ScreenOS Site to Site VPN debug
FW1 debug ike detail
SSG320-.140-> get db str
## 2013-07-27 18:53:00 : IKE<1.1.1.2> ike packet, len 184, action 1
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Catcher: received 156 bytes from socket.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> ****** Recv packet if <ethernet0/1> of vsys <Root> ****** ==> 1st Packet Received
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Catcher: get 156 bytes. src port 500
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > ISAKMP msg: len 156, nxp 1[SA], exch 2[MM], flag 00
## 2013-07-27 18:53:00 : IKE<1.1.1.2 > Recv : [SA] [VID] [VID] [VID]
## 2013-07-27 18:53:00 : IKE<1.1.1.2> found peer vpn1
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Found peer entry (vpn1) from 1.1.1.2.
## 2013-07-27 18:53:00 : responder create sa: 1.1.1.2->1.1.1.1
## 2013-07-27 18:53:00 : init p1sa, pidt = 0x0
## 2013-07-27 18:53:00 : change peer identity for p1 sa, pidt = 0x0
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > peer_identity_create_with_uid: uid<0>
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > create peer identity 0xbd45154
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > peer_identity_add_to_peer: num entry before add <1>
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > peer_identity_add_to_peer: num entry after add <2>
## 2013-07-27 18:53:00 : peer identity bd45154 created.
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > EDIPI disabled
## 2013-07-27 18:53:00 : IKE<1.1.1.2> getProfileFromP1Proposal->
## 2013-07-27 18:53:00 : IKE<1.1.1.2> find profile[0]=<00000001 00000001 00000001 00000001> for p1 proposal (id 0), xauth(0)
## 2013-07-27 18:53:00 : IKE<1.1.1.2> responder create sa: 1.1.1.2->1.1.1.1
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Phase 1: Responder starts MAIN mode negotiations.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> MM in state OAK_MM_NO_STATE.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Process [VID]:
## 2013-07-27 18:53:00 : IKE<1.1.1.2 > Vendor ID:
## 2013-07-27 18:53:00 : 1c 9c c5 6f ce 38 2e 3a 04 0b 69 2c da 85 42 7d
## 2013-07-27 18:53:00 : 73 06 db 4b 11 00 00 00 1e 06 00 00
## 2013-07-27 18:53:00 : IKE<1.1.1.2> peer is an NetScreen box, model=SSG-520, ver=6.30
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Process [VID]:
## 2013-07-27 18:53:00 : IKE<1.1.1.2 > Vendor ID:
## 2013-07-27 18:53:00 : af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Process [VID]:
## 2013-07-27 18:53:00 : IKE<1.1.1.2 > Vendor ID:
## 2013-07-27 18:53:00 : 48 65 61 72 74 42 65 61 74 5f 4e 6f 74 69 66 79
## 2013-07-27 18:53:00 : 38 6b 01 00
## 2013-07-27 18:53:00 : IKE<1.1.1.2> rcv HeartBeat vid, ver 1.0
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Process [SA]:
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Proposal received: xauthflag 0
## 2013-07-27 18:53:00 : IKE<1.1.1.2> auth(1)<PRESHRD>, encr(1)<DES>, hash(1)<MD5>, group(1)
## 2013-07-27 18:53:00 : IKE<1.1.1.2> xauth attribute: disabled
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Phase 1 proposal [0] selected.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> SA Life Type = seconds
## 2013-07-27 18:53:00 : IKE<1.1.1.2> SA lifetime (TV) = 28800
## 2013-07-27 18:53:00 : IKE<1.1.1.2> DH_BG_consume OK. p1 resp
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Phase 1 MM Responder constructing 2nd message. ==> 2nd Packet Prepared
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Construct ISAKMP header.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Msg header built (next payload #1)
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Construct [SA] for ISAKMP
## 2013-07-27 18:53:00 : IKE<1.1.1.2> auth(1)<PRESHRD>, encr(1)<DES>, hash(1)<MD5>, group(1)
## 2013-07-27 18:53:00 : IKE<1.1.1.2> xauth attribute: disabled
## 2013-07-27 18:53:00 : IKE<1.1.1.2> lifetime/lifesize (28800/0)
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > set_phase1_transform, dh_group(1).
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Construct NetScreen [VID]
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Construct custom [VID]
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Construct custom [VID]
## 2013-07-27 18:53:00 : IKE<1.1.1.2 > Xmit : [SA] [VID] [VID] [VID]
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Responder sending IPv4 IP 1.1.1.2/port 500
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Send Phase 1 packet (len=156)
## 2013-07-27 18:53:00 : IKE<1.1.1.2> IKE msg done: PKI state<0> IKE state<1/804203>
## 2013-07-27 18:53:00 : IKE<1.1.1.2> ike packet, len 192, action 0
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Catcher: received 164 bytes from socket.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> ****** Recv packet if <ethernet0/1> of vsys <Root> ****** ==> 3rd Packet Received
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Catcher: get 164 bytes. src port 500
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > ISAKMP msg: len 164, nxp 4[KE], exch 2[MM], flag 00
## 2013-07-27 18:53:00 : IKE<1.1.1.2 > Recv : [KE] [NONCE]
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > extract payload (136):
## 2013-07-27 18:53:00 : IKE<1.1.1.2> MM in state OAK_MM_SA_SETUP.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Process [KE]:
## 2013-07-27 18:53:00 : IKE<1.1.1.2> processing ISA_KE in phase 1.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Phase1: his_DH_pub_len is 96
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Process [NONCE]:
## 2013-07-27 18:53:00 : IKE<1.1.1.2> processing NONCE in phase 1.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> IKE msg done: PKI state<0> IKE state<1/280620b>
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > finished job pkaidx <0> dh_len<96> dmax<64>
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > finished job d<f86963c6><808dc6e5><defdd73f><2e746ef6>
## 2013-07-27 18:53:00 : IKE<1.1.1.2> MM in state OAK_MM_SA_SETUP.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> re-enter MM after offline DH done
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Phase 1 MM Responder constructing 4th message. ==> 4th Packet Prepared
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Construct ISAKMP header.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Msg header built (next payload #4)
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Construct [KE] for ISAKMP
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Construct [NONCE]
## 2013-07-27 18:53:00 : IKE<1.1.1.2> throw packet to the peer, paket_len=164
## 2013-07-27 18:53:00 : IKE<1.1.1.2 > Xmit : [KE] [NONCE]
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Responder sending IPv4 IP 1.1.1.2/port 500
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Send Phase 1 packet (len=164)
## 2013-07-27 18:53:00 : IKE<1.1.1.2> ike packet, len 96, action 0
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Catcher: received 68 bytes from socket.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> ****** Recv packet if <ethernet0/1> of vsys <Root> ****** ==> 5th Packet Received
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Catcher: get 68 bytes. src port 500
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > ISAKMP msg: len 68, nxp 5[ID], exch 2[MM], flag 01 E
## 2013-07-27 18:53:00 : IKE<1.1.1.2> gen_skeyid()
## 2013-07-27 18:53:00 : IKE<1.1.1.2> gen_skeyid: returning 0
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Decrypting payload (length 40)
## 2013-07-27 18:53:00 : IKE<1.1.1.2 > Recv*: [ID] [HASH]
## 2013-07-27 18:53:00 : valid id checking, id type:IP Address, len:12.
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > extract payload (40):
## 2013-07-27 18:53:00 : valid id checking, id type:IP Address, len:12.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> MM in state OAK_MM_KEY_EXCH.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Process [ID]:
## 2013-07-27 18:53:00 : IKE<1.1.1.2> ID received: type=ID_IPV4_ADDR, ip = 1.1.1.2, port=500, protocol=17
## 2013-07-27 18:53:00 : IKE<1.1.1.2> peer gateway entry has no peer id configured
## 2013-07-27 18:53:00 : IKE<1.1.1.2> ID processed. return 0. sa->p1_state = 2.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Process [HASH]:
## 2013-07-27 18:53:00 : IKE<1.1.1.2> ID, len=8, type=1, pro=17, port=500,
## 2013-07-27 18:53:00 : IKE<1.1.1.2> addr=1.1.1.2
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Phase 1 MM Responder constructing 6th message. ==> 6th Packet Prepared
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Construct ISAKMP header.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Msg header built (next payload #5)
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Construct [ID] for ISAKMP
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Construct [HASH]
## 2013-07-27 18:53:00 : IKE<1.1.1.2> ID, len=8, type=1, pro=17, port=500,
## 2013-07-27 18:53:00 : IKE<1.1.1.2> addr=1.1.1.1
## 2013-07-27 18:53:00 : IKE<1.1.1.2 > Xmit*: [ID] [HASH]
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Encrypt P1 payload (len 60)
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Responder sending IPv4 IP 1.1.1.2/port 500
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Send Phase 1 packet (len=68)
## 2013-07-27 18:53:00 : IKE<1.1.1.2> completing Phase 1
## 2013-07-27 18:53:00 : IKE<1.1.1.2> sa_pidt = bd45154
## 2013-07-27 18:53:00 : IKE<1.1.1.2> found existing peer identity bd44ea0
## 2013-07-27 18:53:00 : IKE<1.1.1.2> peer_identity_unregister_p1_sa.
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > delete peer identity 0xbd45154
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > peer_identity_remove_from_peer: num entry before remove <2>
## 2013-07-27 18:53:00 : IKE<1.1.1.2> peer_idt.c peer_identity_unregister_p1_sa 685: pidt deleted.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Phase 1: Completed Main mode negotiation with a <28800>-second lifetime.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> IKE msg done: PKI state<0> IKE state<3/80522f>
## 2013-07-27 18:53:00 : IKE<1.1.1.2> ike packet, len 200, action 0
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Catcher: received 172 bytes from socket.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> ****** Recv packet if <ethernet0/1> of vsys <Root> ****** ==> Ph2 1st Packet Received
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Catcher: get 172 bytes. src port 500
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > ISAKMP msg: len 172, nxp 8[HASH], exch 32[QM], flag 01 E
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Create conn entry...
