ASA VPN RA

I just put a VPN RA on a new ASA5505. I followed the Cisco documentation on getting it set up. I can connect but I can't ping anything inside. At the beginning I had vpn pool overlooking the Interior of intellectual property, but I read that it was incorrect. So, I assigned a different pattern of intellectual property. I'm not sure how to make NAT correctly so that I could get inside the IP addresses. If anyone could help, I'd appreciate it.

Thank you!

Check the configuration of firewall for...

ISAKMP nat-traversal crypto

and add it if it is absent.

Tags: Cisco Security

Similar Questions

  • ASA VPN with Fortgate

    Hello people!

    I still have the problem with VPN... Laughing out loud

    I have to create a new VPN site to site between ASA 5510 (8.42 IOS) and Fortgate, but something is very strange, Don t VPN came and I see in the debug crypto 10 ikev1 the newspaper to follow:

    [IKEv1] phase 1 default: incompatibility of types of attributes of class Gr OUP Description: RRs would be: Cfg 1 group would be: Group 2

    But if I ask the other peer to change in Group 2, the msg in the SAA is:

    [IKEv1] phase 1 default: incompatibility of types of attributes of class Gr OUP Description: RRs would be: Group 2 GCF: Group 1

    Fortgate is possible to activate the two specific groups of VPN 1 and 2, and I would ask the other peer left this way and the ASA show:

    [IKEv1] phase 1 default: incompatibility of types of attributes of class Gr OUP Description: RRs would be: Group 2 GCF: Group 1
    [IKEv1] phase 1 default: incompatibility of types of attributes of class Gr OUP Description: RRs would be: Cfg 1 group would be: Group 2

    The show isakmp his:

    9 counterpart IKE: 179.124.32.181
    Type: user role: answering machine
    Generate a new key: no State: MM_WAIT_MSG3

    I have delete and creat VPN 3 x and the same error occurs.

    Everyone has seen this kind of problem?

    Is it using Fortigate version 5 by chance?

    I saw Cisco ASA VPN problems repeatedly with this code Fortigate, but above all it has been a problem of Phase 2 and defining KB life maximally on the side of the ASA has solved it... However this seems not to be your problem here.

    The first thing in your config I see you have PFS enabled - have you insured it is located on the side of Fortinet or tried to turn it off on the side of Cisco to see if it happens?

    Be stuck at MM_WAIT_MSG3 means that you sent your return policy, but then you have not received the third package in the ISAKMP riding so either the Fortigate is unhappy with something or there's a routing problem (however unlikely given that you have already had communication)

    Try on the side of the ASA:

    debug crypto isakmp 7
    You can also confrm your external interface is 'outside1 '? You can see this "see intellectual property."

  • ASA VPN - allow user based on LDAP Group

    Hello friends

    I have create a configuration to allow connection based on LDAP Group.

    I m not specialize in the firewall and I tried to follow the links above, but both seem old, commanded several is not available.

    http://www.tunnelsup.com/Cisco-ASA-VPN-authorize-user-based-on-LDAP-group

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

    Anyone know how I can do?

    Thank you

    Marcio

    I like to use the Protocol DAP (dynamic access policies) to control this.  Follow this guide:

    https://supportforums.Cisco.com/document/7691/ASA-8X-dynamic-access-policies-DAP-deployment-guide

  • Assign the static IP address by ISE, ASA VPN clients

    We will integrate the remote access ASA VPN service with a new 1.2 ISE.

    Authentication is performed in Active directory. After authentication, can address assigned to a specific user of VPN by ISE IP?

    This means that the same VPN user will always get the same IP address. Thank you.

    Daniel,

    You can override the IETF-RADIUS-Framed-IP-Address in the authorization policy.

    However if I may make a suggestion:

    Unless you have only a handful of users to do so, it may be appropriate to assign the address of ISE pool or perform the mapping of LDAP attributes on ASA itself.

    In the latter case, the IP addresses are kept on the server as LDAP attributes and ASA will map the IP address. You don't want to keep address IP DB in several places.

    M.

  • Device behind a Firewall other, ASA VPN

    I have a client who wants to put their VPN / behind the ASA ASA main connected to the Internet.  Both devices have an inside leg for the internal network, but the ASA VPN connects directly to the Internet ASA.

    Topology:

    Outisde FW: Internet transfer Procedure > ASA/FW > leg DMZ to ASA/VPN

    ASA VPN: Outside the L3 Interface interface DMZ of ASA/FW link

    On the outside NAT FW I would be the external address of the VPN / ASA outside the public IP address is available and I have a rule that allows all IP from outside to outside the private IP VPN.  Inside = 192.168.254.1 outside = public IP address.

