Today I would like to work with the new Internet Key Exchange
protocol v2, which was introduced some time ago. This is a totally new
protocol (https://tools.ietf.org/html/rfc7296)
and you can’t consider it as an updated ikev1. You can’t mix these
version because they are not compatible. In my today’s scenario I need
to build the secure connection between two LANs using ASA and Cisco
router (IOS).
Due to many limitation on ASA (IPsec profiles, DVTI, GRE tunnel) the new protocol has totally different configuration steps on IOS and ASA. Let’s start with ASA as the differences between ikev1 and ikev2 are very small.
a) phase 1
b) phase 2
c) tunnel group
d) ACL
e) crypto map
As you see the configuration is very similar to the IKE version 1. Now I configure the same on IOS:
a) phase 1
b) keyring
c) ikev2 profile
d) acl
e) phase 2
f) crypto map
Let’s test the tunnel now:
As you see there is a problem, let’s investigate it:
I’m going to double check parameters of the phase 1:
and ASA:
The difference between these configurations is ‘prf’ parameter. On ASA we can configure it:
but on IOS the parameter is taken from integrity:
Let’s fix it and test it once again:
OK, the problem has been solved, let’s analyze outputs from both devices.
ASA2:
and then on IOS:
and now the phase 2:
ASA2:
and then on the IOS:
Now I would like to look into debug outputs from both devices when the tunnel is established correctly without any issues.
a) phase 1 - IOS
b) phase 1 - ASA
c) phase 2 - IOS
d) phase 2 - ASA
Due to many limitation on ASA (IPsec profiles, DVTI, GRE tunnel) the new protocol has totally different configuration steps on IOS and ASA. Let’s start with ASA as the differences between ikev1 and ikev2 are very small.
a) phase 1
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
b) phase 2
crypto ipsec ikev2 ipsec-proposal IPSEC-PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha-1
c) tunnel group
tunnel-group 8.8.8.1 type ipsec-l2l
tunnel-group 8.8.8.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key cisco123
ikev2 local-authentication pre-shared-key cisco321
d) ACL
access-list VPN extended permit ip host 7.7.7.1 host 9.9.9.9
e) crypto map
crypto map MAPA 10 match address VPN
crypto map MAPA 10 set peer 8.8.8.1
crypto map MAPA 10 set ikev2 ipsec-proposal IPSEC-PROPOSAL
crypto map MAPA interface outside
As you see the configuration is very similar to the IKE version 1. Now I configure the same on IOS:
a) phase 1
crypto ikev2 proposal IKE2-PROPOSAL
encryption aes-cbc-256
integrity sha256
group 5
b) keyring
crypto ikev2 keyring KEYRING
peer asa2
address 8.8.8.2
pre-shared-key local cisco321
pre-shared-key remote cisco123
c) ikev2 profile
crypto ikev2 profile IKEV2-PROFILE
match identity remote address 8.8.8.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
d) acl
access-list 101 permit ip host 9.9.9.9 host 7.7.7.1
e) phase 2
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
f) crypto map
crypto map MAPA 10 ipsec-isakmp
set peer 8.8.8.2
set transform-set TS
match address 101
int fa0/0
crypto map MAPA
Let’s test the tunnel now:
R18#ping 9.9.9.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R18#
As you see there is a problem, let’s investigate it:
asa2# IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=A4B171A515142E51 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-2: (1): Retransmitting packet
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:A4B171A515142E51 - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: A4B171A515142E51 - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 458
SA Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4: last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4: last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
KE Next payload: N, reserved: 0x0, length: 200
DH group: 5, Reserved: 0x0
6b e5 a0 db ad cf e1 03 d3 89 c3 c8 95 50 d6 1b
93 57 e2 52 59 9a 19 99 7f 3e dd 21 e4 24 d3 01
1a b3 2a fc 5d ca 89 41 e4 e9 0e e4 45 e4 33 c9
89 27 c0 c1 06 dd cc 68 8f 9b 0c b2 e2 79 9a cb
a8 73 a4 dc cf ee 8f 96 ce ed 5a ce 9f 6a f0 a8
64 77 44 82 37 9c 46 80 96 19 5e 93 88 a5 40 68
54 30 0c 18 59 32 d8 56 34 85 28 f2 5b 0c 0d 26
7f 32 44 83 57 15 df ac ec a8 ad e4 c8 5a 54 12
c6 de 1c 8b c7 76 19 74 3e 3b 5a fc 38 e4 fe 96
fd 24 bd 7f ab 39 97 ed 05 2e 9e 92 54 6c 76 ec
d5 46 c1 f4 2c 49 95 34 3d 9c 6a d2 7c 4a 8e 75
2e 4a 8c 55 35 1d 60 36 42 7b f1 03 72 ec 4c 79
N Next payload: VID, reserved: 0x0, length: 24
ad 3b c6 3b 72 fd 97 54 c9 08 67 de 96 c2 d3 f3
06 82 d2 a9
VID Next payload: VID, reserved: 0x0, length: 23
43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
53 4f 4e
VID Next payload: NOTIFY, reserved: 0x0, length: 59
43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
73 2c 20 49 6e 63 2e
NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
52 0d a5 af 5d 48 69 a7 1d 34 89 6f 36 48 54 b0
a2 be 29 12
NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: VID, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
ff f2 97 48 11 81 00 9c 40 3d 26 a3 7d 85 f0 62
82 1e 9d 97
VID Next payload: NONE, reserved: 0x0, length: 20
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=A4B171A515142E51 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
%ASA-4-750003: Local:8.8.8.2:500 Remote:8.8.8.1:500 Username:8.8.8.1 Negotiation aborted due to ERROR: Maximum number of retransmissions reached
%ASA-4-752012: IKEv2 was unsuccessful at setting up a tunnel. Map Tag = MAPA. Map Sequence Number = 10.
