Decision on DMVPN and L2L simple IPsec tunnels
I have a project where I need to make a decision on which solution to implement... environment is as follows...
- 4 branches.
- Each branch has 2 subnets; one for DATA and another for VOICE
- 2 ISPS in each (an Internet access provider and a provider of MPLS)
- Branch #1 isn't necessarily the HUB office that all database servers and files are there are
- Branch #2 is actually where the phone equipment
- Other 2 branches are just branches speaks (may not need never DATA interconnectivy, but they do need interconnection VOICE when they call since we spoke directly to the other)
- MPLS is currently used for telephone traffic.
- ISP provider link is used for site to site tunnels that traverse the internet, and it is the primary path for DATA. Means that all branch DATA subnets use the tunnels from site to site as main road to join the #1 branch where all files and databases are located.
- I'd like to have redundancy in case the network MPLS down for all traffic VOICE switch to L2L tunnels.
My #1 Option
Because it isn't really a star to the need, I don't really know if I want to apply DMVPN, although I read great things about it. In addition, another reason, I would have perhaps against DMVPN is the 'delay' involved, at least during initialization, communications having spoke-to-spoke. There is always a broken package when a department wants to initiate communication with one another.
My #2 Option
My other choice is just deploy L2L IPSec tunnels between all 4 branches. It's certainly much easier to install than DMVPN although DMVPN can without routing protocols that I think I'll need. But with these Plains L2L IPSec tunnels, I can also add the GRE tunnels and the routing of traffic protocols it as well as all multicast traffic. In addition, I can easily install simple IP SLA that will keep all tunnels upwards forever.
Can someone please help to choose one over the other is? or if I'm just okay with the realization of the #2 option
Thanks in advance
Hi ciscobigcat
Yes, OSPF will send periodic packets 'Hello' and they will maintain the tunnels at all times.
The numbers that you see (143 and 1001) are the "cost" of the track, so OSPF (Simplified) will calculate what different paths there are to a destination and assign each of them a 'cost' (by assigning a cost to each segment of the path, for example GigabitEthernet is "lower cost" Fastethernet and then adding the costs of all segments).
Then it will take the path to the lowest cost (143 in your case, in normal operation) and insert this in the routing table.
So since traffic is already going the right way, I don't know if you still need any tweaking? Personally, I would not add a second routing protocol because, generally, makes things more complicated.
QoS, it is important to use "prior qos rank".
See for example
http://www.Cisco.com/en/us/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/IPSecQoS.html
http://www.Cisco.com/en/us/Tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml
HTH
Herbert
Tags: Cisco Security
Similar Questions
-
Packet encryption and decryption by IPSEC Tunnel
Hello world
You must confirm if Site A has VPN IPSEC to Site B through Public network.
PCs on site say a package is sent in clear text to the switch, then switch sends to the VPN router.
Router VPN to site A will make encryption and send over a WAN link encrypted.
When the packet reaches a router B Site it will decrypt the packet and send clear text to PC right of the site B?
Thank you
MAhesh
Hello Manu,
Yes, you are right.
Encryption and decryption will perform VPN closing devices.
Best regards
Eugene
-
Strange problem in IPSec Tunnel - 8.4 NAT (2)
Helloo all,.
This must be the strangest question I've seen since the year last on my ASA.
I have an ASA 5540, who runs the code of 8.4 (2) without any problem until I ran into this problem last week and I spent sleepless nights with no resolution! Then, take a deep breath and here is a brief description of my setup and the problem:
A Simple IPSEC tunnel between my 8.4 (2) ASA 5540 and a Juniper SSG 140 6.3.0r9.0 (road OS based VPN) screen
The tunnel rises without any problem but the ASA refused to encrypt the traffic but it decrypts with GLORY!
Here are a few outputs debug, see the output and a package tracer output that also has an explanation of my problem of NAT WEIRD:
my setup - (I won't get into the details of encryption tunnel as my tunnel negotiations are perfect and returns from the outset when the ASA is configured as response only)
CISCO ASA - IPSec network details
LAN - 10.2.4.0/28
REMOTE NETWORK - 192.168.171.8/32
JUNIPER SSG 140 - IPSec networks details
ID OF THE PROXY:
LAN - 192.168.171.8/32
REMOTE NETWORK - 10.2.4.0/28
Name host # sh cry counterpart his ipsec
peer address:
Tag crypto map: outside_map, seq num: 5, local addr:
outside_cryptomap_4 to access extended list ip 10.2.4.0 allow 255.255.255.240 host 192.168.171.8
local ident (addr, mask, prot, port): (10.2.4.0/255.255.255.240/0/0)
Remote ident (addr, mask, prot, port): (192.168.171.8/255.255.255.255/0/0)
current_peer:
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 72, #pkts decrypt: 72, #pkts check: 72
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0
local crypto endpt. :
0, remote Start. crypto: 0 Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: 5041C19F
current inbound SPI: 0EC13558
SAS of the esp on arrival:
SPI: 0x0EC13558 (247543128)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 22040576, crypto-card: outside_map
calendar of his: service life remaining key (s): 3232
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0xFFFFFFFF to 0xFFFFFFFF
outgoing esp sas:
SPI: 0x5041C19F (1346486687)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 22040576, crypto-card: outside_map
calendar of his: service life remaining key (s): 3232
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
CONTEXTS for this IPSEC VPN tunnel:
# Sh asp table det vpn context host name
VPN CTX = 0x0742E6BC
By peer IP = 192.168.171.8
Pointer = 0x78C94BF8
State = upwards
Flags = BA + ESP
ITS = 0X9C28B633
SPI = 0x5041C19D
Group = 0
Pkts = 0
Pkts bad = 0
Incorrect SPI = 0
Parody = 0
Bad crypto = 0
Redial Pkt = 0
Call redial = 0
VPN = filter
VPN CTX = 0x07430D3C
By peer IP = 192.168.1.8
Pointer = 0x78F62018
State = upwards
Flags = DECR + ESP
ITS = 0X9C286E3D
SPI = 0x9B6910C5
Group = 1
Pkts = 297
Pkts bad = 0
Incorrect SPI = 0
Parody = 0
Bad crypto = 0
Redial Pkt = 0
Call redial = 0
VPN = filter
outside_cryptomap_4 to access extended list ip 10.2.4.0 allow 255.255.255.240 host 192.168.171.8
NAT (inside, outside) static source Ren - Ren - about destination static counterpart-host peer to route non-proxy-arp-search
network of the Ren - around object
subnet 10.2.4.0 255.255.255.240
network of the host object counterpart
Home 192.168.171.8
HS cry ipsec his
IKE Peer:
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE
output packet tracer extracted a packet transmitted by the network of 10.2.4.0/28 to 192.168.171.8 host
Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0x7789d788, priority = 70, domain = encrypt, deny = false
Hits = 2, user_data is0x742e6bc, cs_id = 0x7ba38680, reverse, flags = 0 x 0 = 0 protocol
IP/ID=10.2.4.0 SRC, mask is 255.255.255.240, port = 0
IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0
input_ifc = none, output_ifc = external
VPN settings corresponding to the encrytpion + encapsulation and the hits here increment only when I run a test of tracer from my host on the remote peer inside package.
