{"id":1962,"date":"2015-01-22T14:35:59","date_gmt":"2015-01-22T14:35:59","guid":{"rendered":"http:\/\/mccltd.net\/blog\/?p=1962"},"modified":"2015-03-06T18:27:00","modified_gmt":"2015-03-06T18:27:00","slug":"troubleshooting-isakmp-phase-1-messages","status":"publish","type":"post","link":"http:\/\/darenmatthews.com\/blog\/?p=1962","title":{"rendered":"Troubleshooting ISAKMP Phase 1 Messages &#8211; Part 1"},"content":{"rendered":"<p>This is a must-keep aide-memoir for troubleshooting VPN connections.<\/p>\n<p><strong>IKE (PHASE 1) Messages:<!--more--><\/strong><\/p>\n<ul>\n<li>MM_WAIT_MSG2 Initiator Initial DH public key sent to responder. Awaiting initial contact reply from other side. Initiator sends encr\/hash\/dh IKE policy details to create initial contact. Initiator will wait at MM_WAIT_MSG2 until it hears back from its peer. If stuck here it usually means the other end is not responding. This could be because there is no route to the far end, the far end does not have ISAKMP enabled on the outside interface, or the far end is down.<\/li>\n<\/ul>\n<ul>\n<li>MM_WAIT_MSG3 Receiver Receiver is sending back its IKE policy to the initiator. Receiver sends its encr\/hash\/dh IKE policy details back to the initiator. Receiver will wait at MM_WAIT_MSG3 until it hears back from its peer.\u00a0Hang-ups here may also be due to mismatched device vendors, a router with a firewall in the way, or even ASA version mismatches.<\/li>\n<\/ul>\n<ul>\n<li>MM_WAIT_MSG4 Initiator Initiator is sending the Pre-Shared-Key hash to its peer. Initiator sends a hash of its PSK. Initiator will stay at MSG4 until it gets a PSK hash back from its peer. If the receiver is missing a tunnel group or PSK for this peer, the initiator will stay at MM_WAIT_MSG4.<\/li>\n<\/ul>\n<ul>\n<li>MM_WAIT_MSG5 Receiver Receiver is sending its PSK hash to its peer. Receiver does not yet check if PSK hashes match. If receiver has a tunnel-group and PSK configured for this peer it will send the PSK hash to the peer. 
If PSKs don&#8217;t match, receiver will stay at MM_WAIT_MSG5. I have also seen the tunnel stop here when NAT-T was on when it needed to be turned off.<\/li>\n<\/ul>\n<ul>\n<li>MM_WAIT_MSG6 Initiator Initiator checks if PSK hashes match. If the PSK hashes match, Initiator becomes MM_ACTIVE and lets receiver know of match. If PSK doesn&#8217;t match, initiator stays at MM_WAIT_MSG6. I have also seen the tunnel stop here when NAT-T was on when it needed to be turned off. However, if the state reaches MSG6 and then the ISAKMP SA gets reset, that means phase 1 finished but phase 2 failed. Check that IPSEC settings match in phase 2 to get the tunnel to stay at MM_ACTIVE.<\/li>\n<\/ul>\n<ul>\n<li>AM_ACTIVE \/ MM_ACTIVE The ISAKMP negotiations are complete. Phase 1 has successfully completed.<\/li>\n<\/ul>\n<p><a href=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2014\/01\/IKE_Phase1_MSGs.png\"><img loading=\"lazy\" class=\"aligncenter size-full wp-image-1963\" src=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2014\/01\/IKE_Phase1_MSGs.png\" alt=\"IKE_Phase1_MSGs\" width=\"800\" height=\"600\" srcset=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2014\/01\/IKE_Phase1_MSGs.png 800w, http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2014\/01\/IKE_Phase1_MSGs-300x225.png 300w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>TROUBLESHOOTING:<\/strong><\/span><\/p>\n<p>First enable debug of phase 1 and phase 2:<\/p>\n<ul>\n<li>debug crypto isakmp 128<\/li>\n<li>debug crypto ipsec 128<\/li>\n<\/ul>\n<p>Use the &#8220;packet-tracer&#8221; command to generate interesting traffic (see <a href=\"http:\/\/darenmatthews.com\/blog\/?p=1944\">http:\/\/darenmatthews.com\/blog\/?p=1944<\/a> for an explanation of what this means).