ikev2 - ASA & IOS - part two

In this post I would like to analyze most common mistakes and check how we can troubleshoot them. Please check my previous post to learn more about scenario and the configuration.

http://myitmicroblog.svbtle.com/ikev2-asa-ios-part-one

  1. problem #1

The configuration has been changed and now I try to establish the secure connection.

R18#ping 9.9.9.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R18#

on the ASA and the router I enabled debug command:

asa2# debug crypto ikev2 protocol 127
asa2# IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-3: (6): Getting configured policies
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-3: (6): Setting configured policies
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-3: (6): Computing DH public key
IKEv2-PROTO-3: (6):
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-5: (6): Action: Action_Null
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-2: (6): Sending initial message
IKEv2-PROTO-3:   IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA256   SHA256   DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-5: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-5: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-5: Construct Vendor Specific Payload: FRAGMENTATIONIKEv2-PROTO-3: (6): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:73A24D9F3EE52375 - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: 73A24D9F3EE52375 - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 458
 SA  Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5

 KE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0

     da 9a 09 1c 89 68 ed e3 93 49 3c 3f 61 52 2d 78
     cc 9f 94 6a 09 1b d5 06 e3 5f ce c8 e0 b9 24 aa
     b4 9c dd 5c 1f 11 38 67 e9 50 36 66 c9 9f 3b c3
     cf 1d 66 c8 81 7c db 09 18 23 a2 51 01 ed cf b7
     a0 99 22 63 9c ba cb 95 23 9e 90 8c e2 bd 54 7d
     46 fb cc 18 32 12 96 a1 20 08 b0 83 8a 51 cb b8
     b8 3d c0 ea 2d e1 4c 0e fe c2 ea 1a 43 96 2a 11
     82 27 c8 1a 4e 35 d4 ad b1 9e 5f de 78 bf 35 bc
     f5 9c b8 1c 7b 5e 6f bd de 92 98 d3 a4 1a c9 23
     51 c0 f7 dc df 4a 5b 04 d7 9f 9e 56 78 ee 17 1b
     6b ed ee f0 d6 22 68 64 1b 3d 05 ec 52 05 3d 71
     6e b4 f6 b0 44 3f 33 08 f1 d2 c1 b1 97 65 38 0f
 N  Next payload: VID, reserved: 0x0, length: 24

     aa 82 7f f6 7f 67 7c f4 90 4a af 59 26 7b 65 54
     2a e1 a6 77
 VID  Next payload: VID, reserved: 0x0, length: 23

     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
 VID  Next payload: NOTIFY, reserved: 0x0, length: 59

     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     89 f1 c8 72 bd 5b 57 1e f7 21 d0 81 16 8f 75 25
     5e f6 19 84
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: VID, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     98 9a 8e 2d 5d 13 97 79 4a ac 1d a2 91 f9 72 80
     11 5d a9 c4
 VID  Next payload: NONE, reserved: 0x0, length: 20

     40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3

IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-3: (6): Insert SA
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:73A24D9F3EE52375 - r: 02AD478BFCD634F5]
IKEv2-PROTO-4: IKEV2 HDR ispi: 73A24D9F3EE52375 - rspi: 02AD478BFCD634F5
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x0, length: 572

 SA  Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5

 KE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0

     30 25 63 99 a9 3d de b3 df 3a 7c 88 e8 b0 dd 23
     2c 14 fe 37 da a2 2e 00 c5 e3 bb 64 e4 82 47 6c
     b1 7c 33 cc 3b 8b 46 05 df 58 e3 6d a0 99 f3 29
     f5 6e ef ff 3a ec 2e eb e9 75 18 52 dd 79 51 ff
     9a ba 0c a4 47 a5 36 44 36 8f 70 8d 94 91 d2 eb
     dc a3 de 6f 5e df e1 a4 a0 48 ba d3 5d 90 85 db
     ab 88 ab 96 0a 2c 99 b9 43 a1 1d 66 a5 73 5b 3c
     7e 8c 74 4a cc f3 d4 59 83 25 41 e9 dd a0 48 ba
     55 32 1e 12 66 22 af 63 b2 3c f9 63 f2 cf c2 8a
     33 e3 71 e1 39 aa b1 1c b7 3b 06 27 52 87 00 34
     29 47 a0 19 49 4e 09 59 fa 51 ae 75 e3 15 b2 22
     94 b4 97 09 15 36 2c b2 00 85 6e 61 c1 30 5c fc
 N  Next payload: VID, reserved: 0x0, length: 24

     02 6b 5c bd c3 d3 04 4f d8 59 57 89 25 f5 3f b9
     33 b1 ce da
IKEv2-PROTO-5: Parse Vendor Specific Payload: CISCO-DELETE-REASON VID  Next payload: VID, reserved: 0x0, length: 23

     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: VID, reserved: 0x0, length: 59

     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: NOTIFY, reserved: 0x0, length: 21

     46 4c 45 58 56 50 4e 2d 53 55 50 50 4f 52 54 45
     44
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     6d 8c ef c5 ff 11 6e fb 8b 5b da 12 5e 2f 51 e4
     ef 60 2d 18
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: CERTREQ, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     dc 48 fd 54 b3 53 4a 78 91 32 0b e5 db c8 fb 22
     04 8b 1a 27
 CERTREQ  Next payload: NOTIFY, reserved: 0x0, length: 105
    Cert encoding Hash and URL of PKIX
CertReq data: 100 bytes
IKEv2-PROTO-5: Parse Notify Payload: HTTP_CERT_LOOKUP_SUPPORTED NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: HTTP_CERT_LOOKUP_SUPPORTED

Decrypted packet:Data: 572 bytes
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-5: (6): Processing initial message
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (6): Processing initial message
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-3: (6): Verify SA init message
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-2: (6): Processing initial message
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-3: (6): Process NAT discovery notify
IKEv2-PROTO-5: (6): Processing nat detect src notify
IKEv2-PROTO-5: (6): Remote address matched
IKEv2-PROTO-5: (6): Processing nat detect dst notify
IKEv2-PROTO-5: (6): Local address matched
IKEv2-PROTO-5: (6): No NAT found
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-3: (6): Check NAT discovery
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-3: (6): Computing DH secret key
IKEv2-PROTO-3: (6):
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-5: (6): Action: Action_Null
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-3: (6): Generate skeyid
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-3: (6): Cisco DeleteReason Notify is enabled
IKEv2-PROTO-3: (6): Complete SA init exchange
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (6): Check for EAP exchange
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-3: (6): Generate my authentication data
IKEv2-PROTO-3: (6): Use preshared key for id 8.8.8.2, key len 5
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (6): Get my authentication method
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-3: (6): Check for EAP exchange
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-2: (6): Sending auth message
IKEv2-PROTO-5: Construct Vendor Specific Payload: CISCO-GRANITEIKEv2-PROTO-3:   ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
   AES-CBC   SHA96
IKEv2-PROTO-5: Construct Notify Payload: INITIAL_CONTACTIKEv2-PROTO-5: Construct Notify Payload: ESP_TFC_NO_SUPPORTIKEv2-PROTO-5: Construct Notify Payload: NON_FIRST_FRAGSIKEv2-PROTO-3: (6): Building packet for encryption; contents are:
 VID  Next payload: IDi, reserved: 0x0, length: 20

     71 a2 4c 9f 2d d2 d0 32 76 e7 08 35 2b 14 f2 8f
 IDi  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0

     08 08 08 02
 AUTH  Next payload: SA, reserved: 0x0, length: 40
    Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 32 bytes
 SA  Next payload: TSi, reserved: 0x0, length: 44
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id:

 TSi  Next payload: TSr, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 7.7.7.1, end addr: 7.7.7.1
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 9.9.9.9, end addr: 9.9.9.9
 NOTIFY(INITIAL_CONTACT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
 NOTIFY(ESP_TFC_NO_SUPPORT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
 NOTIFY(NON_FIRST_FRAGS)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS

IKEv2-PROTO-3: (6): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:73A24D9F3EE52375 - r: 02AD478BFCD634F5]
IKEv2-PROTO-4: IKEV2 HDR ispi: 73A24D9F3EE52375 - rspi: 02AD478BFCD634F5
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x1, length: 256
 ENCR  Next payload: VID, reserved: 0x0, length: 228
Encrypted data: 224 bytes

IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:73A24D9F3EE52375 - r: 02AD478BFCD634F5]
IKEv2-PROTO-4: IKEV2 HDR ispi: 73A24D9F3EE52375 - rspi: 02AD478BFCD634F5
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x1, length: 160

REAL Decrypted packet:Data: 80 bytes
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: IDr, reserved: 0x0, length: 20

     03 ad 46 8b ef e1 c7 b2 76 e7 08 35 2b 14 f2 8f
 IDr  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0

     08 08 08 01
 AUTH  Next payload: NOTIFY, reserved: 0x0, length: 40
    Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 32 bytes
IKEv2-PROTO-5: Parse Notify Payload: NO_PROPOSAL_CHOSEN NOTIFY(NO_PROPOSAL_CHOSEN)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: NO_PROPOSAL_CHOSEN

the above message (NO_PROPOSAL_CHOSEN) can lead us to the configuration error.

Now I check the syslog messages on the router:

R17#debug crypto ikev2
IKEv2 default debugging is on
R17#

*Dec 13 18:33:18.843: IKEv2:Received Packet [From 8.8.8.2:500/To 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 73A24D9F3EE52375 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID

*Dec 13 18:33:18.863: IKEv2:(SA ID = 1):Verify SA init message
*Dec 13 18:33:18.867: IKEv2:(SA ID = 1):Insert SA
*Dec 13 18:33:18.871: IKEv2:Searching Policy with fvrf 0, local address 8.8.8.1
*Dec 13 18:33:18.875: IKEv2:Found Policy '10'
*Dec 13 18:33:18.879: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*Dec 13 18:33:18.883: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Dec 13 18:33:18.887: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4'   'Trustpool3'   'Trustpool2'   'Trustpool1'   'Trustpool'
*Dec 13 18:33:18.895: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Dec 13 18:33:18.899: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Dec 13 18:33:18.899: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Dec 13 18:33:18.903: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Dec 13 18:33:18.903: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
*Dec 13 18:33:18.903: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 13 18:33:18.903: IKEv2:(SA ID = 1):Request queued for computation of DH key
*Dec 13 18:33:18.903: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
*Dec 13 18:33:18.995: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 13 18:33:18.9
R17#95: IKEv2:(SA ID = 1):Request queued for computation of DH secret
*Dec 13 18:33:18.999: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Dec 13 18:33:19.003: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Dec 13 18:33:19.003: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Dec 13 18:33:19.003: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
*Dec 13 18:33:19.003: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA256   SHA256   DH_GROUP_1536_MODP/Group 5
*Dec 13 18:33:19.003: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Dec 13 18:33:19.007: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4'   'Trustpool3'   'Trustpool2'   'Trustpool1'   'Trustpool'
*Dec 13 18:33:19.007: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Dec 13 18:33:19.0
R17#07: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED

*Dec 13 18:33:19.007: IKEv2:(SA ID = 1):Sending Packet [To 8.8.8.2:500/From 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 73A24D9F3EE52375 - Responder SPI : 02AD478BFCD634F5 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)

*Dec 13 18:33:19.015: IKEv2:(SA ID = 1):Completed SA init exchange
*Dec 13 18:33:19.019: IKEv2:(SA ID = 1):Starting timer (30 sec) to wait for auth message

*Dec 13 18:33:19.119: IKEv2:(SA ID = 1):Received Packet [From 8.8.8.2:500/To 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 73A24D9F3EE52375 - Responder SPI : 02AD478BFCD634F5 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Dec 13 18:33:19.143: IK
R17#Ev2:(SA ID = 1):Stopping timer to wait for auth message
*Dec 13 18:33:19.143: IKEv2:(SA ID = 1):Checking NAT discovery
*Dec 13 18:33:19.147: IKEv2:(SA ID = 1):NAT not found
*Dec 13 18:33:19.151: IKEv2:(SA ID = 1):Searching policy based on peer's identity '8.8.8.2' of type 'IPv4 address'
*Dec 13 18:33:19.155: IKEv2:found matching IKEv2 profile 'IKEV2-PROFILE'
*Dec 13 18:33:19.155: IKEv2:% Getting preshared key from profile keyring KEYRING
*Dec 13 18:33:19.159: IKEv2:% Matched peer block 'ASA2'
*Dec 13 18:33:19.163: IKEv2:Searching Policy with fvrf 0, local address 8.8.8.1
*Dec 13 18:33:19.163: IKEv2:Found Policy '10'
*Dec 13 18:33:19.171: IKEv2:(SA ID = 1):Verify peer's policy
*Dec 13 18:33:19.171: IKEv2:(SA ID = 1):Peer's policy verified
*Dec 13 18:33:19.175: IKEv2:(SA ID = 1):Get peer's authentication method
*Dec 13 18:33:19.175: IKEv2:(SA ID = 1):Peer's authentication method is 'PSK'
*Dec 13 18:33:19.175: IKEv2:(SA ID = 1):Get peer's preshared key for 8.8.8.2
*Dec 13 1
R17#8:33:19.175: IKEv2:(SA ID = 1):Verify peer's authentication data
*Dec 13 18:33:19.175: IKEv2:(SA ID = 1):Use preshared key for id 8.8.8.2, key len 5
*Dec 13 18:33:19.175: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Dec 13 18:33:19.175: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Dec 13 18:33:19.175: IKEv2:(SA ID = 1):Verification of peer's authenctication data PASSED
*Dec 13 18:33:19.175: IKEv2:(SA ID = 1):Processing INITIAL_CONTACT
*Dec 13 18:33:19.175: IKEv2:(SA ID = 1):Processing IKE_AUTH message
*Dec 13 18:33:19.179: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 2 flags 8177 keysize 256 IDB 0x0
*Dec 13 18:33:19.191: IKEv2:(SA ID = 1):Failed to find a matching policy

*Dec 13 18:33:19.191: IKEv2:(SA ID = 1):Received Policies: ESP: Proposal 1:  AES-CBC-256 SHA96 Don't use ESN
*Dec 13 18:33:19.195:
*Dec 13 18:33:19.195:
*Dec 13 18:33:19.195: IKEv2:(SA ID = 1):Failed to find a matching policy

R17#
*Dec 13 18:33:19.195: IKEv2:(SA ID = 1):Expected Policies:
*Dec 13 18:33:19.195: IKEv2:(SA ID = 1):Failed to find a matching policy

*Dec 13 18:33:19.195: IKEv2:(SA ID = 1):
*Dec 13 18:33:19.195: IKEv2:(SA ID = 1):Sending no proposal chosen notify
*Dec 13 18:33:19.195: IKEv2:(SA ID = 1):Get my authentication method
*Dec 13 18:33:19.195: IKEv2:(SA ID = 1):My authentication method is 'PSK'
*Dec 13 18:33:19.199: IKEv2:(SA ID = 1):Get peer's preshared key for 8.8.8.2
*Dec 13 18:33:19.199: IKEv2:(SA ID = 1):Generate my authentication data
*Dec 13 18:33:19.199: IKEv2:(SA ID = 1):Use preshared key for id 8.8.8.1, key len 5
*Dec 13 18:33:19.199: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Dec 13 18:33:19.199: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Dec 13 18:33:19.199: IKEv2:(SA ID = 1):Get my authentication method
*Dec 13 18:33:19.199: IKEv2:(SA ID = 1):My authentication method is 'PSK'
*Dec 13 18:33:19.203: IKEv2:(S
R17#A ID = 1):Generating IKE_AUTH message
*Dec 13 18:33:19.203: IKEv2:(SA ID = 1):Constructing IDr payload: '8.8.8.1' of type 'IPv4 address'
*Dec 13 18:33:19.203: IKEv2:(SA ID = 1):Building packet for encryption.
Payload contents:
 VID IDr AUTH NOTIFY(NO_PROPOSAL_CHOSEN)

as you see above, there is the same message above.

*Dec 13 18:33:19.207: IKEv2:(SA ID = 1):Sending Packet [To 8.8.8.2:500/From 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 73A24D9F3EE52375 - Responder SPI : 02AD478BFCD634F5 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 ENCR

*Dec 13 18:33:19.211: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Dec 13 18:33:19.211: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Dec 13 18:33:19.215: IKEv2:(SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Dec 13 18:33:19.219: IKEv2:(SA ID = 1):Session with IKE ID PAIR (8.8.8.2, 8.8.8.1) is UP
*Dec 13 18:33:19.223: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Dec 13 18:33:19.231: IKE
R17#v2:(SA ID = 1):Checking for duplicate IKEv2 SA
*Dec 13 18:33:19.231: IKEv2:(SA ID = 1):No duplicate IKEv2 SA found
*Dec 13 18:33:19.235: IKEv2:(SA ID = 1):Starting timer (8 sec) to delete negotiation context

*Dec 13 18:33:19.255: IKEv2:(SA ID = 1):Received Packet [From 8.8.8.2:500/To 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 73A24D9F3EE52375 - Responder SPI : 02AD478BFCD634F5 Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
 DELETE

*Dec 13 18:33:19.267: IKEv2:(SA ID = 1):Building packet for encryption.
Payload contents:
 DELETE

*Dec 13 18:33:19.275: IKEv2:(SA ID = 1):Sending Packet [To 8.8.8.2:500/From 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 73A24D9F3EE52375 - Responder SPI : 02AD478BFCD634F5 Message id: 2
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
 ENCR

*Dec 13 18:33:19.283: IKEv2:(SA ID = 1):Process delete request from peer
*Dec 13 18:33:19.287: IKEv2:(SA ID = 1):Processing DELETE INFO message for IKEv2 SA [ISPI: 0x7
R17#3A24D9F3EE52375 RSPI: 0x02AD478BFCD634F5]
*Dec 13 18:33:19.291: IKEv2:(SA ID = 1):Check for existing active SA
*Dec 13 18:33:19.311: IKEv2:(SA ID = 1):Accounting not started for this session

*Dec 13 18:33:19.311: IKEv2:(SA ID = 1):
*Dec 13 18:33:19.311: IKEv2:(SA ID = 1):Delete all IKE SAs
*Dec 13 18:33:19.315: IKEv2:(SA ID = 1):Deleting SA

*Dec 13 18:33:20.823: IKEv2:Received Packet [From 8.8.8.2:500/To 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 6C2475277EC2B02B - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID

*Dec 13 18:33:20.843: IKEv2:(SA ID = 1):Verify SA init message
*Dec 13 18:33:20.847: IKEv2:(SA ID = 1):Insert SA
*Dec 13 18:33:20.851: IKEv2:Searching Policy with fvrf 0, local address 8.8.8.1
*Dec 13 18:33:20.851: IKEv2:Found Policy '10'
*Dec 13 18:33:20.855: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*Dec 1
R17#3 18:33:20.863: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Dec 13 18:33:20.867: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4'   'Trustpool3'   'Trustpool2'   'Trustpool1'   'Trustpool'
*Dec 13 18:33:20.871: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Dec 13 18:33:20.875: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Dec 13 18:33:20.879: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Dec 13 18:33:20.883: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Dec 13 18:33:20.887: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
*Dec 13 18:33:20.891: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 13 18:33:20.895: IKEv2:(SA ID = 1):Request queued for computation of DH key
*Dec 13 18:33:20.899: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
*Dec 13 18:33:21.019
R17#: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 13 18:33:21.023: IKEv2:(SA ID = 1):Request queued for computation of DH secret
*Dec 13 18:33:21.023: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Dec 13 18:33:21.027: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Dec 13 18:33:21.027: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Dec 13 18:33:21.027: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
*Dec 13 18:33:21.027: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA256   SHA256   DH_GROUP_1536_MODP/Group 5
*Dec 13 18:33:21.031: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Dec 13 18:33:21.035: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4'   'Trustpool3'   'Trustpool2'   'Trustpool1'   'Trustpool'
*Dec 13 18:33:21.035:
R17# IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Dec 13 18:33:21.035: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED

*Dec 13 18:33:21.039: IKEv2:(SA ID = 1):Sending Packet [To 8.8.8.2:500/From 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 6C2475277EC2B02B - Responder SPI : D87E933BD02ADFA0 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)

*Dec 13 18:33:21.039: IKEv2:(SA ID = 1):Completed SA init exchange
*Dec 13 18:33:21.043: IKEv2:(SA ID = 1):Starting timer (30 sec) to wait for auth message

*Dec 13 18:33:21.143: IKEv2:(SA ID = 1):Received Packet [From 8.8.8.2:500/To 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 6C2475277EC2B02B - Responder SPI : D87E933BD02ADFA0 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 VID IDi AUTH SA TSi TSr NOTIFY(INITIA
R17#L_CONTACT) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Dec 13 18:33:21.163: IKEv2:(SA ID = 1):Stopping timer to wait for auth message
*Dec 13 18:33:21.167: IKEv2:(SA ID = 1):Checking NAT discovery
*Dec 13 18:33:21.171: IKEv2:(SA ID = 1):NAT not found
*Dec 13 18:33:21.171: IKEv2:(SA ID = 1):Searching policy based on peer's identity '8.8.8.2' of type 'IPv4 address'
*Dec 13 18:33:21.171: IKEv2:found matching IKEv2 profile 'IKEV2-PROFILE'
*Dec 13 18:33:21.171: IKEv2:% Getting preshared key from profile keyring KEYRING
*Dec 13 18:33:21.175: IKEv2:% Matched peer block 'ASA2'
*Dec 13 18:33:21.175: IKEv2:Searching Policy with fvrf 0, local address 8.8.8.1
*Dec 13 18:33:21.175: IKEv2:Found Policy '10'
*Dec 13 18:33:21.175: IKEv2:(SA ID = 1):Verify peer's policy
*Dec 13 18:33:21.175: IKEv2:(SA ID = 1):Peer's policy verified
*Dec 13 18:33:21.175: IKEv2:(SA ID = 1):Get peer's authentication method
*Dec 13 18:33:21.175: IKEv2:(SA ID = 1):Peer's authentication method is 'PSK
R17#'
*Dec 13 18:33:21.175: IKEv2:(SA ID = 1):Get peer's preshared key for 8.8.8.2
*Dec 13 18:33:21.175: IKEv2:(SA ID = 1):Verify peer's authentication data
*Dec 13 18:33:21.175: IKEv2:(SA ID = 1):Use preshared key for id 8.8.8.2, key len 5
*Dec 13 18:33:21.175: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Dec 13 18:33:21.175: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Dec 13 18:33:21.175: IKEv2:(SA ID = 1):Verification of peer's authenctication data PASSED
*Dec 13 18:33:21.175: IKEv2:(SA ID = 1):Processing INITIAL_CONTACT
*Dec 13 18:33:21.179: IKEv2:(SA ID = 1):Processing IKE_AUTH message
*Dec 13 18:33:21.179: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 2 flags 8177 keysize 256 IDB 0x0
*Dec 13 18:33:21.191: IKEv2:(SA ID = 1):Failed to find a matching policy

*Dec 13 18:33:21.195: IKEv2:(SA ID = 1):Received Policies: ESP: Proposal 1:  AES-CBC-256 SHA96 Don't use ESN
*Dec 13 18:33:21.195:
*Dec 13
R17#18:33:21.195:
*Dec 13 18:33:21.195: IKEv2:(SA ID = 1):Failed to find a matching policy

*Dec 13 18:33:21.195: IKEv2:(SA ID = 1):Expected Policies:
*Dec 13 18:33:21.195: IKEv2:(SA ID = 1):Failed to find a matching policy

as we can see in the above messages, there are not the same ipsec policies on these devices.

R17#sh run | i crypto ipsec transform-set
crypto ipsec transform-set TS esp-aes esp-sha256-hmac
R17#

and on the ASA we have:

asa2# sh run crypto
crypto ipsec ikev2 ipsec-proposal IPSEC-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-1

Let’s fix it on the router:

R17(config)#crypto ipsec transform-set TS esp-sha-hmac esp-aes 256

and test it once again:

R18#ping 9.9.9.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 68/86/112 ms
R18#
  1. problem #2

In the second case there is another problem which I tried to identify from debug outputs.

R18#ping 9.9.9.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R18#

As you see above the ping is unsuccessful. Let’s look on these outputs.

ASA2:

asa2# debug crypto ikev2 protocol 127
asa2# IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-3: (12): Getting configured policies
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-3: (12): Setting configured policies
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-3: (12): Computing DH public key
IKEv2-PROTO-3: (12):
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-5: (12): Action: Action_Null
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-2: (12): Sending initial message
IKEv2-PROTO-3:   IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA256   SHA256   DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-5: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-5: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-5: Construct Vendor Specific Payload: FRAGMENTATIONIKEv2-PROTO-3: (12): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:DBEC9B46CEB86DE1 - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: DBEC9B46CEB86DE1 - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 458
 SA  Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5

 KE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0

     a0 38 c9 d0 f1 1b 26 e1 1f fc 27 ea 7d bc e6 47
     1d 30 9d ef fe 27 d4 2d 25 81 7b 70 f0 c5 b8 e8
     ba 6c 00 8b c5 08 bf 0f 99 42 7d 65 bf 9a 56 42
     3f 2b ba fd 53 e0 0a 09 e7 6f 3e d4 b4 be 52 60
     f6 a2 f2 d1 7c 9d 0a 05 75 e7 83 61 08 5f 6d a0
     11 36 14 fc 09 f5 9e 63 40 43 99 3f bf 9b 7e b1
     34 64 b9 40 ca 5b 7e 0d 50 af c6 94 8d d7 6c 0d
     32 f6 f9 01 c2 c7 73 46 53 ba d0 d7 10 5f 7a 56
     cf 03 23 65 5d ae b6 14 d3 8d ba 56 6e 2a 09 84
     e9 66 7f 03 40 72 5c 93 75 a8 87 a1 f7 2a da ce
     29 ef 04 49 6f 48 a8 e9 6f 67 5e f8 41 1c 53 98
     b5 98 0d 33 44 ca b3 7e f7 b9 81 9d 2f e6 84 b2
 N  Next payload: VID, reserved: 0x0, length: 24

     0e 72 b1 6e 8c 09 36 79 27 12 9a fa 41 d5 11 3c
     06 09 e7 31
 VID  Next payload: VID, reserved: 0x0, length: 23

     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
 VID  Next payload: NOTIFY, reserved: 0x0, length: 59

     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     ba e6 11 75 42 1f a4 97 55 74 5f b5 0d e2 c0 23
     17 31 5d b2
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: VID, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     05 a5 df 15 80 46 5e cb 2f 1f 8d fd ff f9 86 51
     9f 18 1e a3
 VID  Next payload: NONE, reserved: 0x0, length: 20

     40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3

IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-3: (12): Insert SA
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:DBEC9B46CEB86DE1 - r: D73F5C9F9113FDA8]
IKEv2-PROTO-4: IKEV2 HDR ispi: DBEC9B46CEB86DE1 - rspi: D73F5C9F9113FDA8
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x0, length: 572

 SA  Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5

 KE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0

     30 25 63 99 a9 3d de b3 df 3a 7c 88 e8 b0 dd 23
     2c 14 fe 37 da a2 2e 00 c5 e3 bb 64 e4 82 47 6c
     b1 7c 33 cc 3b 8b 46 05 df 58 e3 6d a0 99 f3 29
     f5 6e ef ff 3a ec 2e eb e9 75 18 52 dd 79 51 ff
     9a ba 0c a4 47 a5 36 44 36 8f 70 8d 94 91 d2 eb
     dc a3 de 6f 5e df e1 a4 a0 48 ba d3 5d 90 85 db
     ab 88 ab 96 0a 2c 99 b9 43 a1 1d 66 a5 73 5b 3c
     7e 8c 74 4a cc f3 d4 59 83 25 41 e9 dd a0 48 ba
     55 32 1e 12 66 22 af 63 b2 3c f9 63 f2 cf c2 8a
     33 e3 71 e1 39 aa b1 1c b7 3b 06 27 52 87 00 34
     29 47 a0 19 49 4e 09 59 fa 51 ae 75 e3 15 b2 22
     94 b4 97 09 15 36 2c b2 00 85 6e 61 c1 30 5c fc
 N  Next payload: VID, reserved: 0x0, length: 24

     cf d7 00 09 da 2c e2 78 58 17 c8 a6 b4 18 a9 19
     ec ec 44 9f
IKEv2-PROTO-5: Parse Vendor Specific Payload: CISCO-DELETE-REASON VID  Next payload: VID, reserved: 0x0, length: 23

     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: VID, reserved: 0x0, length: 59

     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: NOTIFY, reserved: 0x0, length: 21

     46 4c 45 58 56 50 4e 2d 53 55 50 50 4f 52 54 45
     44
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     a6 7c 95 7a 6b d2 6e c5 7c a7 f0 e0 76 41 a8 44
     42 db 0b 21
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: CERTREQ, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     7d 88 64 3a 94 72 99 54 bf 43 fd 36 30 da 41 a7
     88 04 ba cd
 CERTREQ  Next payload: NOTIFY, reserved: 0x0, length: 105
    Cert encoding Hash and URL of PKIX
CertReq data: 100 bytes
IKEv2-PROTO-5: Parse Notify Payload: HTTP_CERT_LOOKUP_SUPPORTED NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: HTTP_CERT_LOOKUP_SUPPORTED