A tracer complete package out for a packet of the 10.2.4.1 255.255.255.255 network to host 192.168.171.8:
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit rule
Additional information:
Direct flow from returns search rule:
ID = 0x77ebd1b0, priority = 1, domain = allowed, deny = false
hits = 3037156, user_data = 0 x 0, cs_id = 0 x 0, l3_type = 0 x 8
Mac SRC = 0000.0000.0000, mask is 0000.0000.0000
DST = 0000.0000.0000 Mac, mask is 0100.0000.0000
input_ifc = output_ifc = any to inside,
Phase: 2
Type:-ROUTE SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
in 192.168.171.0 255.255.255.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0x77ec1030, priority = 0, sector = inspect-ip-options, deny = true
hits = 212950, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,
Phase: 4
Type:
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0x7c12cb18, priority = 18, area = import-export flows, deny = false
hits = 172188, user_data = 0x78b1f438, cs_id = 0 x 0, use_real_addr, flags = 0 x 0,
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT (inside, outside) static source Ren - Ren - about destination static counterpart-host peer to route non-proxy-arp-search
Additional information:
Definition of static 10.2.4.1/2700 to 10.2.4.1/2700
Direct flow from returns search rule:
ID = 0x77e0a878, priority = 6, area = nat, deny = false
hits = 9, user_data is 0x7b7360a8, cs_id = 0 x 0, use_real_addr, flags = 0 x 0, proto
IP/ID=10.2.4.1 SRC, mask is 255.255.255.240, port = 0
IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0
input_ifc = inside, outside = output_ifc
(it's the weird NAT problem I see. I see the number of hits is increment only when I run the packet tracer understands even I have pings (traffic) the 192.168.171.8 constant welcomes the 10.2.4.1/28)-s'il please see the package I pasted after the capture section)
Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0x7b8751f8, priority = 70, domain = encrypt, deny = false
hits = 3, user_data = 0x7432b74, cs_id = 0x7ba38680, reverse, flags = 0 x 0, proto
IP/ID=10.2.4.1 SRC, mask is 255.255.255.240, port = 0
IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0
input_ifc = none, output_ifc = external
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional information:
Reverse flow from returns search rule:
ID = 0x78b0c280, priority = 69 = ipsec-tunnel-flow area, deny = false
hits = 154, user_data is 0x7435f94, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=192.168.171.8 SRC, mask is 255.255.255.255, port = 0
IP/ID=10.2.4.1 DST, mask is 255.255.255.240, port = 0, dscp = 0 x 0
input_ifc = out, output_ifc = any
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Reverse flow from returns search rule:
ID = 0x77e7a510, priority = 0, sector = inspect-ip-options, deny = true
hits = 184556, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = out, output_ifc = any
Phase: 9
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New workflow created with the 119880921 id, package sent to the next module
Information module for forward flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Information for reverse flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input interface: inside
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: allow
Hostname # sh Cap A1
8 packets captured
1: 12:26:53.376033 192.168.10.252 > 10.2.4.1: icmp: echo request
2: 12:26:53.376597 10.2.4.1 > 192.168.10.252: icmp: echo reply
3: 12:26:56.487905 192.168.171.8 > 10.2.4.1: icmp: echo request
4: 12:27:01.489217 192.168.171.8 > 10.2.4.1: icmp: echo request
5: 12:27:03.378245 192.168.10.252 > 10.2.4.1: icmp: echo request
6: 12:27:03.378825 10.2.4.1 > 192.168.10.252: icmp: echo reply
7: 12:27:06.491597 192.168.171.8 > 10.2.4.1: icmp: echo request
8: 12:27:11.491856 192.168.171.8 > 10.2.4.1: icmp: echo request
8 packets shown
As you can see, there is no echo response packet at all because the package may not be wrapped while he was sent to.
I'm Karen with it. In addition, he is a firewall multi-tenant live production with no problems at all outside this for a Juniper ipsec tunnel!
Also, the 192.168.10.0/24 is another remote network of IPSec tunnel to this network of 10.2.4.0/28 and this IPSEC tunnel has a similar Juniper SSG 140 screen os 6.3.0r9.0 at the remote end and this woks like a charm with no problems, but the 171 is not be encrypted by the ASA at all.
If someone could help me, that would be greatt and greatly appreciated!
Thanks heaps. !
Perfect! Now you must find something else inside for tomorrow--> forecast rain again
Please kindly marks the message as answered while others may learn from it. Thank you.
-
ASA5510-CISCO871 DOWN IPSEC TUNNEL
Help!
Site between ASA 5510 and 871 ROUTER ipsec tunnel site cannot be established.
