Any traffic sent through my IPsec tunnel

Similar Questions

• Cannot reach the destination of an IPSec tunnel through another IPSec tunnel

  Hi all

  I have a PIX 515E version 8.0 (2).

  I have two remote sites connected to this PIX via IPSec tunnels.

  Each remote site can reach local networks behind the PIX, but I can't reach remoteSiteB remoteSiteA.

  Thus,.

  SiteA <----- ipsec="" -----="">PIX1 SiteX <---------------->10.0.8.1 10.30.8.254

  SiteB <----- ipsec="" -----="">PIX1 SiteX <---------------->10.0.8.1 10.138.34.21

  SiteA can ping SiteX

  SiteB can ping SiteX

  SiteA cannot ping SiteB

  SiteB cannot ping SiteA

  If I do not show crypto isakmp ipsec his I see appropriate subnets:

  Tag crypto map: CRYPTO-MAP, seq num: 4, local addr: 203.166.1.1

  permit access-list ACLVPN-TO_SITEA ip 10.138.34.16 255.255.255.240 host 10.30.8.254

  local ident (addr, mask, prot, port): (10.138.34.16/255.255.255.240/0/0)

  Remote ident (addr, mask, prot, port): (10.30.8.254/255.255.255.255/0/0)

  current_peer: 104.86.2.4

  Tag crypto map: CRYPTO-MAP, seq num: 5, local addr: 203.166.1.1

  access-list ACLVPN-TO_SITEB allowed host ip 10.30.8.254 10.138.34.16 255.255.255.240

  local ident (addr, mask, prot, port): (10.30.8.254/255.255.255.255/0/0)

  Remote ident (addr, mask, prot, port): (10.138.34.16/255.255.255.240/0/0)

  current_peer: 216.178.200.200

  Journal messages that seem to point to the problem...

  April 18, 2013 13:27:35: % PIX-4-402116: IPSEC: received a package of ESP (SPI = 0xD51BB13A, sequence number = 0x21A) 104.86.2.4 (user = 104.86.2.4) at 203.166.1.1.  Inside the package décapsulés does not match policy negotiated in the SA.  The package indicates its destination as 10.138.34.21, its source as 10.30.8.254 and its Protocol 6.  SA specifies its local proxy like 10.0.8.0/255.255.255.0/0/0 and his remote_proxy as 10.30.8.254/255.255.255.255/0/0

  My question is really what I have to do something funky to allow traffic to pass between the two tunnels?

  Hello

  This could be much easier if we have seen the real configurations.

  But here are some things to be confirmed in the configurations (some of them you mentioned above, but I still quote once again)

  • Make sure that each firewall, you set the appropriate VPN L2L ACL
  • Make sure that you have configured NAT0 on the central PIX "outside" interface for the Site A and Site B
  • Make sure the Central PIX has "same-security-traffic permit intra-interface" configured. This will allow the Site traffic to enter the Central PIX 'outside' interface and head back on the same interface to Site B. And vice versa.

  To view some actual configurations that may be required provided everything else is ok. (I assume that all devices are Cisco)

  Central PIX

  permit same-security-traffic intra-interface

  A connection to the site

  SITE-A-CRYPTOMAP of the 10.0.8.0 ip access list allow 255.255.255.0 host 10.30.8.254

  SITE-A-CRYPTOMAP of the 10.138.34.16 ip access list allow 255.255.255.240 host 10.30.8.254

  Site B connection

  SITE-B-CRYPTOMAP of the 10.0.8.0 ip access list allow 255.255.255.0 10.138.34.16 255.255.255.240

  SITE-B-CRYPTOMAP to the list of allowed access host ip 10.30.8.254 10.138.34.16 255.255.255.240

  NAT0

  access list for the INTERIOR-NAT0 allowed ip 10.0.8.0 255.255.255.0 host 10.30.8.254

  access list for the INTERIOR-NAT0 allowed ip 10.0.8.0 255.255.255.0 10.138.34.16 255.255.255.240

  NAT (inside) 0-list of access to the INTERIOR-NAT0

  OUTSIDE-NAT0 allowed host ip 10.30.8.254 access list 10.138.34.16 255.255.255.240

  OUTSIDE-NAT0 allowed ip 10.138.34.16 access list 255.255.255.240 host 10.30.8.254

  NAT (outside) 0-list of access OUTSIDE-NAT0

  Site has

  CENTRAL-SITE-CRYPTOMAP to the list of allowed access host ip 10.30.8.254 10.0.8.0 255.255.255.0

  CENTRAL-SITE-CRYPTOMAP to the list of allowed access host ip 10.30.8.254 10.138.34.16 255.255.255.240

  the INTERIOR-NAT0 allowed host ip 10.30.8.254 access list 10.0.8.0 255.255.255.0

  the INTERIOR-NAT0 allowed host ip 10.30.8.254 access list 10.138.34.16 255.255.255.240

  NAT (inside) 0-list of access to the INTERIOR-NAT0

  Site B

  CENTRAL-SITE-CRYPTOMAP of the 10.138.34.16 ip access list allow 255.255.255.240 10.0.8.0 255.255.255.0