    Configured on the VPN / ASA, ASA standard SSL Remote Access.

    When I hit the NAT public IP address, nothing happens.  I've run packet - trace on the FW outside, and everything seems good.

    Someone at - it a sampling plan / config for a similar topology?     Internet > ASA/FW > dmz-leg > ASA/VPN

    Thanks in advance,
    Bob

    Can share you your NAT and routing configuration? Of these two ASAs

  • ASDM conc (ASA) VPN access

    I have the script like this:

    an ASA, which is the FW, TR making static NAT from the public to the private IP and private IP address add is add conc (another ASA) VPN. I am accessing these devices via the VPN client and I get the address IP of VPN pool set on VPN conc. VPN conc. is in a DMZ VLAN, but it also has connection to the local network segment. Purposes of mgmt, I connect to this VPN through SSH conc via a switch in the local network segment. To use the http access, I have to be on one of the servers that are in the local network segment. Since then, when I set up the VPN connection, I'm sure VPN conc., what can do to access http directly from my PC?

    This sets up on the conc VPN:

    management-access inside
    

    After that you should be able to use ASDM over the VPN tunnel, by connecting to its inside ip address.
    

    hth
    
    Herbert
    
    (note, I assume the name of the interface connected to the LAN is named "inside", if not adapt at will )

  • ASA VPN positive = SSL VPN?

    Hello

    I have a pair of FO, I need to exchange an ASA5520 who owns a license of VPN over 750

    Can I use an ASA5520 with ASA5500-SSL-750 instead

    Regards Tony

    Yes, it is always available on order. Part number: ASA5520-VPN-PL =

    In addition, this more ASA VPN would be much much cheaper than the SSL VPN license.

    Thank you

    Kiran

  • New ASA/VPN configuration

    So, I am looking to add one of my spare 5510 firewall to my secondary network as a vpn connection.

    All I want this new ASA to do is handle my site anyconnect VPN connections.  I'm pretty new to ASAs if any help would be great.  I know how to create a new access VPN on my ASA and I added a NAT for my inside and outside traffic to my new Pool of IP VPN.

    My question is, since it's only for the VPN and I want all my current internal traffic to continue to the asa 5510 existing routing, do I have to enter the ACL to my new single AAS of VPN?  ACLs are used for VPN traffic and do I need them to traffic the route via VPN?

    I'll put up inside interface of connection to one of my main Cisco switches and the outside interface connects to my DMZ switch on the new ASA only VPN.

    Thank you

    I don't know if I am how you connect to the external interface of single ASA VPN. Normally, in this type of installation, we would see the ASA VPN "in parallel" with the perimeter firewall.

    You mention the DMZ switch that threw me a little. If you are in France through your main firewall and go to single ASA VPN via the DMZ then Yes you will need to allow several open ports (protocol 50, udp/500, tcp/443 among others) and may have to do some other techniques (NAT - T, etc.) depending on the type of remote you are implementing. That's why we rarely see this configuration used - it adds a good dose of complexity without significant benefit.

    When the old facility is used, you need to switch internal to know to route traffic to the pool VPN through the only ASA VPN inside the interface. A static route is more often used, although you can use OSPF or EIGRP if you wanted to.

    Should generally not be any access list that VPN traffic around the Bank access lists incoming interface. Back to remote clients traffic is coming from inside and out through (and is usually part of anestablished connection) so no access list is necessary inside.

  • ASA VPN on physical IP address only?

    Hello

    Is it possible to set up a virtual IP address dedicated to endpoint on ASA VPN version 8.3 and later?

    I don't want to use the physical IP address on my external interface.

    Thank you

    No problem. Mark pls kindly responded to this post like so that others may learn from your post. Thank you.

  • ASA Vpn load balancing and failover

    Hi all.

    We have two asa5520 configured as main unit and emergency in failover configuration, and everything works fine.

    Is it possible with this configuration (switch), configure the vpn load balancing/grouping?

    Thank you

    Daniele

    Hi Daniele,

    You cannot run two of them on two firewalls ASA, VPN feature load balancing or failover functionality.

    Where you need to use the two feature, you must use more than three ASA firewall, two first ASAs will work as the failover and the ASA third will work as cluster VPN for them, the following example uses four firewalls:

    ASA1 (active FO) - ASA2 (TF Standby)

    (VPN virtual master)

    |

    |

    |

    |

    (Backup VPN device)

    ASA3 (active FO) - ASA4 (TF Standby)

    Kind regards

    Wajih

  • Certificate on ASA VPN

    Hello

    I want to apply AnyConnect VPN of RA IPSec on SAA with the users that can connect using cards to chip. So I need to install digital certificates on SAA.

    Follows 4 things of my contacts (who is on holiday and so I have to find via this portal what exactly what I need to do with them)

    1 root-ORG - CA.cer - Root CA from our own CA .cer format

    2 Proc-ORG - CA.cer - he says that it is of "issued by: root-ORG-CA. Do not know what exactly is this certificate. Again the extension is .cer.

    3 ASA - CERT.cer - here, he argues that it is "issued by: Proc-ORG-CA. The name I guess that's the identity certificate should I install on ASA. Once the extension is .cer

    4 ASA - Priv.key - it is the private key in the .key file, I can read in Notepad.

    Now according to my knowledge goes, I think: I have to install the root-ORG - CA.cer on SAA. Then, I need some kind installation private key + certificate of individual or combined identity. But I am confused how to proceed

    (a) what could be the Proc-ORG - CA.cer ?

    (b) what is the exact order in which I should install things?

    (c) is the most convenient for these things or paste content in CLI ASDM?

    (d) for each file what extensions do I need? I need to convert certificates in other formats?

    Thanks in advance!

    Hello

    Here are answers to your questions:

    a. Proc-ORG - CA.cer seems to be the server intermediate CA that signs the certificate and it has been authorized by your certification authority root to do it.

    b. you must first import the root CA, then intermediate authority and finally the ASA CA

    c. you can do both using ASDM and CLI. However, I personally prefer CLI

    d. REB is good for the intermediate and root. For SAA, if you RECs and a private key, you must convert the pkcs12 format.

    Hope this is clear.

    Thank you

    PS: Please do not forget to rate and score as correct answer if this answered your question

  • Unable to connect to other remote access (ASA) VPN clients

    Hello

    I have a cisco ASA 5510 appliance configured with remote VPN access

    I can connect all hosts on the INSIDE and DMZ network, but not able to access other clients connected to the same VPN.

    For example, if I have 2 clients connected to the VPN, customer and CustomerB, with a pool of vpn IP addresses such as 10.40.170.160 and 10.40.170.161 respectively, these two clients are not able to communicate with each other.

    Any help is welcome.

    Thanks in advance.

    Hello

    I'm a little rusty on the old format NAT, but would be what I would personally try to configure NAT0 on the 'outer' interface.

    It seems to me that you currently have dynamic PAT configured for the VPN users you have this

    NAT (outside) 1 10.40.170.0 255.255.255.0

    If your traffic is probably corresponding to it.

    The only thing I can think of at the moment would be to configure

    Note of VPN-CLIENT-NAT0-access-list NAT0 for traffic between VPN Clients

    list of access VPN-CLIENT-NAT0 permit ip 10.40.170.0 255.255.255.0 10.40.170.0 255.255.255.0

    NAT (outside) 0-list of access VPN-CLIENT-NAT0

    I don't know if it works. I did not really have to configure it on any ASAs running older software. There was some similar questions here on the forums for the new format.

    -Jouni

  • Can I run an ASA VPN dedicated?

    I currently have a 5525 ASA that I use for general purposes of firewall.  This includes mainly the Nat'ed surfing and some translations static address for some servers such as mail and so on.  I realized that it is only a year old, is running well and I am reluctant to change the config and add features to it.  I have a new 5525 to be used as a replacement, but also via Anyconnect VPN.  I have several unused public IPs from my ISP, and there is a switch between the router of the provider and my ASA current.  Could I let just the current firewall to do its work and put the new in place by using a different ip address on the inside and the outside and connect it to the switch between the router and my main ASA?  This we would tweek the VPN without endangering the work of the company's main production.

    Thanks in advance for your help

    Hi Brad,

    Yes you can do it.

    It should work fine, as the new ASA would serve as the endpoint Anyconnect which seems fine and the ASA old would still serve the NATTING and static translations for your internal servers.

    Kind regards

    Aditya

    Please evaluate the useful messages and mark the correct answers.

  • ASA VPN

    Hello

    I have a question concerning the VPN, is it possible to configure the two IPsec VPN site-to-site and remote access vpn on the same ASA and working at the same time, does require one or two different public ip addresses?

    I have cisco ASA 5540 - version 9.1

    Best regards

    Hello

    Yes, you can with 1 single public ip address. You need to activate the same-security-traffic allow intra-interface functionality to allow a customer vpn site-to-site vpn access if you need.

    Take a look at the Cisco documentation;

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

    Thank you

    PS: Please do not forget to rate and score as good response if this solves your problem

  • ASA VPN RA, iPad, PC

    Hello

    I apologize if this has already been asked.  If you see a thread asked that same question, please link.