Decrypted packet:Data: 572 bytes
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-5: (12): Processing initial message
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (12): Processing initial message
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-3: (12): Verify SA init message
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-2: (12): Processing initial message
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-3: (12): Process NAT discovery notify
IKEv2-PROTO-5: (12): Processing nat detect src notify
IKEv2-PROTO-5: (12): Remote address matched
IKEv2-PROTO-5: (12): Processing nat detect dst notify
IKEv2-PROTO-5: (12): Local address matched
IKEv2-PROTO-5: (12): No NAT found
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-3: (12): Check NAT discovery
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-3: (12): Computing DH secret key
IKEv2-PROTO-3: (12):
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-5: (12): Action: Action_Null
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-3: (12): Generate skeyid
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-3: (12): Cisco DeleteReason Notify is enabled
IKEv2-PROTO-3: (12): Complete SA init exchange
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (12): Check for EAP exchange
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-3: (12): Generate my authentication data
IKEv2-PROTO-3: (12): Use preshared key for id 8.8.8.2, key len 5
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (12): Get my authentication method
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-3: (12): Check for EAP exchange
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-2: (12): Sending auth message
IKEv2-PROTO-5: Construct Vendor Specific Payload: CISCO-GRANITEIKEv2-PROTO-3:   ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
   AES-CBC   SHA96
IKEv2-PROTO-5: Construct Notify Payload: INITIAL_CONTACTIKEv2-PROTO-5: Construct Notify Payload: ESP_TFC_NO_SUPPORTIKEv2-PROTO-5: Construct Notify Payload: NON_FIRST_FRAGSIKEv2-PROTO-3: (12): Building packet for encryption; contents are:
 VID  Next payload: IDi, reserved: 0x0, length: 20

     d9 ec 9a 46 dd 8f 9e a6 fd 89 23 cf 52 1c c0 80
 IDi  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0

     08 08 08 02
 AUTH  Next payload: SA, reserved: 0x0, length: 40
    Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 32 bytes
 SA  Next payload: TSi, reserved: 0x0, length: 44
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id:

 TSi  Next payload: TSr, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 7.7.7.1, end addr: 7.7.7.1
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 9.9.9.9, end addr: 9.9.9.9
 NOTIFY(INITIAL_CONTACT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
 NOTIFY(ESP_TFC_NO_SUPPORT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
 NOTIFY(NON_FIRST_FRAGS)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS

IKEv2-PROTO-3: (12): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:DBEC9B46CEB86DE1 - r: D73F5C9F9113FDA8]
IKEv2-PROTO-4: IKEV2 HDR ispi: DBEC9B46CEB86DE1 - rspi: D73F5C9F9113FDA8
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x1, length: 256
 ENCR  Next payload: VID, reserved: 0x0, length: 228
Encrypted data: 224 bytes

IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:DBEC9B46CEB86DE1 - r: D73F5C9F9113FDA8]
IKEv2-PROTO-4: IKEV2 HDR ispi: DBEC9B46CEB86DE1 - rspi: D73F5C9F9113FDA8
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x1, length: 160

REAL Decrypted packet:Data: 80 bytes
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: IDr, reserved: 0x0, length: 20

     d6 3f 5d 9f 82 24 0e ef fd 89 23 cf 52 1c c0 80
 IDr  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0

     08 08 08 01
 AUTH  Next payload: NOTIFY, reserved: 0x0, length: 40
    Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 32 bytes
IKEv2-PROTO-5: Parse Notify Payload: TS_UNACCEPTABLE NOTIFY(TS_UNACCEPTABLE)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: TS_UNACCEPTABLE

Decrypted packet:Data: 160 bytes
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-5: (12): Action: Action_Null
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (12): Process auth response notify
IKEv2-PROTO-1: (12):
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-3: (12): Getting configured policies
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-3: (12): Verify peer's policy
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (12): Get peer authentication method
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-3: (12): Get peer's preshared key for 8.8.8.1
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-3: (12): Verify authentication data
IKEv2-PROTO-3: (12): Use preshared key for id 8.8.8.1, key len 5
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (12): Check for EAP exchange
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-5: (12): Action: Action_Null
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE
IKEv2-PROTO-3: (12): Closing the PKI session
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-2: (12): SA created; inserting SA into database
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PROTO-3: (12):
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PROTO-3: (12): Initializing DPD, configured for 10 seconds
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-3: (12): Checking for duplicate SA
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: READY Event: EV_I_UPDATE_CAC_STATS
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: READY Event: EV_DEL_SA
IKEv2-PROTO-3: (12): Queuing IKE SA delete request reason: unknown
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: READY Event: EV_FREE_NEG
IKEv2-PROTO-5: (12): Deleting negotiation context for my message ID: 0x1
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: READY Event: EV_DELETE
IKEv2-PROTO-5: (12): Action: Action_Null
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: DELETE Event: EV_DELETE
IKEv2-PROTO-5: (12): Action: Action_Null
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SND_SA_DEL
IKEv2-PROTO-2: (12): Sending DEL info message
IKEv2-PROTO-3: (12): Building packet for encryption; contents are:
 DELETE  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, num of spi: 0

IKEv2-PROTO-3: (12): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x2
IKEv2-PROTO-3: HDR[i:DBEC9B46CEB86DE1 - r: D73F5C9F9113FDA8]
IKEv2-PROTO-4: IKEV2 HDR ispi: DBEC9B46CEB86DE1 - rspi: D73F5C9F9113FDA8
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: INFORMATIONAL, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x2, length: 80
 ENCR  Next payload: DELETE, reserved: 0x0, length: 52
Encrypted data: 48 bytes

IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_CHK4_ACTIVE_SA
IKEv2-PROTO-3: (12): Check for existing active SA
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_STOP_ACCT
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_TERM_CONN
IKEv2-PROTO-3: (12): Delete all IKE SAs
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_NO_EVENT
IKEv2-PROTO-5: Process delete IPSec API
IKEv2-PROTO-5: ipsec delete
IKEv2-PROTO-3: Rx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x2
IKEv2-PROTO-3: HDR[i:DBEC9B46CEB86DE1 - r: D73F5C9F9113FDA8]
IKEv2-PROTO-4: IKEV2 HDR ispi: DBEC9B46CEB86DE1 - rspi: D73F5C9F9113FDA8
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x2, length: 80

REAL Decrypted packet:Data: 8 bytes
 DELETE  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, num of spi: 0

Decrypted packet:Data: 80 bytes
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-2: (12): Processing ACK to informational exchange
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000002 CurState: DELETE Event: EV_RECV_DEL_ACK
IKEv2-PROTO-5: (12): Action: Action_Null
IKEv2-PROTO-5: (12): SM Trace-> SA: I_SPI=DBEC9B46CEB86DE1 R_SPI=D73F5C9F9113FDA8 (I) MsgID = 00000002 CurState: DELETE Event: EV_FREE_SA
IKEv2-PROTO-3: (12): Deleting SA
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-3: (13): Getting configured policies
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-3: (13): Setting configured policies
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-3: (13): Computing DH public key
IKEv2-PROTO-3: (13):
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-5: (13): Action: Action_Null
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-2: (13): Sending initial message
IKEv2-PROTO-3:   IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA256   SHA256   DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-5: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-5: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-5: Construct Vendor Specific Payload: FRAGMENTATIONIKEv2-PROTO-3: (13): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:5533B0B3BE2AECD6 - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: 5533B0B3BE2AECD6 - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 458
 SA  Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5

 KE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0

     03 e1 4a a4 9f 29 0a 2a 8c e3 b2 de 89 66 cc 9c
     0c 96 1d a0 14 61 6f cf b5 fa 4e 2c 9c 34 78 2d
     21 7e 0f 3c 47 3e 80 96 51 70 fa 6e 90 ee dd fc
     d2 09 dd dc 3a e0 95 f6 e1 a4 3b 33 f7 e0 73 7b
     21 84 46 5f 55 06 ff ae 35 69 b8 24 c3 d9 6e 0a
     01 f5 85 b5 85 7e 41 08 af 89 11 1c 22 53 cf b5
     43 64 19 7e ea 2f 1c 60 79 cc 5d c4 78 7a a7 8c
     c5 0c 51 7e ce dd f5 c2 aa f4 b2 c0 a5 aa 78 b0
     1f d7 b1 25 bf a6 18 bb 7f 7b d5 f8 4f 1e b8 44
     12 a1 da 6a 9c f4 4f ac 03 b0 96 97 3a e9 d1 81
     4f 26 e9 27 18 18 1d 24 5f cb 56 83 5b d5 ff 8b
     8a 88 f5 f1 22 1d 16 55 66 cf fe 28 54 58 9e 4e
 N  Next payload: VID, reserved: 0x0, length: 24

     b8 58 63 8f 7a 5c 57 5d 81 68 62 12 02 78 1c 55
     76 20 f2 49
 VID  Next payload: VID, reserved: 0x0, length: 23

     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
 VID  Next payload: NOTIFY, reserved: 0x0, length: 59

     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     9a 6c 1a d2 fb eb bf 6a bb bd f3 5a 75 e9 bf 80
     21 b5 4a ec
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: VID, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     09 d2 34 5a 16 71 50 75 29 93 07 55 ed e9 37 85
     b3 86 8d 9c
 VID  Next payload: NONE, reserved: 0x0, length: 20

     40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3

IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-3: (13): Insert SA
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:5533B0B3BE2AECD6 - r: E1D42E5805CEDA73]
IKEv2-PROTO-4: IKEV2 HDR ispi: 5533B0B3BE2AECD6 - rspi: E1D42E5805CEDA73
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x0, length: 572

 SA  Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5

 KE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0

     30 25 63 99 a9 3d de b3 df 3a 7c 88 e8 b0 dd 23
     2c 14 fe 37 da a2 2e 00 c5 e3 bb 64 e4 82 47 6c
     b1 7c 33 cc 3b 8b 46 05 df 58 e3 6d a0 99 f3 29
     f5 6e ef ff 3a ec 2e eb e9 75 18 52 dd 79 51 ff
     9a ba 0c a4 47 a5 36 44 36 8f 70 8d 94 91 d2 eb
     dc a3 de 6f 5e df e1 a4 a0 48 ba d3 5d 90 85 db
     ab 88 ab 96 0a 2c 99 b9 43 a1 1d 66 a5 73 5b 3c
     7e 8c 74 4a cc f3 d4 59 83 25 41 e9 dd a0 48 ba
     55 32 1e 12 66 22 af 63 b2 3c f9 63 f2 cf c2 8a
     33 e3 71 e1 39 aa b1 1c b7 3b 06 27 52 87 00 34
     29 47 a0 19 49 4e 09 59 fa 51 ae 75 e3 15 b2 22
     94 b4 97 09 15 36 2c b2 00 85 6e 61 c1 30 5c fc
 N  Next payload: VID, reserved: 0x0, length: 24

     a9 ed bf 11 48 5e 56 1b 31 94 c4 aa 5c a5 37 59
     77 dd 40 d5
IKEv2-PROTO-5: Parse Vendor Specific Payload: CISCO-DELETE-REASON VID  Next payload: VID, reserved: 0x0, length: 23

     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: VID, reserved: 0x0, length: 59

     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: NOTIFY, reserved: 0x0, length: 21

     46 4c 45 58 56 50 4e 2d 53 55 50 50 4f 52 54 45
     44
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     b5 26 de ac b6 79 0b 11 11 32 55 7a 11 20 21 cb
     02 ec d0 f4
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: CERTREQ, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     81 5e d8 34 ee 89 de 50 49 b5 f3 e4 68 a6 95 eb
     11 df d7 a0
 CERTREQ  Next payload: NOTIFY, reserved: 0x0, length: 105
    Cert encoding Hash and URL of PKIX
CertReq data: 100 bytes
IKEv2-PROTO-5: Parse Notify Payload: HTTP_CERT_LOOKUP_SUPPORTED NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: HTTP_CERT_LOOKUP_SUPPORTED

Decrypted packet:Data: 572 bytes
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-5: (13): Processing initial message
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (13): Processing initial message
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-3: (13): Verify SA init message
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-2: (13): Processing initial message
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-3: (13): Process NAT discovery notify
IKEv2-PROTO-5: (13): Processing nat detect src notify
IKEv2-PROTO-5: (13): Remote address matched
IKEv2-PROTO-5: (13): Processing nat detect dst notify
IKEv2-PROTO-5: (13): Local address matched
IKEv2-PROTO-5: (13): No NAT found
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-3: (13): Check NAT discovery
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-3: (13): Computing DH secret key
IKEv2-PROTO-3: (13):
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-5: (13): Action: Action_Null
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-3: (13): Generate skeyid
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-3: (13): Cisco DeleteReason Notify is enabled
IKEv2-PROTO-3: (13): Complete SA init exchange
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (13): Check for EAP exchange
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-3: (13): Generate my authentication data
IKEv2-PROTO-3: (13): Use preshared key for id 8.8.8.2, key len 5
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (13): Get my authentication method
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-3: (13): Check for EAP exchange
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-2: (13): Sending auth message
IKEv2-PROTO-5: Construct Vendor Specific Payload: CISCO-GRANITEIKEv2-PROTO-3:   ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
   AES-CBC   SHA96
IKEv2-PROTO-5: Construct Notify Payload: INITIAL_CONTACTIKEv2-PROTO-5: Construct Notify Payload: ESP_TFC_NO_SUPPORTIKEv2-PROTO-5: Construct Notify Payload: NON_FIRST_FRAGSIKEv2-PROTO-3: (13): Building packet for encryption; contents are:
 VID  Next payload: IDi, reserved: 0x0, length: 20

     57 33 b1 b3 ad 1d 1f 91 75 fa 1a 7b 72 45 76 0a
 IDi  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0

     08 08 08 02
 AUTH  Next payload: SA, reserved: 0x0, length: 40
    Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 32 bytes
 SA  Next payload: TSi, reserved: 0x0, length: 44
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id:

 TSi  Next payload: TSr, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 7.7.7.1, end addr: 7.7.7.1
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 9.9.9.9, end addr: 9.9.9.9
 NOTIFY(INITIAL_CONTACT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
 NOTIFY(ESP_TFC_NO_SUPPORT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
 NOTIFY(NON_FIRST_FRAGS)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS

IKEv2-PROTO-3: (13): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:5533B0B3BE2AECD6 - r: E1D42E5805CEDA73]
IKEv2-PROTO-4: IKEV2 HDR ispi: 5533B0B3BE2AECD6 - rspi: E1D42E5805CEDA73
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x1, length: 256
 ENCR  Next payload: VID, reserved: 0x0, length: 228
Encrypted data: 224 bytes

IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:5533B0B3BE2AECD6 - r: E1D42E5805CEDA73]
IKEv2-PROTO-4: IKEV2 HDR ispi: 5533B0B3BE2AECD6 - rspi: E1D42E5805CEDA73
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x1, length: 160

REAL Decrypted packet:Data: 80 bytes
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: IDr, reserved: 0x0, length: 20

     e0 d4 2f 58 16 f9 29 34 75 fa 1a 7b 72 45 76 0a
 IDr  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0

     08 08 08 01
 AUTH  Next payload: NOTIFY, reserved: 0x0, length: 40
    Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 32 bytes
IKEv2-PROTO-5: Parse Notify Payload: TS_UNACCEPTABLE NOTIFY(TS_UNACCEPTABLE)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: TS_UNACCEPTABLE

Decrypted packet:Data: 160 bytes
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-5: (13): Action: Action_Null
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (13): Process auth response notify
IKEv2-PROTO-1: (13):
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-3: (13): Getting configured policies
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-3: (13): Verify peer's policy
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (13): Get peer authentication method
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-3: (13): Get peer's preshared key for 8.8.8.1
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-3: (13): Verify authentication data
IKEv2-PROTO-3: (13): Use preshared key for id 8.8.8.1, key len 5
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (13): Check for EAP exchange
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-5: (13): Action: Action_Null
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE
IKEv2-PROTO-3: (13): Closing the PKI session
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-2: (13): SA created; inserting SA into database
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PROTO-3: (13):
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PROTO-3: (13): Initializing DPD, configured for 10 seconds
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-3: (13): Checking for duplicate SA
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: READY Event: EV_I_UPDATE_CAC_STATS
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: READY Event: EV_DEL_SA
IKEv2-PROTO-3: (13): Queuing IKE SA delete request reason: unknown
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: READY Event: EV_FREE_NEG
IKEv2-PROTO-5: (13): Deleting negotiation context for my message ID: 0x1
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: READY Event: EV_DELETE
IKEv2-PROTO-5: (13): Action: Action_Null
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: DELETE Event: EV_DELETE
IKEv2-PROTO-5: (13): Action: Action_Null
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SND_SA_DEL
IKEv2-PROTO-2: (13): Sending DEL info message
IKEv2-PROTO-3: (13): Building packet for encryption; contents are:
 DELETE  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, num of spi: 0

IKEv2-PROTO-3: (13): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x2
IKEv2-PROTO-3: HDR[i:5533B0B3BE2AECD6 - r: E1D42E5805CEDA73]
IKEv2-PROTO-4: IKEV2 HDR ispi: 5533B0B3BE2AECD6 - rspi: E1D42E5805CEDA73
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: INFORMATIONAL, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x2, length: 80
 ENCR  Next payload: DELETE, reserved: 0x0, length: 52
Encrypted data: 48 bytes

IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_CHK4_ACTIVE_SA
IKEv2-PROTO-3: (13): Check for existing active SA
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_STOP_ACCT
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_TERM_CONN
IKEv2-PROTO-3: (13): Delete all IKE SAs
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_NO_EVENT
IKEv2-PROTO-5: Process delete IPSec API
IKEv2-PROTO-5: ipsec delete
IKEv2-PROTO-3: Rx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x2
IKEv2-PROTO-3: HDR[i:5533B0B3BE2AECD6 - r: E1D42E5805CEDA73]
IKEv2-PROTO-4: IKEV2 HDR ispi: 5533B0B3BE2AECD6 - rspi: E1D42E5805CEDA73
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x2, length: 80

REAL Decrypted packet:Data: 8 bytes
 DELETE  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, num of spi: 0

Decrypted packet:Data: 80 bytes
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-2: (13): Processing ACK to informational exchange
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000002 CurState: DELETE Event: EV_RECV_DEL_ACK
IKEv2-PROTO-5: (13): Action: Action_Null
IKEv2-PROTO-5: (13): SM Trace-> SA: I_SPI=5533B0B3BE2AECD6 R_SPI=E1D42E5805CEDA73 (I) MsgID = 00000002 CurState: DELETE Event: EV_FREE_SA
IKEv2-PROTO-3: (13): Deleting SA
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-3: (14): Getting configured policies
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-3: (14): Setting configured policies
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-3: (14): Computing DH public key
IKEv2-PROTO-3: (14):
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-5: (14): Action: Action_Null
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-2: (14): Sending initial message
IKEv2-PROTO-3:   IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA256   SHA256   DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-5: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-5: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-5: Construct Vendor Specific Payload: FRAGMENTATIONIKEv2-PROTO-3: (14): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:FE502BC262A4FC1F - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: FE502BC262A4FC1F - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 458
 SA  Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5

 KE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0

     12 cc e6 83 b4 16 e7 f2 05 4e ae 97 35 66 65 52
     14 de 3e df 55 9e e0 1c d2 d4 c7 da 80 4b aa c7
     64 f0 29 00 12 5d e0 2a a1 42 63 d9 45 89 fe 51
     4a 90 d9 dd 09 55 d0 4d d3 04 54 2e a8 75 9b 91
     d0 df f2 e6 a7 df af bc fa 37 ba 6d 18 91 10 39
     1d eb 70 04 c0 af 1d 5f 58 e6 6a d9 10 34 74 85
     d9 a8 b0 be fd 75 2c 81 b6 6a bc 43 44 01 d9 1c
     0e a7 67 b6 0f e2 63 e8 61 2f 49 28 3a 07 93 c7
     23 c0 8e 86 0a ec b2 22 a4 06 28 2f 5e b8 d7 53
     4c 6c ef 30 eb a2 b4 db 61 ae c3 83 10 85 b3 79
     a4 7c 98 cc 6f 76 13 7b 08 a6 6b 0c 18 5c 20 37
     28 14 33 71 90 87 9c 15 90 ff d8 6c 0f 7f 9e 3c
 N  Next payload: VID, reserved: 0x0, length: 24

     15 92 f7 c6 15 a4 e3 c6 f6 37 bd ae 08 1f df 44
     f0 d5 73 06
 VID  Next payload: VID, reserved: 0x0, length: 23

     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
 VID  Next payload: NOTIFY, reserved: 0x0, length: 59

     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     76 d6 38 e3 55 dc 0d 7c d8 3a cd 47 50 84 9d 03
     87 fb a3 33
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: VID, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     ce 0a f7 18 87 f3 80 2f cb ba 10 7a c7 c5 d8 c5
     b8 bb 47 03
 VID  Next payload: NONE, reserved: 0x0, length: 20

     40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3

IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-3: (14): Insert SA
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:FE502BC262A4FC1F - r: 4EC80F17BA5C693F]
IKEv2-PROTO-4: IKEV2 HDR ispi: FE502BC262A4FC1F - rspi: 4EC80F17BA5C693F
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x0, length: 572

 SA  Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5

 KE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0

     30 25 63 99 a9 3d de b3 df 3a 7c 88 e8 b0 dd 23
     2c 14 fe 37 da a2 2e 00 c5 e3 bb 64 e4 82 47 6c
     b1 7c 33 cc 3b 8b 46 05 df 58 e3 6d a0 99 f3 29
     f5 6e ef ff 3a ec 2e eb e9 75 18 52 dd 79 51 ff
     9a ba 0c a4 47 a5 36 44 36 8f 70 8d 94 91 d2 eb
     dc a3 de 6f 5e df e1 a4 a0 48 ba d3 5d 90 85 db
     ab 88 ab 96 0a 2c 99 b9 43 a1 1d 66 a5 73 5b 3c
     7e 8c 74 4a cc f3 d4 59 83 25 41 e9 dd a0 48 ba
     55 32 1e 12 66 22 af 63 b2 3c f9 63 f2 cf c2 8a
     33 e3 71 e1 39 aa b1 1c b7 3b 06 27 52 87 00 34
     29 47 a0 19 49 4e 09 59 fa 51 ae 75 e3 15 b2 22
     94 b4 97 09 15 36 2c b2 00 85 6e 61 c1 30 5c fc
 N  Next payload: VID, reserved: 0x0, length: 24

     9b 08 99 62 13 d5 b0 3b f4 d8 b5 5d e4 d6 51 74
     63 cf 57 df
IKEv2-PROTO-5: Parse Vendor Specific Payload: CISCO-DELETE-REASON VID  Next payload: VID, reserved: 0x0, length: 23

     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: VID, reserved: 0x0, length: 59

     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: NOTIFY, reserved: 0x0, length: 21

     46 4c 45 58 56 50 4e 2d 53 55 50 50 4f 52 54 45
     44
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     bf 58 8f 90 a8 44 7e b7 25 e8 5d a0 6b ba d6 00
     33 64 6d 92
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: CERTREQ, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     3a 1a a0 d8 6a ac e1 1f 9d b6 45 2a b7 8b 30 f3
     9d be 8c c2
 CERTREQ  Next payload: NOTIFY, reserved: 0x0, length: 105
    Cert encoding Hash and URL of PKIX
CertReq data: 100 bytes
IKEv2-PROTO-5: Parse Notify Payload: HTTP_CERT_LOOKUP_SUPPORTED NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: HTTP_CERT_LOOKUP_SUPPORTED

Decrypted packet:Data: 572 bytes
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-5: (14): Processing initial message
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (14): Processing initial message
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-3: (14): Verify SA init message
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-2: (14): Processing initial message
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-3: (14): Process NAT discovery notify
IKEv2-PROTO-5: (14): Processing nat detect src notify
IKEv2-PROTO-5: (14): Remote address matched
IKEv2-PROTO-5: (14): Processing nat detect dst notify
IKEv2-PROTO-5: (14): Local address matched
IKEv2-PROTO-5: (14): No NAT found
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-3: (14): Check NAT discovery
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-3: (14): Computing DH secret key
IKEv2-PROTO-3: (14):
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-5: (14): Action: Action_Null
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-3: (14): Generate skeyid
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-3: (14): Cisco DeleteReason Notify is enabled
IKEv2-PROTO-3: (14): Complete SA init exchange
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (14): Check for EAP exchange
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-3: (14): Generate my authentication data
IKEv2-PROTO-3: (14): Use preshared key for id 8.8.8.2, key len 5
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (14): Get my authentication method
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-3: (14): Check for EAP exchange
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-2: (14): Sending auth message
IKEv2-PROTO-5: Construct Vendor Specific Payload: CISCO-GRANITEIKEv2-PROTO-3:   ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
   AES-CBC   SHA96
IKEv2-PROTO-5: Construct Notify Payload: INITIAL_CONTACTIKEv2-PROTO-5: Construct Notify Payload: ESP_TFC_NO_SUPPORTIKEv2-PROTO-5: Construct Notify Payload: NON_FIRST_FRAGSIKEv2-PROTO-3: (14): Building packet for encryption; contents are:
 VID  Next payload: IDi, reserved: 0x0, length: 20

     fc 50 2a c2 71 93 0f 58 7e 26 48 18 75 39 76 ee
 IDi  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0

     08 08 08 02
 AUTH  Next payload: SA, reserved: 0x0, length: 40
    Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 32 bytes
 SA  Next payload: TSi, reserved: 0x0, length: 44
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id:

 TSi  Next payload: TSr, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 7.7.7.1, end addr: 7.7.7.1
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 9.9.9.9, end addr: 9.9.9.9
 NOTIFY(INITIAL_CONTACT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
 NOTIFY(ESP_TFC_NO_SUPPORT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
 NOTIFY(NON_FIRST_FRAGS)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS

IKEv2-PROTO-3: (14): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:FE502BC262A4FC1F - r: 4EC80F17BA5C693F]
IKEv2-PROTO-4: IKEV2 HDR ispi: FE502BC262A4FC1F - rspi: 4EC80F17BA5C693F
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x1, length: 256
 ENCR  Next payload: VID, reserved: 0x0, length: 228
Encrypted data: 224 bytes

IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:FE502BC262A4FC1F - r: 4EC80F17BA5C693F]
IKEv2-PROTO-4: IKEV2 HDR ispi: FE502BC262A4FC1F - rspi: 4EC80F17BA5C693F
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x1, length: 160

REAL Decrypted packet:Data: 80 bytes
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: IDr, reserved: 0x0, length: 20

     4f c8 0e 17 a9 6b 9a 78 7e 26 48 18 75 39 76 ee
 IDr  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0

     08 08 08 01
 AUTH  Next payload: NOTIFY, reserved: 0x0, length: 40
    Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 32 bytes
IKEv2-PROTO-5: Parse Notify Payload: TS_UNACCEPTABLE NOTIFY(TS_UNACCEPTABLE)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: TS_UNACCEPTABLE

Decrypted packet:Data: 160 bytes
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-5: (14): Action: Action_Null
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (14): Process auth response notify
IKEv2-PROTO-1: (14):
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-3: (14): Getting configured policies
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-3: (14): Verify peer's policy
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (14): Get peer authentication method
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-3: (14): Get peer's preshared key for 8.8.8.1
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-3: (14): Verify authentication data
IKEv2-PROTO-3: (14): Use preshared key for id 8.8.8.1, key len 5
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (14): Check for EAP exchange
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-5: (14): Action: Action_Null
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE
IKEv2-PROTO-3: (14): Closing the PKI session
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-2: (14): SA created; inserting SA into database
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PROTO-3: (14):
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PROTO-3: (14): Initializing DPD, configured for 10 seconds
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-3: (14): Checking for duplicate SA
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: READY Event: EV_I_UPDATE_CAC_STATS
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: READY Event: EV_DEL_SA
IKEv2-PROTO-3: (14): Queuing IKE SA delete request reason: unknown
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: READY Event: EV_FREE_NEG
IKEv2-PROTO-5: (14): Deleting negotiation context for my message ID: 0x1
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: READY Event: EV_DELETE
IKEv2-PROTO-5: (14): Action: Action_Null
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: DELETE Event: EV_DELETE
IKEv2-PROTO-5: (14): Action: Action_Null
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SND_SA_DEL
IKEv2-PROTO-2: (14): Sending DEL info message
IKEv2-PROTO-3: (14): Building packet for encryption; contents are:
 DELETE  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, num of spi: 0

IKEv2-PROTO-3: (14): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x2
IKEv2-PROTO-3: HDR[i:FE502BC262A4FC1F - r: 4EC80F17BA5C693F]
IKEv2-PROTO-4: IKEV2 HDR ispi: FE502BC262A4FC1F - rspi: 4EC80F17BA5C693F
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: INFORMATIONAL, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x2, length: 80
 ENCR  Next payload: DELETE, reserved: 0x0, length: 52
Encrypted data: 48 bytes

IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_CHK4_ACTIVE_SA
IKEv2-PROTO-3: (14): Check for existing active SA
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_STOP_ACCT
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_TERM_CONN
IKEv2-PROTO-3: (14): Delete all IKE SAs
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_NO_EVENT
IKEv2-PROTO-5: Process delete IPSec API
IKEv2-PROTO-5: ipsec delete
IKEv2-PROTO-3: Rx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x2
IKEv2-PROTO-3: HDR[i:FE502BC262A4FC1F - r: 4EC80F17BA5C693F]
IKEv2-PROTO-4: IKEV2 HDR ispi: FE502BC262A4FC1F - rspi: 4EC80F17BA5C693F
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x2, length: 80

REAL Decrypted packet:Data: 8 bytes
 DELETE  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, num of spi: 0

Decrypted packet:Data: 80 bytes
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-2: (14): Processing ACK to informational exchange
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000002 CurState: DELETE Event: EV_RECV_DEL_ACK
IKEv2-PROTO-5: (14): Action: Action_Null
IKEv2-PROTO-5: (14): SM Trace-> SA: I_SPI=FE502BC262A4FC1F R_SPI=4EC80F17BA5C693F (I) MsgID = 00000002 CurState: DELETE Event: EV_FREE_SA
IKEv2-PROTO-3: (14): Deleting SA
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-3: (15): Getting configured policies
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-3: (15): Setting configured policies
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-3: (15): Computing DH public key
IKEv2-PROTO-3: (15):
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-5: (15): Action: Action_Null
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-2: (15): Sending initial message
IKEv2-PROTO-3:   IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA256   SHA256   DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-5: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-5: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-5: Construct Vendor Specific Payload: FRAGMENTATIONIKEv2-PROTO-3: (15): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:A7015CCB5476482E - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: A7015CCB5476482E - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 458
 SA  Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5

 KE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0

     77 69 d6 be b0 99 04 e8 03 02 d8 9b fa de c3 13
     f6 44 7e 4c ab d7 27 41 73 0e 0e 16 72 a1 c9 11
     4d d3 db ea d3 6f 7f 24 62 a0 fa fc bd 12 58 53
     a8 e0 72 ad a3 b3 75 bf 2f 82 2e 23 26 41 db b8
     bf e4 9d 69 3d 69 0c 52 32 dc bc b5 2e 1d 82 77
     10 8e 85 5b 67 b7 83 88 87 24 d0 68 18 97 0b e4
     52 00 e8 61 42 86 3e 04 34 a5 5b 8b 0b 12 d7 05
     70 80 19 9a 77 1e bf 17 18 2a 5b fe ce ac 94 e7
     37 1e 46 d9 d3 c4 f3 f1 48 4f 73 98 1a 60 e0 0a
     90 f9 c2 9c d8 97 45 25 a1 e7 db a5 73 75 11 20
     d3 f4 de d7 8a b8 b9 ce 40 20 5c 77 2d da ad a8
     10 04 ec 46 c4 aa 7d ed a3 b9 37 15 d8 ab 1f 1a
 N  Next payload: VID, reserved: 0x0, length: 24

     bf d2 d6 0f b8 55 02 5f f5 69 dd d2 07 43 e7 8d
     4b 1b c2 dd
 VID  Next payload: VID, reserved: 0x0, length: 23

     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
 VID  Next payload: NOTIFY, reserved: 0x0, length: 59

     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     83 0d 9e e9 8c a9 bb 3c f7 16 92 0a 66 f2 50 26
     24 ce 07 9a
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: VID, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     1e be 62 84 6c 89 df 59 4d 92 c7 18 51 3c e0 55
     4a 00 ee 88
 VID  Next payload: NONE, reserved: 0x0, length: 20

     40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3

IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-3: (15): Insert SA
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:A7015CCB5476482E - r: EDB6B5D44FA2C075]
IKEv2-PROTO-4: IKEV2 HDR ispi: A7015CCB5476482E - rspi: EDB6B5D44FA2C075
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x0, length: 572

 SA  Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5

 KE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0

     30 25 63 99 a9 3d de b3 df 3a 7c 88 e8 b0 dd 23
     2c 14 fe 37 da a2 2e 00 c5 e3 bb 64 e4 82 47 6c
     b1 7c 33 cc 3b 8b 46 05 df 58 e3 6d a0 99 f3 29
     f5 6e ef ff 3a ec 2e eb e9 75 18 52 dd 79 51 ff
     9a ba 0c a4 47 a5 36 44 36 8f 70 8d 94 91 d2 eb
     dc a3 de 6f 5e df e1 a4 a0 48 ba d3 5d 90 85 db
     ab 88 ab 96 0a 2c 99 b9 43 a1 1d 66 a5 73 5b 3c
     7e 8c 74 4a cc f3 d4 59 83 25 41 e9 dd a0 48 ba
     55 32 1e 12 66 22 af 63 b2 3c f9 63 f2 cf c2 8a
     33 e3 71 e1 39 aa b1 1c b7 3b 06 27 52 87 00 34
     29 47 a0 19 49 4e 09 59 fa 51 ae 75 e3 15 b2 22
     94 b4 97 09 15 36 2c b2 00 85 6e 61 c1 30 5c fc
 N  Next payload: VID, reserved: 0x0, length: 24

     0a 40 29 a9 81 9c 30 f4 a2 fa 68 4a a9 a6 55 2d
     93 a6 2b 19
IKEv2-PROTO-5: Parse Vendor Specific Payload: CISCO-DELETE-REASON VID  Next payload: VID, reserved: 0x0, length: 23

     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: VID, reserved: 0x0, length: 59

     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: NOTIFY, reserved: 0x0, length: 21

     46 4c 45 58 56 50 4e 2d 53 55 50 50 4f 52 54 45
     44
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     7a 27 4e 87 dc ba 41 1b 12 f2 a9 2b d8 ee d6 77
     9d 28 ae f1
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: CERTREQ, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     58 33 f3 03 0e f6 ec 72 b6 e5 8b 4c 34 39 08 83
     b5 50 92 09
 CERTREQ  Next payload: NOTIFY, reserved: 0x0, length: 105
    Cert encoding Hash and URL of PKIX
CertReq data: 100 bytes
IKEv2-PROTO-5: Parse Notify Payload: HTTP_CERT_LOOKUP_SUPPORTED NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: HTTP_CERT_LOOKUP_SUPPORTED

Decrypted packet:Data: 572 bytes
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-5: (15): Processing initial message
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (15): Processing initial message
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-3: (15): Verify SA init message
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-2: (15): Processing initial message
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-3: (15): Process NAT discovery notify
IKEv2-PROTO-5: (15): Processing nat detect src notify
IKEv2-PROTO-5: (15): Remote address matched
IKEv2-PROTO-5: (15): Processing nat detect dst notify
IKEv2-PROTO-5: (15): Local address matched
IKEv2-PROTO-5: (15): No NAT found
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-3: (15): Check NAT discovery
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-3: (15): Computing DH secret key
IKEv2-PROTO-3: (15):
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-5: (15): Action: Action_Null
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-3: (15): Generate skeyid
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-3: (15): Cisco DeleteReason Notify is enabled
IKEv2-PROTO-3: (15): Complete SA init exchange
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (15): Check for EAP exchange
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-3: (15): Generate my authentication data
IKEv2-PROTO-3: (15): Use preshared key for id 8.8.8.2, key len 5
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (15): Get my authentication method
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-3: (15): Check for EAP exchange
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-2: (15): Sending auth message
IKEv2-PROTO-5: Construct Vendor Specific Payload: CISCO-GRANITEIKEv2-PROTO-3:   ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
   AES-CBC   SHA96
IKEv2-PROTO-5: Construct Notify Payload: INITIAL_CONTACTIKEv2-PROTO-5: Construct Notify Payload: ESP_TFC_NO_SUPPORTIKEv2-PROTO-5: Construct Notify Payload: NON_FIRST_FRAGSIKEv2-PROTO-3: (15): Building packet for encryption; contents are:
 VID  Next payload: IDi, reserved: 0x0, length: 20

     a5 01 5d cb 47 41 bb 69 c9 59 cd 50 b2 bf 77 29
 IDi  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0

     08 08 08 02
 AUTH  Next payload: SA, reserved: 0x0, length: 40
    Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 32 bytes
 SA  Next payload: TSi, reserved: 0x0, length: 44
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id:

 TSi  Next payload: TSr, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 7.7.7.1, end addr: 7.7.7.1
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 9.9.9.9, end addr: 9.9.9.9
 NOTIFY(INITIAL_CONTACT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
 NOTIFY(ESP_TFC_NO_SUPPORT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
 NOTIFY(NON_FIRST_FRAGS)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS

IKEv2-PROTO-3: (15): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:A7015CCB5476482E - r: EDB6B5D44FA2C075]
IKEv2-PROTO-4: IKEV2 HDR ispi: A7015CCB5476482E - rspi: EDB6B5D44FA2C075
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x1, length: 256
 ENCR  Next payload: VID, reserved: 0x0, length: 228
Encrypted data: 224 bytes

IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:A7015CCB5476482E - r: EDB6B5D44FA2C075]
IKEv2-PROTO-4: IKEV2 HDR ispi: A7015CCB5476482E - rspi: EDB6B5D44FA2C075
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x1, length: 160

REAL Decrypted packet:Data: 80 bytes
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: IDr, reserved: 0x0, length: 20

     ec b6 b4 d4 5c 95 33 32 c9 59 cd 50 b2 bf 77 29
 IDr  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0

     08 08 08 01
 AUTH  Next payload: NOTIFY, reserved: 0x0, length: 40
    Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 32 bytes
IKEv2-PROTO-5: Parse Notify Payload: TS_UNACCEPTABLE NOTIFY(TS_UNACCEPTABLE)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: TS_UNACCEPTABLE

Decrypted packet:Data: 160 bytes
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-5: (15): Action: Action_Null
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (15): Process auth response notify
IKEv2-PROTO-1: (15):
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-3: (15): Getting configured policies
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-3: (15): Verify peer's policy
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (15): Get peer authentication method
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-3: (15): Get peer's preshared key for 8.8.8.1
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-3: (15): Verify authentication data
IKEv2-PROTO-3: (15): Use preshared key for id 8.8.8.1, key len 5
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (15): Check for EAP exchange
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-5: (15): Action: Action_Null
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE
IKEv2-PROTO-3: (15): Closing the PKI session
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-2: (15): SA created; inserting SA into database
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PROTO-3: (15):
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PROTO-3: (15): Initializing DPD, configured for 10 seconds
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-3: (15): Checking for duplicate SA
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: READY Event: EV_I_UPDATE_CAC_STATS
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: READY Event: EV_DEL_SA
IKEv2-PROTO-3: (15): Queuing IKE SA delete request reason: unknown
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: READY Event: EV_FREE_NEG
IKEv2-PROTO-5: (15): Deleting negotiation context for my message ID: 0x1
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: READY Event: EV_DELETE
IKEv2-PROTO-5: (15): Action: Action_Null
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: DELETE Event: EV_DELETE
IKEv2-PROTO-5: (15): Action: Action_Null
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SND_SA_DEL
IKEv2-PROTO-2: (15): Sending DEL info message
IKEv2-PROTO-3: (15): Building packet for encryption; contents are:
 DELETE  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, num of spi: 0

IKEv2-PROTO-3: (15): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x2
IKEv2-PROTO-3: HDR[i:A7015CCB5476482E - r: EDB6B5D44FA2C075]
IKEv2-PROTO-4: IKEV2 HDR ispi: A7015CCB5476482E - rspi: EDB6B5D44FA2C075
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: INFORMATIONAL, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x2, length: 80
 ENCR  Next payload: DELETE, reserved: 0x0, length: 52
Encrypted data: 48 bytes

IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_CHK4_ACTIVE_SA
IKEv2-PROTO-3: (15): Check for existing active SA
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_STOP_ACCT
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_TERM_CONN
IKEv2-PROTO-3: (15): Delete all IKE SAs
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_NO_EVENT
IKEv2-PROTO-5: Process delete IPSec API
IKEv2-PROTO-5: ipsec delete
IKEv2-PROTO-3: Rx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x2
IKEv2-PROTO-3: HDR[i:A7015CCB5476482E - r: EDB6B5D44FA2C075]
IKEv2-PROTO-4: IKEV2 HDR ispi: A7015CCB5476482E - rspi: EDB6B5D44FA2C075
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x2, length: 80

REAL Decrypted packet:Data: 8 bytes
 DELETE  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, num of spi: 0

Decrypted packet:Data: 80 bytes
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-2: (15): Processing ACK to informational exchange
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000002 CurState: DELETE Event: EV_RECV_DEL_ACK
IKEv2-PROTO-5: (15): Action: Action_Null
IKEv2-PROTO-5: (15): SM Trace-> SA: I_SPI=A7015CCB5476482E R_SPI=EDB6B5D44FA2C075 (I) MsgID = 00000002 CurState: DELETE Event: EV_FREE_SA
IKEv2-PROTO-3: (15): Deleting SA
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-3: (16): Getting configured policies
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-3: (16): Setting configured policies
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-3: (16): Computing DH public key
IKEv2-PROTO-3: (16):
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-5: (16): Action: Action_Null
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-2: (16): Sending initial message
IKEv2-PROTO-3:   IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA256   SHA256   DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-5: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-5: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-5: Construct Vendor Specific Payload: FRAGMENTATIONIKEv2-PROTO-3: (16): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:A94CAE1FB3B4D096 - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: A94CAE1FB3B4D096 - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 458
 SA  Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5

 KE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0

     90 8d ab c1 63 85 3e 3b 81 98 c3 27 1e 26 1d 3d
     66 e5 f4 fb 8b d9 eb 5a 19 a2 8b 64 74 95 2e 1c
     3d a4 38 d4 ff c6 0e 26 f2 a1 a9 3b fd 67 01 7c
     dd 08 91 cb d5 d3 cf 87 ce d5 a4 09 e9 1c e3 e5
     36 bc 2f 7e 45 ac e8 ef 3a 02 99 56 60 51 c8 a4
     40 68 b1 f1 3b 5f 05 a3 ac 62 fa 92 8d 58 34 49
     ed dd 8c 43 e1 f0 37 81 75 44 80 29 75 e6 14 84
     46 59 6a e7 78 66 38 45 be 28 a4 7f f1 b1 85 8e
     81 de d3 8e 7b 9b 4f 88 e3 d8 f0 17 c1 4c 4c 07
     d4 20 3d 2b 52 2c 9e 00 72 57 ed 62 47 24 6d 57
     cc e5 2d 7a 4a c0 67 98 99 8c d8 23 60 c1 9c c4
     f6 5f 5f 58 15 35 27 42 d6 94 28 63 8d cd e9 d9
 N  Next payload: VID, reserved: 0x0, length: 24

     6b 87 8c 6e 82 0c bf 2b 62 49 35 52 10 d8 5c 30
     a6 c5 ea 27
 VID  Next payload: VID, reserved: 0x0, length: 23

     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
 VID  Next payload: NOTIFY, reserved: 0x0, length: 59

     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     31 9c a8 38 5d 40 1f 2e d6 ce fb 0b f6 15 66 4d
     a6 30 75 a9
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: VID, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     72 28 2b 77 f7 ab 4a c2 2a 58 8b 1a da 97 0e 9e
     12 55 68 d4
 VID  Next payload: NONE, reserved: 0x0, length: 20

     40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3

IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-3: (16): Insert SA
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:A94CAE1FB3B4D096 - r: 76622C371B0924E4]
IKEv2-PROTO-4: IKEV2 HDR ispi: A94CAE1FB3B4D096 - rspi: 76622C371B0924E4
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x0, length: 572

 SA  Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5

 KE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0

     30 25 63 99 a9 3d de b3 df 3a 7c 88 e8 b0 dd 23
     2c 14 fe 37 da a2 2e 00 c5 e3 bb 64 e4 82 47 6c
     b1 7c 33 cc 3b 8b 46 05 df 58 e3 6d a0 99 f3 29
     f5 6e ef ff 3a ec 2e eb e9 75 18 52 dd 79 51 ff
     9a ba 0c a4 47 a5 36 44 36 8f 70 8d 94 91 d2 eb
     dc a3 de 6f 5e df e1 a4 a0 48 ba d3 5d 90 85 db
     ab 88 ab 96 0a 2c 99 b9 43 a1 1d 66 a5 73 5b 3c
     7e 8c 74 4a cc f3 d4 59 83 25 41 e9 dd a0 48 ba
     55 32 1e 12 66 22 af 63 b2 3c f9 63 f2 cf c2 8a
     33 e3 71 e1 39 aa b1 1c b7 3b 06 27 52 87 00 34
     29 47 a0 19 49 4e 09 59 fa 51 ae 75 e3 15 b2 22
     94 b4 97 09 15 36 2c b2 00 85 6e 61 c1 30 5c fc
 N  Next payload: VID, reserved: 0x0, length: 24

     6a a5 55 39 ec 87 a6 1c bf 68 16 2f 68 9a b0 39
     58 1b c6 86
IKEv2-PROTO-5: Parse Vendor Specific Payload: CISCO-DELETE-REASON VID  Next payload: VID, reserved: 0x0, length: 23

     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: VID, reserved: 0x0, length: 59

     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: NOTIFY, reserved: 0x0, length: 21

     46 4c 45 58 56 50 4e 2d 53 55 50 50 4f 52 54 45
     44
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     f8 34 42 c4 c7 8e 6b 2e 08 b5 b8 89 84 93 73 bf
     86 df 54 f2
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: CERTREQ, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     04 2a ad 49 92 c1 3b ea 02 0a 59 1f dd 9b 5d 95
     5f e6 fd fc
 CERTREQ  Next payload: NOTIFY, reserved: 0x0, length: 105
    Cert encoding Hash and URL of PKIX
CertReq data: 100 bytes
IKEv2-PROTO-5: Parse Notify Payload: HTTP_CERT_LOOKUP_SUPPORTED NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: HTTP_CERT_LOOKUP_SUPPORTED

Decrypted packet:Data: 572 bytes
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-5: (16): Processing initial message
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (16): Processing initial message
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-3: (16): Verify SA init message
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-2: (16): Processing initial message
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-3: (16): Process NAT discovery notify
IKEv2-PROTO-5: (16): Processing nat detect src notify
IKEv2-PROTO-5: (16): Remote address matched
IKEv2-PROTO-5: (16): Processing nat detect dst notify
IKEv2-PROTO-5: (16): Local address matched
IKEv2-PROTO-5: (16): No NAT found
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-3: (16): Check NAT discovery
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-3: (16): Computing DH secret key
IKEv2-PROTO-3: (16):
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-5: (16): Action: Action_Null
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-3: (16): Generate skeyid
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-3: (16): Cisco DeleteReason Notify is enabled
IKEv2-PROTO-3: (16): Complete SA init exchange
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (16): Check for EAP exchange
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-3: (16): Generate my authentication data
IKEv2-PROTO-3: (16): Use preshared key for id 8.8.8.2, key len 5
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (16): Get my authentication method
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-3: (16): Check for EAP exchange
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-2: (16): Sending auth message
IKEv2-PROTO-5: Construct Vendor Specific Payload: CISCO-GRANITEIKEv2-PROTO-3:   ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
   AES-CBC   SHA96
IKEv2-PROTO-5: Construct Notify Payload: INITIAL_CONTACTIKEv2-PROTO-5: Construct Notify Payload: ESP_TFC_NO_SUPPORTIKEv2-PROTO-5: Construct Notify Payload: NON_FIRST_FRAGSIKEv2-PROTO-3: (16): Building packet for encryption; contents are:
 VID  Next payload: IDi, reserved: 0x0, length: 20

     ab 4c af 1f a0 83 23 d1 30 57 34 0c 51 40 9b cd
 IDi  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0

     08 08 08 02
 AUTH  Next payload: SA, reserved: 0x0, length: 40
    Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 32 bytes
 SA  Next payload: TSi, reserved: 0x0, length: 44
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id:

 TSi  Next payload: TSr, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 7.7.7.1, end addr: 7.7.7.1
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 9.9.9.9, end addr: 9.9.9.9
 NOTIFY(INITIAL_CONTACT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
 NOTIFY(ESP_TFC_NO_SUPPORT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
 NOTIFY(NON_FIRST_FRAGS)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS

IKEv2-PROTO-3: (16): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:A94CAE1FB3B4D096 - r: 76622C371B0924E4]
IKEv2-PROTO-4: IKEV2 HDR ispi: A94CAE1FB3B4D096 - rspi: 76622C371B0924E4
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x1, length: 256
 ENCR  Next payload: VID, reserved: 0x0, length: 228
Encrypted data: 224 bytes

IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:A94CAE1FB3B4D096 - r: 76622C371B0924E4]
IKEv2-PROTO-4: IKEV2 HDR ispi: A94CAE1FB3B4D096 - rspi: 76622C371B0924E4
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x1, length: 160

REAL Decrypted packet:Data: 80 bytes
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: IDr, reserved: 0x0, length: 20

     77 62 2d 37 08 3e d7 a3 30 57 34 0c 51 40 9b cd
 IDr  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0

     08 08 08 01
 AUTH  Next payload: NOTIFY, reserved: 0x0, length: 40
    Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 32 bytes
IKEv2-PROTO-5: Parse Notify Payload: TS_UNACCEPTABLE NOTIFY(TS_UNACCEPTABLE)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: TS_UNACCEPTABLE

Decrypted packet:Data: 160 bytes
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-5: (16): Action: Action_Null
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (16): Process auth response notify
IKEv2-PROTO-1: (16):
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-3: (16): Getting configured policies
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-3: (16): Verify peer's policy
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (16): Get peer authentication method
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-3: (16): Get peer's preshared key for 8.8.8.1
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-3: (16): Verify authentication data
IKEv2-PROTO-3: (16): Use preshared key for id 8.8.8.1, key len 5
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (16): Check for EAP exchange
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-5: (16): Action: Action_Null
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE
IKEv2-PROTO-3: (16): Closing the PKI session
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-2: (16): SA created; inserting SA into database
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PROTO-3: (16):
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PROTO-3: (16): Initializing DPD, configured for 10 seconds
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-3: (16): Checking for duplicate SA
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: READY Event: EV_I_UPDATE_CAC_STATS
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: READY Event: EV_DEL_SA
IKEv2-PROTO-3: (16): Queuing IKE SA delete request reason: unknown
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: READY Event: EV_FREE_NEG
IKEv2-PROTO-5: (16): Deleting negotiation context for my message ID: 0x1
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: READY Event: EV_DELETE
IKEv2-PROTO-5: (16): Action: Action_Null
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: DELETE Event: EV_DELETE
IKEv2-PROTO-5: (16): Action: Action_Null
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SND_SA_DEL
IKEv2-PROTO-2: (16): Sending DEL info message
IKEv2-PROTO-3: (16): Building packet for encryption; contents are:
 DELETE  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, num of spi: 0

IKEv2-PROTO-3: (16): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x2
IKEv2-PROTO-3: HDR[i:A94CAE1FB3B4D096 - r: 76622C371B0924E4]
IKEv2-PROTO-4: IKEV2 HDR ispi: A94CAE1FB3B4D096 - rspi: 76622C371B0924E4
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: INFORMATIONAL, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x2, length: 80
 ENCR  Next payload: DELETE, reserved: 0x0, length: 52
Encrypted data: 48 bytes

IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_CHK4_ACTIVE_SA
IKEv2-PROTO-3: (16): Check for existing active SA
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_STOP_ACCT
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_TERM_CONN
IKEv2-PROTO-3: (16): Delete all IKE SAs
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_NO_EVENT
IKEv2-PROTO-5: Process delete IPSec API
IKEv2-PROTO-5: ipsec delete
IKEv2-PROTO-3: Rx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x2
IKEv2-PROTO-3: HDR[i:A94CAE1FB3B4D096 - r: 76622C371B0924E4]
IKEv2-PROTO-4: IKEV2 HDR ispi: A94CAE1FB3B4D096 - rspi: 76622C371B0924E4
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x2, length: 80

REAL Decrypted packet:Data: 8 bytes
 DELETE  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, num of spi: 0

Decrypted packet:Data: 80 bytes
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-2: (16): Processing ACK to informational exchange
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000002 CurState: DELETE Event: EV_RECV_DEL_ACK
IKEv2-PROTO-5: (16): Action: Action_Null
IKEv2-PROTO-5: (16): SM Trace-> SA: I_SPI=A94CAE1FB3B4D096 R_SPI=76622C371B0924E4 (I) MsgID = 00000002 CurState: DELETE Event: EV_FREE_SA
IKEv2-PROTO-3: (16): Deleting SA
no de
asa2# no debug all

and then on the router:


R17#debug crypto ikev2
IKEv2 default debugging is on
R17#
R17#
R17#
R17#

*Dec 13 19:26:26.903: IKEv2:Received Packet [From 8.8.8.2:500/To 8.8.8.1:500/VRF i0:f0]
Initiator SPI : DBEC9B46CEB86DE1 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID

*Dec 13 19:26:26.923: IKEv2:(SA ID = 1):Verify SA init message
*Dec 13 19:26:26.927: IKEv2:(SA ID = 1):Insert SA
*Dec 13 19:26:26.931: IKEv2:Searching Policy with fvrf 0, local address 8.8.8.1
*Dec 13 19:26:26.931: IKEv2:Found Policy '10'
*Dec 13 19:26:26.935: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*Dec 13 19:26:26.935: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Dec 13 19:26:26.935: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4'   'Trustpool3'   'Trustpool2'   'Trustpool1'   'Trustpool'
*Dec 13 19:26:26.935: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Dec 13 19:26:26
R17#.935: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Dec 13 19:26:26.935: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Dec 13 19:26:26.935: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Dec 13 19:26:26.939: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
*Dec 13 19:26:26.939: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 13 19:26:26.939: IKEv2:(SA ID = 1):Request queued for computation of DH key
*Dec 13 19:26:26.939: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
*Dec 13 19:26:27.023: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 13 19:26:27.027: IKEv2:(SA ID = 1):Request queued for computation of DH secret
*Dec 13 19:26:27.031: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Dec 13 19:26:27.031: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calcu
R17#lation and creation of rekeyed IKEv2 SA PASSED
*Dec 13 19:26:27.031: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Dec 13 19:26:27.035: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
*Dec 13 19:26:27.035: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA256   SHA256   DH_GROUP_1536_MODP/Group 5
*Dec 13 19:26:27.035: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Dec 13 19:26:27.035: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4'   'Trustpool3'   'Trustpool2'   'Trustpool1'   'Trustpool'
*Dec 13 19:26:27.035: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Dec 13 19:26:27.039: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED

*Dec 13 19:26:27.039: IKEv2:(SA ID = 1):Sending Packet [To 8.8.8.2:500/From 8.8.8.1:500/VRF i0:f0]
Initiator SPI : DBEC9B46CEB86DE1 - Responder SPI : D73F5C9F9113FDA
R17#8 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)

*Dec 13 19:26:27.047: IKEv2:(SA ID = 1):Completed SA init exchange
*Dec 13 19:26:27.051: IKEv2:(SA ID = 1):Starting timer (30 sec) to wait for auth message

*Dec 13 19:26:27.151: IKEv2:(SA ID = 1):Received Packet [From 8.8.8.2:500/To 8.8.8.1:500/VRF i0:f0]
Initiator SPI : DBEC9B46CEB86DE1 - Responder SPI : D73F5C9F9113FDA8 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Dec 13 19:26:27.171: IKEv2:(SA ID = 1):Stopping timer to wait for auth message
*Dec 13 19:26:27.175: IKEv2:(SA ID = 1):Checking NAT discovery
*Dec 13 19:26:27.179: IKEv2:(SA ID = 1):NAT not found
*Dec 13 19:26:27.183: IKEv2:(SA ID = 1):Searching policy based on peer's identity '
R17#8.8.8.2' of type 'IPv4 address'
*Dec 13 19:26:27.187: IKEv2:found matching IKEv2 profile 'IKEV2-PROFILE'
*Dec 13 19:26:27.187: IKEv2:% Getting preshared key from profile keyring KEYRING
*Dec 13 19:26:27.191: IKEv2:% Matched peer block 'ASA2'
*Dec 13 19:26:27.195: IKEv2:Searching Policy with fvrf 0, local address 8.8.8.1
*Dec 13 19:26:27.195: IKEv2:Found Policy '10'
*Dec 13 19:26:27.199: IKEv2:(SA ID = 1):Verify peer's policy
*Dec 13 19:26:27.203: IKEv2:(SA ID = 1):Peer's policy verified
*Dec 13 19:26:27.211: IKEv2:(SA ID = 1):Get peer's authentication method
*Dec 13 19:26:27.211: IKEv2:(SA ID = 1):Peer's authentication method is 'PSK'
*Dec 13 19:26:27.211: IKEv2:(SA ID = 1):Get peer's preshared key for 8.8.8.2
*Dec 13 19:26:27.211: IKEv2:(SA ID = 1):Verify peer's authentication data
*Dec 13 19:26:27.211: IKEv2:(SA ID = 1):Use preshared key for id 8.8.8.2, key len 5
*Dec 13 19:26:27.211: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Dec 13 19:26:27.21
R17#1: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Dec 13 19:26:27.211: IKEv2:(SA ID = 1):Verification of peer's authenctication data PASSED
*Dec 13 19:26:27.211: IKEv2:(SA ID = 1):Processing INITIAL_CONTACT
*Dec 13 19:26:27.211: IKEv2:(SA ID = 1):Processing IKE_AUTH message
*Dec 13 19:26:27.211: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 2 flags 8177 keysize 256 IDB 0x0
*Dec 13 19:26:27.215: IKEv2:(SA ID = 1):There was no IPSEC policy found for received TS

