VPN configuration - IKE phase 1

I have some confusion about the VPN configuration. On my ASA the IKE phase 1 settings below are already configured.

crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 9
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20

Last week I configured a new L2L VPN. For the IPsec phase I added the lines below:

crypto map toremote 20 match address remotevpn2
crypto map toremote 20 set peer x.x.x.x
crypto map toremote 20 set transform-set strong
crypto map toremote 20 set security-association lifetime seconds 28800

Now my question is: the crypto map sequence number 20 does not match any of the IKE phase 1 policy sequence numbers (1, 9, 10, 30) that are already configured, but the VPN is up and working fine. How does it associate a particular IKE phase 1 policy with the IPsec phase?

If I want to configure a new VPN with different IKE phase 1 parameters, like 3DES, SHA1, lifetime 86400, what configuration do I have to do in IKE phase 1?

Kind regards

SOM

The ISAKMP policy number and the IPsec (crypto map) sequence number do not have to match, either on your ASA or with the other end. They are two distinct phases of negotiation. The ASA compares your policies against the other end's, starting with the lowest-numbered policy, until a match is found.

I usually put the safer policies first (i.e. with the lowest policy number).

To create a new policy, just add it with a new policy number, anywhere you want in the order.
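The selection rule the answer describes, as an added example that is not part of the thread: a model of how an IKEv1 responder picks a phase 1 policy. Local policies are tried in ascending sequence number and the first one whose encryption, hash, authentication and DH group match a proposal from the peer wins; the shorter of the two lifetimes is used. The crypto map sequence number is not an input at all. The four policies are the ones from the question (with "encryption des" as the cipher); the peer proposals and the new policy 5 are assumed values.

```python
"""Added example: IKEv1 phase 1 policy selection, modelled on the ASA rule
"lowest-numbered local policy that matches any peer proposal wins"."""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class IsakmpPolicy:
    seq: int
    encryption: str
    hash_alg: str
    auth: str
    group: int
    lifetime: int

    def suite(self):
        return (self.encryption, self.hash_alg, self.auth, self.group)


# The four policies from the question (sequence numbers 1, 9, 10, 30)
LOCAL_POLICIES = [
    IsakmpPolicy(1, "des", "sha", "pre-share", 2, 43200),
    IsakmpPolicy(9, "des", "md5", "pre-share", 1, 86400),
    IsakmpPolicy(10, "des", "sha", "pre-share", 2, 86400),
    IsakmpPolicy(30, "des", "md5", "pre-share", 2, 86400),
]

# Parameters a reviewer would flag today; a peer can reach any policy that uses them
WEAK = {"des", "md5", "group1"}


def negotiate(local: List[IsakmpPolicy],
              proposals: List[IsakmpPolicy]) -> Optional[IsakmpPolicy]:
    """First local policy (lowest seq) whose suite matches any peer proposal, or None.
    The crypto map sequence number is deliberately not a parameter."""
    for mine in sorted(local, key=lambda p: p.seq):
        for theirs in proposals:
            if mine.suite() == theirs.suite():
                # Cisco uses the shorter of the two lifetimes
                return replace(mine, lifetime=min(mine.lifetime, theirs.lifetime))
    return None


def weak_parameters(policy: IsakmpPolicy) -> List[str]:
    """Which of a policy's parameters fall in WEAK (empty list means none)."""
    params = (policy.encryption, policy.hash_alg, f"group{policy.group}")
    return sorted(p for p in params if p in WEAK)


def asa_policy_lines(policy: IsakmpPolicy) -> List[str]:
    """ASA CLI to add a policy; the sequence number only sets its priority."""
    return [
        f"crypto isakmp policy {policy.seq}",
        f" authentication {policy.auth}",
        f" encryption {policy.encryption}",
        f" hash {policy.hash_alg}",
        f" group {policy.group}",
        f" lifetime {policy.lifetime}",
    ]


# Assumed: the new peer proposes only 3DES/SHA1/group 2/86400
NEW_PEER_PROPOSAL = [IsakmpPolicy(0, "3des", "sha", "pre-share", 2, 86400)]
# Policy 5 sorts before the existing ones, so the new peer matches it first
POLICY_5 = IsakmpPolicy(5, "3des", "sha", "pre-share", 2, 86400)


def demo() -> dict:
    """Three peers against the question's policies, before and after adding policy 5."""
    existing_peer = [IsakmpPolicy(0, "des", "sha", "pre-share", 2, 86400)]
    weakest_peer = [IsakmpPolicy(0, "des", "md5", "pre-share", 1, 86400)]
    return {
        "existing_peer": negotiate(LOCAL_POLICIES, existing_peer),
        "weakest_peer": negotiate(LOCAL_POLICIES, weakest_peer),
        "new_peer_before": negotiate(LOCAL_POLICIES, NEW_PEER_PROPOSAL),
        "new_peer_after": negotiate(LOCAL_POLICIES + [POLICY_5], NEW_PEER_PROPOSAL),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
    print("\n".join(asa_policy_lines(POLICY_5)))
```

The "weakest_peer" case is the caveat worth noticing: a peer that offers only DES/MD5/group 1 still gets a tunnel, because policy 9 is reachable. Putting the strongest policy first only matters when the peer offers several suites; it does not stop a peer from landing on the weakest policy you leave configured.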

Tags: Cisco Security

Similar Questions

  • ASDM IKE Phase 2 parameters

    Hello.

    I am setting up the site-to-site VPN part and cannot find the IKE Phase 1 settings in ASDM. Can someone tell me where I can find the Phase 2 settings? Thank you.

    If that is the case, on ASDM 6.3 and above you can use the link below to verify:

    Go to the Configuration > VPN Site to Site > advanced > Crypto Maps pane.

    http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a0080b9b90a.shtml#asdmconfig

  • Ports used in IKE Phase 1

    Hello world

    I need to confirm that IKE Phase 1

    uses port UDP 500,

    and that IKE Phase 2 uses:

    ESP - 50
    NAT-T - UDP 4500
    TCP - 1000

    Regards

    Mahesh

    IKE phase 1 (main mode/aggressive mode) is UDP src and dst 500.

    IKE phase 2 could be:

    • IP protocol 50 (ESP)
    • NAT-T is UDP src (client) ephemeral, dst (server) UDP 4500
    • In older VPN clients TCP encapsulation was TCP src (client) ephemeral, dst (server) TCP 10000 (10,000 in US notation, 10.000 in most other countries)
  • Pre shared keys used in IKE Phase 1

    Hello world

    Need to confirm whether we use pre-shared keys during IKE Phase 1 in both main mode and aggressive mode.

    Regards

    Mahesh

    The pre-shared key is used in both modes of IKE Phase 1. With pre-shared keys, the same pre-shared key is configured on each IPsec peer. IKE peers authenticate each other by computing and sending a keyed hash of data that includes the pre-shared key.

  • Understanding, IKE Phase I and II

    Hi, I have been through the concept many times, but what confuses me is how the encryption algorithm and the DH key go hand in hand in IKE phase II. I understand that phase I authenticates the VPN peers and negotiates the ISAKMP policy, which includes the Diffie-Hellman exchange and a symmetric encryption algorithm, e.g. DES or 3DES. What I don't understand is what the Diffie-Hellman exchange (key derived from the public/private function) is used for, if the IKE phase 2 exchange is already encrypted with DES/3DES/AES.

    Also, if I do not use PFS in Phase II, would I be using the same DH key derived at the time of Phase I, and if so, is that secure enough?

    Another question: when the peers authenticate each other and then the IKE phase I policies are exchanged, does that happen in clear text?

    Could someone please explain the process step by step in the two phases, focusing precisely on the Diffie-Hellman exchange and how it is used with the encryption algorithms.

    Regards

    Sonu

    Sonu,

    It looks like you want to go back to the RFC and take a peek. We also have a series of documents explaining IKEv1 that goes along with debugging.

    What you are missing is that in IKEv1 (main mode) messages 5 and 6 are already encrypted, while the previous ones, including the Diffie-Hellman exchange, are not.

    MM5 and MM6 are where we exchange identities. Those must be protected, hence the DH exchange before them.

    Phase 2 is a separate exchange protected with the result of phase 1. The role of DH in phase 2 is to ensure that the encryption keys are not derived from previous key material.

    Start here:

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_tech_note09186a0080094203.shtml

    http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a0080bce100.shtml

    https://supportforums.Cisco.com/docs/doc-18522

    M.
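The derivation both of the last two answers describe (the pre-shared key thread and this one), as an added example that is not part of either thread: IKEv1 key derivation with pre-shared-key authentication, following RFC 2409 section 5. It shows that SKEYID is a keyed hash over data that includes the PSK, that the DH secret g^xy feeds the phase 1 keys, that HASH_I/HASH_R in MM5/MM6 prove knowledge of the PSK, and that phase 2 keys derive from SKEYID_d unless PFS mixes in a fresh DH secret. P and G form a toy DH group chosen for speed, not a real IKE group; nonces, cookies, SA payload, SPI and identities are constructed values.

```python
"""Added example: RFC 2409 IKEv1 key derivation with PSK authentication.
Toy DH group; every nonce, cookie, SA payload and ID below is constructed."""
import hashlib
import hmac
import secrets
from typing import Optional

P = 2**61 - 1   # toy modulus (assumption for the example; group 2 is 1024-bit MODP)
G = 3


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf is HMAC with the negotiated hash ("hash sha" in the policy)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def ib(n: int) -> bytes:
    return n.to_bytes(8, "big")


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    return prf(psk, ni + nr)                     # SKEYID = prf(PSK, Ni_b | Nr_b)


def phase1_keys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")       # SKEYID_d: seeds phase 2
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")   # SKEYID_a: integrity
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")   # SKEYID_e: encrypts MM5/MM6
    return d, a, e


def auth_hash(skeyid, gx_self, gx_peer, cky_self, cky_peer, sa_i, id_self):
    """HASH_I or HASH_R: prf keyed with SKEYID over DH publics, cookies, SA, own ID."""
    return prf(skeyid, gx_self + gx_peer + cky_self + cky_peer + sa_i + id_self)


def phase2_keymat(skeyid_d, proto, spi, ni2, nr2, gqm_xy=b""):
    """Quick mode KEYMAT; gqm_xy is the fresh DH secret only when PFS is used."""
    return prf(skeyid_d, gqm_xy + proto + spi + ni2 + nr2)


def ikev1_exchange(psk_initiator: bytes, psk_responder: bytes, pfs: bool):
    """Run both sides of phase 1 plus one quick mode. Returns
    (peer_authenticated, keymat_initiator, keymat_responder, transcript)."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    sa_i, id_i, id_r = b"des-sha-psk-g2", b"198.51.100.1", b"203.0.113.1"
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    # MM3/MM4: g^xi, g^xr and the nonces travel in the clear; each side derives g^xy
    gxy_i, gxy_r = ib(pow(gxr, xi, P)), ib(pow(gxi, xr, P))
    sk_i = skeyid_psk(psk_initiator, ni, nr)
    sk_r = skeyid_psk(psk_responder, ni, nr)
    d_i, _, _ = phase1_keys(sk_i, gxy_i, cky_i, cky_r)
    d_r, _, _ = phase1_keys(sk_r, gxy_r, cky_i, cky_r)
    # MM5: initiator sends HASH_I (under SKEYID_e in main mode); the responder
    # recomputes it with its own SKEYID, which only matches if the PSKs match
    hash_i = auth_hash(sk_i, ib(gxi), ib(gxr), cky_i, cky_r, sa_i, id_i)
    expect = auth_hash(sk_r, ib(gxi), ib(gxr), cky_i, cky_r, sa_i, id_i)
    authenticated = hmac.compare_digest(hash_i, expect)
    hash_r = auth_hash(sk_r, ib(gxr), ib(gxi), cky_r, cky_i, sa_i, id_r)
    # Quick mode: new nonces; with PFS a second DH exchange contributes g(qm)^xy
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    gqm = b""
    if pfs:
        yi, _gyi = dh_keypair()
        _yr, gyr = dh_keypair()
        gqm = ib(pow(gyr, yi, P))
    proto, spi = b"\x03", b"\x00\x00\x12\x34"      # ESP, constructed SPI
    km_i = phase2_keymat(d_i, proto, spi, ni2, nr2, gqm)
    km_r = phase2_keymat(d_r, proto, spi, ni2, nr2, gqm)
    transcript = dict(ni=ni, nr=nr, gxi=ib(gxi), gxr=ib(gxr), cky_i=cky_i,
                      cky_r=cky_r, sa_i=sa_i, id_r=id_r, hash_r=hash_r)
    return authenticated, km_i, km_r, transcript


def crack_psk(transcript: dict, candidates) -> Optional[bytes]:
    """Offline dictionary attack on HASH_R. In main mode HASH_R is encrypted, so
    this needs SKEYID_e; in aggressive mode HASH_R is sent in the clear."""
    t = transcript
    for guess in candidates:
        sk = skeyid_psk(guess, t["ni"], t["nr"])
        h = auth_hash(sk, t["gxr"], t["gxi"], t["cky_r"], t["cky_i"], t["sa_i"], t["id_r"])
        if hmac.compare_digest(h, t["hash_r"]):
            return guess
    return None
```

Two things fall out of running it. Without PFS, KEYMAT is a pure function of SKEYID_d and the quick mode nonces, so phase 2 keys are only as fresh as the phase 1 DH secret; with PFS the new g(qm)^xy is required as well. And crack_psk shows why the aggressive mode variant matters: the same HASH_R that main mode hides under SKEYID_e is sent unencrypted in aggressive mode, which makes a weak pre-shared key recoverable offline from one captured exchange.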

  • Configuration of VPN Cisco RV220W wireless

    Hello expert support.

    We have a Cisco RV220 Wireless Network Security Firewall. It is currently configured to provide access only to selected users. I have been asked to configure it to provide access to users on hotspots or home networks. The idea is that while on the road, or at home, they would use their home network or a hotspot location to VPN to the RV220 to access the documents they need.

    My assumption was to set up the VPN with the users accessing through the QuickVPN client. I followed the setup steps, but VPN access failed.

    Has anyone tried or succeeded with a configuration like that? I have read a number of posts from users having problems just configuring the VPN and accessing it with QuickVPN.

    Any help would be greatly appreciated.

    Best regards

    Michael

    Try this first.

    http://www.Cisco.com/en/us/docs/routers/CSBR/app_notes/QuickVPN_an_OL-25680.PDF

    If the problem persists, please call the support help center.

    http://www.Cisco.com/en/us/support/tsd_cisco_small_business_support_center_contacts.html

  • Configuration of VPN RV110W - please help

    First of all, I would like to say thank you for all the tips; I have never set up a VPN before.

    I am looking for help on setting up a VPN connection to a remote device. I need to be able to connect from a laptop that could be in my office, at home, or in a hotel room in a random city in North America. The RV110W will have a static IP address, and the device I need to connect to is behind it. What I need to know is: do I also have to take an RV110W with me when I travel to connect through a VPN to this device? Or can it be set up so that I can connect from anywhere?

    Hi Bill,

    My name is Mehdi from the Cisco Technical Support.

    The RV110W supports IPsec and PPTP VPN, and you can connect from anywhere using the QVPN client or a Windows-based PPTP client.

    Before anything else, check whether you have the latest firmware; if not, here is the link to download it: http://software.cisco.com/download/release.html?mdfid=283879340&software...

    Latest firmware is 1.2.0.10

    Here are the steps:

    Solution 1: Configure PPTP

    ---> Under VPN --> VPN Clients, enable the PPTP server

    - IP address for the PPTP server: the IP address of the PPTP server; for example, if the router has IP 192.168.1.1, we can use 192.168.1.200 (it must be in the same subnet as the LAN and the DHCP server)

    - IP address for the PPTP clients: gives the range of IP addresses handed to clients; as far as I know, a maximum of 5 IPs

    - Under VPN --> VPN Clients --> VPN Client Setting Table

    - Click Add Row, add the user name and password, tick the Enable checkbox and choose PPTP

    - Click the Save button

    Now configure the client on the PC; here is an example:

    http://www.strongvpn.com/setup_windows_7_pptp.shtml

    Solution 2:

    We need to download and install the QVPN IPsec client from this link:

    http://software.Cisco.com/download/release.html?mdfid=283879340&software...

    - On the router, under VPN --> VPN Clients --> Add Row, do the same steps, but instead of PPTP choose QVPN

    - Also, under Firewall, allow remote management on port 443

    Now on the client it will ask for the username and password of the client already configured on the router, and for the server; the server is the public IP address of the router's WAN interface.

    I hope I was clear on these steps to configure the VPN; please rate and click on "answer" to help other Cisco customers.

  • Can the NAT of ASA configuration for vpn local pool

    We have a remote-access IPsec tunnel group; clients get addresses from the pool 172.18.33.0/24, set up with the "ip local pool" command. The remote clients must use a full IPsec tunnel.

    Because of IP overlap or routing reasons, we would like to NAT this local pool 172.18.33.0 to the 192.168.3.0 subnet when VPN users access certain servers or subnets via the outside interface of the ASA. I have NAT mapping address commands from one interface to another interface of the ASA. The VPN local pool is not behind any physical interface of the ASA. My question is: can the ASA configure policy NAT for the VPN local pool? If so, how do I set up this NAT?

    Thank you

    Haiying

    Haiying,

    access-list NAT_VPNClients permit ip 172.18.33.0 255.255.255.0 10.1.1.0 255.255.255.0
    static (outside,outside) 192.168.33.0 access-list NAT_VPNClients

    The above configuration will NAT 172.18.33.0/24 to 192.168.33.0/24 when going to 10.1.1.0/24 (assuming that 10.1.1.0/24 is your server subnet).

    To allow the ASA to send the translated traffic back out the same interface on which it was received, you also need the command:

    same-security-traffic permit intra-interface

    Federico.

  • ASA Configuration of VPN Site to Site - NAT issues

    Greetings,

    I am responsible for configuring a site-to-site VPN connection to a business partner, in which I first want to NAT my internal IPs to public IP addresses and then send the traffic through the tunnel, and vice versa: when they try to access my servers I want them to reach them through the external IP addresses. Here is what I think I need to do, but I was wondering what the community thinks.

    All of the IP addresses shown below are fictitious.

    Internal server    Public IP address
    10.50.220.150      208.180.170.182
    10.50.220.151      208.180.170.183
    10.50.220.152      208.180.170.184

    Local peer IP: 208.180.254.29

    Remote peer IP: 207.190.218.31

    Local network: 208.180.170.0/24

    Remote network: 207.190.239.0/24

    From my understanding, NAT occurs before traffic is sent into a tunnel, or to the internet, etc., so the configuration I think I need is the following:

    nat (inside) 0 access-list sheep
    nat (inside) 2 10.50.220.150 255.255.255.255
    nat (inside) 3 10.50.220.151 255.255.255.255
    nat (inside) 4 10.50.220.152 255.255.255.255
    global (outside) 2 208.180.170.182
    global (outside) 3 208.180.170.183
    global (outside) 4 208.180.170.184
    access-list sheep extended permit ip 208.180.170.0 255.255.255.0 207.190.239.0 255.255.255.0 (do I still need this, since the traffic is NATed to a public IP address anyway?)
    access-list s2s-client extended permit ip 208.180.170.0 255.255.255.0 207.190.239.0 255.255.255.0
    route outside 207.190.239.0 255.255.255.0 207.190.218.31
    crypto map outside 1 set peer 207.190.218.31
    crypto map outside 1 match address s2s-client
    [... rest of the configuration omitted ...]

    Does that look right? If not, please advise.

    Thank you.

    Yes.

    PAT (nat/global) will take care of the outgoing traffic and the statics will take care of the incoming traffic.

    You can create policy NAT as well to handle this traffic.

    Federico.
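The order of operations both of the last two answers rely on (policy NAT for the VPN pool, and NAT before the crypto map for the site-to-site case), as an added example that is not part of either thread: a small model of ASA 8.2-style outbound NAT evaluation, to show why the crypto ACL has to match the translated addresses. Rule order follows the ASA's order for outbound traffic: NAT exemption (nat 0 access-list) first, then static (including policy static with an access-list), then dynamic nat/global. Interfaces are ignored, so the (outside,outside) static is modelled as a plain policy static. The addresses are the fictitious ones from the two threads; nothing here is real ASA code.

```python
"""Added example: model of ASA 8.2 outbound NAT evaluation, then the crypto
map ACL lookup on the translated source. Addresses are the threads' fictitious ones."""
import ipaddress
from typing import List, Optional, Tuple

Acl = List[Tuple[str, str]]          # [(source network, destination network)]


def _ip(a: str) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(a)


def in_acl(acl: Acl, src: str, dst: str) -> bool:
    return any(_ip(src) in ipaddress.IPv4Network(s) and _ip(dst) in ipaddress.IPv4Network(d)
               for s, d in acl)


class AsaNat:
    def __init__(self) -> None:
        self.exempt: List[Acl] = []                               # nat (inside) 0 access-list X
        self.static: List[Tuple[str, str, Optional[Acl]]] = []    # (real net, mapped net, policy acl)
        self.dynamic: List[Tuple[str, str]] = []                  # (real net, global ip) from nat/global

    def translate(self, src: str, dst: str) -> str:
        """Source address the packet carries after NAT, i.e. what the crypto map sees."""
        if any(in_acl(acl, src, dst) for acl in self.exempt):
            return src                                            # exemption: no translation
        for real, mapped, acl in self.static:
            real_net = ipaddress.IPv4Network(real)
            if _ip(src) in real_net and (acl is None or in_acl(acl, src, dst)):
                offset = int(_ip(src)) - int(real_net.network_address)
                return str(ipaddress.IPv4Network(mapped).network_address + offset)
        for real, global_ip in self.dynamic:
            if _ip(src) in ipaddress.IPv4Network(real):
                return global_ip                                  # PAT: one global per nat id
        return src                                                # no rule matched


def site_to_site_asa() -> AsaNat:
    """NAT from the site-to-site question: nat 0 'sheep' plus nat/global ids 2, 3, 4."""
    asa = AsaNat()
    asa.exempt.append([("208.180.170.0/24", "207.190.239.0/24")])
    for real, public in (("10.50.220.150", "208.180.170.182"),
                         ("10.50.220.151", "208.180.170.183"),
                         ("10.50.220.152", "208.180.170.184")):
        asa.dynamic.append((real + "/32", public))
    return asa


S2S_CRYPTO_ACL: Acl = [("208.180.170.0/24", "207.190.239.0/24")]   # access-list s2s-client


def vpn_pool_asa() -> AsaNat:
    """Policy static from the VPN-pool answer: 172.18.33.0/24 -> 192.168.33.0/24 for 10.1.1.0/24."""
    asa = AsaNat()
    asa.static.append(("172.18.33.0/24", "192.168.33.0/24",
                       [("172.18.33.0/24", "10.1.1.0/24")]))
    return asa


def encrypted(asa: AsaNat, crypto_acl: Acl, src: str, dst: str) -> Tuple[str, bool]:
    """Translated source, and whether the flow then matches the crypto ACL."""
    translated = asa.translate(src, dst)
    return translated, in_acl(crypto_acl, translated, dst)


if __name__ == "__main__":
    print(encrypted(site_to_site_asa(), S2S_CRYPTO_ACL, "10.50.220.150", "207.190.239.10"))
    print(vpn_pool_asa().translate("172.18.33.7", "10.1.1.10"))
```

Running it answers the "do I still need the sheep ACL" aside from the question in one direction: because the exemption ACL names 208.180.170.0/24 as the source and no inside host carries that address before translation, the exemption never matches and the nat/global pairs do the work, after which the translated 208.180.170.x source is what the s2s-client ACL matches. The untranslated 10.50.220.x address would not match the crypto ACL at all.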

  • HOWTO configure SSL VPN router Cisco 1941?

    Hello.

    How do I configure SSL VPN on a Cisco 1941 router? I would like a step-by-step howto guide. I have not found one myself so far.

    Best regards Tommy Svensson

    Here are a few links that might help:

    http://www.Cisco.com/en/us/products/ps6657/prod_configuration_examples_list.html

    http://security-blog.netcraftsmen.NET/2009/02/Cisco-IOS-SSL-VPN-example.html

  • VPN site to Site stuck in IKE Phase 1 - MM_WAIT_MSG2

    We have a site-to-site VPN. The tunnel worked before, but after some discussions about the location of ASA_Receiving (no config change was made on that ASA; it is directly connected to the internet) the tunnel will not come back up. The devices can ping each other without problem.

    It is an L2L VPN; I wonder if the "Type: user" line is related to the issue?

    ASA_Initiator

    IKE Peer: 71.13.xxx.xxx
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

    ASA_Receiving

    # show crypto isakmp sa

    There are no isakmp sas

    Hey,

    is the remote end an ASA as well?

    If so, take the capture below on the ASA:

    capture capout match udp host <local-peer> host <remote-peer> interface <outside>

    The tunnel gets stuck in MM_WAIT_MSG2 for 2 reasons:

    1. either a problem with the phase 1 policies on the remote end, or

    2. UDP 500 is not reaching the remote end, or the remote end sends the UDP 500 packet back and it cannot reach the local ASA.

    Regards
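A way to read the captures this answer asks for, as an added example that is not part of this thread or of the "Ports used in IKE Phase 1" thread above: it classifies IPsec-related flows by protocol and port using the numbers from that earlier answer (udp/500 for IKE, IP protocol 50 for ESP, udp/4500 for NAT-T, tcp/10000 for the old client's TCP encapsulation), then reads captures from both peers to decide which of the two MM_WAIT_MSG2 causes applies. Capture records are constructed in a simplified "proto src[:port] > dst[:port]" form; the peer addresses are assumed.

```python
"""Added example: classify IPsec flows by protocol/port and diagnose an
MM_WAIT_MSG2 stall from captures taken on both peers. Records are constructed."""
from collections import Counter
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    proto: str      # "udp", "tcp" or "esp"
    src: str
    sport: int      # 0 when the protocol has no ports (ESP)
    dst: str
    dport: int


def classify(f: Flow) -> str:
    if f.proto == "esp":
        return "esp"                 # IP protocol 50: phase 2 data
    if f.proto == "udp" and f.sport == 500 and f.dport == 500:
        return "ike"                 # phase 1 and phase 2 negotiation
    if f.proto == "udp" and f.dport == 4500:
        return "nat-t"               # client source port ephemeral, server port 4500
    if f.proto == "tcp" and f.dport == 10000:
        return "ipsec-over-tcp"      # legacy Cisco VPN client encapsulation
    return "other"


def _endpoint(token: str):
    ip, _, port = token.partition(":")
    return ip, int(port or 0)


def parse_capture(lines: List[str]) -> List[Flow]:
    """Parse constructed records of the form 'udp 203.0.113.1:500 > 198.51.100.9:500'."""
    flows = []
    for line in lines:
        proto, src, _arrow, dst = line.split()
        (sip, sp), (dip, dp) = _endpoint(src), _endpoint(dst)
        flows.append(Flow(proto, sip, sp, dip, dp))
    return flows


def summarize(flows: List[Flow]) -> Dict[str, int]:
    return dict(Counter(classify(f) for f in flows))


def _ike_seen(flows: List[Flow], src: str, dst: str) -> bool:
    return any(classify(f) == "ike" and f.src == src and f.dst == dst for f in flows)


def diagnose_mm_wait_msg2(local_cap: List[Flow], remote_cap: List[Flow],
                          local: str, remote: str) -> str:
    """Which of the answer's two causes fits, given captures on both ASAs."""
    if not _ike_seen(local_cap, local, remote):
        return "no MSG1 sent: capture point or interesting traffic is wrong"
    if _ike_seen(local_cap, remote, local):
        return "reply reached us: the path is fine, look at the phase 1 exchange itself"
    if not _ike_seen(remote_cap, local, remote):
        return "udp/500 is not reaching the remote"
    if not _ike_seen(remote_cap, remote, local):
        return "remote received MSG1 and stayed silent: check its phase 1 policies"
    return "remote replied but the reply never arrived: udp/500 blocked on the return path"


if __name__ == "__main__":
    local = parse_capture(["udp 203.0.113.1:500 > 198.51.100.9:500"])
    remote = parse_capture(["udp 203.0.113.1:500 > 198.51.100.9:500"])
    print(diagnose_mm_wait_msg2(local, remote, "203.0.113.1", "198.51.100.9"))
```

The point of capturing on both sides is that the local capture alone cannot separate the answer's two causes: an initiator that sees no reply looks the same whether the packet was dropped in transit, answered and dropped on the way back, or received by a responder that had no matching phase 1 policy.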

  • VPN - failure IKE Phase 1

    Hi all

    I'm having challenges with a site-to-site VPN that cannot be initiated from one side of the VPN.

    From one side of the VPN I can ping everywhere without problems and the VPN tunnel is established successfully, but when I try it from the other side of the VPN it never establishes and the state is stuck in MM_KEY_EXCH.

    I have verified the configurations at both ends and everything seems fine (see below); also please find attached a crypto isakmp debug from the router that does not seem to establish the VPN - any idea why this is failing?

    The VPN is set up between a C837 and a C857.

    ***

    crypto isakmp policy 10
     encr des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key secret address 81.140.73.140 no-xauth
    !
    crypto ipsec security-association lifetime seconds 3000
    !
    crypto ipsec transform-set secure esp-des esp-md5-hmac
    !
    crypto map vpn 10 ipsec-isakmp
     set peer 81.140.73.140
     set transform-set secure
     match address VPN-traffic

    ***

    Thank you very much

    That could very well be causing this problem.

    If you have a static-to-dynamic IPsec setup between two routers, please make sure you have this configuration:

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080093f86.shtml

    You will see that the dynamic IP site has a normal static crypto map, but the static IP side has a dynamic crypto map.

    This example assumes that you do NAT too.

    With this configuration, the tunnel can only be started from the dynamic side.

    Hope this helps.

    Federico.

  • IKE Phase 2 SA expires immediately - site 2 site ipsec over gre

    Hello

    I am migrating a site's IPsec config to a new "face", an ASR1001 router, from a Linux VPN machine (ipsec-tools + racoon).

    As the Debian Linux does not do VTI, I use a crypto map.

    The working config is given below, with the corresponding logs from the Linux side.

    When I try to apply on the ASR1001 the config that worked before, I get the following error:

    000855: *Dec 12 18:28:21.859 UTC: %ACE-3-TRANSERR: IOSXE-ESP(14): IKEA trans 0x1350; opcode 0x60; param 0x2EE; error 0x5; retry cnt 0

    Any hint about error code 0x5?

    The logs on the Linux side show sync issues...

    12 Dec 18:50:19 FAKE-AUCH-GW racoon: INFO: initiate new phase 1 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
    12 Dec 18:50:19 FAKE-AUCH-GW racoon: INFO: begin Identity Protection mode.
    12 Dec 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: CISCO-UNITY
    12 Dec 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: DPD
    12 Dec 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    12 Dec 18:50:19 FAKE-AUCH-GW racoon: INFO: ISAKMP-SA established 194.214.196.2[500]-130.120.124.8[500] spi:5f8e6339fb954d45:e513d25e42e19d11
    12 Dec 18:50:20 FAKE-AUCH-GW racoon: INFO: initiate new phase 2 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
    12 Dec 18:50:39 FAKE-AUCH-GW racoon: INFO: respond new phase 2 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
    12 Dec 18:50:50 FAKE-AUCH-GW racoon: NOTIFY: the packet is retransmitted by 130.120.124.8[500] (1).
    12 Dec 18:50:50 FAKE-AUCH-GW racoon: INFO: IPsec-SA expired: ESP/Transport 130.120.124.8[500]->194.214.196.2[500] spi=30866420(0x1d6fbf4)
    12 Dec 18:50:50 FAKE-AUCH-GW racoon: WARNING: PF_KEY EXPIRE message received from kernel for SA being negotiated. Stopping negotiation.
    12 Dec 18:50:50 FAKE-AUCH-GW racoon: INFO: IPsec-SA expired: AH/Transport 130.120.124.8[500]->194.214.196.2[500] spi=258959(0x3f38f)
    12 Dec 18:50:59 FAKE-AUCH-GW racoon: INFO: initiate new phase 2 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
    12 Dec 18:51:00 FAKE-AUCH-GW racoon: NOTIFY: the packet is retransmitted by 130.120.124.8[500] (1).
    12 Dec 18:51:09 FAKE-AUCH-GW racoon: INFO: IPsec-SA expired: ESP/Transport 130.120.124.8[500]->194.214.196.2[500] spi=95427747(0x5b01ca3)
    12 Dec 18:51:09 FAKE-AUCH-GW racoon: WARNING: PF_KEY EXPIRE message received from kernel for SA being negotiated. Stopping negotiation.
    12 Dec 18:51:09 FAKE-AUCH-GW racoon: INFO: IPsec-SA expired: AH/Transport 130.120.124.8[500]->194.214.196.2[500] spi=159198575(0x97d2d6f)
    12 Dec 18:51:09 FAKE-AUCH-GW racoon: INFO: respond new phase 2 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
    12 Dec 18:51:10 FAKE-AUCH-GW racoon: NOTIFY: the packet is retransmitted by 130.120.124.8[500] (1).

    !###########################################
    ! IOS running config
    !
    crypto isakmp policy 10
     encr aes 256
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key MY-0WN-T3RR1F1C-PR35H4R3D-K3Y address 192.0.2.66 no-xauth
    !
    !
    crypto ipsec transform-set MY-0WN-TS-MD5 ah-md5-hmac esp-aes 256 esp-md5-hmac
     mode transport
    !
    crypto map MY-0WN-map 1 ipsec-isakmp
     set peer 192.0.2.66
     set transform-set MY-0WN-TS-MD5
     set pfs group2
     match address 120
    !
    interface Tunnel0
     bandwidth 45000
     ip address 198.51.100.1 255.255.255.252
     no ip redirects
     no ip proxy-arp
     ip mtu 1400
     ip virtual-reassembly in
     ip tcp adjust-mss 1360
     tunnel source GigabitEthernet0/0
     tunnel destination 192.0.2.66
     tunnel path-mtu-discovery
     tunnel bandwidth transmit 45000
     tunnel bandwidth receive 45000
    !
    interface GigabitEthernet0/0
     ip address 192.0.2.34 255.255.255.224
     no ip redirects
     no ip proxy-arp
     ip virtual-reassembly in
     duplex full
     speed 1000
     media-type gbic
     negotiation auto
     crypto map MY-0WN-map
    ###########################################

    Logs on the Linux side

    Dec 12 08:18:30 GLA racoon: INFO: ISAKMP-SA expired 192.0.2.66[500]-192.0.2.34[500] spi:88ed3c49ea8ffe38:e568a2dd27cbec5d
    Dec 12 08:18:30 GLA racoon: INFO: ISAKMP-SA deleted 192.0.2.66[500]-192.0.2.34[500] spi:88ed3c49ea8ffe38:e568a2dd27cbec5d
    Dec 12 08:18:31 GLA racoon: INFO: respond new phase 1 negotiation: 192.0.2.66[500]<=>192.0.2.34[500]
    Dec 12 08:18:31 GLA racoon: INFO: begin Identity Protection mode.
    Dec 12 08:18:31 GLA racoon: INFO: received Vendor ID: RFC 3947
    Dec 12 08:18:31 GLA racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Dec 12 08:18:31 GLA racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Dec 12 08:18:31 GLA racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Dec 12 08:18:31 GLA racoon: INFO: received Vendor ID: DPD
    Dec 12 08:18:31 GLA racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Dec 12 08:18:31 GLA racoon: [192.0.2.34] INFO: received INITIAL-CONTACT
    Dec 12 08:18:31 GLA racoon: INFO: ISAKMP-SA established 192.0.2.66[500]-192.0.2.34[500] spi:88ed3c49e027808c:b17ba35c5b7f1e82
    Dec 12 08:18:31 GLA racoon: INFO: respond new phase 2 negotiation: 192.0.2.66[500]<=>192.0.2.34[500]
    Dec 12 08:18:31 GLA racoon: INFO: generated policy: 192.0.2.34/32[0] 192.0.2.66/32[0] proto=any dir=in
    Dec 12 08:18:31 GLA racoon: INFO: IPsec-SA established: AH/Transport 192.0.2.66[500]->192.0.2.34[500] spi=88493238(0x5464cb6)
    Dec 12 08:18:31 GLA racoon: INFO: IPsec-SA established: ESP/Transport 192.0.2.66[500]->192.0.2.34[500] spi=21367141(0x1460965)
    Dec 12 08:18:31 GLA racoon: INFO: IPsec-SA established: AH/Transport 192.0.2.66[500]->192.0.2.34[500] spi=1579505880(0x5e2558d8)
    Dec 12 08:18:31 GLA racoon: INFO: IPsec-SA established: ESP/Transport 192.0.2.66[500]->192.0.2.34[500] spi=838280164(0x31f723e4)

    Could you adjust your transform set?

    Right now you have: crypto ipsec transform-set MY-0WN-TS-MD5 ah-md5-hmac esp-aes 256 esp-md5-hmac

    Could you change it to strictly ESP or strictly AH on both sides rather than mixing them?

    There is a known issue with the ASR and mixing AH/ESP in the IPsec configuration. I'll paste it below:

    CSCtb60545 / CSCsv96390

    Mixing the AH and ESP protocols in a transform set on the ASR may not work. This is an enhancement request that will introduce support for it.

    Symptoms:

    The router may display messages such as the following on the console:
    %ACE-3-TRANSERR: ASR1000-ESP(14): IKEA trans 0x27E; opcode 0x60; param 0x2A;
    error 0x5; retry cnt 0
    Conditions:
    This symptom is observed on a Cisco ASR1000 series router when it works as an IPsec
    endpoint and a nested transform set is applied, such as:
    crypto ipsec transform-set transform-1 ah-sha-hmac esp-3des esp-md5-hmac
    crypto ipsec transform-set transform-1 ah-md5-hmac esp-3des esp-md5-hmac
    Workaround:
    Remove the unsupported configuration.
  • the WAN connection becomes too slow after you have configured the VPN (Site Site)

    Hello

    I have two branches connected via a WAN (MPLS) connection using two 2921 routers. The connection is 2 Mbps.

    I set up a VPN between these two sites, but after that the connection has become very slow.

    Is there anything I can do to speed up the connection?

    The VPN proposals are:

    Phase 1 proposals: 3DES, pre-shared.

    Phase 2 proposals: esp-3des esp-sha-hmac

    I don't think lowering the security of the proposals will add much to the speed...

    Hi Marc,

    One thing you should definitely do is go for hardware encryption if you are not already using it; it also reduces the load on your CPU.

    Other things you can try are playing with the MTU, depending on your line MTU and which applications are mainly used. Try setting the MTU at least 60-odd bytes lower than the line MTU; also, servers sometimes have recommended MTU settings, and many require the MTU to be 1300 or 1400. If that is not met it can cause a lot of retransmissions. You can also try fragmentation before encryption.

    http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/VSPA/configuration/guide/ivmvpnb.PDF
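The "60-odd bytes lower than the line MTU" figure worked out, as an added example that is not part of the thread: ESP tunnel-mode overhead arithmetic for the proposals in the question (esp-3des esp-sha-hmac) and for AES. Sizes are the standard ones from RFC 4303: outer IPv4 header 20 bytes, SPI plus sequence number 8, CBC IV equal to the cipher block size, padding up to the block size plus 2 trailer bytes (pad length, next header), and a 12-byte truncated HMAC ICV; NAT-T adds an 8-byte UDP header, and GRE inside the tunnel adds 24 bytes. The "recommended" values (ip mtu and tcp adjust-mss = mtu - 40) are the example's own derivation, not figures from the thread.

```python
"""Added example: ESP tunnel-mode overhead and the largest inner packet that
avoids fragmentation, for the crypto map style tunnels discussed above."""
BLOCK = {"esp-des": 8, "esp-3des": 8, "esp-aes": 16, "esp-aes-256": 16}   # CBC block = IV size
ICV = {"esp-md5-hmac": 12, "esp-sha-hmac": 12}                             # truncated HMAC
OUTER_IP, ESP_HDR, UDP_HDR, GRE_IP = 20, 8, 8, 24


def encapsulated_size(inner: int, cipher: str, integrity: str, nat_t: bool = False) -> int:
    """On-the-wire size of an inner IP packet of `inner` bytes after ESP tunnel mode."""
    blk = BLOCK[cipher]
    pad = (-(inner + 2)) % blk       # payload + 2 trailer bytes must be a block multiple
    return (OUTER_IP + (UDP_HDR if nat_t else 0) + ESP_HDR + blk
            + inner + pad + 2 + ICV[integrity])


def max_clear_packet(line_mtu: int, cipher: str, integrity: str,
                     nat_t: bool = False, gre: bool = False) -> int:
    """Largest inner packet that still fits in line_mtu without fragmentation."""
    blk = BLOCK[cipher]
    room = line_mtu - OUTER_IP - (UDP_HDR if nat_t else 0) - ESP_HDR - blk - ICV[integrity]
    room -= room % blk               # encrypted region is a whole number of blocks
    inner = room - 2                 # minus pad-length and next-header bytes
    return inner - GRE_IP if gre else inner   # GRE over IPsec: inner IP + GRE header


def recommended(line_mtu: int, cipher: str, integrity: str,
                nat_t: bool = False, gre: bool = False) -> dict:
    """ip mtu for the tunnel/inside interface, tcp adjust-mss (mtu - 40 for IPv4+TCP),
    and the overhead relative to the line MTU."""
    mtu = max_clear_packet(line_mtu, cipher, integrity, nat_t, gre)
    return {"ip mtu": mtu, "ip tcp adjust-mss": mtu - 40, "overhead": line_mtu - mtu}


if __name__ == "__main__":
    print(recommended(1500, "esp-3des", "esp-sha-hmac"))
    print(recommended(1500, "esp-aes", "esp-sha-hmac", nat_t=True))
    print(encapsulated_size(1500, "esp-3des", "esp-sha-hmac"))   # a full-size packet fragments
```

For the question's 3DES/SHA proposal on a 1500-byte line the overhead is 54 bytes (62 for AES, 8 more with NAT-T), which is where the "60-odd" rule of thumb comes from; a 1500-byte inner packet becomes 1552 bytes on the wire and is fragmented, so every such packet costs two transmissions and reassembly.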

  • How to configure the vpn using two segments in a tunnel?

    Hi guys,.

    Please help me with how to set up two segments in a VPN tunnel. Our client has two segments, 10.15 and 192.168. We have already established VPN connectivity. We can ping the 10.15 segment, but we cannot ping 192.168. Attached is the sample configuration.

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key xxxxxx address 11.11.11.11
    !
    crypto ipsec security-association lifetime seconds 86400
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Tunnel
     set peer 11.11.11.11
     set security-association lifetime seconds 28800
     set transform-set ESP-3DES-SHA
     match address 102

    access-list 101 deny ip 192.168.202.0 0.0.0.255 host 10.15.0.177
    access-list 101 deny ip 192.168.202.0 0.0.0.255 host 192.168.30.174
    access-list 101 permit ip 192.168.202.0 0.0.0.255 any
    access-list 102 permit ip 192.168.202.0 0.0.0.255 host 10.15.0.178
    access-list 102 permit ip 192.168.202.0 0.0.0.255 host 192.168.30.174

    Here is the extended ping.

    Router#ping
    Protocol [ip]:
    Target IP address: 10.15.0.177
    Repeat count [5]:
    Datagram size [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface: 192.168.202.3
    Type of service [0]:
    Set DF bit in IP header? [no]:
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.15.0.177, timeout is 2 seconds:
    Packet sent with a source address of 192.168.202.3
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 172/172/172 ms
    Router#ping
    Protocol [ip]:
    Target IP address: 192.168.30.174
    Repeat count [5]:
    Datagram size [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface: 192.168.202.3
    Type of service [0]:
    Set DF bit in IP header? [no]:
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.30.174, timeout is 2 seconds:
    Packet sent with a source address of 192.168.202.3
    .....
    Success rate is 0 percent (0/5)

    And here is the output of show crypto isakmp sa.

    Router#show crypto isakmp sa
    dst             src             state          conn-id slot status
    11.11.11.11     22.22.22.22     QM_IDLE              1    0 ACTIVE

    And here is the crypto session.

    Router#show crypto session
    Crypto session current status
    Interface: FastEthernet0/0
    Session status: UP-ACTIVE
    Peer: 11.11.11.11 port 500
      IPSEC FLOW: permit ip 192.168.202.0/255.255.255.0 host 192.168.30.174
            Active SAs: 2, origin: crypto map
      IPSEC FLOW: permit ip 192.168.202.0/255.255.255.0 host 10.15.0.177
            Active SAs: 2, origin: crypto map

    And here are the details of the crypto session.

    Router#show crypto session detail
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - KeepAlive, N - NAT-traversal, X - IKE Extended Authentication
    Interface: FastEthernet0/0
    Session status: UP-ACTIVE
    Peer: 11.11.11.11 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 11.11.11.11
          Desc: (none)
      IKE SA: local 22.22.22.22/500 remote 11.11.11.11/500 Active
              Capabilities:(none) connid:1 lifetime:23:44:02
      IPSEC FLOW: permit ip 192.168.202.0/255.255.255.0 host 192.168.30.174
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4568454/27867
            Outbound: #pkts enc'ed 4 drop 1 life (KB/Sec) 4568453/27867
      IPSEC FLOW: permit ip 192.168.202.0/255.255.255.0 host 10.15.0.177
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 8 drop 0 life (KB/Sec) 4591368/27842
            Outbound: #pkts enc'ed 8 drop 2 life (KB/Sec) 4591368/27842
     

    Hello

    Your side has 192.168.202.0/24, and you can ping 10.15 successfully but not 192.168.30.174.

    Check that the ASA has a route to 192.168.30.174 pointing to the outside interface.

    Also check that the client has defined 192.168.30.174 as part of the VPN traffic correctly.

    Federico.
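The second check in the answer made mechanical, as an added example that is not part of the thread: a parser for IOS numbered extended ACLs and a comparison that reports which proxy identities one side encrypts that the other side does not accept. The local ACL 102 is the one from the question; the remote ACL is a constructed example in which the 192.168.30.174 entry has been left out, the situation the answer is asking the poster to rule out. The ACL number 110 on the remote side is an assumption.

```python
"""Added example: check that two peers' crypto ACLs mirror each other.
Local ACL from the question; the remote ACL is constructed."""
import ipaddress
from typing import List, NamedTuple, Set, Tuple

Net = ipaddress.IPv4Network


class Ace(NamedTuple):
    src: Net
    dst: Net


def _take(tokens: List[str]) -> Tuple[Net, List[str]]:
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return Net("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return Net(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    prefix = 32 - bin(wildcard).count("1")      # assumes a contiguous wildcard mask
    return Net(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]


def parse_ios_acl(lines: List[str], number: str) -> List[Ace]:
    """Collect the 'permit ip' entries of numbered extended ACL `number`."""
    aces = []
    for line in lines:
        t = line.split()
        if t[:4] != ["access-list", number, "permit", "ip"]:
            continue                 # deny entries and other ACLs do not define interesting traffic
        src, rest = _take(t[4:])
        dst, _ = _take(rest)
        aces.append(Ace(src, dst))
    return aces


def mirror_gaps(local: List[Ace], remote: List[Ace]) -> Tuple[Set[Ace], Set[Ace]]:
    """Returns (entries the remote is missing, written as the remote should have them;
    entries the local side is missing, written as the local side should have them)."""
    expected_remote = {Ace(a.dst, a.src) for a in local}
    remote_set = set(remote)
    missing_on_remote = expected_remote - remote_set
    missing_on_local = {Ace(a.dst, a.src) for a in remote_set - expected_remote}
    return missing_on_remote, missing_on_local


LOCAL_CONFIG = [   # from the question
    "access-list 101 deny ip 192.168.202.0 0.0.0.255 host 10.15.0.177",
    "access-list 102 permit ip 192.168.202.0 0.0.0.255 host 10.15.0.178",
    "access-list 102 permit ip 192.168.202.0 0.0.0.255 host 192.168.30.174",
]
REMOTE_CONFIG = [  # constructed: the remote admin only mirrored the first flow
    "access-list 110 permit ip host 10.15.0.178 192.168.202.0 0.0.0.255",
]


def report() -> List[str]:
    local = parse_ios_acl(LOCAL_CONFIG, "102")
    remote = parse_ios_acl(REMOTE_CONFIG, "110")
    missing_remote, missing_local = mirror_gaps(local, remote)
    return ([f"remote lacks: permit ip {a.src} {a.dst}" for a in sorted(missing_remote)]
            + [f"local lacks: permit ip {a.src} {a.dst}" for a in sorted(missing_local)])


if __name__ == "__main__":
    print("\n".join(report()) or "crypto ACLs mirror each other")
```

A flow that is missing on the remote side fails exactly the way the question shows: the local router builds an IPsec SA for it and counts encrypted packets, but the remote either refuses the proxy identity at quick mode or, if its own crypto ACL lets the reply out another path, never returns traffic through the tunnel.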

    I tried to run Netflix today, and it sticks on 'Loading '.  After a call to Netflix, they indicate that the tablet doesn't send queries to the Netflix server to provide the requested movies.  The last update for Netflix on Google game is the version