## 2013-07-27 18:53:00 : IKE<1.1.1.2> ...done(new 708c83e5)
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Phase 2 msg-id <e5838c70>: Responded to the first peer message.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Decrypting payload (length 144)
## 2013-07-27 18:53:00 : IKE<1.1.1.2 > Recv*: [HASH] [SA] [NONCE] [ID] [ID]
## 2013-07-27 18:53:00 : valid id checking, id type:IP Subnet, len:16.
## 2013-07-27 18:53:00 : valid id checking, id type:IP Subnet, len:16.
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > extract payload (144):
## 2013-07-27 18:53:00 : valid id checking, id type:IP Subnet, len:16.
## 2013-07-27 18:53:00 : valid id checking, id type:IP Subnet, len:16.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> QM in state OAK_QM_SA_ACCEPT.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Start by finding matching member SA (verify -1/-1)
## 2013-07-27 18:53:00 : IKE<1.1.1.2> IKE: Matching policy: gw ip <1.1.1.2> peer entry id<0>
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > protocol matched expected<0>.
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > port matched expect l:<0>, r<0>.
## 2013-07-27 18:53:00 : ipvx = IPV4
## 2013-07-27 18:53:00 : rcv_local_addr = 3.3.3.0, rcv_local_mask = 255.255.255.0, p_rcv_local_real = 3.3.3.0
## 2013-07-27 18:53:00 : rcv_remote_addr = 4.4.4.0, rcv_remote_mask = 255.255.255.0, p_rcv_remote_real = 4.4.4.0
## 2013-07-27 18:53:00 : ike_p2_id->local_ip = 3.3.3.0, cfg_local_mask = 255.255.255.0, p_cfg_local_real = 3.3.3.0
## 2013-07-27 18:53:00 : ike_p2_id->remote_ip = 4.4.4.0, cfg_remote_mask = 255.255.255.0, p_cfg_remote_real = 4.4.4.0
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Proxy ID match: Located matching Phase 2 SA <4>.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Process [SA]:
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > Check P2 Proposal
## 2013-07-27 18:53:00 : IKE<1.1.1.2> SA life type = seconds
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > SA life duration (TLV) = 0x 00 00 0e 10
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > encap mode from peer = 1.
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > encap mode after converting it to private value = 1.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Phase 2 received:
## 2013-07-27 18:53:00 : IKE<1.1.1.2> atts<00000003 00000000 00000002 00000001 00000001 00000000>
## 2013-07-27 18:53:00 : IKE<1.1.1.2> proto(3)<ESP>, esp(2)<ESP_DES>, auth(1)<MD5>, encap(1)<TUNNEL>, group(0)
## 2013-07-27 18:53:00 : IKE<1.1.1.2> P2 proposal [0] selected.
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > add sa list for msg id <e5838c70>
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Process [NONCE]:
## 2013-07-27 18:53:00 : IKE<1.1.1.2> processing NONCE in phase 2.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Process [ID]:
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Process [ID]:
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Phase 2 Responder constructing 2nd message. ==> Ph2 2nd Packet Prepared
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Construct ISAKMP header.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Msg header built (next payload #8)
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Construct [HASH]
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Construct [SA] for IPSEC
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > Set IPSEC SA attrs tunnel(1) MD5 grp0 lifetime(3600/0)
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > Before NAT-T attr unmap: P2 prop tunnel = 1.
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > After NAT-T attr unmap: P2 prop tunnel = 1.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Initiator P2 ID built: .^..
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Responder P2 ID built: .^..
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Construct [NONCE] for IPSec
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Construct [ID] for Phase 2
## 2013-07-27 18:53:00 : id payload constructed. type(4),ip(4.4.4.0),mask(255.255.255.0), prot(0), port(0)
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Construct [ID] for Phase 2
## 2013-07-27 18:53:00 : id payload constructed. type(4),ip(3.3.3.0),mask(255.255.255.0), prot(0), port(0)
## 2013-07-27 18:53:00 : IKE<1.1.1.2> construct QM HASH
## 2013-07-27 18:53:00 : IKE<1.1.1.2 > Xmit*: [HASH] [SA] [NONCE] [ID] [ID]
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Encrypt P2 payload (len 168)
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Responder sending IPv4 IP 1.1.1.2/port 500
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Send Phase 2 packet (len=172)
## 2013-07-27 18:53:00 : IKE<1.1.1.2> oakley_process_quick_mode():exit
## 2013-07-27 18:53:00 : IKE<1.1.1.2> IKE msg done: PKI state<0> IKE state<3/80522f>
## 2013-07-27 18:53:00 : IKE<1.1.1.2> ike packet, len 80, action 0
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Catcher: received 52 bytes from socket.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> ****** Recv packet if <ethernet0/1> of vsys <Root> ****** ==> Ph2 3rd Packet Received
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Catcher: get 52 bytes. src port 500
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > ISAKMP msg: len 52, nxp 8[HASH], exch 32[QM], flag 01 E
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Decrypting payload (length 24)
## 2013-07-27 18:53:00 : IKE<1.1.1.2 > Recv*: [HASH]
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > extract payload (24):
## 2013-07-27 18:53:00 : IKE<1.1.1.2> QM in state OAK_QM_AUTH_AWAIT.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> xauth_cleanup()
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Done cleaning up IKE Phase 1 SA
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Start by finding matching member SA (verify 0/0)
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Verify sa: index 0
## 2013-07-27 18:53:00 : IKE<1.1.1.2> IKE: Matching policy: gw ip <1.1.1.2> peer entry id<0>
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > protocol matched expected<0>.
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > port matched expect l:<0>, r<0>.
## 2013-07-27 18:53:00 : ipvx = IPV4
## 2013-07-27 18:53:00 : rcv_local_addr = 3.3.3.0, rcv_local_mask = 255.255.255.0, p_rcv_local_real = 3.3.3.0
## 2013-07-27 18:53:00 : rcv_remote_addr = 4.4.4.0, rcv_remote_mask = 255.255.255.0, p_rcv_remote_real = 4.4.4.0
## 2013-07-27 18:53:00 : ike_p2_id->local_ip = 3.3.3.0, cfg_local_mask = 255.255.255.0, p_cfg_local_real = 3.3.3.0
## 2013-07-27 18:53:00 : ike_p2_id->remote_ip = 4.4.4.0, cfg_remote_mask = 255.255.255.0, p_cfg_remote_real = 4.4.4.0
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Proxy ID match: Located matching Phase 2 SA <4>.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> sa ID for phase 2 sa is <4>. IP version is 4.
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > life (sec or kb): lcl 3600, peer 3600, set 3600.
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > life (sec or kb): lcl 0, peer 0, set 0.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> gen_qm_key()
## 2013-07-27 18:53:00 : IKE<1.1.1.2> load_sa_keys(): enter.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> gen_qm_key()
## 2013-07-27 18:53:00 : IKE<1.1.1.2> load_sa_keys(): enter.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> ikmpd.c 3962. sa ID for phase 2 sa is <4>. IP version is 4.
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > SPI = 0, do not remove
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > SPI = 0, do not remove
## 2013-07-27 18:53:00 : IKE<1.1.1.2> clean_all_sa_state_node_from_list->
## 2013-07-27 18:53:00 : IKE<1.1.1.2> no relocate earlier SA-state, not active.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> key_modify: sa index <0> bk_idx <0>.
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > insert_sa_state_to_spi_hash spi<9f0446d5>, sa_index<0>, Incoming
## 2013-07-27 18:53:00 : IKE<0.0.0.0 > insert_sa_state_to_spi_hash spi<ff157fce>, sa_index<0>, Outgoing
## 2013-07-27 18:53:00 : IKE<1.1.1.2> update acvpn flags for sa 0
## 2013-07-27 18:53:00 : IKE<1.1.1.2> update acvpn flags for sa 0 - 0x400063
## 2013-07-27 18:53:00 : IKE<1.1.1.2> crypto_ctx 11, 8, 8, 8, 0, 0, 16, 0, 12, 48
## 2013-07-27 18:53:00 : IKE<1.1.1.2> modify esp tunnel: src (peer) ipv4 <1.1.1.2>
## 2013-07-27 18:53:00 : IKE<1.1.1.2> modifying esp tunnel: self <ipv4 1.1.1.1>
## 2013-07-27 18:53:00 : IKE<1.1.1.2> update auto NHTB status for sa 0
## 2013-07-27 18:53:00 : IKE<1.1.1.2> after mod, out nsptunnel <05087bb0>.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Phase 2 msg-id <e5838c70>: Completed Quick Mode negotiation with SPI <9f0446d5>, tunnel ID <4>, and lifetime <3600> seconds/<0> KB.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> Application sa installed.
