Friday, May 6, 2016

Site-to-Site IPsec VPN between Check Point Firewall and Cisco Router

I recently received and downloaded my CCSA PDF cert from the Check Point User Center portal. I called the Check Point support hotline and was told they stopped shipping the hard copy cert last year (2015). Creating a User Center account is one of the prerequisites before taking the CCSA exam. This is my second cert for this year and hopefully I can add a couple more. I'm currently studying for ITILv3 Foundation and planning to sit for the exam by next month.


Below is the continuation of my IPsec VPN lab, but this time it's between a Check Point firewall and a Cisco IOS router.


Before Gateways can exchange encryption keys and build VPN tunnels, they first need to authenticate to each other. Gateways authenticate to each other by presenting one of two types of "credentials":

* Certificates - Each Gateway presents a Certificate which contains identifying information of the Gateway itself, and the gateway's public key, both of which are signed by the trusted CA. For convenience, Check Point has its own Internal CA that automatically issues Certificates for all internally managed Gateways, requiring no configuration by the user. In addition, Check Point supports other PKI solutions.

* Pre-shared secret - A pre-shared secret is defined for a pair of Gateways. Each Gateway proves that it knows the agreed-upon pre-shared secret. The pre-shared secret can be a mixture of letters and numbers, a password of some kind.

Certificates are the preferred means, since they are considered more secure. In addition, since the Internal CA on the Security Management Server automatically provides a Certificate to each Check Point Gateway it manages, it is more convenient to use this type of authentication.

However, if a VPN tunnel needs to be created with an externally managed Gateway (a Gateway managed by a different Security Management Server), the externally managed Gateway:

* Might support Certificates, but only certificates issued by an external CA, in which case each Gateway needs to trust the other's CA.

* May not support Certificates; in which case, VPN supports the use of a pre-shared secret. A "secret" is defined per external Gateway. If there are five internal Gateways and two externally managed Gateways, then there are two pre-shared secrets. The two pre-shared secrets are used by the five internally managed Gateways. In other words, all the internally managed Gateways use the same pre-shared secret when communicating with a particular externally managed Gateway.


There's an excellent guide on Check Point's website for configuring IPsec VPN between a Check Point security gateway and a Cisco IOS router. In my virtual lab, I configured a site-to-site IPsec VPN tunnel between R1 and CP-SG1.


These are the IKE Phase 1 and IKE Phase 2 policies configured in R1. The IKE Phase 1 hash, SHA1, is the default and is not shown in the output.


Create the Security Gateway under Network Objects > Check Point and tick the IPsec VPN blade under General Properties.


Choose the VPN encryption domain under Topology > VPN Domain > Manually defined.



Create the Interoperable Device object by right-clicking on Network Objects > Others > Interoperable Device.


In SmartDashboard go to More > IPsec VPN tab > New > choose Meshed Community.


Create a VPN Community Name under General properties.


Choose both the Check Point firewall and Cisco router network objects as the Participating Gateways and click OK.


Choose IKEv1 only (the default option) > VPN A, which is a custom encryption suite that uses 3DES, SHA1 and DH Group 2.


Under Advanced Settings > Shared Secret > tick Use only Shared Secret for all External members > click Edit and type the same pre-shared key configured on the Cisco IPsec VPN peer (cisco123). Click OK and then Yes.


It's also recommended to tick Disable NAT inside the VPN community under Advanced VPN Properties.



Create the remote VPN Domain for the Cisco VPN peer by going to Network Objects > right-click on Networks > choose Network.


Assign the remote VPN encryption domain by double-clicking on the Cisco-VPN Interoperable Device > Topology > Manually defined and choosing the created Cisco-VPN-peer-network.


In SmartDashboard go to Firewall tab > Policy and create the IPsec VPN rule. Right-click under the VPN column and choose Edit Cell.


Choose Only connections encrypted in specific VPN Communities > Add > choose the created Meshed VPN Community CP-Cisco-VPN and click OK twice.


Choose Accept and Log under the Action and Track columns respectively. Click Save and Install Policy.


Verify the IKE Phase 1 and IKE Phase 2 SAs using the vpn tu command on the Security Gateway and view the logs in SmartView Tracker.


Use the debug crypto isakmp and debug crypto ipsec commands on the Cisco IOS router.

R1#
*Mar  2 11:15:14.735: ISAKMP (0): received packet from 192.168.1.111 dport 500 sport 500 Global (N) NEW SA
*Mar  2 11:15:14.735: ISAKMP: Created a peer struct for 192.168.1.111, peer port 500
*Mar  2 11:15:14.739: ISAKMP: New peer created peer = 0x655B09E4 peer_handle = 0x80000006
*Mar  2 11:15:14.739: ISAKMP: Locking peer struct 0x655B09E4, refcount 1 for crypto_isakmp_process_block
*Mar  2 11:15:14.743: ISAKMP: local port 500, remote port 500
*Mar  2 11:15:14.747: ISAKMP:(0):insert sa successfully sa = 682CBF70
*Mar  2 11:15:14.747: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  2 11:15:14.751: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Mar  2 11:15:14.759: ISAKMP:(0): processing SA payload. message ID = 0
*Mar  2 11:15:14.759: ISAKMP:(0): processing vendor id payload
*Mar  2 11:15:14.763: ISAKMP:(0): vendor ID seems Unity/DPD but major 175 mismatch
*Mar  2 11:15:14.763: ISAKMP:(0): processing vendor id payload
*Mar  2 11:15:14.767: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Mar  2 11:15:14.767: ISAKMP:(0):found peer pre-shared key matching 192.168.1.111
*Mar  2 11:15:14.771: ISAKMP:(0): local preshared key found
*Mar  2 11:15:14.771: ISAKMP : Scanning profiles for xauth ...
*Mar  2 11:15:14.771: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Mar  2 11:15:14.775: ISAKMP:      encryption 3DES-CBC
*Mar  2 11:15:14.775: ISAKMP:      hash SHA
*Mar  2 11:15:14.775: ISAKMP:      auth pre-share
*Mar  2 11:15:14.779: ISAKMP:      default group 2
*Mar  2 11:15:14.779: ISAKMP:      life type in seconds
*Mar  2 11:15:14.779: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  2 11:15:14.787: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar  2 11:15:14.787: ISAKMP:(0):Acceptable atts:actual life: 0
*Mar  2 11:15:14.787: ISAKMP:(0):Acceptable atts:life: 0
*Mar  2 11:15:14.791: ISAKMP:(0):Fill atts in sa vpi_length:4
*Mar  2 11:15:14.791: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Mar  2 11:15:14.795: ISAKMP:(0):Returning Actual lifetime: 86400
*Mar  2 11:15:14.795: ISAKMP:(0)::Started lifetime timer: 86400.
*Mar  2 11:15:14.795: ISAKMP:(0): processing vendor id payload
*Mar  2 11:15:14.799: ISAKMP:(0): vendor ID seems Unity/DPD but major 175 mismatch
*Mar  2 11:15:14.799: ISAKMP:(0): processing vendor id payload
*Mar  2 11:15:14.803: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Mar  2 11:15:14.803: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  2 11:15:14.807: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
*Mar  2 11:15:14.819: ISAKMP:(0): sending packet to 192.168.1.111 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar  2 11:15:14.819: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  2 11:15:14.823: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  2 11:15:14.827: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
*Mar  2 11:15:14.883: ISAKMP (0): received packet from 192.168.1.111 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar  2 11:15:14.887: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  2 11:15:14.887: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
*Mar  2 11:15:14.895: ISAKMP:(0): processing KE payload. message ID = 0
*Mar  2 11:15:15.023: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar  2 11:15:15.027: ISAKMP:(0):found peer pre-shared key matching 192.168.1.111
*Mar  2 11:15:15.035: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  2 11:15:15.035: ISAKMP:(1002):Old State = IKE_R_MM3  New State = IKE_R_MM3
*Mar  2 11:15:15.047: ISAKMP:(1002): sending packet to 192.168.1.111 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar  2 11:15:15.051: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Mar  2 11:15:15.051: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  2 11:15:15.055: ISAKMP:(1002):Old State = IKE_R_MM3  New State = IKE_R_MM4