%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= MAPA. Map Sequence Number = 10.
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=A4B171A515142E51 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=A4B171A515142E51 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT_EXCEED
IKEv2-PROTO-1: (1): Maximum number of retransmissions reached
IKEv2-PROTO-1: (1):
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=A4B171A515142E51 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_FAIL
IKEv2-PROTO-3: (1): Failed SA init exchange
IKEv2-PROTO-1: (1): Initial exchange failed
IKEv2-PROTO-1: (1): Initial exchange failed
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=A4B171A515142E51 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=A4B171A515142E51 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=A4B171A515142E51 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-3: (1): Abort exchange
IKEv2-PROTO-2: (1): Deleting SA
IKEv2-PROTO-5: Process delete IPSec API
IKEv2-PROTO-5: ipsec delete
no de
asa2# no debug all
asa2# %ASA-5-111008: User 'enable_15' executed the 'no debug all' command.
I’m going to double check parameters of the phase 1:
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4: last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
KE Next payload: N, reserved: 0x0, length: 200
DH group: 5, Reserved: 0x0
and ASA:
R17#
*Dec 11 19:54:54.971: IKEv2:Received Packet [From 8.8.8.2:500/To 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 3834FB9D8C70D53C - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID
*Dec 11 19:54:54.987: IKEv2:(SA ID = 1):Verify SA init message
*Dec 11 19:54:54.991: IKEv2:(SA ID = 1):Insert SA
*Dec 11 19:54:54.995: IKEv2:Searching Policy with fvrf 0, local address 8.8.8.1
*Dec 11 19:54:54.999: IKEv2:Using the Default Policy for Proposal
*Dec 11 19:54:54.999: IKEv2:Found Policy 'default'
*Dec 11 19:54:55.007: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*Dec 11 19:54:55.011: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Dec 11 19:54:55.011: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4' 'Trustpool3' 'Trustpool2' 'Trustpool1' 'Trustpool'
*Dec 11 19:54:55.011: IKEv2:(SA ID =
R17#1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Dec 11 19:54:55.015: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Dec 11 19:54:55.015: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Dec 11 19:54:55.015: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Dec 11 19:54:55.015: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
*Dec 11 19:54:55.015: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 11 19:54:55.015: IKEv2:(SA ID = 1):Request queued for computation of DH key
*Dec 11 19:54:55.015: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
*Dec 11 19:54:55.107: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 11 19:54:55.111: IKEv2:(SA ID = 1):Request queued for computation of DH secret
*Dec 11 19:54:55.115: IKEv2:(SA ID = 1):Failed to compute the SKEYSEED
*Dec 11 19:54:55.119: IKEv2:(SA ID = 1):
*Dec
R17# 11 19:54:55.119: IKEv2:(SA ID = 1):Failed SA init exchange
*Dec 11 19:54:55.119: IKEv2:(SA ID = 1):Initial exchange failed
*Dec 11 19:54:55.119: IKEv2:(SA ID = 1):Initial exchange failed
*Dec 11 19:54:55.119: IKEv2:(SA ID = 1):Abort exchange
*Dec 11 19:54:55.119: IKEv2:(SA ID = 1):Deleting SA
*Dec 11 19:54:55.119: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Dec 11 19:54:55.119: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
The difference between these configurations is ‘prf’ parameter. On ASA we can configure it:
crypto ikev2 policy 10
prf sha
but on IOS the parameter is taken from integrity:
crypto ikev2 proposal IKE2-PROPOSAL
integrity sha256
Let’s fix it and test it once again:
asa2# sh run crypto ikev2
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
asa2#
R18#ping 9.9.9.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 64/92/128 ms
R18#
OK, the problem has been solved, let’s analyze outputs from both devices.
