1812-IPSEC Site to Site PIX 6.3

We have an 1812 and need to create a site-to-site VPN tunnel with a PIX running 6.3. Yes, I know the PIX is old, but we cannot control it. It's a hosted firewall, so we don't have that kind of control. My configs are displayed for each. Please advise on what you think I should do to get these two to talk.

Thank you

-== 1812 ==-

adminfirewall#sh run
Building configuration...

Current configuration : 2649 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname adminfirewall
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip cef
!
!
no ip domain lookup
ip domain name chrysalis-shelter.org
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key butterfly address 1.1.1.1 255.255.255.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set admtrans esp-3des esp-sha-hmac
!
crypto map adminvpn 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set admtrans
 set pfs group2
 match address 100
!
!
!
!
interface FastEthernet0
 description Wan outside
 ip address 2.2.2.2 255.255.255.240
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 fair-queue 1 256 0
 crypto map adminvpn
!
interface FastEthernet1
 description Local network inside
 no ip address
 no ip unreachables
 shutdown
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description Local network inside
 ip address 192.168.254.253 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0 2.2.2.3
ip route 10.1.0.0 255.255.255.0 Vlan1 192.168.254.254
ip route 10.2.0.0 255.255.255.0 Vlan1 192.168.254.254
ip route 10.3.0.0 255.255.255.0 Vlan1 192.168.254.254
!
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface FastEthernet0 overload
!
access-list 100 remark VPN SHEEP
access-list 100 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.2.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 remark NAT
access-list 101 permit ip 10.1.0.0 0.0.0.255 any
access-list 101 permit ip 10.2.0.0 0.0.0.255 any
access-list 101 permit ip 10.3.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.254.252 0.0.0.3 any
!
!
!
!
control-plane
!
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 exec-timeout 0 9
 privilege level 15
 transport input ssh
!
no scheduler allocate
end

-== PIX ==-

pixfirewall# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name WR
clock timezone STD -7
clock summer-time MDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.1.0.0 chrysalisadmin
name 10.3.0.0 chrysalis10.3
name 10.2.0.0 chrysalis10.2
access-list outside_access_in permit ip any any
access-list outside_access_in permit tcp any any eq ftp-data
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp any any eq ssh
access-list outside_access_in permit tcp any any eq 42
access-list outside_access_in permit udp any any eq nameserver
access-list outside_access_in permit tcp any any eq domain
access-list outside_access_in permit udp any any eq domain
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp any any eq pop3
access-list outside_access_in permit tcp any any eq https
access-list outside_access_in permit tcp any any eq 465
access-list outside_access_in permit tcp any any eq 587
access-list outside_access_in permit tcp any any eq 995
access-list outside_access_in permit tcp any any eq 993
access-list outside_access_in permit tcp any any eq 3389
access-list outside_access_in permit tcp any any eq 2006
access-list outside_access_in permit tcp any any eq 8447
access-list outside_access_in permit tcp any any eq 8443
access-list outside_access_in permit tcp any any eq 9999
access-list outside_access_in permit tcp any any eq 2086
access-list outside_access_in permit tcp any any eq 2087
access-list outside_access_in permit tcp any any eq 2082
access-list outside_access_in permit tcp any any eq 2083
access-list outside_access_in permit tcp any any eq 2096
access-list outside_access_in permit tcp any any eq 2095
access-list outside_access_in deny tcp any any eq telnet
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in deny tcp any any eq imap4
access-list outside_access_in deny tcp any any eq 1433
access-list outside_access_in deny tcp any any eq 3306
access-list outside_access_in deny tcp any any eq 9080
access-list outside_access_in deny tcp any any eq 9090
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any source-quench
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit ip host 64.202.161.122 any
access-list outside_access_in permit ip host 208.109.188.21 any
access-list outside_access_in permit ip host 208.109.188.22 any
access-list outside_access_in permit ip host 208.109.188.10 any
access-list outside_access_in permit icmp host 64.202.161.122 any echo
access-list outside_access_in permit icmp host 208.109.188.21 any echo
access-list outside_access_in permit icmp host 208.109.188.22 any echo
access-list outside_access_in permit icmp host 208.109.188.10 any echo
access-list outside_access_in permit udp any any eq isakmp
access-list inside_nat0_outbound permit ip 10.0.0.0 255.255.255.0 chrysalisadmin 255.255.255.0
access-list inside_nat0_outbound permit ip 10.0.0.0 255.255.255.0 chrysalis10.2 255.255.255.0
access-list inside_nat0_outbound permit ip 10.0.0.0 255.255.255.0 chrysalis10.3 255.255.255.0
access-list outside_cryptomap_1 remark GoDaddy for Chrysalis Admin network 10.1.0.0
access-list outside_cryptomap_1 permit ip 10.0.0.0 255.255.255.0 chrysalisadmin 255.255.255.0
access-list outside_cryptomap_1 remark GoDaddy network 10.2.0.0 Chrysalis
access-list outside_cryptomap_1 permit ip 10.0.0.0 255.255.255.0 chrysalis10.2 255.255.255.0
access-list outside_cryptomap_1 remark GoDaddy to Chrysalis 10.3.0.0 network
access-list outside_cryptomap_1 permit ip 10.0.0.0 255.255.255.0 chrysalis10.3 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 2.2.2.2 255.255.255.0
ip address inside 10.0.0.254 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.1 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 72.167.38.79 255.255.255.255 outside
pdm location 208.109.96.4 255.255.255.255 outside
pdm location 208.109.188.4 255.255.255.255 outside
pdm location 216.69.160.4 255.255.255.255 outside
pdm location 64.202.161.122 255.255.255.255 outside
pdm location 208.109.188.21 255.255.255.255 outside
pdm location 208.109.188.22 255.255.255.255 outside
pdm location 208.109.188.10 255.255.255.255 outside
pdm location chrysalisadmin 255.255.255.0 outside
pdm location chrysalis10.2 255.255.255.0 outside
pdm location chrysalis10.3 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (outside,inside) 10.0.0.1 72.167.38.79 netmask 255.255.255.255 0 0
static (inside,outside) 72.167.38.79 10.0.0.1 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 72.167.38.254 1
route outside 208.109.96.4 255.255.255.255 72.167.38.254 1
route outside 208.109.188.4 255.255.255.255 72.167.38.254 1
route outside 216.69.160.4 255.255.255.255 72.167.38.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Chrysalis 1 ipsec-isakmp
crypto map Chrysalis 1 match address outside_cryptomap_1
crypto map Chrysalis 1 set peer 1.1.1.1
crypto map Chrysalis 1 set transform-set ESP-3DES-SHA
crypto map Chrysalis 1 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map Chrysalis interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access outside
console timeout 0
terminal width 511
Cryptochecksum:80ccff6b5b84bdd6b0359afd7ee44b48
: end

(1) Is there a typing error in your configuration? Both the 1812 and the PIX have the same outside interface IP address, i.e. 2.2.2.2 in your example. So I don't know if there is a typing error, which can lead to incorrect configuration of the crypto map "set peer" as well as the "crypto isakmp key" configuration. Please kindly check.

(2) You also have "set pfs group2" configured on the router, but not on the PIX. You either need to remove it from the router, OR configure the same policy on the PIX.

(3) ACL 101, which is applied to the NAT statement, should be as follows:

access-list 101 deny ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny ip 10.2.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255

access-list 101 permit ip 10.1.0.0 0.0.0.255 any
access-list 101 permit ip 10.2.0.0 0.0.0.255 any
access-list 101 permit ip 10.3.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.254.252 0.0.0.3 any

Please kindly make sure all the "deny" statements are above the "permit" statements, as shown above.

Finally, please advise where the site-to-site VPN is failing. After the above changes, please clear the tunnel on both sides, establish the tunnel again, and if it still does not work, please let us know the output of:

show cry isa sa

show cry ipsec sa

Please also share the latest config after the above changes. Hope that helps.
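
The three checks in the answer above (peer address, PFS, NAT exemption order), plus a crypto-ACL mirror check, written as an added example that is not part of the original thread. The function names are hypothetical, and the embedded excerpts are constructed from the posted configurations, reduced to the lines the checks need.

```python
import ipaddress
import re

# Constructed excerpts: only the lines the checks need, in standard
# IOS / PIX 6.3 syntax, with the sanitized addresses used in the thread.
IOS_CFG = """\
crypto map adminvpn 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set admtrans
 set pfs group2
 match address 100
interface FastEthernet0
 ip address 2.2.2.2 255.255.255.240
 crypto map adminvpn
ip nat inside source list 101 interface FastEthernet0 overload
access-list 100 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.2.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.1.0.0 0.0.0.255 any
access-list 101 permit ip 10.2.0.0 0.0.0.255 any
access-list 101 permit ip 10.3.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.254.252 0.0.0.3 any
"""
PIX_CFG = """\
name 10.1.0.0 chrysalisadmin
name 10.3.0.0 chrysalis10.3
name 10.2.0.0 chrysalis10.2
access-list outside_cryptomap_1 permit ip 10.0.0.0 255.255.255.0 chrysalisadmin 255.255.255.0
access-list outside_cryptomap_1 permit ip 10.0.0.0 255.255.255.0 chrysalis10.2 255.255.255.0
access-list outside_cryptomap_1 permit ip 10.0.0.0 255.255.255.0 chrysalis10.3 255.255.255.0
ip address outside 2.2.2.2 255.255.255.0
crypto map Chrysalis 1 match address outside_cryptomap_1
crypto map Chrysalis 1 set peer 1.1.1.1
crypto map Chrysalis 1 set transform-set ESP-3DES-SHA
"""
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_acl(cfg, acl, wildcard):
    """Return [(action, src, dst)] for one 'ip' ACL, in configured order."""
    names = {n: ip for ip, n in re.findall(r"^name (\S+) (\S+)$", cfg, re.M)}
    pat = rf"^access-list {re.escape(acl)} (permit|deny) ip (.+)$"
    entries = []
    for action, rest in re.findall(pat, cfg, re.M):
        tok, nets = rest.split(), []
        while tok:
            if tok[0] == "any":
                nets.append(ANY)
                tok = tok[1:]
            else:
                addr, mask = names.get(tok[0], tok[0]), tok[1]
                if wildcard:  # IOS ACLs carry inverse masks, PIX 6.3 netmasks
                    inv = int(ipaddress.ip_address(mask)) ^ 0xFFFFFFFF
                    mask = str(ipaddress.ip_address(inv))
                nets.append(ipaddress.ip_network(f"{addr}/{mask}"))
                tok = tok[2:]
        entries.append((action, nets[0], nets[1]))
    return entries


def first(pattern, cfg):
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None


def check_pair(ios, pix):
    """Compare an IOS router with its PIX 6.3 peer; return a list of findings."""
    out = []
    # (1) Each side's peer must be the other side's crypto-map interface address.
    ios_if = next(b for b in re.findall(r"^interface \S+\n((?: .*\n)+)", ios, re.M)
                  if " crypto map " in b)
    ios_addr = first(r"^ ip address (\S+)", ios_if)
    pix_addr = first(r"^ip address outside (\S+)", pix)
    ios_peer = first(r"^ set peer (\S+)", ios)
    pix_peer = first(r"^crypto map \S+ \d+ set peer (\S+)", pix)
    if ios_peer != pix_addr:
        out.append(f"PEER: router peers with {ios_peer}, PIX outside is {pix_addr}")
    if pix_peer != ios_addr:
        out.append(f"PEER: PIX peers with {pix_peer}, router outside is {ios_addr}")
    # (2) PFS must be set to the same group on both crypto maps, or on neither.
    ios_pfs = first(r"^ set pfs (\S+)", ios)
    pix_pfs = first(r"^crypto map \S+ \d+ set pfs (\S+)", pix)
    if ios_pfs != pix_pfs:
        out.append(f"PFS: router={ios_pfs}, PIX={pix_pfs}")
    # (3) The crypto ACLs must be mirror images of each other.
    ios_flows = [(s, d) for a, s, d in
                 parse_acl(ios, first(r"^ match address (\S+)", ios), True) if a == "permit"]
    pix_flows = [(s, d) for a, s, d in
                 parse_acl(pix, first(r"match address (\S+)", pix), False) if a == "permit"]
    if set(ios_flows) != {(d, s) for s, d in pix_flows}:
        out.append("MIRROR: crypto ACLs are not mirror images")
    # (4) First match in the NAT ACL decides: VPN flows must hit a deny first.
    nat_acl = parse_acl(ios, first(r"^ip nat inside source list (\S+)", ios), True)
    for src, dst in ios_flows:
        hit = next((a for a, s, d in nat_acl if src.subnet_of(s) and dst.subnet_of(d)), None)
        if hit == "permit":
            out.append(f"NAT: {src} -> {dst} is translated before encryption")
    return out
```

Run against the posted configurations, `check_pair(IOS_CFG, PIX_CFG)` reports the peer addresses, the PFS mismatch and the three VPN flows that ACL 101 would translate; the crypto ACLs themselves already mirror each other.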

Tags: Cisco Security

Similar Questions

  • VPN clients cannot access remote sites - PIX, routing problem?

    I have a problem with routing to our company's remote sites when users connect remotely via their VPN client (i.e. home workers).

    Our headquarters contains a PIX 515E firewall. A number of remote sites connect (via ADSL) to head office using IPsec tunnels, terminating on the PIX.

    Behind the PIX is a 7206 router with connections to the head office LANs and connections to a number of ISDN-connected remote sites. The default route on the 7206 points to the PIX firewall, so traffic for the ADSL-connected remote sites goes through the PIX. Internal traffic for the LANs and ISDN-connected sites is handled by the 7206.

    Very good and works very well.

    When a user connects remotely using their VPN client (the connection is terminated on the PIX), they get an IP address from the pool configured on the PIX and they can access resources located on the head office local networks with no problems.

    However, the problem arises when a remote user wants access to a server located at one of the ADSL-connected remote sites - it is impossible to access any of these sites.

    On the remote site routers, I configured the access lists to allow access from the pool of IP addresses used by the PIX. But it made no difference. I think that the problem may be the routes configured on the PIX itself, but I don't know what is necessary to solve this problem.

    Does anyone have suggestions on what needs to be done to allow access to remote sites for users connected remotely via VPN?

    (Note: I suggested a workaround: users can use a server on the headquarters LAN as a "jump point" to connect to remote servers from there.)

    With PIX v6, no traffic is allowed to be redirected back out the same interface.

    For example, a remote user initiates an RDP session to one of the ADSL sites. The PIX decrypts the packet coming in on the outside interface and looks at the destination. Because the destination is one of the ADSL sites, the PIX would have to send the traffic back out the outside interface. Unfortunately, PIX v6.x has a limitation that forces the PIX to drop the packet.

    With v7, this restriction has been removed with the command "same-security-traffic permit intra-interface".

    http://www.Cisco.com/en/us/partner/products/HW/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

  • Troubleshooting IPSec Site to Site VPN between ASA and 1841

    Hi all

    In the past I've implemented several VPN connections between ASA devices. So I thought a site-to-site link between an ASA and an 1841 would be easier... But it seems I was mistaken.

    I configured a site-to-site VPN as described in Document ID 110198: "SDM: Site-to-Site IPsec VPN Between ASA/PIX and an IOS Router Configuration Example" (I have not used SDM but CCP).

    I have run the wizards on the ASA with ASDM and, on the 1841 with the current IOS version 15.1, with CCP.

    It seems Phase 1 and 2 are coming up, although my ASA in ASDM reports (Monitoring > VPN > VPN Statistics > Sessions) an established tunnel with some Tx traffic but 0 Rx traffic.

    On the ASA:

    Output of the command: "sh crypto ipsec sa peer 217.xx.yy.zz"

    peer address: 217.86.154.120
        Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

          access-list outside_2_cryptomap_1 extended permit ip 192.168.37.0 255.255.255.0 172.20.2.0 255.255.255.0
          local ident (addr/mask/prot/port): (LAN-A/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (LAN-G/255.255.255.0/0/0)
          current_peer: 217.xx.yy.zz

          #pkts encaps: 400, #pkts encrypt: 400, #pkts digest: 400
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 400, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 62.aa.bb.cc, remote crypto endpt.: 217.xx.yy.zz

          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 39135054
          current inbound spi : B2E9E500

        inbound esp sas:
          spi: 0xB2E9E500 (3001672960)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
             sa timing: remaining key lifetime (kB/sec): (4374000/1598)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0x39135054 (957567060)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
             sa timing: remaining key lifetime (kB/sec): (4373976/1598)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    Output of the command: "sh crypto isakmp sa"

       Active SA: 4
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 4

       IKE Peer: 217.xx.yy.zz
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE

    On the 1841

    1841#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    217.86.154.120  62.153.156.163  QM_IDLE           1002 ACTIVE

    1841#sh crypto ipsec sa

    interface: Dialer1
        Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
       current_peer 62.153.156.163 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
         path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
         current outbound spi: 0xB2E9E500(3001672960)
         PFS (Y/N): Y, DH group: group2

         inbound esp sas:
          spi: 0x39135054(957567060)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4505068/1306)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0xB2E9E500(3001672960)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4505118/1306)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

    interface: Virtual-Access1
        Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
       current_peer 62.153.156.163 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
         path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
         current outbound spi: 0xB2E9E500(3001672960)
         PFS (Y/N): Y, DH group: group2

         inbound esp sas:
          spi: 0x39135054(957567060)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4505068/1306)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0xB2E9E500(3001672960)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4505118/1306)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

    It seems that the routing on the 1841 is working properly, as I can tear down the tunnel and bring it back up by pinging a host on the 1841's network, but not vice versa.

    The Troubleshoot VPN report on the 1841 shows a message like "The following sources are forwarded through the crypto map interface. (172.20.2.0) 1) Go to 'Configure->Routing' and correct the routing table."

    I have not found an error in the 1841 config, so if one of the guys reading this thread has an idea, any hint is highly appreciated!

    This is the running configuration of the 1841:

    !
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname 1841
    !
    boot-start-marker
    boot system flash c1841-adventerprisek9-mz.151-1.T.bin
    boot-end-marker
    !
    logging buffered 51200 notifications
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    !
    aaa session-id common
    !
    memory-size iomem 20
    clock timezone PCTime 1
    clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
    dot11 syslog
    ip source-route
    !
    no ip dhcp use vrf connected
    !
    ip cef
    no ip bootp server
    ip domain name test
    ip name-server 194.25.2.129
    ip name-server 194.25.2.130
    ip name-server 194.25.2.131
    ip name-server 194.25.2.132
    ip name-server 194.25.2.133
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    object-group network phone
     description VoIP phone
     host 172.20.2.50
     host 172.20.2.51
    !
    redundancy
    !
    !
    controller DSL 0/0/0
     mode atm
     dsl-mode shdsl symmetric annex B
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key * address 62.aa.bb.cc
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Tunnel to62.aa.bb.cc
     set peer 62.aa.bb.cc
     set transform-set ESP-3DES-SHA
     set pfs group2
     match address 100
    !
    !
    !
    interface FastEthernet0/0
     description DMZ $FW_OUTSIDE$
     ip address 10.10.10.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     description $ETH-LAN$$FW_INSIDE$
     ip address 172.20.2.254 255.255.255.0
     ip access-group 100 in
     ip nat inside
     ip virtual-reassembly
     ip tcp adjust-mss 1412
     duplex auto
     speed auto
    !
    interface ATM0/0/0
     no ip address
     no atm ilmi-keepalive
    !
    interface ATM0/0/0.1 point-to-point
     pvc 1/32
      pppoe-client dial-pool-number 1
     !
    !
    interface Dialer1
     description $FW_OUTSIDE$
     ip address negotiated
     ip mtu 1452
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     dialer pool 1
     dialer-group 2
     ppp authentication chap pap callin
     ppp chap hostname xxxxxxx
     ppp chap password 7 xxxxxxx8
     ppp pap sent-username xxxxxxx password 7 xxxxxxx
     crypto map SDM_CMAP_1
    !
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    !
    !
    ip dns server
    ip nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
    ip nat inside source static tcp 10.10.10.1 25 interface Dialer1 25
    ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
    ip nat inside source route-map SDM_RMAP_2 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
    !
    logging trap notifications
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 172.20.2.0 0.0.0.255
    access-list 2 remark CCP_ACL Category=2
    access-list 2 permit 10.10.10.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 101 permit ip 172.20.2.0 0.0.0.255 any
    access-list 102 remark CCP_ACL Category=2
    access-list 102 remark IPSec Rule
    access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 102 permit ip 10.10.10.0 0.0.0.255 any
    !

    !
    route-map SDM_RMAP_1 permit 1
     match ip address 101
    !
    route-map SDM_RMAP_2 permit 1
     match ip address 102
    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     length 0
     transport input telnet ssh
    !
    scheduler allocate 20000 1000
    ntp update-calendar
    ntp server 172.20.2.250 prefer
    end

    As I mentioned previously: any hint is much appreciated!

    Best regards

    Joerg

    Joerg,

    The ASA does not receive any VPN packets because the IOS router is not sending anything.

    Try to send packets from the 1841 LAN to the ASA LAN and see if "sh cry ips sa" on the 1841 increments the encrypted packets (it's not).

    So the problem seems to be on the router side.

    I think that it is a routing problem, but you only have one default gateway (no other routes on the router).

    ACL 100 is set to encrypt the traffic between the two subnets.

    It seems that ACL 101 is also bypassing NAT for the VPN traffic.

    Follow these steps:

    Try sourcing traffic from the router's inside LAN IP (ping 192.168.37.x source 172.20.2.254) and see if the packets bypass translation and get encrypted.

    I would also remove ACL 100 from the inside interface on the router, because it is used for the VPN. You can create another ACL to apply to the interface.

    Federico.
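
The counter comparison used in the reply above, as an added example that is not part of the original thread: it reads "show crypto ipsec sa" output from both peers, confirms via the SPIs that both describe the same SA pair, and reports which direction carries no encrypted traffic. The excerpts are constructed from the SPIs and counters quoted in the question; the function names are hypothetical.

```python
import re

# Constructed excerpts in standard "show crypto ipsec sa" layout, carrying the
# SPIs and packet counters quoted in the thread (one SA pair per peer).
ASA_OUT = """\
      #pkts encaps: 400, #pkts encrypt: 400, #pkts digest: 400
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      current outbound spi: 39135054
      current inbound spi : B2E9E500
"""
IOS_OUT = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
     current outbound spi: 0xB2E9E500(3001672960)
     inbound esp sas:
      spi: 0x39135054(957567060)
     outbound esp sas:
      spi: 0xB2E9E500(3001672960)
"""


def parse_sa(text):
    """Extract encaps/decaps counters and the ESP SPIs from one peer's output."""
    sa = {k: int(v) for k, v in re.findall(r"#pkts (encaps|decaps): (\d+)", text)}
    hexnum = r"\s*(?:0x)?([0-9A-Fa-f]+)"
    out = re.search(r"current outbound spi\s*:" + hexnum, text)
    # The ASA prints the inbound SPI on its own "current inbound spi" line;
    # IOS only lists it under "inbound esp sas:".
    inb = (re.search(r"current inbound spi\s*:" + hexnum, text)
           or re.search(r"inbound esp sas:\s*spi:" + hexnum, text))
    sa["spi_out"], sa["spi_in"] = int(out.group(1), 16), int(inb.group(1), 16)
    return sa


def diagnose(a_name, a, b_name, b):
    """Return findings for one tunnel, given parse_sa() results from both peers."""
    findings = []
    # One side's outbound SPI is the other's inbound SPI when both outputs
    # describe the same SA pair; otherwise the counters are not comparable.
    if a["spi_out"] != b["spi_in"] or b["spi_out"] != a["spi_in"]:
        findings.append("SPI mismatch: peers hold different SAs; clear and renegotiate")
    for tx_name, tx, rx_name, rx in ((a_name, a, b_name, b), (b_name, b, a_name, a)):
        if tx["encaps"] == 0:
            findings.append(f"{tx_name} -> {rx_name}: {tx_name} encrypts nothing; check "
                            f"routing, NAT exemption and interface ACLs on {tx_name}")
        elif rx["decaps"] == 0:
            findings.append(f"{tx_name} -> {rx_name}: {tx_name} sends ESP but {rx_name} "
                            "decapsulates none; check the path between the peers")
    return findings


if __name__ == "__main__":
    for line in diagnose("ASA", parse_sa(ASA_OUT), "1841", parse_sa(IOS_OUT)):
        print(line)
```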

  • Site to Site PIX VPN problems

    Hi, I currently have a site-to-site VPN up and running and it works fine. I am trying to bring two others online and just cannot make them work. I used the same configuration as the working one, but I cannot get the next tunnel up. I saw several errors when debugging isakmp and ipsec, and they are at the end of my configs. Anyone have any ideas? Thank you

    Main site - has VPN clients connecting to it and pt to pt VPN to 3 endpoints

    Cisco PIX Firewall Version 6.3(3)

    *Main Site Config*

    access-list client_vpn permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0
    access-list VPN_to_Site2 permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0
    nat (inside) 0 access-list client_vpn
    sysopt connection permit-ipsec
    crypto ipsec transform-set fws_encry_set esp-3des esp-md5-hmac
    crypto map outside_map 60 ipsec-isakmp
    crypto map outside_map 60 match address VPN_to_Site2
    crypto map outside_map 60 set peer 64.X.X.19
    crypto map outside_map 60 set transform-set fws_encry_set
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 64.X.X.19 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    Site 2 config

    *Only because the pt to pt does not work, I have it set up to allow VPN clients to pass through to connect to the main site.*

    Cisco PIX Firewall Version 6.3(5)

    access-list VPN_to_Main permit ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.0.0
    nat (inside) 0 access-list VPN_to_Main
    sysopt connection permit-ipsec
    crypto ipsec transform-set fws_encry_set esp-3des esp-md5-hmac
    crypto map outside_map 10 ipsec-isakmp
    crypto map outside_map 10 match address VPN_to_Main
    crypto map outside_map 10 set peer 207.X.X.13
    crypto map outside_map 10 set transform-set fws_encry_set
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 207.X.X.13 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    Errors

    PIX(config)# IPSEC(sa_initiate): ACL = deny; no sa created

    authenticator is HMAC-MD5 IPSEC(validate_proposal): invalid local address

    I have a link that works very well. I have copied the config from there, changed the IP info, and it does not work. The only differences in the configs are no sysopt route dnat and that it's on Version 6.2(2).

    IPSEC(sa_initiate): ACL = deny; no sa created

    I think that you have configured a VPN tunnel without removing the crypto map from the outside interface. The message above is the error we get in such a situation.

    I suggest the following solution:

    - Remove the crypto map from the outside interface (both PIXes).

    - Run clear cry isa sa and clear cry ipsec sa (both PIXes).

    - Reapply the crypto map on the outside interfaces.

    If this doesn't solve the problem, restart the equipment.

    Kind regards

    Ajit

  • IPsec site to Site VPN on Wi-Fi router

    Hello!

    Can someone tell me if there is a Netgear Wi-Fi router that can form an IPsec site-to-site VPN connection between 2 Wi-Fi routers via the WAN connection?

    I know that this feature exists on the Netgear firewall, but can you have the same function on any Wi-Fi router?

    See you soon!

    Michael

    I suspect that.

    Thank you very much for the reply.

    See you soon!

  • IPSec Site to Site VPN Solution needed?

    Hi all

    I need a solution to provide full connectivity to one of my clients. I created two IPSEC Site to Site VPN, one between the INFO and RITA and second between NIDA and RITA. I can access RITA machine that is 172.16.36.101 at the INFO and 10.0.0.5 to NIDA.

    Now, I need to give access to my customer INFORMATION to direct NIDA 10.0.0.5 without established VPN machine to NIDA 10.0.0.5 of 172.16.36.101 access.

    Could you please give me the solution how is that possible?

    Regards

    Uzair Hussain

    Hi uzair.infotech,

    Looks like you need to set up a grouping between the 3 sites, at the end of that your topology will look like this:

    INFO - RITA - NIDA

    You can check this guide that explains step by step how to configure grouping:

    https://supportforums.Cisco.com/document/12752536/how-configure-site-sit...

    Hope this info helps!

    Rate if it helps!

    -JP-

  • IPSec site to site VPN cisco VPN client routing problem and

    Hello

    I'm really stuck with the configuration of an IPsec site-to-site VPN (hub to spoke, multiple spokes) with Cisco VPN client remote access to this VPN.

    The problem is with remote access - Cisco VPN client access - I can communicate with the hub LAN, but I also need communication with all the spoke LANs from the Cisco VPN client.

    On the spokes, no Cisco hardware is used - D-Link routers.

    Someone told me that it is possible to use NAT to translate the remote access clients' IPs to the hub LAN and thus allow communication - but I'm unable to set it up and get it working.

    Can someone help me please?

    Thank you

    Peter

    SPOKES - non-Cisco devices / another vendor

    Cisco 1841 HSEC HUB:

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key x address xx no-xauth
    !
    crypto isakmp client configuration group x
     key x
     pool vpnclientpool
     acl 190
     include-local-lan
    !
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec transform-set 1cisco esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set 1cisco
    !
    crypto map ETH0 client authentication list userauthen
    crypto map ETH0 isakmp authorization list groupauthor
    crypto map ETH0 client configuration address respond
    crypto map ETH0 1 ipsec-isakmp
     set peer x
     set transform-set 1cisco
     set pfs group2
     match address 180
    crypto map ETH0 10 ipsec-isakmp dynamic dynmap
    !
    !
    interface FastEthernet0/1
     description $ES_WAN$
     crypto map ETH0
    !
    ip local pool vpnclientpool 192.168.200.100 192.168.200.150
    !
    !
    ip nat inside source list LOCAL interface FastEthernet0/1 overload
    !
    ip access-list extended LOCAL
     deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
     deny ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
     permit ip 192.168.7.0 0.0.0.255 any
    !
    access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
    !

    How has the DLINK been configured for traffic between the site-to-site VPN subnets? Are you able to add multiple remote subnets on the DLINK? If you can, then you must add the VPN Client pool subnet.

    Alternatively, if you cannot add multiple subnets on the DLINK router, you can change the VPN Client pool to 192.168.6.0/24, and in the crypto ACL for the site-to-site VPN you must edit the existing ACL 180

    FROM:

    access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

    access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255

    TO:

    access-list 180 permit ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255

    Also change the split tunnel ACL 190:

    FROM:

    access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

    access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255

    TO:

    access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255

    access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255

    Finally, on the DLINK, change the remote subnet from 192.168.7.0/255.255.255.0 to 192.168.6.0/255.255.254.0.

    Hope that helps.

  • Failed to configure two AnyConnect & IPSEC site to site VPN

    I have established an IPSEC site-to-site VPN.

    When I configure AnyConnect (and make it work), I lose the site-to-site tunnel, and vice versa.

    I think that my NAT statements are incorrect.

    Here is the NAT config when AnyConnect works properly...

    global (outside) 101 interface
    nat (inside) 0 access-list sslnonat
    nat (inside) 101 0.0.0.0 0.0.0.0

    access-list sslnonat extended permit ip 192.168.65.0 255.255.255.0 192.168.66.0 255.255.255.0

    When the IPSEC site-to-site tunnel works properly, here's the NAT config...

    global (outside) 101 interface
    nat (inside) 0 access-list Inside_nat0_outbound
    nat (inside) 101 0.0.0.0 0.0.0.0

    access-list Inside_nat0_outbound extended permit ip 192.168.65.0 255.255.255.0 object-group ServerGroup

    How do I get AnyConnect and the IPSEC site-to-site to both work properly? I need not reach on the other.

    Inside network 192.168.65.0/24

    AnyConnect address pool 192.168.66.0/24

    Any help would be appreciated.

    Hello

    Try this:

    global (outside) 101 interface
    nat (inside) 0 access-list Inside_nat0_outbound
    nat (inside) 101 0.0.0.0 0.0.0.0

    access-list Inside_nat0_outbound extended permit ip 192.168.65.0 255.255.255.0 object-group ServerGroup
    access-list Inside_nat0_outbound extended permit ip 192.168.65.0 255.255.255.0 192.168.66.0 255.255.255.0

    The problem is that when you apply the IPsec NAT configuration, you remove the entry for the AnyConnect pool.
    Try the above and we will see if it works.

    Federico.

  • IPsec Site to Site VPN multisession?

    Hi people.

    I recently faced a problem at work. Customers want to dismiss ipsec site to site vpn. I have 2 asa 5520 working in a stack. Is it possible to configure the vpn site to site in a redundant mode, as the first ip address is x.x.x.x and secondary is y.y.y.y (backup)?

    Thank you much in advance.

    Hello

    You can define several peers in the crypto map, see:

    http://www.Cisco.com/en/us/docs/security/ASA/asa72/command/reference/c5_72.html#wp2066090

    You can define several tunnels and leave the routing protocol to choose the best route.

    Hope this helps,

    Bastien.

  • Unable to reach additional IP ranges over IPSec Site to Site VPN

    Hello
    I am trying to set up a free IPSec Site to Site VPN between an ASA 5510 (ASA Version 8.2(3)) at HQ and a Cisco 877 (12.4(24)T3) at a branch.

    At the branch end, I have the 192.168.244.0/24 subnet.
    At the HQ end, I have the 172.16.0.0/22 and the 10.0.0.0/8 subnets.
    The inside interface of the ASA at Headquarters is 172.16.0.15/22

    When running the VPN Wizard I ticked the NAT-T box, and I included the additional subnet in the list of protected LANs.

    I can successfully access all of the 172.16.0.0/22 subnet but cannot access anything in the 10.0.0.0/8 subnets.
    The ASA Packet Tracer tool shows traffic from the inside interface, from 172.16.0.0/22 in the direction of 192.168.244.0/24, passing properly through the outside interface, but 10.0.0.0/8 does not work. It gives no precise information on why the 10.0.0.0/8 traffic is dropped.

    [HQ_LAN]---10.0.0.0/8 & 172.16.0.0/22---172.16.0.15(inside_int)-[ASA 5510] - IPSEC-[RTR 877]---192.168.244.0/24---[BRANCH_LAN]

    I suspect it might have something to do with NAT?

    Help, please.

    Hello

    Your VPN peers do not agree on the LAN segments between the two VPN peers.

    On your ASA

    access-list inside_outbound_nat0_acl extended permit ip any <> 255.255.255.0

    and

    Router:

    access-list 100 permit ip 192.168.244.0 0.0.0.255 172.16.0.0 0.0.3.255

    access-list 100 permit ip 192.168.244.0 0.0.0.255 10.0.0.0 0.255.255.255

    Please declare the same subnets explicitly on both VPN peers, and finally please add this route on the ASA.

    Same issue with this ACL: the subnet statements are not identical between the two VPN peers, please make sure they are identical at both ends.

    access-list outside_cryptomap_2 extended permit ip object-group <> <> 255.255.255.0

    route outside 192.168.244.0 255.255.255.0 ASA_EXTERNAL_GW

    Let me know the result.

    Thank you

    Rizwan James
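The two answers above (widening ACL 180 to 192.168.6.0 0.0.1.255 on the hub, and making the subnet statements identical on the ASA and the 877) both come down to the crypto ACLs on the two peers being exact mirrors of each other. The following is an added example, not code from any poster or from Cisco, that parses IOS wildcard-mask and PIX/ASA netmask ACL lines and lists entries with no mirror on the peer; `SPOKE_OLD`, `SPOKE_NEW` and `HQ_ASA` are constructed sample inputs and all function names are hypothetical.

```python
"""Check that the crypto ACLs on two IPsec peers mirror each other."""
import ipaddress


def to_network(addr, mask, inverse):
    """Build a network from ADDR MASK; IOS ACLs use inverse (wildcard) masks.

    Raises ValueError for a non-contiguous mask or an address with host bits
    set (for example 192.168.7.0 with wildcard 0.0.1.255).
    """
    if inverse:
        flipped = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
        mask = str(ipaddress.IPv4Address(flipped))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=True)


def take_spec(tokens, inverse):
    """Consume one address spec from TOKENS: any | host A | A MASK."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return to_network(head, tokens.pop(0), inverse)


def parse_acl(text, inverse):
    """Return the set of (source, destination) networks the ACL permits.

    inverse=True for IOS wildcard masks, False for PIX/ASA netmasks. Only
    'permit ip' entries are read, since those select traffic for the tunnel.
    """
    pairs = set()
    for line in text.splitlines():
        tokens = [t for t in line.split() if t != "extended"]
        if (len(tokens) < 6 or tokens[0] != "access-list"
                or tokens[2:4] != ["permit", "ip"]):
            continue
        rest = tokens[4:]
        pairs.add((take_spec(rest, inverse), take_spec(rest, inverse)))
    return pairs


def mirror_gaps(local, remote):
    """Entries in LOCAL with no exactly reversed entry in REMOTE."""
    return sorted((s, d) for s, d in local if (d, s) not in remote)


# Hub ACL 180 after the change suggested in the hub-and-spoke thread (IOS).
HUB_180 = "access-list 180 permit ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255"
# Constructed spoke-side selectors in netmask notation: before and after the
# remote subnet is widened to 192.168.6.0/255.255.254.0.
SPOKE_OLD = ("access-list spoke permit ip 192.168.1.0 255.255.255.0 "
             "192.168.7.0 255.255.255.0")
SPOKE_NEW = ("access-list spoke permit ip 192.168.1.0 255.255.255.0 "
             "192.168.6.0 255.255.254.0")
# Branch router ACL 100 as posted in the ASA 5510 / 877 thread (IOS).
BRANCH_100 = """\
access-list 100 permit ip 192.168.244.0 0.0.0.255 172.16.0.0 0.0.3.255
access-list 100 permit ip 192.168.244.0 0.0.0.255 10.0.0.0 0.255.255.255
"""
# Constructed HQ-side ACL that protects only 172.16.0.0/22 (an assumption
# about the ASA; the thread elides the real entries).
HQ_ASA = ("access-list outside_cryptomap_2 extended permit ip "
          "172.16.0.0 255.255.252.0 192.168.244.0 255.255.255.0")


def report(name, local, remote):
    """Print and return the selectors in LOCAL that the peer does not mirror."""
    gaps = mirror_gaps(local, remote)
    for src, dst in gaps:
        print(f"{name}: {src} -> {dst} has no mirror entry on the peer")
    if not gaps:
        print(f"{name}: selectors mirror on both ends")
    return gaps


if __name__ == "__main__":
    hub = parse_acl(HUB_180, inverse=True)
    report("hub vs old spoke", hub, parse_acl(SPOKE_OLD, inverse=False))
    report("hub vs new spoke", hub, parse_acl(SPOKE_NEW, inverse=False))
    branch = parse_acl(BRANCH_100, inverse=True)
    report("branch vs HQ", branch, parse_acl(HQ_ASA, inverse=False))
```

With the constructed HQ ACL, the only unmatched selector is 192.168.244.0/24 -> 10.0.0.0/8, which lines up with the symptom in the thread: 172.16.0.0/22 is reachable and 10.0.0.0/8 is not.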

  • Help with Site to Site VPN on PIX 501

    Hello

    I'm pretty new to PIX firewall, so I hope someone here can help me.

    I have two PIXes and am trying to create a VPN between the two PIXes. I posted the configs below.

    The problem is that from PIX ONE I can ping PIX TWO, but I can't ping the servers behind PIX TWO. From PIX TWO, I cannot ping PIX ONE or any of the servers behind it.

    Any advice would be appreciated.

    Thank you

    PIX 1

    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname TMAXWALES
    domain-name ciscopix.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list inside_outbound_nat0_acl permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
    pager lines 24
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside *.*.198.139 255.255.255.248
    ip address inside 192.168.254.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.254.10 255.255.255.255 inside
    pdm location 192.168.1.0 255.255.255.0 outside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 *.*.198.137 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.254.10 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer *.*.198.138
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key * address *.*.198.138 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet timeout 5
    ssh timeout 5
    terminal width 80

    PIX 2

    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname tmaxbangor
    domain-name ciscopix.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
    pager lines 24
    logging on
    logging buffered debugging
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside *.*.198.138 255.255.255.248
    ip address inside 192.168.1.1 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip audit info action alarm drop reset
    ip audit attack action alarm drop reset
    pdm location 192.168.1.0 255.255.255.0 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 *.*.198.137 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.84.7.111 255.255.255.255 inside
    http 192.168.1.10 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer *.*.198.139
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key * address *.*.198.139 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 50
    ssh timeout 5
    terminal width 80

    Can't see anything obviously wrong with the configs. Do you have these connected back to back on the same subnet? It looks like it, even though you have xxx'd out the IP addresses. If so, it's maybe a routing problem, in that they send everything to the default gateway of xxx.x.198.137 rather than to each other.

    Try to add a static route to the remote subnet on each PIX that points directly to the peer, so on PIX1 you should have:

    route outside 192.168.1.0 255.255.255.0 xxx.x.198.138

    and on PIX2 do:

    route outside 192.168.254.0 255.255.255.0 xxx.x.198.139

    and see if that makes a difference. Note that you wouldn't encounter this problem when these two PIXes are on separate networks and use the default gateway for all routing decisions.

    If this still fails, run 'debug cryp isa' and 'debug cry ipsec' on the two PIXes, try to build the tunnel again, and then send us the output.

    Also, make sure that in your tests you're pinging from a host behind one PIX to a host behind the other PIX; pinging PIX to PIX, or from a host to a PIX, won't test your VPN connection.

  • VPN IPsec over TCP on PIX 6.3

    Hi all:

    Does anyone know how to configure IPsec over TCP on PIX 6.3?

    Thank you all...

    Ted Wen.

    Hello

    You can enable IPSec over TCP on PIX Security Appliance Software Version 7.0 with the command "isakmp ipsec-over-tcp port". But I can't make it work and have posted my problem on the Discussion Forums.

    Thank you.

    B.Rgds,

    Lim TS

  • Remote monitoring Pix on IPSEC site to site VPN

    I have a few PIX 501s that connect through site-to-site VPN. We use Orion NPM and I can't add them for monitoring. I was able to add remote routers that connect through site-to-site VPNs. I guess that the security/NAT rules of the PIX prevent that. The configuration of the remote PIX is attached.

    You need on the 2800...

    access-list 131 permit ip host 172.16.30.19 24.172.234.126

  • Tunnel VPN Site to Site PIX

    I'm having a terrible time linking two PIXes with a site-to-site VPN. I don't run any VPN clients, nor will I in the future. When I start debugging on the VPN connection, it gives me this result:

    Peer VPN: ISAKMP: approved new addition: ip:xxx.xxx.xxx.3 Total VPN peer: 1

    Peer VPN: ISAKMP: ip:xxx.xxx.xxx.3 Ref cnt is incremented to peers: 1 Total peer VPN: 1

    ISAKMP (0): early changes of Main Mode

    crypto_isakmp_process_block: CBC xxx.xxx.xxx.3, dest xxx.xxx.xxx.246

    Exchange OAK_MM

    ISAKMP (0): treatment ITS payload. Message ID = 0

    ISAKMP (0): audit ISAKMP transform 1 against the policy of priority 10

    ISAKMP: DES-CBC encryption

    ISAKMP: MD5 hash

    ISAKMP: default group 2

    ISAKMP: preshared auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0 x 0 0 x 1 0 x 51 0x80

    ISAKMP (0): atts are not acceptable. Next payload is 0

    ISAKMP (0): audit ISAKMP transform 1 against 20 priority policy

    ISAKMP: DES-CBC encryption

    ISAKMP: MD5 hash

    ISAKMP: default group 2

    ISAKMP: preshared auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0 x 0 0 x 1 0 x 51 0x80

    ISAKMP (0): atts are acceptable. Next payload is 0

    ISAKMP (0): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication

    to return to the State is IKMP_NO_ERROR

    crypto_isakmp_process_block: CBC xxx.xxx.xxx.3, dest xxx.xxx.xxx.246

    Exchange OAK_MM

    ISAKMP (0): processing KE payload. Message ID = 0

    ISAKMP (0): processing NONCE payload. Message ID = 0

    ISAKMP (0): load useful treatment vendor id

    ISAKMP (0): provider v6 code received xauth

    ISAKMP (0): load useful treatment vendor id

    ISAKMP (0): Peer Remote supports dead peer detection

    ISAKMP (0): load useful treatment vendor id

    ISAKMP (0): load useful treatment vendor id

    ISAKMP (0): addressing another box of IOS!

    ISAKMP (0): ID payload

    next payload: 8

    type: 1

    Protocol: 17

    Port: 500

    Length: 8

    ISAKMP (0): the total payload length: 12

    to return to the State is IKMP_NO_ERROR

    ISAKMP (0): retransmission of phase 1... IPSEC (key_engine): request timer shot: count = 1,.

    local (identity) = xxx.xxx.xxx.246, distance = xxx.xxx.xxx.3,

    local_proxy = 192.168.0.0/255.255.255.0/0/0 (type = 4),

    remote_proxy = 10.1.1.0/255.255.255.0/0/0 (type = 4)

    ISAKMP (0): retransmission of phase 1...

    ISAKMP (0): delete SA: src xxx.xxx.xxx.246 dst xxx.xxx.xxx.3

    ISADB: Reaper checking HIS 0x814265e8, id_conn = 0 DELETE IT!

    If I run a show crypto isakmp sa:

    Total: 1

    Embryonic: 1

    dst src state pending created

    xxx.xxx.xxx.3 xxx.xxx.xxx.246 MM_KEY_EXCH 0 0

    It won't leave the MM_KEY_EXCH state (other than to tear down the tunnel). I'm 99% positive that the public keys match. Is there something else that could cause it to give the MM_KEY_EXCH message and not create the tunnel? Are public keys case-sensitive? What is the message about "talking with another box of IOS"? Here is a copy of the configuration:

    name 192.168.0.0 vpn
    access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.0.0.0 vpn 255.255.0.0
    access-list outside_cryptomap_20 permit ip 10.0.0.0 255.0.0.0 vpn 255.255.0.0
    nat (inside) 0 access-list inside_outbound_nat0_acl
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer xxx.xxx.xxx.246
    crypto map outside_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key * address xxx.xxx.xxx.246 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400

    Any help would be greatly appreciated.

    Daryl,

    Can you post a new ISAKMP debug output? Can you test the remote peer? Do you see any hits on the crypto ACL? You will see the 'talk to another box of IOS' in the debug output because the two boxes are running IOS - this isn't an error!

    Let me know-

    Jay

  • Rv110w IPSec Site-to-Site

    I'm trying to get a site to site VPN working between two routers RV110W, obviously in different places with different public IPs and different internal addressed IP networks.

    For some reason, the IPsec Security Association gets 'established', but no traffic will travel between the two.

    I use the "basic VPN setup" on routers and type in their respective information below.

    Public IP have been replaced by x.x.x.x.

    Router A:

    Connection: - name -.

    Key: - PSK-

    IP / domain FULL: - public IP address of the remote site.

    Local WAN: - local WAN.

    Remote LAN: 10.151.238.0

    Remote mask: 255.255.255.0

    Local NETWORK: 10.151.237.0

    Local mask: 255.255.255.0

    Router b:

    Connection: - name -.

    Key: - PSK-

    IP / domain FULL: - public IP address of the remote site.

    Local WAN: - local WAN.

    Remote LAN: 10.151.237.0

    Remote mask: 255.255.255.0

    Local NETWORK: 10.151.238.0

    Local mask: 255.255.255.0

    I am very confused.

    Site A:

    Public IP address

    10.151.237.0/24 network

    Cisco VPN Firewall RV110W

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [30287]: package x.x.x.x:500: received vendor payload [Openswan (this version) 2.6.21] code

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [30287]: package x.x.x.x:500: received vendor payload [Dead Peer Detection] code

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #4: meet the main Mode

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #4: transition of State STATE_MAIN_R0 of State STATE_MAIN_R1

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #4: STATE_MAIN_R1: sent MR1, expected MI2

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #4: transition of State STATE_MAIN_R1 of State STATE_MAIN_R2

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #4: STATE_MAIN_R2: sent MR2, waiting for MI3

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: package x.x.x.x:500: received vendor payload [Openswan (this version) 2.6.21] code

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: package x.x.x.x:500: received vendor payload [Dead Peer Detection] code

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #5: meet the main Mode

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #5: transition of State STATE_MAIN_R0 of State STATE_MAIN_R1

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #5: STATE_MAIN_R1: sent MR1, expected MI2

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #5: transition of State STATE_MAIN_R1 of State STATE_MAIN_R2

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #5: STATE_MAIN_R2: sent MR2, waiting for MI3

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #5: hand mode peer ID is ID_IPV4_ADDR: \'x.x.x.x\'

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #5: transition of State STATE_MAIN_R2 of State STATE_MAIN_R3

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #5: STATE_MAIN_R3: sent MR3, Security Association established ISAKMP {auth = OAKLEY_PRESHARED_KEY = prf = oakley_sha group = modp1024 aes_128 encryption}

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #5: Dead Peer Detection (RFC 3706): enabled

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #5: the proposed peer: 10.151.237.0/24:0/0-> 10.151.238.0/24:0/0

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #6: response to a proposal of fast Mode {msgid:6ecb39e8}

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #6: us: 10.151.237.0/24===x.x.x.x

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #6: them: x.x.x.x===10.151.238.0/24

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #6: transition of State STATE_QUICK_R0 of State STATE_QUICK_R1

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]. Pluto: pfkey fd is 19

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]. Pluto: pfkey fd is 19

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]. Pluto: pfkey fd is 19

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]. Pluto: pfkey fd is 19

    ' 2013-07-11 16:16:14 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #6: Dead Peer Detection (RFC 3706): enabled

    ' 2013-07-11 16:16:14 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #6: transition of State STATE_QUICK_R1 of State STATE_QUICK_R2

    ' 2013-07-11 16:16:14 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #6: STATE_QUICK_R2: IPsec Security Association established the {-online 0x2fadc90d ESP tunnel mode<0xa6393cfc xfrm="AES_128-HMAC_SHA1" natoa="none" natd="none" dpd="">

    2013-07-11 16:16:14 RV110W authpriv.debug pluto [30287]. * pfkey received message

    2013-07-11 16:16:14 RV110W authpriv.debug pluto [30287]. Pluto: pfkey fd is 19

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: received vendor payload [Openswan (this version) 2.6.21] code

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: received vendor payload [Dead Peer Detection] code

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: transition of State STATE_MAIN_I1 of State STATE_MAIN_I2

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: STATE_MAIN_I2: sent MI2, waiting for MR2

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: transition of State STATE_MAIN_I2 of State STATE_MAIN_I3

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: STATE_MAIN_I3: sent MI3, expect MR3

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: hand mode peer ID is ID_IPV4_ADDR: \'96.2.164.121\'

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: transition of State STATE_MAIN_I3 of State STATE_MAIN_I4

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: STATE_MAIN_I4: ISAKMP Security Association established {auth = OAKLEY_PRESHARED_KEY = prf = oakley_sha group = modp1024 aes_128 encryption}

    ' 2013-07-11 16:16:17 RV110W authpriv.info pluto [30287]: \"cisco\ ' #3: STATE_MAIN_I4: ISAKMP Security Association established {auth = OAKLEY_PRESHARED_KEY = prf = oakley_sha group = modp1024 aes_128 encryption}

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: Dead Peer Detection (RFC 3706): enabled

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #7: quick launch Mode PSK + ENCRYPT + TUNNEL + TOP {using isakmp proposal d = AES (12) msgid:0779895 #3 _128-SHA1 (2) _1024 pfsgroup = No. - pfs}

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #7: Dead Peer Detection (RFC 3706): enabled

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #7: transition of State STATE_QUICK_I1 of State STATE_QUICK_I2

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #7: STATE_QUICK_I2: sent QI2, Security Association established IPsec ESP tunnel {-online 0x8d260557 mode<0xad4da835 xfrm="AES_128-HMAC_SHA1" natoa="none" natd="none" dpd="">

    ' 2013-07-11 16:16:17 RV110W authpriv.info pluto [30287]: \"cisco\ ' #7: STATE_QUICK_I2: sent QI2, Security Association established IPsec ESP tunnel {-online 0x8d260557 mode<0xad4da835 xfrm="AES_128-HMAC_SHA1" natoa="none" natd="none" dpd="">

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]. * pfkey received message

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]. Pluto: pfkey fd is 19

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]. * pfkey received message

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]. Pluto: pfkey fd is 19

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]. * pfkey received message

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]. Pluto: pfkey fd is 19

    2013-07-11 16:16:53 RV110W kern.debug wl0.0: IEEE 802.11 Association request for e0: c9:7 has: 7 a: 3d:2 b b8:62:1f:51:ad:a9 BSSID

    2013-07-11 16:16:54 RV110W kern.info wl0.0: e0:c9:7 a: 7 a: 3d:2 b IEEE 802.11 STA associated BSSID b8:62:1f:51:ad:a9

    2013-07-11 16:16:54 RV110W daemon.info udhcpd [2541]: received REQUEST from E0:C9:7 A: 7 A: 3D:2 B

    2013-07-11 16:16:54 RV110W daemon.info udhcpd [2541]: sending acknowledgement to 10.151.237.5

    ' 2013-07-11 16:17:23 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #4: max number of retransmissions (2) reached STATE_MAIN_R2

    2013-07-11 16:17:43 RV110W daemon.info udhcpd [2541]: INFORMATION from 38:60:77:13:C0:48

    Site B:

    Public IP address

    10.151.238.0/24 network

    Cisco VPN Firewall RV110W

    2013-07-11 16:13:11 RV110W daemon.info httpd [22952]: Administrator 10.151.238.201 logined

    2013-07-11 16:16:11 RV110W user.debug syslog. PFKEY open, create socket 19

    2013-07-11 16:16:11 RV110W user.debug syslog. recv pfkey register address

    2013-07-11 16:16:11 RV110W user.debug syslog. recv pfkey register address

    2013-07-11 16:16:11 RV110W user.debug syslog. recv pfkey register address

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: warning: 1success is enabled

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: NAT-Traversal port 4500 floating off setting

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: port floating nat_t activation criteria = 0/port_float = 1

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: including NAT-Traversal patch (Version 0.6 c) [disabled]

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: using/dev/urandom as a source of random entropy

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): OAKLEY_TWOFISH_CBC_SSH of activation: Ok (ret = 0)

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): OAKLEY_TWOFISH_CBC of activation: Ok (ret = 0)

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): OAKLEY_SERPENT_CBC of activation: Ok (ret = 0)

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): OAKLEY_AES_CBC of activation: Ok (ret = 0)

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): OAKLEY_BLOWFISH_CBC of activation: Ok (ret = 0)

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: ike_alg_register_hash(): OAKLEY_SHA2_512 of activation: Ok (ret = 0)

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: ike_alg_register_hash(): OAKLEY_SHA2_256 of activation: Ok (ret = 0)

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: commissioning 1 cryptographic support

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6789]: using/dev/urandom as a source of random entropy

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: begun assistance pid = 6789 (fd:5)

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: interface using Linux 2.6 IPsec on 2.6.22 code (experimental code)

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): WARNING: enc alg = 0 not found in constant .c: oakley_enc_names

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): activation: Ok (ret = 0)

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): WARNING: enc alg = 0 not found in constant .c: oakley_enc_names

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_add(): ERROR: algorithm already exists

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): activation: FAILED (ret = - 17)

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): WARNING: enc alg = 0 not found in constant .c: oakley_enc_names

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_add(): ERROR: algorithm already exists

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): activation: FAILED (ret = - 17)

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): WARNING: enc alg = 0 not found in constant .c: oakley_enc_names

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_add(): ERROR: algorithm already exists

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): activation: FAILED (ret = - 17)

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): WARNING: enc alg = 0 not found in constant .c: oakley_enc_names

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_add(): ERROR: algorithm already exists

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): activation: FAILED (ret = - 17)

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): WARNING: enc alg = 0 not found in constant .c: oakley_enc_names

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_add(): ERROR: algorithm already exists

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): activation: FAILED (ret = - 17)

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: change path to the '/etc/ipsec.d/cacerts' directory

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: change path to the '/etc/ipsec.d/aacerts' directory

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: change path to the '/etc/ipsec.d/ocspcerts' directory

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: change directory '/etc/ipsec.d/crls'

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: warning: empty directory

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: listen to IKE messages

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: adding the interface ppp0/ppp0 10.151.238.200:500

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: adding the interface br0/br0 10.151.238.1:500

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: adding the interface eth1: 0 / eth1: 0 127.0.0.3:500

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: interface adding vlan2/vlan2 x.x.x.x:500

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: adding the interface lo/lo 127.0.0.1:500

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: secrets of "/tmp/ipsec_secrets/_qv.secret" loading

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. PFKEY 18 failed: no such file or directory

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: added connection description "cisco"

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: "cisco" #1: launch the main Mode

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: "cisco" #1: received vendor payload [Openswan (this version) 2.6.21] code

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: "cisco" #1: received vendor payload [Dead Peer Detection] code

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: forget the secrets

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: secrets of "/tmp/ipsec_secrets/_qv.secret" loading

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: "cisco" #1: transition of State STATE_MAIN_I1 of State STATE_MAIN_I2

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: "cisco" #1: STATE_MAIN_I2: sent MI2, waiting for MR2

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: "cisco": termination of SAs by using this connection

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: "cisco" #1: removal of State (STATE_MAIN_I2)

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: "cisco": removal of connection

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: package x.x.x.x:500: message from the phase 1 part of an unknown Exchange

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: added connection description "cisco"

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: "cisco" #2: launch the main Mode

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: "cisco" #2: received vendor payload [Openswan (this version) 2.6.21] code

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: "cisco" #2: received vendor payload [Dead Peer Detection] code

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: "cisco" #2: transition of State STATE_MAIN_I1 of State STATE_MAIN_I2

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: "cisco" #2: STATE_MAIN_I2: sent MI2, waiting for MR2

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: "cisco" #2: transition of State STATE_MAIN_I2 of State STATE_MAIN_I3

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: "cisco" #2: STATE_MAIN_I3: sent MI3, expect MR3

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: "cisco" #2: hand mode peer ID is ID_IPV4_ADDR: '96.2.165.2'

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: "cisco" #2: transition of State STATE_MAIN_I3 of State STATE_MAIN_I4

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: "cisco" #2: STATE_MAIN_I4: ISAKMP Security Association established {auth = OAKLEY_PRESHARED_KEY = prf = oakley_sha group = modp1024 aes_128 encryption}

    2013-07-11 16:16:13 RV110W authpriv.info pluto [6788]: "cisco" #2: STATE_MAIN_I4: ISAKMP Security Association established {auth = OAKLEY_PRESHARED_KEY = prf = oakley_sha group = modp1024 aes_128 encryption}

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: "cisco" #2: Dead Peer Detection (RFC 3706): enabled

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: "cisco" #3: quick launch Mode PSK + ENCRYPT + TUNNEL + TOP {using isakmp #2 msgid:6ecb39e8 = AES proposal (12) _128-SHA1 (2) _1024 pfsgroup = No. - pfs}

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: "cisco" #3: Dead Peer Detection (RFC 3706): enabled

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: "cisco" #3: transition of State STATE_QUICK_I1 of State STATE_QUICK_I2

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: "cisco" #3: STATE_QUICK_I2: sent QI2, Security Association established IPsec ESP tunnel {-online 0xa6393cfc mode<0x2fadc90d xfrm="AES_128-HMAC_SHA1" natoa="none" natd="none" dpd="">

    2013-07-11 16:16:13 RV110W authpriv.info pluto [6788]: "cisco" #3: STATE_QUICK_I2: sent QI2, Security Association established IPsec ESP tunnel {-online 0xa6393cfc mode<0x2fadc90d xfrm="AES_128-HMAC_SHA1" natoa="none" natd="none" dpd="">

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: package x.x.x.x:500: received vendor payload [Openswan (this version) 2.6.21] code

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: package x.x.x.x:500: received vendor payload [Dead Peer Detection] code

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: "cisco" #4: meet the main Mode

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: "cisco" #4: transition of State STATE_MAIN_R0 of State STATE_MAIN_R1

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: "cisco" #4: STATE_MAIN_R1: sent MR1, expected MI2

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: "cisco" #4: transition of State STATE_MAIN_R1 of State STATE_MAIN_R2

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: "cisco" #4: STATE_MAIN_R2: sent MR2, waiting for MI3

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: "cisco" #4: hand mode peer ID is ID_IPV4_ADDR: '96.2.165.2'

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: "cisco" #4: transition of State STATE_MAIN_R2 of State STATE_MAIN_R3

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: "cisco" #4: STATE_MAIN_R3: sent MR3, Security Association established ISAKMP {auth = OAKLEY_PRESHARED_KEY = prf = oakley_sha group = modp1024 aes_128 encryption}

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: "cisco" #4: Dead Peer Detection (RFC 3706): enabled

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: "cisco" #4: the proposed peer: 10.151.238.0/24:0/0-> 10.151.237.0/24:0/0

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: "cisco" #5: respond to the Quick Mode proposal {msgid:0779895 d}

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: "cisco" #5: us: 10.151.238.0/24===x.x.x.x

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: "cisco" #5: them: x.x.x.x===10.151.237.0/24

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: "cisco" #5: keep refhim = 4294901761 to the course to generate a new key

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: "cisco" #5: transition of State STATE_QUICK_R0 of State STATE_QUICK_R1

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: "cisco" #5: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: "cisco" #5: Dead Peer Detection (RFC 3706): enabled

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: "cisco" #5: transition of State STATE_QUICK_R1 of State STATE_QUICK_R2

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: "cisco" #5: STATE_QUICK_R2: IPsec Security Association established the {-online 0xad4da835 ESP tunnel mode<0x8d260557 xfrm="AES_128-HMAC_SHA1" natoa="none" natd="none" dpd="">

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:23 RV110W authpriv.debug pluto [6788]: package x.x.x.x:500: message from the phase 1 part of an unknown Exchange

    2013-07-11 16:16:43 RV110W authpriv.debug pluto [6788]: package x.x.x.x:500: message from the phase 1 part of an unknown Exchange

    2013-07-11 16:18:49 RV110W kern.debug wl0.0: IEEE 802.11 Association request a BSSID b8:62:1f:51:b1:72 cc:af:78:60:9e:9

    2013-07-11 16:18:49 RV110W kern.info wl0.0: cc:af:78:60:9e:9 a IEEE 802.11 STA associated BSSID b8:62:1f:51:b1:72

    2013-07-11 16:18:49 RV110W daemon.info udhcpd [789]: received REQUEST from CC:AF:78:60:9E:9 A

    2013-07-11 16:18:49 RV110W daemon.info udhcpd [789]: sending acknowledgement to 10.151.238.105

    2013-07-11 16:18:52 RV110W daemon.info udhcpd [789]: INFORMATION from CC:AF:78:60:9E:9 a.

    2013-07-11 16:20:15 RV110W daemon.info udhcpd [789]: INFORMATION from CC:AF:78:60:9E:9 a.

    2013-07-11 16:23:03 RV110W daemon.info udhcpd [789]: received REQUEST for 00:01:80:5 C: 98:B9

    2013-07-11 16:23:03 RV110W daemon.info udhcpd [789]: sending acknowledgement to 10.151.238.101

    Please help if you can.

    Aaron,

    When the tunnel is up, can you ping the LAN IP of the remote router? What type of traffic are you trying to send? What equipment and what device?

    If you are trying to reach a PC through the tunnel, be sure that there is no firewall software blocking traffic from a different LAN. Many times PCs will respond to connections on the same network, but not to a different subnet.

    Please give us more information about what devices are involved and what they are trying to do.

    -Marty
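
An added example, not part of the thread: a small Python triage of pluto log lines like those quoted in the question, showing per IKE state number whether phase 1 and phase 2 completed. It keys on the `STATE_*` names, which survive the garbled wording; the sample lines are abridged from the poster's log with the quoting cleaned up, and all function names are this example's own.

```python
import re

# States in which Openswan's pluto reports an SA as established.
ESTABLISHED = {
    "STATE_MAIN_I4": "ISAKMP SA (phase 1), initiator",
    "STATE_MAIN_R3": "ISAKMP SA (phase 1), responder",
    "STATE_QUICK_I2": "IPsec SA (phase 2), initiator",
    "STATE_QUICK_R2": "IPsec SA (phase 2), responder",
}

LINE_RE = re.compile(r"pluto ?\[\d+\][:.]\s*(?P<msg>.*)$")
STATE_NO_RE = re.compile(r"#(?P<num>\d+):")
STATE_RE = re.compile(r"STATE_(?:MAIN|QUICK)_[IR]\d")
# "deleting state" is pluto's own wording; "removal of State" is how
# the log in this thread renders it.
DELETE_RE = re.compile(r"deleting state|removal of State", re.IGNORECASE)
UNKNOWN_RE = re.compile(r"unknown exchange", re.IGNORECASE)

# Sample input: abridged from the log quoted in the thread.
SAMPLE_LOG = """\
2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: "cisco" #1: transition of State STATE_MAIN_I1 of State STATE_MAIN_I2
2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: "cisco" #1: STATE_MAIN_I2: sent MI2, waiting for MR2
2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: "cisco" #1: removal of State (STATE_MAIN_I2)
2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: package x.x.x.x:500: message from the phase 1 part of an unknown Exchange
2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: "cisco" #2: STATE_MAIN_I4: ISAKMP Security Association established
2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: "cisco" #3: STATE_QUICK_I2: sent QI2, Security Association established IPsec ESP tunnel
2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: "cisco" #4: STATE_MAIN_R3: sent MR3, Security Association established ISAKMP
2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: "cisco" #5: transition of State STATE_QUICK_R1 of State STATE_QUICK_R2
2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: "cisco" #5: STATE_QUICK_R2: IPsec Security Association established
2013-07-11 16:16:23 RV110W authpriv.debug pluto [6788]: package x.x.x.x:500: message from the phase 1 part of an unknown Exchange
"""


def summarize(log_text):
    """Track the last state reached by each pluto state number (#N)."""
    states = {}
    unknown = 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a pluto line (udhcpd, kernel, httpd, ...)
        msg = m.group("msg")
        if UNKNOWN_RE.search(msg):
            unknown += 1  # packet that matched no known IKE exchange
            continue
        num = STATE_NO_RE.search(msg)
        names = STATE_RE.findall(msg)
        if not num or not names:
            continue
        entry = states.setdefault(
            int(num.group("num")),
            {"last": None, "established": None, "deleted": False},
        )
        # In a transition line the target state is the last one named.
        entry["last"] = names[-1]
        if DELETE_RE.search(msg):
            entry["deleted"] = True
            continue
        if names[-1] in ESTABLISHED:
            entry["established"] = ESTABLISHED[names[-1]]
    return {"states": states, "unknown_exchange": unknown}


def tunnel_verdict(summary):
    """Classify the negotiation from the SAs that are established and not deleted."""
    live = [
        s["established"]
        for s in summary["states"].values()
        if s["established"] and not s["deleted"]
    ]
    phase1 = any("phase 1" in e for e in live)
    phase2 = any("phase 2" in e for e in live)
    if phase1 and phase2:
        return "negotiated"
    if phase1:
        return "phase 2 failed"
    return "phase 1 failed"


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for num, info in sorted(result["states"].items()):
        status = info["established"] or "not established"
        if info["deleted"]:
            status += " (deleted)"
        print(f"#{num}: last={info['last']} -> {status}")
    print("unknown-exchange packets:", result["unknown_exchange"])
    print("verdict:", tunnel_verdict(result))
```

A verdict of `negotiated` while traffic still fails means both IKE phases completed, so the remaining suspects are routing, access lists, or host firewalls on the far LAN.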