## 2013-07-27 18:53:00 : IKE<1.1.1.2> oakley_process_quick_mode():exit
## 2013-07-27 18:53:00 : IKE<1.1.1.2> IKE msg done: PKI state<0> IKE state<3/80522f>
## 2013-07-27 18:53:02 : IKE<0.0.0.0 > finished job pkaidx <0> dh_len<96> dmax<64>
## 2013-07-27 18:53:02 : IKE<0.0.0.0 > finished job d<726c019a><eba40d38><11eeea57><927f6ed2>
## 2013-07-27 18:53:02 : IKE<0.0.0.0 > BN, top24 dmax64 zero<no>
## 2013-07-27 18:53:23 : sys_set_peer_vpn->
## 2013-07-27 18:53:23 : IKE<1.1.1.2> setIkeConfig->
## 2013-07-27 18:53:23 : peer_ent->peer_gw_ipaddr = 1.1.1.2, pVpnEntry->vpn_gateway = 1.1.1.2
## 2013-07-27 18:53:23 : peer_ent->peer_local_addr = 1.1.1.1
## 2013-07-27 18:53:23 : sys_modify_vpn->
## 2013-07-27 18:53:23 : IKE<0.0.0.0 > VerifyP2Proposals->
## 2013-07-27 18:53:23 : IKE<1.1.1.2> mod vpn vpn1: SPI 0/0, passwd
## 2013-07-27 18:53:23 : IKE<1.1.1.2> vpn_modify->
## 2013-07-27 18:53:23 : IKE<1.1.1.2> fix_vpn_key->
## 2013-07-27 18:53:23 : IKE<1.1.1.2> fix_vpn_key exit
## 2013-07-27 18:53:23 : IKE<0.0.0.0 > getProfileFromP2Proposal->
## 2013-07-27 18:53:23 : IKE<0.0.0.0 > proposal[0] idx<1> proto<3> auth<1> encrypt<1>
## 2013-07-27 18:53:23 : IKE<0.0.0.0 > 0 profile[0]=<00000003 00000000 00000002 00000001 00000001 00000000>
## 2013-07-27 18:53:23 : IKE<1.1.1.2> update_sa->
## 2013-07-27 18:53:23 : IKE<1.1.1.2> update_sa_ipsec->
## 2013-07-27 18:53:23 : IKE<1.1.1.2> update_sa_ipsec: phase 2 idle time <0>.
## 2013-07-27 18:53:23 : IKE<1.1.1.2> update_sa_ipsec exit
## 2013-07-27 18:53:23 : IKE<1.1.1.2> update_sa_ipsec->
## 2013-07-27 18:53:23 : IKE<1.1.1.2> update_sa_ipsec: phase 2 idle time <0>.
## 2013-07-27 18:53:23 : IKE<1.1.1.2> update_sa_ipsec exit
## 2013-07-27 18:53:23 : IKE<1.1.1.2> update_sa exit
## 2013-07-27 18:53:23 : IKE<1.1.1.2> vpn modify sa: tunnel local v4 IP 1.1.1.1.
## 2013-07-27 18:53:23 : IKE<1.1.1.2> modify key, send delete if needed.
## 2013-07-27 18:53:23 : IKE<1.1.1.2> deactive p2 sa 0 send_delete 1
## 2013-07-27 18:53:23 : IKE<1.1.1.2> Send IPSEC delete for sa 0, mode 1
## 2013-07-27 18:53:23 : IKE<1.1.1.2> isadb_get_entry_by_peer_and_local_if_port_p2sa isadb get entry by peer/local ip and port
## 2013-07-27 18:53:23 : IKE<1.1.1.2> sending phase 2 (SA0) delete to <ip 1.1.1.2> spi<9f0446d5>
## 2013-07-27 18:53:23 : IKE<1.1.1.2> Create conn entry...
## 2013-07-27 18:53:23 : IKE<1.1.1.2> ...done(new 7738ad33)
## 2013-07-27 18:53:23 : IKE<1.1.1.2> Construct ISAKMP header.
## 2013-07-27 18:53:23 : IKE<1.1.1.2> Msg header built (next payload #8)
## 2013-07-27 18:53:23 : IKE<1.1.1.2> Construct [HASH]
## 2013-07-27 18:53:23 : IKE<0.0.0.0 > Construct [DELETE] for IPSec
## 2013-07-27 18:53:23 : IKE<0.0.0.0 > ipsec del payload constructed, protocol=3, spi=9f0446d5
## 2013-07-27 18:53:23 : IKE<1.1.1.2> construct QM HASH
## 2013-07-27 18:53:23 : IKE<1.1.1.2 > Xmit*: [HASH] [DELETE] ==> DELETE Sent
## 2013-07-27 18:53:23 : IKE<1.1.1.2> Encrypt P2 payload (len 64)
## 2013-07-27 18:53:23 : IKE<1.1.1.2> Responder sending IPv4 IP 1.1.1.2/port 500
## 2013-07-27 18:53:23 : IKE<1.1.1.2> Send Phase 2 packet (len=68)
## 2013-07-27 18:53:23 : IKE<1.1.1.2> ipsec delete packet sent, type=3, spi=9f0446d5
## 2013-07-27 18:53:23 : IKE<1.1.1.2> Delete conn entry...
## 2013-07-27 18:53:23 : IKE<1.1.1.2> ...found conn entry(33ad3877)
## 2013-07-27 18:53:23 : IKE<1.1.1.2> clean_all_sa_state_node_from_list->
## 2013-07-27 18:53:23 : IKE<0.0.0.0 > spi hash node removed: type<2>,spi<9f0446d5>,ip<1.1.1.1>
## 2013-07-27 18:53:23 : IKE<0.0.0.0 > spi hash node removed: type<2>,spi<ff157fce>,ip<1.1.1.2>
## 2013-07-27 18:53:23 : IKE<1.1.1.2> clean_all_sa_state_node_from_list->
## 2013-07-27 18:53:23 : IKE<1.1.1.2> no relocate earlier SA-state, not active.
## 2013-07-27 18:53:23 : IKE<1.1.1.2> key_modify: sa index <0> bk_idx <0>.
## 2013-07-27 18:53:23 : IKE<0.0.0.0 > SPI = 0, do not insert
## 2013-07-27 18:53:23 : IKE<0.0.0.0 > SPI = 0, do not insert
## 2013-07-27 18:53:23 : IKE<1.1.1.2> update acvpn flags for sa 0
## 2013-07-27 18:53:23 : IKE<1.1.1.2> update acvpn flags for sa 0 - 0x400020
## 2013-07-27 18:53:23 : IKE<1.1.1.2> crypto_ctx 11, 8, 8, 8, 0, 0, 16, 0, 12, 48
## 2013-07-27 18:53:23 : IKE<1.1.1.2> modify esp tunnel: src (peer) ipv4 <1.1.1.2>
## 2013-07-27 18:53:23 : IKE<1.1.1.2> modifying esp tunnel: self <ipv4 1.1.1.1>
## 2013-07-27 18:53:23 : IKE<1.1.1.2> update auto NHTB status for sa 0
## 2013-07-27 18:53:23 : IKE<1.1.1.2> turning off monitor on the vpn.
## 2013-07-27 18:53:23 : IKE<1.1.1.2> vpn_modify exit 0
## 2013-07-27 18:53:26 : IKE<1.1.1.2> ****** Recv kernel msg IDX-0, TYPE-5 ******
## 2013-07-27 18:53:26 : IKE<1.1.1.2> ****** Recv kernel msg IDX-0, TYPE-5 ******
## 2013-07-27 18:53:26 : IKE<1.1.1.2> sa orig index<0>, peer_id<1>.
## 2013-07-27 18:53:26 : IKE<1.1.1.2> isadb_get_entry_by_peer_and_local_if_port_p2sa isadb get entry by peer/local ip and port
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Phase 2: Initiated negotiation, p1 state (3/80522f).
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Phase-2: start quick mode negotiation
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Phase-2: no tunnel interface binding for Modecfg IPv4 address.
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Create conn entry...
## 2013-07-27 18:53:26 : IKE<1.1.1.2> ...done(new a6261908)
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Initiator not set commit bit on 1st QM.
## 2013-07-27 18:53:26 : IKE<0.0.0.0 > add sa list for msg id <081926a6>
## 2013-07-27 18:53:26 : IKE<1.1.1.2> 0,0/0(0)/spi(d646049f)/keylen(0)
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Construct ISAKMP header.
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Msg header built (next payload #8)
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Construct [HASH]
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Construct [SA] for IPSEC
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Set IPSEC SA attrs: lifetime(3600/0)
## 2013-07-27 18:53:26 : IKE<1.1.1.2> atts<00000003 00000000 00000002 00000001 00000001 00000000>
## 2013-07-27 18:53:26 : IKE<1.1.1.2> proto(3)<ESP>, esp(2)<ESP_DES>, auth(1)<MD5>, encap(1)<TUNNEL>, group(0)
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Before NAT-T attr unmap: private tunnel = 1.
## 2013-07-27 18:53:26 : IKE<1.1.1.2> After NAT-T attr unmap: private tunnel = 1.
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Policy have separate SA. Use P2 ID from policy sa (4).
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Initiator P2 ID built: ._=
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Responder P2 ID built: ._=
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Construct [NONCE] for IPSec
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Construct [ID] for Phase 2
## 2013-07-27 18:53:26 : id payload constructed. type(4),ip(3.3.3.0),mask(255.255.255.0), prot(0), port(0)
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Construct [ID] for Phase 2
## 2013-07-27 18:53:26 : id payload constructed. type(4),ip(4.4.4.0),mask(255.255.255.0), prot(0), port(0)
## 2013-07-27 18:53:26 : IKE<1.1.1.2> construct QM HASH
## 2013-07-27 18:53:26 : IKE<1.1.1.2 > Xmit*: [HASH] [SA] [NONCE] [ID] [ID] ==> Ph2 1st Packet Sent
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Encrypt P2 payload (len 168)
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Responder sending IPv4 IP 1.1.1.2/port 500
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Send Phase 2 packet (len=172)
## 2013-07-27 18:53:26 : IKE<1.1.1.2> negotiating p2 -195084 seconds before SA <spi 00000000> expires
## 2013-07-27 18:53:26 : IKE<1.1.1.2> ike packet, len 200, action 0
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Catcher: received 172 bytes from socket.