Config and debug info:
ASA:
1.1.1.26 external ip address
1.1.1.254 the gateway ip
3.3.3.0 LAN network
3.3.3.250 ip LAN
3.3.3.20 PC in LANROUTER 871
2.2.2.226 external ip address
2.2.2.225 the gateway ip
4.4.4.0 network LAN
4.4.4.254 ip LAN
4.4.4.28 PC in LANASA 5510 CONFIG:
interface Ethernet0/0
WAN description
nameif AI_WAN
security-level 0
IP 1.1.1.26 255.255.255.248interface GigabitEthernet1/0
network LAN AB Description
nameif AB_LAN
security-level 100
IP 3.3.3.250 255.255.255.0Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 associationcrypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
Crypto than dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 the value reverse-roadcard crypto AI_WAN_map 1 corresponds to the address AI_WAN_1_cryptomap
card crypto AI_WAN_map 1 set peer 2.2.2.226
AI_WAN_map 1 transform-set ESP-DES-MD5 crypto card game
card crypto AI_WAN_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
AI_WAN_map AI_WAN crypto map interfaceISAKMP crypto enable AI_WAN
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
the Encryption
sha hash
Group 2
life 86400
crypto ISAKMP ipsec-over-tcp port 10000
crypto ISAKMP disconnect - notifyRoute 0.0.0.0 AI_WAN 0.0.0.0 1.1.1.254
Route AI_WAN 4.4.4.0 255.255.255.0 2.2.2.226AI_WAN_1_cryptomap to access extended list ip 3.3.3.0 allow 255.255.255.0 4.4.4.0 255.255.255.0
tunnel-group 2.2.2.226 type ipsec-l2l
tunnel-group 2.2.2.226 General-attributes
IPSec-attributes tunnel-group 2.2.2.226
pre-shared key *.CONFIG ROUTER 871:
crypto ISAKMP policy 2
preshared authentication
Group 2
isakmp encryption key * address 1.1.1.26Crypto ipsec transform-set esp - esp-md5-hmac des-md5
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to1.1.1.26
defined by peer 1.1.1.26
the transform-set des-md5 value
match address 100interface FastEthernet4
IP 2.2.2.226 255.255.255.0
IP virtual-reassembly
automatic duplex
automatic speed
map SDM_CMAP_1 cryptointerface Vlan1
IP 4.4.4.254 255.255.255.0
IP virtual-reassemblyIP route 0.0.0.0 0.0.0.0 2.2.2.225
IP route 3.3.3.0 255.255.255.0 1.1.1.26access-list 100 permit ip 4.4.4.0 0.0.0.255 3.3.3.0 0.0.0.255
DEBUGGING OF ASA 5510
ciscoasa (config) # 25 Feb 21:58:07 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + SA (1) the SELLER (13) + the SELLER (13), SELLER (13) + (0) NONE total length: 180
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, SA payload processing
25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, Oakley proposal is acceptable
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, worm received 03 NAT-Traversal, VID
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, received NAT-Traversal worm 02 VID
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA payload processing
25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA proposal # 1, turn # 1 entry overall IKE acceptable matches # 4
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, build the payloads of ISAKMP security
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing the payload of the NAT-Traversal VID ver 02
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, construction of Fragmentation VID + load useful functionality
25 FEV 21:58: 07 [IKEv1]: IP = 2.2.2.226, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
25 FEV 21:58: 15 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
25 FEV 21:58: 17 [IKEv1]: IP = 2.2.2.226, first detected duplicate package. Ignoring the package.
25 FEV 21:58: 23 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
25 FEV 21:58: 27 [IKEv1]: IP = 2.2.2.226, first detected duplicate package. Ignoring the package.
25 FEV 21:58: 31 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
25 FEV 21:58: 37 [IKEv1]: IP = 2.2.2.226, first detected duplicate package. Ignoring the package.
25 FEV 21:58: 39 [IKEv1 DEBUG]: IP = 2.2.2.226, case of mistaken IKE MM Responder WSF (struct & 0xadb2fdf8), : MM_DONE, EV_ERROR--> MM_WAIT_MSG3, EV_TIMEOUT--> MM_WAIT_MSG3 NullEvent--> MM_SND_MSG2, EV_SND_MSG--> MM_SND_MSG2, EV_START_TMR--> MM_SND_MSG2, EV_RESEND_MSG--> MM_WAIT_MSG3, EV_TIMEOUT--> MM_WAIT_MSG3, NullEvent
25 FEV 21:58: 39 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA MM:8d4057b1 ending: flags 0 x 01000002, refcnt 0, tuncnt 0
25 FEV 21:58: 39 [IKEv1 DEBUG]: IP = 2.2.2.226, sending clear/delete with the message of reason
25 FEV 21:58: 47 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + SA (1) the SELLER (13) + the SELLER (13), SELLER (13) + (0) NONE total length: 180
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, SA payload processing
25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, Oakley proposal is acceptable
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, worm received 03 NAT-Traversal, VID
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, received NAT-Traversal worm 02 VID
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA payload processing
25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA proposal # 1, turn # 1 entry overall IKE acceptable matches # 4
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, build the payloads of ISAKMP security
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing the payload of the NAT-Traversal VID ver 02
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, construction of Fragmentation VID + load useful functionality
