Ipsec Site to Site Cisco ASA to pfSense
-
I am attempting to set up a site-to-site tunnel between sites. I've searched around the forums (pfSense v2.4.1 and Cisco 5520) to no avail. The sanitized log is attached.
Nov 17 12:43:28 sense ipsec_starter[97362]: Starting strongSwan 5.6.0 IPsec [starter]...
Nov 17 12:43:28 sense ipsec_starter[97362]: no netkey IPsec stack detected
Nov 17 12:43:28 sense ipsec_starter[97362]: no KLIPS IPsec stack detected
Nov 17 12:43:28 sense ipsec_starter[97362]: no known IPsec stack detected, ignoring!
Nov 17 12:43:28 sense charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, FreeBSD 11.1-RELEASE-p2, amd64)
Nov 17 12:43:28 sense charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Nov 17 12:43:28 sense charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Nov 17 12:43:28 sense charon: 00[CFG] loading unbound resolver config from '/etc/resolv.conf'
Nov 17 12:43:28 sense charon: 00[CFG] loading unbound trust anchors from '/usr/local/etc/ipsec.d/dnssec.keys'
Nov 17 12:43:28 sense charon: 00[CFG] ipseckey plugin is disabled
Nov 17 12:43:28 sense charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Nov 17 12:43:28 sense charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Nov 17 12:43:28 sense charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Nov 17 12:43:28 sense charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Nov 17 12:43:28 sense charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Nov 17 12:43:28 sense charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Nov 17 12:43:28 sense charon: 00[CFG] loaded IKE secret for %any X.X.240.1
Nov 17 12:43:28 sense charon: 00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory
Nov 17 12:43:28 sense charon: 00[CFG] loaded 0 RADIUS server configurations
Nov 17 12:43:28 sense charon: 00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
Nov 17 12:43:28 sense charon: 00[JOB] spawning 16 worker threads
Nov 17 12:43:28 sense ipsec_starter[97707]: charon (98013) started after 40 ms
Nov 17 12:43:28 sense charon: 16[CFG] received stroke: add connection 'bypasslan'
Nov 17 12:43:28 sense charon: 16[CFG] conn bypasslan
Nov 17 12:43:28 sense charon: 16[CFG] left=%any
Nov 17 12:43:28 sense charon: 16[CFG] leftsubnet=192.168.1.0/24
Nov 17 12:43:28 sense charon: 16[CFG] right=%any
Nov 17 12:43:28 sense charon: 16[CFG] rightsubnet=192.168.1.0/24
Nov 17 12:43:28 sense charon: 16[CFG] ike=aes128-sha256-curve25519
Nov 17 12:43:28 sense charon: 16[CFG] esp=aes128-sha256
Nov 17 12:43:28 sense charon: 16[CFG] dpddelay=30
Nov 17 12:43:28 sense charon: 16[CFG] dpdtimeout=150
Nov 17 12:43:28 sense charon: 16[CFG] sha256_96=no
Nov 17 12:43:28 sense charon: 16[CFG] mediation=no
Nov 17 12:43:28 sense charon: 16[CFG] added configuration 'bypasslan'
Nov 17 12:43:28 sense charon: 05[CFG] received stroke: route 'bypasslan'
Nov 17 12:43:28 sense charon: 05[CFG] proposing traffic selectors for us:
Nov 17 12:43:28 sense charon: 05[CFG] 192.168.1.0/24|/0
Nov 17 12:43:28 sense charon: 05[CFG] proposing traffic selectors for other:
Nov 17 12:43:28 sense charon: 05[CFG] 192.168.1.0/24|/0
Nov 17 12:43:28 sense ipsec_starter[97707]: 'bypasslan' shunt PASS policy installed
Nov 17 12:43:28 sense ipsec_starter[97707]:
Nov 17 12:43:28 sense charon: 05[CFG] received stroke: add connection 'con1000'
Nov 17 12:43:28 sense charon: 05[CFG] conn con1000
Nov 17 12:43:28 sense charon: 05[CFG] left=X.X.45.102
Nov 17 12:43:28 sense charon: 05[CFG] leftsubnet=192.168.1.0/24
Nov 17 12:43:28 sense charon: 05[CFG] leftauth=psk
Nov 17 12:43:28 sense charon: 05[CFG] leftid=X.X.45.102
Nov 17 12:43:28 sense charon: 05[CFG] right=X.X.240.1
Nov 17 12:43:28 sense charon: 05[CFG] rightsubnet=10.1.191.0/24
Nov 17 12:43:28 sense charon: 05[CFG] rightauth=psk
Nov 17 12:43:28 sense charon: 05[CFG] rightid=X.X.240.1
Nov 17 12:43:28 sense charon: 05[CFG] ike=aes128-sha1-modp1024!
Nov 17 12:43:28 sense charon: 05[CFG] esp=aes128-sha1!
Nov 17 12:43:28 sense charon: 05[CFG] dpddelay=10
Nov 17 12:43:28 sense charon: 05[CFG] dpdtimeout=60
Nov 17 12:43:28 sense charon: 05[CFG] dpdaction=3
Nov 17 12:43:28 sense charon: 05[CFG] sha256_96=no
Nov 17 12:43:28 sense charon: 05[CFG] mediation=no
Nov 17 12:43:28 sense charon: 05[CFG] keyexchange=ikev1
Nov 17 12:43:28 sense charon: 05[CFG] added configuration 'con1000'
Nov 17 12:43:28 sense charon: 05[CFG] received stroke: route 'con1000'
Nov 17 12:43:28 sense charon: 05[CFG] proposing traffic selectors for us:
Nov 17 12:43:28 sense charon: 05[CFG] 192.168.1.0/24|/0
Nov 17 12:43:28 sense charon: 05[CFG] proposing traffic selectors for other:
Nov 17 12:43:28 sense charon: 05[CFG] 10.1.191.0/24|/0
Nov 17 12:43:28 sense charon: 05[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Nov 17 12:43:28 sense charon: 05[CHD] CHILD_SA con1000{1} state change: CREATED => ROUTED
Nov 17 12:43:28 sense ipsec_starter[97707]: 'con1000' routed
Nov 17 12:43:28 sense ipsec_starter[97707]:
Nov 17 12:43:31 sense charon: 00[DMN] signal of type SIGINT received. Shutting down
Nov 17 12:43:31 sense charon: 00[CHD] CHILD_SA con1000{1} state change: ROUTED => DESTROYING
Nov 17 12:43:31 sense charon: 00[CFG] proposing traffic selectors for us:
Nov 17 12:43:31 sense charon: 00[CFG] 192.168.1.0/24|/0
Nov 17 12:43:31 sense charon: 00[CFG] proposing traffic selectors for other:
Nov 17 12:43:31 sense charon: 00[CFG] 192.168.1.0/24|/0
Nov 17 12:43:31 sense ipsec_starter[97707]: charon stopped after 200 ms
Nov 17 12:43:31 sense ipsec_starter[97707]: ipsec starter stopped
After the 'Nov 17 12:43:28 sense ipsec_starter[97707]: 'con1000' routed' entry, charon should begin communicating with the remote site, but there isn't an attempt. It just receives the SIGINT to shut down. Does anyone have a suggestion on where to go from here?
-
I was able to get communication between sites by including a host ping in the phase 2 config. However, the connection is torn down right after phase 2 completes.
When initiating from the pfSense side:
pfSense sanitized:
Nov 22 11:16:57 sense ipsec_starter[91886]: Starting strongSwan 5.6.0 IPsec [starter]...
Nov 22 11:16:57 sense ipsec_starter[91886]: no netkey IPsec stack detected
Nov 22 11:16:57 sense ipsec_starter[91886]: no KLIPS IPsec stack detected
Nov 22 11:16:57 sense ipsec_starter[91886]: no known IPsec stack detected, ignoring!
Nov 22 11:16:57 sense charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, FreeBSD 11.1-RELEASE-p2, amd64)
Nov 22 11:16:57 sense charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Nov 22 11:16:57 sense charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Nov 22 11:16:57 sense charon: 00[CFG] loading unbound resolver config from '/etc/resolv.conf'
Nov 22 11:16:57 sense charon: 00[CFG] loading unbound trust anchors from '/usr/local/etc/ipsec.d/dnssec.keys'
Nov 22 11:16:57 sense charon: 00[CFG] ipseckey plugin is disabled
Nov 22 11:16:57 sense charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Nov 22 11:16:57 sense charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Nov 22 11:16:57 sense charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Nov 22 11:16:57 sense charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Nov 22 11:16:57 sense charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Nov 22 11:16:57 sense charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Nov 22 11:16:57 sense charon: 00[CFG] loaded IKE secret for %any X.X.240.1
Nov 22 11:16:57 sense charon: 00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory
Nov 22 11:16:57 sense charon: 00[CFG] loaded 0 RADIUS server configurations
Nov 22 11:16:57 sense charon: 00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
Nov 22 11:16:57 sense charon: 00[JOB] spawning 16 worker threads
Nov 22 11:16:57 sense ipsec_starter[92450]: charon (92458) started after 40 ms
Nov 22 11:16:57 sense charon: 16[CFG] received stroke: add connection 'bypasslan'
Nov 22 11:16:57 sense charon: 16[CFG] conn bypasslan
Nov 22 11:16:57 sense charon: 16[CFG] left=%any
Nov 22 11:16:57 sense charon: 16[CFG] leftsubnet=192.168.1.0/24
Nov 22 11:16:57 sense charon: 16[CFG] right=%any
Nov 22 11:16:57 sense charon: 16[CFG] rightsubnet=192.168.1.0/24
Nov 22 11:16:57 sense charon: 16[CFG] ike=aes128-sha256-curve25519
Nov 22 11:16:57 sense charon: 16[CFG] esp=aes128-sha256
Nov 22 11:16:57 sense charon: 16[CFG] dpddelay=30
Nov 22 11:16:57 sense charon: 16[CFG] dpdtimeout=150
Nov 22 11:16:57 sense charon: 16[CFG] sha256_96=no
Nov 22 11:16:57 sense charon: 16[CFG] mediation=no
Nov 22 11:16:57 sense charon: 16[CFG] added configuration 'bypasslan'
Nov 22 11:16:57 sense charon: 05[CFG] received stroke: route 'bypasslan'
Nov 22 11:16:57 sense charon: 05[CFG] proposing traffic selectors for us:
Nov 22 11:16:57 sense charon: 05[CFG] 192.168.1.0/24|/0
Nov 22 11:16:57 sense charon: 05[CFG] proposing traffic selectors for other:
Nov 22 11:16:57 sense charon: 05[CFG] 192.168.1.0/24|/0
Nov 22 11:16:57 sense ipsec_starter[92450]: 'bypasslan' shunt PASS policy installed
Nov 22 11:16:57 sense ipsec_starter[92450]:
Nov 22 11:16:57 sense charon: 05[CFG] received stroke: add connection 'con1000'
Nov 22 11:16:57 sense charon: 05[CFG] conn con1000
Nov 22 11:16:57 sense charon: 05[CFG] left=X.X.45.102
Nov 22 11:16:57 sense charon: 05[CFG] leftsubnet=192.168.1.0/24
Nov 22 11:16:57 sense charon: 05[CFG] leftauth=psk
Nov 22 11:16:57 sense charon: 05[CFG] leftid=X.X.45.102
Nov 22 11:16:57 sense charon: 05[CFG] right=X.X.240.1
Nov 22 11:16:57 sense charon: 05[CFG] rightsubnet=10.1.191.0/24
Nov 22 11:16:57 sense charon: 05[CFG] rightauth=psk
Nov 22 11:16:57 sense charon: 05[CFG] rightid=X.X.240.1
Nov 22 11:16:57 sense charon: 05[CFG] ike=aes128-sha1-modp1024!
Nov 22 11:16:57 sense charon: 05[CFG] esp=aes128-sha1!
Nov 22 11:16:57 sense charon: 05[CFG] dpddelay=10
Nov 22 11:16:57 sense charon: 05[CFG] dpdtimeout=60
Nov 22 11:16:57 sense charon: 05[CFG] dpdaction=3
Nov 22 11:16:57 sense charon: 05[CFG] sha256_96=no
Nov 22 11:16:57 sense charon: 05[CFG] mediation=no
Nov 22 11:16:57 sense charon: 05[CFG] keyexchange=ikev1
Nov 22 11:16:57 sense charon: 05[CFG] added configuration 'con1000'
Nov 22 11:16:57 sense charon: 15[CFG] received stroke: route 'con1000'
Nov 22 11:16:57 sense charon: 15[CFG] proposing traffic selectors for us:
Nov 22 11:16:57 sense charon: 15[CFG] 192.168.1.0/24|/0
Nov 22 11:16:57 sense charon: 15[CFG] proposing traffic selectors for other:
Nov 22 11:16:57 sense charon: 15[CFG] 10.1.191.0/24|/0
Nov 22 11:16:57 sense charon: 15[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Nov 22 11:16:57 sense charon: 15[CHD] CHILD_SA con1000{1} state change: CREATED => ROUTED
Nov 22 11:16:57 sense ipsec_starter[92450]: 'con1000' routed
Nov 22 11:16:57 sense ipsec_starter[92450]:
Nov 22 11:16:58 sense charon: 15[KNL] creating acquire job for policy X.X.45.102/32|/0 === X.X.240.1/32|/0 with reqid {1}
Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> queueing ISAKMP_VENDOR task
Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> queueing ISAKMP_CERT_PRE task
Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> queueing MAIN_MODE task
Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> queueing ISAKMP_CERT_POST task
Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> queueing ISAKMP_NATD task
Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> queueing QUICK_MODE task
Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> activating new tasks
Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> activating ISAKMP_VENDOR task
Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> activating ISAKMP_CERT_PRE task
Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> activating MAIN_MODE task
Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> activating ISAKMP_CERT_POST task
Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> activating ISAKMP_NATD task
Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> sending XAuth vendor ID
Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> sending DPD vendor ID
Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> sending FRAGMENTATION vendor ID
Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> sending NAT-T (RFC 3947) vendor ID
Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> initiating Main Mode IKE_SA con1000[1] to X.X.240.1
Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> IKE_SA con1000[1] state change: CREATED => CONNECTING
Nov 22 11:16:58 sense charon: 05[CFG] <con1000|1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Nov 22 11:16:58 sense charon: 05[ENC] <con1000|1> generating ID_PROT request 0 [ SA V V V V V ]
Nov 22 11:16:58 sense charon: 05[NET] <con1000|1> sending packet: from X.X.45.102[500] to X.X.240.1[500] (184 bytes)
Nov 22 11:16:58 sense charon: 05[NET] <con1000|1> received packet: from X.X.240.1[500] to X.X.45.102[500] (132 bytes)
Nov 22 11:16:58 sense charon: 05[ENC] <con1000|1> parsed ID_PROT response 0 [ SA V V ]
Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> received NAT-T (RFC 3947) vendor ID
Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> received FRAGMENTATION vendor ID
Nov 22 11:16:58 sense charon: 05[CFG] <con1000|1> selecting proposal:
Nov 22 11:16:58 sense charon: 05[CFG] <con1000|1> proposal matches
Nov 22 11:16:58 sense charon: 05[CFG] <con1000|1> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Nov 22 11:16:58 sense charon: 05[CFG] <con1000|1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Nov 22 11:16:58 sense charon: 05[CFG] <con1000|1> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> reinitiating already active tasks
Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> ISAKMP_VENDOR task
Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> MAIN_MODE task
Nov 22 11:16:58 sense charon: 05[ENC] <con1000|1> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Nov 22 11:16:58 sense charon: 05[NET] <con1000|1> sending packet: from X.X.45.102[500] to X.X.240.1[500] (244 bytes)
Nov 22 11:16:59 sense charon: 05[NET] <con1000|1> received packet: from X.X.240.1[500] to X.X.45.102[500] (304 bytes)
Nov 22 11:16:59 sense charon: 05[ENC] <con1000|1> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> received Cisco Unity vendor ID
Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> received XAuth vendor ID
Nov 22 11:16:59 sense charon: 05[ENC] <con1000|1> received unknown vendor ID: 68:fa:dc:be:fe:5d:79:ec:00:7d:97:1f:ec:3a:6a:38
Nov 22 11:16:59 sense charon: 05[ENC] <con1000|1> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> reinitiating already active tasks
Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> ISAKMP_VENDOR task
Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> MAIN_MODE task
Nov 22 11:16:59 sense charon: 05[ENC] <con1000|1> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Nov 22 11:16:59 sense charon: 05[NET] <con1000|1> sending packet: from X.X.45.102[500] to X.X.240.1[500] (108 bytes)
Nov 22 11:16:59 sense charon: 05[NET] <con1000|1> received packet: from X.X.240.1[500] to X.X.45.102[500] (92 bytes)
Nov 22 11:16:59 sense charon: 05[ENC] <con1000|1> parsed ID_PROT response 0 [ ID HASH V ]
Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> received DPD vendor ID
Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> IKE_SA con1000[1] established between X.X.45.102[X.X.45.102]...X.X.240.1[X.X.240.1]
Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> IKE_SA con1000[1] state change: CONNECTING => ESTABLISHED
Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> scheduling reauthentication in 85346s
Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> maximum IKE_SA lifetime 85886s
Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> activating new tasks
Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> activating QUICK_MODE task
Nov 22 11:16:59 sense charon: 05[CFG] <con1000|1> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Nov 22 11:16:59 sense charon: 05[CFG] <con1000|1> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Nov 22 11:16:59 sense charon: 05[CFG] <con1000|1> proposing traffic selectors for us:
Nov 22 11:16:59 sense charon: 05[CFG] <con1000|1> 192.168.1.0/24|/0
Nov 22 11:16:59 sense charon: 05[CFG] <con1000|1> proposing traffic selectors for other:
Nov 22 11:16:59 sense charon: 05[CFG] <con1000|1> 10.1.191.0/24|/0
Nov 22 11:16:59 sense charon: 05[ENC] <con1000|1> generating QUICK_MODE request 3653203974 [ HASH SA No ID ID ]
Nov 22 11:16:59 sense charon: 05[NET] <con1000|1> sending packet: from X.X.45.102[500] to X.X.240.1[500] (188 bytes)
Nov 22 11:16:59 sense charon: 05[NET] <con1000|1> received packet: from X.X.240.1[500] to X.X.45.102[500] (172 bytes)
Nov 22 11:16:59 sense charon: 05[ENC] <con1000|1> parsed QUICK_MODE response 3653203974 [ HASH SA No ID ID ]
Nov 22 11:16:59 sense charon: 05[CFG] <con1000|1> selecting proposal:
Nov 22 11:16:59 sense charon: 05[CFG] <con1000|1> proposal matches
Nov 22 11:16:59 sense charon: 05[CFG] <con1000|1> received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Nov 22 11:16:59 sense charon: 05[CFG] <con1000|1> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Nov 22 11:16:59 sense charon: 05[CFG] <con1000|1> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Nov 22 11:16:59 sense charon: 05[CHD] <con1000|1> CHILD_SA con1000{2} state change: CREATED => INSTALLING
Nov 22 11:16:59 sense charon: 05[CHD] <con1000|1> using AES_CBC for encryption
Nov 22 11:16:59 sense charon: 05[CHD] <con1000|1> using HMAC_SHA1_96 for integrity
Nov 22 11:16:59 sense charon: 05[CHD] <con1000|1> adding inbound ESP SA
Nov 22 11:16:59 sense charon: 05[CHD] <con1000|1> SPI 0xcdf33db8, src X.X.240.1 dst X.X.45.102
Nov 22 11:16:59 sense charon: 05[CHD] <con1000|1> adding outbound ESP SA
Nov 22 11:16:59 sense charon: 05[CHD] <con1000|1> SPI 0xa6dd3f15, src X.X.45.102 dst X.X.240.1
Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> CHILD_SA con1000{2} established with SPIs cdf33db8_i a6dd3f15_o and TS 192.168.1.0/24|/0 === 10.1.191.0/24|/0
Nov 22 11:16:59 sense charon: 05[CHD] <con1000|1> CHILD_SA con1000{2} state change: INSTALLING => INSTALLED
Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> reinitiating already active tasks
Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> QUICK_MODE task
Nov 22 11:16:59 sense charon: 05[ENC] <con1000|1> generating QUICK_MODE request 3653203974 [ HASH ]
Nov 22 11:16:59 sense charon: 05[NET] <con1000|1> sending packet: from X.X.45.102[500] to X.X.240.1[500] (60 bytes)
Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> activating new tasks
Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> nothing to initiate
Nov 22 11:17:00 sense charon: 00[DMN] signal of type SIGINT received. Shutting down
Nov 22 11:17:00 sense charon: 00[IKE] <con1000|1> queueing QUICK_DELETE task
Nov 22 11:17:00 sense charon: 00[IKE] <con1000|1> queueing ISAKMP_DELETE task
Nov 22 11:17:00 sense charon: 00[IKE] <con1000|1> activating new tasks
Nov 22 11:17:00 sense charon: 00[IKE] <con1000|1> activating QUICK_DELETE task
Nov 22 11:17:00 sense charon: 00[CHD] <con1000|1> CHILD_SA con1000{2} state change: INSTALLED => DELETING
Nov 22 11:17:00 sense charon: 00[IKE] <con1000|1> closing CHILD_SA con1000{2} with SPIs cdf33db8_i (0 bytes) a6dd3f15_o (0 bytes) and TS 192.168.1.0/24|/0 === 10.1.191.0/24|/0
Nov 22 11:17:00 sense charon: 00[CHD] <con1000|1> CHILD_SA con1000{2} state change: DELETING => DESTROYING
Nov 22 11:17:00 sense charon: 00[IKE] <con1000|1> sending DELETE for ESP CHILD_SA with SPI cdf33db8
Nov 22 11:17:00 sense charon: 00[ENC] <con1000|1> generating INFORMATIONAL_V1 request 1344763220 [ HASH D ]
Nov 22 11:17:00 sense charon: 00[NET] <con1000|1> sending packet: from X.X.45.102[500] to X.X.240.1[500] (76 bytes)
Nov 22 11:17:00 sense charon: 00[IKE] <con1000|1> activating new tasks
Nov 22 11:17:00 sense charon: 00[IKE] <con1000|1> activating ISAKMP_DELETE task
Nov 22 11:17:00 sense charon: 00[IKE] <con1000|1> deleting IKE_SA con1000[1] between X.X.45.102[X.X.45.102]...X.X.240.1[X.X.240.1]
Nov 22 11:17:00 sense charon: 00[IKE] <con1000|1> sending DELETE for IKE_SA con1000[1]
Nov 22 11:17:00 sense charon: 00[IKE] <con1000|1> IKE_SA con1000[1] state change: ESTABLISHED => DELETING
Nov 22 11:17:00 sense charon: 00[ENC] <con1000|1> generating INFORMATIONAL_V1 request 159799913 [ HASH D ]
Nov 22 11:17:00 sense charon: 00[NET] <con1000|1> sending packet: from X.X.45.102[500] to X.X.240.1[500] (92 bytes)
Nov 22 11:17:00 sense charon: 00[IKE] <con1000|1> IKE_SA con1000[1] state change: DELETING => DESTROYING
Nov 22 11:17:00 sense charon: 00[CHD] CHILD_SA con1000{1} state change: ROUTED => DESTROYING
Nov 22 11:17:00 sense charon: 00[CFG] proposing traffic selectors for us:
Nov 22 11:17:00 sense charon: 00[CFG] 192.168.1.0/24|/0
Nov 22 11:17:00 sense charon: 00[CFG] proposing traffic selectors for other:
Nov 22 11:17:00 sense charon: 00[CFG] 192.168.1.0/24|/0
Nov 22 11:17:00 sense ipsec_starter[92450]: charon stopped after 200 ms
Nov 22 11:17:00 sense ipsec_starter[92450]: ipsec starter stopped
Cisco sanitized:
FIREWALL#
Nov 22 10:40:49 [IKEv1]IP = X.X.45.102, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, processing SA payload
Nov 22 10:40:49 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Nov 22 10:40:49 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, Oakley proposal is acceptable
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, processing VID payload
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, Received xauth V6 VID
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, processing VID payload
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, Received DPD VID
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, processing VID payload
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, Received Fragmentation VID
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, processing VID payload
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, Received NAT-Traversal RFC VID
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, processing VID payload
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, Received NAT-Traversal ver 02 VID
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, processing IKE SA payload
Nov 22 10:40:49 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Nov 22 10:40:49 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, constructing ISAKMP SA payload
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, constructing NAT-Traversal VID ver RFC payload
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, constructing Fragmentation VID + extended capabilities payload
Nov 22 10:40:49 [IKEv1]IP = X.X.45.102, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Nov 22 10:40:49 [IKEv1]IP = X.X.45.102, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 244
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, processing ke payload
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, processing ISA_KE payload
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, processing nonce payload
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, processing NAT-Discovery payload
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, computing NAT Discovery hash
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, processing NAT-Discovery payload
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, computing NAT Discovery hash
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, constructing ke payload
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, constructing nonce payload
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, constructing Cisco Unity VID payload
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, constructing xauth V6 VID payload
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, Send IOS VID
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, constructing VID payload
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, constructing NAT-Discovery payload
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, computing NAT Discovery hash
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, constructing NAT-Discovery payload
Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, computing NAT Discovery hash
Nov 22 10:40:49 [IKEv1]IP = X.X.45.102, Connection landed on tunnel_group X.X.45.102
Nov 22 10:40:49 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, Generating keys for Responder...
Nov 22 10:40:49 [IKEv1]IP = X.X.45.102, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Nov 22 10:40:49 [IKEv1]IP = X.X.45.102, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
Nov 22 10:40:49 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, processing ID payload
Nov 22 10:40:49 [IKEv1 DECODE]Group = X.X.45.102, IP = X.X.45.102, ID_IPV4_ADDR ID received X.X.45.102
Nov 22 10:40:49 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, processing hash payload
Nov 22 10:40:49 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, Computing hash for ISAKMP
Nov 22 10:40:49 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, processing notify payload
Nov 22 10:40:49 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Nov 22 10:40:49 [IKEv1]IP = X.X.45.102, Connection landed on tunnel_group X.X.45.102
Nov 22 10:40:49 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, constructing ID payload
Nov 22 10:40:49 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, constructing hash payload
Nov 22 10:40:49 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, Computing hash for ISAKMP
Nov 22 10:40:49 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, constructing dpd vid payload
Nov 22 10:40:49 [IKEv1]IP = X.X.45.102, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Nov 22 10:40:49 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, PHASE 1 COMPLETED
Nov 22 10:40:49 [IKEv1]IP = X.X.45.102, Keep-alive type for this connection: DPD
Nov 22 10:40:49 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, Starting P1 rekey timer: 64800 seconds.
Nov 22 10:40:50 [IKEv1 DECODE]IP = X.X.45.102, IKE Responder starting QM: msg id = ce76bad9
Nov 22 10:40:50 [IKEv1]IP = X.X.45.102, IKE_DECODE RECEIVED Message (msgid=ce76bad9) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172
Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, processing hash payload
Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, processing SA payload
Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, processing nonce payload
Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, processing ID payload
Nov 22 10:40:50 [IKEv1 DECODE]Group = X.X.45.102, IP = X.X.45.102, ID_IPV4_ADDR_SUBNET ID received--192.168.1.0--255.255.255.0
Nov 22 10:40:50 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.1.0, Mask 255.255.255.0, Protocol 0, Port 0
Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, processing ID payload
Nov 22 10:40:50 [IKEv1 DECODE]Group = X.X.45.102, IP = X.X.45.102, ID_IPV4_ADDR_SUBNET ID received--10.1.191.0--255.255.255.0
Nov 22 10:40:50 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, Received local IP Proxy Subnet data in ID Payload: Address 10.1.191.0, Mask 255.255.255.0, Protocol 0, Port 0
Nov 22 10:40:50 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, QM IsRekeyed old sa not found by addr
Nov 22 10:40:50 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, Static Crypto Map check, checking map = IPSec_VPN_Map, seq = 1...
Nov 22 10:40:50 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, Static Crypto Map check, map IPSec_VPN_Map, seq = 1 is a successful match
Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Nov 22 10:40:50 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, IKE Remote Peer configured for crypto map: IPSec_VPN_Map
Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, processing IPSec SA payload
Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, IPSec SA Proposal # 0, Transform # 1 acceptable Matches global IPSec SA entry # 1
Nov 22 10:40:50 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, IKE: requesting SPI!
IPSEC: New embryonic SA created @ 0x75942ba0,
    SCB: 0x752EA5B0,
    Direction: inbound
    SPI : 0x9DEA6F2B
    Session ID: 0x00043000
    VPIF num : 0x00000002
    Tunnel type: l2l
    Protocol : esp
    Lifetime : 240 seconds
Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, IKE got SPI from key engine: SPI = 0x9dea6f2b
Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, oakley constucting quick mode
Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, constructing blank hash payload
Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, constructing IPSec SA payload
Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, constructing IPSec nonce payload
Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, constructing proxy ID
Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, Transmitting Proxy Id: Remote subnet: 192.168.1.0 Mask 255.255.255.0 Protocol 0 Port 0 Local subnet: 10.1.191.0 mask 255.255.255.0 Protocol 0 Port 0
Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, constructing qm hash payload
Nov 22 10:40:50 [IKEv1 DECODE]Group = X.X.45.102, IP = X.X.45.102, IKE Responder sending 2nd QM pkt: msg id = ce76bad9
Nov 22 10:40:50 [IKEv1]IP = X.X.45.102, IKE_DECODE SENDING Message (msgid=ce76bad9) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 160
Nov 22 10:40:50 [IKEv1]IP = X.X.45.102, IKE_DECODE RECEIVED Message (msgid=ce76bad9) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, processing hash payload
Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, loading all IPSEC SAs
Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, Generating Quick Mode Key!
Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, NP encrypt rule look up for crypto map IPSec_VPN_Map 1 matching ACL outside_cryptomap: returned cs_id=74473d38; rule=75c7a4e0
Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, Generating Quick Mode Key!
IPSEC: New embryonic SA created @ 0x74dd3a90,
    SCB: 0x7445EF50,
    Direction: outbound
    SPI : 0xCF5B0E07
    Session ID: 0x00043000
    VPIF num : 0x00000002
    Tunnel type: l2l
    Protocol : esp
    Lifetime : 240 seconds
IPSEC: Completed host OBSA update, SPI 0xCF5B0E07
IPSEC: Creating outbound VPN context, SPI 0xCF5B0E07
    Flags: 0x00000025
    SA : 0x74dd3a90
    SPI : 0xCF5B0E07
    MTU : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB : 0x0EF851C5
    Channel: 0x6deb45c0
IPSEC: Completed outbound VPN context, SPI 0xCF5B0E07
    VPN handle: 0x000a2384
IPSEC: New outbound encrypt rule, SPI 0xCF5B0E07
    Src addr: 10.1.191.0
    Src mask: 255.255.255.0
    Dst addr: 192.168.1.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0xCF5B0E07
    Rule ID: 0x75c7a440
IPSEC: New outbound permit rule, SPI 0xCF5B0E07
    Src addr: X.X.240.1
    Src mask: 255.255.255.255
    Dst addr: X.X.45.102
    Dst mask: 255.255.255.255
    Src ports
      Upper: 4500
      Lower: 4500
      Op : equal
    Dst ports
      Upper: 4500
      Lower: 4500
      Op : equal
    Protocol: 17
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound permit rule, SPI 0xCF5B0E07
    Rule ID: 0x74b66010
Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, NP encrypt rule look up for crypto map IPSec_VPN_Map 1 matching ACL outside_cryptomap: returned cs_id=74473d38; rule=75c7a4e0
Nov 22 10:40:50 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, Security negotiation complete for LAN-to-LAN Group (X.X.45.102) Responder, Inbound SPI = 0x9dea6f2b, Outbound SPI = 0xcf5b0e07
Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, IKE got a KEY_ADD msg for SA: SPI = 0xcf5b0e07
IPSEC: Completed host IBSA update, SPI 0x9DEA6F2B
IPSEC: Creating inbound VPN context, SPI 0x9DEA6F2B
    Flags: 0x00000026
    SA : 0x75942ba0
    SPI : 0x9DEA6F2B
    MTU : 0 bytes
    VCID : 0x00000000
    Peer : 0x000A2384
    SCB : 0x0ED07CD5
    Channel: 0x6deb45c0
IPSEC: Completed inbound VPN context, SPI 0x9DEA6F2B
    VPN handle: 0x000a5e64
IPSEC: Updating outbound VPN context 0x000A2384, SPI 0xCF5B0E07
    Flags: 0x00000025
    SA : 0x74dd3a90
    SPI : 0xCF5B0E07
    MTU : 1500 bytes
    VCID : 0x00000000
    Peer : 0x000A5E64
    SCB : 0x0EF851C5
    Channel: 0x6deb45c0
IPSEC: Completed outbound VPN context, SPI 0xCF5B0E07
    VPN handle: 0x000a2384
IPSEC: Completed outbound inner rule, SPI 0xCF5B0E07
    Rule ID: 0x75c7a440
IPSEC: Completed outbound outer SPD rule, SPI 0xCF5B0E07
    Rule ID: 0x74b66010
IPSEC: New inbound tunnel flow rule, SPI 0x9DEA6F2B
    Src addr: 192.168.1.0
    Src mask: 255.255.255.0
    Dst addr: 10.1.191.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x9DEA6F2B
    Rule ID: 0x74dd3f08
IPSEC: New inbound decrypt rule, SPI 0x9DEA6F2B
    Src addr: X.X.45.102
    Src mask: 255.255.255.255
    Dst addr: X.X.240.1
    Dst mask: 255.255.255.255
    Src ports
      Upper: 4500
      Lower: 4500
      Op : equal
    Dst ports
      Upper: 4500
      Lower: 4500
      Op : equal
    Protocol: 17
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound decrypt rule, SPI 0x9DEA6F2B Rule ID: 0x76486f30 IPSEC: New inbound permit rule, SPI 0x9DEA6F2B Src addr: X.X.45.102 Src mask: 255.255.255.255 Dst addr: X.X.240.1 Dst mask: 255.255.255.255 Src ports Upper: 4500 Lower: 4500 Op : equal Dst ports Upper: 4500 Lower: 4500 Op : equal Protocol: 17 Use protocol: true SPI: 0x00000000 Use SPI: false IPSEC: Completed inbound permit rule, SPI 0x9DEA6F2B Rule ID: 0x748df0b8 Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, Pitcher: received KEY_UPDATE, spi 0x9dea6f2b Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, Starting P2 rekey timer: 27360 seconds. Nov 22 10:40:50 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, PHASE 2 COMPLETED (msgid=ce76bad9) Nov 22 10:40:52 [IKEv1]IP = X.X.45.102, IKE_DECODE RECEIVED Message (msgid=d897f18a) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68 Nov 22 10:40:52 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, processing hash payload Nov 22 10:40:52 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, processing delete Nov 22 10:40:52 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, Connection terminated for peer X.X.45.102. Reason: Peer Terminate Remote Proxy 192.168.1.0, Local Proxy 10.1.191.0 Nov 22 10:40:52 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, Active unit receives a delete event for remote peer X.X.45.102. 
Nov 22 10:40:52 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, IKE Deleting SA: Remote Proxy 192.168.1.0, Local Proxy 10.1.191.0 Nov 22 10:40:52 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, IKE SA MM:772aa61a rcv'd Terminate: state MM_ACTIVE flags 0x00018042, refcnt 1, tuncnt 0 Nov 22 10:40:52 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, IKE SA MM:772aa61a terminating: flags 0x01018002, refcnt 0, tuncnt 0 Nov 22 10:40:52 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, sending delete/delete with reason message IPSEC: Deleted outbound encrypt rule, SPI 0xCF5B0E07 Rule ID: 0x75c7a440 IPSEC: Deleted outbound permit rule, SPI 0xCF5B0E07 Rule ID: 0x74b66010 IPSEC: Deleted outbound VPN context, SPI 0xCF5B0E07 VPN handle: 0x000a2384 IPSEC: Deleted inbound decrypt rule, SPI 0x9DEA6F2B Rule ID: 0x76486f30 IPSEC: Deleted inbound permit rule, SPI 0x9DEA6F2B Rule ID: 0x748df0b8 IPSEC: Deleted inbound tunnel flow rule, SPI 0x9DEA6F2B Rule ID: 0x74dd3f08 IPSEC: Deleted inbound VPN context, SPI 0x9DEA6F2B VPN handle: 0x000a5e64 Nov 22 10:40:52 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, constructing blank hash payload Nov 22 10:40:52 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, constructing IKE delete payload Nov 22 10:40:52 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, constructing qm hash payload Nov 22 10:40:52 [IKEv1]IP = X.X.45.102, IKE_DECODE SENDING Message (msgid=50fca46a) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80 Nov 22 10:40:52 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x9dea6f2b Nov 22 10:40:52 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x9dea6f2b Nov 22 10:40:52 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, Session is being torn down. Reason: User Requested Nov 22 10:40:52 [IKEv1]Ignoring msg to mark SA with dsID 274432 dead because SA deleted Nov 22 10:40:52 [IKEv1]IP = X.X.45.102, Received encrypted packet with no matching SA, dropping
Interestingly, when I initiate the connection from the Cisco side it fails to complete phase one. It was originally being caught in the firewall, but I have added allows.
packet-tracer input inside icmp 10.1.191.52 8 0 192.168.1.2 de$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.1.191.52, sport=0, daddr=192.168.1.2, dport=0
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in id=0x73836f70, priority=0, domain=inspect-ip-options, deny=true
        hits=38041969, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 3
Type: INSPECT
Subtype: np-inspect
<--- More --->IPSEC(crypto_map_check)-3: Checking crypto map IPSec_VPN_Map 1: matched.
Nov 22 11:37:04 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.1.191.52, sport=0, daddr=192.168.1.2, dport=0
IPSEC(crypto_map_check)-3: Checking crypto map IPSec_VPN_Map 1: matched.
Nov 22 11:37:04 [IKEv1]IP = X.X.45.102, IKE Initiator: New Phase 1, Intf inside, IKE Peer X.X.45.102 local Proxy Address 10.1.191.0, remote Proxy Address 192.168.1.0, Crypto map (IPSec_VPN_Map)
Nov 22 11:37:04 [IKEv1 DEBUG]IP = X.X.45.102, constructing ISAKMP SA payload
Nov 22 11:37:04 [IKEv1 DEBUG]IP = X.X.45.102, constructing NAT-Traversal VID ver 02 payload
Nov 22 11:37:04 [IKEv1 DEBUG]IP = X.X.45.102, constructing NAT-Traversal VID ver 03 payload
Nov 22 11:37:04 [IKEv1 DEBUG]IP = X.X.45.102, constructing NAT-Traversal VID ver RFC payload
Nov 22 11:37:04 [IKEv1 DEBUG]IP = X.X.45.102, constructing Fragmentation VID + extended capabilities payload
Nov 22 11:37:04 [IKEv1]IP = X.X.45.102, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 248
Nov 22 11:37:12 [IKEv1]IP = X.X.45.102, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 248
Nov 22 11:37:20 [IKEv1]IP = X.X.45.102, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 248
Nov 22 11:37:28 [IKEv1]IP = X.X.45.102, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 248
Nov 22 11:37:36 [IKEv1 DEBUG]IP = X.X.45.102, IKE MM Initiator FSM error history (struct &0x74907e98) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Nov 22 11:37:36 [IKEv1 DEBUG]IP = X.X.45.102, IKE SA MM:25ee7eac terminating: flags 0x01000022, refcnt 0, tuncnt 0
Nov 22 11:37:36 [IKEv1 DEBUG]IP = X.X.45.102, sending delete/delete with reason message
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in id=0x73836b48, priority=66, domain=inspect-icmp-error, deny=false
        hits=381217, user_data=0x73836160, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static VLAN_191 VLAN_191 destination static Remote_Net Remote_Net no-proxy-arp route-lookup
Additional Information:
Static translate 10.1.191.52/0 to 10.1.191.52/0
Forward Flow based lookup yields rule:
 in id=0x74905610, priority=6, domain=nat, deny=false
        hits=39, user_data=0x74470b28, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=10.1.191.0, mask=255.255.255.0, port=0
        dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 5
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
 out id=0x75c7a4e0, priority=70, domain=encrypt, deny=false
        hits=19, user_data=0x0, cs_id=0x74473d38, reverse, flags=0x0, protocol=0
        src ip/id=10.1.191.0, mask=255.255.255.0, port=0
        dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
-
I'm having some problems; do you have a solution?
Thank you
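Added example, not part of the original post and not a Cisco or pfSense tool: a small Python triage script for the kind of ASA `debug crypto ikev1` output pasted above. It reads the lines once and reports the three facts a reviewer checks first in a LAN-to-LAN negotiation like this one: the proxy IDs (traffic selectors) the peer sent in Quick Mode, whether an SA that reached PHASE 2 COMPLETED was then torn down by a DELETE from the peer a few seconds later, and whether a Main Mode initiation died in MM_WAIT_MSG2 after resending MSG1 (meaning no ISAKMP reply reached the ASA at all). The sample log is constructed by condensing the lines from the post (same peer, proxies, SPIs, message ids and timestamps); the regexes assume the exact message wording shown above, and the three findings are this example's own heuristics, not ASA diagnostics.

```python
"""Triage helper for Cisco ASA 'debug crypto ikev1' output (added example).

Extracts Phase 2 proxy IDs, a peer-initiated DELETE right after
PHASE 2 COMPLETED, and a Main Mode initiator timeout in MM_WAIT_MSG2.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: a condensed copy of the ASA lines in the post above
# (same peer, proxies, SPIs, message ids and timestamps), not a live capture.
SAMPLE_LOG = """\
Nov 22 10:40:50 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.1.0, Mask 255.255.255.0, Protocol 0, Port 0
Nov 22 10:40:50 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, Received local IP Proxy Subnet data in ID Payload: Address 10.1.191.0, Mask 255.255.255.0, Protocol 0, Port 0
Nov 22 10:40:50 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, Security negotiation complete for LAN-to-LAN Group (X.X.45.102) Responder, Inbound SPI = 0x9dea6f2b, Outbound SPI = 0xcf5b0e07
Nov 22 10:40:50 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, PHASE 2 COMPLETED (msgid=ce76bad9)
Nov 22 10:40:52 [IKEv1]IP = X.X.45.102, IKE_DECODE RECEIVED Message (msgid=d897f18a) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Nov 22 10:40:52 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, Connection terminated for peer X.X.45.102. Reason: Peer Terminate Remote Proxy 192.168.1.0, Local Proxy 10.1.191.0
Nov 22 11:37:04 [IKEv1]IP = X.X.45.102, IKE Initiator: New Phase 1, Intf inside, IKE Peer X.X.45.102 local Proxy Address 10.1.191.0, remote Proxy Address 192.168.1.0, Crypto map (IPSec_VPN_Map)
Nov 22 11:37:04 [IKEv1]IP = X.X.45.102, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 248
Nov 22 11:37:12 [IKEv1]IP = X.X.45.102, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 248
Nov 22 11:37:20 [IKEv1]IP = X.X.45.102, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 248
Nov 22 11:37:28 [IKEv1]IP = X.X.45.102, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 248
Nov 22 11:37:36 [IKEv1 DEBUG]IP = X.X.45.102, IKE MM Initiator FSM error history (struct &0x74907e98) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1
"""

# Message wording as printed by the ASA in the post above (assumed stable).
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \[IKEv1[^\]]*\](?P<msg>.*)$")
PROXY_RE = re.compile(r"Received (?P<side>remote|local) IP Proxy Subnet data in ID Payload: "
                      r"Address (?P<addr>[\d.]+), Mask (?P<mask>[\d.]+)")
SPI_RE = re.compile(r"Inbound SPI = (?P<inb>0x[0-9a-fA-F]+), Outbound SPI = (?P<outb>0x[0-9a-fA-F]+)")
P2_DONE_RE = re.compile(r"PHASE 2 COMPLETED \(msgid=[0-9a-f]+\)")
PEER_TERM_RE = re.compile(r"Reason: Peer Terminate")
MM_INIT_RE = re.compile(r"IKE Initiator: New Phase 1")
MM1_RESEND_RE = re.compile(r"IKE_DECODE RESENDING Message \(msgid=0\)")
MM_TIMEOUT_RE = re.compile(r"MM_WAIT_MSG2, EV_TIMEOUT")


@dataclass
class Findings:
    proxies: Dict[str, str] = field(default_factory=dict)  # "remote"/"local" -> "net/mask"
    spis: Dict[str, str] = field(default_factory=dict)     # "inbound"/"outbound" -> SPI
    phase2_completed: Optional[datetime] = None
    peer_terminate_after_s: Optional[float] = None          # PHASE 2 COMPLETED -> peer DELETE
    phase1_initiated: Optional[datetime] = None
    mm1_resends: int = 0
    phase1_timeout: bool = False


def triage(text: str) -> Findings:
    """Walk the log once; lines without an IKEv1 timestamp (IPSEC:, packet-tracer) are skipped."""
    f = Findings()
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog stamp carries no year
        msg = m["msg"]
        p, s = PROXY_RE.search(msg), SPI_RE.search(msg)
        if p:
            f.proxies[p["side"]] = f"{p['addr']}/{p['mask']}"
        elif s:
            f.spis = {"inbound": s["inb"].lower(), "outbound": s["outb"].lower()}
        elif P2_DONE_RE.search(msg):
            f.phase2_completed = ts
        elif PEER_TERM_RE.search(msg) and f.phase2_completed is not None:
            f.peer_terminate_after_s = (ts - f.phase2_completed).total_seconds()
        elif MM_INIT_RE.search(msg):
            f.phase1_initiated, f.mm1_resends, f.phase1_timeout = ts, 0, False
        elif MM1_RESEND_RE.search(msg):
            f.mm1_resends += 1
        elif MM_TIMEOUT_RE.search(msg):
            f.phase1_timeout = True
    return f


def summarize(f: Findings) -> List[str]:
    """One human-readable finding per line, in the order a reviewer would check them."""
    out = []
    if f.proxies:
        out.append("Phase 2 proxy IDs: " + ", ".join(f"{k}={v}" for k, v in sorted(f.proxies.items())))
    if f.peer_terminate_after_s is not None:
        out.append(f"PHASE 2 COMPLETED, then DELETE from peer {f.peer_terminate_after_s:.0f}s later "
                   f"(SPIs {f.spis.get('inbound')}/{f.spis.get('outbound')}): "
                   "the far end tore the SA down; its own IPsec log holds the reason")
    if f.phase1_timeout:
        out.append(f"Phase 1 as initiator timed out in MM_WAIT_MSG2 after {f.mm1_resends} MSG1 resends: "
                   "no ISAKMP reply reached the ASA; check UDP/500 and UDP/4500 reachability to the peer")
    return out


if __name__ == "__main__":
    for finding in summarize(triage(SAMPLE_LOG)):
        print(finding)
```

To use it on a real capture, save the ASA debug to a file and pass its contents to `triage()` in place of `SAMPLE_LOG`; the `IPSEC:` rule dumps and the packet-tracer phases carry no IKEv1 timestamp and are ignored, so they do not need to be trimmed out first. The resend counter is reset on every "New Phase 1" so that a later, successful initiation does not inherit the count from an earlier failed one.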