OT: Multiple VPNs between Multiple PIXs

From: David (fullerdavid@hotmail.com)
Date: Tue Nov 30 2004 - 17:40:39 GMT-3

• Next message: Richard Dumoulin: "RE : RE : HELP with IPSEC VPN"
• Previous message: gladston@br.ibm.com: "S-G RP-bit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi there

I hope someone can help on this scenario. It is causing a lot of pain.

We got VPNs running between some offices. Most VPNs are up and running except
one. That is between FR PIX and DE PIX. The tunnel has never come up between
these. The configs are below with some debugs. Can someone please shed light
on what is going one...

Thanks a lot

David

FR# wr t

PIX Version 6.2(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname FR

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

fixup protocol ftp 990

fixup protocol sip udp 5060

names

access-list 110 permit ip 10.60.12.0 255.255.255.0 10.40.10.0 255.255.255.0

access-list 110 permit ip 10.60.12.0 255.255.255.0 10.50.10.0 255.255.255.0

access-list 110 permit ip 10.60.12.0 255.255.255.0 10.70.0.0 255.255.0.0

access-list 110 permit ip 10.60.12.0 255.255.255.0 10.90.0.0 255.255.0.0

access-list 110 permit ip 10.60.12.0 255.255.255.0 10.100.0.0 255.255.0.0

access-list 120 permit ip 10.60.12.0 255.255.255.0 10.50.10.0 255.255.255.0

interface ethernet0 auto

interface ethernet1 auto

ip address outside 183.245.201.50 255.255.255.248

ip address inside 10.60.12.250 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list 110

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 183.245.201.49 1

timeout uauth 0:05:00 absolute

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set CVPN3005 esp-3des esp-md5-hmac

crypto ipsec transform-set DE esp-3des esp-md5-hmac

crypto map CRYP_MAP 10 ipsec-isakmp

crypto map CRYP_MAP 10 match address 110

crypto map CRYP_MAP 10 set peer 93.95.90.4

crypto map CRYP_MAP 10 set transform-set CVPN3005

crypto map CRYP_MAP 50 ipsec-isakmp

crypto map CRYP_MAP 50 match address 120

crypto map CRYP_MAP 50 set peer 117.210.149.18

crypto map CRYP_MAP 50 set transform-set DE

crypto map CRYP_MAP interface outside

isakmp enable outside

isakmp key <REMOEVD> address 93.95.90.4 netmask 255.255.255.255

isakmp key <REMOEVD> address 117.210.149.18 netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 28800

: end

DE# wr t

PIX Version 6.2(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname DE

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

fixup protocol ftp 990

fixup protocol sip udp 5060

names

access-list 110 permit ip 10.50.10.0 255.255.255.0 10.100.0.0 255.255.0.0

access-list 111 permit ip 10.50.10.0 255.255.255.0 10.20.0.0 255.255.0.0

access-list 111 permit ip 10.50.10.0 255.255.255.0 10.40.10.0 255.255.255.0

access-list 111 permit ip 10.50.10.0 255.255.255.0 10.23.50.0 255.255.255.0

access-list 120 permit ip 10.50.10.0 255.255.255.0 10.100.0.0 255.255.0.0

access-list 120 permit ip 10.50.10.0 255.255.255.0 10.60.12.0 255.255.255.0

access-list 101 permit ip 10.50.10.0 255.255.255.0 10.60.12.0 255.255.255.0

interface ethernet0 10baset

interface ethernet1 10baset

ip address outside 117.210.149.18 255.255.255.248

ip address inside 10.50.10.250 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list 120