ASA2:
asa2# sh crypto ikev2 sa
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
33075769 8.8.8.2/500 8.8.8.1/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/840 sec
Child sa: local selector 7.7.7.1/0 - 7.7.7.1/65535
remote selector 9.9.9.9/0 - 9.9.9.9/65535
ESP spi in/out: 0x7772fe1/0x90760c1
asa2#
asa2# sh crypto ikev2 sa detail
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
33075769 8.8.8.2/500 8.8.8.1/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/911 sec
Session-id: 1
Status Description: Negotiation done
Local spi: D108819E34F142B0 Remote spi: 0B77D1B0B8BE7D79
Local id: 8.8.8.2
Remote id: 8.8.8.1
Local req mess id: 45 Remote req mess id: 0
Local next mess id: 45 Remote next mess id: 0
Local req queued: 45 Remote req queued: 0
Local window: 1 Remote window: 5
DPD configured for 10 seconds, retry 2
NAT-T is not detected
Child sa: local selector 7.7.7.1/0 - 7.7.7.1/65535
remote selector 9.9.9.9/0 - 9.9.9.9/65535
ESP spi in/out: 0x7772fe1/0x90760c1
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
asa2#
and then on IOS:
R17#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 8.8.8.1/500 8.8.8.2/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/957 sec
IPv6 Crypto IKEv2 SA
R17#
R17#sh crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 8.8.8.1/500 8.8.8.2/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/961 sec
CE id: 1001, Session-id: 1
Status Description: Negotiation done
Local spi: 0B77D1B0B8BE7D79 Remote spi: D108819E34F142B0
Local id: 8.8.8.1
Remote id: 8.8.8.2
Local req msg id: 0 Remote req msg id: 47
Local next msg id: 0 Remote next msg id: 47
Local req queued: 0 Remote req queued: 47
Local window: 5 Remote window: 1
DPD configured for 0 seconds, retry 0
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : No
IPv6 Crypto IKEv2 SA
R17#
and now the phase 2:
ASA2:
asa2# sh crypto ipsec sa
interface: outside
Crypto map tag: MAPA, seq num: 10, local addr: 8.8.8.2
access-list VPN extended permit ip host 7.7.7.1 host 9.9.9.9
local ident (addr/mask/prot/port): (7.7.7.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (9.9.9.9/255.255.255.255/0/0)
current_peer: 8.8.8.1
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 8.8.8.2/500, remote crypto endpt.: 8.8.8.1/500
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 090760C1
current inbound spi : 07772FE1
inbound esp sas:
spi: 0x07772FE1 (125251553)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12288, crypto-map: MAPA
sa timing: remaining key lifetime (kB/sec): (4193279/27756)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x090760C1 (151478465)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12288, crypto-map: MAPA
sa timing: remaining key lifetime (kB/sec): (4239359/27756)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
asa2#
and then on the IOS:
R17#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: MAPA, local addr 8.8.8.1
protected vrf: (none)
local ident (addr/mask/prot/port): (9.9.9.9/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (7.7.7.1/255.255.255.255/0/0)
current_peer 8.8.8.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 8.8.8.1, remote crypto endpt.: 8.8.8.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x7772FE1(125251553)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x90760C1(151478465)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, sibling_flags 80000040, crypto map: MAPA
sa timing: remaining key lifetime (k/sec): (4306668/2508)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x7772FE1(125251553)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, sibling_flags 80000040, crypto map: MAPA
sa timing: remaining key lifetime (k/sec): (4306668/2508)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
R17#
R17#sh crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 8.8.8.2 port 500
IKEv2 SA: local 8.8.8.1/500 remote 8.8.8.2/500 Active
IPSEC FLOW: permit ip host 9.9.9.9 host 7.7.7.1
Active SAs: 2, origin: crypto map
R17#sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: FastEthernet0/0
Uptime: 00:18:46
Session status: UP-ACTIVE
Peer: 8.8.8.2 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 8.8.8.2
Desc: (none)
IKEv2 SA: local 8.8.8.1/500 remote 8.8.8.2/500 Active
Capabilities:(none) connid:1 lifetime:23:41:14
IPSEC FLOW: permit ip host 9.9.9.9 host 7.7.7.1
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 4 drop 0 life (KB/Sec) 4306668/2474
Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) 4306668/2474
R17#
Now I would like to look into debug outputs from both devices when the tunnel is established correctly without any issues.
