This post is what a SUCCESSFUL debug output looks like during a site to site VPN connection on a Cisco ASA.
INITIATOR:
! Begin state: MM_WAIT_MSG1 (initialize connection) May 23 2010 13:15:25: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0 May 23 2010 13:15:25: %ASA-5-713041: IP = 22.22.22.22, IKE Initiator: New Phase 1, Intf INSIDE, IKE Peer 22.22.22.22 local Proxy Address 172.16.200.0, remote Proxy Address 192.168.1.0, Crypto map (MAP-VPN) May 23 2010 13:15:25: %ASA-7-715046: IP = 22.22.22.22, constructing ISAKMP SA payload May 23 2010 13:15:25: %ASA-7-715046: IP = 22.22.22.22, constructing NAT-Traversal VID ver 02 payload May 23 2010 13:15:25: %ASA-7-715046: IP = 22.22.22.22, constructing NAT-Traversal VID ver 03 payload May 23 2010 13:15:25: %ASA-7-715046: IP = 22.22.22.22, constructing NAT-Traversal VID ver RFC payload May 23 2010 13:15:25: %ASA-7-715046: IP = 22.22.22.22, constructing Fragmentation VID + extended capabilities payload ! Begin state: MM_WAIT_MSG2 (send hash/encrypt/dh info and agree upon them) May 23 2010 13:15:25: %ASA-7-713236: IP = 22.22.22.22, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172 May 23 2010 13:15:25: %ASA-7-713236: IP = 22.22.22.22, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 88 May 23 2010 13:15:25: %ASA-7-715047: IP = 22.22.22.22, processing SA payload May 23 2010 13:15:25: %ASA-7-713906: IP = 22.22.22.22, Oakley proposal is acceptable May 23 2010 13:15:25: %ASA-7-715046: IP = 22.22.22.22, constructing ke payload May 23 2010 13:15:25: %ASA-7-715046: IP = 22.22.22.22, constructing nonce payload May 23 2010 13:15:25: %ASA-7-715046: IP = 22.22.22.22, constructing Cisco Unity VID payload May 23 2010 13:15:25: %ASA-7-715046: IP = 22.22.22.22, constructing xauth V6 VID payload ! Begin state: MM_WAIT_MSG3 (find compatible vendors) May 23 2010 13:15:25: %ASA-7-715048: IP = 22.22.22.22, Send IOS VID May 23 2010 13:15:25: %ASA-7-715038: IP = 22.22.22.22, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001) May 23 2010 13:15:25: %ASA-7-715046: IP = 22.22.22.22, constructing VID payload May 23 2010 13:15:25: %ASA-7-715048: IP = 22.22.22.22, Send Altiga/Cisco VPN3000/Cisco ASA GW VID May 23 2010 13:15:25: %ASA-7-713236: IP = 22.22.22.22, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256 May 23 2010 13:15:26: %ASA-7-713236: IP = 22.22.22.22, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256 May 23 2010 13:15:26: %ASA-7-715047: IP = 22.22.22.22, processing ke payload May 23 2010 13:15:26: %ASA-7-715047: IP = 22.22.22.22, processing ISA_KE payload May 23 2010 13:15:26: %ASA-7-715047: IP = 22.22.22.22, processing nonce payload May 23 2010 13:15:26: %ASA-7-715047: IP = 22.22.22.22, processing VID payload May 23 2010 13:15:26: %ASA-7-715049: IP = 22.22.22.22, Received xauth V6 VID May 23 2010 13:15:26: %ASA-7-715047: IP = 22.22.22.22, processing VID payload May 23 2010 13:15:26: %ASA-7-715049: IP = 22.22.22.22, Received DPD VID May 23 2010 13:15:26: %ASA-7-715047: IP = 22.22.22.22, processing VID payload May 23 2010 13:15:26: %ASA-7-715049: IP = 22.22.22.22, Received Cisco Unity client VID May 23 2010 13:15:26: %ASA-7-715047: IP = 22.22.22.22, processing VID payload May 23 2010 13:15:26: %ASA-7-715038: IP = 22.22.22.22, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000025) ! Begin