## 2013-07-27 18:53:26 : IKE<1.1.1.2> ****** Recv packet if <ethernet0/1> of vsys <Root> ****** ==> Ph2 2nd Packet Received
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Catcher: get 172 bytes. src port 500
## 2013-07-27 18:53:26 : IKE<0.0.0.0 > ISAKMP msg: len 172, nxp 8[HASH], exch 32[QM], flag 01 E
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Decrypting payload (length 144)
## 2013-07-27 18:53:26 : IKE<1.1.1.2 > Recv*: [HASH] [SA] [NONCE] [ID] [ID]
## 2013-07-27 18:53:26 : valid id checking, id type:IP Subnet, len:16.
## 2013-07-27 18:53:26 : valid id checking, id type:IP Subnet, len:16.
## 2013-07-27 18:53:26 : IKE<0.0.0.0 > extract payload (144):
## 2013-07-27 18:53:26 : valid id checking, id type:IP Subnet, len:16.
## 2013-07-27 18:53:26 : valid id checking, id type:IP Subnet, len:16.
## 2013-07-27 18:53:26 : IKE<1.1.1.2> QM in state OAK_QM_SA_ACCEPT.
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Process [SA]:
## 2013-07-27 18:53:26 : IKE<0.0.0.0 > Check P2 Proposal
## 2013-07-27 18:53:26 : IKE<1.1.1.2> SA life type = seconds
## 2013-07-27 18:53:26 : IKE<0.0.0.0 > SA life duration (TLV) = 0x 00 00 0e 10
## 2013-07-27 18:53:26 : IKE<0.0.0.0 > encap mode from peer = 1.
## 2013-07-27 18:53:26 : IKE<0.0.0.0 > encap mode after converting it to private value = 1.
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Phase 2 received:
## 2013-07-27 18:53:26 : IKE<1.1.1.2> atts<00000003 00000000 00000002 00000001 00000001 00000000>
## 2013-07-27 18:53:26 : IKE<1.1.1.2> proto(3)<ESP>, esp(2)<ESP_DES>, auth(1)<MD5>, encap(1)<TUNNEL>, group(0)
## 2013-07-27 18:53:26 : IKE<1.1.1.2> P2 proposal [0] selected.
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Process [NONCE]:
## 2013-07-27 18:53:26 : IKE<1.1.1.2> processing NONCE in phase 2.
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Process [ID]:
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Process [ID]:
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Start by finding matching member SA (verify 0/0)
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Verify sa: index 0
## 2013-07-27 18:53:26 : IKE<1.1.1.2> IKE: Matching policy: gw ip <1.1.1.2> peer entry id<0>
## 2013-07-27 18:53:26 : IKE<0.0.0.0 > protocol matched expected<0>.
## 2013-07-27 18:53:26 : IKE<0.0.0.0 > port matched expect l:<0>, r<0>.
## 2013-07-27 18:53:26 : ipvx = IPV4
## 2013-07-27 18:53:26 : rcv_local_addr = 3.3.3.0, rcv_local_mask = 255.255.255.0, p_rcv_local_real = 3.3.3.0
## 2013-07-27 18:53:26 : rcv_remote_addr = 4.4.4.0, rcv_remote_mask = 255.255.255.0, p_rcv_remote_real = 4.4.4.0
## 2013-07-27 18:53:26 : ike_p2_id->local_ip = 3.3.3.0, cfg_local_mask = 255.255.255.0, p_cfg_local_real = 3.3.3.0
## 2013-07-27 18:53:26 : ike_p2_id->remote_ip = 4.4.4.0, cfg_remote_mask = 255.255.255.0, p_cfg_remote_real = 4.4.4.0
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Proxy ID match: Located matching Phase 2 SA <4>.
## 2013-07-27 18:53:26 : IKE<1.1.1.2> sa ID for phase 2 sa is <4>. IP version is 4.
## 2013-07-27 18:53:26 : IKE<0.0.0.0 > life (sec or kb): lcl 3600, peer 3600, set 3600.
## 2013-07-27 18:53:26 : IKE<0.0.0.0 > life (sec or kb): lcl 0, peer 0, set 0.
## 2013-07-27 18:53:26 : IKE<1.1.1.2> gen_qm_key()
## 2013-07-27 18:53:26 : IKE<1.1.1.2> load_sa_keys(): enter.
## 2013-07-27 18:53:26 : IKE<1.1.1.2> gen_qm_key()
## 2013-07-27 18:53:26 : IKE<1.1.1.2> load_sa_keys(): enter.
## 2013-07-27 18:53:26 : IKE<1.1.1.2> ikmpd.c 3962. sa ID for phase 2 sa is <4>. IP version is 4.
## 2013-07-27 18:53:26 : IKE<0.0.0.0 > SPI = 0, do not remove
## 2013-07-27 18:53:26 : IKE<0.0.0.0 > SPI = 0, do not remove
## 2013-07-27 18:53:26 : IKE<1.1.1.2> clean_all_sa_state_node_from_list->
## 2013-07-27 18:53:26 : IKE<1.1.1.2> no relocate earlier SA-state, not active.
## 2013-07-27 18:53:26 : IKE<1.1.1.2> key_modify: sa index <0> bk_idx <0>.
## 2013-07-27 18:53:26 : IKE<0.0.0.0 > insert_sa_state_to_spi_hash spi<9f0446d6>, sa_index<0>, Incoming
## 2013-07-27 18:53:26 : IKE<0.0.0.0 > insert_sa_state_to_spi_hash spi<ff157fcf>, sa_index<0>, Outgoing
## 2013-07-27 18:53:26 : IKE<1.1.1.2> update acvpn flags for sa 0
## 2013-07-27 18:53:26 : IKE<1.1.1.2> update acvpn flags for sa 0 - 0x4000e3
## 2013-07-27 18:53:26 : IKE<1.1.1.2> crypto_ctx 11, 8, 8, 8, 0, 0, 16, 0, 12, 48
## 2013-07-27 18:53:26 : IKE<1.1.1.2> modify esp tunnel: src (peer) ipv4 <1.1.1.2>
## 2013-07-27 18:53:26 : IKE<1.1.1.2> modifying esp tunnel: self <ipv4 1.1.1.1>
## 2013-07-27 18:53:26 : IKE<1.1.1.2> update auto NHTB status for sa 0
## 2013-07-27 18:53:26 : IKE<1.1.1.2> after mod, out nsptunnel <05087bb0>.
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Phase 2 msg-id <081926a6>: Completed Quick Mode negotiation with SPI <9f0446d6>, tunnel ID <4>, and lifetime <3600> seconds/<0> KB.
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Application sa installed.
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Phase 2 Initiator constructing 3rd(last) message. ==> Ph2 3rd Packet Prepared
## 2013-07-27 18:53:26 : IKE<1.1.1.2> oakley_final_qm():enter
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Construct ISAKMP header.
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Msg header built (next payload #8)
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Construct [HASH] in QM
## 2013-07-27 18:53:26 : IKE<1.1.1.2> oakley_final_qm():exit
## 2013-07-27 18:53:26 : IKE<1.1.1.2 > Xmit*: [HASH]
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Encrypt P2 payload (len 48)
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Responder sending IPv4 IP 1.1.1.2/port 500
## 2013-07-27 18:53:26 : IKE<1.1.1.2> Send Phase 2 packet (len=52)
## 2013-07-27 18:53:26 : IKE<1.1.1.2> oakley_process_quick_mode():exit
## 2013-07-27 18:53:26 : IKE<1.1.1.2> IKE msg done: PKI state<0> IKE state<3/80522f>
## 2013-07-27 18:53:30 : IKE<1.1.1.2> Delete conn entry...
## 2013-07-27 18:53:30 : IKE<1.1.1.2> ...found conn entry(e5838c70)
SSG320-.140->
FW1 get config
SSG320-.140-> get config
set interface "ethernet0/1" zone "Untrust"
set interface "loopback.1" zone "Trust"
set interface ethernet0/1 ip 1.1.1.1/24
set interface loopback.1 ip 3.3.3.3/24
set ike gateway "vpn1" address 1.1.1.2 Main outgoing-interface "ethernet0/1" preshare "ffobK5U/NgSP1GsMhmCG7yC9HhnmpKigdw==" proposal "pre-g1-des-md5"
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
set vpn "vpn1" gateway "vpn1" no-replay tunnel idletime 0 proposal "nopfs-esp-des-md5"
set vpn "vpn1" monitor rekey
set policy id 10 from "Untrust" to "Trust" "4.4.4.0/24" "3.3.3.0/24" "ANY" tunnel vpn "vpn1" id 0x4 pair-policy 9 log
set policy id 10
set policy id 9 from "Trust" to "Untrust" "3.3.3.0/24" "4.4.4.0/24" "ANY" tunnel vpn "vpn1" id 0x4 pair-policy 10 log
set policy id 9
set route 4.4.4.0/24 interface ethernet0/1 gateway 1.1.1.2
FW1 get sa
SSG320-.140->get sa
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb    Sta   PID vsys
00000004< 1.1.1.2         500  esp: des/md5  00000000 expir    unlim I/I   10  0
00000004> 1.1.1.2         500  esp: des/md5  00000000 expir    unlim I/I   9   0
SSG320-.140->get sa
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb    Sta   PID vsys
00000004< 1.1.1.2         500  esp: des/md5  9f0446d1 3569     unlim A/U   10  0
00000004> 1.1.1.2         500  esp: des/md5  ff157fcb 3569     unlim A/U   9   0
FW1 get ike cookie
SSG320-.140-> get ike cookie
IKEv1 SA -- Active: 1, Dead: 0, Total 1
80522f/0003, 1.1.1.2:500->1.1.1.1:500, PRESHR/grp1/DES/MD5, xchg(2) (vpn1/grp-1/usr-1)
resent-tmr 27746560 lifetime 28800 lt-recv 28800 nxt_rekey 28765 cert-expire 0
responder, err cnt 0, send dir 1, cond 0x0
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 0, peer 0
IKEv2 SA -- Active: 0, Dead: 0, Total 0
FW1 get vpn
SSG320-.140-> get vpn
Name            Gateway         Mode RPlay 1st Proposal         Monitor Use Cnt Interface
--------------- --------------- ---- ----- -------------------- ------- ------- ---------------
vpn1            vpn1            tunl No    nopfs-esp-des-md5    on      2       eth0/1
Total Auto VPN: 1
Total Pure Transport Mode IPSEC VPN: 0
Name       Gateway         Interface       Lcl SPI  Rmt SPI  Algorithm        Monitor Tunnel ID
---------- --------------- --------------- -------- -------- ---------------- ------- ----------