*Mar  2 11:15:15.095: ISAKMP (1002): received packet from 192.168.1.111 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Mar  2 11:15:15.099: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  2 11:15:15.099: ISAKMP:(1002):Old State = IKE_R_MM4  New State = IKE_R_MM5
*Mar  2 11:15:15.107: ISAKMP:(1002): processing ID payload. message ID = 0
*Mar  2 11:15:15.107: ISAKMP (1002): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.1.111
        protocol     : 0
        port         : 0
        length       : 12
*Mar  2 11:15:15.111: ISAKMP:(0):: peer matches *none* of the profiles
*Mar  2 11:15:15.115: ISAKMP:(1002): processing HASH payload. message ID = 0
*Mar  2 11:15:15.115: ISAKMP:(1002):SA authentication status:
        authenticated
*Mar  2 11:15:15.119: ISAKMP:(1002):SA has been authenticated with 192.168.1.111
*Mar  2 11:15:15.119: ISAKMP: Trying to insert a peer 192.168.1.1/192.168.1.111/500/,  and inserted successfully 655B09E4.
*Mar  2 11:15:15.123: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  2 11:15:15.127: ISAKMP:(1002):Old State = IKE_R_MM5  New State = IKE_R_MM5
*Mar  2 11:15:15.139: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  2 11:15:15.139: ISAKMP (1002): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.1.1
        protocol     : 17
        port         : 500
        length       : 12
*Mar  2 11:15:15.143: ISAKMP:(1002):Total payload length: 12
*Mar  2 11:15:15.147: ISAKMP:(1002): sending packet to 192.168.1.111 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar  2 11:15:15.151: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Mar  2 11:15:15.155: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  2 11:15:15.155: ISAKMP:(1002):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Mar  2 11:15:15.163: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  2 11:15:15.167: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
R1#
*Mar  2 11:15:15.207: ISAKMP (1002): received packet from 192.168.1.111 dport 500 sport 500 Global (R) QM_IDLE     
*Mar  2 11:15:15.211: ISAKMP: set new node -609086266 to QM_IDLE     
*Mar  2 11:15:15.215: ISAKMP:(1002): processing HASH payload. message ID = 3685881030
*Mar  2 11:15:15.219: ISAKMP:(1002): processing SA payload. message ID = 3685881030
*Mar  2 11:15:15.219: ISAKMP:(1002):Checking IPSec proposal 1
*Mar  2 11:15:15.219: ISAKMP: transform 1, ESP_3DES
*Mar  2 11:15:15.223: ISAKMP:   attributes in transform:
*Mar  2 11:15:15.223: ISAKMP:      SA life type in seconds
*Mar  2 11:15:15.223: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
*Mar  2 11:15:15.231: ISAKMP:      authenticator is HMAC-SHA
*Mar  2 11:15:15.231: ISAKMP:      encaps is 1 (Tunnel)
*Mar  2 11:15:15.231: ISAKMP:(1002):atts are acceptable.
*Mar  2 11:15:15.235: IPSEC(validate_proposal_request): proposal part #1
*Mar  2 11:15:15.235: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.1.1:0, remote= 192.168.1.111:0,
    local_proxy= 10.3.3.0/255.255.255.0/256/0,
    remote_proxy= 10.1.1.0/255.255.255.0/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Mar  2 11:15:15.243: Crypto mapdb : proxy_match
        src addr     : 10.3.3.0
        dst addr     : 10.1.1.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Mar  2 11:15:15.247: ISAKMP:(1002): processing NONCE payload. message ID = 3685881030
*Mar  2 11:15:15.247: ISAKMP:(1002): processing ID payload. message ID = 3685881030
*Mar  2 11:15:15.251: ISAKMP:(1002): processing ID payload. message ID = 3685881030
*Mar  2 11:15:15.267: ISAKMP:(1002):QM Responder gets spi
*Mar  2 11:15:15.271: ISAKMP:(1002):Node 3685881030, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  2 11:15:15.271: ISAKMP:(1002):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