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 117.210.149.20 10.50.10.254 netmask 255.255.255.255 0
0

route outside 0.0.0.0 0.0.0.0 117.210.149.17 1

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set AT-L esp-3des esp-md5-hmac

crypto ipsec transform-set TRANS esp-3des esp-md5-hmac

crypto ipsec transform-set FR esp-3des esp-md5-hmac

crypto map CRYP_MAP 10 ipsec-isakmp

crypto map CRYP_MAP 10 match address 111

crypto map CRYP_MAP 10 set peer 93.95.90.4

crypto map CRYP_MAP 10 set transform-set TRANS

crypto map CRYP_MAP 20 ipsec-isakmp

crypto map CRYP_MAP 20 match address 110

crypto map CRYP_MAP 20 set peer 163.67.13.100

crypto map CRYP_MAP 20 set transform-set AT-L

crypto map CRYP_MAP 50 ipsec-isakmp

crypto map CRYP_MAP 50 match address 101

crypto map CRYP_MAP 50 set peer 183.245.201.50

crypto map CRYP_MAP 50 set transform-set FR

crypto map CRYP_MAP interface outside

isakmp enable outside

isakmp key <REMOEVD> address 163.67.13.100 netmask 255.255.255.255

isakmp key <REMOEVD> address 93.95.90.4 netmask 255.255.255.255

isakmp key <REMOEVD> address 183.245.201.50 netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 28800

telnet 10.100.0.0 255.255.0.0 inside

: end

Debugs for FR:

ISAKMP: attributes in transform:

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (basic) of 28800

ISAKMP: SA life type in kilobytes

ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

ISAKMP: authenticator is HMAC-MD5

ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal
part #1,

  (key eng. msg.) dest= 117.210.149.18, src= 183.245.201.50,

    dest_proxy= 10.50.10.0/255.255.255.0/0/0 (type=4),

    src_proxy= 10.60.12.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-3des esp-md5-hmac ,

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

IPSEC(validate_transform_proposal): peer address 117.210.149.18 not found

IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) dest= 117.210.149.18, src= 183.245.201.50,

    dest_proxy= 10.60.12.0/255.255.255.0/0/0 (type=4),

    src_proxy= 10.50.10.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-3des esp-md5-hmac ,

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

IPSEC(validate_transform_proposal): peer address 183.245.201.50 not found

ISAKMP: IPSec policy invalidated proposal

ISAKMP (0): SA not acceptable!

ISAKMP (0): sending NOTIFY message 14 protocol 3

return status is IKMP_ERR_NO_RETRANS

crypto_isakmp_process_block: src 93.95.90.4, dest 183.245.201.50

ISAKMP: drop msg for deleted sa

ISADB: reaper checking SA 0x813d59e8, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:93.95.90.4 Ref cnt decremented to:0 Total VPN
Peers:2

VPN Peer: ISAKMP: Deleted peer: ip:93.95.90.4 Total VPN
peers:1IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with 93.95.90.4

ISADB: reaper checking SA 0x81328e28, conn_id = 0

crypto_isakmp_process_block: src 93.95.90.4, dest 183.245.201.50

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type
ID_IPV4_ADDR

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 93.95.90.4, dest 183.245.201.50

OAK_MM exchange

crypto_isakmp_process_block: src 117.210.149.18, dest 183.245.201.50

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 415829038

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES

ISAKMP: attributes in transform:

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (basic) of 28800

ISAKMP: SA life type in kilobytes

ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

ISAKMP: authenticator is HMAC-MD5

ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal
part #1,

  (key eng. msg.) dest= 117.210.149.18, src= 183.245.201.50,

    dest_proxy= 10.60.12.0/255.255.255.0/0/0 (type=4),

    src_proxy= 10.50.10.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-3des esp-md5-hmac ,

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

IPSEC(validate_transform_proposal): peer address 183.245.201.50 not found

IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) dest= 117.210.149.18, src= 183.245.201.50,

    dest_proxy= 10.50.10.0/255.255.255.0/0/0 (type=4),

    src_proxy= 10.60.12.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-3des esp-md5-hmac ,

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

IPSEC(validate_transform_proposal): peer address 117.210.149.18 not found

ISAKMP: IPSec policy invalidated proposal

ISAKMP (0): SA not acceptable!