  CENTRAL-SITE-CRYPTOMAP of the 10.138.34.16 ip access list allow 255.255.255.240 host 10.30.8.254

  the INTERIOR-NAT0 allowed host ip 10.138.34.16 access list 255.255.255.240 10.0.8.0 255.255.255.0

  the INTERIOR-NAT0 allowed host ip 10.138.34.16 access list 255.255.255.240 host 10.30.8.254

  NAT (inside) 0-list of access to the INTERIOR-NAT0

  Hope this helps

  -Jouni

• RV180 dhcp via IPSEC Tunnel

  Hello

  I have set up an ipsec tunnel between rv180 (site A) and asa5520 (site B) successful. The dhcp server to clients is on the B site. The dhcp clients request going through the tunnel, they leave the rv180 on the wan interface and arrive at site B with the wan-ipaddress from site A. The configured dhcp-relay on the website match the remote network (site B), configured in the on site A ipsec tunnel. Is there anyway that all traffic pass through the ipsec tunnel? We want it for security reasons.

  Any help is greatly appreciated.

  Ralf

  Dear Ralf,

  Thank you to reach small business support community.

  Unfortunately the relay DHCP Relay not of DHCP request to the IPSec VPN tunnel.  I hope that this answer to your question and do not hesitate to contact me if there is any additional help with what I can help you.

  Kind regards

  Jeffrey Rodriguez S... : | :. : | :.
  Support Engineer Cisco client

  * Please rate the Post so other will know when an answer has been found.

• IPSec tunnel and NetFlow packets

  I have a router 1841 IPSec running with an ASA. F0/0 is the source interface. I also set up NetFlow, which must be sent through the IPSec tunnel to the parser. The acl setting the IPSec interesting traffic covers addresses, source and destination of NetFlow. But NetFlow Traffic is not captured by the tunnel. When I ping the destination router, icmp traffic is picked up and goes through the tunnel. Are there ways to force NetFlow traffic to go to the tunnel?

  Thank you.

  Y at - it a route to the destination address of netflow? I have noted problems with traffic heading towards a destination that was not in the routing table is not made down a VPN.

• Traffic is failed on plain IPSec tunnel between two 892 s

  Have a weird case and you are looking for some suggestions/thougs where to dig because I have exhausted the options.

  Note: I replaced the Networkid real to a mentined below.

  Topology: a classic IPSec VPN tunnel between two 892 s of Cisco, with pre-shared key and no GRE. A 892 (branch_892) has access to the Internet using PPPoE and has three network / VLAN behind it. A VLAN is coordinated to the PPPoE internet access. Access to the other two VLAN - VL92 (100.100.200.0/24) and VL93 (100.100.100.0/24) is performed via the VPN tunnel.

  Second 892 (892_DC) has just one interface - WAN on Gigabit enabled/connected and a static route to the default GW. It doesn't have any defined interal network. If the router is strictly used to send traffic to VL92/VL93 to the domestic 892 via IPSec tunnel.

  Here's the problem: access to VL93 (100.100.100.0/24) works, however for VL92 (100.100.100.0/24) - does not work.

  Devices in VL92 I ping IP address of 892_DC through the VPN tunnel. The 892_DC router I can ping devices in VL92. However, I can't VL92 ping any device beyond the 892_DC and at the same time the packets arriving on 892_DC for VL92 are not sent through the VPN tunnel.

  I took the package trace on 892_DC using capture point/buffer to nathalie caron to VL92 packages and saw that the traffic coming to the 892_DC. I run the nathalie caron even on Branch_892, and there was not a single package.

  So... What's the problem? More interesting, I modified the way left on VL92 access list and still - no packets are sent through the tunnel.

  Any idea? Two routers config are below

  -------

  892_DC #show ru

  !

  crypto ISAKMP policy 10

  BA aes 256

  hash sha256

  preshared authentication

  Group 2

  isakmp encryption key * address 1.2.3.4

  ISAKMP crypto keepalive 10 periodicals

  !

  address of 1.2.3.4 crypto isakmp peers

  Description of-COIL-892

  !

  !

  Crypto ipsec transform-set IT-IPSec-Transform-Set esp - aes 256 sha256-esp-hmac

  Crypto ipsec df - bit clear

  !

  map IT ipsec - IPSec crypto - Crypto - map 10-isakmp

  defined peer 1.2.3.4

  disable the kilobytes of life together - the security association

  86400 seconds, life of security association set

  the transform-set IT-IPSec-Transform-Set value

  match a lists 101

  market arriere-route

  QoS before filing

  !

  interface GigabitEthernet0

  IP 10,20,30,40 255.255.255.240

  IP 1400 MTU

  IP tcp adjust-mss 1360

  automatic duplex

  automatic speed

  card crypto IT-IPSec-Crypto-map

  !

  IP route 0.0.0.0 0.0.0.0 10.20.30.41

  !

  access list 101 ip allow any 100.100.100.0 0.0.0.255 connect

  access list 101 ip allow any 100.100.200.0 0.0.0.255 connect

  -------------------------------------------------------------------------------------

  Branch_892 #sh run

  !

  crypto ISAKMP policy 10

  BA aes 256

  hash sha256

  preshared authentication

  Group 2

  isakmp encryption key * address 10,20,30,40

  ISAKMP crypto keepalive 10 periodicals

  !

  address peer isakmp crypto 10,20,30,40

  !

  !

  Crypto ipsec transform-set IT-IPSec-Transform-Set esp - aes 256 sha256-esp-hmac

  Crypto ipsec df - bit clear

  !

  map IT ipsec - IPSec crypto - Crypto - map 10-isakmp

  defined peer 10,20,30,40

  disable the kilobytes of life together - the security association

  86400 seconds, life of security association set

  the transform-set IT-IPSec-Transform-Set value

  match address 101

  market arriere-route

  QoS before filing

  !

  FastEthernet6 interface

  Description VL92

  switchport access vlan 92

  !

  interface FastEthernet7

  Description VL93

  switchport access vlan 93

  !

  interface GigabitEthernet0

  Description # to WAN #.

  no ip address

  automatic duplex

  automatic speed

  PPPoE-client dial-pool-number 1

  !

  interface Vlan1

  Description # local to #.

  IP 192.168.1.254 255.255.255.0

  IP nat inside

  IP virtual-reassembly in

  !

  interface Vlan92

  Description fa6-nexus e100/0/40

  IP 100.100.200.1 255.255.255.0

  !

  interface Vlan93

  Description fa7-nexus e100/0/38

  IP 100.100.100.1 255.255.255.0

  !

  interface Dialer0

  no ip address

  No cdp enable

  !

  interface Dialer1

  IP 1.2.3.4 255.255.255.248

  IP mtu 1454

  NAT outside IP

  IP virtual-reassembly in max-pumping 256

  encapsulation ppp

  IP tcp adjust-mss 1414

  Dialer pool 1

  Dialer-Group 1

  Authentication callin PPP chap Protocol

  PPP chap hostname ~ ~ ~

  PPP chap password =.

  No cdp enable

  card crypto IT-IPSec-Crypto-map

  !

  Dialer-list 1 ip protocol allow

  !

  access-list 101 permit ip 100.100.100.0 0.0.0.255 any

  access-list 101 permit ip 100.100.200.0 0.0.0.255 any

  !

  IP route 0.0.0.0 0.0.0.0 Dialer1

  Yes correct sounds - so another possible problem is the routing is routing 100% correct on both sides? Can you put the two sides config for review?

• Cisco's ASA IPsec tunnel disconnects after a while

  Hi all

  I've set up an IPsec tunnel between sonicwall pro road and cisco ASA 5510. The well established tunnel and two subnets can access each other.

  I then added a static route to a public ip address on the sonicwall ipsec policy, so that all traffic to this ip address will go through the IPsec tunnel. It also works very well.

  But the problem is aftre tunnel Ipsec sometimes breaks down, and then I need to renegotiate the ipsec on sonicwall to restore the tunnel.

  This happens twice a day. I'm whther fear that this behavior is because of problems with config. I'm pasting my ASA running Setup here. Plese give some advice.

