Cisco 1941 DMVPN and Ipsec

Hello

You start to replace all of our ISA Server with with DMVPN cisco routers.  So far, we are happy with everything, but I ran into a problem.  I've just set up one of our agencies and the DMVPN works very well, but this location also has a VPN tunnel to another branch that we have not replaced with Cisco equipment yet.  The problem I have is that as soon as I associate an ipsec site-to-site VPN on the router, the DMVPN drops.

I create the Ipsec VPN:

map VPN_Crypto 1 ipsec-isakmp crypto

game of transformation-ESP-3DES-SHA

the value of aa.aa.aa.aa peer

match address 103 (where address is allow remote local IP subnet the IP subnet)

and everything works fine.  As soon as I do the following:

interface GigabitEthernet0/1

card crypto VPN_Crypto

The DMVPN drops.  If I can connect to and run:

interface GigabitEthernet0/1

No crypto card

The DMVPN happens immediately.

What could I do it wrong?  Here is the config for the Tunnel0 DMVPN tunnel:

interface Tunnel0

bandwidth 1000

192.168.10.31 IP address 255.255.255.0

no ip redirection

IP 1400 MTU

authentication of the PNDH IP DMVPN_NW

map of PNDH IP xx.xx.xx.xx multicast

property intellectual PNDH card 192.168.10.10 xx.xx.xx.xx

PNDH id network IP-100000

property intellectual PNDH holdtime 360

property intellectual PNDH nhs 192.168.10.10

dmvpn-safe area of Member's area

IP tcp adjust-mss 1360

delay of 1000

source of tunnel GigabitEthernet0/1

multipoint gre tunnel mode

tunnel key 100000

Tunnel CiscoCP_Profile1 ipsec protection profile

If you need anything else the config for help just let me know.  Our main site router, I had no problem with him being the DMVPN hub and also having a handful of Ipsec VPN set up on it well.  I appreciate a lot of help, I really need to get both of these tunnels running simultaneously as soon as possible.

Yes, but I don't see anything looking for strange (well, configs generated by CCP always sound strange...).

Maybe you run into a bug. Have you tried a different IOS? Personally I wouldn't use 15.2 if I have to. You can try 15.0 (1) M8 and see if it works.

--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni

Tags: Cisco Security

Similar Questions

  • DMVPN and IPsec CLIENT?

    Hello

    I was wondering if it was possible to use CRYPTOGRAPHY even for both: DMVPN and CLIENT IPsec?

    To make it work, I have to use 1 crypto for the DMVPN and 1 crypto for IPsec, both systems operate on the same router, my router TALK can connect to my HUB router and my computer can connect to the router "HUB" via an IPsec tunnel.

    Is their any way to make it easier, instead of doing configs in a single router for more or less the same work?

    My stitching question may be stupid, sorry for that, I'm still learning, and I love it

    Here below the full work DMVPN + IPsec:

    Best regards

    Didier

    ROUTER1841 #sh run

    Building configuration...

    Current configuration: 9037 bytes

    !

    ! Last configuration change to 21:51:39 gmt + 1 Monday February 7, 2011 by admin

    ! NVRAM config last updated at 21:53:07 gmt + 1 Monday February 7, 2011 by admin

    !

    version 12.4

    horodateurs service debug datetime localtime

    Log service timestamps datetime msec

    encryption password service

    !

    hostname ROUTER1841

    !

    boot-start-marker

    boot-end-marker

    !

    forest-meter operation of syslog messages

    logging buffered 4096 notifications

    enable password 7 05080F1C2243

    !

    AAA new-model

    !

    !

    AAA authentication banner ^ C

    THIS SYSTEM IS ONLY FOR THE USE OF AUTHORIZED FOR OFFICIAL USERS

    ^ C

    AAA authentication login userauthen local

    AAA authorization groupauthor LAN

    !

    !

    AAA - the id of the joint session

    clock time zone gmt + 1 1 schedule

    clock daylight saving time gmt + 2 recurring last Sun Mar 02:00 last Sun Oct 03:00

    dot11 syslog

    no ip source route

    !

    !

    No dhcp use connected vrf ip

    DHCP excluded-address IP 192.168.10.1

    DHCP excluded-address IP 192.168.20.1

    DHCP excluded-address IP 192.168.30.1

    DHCP excluded-address IP 192.168.100.1

    IP dhcp excluded-address 192.168.1.250 192.168.1.254

    !

    IP dhcp pool vlan10

    import all

    network 192.168.10.0 255.255.255.0

    default router 192.168.10.1

    lease 5

    !

    IP dhcp pool vlan20

    import all

    network 192.168.20.0 255.255.255.0

    router by default - 192.168.20.1

    lease 5

    !

    IP dhcp pool vlan30

    import all

    network 192.168.30.0 255.255.255.0

    default router 192.168.30.1

    !

    IP TEST dhcp pool

    the host 192.168.100.20 255.255.255.0

    0100.2241.353f.5e client identifier

    !

    internal IP dhcp pool

    network 192.168.100.0 255.255.255.0

    Server DNS 192.168.100.1

    default router 192.168.100.1

    !

    IP dhcp pool vlan1

    network 192.168.1.0 255.255.255.0

    Server DNS 8.8.8.8

    default router 192.168.1.1

    lease 5

    !

    dhcp MAC IP pool

    the host 192.168.10.50 255.255.255.0

    0100.2312.1c0a.39 client identifier

    !

    IP PRINTER dhcp pool

    the host 192.168.10.20 255.255.255.0

    0100.242b.4d0c.5a client identifier

    !

    MLGW dhcp IP pool

    the host 192.168.10.10 255.255.255.0

    address material 0004.f301.58b3

    !

    pool of dhcp IP pc-vero

    the host 192.168.10.68 255.255.255.0

    0100.1d92.5982.24 client identifier

    !

    IP dhcp pool vlan245

    import all

    network 192.168.245.0 255.255.255.0

    router by default - 192.168.245.1

    !

    dhcp VPN_ROUTER IP pool

    0100.0f23.604d.a0 client identifier

    !

    dhcp QNAP_NAS IP pool

    the host 192.168.10.100 255.255.255.0

    0100.089b.ad17.8f client identifier

    name of the client QNAP_NAS

    !

    !

    IP cef

    no ip bootp Server

    IP domain name dri

    host IP SW12 192.168.1.252

    host IP SW24 192.168.1.251

    IP host tftp 192.168.10.50

    host IP of Router_A 192.168.10.5

    host IP of Router_B 10.0.1.1

    IP ddns update DynDNS method

    HTTP

    Add http://dri66: [email protected] / * *//nic/update?system=dyndns&hostname=mlgw.dyndns.info&myip=[email protected] / * //nic/update?system=dyndns&hostname=mlgw.dyndns.info&myip=

    maximum interval 1 0 0 0

    minimum interval 1 0 0 0

    !

    NTP 66.27.60.10 Server

    !

    Authenticated MultiLink bundle-name Panel

    !

    !

    Flow-Sampler-map mysampler1

    Random mode one - out of 100

    !

