ejjnyyo@SRX3400-1> show security ok
                                 ^
syntax error, expecting .

ejjnyyo@SRX3400-1> show security pki ca-certificate
node0:
--------------------------------------------------------------------------
Certificate identifier: LTEIPsecNEcusRootCA
  Issued to: LTEIPSecNEcusRootCA, Issued by: O = Ericsson, CN = LTEIPSecNEcusRootCA
  Validity:
    Not before: 10-31-2013 07:20 UTC
    Not after: 10-30-2018 07:20 UTC
  Public key algorithm: rsaEncryption(2048 bits)

Certificate identifier: LTEIPsecSEGRootCA
  Issued to: LTEIPSecSEGRootCA, Issued by: O = Ericsson, CN = LTEIPSecSEGRootCA
  Validity:
    Not before: 10-31-2013 07:20 UTC
    Not after: 10-30-2018 07:20 UTC
  Public key algorithm: rsaEncryption(2048 bits)

Certificate identifier: EricssonVCRootCA
  Issued to: VC_Root_CA_A1, Issued by: C = SE, O = Ericsson, CN = VC_Root_CA_A1
  Validity:
    Not before: 11-30-2012 13:25 UTC
    Not after: 12-31-2052 08:00 UTC
  Public key algorithm: rsaEncryption(4096 bits)

{primary:node0}
ejjnyyo@SRX3400-1> show security pki local-certificate
node0:
--------------------------------------------------------------------------
Certificate identifier: SRX3400-key-pair-1
  Issued to: SecGW_SRX_Site1, Issued by: O = Ericsson, CN = LTEIPSecSEGRootCA
  Validity:
    Not before: 04- 8-2014 08:38 UTC
    Not after: 10-30-2018 07:20 UTC
  Public key algorithm: rsaEncryption(2048 bits)

{primary:node0}
ejjnyyo@SRX3400-1> show configuration security pki
ca-profile LTEIPsecSEGRootCA {
    ca-identity LTEIPsecSEGRootCA;
    revocation-check {
        disable;
    }
}
ca-profile LTEIPsecNEcusRootCA {
    ca-identity LTEIPsecNEcusRootCA;
    revocation-check {
        disable;
    }
}
ca-profile EricssonVCRootCA {
    ca-identity EricssonVCRootCA;
    revocation-check {
        disable;
    }
}

{primary:node0}
ejjnyyo@SRX3400-1> show configuration security ike
traceoptions {
    file kmd;
    flag ike;
    flag policy-manager;
    flag routing-socket;
    flag all;
}
proposal Cabritos-ike-phase1-proposal {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 3600;
}
proposal ike-proposal-pRBS-cert {
    authentication-method rsa-signatures;
    dh-group group14;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 86400;
}
policy Cabritos1-ike-phase1-policy {
    mode main;
    proposals Cabritos-ike-phase1-proposal;
    pre-shared-key ascii-text "$9$pOOVuRSvMX-b2Lx"; ## SECRET-DATA
}
policy ike-policy-pRBS-cert {
    mode main;
    proposals ike-proposal-pRBS-cert;
    certificate {
        local-certificate SRX3400-key-pair-1;
        peer-certificate-type x509-signature;
    }
}
gateway Cabritos-GW01 {
    ike-policy Cabritos1-ike-phase1-policy;
    address 2.2.2.1;
    external-interface reth1.341;
}
gateway ike-gw-pRBS-cert {
    ike-policy ike-policy-pRBS-cert;
    address 10.185.49.194;
    dead-peer-detection {
        always-send;
        interval 10;
        threshold 1;
    }
    external-interface reth7.32;
    version v2-only;
}

{primary:node0}
ejjnyyo@SRX3400-1> show configuration security ipsec
traceoptions {
    flag security-associations;
    flag all;
}
proposal Cabritos-ipsec-phase2-proposal {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 3600;
}
proposal ipsec-SA-proposals {
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 1800;
}
policy Cabritos-ipsec-phase2-policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals Cabritos-ipsec-phase2-proposal;
}
policy ipsec-policy {
    proposals ipsec-SA-proposals;
}
vpn Cabritos-GRX-1 {
    bind-interface st0.3;
    vpn-monitor;
    ike {
        gateway Cabritos-GW01;
        proxy-identity {
            local 10.4.4.0/24;
            remote 10.3.3.0/24;
            service any;
        }
        ipsec-policy Cabritos-ipsec-phase2-policy;
    }
    establish-tunnels immediately;
}
vpn tunnel-pRBS-cert-TEMP {
    bind-interface st0.10;
    ike {
        gateway ike-gw-pRBS-cert;
        ipsec-policy ipsec-policy;
    }
    establish-tunnels immediately;
}

{primary:node0}
ejjnyyo@SRX3400-1> show configuration routing-instances VR_Temp_VPN
instance-type virtual-router;
interface reth7.32;
interface st0.10;
routing-options {
    static {
        route 10.185.49.192/29 next-hop 10.185.49.209;
        route 10.185.28.8/30 next-hop st0.10;
    }
}

{primary:node0}
ejjnyyo@SRX3400-1> show configuration interfaces st0
unit 3 {
    description "IPSec interface for Cabritos";
    family inet {
        mtu 1420;
    }
}
unit 10 {
    family inet {
        address 10.185.28.9/30;
    }
}

{primary:node0}
ejjnyyo@SRX3400-1> ping 10.185.49.194 source 10.185.49.212 routing-instance VR_Temp_VPN
PING 10.185.49.194 (10.185.49.194): 56 data bytes
64 bytes from 10.185.49.194: icmp_seq=0 ttl=63 time=5.090 ms
64 bytes from 10.185.49.194: icmp_seq=1 ttl=63 time=5.583 ms
^C
--- 10.185.49.194 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 5.090/5.337/5.583/0.246 ms

{primary:node0}
ejjnyyo@SRX3400-1> show log kmd | no-more
[Apr 14 02:25:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection destination IP from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121708
[Apr 14 02:25:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload Multiple auth supported from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121708
[Apr 14 02:25:00 PIC 1/7/0 KMD1]ikev2_decode_packet: [100f8d000/100fc7800] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), CERTREQ, N(MULTIPLE_AUTH_SUPPORTED)
[Apr 14 02:25:00 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f8e000 from freelist
[Apr 14 02:25:00 PIC 1/7/0 KMD1]Added (spi=0xec3e2aa, protocol=0) entry to the spi table
[Apr 14 02:25:00 PIC 1/7/0 KMD1]iked_pm_ike_conf_request: SA-CFG tunnel-pRBS-cert-TEMP not configured for config payload. Skipping...
[Apr 14 02:25:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_request: Sending Initial contact
[Apr 14 02:25:00 PIC 1/7/0 KMD1]Construction NHTB payload for local:10.185.49.212, remote:10.185.49.194 IKEv2 P1 SA index 1887121708 sa-cfg tunnel-pRBS-cert-TEMP
[Apr 14 02:25:00 PIC 1/7/0 KMD1]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg tunnel-pRBS-cert-TEMP, p1_sa=1887121708
[Apr 14 02:25:00 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f89800 from freelist
[Apr 14 02:25:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload Authentication failed from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121708
[Apr 14 02:25:00 PIC 1/7/0 KMD1]ikev2_decode_packet: [100f89800/100fc7800] Received packet: HDR, N(AUTHENTICATION_FAILED)
[Apr 14 02:25:00 PIC 1/7/0 KMD1]ikev2_state_auth_initiator_in: [100f89800/100fc7800] Error: IKE_AUTH packet is missing IDr or AUTH payload
[Apr 14 02:25:00 PIC 1/7/0 KMD1]ikev2_process_notify: [100f89800/100fc7800] Received error notify Authentication failed (24)
[Apr 14 02:25:00 PIC 1/7/0 KMD1]ikev2_state_error: [100f89800/100fc7800] Negotiation failed because of error Authentication failed (24)
[Apr 14 02:25:00 PIC 1/7/0 KMD1]IKE negotiation fail for local:10.185.49.212, remote:10.185.49.194 IKEv2 with status: Authentication failed
[Apr 14 02:25:00 PIC 1/7/0 KMD1]IPSec negotiation failed for SA-CFG tunnel-pRBS-cert-TEMP for local:10.185.49.212, remote:10.185.49.194 IKEv2. status: Authentication failed
[Apr 14 02:25:00 PIC 1/7/0 KMD1] P2 ed info: flags 0xc2, P2 error: Error ok
[Apr 14 02:25:00 PIC 1/7/0 KMD1]IKE SA delete called for p1 sa 1887121708 (ref cnt 1) local:10.185.49.212, remote:10.185.49.194, IKEv2
[Apr 14 02:25:00 PIC 1/7/0 KMD1]Freeing all P2 SAs for IKEv2 p1 SA 1887121708
[Apr 14 02:25:00 PIC 1/7/0 KMD1]iked_pm_p1_sa_destroy: p1 sa 1887121708 (ref cnt 0), waiting_for_del 0x0
[Apr 14 02:25:00 PIC 1/7/0 KMD1]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[Apr 14 02:25:59 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f8a800 from freelist
[Apr 14 02:26:00 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f92000 from freelist
[Apr 14 02:26:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection source IP from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121709
[Apr 14 02:26:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection destination IP from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121709
[Apr 14 02:26:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload Multiple auth supported from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121709
[Apr 14 02:26:00 PIC 1/7/0 KMD1]ikev2_decode_packet: [100f92000/100fc7800] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), CERTREQ, N(MULTIPLE_AUTH_SUPPORTED)
[Apr 14 02:26:00 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f77800 from freelist
[Apr 14 02:26:00 PIC 1/7/0 KMD1]Added (spi=0xe2ea7cb, protocol=0) entry to the spi table
[Apr 14 02:26:00 PIC 1/7/0 KMD1]iked_pm_ike_conf_request: SA-CFG tunnel-pRBS-cert-TEMP not configured for config payload. Skipping...
[Apr 14 02:26:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_request: Sending Initial contact
[Apr 14 02:26:00 PIC 1/7/0 KMD1]Construction NHTB payload for local:10.185.49.212, remote:10.185.49.194 IKEv2 P1 SA index 1887121709 sa-cfg tunnel-pRBS-cert-TEMP
[Apr 14 02:26:00 PIC 1/7/0 KMD1]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg tunnel-pRBS-cert-TEMP, p1_sa=1887121709
[Apr 14 02:26:00 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f65800 from freelist
[Apr 14 02:26:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload Authentication failed from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121709
[Apr 14 02:26:00 PIC 1/7/0 KMD1]ikev2_decode_packet: [100f65800/100fc7800] Received packet: HDR, N(AUTHENTICATION_FAILED)
[Apr 14 02:26:00 PIC 1/7/0 KMD1]ikev2_state_auth_initiator_in: [100f65800/100fc7800] Error: IKE_AUTH packet is missing IDr or AUTH payload
[Apr 14 02:26:00 PIC 1/7/0 KMD1]ikev2_process_notify: [100f65800/100fc7800] Received error notify Authentication failed (24)
[Apr 14 02:26:00 PIC 1/7/0 KMD1]ikev2_state_error: [100f65800/100fc7800] Negotiation failed because of error Authentication failed (24)
[Apr 14 02:26:00 PIC 1/7/0 KMD1]IKE negotiation fail for local:10.185.49.212, remote:10.185.49.194 IKEv2 with status: Authentication failed
[Apr 14 02:26:00 PIC 1/7/0 KMD1]IPSec negotiation failed for SA-CFG tunnel-pRBS-cert-TEMP for local:10.185.49.212, remote:10.185.49.194 IKEv2. status: Authentication failed
[Apr 14 02:26:00 PIC 1/7/0 KMD1] P2 ed info: flags 0xc2, P2 error: Error ok
[Apr 14 02:26:00 PIC 1/7/0 KMD1]IKE SA delete called for p1 sa 1887121709 (ref cnt 1) local:10.185.49.212, remote:10.185.49.194, IKEv2
[Apr 14 02:26:00 PIC 1/7/0 KMD1]Freeing all P2 SAs for IKEv2 p1 SA 1887121709
[Apr 14 02:26:00 PIC 1/7/0 KMD1]iked_pm_p1_sa_destroy: p1 sa 1887121709 (ref cnt 0), waiting_for_del 0x0
[Apr 14 02:26:00 PIC 1/7/0 KMD1]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[Apr 14 02:26:59 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f92800 from freelist
[Apr 14 02:27:00 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f90000 from freelist
[Apr 14 02:27:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection source IP from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121710
[Apr 14 02:27:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection destination IP from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121710
[Apr 14 02:27:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload Multiple auth supported from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121710
[Apr 14 02:27:00 PIC 1/7/0 KMD1]ikev2_decode_packet: [100f90000/100fc7800] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), CERTREQ, N(MULTIPLE_AUTH_SUPPORTED)
[Apr 14 02:27:00 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f8e800 from freelist
[Apr 14 02:27:00 PIC 1/7/0 KMD1]Added (spi=0xeebb982, protocol=0) entry to the spi table
[Apr 14 02:27:00 PIC 1/7/0 KMD1]iked_pm_ike_conf_request: SA-CFG tunnel-pRBS-cert-TEMP not configured for config payload. Skipping...