25 FEV 21:58: 47 [IKEv1]: IP = 2.2.2.226, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
25 FEV 21:58: 55 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
25 FEV 21:58: 57 [IKEv1]: IP = 2.2.2.226, first detected duplicate package. Ignoring the package.
25 FEV 21:59: 03 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
25 FEV 21:59: 11 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
25 FEV 21:59: 19 [IKEv1 DEBUG]: IP = 2.2.2.226, case of mistaken IKE MM Responder WSF (struct & 0xadb2fdf8), : MM_DONE, EV_ERROR--> MM_WAIT_MSG3, EV_TIMEOUT--> MM_WAIT_MSG3 NullEvent--> MM_SND_MSG2, EV_SND_MSG--> MM_SND_MSG2, EV_START_TMR--> MM_SND_MSG2, EV_RESEND_MSG--> MM_WAIT_MSG3, EV_TIMEOUT--> MM_WAIT_MSG3, NullEvent
25 FEV 21:59: 19 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA MM:7622 has 639 ending: flags 0 x 01000002, refcnt 0, tuncnt 0
25 FEV 21:59: 19 [IKEv1 DEBUG]: IP = 2.2.2.226, sending clear/delete with the message of reasonDEBUGGING OF 871 ROUTER
871_router #debu cry isa
871_router #ping 3.3.3.20 4.4.4.254 sourceType to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 3.3.3.20, wait time is 2 seconds:
Packet sent with a source address of 4.4.4.254Feb 25 21:58:06.799: ISAKMP: (0): profile of THE request is (NULL)
21:58:06.799 25 Feb: ISAKMP: created a struct peer 1.1.1.26, peer port 500
21:58:06.799 25 Feb: ISAKMP: new position created post = 0x834B2AB4 peer_handle = 0x8000000C
21:58:06.799 25 Feb: ISAKMP: lock struct 0x834B2AB4, refcount 1 to peer isakmp_initiator
21:58:06.799 25 Feb: ISAKMP: 500 local port, remote port 500
21:58:06.799 25 Feb: ISAKMP: set new node 0 to QM_IDLE
25 Feb 21:58:06.799: insert his with his 83476114 = success
21:58:06.799 25 Feb: ISAKMP: (0): cannot start aggressive mode, try the main mode.
21:58:06.799 25 Feb: ISAKMP: (0): pair found pre-shared key matching 1.1.1.26
Feb 25 21:58:06.799: ISAKMP: (0): built the seller-07 ID NAT - t
Feb 25 21:58:06.799: ISAKMP: (0): built of NAT - T of the seller-03 ID
Feb 25 21:58:06.799: ISAKMP: (0): built the seller-02 ID NAT - t
21:58:06.799 25 Feb: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
21:58:06.799 25 Feb: ISAKMP: (0): former State = new State IKE_READY = IKE._I_MM1Feb 25 21:58:06.803: ISAKMP: (0): Beginner Main Mode Exchange
Feb 25 21:58:06.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE...
Success rate is 0% (0/5)
Sokuluk #.
Feb 25 21:58:16.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
21:58:16.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 1 5: retransmit the phase 1
Feb 25 21:58:16.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
Feb 25 21:58:16.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:58:26.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
21:58:26.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
Feb 25 21:58:26.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
Feb 25 21:58:26.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
21:58:36.799 25 Feb: ISAKMP: set new node 0 to QM_IDLE
21:58:36.799 25 Feb: ISAKMP: (0): SA is still budding. Attached new request ipsec. (2.2.2.226 local 1.1.1.26 remote)
21:58:36.799 25 Feb: ISAKMP: error during the processing of HIS application: failed to initialize SA
21:58:36.799 25 Feb: ISAKMP: error while processing message KMI 0, error 2.
Feb 25 21:58:36.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
21:58:36.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
Feb 25 21:58:36.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
Feb 25 21:58:36.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:58:46.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
21:58:46.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
Feb 25 21:58:46.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
Feb 25 21:58:46.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:58:56.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
21:58:56.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 5 of 5: retransmit the phase 1
Feb 25 21:58:56.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
Feb 25 21:58:56.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
21:59:06.799 25 Feb: ISAKMP: (0): the peer is not paranoid KeepAlive.21:59:06.799 25 Feb: ISAKMP: (0): removal of reason HIS State "P1 remove notification (en)" (I) MM_NO_STATE (post 1.1.1.26)
21:59:06.799 25 Feb: ISAKMP: (0): removal of reason HIS State "P1 remove notification (en)" (I) MM_NO_STATE (post 1.1.1.26)
21:59:06.799 25 Feb: ISAKMP: Unlocking counterpart struct 0x834B2AB4 for isadb_mark_sa_deleted(), count 0
21:59:06.799 25 Feb: ISAKMP: delete peer node by peer_reap for 1.1.1.26: 834B2AB4
21:59:06.799 25 Feb: ISAKMP: (0): node-254301187 error suppression FALSE reason 'IKE deleted.
21:59:06.799 25 Feb: ISAKMP: (0): node-1584635621 error suppression FALSE reason 'IKE deleted.
21:59:06.799 25 Feb: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
21:59:06.799 25 Feb: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_DEST_SAHere is the download page for 871 router - IOS 12.4 (15) T14:
However, you will need to have Smartnet contract and your link of CEC account to the contract in order to download the software.
-
Resolution in real-time for IPSec Tunnel peer
Hello
There is a document on Cisco's Web site
http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t4/feature/guide/gtrlres.html
explaining that when setting up a card encryption static and peer instead of the IP address peer, we can specify following domain COMPLETE with "dynamic" command name I tried this option and no luck. My VPN end point (routers 2611XM and 831) solve another name with a DNS server, but when it starts to lap crypto maps to interfaces I get the following error message:
ISAKMP: reminder: no SA is for 0.0.0.0/0.0.0.0 [vrf 0]
Virtually no SAs are set up and malfunctioning coming IPSec tunnel.
Everyone tried and had the same problem? I would appreciate your help on this.
Thank you
Remi
What authentication method you use? If you use "pre-shared" you can't always use not "cry isa key... name...". "even if the DNS resolves this IP. It is a feature of the IKE Messrs. use so, CERT.
-
Can I use private as Source IPs from a remote network IP addresses while building the IPSec tunnel? If not why? If so, how?
Your explanation is much appreciated.
Hi Deepak,
In such a situation, you usually NAT traffic that goes to the internet, but exempt traffic that goes through the VPN, because it will be wrapped in packages with public IP (tunnel) addresses. You can use the same IP address on your interface in the face of internet for the NAT/PAT and source of IPSEC Tunnel.