    Crypto pki trustpoint TP-self-signed-2996752687

    enrollment selfsigned

    name of the object cn = IOS - Self - signed - certificate - 2996752687

    revocation checking no

    rsakeypair TP-self-signed-2996752687

    !

    !

    VTP version 2

    username Admin privilege 15 secret 5 $1$ gAFQ$ 2ecAHSYEU9g7b6WYuTY9G.

    username cisco password 7 02050D 480809

    Archives

    The config log

    hidekeys

    !

    !

    crypto ISAKMP policy 3

    BA 3des

    preshared authentication

    Group 2

    !

    crypto ISAKMP policy 10

    md5 hash

    preshared authentication

    ISAKMP crypto cisco123 key address 0.0.0.0 0.0.0.0

    !

    ISAKMP crypto client configuration group 3000client

    key cisco123

    DNS 8.8.8.8

    dri.eu field

    pool VPNpool

    ACL 150

    !

    !

    Crypto ipsec transform-set strong esp-3des esp-md5-hmac

    Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT

    !

    Profile cisco ipsec crypto

    define security-association life seconds 120

    transformation-strong game

    !

    !

    Crypto-map dynamic dynmap 10

    Set transform-set RIGHT

    !

    !

    map clientmap client to authenticate crypto list userauthen

    card crypto clientmap isakmp authorization list groupauthor

    client configuration address map clientmap crypto answer

    10 ipsec-isakmp crypto map clientmap Dynamics dynmap

    !

    !

    !

    property intellectual ssh time 60

    property intellectual ssh authentication-2 retries

    IP port ssh 8096 Rotary 1

    property intellectual ssh version 2

    !

    !

    !

    interface Loopback0

    IP 192.66.66.66 255.255.255.0

    !

    interface Tunnel0

    172.16.0.1 IP address 255.255.255.0

    no ip redirection

    IP mtu 1440

    no ip next-hop-self eigrp 90

    property intellectual PNDH authentication cisco123

    dynamic multicast of IP PNDH map

    PNDH network IP-1 id

    No eigrp split horizon ip 90

    source of tunnel FastEthernet0/0

    multipoint gre tunnel mode

    0 button on tunnel

    Cisco ipsec protection tunnel profile

    !

    interface FastEthernet0/0

    DMZ description

    IP ddns update hostname mlgw.dyndns.info

    IP ddns update DynDNS

    DHCP IP address

    no ip unreachable

    no ip proxy-arp

    NAT outside IP

    IP virtual-reassembly

    automatic duplex

    automatic speed

    clientmap card crypto

    !

    interface FastEthernet0/0,241

    Description VLAN 241

    encapsulation dot1Q 241

    DHCP IP address

    IP access-group dri-acl-in in

    NAT outside IP

    IP virtual-reassembly

    No cdp enable

    !

    interface FastEthernet0/0.245

    encapsulation dot1Q 245

    DHCP IP address

    IP access-group dri-acl-in in

    NAT outside IP

    IP virtual-reassembly

    No cdp enable

    !

    interface FastEthernet0/1

    Description INTERNAL ETH - LAN$

    IP 192.168.100.1 address 255.255.255.0

    no ip proxy-arp

    IP nat inside

    IP virtual-reassembly

    Shutdown

    automatic duplex

    automatic speed

    !

    interface FastEthernet0/0/0

    switchport access vlan 10

    spanning tree portfast

    !

    interface FastEthernet0/0/1

    switchport access vlan 245

    spanning tree portfast

    !

    interface FastEthernet0/0/2

    switchport access vlan 30

    spanning tree portfast

    !

    interface FastEthernet0/0/3

    switchport mode trunk

    !

    interface Vlan1

    IP address 192.168.1.250 255.255.255.0

    IP nat inside

    IP virtual-reassembly

    !

    interface Vlan10

    IP 192.168.10.1 255.255.255.0

    IP nat inside

    IP virtual-reassembly

    !

    interface Vlan20

    address 192.168.20.1 255.255.255.0

    IP nat inside

    IP virtual-reassembly

    !

    Vlan30 interface

    192.168.30.1 IP address 255.255.255.0

    IP nat inside

    IP virtual-reassembly

    !

    interface Vlan245

    IP 192.168.245.1 255.255.255.0

    IP nat inside

    IP virtual-reassembly

    !

    Router eigrp 90

    network 172.16.0.0

    network 192.168.10.0

    No Auto-resume

    !

    IP pool local VPNpool 172.16.1.1 172.16.1.100

    IP forward-Protocol ND

    no ip address of the http server

    local IP http authentication

    IP http secure server

    !

    IP flow-cache timeout idle 130

    IP flow-cache timeout active 20

    cache IP flow-aggregation prefix

    cache timeout idle 400

    active cache expiration time 25

    !

    !

    overload of IP nat inside source list 170 interface FastEthernet0/0

    overload of IP nat inside source list interface FastEthernet0/0.245 NAT1

    IP nat inside source static tcp 192.168.10.10 80 interface FastEthernet0/0 8095

    !

    access-list 150 permit ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255

    access-list 170 refuse ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255

    access-list 170 refuse ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255

    access-list 170 permit ip 192.168.10.0 0.0.0.255 any

    access-list 180 deny ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255

    access-list 180 permit ip 192.168.10.0 0.0.0.255 any

    not run cdp

    !

    !

    !

    route NAT allowed 10 map

    corresponds to the IP 180

    !

    !

    !

    control plan

    !

    exec banner ^ C

    WELCOME YOU ARE NOW LOGED IN

    ^ C

    connection of the banner ^ C

    WARNING!

    IF YOU ARE NOT:

    Didier Ribbens

    Please leave NOW!

    YOUR IP and MAC address will be LOGGED.

    ^ C

    !

    Line con 0

    Speed 115200

    line to 0

    line vty 0 4

    access-class 5

    privilege level 15

    Rotary 1

    transport input telnet ssh

    line vty 5 15

    access-class 5

    Rotary 1

    !

    Scheduler allocate 20000 1000

    end

    Didier,

    Some time ago, I wrote a bit on VT, you should be able to find information about the server ezvpn DVTI it.

    https://supportforums.Cisco.com/community/NetPro/security/VPN/blog/2010/12/08/advantages-of-VTI-configuration-for-IPSec-tunnels

    The configuartion you have right now is the way to strives for ezvpn, with the new way DMVPN (protection of tunnel).

    If it is true for the most part, it is best to go on the learning curve Moose and go everythign new configuration.

    With EZVPN you can always assign IP from the pool by group ezvpn or external authorization ;-)

    Anyway let me know if you face any problems.

    Marcin

  • Cisco Anyconnect VPN and IPSEC coexist on ASA 5520?

    Can a Cisco ASA 5520 which has been configured as IPSEC VPN gateway and also be configured as a gateway ANYCONNECT VPN and vpn IPSEC service anyconnect vpn clients clients maintenance at the same time? Any negative impact on the performance or any other problem that everyone knows?

    I guess that by 2 connection limit, you are referring to the 2 licenses for anyconnect?  You should consider using the anyconnect essentials license, which is relatively cheap (100-200 dollars I think) and will take you to the edge of the platform with anyocnnect.