a) phase 1 - IOS
R17#
*Dec 11 20:26:18.559: IKEv2:Received Packet [From 8.8.8.2:500/To 8.8.8.1:500/VRF i0:f0]
Initiator SPI : FBA4D8E0DA62C55D - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID
*Dec 11 20:26:18.579: IKEv2:(SA ID = 1):Verify SA init message
*Dec 11 20:26:18.579: IKEv2:(SA ID = 1):Insert SA
*Dec 11 20:26:18.583: IKEv2:Searching Policy with fvrf 0, local address 8.8.8.1
*Dec 11 20:26:18.587: IKEv2:Using the Default Policy for Proposal
*Dec 11 20:26:18.587: IKEv2:Found Policy 'default'
*Dec 11 20:26:18.595: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*Dec 11 20:26:18.603: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Dec 11 20:26:18.603: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4' 'Trustpool3' 'Trustpool2' 'Trustpool1' 'Trustpool'
*Dec 11 20:26:18.611: IKEv2:(SA ID =
R17#1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Dec 11 20:26:18.611: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Dec 11 20:26:18.611: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Dec 11 20:26:18.611: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Dec 11 20:26:18.611: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
*Dec 11 20:26:18.611: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 11 20:26:18.611: IKEv2:(SA ID = 1):Request queued for computation of DH key
*Dec 11 20:26:18.615: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
*Dec 11 20:26:18.715: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 11 20:26:18.715: IKEv2:(SA ID = 1):Request queued for computation of DH secret
*Dec 11 20:26:18.719: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Dec 11
R17# 20:26:18.719: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Dec 11 20:26:18.723: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Dec 11 20:26:18.723: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
*Dec 11 20:26:18.723: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_1536_MODP/Group 5
*Dec 11 20:26:18.723: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Dec 11 20:26:18.727: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4' 'Trustpool3' 'Trustpool2' 'Trustpool1' 'Trustpool'
*Dec 11 20:26:18.727: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Dec 11 20:26:18.727: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Dec 11 20:26:18.727: IKEv2:(SA ID = 1):Sending Packet [To 8.8.8.2:500/From 8.8.8.1:500/VRF i0:
R17#f0]
Initiator SPI : FBA4D8E0DA62C55D - Responder SPI : 8F1780348F4BD5A2 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
*Dec 11 20:26:18.739: IKEv2:(SA ID = 1):Completed SA init exchange
*Dec 11 20:26:18.743: IKEv2:(SA ID = 1):Starting timer (30 sec) to wait for auth message
*Dec 11 20:26:18.871: IKEv2:(SA ID = 1):Received Packet [From 8.8.8.2:500/To 8.8.8.1:500/VRF i0:f0]
Initiator SPI : FBA4D8E0DA62C55D - Responder SPI : 8F1780348F4BD5A2 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Dec 11 20:26:18.891: IKEv2:(SA ID = 1):Stopping timer to wait for auth message
*Dec 11 20:26:18.895: IKEv2:(SA ID = 1):Checking NAT discovery
*Dec 11 20:26:18.899: IKEv2:(SA ID = 1):NAT not found
*Dec 11 20:
R17#26:18.903: IKEv2:(SA ID = 1):Searching policy based on peer's identity '8.8.8.2' of type 'IPv4 address'
*Dec 11 20:26:18.907: IKEv2:found matching IKEv2 profile 'IKEV2-PROFILE'
*Dec 11 20:26:18.907: IKEv2:% Getting preshared key from profile keyring KEYRING
*Dec 11 20:26:18.911: IKEv2:% Matched peer block 'asa2'
*Dec 11 20:26:18.915: IKEv2:Searching Policy with fvrf 0, local address 8.8.8.1
*Dec 11 20:26:18.915: IKEv2:Using the Default Policy for Proposal
*Dec 11 20:26:18.915: IKEv2:Found Policy 'default'
*Dec 11 20:26:18.915: IKEv2:(SA ID = 1):Verify peer's policy
*Dec 11 20:26:18.919: IKEv2:(SA ID = 1):Peer's policy verified
*Dec 11 20:26:18.919: IKEv2:(SA ID = 1):Get peer's authentication method
*Dec 11 20:26:18.919: IKEv2:(SA ID = 1):Peer's authentication method is 'PSK'
*Dec 11 20:26:18.919: IKEv2:(SA ID = 1):Get peer's preshared key for 8.8.8.2
*Dec 11 20:26:18.919: IKEv2:(SA ID = 1):Verify peer's authentication data
*Dec 11 20:26:18.919: IKEv2:(SA ID = 1):Use presh
R17#ared key for id 8.8.8.2, key len 8
*Dec 11 20:26:18.919: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Dec 11 20:26:18.919: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Dec 11 20:26:18.919: IKEv2:(SA ID = 1):Verification of peer's authenctication data PASSED
*Dec 11 20:26:18.919: IKEv2:(SA ID = 1):Processing INITIAL_CONTACT
*Dec 11 20:26:18.919: IKEv2:(SA ID = 1):Processing IKE_AUTH message
*Dec 11 20:26:18.923: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 12 hmac 2 flags 8177 keysize 256 IDB 0x0
*Dec 11 20:26:18.931: IKEv2:(SA ID = 1):Get my authentication method
*Dec 11 20:26:18.931: IKEv2:(SA ID = 1):My authentication method is 'PSK'
*Dec 11 20:26:18.935: IKEv2:(SA ID = 1):Get peer's preshared key for 8.8.8.2
*Dec 11 20:26:18.939: IKEv2:(SA ID = 1):Generate my authentication data
*Dec 11 20:26:18.943: IKEv2:(SA ID = 1):Use preshared key for id 8.8.8.1, key len 8
*Dec 11 20:26:18.943: IKEv2:[IKEv2 -> Cryp
R17#to Engine] Generate IKEv2 authentication data
*Dec 11 20:26:18.943: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Dec 11 20:26:18.947: IKEv2:(SA ID = 1):Get my authentication method
*Dec 11 20:26:18.947: IKEv2:(SA ID = 1):My authentication method is 'PSK'
*Dec 11 20:26:18.947: IKEv2:(SA ID = 1):Generating IKE_AUTH message
*Dec 11 20:26:18.947: IKEv2:(SA ID = 1):Constructing IDr payload: '8.8.8.1' of type 'IPv4 address'
*Dec 11 20:26:18.947: IKEv2:(SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA96 Don't use ESN
*Dec 11 20:26:18.947: IKEv2:(SA ID = 1):Building packet for encryption.