Total Manual VPN 0
FW2 debug ike detail
SSG520-> get db str
## 2013-07-27 18:56:49 : sys_set_peer_vpn->
## 2013-07-27 18:56:49 : IKE<1.1.1.1> setIkeConfig->
## 2013-07-27 18:56:49 : peer_ent->peer_gw_ipaddr = 1.1.1.1, pVpnEntry->vpn_gateway = 1.1.1.1
## 2013-07-27 18:56:49 : peer_ent->peer_local_addr = 1.1.1.2
## 2013-07-27 18:56:49 : sys_modify_vpn->
## 2013-07-27 18:56:49 : IKE<0.0.0.0 > VerifyP2Proposals->
## 2013-07-27 18:56:49 : IKE<1.1.1.1> mod vpn vpn2: SPI 0/0, passwd
## 2013-07-27 18:56:49 : IKE<1.1.1.1> vpn_modify->
## 2013-07-27 18:56:49 : IKE<1.1.1.1> fix_vpn_key->
## 2013-07-27 18:56:49 : IKE<1.1.1.1> fix_vpn_key exit
## 2013-07-27 18:56:49 : IKE<0.0.0.0 > getProfileFromP2Proposal->
## 2013-07-27 18:56:49 : IKE<0.0.0.0 > proposal[0] idx<1> proto<3> auth<1> encrypt<1>
## 2013-07-27 18:56:49 : IKE<0.0.0.0 > 0 profile[0]=<00000003 00000000 00000002 00000001 00000001 00000000>
## 2013-07-27 18:56:49 : IKE<1.1.1.1> update_sa->
## 2013-07-27 18:56:49 : IKE<1.1.1.1> update_sa_ipsec->
## 2013-07-27 18:56:49 : IKE<1.1.1.1> update_sa_ipsec: phase 2 idle time <0>.
## 2013-07-27 18:56:49 : IKE<1.1.1.1> update_sa_ipsec exit
## 2013-07-27 18:56:49 : IKE<1.1.1.1> update_sa_ipsec->
## 2013-07-27 18:56:49 : IKE<1.1.1.1> update_sa_ipsec: phase 2 idle time <0>.
## 2013-07-27 18:56:49 : IKE<1.1.1.1> update_sa_ipsec exit
## 2013-07-27 18:56:49 : IKE<1.1.1.1> update_sa exit
## 2013-07-27 18:56:49 : IKE<1.1.1.1> vpn modify sa: tunnel local v4 IP 1.1.1.2.
## 2013-07-27 18:56:49 : IKE<1.1.1.1> modify key, send delete if needed.
## 2013-07-27 18:56:49 : IKE<0.0.0.0 > spi hash node removed: type<2>,spi<ff157fcd>,ip<1.1.1.2>
## 2013-07-27 18:56:49 : IKE<0.0.0.0 > spi hash node removed: type<2>,spi<9f0446d4>,ip<1.1.1.1>
## 2013-07-27 18:56:49 : IKE<1.1.1.1> clean_all_sa_state_node_from_list->
## 2013-07-27 18:56:49 : IKE<1.1.1.1> no relocate earlier SA-state, not active.
## 2013-07-27 18:56:49 : IKE<1.1.1.1> key_modify: sa index <1> bk_idx <1>.
## 2013-07-27 18:56:49 : IKE<0.0.0.0 > SPI = 0, do not insert
## 2013-07-27 18:56:49 : IKE<0.0.0.0 > SPI = 0, do not insert
## 2013-07-27 18:56:49 : IKE<1.1.1.1> update acvpn flags for sa 1
## 2013-07-27 18:56:49 : IKE<1.1.1.1> update acvpn flags for sa 1 - 0x400020
## 2013-07-27 18:56:49 : IKE<1.1.1.1> crypto_ctx 11, 8, 8, 8, 0, 0, 16, 0, 12, 48
## 2013-07-27 18:56:49 : IKE<1.1.1.1> modify esp tunnel: src (peer) ipv4 <1.1.1.1>
## 2013-07-27 18:56:49 : IKE<1.1.1.1> modifying esp tunnel: self <ipv4 1.1.1.2>
## 2013-07-27 18:56:49 : IKE<1.1.1.1> update auto NHTB status for sa 1
## 2013-07-27 18:56:49 : IKE<1.1.1.1> turning off monitor on the vpn.
## 2013-07-27 18:56:49 : IKE<1.1.1.1> vpn_modify exit 0
## 2013-07-27 18:56:49 : IKE<1.1.1.1> clear auto sa sent: 1
## 2013-07-27 18:56:49 : IKE<0.0.0.0 > I got hit by mail. 1
## 2013-07-27 18:56:49 : IKE<1.1.1.1> clear sa recv: 1
## 2013-07-27 18:56:49 : IKE<1.1.1.1> deactive p2 sa 1 send_delete 1
## 2013-07-27 18:56:59 : IKE<1.1.1.1> clear auto sa sent: 1
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > I got hit by mail. 1
## 2013-07-27 18:56:59 : IKE<1.1.1.1> clear sa recv: 1
## 2013-07-27 18:56:59 : IKE<1.1.1.1> deactive p2 sa 1 send_delete 1
## 2013-07-27 18:56:59 : IKE<1.1.1.1> ****** Recv kernel msg IDX-1, TYPE-5 ******
## 2013-07-27 18:56:59 : IKE<1.1.1.1> ****** Recv kernel msg IDX-1, TYPE-5 ******
## 2013-07-27 18:56:59 : IKE<1.1.1.1> sa orig index<1>, peer_id<1>.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> isadb_get_entry_by_peer_and_local_if_port_p2sa isadb get entry by peer/local ip and port
## 2013-07-27 18:56:59 : IKE<1.1.1.1> create sa: 1.1.1.2->1.1.1.1
## 2013-07-27 18:56:59 : getProfileFromP1Proposal->
## 2013-07-27 18:56:59 : find profile[0]=<00000001 00000001 00000001 00000001> for p1 proposal (id 0), xauth(0)
## 2013-07-27 18:56:59 : init p1sa, pidt = 0x0
## 2013-07-27 18:56:59 : change peer identity for p1 sa, pidt = 0x0
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > peer_identity_create_with_uid: uid<0>
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > create peer identity 0x257c614
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > peer_identity_add_to_peer: num entry before add <1>
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > peer_identity_add_to_peer: num entry after add <2>
## 2013-07-27 18:56:59 : peer identity 257c614 created.
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > EDIPI disabled
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Phase 1: Initiated negotiation in main mode. <1.1.1.2 => 1.1.1.1>
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Construct ISAKMP header.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Msg header built (next payload #1)
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Construct [SA] for ISAKMP
## 2013-07-27 18:56:59 : IKE<1.1.1.1> auth(1)<PRESHRD>, encr(1)<DES>, hash(1)<MD5>, group(1)
## 2013-07-27 18:56:59 : IKE<1.1.1.1> xauth attribute: disabled
## 2013-07-27 18:56:59 : IKE<1.1.1.1> lifetime/lifesize (28800/0)
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > set_phase1_transform, dh_group(1).
