We help IT Professionals succeed at work.

Cisco easy VPN issue

L-Plate
L-Plate asked
on
hello all,

i am having issues trying to connect a Cisco IOS router as easy VPN client to the HQ easy VPN server - VPN 3000 series concentrator. can anybody tell from the crypto debugs on the remote router what the issue might be?

RTRSlovakiaWH#
RTRSlovakiaWH#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
RTRSlovakiaWH(config)#int eth 1
000123: *Mar  1 00:03:59.095 UTC: IPSEC(key_engine): major = 1
000124: *Mar  1 00:03:59.095 UTC: IPSEC(key_engine): expired_timer
RTRSlovakiaWH(config-if)#crypto ipsec client ezvpn uk
RTRSlovakiaWH(config-if)#
000125: *Mar  1 00:04:02.631 UTC: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
000126: *Mar  1 00:04:02.631 UTC: ISAKMP: Looking for a matching key for 212.86.84.40 in default
000127: *Mar  1 00:04:02.635 UTC: ISAKMP: received ke message (1/1)
000128: *Mar  1 00:04:02.635 UTC: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
000129: *Mar  1 00:04:02.635 UTC: ISAKMP: Created a peer struct for 212.86.84.40, peer port 500
000130: *Mar  1 00:04:02.635 UTC: ISAKMP: Locking peer struct 0x81A6EFB4, IKE refcount 1 for isakmp_initiator
000131: *Mar  1 00:04:02.635 UTC: ISAKMP:(0:0:N/A:0):Setting client config settings 81B52744
000132: *Mar  1 00:04:02.635 UTC: ISAKMP: local port 500, remote port 500
000133: *Mar  1 00:04:02.639 UTC: insert sa successfully sa = 818AB56C
000134: *Mar  1 00:04:02.639 UTC: ISAKMP:(0:1:HW:2): client mode configured.
000135: *Mar  1 00:04:02.639 UTC: ISAKMP:(0:1:HW:2): constructed NAT-T vendor-03 ID
000136: *Mar  1 00:04:02.643 UTC: ISAKMP:(0:1:HW:2): constructed NAT-T vendor-02 ID
A pre-shared key for address mask 212.86.84.40 255.255.255.255 already exists!

000137: *Mar  1 00:04:03.083 UTC: ISAKMP:(0:1:HW:2):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID
000138: *Mar  1 00:04:03.083 UTC: ISAKMP (0:268435457): ID payload
      next-payload : 13
      type         : 11
      group id     : NCHSlovakiaWH100
      protocol     : 17
      port         : 0
      length       : 24
000139: *Mar  1 00:04:03.083 UTC: ISAKMP:(0:1:HW:2):Total payload length: 24
000140: *Mar  1 00:04:03.083 UTC: ISAKMP:(0:1:HW:2):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
000141: *Mar  1 00:04:03.083 UTC: ISAKMP:(0:1:HW:2):Old State = IKE_READY  New State = ýo)úbal (I) AG_INIT_EXCH
000145: *Mar  1 00:04:03.423 UTC: ISAKMP:(0:1:HW:2): processing SA payload. message ID = 0
000146: *Mar  1 00:04:03.423 UTC: ISAKMP:(0:1:HW:2): processing ID payload. message ID = 0
000147: *Mar  1 00:04:03.423 UTC: ISAKMP (0:268435457): ID payload
      next-payload : 8
      type         : 1
      address      : 212.86.84.40
      protocol     : 17
      port         : 0
      length       : 12
000148: *Mar  1 00:04:03.427 UTC: ISAKMP:(0:1:HW:2): processing vendor id payload
000149: *Mar  1 00:04:03.427 UTC: ISAKMP:(0:1:HW:2): vendor ID is Unity
000150: *Mar  1 00:04:03.427 UTC: ISAKMP:(0:1:HW:2): processing vendor id payload
000151: *Mar  1 00:04:03.427 UTC: ISAKMP:(0:1:HW:2): vendor ID seems Unity/DPD but major 215 mismatch
000152: *Mar  1 00:04:03.427 UTC: ISAKMP:(0:1:HW:2): vendor ID is XAUTH
000153: *Mar  1 00:04:03.427 UTC: ISAKMP:(0:1:HW:2): processing vendor id payload
000154: *Mar  1 00:04:03.427 UTC: ISAKMP:(0:1:HW:2): vendor ID is DPD
000155: *Mar  1 00:04:03.431 UTC: ISAKMP:(0:1:HW:2): local preshared key found
000156: *Mar  1 00:04:03.431 UTC: ISAKMP : Scanning profiles for xauth ...
000157: *Mar  1 00:04:03.431 UTC: ISAKMP:(0:1:HW:2): Authentication by xauth preshared
000158: *Mar  1 00:04:03.431 UTC: ISAKMP:(0:1:HW:2):Checking ISAKMP transform 2 against priority 65527 policy
000159: *Mar  1 00:04:03.431 UTC: ISAKMP:      encryption 3DES-CBC
000160: *Mar  1 00:04:03.431 UTC: ISAKMP:      hash MD5
000161: *Mar  1 00:04:03.431 UTC: ISAKMP:      default group 2
000162: *Mar  1 00:04:03.431 UTC: ISAKMP:      auth XAUTHInitPreShared
000163: *Mar  1 00:04:03.435 UTC: ISAKMP:      life type in seconds
000164: *Mar  1 00:04:03.435 UTC: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
000165: *Mar  1 00:04:03.435 UTC: ISAKMP:(0:1:HW:2):Hash algorithm offered does not match policy!
000166: *Mar  1 00:04:03.435 UTC: ISAKMP:(0:1:HW:2):atts are not acceptable. Next payload is 0
000167: *Mar  1 00:04:03.435 UTC: ISAKMP:(0:1:HW:2):Checking ISAKMP transform 2 against priority 65528 policy
000168: *Mar  1 00:04:03.435 UTC: ISAKMP:      encryption 3DES-CBC
000169: *Mar  1 00:04:03.435 UTC: ISAKMP:      hash MD5
000170: *Mar  1 00:04:03.435 UTC: ISAKMP:      default group 2
000171: *Mar  1 00:04:03.439 UTC: ISAKMP:      auth XAUTHInitPreShared
000172: *Mar  1 00:04:03.439 UTC: ISAKMP:      life type in seconds
000173: *Mar  1 00:04:03.439 UTC: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
000174: *Mar  1 00:04:03.439 UTC: ISAKMP:(0:1:HW:2):atts are acceptable. Next payload is 0
000175: *Mar  1 00:04:03.439 UTC: ISAKMP:(0:1:HW:2): processing KE payload. message ID = 0
000176: *Mar  1 00:04:03.879 UTC: ISAKMP:(0:1:HW:2): processing NONCE payload. message ID = 0
000177: *Mar  1 00:04:03.883 UTC: ISAKMP:(0:1:HW:2):SKEYID state generated
000178: *Mar  1 00:04:03.883 UTC: ISAKMP:(0:1:HW:2): processing HASH payload. message ID = 0
000179: *Mar  1 00:04:03.891 UTC: ISAKMP:(0:1:HW:2): vendor ID is NAT-T v2
000180: *Mar  1 00:04:03.891 UTC: ISAKMP:received payload type 17
000181: *Mar  1 00:04:03.891 UTC: ISAKMP:received payload type 17
000182: *Mar  1 00:04:03.891 UTC: ISAKMP:(0:1:HW:2):SA has been authenticated with 212.86.84.40
000183: *Mar  1 00:04:03.891 UTC: ISAKMP: Trying to insert a peer 211.86.83.218/212.86.84.40/500/,  and inserted successfully.
000184: *Mar  1 00:04:03.891 UTC: ISAKMP:(0:1:HW:2):: peer matches *none* of the profiles
000185: *Mar  1 00:04:03.891 UTC: ISAKMP:(0:1:HW:2):Send initial contact
000186: *Mar  1 00:04:03.899 UTC: ISAKMP:(0:1:HW:2): sending packet to 212.86.84.40 my_port 500 peer_port 500 (I) AG_INIT_EXCH
000187: *Mar  1 00:04:03.899 UTC: ISAKMP:(0:1:HW:2):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
000188: *Mar  1 00:04:03.899 UTC: ISAKMP:(0:1:HW:2):Old State = IKE_I_AM1  New State = IKE_P1_COMPLETE