  SonicWALL publicip 1.1.1.2 192.168.10.0 subnet

  Cisco ASA publicip 1.1.1.1 subnet 192.168.5.0

  ciscoasa # sh run
  : Saved
  :
  ASA Version 8.2 (1)
  !
  ciscoasa hostname
  domain default.domain.invalid
  activate 8Ry2YjIyt7RRXU24 encrypted password
  2KFQnbNIdI.2KYOU encrypted passwd
  names of
  !
  interface Ethernet0/0
  Speed 100
  full duplex
  nameif outside
  security-level 0
  IP 1.1.1.1 255.255.255.248
  !
  interface Ethernet0/1
  nameif inside
  security-level 100
  192.168.5.1 IP address 255.255.255.0
  !
  interface Ethernet0/2
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Ethernet0/3
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Management0/0
  nameif management
  security-level 100
  IP 192.168.1.1 255.255.255.0
  management only
  !
  passive FTP mode
  DNS domain-lookup outside
  DNS lookup field inside
  DNS server-group DefaultDNS
  Server name 66.28.0.45
  Server name 66.28.0.61
  domain default.domain.invalid
  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  object-group service rdp tcp
  EQ port 3389 object
  object-group service tcp OpenVPN
  port-object eq 1194
  access list outside extended permit icmp any any echo response
  access list outside extended permit tcp any host # eq pptp
  outside allowed extended access will list any host #.
  list of extended outside access permit udp any any eq 1701
  extended outdoor access allowed icmp a whole list
  access list outside extended permit tcp any host # eq ftp
  access list outside extended permit tcp any host # eq ssh
  list of extended outside access permit tcp any host # object - group rdp
  turn off journal
  access list outside extended permit tcp any host 1.1.1.1 object - group Open
  VPN
  access-list sheep extended ip 192.168.5.0 allow 255.255.255.0 192.168.5.0 255
  . 255.255.0
  access-list sheep extended ip 192.168.5.0 allow 255.255.255.0 192.168.10.0 255
  . 255.255.0
  L2L 192.168.5.0 ip extended access-list allow 255.255.255.0 192.168.10.0 255.2
  55.255.0
  pager lines 24
  Enable logging
  asdm of logging of information
  Outside 1500 MTU
  Within 1500 MTU
  management of MTU 1500
  IP local pool ippool 192.168.5.131 - 192.168.5.151 mask 255.255.255.0
  IP local pool l2tppool 192.168.5.155 - 192.168.5.200 mask 255.255.255.0
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 621.bin
  don't allow no asdm history
  ARP timeout 14400
  Global 1 interface (outside)
  NAT (outside) 1 192.168.10.0 255.255.255.0
  NAT (outside) 1 192.168.5.0 255.255.255.0
  NAT (inside) 0 access-list sheep
  NAT (inside) 1 192.168.5.0 255.255.255.0
  outside access-group in external interface
  Route outside 0.0.0.0 0.0.0.0 38.106.51.121 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  the ssh LOCAL console AAA authentication
  AAA authentication LOCAL telnet console
  Enable http server
  http 192.168.1.0 255.255.255.0 management
  http 192.168.5.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  Crypto-map dynamic dynmap 5 the value reverse-road
  Crypto easyvpn dynamic-map 10 transform-set RIGHT
  Crypto-map dynamic easyvpn 10 reverse-drive value
  card crypto mymap 10 correspondence address l2l
  card crypto mymap 10 set peer 1.1.1.2
  card crypto mymap 10 transform-set RIGHT
  map mymap 30000-isakmp ipsec crypto dynamic easyvpn
  mymap outside crypto map interface
  crypto isakmp identity address
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  md5 hash
  Group 2
  life 86400
  crypto ISAKMP policy 20
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP policy 65535
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Crypto isakmp nat-traversal 3600
  Telnet 192.168.5.0 255.255.255.0 inside
  Telnet timeout 5
  SSH 0.0.0.0 0.0.0.0 outdoors
  SSH timeout 5
  Console timeout 0
  Hello to tunnel L2TP 10
  management of 192.168.1.2 - dhcpd address 192.168.1.254
  enable dhcpd management
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN
  internal DefaultRAGroup group strategy
  attributes of Group Policy DefaultRAGroup
  value of 66.28.0.45 DNS server 66.28.0.61
  Protocol-tunnel-VPN IPSec l2tp ipsec
  field default value cisco.com
  attributes of Group Policy DfltGrpPolicy
  internal band easyvpn strategy
  attributes of the strategy of band easyvpn
  value of 66.28.0.45 DNS server 66.28.0.61
  Protocol-tunnel-VPN IPSec
  enable IPSec-udp
  Split-tunnel-policy tunnelall
  the address value ippool pools
  VPN-group-policy DefaultRAGroup
  attributes global-tunnel-group DefaultRAGroup
  address l2tppool pool
  Group Policy - by default-DefaultRAGroup
  IPSec-attributes tunnel-group DefaultRAGroup
  pre-shared-key *.
  tunnel-group DefaultRAGroup ppp-attributes
  No chap authentication
  ms-chap-v2 authentication
  tunnel-group 1.1.1.2 type ipsec-l2l
  1.1.1.2 tunnel-group ipsec-attributes
  pre-shared-key *.
  tunnel-group easyvpn type remote access
  tunnel-group easyvpn General attributes
  Group Policy - by default-easyvpn
  easyvpn group tunnel ipsec-attributes
  pre-shared-key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the netbios
  inspect the tftp
  inspect the pptp
  !
  global service-policy global_policy
  context of prompt hostname
  Cryptochecksum:5542615c178d2803f764c9b8f104732b
  : end

  I guess you have typo in the configuration of the ASA?

  L2L 192.168.5.0 ip extended access-list allow 255.255.255.0 192.168.10.0 255.255.255.0
  list access extended extended permitted host ip voip pubic ip 192.168.10.0 255.255.255.0

  Can you confirm that you have configured instead the following:

  access-list l2l extended permitted host ip voip pubic ip 192.168.10.0 255.255.255.0

  Moreover, even if the crypto map tag says easyvpn; peer address is correct to point 1.1.1.2

  In addition, don't know why you have the following configuration (but if it is not necessary I suggest to be removed and 'clear xlate' after the withdrawal):

  NAT (outside) 1 192.168.10.0 255.255.255.0

  Finally, pls turn off keepalive to SonicWall.

  If the foregoing still don't resolve the issue, can you try to remove the card dynamic encryption of the ASA (no map mymap 30000-isakmp ipsec crypto dynamic easyvpn), release the tunnel and try to open the tunnel between the ASA and SonicWall and take the exit of "show the isa cry his ' and ' show cry ipsec his» I'm curious to see why he is always referred to the easyvpn crypto map. When you remove the dynamic encryption card, dynamic vpn lan-to-lan of remote access client does not work.

• ASA5505 - connection reset when you try to SSH IPSEC tunnel

  Hello

  VPN IPSEC just bought myself an ASA5505 to replace a PIX 501 and having been transferred to the bulk of the previous configuration, I managed to get the two tunnels to work as before.

  Unfortunately when I try and SSH for the SAA the right connection restores instantly even when the tunnel is up. It seems as if the ASA actively refuses the connection, if the journal does not specify this. I had always assumed that the traffic on an established IPSEC tunnel has been implicitly trust and not subject to the usual rules of access list.

  I can't SSH to the ASA in the 10.0.0.x range, but I can't SSH to a machine on 10.27.0.4 (I know the tunnel is up and working)

  Reference attached config (less sensitive information not relevant).

  Also - although I'm not sure of the relevance is given the tunnels seem to work - when I get the line "meepnet-map outside crypto map interface" in the reports of the ASA configuration mode "warning: the crypto map entry is incomplete!" even though I provided the access list, peers, and transform-set variables.

  Any help gratefully received! :)

  Thank you

  DAZ

  Hello Darren,

  Please mark as answer, if your querry is resolved. Enjoy your time!

  Kind regards

  Ankur Thukral

  Community Manager - security & VPN

• Test on IPSEC Tunnel MTU size

  How can I test the MTU size, through an IPSEC tunnel to an ASA 5520 to an ASA 5510? I have fears that problems with my equipment are due to the insufficient MTU size.

  You can use extended ping to see the size of the package you can send through the tunnel with little DF

  game do not fragment. for ex: -.

  If you have two windows machines, one on each side of the vpn with ip add 10.2.2.10 and 10.3.3.10.

  Ping 10.2.2.10 to help: -.

  Ping 10.3.3.10

  success of the response

  Ping 10.3.3.10-l 1500 f {where-l 1500 sets the MTU to 1500 and f said do not fragment}

  package has need to be fragmented but df set

  package has need to be fragmented but df set

  Ping 10.3.3.10-l 1300 f

  the fragmentation of packets needs but df set

  Ping 10.3.3.10 l - 1270 f

  success of the response

  success of the response

  Thank you

  Manish

• GRE over IPSec tunnel cannot pass traffic through it

  I am trying to configure a GRE over IPSec tunnel between sites, we use the router cisco 7613 SUP720 (IOS: s72033-advipservicesk9_wan - mz.122 - 18.SXF15a.bin) and 3845 router (IOS:c3845 - advsecurityk9 - mz.124 - 25c.bin), we are facing problems when we use the tunnel because traffic is not passing through it. the configuration was working when we were using two routers cisco 3845 (IOS:c3845 - advsecurityk9 - mz.124 - 25c.bin), but for some reason, it doesn't work anymore when I paste the configuration on the new 7613 router.

  Head office

  crypto ISAKMP policy 10
  BA aes
  preshared authentication
  Group 5
  ISAKMP crypto key T3ST001 address 0.0.0.0 0.0.0.0
  !
  !
  Crypto ipsec transform-set IPSec_PLC aes - esp esp-sha-hmac
  transport mode
  !
  map PLC - CUM 10 ipsec-isakmp crypto
  defined by peer 167.134.216.89
  game of transformation-IPSec_PLC
  match address 100
  !
  !
  !
  Tunnel1 interface
  bandwidth 1984
  IP 167.134.216.94 255.255.255.252
  Mtu 1476 IP
  load-interval 30
  source of tunnel Serial0/1/0:0
  tunnel destination 167.134.216.89

  interface Serial0/1/0:0
  IP 167.134.216.90 255.255.255.252
  card crypto PLC - CUM

  access-list 100 permit gre 167.134.216.90 host 167.134.216.8

  Router eigrp 100
  network 167.134.216.92 0.0.0.3

  Directorate-General of the

  crypto ISAKMP policy 10
  BA aes
  preshared authentication
  Group 5
  ISAKMP crypto key T3ST001 address 0.0.0.0 0.0.0.0
  !
  !
  Crypto ipsec transform-set IPSec_PLC aes - esp esp-sha-hmac
  transport mode
  !
  map PLC - CUM 10 ipsec-isakmp crypto
  defined by peer 167.134.216.90
  game of transformation-IPSec_PLC
  match address 100

  Tunnel1 interface
  bandwidth 1984
  IP 167.134.216.93 255.255.255.252
  Mtu 1476 IP
  load-interval 30
  source of tunnel Serial1/0/0:1
  tunnel destination 167.134.216.90

  interface Serial1/0/0:1
  bandwidth 1984
  IP 167.134.216.89 255.255.255.252
  IP access-group 101 in
  load-interval 30
  no fair queue
  card crypto PLC - CUM

  access-list 100 permit gre 167.134.216.89 host 167.134.216.90

  ER-7600 #sh crypto isakmp his
  conn-id State DST CBC slot
  167.134.216.89 167.134.216.90 QM_IDLE 3 0

  ER-3845 #sh crypto isakmp his
  status of DST CBC State conn-id slot
  167.134.216.89 167.134.216.90 QM_IDLE 3 0 ACTIVE

  ER-3845 #sh active cryptographic engine connections

  Algorithm of address State IP Interface ID encrypt decrypt
  3 Serial0/1/0: 167.134.216.90 0 HMAC_SHA + AES_CBC 0 0 value
  3001 Serial0/1/0: 167.134.216.90 0 set AES + SHA 0 0
  3002 Serial0/1/0: 167.134.216.90 0 set AES + SHA 61 0

  ER-7600 #sh active cryptographic engine connections

  Algorithm of address State IP Interface ID encrypt decrypt
  3 Serial1/0/0:1 167.134.216.89 set HMAC_SHA + AES_CBC 0 0
  2000 Serial1/0/0:1 167.134.216.89 set HMAC_SHA + 0 66 AES_CBC
  2001 Serial1/0/0:1 167.134.216.89 set HMAC_SHA + AES_CBC 0 0

  I had this error on the er-3845: % CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd package not an IPSEC packet and this one on the IPSEC (epa_des_crypt) UH-7600: decrypted packet has no control of his identity

  Please help, it's so frustrating...

