Crypto map based IPsec VPNs have been around for a very long time and are, based on experience, probably the most widely deployed VPN solution. The crypto map acts as a binding agent: it ties the interesting traffic (the proxy ACL) to the IPsec transform set (the data-plane encryption and integrity algorithms) and defines the peer or peers to negotiate with. The R3 and CSR8 configurations below are followed by a ping from CSR8 that triggers the negotiation, the ISAKMP and IPsec debug output captured on R3, and the show commands that verify the resulting session.
R3
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 108.0.0.8
!
crypto ipsec transform-set TSET esp-aes esp-sha256-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 108.0.0.8
 set transform-set TSET
 match address ACL_R3_TO_CSR8
!
ip access-list extended ACL_R3_TO_CSR8
 permit ip host 33.33.33.33 host 88.88.88.88
!
interface GigabitEthernet0/0
 crypto map CMAP
!
ip route 0.0.0.0 0.0.0.0 103.0.0.1
!
CSR8
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 103.0.0.3
!
crypto ipsec transform-set TSET esp-aes esp-sha256-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 103.0.0.3
 set transform-set TSET
 match address ACL_CSR8_TO_R3
!
ip access-list extended ACL_CSR8_TO_R3
 permit ip host 88.88.88.88 host 33.33.33.33
!
interface GigabitEthernet1
 crypto map CMAP
!
ip route 0.0.0.0 0.0.0.0 108.0.0.1
!
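Before bringing the tunnel up it is worth checking that the two crypto-map configurations actually agree with each other: the ISAKMP policy attributes, the pre-shared key and the address it is bound to, the transform set, and above all the proxy ACLs, which must be exact mirror images or the responder's proxy match fails in quick mode. The following Python is an added example, not part of the original post or of any Cisco tool; it embeds the R3 and CSR8 snippets above as constructed strings, takes the crypto endpoint addresses 103.0.0.3 and 108.0.0.8 from the show output, and flags two strength points (DH group 5 and the short pre-shared key) as warnings rather than negotiation errors.

```python
"""Added example (not from the original post): a consistency check for the pair of
IOS crypto-map peers shown above. The R3 and CSR8 snippets are embedded here as
constructed strings; the check verifies what must agree for phase 1 and phase 2."""
import re

R3_CFG = """\
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 5
crypto isakmp key cisco address 108.0.0.8
crypto ipsec transform-set TSET esp-aes esp-sha256-hmac
 mode tunnel
crypto map CMAP 10 ipsec-isakmp
 set peer 108.0.0.8
 set transform-set TSET
 match address ACL_R3_TO_CSR8
ip access-list extended ACL_R3_TO_CSR8
 permit ip host 33.33.33.33 host 88.88.88.88"""
# CSR8's snippet in the post is the exact mirror image of R3's, so derive it here.
CSR8_CFG = (R3_CFG.replace("108.0.0.8", "103.0.0.3").replace("ACL_R3_TO_CSR8", "ACL_CSR8_TO_R3")
            .replace("host 33.33.33.33 host 88.88.88.88", "host 88.88.88.88 host 33.33.33.33"))


def parse_peer(cfg):
    """Pull the crypto-map relevant pieces out of one IOS config snippet."""
    p = {"policy": {}, "acl": []}
    section = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # unindented line: a top-level command opens a section
            section = None
            if line.startswith("crypto isakmp policy"):
                section = "policy"
            elif line.startswith("crypto isakmp key"):
                tok = line.split()  # crypto isakmp key <psk> address <peer>
                p["psk"], p["psk_peer"] = tok[3], tok[5]
            elif line.startswith("crypto ipsec transform-set"):
                p["transform"], section = line.split()[4:], "tset"  # drop the set name
            elif line.startswith("crypto map"):
                section = "map"
            elif line.startswith("ip access-list extended"):
                section = "acl"
            continue
        if section == "policy":  # e.g. "encr aes" -> policy["encr"] == "aes"
            key, _, val = line.partition(" ")
            p["policy"][key] = val
        elif section == "tset" and line.startswith("mode "):
            p["mode"] = line.split()[1]
        elif section == "map" and line.startswith("set peer "):
            p["peer"] = line.split()[2]
        elif section == "acl":
            m = re.match(r"permit (\S+) host (\S+) host (\S+)", line)
            if m:
                p["acl"].append(m.groups())  # (protocol, source, destination)
    return p


def check_pair(a, b, a_addr, b_addr):
    """Return (errors, warnings): errors block negotiation, warnings are strength lints."""
    errors, warnings = [], []
    if a["policy"] != b["policy"]:
        errors.append("ISAKMP policy attributes differ (phase 1 would fail)")
    if a["transform"] != b["transform"] or a.get("mode") != b.get("mode"):
        errors.append("transform-set or mode differs (phase 2 would fail)")
    if a["psk"] != b["psk"]:
        errors.append("pre-shared keys differ")
    if (a["peer"], a["psk_peer"], b["peer"], b["psk_peer"]) != (b_addr, b_addr, a_addr, a_addr):
        errors.append("set peer / isakmp key address do not point at the other crypto endpoint")
    # The responder matches the initiator's proxy IDs against its own ACL with src/dst swapped.
    if sorted(a["acl"]) != sorted((proto, dst, src) for proto, src, dst in b["acl"]):
        errors.append("proxy ACLs are not mirror images (proxy_match would fail)")
    group = a["policy"].get("group", "1")
    if int(group) < 14:
        warnings.append("DH group %s is below the commonly recommended group 14" % group)
    if len(a["psk"]) < 16:
        warnings.append("pre-shared key is shorter than 16 characters")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_pair(parse_peer(R3_CFG), parse_peer(CSR8_CFG), "103.0.0.3", "108.0.0.8")
    print("errors:", errs, "\nwarnings:", warns)
```

For the configurations on this page the check reports no errors and two warnings; changing one host address in either proxy ACL turns the mirror-image check into an error, which is exactly the condition that would surface later as a failed proxy match in the quick mode debug.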
CSR8#ping 33.33.33.33 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:
Packet sent with a source address of 88.88.88.88
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 13/15/17 ms
CSR9#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
204.0.0.24 29.0.0.9 QM_IDLE 1001 ACTIVE
ISAKMP-PAK: (0):received packet from 108.0.0.8 dport 500 sport 500 Global (N) NEW SA
ISAKMP: (0):Created a peer struct for 108.0.0.8, peer port 500
ISAKMP: (0):New peer created peer = 0x1049CB88 peer_handle = 0x80000003
ISAKMP: (0):Locking peer struct 0x1049CB88, refcount 1 for crypto_isakmp_process_block
ISAKMP: (0):local port 500, remote port 500
ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = CD120A8
ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1
ISAKMP: (0):processing SA payload. message ID = 0
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP: (0):vendor ID is NAT-T RFC 3947
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP: (0):vendor ID is NAT-T v7
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP: (0):vendor ID is NAT-T v3
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP: (0):vendor ID is NAT-T v2
ISAKMP: (0):found peer pre-shared key matching 108.0.0.8
ISAKMP: (0):local preshared key found
ISAKMP: (0):Scanning profiles for xauth ...
ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: (0): encryption AES-CBC
ISAKMP: (0): keylength of 128
ISAKMP: (0): hash SHA256
ISAKMP: (0): default group 5
ISAKMP: (0): auth pre-share
ISAKMP: (0): life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: (0):atts are acceptable. Next payload is 0
ISAKMP: (0):Acceptable atts:actual life: 86400
ISAKMP: (0):Acceptable atts:life: 0
ISAKMP: (0):Fill atts in sa vpi_length:4
ISAKMP: (0):Fill atts in sa life_in_seconds:86400
ISAKMP: (0):Returning Actual lifetime: 86400
ISAKMP: (0):Started lifetime timer: 86400.
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP: (0):vendor ID is NAT-T RFC 3947
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP: (0):vendor ID is NAT-T v7
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP: (0):vendor ID is NAT-T v3
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP: (0):vendor ID is NAT-T v2
ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1
ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
ISAKMP-PAK: (0):sending packet to 108.0.0.8 my_port 500 peer_port 500 (R) MM_SA_SETUP
ISAKMP: (0):Sending an IKE IPv4 Packet.
ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2
ISAKMP-PAK: (0):received packet from 108.0.0.8 dport 500 sport 500 Global (R) MM_SA_SETUP
ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3
ISAKMP: (0):processing KE payload. message ID = 0
ISAKMP: (0):processing NONCE payload. message ID = 0
ISAKMP: (0):found peer pre-shared key matching 108.0.0.8
ISAKMP: (1002):processing vendor id payload
ISAKMP: (1002):vendor ID is DPD
ISAKMP: (1002):processing vendor id payload
ISAKMP: (1002):speaking to another IOS box!
ISAKMP: (1002):processing vendor id payload
ISAKMP: (1002):vendor ID seems Unity/DPD but major 11 mismatch
ISAKMP: (1002):vendor ID is XAUTH
ISAKMP: (1002):received payload type 20
ISAKMP: (1002):His hash no match - this node outside NAT
ISAKMP: (1002):received payload type 20
ISAKMP: (1002):No NAT Found for self or peer
ISAKMP: (1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (1002):Old State = IKE_R_MM3 New State = IKE_R_MM3
ISAKMP-PAK: (1002):sending packet to 108.0.0.8 my_port 500 peer_port 500 (R) MM_KEY_EXCH
ISAKMP: (1002):Sending an IKE IPv4 Packet.
ISAKMP: (1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (1002):Old State = IKE_R_MM3 New State = IKE_R_MM4
ISAKMP-PAK: (1002):received packet from 108.0.0.8 dport 500 sport 500 Global (R) MM_KEY_EXCH
ISAKMP: (1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (1002):Old State = IKE_R_MM4 New State = IKE_R_MM5
ISAKMP: (1002):processing ID payload. message ID = 0
ISAKMP: (1002):ID payload
next-payload : 8
type : 1
ISAKMP: (1002): address : 108.0.0.8
ISAKMP: (1002): protocol : 17
port : 500
length : 12
ISAKMP: (0):peer matches *none* of the profiles
ISAKMP: (1002):processing HASH payload. message ID = 0
ISAKMP: (1002):processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 0xCD120A8
ISAKMP: (1002):SA authentication status:
authenticated
ISAKMP: (1002):SA has been authenticated with 108.0.0.8
ISAKMP: (1002):SA authentication status:
authenticated
ISAKMP: (1002):Process initial contact,
bring down existing phase 1 and 2 SA's with local 103.0.0.3 remote 108.0.0.8 remote port 500
ISAKMP: (0):Trying to insert a peer 103.0.0.3/108.0.0.8/500/,
ISAKMP: (0): and inserted successfully 1049CB88.
ISAKMP: (1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (1002):Old State = IKE_R_MM5 New State = IKE_R_MM5
IPSEC(key_engine): got a queue event with 1 KMI message(s)
ISAKMP: (1002):SA is doing
ISAKMP: (1002):pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP: (1002):ID payload
next-payload : 8
type : 1
ISAKMP: (1002): address : 103.0.0.3
ISAKMP: (1002): protocol : 17
port : 500
length : 12
ISAKMP: (1002):Total payload length: 12
ISAKMP-PAK: (1002):sending packet to 108.0.0.8 my_port 500 peer_port 500 (R) MM_KEY_EXCH
ISAKMP: (1002):Sending an IKE IPv4 Packet.
ISAKMP: (1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (1002):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
ISAKMP: (1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP: (1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP-PAK: (1002):received packet from 108.0.0.8 dport 500 sport 500 Global (R) QM_IDLE
ISAKMP: (1002):set new node -900798332 to QM_IDLE
ISAKMP: (1002):processing HASH payload. message ID = 3394168964
ISAKMP: (1002):processing SA payload. message ID = 3394168964
ISAKMP: (1002):Checking IPSec proposal 1
ISAKMP: (1002):transform 1, ESP_AES
ISAKMP: (1002): attributes in transform:
ISAKMP: (1002): encaps is 1 (Tunnel)
ISAKMP: (1002): SA life type in seconds
ISAKMP: (1002): SA life duration (basic) of 3600
ISAKMP: (1002): SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: (1002): authenticator is HMAC-SHA256
ISAKMP: (1002): key length is 128
ISAKMP: (1002):atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 103.0.0.3:0, remote= 108.0.0.8:0,
local_proxy= 33.33.33.33/255.255.255.255/256/0,
remote_proxy= 88.88.88.88/255.255.255.255/256/0,
protocol= ESP, transform= esp-aes esp-sha256-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Crypto mapdb : proxy_match
src addr : 33.33.33.33
dst addr : 88.88.88.88
protocol : 0
src port : 0
dst port : 0
(ipsec_process_proposal)Map Accepted: CMAP, 10
ISAKMP: (1002):processing NONCE payload. message ID = 3394168964
ISAKMP: (1002):processing ID payload. message ID = 3394168964
ISAKMP: (1002):processing ID payload. message ID = 3394168964
ISAKMP: (1002):QM Responder gets spi
ISAKMP: (1002):Node 3394168964, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP: (1002):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
ISAKMP: (1002):Node 3394168964, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
ISAKMP: (1002):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT
IPSEC(key_engine): got a queue event with 1 KMI message(s)
Crypto mapdb : proxy_match
src addr : 33.33.33.33
dst addr : 88.88.88.88
protocol : 256
src port : 0
dst port : 0
IPSEC(crypto_ipsec_create_ipsec_sas): Map found CMAP, 10
IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 108.0.0.8
IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 100B8D9C
IPSEC(create_sa): sa created,
(sa) sa_dest= 103.0.0.3, sa_proto= 50,
sa_spi= 0x2B8340A(45626378),
sa_trans= esp-aes esp-sha256-hmac , sa_conn_id= 5
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 103.0.0.3:0, remote= 108.0.0.8:0,
local_proxy= 33.33.33.33/255.255.255.255/256/0,
remote_proxy= 88.88.88.88/255.255.255.255/256/0
IPSEC(create_sa): sa created,
(sa) sa_dest= 108.0.0.8, sa_proto= 50,
sa_spi= 0xE856F387(3898012551),
sa_trans= esp-aes esp-sha256-hmac , sa_conn_id= 6
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 103.0.0.3:0, remote= 108.0.0.8:0,
local_proxy= 33.33.33.33/255.255.255.255/256/0,
remote_proxy= 88.88.88.88/255.255.255.255/256/0
ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
ISAKMP: (1002):Received IPSec Install callback... proceeding with the negotiation
ISAKMP: (1002):Successfully installed IPSEC SA (SPI:0x2B8340A) on GigabitEthernet0/0
ISAKMP-PAK: (1002):sending packet to 108.0.0.8 my_port 500 peer_port 500 (R) QM_IDLE
ISAKMP: (1002):Sending an IKE IPv4 Packet.
ISAKMP: (1002):Node 3394168964, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
ISAKMP: (1002):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
ISAKMP-PAK: (1002):received packet from 108.0.0.8 dport 500 sport 500 Global (R) QM_IDLE
ISAKMP: (1002):deleting node -900798332 error FALSE reason "QM done (await)"
ISAKMP: (1002):Node 3394168964, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP: (1002):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
IPSEC(key_engine): got a queue event with 1 KMI message(s)
IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
IPSEC: Expand action denied, notify RP
R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
103.0.0.3 108.0.0.8 QM_IDLE 1002 ACTIVE
R3#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect
Interface: GigabitEthernet0/0
Uptime: 00:01:31
Session status: UP-ACTIVE
Peer: 108.0.0.8 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 108.0.0.8
Desc: (none)
Session ID: 0
IKEv1 SA: local 103.0.0.3/500 remote 108.0.0.8/500 Active
Capabilities:(none) connid:1002 lifetime:23:58:27
IPSEC FLOW: permit ip host 33.33.33.33 host 88.88.88.88
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 4 drop 0 life (KB/Sec) 4330938/3508
Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) 4330938/3508
R3#show crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: CMAP, local addr 103.0.0.3
protected vrf: (none)
local ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (88.88.88.88/255.255.255.255/0/0)
current_peer 108.0.0.8 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 103.0.0.3, remote crypto endpt.: 108.0.0.8
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xE856F387(3898012551)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x2B8340A(45626378)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: SW:5, sibling_flags 80000040, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4330938/3447)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xE856F387(3898012551)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: SW:6, sibling_flags 80000040, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4330938/3447)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas: