Troubleshooting VPN in IOS

HA scenarios
Edinson Ramirez M
TL CO VPN
Agenda
• HSRP Review (includes configuration and verification) - 40 minutes
• IPSEC stateful failover (includes configuration and verification) - 20 minutes
• Troubleshooting IPSEC SSO - 45 minutes
HSRP Review
• Hot Standby Router Protocol
• When HSRP is configured on a network or segment, it provides a virtual
Media Access Control (MAC) address and an IP address that is shared
among a group of configured routers.
• Cisco Proprietary
• Two roles: Active and Standby
• HSRP router with highest priority is considered “Active”.
• Default priority = 100
• MAC address: 0000.0c07.acxx, where xx is the group number in hexadecimal
• Preemption disabled by default
HSRP Versions
• HSRPv1—Version 1 of the HSRP, the default version of HSRP. It has these
features:
– The HSRP group number can be from 0 to 255.
– HSRPv1 uses the multicast address 224.0.0.2 (UDP port 1985) to send hello
packets.
• HSRPv2—Version 2 of the HSRP has these features:
– To match the HSRP group number to the VLAN ID of a subinterface,
HSRPv2 can use a group number from 0 to 4095 and a MAC address from
0000.0C9F.F000 to 0000.0C9F.FFFF.
– HSRPv2 uses the multicast address 224.0.0.102 to send hello packets.

HSRPv2 has a different packet format than HSRPv1. They are not interoperable.
HSRP Packet format

OP Code: The Op Code describes the type of message that the packet contains. Possible values are: 0 - hello, 1 -
coup, and 2 - resign.
Hello: Hello messages are sent to indicate that a router runs HSRP and is able to become the active router.
Coup: Coup messages are sent when a router wishes to become the active router.
Resign: Resign messages are sent when a router no longer wishes to be the active router.

State: The State field carries the sender's current HSRP state. Possible values are: 0 - initial, 1 - learn, 2 - listen, 4 - speak, 8 - standby, and 16 - active.
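The slide lists the op code and state values but not the field layout around them. The decoder below is an added example, not part of the original deck: it parses the HSRPv1 body as RFC 2281 lays it out (version, op code, state, hello time, hold time, priority, group, reserved, 8 bytes of authentication data, virtual IP), derives the group's virtual MAC, and flags hello/coup messages that claim a higher priority than any legitimately configured router. The sample packets are constructed.

```python
import ipaddress
import struct

# HSRPv1 body carried in UDP port 1985 (RFC 2281): version, op code, state,
# hello time, hold time, priority, group, reserved, 8-byte auth data, 4-byte virtual IP.
HSRP_V1_FORMAT = "!BBBBBBBB8s4s"
HSRP_V1_LEN = struct.calcsize(HSRP_V1_FORMAT)  # 20 bytes

OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}


def virtual_mac(group: int, version: int = 1) -> str:
    """Virtual MAC used by an HSRP group: 0000.0c07.acXX (v1) or 0000.0c9f.fXXX (v2)."""
    if version == 1 and 0 <= group <= 255:
        return f"0000.0c07.ac{group:02x}"
    if version == 2 and 0 <= group <= 4095:
        return f"0000.0c9f.f{group:03x}"
    raise ValueError(f"group {group} is out of range for HSRPv{version}")


def parse_hsrp_v1(payload: bytes) -> dict:
    """Decode one HSRPv1 message; raises ValueError on truncated or unknown input."""
    if len(payload) < HSRP_V1_LEN:
        raise ValueError(f"HSRPv1 body is {HSRP_V1_LEN} bytes, got {len(payload)}")
    (version, opcode, state, hello, hold, priority, group, _reserved,
     auth, vip) = struct.unpack(HSRP_V1_FORMAT, payload[:HSRP_V1_LEN])
    if version != 0:  # the version field of HSRPv1 is 0
        raise ValueError(f"not an HSRPv1 message (version field {version})")
    if opcode not in OPCODES or state not in STATES:
        raise ValueError(f"unknown op code {opcode} or state {state}")
    return {
        "opcode": OPCODES[opcode],
        "state": STATES[state],
        "hello_time": hello,
        "hold_time": hold,
        "priority": priority,
        "group": group,
        # plain-text authentication: the password travels as-is, NUL padded to 8 bytes
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
        "virtual_ip": str(ipaddress.IPv4Address(vip)),
        "virtual_mac": virtual_mac(group, 1),
    }


def takeover_attempts(messages: list, configured_max_priority: int) -> list:
    """Hello or coup messages claiming more priority than any legitimately configured
    router: a simple check for an unexpected speaker in the group."""
    return [m for m in messages
            if m["opcode"] in ("hello", "coup") and m["priority"] > configured_max_priority]


def _build(opcode: int, state: int, priority: int) -> bytes:
    """Constructed sample: group 1, 3 s hello / 10 s hold, password 'cisco', VIP 10.1.1.1."""
    return (bytes([0, opcode, state, 3, 10, priority, 1, 0])
            + b"cisco".ljust(8, b"\x00") + bytes([10, 1, 1, 1]))


SAMPLE_HELLO = _build(0, 16, 110)   # hello from the active router, priority 110
SAMPLE_COUP = _build(1, 4, 255)     # coup from a speaking router claiming priority 255
```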
HSRP Router Communication
- Routers that run HSRP communicate HSRP information between each other
through HSRP hello packets.
- These packets are sent to the destination IP multicast address 224.0.0.2 on
User Datagram Protocol (UDP) port 1985 (HSRPv1).
- IP multicast address 224.0.0.2 is a reserved multicast address that is used
to communicate to all routers.
- The active router sources hello packets from its configured IP address and
the HSRP virtual MAC address. The standby router sources hellos from its
configured IP address and the burned-in MAC address (BIA).
- This use of source addressing is necessary so that HSRP routers can
correctly identify each other.
HSRP Router Communication

Virtual IP: 10.1.1.1    Virtual MAC: 0000.0c07.ac01
Router A's BIA: 4000.0000.0010
Router B's BIA: 4000.0000.0020
PC1 MAC: 0000.0c00.0001
PC2 MAC: 0000.0c00.1110

Packet Flow      SRC MAC          DST MAC          SRC IP      DST IP
Hello Act-Stb    0000.0c07.ac01   4000.0000.0020   10.1.1.2    224.0.0.2
Hello Stb-Act    4000.0000.0020   4000.0000.0010   10.1.1.3    224.0.0.2
Ping PC1-PC2     0000.0c00.0001   0000.0c07.ac01   10.1.1.10   10.1.2.10
Ping PC1-Act     0000.0c00.0001   4000.0000.0010   10.1.1.10   10.1.1.2

HSRP States
• Initial: The beginning state. The initial state indicates that HSRP does not run. This state is entered
via a configuration change or when an interface first comes up.
• Learn: The router has not determined the virtual IP address and has not yet seen an
authenticated hello message from the active router. In this state, the router still waits to hear
from the active router.
• Listen: The router knows the virtual IP address, but the router is neither the active router nor the
standby router. It listens for hello messages from those routers.
• Speak: The router sends periodic hello messages and actively participates in the election of the
active or standby router. A router cannot enter speak state unless the router has the virtual IP
address.
• Standby: The router is a candidate to become the next active router and sends periodic hello
messages. With the exclusion of transient conditions, there is, at most, one router in the group in
standby state.
• Active: The router currently forwards packets that are sent to the group virtual MAC address. The
router sends periodic hello messages. With the exclusion of transient conditions, there is, at
most, one router in the active state in the group.
HSRP Hello Timers
• The Hello Time is the interval between successive HSRP hello messages from
a given router
• Default Hello Timer = 3s
• The Hold Time is the interval between the receipt of a hello message and the presumption that
the sending router has failed
• Default Hold Timer = 10s (or 3x Hello)
HSRP Preemption
• An HSRP-enabled router with preempt configured attempts to
assume control as the active router when its Hot Standby priority is
higher than the current active router.
• The standby preempt command is needed when you want a state change of a
tracked interface to cause a standby router to take over from the active router.
HSRP Authentication
• Authentication supported
• Plain text
• MD5
• Plain-text configuration
Sw1(config-if)#standby <group-id> authentication <password>
• MD5 configuration (key string)
Sw1(config-if)#standby <group-id> authentication md5 key-string [0|7] string
• MD5 configuration (key chain)
Sw1(config)#key chain HSRP
Sw1(config-keychain)#key 1
Sw1(config-keychain-key)#key-string cisco
Sw1(config-if)#standby <group-id> authentication md5 key-chain HSRP
HSRP Object Tracking
• HSRP can track objects (typically interfaces)
• If tracked object fails, HSRP priority is reduced by configurable amount
(default=10)
• First, create a “track object” globally
Router-1(config)#track 1 ?
application Application
interface Select an interface to track
ip IP protocol
ipv6 IPv6 protocol
list Group objects in a list
stub-object Stub tracking object
• Then apply it to the group: Router-1(config-if)#standby <group> track <object#> [decrement value]
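An added model of the election rules from the HSRP sections above (not from the original deck): highest priority wins, a higher IP address breaks ties as RFC 2281 specifies, a failed tracked object subtracts the configured decrement, and only a router with preempt enabled can displace a running active router. The router names, addresses and the Ethernet1/0 track are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class HsrpRouter:
    name: str
    ip: str                                        # configured interface address
    priority: int = 100                            # HSRP default priority
    preempt: bool = False                          # preemption is disabled by default
    tracks: dict = field(default_factory=dict)     # tracked object -> decrement (default 10)
    down: set = field(default_factory=set)         # tracked objects that have failed

    def effective_priority(self) -> int:
        return self.priority - sum(d for obj, d in self.tracks.items() if obj in self.down)


def rank_key(r: HsrpRouter) -> tuple:
    """RFC 2281 comparison: higher priority wins, equal priority goes to the higher IP."""
    return (r.effective_priority(), int(ipaddress.IPv4Address(r.ip)))


def elect(routers: list) -> tuple:
    """Fresh election (no active router yet): returns (active, standby) names."""
    ordered = sorted(routers, key=rank_key, reverse=True)
    return ordered[0].name, (ordered[1].name if len(ordered) > 1 else None)


def reevaluate(active: str, routers: list) -> tuple:
    """After a priority change or failure: the active router keeps its role unless it
    disappeared or a router with preempt enabled now outranks it. A tracking decrement
    without preempt therefore never moves the active role."""
    alive = {r.name: r for r in routers}
    if active not in alive:                        # hold timer expired on the active router
        return elect(routers)
    if any(r.preempt and rank_key(r) > rank_key(alive[active])
           for r in routers if r.name != active):
        return elect(routers)
    standby = elect([r for r in routers if r.name != active])[0] if len(routers) > 1 else None
    return active, standby


def tracked_interface_failure(preempt_on_r2: bool, decrement: int) -> tuple:
    """Constructed scenario: R1 (priority 110) tracks Ethernet1/0, R2 keeps the default 100.
    Returns (active before the failure, active after Ethernet1/0 on R1 goes down)."""
    r1 = HsrpRouter("R1", "10.1.1.2", priority=110, tracks={"Ethernet1/0": decrement})
    r2 = HsrpRouter("R2", "10.1.1.3", preempt=preempt_on_r2)
    before, _ = elect([r1, r2])
    r1.down.add("Ethernet1/0")
    after, _ = reevaluate(before, [r1, r2])
    return before, after
```

The decrement has to close the priority gap: with the default of 10 the routers tie at 100 and R2 only wins on its higher address, and a decrement of 5 leaves R1 active even with preempt on R2.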
IPSEC stateful failover: Overview
• IPSec Stateful Failover (VPN High Availability) is a feature that enables
a router to continue processing and forwarding packets after a
planned or unplanned outage.
• Benefits:
• Any transition from an active router to a standby router is transparent to
peers, and requires no remote peer adjustment or reconfiguration.
• Utilizing IPSec Stateful Failover (VPN High Availability) does not appreciably
affect overall router performance.
• Businesses employing IPSec Stateful Failover (VPN High Availability) are 100%
redundant with regard to IPSec VPN traffic.
IPSEC stateful failover: Overview
• Restrictions
• Both the active and standby devices must run the identical version of the Cisco IOS
software, and both the active and standby devices must be connected via a hub or
switch.
• IPsec idle timers are not supported when used with stateful failover.
• Requires that IKE keepalives must not be used; enabling this feature will cause the
connection to be torn down after the standby router assumes ownership control.
• Supports keepalives only with dead peer detection (DPD).
• Requires that priority values are equal on both active and standby routers for IP
redundancy. The IP addresses on the HSRP-tracked interfaces of the standby and
active routers should both be either lower or higher on one router than the other.
• Requires that active and standby routers be connected to an Ethernet interface.
• Does not support PKI certificates.
SSP
• SSP stands for State Synchronization Protocol. It is a platform-specific
feature (only supported on 7200 routers) and only works on specific
IOS releases: 12.2(14)SU2, 12.2(14)SU1, 12.2(14)SU, 12.2(11)YX1, or
Cisco IOS Release 12.2(11)YX.
• It is set up by issuing the ssp group <Group> command in global
configuration mode. Then you include ISAKMP/IPsec in the SSP process
by issuing:
• crypto isakmp ssp <Group>
• crypto map <name> ha replay-interval inbound <> outbound <>
IPSEC stateful failover with SSP
The information that the active router transmits to the standby router includes:
• IKE cookies stamp
• Session keys
• Cisco Service Assurance (SA) Agent attributes
• Sequence number counter and window state
• Kilobyte (KB) lifetime expirations
• Dead peer detection (DPD) sequence number updates

SSO won't share this information between peers.

Note: Each time an active device relinquishes control to become the standby device,
the active device will reload. This functionality ensures that the state of the new
standby device synchronizes correctly with the new active device.
IPSEC stateful failover with SSO configuration
tasks
1. Enable HSRP
2. Enable SSO (stateful switch over)
2.1 Enable the inter-device redundancy protocol
2.2 Define Inter-process Communication (IPC) association
2.3 Define the local and remote end points of the SCTP connection
3. Copy the same config in the standby router
4. Reload both devices
5. Enable stateful failover for IPSEC
HSRP Configuration for IPSEC stateful failover

interface Ethernet0/0
 ip address 209.165.201.1 255.255.255.224
 standby 1 ip 209.165.201.3
 standby 1 preempt
 standby 1 name HA-out
 standby 1 timers 1 5
 standby 1 track Ethernet1/0
 standby delay reload 120

Note (timers): For the best stability, it is recommended that you set the hold time
between 5 and 10 times the hello interval; otherwise, a failover could falsely occur when
no actual failure has happened.
Note (track): Ethernet1/0 is the private (inside) interface being tracked.
Note (delay reload): It is suggested to leave the min-delay argument at the preconfigured default value.
Stateful Switch Over
• SSO is a method of providing redundancy and synchronization for many Cisco IOS applications and features. SSO is
necessary for IPsec and IKE to learn about the redundancy state of the network and to synchronize their internal
application state with their redundant peers.
• We enable the inter-device redundancy protocol

redundancy inter-device
scheme standby <standby group name>
exit

Upon configuring inter-device redundancy, you may receive this notice on one of the routers:

% Standby scheme configuration cannot be processed now group BRANCH-5-TUNNEL is not in active state

This simply indicates that this is the standby HSRP router. The router will need to be reloaded before the redundancy
scheme configuration can take effect.
Stateful SwitchOver
• We define an Inter-process Communication (IPC) association. We will start by
creating a new association to define the redundancy relationship between R1 and
R2:

ipc zone default
 association <association-ID>    ! Valid numbers are 1 through 255
Stateful SwitchOver
Stream Control Transmission Protocol is used to synchronize state across the routers. We complete the SSO
configuration by defining the local and remote end points of the SCTP connection. The physical address of the
HSRP interface on each router will be used, but the port number is arbitrary (so long as R1's local port matches
R2's remote port and vice versa).
protocol sctp
 local-port local-port-number                              ! Valid numbers are 1-65535. There is no default port; it must match the remote-port on the peer.
  local-ip device-real-ip-address [device-real-ip-address2] ! This IP must match the remote-ip in the peer router.
  retransmit-timeout retran-min [msec] retran-max [msec]    ! Interval in msec it will wait to retransmit data. Suggested 300-10000
  path-retransmit max-path-retries                          ! Number of retransmissions before failing a path within an association. Suggested 10
  assoc-retransmit max-association-retries                  ! Number of retransmissions before failing an association. Suggested 10
 exit
 remote-port remote-port-number
  remote-ip peer-real-ip-address [peer-real-ip-address2]
 no shutdown
end
Enabling Stateful Failover for IPsec

For crypto maps:
1. enable
2. configure terminal
3. interface type number
4. crypto map map-name [redundancy standby-group-name [stateful]]
5. end

For tunnel protection:
1. enable
2. configure terminal
3. crypto ipsec profile name
4. redundancy standby-group-name stateful
5. exit
6. interface tunnel number
7. tunnel protection ipsec profile name
8. tunnel source virtual-ip-address
9. end

Note: No configuration is needed to enable failover for IKE.
Configuration Templates (HSRP-1)

!
hostname HSRP-1
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 200.200.200.1
    retransmit-timeout 300 10000
    path-retransmit 10
    assoc-retransmit 10
   remote-port 5000
    remote-ip 200.200.200.2
!
redundancy inter-device
 scheme standby HQ-WAN
!
track 1 interface Ethernet0/0 line-protocol
!
track 2 interface Ethernet0/1 line-protocol
!
crypto keyring tunnel-to-site-2
  pre-shared-key address 50.50.50.2 key cisco
crypto keyring tunnel-to-site-3
  pre-shared-key address 100.100.100.2 key cisco
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 5
 lifetime 600
crypto isakmp profile Tunnel-to-Site2
   keyring tunnel-to-site-2
   self-identity address
   match identity address 50.50.50.2 255.255.255.255
crypto isakmp profile Tunnel-to-Site3
   keyring tunnel-to-site-3
   self-identity address
   match identity address 100.100.100.2 255.255.255.255
!
crypto ipsec transform-set ESP-AES256-SHA-256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map mymap local-address Ethernet0/0
crypto map mymap 1 ipsec-isakmp
 set peer 50.50.50.2
 set transform-set ESP-AES256-SHA-256
 set isakmp-profile Tunnel-to-Site2
 match address Tunnel-To-Site2
crypto map mymap 2 ipsec-isakmp
 set peer 100.100.100.2
 set transform-set ESP-AES256-SHA-256
 match address Tunnel-To-Site3
!
interface Ethernet0/0
 description WAN
 ip address 200.200.200.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 standby 0 timers 5 20
 standby 1 ip 200.200.200.254
 standby 1 preempt
 standby 1 authentication md5 key-string cisco
 standby 1 name HQ-WAN
 standby 1 track 2 decrement 10
 crypto map mymap redundancy HQ-WAN stateful
!
interface Ethernet0/1
 description LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 standby 0 ip 10.0.0.254
 standby 0 timers 5 20
 standby 0 preempt
 standby 0 authentication md5 key-string cisco
 standby 0 name HQ-LAN
 standby 0 track 1 decrement 10
!
ip access-list extended Tunnel-To-Site2
 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
ip access-list extended Tunnel-To-Site3
 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
!
end


Configuration Templates (HSRP-2)

!
hostname HSRP-2
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 200.200.200.2
    retransmit-timeout 300 10000
    path-retransmit 10
    assoc-retransmit 10
   remote-port 5000
    remote-ip 200.200.200.1
!
redundancy inter-device
 scheme standby HQ-WAN
!
track 1 interface Ethernet0/0 line-protocol
!
track 2 interface Ethernet0/1 line-protocol
!
crypto keyring tunnel-to-site-2
  pre-shared-key address 50.50.50.2 key cisco
crypto keyring tunnel-to-site-3
  pre-shared-key address 100.100.100.2 key cisco
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 5
 lifetime 600
crypto isakmp invalid-spi-recovery
crypto isakmp profile Tunnel-to-Site2
   keyring tunnel-to-site-2
   self-identity address
   match identity address 50.50.50.2 255.255.255.255
crypto isakmp profile Tunnel-to-Site3
   keyring tunnel-to-site-3
   self-identity address
   match identity address 100.100.100.2 255.255.255.255
!
crypto ipsec transform-set ESP-AES256-SHA-256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map mymap 1 ipsec-isakmp
 set peer 50.50.50.2
 set transform-set ESP-AES256-SHA-256
 set isakmp-profile Tunnel-to-Site2
 match address Tunnel-To-Site2
crypto map mymap 2 ipsec-isakmp
 set peer 100.100.100.2
 set transform-set ESP-AES256-SHA-256
 match address Tunnel-To-Site3
!
interface Ethernet0/0
 description WAN
 ip address 200.200.200.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 standby 0 timers 5 20
 standby 1 ip 200.200.200.254
 standby 1 preempt
 standby 1 authentication md5 key-string cisco
 standby 1 name HQ-WAN
 standby 1 track 2 decrement 10
 crypto map mymap redundancy HQ-WAN stateful
!
interface Ethernet0/1
 description LAN
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 standby 0 ip 10.0.0.254
 standby 0 timers 5 20
 standby 0 preempt
 standby 0 authentication md5 key-string cisco
 standby 0 name HQ-LAN
 standby 0 track 1 decrement 10
!
ip access-list extended Tunnel-To-Site2
 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
ip access-list extended Tunnel-To-Site3
 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
!
end


Troubleshooting Commands

1. show redundancy [states | inter-device]: After the two devices have negotiated with each other, one device
should show an "ACTIVE" state and the other device should show a "STANDBY HOT" state.
2. show standby / show standby brief
3. show crypto isakmp sa / clear crypto isakmp <C-id>
4. show crypto ipsec sa | include ident|encaps|decaps|spi / clear crypto sa spi <peer ip> esp <spi to clear>
5. show crypto session detail / clear crypto session remote <peer ip>
Demo
• To access the demo follow these steps:
1. Access 10.168.109.45 from a browser (Mozilla Firefox is recommended)
2. Enter Username: VPNtrainee / Password: VPN123
3. Browse the folder vpn-training and open the lab: Training_HA_IOS
4. Let Firefox use PuTTY to open the console after double-clicking on the device's icon.
5. The DGs act as DHCP servers for the clients and servers. On those devices just type ip dhcp to
get an available IP.
Topology
Troubleshooting Case
Issue #1: Site-to-site tunnel can be initiated from the remote location but not from
HQ. There is no tunnel established yet.
Symptoms: Tunnel won't come up.

Configuration on HSRP-1:
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 5
 lifetime 600
crypto isakmp key cisco address 50.50.50.2
crypto ipsec transform-set ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map mymap 1 ipsec-isakmp
 set peer 50.50.50.2
 set transform-set ESP-AES256-SHA256
 match address tunnel-to-site2
crypto map mymap          ! applied under the interface

Configuration on Site2:
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 5
 lifetime 600
crypto isakmp key cisco address 200.200.200.254
crypto ipsec transform-set ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map mymap 1 ipsec-isakmp
 set peer 200.200.200.254
 set transform-set ESP-AES256-SHA256
 match address tunnel-to-HQ
crypto map mymap          ! applied under the interface
Issue #1: Client wants to ping Server 1. There is no tunnel established yet.
Symptoms: Tunnel won't come up.

Debug crypto isakmp on HSRP-1 (initiator):
HSRP-1#
*May 11 13:33:21.424: ISAKMP:(0): SA request profile is (NULL)
*May 11 13:33:21.424: ISAKMP: Created a peer struct for 50.50.50.2, peer port 500
*May 11 13:33:21.424: ISAKMP: New peer created peer = 0xC30A3F68 peer_handle = 0x80000004
*May 11 13:33:21.424: ISAKMP: Locking peer struct 0xC30A3F68, refcount 1 for isakmp_initiator
*May 11 13:33:21.424: ISAKMP: local port 500, remote port 500
*May 11 13:33:21.424: ISAKMP: set new node 0 to QM_IDLE
*May 11 13:33:21.424: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = C38DCBF0
*May 11 13:33:21.424: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*May 11 13:33:21.424: ISAKMP:(0):found peer pre-shared key matching 50.50.50.2
*May 11 13:33:21.424: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*May 11 13:33:21.424: ISAKMP:(0): constructed NAT-T vendor-07 ID
*May 11 13:33:21.424: ISAKMP:(0): constructed NAT-T vendor-03 ID
*May 11 13:33:21.424: ISAKMP:(0): constructed NAT-T vendor-02 ID
*May 11 13:33:21.424: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*May 11 13:33:21.424: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*May 11 13:33:21.424: ISAKMP:(0): beginning Main Mode exchange
*May 11 13:33:21.424: ISAKMP:(0): sending packet to 50.50.50.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 11 13:33:21.424: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 11 13:33:21.435: ISAKMP (0): received packet from 50.50.50.2 dport 500 sport 500 Global (I) MM_NO_STATE
*May 11 13:33:21.435: ISAKMP:(0):Notify has no hash. Rejected.

Debug crypto isakmp on Site2 (responder):
*May 11 13:33:21.430: ISAKMP:(0): processing vendor id payload
*May 11 13:33:21.430: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*May 11 13:33:21.430: ISAKMP:(0): vendor ID is NAT-T v2
*May 11 13:33:21.430: ISAKMP:(0):No pre-shared key with 200.200.200.1!
*May 11 13:33:21.430: ISAKMP : Scanning profiles for xauth ...
*May 11 13:33:21.430: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*May 11 13:33:21.430: ISAKMP: encryption AES-CBC
*May 11 13:33:21.430: ISAKMP: keylength of 256
*May 11 13:33:21.430: ISAKMP: hash SHA256
*May 11 13:33:21.430: ISAKMP: default group 5
*May 11 13:33:21.430: ISAKMP: auth pre-share
*May 11 13:33:21.430: ISAKMP: life type in seconds
*May 11 13:33:21.430: ISAKMP: life duration (basic) of 600
*May 11 13:33:21.430: ISAKMP:(0):Preshared authentication offered but does not match policy!
*May 11 13:33:21.430: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 11 13:33:21.430: ISAKMP:(0):no offers accepted!
*May 11 13:33:21.430: ISAKMP:(0): phase 1 SA policy not acceptable! (local 50.50.50.2 remote 200.200.200.1)
*May 11 13:33:21.430: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*May 11 13:33:21.430: ISAKMP:(0): Failed to construct AG informational message.
*May 11 13:33:21.430: ISAKMP:(0): sending packet to 200.200.200.1 my_port 500 peer_port 500 (R) MM_NO_STATE
*May 11 13:33:21.430: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 11 13:33:21.430: ISAKMP:(0):peer does not do paranoid keepalives.
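The Site2 debug shows the responder rejecting the exchange with "No pre-shared key with 200.200.200.1!" while its key is configured for 200.200.200.254, the HSRP virtual address. The triage below is an added example, not from the deck: it pulls the addresses and failure lines out of a constructed excerpt of that debug and reports the key/address mismatch as the root cause, since the policy-mismatch lines follow the failed key lookup; the remediation note draws on the crypto map local-address and tunnel source virtual-ip-address settings shown in the templates above.

```python
import re

# Constructed excerpt of the Site2 (responder) debug shown above.
SITE2_DEBUG = """\
*May 11 13:33:21.430: ISAKMP:(0): processing vendor id payload
*May 11 13:33:21.430: ISAKMP:(0):No pre-shared key with 200.200.200.1!
*May 11 13:33:21.430: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*May 11 13:33:21.430: ISAKMP:(0):Preshared authentication offered but does not match policy!
*May 11 13:33:21.430: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 11 13:33:21.430: ISAKMP:(0): phase 1 SA policy not acceptable! (local 50.50.50.2 remote 200.200.200.1)
"""
# Peers Site2 holds a pre-shared key for ('crypto isakmp key cisco address 200.200.200.254').
SITE2_KEY_PEERS = {"200.200.200.254"}

PATTERNS = {
    "psk_missing": re.compile(r"No pre-shared key with (\S+)!"),
    "auth_mismatch": re.compile(r"Preshared authentication offered but does not match policy"),
    "policy_rejected": re.compile(r"phase 1 SA policy not acceptable! \(local (\S+) remote (\S+)\)"),
    "atts_accepted": re.compile(r"atts are acceptable"),
}


def scan(debug_text: str) -> dict:
    """Map each recognised ISAKMP event to its captured groups; the first hit wins."""
    events = {}
    for line in debug_text.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m and name not in events:
                events[name] = m.groups()
    return events


def triage(debug_text: str, key_peers: set) -> dict:
    """Classify a phase 1 failure seen on the responder side."""
    events = scan(debug_text)
    if "psk_missing" in events:
        # The key lookup fails before the proposal is checked, so the later
        # 'does not match policy' line is a consequence, not the cause.
        seen = events["psk_missing"][0]
        verdict = {"root_cause": "psk_missing", "peer_seen": seen, "keys_for": sorted(key_peers)}
        if seen not in key_peers:
            verdict["note"] = (f"IKE arrived from {seen} but keys exist only for {sorted(key_peers)}; "
                               "with HSRP the initiator should source IKE from the virtual address "
                               "(crypto map local-address / tunnel source virtual-ip-address), "
                               "or the key must cover the address actually used")
        return verdict
    if "policy_rejected" in events or "auth_mismatch" in events:
        return {"root_cause": "policy_mismatch",
                "note": "compare the crypto isakmp policy on both peers"}
    if "atts_accepted" in events:
        return {"root_cause": None,
                "note": "phase 1 proposal accepted; check phase 2 with show crypto ipsec sa"}
    return {"root_cause": "unknown"}
```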


Issue #1: Server1 wants to ping Client.
Symptoms: IKE will come up successfully but IPSEC will fail without specific error.

Debug crypto isakmp on HSRP-1 (responder):
HSRP-1#
*May 11 13:59:11.568: ISAKMP (0): received packet from 50.50.50.2 dport 500 sport 500 Global (N) NEW SA
*May 11 13:59:11.568: ISAKMP: Created a peer struct for 50.50.50.2, peer port 500
*May 11 13:59:11.568: ISAKMP: New peer created peer = 0xC4CA8750 peer_handle = 0x80000005
*May 11 13:59:11.568: ISAKMP:(0):found peer pre-shared key matching 50.50.50.2
*May 11 13:59:11.568: ISAKMP:(0): local preshared key found
*May 11 13:59:11.568: ISAKMP : Scanning profiles for xauth ...
*May 11 13:59:11.568: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*May 11 13:59:11.568: ISAKMP: encryption AES-CBC
*May 11 13:59:11.568: ISAKMP: keylength of 256
*May 11 13:59:11.568: ISAKMP: hash SHA256
*May 11 13:59:11.568: ISAKMP: default group 5
*May 11 13:59:11.568: ISAKMP: auth pre-share
*May 11 13:59:11.568: ISAKMP: life type in seconds
*May 11 13:59:11.568: ISAKMP: life duration (basic) of 600
*May 11 13:59:11.568: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 11 13:59:11.568: ISAKMP:(0):Acceptable atts:actual life: 600
*May 11 13:59:11.568: ISAKMP:(0):Acceptable atts:life: 0
*May 11 13:59:11.568: ISAKMP:(0):Basic life_in_seconds:600
*May 11 13:59:11.568: ISAKMP:(0):Returning Actual lifetime: 600
*May 11 13:59:11.568: ISAKMP:(0)::Started lifetime timer: 600.

Debug crypto isakmp on Site2 (initiator):
*May 11 13:59:11.561: ISAKMP:(0): beginning Main Mode exchange
*May 11 13:59:11.561: ISAKMP:(0): sending packet to 200.200.200.254 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 11 13:59:11.561: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 11 13:59:11.573: ISAKMP (0): received packet from 200.200.200.254 dport 500 sport 500 Global (I) MM_NO_STATE
*May 11 13:59:11.573: ISAKMP:(0):found peer pre-shared key matching 200.200.200.254
*May 11 13:59:11.573: ISAKMP:(0): local preshared key found
*May 11 13:59:11.573: ISAKMP : Scanning profiles for xauth ...
*May 11 13:59:11.573: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*May 11 13:59:11.573: ISAKMP: encryption AES-CBC
*May 11 13:59:11.573: ISAKMP: keylength of 256
*May 11 13:59:11.573: ISAKMP: hash SHA256
*May 11 13:59:11.573: ISAKMP: default group 5
*May 11 13:59:11.573: ISAKMP: auth pre-share
*May 11 13:59:11.573: ISAKMP: life type in seconds
*May 11 13:59:11.573: ISAKMP: life duration (basic) of 600
*May 11 13:59:11.573: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 11 13:59:11.573: ISAKMP:(0):Acceptable atts:actual life: 0
*May 11 13:59:11.573: ISAKMP:(0):Acceptable atts:life: 0
*May 11 13:59:11.573: ISAKMP:(0):Basic life_in_seconds:600
*May 11 13:59:11.573: ISAKMP:(0):Returning Actual lifetime: 600
*May 11 13:59:11.573: ISAKMP:(0)::Started lifetime timer: 600.