    You shouldn't have any problem using IPSEC with LDAP client.  It is quite common - my company is IPSEC as Anyconnect off the coast of the same interface using authentication ldap (even same-group policy) for the two.

    -Jason

  • Router Cisco 1941 - crypto isakmp policy command missing - IPSEC VPN

    Hi all

    I was looking around and I can't find the command 'crypto isakmp policy' on this router Cisco 1941.  I wanted to just a regular Lan IPSEC to surprise and Lan installation tunnel, the command isn't here.  Have I not IOS bad? I thought that a picture of K9 would do the trick.

    Any suggestions are appreciated

    That's what I get:

    Router (config) #crypto?
    CA Certification Authority
    main activities key long-term
    public key PKI components

    SEE THE WORM

    Cisco IOS software, software C1900 (C1900-UNIVERSALK9-M), Version 15.0 (1) M2, VERSION of the SOFTWARE (fc2)
    Technical support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2010 by Cisco Systems, Inc.
    Updated Thursday, March 10, 10 22:27 by prod_rel_team

    ROM: System Bootstrap, Version 15.0 M6 (1r), RELEASE SOFTWARE (fc1)

    The availability of router is 52 minutes
    System returned to ROM by reload at 02:43:40 UTC Thursday, April 21, 2011
    System image file is "flash0:c1900 - universalk9-mz.» Spa. 150 - 1.M2.bin.
    Last reload type: normal charging
    Reload last reason: reload command

    This product contains cryptographic features...

    Cisco CISCO1941/K9 (revision 1.0) with 487424K / 36864K bytes of memory.
    Card processor ID FTX142281F4
    2 gigabit Ethernet interfaces
    2 interfaces Serial (sync/async)
    Configuration of DRAM is 64 bits wide with disabled parity.
    255K bytes of non-volatile configuration memory.
    254464K bytes of system CompactFlash ATA 0 (read/write)

    License info:

    License IDU:

    -------------------------------------------------
    Device SN # PID
    -------------------------------------------------
    * 0 FTX142281F4 CISCO1941/K9

    Technology for the Module package license information: "c1900".

    ----------------------------------------------------------------
    Technology-technology-package technology
    Course Type next reboot
    -----------------------------------------------------------------
    IPBase ipbasek9 ipbasek9 Permanent
    security, none none none
    given none none none

    Configuration register is 0 x 2102

    You need get the license of security feature to configure the IPSec VPN.

    Currently, you have 'none' for the security feature:

    ----------------------------------------------------------------
    Technology-technology-package technology
    Course Type next reboot
    -----------------------------------------------------------------
    IPBase ipbasek9 ipbasek9 Permanent
    security, none none none
    given none none none

    Here is the information about the licenses on router 1900 series:

    http://www.Cisco.com/en/us/partner/docs/routers/access/1900/hardware/installation/guide/Software_Licenses.html

  • Cisco VPN Client and Windows XP VPN Client IPSec to ASA

    I configured ASA for IPSec VPN via Cisco VPN Client and XP VPN client communications. I can connect successfully with Cisco VPN Client, but I get an error when connecting with the XP client. Debugging said "misconfigured groups and transport/tunneling mode" I know, they use different methods of transport and tunneling, and I think that I have configured both. Take a look at the config.

    PS a funny thing - when I connect with client VPN in Windows Server 2003, I have no error. The only difference is that client XP is behind an ADSL router and client server is directly connected to the Internet on one of its public IP of interfaces. NAT in the case of XP can cause problems?

    Config is:

    !

    interface GigabitEthernet0/2.30

    Description remote access

    VLAN 30

    nameif remote access

    security-level 0

    IP 85.*. *. 1 255.255.255.0

    !

    access-list 110 scope ip allow a whole

    NAT list extended access permit tcp any host 10.254.17.10 eq ssh

    NAT list extended access permit tcp any host 10.254.17.26 eq ssh

    access-list extended ip allowed any one sheep

    access list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh

    sheep-vpn access-list extended permits all ip 192.168.121.0 255.255.255.0

    tunnel of splitting allowed access list standard 192.168.121.0 255.255.255.0

    flow-export destination inside-Bct 192.168.1.27 9996

    IP local pool raccess 192.168.121.60 - 192.168.121.120 mask 255.255.255.0

    ARP timeout 14400

    global (outside-Baku) 1 interface

    global (outside-Ganja) interface 2

    NAT (inside-Bct) 0 access-list sheep-vpn

    NAT (inside-Bct) 1 access list nat

    NAT (inside-Bct) 2-nat-ganja access list

    Access-group rdp on interface outside-Ganja

    !

    Access remote 0.0.0.0 0.0.0.0 85.*. *. 1 2

    Route outside Baku 10.254.17.24 255.255.255.248 10.254.17.10 1

    Route outside Baku 192.1.1.0 255.255.255.0 10.254.17.10 1

    Outside-Baku route 192.168.39.0 255.255.255.0 10.254.17.10 1

    Route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1

    Route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1

    Route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1

    Route outside Baku 192.168.208.16 255.255.255.240 10.254.17.10 1

    Route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1

    dynamic-access-policy-registration DfltAccessPolicy

    Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT

    Crypto ipsec transform-set newset aes - esp esp-md5-hmac

    Crypto ipsec transform-set esp-3des esp-md5-hmac vpnclienttrans

    Crypto ipsec transform-set vpnclienttrans transport mode

    Crypto ipsec transform-set esp-3des esp-md5-hmac raccess

    life crypto ipsec security association seconds 214748364

    Crypto ipsec kilobytes of life security-association 214748364

    raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map

    vpnclientmap 30 card crypto ipsec-isakmp dynamic dyn1

    card crypto interface for remote access vpnclientmap

    crypto isakmp identity address

    ISAKMP crypto enable vpntest

    ISAKMP crypto enable outside-Baku

    ISAKMP crypto enable outside-Ganja

    crypto ISAKMP enable remote access

    ISAKMP crypto enable Interior-Bct

    crypto ISAKMP policy 30

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 86400

    No encryption isakmp nat-traversal

    No vpn-addr-assign aaa

    Telnet timeout 5

    SSH 192.168.1.0 255.255.255.192 outside Baku

    SSH 10.254.17.26 255.255.255.255 outside Baku

    SSH 10.254.17.18 255.255.255.255 outside Baku

    SSH 10.254.17.10 255.255.255.255 outside Baku

    SSH 10.254.17.26 255.255.255.255 outside-Ganja

    SSH 10.254.17.18 255.255.255.255 outside-Ganja

    SSH 10.254.17.10 255.255.255.255 outside-Ganja

    SSH 192.168.1.0 255.255.255.192 Interior-Bct

    internal vpn group policy

    attributes of vpn group policy

    value of DNS-server 192.168.1.3

    Protocol-tunnel-VPN IPSec l2tp ipsec

    Split-tunnel-policy tunnelspecified

    Split-tunnel-network-list value split tunnel

    BCT.AZ value by default-field

    attributes global-tunnel-group DefaultRAGroup

    raccess address pool

    Group-RADIUS authentication server

    Group Policy - by default-vpn

    IPSec-attributes tunnel-group DefaultRAGroup

    pre-shared-key *.

