已解决: 求助：2台ASA5510 L2L VPN IKE2起不来 , 配置已贴出，求扫盲！

jackyxu · ‎05-21-2017

SiteA Outside xx.xx.xxx.26 Inside:10.1.1.0/24 已做了remote VPN 并和另一个SiteC做了L2L
SiteB Outside xx.xx.xxx.186 Inside:192.168.0.0/24 已做了remote VPN
目前 SiteA--SiteB 建立L2L VPN IkE1 完成 IKE2无法成功 debug说是ACL问题,我看了2天没找出问题点
SiteA
ASA Version 8.2(2)
!
hostname ASA5510
domain-name test.com
enable password mgXqoEJSeX2UwbDs encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.1.1.13 SEC_China_Fileserver description SEC China Fileserver
name 10.1.1.17 SEC_China_SQL_SLUTIL description SEC China SQL SLUTIL
name 10.1.1.230 Jacky description jacky's notebook
name 10.1.1.226 vivian description vivian's IP
name 10.1.1.227 betty description betty's IP
name 10.1.1.228 allen description allen's IP
name 10.1.1.225 Ivring description ivring's IP
name 10.1.1.7 SEC_China_SL6server description SEC China SL6server
name 10.1.1.212 mytest_pc
name 10.1.1.98 zhuzd_IP
name 10.1.1.171 zhouzd_IP
name 10.1.2.230 jackytest
name 10.1.2.2 eng-131 description ENG Repare Station PLT-A
name 10.1.1.243 jackyxu
name 10.1.1.76 zhanghj_pc
name 10.242.1.42 SEC_MP_Fileserver_2 description SEC MP Fileserver
name 10.242.1.46 SEC_MP_TS_2 description SEC MP Terminal Services
name 10.242.1.16 SEC_MP_CTRX_2 description SEC_MP_CTRX
name 10.242.103.0 CORP_VPN_VLAN_2
name 10.242.2.0 HOOP_VLAN_2
name 10.242.6.0 MEX_VLAN_2
name 10.242.3.0 MP_DHCP_VLAN_2
name 10.242.4.0 SWDT_VLAN_
name 10.242.1.26 SEC_Eng_Fileserver description SEC ENG Fileserver
name 10.242.1.54 SEC_SVN_server description SEC ENG SVN
name 10.242.1.29 SEC_Licensing_server description SEC Licensing Server
name 10.242.1.90 CvmWebTest
name 10.242.1.30 CvmWeb
name 10.242.1.28 newCvmWeb