000189: *Mar  1 00:04:03.903 UTC: ISAKMP:(0:1:HW:2):Need XAUTH
000190: *Mar  1 00:04:03.903 UTC: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
000191: *Mar  1 00:04:03.903 UTC: ISAKMP:(0:1:HW:2):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

000192: *Mar  1 00:04:03.911 UTC: ISAKMP (0:268435457): received packet from 212.86.84.40 dport 500 sport 500 Global (I) CONF_XAUTH  
000193: *Mar  1 00:04:03.911 UTC: ISAKMP: set new node 1393683013 to CONF_XAUTH  
000194: *Mar  1 00:04:03.915 UTC: ISAKMP:(0:1:HW:2):processing transaction payload from 212.86.84.40. message ID = 1393683013
000195: *Mar  1 00:04:03.919 UTC: ISAKMP: Config payload REQUEST
000196: *Mar  1 00:04:03.919 UTC: ISAKMP:(0:1:HW:2):checking request:
000197: *Mar  1 00:04:03.919 UTC: ISAKMP:    XAUTH_TYPE_V2
000198: *Mar  1 00:04:03.919 UTC: ISAKMP:    XAUTH_USER_NAME_V2
000199: *Mar  1 00:04:03.919 UTC: ISAKMP:    XAUTH_USER_PASSWORD_V2
000200: *Mar  1 00:04:03.923 UTC: ISAKMP:    XAUTH_MESSAGE_V2
000201: *Mar  1 00:04:03.923 UTC: ISAKMP:(0:1:HW:2):Xauth process request
000202: *Mar  1 00:04:03.923 UTC: ISAKMP:(0:1:HW:2):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
000203: *Mar  1 00:04:03.923 UTC: ISAKMP:(0:1:HW:2):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REPLY_AWAIT

000204: *Mar  1 00:04:03.927 UTC:         xauth-type: 0
000205: *Mar  1 00:04:03.927 UTC:         username: NCHSlovakiaWH200
000206: *Mar  1 00:04:03.927 UTC:         password: <omitted>
000207: *Mar  1 00:04:03.927 UTC:         message <Enter Username and Password.>
000208: *Mar  1 00:04:03.931 UTC: ISAKMP:(0:1:HW:2): responding to peer config from 212.86.84.40. ID = 1393683013
000209: *Mar  1 00:04:03.931 UTC: ISAKMP:(0:1:HW:2): sending packet to 212.86.84.40 my_port 500 peer_port 500 (I) CONF_XAUTH  
000210: *Mar  1 00:04:03.939 UTC: ISAKMP:(0:1:HW:2):deleting node 1393683013 error FALSE reason "done with xauth request/reply exchange"
000211: *Mar  1 00:04:03.939 UTC: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_XAUTH_REPLY_ATTR
000212: *Mar  1 00:04:03.939 UTC: ISAKMP:(0:1:HW:2):Old State = IKE_XAUTH_REPLY_AWAIT  New State = IKE_XAUTH_REPLY_SENT

000213: *Mar  1 00:04:04.247 UTC: ISAKMP (0:268435457): received packet from 212.86.84.40 dport 500 sport 500 Global (I) CONF_XAUTH  
000214: *Mar  1 00:04:04.247 UTC: ISAKMP: set new node -556280520 to CONF_XAUTH  
000215: *Mar  1 00:04:04.251 UTC: ISAKMP:(0:1:HW:2):processing transaction payload from 212.86.84.40. message ID = -556280520
000216: *Mar  1 00:04:04.255 UTC: ISAKMP: Config payload SET
000217: *Mar  1 00:04:04.255 UTC: ISAKMP:(0:1:HW:2):Xauth process set, status = 1
000218: *Mar  1 00:04:04.255 UTC: ISAKMP:(0:1:HW:2):checking SET:
000219: *Mar  1 00:04:04.255 UTC: ISAKMP:    XAUTH_STATUS_V2 XAUTH-OK
000220: *Mar  1 00:04:04.255 UTC: ISAKMP:(0:1:HW:2):attributes sent in message:
000221: *Mar  1 00:04:04.255 UTC:         Status: 1
000222: *Mar  1 00:04:04.267 UTC: ISAKMP:(0:1:HW:2): sending packet to 212.86.84.40 my_port 500 peer_port 500 (I) CONF_XAUTH  
000223: *Mar  1 00:04:04.267 UTC: ISAKMP:(0:1:HW:2):deleting node -556280520 error FALSE reason ""
000224: *Mar  1 00:04:04.267 UTC: ISAKMP:(0:1:HW:2):Input = IKE_MESG_FROM_PEER, IKE_CFG_SET
000225: *Mar  1 00:04:04.267 UTC: ISAKMP:(0:1:HW:2):Old State = IKE_XAUTH_REPLY_SENT  New State = IKE_P1_COMPLETE

000226: *Mar  1 00:04:04.271 UTC: ISAKMP:(0:1:HW:2):Need config/address
000227: *Mar  1 00:04:04.271 UTC: ISAKMP:(0:1:HW:2):Need config/address
000228: *Mar  1 00:04:04.271 UTC: ISAKMP: set new node -868256208 to CONF_ADDR    
000229: *Mar  1 00:04:04.271 UTC: ISAKMP: Sending APPLICATION_VERSION string:
Cisco IOS Software, C831 Software (C831-K9O3SY6-M), Version 12.3(2)XE, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.3(3.5)T
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by Cisco Systems, Inc.
Compiled Wed 19-Nov-03 03:13 by ealyon
000230: *Mar  1 00:04:04.271 UTC: ISAKMP:(0:1:HW:2): initiating peer config to 212.86.84.40. ID = -868256208
000231: *Mar  1 00:04:04.275 UTC: ISAKMP:(0:1:HW:2): sending packet to 212.86.84.40 my_port 500 peer_port 500 (I) CONF_ADDR    
000232: *Mar  1 00:04:04.275 UTC: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
000233: *Mar  1 00:04:04.275 UTC: ISAKMP:(0:1:HW:2):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_MODE_REQ_SENT

000234: *Mar  1 00:04:04.283 UTC: ISAKMP (0:268435457): received packet from 212.86.84.40 dport 500 sport 500 Global (I) CONF_ADDR    
000235: *Mar  1 00:04:04.287 UTC: ISAKMP:(0:1:HW:2):processing transaction payload from 212.86.84.40. message ID = -868256208
000236: *Mar  1 00:04:04.291 UTC: ISAKMP: Config payload REPLY
000237: *Mar  1 00:04:04.291 UTC: ISAKMP(0:268435457) process config reply
000238: *Mar  1 00:04:04.291 UTC: ISAKMP:(0:1:HW:2):deleting node -868256208 error FALSE reason "done with transaction"
000239: *Mar  1 00:04:04.291 UTC: ISAKMP:(0:1:HW:2):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
000240: *Mar  1 00:04:04.291 UTC: ISAKMP:(0:1:HW:2):Old State = IKE_CONFIG_MODE_REQ_SENT  New State = IKE_P1_COMPLETE

000241: *Mar  1 00:04:04.315 UTC: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
000242: *Mar  1 00:04:04.315 UTC: ISAKMP:(0:1:HW:2):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

