Cisco
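IPsec (Aggressive Mode) Debug Logs
Network diagram
This page records the debug logs produced when the IPsec connection is established with the IPsec (Aggressive Mode) configuration.
RT-1 debug log (initiator)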
RT-1#terminal monitor
RT-1#
RT-1#debug crypto isakmp
Crypto ISAKMP debugging is on
RT-1#
RT-1#debug crypto ipsec
Crypto IPSEC debugging is on
RT-1#
000055: Nov 14 23:23:15.513: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 11.11.11.11:500, remote= 22.22.22.22:500, local_proxy= 10.1.1.0/255.255.255.0/256/0, remote_proxy= 10.2.1.0/255.255.255.0/256/0, protocol= ESP, transform= esp-aes esp-sha256-hmac (Tunnel), lifedur= 1200s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
000056: Nov 14 23:23:15.513: ISAKMP:(0): SA request profile is (NULL)
000057: Nov 14 23:23:15.513: ISAKMP: Created a peer struct for 22.22.22.22, peer port 500
000058: Nov 14 23:23:15.513: ISAKMP: New peer created peer = 0xF9D6254 peer_handle = 0x80000011
000059: Nov 14 23:23:15.513: ISAKMP: Locking peer struct 0xF9D6254, refcount 1 for isakmp_initiator
000060: Nov 14 23:23:15.513: ISAKMP: local port 500, remote port 500
000061: Nov 14 23:23:15.513: ISAKMP: set new node 0 to QM_IDLE
000062: Nov 14 23:23:15.513: ISAKMP:(0):insert sa successfully sa = 34A3C24
000063: Nov 14 23:23:15.513: ISAKMP:(0):SA has tunnel attributes set.
000064: Nov 14 23:23:15.513: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
000065: Nov 14 23:23:15.513: ISAKMP:(0): constructed NAT-T vendor-07 ID
000066: Nov 14 23:23:15.513: ISAKMP:(0): constructed NAT-T vendor-03 ID
000067: Nov 14 23:23:15.513: ISAKMP:(0): constructed NAT-T vendor-02 ID
000068: Nov 14 23:23:15.513: ISAKMP:(0):SA is doing pre-shared key authentication using id type ID_FQDN
000069: Nov 14 23:23:15.513: ISAKMP (0): ID payload next-payload : 13 type : 2 FQDN name : Hoge protocol : 17 port : 0 length : 12
000070: Nov 14 23:23:15.513: ISAKMP:(0):Total payload length: 12
000071: Nov 14 23:23:15.513: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
000072: Nov 14 23:23:15.513: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_AM1
000073: Nov 14 23:23:15.513: ISAKMP:(0): beginning Aggressive Mode exchange
000074: Nov 14 23:23:15.513: ISAKMP:(0): sending packet to 22.22.22.22 my_port 500 peer_port 500 (I) AG_INIT_EXCH
000075: Nov 14 23:23:15.513: ISAKMP:(0):Sending an IKE IPv4 Packet.
000076: Nov 14 23:23:15.521: ISAKMP (0): received packet from 22.22.22.22 dport 500 sport 500 Global (I) AG_INIT_EXCH
000077: Nov 14 23:23:15.521: ISAKMP:(0): processing SA payload. message ID = 0
000078: Nov 14 23:23:15.521: ISAKMP:(0): processing ID payload. message ID = 0
000079: Nov 14 23:23:15.521: ISAKMP (0): ID payload next-payload : 10 type : 1 address : 22.22.22.22 protocol : 0 port : 0 length : 12
000080: Nov 14 23:23:15.521: ISAKMP:(0):: peer matches *none* of the profiles
000081: Nov 14 23:23:15.521: ISAKMP:(0): processing vendor id payload
000082: Nov 14 23:23:15.521: ISAKMP:(0): vendor ID is Unity
000083: Nov 14 23:23:15.521: ISAKMP:(0): processing vendor id payload
000084: Nov 14 23:23:15.521: ISAKMP:(0): vendor ID is DPD
000085: Nov 14 23:23:15.521: ISAKMP:(0): processing vendor id payload
000086: Nov 14 23:23:15.521: ISAKMP:(0): speaking to another IOS box!
000087: Nov 14 23:23:15.521: ISAKMP:(0):SA using tunnel password as pre-shared key.
000088: Nov 14 23:23:15.521: ISAKMP:(0): local preshared key found
000089: Nov 14 23:23:15.521: ISAKMP : Scanning profiles for xauth ...
000090: Nov 14 23:23:15.521: ISAKMP:(0):Checking ISAKMP transform 1 against priority 110 policy
000091: Nov 14 23:23:15.521: ISAKMP: encryption AES-CBC
000092: Nov 14 23:23:15.521: ISAKMP: keylength of 128
000093: Nov 14 23:23:15.521: ISAKMP: hash SHA256
000094: Nov 14 23:23:15.521: ISAKMP: default group 2
000095: Nov 14 23:23:15.521: ISAKMP: auth pre-share
000096: Nov 14 23:23:15.521: ISAKMP: life type in seconds
000097: Nov 14 23:23:15.521: ISAKMP: life duration (basic) of 1800
000098: Nov 14 23:23:15.521: ISAKMP:(0):atts are acceptable. Next payload is 0
000099: Nov 14 23:23:15.521: ISAKMP:(0):Acceptable atts:actual life: 1800
000100: Nov 14 23:23:15.521: ISAKMP:(0):Acceptable atts:life: 0
000101: Nov 14 23:23:15.521: ISAKMP:(0):Basic life_in_seconds:1800
000102: Nov 14 23:23:15.521: ISAKMP:(0):Returning Actual lifetime: 1800
000103: Nov 14 23:23:15.521: ISAKMP:(0)::Started lifetime timer: 1800.
000104: Nov 14 23:23:15.521: ISAKMP (0): vendor ID is NAT-T RFC 3947
000105: Nov 14 23:23:15.521: ISAKMP:(0): processing KE payload. message ID = 0
000106: Nov 14 23:23:15.525: ISAKMP:(0): processing NONCE payload. message ID = 0
000107: Nov 14 23:23:15.525: ISAKMP:(0):SA using tunnel password as pre-shared key.
000108: Nov 14 23:23:15.525: ISAKMP:(2008): processing HASH payload. message ID = 0
000109: Nov 14 23:23:15.525: ISAKMP:received payload type 20
000110: Nov 14 23:23:15.525: ISAKMP (2008): His hash no match - this node outside NAT
000111: Nov 14 23:23:15.525: ISAKMP:received payload type 20
000112: Nov 14 23:23:15.525: ISAKMP (2008): No NAT Found for self or peer
000113: Nov 14 23:23:15.525: ISAKMP:(2008):SA authentication status: authenticated
000114: Nov 14 23:23:15.525: ISAKMP:(2008):SA has been authenticated with 22.22.22.22
000115: Nov 14 23:23:15.525: ISAKMP: Trying to insert a peer 11.11.11.11/22.22.22.22/500/, and inserted successfully F9D6254.
000116: Nov 14 23:23:15.525: ISAKMP:(2008):Send initial contact
000117: Nov 14 23:23:15.525: ISAKMP:(2008): sending packet to 22.22.22.22 my_port 500 peer_port 500 (I) AG_INIT_EXCH
000118: Nov 14 23:23:15.525: ISAKMP:(2008):Sending an IKE IPv4 Packet.
000119: Nov 14 23:23:15.525: ISAKMP:(2008):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
000120: Nov 14 23:23:15.525: ISAKMP:(2008):Old State = IKE_I_AM1 New State = IKE_P1_COMPLETE
000121: Nov 14 23:23:15.525: ISAKMP:(2008):IKE_DPD is enabled, initializing timers
000122: Nov 14 23:23:15.525: ISAKMP:(2008):beginning Quick Mode exchange, M-ID of 472674436
000123: Nov 14 23:23:15.525: ISAKMP:(2008):QM Initiator gets spi
000124: Nov 14 23:23:15.525: ISAKMP:(2008): sending packet to 22.22.22.22 my_port 500 peer_port 500 (I) QM_IDLE
000125: Nov 14 23:23:15.525: ISAKMP:(2008):Sending an IKE IPv4 Packet.
000126: Nov 14 23:23:15.525: ISAKMP:(2008):Node 472674436, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
000127: Nov 14 23:23:15.525: ISAKMP:(2008):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
000128: Nov 14 23:23:15.525: ISAKMP:(2008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
000129: Nov 14 23:23:15.525: ISAKMP:(2008):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
000130: Nov 14 23:23:15.545: ISAKMP (2008): received packet from 22.22.22.22 dport 500 sport 500 Global (I) QM_IDLE
000131: Nov 14 23:23:15.545: ISAKMP:(2008): processing HASH payload. message ID = 472674436
000132: Nov 14 23:23:15.545: ISAKMP:(2008): processing SA payload. message ID = 472674436
000133: Nov 14 23:23:15.545: ISAKMP:(2008):Checking IPSec proposal 1
000134: Nov 14 23:23:15.545: ISAKMP: transform 1, ESP_AES
000135: Nov 14 23:23:15.545: ISAKMP: attributes in transform:
000136: Nov 14 23:23:15.545: ISAKMP: encaps is 1 (Tunnel)
000137: Nov 14 23:23:15.545: ISAKMP: SA life type in seconds
000138: Nov 14 23:23:15.545: ISAKMP: SA life duration (basic) of 1200
000139: Nov 14 23:23:15.545: ISAKMP: SA life type in kilobytes
000140: Nov 14 23:23:15.545: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
000141: Nov 14 23:23:15.545: ISAKMP: authenticator is HMAC-SHA256
000142: Nov 14 23:23:15.545: ISAKMP: key length is 128
000143: Nov 14 23:23:15.545: ISAKMP: group is 14
000144: Nov 14 23:23:15.545: ISAKMP:(2008):atts are acceptable.
000145: Nov 14 23:23:15.545: IPSEC(validate_proposal_request): proposal part #1
000146: Nov 14 23:23:15.545: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 11.11.11.11:0, remote= 22.22.22.22:0, local_proxy= 10.1.1.0/255.255.255.0/256/0, remote_proxy= 10.2.1.0/255.255.255.0/256/0, protocol= ESP, transform= NONE (Tunnel), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
000147: Nov 14 23:23:15.545: Crypto mapdb : proxy_match src addr : 10.1.1.0 dst addr : 10.2.1.0 protocol : 0 src port : 0 dst port : 0
000148: Nov 14 23:23:15.545: (ipsec_process_proposal)Map Accepted: MAP-name, 160
000149: Nov 14 23:23:15.545: ISAKMP:(2008): processing NONCE payload. message ID = 472674436
000150: Nov 14 23:23:15.545: ISAKMP:(2008): processing KE payload. message ID = 472674436
000151: Nov 14 23:23:15.557: ISAKMP:(2008): processing ID payload. message ID = 472674436
000152: Nov 14 23:23:15.557: ISAKMP:(2008): processing ID payload. message ID = 472674436
000153: Nov 14 23:23:15.557: ISAKMP:(2008):Node 472674436, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
000154: Nov 14 23:23:15.557: ISAKMP:(2008):Old State = IKE_QM_I_QM1 New State = IKE_QM_IPSEC_INSTALL_AWAIT
000155: Nov 14 23:23:15.557: IPSEC(key_engine): got a queue event with 1 KMI message(s)
000156: Nov 14 23:23:15.557: Crypto mapdb : proxy_match src addr : 10.1.1.0 dst addr : 10.2.1.0 protocol : 256 src port : 0 dst port : 0
000157: Nov 14 23:23:15.557: IPSEC(crypto_ipsec_create_ipsec_sas): Map found MAP-name, 160
000158: Nov 14 23:23:15.557: IPSEC(create_sa): sa created, (sa) sa_dest= 11.11.11.11, sa_proto= 50, sa_spi= 0x84355376(2218087286), sa_trans= esp-aes esp-sha256-hmac , sa_conn_id= 9 sa_lifetime(k/sec)= (4608000/1200), (identity) local= 11.11.11.11:0, remote= 22.22.22.22:0, local_proxy= 10.1.1.0/255.255.255.0/256/0, remote_proxy= 10.2.1.0/255.255.255.0/256/0
000159: Nov 14 23:23:15.561: IPSEC(create_sa): sa created, (sa) sa_dest= 22.22.22.22, sa_proto= 50, sa_spi= 0x9077C846(2423769158), sa_trans= esp-aes esp-sha256-hmac , sa_conn_id= 10 sa_lifetime(k/sec)= (4608000/1200), (identity) local= 11.11.11.11:0, remote= 22.22.22.22:0, local_proxy= 10.1.1.0/255.255.255.0/256/0, remote_proxy= 10.2.1.0/255.255.255.0/256/0
000160: Nov 14 23:23:15.561: IPSEC: Expand action denied, notify RP
000161: Nov 14 23:23:15.561: ISAKMP: Failed to find peer index node to update peer_info_list
000162: Nov 14 23:23:15.561: ISAKMP:(2008):Received IPSec Install callback... proceeding with the negotiation
RT-1#
000163: Nov 14 23:23:15.561: ISAKMP:(2008):Successfully installed IPSEC SA (SPI:0x84355376) on Dialer1
000164: Nov 14 23:23:15.561: ISAKMP:(2008): sending packet to 22.22.22.22 my_port 500 peer_port 500 (I) QM_IDLE
000165: Nov 14 23:23:15.561: ISAKMP:(2008):Sending an IKE IPv4 Packet.
000166: Nov 14 23:23:15.561: ISAKMP:(2008):deleting node 472674436 error FALSE reason "No Error"
000167: Nov 14 23:23:15.561: ISAKMP:(2008):Node 472674436, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
000168: Nov 14 23:23:15.561: ISAKMP:(2008):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_PHASE2_COMPLETE
RT-1#
RT-1#no debug all
All possible debugging has been turned off
RT-1#
RT-2 debug log (responder)
RT-2#debug crypto isakmp
Crypto ISAKMP debugging is on
RT-2#
RT-2#debug crypto ipsec
Crypto IPSEC debugging is on
RT-2#
000049: Nov 14 23:23:15.521: ISAKMP (0): received packet from 11.11.11.11 dport 500 sport 500 Global (N) NEW SA
000050: Nov 14 23:23:15.521: ISAKMP: Created a peer struct for 11.11.11.11, peer port 500
000051: Nov 14 23:23:15.521: ISAKMP: New peer created peer = 0xE1228B4 peer_handle = 0x80000007
000052: Nov 14 23:23:15.521: ISAKMP: Locking peer struct 0xE1228B4, refcount 1 for crypto_isakmp_process_block
000053: Nov 14 23:23:15.521: ISAKMP: local port 500, remote port 500
000054: Nov 14 23:23:15.521: ISAKMP:(0):insert sa successfully sa = E143D94
000055: Nov 14 23:23:15.521: ISAKMP:(0): processing SA payload. message ID = 0
000056: Nov 14 23:23:15.521: ISAKMP:(0): processing ID payload. message ID = 0
000057: Nov 14 23:23:15.521: ISAKMP (0): ID payload next-payload : 13 type : 2 FQDN name : Hoge protocol : 17 port : 0 length : 12
000058: Nov 14 23:23:15.521: ISAKMP:(0):: peer matches *none* of the profiles
000059: Nov 14 23:23:15.521: ISAKMP:(0): processing vendor id payload
000060: Nov 14 23:23:15.521: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
000061: Nov 14 23:23:15.521: ISAKMP (0): vendor ID is NAT-T RFC 3947
000062: Nov 14 23:23:15.521: ISAKMP:(0): processing vendor id payload
000063: Nov 14 23:23:15.521: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
000064: Nov 14 23:23:15.521: ISAKMP (0): vendor ID is NAT-T v7
000065: Nov 14 23:23:15.521: ISAKMP:(0): processing vendor id payload
000066: Nov 14 23:23:15.521: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
000067: Nov 14 23:23:15.521: ISAKMP:(0): vendor ID is NAT-T v3
000068: Nov 14 23:23:15.521: ISAKMP:(0): processing vendor id payload
000069: Nov 14 23:23:15.521: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
000070: Nov 14 23:23:15.521: ISAKMP:(0): vendor ID is NAT-T v2
000071: Nov 14 23:23:15.521: ISAKMP:(0):Looking for a matching key for Hoge in default
000072: Nov 14 23:23:15.521: ISAKMP:(0): local preshared key found
000073: Nov 14 23:23:15.521: ISAKMP : Scanning profiles for xauth ...
000074: Nov 14 23:23:15.521: ISAKMP:(0):Checking ISAKMP transform 1 against priority 110 policy
000075: Nov 14 23:23:15.521: ISAKMP: encryption AES-CBC
000076: Nov 14 23:23:15.521: ISAKMP: keylength of 128
000077: Nov 14 23:23:15.521: ISAKMP: hash SHA256
000078: Nov 14 23:23:15.521: ISAKMP: default group 2
000079: Nov 14 23:23:15.521: ISAKMP: auth pre-share
000080: Nov 14 23:23:15.521: ISAKMP: life type in seconds
000081: Nov 14 23:23:15.521: ISAKMP: life duration (basic) of 1800
000082: Nov 14 23:23:15.521: ISAKMP:(0):atts are acceptable. Next payload is 0
000083: Nov 14 23:23:15.521: ISAKMP:(0):Acceptable atts:actual life: 1800
000084: Nov 14 23:23:15.521: ISAKMP:(0):Acceptable atts:life: 0
000085: Nov 14 23:23:15.521: ISAKMP:(0):Basic life_in_seconds:1800
000086: Nov 14 23:23:15.521: ISAKMP:(0):Returning Actual lifetime: 1800
000087: Nov 14 23:23:15.521: ISAKMP:(0)::Started lifetime timer: 1800.
000088: Nov 14 23:23:15.521: ISAKMP:(0): processing vendor id payload
000089: Nov 14 23:23:15.521: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
000090: Nov 14 23:23:15.521: ISAKMP (0): vendor ID is NAT-T RFC 3947
000091: Nov 14 23:23:15.521: ISAKMP:(0): processing vendor id payload
000092: Nov 14 23:23:15.521: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
000093: Nov 14 23:23:15.521: ISAKMP (0): vendor ID is NAT-T v7
000094: Nov 14 23:23:15.521: ISAKMP:(0): processing vendor id payload
000095: Nov 14 23:23:15.521: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
000096: Nov 14 23:23:15.521: ISAKMP:(0): vendor ID is NAT-T v3
000097: Nov 14 23:23:15.521: ISAKMP:(0): processing vendor id payload
000098: Nov 14 23:23:15.525: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
000099: Nov 14 23:23:15.525: ISAKMP:(0): vendor ID is NAT-T v2
000100: Nov 14 23:23:15.525: ISAKMP:(0): processing KE payload. message ID = 0
000101: Nov 14 23:23:15.525: ISAKMP:(0): processing NONCE payload. message ID = 0
000102: Nov 14 23:23:15.525: ISAKMP:(0):Looking for a matching key for Hoge in default
000103: Nov 14 23:23:15.525: ISAKMP:(2005): processing vendor id payload
000104: Nov 14 23:23:15.525: ISAKMP:(2005): vendor ID is DPD
000105: Nov 14 23:23:15.525: ISAKMP:(2005): processing vendor id payload
000106: Nov 14 23:23:15.525: ISAKMP:(2005): vendor ID seems Unity/DPD but major 168 mismatch
000107: Nov 14 23:23:15.525: ISAKMP:(2005): vendor ID is XAUTH
000108: Nov 14 23:23:15.525: ISAKMP:(2005): processing vendor id payload
000109: Nov 14 23:23:15.525: ISAKMP:(2005): claimed IOS but failed authentication
000110: Nov 14 23:23:15.525: ISAKMP:(2005): constructed NAT-T vendor-rfc3947 ID
000111: Nov 14 23:23:15.525: ISAKMP:(2005):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
000112: Nov 14 23:23:15.525: ISAKMP (2005): ID payload next-payload : 10 type : 1 address : 22.22.22.22 protocol : 0 port : 0 length : 12
000113: Nov 14 23:23:15.525: ISAKMP:(2005):Total payload length: 12
000114: Nov 14 23:23:15.525: ISAKMP:(2005): sending packet to 11.11.11.11 my_port 500 peer_port 500 (R) AG_INIT_EXCH
000115: Nov 14 23:23:15.525: ISAKMP:(2005):Sending an IKE IPv4 Packet.
000116: Nov 14 23:23:15.525: ISAKMP:(2005):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
000117: Nov 14 23:23:15.525: ISAKMP:(2005):Old State = IKE_READY New State = IKE_R_AM2
000118: Nov 14 23:23:15.533: ISAKMP (2005): received packet from 11.11.11.11 dport 500 sport 500 Global (R) AG_INIT_EXCH
000119: Nov 14 23:23:15.533: ISAKMP:(2005): processing HASH payload. message ID = 0
000120: Nov 14 23:23:15.533: ISAKMP:received payload type 20
000121: Nov 14 23:23:15.533: ISAKMP (2005): His hash no match - this node outside NAT
000122: Nov 14 23:23:15.533: ISAKMP:received payload type 20
000123: Nov 14 23:23:15.533: ISAKMP (2005): No NAT Found for self or peer
000124: Nov 14 23:23:15.533: ISAKMP:(2005): processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 0, sa = 0xE143D94
000125: Nov 14 23:23:15.533: ISAKMP:(2005):SA authentication status: authenticated
000126: Nov 14 23:23:15.533: ISAKMP:(2005):SA has been authenticated with 11.11.11.11
000127: Nov 14 23:23:15.533: ISAKMP:(2005):SA authentication status: authenticated
000128: Nov 14 23:23:15.533: ISAKMP:(2005): Process initial contact, bring down existing phase 1 and 2 SA's with local 22.22.22.22 remote 11.11.11.11 remote port 500
000129: Nov 14 23:23:15.533: ISAKMP: Trying to insert a peer 22.22.22.22/11.11.11.11/500/, and inserted successfully E1228B4.
000130: Nov 14 23:23:15.533: ISAKMP:(2005):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
000131: Nov 14 23:23:15.533: ISAKMP:(2005):Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE
000132: Nov 14 23:23:15.533: IPSEC(key_engine): got a queue event with 1 KMI message(s)
000133: Nov 14 23:23:15.533: ISAKMP:(2005):IKE_DPD is enabled, initializing timers
000134: Nov 14 23:23:15.533: ISAKMP:(2005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
000135: Nov 14 23:23:15.533: ISAKMP:(2005):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
000136: Nov 14 23:23:15.533: ISAKMP (2005): received packet from 11.11.11.11 dport 500 sport 500 Global (R) QM_IDLE
000137: Nov 14 23:23:15.533: ISAKMP: set new node 472674436 to QM_IDLE
000138: Nov 14 23:23:15.533: ISAKMP:(2005): processing HASH payload. message ID = 472674436
000139: Nov 14 23:23:15.533: ISAKMP:(2005): processing SA payload. message ID = 472674436
000140: Nov 14 23:23:15.533: ISAKMP:(2005):Checking IPSec proposal 1
000141: Nov 14 23:23:15.533: ISAKMP: transform 1, ESP_AES
000142: Nov 14 23:23:15.533: ISAKMP: attributes in transform:
000143: Nov 14 23:23:15.533: ISAKMP: encaps is 1 (Tunnel)
000144: Nov 14 23:23:15.533: ISAKMP: SA life type in seconds
000145: Nov 14 23:23:15.533: ISAKMP: SA life duration (basic) of 1200
000146: Nov 14 23:23:15.533: ISAKMP: SA life type in kilobytes
000147: Nov 14 23:23:15.533: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
000148: Nov 14 23:23:15.533: ISAKMP: authenticator is HMAC-SHA256
000149: Nov 14 23:23:15.533: ISAKMP: key length is 128
000150: Nov 14 23:23:15.533: ISAKMP: group is 14
000151: Nov 14 23:23:15.533: ISAKMP:(2005):atts are acceptable.
000152: Nov 14 23:23:15.533: IPSEC(validate_proposal_request): proposal part #1
000153: Nov 14 23:23:15.533: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 22.22.22.22:0, remote= 11.11.11.11:0, local_proxy= 10.2.1.0/255.255.255.0/256/0, remote_proxy= 10.1.1.0/255.255.255.0/256/0, protocol= ESP, transform= NONE (Tunnel), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
000154: Nov 14 23:23:15.537: Crypto mapdb : proxy_match src addr : 10.2.1.0 dst addr : 10.1.1.0 protocol : 0 src port : 0 dst port : 0
000155: Nov 14 23:23:15.537: (ipsec_process_proposal)Map Accepted: DMAP-name, 210
000156: Nov 14 23:23:15.537: ISAKMP:(2005): processing NONCE payload. message ID = 472674436
000157: Nov 14 23:23:15.537: ISAKMP:(2005): processing KE payload. message ID = 472674436
000158: Nov 14 23:23:15.549: ISAKMP:(2005): processing ID payload. message ID = 472674436
000159: Nov 14 23:23:15.549: ISAKMP:(2005): processing ID payload. message ID = 472674436
000160: Nov 14 23:23:15.549: ISAKMP:(2005):QM Responder gets spi
000161: Nov 14 23:23:15.549: ISAKMP:(2005):Node 472674436, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
000162: Nov 14 23:23:15.549: ISAKMP:(2005):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
000163: Nov 14 23:23:15.549: ISAKMP:(2005):Node 472674436, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
000164: Nov 14 23:23:15.549: ISAKMP:(2005):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT
000165: Nov 14 23:23:15.549: IPSEC(key_engine): got a queue event with 1 KMI message(s)
000166: Nov 14 23:23:15.549: Crypto mapdb : proxy_match src addr : 10.2.1.0 dst addr : 10.1.1.0 protocol : 256 src port : 0 dst port : 0
000167: Nov 14 23:23:15.549: IPSEC(crypto_ipsec_create_ipsec_sas): Map found DMAP-name, 210
000168: Nov 14 23:23:15.549: IPSEC(create_sa): sa created, (sa) sa_dest= 22.22.22.22, sa_proto= 50, sa_spi= 0x9077C846(2423769158), sa_trans= esp-aes esp-sha256-hmac , sa_conn_id= 9 sa_lifetime(k/sec)= (4608000/1200), (identity) local= 22.22.22.22:0, remote= 11.11.11.11:0, local_proxy= 10.2.1.0/255.255.255.0/256/0, remote_proxy= 10.1.1.0/255.255.255.0/256/0
000169: Nov 14 23:23:15.549: IPSEC(create_sa): sa created, (sa) sa_dest= 11.11.11.11, sa_proto= 50, sa_spi= 0x84355376(2218087286), sa_trans= esp-aes esp-sha256-hmac , sa_conn_id= 10 sa_lifetime(k/sec)= (4608000/1200), (identity) local= 22.22.22.22:0, remote= 11.11.11.11:0, local_proxy= 10.2.1.0/255.255.255.0/256/0, remote_proxy= 10.1.1.0/255.255.255.0/256/0
000170: Nov 14 23:23:15.549: ISAKMP: Failed to find peer index node to update peer_info_list
000171: Nov 14 23:23:15.549: ISAKMP:(2005):Received IPSec Install callback... proceeding with the negotiation
000172: Nov 14 23:23:15.549: ISAKMP:(2005):Successfully installed IPSEC SA (SPI:0x9077C846) on Dialer1
000173: Nov 14 23:23:15.549: ISAKMP:(2005): sending packet to 11.11.11.11 my_port 500 peer_port 500 (R) QM_IDLE
000174: Nov 14 23:23:15.549: ISAKMP:(2005):Sending an IKE IPv4 Packet.
000175: Nov 14 23:23:15.549: ISAKMP:(2005):Node 472674436, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
000176: Nov 14 23:23:15.549: ISAKMP:(2005):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
000177: Nov 14 23:23:15.569: ISAKMP (2005): received packet from 11.11.11.11 dport 500 sport 500 Global (R) QM_IDLE
000178: Nov 14 23:23:15.569: ISAKMP:(2005):deleting node 472674436 error FALSE reason "QM done (await)"
000179: Nov 14 23:23:15.569: ISAKMP:(2005):Node 472674436, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
000180: Nov 14 23:23:15.569: ISAKMP:(2005):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
000181: Nov 14 23:23:15.569: IPSEC(key_engine): got a queue event with 1 KMI message(s)
000182: Nov 14 23:23:15.569: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
000183: Nov 14 23:23:15.569: IPSEC: Expand action denied, notify RP
RT-2#
RT-2#no debug all
All possible debugging has been turned off
RT-2#
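
Added example, not part of the original page: a Python script that splits a capture like the two above into entries (including when the line breaks have been lost), lists the IKE state transitions, and pulls out the negotiated Phase 1 and Phase 2 attributes for comparison against a VPN policy. The function names, the SAMPLE string (constructed from RT-1 entries on this page) and the set of DH groups it flags are assumptions of this example.

```python
import re

# Header of one IOS debug entry, e.g. "000072: Nov 14 23:23:15.513: "
ENTRY = re.compile(r"(\d{6}): (\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): ")
STATE = re.compile(r"Old State = (\S+) New State = (\S+)")
# Attribute entries logged while the Phase 1 transform / Phase 2 proposal is checked.
ATTRS = {
    "encryption": r"ISAKMP: encryption (\S+)",
    "hash": r"ISAKMP: hash (\S+)",
    "p1_dh_group": r"ISAKMP: default group (\d+)",
    "auth": r"ISAKMP: auth (\S+)",
    "p2_pfs_group": r"ISAKMP: group is (\d+)",
}
SMALL_DH_GROUPS = {"1", "2", "5"}  # assumption: this example's policy, not from the page

# Constructed sample: entries copied from the RT-1 capture on this page, flattened
# onto one line the way a capture looks after its line breaks are lost.
SAMPLE = (
    "RT-1# 000072: Nov 14 23:23:15.513: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_AM1 "
    "000091: Nov 14 23:23:15.521: ISAKMP: encryption AES-CBC "
    "000093: Nov 14 23:23:15.521: ISAKMP: hash SHA256 "
    "000094: Nov 14 23:23:15.521: ISAKMP: default group 2 "
    "000095: Nov 14 23:23:15.521: ISAKMP: auth pre-share "
    "000119: Nov 14 23:23:15.525: ISAKMP:(2008):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH "
    "000120: Nov 14 23:23:15.525: ISAKMP:(2008):Old State = IKE_I_AM1 New State = IKE_P1_COMPLETE "
    "000143: Nov 14 23:23:15.545: ISAKMP: group is 14 "
    "000168: Nov 14 23:23:15.561: ISAKMP:(2008):Old State = IKE_QM_IPSEC_INSTALL_AWAIT "
    "New State = IKE_QM_PHASE2_COMPLETE RT-1#"
)


def split_entries(text):
    """Split a capture (flattened or one entry per line) into (seq, time, message)."""
    parts = ENTRY.split(text)  # [preamble, seq, time, msg, seq, time, msg, ...]
    return [(parts[i], parts[i + 1], " ".join(parts[i + 2].split()))
            for i in range(1, len(parts), 3)]


def state_transitions(entries):
    """Return (seq, old_state, new_state) for every state-machine entry."""
    return [(seq, *m.groups()) for seq, _, msg in entries if (m := STATE.search(msg))]


def negotiated(entries):
    """Collect the negotiated attributes and whether Aggressive Mode was used."""
    found = {"aggressive_mode": any("IKE_AM_EXCH" in msg for _, _, msg in entries)}
    for _, _, msg in entries:
        for name, pattern in ATTRS.items():
            if (m := re.match(pattern, msg)) and name not in found:
                found[name] = m.group(1)
    return found


def review(found):
    """List the settings a reviewer would compare against the site's VPN policy."""
    notes = []
    p1, p2 = found.get("p1_dh_group"), found.get("p2_pfs_group")
    if found["aggressive_mode"] and found.get("auth") == "pre-share":
        notes.append("IKEv1 Aggressive Mode with pre-shared key authentication")
    if p1 in SMALL_DH_GROUPS:
        notes.append(f"Phase 1 DH group {p1}")
    if p1 and p2 and p1 != p2:
        notes.append(f"Phase 1 DH group {p1} differs from Phase 2 PFS group {p2}")
    return notes


if __name__ == "__main__":
    entries = split_entries(SAMPLE)
    print(state_transitions(entries), negotiated(entries), review(negotiated(entries)), sep="\n")
```

Whitespace inside each message is collapsed before matching, so the same patterns work on the original column-aligned IOS output and on a flattened paste.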