Solved

Cisco C881 Router Site to Site VPN

Posted on 2013-01-14
Last Modified: 2013-01-23
All,

I am having some difficulty getting a site-to-site VPN tunnel to connect between my Cisco C881 router and a customer's Watchguard firewall. I have done this in the past with the same model router, and I believe my VPN configuration is exactly the same. Below is the router config and the output I am getting from debug crypto isakmp and debug crypto ipsec.

Current configuration : 11583 bytes
!
! Last configuration change at 16:44:55 UTC Mon Jan 14 2013 by synergy
! NVRAM config last updated at 16:45:19 UTC Mon Jan 14 2013 by synergy
! NVRAM config last updated at 16:45:19 UTC Mon Jan 14 2013 by synergy
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname MB-ROC-C881-1
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200
logging console critical
enable secret 4 sQSpU5y9dBaNd1lvAu3G0YyzjHVYh5wROTjqRDA0kEw
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local 
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
clock summer-time EDT recurring 1 Sun Mar 2:00 1 Sun Nov 2:00
network-clock-participate wic 0 
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3106417551
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3106417551
 revocation-check none
 rsakeypair TP-self-signed-3106417551
!
!
crypto pki certificate chain TP-self-signed-3106417551
 certificate self-signed 02
  	quit
no ip source-route
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.3.1
!
ip dhcp pool PC-static
 import all
 host 192.168.3.3 255.255.255.248
 client-identifier 0100.25b3.7bbc.52
 default-router 192.168.3.1 
 domain-name XXXXXXX.local
 dns-server 192.168.0.10 
 client-name MBVPNPC1
 lease 1 23
!
ip dhcp pool PHONE-static
 import all
 host 192.168.3.2 255.255.255.248
 client-identifier 01c8.f9f9.6888.24
 domain-name XXXXXXX.local
 dns-server 192.168.0.10 
 client-name 7942IPPHONE
 option 150 ip 192.168.110.10 
 default-router 192.168.3.1 
 lease 1 23
!
ip dhcp pool HomeUse
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1 
 domain-name local.local
 dns-server 4.2.2.2 
 lease 0 2
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name mollenburgbetz.local
ip host MBCUCM 192.168.110.10
ip name-server 8.8.8.8
ip name-server 192.168.0.10
ip name-server 192.168.0.2
ip name-server 4.2.2.2
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
no ipv6 cef
!
!
!
multilink bundle-name authenticated
parameter-map type inspect global
 log dropped-packets enable
!
!
!
!
!
!
!
voice-card 0
!
!
!
archive
 log config
  hidekeys
!
!
!
!
ip tcp synwait-time 10
! 
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXX address 72.45.207.42 no-xauth
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TRANSFORMATION esp-3des esp-md5-hmac 
!
crypto map MAPtoMAIN 1 ipsec-isakmp 
 set peer 72.45.207.42
 set security-association lifetime kilobytes 1280000
 set transform-set TRANSFORMATION 
 match address 100
!
bridge irb
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface BRI1
 no ip address
!
interface BRI2
 no ip address
!
interface FastEthernet0
 description Cisco Phone
 no ip address
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 description Home Use
 no ip address
!
interface FastEthernet3
 description Home Use
 no ip address
!
interface FastEthernet4
 description $FW_OUTSIDE$$ETH-WAN$
 ip address dhcp client-id FastEthernet4
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip flow ingress
 ip nat outside
 ip inspect SDM_MEDIUM out
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map MAPtoMAIN
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0 secondary
 ip address 192.168.3.1 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
no ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map NONAT interface FastEthernet4 overload
!
ip sla 1
 icmp-echo 192.168.0.1 source-ip 192.168.3.1
 frequency 240
ip sla schedule 1 life forever start-time now
logging trap debugging
access-list 100 remark ALLOW
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.112.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.113.0 0.0.0.255
access-list 101 remark NONAT
access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.112.0 0.0.0.255
access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.113.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
no cdp run
!
!
!
!
route-map NONAT permit 100
 match ip address 101
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
voice-port 1
!
voice-port 2
!
voice-port 3
!
voice-port 4
!
voice-port 5
!
voice-port 6
!
voice-port 7
!
!
!
mgcp profile default
!
!
line con 0
 privilege level 15
 logging synchronous
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 102 in
 privilege level 15
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler interval 500
end





000740: Jan 14 16:52:00.731 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 50.75.182.73:500, remote= 72.45.207.42:500, 
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel), 
    lifedur= 86400s and 1280000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
000741: Jan 14 16:52:00.731 UTC: ISAKMP:(0): SA request profile is (NULL)
000742: Jan 14 16:52:00.731 UTC: ISAKMP: Created a peer struct for 72.45.207.42, peer port 500
000743: Jan 14 16:52:00.731 UTC: ISAKMP: New peer created peer = 0x88089548 peer_handle = 0x80000009
000744: Jan 14 16:52:00.731 UTC: ISAKMP: Locking peer struct 0x88089548, refcount 1 for isakmp_initiator
000745: Jan 14 16:52:00.731 UTC: ISAKMP: local port 500, remote port 500
000746: Jan 14 16:52:00.731 UTC: ISAKMP: set new node 0 to QM_IDLE      
000747: Jan 14 16:52:00.731 UTC: ISAKMP:(0):insert sa successfully sa = 8AACE9D4
000748: Jan 14 16:52:00.731 UTC: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
000749: Jan 14 16:52:00.731 UTC: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000750: Jan 14 16:52:00.731 UTC: ISAKMP:(0):found peer pre-shared key matching 72.45.207.42
000751: Jan 14 16:52:00.731 UTC: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
000752: Jan 14 16:52:00.731 UTC: ISAKMP:(0): constructed NAT-T vendor-07 ID
000753: Jan 14 16:52:00.731 UTC: ISAKMP:(0): constructed NAT-T vendor-03 ID
000754: Jan 14 16:52:00.731 UTC: ISAKMP:(0): constructed NAT-T vendor-02 ID
000755: Jan 14 16:52:00.731 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
000756: Jan 14 16:52:00.731 UTC: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 

000757: Jan 14 16:52:00.731 UTC: ISAKMP:(0): beginning Main Mode exchange
000758: Jan 14 16:52:00.731 UTC: ISAKMP:(0): sending packet to 72.45.207.42 my_port 500 peer_port 500 (I) MM_NO_STATE
000759: Jan 14 16:52:00.731 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
000760: Jan 14 16:52:00.747 UTC: ISAKMP (0): received packet from 72.45.207.42 dport 500 sport 500 Global (I) MM_NO_STATE
000761: Jan 14 16:52:00.747 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000762: Jan 14 16:52:00.747 UTC: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2 

000763: Jan 14 16:52:00.747 UTC: ISAKMP:(0): processing SA payload. message ID = 0
000764: Jan 14 16:52:00.747 UTC: ISAKMP:(0): processing vendor id payload
000765: Jan 14 16:52:00.747 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 128 mismatch
000766: Jan 14 16:52:00.751 UTC: ISAKMP:(0): vendor ID is XAUTH
000767: Jan 14 16:52:00.751 UTC: ISAKMP:(0): processing vendor id payload
000768: Jan 14 16:52:00.751 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
000769: Jan 14 16:52:00.751 UTC: ISAKMP:(0): vendor ID is NAT-T v2
000770: Jan 14 16:52:00.751 UTC: ISAKMP:(0):found peer pre-shared key matching 72.45.207.42
000771: Jan 14 16:52:00.751 UTC: ISAKMP:(0): local preshared key found
000772: Jan 14 16:52:00.751 UTC: ISAKMP : Scanning profiles for xauth ...
000773: Jan 14 16:52:00.751 UTC: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
000774: Jan 14 16:52:00.751 UTC: ISAKMP:      encryption 3DES-CBC
000775: Jan 14 16:52:00.751 UTC: ISAKMP:      hash MD5
000776: Jan 14 16:52:00.751 UTC: ISAKMP:      default group 2
000777: Jan 14 16:52:00.751 UTC: ISAKMP:      auth pre-share
000778: Jan 14 16:52:00.751 UTC: ISAKMP:      life type in seconds
000779: Jan 14 16:52:00.751 UTC: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
000780: Jan 14 16:52:00.751 UTC: ISAKMP:(0):atts are acceptable. Next payload is 0
000781: Jan 14 16:52:00.751 UTC: ISAKMP:(0):Acceptable atts:actual life: 0
000782: Jan 14 16:52:00.751 UTC: ISAKMP:(0):Acceptable atts:life: 0
000783: Jan 14 16:52:00.751 UTC: ISAKMP:(0):Fill atts in sa vpi_length:4
000784: Jan 14 16:52:00.751 UTC: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
000785: Jan 14 16:52:00.751 UTC: ISAKMP:(0):Returning Actual lifetime: 86400
000786: Jan 14 16:52:00.751 UTC: ISAKMP:(0)::Started lifetime timer: 86400.

000787: Jan 14 16:52:00.751 UTC: ISAKMP:(0): processing vendor id payload
000788: Jan 14 16:52:00.751 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 128 mismatch
000789: Jan 14 16:52:00.751 UTC: ISAKMP:(0): vendor ID is XAUTH
000790: Jan 14 16:52:00.751 UTC: ISAKMP:(0): processing vendor id payload
000791: Jan 14 16:52:00.751 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
000792: Jan 14 16:52:00.751 UTC: ISAKMP:(0): vendor ID is NAT-T v2
000793: Jan 14 16:52:00.751 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000794: Jan 14 16:52:00.751 UTC: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2 

000795: Jan 14 16:52:00.751 UTC: ISAKMP:(0): sending packet to 72.45.207.42 my_port 500 peer_port 500 (I) MM_SA_SETUP
000796: Jan 14 16:52:00.751 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
000797: Jan 14 16:52:00.751 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000798: Jan 14 16:52:00.751 UTC: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3 

000799: Jan 14 16:52:00.819 UTC: ISAKMP (0): received packet from 72.45.207.42 dport 500 sport 500 Global (I) MM_SA_SETUP
000800: Jan 14 16:52:00.819 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000801: Jan 14 16:52:00.819 UTC: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4 

000802: Jan 14 16:52:00.819 UTC: ISAKMP:(0): processing KE payload. message ID = 0
000803: Jan 14 16:52:00.851 UTC: ISAKMP:(0): processing NONCE payload. message ID = 0
000804: Jan 14 16:52:00.851 UTC: ISAKMP:(0):found peer pre-shared key matching 72.45.207.42
000805: Jan 14 16:52:00.851 UTC: ISAKMP:received payload type 20
000806: Jan 14 16:52:00.851 UTC: ISAKMP (2008): His hash no match - this node outside NAT
000807: Jan 14 16:52:00.851 UTC: ISAKMP:received payload type 20
000808: Jan 14 16:52:00.851 UTC: ISAKMP (2008): No NAT Found for self or peer
000809: Jan 14 16:52:00.851 UTC: ISAKMP:(2008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000810: Jan 14 16:52:00.851 UTC: ISAKMP:(2008):Old State = IKE_I_MM4  New State = IKE_I_MM4 

000811: Jan 14 16:52:00.851 UTC: ISAKMP:(2008):Send initial contact
000812: Jan 14 16:52:00.851 UTC: ISAKMP:(2008):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
000813: Jan 14 16:52:00.851 UTC: ISAKMP (2008): ID payload 
	next-payload : 8
	type         : 1 
	address      : 50.75.182.73 
	protocol     : 17 
	port         : 500 
	length       : 12
000814: Jan 14 16:52:00.851 UTC: ISAKMP:(2008):Total payload length: 12
000815: Jan 14 16:52:00.851 UTC: ISAKMP:(2008): sending packet to 72.45.207.42 my_port 500 peer_port 500 (I) MM_KEY_EXCH
000816: Jan 14 16:52:00.851 UTC: ISAKMP:(2008):Sending an IKE IPv4 Packet.
000817: Jan 14 16:52:00.851 UTC: ISAKMP:(2008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE.
000818: Jan 14 16:52:00.851 UTC: ISAKMP:(2008):Old State = IKE_I_MM4  New State = IKE_I_MM5 
.
000819: Jan 14 16:52:03.899 UTC: ISAKMP (2008): received packet from 72.45.207.42 dport 500 sport 500 Global (I) MM_KEY_EXCH
000820: Jan 14 16:52:03.899 UTC: ISAKMP:(2008): phase 1 packet is a duplicate of a previous packet.
000821: Jan 14 16:52:03.899 UTC: ISAKMP:(2008): retransmitting due to retransmit phase 1
000822: Jan 14 16:52:04.399 UTC: ISAKMP:(2008): retransmitting phase 1 MM_KEY_EXCH...
000823: Jan 14 16:52:04.399 UTC: ISAKMP (2008): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
000824: Jan 14 16:52:04.399 UTC: ISAKMP:(2008): retransmitting phase 1 MM_KEY_EXCH
000825: Jan 14 16:52:04.399 UTC: ISAKMP:(2008): sending packet to 72.45.207.42 my_port 500 peer_port 500 (I) MM_KEY_EXCH
000826: Jan 14 16:52:04.399 UTC: ISAKMP:(2008):Sending an IKE IPv4 Packet..
000827: Jan 14 16:52:06.447 UTC: ISAKMP (2008): received packet from 72.45.207.42 dport 500 sport 500 Global (I) MM_KEY_EXCH
000828: Jan 14 16:52:06.447 UTC: ISAKMP:(2008): phase 1 packet is a duplicate of a previous packet.
000829: Jan 14 16:52:06.447 UTC: ISAKMP:(2008): retransmitting due to retransmit phase 1
000830: Jan 14 16:52:06.947 UTC: ISAKMP:(2008): retransmitting phase 1 MM_KEY_EXCH...
000831: Jan 14 16:52:06.947 UTC: ISAKMP (2008): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
000832: Jan 14 16:52:06.947 UTC: ISAKMP:(2008): retransmitting phase 1 MM_KEY_EXCH.
000833: Jan 14 16:52:06.947 UTC: ISAKMP:(2008): sending packet to 72.45.207.42 my_port 500 peer_port 500 (I) MM_KEY_EXCH
000834: Jan 14 16:52:06.947 UTC: ISAKMP:(2008):Sending an IKE IPv4 Packet..
Success rate is 0 percent (0/5)
MB-ROC-C881-1#
000835: Jan 14 16:52:09.995 UTC: ISAKMP (2008): received packet from 72.45.207.42 dport 500 sport 500 Global (I) MM_KEY_EXCH
000836: Jan 14 16:52:09.995 UTC: ISAKMP:(2008): phase 1 packet is a duplicate of a previous packet.
000837: Jan 14 16:52:09.995 UTC: ISAKMP:(2008): retransmitting due to retransmit phase 1
000838: Jan 14 16:52:10.495 UTC: ISAKMP:(2008): retransmitting phase 1 MM_KEY_EXCH...
000839: Jan 14 16:52:10.495 UTC: ISAKMP (2008): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
000840: Jan 14 16:52:10.495 UTC: ISAKMP:(2008): retransmitting phase 1 MM_KEY_EXCH
000841: Jan 14 16:52:10.495 UTC: ISAKMP:(2008): sending packet to 72.45.207.42 my_port 500 peer_port 500 (I) MM_KEY_EXCH
000842: Jan 14 16:52:10.495 UTC: ISAKMP:(2008):Sending an IKE IPv4 Packet.
000843: Jan 14 16:52:20.495 UTC: ISAKMP:(2008): retransmitting phase 1 MM_KEY_EXCH...
000844: Jan 14 16:52:20.495 UTC: ISAKMP (2008): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
000845: Jan 14 16:52:20.495 UTC: ISAKMP:(2008): retransmitting phase 1 MM_KEY_EXCH
000846: Jan 14 16:52:20.495 UTC: ISAKMP:(2008): sending packet to 72.45.207.42 my_port 500 peer_port 500 (I) MM_KEY_EXCH
000847: Jan 14 16:52:20.495 UTC: ISAKMP:(2008):Sending an IKE IPv4 Packet.
000848: Jan 14 16:52:30.495 UTC: ISAKMP:(2008): retransmitting phase 1 MM_KEY_EXCH...
000849: Jan 14 16:52:30.495 UTC: ISAKMP (2008): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
000850: Jan 14 16:52:30.495 UTC: ISAKMP:(2008): retransmitting phase 1 MM_KEY_EXCH
000851: Jan 14 16:52:30.495 UTC: ISAKMP:(2008): sending packet to 72.45.207.42 my_port 500 peer_port 500 (I) MM_KEY_EXCH
000852: Jan 14 16:52:30.495 UTC: ISAKMP:(2008):Sending an IKE IPv4 Packet.
000853: Jan 14 16:52:30.731 UTC: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 50.75.182.73:0, remote= 72.45.207.42:0, 
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4)
000854: Jan 14 16:52:30.731 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 50.75.182.73:500, remote= 72.45.207.42:500, 
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel), 
    lifedur= 86400s and 1280000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
000855: Jan 14 16:52:30.731 UTC: ISAKMP: set new node 0 to QM_IDLE      
000856: Jan 14 16:52:30.731 UTC: ISAKMP:(2008):SA is still budding. Attached new ipsec request to it. (local 50.75.182.73, remote 72.45.207.42)
000857: Jan 14 16:52:30.731 UTC: ISAKMP: Error while processing SA request: Failed to initialize SA
000858: Jan 14 16:52:30.731 UTC: ISAKMP: Error while processing KMI message 0, error 2.
000859: Jan 14 16:52:40.495 UTC: ISAKMP:(2008): retransmitting phase 1 MM_KEY_EXCH...
000860: Jan 14 16:52:40.495 UTC: ISAKMP:(2008):peer does not do paranoid keepalives.

000861: Jan 14 16:52:40.495 UTC: ISAKMP:(2008):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 72.45.207.42)
000862: Jan 14 16:52:40.495 UTC: ISAKMP:(2008):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 72.45.207.42) 
000863: Jan 14 16:52:40.495 UTC: ISAKMP: Unlocking peer struct 0x88089548 for isadb_mark_sa_deleted(), count 0
000864: Jan 14 16:52:40.495 UTC: ISAKMP: Deleting peer node by peer_reap for 72.45.207.42: 88089548
000865: Jan 14 16:52:40.495 UTC: ISAKMP:(2008):deleting node -1996397608 error FALSE reason "IKE deleted"
000866: Jan 14 16:52:40.495 UTC: ISAKMP:(2008):deleting node 1273595071 error FALSE reason "IKE deleted"
000867: Jan 14 16:52:40.495 UTC: ISAKMP:(2008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
000868: Jan 14 16:52:40.495 UTC: ISAKMP:(2008):Old State = IKE_I_MM5  New State = IKE_DEST_SA 

000869: Jan 14 16:52:40.495 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
000870: Jan 14 16:53:00.731 UTC: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 50.75.182.73:0, remote= 72.45.207.42:0, 
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4)
000871: Jan 14 16:53:30.495 UTC: ISAKMP:(2008):purging node -1996397608
000872: Jan 14 16:53:30.495 UTC: ISAKMP:(2008):purging node 1273595071
000873: Jan 14 16:53:40.495 UTC: ISAKMP:(2008):purging SA., sa=8AACE9D4, delme=8AACE9D4
000874: Jan 14 16:56:00.731 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 50.75.182.73:500, remote= 72.45.207.42:500, 
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel), 
    lifedur= 86400s and 1280000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
000875: Jan 14 16:56:00.731 UTC: ISAKMP:(0): SA request profile is (NULL)
000876: Jan 14 16:56:00.731 UTC: ISAKMP: Created a peer struct for 72.45.207.42, peer port 500
000877: Jan 14 16:56:00.731 UTC: ISAKMP: New peer created peer = 0x8A532D0C peer_handle = 0x8000000A
000878: Jan 14 16:56:00.731 UTC: ISAKMP: Locking peer struct 0x8A532D0C, refcount 1 for isakmp_initiator
000879: Jan 14 16:56:00.731 UTC: ISAKMP: local port 500, remote port 500
000880: Jan 14 16:56:00.731 UTC: ISAKMP: set new node 0 to QM_IDLE      
000881: Jan 14 16:56:00.731 UTC: ISAKMP:(0):insert sa successfully sa = 8A21ED98
000882: Jan 14 16:56:00.731 UTC: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
000883: Jan 14 16:56:00.731 UTC: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000884: Jan 14 16:56:00.731 UTC: ISAKMP:(0):found peer pre-shared key matching 72.45.207.42
000885: Jan 14 16:56:00.731 UTC: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
000886: Jan 14 16:56:00.731 UTC: ISAKMP:(0): constructed NAT-T vendor-07 ID
000887: Jan 14 16:56:00.731 UTC: ISAKMP:(0): constructed NAT-T vendor-03 ID
000888: Jan 14 16:56:00.731 UTC: ISAKMP:(0): constructed NAT-T vendor-02 ID
000889: Jan 14 16:56:00.731 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
000890: Jan 14 16:56:00.731 UTC: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 

000891: Jan 14 16:56:00.731 UTC: ISAKMP:(0): beginning Main Mode exchange
000892: Jan 14 16:56:00.731 UTC: ISAKMP:(0): sending packet to 72.45.207.42 my_port 500 peer_port 500 (I) MM_NO_STATE
000893: Jan 14 16:56:00.731 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
000894: Jan 14 16:56:00.747 UTC: ISAKMP (0): received packet from 72.45.207.42 dport 500 sport 500 Global (I) MM_NO_STATE
000895: Jan 14 16:56:00.747 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000896: Jan 14 16:56:00.747 UTC: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2 

000897: Jan 14 16:56:00.747 UTC: ISAKMP:(0): processing SA payload. message ID = 0
000898: Jan 14 16:56:00.747 UTC: ISAKMP:(0): processing vendor id payload
000899: Jan 14 16:56:00.747 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 128 mismatch
000900: Jan 14 16:56:00.747 UTC: ISAKMP:(0): vendor ID is XAUTH
000901: Jan 14 16:56:00.747 UTC: ISAKMP:(0): processing vendor id payload
000902: Jan 14 16:56:00.747 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
000903: Jan 14 16:56:00.747 UTC: ISAKMP:(0): vendor ID is NAT-T v2
000904: Jan 14 16:56:00.747 UTC: ISAKMP:(0):found peer pre-shared key matching 72.45.207.42
000905: Jan 14 16:56:00.747 UTC: ISAKMP:(0): local preshared key found
000906: Jan 14 16:56:00.747 UTC: ISAKMP : Scanning profiles for xauth ...
000907: Jan 14 16:56:00.747 UTC: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
000908: Jan 14 16:56:00.747 UTC: ISAKMP:      encryption 3DES-CBC
000909: Jan 14 16:56:00.747 UTC: ISAKMP:      hash MD5
000910: Jan 14 16:56:00.747 UTC: ISAKMP:      default group 2
000911: Jan 14 16:56:00.747 UTC: ISAKMP:      auth pre-share
000912: Jan 14 16:56:00.747 UTC: ISAKMP:      life type in seconds
000913: Jan 14 16:56:00.747 UTC: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
000914: Jan 14 16:56:00.747 UTC: ISAKMP:(0):atts are acceptable. Next payload is 0
000915: Jan 14 16:56:00.747 UTC: ISAKMP:(0):Acceptable atts:actual life: 0
000916: Jan 14 16:56:00.747 UTC: ISAKMP:(0):Acceptable atts:life: 0
000917: Jan 14 16:56:00.747 UTC: ISAKMP:(0):Fill atts in sa vpi_length:4
000918: Jan 14 16:56:00.747 UTC: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
000919: Jan 14 16:56:00.747 UTC: ISAKMP:(0):Returning Actual lifetime: 86400
000920: Jan 14 16:56:00.747 UTC: ISAKMP:(0)::Started lifetime timer: 86400.

000921: Jan 14 16:56:00.747 UTC: ISAKMP:(0): processing vendor id payload
000922: Jan 14 16:56:00.747 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 128 mismatch
000923: Jan 14 16:56:00.747 UTC: ISAKMP:(0): vendor ID is XAUTH
000924: Jan 14 16:56:00.747 UTC: ISAKMP:(0): processing vendor id payload
000925: Jan 14 16:56:00.747 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
000926: Jan 14 16:56:00.747 UTC: ISAKMP:(0): vendor ID is NAT-T v2
000927: Jan 14 16:56:00.747 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000928: Jan 14 16:56:00.747 UTC: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2 

000929: Jan 14 16:56:00.751 UTC: ISAKMP:(0): sending packet to 72.45.207.42 my_port 500 peer_port 500 (I) MM_SA_SETUP
000930: Jan 14 16:56:00.751 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
000931: Jan 14 16:56:00.751 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000932: Jan 14 16:56:00.751 UTC: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3 

000933: Jan 14 16:56:00.799 UTC: ISAKMP (0): received packet from 72.45.207.42 dport 500 sport 500 Global (I) MM_SA_SETUP
000934: Jan 14 16:56:00.799 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000935: Jan 14 16:56:00.799 UTC: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4 

000936: Jan 14 16:56:00.799 UTC: ISAKMP:(0): processing KE payload. message ID = 0
000937: Jan 14 16:56:00.827 UTC: ISAKMP:(0): processing NONCE payload. message ID = 0
000938: Jan 14 16:56:00.827 UTC: ISAKMP:(0):found peer pre-shared key matching 72.45.207.42
000939: Jan 14 16:56:00.831 UTC: ISAKMP:received payload type 20
000940: Jan 14 16:56:00.831 UTC: ISAKMP (2009): His hash no match - this node outside NAT
000941: Jan 14 16:56:00.831 UTC: ISAKMP:received payload type 20
000942: Jan 14 16:56:00.831 UTC: ISAKMP (2009): No NAT Found for self or peer
000943: Jan 14 16:56:00.831 UTC: ISAKMP:(2009):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000944: Jan 14 16:56:00.831 UTC: ISAKMP:(2009):Old State = IKE_I_MM4  New State = IKE_I_MM4 

000945: Jan 14 16:56:00.831 UTC: ISAKMP:(2009):Send initial contact
000946: Jan 14 16:56:00.831 UTC: ISAKMP:(2009):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
000947: Jan 14 16:56:00.831 UTC: ISAKMP (2009): ID payload 
	next-payload : 8
	type         : 1 
	address      : 50.75.182.73 
	protocol     : 17 
	port         : 500 
	length       : 12
000948: Jan 14 16:56:00.831 UTC: ISAKMP:(2009):Total payload length: 12
000949: Jan 14 16:56:00.831 UTC: ISAKMP:(2009): sending packet to 72.45.207.42 my_port 500 peer_port 500 (I) MM_KEY_EXCH
000950: Jan 14 16:56:00.831 UTC: ISAKMP:(2009):Sending an IKE IPv4 Packet.
000951: Jan 14 16:56:00.831 UTC: ISAKMP:(2009):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000952: Jan 14 16:56:00.831 UTC: ISAKMP:(2009):Old State = IKE_I_MM4  New State = IKE_I_MM5 

000953: Jan 14 16:56:03.875 UTC: ISAKMP (2009): received packet from 72.45.207.42 dport 500 sport 500 Global (I) MM_KEY_EXCH
000954: Jan 14 16:56:03.875 UTC: ISAKMP:(2009): phase 1 packet is a duplicate of a previous packet.
000955: Jan 14 16:56:03.875 UTC: ISAKMP:(2009): retransmitting due to retransmit phase 1
000956: Jan 14 16:56:04.375 UTC: ISAKMP:(2009): retransmitting phase 1 MM_KEY_EXCH...
000957: Jan 14 16:56:04.375 UTC: ISAKMP (2009): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
000958: Jan 14 16:56:04.375 UTC: ISAKMP:(2009): retransmitting phase 1 MM_KEY_EXCH
000959: Jan 14 16:56:04.375 UTC: ISAKMP:(2009): sending packet to 72.45.207.42 my_port 500 peer_port 500 (I) MM_KEY_EXCH
000960: Jan 14 16:56:04.375 UTC: ISAKMP:(2009):Sending an IKE IPv4 Packet.
000961: Jan 14 16:56:06.419 UTC: ISAKMP (2009): received packet from 72.45.207.42 dport 500 sport 500 Global (I) MM_KEY_EXCH
000962: Jan 14 16:56:06.419 UTC: ISAKMP:(2009): phase 1 packet is a duplicate of a previous packet.
000963: Jan 14 16:56:06.419 UTC: ISAKMP:(2009): retransmitting due to retransmit phase 1
000964: Jan 14 16:56:06.919 UTC: ISAKMP:(2009): retransmitting phase 1 MM_KEY_EXCH...
000965: Jan 14 16:56:06.919 UTC: ISAKMP (2009): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
000966: Jan 14 16:56:06.919 UTC: ISAKMP:(2009): retransmitting phase 1 MM_KEY_EXCH
000967: Jan 14 16:56:06.919 UTC: ISAKMP:(2009): sending packet to 72.45.207.42 my_port 500 peer_port 500 (I) MM_KEY_EXCH
000968: Jan 14 16:56:06.919 UTC: ISAKMP:(2009):Sending an IKE IPv4 Packet.
000969: Jan 14 16:56:09.511 UTC: ISAKMP (2009): received packet from 72.45.207.42 dport 500 sport 500 Global (I) MM_KEY_EXCH
000970: Jan 14 16:56:09.511 UTC: ISAKMP:(2009): phase 1 packet is a duplicate of a previous packet.
000971: Jan 14 16:56:09.511 UTC: ISAKMP:(2009): retransmitting due to retransmit phase 1
000972: Jan 14 16:56:10.011 UTC: ISAKMP:(2009): retransmitting phase 1 MM_KEY_EXCH...
000973: Jan 14 16:56:10.011 UTC: ISAKMP (2009): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
000974: Jan 14 16:56:10.011 UTC: ISAKMP:(2009): retransmitting phase 1 MM_KEY_EXCH
000975: Jan 14 16:56:10.011 UTC: ISAKMP:(2009): sending packet to 72.45.207.42 my_port 500 peer_port 500 (I) MM_KEY_EXCH
000976: Jan 14 16:56:10.011 UTC: ISAKMP:(2009):Sending an IKE IPv4 Packet.
000977: Jan 14 16:56:20.011 UTC: ISAKMP:(2009): retransmitting phase 1 MM_KEY_EXCH...
000978: Jan 14 16:56:20.011 UTC: ISAKMP (2009): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
000979: Jan 14 16:56:20.011 UTC: ISAKMP:(2009): retransmitting phase 1 MM_KEY_EXCH
000980: Jan 14 16:56:20.011 UTC: ISAKMP:(2009): sending packet to 72.45.207.42 my_port 500 peer_port 500 (I) MM_KEY_EXCH
000981: Jan 14 16:56:20.011 UTC: ISAKMP:(2009):Sending an IKE IPv4 Packet.
000982: Jan 14 16:56:30.011 UTC: ISAKMP:(2009): retransmitting phase 1 MM_KEY_EXCH...
000983: Jan 14 16:56:30.011 UTC: ISAKMP (2009): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
000984: Jan 14 16:56:30.011 UTC: ISAKMP:(2009): retransmitting phase 1 MM_KEY_EXCH
000985: Jan 14 16:56:30.011 UTC: ISAKMP:(2009): sending packet to 72.45.207.42 my_port 500 peer_port 500 (I) MM_KEY_EXCH
000986: Jan 14 16:56:30.011 UTC: ISAKMP:(2009):Sending an IKE IPv4 Packet.
000987: Jan 14 16:56:30.731 UTC: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 50.75.182.73:0, remote= 72.45.207.42:0, 
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4)
000988: Jan 14 16:56:30.731 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 50.75.182.73:500, remote= 72.45.207.42:500, 
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel), 
    lifedur= 86400s and 1280000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
000989: Jan 14 16:56:30.731 UTC: ISAKMP: set new node 0 to QM_IDLE      
000990: Jan 14 16:56:30.731 UTC: ISAKMP:(2009):SA is still budding. Attached new ipsec request to it. (local 50.75.182.73, remote 72.45.207.42)
000991: Jan 14 16:56:30.731 UTC: ISAKMP: Error while processing SA request: Failed to initialize SA
000992: Jan 14 16:56:30.731 UTC: ISAKMP: Error while processing KMI message 0, error 2.
000993: Jan 14 16:56:40.011 UTC: ISAKMP:(2009): retransmitting phase 1 MM_KEY_EXCH...
000994: Jan 14 16:56:40.011 UTC: ISAKMP:(2009):peer does not do paranoid keepalives.

000995: Jan 14 16:56:40.011 UTC: ISAKMP:(2009):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 72.45.207.42)
000996: Jan 14 16:56:40.011 UTC: ISAKMP:(2009):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 72.45.207.42) 
000997: Jan 14 16:56:40.011 UTC: ISAKMP: Unlocking peer struct 0x8A532D0C for isadb_mark_sa_deleted(), count 0
000998: Jan 14 16:56:40.011 UTC: ISAKMP: Deleting peer node by peer_reap for 72.45.207.42: 8A532D0C
000999: Jan 14 16:56:40.011 UTC: ISAKMP:(2009):deleting node 1227480504 error FALSE reason "IKE deleted"
001000: Jan 14 16:56:40.011 UTC: ISAKMP:(2009):deleting node 519197175 error FALSE reason "IKE deleted"
001001: Jan 14 16:56:40.011 UTC: ISAKMP:(2009):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
001002: Jan 14 16:56:40.011 UTC: ISAKMP:(2009):Old State = IKE_I_MM5  New State = IKE_DEST_SA 

001003: Jan 14 16:56:40.011 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
001004: Jan 14 16:57:00.731 UTC: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 50.75.182.73:0, remote= 72.45.207.42:0, 
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4)
001005: Jan 14 16:57:30.011 UTC: ISAKMP:(2009):purging node 1227480504
001006: Jan 14 16:57:30.011 UTC: ISAKMP:(2009):purging node 519197175
001007: Jan 14 16:57:40.011 UTC: ISAKMP:(2009):purging SA., sa=8A21ED98, delme=8A21ED98
001008: Jan 14 17:00:00.731 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 50.75.182.73:500, remote= 72.45.207.42:500, 
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel), 
    lifedur= 86400s and 1280000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
001009: Jan 14 17:00:00.731 UTC: ISAKMP:(0): SA request profile is (NULL)
001010: Jan 14 17:00:00.731 UTC: ISAKMP: Created a peer struct for 72.45.207.42, peer port 500
001011: Jan 14 17:00:00.731 UTC: ISAKMP: New peer created peer = 0x8A532D0C peer_handle = 0x8000000B
001012: Jan 14 17:00:00.731 UTC: ISAKMP: Locking peer struct 0x8A532D0C, refcount 1 for isakmp_initiator
001013: Jan 14 17:00:00.731 UTC: ISAKMP: local port 500, remote port 500
001014: Jan 14 17:00:00.731 UTC: ISAKMP: set new node 0 to QM_IDLE      
001015: Jan 14 17:00:00.731 UTC: ISAKMP:(0):insert sa successfully sa = 8A21ED98
001016: Jan 14 17:00:00.731 UTC: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
001017: Jan 14 17:00:00.731 UTC: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
001018: Jan 14 17:00:00.731 UTC: ISAKMP:(0):found peer pre-shared key matching 72.45.207.42
001019: Jan 14 17:00:00.731 UTC: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
001020: Jan 14 17:00:00.731 UTC: ISAKMP:(0): constructed NAT-T vendor-07 ID
001021: Jan 14 17:00:00.731 UTC: ISAKMP:(0): constructed NAT-T vendor-03 ID
001022: Jan 14 17:00:00.731 UTC: ISAKMP:(0): constructed NAT-T vendor-02 ID
001023: Jan 14 17:00:00.731 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
001024: Jan 14 17:00:00.731 UTC: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 

001025: Jan 14 17:00:00.731 UTC: ISAKMP:(0): beginning Main Mode exchange
001026: Jan 14 17:00:00.731 UTC: ISAKMP:(0): sending packet to 72.45.207.42 my_port 500 peer_port 500 (I) MM_NO_STATE
001027: Jan 14 17:00:00.731 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
001028: Jan 14 17:00:00.747 UTC: ISAKMP (0): received packet from 72.45.207.42 dport 500 sport 500 Global (I) MM_NO_STATE
001029: Jan 14 17:00:00.747 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
001030: Jan 14 17:00:00.747 UTC: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2 

001031: Jan 14 17:00:00.747 UTC: ISAKMP:(0): processing SA payload. message ID = 0
001032: Jan 14 17:00:00.747 UTC: ISAKMP:(0): processing vendor id payload
001033: Jan 14 17:00:00.747 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 128 mismatch
001034: Jan 14 17:00:00.747 UTC: ISAKMP:(0): vendor ID is XAUTH
001035: Jan 14 17:00:00.747 UTC: ISAKMP:(0): processing vendor id payload
001036: Jan 14 17:00:00.747 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
001037: Jan 14 17:00:00.747 UTC: ISAKMP:(0): vendor ID is NAT-T v2
001038: Jan 14 17:00:00.747 UTC: ISAKMP:(0):found peer pre-shared key matching 72.45.207.42
001039: Jan 14 17:00:00.747 UTC: ISAKMP:(0): local preshared key found
001040: Jan 14 17:00:00.747 UTC: ISAKMP : Scanning profiles for xauth ...
001041: Jan 14 17:00:00.747 UTC: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
001042: Jan 14 17:00:00.747 UTC: ISAKMP:      encryption 3DES-CBC
001043: Jan 14 17:00:00.747 UTC: ISAKMP:      hash MD5
001044: Jan 14 17:00:00.747 UTC: ISAKMP:      default group 2
001045: Jan 14 17:00:00.747 UTC: ISAKMP:      auth pre-share
001046: Jan 14 17:00:00.747 UTC: ISAKMP:      life type in seconds
001047: Jan 14 17:00:00.747 UTC: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
001048: Jan 14 17:00:00.747 UTC: ISAKMP:(0):atts are acceptable. Next payload is 0
001049: Jan 14 17:00:00.747 UTC: ISAKMP:(0):Acceptable atts:actual life: 0
001050: Jan 14 17:00:00.747 UTC: ISAKMP:(0):Acceptable atts:life: 0
001051: Jan 14 17:00:00.747 UTC: ISAKMP:(0):Fill atts in sa vpi_length:4
001052: Jan 14 17:00:00.747 UTC: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
001053: Jan 14 17:00:00.747 UTC: ISAKMP:(0):Returning Actual lifetime: 86400
001054: Jan 14 17:00:00.747 UTC: ISAKMP:(0)::Started lifetime timer: 86400.

001055: Jan 14 17:00:00.747 UTC: ISAKMP:(0): processing vendor id payload
001056: Jan 14 17:00:00.747 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 128 mismatch
001057: Jan 14 17:00:00.747 UTC: ISAKMP:(0): vendor ID is XAUTH
001058: Jan 14 17:00:00.747 UTC: ISAKMP:(0): processing vendor id payload
001059: Jan 14 17:00:00.747 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
001060: Jan 14 17:00:00.751 UTC: ISAKMP:(0): vendor ID is NAT-T v2
001061: Jan 14 17:00:00.751 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
001062: Jan 14 17:00:00.751 UTC: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2 

001063: Jan 14 17:00:00.751 UTC: ISAKMP:(0): sending packet to 72.45.207.42 my_port 500 peer_port 500 (I) MM_SA_SETUP
001064: Jan 14 17:00:00.751 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
001065: Jan 14 17:00:00.751 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
001066: Jan 14 17:00:00.751 UTC: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3 

001067: Jan 14 17:00:00.799 UTC: ISAKMP (0): received packet from 72.45.207.42 dport 500 sport 500 Global (I) MM_SA_SETUP
001068: Jan 14 17:00:00.799 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
001069: Jan 14 17:00:00.799 UTC: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4 

001070: Jan 14 17:00:00.803 UTC: ISAKMP:(0): processing KE payload. message ID = 0
001071: Jan 14 17:00:00.847 UTC: ISAKMP:(0): processing NONCE payload. message ID = 0
001072: Jan 14 17:00:00.847 UTC: ISAKMP:(0):found peer pre-shared key matching 72.45.207.42
001073: Jan 14 17:00:00.847 UTC: ISAKMP:received payload type 20
001074: Jan 14 17:00:00.847 UTC: ISAKMP (2010): His hash no match - this node outside NAT
001075: Jan 14 17:00:00.851 UTC: ISAKMP:received payload type 20
001076: Jan 14 17:00:00.851 UTC: ISAKMP (2010): No NAT Found for self or peer
001077: Jan 14 17:00:00.851 UTC: ISAKMP:(2010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
001078: Jan 14 17:00:00.851 UTC: ISAKMP:(2010):Old State = IKE_I_MM4  New State = IKE_I_MM4 

001079: Jan 14 17:00:00.851 UTC: ISAKMP:(2010):Send initial contact
001080: Jan 14 17:00:00.851 UTC: ISAKMP:(2010):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
001081: Jan 14 17:00:00.851 UTC: ISAKMP (2010): ID payload 
	next-payload : 8
	type         : 1 
	address      : 50.75.182.73 
	protocol     : 17 
	port         : 500 
	length       : 12
001082: Jan 14 17:00:00.851 UTC: ISAKMP:(2010):Total payload length: 12
001083: Jan 14 17:00:00.851 UTC: ISAKMP:(2010): sending packet to 72.45.207.42 my_port 500 peer_port 500 (I) MM_KEY_EXCH
001084: Jan 14 17:00:00.851 UTC: ISAKMP:(2010):Sending an IKE IPv4 Packet.
001085: Jan 14 17:00:00.851 UTC: ISAKMP:(2010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
001086: Jan 14 17:00:00.851 UTC: ISAKMP:(2010):Old State = IKE_I_MM4  New State = IKE_I_MM5 

001087: Jan 14 17:00:03.895 UTC: ISAKMP (2010): received packet from 72.45.207.42 dport 500 sport 500 Global (I) MM_KEY_EXCH
001088: Jan 14 17:00:03.895 UTC: ISAKMP:(2010): phase 1 packet is a duplicate of a previous packet.
001089: Jan 14 17:00:03.895 UTC: ISAKMP:(2010): retransmitting due to retransmit phase 1
001090: Jan 14 17:00:04.395 UTC: ISAKMP:(2010): retransmitting phase 1 MM_KEY_EXCH...
001091: Jan 14 17:00:04.395 UTC: ISAKMP (2010): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
001092: Jan 14 17:00:04.395 UTC: ISAKMP:(2010): retransmitting phase 1 MM_KEY_EXCH
001093: Jan 14 17:00:04.395 UTC: ISAKMP:(2010): sending packet to 72.45.207.42 my_port 500 peer_port 500 (I) MM_KEY_EXCH
001094: Jan 14 17:00:04.395 UTC: ISAKMP:(2010):Sending an IKE IPv4 Packet.
001095: Jan 14 17:00:06.439 UTC: ISAKMP (2010): received packet from 72.45.207.42 dport 500 sport 500 Global (I) MM_KEY_EXCH
001096: Jan 14 17:00:06.439 UTC: ISAKMP:(2010): phase 1 packet is a duplicate of a previous packet.
001097: Jan 14 17:00:06.439 UTC: ISAKMP:(2010): retransmitting due to retransmit phase 1
001098: Jan 14 17:00:06.939 UTC: ISAKMP:(2010): retransmitting phase 1 MM_KEY_EXCH...
001099: Jan 14 17:00:06.939 UTC: ISAKMP (2010): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
001100: Jan 14 17:00:06.939 UTC: ISAKMP:(2010): retransmitting phase 1 MM_KEY_EXCH
001101: Jan 14 17:00:06.939 UTC: ISAKMP:(2010): sending packet to 72.45.207.42 my_port 500 peer_port 500 (I) MM_KEY_EXCH
001102: Jan 14 17:00:06.939 UTC: ISAKMP:(2010):Sending an IKE IPv4 Packet.
001103: Jan 14 17:00:10.019 UTC: ISAKMP (2010): received packet from 72.45.207.42 dport 500 sport 500 Global (I) MM_KEY_EXCH
001104: Jan 14 17:00:10.019 UTC: ISAKMP:(2010): phase 1 packet is a duplicate of a previous packet.
001105: Jan 14 17:00:10.019 UTC: ISAKMP:(2010): retransmitting due to retransmit phase 1
001106: Jan 14 17:00:10.519 UTC: ISAKMP:(2010): retransmitting phase 1 MM_KEY_EXCH...
001107: Jan 14 17:00:10.519 UTC: ISAKMP (2010): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
001108: Jan 14 17:00:10.519 UTC: ISAKMP:(2010): retransmitting phase 1 MM_KEY_EXCH
001109: Jan 14 17:00:10.519 UTC: ISAKMP:(2010): sending packet to 72.45.207.42 my_port 500 peer_port 500 (I) MM_KEY_EXCH
001110: Jan 14 17:00:10.519 UTC: ISAKMP:(2010):Sending an IKE IPv4 Packet.
001111: Jan 14 17:00:20.519 UTC: ISAKMP:(2010): retransmitting phase 1 MM_KEY_EXCH...
001112: Jan 14 17:00:20.519 UTC: ISAKMP (2010): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
001113: Jan 14 17:00:20.519 UTC: ISAKMP:(2010): retransmitting phase 1 MM_KEY_EXCH
001114: Jan 14 17:00:20.519 UTC: ISAKMP:(2010): sending packet to 72.45.207.42 my_port 500 peer_port 500 (I) MM_KEY_EXCH
001115: Jan 14 17:00:20.519 UTC: ISAKMP:(2010):Sending an IKE IPv4 Packet.
001116: Jan 14 17:00:30.519 UTC: ISAKMP:(2010): retransmitting phase 1 MM_KEY_EXCH...
001117: Jan 14 17:00:30.519 UTC: ISAKMP (2010): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
001118: Jan 14 17:00:30.519 UTC: ISAKMP:(2010): retransmitting phase 1 MM_KEY_EXCH
001119: Jan 14 17:00:30.519 UTC: ISAKMP:(2010): sending packet to 72.45.207.42 my_port 500 peer_port 500 (I) MM_KEY_EXCH
001120: Jan 14 17:00:30.519 UTC: ISAKMP:(2010):Sending an IKE IPv4 Packet.
001121: Jan 14 17:00:30.731 UTC: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 50.75.182.73:0, remote= 72.45.207.42:0, 
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4)
001122: Jan 14 17:00:30.731 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 50.75.182.73:500, remote= 72.45.207.42:500, 
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel), 
    lifedur= 86400s and 1280000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
001123: Jan 14 17:00:30.731 UTC: ISAKMP: set new node 0 to QM_IDLE      
001124: Jan 14 17:00:30.731 UTC: ISAKMP:(2010):SA is still budding. Attached new ipsec request to it. (local 50.75.182.73, remote 72.45.207.42)
001125: Jan 14 17:00:30.731 UTC: ISAKMP: Error while processing SA request: Failed to initialize SA
001126: Jan 14 17:00:30.731 UTC: ISAKMP: Error while processing KMI message 0, error 2.
001127: Jan 14 17:00:40.519 UTC: ISAKMP:(2010): retransmitting phase 1 MM_KEY_EXCH...
001128: Jan 14 17:00:40.519 UTC: ISAKMP:(2010):peer does not do paranoid keepalives.

001129: Jan 14 17:00:40.519 UTC: ISAKMP:(2010):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 72.45.207.42)
001130: Jan 14 17:00:40.519 UTC: ISAKMP:(2010):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 72.45.207.42) 
001131: Jan 14 17:00:40.519 UTC: ISAKMP: Unlocking peer struct 0x8A532D0C for isadb_mark_sa_deleted(), count 0
001132: Jan 14 17:00:40.519 UTC: ISAKMP: Deleting peer node by peer_reap for 72.45.207.42: 8A532D0C
001133: Jan 14 17:00:40.519 UTC: ISAKMP:(2010):deleting node 2027497640 error FALSE reason "IKE deleted"
001134: Jan 14 17:00:40.519 UTC: ISAKMP:(2010):deleting node -401727971 error FALSE reason "IKE deleted"
001135: Jan 14 17:00:40.519 UTC: ISAKMP:(2010):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
001136: Jan 14 17:00:40.519 UTC: ISAKMP:(2010):Old State = IKE_I_MM5  New State = IKE_DEST_SA 

001137: Jan 14 17:00:40.519 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
001138: Jan 14 17:01:00.731 UTC: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 50.75.182.73:0, remote= 72.45.207.42:0, 
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4)
001139: Jan 14 17:01:30.519 UTC: ISAKMP:(2010):purging node 2027497640
001140: Jan 14 17:01:30.519 UTC: ISAKMP:(2010):purging node -401727971
001141: Jan 14 17:01:40.519 UTC: ISAKMP:(2010):purging SA., sa=8A21ED98, delme=8A21ED98

Question by:csg-unit
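
Added example (not part of the original thread and not Cisco tooling): a small Python parser that reads `debug crypto isakmp` output like the log above and reports the last Main Mode state each Phase 1 attempt reached before the SA was torn down. The names `summarize` and `WAITING_FOR` are assumptions of this example; the notes in `WAITING_FOR` follow the standard IKEv1 Main Mode message order.

```python
import re

# Sample lines copied from the debug output in the question, trimmed to one attempt.
SAMPLE = """\
000983: Jan 14 16:56:30.011 UTC: ISAKMP (2009): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
001024: Jan 14 17:00:00.731 UTC: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
001030: Jan 14 17:00:00.747 UTC: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
001062: Jan 14 17:00:00.751 UTC: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
001066: Jan 14 17:00:00.751 UTC: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
001069: Jan 14 17:00:00.799 UTC: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
001086: Jan 14 17:00:00.851 UTC: ISAKMP:(2010):Old State = IKE_I_MM4  New State = IKE_I_MM5
001088: Jan 14 17:00:03.895 UTC: ISAKMP:(2010): phase 1 packet is a duplicate of a previous packet.
001091: Jan 14 17:00:04.395 UTC: ISAKMP (2010): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
001096: Jan 14 17:00:06.439 UTC: ISAKMP:(2010): phase 1 packet is a duplicate of a previous packet.
001117: Jan 14 17:00:30.519 UTC: ISAKMP (2010): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
001129: Jan 14 17:00:40.519 UTC: ISAKMP:(2010):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 72.45.207.42)
001130: Jan 14 17:00:40.519 UTC: ISAKMP:(2010):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 72.45.207.42)
001136: Jan 14 17:00:40.519 UTC: ISAKMP:(2010):Old State = IKE_I_MM5  New State = IKE_DEST_SA
"""

STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RETRY = re.compile(r"attempt (\d+) of \d+: retransmit phase 1")
DUP = re.compile(r"phase 1 packet is a duplicate of a previous packet")
DELETE = re.compile(r'deleting SA reason "([^"]+)" state \(\w\) \S+ \(peer ([\d.]+)\)')

# What the initiator is still waiting for in each "sent" state (IKEv1 Main Mode).
WAITING_FOR = {
    "IKE_I_MM1": "MM2: the peer's selected ISAKMP transform (policy match)",
    "IKE_I_MM3": "MM4: the peer's KE and nonce payloads",
    "IKE_I_MM5": "MM6: the peer's encrypted ID and hash (keys depend on the pre-shared key)",
}

def summarize(log):
    """Return one dict per Phase 1 attempt: states reached, retries, teardown reason."""
    attempts, cur = [], None
    for line in log.splitlines():
        if m := STATE.search(line):
            old, new = m.groups()
            if old == "IKE_READY":              # a new negotiation starts here
                cur = {"path": [], "retries": 0, "peer_dups": 0,
                       "reason": None, "peer": None}
                attempts.append(cur)
            if cur is not None and new != old and new != "IKE_DEST_SA":
                cur["path"].append(new)
        elif cur is None:
            continue                            # tail of an attempt that began before the capture
        elif m := RETRY.search(line):
            cur["retries"] = max(cur["retries"], int(m.group(1)))
        elif DUP.search(line):
            cur["peer_dups"] += 1               # peer resent a message we already processed
        elif m := DELETE.search(line):          # appears twice in the log above; same values
            cur["reason"], cur["peer"] = m.groups()
    for a in attempts:
        a["stalled_at"] = a["path"][-1] if a["reason"] and a["path"] else None
        a["waiting_for"] = WAITING_FOR.get(a["stalled_at"])
    return attempts

if __name__ == "__main__":
    for a in summarize(SAMPLE):
        print(a["peer"], a["stalled_at"], a["retries"], a["reason"], "|", a["waiting_for"])
```

On the sample this reports a stall at IKE_I_MM5: the router sent its encrypted identity, never received MM6, and the peer kept resending a message the router had already processed.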
7 Comments
 
Expert Comment
by:Leeeee
Do you have anything between the source and destination doing NAT? If so, you might need to enable NAT traversal.

One thing to verify is that both devices' ISAKMP policies are identical (authentication, encryption, and Diffie-Hellman group).

Author Comment
by:csg-unit
Both devices have direct connections to the Internet.  Also, I have verified all IKE policies and everything matches.

Expert Comment
by:Sandeep Gupta
Add the following:

crypto isakmp policy 20
 lifetime 28800
!
crypto isakmp keepalive 60 periodic
!
crypto map MAPtoMAIN 1 ipsec-isakmp
 set pfs group2
!

If possible, remove:
!
crypto isakmp policy 20
no hash md5
!

and use the transform set:

crypto ipsec transform-set TRANSFORMATION esp-3des esp-sha-hmac

!

Recently I experienced hash md5 creating a problem in one of my configs. I don't know why, but as soon as I removed it everything worked.

Author Comment
by:csg-unit
Thanks for the tips guys.  I will remember those for next time.  I did find the solution.  It ended up being something on the watchguard.

Expert Comment
by:Sandeep Gupta
Did you get resolution?

I want to add that you should check on the firewall whether ports 50, 51 and 500 are open.

Accepted Solution
by:csg-unit
I ended up recreating the tunnel on the remote side and it started working.  I am not sure why, but I should have done that first.  I do not trust Watchguard firewalls.

Author Closing Comment
by:csg-unit
I found the answer on my own and posted it.