[Apr 14 02:27:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_request: Sending Initial contact
[Apr 14 02:27:00 PIC 1/7/0 KMD1]Construction NHTB payload for local:10.185.49.212, remote:10.185.49.194 IKEv2 P1 SA index 1887121710 sa-cfg tunnel-pRBS-cert-TEMP
[Apr 14 02:27:00 PIC 1/7/0 KMD1]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg tunnel-pRBS-cert-TEMP, p1_sa=1887121710
[Apr 14 02:27:00 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f8b000 from freelist
[Apr 14 02:27:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload Authentication failed from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121710
[Apr 14 02:27:00 PIC 1/7/0 KMD1]ikev2_decode_packet: [100f8b000/100fc7800] Received packet: HDR, N(AUTHENTICATION_FAILED)
[Apr 14 02:27:00 PIC 1/7/0 KMD1]ikev2_state_auth_initiator_in: [100f8b000/100fc7800] Error: IKE_AUTH packet is missing IDr or AUTH payload
[Apr 14 02:27:00 PIC 1/7/0 KMD1]ikev2_process_notify: [100f8b000/100fc7800] Received error notify Authentication failed (24)
[Apr 14 02:27:00 PIC 1/7/0 KMD1]ikev2_state_error: [100f8b000/100fc7800] Negotiation failed because of error Authentication failed (24)
[Apr 14 02:27:00 PIC 1/7/0 KMD1]IKE negotiation fail for local:10.185.49.212, remote:10.185.49.194 IKEv2 with status: Authentication failed
[Apr 14 02:27:00 PIC 1/7/0 KMD1]IPSec negotiation failed for SA-CFG tunnel-pRBS-cert-TEMP for local:10.185.49.212, remote:10.185.49.194 IKEv2. status: Authentication failed
[Apr 14 02:27:00 PIC 1/7/0 KMD1] P2 ed info: flags 0xc2, P2 error: Error ok
[Apr 14 02:27:00 PIC 1/7/0 KMD1]IKE SA delete called for p1 sa 1887121710 (ref cnt 1) local:10.185.49.212, remote:10.185.49.194, IKEv2
[Apr 14 02:27:00 PIC 1/7/0 KMD1]Freeing all P2 SAs for IKEv2 p1 SA 1887121710
[Apr 14 02:27:00 PIC 1/7/0 KMD1]iked_pm_p1_sa_destroy: p1 sa 1887121710 (ref cnt 0), waiting_for_del 0x0
[Apr 14 02:27:00 PIC 1/7/0 KMD1]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[Apr 14 02:27:59 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f95800 from freelist
[Apr 14 02:28:00 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f94000 from freelist
[Apr 14 02:28:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection source IP from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121711
[Apr 14 02:28:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection destination IP from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121711
[Apr 14 02:28:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload Multiple auth supported from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121711
[Apr 14 02:28:00 PIC 1/7/0 KMD1]ikev2_decode_packet: [100f94000/100fc7800] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), CERTREQ, N(MULTIPLE_AUTH_SUPPORTED)
[Apr 14 02:28:00 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f90800 from freelist
[Apr 14 02:28:00 PIC 1/7/0 KMD1]Added (spi=0xe1f27d3, protocol=0) entry to the spi table
[Apr 14 02:28:00 PIC 1/7/0 KMD1]iked_pm_ike_conf_request: SA-CFG tunnel-pRBS-cert-TEMP not configured for config payload. Skipping...
[Apr 14 02:28:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_request: Sending Initial contact
[Apr 14 02:28:00 PIC 1/7/0 KMD1]Construction NHTB payload for local:10.185.49.212, remote:10.185.49.194 IKEv2 P1 SA index 1887121711 sa-cfg tunnel-pRBS-cert-TEMP
[Apr 14 02:28:00 PIC 1/7/0 KMD1]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg tunnel-pRBS-cert-TEMP, p1_sa=1887121711
[Apr 14 02:28:00 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f86800 from freelist
[Apr 14 02:28:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload Authentication failed from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121711
[Apr 14 02:28:00 PIC 1/7/0 KMD1]ikev2_decode_packet: [100f86800/100fc7800] Received packet: HDR, N(AUTHENTICATION_FAILED)
[Apr 14 02:28:00 PIC 1/7/0 KMD1]ikev2_state_auth_initiator_in: [100f86800/100fc7800] Error: IKE_AUTH packet is missing IDr or AUTH payload
[Apr 14 02:28:00 PIC 1/7/0 KMD1]ikev2_process_notify: [100f86800/100fc7800] Received error notify Authentication failed (24)
[Apr 14 02:28:00 PIC 1/7/0 KMD1]ikev2_state_error: [100f86800/100fc7800] Negotiation failed because of error Authentication failed (24)
[Apr 14 02:28:00 PIC 1/7/0 KMD1]IKE negotiation fail for local:10.185.49.212, remote:10.185.49.194 IKEv2 with status: Authentication failed
[Apr 14 02:28:00 PIC 1/7/0 KMD1]IPSec negotiation failed for SA-CFG tunnel-pRBS-cert-TEMP for local:10.185.49.212, remote:10.185.49.194 IKEv2. status: Authentication failed
[Apr 14 02:28:00 PIC 1/7/0 KMD1] P2 ed info: flags 0xc2, P2 error: Error ok
[Apr 14 02:28:00 PIC 1/7/0 KMD1]IKE SA delete called for p1 sa 1887121711 (ref cnt 1) local:10.185.49.212, remote:10.185.49.194, IKEv2
[Apr 14 02:28:00 PIC 1/7/0 KMD1]Freeing all P2 SAs for IKEv2 p1 SA 1887121711
[Apr 14 02:28:00 PIC 1/7/0 KMD1]iked_pm_p1_sa_destroy: p1 sa 1887121711 (ref cnt 0), waiting_for_del 0x0
[Apr 14 02:28:00 PIC 1/7/0 KMD1]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[Apr 14 02:28:04 PIC 1/6/0 KMD1]Soft life timer expired for inbound Cabritos-GRX-1 with spi 0xc6f4ffe
[Apr 14 02:28:04 PIC 1/6/0 KMD1]Added (spi=0xc14c5f0, protocol=0) entry to the spi table
[Apr 14 02:28:04 PIC 1/6/0 KMD1]Added (spi=0xc478d06, protocol=0) entry to the spi table
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ssh_ike_connect_ipsec: Start, remote_name = :500, flags = 00010000
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_alloc_negotiation: Start, SA = { 468581b9 6fe39684 - 91107b0a c15409da}
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ssh_ike_connect_ipsec: SA = { 468581b9 6fe39684 - 91107b0a c15409da}, nego = 0
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_init_qm_negotiation: Start, initiator = 1, message_id = c8a4cee5
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_st_o_qm_hash_1: Start
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_st_o_qm_sa_proposals: Start
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_st_o_qm_nonce: Start
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_policy_reply_qm_nonce_data_len: Start
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_st_o_qm_optional_ke: Start
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_st_o_qm_optional_ids: Start
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_st_qm_optional_id: Start
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_st_qm_optional_id: Start
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_st_o_private: Start
[Apr 14 02:28:04 PIC 1/6/0 KMD1]Construction NHTB payload for local:2.2.2.2, remote:2.2.2.1 IKEv1 P1 SA index 1618693701 sa-cfg Cabritos-GRX-1
[Apr 14 02:28:04 PIC 1/6/0 KMD1]iked_get_interface_primary_ip_by_family:Can Not find family for tunnel interface st0.3
[Apr 14 02:28:04 PIC 1/6/0 KMD1]iked_nhtb_get_tunnel_ip:Can Not get primary IP for tunnel interface st0.3
[Apr 14 02:28:04 PIC 1/6/0 KMD1]Could not get local tunnel ip address. Not sending NHTB notify payload for sa-cfg Cabritos-GRX-1
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_policy_reply_private_payload_out: Start
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_st_o_encrypt: Marking encryption for packet
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_encode_packet: Start, SA = { 0x468581b9 6fe39684 - 91107b0a c15409da } / c8a4cee5, nego = 0
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_finalize_qm_hash_1: Hash[0..20] = a34c7d59 b51e4b1e ...
