Crypto map deployments typically require both sides of the connection to agree on all of the parameters that form the VPN, including who the peer is. That isn't always possible. A customer I dealt with a long time ago provided VPN services to customers/partners, and the VPNs were supposed to be created dynamically. Static crypto maps wouldn't work there, since the "set peer" and "match address" statements can't be defined when we don't know who the remote end is going to be. This is where the dynamic crypto map comes in; it is the same mechanism that allows things like EzVPN solutions to work for L2L and RA VPN implementations.
The dynamic crypto map is created on R3 with no Phase 2 attributes at all (no transform set and no match address). Phase 1 is still defined statically with ISAKMP policy 10 on both routers, and the debug below shows the peer's proposal being checked against priority 10, not against one of the default suites, because none of the defaults use SHA256. The default suites listed here stay enabled alongside any configured policy, at lower priority, until they are removed with no crypto isakmp default policy, so they are worth knowing about: they are what R3 would fall back to for a peer that proposes something policy 10 does not cover.
R3#show crypto isakmp default policy
Default IKE policy
Default protection suite of priority 65507
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65508
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65509
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65510
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65511
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65512
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65513
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65514
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
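To make the risk in those fallback suites concrete, here is an added example (my script, not part of the original post and not Cisco tooling) that parses the text of show crypto isakmp default policy and flags every default suite that a modern baseline would reject. The baseline it applies (AES only, no MD5, DH group 14 or higher) is the script's own assumption, and the sample embedded in it is a constructed excerpt of the output above, not a new capture.

```python
"""Audit the IKEv1 fallback suites an IOS responder keeps enabled by default.

Added example, not part of the original post. It parses the text of
`show crypto isakmp default policy` and reports each default suite that fails
a baseline chosen for this script: AES encryption, no MD5, DH group 14 or
higher. SAMPLE is a constructed excerpt of the output shown above; the
baseline thresholds are this script's assumption, not an IOS setting.
"""
import re

SAMPLE = """\
Default IKE policy
Default protection suite of priority 65508
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65510
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65512
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65514
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
"""

SUITE_RE = re.compile(r"Default protection suite of priority (\d+)")
MIN_DH_GROUP = 14  # assumption: 2048-bit MODP as the floor


def parse_default_policies(text):
    """Map each suite priority to its attribute dict, keyed by the show-output labels."""
    suites = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SUITE_RE.match(line)
        if m:
            current = int(m.group(1))
            suites[current] = {}
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            suites[current][key.strip()] = value.strip()
    return suites


def dh_group(value):
    """'#5 (1536 bit)' -> 5; 0 if the group cannot be read."""
    m = re.search(r"#(\d+)", value)
    return int(m.group(1)) if m else 0


def audit_suite(attrs):
    """Reasons this suite fails the baseline; an empty list means it passes."""
    reasons = []
    enc = attrs.get("encryption algorithm", "")
    if "AES" not in enc:
        reasons.append(f"encryption: {enc}")
    if "Message Digest 5" in attrs.get("hash algorithm", ""):
        reasons.append("hash: MD5")
    group = dh_group(attrs.get("Diffie-Hellman group", ""))
    if group < MIN_DH_GROUP:
        reasons.append(f"DH group {group} < {MIN_DH_GROUP}")
    return reasons


def weak_suites(text):
    """Priority -> reasons, for every default suite that fails the baseline."""
    result = {}
    for priority, attrs in parse_default_policies(text).items():
        reasons = audit_suite(attrs)
        if reasons:
            result[priority] = reasons
    return result


if __name__ == "__main__":
    for priority, reasons in sorted(weak_suites(SAMPLE).items()):
        print(f"default suite {priority}: {'; '.join(reasons)}")
```

Run against the full output above, every one of the eight defaults fails on the DH group alone (groups 5 and 2), and the four 3DES/MD5 suites fail on three counts. Because the defaults remain active at lower priority than policy 10, a peer holding the pre-shared key that proposes 3DES/MD5/group 2 would still get a Phase 1 SA from R3; no crypto isakmp default policy removes that fallback.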
There is also a default IPsec transform set. Since the dynamic map entry on R3 doesn't reference a transform set of its own, this default is what R3 will use for Phase 2.
R3#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
This gives us an ESP SA using AES-128 for encryption and HMAC-SHA-1 for integrity. The "will negotiate = { Transport, }" line means the default transform set prefers transport mode, but that mode only applies to traffic whose source and destination are the IPsec peer addresses themselves. The traffic we protect below is loopback to loopback, so the SA is built in tunnel mode, which the debug confirms with "encaps is 1 (Tunnel)" and the show output with "in use settings ={Tunnel, }".
The dynamic map is created like a crypto map entry with no attributes applied, and the static crypto map then references it. Two things to keep in mind with this setup: a dynamic map entry can only respond, so R3 never initiates this tunnel and CSR8 has to bring it up; and because no match address is configured on the dynamic map, R3 accepts whatever proxy identities the authenticated peer proposes (here 88.88.88.88/32 to 33.33.33.33/32). Note also that the pre-shared key on R3 is still bound to the peer address 108.0.0.8, so "unknown peer" here only means the crypto map has no set peer; a genuinely unknown peer would need a wildcard pre-shared key or certificate authentication, and then the proxy identities the dynamic map accepts matter even more.
R3
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 5
!
crypto isakmp key cisco address 108.0.0.8
!
crypto dynamic-map R3_TO_CSR8 10
!
crypto map CMAP 10 ipsec-isakmp dynamic R3_TO_CSR8
!
interface g0/0
crypto map CMAP
CSR8
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 5
!
crypto isakmp key cisco address 103.0.0.3
!
ip access-list extended ACL_CSR8_TO_R3
permit ip host 88.88.88.88 host 33.33.33.33
!
crypto map CMAP 10 ipsec-isakmp
set peer 103.0.0.3
match address ACL_CSR8_TO_R3
CSR8#ping 33.33.33.33 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:
Packet sent with a source address of 88.88.88.88
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/16/19 ms
ISAKMP-PAK: (0):received packet from 108.0.0.8 dport 500 sport 500 Global (N) NEW SA
ISAKMP: (0):Created a peer struct for 108.0.0.8, peer port 500
ISAKMP: (0):New peer created peer = 0xEF4A258 peer_handle = 0x80000005
ISAKMP: (0):Locking peer struct 0xEF4A258, refcount 1 for crypto_isakmp_process_block
ISAKMP: (0):local port 500, remote port 500
ISAKMP: (0):insert sa successfully sa = EF2A050
ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1
ISAKMP: (0):processing SA payload. message ID = 0
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP: (0):vendor ID is NAT-T RFC 3947
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP: (0):vendor ID is NAT-T v7
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP: (0):vendor ID is NAT-T v3
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP: (0):vendor ID is NAT-T v2
ISAKMP: (0):found peer pre-shared key matching 108.0.0.8
ISAKMP: (0):local preshared key found
ISAKMP: (0):Scanning profiles for xauth ...
ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: (0): encryption AES-CBC
ISAKMP: (0): keylength of 128
ISAKMP: (0): hash SHA256
ISAKMP: (0): default group 5
ISAKMP: (0): auth pre-share
ISAKMP: (0): life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: (0):atts are acceptable. Next payload is 0
ISAKMP: (0):Acceptable atts:actual life: 86400
ISAKMP: (0):Acceptable atts:life: 0
ISAKMP: (0):Fill atts in sa vpi_length:4
ISAKMP: (0):Fill atts in sa life_in_seconds:86400
ISAKMP: (0):Returning Actual lifetime: 86400
ISAKMP: (0):Started lifetime timer: 86400.
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP: (0):vendor ID is NAT-T RFC 3947
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP: (0):vendor ID is NAT-T v7
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP: (0):vendor ID is NAT-T v3
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP: (0):vendor ID is NAT-T v2
ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1
ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
ISAKMP-PAK: (0):sending packet to 108.0.0.8 my_port 500 peer_port 500 (R) MM_SA_SETUP
ISAKMP: (0):Sending an IKE IPv4 Packet.
ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2
ISAKMP-PAK: (0):received packet from 108.0.0.8 dport 500 sport 500 Global (R) MM_SA_SETUP
ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3
ISAKMP: (0):processing KE payload. message ID = 0
ISAKMP: (0):processing NONCE payload. message ID = 0
ISAKMP: (0):found peer pre-shared key matching 108.0.0.8
ISAKMP: (1004):processing vendor id payload
ISAKMP: (1004):vendor ID is DPD
ISAKMP: (1004):processing vendor id payload
ISAKMP: (1004):speaking to another IOS box!
ISAKMP: (1004):processing vendor id payload
ISAKMP: (1004):vendor ID seems Unity/DPD but major 50 mismatch
ISAKMP: (1004):vendor ID is XAUTH
ISAKMP: (1004):received payload type 20
ISAKMP: (1004):His hash no match - this node outside NAT
ISAKMP: (1004):received payload type 20
ISAKMP: (1004):No NAT Found for self or peer
ISAKMP: (1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (1004):Old State = IKE_R_MM3 New State = IKE_R_MM3
ISAKMP-PAK: (1004):sending packet to 108.0.0.8 my_port 500 peer_port 500 (R) MM_KEY_EXCH
ISAKMP: (1004):Sending an IKE IPv4 Packet.
ISAKMP: (1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (1004):Old State = IKE_R_MM3 New State = IKE_R_MM4
ISAKMP-PAK: (1004):received packet from 108.0.0.8 dport 500 sport 500 Global (R) MM_KEY_EXCH
ISAKMP: (1004):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (1004):Old State = IKE_R_MM4 New State = IKE_R_MM5
ISAKMP: (1004):processing ID payload. message ID = 0
ISAKMP: (1004):ID payload
next-payload : 8
type : 1
ISAKMP: (1004): address : 108.0.0.8
ISAKMP: (1004): protocol : 17
port : 500
length : 12
ISAKMP: (0):peer matches *none* of the profiles
ISAKMP: (1004):processing HASH payload. message ID = 0
ISAKMP: (1004):processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 0xEF2A050
ISAKMP: (1004):SA authentication status:
authenticated
ISAKMP: (1004):SA has been authenticated with 108.0.0.8
ISAKMP: (1004):SA authentication status:
authenticated
ISAKMP: (1004):Process initial contact,
bring down existing phase 1 and 2 SA's with local 103.0.0.3 remote 108.0.0.8 remote port 500
ISAKMP: (0):Trying to insert a peer 103.0.0.3/108.0.0.8/500/,
ISAKMP: (0): and inserted successfully EF4A258.
ISAKMP: (1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (1004):Old State = IKE_R_MM5 New State = IKE_R_MM5
IPSEC(key_engine): got a queue event with 1 KMI message(s)
ISAKMP: (1004):SA is doing
ISAKMP: (1004):pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP: (1004):ID payload
next-payload : 8
type : 1
ISAKMP: (1004): address : 103.0.0.3
ISAKMP: (1004): protocol : 17
port : 500
length : 12
ISAKMP: (1004):Total payload length: 12
ISAKMP-PAK: (1004):sending packet to 108.0.0.8 my_port 500 peer_port 500 (R) MM_KEY_EXCH
ISAKMP: (1004):Sending an IKE IPv4 Packet.
ISAKMP: (1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (1004):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
ISAKMP: (1004):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP: (1004):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP-PAK: (1004):received packet from 108.0.0.8 dport 500 sport 500 Global (R) QM_IDLE
ISAKMP: (1004):set new node -1211157027 to QM_IDLE
ISAKMP: (1004):processing HASH payload. message ID = 3083810269
ISAKMP: (1004):processing SA payload. message ID = 3083810269
ISAKMP: (1004):Checking IPSec proposal 1
ISAKMP: (1004):transform 1, ESP_AES
ISAKMP: (1004): attributes in transform:
ISAKMP: (1004): encaps is 1 (Tunnel)
ISAKMP: (1004): SA life type in seconds
ISAKMP: (1004): SA life duration (basic) of 3600
ISAKMP: (1004): SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: (1004): authenticator is HMAC-SHA
ISAKMP: (1004): key length is 128
ISAKMP: (1004):atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 103.0.0.3:0, remote= 108.0.0.8:0,
local_proxy= 33.33.33.33/255.255.255.255/256/0,
remote_proxy= 88.88.88.88/255.255.255.255/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
(ipsec_process_proposal)Map Accepted: R3_TO_CSR8, 10
ISAKMP: (1004):processing NONCE payload. message ID = 3083810269
ISAKMP: (1004):processing ID payload. message ID = 3083810269
ISAKMP: (1004):processing ID payload. message ID = 3083810269
ISAKMP: (1004):QM Responder gets spi
ISAKMP: (1004):Node 3083810269, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP: (1004):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
ISAKMP: (1004):Node 3083810269, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
ISAKMP: (1004):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT
IPSEC(key_engine): got a queue event with 1 KMI message(s)
IPSEC(crypto_ipsec_create_ipsec_sas): Map found R3_TO_CSR8, 10
IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 100B8D9C
IPSEC(create_sa): sa created,
(sa) sa_dest= 103.0.0.3, sa_proto= 50,
sa_spi= 0x731D173(120705395),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 11
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 103.0.0.3:0, remote= 108.0.0.8:0,
local_proxy= 33.33.33.33/255.255.255.255/256/0,
remote_proxy= 88.88.88.88/255.255.255.255/256/0
IPSEC(create_sa): sa created,
(sa) sa_dest= 108.0.0.8, sa_proto= 50,
sa_spi= 0x218B976B(562796395),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 12
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 103.0.0.3:0, remote= 108.0.0.8:0,
local_proxy= 33.33.33.33/255.255.255.255/256/0,
remote_proxy= 88.88.88.88/255.255.255.255/256/0
ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
ISAKMP: (1004):Received IPSec Install callback... proceeding with the negotiation
ISAKMP: (1004):Successfully installed IPSEC SA (SPI:0x731D173) on GigabitEthernet0/0
ISAKMP-PAK: (1004):sending packet to 108.0.0.8 my_port 500 peer_port 500 (R) QM_IDLE
ISAKMP: (1004):Sending an IKE IPv4 Packet.
ISAKMP: (1004):Node 3083810269, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
ISAKMP: (1004):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
ISAKMP-PAK: (1004):received packet from 108.0.0.8 dport 500 sport 500 Global (R) QM_IDLE
ISAKMP: (1004):deleting node -1211157027 error FALSE reason "QM done (await)"
ISAKMP: (1004):Node 3083810269, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP: (1004):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
IPSEC(key_engine): got a queue event with 1 KMI message(s)
IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
IPSEC: Expand action denied, notify RP
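That trace is long, and most of it is vendor ID and NAT-T noise. The following added script (mine, not from the original post) pulls out the parts that matter when triaging a responder-side debug crypto isakmp: the ordered IKE state transitions, the local policy the peer's transform was accepted against (priority 10 here, i.e. the configured policy rather than a default suite), and the VPI-encoded lifetimes, which IOS prints as big-endian bytes (0x0 0x1 0x51 0x80 is 86400 seconds; 0x0 0x46 0x50 0x0 is 4608000 kilobytes). The sample embedded in the script is a constructed excerpt of the R3 debug above.

```python
"""Triage an IOS `debug crypto isakmp` responder trace.

Added example, not from the original post. SAMPLE is a constructed excerpt of
the R3 debug shown above (state transitions, the accepted Phase 1 transform and
the two VPI-encoded lifetimes). The helpers decode the variable-length lifetime
bytes, recover the ordered list of IKE states the SA passed through, and pull
out which local policy the peer's proposal was accepted against.
"""
import re

SAMPLE = """\
ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1
ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: (0): encryption AES-CBC
ISAKMP: (0): keylength of 128
ISAKMP: (0): hash SHA256
ISAKMP: (0): default group 5
ISAKMP: (0): auth pre-share
ISAKMP: (0): life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: (0):atts are acceptable. Next payload is 0
ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1
ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2
ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3
ISAKMP: (1004):Old State = IKE_R_MM3 New State = IKE_R_MM3
ISAKMP: (1004):Old State = IKE_R_MM3 New State = IKE_R_MM4
ISAKMP: (1004):Old State = IKE_R_MM4 New State = IKE_R_MM5
ISAKMP: (1004):Old State = IKE_R_MM5 New State = IKE_R_MM5
ISAKMP: (1004):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
ISAKMP: (1004):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP: (1004): SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: (1004): authenticator is HMAC-SHA
ISAKMP: (1004):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
ISAKMP: (1004):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT
ISAKMP: (1004):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
ISAKMP: (1004):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
VPI_RE = re.compile(r"life duration \(VPI\) of ((?:0x[0-9a-fA-F]+\s*)+)")
POLICY_RE = re.compile(r"against priority (\d+) policy")
# Attribute lines carry a space after the "(n):" prefix; \b stops "auth" matching "authenticator".
ATTR_RE = re.compile(r"^ISAKMP: \(\d+\): (encryption|keylength of|hash|default group|auth)\b ?(.*)$")
KEYS = {"encryption": "encryption", "keylength of": "keylength", "hash": "hash",
        "default group": "dh_group", "auth": "auth"}


def decode_vpi(byte_text):
    """'0x0 0x1 0x51 0x80' -> 86400: the bytes are a big-endian variable-length integer."""
    value = 0
    for tok in byte_text.split():
        value = (value << 8) | int(tok, 16)
    return value


def lifetimes(text):
    """Every VPI-encoded lifetime in the trace, in order of appearance."""
    return [decode_vpi(m) for m in VPI_RE.findall(text)]


def state_path(text):
    """Ordered distinct states; IOS re-enters the same state while it processes payloads,
    and quick mode starts a new node at IKE_QM_READY, so the old state is kept when it differs."""
    path = []
    for old, new in STATE_RE.findall(text):
        if not path or path[-1] != old:
            path.append(old)
        if path[-1] != new:
            path.append(new)
    return path


def phase1_attrs(text):
    """The ISAKMP transform the responder accepted, plus the local policy it matched."""
    attrs = {}
    for line in text.splitlines():
        p = POLICY_RE.search(line)
        if p:
            attrs["policy"] = int(p.group(1))
        m = ATTR_RE.match(line)
        if m:
            attrs[KEYS[m.group(1)]] = m.group(2).strip()
    return attrs


if __name__ == "__main__":
    print(" -> ".join(state_path(SAMPLE)))
    print(phase1_attrs(SAMPLE))
    print("lifetimes:", lifetimes(SAMPLE))
```

The state path is the quickest way to see where a failing tunnel stalls: a responder that never leaves IKE_R_MM5 has a Phase 1 authentication problem, while one that reaches IKE_P1_COMPLETE but never IKE_QM_PHASE2_COMPLETE is rejecting the proxy identities or the transform.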
R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
103.0.0.3 108.0.0.8 QM_IDLE 1004 ACTIVE
R3#show crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: CMAP, local addr 103.0.0.3
protected vrf: (none)
local ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (88.88.88.88/255.255.255.255/0/0)
current_peer 108.0.0.8 port 500
PERMIT, flags={}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 103.0.0.3, remote crypto endpt.: 108.0.0.8
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x218B976B(562796395)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x731D173(120705395)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 11, flow_id: SW:11, sibling_flags 80000040, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4344262/2842)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x218B976B(562796395)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 12, flow_id: SW:12, sibling_flags 80000040, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4344262/2842)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas: