IPsec Site-to-Site Cisco ASA to pfSense



  • I am attempting to set up a site-to-site tunnel between sites. I've searched around the forums (pfSense v2.4.1 and Cisco 5520) to no avail. The sanitized log is attached.

    Nov 17 12:43:28 sense ipsec_starter[97362]: Starting strongSwan 5.6.0 IPsec [starter]...
    Nov 17 12:43:28 sense ipsec_starter[97362]: no netkey IPsec stack detected
    Nov 17 12:43:28 sense ipsec_starter[97362]: no KLIPS IPsec stack detected
    Nov 17 12:43:28 sense ipsec_starter[97362]: no known IPsec stack detected, ignoring!
    Nov 17 12:43:28 sense charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, FreeBSD 11.1-RELEASE-p2, amd64)
    Nov 17 12:43:28 sense charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
    Nov 17 12:43:28 sense charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
    Nov 17 12:43:28 sense charon: 00[CFG] loading unbound resolver config from '/etc/resolv.conf'
    Nov 17 12:43:28 sense charon: 00[CFG] loading unbound trust anchors from '/usr/local/etc/ipsec.d/dnssec.keys'
    Nov 17 12:43:28 sense charon: 00[CFG] ipseckey plugin is disabled
    Nov 17 12:43:28 sense charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
    Nov 17 12:43:28 sense charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
    Nov 17 12:43:28 sense charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
    Nov 17 12:43:28 sense charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
    Nov 17 12:43:28 sense charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
    Nov 17 12:43:28 sense charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Nov 17 12:43:28 sense charon: 00[CFG]   loaded IKE secret for %any X.X.240.1
    Nov 17 12:43:28 sense charon: 00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory
    Nov 17 12:43:28 sense charon: 00[CFG] loaded 0 RADIUS server configurations
    Nov 17 12:43:28 sense charon: 00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
    Nov 17 12:43:28 sense charon: 00[JOB] spawning 16 worker threads
    Nov 17 12:43:28 sense ipsec_starter[97707]: charon (98013) started after 40 ms
    Nov 17 12:43:28 sense charon: 16[CFG] received stroke: add connection 'bypasslan'
    Nov 17 12:43:28 sense charon: 16[CFG] conn bypasslan
    Nov 17 12:43:28 sense charon: 16[CFG]   left=%any
    Nov 17 12:43:28 sense charon: 16[CFG]   leftsubnet=192.168.1.0/24
    Nov 17 12:43:28 sense charon: 16[CFG]   right=%any
    Nov 17 12:43:28 sense charon: 16[CFG]   rightsubnet=192.168.1.0/24
    Nov 17 12:43:28 sense charon: 16[CFG]   ike=aes128-sha256-curve25519
    Nov 17 12:43:28 sense charon: 16[CFG]   esp=aes128-sha256
    Nov 17 12:43:28 sense charon: 16[CFG]   dpddelay=30
    Nov 17 12:43:28 sense charon: 16[CFG]   dpdtimeout=150
    Nov 17 12:43:28 sense charon: 16[CFG]   sha256_96=no
    Nov 17 12:43:28 sense charon: 16[CFG]   mediation=no
    Nov 17 12:43:28 sense charon: 16[CFG] added configuration 'bypasslan'
    Nov 17 12:43:28 sense charon: 05[CFG] received stroke: route 'bypasslan'
    Nov 17 12:43:28 sense charon: 05[CFG] proposing traffic selectors for us:
    Nov 17 12:43:28 sense charon: 05[CFG]  192.168.1.0/24|/0
    Nov 17 12:43:28 sense charon: 05[CFG] proposing traffic selectors for other:
    Nov 17 12:43:28 sense charon: 05[CFG]  192.168.1.0/24|/0
    Nov 17 12:43:28 sense ipsec_starter[97707]: 'bypasslan' shunt PASS policy installed
    Nov 17 12:43:28 sense ipsec_starter[97707]:
    Nov 17 12:43:28 sense charon: 05[CFG] received stroke: add connection 'con1000'
    Nov 17 12:43:28 sense charon: 05[CFG] conn con1000
    Nov 17 12:43:28 sense charon: 05[CFG]   left=X.X.45.102
    Nov 17 12:43:28 sense charon: 05[CFG]   leftsubnet=192.168.1.0/24
    Nov 17 12:43:28 sense charon: 05[CFG]   leftauth=psk
    Nov 17 12:43:28 sense charon: 05[CFG]   leftid=X.X.45.102
    Nov 17 12:43:28 sense charon: 05[CFG]   right=X.X.240.1
    Nov 17 12:43:28 sense charon: 05[CFG]   rightsubnet=10.1.191.0/24
    Nov 17 12:43:28 sense charon: 05[CFG]   rightauth=psk
    Nov 17 12:43:28 sense charon: 05[CFG]   rightid=X.X.240.1
    Nov 17 12:43:28 sense charon: 05[CFG]   ike=aes128-sha1-modp1024!
    Nov 17 12:43:28 sense charon: 05[CFG]   esp=aes128-sha1!
    Nov 17 12:43:28 sense charon: 05[CFG]   dpddelay=10
    Nov 17 12:43:28 sense charon: 05[CFG]   dpdtimeout=60
    Nov 17 12:43:28 sense charon: 05[CFG]   dpdaction=3
    Nov 17 12:43:28 sense charon: 05[CFG]   sha256_96=no
    Nov 17 12:43:28 sense charon: 05[CFG]   mediation=no
    Nov 17 12:43:28 sense charon: 05[CFG]   keyexchange=ikev1
    Nov 17 12:43:28 sense charon: 05[CFG] added configuration 'con1000'
    Nov 17 12:43:28 sense charon: 05[CFG] received stroke: route 'con1000'
    Nov 17 12:43:28 sense charon: 05[CFG] proposing traffic selectors for us:
    Nov 17 12:43:28 sense charon: 05[CFG]  192.168.1.0/24|/0
    Nov 17 12:43:28 sense charon: 05[CFG] proposing traffic selectors for other:
    Nov 17 12:43:28 sense charon: 05[CFG]  10.1.191.0/24|/0
    Nov 17 12:43:28 sense charon: 05[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    Nov 17 12:43:28 sense charon: 05[CHD] CHILD_SA con1000{1} state change: CREATED => ROUTED
    Nov 17 12:43:28 sense ipsec_starter[97707]: 'con1000' routed
    Nov 17 12:43:28 sense ipsec_starter[97707]:
    Nov 17 12:43:31 sense charon: 00[DMN] signal of type SIGINT received. Shutting down
    Nov 17 12:43:31 sense charon: 00[CHD] CHILD_SA con1000{1} state change: ROUTED => DESTROYING
    Nov 17 12:43:31 sense charon: 00[CFG] proposing traffic selectors for us:
    Nov 17 12:43:31 sense charon: 00[CFG]  192.168.1.0/24|/0
    Nov 17 12:43:31 sense charon: 00[CFG] proposing traffic selectors for other:
    Nov 17 12:43:31 sense charon: 00[CFG]  192.168.1.0/24|/0
    Nov 17 12:43:31 sense ipsec_starter[97707]: charon stopped after 200 ms
    Nov 17 12:43:31 sense ipsec_starter[97707]: ipsec starter stopped
    

    After the 'Nov 17 12:43:28 sense ipsec_starter[97707]: 'con1000' routed' entry, charon should begin communicating with the remote site, but there isn't an attempt. It just receives the SIGINT to shut down. Does anyone have a suggestion on where to go from here?



  • I was able to get communication between sites by including a host ping in the phase 2 config. However, the connection is torn down right after phase 2 completes.
    When initiating from the pfSense side.
    pfSense log (sanitized):

    Nov 22 11:16:57 sense ipsec_starter[91886]: Starting strongSwan 5.6.0 IPsec [starter]...
    Nov 22 11:16:57 sense ipsec_starter[91886]: no netkey IPsec stack detected
    Nov 22 11:16:57 sense ipsec_starter[91886]: no KLIPS IPsec stack detected
    Nov 22 11:16:57 sense ipsec_starter[91886]: no known IPsec stack detected, ignoring!
    Nov 22 11:16:57 sense charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, FreeBSD 11.1-RELEASE-p2, amd64)
    Nov 22 11:16:57 sense charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
    Nov 22 11:16:57 sense charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
    Nov 22 11:16:57 sense charon: 00[CFG] loading unbound resolver config from '/etc/resolv.conf'
    Nov 22 11:16:57 sense charon: 00[CFG] loading unbound trust anchors from '/usr/local/etc/ipsec.d/dnssec.keys'
    Nov 22 11:16:57 sense charon: 00[CFG] ipseckey plugin is disabled
    Nov 22 11:16:57 sense charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
    Nov 22 11:16:57 sense charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
    Nov 22 11:16:57 sense charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
    Nov 22 11:16:57 sense charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
    Nov 22 11:16:57 sense charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
    Nov 22 11:16:57 sense charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Nov 22 11:16:57 sense charon: 00[CFG]   loaded IKE secret for %any X.X.240.1
    Nov 22 11:16:57 sense charon: 00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory
    Nov 22 11:16:57 sense charon: 00[CFG] loaded 0 RADIUS server configurations
    Nov 22 11:16:57 sense charon: 00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
    Nov 22 11:16:57 sense charon: 00[JOB] spawning 16 worker threads
    Nov 22 11:16:57 sense ipsec_starter[92450]: charon (92458) started after 40 ms
    Nov 22 11:16:57 sense charon: 16[CFG] received stroke: add connection 'bypasslan'
    Nov 22 11:16:57 sense charon: 16[CFG] conn bypasslan
    Nov 22 11:16:57 sense charon: 16[CFG]   left=%any
    Nov 22 11:16:57 sense charon: 16[CFG]   leftsubnet=192.168.1.0/24
    Nov 22 11:16:57 sense charon: 16[CFG]   right=%any
    Nov 22 11:16:57 sense charon: 16[CFG]   rightsubnet=192.168.1.0/24
    Nov 22 11:16:57 sense charon: 16[CFG]   ike=aes128-sha256-curve25519
    Nov 22 11:16:57 sense charon: 16[CFG]   esp=aes128-sha256
    Nov 22 11:16:57 sense charon: 16[CFG]   dpddelay=30
    Nov 22 11:16:57 sense charon: 16[CFG]   dpdtimeout=150
    Nov 22 11:16:57 sense charon: 16[CFG]   sha256_96=no
    Nov 22 11:16:57 sense charon: 16[CFG]   mediation=no
    Nov 22 11:16:57 sense charon: 16[CFG] added configuration 'bypasslan'
    Nov 22 11:16:57 sense charon: 05[CFG] received stroke: route 'bypasslan'
    Nov 22 11:16:57 sense charon: 05[CFG] proposing traffic selectors for us:
    Nov 22 11:16:57 sense charon: 05[CFG]  192.168.1.0/24|/0
    Nov 22 11:16:57 sense charon: 05[CFG] proposing traffic selectors for other:
    Nov 22 11:16:57 sense charon: 05[CFG]  192.168.1.0/24|/0
    Nov 22 11:16:57 sense ipsec_starter[92450]: 'bypasslan' shunt PASS policy installed
    Nov 22 11:16:57 sense ipsec_starter[92450]:
    Nov 22 11:16:57 sense charon: 05[CFG] received stroke: add connection 'con1000'
    Nov 22 11:16:57 sense charon: 05[CFG] conn con1000
    Nov 22 11:16:57 sense charon: 05[CFG]   left=X.X.45.102
    Nov 22 11:16:57 sense charon: 05[CFG]   leftsubnet=192.168.1.0/24
    Nov 22 11:16:57 sense charon: 05[CFG]   leftauth=psk
    Nov 22 11:16:57 sense charon: 05[CFG]   leftid=X.X.45.102
    Nov 22 11:16:57 sense charon: 05[CFG]   right=X.X.240.1
    Nov 22 11:16:57 sense charon: 05[CFG]   rightsubnet=10.1.191.0/24
    Nov 22 11:16:57 sense charon: 05[CFG]   rightauth=psk
    Nov 22 11:16:57 sense charon: 05[CFG]   rightid=X.X.240.1
    Nov 22 11:16:57 sense charon: 05[CFG]   ike=aes128-sha1-modp1024!
    Nov 22 11:16:57 sense charon: 05[CFG]   esp=aes128-sha1!
    Nov 22 11:16:57 sense charon: 05[CFG]   dpddelay=10
    Nov 22 11:16:57 sense charon: 05[CFG]   dpdtimeout=60
    Nov 22 11:16:57 sense charon: 05[CFG]   dpdaction=3
    Nov 22 11:16:57 sense charon: 05[CFG]   sha256_96=no
    Nov 22 11:16:57 sense charon: 05[CFG]   mediation=no
    Nov 22 11:16:57 sense charon: 05[CFG]   keyexchange=ikev1
    Nov 22 11:16:57 sense charon: 05[CFG] added configuration 'con1000'
    Nov 22 11:16:57 sense charon: 15[CFG] received stroke: route 'con1000'
    Nov 22 11:16:57 sense charon: 15[CFG] proposing traffic selectors for us:
    Nov 22 11:16:57 sense charon: 15[CFG]  192.168.1.0/24|/0
    Nov 22 11:16:57 sense charon: 15[CFG] proposing traffic selectors for other:
    Nov 22 11:16:57 sense charon: 15[CFG]  10.1.191.0/24|/0
    Nov 22 11:16:57 sense charon: 15[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    Nov 22 11:16:57 sense charon: 15[CHD] CHILD_SA con1000{1} state change: CREATED => ROUTED
    Nov 22 11:16:57 sense ipsec_starter[92450]: 'con1000' routed
    Nov 22 11:16:57 sense ipsec_starter[92450]:
    Nov 22 11:16:58 sense charon: 15[KNL] creating acquire job for policy X.X.45.102/32|/0 === X.X.240.1/32|/0 with reqid {1}
    Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> queueing ISAKMP_VENDOR task
    Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> queueing ISAKMP_CERT_PRE task
    Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> queueing MAIN_MODE task
    Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> queueing ISAKMP_CERT_POST task
    Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> queueing ISAKMP_NATD task
    Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> queueing QUICK_MODE task
    Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> activating new tasks
    Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1>   activating ISAKMP_VENDOR task
    Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1>   activating ISAKMP_CERT_PRE task
    Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1>   activating MAIN_MODE task
    Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1>   activating ISAKMP_CERT_POST task
    Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1>   activating ISAKMP_NATD task
    Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> sending XAuth vendor ID
    Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> sending DPD vendor ID
    Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> sending FRAGMENTATION vendor ID
    Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> sending NAT-T (RFC 3947) vendor ID
    Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> initiating Main Mode IKE_SA con1000[1] to X.X.240.1
    Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> IKE_SA con1000[1] state change: CREATED => CONNECTING
    Nov 22 11:16:58 sense charon: 05[CFG] <con1000|1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Nov 22 11:16:58 sense charon: 05[ENC] <con1000|1> generating ID_PROT request 0 [ SA V V V V V ]
    Nov 22 11:16:58 sense charon: 05[NET] <con1000|1> sending packet: from X.X.45.102[500] to X.X.240.1[500] (184 bytes)
    Nov 22 11:16:58 sense charon: 05[NET] <con1000|1> received packet: from X.X.240.1[500] to X.X.45.102[500] (132 bytes)
    Nov 22 11:16:58 sense charon: 05[ENC] <con1000|1> parsed ID_PROT response 0 [ SA V V ]
    Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> received NAT-T (RFC 3947) vendor ID
    Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> received FRAGMENTATION vendor ID
    Nov 22 11:16:58 sense charon: 05[CFG] <con1000|1> selecting proposal:
    Nov 22 11:16:58 sense charon: 05[CFG] <con1000|1>   proposal matches
    Nov 22 11:16:58 sense charon: 05[CFG] <con1000|1> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Nov 22 11:16:58 sense charon: 05[CFG] <con1000|1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Nov 22 11:16:58 sense charon: 05[CFG] <con1000|1> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1> reinitiating already active tasks
    Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1>   ISAKMP_VENDOR task
    Nov 22 11:16:58 sense charon: 05[IKE] <con1000|1>   MAIN_MODE task
    Nov 22 11:16:58 sense charon: 05[ENC] <con1000|1> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Nov 22 11:16:58 sense charon: 05[NET] <con1000|1> sending packet: from X.X.45.102[500] to X.X.240.1[500] (244 bytes)
    Nov 22 11:16:59 sense charon: 05[NET] <con1000|1> received packet: from X.X.240.1[500] to X.X.45.102[500] (304 bytes)
    Nov 22 11:16:59 sense charon: 05[ENC] <con1000|1> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
    Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> received Cisco Unity vendor ID
    Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> received XAuth vendor ID
    Nov 22 11:16:59 sense charon: 05[ENC] <con1000|1> received unknown vendor ID: 68:fa:dc:be:fe:5d:79:ec:00:7d:97:1f:ec:3a:6a:38
    Nov 22 11:16:59 sense charon: 05[ENC] <con1000|1> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
    Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> reinitiating already active tasks
    Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1>   ISAKMP_VENDOR task
    Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1>   MAIN_MODE task
    Nov 22 11:16:59 sense charon: 05[ENC] <con1000|1> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    Nov 22 11:16:59 sense charon: 05[NET] <con1000|1> sending packet: from X.X.45.102[500] to X.X.240.1[500] (108 bytes)
    Nov 22 11:16:59 sense charon: 05[NET] <con1000|1> received packet: from X.X.240.1[500] to X.X.45.102[500] (92 bytes)
    Nov 22 11:16:59 sense charon: 05[ENC] <con1000|1> parsed ID_PROT response 0 [ ID HASH V ]
    Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> received DPD vendor ID
    Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> IKE_SA con1000[1] established between X.X.45.102[X.X.45.102]...X.X.240.1[X.X.240.1]
    Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> IKE_SA con1000[1] state change: CONNECTING => ESTABLISHED
    Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> scheduling reauthentication in 85346s
    Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> maximum IKE_SA lifetime 85886s
    Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> activating new tasks
    Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1>   activating QUICK_MODE task
    Nov 22 11:16:59 sense charon: 05[CFG] <con1000|1> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    Nov 22 11:16:59 sense charon: 05[CFG] <con1000|1> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    Nov 22 11:16:59 sense charon: 05[CFG] <con1000|1> proposing traffic selectors for us:
    Nov 22 11:16:59 sense charon: 05[CFG] <con1000|1>  192.168.1.0/24|/0
    Nov 22 11:16:59 sense charon: 05[CFG] <con1000|1> proposing traffic selectors for other:
    Nov 22 11:16:59 sense charon: 05[CFG] <con1000|1>  10.1.191.0/24|/0
    Nov 22 11:16:59 sense charon: 05[ENC] <con1000|1> generating QUICK_MODE request 3653203974 [ HASH SA No ID ID ]
    Nov 22 11:16:59 sense charon: 05[NET] <con1000|1> sending packet: from X.X.45.102[500] to X.X.240.1[500] (188 bytes)
    Nov 22 11:16:59 sense charon: 05[NET] <con1000|1> received packet: from X.X.240.1[500] to X.X.45.102[500] (172 bytes)
    Nov 22 11:16:59 sense charon: 05[ENC] <con1000|1> parsed QUICK_MODE response 3653203974 [ HASH SA No ID ID ]
    Nov 22 11:16:59 sense charon: 05[CFG] <con1000|1> selecting proposal:
    Nov 22 11:16:59 sense charon: 05[CFG] <con1000|1>   proposal matches
    Nov 22 11:16:59 sense charon: 05[CFG] <con1000|1> received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    Nov 22 11:16:59 sense charon: 05[CFG] <con1000|1> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    Nov 22 11:16:59 sense charon: 05[CFG] <con1000|1> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    Nov 22 11:16:59 sense charon: 05[CHD] <con1000|1> CHILD_SA con1000{2} state change: CREATED => INSTALLING
    Nov 22 11:16:59 sense charon: 05[CHD] <con1000|1>   using AES_CBC for encryption
    Nov 22 11:16:59 sense charon: 05[CHD] <con1000|1>   using HMAC_SHA1_96 for integrity
    Nov 22 11:16:59 sense charon: 05[CHD] <con1000|1> adding inbound ESP SA
    Nov 22 11:16:59 sense charon: 05[CHD] <con1000|1>   SPI 0xcdf33db8, src X.X.240.1 dst X.X.45.102
    Nov 22 11:16:59 sense charon: 05[CHD] <con1000|1> adding outbound ESP SA
    Nov 22 11:16:59 sense charon: 05[CHD] <con1000|1>   SPI 0xa6dd3f15, src X.X.45.102 dst X.X.240.1
    Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> CHILD_SA con1000{2} established with SPIs cdf33db8_i a6dd3f15_o and TS 192.168.1.0/24|/0 === 10.1.191.0/24|/0
    Nov 22 11:16:59 sense charon: 05[CHD] <con1000|1> CHILD_SA con1000{2} state change: INSTALLING => INSTALLED
    Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> reinitiating already active tasks
    Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1>   QUICK_MODE task
    Nov 22 11:16:59 sense charon: 05[ENC] <con1000|1> generating QUICK_MODE request 3653203974 [ HASH ]
    Nov 22 11:16:59 sense charon: 05[NET] <con1000|1> sending packet: from X.X.45.102[500] to X.X.240.1[500] (60 bytes)
    Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> activating new tasks
    Nov 22 11:16:59 sense charon: 05[IKE] <con1000|1> nothing to initiate
    Nov 22 11:17:00 sense charon: 00[DMN] signal of type SIGINT received. Shutting down
    Nov 22 11:17:00 sense charon: 00[IKE] <con1000|1> queueing QUICK_DELETE task
    Nov 22 11:17:00 sense charon: 00[IKE] <con1000|1> queueing ISAKMP_DELETE task
    Nov 22 11:17:00 sense charon: 00[IKE] <con1000|1> activating new tasks
    Nov 22 11:17:00 sense charon: 00[IKE] <con1000|1>   activating QUICK_DELETE task
    Nov 22 11:17:00 sense charon: 00[CHD] <con1000|1> CHILD_SA con1000{2} state change: INSTALLED => DELETING
    Nov 22 11:17:00 sense charon: 00[IKE] <con1000|1> closing CHILD_SA con1000{2} with SPIs cdf33db8_i (0 bytes) a6dd3f15_o (0 bytes) and TS 192.168.1.0/24|/0 === 10.1.191.0/24|/0
    Nov 22 11:17:00 sense charon: 00[CHD] <con1000|1> CHILD_SA con1000{2} state change: DELETING => DESTROYING
    Nov 22 11:17:00 sense charon: 00[IKE] <con1000|1> sending DELETE for ESP CHILD_SA with SPI cdf33db8
    Nov 22 11:17:00 sense charon: 00[ENC] <con1000|1> generating INFORMATIONAL_V1 request 1344763220 [ HASH D ]
    Nov 22 11:17:00 sense charon: 00[NET] <con1000|1> sending packet: from X.X.45.102[500] to X.X.240.1[500] (76 bytes)
    Nov 22 11:17:00 sense charon: 00[IKE] <con1000|1> activating new tasks
    Nov 22 11:17:00 sense charon: 00[IKE] <con1000|1>   activating ISAKMP_DELETE task
    Nov 22 11:17:00 sense charon: 00[IKE] <con1000|1> deleting IKE_SA con1000[1] between X.X.45.102[X.X.45.102]...X.X.240.1[X.X.240.1]
    Nov 22 11:17:00 sense charon: 00[IKE] <con1000|1> sending DELETE for IKE_SA con1000[1]
    Nov 22 11:17:00 sense charon: 00[IKE] <con1000|1> IKE_SA con1000[1] state change: ESTABLISHED => DELETING
    Nov 22 11:17:00 sense charon: 00[ENC] <con1000|1> generating INFORMATIONAL_V1 request 159799913 [ HASH D ]
    Nov 22 11:17:00 sense charon: 00[NET] <con1000|1> sending packet: from X.X.45.102[500] to X.X.240.1[500] (92 bytes)
    Nov 22 11:17:00 sense charon: 00[IKE] <con1000|1> IKE_SA con1000[1] state change: DELETING => DESTROYING
    Nov 22 11:17:00 sense charon: 00[CHD] CHILD_SA con1000{1} state change: ROUTED => DESTROYING
    Nov 22 11:17:00 sense charon: 00[CFG] proposing traffic selectors for us:
    Nov 22 11:17:00 sense charon: 00[CFG]  192.168.1.0/24|/0
    Nov 22 11:17:00 sense charon: 00[CFG] proposing traffic selectors for other:
    Nov 22 11:17:00 sense charon: 00[CFG]  192.168.1.0/24|/0
    Nov 22 11:17:00 sense ipsec_starter[92450]: charon stopped after 200 ms
    Nov 22 11:17:00 sense ipsec_starter[92450]: ipsec starter stopped
    

    Cisco log (sanitized):

    FIREWALL# Nov 22 10:40:49 [IKEv1]IP = X.X.45.102, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, processing SA payload
    Nov 22 10:40:49 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
    Nov 22 10:40:49 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, Oakley proposal is acceptable
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, processing VID payload
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, Received xauth V6 VID
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, processing VID payload
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, Received DPD VID
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, processing VID payload
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, Received Fragmentation VID
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, processing VID payload
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, Received NAT-Traversal RFC VID
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, processing VID payload
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, Received NAT-Traversal ver 02 VID
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, processing IKE SA payload
    Nov 22 10:40:49 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
    Nov 22 10:40:49 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, constructing ISAKMP SA payload
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, constructing NAT-Traversal VID ver RFC payload
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, constructing Fragmentation VID + extended capabilities payload
    Nov 22 10:40:49 [IKEv1]IP = X.X.45.102, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
    Nov 22 10:40:49 [IKEv1]IP = X.X.45.102, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 244
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, processing ke payload
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, processing ISA_KE payload
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, processing nonce payload
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, processing NAT-Discovery payload
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, computing NAT Discovery hash
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, processing NAT-Discovery payload
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, computing NAT Discovery hash
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, constructing ke payload
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, constructing nonce payload
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, constructing Cisco Unity VID payload
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, constructing xauth V6 VID payload
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, Send IOS VID
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, constructing VID payload
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, constructing NAT-Discovery payload
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, computing NAT Discovery hash
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, constructing NAT-Discovery payload
    Nov 22 10:40:49 [IKEv1 DEBUG]IP = X.X.45.102, computing NAT Discovery hash
    Nov 22 10:40:49 [IKEv1]IP = X.X.45.102, Connection landed on tunnel_group X.X.45.102
    Nov 22 10:40:49 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, Generating keys for Responder...
    Nov 22 10:40:49 [IKEv1]IP = X.X.45.102, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
    Nov 22 10:40:49 [IKEv1]IP = X.X.45.102, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
    Nov 22 10:40:49 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, processing ID payload
    Nov 22 10:40:49 [IKEv1 DECODE]Group = X.X.45.102, IP = X.X.45.102, ID_IPV4_ADDR ID received
    X.X.45.102
    Nov 22 10:40:49 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, processing hash payload
    Nov 22 10:40:49 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, Computing hash for ISAKMP
    Nov 22 10:40:49 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, processing notify payload
    Nov 22 10:40:49 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
    Nov 22 10:40:49 [IKEv1]IP = X.X.45.102, Connection landed on tunnel_group X.X.45.102
    Nov 22 10:40:49 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, constructing ID payload
    Nov 22 10:40:49 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, constructing hash payload
    Nov 22 10:40:49 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, Computing hash for ISAKMP
    Nov 22 10:40:49 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, constructing dpd vid payload
    Nov 22 10:40:49 [IKEv1]IP = X.X.45.102, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
    Nov 22 10:40:49 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, PHASE 1 COMPLETED
    Nov 22 10:40:49 [IKEv1]IP = X.X.45.102, Keep-alive type for this connection: DPD
    Nov 22 10:40:49 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, Starting P1 rekey timer: 64800 seconds.
    Nov 22 10:40:50 [IKEv1 DECODE]IP = X.X.45.102, IKE Responder starting QM: msg id = ce76bad9
    Nov 22 10:40:50 [IKEv1]IP = X.X.45.102, IKE_DECODE RECEIVED Message (msgid=ce76bad9) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172
    Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, processing hash payload
    Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, processing SA payload
    Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, processing nonce payload
    Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, processing ID payload
    Nov 22 10:40:50 [IKEv1 DECODE]Group = X.X.45.102, IP = X.X.45.102, ID_IPV4_ADDR_SUBNET ID received--192.168.1.0--255.255.255.0
    Nov 22 10:40:50 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, Received remote IP Proxy Subnet data in ID Payload:   Address 192.168.1.0, Mask 255.255.255.0, Protocol 0, Port 0
    Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, processing ID payload
    Nov 22 10:40:50 [IKEv1 DECODE]Group = X.X.45.102, IP = X.X.45.102, ID_IPV4_ADDR_SUBNET ID received--10.1.191.0--255.255.255.0
    Nov 22 10:40:50 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, Received local IP Proxy Subnet data in ID Payload:   Address 10.1.191.0, Mask 255.255.255.0, Protocol 0, Port 0
    Nov 22 10:40:50 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, QM IsRekeyed old sa not found by addr
    Nov 22 10:40:50 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, Static Crypto Map check, checking map = IPSec_VPN_Map, seq = 1...
    Nov 22 10:40:50 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, Static Crypto Map check, map IPSec_VPN_Map, seq = 1 is a successful match
    Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
    Nov 22 10:40:50 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, IKE Remote Peer configured for crypto map: IPSec_VPN_Map
    Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, processing IPSec SA payload
    Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, IPSec SA Proposal # 0, Transform # 1 acceptable  Matches global IPSec SA entry # 1
    Nov 22 10:40:50 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, IKE: requesting SPI!
    IPSEC: New embryonic SA created @ 0x75942ba0,
        SCB: 0x752EA5B0,
        Direction: inbound
        SPI      : 0x9DEA6F2B
        Session ID: 0x00043000
        VPIF num  : 0x00000002
        Tunnel type: l2l
        Protocol   : esp
        Lifetime   : 240 seconds
    Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, IKE got SPI from key engine: SPI = 0x9dea6f2b
    Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, oakley constucting quick mode
    Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, constructing blank hash payload
    Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, constructing IPSec SA payload
    Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, constructing IPSec nonce payload
    Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, constructing proxy ID
    Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, Transmitting Proxy Id:
      Remote subnet: 192.168.1.0  Mask 255.255.255.0 Protocol 0  Port 0
      Local subnet:  10.1.191.0  mask 255.255.255.0 Protocol 0  Port 0
    Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, constructing qm hash payload
    Nov 22 10:40:50 [IKEv1 DECODE]Group = X.X.45.102, IP = X.X.45.102, IKE Responder sending 2nd QM pkt: msg id = ce76bad9
    Nov 22 10:40:50 [IKEv1]IP = X.X.45.102, IKE_DECODE SENDING Message (msgid=ce76bad9) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 160
    Nov 22 10:40:50 [IKEv1]IP = X.X.45.102, IKE_DECODE RECEIVED Message (msgid=ce76bad9) with payloads : HDR + HASH (8) + NONE (0) total length : 52
    Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, processing hash payload
    Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, loading all IPSEC SAs
    Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, Generating Quick Mode Key!
    Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, NP encrypt rule look up for crypto map IPSec_VPN_Map 1 matching ACL outside_cryptomap: returned cs_id=74473d38; rule=75c7a4e0
    Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, Generating Quick Mode Key!
    IPSEC: New embryonic SA created @ 0x74dd3a90,
        SCB: 0x7445EF50,
        Direction: outbound
        SPI      : 0xCF5B0E07
        Session ID: 0x00043000
        VPIF num  : 0x00000002
        Tunnel type: l2l
        Protocol   : esp
        Lifetime   : 240 seconds
    IPSEC: Completed host OBSA update, SPI 0xCF5B0E07
    IPSEC: Creating outbound VPN context, SPI 0xCF5B0E07
        Flags: 0x00000025
        SA   : 0x74dd3a90
        SPI  : 0xCF5B0E07
        MTU  : 1500 bytes
        VCID : 0x00000000
        Peer : 0x00000000
        SCB  : 0x0EF851C5
        Channel: 0x6deb45c0
    IPSEC: Completed outbound VPN context, SPI 0xCF5B0E07
        VPN handle: 0x000a2384
    IPSEC: New outbound encrypt rule, SPI 0xCF5B0E07
        Src addr: 10.1.191.0
        Src mask: 255.255.255.0
        Dst addr: 192.168.1.0
        Dst mask: 255.255.255.0
        Src ports
          Upper: 0
          Lower: 0
          Op   : ignore
        Dst ports
          Upper: 0
          Lower: 0
          Op   : ignore
        Protocol: 0
        Use protocol: false
        SPI: 0x00000000
        Use SPI: false
    IPSEC: Completed outbound encrypt rule, SPI 0xCF5B0E07
        Rule ID: 0x75c7a440
    IPSEC: New outbound permit rule, SPI 0xCF5B0E07
        Src addr: X.X.240.1
        Src mask: 255.255.255.255
        Dst addr: X.X.45.102
        Dst mask: 255.255.255.255
        Src ports
          Upper: 4500
          Lower: 4500
          Op   : equal
        Dst ports
          Upper: 4500
          Lower: 4500
          Op   : equal
        Protocol: 17
        Use protocol: true
        SPI: 0x00000000
        Use SPI: false
    IPSEC: Completed outbound permit rule, SPI 0xCF5B0E07
        Rule ID: 0x74b66010
    Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, NP encrypt rule look up for crypto map IPSec_VPN_Map 1 matching ACL outside_cryptomap: returned cs_id=74473d38; rule=75c7a4e0
    Nov 22 10:40:50 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, Security negotiation complete for LAN-to-LAN Group (X.X.45.102)  Responder, Inbound SPI = 0x9dea6f2b, Outbound SPI = 0xcf5b0e07
    Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, IKE got a KEY_ADD msg for SA: SPI = 0xcf5b0e07
    IPSEC: Completed host IBSA update, SPI 0x9DEA6F2B
    IPSEC: Creating inbound VPN context, SPI 0x9DEA6F2B
        Flags: 0x00000026
        SA   : 0x75942ba0
        SPI  : 0x9DEA6F2B
        MTU  : 0 bytes
        VCID : 0x00000000
        Peer : 0x000A2384
        SCB  : 0x0ED07CD5
        Channel: 0x6deb45c0
    IPSEC: Completed inbound VPN context, SPI 0x9DEA6F2B
        VPN handle: 0x000a5e64
    IPSEC: Updating outbound VPN context 0x000A2384, SPI 0xCF5B0E07
        Flags: 0x00000025
        SA   : 0x74dd3a90
        SPI  : 0xCF5B0E07
        MTU  : 1500 bytes
        VCID : 0x00000000
        Peer : 0x000A5E64
        SCB  : 0x0EF851C5
        Channel: 0x6deb45c0
    IPSEC: Completed outbound VPN context, SPI 0xCF5B0E07
        VPN handle: 0x000a2384
    IPSEC: Completed outbound inner rule, SPI 0xCF5B0E07
        Rule ID: 0x75c7a440
    IPSEC: Completed outbound outer SPD rule, SPI 0xCF5B0E07
        Rule ID: 0x74b66010
    IPSEC: New inbound tunnel flow rule, SPI 0x9DEA6F2B
        Src addr: 192.168.1.0
        Src mask: 255.255.255.0
        Dst addr: 10.1.191.0
        Dst mask: 255.255.255.0
        Src ports
          Upper: 0
          Lower: 0
          Op   : ignore
        Dst ports
          Upper: 0
          Lower: 0
          Op   : ignore
        Protocol: 0
        Use protocol: false
        SPI: 0x00000000
        Use SPI: false
    IPSEC: Completed inbound tunnel flow rule, SPI 0x9DEA6F2B
        Rule ID: 0x74dd3f08
    IPSEC: New inbound decrypt rule, SPI 0x9DEA6F2B
        Src addr: X.X.45.102
        Src mask: 255.255.255.255
        Dst addr: X.X.240.1
        Dst mask: 255.255.255.255
        Src ports
          Upper: 4500
          Lower: 4500
          Op   : equal
        Dst ports
          Upper: 4500
          Lower: 4500
          Op   : equal
        Protocol: 17
        Use protocol: true
        SPI: 0x00000000
        Use SPI: false
    IPSEC: Completed inbound decrypt rule, SPI 0x9DEA6F2B
        Rule ID: 0x76486f30
    IPSEC: New inbound permit rule, SPI 0x9DEA6F2B
        Src addr: X.X.45.102
        Src mask: 255.255.255.255
        Dst addr: X.X.240.1
        Dst mask: 255.255.255.255
        Src ports
          Upper: 4500
          Lower: 4500
          Op   : equal
        Dst ports
          Upper: 4500
          Lower: 4500
          Op   : equal
        Protocol: 17
        Use protocol: true
        SPI: 0x00000000
        Use SPI: false
    IPSEC: Completed inbound permit rule, SPI 0x9DEA6F2B
        Rule ID: 0x748df0b8
    Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, Pitcher: received KEY_UPDATE, spi 0x9dea6f2b
    Nov 22 10:40:50 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, Starting P2 rekey timer: 27360 seconds.
    Nov 22 10:40:50 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, PHASE 2 COMPLETED (msgid=ce76bad9)
    Nov 22 10:40:52 [IKEv1]IP = X.X.45.102, IKE_DECODE RECEIVED Message (msgid=d897f18a) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
    Nov 22 10:40:52 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, processing hash payload
    Nov 22 10:40:52 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, processing delete
    Nov 22 10:40:52 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, Connection terminated for peer X.X.45.102.  Reason: Peer Terminate  Remote Proxy 192.168.1.0, Local Proxy 10.1.191.0
    Nov 22 10:40:52 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, Active unit receives a delete event for remote peer X.X.45.102.
    
    Nov 22 10:40:52 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, IKE Deleting SA: Remote Proxy 192.168.1.0, Local Proxy 10.1.191.0
    Nov 22 10:40:52 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, IKE SA MM:772aa61a rcv'd Terminate: state MM_ACTIVE  flags 0x00018042, refcnt 1, tuncnt 0
    Nov 22 10:40:52 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, IKE SA MM:772aa61a terminating:  flags 0x01018002, refcnt 0, tuncnt 0
    Nov 22 10:40:52 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, sending delete/delete with reason message
    IPSEC: Deleted outbound encrypt rule, SPI 0xCF5B0E07
        Rule ID: 0x75c7a440
    IPSEC: Deleted outbound permit rule, SPI 0xCF5B0E07
        Rule ID: 0x74b66010
    IPSEC: Deleted outbound VPN context, SPI 0xCF5B0E07
        VPN handle: 0x000a2384
    IPSEC: Deleted inbound decrypt rule, SPI 0x9DEA6F2B
        Rule ID: 0x76486f30
    IPSEC: Deleted inbound permit rule, SPI 0x9DEA6F2B
        Rule ID: 0x748df0b8
    IPSEC: Deleted inbound tunnel flow rule, SPI 0x9DEA6F2B
        Rule ID: 0x74dd3f08
    IPSEC: Deleted inbound VPN context, SPI 0x9DEA6F2B
        VPN handle: 0x000a5e64
    Nov 22 10:40:52 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, constructing blank hash payload
    Nov 22 10:40:52 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, constructing IKE delete payload
    Nov 22 10:40:52 [IKEv1 DEBUG]Group = X.X.45.102, IP = X.X.45.102, constructing qm hash payload
    Nov 22 10:40:52 [IKEv1]IP = X.X.45.102, IKE_DECODE SENDING Message (msgid=50fca46a) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    Nov 22 10:40:52 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x9dea6f2b
    Nov 22 10:40:52 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x9dea6f2b
    Nov 22 10:40:52 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, Session is being torn down. Reason: User Requested
    Nov 22 10:40:52 [IKEv1]Ignoring msg to mark SA with dsID 274432 dead because SA deleted
    Nov 22 10:40:52 [IKEv1]IP = X.X.45.102, Received encrypted packet with no matching SA, dropping
    
    

    Interestingly, when I initiate the connection from the Cisco side it fails to complete phase one; it was originally being caught in the firewall, but I have added allows.

     packet-tracer input inside icmp 10.1.191.52 8 0 192.168.1.2 de$
    
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    
    Phase: 2
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.1.191.52, sport=0, daddr=192.168.1.2, dport=0
    Config:
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0x73836f70, priority=0, domain=inspect-ip-options, deny=true
            hits=38041969, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=inside, output_ifc=any
    
    Phase: 3
    Type: INSPECT
    Subtype: np-inspect
    <--- More --->IPSEC(crypto_map_check)-3: Checking crypto map IPSec_VPN_Map 1: matched.
    Nov 22 11:37:04 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
    IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.1.191.52, sport=0, daddr=192.168.1.2, dport=0
    IPSEC(crypto_map_check)-3: Checking crypto map IPSec_VPN_Map 1: matched.
    Nov 22 11:37:04 [IKEv1]IP = X.X.45.102, IKE Initiator: New Phase 1, Intf inside, IKE Peer X.X.45.102  local Proxy Address 10.1.191.0, remote Proxy Address 192.168.1.0,  Crypto map (IPSec_VPN_Map)
    Nov 22 11:37:04 [IKEv1 DEBUG]IP = X.X.45.102, constructing ISAKMP SA payload
    Nov 22 11:37:04 [IKEv1 DEBUG]IP = X.X.45.102, constructing NAT-Traversal VID ver 02 payload
    Nov 22 11:37:04 [IKEv1 DEBUG]IP = X.X.45.102, constructing NAT-Traversal VID ver 03 payload
    Nov 22 11:37:04 [IKEv1 DEBUG]IP = X.X.45.102, constructing NAT-Traversal VID ver RFC payload
    Nov 22 11:37:04 [IKEv1 DEBUG]IP = X.X.45.102, constructing Fragmentation VID + extended capabilities payload
    Nov 22 11:37:04 [IKEv1]IP = X.X.45.102, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 248
    Nov 22 11:37:12 [IKEv1]IP = X.X.45.102, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 248
    Nov 22 11:37:20 [IKEv1]IP = X.X.45.102, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 248
    Nov 22 11:37:28 [IKEv1]IP = X.X.45.102, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 248
    Nov 22 11:37:36 [IKEv1 DEBUG]IP = X.X.45.102, IKE MM Initiator FSM error history (struct &0x74907e98)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
    Nov 22 11:37:36 [IKEv1 DEBUG]IP = X.X.45.102, IKE SA MM:25ee7eac terminating:  flags 0x01000022, refcnt 0, tuncnt 0
    Nov 22 11:37:36 [IKEv1 DEBUG]IP = X.X.45.102, sending delete/delete with reason message
    Result: ALLOW
    Config:
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0x73836b48, priority=66, domain=inspect-icmp-error, deny=false
            hits=381217, user_data=0x73836160, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
            src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
            input_ifc=inside, output_ifc=any
    
    Phase: 4
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (inside,outside) source static VLAN_191 VLAN_191 destination static Remote_Net Remote_Net no-proxy-arp route-lookup
    Additional Information:
    Static translate 10.1.191.52/0 to 10.1.191.52/0
     Forward Flow based lookup yields rule:
     in  id=0x74905610, priority=6, domain=nat, deny=false
            hits=39, user_data=0x74470b28, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
            src ip/id=10.1.191.0, mask=255.255.255.0, port=0
            dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, dscp=0x0
            input_ifc=inside, output_ifc=outside
    
    Phase: 5
    Type: VPN
    Subtype: encrypt
    Result: DROP
    Config:
    Additional Information:
     Forward Flow based lookup yields rule:
     out id=0x75c7a4e0, priority=70, domain=encrypt, deny=false
            hits=19, user_data=0x0, cs_id=0x74473d38, reverse, flags=0x0, protocol=0
            src ip/id=10.1.191.0, mask=255.255.255.0, port=0
            dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, dscp=0x0
            input_ifc=any, output_ifc=outside
    
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
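    One way to triage the two traces above mechanically, as an added example that is not part of the original post and not Cisco or pfSense tooling: a small Python parser for the ASA IKEv1 debug lines quoted in this thread that reports which phases completed, counts retransmissions and replies, and flags the two patterns seen here (the responder run torn down by a peer DELETE two seconds after phase 2, and the initiator run whose main-mode message 1 is resent with no reply). The sample traces are shortened excerpts of the log above, and the fixed year used when parsing timestamps is an assumption.

```python
import re
from datetime import datetime

# Shapes of the ASA IKEv1 debug lines quoted in the thread above.
TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \[IKEv1[^\]]*\](.*)$")
MSG_RE = re.compile(r"IKE_DECODE (SENDING|RECEIVED|RESENDING) Message \(msgid=([0-9a-f]+)\)"
                    r" with payloads : (.+?) total length")

def triage_ikev1(lines):
    """Return phases reached, message counts and triage findings for one IKEv1 attempt."""
    msgs, phase1, phase2 = [], None, None
    for raw in lines:
        m = TS_RE.match(raw.strip())
        if not m:
            continue  # "IPSEC:" kernel lines and packet-tracer output carry no IKEv1 timestamp
        # ASA syslog timestamps have no year; a fixed (assumed) year is enough for deltas.
        ts, body = datetime.strptime("2017 " + m.group(1), "%Y %b %d %H:%M:%S"), m.group(2)
        if "PHASE 1 COMPLETED" in body:
            phase1 = ts
        elif "PHASE 2 COMPLETED" in body:
            phase2 = ts
        d = MSG_RE.search(body)
        if d:
            payloads = [p.strip() for p in d.group(3).split("+")]
            msgs.append((ts, d.group(1), d.group(2), payloads))
    resends = [x for x in msgs if x[1] == "RESENDING"]
    received = [x for x in msgs if x[1] == "RECEIVED"]
    deletes = [x for x in received if any(p.startswith("DELETE") for p in x[3])]
    findings = []
    if resends and not received:
        findings.append(f"no reply to main-mode message 1 after {len(resends)} retransmissions:"
                        " IKE on UDP/500 is not reaching the peer, or the peer is not answering")
    if phase2 and deletes:
        delta = (deletes[0][0] - phase2).total_seconds()
        findings.append(f"peer sent DELETE {delta:.0f}s after phase 2: the remote side tore the"
                        " tunnel down, so its IPsec log holds the reason")
    return {"phase1": phase1 is not None, "phase2": phase2 is not None,
            "resends": len(resends), "received": len(received), "findings": findings}

# Constructed samples: shortened excerpts of the responder and initiator traces posted above.
RESPONDER_TRACE = """\
Nov 22 10:40:49 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, PHASE 1 COMPLETED
Nov 22 10:40:50 [IKEv1]IP = X.X.45.102, IKE_DECODE RECEIVED Message (msgid=ce76bad9) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172
Nov 22 10:40:50 [IKEv1]IP = X.X.45.102, IKE_DECODE SENDING Message (msgid=ce76bad9) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 160
Nov 22 10:40:50 [IKEv1]IP = X.X.45.102, IKE_DECODE RECEIVED Message (msgid=ce76bad9) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Nov 22 10:40:50 [IKEv1]Group = X.X.45.102, IP = X.X.45.102, PHASE 2 COMPLETED (msgid=ce76bad9)
Nov 22 10:40:52 [IKEv1]IP = X.X.45.102, IKE_DECODE RECEIVED Message (msgid=d897f18a) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
""".splitlines()

INITIATOR_TRACE = """\
Nov 22 11:37:04 [IKEv1]IP = X.X.45.102, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 248
Nov 22 11:37:12 [IKEv1]IP = X.X.45.102, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 248
Nov 22 11:37:20 [IKEv1]IP = X.X.45.102, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 248
Nov 22 11:37:28 [IKEv1]IP = X.X.45.102, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 248
""".splitlines()

if __name__ == "__main__":
    for name, trace in (("responder", RESPONDER_TRACE), ("initiator", INITIATOR_TRACE)):
        print(name, triage_ikev1(trace))
```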
    


  • I'm having some problems; do you have a solution?

    Thank you