    I am currently overseas and want to set up my house (WE) ASA 5505 with two profiles VPN; a complete tunnel, a tunnel split.  This will allow me to connect to my PC or iPad and access my things at home (split tunnel), or reach Web sites are supplied with of my U.S. address (full-tunnel).

    I prefer to go on this configuration via CLI as I am not too familiar with the GUI.

    My first question is just a base: what I?  Remote access VPN with several groups?  AnyConnect?  Eazy VPN?  I'm not strong on the platform of the SAA, so any help would be appreciated.  I'd like to use the iPad built-in optional IPSEC VPN (marked "Cisco").

    Thanks for any help

    -Scott

    ASA 5505 9.1 (1)

    Do you mean to give your VPN internet access users while using the complete tunnel? Then Yes you would do a NAT and allow also the ASA send traffic on the same interface, that he received the.

    purpose of VPN network

    subnet 192.168.1.0 255.255.255.0

    dynamic NAT interface (outdoors, outdoor)

    permit same-security-traffic intra-interface

  • L2l 1941 to ASA VPN

    Hi all

    I have a strange problem, trying to establish a VPN between my camera (1941) and a distance of ASA.

    The question is, can I say is that the IKE phase precipitates after MM6. I'm not an expert in the present, but I'll try to explain to the best of my knowledge

    Here's a cry full debugging isakmp:
    * 05:12:05.187 Jun 10: ISAKMP: (1001): serving SA., his is 3AD3BE6C, delme is 3AD3BE6C
    * Jun 10 05:12:05.259: ISAKMP: (0): profile of THE request is (NULL)
    * 05:12:05.259 Jun 10: ISAKMP: created a struct peer 41.223.4.83, peer port 500
    * 05:12:05.259 Jun 10: ISAKMP: new created position = 0x4B475724 peer_handle = 0 x 80000004
    * 05:12:05.259 Jun 10: ISAKMP: lock struct 0x4B475724, refcount 1 to peer isakmp_initiator
    * 05:12:05.259 Jun 10: ISAKMP: 500 local port, remote port 500
    * 05:12:05.263 Jun 10: ISAKMP: set new node 0 to QM_IDLE
    * 05:12:05.263 Jun 10: ISAKMP: find a dup her to the tree during the isadb_insert his 3AD3BE6C = call BVA
    * 05:12:05.263 Jun 10: ISAKMP: (0): cannot start aggressive mode, try the main mode.
    * 05:12:05.263 Jun 10: ISAKMP: (0): pair found pre-shared key matching 41.223.4.83
    * Jun 10 05:12:05.263: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
    * Jun 10 05:12:05.263: ISAKMP: (0): built the seller-07 ID NAT - t
    * Jun 10 05:12:05.263: ISAKMP: (0): built of NAT - T of the seller-03 ID
    * Jun 10 05:12:05.263: ISAKMP: (0): built the seller-02 ID NAT - t
    * 05:12:05.263 Jun 10: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    * 05:12:05.263 Jun 10: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1
     
    * Jun 10 05:12:05.263: ISAKMP: (0): Beginner Main Mode Exchange
    * Jun 10 05:12:05.263: ISAKMP: (0): lot of 41.223.4.83 sending my_port 500 peer_port 500 (I) MM_NO_STATE
    * 05:12:05.263 Jun 10: ISAKMP: (0): sending a packet IPv4 IKE.
    * 05:12:05.475 Jun 10: ISAKMP (0): received 41.223.4.83 packet dport 500 sport Global 500 (I) MM_NO_STATE
    * 05:12:05.475 Jun 10: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    * 05:12:05.475 Jun 10: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2
     
    * Jun 10 05:12:05.475: ISAKMP: (0): treatment ITS payload. Message ID = 0
    * Jun 10 05:12:05.475: ISAKMP: (0): load useful vendor id of treatment
    * Jun 10 05:12:05.475: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    * 05:12:05.475 Jun 10: ISAKMP (0): provider ID is NAT - T RFC 3947
    * Jun 10 05:12:05.475: ISAKMP: (0): load useful vendor id of treatment
    * Jun 10 05:12:05.475: ISAKMP: (0): IKE frag vendor processing id payload
    * 05:12:05.475 Jun 10: ISAKMP: (0): IKE Fragmentation support not enabled
    * 05:12:05.475 Jun 10: ISAKMP: (0): pair found pre-shared key matching 41.223.4.83
    * Jun 10 05:12:05.475: ISAKMP: (0): pre-shared key local found
    * 05:12:05.475 Jun 10: ISAKMP: analysis of the profiles for xauth...
    * 05:12:05.475 Jun 10: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1
    * 05:12:05.475 Jun 10: ISAKMP: AES - CBC encryption
    * 05:12:05.475 Jun 10: ISAKMP: keylength 256
    * 05:12:05.475 Jun 10: ISAKMP: SHA hash
    * 05:12:05.475 Jun 10: ISAKMP: group by default 2
    * 05:12:05.475 Jun 10: ISAKMP: pre-shared key auth
    * 05:12:05.475 Jun 10: ISAKMP: type of life in seconds
    * 05:12:05.475 Jun 10: ISAKMP: life (basic) of 28800
    * 05:12:05.475 Jun 10: ISAKMP: (0): atts are acceptable
    . Next payload is 0
    * 05:12:05.475 Jun 10: ISAKMP: (0): Acceptable atts: real life: 0
    * 05:12:05.475 Jun 10: ISAKMP: (0): Acceptable atts:life: 0
    * 05:12:05.475 Jun 10: ISAKMP: (0): base life_in_seconds:28800
    * 05:12:05.475 Jun 10: ISAKMP: (0): return real life: 28800
    * 05:12:05.475 Jun 10: ISAKMP: (0): timer life Started: 28800.
     
