Introduction
This document explains how to read the debugs on the Adaptive Security Appliance (ASA) when aggressive mode and a pre-shared key (PSK) are used.
It also shows how certain debug lines map back to the configuration that produces them.
What is not discussed in this document:
- passing traffic after the tunnel has been established
- basic concepts of IPSec or Internet Key Exchange (IKE)
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Adaptive Security Appliances
- basic knowledge of IPSec or IKE
Components Used
The information in this document is based on these hardware and software versions.
- ASA 8.3.2
Conventions
For more information on document conventions, refer to Cisco Technical Tips Conventions.
Core issue
IKE and IPSec debugs tend to be cryptic, but Cisco's Technical Assistance Center (TAC) often uses them to locate where an IPSec VPN tunnel establishment problem lies.
Scenario
Aggressive mode is typically used in the case of EZVPN, with both software (Cisco VPN client) and hardware clients (ASA 5505 or IOS routers), but only when a pre-shared key (PSK) is used.
These debugs are from an ASA 8.3.2 (EZVPN server). The EZVPN client is a router in client mode.
Debugs used
debug crypto isakmp 127
debug crypto ipsec 127
Hardware client configuration
crypto ipsec client ezvpn EZ
 connect manual
 group EZ key cisco
 mode client
 peer 10.48.67.14
 username cisco password cisco
 xauth userid mode local
interface FastEthernet4
 ip address 10.48.66.23 255.255.254.0
 duplex auto
 speed auto
 crypto ipsec client ezvpn EZ
end
interface Vlan1
 ip address 172.16.0.1 255.255.255.0
 crypto ipsec client ezvpn EZ inside
end
ASA configuration
The ASA configuration is kept strictly basic; no external servers are used.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.48.67.14 255.255.254.0
crypto ipsec transform-set TRA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN 10 set transform-set TRA
crypto dynamic-map DYN 10 set reverse-route
crypto map MAP 65000 ipsec-isakmp dynamic DYN
crypto map MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
username cisco password cisco
username cisco attributes
 vpn-framed-ip-address 192.168.1.100 255.255.255.0
tunnel-group EZ type remote-access
tunnel-group EZ general-attributes
 default-group-policy EZ
tunnel-group EZ ipsec-attributes
 pre-shared-key *****
group-policy EZ internal
group-policy EZ attributes
 password-storage enable
Debugging
Phase 1 - Aggressive mode
Aggressive mode consists of 3 messages.
Aggressive mode message 1 (AM1), sent from client to server.
Includes:
- capabilities (Vendor IDs)
- ISAKMP proposals
- group (identity)
- hashed PSK
- Diffie-Hellman exchange
%ASA-6-302015: Built inbound UDP connection 655 for outside:10.48.66.23/500 (10.48.66.23/500) to identity:10.48.67.14/500 (10.48.67.14/500)
%ASA-7-713236: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 1134
%ASA-7-715047: IP = 10.48.66.23, processing SA payload
%ASA-7-715047: IP = 10.48.66.23, processing VID payload
%ASA-7-715049: IP = 10.48.66.23, Received NAT-Traversal RFC VID
%ASA-7-715047: IP = 10.48.66.23, processing VID payload
%ASA-7-715047: IP = 10.48.66.23, processing VID payload
%ASA-7-715049: IP = 10.48.66.23, Received NAT-Traversal ver 03 VID
%ASA-7-715047: IP = 10.48.66.23, processing VID payload
%ASA-7-715049: IP = 10.48.66.23, Received NAT-Traversal ver 02 VID
%ASA-7-715047: IP = 10.48.66.23, processing ke payload
%ASA-7-715047: IP = 10.48.66.23, processing ISA_KE payload
%ASA-7-715047: IP = 10.48.66.23, processing nonce payload
%ASA-7-715047: IP = 10.48.66.23, processing ID payload
%ASA-7-715047: IP = 10.48.66.23, processing VID payload
%ASA-7-715049: IP = 10.48.66.23, Received DPD VID
%ASA-7-715047: IP = 10.48.66.23, processing VID payload
%ASA-7-715049: IP = 10.48.66.23, Received xauth V6 VID
%ASA-7-715047: IP = 10.48.66.23, processing VID payload
%ASA-7-715050: IP = 10.48.66.23, Claims to be IOS but failed authentication
%ASA-7-715047: IP = 10.48.66.23, processing VID payload
%ASA-7-715049: IP = 10.48.66.23, Received Cisco Unity client VID
%ASA-7-713906: IP = 10.48.66.23, Connection landed on tunnel_group EZ
%ASA-7-715047: Group = EZ, IP = 10.48.66.23, processing IKE SA payload
%ASA-7-715028: Group = EZ, IP = 10.48.66.23, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 1
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 1134
Relevant configuration:
ISAKMP is enabled on the interface, and at least one policy is defined that matches what the client sent.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
A tunnel-group matching the identity (group) name is present.
tunnel-group EZ type remote-access
tunnel-group EZ general-attributes
 default-group-policy EZ
tunnel-group EZ ipsec-attributes
 pre-shared-key cisco
Aggressive mode message 2 (AM2), sent from server to client.
- capabilities
- Diffie-Hellman exchange
- NAT detection payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing ISAKMP SA payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing ke payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing nonce payload
%ASA-7-713906: Group = EZ, IP = 10.48.66.23, Generating keys for Responder... : IP = 10.48.66.23, processing SA payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing ID payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing hash payload
%ASA-7-715076: Group = EZ, IP = 10.48.66.23, Computing hash for ISAKMP
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing Cisco Unity VID payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing xauth V6 VID payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing dpd vid payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing NAT-Traversal VID ver 02 payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing NAT-Discovery payload
%ASA-7-713906: Group = EZ, IP = 10.48.66.23, computing NAT Discovery hash
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing NAT-Discovery payload
%ASA-7-713906: Group = EZ, IP = 10.48.66.23, computing NAT Discovery hash
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing Fragmentation VID + extended capabilities payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing VID payload
%ASA-7-715048: Group = EZ, IP = 10.48.66.23, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713236: IP = 10.48.66.23, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8)+ VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 444
Oct 28 15:30:24 [IKEv1 DEBUG]: IP = 10.48.66.23, processing VID payload
Aggressive mode message 3 (AM3), sent from client to server.
Contains:
- NAT discovery and decision
%ASA-7-713236: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NAT-D (130) + NAT-D (130) + NOTIFY (11) + NONE (0) total length : 128
%ASA-7-715047: Group = EZ, IP = 10.48.66.23, processing hash payload
%ASA-7-715076: Group = EZ, IP = 10.48.66.23, Computing hash for ISAKMP
%ASA-7-715047: Group = EZ, IP = 10.48.66.23, processing NAT-Discovery payload
%ASA-7-713906: Group = EZ, IP = 10.48.66.23, computing NAT Discovery hash
%ASA-7-715047: Group = EZ, IP = 10.48.66.23, processing NAT-Discovery payload
%ASA-7-713906: Group = EZ, IP = 10.48.66.23, computing NAT Discovery hash
%ASA-7-715047: Group = EZ, IP = 10.48.66.23, processing notify payload
%ASA-6-713172: Group = EZ, IP = 10.48.66.23, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing blank hash payload
%ASA-7-715046: Group = EZ, IP = 10.48.66.23, constructing qm hash payload
Phase 1.5 - Xauth and Mode configuration
Xauth (eXtended AUTHentication) - user authentication.
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE SENDING Message (msgid=7f8bcb91) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0)total length : 72
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=7f8bcb91) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 82
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, IP = 10.48.66.23, process_attr(): Enter!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, IP = 10.48.66.23, Processing MODE_CFG Reply attributes.
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKEGetUserAttributes: primary DNS = cleared
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKEGetUserAttributes: secondary DNS = cleared
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKEGetUserAttributes: primary WINS = cleared
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKEGetUserAttributes: secondary WINS = cleared
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKEGetUserAttributes: IP Compression = disabled
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKEGetUserAttributes: Split Tunneling Policy = Disabled
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, User (cisco) authenticated.
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing blank hash payload
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing qm hash payload
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE SENDING Message (msgid=a5d79e97) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0)total length : 64
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=a5d79e97) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, process_attr(): Enter!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Processing cfg ACK attributes
Relevant configuration:
username cisco password cisco
Mode config - request and provide authentication attributes
Contains:
- Request for parameters to configure the client.
- Reply - at least an IP address and mask in a typical scenario.
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=f582f52e) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 393
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, process_attr(): Enter!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Processing cfg Request attributes
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for IPV4 address!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for IPV4 net mask!
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Received unknown transaction mode attribute: 28692
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Received unknown transaction mode attribute: 28693
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for DNS server address!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for DNS server address!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for WINS server address!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for WINS server address!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for Split Tunnel List!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for Split DNS!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for Default Domain Name!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for Save PW setting!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for Local LAN Include!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for PFS setting!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for backup ip-sec peer list!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for Application Version!
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Client Type: IOS Client Application Version: 12.4(20)T5
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for Banner!
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Received unknown transaction mode attribute: 28695
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, MODE_CFG: Received request for DHCP hostname for DDNS is: bsns-871-3!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Obtained IP addr (192.168.1.100) prior to initiating Mode Cfg(XAuth enabled)
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Sending subnet mask (255.255.255.0) to remote client
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Assigned private IP address 192.168.1.100 to remote user
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing blank hash payload
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing qm hash payload
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE SENDING Message (msgid=f582f52e) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0)total length : 173
Oct 28 15:30:24 [IKEv1 DECODE]: IP = 10.48.66.23, IKE Responder starting QM: msg id = 8bd3cce6
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Gratuitous ARP sent for 192.168.1.100
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, PHASE 1 COMPLETED
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE SENDING Message (msgid=6531fd86) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
Relevant configuration:
(Note: in this case the user is always assigned the same IP address.)
username cisco attributes
 vpn-framed-ip-address 192.168.1.100 255.255.255.0
IPSec phase 1 is now complete, and phase 2 begins:
Phase 2 - Quick mode
Quick mode message 1 (QM1)
- phase two encryption algorithms (IPsec transform sets)
- tunnel type and encryption
- proxy ID ("what would I like to put in the tunnel?")
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=8bd3cce6) with payloads : HDR + HASH (8) + SA (1) + NONCE (10)+ ID (5) + ID (5) + NONE (0) total length : 1276
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing hash payload
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing SA payload
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing nonce payload
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing ID payload
Oct 28 15:30:24 [IKEv1 DECODE]: Group = EZ, Username = cisco, IP = 10.48.66.23, ID_IPV4_ADDR ID received 192.168.1.100
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Received remote Proxy Host data in ID Payload: Address 192.168.1.100, Protocol 0, Port 0
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing ID payload
Oct 28 15:30:24 [IKEv1 DECODE]: Group = EZ, Username = cisco, IP = 10.48.66.23, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, QM IsRekeyed old sa not found by addr
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKE Remote Peer configured for crypto map: DYN
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing IPSec SA payload
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IPSec SA Proposal # 1, Transform # 1 acceptable Matches global IPSec SA entry # 10
Relevant configuration:
crypto dynamic-map DYN 10 set transform-set TRA
Quick mode message 2 (QM2)
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKE: requesting SPI!
IPSEC: New embryonic SA created @ 0x5416EBD0,
SCB: 0x53707C08,
Direction: inbound
SPI : 0xD6602721
Session ID: 0x00067000
VPIF num : 0x00000002
Tunnel type: ra
Protocol : esp
Lifetime : 240 seconds
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKE got SPI from key engine: SPI = 0xd6602721
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, oakley constucting quick mode
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing blank hash payload
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing IPSec SA payload
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing IPSec nonce payload
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing proxy ID
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Transmitting Proxy Id:
Remote host: 192.168.1.100 Protocol 0 Port 0
Local subnet: 0.0.0.0 mask 0.0.0.0 Protocol 0 Port 0
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Sending RESPONDER LIFETIME notification to Initiator
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, constructing qm hash payload
Oct 28 15:30:24 [IKEv1 DECODE]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKE Responder sending 2nd QM pkt: msg id = 8bd3cce6
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE SENDING Message (msgid=8bd3cce6) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 196
Relevant configuration:
tunnel-group EZ type remote-access
!(tunnel type ra = tunnel type remote-access)
crypto ipsec transform-set TRA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN 10 set transform-set TRA
crypto map MAP 65000 ipsec-isakmp dynamic DYN
crypto map MAP interface outside
Quick mode message 3 (QM3)
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=8bd3cce6) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing hash payload
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, loading all IPSEC SAs
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Generating Quick Mode Key!
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, NP encrypt rule look up for crypto map DYN 10 matching ACL Unknown: returned cs_id=53cacff8; rule=00000000
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Generating Quick Mode Key!
IPSEC: New embryonic SA created @ 0x54173AD0,
SCB: 0x536EFC00,
Direction: outbound
SPI : 0x8C52372D
Session ID: 0x00067000
VPIF num : 0x00000002
Tunnel type: ra
Protocol : esp
Lifetime : 240 seconds
IPSEC: Completed host OBSA update, SPI 0x8C52372D
IPSEC: Creating outbound VPN context, SPI 0x8C52372D
Flags: 0x00000005
SA : 0x54173AD0
SPI : 0x8C52372D
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00000000
SCB : 0x04E59681
Channel: 0x4C69CD00
IPSEC: Completed outbound VPN context, SPI 0x8C52372D
VPN handle: 0x0019BB3C
IPSEC: New outbound encrypt rule, SPI 0x8C52372D
Src addr: 0.0.0.0
Src mask: 0.0.0.0
Dst addr: 192.168.1.100
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0x8C52372D
Rule ID: 0x536FEF98
IPSEC: New outbound permit rule, SPI 0x8C52372D
Src addr: 10.48.67.14
Src mask: 255.255.255.255
Dst addr: 10.48.66.23
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x8C52372D
Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0x8C52372D
Rule ID: 0x4CB82D38
IPSEC: Applying VPN filter BLA_3
IPSEC: Completed outbound user rule, SPI 0x8C52372D
Rule ID: 0x00000004
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, NP encrypt rule look up for crypto map DYN 10 matching ACL Unknown: returned cs_id=53cacff8; rule=00000000
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Security negotiation complete for User (cisco) Responder, Inbound SPI = 0xd6602721, Outbound SPI = 0x8c52372d
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IKE got a KEY_ADD msg for SA: SPI = 0x8c52372d
IPSEC: Completed host IBSA update, SPI 0xD6602721
IPSEC: Creating inbound VPN context, SPI 0xD6602721
Flags: 0x00000006
SA : 0x5416EBD0
SPI : 0xD6602721
MTU : 0 bytes
VCID : 0x00000000
Peer : 0x0019BB3C
SCB : 0x04E50703
Channel: 0x4C69CD00
IPSEC: Completed inbound VPN context, SPI 0xD6602721
VPN handle: 0x0019C174
IPSEC: Updating outbound VPN context 0x0019BB3C, SPI 0x8C52372D
Flags: 0x00000005
SA : 0x54173AD0
SPI : 0x8C52372D
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x0019C174
SCB : 0x04E59681
Channel: 0x4C69CD00
IPSEC: Completed outbound VPN context, SPI 0x8C52372D
VPN handle: 0x0019BB3C
IPSEC: Completed outbound inner rule, SPI 0x8C52372D
Rule ID: 0x536FEF98
IPSEC: Completed outbound outer SPD rule, SPI 0x8C52372D
Rule ID: 0x4CB82D38
IPSEC: New inbound tunnel flow rule, SPI 0xD6602721
Src addr: 192.168.1.100
Src mask: 255.255.255.255
Dst addr: 0.0.0.0
Dst mask: 0.0.0.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0xD6602721
Rule ID: 0x4CB84870
IPSEC: New inbound decrypt rule, SPI 0xD6602721
Src addr: 10.48.66.23
Src mask: 255.255.255.255
Dst addr: 10.48.67.14
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0xD6602721
Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0xD6602721
Rule ID: 0x541476E0
IPSEC: New inbound permit rule, SPI 0xD6602721
Src addr: 10.48.66.23
Src mask: 255.255.255.255
Dst addr: 10.48.67.14
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0xD6602721
Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0xD6602721
Rule ID: 0x4CB840B0
IPSEC: Applying VPN filter BLA_3
IPSEC: Completed inbound user rule, SPI 0xD6602721
Rule ID: 0x00000004
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Pitcher: received KEY_UPDATE, spi 0xd6602721
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Starting P2 rekey timer: 27360 seconds.
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Adding static route for client address: 192.168.1.100
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, PHASE 2 COMPLETED (msgid=8bd3cce6)
Relevant configuration:
crypto ipsec transform-set TRA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN 10 set transform-set TRA
crypto dynamic-map DYN 10 set reverse-route
!adding static route ...
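The exchanges walked through above (AM1 to AM3, the Xauth and mode-config transactions, QM1 to QM3) can each be recognised from the payload list in its IKE_DECODE line. As an added example that is not part of the original document, the Python below parses those lines, names each exchange, picks up the milestones the text points at (tunnel-group match, policy match, NAT detection, user authentication, assigned address, negotiated SPIs, PHASE 1/2 COMPLETED) and reports where a negotiation stopped. It assumes the ASA is the responder, as in this scenario; the sample input is a trimmed selection of the debug lines shown on this page, and the payload patterns used to name each exchange are taken from those same lines.

```python
import re

# Constructed sample: a trimmed selection of the debug lines shown on this page
# (ASA 8.3.2 as responder, EZVPN hardware client 10.48.66.23, tunnel-group EZ).
SAMPLE_DEBUG = """\
%ASA-7-713236: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 1134
%ASA-7-713906: IP = 10.48.66.23, Connection landed on tunnel_group EZ
%ASA-7-715028: Group = EZ, IP = 10.48.66.23, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 1
%ASA-7-713236: IP = 10.48.66.23, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8)+ VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 444
%ASA-7-713236: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NAT-D (130) + NAT-D (130) + NOTIFY (11) + NONE (0) total length : 128
%ASA-6-713172: Group = EZ, IP = 10.48.66.23, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE SENDING Message (msgid=7f8bcb91) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0)total length : 72
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=7f8bcb91) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 82
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, User (cisco) authenticated.
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Received unknown transaction mode attribute: 28692
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Assigned private IP address 192.168.1.100 to remote user
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, PHASE 1 COMPLETED
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=8bd3cce6) with payloads : HDR + HASH (8) + SA (1) + NONCE (10)+ ID (5) + ID (5) + NONE (0) total length : 1276
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, IPSec SA Proposal # 1, Transform # 1 acceptable Matches global IPSec SA entry # 10
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE SENDING Message (msgid=8bd3cce6) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 196
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=8bd3cce6) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, Security negotiation complete for User (cisco) Responder, Inbound SPI = 0xd6602721, Outbound SPI = 0x8c52372d
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 10.48.66.23, PHASE 2 COMPLETED (msgid=8bd3cce6)
"""

DECODE_RE = re.compile(r"IKE_DECODE (RECEIVED|SENDING) Message \(msgid=([0-9a-f]+)\) "
                       r"with payloads : (.*?)\s*total length : (\d+)")
PAYLOAD_RE = re.compile(r"^([A-Z][A-Z\-]*)(?: \((\d+)\))?$")
# Milestone lines and the summary key each one fills (one line may fill two keys).
EVENT_RES = [
    ("tunnel_group", r"Connection landed on tunnel_group (\S+)"),
    ("ike_policy", r"Matches global IKE entry # (\d+)"),
    ("nat_status", r"Automatic NAT Detection Status: (.+)"),
    ("user", r"User \((\S+)\) authenticated"),
    ("assigned_ip", r"Assigned private IP address (\S+) to remote user"),
    ("ipsec_entry", r"Matches global IPSec SA entry # (\d+)"),
    ("inbound_spi", r"Inbound SPI = (0x[0-9a-f]+)"),
    ("outbound_spi", r"Outbound SPI = (0x[0-9a-f]+)"),
]

def parse_decode(line):
    """Return {direction, msgid, payloads, length} for an IKE_DECODE line, else None."""
    m = DECODE_RE.search(line)
    if not m:
        return None
    names = []
    for tok in m.group(3).split("+"):
        pm = PAYLOAD_RE.match(tok.strip())
        if pm and pm.group(1) != "NONE":            # NONE (0) only terminates the list
            names.append(pm.group(1))
    return {"direction": m.group(1), "msgid": m.group(2),
            "payloads": names, "length": int(m.group(4))}

def classify(msg):
    """Name the exchange step; assumes the ASA is the responder as on this page
    (RECEIVED = from the client, SENDING = to the client)."""
    p = msg["payloads"]
    if msg["msgid"] == "0":                         # phase 1 (aggressive mode) uses msgid 0
        if "SA" in p and "KE" in p:
            return "AM2" if "HASH" in p else "AM1"  # AM2 carries the responder's hash
        return "AM3" if "NAT-D" in p else "PHASE1-OTHER"
    if "ATTR" in p:                                 # transaction exchange: Xauth / mode config
        return "XAUTH/MODECFG"
    if "SA" in p and "NONCE" in p:                  # quick mode proposal, either direction
        return "QM1" if msg["direction"] == "RECEIVED" else "QM2"
    if p == ["HDR", "HASH"]:
        return "QM3"
    return "INFORMATIONAL" if "NOTIFY" in p else "OTHER"

def summarize(text):
    """Walk the debug text once and collect exchanges, milestones and oddities."""
    s = {"exchanges": [], "phase1_complete": False, "phase2_complete": False, "notes": []}
    for line in text.splitlines():
        msg = parse_decode(line)
        if msg:
            msg["exchange"] = classify(msg)
            s["exchanges"].append(msg)
            continue
        for key, pat in EVENT_RES:
            m = re.search(pat, line)
            if m:
                s[key] = m.group(1)
        s["phase1_complete"] |= "PHASE 1 COMPLETED" in line
        s["phase2_complete"] |= "PHASE 2 COMPLETED" in line
        if "unknown transaction mode attribute" in line or "PSK Hash Verification Failed" in line:
            s["notes"].append(line.rsplit(", ", 1)[-1])
    return s

def stalled_at(s):
    """Last milestone reached; the page's 'Relevant configuration' for the next
    step is the first thing to check when a tunnel does not come up."""
    if s["phase2_complete"]:
        return "PHASE 2 COMPLETED"
    if s["phase1_complete"]:
        return "PHASE 1 COMPLETED, quick mode pending"
    if s["exchanges"]:
        return "last exchange: " + s["exchanges"][-1]["exchange"]
    return "no IKE_DECODE messages seen"

if __name__ == "__main__":
    summary = summarize(SAMPLE_DEBUG)
    for e in summary["exchanges"]:
        print(f'{e["exchange"]:14} {e["direction"]:8} msgid={e["msgid"]:8} {" + ".join(e["payloads"])}')
    print("stalled at:", stalled_at(summary))
```

Run over a full debug capture, the exchange list shows at a glance which of the three aggressive-mode messages, the transactions and the quick-mode messages were seen, and the milestone keys say which step the configuration sections above were matched at. A capture that ends with "last exchange: AM1" points at the ISAKMP policy and tunnel-group configuration listed as relevant for AM1; one that ends at QM1 points at the transform set and dynamic crypto map.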
Phase 2 is now finished, but the client also sends information about itself.
If you look carefully at the hex dump, you should find:
- hostname of the EZVPN client
- software being run on the client
- location and name of the software
Oct 28 15:30:24 [IKEv1]: IP = 10.48.66.23, IKE_DECODE RECEIVED Message (msgid=91facca9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 184
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing hash payload
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, processing notify payload
Oct 28 15:30:24 [IKEv1 DECODE]: OBSOLETE DESCRIPTOR - INDEX 1
Oct 28 15:30:24 [IKEv1 DECODE]: 0000: 00000000 7534000B 62736E73 2D383731 ....u4..bsns-871
0010: 2D332E75 32000943 6973636F 20383731 -3.u2..Cisco 871
0020: 7535000B 46484B30 39343431 32513675 u5..FHK094412Q6u
0030: 36000932 32383538 39353638 75390009 6..228589568u9..
0040: 31343532 31363331 32753300 2B666C61 145216312u3.+fla
0050: 73683A63 3837302D 61647669 70736572 sh:c870-advipser
0060: 76696365 736B392D 6D7A2E31 32342D32 vicesk9-mz.124-2
0070: 302E5435 2E62696E 0.T5.bin
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, Processing PSK Hash
Oct 28 15:30:24 [IKEv1]: Group = EZ, Username = cisco, IP = 192.168.1.100, Inconsistent PSK hash size
Oct 28 15:30:24 [IKEv1 DEBUG]: Group = EZ, Username = cisco, IP = 10.48.66.23, PSK Hash Verification Failed!
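The hex dump in that last NOTIFY payload carries the client details the text says to look for. As an added example, not from the original document, the Python below rebuilds the bytes from the dump exactly as printed on this page and splits them into records. The record layout (two ASCII tag bytes, a 16-bit big-endian length, then the value) is inferred from this single dump and is an assumption, as are the tag meanings (u4 hostname, u2 platform, u3 image path), which are read off the decoded values rather than documented anywhere on the page.

```python
import re

# The hex dump from the final NOTIFY payload on this page ("OBSOLETE DESCRIPTOR"),
# one dump line per text line, with the [IKEv1 DECODE] prefix removed.
DESCRIPTOR_DUMP = """\
0000: 00000000 7534000B 62736E73 2D383731 ....u4..bsns-871
0010: 2D332E75 32000943 6973636F 20383731 -3.u2..Cisco 871
0020: 7535000B 46484B30 39343431 32513675 u5..FHK094412Q6u
0030: 36000932 32383538 39353638 75390009 6..228589568u9..
0040: 31343532 31363331 32753300 2B666C61 145216312u3.+fla
0050: 73683A63 3837302D 61647669 70736572 sh:c870-advipser
0060: 76696365 736B392D 6D7A2E31 32342D32 vicesk9-mz.124-2
0070: 302E5435 2E62696E 0.T5.bin
"""

DUMP_LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{4}):\s+(.*)$")
HEX_GROUP_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}){1,4}$")   # one to four bytes per group

def dump_to_bytes(dump):
    """Rebuild raw bytes from an ASA-style hex dump: offset, up to four hex
    groups, then an ASCII column that is ignored. The offset is checked against
    the byte count so a dropped or duplicated dump line is caught."""
    out = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE_RE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"offset {m.group(1)} does not follow {len(out)} bytes")
        for tok in m.group(2).split()[:4]:
            if not HEX_GROUP_RE.match(tok):
                break                                  # reached the ASCII column
            out += bytes.fromhex(tok)
            if len(tok) < 8:
                break                                  # a short group is always the last
    return bytes(out)

def parse_descriptor(raw):
    """Split the descriptor into tag -> value. Layout inferred from this dump
    (an assumption, not something the page documents): 4 leading bytes, then
    repeated [2 ASCII tag bytes][16-bit big-endian length][value]."""
    records = {}
    pos = 4
    while pos + 4 <= len(raw):
        tag = raw[pos:pos + 2].decode("ascii")
        length = int.from_bytes(raw[pos + 2:pos + 4], "big")
        value = raw[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError(f"record {tag!r} runs past the end of the payload")
        records[tag] = value.decode("ascii", "replace")
        pos += 4 + length
    return records

def client_inventory(dump):
    """Pick out what the page tells you to look for: hostname, platform and the
    image the client runs. Tag meanings are read off the values (assumption)."""
    r = parse_descriptor(dump_to_bytes(dump))
    return {"hostname": r.get("u4", "").rstrip("."), "platform": r.get("u2"),
            "image": r.get("u3"), "raw_records": r}

if __name__ == "__main__":
    for key, value in client_inventory(DESCRIPTOR_DUMP).items():
        print(f"{key:12} {value}")
```

The offset check matters when a dump is copied out of a console session: a missing line shifts every later record and the parser would otherwise produce plausible-looking garbage instead of failing.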
Established tunnel
ISAKMP
Command:
sh cry isa sa det
Output:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 10.48.66.23
Type : user Role : responder
Rekey : no State : AM_ACTIVE
Encrypt : aes Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 86387
AM_ACTIVE - aggressive mode is active.
IPSec
Command:
sh crypto ipsec sa
Output: (Note that the SPI values differ from those negotiated above. This is in fact the same tunnel after a phase 2 rekey.)
interface: outside
Crypto map tag: DYN, seq num: 10, local addr: 10.48.67.14
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.100/255.255.255.255/0/0)
current_peer: 10.48.66.23, username: cisco
dynamic allocated peer ip: 192.168.1.100
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.48.67.14/0, remote crypto endpt.: 10.48.66.23/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: C4B9A77C
current inbound spi : EA2B6B15
inbound esp sas:
spi: 0xEA2B6B15 (3928714005)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 425984, crypto-map: DYN
sa timing: remaining key lifetime (sec): 28714
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000003F
outbound esp sas:
spi: 0xC4B9A77C (3300501372)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 425984, crypto-map: DYN
sa timing: remaining key lifetime (sec): 28714
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
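For the established tunnel, as an added example not from the original document, the Python below parses the sh crypto ipsec sa output shown above and applies the page's own checks: packet counters in both directions, error counters, and the caveat that the SPIs in the show output differ from those in the debug once a phase 2 rekey has happened. The negotiated SPIs passed in are the ones from the "Security negotiation complete" debug line earlier on the page; the sample input is the show output above, trimmed to the lines the checks read.

```python
import re

# The "sh crypto ipsec sa" output shown on this page, trimmed to the lines the
# checks below read (any remaining counter lines are parsed the same way).
SHOW_IPSEC_SA = """\
interface: outside
Crypto map tag: DYN, seq num: 10, local addr: 10.48.67.14
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.100/255.255.255.255/0/0)
current_peer: 10.48.66.23, username: cisco
dynamic allocated peer ip: 192.168.1.100
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#send errors: 0, #recv errors: 0
current outbound spi: C4B9A77C
current inbound spi : EA2B6B15
inbound esp sas:
spi: 0xEA2B6B15 (3928714005)
sa timing: remaining key lifetime (sec): 28714
outbound esp sas:
spi: 0xC4B9A77C (3300501372)
sa timing: remaining key lifetime (sec): 28714
"""

INT_FIELDS = {
    "encaps": r"#pkts encaps: (\d+)", "decaps": r"#pkts decaps: (\d+)",
    "encrypt": r"#pkts encrypt: (\d+)", "decrypt": r"#pkts decrypt: (\d+)",
    "send_errors": r"#send errors: (\d+)", "recv_errors": r"#recv errors: (\d+)",
}
STR_FIELDS = {
    "peer": r"current_peer: (\S+),", "username": r"username: (\S+)",
    "local_ident": r"local ident \(addr/mask/prot/port\): \((\S+)\)",
    "remote_ident": r"remote ident \(addr/mask/prot/port\): \((\S+)\)",
    "outbound_spi": r"current outbound spi\s*: ([0-9A-Fa-f]+)",
    "inbound_spi": r"current inbound spi\s*: ([0-9A-Fa-f]+)",
}

def parse_show_ipsec_sa(text):
    """Pull the per-SA fields out of the show output into a dict."""
    sa = {}
    for line in text.splitlines():
        for key, pat in INT_FIELDS.items():
            m = re.search(pat, line)
            if m:
                sa[key] = int(m.group(1))
        for key, pat in STR_FIELDS.items():
            m = re.search(pat, line)
            if m:
                sa[key] = m.group(1)
    return sa

def _strip_0x(spi):
    s = spi.lower()
    return s[2:] if s.startswith("0x") else s

def check_tunnel(sa, negotiated_inbound=None, negotiated_outbound=None):
    """Return findings for an established tunnel. The negotiated SPIs are the
    ones from the 'Security negotiation complete' debug line; as the page notes,
    they differ from the show output after a phase 2 rekey, and that is still
    the same tunnel."""
    findings = []
    if sa["encaps"] and sa["decaps"]:
        findings.append("counters increment in both directions")
    elif sa["encaps"] or sa["decaps"]:
        findings.append("counters increment in one direction only: "
                        f"encaps={sa['encaps']} decaps={sa['decaps']}")
    else:
        findings.append("no packets have used this SA yet")
    if sa["send_errors"] or sa["recv_errors"]:
        findings.append(f"errors: send={sa['send_errors']} recv={sa['recv_errors']}")
    for label, shown, negotiated in (("inbound", sa["inbound_spi"], negotiated_inbound),
                                     ("outbound", sa["outbound_spi"], negotiated_outbound)):
        if negotiated and shown.lower() != _strip_0x(negotiated):
            findings.append(f"{label} SPI {shown} differs from negotiated {negotiated}: "
                            "phase 2 has rekeyed since the debug was taken")
    return findings

if __name__ == "__main__":
    sa = parse_show_ipsec_sa(SHOW_IPSEC_SA)
    for f in check_tunnel(sa, "0xd6602721", "0x8c52372d"):
        print("-", f)
```

Passing the SPIs from the debug makes the rekey caveat explicit instead of leaving it to whoever compares the two outputs by eye; when the SPIs match, that finding simply does not appear.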
Updated: Aug 17, 2012 | Document ID: 113595