state: MM_WAIT_MSG4 (exchanges PSK’s) May 23 2010 13:15:26: %ASA-7-713906: IP = 22.22.22.22, Connection landed on tunnel_group 22.22.22.22 May 23 2010 13:15:26: %ASA-7-713906: Group = 22.22.22.22, IP = 22.22.22.22, Generating keys for Initiator… May 23 2010 13:15:26: %ASA-7-715046: Group = 22.22.22.22, IP = 22.22.22.22, constructing ID payload May 23 2010 13:15:26: %ASA-7-715046: Group = 22.22.22.22, IP = 22.22.22.22, constructing hash payload May 23 2010 13:15:26: %ASA-7-715076: Group = 22.22.22.22, IP = 22.22.22.22, Computing hash for ISAKMP May 23 2010 13:15:26: %ASA-7-715034: IP = 22.22.22.22, Constructing IOS keep alive payload: proposal=32767/32767 sec. May 23 2010 13:15:26: %ASA-7-715046: Group = 22.22.22.22, IP = 22.22.22.22, constructing dpd vid payload May 23 2010 13:15:26: %ASA-7-713236: IP = 22.22.22.22, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96 May 23 2010 13:15:26: %ASA-7-713236: IP = 22.22.22.22, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 84 May 23 2010 13:15:26: %ASA-7-715047: Group = 22.22.22.22, IP = 22.22.22.22, processing ID payload May 23 2010 13:15:26: %ASA-7-713906: Group = 22.22.22.22, IP = 22.22.22.22, ID_FQDN ID received, len 24 ! Begin state: MM_WAIT_MSG5 (checks that both hashs for the PSK match) May 23 2010 13:15:26: %ASA-7-715047: Group = 22.22.22.22, IP = 22.22.22.22, processing hash payload May 23 2010 13:15:26: %ASA-7-715076: Group = 22.22.22.22, IP = 22.22.22.22, Computing hash for ISAKMP May 23 2010 13:15:26: %ASA-7-713906: IP = 22.22.22.22, Connection landed on tunnel_group 22.22.22.22 May 23 2010 13:15:26: %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 22.22.22.22 May 23 2010 13:15:26: %ASA-7-713906: Group = 22.22.22.22, IP = 22.22.22.22, Oakley begin quick mode ! Begin state: MM_WAIT_MSG6 May 23 2010 13:15:26: %ASA-7-714002: Group = 22.22.22.22, IP = 22.22.22.22, IKE Initiator starting QM: msg id = 6abd3691 May 23 2010 13:15:26: %ASA-5-713119: Group = 22.22.22.22, IP = 22.22.22.22, PHASE 1 COMPLETED May 23 2010 13:15:26: %ASA-7-713121: IP = 22.22.22.22, Keep-alive type for this connection: DPD May 23 2010 13:15:26: %ASA-7-715080: Group = 22.22.22.22, IP = 22.22.22.22, Starting P1 rekey timer: 82080 seconds. !^^^^ PHASE 2 BEGINS ^^^^! May 23 2010 13:15:26: %ASA-7-713236: IP = 22.22.22.22, IKE_DECODE RECEIVED Message (msgid=c99e184c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80 May 23 2010 13:15:26: %ASA-7-715047: Group = 22.22.22.22, IP = 22.22.22.22, processing hash payload May 23 2010 13:15:26: %ASA-7-715047: Group = 22.22.22.22, IP = 22.22.22.22, processing notify payload May 23 2010 13:15:26: %ASA-7-715006: Group = 22.22.22.22, IP = 22.22.22.22, IKE got SPI from key engine: SPI = 0x850a79e0 May 23 2010 13:15:26: %ASA-7-713906: Group = 22.22.22.22, IP = 22.22.22.22, oakley constucting quick mode May 23 2010 13:15:26: %ASA-7-715046: Group = 22.22.22.22, IP = 22.22.22.22, constructing blank hash payload May 23 2010 13:15:26: %ASA-7-715046: Group = 22.22.22.22, IP = 22.22.22.22, constructing IPSec SA payload May 23 2010 13:15:26: %ASA-7-715046: Group = 22.22.22.22, IP = 22.22.22.22, constructing IPSec nonce payload May 23 2010 13:15:26: %ASA-7-715001: Group = 22.22.22.22, IP = 22.22.22.22, constructing proxy ID May 23 2010 13:15:26: %ASA-7-713906: Group = 22.22.22.22, IP = 22.22.22.22, Transmitting Proxy Id: Local subnet: 172.16.200.0 mask 255.255.255.0 Protocol 0 Port 0 Remote subnet: 192.168.1.0 Mask 255.255.255.0 Protocol 0 Port 0 May 23 2010 13:15:26: %ASA-7-714007: Group = 22.22.22.22, IP = 22.22.22.22, IKE Initiator sending Initial Contact May 23 2010 13:15:26: %ASA-7-715046: Group = 22.22.22.22, IP = 22.22.22.22, constructing qm hash payload May 23 2010 13:15:26: %ASA-7-714004: Group = 22.22.22.22, IP = 22.22.22.22, IKE Initiator sending 1st QM pkt: msg id = 6abd3691 May 23 2010 13:15:26: %ASA-7-713236: IP = 22.22.22.22, IKE_DECODE SENDING Message (msgid=6abd3691) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200 May 23 2010 13:15:26: %ASA-7-713236: IP = 22.22.22.22, IKE_DECODE RECEIVED Message (msgid=6abd3691) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172 May 23 2010 13:15:26: %ASA-7-715047: Group = 22.22.22.22, IP = 22.22.22.22, processing hash payload May 23 2010 13:15:26: %ASA-7-715047: Group = 22.22.22.22, IP = 22.22.22.22, processing SA payload May 23 2010 13:15:26: %ASA-7-715047: Group = 22.22.22.22, IP = 22.22.22.22, processing nonce payload May 23 2010 13:15:26: %ASA-7-715047: Group = 22.22.22.22, IP = 22.22.22.22, processing ID payload May 23 2010 13:15:26: %ASA-7-714011: Group = 22.22.22.22, IP = 22.22.22.22, ID_IPV4_ADDR_SUBNET ID received–172.16.200.0–255.255.255.0 May 23 2010 13:15:26: %ASA-7-715047: Group = 22.22.22.22, IP = 22.22.22.22, processing ID payload May 23 2010 13:15:26: %ASA-7-714011: Group = 22.22.22.22, IP = 22.22.22.22, ID_IPV4_ADDR_SUBNET ID received–192.168.1.0–255.255.255.0 May 23 2010 13:15:26: %ASA-7-713906: Group = 22.22.22.22, IP = 22.22.22.22, loading all IPSEC SAs May 23 2010 13:15:26: %ASA-7-715001: Group = 22.22.22.22, IP = 22.22.22.22, Generating Quick Mode Key! May 23 2010 13:15:26: %ASA-7-715001: Group = 22.22.22.22, IP = 22.22.22.22, Generating Quick Mode Key! May 23 2010 13:15:26: %ASA-5-713049: Group = 22.22.22.22, IP = 22.22.22.22, Security negotiation complete for LAN-to-LAN Group (22.22.22.22) Initiator, Inbound SPI = 0x850a79e0, Outbound SPI = 0x2cc7158d May 23 2010 13:15:26: %ASA-7-713906: Group = 22.22.22.22, IP = 22.22.22.22, oakley constructing final quick mode May 23 2010 13:15:26: %ASA-7-714006: Group = 22.22.22.22, IP = 22.22.22.22, IKE Initiator sending 3rd QM pkt: msg id = 6abd3691 May 23 2010 13:15:26: %ASA-7-713236: IP = 22.22.22.22, IKE_DECODE SENDING Message (msgid=6abd3691) with payloads : HDR + HASH (8) + NONE (0) total length : 76 May 23 2010 13:15:26: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x2CC7158D) between 24.251.95.213 and 22.22.22.22 (user= 22.22.22.22) has been created. May 23 2010 13:15:26: %ASA-7-715007: Group = 22.22.22.22, IP = 22.22.22.22, IKE got a KEY_ADD msg for SA: SPI = 0x2cc7158d May 23 2010 13:15:26: %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x850A79E0) between 24.251.95.213 and 22.22.22.22 (user= 22.22.22.22) has been created. May 23 2010 13:15:26: %ASA-7-715077: Group = 22.22.22.22, IP = 22.22.22.22, Pitcher: received KEY_UPDATE, spi 0x850a79e0 May 23 2010 13:15:26: %ASA-7-715080: Group = 22.22.22.22, IP = 22.22.22.22, Starting P2 rekey timer: 24480 seconds. May 23 2010 13:15:26: %ASA-5-713120: Group = 22.22.22.22, IP = 22.22.22.22, PHASE 2 COMPLETED (msgid=6abd3691)
Comments