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_send_packet: Start, send SA = { 468581b9 6fe39684 - 91107b0a c15409da}, nego = 0, dst = 2.2.2.1:500, routing table id = 0
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ikev2_packet_allocate: Allocated packet 100f76000 from freelist
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_sa_find: Found SA = { 468581b9 6fe39684 - 91107b0a c15409da }
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_get_sa: Start, SA = { 468581b9 6fe39684 - 91107b0a c15409da } / c8a4cee5, remote = 2.2.2.1:500
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_sa_find: Found SA = { 468581b9 6fe39684 - 91107b0a c15409da }
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_decode_packet: Start
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_decode_packet: Start, SA = { 468581b9 6fe39684 - 91107b0a c15409da} / c8a4cee5, nego = 0
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_decode_payload_sa: Start
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_decode_payload_t: Start, # trans = 1
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_st_i_encrypt: Check that packet was encrypted succeeded
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_st_i_qm_hash_2: Start, hash[0..20] = 8d1a7287 801c7dfe ...
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_st_i_qm_sa_values: Start
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_st_i_qm_nonce: Nonce[0..32] = 8b619a6d 9418fc78 ...
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_st_i_qm_ke: Ke[0..128] = 61367614 37a879e1 ...
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_st_i_status_n: Start, doi = 1, protocol = 3, code = unknown (40001), spi[0..4] = 9a77bad1 00000000 ..., data[0..8] = 00010004 0a010101 ...
[Apr 14 02:28:04 PIC 1/6/0 KMD1]iked_pm_ike_spd_notify_received: Received authenticated notification payload unknown from local:2.2.2.2 remote:2.2.2.1 IKEv1 for P1 SA 1618693701
[Apr 14 02:28:04 PIC 1/6/0 KMD1]Received NHTB payload from local:2.2.2.2, remote:2.2.2.1 IKEv1 P1 SA index 1618693701
[Apr 14 02:28:04 PIC 1/6/0 KMD1]Received NHTB private IP address 10.1.1.1
[Apr 14 02:28:04 PIC 1/6/0 KMD1]QM notification `(null)' (40001) (size 8 bytes) from 2.2.2.1 for protocol ESP spi[0...3]=9a 77 ba d1
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_st_i_private: Start
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_st_o_qm_hash_3: Start
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_st_o_private: Start
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_policy_reply_private_payload_out: Start
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_st_o_encrypt: Marking encryption for packet
[Apr 14 02:28:04 PIC 1/6/0 KMD1]:500 (Initiator) <-> 2.2.2.1:500 { 468581b9 6fe39684 - 91107b0a c15409da [0] / 0xc8a4cee5 } QM; MESSAGE: Phase 2 connection succeeded, Using PFS, group = 2
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_qm_call_callback: MESSAGE: Phase 2 connection succeeded, Using PFS, group = 2
[Apr 14 02:28:04 PIC 1/6/0 KMD1]:500 (Initiator) <-> 2.2.2.1:500 { 468581b9 6fe39684 - 91107b0a c15409da [0] / 0xc8a4cee5 } QM; MESSAGE: SA[0][0] = ESP aes, life = 0 kB/3600 sec, group = 2, tunnel, hmac-md5-96, Extended seq not used, key len = 128,
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_qm_call_callback: MESSAGE: SA[0][0] = ESP aes, life = 0 kB/3600 sec, group = 2, tunnel, hmac-md5-96, Extended seq not used, key len = 128, key rounds = 0
[Apr 14 02:28:04 PIC 1/6/0 KMD1]iked_pm_ipsec_sa_install: local:2.2.2.2, remote:2.2.2.1 IKEv1 for SA-CFG Cabritos-GRX-1
[Apr 14 02:28:04 PIC 1/6/0 KMD1]iked_pm_ipsec_sa_create: encr key len 16, auth key len: 16, salt len: 0
[Apr 14 02:28:04 PIC 1/6/0 KMD1]Added (spi=0xc14c5f0, protocol=ESP dst=2.2.2.2) entry to the peer hash table
[Apr 14 02:28:04 PIC 1/6/0 KMD1]iked_sa_cfg_update_sa_cfg_child_sa_count Parent not found for sa_cfg Cabritos-GRX-1
[Apr 14 02:28:04 PIC 1/6/0 KMD1]Added (spi=0x9a77bad1, protocol=ESP dst=2.2.2.1) entry to the peer hash table
[Apr 14 02:28:04 PIC 1/6/0 KMD1]iked_sa_cfg_update_sa_cfg_child_sa_count Parent not found for sa_cfg Cabritos-GRX-1
[Apr 14 02:28:04 PIC 1/6/0 KMD1]Hardlife timer started for inbound Cabritos-GRX-1 with 3600 seconds/0 kilobytes
[Apr 14 02:28:04 PIC 1/6/0 KMD1]Softlife timer started for inbound Cabritos-GRX-1 with 2966 seconds/0 kilobytes
[Apr 14 02:28:04 PIC 1/6/0 KMD1]Rekey was initiated by us. So restart timer so that we can send delete notification
[Apr 14 02:28:04 PIC 1/6/0 KMD1]Hardlife timer restarted for rekeyed sa of outbound Cabritos-GRX-1 with 5 seconds/0 kilobytes
[Apr 14 02:28:04 PIC 1/6/0 KMD1]In iked_ipsec_sa_pair_add Adding GENCFG msg with key; Tunnel = 131073;SPI-In = 0xc14c5f0
[Apr 14 02:28:04 PIC 1/6/0 KMD1]Added dependency on SA config blob with tunnelid = 131073
[Apr 14 02:28:04 PIC 1/6/0 KMD1]Successfully added ipsec SA PAIR
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_st_o_qm_wait_done: Marking for waiting for done
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_encode_packet: Start, SA = { 0x468581b9 6fe39684 - 91107b0a c15409da } / c8a4cee5, nego = 0
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_send_packet: Start, send SA = { 468581b9 6fe39684 - 91107b0a c15409da}, nego = 0, dst = 2.2.2.1:500, routing table id = 0
[Apr 14 02:28:04 PIC 1/6/0 KMD1]ike_send_notify: Connected, SA = { 468581b9 6fe39684 - 91107b0a c15409da}, nego = 0
[Apr 14 02:28:04 PIC 1/6/0 KMD1]IPSec negotiation done successfully for SA-CFG Cabritos-GRX-1 for local:2.2.2.2, remote:2.2.2.1 IKEv1
[Apr 14 02:22:25 PIC 2/6/0 KMD1]Added (spi=0xc14c5f0, protocol=ESP dst=2.2.2.2) entry to the peer hash table
