Lab objective: become familiar with the steps for configuring an IPsec VPN
Lab topology:
Configuration steps:
R1:lo0:1.1.1.1/24
lo1:192.168.12.2/24
ser1/1:202.100.12.2
R2:ser1/0:202.100.12.1
ser1/1:202.100.23.1
R3:lo0:3.3.3.3/24
ser1/0:202.100.23.3
Configuration:
R1:
ip route 0.0.0.0 0.0.0.0 Serial1/1
Step 1:
ip access-list extended VPN //define the interesting traffic that goes through the IPsec tunnel
permit ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255 //permit traffic from source 192.168.12.0 to destination 192.168.23.0
Step 2:
ISAKMP policy:
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#?
ISAKMP commands:
authentication Set authentication method for protection suite
default Set a command to its defaults
encryption Set encryption algorithm for protection suite
exit Exit from ISAKMP protection suite configuration mode
group Set the Diffie-Hellman group
hash Set hash algorithm for protection suite
lifetime Set lifetime for ISAKMP security association
no Negate a command or set its defaults
R1(config-isakmp)#au
R1(config-isakmp)#authentication ?
pre-share Pre-Shared Key
rsa-encr Rivest-Shamir-Adleman Encryption
rsa-sig Rivest-Shamir-Adleman Signature
R1(config-isakmp)#authentication pr
R1(config-isakmp)#authentication pre-share ?
R1(config-isakmp)#authentication pre-share //configure the authentication method
R1(config-isakmp)#hash ?
md5 Message Digest 5
sha Secure Hash Standard
R1(config-isakmp)#hash md5 ? //configure the hash algorithm
R1(config-isakmp)#enc
R1(config-isakmp)#encryption ?
3des Three key triple DES
aes AES - Advanced Encryption Standard.
des DES - Data Encryption Standard (56 bit keys).
R1(config-isakmp)#encryption des ?
R1(config-isakmp)#encryption des //configure the encryption algorithm
R1(config-isakmp)#lis
R1(config-isakmp)#lif
R1(config-isakmp)#lifetime ?
<60-86400> lifetime in seconds
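R1(config-isakmp)#lifetime //the default is 86400, i.e. a lifetime of one day
R1(config)#crypto isakmp key 0 cisco address 202.100.23.3 //configure the ISAKMP pre-shared key
This sets the pre-shared key shared with peer 202.100.23.3 to cisco, stored in cleartext. The number after key can take two values: 0 means the key is not encrypted, 6 means it is encrypted.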
R1(config)#crypto isakmp key ?
0 Specifies an UNENCRYPTED password will follow
6 Specifies an ENCRYPTED password will follow
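Step 3:
Configure the IPsec transform set:
R1(config)#crypto ipsec transform-set myset esp-3des esp-md5-hmac //an IPsec transform set specifies the cryptographic parameters used by the IPsec SAs negotiated during IKE phase 2; the parameters include the security and compression protocols, the hash algorithm and the encryption algorithm
//this example defines a transform set named myset that specifies two transforms: ESP encryption using 3DES, and authentication using MD5-HMAC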
R1(cfg-crypto-trans)#mode tunnel
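Step 4:
Configure the crypto map:
R1(config)#crypto map mymap 10 ipsec-isakmp //create the crypto map mymap and configure an entry with sequence number 10
R1(config-crypto-map)#match address VPN //specify the named access list VPN as the crypto ACL
R1(config-crypto-map)#set transform-set myset ? //specify the IPsec transform set myset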
WORD Proposal tag
R1(config-crypto-map)#set transform-set myset
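R1(config-crypto-map)#set peer 202.100.23.3 //specify the peer's IP address, here the address of R3's s1/0 interface
A crypto map ties together the peer address, the transform set and the crypto access list. It specifies which traffic to protect, and how to encrypt traffic sent to the IPsec peer and traffic received from that peer.
Step 5:
Apply the crypto map to the outside interface: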
interface Serial1/1
ip address 202.100.12.2 255.255.255.0
serial restart-delay 0
crypto map mymap
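The configuration built in steps 2 to 4 uses DES, MD5 and, because no group command is entered, the default Diffie-Hellman group 1, and it stores the pre-shared key as type 0. The Python sketch below is an added example, not part of the original lab; it audits such a configuration. The weak-algorithm lists, the function name audit and the hardened sample are assumptions of the example.

```python
import re

# Example policy (an assumption of this sketch, not from the page): treated as weak.
WEAK_ENC, WEAK_HASH, WEAK_DH = {"des", "3des"}, {"md5"}, {"1", "2", "5"}
# Values IOS applies when a policy omits the command ("Default protection suite").
DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}

# Constructed from the commands typed in steps 2 and 3 (sub-mode lines indented).
R1_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption des
crypto isakmp key 0 cisco address 202.100.23.3
crypto ipsec transform-set myset esp-3des esp-md5-hmac
"""

# Constructed counterpart; assumes an IOS release that offers these options.
HARDENED_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 hash sha256
 encryption aes 256
 group 14
crypto isakmp key 6 ENCRYPTED_KEY_PLACEHOLDER address 202.100.23.3
crypto ipsec transform-set myset esp-aes 256 esp-sha256-hmac
"""

def audit(config):
    """Return a list of weak-crypto findings for an IOS crypto configuration."""
    findings, policies, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            current = policies.setdefault(int(m.group(1)), dict(DEFAULTS))
        elif not raw.startswith(" "):
            current = None                      # left the policy sub-mode
        words = line.split()
        if current is not None and len(words) > 1 and words[0] in DEFAULTS:
            current[words[0]] = words[1]        # explicit setting overrides the default
        if m := re.match(r"crypto isakmp key 0 \S+ address (\S+)", line):
            findings.append(f"pre-shared key for {m.group(1)}: stored unencrypted (type 0)")
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            for t in m.group(2).split():
                if re.sub(r"^(esp|ah)-|-hmac$", "", t) in WEAK_ENC | WEAK_HASH:
                    findings.append(f"transform-set {m.group(1)}: {t}")
    for prio, p in sorted(policies.items()):
        for key, weak in (("encryption", WEAK_ENC), ("hash", WEAK_HASH), ("group", WEAK_DH)):
            if p[key] in weak:
                findings.append(f"isakmp policy {prio}: {key} {p[key]}")
    return findings

if __name__ == "__main__":
    print("\n".join("WEAK: " + f for f in audit(R1_CONFIG)))
```

The group 1 finding comes from the default, not from a typed command, which is why the audit seeds every policy with the defaults before reading its lines.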
Verification commands:
R1#show crypto isakmp sa //view the phase 1 SA
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
202.100.12.2 202.100.23.3 QM_IDLE 1002 0 ACTIVE
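IPv6 Crypto ISAKMP SA //QM_IDLE shows that IKE main mode negotiation succeeded and quick mode is idle; if the state is something else (MM_NO_STATE), the negotiation has a problem.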
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
202.100.12.2 202.100.23.3 MM_NO_STATE 1002 0 ACTIVE (deleted)
R1# show crypto ipsec sa //view the phase 2 transform set
interface: Serial1/1
Crypto map tag: mymap, local addr 202.100.12.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.23.0/255.255.255.0/0/0)
current_peer 202.100.23.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 63, #pkts encrypt: 63, #pkts digest: 63
#pkts decaps: 62, #pkts decrypt: 62, #pkts verify: 62
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 202.100.12.2, remote crypto endpt.: 202.100.23.3
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/1
current outbound spi: 0x2FD22A7A(802302586)
inbound esp sas:
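spi: 0xC4CCBD8F(3301752207) //this value should match the outbound SPI on R3; both sides use this value to work out which authentication method and which encryption algorithm are in use.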
transform: esp-3des esp-md5-hmac ,
--More--
*Jun 8 17:12:22.135: ISAKMP:(1003):purging node -482876207
in use settings ={Tunnel, }
conn id: 5, flow_id: 5, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4605658/3556)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2FD22A7A(802302586)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: 6, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4605658/3520)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1#
R1#sho crypto engine connections active //show summary information for the phase 2 SAs
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
5 Se1/1 IPsec 3DES+MD5 0 4 202.100.12.2
6 Se1/1 IPsec 3DES+MD5 4 0 202.100.12.2
1003 Se1/1 IKE MD5+DES 0 0 202.100.12.2
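Tunnel termination:
There are two forms: 1. automatic termination 2. manual termination
Automatic termination is driven by the lifetime shown below, which can be changed in two ways: sa timing: remaining key lifetime (k/sec): (4605658/3520). One is by traffic volume (once the tunnel has received a certain traffic threshold, it automatically changes the shared key on both sides) and the other is by time.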
R1(config)#crypto map mymap 10
R1(config-crypto-map)#set
R1(config-crypto-map)#set se
R1(config-crypto-map)#set security-association ?
idle-time Automatically delete IPSec SAs after a given idle period.
level specify a security association granularity level for identities
lifetime security association lifetime
replay Set replay checking.
R1(config-crypto-map)#set security-association lif
R1(config-crypto-map)#set security-association lifetime ?
kilobytes Volume-based key duration
seconds Time-based key duration
R1(config-crypto-map)#set security-association lifetime
R1#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit //meaning that if no traffic passes for a whole day, the system automatically tears down this tunnel.
Manual termination:
R3#clear crypto isakmp //manually clear phase 1
R3#clear crypto sa ? //manually clear phase 2
Output of debug crypto isakmp on R1 after the manual clear:
*Jun 8 17:22:45.111: ISAKMP (0:1003): received packet from 202.100.23.3 dport 500 sport 500 Global (R) QM_IDLE
*Jun 8 17:22:45.115: ISAKMP: set new node -1433032546 to QM_IDLE
*Jun 8 17:22:45.119: ISAKMP:(1003): processing HASH payload. message ID = -1433032546
*Jun 8 17:22:45.123: ISAKMP:received payload type 18
*Jun 8 17:22:45.123: ISAKMP:(1003): processing DELETE_WITH_REASON payload, message ID = -1433032546, reason: Unknown delete reason!
*Jun 8 17:22:45.127: ISAKMP:(1003):peer does not do paranoid keepalives.
*Jun 8 17:22:45.131: ISAKMP:(1003):deleting SA reason "Death by tree-walk" state (R) QM_IDLE (peer 202.100.23.3)
*Jun 8 17:22:45.135: ISAKMP:(1003):deleting node -1433032546 error FALSE reason "Informational (in) state 1"
*Jun 8 17:22:45.135: ISAKMP: set new node 1529654592 to QM_IDLE
*Jun 8 17:22:45.135: ISAKMP:(1003): sending packet to 202.100.23.3 my_port 500 peer_port 500 (R) QM_IDLE
*Jun 8 17:22:45.135: ISAKMP:(1003):purging node 1529654592
*Jun 8 17:22:45.135: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jun 8 17:22:45.135: ISAKMP:(1003):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Jun 8 17:22:45.135: ISAKMP:(1003):deleting SA reason "Death by tree-walk" state (R) QM_IDLE (peer 202.100.23.3)
*Jun 8 17:22:45.135: ISAKMP: Unlocking peer struct 0x66392FD0 for isadb_mark_sa_deleted(), count 0
*Jun 8 17:22:45.135: ISAKMP:(1003):deleting node -1433032546 error FALSE reason "IKE deleted"
*Jun 8 17:22:45.135: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 8 17:22:45.135: ISAKMP:(1003):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Bring the tunnel back up from R3:
R3#ping 192.168.12.2 source lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.23.3
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 52/84/120 ms
R3#show cry
R3#show crypto is
R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
202.100.12.2 202.100.23.3 QM_IDLE 1004 0 ACTIVE
IPv6 Crypto ISAKMP SA
R1#
*Jun 8 17:24:08.455: ISAKMP (0:0): received packet from 202.100.23.3 dport 500 sport 500 Global (N) NEW SA
*Jun 8 17:24:08.459: ISAKMP: Found a peer struct for 202.100.23.3, peer port 500
*Jun 8 17:24:08.463: ISAKMP: Locking peer struct 0x66392FD0, refcount 1 for crypto_isakmp_process_block
*Jun 8 17:24:08.467: ISAKMP: local port 500, remote port 500
*Jun 8 17:24:08.471: insert sa successfully sa = 65568894
*Jun 8 17:24:08.471: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 8 17:24:08.475: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Jun 8 17:24:08.487: ISAKMP:(0): processing SA payload. message ID = 0
*Jun 8 17:24:08.491: ISAKMP:(0): processing vendor id payload
*Jun 8 17:24:08.491: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jun 8 17:24:08.495: ISAKMP (0:0): vendor ID is NAT-T v7
*Jun 8 17:24:08.495: ISAKMP:(0): processing vendor id payload
*Jun 8 17:24:08.499: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jun 8 17:24:08.499: ISAKMP:(0): vendor ID is NAT-T v3
*Jun 8 17:24:08.503: ISAKMP:(0): processing vendor id payload
*Jun 8 17:24:08.503: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jun 8 17:24:08.503: ISAKMP:(0): vendor ID is NAT-T v2
*Jun 8 17:24:08.503: ISAKMP:(0):found peer pre-shared key matching 202.100.23.3
*Jun 8 17:24:08.503: ISAKMP:(0): local preshared key found
*Jun 8 17:24:08.503: ISAKMP : Scanning profiles for xauth ...
*Jun 8 17:24:08.503: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jun 8 17:24:08.503: ISAKMP: encryption DES-CBC
*Jun 8 17:24:08.503: ISAKMP: hash MD5
*Jun 8 17:24:08.503: ISAKMP: default group 1
*Jun 8 17:24:08.503: ISAKMP: auth pre-share
*Jun 8 17:24:08.503: ISAKMP: life type in seconds
*Jun 8 17:24:08.503: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Jun 8 17:24:08.503: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 8 17:24:08.503: ISAKMP:(0): processing vendor id payload
*Jun 8 17:24:08.503: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jun 8 17:24:08.503: ISAKMP (0:0): vendor ID is NAT-T v7
*Jun 8 17:24:08.503: ISAKMP:(0): processing vendor id payload
*Jun 8 17:24:08.503: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jun 8 17:24:08.503: ISAKMP:(0): vendor ID is NAT-T v3
*Jun 8 17:24:08.503: ISAKMP:(0): processing vendor id payload
*Jun 8 17:24:08.503: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jun 8 17:24:08.503: ISAKMP:(0): vendor ID is NAT-T v2
*Jun 8 17:24:08.503: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 8 17:24:08.503: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Jun 8 17:24:08.515: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jun 8 17:24:08.519: ISAKMP:(0): sending packet to 202.100.23.3 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Jun 8 17:24:08.523: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 8 17:24:08.523: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Jun 8 17:24:08.655: ISAKMP (0:0): received packet from 202.100.23.3 dport 500 sport 500 Global (R) MM_SA_SETUP
*Jun 8 17:24:08.659: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 8 17:24:08.663: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Jun 8 17:24:08.675: ISAKMP:(0): processing KE payload. message ID = 0
*Jun 8 17:24:08.687: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jun 8 17:24:08.695: ISAKMP:(0):found peer pre-shared key matching 202.100.23.3
*Jun 8 17:24:08.703: ISAKMP:(1004): processing vendor id payload
*Jun 8 17:24:08.703: ISAKMP:(1004): vendor ID is Unity
*Jun 8 17:24:08.703: ISAKMP:(1004): processing vendor id payload
*Jun 8 17:24:08.703: ISAKMP:(1004): vendor ID is DPD
*Jun 8 17:24:08.703: ISAKMP:(1004): processing vendor id payload
*Jun 8 17:24:08.703: ISAKMP:(1004): speaking to another IOS box!
*Jun 8 17:24:08.703: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 8 17:24:08.703: ISAKMP:(1004):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Jun 8 17:24:08.703: ISAKMP:(1004): sending packet to 202.100.23.3 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jun 8 17:24:08.703: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 8 17:24:08.703: ISAKMP:(1004):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Jun 8 17:24:08.755: ISAKMP (0:1004): received packet from 202.100.23.3 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jun 8 17:24:08.763: ISAKMP:(1004):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 8 17:24:08.763: ISAKMP:(1004):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Jun 8 17:24:08.767: ISAKMP:(1004): processing ID payload. message ID = 0
*Jun 8 17:24:08.767: ISAKMP (0:1004): ID payload
next-payload : 8
type : 1
address : 202.100.23.3
protocol : 17
port : 500
length : 12
*Jun 8 17:24:08.767: ISAKMP:(0):: peer matches *none* of the profiles
*Jun 8 17:24:08.767: ISAKMP:(1004): processing HASH payload. message ID = 0
*Jun 8 17:24:08.767: ISAKMP:(1004): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 65568894
*Jun 8 17:24:08.767: ISAKMP:(1004):SA authentication status:
authenticated
*Jun 8 17:24:08.767: ISAKMP:(1004):SA has been authenticated with 202.100.23.3
*Jun 8 17:24:08.767: ISAKMP:(1004):SA authentication status:
authenticated
*Jun 8 17:24:08.767: ISAKMP:(1004): Process initial contact,
bring down existing phase 1 and 2 SA's with local 202.100.12.2 remote 202.100.23.3 remote port 500
*Jun 8 17:24:08.767: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 8 17:24:08.767: ISAKMP:(1004):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Jun 8 17:24:08.783: ISAKMP:(1004):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jun 8 17:24:08.783: ISAKMP (0:1004): ID payload
next-payload : 8
type : 1
address : 202.100.12.2
protocol : 17
port : 500
length : 12
*Jun 8 17:24:08.791: ISAKMP:(1004):Total payload length: 12
*Jun 8 17:24:08.795: ISAKMP:(1004): sending packet to 202.100.23.3 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jun 8 17:24:08.799: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 8 17:24:08.803: ISAKMP:(1004):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Jun 8 17:24:08.819: ISAKMP: set new node -527725077 to QM_IDLE
*Jun 8 17:24:08.827: ISAKMP:(1004): sending packet to 202.100.23.3 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jun 8 17:24:08.831: ISAKMP:(1004):purging node -527725077
*Jun 8 17:24:08.831: ISAKMP:(1004):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
*Jun 8 17:24:08.835: ISAKMP:(1004):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jun 8 17:24:08.839: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jun 8 17:24:08.843: ISAKMP:(1004):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jun 8 17:24:09.023: ISAKMP (0:1004): received packet from 202.100.23.3 dport 500 sport 500 Global (R) QM_IDLE
*Jun 8 17:24:09.027: ISAKMP: set new node -1887564288 to QM_IDLE
*Jun 8 17:24:09.031: ISAKMP:(1004): processing HASH payload. message ID = -1887564288
*Jun 8 17:24:09.031: ISAKMP:(1004): processing SA payload. message ID = -1887564288
*Jun 8 17:24:09.031: ISAKMP:(1004):Checking IPSec proposal 1
*Jun 8 17:24:09.031: ISAKMP: transform 1, ESP_3DES
*Jun 8 17:24:09.031: ISAKMP: attributes in transform:
*Jun 8 17:24:09.031: ISAKMP: encaps is 1 (Tunnel)
*Jun 8 17:24:09.031: ISAKMP: SA life type in seconds
*Jun 8 17:24:09.031: ISAKMP: SA life duration (basic) of 3600
*Jun 8 17:24:09.031: ISAKMP: SA life type in kilobytes
*Jun 8 17:24:09.031: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jun 8 17:24:09.031: ISAKMP: authenticator is HMAC-MD5
*Jun 8 17:24:09.031: ISAKMP:(1004):atts are acceptable.
*Jun 8 17:24:09.031: ISAKMP:(1004): processing NONCE payload. message ID = -1887564288
*Jun 8 17:24:09.031: ISAKMP:(1004): processing ID payload. message ID = -1887564288
*Jun 8 17:24:09.031: ISAKMP:(1004): processing ID payload. message ID = -1887564288
*Jun 8 17:24:09.031: ISAKMP:(1004):QM Responder gets spi
*Jun 8 17:24:09.035: ISAKMP:(1004):Node -1887564288, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jun 8 17:24:09.035: ISAKMP:(1004):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Jun 8 17:24:09.055: ISAKMP:(1004): Creating IPSec SAs
*Jun 8 17:24:09.055: inbound SA from 202.100.23.3 to 202.100.12.2 (f/i) 0/ 0
(proxy 192.168.23.0 to 192.168.12.0)
*Jun 8 17:24:09.059: has spi 0xAAD36E3E and conn_id 0
*Jun 8 17:24:09.059: lifetime of 3600 seconds
*Jun 8 17:24:09.063: lifetime of 4608000 kilobytes
*Jun 8 17:24:09.067: outbound SA from 202.100.12.2 to 202.100.23.3 (f/i) 0/0
(proxy 192.168.12.0 to 192.168.23.0)
*Jun 8 17:24:09.067: has spi 0x1DC528BB and conn_id 0
*Jun 8 17:24:09.071: lifetime of 3600 seconds
*Jun 8 17:24:09.071: lifetime of 4608000 kilobytes
*Jun 8 17:24:09.075: ISAKMP:(1004): sending packet to 202.100.23.3 my_port 500 peer_port 500 (R) QM_IDLE
*Jun 8 17:24:09.079: ISAKMP:(1004):Node -1887564288, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Jun 8 17:24:09.079: ISAKMP:(1004):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
*Jun 8 17:24:09.143: ISAKMP (0:1004): received packet from 202.100.23.3 dport 500 sport 500 Global (R) QM_IDLE
*Jun 8 17:24:09.151: ISAKMP:(1004):deleting node -1887564288 error FALSE reason "QM done (await)"
*Jun 8 17:24:09.151: ISAKMP:(1004):Node -1887564288, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jun 8 17:24:09.155: ISAKMP:(1004):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
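An added Python example (not part of the original lab) that reduces the debug crypto isakmp output above to the responder's state transitions, the phase 1 proposal that was checked and any SA deletions, so that a stalled negotiation shows the state it stopped in. The sample lines are excerpted from the output above; the function name summarize and the result keys are hypothetical.

```python
import re

# Lines excerpted from the debug output above (console prompt fragments removed).
DEBUG_LOG = """\
*Jun 8 17:22:45.131: ISAKMP:(1003):deleting SA reason "Death by tree-walk" state (R) QM_IDLE (peer 202.100.23.3)
*Jun 8 17:24:08.475: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Jun 8 17:24:08.503: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jun 8 17:24:08.503: ISAKMP: encryption DES-CBC
*Jun 8 17:24:08.503: ISAKMP: hash MD5
*Jun 8 17:24:08.503: ISAKMP: default group 1
*Jun 8 17:24:08.503: ISAKMP: auth pre-share
*Jun 8 17:24:08.503: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 8 17:24:08.523: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Jun 8 17:24:08.663: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Jun 8 17:24:08.703: ISAKMP:(1004):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Jun 8 17:24:08.763: ISAKMP:(1004):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Jun 8 17:24:08.803: ISAKMP:(1004):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Jun 8 17:24:09.035: ISAKMP:(1004):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Jun 8 17:24:09.079: ISAKMP:(1004):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
*Jun 8 17:24:09.155: ISAKMP:(1004):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
"""

STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")
DELETE = re.compile(r'ISAKMP:\((\d+)\):deleting SA reason "([^"]+)".*\(peer ([^)\s]+)\)')

def summarize(log):
    """Summarize IKE phase 1 / phase 2 progress from 'debug crypto isakmp' text."""
    states, proposal, deleted = [], {}, []
    for line in log.splitlines():
        if m := STATE.search(line):
            old, new = m.groups()
            if old != new:                      # IOS also logs no-op transitions
                states.append(new)
        elif m := ATTR.search(line):
            proposal[m.group(1)] = m.group(2)   # last transform checked wins
        elif m := DELETE.search(line):
            deleted.append(m.groups())          # (conn-id, reason, peer)
    return {
        "phase1_complete": "IKE_P1_COMPLETE" in states,
        "phase2_complete": "IKE_QM_PHASE2_COMPLETE" in states,
        "last_state": states[-1] if states else None,
        "proposal": proposal,
        "deleted": deleted,
    }

if __name__ == "__main__":
    for key, value in summarize(DEBUG_LOG).items():
        print(f"{key}: {value}")
```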