MM1 – Receive & check Phase 1 Proposal
! Includes: Encryption, Hashing, DH group, Lifetime
*17:21:43.778: ISAKMP-PAK: (0):received packet (N) NEW SA
*17:21:43.779: ISAKMP: (0):Created a peer struct, New peer created, Locking peer struct
*17:21:43.782: ISAKMP: (0):insert sa successfully sa = 10D15C38
*17:21:43.783: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1
*17:21:43.785: ISAKMP: (0):processing SA payload. message ID = 0
*17:21:43.786: ISAKMP: (0):processing Unity/DPD, NAT-T, pre-shared, xauth
*17:21:43.792: ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
*17:21:43.792: ISAKMP: (0):encryption, hash, DH group, auth, life
*17:21:43.795: ISAKMP: (0):atts are acceptable. (…)
*17:21:43.797: ISAKMP: (0):processing vendor id payload (DPD, NAT-T)
*17:21:43.801: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1

MM2 – Send Phase 1 Proposal reply
*17:21:43.806: ISAKMP-PAK: (0):sending packet (R) MM_SA_SETUP
*17:21:43.808: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2

MM3 – Receive and process DH public key, NONCE, NAT-D, Vendor ID
! Includes: NAT discovery, DH exchange part one
*17:21:43.834: ISAKMP-PAK: (0):received packet (R) MM_SA_SETUP
*17:21:43.835: ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*17:21:43.838: ISAKMP: (0):processing KE, NONCE payload, pre-shared key, vendor ID, NAT-D

MM4 – DH exchange is done, shared secret generated, determine NAT
! Includes: Determine NAT, Continuation of DH exchange
*17:21:43.846: ISAKMP: (1004):No NAT Found for self or peer
*17:21:43.847: ISAKMP: (1004):Old State = IKE_R_MM3 New State = IKE_R_MM3
*17:21:43.850: ISAKMP-PAK: (1004):sending packet (R) MM_KEY_EXCH
*17:21:43.852: ISAKMP: (1004):Old State = IKE_R_MM3 New State = IKE_R_MM4

MM5 – Receive peer Identity, authenticating peer
*17:21:43.880: ISAKMP-PAK: (1004):received packet (R) MM_KEY_EXCH
*17:21:43.882: ISAKMP: (1004):Old State = IKE_R_MM4 New State = IKE_R_MM5
*17:21:43.885: ISAKMP: (1004):processing payload (authenticating HASH)
*17:21:43.888: ISAKMP: (1004):SA authentication status: authenticated (with 2.2.2.2)
*17:21:43.889: ISAKMP: (1004):Process initial contact, insert peer
*17:21:43.892: ISAKMP: (1004):Old State = IKE_R_MM5 New State = IKE_R_MM5

MM6 – Sends Identity, Phase 1 Complete
*17:21:43.895: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*17:21:43.896: ISAKMP: (1004):pre-shared key authentication, payload details
*17:21:43.900: ISAKMP-PAK: (1004):sending packet (R) MM_KEY_EXCH
*17:21:43.905: ISAKMP: (1004):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

QM1 – Receive and check Phase 2 Proposal
*17:21:43.931: ISAKMP-PAK: (1004):received packet (R) QM_IDLE
*17:21:43.932: ISAKMP: (1004):processing HASH, SA payload
*17:21:43.934: ISAKMP: (1004):Checking IPSec proposal 1, transform 1
*17:21:43.934: ISAKMP: (1004)::protocol, encr, mode, lifedur, hash, PFS
*17:21:43.939: ISAKMP: (1004):atts are acceptable.
*17:21:43.939: IPSEC(validate_proposal_request): local/remote_proxy, protocol, transform, lifedur, spi
*17:21:43.942: Crypto mapdb : proxy_match
*17:21:43.942: (ipsec_process_proposal)Map Accepted: MAP1, 10
*17:21:43.943: ISAKMP: (1004):processing NONCE, KE, ID payload
*17:21:43.951: ISAKMP: (1004):QM Responder gets spi
*17:21:43.952: ISAKMP: (1004):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*17:21:43.954: ISAKMP: (1004):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT

QM2 – Create IPsec SA, send Phase 2 Proposal reply
! Includes: Parameters from peer, Choose the shorter phase 2 lifetimes
*17:21:43.958: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*17:21:43.958: Crypto mapdb : proxy_match
*17:21:43.966: IPSEC(create_sa): sa created, outbound sa, inbound sa
*17:21:43.974: ISAKMP: (1004):Successfully installed IPSEC SA (SPI:0xBEDC9551) on GigabitEthernet0/0
*17:21:43.981: ISAKMP-PAK: (1004):sending packet (R) QM_IDLE
*17:21:43.984: ISAKMP: (1004):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2

QM3 – Receive Phase 2 completion, Phase 2 complete
*17:21:44.039: ISAKMP-PAK: (1004):received packet (R) QM_IDLE
*17:21:44.042: ISAKMP: (1004):deleting node -1060470919 error FALSE reason "QM done (await)"
*17:21:44.042: ISAKMP: (1004):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
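
An added example, not part of the original page or of any Cisco tooling: a Python parser that pulls the "Old State / New State" transitions out of responder debug output like the above and reports the last step reached, using this page's MM1 to QM3 labels. The state-to-step mapping is taken from this walkthrough, and the sample log is constructed from its lines, cut off after MM4.

```python
import re

# Responder-side states mapped to the step labels used in the walkthrough above.
STATE_TO_STEP = {
    "IKE_R_MM1": "MM1", "IKE_R_MM2": "MM2", "IKE_R_MM3": "MM3",
    "IKE_R_MM4": "MM4", "IKE_R_MM5": "MM5", "IKE_P1_COMPLETE": "MM6",
    "IKE_QM_SPI_STARVE": "QM1", "IKE_QM_IPSEC_INSTALL_AWAIT": "QM1",
    "IKE_QM_R_QM2": "QM2", "IKE_QM_PHASE2_COMPLETE": "QM3",
}
ORDER = ["MM1", "MM2", "MM3", "MM4", "MM5", "MM6", "QM1", "QM2", "QM3"]

# Matches e.g. "*17:21:43.808: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2".
# finditer is used so several entries run together on one line are still found.
TRANSITION = re.compile(
    r"\*(\d\d:\d\d:\d\d\.\d+): ISAKMP: \((\d+)\):"
    r"Old State = (\w+)\s+New State = (\w+)")

def transitions(text):
    """Return (timestamp, sa_id, old_state, new_state) for every state change."""
    return [(m[1], int(m[2]), m[3], m[4]) for m in TRANSITION.finditer(text)]

def progress(text):
    """Return (last step reached, next expected step or None when complete)."""
    reached = [STATE_TO_STEP[new] for _, _, _, new in transitions(text)
               if new in STATE_TO_STEP]
    if not reached:
        return (None, ORDER[0])
    last = max(reached, key=ORDER.index)
    nxt = ORDER.index(last) + 1
    return (last, ORDER[nxt] if nxt < len(ORDER) else None)

# Constructed sample: transition lines from the walkthrough, truncated after
# MM4 to imitate a negotiation where the peer's MM5 packet never arrives.
STALLED = """\
*17:21:43.783: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1
*17:21:43.808: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*17:21:43.835: ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*17:21:43.852: ISAKMP: (1004):Old State = IKE_R_MM3 New State = IKE_R_MM4
"""

if __name__ == "__main__":
    for ts, sa, old, new in transitions(STALLED):
        print(f"{ts}  sa={sa:<5} {old} -> {new}")
    last, expected = progress(STALLED)
    print(f"last step reached: {last}, waiting for: {expected}")
```

The SA identifier in parentheses changes from 0 to 1004 partway through the same negotiation, so the parser keys on the state names rather than on that number.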