\u00a0 Example:<\/p>\n<p>packet-tracer input inside tcp 172.23.100.50 1234 123.123.123.123 80<\/p>\n<ul>\n<li>If you observe in the debug output that phase 1 reaches MM_WAIT_MSG6 and stays there, the problem is likely to be a mismatch of the pre-shared key.<\/li>\n<li>If you observe in the debug output that phase 1 reaches MM_WAIT_MSG6 and then transitions back to &#8220;no sa&#8221;, that indicates that phase 1 DID complete but phase 2 is wrong.<\/li>\n<\/ul>\n<p>Compare the crypto settings on each ASA.\u00a0 NOTE: use the &#8220;show run all&#8221; syntax, as it reveals some rather important phase 2 settings that the plain &#8220;show run&#8221; hides.\u00a0 Compare the output of the two:<\/p>\n<p>CiscoASA# sh run crypt | inc IPSEC-VPN<br \/>\ncrypto ipsec transform-set IPSEC esp-3des esp-sha-hmac<br \/>\ncrypto dynamic-map MY-IPSEC-TRANSFER-SET 65535 set transform-set ESP-AES-128-SHA ESP-3DES-SHA<br \/>\ncrypto map MY-CRYPTO-MAP 1 match address IPSEC-VPN-INTERESTING-TRAFFIC<br \/>\ncrypto map MY-CRYPTO-MAP 1 set pfs<br \/>\ncrypto map MY-CRYPTO-MAP 1 set peer 213.121.63.108<br \/>\ncrypto map MY-CRYPTO-MAP 1 set transform-set ESP-AES-128-SHA ESP-3DES-SHA<br \/>\ncrypto map MY-CRYPTO-MAP interface outside<br \/>\nCiscoASA#<br \/>\nCiscoASA#<br \/>\nCiscoASA# sh run all crypt | inc IPSEC-VPN<br \/>\ncrypto ipsec transform-set IPSEC esp-3des esp-sha-hmac<br \/>\ncrypto dynamic-map MY-IPSEC-TRANSFER-SET 65535 set transform-set ESP-AES-128-SHA ESP-3DES-SHA<br \/>\ncrypto map MY-CRYPTO-MAP 1 match address IPSEC-VPN-INTERESTING-TRAFFIC<br \/>\n<strong>crypto map MY-CRYPTO-MAP 1 set pfs group2<\/strong><br \/>\ncrypto map MY-CRYPTO-MAP 1 set connection-type bi-directional<br \/>\ncrypto map MY-CRYPTO-MAP 1 set peer 213.121.63.108<br \/>\ncrypto map MY-CRYPTO-MAP 1 set transform-set ESP-AES-128-SHA ESP-3DES-SHA<br \/>\ncrypto map MY-CRYPTO-MAP 1 set inheritance rule<br \/>\ncrypto map MY-CRYPTO-MAP 1 set phase1-mode main<br \/>\ncrypto map MY-CRYPTO-MAP interface outside<\/p>\n<p>The problem with Phase 1 completing but phase 2 not completing was in this case caused by the fact that DH Group 2 was NOT configured on the peer.<\/p>\n<p><span style=\"text-decoration: 
underline;\"><strong>SUCCESSFUL PHASE 1 DEBUG MESSAGES:<\/strong><\/span><\/p>\n<p><strong>MM_WAIT_MSG1 (connection initialised):<\/strong><\/p>\n<p>CiscoASA# Jan 22 10:09:26 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0<br \/>\nIPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=172.23.129.11, sport=7287, daddr=129.0.0.2, dport=7287<br \/>\nIPSEC(crypto_map_check)-3: Checking crypto map MY-CRYPTO-MAP 1: matched.