this command into the CLI in order to verify the Phase 2 configuration on the Site A (5510) side:

    interface: FastEthernet0
        Crypto map tag: outside_map, local addr. 192.168.1.1

       local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
       current_peer: 172.16.1.1
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 20, #pkts encrypt: 20, #pkts digest 20
        #pkts decaps: 20, #pkts decrypt: 20, #pkts verify 20
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0,
        #pkts decompress failed: 0, #send errors 0, #recv errors 0

         local crypto endpt.: 192.168.1.1, remote crypto endpt.: 172.16.1.1
         path mtu 1500, media mtu 1500
         current outbound spi: 3D3

         inbound esp sas:
          spi: 0x136A010F(325714191)
            transform: esp-aes esp-sha-hmac,
            in use settings ={Tunnel,}
            slot: 0, conn id: 3442, flow_id: 1443, crypto map: outside_map
            sa timing: remaining key lifetime (k/sec): (4608000/52)
            IV size: 8 bytes
            replay detection support: Y
         inbound ah sas:
         inbound pcp sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0x3D3(979)
            transform: esp-aes esp-sha-hmac,
            in use settings ={Tunnel,}
            slot: 0, conn id: 3443, flow_id: 1444, crypto map: outside_map
            sa timing: remaining key lifetime (k/sec): (4608000/52)
            IV size: 8 bytes
            replay detection support: Y
         outbound ah sas:
         outbound pcp sas

Troubleshoot

Use the information that is provided in this section in order to troubleshoot configuration issues.

ASA Versions 8.4 and Later

Enter these debug commands in order to determine the location of the tunnel failure:

- debug crypto ikev1 127 (Phase 1)
- debug crypto ipsec 127 (Phase 2)

Here is a complete example debug output:

    IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.2.2.1, sport=19038, daddr=10.1.1.1, dport=19038
    IPSEC(crypto_map_check)-3: Checking crypto map outside_map 20: matched.
    Feb 13 23:48:56 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
    IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.2.2.1, sport=19038, daddr=10.1.1.1, dport=19038
    IPSEC(crypto_map_check)-3: Checking crypto map outside_map 20: matched.
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 192.168.1.1 local Proxy Address 10.2.2.0, remote Proxy Address 10.1.1.0, Crypto map (outside_map)
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, constructing ISAKMP SA payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, constructing NAT-Traversal VID ver 02 payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, constructing NAT-Traversal VID ver 03 payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, constructing NAT-Traversal VID ver RFC payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, constructing Fragmentation VID + extended capabilities payload
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
    Feb 13 23:48:56 [IKEv1]IKE Receiver: Packet received on 172.16.1.1:500 from 192.168.1.1:500
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, processing SA payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, Oakley proposal is acceptable
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, processing VID payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, Received NAT-Traversal ver 02 VID
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, processing VID payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, Received Fragmentation VID
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, constructing ke payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, constructing nonce payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, constructing Cisco Unity VID payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, constructing xauth V6 VID payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, Send IOS VID
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, constructing VID payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, constructing NAT-Discovery payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, computing NAT Discovery hash
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, constructing NAT-Discovery payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, computing NAT Discovery hash
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
    Feb 13 23:48:56 [IKEv1]IKE Receiver: Packet received on 172.16.1.1:500 from 192.168.1.1:500
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, processing ke payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, processing ISA_KE payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, processing nonce payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, processing VID payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, Received Cisco Unity client VID
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, processing VID payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, Received xauth V6 VID
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, processing VID payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, processing VID payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, processing NAT-Discovery payload
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, computing NAT Discovery hash
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, processing NAT-Discovery payload!
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, computing NAT Discovery hash
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, Connection landed on tunnel_group 192.168.1.1
    Feb 13 23:48:56 [IKEv1 DEBUG]!Group = 192.168.1.1, IP = 192.168.1.1, Generating keys for Initiator...
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, constructing ID payload
    Feb 13 23:48:56 [IKEv1 DEBUG]!Group = 192.168.1.1, IP = 192.168.1.1, constructing hash payload
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Computing hash for ISAKMP
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, Constructing IOS keep alive payload: proposal=32767/32767 sec.
    !
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/10 ms
    ciscoasa# Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, constructing dpd vid payload
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
    Feb 13 23:48:56 [IKEv1]Group = 192.168.1.1, IP = 192.168.1.1, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