-
Cisco ASA - l2l IPSEC tunnel two dynamic hosts
Hello
I have two firewall Cisco ASA an i want to made a l2l between two ipsec tunnel, the problem is that both parties have a dynamic IP, on both sides I have configured dyndns, can I did an ipsec tunnel using dyndns name such as address peer?
Hello
ASA supports only the RFC compliant method for updates used with dynamic DNS, not updates HTTP, such as dyndns.org and others use.
i.e. https://tools.cisco.com/bugsearch/bug/CSCsk25102/?reffering_site=dumpcrOn ASA, it is not possible to configure the tunnel between two dynamic peers.
You will need to have a static end to configure static to dynamic IP.For routers, you can follow this link.
I hope this helps.Kind regards
Dinesh MoudgilPS Please rate helpful messages.
-
ASA 8.6 - l2l IPsec tunnel established - not possible to ping
Hello world
I have a problem of configuration of the CISCO ASA 5512-x (IOS 8.6).
The IPsec tunnel is created between ASA and an another non-CISCO router (hereinafter "router"). I can send packets ping from router to ASA, but ASA is NOT able to meet these demands. Sending requests of ASA is also NOT possible.
I'm trying to interconnect with the network 192.168.2.0/24 (CISCO, interface DMZ) premises and 192.168.3.0/24 (router).
The CISCO ASA has a static public IP address. The router has a dynamic IP address, so I use the dynamic-map option...
Here is the output of "show run":
---------------------------------------------------------------------------------------------------------------------------------------------
ASA 1.0000 Version 2
!
ciscoasa hostname
activate oBGOJTSctBcCGoTh encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface GigabitEthernet0/0
nameif outside
security-level 0
address IP X.X.X.X 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
the IP 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
IP 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
management only
!
passive FTP mode
internal subnet object-
192.168.0.0 subnet 255.255.255.0
object Web Server external network-ip
host Y.Y.Y.Y
Network Web server object
Home 192.168.2.100
network vpn-local object - 192.168.2.0
Subnet 192.168.2.0 255.255.255.0
network vpn-remote object - 192.168.3.0
subnet 192.168.3.0 255.255.255.0
outside_acl list extended access permit tcp any object Web server
outside_acl list extended access permit tcp any object webserver eq www
access-list l2l-extensive list allowed ip, vpn-local - 192.168.2.0 vpn-remote object - 192.168.3.0
dmz_acl access list extended icmp permitted an echo
pager lines 24
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
MTU 1500 DMZ
management of MTU 1500
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
NAT (DMZ, outside) static static vpn-local destination - 192.168.2.0 vpn-local - 192.168.2.0, 192.168.3.0 - remote control-vpn vpn-remote control - 192.168.3.0
!
internal subnet object-
NAT dynamic interface (indoor, outdoor)
Network Web server object
NAT (DMZ, outside) Web-external-ip static tcp www www Server service
Access-Group global dmz_acl
Route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Enable http server
http 192.168.1.0 255.255.255.0 management
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
IKEv1 crypto ipsec transform-set ikev1-trans-set esp-3des esp-md5-hmac
Crypto ipsec ikev2 proposal ipsec 3des-GNAT
Esp 3des encryption protocol
Esp integrity md5 Protocol
Crypto dynamic-map dynMidgeMap 1 match l2l-address list
Crypto dynamic-map dynMidgeMap 1 set pfs
Crypto dynamic-map dynMidgeMap 1 set ikev1 ikev1-trans-set transform-set
Crypto dynamic-map dynMidgeMap 1 set ikev2 ipsec-proposal 3des-GNAT
Crypto dynamic-map dynMidgeMap 1 life span of seconds set association security 28800
Crypto dynamic-map dynMidgeMap 1 the value reverse-road
midgeMap 1 card crypto ipsec-isakmp dynamic dynMidgeMap
midgeMap interface card crypto outside
ISAKMP crypto identity hostname
IKEv2 crypto policy 1
3des encryption
the md5 integrity
Group 2
FRP md5
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal midgeTrialPol group policy
attributes of the strategy of group midgeTrialPol
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
enable IPSec-udp
tunnel-group midgeVpn type ipsec-l2l
tunnel-group midgeVpn General-attributes
Group Policy - by default-midgeTrialPol
midgeVpn group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:fa02572f9ff8add7bbfe622a4801e606
: end
------------------------------------------------------------------------------------------------------------------------------
X.X.X.X - ASA public IP
Y.Y.Y.Y - a web server
Z.Z.Z.Z - default gateway
-------------------------------------------------------------------------------------------------------------------------------
ASA PING:
ciscoasa # ping DMZ 192.168.3.1
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.3.1, time-out is 2 seconds:
?????
Success rate is 0% (0/5)
PING from router (debug on CISCO):
NAT ciscoasa #: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 0 len = 40
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 1 len = 40
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 2 len = 40
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = len 3 = 40
-------------------------------------------------------------------------------------------------------------------------------
ciscoasa # show the road outside
Code: C - connected, S - static, RIP, M - mobile - IGRP, R - I, B - BGP
D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone
N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2
E1 - OSPF external type 1, E2 - external OSPF of type 2, E - EGP
i - IS - L1 - IS - IS level 1, L2 - IS - IS IS level 2, AI - IS inter zone
* - candidate by default, U - static route by user, o - ODR
P periodical downloaded static route
Gateway of last resort is Z.Z.Z.Z to network 0.0.0.0
C Z.Z.Z.0 255.255.255.0 is directly connected to the outside of the
S 192.168.3.0 255.255.255.0 [1/0] via Z.Z.Z.Z, outdoors
S * 0.0.0.0 0.0.0.0 [1/0] via Z.Z.Z.Z, outdoors
-------------------------------------------------------------------------------------------------------------------------------
Do you have an idea that I am wrong? Probably some bad NAT/ACL I suppose, but I could always find something only for 8.4 iOS and not 8.6... Perhaps and no doubt I already missed the configuration with the unwanted controls, but I've tried various things...
