3DES IPSEC, the tunnels on routers

Can someone give me a limit suggested on the number of IPSEC tunnels can be deleted on Cisco 3745, 2611, 1721? When you recommend the hardware accelerator?

The load on the routers is minimal. Memory requirements have not been specified. How much influence the memory recommendations?

Thank you!

I think I understand your question?

-Maximum number of encrypted tunnels:

-Up to 100 tunnel encrypted on a 1700 up to 300 tunnels on

Cisco 2600 up to 800 for 2650 with aim-vpn / ep up to 800 tunnels

For the 2600xms of cisco 2691 and 3725 until 800 tunnels on cisco

3620 and 3640 and up to 2 000 tunnels on cisco 3660 and 3745.

Tags: Cisco Security

Similar Questions

I get the error message on debugging ipsec-l2l tunnel

Hello

Can someone help me understand the debug message?
I get the error message on debugging ipsec-l2l tunnel

I tried to configure an ASA5520 with an ipsec-l2l to ios router 1721

= 1721 router =.

Cisco 1721 (flash: c1700-k9o3sy7 - mz.123 - 2.XC2.bin)
80.89.47.102 outside
inside 10.100.110.1 255.255.255.0

Debug crypto ipsec
Debug crypto ISAKMP

-config-
crypto ISAKMP policy 1
BA 3des
md5 hash
preshared authentication
Group 2
0 1234567890 128.39.189.10 crypto isakmp key address
!
!
Crypto ipsec transform-set esp-3des pix-series
!
ASA 10 ipsec-isakmp crypto map
defined by peer 128.39.189.10
transform-set pix - Set
match address 101
!
!
interface FastEthernet0

Outside-interface description

IP 80.89.47.102 255.255.255.252

NAT outside IP

card crypto asa

!

interface Vlan10
Inside description
IP 10.100.110.1 255.255.255.0
IP nat inside

!

!

IP nat inside source overload map route interface FastEthernet0 sheep

!

access-list 101 permit ip 10.100.110.0 0.0.0.255 10.100.4.0 0.0.3.255

!

access-list 110 deny ip 10.100.110.0 0.0.0.255 10.100.4.0 0.0.3.255
access-list 110 permit ip 10.100.110.0 0.0.0.255 any
!
sheep allowed 10 route map
corresponds to the IP 110
!

= Config ASA =.

Cisco 5520 ASA Version 8.2 (1)
128.39.189.10 outside
inside 10.100.4.255 255.255.252.0

Debug crypto ipsec
Debug crypto ISAKMP

-Config-
!
Allow Access-list extended sheep 255.255.252.0 IP 10.100.4.0 10.100.110.0 255.255.255.0
!
access extensive list ip 10.100.4.0 outside110 allow 255.255.252.0 10.100.110.0 255.255.255.0
!

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
86400 seconds, duration of life crypto ipsec security association
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto outside_map 11 match address outside110
peer set card crypto outside_map 11 80.89.47.102
card crypto outside_map 11 game of transformation-ESP-3DES-MD5
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400

!

attributes of Group Policy DfltGrpPolicy
VPN-idle-timeout no
Protocol-tunnel-VPN IPSec

!

tunnel-group 80.89.47.102 type ipsec-l2l
IPSec-attributes tunnel-group 80.89.47.102
pre-shared key 1234567890

Concerning
Tor

You have a transformation defined on the SAA named ESP-3DES-MD5? Your crypto card refers to that but I don't see it listed in the config you have posted. I don't have much experience with routers, but is MD5 hashing algoritm (and why it is not)?

James

Router (IPSec)-> INTERNET-> Router (IPsec) where to put the TUNNEL IP POOL?

Hello

I'm still learning the VPN (IPsec), I was able to create a tunnel between my PC and my router, but now I want to connect two routers:

F0/1=192.168.0.1 ROUTER A-> INTERNET-> ROUTER B F0/1=192.168.10.1

Both routers receive an IP address from my ISP, I can't do a ping to a site at the other site, I mean, I am able to PING ROUTER A from ROUTER B with the ISP addresses and otherwise.

Two ROUTERS have the same configuration, except for the IP addresses and the ACL, they are opposite.

I think I know what I did wrong, but I don't know how to solve: the TUNNEL need also an IP from a POOL where should I put up, the ROUTER A or ROUTER B?

ROUTER

version 12.4

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

router host name

!

boot-start-marker

boot-end-marker

!

No aaa new-model

IP cef

!

crypto ISAKMP policy 1

BA 3des

preshared authentication

Group 2

ISAKMP crypto key cisco address 81.83.201.BB

!

!

Crypto ipsec transform-set esp-3des RIGHT

!

router_A_to_router_B 1000 ipsec-isakmp crypto map

set of peer 81.83.201.BB

transformation-RIGHT game

match address 101

!

interface FastEthernet0/0

DHCP IP address

automatic speed

full-duplex

router_A_to_router_B card crypto

!

interface FastEthernet0/1

the IP 192.168.0.1 255.255.255.0

automatic speed

full-duplex

!

!

no ip address of the http server

no ip http secure server

!

access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255

!

!

control plan

!

Line con 0

Speed 115200

line to 0

line vty 0 4

!

!

end

ROUTER B

version 12.4

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

router host name

!

boot-start-marker

boot-end-marker

!

No aaa new-model

IP cef

!

crypto ISAKMP policy 1

BA 3des

preshared authentication

Group 2

ISAKMP crypto key cisco address 81.83.201.AA

!

!

Crypto ipsec transform-set esp-3des RIGHT

!

router_B_to_router_A 1000 ipsec-isakmp crypto map

set of peer 81.83.201.AA

transformation-RIGHT game

match address 101

!

interface FastEthernet0/0

DHCP IP address

automatic speed

full-duplex

router_B_to_router_A card crypto

!

interface FastEthernet0/1

IP 192.168.10.1 255.255.255.0

automatic speed

full-duplex

!

!

no ip address of the http server

no ip http secure server

!

access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255

!

!

control plan

!

Line con 0

Speed 115200

line to 0

line vty 0 4

!

!

end

!

!

!

!

!

!

Best regards

Didier

Didier, there are a number of things missing in your config file to make it work, what I can say fa0/1 is inside and the fa0/0 are outdoors. There is no NAT translation to activate the computers inside the network, allowing access to the Internet. You will also need to exclude the EIGRP NAT roads in order to reach the remote network. Each router must have a default gateway to the Internet, this should be done with the following command:

IP route 0.0.0.0 0.0.0.0 fa0/0 dhcp

This will use the default gateway of the DHCP server that assigns IP address on fa0/0. Once that each router has a path to another and the tunnel connects EIGRP will handle the rest given the information to the router 90, this is the spectacle of one of my spoke routers route:

NTR-2620XM #show ip route
Code: C - connected, S - static, mobile R - RIP, M-, B - BGP
D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone
N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2
E1 - OSPF external type 1, E2 - external OSPF of type 2
i - IS - Su - summary IS, L1 - IS - IS level 1, L2 - IS level - 2
-IS inter area, * - candidate failure, U - static route by user
o - ODR, P - periodic downloaded route static

