OK, so we hooked it up and it looks like we are close, but I keep getting an error. See output below.
(Aruba3600) (config) #show log security 100 | include ike
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> IKE_addIPsecKey spi:64d60d00 opp-spi:f304c700 src:192.168.168.254 dst:192.168.168.32 initiator:NO out:1
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> IPSEC_keyAddEx spdid:0
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> IPSEC_newSa pxSaTmp-flags 1001 Dst-IP-Port:192.168.168.32:4500 status:-8814
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> IPSEC_newSa: found older SA
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> IPSEC_delSa SADB Proto:50 SPI:fc00d200 OppSPI:bf04a100 Dst:192.168.168.32 Src:192.168.168.254 natt:4500 Dport:0 Sport:0 Oprot:0 Mode:2 DstIP:192.168.168.32 DstIPe:192.168.168.32 SrcIP:0.0.0.0 SrcIPe
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> arubaIPSecSetKeys:IPSECKEY proto:50 ospi:fc00d200 ispi:bf04a100 auth:2 len:20 enc:4 len:32 add:0 out:1
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> ipc_mocana_setup_ipsec_dp_sa sa src=192.168.168.254:4500,dst=192.168.168.32:4500,srcnet:0.0.0.0/0.0.0.0 dstnet:192.168.168.32/255.255.255.255
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> ipc_mocana_setup_ipsec_dp_sa innerip:192.168.168.32
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> ipc_mocana_setup_ipsec_dp_sa: out:1 natt:1 mode:1 proto:1 cipher:4 auth:2 spi:fc00d200 oppspi:bf04a100 esrc:c0a8a8fe edst:c0a8a820 dstnet:c0a8a820 dstmask:ffffffff nattport:4500 trust:0 dpd:0
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> Setup the IPSEC SA --- DONE !!
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> ipc_mocana_setup_ipsec_dp_sa sa src=192.168.168.254:4500,dst=192.168.168.32:4500,srcnet:192.168.168.32/255.255.255.255 dstnet:0.0.0.0/0.0.0.0
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> ipc_mocana_setup_ipsec_dp_sa innerip:192.168.168.32
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> ipc_mocana_setup_ipsec_dp_sa: out:0 natt:1 mode:1 proto:1 cipher:4 auth:2 spi:bf04a100 oppspi:fc00d200 esrc:c0a8a820 edst:c0a8a8fe dstnet:0 dstmask:0 nattport:4500 trust:0 dpd:0
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> Setup the IPSEC SA --- DONE !!
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> IPSEC_newSa Added outbound-hash for pxSa 0x102c3c34 IP:192.168.168.32 status:0 inbound:0 hash:2361489640
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> IPSEC_newSa SADB:0x102c3c34 Proto:50 SPI:64d60d00 OppSPI:f304c700 Dst:192.168.168.32 Src:192.168.168.254 natt:4500 Dport:0 Sport:0 Oprot:0 Mode:2 DstIP:192.168.168.32 DstIPe:192.168.168.32 SrcIP:0.0
Jan 10 16:03:42 :103076: <INFO> |ike| IKEv2 IPSEC Tunnel created for peer 192.168.168.32:4500
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> arubaIPSecSetKeys:IPSECKEY proto:50 ospi:64d60d00 ispi:f304c700 auth:2 len:20 enc:4 len:32 add:1 out:1
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> ipc_mocana_setup_ipsec_dp_sa sa src=192.168.168.254:4500,dst=192.168.168.32:4500,srcnet:0.0.0.0/0.0.0.0 dstnet:192.168.168.32/255.255.255.255
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> ipc_mocana_setup_ipsec_dp_sa innerip:192.168.168.32
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> ipc_mocana_setup_ipsec_dp_sa: out:1 natt:1 mode:1 proto:1 cipher:4 auth:2 spi:64d60d00 oppspi:f304c700 esrc:c0a8a8fe edst:c0a8a820 dstnet:c0a8a820 dstmask:ffffffff nattport:4500 trust:0 dpd:0
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> Setup the IPSEC SA --- DONE !!
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> ipc_mocana_setup_ipsec_dp_sa sa src=192.168.168.254:4500,dst=192.168.168.32:4500,srcnet:192.168.168.32/255.255.255.255 dstnet:0.0.0.0/0.0.0.0
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> ipc_mocana_setup_ipsec_dp_sa innerip:192.168.168.32
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> ipc_mocana_setup_ipsec_dp_sa: out:0 natt:1 mode:1 proto:1 cipher:4 auth:2 spi:f304c700 oppspi:64d60d00 esrc:c0a8a820 edst:c0a8a8fe dstnet:0 dstmask:0 nattport:4500 trust:0 dpd:0
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> Setup the IPSEC SA --- DONE !!
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> encr=aes ESP spi=64d60d00 192.168.168.32 << 192.168.168.254 udp-enc* spd=0(0) exp=7200 secs
Jan 10 16:03:42 :103078: <INFO> |ike| IKEv2 CHILD_SA successful for peer 192.168.168.32:4500
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> CHILD_SA [v2 R
Jan 10 16:03:42 :103063: <DBUG> |ike| 192.168.168.32:4500-> udp_encap_handle_message IKEv2 pkt status:0
Jan 10 16:03:47 :103063: <DBUG> |ike| IKE2_updateSadb Permanently Deleting IKE_SA
Jan 10 16:03:47 :103063: <DBUG> |ike| IKE2_delSa error:0 saflags:20100109 arflags:5
Jan 10 16:03:47 :103063: <DBUG> |ike| IKE2_delSa
Jan 10 16:03:47 :103063: <DBUG> |ike| IKE_SA (id=0xe50d7108) deleted
Jan 10 16:03:47 :103063: <DBUG> |ike| , status = -8972
Jan 10 16:03:47 :103063: <DBUG> |ike| IKE2_delSa
Jan 10 16:04:02 :103063: <DBUG> |ike| 209.255.10.251:500-> message_recv: invalid cookie(s) cdc412f883afb873 2b8947529d14b67c
Jan 10 16:04:02 :103060: <DBUG> |ike| 209.255.10.251:500-> message.c:message_drop:2833 Message drop from 209.255.10.251 port 500 due to notification type INVALID_COOKIE
Jan 10 16:04:04 :103063: <DBUG> |ike| 209.255.10.251:500-> exchange_setup_p1: ID is IPv4
Jan 10 16:04:04 :103063: <DBUG> |ike| 209.255.10.251:500-> exchange_setup_p1: expected exchange type ID_PROT got AGGRESSIVE
Jan 10 16:04:04 :103063: <DBUG> |ike| 209.255.10.251:500-> exchange_setup_p1: USING exchange type AGGRESSIVE
Jan 10 16:04:04 :103063: <DBUG> |ike| 209.255.10.251:500-> New(2) AGGRESSIVE Exchange ic 36503aa1b52fd8e7 rc 5d123b350eef205c
Jan 10 16:04:04 :103060: <DBUG> |ike| 209.255.10.251:500-> ike_phase_1.c:ike_phase_1_responder_recv_SA:850 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 209.255.10.251.
Jan 10 16:04:04 :103060: <DBUG> |ike| 209.255.10.251:500-> ike_phase_1.c:attribute_unacceptable:2730 Proposal match failed in group desc, configured=MODP_768, peer using=MODP_1024
Jan 10 16:04:04 :103060: <DBUG> |ike| 209.255.10.251:500-> ike_phase_1.c:attribute_unacceptable:2689 Proposal match failed in encryption algo, configured=AES_CBC, peer using=3DES_CBC
Jan 10 16:04:04 :103063: <DBUG> |ike| 209.255.10.251:500-> group_get entered id:2
Jan 10 16:04:04 :103063: <DBUG> |ike| 209.255.10.251:500-> group_get ike_group:0x10000178
Jan 10 16:04:04 :103063: <DBUG> |ike| 209.255.10.251:500-> modp_init entered
Jan 10 16:04:04 :103063: <DBUG> |ike| 209.255.10.251:500-> group_get group:0x10469774
Jan 10 16:04:04 :103060: <DBUG> |ike| 209.255.10.251:500-> ike_phase_1.c:ike_phase_1_responder_recv_SA:1000 Ike Phase 1 received SA
Jan 10 16:04:04 :103060: <DBUG> |ike| 209.255.10.251:500-> ike_phase_1.c:ike_phase_1_recv_ID:2097 received IKE ID Type 1 exchange:209.255.10.251
Jan 10 16:04:04 :103063: <DBUG> |ike| 209.255.10.251:500-> ike_phase_1_responder_send_SA_NAT_T Accepted 1 of the Proposals, sending Response for exchange:209.255.10.251
Jan 10 16:04:04 :103063: <DBUG> |ike| 209.255.10.251:500-> ike_phase_1_send_KE_NONCE 209.255.10.251
Jan 10 16:04:04 :103063: <DBUG> |ike| 209.255.10.251:500-> ike_auth_get_key: Ike type 1
Jan 10 16:04:04 :103063: <DBUG> |ike| 209.255.10.251:500-> GetFirstMatchIsakmpPSK: entering
Jan 10 16:04:04 :103063: <DBUG> |ike| 209.255.10.251:500-> mask FFFFFFFF, ip D1FF0AFB, key_ip D1FF0AFA
Jan 10 16:04:04 :103063: <DBUG> |ike| 209.255.10.251:500-> mask FFFFFFFF, ip D1FF0AFB, key_ip D1FF0AFB
Jan 10 16:04:04 :103060: <DBUG> |ike| 209.255.10.251:500-> ike_auth.c:ike_auth_get_key:593 Found isakmp policy for peer 209.255.10.251 client:yes
Jan 10 16:04:04 :103063: <DBUG> |ike| 209.255.10.251:500-> ike_phase_1_post_exchange_KE_NONCE IV len:8
Jan 10 16:04:04 :103063: <DBUG> |ike| 209.255.10.251:500-> ike_phase_1_post_exchange_KE_NONCE done 209.255.10.251 g_x_len:128 skeyid_len:20
Jan 10 16:04:04 :103063: <DBUG> |ike| 209.255.10.251:500-> ike_phase_1_send_ID 209.255.10.251
Jan 10 16:04:04 :103063: <DBUG> |ike| 209.255.10.251:500-> ike_auth_hash
Jan 10 16:04:04 :103063: <DBUG> |ike| 209.255.10.251:500-> ike_phase_1_send_AUTH
Jan 10 16:04:06 :103062: <INFO> |ike| 209.255.10.251:500-> IKE Aggressive Mode Phase 1 succeeded for peer 209.255.10.251
Jan 10 16:04:06 :103063: <DBUG> |ike| 209.255.10.251:500-> ->Delete AGGRESSIVE Exchange ic 36503aa1b52fd8e7 rc 5d123b350eef205c
Jan 10 16:04:06 :103063: <DBUG> |ike| 209.255.10.251:500-> modp_free entered
Jan 10 16:04:06 :103060: <DBUG> |ike| 209.255.10.251:500-> message.c:message_validate_hash:881 DELETE notification received with proper hash
Jan 10 16:04:06 :103060: <DBUG> |ike| 209.255.10.251:500-> ipsec.c:ipsec_delete_spi_list:1699 DELETE made us delete Phase-2 SA 0x1054a464 (1 references) for proto 3 Peer:209.255.10.251
Jan 10 16:04:06 :103063: <DBUG> |ike| 209.255.10.251:500-> sa_release: decrement limit 0
Jan 10 16:04:06 :103063: <DBUG> |ike| 209.255.10.251:500-> ipsec_sa 0x1049cb1c, proto 0x10461914
Jan 10 16:04:06 :103063: <DBUG> |ike| 209.255.10.251:500-> ipc_setup_ipsec_dp_sa add=0, out=1, sa=0x1054a464, proto=0x10461914
Jan 10 16:04:06 :103063: <DBUG> |ike| 209.255.10.251:500-> ipc_setup_ipsec_dp_sa sa src=0x0a010132, dst=0xd1ff0afb
Jan 10 16:04:06 :103060: <DBUG> |ike| 209.255.10.251:500-> ipc.c:ipc_print_dp_packet:2610 DP: :TUNNEL::SA_DEL::L2TP: OFF::outgoing::ESP::3DES or DES::Auth = SHA1:, SPI DD7D6BDE, esrc A010132, edst_ip D1FF0AFB, dst_ip 0, natt 0, natt_dport 0, l2tp_tunid 0, l2tp_sessid 0, l2tp_hello 0
Jan 10 16:04:06 :103060: <DBUG> |ike| 209.255.10.251:500-> ipc.c:ipc_modify_sb_data:2016 IPSEC dst_ip=0.0.0.0, dst_mask 0.0.0.0 inner_ip 0.0.0.0 client:yestrusted:no, Master-Local:no
Jan 10 16:04:06 :103063: <DBUG> |ike| 209.255.10.251:500-> Setup the outgoing IPSEC SA --- DONE !!
Jan 10 16:04:06 :103063: <DBUG> |ike| 209.255.10.251:500-> ipc_setup_ipsec_dp_sa add=0, out=0, sa=0x1054a464, proto=0x10461914
Jan 10 16:04:06 :103063: <DBUG> |ike| 209.255.10.251:500-> ipc_setup_ipsec_dp_sa sa src=0x0a010132, dst=0xd1ff0afb
Jan 10 16:04:06 :103060: <DBUG> |ike| 209.255.10.251:500-> ipc.c:ipc_print_dp_packet:2610 DP: :TUNNEL::SA_DEL::L2TP: OFF::incoming::ESP::3DES or DES::Auth = SHA1:, SPI 3F4C0B00, esrc D1FF0AFB, edst_ip A010132, dst_ip 0, natt 0, natt_dport 0, l2tp_tunid 0, l2tp_sessid 0, l2tp_hello 0
Jan 10 16:04:06 :103063: <DBUG> |ike| 209.255.10.251:500-> Setup the incoming IPSEC SA --- DONE !!
Jan 10 16:04:06 :103063: <DBUG> |ike| 209.255.10.251:500-> ->Delete INFO Exchange ic 36503aa1b52fd8e7 rc 5d123b350eef205c
Jan 10 16:04:07 :103060: <DBUG> |ike| 209.255.10.251:500-> sa.c:ike_sa_setup_ph2complete_timer:2860 SA 0x10549374 ph2-completion timeout in 30 seconds
Jan 10 16:04:07 :103063: <DBUG> |ike| 209.255.10.251:500-> ike_phase_2_validate_prop_for_client dyn-map default-dynamicmap
Jan 10 16:04:07 :103063: <DBUG> |ike| 209.255.10.251:500-> ike_phase_2_validate_prop_for_client map default-dynamicmap v:1
Jan 10 16:04:07 :103060: <DBUG> |ike| 209.255.10.251:500-> ike_quick_mode.c:responder_recv_HASH_SA_NONCE:2589 message negotiation succeeded
Jan 10 16:04:07 :103063: <DBUG> |ike| 209.255.10.251:500-> post_quick_mode keymat:0 len:44
Jan 10 16:04:07 :103063: <DBUG> |ike| 209.255.10.251:500-> post_quick_mode keymat:1 len:44
Jan 10 16:04:07 :103022: <INFO> |ike| IKE Quick Mode succeeded for peer 209.255.10.251
Jan 10 16:04:07 :103034: <INFO> |ike| IKE Quick Mode succeeded from client external 209.255.10.251
Jan 10 16:04:07 :103063: <DBUG> |ike| 209.255.10.251:500-> ipsec_finalize_exchange: src_net 10.1.1.50 src_mask 255.255.255.255 dst_net 192.168.233.1 dst_mask 255.255.255.0 tproto 0 sport 0 dport 0
Jan 10 16:04:07 :103063: <DBUG> |ike| 209.255.10.251:500-> ipsec_sa 0x1046bc4c, proto 0x10461914
To me it looks like we are good right up to this point...
Jan 10 16:04:07 :103043: <ERRS> |ike| IPSEC tunnel mode with bad inner 0.0.0.0, cannot add IPSEC SA to datapath
Jan 10 16:04:07 :103060: <DBUG> |ike| 209.255.10.251:500-> pf_key_v2.c:pf_key_v2_enable_sa:551 error calling ipc_modify_sb_data transport entry
Jan 10 16:04:07 :103052: <ERRS> |ike| Failed to enable IPSec SA
Jan 10 16:04:07 :103063: <DBUG> |ike| 209.255.10.251:500-> ->Delete DOI_MIN Exchange ic 36503aa1b52fd8e7 rc 5d123b350eef205c
Jan 10 16:04:12 :103063: <DBUG> |ike| 209.255.10.251:500-> message_parse_payloads: invalid next payload type <Unknown 67> in payload of type 8
Jan 10 16:04:12 :103060: <DBUG> |ike| 209.255.10.251:500-> message.c:message_drop:2833 Message drop from 209.255.10.251 port 500 due to notification type INVALID_PAYLOAD_TYPE
Jan 10 16:04:17 :103063: <DBUG> |ike| 209.255.10.251:500-> message_parse_payloads: invalid next payload type <Unknown 67> in payload of type 8
Jan 10 16:04:17 :103060: <DBUG> |ike| 209.255.10.251:500-> message.c:message_drop:2833 Message drop from 209.255.10.251 port 500 due to notification type INVALID_PAYLOAD_TYPE
Jan 10 16:04:22 :103063: <DBUG> |ike| 209.255.10.251:500-> message_parse_payloads: invalid next payload type <Unknown 67> in payload of type 8
Jan 10 16:04:22 :103060: <DBUG> |ike| 209.255.10.251:500-> message.c:message_drop:2833 Message drop from 209.255.10.251 port 500 due to notification type INVALID_PAYLOAD_TYPE
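
For readers triaging a similar trace: the sketch below is an added example, not part of the original post and not Aruba tooling. It pulls the negotiation findings (exchange-mode mismatch, rejected proposal attributes, dropped messages, <ERRS> lines) out of `show log security` output and groups them by peer. The function name `triage` and the rule that charges prefix-less <ERRS> lines to the most recently seen peer are assumptions of this example.

```python
import re
from collections import Counter

# Lines excerpted verbatim from the log in the post above.
SAMPLE = """\
Jan 10 16:04:04 :103063: <DBUG> |ike| 209.255.10.251:500-> exchange_setup_p1: expected exchange type ID_PROT got AGGRESSIVE
Jan 10 16:04:04 :103060: <DBUG> |ike| 209.255.10.251:500-> ike_phase_1.c:attribute_unacceptable:2730 Proposal match failed in group desc, configured=MODP_768, peer using=MODP_1024
Jan 10 16:04:04 :103060: <DBUG> |ike| 209.255.10.251:500-> ike_phase_1.c:attribute_unacceptable:2689 Proposal match failed in encryption algo, configured=AES_CBC, peer using=3DES_CBC
Jan 10 16:04:07 :103043: <ERRS> |ike| IPSEC tunnel mode with bad inner 0.0.0.0, cannot add IPSEC SA to datapath
Jan 10 16:04:07 :103052: <ERRS> |ike| Failed to enable IPSec SA
Jan 10 16:04:12 :103060: <DBUG> |ike| 209.255.10.251:500-> message.c:message_drop:2833 Message drop from 209.255.10.251 port 500 due to notification type INVALID_PAYLOAD_TYPE
"""

# Timestamp, message id, level, optional "peer:port-> " prefix, message text.
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) :(\d+): <(\w+)> \|ike\| "
                  r"(?:(\d+(?:\.\d+){3}):\d+-> )?(.*)$")
MISMATCH = re.compile(r"Proposal match failed in (.+?), configured=([^,\s]+), peer using=(\S+)")
MODE = re.compile(r"expected exchange type (\S+) got (\S+)")
DROP = re.compile(r"Message drop from \S+ port \d+ due to notification type (\S+)")

def triage(text):
    """Group IKE negotiation findings by peer IP."""
    peers, last_peer = {}, "unknown"
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msgid, level, ip, msg = m.groups()
        # <ERRS> lines carry no peer prefix; charging them to the most recently
        # seen peer is a heuristic of this example, not controller behaviour.
        last_peer = peer = ip or last_peer
        p = peers.setdefault(peer, {"mode": None, "mismatches": [],
                                    "drops": Counter(), "errors": []})
        if (mm := MISMATCH.search(msg)):
            p["mismatches"].append(mm.groups())   # (attribute, configured, peer)
        elif (mm := MODE.search(msg)):
            p["mode"] = mm.groups()               # (expected, got)
        elif (mm := DROP.search(msg)):
            p["drops"][mm.group(1)] += 1
        elif level == "ERRS":
            p["errors"].append((ts, msgid, msg))
    return peers

if __name__ == "__main__":
    for peer, findings in triage(SAMPLE).items():
        print(peer, findings)
```

Run against the full log, the per-peer summary puts the rejected proposals and the `bad inner 0.0.0.0` error side by side without scrolling through the DBUG lines.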