Please, if you have an idea, let me know! Thank you very much!
Hello
I've never used "global" option in ACL, but it looks to be the origin of the problem. Cisco doc.
"The global access rules are defined as a special ACL that is processed for each interface on the device for incoming traffic in the interface. Thus, although the ACL is configured once on the device, it acts as an ACL defined for Management In secondary interface-specific. (Global rules are always in the direction of In, never Out Management). "
You ACL: access-list extended dmz_acl to any any icmp echo
For example, when you launch the ASA, there is an echo response from the router on the external interface--> global can block.
Then to initiate router, the ASA Launches echo-reply being blocked again.
Try to add permit-response to echo as well.
In addition, you can use both "inspect icmp" in world politics than the ACL.
If none does not work, you can run another t-shoot with control packet - trace on SAA.
THX
MS
-
Hello
I was wondering if it was possible to use CRYPTOGRAPHY even for both: DMVPN and CLIENT IPsec?
To make it work, I have to use 1 crypto for the DMVPN and 1 crypto for IPsec, both systems operate on the same router, my router TALK can connect to my HUB router and my computer can connect to the router "HUB" via an IPsec tunnel.
Is their any way to make it easier, instead of doing configs in a single router for more or less the same work?
My stitching question may be stupid, sorry for that, I'm still learning, and I love it
Here below the full work DMVPN + IPsec:
Best regards
Didier
ROUTER1841 #sh run
Building configuration...
Current configuration: 9037 bytes
!
! Last configuration change to 21:51:39 gmt + 1 Monday February 7, 2011 by admin
! NVRAM config last updated at 21:53:07 gmt + 1 Monday February 7, 2011 by admin
!
version 12.4
horodateurs service debug datetime localtime
Log service timestamps datetime msec
encryption password service
!
hostname ROUTER1841
!
boot-start-marker
boot-end-marker
!
forest-meter operation of syslog messages
logging buffered 4096 notifications
enable password 7 05080F1C2243
!
AAA new-model
!
!
AAA authentication banner ^ C
THIS SYSTEM IS ONLY FOR THE USE OF AUTHORIZED FOR OFFICIAL USERS
^ C
AAA authentication login userauthen local
AAA authorization groupauthor LAN
!
!
AAA - the id of the joint session
clock time zone gmt + 1 1 schedule
clock daylight saving time gmt + 2 recurring last Sun Mar 02:00 last Sun Oct 03:00
dot11 syslog
no ip source route
!
!
No dhcp use connected vrf ip
DHCP excluded-address IP 192.168.10.1
DHCP excluded-address IP 192.168.20.1
DHCP excluded-address IP 192.168.30.1
DHCP excluded-address IP 192.168.100.1
IP dhcp excluded-address 192.168.1.250 192.168.1.254
!
IP dhcp pool vlan10
import all
network 192.168.10.0 255.255.255.0
default router 192.168.10.1
lease 5
!
IP dhcp pool vlan20
import all
network 192.168.20.0 255.255.255.0
router by default - 192.168.20.1
lease 5
!
IP dhcp pool vlan30
import all
network 192.168.30.0 255.255.255.0
default router 192.168.30.1
!
IP TEST dhcp pool
the host 192.168.100.20 255.255.255.0
0100.2241.353f.5e client identifier
!
internal IP dhcp pool
network 192.168.100.0 255.255.255.0
Server DNS 192.168.100.1
default router 192.168.100.1
!
IP dhcp pool vlan1
network 192.168.1.0 255.255.255.0
Server DNS 8.8.8.8
default router 192.168.1.1
lease 5
!
dhcp MAC IP pool
the host 192.168.10.50 255.255.255.0
0100.2312.1c0a.39 client identifier
!
IP PRINTER dhcp pool
the host 192.168.10.20 255.255.255.0
0100.242b.4d0c.5a client identifier
!
MLGW dhcp IP pool
the host 192.168.10.10 255.255.255.0
address material 0004.f301.58b3
!
pool of dhcp IP pc-vero
the host 192.168.10.68 255.255.255.0
0100.1d92.5982.24 client identifier
!
IP dhcp pool vlan245
import all
network 192.168.245.0 255.255.255.0
router by default - 192.168.245.1
!
dhcp VPN_ROUTER IP pool
0100.0f23.604d.a0 client identifier
!
dhcp QNAP_NAS IP pool
the host 192.168.10.100 255.255.255.0
0100.089b.ad17.8f client identifier
name of the client QNAP_NAS
!
!
IP cef
no ip bootp Server
IP domain name dri
host IP SW12 192.168.1.252
host IP SW24 192.168.1.251
IP host tftp 192.168.10.50
host IP of Router_A 192.168.10.5
host IP of Router_B 10.0.1.1
IP ddns update DynDNS method
HTTP
Add http://dri66: [email protected] / * *//nic/update?system=dyndns&hostname=mlgw.dyndns.info&myip=[email protected] / * //nic/update?system=dyndns&hostname=mlgw.dyndns.info&myip=
maximum interval 1 0 0 0
minimum interval 1 0 0 0
!
NTP 66.27.60.10 Server
!
Authenticated MultiLink bundle-name Panel
!
!
Flow-Sampler-map mysampler1
Random mode one - out of 100
!
Crypto pki trustpoint TP-self-signed-2996752687
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 2996752687
revocation checking no
rsakeypair TP-self-signed-2996752687
!
!
VTP version 2
username Admin privilege 15 secret 5 $1$ gAFQ$ 2ecAHSYEU9g7b6WYuTY9G.
username cisco password 7 02050D 480809
Archives
The config log
hidekeys
!
!
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 10
md5 hash
preshared authentication
ISAKMP crypto cisco123 key address 0.0.0.0 0.0.0.0
!
ISAKMP crypto client configuration group 3000client
key cisco123
DNS 8.8.8.8
dri.eu field
pool VPNpool
ACL 150
!
!
Crypto ipsec transform-set strong esp-3des esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
!