    Hello

    For the Cisco VPN client, you would need a tunnel-group name configured on the ASA with a pre-shared key.

    Please see configuration below:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml

    or

    http://tinyurl.com/5t67hd

    Please see the section of tunnel-group config of the SAA.

    There is a tunnel-group called "rtptacvpn" and a pre-shared key associated with it. This group name is used by the VPN Client Group name.

    So, you would need a specific tunnel-group name configured with a pre-shared key and use it on the Cisco VPN Client.

    Secondly, because you are behind a router ADSL, I'm sure that's configured for NAT. can you please activate NAT - T on your ASA.

    "crypto isakmp nat-traversal.

    Thirdly, change the transformation of the value

    raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map

    Let me know the result.

    Thank you

    Gilbert

  • Cisco 1941 hit crypto speed limit

    I have read the documentation about the 85Meg / 170 Meg limit on the SRI G2s

    As far as I know - this does NOT apply to the 1941.

    I have a 1941 with sec - k9 license, you can not buy a license of h - s for this device.

    "

    The SSEC-K9 license removes the reduction applied by the US Government on the encrypted tunnel and encrypted flow export restrictions. SSEC-K9 is available only on the Cisco 2921, 2951 Cisco, Cisco 3925, 3945 Cisco, Cisco 3925th and 3945TH Cisco.

    With the SSEC-K9 license, the ISR G2 router can go above the limit of the reduction of the maximum of 225 tunnels for IP (IPsec) security and the flow rate of 85 Mbps of one-way traffic in or out the ISR G2 router encrypted, with a total of 170 Mbps bidirectional / s.

    Cisco 1941 and 2901 2911 already have maximum encryption within the limits of export capabilities. The HSEC license requires pre-installed image of the universalk9 and the DRY license. »

    I took this means that '1941 and 2901 2911' must go faster than that?  It seems that they are limited to 85Mbit!

    MEL-4-TX_BW_LIMIT %: bandwidth limit Maximum Tx 85000 Kbps reached for the cryptographic functionality with technology securityk9 package license.

    MEL-4-TX_BW_LIMIT %: bandwidth limit Maximum Tx 85000 Kbps reached for the cryptographic functionality with technology securityk9 package license.

    Can anyone confirm if they got more than 85 Mbps out of one of these devices? FYI, I'm not nat'ing nothing - this is purely static device VTI.  Ive sent the packages using iPerf via this device @ 500 + Mbit.

    Well, you can communicate with Cisco and talk to them about your concerns about the text of this.  It would probably help others in the future also.

    Regarding this site selling the 1941 with license of k9 SSEC, according to me, is either a typo or that they do not know the product.

    According to this document the 1941 has the regular permit of K9 SEC available to her.

    1900

    CISCO1941-SEC/K9

    License of Cisco 1941 PAK, 256 MB of DRAM Security Bundle w/sec

     

    CISCO1941W-SEC/K9

    Cisco 1941W Security Bundle w/sec license PAK, 802.11a/b/g/n

    --

    Please do not forget to select a correct answer and rate useful posts

  • DRY 1941/licenses K9 IPSec Remote Access

    Hi all

    I had some difficulty trying to get a definitive answer on this and im hoping some can clear this up for me once and for all.

    On the ISR G2 1941 with SECURITY license on IOS 15 technology...

    1. Are ipsec VPN for remote access is supported?
    2. If so, do I buy any other feature of the licenses for the number of "seats"? (SSLVPN for example, even if I do not wish to use SSLVPN, only of the IPSec remote access)

    Short and sweet

    Thanks for all the help

    See you soon

    Shaun

    Security technology licenses is sufficient.

    Please refer to This Q & A , which States:

    Q. what bitrate County and the performance of the tunnel are available on the Cisco ISR G2 routers with SECK9 license?
    A. the SEC - K9 permanent licenses apply to the Cisco 1900, 2900 and 3900 ISR G2 platforms; These licenses limit all counts of tunnel encrypted to maximum of 225 tunnels for safety IP (IPsec), Secure Sockets Layer VPN (SSL VPN), a secure gateway of multiplexing (TDM) of distribution time and secure Cisco Unified border element (CUBE) and 1000 tunnels for sessions of the Transport Layer Security (TLS).
    The license of SEC - K9 limit flow to less than or equal to 85 Mbps traffic unidirectional or not the router ISR G2, with a total of 170 Mbps two-way encrypted. This requirement applies to the Cisco 1900, 2900 and 3900 ISR G2 platforms.

  • Newbie Help Needed: Cisco 1941 router site to site VPN traffic routing issue

    Hello

    Please I need help with a VPN site-to site, I installed a router Cisco 1941 and a VPN concentrator based on Linux (Sophos UTM).

    The VPN is established between them, but I can't say the cisco router to send and receive traffic through the tunnel.

    Please, what missing am me?

    A few exits:

    ISAKMP crypto to show her:

    isakmp crypto #show her

    IPv4 Crypto ISAKMP Security Association

    DST CBC conn-State id

    62.173.32.122 62.173.32.50 QM_IDLE 1045 ACTIVE

    IPv6 Crypto ISAKMP Security Association

    Crypto ipsec to show her:

    Interface: GigabitEthernet0/0

    Tag crypto map: QRIOSMAP, local addr 62.173.32.122

    protégé of the vrf: (none)

    local ident (addr, mask, prot, port): (192.168.20.0/255.255.255.0/0/0)

    Remote ident (addr, mask, prot, port): (192.168.2.0/255.255.255.0/0/0)

    current_peer 62.173.32.50 port 500

    LICENCE, flags is {origin_is_acl},

    #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

    #pkts decaps: 52, #pkts decrypt: 52, #pkts check: 52

    compressed #pkts: 0, unzipped #pkts: 0

    #pkts uncompressed: 0, #pkts compr. has failed: 0

    #pkts not unpacked: 0, #pkts decompress failed: 0

    Errors #send 0, #recv 0 errors

    local crypto endpt. : 62.173.32.122, remote Start crypto. : 62.173.32.50

    Path mtu 1500, mtu 1500 ip, ip mtu IDB GigabitEthernet0/0

    current outbound SPI: 0x4D7E4817 (1300121623)

    PFS (Y/N): Y, Diffie-Hellman group: group2

    SAS of the esp on arrival:

    SPI: 0xEACF9A (15388570)

    transform: esp-3des esp-md5-hmac.

    running parameters = {Tunnel}

    Conn ID: 2277, flow_id: VPN:277 on board, sibling_flags 80000046, crypto card: QRIOSMAP

    calendar of his: service life remaining (k/s) key: (4491222/1015)

    Size IV: 8 bytes

    support for replay detection: Y

    Status: ACTIVE

    Please see my config:

    crypto ISAKMP policy 1

    BA 3des

    md5 hash

    preshared authentication

    Group 2

    encryption... isakmp key address 62.X.X... 50

    ISAKMP crypto keepalive 10 periodicals

    !

    !

    Crypto ipsec transform-set esp-3des esp-md5-hmac TS-QRIOS

    !

