IPSec/GRE & NAT/PAT

Hi Guys,

I'm attempting to configure an IPSec over GRE VPN connection, and it's failing!

(RouterA[82.82.82.2]) ---{{}}---([84.84.84.70]CustFirewall-NAT/PAT [10.5.4.1]) >NAT/PAT> ([10.5.4.70]RouterB)

Below you will find the Debug followed by the configurations for the routers (chopped down)

Router B Debug

*Apr 21 10:02:11.617: ISAKMP:(0:0:N/A:0):Authentication method offered does not match policy!
*Apr 21 10:02:11.617: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
*Apr 21 10:02:11.617: ISAKMP:(0:0:N/A:0):no offers accepted!
*Apr 21 10:02:11.617: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (local 10.5.4.70 remote 82.82.82.2)
*Apr 21 10:02:11.617: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 82.82.82.2)
*Apr 21 10:02:11.617: ISAKMP (0:0): FSM action returned error: 2
*Apr 21 10:02:11.617: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 82.82.82.2)

Router A

*Jun 3 22:53:30.237: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 84.84.84.70

RouterB Configuration

--------------------------------

--------------------------------
crypto isakmp key thekeythekey address 82.82.82.2
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set md5-3des-set esp-3des esp-md5-hmac
!
crypto map IPSecMap 10 ipsec-isakmp
 set peer 82.82.82.2
 set transform-set md5-3des-set
 match address CustTunnel
!
!
!
interface Tunnel0
 description Tunnel to A End
 ip address 10.8.0.22 255.255.255.252
 traffic-shape group 110 10000 1024 1024 1000
 tunnel source FastEthernet0/1
 tunnel destination 82.82.82.2
!
interface FastEthernet0/1
 description RouterB (Cust DMZ)
 ip address 10.5.4.70 255.255.252.0
 duplex auto
 speed auto
 crypto map IPSecMap
!
ip route 82.82.82.2 255.255.255.255 10.5.4.1
!
!
ip access-list extended CustTunnel
 permit gre host 10.5.4.70 host 82.82.82.2
 permit gre host 82.82.82.2 host 10.5.4.70
!

RouterA

--------------------------------

--------------------------------
crypto isakmp key thekeythekey address 84.84.84.70
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac

crypto map PeerMap 10 ipsec-isakmp
 set peer 84.84.84.70
 set transform-set 3des-md5
 match address CustTunnel
!
interface Tunnel1
 description Vale Of Glamorgan GRE
 ip address 10.8.0.21 255.255.255.252
 traffic-shape group 110 10000 1024 1024 1000
 tunnel source FastEthernet0/0
 tunnel destination 84.84.84.70
!
interface FastEthernet0/0
 description Internet
 ip address 82.82.82.2 255.255.255.224
 duplex auto
 speed auto
 crypto map PeerMap
!
ip access-list extended CustTunnel
 permit gre host 82.82.82.2 host 84.84.84.70
 permit gre host 84.84.84.70 host 82.82.82.2

If you need any more information to help, please respond and I will obtain it.

Regards

Reply to
Tomehb

Thing is that your GRE traffic will NOT get natted. Obviously:) (I mean obviously, once worked out) Since it is inside the crypto tunnel (sorry, but that is NOT the GRE tunnel).

So the GRE tunnel dest is 10.5.4.70 and not 84.84.84.70.

I am sure you can work out the rest. Just to clarify my own mind I worked it out anyway.

Quite a confusing one.

The Crypto ACLs on the two ends must *always* match. Not necessarily exactly but the SA that is being created must be allowed by both sides.

*Apr 21 10:02:11.617: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (local 10.5.4.70 remote 82.82.82.2)

Is telling you that the ACLs do not match. The other end crypto ACL does not match "this".

As long as NAT Traversal is enabled for IPsec you should be good to go. I forget if it is on by default. Quite likely.

Remember the firewall will need to pass the crypto traffic. I think NAT-T uses port UDP 4500 for ESP - as well as UDP 500 for IKE. Without NAT-T ESP is IP protocol 50.

#######################################

Router B

crypto isakmp key thekeythekey address 82.82.82.2
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set md5-3des-set esp-3des esp-md5-hmac
!
crypto map IPSecMap 10 ipsec-isakmp
 set peer 82.82.82.2
 set transform-set md5-3des-set
 match address CustTunnel
!
!
!
interface Tunnel0
 description Tunnel to A End
 ip address 10.8.0.22 255.255.255.252
 traffic-shape group 110 10000 1024 1024 1000
 tunnel source FastEthernet0/1
 tunnel destination 82.82.82.2
!
interface FastEthernet0/1
 description RouterB (Cust DMZ)
 ip address 10.5.4.70 255.255.252.0
 duplex auto
 speed auto
 crypto map IPSecMap
!
ip route 82.82.82.2 255.255.255.255 10.5.4.1
! good idea MAKES SURE that the gre traffic
! cant try to go down its own tunnel.
!
!
ip access-list extended CustTunnel
 permit gre host 10.5.4.70 host 82.82.82.2
! permit gre host 82.82.82.2 host 10.5.4.70
! you don't need this
! IPSEC does both directions anyway
!

RouterA

--------------------------------

--------------------------------
crypto isakmp key thekeythekey address 84.84.84.70
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac

crypto map PeerMap 10 ipsec-isakmp
 set peer 84.84.84.70
 set transform-set 3des-md5
 match address CustTunnel
!
interface Tunnel1
 description Vale Of Glamorgan GRE
 ip address 10.8.0.21 255.255.255.252
 traffic-shape group 110 10000 1024 1024 1000
 tunnel source FastEthernet0/0
 tunnel destination 10.5.4.70
 ! *CHANGE*
!
interface FastEthernet0/0
 description Internet
 ip address 82.82.82.2 255.255.255.224
 duplex auto
 speed auto
 crypto map PeerMap
!
ip access-list extended CustTunnel
 permit gre host 82.82.82.2 host 10.5.4.70

! Add a specific route for the GRE traffic here too
! Makes sure that GRE traffic never tries to go over
! the tunnel.
ip route 10.5.4.70 255.255.255.255 internet.next.hop

Reply to
bod43
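The mirror requirement on the crypto ACLs can be checked offline before touching either router. This is an added example, not code from the thread: the function names are hypothetical, the ACL text is copied from the configurations posted above, and only `permit <proto> host <src> host <dst>` entries are handled, which is stricter than the "not necessarily exactly" rule stated in the reply.

```python
import re

# Handles only "permit <proto> host <src> host <dst>", the form used by both
# routers in this thread. Wildcard-mask entries are out of scope (assumption).
ACE_RE = re.compile(r"^\s*permit\s+(\S+)\s+host\s+(\S+)\s+host\s+(\S+)\s*$")

# ACL sections as posted in the thread.
ROUTER_B_ORIG = """\
ip access-list extended CustTunnel
 permit gre host 10.5.4.70 host 82.82.82.2
 permit gre host 82.82.82.2 host 10.5.4.70
!
"""
ROUTER_A_ORIG = """\
ip access-list extended CustTunnel
 permit gre host 82.82.82.2 host 84.84.84.70
 permit gre host 84.84.84.70 host 82.82.82.2
"""
# ACL sections as proposed in the reply (commented-out entry kept as posted).
ROUTER_B_CHANGED = """\
ip access-list extended CustTunnel
 permit gre host 10.5.4.70 host 82.82.82.2
! permit gre host 82.82.82.2 host 10.5.4.70
!
"""
ROUTER_A_CHANGED = """\
ip access-list extended CustTunnel
 permit gre host 82.82.82.2 host 10.5.4.70
"""


def parse_crypto_acl(config, name):
    """Return [(proto, src, dst), ...] for one named extended ACL."""
    entries, inside = [], False
    for line in config.splitlines():
        words = line.split()
        if words[:3] == ["ip", "access-list", "extended"]:
            inside = words[3:4] == [name]
            continue
        # Skip blank lines and IOS comment lines, including commented-out ACEs.
        if not inside or not words or words[0].startswith("!"):
            continue
        match = ACE_RE.match(line)
        if match:
            entries.append(match.groups())
        elif not line[0].isspace():
            inside = False  # next top-level command ends the ACL section
    return entries


def unmirrored(local, remote):
    """Entries in `local` whose swapped src/dst form is absent from `remote`."""
    remote_set = set(remote)
    return [e for e in local if (e[0], e[2], e[1]) not in remote_set]


def compare(config_a, config_b, name="CustTunnel"):
    """Report the entries on each side that the other side does not mirror."""
    a = parse_crypto_acl(config_a, name)
    b = parse_crypto_acl(config_b, name)
    return {"a_unmirrored": unmirrored(a, b), "b_unmirrored": unmirrored(b, a)}


if __name__ == "__main__":
    for label, a, b in (("original", ROUTER_A_ORIG, ROUTER_B_ORIG),
                        ("changed", ROUTER_A_CHANGED, ROUTER_B_CHANGED)):
        result = compare(a, b)
        print(label, "OK" if not any(result.values()) else result)
```

With the original configurations RouterA describes its peer by the NAT address 84.84.84.70 while RouterB describes itself as 10.5.4.70, so no entry has a mirror; with the changed configurations both lists come back empty.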

Changed the destination end point for the GRE Tunnel to 10.5.4.70. How will RouterA know to tunnel this down its IPSec connection to RouterB when the ip extended CustTunnel is set for

permit gre host 82.82.82.2 host 84.84.84.70

- This router has many IPSec connections, but this is the first to a router behind a NAT firewall...

?

Anyhow, I suppose this first issue is to get the IPSec up and running :)

Router A:

========

RouterA#show crypto isakmp sa

dst src state conn-id slot

82.82.82.2 84.84.84.70 MM_KEY_EXCH 1023 0

Router B:

========

RouterB#show crypto isakmp sa

dst src state conn-id slot status

82.82.82.2 10.5.4.70 MM_KEY_EXCH 1 0 ACTIVE

RouterB# debug crypto isakmp error

*Apr 22 11:27:18.231: ISAKMP:(0:3:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 82.82.82.2)

*Apr 22 11:27:18.231: ISAKMP:(0:3:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 82.82.82.2)

*Apr 22 11:27:48.231: ISAKMP:(0:4:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 82.82.82.2)

*Apr 22 11:27:48.231: ISAKMP:(0:4:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 80.82.82.2)

Reply to
Tomehb

More debug from routerB:

Full Debug:

*Apr 22 13:06:30.306: ISAKMP (0:0): received packet from 82.82.82.2 dport 500 sport 500 Global (N) NEW SA

*Apr 22 13:06:30.306: ISAKMP: Created a peer struct for 82.82.82.2, peer port 500

*Apr 22 13:06:30.306: ISAKMP: New peer created peer = 0x63685008 peer_handle = 0x80000880

*Apr 22 13:06:30.306: ISAKMP: Locking peer struct 0x63685008, IKE refcount 1 for crypto_isakmp_process_block

*Apr 22 13:06:30.306: ISAKMP: local port 500, remote port 500

*Apr 22 13:06:30.306: insert sa successfully sa = 632D58D4

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch

*Apr 22 13:06:30.310: ISAKMP (0:0): vendor ID is NAT-T v7

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 82.82.82.2

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0): local preshared key found

*Apr 22 13:06:30.310: ISAKMP : Scanning profiles for xauth ...

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy

*Apr 22 13:06:30.310: ISAKMP: encryption DES-CBC

*Apr 22 13:06:30.310: ISAKMP: hash SHA

*Apr 22 13:06:30.310: ISAKMP: default group 1

*Apr 22 13:06:30.310: ISAKMP: auth pre-share

*Apr 22 13:06:30.310: ISAKMP: life type in seconds

*Apr 22 13:06:30.310: ISAKMP: life duration (basic) of 28800

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0

*Apr 22 13:06:30.342: ISAKMP:(0:1:SW:1): processing vendor id payload

*Apr 22 13:06:30.342: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch

*Apr 22 13:06:30.346: ISAKMP (0:134217729): vendor ID is NAT-T v7

*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1): processing vendor id payload

*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 157 mismatch

*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v3

*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1): processing vendor id payload

*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 123 mismatch

*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v2

*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1): constructed NAT-T vendor-07 ID

*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_SA_SETUP

*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2

*Apr 22 13:06:30.562: ISAKMP (0:134217729): received packet from 82.82.82.2 dport 500 sport 500 Global (R) MM_SA_SETUP

*Apr 22 13:06:30.562: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Apr 22 13:06:30.562: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3

*Apr 22 13:06:30.562: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0

*Apr 22 13:06:30.602: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 82.82.82.2

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1):SKEYID state generated

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1): processing vendor id payload

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1): vendor ID is Unity

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1): processing vendor id payload

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1): vendor ID is DPD

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1): processing vendor id payload

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1): speaking to another IOS box!

*Apr 22 13:06:30.606: ISAKMP (0:134217729): NAT found, the node inside NAT

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4

*Apr 22 13:06:40.606: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:06:40.606: ISAKMP (0:134217729): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Apr 22 13:06:40.606: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH

*Apr 22 13:06:40.606: ISAKMP:(0:1:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:06:50.606: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:06:50.606: ISAKMP (0:134217729): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Apr 22 13:06:50.606: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH

*Apr 22 13:06:50.606: ISAKMP:(0:1:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:07:00.310: ISAKMP (0:0): received packet from 82.82.82.2 dport 500 sport 500 Global (N) NEW SA

*Apr 22 13:07:00.310: ISAKMP: Created a peer struct for 82.82.82.2, peer port 500

*Apr 22 13:07:00.310: ISAKMP: New peer created peer = 0x62EEAEB8 peer_handle = 0x80000881

*Apr 22 13:07:00.310: ISAKMP: Locking peer struct 0x62EEAEB8, IKE refcount 1 for crypto_isakmp_process_block

*Apr 22 13:07:00.310: ISAKMP: local port 500, remote port 500

*Apr 22 13:07:00.310: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6309B3E8

*Apr 22 13:07:00.310: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Apr 22 13:07:00.310: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1

*Apr 22 13:07:00.310: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0

*Apr 22 13:07:00.310: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Apr 22 13:07:00.310: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch

*Apr 22 13:07:00.314: ISAKMP (0:0): vendor ID is NAT-T v7

*Apr 22 13:07:00.314: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Apr 22 13:07:00.314: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch

*Apr 22 13:07:00.314: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3

*Apr 22 13:07:00.314: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Apr 22 13:07:00.314: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch

*Apr 22 13:07:00.314: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2

*Apr 22 13:07:00.314: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 82.82.82.2

*Apr 22 13:07:00.314: ISAKMP:(0:0:N/A:0): local preshared key found

*Apr 22 13:07:00.314: ISAKMP : Scanning profiles for xauth ...

*Apr 22 13:07:00.314: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy

*Apr 22 13:07:00.314: ISAKMP: encryption DES-CBC

*Apr 22 13:07:00.314: ISAKMP: hash SHA

*Apr 22 13:07:00.314: ISAKMP: default group 1

*Apr 22 13:07:00.314: ISAKMP: auth pre-share

*Apr 22 13:07:00.314: ISAKMP: life type in seconds

*Apr 22 13:07:00.314: ISAKMP: life duration (basic) of 28800

*Apr 22 13:07:00.314: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0

*Apr 22 13:07:00.346: ISAKMP:(0:2:SW:1): processing vendor id payload

*Apr 22 13:07:00.346: ISAKMP:(0:2:SW:1): vendor ID seems Unity/DPD but major 245 mismatch

*Apr 22 13:07:00.346: ISAKMP (0:134217730): vendor ID is NAT-T v7

*Apr 22 13:07:00.346: ISAKMP:(0:2:SW:1): processing vendor id payload

*Apr 22 13:07:00.346: ISAKMP:(0:2:SW:1): vendor ID seems Unity/DPD but major 157 mismatch

*Apr 22 13:07:00.346: ISAKMP:(0:2:SW:1): vendor ID is NAT-T v3

*Apr 22 13:07:00.350: ISAKMP:(0:2:SW:1): processing vendor id payload

*Apr 22 13:07:00.350: ISAKMP:(0:2:SW:1): vendor ID seems Unity/DPD but major 123 mismatch

*Apr 22 13:07:00.350: ISAKMP:(0:2:SW:1): vendor ID is NAT-T v2

*Apr 22 13:07:00.350: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Apr 22 13:07:00.350: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Apr 22 13:07:00.350: ISAKMP:(0:2:SW:1): constructed NAT-T vendor-07 ID

*Apr 22 13:07:00.350: ISAKMP:(0:2:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_SA_SETUP

*Apr 22 13:07:00.350: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Apr 22 13:07:00.350: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2

*Apr 22 13:07:00.566: ISAKMP (0:134217730): received packet from 82.82.82.2 dport 500 sport 500 Global (R) MM_SA_SETUP

*Apr 22 13:07:00.566: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Apr 22 13:07:00.566: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3

*Apr 22 13:07:00.566: ISAKMP:(0:2:SW:1): processing KE payload. message ID = 0

*Apr 22 13:07:00.606: ISAKMP:(0:2:SW:1): processing NONCE payload. message ID = 0

*Apr 22 13:07:00.606: ISAKMP:(0:2:SW:1):found peer pre-shared key matching 82.82.82.2

*Apr 22 13:07:00.606: ISAKMP:(0:2:SW:1):SKEYID state generated

*Apr 22 13:07:00.610: ISAKMP:(0:2:SW:1): processing vendor id payload

*Apr 22 13:07:00.610: ISAKMP:(0:2:SW:1): vendor ID is Unity

*Apr 22 13:07:00.610: ISAKMP:(0:2:SW:1): processing vendor id payload

*Apr 22 13:07:00.610: ISAKMP:(0:2:SW:1): vendor ID is DPD

*Apr 22 13:07:00.610: ISAKMP:(0:2:SW:1): processing vendor id payload

*Apr 22 13:07:00.610: ISAKMP:(0:2:SW:1): speaking to another IOS box!

*Apr 22 13:07:00.610: ISAKMP (0:134217730): NAT found, the node inside NAT

*Apr 22 13:07:00.610: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Apr 22 13:07:00.610: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3

*Apr 22 13:07:00.610: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:07:00.610: ISAKMP (0:134217729): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

*Apr 22 13:07:00.610: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH

*Apr 22 13:07:00.610: ISAKMP:(0:1:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:07:00.610: ISAKMP:(0:2:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:07:00.610: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Apr 22 13:07:00.610: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4

*Apr 22 13:07:10.610: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:07:10.610: ISAKMP (0:134217729): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

*Apr 22 13:07:10.610: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH

*Apr 22 13:07:10.610: ISAKMP:(0:1:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:07:10.610: ISAKMP:(0:2:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:07:10.610: ISAKMP (0:134217730): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Apr 22 13:07:10.610: ISAKMP:(0:2:SW:1): retransmitting phase 1 MM_KEY_EXCH

*Apr 22 13:07:10.610: ISAKMP:(0:2:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:07:20.610: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:07:20.610: ISAKMP (0:134217729): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

*Apr 22 13:07:20.610: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH

*Apr 22 13:07:20.610: ISAKMP:(0:1:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:07:20.610: ISAKMP:(0:2:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:07:20.610: ISAKMP (0:134217730): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Apr 22 13:07:20.610: ISAKMP:(0:2:SW:1): retransmitting phase 1 MM_KEY_EXCH

*Apr 22 13:07:20.610: ISAKMP:(0:2:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:07:30.610: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:07:30.610: ISAKMP:(0:1:SW:1):peer does not do paranoid keepalives.

*Apr 22 13:07:30.610: ISAKMP:(0:1:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 82.82.82.2)

*Apr 22 13:07:30.610: ISAKMP:(0:2:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:07:30.610: ISAKMP (0:134217730): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

*Apr 22 13:07:30.610: ISAKMP:(0:2:SW:1): retransmitting phase 1 MM_KEY_EXCH

*Apr 22 13:07:30.610: ISAKMP:(0:2:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:07:30.610: ISAKMP:(0:1:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 82.82.82.2)

*Apr 22 13:07:30.610: ISAKMP: Unlocking IKE struct 0x63685008 for isadb_mark_sa_deleted(), count 0

*Apr 22 13:07:30.610: ISAKMP: Deleting peer node by peer_reap for 82.82.82.2: 63685008

*Apr 22 13:07:30.610: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Apr 22 13:07:30.610: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4 New State = IKE_DEST_SA

*Apr 22 13:07:40.610: ISAKMP:(0:2:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:07:40.610: ISAKMP (0:134217730): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

*Apr 22 13:07:40.610: ISAKMP:(0:2:SW:1): retransmitting phase 1 MM_KEY_EXCH

*Apr 22 13:07:40.610: ISAKMP:(0:2:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:07:50.610: ISAKMP:(0:2:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:07:50.610: ISAKMP (0:134217730): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

*Apr 22 13:07:50.610: ISAKMP:(0:2:SW:1): retransmitting phase 1 MM_KEY_EXCH

*Apr 22 13:07:50.610: ISAKMP:(0:2:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:07:51.514: ISAKMP (0:0): received packet from 82.82.82.2 dport 500 sport 500 Global (N) NEW SA

*Apr 22 13:07:51.514: ISAKMP: Created a peer struct for 82.82.82.2, peer port 500

*Apr 22 13:07:51.514: ISAKMP: New peer created peer = 0x63685008 peer_handle = 0x8000088A

*Apr 22 13:07:51.514: ISAKMP: Locking peer struct 0x63685008, IKE refcount 1 for crypto_isakmp_process_block

*Apr 22 13:07:51.514: ISAKMP: local port 500, remote port 500

*Apr 22 13:07:51.514: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6309BF30

*Apr 22 13:07:51.514: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Apr 22 13:07:51.514: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1

*Apr 22 13:07:51.514: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0

*Apr 22 13:07:51.514: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Apr 22 13:07:51.514: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch

*Apr 22 13:07:51.514: ISAKMP (0:0): vendor ID is NAT-T v7

*Apr 22 13:07:51.514: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Apr 22 13:07:51.514: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch

*Apr 22 13:07:51.514: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3

*Apr 22 13:07:51.514: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Apr 22 13:07:51.514: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch

*Apr 22 13:07:51.514: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2

*Apr 22 13:07:51.518: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 82.82.82.2

*Apr 22 13:07:51.518: ISAKMP:(0:0:N/A:0): local preshared key found

*Apr 22 13:07:51.518: ISAKMP : Scanning profiles for xauth ...

*Apr 22 13:07:51.518: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy

*Apr 22 13:07:51.518: ISAKMP: encryption DES-CBC

*Apr 22 13:07:51.518: ISAKMP: hash SHA

*Apr 22 13:07:51.518: ISAKMP: default group 1

*Apr 22 13:07:51.518: ISAKMP: auth pre-share

*Apr 22 13:07:51.518: ISAKMP: life type in seconds

*Apr 22 13:07:51.518: ISAKMP: life duration (basic) of 28800

*Apr 22 13:07:51.518: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0

*Apr 22 13:07:51.550: ISAKMP:(0:3:SW:1): processing vendor id payload

*Apr 22 13:07:51.550: ISAKMP:(0:3:SW:1): vendor ID seems Unity/DPD but major 245 mismatch

*Apr 22 13:07:51.550: ISAKMP (0:134217731): vendor ID is NAT-T v7

*Apr 22 13:07:51.550: ISAKMP:(0:3:SW:1): processing vendor id payload

*Apr 22 13:07:51.550: ISAKMP:(0:3:SW:1): vendor ID seems Unity/DPD but major 157 mismatch

*Apr 22 13:07:51.550: ISAKMP:(0:3:SW:1): vendor ID is NAT-T v3

*Apr 22 13:07:51.550: ISAKMP:(0:3:SW:1): processing vendor id payload

*Apr 22 13:07:51.550: ISAKMP:(0:3:SW:1): vendor ID seems Unity/DPD but major 123 mismatch

*Apr 22 13:07:51.554: ISAKMP:(0:3:SW:1): vendor ID is NAT-T v2

*Apr 22 13:07:51.554: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Apr 22 13:07:51.554: ISAKMP:(0:3:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Apr 22 13:07:51.554: ISAKMP:(0:3:SW:1): constructed NAT-T vendor-07 ID

*Apr 22 13:07:51.554: ISAKMP:(0:3:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_SA_SETUP

*Apr 22 13:07:51.554: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Apr 22 13:07:51.554: ISAKMP:(0:3:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2

*Apr 22 13:07:51.762: ISAKMP (0:134217731): received packet from 82.82.82.2 dport 500 sport 500 Global (R) MM_SA_SETUP

*Apr 22 13:07:51.762: ISAKMP:(0:3:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Apr 22 13:07:51.762: ISAKMP:(0:3:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3

*Apr 22 13:07:51.762: ISAKMP:(0:3:SW:1): processing KE payload. message ID = 0

*Apr 22 13:07:51.802: ISAKMP:(0:3:SW:1): processing NONCE payload. message ID = 0

*Apr 22 13:07:51.806: ISAKMP:(0:3:SW:1):found peer pre-shared key matching 82.82.82.2

*Apr 22 13:07:51.806: ISAKMP:(0:3:SW:1):SKEYID state generated

*Apr 22 13:07:51.806: ISAKMP:(0:3:SW:1): processing vendor id payload

*Apr 22 13:07:51.806: ISAKMP:(0:3:SW:1): vendor ID is Unity

*Apr 22 13:07:51.806: ISAKMP:(0:3:SW:1): processing vendor id payload

*Apr 22 13:07:51.806: ISAKMP:(0:3:SW:1): vendor ID is DPD

*Apr 22 13:07:51.806: ISAKMP:(0:3:SW:1): processing vendor id payload

*Apr 22 13:07:51.806: ISAKMP:(0:3:SW:1): speaking to another IOS box!

*Apr 22 13:07:51.806: ISAKMP (0:134217731): NAT found, the node inside NAT

*Apr 22 13:07:51.806: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Apr 22 13:07:51.806: ISAKMP:(0:3:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3

*Apr 22 13:07:51.806: ISAKMP:(0:3:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:07:51.810: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Apr 22 13:07:51.810: ISAKMP:(0:3:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4

*Apr 22 13:08:00.610: ISAKMP:(0:2:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:08:00.610: ISAKMP:(0:2:SW:1):peer does not do paranoid keepalives.

*Apr 22 13:08:00.610: ISAKMP:(0:2:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 82.82.82.2)

*Apr 22 13:08:00.610: ISAKMP:(0:2:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 82.82.82.2)

*Apr 22 13:08:00.610: ISAKMP: Unlocking IKE struct 0x62EEAEB8 for isadb_mark_sa_deleted(), count 0

*Apr 22 13:08:00.610: ISAKMP: Deleting peer node by peer_reap for 82.82.82.2: 62EEAEB8

*Apr 22 13:08:00.610: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Apr 22 13:08:00.610: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM4 New State = IKE_DEST_SA

*Apr 22 13:08:01.810: ISAKMP:(0:3:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:08:01.810: ISAKMP (0:134217731): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Apr 22 13:08:01.810: ISAKMP:(0:3:SW:1): retransmitting phase 1 MM_KEY_EXCH

*Apr 22 13:08:01.810: ISAKMP:(0:3:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:08:11.810: ISAKMP:(0:3:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:08:11.810: ISAKMP (0:134217731): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Apr 22 13:08:11.810: ISAKMP:(0:3:SW:1): retransmitting phase 1 MM_KEY_EXCH

*Apr 22 13:08:11.810: ISAKMP:(0:3:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:08:21.510: ISAKMP (0:0): received packet from 82.82.82.2 dport 500 sport 500 Global (N) NEW SA

*Apr 22 13:08:21.510: ISAKMP: Created a peer struct for 82.82.82.2, peer port 500

*Apr 22 13:08:21.510: ISAKMP: New peer created peer = 0x62EEAEB8 peer_handle = 0x80000883

*Apr 22 13:08:21.514: ISAKMP: Locking peer struct 0x62EEAEB8, IKE refcount 1 for crypto_isakmp_process_block

*Apr 22 13:08:21.514: ISAKMP: local port 500, remote port 500

*Apr 22 13:08:21.514: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6309CA78

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch

*Apr 22 13:08:21.514: ISAKMP (0:0): vendor ID is NAT-T v7

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 82.82.82.2

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0): local preshared key found

*Apr 22 13:08:21.514: ISAKMP : Scanning profiles for xauth ...

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy

*Apr 22 13:08:21.514: ISAKMP: encryption DES-CBC

*Apr 22 13:08:21.514: ISAKMP: hash SHA

*Apr 22 13:08:21.514: ISAKMP: default group 1

*Apr 22 13:08:21.514: ISAKMP: auth pre-share

*Apr 22 13:08:21.514: ISAKMP: life type in seconds

*Apr 22 13:08:21.514: ISAKMP: life duration (basic) of 28800

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0

*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1): processing vendor id payload

*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1): vendor ID seems Unity/DPD but major 245 mismatch

*Apr 22 13:08:21.550: ISAKMP (0:134217732): vendor ID is NAT-T v7

*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1): processing vendor id payload

*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1): vendor ID seems Unity/DPD but major 157 mismatch

*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1): vendor ID is NAT-T v3

*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1): processing vendor id payload

*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1): vendor ID seems Unity/DPD but major 123 mismatch

*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1): vendor ID is NAT-T v2

*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1


Reply to
twinkle9
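A debug this long is easier to read once it is folded into one record per SA. The following is an added example, not part of the original posts: the function names are hypothetical, the sample lines are constructed in the shape of the RouterB debug above, and the mapping of `(0:134217729)` to connection 1 is an assumption inferred from how those lines interleave with `(0:1:SW:1)` in that debug.

```python
import re

# Constructed sample in the shape of the RouterB debug: SA 1 runs to deletion,
# SA 2 is still negotiating. One line keeps a "=3D" quoted-printable artifact.
SAMPLE = """\
*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Apr 22 13:06:30.562: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Apr 22 13:06:30.606: ISAKMP (0:134217729): NAT found, the node inside NAT
*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Apr 22 13:06:40.606: ISAKMP (0:134217729): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 22 13:07:00.350: ISAKMP:(0:2:SW:1):Old State =3D IKE_R_MM1 New State =3D IKE_R_MM2
*Apr 22 13:07:00.610: ISAKMP (0:134217730): NAT found, the node inside NAT
*Apr 22 13:07:20.610: ISAKMP (0:134217729): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Apr 22 13:07:30.610: ISAKMP:(0:1:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 82.82.82.2)
*Apr 22 13:07:30.610: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4 New State = IKE_DEST_SA
"""

SA_RE = re.compile(r"ISAKMP\s*:?\s*\(\d+:(\d+)(?::[^)]*)?\)")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RETX_RE = re.compile(r"attempt (\d+) of \d+: retransmit phase 1")
DEL_RE = re.compile(r'deleting SA reason "([^"]+)" state \(\w\) (\S+)')
PORT_RE = re.compile(r"my_port (\d+) peer_port (\d+)")

# Assumption: the long form of the id carries the connection number in its
# low 27 bits (134217729 = 2**27 + 1 appears beside conn-id 1 in the debug).
CONN_MASK = 0x07FFFFFF


def summarize(log_text):
    """Fold ISAKMP debug lines into one record per connection id."""
    sas = {}
    for line in log_text.splitlines():
        line = line.replace("=3D", "=")  # undo quoted-printable residue
        sa_match = SA_RE.search(line)
        if not sa_match:
            continue
        cid = int(sa_match.group(1)) & CONN_MASK
        if cid == 0:
            continue  # (0:0:N/A:0) lines precede SA creation
        sa = sas.setdefault(cid, {"path": [], "nat_inside": False,
                                  "retransmits": 0, "ports": set(),
                                  "deleted": None})
        state = STATE_RE.search(line)
        if state and state.group(1) != state.group(2):
            sa["path"].append(state.group(2))
        if "NAT found, the node inside NAT" in line:
            sa["nat_inside"] = True
        retx = RETX_RE.search(line)
        if retx:
            sa["retransmits"] = max(sa["retransmits"], int(retx.group(1)))
        ports = PORT_RE.search(line)
        if ports:
            sa["ports"].add((int(ports.group(1)), int(ports.group(2))))
        deleted = DEL_RE.search(line)
        if deleted:
            sa["deleted"] = deleted.groups()
    return sas


def finding(sa):
    """One-line reading of a record; a prompt for what to check, not a verdict."""
    if sa["deleted"] is None:
        return "in progress"
    reason, state = sa["deleted"]
    if (reason.startswith("Death by retransmission") and sa["nat_inside"]
            and sa["ports"] <= {(500, 500)}):
        return (f"no answer in {state} after NAT was detected, all traffic "
                "seen on UDP 500: verify the NAT firewall passes UDP 500 "
                "and UDP 4500 for this router")
    return f"deleted in {state}: {reason}"


if __name__ == "__main__":
    for cid, sa in sorted(summarize(SAMPLE).items()):
        print(cid, " > ".join(sa["path"]), "|", finding(sa))
```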

Full Debug:

*Apr 22 13:06:30.306: ISAKMP (0:0): received packet from 82.82.82.2 dport 500 sport 500 Global (N) NEW SA

*Apr 22 13:06:30.306: ISAKMP: Created a peer struct for 82.82.82.2, peer port 500

*Apr 22 13:06:30.306: ISAKMP: New peer created peer = 0x63685008 peer_handle = 0x80000880

*Apr 22 13:06:30.306: ISAKMP: Locking peer struct 0x63685008, IKE refcount 1 for crypto_isakmp_process_block

*Apr 22 13:06:30.306: ISAKMP: local port 500, remote port 500

*Apr 22 13:06:30.306: insert sa successfully sa = 632D58D4

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch

*Apr 22 13:06:30.310: ISAKMP (0:0): vendor ID is NAT-T v7

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 82.82.82.2

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0): local preshared key found

*Apr 22 13:06:30.310: ISAKMP : Scanning profiles for xauth ...

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy

*Apr 22 13:06:30.310: ISAKMP: encryption DES-CBC

*Apr 22 13:06:30.310: ISAKMP: hash SHA

*Apr 22 13:06:30.310: ISAKMP: default group 1

*Apr 22 13:06:30.310: ISAKMP: auth pre-share

*Apr 22 13:06:30.310: ISAKMP: life type in seconds

*Apr 22 13:06:30.310: ISAKMP: life duration (basic) of 28800

*Apr 22 13:06:30.310: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0

*Apr 22 13:06:30.342: ISAKMP:(0:1:SW:1): processing vendor id payload

*Apr 22 13:06:30.342: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch

*Apr 22 13:06:30.346: ISAKMP (0:134217729): vendor ID is NAT-T v7

*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1): processing vendor id payload

*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 157 mismatch

*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v3

*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1): processing vendor id payload

*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 123 mismatch

*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v2

*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1): constructed NAT-T vendor-07 ID

*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_SA_SETUP

*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2

*Apr 22 13:06:30.562: ISAKMP (0:134217729): received packet from 82.82.82.2 dport 500 sport 500 Global (R) MM_SA_SETUP

*Apr 22 13:06:30.562: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Apr 22 13:06:30.562: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3

*Apr 22 13:06:30.562: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0

*Apr 22 13:06:30.602: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 82.82.82.2

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1):SKEYID state generated

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1): processing vendor id payload

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1): vendor ID is Unity

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1): processing vendor id payload

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1): vendor ID is DPD

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1): processing vendor id payload

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1): speaking to another IOS box!

*Apr 22 13:06:30.606: ISAKMP (0:134217729): NAT found, the node inside NAT

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4

*Apr 22 13:06:40.606: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:06:40.606: ISAKMP (0:134217729): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Apr 22 13:06:40.606: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH

*Apr 22 13:06:40.606: ISAKMP:(0:1:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:06:50.606: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:06:50.606: ISAKMP (0:134217729): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Apr 22 13:06:50.606: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH

*Apr 22 13:06:50.606: ISAKMP:(0:1:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:07:00.310: ISAKMP (0:0): received packet from 82.82.82.2 dport 500 sport 500 Global (N) NEW SA

*Apr 22 13:07:00.310: ISAKMP: Created a peer struct for 82.82.82.2, peer port 500

*Apr 22 13:07:00.310: ISAKMP: New peer created peer = 0x62EEAEB8 peer_handle = 0x80000881

*Apr 22 13:07:00.310: ISAKMP: Locking peer struct 0x62EEAEB8, IKE refcount 1 for crypto_isakmp_process_block

*Apr 22 13:07:00.310: ISAKMP: local port 500, remote port 500

*Apr 22 13:07:00.310: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6309B3E8

*Apr 22 13:07:00.310: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Apr 22 13:07:00.310: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1

*Apr 22 13:07:00.310: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0

*Apr 22 13:07:00.310: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Apr 22 13:07:00.310: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch

*Apr 22 13:07:00.314: ISAKMP (0:0): vendor ID is NAT-T v7

*Apr 22 13:07:00.314: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Apr 22 13:07:00.314: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch

*Apr 22 13:07:00.314: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3

*Apr 22 13:07:00.314: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Apr 22 13:07:00.314: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch

*Apr 22 13:07:00.314: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2

*Apr 22 13:07:00.314: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 82.82.82.2

*Apr 22 13:07:00.314: ISAKMP:(0:0:N/A:0): local preshared key found

*Apr 22 13:07:00.314: ISAKMP : Scanning profiles for xauth ...

*Apr 22 13:07:00.314: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy

*Apr 22 13:07:00.314: ISAKMP: encryption DES-CBC

*Apr 22 13:07:00.314: ISAKMP: hash SHA

*Apr 22 13:07:00.314: ISAKMP: default group 1

*Apr 22 13:07:00.314: ISAKMP: auth pre-share

*Apr 22 13:07:00.314: ISAKMP: life type in seconds

*Apr 22 13:07:00.314: ISAKMP: life duration (basic) of 28800

*Apr 22 13:07:00.314: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0

*Apr 22 13:07:00.346: ISAKMP:(0:2:SW:1): processing vendor id payload

*Apr 22 13:07:00.346: ISAKMP:(0:2:SW:1): vendor ID seems Unity/DPD but major 245 mismatch

*Apr 22 13:07:00.346: ISAKMP (0:134217730): vendor ID is NAT-T v7

*Apr 22 13:07:00.346: ISAKMP:(0:2:SW:1): processing vendor id payload

*Apr 22 13:07:00.346: ISAKMP:(0:2:SW:1): vendor ID seems Unity/DPD but major 157 mismatch

*Apr 22 13:07:00.346: ISAKMP:(0:2:SW:1): vendor ID is NAT-T v3

*Apr 22 13:07:00.350: ISAKMP:(0:2:SW:1): processing vendor id payload

*Apr 22 13:07:00.350: ISAKMP:(0:2:SW:1): vendor ID seems Unity/DPD but major 123 mismatch

*Apr 22 13:07:00.350: ISAKMP:(0:2:SW:1): vendor ID is NAT-T v2

*Apr 22 13:07:00.350: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Apr 22 13:07:00.350: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Apr 22 13:07:00.350: ISAKMP:(0:2:SW:1): constructed NAT-T vendor-07 ID

*Apr 22 13:07:00.350: ISAKMP:(0:2:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_SA_SETUP

*Apr 22 13:07:00.350: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Apr 22 13:07:00.350: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2

*Apr 22 13:07:00.566: ISAKMP (0:134217730): received packet from 82.82.82.2 dport 500 sport 500 Global (R) MM_SA_SETUP

*Apr 22 13:07:00.566: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Apr 22 13:07:00.566: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3

*Apr 22 13:07:00.566: ISAKMP:(0:2:SW:1): processing KE payload. message ID = 0

*Apr 22 13:07:00.606: ISAKMP:(0:2:SW:1): processing NONCE payload. message ID = 0

*Apr 22 13:07:00.606: ISAKMP:(0:2:SW:1):found peer pre-shared key matching 82.82.82.2

*Apr 22 13:07:00.606: ISAKMP:(0:2:SW:1):SKEYID state generated

*Apr 22 13:07:00.610: ISAKMP:(0:2:SW:1): processing vendor id payload

*Apr 22 13:07:00.610: ISAKMP:(0:2:SW:1): vendor ID is Unity

*Apr 22 13:07:00.610: ISAKMP:(0:2:SW:1): processing vendor id payload

*Apr 22 13:07:00.610: ISAKMP:(0:2:SW:1): vendor ID is DPD

*Apr 22 13:07:00.610: ISAKMP:(0:2:SW:1): processing vendor id payload

*Apr 22 13:07:00.610: ISAKMP:(0:2:SW:1): speaking to another IOS box!

*Apr 22 13:07:00.610: ISAKMP (0:134217730): NAT found, the node inside NAT

*Apr 22 13:07:00.610: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Apr 22 13:07:00.610: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3

*Apr 22 13:07:00.610: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:07:00.610: ISAKMP (0:134217729): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

*Apr 22 13:07:00.610: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH

*Apr 22 13:07:00.610: ISAKMP:(0:1:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:07:00.610: ISAKMP:(0:2:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:07:00.610: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Apr 22 13:07:00.610: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4

*Apr 22 13:07:10.610: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:07:10.610: ISAKMP (0:134217729): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

*Apr 22 13:07:10.610: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH

*Apr 22 13:07:10.610: ISAKMP:(0:1:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:07:10.610: ISAKMP:(0:2:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:07:10.610: ISAKMP (0:134217730): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Apr 22 13:07:10.610: ISAKMP:(0:2:SW:1): retransmitting phase 1 MM_KEY_EXCH

*Apr 22 13:07:10.610: ISAKMP:(0:2:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:07:20.610: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:07:20.610: ISAKMP (0:134217729): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

*Apr 22 13:07:20.610: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH

*Apr 22 13:07:20.610: ISAKMP:(0:1:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:07:20.610: ISAKMP:(0:2:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:07:20.610: ISAKMP (0:134217730): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Apr 22 13:07:20.610: ISAKMP:(0:2:SW:1): retransmitting phase 1 MM_KEY_EXCH

*Apr 22 13:07:20.610: ISAKMP:(0:2:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:07:30.610: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:07:30.610: ISAKMP:(0:1:SW:1):peer does not do paranoid keepalives.

*Apr 22 13:07:30.610: ISAKMP:(0:1:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 82.82.82.2)

*Apr 22 13:07:30.610: ISAKMP:(0:2:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:07:30.610: ISAKMP (0:134217730): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

*Apr 22 13:07:30.610: ISAKMP:(0:2:SW:1): retransmitting phase 1 MM_KEY_EXCH

*Apr 22 13:07:30.610: ISAKMP:(0:2:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:07:30.610: ISAKMP:(0:1:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 82.82.82.2)

*Apr 22 13:07:30.610: ISAKMP: Unlocking IKE struct 0x63685008 for isadb_mark_sa_deleted(), count 0

*Apr 22 13:07:30.610: ISAKMP: Deleting peer node by peer_reap for 82.82.82.2: 63685008

*Apr 22 13:07:30.610: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Apr 22 13:07:30.610: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4 New State = IKE_DEST_SA

*Apr 22 13:07:40.610: ISAKMP:(0:2:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:07:40.610: ISAKMP (0:134217730): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

*Apr 22 13:07:40.610: ISAKMP:(0:2:SW:1): retransmitting phase 1 MM_KEY_EXCH

*Apr 22 13:07:40.610: ISAKMP:(0:2:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:07:50.610: ISAKMP:(0:2:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:07:50.610: ISAKMP (0:134217730): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

*Apr 22 13:07:50.610: ISAKMP:(0:2:SW:1): retransmitting phase 1 MM_KEY_EXCH

*Apr 22 13:07:50.610: ISAKMP:(0:2:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:07:51.514: ISAKMP (0:0): received packet from 82.82.82.2 dport 500 sport 500 Global (N) NEW SA

*Apr 22 13:07:51.514: ISAKMP: Created a peer struct for 82.82.82.2, peer port 500

*Apr 22 13:07:51.514: ISAKMP: New peer created peer = 0x63685008 peer_handle = 0x8000088A

*Apr 22 13:07:51.514: ISAKMP: Locking peer struct 0x63685008, IKE refcount 1 for crypto_isakmp_process_block

*Apr 22 13:07:51.514: ISAKMP: local port 500, remote port 500

*Apr 22 13:07:51.514: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6309BF30

*Apr 22 13:07:51.514: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Apr 22 13:07:51.514: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1

*Apr 22 13:07:51.514: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0

*Apr 22 13:07:51.514: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Apr 22 13:07:51.514: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch

*Apr 22 13:07:51.514: ISAKMP (0:0): vendor ID is NAT-T v7

*Apr 22 13:07:51.514: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Apr 22 13:07:51.514: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch

*Apr 22 13:07:51.514: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3

*Apr 22 13:07:51.514: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Apr 22 13:07:51.514: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch

*Apr 22 13:07:51.514: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2

*Apr 22 13:07:51.518: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 82.82.82.2

*Apr 22 13:07:51.518: ISAKMP:(0:0:N/A:0): local preshared key found

*Apr 22 13:07:51.518: ISAKMP : Scanning profiles for xauth ...

*Apr 22 13:07:51.518: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy

*Apr 22 13:07:51.518: ISAKMP: encryption DES-CBC

*Apr 22 13:07:51.518: ISAKMP: hash SHA

*Apr 22 13:07:51.518: ISAKMP: default group 1

*Apr 22 13:07:51.518: ISAKMP: auth pre-share

*Apr 22 13:07:51.518: ISAKMP: life type in seconds

*Apr 22 13:07:51.518: ISAKMP: life duration (basic) of 28800

*Apr 22 13:07:51.518: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0

*Apr 22 13:07:51.550: ISAKMP:(0:3:SW:1): processing vendor id payload

*Apr 22 13:07:51.550: ISAKMP:(0:3:SW:1): vendor ID seems Unity/DPD but major 245 mismatch

*Apr 22 13:07:51.550: ISAKMP (0:134217731): vendor ID is NAT-T v7

*Apr 22 13:07:51.550: ISAKMP:(0:3:SW:1): processing vendor id payload

*Apr 22 13:07:51.550: ISAKMP:(0:3:SW:1): vendor ID seems Unity/DPD but major 157 mismatch

*Apr 22 13:07:51.550: ISAKMP:(0:3:SW:1): vendor ID is NAT-T v3

*Apr 22 13:07:51.550: ISAKMP:(0:3:SW:1): processing vendor id payload

*Apr 22 13:07:51.550: ISAKMP:(0:3:SW:1): vendor ID seems Unity/DPD but major 123 mismatch

*Apr 22 13:07:51.554: ISAKMP:(0:3:SW:1): vendor ID is NAT-T v2

*Apr 22 13:07:51.554: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Apr 22 13:07:51.554: ISAKMP:(0:3:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Apr 22 13:07:51.554: ISAKMP:(0:3:SW:1): constructed NAT-T vendor-07 ID

*Apr 22 13:07:51.554: ISAKMP:(0:3:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_SA_SETUP

*Apr 22 13:07:51.554: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Apr 22 13:07:51.554: ISAKMP:(0:3:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2

*Apr 22 13:07:51.762: ISAKMP (0:134217731): received packet from 82.82.82.2 dport 500 sport 500 Global (R) MM_SA_SETUP

*Apr 22 13:07:51.762: ISAKMP:(0:3:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Apr 22 13:07:51.762: ISAKMP:(0:3:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3

*Apr 22 13:07:51.762: ISAKMP:(0:3:SW:1): processing KE payload. message ID = 0

*Apr 22 13:07:51.802: ISAKMP:(0:3:SW:1): processing NONCE payload. message ID = 0

*Apr 22 13:07:51.806: ISAKMP:(0:3:SW:1):found peer pre-shared key matching 82.82.82.2

*Apr 22 13:07:51.806: ISAKMP:(0:3:SW:1):SKEYID state generated

*Apr 22 13:07:51.806: ISAKMP:(0:3:SW:1): processing vendor id payload

*Apr 22 13:07:51.806: ISAKMP:(0:3:SW:1): vendor ID is Unity

*Apr 22 13:07:51.806: ISAKMP:(0:3:SW:1): processing vendor id payload

*Apr 22 13:07:51.806: ISAKMP:(0:3:SW:1): vendor ID is DPD

*Apr 22 13:07:51.806: ISAKMP:(0:3:SW:1): processing vendor id payload

*Apr 22 13:07:51.806: ISAKMP:(0:3:SW:1): speaking to another IOS box!

*Apr 22 13:07:51.806: ISAKMP (0:134217731): NAT found, the node inside NAT

*Apr 22 13:07:51.806: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Apr 22 13:07:51.806: ISAKMP:(0:3:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3

*Apr 22 13:07:51.806: ISAKMP:(0:3:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:07:51.810: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Apr 22 13:07:51.810: ISAKMP:(0:3:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4

*Apr 22 13:08:00.610: ISAKMP:(0:2:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:08:00.610: ISAKMP:(0:2:SW:1):peer does not do paranoid keepalives.

*Apr 22 13:08:00.610: ISAKMP:(0:2:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 82.82.82.2)

*Apr 22 13:08:00.610: ISAKMP:(0:2:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 82.82.82.2)

*Apr 22 13:08:00.610: ISAKMP: Unlocking IKE struct 0x62EEAEB8 for isadb_mark_sa_deleted(), count 0

*Apr 22 13:08:00.610: ISAKMP: Deleting peer node by peer_reap for 82.82.82.2: 62EEAEB8

*Apr 22 13:08:00.610: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Apr 22 13:08:00.610: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM4 New State = IKE_DEST_SA

*Apr 22 13:08:01.810: ISAKMP:(0:3:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:08:01.810: ISAKMP (0:134217731): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Apr 22 13:08:01.810: ISAKMP:(0:3:SW:1): retransmitting phase 1 MM_KEY_EXCH

*Apr 22 13:08:01.810: ISAKMP:(0:3:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:08:11.810: ISAKMP:(0:3:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Apr 22 13:08:11.810: ISAKMP (0:134217731): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Apr 22 13:08:11.810: ISAKMP:(0:3:SW:1): retransmitting phase 1 MM_KEY_EXCH

*Apr 22 13:08:11.810: ISAKMP:(0:3:SW:1): sending packet to 82.82.82.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Apr 22 13:08:21.510: ISAKMP (0:0): received packet from 82.82.82.2 dport 500 sport 500 Global (N) NEW SA

*Apr 22 13:08:21.510: ISAKMP: Created a peer struct for 82.82.82.2, peer port 500

*Apr 22 13:08:21.510: ISAKMP: New peer created peer = 0x62EEAEB8 peer_handle = 0x80000883

*Apr 22 13:08:21.514: ISAKMP: Locking peer struct 0x62EEAEB8, IKE refcount 1 for crypto_isakmp_process_block

*Apr 22 13:08:21.514: ISAKMP: local port 500, remote port 500

*Apr 22 13:08:21.514: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6309CA78

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch

*Apr 22 13:08:21.514: ISAKMP (0:0): vendor ID is NAT-T v7

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0): processing vendor id payload

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 82.82.82.2

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0): local preshared key found

*Apr 22 13:08:21.514: ISAKMP : Scanning profiles for xauth ...

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy

*Apr 22 13:08:21.514: ISAKMP: encryption DES-CBC

*Apr 22 13:08:21.514: ISAKMP: hash SHA

*Apr 22 13:08:21.514: ISAKMP: default group 1

*Apr 22 13:08:21.514: ISAKMP: auth pre-share

*Apr 22 13:08:21.514: ISAKMP: life type in seconds

*Apr 22 13:08:21.514: ISAKMP: life duration (basic) of 28800

*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0

*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1): processing vendor id payload

*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1): vendor ID seems Unity/DPD but major 245 mismatch

*Apr 22 13:08:21.550: ISAKMP (0:134217732): vendor ID is NAT-T v7

*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1): processing vendor id payload

*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1): vendor ID seems Unity/DPD but major 157 mismatch

*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1): vendor ID is NAT-T v3

*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1): processing vendor id payload

*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1): vendor ID seems Unity/DPD but major 123 mismatch

*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1): vendor ID is NAT-T v2

*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1


Reply to
Tomehb
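One way to read a debug of this size, as an added example that is not part of the original thread: the script below groups the ISAKMP lines per SA and reports which negotiations were deleted by retransmission after NAT was detected. The sample lines are constructed in the format of the debug above (SA 2 is a hypothetical healthy negotiation added for contrast), and the mapping of 134217729 to conn-id 1 is an assumption read off the log itself.

```python
import re

# Constructed sample in the format of the debug above. SA 1 stalls after NAT
# detection; SA 2 is a hypothetical healthy negotiation added for contrast.
SAMPLE = """\
*Apr 22 13:06:30.346: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Apr 22 13:06:30.606: ISAKMP (0:134217729): NAT found, the node inside NAT
*Apr 22 13:06:30.606: ISAKMP:(0:1:SW:1):Old State =3D IKE_R_MM3 New State =3D IKE_R_MM4
*Apr 22 13:06:40.606: ISAKMP (0:134217729): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 22 13:07:20.610: ISAKMP (0:134217729): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Apr 22 13:07:30.610: ISAKMP:(0:1:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 82.82.82.2)
*Apr 22 13:07:30.610: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4 New State = IKE_DEST_SA
*Apr 22 13:09:00.100: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Apr 22 13:09:00.300: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
"""

# Matches both "ISAKMP:(0:1:SW:1):msg" and "ISAKMP (0:134217729): msg".
SA_LINE = re.compile(r"ISAKMP\s*:?\s*\(\d+:(\d+)[^)]*\)\s*:?\s*(.*)")
STATE = re.compile(r"New State\s*=(?:3D)?\s*(\S+)")  # tolerates mail-mangled "=3D"
ATTEMPT = re.compile(r"attempt (\d+) of \d+")
DELETED = re.compile(r'deleting SA reason "([^"]+)" state \(\w\) (\S+)')
SW_BASE = 0x8000000  # assumption: 134217729 is logged alongside conn-id 1


def summarize(log_text):
    """Return {conn_id: summary} for every allocated ISAKMP SA in the debug."""
    sas = {}
    for line in log_text.splitlines():
        m = SA_LINE.search(line)
        if not m:
            continue  # lines without an SA id (peer struct messages etc.)
        cid, msg = int(m.group(1)), m.group(2)
        if cid >= SW_BASE:
            cid -= SW_BASE
        if cid == 0:
            continue  # (0:0:N/A:0): no SA allocated yet
        sa = sas.setdefault(cid, {"states": [], "nat": False,
                                  "retransmits": 0, "deleted": None})
        if "NAT found" in msg:
            sa["nat"] = True
        if (s := STATE.search(msg)) and s.group(1) not in sa["states"][-1:]:
            sa["states"].append(s.group(1))
        if a := ATTEMPT.search(msg):
            sa["retransmits"] = max(sa["retransmits"], int(a.group(1)))
        if (d := DELETED.search(msg)) and sa["deleted"] is None:
            last = sa["states"][-1] if sa["states"] else None
            # (reason, ISAKMP state name, last FSM state before deletion)
            sa["deleted"] = (d.group(1), d.group(2), last)
    return sas


def stalled_after_nat(sas):
    """Conn-ids that detected NAT and were then deleted by retransmission."""
    return sorted(cid for cid, sa in sas.items()
                  if sa["nat"] and sa["deleted"]
                  and "retransmission" in sa["deleted"][0])


if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for cid in stalled_after_nat(summary):
        reason, state, fsm = summary[cid]["deleted"]
        # IKE_R_MM4: the responder has sent main-mode message 4 and waits for
        # message 5. With a NAT detected, RFC 3947 has the initiator send that
        # message on UDP 4500, so check that UDP 4500 as well as UDP 500 is
        # permitted and forwarded along the whole path.
        print(f"SA {cid}: {reason!r} in {state} ({fsm}), "
              f"{summary[cid]['retransmits']} retransmits, NAT detected")
```
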

On RouterA -

As already mentioned in bod43's post, change Tunnel1 destination to 10.5.4.70

Add route to 10.5.4.70/32 via upstream router

ip access-list extended CustTunnel
 permit gre host 82.82.82.2 host 10.5.4.70

On RouterB -

ip access-list extended CustTunnel
 permit gre host 10.5.4.70 host 82.82.82.2

Key points -

  1. The ACL for the crypto map should match the traffic we want to encrypt (so only sent traffic matters), and both sides should be mirror copies.

  2. The IPSec tunnel is being established between public IP addresses and NAT'ed on the RouterB side to 10.5.4.70. The GRE tunnel doesn't get NAT processing on account of being encrypted. So source and destination should be the IP addresses before NAT.

Regards, Andrey.

Reply to
Andrey Tarasov


Hello,

I believe that the solution that I proposed is completely and exactly correct.

If you wish me to troubleshoot further please state whether you have followed the proposal exactly and state what symptoms you are seeing.

I think that it is your responsibility to explain to me any divergence from my proposal and to explain in the terms of that proposal exactly what is not working. I perhaps spent an hour working on my previous response. I feel that it is discourteous that you have responded with such an inadequate and limited message.

I hope that I can be of further assistance.

Reply to
bod43

Well, I rushed the reply and I'm truly sorry for this, but just thought I would add it quickly before I left work. I believe I made all of the changes, however I still needed to confirm that all of the correct ports are open on the customer's firewall. I will be writing again, with all of the information, after checking the configurations on Monday. If the configurations differ from your example I will amend the changes; if they don't and it fails to work I will attempt to troubleshoot the problem further and give you appropriate feedback so that you can assist me further. I'm very grateful for your input.... :)

Regards

Thomas

Reply to
Tomehb

Dear me - must stop writing messages after beer.

Bit strong - sorry:)

Reply to
bod43

Thanks guys,

I've got this fully working now, your configuration did work. It seems that the customer misconfigured their firewall...

The connection seems to be fully working so I guess I can ignore..

CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at

Cheers

Tom

Reply to
Tomehb