    Feb 13 23:48:56 [IKEv1]IKE Receiver: Packet received on 172.16.1.1:500 from 192.168.1.1:500
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, processing ID payload
    Feb 13 23:48:56 [IKEv1 DECODE]Group = 192.168.1.1, IP = 192.168.1.1, ID_IPV4_ADDR ID received 192.168.1.1
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, processing hash payload
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Computing hash for ISAKMP
    Feb 13 23:48:56 [IKEv1 DEBUG]IP = 192.168.1.1, Processing IOS keep alive payload: proposal=32767/32767 sec.
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, processing VID payload
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Received DPD VID
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, Connection landed on tunnel_group 192.168.1.1
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Oakley begin quick mode
    Feb 13 23:48:56 [IKEv1 DECODE]Group = 192.168.1.1, IP = 192.168.1.1, IKE Initiator starting QM: msg id = 4c073b21
    Feb 13 23:48:56 [IKEv1]Group = 192.168.1.1, IP = 192.168.1.1, PHASE 1 COMPLETED
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, Keep-alive type for this connection: DPD
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Starting P1 rekey timer: 73440 seconds.
    IPSEC: New embryonic SA created @ 0x75298588,
        SCB: 0x75C34F18,
        Direction: inbound
        SPI: 0x03FC9DB7
        Session ID: 0x00004000
        VPIF num: 0x00000002
        Tunnel type: l2l
        Protocol: esp
        Lifetime: 240 seconds
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, IKE got SPI from key engine: SPI = 0x03fc9db7
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, oakley constucting quick mode
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, constructing blank hash payload
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, constructing IPSec SA payload
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, constructing IPSec nonce payload
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, constructing proxy ID
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Transmitting Proxy Id:
        Local subnet: 10.2.2.0 mask 255.255.255.0 Protocol 0 Port 0
        Remote subnet: 10.1.1.0 Mask 255.255.255.0 Protocol 0 Port 0
    Feb 13 23:48:56 [IKEv1 DECODE]Group = 192.168.1.1, IP = 192.168.1.1, IKE Initiator sending Initial Contact
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, constructing qm hash payload
    Feb 13 23:48:56 [IKEv1 DECODE]Group = 192.168.1.1, IP = 192.168.1.1, IKE Initiator sending 1st QM pkt: msg id = 4c073b21
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, IKE_DECODE SENDING Message (msgid=4c073b21) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200
    Feb 13 23:48:56 [IKEv1]IKE Receiver: Packet received on 172.16.1.1:500 from 192.168.1.1:500
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, IKE_DECODE RECEIVED Message (msgid=4c073b21) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, processing hash payload
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, processing SA payload
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, processing nonce payload
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, processing ID payload
    Feb 13 23:48:56 [IKEv1 DECODE]Group = 192.168.1.1, IP = 192.168.1.1, ID_IPV4_ADDR_SUBNET ID received--10.2.2.0--255.255.255.0
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, processing ID payload
    Feb 13 23:48:56 [IKEv1 DECODE]Group = 192.168.1.1, IP = 192.168.1.1, ID_IPV4_ADDR_SUBNET ID received--10.1.1.0--255.255.255.0
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, loading all IPSEC SAs
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Generating Quick Mode Key!
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, NP encrypt rule look up for crypto map outside_map 20 matching ACL 100: returned cs_id=6ef246d0; encrypt_rule=752972d0; tunnelFlow_rule=75ac8020
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Generating Quick Mode Key!
    IPSEC: New embryonic SA created @ 0x6f0e03f0,
        SCB: 0x75B6DD00,
        Direction: outbound
        SPI: 0x1BA0C55C
        Session ID: 0x00004000
        VPIF num: 0x00000002
        Tunnel type: l2l
        Protocol: esp
        Lifetime: 240 seconds
    IPSEC: Completed host OBSA update, SPI 0x1BA0C55C
    IPSEC: Creating outbound VPN context, SPI 0x1BA0C55C
        Flags: 0x00000005
        SA: 0x6f0e03f0
        SPI: 0x1BA0C55C
        MTU: 1500 bytes
        VCID: 0x00000000
        Peer: 0x00000000
        SCB: 0x0B47D387
        Channel: 0x6ef0a5c0
    IPSEC: Completed outbound VPN context, SPI 0x1BA0C55C