    QRIOSMAP 10 ipsec-isakmp crypto map

    peer 62.X.X set... 50

    transformation-TS-QRIOS game

    PFS group2 Set

    match address 100

    !

    !

    !

    !

    !

    interface GigabitEthernet0/0

    Description WAN CONNECTION

    62.X.X IP... 124 255.255.255.248 secondary

    62.X.X IP... 123 255.255.255.248 secondary

    62.X.X IP... 122 255.255.255.248

    NAT outside IP

    IP virtual-reassembly in

    automatic duplex

    automatic speed

    card crypto QRIOSMAP

    !

    interface GigabitEthernet0/0.2

    !

    interface GigabitEthernet0/1

    LAN CONNECTION description $ES_LAN$

    address 192.168.20.1 255.255.255.0

    IP nat inside

    IP virtual-reassembly in

    automatic duplex

    automatic speed

    !

    IP nat pool mypool 62.X.X... ... Of 122 62.X.X 122 30 prefix length

    IP nat inside source list 1 pool mypool overload

    overload of IP nat inside source list 100 interface GigabitEthernet0/0

    !

    access-list 1 permit 192.168.20.0 0.0.0.255

    access-list 2 allow 10.2.0.0 0.0.0.255

    Note access-list 100 category QRIOSVPNTRAFFIC = 4

    Note access-list 100 IPSec rule

    access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255

    access-list 101 permit esp 62.X.X host... 50 62.X.X host... 122

    access list 101 permit udp host 62.X.X... 50 62.X.X... host isakmp EQ. 122

    access-list 101 permit ahp host 62.X.X... 50 62.X.X host... 122

    access-list 101 deny ip any any newspaper

    access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255

    access-list 110 permit ip 192.168.20.0 0.0.0.255 any

    !

    !

    !

    !

    sheep allowed 10 route map

    corresponds to the IP 110

    The parts of the configuration you posted seem better than earlier versions of the config. The initial problem was that traffic was not in the VPN tunnel. That works now?

    Here are the things I see in your config

    I don't understand the relationship of these 2 static routes by default. It identifies completely the next hop and a mask the bytes of Middleweight of the next hop. Sort of, it seems that they might be the same. But if they were the same, I don't understand why they both make their appearance in the config. Can provide you details?

    IP route 0.0.0.0 0.0.0.0 62.X.X... 121

    IP route 0.0.0.0 0.0.0.0 62.172.32.121

    This static route implies that there is another network (10.2.0/24) connected through the LAN. But there is no other reference to it and especially not for this translation. So I wonder how it works?

    IP route 10.2.0.0 255.255.255.0 192.168.20.2

    In this pair of static routes, the second route is a specific subnet more and would be included in the first and routes for the next of the same break. So I wonder why they are there are. There is not necessarily a problem, but is perhaps something that could be cleaned up.

    IP route 172.17.0.0 255.255.0.0 Tunnel20

    IP route 172.17.2.0 255.255.255.0 Tunnel20

    And these 2 static routes are similar. The second is a more precise indication and would be included in the first. And it is referred to the same next hop. So why have the other?

    IP route 172.18.0.0 255.255.0.0 Tunnel20

    IP route 172.18.0.0 Tunnel20 255.255.255.252

    HTH

    Rick

  • DMVPN without IPsec

    Hi all

    Is the operation of DMVPN without IPsec configuration supported?

    I'm testing it right now and hubs are losing conncetivity to rays. I wonder if it is because of not using IPsec.

    Anyone tried this?

    Attila

    I guess you meant PNDH. If so look at the http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080435815.html

  • DMVPN and VRF Lite

    Someone at - it an example of use of several networks DMVPN and VRF (no MPLS) interfaces

    I have a requirment to use a common link to transmit three talking about networks isolated to the Hub as encrypted data. It could be VTI doesn't bother me, but I can't use MPLS.

    Thank you

    Hello

    "back in the day", I made this config:

    of http://isamology.blogspot.com/2010/01/IPSec-and-vrfs-so-who-faire-vrf.html

    But normally, I guess you've seen this:
    http://www.Cisco.com/en/us/prod/collateral/iosswrel/ps6537/ps6586/ps6660/prod_white_paper0900aecd8034be03_ps6658_Products_White_Paper.html

    Same principles apply to the VRF lite little matter DMVPN/VTI/GREoIPsec configuration.

    tunnel vrf VRF door =

    IP vrf forwarding = inside the VRF

    Now, if you add the cheat of Nico (for isakmp profiles) sheet especially if necessary, you should be all set.

    https://supportforums.Cisco.com/docs/doc-13524

    Marcin

  • Help to configure the router Cisco 1941

    Help!

    I just bought a router cisco 1941, I understand, it came with the Cisco CP, but I don't know how get you to the part where I can use it.

    Also, how can I connect to the router directly without using the HyperTerminal console, all I want to be able to do is configure the address IP of the ISP and my IP address so I can use it for surfing the internet.

    Help, please.

    Hello

    Thanks for the screenshots and show the output! You will need a few lines of command for CCP to work:

    Configure the terminal

    username username privilege 15 secret PASSWORD

    IP http server

    local IP authentication

    Sent by Cisco Support technique iPad App

  • Cisco 1941: no risk in "ip Routing" or "ip cef" for NetFlow when bypass

    Hello

    It's on a router Cisco 1941.  version 15.1 ipv4 only.

    I would like to enable Netflow v9 for use with PRTG bandwidth monitoring.

    I tried the instructions at http://kb.paessler.com/en/topic/563-do-you-have-any-configuration-tips-for-cisco-routers-and-prtg and the first step fails because I

    no ip Routing
    No cef

    in my running-config.  More precisely, this

     interface GigabitEthernet 0/1 ip route-cache flow exit 

    fails with the error message "ip Routing not enabled."

    I have read conflicting information on the question if I need to change one or both of these lines.  And I have enough to http://www.cisco.com/c/en/us/td/docs/ios/15_1/release/notes/15_1m_and_t/151-4MCAVS.html afraid to try just scanned.

    I hope that's enough of my config for someone to give some useful information.  Note the BYPASS.

    interface GigabitEthernet0/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip route-cache
     load-interval 30
     duplex auto
     speed auto
     no cdp enable
     no mop enabled
     bridge-group 1
     bridge-group 1 spanning-disabled
    !
    interface GigabitEthernet0/1
     bandwidth 10000
     ip address 201.201.201.51 255.255.255.0
     ip access-group 110 in
     ip access-group 120 out
     no ip redirects
     no ip unreachables
     no ip route-cache
     load-interval 30
     duplex auto
     speed 10
     no cdp enable
     bridge-group 1
     bridge-group 1 spanning-disabled
    !
    ip default-gateway 201.201.201.1
    ip forward-protocol nd
    !
    no ip http server
    no ip http secure-server
    ip flow-export version 9
    ip flow-export destination 201.201.201.89 9991

    Looking forward to comments from a person with experience, do something similar.

    Thank you.

    We do not know anything about your environment or why you decided to activate ip Routing and fill. But there is probably a reason why you did that.