[Apr 14 02:22:25 PIC 2/6/0 KMD1]iked_sa_cfg_update_sa_cfg_child_sa_count Parent not found for sa_cfg Cabritos-GRX-1
[Apr 14 02:22:25 PIC 2/6/0 KMD1]Added (spi=0x9a77bad1, protocol=ESP dst=2.2.2.1) entry to the peer hash table
[Apr 14 02:22:25 PIC 2/6/0 KMD1]iked_sa_cfg_update_sa_cfg_child_sa_count Parent not found for sa_cfg Cabritos-GRX-1
[Apr 14 02:22:25 PIC 2/6/0 KMD1]Hardlife timer started for inbound Cabritos-GRX-1 with 3600 seconds/0 kilobytes
[Apr 14 02:22:25 PIC 2/6/0 KMD1]Softlife timer started for inbound Cabritos-GRX-1 with 2966 seconds/0 kilobytes
[Apr 14 02:22:25 PIC 2/6/0 KMD1]Creating dependency on SA config blob with tunnelid = 131073
[Apr 14 02:22:25 PIC 2/6/0 KMD1]Added dependency on SA config blob with tunnelid = 131073
[Apr 14 02:22:25 PIC 2/6/0 KMD1]Successfully added ipsec SA PAIR
[Apr 14 02:28:04 KMD-RE]Added (spi=0xc14c5f0, protocol=ESP dst=2.2.2.2) entry to the peer hash table
[Apr 14 02:28:04 KMD-RE]iked_sa_cfg_update_sa_cfg_child_sa_count Parent not found for sa_cfg Cabritos-GRX-1
[Apr 14 02:28:04 KMD-RE]Added (spi=0x9a77bad1, protocol=ESP dst=2.2.2.1) entry to the peer hash table
[Apr 14 02:28:04 KMD-RE]iked_sa_cfg_update_sa_cfg_child_sa_count Parent not found for sa_cfg Cabritos-GRX-1
[Apr 14 02:28:09 PIC 1/6/0 KMD1]Hard life timer expired for outbound Cabritos-GRX-1 with spi 0x9a77bad0
[Apr 14 02:28:09 PIC 1/6/0 KMD1]Deleted (spi=0x9a77bad0, protocol=ESP dst=2.2.2.1) entry from the peer hash table. Reason: Lifetime expired
[Apr 14 02:28:09 PIC 1/6/0 KMD1]In iked_ipsec_sa_pair_delete Deleting GENCFG msg with key; Tunnel = 131073;SPI-In = 0xc6f4ffe
[Apr 14 02:28:09 PIC 1/6/0 KMD1]Deleted SA pair for tunnel = 131073 with SPI-In = 0xc6f4ffe to kernel
[Apr 14 02:28:09 PIC 1/6/0 KMD1]iked_sa_cfg_update_sa_cfg_child_sa_count Parent not found for sa_cfg Cabritos-GRX-1
[Apr 14 02:28:09 PIC 1/6/0 KMD1]Deleted (spi=0xc6f4ffe, protocol=ESP dst=2.2.2.2) entry from the peer hash table. Reason: Lifetime expired
[Apr 14 02:28:09 PIC 1/6/0 KMD1]ssh_ike_connect_delete: Start, remote_name = :500, flags = 00010000
[Apr 14 02:28:09 PIC 1/6/0 KMD1]ssh_ike_create_delete_internal: Start, remote_name = :500, flags = 00010000
[Apr 14 02:28:09 PIC 1/6/0 KMD1]ike_alloc_negotiation: Start, SA = { 468581b9 6fe39684 - 91107b0a c15409da}
[Apr 14 02:28:09 PIC 1/6/0 KMD1]ssh_ike_create_delete_internal: SA = { 468581b9 6fe39684 - 91107b0a c15409da}, nego = 1
[Apr 14 02:28:09 PIC 1/6/0 KMD1]ike_encode_packet: Start, SA = { 0x468581b9 6fe39684 - 91107b0a c15409da } / 2be7fb39, nego = 1
[Apr 14 02:28:09 PIC 1/6/0 KMD1]ike_send_packet: Start, send SA = { 468581b9 6fe39684 - 91107b0a c15409da}, nego = 1, dst = 2.2.2.1:500, routing table id = 0
[Apr 14 02:28:09 PIC 1/6/0 KMD1]ike_delete_negotiation: Start, SA = { 468581b9 6fe39684 - 91107b0a c15409da}, nego = 1
[Apr 14 02:28:09 PIC 1/6/0 KMD1]ike_free_negotiation_info: Start, nego = 1
[Apr 14 02:28:09 PIC 1/6/0 KMD1]ike_free_negotiation: Start, nego = 1
[Apr 14 02:28:09 PIC 1/6/0 KMD1]Deleted (spi=0xc6f4ffe, protocol=ESP) entry from the inbound sa spi hash table
[Apr 14 02:28:09 PIC 1/6/0 KMD1]iked_sa_cfg_update_sa_cfg_child_sa_count Parent not found for sa_cfg Cabritos-GRX-1
[Apr 14 02:22:30 PIC 2/6/0 KMD1]Deleted (spi=0xc6f4ffe, protocol=ESP dst=2.2.2.2) entry from the peer hash table. Reason: Cleared from HA peer
[Apr 14 02:22:30 PIC 2/6/0 KMD1]In iked_ipsec_sa_pair_delete Deleting GENCFG msg with key; Tunnel = 131073;SPI-In = 0xc6f4ffe
[Apr 14 02:22:30 PIC 2/6/0 KMD1]Deleted SA pair for tunnel = 131073 with SPI-In = 0xc6f4ffe to kernel
[Apr 14 02:22:30 PIC 2/6/0 KMD1]Deleted (spi=0xc6f4ffe, protocol=ESP) entry from the inbound sa spi hash table
[Apr 14 02:22:30 PIC 2/6/0 KMD1]iked_sa_cfg_update_sa_cfg_child_sa_count Parent not found for sa_cfg Cabritos-GRX-1
[Apr 14 02:22:30 PIC 2/6/0 KMD1]Deleted (spi=0x9a77bad0, protocol=ESP dst=2.2.2.1) entry from the peer hash table. Reason: Cleared from HA peer
[Apr 14 02:22:30 PIC 2/6/0 KMD1]iked_sa_cfg_update_sa_cfg_child_sa_count Parent not found for sa_cfg Cabritos-GRX-1
[Apr 14 02:28:09 KMD-RE]Deleted (spi=0x9a77bad0, protocol=ESP dst=2.2.2.1) entry from the peer hash table. Reason: Lifetime expired
[Apr 14 02:28:09 KMD-RE]iked_sa_cfg_update_sa_cfg_child_sa_count Parent not found for sa_cfg Cabritos-GRX-1
[Apr 14 02:28:09 KMD-RE]Deleted (spi=0xc6f4ffe, protocol=ESP dst=2.2.2.2) entry from the peer hash table. Reason: Lifetime expired
[Apr 14 02:28:09 KMD-RE]Deleted (spi=0xc6f4ffe, protocol=ESP) entry from the inbound sa spi hash table
[Apr 14 02:28:09 KMD-RE]iked_sa_cfg_update_sa_cfg_child_sa_count Parent not found for sa_cfg Cabritos-GRX-1
[Apr 14 02:28:59 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f93800 from freelist
[Apr 14 02:29:00 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f94800 from freelist
[Apr 14 02:29:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection source IP from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121712
[Apr 14 02:29:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection destination IP from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121712
[Apr 14 02:29:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload Multiple auth supported from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121712
[Apr 14 02:29:00 PIC 1/7/0 KMD1]ikev2_decode_packet: [100f94800/100fc7800] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), CERTREQ, N(MULTIPLE_AUTH_SUPPORTED)
[Apr 14 02:29:00 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f95000 from freelist
[Apr 14 02:29:00 PIC 1/7/0 KMD1]Added (spi=0xed953d0, protocol=0) entry to the spi table
[Apr 14 02:29:00 PIC 1/7/0 KMD1]iked_pm_ike_conf_request: SA-CFG tunnel-pRBS-cert-TEMP not configured for config payload. Skipping...