Gateway of last resort is to network 0.0.0.0 0.0.0.0

65.0.0.0/32 is divided into subnets, subnets 1
C 65.14.24.190 is directly connected, Dialer0
172.16.0.0/32 is divided into subnets, subnets 1
D EX 172.16.50.31 [170/3074560] via 172.19.8.1, 20:04:58, Tunnel0
172.19.0.0/24 is divided into subnets, subnets 1
C 172.19.8.0 is directly connected, Tunnel0
10.0.0.0/8 is variably divided into subnets, subnets 14, 6 masks
D EX 10.13.13.8/29 [170/2818560] via 172.19.8.1, 20:04:58, Tunnel0
D EX 10.11.7.0/28 [170/2818560] via 172.19.8.1, 20:04:58, Tunnel0
D 10.13.13.0/29 [90/2818560] via 172.19.8.1, 20:04:58, Tunnel0
C 10.19.9.0/27 is directly connected, Vlan200
C 10.19.8.0/24 is directly connected, Vlan100
C 10.19.10.0/28 is directly connected, Vlan900
D EX 10.20.7.0/24 [170/2818560] via 172.19.8.1, 20:04:58, Tunnel0
D [90/3097600] 10.22.7.0/24 through 172.19.8.1, 17:34:52, Tunnel0
D 10.37.4.0/24 [90/3074560] via 172.19.8.1, 20:04:59, Tunnel0
D 10.15.50.0/24 [90/3074560] via 172.19.8.1, 20:04:59, Tunnel0
D EX 10.24.40.0/24 [170/2818560] via 172.19.8.1, 20:04:59, Tunnel0
D 10.12.85.0/24 [90/3074560] via 172.19.8.1, 20:04:59, Tunnel0
C 10.19.9.192/26 is directly connected, Vlan500
D EX 10.244.0.0/22 [170/2818560] via 172.19.8.1, 20:04:59, Tunnel0
74.0.0.0/32 is divided into subnets, subnets 1
C 74.23.201.24 is directly connected, Dialer0
S * 0.0.0.0/0 is directly connected, Dialer0

All designated routes D are dynamic routes drawn other routers on the DMVPN EIGRP. It will propagate the routing table and they point to the appropriate star. If you follow the example that I gave you, you will have a functional DMVPN.

See you soon,.

Sam

Cisco 877 site to site VPN routers a DHCP end cannot get the tunnel

Hello

I have two 877 cisco routers with the static ip address and other (3 routers more) with ADSL DHCP using the no - IP.com.

Currently I'm doing tests with only the static IP router and a DHCP router.

I can't go up the tunnel and running, I can connect using Cisco VPN client, but a site that is the most important of them does not work

I followed the example of configuration on this document http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

But I have no session encryption of output as well as no ipsec or isakmp output using this command (it's on the static IP router)

SH crypto ipsec his

Crypto isakmp HS her

SH encryption session

on the dynamic ip on the router side, I exit that with the sh command its crypto ipsec

This is the output

R3 #sh crypto ipsec his

Interface: Dialer1

Tag crypto map: mymap, local addr xxx.xxx.xxx.xxx

protégé of the vrf: (none)

local ident (addr, mask, prot, port): (192.168.5.0/255.255.255.0/0/0)

Remote ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)

current_peer xxx.xxx.xxx.xxx (Static ip of the router hub) port 500

LICENCE, flags is {origin_is_acl},

#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0

compressed #pkts: 0, unzipped #pkts: 0

#pkts uncompressed: 0, #pkts compr. has failed: 0

#pkts not unpacked: 0, #pkts decompress failed: 0

Errors #send 0, #recv 0 errors

endpt local crypto. : xxx.xxx.xxx.xxx, remote Start crypto. : xxx.xxx.xxx.xxx

Path mtu 1492 mtu 1492 ip, ip mtu BID Dialer1

current outbound SPI: 0x0 (0)

PFS (Y/N): N, Diffie-Hellman group: no

SAS of the esp on arrival:

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:

outgoing ah sas:

outgoing CFP sas:

Interface: ATM0

Tag crypto map: mymap, local addr 0.0.0.0

protégé of the vrf: (none)

local ident (addr, mask, prot, port): (192.168.5.0/255.255.255.0/0/0)

Remote ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)

current_peer xxx.xxx.xxx.xxx port 500

LICENCE, flags is {origin_is_acl},

#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0

compressed #pkts: 0, unzipped #pkts: 0

#pkts uncompressed: 0, #pkts compr. has failed: 0

#pkts not unpacked: 0, #pkts decompress failed: 0

Errors #send 0, #recv 0 errors

endpt local crypto. : 0.0.0.0, remote Start crypto. : xxx.xxx.xxx.xxx

Path mtu 1500, mtu 1500 ip, ip mtu IDB ATM0

current outbound SPI: 0x0 (0)

PFS (Y/N): N, Diffie-Hellman group: no

SAS of the esp on arrival:

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:

outgoing ah sas:

outgoing CFP sas:

Interface: virtual Network1

Tag crypto map: mymap, local addr 0.0.0.0

protégé of the vrf: (none)

local ident (addr, mask, prot, port): (192.168.5.0/255.255.255.0/0/0)

Remote ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)

current_peer xxx.xxx.xxx.xxx port 500

LICENCE, flags is {origin_is_acl},

#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0

compressed #pkts: 0, unzipped #pkts: 0

#pkts uncompressed: 0, #pkts compr. has failed: 0

#pkts not unpacked: 0, #pkts decompress failed: 0

Errors #send 0, #recv 0 errors

endpt local crypto. : 0.0.0.0, remote Start crypto. : xxx.xxx.xxx.xxx

Path mtu 1492 mtu 1492 ip, ip mtu IDB virtual Network1

current outbound SPI: 0x0 (0)

PFS (Y/N): N, Diffie-Hellman group: no

SAS of the esp on arrival:

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:

outgoing ah sas:

outgoing CFP sas:

Set the configuration is for both routers

Thanks in advance

Kind regards

Hello

Try the following changes:

HUB

NAT extended IP access list

deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255

ip permit 192.168.1.0 0.0.0.255 any

!

TALK

NAT extended IP access list

deny ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255

ip licensing 192.168.5.0 0.0.0.255 any

the example you mentioned was not using NAT while you are. Check following link:

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml?referring_site=smartnavRD

HTH

Andy

IPsec VPN between two routers - mode ESP Transport and Tunnel mode

Hi experts,

I have this question about the Transport mode and Tunnel mode for awhile.

Based on my understanding of 'Transport' mode is not possible because you always original "internal" private in the IP headers or IP addresses. They are always different as public IP on interfaces enabled with Crypto Card addresses. When encapsulated in the VPN tunnel, the internal IP addresses must be included or the remote VPN router won't know where to forward the packet.

To test, I built a simple GNS3 with three routers laboratory. R1 and R3 are configured as VPN routers and the R2 must simulate Internet.

My configs are also very basic. The R2 is routing between 1.1.1.0/24 and 2.2.2.0/24. It is defined as the gateway of R1 and R3.

R1:

crypto ISAKMP policy 100
BA aes
preshared authentication
Group 2
ISAKMP crypto key 123456 address 2.2.2.2
!
Crypto ipsec transform-set ESP_null null esp esp-sha-hmac
!
10 map ipsec-isakmp crypto map
defined peer 2.2.2.2
transformation-ESP_null game
match address VPN

!

list of IP - VPN access scope
ip permit 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!

R3:

crypto ISAKMP policy 100
BA aes
preshared authentication
Group 2
ISAKMP crypto key 123456 address 1.1.1.2
!
!
Crypto ipsec transform-set ESP_null null esp esp-sha-hmac
!
10 map ipsec-isakmp crypto map
defined peer 1.1.1.2
transformation-ESP_null game
match address VPN

!

list of IP - VPN access scope
Licensing ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255

I configured transform-"null" value, while it will not encrypt the traffic.

Then I tried the two 'transport' mode and mode "tunnel". I ping a host in the internal network of the R1 to another host in the internal network of the R3. I also tried 'telnet'. I also captured packets and carefully compared in both modes.

Packets encapsulated in exactly the same way!

It's just SPI + sequence No. + + padding

I will attach my screenshots here for you guys to analyze it. I would be grateful for any explanation. I confused maybe just when it comes to the NAT...

I guess my next step is to check if the two modes to make the difference when the GRE is used.

Thank you

Difan

Hi Difan,

As you point out the mode of transport is not always applicable (i.e. applicable if IP source and destination is equal to corresnpoding proxy IDs).

A typical scenario in this mode of transport is used:

-Encryption between two hosts

-GRE tunnels

-L2TP over IPsec

Even if you set "transport mode" this does not mean that it will be used. IOS routers and I blieve also ASA will perform backup even if the mode of transport is configured but does not apply in tunnel mode.

I can take a look at your traces to sniff, but all first can you please check if you transport mode on your ipsec security associations? "See the crypto ipsec his" exit you will show the tunnel or transport mode.

HTH,

Marcin

Double IPSec tunnel between routers

I am facing the following challenge:

I have two routers and want to build two IPSec encapsulated between them, with the help of ASIT tunnel interfaces.

The interaces two tunnel would in that case the same source and destination ip addresses.

With a single tunnel interface defined, it works well, however, as soon as the second tunnel interface is defined, the first breaks down.

Here is an example configuration:

interface Tunnel0
IP 192.168.1.1 255.255.255.252
source of tunnel Serial1/0
tunnel destination 10.1.1.6
ipv4 ipsec tunnel mode
protection of ipsec profile ipsecprofile tunnel
!
Tunnel1 interface
IP 192.168.1.5 255.255.255.252
source of tunnel Serial1/0
tunnel destination 10.1.1.6
ipv4 ipsec tunnel mode
protection of ipsec profile ipsecprofile tunnel
!

In fact, the matter is rather a conceptual issue than a direct. What is the root cause, this type of configuration does not work?

ESP protocol is the distinction between endponits ESP SAs based on SPI identifier as well, isn't? If so, what is wrong here?

Thanks in advance...

Hi Frank,.

As a general rule, you cannot have two interfaces of tunnel with the same tunnel source (series 1/0) and destinations (10.1.1.6) tunnel; with the same method (ipv4) tunel.

The work around that would be to bounce one of the tunnels on a loopback interface.

This tunnel 1: tunnel_interface_1 - series 1/0---internet---10.1.1.6

and tunnel 2: tunnel_interface_2---loopback---serial1/0---internet---10.1.1.6

In this way the two tunnels can be up at the same time.

I hope this helps.

-Shrikant

P.S.: Please check question one answer, if it has been resolved. Note the useful messages. Thank you.

ASA Cisco IPSEC VPN tunnel has not managed the traffic

Hi guys

I am trying to set up a new connection IPSEC VPN between a Cisco ASA 5520 (verion 8.4 (4)) and Checkpoint Firewall. I managed to establish the phases IKE and IPSEC and I can see the tunnel is UP. But I can't see any traffic through the tunnel. I checked the cryptomap both ends and try to test with a contionuous ping from within the network of the SAA.

I made a screenshot of ICMP packets but cannot see in ASA. I welcomed the icmp inside ASA interface.

I did a package tracer and it ends with a fall of vpn - filter the packets. But can not see any configured filters...

Your help is very appreciated...

Thank you

You probably need to add nat negate statements:-something like.

object-group network OBJ-LOCAL
Network 10.155.176.0 255.255.255.0
object-group network OBJ / remote
object-network 192.168.101.0 255.255.255.0
NAT static OBJ-LOCALOBJ-LOCAL source destination (indoor, outdoor) static OBJ-REMOTE OBJ-REMOTE-no-proxy-arp

You are running 8.4 nat 0 has been amortized

Site VPN to IPsec with PAT through the tunnel configuration example

Hello

as I read a lot about vpn connections site-2-site
and pass by PAT through it I still haven't found an example configuration for it on e ASA 55xx.

now, I got suite facility with two locations A and B.

192.168.0.0/24 Site has - ipsec - Site B 192.168.200.0/24
172.16.16.0/24 Site has

---------------------------------------------------------------------------

Host--> participated in IP 192.168.0.4: 192.168.0.3-> to 192.168.200.20
Host 192.168.0.127--> participated in IP: 192.168.0.3-> to 192.168.200.20
Host 192.168.0.129--> participated in IP: 192.168.0.3-> to 192.168.200.20
Host 192.168.0.253--> participated in IP: 192.168.0.3-> to 192.168.200.20

Host 172.16.16.127--> participated in IP: 192.168.0.3-> to 192.168.200.20
Host 172.16.16.253--> participated in IP: 192.168.0.3-> to 192.168.200.20

---------------------------------------------------------------------------

Now that I have guests autour within networks 172.16.16.0 like 192.168.0.0,
witch need to access a server terminal server on the SITE b.

As I have no influence on where and when guests pop up in my Site.
I would like to hide them behind a single ip address to SITE B.

If in the event that a new hosts need access, or old hosts can be deleted,
its as simple as the ACL or conviniently inlet remove the object from the network.

so I guess that the acl looks like this:

---------------------------------------------------------------------------

access VPN-PARTICIPATED-HOSTS list allow ip 192.168.0.4 host 192.168.200.20
VPN-PARTICIPATED-HOSTS access list permit ip host 192.168.0.127 192.168.200.20
VPN-PARTICIPATED-HOSTS access list permit ip host 192.168.0.129 192.168.200.20
access VPN-PARTICIPATED-HOSTS list allow ip 192.168.0.253 host 192.168.200.20
VPN-PARTICIPATED-HOSTS access list permit ip host 172.16.16.127 192.168.200.20
VPN-PARTICIPATED-HOSTS access list permit ip host 172.16.16.253 192.168.200.20

---------------------------------------------------------------------------

But, now, my big question is, how do I said the asa to use: 192.168.0.3 as the
address for the translation of PAT?

something like this he will say, it must be treated according to the policy:

NAT (1-access VPN INVOLVED-HOST internal list)

Now how do I do that?
The rest of the config, I guess that will be quite normal as follows:

card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set of AA peers. ABM CC. DD
card crypto outside_map 1 set of transformation-ESP-AES-256-SHA
outside_map card crypto 1 lifetime of security set association, 3600 seconds

permit access list extended ip 192.168.0.3 outside_1_cryptomap host 192.168.200.20

---------------------------------------------------------------------------

On SITE B

the config is pretty simple:

card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set of peer SITE has IP
card crypto outside_map 1 set of transformation-ESP-AES-256-SHA
outside_map card crypto 1 lifetime of security set association, 3600 seconds

outside_1_cryptomap list extended access allowed host host 192.168.200.20 IP 192.168.0.3

inside_nat0_outbound list extended access allowed host host 192.168.200.20 IP 192.168.0.3

---------------------------------------------------------------------------

Thank you for you're extra eyes and precious time!

