Site to Site IPsec tunnel with Cisco and pfsense
-
@mr-pine said in Site to Site IPsec tunnel with Cisco and pfsense:
crypto map PFSVPN
Oh my god, sorry. The PFS group was wrong! As you said, I set it to 2. I don't know how you found it!?
I also corrected my Cisco config to this:
encr 3des
 authentication pre-share
 group 2
 lifetime 4000
crypto isakmp key mysecret address 172.16.5.5 no-xauth
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
!
crypto map PFSVPN 15 ipsec-isakmp
 set peer 172.16.5.5
 set transform-set 3DES-SHA
 set pfs group2
 match address 100
!
!
!
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source route-map NONAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
ip route 172.16.5.5 255.255.255.255 Dialer1
!
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 10 permit any
access-list 100 permit ip 172.16.152.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 100 permit ip 172.16.0.0 0.0.255.255 172.16.152.0 0.0.0.255
access-list 110 deny ip 172.16.152.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 permit ip 172.16.152.0 0.0.0.255 any
no cdp run
!
!
!
route-map NONAT permit 10
 match ip address 110
!
!
Now I got new logs on the Cisco:
*Mar 9 05:31:22.998: map_db_find_best did not find matching map
*Mar 9 05:31:22.998: IPSEC(ipsec_process_proposal): proxy identities not supported
*Mar 9 05:31:22.998: IPSEC(validate_proposal_request): proposal part #1
*Mar 9 05:31:22.998: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 172.16.5.20:0, remote= 172.16.5.5:0, local_proxy= 172.16.152.0/255.255.255.0/0/0 (type=4), remote_proxy= 172.16.111.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= NONE (Tunnel), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Mar 9 05:31:22.998: Crypto mapdb : proxy_match src addr : 172.16.152.0 dst addr : 172.16.111.0 protocol : 0 src port : 0 dst port : 0
*Mar 9 05:31:22.998: Crypto mapdb : proxy_match src addr : 172.16.152.0 dst addr : 172.16.111.0 protocol : 0 src port : 0 dst port : 0
*Mar 9 05:31:22.998: Crypto mapdb : proxy_match src addr : 172.16.152.0 dst addr : 172.16.111.0 protocol : 0 src port : 0 dst port : 0
*Mar 9 05:31:22.998: map_db_find_best did not find matching map
*Mar 9 05:31:22.998: IPSEC(ipsec_process_proposal): proxy identities not supported
-
OK that's great but what is pfSense showing now?
-
Nov 14 21:34:35 charon 07[NET] <con1000|24> sending packet: from 172.16.5.5[500] to 172.16.5.20[500] (92 bytes)
Nov 14 21:34:45 charon 07[IKE] <con1000|24> sending DPD request
Nov 14 21:34:45 charon 07[ENC] <con1000|24> generating INFORMATIONAL_V1 request 3757439349 [ HASH N(DPD) ]
Nov 14 21:34:45 charon 07[NET] <con1000|24> sending packet: from 172.16.5.5[500] to 172.16.5.20[500] (92 bytes)
Nov 14 21:34:45 charon 07[NET] <con1000|24> received packet: from 172.16.5.20[500] to 172.16.5.5[500] (92 bytes)
Nov 14 21:34:45 charon 07[ENC] <con1000|24> parsed INFORMATIONAL_V1 request 2314329083 [ HASH N(DPD_ACK) ]
Nov 14 21:34:45 charon 07[NET] <con1000|24> received packet: from 172.16.5.20[500] to 172.16.5.5[500] (92 bytes)
Nov 14 21:34:45 charon 07[ENC] <con1000|24> parsed INFORMATIONAL_V1 request 453303260 [ HASH N(DPD) ]
Nov 14 21:34:45 charon 07[ENC] <con1000|24> generating INFORMATIONAL_V1 request 408573435 [ HASH N(DPD_ACK) ]
Nov 14 21:34:45 charon 07[NET] <con1000|24> sending packet: from 172.16.5.5[500] to 172.16.5.20[500] (92 bytes)
Nov 14 21:34:55 charon 07[IKE] <con1000|24> sending DPD request
Nov 14 21:34:55 charon 07[ENC] <con1000|24> generating INFORMATIONAL_V1 request 3451049163 [ HASH N(DPD) ]
Nov 14 21:34:55 charon 07[NET] <con1000|24> sending packet: from 172.16.5.5[500] to 172.16.5.20[500] (92 bytes)
Nov 14 21:34:55 charon 07[NET] <con1000|24> received packet: from 172.16.5.20[500] to 172.16.5.5[500] (92 bytes)
Nov 14 21:34:55 charon 07[ENC] <con1000|24> parsed INFORMATIONAL_V1 request 2642134501 [ HASH N(DPD_ACK) ]
Nov 14 21:34:55 charon 07[NET] <con1000|24> received packet: from 172.16.5.20[500] to 172.16.5.5[500] (92 bytes)
Nov 14 21:34:55 charon 07[ENC] <con1000|24> parsed INFORMATIONAL_V1 request 3569179544 [ HASH N(DPD) ]
Nov 14 21:34:55 charon 07[ENC] <con1000|24> generating INFORMATIONAL_V1 request 1472256830 [ HASH N(DPD_ACK) ]
Nov 14 21:34:55 charon 07[NET] <con1000|24> sending packet: from 172.16.5.5[500] to 172.16.5.20[500] (92 bytes)
Nov 14 21:35:05 charon 09[NET] <con1000|24> received packet: from 172.16.5.20[500] to 172.16.5.5[500] (92 bytes)
Nov 14 21:35:05 charon 09[ENC] <con1000|24> parsed INFORMATIONAL_V1 request 672897385 [ HASH N(DPD) ]
Nov 14 21:35:05 charon 09[ENC] <con1000|24> generating INFORMATIONAL_V1 request 1924986738 [ HASH N(DPD_ACK) ]
Nov 14 21:35:05 charon 09[NET] <con1000|24> sending packet: from 172.16.5.5[500] to 172.16.5.20[500] (92 bytes)
Nov 14 21:35:09 charon 06[CFG] received stroke: terminate 'con1000'
Nov 14 21:35:09 charon 15[IKE] <con1000|24> deleting IKE_SA con1000[24] between 172.16.5.5[172.16.5.5]...172.16.5.20[172.16.5.20]
Nov 14 21:35:09 charon 15[IKE] <con1000|24> sending DELETE for IKE_SA con1000[24]
Nov 14 21:35:09 charon 15[ENC] <con1000|24> generating INFORMATIONAL_V1 request 1137989583 [ HASH D ]
Nov 14 21:35:09 charon 15[NET] <con1000|24> sending packet: from 172.16.5.5[500] to 172.16.5.20[500] (84 bytes)
Nov 14 21:35:10 charon 06[CFG] received stroke: terminate 'con1000'
Nov 14 21:35:10 charon 06[CFG] no IKE_SA named 'con1000' found
Nov 14 21:35:10 charon 11[CFG] received stroke: initiate 'con1000'
Nov 14 21:35:10 charon 06[IKE] <con1000|25> initiating Main Mode IKE_SA con1000[25] to 172.16.5.20
Nov 14 21:35:10 charon 06[ENC] <con1000|25> generating ID_PROT request 0 [ SA V V V V V ]
Nov 14 21:35:10 charon 06[NET] <con1000|25> sending packet: from 172.16.5.5[500] to 172.16.5.20[500] (176 bytes)
Nov 14 21:35:10 charon 06[NET] <con1000|25> received packet: from 172.16.5.20[500] to 172.16.5.5[500] (100 bytes)
Nov 14 21:35:10 charon 06[ENC] <con1000|25> parsed ID_PROT response 0 [ SA V ]
Nov 14 21:35:10 charon 06[IKE] <con1000|25> received NAT-T (RFC 3947) vendor ID
Nov 14 21:35:10 charon 06[ENC] <con1000|25> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Nov 14 21:35:10 charon 06[NET] <con1000|25> sending packet: from 172.16.5.5[500] to 172.16.5.20[500] (244 bytes)
Nov 14 21:35:10 charon 06[NET] <con1000|25> received packet: from 172.16.5.20[500] to 172.16.5.5[500] (304 bytes)
Nov 14 21:35:10 charon 06[ENC] <con1000|25> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
Nov 14 21:35:10 charon 06[IKE] <con1000|25> received Cisco Unity vendor ID
Nov 14 21:35:10 charon 06[IKE] <con1000|25> received DPD vendor ID
Nov 14 21:35:10 charon 06[ENC] <con1000|25> received unknown vendor ID: 07:a1:37:8b:fb:24:a7:73:33:0b:c6:e6:1b:71:7e:90
Nov 14 21:35:10 charon 06[IKE] <con1000|25> received XAuth vendor ID
Nov 14 21:35:10 charon 06[ENC] <con1000|25> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Nov 14 21:35:10 charon 06[NET] <con1000|25> sending packet: from 172.16.5.5[500] to 172.16.5.20[500] (100 bytes)
Nov 14 21:35:10 charon 05[NET] <con1000|25> received packet: from 172.16.5.20[500] to 172.16.5.5[500] (68 bytes)
Nov 14 21:35:10 charon 05[ENC] <con1000|25> parsed ID_PROT response 0 [ ID HASH ]
Nov 14 21:35:10 charon 05[IKE] <con1000|25> IKE_SA con1000[25] established between 172.16.5.5[172.16.5.5]...172.16.5.20[172.16.5.20]
Nov 14 21:35:10 charon 05[IKE] <con1000|25> scheduling reauthentication in 28008s
Nov 14 21:35:10 charon 05[IKE] <con1000|25> maximum IKE_SA lifetime 28548s
Nov 14 21:35:10 charon 05[ENC] <con1000|25> generating QUICK_MODE request 1619982291 [ HASH SA No KE ID ID ]
Nov 14 21:35:10 charon 05[NET] <con1000|25> sending packet: from 172.16.5.5[500] to 172.16.5.20[500] (380 bytes)
Nov 14 21:35:10 charon 05[NET] <con1000|25> received packet: from 172.16.5.20[500] to 172.16.5.5[500] (92 bytes)
Nov 14 21:35:10 charon 05[ENC] <con1000|25> parsed INFORMATIONAL_V1 request 4054978725 [ HASH N((24576)) ]
Nov 14 21:35:10 charon 05[IKE] <con1000|25> received (24576) notify
Nov 14 21:35:10 charon 05[NET] <con1000|25> received packet: from 172.16.5.20[500] to 172.16.5.5[500] (84 bytes)
Nov 14 21:35:10 charon 05[ENC] <con1000|25> parsed INFORMATIONAL_V1 request 3129956325 [ HASH N(NO_PROP) ]
Nov 14 21:35:10 charon 05[IKE] <con1000|25> received NO_PROPOSAL_CHOSEN error notify
Nov 14 21:35:20 charon 13[IKE] <con1000|25> sending DPD request
Nov 14 21:35:20 charon 13[ENC] <con1000|25> generating INFORMATIONAL_V1 request 2706628016 [ HASH N(DPD) ]
Nov 14 21:35:20 charon 13[NET] <con1000|25> sending packet: from 172.16.5.5[500] to 172.16.5.20[500] (92 bytes)
Nov 14 21:35:20 charon 13[NET] <con1000|25> received packet: from 172.16.5.20[500] to 172.16.5.5[500] (92 bytes)
Nov 14 21:35:20 charon 13[ENC] <con1000|25> parsed INFORMATIONAL_V1 request 2813541667 [ HASH N(DPD) ]
Nov 14 21:35:20 charon 13[ENC] <con1000|25> generating INFORMATIONAL_V1 request 1538694707 [ HASH N(DPD_ACK) ]
Nov 14 21:35:20 charon 13[NET] <con1000|25> sending packet: from 172.16.5.5[500] to 172.16.5.20[500] (92 bytes)
Nov 14 21:35:20 charon 13[NET] <con1000|25> received packet: from 172.16.5.20[500] to 172.16.5.5[500] (92 bytes)
Nov 14 21:35:20 charon 13[ENC] <con1000|25> parsed INFORMATIONAL_V1 request 444822346 [ HASH N(DPD_ACK) ]
Nov 14 21:35:30 charon 13[NET] <con1000|25> received packet: from 172.16.5.20[500] to 172.16.5.5[500] (92 bytes)
Nov 14 21:35:30 charon 13[ENC] <con1000|25> parsed INFORMATIONAL_V1 request 3486885508 [ HASH N(DPD) ]
Nov 14 21:35:30 charon 13[ENC] <con1000|25> generating INFORMATIONAL_V1 request 2522299192 [ HASH N(DPD_ACK) ]
Nov 14 21:35:30 charon 13[NET] <con1000|25> sending packet: from 172.16.5.5[500] to 172.16.5.20[500] (92 bytes)
Nov 14 21:35:40 charon 13[NET] <con1000|25> received packet: from 172.16.5.20[500] to 172.16.5.5[500] (92 bytes)
Nov 14 21:35:40 charon 13[ENC] <con1000|25> parsed INFORMATIONAL_V1 request 593879169 [ HASH N(DPD) ]
Nov 14 21:35:40 charon 13[ENC] <con1000|25> generating INFORMATIONAL_V1 request 4184589574 [ HASH N(DPD_ACK) ]
Nov 14 21:35:40 charon 13[NET] <con1000|25> sending packet: from 172.16.5.5[500] to 172.16.5.20[500] (92 bytes)
Nov 14 21:35:49 charon 13[NET] <con1000|25> received packet: from 172.16.5.20[500] to 172.16.5.5[500] (92 bytes)
Nov 14 21:35:49 charon 13[ENC] <con1000|25> parsed INFORMATIONAL_V1 request 891356160 [ HASH N(DPD) ]
Nov 14 21:35:49 charon 13[ENC] <con1000|25> generating INFORMATIONAL_V1 request 922756253 [ HASH N(DPD_ACK) ]
Nov 14 21:35:49 charon 13[NET] <con1000|25> sending packet: from 172.16.5.5[500] to 172.16.5.20[500] (92 bytes)
Nov 14 21:35:59 charon 10[NET] <con1000|25> received packet: from 172.16.5.20[500] to 172.16.5.5[500] (92 bytes)
Nov 14 21:35:59 charon 10[ENC] <con1000|25> parsed INFORMATIONAL_V1 request 1675134373 [ HASH N(DPD) ]
Nov 14 21:35:59 charon 10[ENC] <con1000|25> generating INFORMATIONAL_V1 request 280815738 [ HASH N(DPD_ACK) ]
Nov 14 21:35:59 charon 10[NET] <con1000|25> sending packet: from 172.16.5.5[500] to 172.16.5.20[500] (92 bytes)
Nov 14 21:36:05 charon 08[CFG] rereading secrets
Nov 14 21:36:05 charon 08[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Nov 14 21:36:05 charon 08[CFG] loaded IKE secret for %any 172.16.5.20
Nov 14 21:36:05 charon 08[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Nov 14 21:36:05 charon 08[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Nov 14 21:36:05 charon 08[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Nov 14 21:36:05 charon 08[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Nov 14 21:36:05 charon 08[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
Nov 14 21:36:05 charon 07[CFG] received stroke: unroute 'bypasslan'
Nov 14 21:36:05 ipsec_starter 23741 shunt policy 'bypasslan' uninstalled
Nov 14 21:36:05 charon 10[CFG] received stroke: delete connection 'bypasslan'
Nov 14 21:36:05 charon 10[CFG] deleted connection 'bypasslan'
Nov 14 21:36:05 charon 07[CFG] received stroke: unroute 'con1000'
Nov 14 21:36:05 ipsec_starter 23741 configuration 'con1000' unrouted
Nov 14 21:36:05 charon 10[CFG] received stroke: delete connection 'con1000'
Nov 14 21:36:05 charon 10[CFG] deleted connection 'con1000'
Nov 14 21:36:05 charon 04[CFG] received stroke: add connection 'bypasslan'
Nov 14 21:36:05 charon 04[CFG] added configuration 'bypasslan'
Nov 14 21:36:05 charon 10[CFG] received stroke: route 'bypasslan'
Nov 14 21:36:05 ipsec_starter 23741 'bypasslan' shunt PASS policy installed
Nov 14 21:36:05 charon 04[CFG] received stroke: add connection 'con1000'
Nov 14 21:36:05 charon 04[CFG] added configuration 'con1000'
Nov 14 21:36:05 charon 10[CFG] received stroke: route 'con1000'
Nov 14 21:36:05 ipsec_starter 23741 'con1000' routed
Nov 14 21:36:09 charon 10[NET] <con1000|25> received packet: from 172.16.5.20[500] to 172.16.5.5[500] (92 bytes)
Nov 14 21:36:09 charon 10[ENC] <con1000|25> parsed INFORMATIONAL_V1 request 3532946353 [ HASH N(DPD) ]
Nov 14 21:36:09 charon 10[ENC] <con1000|25> generating INFORMATIONAL_V1 request 453231053 [ HASH N(DPD_ACK) ]
Nov 14 21:36:09 charon 10[NET] <con1000|25> sending packet: from 172.16.5.5[500] to 172.16.5.20[500] (92 bytes)
Nov 14 21:36:18 charon 10[NET] <con1000|25> received packet: from 172.16.5.20[500] to 172.16.5.5[500] (92 bytes)
Nov 14 21:36:18 charon 10[ENC] <con1000|25> parsed INFORMATIONAL_V1 request 1660378267 [ HASH N(DPD) ]
Nov 14 21:36:18 charon 10[ENC] <con1000|25> generating INFORMATIONAL_V1 request 2731222186 [ HASH N(DPD_ACK) ]
Nov 14 21:36:18 charon 10[NET] <con1000|25> sending packet: from 172.16.5.5[500] to 172.16.5.20[500] (92 bytes)
Nov 14 21:36:28 charon 15[NET] <con1000|25> received packet: from 172.16.5.20[500] to 172.16.5.5[500] (92 bytes)
Nov 14 21:36:28 charon 15[ENC] <con1000|25> parsed INFORMATIONAL_V1 request 3531350043 [ HASH N(DPD) ]
Nov 14 21:36:28 charon 15[ENC] <con1000|25> generating INFORMATIONAL_V1 request 1091241482 [ HASH N(DPD_ACK) ]
Nov 14 21:36:28 charon 15[NET] <con1000|25> sending packet: from 172.16.5.5[500] to 172.16.5.20[500] (92 bytes)
Cisco log:
*Mar 9 06:07:19.143: ISAKMP (2038): received packet from 172.16.5.5 dport 500 sport 500 Global (R) QM_IDLE
*Mar 9 06:07:19.143: ISAKMP: set new node 1619982291 to QM_IDLE
*Mar 9 06:07:19.147: ISAKMP:(2038): processing HASH payload. message ID = 1619982291
*Mar 9 06:07:19.147: ISAKMP:(2038): processing SA payload. message ID = 1619982291
*Mar 9 06:07:19.147: ISAKMP:(2038):Checking IPSec proposal 0
*Mar 9 06:07:19.147: ISAKMP: transform 1, ESP_AES
*Mar 9 06:07:19.147: ISAKMP: attributes in transform:
*Mar 9 06:07:19.147: ISAKMP: key length is 256
*Mar 9 06:07:19.147: ISAKMP: authenticator is HMAC-SHA
*Mar 9 06:07:19.147: ISAKMP: group is 2
*Mar 9 06:07:19.147: ISAKMP: encaps is 1 (Tunnel)
*Mar 9 06:07:19.147: ISAKMP: SA life type in seconds
*Mar 9 06:07:19.147: ISAKMP: SA life duration (basic) of 3600
*Mar 9 06:07:19.147: ISAKMP:(2038):atts are acceptable.
*Mar 9 06:07:19.147: ISAKMP:(2038):Checking IPSec proposal 0
*Mar 9 06:07:19.147: ISAKMP: transform 2, ESP_AES
*Mar 9 06:07:19.147: ISAKMP: attributes in transform:
*Mar 9 06:07:19.147: ISAKMP: key length is 192
*Mar 9 06:07:19.147: ISAKMP: authenticator is HMAC-SHA
*Mar 9 06:07:19.147: ISAKMP: group is 2
*Mar 9 06:07:19.147: ISAKMP: encaps is 1 (Tunnel)
*Mar 9 06:07:19.147: ISAKMP: SA life type in seconds
*Mar 9 06:07:19.147: ISAKMP: SA life duration (basic) of 3600
*Mar 9 06:07:19.147: ISAKMP:(2038):atts are acceptable.
*Mar 9 06:07:19.147: ISAKMP:(2038):Checking IPSec proposal 0
*Mar 9 06:07:19.147: ISAKMP: transform 3, ESP_AES
*Mar 9 06:07:19.147: ISAKMP: attributes in transform:
*Mar 9 06:07:19.147: ISAKMP: key length is 128
*Mar 9 06:07:19.151: ISAKMP: authenticator is HMAC-SHA
*Mar 9 06:07:19.151: ISAKMP: group is 2
*Mar 9 06:07:19.151: ISAKMP: encaps is 1 (Tunnel)
*Mar 9 06:07:19.151: ISAKMP: SA life type in seconds
*Mar 9 06:07:19.151: ISAKMP: SA life duration (basic) of 3600
*Mar 9 06:07:19.151: ISAKMP:(2038):atts are acceptable.
*Mar 9 06:07:19.151: IPSEC(validate_proposal_request): proposal part #1
*Mar 9 06:07:19.151: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 172.16.5.20:0, remote= 172.16.5.5:0, local_proxy= 172.16.152.0/255.255.255.0/0/0 (type=4), remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4), protocol= ESP, transform= NONE (Tunnel), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Mar 9 06:07:19.151: Crypto mapdb : proxy_match src addr : 172.16.152.0 dst addr : 172.16.0.0 protocol : 0 src port : 0 dst port : 0
*Mar 9 06:07:19.151: Crypto mapdb : proxy_match src addr : 172.16.152.0 dst addr : 172.16.0.0 protocol : 0 src port : 0 dst port : 0
*Mar 9 06:07:19.151: Crypto mapdb : proxy_match src addr : 172.16.152.0 dst addr : 172.16.0.0 protocol : 0 src port : 0 dst port : 0
*Mar 9 06:07:19.151: map_db_find_best did not find matching map
*Mar 9 06:07:19.151: IPSEC(ipsec_process_proposal): proxy identities not supported
*Mar 9 06:07:19.151: ISAKMP:(2038): IPSec policy invalidated proposal with error 32
*Mar 9 06:07:19.151: IPSEC(validate_proposal_request): proposal part #1
*Mar 9 06:07:19.151: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 172.16.5.20:0, remote= 172.16.5.5:0, local_proxy= 172.16.152.0/255.255.255.0/0/0 (type=4), remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4), protocol= ESP, transform= NONE (Tunnel), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 192, flags= 0x0
*Mar 9 06:07:19.151: Crypto mapdb : proxy_match src addr : 172.16.152.0 dst addr : 172.16.0.0 protocol : 0 src port : 0 dst port : 0
*Mar 9 06:07:19.155: Crypto mapdb : proxy_match src addr : 172.16.152.0 dst addr : 172.16.0.0 protocol : 0 src port : 0 dst port : 0
*Mar 9 06:07:19.155: Crypto mapdb : proxy_match src addr : 172.16.152.0 dst addr : 172.16.0.0 protocol : 0 src port : 0 dst port : 0
*Mar 9 06:07:19.155: map_db_find_best did not find matching map
*Mar 9 06:07:19.155: IPSEC(ipsec_process_proposal): proxy identities not supported
*Mar 9 06:07:19.155: ISAKMP:(2038): IPSec policy invalidated proposal with error 32
*Mar 9 06:07:19.155: IPSEC(validate_proposal_request): proposal part #1
*Mar 9 06:07:19.155: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 172.16.5.20:0, remote= 172.16.5.5:0, local_proxy= 172.16.152.0/255.255.255.0/0/0 (type=4), remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4), protocol= ESP, transform= NONE (Tunnel), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Mar 9 06:07:19.155: Crypto mapdb : proxy_match src addr : 172.16.152.0 dst addr : 172.16.0.0 protocol : 0 src port : 0 dst port : 0
*Mar 9 06:07:19.155: Crypto mapdb : proxy_match src addr : 172.16.152.0 dst addr : 172.16.0.0 protocol : 0 src port : 0 dst port : 0
*Mar 9 06:07:19.155: Crypto mapdb : proxy_match src addr : 172.16.152.0 dst addr : 172.16.0.0 protocol : 0 src port : 0 dst port : 0
*Mar 9 06:07:19.155: map_db_find_best did not find matching map
*Mar 9 06:07:19.155: IPSEC(ipsec_process_proposal): proxy identities not supported
*Mar 9 06:07:19.155: ISAKMP:(2038): IPSec policy invalidated proposal with error 32
*Mar 9 06:07:19.155: ISAKMP:(2038): phase 2 SA policy not acceptable! (local 172.16.5.20 remote 172.16.5.5)
*Mar 9 06:07:19.155: ISAKMP: set new node -1165010971 to QM_IDLE
*Mar 9 06:07:19.155: ISAKMP:(2038):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 2231737992, message ID = 3129956325
*Mar 9 06:07:19.159: ISAKMP:(2038): sending packet to 172.16.5.5 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 9 06:07:19.159: ISAKMP:(2038):Sending an IKE IPv4 Packet.
*Mar 9 06:07:19.159: ISAKMP:(2038):purging node -1165010971
*Mar 9 06:07:19.159: ISAKMP:(2038):deleting node 1619982291 error TRUE reason "QM rejected"
*Mar 9 06:07:19.159: ISAKMP:(2038):Node 1619982291, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 9 06:07:19.159: ISAKMP:(2038):Old State = IKE_QM_READY New State = IKE_QM_READY
*Mar 9 06:07:23.904: ISAKMP:(2037):purging node 967766711
*Mar 9 06:07:29.097: ISAKMP: set new node -1481425629 to QM_IDLE
*Mar 9 06:07:29.097: ISAKMP:(2038):Sending NOTIFY DPD/R_U_THERE protocol 1 spi 2231739072, message ID = 2813541667
*Mar 9 06:07:29.097: ISAKMP:(2038): seq. no 0x4BDC3AFD
*Mar 9 06:07:29.097: ISAKMP:(2038): sending packet to 172.16.5.5 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 9 06:07:29.097: ISAKMP:(2038):Sending an IKE IPv4 Packet.
*Mar 9 06:07:29.097: ISAKMP:(2038):purging node -1481425629
*Mar 9 06:07:29.097: ISAKMP:(2038):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
*Mar 9 06:07:29.097: ISAKMP:(2038):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 9 06:07:29.141: ISAKMP (2038): received packet from 172.16.5.5 dport 500 sport 500 Global (R) QM_IDLE
*Mar 9 06:07:29.141: ISAKMP: set new node -1588339280 to QM_IDLE
*Mar 9 06:07:29.141: ISAKMP:(2038): processing HASH payload. message ID = 2706628016
*Mar 9 06:07:29.141: ISAKMP:(2038): processing NOTIFY DPD/R_U_THERE protocol 1 spi 0, message ID = 2706628016, sa = 0x85D0E0A0
*Mar 9 06:07:29.141: ISAKMP:(2038):deleting node -1588339280 error FALSE reason "Informational (in) state 1"
*Mar 9 06:07:29.141: ISAKMP:(2038):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 9 06:07:29.141: ISAKMP:(2038):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 9 06:07:29.145: ISAKMP:(2038):DPD/R_U_THERE received from peer 172.16.5.5, sequence 0x18869FBA
*Mar 9 06:07:29.145: ISAKMP: set new node 444822346 to QM_IDLE
*Mar 9 06:07:29.145: ISAKMP:(2038):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 2231739112, message ID = 444822346
*Mar 9 06:07:29.145: ISAKMP:(2038): seq. no 0x18869FBA
*Mar 9 06:07:29.145: ISAKMP:(2038): sending packet to 172.16.5.5 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 9 06:07:29.145: ISAKMP:(2038):Sending an IKE IPv4 Packet.
*Mar 9 06:07:29.145: ISAKMP:(2038):purging node 444822346
*Mar 9 06:07:29.149: ISAKMP:(2038):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Mar 9 06:07:29.149: ISAKMP:(2038):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 9 06:07:29.149: ISAKMP (2038): received packet from 172.16.5.5 dport 500 sport 500 Global (R) QM_IDLE
*Mar 9 06:07:29.149: ISAKMP: set new node 1538694707 to QM_IDLE
*Mar 9 06:07:29.149: ISAKMP:(2038): processing HASH payload. message ID = 1538694707
*Mar 9 06:07:29.149: ISAKMP:(2038): processing NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 0, message ID = 1538694707, sa = 0x85D0E0A0
*Mar 9 06:07:29.149: ISAKMP:(2038): DPD/R_U_THERE_ACK received from peer 172.16.5.5, sequence 0x4BDC3AFD
*Mar 9 06:07:29.153: ISAKMP:(2038):deleting node 1538694707 error FALSE reason "Informational (in) state 1"
*Mar 9 06:07:29.153: ISAKMP:(2038):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 9 06:07:29.153: ISAKMP:(2038):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 9 06:07:33.718: ISAKMP:(2037):purging node 1956731654
*Mar 9 06:07:33.910: ISAKMP:(2037):purging node -745430556
*Mar 9 06:07:38.707: ISAKMP: set new node -808081788 to QM_IDLE
*Mar 9 06:07:38.707: ISAKMP:(2038):Sending NOTIFY DPD/R_U_THERE protocol 1 spi 2231739072, message ID = 3486885508
*Mar 9 06:07:38.707: ISAKMP:(2038): seq. no 0x4BDC3AFE
*Mar 9 06:07:38.707: ISAKMP:(2038): sending packet to 172.16.5.5 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 9 06:07:38.707: ISAKMP:(2038):Sending an IKE IPv4 Packet.
*Mar 9 06:07:38.707: ISAKMP:(2038):purging node -808081788
*Mar 9 06:07:38.707: ISAKMP:(2038):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
*Mar 9 06:07:38.707: ISAKMP:(2038):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 9 06:07:38.759: ISAKMP (2038): received packet from 172.16.5.5 dport 500 sport 500 Global (R) QM_IDLE
*Mar 9 06:07:38.759: ISAKMP: set new node -1772668104 to QM_IDLE
*Mar 9 06:07:38.759: ISAKMP:(2038): processing HASH payload. message ID = 2522299192
*Mar 9 06:07:38.759: ISAKMP:(2038): processing NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 0, message ID = 2522299192, sa = 0x85D0E0A0
*Mar 9 06:07:38.759: ISAKMP:(2038): DPD/R_U_THERE_ACK received from peer 172.16.5.5, sequence 0x4BDC3AFE
*Mar 9 06:07:38.759: ISAKMP:(2038):deleting node -1772668104 error FALSE reason "Informational (in) state 1"
*Mar 9 06:07:38.759: ISAKMP:(2038):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 9 06:07:38.759: ISAKMP:(2038):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 9 06:07:43.724: ISAKMP:(2037):purging node -537527947
*Mar 9 06:07:43.848: ISAKMP:(2037):purging node 408573435
*Mar 9 06:07:48.429: ISAKMP: set new node 593879169 to QM_IDLE
*Mar 9 06:07:48.429: ISAKMP:(2038):Sending NOTIFY DPD/R_U_THERE protocol 1 spi 2231739072, message ID = 593879169
-
Oh, it works!!!!
I adjusted this ACL:
access-list 100 permit ip 172.16.0.0 0.0.255.255 172.16.152.0 0.0.0.255
access-list 100 permit ip 172.16.152.0 0.0.0.255 172.16.0.0 0.0.255.255
Now I can reach 172.16.152.1 from the pf box, but cannot see the pf LAN from the Cisco.
New Cisco log:
Mar 9 07:06:07.622: ISAKMP (2051): received packet from 172.16.5.5 dport 500 sport 500 Global (R) QM_IDLE
*Mar 9 07:06:07.622: ISAKMP: set new node -1294467565 to QM_IDLE
*Mar 9 07:06:07.622: ISAKMP:(2051): processing HASH payload. message ID = 3000499731
*Mar 9 07:06:07.622: ISAKMP:(2051): processing DELETE payload. message ID = 3000499731
*Mar 9 07:06:07.626: ISAKMP:(2051):peer does not do paranoid keepalives.
*Mar 9 07:06:07.626: ISAKMP:(2051):deleting node -1294467565 error FALSE reason "Informational (in) state 1"
*Mar 9 07:06:07.626: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Mar 9 07:06:07.626: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Mar 9 07:06:07.626: IPSEC(key_engine_delete_sas): delete SA with spi 0xC50D9769 proto 50 for 172.16.5.5
*Mar 9 07:06:07.626: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 172.16.5.20, sa_proto= 50, sa_spi= 0x1EF2C2A8(519226024), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3 sa_lifetime(k/sec)= (4417323/3600), (identity) local= 172.16.5.20:0, remote= 172.16.5.5:0, local_proxy= 172.16.152.0/255.255.255.0/0/0 (type=4), remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4)
*Mar 9 07:06:07.626: IPSEC(update_current_outbound_sa): updated peer 172.16.5.5 current outbound sa to SPI 0
*Mar 9 07:06:07.626: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 172.16.5.5, sa_proto= 50, sa_spi= 0xC50D9769(3306002281), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4 sa_lifetime(k/sec)= (4417323/3600), (identity) local= 172.16.5.20:0, remote= 172.16.5.5:0, local_proxy= 172.16.152.0/255.255.255.0/0/0 (type=4), remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4)
*Mar 9 07:06:07.630: ISAKMP (2051): received packet from 172.16.5.5 dport 500 sport 500 Global (R) QM_IDLE
*Mar 9 07:06:07.630: ISAKMP: set new node 123795513 to QM_IDLE
*Mar 9 07:06:07.630: ISAKMP:(2051): processing HASH payload. message ID = 123795513
*Mar 9 07:06:07.630: ISAKMP:(2051): processing DELETE payload. message ID = 123795513
*Mar 9 07:06:07.630: ISAKMP:(2051):peer does not do paranoid keepalives.
*Mar 9 07:06:07.630: ISAKMP:(2051):deleting SA reason "No reason" state (R) QM_IDLE (peer 172.16.5.5)
*Mar 9 07:06:07.630: ISAKMP:(2051):deleting node 123795513 error FALSE reason "Informational (in) state 1"
*Mar 9 07:06:07.634: ISAKMP: set new node -1701654990 to QM_IDLE
*Mar 9 07:06:07.634: ISAKMP:(2051): sending packet to 172.16.5.5 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 9 07:06:07.634: ISAKMP:(2051):Sending an IKE IPv4 Packet.
*Mar 9 07:06:07.634: ISAKMP:(2051):purging node -1701654990
*Mar 9 07:06:07.634: ISAKMP:(2051):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 9 07:06:07.634: ISAKMP:(2051):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Mar 9 07:06:07.634: ISAKMP:(2051):deleting SA reason "No reason" state (R) QM_IDLE (peer 172.16.5.5)
*Mar 9 07:06:07.634: ISAKMP: Unlocking peer struct 0x859C9ED8 for isadb_mark_sa_deleted(), count 0
*Mar 9 07:06:07.638: ISAKMP: Deleting peer node by peer_reap for 172.16.5.5: 859C9ED8
*Mar 9 07:06:07.638: ISAKMP:(2051):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 9 07:06:07.638: ISAKMP:(2051):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Mar 9 07:06:07.638: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Mar 9 07:06:08.827: ISAKMP (0): received packet from 172.16.5.5 dport 500 sport 500 Global (N) NEW SA
*Mar 9 07:06:08.827: ISAKMP: Created a peer struct for 172.16.5.5, peer port 500
*Mar 9 07:06:08.827: ISAKMP: New peer created peer = 0x859C9ED8 peer_handle = 0x800000C8
*Mar 9 07:06:08.831: ISAKMP: Locking peer struct 0x859C9ED8, refcount 1 for crypto_isakmp_process_block
*Mar 9 07:06:08.831: ISAKMP: local port 500, remote port 500
*Mar 9 07:06:08.831: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 85D3B234
*Mar 9 07:06:08.831: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 9 07:06:08.831: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Mar 9 07:06:08.831: ISAKMP:(0): processing SA payload. message ID = 0
*Mar 9 07:06:08.831: ISAKMP:(0): processing vendor id payload
*Mar 9 07:06:08.831: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Mar 9 07:06:08.831: ISAKMP:(0): vendor ID is XAUTH
*Mar 9 07:06:08.831: ISAKMP:(0): processing vendor id payload
*Mar 9 07:06:08.831: ISAKMP:(0): vendor ID is DPD
*Mar 9 07:06:08.831: ISAKMP:(0): processing vendor id payload
*Mar 9 07:06:08.831: ISAKMP:(0): processing IKE frag vendor id payload
*Mar 9 07:06:08.831: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar 9 07:06:08.835: ISAKMP:(0): processing vendor id payload
*Mar 9 07:06:08.835: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Mar 9 07:06:08.835: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Mar 9 07:06:08.835: ISAKMP:(0): processing vendor id payload
*Mar 9 07:06:08.835: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 9 07:06:08.835: ISAKMP:(0): vendor ID is NAT-T v2
*Mar 9 07:06:08.835: ISAKMP:(0):found peer pre-shared key matching 172.16.5.5
*Mar 9 07:06:08.835: ISAKMP:(0): local preshared key found
*Mar 9 07:06:08.835: ISAKMP : Scanning profiles for xauth ...
*Mar 9 07:06:08.835: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Mar 9 07:06:08.835: ISAKMP: encryption 3DES-CBC
*Mar 9 07:06:08.835: ISAKMP: hash SHA
*Mar 9 07:06:08.835: ISAKMP: default group 2
*Mar 9 07:06:08.835: ISAKMP: auth pre-share
*Mar 9 07:06:08.835: ISAKMP: life type in seconds
*Mar 9 07:06:08.835: ISAKMP: life duration (basic) of 28800
*Mar 9 07:06:08.835: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar 9 07:06:08.835: ISAKMP:(0):Acceptable atts:actual life: 4000
*Mar 9 07:06:08.835: ISAKMP:(0):Acceptable atts:life: 0
*Mar 9 07:06:08.835: ISAKMP:(0):Basic life_in_seconds:28800
*Mar 9 07:06:08.835: ISAKMP:(0):Returning Actual lifetime: 4000
*Mar 9 07:06:08.835: ISAKMP:(0)::Started lifetime timer: 4000.
*Mar 9 07:06:08.835: ISAKMP:(0): processing vendor id payload
*Mar 9 07:06:08.835: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Mar 9 07:06:08.839: ISAKMP:(0): vendor ID is XAUTH
*Mar 9 07:06:08.839: ISAKMP:(0): processing vendor id payload
*Mar 9 07:06:08.839: ISAKMP:(0): vendor ID is DPD
*Mar 9 07:06:08.839: ISAKMP:(0): processing vendor id payload
*Mar 9 07:06:08.839: ISAKMP:(0): processing IKE frag vendor id payload
*Mar 9 07:06:08.839: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar 9 07:06:08.839: ISAKMP:(0): processing vendor id payload
*Mar 9 07:06:08.839: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Mar 9 07:06:08.839: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Mar 9 07:06:08.839: ISAKMP:(0): processing vendor id payload
*Mar 9 07:06:08.839: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 9 07:06:08.839: ISAKMP:(0): vendor ID is NAT-T v2
*Mar 9 07:06:08.839: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 9 07:06:08.839: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Mar 9 07:06:08.843: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar 9 07:06:08.843: ISAKMP:(0): sending packet to 172.16.5.5 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar 9 07:06:08.843: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 9 07:06:08.843: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 9 07:06:08.843: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Mar 9 07:06:08.899: ISAKMP (0): received packet from 172.16.5.5 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar 9 07:06:08.899: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 9 07:06:08.899: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Mar 9 07:06:08.899: ISAKMP:(0): processing KE payload. message ID = 0
*Mar 9 07:06:08.943: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar 9 07:06:08.943: ISAKMP:(0):found peer pre-shared key matching 172.16.5.5
*Mar 9 07:06:08.947: ISAKMP:received payload type 20
*Mar 9 07:06:08.947: ISAKMP (2052): His hash no match - this node outside NAT
*Mar 9 07:06:08.947: ISAKMP:received payload type 20
*Mar 9 07:06:08.947: ISAKMP (2052): No NAT Found for self or peer
*Mar 9 07:06:08.947: ISAKMP:(2052):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 9 07:06:08.947: ISAKMP:(2052):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Mar 9 07:06:08.947: ISAKMP:(2052): sending packet to 172.16.5.5 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar 9 07:06:08.947: ISAKMP:(2052):Sending an IKE IPv4 Packet.
*Mar 9 07:06:08.947: ISAKMP:(2052):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 9 07:06:08.947: ISAKMP:(2052):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Mar 9 07:06:09.011: ISAKMP (2052): received packet from 172.16.5.5 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Mar 9 07:06:09.011: ISAKMP:(2052):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 9 07:06:09.011: ISAKMP:(2052):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Mar 9 07:06:09.015: ISAKMP:(2052): processing ID payload. message ID = 0
*Mar 9 07:06:09.015: ISAKMP (2052): ID payload next-payload : 8 type : 1 address : 172.16.5.5 protocol : 0 port : 0 length : 12
*Mar 9 07:06:09.015: ISAKMP:(0):: peer matches *none* of the profiles
*Mar 9 07:06:09.015: ISAKMP:(2052): processing HASH payload. message ID = 0
*Mar 9 07:06:09.015: ISAKMP:(2052): processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 0, sa = 0x85D3B234
*Mar 9 07:06:09.015: ISAKMP:(2052):SA authentication status: authenticated
*Mar 9 07:06:09.015: ISAKMP:(2052):SA has been authenticated with 172.16.5.5
*Mar 9 07:06:09.015: ISAKMP:(2052):SA authentication status: authenticated
*Mar 9 07:06:09.015: ISAKMP:(2052): Process initial contact, bring down existing phase 1 and 2 SA's with local 172.16.5.20 remote 172.16.5.5 remote port 500
*Mar 9 07:06:09.015: ISAKMP: Trying to insert a peer 172.16.5.20/172.16.5.5/500/, and inserted successfully 859C9ED8.
*Mar 9 07:06:09.015: ISAKMP:(2052):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 9 07:06:09.015: ISAKMP:(2052):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Mar 9 07:06:09.019: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Mar 9 07:06:09.019: ISAKMP:(2052):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 9 07:06:09.019: ISAKMP (2052): ID payload next-payload : 8 type : 1 address : 172.16.5.20 protocol : 17 port : 500 length : 12
*Mar 9 07:06:09.019: ISAKMP:(2052):Total payload length: 12
*Mar 9 07:06:09.019: ISAKMP:(2052): sending packet to 172.16.5.5 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar 9 07:06:09.019: ISAKMP:(2052):Sending an IKE IPv4 Packet.
*Mar 9 07:06:09.019: ISAKMP:(2052):Returning Actual lifetime: 4000
*Mar 9 07:06:09.019: ISAKMP: set new node 37561868 to QM_IDLE
*Mar 9 07:06:09.023: ISAKMP:(2052):Sending NOTIFY RESPONDER_LIFETIME protocol 1 spi 2231739112, message ID = 37561868
*Mar 9 07:06:09.023: ISAKMP:(2052): sending packet to 172.16.5.5 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar 9 07:06:09.023: ISAKMP:(2052):Sending an IKE IPv4 Packet.
*Mar 9 07:06:09.023: ISAKMP:(2052):purging node 37561868 *Mar 9 07:06:09.023: ISAKMP: Sending phase 1 responder lifetime 4000 *Mar 9 07:06:09.023: ISAKMP:(2052):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Mar 9 07:06:09.023: ISAKMP:(2052):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE *Mar 9 07:06:09.023: ISAKMP:(2052):IKE_DPD is enabled, initializing timers *Mar 9 07:06:09.023: ISAKMP:(2052):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE *Mar 9 07:06:09.023: ISAKMP:(2052):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE *Mar 9 07:06:09.075: ISAKMP (2052): received packet from 172.16.5.5 dport 500 sport 500 Global (R) QM_IDLE *Mar 9 07:06:09.075: ISAKMP: set new node -933143284 to QM_IDLE *Mar 9 07:06:09.079: ISAKMP:(2052): processing HASH payload. message ID = 3361824012 *Mar 9 07:06:09.079: ISAKMP:(2052): processing SA payload. message ID = 3361824012 *Mar 9 07:06:09.079: ISAKMP:(2052):Checking IPSec proposal 0 *Mar 9 07:06:09.079: ISAKMP: transform 1, ESP_3DES *Mar 9 07:06:09.079: ISAKMP: attributes in transform: *Mar 9 07:06:09.079: ISAKMP: authenticator is HMAC-SHA *Mar 9 07:06:09.079: ISAKMP: group is 2 *Mar 9 07:06:09.079: ISAKMP: encaps is 1 (Tunnel) *Mar 9 07:06:09.079: ISAKMP: SA life type in seconds *Mar 9 07:06:09.079: ISAKMP: SA life duration (basic) of 3600 *Mar 9 07:06:09.079: ISAKMP:(2052):atts are acceptable. *Mar 9 07:06:09.079: IPSEC(validate_proposal_request): proposal part #1 *Mar 9 07:06:09.079: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 172.16.5.20:0, remote= 172.16.5.5:0, local_proxy= 172.16.152.0/255.255.255.0/0/0 (type=4), remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4), protocol= ESP, transform= NONE (Tunnel), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0 *Mar 9 07:06:09.079: Crypto mapdb : proxy_match src addr : 172.16.152.0 dst addr : 172.16.0.0 protocol : 0 src port : 0 dst port : 0 *Mar 9 07:06:09.083: ISAKMP:(2052): processing NONCE payload. 
message ID = 3361824012 *Mar 9 07:06:09.083: ISAKMP:(2052): processing KE payload. message ID = 3361824012 *Mar 9 07:06:09.127: ISAKMP:(2052): processing ID payload. message ID = 3361824012 *Mar 9 07:06:09.127: ISAKMP:(2052): processing ID payload. message ID = 3361824012 *Mar 9 07:06:09.127: ISAKMP:(2052):QM Responder gets spi *Mar 9 07:06:09.127: ISAKMP:(2052):Node 3361824012, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH *Mar 9 07:06:09.127: ISAKMP:(2052):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE *Mar 9 07:06:09.131: ISAKMP:(2052): Creating IPSec SAs *Mar 9 07:06:09.131: inbound SA from 172.16.5.5 to 172.16.5.20 (f/i) 0/ 0 (proxy 172.16.0.0 to 172.16.152.0) *Mar 9 07:06:09.131: has spi 0x23247432 and conn_id 0 *Mar 9 07:06:09.131: lifetime of 3600 seconds *Mar 9 07:06:09.131: outbound SA from 172.16.5.20 to 172.16.5.5 (f/i) 0/0 (proxy 172.16.152.0 to 172.16.0.0) *Mar 9 07:06:09.131: has spi 0xC7771621 and conn_id 0 *Mar 9 07:06:09.131: lifetime of 3600 seconds *Mar 9 07:06:09.131: ISAKMP:(2052): sending packet to 172.16.5.5 my_port 500 peer_port 500 (R) QM_IDLE *Mar 9 07:06:09.131: ISAKMP:(2052):Sending an IKE IPv4 Packet. 
*Mar 9 07:06:09.131: ISAKMP:(2052):Node 3361824012, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI *Mar 9 07:06:09.131: ISAKMP:(2052):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2 *Mar 9 07:06:09.135: IPSEC(key_engine): got a queue event with 1 KMI message(s) *Mar 9 07:06:09.135: Crypto mapdb : proxy_match src addr : 172.16.152.0 dst addr : 172.16.0.0 protocol : 0 src port : 0 dst port : 0 *Mar 9 07:06:09.135: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 172.16.5.5 *Mar 9 07:06:09.135: IPSEC(policy_db_add_ident): src 172.16.152.0, dest 172.16.0.0, dest_port 0 *Mar 9 07:06:09.135: IPSEC(create_sa): sa created, (sa) sa_dest= 172.16.5.20, sa_proto= 50, sa_spi= 0x23247432(589591602), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 5 sa_lifetime(k/sec)= (4410759/3600) *Mar 9 07:06:09.135: IPSEC(create_sa): sa created, (sa) sa_dest= 172.16.5.5, sa_proto= 50, sa_spi= 0xC7771621(3346470433), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 6 sa_lifetime(k/sec)= (4410759/3600) *Mar 9 07:06:09.195: ISAKMP (2052): received packet from 172.16.5.5 dport 500 sport 500 Global (R) QM_IDLE *Mar 9 07:06:09.195: ISAKMP:(2052):deleting node -933143284 error FALSE reason "QM done (await)" *Mar 9 07:06:09.195: ISAKMP:(2052):Node 3361824012, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH *Mar 9 07:06:09.195: ISAKMP:(2052):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE *Mar 9 07:06:09.195: IPSEC(key_engine): got a queue event with 1 KMI message(s) *Mar 9 07:06:09.195: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP *Mar 9 07:06:09.195: IPSEC(key_engine_enable_outbound): enable SA with spi 3346470433/50 *Mar 9 07:06:09.195: IPSEC(update_current_outbound_sa): get enable SA peer 172.16.5.5 current outbound sa to SPI C7771621 *Mar 9 07:06:09.195: IPSEC(update_current_outbound_sa): updated peer 172.16.5.5 current outbound sa to SPI C7771621 *Mar 9 07:06:10.439: ISAKMP:(2050):purging node -181097793 *Mar 9 07:06:19.025: ISAKMP: set new 
node 757893848 to QM_IDLE *Mar 9 07:06:19.025: ISAKMP:(2052):Sending NOTIFY DPD/R_U_THERE protocol 1 spi 2231739072, message ID = 757893848 *Mar 9 07:06:19.025: ISAKMP:(2052): seq. no 0x407B4CC7 *Mar 9 07:06:19.025: ISAKMP:(2052): sending packet to 172.16.5.5 my_port 500 peer_port 500 (R) QM_IDLE *Mar 9 07:06:19.025: ISAKMP:(2052):Sending an IKE IPv4 Packet. *Mar 9 07:06:19.025: ISAKMP:(2052):purging node 757893848 *Mar 9 07:06:19.025: ISAKMP:(2052):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE *Mar 9 07:06:19.025: ISAKMP:(2052):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE *Mar 9 07:06:19.073: ISAKMP (2052): received packet from 172.16.5.5 dport 500 sport 500 Global (R) QM_IDLE *Mar 9 07:06:19.073: ISAKMP: set new node -884230151 to QM_IDLE *Mar 9 07:06:19.077: ISAKMP:(2052): processing HASH payload. message ID = 3410737145 *Mar 9 07:06:19.077: ISAKMP:(2052): processing NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 0, message ID = 3410737145, sa = 0x85D3B234 *Mar 9 07:06:19.077: ISAKMP:(2052): DPD/R_U_THERE_ACK received from peer 172.16.5.5, sequence 0x407B4CC7 *Mar 9 07:06:19.077: ISAKMP:(2052):deleting node -884230151 error FALSE reason "Informational (in) state 1" *Mar 9 07:06:19.077: ISAKMP:(2052):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY *Mar 9 07:06:19.077: ISAKMP:(2052):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE *Mar 9 07:06:20.085: ISAKMP:(2050):purging node -1138592519 *Mar 9 07:06:28.999: ISAKMP: set new node -672023835 to QM_IDLE *Mar 9 07:06:28.999: ISAKMP:(2052):Sending NOTIFY DPD/R_U_THERE protocol 1 spi 2231739072, message ID = 3622943461 *Mar 9 07:06:28.999: ISAKMP:(2052): seq. no 0x407B4CC8 *Mar 9 07:06:28.999: ISAKMP:(2052): sending packet to 172.16.5.5 my_port 500 peer_port 500 (R) QM_IDLE *Mar 9 07:06:28.999: ISAKMP:(2052):Sending an IKE IPv4 Packet. 
*Mar 9 07:06:28.999: ISAKMP:(2052):purging node -672023835 *Mar 9 07:06:28.999: ISAKMP:(2052):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE *Mar 9 07:06:28.999: ISAKMP:(2052):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE *Mar 9 07:06:29.051: ISAKMP (2052): received packet from 172.16.5.5 dport 500 sport 500 Global (R) QM_IDLE *Mar 9 07:06:29.051: ISAKMP: set new node 1050033724 to QM_IDLE *Mar 9 07:06:29.051: ISAKMP:(2052): processing HASH payload. message ID = 1050033724 *Mar 9 07:06:29.051: ISAKMP:(2052): processing NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 0, message ID = 1050033724, sa = 0x85D3B234 *Mar 9 07:06:29.051: ISAKMP:(2052): DPD/R_U_THERE_ACK received from peer 172.16.5.5, sequence 0x407B4CC8 *Mar 9 07:06:29.051: ISAKMP:(2052):deleting node 1050033724 error FALSE reason "Informational (in) state 1" *Mar 9 07:06:29.051: ISAKMP:(2052):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY *Mar 9 07:06:29.051: ISAKMP:(2052):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
It seems that I still have an error in my Cisco log.
-
Did you add the proper Firewall > Rules to the IPsec tab?
-
Yes.
-
What does Status > IPsec show with the Phase 2 expanded?
-
-
It works like a charm. That last problem was related to my routing on the main router (pf).
TNX Derelict, that was a great help for me. Another easy question:
Is it possible to have multiple tunnels with more than one Cisco at the same time?! Like OpenVPN... -
Sure. Just do the same thing with a Phase 1 to the other endpoint and a Phase 2 under that.
We have seen systems with hundreds of tunnels.
-
Ok,
TNX again, -
Hi again!
I have a little question about the above configuration!
I calculated the MTU over the IPsec tunnel and enabled 'Enable MSS clamping on VPN traffic' with a value of 1486! Over the IPsec tunnel, clients can see both LANs without any problem.
But GRE or L2TP/IPsec connections seem to have an MTU problem. My clients on the remote LAN use a Windows L2TP/IPsec connection to connect to another VLAN on the main site over the Cisco-pf IPsec tunnel.
But they cannot access some services like HTTPS or big objects like images over HTTP. It seems like an MTU problem!?
BTW, my IPsec tunnel on the Cisco side runs over a PPPoE connection. I set 'ip mtu' and 'ip tcp adjust-mss' on the PPPoE interface!
Any help?!
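The post above stacks three encapsulations (PPPoE, the site-to-site ESP tunnel, and the Windows client's own L2TP/IPsec), so the usable MTU shrinks at each layer and a clamp chosen for the outer tunnel alone is too large for the L2TP clients. The script below is an added worked example, not code from the original thread: it walks the byte budget down the chain so the clamp values can be derived rather than guessed. ESP framing follows RFC 4303 (8-byte SPI/sequence header, cipher IV, padding to the block size, 2-byte trailer, 12-byte HMAC-SHA1-96 ICV); the 3DES/SHA1 tunnel-mode transform and the absence of NAT-T come from the Cisco debug output earlier in the thread. The PPPoE MTU of 1492, the Windows client's AES-128/SHA1 transform, and the 8-byte L2TP and 4-byte PPP headers are assumptions, each settable in one place. pfSense's "MSS clamping on VPN traffic" field takes an MTU and subtracts 40 to derive the MSS, so the site-to-site inner MTU is the number that belongs in that box. One caveat a practitioner should keep in mind: both the Cisco `ip tcp adjust-mss` on the Dialer and pfSense's VPN clamp only rewrite TCP SYNs they can see in cleartext; SYNs that are already inside the client's ESP when they pass those devices must be clamped where they are in the clear (at the L2TP server, or by lowering the client's interface MTU).

```python
# Added worked example (not from the original thread): MTU/MSS budget for the nested
# tunnel described above, so the clamp value can be derived instead of guessed.
#
# Encapsulation chain for the remote Windows client:
#   PPPoE link (MTU 1492, assumed)
#     -> site-to-site ESP, tunnel mode, 3DES/SHA1, no NAT-T  (per the Cisco output above)
#        -> Windows L2TP/IPsec: ESP transport mode + UDP/1701 + L2TP + PPP  (cipher assumed)
#           -> client IP/TCP packet
#
# ESP framing follows RFC 4303; the L2TP and PPP header sizes and the client's
# AES-128/SHA1 transform are assumptions and can be changed in one place.
from dataclasses import dataclass

IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
NAT_T_UDP = 8        # extra UDP/4500 header when NAT traversal is in use
L2TP_HDR = 8         # assumption: RFC 2661 data header with Length field, no sequence numbers
PPP_HDR = 4          # assumption: address/control + 2-byte protocol, no ACFC/PFC


@dataclass(frozen=True)
class EspParams:
    iv_len: int           # 8 for 3DES-CBC, 16 for AES-CBC
    block: int            # cipher block size; plaintext + trailer is padded to a multiple of it
    icv_len: int          # 12 for HMAC-SHA1-96, 16 for HMAC-SHA256-128
    nat_t: bool = False   # UDP-encapsulated ESP (port 4500)


SITE_TO_SITE = EspParams(iv_len=8, block=8, icv_len=12)                   # esp-3des esp-sha-hmac
L2TP_CLIENT = EspParams(iv_len=16, block=16, icv_len=12)                  # assumed AES-128/SHA1
L2TP_CLIENT_NAT = EspParams(iv_len=16, block=16, icv_len=12, nat_t=True)  # same, client behind NAT


def esp_fixed_overhead(p: EspParams) -> int:
    """Bytes around the encrypted region: IP header, optional UDP/4500, ESP header, IV, ICV."""
    return IPV4_HDR + (NAT_T_UDP if p.nat_t else 0) + ESP_HDR + p.iv_len + p.icv_len


def esp_outer_size(plaintext_len: int, p: EspParams) -> int:
    """On-wire size of an ESP packet carrying plaintext_len bytes (the whole inner IP packet
    in tunnel mode; the transport-layer data in transport mode)."""
    enc = plaintext_len + ESP_TRAILER
    enc += (-enc) % p.block              # RFC 4303 padding up to the cipher block size
    return esp_fixed_overhead(p) + enc


def esp_max_plaintext(link_mtu: int, p: EspParams) -> int:
    """Largest plaintext whose ESP packet still fits link_mtu without fragmentation."""
    room = link_mtu - esp_fixed_overhead(p)
    room -= room % p.block               # encrypted region must be block-aligned
    return room - ESP_TRAILER


def tunnel_inner_mtu(link_mtu: int, p: EspParams) -> int:
    """Tunnel-mode ESP: the plaintext is the entire inner IP packet."""
    return esp_max_plaintext(link_mtu, p)


def l2tp_ipsec_client_mtu(path_mtu: int, p: EspParams) -> int:
    """Transport-mode ESP around UDP/1701 + L2TP + PPP: what remains for the client's IP packet."""
    return esp_max_plaintext(path_mtu, p) - UDP_HDR - L2TP_HDR - PPP_HDR


def tcp_mss(ip_mtu: int) -> int:
    """MSS for a given IP MTU (IPv4 and TCP headers without options)."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def budget(pppoe_mtu: int = 1492) -> dict:
    """Walk the chain from the PPPoE link down to the L2TP client's usable MTU."""
    s2s_mtu = tunnel_inner_mtu(pppoe_mtu, SITE_TO_SITE)
    return {
        # value for pfSense's VPN MSS-clamping field, which takes an MTU (MSS = value - 40)
        "site_to_site_inner_mtu": s2s_mtu,
        "site_to_site_tcp_mss": tcp_mss(s2s_mtu),
        "l2tp_client_mtu": l2tp_ipsec_client_mtu(s2s_mtu, L2TP_CLIENT),
        "l2tp_client_mtu_nat_t": l2tp_ipsec_client_mtu(s2s_mtu, L2TP_CLIENT_NAT),
    }


if __name__ == "__main__":
    for name, value in budget().items():
        print(f"{name:26s} {value}")
    # Does a 1486-byte inner packet still fit the 1492-byte PPPoE link once ESP-encapsulated?
    print("outer size of a 1486-byte inner packet:", esp_outer_size(1486, SITE_TO_SITE))
```

With the assumptions above, the site-to-site tunnel leaves 1438 bytes for the inner IP packet on a 1492-byte PPPoE link, and the L2TP/IPsec client nested inside it is left with roughly 1354 bytes (1338 if its own IPsec runs over NAT-T). `esp_outer_size` is the check to run against any candidate clamp: if the returned on-wire size exceeds the link MTU, large HTTP(S) responses will be fragmented or dropped exactly as described in the post.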