*Dec 13 19:26:27.215: IKEv2:(SA ID = 1):
*Dec 13 19:26:27.215: IKEv2:(SA ID = 1):Sending TS unacceptable notify
*Dec 13 19:26:27.215: IKEv2:(SA ID = 1):Get my authentication method
*Dec 13 19:26:27.215: IKEv2:(SA ID = 1):My authentication method is 'PSK'
*Dec 13 19:26:27.215: IKEv2:(SA ID = 1):Get peer's preshared key for 8.8.8.2
*Dec 13 19:26:27.215: IKEv2:(SA ID = 1):Generate my authentication data
*Dec 13 19:26:27.215: IKEv2:(SA ID = 1):Use preshared key for id 8
R17#.8.8.1, key len 5
*Dec 13 19:26:27.215: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Dec 13 19:26:27.215: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Dec 13 19:26:27.215: IKEv2:(SA ID = 1):Get my authentication method
*Dec 13 19:26:27.215: IKEv2:(SA ID = 1):My authentication method is 'PSK'
*Dec 13 19:26:27.215: IKEv2:(SA ID = 1):Generating IKE_AUTH message
*Dec 13 19:26:27.215: IKEv2:(SA ID = 1):Constructing IDr payload: '8.8.8.1' of type 'IPv4 address'
*Dec 13 19:26:27.219: IKEv2:(SA ID = 1):Building packet for encryption.
Payload contents:
 VID IDr AUTH NOTIFY(TS_UNACCEPTABLE)

*Dec 13 19:26:27.219: IKEv2:(SA ID = 1):Sending Packet [To 8.8.8.2:500/From 8.8.8.1:500/VRF i0:f0]
Initiator SPI : DBEC9B46CEB86DE1 - Responder SPI : D73F5C9F9113FDA8 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 ENCR

*Dec 13 19:26:27.223: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Dec 13 19:26:27.22
R17#7: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Dec 13 19:26:27.227: IKEv2:(SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Dec 13 19:26:27.231: IKEv2:(SA ID = 1):Session with IKE ID PAIR (8.8.8.2, 8.8.8.1) is UP
*Dec 13 19:26:27.231: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Dec 13 19:26:27.235: IKEv2:(SA ID = 1):Checking for duplicate IKEv2 SA
*Dec 13 19:26:27.235: IKEv2:(SA ID = 1):No duplicate IKEv2 SA found
*Dec 13 19:26:27.239: IKEv2:(SA ID = 1):Starting timer (8 sec) to delete negotiation context

*Dec 13 19:26:27.263: IKEv2:(SA ID = 1):Received Packet [From 8.8.8.2:500/To 8.8.8.1:500/VRF i0:f0]
Initiator SPI : DBEC9B46CEB86DE1 - Responder SPI : D73F5C9F9113FDA8 Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
 DELETE

*Dec 13 19:26:27.279: IKEv2:(SA ID = 1):Building packet for encryption.
Payload contents:
 DELETE

*Dec 13 19:26:27.287: IKEv2:(SA ID = 1):Sending Packet [To 8.8.8.2:500/From 8.8.8.1:500/VRF i0:f0]
Initiator SPI : DBEC9B46CEB86DE1 - Responder SPI : D73F5C9F9113FDA8 Message id: 2
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
 ENCR

*Dec 13 19:26:27.299: IKEv2:(SA ID = 1):Process delete request from peer
*Dec 13 19:26:27.299: IKEv2:(SA ID = 1):Processing DELETE INFO message for IKEv2 SA [ISPI: 0xDBEC9B46CEB86DE1 RSPI: 0xD73F5C9F9113FDA8]
*Dec 13 19:26:27.303: IKEv2:(SA ID = 1):Check for existing active SA
*Dec 13 19:26:27.323: IKEv2:(SA ID = 1):Accounting not started for this session

*Dec 13 19:26:27.323: IKEv2:(SA ID = 1):
*Dec 13 19:26:27.323: IKEv2:(SA ID = 1):Delete all IKE SAs
*Dec 13 19:26:27.323: IKEv2:(SA ID = 1):Deleting SA

*Dec 13 19:26:28.875: IKEv2:Received Packet [From 8.8.8.2:500/To 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 5533B0B3BE2AECD6 - Responder SPI : 0000000000000000 Message id: 0
I
R17#KEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID

*Dec 13 19:26:28.895: IKEv2:(SA ID = 1):Verify SA init message
*Dec 13 19:26:28.899: IKEv2:(SA ID = 1):Insert SA
*Dec 13 19:26:28.903: IKEv2:Searching Policy with fvrf 0, local address 8.8.8.1
*Dec 13 19:26:28.907: IKEv2:Found Policy '10'
*Dec 13 19:26:28.911: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*Dec 13 19:26:28.915: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Dec 13 19:26:28.919: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4'   'Trustpool3'   'Trustpool2'   'Trustpool1'   'Trustpool'
*Dec 13 19:26:28.927: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Dec 13 19:26:28.931: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Dec 13 19:26:28.935: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Dec 13 19:26:
R17#28.939: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Dec 13 19:26:28.939: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
*Dec 13 19:26:28.943: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 13 19:26:28.947: IKEv2:(SA ID = 1):Request queued for computation of DH key
*Dec 13 19:26:28.947: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
*Dec 13 19:26:29.067: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 13 19:26:29.067: IKEv2:(SA ID = 1):Request queued for computation of DH secret
*Dec 13 19:26:29.075: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Dec 13 19:26:29.075: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Dec 13 19:26:29.075: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Dec 13 19:26:29.075: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
*Dec 13 19:26:29.075: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA256   SHA256   DH_GROUP_1536_MODP/Group 5
*Dec 13 19:26:29.083: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Dec 13 19:26:29.083: IKEv2:(SA I
R17#D = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4'   'Trustpool3'   'Trustpool2'   'Trustpool1'   'Trustpool'
*Dec 13 19:26:29.087: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Dec 13 19:26:29.087: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED

*Dec 13 19:26:29.087: IKEv2:(SA ID = 1):Sending Packet [To 8.8.8.2:500/From 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 5533B0B3BE2AECD6 - Responder SPI : E1D42E5805CEDA73 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)

*Dec 13 19:26:29.091: IKEv2:(SA ID = 1):Completed SA init exchange
*Dec 13 19:26:29.095: IKEv2:(SA ID = 1):Starting timer (30 sec) to wait for auth message

*Dec 13 19:26:29.191: IKEv2:(SA ID = 1):Received Packet [From 8.8.8.2:500/To 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 5533B0B3BE2AECD
R17#6 - Responder SPI : E1D42E5805CEDA73 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Dec 13 19:26:29.211: IKEv2:(SA ID = 1):Stopping timer to wait for auth message
*Dec 13 19:26:29.215: IKEv2:(SA ID = 1):Checking NAT discovery
*Dec 13 19:26:29.219: IKEv2:(SA ID = 1):NAT not found
*Dec 13 19:26:29.223: IKEv2:(SA ID = 1):Searching policy based on peer's identity '8.8.8.2' of type 'IPv4 address'
*Dec 13 19:26:29.227: IKEv2:found matching IKEv2 profile 'IKEV2-PROFILE'
*Dec 13 19:26:29.227: IKEv2:% Getting preshared key from profile keyring KEYRING
*Dec 13 19:26:29.231: IKEv2:% Matched peer block 'ASA2'
*Dec 13 19:26:29.235: IKEv2:Searching Policy with fvrf 0, local address 8.8.8.1
*Dec 13 19:26:29.235: IKEv2:Found Policy '10'
*Dec 13 19:26:29.235: IKEv2:(SA ID = 1):Verify peer's policy
*Dec 13 19:26:29.239: IKEv2:(SA ID = 1):Peer's policy verified
*Dec 1
R17#3 19:26:29.239: IKEv2:(SA ID = 1):Get peer's authentication method
*Dec 13 19:26:29.239: IKEv2:(SA ID = 1):Peer's authentication method is 'PSK'
*Dec 13 19:26:29.239: IKEv2:(SA ID = 1):Get peer's preshared key for 8.8.8.2
*Dec 13 19:26:29.239: IKEv2:(SA ID = 1):Verify peer's authentication data
*Dec 13 19:26:29.239: IKEv2:(SA ID = 1):Use preshared key for id 8.8.8.2, key len 5
*Dec 13 19:26:29.239: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Dec 13 19:26:29.239: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Dec 13 19:26:29.239: IKEv2:(SA ID = 1):Verification of peer's authenctication data PASSED
*Dec 13 19:26:29.239: IKEv2:(SA ID = 1):Processing INITIAL_CONTACT
*Dec 13 19:26:29.239: IKEv2:(SA ID = 1):Processing IKE_AUTH message
*Dec 13 19:26:29.243: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 2 flags 8177 keysize 256 IDB 0x0
*Dec 13 19:26:29.243: IKEv2:(SA ID = 1):There was no IPSEC policy found fo
R17#r received TS

*Dec 13 19:26:29.243: IKEv2:(SA ID = 1):
*Dec 13 19:26:29.243: IKEv2:(SA ID = 1):Sending TS unacceptable notify
*Dec 13 19:26:29.243: IKEv2:(SA ID = 1):Get my authentication method
*Dec 13 19:26:29.247: IKEv2:(SA ID = 1):My authentication method is 'PSK'
*Dec 13 19:26:29.247: IKEv2:(SA ID = 1):Get peer's preshared key for 8.8.8.2
*Dec 13 19:26:29.247: IKEv2:(SA ID = 1):Generate my authentication data
*Dec 13 19:26:29.247: IKEv2:(SA ID = 1):Use preshared key for id 8.8.8.1, key len 5
*Dec 13 19:26:29.247: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Dec 13 19:26:29.247: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Dec 13 19:26:29.247: IKEv2:(SA ID = 1):Get my authentication method
*Dec 13 19:26:29.247: IKEv2:(SA ID = 1):My authentication method is 'PSK'
*Dec 13 19:26:29.247: IKEv2:(SA ID = 1):Generating IKE_AUTH message
*Dec 13 19:26:29.247: IKEv2:(SA ID = 1):Constructing IDr payload: '8.8.8.1' of type 'I
R17#Pv4 address'
*Dec 13 19:26:29.247: IKEv2:(SA ID = 1):Building packet for encryption.
Payload contents:
 VID IDr AUTH NOTIFY(TS_UNACCEPTABLE)

*Dec 13 19:26:29.255: IKEv2:(SA ID = 1):Sending Packet [To 8.8.8.2:500/From 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 5533B0B3BE2AECD6 - Responder SPI : E1D42E5805CEDA73 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 ENCR

*Dec 13 19:26:29.259: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Dec 13 19:26:29.263: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Dec 13 19:26:29.263: IKEv2:(SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Dec 13 19:26:29.267: IKEv2:(SA ID = 1):Session with IKE ID PAIR (8.8.8.2, 8.8.8.1) is UP
*Dec 13 19:26:29.275: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Dec 13 19:26:29.279: IKEv2:(SA ID = 1):Checking for duplicate IKEv2 SA
*Dec 13 19:26:29.279: IKEv2:(SA ID = 1):No duplicate IKEv2 SA found
*Dec 13 19:
R17#26:29.279: IKEv2:(SA ID = 1):Starting timer (8 sec) to delete negotiation context

*Dec 13 19:26:29.295: IKEv2:(SA ID = 1):Received Packet [From 8.8.8.2:500/To 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 5533B0B3BE2AECD6 - Responder SPI : E1D42E5805CEDA73 Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
 DELETE

*Dec 13 19:26:29.307: IKEv2:(SA ID = 1):Building packet for encryption.
Payload contents:
 DELETE

*Dec 13 19:26:29.315: IKEv2:(SA ID = 1):Sending Packet [To 8.8.8.2:500/From 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 5533B0B3BE2AECD6 - Responder SPI : E1D42E5805CEDA73 Message id: 2
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
 ENCR

*Dec 13 19:26:29.327: IKEv2:(SA ID = 1):Process delete request from peer
*Dec 13 19:26:29.331: IKEv2:(SA ID = 1):Processing DELETE INFO message for IKEv2 SA [ISPI: 0x5533B0B3BE2AECD6 RSPI: 0xE1D42E5805CEDA73]
*Dec 13 19:26:29.335: IKEv2:(SA ID = 1):Check for existing active SA
*Dec 13 19:26:2
R17#9.347: IKEv2:(SA ID = 1):Accounting not started for this session

*Dec 13 19:26:29.347: IKEv2:(SA ID = 1):
*Dec 13 19:26:29.347: IKEv2:(SA ID = 1):Delete all IKE SAs
*Dec 13 19:26:29.347: IKEv2:(SA ID = 1):Deleting SA

*Dec 13 19:26:30.883: IKEv2:Received Packet [From 8.8.8.2:500/To 8.8.8.1:500/VRF i0:f0]
Initiator SPI : FE502BC262A4FC1F - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID

*Dec 13 19:26:30.903: IKEv2:(SA ID = 1):Verify SA init message
*Dec 13 19:26:30.907: IKEv2:(SA ID = 1):Insert SA
*Dec 13 19:26:30.911: IKEv2:Searching Policy with fvrf 0, local address 8.8.8.1
*Dec 13 19:26:30.911: IKEv2:Found Policy '10'
*Dec 13 19:26:30.915: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*Dec 13 19:26:30.923: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Dec 13 19:26:30.927: IKEv2:(SA ID = 1):[PKI
R17# -> IKEv2] Retrieved trustpoint(s): 'Trustpool4'   'Trustpool3'   'Trustpool2'   'Trustpool1'   'Trustpool'
*Dec 13 19:26:30.931: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Dec 13 19:26:30.931: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Dec 13 19:26:30.931: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Dec 13 19:26:30.931: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Dec 13 19:26:30.931: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
*Dec 13 19:26:30.931: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 13 19:26:30.935: IKEv2:(SA ID = 1):Request queued for computation of DH key
*Dec 13 19:26:30.935: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
*Dec 13 19:26:31.039: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 13 19:26:31.043: IKEv2:(SA ID = 1):Request queued f
R17#or computation of DH secret
*Dec 13 19:26:31.047: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Dec 13 19:26:31.051: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Dec 13 19:26:31.051: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Dec 13 19:26:31.051: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
*Dec 13 19:26:31.051: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA256   SHA256   DH_GROUP_1536_MODP/Group 5
*Dec 13 19:26:31.055: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Dec 13 19:26:31.055: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4'   'Trustpool3'   'Trustpool2'   'Trustpool1'   'Trustpool'
*Dec 13 19:26:31.059: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Dec 13 19:26:31.059: IKEv2:(SA ID = 1):[PKI -> IKEv2] G
R17#etting of Public Key Hashes of trustpoints PASSED

