Download to read offline
Uploaded byEdwin Marin
55debug
The document contains log messages from an IPsec VPN setup process between two devices with IP addresses 53.54.55.56 and 53.54.55.57. It shows the IKE/ISAKMP phase 1 negotiation to establish an SA and authentication using pre-shared keys. It then shows the phase 2 IKE negotiation to establish IPsec SAs for encryption and the IPsec tunnel coming up.
55debug
- 1. 7301# *Aug 15 10:46:04.199:ISAKMP (0): received packet from 53.54.55.57 dport 500 sport 500 Global (N) NEW SA *Aug 15 10:46:04.199: ISAKMP: Created a peer struct for 53.54.55.57, peer port 500 *Aug 15 10:46:04.199: ISAKMP: New peer created peer = 0x501A44A4 peer_handle = 0x80000003 *Aug 15 10:46:04.199: ISAKMP: Locking peer struct 0x501A44A4, refcount 1 for crypto_isakmp_process_block *Aug 15 10:46:04.199: ISAKMP: local port 500, remote port 500 *Aug 15 10:46:04.199: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 501882C0 *Aug 15 10:46:04.199: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Aug 15 10:46:04.199: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1 *Aug 15 10:46:04.199: ISAKMP:(0): processing SA payload. message ID = 0 *Aug 15 10:46:04.199: ISAKMP:(0): processing vendor id payload *Aug 15 10:46:04.199: ISAKMP:(0): vendor ID is DPD *Aug 15 10:46:04.199: ISAKMP:(0):found peer pre-shared key matching 53.54.55.57 *Aug 15 10:46:04.199: ISAKMP:(0): local preshared key found *Aug 15 10:46:04.199: ISAKMP : Scanning profiles for xauth ... *Aug 15 10:46:04.199: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy *Aug 15 10:46:04.199: ISAKMP: life type in seconds *Aug 15 10:46:04.199: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80 *Aug 15 10:46:04.199: ISAKMP: encryption 3DES-CBC *Aug 15 10:46:04.199: ISAKMP: auth pre-share *Aug 15 10:46:04.199: ISAKMP: hash SHA *Aug 15 10:46:04.199: ISAKMP: default group 5 *Aug 15 10:46:04.199: ISAKMP:(0):atts are acceptable. Next payload is 0 *Aug 15 10:46:04.199: ISAKMP:(0):Acceptable atts:actual life: 0 *Aug 15 10:46:04.199: ISAKMP:(0):Acceptable atts:life: 0 *Aug 15 10:46:04.199: ISAKMP:(0):Fill atts in sa vpi_length:4 *Aug 15 10:46:04.199: ISAKMP:(0):Fill atts in sa life_in_seconds:86400 *Aug 15 10:46:04.199: ISAKMP:(0):Returning Actual lifetime: 86400 *Aug 15 10:46:04.199: ISAKMP:(0)::Started lifetime timer: 86400. *Aug 15 10:46:04.199: ISAKMP:(0): processing vendor id payload *Aug 15 10:46:04.199: ISAKMP:(0): vendor ID is DPD *Aug 15 10:46:04.199: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE *Aug 15 10:46:04.199: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1 *Aug 15 10:46:04.199: ISAKMP:(0): sending packet to 53.54.55.57 my_port 500 peer_port 500 (R) MM_SA_SETUP *Aug 15 10:46:04.199: ISAKMP:(0):Sending an IKE IPv4 Packet. *Aug 15 10:46:04.199: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Aug 15 10:46:04.199: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2 *Aug 15 10:46:05.527: ISAKMP (0): received packet from 53.54.55.57 dport 500 sport 500 Global (R) MM_SA_SETUP *Aug 15 10:46:05.527: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Aug 15 10:46:05.527: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3 *Aug 15 10:46:05.527: ISAKMP:(0): processing KE payload. message ID = 0 *Aug 15 10:46:05.567: ISAKMP:(0): processing NONCE payload. message ID = 0 *Aug 15 10:46:05.567: ISAKMP:(0):found peer pre-shared key matching 53.54.55.57 *Aug 15 10:46:05.567: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE *Aug 15 10:46:05.567: ISAKMP:(1002):Old State = IKE_R_MM3 New State = IKE_R_MM3 *Aug 15 10:46:05.567: ISAKMP:(1002): sending packet to 53.54.55.57 my_port 500 peer_port 500 (R) MM_KEY_EXCH *Aug 15 10:46:05.567: ISAKMP:(1002):Sending an IKE IPv4 Packet.
