Below is a successful negotiation between the two test Sarians. This log is taken from the responder.
Key elements are outlined below in bold to make it easier to see the steps in the communication.
--- 21-4-2008 15:51:01.140 ---
IKE DEBUG (504):IKE context located. Local session ID: 0x504 ---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):Checking packet
---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):Validating payloads --- IKE DEBUG (504):Checking payload (10) Nonce ---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):Checking payload (5) ID ---
--- 21-4-2008 15:51:01.140 ---
IKE DEBUG (504):Checking payload (13) Vendor ID ---
--- 21-4-2008 15:51:01.140 ---
IKE DEBUG (504):Checking payload (13) Vendor ID---
--- 21-4-2008 15:51:01.140 ---
IKE DEBUG (504):Checking payload (13) Vendor ID ---
--- 21-4-2008 15:51:01.140 ---
IKE DEBUG (504):Checking payload (13) Vendor ID ---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):Packet payloads check out OK ---
--- 21-4-2008 15:51:01.140 ---
IKE DEBUG (504):Packet type (4) Agressive mode ---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):IKE role Responder
---
--- 21-4-2008 15:51:01.140 ---
IKE DEBUG (504):Handling aggressive mode packet and SA state is (0) IDLE ---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):Processing SA message ---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):Processing Vendor ID payloads af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 Peer supports our version of DPD
---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):
7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 Peer supports our version of NAT traversal
---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):
90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f Peer supports our version of NAT traversal
--- IKE DEBUG (504):Processing ID payload ---
--- 21-4-2008 15:51:01.140 ---IKE DEBUG (504):Checking next SA payload ---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):Checking SA proposals ---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):Checking proposal number 1 ---
--- 21-4-2008 15:51:01.140 ---
IKE DEBUG (504):Checking transform payloads. Expecting 1 transforms ---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):Transforms payloads OK ---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):Proposal payload OK ---
Attribute 4: DH group description Maths group: 2: DH group 2
Attribute 11: Life type
Life type (1) secs. Expecting life duration attribute next Attribute 12: Life duration
Life duration value 1260 ---
--- 21-4-2008 15:51:01.140 ---
IKE DEBUG (504):Selecting transform from proposal 1 Checking transform attributes
---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):
Checking attribute 1: Encryption algorithm Enc Alg: 5: 3DES
Alg. is supported ---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):
Checking attribute 2: Hash algorithm HASH alg: 1: MD5
Alg. is supported ---
--- 21-4-2008 15:51:01.140 ---
IKE DEBUG (504):Checking attribute 3: Authentication method Auth Method: 1: PRESHARED
Method is supported ---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):
Checking attribute 4: DH group description Maths group: 2: DH group 2
Group is supported ---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):
Checking attribute 11: Life type
Life type (1) secs. Expecting life duration attribute next ---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):
Checking attribute 12: Life duration Life duration value 1260
---
--- 21-4-2008 15:51:01.140 ---
IKE DEBUG (504):Transform 1 has all required attributes ---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):Selected transform
---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):Retrieving password ---
IKE DEBUG (504):Password retrieved for ID initiator ---
--- 21-4-2008 15:51:01.140 ---
IKE DEBUG (504):Requesting DH KE data from DH task ---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):Waiting on data from DH task ---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):IKE aggressive mode result 1 ---
--- 21-4-2008 15:51:01.140 ---IKE DEBUG (504):Requesting DH shared secret from DH task ---
--- 21-4-2008 15:51:01.140 ---
IKE DEBUG (504):Changing IKE SA state from IDLE to Awaiting DH data --- IKE DEBUG (504):Generating SKEYID
---
--- 21-4-2008 15:51:01.320 --- IKE DEBUG (504):Generating SKEYID_d ---
--- 21-4-2008 15:51:01.320 --- IKE DEBUG (504):Generating SKEYID_a ---
--- 21-4-2008 15:51:01.320 --- IKE DEBUG (504):Generating SKEYID_e ---
--- 21-4-2008 15:51:01.320 --- IKE DEBUG (504):Generating key material ---
--- 21-4-2008 15:51:01.320 --- IKE DEBUG (504):IKE key material generated ---
--- 21-4-2008 15:51:01.320 ---
IKE DEBUG (504):Sending aggressive mode SA message ---
Attribute 4: DH group description Maths group: 2: DH group 2
Attribute 11: Life type
Life type (1) secs. Expecting life duration attribute next Attribute 12: Life duration
Life duration value 1260 ---
--- 21-4-2008 15:51:01.330 ---
IKE DEBUG (504):Create HASH using password 0 --- IKE DEBUG (504):Adding NATD payloads ------ 21-4-2008 15:51:01.330 ---
IKE DEBUG: Adding CISCO UNITY Vendor ID payload ---
--- 21-4-2008 15:51:01.330 --- IKE DEBUG (504):Transmit IKE packet ---
--- 21-4-2008 15:51:01.330 ---
IKE DEBUG (504):Transmit to peer 212.183.134.66 ---
IKE DEBUG (504):Changing IKE SA state from Awaiting DH data to PH1 sent KE ---
IKE DEBUG (504):Located SA for existing phase 1 negotiation ---
--- 21-4-2008 15:51:01.710 ---
IKE DEBUG (504):IKE context located. Local session ID: 0x504 ---
--- 21-4-2008 15:51:01.710 --- IKE DEBUG (504):Checking packet
---
--- 21-4-2008 15:51:01.710 --- IKE DEBUG (504):IKE decrypting packet ---
--- 21-4-2008 15:51:01.710 --- IKE DEBUG (504):Validating payloads ---
--- 21-4-2008 15:51:01.710 --- IKE DEBUG (504):Checking payload (8) Hash
------ 21-4-2008 15:51:01.710 --- IKE DEBUG (504):Checking payload (130) NATD ---
--- 21-4-2008 15:51:01.710 --- IKE DEBUG (504):Checking payload (130) NATD ---
--- 21-4-2008 15:51:01.710 --- IKE DEBUG (504):Packet payloads check out OK ---
--- 21-4-2008 15:51:01.710 ---
IKE DEBUG (504):Packet type (4) Agressive mode ---
--- 21-4-2008 15:51:01.710 --- IKE DEBUG (504):IKE role Responder
---
--- 21-4-2008 15:51:01.710 ---
IKE DEBUG (504):Handling aggressive mode packet and SA state is (3) PH1 sent KE
---
--- 21-4-2008 15:51:01.710 ---
IKE DEBUG (504):Processing agressive mode HASH message ---
--- 21-4-2008 15:51:01.710 --- IKE DEBUG (504):Processing NATD payloads ---
IKE DEBUG (504):Verifying phase 1 HASH payload ---
--- 21-4-2008 15:51:01.710 ---
IKE DEBUG (504):Phase 1 agressive mode negotiation completed successfully ---
--- 21-4-2008 15:51:01.710 ---
IKE DEBUG (504):Changing IKE SA state from PH1 sent KE to PH1 complete ---
--- 21-4-2008 15:51:01.710 ---
IKE DEBUG (504):Saving completed phase 1 negotiation local ID: 0x1f8 ---
--- 21-4-2008 15:51:01.710 ---
IKE DEBUG (504):Send IKE lifetime (1200) notification to peer ---
--- 21-4-2008 15:51:01.710 --- IKE DEBUG (504):IKE aggressive mode result 0 ---
--- 21-4-2008 15:51:01.710 --- IKE DEBUG (504):Resetting IKE context 0 ---
--- 21-4-2008 15:51:01.710 ---
IKE DEBUG (504):Retaining completed phase 1 SA local ID: 0x1f8---
--- 21-4-2008 15:51:01.710 ---
IKE DEBUG: IKE request to send LIFETIME notification ---
--- 21-4-2008 15:51:01.710 ---
IKE DEBUG (504):Prepare for new Phase 2 negotiation ---
IKE DEBUG (505):Changing IKE SA state from PH1 complete to PH2 Initial ---
--- 21-4-2008 15:51:01.710 --- IKE DEBUG (505):Encrypting IKE packet ---
--- 21-4-2008 15:51:01.730 ---
IKE DEBUG: send LIFETIME notification lifetime 1200 ---
--- 21-4-2008 15:51:01.730 --- IKE DEBUG (505):Transmit IKE packet ---
--- 21-4-2008 15:51:01.730 ---
IKE DEBUG (505):Transmit to peer 212.183.134.66 ---
IKE DEBUG (505):Resetting IKE context 50 ---
IKE DEBUG (504):Prepare for new Phase 2 negotiation ---
--- 21-4-2008 15:51:01.840 --- IKE DEBUG (506):New phase 2 session ---
--- 21-4-2008 15:51:01.840 ---
IKE DEBUG (506):Changing IKE SA state from PH1 complete to PH2 Initial ---
--- 21-4-2008 15:51:01.840 ---
IKE DEBUG (506):IKE context located. Local session ID: 0x506 ---
--- 21-4-2008 15:51:01.840 --- IKE DEBUG (506):Checking packet
---
--- 21-4-2008 15:51:01.840 --- IKE DEBUG (506):IKE decrypting packet ---
--- 21-4-2008 15:51:01.850 --- IKE DEBUG (506):Validating payloads ---
--- 21-4-2008 15:51:01.850 --- IKE DEBUG (506):Checking payload (8) Hash ---
--- 21-4-2008 15:51:01.850 --- IKE DEBUG (506):Checking payload (1) SA ---
--- 21-4-2008 15:51:01.850 --- IKE DEBUG (506):Checking payload (10) Nonce --- IKE DEBUG (506):Checking payload (11) Notify
------ 21-4-2008 15:51:01.850 --- IKE DEBUG (506):Packet payloads check out OK ---
--- 21-4-2008 15:51:01.850 --- IKE DEBUG (506):Packet type (32) Quick mode ---
--- 21-4-2008 15:51:01.850 --- IKE DEBUG (506):IKE role Responder
---
--- 21-4-2008 15:51:01.850 ---
IKE DEBUG (506):Handling quick mode packet and SA state is (6) PH2 Initial ---
--- 21-4-2008 15:51:01.850 --- IKE DEBUG (506):Process phase 2 SA message ---
--- 21-4-2008 15:51:01.850 --- IKE DEBUG (506):Checking phase 2 HASH payload ---
--- 21-4-2008 15:51:01.850 --- IKE DEBUG (506):HASH payload valid
---
--- 21-4-2008 15:51:01.850 ---
IKE DEBUG (506):Handling NOTIFY payload with message type 24578 ---
--- 21-4-2008 15:51:01.850 --- IKE DEBUG (506):Checking next SA payload ---
--- 21-4-2008 15:51:01.850 --- IKE DEBUG (506):Checking SA proposals ---
--- 21-4-2008 15:51:01.850 --- IKE DEBUG (506):Checking proposal number 1 ---
--- 21-4-2008 15:51:01.850 ---
IKE DEBUG (506):Checking transform payloads. Expecting 1 transforms ---
--- 21-4-2008 15:51:01.850 --- IKE DEBUG (506):Transforms payloads OK ---
--- 21-4-2008 15:51:01.850 --- IKE DEBUG (506):Proposal payload OK --- IPSec Protocol ID 3: ESP ESP Alg: 3: 3DES
Attribute (4) Mode Mode: 61443: ???
Attribute (5) Authentication AlgorithmAuth Alg: 1 MD5
Attribute (1) Life type
Life type (1) secs. Expecting life duration attribute next Attribute (2) Life duration
Life duration value 1200 ---
--- 21-4-2008 15:51:01.850 ---
IKE DEBUG (506):Selecting transform from proposal 1 Select from 1 tranforms IKE DEBUG (506):Checking attribute (4) Mode Mode: 61443: UDP Tunnel
---
--- 21-4-2008 15:51:01.850 ---
IKE DEBUG (506):Checking attribute (5) Authentication Algorithm Auth Alg: 1 MD5
Alg. is supported ---
--- 21-4-2008 15:51:01.850 ---
IKE DEBUG (506):Checking attribute (1) Life type
Life type (1) secs. Expecting life duration attribute next ---
--- 21-4-2008 15:51:01.850 ---
IKE DEBUG (506):Checking attribute (2) Life duration Life duration value 1200
---
--- 21-4-2008 15:51:01.850 ---
IKE DEBUG (506):Transform 1 has all required transform attributes ---
--- 21-4-2008 15:51:01.850 --- IKE DEBUG (506):Getting remote subnet details ID type 4 len 8
Subnet mask is 255.255.255.0 Subnet IP is 10.1.63.0
---
--- 21-4-2008 15:51:01.850 --- IKE DEBUG (506):Getting local subnet details ID type 4 len 8
Subnet mask is 255.255.255.0 Subnet IP is 10.1.89.0
---
--- 21-4-2008 15:51:01.850 ---
IKE DEBUG (506):Locating eroute matching this negotiation ---
--- 21-4-2008 15:51:01.850 ---
IKE DEBUG (506):Located eroute 0 our ID: responder ---
IPSec Protocol ID 3: ESP ESP Alg: 3: 3DESLife type (1) secs. Expecting life duration attribute next Attribute (2) Life duration
Life duration value 1200 ---
--- 21-4-2008 15:51:01.850 --- IKE DEBUG (506):Sending phase 2 SA message ---
--- 21-4-2008 15:51:01.850 ---
IKE DEBUG: Adding SA payload header doi: 1, situation 1 ---
--- 21-4-2008 15:51:01.850 ---
IKE DEBUG (506):Not doing PFS. KE payload not required ---
--- 21-4-2008 15:51:01.850 --- IKE DEBUG (506):Adding remote subnet details ---
--- 21-4-2008 15:51:01.850 ---
IKE DEBUG (506):Adding subnet ID IP: 10.1.63.0 MASK: 255.255.255.0 ---
--- 21-4-2008 15:51:01.850 --- IKE DEBUG (506):Adding local subnet details ---
--- 21-4-2008 15:51:01.850 ---
IKE DEBUG (506):Adding subnet ID IP: 10.1.89.0 MASK: 255.255.255.0 ---
--- 21-4-2008 15:51:01.850 --- IKE DEBUG (506):Encrypting IKE packet ---
--- 21-4-2008 15:51:01.860 --- IKE DEBUG (506):Transmit IKE packet ---
--- 21-4-2008 15:51:01.860 ---
IKE DEBUG (506):Transmit to peer 212.183.134.66
IKE DEBUG (506):Changing IKE SA state from PH2 Initial to PH2 sent SA ---
IKE DEBUG (506):Located SA for existing phase 2 negotiation ---
--- 21-4-2008 15:51:02.030 ---
IKE DEBUG (506):IKE context located. Local session ID: 0x506 ---
--- 21-4-2008 15:51:02.030 --- IKE DEBUG (506):Checking packet
---
--- 21-4-2008 15:51:02.030 --- IKE DEBUG (506):IKE decrypting packet ---
--- 21-4-2008 15:51:02.040 --- IKE DEBUG (506):Validating payloads ---
--- 21-4-2008 15:51:02.040 --- IKE DEBUG (506):Checking payload (8) Hash ---
--- 21-4-2008 15:51:02.040 --- IKE DEBUG (506):Packet payloads check out OK
------ 21-4-2008 15:51:02.040 --- IKE DEBUG (506):Packet type (32) Quick mode ---
--- 21-4-2008 15:51:02.040 --- IKE DEBUG (506):IKE role Responder
---
--- 21-4-2008 15:51:02.040 ---
IKE DEBUG (506):Handling quick mode packet and SA state is (7) PH2 sent SA ---
--- 21-4-2008 15:51:02.040 --- IKE DEBUG (506):Processing HASH reply message ---
--- 21-4-2008 15:51:02.040 ---
IKE DEBUG (506):Phase 2 negotiation completed successfully ---
--- 21-4-2008 15:51:02.040 ---
IKE DEBUG (506):Preparing to create IPSec SA's ---
--- 21-4-2008 15:51:02.040 --- IKE DEBUG (506):Generating IPSec key material ---
--- 21-4-2008 15:51:02.040 ---
IKE DEBUG (506):40 bytes of key material required ---
--- 21-4-2008 15:51:02.040 ---
IKE DEBUG (506):Changing IKE SA state from PH2 sent SA to PH2 complete ---
--- 21-4-2008 15:51:02.040 --- IKE DEBUG (506):IKE quick mode result 1 ---
--- 21-4-2008 15:51:04.050 --- IKE DEBUG (506):IKE SA timed out
---
--- 21-4-2008 15:51:04.050 --- IKE DEBUG: Resetting IKE context 0 ---
--- 21-4-2008 15:51:04.050 --- IKE DEBUG (506):Removing IKE SA
---
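
Added example (not part of the original document or the router's software): a small Python parser that rebuilds each session's SA state path from a log in this format and pulls out the phase 1 parameters the responder accepted. The sample lines are constructed from messages in the log above (timestamps are illustrative), and the `LEGACY` set is this example's own assumption about which values to flag for review.

```python
import re

# Constructed sample: messages from the responder log above, one per line.
SAMPLE = """\
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):Packet type (4) Agressive mode ---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):Checking attribute 1: Encryption algorithm Enc Alg: 5: 3DES Alg. is supported ---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):Checking attribute 2: Hash algorithm HASH alg: 1: MD5 Alg. is supported ---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):Checking attribute 3: Authentication method Auth Method: 1: PRESHARED Method is supported ---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):Checking attribute 4: DH group description Maths group: 2: DH group 2 Group is supported ---
--- 21-4-2008 15:51:01.140 --- IKE DEBUG (504):Changing IKE SA state from IDLE to Awaiting DH data ---
--- 21-4-2008 15:51:01.330 --- IKE DEBUG (504):Changing IKE SA state from Awaiting DH data to PH1 sent KE ---
--- 21-4-2008 15:51:01.710 --- IKE DEBUG (504):Changing IKE SA state from PH1 sent KE to PH1 complete ---
--- 21-4-2008 15:51:01.840 --- IKE DEBUG (506):Changing IKE SA state from PH1 complete to PH2 Initial ---
--- 21-4-2008 15:51:01.860 --- IKE DEBUG (506):Changing IKE SA state from PH2 Initial to PH2 sent SA ---
--- 21-4-2008 15:51:02.040 --- IKE DEBUG (506):Changing IKE SA state from PH2 sent SA to PH2 complete ---
"""

STATE_RE = re.compile(r"IKE DEBUG \((\d+)\):Changing IKE SA state from (.+?) to (.+?)\s*---")
FIELDS = {
    "mode": r"Packet type \(\d+\) (\w+) mode",   # log spells it "Agressive"
    "encryption": r"Enc Alg: \d+: (\S+)",
    "hash": r"HASH alg: \d+: (\S+)",
    "auth": r"Auth Method: \d+: (\S+)",
    "dh_group": r"Maths group: (\d+):",
}
# Assumption of this example, not from the page: values treated as legacy.
LEGACY = {"encryption": {"3DES", "DES"}, "hash": {"MD5"}, "dh_group": {"1", "2"}}

def state_path(log):
    """Return {session_id: [state, ...]} by following each session's transitions."""
    paths = {}
    for sid, old, new in STATE_RE.findall(log):
        path = paths.setdefault(sid, [old])
        if path[-1] != old:      # a transition is missing from the log; keep the gap visible
            path.append(old)
        path.append(new)
    return paths

def phase1_params(log):
    """First value logged for each phase 1 attribute (None if absent)."""
    found = {name: re.search(pat, log) for name, pat in FIELDS.items()}
    return {name: m.group(1) if m else None for name, m in found.items()}

def findings(params):
    notes = [f"{k}={params[k]} is a legacy choice" for k, bad in LEGACY.items() if params.get(k) in bad]
    if (params.get("mode") or "").lower().startswith("ag") and params.get("auth") == "PRESHARED":
        notes.append("aggressive mode with a pre-shared key")
    return notes
```

Calling `state_path(SAMPLE)` gives the IDLE to PH1 complete path for session 504 and the PH2 path for session 506; `findings(phase1_params(SAMPLE))` lists the parameters worth reviewing on this tunnel.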