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Construct NetScreen [VID]
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Construct custom [VID]
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Construct custom [VID]
## 2013-07-27 18:56:59 : IKE<1.1.1.1 > Xmit : [SA] [VID] [VID] [VID]
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Initiator sending IPv4 IP 1.1.1.1/port 500
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Send Phase 1 packet (len=156)
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Phase 2 task added
## 2013-07-27 18:56:59 : IKE<1.1.1.1> ike packet, len 184, action 0
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Catcher: received 156 bytes from socket.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> ****** Recv packet if <ethernet0/3> of vsys <Root> ******
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Catcher: get 156 bytes. src port 500
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > ISAKMP msg: len 156, nxp 1[SA], exch 2[MM], flag 00
## 2013-07-27 18:56:59 : IKE<1.1.1.1 > Recv : [SA] [VID] [VID] [VID]
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > extract payload (128):
## 2013-07-27 18:56:59 : IKE<1.1.1.1> MM in state OAK_MM_NO_STATE.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Process [VID]:
## 2013-07-27 18:56:59 : IKE<1.1.1.1 > Vendor ID:
## 2013-07-27 18:56:59 : c3 28 9f 97 ea dc 9d 4f 2a 9e 7a 81 8f 1e 2a fe
## 2013-07-27 18:56:59 : c7 52 b3 52 18 00 00 00 1e 06 00 00
## 2013-07-27 18:56:59 : IKE<1.1.1.1> peer is an NetScreen box, model=SSG-320M, ver=6.30
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Process [VID]:
## 2013-07-27 18:56:59 : IKE<1.1.1.1 > Vendor ID:
## 2013-07-27 18:56:59 : af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Process [VID]:
## 2013-07-27 18:56:59 : IKE<1.1.1.1 > Vendor ID:
## 2013-07-27 18:56:59 : 48 65 61 72 74 42 65 61 74 5f 4e 6f 74 69 66 79
## 2013-07-27 18:56:59 : 38 6b 01 00
## 2013-07-27 18:56:59 : IKE<1.1.1.1> rcv HeartBeat vid, ver 1.0
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Process [SA]:
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Proposal received: xauthflag 0
## 2013-07-27 18:56:59 : IKE<1.1.1.1> auth(1)<PRESHRD>, encr(1)<DES>, hash(1)<MD5>, group(1)
## 2013-07-27 18:56:59 : IKE<1.1.1.1> xauth attribute: disabled
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Phase 1 proposal [0] selected.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> SA Life Type = seconds
## 2013-07-27 18:56:59 : IKE<1.1.1.1> SA lifetime (TV) = 28800
## 2013-07-27 18:56:59 : IKE<1.1.1.1> DH_BG_consume OK. p1 resp
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Phase 1 MM Initiator constructing 3rd message.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Construct ISAKMP header.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Msg header built (next payload #4)
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Construct [KE] for ISAKMP
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Construct [NONCE]
## 2013-07-27 18:56:59 : IKE<1.1.1.1 > Xmit : [KE] [NONCE]
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Initiator sending IPv4 IP 1.1.1.1/port 500
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Send Phase 1 packet (len=164)
## 2013-07-27 18:56:59 : IKE<1.1.1.1> IKE msg done: PKI state<0> IKE state<1/804207>
## 2013-07-27 18:56:59 : IKE<1.1.1.1> ike packet, len 192, action 0
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Catcher: received 164 bytes from socket.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> ****** Recv packet if <ethernet0/3> of vsys <Root> ******
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Catcher: get 164 bytes. src port 500
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > ISAKMP msg: len 164, nxp 4[KE], exch 2[MM], flag 00
## 2013-07-27 18:56:59 : IKE<1.1.1.1 > Recv : [KE] [NONCE]
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > extract payload (136):
## 2013-07-27 18:56:59 : IKE<1.1.1.1> MM in state OAK_MM_SA_SETUP.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Process [KE]:
## 2013-07-27 18:56:59 : IKE<1.1.1.1> processing ISA_KE in phase 1.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Phase1: his_DH_pub_len is 96
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Process [NONCE]:
## 2013-07-27 18:56:59 : IKE<1.1.1.1> processing NONCE in phase 1.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> IKE msg done: PKI state<0> IKE state<1/a80420f>
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > finished job pkaidx <0> dh_len<96> dmax<64>
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > finished job d<f86963c6><808dc6e5><defdd73f><2e746ef6>
## 2013-07-27 18:56:59 : IKE<1.1.1.1> gen_skeyid()
## 2013-07-27 18:56:59 : IKE<1.1.1.1> gen_skeyid: returning 0
## 2013-07-27 18:56:59 : IKE<1.1.1.1> MM in state OAK_MM_SA_SETUP.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> re-enter MM after offline DH done
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Phase 1 MM Initiator constructing 5th message.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Construct ISAKMP header.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Msg header built (next payload #5)
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Construct [ID] for ISAKMP
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Construct [HASH]
## 2013-07-27 18:56:59 : IKE<1.1.1.1> ID, len=8, type=1, pro=17, port=500,
## 2013-07-27 18:56:59 : IKE<1.1.1.1> addr=1.1.1.2
## 2013-07-27 18:56:59 : IKE<1.1.1.1> throw packet to the peer, paket_len=60
## 2013-07-27 18:56:59 : IKE<1.1.1.1 > Xmit*: [ID] [HASH]
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Encrypt P1 payload (len 60)
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Initiator sending IPv4 IP 1.1.1.1/port 500
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Send Phase 1 packet (len=68)
## 2013-07-27 18:56:59 : IKE<1.1.1.1> ike packet, len 96, action 0
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Catcher: received 68 bytes from socket.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> ****** Recv packet if <ethernet0/3> of vsys <Root> ******
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Catcher: get 68 bytes. src port 500
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > ISAKMP msg: len 68, nxp 5[ID], exch 2[MM], flag 01 E
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Decrypting payload (length 40)
## 2013-07-27 18:56:59 : IKE<1.1.1.1 > Recv*: [ID] [HASH]
## 2013-07-27 18:56:59 : valid id checking, id type:IP Address, len:12.
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > extract payload (40):
## 2013-07-27 18:56:59 : valid id checking, id type:IP Address, len:12.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> MM in state OAK_MM_KEY_EXCH.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Process [ID]:
## 2013-07-27 18:56:59 : IKE<1.1.1.1> ID received: type=ID_IPV4_ADDR, ip = 1.1.1.1, port=500, protocol=17
## 2013-07-27 18:56:59 : IKE<1.1.1.1> peer gateway entry has no peer id configured
## 2013-07-27 18:56:59 : IKE<1.1.1.1> ID processed. return 0. sa->p1_state = 2.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Process [HASH]:
## 2013-07-27 18:56:59 : IKE<1.1.1.1> ID, len=8, type=1, pro=17, port=500,
## 2013-07-27 18:56:59 : IKE<1.1.1.1> addr=1.1.1.1
## 2013-07-27 18:56:59 : IKE<1.1.1.1> completing Phase 1
## 2013-07-27 18:56:59 : IKE<1.1.1.1> sa_pidt = 257c614
## 2013-07-27 18:56:59 : IKE<1.1.1.1> found existing peer identity 257c360
## 2013-07-27 18:56:59 : IKE<1.1.1.1> peer_identity_unregister_p1_sa.
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > delete peer identity 0x257c614
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > peer_identity_remove_from_peer: num entry before remove <2>
## 2013-07-27 18:56:59 : IKE<1.1.1.1> peer_idt.c peer_identity_unregister_p1_sa 686: pidt deleted.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Phase 1: Completed Main mode negotiation with a <28800>-second lifetime.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Phase 2: Initiated Quick Mode negotiation.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Phase-2: start quick mode negotiation
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Phase-2: no tunnel interface binding for Modecfg IPv4 address.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Create conn entry...
## 2013-07-27 18:56:59 : IKE<1.1.1.1> ...done(new 708c83e5)
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Initiator not set commit bit on 1st QM.
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > add sa list for msg id <e5838c70>
## 2013-07-27 18:56:59 : IKE<1.1.1.1> get_unique_spi 0, 4279599054, ff157fce
## 2013-07-27 18:56:59 : IKE<1.1.1.1> 0,0/0(0)/spi(ce7f15ff)/keylen(0)
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Construct ISAKMP header.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Msg header built (next payload #8)
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Construct [HASH]
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Construct [SA] for IPSEC
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Set IPSEC SA attrs: lifetime(3600/0)
## 2013-07-27 18:56:59 : IKE<1.1.1.1> atts<00000003 00000000 00000002 00000001 00000001 00000000>
## 2013-07-27 18:56:59 : IKE<1.1.1.1> proto(3)<ESP>, esp(2)<ESP_DES>, auth(1)<MD5>, encap(1)<TUNNEL>, group(0)
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Before NAT-T attr unmap: private tunnel = 1.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> After NAT-T attr unmap: private tunnel = 1.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Policy have separate SA. Use P2 ID from policy sa (4).
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Initiator P2 ID built: .9=
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Responder P2 ID built: .9=
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Construct [NONCE] for IPSec
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Construct [ID] for Phase 2
## 2013-07-27 18:56:59 : id payload constructed. type(4),ip(4.4.4.0),mask(255.255.255.0), prot(0), port(0)
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Construct [ID] for Phase 2
## 2013-07-27 18:56:59 : id payload constructed. type(4),ip(3.3.3.0),mask(255.255.255.0), prot(0), port(0)
## 2013-07-27 18:56:59 : IKE<1.1.1.1> construct QM HASH
## 2013-07-27 18:56:59 : IKE<1.1.1.1 > Xmit*: [HASH] [SA] [NONCE] [ID] [ID]
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Encrypt P2 payload (len 168)
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Initiator sending IPv4 IP 1.1.1.1/port 500
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Send Phase 2 packet (len=172)
## 2013-07-27 18:56:59 : IKE<1.1.1.1> IKE msg done: PKI state<0> IKE state<3/80522f>
## 2013-07-27 18:56:59 : IKE<1.1.1.1> ike packet, len 200, action 0
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Catcher: received 172 bytes from socket.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> ****** Recv packet if <ethernet0/3> of vsys <Root> ******
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Catcher: get 172 bytes. src port 500
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > ISAKMP msg: len 172, nxp 8[HASH], exch 32[QM], flag 01 E
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Decrypting payload (length 144)
## 2013-07-27 18:56:59 : IKE<1.1.1.1 > Recv*: [HASH] [SA] [NONCE] [ID] [ID]
## 2013-07-27 18:56:59 : valid id checking, id type:IP Subnet, len:16.
## 2013-07-27 18:56:59 : valid id checking, id type:IP Subnet, len:16.
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > extract payload (144):
## 2013-07-27 18:56:59 : valid id checking, id type:IP Subnet, len:16.
## 2013-07-27 18:56:59 : valid id checking, id type:IP Subnet, len:16.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> QM in state OAK_QM_SA_ACCEPT.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Process [SA]:
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > Check P2 Proposal
## 2013-07-27 18:56:59 : IKE<1.1.1.1> SA life type = seconds
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > SA life duration (TLV) = 0x 00 00 0e 10
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > encap mode from peer = 1.
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > encap mode after converting it to private value = 1.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Phase 2 received:
## 2013-07-27 18:56:59 : IKE<1.1.1.1> atts<00000003 00000000 00000002 00000001 00000001 00000000>
## 2013-07-27 18:56:59 : IKE<1.1.1.1> proto(3)<ESP>, esp(2)<ESP_DES>, auth(1)<MD5>, encap(1)<TUNNEL>, group(0)
## 2013-07-27 18:56:59 : IKE<1.1.1.1> P2 proposal [0] selected.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Process [NONCE]:
## 2013-07-27 18:56:59 : IKE<1.1.1.1> processing NONCE in phase 2.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Process [ID]:
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Process [ID]:
## 2013-07-27 18:56:59 : IKE<1.1.1.1> xauth_cleanup()
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Done cleaning up IKE Phase 1 SA
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Start by finding matching member SA (verify 1/1)
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Verify sa: index 1
## 2013-07-27 18:56:59 : IKE<1.1.1.1> IKE: Matching policy: gw ip <1.1.1.1> peer entry id<0>
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > protocol matched expected<0>.
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > port matched expect l:<0>, r<0>.
## 2013-07-27 18:56:59 : ipvx = IPV4
## 2013-07-27 18:56:59 : rcv_local_addr = 4.4.4.0, rcv_local_mask = 255.255.255.0, p_rcv_local_real = 4.4.4.0
## 2013-07-27 18:56:59 : rcv_remote_addr = 3.3.3.0, rcv_remote_mask = 255.255.255.0, p_rcv_remote_real = 3.3.3.0
## 2013-07-27 18:56:59 : ike_p2_id->local_ip = 4.4.4.0, cfg_local_mask = 255.255.255.0, p_cfg_local_real = 4.4.4.0
## 2013-07-27 18:56:59 : ike_p2_id->remote_ip = 3.3.3.0, cfg_remote_mask = 255.255.255.0, p_cfg_remote_real = 3.3.3.0
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Proxy ID match: Located matching Phase 2 SA <4>.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> sa ID for phase 2 sa is <4>. IP version is 4.