Payload contents:
VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Dec 11 20:26:18.947: IKEv2:(SA ID = 1):Sending Packet [To 8.8.8.2:500/From 8.8.8.1:500/VRF i0:f0]
Initiator SPI : FBA4D8E0DA62C55D - Responder SPI : 8F1780348F4BD5A2 Message id: 1
IKEv2 IKE
R17#_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Dec 11 20:26:18.955: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Dec 11 20:26:18.959: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Dec 11 20:26:18.959: IKEv2:(SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Dec 11 20:26:18.963: IKEv2:(SA ID = 1):Session with IKE ID PAIR (8.8.8.2, 8.8.8.1) is UP
*Dec 11 20:26:18.967: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Dec 11 20:26:18.971: IKEv2:(SA ID = 1):Load IPSEC key material
*Dec 11 20:26:18.975: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
*Dec 11 20:26:18.975: IKEv2:(SA ID = 1):Asynchronous request queued
*Dec 11 20:26:18.979: IKEv2:(SA ID = 1):
*Dec 11 20:26:19.023: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
*Dec 11 20:26:19.031: IKEv2:(SA ID = 1):Checking for duplicate IKEv2 SA
*Dec 11 20:26:19.035: IKEv2:(SA ID = 1):No dup
R17#licate IKEv2 SA found
*Dec 11 20:26:19.039: IKEv2:(SA ID = 1):Starting timer (8 sec) to delete negotiation context
R17#
b) phase 1 - ASA
asa2# debug crypto ikev2 protocol 127
asa2# %ASA-5-111008: User 'enable_15' executed the 'debug crypto ikev2 protocol 127' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'debug crypto ikev2 protocol 127'
asa2# %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = MAPA. Map Sequence Number = 10.
%ASA-4-752011: IKEv1 Doesn't have a transform set specified
%ASA-5-750001: Local:8.8.8.2:500 Remote:8.8.8.1:500 Username:Unknown Received request to establish an IPsec tunnel; local traffic selector = Address Range: 7.7.7.1-7.7.7.1 Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: 9.9.9.9-9.9.9.9 Protocol: 0 Port Range: 0-65535
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-3: (6): Getting configured policies
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-3: (6): Setting configured policies
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-3: (6): Computing DH public key
IKEv2-PROTO-3: (6):
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-5: (6): Action: Action_Null
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-2: (6): Sending initial message
IKEv2-PROTO-3: IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-5: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-5: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-5: Construct Vendor Specific Payload: FRAGMENTATIONIKEv2-PROTO-3: (6): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:560A72293A3B64F4 - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: 560A72293A3B64F4 - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 458
SA Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4: last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4: last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
KE Next payload: N, reserved: 0x0, length: 200
DH group: 5, Reserved: 0x0
b0 0c ba 71 62 0a 43 55 9f 11 89 de 20 51 f3 3e
8c 10 e2 a5 91 40 52 d6 b4 cd 02 9b c1 98 9c 69
06 5c eb bf 14 e0 75 5b 3a ce 8c 4b c3 12 a2 a3
99 bf 4f ad 39 5f da 22 3d b2 af 60 5f d0 bf c1
e4 8a 3c 03 12 20 d0 01 1d 14 72 2e 2f d0 84 32
39 00 4f 87 86 aa 46 7c 1d aa be 63 97 1f 8f 9f
9d 42 aa 8b 98 9c 43 d8 40 ee c8 45 64 60 a4 f2
a8 cb b3 7d df b5 3b 5c 86 6c fa 4c 72 9b f4 04
65 1f cc e3 9d 5a 5e 19 57 57 6e 20 e0 80 55 fb
ad a0 34 99 11 8b 9a b8 99 e6 3c d4 2a 3b 1b a8
ce 06 e5 3e 5d 66 1b d2 cf ed 93 52 6d a2 a7 4c
2e cf 1d 41 97 e8 ff 4e b2 ed 39 f7 54 50 db b0
N Next payload: VID, reserved: 0x0, length: 24
72 47 ad 6e 73 08 65 79 99 da 84 74 37 2e c6 ef
fd 9f bc df
VID Next payload: VID, reserved: 0x0, length: 23
43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
53 4f 4e
VID Next payload: NOTIFY, reserved: 0x0, length: 59
43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
73 2c 20 49 6e 63 2e
NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
7a b3 fa c9 b0 ff df 95 cf c1 2e 19 cb 99 af e1
a5 46 1f 75
NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: VID, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
84 28 fc 1f fe 34 06 eb cd 70 04 1d f8 c1 86 61
35 8e 0a 7f
VID Next payload: NONE, reserved: 0x0, length: 20
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-3: (6): Insert SA
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:560A72293A3B64F4 - r: 41BE4C8FC9FD61C6]
IKEv2-PROTO-4: IKEV2 HDR ispi: 560A72293A3B64F4 - rspi: 41BE4C8FC9FD61C6
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x0, length: 572
SA Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4: last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4: last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
KE Next payload: N, reserved: 0x0, length: 200
DH group: 5, Reserved: 0x0
54 b1 71 9e e1 9d 1b a4 37 1e c0 08 ca 1b f9 52
f5 9e c8 f9 fb 06 b0 fb 17 6d af 04 0e 9a 46 12
1c ed fc 70 a4 80 48 56 ab fa 08 af 8c 71 a4 0b
48 42 e5 9f 07 52 cb 35 91 76 00 3f ac c0 ab 97
9e 87 98 98 47 6e 99 3c 4f 87 78 a1 fe 9f 99 3e
95 8c 00 dd 6c 58 ec 29 4e 79 42 70 ee 9c 31 98
9e 55 3f 4f 40 6d e8 b2 58 66 89 8e 47 cd 9e da
e4 46 f8 78 0f 09 36 1b e2 4c 8e 87 1b 24 d9 0a
dd d2 67 d9 f3 0e 36 a6 54 38 d8 17 36 00 12 0a