000243: *Mar  1 00:04:04.315 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 211.86.83.218, remote= 212.86.84.40,
    local_proxy= 10.4.80.0/255.255.240.0/0/0 (type=4),
    remote_proxy= 10.0.0.0/255.255.240.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 2147483s and 4608000kb,
    spi= 0xFF5455B9(4283717049), conn_id= 0, keysize= 0, flags= 0x400A
000244: *Mar  1 00:04:04.319 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 211.86.83.218, remote= 212.86.84.40,
    local_proxy= 10.4.80.0/255.255.240.0/0/0 (type=4),
    remote_proxy= 10.0.0.0/255.255.240.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 2147483s and 4608000kb,
    spi= 0x28BE689F(683567263), conn_id= 0, keysize= 0, flags= 0x400A
000245: *Mar  1 00:04:04.319 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 211.86.83.218, remote= 212.86.84.40,
    local_proxy= 10.4.80.0/255.255.240.0/0/0 (type=4),
    remote_proxy= 10.0.0.0/255.255.240.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac ,
    lifedur= 2147483s and 4608000kb,
    spi= 0x4F649719(1331992345), conn_id= 0, keysize= 0, flags= 0x400A
000246: *Mar  1 00:04:04.323 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 211.86.83.218, remote= 212.86.84.40,
    local_proxy= 10.4.80.0/255.255.240.0/0/0 (type=4),
    remote_proxy= 10.0.0.0/255.255.240.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 2147483s and 4608000kb,
    spi= 0xCA427891(3393353873), conn_id= 0, keysize= 0, flags= 0x400A
000247: *Mar  1 00:04:04.327 UTC: ISAKMP: received ke message (1/4)
000248: *Mar  1 00:04:04.327 UTC: ISAKMP: set new node 0 to QM_IDLE      
000249: *Mar  1 00:04:04.327 UTC: ISAKMP:(0:1:HW:2): sitting IDLE. Starting QM immediately (QM_IDLE      )
000250: *Mar  1 00:04:04.327 UTC: ISAKMP:(0:1:HW:2):beginning Quick Mode exchange, M-ID of -1767969252
000251: *Mar  1 00:04:04.339 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 211.86.83.218, remote= 212.86.84.40,
    local_proxy= 10.4.80.0/255.255.240.0/0/0 (type=4),
    remote_proxy= 172.17.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 2147483s and 4608000kb,
    spi= 0xB8711355(3094418261), conn_id= 0, keysize= 0, flags= 0x400A
000252: *Mar  1 00:04:04.347 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 211.86.83.218, remote= 212.86.84.40,
    local_proxy= 10.4.80.0/255.255.240.0/0/0 (type=4),
    remote_proxy= 172.17.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 2147483s and 4608000kb,
    spi= 0x81E02099(2178949273), conn_id= 0, keysize= 0, flags= 0x400A
000253: *Mar  1 00:04:04.347 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 211.86.83.218, remote= 212.86.84.40,
    local_proxy= 10.4.80.0/255.255.240.0/0/0 (type=4),
    remote_proxy= 172.17.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac ,
    lifedur= 2147483s and 4608000kb,
    spi= 0x4E143C9B(1309949083), conn_id= 0, keysize= 0, flags= 0x400A
000254: *Mar  1 00:04:04.351 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 211.86.83.218, remote= 212.86.84.40,
    local_proxy= 10.4.80.0/255.255.240.0/0/0 (type=4),
    remote_proxy= 172.17.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 2147483s and 4608000kb,
    spi= 0xE4B6ABFE(3837176830), conn_id= 0, keysize= 0, flags= 0x400A
000255: *Mar  1 00:04:04.359 UTC: ISAKMP:(0:1:HW:2): sending packet to 212.86.84.40 my_port 500 peer_port 500 (I) QM_IDLE      
000256: *Mar  1 00:04:04.359 UTC: ISAKMP:(0:1:HW:2):Node -1767969252, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
000257: *Mar  1 00:04:04.359 UTC: ISAKMP:(0:1:HW:2):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
000258: *Mar  1 00:04:04.359 UTC: ISAKMP: received ke message (1/4)
000259: *Mar  1 00:04:04.359 UTC: ISAKMP: set new node 0 to QM_IDLE      
000260: *Mar  1 00:04:04.359 UTC: ISAKMP:(0:1:HW:2): sitting IDLE. Starting QM immediately (QM_IDLE      )
000261: *Mar  1 00:04:04.359 UTC: ISAKMP:(0:1:HW:2):beginning Quick Mode exchange, M-ID of 808372997
000262: *Mar  1 00:04:04.367 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 211.86.83.218, remote= 212.86.84.40,
    local_proxy= 10.4.80.0/255.255.240.0/0/0 (type=4),
    remote_proxy= 10.0.16.71/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 2147483s and 4608000kb,
    spi= 0xF88A3E55(4169809493), conn_id= 0, keysize= 0, flags= 0x400A
000263: *Mar  1 00:04:04.371 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 211.86.83.218, remote= 212.86.84.40,
    local_proxy= 10.4.80.0/255.255.240.0/0/0 (type=4),
    remote_proxy= 10.0.16.71/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 2147483s and 4608000kb,
    spi= 0x592F1CBC(1496259772), conn_id= 0, keysize= 0, flags= 0x400A
000264: *Mar  1 00:04:04.371 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 211.86.83.218, remote= 212.86.84.40,
    local_proxy= 10.4.80.0/255.255.240.0/0/0 (type=4),
    remote_proxy= 10.0.16.71/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-sha-hmac ,
    lifedur= 2147483s and 4608000kb,
    spi= 0x41869D2C(1099341100), conn_id= 0, keysize= 0, flags= 0x400A
000265: *Mar  1 00:04:04.375 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 211.86.83.218, remote= 212.86.84.40,
    local_proxy= 10.4.80.0/255.255.240.0/0/0 (type=4),
    remote_proxy= 10.0.16.71/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 2147483s and 4608000kb,
    spi= 0xBF73A07C(3212025980), conn_id= 0, keysize= 0, flags= 0x400A
000266: *Mar  1 00:04:04.391 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 211.86.83.218, remote= 212.86.84.40,
    local_proxy= 10.4.80.0/255.255.240.0/0/0 (type=4),
    remote_proxy= 10.0.80.0/255.255.240.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 2147483s and 4608000kb,
    spi= 0xF8F7F182(4176998786), conn_id= 0, keysize= 0, flags= 0x400A
000267: *Mar  1 00:04:04.395 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 211.86.83.218, remote= 212.86.84.40,
    local_proxy= 10.4.80.0/255.255.240.0/0/0 (type=4),
    remote_proxy= 10.0.80.0/255.255.240.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 2147483s and 4608000kb,
    spi= 0x1F9A25DA(530195930), conn_id= 0, keysize= 0, flags= 0x400A
000268: *Mar  1 00:04:04.395 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 211.86.83.218, remote= 212.86.84.40,
    local_proxy= 10.4.80.0/255.255.240.0/0/0 (type=4),
    remote_proxy= 10.0.80.0/255.255.240.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac ,
    lifedur= 2147483s and 4608000kb,
    spi= 0x7A977E69(2056748649), conn_id= 0, keysize= 0, flags= 0x400A
000269: *Mar  1 00:04:04.399 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 211.86.83.218, remote= 212.86.84.40,
    local_proxy= 10.4.80.0/255.255.240.0/0/0 (type=4),
    remote_proxy= 10.0.80.0/255.255.240.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 2147483s and 4608000kb,
    spi= 0xDDA2D5E4(3718436324), conn_id= 0, keysize= 0, flags= 0x400A
000270: *Mar  1 00:04:04.403 UTC: ISAKMP:(0:1:HW:2): sending packet to 212.86.84.40 my_port 500 peer_port 500 (I) QM_IDLE      
000271: *Mar  1 00:04:04.407 UTC: ISAKMP:(0:1:HW:2):Node 808372997, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
000272: *Mar  1 00:04:04.407 UTC: ISAKMP:(0:1:HW:2):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
000273: *Mar  1 00:04:04.415 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 211.86.83.218, remote= 212.86.84.40,
    local_proxy= 10.4.80.0/255.255.240.0/0/0 (type=4),
    remote_proxy= 10.2.128.0/255.255.240.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 2147483s and 4608000kb,
    spi= 0x3AE2B059(987934809), conn_id= 0, keysize= 0, flags= 0x400A
000274: *Mar  1 00:04:04.415 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 211.86.83.218, remote= 212.86.84.40,
    local_proxy= 10.4.80.0/255.255.240.0/0/0 (type=4),
    remote_proxy= 10.2.128.0/255.255.240.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 2147483s and 4608000kb,
    spi= 0x46A4B4A3(1185199267), conn_id= 0, keysize= 0, flags= 0x400A
000275: *Mar  1 00:04:04.419 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 211.86.83.218, remote= 212.86.84.40,
    local_proxy= 10.4.80.0/255.255.240.0/0/0 (type=4),
    remote_proxy= 10.2.128.0/255.255.240.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac ,
    lifedur= 2147483s and 4608000kb,
    spi= 0x8173E299(2171855513), conn_id= 0, keysize= 0, flags= 0x400A
000276: *Mar  1 00:04:04.419 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 211.86.83.218, remote= 212.86.84.40,
    local_proxy= 10.4.80.0/255.255.240.0/0/0 (type=4),
    remote_proxy= 10.2.128.0/255.255.240.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 2147483s and 4608000kb,
    spi= 0xA31707A3(2736195491), conn_id= 0, keysize= 0, flags= 0x400A
000277: *Mar  1 00:04:04.423 UTC: ISAKMP (0:268435457): received packet from 212.86.84.40 dport 500 sport 500 Global (I) QM_IDLE      
000278: *Mar  1 00:04:04.423 UTC: ISAKMP: set new node -833937446 to QM_IDLE      
000279: *Mar  1 00:04:04.431 UTC: ISAKMP:(0:1:HW:2): processing HASH payload. message ID = -833937446
000280: *Mar  1 00:04:04.431 UTC: ISAKMP:(0:1:HW:2): processing NOTIFY RESPONDER_LIFETIME protocol 1
      spi 0, message ID = -833937446, sa = 818AB56C
000281: *Mar  1 00:04:04.431 UTC: ISAKMP:(0:1:HW:2): processing responder lifetime
000282: *Mar  1 00:04:04.431 UTC: ISAKMP:(0:1:HW:2): start processing isakmp responder lifetime
000283: *Mar  1 00:04:04.431 UTC: ISAKMP:(0:1:HW:2): restart ike sa timer to 86400 secs
000284: *Mar  1 00:04:04.439 UTC: ISAKMP:(0:1:HW:2):deleting node -833937446 error FALSE reason "informational (in) state 1"
000285: *Mar  1 00:04:04.439 UTC: ISAKMP:(0:1:HW:2):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
000286: *Mar  1 00:04:04.439 UTC: ISAKMP:(0:1:HW:2):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

000287: *Mar  1 00:04:04.439 UTC: ISAKMP (0:268435457): received packet from 212.86.84.40 dport 500 sport 500 Global (I) QM_IDLE      
000288: *Mar  1 00:04:04.439 UTC: ISAKMP: set new node -527525587 to QM_IDLE      
000289: *Mar  1 00:04:04.443 UTC: ISAKMP:(0:1:HW:2): processing HASH payload. message ID = -527525587
000290: *Mar  1 00:04:04.443 UTC: ISAKMP:(0:1:HW:2): processing DELETE payload. message ID = -527525587
000291: *Mar  1 00:04:04.443 UTC: ISAKMP:(0:1:HW:2):peer does not do paranoid keepalives.

000292: *Mar  1 00:04:04.443 UTC: ISAKMP:(0:1:HW:2):deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE       (peer 212.86.84.40) input queue 0
000293: *Mar  1 00:04:04.443 UTC: ISAKMP:(0:1:HW:2):deleting node -527525587 error FALSE reason "informational (in) state 1"
000294: *Mar  1 00:04:04.447 UTC: ISAKMP:(0:1:HW:2):Input = IKE_MESG_FROM_PEER, IKE_INFO_DELETE
000295: *Mar  1 00:04:04.447 UTC: ISAKMP:(0:1:HW:2):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

000296: *Mar  1 00:04:04.447 UTC: ISAKMP: received ke message (1/4)
000297: *Mar  1 00:04:04.447 UTC: ISAKMP: set new node 0 to QM_IDLE      
000298: *Mar  1 00:04:04.447 UTC: ISAKMP:(0:1:HW:2): sitting IDLE. Starting QM immediately (QM_IDLE      )
000299: *Mar  1 00:04:04.447 UTC: ISAKMP:(0:1:HW:2):beginning Quick Mode exchange, M-ID of 297923612
000300: *Mar  1 00:04:04.455 UTC: ISAKMP:(0:1:HW:2): sending packet to 212.86.84.40 my_port 500 peer_port 500 (I) QM_IDLE      
000301: *Mar  1 00:04:04.455 UTC: ISAKMP:(0:1:HW:2):Node 297923612, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
000302: *Mar  1 00:04:04.455 UTC: ISAKMP:(0:1:HW:2):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
000303: *Mar  1 00:04:04.459 UTC: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
000304: *Mar  1 00:04:04.459 UTC: ISAKMP:(0:1:HW:2):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

000305: *Mar  1 00:04:04.459 UTC: ISAKMP: received ke message (1/4)
000306: *Mar  1 00:04:04.459 UTC: ISAKMP: set new node 0 to QM_IDLE      
000307: *Mar  1 00:04:04.463 UTC: ISAKMP:(0:1:HW:2): sitting IDLE. Starting QM immediately (QM_IDLE      )
000308: *Mar  1 00:04:04.463 UTC: ISAKMP:(0:1:HW:2):beginning Quick Mode exchange, M-ID of 2017300063
000309: *Mar  1 00:04:04.471 UTC: ISAKMP:(0:1:HW:2): sending packet to 212.86.84.40 my_port 500 peer_port 500 (I) QM_IDLE      
000310: *Mar  1 00:04:04.471 UTC: ISAKMP:(0:1:HW:2):Node 2017300063, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
000311: *Mar  1 00:04:04.471 UTC: ISAKMP:(0:1:HW:2):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
000312: *Mar  1 00:04:04.475 UTC: ISAKMP (0:268435457): received packet from 212.86.84.40 dport 500 sport 500 Global (I) QM_IDLE      
000313: *Mar  1 00:04:04.475 UTC: ISAKMP (0:268435457): received packet from 212.86.84.40 dport 500 sport 500 Global (I) QM_IDLE      
000314: *Mar  1 00:04:04.479 UTC: ISAKMP:(0:1:HW:2):deleting SA reason "" state (I) QM_IDLE       (peer 212.86.84.40) input queue 0
000315: *Mar  1 00:04:04.479 UTC: ISAKMP: Unlocking IKE struct 0x81A6EFB4 for isadb_mark_sa_deleted(), count 0
000316: *Mar  1 00:04:04.479 UTC: ISAKMP: Deleting peer node by peer_reap for 212.86.84.40: 81A6EFB4
000317: *Mar  1 00:04:04.483 UTC: ISAKMP:(0:1:HW:2):deleting node -1767969252 error FALSE reason ""
000318: *Mar  1 00:04:04.483 UTC: ISAKMP:(0:1:HW:2):deleting node 808372997 error FALSE reason ""
000319: *Mar  1 00:04:04.483 UTC: ISAKMP:(0:1:HW:2):deleting node 297923612 error FALSE reason ""
000320: *Mar  1 00:04:04.487 UTC: ISAKMP:(0:1:HW:2):deleting node 2017300063 error FALSE reason ""
000321: *Mar  1 00:04:04.487 UTC: ISAKMP:(0:1:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000322: *Mar  1 00:04:04.487 UTC: ISAKMP:(0:1:HW:2):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

000323: *Mar  1 00:04:04.487 UTC: ISAKMP: received ke message (1/4)
000324: *Mar  1 00:04:04.487 UTC: ISAKMP: set new node 0 to QM_IDLE      
000325: *Mar  1 00:04:04.487 UTC: ISAKMP:(0:1:HW:2): beginning Main Mode exchange
000326: *Mar  1 00:04:04.519 UTC: ISAKMP: received ke message (1/1)
000327: *Mar  1 00:04:04.523 UTC: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
000328: *Mar  1 00:04:04.523 UTC: ISAKMP: Created a peer struct for 212.86.84.40, peer port 500
000329: *Mar  1 00:04:04.523 UTC: ISAKMP: Locking peer struct 0x818AAADC, IKE refcount 1 for isakmp_initiator
000330: *Mar  1 00:04:04.523 UTC: ISAKMP:(0:0:N/A:0):Setting client config settings 8153B2EC
000331: *Mar  1 00:04:04.523 UTC: ISAKMP: local port 500, remote port 500
000332: *Mar  1 00:04:04.527 UTC: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 81C345E8
000333: *Mar  1 00:04:04.527 UTC: ISAKMP:(0:2:HW:2): client mode configured.
000334: *Mar  1 00:04:04.527 UTC: ISAKMP:(0:2:HW:2): constructed NAT-T vendor-03 ID
000335: *Mar  1 00:04:04.531 UTC: ISAKMP:(0:2:HW:2): constructed NAT-T vendor-02 ID
000336: *Mar  1 00:04:04.979 UTC: ISAKMP:(0:2:HW:2):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID
000337: *Mar  1 00:04:04.979 UTC: ISAKMP (0:268435458): ID payload
      next-payload : 13
      type         : 11
      group id     : NCHSlovakiaWH100
      protocol     : 17
      port         : 0
      length       : 24
000338: *Mar  1 00:04:04.979 UTC: ISAKMP:(0:2:HW:2):Total payload length: 24
000339: *Mar  1 00:04:04.979 UTC: ISAKMP:(0:2:HW:2):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
000340: *Mar  1 00:04:04.983 UTC: ISAKMP:(0:2:HW:2):Old State = IKE_READY  New State = IKE_I_AM1

000341: *Mar  1 00:04:04.983 UTC: ISAKMP:(0:2:HW:2): beginning Aggressive Mode exchange
000342: *Mar  1 00:04:04.983 UTC: ISAKMP:(0:2:HW:2): sending packet to 212.86.84.40 my_port 500 peer_port 500 (I) AG_INIT_EXCH
000343: *Mar  1 00:04:05.323 UTC: ISAKMP (0:268435458): received packet from 212.86.84.40 dport 500 sport 500 Global (I) AG_INIT_EXCH
000344: *Mar  1 00:04:05.327 UTC: ISAKMP:(0:2:HW:2): processing SA payload. message ID = 0
000345: *Mar  1 00:04:05.327 UTC: ISAKMP:(0:2:HW:2): processing ID payload. message ID = 0
000346: *Mar  1 00:04:05.327 UTC: ISAKMP (0:268435458): ID payload
      next-payload : 8
      type         : 1
      address      : 212.86.84.40
      protocol     : 17
      port         : 0
      length       : 12
000347: *Mar  1 00:04:05.327 UTC: ISAKMP:(0:2:HW:2): processing vendor id payload
000348: *Mar  1 00:04:05.327 UTC: ISAKMP:(0:2:HW:2): vendor ID is Unity
000349: *Mar  1 00:04:05.331 UTC: ISAKMP:(0:2:HW:2): processing vendor id payload
000350: *Mar  1 00:04:05.331 UTC: ISAKMP:(0:2:HW:2): vendor ID seems Unity/DPD but major 215 mismatch
000351: *Mar  1 00:04:05.331 UTC: ISAKMP:(0:2:HW:2): vendor ID is XAUTH
000352: *Mar  1 00:04:05.331 UTC: ISAKMP:(0:2:HW:2): processing vendor id payload
000353: *Mar  1 00:04:05.331 UTC: ISAKMP:(0:2:HW:2): vendor ID is DPD
000354: *Mar  1 00:04:05.331 UTC: ISAKMP:(0:2:HW:2): local preshared key found
000355: *Mar  1 00:04:05.331 UTC: ISAKMP : Scanning profiles for xauth ...
000356: *Mar  1 00:04:05.335 UTC: ISAKMP:(0:2:HW:2): Authentication by xauth preshared
000357: *Mar  1 00:04:05.335 UTC: ISAKMP:(0:2:HW:2):Checking ISAKMP transform 2 against priority 65527 policy
000358: *Mar  1 00:04:05.335 UTC: ISAKMP:      encryption 3DES-CBC
000359: *Mar  1 00:04:05.335 UTC: ISAKMP:      hash MD5
000360: *Mar  1 00:04:05.335 UTC: ISAKMP:      default group 2
000361: *Mar  1 00:04:05.335 UTC: ISAKMP:      auth XAUTHInitPreShared
000362: *Mar  1 00:04:05.335 UTC: ISAKMP:      life type in seconds
000363: *Mar  1 00:04:05.335 UTC: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
000364: *Mar  1 00:04:05.335 UTC: ISAKMP:(0:2:HW:2):Hash algorithm offered does not match policy!
000365: *Mar  1 00:04:05.339 UTC: ISAKMP:(0:2:HW:2):atts are not acceptable. Next payload is 0
000366: *Mar  1 00:04:05.339 UTC: ISAKMP:(0:2:HW:2):Checking ISAKMP transform 2 against priority 65528 policy
000367: *Mar  1 00:04:05.339 UTC: ISAKMP:      encryption 3DES-CBC
000368: *Mar  1 00:04:05.339 UTC: ISAKMP:      hash MD5
000369: *Mar  1 00:04:05.339 UTC: ISAKMP:      default group 2
000370: *Mar  1 00:04:05.339 UTC: ISAKMP:      auth XAUTHInitPreShared
000371: *Mar  1 00:04:05.339 UTC: ISAKMP:      life type in seconds
000372: *Mar  1 00:04:05.343 UTC: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
000373: *Mar  1 00:04:05.343 UTC: ISAKMP:(0:2:HW:2):atts are acceptable. Next payload is 0
000374: *Mar  1 00:04:05.343 UTC: ISAKMP:(0:2:HW:2): processing KE payload. message ID = 0
000375: *Mar  1 00:04:05.775 UTC: ISAKMP:(0:2:HW:2): processing NONCE payload. message ID = 0
000376: *Mar  1 00:04:05.783 UTC: ISAKMP:(0:2:HW:2):SKEYID state generated
000377: *Mar  1 00:04:05.783 UTC: ISAKMP:(0:2:HW:2): processing HASH payload. message ID = 0
000378: *Mar  1 00:04:05.791 UTC: ISAKMP:(0:2:HW:2): vendor ID is NAT-T v2
000379: *Mar  1 00:04:05.791 UTC: ISAKMP:received payload type 17
000380: *Mar  1 00:04:05.791 UTC: ISAKMP:received payload type 17
000381: *Mar  1 00:04:05.791 UTC: ISAKMP:(0:2:HW:2):SA has been authenticated with 212.86.84.40
000382: *Mar  1 00:04:05.791 UTC: ISAKMP: Trying to insert a peer 211.86.83.218/212.86.84.40/500/,  and inserted successfully.
000383: *Mar  1 00:04:05.791 UTC: ISAKMP:(0:2:HW:2):: peer matches *none* of the profiles
000384: *Mar  1 00:04:05.795 UTC: ISAKMP:(0:2:HW:2):Send initial contact
000385: *Mar  1 00:04:05.799 UTC: ISAKMP:(0:2:HW:2): sending packet to 212.86.84.40 my_port 500 peer_port 500 (I) AG_INIT_EXCH
000386: *Mar  1 00:04:05.799 UTC: ISAKMP:(0:2:HW:2):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
000387: *Mar  1 00:04:05.799 UTC: ISAKMP:(0:2:HW:2):Old State = IKE_I_AM1  New State = IKE_P1_COMPLETE

000388: *Mar  1 00:04:05.799 UTC: ISAKMP:(0:2:HW:2):Need XAUTH
000389: *Mar  1 00:04:05.799 UTC: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
000390: *Mar  1 00:04:05.803 UTC: ISAKMP:(0:2:HW:2):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

000391: *Mar  1 00:04:05.811 UTC: ISAKMP (0:268435458): received packet from 212.86.84.40 dport 500 sport 500 Global (I) CONF_XAUTH  
000392: *Mar  1 00:04:05.811 UTC: ISAKMP: set new node -1006186145 to CONF_XAUTH  
000393: *Mar  1 00:04:05.815 UTC: ISAKMP:(0:2:HW:2):processing transaction payload from 212.86.84.40. message ID = -1006186145
000394: *Mar  1 00:04:05.819 UTC: ISAKMP: Config payload REQUEST
000395: *Mar  1 00:04:05.819 UTC: ISAKMP:(0:2:HW:2):checking request:
000396: *Mar  1 00:04:05.819 UTC: ISAKMP:    XAUTH_TYPE_V2
000397: *Mar  1 00:04:05.819 UTC: ISAKMP:    XAUTH_USER_NAME_V2
000398: *Mar  1 00:04:05.819 UTC: ISAKMP:    XAUTH_USER_PASSWORD_V2
000399: *Mar  1 00:04:05.819 UTC: ISAKMP:    XAUTH_MESSAGE_V2
000400: *Mar  1 00:04:05.819 UTC: ISAKMP:(0:2:HW:2):Xauth process request
000401: *Mar  1 00:04:05.819 UTC: ISAKMP:(0:2:HW:2):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
000402: *Mar  1 00:04:05.823 UTC: ISAKMP:(0:2:HW:2):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REPLY_AWAIT

000403: *Mar  1 00:04:05.823 UTC:         xauth-type: 0
000404: *Mar  1 00:04:05.823 UTC:         username: NCHSlovakiaWH200
000405: *Mar  1 00:04:05.823 UTC:         password: <omitted>
000411: *Mar  1 00:04:05.835 UTC: ISAKMP:(0:2:HW:2):Old State = IKE_XAUTH_REPLY_AWAIT  New State = IKE_XAUTH_REPLY_SENT

000412: *Mar  1 00:04:06.175 UTC: ISAKMP (0:268435458): received packet from 212.86.84.40 dport 500 sport 500 Global (I) CONF_XAUTH  
000413: *Mar  1 00:04:06.175 UTC: ISAKMP: set new node -1101248849 to CONF_XAUTH  
000414: *Mar  1 00:04:06.179 UTC: ISAKMP:(0:2:HW:2):processing transaction payload from 212.86.84.40. message ID = -1101248849
000415: *Mar  1 00:04:06.183 UTC: ISAKMP: Config payload SET
000416: *Mar  1 00:04:06.183 UTC: ISAKMP:(0:2:HW:2):Xauth process set, status = 1
000417: *Mar  1 00:04:06.183 UTC: ISAKMP:(0:2:HW:2):checking SET:
000429: *Mar  1 00:04:06.203 UTC: ISAKMP:(0:2:HW:2): initiating peer config to 212.86.84.40. ID = -1249823783
000430: *Mar  1 00:04:06.203 UTC: ISAKMP:(0:2:HW:2): sending packet to 212.86.84.40 my_port 500 peer_port 500 (I) CONF_ADDR    
000431: *Mar  1 00:04:06.203 UTC: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
000432: *Mar  1 00:04:06.203 UTC: ISAKMP:(0:2:HW:2):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_MODE_REQ_SENT

000433: *Mar  1 00:04:06.859 UTC: ISAKMP (0:268435458): received packet from 212.86.84.40 dport 500 sport 500 Global (I) CONF_ADDR    
000452: *Mar  1 00:04:14.211 UTC: ISAKMP (0:268435458): received packet from 212.86.84.40 dport 500 sport 500 Global (I) QM_IDLE      
000453: *Mar  1 00:04:14.211 UTC: ISAKMP:(0:2:HW:2): phase 2 packet is a duplicate of a previous packet.
000454: *Mar  1 00:04:14.211 UTC: ISAKMP:(0:2:HW:2): retransmitting due to retransmit phase 2
000455: *Mar  1 00:04:14.211 UTC: ISAKMP:(0:2:HW:2): retransmitting phase 2 QM_IDLE       -1249823783 ...
000456: *Mar  1 00:04:14.711 UTC: ISAKMP:(0:2:HW:2): retransmitting phase 2 QM_IDLE       -1249823783 ...
000457: *Mar  1 00:04:14.711 UTC: ISAKMP:(0:2:HW:2):incrementing error counter on sa: retransmit phase 2
000458: *Mar  1 00:04:14.711 UTC: ISAKMP:(0:2:HW:2):incrementing error counter on sa: retransmit phase 2
000459: *Mar  1 00:04:14.711 UTC: ISAKMP:(0:2:HW:2): retransmitting phase 2 -1249823783 QM_IDLE      
000460: *Mar  1 00:04:14.711 UTC: ISAKMP:(0:2:HW:2): sending packet to 212.86.84.40 my_port 500 peer_port 500 (I) QM_IDLE      
000461: *Mar  1 00:04:19.095 UTC: IPSEC(key_engine): major = 1
000462: *Mar  1 00:04:19.095 UTC: IPSEC(key_engine): expired_timer
000463: *Mar  1 00:04:22.211 UTC: ISAKMP (0:268435458): received packet from 212.86.84.40 dport 500 sport 500 Global (I) QM_IDLE      
000464: *Mar  1 00:04:22.211 UTC: ISAKMP:(0:2:HW:2): phase 2 packet is a duplicate of a previous packet.
000465: *Mar  1 00:04:22.211 UTC: ISAKMP:(0:2:HW:2): retransmitting due to retransmit phase 2
000466: *Mar  1 00:04:22.211 UTC: ISAKMP:(0:2:HW:2): retransmitting phase 2 QM_IDLE       -1249823783 ...
000467: *Mar  1 00:04:22.711 UTC: ISAKMP:(0:2:HW:2): retransmitting phase 2 QM_IDLE       -1249823783 ...
000468: *Mar  1 00:04:22.711 UTC: ISAKMP:(0:2:HW:2):incrementing error counter on sa: retransmit phase 2
000469: *Mar  1 00:04:22.711 UTC: ISAKMP:(0:2:HW:2):incrementing error counter on sa: retransmit phase 2
000470: *Mar  1 00:04:22.711 UTC: ISAKMP:(0:2:HW:2): retransmitting phase 2 -1249823783 QM_IDLE      
000471: *Mar  1 00:04:22.711 UTC: ISAKMP:(0:2:HW:2): sending packet to 212.86.84.40 my_port 500 peer_port 500 (I) QM_IDLE      
000472: *Mar  1 00:04:22.715 UTC: ISAKMP (0:268435458): received packet from 212.86.84.40 dport 500 sport 500 Global (I) QM_IDLE      
000473: *Mar  1 00:04:22.719 UTC: ISAKMP:(0:2:HW:2): phase 2 packet is a duplicate of a previous packet.
000474: *Mar  1 00:04:22.719 UTC: ISAKMP:(0:2:HW:2): retransmission skipped for phase 2 (time since last transmission 4)
000475: *Mar  1 00:04:30.719 UTC: ISAKMP (0:268435458): received packet from 212.86.84.40 dport 500 sport 500 Global (I) QM_IDLE      
000476: *Mar  1 00:04:30.719 UTC: ISAKMP: set new node 840256213 to QM_IDLE      
000477: *Mar  1 00:04:30.723 UTC: ISAKMP:(0:2:HW:2): processing HASH payload. message ID = 840256213
000478: *Mar  1 00:04:30.723 UTC: ISAKMP:(0:2:HW:2): processing DELETE payload. message ID = 840256213
000479: *Mar  1 00:04:30.723 UTC: ISAKMP:(0:2:HW:2):peer does not do paranoid keepalives.