    * Jun 10 05:12:05.511: ISAKMP: (0): load useful vendor id of treatment
    * Jun 10 05:12:05.511: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    * 05:12:05.511 Jun 10: ISAKMP (0): provider ID is NAT - T RFC 3947
    * Jun 10 05:12:05.511: ISAKMP: (0): load useful vendor id of treatment
    * Jun 10 05:12:05.511: ISAKMP: (0): IKE frag vendor processing id payload
    * 05:12:05.511 Jun 10: ISAKMP: (0): IKE Fragmentation support not enabled
    * 05:12:05.511 Jun 10: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    * 05:12:05.511 Jun 10: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2
     
    * Jun 10 05:12:05.511: ISAKMP: (0): lot of 41.223.4.83 sending my_port 500 peer_port 500 (I) MM_SA_SETUP
    * 05:12:05.511 Jun 10: ISAKMP: (0): sending a packet IPv4 IKE.
    * 05:12:05.511 Jun 10: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    * 05:12:05.511 Jun 10: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3
     
    * 05:12:05.727 Jun 10: ISAKMP (0): received 41.223.4.83 packet dport 500 sport Global 500 (I) MM_SA_SETUP
    * 05:12:05.727 Jun 10: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    * 05:12:05.727 Jun 10: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4
     
    * Jun 10 05:12:05.727: ISAKMP: (0): processing KE payload. Message ID = 0
    * Jun 10 05:12:05.759: ISAKMP: (0): processing NONCE payload. Message ID = 0
    * 05:12:05.759 Jun 10: ISAKMP: (0): pair found pre-shared key matching 41.223.4.83
    * Jun 10 05:12:05.759: ISAKMP: (1003): load useful vendor id of treatment
    * Jun 10 05:12:05.759: ISAKMP: (1003): provider ID is the unit
    * Jun 10 05:12:05.759: ISAKMP: (1003): load useful vendor id of treatment
    * Jun 10 05:12:05.759: ISAKMP: (1003): provider ID seems the unit/DPD but major incompatibility of 104
    * Jun 10 05:12:05.759: ISAKMP: (1003): provider ID is XAUTH
    * Jun 10 05:12:05.759: ISAKMP: (1003): load useful vendor id of treatment
    * Jun 10 05:12:05.763: ISAKMP: (1003): addressing another box of IOS
    !
    * Jun 10 05:12:05.763: ISAKMP: (1003): load useful vendor id of treatment
    * 05:12:05.763 Jun 10: ISAKMP: (1003): vendor ID seems the unit/DPD but hash mismatch
    * 05:12:05.763 Jun 10: ISAKMP: receives the payload type 20
    * 05:12:05.763 Jun 10: ISAKMP (1003): sound not hash no match - this node outside NAT
    * 05:12:05.763 Jun 10: ISAKMP: receives the payload type 20
    * 05:12:05.763 Jun 10: ISAKMP (1003): No. NAT found for oneself or peer
    * 05:12:05.763 Jun 10: ISAKMP: (1003): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    * 05:12:05.763 Jun 10: ISAKMP: (1003): former State = new State IKE_I_MM4 = IKE_I_MM4
     
    * 05:12:05.763 Jun 10: ISAKMP: (1003): send initial contact
    * 05:12:05.763 Jun 10: ISAKMP: (1003): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
    * 05:12:05.763 Jun 10: ISAKMP (1003): payload ID
    next payload: 8
    type: 1
    address: 82.117.193.82
    Protocol: 17
    Port: 500
    Length: 12
    * 05:12:05.763 Jun 10: ISAKMP: (1003): the total payload length: 12
    * Jun 10 05:12:05.763: ISAKMP: (1003): lot of 41.223.4.83 sending my_port 500 peer_port 500 (I) MM_KEY_EXCH
    * 05:12:05.763 Jun 10: ISAKMP: (1003): sending a packet IPv4 IKE.
    * 05:12:05.763 Jun 10: ISAKMP: (1003): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    * 05:12:05.763 Jun 10: ISAKMP: (1003): former State = new State IKE_I_MM4 = IKE_I_MM5
     
