L2L IPSec - PIX501 to VPN 3000 - Tunnel rejected: Policy not found...(long post)

Discussion in 'Cisco' started by mattsnow, Apr 5, 2007.

  1. mattsnow

    mattsnow

    Joined:
    Apr 5, 2007
    Messages:
    6
    Likes Received:
    0
    I have a PIX 501 that is behind a linksys router that supports IPSec passthrough trying to establish a LAN-to-LAN tunnel to my VPN 3000 Concentrator in my office. Here is some background on the configuration as it stands:

    PIX 501(6.1(3)):
    | inside: 192.168.30.1/24
    | outside: 172.16.1.150/25
    |
    V
    Linksys WRT54G(DD-WRT v0.24):
    | inside: 172.16.1.254/24
    | outside: 68.x.x.243/24
    V
    [internet]
    |
    |
    V
    VPN 3000 Concentrator(4.0.1):
    private: 172.16.3.2/22
    public: 63.x.x.3/27

    The Tunnel appears to come up under LAN-to-LAN sessions, but only the Bytes Rx increments when a client behind the pix501 tries to access a host in the 172.16.x.x subnet. The only information that appears in the concentrator logs is the Tunnel Rejected: policy not found.

    I have one other PIX 501 running 6.3(5) at another location with an identical configuration, just different internal subnet and it works perfectly! I am starting to lose hair over this and am hoping someone here can help.


    I've configured the concentrator with the following.

    Configuration-> Policy Management-> Traffic Management-> Network Lists
    Network List named "matt-corp" containing the following networks
    172.16.0.0/0.0.255.255
    192.168.30.0/0.0.0.255

    Configuration-> System-> Tunneling Protocols-> IPSec-> LAN-to-LAN
    LAN-to-LAN connection named "matt" with these settings:
    Peers: 68.x.x.243
    digital cert: none(use preshared keys)
    Preshared Key: cisco123
    authentication: ESP/MD5/HMAC-128
    Encryption: 3DES-168
    IKE Proposal: IKE-3DES-MD5
    Filter: none
    IPSec NAT-T: Enabled
    No bandwidth policy or routing.
    Local Network: Network List "matt-corp"
    Remote Network: Network List "matt-corp"

    I've not made any changes to SAs(Configuration-> Policy Management-> Traffic Management-> Security Associations), or Rules (Configuration-> Policy Management-> Traffic Management-> Rules).
     
    mattsnow, Apr 5, 2007
    #1

  2. mattsnow

    52548 04/05/2007 12:16:24.440 SEV=8 IKEDBG/0 RPT=17219 68.x.x.243
    RECEIVED Message (msgid=0) with payloads :
    HDR + SA (1) + NONE (0)
    total length : 84

    52550 04/05/2007 12:16:24.440 SEV=9 IKEDBG/0 RPT=17220 68.x.x.243
    processing SA payload

    52551 04/05/2007 12:16:24.450 SEV=8 IKEDBG/0 RPT=17221
    Proposal # 1, Transform # 1, Type ISAKMP, Id IKE
    Parsing received transform:
    Phase 1 failure against global IKE proposal # 1:
    Mismatched attr types for class Auth Method:
    Rcv'd: Preshared Key
    Cfg'd: XAUTH with Preshared Key (Initiator authenticated)

    52557 04/05/2007 12:16:24.450 SEV=7 IKEDBG/0 RPT=17222 68.x.x.243
    Oakley proposal is acceptable

    52558 04/05/2007 12:16:24.450 SEV=9 IKEDBG/0 RPT=17223 68.x.x.243
    processing IKE SA

    52559 04/05/2007 12:16:24.450 SEV=8 IKEDBG/0 RPT=17224
    Proposal # 1, Transform # 1, Type ISAKMP, Id IKE
    Parsing received transform:
    Phase 1 failure against global IKE proposal # 1:
    Mismatched attr types for class Auth Method:
    Rcv'd: Preshared Key
    Cfg'd: XAUTH with Preshared Key (Initiator authenticated)

    52565 04/05/2007 12:16:24.450 SEV=7 IKEDBG/28 RPT=994 68.x.x.243
    IKE SA Proposal # 1, Transform # 1 acceptable
    Matches global IKE entry # 2 Proposal (IKE-3DES-MD5)

    52567 04/05/2007 12:16:24.450 SEV=9 IKEDBG/0 RPT=17225 68.x.x.243
    constructing ISA_SA for isakmp

    52568 04/05/2007 12:16:24.450 SEV=9 IKEDBG/46 RPT=5909 68.x.x.243
    constructing Fragmentation VID + extended capabilities payload

    52569 04/05/2007 12:16:24.550 SEV=8 IKEDBG/0 RPT=17226 68.x.x.243
    SENDING Message (msgid=0) with payloads :
    HDR + SA (1) + VENDOR (13)
    total length : 108

    52571 04/05/2007 12:16:25.140 SEV=8 IKEDBG/0 RPT=17227 68.x.x.243
    RECEIVED Message (msgid=0) with payloads :
    HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0)
    total length : 244

    52574 04/05/2007 12:16:25.140 SEV=8 IKEDBG/0 RPT=17228 68.x.x.243
    RECEIVED Message (msgid=0) with payloads :
    HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0)
    total length : 244

    52577 04/05/2007 12:16:25.140 SEV=9 IKEDBG/0 RPT=17229 68.x.x.243
    processing ke payload

    52578 04/05/2007 12:16:25.140 SEV=9 IKEDBG/0 RPT=17230 68.x.x.243
    processing ISA_KE

    52579 04/05/2007 12:16:25.140 SEV=9 IKEDBG/1 RPT=20987 68.x.x.243
    processing nonce payload

    52580 04/05/2007 12:16:25.140 SEV=9 IKEDBG/47 RPT=4207 68.x.x.243
    processing VID payload

    52581 04/05/2007 12:16:25.140 SEV=9 IKEDBG/49 RPT=3149 68.x.x.243
    Received Cisco Unity client VID

    52582 04/05/2007 12:16:25.140 SEV=9 IKEDBG/47 RPT=4208 68.x.x.243
    processing VID payload

    52583 04/05/2007 12:16:25.140 SEV=9 IKEDBG/49 RPT=3150 68.x.x.243
    Received DPD VID

    52584 04/05/2007 12:16:25.140 SEV=9 IKEDBG/47 RPT=4209 68.x.x.243
    processing VID payload

    52585 04/05/2007 12:16:25.140 SEV=9 IKEDBG/38 RPT=2156 68.x.x.243
    Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000025)

    52586 04/05/2007 12:16:25.240 SEV=9 IKEDBG/0 RPT=17231 68.x.x.243
    constructing ke payload

    52587 04/05/2007 12:16:25.240 SEV=9 IKEDBG/1 RPT=20988 68.x.x.243
    constructing nonce payload

    52588 04/05/2007 12:16:25.250 SEV=9 IKEDBG/46 RPT=5910 68.x.x.243
    constructing Cisco Unity VID payload

    52589 04/05/2007 12:16:25.250 SEV=9 IKEDBG/46 RPT=5911 68.x.x.243
    constructing xauth V6 VID payload

    52590 04/05/2007 12:16:25.250 SEV=9 IKEDBG/48 RPT=2195 68.x.x.243
    Send IOS VID

    52591 04/05/2007 12:16:25.250 SEV=9 IKEDBG/38 RPT=2157 68.x.x.243
    Constructing VPN 3000 spoofing IOS Vendor ID payload (version: 1.0.0, capabiliti
    es: 20000409)

    52593 04/05/2007 12:16:25.250 SEV=9 IKEDBG/46 RPT=5912 68.x.x.243
    constructing VID payload

    52594 04/05/2007 12:16:25.250 SEV=9 IKEDBG/48 RPT=2196 68.x.x.243
    Send Altiga GW VID

    52595 04/05/2007 12:16:25.250 SEV=9 IKEDBG/0 RPT=17232 68.x.x.243
    Generating keys for Responder...

    52596 04/05/2007 12:16:25.270 SEV=8 IKEDBG/0 RPT=17233 68.x.x.243
    SENDING Message (msgid=0) with payloads :
    HDR + KE (4) + NONCE (10)
    total length : 256

    52598 04/05/2007 12:16:26.290 SEV=8 IKEDBG/0 RPT=17234 68.x.x.243
    RECEIVED Message (msgid=0) with payloads :
    HDR + ID (5) + HASH (8) + NONE (0)
    total length : 76

    52600 04/05/2007 12:16:26.290 SEV=9 IKEDBG/1 RPT=20989 68.x.x.243
    Group [68.x.x.243]
    Processing ID

    52601 04/05/2007 12:16:26.290 SEV=9 IKEDBG/0 RPT=17235 68.x.x.243
    Group [68.x.x.243]
    processing hash

    52602 04/05/2007 12:16:26.290 SEV=9 IKEDBG/0 RPT=17236 68.x.x.243
    Group [68.x.x.243]
    computing hash

    52603 04/05/2007 12:16:26.290 SEV=9 IKEDBG/23 RPT=1094 68.x.x.243
    Group [68.x.x.243]
    Starting group lookup for peer 68.x.x.243

    52604 04/05/2007 12:16:26.390 SEV=7 IKEDBG/0 RPT=17237 68.x.x.243
    Group [68.x.x.243]
    Found Phase 1 Group (68.x.x.243)

    52605 04/05/2007 12:16:26.390 SEV=9 IKEDBG/19 RPT=4785 68.x.x.243
    Group [68.x.x.243]
    IKEGetUserAttributes: IP Compression = disabled

    52606 04/05/2007 12:16:26.390 SEV=9 IKEDBG/19 RPT=4786 68.x.x.243
    Group [68.x.x.243]
    IKEGetUserAttributes: Split Tunneling Policy = Disabled

    52607 04/05/2007 12:16:26.390 SEV=9 IKEDBG/1 RPT=20990 68.x.x.243
    Group [68.x.x.243]
    constructing ID

    52608 04/05/2007 12:16:26.390 SEV=9 IKEDBG/0 RPT=17238
    Group [68.x.x.243]
    construct hash payload

    52609 04/05/2007 12:16:26.390 SEV=9 IKEDBG/0 RPT=17239 68.x.x.243
    Group [68.x.x.243]
    computing hash

    52610 04/05/2007 12:16:26.390 SEV=9 IKEDBG/34 RPT=909 68.x.x.243
    Constructing IOS keep alive payload: proposal=32767/32767 sec.

    52611 04/05/2007 12:16:26.390 SEV=9 IKEDBG/46 RPT=5913 68.x.x.243
    Group [68.x.x.243]
    constructing dpd vid payload

    52612 04/05/2007 12:16:26.390 SEV=8 IKEDBG/0 RPT=17240 68.x.x.243
    SENDING Message (msgid=0) with payloads :
    HDR + ID (5) + HASH (8)
    total length : 92

    52614 04/05/2007 12:16:26.390 SEV=4 IKE/119 RPT=1059 68.x.x.243
    Group [68.x.x.243]
    PHASE 1 COMPLETED

    52615 04/05/2007 12:16:26.390 SEV=6 IKE/121 RPT=1059 68.x.x.243
    Keep-alive type for this connection: DPD

    52616 04/05/2007 12:16:26.390 SEV=7 IKEDBG/0 RPT=17241 68.x.x.243
    Group [68.x.x.243]
    Starting phase 1 rekey timer: 82080000 (ms)

    52617 04/05/2007 12:16:26.390 SEV=4 AUTH/22 RPT=1062
    User [68.x.x.243], Group [68.x.x.243] connected

    52618 04/05/2007 12:16:26.390 SEV=4 AUTH/84 RPT=905
    LAN-to-LAN tunnel to headend device 68.x.x.243 connected

    52619 04/05/2007 12:16:26.980 SEV=8 IKEDBG/0 RPT=17242 68.x.x.243
    RECEIVED Message (msgid=23627eb1) with payloads :
    HDR + HASH (8) + NOTIFY (11) + NONE (0)
    total length : 76

    52621 04/05/2007 12:16:26.980 SEV=9 IKEDBG/0 RPT=17243 68.x.x.243
    Group [68.x.x.243]
    processing hash

    52622 04/05/2007 12:16:26.980 SEV=9 IKEDBG/0 RPT=17244 68.x.x.243
    Group [68.x.x.243]
    Processing Notify payload

    52623 04/05/2007 12:16:26.980 SEV=6 IKE/0 RPT=4446
    Received unexpected event EV_ACTIVATE_NEW_SA in state MM_ACTIVE

    52624 04/05/2007 12:16:26.980 SEV=8 IKEDBG/0 RPT=17245 68.x.x.243
    RECEIVED Message (msgid=f15eede) with payloads :
    HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0)
    total length : 164

    52627 04/05/2007 12:16:26.980 SEV=9 IKEDBG/0 RPT=17246 68.x.x.243
    Group [68.x.x.243]
    processing hash

    52628 04/05/2007 12:16:26.980 SEV=9 IKEDBG/0 RPT=17247 68.x.x.243
    Group [68.x.x.243]
    processing SA payload

    52629 04/05/2007 12:16:26.980 SEV=9 IKEDBG/1 RPT=20991 68.x.x.243
    Group [68.x.x.243]
    processing nonce payload

    52630 04/05/2007 12:16:26.980 SEV=9 IKEDBG/1 RPT=20992 68.x.x.243
    Group [68.x.x.243]
    Processing ID

    52631 04/05/2007 12:16:26.980 SEV=5 IKE/35 RPT=3198 68.x.x.243
    Group [68.x.x.243]
    Received remote IP Proxy Subnet data in ID Payload:
    Address 192.168.30.0, Mask 255.255.255.0, Protocol 0, Port 0

    52634 04/05/2007 12:16:26.980 SEV=9 IKEDBG/1 RPT=20993 68.x.x.243
    Group [68.x.x.243]
    Processing ID

    52635 04/05/2007 12:16:26.980 SEV=5 IKE/34 RPT=3367 68.x.x.243
    Group [68.x.x.243]
    Received local IP Proxy Subnet data in ID Payload:
    Address 172.16.0.0, Mask 255.255.0.0, Protocol 0, Port 0

    52638 04/05/2007 12:16:26.980 SEV=8 IKEDBG/0 RPT=17248
    QM IsRekeyed old sa not found by addr

    52639 04/05/2007 12:16:26.980 SEV=5 IKE/66 RPT=702 68.x.x.243
    Group [68.x.x.243]
    IKE Remote Peer configured for SA: L2L: spnpix3

    52640 04/05/2007 12:16:26.980 SEV=9 IKEDBG/0 RPT=17249 68.x.x.243
    Group [68.x.x.243]
    processing IPSEC SA

    52641 04/05/2007 12:16:26.980 SEV=7 IKEDBG/27 RPT=702 68.x.x.243
    Group [68.x.x.243]
    IPSec SA Proposal # 1, Transform # 1 acceptable
    Matches global IPSec SA entry # 10 Proposal (L2L: spnpix3)

    52644 04/05/2007 12:16:26.980 SEV=7 IKEDBG/0 RPT=17250 68.x.x.243
    Group [68.x.x.243]
    IKE: requesting SPI!

    52645 04/05/2007 12:16:26.990 SEV=9 IPSECDBG/6 RPT=5951
    IPSEC key message parse - msgtype 6, len 208, vers 1, pid 00000000, seq 1774, er
    r 0, type 2, mode 0, state 32, label 0, pad 0, spi 00000000, encrKeyLen 0, hashK
    eyLen 0, ivlen 0, alg 0, hmacAlg 0, lifetype 0, lifetime1 631724, lifetime2 0, d
    sId 300

    52649 04/05/2007 12:16:26.990 SEV=9 IPSECDBG/1 RPT=18137
    Processing KEY_GETSPI msg!

    52650 04/05/2007 12:16:26.990 SEV=7 IPSECDBG/13 RPT=1774
    Reserved SPI 1100517644

    52651 04/05/2007 12:16:26.990 SEV=8 IKEDBG/6 RPT=1774
    IKE got SPI from key engine: SPI = 0x4198910c

    52652 04/05/2007 12:16:26.990 SEV=9 IKEDBG/0 RPT=17251 68.x.x.243
    Group [68.x.x.243]
    oakley constucting quick mode

    52653 04/05/2007 12:16:26.990 SEV=9 IKEDBG/0 RPT=17252 68.x.x.243
    Group [68.x.x.243]
    constructing blank hash
     
    Last edited: Apr 5, 2007
    mattsnow, Apr 5, 2007
    #2

  3. mattsnow

    52654 04/05/2007 12:16:26.990 SEV=9 IKEDBG/0 RPT=17253 68.x.x.243
    Group [68.x.x.243]
    constructing ISA_SA for ipsec

    52655 04/05/2007 12:16:26.990 SEV=9 IKEDBG/1 RPT=20994 68.x.x.243
    Group [68.x.x.243]
    constructing ipsec nonce payload

    52656 04/05/2007 12:16:26.990 SEV=9 IKEDBG/1 RPT=20995 68.x.x.243
    Group [68.x.x.243]
    constructing proxy ID

    52657 04/05/2007 12:16:26.990 SEV=7 IKEDBG/0 RPT=17254 68.x.x.243
    Group [68.x.x.243]
    Transmitting Proxy Id:
    Remote subnet: 192.168.30.0 Mask 255.255.255.0 Protocol 0 Port 0
    Local subnet: 172.16.0.0 mask 255.255.0.0 Protocol 0 Port 0

    52661 04/05/2007 12:16:26.990 SEV=9 IKEDBG/0 RPT=17255 68.x.x.243
    Group [68.x.x.243]
    constructing qm hash

    52662 04/05/2007 12:16:27.000 SEV=8 IKEDBG/0 RPT=17256 68.x.x.243
    SENDING Message (msgid=f15eede) with payloads :
    HDR + HASH (8) + SA (1)
    total length : 164

    52664 04/05/2007 12:16:27.690 SEV=8 IKEDBG/0 RPT=17257 68.x.x.243
    RECEIVED Message (msgid=f15eede) with payloads :
    HDR + HASH (8) + NONE (0)
    total length : 48

    52666 04/05/2007 12:16:27.700 SEV=9 IKEDBG/0 RPT=17258 68.x.x.243
    Group [68.x.x.243]
    processing hash

    52667 04/05/2007 12:16:27.700 SEV=9 IKEDBG/0 RPT=17259 68.x.x.243
    Group [68.x.x.243]
    loading all IPSEC SAs

    52668 04/05/2007 12:16:27.700 SEV=9 IKEDBG/1 RPT=20996 68.x.x.243
    Group [68.x.x.243]
    Generating Quick Mode Key!

    52669 04/05/2007 12:16:27.700 SEV=9 IKEDBG/1 RPT=20997 68.x.x.243
    Group [68.x.x.243]
    Generating Quick Mode Key!

    52670 04/05/2007 12:16:27.700 SEV=7 IKEDBG/0 RPT=17260 68.x.x.243
    Group [68.x.x.243]
    Loading subnet:
    Dst: 172.16.0.0 mask: 255.255.0.0
    Src: 192.168.30.0 mask: 255.255.255.0

    52673 04/05/2007 12:16:27.700 SEV=4 IKE/49 RPT=807 68.x.x.243
    Group [68.x.x.243]
    Security negotiation complete for LAN-to-LAN Group (68.x.x.243)
    Responder, Inbound SPI = 0x4198910c, Outbound SPI = 0x9a044cb0

    52676 04/05/2007 12:16:27.700 SEV=9 IPSECDBG/6 RPT=5952
    IPSEC key message parse - msgtype 1, len 335, vers 1, pid 00000000, seq 0, err 0
    , type 2, mode 1, state 8256, label 0, pad 0, spi 9a044cb0, encrKeyLen 24, hashK
    eyLen 16, ivlen 8, alg 2, hmacAlg 3, lifetype 0, lifetime1 631724, lifetime2 0,
    dsId 0

    52680 04/05/2007 12:16:27.700 SEV=9 IPSECDBG/1 RPT=18138
    Processing KEY_ADD msg!

    52681 04/05/2007 12:16:27.700 SEV=9 IPSECDBG/1 RPT=18139
    key_msghdr2secassoc(): Enter

    52682 04/05/2007 12:16:27.700 SEV=7 IPSECDBG/1 RPT=18140
    No USER filter configured

    52683 04/05/2007 12:16:27.700 SEV=9 IPSECDBG/1 RPT=18141
    KeyProcessAdd: Enter

    52684 04/05/2007 12:16:27.710 SEV=8 IPSECDBG/1 RPT=18142
    KeyProcessAdd: Adding outbound SA

    52685 04/05/2007 12:16:27.710 SEV=8 IPSECDBG/1 RPT=18143
    KeyProcessAdd: src 172.16.0.0 mask 0.0.255.255, dst 192.168.30.0 mask 0.0.0.255

    52686 04/05/2007 12:16:27.710 SEV=8 IPSECDBG/1 RPT=18144
    KeyProcessAdd: FilterIpsecAddIkeSa success

    52687 04/05/2007 12:16:27.710 SEV=9 IPSECDBG/6 RPT=5953
    IPSEC key message parse - msgtype 3, len 335, vers 1, pid 00000000, seq 0, err 0
    , type 2, mode 1, state 8224, label 0, pad 0, spi 4198910c, encrKeyLen 24, hashK
    eyLen 16, ivlen 8, alg 2, hmacAlg 3, lifetype 0, lifetime1 631724, lifetime2 0,
    dsId 0

    52691 04/05/2007 12:16:27.710 SEV=9 IPSECDBG/1 RPT=18145
    Processing KEY_UPDATE msg!

    52692 04/05/2007 12:16:27.710 SEV=9 IPSECDBG/1 RPT=18146
    Update inbound SA addresses

    52693 04/05/2007 12:16:27.710 SEV=9 IPSECDBG/1 RPT=18147
    key_msghdr2secassoc(): Enter

    52694 04/05/2007 12:16:27.710 SEV=7 IPSECDBG/1 RPT=18148
    No USER filter configured

    52695 04/05/2007 12:16:27.710 SEV=9 IPSECDBG/1 RPT=18149
    KeyProcessUpdate: Enter

    52696 04/05/2007 12:16:27.710 SEV=8 IPSECDBG/1 RPT=18150
    KeyProcessUpdate: success

    52697 04/05/2007 12:16:27.710 SEV=8 IKEDBG/7 RPT=807
    IKE got a KEY_ADD msg for SA: SPI = 0x9a044cb0

    52698 04/05/2007 12:16:27.710 SEV=8 IKEDBG/0 RPT=17261
    pitcher: rcv KEY_UPDATE, spi 0x4198910c

    52699 04/05/2007 12:16:27.710 SEV=4 IKE/120 RPT=807 68.x.x.243
    Group [68.x.x.243]
    PHASE 2 COMPLETED (msgid=0f15eede)

    52700 04/05/2007 12:16:30.860 SEV=7 IPSECDBG/10 RPT=3719
    IPSEC ipsec_output() can call key_acquire() because 10 seconds have elapsed sinc
    e last IKE negotiation began (src 0xac10011f, dst 0x0104f01c)


    52744 04/05/2007 12:16:35.010 SEV=9 IPSECDBG/6 RPT=5955
    IPSEC key message parse - msgtype 2, len 274, vers 1, pid 00000000, seq 0, err 0
    , type 2, mode 0, state 64, label 0, pad 0, spi 3d4a98ee, encrKeyLen 0, hashKeyL
    en 0, ivlen 0, alg 0, hmacAlg 0, lifetype 0, lifetime1 631724, lifetime2 0, dsId
    0

    52748 04/05/2007 12:16:35.010 SEV=9 IPSECDBG/1 RPT=18152
    Processing KEY_DELETE msg!

    52749 04/05/2007 12:16:35.010 SEV=9 IPSECDBG/1 RPT=18153
    key_msghdr2secassoc(): Enter

    52750 04/05/2007 12:16:35.010 SEV=7 IPSECDBG/1 RPT=18154
    No USER filter configured

    52751 04/05/2007 12:16:35.010 SEV=8 IKEDBG/0 RPT=17279
    pitcher: received key delete msg, spi 0x70d92766

    52752 04/05/2007 12:16:35.010 SEV=8 IKEDBG/0 RPT=17280
    pitcher: received key delete msg, spi 0x3d4a98ee

    52753 04/05/2007 12:16:35.040 SEV=4 DNS/6 RPT=2299
    Unable to resolve hostname:

    52754 04/05/2007 12:16:35.040 SEV=2 EVENT/41 RPT=2299
    Event log can't resolve hostname ()

    52755 04/05/2007 12:16:35.230 SEV=9 IPSECDBG/17 RPT=32177
    Received an IPSEC-over-NAT-T NAT keepalive packet

    52756 04/05/2007 12:16:35.760 SEV=9 IPSECDBG/17 RPT=32178
    Received an IPSEC-over-NAT-T NAT keepalive packet

    52757 04/05/2007 12:16:40.860 SEV=7 IPSECDBG/10 RPT=3720
    IPSEC ipsec_output() can call key_acquire() because 10 seconds have elapsed sinc
    e last IKE negotiation began (src 0xac10011f, dst 0x0104f01c)
     
    Last edited: Apr 5, 2007
    mattsnow, Apr 5, 2007
    #3
  4. mattsnow

    52760 04/05/2007 12:16:40.860 SEV=8 IKEDBG/0 RPT=17281
    pitcher: received a key acquire message!

    52761 04/05/2007 12:16:41.710 SEV=9 IPSECDBG/17 RPT=32179
    Received an IPSEC-over-NAT-T NAT keepalive packet

    52762 04/05/2007 12:16:44.540 SEV=9 IKEDBG/36 RPT=15756 68.x.x.243
    Group [68.x.x.243]
    Sending keep-alive of type DPD R-U-THERE (seq number 0x3f102e25)

    52764 04/05/2007 12:16:44.540 SEV=9 IKEDBG/0 RPT=17282 68.x.x.243
    Group [68.x.x.243]
    constructing blank hash

    52765 04/05/2007 12:16:44.540 SEV=9 IKEDBG/0 RPT=17283 68.x.x.243
    Group [68.x.x.243]
    constructing qm hash

    52766 04/05/2007 12:16:44.540 SEV=8 IKEDBG/0 RPT=17284 68.x.x.243
    SENDING Message (msgid=114d9c64) with payloads :
    HDR + HASH (8) + NOTIFY (11)
    total length : 80

    52768 04/05/2007 12:16:44.560 SEV=8 IKEDBG/0 RPT=17285 68.x.x.243
    RECEIVED Message (msgid=9864d3d1) with payloads :
    HDR + HASH (8) + NOTIFY (11) + NONE (0)
    total length : 80

    52770 04/05/2007 12:16:44.560 SEV=9 IKEDBG/0 RPT=17286 68.x.x.243
    Group [68.x.x.243]
    processing hash

    52771 04/05/2007 12:16:44.560 SEV=9 IKEDBG/0 RPT=17287 68.x.x.243
    Group [68.x.x.243]
    Processing Notify payload

    52772 04/05/2007 12:16:45.230 SEV=9 IPSECDBG/17 RPT=32180
    Received an IPSEC-over-NAT-T NAT keepalive packet

    52773 04/05/2007 12:16:52.770 SEV=4 IKEDBG/0 RPT=17288
    QM FSM error (P2 struct &0x1e275b8, mess id 0xa54a668d)!

    52805 04/05/2007 12:17:04.540 SEV=9 IKEDBG/36 RPT=15758 68.x.x.243
    Group [68.x.x.243]
    Sending keep-alive of type DPD R-U-THERE (seq number 0x3f102e26)

    52807 04/05/2007 12:17:04.540 SEV=9 IKEDBG/0 RPT=17301 68.x.x.243
    Group [68.x.x.243]
    constructing blank hash

    52808 04/05/2007 12:17:04.540 SEV=9 IKEDBG/0 RPT=17302 68.x.x.243
    Group [68.x.x.243]
    constructing qm hash

    52809 04/05/2007 12:17:04.540 SEV=8 IKEDBG/0 RPT=17303 68.x.x.243
    SENDING Message (msgid=9ae67981) with payloads :
    HDR + HASH (8) + NOTIFY (11)
    total length : 80

    52811 04/05/2007 12:17:04.560 SEV=8 IKEDBG/0 RPT=17304 68.x.x.243
    RECEIVED Message (msgid=5293ae87) with payloads :
    HDR + HASH (8) + NOTIFY (11) + NONE (0)
    total length : 80

    52813 04/05/2007 12:17:04.560 SEV=9 IKEDBG/0 RPT=17305 68.x.x.243
    Group [68.x.x.243]
    processing hash

    52814 04/05/2007 12:17:04.560 SEV=9 IKEDBG/0 RPT=17306 68.x.x.243
    Group [68.x.x.243]
    Processing Notify payload

    52815 04/05/2007 12:17:04.850 SEV=9 IPSECDBG/17 RPT=32181
    Received an IPSEC-over-NAT-T NAT keepalive packet

    52816 04/05/2007 12:17:05.230 SEV=9 IPSECDBG/17 RPT=32182
    Received an IPSEC-over-NAT-T NAT keepalive packet

    52817 04/05/2007 12:17:05.640 SEV=7 IPSECDBG/10 RPT=3721
    IPSEC ipsec_output() can call key_acquire() because 24 seconds have elapsed sinc
    e last IKE negotiation began (src 0xac100102, dst 0x0104f01c)

    52819 04/05/2007 12:17:05.640 SEV=7 IPSECDBG/14 RPT=3723
    Sending KEY_ACQUIRE to IKE for src 172.16.1.2, dst 192.168.15.22

    52820 04/05/2007 12:17:05.640 SEV=8 IKEDBG/0 RPT=17307
    pitcher: received a key acquire message!

    52821 04/05/2007 12:17:05.640 SEV=4 IKE/41 RPT=1079
    IKE Initiator: New Phase 2, Intf 2, IKE Peer 205.173.134.137
    local Proxy Address 172.16.0.0, remote Proxy Address 192.168.15.0,
    SA (L2L: Flex1-VPN)

    52824 04/05/2007 12:17:05.640 SEV=9 IKEDBG/0 RPT=17308 205.173.134.137
    Group [205.173.134.137]
    Oakley begin quick mode

    52825 04/05/2007 12:17:05.640 SEV=9 IPSECDBG/6 RPT=5957
    IPSEC key message parse - msgtype 6, len 208, vers 1, pid 00000000, seq 1775, er
    r 0, type 2, mode 0, state 32, label 0, pad 0, spi 00000000, encrKeyLen 0, hashK
    eyLen 0, ivlen 0, alg 0, hmacAlg 0, lifetype 0, lifetime1 631724, lifetime2 0, d
    sId 300

    52829 04/05/2007 12:17:05.640 SEV=9 IPSECDBG/1 RPT=18157
    Processing KEY_GETSPI msg!

    52830 04/05/2007 12:17:05.650 SEV=7 IPSECDBG/13 RPT=1775
    Reserved SPI 934163155

    52831 04/05/2007 12:17:05.650 SEV=8 IKEDBG/6 RPT=1775
    IKE got SPI from key engine: SPI = 0x37ae32d3

    52882 04/05/2007 12:17:24.540 SEV=9 IKEDBG/36 RPT=15761 68.x.x.243
    Group [68.x.x.243]
    Sending keep-alive of type DPD R-U-THERE (seq number 0x3f102e27)

    52884 04/05/2007 12:17:24.540 SEV=9 IKEDBG/0 RPT=17333 68.x.x.243
    Group [68.x.x.243]
    constructing blank hash

    52885 04/05/2007 12:17:24.540 SEV=9 IKEDBG/0 RPT=17334 68.x.x.243
    Group [68.x.x.243]
    constructing qm hash

    52886 04/05/2007 12:17:24.540 SEV=8 IKEDBG/0 RPT=17335 68.x.x.243
    SENDING Message (msgid=49f01833) with payloads :
    HDR + HASH (8) + NOTIFY (11)
    total length : 80

    52888 04/05/2007 12:17:24.560 SEV=8 IKEDBG/0 RPT=17336 68.x.x.243
    RECEIVED Message (msgid=26297c2f) with payloads :
    HDR + HASH (8) + NOTIFY (11) + NONE (0)
    total length : 80

    52890 04/05/2007 12:17:24.560 SEV=9 IKEDBG/0 RPT=17337 68.x.x.243
    Group [68.x.x.243]
    processing hash

    52891 04/05/2007 12:17:24.560 SEV=9 IKEDBG/0 RPT=17338 68.x.x.243
    Group [68.x.x.243]
    Processing Notify payload

    52892 04/05/2007 12:17:25.230 SEV=9 IPSECDBG/17 RPT=32185
    Received an IPSEC-over-NAT-T NAT keepalive packet

    52937 04/05/2007 12:17:44.540 SEV=9 IKEDBG/36 RPT=15764 68.x.x.243
    Group [68.x.x.243]
    Sending keep-alive of type DPD R-U-THERE (seq number 0x3f102e28)

    52939 04/05/2007 12:17:44.540 SEV=9 IKEDBG/0 RPT=17358 68.x.x.243
    Group [68.x.x.243]
    constructing blank hash

    52940 04/05/2007 12:17:44.540 SEV=9 IKEDBG/0 RPT=17359 68.x.x.243
    Group [68.x.x.243]
    constructing qm hash

    52941 04/05/2007 12:17:44.540 SEV=8 IKEDBG/0 RPT=17360 68.x.x.243
    SENDING Message (msgid=fc6952c4) with payloads :
    HDR + HASH (8) + NOTIFY (11)
    total length : 80

    52943 04/05/2007 12:17:44.560 SEV=8 IKEDBG/0 RPT=17361 68.x.x.243
    RECEIVED Message (msgid=75e5c835) with payloads :
    HDR + HASH (8) + NOTIFY (11) + NONE (0)
    total length : 80

    52945 04/05/2007 12:17:44.560 SEV=9 IKEDBG/0 RPT=17362 68.x.x.243
    Group [68.x.x.243]
    processing hash

    52946 04/05/2007 12:17:44.560 SEV=9 IKEDBG/0 RPT=17363 68.x.x.243
    Group [68.x.x.243]
    Processing Notify payload

    52947 04/05/2007 12:17:45.230 SEV=9 IPSECDBG/17 RPT=32188
    Received an IPSEC-over-NAT-T NAT keepalive packet

    52948 04/05/2007 12:17:52.110 SEV=9 IPSECDBG/17 RPT=32189
    Received an IPSEC-over-NAT-T NAT keepalive packet

    52959 04/05/2007 12:17:58.490 SEV=8 IKEDBG/0 RPT=17370 68.x.x.243
    RECEIVED Message (msgid=6ed3c92b) with payloads :
    HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0)
    total length : 164

    52962 04/05/2007 12:17:58.490 SEV=9 IKEDBG/0 RPT=17371 68.x.x.243
    Group [68.x.x.243]
    processing hash

    52963 04/05/2007 12:17:58.490 SEV=9 IKEDBG/0 RPT=17372 68.x.x.243
    Group [68.x.x.243]
    processing SA payload

    52964 04/05/2007 12:17:58.490 SEV=9 IKEDBG/1 RPT=21000 68.x.x.243
    Group [68.x.x.243]
    processing nonce payload

    52965 04/05/2007 12:17:58.490 SEV=9 IKEDBG/1 RPT=21001 68.x.x.243
    Group [68.x.x.243]
    Processing ID

    52966 04/05/2007 12:17:58.490 SEV=5 IKE/35 RPT=3199 68.x.x.243
    Group [68.x.x.243]
    Received remote IP Proxy Subnet data in ID Payload:
    Address 192.168.30.0, Mask 255.255.255.0, Protocol 0, Port 0

    52969 04/05/2007 12:17:58.490 SEV=9 IKEDBG/1 RPT=21002 68.x.x.243
    Group [68.x.x.243]
    Processing ID

    52970 04/05/2007 12:17:58.490 SEV=5 IKE/34 RPT=3368 68.x.x.243
    Group [68.x.x.243]
    Received local IP Proxy Subnet data in ID Payload:
    Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0

    52973 04/05/2007 12:17:58.500 SEV=8 IKEDBG/0 RPT=17373
    QM IsRekeyed old sa not found by addr

    52974 04/05/2007 12:17:58.500 SEV=4 IKE/61 RPT=2668 68.x.x.243
    Group [68.x.x.243]
    Tunnel rejected: Policy not found for Src:192.168.30.0, Dst: 0.0.0.0!

    52976 04/05/2007 12:17:58.500 SEV=4 IKEDBG/0 RPT=17374
    QM FSM error (P2 struct &0x1e8c5e4, mess id 0x6ed3c92b)!

    52977 04/05/2007 12:17:58.500 SEV=7 IKEDBG/65 RPT=3676 68.x.x.243
    Group [68.x.x.243]
    IKE QM Responder FSM error history (struct &0x1e8c5e4)
    <state>, <event>:
    QM_DONE, EV_ERROR
    QM_BLD_MSG2, EV_NEGO_SA
    QM_BLD_MSG2, EV_IS_REKEY
    QM_BLD_MSG2, EV_CONFIRM_SA
     
    Last edited: Apr 5, 2007
    mattsnow, Apr 5, 2007
    #4
  5. mattsnow

    52982 04/05/2007 12:17:58.500 SEV=9 IKEDBG/0 RPT=17375
    sending delete/delete with reason message

    52983 04/05/2007 12:17:58.500 SEV=6 IKE/0 RPT=4449 68.x.x.243
    Group [68.x.x.243]
    Removing peer from correlator table failed, no match!

    52996 04/05/2007 12:18:04.540 SEV=9 IKEDBG/36 RPT=15767 68.x.x.243
    Group [68.x.x.243]
    Sending keep-alive of type DPD R-U-THERE (seq number 0x3f102e29)

    52998 04/05/2007 12:18:04.540 SEV=9 IKEDBG/0 RPT=17382 68.x.x.243
    Group [68.x.x.243]
    constructing blank hash

    52999 04/05/2007 12:18:04.540 SEV=9 IKEDBG/0 RPT=17383 68.x.x.243
    Group [68.x.x.243]
    constructing qm hash

    53000 04/05/2007 12:18:04.540 SEV=8 IKEDBG/0 RPT=17384 68.x.x.243
    SENDING Message (msgid=90d310b9) with payloads :
    HDR + HASH (8) + NOTIFY (11)
    total length : 80

    53002 04/05/2007 12:18:04.560 SEV=8 IKEDBG/0 RPT=17385 68.x.x.243
    RECEIVED Message (msgid=b1e17710) with payloads :
    HDR + HASH (8) + NOTIFY (11) + NONE (0)
    total length : 80

    53004 04/05/2007 12:18:04.560 SEV=9 IKEDBG/0 RPT=17386 68.x.x.243
    Group [68.x.x.243]
    processing hash

    53005 04/05/2007 12:18:04.560 SEV=9 IKEDBG/0 RPT=17387 68.x.x.243
    Group [68.x.x.243]
    Processing Notify payload

    53006 04/05/2007 12:18:04.840 SEV=9 IPSECDBG/17 RPT=32190
    Received an IPSEC-over-NAT-T NAT keepalive packet

    53007 04/05/2007 12:18:05.230 SEV=9 IPSECDBG/17 RPT=32191
    Received an IPSEC-over-NAT-T NAT keepalive packet

    53018 04/05/2007 12:18:12.310 SEV=9 IPSECDBG/17 RPT=32192
    Received an IPSEC-over-NAT-T NAT keepalive packet

    53019 04/05/2007 12:18:14.020 SEV=8 IKEDBG/0 RPT=17394 68.x.x.243
    RECEIVED Message (msgid=6ed3c92b) with payloads :
    HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0)
    total length : 164

    53022 04/05/2007 12:18:14.020 SEV=9 IKEDBG/0 RPT=17395 68.x.x.243
    Group [68.x.x.243]
    processing hash

    53023 04/05/2007 12:18:14.020 SEV=9 IKEDBG/0 RPT=17396 68.x.x.243
    Group [68.x.x.243]
    processing SA payload

    53024 04/05/2007 12:18:14.020 SEV=9 IKEDBG/1 RPT=21003 68.x.x.243
    Group [68.x.x.243]
    processing nonce payload

    53025 04/05/2007 12:18:14.020 SEV=9 IKEDBG/1 RPT=21004 68.x.x.243
    Group [68.x.x.243]
    Processing ID

    53026 04/05/2007 12:18:14.020 SEV=5 IKE/35 RPT=3200 68.x.x.243
    Group [68.x.x.243]
    Received remote IP Proxy Subnet data in ID Payload:
    Address 192.168.30.0, Mask 255.255.255.0, Protocol 0, Port 0

    53029 04/05/2007 12:18:14.020 SEV=9 IKEDBG/1 RPT=21005 68.x.x.243
    Group [68.x.x.243]
    Processing ID

    53030 04/05/2007 12:18:14.020 SEV=5 IKE/34 RPT=3369 68.x.x.243
    Group [68.x.x.243]
    Received local IP Proxy Subnet data in ID Payload:
    Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0

    53033 04/05/2007 12:18:14.020 SEV=8 IKEDBG/0 RPT=17397
    QM IsRekeyed old sa not found by addr

    53034 04/05/2007 12:18:14.020 SEV=4 IKE/61 RPT=2669 68.x.x.243
    Group [68.x.x.243]
    Tunnel rejected: Policy not found for Src:192.168.30.0, Dst: 0.0.0.0!

    53036 04/05/2007 12:18:14.020 SEV=4 IKEDBG/0 RPT=17398
    QM FSM error (P2 struct &0x1d671a4, mess id 0x6ed3c92b)!

    53037 04/05/2007 12:18:14.020 SEV=7 IKEDBG/65 RPT=3677 68.x.x.243
    Group [68.x.x.243]
    IKE QM Responder FSM error history (struct &0x1d671a4)
    <state>, <event>:
    QM_DONE, EV_ERROR
    QM_BLD_MSG2, EV_NEGO_SA
    QM_BLD_MSG2, EV_IS_REKEY
    QM_BLD_MSG2, EV_CONFIRM_SA

    53042 04/05/2007 12:18:14.020 SEV=9 IKEDBG/0 RPT=17399
    sending delete/delete with reason message

    53043 04/05/2007 12:18:14.020 SEV=6 IKE/0 RPT=4450 68.x.x.243
    Group [68.x.x.243]
    Removing peer from correlator table failed, no match!
     
    Last edited: Apr 5, 2007
    mattsnow, Apr 5, 2007
    #5
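
Added example, not part of the original posts: a Python script that pulls the Quick Mode proxy IDs out of the concentrator log above, pairs each proposal with its outcome (IKE/120 completed, IKE/61 rejected), and checks the proposed subnets against the "matt-corp" network list from the first post. The function names and the exact-match comparison are assumptions of this example; the sample entries are copied from the log in the thread.

```python
import ipaddress
import re

# Network list "matt-corp" from the first post, in address/wildcard-mask form.
NETWORK_LIST = ["172.16.0.0/0.0.255.255", "192.168.30.0/0.0.0.255"]

# Constructed sample: selected entries copied from the concentrator log in the thread.
SAMPLE_LOG = """\
52631 04/05/2007 12:16:26.980 SEV=5 IKE/35 RPT=3198 68.x.x.243
Group [68.x.x.243]
Received remote IP Proxy Subnet data in ID Payload:
Address 192.168.30.0, Mask 255.255.255.0, Protocol 0, Port 0

52635 04/05/2007 12:16:26.980 SEV=5 IKE/34 RPT=3367 68.x.x.243
Group [68.x.x.243]
Received local IP Proxy Subnet data in ID Payload:
Address 172.16.0.0, Mask 255.255.0.0, Protocol 0, Port 0

52699 04/05/2007 12:16:27.710 SEV=4 IKE/120 RPT=807 68.x.x.243
Group [68.x.x.243]
PHASE 2 COMPLETED (msgid=0f15eede)

52966 04/05/2007 12:17:58.490 SEV=5 IKE/35 RPT=3199 68.x.x.243
Group [68.x.x.243]
Received remote IP Proxy Subnet data in ID Payload:
Address 192.168.30.0, Mask 255.255.255.0, Protocol 0, Port 0

52970 04/05/2007 12:17:58.490 SEV=5 IKE/34 RPT=3368 68.x.x.243
Group [68.x.x.243]
Received local IP Proxy Subnet data in ID Payload:
Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0

52974 04/05/2007 12:17:58.500 SEV=4 IKE/61 RPT=2668 68.x.x.243
Group [68.x.x.243]
Tunnel rejected: Policy not found for Src:192.168.30.0, Dst: 0.0.0.0!
"""

# Entry header: sequence number, date, time, severity, event class, repeat count.
HEADER = re.compile(r"^(\d+) \d\d/\d\d/\d{4} [\d:.]+ SEV=\d+ (\S+) RPT=\d+")
PROXY = re.compile(r"Address ([\d.]+), Mask ([\d.]+)")


def network(addr, mask, wildcard=False):
    """Build a network from an address and a subnet mask (log form) or a
    wildcard mask (network-list form, e.g. 0.0.255.255)."""
    bits = int(ipaddress.IPv4Address(mask))
    if wildcard:
        bits ^= 0xFFFFFFFF  # invert the wildcard mask into a subnet mask
    return ipaddress.IPv4Network(f"{addr}/{bin(bits).count('1')}", strict=False)


def parse_events(text):
    """Yield (event_class, body) for each blank-line-separated log entry."""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [line.strip() for line in block.strip().splitlines()]
        match = HEADER.match(lines[0])
        if match:
            yield match.group(2), " ".join(lines[1:])


def quick_mode_proposals(text):
    """Pair each received proxy-ID set with the event that ended the exchange."""
    proposals, current = [], {}
    for event, body in parse_events(text):
        proxy = PROXY.search(body)
        if event == "IKE/35" and proxy:        # peer's own (remote) subnet
            current = {"remote": network(*proxy.groups())}
        elif event == "IKE/34" and proxy:      # subnet the peer wants on our side
            current["local"] = network(*proxy.groups())
        elif event in ("IKE/120", "IKE/61") and "local" in current:
            current["outcome"] = "completed" if event == "IKE/120" else "rejected"
            proposals.append(current)
            current = {}
    return proposals


def audit(text, network_list=NETWORK_LIST):
    """Flag proposals whose subnets are not entries of the network list.
    Exact-match comparison is an assumption of this example."""
    configured = {network(*entry.split("/"), wildcard=True) for entry in network_list}
    return [
        {**p,
         "local_listed": p["local"] in configured,
         "remote_listed": p["remote"] in configured}
        for p in quick_mode_proposals(text)
    ]


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(f"{row['remote']} -> {row['local']}: {row['outcome']} "
              f"(local listed: {row['local_listed']}, "
              f"remote listed: {row['remote_listed']})")
```
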
  6. mattsnow

    And finally, here is the debug output from the PIX 501:

    spnpix3# debug crypto ipsec
    spnpix3# debug crypto isakmp
    spnpix3# debug crypto engine
    spnpix3#
    VPN Peer: ISAKMP: Added new peer: ip:63.x.x.3 Total VPN Peers:1
    VPN Peer: ISAKMP: Peer ip:63.x.x.3 Ref cnt incremented to:1 Total VPN Peers:1
    ISAKMP (0): beginning Main Mode exchange

    crypto_isakmp_process_block: src 63.x.x.3, dest 172.16.1.150
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    ISAKMP (0): atts are acceptable. Next payload is 0
    ISAKMP (0): processing vendor id payload

    ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block: src 63.x.x.3, dest 172.16.1.150
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0

    ISAKMP (0): processing NONCE payload. message ID = 0

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): speaking to another IOS box!

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): speaking to a VPN3000 concentrator

    ISAKMP (0): ID payload
    next-payload : 8
    type : 2
    protocol : 17
    port : 500
    length : 24
    ISAKMP (0): Total payload length: 28
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block: src 63.x.x.3, dest 172.16.1.150
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing HASH payload. message ID = 0
    ISAKMP (0): processing vendor id payload

    ISAKMP (0): remote peer supports dead peer detection

    ISAKMP (0): SA has been authenticated

    ISAKMP (0): beginning Quick Mode exchange, M-ID of 253095646:f15eedeIPSEC(key_engine): got a queue event...
    IPSEC(spi_response): getting spi 0x9a044cb0(2583973040) for SA
    from 63.x.x.3 to 172.16.1.150 for prot 3

    return status is IKMP_NO_ERROR
    ISAKMP (0): sending INITIAL_CONTACT notify
    ISAKMP (0): sending NOTIFY message 24578 protocol 1
    crypto_isakmp_process_block: src 63.x.x.3, dest 172.16.1.150
    OAK_QM exchange
    oakley_process_quick_mode:
    OAK_QM_IDLE
    ISAKMP (0): processing SA payload. message ID = 253095646

    ISAKMP : Checking IPSec proposal 1

    ISAKMP: transform 1, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (basic) of 28800
    ISAKMP: SA life type in kilobytes
    ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
    ISAKMP: encaps is 1
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) dest= 63.x.x.3, src= 172.16.1.150,
    dest_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
    src_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

    ISAKMP (0): processing NONCE payload. message ID = 253095646

    ISAKMP (0): processing ID payload. message ID = 253095646
    ISAKMP (0): processing ID payload. message ID = 253095646map_alloc_entry: allocating entry 1
    map_alloc_entry: allocating entry 2

    ISAKMP (0): Creating IPSec SAs
    inbound SA from 63.x.x.3 to 172.16.1.150 (proxy 172.16.0.0 to 192.168.30.0)
    has spi 2583973040 and conn_id 1 and flags 4
    lifetime of 28800 seconds
    lifetime of 4608000 kilobytes
    outbound SA from 172.16.1.150 to 63.x.x.3 (proxy 192.168.30.0 to 172.16.0.0)
    has spi 1100517644 and conn_id 2 and flags 4
    lifetime of 28800 seconds
    lifetime of 4608000 kilobytesIPSEC(key_engine): got a queue event...
    IPSEC(initialize_sas): ,
    (key eng. msg.) dest= 172.16.1.150, src= 63.x.x.3,
    dest_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),
    src_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 28800s and 4608000kb,
    spi= 0x9a044cb0(2583973040), conn_id= 1, keysize= 0, flags= 0x4
    IPSEC(initialize_sas): ,
    (key eng. msg.) src= 172.16.1.150, dest= 63.x.x.3,
    src_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),
    dest_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 28800s and 4608000kb,
    spi= 0x4198910c(1100517644), conn_id= 2, keysize= 0, flags= 0x4

    VPN Peer: IPSEC: Peer ip:63.x.x.3 Ref cnt incremented to:2 Total VPN Peers:1
    VPN Peer: IPSEC: Peer ip:63.x.x.3 Ref cnt incremented to:3 Total VPN Peers:1
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block: src 63.x.x.3, dest 172.16.1.150
    ISAKMP (0): processing NOTIFY payload 36136 protocol 1
    spi 0, message ID = 290298980
    ISAMKP (0): received DPD_R_U_THERE from peer 63.x.x.3
    ISAKMP (0): sending NOTIFY message 36137 protocol 1
    return status is IKMP_NO_ERR_NO_TRANS
    crypto_isakmp_process_block: src 63.x.x.3, dest 172.16.1.150
    ISAKMP (0): processing NOTIFY payload 36136 protocol 1
    spi 0, message ID = 2598795649
    ISAMKP (0): received DPD_R_U_THERE from peer 63.x.x.3
    ISAKMP (0): sending NOTIFY message 36137 protocol 1
    return status is IKMP_NO_ERR_NO_TRANS
    crypto_isakmp_process_block: src 63.x.x.3, dest 172.16.1.150
    ISAKMP (0): processing NOTIFY payload 36136 protocol 1
    spi 0, message ID = 1240471603
    ISAMKP (0): received DPD_R_U_THERE from peer 63.x.x.3
    ISAKMP (0): sending NOTIFY message 36137 protocol 1
    return status is IKMP_NO_ERR_NO_TRANS
    crypto_isakmp_process_block: src 63.x.x.3, dest 172.16.1.150
    ISAKMP (0): processing NOTIFY payload 36136 protocol 1
    spi 0, message ID = 4234760900
    ISAMKP (0): received DPD_R_U_THERE from peer 63.x.x.3
    ISAKMP (0): sending NOTIFY message 36137 protocol 1
    return status is IKMP_NO_ERR_NO_TRANS
    ISAKMP (0): beginning Quick Mode exchange, M-ID of 1859373355:6ed3c92bIPSEC(key_engine): got a queue event...
    IPSEC(spi_response): getting spi 0xc4b036c4(3299882692) for SA
    from 63.x.x.3 to 172.16.1.150 for prot 3

    crypto_isakmp_process_block: src 63.x.x.3, dest 172.16.1.150
    ISAKMP (0): processing NOTIFY payload 36136 protocol 1
    spi 0, message ID = 2429751481
    ISAMKP (0): received DPD_R_U_THERE from peer 63.x.x.3
    ISAKMP (0): sending NOTIFY message 36137 protocol 1
    return status is IKMP_NO_ERR_NO_TRANS
    ISAKMP (0): retransmitting phase 2...
    crypto_isakmp_process_block: src 63.x.x.3, dest 172.16.1.150
    ISAKMP (0): processing NOTIFY payload 36136 protocol 1
    spi 0, message ID = 3352187060
    ISAMKP (0): received DPD_R_U_THERE from peer 63.x.x.3
    ISAKMP (0): sending NOTIFY message 36137 protocol 1
    return status is IKMP_NO_ERR_NO_TRANSIPSEC(key_engine): request timer fired: count = 1,
    (identity) local= 172.16.1.150, remote= 63.x.x.3,
    local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)

    ISAKMP (0): retransmitting phase 2...
    ISAKMP (0): beginning Quick Mode exchange, M-ID of 2024501992:78ab72e8IPSEC(key_engine): got a queue event...
    IPSEC(spi_response): getting spi 0x93ce7cd3(2479783123) for SA
    from 63.x.x.3 to 172.16.1.150 for prot 3

    crypto_isakmp_process_block: src 63.x.x.3, dest 172.16.1.150
    ISAKMP (0): processing NOTIFY payload 36136 protocol 1
    spi 0, message ID = 3551383499
    ISAMKP (0): received DPD_R_U_THERE from peer 63.x.x.3
    ISAKMP (0): sending NOTIFY message 36137 protocol 1
    return status is IKMP_NO_ERR_NO_TRANS
    ISAKMP (0): retransmitting phase 2...
    ISAKMP (0): retransmitting phase 2...
    ISAKMP (0): retransmitting phase 2...IPSEC(key_engine): request timer fired: count = 2,
    (identity) local= 172.16.1.150, remote= 63.x.x.3,
    local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)

    ISAKMP (0): retransmitting phase 2...
    ISAKMP (0): retransmitting phase 2...
    ISAKMP (0): deleting IPSEC SAs with peer at 63.x.x.3IPSEC(key_engine): got a queue event...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    IPSEC(key_engine_delete_sas): delete all SAs shared with 63.x.x.3
    map_free_entry: freeing entry 1
    CRYPTO(epa_release_conn): released conn 1

    VPN Peer: IPSEC: Peer ip:63.x.x.3 Decrementing Ref cnt to:2 Total VPN Peers:1map_free_entry: freeing entry 2
    CRYPTO(epa_release_conn): released conn 2

    VPN Peer: IPSEC: Peer ip:63.x.x.3 Decrementing Ref cnt to:1 Total VPN Peers:1
    ISAKMP (0): deleting SA: src 172.16.1.150, dst 63.x.x.3
    crypto_isakmp_process_block: src 63.x.x.3, dest 172.16.1.150
    ISADB: reaper checking SA 0x8095aa20, conn_id = 0 DELETE IT!

    VPN Peer: ISAKMP: Peer ip:63.x.x.3 Ref cnt decremented to:0 Total VPN Peers:1
    VPN Peer: ISAKMP: Deleted peer: ip:63.x.x.3 Total VPN peers:0IPSEC(key_engine): got a queue event...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    IPSEC(key_engine_delete_sas): delete all SAs shared with 63.x.x.3
     
    mattsnow, Apr 5, 2007
    #6
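The concentrator log and the PIX debug above can be tied together by Quick Mode message ID. The following is an added example, not part of the original posts (function names are illustrative): it parses lines excerpted from both logs and reports which proxy selector the PIX offered in the exchange the concentrator rejected, next to the selector of the SA that was established.

```python
import ipaddress
import re

# Sample input: lines excerpted from the logs posted in this thread, trimmed.
PIX_DEBUG = """\
ISAKMP (0): beginning Quick Mode exchange, M-ID of 253095646:f15eedeIPSEC(key_engine): got a queue event...
outbound SA from 172.16.1.150 to 63.x.x.3 (proxy 192.168.30.0 to 172.16.0.0)
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1859373355:6ed3c92bIPSEC(key_engine): got a queue event...
return status is IKMP_NO_ERR_NO_TRANSIPSEC(key_engine): request timer fired: count = 1,
local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
"""
CONCENTRATOR_LOG = """\
Tunnel rejected: Policy not found for Src:192.168.30.0, Dst: 0.0.0.0!
QM FSM error (P2 struct &0x1d671a4, mess id 0x6ed3c92b)!
"""
PROXY = r"(\S+?)/(\S+?)/\d+/\d+"  # address/mask/protocol/port as the PIX prints it

def quick_mode_ids(pix_text):
    """Message IDs of the Quick Mode exchanges the PIX initiated."""
    return {int(m) for m in re.findall(r"Quick Mode exchange, M-ID of (\d+):", pix_text)}

def timed_out_selectors(pix_text):
    """(local, remote) networks from each 'request timer fired' block."""
    pat = re.compile(rf"request timer fired.*?local_proxy= {PROXY}.*?remote_proxy= {PROXY}", re.S)
    return [(ipaddress.ip_network(f"{la}/{lm}"), ipaddress.ip_network(f"{ra}/{rm}"))
            for la, lm, ra, rm in pat.findall(pix_text)]

def rejections(conc_text):
    """(src, dst, message id) for each 'Policy not found' rejection."""
    pat = re.compile(r"Policy not found for Src:(\S+), Dst: (\S+)!.*?mess id (0x[0-9a-f]+)", re.S)
    return [(src, dst, int(mid, 16)) for src, dst, mid in pat.findall(conc_text)]

def correlate(pix_text, conc_text):
    """Tie each concentrator rejection to the PIX exchange and selector behind it."""
    initiated = quick_mode_ids(pix_text)
    established = re.findall(r"outbound SA from .*?\(proxy (\S+) to (\S+)\)", pix_text)
    findings = []
    for src, dst, mid in rejections(conc_text):
        offered = [str(rem) for loc, rem in timed_out_selectors(pix_text)
                   if str(loc.network_address) == src and str(rem.network_address) == dst]
        findings.append({"msg_id": hex(mid), "pix_initiated": mid in initiated,
                         "rejected": (src, dst), "pix_remote_proxy": offered,
                         "established": established})
    return findings

if __name__ == "__main__":
    for finding in correlate(PIX_DEBUG, CONCENTRATOR_LOG):
        print(finding)
```

On these excerpts the rejected message ID matches the PIX's second Quick Mode exchange, whose remote proxy is 0.0.0.0/0, while the SA that was established used 172.16.0.0 as the remote proxy.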