ISAKMP (0): sending NOTIFY message 14 protocol 3

return status is IKMP_ERR_NO_RETRANS

crypto_isakmp_process_block: src 93.95.90.4, dest 183.245.201.50

ISAKMP: reserved not zero on payload 8!

ISAKMP: malformed payload

crypto_isakmp_process_block: src 93.95.90.4, dest 183.245.201.50

ISAKMP (0): processing NOTIFY payload 36136 protocol 1

        spi 0, message ID = 2845938197

ISAMKP (0): received DPD_R_U_THERE from peer 93.95.90.4

ISAKMP (0): sending NOTIFY message 36137 protocol 1

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block: src 93.95.90.4, dest 183.245.201.50

ISAKMP: reserved not zero on payload 8!

ISAKMP: malformed payload

crypto_isakmp_process_block: src 93.95.90.4, dest 183.245.201.50

ISAKMP: reserved not zero on payload 8!

ISAKMP: malformed payloadIPSEC(key_engine): request timer fired: count = 1,

  (identity) local= 183.245.201.50, remote= 117.210.149.18,

    local_proxy= 10.60.12.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 10.50.10.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): beginning Quick Mode exchange, M-ID of
1396846701:5342306dIPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0xc18d7e35(3247275573) for SA

        from 117.210.149.18 to 183.245.201.50 for prot 3

crypto_isakmp_process_block: src 117.210.149.18, dest 183.245.201.50

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 1396846701

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES

ISAKMP: attributes in transform:

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (basic) of 28800

ISAKMP: SA life type in kilobytes

ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

ISAKMP: authenticator is HMAC-MD5

ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal
part #1,

  (key eng. msg.) dest= 117.210.149.18, src= 183.245.201.50,

    dest_proxy= 10.50.10.0/255.255.255.0/0/0 (type=4),

    src_proxy= 10.60.12.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-3des esp-md5-hmac ,

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

IPSEC(validate_transform_proposal): peer address 117.210.149.18 not found

IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) dest= 117.210.149.18, src= 183.245.201.50,

    dest_proxy= 10.60.12.0/255.255.255.0/0/0 (type=4),

    src_proxy= 10.50.10.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-3des esp-md5-hmac ,

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

IPSEC(validate_transform_proposal): peer address 183.245.201.50 not found

ISAKMP: IPSec policy invalidated proposal

ISAKMP (0): SA not acceptable!

ISAKMP (0): sending NOTIFY message 14 protocol 3

return status is IKMP_ERR_NO_RETRANS

crypto_isakmp_process_block: src 93.95.90.4, dest 183.245.201.50

ISAKMP (0): processing DELETE payload. message ID = 300816067, spi size =
4IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block: src 117.210.149.18, dest 183.245.201.50

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 2238667506

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES

ISAKMP: attributes in transform:

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (basic) of 28800

ISAKMP: SA life type in kilobytes

ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

ISAKMP: authenticator is HMAC-MD5

ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal
part #1,

  (key eng. msg.) dest= 117.210.149.18, src= 183.245.201.50,

    dest_proxy= 10.60.12.0/255.255.255.0/0/0 (type=4),

    src_proxy= 10.50.10.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-3des esp-md5-hmac ,

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

IPSEC(validate_transform_proposal): peer address 183.245.201.50 not found

IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) dest= 117.210.149.18, src= 183.245.201.50,

    dest_proxy= 10.50.10.0/255.255.255.0/0/0 (type=4),

    src_proxy= 10.60.12.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-3des esp-md5-hmac ,

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

IPSEC(validate_transform_proposal): peer address 117.210.149.18 not found

ISAKMP: IPSec policy invalidated proposal

ISAKMP (0): SA not acceptable!