    * 05:12:05.975 Jun 10: ISAKMP (1003): received 41.223.4.83 packet dport 500 sport Global 500 (I) MM_KEY_EXCH
    * Jun 10 05:12:05.975: ISAKMP: (1003): payload ID for treatment. Message ID = 0
    * 05:12:05.975 Jun 10: ISAKMP (1003): payload ID
    next payload: 8
    type: 1
    address: 41.223.4.83
    Protocol: 17
    Port: 0
    Length: 12
    * Jun 10 05:12:05.975: ISAKMP: (0): peer games * no * profiles
    * Jun 10 05:12:05.975: ISAKMP: (1003): HASH payload processing
    . Message ID = 0
    * 05:12:05.975 Jun 10: ISAKMP: received payload type 17
    * 05:12:05.979 Jun 10: ISAKMP: (1003): SA authentication status:
    authenticated
    * 05:12:05.979 Jun 10: ISAKMP: (1003): SA has been authenticated with 41.223.4.83
    * 05:12:05.979 Jun 10: ISAKMP: try to insert a 82.117.193.82/41.223.4.83/500/peer and inserted 4 B 475724 successfully.
    * 05:12:05.979 Jun 10: ISAKMP: (1003): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    * 05:12:05.979 Jun 10: ISAKMP: (1003): former State = new State IKE_I_MM5 = IKE_I_MM6
     
    * 05:12:05.979 Jun 10: ISAKMP: (1003): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    * 05:12:05.979 Jun 10: ISAKMP: (1003): former State = new State IKE_I_MM6 = IKE_I_MM6
     
    * 05:12:05.979 Jun 10: ISAKMP: (1003): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    * 05:12:05.979 Jun 10: ISAKMP: (1003): former State = new State IKE_I_MM6 = IKE_P1_COMPLETE
     
    * 05:12:05.979 Jun 10: ISAKMP: (1003): start Quick Mode Exchange, M - ID 2434392874
    * 05:12:05.979 Jun 10: ISAKMP: (1003): initiator QM gets spi
    * Jun 10 05:12:05.979: ISAKMP: (1003): lot of 41.223.4.83 sending my_port 500 peer_port 500 (I) QM_IDLE
    * 05:12:05.979 Jun 10: ISAKMP: (1003): sending a packet IPv4 IKE.
    * 05:12:05.979 Jun 10: ISAKMP: (1003): entrance, node 2434392874 = IKE_MESG_INTERNAL, IKE_INIT_QM
    * 05:12:05.979 Jun 10: ISAKMP: (1003): former State = new State IKE_QM_READY = IKE_QM_I_QM1
    * 05:12:05.979 Jun 10: ISAKMP: (1003): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    * 05:12:05.979 Jun 10: ISAKMP: (1003): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
     
    * 05:12:06.195 Jun 10: ISAKMP (1003): received 41.223.4.83 packet dport 500 sport Global 500 (I) QM_IDLE
    * 05:12:06.195 Jun 10: ISAKMP: node set 169965215 to QM_IDLE
    * Jun 10 05:12:06.195: ISAKMP: (1003): HASH payload processing
    . Message ID = 169965215
    * Jun 10 05:12:06.195: ISAKMP: (1003): treatment protocol NOTIFIER PROPOSAL_NOT_CHOSEN 3
    0, message ID SPI = 169965215, a = 0x3AD3BE6C
    * 05:12:06.199 Jun 10: ISAKMP: (1003): error suppression node 169965215 FALSE reason 'informational (en) State 1.
    * 05:12:06.199 Jun 10: ISAKMP: (1003): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    * 05:12:06.199 Jun 10: ISAKMP: (1003): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
     
    * 05:12:06.199 Jun 10: ISAKMP (1003): received 41.223.4.83 packet dport 500 sport Global 500 (I) QM_IDLE
    * 05:12:06.199 Jun 10: ISAKMP: node set 1149953416 to QM_IDLE
    * Jun 10 05:12:06.199: ISAKMP: (1003): HASH payload processing. Message ID = 1149953416
    * Jun 10 05:12:06.199: ISAKMP: (1003): treatment of payload to DELETE
    . Message ID = 1149953416
    * 05:12:06.199 Jun 10: ISAKMP: (1003): peer does not paranoid KeepAlive.
     