000480: *Mar  1 00:04:30.727 UTC: ISAKMP:(0:2:HW:2):deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE       (peer 212.86.84.40) input queue 0
000481: *Mar  1 00:04:30.727 UTC: ISAKMP:(0:2:HW:2):deleting node 840256213 error FALSE reason "informational (in) state 1"
000482: *Mar  1 00:04:30.727 UTC: ISAKMP:(0:2:HW:2):Input = IKE_MESG_FROM_PEER, IKE_INFO_DELETE
000483: *Mar  1 00:04:30.727 UTC: ISAKMP:(0:2:HW:2):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

000484: *Mar  1 00:04:30.731 UTC: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
000485: *Mar  1 00:04:30.731 UTC: ISAKMP:(0:2:HW:2):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

000486: *Mar  1 00:04:30.731 UTC: ISAKMP:(0:2:HW:2):deleting SA reason "" state (I) QM_IDLE       (peer 212.86.84.40) input queue 0
000487: *Mar  1 00:04:30.731 UTC: ISAKMP: Unlocking IKE struct 0x818AAADC for isadb_mark_sa_deleted(), count 0
000488: *Mar  1 00:04:30.735 UTC: ISAKMP: Deleting peer node by peer_reap for 212.86.84.40: 818AAADC
000489: *Mar  1 00:04:30.735 UTC: ISAKMP:(0:2:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000490: *Mar  1 00:04:30.735 UTC: ISAKMP:(0:2:HW:2):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

000491: *Mar  1 00:04:32.711 UTC: ISAKMP:(0:2:HW:2): retransmitting phase 2 MM_NO_STATE -1249823783 ...
000492: *Mar  1 00:04:32.711 UTC: ISAKMP:(0:2:HW:2):incrementing error counter on sa: retransmit phase 2
000493: *Mar  1 00:04:32.711 UTC: ISAKMP:(0:2:HW:2):incrementing error counter on sa: retransmit phase 2
000494: *Mar  1 00:04:32.711 UTC: ISAKMP:(0:2:HW:2): retransmitting phase 2 -1249823783 MM_NO_STATE
000495: *Mar  1 00:04:32.711 UTC: ISAKMP:(0:2:HW:2): sending packet to 212.86.84.40 my_port 500 peer_port 500 (I) MM_NO_STATE
000496: *Mar  1 00:04:39.095 UTC: IPSEC(key_engine): major = 1
000497: *Mar  1 00:04:39.095 UTC: IPSEC(key_engine): expired_timer
000498: *Mar  1 00:04:42.711 UTC: ISAKMP:(0:2:HW:2): retransmitting phase 2 MM_NO_STATE -1249823783 ...
000499: *Mar  1 00:04:42.711 UTC: ISAKMP:(0:2:HW:2):incrementing error counter on sa: retransmit phase 2
000500: *Mar  1 00:04:42.711 UTC: ISAKMP:(0:2:HW:2):incrementing error counter on sa: retransmit phase 2
000501: *Mar  1 00:04:42.711 UTC: ISAKMP:(0:2:HW:2): retransmitting phase 2 -1249823783 MM_NO_STATE
000502: *Mar  1 00:04:42.711 UTC: ISAKMP:(0:2:HW:2): sending packet to 212.86.84.40 my_port 500 peer_port 500 (I) MM_NO_STATE
000503: *Mar  1 00:04:49.823 UTC: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on Ethernet1 (not full duplex), with INTERNET-SWITCH GigabitEthernet0/13 (full duplex).
000504: *Mar  1 00:04:52.711 UTC: ISAKMP:(0:2:HW:2): retransmitting phase 2 MM_NO_STATE -1249823783 ...
000505: *Mar  1 00:04:52.711 UTC: ISAKMP:(0:2:HW:2):incrementing error counter on sa: retransmit phase 2
000506: *Mar  1 00:04:52.711 UTC: ISAKMP:(0:2:HW:2):incrementing error counter on sa: retransmit phase 2
000507: *Mar  1 00:04:52.711 UTC: ISAKMP:(0:2:HW:2): retransmitting phase 2 -1249823783 MM_NO_STATE
000508: *Mar  1 00:04:52.711 UTC: ISAKMP:(0:2:HW:2): sending packet to 212.86.84.40 my_port 500 peer_port 500 (I) MM_NO_STATE
000509: *Mar  1 00:04:54.291 UTC: ISAKMP:(0:1:HW:2):purging node -868256208
000510: *Mar  1 00:04:54.439 UTC: ISAKMP:(0:1:HW:2):purging node -833937446
000511: *Mar  1 00:04:54.443 UTC: ISAKMP:(0:1:HW:2):purging node -527525587
000512: *Mar  1 00:04:54.483 UTC: ISAKMP:(0:1:HW:2):purging node -1767969252
000513: *Mar  1 00:04:54.483 UTC: ISAKMP:(0:1:HW:2):purging node 808372997
000514: *Mar  1 00:04:54.483 UTC: ISAKMP:(0:1:HW:2):purging node 297923612
000515: *Mar  1 00:04:54.487 UTC: ISAKMP:(0:1:HW:2):purging node 2017300063
000516: *Mar  1 00:04:56.871 UTC: ISAKMP:(0:2:HW:2):purging node -1249823783
000517: *Mar  1 00:04:59.095 UTC: IPSEC(key_engine): major = 1
000518: *Mar  1 00:04:59.095 UTC: IPSEC(key_engine): expired_timer
000519: *Mar  1 00:05:04.487 UTC: ISAKMP:(0:1:HW:2):purging SA., sa=818AB56C, delme=818AB56C
000520: *Mar  1 00:05:04.487 UTC: ISAKMP:(0:1:HW:2):purging node -1908192671
000521: *Mar  1 00:05:04.487 UTC: ISAKMP:(0:1:HW:2):purging node -556280520
000522: *Mar  1 00:05:04.487 UTC: ISAKMP:(0:1:HW:2):purging node 1393683013
000523: *Mar  1 00:05:19.095 UTC: IPSEC(key_engine): major = 1
000524: *Mar  1 00:05:19.095 UTC: IPSEC(key_engine): expired_timer
000525: *Mar  1 00:05:20.727 UTC: ISAKMP:(0:2:HW:2):purging node 840256213
000526: *Mar  1 00:05:30.735 UTC: ISAKMP:(0:2:HW:2):purging SA., sa=81C345E8, delme=81C345E8
000527: *Mar  1 00:05:30.735 UTC: ISAKMP:(0:2:HW:2):purging node -1101248849
000528: *Mar  1 00:05:30.735 UTC: ISAKMP:(0:2:HW:2):purging node -1006186145
RTRSlovakiaWH(config-if)#
RTRSlovakiaWH(config-if)#
RTRSlovakiaWH(config-if)#
RTRSlovakiaWH(config-if)#
RTRSlovakiaWH(config-if)#
RTRSlovakiaWH(config-if)#^Z
RTRSlovakiaWH#
RTRSlovakiaWH#
000529: *Mar  1 00:05:39.095 UTC: IPSEC(key_engine): major = 1
000530: *Mar  1 00:05:39.095 UTC: IPSEC(key_engine): expired_timer
RTRSlovakiaWH#
RTRSlovakiaWH#un
000531: *Mar  1 00:05:39.103 UTC: %SYS-5-CONFIG_I: Configured from console by 5Targat3 on console alll
undebug alll
           ^
% Invalid input detected at '^' marker.