ISAKMP (0): sending NOTIFY message 14 protocol 3

return status is IKMP_ERR_NO_RETRANS

FR#

FR#

ISAKMP (0): beginning Quick Mode exchange, M-ID of
-322656803:ecc4a5ddIPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x400698fc(1074174204) for SA

        from 93.95.90.4 to 183.245.201.50 for prot 3

Debugs for DE

ISAMKP (0): received DPD_R_U_THERE from peer 93.95.90.4

ISAKMP (0): sending NOTIFY message 36137 protocol 1

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block: src 93.95.90.4, dest 117.210.149.18

ISAKMP: reserved not zero on payload 8!

ISAKMP: malformed payload

crypto_isakmp_process_block: src 183.245.201.50, dest 117.210.149.18

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 3215025985

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES

ISAKMP: attributes in transform:

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (basic) of 28800

ISAKMP: SA life type in kilobytes

ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

ISAKMP: authenticator is HMAC-MD5

ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal
part #1,

  (key eng. msg.) dest= 117.210.149.18, src= 183.245.201.50,

    dest_proxy= 10.50.10.0/255.255.255.0/0/0 (type=4),

    src_proxy= 10.60.12.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-3des esp-md5-hmac ,

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

ISAKMP (0): processing NONCE payload. message ID = 3215025985

ISAKMP (0): processing ID payload. message ID = 3215025985

ISAKMP (0): ID_IPV4_ADDR_SUBNET src 10.60.12.0/255.255.255.0 prot 0 port 0

ISAKMP (0): processing ID payload. message ID = 3215025985

ISAKMP (0): ID_IPV4_ADDR_SUBNET dst 10.50.10.0/255.255.255.0 prot 0 port
0IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x39cb94c8(969643208) for SA

        from 183.245.201.50 to 117.210.149.18 for prot 3

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 183.245.201.50, dest 117.210.149.18

ISAKMP (0): processing NOTIFY payload 14 protocol 3

        spi 969643208, message ID = 1358144203

ISAKMP (0): deleting spi 3365194553 message ID = 3215025985

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block: src 93.95.90.4, dest 117.210.149.18

ISAKMP (0): processing DELETE payload. message ID = 3133134010, spi size =
4IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

return status is IKMP_NO_ERR_NO_TRANS

ISAKMP (0): beginning Quick Mode exchange, M-ID of
415829038:18c90c2eIPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0xa7934206(2811445766) for SA

        from 183.245.201.50 to 117.210.149.18 for prot 3

crypto_isakmp_process_block: src 183.245.201.50, dest 117.210.149.18

ISAKMP (0): processing NOTIFY payload 14 protocol 3

        spi 2811445766, message ID = 4194863671

ISAKMP (0): deleting spi 105026471 message ID = 415829038

return status is IKMP_NO_ERR_NO_TRANS

ISAKMP: reserved not zero on payload 8!

ISAKMP: malformed payload

crypto_isakmp_process_block: src 183.245.201.50, dest 117.210.149.18

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 1396846701

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES

ISAKMP: attributes in transform:

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (basic) of 28800

ISAKMP: SA life type in kilobytes

ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

ISAKMP: authenticator is HMAC-MD5

ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal
part #1,

  (key eng. msg.) dest= 117.210.149.18, src= 183.245.201.50,

    dest_proxy= 10.50.10.0/255.255.255.0/0/0 (type=4),

    src_proxy= 10.60.12.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-3des esp-md5-hmac ,

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

ISAKMP (0): processing NONCE payload. message ID = 1396846701

ISAKMP (0): processing ID payload. message ID = 1396846701

ISAKMP (0): ID_IPV4_ADDR_SUBNET src 10.60.12.0/255.255.255.0 prot 0 port 0

ISAKMP (0): processing ID payload. message ID = 1396846701

ISAKMP (0): ID_IPV4_ADDR_SUBNET dst 10.50.10.0/255.255.255.0 prot 0 port
0IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x29dc8449(702317641) for SA

        from 183.245.201.50 to 117.210.149.18 for prot 3

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 183.245.201.50, dest 117.210.149.18

ISAKMP (0): processing NOTIFY payload 14 protocol 3

        spi 702317641, message ID = 3107790901

ISAKMP (0): deleting spi 1233443881 message ID = 1396846701

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block: src 93.95.90.4, dest 117.210.149.18

ISAKMP: reserved not zero on payload 8!