    The importance of this is that NetFlow data are generated as part of the routing decisions. And you prevent your router to make routing decisions as you have disabled ip Routing. So I don't see anyway that you can get this router NetFlow, as long you have disabled ip Routing.

    HTH

    Rick

  • On DMVPNs selective IPSec encryption

    Hello

    I have a DMVPN with two rays on a MPLS-L3-IPVPN network. IPSec over GRE profiles using crypto. Works very well. Now, he only need to encrypt all traffic except EF DSCP. Tried with the help of ACB defining IP-Next Hop for EF-packages and just normal dug routing for all other types of traffic.

    My question is, I know cryptographic cards that use ACLs can selectively encrypt traffic through the IPSec/GRE tunnels. Cryptographic profiles don't seem to have this feature. Is there another way to do this?

    A snip Config by couple spoke it as below.

    ===============

    interface GigabitEthernet0/0.1
    DESC LAN i / f
    IP 10.10.10.1 255.255.255.0
    political intellectual property map route ACB

    interface Tunnel100
    IP 172.16.254.13 255.255.254.0
    no ip redirection
    property intellectual PNDH card 172.16.254.1 103.106.169.10
    map of PNDH IP multicast 103.106.169.10
    PNDH network IP-1 id
    property intellectual PNDH nhs 172.16.254.1
    property intellectual shortened PNDH
    KeepAlive 10 3
    source of tunnel GigabitEthernet0/1.401
    multipoint gre tunnel mode
    key 1 tunnel
    Profile of tunnel DMVPN-Crypto ipsec protection
    end

    GIE Router 1
    no car
    NET 172.16.254.0 0.0.1.255
    EIGRP log-neighbor-warnings
    EIGRP log-neighbor-changes
    ! - router id
    NET 10.10.10.0 0.0.0.255

    ACB allowed 10 route map
    ACB match ip address
    IP 11.2.100.2 jump according to the value
    !
    ACB allowed 20 route map

    ACB extended IP access list
    permit icmp host 10.10.10.5 host 15.1.1.1 dscp ef
    allow icmp host 10.10.10.5 host 15.1.1.1 dscp 41
    deny ip any any newspaper

    ===============

    Note: the routing table contains only a default route learned via EIGRP. Thus, if the ACB 10 past, policy would transmit to the Next-hop (PE). Or would otherwise use 0/0 and route thro' the tunnel.

    Thanks in advance!

    See you soon
    Aravind

    With DMVPN, no.  You will need to return to the use of just cryptographic cards, only using access lists to control what is and is not encrypted.

    If the "EF" traffic was dedicated VoIP subnets so you would have more options, you can choose everything just don't not to route these subnets above the Tunnel.

  • Problem Cisco 2811 with L2TP IPsec VPN

    Hello. Sorry for my English. Help me please. I have problem with L2TP over IPsec VPN when I connect with Android phones. Even if I connect with laptop computers. I have Cisco 2811 - Cisco IOS software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4 (2) T2, (fc3) SOFTWARE VERSION. I configured on L2TP over IPsec VPN with Radius Authentication

    My config:

    !
    AAA new-model
    !
    !
    AAA authentication login default local
    Ray of AAA for authentication ppp default local group
    AAA authorization network default authenticated if
    start-stop radius group AAA accounting network L2TP_RADIUS

    !
    dhcp L2tp IP pool
    network 192.168.100.0 255.255.255.0
    default router 192.168.100.1
    domain.local domain name
    192.168.101.12 DNS server
    18c0.a865.c0a8.6401 hexagonal option 121
    18c0.a865.c0a8.6401 hexagonal option 249

    VPDN enable
    !
    VPDN-group sec_groupe
    ! Default L2TP VPDN group
    accept-dialin
    L2tp Protocol
    virtual-model 1
    no authentication of l2tp tunnel

    session of crypto consignment
    !
    crypto ISAKMP policy 5
    BA 3des
    preshared authentication
    Group 2
    !
    crypto ISAKMP policy 55
    BA 3des
    md5 hash
    preshared authentication
    Group 2

    ISAKMP crypto key... address 0.0.0.0 0.0.0.0
    invalid-spi-recovery crypto ISAKMP
    ISAKMP crypto keepalive 10 periodicals
    !
    life crypto ipsec security association seconds 28000
    !
    Crypto ipsec transform-set esp-3des esp-sha-hmac L2TP
    transport mode
    Crypto ipsec transform-set esp-3des esp-md5-hmac 3DESMD5
    need transport mode
    !

    !
    !
    crypto dynamic-map DYN - map 10
    Set nat demux
    game of transformation-L2TP
    !
    !
    Crypto map 10 L2TP-VPN ipsec-isakmp dynamic DYN-map

    interface Loopback1
    Description * L2TP GateWay *.
    IP 192.168.100.1 address 255.255.255.255

    interface FastEthernet0/0
    Description * Internet *.
    address IP 95.6... 255.255.255.248
    IP access-group allow-in-of-wan in
    IP access-group allows-off-of-wan on
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    NAT outside IP
    IP virtual-reassembly
    IP route cache policy
    automatic duplex
    automatic speed
    L2TP-VPN crypto card
    !

    interface virtual-Template1
    Description * PPTP *.
    IP unnumbered Loopback1
    IP access-group L2TP_VPN_IN in
    AutoDetect encapsulation ppp
    default IP address dhcp-pool L2tp peer
    No keepalive
    PPP mtu Adaptive
    PPP encryption mppe auto
    PPP authentication ms-chap-v2 callin
    PPP accounting L2TP_RADIUS

    L2TP_VPN_IN extended IP access list
    permit any any icmp echo
    IP 192.168.100.0 allow 0.0.0.255 192.168.101.0 0.0.0.255
    IP 192.168.100.0 allow 0.0.0.255 192.168.3.0 0.0.0.255
    allow udp any any eq bootps
    allow udp any any eq bootpc
    deny ip any any journal entry

    RADIUS-server host 192.168.101.15 auth-port 1812 acct-port 1813
    RADIUS server retry method reorganize
    RADIUS server retransmit 2
    Server RADIUS 7 key...