    * 05:12:06.199 Jun 10: ISAKMP: (1003): removal of HIS State "No reason" why (I) QM_IDLE (post 41.223.4.83)
    * 05:12:06.199 Jun 10: ISAKMP: (1003): error suppression node 1149953416 FALSE reason 'informational (en) State 1.
    * 05:12:06.199 Jun 10: ISAKMP: node set 613686650 to QM_IDLE
    * Jun 10 05:12:06.199: ISAKMP: (1003): lot of 41.223.4.83 sending my_port 500 peer_port 500 (I) QM_IDLE
    * 05:12:06.199 Jun 10: ISAKMP: (1003): sending a packet IPv4 IKE.
    * 05:12:06.199 Jun 10: ISAKMP: (1003): purge the node 613686650
    * 05:12:06.199 Jun 10: ISAKMP: (1003): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    * 05:12:06.199 Jun 10: ISAKMP: (1003): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA
     
    * 05:12:06.199 Jun 10: ISAKMP: (1003): removal of HIS State "No reason" why (I) QM_IDLE (post 41.223.4.83)
    * 05:12:06.199 Jun 10: ISAKMP: Unlocking counterpart struct 0x4B475724 for isadb_mark_sa_deleted(), count 0
    * 05:12:06.199 Jun 10: ISAKMP: delete peer node by peer_reap for 41.223.4.83: 4 B 475724
    * 05:12:06.203 Jun 10: ISAKMP: (1003): node-1860574422 error suppression FALSE reason 'IKE deleted.
    * 05:12:06.203 Jun 10: ISAKMP: (1003): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    * 05:12:06.203 Jun 10: ISAKMP: (1003): former State = new State IKE_DEST_SA = IKE_DEST_SA
     
    * 05:12:25.187 Jun 10: ISAKMP: (1002): purge the node 1140237073

    Installed IOS is c1900-universalk9-mz. Spa. 154 - 3.M5.bin

    Before that, I had 15.3, same thing.

    BGPR1 # running sho
    Building configuration...
     
