Hans-Joerg Hoexer wrote:
> what ipsec software is running on the clients? What does your
> ipsec.conf on the firewall look like?
>
Some updated info: For whatever reason, the last two packets in the packet capture show a DELETE action:

20:14:24.117160 10.107.208.20.isakmp > router.arswiki.org.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
    cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 44aa1cd7 len: 52
    payload: HASH len: 24 [ttl 0] (id 1, len 80)
20:15:06.955703 10.107.208.1.isakmp > 10.107.208.20.isakmp: [udp sum ok] isakmp v1.0 exchange INFO
    cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 8c2a671f len: 68
    payload: HASH len: 24
    payload: DELETE len: 16 DOI: 1(IPSEC) proto: IPSEC_ESP nspis: 1
        SPI: 0xa3ee9768 [ttl 0] (id 1, len 96)
20:15:06.958120 10.107.208.1.isakmp > 10.107.208.20.isakmp: [udp sum ok] isakmp v1.0 exchange INFO
    cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: b81113d3 len: 80
    payload: HASH len: 24
    payload: DELETE len: 28 DOI: 1(IPSEC) proto: ISAKMP nspis: 1
        cookie: 5ad2b89593ca41af->acd59e7bdeb12259 [ttl 0] (id 1, len 108)

*** ipsecctl output:

# date
Sun Sep 3 20:14:33 EDT 2006
# ipsecctl -s all
FLOWS:
flow esp in from 10.107.208.20 to 10.107.208.1 peer 10.107.208.20
flow esp out from 10.107.208.1 to 10.107.208.20 peer 10.107.208.20

SADB:
esp transport from 10.107.208.1 to 10.107.208.20 spi 0xbb351f90 enc 3des-cbc auth hmac-md5
esp transport from 10.107.208.20 to 10.107.208.1 spi 0xa3ee9768 enc 3des-cbc auth hmac-md5

*** isakmpd output:

# isakmpd -L -d -4 -DA=10
201358.608890 Default log_debug_cmd: log level changed from 0 to 10 for class 0 [priv]
201358.610514 Default log_debug_cmd: log level changed from 0 to 10 for class 1 [priv]
201358.611163 Default log_debug_cmd: log level changed from 0 to 10 for class 2 [priv]
201358.611570 Default log_debug_cmd: log level changed from 0 to 10 for class 3 [priv]
201358.612056 Default log_debug_cmd: log level changed from 0 to 10 for class 4 [priv]
201358.612448 Default log_debug_cmd: log level changed from 0 to 10 for class 5 [priv]
201358.612928 Default log_debug_cmd: log level changed from 0 to 10 for class 6 [priv]
201358.613299 Default log_debug_cmd: log level changed from 0 to 10 for class 7 [priv]
201358.613755 Default log_debug_cmd: log level changed from 0 to 10 for class 8 [priv]
201358.614134 Default log_debug_cmd: log level changed from 0 to 10 for class 9 [priv]
201358.614628 Default log_debug_cmd: log level changed from 0 to 10 for class 10 [priv]
201358.624595 Misc 10 monitor_init: privileges dropped for child process
201359.285220 Default log_packet_init: starting IKE packet capture to file "/var/run/isakmpd.pcap"
201423.864748 Timr 10 timer_add_event: event exchange_free_aux(0x4af26c00) added last, expiration in 120s
201423.865819 Exch 10 exchange_setup_p1: 0x4af26c00 client Default-main-mode policy responder phase 1 doi 1 exchange 2 step 0
201423.866355 Exch 10 exchange_setup_p1: icookie 5ad2b89593ca41af rcookie acd59e7bdeb12259
201423.866923 Exch 10 exchange_setup_p1: msgid 00000000
201423.867580 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected
201423.868493 Exch 10 exchange_handle_leftover_payloads: unexpected payload VENDOR
201423.869011 Exch 10 exchange_handle_leftover_payloads: unexpected payload VENDOR
201423.869577 Exch 10 exchange_handle_leftover_payloads: unexpected payload VENDOR
201423.871151 Timr 10 timer_add_event: event message_send_expire(0x45a64e00) added before exchange_free_aux(0x4af26c00), expiration in 7s
201423.906614 Timr 10 timer_remove_event: removing event message_send_expire(0x45a64e00)
201423.996634 Timr 10 timer_add_event: event message_send_expire(0x45a64a00) added before exchange_free_aux(0x4af26c00), expiration in 7s
201424.097443 Timr 10 timer_remove_event: removing event message_send_expire(0x45a64a00)
201424.099859 Exch 10 exchange_finalize: 0x4af26c00 client Default-main-mode policy responder phase 1 doi 1 exchange 2 step 6
201424.100502 Exch 10 exchange_finalize: icookie 5ad2b89593ca41af rcookie acd59e7bdeb12259
201424.100925 Exch 10 exchange_finalize: msgid 00000000
201424.101661 Exch 10 exchange_finalize: phase 1 done: initiator id 0a6bd014: 10.107.208.20, responder id 0a6bd001: 10.107.208.1, src: 10.107.208.1 dst: 10.107.208.20
201424.102202 Timr 10 timer_add_event: event sa_soft_expire(0x4af26e00) added last, expiration in 27302s
201424.102757 Timr 10 timer_add_event: event sa_hard_expire(0x4af26e00) added last, expiration in 28800s
201424.107976 Timr 10 timer_add_event: event exchange_free_aux(0x4af27000) added before sa_soft_expire(0x4af26e00), expiration in 120s
201424.108592 Exch 10 exchange_setup_p2: 0x4af27000 <unnamed> <no policy> policy responder phase 2 doi 1 exchange 32 step 0
201424.109035 Exch 10 exchange_setup_p2: icookie 5ad2b89593ca41af rcookie acd59e7bdeb12259
201424.109560 Exch 10 exchange_setup_p2: msgid 44aa1cd7 sa_list
201424.114593 Timr 10 timer_add_event: event message_send_expire(0x45a65000) added before exchange_free_aux(0x4af26c00), expiration in 7s
201424.115987 Timr 10 timer_remove_event: removing event message_send_expire(0x45a65000)
201424.117592 Exch 10 exchange_finalize: 0x4af27000 <unnamed> <no policy> policy responder phase 2 doi 1 exchange 32 step 2
201424.118178 Exch 10 exchange_finalize: icookie 5ad2b89593ca41af rcookie acd59e7bdeb12259
201424.118603 Exch 10 exchange_finalize: msgid 44aa1cd7 sa_list 0x4af27200
201424.119271 Sdep 10 pf_key_v2_set_spi: satype 2 dst 10.107.208.20 SPI 0xbb351f90
201424.119775 Timr 10 timer_add_event: event sa_soft_expire(0x4af27200) added before sa_soft_expire(0x4af26e00), expiration in 3214s
201424.120325 Timr 10 timer_add_event: event sa_hard_expire(0x4af27200) added before sa_soft_expire(0x4af26e00), expiration in 3600s
201424.121373 Sdep 10 pf_key_v2_set_spi: satype 2 dst 10.107.208.1 SPI 0xa3ee9768
201424.122977 Timr 10 timer_remove_event: removing event exchange_free_aux(0x4af27000)
^C201506.955032 Default isakmpd: shutting down...
201506.955273 Timr 10 timer_add_event: event exchange_free_aux(0x4af27000) added before sa_soft_expire(0x4af27200), expiration in 120s
201506.955356 Exch 10 exchange_establish_p2: 0x4af27000 <unnamed> <no policy> policy initiator phase 2 doi 1 exchange 5 step 0
201506.955413 Exch 10 exchange_establish_p2: icookie 5ad2b89593ca41af rcookie acd59e7bdeb12259
201506.955463 Exch 10 exchange_establish_p2: msgid 8c2a671f sa_list
201506.956197 Timr 10 timer_remove_event: removing event sa_hard_expire(0x4af27200)
201506.956269 Timr 10 timer_remove_event: removing event sa_soft_expire(0x4af27200)
201506.957292 Timr 10 timer_add_event: event exchange_free_aux(0x4af27200) added before sa_soft_expire(0x4af26e00), expiration in 120s
201506.957384 Exch 10 exchange_establish_p2: 0x4af27200 <unnamed> <no policy> policy initiator phase 2 doi 1 exchange 5 step 0
201506.957438 Exch 10 exchange_establish_p2: icookie 5ad2b89593ca41af rcookie acd59e7bdeb12259
201506.957487 Exch 10 exchange_establish_p2: msgid b81113d3 sa_list
201506.958611 Timr 10 timer_remove_event: removing event sa_hard_expire(0x4af26e00)
201506.958693 Timr 10 timer_remove_event: removing event sa_soft_expire(0x4af26e00)
201506.959032 Exch 10 exchange_finalize: 0x4af27000 <unnamed> <no policy> policy initiator phase 2 doi 1 exchange 5 step 1
201506.959109 Exch 10 exchange_finalize: icookie 5ad2b89593ca41af rcookie acd59e7bdeb12259
201506.959159 Exch 10 exchange_finalize: msgid 8c2a671f sa_list
201506.959215 Timr 10 timer_remove_event: removing event exchange_free_aux(0x4af27000)
201506.959443 Exch 10 exchange_finalize: 0x4af27200 <unnamed> <no policy> policy initiator phase 2 doi 1 exchange 5 step 1
201506.959568 Exch 10 exchange_finalize: icookie 5ad2b89593ca41af rcookie acd59e7bdeb12259
201506.959618 Exch 10 exchange_finalize: msgid b81113d3 sa_list
201506.959670 Timr 10 timer_remove_event: removing event exchange_free_aux(0x4af27200)
201506.959823 Default log_packet_stop: stopped capture
201506.959873 Default isakmpd: exit

*** packet capture:

20:14:23.863975 10.107.208.20.isakmp > 10.107.208.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: 5ad2b89593ca41af->0000000000000000 msgid: 00000000 len: 168
    payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
        payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
            payload: TRANSFORM len: 36 transform: 1 ID: ISAKMP
                attribute ENCRYPTION_ALGORITHM = 3DES_CBC attribute HASH_ALGORITHM = SHA attribute GROUP_DESCRIPTION = MODP_1024 attribute AUTHENTICATION_METHOD = PRE_SHARED attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00007080
    payload: VENDOR len: 24
    payload: VENDOR len: 20
    payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
    payload: VENDOR len: 20 [ttl 0] (id 1, len 196)
20:14:23.870231 10.107.208.1.isakmp > 10.107.208.20.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 00000000 len: 164
    payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
        payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
            payload: TRANSFORM len: 36 transform: 1 ID: ISAKMP
                attribute ENCRYPTION_ALGORITHM = 3DES_CBC attribute HASH_ALGORITHM = SHA attribute GROUP_DESCRIPTION = MODP_1024 attribute AUTHENTICATION_METHOD = PRE_SHARED attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00007080
    payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
    payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
    payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
    payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 192)
20:14:23.907209 10.107.208.20.isakmp > 10.107.208.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 00000000 len: 232
    payload: KEY_EXCH len: 132
    payload: NONCE len: 24
    payload: NAT-D-DRAFT len: 24
    payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 260)
20:14:23.995432 10.107.208.1.isakmp > 10.107.208.20.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 00000000 len: 232
    payload: KEY_EXCH len: 132
    payload: NONCE len: 24
    payload: NAT-D-DRAFT len: 24
    payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 260)
20:14:24.098552 10.107.208.20.isakmp > 10.107.208.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 00000000 len: 68
    payload: ID len: 12 type: IPV4_ADDR = 10.107.208.20
    payload: HASH len: 24 [ttl 0] (id 1, len 96)
20:14:24.099112 10.107.208.1.isakmp > 10.107.208.20.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 00000000 len: 92
    payload: ID len: 12 type: IPV4_ADDR = 10.107.208.1
    payload: HASH len: 24
    payload: NOTIFICATION len: 28
        notification: INITIAL CONTACT (5ad2b89593ca41af->acd59e7bdeb12259) [ttl 0] (id 1, len 120)
20:14:24.107774 10.107.208.20.isakmp > 10.107.208.1.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
    cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 44aa1cd7 len: 1300
    payload: HASH len: 24
    payload: SA len: 1196 DOI: 1(IPSEC) situation: IDENTITY_ONLY
        payload: PROPOSAL len: 92 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 2 SPI: 0xbb351f90
            payload: TRANSFORM len: 40 transform: 1 ID: 3DES
                attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 0003d090 attribute ENCAPSULATION_MODE = TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
            payload: TRANSFORM len: 40 transform: 2 ID: 3DES
                attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 0003d090 attribute ENCAPSULATION_MODE = TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
        payload: PROPOSAL len: 52 proposal: 2 proto: IPSEC_AH spisz: 4 xforms: 1 SPI: 0xbb351f90
            payload: TRANSFORM len: 40 transform: 1 ID: DES
                attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 0003d090 attribute ENCAPSULATION_MODE = TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
        payload: PROPOSAL len: 48 proposal: 2 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x5c207dad
            payload: TRANSFORM len: 36 transform: 1 ID: 3DES
                attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 0003d090 attribute ENCAPSULATION_MODE = TRANSPORT
        payload: PROPOSAL len: 52 proposal: 3 proto: IPSEC_AH spisz: 4 xforms: 1 SPI: 0xbb351f90
            payload: TRANSFORM len: 40 transform: 1 ID: SHA
                attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 0003d090 attribute ENCAPSULATION_MODE = TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
        payload: PROPOSAL len: 48 proposal: 3 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x5c207dad
            payload: TRANSFORM len: 36 transform: 1 ID: 3DES
                attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 0003d090 attribute ENCAPSULATION_MODE = TRANSPORT
        payload: PROPOSAL len: 52 proposal: 4 proto: IPSEC_AH spisz: 4 xforms: 1 SPI: 0xbb351f90
            payload: TRANSFORM len: 40 transform: 1 ID: DES
                attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 0003d090 attribute ENCAPSULATION_MODE = TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
        payload: PROPOSAL len: 52 proposal: 4 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x5c207dad
            payload: TRANSFORM len: 40 transform: 1 ID: 3DES
                attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 0003d090 attribute ENCAPSULATION_MODE = TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
        payload: PROPOSAL len: 52 proposal: 5 proto: IPSEC_AH spisz: 4 xforms: 1 SPI: 0xbb351f90
            payload: TRANSFORM len: 40 transform: 1 ID: SHA
                attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 0003d090 attribute ENCAPSULATION_MODE = TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
        payload: PROPOSAL len: 52 proposal: 5 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x5c207dad
            payload: TRANSFORM len: 40 transform: 1 ID: 3DES
                attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 0003d090 attribute ENCAPSULATION_MODE = TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
        payload: PROPOSAL len: 92 proposal: 6 proto: IPSEC_ESP spisz: 4 xforms: 2 SPI: 0xbb351f90
            payload: TRANSFORM len: 40 transform: 1 ID: DES
                attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 0003d090 attribute ENCAPSULATION_MODE = TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
            payload: TRANSFORM len: 40 transform: 2 ID: DES
                attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 0003d090 attribute ENCAPSULATION_MODE = TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
        payload: PROPOSAL len: 52 proposal: 7 proto: IPSEC_AH spisz: 4 xforms: 1 SPI: 0xbb351f90
            payload: TRANSFORM len: 40 transform: 1 ID: DES
                attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 0003d090 attribute ENCAPSULATION_MODE = TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
        payload: PROPOSAL len: 48 proposal: 7 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x5c207dad
            payload: TRANSFORM len: 36 transform: 1 ID: DES
                attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 0003d090 attribute ENCAPSULATION_MODE = TRANSPORT
        payload: PROPOSAL len: 52 proposal: 8 proto: IPSEC_AH spisz: 4 xforms: 1 SPI: 0xbb351f90
            payload: TRANSFORM len: 40 transform: 1 ID: SHA
                attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 0003d090 attribute ENCAPSULATION_MODE = TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
        payload: PROPOSAL len: 48 proposal: 8 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x5c207dad
            payload: TRANSFORM len: 36 transform: 1 ID: DES
                attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 0003d090 attribute ENCAPSULATION_MODE = TRANSPORT
        payload: PROPOSAL len: 52 proposal: 9 proto: IPSEC_AH spisz: 4 xforms: 1 SPI: 0xbb351f90
            payload: TRANSFORM len: 40 transform: 1 ID: DES
                attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 0003d090 attribute ENCAPSULATION_MODE = TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
        payload: PROPOSAL len: 52 proposal: 9 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x5c207dad
            payload: TRANSFORM len: 40 transform: 1 ID: DES
                attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 0003d090 attribute ENCAPSULATION_MODE = TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
        payload: PROPOSAL len: 52 proposal: 10 proto: IPSEC_AH spisz: 4 xforms: 1 SPI: 0xbb351f90
            payload: TRANSFORM len: 40 transform: 1 ID: SHA
                attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 0003d090 attribute ENCAPSULATION_MODE = TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
        payload: PROPOSAL len: 52 proposal: 10 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x5c207dad
            payload: TRANSFORM len: 40 transform: 1 ID: DES
                attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 0003d090 attribute ENCAPSULATION_MODE = TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
        payload: PROPOSAL len: 92 proposal: 11 proto: IPSEC_ESP spisz: 4 xforms: 2 SPI: 0xbb351f90
            payload: TRANSFORM len: 40 transform: 1 ID: NULL
                attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 0003d090 attribute ENCAPSULATION_MODE = TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
            payload: TRANSFORM len: 40 transform: 2 ID: NULL
                attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 0003d090 attribute ENCAPSULATION_MODE = TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
        payload: PROPOSAL len: 92 proposal: 12 proto: IPSEC_AH spisz: 4 xforms: 2 SPI: 0xbb351f90
            payload: TRANSFORM len: 40 transform: 1 ID: DES
                attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 0003d090 attribute ENCAPSULATION_MODE = TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
            payload: TRANSFORM len: 40 transform: 2 ID: SHA
                attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 0003d090 attribute ENCAPSULATION_MODE = TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
    payload: NONCE len: 24
    payload: ID len: 12 proto: 17 port: 1701 type: IPV4_ADDR = 10.107.208.20
    payload: ID len: 12 proto: 17 port: 1701 type: IPV4_ADDR = 10.107.208.1 [ttl 0] (id 1, len 1328)
20:14:24.113525 10.107.208.1.isakmp > 10.107.208.20.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
    cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 44aa1cd7 len: 164
    payload: HASH len: 24
    payload: SA len: 64 DOI: 1(IPSEC) situation: IDENTITY_ONLY
        payload: PROPOSAL len: 52 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xa3ee9768
            payload: TRANSFORM len: 40 transform: 1 ID: 3DES
                attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 00000e10 attribute LIFE_TYPE = KILOBYTES attribute LIFE_DURATION = 0003d090 attribute ENCAPSULATION_MODE = TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
    payload: NONCE len: 24
    payload: ID len: 12 proto: 17 port: 1701 type: IPV4_ADDR = 10.107.208.20
    payload: ID len: 12 proto: 17 port: 1701 type: IPV4_ADDR = 10.107.208.1 [ttl 0] (id 1, len 192)
20:14:24.117160 10.107.208.20.isakmp > 10.107.208.1.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
    cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 44aa1cd7 len: 52
    payload: HASH len: 24 [ttl 0] (id 1, len 80)
20:15:06.955703 10.107.208.1.isakmp > 10.107.208.20.isakmp: [udp sum ok] isakmp v1.0 exchange INFO
    cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 8c2a671f len: 68
    payload: HASH len: 24
    payload: DELETE len: 16 DOI: 1(IPSEC) proto: IPSEC_ESP nspis: 1
        SPI: 0xa3ee9768 [ttl 0] (id 1, len 96)
20:15:06.958120 10.107.208.1.isakmp > 10.107.208.20.isakmp: [udp sum ok] isakmp v1.0 exchange INFO
    cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: b81113d3 len: 80
    payload: HASH len: 24
    payload: DELETE len: 28 DOI: 1(IPSEC) proto: ISAKMP nspis: 1
        cookie: 5ad2b89593ca41af->acd59e7bdeb12259 [ttl 0] (id 1, len 108)

*** The config files:

*** isakmpd.conf

# cat isakmpd.conf
[General]
Listen-On= 10.107.208.1

[Phase 1]
# Default= <ISAKMP-peer>
Default= client

[Phase 2]
# Passive-connections= <IPsec connection>
Passive-connections= client-netB

# <ISAKMP-peer>
[client]
Phase= 1
Transport= udp
# Configuration= <ISAKMP-configuration>
Configuration= Default-main-mode
Authentication= sharedsecret

# <IPsec connection>
[client-netB]
Phase= 2
ISAKMP-peer= client
# Configuration= <IPsec-configuration>
Configuration= Default-quick-mode
# Local-ID= <IPsec-ID>
Local-ID= netB
# Remote-ID= <IPsec-ID>
Remote-ID= client

# <IPsec-ID>
[client]
ID-type= IPV4_ADDR
Address= 10.107.208.20

# <IPsec-ID>
[netB]
ID-type= IPV4_ADDR_SUBNET
Network= 10.180.0.0
Netmask= 255.255.0.0

# <ISAKMP-configuration>
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
# Transforms= <ISAKMP-transform>
Transforms= AES-SHA,3DES-SHA

# <IPsec-configuration>
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
# Suites= <IPsec-suite>
Suites= QM-ESP-AES-SHA-PFS-SUITE,QM-ESP-3DES-SHA-PFS-SUITE

*** isakmpd.policy

# cat isakmpd.policy
Keynote-version: 2
Authorizer: "POLICY"
Licensees: "passphrase:sharedsecret"
Conditions: esp_present == "yes" && esp_enc_alg != "null" -> "true";
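
Added example (not part of the original post): a Python sketch that joins the tcpdump decode and the isakmpd debug log on msgid, SPI and time of day, to show which log event each DELETE notification follows. The sample lines are copied from the output above with each capture record on one line; the function names and the one-second window are assumptions of this example.

```python
import re

# Constructed sample: lines copied from the isakmpd debug log and the tcpdump
# decode in the post above (each capture record joined onto one line).
ISAKMPD_LOG = """\
201424.119271 Sdep 10 pf_key_v2_set_spi: satype 2 dst 10.107.208.20 SPI 0xbb351f90
201424.121373 Sdep 10 pf_key_v2_set_spi: satype 2 dst 10.107.208.1 SPI 0xa3ee9768
^C201506.955032 Default isakmpd: shutting down...
201506.955463 Exch 10 exchange_establish_p2: msgid 8c2a671f sa_list
201506.957487 Exch 10 exchange_establish_p2: msgid b81113d3 sa_list
"""
CAPTURE = """\
20:14:24.117160 10.107.208.20.isakmp > 10.107.208.1.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 44aa1cd7 len: 52 payload: HASH len: 24 [ttl 0] (id 1, len 80)
20:15:06.955703 10.107.208.1.isakmp > 10.107.208.20.isakmp: [udp sum ok] isakmp v1.0 exchange INFO cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: 8c2a671f len: 68 payload: HASH len: 24 payload: DELETE len: 16 DOI: 1(IPSEC) proto: IPSEC_ESP nspis: 1 SPI: 0xa3ee9768 [ttl 0] (id 1, len 96)
20:15:06.958120 10.107.208.1.isakmp > 10.107.208.20.isakmp: [udp sum ok] isakmp v1.0 exchange INFO cookie: 5ad2b89593ca41af->acd59e7bdeb12259 msgid: b81113d3 len: 80 payload: HASH len: 24 payload: DELETE len: 28 DOI: 1(IPSEC) proto: ISAKMP nspis: 1 cookie: 5ad2b89593ca41af->acd59e7bdeb12259 [ttl 0] (id 1, len 108)
"""

LOG_RE = re.compile(r"^(?:\^C)?(\d\d)(\d\d)(\d\d)\.(\d{6}) (\S+) (?:\d+ )?(.*)$")
PKT_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) (\S+)\.isakmp > \S+ .*?"
                    r"exchange (\S+) .*?msgid: ([0-9a-f]{8})")
DEL_RE = re.compile(r"payload: DELETE len: \d+ DOI: \S+ proto: (\S+) nspis: \d+ "
                    r"(?:SPI: (0x[0-9a-f]+)|cookie: (\S+))")


def usec(h, m, s, us):
    """Microseconds since midnight, so both timestamp formats compare exactly."""
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1_000_000 + int(us)


def parse_log(text):
    """Return (time_usec, class, message) for every isakmpd debug line."""
    return [(usec(*m.groups()[:4]), m.group(5), m.group(6))
            for m in map(LOG_RE.match, text.splitlines()) if m]


def explain_deletes(log_text, capture_text, window_usec=1_000_000):
    """For each DELETE in the capture, find the log events that account for it."""
    log = parse_log(log_text)
    sa_dst = {}  # SPI -> destination address, taken from pf_key_v2_set_spi lines
    for _, _, msg in log:
        m = re.search(r"pf_key_v2_set_spi: .*dst (\S+) SPI (0x[0-9a-f]+)", msg)
        if m:
            sa_dst[m.group(2)] = m.group(1)
    shutdowns = [t for t, _, msg in log if "shutting down" in msg]
    results = []
    for line in capture_text.splitlines():
        pkt, dele = PKT_RE.match(line), DEL_RE.search(line)
        if not (pkt and dele):
            continue  # only packets that carry a DELETE payload are of interest
        t = usec(*pkt.groups()[:4])
        prior = [s for s in shutdowns if 0 <= t - s <= window_usec]
        msgid = pkt.group(7)
        results.append({
            "sender": pkt.group(5), "msgid": msgid, "proto": dele.group(1),
            "spi": dele.group(2), "sa_dst": sa_dst.get(dele.group(2)),
            "msgid_in_log": any(f"msgid {msgid}" in msg for _, _, msg in log),
            "usec_after_shutdown": t - max(prior) if prior else None,
        })
    return results


if __name__ == "__main__":
    for r in explain_deletes(ISAKMPD_LOG, CAPTURE):
        print(r)
```

On the sample, both DELETEs are sent by 10.107.208.1 with msgids that appear in the log after the `isakmpd: shutting down...` line, 671 and 3088 microseconds after it; the ESP one names SPI 0xa3ee9768, the SA whose destination is 10.107.208.1.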