  Thanks in advance

  Oscar

  Here is a document from cisco, mentioning clearly for a card encryption on the two physical as tunnel interface well.

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008009438e.shtml

  It may be useful

  Manish

• Routing access to Internet through an IPSec VPN Tunnel

  Hello

  I installed a VPN IPSec tunnel for a friend's business. At his desk at home, I installed a Cisco SA520 and at it is remote from the site I have a Cisco RVS4000. The IPSec VPN tunnel works very well. The remote site, it can hit all of its workstations and peripheral. I configured the RVS4000 working in router mode as opposed to the bridge. In the Home Office subnet is 192.168.1.0/24 while the subnet to the remote site is 192.168.2.0/24. The SA520 is configured as Internet gateway for the headquarters to 192.168.1.1. The remote desktop has a gateway 192.168.2.1.

  I need to configure the remote site so that all Internet traffic will be routed via the Home Office. I have to make sure that whatever it is plugged into the Ethernet on the RVS4000 port will have its Internet traffic routed through the Internet connection on the SA520. Currently I can ping any device on the headquarters of the remote desktop, but I can't ping anything beyond the gateway (192.168.1.1) in the Home Office.

  Any help would be greatly appreciated.

  Thank you.

  Hi William, the rvs4000 does not support the tunnel or esp transfer wild-card.

• Unable to Ping hosts through IPSec Tunnel

  I have a configuration of lab home with a PIX 515 running code 8.03.  I've made several changes over the last week and now when I finish a VPN connection to the external interface, I'm unable to hit all internal resources.  My VPN connection comes from a 10.22.254.0/24 trying to knock the internal nodes to 10.22.1.0/24, see below.  When I finish a VPN connection with the inside interface works, so I guess that I'm dealing with a NAT problem?   I have not idea why Phase 9 is a failure:-------.  Any help would be great!

  -------

  IP 10.22.254.0 allow Access-list extended sheep 255.255.255.0 10.22.1.0 255.255.255.0

  NAT (inside) 0 access-list sheep

  -------

  Global 1 interface (outside)

  -------

  access-list extended split allow ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0

  -------

  Packet-trace entry inside tcp 10.22.1.15 1025 10.22.254.15 3389 detailed

  Phase: 1

  Type: FLOW-SEARCH

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Not found no corresponding stream, creating a new stream

  Phase: 2

  Type:-ROUTE SEARCH

  Subtype: entry

  Result: ALLOW

  Config:

  Additional information:

  in 0.0.0.0 0.0.0.0 outdoors

  Phase: 3

  Type: IP-OPTIONS

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0x2bb3450, priority = 0, sector = option-ip-enabled, deny = true

  hits = 17005, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  DST ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  Phase: 4

  Type: VPN

  Subtype: ipsec-tunnel-flow

  Result: ALLOW

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0x304ae48, priority = 12, area = ipsec-tunnel-flow, deny = true

  hits = 17005, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol

  SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  DST ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  Phase: 5

  Type: NAT-FREE

  Subtype:

  Result: ALLOW

  Config:

  NAT (inside) 0 access-list sheep

  NAT-control

  is the intellectual property inside 10.22.1.0 outside 10.22.254.0 255.255.255.0 255.255.255.0

  Exempt from NAT

  translate_hits = 6, untranslate_hits = 5

  Additional information:

  Direct flow from returns search rule:

  ID = 0x2be2a00, priority = 6, free = area of nat, deny = false

  Hits = 5, user_data is 0x2be2960, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol

  SRC ip = 10.22.1.0, mask is 255.255.255.0, port = 0

  DST ip = 10.22.254.0, mask is 255.255.255.0, port = 0

  Phase: 6

  Type: NAT

  Subtype: host-limits

  Result: ALLOW

  Config:

  static (inside, DMZ) 10.22.1.0 10.22.1.0 netmask 255.255.255.0

  NAT-control

  is the intellectual property inside 10.22.1.0 255.255.255.0 DMZ all

  static translation at 10.22.1.0

  translate_hits = 10, untranslate_hits = 0

  Additional information:

  Direct flow from returns search rule:

  ID = 0x2d52800, priority = 5, area = host, deny = false

  hits = 21654, user_data = 0x2d51dc8, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  SRC ip = 10.22.1.0, mask is 255.255.255.0, port = 0

  DST ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  Phase: 7

  Type: NAT

  Subtype:

  Result: ALLOW

  Config:

