Cisco SRP500 Configuration Manual Download Page 6

 

 
All contents are Copyright © 1992-2011 Cisco Systems, Inc.  All rights reserved.  This document is Cisco Public Information. 

Page 6 of 9

 

#######  Site 2 SRP500 initiates the connection here using the status page
ISAKMP (0): received packet from 192.168.200.162 dport 500 sport 500 Global (N) NEW SA 
ISAKMP: Created a peer struct for 192.168.200.162, peer port 500 
ISAKMP: New peer created peer = 0x83952688 peer_handle = 0x8000001E 
ISAKMP: Locking peer struct 0x83952688, refcount 1 for crypto_isakmp_process_block 
ISAKMP: local port 500, remote port 500 
ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 83953838 
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH 
ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1 
 
ISAKMP:(0): processing SA payload. message ID = 0 
ISAKMP:(0): processing vendor id payload 
ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch 
ISAKMP:(0): processing vendor id payload 
ISAKMP:(0): vendor ID is DPD 
ISAKMP:(0):found peer pre-shared key matching 192.168.200.162 
ISAKMP:(0): local preshared key found 
ISAKMP : Scanning profiles for xauth ... 
ISAKMP:(0):Checking ISAKMP transform 0 against priority 1 policy 
ISAKMP:      life type in seconds 
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x53 
ISAKMP:      encryption 3DES-CBC 
ISAKMP:      hash SHA 
ISAKMP:      auth pre-share 
ISAKMP:      default group 2 
ISAKMP:(0):atts are acceptable. Next payload is 0 
ISAKMP:(0):Acceptable atts:actual life: 28800 
ISAKMP:(0):Acceptable atts:life: 0 
ISAKMP:(0):Fill atts in sa vpi_length:4 
ISAKMP:(0):Fill atts in sa life_in_seconds:86355 
ISAKMP:(0):Returning Actual lifetime: 28800 
ISAKMP:(0)::Started lifetime timer: 28800. 
 
ISAKMP:(0): processing vendor id payload 
ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch 
ISAKMP:(0): processing vendor id payload 
ISAKMP:(0): vendor ID is DPD 
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE 
ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1 
 
ISAKMP:(0): sending packet to 192.168.200.162 my_port 500 peer_port 500 (R) MM_SA_SETUP 
ISAKMP:(0):Sending an IKE IPv4 Packet. 
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE 
ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2 
 
ISAKMP (0): received packet from 192.168.200.162 dport 500 sport 500 Global (R) MM_SA_SETUP
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH 
ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3 
 
ISAKMP:(0): processing KE payload. message ID = 0 
ISAKMP:(0): processing NONCE payload. message ID = 0 
ISAKMP:(0):found peer pre-shared key matching 192.168.200.162 
ISAKMP:(2026):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE 
ISAKMP:(2026):Old State = IKE_R_MM3  New State = IKE_R_MM3 
 
ISAKMP:(2026): sending packet to 192.168.200.162 my_port 500 peer_port 500 (R) MM_KEY_EXCH
ISAKMP:(2026):Sending an IKE IPv4 Packet. 
ISAKMP:(2026):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE 
ISAKMP:(2026):Old State = IKE_R_MM3  New State = IKE_R_MM4 
 
ISAKMP (2026): received packet from 192.168.200.162 dport 500 sport 500 Global (R) MM_KEY_EXCH
ISAKMP:(2026):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH 
ISAKMP:(2026):Old State = IKE_R_MM4  New State = IKE_R_MM5 
 

Summary of Contents for SRP500

Page 1: ...Cisco Small Business Managed Router Feature Configuration Guide SRP500 Site to Site IPSec VPNs ...

Page 2: ...1 SRP541W running v1 1 19 004 Site 2 SRP521W running v1 2 0 023 Site 3 SR520 running IOS 15 1 1 T Configuring the SRP500 for IPSec The following screenshots illustrate how to configure the SRP500 IKE and IPSec policies for connecting to a remote IOS device Connecting to a remote SRP500 can follow exactly the same approach allowing of course the appropriate address and subnet in that case IKE Polic...

Page 3: ...This document is Cisco Public Information Page 3 of 9 This configuration is summarised as follows once the configuration is submitted IPSec Policy Configuration An IPSec policy must be created for each site to site tunnel Each SRP500 device may define up to five IPSec policies ...

Page 4: ...ish a VPN tunnel to the IOS device at site 3 Access the VPN IPSec Policy SRP500 page and click Add Entry to define a new policy For these configurations it should be sufficient to use the Auto Policy type setting Once submitted the IPSec policy is summarised as follows Note that in this case IPSec NAT traversal NAT T is not required NAT Traversal may be configured using the VPN NAT Traversal page ...

Page 5: ... are configured the VPN tunnel will automatically establish The SRP500 Status VPN page can be used to verify that the connection has been established This page may also be used to manually Disconnect Connect the tunnel if required To monitor the VPN connection process on the IOS device you may use the debug crypto isakmp and debug crypto ipsec features The following capture illustrates the connect...

Page 7: ... RESPONDER_LIFETIME protocol 1 spi 2227348128 message ID 1956323662 ISAKMP 2026 sending packet to 192 168 200 162 my_port 500 peer_port 500 R MM_KEY_EXCH ISAKMP 2026 Sending an IKE IPv4 Packet ISAKMP 2026 purging node 1956323662 ISAKMP Sending phase 1 responder lifetime 28800 ISAKMP 2026 Input IKE_MESG_INTERNAL IKE_PROCESS_COMPLETE ISAKMP 2026 Old State IKE_R_MM5 New State IKE_P1_COMPLETE ISAKMP 2...

Page 8: ...192 168 9 0 dst addr 192 168 15 0 protocol 0 src port 0 dst port 0 IPSEC crypto_ipsec_sa_find_ident_head reconnecting with the same proxies and peer 192 168 200 162 IPSEC policy_db_add_ident src 192 168 9 0 dest 192 168 15 0 dest_port 0 IPSEC create_sa sa created sa sa_dest 192 168 200 146 sa_proto 50 sa_spi 0xBDE1EBFF 3185699839 sa_trans esp 3des esp sha hmac sa_conn_id 353 sa_lifetime k sec 4519...

Page 9: ... 0 type 4 remote_proxy 192 168 15 0 255 255 255 0 0 0 type 4 ISAKMP 2026 received packet from 192 168 200 162 dport 500 sport 500 Global R QM_IDLE ISAKMP set new node 1973569393 to QM_IDLE ISAKMP 2026 processing HASH payload message ID 1973569393 ISAKMP 2026 processing DELETE payload message ID 1973569393 ISAKMP 2026 peer does not do paranoid keepalives ISAKMP 2026 deleting SA reason No reason sta...