ISAKMP: malformed payloadIPSEC(key_engine): request timer fired: count = 1,

  (identity) local= 117.210.149.18, remote= 183.245.201.50,

    local_proxy= 10.50.10.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 10.60.12.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): beginning Quick Mode exchange, M-ID of
-2056299790:856f5af2IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0xf0ac7a76(4037835382) for SA

        from 183.245.201.50 to 117.210.149.18 for prot 3

crypto_isakmp_process_block: src 183.245.201.50, dest 117.210.149.18

ISAKMP (0): processing NOTIFY payload 14 protocol 3

        spi 4037835382, message ID = 2971266259

ISAKMP (0): deleting spi 1987751152 message ID = 2238667506

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block: src 93.95.90.4, dest 117.210.149.18

ISAKMP: reserved not zero on payload 8!

ISAKMP: malformed payload

crypto_isakmp_process_block: src 93.95.90.4, dest 117.210.149.18

ISAKMP (0): processing DELETE payload. message ID = 2857583079, spi size =
4IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block: src 93.95.90.4, dest 117.210.149.18

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 1815809970

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES

ISAKMP: attributes in transform:

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (basic) of 28800

ISAKMP: encaps is 1

ISAKMP: authenticator is HMAC-MD5

ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal
part #1,

  (key eng. msg.) dest= 93.95.90.4, src= 117.210.149.18,

    dest_proxy= 10.50.10.0/255.255.255.0/0/0 (type=4),

    src_proxy= 10.80.10.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-3des esp-md5-hmac ,

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

IPSEC(validate_transform_proposal): proxy identities not supported

IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) dest= 93.95.90.4, src= 117.210.149.18,

    dest_proxy= 10.80.10.0/255.255.255.0/0/0 (type=4),

    src_proxy= 10.50.10.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-3des esp-md5-hmac ,

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

IPSEC(validate_transform_proposal): proxy identities not supported

ISAKMP: IPSec policy invalidated proposal

ISAKMP (0): SA not acceptable!

ISAKMP (0): sending NOTIFY message 14 protocol 3

return status is IKMP_ERR_NO_RETRANS

crypto_isakmp_process_block: src 93.95.90.4, dest 117.210.149.18

ISAKMP: reserved not zero on payload 8!

ISAKMP: malformed payload

crypto_isakmp_process_block: src 163.67.13.100, dest 117.210.149.18

ISAKMP (0): processing NOTIFY payload 36136 protocol 1

        spi 0, message ID = 1995458061

ISAMKP (0): received DPD_R_U_THERE from peer 163.67.13.100

ISAKMP (0): sending NOTIFY message 36137 protocol 1

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block: src 93.95.90.4, dest 117.210.149.18

ISAKMP: reserved not zero on payload 8!

ISAKMP: malformed payloadIPSEC(key_engine): request timer fired: count = 2,

  (identity) local= 117.210.149.18, remote= 183.245.201.50,

    local_proxy= 10.50.10.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 10.60.12.0/255.255.255.0/0/0 (type=4)

crypto_isakmp_process_block: src 93.95.90.4, dest 117.210.149.18

ISAKMP: reserved not zero on payload 8!

ISAKMP: malformed payload

crypto_isakmp_process_block: src 93.95.90.4, dest 117.210.149.18

ISAKMP (0): processing DELETE payload. message ID = 840493505, spi size =
4IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

• Next message: Richard Dumoulin: "RE : RE : HELP with IPSEC VPN"
• Previous message: gladston@br.ibm.com: "S-G RP-bit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:51 GMT-3