Colin

You want to PAT the traffic that goes through the tunnel?

list of access allowed PAT ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0

PAT 172.16.16.0 permit ip access list 255.255.255.0 192.168.200.0 255.255.255.0

NAT (inside) 1 access list PAT

Global (outside) 1 192.168.0.3 255.255.255.255

Then, the VPN ACL applied to the card encryption:

list of access allowed vpn host ip 192.168.0.3 192.168.200.0 255.255.255.0

Thus, all traffic from Site A will be PATed when you remotely 192.168.200.0/24

The interesting thing is that traffic can only be activated from your end.

The remote end cannot initialize traffic to 192.168.0.3 if there is not a version of dynamic translation on your side.

Is that what you are looking for?

Federico.

Configure several IPSec VPN between Cisco routers

I would like to create multiple ipsec VPN between 3 routers. Before applying it, I would like to check on the config I wrote to see if it works. It's just on RouterA configuration for virtual private networks to RouterB, and RouterC.

As you can apply in a cyptomap by interface, I say with the roadmap, that it should be able to manage traffic for both routers. Or is there a better way to do it?

RouterA - 1.1.1.1

RouterB - 2.2.2.2

RouterC - 3.3.3.3

RouterA

crypto ISAKMP policy 10

BA 3des

preshared authentication

Group 2

ISAKMP crypto key RouterB address 2.2.2.2

ISAKMP crypto keys RouterC address 3.3.3.3

invalid-spi-recovery crypto ISAKMP

ISAKMP crypto keepalive 5 10 periodicals

ISAKMP crypto nat keepalive 30

!

life crypto ipsec security association seconds 28800

!

Crypto ipsec transform-set AES - SHA esp - aes 256 esp-sha-hmac

!

outsidemap 20 ipsec-isakmp crypto map

defined peer 2.2.2.2

game of transformation-AES-SHA

match address 222

outsidemap 30 ipsec-isakmp crypto map

defined peer 3.3.3.3

game of transformation-AES-SHA

match address 333

!

interface GigabitEthernet0/0

Description * Internet *.

NAT outside IP

outsidemap card crypto

!

interface GigabitEthernet0/1

Description * LAN *.

IP 1.1.1.1 255.255.255.0

IP nat inside

!

IP nat inside source map route RouterA interface GigabitEthernet0/0 overload

!

access-list 222 allow ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

access-list 223 deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

access-list 223 allow ip 1.1.1.0 0.0.0.255 any

access-list 333 allow ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255

access-list 334 deny ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255

access-list 334 allow ip 1.1.1.0 0.0.0.255 any

!

!

RouterA route map permit 10

corresponds to the IP 223 334

Hi Chris,

The two will remain active.

The configuration you have is for several ste VPN site is not for the redundant VPN.

The config for the redundant VPN is completely different allows so don't confuse is not with it.

In the redundant VPN configuration both peers are defined in the same card encryption.

Traffic that should be passed through the tunnel still depend on the access list, we call in the card encryption.

This access-lsist is firstly cheked and as a result, the traffic is passed through the correct tunnel

HTH!

Concerning

Regnier

Please note all useful posts

Cisco ASA 5515 two asa firewall ipsec vpn tunnel is not coming

HelloW everyone.

I configured ipsec vpn tunnel between Singapore and Malaysia with asa firewall.

but the vpn does not come to the top. can someone tell me what can be the root cause?

Here is the configuration of twa asa: (I changed the ip address all the)

Singapore:

See the race
ASA 2.0000 Version 4
!
ASA5515-SSG520M hostname
activate the encrypted password of PVSASRJovmamnVkD
names of
!
interface GigabitEthernet0/0
nameif inside
security-level 100
IP 192.168.15.4 255.255.255.0
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
IP 192.168.5.3 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside
security-level 0
IP 160.83.172.8 255.255.255.224
<--- more="" ---="">

!
<--- more="" ---="">

interface GigabitEthernet0/3
<--- more="" ---="">

Shutdown
<--- more="" ---="">

No nameif
<--- more="" ---="">

no level of security
<--- more="" ---="">

no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
nameif test
security-level 100
IP 192.168.168.219 255.255.255.0
!
interface Management0/0
management only
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
!
connection of the banner ^ C please disconnect if you are unauthorized access ^ C
connection of the banner please disconnect if you are unauthorized access
boot system Disk0: / asa922-4-smp - k8.bin
passive FTP mode
network of the SG object
<--- more="" ---="">

192.168.15.0 subnet 255.255.255.0
network of the MK object
192.168.6.0 subnet 255.255.255.0
service of the TCP_5938 object
Service tcp destination eq 5938
Team Viewer description
service tcp_3306 object
Service tcp destination eq 3306
service tcp_465 object
tcp destination eq 465 service
service tcp_587 object
Service tcp destination eq 587
service tcp_995 object
tcp destination eq 995 service
service of the TCP_9000 object
tcp destination eq 9000 service
network of the Inside_host object
Home 192.168.15.202
service tcp_1111 object
Service tcp destination eq 1111
service tcp_7878 object
Service tcp destination eq 7878
service tcp_5060 object
SIP, service tcp destination eq
<--- more="" ---="">

service tcp_5080 object
Service tcp destination eq 5080
network of the NETWORK_OBJ_192.168.15.0_24 object
192.168.15.0 subnet 255.255.255.0
inside_access_in list extended access allowed object SG ip everything
OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
access extensive list ip 192.168.15.0 outside_cryptomap allow 255.255.255.0 object MK
pager lines 24
Enable logging
timestamp of the record
exploitation forest-size of the buffer of 30000
debug logging in buffered memory
recording of debug trap
debugging in the history record
asdm of logging of information
host test 192.168.168.231 record
host test 192.168.168.203 record
Within 1500 MTU
MTU 1500 DMZ
Outside 1500 MTU
test MTU 1500
management of MTU 1500
no failover
<--- more="" ---="">

ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 7221.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source SG SG static destination MK MK non-proxy-arp-search to itinerary
!
network of the SG object
NAT dynamic interface (indoor, outdoor)
network of the Inside_host object
NAT (inside, outside) interface static 9000 9000 tcp service
inside_access_in access to the interface inside group
Access-group OUTSIDE_IN in interface outside
Route outside 0.0.0.0 0.0.0.0 160.83.172.x 1
Route inside 10.0.1.0 255.255.255.0 192.168.15.199 1
Route inside 10.0.2.0 255.255.255.0 192.168.15.199 1
Route inside 10.0.11.0 255.255.255.0 192.168.15.199 1
Route inside 10.1.0.0 255.255.0.0 192.168.15.199 1
Route inside 10.8.0.0 255.255.0.0 192.168.15.199 1
Route inside 10.104.0.0 255.255.0.0 192.168.15.199 1
Route inside 192.168.8.0 255.255.255.0 192.168.15.199 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
<--- more="" ---="">

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http server

Community trap SNMP-server host test 192.168.168.231 *.
No snmp server location
No snmp Server contact
Server enable SNMP traps syslog
Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
<--- more="" ---="">

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
<--- more="" ---="">

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec pmtu aging infinite - the security association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
card crypto CRYPTO-map 2 set peer 103.246.3.54
card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto CRYPTO-map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
CRYPTO-card interface card crypto outside
trustpool crypto ca policy
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400

Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
internal GroupPolicy1 group strategy
attributes of Group Policy GroupPolicy1
Ikev1 VPN-tunnel-Protocol
username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
tunnel-group 143.216.30.7 type ipsec-l2l
tunnel-group 143.216.30.7 General-attributes
Group Policy - by default-GroupPolicy1
<--- more="" ---="">

IPSec-attributes tunnel-group 143.216.30.7
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
Overall description
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
<--- more="" ---="">

inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:ccce9a600b491c8db30143590825c01d
: end

Malaysia:

:
ASA 2.0000 Version 4
!
hostname ASA5515-SSG5-MK
activate the encrypted password of PVSASRJovmamnVkD
names of
!
interface GigabitEthernet0/0
nameif inside
security-level 100
IP 192.168.6.70 255.255.255.0
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
IP 192.168.12.2 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside
security-level 0
IP 143.216.30.7 255.255.255.248
<--- more="" ---="">

!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
nameif test
security-level 100
IP 192.168.168.218 255.255.255.0
!
interface Management0/0
management only
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
!
<--- more="" ---="">

Interface Port - Channel 1
No nameif
no level of security
IP 1.1.1.1 255.255.255.0
!
boot system Disk0: / asa922-4-smp - k8.bin
passive FTP mode
clock timezone GMT + 8 8
network of the SG object
192.168.15.0 subnet 255.255.255.0
network of the MK object
192.168.6.0 subnet 255.255.255.0
service of the TCP_5938 object
Service tcp destination eq 5938
Team Viewer description
service tcp_3306 object
Service tcp destination eq 3306
service tcp_465 object
tcp destination eq 465 service
service tcp_587 object
Service tcp destination eq 587
service tcp_995 object
tcp destination eq 995 service
service of the TCP_9000 object
<--- more="" ---="">

tcp destination eq 9000 service
network of the Inside_host object
Home 192.168.6.23
service tcp_1111 object
Service tcp destination eq 1111
service tcp_7878 object
Service tcp destination eq 7878
service tcp_5060 object
SIP, service tcp destination eq
service tcp_5080 object
Service tcp destination eq 5080
network of the NETWORK_OBJ_192.168.2.0_24 object
192.168.6.0 subnet 255.255.255.0
inside_access_in list extended access allowed object SG ip everything
VPN-INTERESTING-TRAFFIC extended access list permit ip object MK SG
OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
outside_cryptomap to access extended list ip 192.168.6.0 allow 255.255.255.0 object SG
pager lines 24
Enable logging
timestamp of the record
exploitation forest-size of the buffer of 30000
debug logging in buffered memory
recording of debug trap
asdm of logging of information
<--- more="" ---="">

host test 192.168.168.231 record
host test 192.168.168.203 record
Within 1500 MTU
MTU 1500 DMZ
Outside 1500 MTU
test MTU 1500
management of MTU 1500
reverse IP check management interface path
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 7221.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source MK MK static destination SG SG route no-proxy-arp-search
NAT (inside, outside) static source NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 static destination SG SG route no-proxy-arp-search
!
network of the MK object
NAT dynamic interface (indoor, outdoor)
network of the Inside_host object
NAT (inside, outside) interface static 9000 9000 tcp service
inside_access_in access to the interface inside group
Access-group OUTSIDE_IN in interface outside
Route outside 0.0.0.0 0.0.0.0 143.216.30.x 1
<--- more="" ---="">

Route inside 10.2.0.0 255.255.0.0 192.168.6.200 1
Route inside 10.6.0.0 255.255.0.0 192.168.6.200 1
Route inside 192.168.254.0 255.255.255.0 192.168.6.200 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
the ssh LOCAL console AAA authentication
Enable http server

No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
<--- more="" ---="">

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
<--- more="" ---="">

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec pmtu aging infinite - the security association
crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
card crypto CRYPTO-map 2 set peer 160.83.172.8
card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
CRYPTO-card interface card crypto outside
trustpool crypto ca policy
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
SSH timeout 60
SSH group dh-Group1-sha1 key exchange
Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
attributes of Group Policy DfltGrpPolicy
Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
internal GroupPolicy1 group strategy
attributes of Group Policy GroupPolicy1
Ikev1 VPN-tunnel-Protocol
username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
<--- more="" ---="">

tunnel-group MK SG type ipsec-l2l
IPSec-attributes tunnel-group MK-to-SG
IKEv1 pre-shared-key *.
tunnel-group 160.83.172.8 type ipsec-l2l
tunnel-group 160.83.172.8 General-attributes
Group Policy - by default-GroupPolicy1
IPSec-attributes tunnel-group 160.83.172.8
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
<--- more="" ---="">

inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

Good news, that VPN has been implemented!

According to the ping problem, my suggestion is to check, if some type of firewall based on host computers on both sides block ICMP requests.

Anyway, you can still use the capture of packets on the inside of the interfaces of the two ASAs, to check if the ICMP traffic is to reach the ASA.

In addition, you can try to enable ICMP inspection:

Policy-map global_policy
class inspection_default

inspect the icmp

inspect the icmp error

name of the tunnel-group

Hello

In the configuration below I put in place a tunnel-group name that is the same as the counterpart of VPN tunnel. Is that what you have to do, or could call you the tunnel-group what you want?

part of pre authentication ISAKMP policy 1

ISAKMP policy 1 3des encryption

ISAKMP policy 1 sha hash

Group of ISAKMP policy 1 2

ISAKMP policy 1 life 43200

ISAKMP allows outside

Crypto ipsec transform-set esp-3des esp-md5-hmac FirstSet

l2l_list to access extended list ip 192.168.100.0 allow 255.255.255.0 192.168.1.0 255.255.255.0

tunnel-group 10.10.10.1 type ipsec-l2l

tunnel-group 10.10.10.1 ipsec-attributes

pre-shared key xxx

card crypto abcmap 1 match address l2l_list

card crypto abcmap 1 set counterpart 10.10.10.1

card crypto abcmap 1 set of transformation-FirstSet

abcmap interface card crypto outside

Robert,

The tunnekl group should be the IP address of the remote end - because it is used as ID. The only time where ever you need to use a specific name - is if you are certificate authentication.

HTH.

Force traffic into the tunnel?

No IPSEC applied anywhere yet.

If you have 2 routers configured back to back with the physical interfaces tunnel interfaces - which way will be the traffic travels above?

Answer - It will follow the path of the routing table that I guess. OSPF or static or other routes.

Series enough.

Now add one IPSEC.

OSPF fails as IPSEC does not support multicast.

Series enough.

Now, add IPSEC and GRE to the mix. Apply card crypto both physical and tunnel interfaces.

Included here is the common ACL associated with free WILL. That is: -.

access-list 100 permit will host [address physical source] [address physical destination]

It's the ACL that is supposed to define what traffic is 'interesting' and which must be encrypted.

We will repeat the question: what should be the traffic?

I guess it's the same answer. Refer to the routing table.

But that traffic is encrypted? Answer - ONLY traffic destined to the IP tunnel interface.

If you ping from physics to physics, it will be clear.

Question - do you need to force ALL traffic to the bottom of the tunnel interface in the order so he could match the ACL and therefore get encrypted?

How do accomplish us this?

Discussion and debate would be greatly appreciated.

He

Only traffic with the source/destination of the tunnel interfaces - you just encapsulate & encrypt what happens / leaves the tunnel. If you have two sites connected through a VPN IPSEC, 'interesting' traffic for VPN is the source/destination on tunnel interfaces you need to LAN traffic in the tunnel interfaces. If you have either the static routes, or run you a dynamic routing such as OSPF or EIGRP Protocol.

You may have a default route pointing to the firewall, a routing protocol dynamic running - so that all "internal" traffic will take place on the tunnel = encrypted vpn to a remote site, while all the 'internet' traffic routes to the firewall and leaves normally.

HTH

Command to check the tunnel VPN S2S awhile in the cisco router

Dear all,

Please share the command check S2S tunnel of time that is configured on the router.

There are commands that define the lifetimes of (his) IPSec Security Associations, ISAKMP.

For example:

crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
life 3600

life 3599 seconds crypto ipsec security association

... and you can determine the remaining lifetime for these SAs with the following commands:

SH detail session crypto

SH in detail its crypto isakmp

SH crypto ipsec his

The delta between the lifetime (s) configured and remaining life will tell you how much time has passed since the last regeneration, but that is as close you are likely to have to determine when the tunnel came first.

You could use other means as States of syslog for you say when a Tunnel is a transitioning upwards or downwards.

Best regards

Mike

IPSEC VPN tunnel on issue of Zonebased Firewall

Help, please!

I'm trying to configure a router lab ISR1921 to build the VPN tunnel with vmware vshield edge. The configuration of the 1921 is pasted below. There is not a lot of adjustment on the side of vshield really and I'm sure both sides are adapting to phase 1 & 2.

The question I have: the tunnel can be built correctly and I also see from show crypto ipsec release encap and decap counters. However the devices on each side can communicate. That said, I can ping from 1921 to the IP of the internal interface of the vshield with IP source specified. But just no communication part and other...

I did debugs and only "error" messages are:

01:58:03.193 20 February: ISAKMP: (1001): error suppression node 1656104565 FALSE reason 'informational (in) State d1.

...

01:58:03.193 20 February: ISAKMP: (1001): purge the node-1657220080

I hope that I did a stupid thing to configure error, but I spent too much time on it. It is supposed to be a really simple installation... Please help!

!

version 15.4

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

Lab-1900 host name

!

boot-start-marker

boot system flash: c1900-universalk9-mz. Spa. 154 - 1.T1.bin

boot system flash: c1900-universalk9-mz. Spa. 151 - 4.M7.bin

boot system flash: c1900-universalk9-mz. Spa. 150 - 1.M4.bin

boot-end-marker

!

AAA new-model

!

AAA authentication login default local

authorization AAA console

AAA authorization exec default local

!

AAA - the id of the joint session

clock timezone AST - 4 0

clock to summer time recurring ADT 3 Sun Mar 2 Sun Nov 02:00 02:00

!

DHCP excluded-address IP 192.168.100.1 192.168.100.40

!

dhcp DHCPPOOL IP pool

import all

network 192.168.100.0 255.255.255.0

LAB domain name

DNS 8.8.8.8 Server 4.2.2.2

default router 192.168.100.1

4 rental

!

Laboratory of IP domain name

8.8.8.8 IP name-server

IP-server names 4.2.2.2

inspect the IP log drop-pkt

IP cef

No ipv6 cef

!

type of parameter-card inspect global

Select a dropped packet newspapers

Max-incomplete 18000 low

20000 high Max-incomplete

Authenticated MultiLink bundle-name Panel

!

redundancy

!

property intellectual ssh version 2

!

type of class-card inspect entire game ESP_CMAP

match the name of group-access ESP_ACL

type of class-card inspect the correspondence SDM_GRE_CMAP

match the name of group-access GRE_ACL

type of class-card inspect entire game PAC-cls-icmp-access

match icmp Protocol

tcp protocol match

udp Protocol game

type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-13

game group-access 154

class-card type check ALLOW-VPN-TRAFFIC-OUT match-all

match the ALLOW-VPN-TRAFFIC-OUT access group name

type of class-card inspect entire game PAC-cls-insp-traffic

match Protocol pptp

dns protocol game

ftp protocol game

https protocol game

match icmp Protocol

match the imap Protocol

pop3 Protocol game

netshow Protocol game

Protocol shell game

match Protocol realmedia

match rtsp Protocol

smtp Protocol game

sql-net Protocol game

streamworks Protocol game

tftp Protocol game

vdolive Protocol game

tcp protocol match

udp Protocol game

http protocol game

type of class-card inspect entire game AH_CMAP

match the name of group-access AH_ACL

inspect the class-map match ALLOW VPN TRAFFIC type

match the ALLOW-VPN-TRAFFIC-OUT access group name

type of class-card inspect correspondence ccp-invalid-src

game group-access 126

type of class-card inspect entire game PAC-insp-traffic

corresponds to the class-map PAC-cls-insp-traffic

type of class-card inspect entire game SDM_VPN_TRAFFIC

match Protocol isakmp

match Protocol ipsec-msft

corresponds to the AH_CMAP class-map

corresponds to the ESP_CMAP class-map

type of class-card inspect correspondence ccp-icmp-access

corresponds to the class-ccp-cls-icmp-access card

type of class-card inspect the correspondence SDM_VPN_PT

game group-access 137

corresponds to the SDM_VPN_TRAFFIC class-map

!

type of policy-card inspect self-out-pmap

class type inspect PCB-icmp-access

inspect

class class by default

Pass

policy-card type check out-self-pmap

class type inspect SDM_VPN_PT

Pass

class class by default

Drop newspaper

policy-card type check out-pmap

class type inspect PCB-invalid-src

Drop newspaper

class type inspect ALLOW VPN TRAFFIC OUT

inspect

class type inspect PCB-insp-traffic

inspect

class class by default

Drop newspaper

policy-card type check out in pmap

class type inspect sdm-cls-VPNOutsideToInside-13

inspect

class class by default

Drop newspaper

!

security of the area outside the area

safety zone-to-zone

safety zone-pair zp-self-out source destination outside zone auto

type of service-strategy inspect self-out-pmap

safety zone-pair zp-out-to source out-area destination in the area

type of service-strategy check out in pmap

safety zone-pair zp-in-out source in the area of destination outside the area

type of service-strategy inspect outside-pmap

source of zp-out-auto security area outside zone destination auto pair

type of service-strategy check out-self-pmap

!

crypto ISAKMP policy 1

BA 3des

preshared authentication

Group 2

ISAKMP crypto key iL9rY483fF address 172.24.92.103

!

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

tunnel mode

!