<br \/>\nJan 22 10:09:26 [IKEv1]: IP = 123.123.123.123, IKE Initiator: New Phase 1, Intf Inside, IKE Peer 123.123.123.123\u00a0 local Proxy Address 172.23.128.0, remote Proxy Address 129.0.0.0,\u00a0 Crypto map (MY-CRYPTO-MAP)<br \/>\nJan 22 10:09:26 [IKEv1 DEBUG]: IP = 123.123.123.123, constructing ISAKMP SA payload<br \/>\nJan 22 10:09:26 [IKEv1 DEBUG]: IP = 123.123.123.123, constructing NAT-Traversal VID ver 02 payload<br \/>\nJan 22 10:09:26 [IKEv1 DEBUG]: IP = 123.123.123.123, constructing NAT-Traversal VID ver 03 payload<br \/>\nJan 22 10:09:26 [IKEv1 DEBUG]: IP = 123.123.123.123, constructing NAT-Traversal VID ver RFC payload<br \/>\nJan 22 10:09:26 [IKEv1 DEBUG]: IP = 123.123.123.123, constructing Fragmentation VID + extended capabilities payload<\/p>\n<p><strong>MM_WAIT_MSG2 (send hash\/encrypt\/dh info and agree upon them):<\/strong><\/p>\n<p>Jan 22 10:09:26 [IKEv1]: IP = 123.123.123.123, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 204<br \/>\nJan 22 10:09:26 [IKEv1]: IP = 123.123.123.123, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124<br \/>\nJan 22 10:09:26 [IKEv1 DEBUG]: IP = 123.123.123.123, processing SA payload<br \/>\nJan 22 10:09:26 [IKEv1 DEBUG]: IP = 123.123.123.123, Oakley proposal is acceptable<br \/>\nJan 22 10:09:26 [IKEv1 DEBUG]: IP = 123.123.123.123, processing VID payload<br \/>\nJan 22 10:09:26 [IKEv1 
DEBUG]: IP = 123.123.123.123, Received NAT-Traversal RFC VID<br \/>\nJan 22 10:09:26 [IKEv1 DEBUG]: IP = 123.123.123.123, processing VID payload<br \/>\nJan 22 10:09:26 [IKEv1 DEBUG]: IP = 123.123.123.123, Received Fragmentation VID<br \/>\nJan 22 10:09:26 [IKEv1 DEBUG]: IP = 123.123.123.123, IKE Peer included IKE fragmentation capability flags:\u00a0 Main Mode:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 True\u00a0 Aggressive Mode:\u00a0 True<br \/>\nJan 22 10:09:26 [IKEv1 DEBUG]: IP = 123.123.123.123, constructing ke payload<br \/>\nJan 22 10:09:26 [IKEv1 DEBUG]: IP = 123.123.123.123, constructing nonce payload<br \/>\nJan 22 10:09:26 [IKEv1 DEBUG]: IP = 123.123.123.123, constructing Cisco Unity VID payload<br \/>\nJan 22 10:09:26 [IKEv1 DEBUG]: IP = 123.123.123.123, constructing xauth V6 VID payload<\/p>\n<p><strong>MM_WAIT_MSG3 (find compatible vendors):<\/strong><\/p>\n<p>Jan 22 10:09:26 [IKEv1 DEBUG]: IP = 123.123.123.123, Send IOS VID<br \/>\nJan 22 10:09:26 [IKEv1 DEBUG]: IP = 123.123.123.123, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)<br \/>\nJan 22 10:09:26 [IKEv1 DEBUG]: IP = 123.123.123.123, constructing VID payload<br \/>\nJan 22 10:09:26 [IKEv1 DEBUG]: IP = 123.123.123.123, Send Altiga\/Cisco VPN3000\/Cisco ASA GW VID<br \/>\nJan 22 10:09:26 [IKEv1 DEBUG]: IP = 123.123.123.123, constructing NAT-Discovery payload<br \/>\nJan 22 10:09:26 [IKEv1 DEBUG]: IP = 123.123.123.123, computing NAT Discovery hash<br \/>\nJan 22 10:09:26 [IKEv1 DEBUG]: IP = 123.123.123.123, constructing NAT-Discovery payload<br \/>\nJan 22 10:09:26 [IKEv1 DEBUG]: IP = 123.123.123.123, computing NAT Discovery hash<br \/>\nJan 22 10:09:26 [IKEv1]: IP = 123.123.123.123, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304<br \/>\nJan 22 10:09:27 [IKEv1]: IP = 123.123.123.123, IKE_DECODE RECEIVED Message 
(msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: IP = 123.123.123.123, processing ke payload<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: IP = 123.123.123.123, processing ISA_KE payload<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: IP = 123.123.123.123, processing nonce payload<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: IP = 123.123.123.123, processing VID payload<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: IP = 123.123.123.123, Received Cisco Unity client VID<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: IP = 123.123.123.123, processing VID payload<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: IP = 123.123.123.123, Received xauth V6 VID<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: IP = 123.123.123.123, processing VID payload<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: IP = 123.123.123.123, Processing VPN3000\/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: IP = 123.123.123.123, processing VID payload<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: IP = 123.123.123.123, Received Altiga\/Cisco VPN3000\/Cisco ASA GW VID<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: IP = 123.123.123.123, processing NAT-Discovery payload<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: IP = 123.123.123.123, computing NAT Discovery hash<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: IP = 123.123.123.123, processing NAT-Discovery payload<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: IP = 123.123.123.123, computing NAT Discovery hash<\/p>\n<p><strong>MM_WAIT_MSG4 (Exchange PSK&#8217;s):<\/strong><\/p>\n<p>Jan 22 10:09:27 [IKEv1]: IP = 123.123.123.123, Connection landed on tunnel_group 123.123.123.123<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, Generating keys for Initiator&#8230;<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, constructing ID payload<br \/>\nJan 22 10:09:27 
[IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, constructing hash payload<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, Computing hash for ISAKMP<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: IP = 123.123.123.123, Constructing IOS keep alive payload: proposal=32767\/32767 sec.<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, constructing dpd vid payload<\/p>\n<p>Jan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, processing ID payload<br \/>\nJan 22 10:09:27 [IKEv1 DECODE]: Group = 123.123.123.123, IP = 123.123.123.123, ID_IPV4_ADDR ID received<br \/>\n123.123.123.123<\/p>\n<p><strong>MM_WAIT_MSG5 (check to ensure that the hashes for both PSKs are correct):<\/strong><br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, processing hash payload<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, Computing hash for ISAKMP<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: IP = 123.123.123.123, Processing IOS keep alive payload: proposal=32767\/32767 sec.<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, processing VID payload<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, Received DPD VID<br \/>\nJan 22 10:09:27 [IKEv1]: IP = 123.123.123.123, Connection landed on tunnel_group 123.123.123.123<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, Oakley begin quick mode<\/p>\n<p><strong>MM_WAIT_MSG6<\/strong><br \/>\nJan 22 10:09:27 [IKEv1 DECODE]: Group = 123.123.123.123, IP = 123.123.123.123, IKE Initiator starting QM: msg id = c4aad28b<br \/>\nJan 22 10:09:27 [IKEv1]: Group = 123.123.123.123, IP = 123.123.123.123, <strong>PHASE 1 COMPLETED<\/strong><br \/>\nJan 22 10:09:27 [IKEv1]: IP = 123.123.123.123, Keep-alive type for this connection: DPD<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 