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > life (sec or kb): lcl 3600, peer 3600, set 3600.
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > life (sec or kb): lcl 0, peer 0, set 0.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> gen_qm_key()
## 2013-07-27 18:56:59 : IKE<1.1.1.1> load_sa_keys(): enter.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> gen_qm_key()
## 2013-07-27 18:56:59 : IKE<1.1.1.1> load_sa_keys(): enter.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> ikmpd.c 3999. sa ID for phase 2 sa is <4>. IP version is 4.
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > SPI = 0, do not remove
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > SPI = 0, do not remove
## 2013-07-27 18:56:59 : IKE<1.1.1.1> clean_all_sa_state_node_from_list->
## 2013-07-27 18:56:59 : IKE<1.1.1.1> no relocate earlier SA-state, not active.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> key_modify: sa index <1> bk_idx <1>.
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > insert_sa_state_to_spi_hash spi<ff157fce>, sa_index<1>, Incoming
## 2013-07-27 18:56:59 : IKE<0.0.0.0 > insert_sa_state_to_spi_hash spi<9f0446d5>, sa_index<1>, Outgoing
## 2013-07-27 18:56:59 : IKE<1.1.1.1> update acvpn flags for sa 1
## 2013-07-27 18:56:59 : IKE<1.1.1.1> update acvpn flags for sa 1 - 0x4000e3
## 2013-07-27 18:56:59 : IKE<1.1.1.1> crypto_ctx 11, 8, 8, 8, 0, 0, 16, 0, 12, 48
## 2013-07-27 18:56:59 : IKE<1.1.1.1> modify esp tunnel: src (peer) ipv4 <1.1.1.1>
## 2013-07-27 18:56:59 : IKE<1.1.1.1> modifying esp tunnel: self <ipv4 1.1.1.2>
## 2013-07-27 18:56:59 : IKE<1.1.1.1> update auto NHTB status for sa 1
## 2013-07-27 18:56:59 : IKE<1.1.1.1> after mod, out nsptunnel <0612a210>.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Phase 2 msg-id <e5838c70>: Completed Quick Mode negotiation with SPI <ff157fce>, tunnel ID <4>, and lifetime <3600> seconds/<0> KB.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Application sa installed.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Phase 2 Initiator constructing 3rd(last) message.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> oakley_final_qm():enter
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Construct ISAKMP header.
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Msg header built (next payload #8)
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Construct [HASH] in QM
## 2013-07-27 18:56:59 : IKE<1.1.1.1> oakley_final_qm():exit
## 2013-07-27 18:56:59 : IKE<1.1.1.1 > Xmit*: [HASH]
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Encrypt P2 payload (len 48)
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Initiator sending IPv4 IP 1.1.1.1/port 500
## 2013-07-27 18:56:59 : IKE<1.1.1.1> Send Phase 2 packet (len=52)
## 2013-07-27 18:56:59 : IKE<1.1.1.1> oakley_process_quick_mode():exit
## 2013-07-27 18:56:59 : IKE<1.1.1.1> IKE msg done: PKI state<0> IKE state<3/80522f>
## 2013-07-27 18:57:02 : IKE<0.0.0.0 > finished job pkaidx <0> dh_len<96> dmax<64>
## 2013-07-27 18:57:02 : IKE<0.0.0.0 > finished job d<55ac8db5><a2e70b92><3d528feb><bc85ffa6>
## 2013-07-27 18:57:02 : IKE<0.0.0.0 > BN, top24 dmax64 zero<no>
## 2013-07-27 18:57:22 : IKE<1.1.1.1> ike packet, len 96, action 0
## 2013-07-27 18:57:22 : IKE<1.1.1.1> Catcher: received 68 bytes from socket.
## 2013-07-27 18:57:22 : IKE<1.1.1.1> ****** Recv packet if <ethernet0/3> of vsys <Root> ******
## 2013-07-27 18:57:22 : IKE<1.1.1.1> Catcher: get 68 bytes. src port 500
## 2013-07-27 18:57:22 : IKE<0.0.0.0 > ISAKMP msg: len 68, nxp 8[HASH], exch 5[INFO], flag 01 E
## 2013-07-27 18:57:22 : IKE<1.1.1.1> Create conn entry...
## 2013-07-27 18:57:22 : IKE<1.1.1.1> ...done(new 7738ad33)
## 2013-07-27 18:57:22 : IKE<1.1.1.1> Decrypting payload (length 40)
## 2013-07-27 18:57:22 : IKE<1.1.1.1 > Recv*: [HASH] [DELETE]
## 2013-07-27 18:57:22 : IKE<1.1.1.1> Process [DELETE]:
## 2013-07-27 18:57:22 : IKE<1.1.1.1> ipsec del msg received, (SA1 d546049f) deleted.
## 2013-07-27 18:57:22 : IKE<1.1.1.1> clean_all_sa_state_node_from_list->
## 2013-07-27 18:57:22 : IKE<1.1.1.1> Delete conn entry...
## 2013-07-27 18:57:22 : IKE<1.1.1.1> ...found conn entry(33ad3877)
## 2013-07-27 18:57:22 : IKE<1.1.1.1> IKE msg done: PKI state<0> IKE state<3/80522f>
## 2013-07-27 18:57:24 : IKE<1.1.1.1> ike packet, len 200, action 0
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Catcher: received 172 bytes from socket.
## 2013-07-27 18:57:24 : IKE<1.1.1.1> ****** Recv packet if <ethernet0/3> of vsys <Root> ******
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Catcher: get 172 bytes. src port 500
## 2013-07-27 18:57:24 : IKE<0.0.0.0 > ISAKMP msg: len 172, nxp 8[HASH], exch 32[QM], flag 01 E
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Create conn entry...
## 2013-07-27 18:57:24 : IKE<1.1.1.1> ...done(new a6261908)
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Phase 2 msg-id <081926a6>: Responded to the first peer message.
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Decrypting payload (length 144)
## 2013-07-27 18:57:24 : IKE<1.1.1.1 > Recv*: [HASH] [SA] [NONCE] [ID] [ID]
## 2013-07-27 18:57:24 : valid id checking, id type:IP Subnet, len:16.
## 2013-07-27 18:57:24 : valid id checking, id type:IP Subnet, len:16.
## 2013-07-27 18:57:24 : IKE<0.0.0.0 > extract payload (144):
## 2013-07-27 18:57:24 : valid id checking, id type:IP Subnet, len:16.
## 2013-07-27 18:57:24 : valid id checking, id type:IP Subnet, len:16.
## 2013-07-27 18:57:24 : IKE<1.1.1.1> QM in state OAK_QM_SA_ACCEPT.
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Start by finding matching member SA (verify -1/-1)
## 2013-07-27 18:57:24 : IKE<1.1.1.1> IKE: Matching policy: gw ip <1.1.1.1> peer entry id<0>
## 2013-07-27 18:57:24 : IKE<0.0.0.0 > protocol matched expected<0>.
## 2013-07-27 18:57:24 : IKE<0.0.0.0 > port matched expect l:<0>, r<0>.
## 2013-07-27 18:57:24 : ipvx = IPV4
## 2013-07-27 18:57:24 : rcv_local_addr = 4.4.4.0, rcv_local_mask = 255.255.255.0, p_rcv_local_real = 4.4.4.0
## 2013-07-27 18:57:24 : rcv_remote_addr = 3.3.3.0, rcv_remote_mask = 255.255.255.0, p_rcv_remote_real = 3.3.3.0
## 2013-07-27 18:57:24 : ike_p2_id->local_ip = 4.4.4.0, cfg_local_mask = 255.255.255.0, p_cfg_local_real = 4.4.4.0
## 2013-07-27 18:57:24 : ike_p2_id->remote_ip = 3.3.3.0, cfg_remote_mask = 255.255.255.0, p_cfg_remote_real = 3.3.3.0
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Proxy ID match: Located matching Phase 2 SA <4>.
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Process [SA]:
## 2013-07-27 18:57:24 : IKE<0.0.0.0 > Check P2 Proposal
## 2013-07-27 18:57:24 : IKE<1.1.1.1> SA life type = seconds
## 2013-07-27 18:57:24 : IKE<0.0.0.0 > SA life duration (TLV) = 0x 00 00 0e 10
## 2013-07-27 18:57:24 : IKE<0.0.0.0 > encap mode from peer = 1.
## 2013-07-27 18:57:24 : IKE<0.0.0.0 > encap mode after converting it to private value = 1.
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Phase 2 received:
## 2013-07-27 18:57:24 : IKE<1.1.1.1> atts<00000003 00000000 00000002 00000001 00000001 00000000>
## 2013-07-27 18:57:24 : IKE<1.1.1.1> proto(3)<ESP>, esp(2)<ESP_DES>, auth(1)<MD5>, encap(1)<TUNNEL>, group(0)
## 2013-07-27 18:57:24 : IKE<1.1.1.1> P2 proposal [0] selected.
## 2013-07-27 18:57:24 : IKE<0.0.0.0 > add sa list for msg id <081926a6>
## 2013-07-27 18:57:24 : IKE<1.1.1.1> get_unique_spi 0, 4279599055, ff157fcf
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Process [NONCE]:
## 2013-07-27 18:57:24 : IKE<1.1.1.1> processing NONCE in phase 2.
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Process [ID]:
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Process [ID]:
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Phase 2 Responder constructing 2nd message.
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Construct ISAKMP header.