[Apr 14 02:29:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_request: Sending Initial contact
[Apr 14 02:29:00 PIC 1/7/0 KMD1]Construction NHTB payload for local:10.185.49.212, remote:10.185.49.194 IKEv2 P1 SA index 1887121712 sa-cfg tunnel-pRBS-cert-TEMP
[Apr 14 02:29:00 PIC 1/7/0 KMD1]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg tunnel-pRBS-cert-TEMP, p1_sa=1887121712
[Apr 14 02:29:00 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f8f800 from freelist
[Apr 14 02:29:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload Authentication failed from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121712
[Apr 14 02:29:00 PIC 1/7/0 KMD1]ikev2_decode_packet: [100f8f800/100fc7800] Received packet: HDR, N(AUTHENTICATION_FAILED)
[Apr 14 02:29:00 PIC 1/7/0 KMD1]ikev2_state_auth_initiator_in: [100f8f800/100fc7800] Error: IKE_AUTH packet is missing IDr or AUTH payload
[Apr 14 02:29:00 PIC 1/7/0 KMD1]ikev2_process_notify: [100f8f800/100fc7800] Received error notify Authentication failed (24)
[Apr 14 02:29:00 PIC 1/7/0 KMD1]ikev2_state_error: [100f8f800/100fc7800] Negotiation failed because of error Authentication failed (24)
[Apr 14 02:29:00 PIC 1/7/0 KMD1]IKE negotiation fail for local:10.185.49.212, remote:10.185.49.194 IKEv2 with status: Authentication failed
[Apr 14 02:29:00 PIC 1/7/0 KMD1]IPSec negotiation failed for SA-CFG tunnel-pRBS-cert-TEMP for local:10.185.49.212, remote:10.185.49.194 IKEv2. status: Authentication failed
[Apr 14 02:29:00 PIC 1/7/0 KMD1] P2 ed info: flags 0xc2, P2 error: Error ok
[Apr 14 02:29:00 PIC 1/7/0 KMD1]IKE SA delete called for p1 sa 1887121712 (ref cnt 1) local:10.185.49.212, remote:10.185.49.194, IKEv2
[Apr 14 02:29:00 PIC 1/7/0 KMD1]Freeing all P2 SAs for IKEv2 p1 SA 1887121712
[Apr 14 02:29:00 PIC 1/7/0 KMD1]iked_pm_p1_sa_destroy: p1 sa 1887121712 (ref cnt 0), waiting_for_del 0x0
[Apr 14 02:29:00 PIC 1/7/0 KMD1]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[Apr 14 02:23:57 PIC 2/6/0 KMD1]Config download: Processed 99 - 100 messages
[Apr 14 02:23:57 PIC 2/6/0 KMD1]Config download time: 0 secs
[Apr 14 02:23:57 PIC 2/6/0 KMD1]iked_config_process_config_list, configuration diff complete
[Apr 14 02:23:51 PIC 2/7/0 KMD2]Config download: Processed 99 - 100 messages
[Apr 14 02:23:51 PIC 2/7/0 KMD2]Config download time: 0 secs
[Apr 14 02:23:51 PIC 2/7/0 KMD2]iked_config_process_config_list, configuration diff complete
[Apr 14 02:29:36 KMD-RE]kmd_iked_cfgbuf_addrec: 530: ** Allocated recptr is 0, reclen = 0 **
[Apr 14 02:29:36 KMD-RE]kmd_iked_cfgbuf_addrec: 530: ** Allocated recptr is c, reclen = 0 **
[Apr 14 02:29:36 KMD-RE]Error: Unknown record, type = 25
[Apr 14 02:29:36 KMD-RE]kmd_iked_cfgbuf_addrec: 530: ** Allocated recptr is 41c, reclen = 0 **
[Apr 14 02:29:36 KMD-RE]kmd_iked_cfgbuf_addrec: 530: ** Allocated recptr is 4, reclen = 0 **
[Apr 14 02:29:36 KMD-RE]kmd_iked_cfgbuf_addrec: 530: ** Allocated recptr is 0, reclen = 0 **
[Apr 14 02:29:36 KMD-RE]Config download: Processed 99 - 100 messages
[Apr 14 02:29:36 KMD-RE]Config download time: 0 secs
[Apr 14 02:29:37 KMD-RE]iked_config_process_config_list, configuration diff complete
[Apr 14 02:23:51 PIC 2/7/0 KMD1]Config download: Processed 99 - 100 messages
[Apr 14 02:23:51 PIC 2/7/0 KMD1]Config download time: 0 secs
[Apr 14 02:23:51 PIC 2/7/0 KMD1]iked_config_process_config_list, configuration diff complete
[Apr 14 02:29:36 PIC 1/7/0 KMD2]Config download: Processed
99 - 100 messages [Apr 14 02:29:36 PIC 1/7/0 KMD2]Config download time: 0 secs [Apr 14 02:29:36 PIC 1/7/0 KMD2]iked_config_process_config_list, configuration diff complete [Apr 14 02:23:57 PIC 2/6/0 KMD2]Config download: Processed 99 - 100 messages [Apr 14 02:23:57 PIC 2/6/0 KMD2]Config download time: 0 secs [Apr 14 02:23:57 PIC 2/6/0 KMD2]iked_config_process_config_list, configuration diff complete [Apr 14 02:29:36 PIC 1/6/0 KMD1]Config download: Processed 99 - 100 messages [Apr 14 02:29:36 PIC 1/6/0 KMD1]Config download time: 0 secs [Apr 14 02:29:36 PIC 1/6/0 KMD1]iked_config_process_config_list, configuration diff complete [Apr 14 02:29:36 PIC 1/7/0 KMD1]Config download: Processed 99 - 100 messages [Apr 14 02:29:36 PIC 1/7/0 KMD1]Config download time: 0 secs [Apr 14 02:29:36 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f91800 from freelist [Apr 14 02:29:36 PIC 1/7/0 KMD1]iked_config_process_config_list, configuration diff complete [Apr 14 02:29:37 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f91000 from freelist [Apr 14 02:29:37 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection source IP from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121713 [Apr 14 02:29:37 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection destination IP from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121713 [Apr 14 02:29:37 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload Multiple auth supported from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121713 [Apr 14 02:29:37 PIC 1/7/0 KMD1]ikev2_decode_packet: [100f91000/100fc7800] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), CERTREQ, N(MULTIPLE_AUTH_SUPPORTED) [Apr 14 02:29:37 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f6c000 from freelist [Apr 14 
02:29:37 PIC 1/7/0 KMD1]Added (spi=0xe21fb38, protocol=0) entry to the spi table [Apr 14 02:29:37 PIC 1/7/0 KMD1]iked_pm_ike_conf_request: SA-CFG tunnel-pRBS-cert-TEMP not configured for config payload. Skipping... [Apr 14 02:29:37 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_request: Sending Initial contact [Apr 14 02:29:37 PIC 1/7/0 KMD1]Construction NHTB payload for local:10.185.49.212, remote:10.185.49.194 IKEv2 P1 SA index 1887121713 sa-cfg tunnel-pRBS-cert-TEMP [Apr 14 02:29:37 PIC 1/7/0 KMD1]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg tunnel-pRBS-cert-TEMP, p1_sa=1887121713 [Apr 14 02:29:37 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f66000 from freelist [Apr 14 02:29:37 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload Authentication failed from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121713 [Apr 14 02:29:37 PIC 1/7/0 KMD1]ikev2_decode_packet: [100f66000/100fc7800] Received packet: HDR, N(AUTHENTICATION_FAILED) [Apr 14 02:29:37 PIC 1/7/0 KMD1]ikev2_state_auth_initiator_in: [100f66000/100fc7800] Error: IKE_AUTH packet is missing IDr or AUTH payload [Apr 14 02:29:37 PIC 1/7/0 KMD1]ikev2_process_notify: [100f66000/100fc7800] Received error notify Authentication failed (24) [Apr 14 02:29:37 PIC 1/7/0 KMD1]ikev2_state_error: [100f66000/100fc7800] Negotiation failed because of error Authentication failed (24) [Apr 14 02:29:37 PIC 1/7/0 KMD1]IKE negotiation fail for local:10.185.49.212, remote:10.185.49.194 IKEv2 with status: Authentication failed [Apr 14 02:29:37 PIC 1/7/0 KMD1]IPSec negotiation failed for SA-CFG tunnel-pRBS-cert-TEMP for local:10.185.49.212, remote:10.185.49.194 IKEv2. 