        VPN handle: 0x0000f614
    IPSEC: New outbound encrypt rule, SPI 0x1BA0C55C
        Src addr: 10.2.2.0
        Src mask: 255.255.255.0
        Dst addr: 10.1.1.0
        Dst mask: 255.255.255.0
        Src ports Upper: 0 Lower: 0 Op: ignore
        Dst ports Upper: 0 Lower: 0 Op: ignore
        Protocol: 0
        Use protocol: false
        SPI: 0x00000000
        Use SPI: false
    IPSEC: Completed outbound encrypt rule, SPI 0x1BA0C55C
        Rule ID: 0x74e1c558
    IPSEC: New outbound permit rule, SPI 0x1BA0C55C
        Src addr: 172.16.1.1
        Src mask: 255.255.255.255
        Dst addr: 192.168.1.1
        Dst mask: 255.255.255.255
        Src ports Upper: 0 Lower: 0 Op: ignore
        Dst ports Upper: 0 Lower: 0 Op: ignore
        Protocol: 50
        Use protocol: true
        SPI: 0x1BA0C55C
        Use SPI: true
    IPSEC: Completed outbound permit rule, SPI 0x1BA0C55C
        Rule ID: 0x6f0dec80
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, NP encrypt rule look up for crypto map outside_map 20 matching ACL 100: returned cs_id=6ef246d0; encrypt_rule=752972d0; tunnelFlow_rule=75ac8020
    Feb 13 23:48:56 [IKEv1]Group = 192.168.1.1, IP = 192.168.1.1, Security negotiation complete for LAN-to-LAN Group (192.168.1.1) Initiator, Inbound SPI = 0x03fc9db7, Outbound SPI = 0x1ba0c55c
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, oakley constructing final quick mode
    Feb 13 23:48:56 [IKEv1 DECODE]Group = 192.168.1.1, IP = 192.168.1.1, IKE Initiator sending 3rd QM pkt: msg id = 4c073b21
    Feb 13 23:48:56 [IKEv1]IP = 192.168.1.1, IKE_DECODE SENDING Message (msgid=4c073b21) with payloads : HDR + HASH (8) + NONE (0) total length : 76
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, IKE got a KEY_ADD msg for SA: SPI = 0x1ba0c55c
    IPSEC: New embryonic SA created @ 0x75298588,
        SCB: 0x75C34F18,
        Direction: inbound
        SPI: 0x03FC9DB7
        Session ID: 0x00004000
        VPIF num: 0x00000002
        Tunnel type: l2l
        Protocol: esp
        Lifetime: 240 seconds
    IPSEC: Completed host IBSA update, SPI 0x03FC9DB7
    IPSEC: Creating inbound VPN context, SPI 0x03FC9DB7
        Flags: 0x00000006
        SA: 0x75298588
        SPI: 0x03FC9DB7
        MTU: 0 bytes
        VCID: 0x00000000
        Peer: 0x0000F614
        SCB: 0x0B4707C7
        Channel: 0x6ef0a5c0
    IPSEC: Completed inbound VPN context, SPI 0x03FC9DB7
        VPN handle: 0x00011f6c
    IPSEC: Updating outbound VPN context 0x0000F614, SPI 0x1BA0C55C
        Flags: 0x00000005
        SA: 0x6f0e03f0
        SPI: 0x1BA0C55C
        MTU: 1500 bytes
        VCID: 0x00000000
        Peer: 0x00011F6C
        SCB: 0x0B47D387
        Channel: 0x6ef0a5c0
    IPSEC: Completed outbound VPN context, SPI 0x1BA0C55C
        VPN handle: 0x0000f614
    IPSEC: Completed outbound inner rule, SPI 0x1BA0C55C
        Rule ID: 0x74e1c558
    IPSEC: Completed outbound outer SPD rule, SPI 0x1BA0C55C
        Rule ID: 0x6f0dec80
    IPSEC: New inbound tunnel flow rule, SPI 0x03FC9DB7
        Src addr: 10.1.1.0
        Src mask: 255.255.255.0
        Dst addr: 10.2.2.0
        Dst mask: 255.255.255.0
        Src ports Upper: 0 Lower: 0 Op: ignore
        Dst ports Upper: 0 Lower: 0 Op: ignore
        Protocol: 0
        Use protocol: false
        SPI: 0x00000000
        Use SPI: false
    IPSEC: Completed inbound tunnel flow rule, SPI 0x03FC9DB7
        Rule ID: 0x74e1b4a0
    IPSEC: New inbound decrypt rule, SPI 0x03FC9DB7
        Src addr: 192.168.1.1
        Src mask: 255.255.255.255
        Dst addr: 172.16.1.1
        Dst mask: 255.255.255.255
        Src ports Upper: 0 Lower: 0 Op: ignore
        Dst ports Upper: 0 Lower: 0 Op: ignore
        Protocol: 50
        Use protocol: true
        SPI: 0x03FC9DB7
        Use SPI: true
    IPSEC: Completed inbound decrypt rule, SPI 0x03FC9DB7
        Rule ID: 0x6f0de830
    IPSEC: New inbound permit rule, SPI 0x03FC9DB7
        Src addr: 192.168.1.1
        Src mask: 255.255.255.255
        Dst addr: 172.16.1.1
        Dst mask: 255.255.255.255
        Src ports Upper: 0 Lower: 0 Op: ignore
        Dst ports Upper: 0 Lower: 0 Op: ignore
        Protocol: 50
        Use protocol: true
        SPI: 0x03FC9DB7
        Use SPI: true
    IPSEC: Completed inbound permit rule, SPI 0x03FC9DB7
        Rule ID: 0x6f0de8d8
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Pitcher: received KEY_UPDATE, spi 0x3fc9db7
    Feb 13 23:48:56 [IKEv1 DEBUG]Group = 192.168.1.1, IP = 192.168.1.1, Starting P2 rekey timer: 24480 seconds.
    Feb 13 23:48:56 [IKEv1]Group = 192.168.1.1, IP = 192.168.1.1, PHASE 2 COMPLETED (msgid=4c073b21)

