Original message
"Cisco C921-4P as an L2TP server"
Posted by Slot, 09-Apr-21 11:17
Good day!
I just cannot get the L2TP server to work; the configuration and logs are below.
I connect from Win7 from address 2.2.2.2 to 5.5.5.5 through a different provider. It gets as far as the "verifying user name and password" message and after 3-4 seconds there is error 691... The same router is used as NAT to the Internet.
Among the errors in the log I see that at first Windows 7 offers its options and in the end it and the Cisco settle on
*Apr  9 07:24:48.665: ISAKMP: (0):Checking ISAKMP transform 5 against priority 10 policy
*Apr  9 07:24:48.665: ISAKMP: (0):      encryption 3DES-CBC
*Apr  9 07:24:48.665: ISAKMP: (0):      hash SHA
*Apr  9 07:24:48.665: ISAKMP: (0):      default group 2
*Apr  9 07:24:48.665: ISAKMP: (0):      auth pre-share
*Apr  9 07:24:48.665: ISAKMP: (0):      life type in seconds
After that the logs look fairly good up to this point
*Apr  9 07:24:48.737: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
Here, as I understand it, the router cannot find some index in some list of its own. How fatal that is I don't know... The IOS does not seem to be npe, and the appropriate module is loaded...
I captured the log with
deb cry isakmp
deb cry ipsec
Maybe that is not enough? I have always been shaky on encryption algorithms :(
Or do providers cut this kind of traffic now? Or try to wedge themselves in?
Please help me figure this out.

Configuration

aaa new-model
!
aaa authentication ppp default local
aaa authorization network default local
!
aaa attribute list vpnuser
attribute type addr 192.168.2.200 service vpdn protocol ip
!
aaa session-id common
!
no ip domain lookup
ip domain name tdts
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
  protocol l2tp
  virtual-template 1
no l2tp tunnel authentication
!
license boot module c900 technology-package securityk9
!
username vpnuser password 123
redundancy
!
crypto keyring keyring_l2tp
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
no crypto isakmp default policy
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0         no-xauth
crypto isakmp aggressive-mode disable
crypto isakmp profile L2TP
   keyring keyring_l2tp
   match identity address 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
mode transport
!
crypto dynamic-map CRYPTO_MAP_REMOTE_USERS 10
set nat demux
set transform-set ESP-3DES-SHA ESP-AES-SHA
set isakmp-profile L2TP
reverse-route
!
crypto map CRYPTO_MAP 100 ipsec-isakmp dynamic CRYPTO_MAP_REMOTE_USERS
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
ip address 192.168.1.244 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet5
ip address 5.5.5.5 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
crypto map CRYPTO_MAP
!
interface Virtual-Template1
ip unnumbered GigabitEthernet4
peer default ip address pool l2tppool_for_clients
keepalive 5
ppp encrypt mppe auto
ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
no ip address
!
ip local pool l2tppool_for_clients 192.168.2.200 192.168.2.210
ip default-gateway 5.5.5.6
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat pool natpool 5.5.5.5 5.5.5.5 prefix-length 24
ip nat inside source list 33 interface GigabitEthernet5 overload
ip route 0.0.0.0 0.0.0.0 5.5.5.6
ip ssh version 2


Logs

*Apr  9 07:24:48.663: ISAKMP-PAK: (0):received packet from 2.2.2.2 dport 500 sport 500 Global (N) NEW SA
*Apr  9 07:24:48.663: ISAKMP: (0):Created a peer struct for 2.2.2.2, peer port 500
*Apr  9 07:24:48.663: ISAKMP: (0):New peer created peer = 0x141FF2D8 peer_handle = 0x80000066
*Apr  9 07:24:48.663: ISAKMP: (0):Locking peer struct 0x141FF2D8, refcount 1 for crypto_isakmp_process_block
*Apr  9 07:24:48.663: ISAKMP: (0):local port 500, remote port 500
*Apr  9 07:24:48.663: ISAKMP: (0):insert sa successfully sa = FF838BC
*Apr  9 07:24:48.663: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr  9 07:24:48.663: ISAKMP: (0):Old State = IKE_READY  New State = IKE_R_MM1

*Apr  9 07:24:48.663: ISAKMP: (0):processing SA payload. message ID = 0
*Apr  9 07:24:48.663: ISAKMP: (0):processing vendor id payload
*Apr  9 07:24:48.663: ISAKMP: (0):processing IKE frag vendor id payload
*Apr  9 07:24:48.663: ISAKMP: (0):Support for IKE Fragmentation not enabled
*Apr  9 07:24:48.663: ISAKMP: (0):processing vendor id payload
*Apr  9 07:24:48.663: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
*Apr  9 07:24:48.663: ISAKMP: (0):vendor ID is NAT-T RFC 3947
*Apr  9 07:24:48.663: ISAKMP: (0):processing vendor id payload
*Apr  9 07:24:48.663: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
*Apr  9 07:24:48.663: ISAKMP: (0):vendor ID is NAT-T v2
*Apr  9 07:24:48.663: ISAKMP: (0):processing vendor id payload
*Apr  9 07:24:48.663: ISAKMP: (0):vendor ID seems Unity/DPD but major 194 mismatch
*Apr  9 07:24:48.663: ISAKMP: (0):processing vendor id payload
*Apr  9 07:24:48.663: ISAKMP: (0):vendor ID seems Unity/DPD but major 241 mismatch
*Apr  9 07:24:48.663: ISAKMP: (0):processing vendor id payload
*Apr  9 07:24:48.663: ISAKMP: (0):vendor ID seems Unity/DPD but major 184 mismatch
*Apr  9 07:24:48.663: ISAKMP: (0):processing vendor id payload
*Apr  9 07:24:48.663: ISAKMP: (0):vendor ID seems Unity/DPD but major 134 mismatch
*Apr  9 07:24:48.665: ISAKMP: (0):found peer pre-shared key matching 2.2.2.2
*Apr  9 07:24:48.665: ISAKMP: (0):local preshared key found
*Apr  9 07:24:48.665: ISAKMP: (0):Scanning profiles for xauth ... L2TP
*Apr  9 07:24:48.665: ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
*Apr  9 07:24:48.665: ISAKMP: (0):      encryption AES-CBC
*Apr  9 07:24:48.665: ISAKMP: (0):      keylength of 256
*Apr  9 07:24:48.665: ISAKMP: (0):      hash SHA
*Apr  9 07:24:48.665: ISAKMP: (0):      default group 20
*Apr  9 07:24:48.665: ISAKMP: (0):      auth pre-share
*Apr  9 07:24:48.665: ISAKMP: (0):      life type in seconds
*Apr  9 07:24:48.665: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Apr  9 07:24:48.665: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
*Apr  9 07:24:48.665: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Apr  9 07:24:48.665: ISAKMP: (0):Checking ISAKMP transform 2 against priority 10 policy
*Apr  9 07:24:48.665: ISAKMP: (0):      encryption AES-CBC
*Apr  9 07:24:48.665: ISAKMP: (0):      keylength of 128
*Apr  9 07:24:48.665: ISAKMP: (0):      hash SHA
*Apr  9 07:24:48.665: ISAKMP: (0):      default group 19
*Apr  9 07:24:48.665: ISAKMP: (0):      auth pre-share
*Apr  9 07:24:48.665: ISAKMP: (0):      life type in seconds
*Apr  9 07:24:48.665: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Apr  9 07:24:48.665: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
*Apr  9 07:24:48.665: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Apr  9 07:24:48.665: ISAKMP: (0):Checking ISAKMP transform 3 against priority 10 policy
*Apr  9 07:24:48.665: ISAKMP: (0):      encryption AES-CBC
*Apr  9 07:24:48.665: ISAKMP: (0):      keylength of 256
*Apr  9 07:24:48.665: ISAKMP: (0):      hash SHA
*Apr  9 07:24:48.665: ISAKMP: (0):      default group 14
*Apr  9 07:24:48.665: ISAKMP: (0):      auth pre-share
*Apr  9 07:24:48.665: ISAKMP: (0):      life type in seconds
*Apr  9 07:24:48.665: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Apr  9 07:24:48.665: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
*Apr  9 07:24:48.665: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Apr  9 07:24:48.665: ISAKMP: (0):Checking ISAKMP transform 4 against priority 10 policy
*Apr  9 07:24:48.665: ISAKMP: (0):      encryption 3DES-CBC
*Apr  9 07:24:48.665: ISAKMP: (0):      hash SHA
*Apr  9 07:24:48.665: ISAKMP: (0):      default group 14
*Apr  9 07:24:48.665: ISAKMP: (0):      auth pre-share
*Apr  9 07:24:48.665: ISAKMP: (0):      life type in seconds
*Apr  9 07:24:48.665: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Apr  9 07:24:48.665: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
*Apr  9 07:24:48.665: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Apr  9 07:24:48.665: ISAKMP: (0):Checking ISAKMP transform 5 against priority 10 policy
*Apr  9 07:24:48.665: ISAKMP: (0):      encryption 3DES-CBC
*Apr  9 07:24:48.665: ISAKMP: (0):      hash SHA
*Apr  9 07:24:48.665: ISAKMP: (0):      default group 2
*Apr  9 07:24:48.665: ISAKMP: (0):      auth pre-share
*Apr  9 07:24:48.665: ISAKMP: (0):      life type in seconds
*Apr  9 07:24:48.665: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Apr  9 07:24:48.665: ISAKMP: (0):atts are acceptable. Next payload is 0
*Apr  9 07:24:48.665: ISAKMP: (0):Acceptable atts:actual life: 86400
*Apr  9 07:24:48.665: ISAKMP: (0):Acceptable atts:life: 0
*Apr  9 07:24:48.665: ISAKMP: (0):Fill atts in sa vpi_length:4
*Apr  9 07:24:48.665: ISAKMP: (0):Fill atts in sa life_in_seconds:28800
*Apr  9 07:24:48.665: ISAKMP: (0):Returning Actual lifetime: 28800
*Apr  9 07:24:48.665: ISAKMP: (0):Started lifetime timer: 28800.

*Apr  9 07:24:48.667: ISAKMP: (0):processing vendor id payload
*Apr  9 07:24:48.667: ISAKMP: (0):processing IKE frag vendor id payload
*Apr  9 07:24:48.667: ISAKMP: (0):Support for IKE Fragmentation not enabled
*Apr  9 07:24:48.667: ISAKMP: (0):processing vendor id payload
*Apr  9 07:24:48.667: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
*Apr  9 07:24:48.667: ISAKMP: (0):vendor ID is NAT-T RFC 3947
*Apr  9 07:24:48.667: ISAKMP: (0):processing vendor id payload
*Apr  9 07:24:48.667: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
*Apr  9 07:24:48.667: ISAKMP: (0):vendor ID is NAT-T v2
*Apr  9 07:24:48.667: ISAKMP: (0):processing vendor id payload
*Apr  9 07:24:48.667: ISAKMP: (0):vendor ID seems Unity/DPD but major 194 mismatch
*Apr  9 07:24:48.667: ISAKMP: (0):processing vendor id payload
*Apr  9 07:24:48.667: ISAKMP: (0):vendor ID seems Unity/DPD but major 241 mismatch
*Apr  9 07:24:48.667: ISAKMP: (0):processing vendor id payload
*Apr  9 07:24:48.667: ISAKMP: (0):vendor ID seems Unity/DPD but major 184 mismatch
*Apr  9 07:24:48.667: ISAKMP: (0):processing vendor id payload
*Apr  9 07:24:48.667: ISAKMP: (0):vendor ID seems Unity/DPD but major 134 mismatch
*Apr  9 07:24:48.667: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr  9 07:24:48.667: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Apr  9 07:24:48.667: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Apr  9 07:24:48.667: ISAKMP-PAK: (0):sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Apr  9 07:24:48.667: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Apr  9 07:24:48.667: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr  9 07:24:48.667: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Apr  9 07:24:48.691: ISAKMP-PAK: (0):received packet from 2.2.2.2 dport 500 sport 500 Global (R) MM_SA_SETUP
*Apr  9 07:24:48.691: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr  9 07:24:48.691: ISAKMP: (0):Old State = IKE_R_MM2  New State = IKE_R_MM3

*Apr  9 07:24:48.691: ISAKMP: (0):processing KE payload. message ID = 0
*Apr  9 07:24:48.693: ISAKMP: (0):processing NONCE payload. message ID = 0
*Apr  9 07:24:48.693: ISAKMP: (0):found peer pre-shared key matching 2.2.2.2
*Apr  9 07:24:48.693: ISAKMP: (1090):received payload type 20
*Apr  9 07:24:48.693: ISAKMP: (1090):His hash no match - this node outside NAT
*Apr  9 07:24:48.693: ISAKMP: (1090):received payload type 20
*Apr  9 07:24:48.693: ISAKMP: (1090):His hash no match - this node outside NAT
*Apr  9 07:24:48.693: ISAKMP: (1090):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr  9 07:24:48.693: ISAKMP: (1090):Old State = IKE_R_MM3  New State = IKE_R_MM3

*Apr  9 07:24:48.693: ISAKMP-PAK: (1090):sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Apr  9 07:24:48.693: ISAKMP: (1090):Sending an IKE IPv4 Packet.
*Apr  9 07:24:48.693: ISAKMP: (1090):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr  9 07:24:48.693: ISAKMP: (1090):Old State = IKE_R_MM3  New State = IKE_R_MM4

*Apr  9 07:24:48.715: ISAKMP-PAK: (1090):received packet from 2.2.2.2 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
*Apr  9 07:24:48.715: ISAKMP: (1090):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr  9 07:24:48.715: ISAKMP: (1090):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Apr  9 07:24:48.715: ISAKMP: (1090):processing ID payload. message ID = 0
*Apr  9 07:24:48.715: ISAKMP: (1090):ID payload
        next-payload : 8
        type         : 1
*Apr  9 07:24:48.715: ISAKMP: (1090):   address      : 192.168.1.132
*Apr  9 07:24:48.715: ISAKMP: (1090):   protocol     : 0
        port         : 0
        length       : 12
*Apr  9 07:24:48.715: ISAKMP: (0):peer matches L2TP profile
*Apr  9 07:24:48.715: ISAKMP: (1090):Found ADDRESS key in keyring keyring_l2tp
*Apr  9 07:24:48.715: ISAKMP: (1090):processing HASH payload. message ID = 0
*Apr  9 07:24:48.715: ISAKMP: (1090):SA authentication status:
        authenticated
*Apr  9 07:24:48.715: ISAKMP: (1090):SA has been authenticated with 2.2.2.2
*Apr  9 07:24:48.715: ISAKMP: (1090):Detected port floating to port = 4500
*Apr  9 07:24:48.715: ISAKMP: (0):Trying to insert a peer 5.5.5.5/2.2.2.2/4500/,
*Apr  9 07:24:48.715: ISAKMP: (0): and inserted successfully 141FF2D8.
*Apr  9 07:24:48.715: ISAKMP: (1090):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr  9 07:24:48.715: ISAKMP: (1090):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Apr  9 07:24:48.715: ISAKMP: (1090):SA is doing
*Apr  9 07:24:48.715: ISAKMP: (1090):pre-shared key authentication using id type ID_IPV4_ADDR
*Apr  9 07:24:48.715: ISAKMP: (1090):ID payload
        next-payload : 8
        type         : 1
*Apr  9 07:24:48.715: ISAKMP: (1090):   address      : 5.5.5.5
*Apr  9 07:24:48.715: ISAKMP: (1090):   protocol     : 17
        port         : 0
        length       : 12
*Apr  9 07:24:48.715: ISAKMP: (1090):Total payload length: 12
*Apr  9 07:24:48.715: ISAKMP-PAK: (1090):sending packet to 2.2.2.2 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Apr  9 07:24:48.715: ISAKMP: (1090):Sending an IKE IPv4 Packet.
*Apr  9 07:24:48.715: ISAKMP: (1090):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr  9 07:24:48.715: ISAKMP: (1090):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Apr  9 07:24:48.715: ISAKMP: (1090):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Apr  9 07:24:48.715: ISAKMP: (1090):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Apr  9 07:24:48.737: ISAKMP-PAK: (1090):received packet from 2.2.2.2 dport 4500 sport 4500 Global (R) QM_IDLE
*Apr  9 07:24:48.737: ISAKMP: (1090):set new node 1 to QM_IDLE
*Apr  9 07:24:48.737: ISAKMP: (1090):processing HASH payload. message ID = 1
*Apr  9 07:24:48.737: ISAKMP: (1090):processing SA payload. message ID = 1
*Apr  9 07:24:48.737: ISAKMP: (1090):processing NAT-OAi payload. addr = 192.168.1.132, message ID = 1
*Apr  9 07:24:48.737: ISAKMP: (1090):processing NAT-OAr payload. addr = 5.5.5.5, message ID = 1
*Apr  9 07:24:48.737: ISAKMP: (1090):Checking IPSec proposal 1
*Apr  9 07:24:48.737: ISAKMP: (1090):transform 1, ESP_AES
*Apr  9 07:24:48.737: ISAKMP: (1090):   attributes in transform:
*Apr  9 07:24:48.737: ISAKMP: (1090):      encaps is 4 (Transport-UDP)
*Apr  9 07:24:48.737: ISAKMP: (1090):      key length is 128
*Apr  9 07:24:48.737: ISAKMP: (1090):      authenticator is HMAC-SHA
*Apr  9 07:24:48.737: ISAKMP: (1090):      SA life type in seconds
*Apr  9 07:24:48.737: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
*Apr  9 07:24:48.737: ISAKMP: (1090):      SA life type in kilobytes
*Apr  9 07:24:48.737: ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xD0 0x90
*Apr  9 07:24:48.737: ISAKMP: (1090):atts are acceptable.
*Apr  9 07:24:48.737: IPSEC(validate_proposal_request): proposal part #1
*Apr  9 07:24:48.737: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 5.5.5.5:0, remote= 2.2.2.2:0,
    local_proxy= 5.5.5.5/255.255.255.255/17/1701,
    remote_proxy= 2.2.2.2/255.255.255.255/17/1701,
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Transport-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Apr  9 07:24:48.737: (ipsec_process_proposal)Map Accepted: CRYPTO_MAP_REMOTE_USERS, 10
*Apr  9 07:24:48.737: ISAKMP: (1090):processing NONCE payload. message ID = 1
*Apr  9 07:24:48.737: ISAKMP: (1090):processing ID payload. message ID = 1
*Apr  9 07:24:48.737: ISAKMP: (1090):processing ID payload. message ID = 1
*Apr  9 07:24:48.737: ISAKMP: (1090):received payload type 21
*Apr  9 07:24:48.737: ISAKMP: (1090):received payload type 21
*Apr  9 07:24:48.737: ISAKMP: (1090):QM Responder gets spi
*Apr  9 07:24:48.737: ISAKMP: (1090):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Apr  9 07:24:48.737: ISAKMP: (1090):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
*Apr  9 07:24:48.737: ISAKMP: (1090):Node 1, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Apr  9 07:24:48.737: ISAKMP: (1090):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_IPSEC_INSTALL_AWAIT
*Apr  9 07:24:48.737: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Apr  9 07:24:48.737: IPSEC(crypto_ipsec_create_ipsec_sas): Map found CRYPTO_MAP_REMOTE_USERS, 10
*Apr  9 07:24:48.737: IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 11B177E0
*Apr  9 07:24:48.737: IPSEC(create_sa): sa created,
  (sa) sa_dest= 5.5.5.5, sa_proto= 50,
    sa_spi= 0x23DB241A(601564186),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2167
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= 5.5.5.5:0, remote= 2.2.2.2:0,
    local_proxy= 5.5.5.5/255.255.255.255/17/1701,
    remote_proxy= 2.2.2.2/255.255.255.255/17/4500
*Apr  9 07:24:48.737: IPSEC(create_sa): sa created,
  (sa) sa_dest= 2.2.2.2, sa_proto= 50,
    sa_spi= 0x5BC75391(1539789713),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2168
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= 5.5.5.5:0, remote= 2.2.2.2:0,
    local_proxy= 5.5.5.5/255.255.255.255/17/1701,
    remote_proxy= 2.2.2.2/255.255.255.255/17/4500
*Apr  9 07:24:48.737: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
*Apr  9 07:24:48.737: IPSEC(rte_mgr): VPN Route Event Install new outbound sa: Static keyword or dynamic SA create for 2.2.2.2
*Apr  9 07:24:48.737: ISAKMP: (1090):Received IPSec Install callback... proceeding with the negotiation
*Apr  9 07:24:48.737: ISAKMP: (1090):Successfully installed IPSEC SA (SPI:0x23DB241A) on GigabitEthernet5
*Apr  9 07:24:48.737: ISAKMP-PAK: (1090):sending packet to 2.2.2.2 my_port 4500 peer_port 4500 (R) QM_IDLE    
*Apr  9 07:24:48.737: ISAKMP: (1090):Sending an IKE IPv4 Packet.
*Apr  9 07:24:48.737: ISAKMP: (1090):Node 1, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Apr  9 07:24:48.737: ISAKMP: (1090):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2
*Apr  9 07:24:48.757: ISAKMP-PAK: (1090):received packet from 2.2.2.2 dport 4500 sport 4500 Global (R) QM_IDLE
*Apr  9 07:24:48.757: ISAKMP: (1090):deleting node 1 error FALSE reason "QM done (await)"
*Apr  9 07:24:48.757: ISAKMP: (1090):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Apr  9 07:24:48.757: ISAKMP: (1090):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
*Apr  9 07:24:48.757: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Apr  9 07:24:48.757: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Apr  9 07:24:48.759: IPSEC: Expand action denied, notify RP
*Apr  9 07:24:53.925: ISAKMP-PAK: (1090):received packet from 2.2.2.2 dport 4500 sport 4500 Global (R) QM_IDLE
*Apr  9 07:24:53.925: ISAKMP: (1090):set new node 1444909779 to QM_IDLE
*Apr  9 07:24:53.925: ISAKMP: (1090):processing HASH payload. message ID = 1444909779
*Apr  9 07:24:53.925: ISAKMP: (1090):processing DELETE payload. message ID = 1444909779
*Apr  9 07:24:53.925: ISAKMP: (1090):peer does not do paranoid keepalives.
*Apr  9 07:24:53.925: ISAKMP: (1090):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x5BC75391)
*Apr  9 07:24:53.925: ISAKMP: (1090):deleting node 1444909779 error FALSE reason "Informational (in) state 1"
*Apr  9 07:24:53.925: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Apr  9 07:24:53.925: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 5502
*Apr  9 07:24:53.925: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Apr  9 07:24:53.925: IPSEC: still in use sa: 0x135D01F8
*Apr  9 07:24:53.925: IPSEC(key_engine_delete_sas): delete SA with spi 0x5BC75391 proto 50 for 2.2.2.2
*Apr  9 07:24:53.925: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 5.5.5.5, sa_proto= 50,
    sa_spi= 0x23DB241A(601564186),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2167
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= 5.5.5.5:0, remote= 2.2.2.2:0,
    local_proxy= 5.5.5.5/255.255.255.255/17/1701,
    remote_proxy= 2.2.2.2/255.255.255.255/17/4500
*Apr  9 07:24:53.925: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 2.2.2.2, sa_proto= 50,
    sa_spi= 0x5BC75391(1539789713),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2168
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= 5.5.5.5:0, remote= 2.2.2.2:0,
    local_proxy= 5.5.5.5/255.255.255.255/17/1701,
    remote_proxy= 2.2.2.2/255.255.255.255/17/4500
*Apr  9 07:24:53.925: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
*Apr  9 07:24:53.925: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
*Apr  9 07:24:53.925: ISAKMP-PAK: (1090):received packet from 2.2.2.2 dport 4500 sport 4500 Global (R) QM_IDLE
*Apr  9 07:24:53.925: ISAKMP: (1090):set new node -159405345 to QM_IDLE
*Apr  9 07:24:53.925: ISAKMP: (1090):processing HASH payload. message ID = 4135561951
*Apr  9 07:24:53.925: ISAKMP: (1090):processing DELETE payload. message ID = 4135561951
*Apr  9 07:24:53.925: ISAKMP: (1090):peer does not do paranoid keepalives.
*Apr  9 07:24:53.925: ISAKMP: (1090):deleting SA reason "No reason" state (R) QM_IDLE       (peer 2.2.2.2)
*Apr  9 07:24:53.925: ISAKMP: (1090):deleting node -159405345 error FALSE reason "Informational (in) state 1"
*Apr  9 07:24:53.925: ISAKMP: (1090):set new node 829896282 to QM_IDLE
*Apr  9 07:24:53.925: ISAKMP-PAK: (1090):sending packet to 2.2.2.2 my_port 4500 peer_port 4500 (R) QM_IDLE    
*Apr  9 07:24:53.925: ISAKMP: (1090):Sending an IKE IPv4 Packet.
*Apr  9 07:24:53.925: ISAKMP: (1090):purging node 829896282
*Apr  9 07:24:53.925: ISAKMP: (1090):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Apr  9 07:24:53.925: ISAKMP: (1090):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Apr  9 07:24:53.925: ISAKMP: (1090):deleting SA reason "No reason" state (R) QM_IDLE       (peer 2.2.2.2)
*Apr  9 07:24:53.925: ISAKMP: (0):Unlocking peer struct 0x141FF2D8 for isadb_mark_sa_deleted(), count 0
*Apr  9 07:24:53.925: ISAKMP: (1090):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr  9 07:24:53.925: ISAKMP: (1090):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Apr  9 07:24:53.925: IPSEC(ident_delete_notify_kmi): Failed to send KEY_ENG_DELETE_SAS
*Apr  9 07:24:53.925: IPSEC(ident_update_final_flow_stats): Collect Final Stats and update MIB
IPSEC get IKMP peer index from peer 0x11B177E0 ikmp handle 0x80000066
IPSEC IKMP peer index 0
[ident_update_final_flow_stats] : Flow delete complete event received for flow id 0x340000A7,peer index 0

*Apr  9 07:24:53.925: ISAKMP: (0):Deleting peer node by peer_reap for 2.2.2.2: 141FF2D8
*Apr  9 07:24:53.925: IPSEC(key_engine): got a queue event with 1 KMI message(s)
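
Added example (not part of the original post and not Cisco tooling): a small Python parser for `debug crypto isakmp` output in the format shown above. It lists the IKE phase 1 transforms the client offered with the router's verdict on each, flags a weak accepted proposal, and measures how long the IPsec SA stayed up before the peer's DELETE arrived. The function names and the weak-crypto threshold are assumptions of this example.

```python
import re

# Abridged lines from the debug output posted above (same format, fewer attributes).
SAMPLE = """\
*Apr  9 07:24:48.665: ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
*Apr  9 07:24:48.665: ISAKMP: (0):      encryption AES-CBC
*Apr  9 07:24:48.665: ISAKMP: (0):      default group 20
*Apr  9 07:24:48.665: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
*Apr  9 07:24:48.665: ISAKMP: (0):Checking ISAKMP transform 4 against priority 10 policy
*Apr  9 07:24:48.665: ISAKMP: (0):      encryption 3DES-CBC
*Apr  9 07:24:48.665: ISAKMP: (0):      default group 14
*Apr  9 07:24:48.665: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
*Apr  9 07:24:48.665: ISAKMP: (0):Checking ISAKMP transform 5 against priority 10 policy
*Apr  9 07:24:48.665: ISAKMP: (0):      encryption 3DES-CBC
*Apr  9 07:24:48.665: ISAKMP: (0):      default group 2
*Apr  9 07:24:48.665: ISAKMP: (0):atts are acceptable. Next payload is 0
*Apr  9 07:24:48.715: ISAKMP: (1090):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Apr  9 07:24:48.757: ISAKMP: (1090):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
*Apr  9 07:24:53.925: ISAKMP: (1090):processing DELETE payload. message ID = 1444909779
"""

TS = re.compile(r"^\*\w+\s+\d+\s+(\d+):(\d+):(\d+\.\d+): (.*)$")
ATTRS = {"enc": r":\s+encryption (\S+)", "keylen": r":\s+keylength of (\d+)",
         "hash": r":\s+hash (\S+)", "group": r":\s+default group (\d+)"}
EVENTS = {"phase1": "New State = IKE_P1_COMPLETE",
          "phase2": "New State = IKE_QM_PHASE2_COMPLETE",
          "peer_delete": "processing DELETE payload"}

def _lines(text):
    """Yield (seconds since midnight, message) for every timestamped line."""
    for raw in text.splitlines():
        m = TS.match(raw)
        if m:
            h, mi, s, msg = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + float(s), msg

def parse_proposals(text):
    """Phase 1 transforms the peer offered, with the router's verdict on each."""
    props, cur = [], None
    for _, msg in _lines(text):
        m = re.search(r"Checking ISAKMP transform (\d+)", msg)
        if m:
            cur = {"num": int(m.group(1)), "verdict": None}
            props.append(cur)
        elif cur and cur["verdict"] is None:
            rej = re.search(r"\):(.+) offered does not match policy", msg)
            if rej:
                cur["verdict"] = "rejected: " + rej.group(1)
            elif "atts are acceptable" in msg:
                cur["verdict"] = "accepted"
            for key, pat in ATTRS.items():
                a = re.search(pat, msg)
                if a:
                    cur[key] = a.group(1)
    return props

def summarize(text):
    """Accepted proposal, whether it is weak, and when each phase/teardown happened."""
    out = {k: None for k in EVENTS}
    for t, msg in _lines(text):
        for key, needle in EVENTS.items():
            if out[key] is None and needle in msg:
                out[key] = t
    ok = [p for p in parse_proposals(text) if p["verdict"] == "accepted"]
    out["accepted"] = ok[0] if ok else None
    # Assumption for this example: DES/3DES or a DH group below 14 counts as weak.
    out["weak"] = bool(ok) and (ok[0].get("enc") in ("DES-CBC", "3DES-CBC")
                                or int(ok[0].get("group", 14)) < 14)
    if out["phase2"] is not None and out["peer_delete"] is not None:
        out["up_for_s"] = round(out["peer_delete"] - out["phase2"], 3)
    return out

if __name__ == "__main__":
    print(parse_proposals(SAMPLE), summarize(SAMPLE), sep="\n")
```

On the excerpt it reports transform 5 (3DES-CBC, group 2) as the accepted proposal, both IKE phases completing, and the peer's DELETE arriving 5.168 s after phase 2.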


 