123.123.123.123, IP = 123.123.123.123, Starting P1 rekey timer: 24480 seconds.<\/p>\n<p><strong>SUCCESSFUL PHASE 2 DEBUG MESSAGES:<\/strong><\/p>\n<p>IPSEC: New embryonic SA created @ 0xAFF0BF10,<br \/>\nSCB: 0xB00DD118,<br \/>\nDirection: inbound<br \/>\nSPI\u00a0\u00a0\u00a0\u00a0\u00a0 : 0xF0724F55<br \/>\nSession ID: 0x0007D000<br \/>\nVPIF num\u00a0 : 0x00000004<br \/>\nTunnel type: l2l<br \/>\nProtocol\u00a0\u00a0 : esp<br \/>\nLifetime\u00a0\u00a0 : 240 seconds<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, IKE got SPI from key engine: SPI = 0xf0724f55<br \/>\nIPSEC: New embryonic SA created @ 0xAFACD218,<br \/>\nSCB: 0xACD38528,<br \/>\nDirection: inbound<br \/>\nSPI\u00a0\u00a0\u00a0\u00a0\u00a0 : 0xE301C31A<br \/>\nSession ID: 0x0007D000<br \/>\nVPIF num\u00a0 : 0x00000004<br \/>\nTunnel type: l2l<br \/>\nProtocol\u00a0\u00a0 : esp<br \/>\nLifetime\u00a0\u00a0 : 240 seconds<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, IKE got SPI from key engine: SPI = 0xe301c31a<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, oakley constucting quick mode<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, constructing blank hash payload<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, constructing IPSec SA payload<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, constructing IPSec nonce payload<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, constructing pfs ke payload<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, constructing proxy ID<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, Transmitting Proxy Id:<br \/>\nLocal subnet:\u00a0 172.23.128.0\u00a0 mask 255.255.252.0 Protocol 0\u00a0 Port 0<br \/>\nRemote subnet: 129.0.0.0\u00a0 
Mask 255.255.0.0 Protocol 0\u00a0 Port 0<br \/>\nJan 22 10:09:27 [IKEv1 DECODE]: Group = 123.123.123.123, IP = 123.123.123.123, IKE Initiator sending Initial Contact<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, constructing qm hash payload<br \/>\nJan 22 10:09:27 [IKEv1 DECODE]: Group = 123.123.123.123, IP = 123.123.123.123, IKE Initiator sending 1st QM pkt: msg id = c4aad28b<br \/>\nJan 22 10:09:27 [IKEv1]: IP = 123.123.123.123, IKE_DECODE SENDING Message (msgid=c4aad28b) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 388<br \/>\nJan 22 10:09:27 [IKEv1]: IP = 123.123.123.123, IKE_DECODE RECEIVED Message (msgid=c4aad28b) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 308<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, processing hash payload<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, processing SA payload<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, processing nonce payload<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, processing ke payload<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, processing ISA_KE for PFS in phase 2<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, processing ID payload<br \/>\nJan 22 10:09:27 [IKEv1 DECODE]: Group = 123.123.123.123, IP = 123.123.123.123, ID_IPV4_ADDR_SUBNET ID received&#8211;172.23.128.0&#8211;255.255.252.0<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, processing ID payload<br \/>\nJan 22 10:09:27 [IKEv1 DECODE]: Group = 123.123.123.123, IP = 123.123.123.123, ID_IPV4_ADDR_SUBNET ID received&#8211;129.0.0.0&#8211;255.255.0.0<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 
