ASA Palo Alto IKEv2 VPN troubleshooting - Debug

 


1. When traffic is initiated from VPC-ASA to VPC-Palo


     VPC-ASA> ping 10.0.10.100 -c 1


When all configuration is correct and the VPN is up:

ciscoasa# IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-7: (58): Setting configured policies
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-4: (58): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
IKEv2-PROTO-4: (58): Request queued for computation of DH key
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-7: (58): Action: Action_Null
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-4: (58): Generating IKE_SA_INIT message
IKEv2-PROTO-4: (58): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
(58):    AES-CBC(58):    SHA256(58):    SHA256(58):    DH_GROUP_2048_MODP/Group 14(58):
IKEv2-PROTO-4: (58): Sending Packet [To 203.0.113.10:500/From 203.0.113.20:500/VRF i0:f0]
(58): Initiator SPI : C5C5D1BF71CE22DF - Responder SPI : 0000000000000000 Message id: 0
(58): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (58): Next payload: SA, version: 2.0 (58): Exchange type: IKE_SA_INIT, flags: INITIATOR (58): Message id: 0, length: 574(58):
Payload contents:
(58):  SA(58):   Next payload: KE, reserved: 0x0, length: 48
(58):   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(58):     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
(58):     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
(58):     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
(58):     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(58):  KE(58):   Next payload: N, reserved: 0x0, length: 264
(58):     DH group: 14, Reserved: 0x0
(58):
(58):  N(58):   Next payload: VID, reserved: 0x0, length: 68
(58):
(58):      5d e9 d3 71 1e 79 77 d7 8f 53 61 cb 02 57 18 fd
(58):      72 7c a7 2c c7 8a 6e 59 c6 d4 05 9e ae 62 98 01
(58):      29 ff ce e4 7e c1 a6 76 4c 14 f3 b9 aa 2b a7 10
(58):      dc 30 3c 0f a7 20 ef d3 f5 55 de ee a9 5f 34 f4
(58):  VID(58):   Next payload: VID, reserved: 0x0, length: 23
(58):
(58):      43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(58):      53 4f 4e
(58):  VID(58):   Next payload: NOTIFY, reserved: 0x0, length: 59
(58):
(58):      43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(58):      26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(58):      30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(58):      73 2c 20 49 6e 63 2e
(58):  NOTIFY(NAT_DETECTION_SOURCE_IP)(58):   Next payload: NOTIFY, reserved: 0x0, length: 28
(58):     Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(58):
(58):      fc 09 a1 1c 44 db ce 00 c1 a0 bb ee 9e 71 85 67
(58):      0b 9e 8d 95
(58):  NOTIFY(NAT_DETECTION_DESTINATION_IP)(58):   Next payload: NOTIFY, reserved: 0x0, length: 28
(58):     Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(58):
(58):      9b 67 69 23 44 87 33 fd 22 cf 41 8d a5 bb 23 4a
(58):      da 63 55 fa
(58):  NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(58):   Next payload: VID, reserved: 0x0, length: 8
(58):     Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(58):  VID(58):   Next payload: NONE, reserved: 0x0, length: 20
(58):
(58):      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(58):
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-4: (58): Insert SA
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
(58):
IKEv2-PROTO-4: (58): Received Packet [From 203.0.113.10:500/To 203.0.113.20:500/VRF i0:f0]
(58): Initiator SPI : C5C5D1BF71CE22DF - Responder SPI : 30BF75974FDB3B3C Message id: 0
(58): IKEv2 IKE_SA_INIT Exchange RESPONSEIKEv2-PROTO-5: (58): Next payload: SA, version: 2.0 (58): Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE (58): Message id: 0, length: 432(58):
Payload contents:
(58):  SA(58):   Next payload: KE, reserved: 0x0, length: 48
(58):   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(58):     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
(58):     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
(58):     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
(58):     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(58):  KE(58):   Next payload: N, reserved: 0x0, length: 264
(58):     DH group: 14, Reserved: 0x0
(58):
(58):  N(58):   Next payload: NOTIFY, reserved: 0x0, length: 36
(58):
(58):      3a 6e 3e 36 80 93 27 7f 91 30 dd 81 b2 e4 41 fc
(58):      05 14 75 27 68 a7 f5 5d 77 ac 6d c9 9a db 9e 08
(58):  NOTIFY(NAT_DETECTION_SOURCE_IP)(58):   Next payload: NOTIFY, reserved: 0x0, length: 28
(58):     Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(58):
(58):      85 7a 89 4e 21 67 65 6c 60 e0 16 9e 71 62 70 b5
(58):      ae 07 35 41
(58):  NOTIFY(NAT_DETECTION_DESTINATION_IP)(58):   Next payload: NONE, reserved: 0x0, length: 28
(58):     Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(58):
(58):      57 d8 da e8 70 d0 24 c8 75 56 ee a0 e8 9c d0 27
(58):      23 a9 1f a5
(58):
(58): Decrypted packet:(58): Data: 432 bytes
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-7: (58): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (58): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-4: (58): Verify SA init message
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-4: (58): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-7: (58): Process NAT discovery notify
IKEv2-PROTO-7: (58): Processing nat detect src notify
IKEv2-PROTO-7: (58): Remote address matched
IKEv2-PROTO-7: (58): Processing nat detect dst notify
IKEv2-PROTO-7: (58): Local address matched
IKEv2-PROTO-7: (58): No NAT found
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-4: (58): Checking NAT discovery
IKEv2-PROTO-4: (58): NAT not found
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-4: (58): [IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
IKEv2-PROTO-4: (58): Request queued for computation of DH secret
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-7: (58): Action: Action_Null
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-7: (58): Generate skeyid
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-4: (58): Completed SA init exchange
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-4: (58): Check for EAP exchange
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-4: (58): Generate my authentication data
IKEv2-PROTO-4: (58): Use preshared key for id 203.0.113.20, key len 8
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-4: (58): Get my authentication method
IKEv2-PROTO-4: (58): My authentication method is 'PSK'
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-4: (58): Check for EAP exchange
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-4: (58): Generating IKE_AUTH message
IKEv2-PROTO-4: (58): Constructing IDi payload: '203.0.113.20' of type 'IPv4 address'
IKEv2-PROTO-4: (58): ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
(58):    AES-CBC(58):    SHA256(58):    Don't use ESNIKEv2-PROTO-4: (58): Building packet for encryption.
(58):
Payload contents:
(58):  VID(58):   Next payload: IDi, reserved: 0x0, length: 20
(58):
(58):      c7 c5 d0 bf 62 f9 d1 98 06 41 07 e8 f1 c3 0e da
(58):  IDi(58):   Next payload: AUTH, reserved: 0x0, length: 12
(58):     Id type: IPv4 address, Reserved: 0x0 0x0
(58):
(58):      cb 00 71 14
(58):  AUTH(58):   Next payload: SA, reserved: 0x0, length: 40
(58):     Auth method PSK, reserved: 0x0, reserved 0x0
(58): Auth data: 32 bytes
(58):  SA(58):   Next payload: TSi, reserved: 0x0, length: 44
(58):   last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3(58):     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
(58):     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
(58):     last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id: Don't use ESN
(58):  TSi(58):   Next payload: TSr, reserved: 0x0, length: 24
(58):     Num of TSs: 1, reserved 0x0, reserved 0x0
(58):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(58):     start port: 0, end port: 65535
(58):     start addr: 10.0.20.100, end addr: 10.0.20.100
(58):  TSr(58):   Next payload: NOTIFY, reserved: 0x0, length: 24
(58):     Num of TSs: 1, reserved 0x0, reserved 0x0
(58):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(58):     start port: 0, end port: 65535
(58):     start addr: 10.0.10.100, end addr: 10.0.10.100
(58):  NOTIFY(INITIAL_CONTACT)(58):   Next payload: NOTIFY, reserved: 0x0, length: 8
(58):     Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
(58):  NOTIFY(ESP_TFC_NO_SUPPORT)(58):   Next payload: NOTIFY, reserved: 0x0, length: 8
(58):     Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
(58):  NOTIFY(NON_FIRST_FRAGS)(58):   Next payload: NONE, reserved: 0x0, length: 8
(58):     Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_ENCRYPT_MSG
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (58): Action: Action_Null
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_TRYSEND
(58):
IKEv2-PROTO-4: (58): Sending Packet [To 203.0.113.10:500/From 203.0.113.20:500/VRF i0:f0]
(58): Initiator SPI : C5C5D1BF71CE22DF - Responder SPI : 30BF75974FDB3B3C Message id: 1
(58): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-5: (58): Next payload: ENCR, version: 2.0 (58): Exchange type: IKE_AUTH, flags: INITIATOR (58): Message id: 1, length: 256(58):
Payload contents:
(58):  ENCR(58):   Next payload: VID, reserved: 0x0, length: 228
(58): Encrypted data: 224 bytes
(58):
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_CHK_EAP_POST_ASYNC
IKEv2-PROTO-4: (58): Check for EAP exchange
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
(58):
IKEv2-PROTO-4: (58): Received Packet [From 203.0.113.10:500/To 203.0.113.20:500/VRF i0:f0]
(58): Initiator SPI : C5C5D1BF71CE22DF - Responder SPI : 30BF75974FDB3B3C Message id: 1
(58): IKEv2 IKE_AUTH Exchange RESPONSEIKEv2-PROTO-5: (58): Next payload: ENCR, version: 2.0 (58): Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE (58): Message id: 1, length: 224(58):
Payload contents:
(58):
(58): Decrypted packet:(58): Data: 224 bytes
(58): REAL Decrypted packet:(58): Data: 152 bytes
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-7: (58): Action: Action_Null
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (58): Process auth response notify
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-4: (58): Searching policy based on peer's identity '203.0.113.10' of type 'IPv4 address'
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-4: (58): Verify peer's policy
IKEv2-PROTO-4: (58): Peer's policy verified
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-4: (58): Get peer's authentication method
IKEv2-PROTO-4: (58): Peer's authentication method is 'PSK'
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-4: (58): Get peer's preshared key for 203.0.113.10
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-4: (58): Verify peer's authentication data
IKEv2-PROTO-4: (58): Use preshared key for id 203.0.113.10, key len 8
IKEv2-PROTO-4: (58): Verification of peer's authenctication data PASSED
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-4: (58): Check for EAP exchange
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_NOTIFY_AUTH_DONE
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_IC
IKEv2-PROTO-4: (58): Processing INITIAL_CONTACT
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_SA_TS
IKEv2-PROTO-4: (58): Processing IKE_AUTH message
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-7: (58): Action: Action_Null
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-4: (58): IKEV2 SA created; inserting SA into database. SA lifetime timer (28800 sec) started
IKEv2-PROTO-4: (58): Session with IKE ID PAIR (203.0.113.10, 203.0.113.20) is UP
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PROTO-4: (58): Initializing DPD, configured for 10 seconds
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_GEN_LOAD_IPSEC
IKEv2-PROTO-4: (58): Load IPSEC key material
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK_RECD_LOAD_IPSEC
IKEv2-PROTO-7: (58): Action: Action_Null
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_START_ACCT
IKEv2-PROTO-4: (58): DPD timer started for 10 secs
IKEv2-PROTO-7: (58): Accounting not required
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PARENT_NEG_COMPLETE
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE
IKEv2-PROTO-7: (58): Closing the PKI session
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-4: (58): Checking for duplicate IKEv2 SA
IKEv2-PROTO-4: (58): No duplicate IKEv2 SA found
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (I) MsgID = 00000001 CurState: READY Event: EV_I_OK
IKEv2-PROTO-7: (58): Deleting negotiation context for my message ID: 0x1
IKEv2-PROTO-7: (58): Request has mess_id 0; expected 0 through 0

(58):  Following packets are DPD packets
IKEv2-PROTO-4: (58): Received Packet [From 203.0.113.10:500/To 203.0.113.20:500/VRF i0:f0]
(58): Initiator SPI : C5C5D1BF71CE22DF - Responder SPI : 30BF75974FDB3B3C Message id: 0
(58): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-5: (58): Next payload: ENCR, version: 2.0 (58): Exchange type: INFORMATIONAL, flags: RESPONDER (58): Message id: 0, length: 80(58):
Payload contents:
(58):
(58): Decrypted packet:(58): Data: 80 bytes
(58): REAL Decrypted packet:(58): Data: 0 bytes
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (R) MsgID = 00000000 CurState: READY Event: EV_RECV_INFO_REQ
IKEv2-PROTO-7: (58): Action: Action_Null
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (R) MsgID = 00000000 CurState: INFO_R Event: EV_RECV_INFO_REQ
IKEv2-PROTO-4: (58): Received DPD/liveness query
IKEv2-PROTO-4: (58): Building packet for encryption.
IKEv2-PROTO-4: (58): Sending ACK to informational exchange
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (R) MsgID = 00000000 CurState: INFO_R Event: EV_ENCRYPT_MSG
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (R) MsgID = 00000000 CurState: INFO_R Event: EV_NO_EVENT
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (R) MsgID = 00000000 CurState: INFO_R Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (58): Action: Action_Null
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (R) MsgID = 00000000 CurState: INFO_R Event: EV_TRYSEND
(58):
IKEv2-PROTO-4: (58): Sending Packet [To 203.0.113.10:500/From 203.0.113.20:500/VRF i0:f0]
(58): Initiator SPI : C5C5D1BF71CE22DF - Responder SPI : 30BF75974FDB3B3C Message id: 0
(58): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-5: (58): Next payload: ENCR, version: 2.0 (58): Exchange type: INFORMATIONAL, flags: INITIATOR MSG-RESPONSE (58): Message id: 0, length: 80(58):
Payload contents:
(58):  ENCR(58):   Next payload: NONE, reserved: 0x0, length: 52
(58): Encrypted data: 48 bytes
(58):
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (R) MsgID = 00000000 CurState: INFO_R Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (R) MsgID = 00000000 CurState: INFO_R Event: EV_START_DEL_NEG_TMR
IKEv2-PROTO-7: (58): Action: Action_Null
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (R) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING
IKEv2-PROTO-7: (58): Sent response with message id 0, Requests can be accepted from range 1 to 1
IKEv2-PROTO-7: (58): SM Trace-> SA: I_SPI=C5C5D1BF71CE22DF R_SPI=30BF75974FDB3B3C (R) MsgID = 00000000 CurState: EXIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (58): Request has mess_id 1; expected 1 through 1




Palo:
 > tail follow yes mp-log ikemgr.log




1.1 Phase1 mismatch

ciscoasa# debug crypto condition peer 203.0.113.10
ciscoasa# debug crypto ikev2 protocol 255       - not much difference between level 2 and 255
ciscoasa# IKEv2-PROTO-7: (43): SM Trace-> SA: I_SPI=8E275BE1C7F0937F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-7: (43): SM Trace-> SA: I_SPI=8E275BE1C7F0937F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-7: (43): SM Trace-> SA: I_SPI=8E275BE1C7F0937F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-7: (43): Setting configured policies
IKEv2-PROTO-7: (43): SM Trace-> SA: I_SPI=8E275BE1C7F0937F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-7: (43): SM Trace-> SA: I_SPI=8E275BE1C7F0937F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-4: (43): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
IKEv2-PROTO-4: (43): Request queued for computation of DH key
IKEv2-PROTO-7: (43): SM Trace-> SA: I_SPI=8E275BE1C7F0937F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (43): SM Trace-> SA: I_SPI=8E275BE1C7F0937F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-7: (43): Action: Action_Null
IKEv2-PROTO-7: (43): SM Trace-> SA: I_SPI=8E275BE1C7F0937F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (43): SM Trace-> SA: I_SPI=8E275BE1C7F0937F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-4: (43): Generating IKE_SA_INIT message
IKEv2-PROTO-4: (43): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
(43):    AES-CBC(43):    SHA256(43):    SHA256(43):    DH_GROUP_2048_MODP/Group 14(43):
IKEv2-PROTO-4: (43): Sending Packet [To 203.0.113.10:500/From 203.0.113.20:500/VRF i0:f0]
(43): Initiator SPI : 8E275BE1C7F0937F - Responder SPI : 0000000000000000 Message id: 0
(43): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (43): Next payload: SA, version: 2.0 (43): Exchange type: IKE_SA_INIT, flags: INITIATOR (43): Message id: 0, length: 574(43):
Payload contents:
(43):  SA(43):   Next payload: KE, reserved: 0x0, length: 48
(43):   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(43):     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
(43):     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
(43):     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
(43):     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(43):  KE(43):   Next payload: N, reserved: 0x0, length: 264
(43):     DH group: 14, Reserved: 0x0
(43):
(43):  N(43):   Next payload: VID, reserved: 0x0, length: 68
(43):
(43):      9e 84 e8 bc 2a d8 9a a5 61 02 47 b8 81 e3 93 ec
(43):      a9 76 9c 0a a5 94 2b 54 7e c5 64 de 4d 96 48 18
(43):      48 0d 7a 6d 29 40 08 23 b9 a5 4d 41 d8 f6 2c 73
(43):      e0 33 11 60 ab 16 b0 c2 d3 bd 8e 87 07 28 e2 e6
(43):  VID(43):   Next payload: VID, reserved: 0x0, length: 23
(43):
(43):      43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(43):      53 4f 4e
(43):  VID(43):   Next payload: NOTIFY, reserved: 0x0, length: 59
(43):
(43):      43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(43):      26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(43):      30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(43):      73 2c 20 49 6e 63 2e
(43):  NOTIFY(NAT_DETECTION_SOURCE_IP)(43):   Next payload: NOTIFY, reserved: 0x0, length: 28
(43):     Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(43):
(43):      98 4f 7b 82 14 80 b5 47 9a 1b f9 3f 76 ca 50 7b
(43):      09 23 dd 2a
(43):  NOTIFY(NAT_DETECTION_DESTINATION_IP)(43):   Next payload: NOTIFY, reserved: 0x0, length: 28
(43):     Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(43):
(43):      40 a5 21 e6 a0 13 01 1d 6c 8c 46 d2 6d 27 cf 6c
(43):      80 bc 96 2e
(43):  NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(43):   Next payload: VID, reserved: 0x0, length: 8
(43):     Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(43):  VID(43):   Next payload: NONE, reserved: 0x0, length: 20
(43):
(43):      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(43):
IKEv2-PROTO-7: (43): SM Trace-> SA: I_SPI=8E275BE1C7F0937F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-4: (43): Insert SA
IKEv2-PROTO-7: (43): SM Trace-> SA: I_SPI=8E275BE1C7F0937F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
(43):
IKEv2-PROTO-4: (43): Received Packet [From 203.0.113.10:500/To 203.0.113.20:500/VRF i0:f0]
(43): Initiator SPI : 8E275BE1C7F0937F - Responder SPI : 0000000000000000 Message id: 0
(43): IKEv2 IKE_SA_INIT Exchange RESPONSEIKEv2-PROTO-5: (43): Next payload: NOTIFY, version: 2.0 (43): Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE (43): Message id: 0, length: 36(43):
Payload contents:
(43):  NOTIFY(NO_PROPOSAL_CHOSEN)(43):   Next payload: NONE, reserved: 0x0, length: 8
(43):     Security protocol id: Unknown - 0, spi size: 0, type: NO_PROPOSAL_CHOSEN
(43):
(43): Decrypted packet:(43): Data: 36 bytes
IKEv2-PROTO-7: (43): SM Trace-> SA: I_SPI=8E275BE1C7F0937F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-7: (43): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (43): SM Trace-> SA: I_SPI=8E275BE1C7F0937F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (43): Processing IKE_SA_INIT message
IKEv2-PROTO-2: (43): Received no proposal chosen notify
IKEv2-PROTO-7: (43): SM Trace-> SA: I_SPI=8E275BE1C7F0937F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_FAIL
IKEv2-PROTO-4: (43): Failed SA init exchange
IKEv2-PROTO-2: (43): Initial exchange failed
IKEv2-PROTO-2: (43): Initial exchange failed
IKEv2-PROTO-7: (43): SM Trace-> SA: I_SPI=8E275BE1C7F0937F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-7: (43): SM Trace-> SA: I_SPI=8E275BE1C7F0937F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-7: (43): SM Trace-> SA: I_SPI=8E275BE1C7F0937F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-4: (43): Abort exchange
IKEv2-PROTO-4: (43): Deleting SA

Note: The ASA debug shows the proposed transform set, but it does not distinguish between AES and AES256.


Palo:



Note: The Palo Alto IKE log doesn't show which Phase 1 parameters were received from the peer.


 Phase2 mismatch

ASA:

ciscoasa# sh crypto isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs
ciscoasa# debug crypto ikev2 protocol 200
!!Prepare IKEv2-INIT_SA
ciscoasa# IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-7: (65): Setting configured policies
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-4: (65): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
IKEv2-PROTO-4: (65): Request queued for computation of DH key
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-7: (65): Action: Action_Null
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-4: (65): Generating IKE_SA_INIT message
IKEv2-PROTO-4: (65): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
(65):    AES-CBC(65):    SHA256(65):    SHA256(65):    DH_GROUP_2048_MODP/Group 14IKEv2-PROTO-7: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-7: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-7: Construct Notify Payload: IKEV2_FRAGMENTATION_SUPPORTEDIKEv2-PROTO-7: Construct Vendor Specific Payload: FRAGMENTATION(65):
!!Send IKEv2-INIT_SA
IKEv2-PROTO-4: (65): Sending Packet [To 203.0.113.10:500/From 203.0.113.20:500/VRF i0:f0]
(65): Initiator SPI : DE8AAE2CC0D635E2 - Responder SPI : 0000000000000000 Message id: 0
(65): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (65): Next payload: SA, version: 2.0 (65): Exchange type: IKE_SA_INIT, flags: INITIATOR (65): Message id: 0, length: 574(65):
Payload contents:
(65):  SA(65):   Next payload: KE, reserved: 0x0, length: 48
(65):   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(65):     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
(65):     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
(65):     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
(65):     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(65):  KE(65):   Next payload: N, reserved: 0x0, length: 264
(65):     DH group: 14, Reserved: 0x0
(65):
(65):  N(65):   Next payload: VID, reserved: 0x0, length: 68
(65):
(65):      e9 ec a6 55 28 4f cd 2f b6 81 6e d4 08 db 1d 22
(65):      70 4f 1a 52 72 db d7 87 eb 54 ea 42 07 87 39 ce
(65):      d1 4a 6b 7b d5 a5 bf 0e d8 e6 79 46 74 65 a9 d3
(65):      2c ba 69 04 26 c2 a4 03 cf 96 6e ba 91 0f ec 60
(65):  VID(65):   Next payload: VID, reserved: 0x0, length: 23
(65):
(65):      43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(65):      53 4f 4e
(65):  VID(65):   Next payload: NOTIFY, reserved: 0x0, length: 59
(65):
(65):      43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(65):      26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(65):      30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(65):      73 2c 20 49 6e 63 2e
(65):  NOTIFY(NAT_DETECTION_SOURCE_IP)(65):   Next payload: NOTIFY, reserved: 0x0, length: 28
(65):     Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(65):
(65):      82 22 be 89 37 b6 f0 6b 56 3d 10 79 d0 8d 83 dd
(65):      23 42 54 07
(65):  NOTIFY(NAT_DETECTION_DESTINATION_IP)(65):   Next payload: NOTIFY, reserved: 0x0, length: 28
(65):     Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(65):
(65):      41 9e 00 6d fb e8 5e d0 57 a4 24 6b cf f5 a2 c6
(65):      58 2b 98 df
(65):  NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(65):   Next payload: VID, reserved: 0x0, length: 8
(65):     Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(65):  VID(65):   Next payload: NONE, reserved: 0x0, length: 20
(65):
(65):      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(65):
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-4: (65): Insert SA
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
(65):
!!Received IKEv2-INIT_SA
IKEv2-PROTO-4: (65): Received Packet [From 203.0.113.10:500/To 203.0.113.20:500/VRF i0:f0]
(65): Initiator SPI : DE8AAE2CC0D635E2 - Responder SPI : 4F824C671999D462 Message id: 0
(65): IKEv2 IKE_SA_INIT Exchange RESPONSEIKEv2-PROTO-5: (65): Next payload: SA, version: 2.0 (65): Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE (65): Message id: 0, length: 432(65):
Payload contents:
(65):  SA(65):   Next payload: KE, reserved: 0x0, length: 48
(65):   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(65):     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
(65):     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
(65):     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
(65):     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(65):  KE(65):   Next payload: N, reserved: 0x0, length: 264
(65):     DH group: 14, Reserved: 0x0
(65):
(65):  N(65):   Next payload: NOTIFY, reserved: 0x0, length: 36
(65):
(65):      c9 92 5b 31 50 f4 52 b9 e7 4c 79 e9 a7 9f 3e ac
(65):      6a 92 e9 81 2e 39 bd ab 80 58 bf aa 3c ea 09 14
IKEv2-PROTO-7: Parse Notify Payload: NAT_DETECTION_SOURCE_IP(65):  NOTIFY(NAT_DETECTION_SOURCE_IP)(65):   Next payload: NOTIFY, reserved: 0x0, length: 28
(65):     Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(65):
(65):      d4 a7 5f 99 76 db 97 ff 11 94 58 b8 dc 82 f2 a3
(65):      bd 2a f3 2b
IKEv2-PROTO-7: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP(65):  NOTIFY(NAT_DETECTION_DESTINATION_IP)(65):   Next payload: NONE, reserved: 0x0, length: 28
(65):     Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(65):
(65):      98 cc e9 25 3b 1f 08 34 ac 32 2f 04 d5 76 3e 0b
(65):      3f 40 3e 4e
(65):
(65): Decrypted packet:(65): Data: 432 bytes
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-7: (65): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (65): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-4: (65): Verify SA init message
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-4: (65): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-7: (65): Process NAT discovery notify
IKEv2-PROTO-7: (65): Processing nat detect src notify
IKEv2-PROTO-7: (65): Remote address matched
IKEv2-PROTO-7: (65): Processing nat detect dst notify
IKEv2-PROTO-7: (65): Local address matched
IKEv2-PROTO-7: (65): No NAT found
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-4: (65): Checking NAT discovery
IKEv2-PROTO-4: (65): NAT not found
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-4: (65): [IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
IKEv2-PROTO-4: (65): Request queued for computation of DH secret
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-7: (65): Action: Action_Null
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-7: (65): Generate skeyid
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-4: (65): Completed SA init exchange
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-4: (65): Check for EAP exchange
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-4: (65): Generate my authentication data
IKEv2-PROTO-4: (65): Use preshared key for id 203.0.113.20, key len 8
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-4: (65): Get my authentication method
IKEv2-PROTO-4: (65): My authentication method is 'PSK'
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-4: (65): Check for EAP exchange
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-4: (65): Generating IKE_AUTH message
IKEv2-PROTO-7: Construct Vendor Specific Payload: CISCO-GRANITEIKEv2-PROTO-4: (65): Constructing IDi payload: '203.0.113.20' of type 'IPv4 address'
IKEv2-PROTO-4: (65): ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
(65):    AES-CBC(65):    SHA256(65):    Don't use ESNIKEv2-PROTO-7: Construct Notify Payload: INITIAL_CONTACTIKEv2-PROTO-7: Construct Notify Payload: ESP_TFC_NO_SUPPORTIKEv2-PROTO-7: Construct Notify Payload: NON_FIRST_FRAGSIKEv2-PROTO-4: (65): Building packet for encryption.
(65):
Payload contents:
(65):  VID(65):   Next payload: IDi, reserved: 0x0, length: 20
(65):
(65):      dc 8a af 2c d3 e1 c6 a5 63 20 7d 26 99 fc c2 40
(65):  IDi(65):   Next payload: AUTH, reserved: 0x0, length: 12
(65):     Id type: IPv4 address, Reserved: 0x0 0x0
(65):
(65):      cb 00 71 14
(65):  AUTH(65):   Next payload: SA, reserved: 0x0, length: 40
(65):     Auth method PSK, reserved: 0x0, reserved 0x0
(65): Auth data: 32 bytes
(65):  SA(65):   Next payload: TSi, reserved: 0x0, length: 44
(65):   last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3(65):     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
(65):     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
(65):     last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id: Don't use ESN
(65):  TSi(65):   Next payload: TSr, reserved: 0x0, length: 24
(65):     Num of TSs: 1, reserved 0x0, reserved 0x0
(65):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(65):     start port: 0, end port: 65535
(65):     start addr: 10.0.20.100, end addr: 10.0.20.100
(65):  TSr(65):   Next payload: NOTIFY, reserved: 0x0, length: 24
(65):     Num of TSs: 1, reserved 0x0, reserved 0x0
(65):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(65):     start port: 0, end port: 65535
(65):     start addr: 10.0.10.100, end addr: 10.0.10.100
(65):  NOTIFY(INITIAL_CONTACT)(65):   Next payload: NOTIFY, reserved: 0x0, length: 8
(65):     Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
(65):  NOTIFY(ESP_TFC_NO_SUPPORT)(65):   Next payload: NOTIFY, reserved: 0x0, length: 8
(65):     Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
(65):  NOTIFY(NON_FIRST_FRAGS)(65):   Next payload: NONE, reserved: 0x0, length: 8
(65):     Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
!!Prepare IKEv2-AUTH_SA
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_ENCRYPT_MSG
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (65): Action: Action_Null
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_TRYSEND
(65):
!!Send IKEv2-AUTH_SA
IKEv2-PROTO-4: (65): Sending Packet [To 203.0.113.10:500/From 203.0.113.20:500/VRF i0:f0]
(65): Initiator SPI : DE8AAE2CC0D635E2 - Responder SPI : 4F824C671999D462 Message id: 1
(65): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-5: (65): Next payload: ENCR, version: 2.0 (65): Exchange type: IKE_AUTH, flags: INITIATOR (65): Message id: 1, length: 256(65):
Payload contents:
(65):  ENCR(65):   Next payload: VID, reserved: 0x0, length: 228
(65): Encrypted data: 224 bytes
(65):
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_CHK_EAP_POST_ASYNC
IKEv2-PROTO-4: (65): Check for EAP exchange
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
(65):
!!Received IKEv2-Auth_SA
IKEv2-PROTO-4: (65): Received Packet [From 203.0.113.10:500/To 203.0.113.20:500/VRF i0:f0]
(65): Initiator SPI : DE8AAE2CC0D635E2 - Responder SPI : 4F824C671999D462 Message id: 1
(65): IKEv2 IKE_AUTH Exchange RESPONSEIKEv2-PROTO-5: (65): Next payload: ENCR, version: 2.0 (65): Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE (65): Message id: 1, length: 80(65):
Payload contents:
IKEv2-PROTO-4: decrypt queued(65):
(65): Decrypted packet:(65): Data: 80 bytes
(65): REAL Decrypted packet:(65): Data: 8 bytes
IKEv2-PROTO-7: Parse Notify Payload: NO_PROPOSAL_CHOSEN NOTIFY(NO_PROPOSAL_CHOSEN)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: NO_PROPOSAL_CHOSEN

IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-7: (65): Action: Action_Null
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (65): Process auth response notify
IKEv2-PROTO-2: (65): Received no proposal chosen notify
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RE_XMT
IKEv2-PROTO-4: (65): Retransmitting packet
(65):
IKEv2-PROTO-4: (65): Sending Packet [To 203.0.113.10:500/From 203.0.113.20:500/VRF i0:f0]
(65): Initiator SPI : DE8AAE2CC0D635E2 - Responder SPI : 4F824C671999D462 Message id: 1
(65): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-5: (65): Next payload: ENCR, version: 2.0 (65): Exchange type: IKE_AUTH, flags: INITIATOR (65): Message id: 1, length: 256(65):
Payload contents:
(65):  ENCR(65):   Next payload: VID, reserved: 0x0, length: 228
(65): Encrypted data: 224 bytes
(65):
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-2: (65): Received an IKE msg id outside supported window
IKEv2-PROTO-2: (65): Response is outside of window received 0x1, expect 0x2 <= mess_id < 0x2

IKEv2-PROTO-2: Received an IKE msg id outside supported window
IKEv2-PROTO-2: Couldn't find matching SA

IKEv2-PROTO-4: Received Packet [From 203.0.113.10:500/To 203.0.113.20:500/VRF i0:f0]
Initiator SPI : DE8AAE2CC0D635E2 - Responder SPI : 4F824C671999D462 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSEIKEv2-PROTO-5: Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 80IKEv2-PROTO-2: A supplied parameter is incorrect
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RE_XMT
IKEv2-PROTO-4: (65): Retransmitting packet
(65):
IKEv2-PROTO-4: (65): Sending Packet [To 203.0.113.10:500/From 203.0.113.20:500/VRF i0:f0]
(65): Initiator SPI : DE8AAE2CC0D635E2 - Responder SPI : 4F824C671999D462 Message id: 1
(65): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-5: (65): Next payload: ENCR, version: 2.0 (65): Exchange type: IKE_AUTH, flags: INITIATOR (65): Message id: 1, length: 256(65):
Payload contents:
(65):  ENCR(65):   Next payload: VID, reserved: 0x0, length: 228
(65): Encrypted data: 224 bytes
(65):
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-2: (65): Received an IKE msg id outside supported window
IKEv2-PROTO-2: (65): Response is outside of window received 0x1, expect 0x2 <= mess_id < 0x2

IKEv2-PROTO-2: Received an IKE msg id outside supported window
IKEv2-PROTO-2: Couldn't find matching SA

IKEv2-PROTO-4: Received Packet [From 203.0.113.10:500/To 203.0.113.20:500/VRF i0:f0]
Initiator SPI : DE8AAE2CC0D635E2 - Responder SPI : 4F824C671999D462 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSEIKEv2-PROTO-5: Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 80IKEv2-PROTO-2: A supplied parameter is incorrect
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RE_XMT
IKEv2-PROTO-4: (65): Retransmitting packet
(65):
IKEv2-PROTO-4: (65): Sending Packet [To 203.0.113.10:500/From 203.0.113.20:500/VRF i0:f0]
(65): Initiator SPI : DE8AAE2CC0D635E2 - Responder SPI : 4F824C671999D462 Message id: 1
(65): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-5: (65): Next payload: ENCR, version: 2.0 (65): Exchange type: IKE_AUTH, flags: INITIATOR (65): Message id: 1, length: 256(65):
Payload contents:
(65):  ENCR(65):   Next payload: VID, reserved: 0x0, length: 228
(65): Encrypted data: 224 bytes
(65):
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RE_XMT
IKEv2-PROTO-4: (65): Retransmitting packet
(65):
IKEv2-PROTO-4: (65): Sending Packet [To 203.0.113.10:500/From 203.0.113.20:500/VRF i0:f0]
(65): Initiator SPI : DE8AAE2CC0D635E2 - Responder SPI : 4F824C671999D462 Message id: 1
(65): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-5: (65): Next payload: ENCR, version: 2.0 (65): Exchange type: IKE_AUTH, flags: INITIATOR (65): Message id: 1, length: 256(65):
Payload contents:
(65):  ENCR(65):   Next payload: VID, reserved: 0x0, length: 228
(65): Encrypted data: 224 bytes
(65):
IKEv2-PROTO-7: (65): SM Trace-> SA: I_SPI=DE8AAE2CC0D635E2 R_SPI=4F824C671999D462 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
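
Added example (not part of the original post): in the two failed debugs above, the Phase 1 mismatch returns NO_PROPOSAL_CHOSEN in the IKE_SA_INIT response, while the Phase 2 mismatch returns it in the IKE_AUTH response. This Python sketch classifies an ASA debug by that rule and lists the transforms the ASA offered for the failing phase; the sample lines are constructed in the format of this page's debugs, and all function and pattern names are this example's own.

```python
import re

# Constructed sample: lines abridged in the format of the ASA
# "debug crypto ikev2 protocol" output on this page (sessions 43 and 65).
SAMPLE = """\
IKEv2-PROTO-4: (43): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
(43):    AES-CBC(43):    SHA256(43):    SHA256(43):    DH_GROUP_2048_MODP/Group 14IKEv2-PROTO-7: Construct Vendor Specific Payload: DELETE-REASON(43):
(43): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (43): Next payload: SA, version: 2.0
(43): IKEv2 IKE_SA_INIT Exchange RESPONSEIKEv2-PROTO-5: (43): Next payload: NOTIFY, version: 2.0
IKEv2-PROTO-2: (43): Received no proposal chosen notify
IKEv2-PROTO-4: (65): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
(65):    AES-CBC(65):    SHA256(65):    SHA256(65):    DH_GROUP_2048_MODP/Group 14IKEv2-PROTO-7: Construct Vendor Specific Payload: DELETE-REASON(65):
(65): IKEv2 IKE_SA_INIT Exchange RESPONSEIKEv2-PROTO-5: (65): Next payload: SA, version: 2.0
IKEv2-PROTO-4: (65): Completed SA init exchange
IKEv2-PROTO-4: (65): ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
(65):    AES-CBC(65):    SHA256(65):    Don't use ESNIKEv2-PROTO-7: Construct Notify Payload: INITIAL_CONTACT
(65): IKEv2 IKE_AUTH Exchange RESPONSEIKEv2-PROTO-5: (65): Next payload: ENCR, version: 2.0
IKEv2-PROTO-2: (65): Received no proposal chosen notify
"""

PROPOSAL = re.compile(r"\((\d+)\): (IKE|ESP) Proposal: \d+")
EXCHANGE = re.compile(r"\((\d+)\): IKEv2 (\w+) Exchange (REQUEST|RESPONSE)")
NO_PROP = re.compile(r"\((\d+)\): Received no proposal chosen notify")
TRANSFORM = re.compile(r"\(\d+\):\s+([^()]+)")

# Exchange whose response carried the notify -> (phase label, proposal kind).
PHASE = {
    "IKE_SA_INIT": ("Phase 1 (IKE SA)", "IKE"),
    "IKE_AUTH": ("Phase 2 (child SA)", "ESP"),
}


def diagnose(debug_text):
    """Return one finding per 'no proposal chosen' notify in the debug."""
    offered = {}        # (session id, "IKE" | "ESP") -> transforms the ASA sent
    last_response = {}  # session id -> exchange of the latest response seen
    findings = []
    pending = None      # proposal header seen, transform line not yet read
    for line in debug_text.splitlines():
        m = PROPOSAL.search(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        if pending:
            if line.startswith("Num. transforms"):
                continue
            # The ASA glues later messages onto the transform line; cut them.
            head = line.split("IKEv2-PROTO")[0]
            offered[pending] = [t.strip() for t in TRANSFORM.findall(head)]
            pending = None
            continue
        m = EXCHANGE.search(line)
        if m and m.group(3) == "RESPONSE":
            last_response[m.group(1)] = m.group(2)
            continue
        m = NO_PROP.search(line)
        if m:
            sid = m.group(1)
            exchange = last_response.get(sid, "unknown")
            phase, kind = PHASE.get(exchange, ("unknown", None))
            findings.append({
                "session": sid,
                "exchange": exchange,
                "phase": phase,
                "offered": offered.get((sid, kind), []),
            })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE):
        print(f"session {f['session']}: {f['phase']} mismatch "
              f"({f['exchange']}), ASA offered {f['offered']}")
```

The listed transforms are exactly what the debug prints, so, as noted earlier on this page, AES and AES256 look the same here and the key length still has to be compared in both peers' configuration.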



Palo:

tail follow yes mp-log ikemgr.log