IPSEC_MAP 1 ipsec-isakmp crypto map

Tunnel Sandbox2 description

defined by peer 172.24.92.103

Set security-association second life 28800

game of transformation-ESP-3DES-SHA

PFS group2 Set

match address 150

!

the Embedded-Service-Engine0/0 interface

no ip address

Shutdown

!

interface GigabitEthernet0/0

WAN description

IP 172.24.92.18 255.255.255.0

NAT outside IP

No virtual-reassembly in ip

outside the area of security of Member's area

automatic duplex

automatic speed

No mop enabled

card crypto IPSEC_MAP

Crypto ipsec df - bit clear

!

interface GigabitEthernet0/1

LAN description

IP 192.168.100.1 address 255.255.255.0

IP nat inside

IP virtual-reassembly in

Security members in the box area

automatic duplex

automatic speed

!

IP forward-Protocol ND

!

IP http server

access-class 2 IP http

local IP http authentication

IP http secure server

!

IP nat inside source map route RMAP_4_PAT interface GigabitEthernet0/0 overload

IP route 0.0.0.0 0.0.0.0 172.24.92.254

!

AH_ACL extended IP access list

allow a whole ahp

ALLOW-VPN-TRAFFIC-OUT extended IP access list

IP 192.168.100.0 allow 0.0.0.255 192.168.1.0 0.0.0.255

ESP_ACL extended IP access list

allow an esp

TELNET_ACL extended IP access list

permit tcp any any eq telnet

!

allowed RMAP_4_PAT 1 route map

corresponds to the IP 108

!

1snmp2use RO SNMP-server community

access-list 108 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 108 allow ip 192.168.100.0 0.0.0.255 any

access-list 126 allow the ip 255.255.255.255 host everything

access-list 126 allow ip 127.0.0.0 0.255.255.255 everything

access-list 137 allow ip 172.24.92.0 0.0.0.255 any

access-list 150 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 154 allow ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255

!

control plan

!

Line con 0

exec-timeout 0 0

Synchronous recording

line to 0

line 2

no activation-character

No exec

preferred no transport

transport output pad rlogin lapb - your MOP v120 udptn ssh telnet

StopBits 1

line vty 0 4

access-class TELNET_ACL in

exec-timeout 0 0

Synchronous recording

transport of entry all

line vty 5 15

access-class TELNET_ACL in

exec-timeout 0 0

Synchronous recording

transport of entry all

!

Scheduler allocate 20000 1000

0.ca.pool.ntp.org server NTP prefer

1.ca.pool.ntp.org NTP server

!

end

NAT looks fine.

Please create an ACL with bidirecctional ACEs and add it as a group of access to the interface of penetration:

IP access-list extended 180

IP 192.168.100.0 allow 0.0.0.255 192.168.1.0 0.0.0.255 connect

ip permit 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255 connect

allow an ip

interface GigabitEthernet0/1

IP access-group 180 to

IP access-group out 180

Generer generate traffic, then run the command display 180 access lists .

Also, if possible activate debug ip icmp at the same time.

Share the results.

Thank you

Return VPN traffic flows do not on the tunnel

Hello.

I tried to find something on the internet for this problem, but am fails miserably. I guess I don't really understand how the cisco decides on the road.

In any case, I have a Cisco 837 which I use for internet access and to which I would like to be able to complete a VPN on. When I vpn (using vpnc in a Solaris box as it happens which is connected to the cisco ethernet interface), I can establish a VPN and when I ping a host on the inside, I see this package ping happen, however, the return package, the cisco 837 is trying to send via the public internet facing interface Dialer1 without encryption. I can't work for the life of me why.

(Also note: I can also establish a tunnel to the public internet, but again, I don't can not all traffic through the tunnel.) I guess I'm having the same problem, IE back of packages are not going where it should be, but I do know that for some, on the host being ping well, I can see the ping arriving packets and the host responds with a response to ICMP echo).

Here is the version of cisco:

version ADSL #show
Cisco IOS software, software C850 (C850-ADVSECURITYK9-M), Version 12.4 (15) T5, VERSION of the SOFTWARE (fc4)
Technical support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Updated Friday 1 May 08 02:07 by prod_rel_team

ROM: System Bootstrap, Version 12.3 (8r) YI4, VERSION of the SOFTWARE

ADSL availability is 1 day, 19 hours, 27 minutes
System to regain the power ROM
System restarted at 17:20:56 CEST Sunday, October 10, 2010
System image file is "flash: c850-advsecurityk9 - mz.124 - 15.T5.bin".

Cisco 857 (MPC8272) processor (revision 0 x 300) with 59392K / 6144K bytes of memory.
Card processor ID FCZ122391F5
MPC8272 CPU Rev: Part Number 0xC, mask number 0 x 10
4 interfaces FastEthernet
1 ATM interface
128 KB of non-volatile configuration memory.
20480 bytes K of on board flash system (Intel Strataflash) processor

Configuration register is 0 x 2102

And here is the cisco configuration (IP address, etc. changed of course):

