cisco ikev2 error address type not supported
Cisco recommends that you have knowledge of the packet exchange for IKEv2. You wrote "had to change source interface to Service VPN". These parameters are identical to the one that was received from ASA1. The Notify Payload, is used to transmit informational data, such as error conditions and state transitions, to an IKE peer. For more information, refer to IKEv2 Packet Exchange and Protocol Level Debugging. IKEv2 is the supporting protocol for IP Security Protocol (IPsec) and is used for performing mutual authentication and establishing and maintaining security associations (SAs). Following is the output of above router debug crypto ikev2: 189014: *Aug 8 14:01:22.145 Chicago: IKEv2:Received Packet [From 2.2.2.2:500/To 1.1.1.1:500/VRF i0:f0], Initiator SPI : 8A15E970577C6140 - Responder SPI : 0000000000000000 Message id: 0, SA KE N NOTIFY(REDIRECT_SUPPORTED) NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(Unknown - 16430), 189015: *Aug 8 14:01:22.145 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Verify SA init message, 189016: *Aug 8 14:01:22.145 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Insert SA, 189017: *Aug 8 14:01:22.145 Chicago: IKEv2:Searching Policy with fvrf 0, local address 1.1.1.1, 189018: *Aug 8 14:01:22.145 Chicago: IKEv2:Found Policy 'ikev2policy', 189019: *Aug 8 14:01:22.145 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Processing IKE_SA_INIT message, 189020: *Aug 8 14:01:22.145 Chicago: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s), 189021: *Aug 8 14:01:22.145 Chicago: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'TP-self-signed-653483565', 189022: *Aug 8 14:01:22.145 Chicago: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints, 189023: *Aug 8 14:01:22.145 Chicago: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED, 189024: *Aug 8 14:01:22.145 Chicago: IKEv2:Failed to retrieve Certificate Issuer list, 189025: *Aug 8 14:01:22.145 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14, 189026: *Aug 8 14:01:22.145 Chicago: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED, 189027: *Aug 8 14:01:22.145 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Request queued for computation of DH key, 189028: *Aug 8 14:01:22.149 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14, 189029: *Aug 8 14:01:22.149 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Request queued for computation of DH secret, 189030: *Aug 8 14:01:22.161 Chicago: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED, 189031: *Aug 8 14:01:22.161 Chicago: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA, 189032: *Aug 8 14:01:22.161 Chicago: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED, 189033: *Aug 8 14:01:22.161 Chicago: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch, 189034: *Aug 8 14:01:22.161 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Generating IKE_SA_INIT message. Find answers to your questions by entering keywords or phrases in the Search bar above. The CHILD_SA packet typically contains: Router 2 now builds the reply for the CHILD_SA exchange. We may get it in march release if everything will be on track. The keys used for the encryption and integrity protection are derived from SKEYID and are known as: SK_e (encryption), SK_a (authentication), SK_d is derived and used for derivation of further keying material for CHILD_SAs, and a separate SK_e and SK_a is computed for each direction. You cannot use PSK for authentication of a Remote Access FlexVPN, see this screenshot below from Cisco live presentation BRKSEX-2881. Cisco Community Technology and Support Security VPN Remote Access IKEv2 Auth exchange failed 33016 5 2 Remote Access IKEv2 Auth exchange failed Go to solution mustafa.chapal Beginner 08-08-2018 01:52 PM - edited 03-12-2019 05:29 AM Hi, If it guesses wrong, the CREATE_CHILD_SA exchange fails, and it will have to retry with a different KEi. *Nov 11 19:30:34.835: IKEv2:KMI message 12 consumed. Refer toCisco Technical Tips Conventionsfor more information on document conventions. Edit your Feature Template for the VPN Interface Ethernet that is applied to your physical interface in VPN0.Under ACL/QOS add a IPv4 Ingress Access List using the