d3 d7 22 6d cf 1d 48 3a 66 ed 62 92 cd 17 cc 73
ad c8 6c 8d e3 21 0d 7e 99 b9 13 4c b2 77 9e d5
a1 61 49 db 08 83 64 11 af ba c0 60 5a 56 a1 e5
N Next payload: VID, reserved: 0x0, length: 24
0c 1c 09 9e 92 ca 3a 7a 18 2f d3 8f 11 a5 a1 92
d8 73 c2 ff
IKEv2-PROTO-5: Parse Vendor Specific Payload: CISCO-DELETE-REASON VID Next payload: VID, reserved: 0x0, length: 23
43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
53 4f 4e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID Next payload: VID, reserved: 0x0, length: 59
43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
73 2c 20 49 6e 63 2e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID Next payload: NOTIFY, reserved: 0x0, length: 21
46 4c 45 58 56 50 4e 2d 53 55 50 50 4f 52 54 45
44
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
6c 45 29 43 7f d8 89 5e 42 49 f7 cf 25 3a b7 31
f4 d7 2c 59
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: CERTREQ, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
4d e3 e5 f7 6d ca 27 6d 24 42 9a f9 ad b3 e9 41
5f 0d 0a e6
CERTREQ Next payload: NOTIFY, reserved: 0x0, length: 105
Cert encoding Hash and URL of PKIX
CertReq data: 100 bytes
IKEv2-PROTO-5: Parse Notify Payload: HTTP_CERT_LOOKUP_SUPPORTED NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: HTTP_CERT_LOOKUP_SUPPORTED
Decrypted packet:Data: 572 bytes
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-5: (6): Processing initial message
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (6): Processing initial message
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-3: (6): Verify SA init message
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-2: (6): Processing initial message
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-3: (6): Process NAT discovery notify
IKEv2-PROTO-5: (6): Processing nat detect src notify
IKEv2-PROTO-5: (6): Remote address matched
IKEv2-PROTO-5: (6): Processing nat detect dst notify
IKEv2-PROTO-5: (6): Local address matched
IKEv2-PROTO-5: (6): No NAT found
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-3: (6): Check NAT discovery
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-3: (6): Computing DH secret key
IKEv2-PROTO-3: (6):
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-5: (6): Action: Action_Null
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-3: (6): Generate skeyid
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-3: (6): Cisco DeleteReason Notify is enabled
IKEv2-PROTO-3: (6): Complete SA init exchange
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (6): Check for EAP exchange
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-3: (6): Generate my authentication data
IKEv2-PROTO-3: (6): Use preshared key for id 8.8.8.2, key len 8
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (6): Get my authentication method
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-3: (6): Check for EAP exchange
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-2: (6): Sending auth message
IKEv2-PROTO-5: Construct Vendor Specific Payload: CISCO-GRANITEIKEv2-PROTO-3: ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA96
IKEv2-PROTO-5: Construct Notify Payload: INITIAL_CONTACTIKEv2-PROTO-5: Construct Notify Payload: ESP_TFC_NO_SUPPORTIKEv2-PROTO-5: Construct Notify Payload: NON_FIRST_FRAGSIKEv2-PROTO-3: (6): Building packet for encryption; contents are:
VID Next payload: IDi, reserved: 0x0, length: 20
54 0a 73 29 29 0c 97 b3 3f 93 22 9f 33 1c 1c 52
IDi Next payload: AUTH, reserved: 0x0, length: 12
Id type: IPv4 address, Reserved: 0x0 0x0
08 08 08 02
AUTH Next payload: SA, reserved: 0x0, length: 40
Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 32 bytes
SA Next payload: TSi, reserved: 0x0, length: 44
IKEv2-PROTO-4: last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4: last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id:
TSi Next payload: TSr, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 7.7.7.1, end addr: 7.7.7.1
TSr Next payload: NOTIFY, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 9.9.9.9, end addr: 9.9.9.9
NOTIFY(INITIAL_CONTACT) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
NOTIFY(ESP_TFC_NO_SUPPORT) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
NOTIFY(NON_FIRST_FRAGS) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
IKEv2-PROTO-3: (6): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:560A72293A3B64F4 - r: 41BE4C8FC9FD61C6]
IKEv2-PROTO-4: IKEV2 HDR ispi: 560A72293A3B64F4 - rspi: 41BE4C8FC9FD61C6
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x1, length: 256
ENCR Next payload: VID, reserved: 0x0, length: 228
Encrypted data: 224 bytes
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RE_XMT
IKEv2-PROTO-2: (6): Retransmitting packet
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:560A72293A3B64F4 - r: 41BE4C8FC9FD61C6]
IKEv2-PROTO-4: IKEV2 HDR ispi: 560A72293A3B64F4 - rspi: 41BE4C8FC9FD61C6
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x1, length: 256
ENCR Next payload: VID, reserved: 0x0, length: 228
Encrypted data: 224 bytes
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
%ASA-5-750006: Local:8.8.8.2:500 Remote:8.8.8.1:500 Username:8.8.8.1 SA UP. Reason: New Connection Established
IKEv2-PROTO-3: %ASA-5-752016: IKEv2 was successful at setting up a tunnel. Map Tag = MAPA. Map Sequence Number = 10.