    Debugging shows me

    234195: * 3 Feb 18:53:38: ISAKMP (0:0): received 93.73.161.229 packet dport 500 sport 500 SA NEW Global (N)
    234196: * 3 Feb 18:53:38: ISAKMP: created a struct peer 93.73.161.229, peer port 500
    234197: * 3 Feb 18:53:38: ISAKMP: new position created post = 0x47D305BC peer_handle = 0x80007C5F
    234198: * 3 Feb 18:53:38: ISAKMP: lock struct 0x47D305BC, refcount 1 to peer crypto_isakmp_process_block
    234199: * 3 Feb 18:53:38: ISAKMP: 500 local port, remote port 500
    234200: * 3 Feb 18:53:38: insert his with his 480CFF64 = success
    234201: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    234202: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM1
    234203: * 3 Feb 18:53:38: ISAKMP: (0): treatment ITS payload. Message ID = 0
    234204: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
    234205: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    234206: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
    234207: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
    234208: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
    234209: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
    234210: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is NAT - T v2
    234211: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
    234212: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
    234213: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
    234214: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
    234215: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
    234216: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is DPD
    234217: * 3 Feb 18:53:38: ISAKMP: (0): looking for a key corresponding to 93.73.161.229 in default
    234218: * 3 Feb 18:53:38: ISAKMP: (0): success
    234219: * 3 Feb 18:53:38: ISAKMP: (0): pair found pre-shared key matching 93.73.161.229
    234220: * 3 Feb 18:53:38: ISAKMP: (0): pre-shared key local found
    234221: * 3 Feb 18:53:38: ISAKMP: analysis of the profiles for xauth...
    234222: * 3 Feb 18:53:38: ISAKMP: (0): audit ISAKMP transform 1 against policy priority 5
    234223: * 3 Feb 18:53:38: ISAKMP: type of life in seconds
    234224: * 3 Feb 18:53:38: ISAKMP: life (basic) of 28800
    234225: * 3 Feb 18:53:38: ISAKMP: 3DES-CBC encryption
    234226: * 3 Feb 18:53:38: ISAKMP: pre-shared key auth
    234227: * 3 Feb 18:53:38: ISAKMP: SHA hash
    234228: * 3 Feb 18:53:38: ISAKMP: group by default 2
    234229: * 3 Feb 18:53:38: ISAKMP: (0): atts are acceptable. Next payload is 3
    234230: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
    234231: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    234232: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
    234233: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
    234234: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
    234235: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
    234236: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is NAT - T v2
    234237: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
    234238: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
    234239: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
    234240: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
    234241: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
    234242: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is DPD
    234243: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    234244: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1

    234245: * 3 Feb 18:53:38: ISAKMP: (0): built the seller-02 ID NAT - t
    234246: * 3 Feb 18:53:38: ISAKMP: (0): lot of 93.73.161.229 sending my_port 500 peer_port 500 (R) MM_SA_SETUP
    234247: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    234248: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM2

    234249: * 3 Feb 18:53:38: ISAKMP (0:0): received 93.73.161.229 packet 500 Global 500 (R) sport dport MM_SA_SETUP
    234250: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    234251: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM2 = IKE_R_MM3

    234252: * 3 Feb 18:53:38: ISAKMP: (0): processing KE payload. Message ID = 0
    234253: * 3 Feb 18:53:38: crypto_engine: create DH shared secret
    234254: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_DH_SHARE_SECRET (hw) (ipsec)
    234255: * 3 Feb 18:53:38: ISAKMP: (0): processing NONCE payload. Message ID = 0
    234256: * 3 Feb 18:53:38: ISAKMP: (0): looking for a key corresponding to 93.73.161.229 in default
    234257: * 3 Feb 18:53:38: ISAKMP: (0): success
    234258: * 3 Feb 18:53:38: ISAKMP: (0): pair found pre-shared key matching 93.73.161.229
    234259: * 3 Feb 18:53:38: crypto_engine: create IKE SA
    234260: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_SA_CREATE (hw) (ipsec)
    234261: * 3 Feb 18:53:38: ISAKMP: receives the payload type 20
    234262: * 3 Feb 18:53:38: ISAKMP: receives the payload type 20
    234263: * 3 Feb 18:53:38: ISAKMP (0:5912): NAT found, the node outside NAT
    234264: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    234265: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM3 = IKE_R_MM3

    234266: * 3 Feb 18:53:38: ISAKMP: (5912): lot of 93.73.161.229 sending my_port 500 peer_port 500 (R) MM_KEY_EXCH
    234267: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    234268: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM3 = IKE_R_MM4

    234269: * 3 Feb 18:53:38: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) MM_KEY_EXCH sport
    234270: * 3 Feb 18:53:38: crypto_engine: package to decipher IKE
    234271: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
    234272: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    234273: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM4 = IKE_R_MM5

    234274: * 3 Feb 18:53:38: ISAKMP: (5912): payload ID for treatment. Message ID = 0
    234275: * 3 Feb 18:53:38: ISAKMP (0:5912): payload ID
    next payload: 8
    type: 1
    address: 192.168.1.218
    Protocol: 17
    Port: 500
    Length: 12
    234276: * 3 Feb 18:53:38: ISAKMP: (5912): peer games * no * profiles
    234277: * 3 Feb 18:53:38: ISAKMP: (5912): HASH payload processing. Message ID = 0
    234278: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
    234279: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
    234280: * 3 Feb 18:53:38: ISAKMP: (5912): SA authentication status:
    authenticated
    234281: * 3 Feb 18:53:38: ISAKMP: (5912): SA has been authenticated with 93.73.161.229
    234282: * 3 Feb 18:53:38: ISAKMP: (5912): port detected floating port = 4500
    234283: * 3 Feb 18:53:38: ISAKMP: attempts to insert a peer and inserted 95.6.../93.73.161.229/4500/ 47D305BC successfully.
    234284: * 3 Feb 18:53:38: ISAKMP: (5912): IKE_DPD is enabled, the initialization of timers
    234285: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    234286: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM5 = IKE_R_MM5

    234287: * 3 Feb 18:53:38: ISAKMP: (5912): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
    234288: * 3 Feb 18:53:38: ISAKMP (0:5912): payload ID
    next payload: 8
    type: 1
    address: 95.6...
    Protocol: 17
    Port: 0
    Length: 12
    234289: * 3 Feb 18:53:38: ISAKMP: (5912): the total payload length: 12
    234290: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
    234291: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
    234292: * 3 Feb 18:53:38: crypto_engine: package to encrypt IKE
    routerindc #.
    234293: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT (hw) (ipsec)
    234294: * 3 Feb 18:53:38: ISAKMP: (5912): lot of 93.73.161.229 sending peer_port my_port 4500 4500 (R) MM_KEY_EXCH
    234295: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    234296: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE

    234297: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    234298: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

    234299: * 3 Feb 18:53:38: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
    234300: * 3 Feb 18:53:38: ISAKMP: node set-893966165 to QM_IDLE
    234301: * 3 Feb 18:53:38: crypto_engine: package to decipher IKE
    234302: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
    234303: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
    234304: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
    234305: * 3 Feb 18:53:38: ISAKMP: (5912): HASH payload processing. Message ID =-893966165
    234306: * 3 Feb 18:53:38: ISAKMP: (5912): treatment protocol NOTIFIER INITIAL_CONTACT 1
    SPI 0, message ID =-893966165, his 480CFF64 =
    234307: * 3 Feb 18:53:38: ISAKMP: (5912): SA authentication status:
    authenticated
    234308: * 3 Feb 18:53:38: ISAKMP: (5912): process of first contact.
    dropping existing phase 1 and 2 with 95.6 local... 93.73.161.229 remote remote port 4500
    234309: * 3 Feb 18:53:38: ISAKMP: (5912): node-893966165 error suppression FALSE reason 'informational (en) State 1.
    234310: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    234311: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