name of the ACL you created in the first step. These debug commands are used in this document: *Nov 11 20:28:34.003: IKEv2:Got a packet from dispatcher *Nov 11 20:28:34.003: IKEv2: Processing an item off the pak queue *Nov 11 19:30:34.811: IKEv2:% Getting preshared key by address 10.0.0.2 *Nov 11 19:30:34.811: IKEv2:Adding Proposal PHASE1-prop to toolkit policyle *Nov 11 19:30:34.811: IKEv2:(1): Choosing IKE profile IKEV2-SETUP *Nov 11 19:30:34.811: IKEv2:New ikev2 sa request admitted *Nov 11 19:30:34.811: IKEv2:Incrementing outgoing negotiating sa count by one. It seems like it's not passing domain information. IKEv2 Packet Exchange and Protocol Level Debugging, Technical Support & Documentation - Cisco Systems, Router 1 receives a packet that matches the crypto acl for peer ASA 10.0.0.2. The difference between IKEv1 and IKEv2 is that, in the latter, the Child SAs are created as part of AUTH exchange itself. You can configure IPsec on tunnels for VPN 1 through 65530, except for 512. https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/System-Interface/systems-interfaces-book/configure-interfaces.html. Relevant Configuration:crypto ikev2 proposal PHASE1-prop encryption 3des aes-cbc-128 integrity sha1 group 2crypto ikev2 keyring KEYRNG peer peer1 address 10.0.0.2 255.255.255.0 hostname host1 pre-shared-key local cisco pre-shared-key remote cisco, *Nov 11 19:30:34.814: IKEv2:Got a packet from dispatcher *Nov 11 19:30:34.814: IKEv2:Processing an item off the pak queue *Nov 11 19:30:34.814: IKEv2:New ikev2 sa request admitted *Nov 11 19:30:34.814: IKEv2:Incrementing incoming negotiating sa count by one, *Nov 11 19:30:34.814: IKEv2:Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 344 Payload contents: SA Next payload: KE, reserved: 0x0, length: 56 last proposal: 0x0, reserved: 0x0, length: 52 Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 5 last transform: 0x3, reserved: 0x0: length: 8 type: 1, reserved: 0x0, id: 3DES last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA1 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA96 last transform: 0x0, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2 KE Next payload: N, reserved: 0x0, length: 136 DH group: 2, Reserved: 0x0 N Next payload: VID, reserved: 0x0, length: 24 *Nov 11 19:30:34.814: IKEv2:Parse Vendor Specific Payload: CISCO-DELETE-REASON VID Next payload: VID, reserved: 0x0, length: 23 *Nov 11 19:30:34.814: IKEv2:Parse Vendor Specific Payload: (CUSTOM) VID Next payload: NOTIFY, reserved: 0x0, length: 21 *Nov 11 19:30:34.814: IKEv2:Parse Notify Payload: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28 Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP *Nov 11 19:30:34.814: IKEv2:Parse Notify Payload: NAT_DETECTION_DESTINATION_IP NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: NONE, reserved: 0x0, length: 28 Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP, *Nov 11 19:30:34.814: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (R) MsgID = 00000000 CurState: IDLE Event:EV_RECV_INIT *Nov 11 19:30:34.814: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (R) MsgID = 00000000 CurState: R_INIT Event:EV_VERIFY_MSG *Nov 11 19:30:34.814: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (R) MsgID = 00000000 CurState: R_INIT Event:EV_INSERT_SA *Nov 11 19:30:34.814: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (R) MsgID = 00000000 CurState: R_INIT Event:EV_GET_IKE_POLICY *Nov 11 19:30:34.814: IKEv2:Adding Proposal default to toolkit policy *Nov 11 19:30:34.814: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (R) MsgID = 00000000 CurState: R_INIT Event:EV_PROC_MSG *Nov 11 19:30:34.814: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (R) MsgID = 00000000 CurState: R_INIT Event: EV_DETECT_NAT *Nov 11 19:30:34.814: IKEv2:(SA ID = 1):Process NAT discovery notify *Nov 11 19:30:34.814: IKEv2:(SA ID = 1):Processing nat detect src notify *Nov 11 19:30:34.814: IKEv2:(SA ID = 1):Remote address matched *Nov 11 19:30:34.814: IKEv2:(SA ID = 1):Processing nat detect dst notify *Nov 11 19:30:34.814: IKEv2:(SA ID = 1):Local address matched *Nov 11 19:30:34.814: IKEv2:(SA ID = 1):No NAT found *Nov 11 19:30:34.814: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (R) MsgID = 00000000 