- 2. *Aug 15 10:46:05.567:ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Aug 15 10:46:05.567: ISAKMP:(1002):Old State = IKE_R_MM3 New State = IKE_R_MM4 *Aug 15 10:46:06.919: ISAKMP (1002): received packet from 53.54.55.57 dport 500 sport 500 Global (R) MM_KEY_EXCH *Aug 15 10:46:06.919: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Aug 15 10:46:06.919: ISAKMP:(1002):Old State = IKE_R_MM4 New State = IKE_R_MM5 *Aug 15 10:46:06.919: ISAKMP:(1002): processing ID payload. message ID = 0 *Aug 15 10:46:06.919: ISAKMP (1002): ID payload next-payload : 8 type : 1 address : 53.54.55.57 protocol : 17 port : 500 length : 12 *Aug 15 10:46:06.919: ISAKMP:(0):: peer matches *none* of the profiles *Aug 15 10:46:06.919: ISAKMP:(1002): processing HASH payload. message ID = 0 *Aug 15 10:46:06.919: ISAKMP:(1002):SA authentication status: authenticated *Aug 15 10:46:06.919: ISAKMP:(1002):SA has been authenticated with 53.54.55.57 *Aug 15 10:46:06.919: ISAKMP: Trying to insert a peer 53.54.55.56/53.54.55.57/500/, and inserted successfully 501A44A4. *Aug 15 10:46:06.919: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE *Aug 15 10:46:06.919: ISAKMP:(1002):Old State = IKE_R_MM5 New State = IKE_R_MM5 *Aug 15 10:46:06.919: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR *Aug 15 10:46:06.919: ISAKMP (1002): ID payload next-payload : 8 type : 1 address : 53.54.55.56 protocol : 17 port : 500 length : 12 *Aug 15 10:46:06.919: ISAKMP:(1002):Total payload length: 12 *Aug 15 10:46:06.919: ISAKMP:(1002): sending packet to 53.54.55.57 my_port 500 peer_port 500 (R) MM_KEY_EXCH *Aug 15 10:46:06.919: ISAKMP:(1002):Sending an IKE IPv4 Packet. *Aug 15 10:46:06.919: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Aug 15 10:46:06.919: ISAKMP:(1002):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE *Aug 15 10:46:06.919: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE *Aug 15 10:46:06.919: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE *Aug 15 10:46:06.955: ISAKMP (1002): received packet from 53.54.55.57 dport 500 sport 500 Global (R) QM_IDLE *Aug 15 10:46:06.955: ISAKMP: set new node -1028686484 to QM_IDLE *Aug 15 10:46:06.955: ISAKMP:(1002): processing HASH payload. message ID = -1028686484 *Aug 15 10:46:06.955: ISAKMP:(1002): processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = -1028686484, sa = 501882C0 *Aug 15 10:46:06.955: ISAKMP:(1002):SA authentication status: authenticated *Aug 15 10:46:06.955: ISAKMP:(1002): Process initial contact, bring down existing phase 1 and 2 SA's with local 53.54.55.56 remote 53.54.55.57 remote port 500
- 3. *Aug 15 10:46:06.955:ISAKMP:(1002):deleting node -1028686484 error FALSE reason "Informational (in) state 1" *Aug 15 10:46:06.955: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY *Aug 15 10:46:06.955: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE *Aug 15 10:46:06.955: IPSEC(key_engine): got a queue event with 1 KMI message(s) *Aug 15 10:46:08.479: ISAKMP (1002): received packet from 53.54.55.57 dport 500 sport 500 Global (R) QM_IDLE *Aug 15 10:46:08.479: ISAKMP: set new node -441594065 to QM_IDLE *Aug 15 10:46:08.479: ISAKMP:(1002): processing HASH payload. message ID = -441594065 *Aug 15 10:46:08.479: ISAKMP:(1002): processing SA payload. message ID = -441594065 *Aug 15 10:46:08.479: ISAKMP:(1002):Checking IPSec proposal 1 *Aug 15 10:46:08.479: ISAKMP: transform 1, ESP_3DES *Aug 15 10:46:08.479: ISAKMP: attributes in transform: *Aug 15 10:46:08.479: ISAKMP: SA life type in seconds *Aug 15 10:46:08.479: ISAKMP: SA life duration (basic) of 43200 *Aug 15 10:46:08.479: ISAKMP: encaps is 2 (Transport) *Aug 15 10:46:08.479: ISAKMP: authenticator is HMAC-SHA *Aug 15 10:46:08.479: ISAKMP: group is 5 *Aug 15 10:46:08.479: ISAKMP:(1002):atts are acceptable. *Aug 15 10:46:08.479: IPSEC(validate_proposal_request): proposal part #1 *Aug 15 10:46:08.479: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 53.54.55.56, remote= 53.54.55.57, local_proxy= 53.54.55.56/255.255.255.255/47/0 (type=1), remote_proxy= 53.54.55.57/255.255.255.255/47/0 (type=1), protocol= ESP, transform= NONE (Transport), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0 *Aug 15 10:46:08.479: IPSEC-IFC MGRE/Tu0(53.54.55.56/53.54.55.57): connection lookup returned 0 *Aug 15 10:46:08.479: IPSEC-IFC MGRE/Tu0: crypto_ss_listen_start already listening *Aug 15 10:46:08.479: IPSEC-IFC MGRE/Tu0(53.54.55.56/53.54.55.57): Opening a socket with profile Profile3 *Aug 15 10:46:08.479: IPSEC-IFC MGRE/Tu0(53.54.55.56/53.54.55.57): connection lookup returned 0 *Aug 15 10:46:08.479: IPSEC-IFC MGRE/Tu0(53.54.55.56/53.54.55.57): Triggering tunnel immediately. *Aug 15 10:46:08.479: IPSEC-IFC MGRE/Tu0(53.54.55.56/53.54.55.57): tunnel_protection_start_pending_timer 66A672EC *Aug 15 10:46:08.479: IPSEC-IFC MGRE/Tu0(53.54.55.56/53.54.55.57): Good listen request *Aug 15 10:46:08.479: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb *Aug 15 10:46:08.479: CRYPTO_SS(TUNNEL SEC): Passive open, socket info: local 53.54.55.56 53.54.55.56/255.255.255.255/0, remote 53.54.55.57 53.54.55.57/255.255.255.255/0, prot 47, ifc Tu0 *Aug 15 10:46:08.479: Crypto mapdb : proxy_match src addr : 53.54.55.56 dst addr : 53.54.55.57 protocol : 47 src port : 0 dst port : 0 *Aug 15 10:46:08.479: ISAKMP:(1002): processing NONCE payload. message ID = -441594065 *Aug 15 10:46:08.479: ISAKMP:(1002): processing KE payload. message ID = -441594065 *Aug 15 10:46:08.479: CRYPTO_SS(TUNNEL SEC): Completed binding of application to socket *Aug 15 10:46:08.483: IPSEC-IFC MGRE/Tu0(53.54.55.56/53.54.55.57): connection lookup returned 66A672EC
- 4. *Aug 15 10:46:08.483:IPSEC-IFC MGRE/Tu0(53.54.55.56/53.54.55.57): good socket ready message *Aug 15 10:46:08.519: ISAKMP:(1002): processing ID payload. message ID = -441594065 *Aug 15 10:46:08.519: ISAKMP:(1002): processing ID payload. message ID = -441594065 *Aug 15 10:46:08.519: ISAKMP:(1002):QM Responder gets spi *Aug 15 10:46:08.519: ISAKMP:(1002):Node -441594065, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH *Aug 15 10:46:08.519: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE *Aug 15 10:46:08.519: ISAKMP:(1002): Creating IPSec SAs *Aug 15 10:46:08.519: inbound SA from 53.54.55.57 to 53.54.55.56 (f/i) 0/ 0 (proxy 53.54.55.57 to 53.54.55.56) *Aug 15 10:46:08.519: has spi 0x6CACC283 and conn_id 0 *Aug 15 10:46:08.519: lifetime of 43200 seconds *Aug 15 10:46:08.519: outbound SA from 53.54.55.56 to 53.54.55.57 (f/i) 0/0 (proxy 53.54.55.56 to 53.54.55.57) *Aug 15 10:46:08.519: has spi 0xD18416C and conn_id 0 *Aug 15 10:46:08.519: lifetime of 43200 seconds *Aug 15 10:46:08.519: ISAKMP:(1002): sending packet to 53.54.55.57 my_port 500 peer_port 500 (R) QM_IDLE *Aug 15 10:46:08.519: ISAKMP:(1002):Sending an IKE IPv4 Packet. *Aug 15 10:46:08.523: ISAKMP:(1002):Node -441594065, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI *Aug 15 10:46:08.523: ISAKMP:(1002):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2 *Aug 15 10:46:08.523: IPSEC(key_engine): got a queue event with 1 KMI message(s) *Aug 15 10:46:08.523: Crypto mapdb : proxy_match src addr : 53.54.55.56 dst addr : 53.54.55.57 protocol : 47 src port : 0 dst port : 0 *Aug 15 10:46:08.523: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 53.54.55.57 *Aug 15 10:46:08.523: IPSEC(policy_db_add_ident): src 53.54.55.56, dest 53.54.55.57, dest_port 0 *Aug 15 10:46:08.523: IPSEC(create_sa): sa created, (sa) sa_dest= 53.54.55.56, sa_proto= 50, sa_spi= 0x6CACC283(1823261315), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3 sa_lifetime(k/sec)= (4443761/3600) *Aug 15 10:46:08.523: IPSEC(create_sa): sa created, (sa) sa_dest= 53.54.55.57, sa_proto= 50, sa_spi= 