Current configuration: 7782 bytes
!
! Last configuration change at 11:57:21 CEST Monday, October 11, 2010 by bautsche
! NVRAM config updated at 11:57:22 CEST Monday, October 11, 2010 by bautsche
!
version 12.4
no service button
tcp KeepAlive-component snap-in service
a tcp-KeepAlive-quick service
horodateurs service debug datetime localtime show-timezone msec
Log service timestamps datetime localtime show-timezone msec
encryption password service
sequence numbers service
!
hostname adsl
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret 5
!
AAA new-model
!
!
AAA authentication login local_authen local
AAA authentication login sdm_vpn_xauth_ml_1 local
AAA authorization exec local local_author
AAA authorization sdm_vpn_group_ml_1 LAN
!
!
AAA - the id of the joint session
clock timezone gmt 0
clock daylight saving time UTC recurring last Sun Mar 01:00 last Sun Oct 01:00
!
!
dot11 syslog
no ip source route
dhcp IP database dhcpinternal
No dhcp use connected vrf ip
DHCP excluded-address IP 10.10.7.1 10.10.7.99
DHCP excluded-address IP 10.10.7.151 10.10.7.255
!
IP dhcp pool dhcpinternal
import all
Network 10.10.7.0 255.255.255.0
router by default - 10.10.7.1
Server DNS 212.159.6.9 212.159.6.10 212.159.13.49 212.159.13.50
!
!
IP cef
property intellectual auth-proxy max-nodata-& 3
property intellectual admission max-nodata-& 3
no ip bootp Server
nfs1 host IP 10.10.140.207
name of the IP-server 212.159.11.150
name of the IP-server 212.159.13.150
!
!
!
username password cable 7
username password bautsche 7
vpnuser password username 7
!
!
crypto ISAKMP policy 1
BA 3des
md5 hash
preshared authentication
Group 2
!
crypto ISAKMP policy 2
BA aes 256
preshared authentication
Group 2
!
crypto ISAKMP policy 3
BA 3des
Prior authentication group part 2
the local address SDM_POOL_1 pool-crypto isakmp client configuration
!
ISAKMP crypto client configuration group groupname2
key
DNS 10.10.140.201 10.10.140.202
swangage.co.uk field
pool SDM_POOL_1
users of max - 3
netmask 255.255.255.0
!
ISAKMP crypto client configuration group groupname1
key
DNS 10.10.140.201 10.10.140.202
swangage.co.uk field
pool SDM_POOL_1
users of max - 3
netmask 255.255.255.0
ISAKMP crypto sdm-ike-profile-1 profile
groupname2 group identity match
client authentication list sdm_vpn_xauth_ml_1
ISAKMP authorization list sdm_vpn_group_ml_1
client configuration address respond
ISAKMP crypto profile sdm-ike-profile-2
groupname1 group identity match
ISAKMP authorization list sdm_vpn_group_ml_1
client configuration address respond
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set esp-3des esp-md5-hmac ESP_MD5_3DES
Crypto ipsec transform-set ESP-AES-256-SHA aes - esp esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
Set the security association idle time 3600
game of transformation-ESP-AES-256-SHA
market arriere-route
crypto dynamic-map SDM_DYNMAP_1 2
Set the security association idle time 3600
game of transformation-ESP-AES-256-SHA
market arriere-route
!
!
card crypto SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1 crypto
map SDM_CMAP_1 65535-isakmp dynamic SDM_DYNMAP_1 ipsec crypto
!
Crypto ctcp port 10000
Archives
The config log
hidekeys
!
!
synwait-time of tcp IP 10
!
!
!
Null0 interface
no ip unreachable
!
ATM0 interface
no ip address
no ip redirection
no ip unreachable
no ip proxy-arp
route IP cache flow
No atm ilmi-keepalive
PVC 0/38
aal5mux encapsulation ppp Dialer
Dialer pool-member 1
!
DSL-automatic operation mode
waiting-224 in
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
Description $FW_INSIDE$
10.10.7.1 IP address 255.255.255.0
IP access-group 121 to
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
IP virtual-reassembly
route IP cache flow
map SDM_CMAP_1 crypto
Hold-queue 100 on
!
interface Dialer1
Description $FW_OUTSIDE$
the negotiated IP address
IP access-group 121 to
no ip redirection
no ip unreachable
no ip proxy-arp
NAT outside IP
IP virtual-reassembly
encapsulation ppp
route IP cache flow
No cutting of the ip horizon
Dialer pool 1
Dialer idle-timeout 0
persistent Dialer
Dialer-Group 1
No cdp enable
Authentication callin PPP chap Protocol
PPP chap hostname
PPP chap password 7
map SDM_CMAP_1 crypto
!
local IP SDM_POOL_1 10.10.148.11 pool 10.10.148.20
IP local pool public_184 123.12.12.184
IP local pool public_186 123.12.12.186
IP local pool public_187 123.12.12.187
IP local pool internal_9 10.10.7.9
IP local pool internal_8 10.10.7.8
IP local pool internal_223 10.10.7.223
IP local pool internal_47 10.10.7.47
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 Dialer1
IP route 10.10.140.0 255.255.255.0 10.10.7.2
!
no ip address of the http server
no ip http secure server
IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
IP nat inside source static 10.10.7.9 123.12.12.184
IP nat inside source static tcp 10.10.7.8 22 123.12.12.185 22 Expandable
IP nat inside source static tcp 10.10.7.8 25 123.12.12.185 25 expandable
IP nat inside source static tcp 10.10.7.8 80 123.12.12.185 80 extensible
IP nat inside source static tcp 10.10.7.8 443 123.12.12.185 443 extensible
IP nat inside source static tcp 10.10.7.8 993 123.12.12.185 993 extensible
IP nat inside source static tcp 10.10.7.8 123.12.12.185 1587 1587 extensible
IP nat inside source static tcp 10.10.7.8 8443 123.12.12.185 8443 extensible
IP nat inside source static 10.10.7.223 123.12.12.186
IP nat inside source static 10.10.7.47 123.12.12.187
!
record 10.10.140.213
access-list 18 allow one
access-list 23 permit 10.10.140.0 0.0.0.255
access-list 23 permit 10.10.7.0 0.0.0.255
Access-list 100 category SDM_ACL = 2 Note
access-list 100 deny ip any 10.10.148.0 0.0.0.255
access ip-list 100 permit a whole
Note access-list 121 SDM_ACL category = 17
access-list 121 deny udp any eq netbios-dgm all
access-list 121 deny udp any eq netbios-ns everything
access-list 121 deny udp any eq netbios-ss all
access-list 121 tcp refuse any eq 137 everything
access-list 121 tcp refuse any eq 138 everything
access-list 121 tcp refuse any eq 139 all
access ip-list 121 allow a whole
access-list 125 permit tcp any any eq www
access-list 125 permit udp any eq isakmp everything
access-list 125 permit udp any any eq isakmp
access-list 194 deny udp any eq isakmp everything
access-list 194 deny udp any any eq isakmp
access-list 194 allow the host ip 123.12.12.184 all
IP access-list 194 allow any host 123.12.12.184
access-list 194 allow the host ip 10.10.7.9 all
IP access-list 194 allow any host 10.10.7.9
access-list 195 deny udp any eq isakmp everything
access-list 195 deny udp any any eq isakmp
access-list 195 allow the host ip 123.12.12.185 all
IP access-list 195 allow any host 123.12.12.185
access-list 195 allow the host ip 10.10.7.8 all
IP access-list 195 allow any host 10.10.7.8
not run cdp
public_185 allowed 10 route map
corresponds to the IP 195
!
public_184 allowed 10 route map
corresponds to the IP 194
!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 100
!
!
control plan
!
!
Line con 0
connection of authentication local_authen
no activation of the modem
preferred no transport
telnet output transport
StopBits 1
line to 0
connection of authentication local_authen
telnet output transport
StopBits 1
line vty 0 4
access-class 23 in
privilege level 15
authorization exec local_author
connection of authentication local_authen
length 0
preferred no transport
transport input telnet ssh
!
max-task-time 5000 Planner
Scheduler allocate 4000 1000
Scheduler interval 500
130.88.202.49 SNTP server
130.88.200.98 SNTP server
130.88.200.6 SNTP server
130.88.203.64 SNTP server
end

Any help would be appreciated.

Thank you very much.

Ciao,.

Eric

Hi Eric,.

(Sorry for the late reply - needed some holidays)

So I see that you have a few steps away now. I think that there are 2 things we can try:

1)

I guess you have provided that:

IP nat inside source overload map route SDM_RMAP_1 interface Dialer1

Since the routemap refers to ACL 100 to define the traffic to be translated, we can exclude traffic that initiates the router:

Access-list 100 category SDM_ACL = 2 Note

access-list 100 deny ip 123.12.12.185 host everything
access-list 100 deny ip any 10.10.148.0 0.0.0.255
access ip-list 100 permit a whole

Which should prevent the source udp 4500 to 1029 changing port

OR

2)

If you prefer to use a different ip address for VPN,

Then, you can use a loop like this:

loopback interface 0

123.12.12.187 the IP 255.255.255.255

No tap

map SDM_CMAP_1 crypto local-address loopback 0

I don't think you should apply card encryption to the loopback interface, but it's been a while since I have configured something like that, so if you have problems first try and if still does not get the crypto debugs new (isakmp + ipsec on the vpn, nat router on the router of the client package).

HTH

Herbert

3DES IPSEC, the tunnels on routers

Similar Questions

Maybe you are looking for