dns-guard
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.1.1.3 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address xx.xx.xxx.26 255.255.255.248
!
interface Ethernet0/2
nameif DMZ
security-level 100
ip address 10.1.2.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif guanli
security-level 100
ip address 192.168.50.1 255.255.255.0
management-only
!
regex URL1 "\.taobao\.com"
regex URL2 "\.jd\.com"
regex URL3 "\.youku\.com"
regex URL4 "\.tudou\.com"
regex URL5 "\.letv\.com"
regex URL6 "\.tianya\.cn"
regex URL7 "\.vip\.com"
regex URL8 "\.58\.com"
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name test.com
same-security-traffic permit inter-interface
object-group network SEC_China_Allowed
description SEC MP servers that SEC China is allowed to access
network-object host SEC_MP_Fileserver_2
network-object host SEC_MP_TS_2
network-object host SEC_MP_CTRX_2
network-object CORP_VPN_VLAN_2 255.255.255.0
network-object HOOP_VLAN_2 255.255.255.0
network-object MP_DHCP_VLAN_2 255.255.255.0
network-object SWDT_VLAN_ 255.255.255.0
network-object host SEC_Eng_Fileserver
network-object host SEC_SVN_server
network-object host SEC_Licensing_server
network-object host CvmWebTest
network-object host CvmWeb
network-object host newCvmWeb
network-object MEX_VLAN_2 255.255.254.0
object-group network SEC_MP_Accessible
description Servers that can be accessed by SEC MP
network-object host SEC_China_Fileserver
network-object host SEC_China_SQL_SLUTIL
network-object host Jacky
network-object host vivian
network-object host betty
network-object host allen
network-object host Ivring
network-object host SEC_China_SL6server
network-object host mytest_pc
network-object host zhuzd_IP
network-object host zhouzd_IP
object-group network deny_vpn_access_internet
network-object host jackyxu
network-object host zhanghj_pc
object-group network Url
network-object 10.1.1.0 255.255.255.0
network-object 10.1.2.0 255.255.255.0
object-group network taobaoip
network-object host 140.205.153.54
network-object host 140.205.32.93
network-object host 101.227.160.102
network-object host 104.16.25.190
network-object host 140.205.170.63
network-object host 58.216.17.240
network-object host 58.216.17.140
network-object host 140.205.96.1
network-object host 58.216.17.250
network-object host 140.205.243.65
network-object host 42.156.180.26
network-object host 222.186.49.250
network-object host 222.186.49.240
network-object host 61.155.221.253
network-object host 140.205.115.99
network-object host 122.225.34.250
network-object host 140.205.248.253
network-object host 58.215.145.28
network-object host 58.220.1.110
network-object host 61.155.221.240
network-object host 58.220.27.121
network-object host 140.205.16.112
network-object host 140.205.243.66
network-object host 106.11.14.99
network-object host 110.75.96.109
network-object host 211.150.65.35
network-object host 101.226.76.164
network-object host 222.186.49.177
network-object host 180.97.168.252
network-object host 140.205.174.90
network-object host 140.205.153.72
network-object host 140.205.164.47
network-object host 216.58.221.36
network-object host 222.186.49.225
network-object host 180.97.168.254
network-object host 106.11.15.99
network-object host 140.205.250.55
network-object host 140.205.16.113
network-object host 140.205.170.87
network-object host 180.96.11.177
access-list 101 extended permit icmp any any
access-list 101 extended permit ip any any
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list no-nat extended permit ip object-group SEC_MP_Accessible object-group SEC_China_Allowed
access-list no-nat extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list vpnsplit standard permit 10.1.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group SEC_MP_Accessible object-group SEC_China_Allowed
access-list 102 extended permit tcp object-group deny_vpn_access_internet any eq smtp
access-list 102 extended permit tcp object-group deny_vpn_access_internet any eq pop3
access-list 102 extended permit tcp object-group deny_vpn_access_internet any eq domain
access-list 102 extended permit tcp 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list 102 extended permit tcp 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 102 extended deny tcp object-group deny_vpn_access_internet any
access-list 102 extended permit tcp 10.1.2.32 255.255.255.224 any eq pop3
access-list 102 extended permit tcp 10.1.2.32 255.255.255.224 any eq smtp
access-list 102 extended permit tcp 10.1.2.32 255.255.255.224 any eq domain
access-list 102 extended deny tcp 10.1.2.32 255.255.255.224 any