0xD18416C(219693420), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4 sa_lifetime(k/sec)= (4443761/3600) *Aug 15 10:46:08.523: IPSEC(crypto_ipsec_update_ident_tunnel_decap_oce): updating Tunnel0 ident 5097A2B4 with tun_decap_oce 66A6A9C0 *Aug 15 10:46:08.523: IPSEC-IFC MGRE/Tu0(53.54.55.56/53.54.55.57): connection lookup returned 66A672EC *Aug 15 10:46:08.523: IPSEC-IFC MGRE/Tu0(53.54.55.56/53.54.55.57): tunnel_protection_socket_up *Aug 15 10:46:08.523: IPSEC-IFC MGRE/Tu0(53.54.55.56/53.54.55.57): Signalling NHRP *Aug 15 10:46:08.523: IPSEC-IFC MGRE/Tu0(53.54.55.56/53.54.55.57): Got MTU message mtu 1463 *Aug 15 10:46:08.523: IPSEC-IFC MGRE/Tu0(53.54.55.56/53.54.55.57): connection lookup returned 66A672EC *Aug 15 10:46:08.599: ISAKMP (1002): received packet from 53.54.55.57 dport 500
- 5. sport 500 Global(R) QM_IDLE *Aug 15 10:46:08.599: ISAKMP:(1002):deleting node -441594065 error FALSE reason "QM done (await)" *Aug 15 10:46:08.599: ISAKMP:(1002):Node -441594065, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH *Aug 15 10:46:08.599: ISAKMP:(1002):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE *Aug 15 10:46:08.599: IPSEC(key_engine): got a queue event with 1 KMI message(s) *Aug 15 10:46:08.599: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP *Aug 15 10:46:08.599: IPSEC(key_engine_enable_outbound): enable SA with spi 219693420/50 *Aug 15 10:46:08.599: IPSEC(update_current_outbound_sa): updated peer 53.54.55.57 current outbound sa to SPI D18416C *Aug 15 10:46:09.947: NHRP-ERROR: Packet Recved with unsupported Address Family Number. *Aug 15 10:46:09.947: NHRP-ERROR: Incorrect NBMA Network length = 55 on Tunnel0 *Aug 15 10:46:14.959: NHRP-ERROR: Packet Recved with unsupported Address Family Number. *Aug 15 10:46:14.959: NHRP-ERROR: Incorrect NBMA Network length = 55 on Tunnel0 *Aug 15 10:46:19.959: NHRP-ERROR: Packet Recved with unsupported Address Family Number. *Aug 15 10:46:19.959: NHRP-ERROR: Incorrect NBMA Network length = 55 on Tunnel0 *Aug 15 10:46:24.959: NHRP-ERROR: Packet Recved with unsupported Address Family Number. *Aug 15 10:46:24.959: NHRP-ERROR: Incorrect NBMA Network length = 55 on Tunnel0 *Aug 15 10:46:29.959: NHRP-ERROR: Packet Recved with unsupported Address Family Number. *Aug 15 10:46:29.959: NHRP-ERROR: Incorrect NBMA Network length = 55 on Tunnel0
- 6. sport 500 Global(R) QM_IDLE *Aug 15 10:46:08.599: ISAKMP:(1002):deleting node -441594065 error FALSE reason "QM done (await)" *Aug 15 10:46:08.599: ISAKMP:(1002):Node -441594065, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH *Aug 15 10:46:08.599: ISAKMP:(1002):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE *Aug 15 10:46:08.599: IPSEC(key_engine): got a queue event with 1 KMI message(s) *Aug 15 10:46:08.599: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP *Aug 15 10:46:08.599: IPSEC(key_engine_enable_outbound): enable SA with spi 219693420/50 *Aug 15 10:46:08.599: IPSEC(update_current_outbound_sa): updated peer 53.54.55.57 current outbound sa to SPI D18416C *Aug 15 10:46:09.947: NHRP-ERROR: Packet Recved with unsupported Address Family Number. *Aug 15 10:46:09.947: NHRP-ERROR: Incorrect NBMA Network length = 55 on Tunnel0 *Aug 15 10:46:14.959: NHRP-ERROR: Packet Recved with unsupported Address Family Number. *Aug 15 10:46:14.959: NHRP-ERROR: Incorrect NBMA Network length = 55 on Tunnel0 *Aug 15 10:46:19.959: NHRP-ERROR: Packet Recved with unsupported Address Family Number. *Aug 15 10:46:19.959: NHRP-ERROR: Incorrect NBMA Network length = 55 on Tunnel0 *Aug 15 10:46:24.959: NHRP-ERROR: Packet Recved with unsupported Address Family Number. *Aug 15 10:46:24.959: NHRP-ERROR: Incorrect NBMA Network length = 55 on Tunnel0 *Aug 15 10:46:29.959: NHRP-ERROR: Packet Recved with unsupported Address Family Number. *Aug 15 10:46:29.959: NHRP-ERROR: Incorrect NBMA Network length = 55 on Tunnel0