CurState: R_INIT Event: EV_CHK_CONFIG_MODE *Nov 11 19:30:34.814: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_SET_POLICY *Nov 11 19:30:34.814: IKEv2:(SA ID = 1):Setting configured policies *Nov 11 19:30:34.814: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_CHK_AUTH4PKI *Nov 11 19:30:34.814: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_PKI_SESH_OPEN *Nov 11 19:30:34.814: IKEv2:(SA ID = 1):Opening a PKI session *Nov 11 19:30:34.815: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (R) MsgID = 00000000 CurState: R_BLD_INIT Event:EV_GEN_DH_KEY *Nov 11 19:30:34.815: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_NO_EVENT *Nov 11 19:30:34.815: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (R) MsgID = 00000000 CurState: R_BLD_INIT Event:EV_OK_RECD_DH_PUBKEY_RESP *Nov 11 19:30:34.815: IKEv2:(SA ID = 1):Action: Action_Null *Nov 11 19:30:34.815: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (R) MsgID = 00000000 CurState: R_BLD_INIT Event:EV_GEN_DH_SECRET *Nov 11 19:30:34.822: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_NO_EVENT *Nov 11 19:30:34.822: IKEv2:%Getting preshared key by address 10.0.0.1 *Nov 11 19:30:34.822: IKEv2:Adding Proposal default to toolkit policy *Nov 11 19:30:34.822: IKEv2:(2): Choosing IKE profile IKEV2-SETUP *Nov 11 19:30:34.822: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_OK_RECD_DH_SECRET_RESP *Nov 11 19:30:34.822: IKEv2:(SA ID = 1):Action: Action_Null *Nov 11 19:30:34.822: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (R) MsgID = 00000000 CurState: R_BLD_INIT Event:EV_GEN_SKEYID *Nov 11 19:30:34.822: IKEv2:(SA ID = 1):Generate skeyid *Nov 11 19:30:34.822: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_GET_CONFIG_MODE *Nov 11 19:30:34.822: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch *Nov 11 19:30:34.822: IKEv2:No config data to send to toolkit: *Nov 11 19:30:34.822: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_BLD_MSG *Nov 11 19:30:34.822: IKEv2:Construct Vendor Specific Payload: DELETE-REASON *Nov 11 19:30:34.822: IKEv2:Construct Vendor Specific Payload: (CUSTOM) *Nov 11 19:30:34.822: IKEv2:Construct Notify Payload: NAT_DETECTION_SOURCE_IP *Nov 11 19:30:34.822: IKEv2:Construct Notify Payload: NAT_DETECTION_DESTINATION_IP *Nov 11 19:30:34.822: IKEv2:Construct Notify Payload: HTTP_CERT_LOOKUP_SUPPORTED. Learn more about how Cisco is using Inclusive Language. This packet contains: ISAKMP Header(SPI/ version/flags), SAr1(cryptographic algorithm that IKE responder chooses), KEr(DH public Key value of the responder), and Responder Nonce. Description (partial) Symptom: Garbage value (non-comprehensible) seen in the ikev2 error line "Address type 4132115430 not supported" Conditions: When ikev2 error debugging is turned on. 4 Sep 18 2018 17:40:58 750003 Local:80.x.y.z:500 Remote:51.a.b.c:500 Username:51.a.b.c IKEv2 Negotiation aborted due to ERROR: Detected unsupported . If this CREATE_CHILD_SA exchange is not rekeying an existing SA, the N payload must be omitted. You can also check the output of theshow crypto sessioncommand on both routers; this output shows the tunnel session status as UP-ACTIVE. #proposal cisco. If this CREATE_CHILD_SA exchange is not rekeying an existing SA, the N payload MUST be omitted. Router 2 builds the responder message for IKE_SA_INIT exchange, which is received by ASA1. Relevant Configuration:crypto ipsec transform-set TS esp-3des esp-sha-hmac crypto ipsec profile phse2-prof set transform-set TS set ikev2-profile IKEV2-SETUP, *Nov 11 19:30:34.831: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event:EV_GEN_AUTH *Nov 11 19:30:34.831: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE *Nov 11 19:30:34.831: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN *Nov 11 19:30:34.831: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH *Nov 11 19:30:34.831: IKEv2:Construct Vendor Specific Payload: CISCO-GRANITE *Nov 11 19:30:34.831: IKEv2:Construct Notify Payload: INITIAL_CONTACT *Nov 11 19:30:34.831: IKEv2:Construct Notify Payload: SET_WINDOW_SIZE *Nov 11 19:30:34.831: IKEv2:Construct Notify Payload: ESP_TFC_NO_SUPPORT *Nov 11 19:30:34.831: IKEv2:Construct Notify Payload: NON_FIRST_FRAGS Payload contents: VID Next payload: IDi, reserved: 0x0, length: 