access-list 102 extended permit ip any any
access-list 102 extended permit tcp any any eq smtp
access-list 102 extended permit tcp any any eq pop3
access-list 102 extended permit tcp any any eq domain
access-list 104 extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 104 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list 104 extended permit tcp any any eq pop3
access-list 104 extended permit tcp any any eq smtp
access-list 104 extended permit tcp any any eq domain
access-list 104 extended deny tcp object-group deny_vpn_access_internet any
access-list 104 extended deny tcp 10.1.2.0 255.255.255.128 any
access-list 104 extended deny ip 10.1.1.0 255.255.255.0 object-group taobaoip
access-list 104 extended permit ip any any
access-list rate_limit_1 extended permit ip any host 10.1.1.203
access-list rate_limit_1 extended permit ip host 10.1.1.203 any
access-list Url_filter extended permit tcp object-group Url any eq www
access-list s2sdst extended permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging monitor alerts
logging trap warnings
logging history informational
logging asdm informational
logging host inside 10.1.1.20
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
mtu guanli 1500
ip local pool vpn-pool 172.16.100.1-172.16.100.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 1 10.1.5.0 255.255.255.0
nat (inside) 1 10.1.6.0 255.255.255.0
nat (DMZ) 0 access-list no-nat
nat (DMZ) 1 10.1.2.0 255.255.255.0
static (inside,outside) tcp xx.xx.xxx.30 ftp SEC_China_Fileserver ftp netmask 255.255.255.255
access-group 104 in interface inside
access-group 101 in interface outside
access-group 104 in interface DMZ
route outside 0.0.0.0 0.0.0.0 xx.xx.xxx.25 1
route inside 10.1.5.0 255.255.255.0 10.1.1.5 1
route inside 10.1.6.0 255.255.255.0 10.1.1.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
http 192.168.50.0 255.255.255.0 guanli
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dymap 10 set transform-set vpnset
crypto dynamic-map dymap 10 set reverse-route
crypto map vpnmap 1 match address outside_1_cryptomap
crypto map vpnmap 1 set pfs group1
crypto map vpnmap 1 set peer xx.xx.xxx.33
crypto map vpnmap 1 set transform-set ESP-DES-SHA
crypto map vpnmap 10 ipsec-isakmp dynamic dymap
crypto map vpnmap 100 match address s2sdst
crypto map vpnmap 100 set peer xx.xx.xxx.186
crypto map vpnmap 100 set transform-set ESP-DES-SHA
crypto map vpnmap interface outside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet 10.1.1.0 255.255.255.0 inside
telnet 10.1.2.0 255.255.255.0 DMZ
telnet 192.168.1.0 255.255.255.0 guanli
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 30
ssh version 1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy secchina internal
group-policy secchina attributes
dns-server value 10.1.1.11 10.1.1.12
vpn-idle-timeout 3600000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplit
username fraczekl password vVdYy3P7JcFB.4iZ encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted
username chinavpn password pKE03T4wKEjMO8L9 encrypted
username jacky password CFUG8xBf9yN39Z/W encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group secchina type remote-access
tunnel-group secchina general-attributes
address-pool vpn-pool
default-group-policy secchina
tunnel-group secchina ipsec-attributes
pre-shared-key *****
tunnel-group xx.xx.xxx.33 type ipsec-l2l
tunnel-group xx.xx.xxx.33 ipsec-attributes
pre-shared-key *****
tunnel-group xx.xx.xxx.186 type ipsec-l2l
tunnel-group xx.xx.xxx.186 ipsec-attributes
pre-shared-key *****
!
class-map rate
class-map rate_limit_1
match access-list rate_limit_1
class-map Url_filter_class
match access-list Url_filter
class-map inspection_default
match default-inspection-traffic
class-map type regex match-any Url_class
match regex URL1
match regex URL2
match regex URL3
match regex URL5
match regex URL6
match regex URL4
match regex URL7
match regex URL8
class-map type inspect http match-all Http_url_class
match request header host regex class Url_class
!
!
policy-map type inspect http Http_url_policy
parameters
class Http_url_class
drop-connection log
policy-map Inside_http_url_policy
class Url_filter_class
inspect http Http_url_policy
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map rate_limit
class rate_limit_1
police input 409500 614000
police output 409500 614000
!
service-policy global_policy global
service-policy Inside_http_url_policy interface inside
service-policy Inside_http_url_policy interface DMZ
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1128a553bde969d631bf602489907eeb
: end
ASA5510#

