
ikev2 - ASA & IOS - part one

Today I would like to work with Internet Key Exchange protocol version 2, which was introduced some time ago. It is a totally new protocol (https://tools.ietf.org/html/rfc7296), not an updated ikev1: the two versions are not compatible and cannot be mixed. In today’s scenario I need to build a secure connection between two LANs using an ASA and a Cisco router (IOS).

ikev2-asa-ios-1-1.jpg

Due to many limitations on ASA (no IPsec profiles, DVTI or GRE tunnels), the configuration steps for the new protocol are quite different on IOS and ASA. Let’s start with ASA, where the differences between ikev1 and ikev2 are very small.

a) phase 1

crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside

b) phase 2

crypto ipsec ikev2 ipsec-proposal IPSEC-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-1

c) tunnel group

tunnel-group 8.8.8.1 type ipsec-l2l
tunnel-group 8.8.8.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco123
 ikev2 local-authentication pre-shared-key cisco321

d) ACL

access-list VPN extended permit ip host 7.7.7.1 host 9.9.9.9

e) crypto map

crypto map MAPA 10 match address VPN
crypto map MAPA 10 set peer 8.8.8.1
crypto map MAPA 10 set ikev2 ipsec-proposal IPSEC-PROPOSAL
crypto map MAPA interface outside

As you can see, the configuration is very similar to IKE version 1. Now I configure the same on IOS:

a) phase 1

crypto ikev2 proposal IKE2-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 5

b) keyring

crypto ikev2 keyring KEYRING
 peer asa2
  address 8.8.8.2
  pre-shared-key local cisco321
  pre-shared-key remote cisco123

c) ikev2 profile

crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 8.8.8.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING

d) acl

access-list 101 permit ip host 9.9.9.9 host 7.7.7.1

e) phase 2

crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac

f) crypto map

crypto map MAPA 10 ipsec-isakmp
 set peer 8.8.8.2
 set transform-set TS
 match address 101

int fa0/0
 crypto map MAPA

Let’s test the tunnel now:

R18#ping 9.9.9.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R18#

As you can see there is a problem; let’s investigate it:

asa2# IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=A4B171A515142E51 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-2: (1): Retransmitting packet
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:A4B171A515142E51 - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: A4B171A515142E51 - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 458
 SA  Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5

 KE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0

 N  Next payload: VID, reserved: 0x0, length: 24

     ad 3b c6 3b 72 fd 97 54 c9 08 67 de 96 c2 d3 f3
     06 82 d2 a9
 VID  Next payload: VID, reserved: 0x0, length: 23

     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
 VID  Next payload: NOTIFY, reserved: 0x0, length: 59

     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     52 0d a5 af 5d 48 69 a7 1d 34 89 6f 36 48 54 b0
     a2 be 29 12
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: VID, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     ff f2 97 48 11 81 00 9c 40 3d 26 a3 7d 85 f0 62
     82 1e 9d 97
 VID  Next payload: NONE, reserved: 0x0, length: 20

     40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3

IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=A4B171A515142E51 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
%ASA-4-750003: Local:8.8.8.2:500 Remote:8.8.8.1:500 Username:8.8.8.1 Negotiation aborted due to ERROR: Maximum number of retransmissions reached
%ASA-4-752012: IKEv2 was unsuccessful at setting up a tunnel.  Map Tag = MAPA.  Map Sequence Number = 10.
%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= MAPA.  Map Sequence Number = 10.
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=A4B171A515142E51 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=A4B171A515142E51 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT_EXCEED
IKEv2-PROTO-1: (1): Maximum number of retransmissions reached
IKEv2-PROTO-1: (1):
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=A4B171A515142E51 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_FAIL
IKEv2-PROTO-3: (1): Failed SA init exchange
IKEv2-PROTO-1: (1): Initial exchange failed
IKEv2-PROTO-1: (1): Initial exchange failed
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=A4B171A515142E51 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=A4B171A515142E51 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=A4B171A515142E51 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-3: (1): Abort exchange
IKEv2-PROTO-2: (1): Deleting SA
IKEv2-PROTO-5: Process delete IPSec API
IKEv2-PROTO-5: ipsec delete
no de
asa2# no debug all
asa2# %ASA-5-111008: User 'enable_15' executed the 'no debug all' command.

I’m going to double-check the phase 1 parameters. The ASA proposes:

IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
 KE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0

and on IOS (R17) the responder fails:

R17#

*Dec 11 19:54:54.971: IKEv2:Received Packet [From 8.8.8.2:500/To 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 3834FB9D8C70D53C - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID

*Dec 11 19:54:54.987: IKEv2:(SA ID = 1):Verify SA init message
*Dec 11 19:54:54.991: IKEv2:(SA ID = 1):Insert SA
*Dec 11 19:54:54.995: IKEv2:Searching Policy with fvrf 0, local address 8.8.8.1
*Dec 11 19:54:54.999: IKEv2:Using the Default Policy for Proposal
*Dec 11 19:54:54.999: IKEv2:Found Policy 'default'
*Dec 11 19:54:55.007: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*Dec 11 19:54:55.011: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Dec 11 19:54:55.011: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4'   'Trustpool3'   'Trustpool2'   'Trustpool1'   'Trustpool'
*Dec 11 19:54:55.011: IKEv2:(SA ID =
R17#1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Dec 11 19:54:55.015: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Dec 11 19:54:55.015: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Dec 11 19:54:55.015: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Dec 11 19:54:55.015: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
*Dec 11 19:54:55.015: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 11 19:54:55.015: IKEv2:(SA ID = 1):Request queued for computation of DH key
*Dec 11 19:54:55.015: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
*Dec 11 19:54:55.107: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 11 19:54:55.111: IKEv2:(SA ID = 1):Request queued for computation of DH secret
*Dec 11 19:54:55.115: IKEv2:(SA ID = 1):Failed to compute the SKEYSEED

*Dec 11 19:54:55.119: IKEv2:(SA ID = 1):
*Dec
R17# 11 19:54:55.119: IKEv2:(SA ID = 1):Failed SA init exchange
*Dec 11 19:54:55.119: IKEv2:(SA ID = 1):Initial exchange failed

*Dec 11 19:54:55.119: IKEv2:(SA ID = 1):Initial exchange failed
*Dec 11 19:54:55.119: IKEv2:(SA ID = 1):Abort exchange
*Dec 11 19:54:55.119: IKEv2:(SA ID = 1):Deleting SA
*Dec 11 19:54:55.119: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
 *Dec 11 19:54:55.119: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED

The difference between these configurations is the ‘prf’ parameter. On ASA we configure it explicitly:

crypto ikev2 policy 10
 prf sha

but on IOS the PRF is taken from the integrity algorithm:

crypto ikev2 proposal IKE2-PROPOSAL
  integrity sha256
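
To make this kind of mismatch easier to spot, here is an added Python script (not from the original post) that parses the transform list from the ASA ‘debug crypto ikev2 protocol’ output, models the IOS rule that the PRF follows the integrity algorithm, and reports which RFC 7296 transform type the two sides disagree on. The debug lines embedded in it are copied from this page; the nonces and DH secret used in the SKEYSEED check are constructed values.

```python
import hashlib
import hmac
import re

# Transform types from RFC 7296 section 3.3.2. The ASA "debug crypto ikev2
# protocol" output on this page prints them as "type: N"; type 2 is the PRF
# and type 3 the integrity algorithm, which is exactly where the two devices
# disagreed (SHA1 vs SHA256).
TRANSFORM_TYPES = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH", 5: "ESN"}

TRANSFORM_RE = re.compile(
    r"^\s*type:\s*(\d+),\s*reserved:\s*0x[0-9a-fA-F]+,\s*id:\s*(.+?)\s*$",
    re.MULTILINE,
)


def parse_asa_proposal(debug_text):
    """Extract {transform type: algorithm id} from an ASA IKE_SA_INIT SA dump."""
    proposal = {}
    for match in TRANSFORM_RE.finditer(debug_text):
        ttype, alg = int(match.group(1)), match.group(2)
        proposal[TRANSFORM_TYPES.get(ttype, "TYPE%d" % ttype)] = alg
    return proposal


# How the IOS proposal keywords appear in the debug output on this page. Only
# the algorithms used on the page (plus sha1 for the failing case) are mapped.
IOS_ALG_WIRE_NAME = {
    "aes-cbc-128": "AES-CBC", "aes-cbc-192": "AES-CBC", "aes-cbc-256": "AES-CBC",
    "sha1": "SHA1", "sha256": "SHA256",
}
IOS_GROUP_WIRE_NAME = {5: "DH_GROUP_1536_MODP/Group 5"}


def ios_proposal(encryption, integrity, group):
    """Model 'crypto ikev2 proposal' as configured on this page: no PRF is
    set, so the PRF transform is taken from the integrity algorithm."""
    return {
        "ENCR": IOS_ALG_WIRE_NAME[encryption],
        "PRF": IOS_ALG_WIRE_NAME[integrity],
        "INTEG": IOS_ALG_WIRE_NAME[integrity],
        "DH": IOS_GROUP_WIRE_NAME[group],
    }


def compare_proposals(initiator, responder):
    """Return [(transform type, initiator id, responder id)] for every
    transform the two sides do not agree on."""
    return [
        (ttype, initiator.get(ttype), responder.get(ttype))
        for ttype in ("ENCR", "PRF", "INTEG", "DH")
        if initiator.get(ttype) != responder.get(ttype)
    ]


PRF_HASH = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256}


def skeyseed(prf_id, ni, nr, g_ir):
    """SKEYSEED = prf(Ni | Nr, g^ir), RFC 7296 section 2.14. Both peers must
    use the same PRF here or every key derived afterwards differs."""
    return hmac.new(ni + nr, g_ir, PRF_HASH[prf_id]).digest()


# Transform lines copied from the failing ASA debug on this page (prf sha).
FAILING_ASA_DEBUG = """\
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
"""
# The same lines after 'prf sha256' was configured on the ASA.
FIXED_ASA_DEBUG = FAILING_ASA_DEBUG.replace("id: SHA1", "id: SHA256")

# The IOS side from this page: aes-cbc-256 / sha256 / group 5.
IOS_IKE2_PROPOSAL = ios_proposal("aes-cbc-256", "sha256", 5)


def diagnose(asa_debug):
    """Compare an ASA SA-payload dump against the IOS proposal from this page."""
    return compare_proposals(parse_asa_proposal(asa_debug), IOS_IKE2_PROPOSAL)


if __name__ == "__main__":
    for label, text in (("before fix", FAILING_ASA_DEBUG), ("after fix", FIXED_ASA_DEBUG)):
        print(label + ":", diagnose(text) or "proposals agree")
    # Constructed nonces and DH secret, only to show that the two PRFs give
    # different SKEYSEED values from identical inputs.
    ni, nr, g_ir = b"\x11" * 20, b"\x22" * 20, b"\x33" * 192
    print("SHA1 and SHA256 SKEYSEED differ:",
          skeyseed("SHA1", ni, nr, g_ir) != skeyseed("SHA256", ni, nr, g_ir))
```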

Let’s fix it and test it once again:

asa2# sh run crypto ikev2
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 5
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside 
 
asa2#
R18#ping 9.9.9.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 64/92/128 ms
R18#

OK, the problem is solved; let’s analyze the outputs from both devices.

ASA2:

asa2# sh crypto ikev2 sa

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
 33075769           8.8.8.2/500           8.8.8.1/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/840 sec
Child sa: local selector  7.7.7.1/0 - 7.7.7.1/65535
          remote selector 9.9.9.9/0 - 9.9.9.9/65535
          ESP spi in/out: 0x7772fe1/0x90760c1
asa2#
 
asa2# sh crypto ikev2 sa detail

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
 33075769           8.8.8.2/500           8.8.8.1/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/911 sec
      Session-id: 1
      Status Description: Negotiation done
      Local spi: D108819E34F142B0       Remote spi: 0B77D1B0B8BE7D79
      Local id: 8.8.8.2
      Remote id: 8.8.8.1
      Local req mess id: 45             Remote req mess id: 0
      Local next mess id: 45            Remote next mess id: 0
      Local req queued: 45              Remote req queued: 0
      Local window: 1                   Remote window: 5
      DPD configured for 10 seconds, retry 2
      NAT-T is not detected
Child sa: local selector  7.7.7.1/0 - 7.7.7.1/65535
          remote selector 9.9.9.9/0 - 9.9.9.9/65535
          ESP spi in/out: 0x7772fe1/0x90760c1
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
asa2#

and then on IOS:

R17#sh crypto ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         8.8.8.1/500           8.8.8.2/500           none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/957 sec

 IPv6 Crypto IKEv2  SA

R17#
R17#sh crypto ikev2 sa detailed
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         8.8.8.1/500           8.8.8.2/500           none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/961 sec
      CE id: 1001, Session-id: 1
      Status Description: Negotiation done
      Local spi: 0B77D1B0B8BE7D79       Remote spi: D108819E34F142B0
      Local id: 8.8.8.1
      Remote id: 8.8.8.2
      Local req msg id:  0              Remote req msg id:  47
      Local next msg id: 0              Remote next msg id: 47
      Local req queued:  0              Remote req queued:  47
      Local window:      5              Remote window:      1
      DPD configured for 0 seconds, retry 0
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : No

 IPv6 Crypto IKEv2  SA

R17#

and now the phase 2:

ASA2:

asa2# sh crypto ipsec sa
interface: outside
    Crypto map tag: MAPA, seq num: 10, local addr: 8.8.8.2

      access-list VPN extended permit ip host 7.7.7.1 host 9.9.9.9
      local ident (addr/mask/prot/port): (7.7.7.1/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (9.9.9.9/255.255.255.255/0/0)
      current_peer: 8.8.8.1

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 8.8.8.2/500, remote crypto endpt.: 8.8.8.1/500
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 090760C1
      current inbound spi : 07772FE1

    inbound esp sas:
      spi: 0x07772FE1 (125251553)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (4193279/27756)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0x090760C1 (151478465)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (4239359/27756)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

asa2#

and then on IOS:

R17#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: MAPA, local addr 8.8.8.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (9.9.9.9/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (7.7.7.1/255.255.255.255/0/0)
   current_peer 8.8.8.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 8.8.8.1, remote crypto endpt.: 8.8.8.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x7772FE1(125251553)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x90760C1(151478465)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: 1, sibling_flags 80000040, crypto map: MAPA
        sa timing: remaining key lifetime (k/sec): (4306668/2508)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7772FE1(125251553)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: 2, sibling_flags 80000040, crypto map: MAPA
        sa timing: remaining key lifetime (k/sec): (4306668/2508)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
R17#
R17#sh crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 8.8.8.2 port 500
  IKEv2 SA: local 8.8.8.1/500 remote 8.8.8.2/500 Active
  IPSEC FLOW: permit ip host 9.9.9.9 host 7.7.7.1
        Active SAs: 2, origin: crypto map
R17#sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet0/0
Uptime: 00:18:46
Session status: UP-ACTIVE
Peer: 8.8.8.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 8.8.8.2
      Desc: (none)
  IKEv2 SA: local 8.8.8.1/500 remote 8.8.8.2/500 Active
          Capabilities:(none) connid:1 lifetime:23:41:14
  IPSEC FLOW: permit ip host 9.9.9.9 host 7.7.7.1
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) 4306668/2474
        Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) 4306668/2474

R17#

Now I would like to look at the debug outputs from both devices when the tunnel is established correctly, without any issues.

a) phase 1 - IOS

R17#

*Dec 11 20:26:18.559: IKEv2:Received Packet [From 8.8.8.2:500/To 8.8.8.1:500/VRF i0:f0]
Initiator SPI : FBA4D8E0DA62C55D - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID

*Dec 11 20:26:18.579: IKEv2:(SA ID = 1):Verify SA init message
*Dec 11 20:26:18.579: IKEv2:(SA ID = 1):Insert SA
*Dec 11 20:26:18.583: IKEv2:Searching Policy with fvrf 0, local address 8.8.8.1
*Dec 11 20:26:18.587: IKEv2:Using the Default Policy for Proposal
*Dec 11 20:26:18.587: IKEv2:Found Policy 'default'
*Dec 11 20:26:18.595: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*Dec 11 20:26:18.603: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Dec 11 20:26:18.603: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4'   'Trustpool3'   'Trustpool2'   'Trustpool1'   'Trustpool'
*Dec 11 20:26:18.611: IKEv2:(SA ID =
R17#1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Dec 11 20:26:18.611: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Dec 11 20:26:18.611: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Dec 11 20:26:18.611: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Dec 11 20:26:18.611: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
*Dec 11 20:26:18.611: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 11 20:26:18.611: IKEv2:(SA ID = 1):Request queued for computation of DH key
*Dec 11 20:26:18.615: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
*Dec 11 20:26:18.715: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 11 20:26:18.715: IKEv2:(SA ID = 1):Request queued for computation of DH secret
*Dec 11 20:26:18.719: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Dec 11
R17# 20:26:18.719: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Dec 11 20:26:18.723: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Dec 11 20:26:18.723: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
*Dec 11 20:26:18.723: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA256   SHA256   DH_GROUP_1536_MODP/Group 5
*Dec 11 20:26:18.723: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Dec 11 20:26:18.727: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4'   'Trustpool3'   'Trustpool2'   'Trustpool1'   'Trustpool'
*Dec 11 20:26:18.727: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Dec 11 20:26:18.727: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED

*Dec 11 20:26:18.727: IKEv2:(SA ID = 1):Sending Packet [To 8.8.8.2:500/From 8.8.8.1:500/VRF i0:
R17#f0]
Initiator SPI : FBA4D8E0DA62C55D - Responder SPI : 8F1780348F4BD5A2 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)

*Dec 11 20:26:18.739: IKEv2:(SA ID = 1):Completed SA init exchange
*Dec 11 20:26:18.743: IKEv2:(SA ID = 1):Starting timer (30 sec) to wait for auth message

*Dec 11 20:26:18.871: IKEv2:(SA ID = 1):Received Packet [From 8.8.8.2:500/To 8.8.8.1:500/VRF i0:f0]
Initiator SPI : FBA4D8E0DA62C55D - Responder SPI : 8F1780348F4BD5A2 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Dec 11 20:26:18.891: IKEv2:(SA ID = 1):Stopping timer to wait for auth message
*Dec 11 20:26:18.895: IKEv2:(SA ID = 1):Checking NAT discovery
*Dec 11 20:26:18.899: IKEv2:(SA ID = 1):NAT not found
*Dec 11 20:
R17#26:18.903: IKEv2:(SA ID = 1):Searching policy based on peer's identity '8.8.8.2' of type 'IPv4 address'
*Dec 11 20:26:18.907: IKEv2:found matching IKEv2 profile 'IKEV2-PROFILE'
*Dec 11 20:26:18.907: IKEv2:% Getting preshared key from profile keyring KEYRING
*Dec 11 20:26:18.911: IKEv2:% Matched peer block 'asa2'
*Dec 11 20:26:18.915: IKEv2:Searching Policy with fvrf 0, local address 8.8.8.1
*Dec 11 20:26:18.915: IKEv2:Using the Default Policy for Proposal
*Dec 11 20:26:18.915: IKEv2:Found Policy 'default'
*Dec 11 20:26:18.915: IKEv2:(SA ID = 1):Verify peer's policy
*Dec 11 20:26:18.919: IKEv2:(SA ID = 1):Peer's policy verified
*Dec 11 20:26:18.919: IKEv2:(SA ID = 1):Get peer's authentication method
*Dec 11 20:26:18.919: IKEv2:(SA ID = 1):Peer's authentication method is 'PSK'
*Dec 11 20:26:18.919: IKEv2:(SA ID = 1):Get peer's preshared key for 8.8.8.2
*Dec 11 20:26:18.919: IKEv2:(SA ID = 1):Verify peer's authentication data
*Dec 11 20:26:18.919: IKEv2:(SA ID = 1):Use presh
R17#ared key for id 8.8.8.2, key len 8
*Dec 11 20:26:18.919: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Dec 11 20:26:18.919: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Dec 11 20:26:18.919: IKEv2:(SA ID = 1):Verification of peer's authenctication data PASSED
*Dec 11 20:26:18.919: IKEv2:(SA ID = 1):Processing INITIAL_CONTACT
*Dec 11 20:26:18.919: IKEv2:(SA ID = 1):Processing IKE_AUTH message
*Dec 11 20:26:18.923: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 2 flags 8177 keysize 256 IDB 0x0
*Dec 11 20:26:18.931: IKEv2:(SA ID = 1):Get my authentication method
*Dec 11 20:26:18.931: IKEv2:(SA ID = 1):My authentication method is 'PSK'
*Dec 11 20:26:18.935: IKEv2:(SA ID = 1):Get peer's preshared key for 8.8.8.2
*Dec 11 20:26:18.939: IKEv2:(SA ID = 1):Generate my authentication data
*Dec 11 20:26:18.943: IKEv2:(SA ID = 1):Use preshared key for id 8.8.8.1, key len 8
*Dec 11 20:26:18.943: IKEv2:[IKEv2 -> Cryp
R17#to Engine] Generate IKEv2 authentication data
*Dec 11 20:26:18.943: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Dec 11 20:26:18.947: IKEv2:(SA ID = 1):Get my authentication method
*Dec 11 20:26:18.947: IKEv2:(SA ID = 1):My authentication method is 'PSK'
*Dec 11 20:26:18.947: IKEv2:(SA ID = 1):Generating IKE_AUTH message
*Dec 11 20:26:18.947: IKEv2:(SA ID = 1):Constructing IDr payload: '8.8.8.1' of type 'IPv4 address'
*Dec 11 20:26:18.947: IKEv2:(SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
   AES-CBC   SHA96   Don't use ESN
*Dec 11 20:26:18.947: IKEv2:(SA ID = 1):Building packet for encryption.
Payload contents:
 VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Dec 11 20:26:18.947: IKEv2:(SA ID = 1):Sending Packet [To 8.8.8.2:500/From 8.8.8.1:500/VRF i0:f0]
Initiator SPI : FBA4D8E0DA62C55D - Responder SPI : 8F1780348F4BD5A2 Message id: 1
IKEv2 IKE
R17#_AUTH Exchange RESPONSE
Payload contents:
 ENCR

*Dec 11 20:26:18.955: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Dec 11 20:26:18.959: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Dec 11 20:26:18.959: IKEv2:(SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Dec 11 20:26:18.963: IKEv2:(SA ID = 1):Session with IKE ID PAIR (8.8.8.2, 8.8.8.1) is UP
*Dec 11 20:26:18.967: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Dec 11 20:26:18.971: IKEv2:(SA ID = 1):Load IPSEC key material
*Dec 11 20:26:18.975: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
*Dec 11 20:26:18.975: IKEv2:(SA ID = 1):Asynchronous request queued

*Dec 11 20:26:18.979: IKEv2:(SA ID = 1):
*Dec 11 20:26:19.023: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
*Dec 11 20:26:19.031: IKEv2:(SA ID = 1):Checking for duplicate IKEv2 SA
*Dec 11 20:26:19.035: IKEv2:(SA ID = 1):No dup
R17#licate IKEv2 SA found
*Dec 11 20:26:19.039: IKEv2:(SA ID = 1):Starting timer (8 sec) to delete negotiation context
R17#

b) phase 1 - ASA

asa2# debug crypto ikev2 protocol 127
asa2# %ASA-5-111008: User 'enable_15' executed the 'debug crypto ikev2 protocol 127' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'debug crypto ikev2 protocol 127'

asa2# %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2.  Map Tag = MAPA.  Map Sequence Number = 10.
%ASA-4-752011: IKEv1 Doesn't have a transform set specified
%ASA-5-750001: Local:8.8.8.2:500 Remote:8.8.8.1:500 Username:Unknown Received request to establish an IPsec tunnel; local traffic selector = Address Range: 7.7.7.1-7.7.7.1 Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: 9.9.9.9-9.9.9.9 Protocol: 0 Port Range: 0-65535
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-3: (6): Getting configured policies
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-3: (6): Setting configured policies
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-3: (6): Computing DH public key
IKEv2-PROTO-3: (6):
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-5: (6): Action: Action_Null
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-2: (6): Sending initial message
IKEv2-PROTO-3:   IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA256   SHA256   DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-5: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-5: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-5: Construct Vendor Specific Payload: FRAGMENTATIONIKEv2-PROTO-3: (6): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:560A72293A3B64F4 - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: 560A72293A3B64F4 - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 458
 SA  Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5

 KE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0

 N  Next payload: VID, reserved: 0x0, length: 24

     72 47 ad 6e 73 08 65 79 99 da 84 74 37 2e c6 ef
     fd 9f bc df
 VID  Next payload: VID, reserved: 0x0, length: 23

     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
 VID  Next payload: NOTIFY, reserved: 0x0, length: 59

     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     7a b3 fa c9 b0 ff df 95 cf c1 2e 19 cb 99 af e1
     a5 46 1f 75
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: VID, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     84 28 fc 1f fe 34 06 eb cd 70 04 1d f8 c1 86 61
     35 8e 0a 7f
 VID  Next payload: NONE, reserved: 0x0, length: 20

     40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3

IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-3: (6): Insert SA
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:560A72293A3B64F4 - r: 41BE4C8FC9FD61C6]
IKEv2-PROTO-4: IKEV2 HDR ispi: 560A72293A3B64F4 - rspi: 41BE4C8FC9FD61C6
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x0, length: 572

 SA  Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5

 KE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0

     54 b1 71 9e e1 9d 1b a4 37 1e c0 08 ca 1b f9 52
     f5 9e c8 f9 fb 06 b0 fb 17 6d af 04 0e 9a 46 12
     1c ed fc 70 a4 80 48 56 ab fa 08 af 8c 71 a4 0b
     48 42 e5 9f 07 52 cb 35 91 76 00 3f ac c0 ab 97
     9e 87 98 98 47 6e 99 3c 4f 87 78 a1 fe 9f 99 3e
     95 8c 00 dd 6c 58 ec 29 4e 79 42 70 ee 9c 31 98
     9e 55 3f 4f 40 6d e8 b2 58 66 89 8e 47 cd 9e da
     e4 46 f8 78 0f 09 36 1b e2 4c 8e 87 1b 24 d9 0a
     dd d2 67 d9 f3 0e 36 a6 54 38 d8 17 36 00 12 0a
     d3 d7 22 6d cf 1d 48 3a 66 ed 62 92 cd 17 cc 73
     ad c8 6c 8d e3 21 0d 7e 99 b9 13 4c b2 77 9e d5
     a1 61 49 db 08 83 64 11 af ba c0 60 5a 56 a1 e5
 N  Next payload: VID, reserved: 0x0, length: 24

     0c 1c 09 9e 92 ca 3a 7a 18 2f d3 8f 11 a5 a1 92
     d8 73 c2 ff
IKEv2-PROTO-5: Parse Vendor Specific Payload: CISCO-DELETE-REASON VID  Next payload: VID, reserved: 0x0, length: 23

     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: VID, reserved: 0x0, length: 59

     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: NOTIFY, reserved: 0x0, length: 21

     46 4c 45 58 56 50 4e 2d 53 55 50 50 4f 52 54 45
     44
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     6c 45 29 43 7f d8 89 5e 42 49 f7 cf 25 3a b7 31
     f4 d7 2c 59
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: CERTREQ, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     4d e3 e5 f7 6d ca 27 6d 24 42 9a f9 ad b3 e9 41
     5f 0d 0a e6
 CERTREQ  Next payload: NOTIFY, reserved: 0x0, length: 105
    Cert encoding Hash and URL of PKIX
CertReq data: 100 bytes
IKEv2-PROTO-5: Parse Notify Payload: HTTP_CERT_LOOKUP_SUPPORTED NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: HTTP_CERT_LOOKUP_SUPPORTED

Decrypted packet:Data: 572 bytes
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-5: (6): Processing initial message
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (6): Processing initial message
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-3: (6): Verify SA init message
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-2: (6): Processing initial message
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-3: (6): Process NAT discovery notify
IKEv2-PROTO-5: (6): Processing nat detect src notify
IKEv2-PROTO-5: (6): Remote address matched
IKEv2-PROTO-5: (6): Processing nat detect dst notify
IKEv2-PROTO-5: (6): Local address matched
IKEv2-PROTO-5: (6): No NAT found
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-3: (6): Check NAT discovery
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-3: (6): Computing DH secret key
IKEv2-PROTO-3: (6):
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-5: (6): Action: Action_Null
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-3: (6): Generate skeyid
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-3: (6): Cisco DeleteReason Notify is enabled
IKEv2-PROTO-3: (6): Complete SA init exchange
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (6): Check for EAP exchange
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-3: (6): Generate my authentication data
IKEv2-PROTO-3: (6): Use preshared key for id 8.8.8.2, key len 8
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (6): Get my authentication method
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-3: (6): Check for EAP exchange
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-2: (6): Sending auth message
IKEv2-PROTO-5: Construct Vendor Specific Payload: CISCO-GRANITEIKEv2-PROTO-3:   ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
   AES-CBC   SHA96
IKEv2-PROTO-5: Construct Notify Payload: INITIAL_CONTACTIKEv2-PROTO-5: Construct Notify Payload: ESP_TFC_NO_SUPPORTIKEv2-PROTO-5: Construct Notify Payload: NON_FIRST_FRAGSIKEv2-PROTO-3: (6): Building packet for encryption; contents are:
 VID  Next payload: IDi, reserved: 0x0, length: 20

     54 0a 73 29 29 0c 97 b3 3f 93 22 9f 33 1c 1c 52
 IDi  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0

     08 08 08 02
 AUTH  Next payload: SA, reserved: 0x0, length: 40
    Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 32 bytes
 SA  Next payload: TSi, reserved: 0x0, length: 44
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id:

 TSi  Next payload: TSr, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 7.7.7.1, end addr: 7.7.7.1
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 9.9.9.9, end addr: 9.9.9.9
 NOTIFY(INITIAL_CONTACT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
 NOTIFY(ESP_TFC_NO_SUPPORT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
 NOTIFY(NON_FIRST_FRAGS)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS

IKEv2-PROTO-3: (6): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:560A72293A3B64F4 - r: 41BE4C8FC9FD61C6]
IKEv2-PROTO-4: IKEV2 HDR ispi: 560A72293A3B64F4 - rspi: 41BE4C8FC9FD61C6
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x1, length: 256
 ENCR  Next payload: VID, reserved: 0x0, length: 228
Encrypted data: 224 bytes

IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RE_XMT
IKEv2-PROTO-2: (6): Retransmitting packet
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:560A72293A3B64F4 - r: 41BE4C8FC9FD61C6]
IKEv2-PROTO-4: IKEV2 HDR ispi: 560A72293A3B64F4 - rspi: 41BE4C8FC9FD61C6
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x1, length: 256
 ENCR  Next payload: VID, reserved: 0x0, length: 228
Encrypted data: 224 bytes

IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
%ASA-5-750006: Local:8.8.8.2:500 Remote:8.8.8.1:500 Username:8.8.8.1 SA UP. Reason: New Connection Established
IKEv2-PROTO-3: %ASA-5-752016: IKEv2 was successful at setting up a tunnel.  Map Tag = MAPA. Map Sequence Number = 10.
Rx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:560A72293A3B64F4 - r: 41BE4C8FC9FD61C6]
IKEv2-PROTO-4: IKEV2 HDR ispi: 560A72293A3B64F4 - rspi: 41BE4C8FC9FD61C6
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x1, length: 272

REAL Decrypted packet:Data: 192 bytes
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: IDr, reserved: 0x0, length: 20

     40 be 4d 8f da ca 92 81 3f 93 22 9f 33 1c 1c 52
 IDr  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0

     08 08 08 01
 AUTH  Next payload: SA, reserved: 0x0, length: 40
    Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 32 bytes
 SA  Next payload: TSi, reserved: 0x0, length: 44
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id:

 TSi  Next payload: TSr, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 7.7.7.1, end addr: 7.7.7.1
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 9.9.9.9, end addr: 9.9.9.9
IKEv2-PROTO-5: Parse Notify Payload: SET_WINDOW_SIZE NOTIFY(SET_WINDOW_SIZE)  Next payload: NOTIFY, reserved: 0x0, length: 12
    Security protocol id: IKE, spi size: 0, type: SET_WINDOW_SIZE

     00 00 00 05
IKEv2-PROTO-5: Parse Notify Payload: ESP_TFC_NO_SUPPORT NOTIFY(ESP_TFC_NO_SUPPORT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
IKEv2-PROTO-5: Parse Notify Payload: NON_FIRST_FRAGS NOTIFY(NON_FIRST_FRAGS)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS

Decrypted packet:Data: 272 bytes
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-5: (6): Action: Action_Null
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (6): Process auth response notify
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-3: (6): Getting configured policies
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-3: (6): Verify peer's policy
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (6): Get peer authentication method
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-3: (6): Get peer's preshared key for 8.8.8.1
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-3: (6): Verify authentication data
IKEv2-PROTO-3: (6): Use preshared key for id 8.8.8.1, key len 8
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (6): Check for EAP exchange
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_SA_TS
IKEv2-PROTO-2: (6): Processing auth message
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-5: (6): Action: Action_Null
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE
IKEv2-PROTO-3: (6): Closing the PKI session
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-2: (6): SA created; inserting SA into database
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PROTO-3: (6):
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PROTO-3: (6): Initializing DPD, configured for 10 seconds
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_GEN_LOAD_IPSEC
IKEv2-PROTO-3: (6): Load IPSEC key material
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_START_ACCT
IKEv2-PROTO-5: (6): Accounting not required
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-3: (6): Checking for duplicate SA
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: READY Event: EV_I_UPDATE_CAC_STATS
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=560A72293A3B64F4 R_SPI=41BE4C8FC9FD61C6 (I) MsgID = 00000001 CurState: READY Event: EV_I_OK
IKEv2-PROTO-5: (6): Deleting negotiation context for my message ID: 0x1

asa2# 
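The ASA `debug crypto ikev2 protocol` output above is long, and the parts that matter for a review are spread through it: which exchange each message belongs to, the payload chain, the vendor ID strings the peers exchange (the hex dumps are ASCII: `43 49 53 43 4f 2d ...` is `CISCO-DELETE-REASON`), the NAT-detection result, and the single proposal the responder accepted. The following Python script is an added example and not part of the original post or of any Cisco tooling; it parses a constructed excerpt of the debug lines shown above into messages, decodes the VID bodies, extracts the accepted IKE and ESP transforms, and flags parameters that RFC 8247 rates SHOULD NOT or MUST NOT. The regular expressions are written against the exact text format printed above, which is an assumption about other ASA releases, and the `legacy_parameters` list is limited to the cases I am certain of (MODP groups 1, 2 and 5, MD5, 3DES).

```python
import re

# Constructed sample: an excerpt of the ASA "debug crypto ikev2 protocol" output above
# (IKE_SA_INIT request and reply, then the decrypted IKE_AUTH reply). Unrecognised lines,
# such as the state-machine traces, are skipped.
SAMPLE = """\
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
 VID  Next payload: VID, reserved: 0x0, length: 23
     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
IKEv2-PROTO-3: Rx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE
 SA  Next payload: KE, reserved: 0x0, length: 48
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
    type: 1, reserved: 0x0, id: AES-CBC
    type: 2, reserved: 0x0, id: SHA256
    type: 3, reserved: 0x0, id: SHA256
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: NOTIFY, reserved: 0x0, length: 21
     46 4c 45 58 56 50 4e 2d 53 55 50 50 4f 52 54 45
     44
IKEv2-PROTO-5: (6): No NAT found
Rx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
 SA  Next payload: TSi, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
    type: 1, reserved: 0x0, id: AES-CBC
    type: 3, reserved: 0x0, id: SHA96
    type: 5, reserved: 0x0, id:
"""

HDR_RE = re.compile(r"\b(Tx|Rx) \[L ([\d.:]+)/R ([\d.:]+)/")
EXCH_RE = re.compile(r"Exchange type: (\w+), flags: (.+)$")
PAYLOAD_RE = re.compile(r"(\w+)(?:\(([A-Z_]+)\))?\s+Next payload: \w+, reserved: 0x0, length: (\d+)")
PROP_RE = re.compile(r"Proposal: (\d+), Protocol id: (\w+), SPI size: (\d+)")
XFRM_RE = re.compile(r"type: (\d), reserved: 0x0, id:\s*(.*)$")
HEX_RE = re.compile(r"^\s+((?:[0-9a-f]{2}\s?)+)$")  # payload body dump lines
TRANSFORM_TYPES = {"1": "ENCR", "2": "PRF", "3": "INTEG", "4": "DH", "5": "ESN"}  # RFC 7296 3.3.2

def decode_body(hex_digits):
    """Render a payload body as text when it is printable ASCII, otherwise as hex."""
    raw = bytes.fromhex(hex_digits)
    return raw.decode("ascii") if raw and all(32 <= b < 127 for b in raw) else raw.hex()

def parse_ikev2_debug(text):
    """Group the debug lines into messages, each with its payload chain and SA proposals."""
    messages, msg, payload, proposal = [], None, None, None
    for line in text.splitlines():
        if m := HDR_RE.search(line):  # a Tx/Rx line starts a new message
            msg = {"dir": m[1], "local": m[2], "remote": m[3], "exchange": None,
                   "flags": "", "payloads": [], "proposals": [], "nat_detected": None}
            messages.append(msg)
            payload = proposal = None
        elif msg is None:
            continue
        elif m := EXCH_RE.search(line):
            msg["exchange"], msg["flags"] = m[1], m[2].strip()
        elif m := PAYLOAD_RE.search(line):
            payload = {"type": m[1], "notify": m[2], "length": int(m[3]), "hex": ""}
            msg["payloads"].append(payload)
        elif m := PROP_RE.search(line):
            proposal = {"protocol": m[2], "spi_size": int(m[3]), "transforms": {}}
            msg["proposals"].append(proposal)
        elif (m := XFRM_RE.search(line)) and proposal is not None:
            proposal["transforms"][TRANSFORM_TYPES.get(m[1], m[1])] = m[2].strip()
        elif (m := HEX_RE.match(line)) and payload is not None:
            payload["hex"] += re.sub(r"\s", "", m[1])
        elif "No NAT found" in line:
            msg["nat_detected"] = False
    return messages

def vendor_ids(messages):
    """Decoded VID payloads: they fingerprint the peer's implementation and features."""
    return [decode_body(p["hex"]) for m in messages for p in m["payloads"]
            if p["type"] == "VID" and p["hex"]]

def accepted_transforms(messages, exchange):
    """Transforms in the responder's reply; in IKEv2 the reply carries the one chosen proposal."""
    for m in messages:
        if m["exchange"] == exchange and "MSG-RESPONSE" in m["flags"] and m["proposals"]:
            return m["proposals"][0]["transforms"]
    return None

def legacy_parameters(transforms):
    """Flag choices RFC 8247 rates SHOULD NOT or MUST NOT, matched on the text ASA prints."""
    flagged = []
    if re.search(r"Group (1|2|5)$", transforms.get("DH", "")):  # 768/1024/1536-bit MODP
        flagged.append("DH: " + transforms["DH"])
    flagged += [f"{t}: {transforms[t]}" for t in ("PRF", "INTEG") if "MD5" in transforms.get(t, "")]
    if "3DES" in transforms.get("ENCR", ""):
        flagged.append("ENCR: " + transforms["ENCR"])
    return flagged

if __name__ == "__main__":
    msgs = parse_ikev2_debug(SAMPLE)
    for m in msgs:
        print(m["dir"], m["exchange"], m["flags"], [p["type"] for p in m["payloads"]])
    ike = accepted_transforms(msgs, "IKE_SA_INIT")
    print("vendor IDs:", vendor_ids(msgs), "IKE SA:", ike, "legacy:", legacy_parameters(ike))
```

Pointed at a full capture of `debug crypto ikev2 protocol 127`, the same functions summarise every exchange. On the lab configuration above the only flag raised is the 1536-bit MODP group (`group 5`), which RFC 8247 lists as SHOULD NOT; group 14 or an ECP group is the usual replacement outside a lab.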

c) phase 2 - IOS
 
R17#
*Dec 11 20:57:29.423: IPSEC(validate_proposal_request): proposal part #1
*Dec 11 20:57:29.423: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 8.8.8.1:0, remote= 8.8.8.2:0,
    local_proxy= 9.9.9.9/255.255.255.255/256/0,
    remote_proxy= 7.7.7.1/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 11 20:57:29.427: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 11 20:57:29.463: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Dec 11 20:57:29.467: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 256
        src port     : 0
        dst port     : 0
*Dec 11 20:57:29.471: IPSEC(crypto_ipsec_create_ipsec_sas): Map found MAPA
*Dec 11 20:57:29.475: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with t
R17#he same proxies and peer 8.8.8.2
*Dec 11 20:57:29.491: IPSEC(create_sa): sa created,
  (sa) sa_dest= 8.8.8.1, sa_proto= 50,
    sa_spi= 0x9ECD60FF(2664259839),
    sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 11
    sa_lifetime(k/sec)= (4608000/3600)
*Dec 11 20:57:29.495: IPSEC(create_sa): sa created,
  (sa) sa_dest= 8.8.8.2, sa_proto= 50,
    sa_spi= 0x63F38ED8(1676906200),
    sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 12
    sa_lifetime(k/sec)= (4608000/3600)
*Dec 11 20:57:29.511: IPSEC: Expand action denied, notify RP
R17#

d) phase 2 - ASA

asa2# debug crypto ipsec 127
asa2# %ASA-5-111008: User 'enable_15' executed the 'debug crypto ipsec 127' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'debug crypto ipsec 127'
%ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2.  Map Tag = MAPA.  Map Sequence Number = 10.
%ASA-4-752011: IKEv1 Doesn't have a transform set specified
%ASA-5-750001: Local:8.8.8.2:500 Remote:8.8.8.1:500 Username:Unknown Received request to establish an IPsec tunnel; local traffic selector = Address Range: 7.7.7.1-7.7.7.1 Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: 9.9.9.9-9.9.9.9 Protocol: 0 Port Range: 0-65535
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=7.7.7.1, sport=3072, daddr=9.9.9.9, dport=3072
IPSEC(crypto_map_check)-3: Checking crypto map MAPA 10: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=7.7.7.1, sport=3072, daddr=9.9.9.9, dport=3072
IPSEC(crypto_map_check)-3: Checking crypto map MAPA 10: matched.
IPSEC: New embryonic SA created @ 0xbc3bc470,
    SCB: 0xBB9C0D18,
    Direction: inbound
    SPI      : 0x9500080A
    Session ID: 0x00007000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
%ASA-5-750006: Local:8.8.8.2:500 Remote:8.8.8.1:500 Username:8.8.8.1 SA UP. Reason: New Connection Established
%ASA-5-752016: IKEv2 was successful at setting up a tunnel.  Map Tag = MAPA. Map Sequence Number = 10.
IPSEC: New embryonic SA created @ 0xbc3bb4d0,
    SCB: 0xBB9C4370,
    Direction: outbound
    SPI      : 0x98468727
    Session ID: 0x00007000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0x98468727
IPSEC: Creating outbound VPN context, SPI 0x98468727
    Flags: 0x00000005
    SA   : 0xbc3bb4d0
    SPI  : 0x98468727
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x00135E6B
    Channel: 0xb62afb20
IPSEC: Completed outbound VPN context, SPI 0x98468727
    VPN handle: 0x00012a6c
IPSEC: New outbound encrypt rule, SPI 0x98468727
    Src addr: 7.7.7.1
    Src mask: 255.255.255.255
    Dst addr: 9.9.9.9
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0x98468727
    Rule ID: 0xbc432078
IPSEC: New outbound permit rule, SPI 0x98468727
    Src addr: 8.8.8.2
    Src mask: 255.255.255.255
    Dst addr: 8.8.8.1
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x98468727
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0x98468727
    Rule ID: 0xbc428980
IPSEC: Completed host IBSA update, SPI 0x9500080A
IPSEC: Creating inbound VPN context, SPI 0x9500080A
    Flags: 0x00000006
    SA   : 0xbc3bc470
    SPI  : 0x9500080A
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x00012A6C
    SCB  : 0x00117A5F
    Channel: 0xb62afb20
IPSEC: Completed inbound VPN context, SPI 0x9500080A
    VPN handle: 0x00015f2c
IPSEC: Updating outbound VPN context 0x00012A6C, SPI 0x98468727
    Flags: 0x00000005
    SA   : 0xbc3bb4d0
    SPI  : 0x98468727
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00015F2C
    SCB  : 0x00135E6B
    Channel: 0xb62afb20
IPSEC: Completed outbound VPN context, SPI 0x98468727
    VPN handle: 0x00012a6c
IPSEC: Completed outbound inner rule, SPI 0x98468727
    Rule ID: 0xbc432078
IPSEC: Completed outbound outer SPD rule, SPI 0x98468727
    Rule ID: 0xbc428980
IPSEC: New inbound tunnel flow rule, SPI 0x9500080A
    Src addr: 9.9.9.9
    Src mask: 255.255.255.255
    Dst addr: 7.7.7.1
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x9500080A
    Rule ID: 0xbc396208
IPSEC: New inbound decrypt rule, SPI 0x9500080A
    Src addr: 8.8.8.1
    Src mask: 255.255.255.255
    Dst addr: 8.8.8.2
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x9500080A
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x9500080A
    Rule ID: 0xbc428790
IPSEC: New inbound permit rule, SPI 0x9500080A
    Src addr: 8.8.8.1
    Src mask: 255.255.255.255
    Dst addr: 8.8.8.2
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x9500080A
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x9500080A
    Rule ID: 0xbc43d820

asa2# 
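The `debug crypto ipsec` output above is where the ASA shows what it actually installed for the tunnel: two embryonic ESP SAs (one per direction) and, per SA, a plaintext rule that mirrors the crypto ACL plus an ESP rule pinned to the two peer addresses and to that SA's SPI. Checking those blocks against the intended crypto map is a useful sanity test after a change, because a wrong ACL or a stale peer address shows up here as a missing or differently-addressed rule. The script below is an added example, not from the original post or from Cisco; it parses a constructed excerpt of the rule blocks shown above and compares them with the ACL host pair and the peer addresses from the configuration. The block layout it expects (indented `Key : value` lines until the next `IPSEC:` line) is taken from the output above and is an assumption about other releases.

```python
import re

# Constructed sample: an excerpt of the ASA "debug crypto ipsec 127" output above (the two
# embryonic SAs and four of the rule blocks, with the port sub-blocks left out).
SAMPLE = """\
IPSEC: New embryonic SA created @ 0xbc3bc470,
    Direction: inbound
    SPI      : 0x9500080A
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0xbc3bb4d0,
    Direction: outbound
    SPI      : 0x98468727
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New outbound encrypt rule, SPI 0x98468727
    Src addr: 7.7.7.1
    Dst addr: 9.9.9.9
    Protocol: 0
    Use protocol: false
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0x98468727
    Rule ID: 0xbc432078
IPSEC: New outbound permit rule, SPI 0x98468727
    Src addr: 8.8.8.2
    Dst addr: 8.8.8.1
    Protocol: 50
    Use protocol: true
    SPI: 0x98468727
    Use SPI: true
IPSEC: New inbound tunnel flow rule, SPI 0x9500080A
    Src addr: 9.9.9.9
    Dst addr: 7.7.7.1
    Protocol: 0
    Use protocol: false
IPSEC: New inbound decrypt rule, SPI 0x9500080A
    Src addr: 8.8.8.1
    Dst addr: 8.8.8.2
    Protocol: 50
    Use protocol: true
    SPI: 0x9500080A
    Use SPI: true
"""

SA_RE = re.compile(r"^IPSEC: New embryonic SA created @ (0x[0-9a-fA-F]+),")
RULE_RE = re.compile(r"^IPSEC: New (inbound|outbound) (.+?) rule, SPI (0x[0-9a-fA-F]+)")
KV_RE = re.compile(r"^\s+([A-Za-z ]+?)\s*:\s*(.*)$")  # indented "Key : value" lines

def parse_asa_ipsec_debug(text):
    """Return (sas, rules): one dict per embryonic-SA block and per 'New ... rule' block,
    filled from the 'Key: value' lines that follow the block header."""
    sas, rules, block = [], [], None
    for line in text.splitlines():
        if m := SA_RE.match(line):
            block = {"addr": m[1]}
            sas.append(block)
        elif m := RULE_RE.match(line):
            block = {"direction": m[1], "kind": m[2], "rule_spi": m[3]}
            rules.append(block)
        elif line.startswith("IPSEC:"):
            block = None  # any other IPSEC: line ends the current block
        elif (m := KV_RE.match(line)) and block is not None:
            block.setdefault(m[1], m[2].strip())
    return sas, rules

def check_tunnel(sas, rules, acl_pairs, local_peer, remote_peer):
    """Compare what the ASA installed with the intended crypto map: one ESP SA per direction,
    a plaintext rule per ACL host pair in each direction, and the ESP permit/decrypt rules
    pinned to the peer addresses and to the SA's own SPI. Returns a list of findings."""
    findings = []
    by_dir = {sa.get("Direction"): sa for sa in sas}

    def have(direction, kind, want):
        return any(r["direction"] == direction and r["kind"] == kind
                   and all(r.get(k) == v for k, v in want.items()) for r in rules)

    for d in ("inbound", "outbound"):
        if by_dir.get(d, {}).get("Protocol") != "esp":
            findings.append(f"no ESP {d} SA")
    for src, dst in acl_pairs:
        if not have("outbound", "encrypt", {"Src addr": src, "Dst addr": dst, "Protocol": "0"}):
            findings.append(f"no outbound encrypt rule for {src} -> {dst}")
        if not have("inbound", "tunnel flow", {"Src addr": dst, "Dst addr": src, "Protocol": "0"}):
            findings.append(f"no inbound tunnel flow rule for {dst} -> {src}")
    esp = {"Protocol": "50", "Use protocol": "true", "Use SPI": "true"}
    out_spi = by_dir.get("outbound", {}).get("SPI")
    in_spi = by_dir.get("inbound", {}).get("SPI")
    if not have("outbound", "permit", {**esp, "Src addr": local_peer, "Dst addr": remote_peer, "SPI": out_spi}):
        findings.append(f"outbound ESP permit rule not pinned to {local_peer} -> {remote_peer} SPI {out_spi}")
    if not have("inbound", "decrypt", {**esp, "Src addr": remote_peer, "Dst addr": local_peer, "SPI": in_spi}):
        findings.append(f"inbound ESP decrypt rule not pinned to {remote_peer} -> {local_peer} SPI {in_spi}")
    return findings

if __name__ == "__main__":
    sas, rules = parse_asa_ipsec_debug(SAMPLE)
    acl = [("7.7.7.1", "9.9.9.9")]  # from: access-list VPN extended permit ip host 7.7.7.1 host 9.9.9.9
    print(check_tunnel(sas, rules, acl, "8.8.8.2", "8.8.8.1") or "rules match crypto map MAPA")
    print(check_tunnel(sas, rules, [("7.7.7.1", "9.9.9.10")], "8.8.8.2", "8.8.8.1"))
```

The second call shows the failure mode: with an ACL entry the ASA did not install, both the encrypt and the tunnel-flow rule for that pair are reported missing, which is the symptom you would see as one-way or no traffic through an otherwise established tunnel.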
 
In my next post I will study the messages exchanged between these two peers.
