[Cisco技术网] - Cisco IPsec VPN Redundancy with HS...

Source: Baidu Wenku | Editor: 神马文学网 | Time: 2024/04/29 17:33:08


1. Lab Topology

(Topology diagram not reproduced; the layout below is read from the configurations in section 2.) IR is the remote site: LAN 192.168.20.0/24 on FastEthernet0/0, WAN address 88.1.1.1 on Ethernet1/0, default route via 88.1.1.2. R1 (99.1.1.1) and R2 (99.1.1.2) are the head-end pair on 99.1.1.0/24; they share HSRP virtual address 99.1.1.3 on Ethernet1/0 and connect through Ethernet1/1 to the inside segment 172.16.1.0/24, where the router named "insdie" (172.16.1.10) fronts LAN 192.168.10.0/24. IR's crypto ACL protects 192.168.20.0/24 to 172.16.1.0/24 and its only IPsec peer is the virtual address 99.1.1.3, so whichever hub is HSRP Active terminates the tunnel.

2. Configuration
R1#sh running-config
Building configuration...
Current configuration : 1448 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
!
!
!
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 10
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set vpn esp-aes esp-sha-hmac
!
crypto dynamic-map map1 10
set transform-set vpn
reverse-route
!
!
crypto map map2 10 ipsec-isakmp dynamic map1
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Ethernet1/0
ip address 99.1.1.1 255.255.255.0
duplex full
standby ip 99.1.1.3
standby timers 1 4
standby name vpn
standby track Ethernet1/1
crypto map map2 redundancy vpn
!
interface Ethernet1/1
ip address 172.16.1.1 255.255.255.0
duplex full
!
interface Ethernet1/2
no ip address
shutdown
duplex half
!
interface Ethernet1/3
no ip address
shutdown
duplex half
!
router ospf 10
log-adjacency-changes
redistribute static subnets
network 172.16.1.0 0.0.0.255 area 0
default-information originate
!
ip route 0.0.0.0 0.0.0.0 99.1.1.20
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
!
end

R2#sh running-config
Building configuration...
Current configuration : 1448 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
!
!
!
!
!
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 10
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set vpn esp-aes esp-sha-hmac
!
crypto dynamic-map map1 10
set transform-set vpn
reverse-route
!
!
crypto map map2 10 ipsec-isakmp dynamic map1
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Ethernet1/0
ip address 99.1.1.2 255.255.255.0
duplex full
standby ip 99.1.1.3
standby timers 1 4
standby name vpn
standby track Ethernet1/1
crypto map map2 redundancy vpn
!
interface Ethernet1/1
ip address 172.16.1.2 255.255.255.0
duplex full
!
interface Ethernet1/2
no ip address
shutdown
duplex half
!
interface Ethernet1/3
no ip address
shutdown
duplex half
!
router ospf 10
log-adjacency-changes
redistribute static subnets
network 172.16.1.0 0.0.0.255 area 0
default-information originate
!
ip route 0.0.0.0 0.0.0.0 99.1.1.20
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
!
end

IR#sh running-config
Building configuration...
Current configuration : 1273 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname IR
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
!
!
!
!
!
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 99.1.1.3 no-xauth
crypto isakmp keepalive 10
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set vpn esp-aes esp-sha-hmac
!
crypto map map1 10 ipsec-isakmp
set peer 99.1.1.3
set transform-set vpn
match address accvpn
!
!
!
!
interface FastEthernet0/0
ip address 192.168.20.101 255.255.255.0
duplex half
!
interface Ethernet1/0
ip address 88.1.1.1 255.255.255.0
duplex full
crypto map map1
!
interface Ethernet1/1
no ip address
shutdown
duplex half
!
interface Ethernet1/2
no ip address
shutdown
duplex half
!
interface Ethernet1/3
no ip address
shutdown
duplex half
!
ip route 0.0.0.0 0.0.0.0 88.1.1.2
!
no ip http server
no ip http secure-server
!
!
!
ip access-list extended accvpn
permit ip 192.168.20.0 0.0.0.255 172.16.1.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
!
end
insdie#sh run
insdie#sh running-config
Building configuration...
Current configuration : 869 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname insdie
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.10.100 255.255.255.0
duplex half
!
interface Ethernet1/0
ip address 172.16.1.10 255.255.255.0
duplex full
!
interface Ethernet1/1
no ip address
shutdown
duplex half
!
interface Ethernet1/2
no ip address
shutdown
duplex half
!
interface Ethernet1/3
no ip address
shutdown
duplex half 
!
router ospf 10
log-adjacency-changes
network 172.16.1.0 0.0.0.255 area 0
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
!
end

3. Verifying the Configuration
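As an added example (not part of the original lab), the following Python script performs a static consistency check of the R1 and R2 configurations above before any traffic is tested: it verifies that the HSRP group named in "crypto map map2 redundancy vpn" exists, that the inside interface is tracked, that the dynamic map carries reverse-route and OSPF redistributes the resulting static route, that the crypto settings on both hubs are identical, and it flags settings a production review would question. It works on the un-indented text as printed on this page.

```python
import re

# Relevant lines of R1's running-config, copied from section 2 above. R2's config is
# identical apart from its own Ethernet1/0 address, so it is derived from R1's here.
R1 = """\
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set vpn esp-aes esp-sha-hmac
!
crypto dynamic-map map1 10
set transform-set vpn
reverse-route
!
crypto map map2 10 ipsec-isakmp dynamic map1
!
interface Ethernet1/0
ip address 99.1.1.1 255.255.255.0
standby ip 99.1.1.3
standby name vpn
standby track Ethernet1/1
crypto map map2 redundancy vpn
!
router ospf 10
redistribute static subnets
!
"""
R2 = R1.replace("ip address 99.1.1.1 ", "ip address 99.1.1.2 ")

def blocks(cfg):
    """'!'-delimited blocks keyed by first line (the page's configs lost IOS's indent)."""
    out = {}
    for chunk in cfg.split("\n!\n"):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            out[lines[0]] = lines
    return out

def check_redundancy(cfg):
    """Findings for one hub; an empty list means the HSRP and IPsec pieces fit together."""
    b, findings = blocks(cfg), []
    iface = next((v for k, v in b.items() if k.startswith("interface")
                  and any(l.startswith("crypto map") for l in v)), [])
    m = re.search(r"crypto map (\S+) redundancy (\S+)", "\n".join(iface))
    if not m:
        return ["no interface applies a crypto map with 'redundancy <hsrp-name>'"]
    mapname, group = m.groups()
    if f"standby name {group}" not in iface:
        findings.append(f"redundancy group {group!r} does not match the standby name")
    if not any(l.startswith("standby track") for l in iface):
        findings.append("no 'standby track': an inside-link failure will not move the VIP")
    hdr = rf"crypto map {re.escape(mapname)} \d+ ipsec-isakmp dynamic (\S+)"
    dyn = next((mm.group(1) for mm in map(lambda k: re.match(hdr, k), b) if mm), None)
    dblock = next((v for k, v in b.items() if k.startswith(f"crypto dynamic-map {dyn} ")), [])
    if "reverse-route" not in dblock:
        findings.append(f"{mapname}: no dynamic entry with reverse-route, so the active hub "
                        "never injects the remote LAN route")
    ospf = next((v for k, v in b.items() if k.startswith("router ospf")), [])
    if "redistribute static subnets" not in ospf:
        findings.append("OSPF does not redistribute static routes: the RRI route stays on the hub")
    return findings

def peer_differences(a_cfg, b_cfg):
    """Blocks that must match on both hubs: ISAKMP policy/key, transform set, crypto maps, HSRP VIP/name."""
    a, b = blocks(a_cfg), blocks(b_cfg)
    hsrp = lambda c: {l for v in c.values() for l in v if l.startswith(("standby ip", "standby name"))}
    diffs = [k for k in a if k.startswith("crypto") and a[k] != b.get(k)]
    return diffs + (["standby ip/name"] if hsrp(a) != hsrp(b) else [])

WEAK = [(r"address 0\.0\.0\.0 0\.0\.0\.0", "wildcard pre-shared key: any peer holding the key can authenticate"),
        (r"^hash md5$", "ISAKMP policy uses MD5"), (r"^group 2$", "ISAKMP policy uses 1024-bit DH group 2")]

def weak_settings(cfg):
    """Settings that work in the lab but a reviewer would flag in production."""
    return [msg for pat, msg in WEAK if re.search(pat, cfg, re.M)]
```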


IR#ping 172.16.1.1 source 192.168.20.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.101
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 204/252/292 ms

R2#sh crypto isakmp sa
dst src state conn-id slot status
99.1.1.3 88.1.1.1 QM_IDLE 1 0 ACTIVE
R2#sh crypto ipsec sa
interface: Ethernet1/0
Crypto map tag: map2, local addr 99.1.1.3
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
current_peer 88.1.1.1 port 500
PERMIT, flags={}
#pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
#pkts decaps: 27, #pkts decrypt: 27, #pkts verify: 27
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 99.1.1.3, remote crypto endpt.: 88.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb Ethernet1/0
current outbound spi: 0x64B5B4BF(1689629887)
inbound esp sas:
spi: 0x56891EF1(1451826929)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: map2
sa timing: remaining key lifetime (k/sec): (4401086/2712)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x64B5B4BF(1689629887)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: map2
sa timing: remaining key lifetime (k/sec): (4401086/2711)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1#show standby brief
P indicates configured to preempt.
|
Interface Grp Prio P State Active Standby Virtual IP
Et1/0 0 100 Standby 99.1.1.2 local 99.1.1.3
R2#sh standby brief
P indicates configured to preempt.
|
Interface Grp Prio P State Active Standby Virtual IP
Et1/0 0 100 Active local 99.1.1.1 99.1.1.3
R2#
R2(config)#int e1/0
R2(config-if)#shutdown
R2(config-if)#
*Apr 8 22:19:00.131: %HSRP-5-STATECHANGE: Ethernet1/0 Grp 0 state Active -> Init
*Apr 8 22:19:02.151: %LINK-5-CHANGED: Interface Ethernet1/0, changed state to administratively down
*Apr 8 22:19:03.151: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/0, changed state to down
IR#ping 172.16.1.1 source 192.168.20.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.101
...!!
Success rate is 40 percent (2/5), round-trip min/avg/max = 72/148/224 ms
R1#
*Apr 8 22:19:30.543: %HSRP-5-STATECHANGE: Ethernet1/0 Grp 0 state Standby -> Active
*Apr 8 22:20:08.607: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=99.1.1.3, prot=50, spi=0x56891EF1(1451826929), srcaddr=88.1.1.1
*Apr 8 22:20:12.527: %CRYPTO-4-IKMP_NO_SA: IKE message from 88.1.1.1 has no SA and is not an initialization offer
R1#sh crypto isakmp sa
dst src state conn-id slot status
99.1.1.3 88.1.1.1 QM_IDLE 1 0 ACTIVE
R1#sh crypto ipsec sa
interface: Ethernet1/0
Crypto map tag: map2, local addr 99.1.1.3
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
current_peer 88.1.1.1 port 500
PERMIT, flags={}
#pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
#pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 99.1.1.3, remote crypto endpt.: 88.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb Ethernet1/0
current outbound spi: 0xD2F9BF4F(3539582799)
inbound esp sas:
spi: 0xCD6A2AA6(3446287014)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: map2
sa timing: remaining key lifetime (k/sec): (4400262/3549)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD2F9BF4F(3539582799)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: map2
sa timing: remaining key lifetime (k/sec): (4400262/3549)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1#sh standby brief
P indicates configured to preempt.
|
Interface Grp Prio P State Active Standby Virtual IP
Et1/0 0 100 Active local unknown 99.1.1.3
R1#
insdie#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.16.1.1 to network 0.0.0.0
C 192.168.10.0/24 is directly connected, FastEthernet0/0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Ethernet1/0
O E2 192.168.20.0/24 [110/20] via 172.16.1.1, 00:04:23, Ethernet1/0
O*E2 0.0.0.0/0 [110/1] via 172.16.1.1, 00:05:17, Ethernet1/0

4. Troubleshooting
R2#sh debugging
Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto IPSEC debugging is on
R2#
*Apr 8 22:29:49.967: %HSRP-5-STATECHANGE: Ethernet1/0 Grp 0 state Standby -> Active
R2#
*Apr 8 22:29:59.379: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=99.1.1.3, prot=50, spi=0xCD6A2AA6(3446287014), srcaddr=88.1.1.1
*Apr 8 22:29:59.387: ISAKMP: received ke message (3/1)
*Apr 8 22:29:59.387: ISAKMP: set new node -98533463 to QM_IDLE
*Apr 8 22:29:59.395: ISAKMP:(0:1:SW:1): sending packet to 88.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE
*Apr 8 22:29:59.395: ISAKMP:(0:1:SW:1):purging node -98533463
*Apr 8 22:29:59.395: ISAKMP: Trying to decrement ipsec count below 0
*Apr 8 22:29:59.399: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
*Apr 8 22:29:59.399: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Apr 8 22:30:03.435: ISAKMP (0:0): received packet from 88.1.1.1 dport 500 sport 500 Global (N) NEW SA
*Apr 8 22:30:03.435: %CRYPTO-4-IKMP_NO_SA: IKE message from 88.1.1.1 has no SA and is not an initialization offer
*Apr 8 22:30:05.367: ISAKMP: received ke message (3/1)
*Apr 8 22:30:05.371: ISAKMP: set new node 636067551 to QM_IDLE
*Apr 8 22:30:05.375: ISAKMP:(0:1:SW:1): sending packet to 88.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE
*Apr 8 22:30:05.375: ISAKMP:(0:1:SW:1):purging node 636067551
*Apr 8 22:30:05.379: ISAKMP: Trying to decrement ipsec count below 0
*Apr 8 22:30:05.379: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
*Apr 8 22:30:05.379: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Apr 8 22:30:05.391: ISAKMP (0:0): received packet from 88.1.1.1 dport 500 sport 500 Global (N) NEW SA
*Apr 8 22:30:07.443: ISAKMP (0:0): received packet from 88.1.1.1 dport 500 sport 500 Global (N) NEW SA
*Apr 8 22:30:09.403: ISAKMP (0:0): received packet from 88.1.1.1 dport 500 sport 500 Global (N) NEW SA
*Apr 8 22:30:11.383: ISAKMP (0:0): received packet from 88.1.1.1 dport 500 sport 500 Global (N) NEW SA
*Apr 8 22:30:13.403: ISAKMP (0:0): received packet from 88.1.1.1 dport 500 sport 500 Global (N) NEW SA
*Apr 8 22:30:16.091: ISAKMP (0:0): received packet from 88.1.1.1 dport 500 sport 500 Global (N) NEW SA
*Apr 8 22:30:16.091: ISAKMP: Found a peer struct for 88.1.1.1, peer port 500
*Apr 8 22:30:16.091: ISAKMP: Locking peer struct 0x654AB864, IKE refcount 2 for crypto_isakmp_process_block
*Apr 8 22:30:16.095: ISAKMP: local port 500, remote port 500
*Apr 8 22:30:16.095: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 654C1340
*Apr 8 22:30:16.099: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 8 22:30:16.099: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
*Apr 8 22:30:16.107: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Apr 8 22:30:16.107: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Apr 8 22:30:16.107: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*Apr 8 22:30:16.111: ISAKMP (0:0): vendor ID is NAT-T v7
*Apr 8 22:30:16.111: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Apr 8 22:30:16.111: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
*Apr 8 22:30:16.115: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
*Apr 8 22:30:16.115: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Apr 8 22:30:16.115: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Apr 8 22:30:16.115: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Apr 8 22:30:16.119: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 88.1.1.1
*Apr 8 22:30:16.119: ISAKMP:(0:0:N/A:0): local preshared key found
*Apr 8 22:30:16.119: ISAKMP : Scanning profiles for xauth ...
*Apr 8 22:30:16.123: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
*Apr 8 22:30:16.123: ISAKMP: encryption AES-CBC
*Apr 8 22:30:16.123: ISAKMP: keylength of 128
*Apr 8 22:30:16.123: ISAKMP: hash MD5
*Apr 8 22:30:16.123: ISAKMP: default group 2
*Apr 8 22:30:16.127: ISAKMP: auth pre-share
*Apr 8 22:30:16.127: ISAKMP: life type in seconds
*Apr 8 22:30:16.127: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Apr 8 22:30:16.131: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Apr 8 22:30:16.199: ISAKMP:(0:2:SW:1): processing vendor id payload
*Apr 8 22:30:16.199: ISAKMP:(0:2:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
*Apr 8 22:30:16.203: ISAKMP (0:134217730): vendor ID is NAT-T v7
*Apr 8 22:30:16.203: ISAKMP:(0:2:SW:1): processing vendor id payload
*Apr 8 22:30:16.203: ISAKMP:(0:2:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
*Apr 8 22:30:16.203: ISAKMP:(0:2:SW:1): vendor ID is NAT-T v3
*Apr 8 22:30:16.207: ISAKMP:(0:2:SW:1): processing vendor id payload
*Apr 8 22:30:16.207: ISAKMP:(0:2:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
*Apr 8 22:30:16.207: ISAKMP:(0:2:SW:1): vendor ID is NAT-T v2
*Apr 8 22:30:16.211: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 8 22:30:16.211: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Apr 8 22:30:16.219: ISAKMP:(0:2:SW:1): constructed NAT-T vendor-07 ID
*Apr 8 22:30:16.223: ISAKMP:(0:2:SW:1): sending packet to 88.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Apr 8 22:30:16.223: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 8 22:30:16.223: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Apr 8 22:30:16.683: ISAKMP (0:134217730): received packet from 88.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
*Apr 8 22:30:16.687: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 8 22:30:16.687: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Apr 8 22:30:16.691: ISAKMP:(0:2:SW:1): processing KE payload. message ID = 0
*Apr 8 22:30:16.767: ISAKMP:(0:2:SW:1): processing NONCE payload. message ID = 0
*Apr 8 22:30:16.771: ISAKMP:(0:2:SW:1):found peer pre-shared key matching 88.1.1.1
*Apr 8 22:30:16.775: ISAKMP:(0:2:SW:1):SKEYID state generated
*Apr 8 22:30:16.775: ISAKMP:(0:2:SW:1): processing vendor id payload
*Apr 8 22:30:16.779: ISAKMP:(0:2:SW:1): vendor ID is Unity
*Apr 8 22:30:16.779: ISAKMP:(0:2:SW:1): processing vendor id payload
*Apr 8 22:30:16.779: ISAKMP:(0:2:SW:1): vendor ID is DPD
*Apr 8 22:30:16.783: ISAKMP:(0:2:SW:1): processing vendor id payload
*Apr 8 22:30:16.783: ISAKMP:(0:2:SW:1): speaking to another IOS box!
*Apr 8 22:30:16.783: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 8 22:30:16.787: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Apr 8 22:30:16.791: ISAKMP:(0:2:SW:1): sending packet to 88.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Apr 8 22:30:16.795: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 8 22:30:16.795: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Apr 8 22:30:17.239: ISAKMP (0:134217730): received packet from 88.1.1.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Apr 8 22:30:17.243: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 8 22:30:17.243: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Apr 8 22:30:17.247: ISAKMP:(0:2:SW:1): processing ID payload. message ID = 0
*Apr 8 22:30:17.247: ISAKMP (0:134217730): ID payload
next-payload : 8
type : 1
address : 88.1.1.1
protocol : 17
port : 500
length : 12
*Apr 8 22:30:17.251: ISAKMP:(0:2:SW:1):: peer matches *none* of the profiles
*Apr 8 22:30:17.251: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 0
*Apr 8 22:30:17.255: ISAKMP:received payload type 17
*Apr 8 22:30:17.255: ISAKMP:(0:2:SW:1): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 654C1340
*Apr 8 22:30:17.259: ISAKMP:(0:2:SW:1):SA authentication status:
authenticated
*Apr 8 22:30:17.259: ISAKMP:(0:2:SW:1): Process initial contact,
bring down existing phase 1 and 2 SA's with local 99.1.1.3 remote 88.1.1.1 remote port 500
*Apr 8 22:30:17.263: ISAKMP:(0:1:SW:1):received initial contact, deleting SA
*Apr 8 22:30:17.263: ISAKMP:(0:1:SW:1):peer does not do paranoid keepalives.
*Apr 8 22:30:17.263: ISAKMP:(0:1:SW:1):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 88.1.1.1)
*Apr 8 22:30:17.267: ISAKMP:(0:2:SW:1):SA authentication status:
authenticated
*Apr 8 22:30:17.267: ISAKMP:(0:2:SW:1):SA has been authenticated with 88.1.1.1
*Apr 8 22:30:17.267: ISAKMP:(0:2:SW:1):IKE_DPD is enabled, initializing timers
*Apr 8 22:30:17.271: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 8 22:30:17.271: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Apr 8 22:30:17.275: IPSEC(key_engine): got a queue event with 1 kei messages
*Apr 8 22:30:17.279: ISAKMP: set new node -1288721922 to QM_IDLE
*Apr 8 22:30:17.283: ISAKMP:(0:1:SW:1): sending packet to 88.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE
*Apr 8 22:30:17.287: ISAKMP:(0:1:SW:1):purging node -1288721922
*Apr 8 22:30:17.287: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Apr 8 22:30:17.291: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Apr 8 22:30:17.295: ISAKMP:(0:2:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Apr 8 22:30:17.295: ISAKMP (0:134217730): ID payload
next-payload : 8
type : 1
address : 99.1.1.3
protocol : 17
port : 500
length : 12
*Apr 8 22:30:17.299: ISAKMP:(0:2:SW:1):Total payload length: 12
*Apr 8 22:30:17.303: ISAKMP:(0:2:SW:1): sending packet to 88.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Apr 8 22:30:17.303: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 8 22:30:17.307: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Apr 8 22:30:17.311: ISAKMP:(0:1:SW:1):deleting SA reason "No reason" state (R) QM_IDLE (peer 88.1.1.1)
*Apr 8 22:30:17.311: ISAKMP: Unlocking IKE struct 0x654AB864 for isadb_mark_sa_deleted(), count 1
*Apr 8 22:30:17.315: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 8 22:30:17.319: ISAKMP:(0:1:SW:1):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Apr 8 22:30:17.323: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Apr 8 22:30:17.323: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Apr 8 22:30:17.803: ISAKMP (0:134217730): received packet from 88.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
*Apr 8 22:30:17.803: ISAKMP: set new node -1360568730 to QM_IDLE
*Apr 8 22:30:17.811: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = -1360568730
*Apr 8 22:30:17.811: ISAKMP:(0:2:SW:1): processing SA payload. message ID = -1360568730
*Apr 8 22:30:17.811: ISAKMP:(0:2:SW:1):Checking IPSec proposal 1
*Apr 8 22:30:17.811: ISAKMP: transform 1, ESP_AES
*Apr 8 22:30:17.815: ISAKMP: attributes in transform:
*Apr 8 22:30:17.815: ISAKMP: encaps is 1 (Tunnel)
*Apr 8 22:30:17.815: ISAKMP: SA life type in seconds
*Apr 8 22:30:17.815: ISAKMP: SA life duration (basic) of 3600
*Apr 8 22:30:17.815: ISAKMP: SA life type in kilobytes
*Apr 8 22:30:17.819: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Apr 8 22:30:17.819: ISAKMP: authenticator is HMAC-SHA
*Apr 8 22:30:17.819: ISAKMP: key length is 128
*Apr 8 22:30:17.819: ISAKMP:(0:2:SW:1):atts are acceptable.
*Apr 8 22:30:17.823: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 99.1.1.3, remote= 88.1.1.1,
local_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2
*Apr 8 22:30:17.831: ISAKMP:(0:2:SW:1): processing NONCE payload. message ID = -1360568730
*Apr 8 22:30:17.831: ISAKMP:(0:2:SW:1): processing ID payload. message ID = -1360568730
*Apr 8 22:30:17.831: ISAKMP:(0:2:SW:1): processing ID payload. message ID = -1360568730
*Apr 8 22:30:17.835: ISAKMP:(0:2:SW:1): asking for 1 spis from ipsec
*Apr 8 22:30:17.835: ISAKMP:(0:2:SW:1):Node -1360568730, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Apr 8 22:30:17.835: ISAKMP:(0:2:SW:1):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Apr 8 22:30:17.843: IPSEC(key_engine): got a queue event with 1 kei messages
*Apr 8 22:30:17.843: IPSEC(spi_response): getting spi 957834060 for SA
from 99.1.1.3 to 88.1.1.1 for prot 3
*Apr 8 22:30:17.847: ISAKMP: received ke message (2/1)
*Apr 8 22:30:17.855: ISAKMP: Locking peer struct 0x654AB864, IPSEC refcount 1 for for stuff_ke
*Apr 8 22:30:17.855: ISAKMP:(0:2:SW:1): Creating IPSec SAs
*Apr 8 22:30:17.859: inbound SA from 88.1.1.1 to 99.1.1.3 (f/i) 0/ 0
(proxy 192.168.20.0 to 172.16.1.0)
*Apr 8 22:30:17.859: has spi 0x3917634C and conn_id 0 and flags 2
*Apr 8 22:30:17.859: lifetime of 3600 seconds
*Apr 8 22:30:17.859: lifetime of 4608000 kilobytes
*Apr 8 22:30:17.863: has client flags 0x0
*Apr 8 22:30:17.863: outbound SA from 99.1.1.3 to 88.1.1.1 (f/i) 0/0
(proxy 172.16.1.0 to 192.168.20.0)
*Apr 8 22:30:17.863: has spi 793704121 and conn_id 0 and flags A
*Apr 8 22:30:17.863: lifetime of 3600 seconds
*Apr 8 22:30:17.867: lifetime of 4608000 kilobytes
*Apr 8 22:30:17.867: has client flags 0x0
*Apr 8 22:30:17.871: ISAKMP:(0:2:SW:1): sending packet to 88.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE
*Apr 8 22:30:17.871: ISAKMP:(0:2:SW:1):Node -1360568730, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
*Apr 8 22:30:17.875: ISAKMP:(0:2:SW:1):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
*Apr 8 22:30:17.875: IPSEC(key_engine): got a queue event with 2 kei messages
*Apr 8 22:30:17.875: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 99.1.1.3, remote= 88.1.1.1,
local_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x3917634C(957834060), conn_id= 0, keysize= 128, flags= 0x2
*Apr 8 22:30:17.883: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 99.1.1.3, remote= 88.1.1.1,
local_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x2F4EF6B9(793704121), conn_id= 0, keysize= 128, flags= 0xA
*Apr 8 22:30:17.891: IPSEC(rte_mgr): VPN Route Event static keyword or dynamic SA create for peer 88.1.1.1
*Apr 8 22:30:17.891: IPSEC(rte_mgr): VPN Route Refcount 1 Ethernet1/0
*Apr 8 22:30:17.891: IPSEC(rte_mgr): VPN Route Added 192.168.20.0 255.255.255.0 via 88.1.1.1 in IP DEFAULT TABLE with tag 0
*Apr 8 22:30:17.895: IPSec: Flow_switching Allocated flow for sibling 80000003
*Apr 8 22:30:17.895: IPSEC(policy_db_add_ident): src 172.16.1.0, dest 192.168.20.0, dest_port 0
*Apr 8 22:30:17.899: ISAKMP: Locking peer struct 0x654AB864, IPSEC refcount 2 for from create_transforms
*Apr 8 22:30:17.899: IPSEC(create_sa): sa created,
(sa) sa_dest= 99.1.1.3, sa_proto= 50,
sa_spi= 0x3917634C(957834060),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2002
*Apr 8 22:30:17.903: IPSEC(create_sa): sa created,
(sa) sa_dest= 88.1.1.1, sa_proto= 50,
sa_spi= 0x2F4EF6B9(793704121),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2001
*Apr 8 22:30:17.903: ISAKMP: Unlocking IPSEC struct 0x654AB864 from create_transforms, count 1
*Apr 8 22:30:18.119: ISAKMP (0:134217730): received packet from 88.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
*Apr 8 22:30:18.123: ISAKMP:(0:2:SW:1):deleting node -1360568730 error FALSE reason "QM done (await)"
*Apr 8 22:30:18.123: ISAKMP:(0:2:SW:1):Node -1360568730, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Apr 8 22:30:18.127: ISAKMP:(0:2:SW:1):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Apr 8 22:30:18.127: IPSEC(key_engine): got a queue event with 1 kei messages
*Apr 8 22:30:18.131: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Apr 8 22:30:18.131: IPSEC(key_engine_enable_outbound): enable SA with spi 793704121/50
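Added example (not from the original page): a small Python analyzer that reads the debug lines above and correlates the HSRP takeover with what follows, which is what a monitoring pipeline would alert on. The stale SPI 0xCD6A2AA6 in the %CRYPTO-4-RECVD_PKT_INV_SPI message is the inbound SPI R1 showed in section 3, so the remote peer keeps sending traffic keyed to the old active hub until IKE restarts with INITIAL_CONTACT; the script measures that gap. It assumes a log year (IOS omits it) and that the local address of interest is the HSRP virtual address 99.1.1.3.

```python
import re
from datetime import datetime

# Constructed sample: the key lines from R2's debug output above, including the
# multi-line IPSEC(create_sa) records exactly as IOS prints them.
LOG = """\
*Apr 8 22:29:49.967: %HSRP-5-STATECHANGE: Ethernet1/0 Grp 0 state Standby -> Active
*Apr 8 22:29:59.379: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=99.1.1.3, prot=50, spi=0xCD6A2AA6(3446287014), srcaddr=88.1.1.1
*Apr 8 22:30:03.435: %CRYPTO-4-IKMP_NO_SA: IKE message from 88.1.1.1 has no SA and is not an initialization offer
*Apr 8 22:30:17.263: ISAKMP:(0:1:SW:1):received initial contact, deleting SA
*Apr 8 22:30:17.899: IPSEC(create_sa): sa created,
(sa) sa_dest= 99.1.1.3, sa_proto= 50,
sa_spi= 0x3917634C(957834060),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2002
*Apr 8 22:30:17.903: IPSEC(create_sa): sa created,
(sa) sa_dest= 88.1.1.1, sa_proto= 50,
sa_spi= 0x2F4EF6B9(793704121),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2001
*Apr 8 22:30:18.131: IPSEC(key_engine_enable_outbound): enable SA with spi 793704121/50
"""

TS = re.compile(r"^\*(\w{3}) +(\d+) (\d\d:\d\d:\d\d\.\d{3}): (.*)$")
INV_SPI = re.compile(r"INV_SPI: .*destaddr=([\d.]+), prot=(\d+), spi=(0x[0-9A-Fa-f]+)\(\d+\), srcaddr=([\d.]+)")
NEW_SA = re.compile(r"\(create_sa\): sa created, \(sa\) sa_dest= ([\d.]+), sa_proto= (\d+), sa_spi= (0x[0-9A-Fa-f]+)")

def records(log, year=2000):
    """(timestamp, message) pairs; IOS debug continuation lines carry no timestamp and
    are folded into the preceding record. IOS logs omit the year, so one is assumed."""
    out = []
    for line in log.splitlines():
        m = TS.match(line)
        if m:
            mon, day, clock, msg = m.groups()
            out.append([datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S.%f"), msg])
        elif out:
            out[-1][1] += " " + line.strip()
    return [tuple(r) for r in out]

def analyze_failover(log, local_ip):
    """Correlate the HSRP takeover with the IPsec/IKE events that follow on the new active hub."""
    recs = records(log)
    t0 = next((ts for ts, msg in recs if "%HSRP-5-STATECHANGE" in msg and msg.endswith("-> Active")), None)
    if t0 is None:
        return None
    rel = lambda ts: round((ts - t0).total_seconds(), 3)
    stale, no_sa, new_sas, initial_contact = [], 0, [], None
    for ts, msg in recs:
        if ts < t0:
            continue
        if (m := INV_SPI.search(msg)) and m.group(1) == local_ip:
            stale.append((rel(ts), m.group(3), m.group(4)))    # ESP keyed to the old active hub's SA
        elif "%CRYPTO-4-IKMP_NO_SA" in msg:
            no_sa += 1                                        # IKE for a phase 1 SA this hub never had
        elif "received initial contact" in msg and initial_contact is None:
            initial_contact = rel(ts)                         # peer restarted phase 1 from scratch
        elif m := NEW_SA.search(msg):
            direction = "inbound" if m.group(1) == local_ip else "outbound"
            new_sas.append((rel(ts), direction, m.group(3)))
    return {
        "failover_at": t0.strftime("%H:%M:%S.%f")[:-3],
        "stale_spis": stale,
        "ike_no_sa": no_sa,
        "initial_contact_s": initial_contact,
        "new_sas": new_sas,
        "recovery_s": new_sas[0][0] if new_sas else None,   # HSRP Active -> first new IPsec SA
    }

if __name__ == "__main__":
    for k, v in analyze_failover(LOG, "99.1.1.3").items():
        print(f"{k:18} {v}")
```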