    Current configuration: 5339 bytes
    !
    ! Last configuration change at 05:19:14 UTC Friday, June 10, 2016 by boris
    !
    version 15.4
    horodateurs service debug datetime msec
    Log service timestamps datetime msec
    encryption password service
    !
    hostname BGPR1
    !
    boot-start-marker
    start the system flash0:c1900 - universalk9-mz. Spa. 154 - 3.M5.bin
    boot-end-marker
    !
    !
    logging buffered 51200 warnings
    !
    No aaa new-model
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    IP flow-cache timeout active 1
    IP cef
    No ipv6 cef
    !
    Authenticated MultiLink bundle-name Panel
    !
    CTS verbose logging
    !
    Crypto pki trustpoint TP-self-signed-
    enrollment selfsigned
    name of the object cn = IOS-Self-signed-certificate-
    revocation checking no
    rsakeypair TP-self-signed-3992366821
    !
    !
    chain pki crypto TP-self-signed certificates.
    certificate self-signed 01
    quit smoking
    udi pid CISCO1941/K9 sn CF license
    !
    !
    username
    username
    !
    redundancy
    !
    !
    !
    No crypto ikev2 does diagnosis error
    !
    !
    !
    !
    crypto ISAKMP policy 1
    BA aes 256
    preshared authentication
    Group 2
    lifetime 28800
    isakmp encryption key * address 41.223.4.83
    !
    !
    Crypto ipsec transform-set Meridian ah-sha-hmac esp - aes 256
    tunnel mode
    !
    !
    !
    Meridian 10 map ipsec-isakmp crypto
    VODACOM VPN description
    defined by peer 41.223.4.83
    86400 seconds, life of security association set
    the transform-set Meridian value
    match address 100
    !
    !
    !
    !
    !
    the Embedded-Service-Engine0/0 interface
    no ip address
    Shutdown
    !
    interface GigabitEthernet0/0
    Description peer na Telekom
    IP 79.101.96.6 255.255.255.252
    penetration of the IP stream
    stream IP output
    automatic duplex
    automatic speed
    No cdp enable
    !
    interface GigabitEthernet0/1
    Description peer na SBB
    IP 82.117.193.82 255.255.255.252
    penetration of the IP stream
    stream IP output
    automatic duplex
    automatic speed
    No cdp enable
    Meridian of the crypto map
    !
    interface FastEthernet0/0/0
    no ip address
    !
    interface FastEthernet0/0/1
    no ip address
    !
    interface FastEthernet0/0/2
    no ip address
    !
    interface FastEthernet0/0/3
    switchport access vlan 103
    no ip address
    !
    interface Vlan1
    IP 37.18.184.1 255.255.255.0
    penetration of the IP stream
    stream IP output
    !
    interface Vlan103
    IP 10.10.10.1 255.255.255.0
    !
    router bgp 198370
    The log-neighbor BGP-changes
    37.18.184.0 netmask 255.255.255.0
    10.10.10.2 neighbor remote - as 201047
    map of route-neighbor T-OUT 10.10.10.2 out
    neighbour 79.101.96.5 distance - 8400
    neighbor 79.101.96.5 fall-over
    neighbor 79.101.96.5 LOCALPREF route map in
    79.101.96.5 T-OUT out neighbor-route map
    neighbour 82.117.193.81 distance - as 31042
    neighbor 82.117.193.81 fall-over
    neighbor 82.117.193.81 route LocalOnly outside map
    !
    IP forward-Protocol ND
    !
    IP as path access list 10 permit ^ $
    IP as path access list 20 permits ^ $ 31042
    no ip address of the http server
    local IP http authentication
    no ip http secure server
    IP http timeout policy slowed down 60 life 86400 request 10000
    IP flow-export Vlan1 source
    peer of IP flow-export version 5 - as
    37.18.184.8 IP flow-export destination 2055
    !
    IP route 37.18.184.0 255.255.255.0 Null0
    IP route 104.28.15.63 255.255.255.255 79.101.96.5
    IP route 217.26.67.79 255.255.255.255 79.101.96.5
    !
    !
    IP-list of prefixes Filter_IN_Telekom seq 10 permit 0.0.0.0/0
    !
    T-OUT route map permit 10
    match 10 way
    !
    route allowed LOCALPREF 10 map
    set local preference 90
    !
    SBBOnly allowed 10 route map
    20 as path game
    !
    LocalOnly allowed 10 route map
    match 10 way
    !
    !
    m3r1d1an RO SNMP-server community
    Server SNMP ifindex persist
    access-list 100 permit ip host 37.18.184.4 41.217.203.234
    access-list 100 permit ip host 37.18.184.169 41.217.203.234
    !
    control plan
    !
    !
    !
    Line con 0
    Synchronous recording
    local connection
    line to 0
    line 2
    no activation-character
    No exec
    preferred no transport
    transport output pad rlogin lapb - your MOP v120 udptn ssh telnet
    StopBits 1
    line vty 0 4
    privilege level 15
    local connection
    entry ssh transport
    line vty 5 15
    privilege level 15
    local connection
    entry ssh transport
    !
    Scheduler allocate 20000 1000
    !
    end
     
    BGPR1 #.

    BGPR1 #sho cry isa his

    IPv4 Crypto ISAKMP Security Association

    DST CBC conn-State id

    41.223.4.83 82.117.193.82 MM_NO_STATE 1106 ACTIVE (deleted)

    41.223.4.83 82.117.193.82 MM_NO_STATE 1105 ACTIVE (deleted)

    For "sho cry ipsec his" I get only a lot of mistakes to send.

    For the other end, I had all the settings, I have no access to this device, they insist that this is a simple installation and that any problem is on my side.

    I tried to juggle the order of the access list, life card crypto security association and all "googlable" solutions, that I could find.

    Any input appreciated.

    Corresponds to the phase 2 double-checking on the SAA, including PFS.

    crypto ipsec transform-set meridian ah-sha-hmac esp-aes 256  mode tunnel

Maybe you are looking for

  • HP Mini 110-1006TU: BIOS password

    BIOS password reset HP Mini 110-1006TU Serial number:-[personal information] Product number:-VB696PA #ABG Operating system with version:-Windows XP 32-bit

  • stop abrupt Lenovo G450

    My stop suddenly experienced cell phone 2 times but cannot always function normally.it is a problem with the graphics driver intel?

  • Can I synchronize Windows Live Hotmail for mac os x in the mail application? How?

    Just a PC to an iMac.  I love.  I can shoot e-mail in the Mail application that comes with mac os x, but I can't seem to synchronize.  In other words, when I delete a hotmail on the iMac message that the message is still on the hotmail web site.  In

  • Media player does not recognize my cd/dvd burner

    I use Media Player 11.0 on XP SP3.  The tab device recognizes my cd/dvd burner, but when I select the Recorder tab, it says: connect a burner and restart the player.  Any ideas why the burner tab does not recognize the burner? Mike. T.

  • Laptop was dropped, now my CD player is not recognized

    I dropped my laptop for a long time and about a week later, I tried to burn a CD and I realized that my cd drive is not recognized by my laptop. The Player opens and closes smoothly, but it is not just recognized. When I go to 'my computer' the drive