SiteA: Outside xx.xx.xxx.26, Inside 10.1.1.0/24. Already has a remote-access VPN configured and an L2L tunnel to another site, SiteC.
SiteB: Outside xx.xx.xxx.186, Inside 192.168.0.0/24. Already has a remote-access VPN configured.
Now I am building an L2L VPN between SiteA and SiteB. IKE phase 1 completes, but IKE phase 2 never succeeds. The debug says it is an ACL problem; I have been looking at it for two days and cannot find the cause.
SiteA

ASA Version 8.2(2)
!
hostname ASA5510
domain-name test.com
enable password mgXqoEJSeX2UwbDs encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.1.1.13 SEC_China_Fileserver description SEC China Fileserver
name 10.1.1.17 SEC_China_SQL_SLUTIL description SEC China SQL SLUTIL
name 10.1.1.230 Jacky description jacky's notebook
name 10.1.1.226 vivian description vivian's IP
name 10.1.1.227 betty description betty's IP
name 10.1.1.228 allen description allen's IP
name 10.1.1.225 Ivring description ivring's IP
name 10.1.1.7 SEC_China_SL6server description SEC China SL6server
name 10.1.1.212 mytest_pc
name 10.1.1.98 zhuzd_IP
name 10.1.1.171 zhouzd_IP
name 10.1.2.230 jackytest
name 10.1.2.2 eng-131 description ENG Repare Station PLT-A
name 10.1.1.243 jackyxu
name 10.1.1.76 zhanghj_pc
name 10.242.1.42 SEC_MP_Fileserver_2 description SEC MP Fileserver
name 10.242.1.46 SEC_MP_TS_2 description SEC MP Terminal Services
name 10.242.1.16 SEC_MP_CTRX_2 description SEC_MP_CTRX
name 10.242.103.0 CORP_VPN_VLAN_2
name 10.242.2.0 HOOP_VLAN_2
name 10.242.6.0 MEX_VLAN_2
name 10.242.3.0 MP_DHCP_VLAN_2
name 10.242.4.0 SWDT_VLAN_
name 10.242.1.26 SEC_Eng_Fileserver description SEC ENG Fileserver
name 10.242.1.54 SEC_SVN_server description SEC ENG SVN
name 10.242.1.29 SEC_Licensing_server description SEC Licensing Server
name 10.242.1.90 CvmWebTest
name 10.242.1.30 CvmWeb
name 10.242.1.28 newCvmWeb
dns-guard
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.1.1.3 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address xx.xx.xxx.26 255.255.255.248
!
interface Ethernet0/2
 nameif DMZ
 security-level 100
 ip address 10.1.2.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif guanli
 security-level 100
 ip address 192.168.50.1 255.255.255.0
 management-only
!
regex URL1 "\.taobao\.com"
regex URL2 "\.jd\.com"
regex URL3 "\.youku\.com"
regex URL4 "\.tudou\.com"
regex URL5 "\.letv\.com"
regex URL6 "\.tianya\.cn"
regex URL7 "\.vip\.com"
regex URL8 "\.58\.com"
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name test.com
same-security-traffic permit inter-interface
object-group network SEC_China_Allowed
 description SEC MP servers that SEC China is allowed to access
 network-object host SEC_MP_Fileserver_2
 network-object host SEC_MP_TS_2
 network-object host SEC_MP_CTRX_2
 network-object CORP_VPN_VLAN_2 255.255.255.0
 network-object HOOP_VLAN_2 255.255.255.0
 network-object MP_DHCP_VLAN_2 255.255.255.0
 network-object SWDT_VLAN_ 255.255.255.0
 network-object host SEC_Eng_Fileserver
 network-object host SEC_SVN_server
 network-object host SEC_Licensing_server
 network-object host CvmWebTest
 network-object host CvmWeb
 network-object host newCvmWeb
 network-object MEX_VLAN_2 255.255.254.0
object-group network SEC_MP_Accessible
 description Servers that can be accessed by SEC MP
 network-object host SEC_China_Fileserver
 network-object host SEC_China_SQL_SLUTIL
 network-object host Jacky
 network-object host vivian
 network-object host betty
 network-object host allen
 network-object host Ivring
 network-object host SEC_China_SL6server
 network-object host mytest_pc
 network-object host zhuzd_IP
 network-object host zhouzd_IP
object-group network deny_vpn_access_internet
 network-object host jackyxu
 network-object host zhanghj_pc
object-group network Url
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
object-group network taobaoip
 network-object host 140.205.153.54
 network-object host 140.205.32.93
 network-object host 101.227.160.102
 network-object host 104.16.25.190
 network-object host 140.205.170.63
 network-object host 58.216.17.240
 network-object host 58.216.17.140
 network-object host 140.205.96.1
 network-object host 58.216.17.250
 network-object host 140.205.243.65
 network-object host 42.156.180.26
 network-object host 222.186.49.250
 network-object host 222.186.49.240
 network-object host 61.155.221.253
 network-object host 140.205.115.99
 network-object host 122.225.34.250
 network-object host 140.205.248.253
 network-object host 58.215.145.28
 network-object host 58.220.1.110
 network-object host 61.155.221.240
 network-object host 58.220.27.121
 network-object host 140.205.16.112
 network-object host 140.205.243.66
 network-object host 106.11.14.99
 network-object host 110.75.96.109
 network-object host 211.150.65.35
 network-object host 101.226.76.164
 network-object host 222.186.49.177
 network-object host 180.97.168.252
 network-object host 140.205.174.90
 network-object host 140.205.153.72
 network-object host 140.205.164.47
 network-object host 216.58.221.36
 network-object host 222.186.49.225
 network-object host 180.97.168.254
 network-object host 106.11.15.99
 network-object host 140.205.250.55
 network-object host 140.205.16.113
 network-object host 140.205.170.87
 network-object host 180.96.11.177
access-list 101 extended permit icmp any any
access-list 101 extended permit ip any any
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list no-nat extended permit ip object-group SEC_MP_Accessible object-group SEC_China_Allowed
access-list no-nat extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list vpnsplit standard permit 10.1.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group SEC_MP_Accessible object-group SEC_China_Allowed
access-list 102 extended permit tcp object-group deny_vpn_access_internet any eq smtp
access-list 102 extended permit tcp object-group deny_vpn_access_internet any eq pop3
access-list 102 extended permit tcp object-group deny_vpn_access_internet any eq domain
access-list 102 extended permit tcp 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list 102 extended permit tcp 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 102 extended deny tcp object-group deny_vpn_access_internet any
access-list 102 extended permit tcp 10.1.2.32 255.255.255.224 any eq pop3
access-list 102 extended permit tcp 10.1.2.32 255.255.255.224 any eq smtp
access-list 102 extended permit tcp 10.1.2.32 255.255.255.224 any eq domain
access-list 102 extended deny tcp 10.1.2.32 255.255.255.224 any
access-list 102 extended permit ip any any
access-list 102 extended permit tcp any any eq smtp
access-list 102 extended permit tcp any any eq pop3
access-list 102 extended permit tcp any any eq domain
access-list 104 extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 104 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list 104 extended permit tcp any any eq pop3
access-list 104 extended permit tcp any any eq smtp
access-list 104 extended permit tcp any any eq domain
access-list 104 extended deny tcp object-group deny_vpn_access_internet any
access-list 104 extended deny tcp 10.1.2.0 255.255.255.128 any
access-list 104 extended deny ip 10.1.1.0 255.255.255.0 object-group taobaoip
access-list 104 extended permit ip any any
access-list rate_limit_1 extended permit ip any host 10.1.1.203
access-list rate_limit_1 extended permit ip host 10.1.1.203 any
access-list Url_filter extended permit tcp object-group Url any eq www
access-list s2sdst extended permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging monitor alerts
logging trap warnings
logging history informational
logging asdm informational
logging host inside 10.1.1.20
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
mtu guanli 1500
ip local pool vpn-pool 172.16.100.1-172.16.100.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 1 10.1.5.0 255.255.255.0
nat (inside) 1 10.1.6.0 255.255.255.0
nat (DMZ) 0 access-list no-nat
nat (DMZ) 1 10.1.2.0 255.255.255.0
static (inside,outside) tcp xx.xx.xxx.30 ftp SEC_China_Fileserver ftp netmask 255.255.255.255
access-group 104 in interface inside
access-group 101 in interface outside
access-group 104 in interface DMZ
route outside 0.0.0.0 0.0.0.0 xx.xx.xxx.25 1
route inside 10.1.5.0 255.255.255.0 10.1.1.5 1
route inside 10.1.6.0 255.255.255.0 10.1.1.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
http 192.168.50.0 255.255.255.0 guanli
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dymap 10 set transform-set vpnset
crypto dynamic-map dymap 10 set reverse-route
crypto map vpnmap 1 match address outside_1_cryptomap
crypto map vpnmap 1 set pfs group1
crypto map vpnmap 1 set peer xx.xx.xxx.33
crypto map vpnmap 1 set transform-set ESP-DES-SHA
crypto map vpnmap 10 ipsec-isakmp dynamic dymap
crypto map vpnmap 100 match address s2sdst
crypto map vpnmap 100 set peer xx.xx.xxx.186
crypto map vpnmap 100 set transform-set ESP-DES-SHA
crypto map vpnmap interface outside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
telnet 10.1.1.0 255.255.255.0 inside
telnet 10.1.2.0 255.255.255.0 DMZ
telnet 192.168.1.0 255.255.255.0 guanli
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 30
ssh version 1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy secchina internal
group-policy secchina attributes
 dns-server value 10.1.1.11 10.1.1.12
 vpn-idle-timeout 3600000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnsplit
username fraczekl password vVdYy3P7JcFB.4iZ encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted
username chinavpn password pKE03T4wKEjMO8L9 encrypted
username jacky password CFUG8xBf9yN39Z/W encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 20 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 20 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 20 retry 2
tunnel-group secchina type remote-access
tunnel-group secchina general-attributes
 address-pool vpn-pool
 default-group-policy secchina
tunnel-group secchina ipsec-attributes
 pre-shared-key *****
tunnel-group xx.xx.xxx.33 type ipsec-l2l
tunnel-group xx.xx.xxx.33 ipsec-attributes
 pre-shared-key *****
tunnel-group xx.xx.xxx.186 type ipsec-l2l
tunnel-group xx.xx.xxx.186 ipsec-attributes
 pre-shared-key *****
!
class-map rate
class-map rate_limit_1
 match access-list rate_limit_1
class-map Url_filter_class
 match access-list Url_filter
class-map inspection_default
 match default-inspection-traffic
class-map type regex match-any Url_class
 match regex URL1
 match regex URL2
 match regex URL3
 match regex URL5
 match regex URL6
 match regex URL4
 match regex URL7
 match regex URL8
class-map type inspect http match-all Http_url_class
 match request header host regex class Url_class
!
!
policy-map type inspect http Http_url_policy
 parameters
 class Http_url_class
  drop-connection log
policy-map Inside_http_url_policy
 class Url_filter_class
  inspect http Http_url_policy
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map rate_limit
 class rate_limit_1
  police input 409500 614000
  police output 409500 614000
!
service-policy global_policy global
service-policy Inside_http_url_policy interface inside
service-policy Inside_http_url_policy interface DMZ
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1128a553bde969d631bf602489907eeb
: end
ASA5510#
SiteB

ASA Version 8.2(2)
!
hostname dst
domain-name dst.com
enable password mgXqoEJSeX2UwbDs encrypted
passwd Opm7nsaBn/dtpNva encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xx.xx.xxx.186 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name dst.com
access-list icmp extended permit icmp any any
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-list 102 extended permit icmp any any
access-list 102 extended permit ip any any
access-list no-nat extended permit ip 192.168.0.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list no-nat extended permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpnsplit standard permit 192.168.0.0 255.255.255.0
access-list s2sdst extended permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn-pool 172.16.100.1-172.16.100.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 102 in interface outside
access-group 101 in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xxx.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dymap 10 set transform-set vpnset
crypto dynamic-map dymap 10 set reverse-route
crypto map vpnmap 10 ipsec-isakmp dynamic dymap
crypto map vpnmap 100 match address s2sdst
crypto map vpnmap 100 set peer xx.xx.xxx.26
crypto map vpnmap 100 set transform-set ESP-DES-SHA
crypto map vpnmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 30
ssh version 1
console timeout 0
vpdn group secadsl request dialout pppoe
vpdn group secadsl localname 051202188025
vpdn group secadsl ppp authentication pap
vpdn username 051202188025 password *****
dhcpd dns 192.168.0.2 221.6.4.66
!
dhcpd address 192.168.0.100-192.168.0.199 inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy secdst internal
group-policy secdst attributes
 vpn-idle-timeout 3600000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnsplit
username dstvpn password qOJicFdBm4JeSm01 encrypted
username clarkep password RKBIAk9trwpvrKNw encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 20 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 20 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 20 retry 2
tunnel-group secdst type remote-access
tunnel-group secdst general-attributes
 address-pool vpn-pool
 default-group-policy secdst
tunnel-group secdst ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 20 retry 2
tunnel-group xx.xx.xxx.26 type ipsec-l2l
tunnel-group xx.xx.xxx.26 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:885511e0dce0a0f9b11c4bc98729ba7c
: end
--------------------------------------------------------------
SiteA debug

May 22 00:00:13 [IKEv1]: IP = xx.xx.xxx.186, Connection landed on tunnel_group xx.xx.xxx.186
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Generating keys for Responder...
May 22 00:00:13 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
May 22 00:00:13 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing ID payload
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing hash payload
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Computing hash for ISAKMP
May 22 00:00:13 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Processing IOS keep alive payload: proposal=32767/32767 sec.
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing VID payload
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Received DPD VID
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
May 22 00:00:13 [IKEv1]: IP = xx.xx.xxx.186, Connection landed on tunnel_group xx.xx.xxx.186
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing ID payload
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing hash payload
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Computing hash for ISAKMP
May 22 00:00:13 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Constructing IOS keep alive payload: proposal=32767/32767 sec.
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing dpd vid payload
May 22 00:00:13 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, PHASE 1 COMPLETED
May 22 00:00:13 [IKEv1]: IP = xx.xx.xxx.186, Keep-alive type for this connection: DPD
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Starting P1 rekey timer: 73440 seconds.
May 22 00:00:13 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE RECEIVED Message (msgid=1128b176) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 196
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing hash payload
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing SA payload
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing nonce payload
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing ID payload
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.0.0, Mask 255.255.255.0, Protocol 0, Port 0
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing ID payload
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Received local IP Proxy Subnet data in ID Payload: Address 10.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing notify payload
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, QM IsRekeyed old sa not found by addr
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Static Crypto Map check, checking map = vpnmap, seq = 1...
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Static Crypto Map check, map = vpnmap, seq = 1, ACL does not match proxy IDs src:192.168.0.0 dst:10.1.1.0
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, IKE Remote Peer configured for crypto map: dymap
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing IPSec SA payload
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, All IPSec SA proposals found unacceptable!
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, sending notify message
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing blank hash payload
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing ipsec notify payload for msg id 1128b176
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing qm hash payload
May 22 00:00:13 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE SENDING Message (msgid=cb6f4522) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, QM FSM error (P2 struct &0xad8078a0, mess id 0x1128b176)!
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, IKE QM Responder FSM error history (struct &0xad8078a0) , : QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, sending delete/delete with reason message
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Removing peer from correlator table failed, no match!
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Deleting static route for L2L peer that came in on a dynamic map. address: 192.168.0.0, mask: 255.255.255.0
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, IKE SA MM:39c7bdee rcv'd Terminate: state MM_ACTIVE flags 0x0001c042, refcnt 1, tuncnt 0
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, IKE SA MM:39c7bdee terminating: flags 0x0101c002, refcnt 0, tuncnt 0
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, sending delete/delete with reason message
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing blank hash payload
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing IKE delete payload
May 22 00:00:13 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing qm hash payload
May 22 00:00:13 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE SENDING Message (msgid=132d892a) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
May 22 00:00:13 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Session is being torn down. Reason: Phase 2 Mismatch
May 22 00:00:13 [IKEv1]: Ignoring msg to mark SA with dsID 205643776 dead because SA deleted
May 22 00:00:13 [IKEv1]: IP = xx.xx.xxx.186, Received encrypted packet with no matching SA, dropping
May 22 00:00:14 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, IKE Initiator: New Phase 1, Intf inside, IKE Peer xx.xx.xxx.186 local Proxy Address 10.1.1.0, remote Proxy Address 192.168.0.0, Crypto map (vpnmap)
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing ISAKMP SA payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing NAT-Traversal VID ver 02 payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing NAT-Traversal VID ver 03 payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing NAT-Traversal VID ver RFC payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing Fragmentation VID + extended capabilities payload
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 204
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing SA payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Oakley proposal is acceptable
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing VID payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Received NAT-Traversal ver 02 VID
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing VID payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Received Fragmentation VID
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing ke payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing nonce payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing Cisco Unity VID payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing xauth V6 VID payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Send IOS VID
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing VID payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing NAT-Discovery payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, computing NAT Discovery hash
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing NAT-Discovery payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, computing NAT Discovery hash
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing ke payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing ISA_KE payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing nonce payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing VID payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Received Cisco Unity client VID
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing VID payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Received xauth V6 VID
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing VID payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing VID payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing NAT-Discovery payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, computing NAT Discovery hash
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing NAT-Discovery payload
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, computing NAT Discovery hash
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, Connection landed on tunnel_group xx.xx.xxx.186
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Generating keys for Initiator...
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing ID payload
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing hash payload
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Computing hash for ISAKMP
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Constructing IOS keep alive payload: proposal=32767/32767 sec.
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing dpd vid payload
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
May 22 00:00:14 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing ID payload
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing hash payload
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Computing hash for ISAKMP
May 22 00:00:14 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Processing IOS keep alive payload: proposal=32767/32767 sec.
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing VID payload
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Received DPD VID
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, Connection landed on tunnel_group xx.xx.xxx.186
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Oakley begin quick mode
May 22 00:00:14 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, PHASE 1 COMPLETED
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, Keep-alive type for this connection: DPD
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Starting P1 rekey timer: 73440 seconds.
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, IKE got SPI from key engine: SPI = 0xa63e8880
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, oakley constucting quick mode
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing blank hash payload
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing IPSec SA payload
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing IPSec nonce payload
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing proxy ID
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Transmitting Proxy Id: Local subnet: 10.1.1.0 mask 255.255.255.0 Protocol 0 Port 0 Remote subnet: 192.168.0.0 Mask 255.255.255.0 Protocol 0 Port 0
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing qm hash payload
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE SENDING Message (msgid=e202d6e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE RECEIVED Message (msgid=5a443e5f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing hash payload
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing notify payload
May 22 00:00:14 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Received non-routine Notify message: No proposal chosen (14)
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE RECEIVED Message (msgid=33a7bff1) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing hash payload
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, processing delete
May 22 00:00:14 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Connection terminated for peer xx.xx.xxx.186. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, sending delete/delete with reason message
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing blank hash payload
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing IPSec delete payload
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, constructing qm hash payload
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE SENDING Message (msgid=abb6c8c2) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 64
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, IKE Deleting SA: Remote Proxy 192.168.0.0, Local Proxy 10.1.1.0
May 22 00:00:14 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Removing peer from correlator table failed, no match!
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, IKE SA MM:efeb7782 terminating: flags 0x0100c822, refcnt 0, tuncnt 0
May 22 00:00:14 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Session is being torn down.
Reason: User RequestedMay 22 00:00:14 [IKEv1]: Ignoring msg to mark SA with dsID 205647872 dead because SA deletedMay 22 00:00:14 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xa63e8880May 22 00:00:17 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0May 22 00:00:17 [IKEv1]: IP = xx.xx.xxx.186, IKE Initiator: New Phase 1, Intf inside, IKE Peer xx.xx.xxx.186 local Proxy Address 10.1.1.0, remote Proxy Address 192.168.0.0, Crypto map (vpnmap)May 22 00:00:17 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing ISAKMP SA payloadMay 22 00:00:17 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing NAT-Traversal VID ver 02 payloadMay 22 00:00:17 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing NAT-Traversal VID ver 03 payloadMay 22 00:00:17 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing NAT-Traversal VID ver RFC payloadMay 22 00:00:17 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, constructing Fragmentation VID + extended capabilities payloadMay 22 00:00:17 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 204May 22 00:00:17 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128May 22 00:00:17 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, processing SA payloadMay 22 00:00:17 [IKEv1 DEBUG]: IP = xx.xx.xxx.186, Oakley proposal is acceptable
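The debug above shows the pattern of a phase 2 (quick mode) rejection: PHASE 1 COMPLETED, this ASA transmits proxy IDs 10.1.1.0/24 to 192.168.0.0/24, and the peer immediately answers with the notify "No proposal chosen (14)" and a DELETE. In IKEv1 quick mode that notify means the responder found no IPsec proposal it could match against ours, which in practice is a crypto ACL that is not the exact mirror of this side's, or a transform set / PFS mismatch. The following is an added Python example (not code from the original post and not a Cisco tool) that walks such debug output, confirms phase 1 completed, extracts the proxy IDs this side proposed and the peer's notify, and prints the crypto ACL entry the peer would need to mirror them. The embedded log lines are a trimmed copy of the post's own output with the peer address left masked as the post shows it; the ACL name `vpnacl` is an assumption.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a trimmed copy of the IKEv1 debug lines from the post above.
# The peer address is left masked as "xx.xx.xxx.186", exactly as the post shows it.
SAMPLE_LOG = """\
May 22 00:00:14 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, PHASE 1 COMPLETED
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, oakley constucting quick mode
May 22 00:00:14 [IKEv1 DEBUG]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Transmitting Proxy Id: Local subnet: 10.1.1.0 mask 255.255.255.0 Protocol 0 Port 0 Remote subnet: 192.168.0.0 Mask 255.255.255.0 Protocol 0 Port 0
May 22 00:00:14 [IKEv1]: IP = xx.xx.xxx.186, IKE_DECODE RECEIVED Message (msgid=5a443e5f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
May 22 00:00:14 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Received non-routine Notify message: No proposal chosen (14)
May 22 00:00:14 [IKEv1]: Group = xx.xx.xxx.186, IP = xx.xx.xxx.186, Connection terminated for peer xx.xx.xxx.186. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
"""

PEER_RE = re.compile(r"\bIP = (\S+),")
PHASE1_RE = re.compile(r"PHASE 1 COMPLETED")
PROXY_RE = re.compile(
    r"Transmitting Proxy Id:\s*Local subnet:\s*(\S+)\s+mask\s+(\S+).*?"
    r"Remote subnet:\s*(\S+)\s+mask\s+(\S+)",
    re.IGNORECASE,
)
NOTIFY_RE = re.compile(r"Received non-routine Notify message: (.+?) \((\d+)\)")

NO_PROPOSAL_CHOSEN = 14  # ISAKMP notify type (RFC 2408)


@dataclass
class Phase2Finding:
    peer: Optional[str] = None
    phase1_complete: bool = False
    local_net: Optional[str] = None   # what this ASA proposed as its own side, CIDR
    remote_net: Optional[str] = None  # what this ASA proposed as the peer side, CIDR
    notify: Optional[str] = None
    notify_code: Optional[int] = None
    diagnosis: str = ""


def _cidr(addr: str, mask: str) -> str:
    # strict=False tolerates host bits; the debug prints network/mask pairs
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def analyze(log: str) -> Phase2Finding:
    """Walk 'debug crypto isakmp'-style output and explain a phase 2 failure."""
    f = Phase2Finding()
    for line in log.splitlines():
        m = PEER_RE.search(line)
        if m and f.peer is None:
            f.peer = m.group(1)
        if PHASE1_RE.search(line):
            f.phase1_complete = True
        m = PROXY_RE.search(line)
        if m:
            f.local_net = _cidr(m.group(1), m.group(2))
            f.remote_net = _cidr(m.group(3), m.group(4))
        m = NOTIFY_RE.search(line)
        if m:
            f.notify, f.notify_code = m.group(1), int(m.group(2))

    if not f.phase1_complete:
        f.diagnosis = ("Phase 1 never completed: check IKE policy, pre-shared key "
                       "and reachability before looking at the crypto ACL.")
    elif f.notify_code == NO_PROPOSAL_CHOSEN and f.local_net and f.remote_net:
        f.diagnosis = (f"Peer {f.peer} answered quick mode with NO_PROPOSAL_CHOSEN after we proposed "
                       f"{f.local_net} <-> {f.remote_net}. The peer has no IPsec proposal matching "
                       f"that: its crypto ACL must be the exact mirror ({f.remote_net} -> {f.local_net}) "
                       f"and its transform set / PFS setting must match ours.")
    elif f.notify_code is not None:
        f.diagnosis = f"Phase 2 failed with notify '{f.notify}' ({f.notify_code})."
    else:
        f.diagnosis = "No phase 2 failure notify found in this log."
    return f


def mirrored_acl(acl_name: str, finding: Phase2Finding) -> str:
    """ASA crypto ACL line the peer must carry to mirror what this side proposed."""
    peer_side = ipaddress.ip_network(finding.remote_net)
    our_side = ipaddress.ip_network(finding.local_net)
    return (f"access-list {acl_name} extended permit ip "
            f"{peer_side.network_address} {peer_side.netmask} "
            f"{our_side.network_address} {our_side.netmask}")


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(result.diagnosis)
    print("peer-side crypto ACL should contain:", mirrored_acl("vpnacl", result))
```

Run it against a full `debug crypto isakmp` capture from the initiating ASA; the proxy ID line is the one to compare, entry for entry, with the crypto ACL on the other side, since the peer only has to invert source and destination for the two subnets to match.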