Simplified Networking
FlexVPN - IOS to ASA w/ Crypto Map with Asymmetric PSK

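In this lab example we'll use IKEv2 as the Phase 1 mechanism, authenticated with asymmetric pre-shared keys: each peer signs with its own local key and verifies the other side with a separate remote key, so CSR1's local key has to match the ASA's remote-authentication key and vice versa. Dynamic PAT is also set up, so the VPN traffic must be exempted from NAT: deny entries in the NAT ACL on CSR1 and a Manual Twice NAT rule on the ASA. The proposals use 3DES, SHA-1, MD5 and DH group 5, which are all legacy algorithms; the configuration structure is the same with stronger transforms.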



CSR1
crypto ikev2 proposal IKEV2_IOS_ASA_PROPOSAL 
 encryption 3des
 integrity sha1
 group 5
!
crypto ikev2 policy IKEV2_IOS_ASA_POLICY 
 proposal IKEV2_IOS_ASA_PROPOSAL
!
crypto ikev2 keyring IKEV2_IOS_ASA_KEYRING
 peer ASA2
  address 102.0.0.2
  pre-shared-key local ciscorouter
  pre-shared-key remote ciscoasa
 !        
crypto ikev2 profile IKEV2_IOS_ASA_PROFILE
 match identity remote address 102.0.0.2 255.255.255.255 
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEV2_IOS_ASA_KEYRING
!
crypto ipsec transform-set IKEV2_IOS_ASA_TSET esp-3des esp-md5-hmac 
 mode tunnel
!
ip access-list extended IKEV2_IOS_ASA_VPN
 permit ip 10.1.0.0 0.0.255.255 10.1.4.0 0.0.0.255
!
crypto map IKEV2 20 ipsec-isakmp 
 set peer 102.0.0.2
 set transform-set IKEV2_IOS_ASA_TSET 
 set ikev2-profile IKEV2_IOS_ASA_PROFILE
 match address IKEV2_IOS_ASA_VPN
!
interface GigabitEthernet1
 ip nat outside
!
interface GigabitEthernet2
 ip nat inside
!
ip access-list extended NAT
 deny   ip 10.1.0.0 0.0.255.255 10.1.4.0 0.0.0.255
 deny   ip 10.1.0.0 0.0.255.255 10.18.0.0 0.0.255.255
 deny   ip 10.1.0.0 0.0.255.255 10.19.0.0 0.0.255.255
 deny   ip 10.1.0.0 0.0.255.255 10.20.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.255.255 any
!
ip nat inside source list NAT interface GigabitEthernet1 overload
!
interface GigabitEthernet1
 crypto map IKEV2



ASA2
crypto ikev2 policy 10
 encryption 3des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
!
tunnel-group 101.0.0.10 type ipsec-l2l
tunnel-group 101.0.0.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key ciscorouter
 ikev2 local-authentication pre-shared-key ciscoasa
!
crypto ipsec ikev2 ipsec-proposal IKEV2_3DES_MD5
 protocol esp encryption 3des
 protocol esp integrity md5
!
! Objects are defined first so the ACL and NAT rule that reference them are accepted
object network INSIDE_NETWORK
 subnet 10.1.4.0 255.255.255.0
!
object network HQ_NETWORK
 subnet 10.1.0.0 255.255.0.0
!
access-list IKEV2_R4_TO_HQ_VPN extended permit ip object INSIDE_NETWORK object HQ_NETWORK
!
crypto map CMAP 10 match address IKEV2_R4_TO_HQ_VPN
crypto map CMAP 10 set peer 101.0.0.10 
crypto map CMAP 10 set ikev2 ipsec-proposal IKEV2_3DES_MD5
crypto map CMAP interface outside
!
crypto ikev2 enable outside
nat (inside,outside) source static INSIDE_NETWORK INSIDE_NETWORK destination static HQ_NETWORK HQ_NETWORK no-proxy-arp route-lookup
!
object network INSIDE_NETWORK
 nat (inside,outside) dynamic interface
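
The asymmetric keys in the two configs above only work if they are mirrored. The following is an added example, not part of the original lab: it pulls the PSK lines from both configs, checks the mirror, and runs the RFC 7296 section 2.15 PSK AUTH computation in each direction with HMAC-SHA1 as the PRF (matching `prf sha`). The function names are hypothetical and the signed octets are constructed stand-ins for the real message bytes.

```python
import hashlib
import hmac
import re

# Constructed excerpts: only the PSK-related lines of the CSR1 and ASA2 configs.
CSR1_CONFIG = """\
crypto ikev2 keyring IKEV2_IOS_ASA_KEYRING
 peer ASA2
  address 102.0.0.2
  pre-shared-key local ciscorouter
  pre-shared-key remote ciscoasa
"""
ASA2_CONFIG = """\
tunnel-group 101.0.0.10 type ipsec-l2l
tunnel-group 101.0.0.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key ciscorouter
 ikev2 local-authentication pre-shared-key ciscoasa
"""

KEY_PAD = b"Key Pad for IKEv2"  # fixed string from RFC 7296 section 2.15


def ios_psks(config):
    """Return {'local': key, 'remote': key} from an IOS IKEv2 keyring peer block."""
    return dict(re.findall(r"^\s*pre-shared-key (local|remote) (\S+)", config, re.M))


def asa_psks(config):
    """Return {'local': key, 'remote': key} from ASA tunnel-group ipsec-attributes."""
    pattern = r"^\s*ikev2 (local|remote)-authentication pre-shared-key (\S+)"
    return dict(re.findall(pattern, config, re.M))


def check_mirror(ios, asa):
    """List mismatches; an empty list means each local key is the peer's remote key."""
    problems = []
    if ios.get("local") != asa.get("remote"):
        problems.append("CSR1 local key != ASA2 remote-authentication key")
    if ios.get("remote") != asa.get("local"):
        problems.append("CSR1 remote key != ASA2 local-authentication key")
    return problems


def psk_auth(psk, signed_octets):
    """AUTH = prf(prf(PSK, "Key Pad for IKEv2"), SignedOctets) with prf = HMAC-SHA1."""
    inner = hmac.new(psk.encode(), KEY_PAD, hashlib.sha1).digest()
    return hmac.new(inner, signed_octets, hashlib.sha1).digest()


def verify_auth(expected_psk, signed_octets, received_auth):
    """Recompute AUTH with the key configured for the peer and compare in constant time."""
    return hmac.compare_digest(psk_auth(expected_psk, signed_octets), received_auth)


def simulate(ios, asa):
    """Run both AUTH checks of one IKE_AUTH exchange with ASA2 as the initiator."""
    # Constructed placeholders. On the wire each side signs its own IKE_SA_INIT
    # message, the peer's nonce and a MAC of its ID payload.
    init_octets = b"constructed-initiator-signed-octets"
    resp_octets = b"constructed-responder-signed-octets"
    auth_i = psk_auth(asa["local"], init_octets)  # ASA2 signs with its local key
    auth_r = psk_auth(ios["local"], resp_octets)  # CSR1 signs with its local key
    return {
        "auth_len": len(auth_i),
        "csr1_accepts_asa2": verify_auth(ios["remote"], init_octets, auth_i),
        "asa2_accepts_csr1": verify_auth(asa["remote"], resp_octets, auth_r),
    }


if __name__ == "__main__":
    ios, asa = ios_psks(CSR1_CONFIG), asa_psks(ASA2_CONFIG)
    print("mirror problems:", check_mirror(ios, asa))
    print("as configured:  ", simulate(ios, asa))
    # Failure mode: local and remote keys entered the wrong way round on the ASA.
    swapped = {"local": asa["remote"], "remote": asa["local"]}
    print("mirror problems:", check_mirror(ios, swapped))
    print("ASA2 swapped:   ", simulate(ios, swapped))
```

The 20-byte AUTH value and the key lengths (8 for `ciscoasa`, 11 for `ciscorouter`) are the same figures reported in the "Auth data" and "key len" lines of the debug output.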

CSR1 debug output (IKEv2 responder)
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) VID 

IKEv2:(SESSION ID = 25,SA ID = 1):Verify SA init message
IKEv2:(SESSION ID = 25,SA ID = 1):Insert SA
IKEv2:Searching Policy with fvrf 0, local address 101.0.0.10
IKEv2:Found Policy 'IKEV2_POLICY'
IKEv2:(SESSION ID = 25,SA ID = 1):Processing IKE_SA_INIT message
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
IKEv2:Failed to retrieve Certificate Issuer list
IKEv2:(SESSION ID = 25,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
IKEv2:(SESSION ID = 25,SA ID = 1):Request queued for computation of DH key
IKEv2:(SESSION ID = 25,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
IKEv2:(SESSION ID = 25,SA ID = 1):Request queued for computation of DH secret
IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
IKEv2:(SESSION ID = 25,SA ID = 1):Generating IKE_SA_INIT message
IKEv2:(SESSION ID = 25,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), 
Num. transforms: 4
   3DES   SHA1   SHA96   DH_GROUP_1536_MODP/Group 5
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
IKEv2:Failed to retrieve Certificate Issuer list 

IKEv2:(SESSION ID = 25,SA ID = 1):Sending Packet [To 102.0.0.2:500/From 101.0.0.10:500/VRF i0:f0] 
Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE 
Payload contents: 
 SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

IKEv2:(SESSION ID = 25,SA ID = 1):Completed SA init exchange
IKEv2:(SESSION ID = 25,SA ID = 1):Starting timer (30 sec) to wait for auth message 

IKEv2:(SESSION ID = 25,SA ID = 1):Received Packet [From 102.0.0.2:500/To 101.0.0.10:500/VRF i0:f0] 
Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) 

IKEv2:(SESSION ID = 25,SA ID = 1):Stopping timer to wait for auth message
IKEv2:(SESSION ID = 25,SA ID = 1):Checking NAT discovery
IKEv2:(SESSION ID = 25,SA ID = 1):NAT not found
IKEv2:(SESSION ID = 25,SA ID = 1):Searching policy based on peer's identity '102.0.0.2' of type 'IPv4 address'
IKEv2:found matching IKEv2 profile 'IKEV2_IOS_ASA_PROFILE'
IKEv2:% Getting preshared key from profile keyring IKEV2_IOS_ASA_KEYRING
IKEv2:% Matched peer block 'ASA2'
IKEv2:Searching Policy with fvrf 0, local address 101.0.0.10
IKEv2:Found Policy 'IKEV2_POLICY'
IKEv2:(SESSION ID = 25,SA ID = 1):Verify peer's policy
IKEv2:(SESSION ID = 25,SA ID = 1):Peer's policy verified
IKEv2:(SESSION ID = 25,SA ID = 1):Get peer's authentication method
IKEv2:(SESSION ID = 25,SA ID = 1):Peer's authentication method is 'PSK'
IKEv2:(SESSION ID = 25,SA ID = 1):Get peer's preshared key for 102.0.0.2
IKEv2:(SESSION ID = 25,SA ID = 1):Verify peer's authentication data
IKEv2:(SESSION ID = 25,SA ID = 1):Use preshared key for id 102.0.0.2, key len 8
IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
IKEv2:(SESSION ID = 25,SA ID = 1):Verification of peer's authenctication data PASSED
IKEv2:(SESSION ID = 25,SA ID = 1):Processing INITIAL_CONTACT
IKEv2:(SESSION ID = 25,SA ID = 1):Processing IKE_AUTH message
IKEv2:IPSec policy validate request sent for profile IKEV2_IOS_ASA_PROFILE with psh index 1.

IKEv2:(SESSION ID = 25,SA ID = 1):
IKEv2:(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.

IKEv2:(SESSION ID = 25,SA ID = 1):Get my authentication method
IKEv2:(SESSION ID = 25,SA ID = 1):My authentication method is 'PSK'
IKEv2:(SESSION ID = 25,SA ID = 1):Get peer's preshared key for 102.0.0.2
IKEv2:(SESSION ID = 25,SA ID = 1):Generate my authentication data
IKEv2:(SESSION ID = 25,SA ID = 1):Use preshared key for id 101.0.0.10, key len 11
IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
IKEv2:(SESSION ID = 25,SA ID = 1):Get my authentication method
IKEv2:(SESSION ID = 25,SA ID = 1):My authentication method is 'PSK'
IKEv2:(SESSION ID = 25,SA ID = 1):Generating IKE_AUTH message
IKEv2:(SESSION ID = 25,SA ID = 1):Constructing IDr payload: '101.0.0.10' of type 'IPv4 address'
IKEv2:(SESSION ID = 25,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), 
Num. transforms: 3
   3DES   MD596   Don't use ESN
IKEv2:(SESSION ID = 25,SA ID = 1):Building packet for encryption.  
Payload contents: 
 VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) 

IKEv2:(SESSION ID = 25,SA ID = 1):Sending Packet [To 102.0.0.2:500/From 101.0.0.10:500/VRF i0:f0] 
Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 ENCR 

IKEv2:(SESSION ID = 25,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
IKEv2:(SESSION ID = 25,SA ID = 1):Session with IKE ID PAIR (102.0.0.2, 101.0.0.10) is UP
IKEv2:IKEv2 MIB tunnel started, tunnel index 1
IKEv2:(SESSION ID = 25,SA ID = 1):Load IPSEC key material
IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
IKEv2:(SESSION ID = 25,SA ID = 1):Checking for duplicate IKEv2 SA
IKEv2:(SESSION ID = 25,SA ID = 1):No duplicate IKEv2 SA found
IKEv2:(SESSION ID = 25,SA ID = 1):Starting timer (8 sec) to delete negotiation context 

IKEv2:(SESSION ID = 25,SA ID = 1):Received Packet [From 102.0.0.2:500/To 101.0.0.10:500/VRF i0:f0] 
Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST 
Payload contents: 
 

IKEv2:(SESSION ID = 25,SA ID = 1):Received DPD/liveness query
IKEv2:(SESSION ID = 25,SA ID = 1):Building packet for encryption. 
IKEv2:(SESSION ID = 25,SA ID = 1):Sending ACK to informational exchange 

IKEv2:(SESSION ID = 25,SA ID = 1):Sending Packet [To 102.0.0.2:500/From 101.0.0.10:500/VRF i0:f0] 
Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 2
IKEv2 INFORMATIONAL Exchange RESPONSE 
Payload contents: 
 ENCR 

ASA2 debug output (IKEv2 initiator)
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.1.4.4, sport=28539, daddr=10.1.14.14, dport=5888
IPSEC(crypto_map_check)-3: Checking crypto map CMAP 10: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.1.4.4, sport=28539, daddr=10.1.14.14, dport=5888
IPSEC(crypto_map_check)-3: Checking crypto map CMAP 10: matched.
IPSEC: New embryonic SA created @ 0x00007fdbd658f100, 
    SCB: 0xD6580690, 
    Direction: inbound
    SPI      : 0x94E1FD90
    Session ID: 0x00041000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-7: (78): Setting configured policies
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-4: (78): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
IKEv2-PROTO-4: (78): Request queued for computation of DH key
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-4: (78): Generating IKE_SA_INIT message
IKEv2-PROTO-4: (78): IKE Proposal: 1, SPI size: 0 (initial negotiation), 
Num. transforms: 4
(78):    3DES(78):    SHA1(78):    SHA96(78):    DH_GROUP_1536_MODP/Group 5IKEv2-PROTO-7: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-7: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-7: Construct Notify Payload: IKEV2_FRAGMENTATION_SUPPORTEDIKEv2-PROTO-7: Construct Vendor Specific Payload: FRAGMENTATION(78):  
IKEv2-PROTO-4: (78): Sending Packet [To 101.0.0.10:500/From 102.0.0.2:500/VRF i0:f0] 
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 0000000000000000 Message id: 0
(78): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (78): Next payload: SA, version: 2.0 (78): Exchange type: IKE_SA_INIT, flags: INITIATOR (78): Message id: 0, length: 506(78):  
Payload contents: 
(78):  SA(78):   Next payload: KE, reserved: 0x0, length: 44
(78):   last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(78):     last transform: 0x3, reserved: 0x0: length: 8
    type: 1, reserved: 0x0, id: 3DES
(78):     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
(78):     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
(78):     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(78):  KE(78):   Next payload: N, reserved: 0x0, length: 200
(78):     DH group: 5, Reserved: 0x0
(78):  N(78):   Next payload: VID, reserved: 0x0, length: 68
(78): 
(78):      3c ad a9 e8 6b 3d 0c 80 3b c9 a5 57 9c 0c ed af
(78):      59 ae a3 8a 60 8c 74 51 49 7e ad 37 c3 c7 a5 c7
(78):      58 10 b6 d7 a3 78 60 7e e3 93 bc 5e 4a 7b 0d 05
(78):      55 b2 51 cd b4 4d 57 eb 4f 1f 54 ed 34 80 f5 16
(78):  VID(78):   Next payload: VID, reserved: 0x0, length: 23
(78): 
(78):      43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(78):      53 4f 4e
(78):  VID(78):   Next payload: NOTIFY, reserved: 0x0, length: 59
(78): 
(78):      43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(78):      26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(78):      30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(78):      73 2c 20 49 6e 63 2e
(78):  NOTIFY(NAT_DETECTION_SOURCE_IP)(78):   Next payload: NOTIFY, reserved: 0x0, length: 28
(78):     Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(78): 
(78):      42 27 22 80 e8 20 29 d8 3e 0f 43 e9 62 57 27 d9
(78):      8a 0d 71 51
(78):  NOTIFY(NAT_DETECTION_DESTINATION_IP)(78):   Next payload: NOTIFY, reserved: 0x0, length: 28
(78):     Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(78): 
(78):      e1 06 67 fe f6 bc 58 e4 a8 a4 51 1d 84 4e 08 83
(78):      2f 60 09 d3
(78):  NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(78):   Next payload: VID, reserved: 0x0, length: 8
(78):     Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(78):  VID(78):   Next payload: NONE, reserved: 0x0, length: 20
(78): 
(78):      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(78):  
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-4: (78): Insert SA
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
(78):  
IKEv2-PROTO-4: (78): Received Packet [From 101.0.0.10:500/To 102.0.0.2:500/VRF i0:f0] 
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 0
(78): IKEv2 IKE_SA_INIT Exchange RESPONSEIKEv2-PROTO-5: (78): Next payload: SA, version: 2.0 (78): Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE (78): Message id: 0, length: 486(78):  
Payload contents: 
(78):  SA(78):   Next payload: KE, reserved: 0x0, length: 44
(78):   last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(78):     last transform: 0x3, reserved: 0x0: length: 8
    type: 1, reserved: 0x0, id: 3DES
(78):     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
(78):     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
(78):     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(78):  KE(78):   Next payload: N, reserved: 0x0, length: 200
(78):     DH group: 5, Reserved: 0x0
(78):  N(78):   Next payload: VID, reserved: 0x0, length: 36
(78): 
(78):      3b 8c 47 69 6a 61 12 d7 52 5c ba da 3a 5d ad b7
(78):      d1 40 d3 84 a1 a5 95 f9 43 11 0a de 49 0d d2 85
IKEv2-PROTO-7: Parse Vendor Specific Payload: CISCO-DELETE-REASON(78):  VID(78):   Next payload: VID, reserved: 0x0, length: 23
(78): 
(78):      43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(78):      53 4f 4e
IKEv2-PROTO-7: Parse Vendor Specific Payload: (CUSTOM)(78):  VID(78):   Next payload: VID, reserved: 0x0, length: 19
(78): 
(78):      43 49 53 43 4f 56 50 4e 2d 52 45 56 2d 30 31
IKEv2-PROTO-7: Parse Vendor Specific Payload: (CUSTOM)(78):  VID(78):   Next payload: VID, reserved: 0x0, length: 59
(78): 
(78):      43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(78):      26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(78):      30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(78):      73 2c 20 49 6e 63 2e
IKEv2-PROTO-7: Parse Vendor Specific Payload: (CUSTOM)(78):  VID(78):   Next payload: NOTIFY, reserved: 0x0, length: 21
(78): 
(78):      46 4c 45 58 56 50 4e 2d 53 55 50 50 4f 52 54 45
(78):      44
IKEv2-PROTO-7: Parse Notify Payload: NAT_DETECTION_SOURCE_IP(78):  NOTIFY(NAT_DETECTION_SOURCE_IP)(78):   Next payload: NOTIFY, reserved: 0x0, length: 28
(78):     Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(78): 
(78):      cb 6f 14 24 81 4a 6e 6e ab 02 5a 83 27 f1 ae da
(78):      8f b2 64 45
IKEv2-PROTO-7: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP(78):  NOTIFY(NAT_DETECTION_DESTINATION_IP)(78):   Next payload: NONE, reserved: 0x0, length: 28
(78):     Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(78): 
(78):      b3 4f b9 d9 8c bc a6 ed bb 28 1a f3 93 88 1d b7
(78):      b6 78 75 c5
(78):  
(78): Decrypted packet:(78): Data: 486 bytes
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-7: (78): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (78): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-4: (78): Verify SA init message
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-4: (78): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-7: (78): Process NAT discovery notify
IKEv2-PROTO-7: (78): Processing nat detect src notify
IKEv2-PROTO-7: (78): Remote address matched
IKEv2-PROTO-7: (78): Processing nat detect dst notify
IKEv2-PROTO-7: (78): Local address matched
IKEv2-PROTO-7: (78): No NAT found
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-4: (78): Checking NAT discovery
IKEv2-PROTO-4: (78): NAT not found
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-4: (78): [IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
IKEv2-PROTO-4: (78): Request queued for computation of DH secret
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-7: (78): Generate skeyid
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-7: (78): Cisco DeleteReason Notify is enabled
IKEv2-PROTO-4: (78): Completed SA init exchange
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-4: (78): Check for EAP exchange
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-4: (78): Generate my authentication data
IKEv2-PROTO-4: (78): Use preshared key for id 102.0.0.2, key len 8
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-4: (78): Get my authentication method
IKEv2-PROTO-4: (78): My authentication method is 'PSK'
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-4: (78): Check for EAP exchange
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-4: (78): Generating IKE_AUTH message
IKEv2-PROTO-7: Construct Vendor Specific Payload: CISCO-GRANITEIKEv2-PROTO-4: (78): Constructing IDi payload: '102.0.0.2' of type 'IPv4 address'
IKEv2-PROTO-4: (78): ESP Proposal: 1, SPI size: 4 (IPSec negotiation), 
Num. transforms: 3
(78):    3DES(78):    MD596(78):    Don't use ESNIKEv2-PROTO-7: Construct Notify Payload: INITIAL_CONTACTIKEv2-PROTO-7: Construct Notify Payload: ESP_TFC_NO_SUPPORTIKEv2-PROTO-7: Construct Notify Payload: NON_FIRST_FRAGSIKEv2-PROTO-4: (78): Building packet for encryption. 
(78):  
Payload contents: 
(78):  VID(78):   Next payload: IDi, reserved: 0x0, length: 20
(78): 
(78):      fb 44 8f b8 4f 5c 10 0b ed b9 28 39 92 03 a4 c5
(78):  IDi(78):   Next payload: AUTH, reserved: 0x0, length: 12
(78):     Id type: IPv4 address, Reserved: 0x0 0x0
(78): 
(78):      66 00 00 02
(78):  AUTH(78):   Next payload: SA, reserved: 0x0, length: 28
(78):     Auth method PSK, reserved: 0x0, reserved 0x0
(78): Auth data: 20 bytes
(78):  SA(78):   Next payload: TSi, reserved: 0x0, length: 40
(78):   last proposal: 0x0, reserved: 0x0, length: 36
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3(78):     last transform: 0x3, reserved: 0x0: length: 8
    type: 1, reserved: 0x0, id: 3DES
(78):     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: MD596
(78):     last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id: Don't use ESN
(78):  TSi(78):   Next payload: TSr, reserved: 0x0, length: 40
(78):     Num of TSs: 2, reserved 0x0, reserved 0x0
(78):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(78):     start port: 0, end port: 65535
(78):     start addr: 10.1.4.4, end addr: 10.1.4.4
(78):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(78):     start port: 0, end port: 65535
(78):     start addr: 10.1.4.0, end addr: 10.1.4.255
(78):  TSr(78):   Next payload: NOTIFY, reserved: 0x0, length: 40
(78):     Num of TSs: 2, reserved 0x0, reserved 0x0
(78):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(78):     start port: 0, end port: 65535
(78):     start addr: 10.1.14.14, end addr: 10.1.14.14
(78):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(78):     start port: 0, end port: 65535
(78):     start addr: 10.1.0.0, end addr: 10.1.255.255
(78):  NOTIFY(INITIAL_CONTACT)(78):   Next payload: NOTIFY, reserved: 0x0, length: 8
(78):     Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
(78):  NOTIFY(ESP_TFC_NO_SUPPORT)(78):   Next payload: NOTIFY, reserved: 0x0, length: 8
(78):     Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
(78):  NOTIFY(NON_FIRST_FRAGS)(78):   Next payload: NONE, reserved: 0x0, length: 8
(78):     Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_ENCRYPT_MSG
IKEv2-PROTO-4: (78): 
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_TRYSEND
(78):  
IKEv2-PROTO-4: (78): Sending Packet [To 101.0.0.10:500/From 102.0.0.2:500/VRF i0:f0] 
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 1
(78): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-5: (78): Next payload: ENCR, version: 2.0 (78): Exchange type: IKE_AUTH, flags: INITIATOR (78): Message id: 1, length: 260(78):  
Payload contents: 
(78):  ENCR(78):   Next payload: VID, reserved: 0x0, length: 232
(78): Encrypted data: 228 bytes
(78):  
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_CHK_EAP_POST_ASYNC
IKEv2-PROTO-4: (78): Check for EAP exchange
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
(78):  
IKEv2-PROTO-4: (78): Received Packet [From 101.0.0.10:500/To 102.0.0.2:500/VRF i0:f0] 
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 1
(78): IKEv2 IKE_AUTH Exchange RESPONSEIKEv2-PROTO-5: (78): Next payload: ENCR, version: 2.0 (78): Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE (78): Message id: 1, length: 236(78):  
Payload contents: 
IKEv2-PROTO-4: decrypt queued(78):  
(78): Decrypted packet:(78): Data: 236 bytes
IKEv2-PROTO-4: 
(78): REAL Decrypted packet:(78): Data: 176 bytes
IKEv2-PROTO-7: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: IDr, reserved: 0x0, length: 20

     84 5c 49 84 cf a7 f5 f2 ed b9 28 39 92 03 a4 c5
 IDr  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0

     65 00 00 0a
 AUTH  Next payload: SA, reserved: 0x0, length: 28
    Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 20 bytes
 SA  Next payload: TSi, reserved: 0x0, length: 40
  last proposal: 0x0, reserved: 0x0, length: 36
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3    last transform: 0x3, reserved: 0x0: length: 8
    type: 1, reserved: 0x0, id: 3DES
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: MD596
    last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id: Don't use ESN
 TSi  Next payload: TSr, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 10.1.4.0, end addr: 10.1.4.255
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 10.1.0.0, end addr: 10.1.255.255
IKEv2-PROTO-7: Parse Notify Payload: SET_WINDOW_SIZE NOTIFY(SET_WINDOW_SIZE)  Next payload: NOTIFY, reserved: 0x0, length: 12
    Security protocol id: Unknown - 0, spi size: 0, type: SET_WINDOW_SIZE

     00 00 00 05
IKEv2-PROTO-7: Parse Notify Payload: ESP_TFC_NO_SUPPORT NOTIFY(ESP_TFC_NO_SUPPORT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: ESP_TFC_NO_SUPPORT
IKEv2-PROTO-7: Parse Notify Payload: NON_FIRST_FRAGS NOTIFY(NON_FIRST_FRAGS)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: NON_FIRST_FRAGS
 
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (78): Process auth response notify
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-4: (78): Searching policy based on peer's identity '101.0.0.10' of type 'IPv4 address'
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-4: (78): Verify peer's policy
IKEv2-PROTO-4: (78): Peer's policy verified
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-4: (78): Get peer's authentication method
IKEv2-PROTO-4: (78): Peer's authentication method is 'PSK'
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-4: (78): Get peer's preshared key for 101.0.0.10
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-4: (78): Verify peer's authentication data
IKEv2-PROTO-4: (78): Use preshared key for id 101.0.0.10, key len 11
IKEv2-PROTO-4: (78): Verification of peer's authenctication data PASSED
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-4: (78): Check for EAP exchange
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_NOTIFY_AUTH_DONE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_IC
IKEv2-PROTO-4: (78): Processing INITIAL_CONTACT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_SA_TS
IKEv2-PROTO-4: (78): Processing IKE_AUTH message
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-4: (78): IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
IKEv2-PROTO-4: (78): Session with IKE ID PAIR (101.0.0.10, 102.0.0.2) is UP
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PROTO-4: (78): 
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PROTO-4: (78): Initializing DPD, configured for 10 seconds
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_GEN_LOAD_IPSEC
IKEv2-PROTO-4: (78): Load IPSEC key material
IKEv2-PROTO-4: (78): 
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IPSEC: New embryonic SA created @ 0x00007fdbd6590900, 
    SCB: 0xD658B7E0, 
    Direction: outbound
    SPI      : 0x60EB9451
    Session ID: 0x00041000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
Rule Lookup for local 10.1.4.0 to remote 10.1.0.0
PROXY MATCH on crypto map CMAP seq 10
IPSEC DEBUG: Using NP outbound permit rule for SPI 0x60EB9451
IPSEC: Completed host OBSA update, SPI 0x60EB9451
IPSEC: Creating outbound VPN context, SPI 0x60EB9451
    Flags: 0x00000005
    SA   : 0x00007fdbd6590900
    SPI  : 0x60EB9451
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x02E7EFD9
    Channel: 0x00007fdbed89e100
IPSEC: Completed outbound VPN context, SPI 0x60EB9451
    VPN handle: 0x0000000000012414
IPSEC: New outbound encrypt rule, SPI 0x60EB9451
    Src addr: 10.1.4.0
    Src mask: 255.255.255.0
    Dst addr: 10.1.0.0
    Dst mask: 255.255.0.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0x60EB9451
    Rule ID: 0x00007fdbd658bad0
IPSEC: New outbound permit rule, SPI 0x60EB9451
    Src addr: 102.0.0.2
    Src mask: 255.255.255.255
    Dst addr: 101.0.0.10
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x60EB9451
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0x60EB9451
    Rule ID: 0x00007fdbd658bbe0
IPSEC: New embryonic SA created @ 0x00007fdbd658f100, 
    SCB: 0xD6580690, 
    Direction: inbound
    SPI      : 0x94E1FD90
    Session ID: 0x00041000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
Rule Lookup for local 10.1.4.0 to remote 10.1.0.0
PROXY MATCH on crypto map CMAP seq 10
IPSEC DEBUG: Using NP inbound permit rule for SPI 0x94E1FD90
IPSEC: Completed host IBSA update, SPI 0x94E1FD90
IPSEC: Creating inbound VPN context, SPI 0x94E1FD90
    Flags: 0x00000006
    SA   : 0x00007fdbd658f100
    SPI  : 0x94E1FD90
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x00012414
    SCB  : 0x02E6C2DD
    Channel: 0x00007fdbed89e100
IPSEC: Completed inbound VPN context, SPI 0x94E1FD90
    VPN handle: 0x000000000001556c
IPSEC: Updating outbound VPN context 0x00012414, SPI 0x60EB9451
    Flags: 0x00000005
    SA   : 0x00007fdbd6590900
    SPI  : 0x60EB9451
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x0001556C
    SCB  : 0x02E7EFD9
    Channel: 0x00007fdbed89e100
IPSEC: Completed outbound VPN context, SPI 0x60EB9451
    VPN handle: 0x0000000000012414
IPSEC: Completed outbound inner rule, SPI 0x60EB9451
    Rule ID: 0x00007fdbd658bad0
IPSEC: Completed outbound outer SPD rule, SPI 0x60EB9451
    Rule ID: 0x00007fdbd658bbe0
IPSEC: New inbound tunnel flow rule, SPI 0x94E1FD90
    Src addr: 10.1.0.0
    Src mask: 255.255.0.0
    Dst addr: 10.1.4.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x94E1FD90
    Rule ID: 0x00007fdbd603e8a0
IPSEC: New inbound decrypt rule, SPI 0x94E1FD90
    Src addr: 101.0.0.10
    Src mask: 255.255.255.255
    Dst addr: 102.0.0.2
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x94E1FD90
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x94E1FD90
    Rule ID: 0x00007fdbd6126620
IPSEC: New inbound permit rule, SPI 0x94E1FD90
    Src addr: 101.0.0.10
    Src mask: 255.255.255.255
    Dst addr: 102.0.0.2
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x94E1FD90
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x94E1FD90
    Rule ID: 0x00007fdbd665b3b0
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK_RECD_LOAD_IPSEC
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_START_ACCT
IKEv2-PROTO-4: (78): DPD timer started for 10 secs
IKEv2-PROTO-7: (78): Accounting not required
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PARENT_NEG_COMPLETE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE
IKEv2-PROTO-7: (78): Closing the PKI session
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-4: (78): Checking for duplicate IKEv2 SA
IKEv2-PROTO-4: (78): No duplicate IKEv2 SA found
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: READY Event: EV_I_OK
IKEv2-PROTO-7: (78): Deleting negotiation context for my message ID: 0x1
IKEv2-PROTO-7: (78): Restarting DPD timer 6 secs

IKEv2-PROTO-7: (78): Timer expired, Sending DPD

IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: READY Event: EV_SEND_DPD
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SEND_DPD
IKEv2-PROTO-4: (78): Sending DPD/liveness query
IKEv2-PROTO-4: (78): Building packet for encryption. 
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_ENCRYPT_MSG
IKEv2-PROTO-4: (78): 
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_TRYSEND
IKEv2-PROTO-4: (78): Checking if request will fit in peer window
(78):  
IKEv2-PROTO-4: (78): Sending Packet [To 101.0.0.10:500/From 102.0.0.2:500/VRF i0:f0] 
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 2
(78): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-5: (78): Next payload: ENCR, version: 2.0 (78): Exchange type: INFORMATIONAL, flags: INITIATOR (78): Message id: 2, length: 60(78):  
Payload contents: 
(78):  ENCR(78):   Next payload: NONE, reserved: 0x0, length: 32
(78): Encrypted data: 28 bytes
(78):  
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_NO_EVENT
(78):  
IKEv2-PROTO-4: (78): Received Packet [From 101.0.0.10:500/To 102.0.0.2:500/VRF i0:f0] 
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 2
(78): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-5: (78): Next payload: ENCR, version: 2.0 (78): Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE (78): Message id: 2, length: 60(78):  
Payload contents: 
IKEv2-PROTO-4: decrypt queued(78):  
(78): Decrypted packet:(78): Data: 60 bytes
IKEv2-PROTO-4: 
(78): REAL Decrypted packet:(78): Data: 0 bytes
 
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-4: (78): Processing ACK to informational exchange
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000002 CurState: EXIT Event: EV_CHK_PENDING
IKEv2-PROTO-7: (78): Processed response with message id 2, Requests can be sent from range 3 to 7
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000002 CurState: EXIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000002 CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-7: (78): Deleting negotiation context for my message ID: 0x2
IKEv2-PROTO-7: (78): Restarting DPD timer 7 secs

IKEv2-PROTO-7: (78): Timer expired, Sending DPD

IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: READY Event: EV_SEND_DPD
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SEND_DPD
IKEv2-PROTO-4: (78): Sending DPD/liveness query
IKEv2-PROTO-4: (78): Building packet for encryption. 
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_ENCRYPT_MSG
IKEv2-PROTO-4: (78): 
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_TRYSEND
IKEv2-PROTO-4: (78): Checking if request will fit in peer window
(78):  
IKEv2-PROTO-4: (78): Sending Packet [To 101.0.0.10:500/From 102.0.0.2:500/VRF i0:f0] 
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 3
(78): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-5: (78): Next payload: ENCR, version: 2.0 (78): Exchange type: INFORMATIONAL, flags: INITIATOR (78): Message id: 3, length: 60(78):  
Payload contents: 
(78):  ENCR(78):   Next payload: NONE, reserved: 0x0, length: 32
(78): Encrypted data: 28 bytes
(78):  
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000003 CurState: INFO_I_BLD_INFO Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000003 CurState: INFO_I_WAIT Event: EV_NO_EVENT
(78):  
IKEv2-PROTO-4: (78): Received Packet [From 101.0.0.10:500/To 102.0.0.2:500/VRF i0:f0] 
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 3
(78): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-5: (78): Next payload: ENCR, version: 2.0 (78): Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE (78): Message id: 3, length: 60(78):  
Payload contents: 
IKEv2-PROTO-4: decrypt queued(78):  
(78): Decrypted packet:(78): Data: 60 bytes
IKEv2-PROTO-4: 
(78): REAL Decrypted packet:(78): Data: 0 bytes
 
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000003 CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-4: (78): Processing ACK to informational exchange
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000003 CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000003 CurState: EXIT Event: EV_CHK_PENDING
IKEv2-PROTO-7: (78): Processed response with message id 3, Requests can be sent from range 4 to 8
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000003 CurState: EXIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000003 CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-7: (78): Deleting negotiation context for my message ID: 0x3
IKEv2-PROTO-7: (78): Timer expired, Sending DPD

IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: READY Event: EV_SEND_DPD
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SEND_DPD
IKEv2-PROTO-4: (78): Sending DPD/liveness query
IKEv2-PROTO-4: (78): Building packet for encryption. 
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_ENCRYPT_MSG
IKEv2-PROTO-4: (78): 
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_TRYSEND
IKEv2-PROTO-4: (78): Checking if request will fit in peer window
(78):  
IKEv2-PROTO-4: (78): Sending Packet [To 101.0.0.10:500/From 102.0.0.2:500/VRF i0:f0] 
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 4
(78): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-5: (78): Next payload: ENCR, version: 2.0 (78): Exchange type: INFORMATIONAL, flags: INITIATOR (78): Message id: 4, length: 60(78):  
Payload contents: 
(78):  ENCR(78):   Next payload: NONE, reserved: 0x0, length: 32
(78): Encrypted data: 28 bytes
(78):  
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000004 CurState: INFO_I_BLD_INFO Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000004 CurState: INFO_I_WAIT Event: EV_NO_EVENT
(78):  
IKEv2-PROTO-4: (78): Received Packet [From 101.0.0.10:500/To 102.0.0.2:500/VRF i0:f0] 
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 4
(78): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-5: (78): Next payload: ENCR, version: 2.0 (78): Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE (78): Message id: 4, length: 60(78):  
Payload contents: 
IKEv2-PROTO-4: decrypt queued(78):  
(78): Decrypted packet:(78): Data: 60 bytes
IKEv2-PROTO-4: 
(78): REAL Decrypted packet:(78): Data: 0 bytes
 
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000004 CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-4: (78): Processing ACK to informational exchange
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000004 CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000004 CurState: EXIT Event: EV_CHK_PENDING
IKEv2-PROTO-7: (78): Processed response with message id 4, Requests can be sent from range 5 to 9
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000004 CurState: EXIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000004 CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-7: (78): Deleting negotiation context for my message ID: 0x4







R4#telnet 10.1.14.14
Trying 10.1.14.14 ... Open

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Username: Rob
Password: 
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************




ASA2# show crypto ikev2 sa 

IKEv2 SAs:

Session-id:65, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                                               Remote                                                  Status         Role
165595917 102.0.0.2/500                                       101.0.0.10/500                                           READY    INITIATOR
      Encr: 3DES, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1381 sec
Child sa: local selector  10.1.4.0/0 - 10.1.4.255/65535
          remote selector 10.1.0.0/0 - 10.1.255.255/65535
          ESP spi in/out: 0x94e1fd90/0x60eb9451  





ASA2# show crypto ipsec sa peer 101.0.0.10
peer address: 101.0.0.10
    Crypto map tag: CMAP, seq num: 10, local addr: 102.0.0.2

      access-list IKEV2_R4_TO_HQ_VPN extended permit ip 10.1.4.0 255.255.255.0 10.1.0.0 255.255.0.0 
      local ident (addr/mask/prot/port): (10.1.4.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      current_peer: 101.0.0.10


      #pkts encaps: 95, #pkts encrypt: 95, #pkts digest: 95
      #pkts decaps: 99, #pkts decrypt: 99, #pkts verify: 99
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 95, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 102.0.0.2/500, remote crypto endpt.: 101.0.0.10/500
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 60EB9451
      current inbound spi : 94E1FD90

    inbound esp sas:
      spi: 0x94E1FD90 (2497838480)
         SA State: active
         transform: esp-3des esp-md5-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 65, crypto-map: CMAP
         sa timing: remaining key lifetime (kB/sec): (4193273/27400)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x60EB9451 (1626051665)
         SA State: active
         transform: esp-3des esp-md5-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 65, crypto-map: CMAP
         sa timing: remaining key lifetime (kB/sec): (4331515/27400)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001





CSR1#show crypto ikev2 sa 
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         101.0.0.10/500        102.0.0.2/500         none/none            READY  
      Encr: 3DES, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1454 sec

 IPv6 Crypto IKEv2  SA 





CSR1#show crypto ipsec sa peer 102.0.0.2

interface: GigabitEthernet1
    Crypto map tag: IKEV2, local addr 101.0.0.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.4.0/255.255.255.0/0/0)
   current_peer 102.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 102, #pkts encrypt: 102, #pkts digest: 102
    #pkts decaps: 98, #pkts decrypt: 98, #pkts verify: 98
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 101.0.0.10, remote crypto endpt.: 102.0.0.2
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0x94E1FD90(2497838480)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x60EB9451(1626051665)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2443, flow_id: CSR:443, sibling_flags FFFFFFFF80000048, crypto map: IKEV2
        sa timing: remaining key lifetime (k/sec): (4607992/2130)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x94E1FD90(2497838480)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2444, flow_id: CSR:444, sibling_flags FFFFFFFF80000048, crypto map: IKEV2
        sa timing: remaining key lifetime (k/sec): (4607992/2130)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
          
     outbound ah sas:

     outbound pcp sas:
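An added example (not part of the original lab): a Python check that parses `show crypto ipsec sa` output from both peers, confirms that the ESP SPIs mirror each other (ASA2 inbound equals CSR1 outbound and vice versa), and reports negotiated algorithms that appear on a legacy list. The excerpts are constructed from the output above; the legacy list and all function names are assumptions of this example, not a Cisco-defined policy.

```python
import re

# Constructed sample input: excerpts trimmed from the show output above.
ASA2_IPSEC = """\
peer address: 101.0.0.10
    inbound esp sas:
      spi: 0x94E1FD90 (2497838480)
         transform: esp-3des esp-md5-hmac no compression
    outbound esp sas:
      spi: 0x60EB9451 (1626051665)
         transform: esp-3des esp-md5-hmac no compression
"""
CSR1_IPSEC = """\
     current outbound spi: 0x94E1FD90(2497838480)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x60EB9451(1626051665)
        transform: esp-3des esp-md5-hmac ,
     inbound ah sas:
     outbound esp sas:
      spi: 0x94E1FD90(2497838480)
        transform: esp-3des esp-md5-hmac ,
"""
IKE_SA_LINE = "Encr: 3DES, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK"

# Assumed audit policy for this example: algorithms treated as legacy.
LEGACY_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}
LEGACY_IKE_ENCR = {"DES", "3DES"}
LEGACY_DH_GROUPS = {"1", "2", "5"}


def parse_ipsec_sa(text):
    """Extract the ESP SPI and transforms per direction, plus the PFS flag.

    If a direction lists several SAs, the last one wins.
    """
    result = {"inbound": None, "outbound": None, "pfs": None}
    direction = None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", s)
        if m:
            # Only ESP sections are tracked; AH/PCP headers reset the state.
            direction = m.group(1) if m.group(2) == "esp" else None
            continue
        m = re.match(r"spi: 0x([0-9A-Fa-f]+)", s)
        if m and direction:
            result[direction] = {"spi": int(m.group(1), 16), "transforms": []}
            continue
        m = re.match(r"transform: (.+)", s)
        if m and direction and result[direction]:
            result[direction]["transforms"] = re.findall(r"esp-[a-z0-9-]+", m.group(1))
            continue
        m = re.match(r"PFS \(Y/N\): ([YN])", s)
        if m:
            result["pfs"] = m.group(1) == "Y"
    return result


def parse_ike_sa(line):
    """Split the 'Encr: ..., Hash: ..., DH Grp:5, ...' line into a dict."""
    fields = {}
    for part in line.split(","):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def spi_mirrored(a, b):
    """True when each peer's inbound SPI is the other peer's outbound SPI."""
    if not all((a["inbound"], a["outbound"], b["inbound"], b["outbound"])):
        return False
    return (a["inbound"]["spi"] == b["outbound"]["spi"]
            and a["outbound"]["spi"] == b["inbound"]["spi"])


def audit(ike_line, ipsec):
    """Return findings for legacy IKE/ESP algorithms and a reported PFS: N."""
    findings = []
    ike = parse_ike_sa(ike_line)
    if ike.get("Encr") in LEGACY_IKE_ENCR:
        findings.append("IKE encryption " + ike["Encr"])
    if ike.get("DH Grp") in LEGACY_DH_GROUPS:
        findings.append("IKE DH group " + ike["DH Grp"])
    for direction in ("inbound", "outbound"):
        sa = ipsec[direction]
        for transform in (sa["transforms"] if sa else []):
            if transform in LEGACY_ESP:
                findings.append(f"{direction} ESP {transform}")
    if ipsec["pfs"] is False:
        findings.append("child SA reports PFS: N")
    return findings


if __name__ == "__main__":
    asa, csr = parse_ipsec_sa(ASA2_IPSEC), parse_ipsec_sa(CSR1_IPSEC)
    print("SPIs mirrored:", spi_mirrored(asa, csr))
    for finding in audit(IKE_SA_LINE, csr):
        print("legacy:", finding)
```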