ASA Versions 8.3 and Earlier

Enter these debug commands in order to determine the location of the tunnel failure:

- debug crypto isakmp 127 (Phase 1)
- debug crypto ipsec 127 (Phase 2)

Here is a complete example debug output:

    Feb 13 04:19:53 [IKEv1]: IP = 172.16.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, processing SA payload
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, Oakley proposal is acceptable
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, processing VID payload
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, Received NAT-Traversal ver 02 VID
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, processing VID payload
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, Received NAT-Traversal ver 03 VID
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, processing VID payload
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, Received NAT-Traversal RFC VID
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, processing VID payload
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, Received Fragmentation VID
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, processing IKE SA payload
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 1
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, constructing ISAKMP SA payload
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, constructing NAT-Traversal VID ver 02 payload
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, constructing Fragmentation VID + extended capabilities payload
    Feb 13 04:19:53 [IKEv1]: IP = 172.16.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
    Feb 13 04:19:53 [IKEv1]: IP = 172.16.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, processing ke payload
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, processing ISA_KE payload
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, processing nonce payload
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, processing VID payload
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, Received Cisco Unity client VID
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, processing VID payload
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, Received xauth V6 VID
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, processing VID payload
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, processing VID payload
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, processing NAT-Discovery payload
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, computing NAT Discovery hash
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, processing NAT-Discovery payload
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, computing NAT Discovery hash
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, constructing ke payload
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, constructing nonce payload
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, constructing Cisco Unity VID payload
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, constructing xauth V6 VID payload
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, Send IOS VID
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, constructing VID payload
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, constructing NAT-Discovery payload
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, computing NAT Discovery hash
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, constructing NAT-Discovery payload
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, computing NAT Discovery hash
    Feb 13 04:19:53 [IKEv1]: IP = 172.16.1.1, Connection landed on tunnel_group 172.16.1.1
    Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, Generating keys for Responder...
    Feb 13 04:19:53 [IKEv1]: IP = 172.16.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
    Feb 13 04:19:53 [IKEv1]: IP = 172.16.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
    Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, processing ID payload
    Feb 13 04:19:53 [IKEv1 DECODE]: Group = 172.16.1.1, IP = 172.16.1.1, ID_IPV4_ADDR ID received 172.16.1.1
    Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, processing hash payload
    Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, Computing hash for ISAKMP
    Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, Processing IOS keep alive payload: proposal=32767/32767 sec.
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, processing VID payload
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, Received DPD VID
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Feb 13 04:19:53 [IKEv1]: IP = 172.16.1.1, Connection landed on tunnel_group 172.16.1.1
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, constructing ID payload
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, constructing hash payload
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, Computing hash for ISAKMP
Feb 13 04:19:53 [IKEv1 DEBUG]: IP = 172.16.1.1, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, constructing dpd vid payload
Feb 13 04:19:53 [IKEv1]: IP = 172.16.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, PHASE 1 COMPLETED
Feb 13 04:19:53 [IKEv1]: IP = 172.16.1.1, Keep-alive type for this connection: DPD
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, Starting P1 rekey timer: 82080 seconds.
Feb 13 04:19:53 [IKEv1 DECODE]: IP = 172.16.1.1, IKE Responder starting QM: msg id = 4c073b21
Feb 13 04:19:53 [IKEv1]: IP = 172.16.1.1, IKE_DECODE RECEIVED Message (msgid=4c073b21) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, processing hash payload
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, processing SA payload
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, processing nonce payload
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, processing ID payload
Feb 13 04:19:53 [IKEv1 DECODE]: Group = 172.16.1.1, IP = 172.16.1.1, ID_IPV4_ADDR_SUBNET ID received--10.2.2.0--255.255.255.0
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, Received remote IP Proxy Subnet data in ID Payload: Address 10.2.2.0, Mask 255.255.255.0, Protocol 0, Port 0
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, processing ID payload
Feb 13 04:19:53 [IKEv1 DECODE]: Group = 172.16.1.1, IP = 172.16.1.1, ID_IPV4_ADDR_SUBNET ID received--10.1.1.0--255.255.255.0
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, Received local IP Proxy Subnet data in ID Payload: Address 10.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, processing notify payload