Rx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:560A72293A3B64F4 - r: 41BE4C8FC9FD61C6]
IKEv2-PROTO-4: IKEV2 HDR ispi: 560A72293A3B64F4 - rspi: 41BE4C8FC9FD61C6
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x1, length: 272
REAL Decrypted packet:Data: 192 bytes
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID Next payload: IDr, reserved: 0x0, length: 20
40 be 4d 8f da ca 92 81 3f 93 22 9f 33 1c 1c 52
IDr Next payload: AUTH, reserved: 0x0, length: 12
Id type: IPv4 address, Reserved: 0x0 0x0
08 08 08 01
AUTH Next payload: SA, reserved: 0x0, length: 40
Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 32 bytes
SA Next payload: TSi, reserved: 0x0, length: 44
IKEv2-PROTO-4: last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4: last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id:
TSi Next payload: TSr, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 7.7.7.1, end addr: 7.7.7.1
TSr Next payload: NOTIFY, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 9.9.9.9, end addr: 9.9.9.9
IKEv2-PROTO-5: Parse Notify Payload: SET_WINDOW_SIZE NOTIFY(SET_WINDOW_SIZE) Next payload: NOTIFY, reserved: 0x0, length: 12
Security protocol id: IKE, spi size: 0, type: SET_WINDOW_SIZE
00 00 00 05
IKEv2-PROTO-5: Parse Notify Payload: ESP_TFC_NO_SUPPORT NOTIFY(ESP_TFC_NO_SUPPORT) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
IKEv2-PROTO-5: Parse Notify Payload: NON_FIRST_FRAGS NOTIFY(NON_FIRST_FRAGS) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
Decrypted packet:Data: 272 bytes
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-5: (6): Action: Action_Null
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (6): Process auth response notify
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-3: (6): Getting configured policies
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-3: (6): Verify peer's policy
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (6): Get peer authentication method
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-3: (6): Get peer's preshared key for 8.8.8.1
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-3: (6): Verify authentication data
IKEv2-PROTO-3: (6): Use preshared key for id 8.8.8.1, key len 8
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (6): Check for EAP exchange
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_SA_TS
IKEv2-PROTO-2: (6): Processing auth message
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-5: (6): Action: Action_Null
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE
IKEv2-PROTO-3: (6): Closing the PKI session
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-2: (6): SA created; inserting SA into database
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PROTO-3: (6):
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PROTO-3: (6): Initializing DPD, configured for 10 seconds
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_GEN_LOAD_IPSEC
IKEv2-PROTO-3: (6): Load IPSEC key material
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_START_ACCT
IKEv2-PROTO-5: (6): Accounting not required
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-3: (6): Checking for duplicate SA
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: READY Event: EV_I_UPDATE_CAC_STATS
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: READY Event: EV_I_OK
IKEv2-PROTO-5: (6): Deleting negotiation context for my message ID: 0x1
asa2#
c) phase 2 - IOS
R17#
*Dec 11 20:57:29.423: IPSEC(validate_proposal_request): proposal part #1
*Dec 11 20:57:29.423: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 8.8.8.1:0, remote= 8.8.8.2:0,
local_proxy= 9.9.9.9/255.255.255.255/256/0,
remote_proxy= 7.7.7.1/255.255.255.255/256/0,
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 11 20:57:29.427: Crypto mapdb : proxy_match
src addr : 9.9.9.9
dst addr : 7.7.7.1
protocol : 0
src port : 0
dst port : 0
*Dec 11 20:57:29.463: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Dec 11 20:57:29.467: Crypto mapdb : proxy_match
src addr : 9.9.9.9
dst addr : 7.7.7.1
protocol : 256
src port : 0
dst port : 0
*Dec 11 20:57:29.471: IPSEC(crypto_ipsec_create_ipsec_sas): Map found MAPA
*Dec 11 20:57:29.475: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with t
R17#he same proxies and peer 8.8.8.2
*Dec 11 20:57:29.491: IPSEC(create_sa): sa created,
(sa) sa_dest= 8.8.8.1, sa_proto= 50,
sa_spi= 0x9ECD60FF(2664259839),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 11
sa_lifetime(k/sec)= (4608000/3600)
*Dec 11 20:57:29.495: IPSEC(create_sa): sa created,
(sa) sa_dest= 8.8.8.2, sa_proto= 50,
sa_spi= 0x63F38ED8(1676906200),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 12
sa_lifetime(k/sec)= (4608000/3600)
*Dec 11 20:57:29.511: IPSEC: Expand action denied, notify RP
R17#
d) phase 2 - ASA
asa2# debug crypto ipsec 127
asa2# %ASA-5-111008: User 'enable_15' executed the 'debug crypto ipsec 127' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'debug crypto ipsec 127'
%ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = MAPA. Map Sequence Number = 10.