status: Authentication failed [Apr 14 02:29:37 PIC 1/7/0 KMD1] P2 ed info: flags 0xc2, P2 error: Error ok [Apr 14 02:29:37 PIC 1/7/0 KMD1]IKE SA delete called for p1 sa 1887121713 (ref cnt 1) local:10.185.49.212, remote:10.185.49.194, IKEv2 [Apr 14 02:29:37 PIC 1/7/0 KMD1]Freeing all P2 SAs for IKEv2 p1 SA 1887121713 [Apr 14 02:29:37 PIC 1/7/0 KMD1]iked_pm_p1_sa_destroy: p1 sa 1887121713 (ref cnt 0), waiting_for_del 0x0 [Apr 14 02:29:37 PIC 1/7/0 KMD1]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s) [Apr 14 02:29:36 PIC 1/6/0 KMD2]Config download: Processed 99 - 100 messages [Apr 14 02:29:36 PIC 1/6/0 KMD2]Config download time: 0 secs [Apr 14 02:29:36 PIC 1/6/0 KMD2]iked_config_process_config_list, configuration diff complete [Apr 14 02:29:59 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f68000 from freelist [Apr 14 02:30:00 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f69800 from freelist [Apr 14 02:30:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection source IP from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121714 [Apr 14 02:30:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection destination IP from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121714 [Apr 14 02:30:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload Multiple auth supported from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121714 [Apr 14 02:30:00 PIC 1/7/0 KMD1]ikev2_decode_packet: [100f69800/100fc7800] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), CERTREQ, N(MULTIPLE_AUTH_SUPPORTED) [Apr 14 02:30:00 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f68800 from freelist [Apr 14 02:30:00 PIC 1/7/0 KMD1]Added (spi=0xefbeb89, protocol=0) entry to the spi table [Apr 14 02:30:00 PIC 1/7/0 
KMD1]iked_pm_ike_conf_request: SA-CFG tunnel-pRBS-cert-TEMP not configured for config payload. Skipping... [Apr 14 02:30:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_request: Sending Initial contact [Apr 14 02:30:00 PIC 1/7/0 KMD1]Construction NHTB payload for local:10.185.49.212, remote:10.185.49.194 IKEv2 P1 SA index 1887121714 sa-cfg tunnel-pRBS-cert-TEMP [Apr 14 02:30:00 PIC 1/7/0 KMD1]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg tunnel-pRBS-cert-TEMP, p1_sa=1887121714 [Apr 14 02:30:00 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f6e800 from freelist [Apr 14 02:30:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload Authentication failed from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121714 [Apr 14 02:30:00 PIC 1/7/0 KMD1]ikev2_decode_packet: [100f6e800/100fc7800] Received packet: HDR, N(AUTHENTICATION_FAILED) [Apr 14 02:30:00 PIC 1/7/0 KMD1]ikev2_state_auth_initiator_in: [100f6e800/100fc7800] Error: IKE_AUTH packet is missing IDr or AUTH payload [Apr 14 02:30:00 PIC 1/7/0 KMD1]ikev2_process_notify: [100f6e800/100fc7800] Received error notify Authentication failed (24) [Apr 14 02:30:00 PIC 1/7/0 KMD1]ikev2_state_error: [100f6e800/100fc7800] Negotiation failed because of error Authentication failed (24) [Apr 14 02:30:00 PIC 1/7/0 KMD1]IKE negotiation fail for local:10.185.49.212, remote:10.185.49.194 IKEv2 with status: Authentication failed [Apr 14 02:30:00 PIC 1/7/0 KMD1]IPSec negotiation failed for SA-CFG tunnel-pRBS-cert-TEMP for local:10.185.49.212, remote:10.185.49.194 IKEv2. 
status: Authentication failed [Apr 14 02:30:00 PIC 1/7/0 KMD1] P2 ed info: flags 0xc2, P2 error: Error ok [Apr 14 02:30:00 PIC 1/7/0 KMD1]IKE SA delete called for p1 sa 1887121714 (ref cnt 1) local:10.185.49.212, remote:10.185.49.194, IKEv2 [Apr 14 02:30:00 PIC 1/7/0 KMD1]Freeing all P2 SAs for IKEv2 p1 SA 1887121714 [Apr 14 02:30:00 PIC 1/7/0 KMD1]iked_pm_p1_sa_destroy: p1 sa 1887121714 (ref cnt 0), waiting_for_del 0x0 [Apr 14 02:30:00 PIC 1/7/0 KMD1]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s) [Apr 14 02:30:59 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f97800 from freelist [Apr 14 02:31:00 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f78000 from freelist [Apr 14 02:31:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection source IP from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121715 [Apr 14 02:31:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection destination IP from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121715 [Apr 14 02:31:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload Multiple auth supported from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121715 [Apr 14 02:31:00 PIC 1/7/0 KMD1]ikev2_decode_packet: [100f78000/100fc7800] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), CERTREQ, N(MULTIPLE_AUTH_SUPPORTED) [Apr 14 02:31:00 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f97000 from freelist [Apr 14 02:31:00 PIC 1/7/0 KMD1]Added (spi=0xe5c3dc1, protocol=0) entry to the spi table [Apr 14 02:31:00 PIC 1/7/0 KMD1]iked_pm_ike_conf_request: SA-CFG tunnel-pRBS-cert-TEMP not configured for config payload. Skipping... 
