In this lab example we'll look at IKEv2 as the Phase 1 mechanism, using asymmetric pre-shared keys (each peer authenticates with its own key). Dynamic PAT is also set up, so NAT exemption is needed on CSR1 and Manual Twice NAT is needed on the ASA.
CSR1
crypto ikev2 proposal IKEV2_IOS_ASA_PROPOSAL
 encryption 3des
 integrity sha1
 group 5
!
crypto ikev2 policy IKEV2_IOS_ASA_POLICY
 proposal IKEV2_IOS_ASA_PROPOSAL
!
! Asymmetric PSKs: "local" is the key CSR1 presents, "remote" is the key it expects from ASA2
crypto ikev2 keyring IKEV2_IOS_ASA_KEYRING
 peer ASA2
  address 102.0.0.2
  pre-shared-key local ciscorouter
  pre-shared-key remote ciscoasa
!
crypto ikev2 profile IKEV2_IOS_ASA_PROFILE
 match identity remote address 102.0.0.2 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEV2_IOS_ASA_KEYRING
!
crypto ipsec transform-set IKEV2_IOS_ASA_TSET esp-3des esp-md5-hmac
 mode tunnel
!
! Crypto ACL: traffic to protect with the tunnel
ip access-list extended IKEV2_IOS_ASA_VPN
 permit ip 10.1.0.0 0.0.255.255 10.1.4.0 0.0.0.255
!
crypto map IKEV2 20 ipsec-isakmp
 set peer 102.0.0.2
 set transform-set IKEV2_IOS_ASA_TSET
 set ikev2-profile IKEV2_IOS_ASA_PROFILE
 match address IKEV2_IOS_ASA_VPN
!
interface GigabitEthernet1
 ip nat outside
!
interface GigabitEthernet2
 ip nat inside
!
! NAT exemption: traffic matching a deny entry is not translated by the PAT rule below
ip access-list extended NAT
 deny ip 10.1.0.0 0.0.255.255 10.1.4.0 0.0.0.255
 deny ip 10.1.0.0 0.0.255.255 10.18.0.0 0.0.255.255
 deny ip 10.1.0.0 0.0.255.255 10.19.0.0 0.0.255.255
 deny ip 10.1.0.0 0.0.255.255 10.20.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.255.255 any
!
ip nat inside source list NAT interface GigabitEthernet1 overload
!
interface GigabitEthernet1
 crypto map IKEV2
ASA2
crypto ikev2 policy 10
 encryption 3des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
!
! Asymmetric PSKs, mirrored from CSR1: remote-authentication is CSR1's local key
tunnel-group 101.0.0.10 type ipsec-l2l
tunnel-group 101.0.0.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key ciscorouter
 ikev2 local-authentication pre-shared-key ciscoasa
!
crypto ipsec ikev2 ipsec-proposal IKEV2_3DES_MD5
 protocol esp encryption 3des
 protocol esp integrity md5
!
! Objects are defined before the access list and NAT rule that reference them
object network INSIDE_NETWORK
 subnet 10.1.4.0 255.255.255.0
!
object network HQ_NETWORK
 subnet 10.1.0.0 255.255.0.0
!
access-list IKEV2_R4_TO_HQ_VPN extended permit ip object INSIDE_NETWORK object HQ_NETWORK
!
crypto map CMAP 10 match address IKEV2_R4_TO_HQ_VPN
crypto map CMAP 10 set peer 101.0.0.10
crypto map CMAP 10 set ikev2 ipsec-proposal IKEV2_3DES_MD5
crypto map CMAP interface outside
!
crypto ikev2 enable outside
!
! Manual Twice NAT: identity NAT for traffic between the two VPN networks
nat (inside,outside) source static INSIDE_NETWORK INSIDE_NETWORK destination static HQ_NETWORK HQ_NETWORK no-proxy-arp route-lookup
!
! Dynamic PAT for all other traffic from the inside network
object network INSIDE_NETWORK
 nat (inside,outside) dynamic interface
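
A cross-check of the two configurations above, as an added example that is not part of the original lab: with asymmetric pre-shared keys, CSR1's local key must equal ASA2's remote-authentication key and the reverse, and the "key len" lines in the CSR1 debug that follows show which key was used for each identity without printing it. The config and debug excerpts are copied from this page; the function names are made up for the example, and it assumes the keys appear in clear text in the configuration.

```python
import re

# Constructed excerpts: the lines of the CSR1 and ASA2 configurations and of the
# CSR1 debug from this page that matter for pre-shared-key authentication.
CSR1_CONFIG = """\
crypto ikev2 proposal IKEV2_IOS_ASA_PROPOSAL
 encryption 3des
 integrity sha1
 group 5
crypto ikev2 keyring IKEV2_IOS_ASA_KEYRING
 peer ASA2
  address 102.0.0.2
  pre-shared-key local ciscorouter
  pre-shared-key remote ciscoasa
"""
ASA2_CONFIG = """\
crypto ikev2 policy 10
 encryption 3des
 integrity sha
 group 5
tunnel-group 101.0.0.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key ciscorouter
 ikev2 local-authentication pre-shared-key ciscoasa
"""
CSR1_DEBUG = """\
IKEv2:(SESSION ID = 25,SA ID = 1):Use preshared key for id 102.0.0.2, key len 8
IKEv2:(SESSION ID = 25,SA ID = 1):Use preshared key for id 101.0.0.10, key len 11
"""

# IOS writes "sha1" where the ASA writes "sha"; compare on one spelling.
ALIASES = {"sha": "sha1"}


def first_match(pattern, text):
    """Return group 1 of the first line matching pattern, or None."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1) if m else None


def ike_transforms(text):
    """IKE SA transforms; anchored at line start so ESP proposal lines are skipped."""
    found = {}
    for field in ("encryption", "integrity", "group"):
        value = first_match(rf"^\s*{field} (\S+)", text)
        found[field] = ALIASES.get(value, value)
    return found


def parse_ios(text):
    """Keyring keys and IKE transforms from an IOS configuration."""
    cfg = ike_transforms(text)
    cfg["local_psk"] = first_match(r"^\s*pre-shared-key local (\S+)", text)
    cfg["remote_psk"] = first_match(r"^\s*pre-shared-key remote (\S+)", text)
    return cfg


def parse_asa(text):
    """Tunnel-group keys and IKE transforms from an ASA configuration."""
    cfg = ike_transforms(text)
    key = r"^\s*ikev2 %s-authentication pre-shared-key (\S+)"
    cfg["local_psk"] = first_match(key % "local", text)
    cfg["remote_psk"] = first_match(key % "remote", text)
    return cfg


def check_pair(ios, asa):
    """List every setting on which the two peers would fail to agree."""
    findings = []
    if ios["local_psk"] != asa["remote_psk"]:
        findings.append("CSR1 local key differs from ASA2 remote-authentication key")
    if ios["remote_psk"] != asa["local_psk"]:
        findings.append("CSR1 remote key differs from ASA2 local-authentication key")
    for field in ("encryption", "integrity", "group"):
        if ios[field] != asa[field]:
            findings.append(f"IKE {field}: CSR1 {ios[field]} vs ASA2 {asa[field]}")
    return findings


def debug_key_lengths(log):
    """Map each IKE identity in the debug to the key length the device used."""
    pattern = r"Use preshared key for id ([\d.]+), key len (\d+)"
    return {ident: int(length) for ident, length in re.findall(pattern, log)}


def check_debug(ios, lengths, local_id, peer_id):
    """Compare the logged key lengths with the keys in CSR1's keyring."""
    expected = {local_id: len(ios["local_psk"]), peer_id: len(ios["remote_psk"])}
    return [f"id {ident}: debug len {lengths.get(ident)}, keyring len {n}"
            for ident, n in expected.items() if lengths.get(ident) != n]


if __name__ == "__main__":
    ios, asa = parse_ios(CSR1_CONFIG), parse_asa(ASA2_CONFIG)
    print(check_pair(ios, asa) or "keys and IKE transforms agree")
    lengths = debug_key_lengths(CSR1_DEBUG)
    print(check_debug(ios, lengths, "101.0.0.10", "102.0.0.2") or "debug matches keyring")
```
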
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) VID
IKEv2:(SESSION ID = 25,SA ID = 1):Verify SA init message
IKEv2:(SESSION ID = 25,SA ID = 1):Insert SA
IKEv2:Searching Policy with fvrf 0, local address 101.0.0.10
IKEv2:Found Policy 'IKEV2_POLICY'
IKEv2:(SESSION ID = 25,SA ID = 1):Processing IKE_SA_INIT message
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
IKEv2:Failed to retrieve Certificate Issuer list
IKEv2:(SESSION ID = 25,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
IKEv2:(SESSION ID = 25,SA ID = 1):Request queued for computation of DH key
IKEv2:(SESSION ID = 25,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
IKEv2:(SESSION ID = 25,SA ID = 1):Request queued for computation of DH secret
IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
IKEv2:(SESSION ID = 25,SA ID = 1):Generating IKE_SA_INIT message
IKEv2:(SESSION ID = 25,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
3DES SHA1 SHA96 DH_GROUP_1536_MODP/Group 5
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
IKEv2:Failed to retrieve Certificate Issuer list
IKEv2:(SESSION ID = 25,SA ID = 1):Sending Packet [To 102.0.0.2:500/From 101.0.0.10:500/VRF i0:f0]
Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
IKEv2:(SESSION ID = 25,SA ID = 1):Completed SA init exchange
IKEv2:(SESSION ID = 25,SA ID = 1):Starting timer (30 sec) to wait for auth message
IKEv2:(SESSION ID = 25,SA ID = 1):Received Packet [From 102.0.0.2:500/To 101.0.0.10:500/VRF i0:f0]
Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
IKEv2:(SESSION ID = 25,SA ID = 1):Stopping timer to wait for auth message
IKEv2:(SESSION ID = 25,SA ID = 1):Checking NAT discovery
IKEv2:(SESSION ID = 25,SA ID = 1):NAT not found
IKEv2:(SESSION ID = 25,SA ID = 1):Searching policy based on peer's identity '102.0.0.2' of type 'IPv4 address'
IKEv2:found matching IKEv2 profile 'IKEV2_IOS_ASA_PROFILE'
IKEv2:% Getting preshared key from profile keyring IKEV2_IOS_ASA_KEYRING
IKEv2:% Matched peer block 'ASA2'
IKEv2:Searching Policy with fvrf 0, local address 101.0.0.10
IKEv2:Found Policy 'IKEV2_POLICY'
IKEv2:(SESSION ID = 25,SA ID = 1):Verify peer's policy
IKEv2:(SESSION ID = 25,SA ID = 1):Peer's policy verified
IKEv2:(SESSION ID = 25,SA ID = 1):Get peer's authentication method
IKEv2:(SESSION ID = 25,SA ID = 1):Peer's authentication method is 'PSK'
IKEv2:(SESSION ID = 25,SA ID = 1):Get peer's preshared key for 102.0.0.2
IKEv2:(SESSION ID = 25,SA ID = 1):Verify peer's authentication data
IKEv2:(SESSION ID = 25,SA ID = 1):Use preshared key for id 102.0.0.2, key len 8
IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
IKEv2:(SESSION ID = 25,SA ID = 1):Verification of peer's authenctication data PASSED
IKEv2:(SESSION ID = 25,SA ID = 1):Processing INITIAL_CONTACT
IKEv2:(SESSION ID = 25,SA ID = 1):Processing IKE_AUTH message
IKEv2:IPSec policy validate request sent for profile IKEV2_IOS_ASA_PROFILE with psh index 1.
IKEv2:(SESSION ID = 25,SA ID = 1):
IKEv2:(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.
IKEv2:(SESSION ID = 25,SA ID = 1):Get my authentication method
IKEv2:(SESSION ID = 25,SA ID = 1):My authentication method is 'PSK'
IKEv2:(SESSION ID = 25,SA ID = 1):Get peer's preshared key for 102.0.0.2
IKEv2:(SESSION ID = 25,SA ID = 1):Generate my authentication data
IKEv2:(SESSION ID = 25,SA ID = 1):Use preshared key for id 101.0.0.10, key len 11
IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
IKEv2:(SESSION ID = 25,SA ID = 1):Get my authentication method
IKEv2:(SESSION ID = 25,SA ID = 1):My authentication method is 'PSK'
IKEv2:(SESSION ID = 25,SA ID = 1):Generating IKE_AUTH message
IKEv2:(SESSION ID = 25,SA ID = 1):Constructing IDr payload: '101.0.0.10' of type 'IPv4 address'
IKEv2:(SESSION ID = 25,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
3DES MD596 Don't use ESN
IKEv2:(SESSION ID = 25,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
IKEv2:(SESSION ID = 25,SA ID = 1):Sending Packet [To 102.0.0.2:500/From 101.0.0.10:500/VRF i0:f0]
Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
IKEv2:(SESSION ID = 25,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
IKEv2:(SESSION ID = 25,SA ID = 1):Session with IKE ID PAIR (102.0.0.2, 101.0.0.10) is UP
IKEv2:IKEv2 MIB tunnel started, tunnel index 1
IKEv2:(SESSION ID = 25,SA ID = 1):Load IPSEC key material
IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
IKEv2:(SESSION ID = 25,SA ID = 1):Checking for duplicate IKEv2 SA
IKEv2:(SESSION ID = 25,SA ID = 1):No duplicate IKEv2 SA found
IKEv2:(SESSION ID = 25,SA ID = 1):Starting timer (8 sec) to delete negotiation context
IKEv2:(SESSION ID = 25,SA ID = 1):Received Packet [From 102.0.0.2:500/To 101.0.0.10:500/VRF i0:f0]
Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
IKEv2:(SESSION ID = 25,SA ID = 1):Received DPD/liveness query
IKEv2:(SESSION ID = 25,SA ID = 1):Building packet for encryption.
IKEv2:(SESSION ID = 25,SA ID = 1):Sending ACK to informational exchange
IKEv2:(SESSION ID = 25,SA ID = 1):Sending Packet [To 102.0.0.2:500/From 101.0.0.10:500/VRF i0:f0]
Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 2
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.1.4.4, sport=28539, daddr=10.1.14.14, dport=5888
IPSEC(crypto_map_check)-3: Checking crypto map CMAP 10: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.1.4.4, sport=28539, daddr=10.1.14.14, dport=5888
IPSEC(crypto_map_check)-3: Checking crypto map CMAP 10: matched.
IPSEC: New embryonic SA created @ 0x00007fdbd658f100,
SCB: 0xD6580690,
Direction: inbound
SPI : 0x94E1FD90
Session ID: 0x00041000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-7: (78): Setting configured policies
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-4: (78): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
IKEv2-PROTO-4: (78): Request queued for computation of DH key
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-4: (78): Generating IKE_SA_INIT message
IKEv2-PROTO-4: (78): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
(78): 3DES(78): SHA1(78): SHA96(78): DH_GROUP_1536_MODP/Group 5IKEv2-PROTO-7: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-7: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-7: Construct Notify Payload: IKEV2_FRAGMENTATION_SUPPORTEDIKEv2-PROTO-7: Construct Vendor Specific Payload: FRAGMENTATION(78):
IKEv2-PROTO-4: (78): Sending Packet [To 101.0.0.10:500/From 102.0.0.2:500/VRF i0:f0]
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 0000000000000000 Message id: 0
(78): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (78): Next payload: SA, version: 2.0 (78): Exchange type: IKE_SA_INIT, flags: INITIATOR (78): Message id: 0, length: 506(78):
Payload contents:
(78): SA(78): Next payload: KE, reserved: 0x0, length: 44
(78): last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(78): last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: 3DES
(78): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(78): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(78): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(78): KE(78): Next payload: N, reserved: 0x0, length: 200
(78): DH group: 5, Reserved: 0x0
(78):
(78): N(78): Next payload: VID, reserved: 0x0, length: 68
(78):
(78): 3c ad a9 e8 6b 3d 0c 80 3b c9 a5 57 9c 0c ed af
(78): 59 ae a3 8a 60 8c 74 51 49 7e ad 37 c3 c7 a5 c7
(78): 58 10 b6 d7 a3 78 60 7e e3 93 bc 5e 4a 7b 0d 05
(78): 55 b2 51 cd b4 4d 57 eb 4f 1f 54 ed 34 80 f5 16
(78): VID(78): Next payload: VID, reserved: 0x0, length: 23
(78):
(78): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(78): 53 4f 4e
(78): VID(78): Next payload: NOTIFY, reserved: 0x0, length: 59
(78):
(78): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(78): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(78): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(78): 73 2c 20 49 6e 63 2e
(78): NOTIFY(NAT_DETECTION_SOURCE_IP)(78): Next payload: NOTIFY, reserved: 0x0, length: 28
(78): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(78):
(78): 42 27 22 80 e8 20 29 d8 3e 0f 43 e9 62 57 27 d9
(78): 8a 0d 71 51
(78): NOTIFY(NAT_DETECTION_DESTINATION_IP)(78): Next payload: NOTIFY, reserved: 0x0, length: 28
(78): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(78):
(78): e1 06 67 fe f6 bc 58 e4 a8 a4 51 1d 84 4e 08 83
(78): 2f 60 09 d3
(78): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(78): Next payload: VID, reserved: 0x0, length: 8
(78): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(78): VID(78): Next payload: NONE, reserved: 0x0, length: 20
(78):
(78): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(78):
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-4: (78): Insert SA
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
(78):
IKEv2-PROTO-4: (78): Received Packet [From 101.0.0.10:500/To 102.0.0.2:500/VRF i0:f0]
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 0
(78): IKEv2 IKE_SA_INIT Exchange RESPONSEIKEv2-PROTO-5: (78): Next payload: SA, version: 2.0 (78): Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE (78): Message id: 0, length: 486(78):
Payload contents:
(78): SA(78): Next payload: KE, reserved: 0x0, length: 44
(78): last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(78): last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: 3DES
(78): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(78): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(78): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(78): KE(78): Next payload: N, reserved: 0x0, length: 200
(78): DH group: 5, Reserved: 0x0
(78):
(78): N(78): Next payload: VID, reserved: 0x0, length: 36
(78):
(78): 3b 8c 47 69 6a 61 12 d7 52 5c ba da 3a 5d ad b7
(78): d1 40 d3 84 a1 a5 95 f9 43 11 0a de 49 0d d2 85
IKEv2-PROTO-7: Parse Vendor Specific Payload: CISCO-DELETE-REASON(78): VID(78): Next payload: VID, reserved: 0x0, length: 23
(78):
(78): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(78): 53 4f 4e
IKEv2-PROTO-7: Parse Vendor Specific Payload: (CUSTOM)(78): VID(78): Next payload: VID, reserved: 0x0, length: 19
(78):
(78): 43 49 53 43 4f 56 50 4e 2d 52 45 56 2d 30 31
IKEv2-PROTO-7: Parse Vendor Specific Payload: (CUSTOM)(78): VID(78): Next payload: VID, reserved: 0x0, length: 59
(78):
(78): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(78): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(78): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(78): 73 2c 20 49 6e 63 2e
IKEv2-PROTO-7: Parse Vendor Specific Payload: (CUSTOM)(78): VID(78): Next payload: NOTIFY, reserved: 0x0, length: 21
(78):
(78): 46 4c 45 58 56 50 4e 2d 53 55 50 50 4f 52 54 45
(78): 44
IKEv2-PROTO-7: Parse Notify Payload: NAT_DETECTION_SOURCE_IP(78): NOTIFY(NAT_DETECTION_SOURCE_IP)(78): Next payload: NOTIFY, reserved: 0x0, length: 28
(78): Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(78):
(78): cb 6f 14 24 81 4a 6e 6e ab 02 5a 83 27 f1 ae da
(78): 8f b2 64 45
IKEv2-PROTO-7: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP(78): NOTIFY(NAT_DETECTION_DESTINATION_IP)(78): Next payload: NONE, reserved: 0x0, length: 28
(78): Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(78):
(78): b3 4f b9 d9 8c bc a6 ed bb 28 1a f3 93 88 1d b7
(78): b6 78 75 c5
(78):
(78): Decrypted packet:(78): Data: 486 bytes
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-7: (78): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (78): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-4: (78): Verify SA init message
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-4: (78): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-7: (78): Process NAT discovery notify
IKEv2-PROTO-7: (78): Processing nat detect src notify
IKEv2-PROTO-7: (78): Remote address matched
IKEv2-PROTO-7: (78): Processing nat detect dst notify
IKEv2-PROTO-7: (78): Local address matched
IKEv2-PROTO-7: (78): No NAT found
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-4: (78): Checking NAT discovery
IKEv2-PROTO-4: (78): NAT not found
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-4: (78): [IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
IKEv2-PROTO-4: (78): Request queued for computation of DH secret
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-7: (78): Generate skeyid
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-7: (78): Cisco DeleteReason Notify is enabled
IKEv2-PROTO-4: (78): Completed SA init exchange
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-4: (78): Check for EAP exchange
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-4: (78): Generate my authentication data
IKEv2-PROTO-4: (78): Use preshared key for id 102.0.0.2, key len 8
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-4: (78): Get my authentication method
IKEv2-PROTO-4: (78): My authentication method is 'PSK'
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-4: (78): Check for EAP exchange
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-4: (78): Generating IKE_AUTH message
IKEv2-PROTO-7: Construct Vendor Specific Payload: CISCO-GRANITEIKEv2-PROTO-4: (78): Constructing IDi payload: '102.0.0.2' of type 'IPv4 address'
IKEv2-PROTO-4: (78): ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
(78): 3DES(78): MD596(78): Don't use ESNIKEv2-PROTO-7: Construct Notify Payload: INITIAL_CONTACTIKEv2-PROTO-7: Construct Notify Payload: ESP_TFC_NO_SUPPORTIKEv2-PROTO-7: Construct Notify Payload: NON_FIRST_FRAGSIKEv2-PROTO-4: (78): Building packet for encryption.
(78):
Payload contents:
(78): VID(78): Next payload: IDi, reserved: 0x0, length: 20
(78):
(78): fb 44 8f b8 4f 5c 10 0b ed b9 28 39 92 03 a4 c5
(78): IDi(78): Next payload: AUTH, reserved: 0x0, length: 12
(78): Id type: IPv4 address, Reserved: 0x0 0x0
(78):
(78): 66 00 00 02
(78): AUTH(78): Next payload: SA, reserved: 0x0, length: 28
(78): Auth method PSK, reserved: 0x0, reserved 0x0
(78): Auth data: 20 bytes
(78): SA(78): Next payload: TSi, reserved: 0x0, length: 40
(78): last proposal: 0x0, reserved: 0x0, length: 36
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3(78): last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: 3DES
(78): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: MD596
(78): last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id: Don't use ESN
(78): TSi(78): Next payload: TSr, reserved: 0x0, length: 40
(78): Num of TSs: 2, reserved 0x0, reserved 0x0
(78): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(78): start port: 0, end port: 65535
(78): start addr: 10.1.4.4, end addr: 10.1.4.4
(78): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(78): start port: 0, end port: 65535
(78): start addr: 10.1.4.0, end addr: 10.1.4.255
(78): TSr(78): Next payload: NOTIFY, reserved: 0x0, length: 40
(78): Num of TSs: 2, reserved 0x0, reserved 0x0
(78): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(78): start port: 0, end port: 65535
(78): start addr: 10.1.14.14, end addr: 10.1.14.14
(78): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(78): start port: 0, end port: 65535
(78): start addr: 10.1.0.0, end addr: 10.1.255.255
(78): NOTIFY(INITIAL_CONTACT)(78): Next payload: NOTIFY, reserved: 0x0, length: 8
(78): Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
(78): NOTIFY(ESP_TFC_NO_SUPPORT)(78): Next payload: NOTIFY, reserved: 0x0, length: 8
(78): Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
(78): NOTIFY(NON_FIRST_FRAGS)(78): Next payload: NONE, reserved: 0x0, length: 8
(78): Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_ENCRYPT_MSG
IKEv2-PROTO-4: (78):
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_TRYSEND
(78):
IKEv2-PROTO-4: (78): Sending Packet [To 101.0.0.10:500/From 102.0.0.2:500/VRF i0:f0]
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 1
(78): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-5: (78): Next payload: ENCR, version: 2.0 (78): Exchange type: IKE_AUTH, flags: INITIATOR (78): Message id: 1, length: 260(78):
Payload contents:
(78): ENCR(78): Next payload: VID, reserved: 0x0, length: 232
(78): Encrypted data: 228 bytes
(78):
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_CHK_EAP_POST_ASYNC
IKEv2-PROTO-4: (78): Check for EAP exchange
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
(78):
IKEv2-PROTO-4: (78): Received Packet [From 101.0.0.10:500/To 102.0.0.2:500/VRF i0:f0]
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 1
(78): IKEv2 IKE_AUTH Exchange RESPONSEIKEv2-PROTO-5: (78): Next payload: ENCR, version: 2.0 (78): Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE (78): Message id: 1, length: 236(78):
Payload contents:
IKEv2-PROTO-4: decrypt queued(78):
(78): Decrypted packet:(78): Data: 236 bytes
IKEv2-PROTO-4:
(78): REAL Decrypted packet:(78): Data: 176 bytes
IKEv2-PROTO-7: Parse Vendor Specific Payload: (CUSTOM) VID Next payload: IDr, reserved: 0x0, length: 20
84 5c 49 84 cf a7 f5 f2 ed b9 28 39 92 03 a4 c5
IDr Next payload: AUTH, reserved: 0x0, length: 12
Id type: IPv4 address, Reserved: 0x0 0x0
65 00 00 0a
AUTH Next payload: SA, reserved: 0x0, length: 28
Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 20 bytes
SA Next payload: TSi, reserved: 0x0, length: 40
last proposal: 0x0, reserved: 0x0, length: 36
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3 last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: 3DES
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: MD596
last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id: Don't use ESN
TSi Next payload: TSr, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 10.1.4.0, end addr: 10.1.4.255
TSr Next payload: NOTIFY, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 10.1.0.0, end addr: 10.1.255.255
IKEv2-PROTO-7: Parse Notify Payload: SET_WINDOW_SIZE NOTIFY(SET_WINDOW_SIZE) Next payload: NOTIFY, reserved: 0x0, length: 12
Security protocol id: Unknown - 0, spi size: 0, type: SET_WINDOW_SIZE
00 00 00 05
IKEv2-PROTO-7: Parse Notify Payload: ESP_TFC_NO_SUPPORT NOTIFY(ESP_TFC_NO_SUPPORT) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: ESP_TFC_NO_SUPPORT
IKEv2-PROTO-7: Parse Notify Payload: NON_FIRST_FRAGS NOTIFY(NON_FIRST_FRAGS) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: NON_FIRST_FRAGS
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (78): Process auth response notify
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-4: (78): Searching policy based on peer's identity '101.0.0.10' of type 'IPv4 address'
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-4: (78): Verify peer's policy
IKEv2-PROTO-4: (78): Peer's policy verified
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-4: (78): Get peer's authentication method
IKEv2-PROTO-4: (78): Peer's authentication method is 'PSK'
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-4: (78): Get peer's preshared key for 101.0.0.10
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-4: (78): Verify peer's authentication data
IKEv2-PROTO-4: (78): Use preshared key for id 101.0.0.10, key len 11
IKEv2-PROTO-4: (78): Verification of peer's authenctication data PASSED
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-4: (78): Check for EAP exchange
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_NOTIFY_AUTH_DONE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_IC
IKEv2-PROTO-4: (78): Processing INITIAL_CONTACT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_SA_TS
IKEv2-PROTO-4: (78): Processing IKE_AUTH message
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-4: (78): IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
IKEv2-PROTO-4: (78): Session with IKE ID PAIR (101.0.0.10, 102.0.0.2) is UP
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PROTO-4: (78):
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PROTO-4: (78): Initializing DPD, configured for 10 seconds
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_GEN_LOAD_IPSEC
IKEv2-PROTO-4: (78): Load IPSEC key material
IKEv2-PROTO-4: (78):
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IPSEC: New embryonic SA created @ 0x00007fdbd6590900,
SCB: 0xD658B7E0,
Direction: outbound
SPI : 0x60EB9451
Session ID: 0x00041000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
Rule Lookup for local 10.1.4.0 to remote 10.1.0.0
PROXY MATCH on crypto map CMAP seq 10
IPSEC DEBUG: Using NP outbound permit rule for SPI 0x60EB9451
IPSEC: Completed host OBSA update, SPI 0x60EB9451
IPSEC: Creating outbound VPN context, SPI 0x60EB9451
Flags: 0x00000005
SA : 0x00007fdbd6590900
SPI : 0x60EB9451
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00000000
SCB : 0x02E7EFD9
Channel: 0x00007fdbed89e100
IPSEC: Completed outbound VPN context, SPI 0x60EB9451
VPN handle: 0x0000000000012414
IPSEC: New outbound encrypt rule, SPI 0x60EB9451
Src addr: 10.1.4.0
Src mask: 255.255.255.0
Dst addr: 10.1.0.0
Dst mask: 255.255.0.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0x60EB9451
Rule ID: 0x00007fdbd658bad0
IPSEC: New outbound permit rule, SPI 0x60EB9451
Src addr: 102.0.0.2
Src mask: 255.255.255.255
Dst addr: 101.0.0.10
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x60EB9451
Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0x60EB9451
Rule ID: 0x00007fdbd658bbe0
IPSEC: New embryonic SA created @ 0x00007fdbd658f100,
SCB: 0xD6580690,
Direction: inbound
SPI : 0x94E1FD90
Session ID: 0x00041000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
Rule Lookup for local 10.1.4.0 to remote 10.1.0.0
PROXY MATCH on crypto map CMAP seq 10
IPSEC DEBUG: Using NP inbound permit rule for SPI 0x94E1FD90
IPSEC: Completed host IBSA update, SPI 0x94E1FD90
IPSEC: Creating inbound VPN context, SPI 0x94E1FD90
Flags: 0x00000006
SA : 0x00007fdbd658f100
SPI : 0x94E1FD90
MTU : 0 bytes
VCID : 0x00000000
Peer : 0x00012414
SCB : 0x02E6C2DD
Channel: 0x00007fdbed89e100
IPSEC: Completed inbound VPN context, SPI 0x94E1FD90
VPN handle: 0x000000000001556c
IPSEC: Updating outbound VPN context 0x00012414, SPI 0x60EB9451
Flags: 0x00000005
SA : 0x00007fdbd6590900
SPI : 0x60EB9451
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x0001556C
SCB : 0x02E7EFD9
Channel: 0x00007fdbed89e100
IPSEC: Completed outbound VPN context, SPI 0x60EB9451
VPN handle: 0x0000000000012414
IPSEC: Completed outbound inner rule, SPI 0x60EB9451
Rule ID: 0x00007fdbd658bad0
IPSEC: Completed outbound outer SPD rule, SPI 0x60EB9451
Rule ID: 0x00007fdbd658bbe0
IPSEC: New inbound tunnel flow rule, SPI 0x94E1FD90
Src addr: 10.1.0.0
Src mask: 255.255.0.0
Dst addr: 10.1.4.0
Dst mask: 255.255.255.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x94E1FD90
Rule ID: 0x00007fdbd603e8a0
IPSEC: New inbound decrypt rule, SPI 0x94E1FD90
Src addr: 101.0.0.10
Src mask: 255.255.255.255
Dst addr: 102.0.0.2
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x94E1FD90
Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x94E1FD90
Rule ID: 0x00007fdbd6126620
IPSEC: New inbound permit rule, SPI 0x94E1FD90
Src addr: 101.0.0.10
Src mask: 255.255.255.255
Dst addr: 102.0.0.2
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x94E1FD90
Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x94E1FD90
Rule ID: 0x00007fdbd665b3b0
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK_RECD_LOAD_IPSEC
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_START_ACCT
IKEv2-PROTO-4: (78): DPD timer started for 10 secs
IKEv2-PROTO-7: (78): Accounting not required
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PARENT_NEG_COMPLETE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE
IKEv2-PROTO-7: (78): Closing the PKI session
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-4: (78): Checking for duplicate IKEv2 SA
IKEv2-PROTO-4: (78): No duplicate IKEv2 SA found
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: READY Event: EV_I_OK
IKEv2-PROTO-7: (78): Deleting negotiation context for my message ID: 0x1
IKEv2-PROTO-7: (78): Restarting DPD timer 6 secs
IKEv2-PROTO-7: (78): Timer expired, Sending DPD
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: READY Event: EV_SEND_DPD
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SEND_DPD
IKEv2-PROTO-4: (78): Sending DPD/liveness query
IKEv2-PROTO-4: (78): Building packet for encryption.
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_ENCRYPT_MSG
IKEv2-PROTO-4: (78):
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_TRYSEND
IKEv2-PROTO-4: (78): Checking if request will fit in peer window
(78):
IKEv2-PROTO-4: (78): Sending Packet [To 101.0.0.10:500/From 102.0.0.2:500/VRF i0:f0]
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 2
(78): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-5: (78): Next payload: ENCR, version: 2.0 (78): Exchange type: INFORMATIONAL, flags: INITIATOR (78): Message id: 2, length: 60(78):
Payload contents:
(78): ENCR(78): Next payload: NONE, reserved: 0x0, length: 32
(78): Encrypted data: 28 bytes
(78):
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_NO_EVENT
(78):
IKEv2-PROTO-4: (78): Received Packet [From 101.0.0.10:500/To 102.0.0.2:500/VRF i0:f0]
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 2
(78): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-5: (78): Next payload: ENCR, version: 2.0 (78): Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE (78): Message id: 2, length: 60(78):
Payload contents:
IKEv2-PROTO-4: decrypt queued(78):
(78): Decrypted packet:(78): Data: 60 bytes
IKEv2-PROTO-4:
(78): REAL Decrypted packet:(78): Data: 0 bytes
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-4: (78): Processing ACK to informational exchange
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000002 CurState: EXIT Event: EV_CHK_PENDING
IKEv2-PROTO-7: (78): Processed response with message id 2, Requests can be sent from range 3 to 7
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000002 CurState: EXIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000002 CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-7: (78): Deleting negotiation context for my message ID: 0x2
IKEv2-PROTO-7: (78): Restarting DPD timer 7 secs
IKEv2-PROTO-7: (78): Timer expired, Sending DPD
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: READY Event: EV_SEND_DPD
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SEND_DPD
IKEv2-PROTO-4: (78): Sending DPD/liveness query
IKEv2-PROTO-4: (78): Building packet for encryption.
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_ENCRYPT_MSG
IKEv2-PROTO-4: (78):
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_TRYSEND
IKEv2-PROTO-4: (78): Checking if request will fit in peer window
(78):
IKEv2-PROTO-4: (78): Sending Packet [To 101.0.0.10:500/From 102.0.0.2:500/VRF i0:f0]
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 3
(78): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-5: (78): Next payload: ENCR, version: 2.0 (78): Exchange type: INFORMATIONAL, flags: INITIATOR (78): Message id: 3, length: 60(78):
Payload contents:
(78): ENCR(78): Next payload: NONE, reserved: 0x0, length: 32
(78): Encrypted data: 28 bytes
(78):
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000003 CurState: INFO_I_BLD_INFO Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000003 CurState: INFO_I_WAIT Event: EV_NO_EVENT
(78):
IKEv2-PROTO-4: (78): Received Packet [From 101.0.0.10:500/To 102.0.0.2:500/VRF i0:f0]
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 3
(78): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-5: (78): Next payload: ENCR, version: 2.0 (78): Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE (78): Message id: 3, length: 60(78):
Payload contents:
IKEv2-PROTO-4: decrypt queued(78):
(78): Decrypted packet:(78): Data: 60 bytes
IKEv2-PROTO-4:
(78): REAL Decrypted packet:(78): Data: 0 bytes
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000003 CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-4: (78): Processing ACK to informational exchange
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000003 CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000003 CurState: EXIT Event: EV_CHK_PENDING
IKEv2-PROTO-7: (78): Processed response with message id 3, Requests can be sent from range 4 to 8
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000003 CurState: EXIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000003 CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-7: (78): Deleting negotiation context for my message ID: 0x3
IKEv2-PROTO-7: (78): Timer expired, Sending DPD
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: READY Event: EV_SEND_DPD
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SEND_DPD
IKEv2-PROTO-4: (78): Sending DPD/liveness query
IKEv2-PROTO-4: (78): Building packet for encryption.
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_ENCRYPT_MSG
IKEv2-PROTO-4: (78):
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_TRYSEND
IKEv2-PROTO-4: (78): Checking if request will fit in peer window
(78):
IKEv2-PROTO-4: (78): Sending Packet [To 101.0.0.10:500/From 102.0.0.2:500/VRF i0:f0]
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 4
(78): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-5: (78): Next payload: ENCR, version: 2.0 (78): Exchange type: INFORMATIONAL, flags: INITIATOR (78): Message id: 4, length: 60(78):
Payload contents:
(78): ENCR(78): Next payload: NONE, reserved: 0x0, length: 32
(78): Encrypted data: 28 bytes
(78):
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000004 CurState: INFO_I_BLD_INFO Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000004 CurState: INFO_I_WAIT Event: EV_NO_EVENT
(78):
IKEv2-PROTO-4: (78): Received Packet [From 101.0.0.10:500/To 102.0.0.2:500/VRF i0:f0]
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 4
(78): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-5: (78): Next payload: ENCR, version: 2.0 (78): Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE (78): Message id: 4, length: 60(78):
Payload contents:
IKEv2-PROTO-4: decrypt queued(78):
(78): Decrypted packet:(78): Data: 60 bytes
IKEv2-PROTO-4:
(78): REAL Decrypted packet:(78): Data: 0 bytes
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000004 CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-4: (78): Processing ACK to informational exchange
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000004 CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000004 CurState: EXIT Event: EV_CHK_PENDING
IKEv2-PROTO-7: (78): Processed response with message id 4, Requests can be sent from range 5 to 9
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000004 CurState: EXIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000004 CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-7: (78): Deleting negotiation context for my message ID: 0x4
R4#telnet 10.1.14.14
Trying 10.1.14.14 ... Open
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************
User Access Verification
Username: Rob
Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************
ASA2# show crypto ikev2 sa
IKEv2 SAs:
Session-id:65, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
165595917 102.0.0.2/500 101.0.0.10/500 READY INITIATOR
Encr: 3DES, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/1381 sec
Child sa: local selector 10.1.4.0/0 - 10.1.4.255/65535
remote selector 10.1.0.0/0 - 10.1.255.255/65535
ESP spi in/out: 0x94e1fd90/0x60eb9451
ASA2# show crypto ipsec sa peer 101.0.0.10
peer address: 101.0.0.10
Crypto map tag: CMAP, seq num: 10, local addr: 102.0.0.2
access-list IKEV2_R4_TO_HQ_VPN extended permit ip 10.1.4.0 255.255.255.0 10.1.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.1.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
current_peer: 101.0.0.10
#pkts encaps: 95, #pkts encrypt: 95, #pkts digest: 95
#pkts decaps: 99, #pkts decrypt: 99, #pkts verify: 99
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 95, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 102.0.0.2/500, remote crypto endpt.: 101.0.0.10/500
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 60EB9451
current inbound spi : 94E1FD90
inbound esp sas:
spi: 0x94E1FD90 (2497838480)
SA State: active
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 65, crypto-map: CMAP
sa timing: remaining key lifetime (kB/sec): (4193273/27400)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x60EB9451 (1626051665)
SA State: active
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 65, crypto-map: CMAP
sa timing: remaining key lifetime (kB/sec): (4331515/27400)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
CSR1#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 101.0.0.10/500 102.0.0.2/500 none/none READY
Encr: 3DES, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/1454 sec
IPv6 Crypto IKEv2 SA
CSR1#show crypto ipsec sa peer 102.0.0.2
interface: GigabitEthernet1
Crypto map tag: IKEV2, local addr 101.0.0.10
protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.4.0/255.255.255.0/0/0)
current_peer 102.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 102, #pkts encrypt: 102, #pkts digest: 102
#pkts decaps: 98, #pkts decrypt: 98, #pkts verify: 98
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 101.0.0.10, remote crypto endpt.: 102.0.0.2
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0x94E1FD90(2497838480)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x60EB9451(1626051665)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2443, flow_id: CSR:443, sibling_flags FFFFFFFF80000048, crypto map: IKEV2
sa timing: remaining key lifetime (k/sec): (4607992/2130)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x94E1FD90(2497838480)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2444, flow_id: CSR:444, sibling_flags FFFFFFFF80000048, crypto map: IKEV2
sa timing: remaining key lifetime (k/sec): (4607992/2130)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
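The two `show crypto ipsec sa` outputs above can be cross-checked mechanically: each peer's inbound ESP SPI must be the other's outbound SPI, the proxy identities must mirror, and both sides must report the same transform. The Python script below is an added example, not part of the original lab. The excerpts are trimmed from the output above; the function names and the list of transforms treated as legacy are assumptions of this example.

```python
import re

# Excerpts trimmed from the two "show crypto ipsec sa" outputs above.
ASA2_OUTPUT = """\
local ident (addr/mask/prot/port): (10.1.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
current outbound spi: 60EB9451
current inbound spi : 94E1FD90
inbound esp sas:
spi: 0x94E1FD90 (2497838480)
transform: esp-3des esp-md5-hmac no compression
outbound esp sas:
spi: 0x60EB9451 (1626051665)
transform: esp-3des esp-md5-hmac no compression
"""

CSR1_OUTPUT = """\
local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.4.0/255.255.255.0/0/0)
current outbound spi: 0x94E1FD90(2497838480)
inbound esp sas:
spi: 0x60EB9451(1626051665)
transform: esp-3des esp-md5-hmac ,
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x94E1FD90(2497838480)
transform: esp-3des esp-md5-hmac ,
outbound ah sas:
outbound pcp sas:
"""

IDENT_RE = re.compile(
    r"^(local|remote)\s+ident \(addr/mask/prot/port\): "
    r"\(([\d.]+)/([\d.]+)/\d+/\d+\)")
SECTION_RE = re.compile(r"^(inbound|outbound) (esp|ah|pcp) sas:")
SPI_RE = re.compile(r"^spi: 0x([0-9A-Fa-f]+)")

# Assumption: this example's own audit policy, not something the lab states.
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac"}


def parse_ipsec_sa(text):
    """Extract proxy identities, ESP SPIs and ESP transforms per direction."""
    sa = {"ident": {}, "spi": {}, "transform": {}}
    section = None  # "inbound" / "outbound" while inside an ESP SA section
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m:
            sa["ident"][m.group(1)] = (m.group(2), m.group(3))
            continue
        m = SECTION_RE.match(line)
        if m:
            # AH and PCP sections end the ESP section; they are ignored here.
            section = m.group(1) if m.group(2) == "esp" else None
            continue
        if section is None:
            continue
        m = SPI_RE.match(line)
        if m:
            sa["spi"][section] = int(m.group(1), 16)
        elif line.startswith("transform:"):
            sa["transform"][section] = tuple(
                t for t in line.split()[1:] if t.startswith("esp-"))
    return sa


def mirror_errors(a, b):
    """Return a list of inconsistencies between two peers' views of one SA pair."""
    errors = []
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        spi = a["spi"].get(mine)
        if spi is None or spi != b["spi"].get(theirs):
            errors.append(f"SPI mismatch: {mine} on A vs {theirs} on B")
    for mine, theirs in (("local", "remote"), ("remote", "local")):
        ident = a["ident"].get(mine)
        if ident is None or ident != b["ident"].get(theirs):
            errors.append(f"proxy identity mismatch: {mine} on A vs {theirs} on B")
    transforms = set(a["transform"].values()) | set(b["transform"].values())
    if len(transforms) != 1:
        errors.append("transform mismatch between peers or directions")
    return errors


def legacy_transforms(sa):
    """Return the negotiated transforms that the example policy flags."""
    seen = {t for tokens in sa["transform"].values() for t in tokens}
    return sorted(seen & LEGACY)


if __name__ == "__main__":
    asa2 = parse_ipsec_sa(ASA2_OUTPUT)
    csr1 = parse_ipsec_sa(CSR1_OUTPUT)
    print("mirror errors:", mirror_errors(asa2, csr1) or "none")
    print("legacy transforms in use:", legacy_transforms(asa2) or "none")
```
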
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) VID
IKEv2:(SESSION ID = 25,SA ID = 1):Verify SA init message
IKEv2:(SESSION ID = 25,SA ID = 1):Insert SA
IKEv2:Searching Policy with fvrf 0, local address 101.0.0.10
IKEv2:Found Policy 'IKEV2_POLICY'
IKEv2:(SESSION ID = 25,SA ID = 1):Processing IKE_SA_INIT message
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
IKEv2:Failed to retrieve Certificate Issuer list
IKEv2:(SESSION ID = 25,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
IKEv2:(SESSION ID = 25,SA ID = 1):Request queued for computation of DH key
IKEv2:(SESSION ID = 25,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
IKEv2:(SESSION ID = 25,SA ID = 1):Request queued for computation of DH secret
IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
IKEv2:(SESSION ID = 25,SA ID = 1):Generating IKE_SA_INIT message
IKEv2:(SESSION ID = 25,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
3DES SHA1 SHA96 DH_GROUP_1536_MODP/Group 5
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
IKEv2:Failed to retrieve Certificate Issuer list
IKEv2:(SESSION ID = 25,SA ID = 1):Sending Packet [To 102.0.0.2:500/From 101.0.0.10:500/VRF i0:f0]
Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
IKEv2:(SESSION ID = 25,SA ID = 1):Completed SA init exchange
IKEv2:(SESSION ID = 25,SA ID = 1):Starting timer (30 sec) to wait for auth message
IKEv2:(SESSION ID = 25,SA ID = 1):Received Packet [From 102.0.0.2:500/To 101.0.0.10:500/VRF i0:f0]
Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
IKEv2:(SESSION ID = 25,SA ID = 1):Stopping timer to wait for auth message
IKEv2:(SESSION ID = 25,SA ID = 1):Checking NAT discovery
IKEv2:(SESSION ID = 25,SA ID = 1):NAT not found
IKEv2:(SESSION ID = 25,SA ID = 1):Searching policy based on peer's identity '102.0.0.2' of type 'IPv4 address'
IKEv2:found matching IKEv2 profile 'IKEV2_IOS_ASA_PROFILE'
IKEv2:% Getting preshared key from profile keyring IKEV2_IOS_ASA_KEYRING
IKEv2:% Matched peer block 'ASA2'
IKEv2:Searching Policy with fvrf 0, local address 101.0.0.10
IKEv2:Found Policy 'IKEV2_POLICY'
IKEv2:(SESSION ID = 25,SA ID = 1):Verify peer's policy
IKEv2:(SESSION ID = 25,SA ID = 1):Peer's policy verified
IKEv2:(SESSION ID = 25,SA ID = 1):Get peer's authentication method
IKEv2:(SESSION ID = 25,SA ID = 1):Peer's authentication method is 'PSK'
IKEv2:(SESSION ID = 25,SA ID = 1):Get peer's preshared key for 102.0.0.2
IKEv2:(SESSION ID = 25,SA ID = 1):Verify peer's authentication data
IKEv2:(SESSION ID = 25,SA ID = 1):Use preshared key for id 102.0.0.2, key len 8
IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
IKEv2:(SESSION ID = 25,SA ID = 1):Verification of peer's authenctication data PASSED
IKEv2:(SESSION ID = 25,SA ID = 1):Processing INITIAL_CONTACT
IKEv2:(SESSION ID = 25,SA ID = 1):Processing IKE_AUTH message
IKEv2:IPSec policy validate request sent for profile IKEV2_IOS_ASA_PROFILE with psh index 1.
IKEv2:(SESSION ID = 25,SA ID = 1):
IKEv2:(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.
IKEv2:(SESSION ID = 25,SA ID = 1):Get my authentication method
IKEv2:(SESSION ID = 25,SA ID = 1):My authentication method is 'PSK'
IKEv2:(SESSION ID = 25,SA ID = 1):Get peer's preshared key for 102.0.0.2
IKEv2:(SESSION ID = 25,SA ID = 1):Generate my authentication data
IKEv2:(SESSION ID = 25,SA ID = 1):Use preshared key for id 101.0.0.10, key len 11
IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
IKEv2:(SESSION ID = 25,SA ID = 1):Get my authentication method
IKEv2:(SESSION ID = 25,SA ID = 1):My authentication method is 'PSK'
IKEv2:(SESSION ID = 25,SA ID = 1):Generating IKE_AUTH message
IKEv2:(SESSION ID = 25,SA ID = 1):Constructing IDr payload: '101.0.0.10' of type 'IPv4 address'
IKEv2:(SESSION ID = 25,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
3DES MD596 Don't use ESN
IKEv2:(SESSION ID = 25,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
IKEv2:(SESSION ID = 25,SA ID = 1):Sending Packet [To 102.0.0.2:500/From 101.0.0.10:500/VRF i0:f0]
Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
IKEv2:(SESSION ID = 25,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
IKEv2:(SESSION ID = 25,SA ID = 1):Session with IKE ID PAIR (102.0.0.2, 101.0.0.10) is UP
IKEv2:IKEv2 MIB tunnel started, tunnel index 1
IKEv2:(SESSION ID = 25,SA ID = 1):Load IPSEC key material
IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
IKEv2:(SESSION ID = 25,SA ID = 1):Checking for duplicate IKEv2 SA
IKEv2:(SESSION ID = 25,SA ID = 1):No duplicate IKEv2 SA found
IKEv2:(SESSION ID = 25,SA ID = 1):Starting timer (8 sec) to delete negotiation context
IKEv2:(SESSION ID = 25,SA ID = 1):Received Packet [From 102.0.0.2:500/To 101.0.0.10:500/VRF i0:f0]
Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
IKEv2:(SESSION ID = 25,SA ID = 1):Received DPD/liveness query
IKEv2:(SESSION ID = 25,SA ID = 1):Building packet for encryption.
IKEv2:(SESSION ID = 25,SA ID = 1):Sending ACK to informational exchange
IKEv2:(SESSION ID = 25,SA ID = 1):Sending Packet [To 102.0.0.2:500/From 101.0.0.10:500/VRF i0:f0]
Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 2
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.1.4.4, sport=28539, daddr=10.1.14.14, dport=5888
IPSEC(crypto_map_check)-3: Checking crypto map CMAP 10: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.1.4.4, sport=28539, daddr=10.1.14.14, dport=5888
IPSEC(crypto_map_check)-3: Checking crypto map CMAP 10: matched.
IPSEC: New embryonic SA created @ 0x00007fdbd658f100,
SCB: 0xD6580690,
Direction: inbound
SPI : 0x94E1FD90
Session ID: 0x00041000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-7: (78): Setting configured policies
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-4: (78): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
IKEv2-PROTO-4: (78): Request queued for computation of DH key
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-4: (78): Generating IKE_SA_INIT message
IKEv2-PROTO-4: (78): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
(78): 3DES(78): SHA1(78): SHA96(78): DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-7: Construct Vendor Specific Payload: DELETE-REASON
IKEv2-PROTO-7: Construct Vendor Specific Payload: (CUSTOM)
IKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_SOURCE_IP
IKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_DESTINATION_IP
IKEv2-PROTO-7: Construct Notify Payload: IKEV2_FRAGMENTATION_SUPPORTED
IKEv2-PROTO-7: Construct Vendor Specific Payload: FRAGMENTATION
(78):
IKEv2-PROTO-4: (78): Sending Packet [To 101.0.0.10:500/From 102.0.0.2:500/VRF i0:f0]
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 0000000000000000 Message id: 0
(78): IKEv2 IKE_SA_INIT Exchange REQUEST
IKEv2-PROTO-5: (78): Next payload: SA, version: 2.0 (78): Exchange type: IKE_SA_INIT, flags: INITIATOR (78): Message id: 0, length: 506(78):
Payload contents:
(78): SA(78): Next payload: KE, reserved: 0x0, length: 44
(78): last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
(78): last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: 3DES
(78): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(78): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(78): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(78): KE(78): Next payload: N, reserved: 0x0, length: 200
(78): DH group: 5, Reserved: 0x0
(78):
(78): N(78): Next payload: VID, reserved: 0x0, length: 68
(78):
(78): 3c ad a9 e8 6b 3d 0c 80 3b c9 a5 57 9c 0c ed af
(78): 59 ae a3 8a 60 8c 74 51 49 7e ad 37 c3 c7 a5 c7
(78): 58 10 b6 d7 a3 78 60 7e e3 93 bc 5e 4a 7b 0d 05
(78): 55 b2 51 cd b4 4d 57 eb 4f 1f 54 ed 34 80 f5 16
(78): VID(78): Next payload: VID, reserved: 0x0, length: 23
(78):
(78): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(78): 53 4f 4e
(78): VID(78): Next payload: NOTIFY, reserved: 0x0, length: 59
(78):
(78): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(78): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(78): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(78): 73 2c 20 49 6e 63 2e
(78): NOTIFY(NAT_DETECTION_SOURCE_IP)(78): Next payload: NOTIFY, reserved: 0x0, length: 28
(78): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(78):
(78): 42 27 22 80 e8 20 29 d8 3e 0f 43 e9 62 57 27 d9
(78): 8a 0d 71 51
(78): NOTIFY(NAT_DETECTION_DESTINATION_IP)(78): Next payload: NOTIFY, reserved: 0x0, length: 28
(78): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(78):
(78): e1 06 67 fe f6 bc 58 e4 a8 a4 51 1d 84 4e 08 83
(78): 2f 60 09 d3
(78): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(78): Next payload: VID, reserved: 0x0, length: 8
(78): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(78): VID(78): Next payload: NONE, reserved: 0x0, length: 20
(78):
(78): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(78):
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-4: (78): Insert SA
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
(78):
IKEv2-PROTO-4: (78): Received Packet [From 101.0.0.10:500/To 102.0.0.2:500/VRF i0:f0]
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 0
(78): IKEv2 IKE_SA_INIT Exchange RESPONSE
IKEv2-PROTO-5: (78): Next payload: SA, version: 2.0 (78): Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE (78): Message id: 0, length: 486(78):
Payload contents:
(78): SA(78): Next payload: KE, reserved: 0x0, length: 44
(78): last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
(78): last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: 3DES
(78): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(78): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(78): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(78): KE(78): Next payload: N, reserved: 0x0, length: 200
(78): DH group: 5, Reserved: 0x0
(78):
(78): N(78): Next payload: VID, reserved: 0x0, length: 36
(78):
(78): 3b 8c 47 69 6a 61 12 d7 52 5c ba da 3a 5d ad b7
(78): d1 40 d3 84 a1 a5 95 f9 43 11 0a de 49 0d d2 85
IKEv2-PROTO-7: Parse Vendor Specific Payload: CISCO-DELETE-REASON
(78): VID(78): Next payload: VID, reserved: 0x0, length: 23
(78):
(78): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(78): 53 4f 4e
IKEv2-PROTO-7: Parse Vendor Specific Payload: (CUSTOM)
(78): VID(78): Next payload: VID, reserved: 0x0, length: 19
(78):
(78): 43 49 53 43 4f 56 50 4e 2d 52 45 56 2d 30 31
IKEv2-PROTO-7: Parse Vendor Specific Payload: (CUSTOM)
(78): VID(78): Next payload: VID, reserved: 0x0, length: 59
(78):
(78): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(78): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(78): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(78): 73 2c 20 49 6e 63 2e
IKEv2-PROTO-7: Parse Vendor Specific Payload: (CUSTOM)
(78): VID(78): Next payload: NOTIFY, reserved: 0x0, length: 21
(78):
(78): 46 4c 45 58 56 50 4e 2d 53 55 50 50 4f 52 54 45
(78): 44
IKEv2-PROTO-7: Parse Notify Payload: NAT_DETECTION_SOURCE_IP
(78): NOTIFY(NAT_DETECTION_SOURCE_IP)(78): Next payload: NOTIFY, reserved: 0x0, length: 28
(78): Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(78):
(78): cb 6f 14 24 81 4a 6e 6e ab 02 5a 83 27 f1 ae da
(78): 8f b2 64 45
IKEv2-PROTO-7: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP
(78): NOTIFY(NAT_DETECTION_DESTINATION_IP)(78): Next payload: NONE, reserved: 0x0, length: 28
(78): Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(78):
(78): b3 4f b9 d9 8c bc a6 ed bb 28 1a f3 93 88 1d b7
(78): b6 78 75 c5
(78):
(78): Decrypted packet:(78): Data: 486 bytes
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-7: (78): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (78): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-4: (78): Verify SA init message
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-4: (78): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-7: (78): Process NAT discovery notify
IKEv2-PROTO-7: (78): Processing nat detect src notify
IKEv2-PROTO-7: (78): Remote address matched
IKEv2-PROTO-7: (78): Processing nat detect dst notify
IKEv2-PROTO-7: (78): Local address matched
IKEv2-PROTO-7: (78): No NAT found
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-4: (78): Checking NAT discovery
IKEv2-PROTO-4: (78): NAT not found
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-4: (78): [IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
IKEv2-PROTO-4: (78): Request queued for computation of DH secret
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-7: (78): Generate skeyid
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-7: (78): Cisco DeleteReason Notify is enabled
IKEv2-PROTO-4: (78): Completed SA init exchange
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-4: (78): Check for EAP exchange
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-4: (78): Generate my authentication data
IKEv2-PROTO-4: (78): Use preshared key for id 102.0.0.2, key len 8
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-4: (78): Get my authentication method
IKEv2-PROTO-4: (78): My authentication method is 'PSK'
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-4: (78): Check for EAP exchange
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-4: (78): Generating IKE_AUTH message
IKEv2-PROTO-7: Construct Vendor Specific Payload: CISCO-GRANITE
IKEv2-PROTO-4: (78): Constructing IDi payload: '102.0.0.2' of type 'IPv4 address'
IKEv2-PROTO-4: (78): ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
(78): 3DES(78): MD596(78): Don't use ESN
IKEv2-PROTO-7: Construct Notify Payload: INITIAL_CONTACT
IKEv2-PROTO-7: Construct Notify Payload: ESP_TFC_NO_SUPPORT
IKEv2-PROTO-7: Construct Notify Payload: NON_FIRST_FRAGS
IKEv2-PROTO-4: (78): Building packet for encryption.
(78):
Payload contents:
(78): VID(78): Next payload: IDi, reserved: 0x0, length: 20
(78):
(78): fb 44 8f b8 4f 5c 10 0b ed b9 28 39 92 03 a4 c5
(78): IDi(78): Next payload: AUTH, reserved: 0x0, length: 12
(78): Id type: IPv4 address, Reserved: 0x0 0x0
(78):
(78): 66 00 00 02
(78): AUTH(78): Next payload: SA, reserved: 0x0, length: 28
(78): Auth method PSK, reserved: 0x0, reserved 0x0
(78): Auth data: 20 bytes
(78): SA(78): Next payload: TSi, reserved: 0x0, length: 40
(78): last proposal: 0x0, reserved: 0x0, length: 36
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
(78): last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: 3DES
(78): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: MD596
(78): last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id: Don't use ESN
(78): TSi(78): Next payload: TSr, reserved: 0x0, length: 40
(78): Num of TSs: 2, reserved 0x0, reserved 0x0
(78): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(78): start port: 0, end port: 65535
(78): start addr: 10.1.4.4, end addr: 10.1.4.4
(78): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(78): start port: 0, end port: 65535
(78): start addr: 10.1.4.0, end addr: 10.1.4.255
(78): TSr(78): Next payload: NOTIFY, reserved: 0x0, length: 40
(78): Num of TSs: 2, reserved 0x0, reserved 0x0
(78): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(78): start port: 0, end port: 65535
(78): start addr: 10.1.14.14, end addr: 10.1.14.14
(78): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(78): start port: 0, end port: 65535
(78): start addr: 10.1.0.0, end addr: 10.1.255.255
(78): NOTIFY(INITIAL_CONTACT)(78): Next payload: NOTIFY, reserved: 0x0, length: 8
(78): Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
(78): NOTIFY(ESP_TFC_NO_SUPPORT)(78): Next payload: NOTIFY, reserved: 0x0, length: 8
(78): Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
(78): NOTIFY(NON_FIRST_FRAGS)(78): Next payload: NONE, reserved: 0x0, length: 8
(78): Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_ENCRYPT_MSG
IKEv2-PROTO-4: (78):
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_TRYSEND
(78):
IKEv2-PROTO-4: (78): Sending Packet [To 101.0.0.10:500/From 102.0.0.2:500/VRF i0:f0]
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 1
(78): IKEv2 IKE_AUTH Exchange REQUEST
IKEv2-PROTO-5: (78): Next payload: ENCR, version: 2.0 (78): Exchange type: IKE_AUTH, flags: INITIATOR (78): Message id: 1, length: 260(78):
Payload contents:
(78): ENCR(78): Next payload: VID, reserved: 0x0, length: 232
(78): Encrypted data: 228 bytes
(78):
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_CHK_EAP_POST_ASYNC
IKEv2-PROTO-4: (78): Check for EAP exchange
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
(78):
IKEv2-PROTO-4: (78): Received Packet [From 101.0.0.10:500/To 102.0.0.2:500/VRF i0:f0]
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 1
(78): IKEv2 IKE_AUTH Exchange RESPONSE
IKEv2-PROTO-5: (78): Next payload: ENCR, version: 2.0 (78): Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE (78): Message id: 1, length: 236(78):
Payload contents:
IKEv2-PROTO-4: decrypt queued(78):
(78): Decrypted packet:(78): Data: 236 bytes
IKEv2-PROTO-4:
(78): REAL Decrypted packet:(78): Data: 176 bytes
IKEv2-PROTO-7: Parse Vendor Specific Payload: (CUSTOM)
VID Next payload: IDr, reserved: 0x0, length: 20
84 5c 49 84 cf a7 f5 f2 ed b9 28 39 92 03 a4 c5
IDr Next payload: AUTH, reserved: 0x0, length: 12
Id type: IPv4 address, Reserved: 0x0 0x0
65 00 00 0a
AUTH Next payload: SA, reserved: 0x0, length: 28
Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 20 bytes
SA Next payload: TSi, reserved: 0x0, length: 40
last proposal: 0x0, reserved: 0x0, length: 36
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: 3DES
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: MD596
last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id: Don't use ESN
TSi Next payload: TSr, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 10.1.4.0, end addr: 10.1.4.255
TSr Next payload: NOTIFY, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 10.1.0.0, end addr: 10.1.255.255
IKEv2-PROTO-7: Parse Notify Payload: SET_WINDOW_SIZE
NOTIFY(SET_WINDOW_SIZE) Next payload: NOTIFY, reserved: 0x0, length: 12
Security protocol id: Unknown - 0, spi size: 0, type: SET_WINDOW_SIZE
00 00 00 05
IKEv2-PROTO-7: Parse Notify Payload: ESP_TFC_NO_SUPPORT
NOTIFY(ESP_TFC_NO_SUPPORT) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: ESP_TFC_NO_SUPPORT
IKEv2-PROTO-7: Parse Notify Payload: NON_FIRST_FRAGS
NOTIFY(NON_FIRST_FRAGS) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: NON_FIRST_FRAGS
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (78): Process auth response notify
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-4: (78): Searching policy based on peer's identity '101.0.0.10' of type 'IPv4 address'
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-4: (78): Verify peer's policy
IKEv2-PROTO-4: (78): Peer's policy verified
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-4: (78): Get peer's authentication method
IKEv2-PROTO-4: (78): Peer's authentication method is 'PSK'
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-4: (78): Get peer's preshared key for 101.0.0.10
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-4: (78): Verify peer's authentication data
IKEv2-PROTO-4: (78): Use preshared key for id 101.0.0.10, key len 11
IKEv2-PROTO-4: (78): Verification of peer's authenctication data PASSED
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-4: (78): Check for EAP exchange
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_NOTIFY_AUTH_DONE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_IC
IKEv2-PROTO-4: (78): Processing INITIAL_CONTACT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_SA_TS
IKEv2-PROTO-4: (78): Processing IKE_AUTH message
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-4: (78): IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
IKEv2-PROTO-4: (78): Session with IKE ID PAIR (101.0.0.10, 102.0.0.2) is UP
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PROTO-4: (78):
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PROTO-4: (78): Initializing DPD, configured for 10 seconds
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_GEN_LOAD_IPSEC
IKEv2-PROTO-4: (78): Load IPSEC key material
IKEv2-PROTO-4: (78):
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IPSEC: New embryonic SA created @ 0x00007fdbd6590900,
SCB: 0xD658B7E0,
Direction: outbound
SPI : 0x60EB9451
Session ID: 0x00041000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
Rule Lookup for local 10.1.4.0 to remote 10.1.0.0
PROXY MATCH on crypto map CMAP seq 10
IPSEC DEBUG: Using NP outbound permit rule for SPI 0x60EB9451
IPSEC: Completed host OBSA update, SPI 0x60EB9451
IPSEC: Creating outbound VPN context, SPI 0x60EB9451
Flags: 0x00000005
SA : 0x00007fdbd6590900
SPI : 0x60EB9451
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00000000
SCB : 0x02E7EFD9
Channel: 0x00007fdbed89e100
IPSEC: Completed outbound VPN context, SPI 0x60EB9451
VPN handle: 0x0000000000012414
IPSEC: New outbound encrypt rule, SPI 0x60EB9451
Src addr: 10.1.4.0
Src mask: 255.255.255.0
Dst addr: 10.1.0.0
Dst mask: 255.255.0.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0x60EB9451
Rule ID: 0x00007fdbd658bad0
IPSEC: New outbound permit rule, SPI 0x60EB9451
Src addr: 102.0.0.2
Src mask: 255.255.255.255
Dst addr: 101.0.0.10
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x60EB9451
Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0x60EB9451
Rule ID: 0x00007fdbd658bbe0
IPSEC: New embryonic SA created @ 0x00007fdbd658f100,
SCB: 0xD6580690,
Direction: inbound
SPI : 0x94E1FD90
Session ID: 0x00041000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
Rule Lookup for local 10.1.4.0 to remote 10.1.0.0
PROXY MATCH on crypto map CMAP seq 10
IPSEC DEBUG: Using NP inbound permit rule for SPI 0x94E1FD90
IPSEC: Completed host IBSA update, SPI 0x94E1FD90
IPSEC: Creating inbound VPN context, SPI 0x94E1FD90
Flags: 0x00000006
SA : 0x00007fdbd658f100
SPI : 0x94E1FD90
MTU : 0 bytes
VCID : 0x00000000
Peer : 0x00012414
SCB : 0x02E6C2DD
Channel: 0x00007fdbed89e100
IPSEC: Completed inbound VPN context, SPI 0x94E1FD90
VPN handle: 0x000000000001556c
IPSEC: Updating outbound VPN context 0x00012414, SPI 0x60EB9451
Flags: 0x00000005
SA : 0x00007fdbd6590900
SPI : 0x60EB9451
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x0001556C
SCB : 0x02E7EFD9
Channel: 0x00007fdbed89e100
IPSEC: Completed outbound VPN context, SPI 0x60EB9451
VPN handle: 0x0000000000012414
IPSEC: Completed outbound inner rule, SPI 0x60EB9451
Rule ID: 0x00007fdbd658bad0
IPSEC: Completed outbound outer SPD rule, SPI 0x60EB9451
Rule ID: 0x00007fdbd658bbe0
IPSEC: New inbound tunnel flow rule, SPI 0x94E1FD90
Src addr: 10.1.0.0
Src mask: 255.255.0.0
Dst addr: 10.1.4.0
Dst mask: 255.255.255.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x94E1FD90
Rule ID: 0x00007fdbd603e8a0
IPSEC: New inbound decrypt rule, SPI 0x94E1FD90
Src addr: 101.0.0.10
Src mask: 255.255.255.255
Dst addr: 102.0.0.2
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x94E1FD90
Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x94E1FD90
Rule ID: 0x00007fdbd6126620
IPSEC: New inbound permit rule, SPI 0x94E1FD90
Src addr: 101.0.0.10
Src mask: 255.255.255.255
Dst addr: 102.0.0.2
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x94E1FD90
Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x94E1FD90
Rule ID: 0x00007fdbd665b3b0
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK_RECD_LOAD_IPSEC
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_START_ACCT
IKEv2-PROTO-4: (78): DPD timer started for 10 secs
IKEv2-PROTO-7: (78): Accounting not required
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PARENT_NEG_COMPLETE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE
IKEv2-PROTO-7: (78): Closing the PKI session
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-4: (78): Checking for duplicate IKEv2 SA
IKEv2-PROTO-4: (78): No duplicate IKEv2 SA found
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: READY Event: EV_I_OK
IKEv2-PROTO-7: (78): Deleting negotiation context for my message ID: 0x1
IKEv2-PROTO-7: (78): Restarting DPD timer 6 secs
IKEv2-PROTO-7: (78): Timer expired, Sending DPD
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: READY Event: EV_SEND_DPD
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SEND_DPD
IKEv2-PROTO-4: (78): Sending DPD/liveness query
IKEv2-PROTO-4: (78): Building packet for encryption.
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_ENCRYPT_MSG
IKEv2-PROTO-4: (78):
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_TRYSEND
IKEv2-PROTO-4: (78): Checking if request will fit in peer window
(78):
IKEv2-PROTO-4: (78): Sending Packet [To 101.0.0.10:500/From 102.0.0.2:500/VRF i0:f0]
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 2
(78): IKEv2 INFORMATIONAL Exchange REQUEST
IKEv2-PROTO-5: (78): Next payload: ENCR, version: 2.0 (78): Exchange type: INFORMATIONAL, flags: INITIATOR (78): Message id: 2, length: 60(78):
Payload contents:
(78): ENCR(78): Next payload: NONE, reserved: 0x0, length: 32
(78): Encrypted data: 28 bytes
(78):
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_NO_EVENT
(78):
IKEv2-PROTO-4: (78): Received Packet [From 101.0.0.10:500/To 102.0.0.2:500/VRF i0:f0]
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 2
(78): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-5: (78): Next payload: ENCR, version: 2.0 (78): Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE (78): Message id: 2, length: 60(78):
Payload contents:
IKEv2-PROTO-4: decrypt queued(78):
(78): Decrypted packet:(78): Data: 60 bytes
IKEv2-PROTO-4:
(78): REAL Decrypted packet:(78): Data: 0 bytes
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-4: (78): Processing ACK to informational exchange
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000002 CurState: EXIT Event: EV_CHK_PENDING
IKEv2-PROTO-7: (78): Processed response with message id 2, Requests can be sent from range 3 to 7
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000002 CurState: EXIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000002 CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-7: (78): Deleting negotiation context for my message ID: 0x2
IKEv2-PROTO-7: (78): Restarting DPD timer 7 secs
IKEv2-PROTO-7: (78): Timer expired, Sending DPD
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: READY Event: EV_SEND_DPD
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SEND_DPD
IKEv2-PROTO-4: (78): Sending DPD/liveness query
IKEv2-PROTO-4: (78): Building packet for encryption.
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_ENCRYPT_MSG
IKEv2-PROTO-4: (78):
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_TRYSEND
IKEv2-PROTO-4: (78): Checking if request will fit in peer window
(78):
IKEv2-PROTO-4: (78): Sending Packet [To 101.0.0.10:500/From 102.0.0.2:500/VRF i0:f0]
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 3
(78): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-5: (78): Next payload: ENCR, version: 2.0 (78): Exchange type: INFORMATIONAL, flags: INITIATOR (78): Message id: 3, length: 60(78):
Payload contents:
(78): ENCR(78): Next payload: NONE, reserved: 0x0, length: 32
(78): Encrypted data: 28 bytes
(78):
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000003 CurState: INFO_I_BLD_INFO Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000003 CurState: INFO_I_WAIT Event: EV_NO_EVENT
(78):
IKEv2-PROTO-4: (78): Received Packet [From 101.0.0.10:500/To 102.0.0.2:500/VRF i0:f0]
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 3
(78): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-5: (78): Next payload: ENCR, version: 2.0 (78): Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE (78): Message id: 3, length: 60(78):
Payload contents:
IKEv2-PROTO-4: decrypt queued(78):
(78): Decrypted packet:(78): Data: 60 bytes
IKEv2-PROTO-4:
(78): REAL Decrypted packet:(78): Data: 0 bytes
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000003 CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-4: (78): Processing ACK to informational exchange
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000003 CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000003 CurState: EXIT Event: EV_CHK_PENDING
IKEv2-PROTO-7: (78): Processed response with message id 3, Requests can be sent from range 4 to 8
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000003 CurState: EXIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000003 CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-7: (78): Deleting negotiation context for my message ID: 0x3
IKEv2-PROTO-7: (78): Timer expired, Sending DPD
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: READY Event: EV_SEND_DPD
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SEND_DPD
IKEv2-PROTO-4: (78): Sending DPD/liveness query
IKEv2-PROTO-4: (78): Building packet for encryption.
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_ENCRYPT_MSG
IKEv2-PROTO-4: (78):
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (78): Action: Action_Null
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_TRYSEND
IKEv2-PROTO-4: (78): Checking if request will fit in peer window
(78):
IKEv2-PROTO-4: (78): Sending Packet [To 101.0.0.10:500/From 102.0.0.2:500/VRF i0:f0]
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 4
(78): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-5: (78): Next payload: ENCR, version: 2.0 (78): Exchange type: INFORMATIONAL, flags: INITIATOR (78): Message id: 4, length: 60(78):
Payload contents:
(78): ENCR(78): Next payload: NONE, reserved: 0x0, length: 32
(78): Encrypted data: 28 bytes
(78):
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000004 CurState: INFO_I_BLD_INFO Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000004 CurState: INFO_I_WAIT Event: EV_NO_EVENT
(78):
IKEv2-PROTO-4: (78): Received Packet [From 101.0.0.10:500/To 102.0.0.2:500/VRF i0:f0]
(78): Initiator SPI : F9448EB85C6BE34C - Responder SPI : 855C4884DC9006B5 Message id: 4
(78): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-5: (78): Next payload: ENCR, version: 2.0 (78): Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE (78): Message id: 4, length: 60(78):
Payload contents:
IKEv2-PROTO-4: decrypt queued(78):
(78): Decrypted packet:(78): Data: 60 bytes
IKEv2-PROTO-4:
(78): REAL Decrypted packet:(78): Data: 0 bytes
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000004 CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-4: (78): Processing ACK to informational exchange
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000004 CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000004 CurState: EXIT Event: EV_CHK_PENDING
IKEv2-PROTO-7: (78): Processed response with message id 4, Requests can be sent from range 5 to 9
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000004 CurState: EXIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (78): SM Trace-> SA: I_SPI=F9448EB85C6BE34C R_SPI=855C4884DC9006B5 (I) MsgID = 00000004 CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-7: (78): Deleting negotiation context for my message ID: 0x4
R4#telnet 10.1.14.14
Trying 10.1.14.14 ... Open
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************
User Access Verification
Username: Rob
Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************
ASA2# show crypto ikev2 sa
IKEv2 SAs:
Session-id:65, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
165595917 102.0.0.2/500 101.0.0.10/500 READY INITIATOR
Encr: 3DES, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/1381 sec
Child sa: local selector 10.1.4.0/0 - 10.1.4.255/65535
remote selector 10.1.0.0/0 - 10.1.255.255/65535
ESP spi in/out: 0x94e1fd90/0x60eb9451
ASA2# show crypto ipsec sa peer 101.0.0.10
peer address: 101.0.0.10
Crypto map tag: CMAP, seq num: 10, local addr: 102.0.0.2
access-list IKEV2_R4_TO_HQ_VPN extended permit ip 10.1.4.0 255.255.255.0 10.1.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.1.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
current_peer: 101.0.0.10
#pkts encaps: 95, #pkts encrypt: 95, #pkts digest: 95
#pkts decaps: 99, #pkts decrypt: 99, #pkts verify: 99
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 95, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 102.0.0.2/500, remote crypto endpt.: 101.0.0.10/500
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 60EB9451
current inbound spi : 94E1FD90
inbound esp sas:
spi: 0x94E1FD90 (2497838480)
SA State: active
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 65, crypto-map: CMAP
sa timing: remaining key lifetime (kB/sec): (4193273/27400)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x60EB9451 (1626051665)
SA State: active
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 65, crypto-map: CMAP
sa timing: remaining key lifetime (kB/sec): (4331515/27400)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
CSR1#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 101.0.0.10/500 102.0.0.2/500 none/none READY
Encr: 3DES, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/1454 sec
IPv6 Crypto IKEv2 SA
CSR1#show crypto ipsec sa peer 102.0.0.2
interface: GigabitEthernet1
Crypto map tag: IKEV2, local addr 101.0.0.10
protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.4.0/255.255.255.0/0/0)
current_peer 102.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 102, #pkts encrypt: 102, #pkts digest: 102
#pkts decaps: 98, #pkts decrypt: 98, #pkts verify: 98
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 101.0.0.10, remote crypto endpt.: 102.0.0.2
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0x94E1FD90(2497838480)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x60EB9451(1626051665)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2443, flow_id: CSR:443, sibling_flags FFFFFFFF80000048, crypto map: IKEV2
sa timing: remaining key lifetime (k/sec): (4607992/2130)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x94E1FD90(2497838480)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2444, flow_id: CSR:444, sibling_flags FFFFFFFF80000048, crypto map: IKEV2
sa timing: remaining key lifetime (k/sec): (4607992/2130)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
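The two `show crypto ipsec sa` outputs above can be cross-checked mechanically: each peer's inbound ESP SPI must equal the other peer's outbound SPI, and the negotiated transforms can be audited at the same time. The Python below is an added example, not part of the original lab. The function names, the abridged excerpts and the `LEGACY` set are assumptions of the example.

```python
import re

# Excerpts of the outputs above, abridged to the lines this check reads.
ASA2 = """\
inbound esp sas:
spi: 0x94E1FD90 (2497838480)
transform: esp-3des esp-md5-hmac no compression
outbound esp sas:
spi: 0x60EB9451 (1626051665)
transform: esp-3des esp-md5-hmac no compression
"""
CSR1 = """\
inbound esp sas:
spi: 0x60EB9451(1626051665)
transform: esp-3des esp-md5-hmac ,
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x94E1FD90(2497838480)
transform: esp-3des esp-md5-hmac ,
outbound ah sas:
"""

# Assumption of this example: transforms treated as legacy and worth flagging.
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac"}

def parse_esp_sas(text):
    """Return {'inbound': {...}, 'outbound': {...}} with SPI and transforms per direction."""
    sas, direction = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            # Only ESP sections are tracked; an AH or PCP header closes the ESP section.
            direction = m.group(1) if m.group(2) == "esp" else None
            if direction:
                sas[direction] = {"spi": None, "transforms": []}
        elif direction and (m := re.match(r"spi: 0x([0-9A-Fa-f]+)", line)):
            sas[direction]["spi"] = int(m.group(1), 16)
        elif direction and line.startswith("transform:"):
            sas[direction]["transforms"] = re.findall(r"esp-[\w-]+", line)
    return sas

def audit(a_text, b_text):
    """Return (SPIs mirrored between the peers?, sorted legacy transforms in use)."""
    a, b = parse_esp_sas(a_text), parse_esp_sas(b_text)
    mirrored = (a["inbound"]["spi"] == b["outbound"]["spi"]
                and a["outbound"]["spi"] == b["inbound"]["spi"])
    used = {t for peer in (a, b) for sa in peer.values() for t in sa["transforms"]}
    return mirrored, sorted(used & LEGACY)

if __name__ == "__main__":
    print(audit(ASA2, CSR1))
```

A mirrored result confirms both devices are describing the same pair of ESP SAs; the second value lists the transforms that would need replacing before this configuration is used outside a lab.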