%ASA-4-752011: IKEv1 Doesn't have a transform set specified
%ASA-5-750001: Local:8.8.8.2:500 Remote:8.8.8.1:500 Username:Unknown Received request to establish an IPsec tunnel; local traffic selector = Address Range: 7.7.7.1-7.7.7.1 Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: 9.9.9.9-9.9.9.9 Protocol: 0 Port Range: 0-65535
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=7.7.7.1, sport=3072, daddr=9.9.9.9, dport=3072
IPSEC(crypto_map_check)-3: Checking crypto map MAPA 10: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=7.7.7.1, sport=3072, daddr=9.9.9.9, dport=3072
IPSEC(crypto_map_check)-3: Checking crypto map MAPA 10: matched.
IPSEC: New embryonic SA created @ 0xbc3bc470,
SCB: 0xBB9C0D18,
Direction: inbound
SPI : 0x9500080A
Session ID: 0x00007000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
%ASA-5-750006: Local:8.8.8.2:500 Remote:8.8.8.1:500 Username:8.8.8.1 SA UP. Reason: New Connection Established
%ASA-5-752016: IKEv2 was successful at setting up a tunnel. Map Tag = MAPA. Map Sequence Number = 10.
IPSEC: New embryonic SA created @ 0xbc3bb4d0,
SCB: 0xBB9C4370,
Direction: outbound
SPI : 0x98468727
Session ID: 0x00007000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: Completed host OBSA update, SPI 0x98468727
IPSEC: Creating outbound VPN context, SPI 0x98468727
Flags: 0x00000005
SA : 0xbc3bb4d0
SPI : 0x98468727
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00000000
SCB : 0x00135E6B
Channel: 0xb62afb20
IPSEC: Completed outbound VPN context, SPI 0x98468727
VPN handle: 0x00012a6c
IPSEC: New outbound encrypt rule, SPI 0x98468727
Src addr: 7.7.7.1
Src mask: 255.255.255.255
Dst addr: 9.9.9.9
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0x98468727
Rule ID: 0xbc432078
IPSEC: New outbound permit rule, SPI 0x98468727
Src addr: 8.8.8.2
Src mask: 255.255.255.255
Dst addr: 8.8.8.1
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x98468727
Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0x98468727
Rule ID: 0xbc428980
IPSEC: Completed host IBSA update, SPI 0x9500080A
IPSEC: Creating inbound VPN context, SPI 0x9500080A
Flags: 0x00000006
SA : 0xbc3bc470
SPI : 0x9500080A
MTU : 0 bytes
VCID : 0x00000000
Peer : 0x00012A6C
SCB : 0x00117A5F
Channel: 0xb62afb20
IPSEC: Completed inbound VPN context, SPI 0x9500080A
VPN handle: 0x00015f2c
IPSEC: Updating outbound VPN context 0x00012A6C, SPI 0x98468727
Flags: 0x00000005
SA : 0xbc3bb4d0
SPI : 0x98468727
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00015F2C
SCB : 0x00135E6B
Channel: 0xb62afb20
IPSEC: Completed outbound VPN context, SPI 0x98468727
VPN handle: 0x00012a6c
IPSEC: Completed outbound inner rule, SPI 0x98468727
Rule ID: 0xbc432078
IPSEC: Completed outbound outer SPD rule, SPI 0x98468727
Rule ID: 0xbc428980
IPSEC: New inbound tunnel flow rule, SPI 0x9500080A
Src addr: 9.9.9.9
Src mask: 255.255.255.255
Dst addr: 7.7.7.1
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x9500080A
Rule ID: 0xbc396208
IPSEC: New inbound decrypt rule, SPI 0x9500080A
Src addr: 8.8.8.1
Src mask: 255.255.255.255
Dst addr: 8.8.8.2
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x9500080A
Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x9500080A
Rule ID: 0xbc428790
IPSEC: New inbound permit rule, SPI 0x9500080A
Src addr: 8.8.8.1
Src mask: 255.255.255.255
Dst addr: 8.8.8.2
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x9500080A
Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x9500080A
Rule ID: 0xbc43d820
asa2#
In my next post I will study messages which are exchanged between these two peers.
Comments
Post a Comment