[Apr 14 02:31:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_request: Sending Initial contact [Apr 14 02:31:00 PIC 1/7/0 KMD1]Construction NHTB payload for local:10.185.49.212, remote:10.185.49.194 IKEv2 P1 SA index 1887121715 sa-cfg tunnel-pRBS-cert-TEMP [Apr 14 02:31:00 PIC 1/7/0 KMD1]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg tunnel-pRBS-cert-TEMP, p1_sa=1887121715 [Apr 14 02:31:00 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f65000 from freelist [Apr 14 02:31:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload Authentication failed from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121715 [Apr 14 02:31:00 PIC 1/7/0 KMD1]ikev2_decode_packet: [100f65000/100fc7800] Received packet: HDR, N(AUTHENTICATION_FAILED) [Apr 14 02:31:00 PIC 1/7/0 KMD1]ikev2_state_auth_initiator_in: [100f65000/100fc7800] Error: IKE_AUTH packet is missing IDr or AUTH payload [Apr 14 02:31:00 PIC 1/7/0 KMD1]ikev2_process_notify: [100f65000/100fc7800] Received error notify Authentication failed (24) [Apr 14 02:31:00 PIC 1/7/0 KMD1]ikev2_state_error: [100f65000/100fc7800] Negotiation failed because of error Authentication failed (24) [Apr 14 02:31:00 PIC 1/7/0 KMD1]IKE negotiation fail for local:10.185.49.212, remote:10.185.49.194 IKEv2 with status: Authentication failed [Apr 14 02:31:00 PIC 1/7/0 KMD1]IPSec negotiation failed for SA-CFG tunnel-pRBS-cert-TEMP for local:10.185.49.212, remote:10.185.49.194 IKEv2. 
status: Authentication failed [Apr 14 02:31:00 PIC 1/7/0 KMD1] P2 ed info: flags 0xc2, P2 error: Error ok [Apr 14 02:31:00 PIC 1/7/0 KMD1]IKE SA delete called for p1 sa 1887121715 (ref cnt 1) local:10.185.49.212, remote:10.185.49.194, IKEv2 [Apr 14 02:31:00 PIC 1/7/0 KMD1]Freeing all P2 SAs for IKEv2 p1 SA 1887121715 [Apr 14 02:31:00 PIC 1/7/0 KMD1]iked_pm_p1_sa_destroy: p1 sa 1887121715 (ref cnt 0), waiting_for_del 0x0 [Apr 14 02:31:00 PIC 1/7/0 KMD1]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s) [Apr 14 02:31:04 PIC 1/6/0 KMD1]ike_state_restart_packet: Start, restart packet SA = { 468581b9 6fe39684 - 91107b0a c15409da}, nego = 0 [Apr 14 02:31:04 PIC 1/6/0 KMD1]ike_st_o_qm_done: Quick Mode negotiation done [Apr 14 02:31:04 PIC 1/6/0 KMD1]ike_send_notify: Connected, SA = { 468581b9 6fe39684 - 91107b0a c15409da}, nego = 0 [Apr 14 02:31:04 PIC 1/6/0 KMD1]ike_delete_negotiation: Start, SA = { 468581b9 6fe39684 - 91107b0a c15409da}, nego = 0 [Apr 14 02:31:04 PIC 1/6/0 KMD1]ike_free_negotiation_qm: Start, nego = 0 [Apr 14 02:31:04 PIC 1/6/0 KMD1]ike_free_negotiation: Start, nego = 0 [Apr 14 02:31:04 PIC 1/6/0 KMD1]ike_free_id_payload: Start, id type = 4 [Apr 14 02:31:04 PIC 1/6/0 KMD1]ike_free_id_payload: Start, id type = 4 [Apr 14 02:31:04 PIC 1/6/0 KMD1]ike_free_id_payload: Start, id type = 4 [Apr 14 02:31:04 PIC 1/6/0 KMD1]ike_free_id_payload: Start, id type = 4 [Apr 14 02:31:59 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f70800 from freelist [Apr 14 02:32:00 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f67000 from freelist [Apr 14 02:32:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection source IP from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121716 [Apr 14 02:32:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection destination IP from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 
1887121716 [Apr 14 02:32:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload Multiple auth supported from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121716 [Apr 14 02:32:00 PIC 1/7/0 KMD1]ikev2_decode_packet: [100f67000/100fc7800] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), CERTREQ, N(MULTIPLE_AUTH_SUPPORTED) [Apr 14 02:32:00 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f71800 from freelist [Apr 14 02:32:00 PIC 1/7/0 KMD1]Added (spi=0xea86ed8, protocol=0) entry to the spi table [Apr 14 02:32:00 PIC 1/7/0 KMD1]iked_pm_ike_conf_request: SA-CFG tunnel-pRBS-cert-TEMP not configured for config payload. Skipping... [Apr 14 02:32:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_request: Sending Initial contact [Apr 14 02:32:00 PIC 1/7/0 KMD1]Construction NHTB payload for local:10.185.49.212, remote:10.185.49.194 IKEv2 P1 SA index 1887121716 sa-cfg tunnel-pRBS-cert-TEMP [Apr 14 02:32:00 PIC 1/7/0 KMD1]Peer router vendor is not Juniper. 
Not sending NHTB payload for sa-cfg tunnel-pRBS-cert-TEMP, p1_sa=1887121716 [Apr 14 02:32:00 PIC 1/7/0 KMD1]ikev2_packet_allocate: Allocated packet 100f6f800 from freelist [Apr 14 02:32:00 PIC 1/7/0 KMD1]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload Authentication failed from local:10.185.49.212 remote:10.185.49.194 IKEv2 for P1 SA 1887121716 [Apr 14 02:32:00 PIC 1/7/0 KMD1]ikev2_decode_packet: [100f6f800/100fc7800] Received packet: HDR, N(AUTHENTICATION_FAILED) [Apr 14 02:32:00 PIC 1/7/0 KMD1]ikev2_state_auth_initiator_in: [100f6f800/100fc7800] Error: IKE_AUTH packet is missing IDr or AUTH payload [Apr 14 02:32:00 PIC 1/7/0 KMD1]ikev2_process_notify: [100f6f800/100fc7800] Received error notify Authentication failed (24) [Apr 14 02:32:00 PIC 1/7/0 KMD1]ikev2_state_error: [100f6f800/100fc7800] Negotiation failed because of error Authentication failed (24) [Apr 14 02:32:00 PIC 1/7/0 KMD1]IKE negotiation fail for local:10.185.49.212, remote:10.185.49.194 IKEv2 with status: Authentication failed [Apr 14 02:32:00 PIC 1/7/0 KMD1]IPSec negotiation failed for SA-CFG tunnel-pRBS-cert-TEMP for local:10.185.49.212, remote:10.185.49.194 IKEv2. status: Authentication failed [Apr 14 02:32:00 PIC 1/7/0 KMD1] P2 ed info: flags 0xc2, P2 error: Error ok [Apr 14 02:32:00 PIC 1/7/0 KMD1]IKE SA delete called for p1 sa 1887121716 (ref cnt 1) local:10.185.49.212, remote:10.185.49.194, IKEv2 [Apr 14 02:32:00 PIC 1/7/0 KMD1]Freeing all P2 SAs for IKEv2 p1 SA 1887121716 [Apr 14 02:32:00 PIC 1/7/0 KMD1]iked_pm_p1_sa_destroy: p1 sa 1887121716 (ref cnt 0), waiting_for_del 0x0 [Apr 14 02:32:00 PIC 1/7/0 KMD1]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s) {primary:node0} ejjnyyo@SRX3400-1> exit