*Mar  2 11:15:15.279: ISAKMP:(1002):Node 3685881030, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Mar  2 11:15:15.279: ISAKMP:(1002):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_IPSEC_INSTALL_AWAIT
*Mar  2 11:15:15.287: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Mar  2 11:15:15.291: Crypto mapdb : proxy_match
        src addr     : 10.3.3.0
        dst addr     : 10.1.1.0
        protocol     : 256
        src port     : 0
        dst port     : 0
*Mar  2 11:15:15.291: IPSEC(crypto_ipsec_create_ipsec_sas): Map found CMAP
*Mar  2 11:15:15.299: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 192.168.1.111
*Mar  2 11:15:15.319: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.1.1, sa_proto= 50,
    sa_spi= 0xB6BF9D8D(3066011021),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 1
    sa_lifetime(k/sec)= (4608000/3600)
*Mar  2 11:15:15.323: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.1.111, sa_proto= 50,
    sa_spi= 0x954B4C1A(2504739866),
    sa_trans= esp-3des
R1#esp-sha-hmac , sa_conn_id= 2
    sa_lifetime(k/sec)= (4608000/3600)
*Mar  2 11:15:15.331:  ISAKMP: Failed to find peer index node to update peer_info_list
*Mar  2 11:15:15.335: ISAKMP:(1002):Received IPSec Install callback... proceeding with the negotiation
*Mar  2 11:15:15.403: ISAKMP:(1002): sending packet to 192.168.1.111 my_port 500 peer_port 500 (R) QM_IDLE     
*Mar  2 11:15:15.403: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Mar  2 11:15:15.411: ISAKMP:(1002):Node 3685881030, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Mar  2 11:15:15.411: ISAKMP:(1002):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2
*Mar  2 11:15:15.459: ISAKMP (1002): received packet from 192.168.1.111 dport 500 sport 500 Global (R) QM_IDLE     
*Mar  2 11:15:15.463: ISAKMP:(1002):deleting node -609086266 error FALSE reason "QM done (await)
*Mar  2 11:15:15.463: ISAKMP:(1002):Node 3685881030, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  2 11:15:15.467: ISAKMP:(1002):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
*Mar  2 11:15:15.471: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Mar  2 11:15:15.471: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Mar  2 11:15:15.479: IPSEC: Expand action denied, notify RP
*Mar  2 11:15:15.543: ISAKMP (1002): received packet from 192.168.1.111 dport 500 sport 500 Global (R) QM_IDLE
*Mar  2 11:15:15.547: ISAKMP:(1002): phase 2 packet is a duplicate of a previous packet.
*Mar  2 11:15:15.547: ISAKMP:(1002): retransmitting due to retransmit phase 2
*Mar  2 11:15:15.551: ISAKMP:(1002): ignoring retransmission,because phase2 node marked dead -609086266
*Mar  2 11:15:15.655: ISAKMP (1002): received packet from 192.168.1.111 dport 500 sport 500 Global (R) QM_IDLE     
*Mar  2 11:15:15.655: ISAKMP:(1002): phase 2 packet is a duplicate of a previous packet.
*Mar  2 11:15:15.659: ISAKMP:(1002): retransmitting due to retransmit phase 2
*Mar  2 11:15:15.659: ISAKMP:(1002): ignoring retransmission,because phase2 node marked dead -609086266

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.1.1     192.168.1.111   QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA

R1#show crypto ipsec sa

interface: FastEthernet1/0
    Crypto map tag: CMAP, local addr 192.168.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer 192.168.1.111 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.111
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: 0x954B4C1A(2504739866)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xB6BF9D8D(3066011021)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: 1, sibling_flags 80000040, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4258294/3575)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x954B4C1A(2504739866)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: 2, sibling_flags 80000040, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4258294/3575)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:
         
     outbound pcp sas:
