ASA 5520 L2TP IPsec and Cisco 837: Challenge

Discussion in 'Cisco' started by JARAMOS, May 19, 2009.

  1. JARAMOS

    Dear team,
    I have wasted at least a week trying to solve this problem. I'm going crazy...
    Road warriors using the Windows L2TP/IPsec client can't connect.
    Schema:
    Inside Network (VLAN5)---ASA--Cisco 837(PAT)---Internet Cloud---DSLRouter---L2TP/IPsec Windows Client
    The Cisco 837 is connected directly to the ASA Internet interface. The Cisco 837 is working with PAT. 837 config:
    !
    ip cef
    ip name-server 80.58.61.250
    ip name-server 80.58.61.254
    ip inspect name myfw cuseeme timeout 3600
    ip inspect name myfw ftp timeout 3600
    ip inspect name myfw rcmd timeout 3600
    ip inspect name myfw realaudio timeout 3600
    ip inspect name myfw tftp timeout 30
    ip inspect name myfw udp timeout 15
    ip inspect name myfw tcp timeout 3600
    ip inspect name myfw h323 timeout 3600
    ip inspect name myfw esmtp timeout 3600
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    !
    !
    !
    interface Ethernet0
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    no cdp enable
    hold-queue 32 in
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    no ip route-cache cef
    no ip route-cache
    no ip mroute-cache
    no atm auto-configuration
    no atm ilmi-keepalive
    no atm address-registration
    no atm ilmi-enable
    bundle-enable
    dsl operating-mode auto
    hold-queue 208 in
    pvc 0/16 ilmi
    !
    !
    interface ATM0.1 point-to-point
    ip address X.X.X.X X.X.X.X
    ip nat outside
    ip virtual-reassembly
    no ip route-cache
    no ip mroute-cache
    pvc 8/32
    encapsulation aal5snap
    !
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 ATM0.1
    !
    ip http server
    no ip http secure-server
    !
    ip nat inside source list 102 interface ATM0.1 overload
    ip nat inside source static 192.168.1.10 interface ATM0.1
    !
    logging history size 250
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    access-list 105 permit icmp host 192.168.1.38 any
    access-list 105 permit ip host 192.168.1.38 any
    access-list 111 permit icmp any any administratively-prohibited
    access-list 111 permit icmp any any echo
    access-list 111 permit icmp any any echo-reply
    access-list 111 permit icmp any any packet-too-big
    access-list 111 permit udp any eq bootps any eq bootps
    access-list 111 permit icmp any any time-exceeded
    access-list 111 permit icmp any any traceroute
    access-list 111 permit icmp any any unreachable
    access-list 111 permit udp any eq bootps any eq bootpc
    access-list 111 permit udp any eq domain any
    access-list 111 permit udp any any eq 10000
    access-list 111 permit tcp any any eq 1723
    access-list 111 permit tcp any any eq 139
    access-list 111 permit udp any any eq netbios-ns
    access-list 111 permit udp any any eq netbios-dgm
    access-list 111 permit gre any any
    access-list 111 permit tcp any any eq 5000
    access-list 111 permit tcp any any eq 5010
    access-list 111 permit tcp any any eq 5020
    access-list 111 permit udp any eq isakmp any eq isakmp
    access-list 111 permit esp any any
    access-list 111 permit udp any any eq 1701
    access-list 111 permit esp any any log
    access-list 111 permit udp any any eq non500-isakmp
    access-list 111 permit tcp any any eq 51
    access-list 122 permit ip any any
    no cdp run
    ##########ASA main config#############
    interface GigabitEthernet0/0
    description VLAN5
    speed 1000
    duplex full
    nameif VLAN5
    security-level 100
    ip address 57.236.92.69 255.255.255.240 standby 57.236.92.70
    ospf cost 10
    !
    interface GigabitEthernet0/1.123
    description ES-Internet-VLAN123
    vlan 123
    nameif INTERNET
    security-level 0
    ip address 192.168.1.10 255.255.255.0 standby 192.168.1.11
    ospf cost 10

    access-list DefaultRAGroup_splitTunnelAcl standard permit 57.236.92.0 255.255.255.0
    access-list VLAN5_nat0_outbound extended permit ip 57.236.92.0 255.255.255.0 209.165.201.0 255.255.255.0
    nat (VLAN5) 0 access-list VLAN5_nat0_outbound
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set l2tp-ipsec esp-3des esp-md5-hmac
    crypto ipsec transform-set l2tp-ipsec mode transport
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map cisco 20 set transform-set l2tp-ipsec
    crypto dynamic-map cisco 20 set security-association lifetime seconds 28800
    crypto dynamic-map cisco 20 set security-association lifetime kilobytes 4608000
    crypto map mymap 60000 ipsec-isakmp dynamic cisco
    crypto map mymap interface INTERNET
    crypto isakmp enable INTERNET
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp nat-traversal 30
    route INTERNET 212.122.120.186 255.255.255.255 192.168.1.1 1
    (212.122.120.186 is the IP address of the road warrior; the INTERNET interface doesn't have a 0.0.0.0 0.0.0.0 route)
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec
    username uservpn1 password xxxxxxxxxxx nt-encrypted privilege 0
    username uservpn1 attributes
    vpn-group-policy DfltGrpPolicy
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout none
    vpn-session-timeout none
    vpn-filter none
    tunnel-group DefaultRAGroup general-attributes
    address-pool IP_Pool_VPN
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    authentication ms-chap-v2
    sysopt connection permit-vpn

    If I connect my laptop to the Cisco 837 router, the VPN is created successfully, but if I try to connect from the Internet, it doesn't connect. NAT-T issue?
    Thanks in advance for your support!!
    JARAMOS, May 19, 2009
    #1

  2. JARAMOS

    log part 1:
    CQM1-CASA5520-01# May 19 11:37:34 [IKEv1 DEBUG]: IP = 212.122.120.186, Oakley proposal is acceptable
    May 19 11:37:34 [IKEv1 DEBUG]: IP = 212.122.120.186, IKE SA Proposal # 1, Transform # 3 acceptable Matches global IKE entry # 2
    May 19 11:37:34 [IKEv1]: IP = 212.122.120.186, Connection landed on tunnel_group DefaultRAGroup
    May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Automatic NAT Detection Status: Remote end IS behind a NAT device This end IS behind a NAT device
    May 19 11:37:34 [IKEv1]: IP = 212.122.120.186, Connection landed on tunnel_group DefaultRAGroup
    May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Freeing previously allocated memory for authorization-dn-attributes
    May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, PHASE 1 COMPLETED
    May 19 11:37:34 [IKEv1]: IP = 212.122.120.186, Keep-alive type for this connection: None
    May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP =
    JARAMOS, May 19, 2009
    #2

  3. JARAMOS

    log part 2:
    212.122.120.186, Starting P1 rekey timer: 21600 seconds.
    May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received remote Proxy Host FQDN in ID Payload: Host Name: nany Address 212.122.120.186, Protocol 17, Port 1701
    May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received local Proxy Host data in ID Payload: Address 79.148.252.117, Protocol 17, Port 1701
    May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, L2TP/IPSec session detected.
    May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, QM IsRekeyed old sa not found by addr
    May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
    May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, IKE Remote Peer configured for crypto map: cisco
    May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, processing IPSec SA payload
    May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, IPSec SA Proposal # 1, Transform # 1 acceptable Matches global IPSec SA entry # 20
    May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, IKE: requesting SPI!
    May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, Transmitting Proxy Id:
    Remote host: 212.122.120.186 Protocol 17 Port 0
    Local host: 192.168.1.10 Protocol 17 Port 1701
    May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Security negotiation complete for User () Responder, Inbound SPI = 0x7b12214f, Outbound SPI = 0x4435f6f8
    May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, Starting P2 rekey timer: 3060 seconds.
    May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, PHASE 2 COMPLETED (msgid=e1965ba4)
    May 19 11:37:34 [IKEv1]: IKEQM_Active() Add L2TP classification rules: ip <212.122.120.186> mask <0xFFFFFFFF> port <4500>
    May 19 11:37:34 [IKEv1 DEBUG]: IP = 212.122.120.186, Oakley proposal is acceptable
    May 19 11:37:34 [IKEv1 DEBUG]: IP = 212.122.120.186, IKE SA Proposal # 1, Transform # 3 acceptable Matches global IKE entry # 2
    May 19 11:37:34 [IKEv1]: IP = 212.122.120.186, Connection landed on tunnel_group DefaultRAGroup
    May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Automatic NAT Detection Status: Remote end IS behind a NAT device This end IS behind a NAT device
    May 19 11:37:34 [IKEv1]: IP = 212.122.120.186, Connection landed on tunnel_group DefaultRAGroup
    May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Freeing previously allocated memory for authorization-dn-attributes
    May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, Peer negotiated phase 1 rekey
    May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, PHASE 1 COMPLETED
    May 19 11:37:34 [IKEv1]: IP = 212.122.120.186, Keep-alive type for this connection: None
    May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, Starting P1 rekey timer: 21600 seconds.
    May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received remote Proxy Host FQDN in ID Payload: Host Name: nany Address 212.122.120.186, Protocol 17, Port 1701
    May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received local Proxy Host data in ID Payload: Address 192.168.1.10, Protocol 17, Port 1701
    May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, L2TP/IPSec session detected.
    May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
    May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, IKE Remote Peer configured for crypto map: cisco
    May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, processing IPSec SA payload
    May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, IPSec SA Proposal # 1, Transform # 1 acceptable Matches global IPSec SA entry # 20
    May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, IKE: requesting SPI!
    May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, Transmitting Proxy Id:
    Remote host: 212.122.120.186 Protocol 17 Port 0
    Local host: 192.168.1.10 Protocol 17 Port 1701
    May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Security negotiation complete for User () Responder, Inbound SPI = 0xf50dff95, Outbound SPI = 0xba3278ff
    May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, Starting P2 rekey timer: 3060 seconds.
    May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, PHASE 2 COMPLETED (msgid=6bdc6d8e)
    May 19 11:37:34 [IKEv1]: IKEQM_Active() Add L2TP classification rules: ip <212.122.120.186> mask <0xFFFFFFFF> port <4500>
    May 19 11:37:34 [IKEv1 DEBUG]: IP = 212.122.120.186, Oakley proposal is acceptable
    May 19 11:37:34 [IKEv1 DEBUG]: IP = 212.122.120.186, IKE SA Proposal # 1, Transform # 3 acceptable Matches global IKE entry # 2
    JARAMOS, May 19, 2009
    #3
  4. JARAMOS

    log part 3:
    May 19 11:37:34 [IKEv1]: IP = 212.122.120.186, Connection landed on tunnel_group DefaultRAGroup
    May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Automatic NAT Detection Status: Remote end IS behind a NAT device This end IS behind a NAT device
    May 19 11:37:35 [IKEv1]: IP = 212.122.120.186, Connection landed on tunnel_group DefaultRAGroup
    May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Freeing previously allocated memory for authorization-dn-attributes
    May 19 11:37:35 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, Peer negotiated phase 1 rekey
    May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, PHASE 1 COMPLETED
    May 19 11:37:35 [IKEv1]: IP = 212.122.120.186, Keep-alive type for this connection: None
    May 19 11:37:35 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, Starting P1 rekey timer: 21600 seconds.
    May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received remote Proxy Host FQDN in ID Payload: Host Name: nany Address 212.122.120.186, Protocol 17, Port 1701
    May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received local Proxy Host data in ID Payload: Address 192.168.1.10, Protocol 17, Port 1701
    May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, L2TP/IPSec session detected.
    May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, QM IsRekeyed sa already being rekeyed
    May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, QM FSM error (P2 struct &0xc94686a8, mess id 0x24983b7f)!
    May 19 11:37:35 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, IKE QM Responder FSM error history (struct &0xc94686a8) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG
    May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Removing peer from correlator table failed, no match!
    May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received remote Proxy Host FQDN in ID Payload: Host Name: nany Address 212.122.120.186, Protocol 17, Port 1701
    May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received local Proxy Host data in ID Payload: Address 192.168.1.10, Protocol 17, Port 1701
    May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, L2TP/IPSec session detected.
    May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, QM IsRekeyed sa already being rekeyed
    May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, QM FSM error (P2 struct &0xc927c758, mess id 0x24983b7f)!
    May 19 11:37:35 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, IKE QM Responder FSM error history (struct &0xc927c758) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG
    May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Removing peer from correlator table failed, no match!
    May 19 11:37:37 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received remote Proxy Host FQDN in ID Payload: Host Name: nany Address 212.122.120.186, Protocol 17, Port 1701
    May 19 11:37:37 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received local Proxy Host data in ID Payload: Address 192.168.1.10, Protocol 17, Port 1701
    May 19 11:37:37 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, L2TP/IPSec session detected.
    May 19 11:37:37 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, QM IsRekeyed sa already being rekeyed
    May 19 11:37:37 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, QM FSM error (P2 struct &0xc927c758, mess id 0x24983b7f)!
    May 19 11:37:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, IKE QM Responder FSM error history (struct &0xc927c758) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG
    May 19 11:37:37 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Removing peer from correlator table failed, no match!
    May 19 11:37:41 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received remote Proxy Host FQDN in ID Payload: Host Name: nany Address 212.122.120.186, Protocol 17, Port 1701
    May 19 11:37:41 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received local Proxy Host data in ID Payload: Address 192.168.1.10, Protocol 17, Port 1701
    May 19 11:37:41 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, L2TP/IPSec session detected.
    May 19 11:37:41 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, QM IsRekeyed sa already being rekeyed
    May 19 11:37:41 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, QM FSM error (P2 struct &0xc927c758, mess id 0x24983b7f)!
    May 19 11:37:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, IKE QM Responder FSM error history (struct &0xc927c758) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG
    May 19 11:37:41 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Removing peer from correlator table failed, no match!
    May 19 11:37:47 [IKEv1]: IP = 212.122.120.186, Received encrypted packet with no matching SA, dropping
    May 19 11:37:47 [IKEv1]: IP = 212.122.120.186, Received encrypted packet with no matching SA, dropping
    May 19 11:37:47 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Connection terminated for peer . Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
    May 19 11:37:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, IKE Deleting SA: Remote Proxy 212.122.120.186, Local Proxy 192.168.1.10
    May 19 11:37:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, IKE Deleting SA: Remote Proxy 212.122.120.186, Local Proxy 192.168.1.10
    May 19 11:37:47 [IKEv1]: Ignoring msg to mark SA with dsID 1449984 dead because SA deleted

    As you can see, PHASE 1 is established three times, and PHASE 2 two times... very strange...
    JARAMOS, May 19, 2009
    #4
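
A small summarizer for the IKEv1 debug output posted above, added here as an example (it is not part of the original posts): it counts PHASE 1 and PHASE 2 completions per peer, tallies Quick Mode message IDs that hit "QM FSM error", and compares the local proxy ID address the peer proposed with the address the ASA transmitted. The sample lines are copied from the posted log in abridged form; the function and field names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Abridged sample: lines copied from the debug output posted in this thread.
SAMPLE_LOG = """\
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, PHASE 1 COMPLETED
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received local Proxy Host data in ID Payload: Address 79.148.252.117, Protocol 17, Port 1701
May 19 11:37:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 212.122.120.186, Transmitting Proxy Id:
Remote host: 212.122.120.186 Protocol 17 Port 0
Local host: 192.168.1.10 Protocol 17 Port 1701
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, PHASE 2 COMPLETED (msgid=e1965ba4)
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, PHASE 1 COMPLETED
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, Received local Proxy Host data in ID Payload: Address 192.168.1.10, Protocol 17, Port 1701
May 19 11:37:34 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, PHASE 2 COMPLETED (msgid=6bdc6d8e)
May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, PHASE 1 COMPLETED
May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, QM FSM error (P2 struct &0xc94686a8, mess id 0x24983b7f)!
May 19 11:37:35 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, QM FSM error (P2 struct &0xc927c758, mess id 0x24983b7f)!
May 19 11:37:37 [IKEv1]: Group = DefaultRAGroup, IP = 212.122.120.186, QM FSM error (P2 struct &0xc927c758, mess id 0x24983b7f)!
May 19 11:37:47 [IKEv1]: IP = 212.122.120.186, Received encrypted packet with no matching SA, dropping
"""

PEER = re.compile(r"IP = (\d+\.\d+\.\d+\.\d+),")
LOCAL_RX = re.compile(r"Received local Proxy Host data in ID Payload:\s+Address (\S+?),")
LOCAL_TX = re.compile(r"^\s*Local host:\s+(\S+)")
QM_ERR = re.compile(r"QM FSM error \(P2 struct \S+ mess id (0x[0-9a-fA-F]+)\)")


def summarize(log_text):
    """Return {peer_ip: stats} for ASA IKEv1 debug lines."""
    peers = defaultdict(lambda: {
        "phase1": 0, "phase2": 0, "no_sa_drops": 0,
        "qm_errors": Counter(),        # message id -> failure count
        "local_id_offered": set(),     # local proxy ID addresses sent by the peer
        "local_id_sent": set(),        # local proxy ID addresses sent by the ASA
    })
    current = None
    for line in log_text.splitlines():
        m = PEER.search(line)
        if m:
            current = m.group(1)
        if current is None:
            continue                   # continuation line before any peer was seen
        s = peers[current]
        if "PHASE 1 COMPLETED" in line:
            s["phase1"] += 1
        elif "PHASE 2 COMPLETED" in line:
            s["phase2"] += 1
        elif "no matching SA" in line:
            s["no_sa_drops"] += 1
        elif (m := QM_ERR.search(line)):
            s["qm_errors"][m.group(1)] += 1
        elif (m := LOCAL_RX.search(line)):
            s["local_id_offered"].add(m.group(1))
        elif (m := LOCAL_TX.match(line)):
            # "Local host:" lines carry no "IP =", so they belong to the last peer seen.
            s["local_id_sent"].add(m.group(1))
    return dict(peers)


def findings(stats):
    """Turn the counters into short, human-readable observations."""
    out = []
    for peer, s in sorted(stats.items()):
        if s["phase1"] > 1:
            out.append(f"{peer}: phase 1 completed {s['phase1']} times, phase 2 {s['phase2']} times")
        extra = s["local_id_offered"] - s["local_id_sent"]
        if extra:
            out.append(f"{peer}: peer proposed local proxy ID {sorted(extra)}, "
                       f"ASA transmitted {sorted(s['local_id_sent'])}")
        for msgid, n in s["qm_errors"].items():
            if n > 1:
                out.append(f"{peer}: quick mode message id {msgid} hit QM FSM error {n} times")
        if s["no_sa_drops"]:
            out.append(f"{peer}: {s['no_sa_drops']} encrypted packet(s) dropped, no matching SA")
    return out


if __name__ == "__main__":
    print("\n".join(findings(summarize(SAMPLE_LOG))))
```

On the posted log this surfaces the address difference between the first Quick Mode exchange (79.148.252.117 proposed by the client) and the ASA's own INTERNET interface address (192.168.1.10), alongside the repeated failures for message id 0x24983b7f.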