*Dec 13 19:26:31.063: IKEv2:(SA ID = 1):Sending Packet [To 8.8.8.2:500/From 8.8.8.1:500/VRF i0:f0]
Initiator SPI : FE502BC262A4FC1F - Responder SPI : 4EC80F17BA5C693F Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)

*Dec 13 19:26:31.063: IKEv2:(SA ID = 1):Completed SA init exchange
*Dec 13 19:26:31.067: IKEv2:(SA ID = 1):Starting timer (30 sec) to wait for auth message

*Dec 13 19:26:31.171: IKEv2:(SA ID = 1):Received Packet [From 8.8.8.2:500/To 8.8.8.1:500/VRF i0:f0]
Initiator SPI : FE502BC262A4FC1F - Responder SPI : 4EC80F17BA5C693F Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Dec 13 19:26:31.171: IKEv2:(SA ID = 1):Stopping timer to wait
R17# for auth message
*Dec 13 19:26:31.175: IKEv2:(SA ID = 1):Checking NAT discovery
*Dec 13 19:26:31.179: IKEv2:(SA ID = 1):NAT not found
*Dec 13 19:26:31.183: IKEv2:(SA ID = 1):Searching policy based on peer's identity '8.8.8.2' of type 'IPv4 address'
*Dec 13 19:26:31.187: IKEv2:found matching IKEv2 profile 'IKEV2-PROFILE'
*Dec 13 19:26:31.187: IKEv2:% Getting preshared key from profile keyring KEYRING
*Dec 13 19:26:31.191: IKEv2:% Matched peer block 'ASA2'
*Dec 13 19:26:31.195: IKEv2:Searching Policy with fvrf 0, local address 8.8.8.1
*Dec 13 19:26:31.195: IKEv2:Found Policy '10'
*Dec 13 19:26:31.199: IKEv2:(SA ID = 1):Verify peer's policy
*Dec 13 19:26:31.203: IKEv2:(SA ID = 1):Peer's policy verified
*Dec 13 19:26:31.211: IKEv2:(SA ID = 1):Get peer's authentication method
*Dec 13 19:26:31.211: IKEv2:(SA ID = 1):Peer's authentication method is 'PSK'
*Dec 13 19:26:31.215: IKEv2:(SA ID = 1):Get peer's preshared key for 8.8.8.2
*Dec 13 19:26:31.219: IKEv2:(SA ID = 1):Verify
R17#no dpeer's authentication data
*Dec 13 19:26:31.223: IKEv2:(SA ID = 1):Use preshared key for id 8.8.8.2, key len 5
*Dec 13 19:26:31.223: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Dec 13 19:26:31.227: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Dec 13 19:26:31.227: IKEv2:(SA ID = 1):Verification of peer's authenctication data PASSED
*Dec 13 19:26:31.231: IKEv2:(SA ID = 1):Processing INITIAL_CONTACT
*Dec 13 19:26:31.239: IKEv2:(SA ID = 1):Processing IKE_AUTH message
*Dec 13 19:26:31.239: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 2 flags 8177 keysize 256 IDB 0x0
*Dec 13 19:26:31.243: IKEv2:(SA ID = 1):There was no IPSEC policy found for received TS

*Dec 13 19:26:31.243: IKEv2:(SA ID = 1):
*Dec 13 19:26:31.243: IKEv2:(SA ID = 1):Sending TS unacceptable notify
*Dec 13 19:26:31.243: IKEv2:(SA ID = 1):Get my authentication method
*Dec 13 19:26:31.243: IKEv2:(SA ID = 1):My authentication method is 'PS
*Dec 13 19:26:31.243: IKEv2:(SA ID = 1):Get peer's preshared key for 8.8.8.2
*Dec 13 19:26:31.243: IKEv2:(SA ID = 1):Generate my authentication data
*Dec 13 19:26:31.243: IKEv2:(SA ID = 1):Use preshared key for id 8.8.8.1, key len 5
*Dec 13 19:26:31.243: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Dec 13 19:26:31.243: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Dec 13 19:26:31.243: IKEv2:(SA ID = 1):Get my authentication method
*Dec 13 19:26:31.243: IKEv2:(SA ID = 1):My authentication method is 'PSK'
*Dec 13 19:26:31.243: IKEv2:(SA ID = 1):Generating IKE_AUTH message
*Dec 13 19:26:31.243: IKEv2:(SA ID = 1):Constructing IDr payload: '8.8.8.1' of type 'IPv4 address'
*Dec 13 19:26:31.243: IKEv2:(SA ID = 1):Building packet for encryption.
Payload contents:
 VID IDr AUTH NOTIFY(TS_UNACCEPTABLE)

*Dec 13 19:26:31.247: IKEv2:(SA ID = 1):Sending Packet [To 8.8.8.2:500/From 8.8.8.1:500/VRF i0:f0]
Initiator SPI : FE50
R17#no debug all

and next ipsec (phase 2):

asa2:

asa2# IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=7.7.7.1, sport=2304, daddr=9.9.9.9, dport=2304
IPSEC(crypto_map_check)-3: Checking crypto map MAPA 10: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=7.7.7.1, sport=2304, daddr=9.9.9.9, dport=2304
IPSEC(crypto_map_check)-3: Checking crypto map MAPA 10: matched.
IPSEC: New embryonic SA created @ 0xbc40d6d0,
    SCB: 0xBB9BA1B8,
    Direction: inbound
    SPI      : 0xC3021D7D
    Session ID: 0x0001B000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=7.7.7.1, sport=2304, daddr=9.9.9.9, dport=2304
IPSEC(crypto_map_check)-3: Checking crypto map MAPA 10: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=7.7.7.1, sport=2304, daddr=9.9.9.9, dport=2304
IPSEC(crypto_map_check)-3: Checking crypto map MAPA 10: matched.
IPSEC: New embryonic SA created @ 0xbc40d6d0,
    SCB: 0xBB9BA1B8,
    Direction: inbound
    SPI      : 0x725630C6
    Session ID: 0x0001C000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=7.7.7.1, sport=2304, daddr=9.9.9.9, dport=2304
IPSEC(crypto_map_check)-3: Checking crypto map MAPA 10: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=7.7.7.1, sport=2304, daddr=9.9.9.9, dport=2304
IPSEC(crypto_map_check)-3: Checking crypto map MAPA 10: matched.
IPSEC: New embryonic SA created @ 0xbc40d708,
    SCB: 0xBB9BA1B8,
    Direction: inbound
    SPI      : 0xBB6B8641
    Session ID: 0x0001D000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=7.7.7.1, sport=2304, daddr=9.9.9.9, dport=2304
IPSEC(crypto_map_check)-3: Checking crypto map MAPA 10: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=7.7.7.1, sport=2304, daddr=9.9.9.9, dport=2304
IPSEC(crypto_map_check)-3: Checking crypto map MAPA 10: matched.
IPSEC: New embryonic SA created @ 0xbc40d708,
    SCB: 0xBB9C0D18,
    Direction: inbound
    SPI      : 0xBE0D887B
    Session ID: 0x0001E000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=7.7.7.1, sport=2304, daddr=9.9.9.9, dport=2304
IPSEC(crypto_map_check)-3: Checking crypto map MAPA 10: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=7.7.7.1, sport=2304, daddr=9.9.9.9, dport=2304
IPSEC(crypto_map_check)-3: Checking crypto map MAPA 10: matched.
IPSEC: New embryonic SA created @ 0xbc40d708,
    SCB: 0xBB9C4370,
    Direction: inbound
    SPI      : 0x103D3833
    Session ID: 0x0001F000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
no deb
asa2# no debug all

there is not too much information in the above output. Let’s check the output from the router:

R17#
*Dec 13 19:57:40.187: IPSEC(validate_proposal_request): proposal part #1
*Dec 13 19:57:40.187: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 8.8.8.1:0, remote= 8.8.8.2:0,
    local_proxy= 9.9.9.9/255.255.255.255/256/0,
    remote_proxy= 7.7.7.1/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 13 19:57:40.187: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:40.187: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:40.187: map_db_find_best did not find matching map
*Dec 13 19:57:40.187: IPSEC(ipsec_process_proposal): proxy identities not supported
R17#
*Dec 13 19:57:42.171: IPSEC(validate_proposal_request): proposal part #1
*Dec 13 19:57:42.171: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 8.8.8.1:0, remote= 8.8.8.2:0,
    local_proxy= 9.9.9.9/255.255.255.255/256/0,
    remote_proxy= 7.7.7.1/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 13 19:57:42.179: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:42.179: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:42.183: map_db_find_best did not find matching map
*Dec 13 19:57:42.183: IPSEC(ipsec_process_proposal): proxy identities not supported
R17#
*Dec 13 19:57:44.219: IPSEC(validate_proposal_request): proposal part #1
*Dec 13 19:57:44.219: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 8.8.8.1:0, remote= 8.8.8.2:0,
    local_proxy= 9.9.9.9/255.255.255.255/256/0,
    remote_proxy= 7.7.7.1/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 13 19:57:44.223: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:44.223: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:44.223: map_db_find_best did not find matching map
*Dec 13 19:57:44.223: IPSEC(ipsec_process_proposal): proxy identities not supported
R17#
*Dec 13 19:57:46.243: IPSEC(validate_proposal_request): proposal part #1
*Dec 13 19:57:46.243: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 8.8.8.1:0, remote= 8.8.8.2:0,
    local_proxy= 9.9.9.9/255.255.255.255/256/0,
    remote_proxy= 7.7.7.1/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 13 19:57:46.251: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:46.251: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:46.255: map_db_find_best did not find matching map
*Dec 13 19:57:46.255: IPSEC(ipsec_process_proposal): proxy identities not supported
R17#
*Dec 13 19:57:48.207: IPSEC(validate_proposal_request): proposal part #1
*Dec 13 19:57:48.207: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 8.8.8.1:0, remote= 8.8.8.2:0,
    local_proxy= 9.9.9.9/255.255.255.255/256/0,
    remote_proxy= 7.7.7.1/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 13 19:57:48.211: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
R17#
*Dec 13 19:57:48.211: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:48.211: map_db_find_best did not find matching map
*Dec 13 19:57:48.211: IPSEC(ipsec_process_proposal): R17#
*Dec 13 19:57:40.187: IPSEC(validate_proposal_request): proposal part #1
*Dec 13 19:57:40.187: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 8.8.8.1:0, remote= 8.8.8.2:0,
    local_proxy= 9.9.9.9/255.255.255.255/256/0,
    remote_proxy= 7.7.7.1/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 13 19:57:40.187: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:40.187: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:40.187: map_db_find_best did not find matching map
*Dec 13 19:57:40.187: IPSEC(ipsec_process_proposal): proxy identities not supported
R17#
*Dec 13 19:57:42.171: IPSEC(validate_proposal_request): proposal part #1
*Dec 13 19:57:42.171: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 8.8.8.1:0, remote= 8.8.8.2:0,
    local_proxy= 9.9.9.9/255.255.255.255/256/0,
    remote_proxy= 7.7.7.1/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 13 19:57:42.179: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:42.179: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:42.183: map_db_find_best did not find matching map
*Dec 13 19:57:42.183: IPSEC(ipsec_process_proposal): proxy identities not supported
R17#
*Dec 13 19:57:44.219: IPSEC(validate_proposal_request): proposal part #1
*Dec 13 19:57:44.219: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 8.8.8.1:0, remote= 8.8.8.2:0,
    local_proxy= 9.9.9.9/255.255.255.255/256/0,
    remote_proxy= 7.7.7.1/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 13 19:57:44.223: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:44.223: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:44.223: map_db_find_best did not find matching map
*Dec 13 19:57:44.223: IPSEC(ipsec_process_proposal): proxy identities not supported
R17#
*Dec 13 19:57:46.243: IPSEC(validate_proposal_request): proposal part #1
*Dec 13 19:57:46.243: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 8.8.8.1:0, remote= 8.8.8.2:0,
    local_proxy= 9.9.9.9/255.255.255.255/256/0,
    remote_proxy= 7.7.7.1/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 13 19:57:46.251: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:46.251: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:46.255: map_db_find_best did not find matching map
*Dec 13 19:57:46.255: IPSEC(ipsec_process_proposal): proxy identities not supported
R17#
*Dec 13 19:57:48.207: IPSEC(validate_proposal_request): proposal part #1
*Dec 13 19:57:48.207: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 8.8.8.1:0, remote= 8.8.8.2:0,
    local_proxy= 9.9.9.9/255.255.255.255/256/0,
    remote_proxy= 7.7.7.1/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 13 19:57:48.211: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
R17#
*Dec 13 19:57:48.211: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:48.211: map_db_find_best did not find matching map
*Dec 13 19:57:48.211: IPSEC(ipsec_process_proposal): proxy identities not supported
R17#
R17#no de
R17#no debug all
All possible debugging has been turned off
R17#

As you see above there is a problem with an access list: “proxy identities not supported”. Let’s check access lists on both peers:

asa2# sh run | i access-list
access-list VPN extended permit ip host 7.7.7.1 host 9.9.9.9
R17#sh run | i access
access-list 101 permit ip host 9.9.9.9 host 7.7.7.7
R17#

As you see there is a problem with the access list on R17. It should be:

access-list 101 permit ip host 9.9.9.9 host 7.7.7.7

Let’s fix it and test it once again:

R18#ping 9.9.9.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 68/75/84 ms
R18#

As you see to investigate the problem you need to check debug outputs from two peers becuase in most cases one side can’t help you in your troubleshooting.

 
20
Kudos
 
20
Kudos

Now read this

Zone-Based Policy Firewall High Availability

Today I’m going to present how to implement a high availability for ZBPF. Below you can see the scenario I work on: As you see I have two routers (R1 and R2) which now operates separately. From R4 we can reach R5 via R1 and R2: R4#sh ip... Continue →