SiteB

ASA Version 8.2(2)
!
hostname dst
domain-name dst.com
enable password mgXqoEJSeX2UwbDs encrypted
passwd Opm7nsaBn/dtpNva encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xx.xx.xxx.186 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name dst.com
access-list icmp extended permit icmp any any
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-list 102 extended permit icmp any any
access-list 102 extended permit ip any any
access-list no-nat extended permit ip 192.168.0.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list no-nat extended permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpnsplit standard permit 192.168.0.0 255.255.255.0
access-list s2sdst extended permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn-pool 172.16.100.1-172.16.100.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 102 in interface outside
access-group 101 in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xxx.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dymap 10 set transform-set vpnset
crypto dynamic-map dymap 10 set reverse-route
crypto map vpnmap 10 ipsec-isakmp dynamic dymap
crypto map vpnmap 100 match address s2sdst
crypto map vpnmap 100 set peer xx.xx.xxx.26
crypto map vpnmap 100 set transform-set ESP-DES-SHA
crypto map vpnmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5

ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 30
ssh version 1
console timeout 0
vpdn group secadsl request dialout pppoe
vpdn group secadsl localname 051202188025
vpdn group secadsl ppp authentication pap
vpdn username 051202188025 password *****
dhcpd dns 192.168.0.2 221.6.4.66
!
dhcpd address 192.168.0.100-192.168.0.199 inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy secdst internal
group-policy secdst attributes
vpn-idle-timeout 3600000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplit
username dstvpn password qOJicFdBm4JeSm01 encrypted
username clarkep password RKBIAk9trwpvrKNw encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group secdst type remote-access
tunnel-group secdst general-attributes
address-pool vpn-pool
default-group-policy secdst
tunnel-group secdst ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 20 retry 2
tunnel-group xx.xx.xxx.26 type ipsec-l2l
tunnel-group xx.xx.xxx.26 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:885511e0dce0a0f9b11c4bc98729ba7c
: end

--------------------------------------------------------------
SiteA debug
May 22 00:00:13 [IKEv1]: IP = xx.xx.xxx.186, Connection landed on tunnel_group xx.xx.xxx.186
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Generating keys for Responder...
May 22 00:00:13 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
May 22 00:00:13 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing ID payload
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing hash payload
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Computing hash for ISAKMP
May 22 00:00:13 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Processing IOS keep alive payload: proposal=32767/32767 sec.
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing VID payload
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Received DPD VID
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
May 22 00:00:13 [IKEv1]: IP = xx.xx.xxx.186, Connection landed on tunnel_group xx.xx.xxx.186
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing ID payload
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing hash payload
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Computing hash for ISAKMP
May 22 00:00:13 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Constructing IOS keep alive payload: proposal=32767/32767 sec.
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing dpd vid payload
May 22 00:00:13 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, PHASE 1 COMPLETED
May 22 00:00:13 [IKEv1]: IP = xx.xx.xxx.186, Keep-alive type for this connection: DPD
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Starting P1 rekey timer: 73440 seconds.
May 22 00:00:13 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE RECEIVED Message (msgid=1128b176) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 196
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing hash payload
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing SA payload
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing nonce payload
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing ID payload
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.0.0, Mask 255.255.255.0, Protocol 0, Port 0
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing ID payload
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Received local IP Proxy Subnet data in ID Payload: Address 10.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing notify payload
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, QM IsRekeyed old sa not found by addr
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Static Crypto Map check, checking map = vpnmap, seq = 1...
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Static Crypto Map check, map = vpnmap, seq = 1, ACL does not match proxy IDs src:192.168.0.0 dst:10.1.1.0
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, IKE Remote Peer configured for crypto map: dymap
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing IPSec SA payload
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, All IPSec SA proposals found unacceptable!
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, sending notify message
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing blank hash payload
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing ipsec notify payload for msg id 1128b176
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing qm hash payload
May 22 00:00:13 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE SENDING Message (msgid=cb6f4522) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, QM FSM error (P2 struct &0xad8078a0, mess id 0x1128b176)!
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, IKE QM Responder FSM error history (struct &0xad8078a0) , : QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, sending delete/delete with reason message
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Removing peer from correlator table failed, no match!
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Deleting static route for L2L peer that came in on a dynamic map. address: 192.168.0.0, mask: 255.255.255.0
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, IKE SA MM:39c7bdee rcv'd Terminate: state MM_ACTIVE flags 0x0001c042, refcnt 1, tuncnt 0
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, IKE SA MM:39c7bdee terminating: flags 0x0101c002, refcnt 0, tuncnt 0
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, sending delete/delete with reason message
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing blank hash payload
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing IKE delete payload
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing qm hash payload
May 22 00:00:13 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE SENDING Message (msgid=132d892a) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Session is being torn down. Reason: Phase 2 Mismatch
May 22 00:00:13 [IKEv1]: Ignoring msg to mark SA with dsID 205643776 dead because SA deleted
May 22 00:00:13 [IKEv1]: IP = xx.xx.xxx.186, Received encrypted packet with no matching SA, dropping
May 22 00:00:14 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, IKE Initiator: New Phase 1, Intf inside, IKE Peer xx.xx.xxx.186 local Proxy Address 10.1.1.0, remote Proxy Address 192.168.0.0, Crypto map (vpnmap)
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing ISAKMP SA payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing NAT-Traversal VID ver 02 payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing NAT-Traversal VID ver 03 payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing NAT-Traversal VID ver RFC payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing Fragmentation VID + extended capabilities payload