123.123.123.123, IP = 123.123.123.123, Pitcher: received key delete msg, spi 0xe301c31a<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, loading all IPSEC SAs<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, Generating Quick Mode Key!<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, NP encrypt rule look up for crypto map DST-TROWE-CRYPTO-MAP 1 matching ACL TROWE-VPN-INTERESTING-TRAFFIC: returned cs_id=ae29fab8; rule=afe1d3b0<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, Generating Quick Mode Key!<br \/>\nIPSEC: New embryonic SA created @ 0xAFACD218,<br \/>\nSCB: 0xACD38528,<br \/>\nDirection: outbound<br \/>\nSPI\u00a0\u00a0\u00a0\u00a0\u00a0 : 0x0CD10E9B<br \/>\nSession ID: 0x0007D000<br \/>\nVPIF num\u00a0 : 0x00000004<br \/>\nTunnel type: l2l<br \/>\nProtocol\u00a0\u00a0 : esp<br \/>\nLifetime\u00a0\u00a0 : 240 seconds<br \/>\nIPSEC: Completed host OBSA update, SPI 0x0CD10E9B<br \/>\nIPSEC: Creating outbound VPN context, SPI 0x0CD10E9B<br \/>\nFlags: 0x00000005<br \/>\nSA\u00a0\u00a0 : 0xAFACD218<br \/>\nSPI\u00a0 : 0x0CD10E9B<br \/>\nMTU\u00a0 : 1500 bytes<br \/>\nVCID : 0x00000000<br \/>\nPeer : 0x00000000<br \/>\nSCB\u00a0 : 0x0FE92425<br \/>\nChannel: 0xA7A9C280<br \/>\nIPSEC: Completed outbound VPN context, SPI 0x0CD10E9B<br \/>\nVPN handle: 0x0001BFAC<br \/>\nIPSEC: New outbound encrypt rule, SPI 0x0CD10E9B<br \/>\nSrc addr: 172.23.128.0<br \/>\nSrc mask: 255.255.252.0<br \/>\nDst addr: 129.0.0.0<br \/>\nDst mask: 255.255.0.0<br \/>\nSrc ports<br \/>\nUpper: 0<br \/>\nLower: 0<br \/>\nOp\u00a0\u00a0 : ignore<br \/>\nDst ports<br \/>\nUpper: 0<br \/>\nLower: 0<br \/>\nOp\u00a0\u00a0 : ignore<br \/>\nProtocol: 0<br \/>\nUse protocol: false<br \/>\nSPI: 0x00000000<br \/>\nUse SPI: false<br \/>\nIPSEC: Completed outbound encrypt rule, SPI 0x0CD10E9B<br \/>\nRule ID: 0xACD25390<br \/>\nIPSEC: New outbound permit 
rule, SPI 0x0CD10E9B<br \/>\nSrc addr: 192.160.242.66<br \/>\nSrc mask: 255.255.255.255<br \/>\nDst addr: 123.123.123.123<br \/>\nDst mask: 255.255.255.255<br \/>\nSrc ports<br \/>\nUpper: 0<br \/>\nLower: 0<br \/>\nOp\u00a0\u00a0 : ignore<br \/>\nDst ports<br \/>\nUpper: 0<br \/>\nLower: 0<br \/>\nOp\u00a0\u00a0 : ignore<br \/>\nProtocol: 50<br \/>\nUse protocol: true<br \/>\nSPI: 0x0CD10E9B<br \/>\nUse SPI: true<br \/>\nIPSEC: Completed outbound permit rule, SPI 0x0CD10E9B<br \/>\nRule ID: 0xACD20520<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, NP encrypt rule look up for crypto map DST-TROWE-CRYPTO-MAP 1 matching ACL TROWE-VPN-INTERESTING-TRAFFIC: returned cs_id=ae29fab8; rule=afe1d3b0<br \/>\nJan 22 10:09:27 [IKEv1]: Group = 123.123.123.123, IP = 123.123.123.123, Security negotiation complete for LAN-to-LAN Group (123.123.123.123)\u00a0 Initiator, Inbound SPI = 0xf0724f55, Outbound SPI = 0x0cd10e9b<br \/>\nJan 22 10:09:27 [IKEv1 DEBUG]: Group = 123.123.123.123, IP = 123.123.123.123, oakley constructing final quick mode<br \/>\nIPSEC: Completed host IBSA update, SPI 0xF0724F55<br \/>\nIPSEC: Creating inbound VPN context, SPI 0xF0724F55<br \/>\nFlags: 0x00000006<br \/>\nSA\u00a0\u00a0 : 0xAFF0BF10<br \/>\nSPI\u00a0 : 0xF0724F55<br \/>\nMTU\u00a0 : 0 bytes<br \/>\nVCID : 0x00000000<br \/>\nPeer : 0x0001BFAC<br \/>\nSCB\u00a0 : 0x0FE7DCEF<br \/>\nChannel: 0xA7A9C280<br \/>\nIPSEC: Completed inbound VPN context, SPI 0xF0724F55<br \/>\nVPN handle: 0x0001C524<br \/>\nIPSEC: Updating outbound VPN context 0x0001BFAC, SPI 0x0CD10E9B<br \/>\nFlags: 0x00000005<br \/>\nSA\u00a0\u00a0 : 0xAFACD218<br \/>\nSPI\u00a0 : 0x0CD10E9B<br \/>\nMTU\u00a0 : 1500 bytes<br \/>\nVCID : 0x00000000<br \/>\nPeer : 0x0001C524<br \/>\nSCB\u00a0 : 0x0FE92425<br \/>\nChannel: 0xA7A9C280<br \/>\nIPSEC: Completed outbound VPN context, SPI 0x0CD10E9B<br \/>\nVPN handle: 0x0001BFAC<br \/>\nIPSEC: Completed outbound inner rule, SPI 0x0CD10E9B<br \/>\nRule ID: 
0xACD25390<br \/>\nIPSEC: Completed outbound outer SPD rule, SPI 0x0CD10E9B<br \/>\nRule ID: 0xACD20520<br \/>\nIPSEC: New inbound tunnel flow rule, SPI 0xF0724F55<br \/>\nSrc addr: 129.0.0.0<br \/>\nSrc mask: 255.255.0.0<br \/>\nDst addr: 172.23.128.0<br \/>\nDst mask: 255.255.252.0<br \/>\nSrc ports<br \/>\nUpper: 0<br \/>\nLower: 0<br \/>\nOp\u00a0\u00a0 : ignore<br \/>\nDst ports<br \/>\nUpper: 0<br \/>\nLower: 0<br \/>\nOp\u00a0\u00a0 : ignore<br \/>\nProtocol: 0<br \/>\nUse protocol: false<br \/>\nSPI: 0x00000000<br \/>\nUse SPI: false<br \/>\nIPSEC: Completed inbound tunnel flow rule, SPI 0xF0724F55<br \/>\nRule ID: 0xAFDB3670<br \/>\nIPSEC: New inbound decrypt rule, SPI 0xF0724F55<br \/>\nSrc addr: 123.123.123.123<br \/>\nSrc mask: 255.255.255.255<br \/>\nDst addr: 192.160.242.66<br \/>\nDst mask: 255.255.255.255<br \/>\nSrc ports<br \/>\nUpper: 0<br \/>\nLower: 0<br \/>\nOp\u00a0\u00a0 : ignore<br \/>\nDst ports<br \/>\nUpper: 0<br \/>\nLower: 0<br \/>\nOp\u00a0\u00a0 : ignore<br \/>\nProtocol: 50<br \/>\nUse protocol: true<br \/>\nSPI: 0xF0724F55<br \/>\nUse SPI: true<br \/>\nIPSEC: Completed inbound decrypt rule, SPI 0xF0724F55<br \/>\nRule ID: 0xACCF7240<br \/>\nIPSEC: New inbound permit rule, SPI 0xF0724F55<br \/>\nSrc addr: 123.123.123.123<br \/>\nSrc mask: 255.255.255.255<br \/>\nDst addr: 192.160.242.66<br \/>\nDst mask: 255.255.255.255<br \/>\nSrc ports<br \/>\nUpper: 0<br \/>\nLower: 0<br \/>\nOp\u00a0\u00a0 : ignore<br \/>\nDst ports<br \/>\nUpper: 0<br \/>\nLower: 0<br \/>\nOp\u00a0\u00a0 : ignore<br \/>\nProtocol: 50<br \/>\nUse protocol: true<br \/>\nSPI: 0xF0724F55<br \/>\nUse SPI: true<br \/>\nIPSEC: Completed inbound permit rule, SPI 0xF0724F55<br \/>\nRule ID: 0xAFD157E8<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>messages and diagram reproduced from\u00a0 tunnelsup.com<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is a must-keep aide-memoir for troubleshooting VPN connections. 
IKE (PHASE 1) Messages:<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[83,13],"tags":[36,69,70],"_links":{"self":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1962"}],"collection":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1962"}],"version-history":[{"count":7,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1962\/revisions"}],"predecessor-version":[{"id":2165,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1962\/revisions\/2165"}],"wp:attachment":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1962"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1962"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1962"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}