20 IDiNext payload: AUTH, reserved: 0x0, length: 12 Id type: IPv4 address, Reserved: 0x0 0x0 AUTHNext payload: CFG, reserved: 0x0, length: 28 Auth method PSK, reserved: 0x0, reserved 0x0 CFGNext payload: SA, reserved: 0x0, length: 309 cfg type: CFG_REQUEST, reserved: 0x0, reserved: 0x0, *Nov 11 19:30:34.831: SA Next payload:TSi, reserved: 0x0, length: 40 last proposal: 0x0, reserved: 0x0, length: 36 Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3 last transform: 0x3, reserved: 0x0: length: 8 type: 1, reserved: 0x0, id: 3DES last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA96 last transform: 0x0, reserved: 0x0: length: 8 type: 5, reserved: 0x0, id: Don't use ESN TSiNext payload: TSr, reserved: 0x0, length: 24 Num of TSs: 1, reserved 0x0, reserved 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 start port: 0, end port: 65535 start addr: 0.0.0.0, end addr: 255.255.255.255 TSrNext payload: NOTIFY, reserved: 0x0, length: 24 Num of TSs: 1, reserved 0x0, reserved 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 start port: 0, end port: 65535 start addr: 0.0.0.0, end addr: 255.255.255.255, NOTIFY(INITIAL_CONTACT) Next payload: NOTIFY, reserved: 0x0, length: 8 Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT NOTIFY(SET_WINDOW_SIZE) Next payload: NOTIFY, reserved: 0x0, length: 12 Security protocol id: IKE, spi size: 0, type: SET_WINDOW_SIZE NOTIFY(ESP_TFC_NO_SUPPORT) Next payload: NOTIFY, reserved: 0x0, length: 8 Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT NOTIFY(NON_FIRST_FRAGS) Next payload: NONE, reserved: 0x0, length: 8 Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS *Nov 11 19:30:34.832: IKEv2:(SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type:IKE_AUTH, flags:INITIATORMessage id: 1, length: 556 Payload contents: ENCR Next payload: VID, reserved: 0x0, length: 528 *Nov 11 19:30:34.833: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (I) MsgID = 00000001CurState: I_WAIT_AUTHEvent: EV_NO_EVENT, *Nov 11 19:30:34.832: IKEv2:Got a packet from dispatcher *Nov 11 19:30:34.832: IKEv2:Processing an item off the pak queue *Nov 11 19:30:34.832: IKEv2:(SA ID = 1):Request has mess_id 1; expected 1 through 1 *Nov 11 19:30:34.832:IKEv2:(SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type:IKE_AUTH, flags:INITIATORMessage id: 1, length: 556 Payload contents: *Nov 11 19:30:34.832: IKEv2:Parse Vendor Specific Payload: (CUSTOM) VID Next payload: IDi, reserved: 0x0, length: 20 IDiNext payload: AUTH, reserved: 0x0, length: 12 Id type: IPv4 address, Reserved: 0x0 0x0 AUTH Next payload: CFG, reserved: 0x0, length: 28 Auth method PSK, reserved: 0x0, reserved 0x0 CFG Next payload: SA, reserved: 0x0, length: 309 cfg type: CFG_REQUEST, reserved: 0x0, reserved: 0x0 *Nov 11 19:30:34.832: attrib type: internal IP4 DNS, length: 0 *Nov 11 19:30:34.832: attrib type: internal IP4 DNS, length: 0 *Nov 11 19:30:34.832: attrib type: internal IP4 NBNS, length: 0 *Nov 11 19:30:34.832: attrib type: internal IP4 NBNS, length: 0 *Nov 11 19:30:34.832: attrib type: internal IP4 subnet, length: 0 *Nov 11 19:30:34.832: attrib type: application version, length: 257 attrib type: Unknown - 28675, length: 0 *Nov 11 19:30:34.832: attrib type: Unknown - 28672, length: 0 *Nov 11 19:30:34.832: attrib type: Unknown - 28692, length: 0 *Nov 11 19:30:34.832: attrib type: Unknown - 28681, length: 0 *Nov 11 19:30:34.832: attrib type: Unknown - 28674, length: 0 *Nov 11 19:30:34.832:SANext payload: TSi, reserved: 0x0, length: 40 last proposal: 0x0, reserved: 0x0, length: 36 Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3 last transform: 0x3, reserved: 0x0: length: 8 type: 1, reserved: 0x0, id: 3DES last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA96 last transform: 0x0, reserved: 0x0: length: 8 type: 5, reserved: 0x0, id: Don't use ESN TSiNext payload: TSr, reserved: 0x0, length: 24 Num of TSs: 1, reserved 0x0, reserved 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 start port: 0, end port: 65535 start addr: 0.0.0.0, end addr: 255.255.255.255 TSr Next payload: NOTIFY, reserved: 0x0, length: 24 Num of TSs: 1, reserved 0x0, reserved 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 start port: 0, end port: 65535 start addr: 0.0.0.0, end addr: 255.255.255.255.