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 204
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing SA payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Oakley proposal is acceptable
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing VID payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Received NAT-Traversal ver 02 VID
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing VID payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Received Fragmentation VID
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing ke payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing nonce payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing Cisco Unity VID payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing xauth V6 VID payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Send IOS VID
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing VID payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing NAT-Discovery payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, computing NAT Discovery hash
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing NAT-Discovery payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, computing NAT Discovery hash
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing ke payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing ISA_KE payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing nonce payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing VID payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Received Cisco Unity client VID
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing VID payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Received xauth V6 VID
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing VID payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing VID payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing NAT-Discovery payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, computing NAT Discovery hash
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing NAT-Discovery payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, computing NAT Discovery hash
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, Connection landed on tunnel_group xx.xx.xxx.186
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Generating keys for Initiator...
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing ID payload
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing hash payload
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Computing hash for ISAKMP
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Constructing IOS keep alive payload: proposal=32767/32767 sec.
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing dpd vid payload
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
May 22 00:00:14 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing ID payload
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing hash payload
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Computing hash for ISAKMP
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Processing IOS keep alive payload: proposal=32767/32767 sec.
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing VID payload
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Received DPD VID
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, Connection landed on tunnel_group xx.xx.xxx.186
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Oakley begin quick mode
May 22 00:00:14 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, PHASE 1 COMPLETED
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, Keep-alive type for this connection: DPD
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Starting P1 rekey timer: 73440 seconds.
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, IKE got SPI from key engine: SPI = 0xa63e8880
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, oakley constucting quick mode
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing blank hash payload
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing IPSec SA payload
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing IPSec nonce payload
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing proxy ID
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Transmitting Proxy Id:
Local subnet: 10.1.1.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 192.168.0.0 Mask 255.255.255.0 Protocol 0 Port 0
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing qm hash payload
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE SENDING Message (msgid=e202d6e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE RECEIVED Message (msgid=5a443e5f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing hash payload
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing notify payload
May 22 00:00:14 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Received non-routine Notify message: No proposal chosen (14)
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE RECEIVED Message (msgid=33a7bff1) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing hash payload
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing delete
May 22 00:00:14 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Connection terminated for peer xx.xx.xxx.186. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, sending delete/delete with reason message
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing blank hash payload
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing IPSec delete payload
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing qm hash payload
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE SENDING Message (msgid=abb6c8c2) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 64
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, IKE Deleting SA: Remote Proxy 192.168.0.0, Local Proxy 10.1.1.0
May 22 00:00:14 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Removing peer from correlator table failed, no match!
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, IKE SA MM:efeb7782 terminating: flags 0x0100c822, refcnt 0, tuncnt 0
May 22 00:00:14 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Session is being torn down. Reason: User Requested
May 22 00:00:14 [IKEv1]: Ignoring msg to mark SA with dsID 205647872 dead because SA deleted
May 22 00:00:14 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xa63e8880
May 22 00:00:17 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
May 22 00:00:17 [IKEv1]: IP = xx.xx.xxx.186, IKE Initiator: New Phase 1, Intf inside, IKE Peer xx.xx.xxx.186 local Proxy Address 10.1.1.0, remote Proxy Address 192.168.0.0, Crypto map (vpnmap)
May 22 00:00:17 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing ISAKMP SA payload
May 22 00:00:17 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing NAT-Traversal VID ver 02 payload
May 22 00:00:17 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing NAT-Traversal VID ver 03 payload
May 22 00:00:17 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing NAT-Traversal VID ver RFC payload
May 22 00:00:17 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing Fragmentation VID + extended capabilities payload
May 22 00:00:17 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 204
May 22 00:00:17 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
May 22 00:00:17 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing SA payload
May 22 00:00:17 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Oakley proposal is acceptable

pebao · ‎05-21-2017

ikev2 的配置请参考下面链接：
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/117337-config-asa-router-00.html#anc19

在原帖中查看解决方案

pebao · ‎05-21-2017

ikev2 的配置请参考下面链接：
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/117337-config-asa-router-00.html#anc19

one-time · ‎05-21-2017

感谢您的提问！稍后会有小伙伴为您解答的！

stoneyeye · ‎07-06-2017

把crypto map vpnmap 100变成crypto map vpnmap 9，序号变小一点试试。祝你好运！:)