IPSEC Cisco & Trendnet | 06.01.2013, 13:05 | Views: 5824 | Replies: 11
Hello.
Please help me get a Cisco881 and a Trendnet tw100-bvr304 talking over an IPSEC tunnel. I can't figure out where I went wrong.

Cisco, sh run:
Building configuration...

Current configuration : 2186 bytes
!
! Last configuration change at 07:56:06 UTC Sun Jan 6 2013
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco881
!
boot-start-marker
boot-end-marker
!
enable secret
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
ip source-route
!
ip cef
ip domain name electro-arsenal.local
no ipv6 cef
!
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 l2tp tunnel timeout no-session 15
!
license udi pid CISCO881-PCI-K9 sn FCZ1635C1XP
license boot module c880-data level advsecurity
!
username admin privilege 15 password 7
username pavel password 7
!
ip ssh version 2
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key password address XX.XXX.XX.166
!
crypto ipsec transform-set IPSECSET esp-3des esp-md5-hmac
!
crypto map TEST 1 ipsec-isakmp
 set peer XX.XXX.XX.166
 set security-association lifetime seconds 1800
 set transform-set IPSECSET
 match address 100
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address YY.YY.YYY.122 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map TEST
!
interface Virtual-Template1
 ip unnumbered Vlan1
 peer default ip address pool pptp
 no keepalive
 ppp encrypt mppe auto
 ppp authentication ms-chap-v2
!
interface Vlan1
 ip address 192.168.0.222 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip local pool pptp 192.168.0.223 192.168.0.254
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list NAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 46.39.236.121
!
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.0.255 any
!
logging esm config
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login local
 transport input ssh
!
end

sh crypto isakmp sa:
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
YY.YY.YYY.122   XX.XXX.XX.166   QM_IDLE           2042 ACTIVE
YY.YY.YYY.122   XX.XXX.XX.166   MM_NO_STATE       2041 ACTIVE (deleted)
YY.YY.YYY.122   XX.XXX.XX.166   MM_NO_STATE       2040 ACTIVE (deleted)
YY.YY.YYY.122   XX.XXX.XX.166   MM_NO_STATE       2039 ACTIVE (deleted)
YY.YY.YYY.122   XX.XXX.XX.166   MM_NO_STATE       2036 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

show crypto ipsec sa:
interface: FastEthernet4
    Crypto map tag: TEST, local addr YY.YY.YYY.122

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   current_peer 91.235.66.166 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 598, #pkts decrypt: 598, #pkts verify: 598
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: YY.YY.YYY.122, remote crypto endpt.: XX.XXX.XX.166
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x44B68B08(1152813832)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 9, flow_id: Onboard VPN:9, sibling_flags 80000046, crypto map: TEST
        sa timing: remaining key lifetime (k/sec): (4463395/1778)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8451655C(2219926876)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 10, flow_id: Onboard VPN:10, sibling_flags 80000046, crypto map: TEST
        sa timing: remaining key lifetime (k/sec): (4463397/1778)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

show crypto isakmp policy:
Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

show crypto map:
Crypto Map "TEST" 1 ipsec-isakmp
        Peer = XX.XXX.XX.166
        Extended IP access list 100
            access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
        Current peer: XX.XXX.XX.166
        Security association lifetime: 4608000 kilobytes/1800 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                IPSECSET:  { esp-3des esp-md5-hmac  } ,
        }
        Interfaces using crypto map TEST:
                FastEthernet4

debug:
*Jan 6 08:57:35.891: ISAKMP (0): received packet from XX.XXX.XX.166 dport 500 sport 500 Global (N) NEW SA
*Jan 6 08:57:35.891: ISAKMP: Found a peer struct for XX.XXX.XX.166, peer port 500
*Jan 6 08:57:35.891: ISAKMP: Locking peer struct 0x86BC0564, refcount 1 for crypto_isakmp_process_block
*Jan 6 08:57:35.891: ISAKMP: local port 500, remote port 500
*Jan 6 08:57:35.891: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 86B4A4A8
*Jan 6 08:57:35.891: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 6 08:57:35.891: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Jan 6 08:57:35.891: ISAKMP:(0): processing SA payload. message ID = 0
*Jan 6 08:57:35.891: ISAKMP:(0): processing vendor id payload
*Jan 6 08:57:35.891: ISAKMP:(0): vendor ID is DPD
*Jan 6 08:57:35.891: ISAKMP:(0):found peer pre-shared key matching XX.XXX.XX.166
*Jan 6 08:57:35.891: ISAKMP:(0): local preshared key found
*Jan 6 08:57:35.891: ISAKMP : Scanning profiles for xauth ...
*Jan 6 08:57:35.891: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jan 6 08:57:35.891: ISAKMP:      default group 1
*Jan 6 08:57:35.891: ISAKMP:      auth pre-share
*Jan 6 08:57:35.891: ISAKMP:      encryption 3DES-CBC
*Jan 6 08:57:35.891: ISAKMP:      hash MD5
*Jan 6 08:57:35.891: ISAKMP:      life type in seconds
*Jan 6 08:57:35.891: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Jan 6 08:57:35.891: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jan 6 08:57:35.891: ISAKMP:(0):Acceptable atts:actual life: 0
*Jan 6 08:57:35.891: ISAKMP:(0):Acceptable atts:life: 0
*Jan 6 08:57:35.891: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jan 6 08:57:35.891: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Jan 6 08:57:35.891: ISAKMP:(0):Returning Actual lifetime: 86400
*Jan 6 08:57:35.891: ISAKMP:(0)::Started lifetime timer: 86400.
*Jan 6 08:57:35.891: ISAKMP:(0): processing vendor id payload
*Jan 6 08:57:35.891: ISAKMP:(0): vendor ID is DPD
*Jan 6 08:57:35.891: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 6 08:57:35.891: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Jan 6 08:57:35.895: ISAKMP:(0): sending packet to XX.XXX.XX.166 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Jan 6 08:57:35.895: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 6 08:57:35.895: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 6 08:57:35.895: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Jan 6 08:57:36.103: ISAKMP (0): received packet from XX.XXX.XX.166 dport 500 sport 500 Global (R) MM_SA_SETUP
*Jan 6 08:57:36.103: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 6 08:57:36.103: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Jan 6 08:57:36.103: ISAKMP:(0): processing KE payload. message ID = 0
*Jan 6 08:57:36.103: crypto_engine: Create DH shared secret
*Jan 6 08:57:36.123: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jan 6 08:57:36.123: ISAKMP:(0):found peer pre-shared key matching XX.XXX.XX.166
*Jan 6 08:57:36.123: crypto_engine: Create IKE SA
*Jan 6 08:57:36.123: crypto engine: deleting DH phase 2 SW:13
*Jan 6 08:57:36.123: crypto_engine: Delete DH shared secret
*Jan 6 08:57:36.123: ISAKMP:(2153):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 6 08:57:36.123: ISAKMP:(2153):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Jan 6 08:57:36.123: ISAKMP:(2153): sending packet to XX.XXX.XX.166 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jan 6 08:57:36.123: ISAKMP:(2153):Sending an IKE IPv4 Packet.
*Jan 6 08:57:36.123: ISAKMP:(2153):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 6 08:57:36.123: ISAKMP:(2153):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Jan 6 08:57:36.355: ISAKMP (2153): received packet from XX.XXX.XX.166 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jan 6 08:57:36.355: crypto_engine: Decrypt IKE packet
*Jan 6 08:57:36.355: ISAKMP:(2153):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 6 08:57:36.355: ISAKMP:(2153):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Jan 6 08:57:36.355: ISAKMP:(2153): processing ID payload. message ID = 0
*Jan 6 08:57:36.355: ISAKMP (2153): ID payload
        next-payload : 8
        type         : 1
        address      : XX.XXX.XX.166
        protocol     : 0
        port         : 0
        length       : 12
*Jan 6 08:57:36.355: ISAKMP:(0):: peer matches *none* of the profiles
*Jan 6 08:57:36.355: ISAKMP:(2153): processing HASH payload. message ID = 0
*Jan 6 08:57:36.355: crypto_engine: Generate IKE hash
*Jan 6 08:57:36.355: ISAKMP:(2153):SA authentication status: authenticated
*Jan 6 08:57:36.359: ISAKMP:(2153):SA has been authenticated with XX.XXX.XX.166
*Jan 6 08:57:36.359: ISAKMP:(2153):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 6 08:57:36.359: ISAKMP:(2153):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Jan 6 08:57:36.359: ISAKMP:(2153):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jan 6 08:57:36.359: ISAKMP (2153): ID payload
        next-payload : 8
        type         : 1
        address      : YY.YY.YYY.122
        protocol     : 17
        port         : 500
        length       : 12
*Jan 6 08:57:36.359: ISAKMP:(2153):Total payload length: 12
*Jan 6 08:57:36.359: crypto_engine: Generate IKE hash
*Jan 6 08:57:36.359: crypto_engine: Encrypt IKE packet
*Jan 6 08:57:36.359: ISAKMP:(2153): sending packet to XX.XXX.XX.166 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jan 6 08:57:36.359: ISAKMP:(2153):Sending an IKE IPv4 Packet.
*Jan 6 08:57:36.359: ISAKMP:(2153):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 6 08:57:36.359: ISAKMP:(2153):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Jan 6 08:57:36.359: ISAKMP:(2153):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jan 6 08:57:36.359: ISAKMP:(2153):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jan 6 08:57:36.371: ISAKMP (2153): received packet from XX.XXX.XX.166 dport 500 sport 500 Global (R) QM_IDLE
*Jan 6 08:57:36.371: ISAKMP: set new node -117746533 to QM_IDLE
*Jan 6 08:57:36.371: crypto_engine: Decrypt IKE packet
*Jan 6 08:57:36.371: crypto_engine: Generate IKE hash
*Jan 6 08:57:36.371: ISAKMP:(2153): processing HASH payload. message ID = -117746533
*Jan 6 08:57:36.371: ISAKMP:(2153): processing SA payload. message ID = -117746533
*Jan 6 08:57:36.371: ISAKMP:(2153):Checking IPSec proposal 1
*Jan 6 08:57:36.371: ISAKMP: transform 1, ESP_3DES
*Jan 6 08:57:36.371: ISAKMP:   attributes in transform:
*Jan 6 08:57:36.371: ISAKMP:      authenticator is HMAC-MD5
*Jan 6 08:57:36.371: ISAKMP:      encaps is 1 (Tunnel)
*Jan 6 08:57:36.371: ISAKMP:      SA life type in seconds
*Jan 6 08:57:36.371: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0x7 0x8
*Jan 6 08:57:36.371: ISAKMP:(2153):atts are acceptable.
*Jan 6 08:57:36.371: IPSEC(validate_proposal_request): proposal part #1
*Jan 6 08:57:36.371: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= YY.YY.YYY.122:0, remote= XX.XXX.XX.166:0,
    local_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jan 6 08:57:36.371: Crypto mapdb : proxy_match
        src addr     : 192.168.0.0
        dst addr     : 192.168.10.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Jan 6 08:57:36.371: ISAKMP:(2153): processing NONCE payload. message ID = -117746533
*Jan 6 08:57:36.371: ISAKMP:(2153): processing ID payload. message ID = -117746533
*Jan 6 08:57:36.371: ISAKMP:(2153): processing ID payload. message ID = -117746533
*Jan 6 08:57:36.371: ISAKMP:(2153):QM Responder gets spi
*Jan 6 08:57:36.371: ISAKMP:(2153):Node -117746533, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jan 6 08:57:36.371: ISAKMP:(2153):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Jan 6 08:57:36.371: crypto_engine: Generate IKE hash
*Jan 6 08:57:36.371: crypto_engine: Generate IKE QM keys
*Jan 6 08:57:36.375: crypto_engine: Create IPSec SA (by keys)
*Jan 6 08:57:36.375: crypto_engine: Generate IKE QM keys
*Jan 6 08:57:36.375: crypto_engine: Create IPSec SA (by keys)
*Jan 6 08:57:36.375: ISAKMP:(2153): Creating IPSec SAs
*Jan 6 08:57:36.375:         inbound SA from XX.XXX.XX.166 to YY.YY.YYY.122 (f/i)  0/ 0
        (proxy 192.168.10.0 to 192.168.0.0)
*Jan 6 08:57:36.375:         has spi 0x685CA3BE and conn_id 0
*Jan 6 08:57:36.375:         lifetime of 1800 seconds
*Jan 6 08:57:36.375:         outbound SA from YY.YY.YYY.122 to XX.XXX.XX.166 (f/i) 0/0
        (proxy 192.168.0.0 to 192.168.10.0)
*Jan 6 08:57:36.375:         has spi 0x88DDBA7D and conn_id 0
*Jan 6 08:57:36.375:         lifetime of 1800 seconds
*Jan 6 08:57:36.375: crypto_engine: Encrypt IKE packet
*Jan 6 08:57:36.375: ISAKMP:(2153): sending packet to XX.XXX.XX.166 my_port 500 peer_port 500 (R) QM_IDLE
*Jan 6 08:57:36.375: ISAKMP:(2153):Sending an IKE IPv4 Packet.
*Jan 6 08:57:36.375: ISAKMP:(2153):Node -117746533, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Jan 6 08:57:36.375: ISAKMP:(2153):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
*Jan 6 08:57:36.375: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jan 6 08:57:36.375: Crypto mapdb : proxy_match
        src addr     : 192.168.0.0
        dst addr     : 192.168.10.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Jan 6 08:57:36.375: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer XX.XXX.XX.166
*Jan 6 08:57:36.375: IPSEC(create_sa): sa created,
  (sa) sa_dest= YY.YY.YYY.122, sa_proto= 50,
    sa_spi= 0x685CA3BE(1750901694),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 75
    sa_lifetime(k/sec)= (4596644/1800)
*Jan 6 08:57:36.375: IPSEC(create_sa): sa created,
  (sa) sa_dest= XX.XXX.XX.166, sa_proto= 50,
    sa_spi= 0x88DDBA7D(2296232573),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 76
    sa_lifetime(k/sec)= (4596644/1800)
*Jan 6 08:57:36.375: crypto engine: updating MTU size of IPSec SA Onboard VPN:76
*Jan 6 08:57:36.375: crypto_engine: Set IPSec MTU
*Jan 6 08:57:36.379: ISAKMP (2153): received packet from XX.XXX.XX.166 dport 500 sport 500 Global (R) QM_IDLE
*Jan 6 08:57:36.379: ISAKMP: set new node -1260341533 to QM_IDLE
*Jan 6 08:57:36.379: crypto_engine: Decrypt IKE packet
*Jan 6 08:57:36.379: crypto_engine: Generate IKE hash
*Jan 6 08:57:36.379: ISAKMP:(2153): processing HASH payload. message ID = -1260341533
*Jan 6 08:57:36.379: ISAKMP:(2153): processing DELETE payload. message ID = -1260341533
*Jan 6 08:57:36.379: ISAKMP:(2153):peer does not do paranoid keepalives.
*Jan 6 08:57:36.379: ISAKMP:(2153):deleting node -1260341533 error FALSE reason "Informational (in) state 1"
*Jan 6 08:57:36.379: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jan 6 08:57:36.379: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Jan 6 08:57:36.379: IPSEC(key_engine_delete_sas): delete SA with spi 0xDBA91EBD proto 50 for XX.XXX.XX.166
*Jan 6 08:57:36.379: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= YY.YY.YYY.122, sa_proto= 50,
    sa_spi= 0xA8DFD707(2833241863),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 73
    sa_lifetime(k/sec)= (4556582/1800),
  (identity) local= YY.YY.YYY.122:0, remote= XX.XXX.XX.166:0,
    local_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4)
*Jan 6 08:57:36.379: crypto engine: deleting IPSec SA Onboard VPN:73
*Jan 6 08:57:36.379: crypto_engine: Delete IPSec SA
*Jan 6 08:57:36.379: completed_delete_ipsec_sa: flow_id = 14000049
*Jan 6 08:57:36.379: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= XX.XXX.XX.166, sa_proto= 50,
    sa_spi= 0xDBA91EBD(3685293757),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 74
    sa_lifetime(k/sec)= (4556582/1800),
  (identity) local= YY.YY.YYY.122:0, remote= XX.XXX.XX.166:0,
    local_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4)
*Jan 6 08:57:36.379: crypto engine: deleting IPSec SA Onboard VPN:74
*Jan 6 08:57:36.379: crypto_engine: Delete IPSec SA
*Jan 6 08:57:36.379: completed_delete_ipsec_sa: flow_id = 1400004A
*Jan 6 08:57:36.383: ISAKMP (2153): received packet from XX.XXX.XX.166 dport 500 sport 500 Global (R) QM_IDLE
*Jan 6 08:57:36.383: crypto_engine: Decrypt IKE packet
*Jan 6 08:57:36.383: crypto_engine: Generate IKE hash
*Jan 6 08:57:36.383: ISAKMP:(2153):deleting node -117746533 error FALSE reason "QM done (await)"
*Jan 6 08:57:36.383: ISAKMP:(2153):Node -117746533, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jan 6 08:57:36.383: ISAKMP:(2153):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Jan 6 08:57:36.383: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jan 6 08:57:36.387: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Jan 6 08:57:36.387: IPSEC(key_engine_enable_outbound): enable SA with spi 2296232573/50
*Jan 6 08:57:36.387: IPSEC(update_current_outbound_sa): get enable SA peer XX.XXX.XX.166 current outbound sa to SPI 88DDBA7D
*Jan 6 08:57:36.387: IPSEC(update_current_outbound_sa): updated peer XX.XXX.XX.166 current outbound sa to SPI 88DDBA7D
*Jan 6 08:57:40.975: ISAKMP (2153): received packet from XX.XXX.XX.166 dport 500 sport 500 Global (R) QM_IDLE
*Jan 6 08:57:40.975: ISAKMP:(2153): phase 2 packet is a duplicate of a previous packet.
*Jan 6 08:57:40.975: ISAKMP:(2153): retransmitting due to retransmit phase 2
*Jan 6 08:57:40.979: ISAKMP:(2153): ignoring retransmission,because phase2 node marked dead -117746533
*Jan 6 08:57:44.871: ISAKMP:(2150):purging SA., sa=873C0A10, delme=873C0A10
*Jan 6 08:57:45.975: ISAKMP (2153): received packet from XX.XXX.XX.166 dport 500 sport 500 Global (R) QM_IDLE
*Jan 6 08:57:45.975: ISAKMP:(2153): phase 2 packet is a duplicate of a previous packet.
*Jan 6 08:57:45.975: ISAKMP:(2153): retransmitting due to retransmit phase 2
*Jan 6 08:57:45.975: ISAKMP:(2153): ignoring retransmission,because phase2 node marked dead -117746533
*Jan 6 08:57:50.975: ISAKMP (2153): received packet from XX.XXX.XX.166 dport 500 sport 500 Global (R) QM_IDLE
*Jan 6 08:57:50.975: ISAKMP:(2153): phase 2 packet is a duplicate of a previous packet.
*Jan 6 08:57:50.975: ISAKMP:(2153): retransmitting due to retransmit phase 2
*Jan 6 08:57:50.975: ISAKMP:(2153): ignoring retransmission,because phase2 node marked dead -117746533
06.01.2013, 23:49 | #2
I have never worked with Trendnet, but I suspect IKE PFS needs to be Enabled. Or IPSEC PFS needs to have group1, or DH1, selected; I don't know how it is labelled there. More likely the second. Or maybe both.
Even though the Cisco config has no "set pfs group1" command, it is implied by default, and the Trendnet's proposals contain no DH group.
P.S. If you try it, post back whether it worked or not. I'm curious too.
07.01.2013, 14:46 [OP] | #3
Thanks for the advice.
The Trendnet has the following settings:
DH Group: 1) Group 1 2) Group 2
IKE PFS: 1) Disabled 2) Group 1 3) Group 2
IPSec PFS: 1) None 2) Group 1 3) Group 2
I tried various combinations. No result. Moved crypto isakmp to group 2 and the Trendnet accordingly. Same thing. The Cisco reports:
*Jan 7 10:34:53.019: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at YY.YYY.YY.166
Before the Cisco 881 there was a Linksys 042. It worked with the Trendnet over IPSEC without any problems.

sh crypto session:
Crypto session current status

Interface: FastEthernet4
Session status: UP-ACTIVE
Peer: YY.YYY.YY.166 port 500
  IKEv1 SA: local XX.XX.XXX.122/500 remote YY.YYY.YY.166/500 Active
  IKEv1 SA: local XX.XX.XXX.122/500 remote YY.YYY.YY.166/500 Inactive
  IKEv1 SA: local XX.XX.XXX.122/500 remote YY.YYY.YY.166/500 Inactive
  IKEv1 SA: local XX.XX.XXX.122/500 remote YY.YYY.YY.166/500 Inactive
  IKEv1 SA: local XX.XX.XXX.122/500 remote YY.YYY.YY.166/500 Active
  IKEv1 SA: local XX.XX.XXX.122/500 remote YY.YYY.YY.166/500 Active
  IKEv1 SA: local XX.XX.XXX.122/500 remote YY.YYY.YY.166/500 Active
  IKEv1 SA: local XX.XX.XXX.122/500 remote YY.YYY.YY.166/500 Active
  IKEv1 SA: local XX.XX.XXX.122/500 remote YY.YYY.YY.166/500 Active
  IKEv1 SA: local XX.XX.XXX.122/500 remote YY.YYY.YY.166/500 Active
  IKEv1 SA: local XX.XX.XXX.122/500 remote YY.YYY.YY.166/500 Active
  IKEv1 SA: local XX.XX.XXX.122/500 remote YY.YYY.YY.166/500 Active
  IKEv1 SA: local XX.XX.XXX.122/500 remote YY.YYY.YY.166/500 Active
  IKEv1 SA: local XX.XX.XXX.122/500 remote YY.YYY.YY.166/500 Active
  IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 192.168.10.0/255.255.255.0
        Active SAs: 4, origin: crypto map

Logs from the Trendnet:
[02:20:39]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE(NOTIFY_PAYLOAD) ****
[02:20:46]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE(DELETE_PAYLOAD) ****
[02:20:49]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE(NOTIFY_PAYLOAD) ****
[02:20:51]**** RECEIVED IKE DELETE PAYLOAD ****
[02:20:51]**** Deleting IPSEC SA(spi=3327848093,ip=YY.YY.YYY.122) ****
[02:20:51]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE(DELETE_PAYLOAD) ****
[02:20:51][==== IKE PHASE 1(to YY.YY.YYY.122) START (initiator) ====]
[02:20:51]**** SENT OUT FIRST MESSAGE OF MAIN MODE ****
[02:20:51] PAYLOADS: SA,PROP,TRANS,VID
[02:20:51]**** RECEIVED SECOND MESSAGE OF MAIN MODE ****
[02:20:51] PAYLOADS: SA,PROP,TRANS
[02:20:52]**** SENT OUT THIRD MESSAGE OF MAIN MODE ****
[02:20:52] PAYLOADS: KE,NONCE
[02:20:52] PAYLOADS: KE,NONCE,VID,VID,VID,VID
[02:20:52] Type = ID_IPV4_ADDR,ID Data=XX.XXX.XX.166
[02:20:52]**** SENT OUT FIFTH MESSAGE OF MAIN MODE ****
[02:20:52]**** RECEIVED SIXTH MESSAGE OF MAIN MODE ****
[02:20:52] PAYLOADS: ID,HASH
[02:20:52]**** MAIN MODE COMPLETED ****
[02:20:52][==== IKE PHASE 1 ESTABLISHED====]
[02:20:52][==== IKE PHASE 2(to YY.YY.YYY.122) START (initiator) ====]
[02:20:52]**** SENT OUT FIRST MESSAGE OF QUICK MODE ****
[02:20:52]
[02:20:52]
[02:20:52]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE(DELETE_PAYLOAD) ****
[02:20:52]**** RECEIVED SECOND MESSAGE OF QUICK MODE ****
[02:20:52] PAYLOADS: HASH,SA,PROP,TRANS,NONCE,ID,ID,NOTIFY
[02:20:52]**** SENT OUT THIRD MESSAGE OF QUICK MODE ****
[02:20:52]**** QUICK MODE COMPLETED ****
[02:20:52][==== IKE PHASE 2 ESTABLISHED====]
[02:20:56]**** RECEIVED IKE DELETE PAYLOAD ****
[02:20:56]**** Deleting IPSEC SA(spi=387289644,ip=YY.YY.YYY.122) ****
[02:20:59]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE(NOTIFY_PAYLOAD) ****
[02:21:09]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE(NOTIFY_PAYLOAD) ****
[02:21:11]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE(DELETE_PAYLOAD) ****
[02:21:17][==== IKE PHASE 1(to 46.39.236.125) START (initiator) ====]
[02:21:17]**** SENT OUT FIRST MESSAGE OF MAIN MODE ****
[02:21:17] PAYLOADS: SA,PROP,TRANS,VID
[02:21:17]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE(DELETE_PAYLOAD) ****
[02:21:17][==== IKE PHASE 1(to YY.YY.YYY.122) START (initiator) ====]
[02:21:17]**** SENT OUT FIRST MESSAGE OF MAIN MODE ****
[02:21:17] PAYLOADS: SA,PROP,TRANS,VID
[02:21:17]**** RECEIVED SECOND MESSAGE OF MAIN MODE ****
[02:21:17] PAYLOADS: SA,PROP,TRANS
[02:21:17]**** SENT OUT THIRD MESSAGE OF MAIN MODE ****
[02:21:17] PAYLOADS: KE,NONCE
[02:21:17]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE(DELETE_PAYLOAD) ****
[02:21:17][==== IKE PHASE 1(to YY.YY.YYY.122) START (initiator) ====]
[02:21:17]**** SENT OUT FIRST MESSAGE OF MAIN MODE ****
[02:21:17] PAYLOADS: SA,PROP,TRANS,VID
[02:21:17]**** RECEIVED SECOND MESSAGE OF MAIN MODE ****
[02:21:17] PAYLOADS: SA,PROP,TRANS
[02:21:18]**** SENT OUT THIRD MESSAGE OF MAIN MODE ****
[02:21:18] PAYLOADS: KE,NONCE
[02:21:18]**** RECEIVED FOURTH MESSAGE OF MAIN MODE ****
[02:21:18] PAYLOADS: KE,NONCE,VID,VID,VID,VID
[02:21:18] Type = ID_IPV4_ADDR,ID Data=XX.XXX.XX.166
[02:21:18]**** SENT OUT FIFTH MESSAGE OF MAIN MODE ****
[02:21:18]**** RECEIVED SIXTH MESSAGE OF MAIN MODE ****
[02:21:18] PAYLOADS: ID,HASH
[02:21:18]**** MAIN MODE COMPLETED ****
[02:21:18][==== IKE PHASE 1 ESTABLISHED====]
[02:21:18][==== IKE PHASE 2(to YY.YY.YYY.122) START (initiator) ====]
[02:21:18]**** SENT OUT FIRST MESSAGE OF QUICK MODE ****
[02:21:18]
[02:21:18]
[02:21:18]**** RECEIVED SECOND MESSAGE OF QUICK MODE ****
[02:21:18] PAYLOADS: HASH,SA,PROP,TRANS,NONCE,ID,ID,NOTIFY
[02:21:18]**** SENT OUT THIRD MESSAGE OF QUICK MODE ****
[02:21:18]**** QUICK MODE COMPLETED ****
[02:21:18][==== IKE PHASE 2 ESTABLISHED====]
[02:21:19]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE(NOTIFY_PAYLOAD) ****
[02:21:22]**** RECEIVED IKE DELETE PAYLOAD ****
[02:21:22]**** Deleting IPSEC SA(spi=177476310,ip=YY.YY.YYY.122) ****
[02:21:29]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE(NOTIFY_PAYLOAD) ****
07.01.2013, 16:50 | #4
I did some more reading on cisco.com; it looks like the tunnel comes up fine in the first debug as well. But for some reason it immediately drops and tries to reconnect again.

Added 28 minutes later:
I also have a suspicion about NAT; could it be the cause? If NAT is applied before IPsec, the following happens:
- a packet appears from 192.168.0.0/24 to "somewhere"
- NAT rewrites the source IP from 192.168.0.0/24 to the Fa4 address (remember the NAT ACL)
- the packet arrives at interface 4
- IPsec looks at it and sees that the packet does not match ACL 100, which it is supposed to act on
- and lets the packet through unprocessed
- the provider's network drops the packet destined for 192.168.10.0/24, since that is not routable, while the other packets go where they should.
Perhaps the NAT ACL should be written like this:
ip access-list extended NAT
 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
NAT and IPsec may well work independently, but their ACLs overlap, and that may be the cause of the problem.
08.01.2013, 15:26 [OP] | #5
I also suspect NAT.
The link seems to be up. Debug isakmp and ipsec are silent. Ping from the Trendnet to the Cisco goes through, but from the Cisco to the Trendnet it doesn't. And only from the Cisco onward into the 192.168.0.0 network does it not let traffic through.

sh run:
Current configuration : 2304 bytes
!
! Last configuration change at 11:14:13 UTC Tue Jan 8 2013 by admin
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco881
!
boot-start-marker
boot-end-marker
!
enable secret 5 !236
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
ip source-route
!
ip cef
ip domain name
no ipv6 cef
!
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 l2tp tunnel timeout no-session 15
!
license udi pid CISCO881-PCI-K9 sn FCZ1635C1XP
license boot module c880-data level advsecurity
!
username admin privilege 15 password 7
username pavel password 7
!
ip ssh version 2
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key password address YY.YYY.YY.166
!
crypto ipsec transform-set IPSECSET esp-3des esp-md5-hmac
!
crypto map TEST 1 ipsec-isakmp
 set peer YY.YYY.YY.166
 set security-association lifetime seconds 1800
 set transform-set IPSECSET
 match address ACL_IPSEC
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address XX.XX.XXX.122 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map TEST
!
interface Virtual-Template1
 ip unnumbered Vlan1
 peer default ip address pool pptp
 no keepalive
 ppp encrypt mppe auto
 ppp authentication ms-chap-v2
!
interface Vlan1
 ip address 192.168.0.222 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip local pool pptp 192.168.0.223 192.168.0.254
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list NAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 XX.XX.XXX.121
!
ip access-list extended ACL_IPSEC
 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
ip access-list extended NAT
 deny   ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
!
logging esm config
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login local
 transport input ssh
!
end
08.01.2013, 16:08 | #6
ip access-list extended ACL_IPSEC
 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255   <- this one is unnecessary
ip access-list extended NAT
 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any                      <- this is missing
 deny ip any any                                          <- present implicitly in every access list
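An added illustration, not from the thread, of the order of operations described in replies 4 and 6: a small Python model of the inside-to-outside path on which NAT runs before the crypto map, evaluated with the thread's own crypto ACL and the three NAT ACLs that appear in the thread (the original one, the deny-only one from reply 5, and the corrected one). The outside address and the host addresses are constructed placeholders standing in for the redacted ones.

```python
"""Model of the IOS inside-to-outside packet path discussed in this thread.

NAT ('ip nat inside source list NAT ... overload') is applied before the crypto
map consults its ACL, so a NAT ACL that also matches LAN-to-LAN traffic rewrites
the source address and the crypto ACL no longer sees 192.168.0.0/24 -> 192.168.10.0/24.
"""
import ipaddress
from dataclasses import dataclass

# Constructed placeholder for the redacted Fa4 address (YY.YY.YYY.122 in the thread).
OUTSIDE_IP = "203.0.113.122"


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: str     # "any" or Cisco "network wildcard", e.g. "192.168.0.0 0.0.0.255"
    dst: str


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    if spec == "any":
        return True
    net, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def acl_permits(acl: list[AclEntry], src: str, dst: str) -> bool:
    """First matching entry wins; an implicit 'deny ip any any' ends every IOS ACL."""
    for entry in acl:
        if wildcard_match(src, entry.src) and wildcard_match(dst, entry.dst):
            return entry.action == "permit"
    return False


def forward(nat_acl: list[AclEntry], crypto_acl: list[AclEntry], src: str, dst: str) -> dict:
    """Inside -> outside on Fa4: the NAT decision is taken first, then the crypto map
    matches its ACL against the (possibly already translated) packet."""
    natted = acl_permits(nat_acl, src, dst)
    src_on_wire = OUTSIDE_IP if natted else src
    encrypted = acl_permits(crypto_acl, src_on_wire, dst)
    return {"natted": natted, "src_on_wire": src_on_wire, "encrypted": encrypted}


LAN = "192.168.0.0 0.0.0.255"
REMOTE_LAN = "192.168.10.0 0.0.0.255"

# access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
CRYPTO_ACL = [AclEntry("permit", LAN, REMOTE_LAN)]

# NAT ACL from the first config: permit ip 192.168.0.0 0.0.0.255 any
NAT_ORIGINAL = [AclEntry("permit", LAN, "any")]

# NAT ACL as posted in reply 5: only the deny, the permit forgotten (implicit deny remains)
NAT_DENY_ONLY = [AclEntry("deny", LAN, REMOTE_LAN)]

# NAT ACL as corrected in replies 4 and 6
NAT_FIXED = [AclEntry("deny", LAN, REMOTE_LAN), AclEntry("permit", LAN, "any")]


def scenarios() -> dict:
    """Constructed sample flows: one host behind the Cisco talking to the Trendnet LAN
    and to an Internet host, under each of the three NAT ACLs."""
    host, tunnel_dst, internet_dst = "192.168.0.10", "192.168.10.10", "198.51.100.1"
    out = {}
    for name, nat_acl in (("original", NAT_ORIGINAL), ("deny_only", NAT_DENY_ONLY), ("fixed", NAT_FIXED)):
        out[name] = {
            "to_tunnel": forward(nat_acl, CRYPTO_ACL, host, tunnel_dst),
            "to_internet": forward(nat_acl, CRYPTO_ACL, host, internet_dst),
        }
    return out


if __name__ == "__main__":
    for name, flows in scenarios().items():
        for flow, result in flows.items():
            print(f"{name:9s} {flow:12s} {result}")
```

The deny-only case shows what the implicit deny from reply 6 costs: nothing is translated any more, so Internet-bound traffic leaves Fa4 with a private source address.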
09.01.2013, 09:15 [OP] | #7
That didn't help.
Is there any way to trace a packet (something like a sniffer on FastEthernet4)?
10.01.2013, 00:29 | #8
A sniffer on the port won't help. Every packet leaving Fa4 will carry that interface's address regardless of its destination.
You need to look at the information on the router itself. Take a test host on the internal network and send pings from it to the various networks.

NAT:
First clear all NAT translations and statistics
clear ip nat translation *
Enable debugging
debug ip nat detail
Run the test pings and see what happened, if anything
show ip nat translation verbose

For IPsec:
debug crypto ipsec
debug crypto isakmp
debug crypto engine

You can also look at how the router reacts to packets from the test host in general. For that, write an ACL
access-list 10 permit host {ip-address}
and start the debug
debug ip packet 10 detail
Never run this command without the ACL. It can take the router down.

I also have a question about DPD. It is not enabled on the Trendnet, and the deletion of the association begins right after the message about it appears.
crypto isakmp keepalive 10 on-demand
or
crypto isakmp keepalive 10 periodic
10 is the interval in seconds.
Well, something like that.
P.S. DPD is the function that determines whether the host at the other end of the IPsec tunnel is still there when there is no activity on the link.
17.01.2013, 12:34 [OP] | #9
asder30, thanks, it worked.
As a newbie I didn't take into account that if nothing is connected to ports FastEthernet 0-3, Vlan1 is down. Now I need to hang 5 more IPsec tunnels on the one crypto map. Or is there another option?
17.01.2013, 14:46 | #10
18.01.2013, 10:00 [OP] | #11
crypto map TEST 1 ipsec-isakmp
 set peer 91.XX.XX.XX
 set peer 178.YY.YY.YY
 set peer 89.ZZ.ZZ.ZZ
 set peer 89.CC.CC.CC
 set security-association lifetime seconds 1800
 set transform-set IPSECSET
 match address ACL_IPSEC
Something like that. I just don't understand how to apply VPN settings per peer (i.e. 3des-md5 for peer 178.YY.YY.YY, but des-sha for peer 89.ZZ.ZZ.ZZ).
19.01.2013, 00:59 | #12
It looks like there is no way. You will have to bring everything to a common denominator.
You can't put two transform-sets into a crypto map, and only one crypto map can be applied to an interface. Smarter boxes like the ASA may be able to work with different variants, but a plain router can't. At least I tried to model it here and it didn't work for me.