    234312: * 3 Feb 18:53:38: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
    234313: * 3 Feb 18:53:39: % s-6-IPACCESSLOGRL: registration of limited or missed rates 150 packages of access list
    234314: * 3 Feb 18:53:39: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
    234315: * 3 Feb 18:53:39: ISAKMP: node set-1224389198 to QM_IDLE
    234316: * 3 Feb 18:53:39: crypto_engine: package to decipher IKE
    234317: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
    234318: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
    234319: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
    234320: * 3 Feb 18:53:39: ISAKMP: (5912): HASH payload processing. Message ID =-1224389198
    234321: * 3 Feb 18:53:39: ISAKMP: (5912): treatment ITS payload. Message ID =-1224389198
    234322: * 3 Feb 18:53:39: ISAKMP: (5912): proposal of IPSec checking 1
    234323: * 3 Feb 18:53:39: ISAKMP: turn 1, ESP_3DES
    234324: * 3 Feb 18:53:39: ISAKMP: attributes of transformation:
    234325: * 3 Feb 18:53:39: ISAKMP: type of life in seconds
    234326: * 3 Feb 18:53:39: ISAKMP: life of HIS (basic) of 28800
    234327: * 3 Feb 18:53:39: ISAKMP: program is 61444 (Transport-UDP)
    234328: * 3 Feb 18:53:39: ISAKMP: authenticator is HMAC-SHA
    234329: * 3 Feb 18:53:39: CryptoEngine0: validate the proposal
    234330: * 3 Feb 18:53:39: ISAKMP: (5912): atts are acceptable.
    234331: * 3 Feb 18:53:39: IPSEC (validate_proposal_request): part #1 of the proposal
    (Eng. msg key.) Local INCOMING = 95.6..., distance = 93.73.161.229,.
    local_proxy = 95.6.../255.255.255.255/17/1701 (type = 1),
    remote_proxy = 93.73.161.229/255.255.255.255/17/0 (type = 1),
    Protocol = ESP, transform = esp-3des esp-sha-hmac (UDP Transport),
    lifedur = 0 and 0kb in
    SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
    234332: * 3 Feb 18:53:39: map_db_find_best found no corresponding card
    234333: * 3 Feb 18:53:39: ISAKMP: (5912): processing NONCE payload. Message ID =-1224389198
    234334: * 3 Feb 18:53:39: ISAKMP: (5912): payload ID for treatment. Message ID =-1224389198
    234335: * 3 Feb 18:53:39: ISAKMP: (5912): payload ID for treatment. Message ID =-1224389198
    234336: * 3 Feb 18:53:39: ISAKMP: (5912): ask 1 spis of ipsec
    234337: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    234338: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_READY = IKE_QM_SPI_STARVE
    234339: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
    234340: * 3 Feb 18:53:39: IPSEC (spi_response): spi getting 834762579 for SA
    of 95.6... to 93.73.161.229 for prot 3
    234341: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
    234342: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
    234343: * 3 Feb 18:53:39: crypto_engine: create Security Association IPSec (by QM)
    routerindc #.
    234344: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE (hw) (ipsec)
    234345: * 3 Feb 18:53:39: crypto_engine: create Security Association IPSec (by QM)
    234346: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE (hw) (ipsec)
    234347: * 3 Feb 18:53:39: ISAKMP: (5912): establishing IPSec security associations
    234348: * 3 Feb 18:53:39: from 93.73.161.229 to 95.6 SA... (f / i) 0 / 0
    (93.73.161.229 to 95.6 proxy...)
    234349: * 3 Feb 18:53:39: spi 0x31C17753 and id_conn a 0
    234350: * 3 Feb 18:53:39: life of 28800 seconds
    234351: * 3 Feb 18:53:39: ITS 95.6 outgoing... to 93.73.161.229 (f / i) 0/0
    (proxy 95.6... to 93.73.161.229)
    234352: * 3 Feb 18:53:39: spi 0x495A4BD and id_conn a 0
    234353: * 3 Feb 18:53:39: life of 28800 seconds
    234354: * 3 Feb 18:53:39: crypto_engine: package to encrypt IKE
    234355: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT (hw) (ipsec)
    234356: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
    234357: * 3 Feb 18:53:39: map_db_find_best found no corresponding card
    234358: * 3 Feb 18:53:39: IPSec: rate allocated for brother 80000273 Flow_switching
    234359: * 3 Feb 18:53:39: IPSEC (policy_db_add_ident): 95.6..., src dest 93.73.161.229, dest_port 4500

    234360: * 3 Feb 18:53:39: IPSEC (create_sa): its created.
    (his) sa_dest = 95.6..., sa_proto = 50.
    sa_spi = 0x31C17753 (834762579).
    sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 1165
    234361: * 3 Feb 18:53:39: IPSEC (create_sa): its created.
    (his) sa_dest = 93.73.161.229, sa_proto = 50,.
    sa_spi = 0x495A4BD (76915901).
    sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 1166
    234362: * 3 Feb 18:53:39: ISAKMP: (5912): lot of 93.73.161.229 sending peer_port my_port 4500 4500 (R) QM_IDLE
    234363: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
    234364: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_SPI_STARVE = IKE_QM_R_QM2
    234365: * 3 Feb 18:53:39: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
    234366: * 3 Feb 18:53:39: crypto_engine: package to decipher IKE
    234367: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
    234368: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
    234369: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
    routerindc #.
    234370: * 3 Feb 18:53:39: ISAKMP: (5912): node-1224389198 error suppression FALSE reason 'QM (wait).
    234371: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    234372: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
    234373: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
    234374: * 3 Feb 18:53:39: IPSEC (key_engine_enable_outbound): rec would notify of ISAKMP
    234375: * 3 Feb 18:53:39: IPSEC (key_engine_enable_outbound): select SA with spinnaker 76915901/50
    234376: * 3 Feb 18:53:40: IPSEC (epa_des_crypt): decrypted packet has no control of her identity
    routerindc #.
    234377: * 3 Feb 18:53:42: IPSEC (epa_des_crypt): decrypted packet has no control of her identity
    routerindc #.
    234378: * 3 Feb 18:53:44: IPSEC (epa_des_crypt): decrypted packet has no control of her identity

    Also when I connect with the phone, I see HIS Active and IPsec tunnel is mounted, but the wire of time tunnel is down and phone connects.

    I hope that you will help me. Thank you.

    Hi dvecherkin1,

    Who IOS you're running, you could hit the next default.

    https://Tools.Cisco.com/bugsearch/bug/CSCsg34166/?reffering_site=dumpcr

    It may be useful

    -Randy-

    Evaluate the ticket to help others find the answer quickly.

  • Policy Nat and IPSec tunnel

    Hello

    I have a Cisco IOS router and you want to configure an IPSec tunnel between myself and the client.  Unfortunately, we have two overlapping of 10 network IP addresses.

    Is it possible for me to just Nat addresses IP on my side or should the customer Nat as well?

    I have configured NAT on the inside of the interface for 10.134.206.1 to 192.168.156.6 so that Nat happens before that packages are encrypted in the tunnel, however tunnel is not coming.    The client uses a sonic firewall and allowed their 10.91.0.0/16 network 192.168.156.0/24.

    See attachment

    Kind regards

    They are wrong to installation.  Remote local networks are not 10.134.206.0 and 10.134.206/42.  It is simply your public IP address.

Maybe you are looking for