  NAT (inside) 1 0.0.0.0 0.0.0.0

  NAT-control

  is the intellectual property inside everything outside of any

  dynamic translation of hen 1 (192.168.20.20 [Interface PAT])

  translate_hits = 2909, untranslate_hits = 9

  Additional information:

  Direct flow from returns search rule:

  ID = 0x2d4a7d0, priority = 1, sector = nat, deny = false

  hits = 16973, user_data = 0x2d4a730, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol

  SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  DST ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  Phase: 8

  Type: VPN

  Subtype: encrypt

  Result: ALLOW

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0 x 3328000, priority = 70, domain = encrypt, deny = false

  hits = 0, user_data is 0x1efa0cc, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  SRC ip = 10.22.1.0, mask is 255.255.255.0, port = 0

  DST ip = 10.0.0.0, mask is 255.0.0.0, port = 0

  Phase: 9

  Type: ACCESS-LIST

  Subtype: ipsec-user

  Result: DECLINE

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0x3329a48, priority = 69, domain = ipsec - user, deny = true

  Hits = 37, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol

  SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  DST ip = 10.0.0.0, mask is 255.0.0.0, port = 0

  Result:

  input interface: inside

  entry status: to the top

  entry-line-status: to the top

  output interface: outside

  the status of the output: to the top

  output-line-status: to the top

  Action: drop

  Drop-reason: flow (acl-drop) is denied by the configured rule

  No, the sheep ACL requires that defining the internal network traffic to the

  Pool VPN.  You must remove the other entries.

  Delete:

  allowed to Access-list sheep line 8 extended ip 10.22.254.0 255.255.255.0 DM_INLINE_NETWORK_18 object-group
  allowed to Access-list sheep line 8 extended ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0

• Tunnel traffic inside IPSEC tunnel

  Hello world

  Site has a Site B through ASA IP Sec Tunnel.

  Now turn on Site a GRE tunnel and the tunnel destination is happening inside the IPSEC tunnel.

  In other words, IPSEC tunnel between 2 sites also leads the GRE Tunnel traffic.

  Who's in charge, I can run on ASA whether IPSEC is transport traffic of the GRE tunnel or

  Which line in config ASA will tell me that this IPSEC also conducts traffic GRE tunnel?

  Thank you

  MAhesh

  Hello

  I think that you will probably see GRE in the ASA connection table when the connection is in use.

  You can try the command

  Show conn | Volition Inc.

  And see if this produceses matter what exit.

  Can you possibly provide "interface Tunnelx" configurations and if its using other interfaces such as 'tunnel source' and 'destination tunnel' then their configurations also.

  -Jouni

• force the IPSec tunnel to stay in place even if no traffic

  Hello

  We had exactly the same problem, as already described here;

  https://supportforums.Cisco.com/discussion/11666661/can-we-automatically...

  We actually run ASA 9.1 and the remote peer is a Fortigate. There is a new feature that has been introduced since the post on the forum above or fact creating an sla is the only way to follow IPsec tunnel.

  Concerning

  Nothing new was built in the SAA to take account of this requirement.

  I also had good results a script running on an internal host to send a "tcp" ping to a remote host, thus making sure traffic interesting was often enough to maintain the tunnel.

• EIGRP plain IPsec tunnel?

  Hi all

  I was always under the impression that plain IPsec pass through the tunnel unicast IP traffic.

  When I need pass non-unicast or non - IP traffic, I created an IPsec with GRE or VTI.

  But I am currently on the customer site where all EIGRP routes are exchanged between sites that communicate through a single tunnel ordinary IPsec.

  I have added/changed/deleted routes on both sides, and the changes are reflected on the routing of the other table.

  The neighbors are not statically configured on the router, configuring EIGRP is simply 'no Auto-resume', then 'network 172.16.0.0'

  My question is...

  How is it all EIGRP traffic is going through the tunnel without any problem?

  Both are 2811 s 12.4 (18) running

  Thanks for any help!

  Federico.

  Federico

  Indeed, I believe that this is the case. It is quite clear according to the additional information that you have posted that these two routers are connected directly (in this case connected via FastEthernet) and connection interfaces running EIGRP, so that the EIGRP Hellos are sent the FastEthernet interfaces. The access list has failed for EIGRP, so there is no effort to encrypt the Hellos and they are sent in the clear. If routers become neighbors and EIGRP updates are sent through the FastEthernet interfaces. Data destinations that are learned traffic is sent on the FastEthernet interfaces, and when data traffic matches access list it is encrypted by IPSec.

  HTH

  Rick

• DROP in flow of the IPSec tunnel

  Hello

  I am trying to use a VPN, who worked on one connection ASA months on ASA9.1 (2). I've updated to ASA9.1 11 (6) and it has stopped working.

  This is the remote ASA5505s making an IPSEC connection-a network head 5520. I can ride preceding and following 2 and 11 9.1 9.1 (6) and while the configuration does not change, the VPN starts working on 9.1 2

  Vpn connects, but there is no packets sent or received...

  I get this packet tracer...

  Output of the command: "packet - trace entry tcp teeessyou 192.168.190.2 5000 192.168.195.1 detail 80.