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, QM IsRekeyed old sa not found by addr
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, Static Crypto Map check, checking map = outside_map, seq = 20...
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, Static Crypto Map check, map outside_map, seq = 20 is a successful match
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, IKE Remote Peer configured for crypto map: outside_map
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, processing IPSec SA payload
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, IPSec SA Proposal # 1, Transform # 1 acceptable Matches global IPSec SA entry # 20
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, IKE: requesting SPI!
IPSEC: New embryonic SA created @ 0xAB5C63A8,
    SCB: 0xABD54E98,
    Direction: inbound
    SPI: 0x1BA0C55C
    Session ID: 0x00004000
    VPIF num: 0x00000001
    Tunnel type: l2l
    Protocol: esp
    Lifetime: 240 seconds
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, IKE got SPI from key engine: SPI = 0x1ba0c55c
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, oakley constucting quick mode
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, constructing blank hash payload
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, constructing IPSec SA payload
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, constructing IPSec nonce payload
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, constructing proxy ID
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, Transmitting Proxy Id:
    Remote subnet: 10.2.2.0 Mask 255.255.255.0 Protocol 0 Port 0
    Local subnet: 10.1.1.0 mask 255.255.255.0 Protocol 0 Port 0
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, constructing qm hash payload
Feb 13 04:19:53 [IKEv1 DECODE]: Group = 172.16.1.1, IP = 172.16.1.1, IKE Responder sending 2nd QM pkt: msg id = 4c073b21
Feb 13 04:19:53 [IKEv1]: IP = 172.16.1.1, IKE_DECODE SENDING Message (msgid=4c073b21) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172
Feb 13 04:19:53 [IKEv1]: IP = 172.16.1.1, IKE_DECODE RECEIVED Message (msgid=4c073b21) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, processing hash payload
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, loading all IPSEC SAs
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, Generating Quick Mode Key!
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, NP encrypt rule look up for crypto map outside_map 20 matching ACL 100: returned cs_id=ab9302f0; rule=ab9309b0
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, Generating Quick Mode Key!
IPSEC: New embryonic SA created @ 0xAB570B58,
    SCB: 0xABD55378,
    Direction: outbound
    SPI: 0x03FC9DB7
    Session ID: 0x00004000
    VPIF num: 0x00000001
    Tunnel type: l2l
    Protocol: esp
    Lifetime: 240 seconds
IPSEC: Completed host OBSA update, SPI 0x03FC9DB7
IPSEC: Creating outbound VPN context, SPI 0x03FC9DB7
    Flags: 0x00000005
    SA: 0xAB570B58
    SPI: 0x03FC9DB7
    MTU: 1500 bytes
    VCID: 0x00000000
    Peer: 0x00000000
    SCB: 0x01512E71
    Channel: 0xA7A98400
IPSEC: Completed outbound VPN context, SPI 0x03FC9DB7
    VPN handle: 0x0000F99C
IPSEC: New outbound encrypt rule, SPI 0x03FC9DB7
    Src addr: 10.1.1.0
    Src mask: 255.255.255.0
    Dst addr: 10.2.2.0
    Dst mask: 255.255.255.0
    Src ports Upper: 0 Lower: 0 Op: ignore
    Dst ports Upper: 0 Lower: 0 Op: ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0x03FC9DB7
    Rule ID: 0xABD557B0
IPSEC: New outbound permit rule, SPI 0x03FC9DB7
    Src addr: 192.168.1.1
    Src mask: 255.255.255.255
    Dst addr: 172.16.1.1
    Dst mask: 255.255.255.255
    Src ports Upper: 0 Lower: 0 Op: ignore
    Dst ports Upper: 0 Lower: 0 Op: ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x03FC9DB7
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0x03FC9DB7
    Rule ID: 0xABD55848
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, NP encrypt rule look up for crypto map outside_map 20 matching ACL 100: returned cs_id=ab9302f0; rule=ab9309b0
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, Security negotiation complete for LAN-to-LAN Group (172.16.1.1) Responder, Inbound SPI = 0x1ba0c55c, Outbound SPI = 0x03fc9db7
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, IKE got a KEY_ADD msg for SA: SPI = 0x03fc9db7
IPSEC: Completed host IBSA update, SPI 0x1BA0C55C
IPSEC: Creating inbound VPN context, SPI 0x1BA0C55C
    Flags: 0x00000006
    SA: 0xAB5C63A8
    SPI: 0x1BA0C55C
    MTU: 0 bytes
    VCID: 0x00000000
    Peer: 0x0000F99C
    SCB: 0x0150B419
    Channel: 0xA7A98400
IPSEC: Completed inbound VPN context, SPI 0x1BA0C55C
    VPN handle: 0x0001169C
IPSEC: Updating outbound VPN context 0x0000F99C, SPI 0x03FC9DB7
    Flags: 0x00000005
    SA: 0xAB570B58
    SPI: 0x03FC9DB7
    MTU: 1500 bytes
    VCID: 0x00000000
    Peer: 0x0001169C
    SCB: 0x01512E71
    Channel: 0xA7A98400
IPSEC: Completed outbound VPN context, SPI 0x03FC9DB7
    VPN handle: 0x0000F99C
IPSEC: Completed outbound inner rule, SPI 0x03FC9DB7
    Rule ID: 0xABD557B0
IPSEC: Completed outbound outer SPD rule, SPI 0x03FC9DB7
    Rule ID: 0xABD55848
IPSEC: New inbound tunnel flow rule, SPI 0x1BA0C55C
    Src addr: 10.2.2.0
    Src mask: 255.255.255.0
    Dst addr: 10.1.1.0
    Dst mask: 255.255.255.0
    Src ports Upper: 0 Lower: 0 Op: ignore
    Dst ports Upper: 0 Lower: 0 Op: ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x1BA0C55C
    Rule ID: 0xAB8D98A8
IPSEC: New inbound decrypt rule, SPI 0x1BA0C55C
    Src addr: 172.16.1.1
    Src mask: 255.255.255.255
    Dst addr: 192.168.1.1
    Dst mask: 255.255.255.255
    Src ports Upper: 0 Lower: 0 Op: ignore
    Dst ports Upper: 0 Lower: 0 Op: ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x1BA0C55C
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x1BA0C55C
    Rule ID: 0xABD55CB0
IPSEC: New inbound permit rule, SPI 0x1BA0C55C
    Src addr: 172.16.1.1
    Src mask: 255.255.255.255
    Dst addr: 192.168.1.1
    Dst mask: 255.255.255.255
    Src ports Upper: 0 Lower: 0 Op: ignore
    Dst ports Upper: 0 Lower: 0 Op: ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x1BA0C55C
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x1BA0C55C
    Rule ID: 0xABD55D48
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, Pitcher: received KEY_UPDATE, spi 0x1ba0c55c
Feb 13 04:19:53 [IKEv1 DEBUG]: Group = 172.16.1.1, IP = 172.16.1.1, Starting P2 rekey timer: 27360 seconds.
Feb 13 04:19:53 [IKEv1]: Group = 172.16.1.1, IP = 172.16.1.1, PHASE 2 COMPLETED (msgid=4c073b21)