RTRSlovakiaWH#
RTRSlovakiaWH#un alll 
All possible debugging has been turned off
RTRSlovakiaWH#
RTRSlovakiaWH#
RTRSlovakiaWH#exit

























Comment
Watch Question

Verify the hasing for both sides.

000165: *Mar  1 00:04:03.435 UTC: ISAKMP:(0:1:HW:2):Hash algorithm offered does not match policy!
And set your eth1 interface to FULL DUPLEX.

000503: *Mar  1 00:04:49.823 UTC: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on Ethernet1 (not full duplex), with INTERNET-SWITCH GigabitEthernet0/13 (full duplex).

Author

Commented:
will try this tomorrow and let you know how it goes.

thanks for your reply.
John MeggersNetwork Architect
Commented:
I suspect the duplex issue is not related, as I see MM_NO_STATE messages prior to the duplex message.  Agreed on double checking the configurations to make sure they are compatible.  Looks to me like Phase 1 is completing and there's something wrong with Phase 2. Any chance you could post sanitized confiigs?

Duplex is not related, I just saw the console message, won't hurt to fix. The "000165: *Mar  1 00:04:03.435 UTC: ISAKMP:(0:1:HW:2):Hash algorithm offered does not match policy!" indicates that the configs on the devices don't agree on the hashing.

Author

Commented:
am still getting the same issue guys, even with trying alternative IPSEC hash algorithm. On the VPN concentrator, in the security association, IPSEC authentication algorithm, there is only 2 options - SHA1 or MD5. I have tried using both options. also, at phase 1, i have tried main and aggresive mode, with both hash algorithms at phase 2, nothing works.

my current router config is this...

Current configuration : 2934 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname RTRSlovakiaWH
!
boot-start-marker
boot-end-marker
!
enable secret................
enable password ................
!
username ..............................
no aaa new-model
ip subnet-zero
 --More--         !
!
ip dhcp excluded-address 10.4.80.0 10.4.80.100
!
ip dhcp pool USERS
   network 10.4.80.0 255.255.240.0
   dns-server 10.0.0.113 10.0.0.114
   default-router 10.4.80.1
   lease 2
!
!
no ip domain lookup
ip domain name nch.com
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh break-string
login block-for 20 attempts 3 within 60
no ftp-server write-enable
 --More--         no scripting tcl init
no scripting tcl encdir
!
!
!
!
!
!
!
!
crypto ipsec client ezvpn uk
 connect auto
 group NCHSlovakiaWH100 key 3xpAn510nNcH776
 mode network-extension
 peer 215.23.45.111
 username NCHSlovakiaWH200 password  .........................
!
!
!
!
interface Ethernet0
 description ## CONNECTS TO LAN ##
 ip address 10.4.80.1 255.255.240.0
 --More--          ip tcp adjust-mss 1452
 crypto ipsec client ezvpn uk inside
!
interface Ethernet1
 ip address 211.84.54.218 255.255.255.224
 ip inspect FIREWALL out
 duplex auto
 crypto ipsec client ezvpn uk
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 shutdown
 --More--          duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip nat inside source route-map EZVPN interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 211.84.54.193
!
no ip http server
no ip http secure-server
!
!
ip access-list extended outside_access_in
 permit esp host 215.23.45.111 host 192.168.1.2
 permit udp host 215.23.45.111 host 192.168.1.2 eq non500-isakmp
 permit udp host 215.23.45.111 host 192.168.1.2 eq isakmp
 permit esp host 215.23.45.111 host 211.84.54.218
 permit udp host 215.23.45.111 host 211.84.54.218 eq non500-isakmp
 permit udp host 215.23.45.111 host 211.84.54.218 eq isakmp
access-list 177 deny   ip 10.4.80.0 0.0.15.255 10.0.0.0 0.255.255.255
access-list 177 permit ip 10.4.80.0 0.0.15.255 any
dialer-list 1 protocol ip permit
route-map EZVPN permit 10
 match ip address 177
!
!
control-plane
!
!
line con 0
 exec-timeout 5 0
 login local
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 exec-timeout 5 0
 password .....................
 --More--          login
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
!
end

RTRSlovakiaWH#                                                      exit



















Author

Commented:
also i have tried this on a cisco 1721 router, again it does not connect. strange thing on this router - i noticed it does not support the username and password command under the crypto config. i see the following error message on the 1721 router when trying to connect...

000251: Jul  6 06:43:05.827 UTC: EZVPN(uk): Pending XAuth Request, Please enter the following command:
000252: Jul  6 06:43:05.827 UTC: EZVPN: crypto ipsec client ezvpn xauth

000253: Jul  6 06:43:16.739 UTC: EZVPN(uk): Pending XAuth Request, Please enter the following command:
000254: Jul  6 06:43:16.739 UTC: EZVPN: crypto ipsec client ezvpn xauth

000255: Jul  6 06:43:26.739 UTC: EZVPN(uk): Pending XAuth Request, Please enter the following command:
000256: Jul  6 06:43:26.739 UTC: EZVPN: crypto ipsec client ezvpn xauth


strange thing is, i really cant see anywhere where i can put the command it tells me to execute - it does not accept it anywhere.

Would it be the:
crypto ipsec client ezvpn uk
 connect auto
 group NCHSlovakiaWH100 key 3xpAn510nNcH776
 mode network-extension
 peer 215.23.45.111
 
part of the config they want you to enter:

crypto ipsec client ezvpn xauth
 connect auto
 group NCHSlovakiaWH100 key 3xpAn510nNcH776
 mode network-extension
 peer 215.23.45.111


???

Sorry, haven't configured EVPN before, only site-to-site.

Author

Commented:
tried that but still getting the same...

RTRSlovakiaWH#sh crypto isakmp sa
dst             src             state          conn-id slot
21...........   21..........  CONF_XAUTH          27    0
21........    21........   MM_NO_STATE         26    0 (deleted)

RTRSlovakiaWH#sh crypto isakmp sa
dst             src             state          conn-id slot
21..............    21..........   CONF_XAUTH          27    0
21..............    21...........   MM_NO_STATE         26    0 (deleted)

RTRSlovakiaWH#
RTRSlovakiaWH#
000804: Jul  6 07:30:34.195 UTC: EZVPN(xauth): Pending XAuth Request, Please enter the following command:
000805: Jul  6 07:30:34.195 UTC: EZVPN: crypto ipsec client ezvpn xauth

Author

Commented:
is my 1st attempt at easy vpn also. normally standard IPSEC site to site.

i am trying to facilitate a site which has a standard DSL connection with dynamic ISP assigned public IP address.

Not finding the easy vpn all that easy lol :)
I hate to suggest it, but have you tried to config this part of the router via CCP?

Author

Commented:
i'm not familiar with CCP to be honest. all my router configs are done via the CLI. Is this a web based tool?
It's the "config for dummies" GUI that Cisco has. I've used SDM to study for exam becuase it was required, I would assume that it would be about the same. Not sure if that would help or not.  http://www.cisco.com/en/US/products/ps9422/index.html