Profile cisco ipsec crypto
define security-association life seconds 120
transformation-strong game
!
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
!
!
map clientmap client to authenticate crypto list userauthen
card crypto clientmap isakmp authorization list groupauthor
client configuration address map clientmap crypto answer
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
!
!
!
property intellectual ssh time 60
property intellectual ssh authentication-2 retries
IP port ssh 8096 Rotary 1
property intellectual ssh version 2
!
!
!
interface Loopback0
IP 192.66.66.66 255.255.255.0
!
interface Tunnel0
172.16.0.1 IP address 255.255.255.0
no ip redirection
IP mtu 1440
no ip next-hop-self eigrp 90
property intellectual PNDH authentication cisco123
dynamic multicast of IP PNDH map
PNDH network IP-1 id
No eigrp split horizon ip 90
source of tunnel FastEthernet0/0
multipoint gre tunnel mode
0 button on tunnel
Cisco ipsec protection tunnel profile
!
interface FastEthernet0/0
DMZ description
IP ddns update hostname mlgw.dyndns.info
IP ddns update DynDNS
DHCP IP address
no ip unreachable
no ip proxy-arp
NAT outside IP
IP virtual-reassembly
automatic duplex
automatic speed
clientmap card crypto
!
interface FastEthernet0/0,241
Description VLAN 241
encapsulation dot1Q 241
DHCP IP address
IP access-group dri-acl-in in
NAT outside IP
IP virtual-reassembly
No cdp enable
!
interface FastEthernet0/0.245
encapsulation dot1Q 245
DHCP IP address
IP access-group dri-acl-in in
NAT outside IP
IP virtual-reassembly
No cdp enable
!
interface FastEthernet0/1
Description INTERNAL ETH - LAN$
IP 192.168.100.1 address 255.255.255.0
no ip proxy-arp
IP nat inside
IP virtual-reassembly
Shutdown
automatic duplex
automatic speed
!
interface FastEthernet0/0/0
switchport access vlan 10
spanning tree portfast
!
interface FastEthernet0/0/1
switchport access vlan 245
spanning tree portfast
!
interface FastEthernet0/0/2
switchport access vlan 30
spanning tree portfast
!
interface FastEthernet0/0/3
switchport mode trunk
!
interface Vlan1
IP address 192.168.1.250 255.255.255.0
IP nat inside
IP virtual-reassembly
!
interface Vlan10
IP 192.168.10.1 255.255.255.0
IP nat inside
IP virtual-reassembly
!
interface Vlan20
address 192.168.20.1 255.255.255.0
IP nat inside
IP virtual-reassembly
!
Vlan30 interface
192.168.30.1 IP address 255.255.255.0
IP nat inside
IP virtual-reassembly
!
interface Vlan245
IP 192.168.245.1 255.255.255.0
IP nat inside
IP virtual-reassembly
!
Router eigrp 90
network 172.16.0.0
network 192.168.10.0
No Auto-resume
!
IP pool local VPNpool 172.16.1.1 172.16.1.100
IP forward-Protocol ND
no ip address of the http server
local IP http authentication
IP http secure server
!
IP flow-cache timeout idle 130
IP flow-cache timeout active 20
cache IP flow-aggregation prefix
cache timeout idle 400
active cache expiration time 25
!
!
overload of IP nat inside source list 170 interface FastEthernet0/0
overload of IP nat inside source list interface FastEthernet0/0.245 NAT1
IP nat inside source static tcp 192.168.10.10 80 interface FastEthernet0/0 8095
!
access-list 150 permit ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 170 refuse ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 170 refuse ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 170 permit ip 192.168.10.0 0.0.0.255 any
access-list 180 deny ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 180 permit ip 192.168.10.0 0.0.0.255 any
not run cdp
!
!
!
route NAT allowed 10 map
corresponds to the IP 180
!
!
!
control plan
!
exec banner ^ C
WELCOME YOU ARE NOW LOGED IN
^ C
connection of the banner ^ C
WARNING!
IF YOU ARE NOT:
Didier Ribbens
Please leave NOW!
YOUR IP and MAC address will be LOGGED.
^ C
!
Line con 0
Speed 115200
line to 0
line vty 0 4
access-class 5
privilege level 15
Rotary 1
transport input telnet ssh
line vty 5 15
access-class 5
Rotary 1
!
Scheduler allocate 20000 1000
end
Didier,
Some time ago, I wrote a bit on VT, you should be able to find information about the server ezvpn DVTI it.
The configuartion you have right now is the way to strives for ezvpn, with the new way DMVPN (protection of tunnel).
If it is true for the most part, it is best to go on the learning curve Moose and go everythign new configuration.
With EZVPN you can always assign IP from the pool by group ezvpn or external authorization ;-)
Anyway let me know if you face any problems.
Marcin
-
In which case I use a DMVPN IPSEC technology for branch connectivity, used ISP know what kind of traffic I run because it is encrypted in the end.
DMVPN package use is first encapsulated in GRE and then encrypted with IPSEC authentication information. Because the ultimate traffic is IPSEC requires ISP/provider leave the port UDP 500 and ESP open. Once the tunnel is created I can pass any type of traffic because it will use ESP.
Given what I saw a few deployments where we put in place this kind of solution and telephone traffic did not and ip phones were unable to register. Most of the guys have pointed out that it could possibly be because ISP blocks the SCCP traffic, but my concern is that if we have a branch at Headquarters IPSEC tunnel how the ISP can detect this thing and drop it.
Please provide feedback on this.
The provider cannot see inside the tunnel. Only, he could assume that it could be the voice traffic:
The voice parameters the value DSCP-in IP header when they send traffic. These values are copied to the outer IP header when the traffic is encrypted. With this function you can also do QoS on encrypted traffic.
But I do not think that a provider might filter on this traffic.
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni -
IPSec tunnel between a client connection mobility and WRV200
Someone has set up an IPSec tunnel between a client connection mobility and WRV200? I can't get the right configuration.