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Msg header built (next payload #8)
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Construct [HASH]
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Construct [SA] for IPSEC
## 2013-07-27 18:57:24 : IKE<0.0.0.0 > Set IPSEC SA attrs tunnel(1) MD5 grp0 lifetime(3600/0)
## 2013-07-27 18:57:24 : IKE<0.0.0.0 > Before NAT-T attr unmap: P2 prop tunnel = 1.
## 2013-07-27 18:57:24 : IKE<0.0.0.0 > After NAT-T attr unmap: P2 prop tunnel = 1.
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Initiator P2 ID built: .B..
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Responder P2 ID built: .B..
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Construct [NONCE] for IPSec
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Construct [ID] for Phase 2
## 2013-07-27 18:57:24 : id payload constructed. type(4),ip(3.3.3.0),mask(255.255.255.0), prot(0), port(0)
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Construct [ID] for Phase 2
## 2013-07-27 18:57:24 : id payload constructed. type(4),ip(4.4.4.0),mask(255.255.255.0), prot(0), port(0)
## 2013-07-27 18:57:24 : IKE<1.1.1.1> construct QM HASH
## 2013-07-27 18:57:24 : IKE<1.1.1.1 > Xmit*: [HASH] [SA] [NONCE] [ID] [ID]
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Encrypt P2 payload (len 168)
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Initiator sending IPv4 IP 1.1.1.1/port 500
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Send Phase 2 packet (len=172)
## 2013-07-27 18:57:24 : IKE<1.1.1.1> oakley_process_quick_mode():exit
## 2013-07-27 18:57:24 : IKE<1.1.1.1> IKE msg done: PKI state<0> IKE state<3/80522f>
## 2013-07-27 18:57:24 : IKE<1.1.1.1> ike packet, len 80, action 0
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Catcher: received 52 bytes from socket.
## 2013-07-27 18:57:24 : IKE<1.1.1.1> ****** Recv packet if <ethernet0/3> of vsys <Root> ******
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Catcher: get 52 bytes. src port 500
## 2013-07-27 18:57:24 : IKE<0.0.0.0 > ISAKMP msg: len 52, nxp 8[HASH], exch 32[QM], flag 01 E
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Decrypting payload (length 24)
## 2013-07-27 18:57:24 : IKE<1.1.1.1 > Recv*: [HASH]
## 2013-07-27 18:57:24 : IKE<0.0.0.0 > extract payload (24):
## 2013-07-27 18:57:24 : IKE<1.1.1.1> QM in state OAK_QM_AUTH_AWAIT.
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Start by finding matching member SA (verify 1/1)
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Verify sa: index 1
## 2013-07-27 18:57:24 : IKE<1.1.1.1> IKE: Matching policy: gw ip <1.1.1.1> peer entry id<0>
## 2013-07-27 18:57:24 : IKE<0.0.0.0 > protocol matched expected<0>.
## 2013-07-27 18:57:24 : IKE<0.0.0.0 > port matched expect l:<0>, r<0>.
## 2013-07-27 18:57:24 : ipvx = IPV4
## 2013-07-27 18:57:24 : rcv_local_addr = 4.4.4.0, rcv_local_mask = 255.255.255.0, p_rcv_local_real = 4.4.4.0
## 2013-07-27 18:57:24 : rcv_remote_addr = 3.3.3.0, rcv_remote_mask = 255.255.255.0, p_rcv_remote_real = 3.3.3.0
## 2013-07-27 18:57:24 : ike_p2_id->local_ip = 4.4.4.0, cfg_local_mask = 255.255.255.0, p_cfg_local_real = 4.4.4.0
## 2013-07-27 18:57:24 : ike_p2_id->remote_ip = 3.3.3.0, cfg_remote_mask = 255.255.255.0, p_cfg_remote_real = 3.3.3.0
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Proxy ID match: Located matching Phase 2 SA <4>.
## 2013-07-27 18:57:24 : IKE<1.1.1.1> sa ID for phase 2 sa is <4>. IP version is 4.
## 2013-07-27 18:57:24 : IKE<0.0.0.0 > life (sec or kb): lcl 3600, peer 3600, set 3600.
## 2013-07-27 18:57:24 : IKE<0.0.0.0 > life (sec or kb): lcl 0, peer 0, set 0.
## 2013-07-27 18:57:24 : IKE<1.1.1.1> gen_qm_key()
## 2013-07-27 18:57:24 : IKE<1.1.1.1> load_sa_keys(): enter.
## 2013-07-27 18:57:24 : IKE<1.1.1.1> gen_qm_key()
## 2013-07-27 18:57:24 : IKE<1.1.1.1> load_sa_keys(): enter.
## 2013-07-27 18:57:24 : IKE<1.1.1.1> ikmpd.c 3999. sa ID for phase 2 sa is <4>. IP version is 4.
## 2013-07-27 18:57:24 : IKE<0.0.0.0 > spi hash node removed: type<2>,spi<ff157fce>,ip<1.1.1.2>
## 2013-07-27 18:57:24 : IKE<0.0.0.0 > spi hash node removed: type<2>,spi<9f0446d5>,ip<1.1.1.1>
## 2013-07-27 18:57:24 : IKE<1.1.1.1> clean_all_sa_state_node_from_list->
## 2013-07-27 18:57:24 : IKE<1.1.1.1> no relocate earlier SA-state, not active.
## 2013-07-27 18:57:24 : IKE<1.1.1.1> key_modify: sa index <1> bk_idx <1>.
## 2013-07-27 18:57:24 : IKE<0.0.0.0 > insert_sa_state_to_spi_hash spi<ff157fcf>, sa_index<1>, Incoming
## 2013-07-27 18:57:24 : IKE<0.0.0.0 > insert_sa_state_to_spi_hash spi<9f0446d6>, sa_index<1>, Outgoing
## 2013-07-27 18:57:24 : IKE<1.1.1.1> update acvpn flags for sa 1
## 2013-07-27 18:57:24 : IKE<1.1.1.1> update acvpn flags for sa 1 - 0x4001e3
## 2013-07-27 18:57:24 : IKE<1.1.1.1> crypto_ctx 11, 8, 8, 8, 0, 0, 16, 0, 12, 48
## 2013-07-27 18:57:24 : IKE<1.1.1.1> modify esp tunnel: src (peer) ipv4 <1.1.1.1>
## 2013-07-27 18:57:24 : IKE<1.1.1.1> modifying esp tunnel: self <ipv4 1.1.1.2>
## 2013-07-27 18:57:24 : IKE<1.1.1.1> update auto NHTB status for sa 1
## 2013-07-27 18:57:24 : IKE<1.1.1.1> after mod, out nsptunnel <0612a210>.
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Phase 2 msg-id <081926a6>: Completed Quick Mode negotiation with SPI <ff157fcf>, tunnel ID <4>, and lifetime <3600> seconds/<0> KB.
## 2013-07-27 18:57:24 : IKE<1.1.1.1> Application sa installed.
## 2013-07-27 18:57:24 : IKE<1.1.1.1> oakley_process_quick_mode():exit
## 2013-07-27 18:57:24 : IKE<1.1.1.1> IKE msg done: PKI state<0> IKE state<3/80522f>
## 2013-07-27 18:57:33 : IKE<1.1.1.1> Delete conn entry...
## 2013-07-27 18:57:33 : IKE<1.1.1.1> ...found conn entry(e5838c70)
SSG520->
FW2 get config
SSG520-> get config
set interface ethernet0/3 ip 1.1.1.2/24
set interface ethernet0/3 route
set interface loopback.1 ip 4.4.4.4/24
set interface loopback.1 nat
set ike gateway "vpn2" address 1.1.1.1 Main outgoing-interface "ethernet0/3" preshare "51Hv+Jp4N/VS7SsGmLCPrAr/uunXaaep+w==" proposal "pre-g1-des-md5"
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
set vpn "vpn2" gateway "vpn2" no-replay tunnel idletime 0 proposal "nopfs-esp-des-md5"
set vpn "vpn2" monitor rekey
set policy id 4 from "Untrust" to "Trust" "3.3.3.0/24" "4.4.4.0/24" "ANY" tunnel vpn "vpn2" id 0x4 pair-policy 3 log
set policy id 3 from "Trust" to "Untrust" "4.4.4.0/24" "3.3.3.0/24" "ANY" tunnel vpn "vpn2" id 0x4 pair-policy 4 log
set route 3.3.3.0/24 interface ethernet0/3 gateway 1.1.1.1
FW2 get sa
SSG520-> get sa
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb    Sta   PID vsys
00000004< 1.1.1.1         500  esp: des/md5  00000000 expir    unlim I/I   4   0
00000004> 1.1.1.1         500  esp: des/md5  00000000 expir    unlim I/I   3   0
SSG520-> get sa
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb    Sta   PID vsys
00000004< 1.1.1.1         500  esp: des/md5  ff157fcb 3578     unlim A/U   4   0
00000004> 1.1.1.1         500  esp: des/md5  9f0446d1 3578     unlim A/U   3   0
FW2 get ike cookie
SSG520-> get ike cookie
IKEv1 SA -- Active: 1, Dead: 0, Total 1
80522f/0003, 1.1.1.2:500->1.1.1.1:500, PRESHR/grp1/DES/MD5, xchg(2) (vpn2/grp-1/usr-1)
resent-tmr 26845440 lifetime 28800 lt-recv 28800 nxt_rekey 28593 cert-expire 0
initiator, err cnt 0, send dir 0, cond 0x0
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 0, peer 0
IKEv2 SA -- Active: 0, Dead: 0, Total 0
FW2 get vpn
SSG520-> get vpn
Name            Gateway         Mode RPlay 1st Proposal         Monitor Use Cnt Interface
--------------- --------------- ---- ----- -------------------- ------- ------- ---------------
vpn2            vpn2            tunl No    nopfs-esp-des-md5    on      2       eth0/3
Total Auto VPN: 1
Total Pure Transport Mode IPSEC VPN: 0
Name       Gateway         Interface       Lcl SPI  Rmt SPI  Algorithm        Monitor Tunnel ID
---------- --------------- --------------- -------- -------- ---------------- ------- ----------
Total Manual VPN 0