  Phase: 1
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit rule
  Additional information:
  Direct flow from returns search rule:
  ID = 0xae1308e8, priority = 1, domain = allowed, deny = false
  hits = 622, user_data = 0 x 0, cs_id = 0 x 0, l3_type = 0 x 8
  Mac SRC = 0000.0000.0000, mask is 0000.0000.0000
  DST = 0000.0000.0000 Mac, mask is 0100.0000.0000
  input_ifc = teeessyou, output_ifc = any

  Phase: 2
  Type: UN - NAT
  Subtype: static
  Result: ALLOW
  Config:
  NAT (teeessyou, outside) static source all all static destination teeessyou_ENCODERS teeessyou_ENCODERS
  Additional information:
  NAT divert on exit to the outside interface
  Untranslate 192.168.195.1/80 to 192.168.195.1/80

  Phase: 3
  Type: ACCESS-LIST
  Subtype: Journal
  Result: ALLOW
  Config:
  Access-group teeessyou_access_in in the teeessyou interface
  teeessyou_access_in of access allowed any ip an extended list
  Additional information:
  Direct flow from returns search rule:
  ID = 0xae24d310, priority = 13, area = allowed, deny = false
  hits = 622, user_data is 0xab6b23c0, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = teeessyou, output_ifc = any

  Phase: 4
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  NAT (teeessyou, outside) static source all all static destination teeessyou_ENCODERS teeessyou_ENCODERS
  Additional information:
  Definition of static 192.168.190.2/5000 to 192.168.190.2/5000
  Direct flow from returns search rule:
  ID = 0xae1ea5a8, priority = 6, area = nat, deny = false
  hits = 622, user_data is 0xae1e9c58, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=192.168.192.0 DST, mask is 255.255.224.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = teeessyou, output_ifc = external

  Phase: 5
  Type: NAT
  Subtype: volatile
  Result: ALLOW
  Config:
  Additional information:
  Direct flow from returns search rule:
  ID = 0xa9678858, priority = 1, domain = nat-volatile, deny = true
  hits = 105, user_data = 0 x 0, cs_id = 0 x 0, reverse, use_real_addr, flags = 0 x 0, Protocol = 6
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = none, output_ifc = any

  Phase: 6
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:
  Direct flow from returns search rule:
  ID = 0xae136910, priority = 0, sector = inspect-ip-options, deny = true
  hits = 622, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = teeessyou, output_ifc = any

  Phase: 7
  Type: VPN
  Subtype: encrypt
  Result: ALLOW
  Config:
  Additional information:
  Direct flow from returns search rule:
  ID = 0xaeec4328, priority = 70, domain = encrypt, deny = false
  hits = 65, user_data is 0xb7dc, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=192.168.195.0 DST, mask is 255.255.255.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = none, output_ifc = external

  Phase: 8
  Type: NAT
  Subtype: rpf check
  Result: ALLOW
  Config:
  NAT (teeessyou, outside) static source all all static destination teeessyou_ENCODERS teeessyou_ENCODERS
  Additional information:
  Direct flow from returns search rule:
  ID = 0xae1eae48, priority = 6, area = nat-reversed, deny = false
  hits = 129, user_data is 0xae1e9d10, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=192.168.192.0 DST, mask is 255.255.224.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = teeessyou, output_ifc = external

  Phase: 9
  Type: VPN
  Subtype: ipsec-tunnel-flow
  Result: DECLINE
  Config:
  Additional information:
  Reverse flow from returns search rule:
  ID = 0xaea9f6b0, priority = 69 = ipsec-tunnel-flow area, deny = false
  hits = 129, user_data = 0 x 0, cs_id = 0xaea999c0, reverse, flags = 0 x 0 = 0 protocol
  IP/ID=192.168.192.0 SRC, mask = 255.255.224.0, port = 0, = 0 tag
  IP/ID=192.168.190.0 DST, mask is 255.255.255.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = out, output_ifc = any

  Hello Spencerallsop,

  I recommend to add the keyword "no-proxy-arp" the end of the NAT statement, so the ASA try to answer queries ARP for the traffic(VPN interesting traffic), also this last phase 9 usually shows ignored due to a filter VPN defined in sometimes group policy, make sure you have not a filter VPN in a group policy that affect this tunnel then you will need to do the following:

  1. remove the NAT statement:

  -no nat (teeessyou, outside) static source all all static destination teeessyou_ENCODERS teeessyou_ENCODERS

  2 fix the NAT statement with the keyword "No.-proxy-arp" :

  -nat (teeessyou, outside) static source any any destination static teeessyou_ENCODERS teeessyou_ENCODERS non-proxy-arp

  3 disable the VPN ISA SA:

  -claire crypto ikev1 his

  4. run the packet tracer to check that the L2L has developed,

  To be honest I wouldn't recommend move you to 9.1.7 since it has some problems with the ARP entries, and it affects AnyConnect SSL somehow, which is still under investigation.

  In fact, this bug affects 9.1.7 (may affect your environment):

  - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy28710

  Please don't forget to rate and score as of this post, keep me posted!

  Kind regards

  David Castro,