Agitation, these products are treated by the Cisco Small Business support community. Please refer to the URL: https://supportforums.cisco.com/community/netpro/small-business
-
IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and static
Hello
My problem isn't really the IPSec connection between two devices (it is already done...) But my problem is that I have a mail server on the site of Cisco, who have a static NAT from inside to outside. Due to the static NAT, I do not see the server in the VPN tunnel. I found a document that almost describes the problem:
"Configuration of a router IPSEC Tunnel private-to-private network with NAT and static" (Document ID 14144)
NAT takes place before the encryption verification!
In this document, the solution is 'routing policy' using the loopback interface. But, how can I handle this with the Netscreen firewall. Someone has an idea?
Thanks for any help
Best regards
Heiko
Hello
Try to change your static NAT with static NAT based policy.
That is to say the static NAT should not be applicable for VPN traffic
permissible static route map 1
corresponds to the IP 104
access-list 104 refuse host ip 10.1.110.10 10.1.0.0 255.255.0.0
access-list 104 allow the host ip 10.1.110.10 all
IP nat inside source static 10.1.110.10 81.222.33.90 map of static route
HTH
Kind regards
GE.
-
I purchased Mikrotik hardware devices and want to use routeros seat firewall cisco asa establish VPN. Aims to establish that a branch may be two IPSEC VPN access devices at the headquarters of the server via the public network.
But now, I'm having some trouble, so I have cisco asa branches and headquarters to establish successful ipsec vpn.
(1) branch routeros WAN port using a private IP address and is a member of the asa above outdoor sound created vpn ipsec, vpn successfully established internal servers and I ping the switch at the headquarters of the branch. However, there is a problem, I go through routeros visit that the headquarters of the https server pages can not be opened, telnet internal switches can telnet to the top, but were unable to penetrate into the character.
(2) in addition, I left the branch routeros on a public IP address WAN port and asa VPN IPSEC created seat, said problems above are not, the server can also be accessed, telnet switch can also enter text and control.
At the present time, I have encountered this problem of interface not CAN not because I need to create of very, very many industries and the need to establish headquarters communications branch offices so I have to use private IP addresses to access the Wan, unable to do wan are public IP address and headquarters to establish IPSEC VPN.now, I can't telnet asa inside the cisco router and open the web inside https, I can't solve the problems.
now, registrants of asa:
interface GigabitEthernet0/0
nameif outside
security-level 0
IP 49.239.3.10 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
IP 172.17.0.111 255.255.255.0network of the object inside
172.17.1.0 subnet 255.255.255.0
network outsidevpn object
Subnet 192.168.0.0 255.255.0.0QQQ
NAT (inside, outside) static source inside inside destination static outsidevpn outsidevpn non-proxy-arp-search to itinerary
Route outside 0.0.0.0 0.0.0.0 49.239.3.1 1
Route inside 172.17.1.0 255.255.255.0 172.17.0.5 1Crypto ipsec transform-set esp-3des esp-md5-hmac ikev1 cisco
Crypto ipsec pmtu aging infinite - the security association
Crypto dynamic-map cisco 1000 set pfs
Crypto dynamic-map cisco 1000 set transform-set cisco ikev1
Crypto dynamic-map cisco 1000 value reverse-road
Cisco-cisco ipsec isakmp dynamic 1000 card crypto
cisco interface card crypto outside
trustpool crypto ca policy
Crypto isakmp nat-traversal 60
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400IPSec-attributes tunnel-group DefaultL2LGroup
IKEv1 pre-shared-key *.Hello
Could you share the output of the counterpart of its IPSec cry see the 49.239.3.10 of the other device?
Kind regards
Aditya
-
Hello
I have a Cisco IOS router and you want to configure an IPSec tunnel between myself and the client. Unfortunately, we have two overlapping of 10 network IP addresses.
Is it possible for me to just Nat addresses IP on my side or should the customer Nat as well?
I have configured NAT on the inside of the interface for 10.134.206.1 to 192.168.156.6 so that Nat happens before that packages are encrypted in the tunnel, however tunnel is not coming. The client uses a sonic firewall and allowed their 10.91.0.0/16 network 192.168.156.0/24.
See attachment
Kind regards
They are wrong to installation. Remote local networks are not 10.134.206.0 and 10.134.206/42. It is simply your public IP address.
-
IPSec tunnel and NetFlow packets
I have a router 1841 IPSec running with an ASA. F0/0 is the source interface. I also set up NetFlow, which must be sent through the IPSec tunnel to the parser. The acl setting the IPSec interesting traffic covers addresses, source and destination of NetFlow. But NetFlow Traffic is not captured by the tunnel. When I ping the destination router, icmp traffic is picked up and goes through the tunnel. Are there ways to force NetFlow traffic to go to the tunnel?
Thank you.
Y at - it a route to the destination address of netflow? I have noted problems with traffic heading towards a destination that was not in the routing table is not made down a VPN.
Maybe you are looking for
-
iCloud does not connect with the Apple ID server
I changed my password Apple ID. The new password works in all devices. However, it does not work with iCloud in my Macbook. He said that there is a connection error with the Apple ID I server disconnected icloud and signed nothing doesn't. Help? MacB
-
I see that there is a deal with a secondary battery for iPhone 6. No idea if he's going for 6 + and 6 s +?
-
I can't click on links email on all pages. It causes Firefox open multiple tabs a lot, a lot, I can't close. My only recourse is to exit Firefox and restart it. It happens most of the time, while for clicking an e-mail link I have to open another bro
-
Can anyone recommend a compatible 3G card for the Satellite P10
Can anyone recommend a compatible 3G card for the Satellite P10?I tried to use a vodafone gprs card that the machine would not work with. Thank you
-
Hello I just got my new Ideacentre A310 all-in-one desktop computer. I never intend to use the operating system pre-installed, so I started the system, read the license agreement of MS and rebooted with my Ubuntu 10.10 live-USB. Now, something strang