Decision on DMVPN and L2L simple IPsec tunnels

I have a project where I need to make a decision on which solution to implement... environment is as follows...

4 branches.
Each branch has 2 subnets; one for DATA and another for VOICE
2 ISPS in each (an Internet access provider and a provider of MPLS)
Branch #1 isn't necessarily the HUB office that all database servers and files are there are
Branch #2 is actually where the phone equipment
Other 2 branches are just branches speaks (may not need never DATA interconnectivy, but they do need interconnection VOICE when they call since we spoke directly to the other)
MPLS is currently used for telephone traffic.
ISP provider link is used for site to site tunnels that traverse the internet, and it is the primary path for DATA. Means that all branch DATA subnets use the tunnels from site to site as main road to join the #1 branch where all files and databases are located.
I'd like to have redundancy in case the network MPLS down for all traffic VOICE switch to L2L tunnels.

My #1 Option

Because it isn't really a star to the need, I don't really know if I want to apply DMVPN, although I read great things about it. In addition, another reason, I would have perhaps against DMVPN is the 'delay' involved, at least during initialization, communications having spoke-to-spoke. There is always a broken package when a department wants to initiate communication with one another.

My #2 Option

My other choice is just deploy L2L IPSec tunnels between all 4 branches. It's certainly much easier to install than DMVPN although DMVPN can without routing protocols that I think I'll need. But with these Plains L2L IPSec tunnels, I can also add the GRE tunnels and the routing of traffic protocols it as well as all multicast traffic. In addition, I can easily install simple IP SLA that will keep all tunnels upwards forever.

Can someone please help to choose one over the other is? or if I'm just okay with the realization of the #2 option

Thanks in advance

Hi ciscobigcat

Yes, OSPF will send periodic packets 'Hello' and they will maintain the tunnels at all times.

The numbers that you see (143 and 1001) are the "cost" of the track, so OSPF (Simplified) will calculate what different paths there are to a destination and assign each of them a 'cost' (by assigning a cost to each segment of the path, for example GigabitEthernet is "lower cost" Fastethernet and then adding the costs of all segments).

Then it will take the path to the lowest cost (143 in your case, in normal operation) and insert this in the routing table.

So since traffic is already going the right way, I don't know if you still need any tweaking? Personally, I would not add a second routing protocol because, generally, makes things more complicated.

QoS, it is important to use "prior qos rank".

See for example

http://www.Cisco.com/en/us/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/IPSecQoS.html

http://www.Cisco.com/en/us/Tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml

HTH

Herbert

Tags: Cisco Security

Similar Questions

Packet encryption and decryption by IPSEC Tunnel

Hello world

You must confirm if Site A has VPN IPSEC to Site B through Public network.

PCs on site say a package is sent in clear text to the switch, then switch sends to the VPN router.

Router VPN to site A will make encryption and send over a WAN link encrypted.

When the packet reaches a router B Site it will decrypt the packet and send clear text to PC right of the site B?

Thank you

MAhesh

Hello Manu,

Yes, you are right.

Encryption and decryption will perform VPN closing devices.

Best regards

Eugene

Strange problem in IPSec Tunnel - 8.4 NAT (2)

Helloo all,.

This must be the strangest question I've seen since the year last on my ASA.

I have an ASA 5540, who runs the code of 8.4 (2) without any problem until I ran into this problem last week and I spent sleepless nights with no resolution! Then, take a deep breath and here is a brief description of my setup and the problem:

A Simple IPSEC tunnel between my 8.4 (2) ASA 5540 and a Juniper SSG 140 6.3.0r9.0 (road OS based VPN) screen

The tunnel rises without any problem but the ASA refused to encrypt the traffic but it decrypts with GLORY!

Here are a few outputs debug, see the output and a package tracer output that also has an explanation of my problem of NAT WEIRD:

my setup - (I won't get into the details of encryption tunnel as my tunnel negotiations are perfect and returns from the outset when the ASA is configured as response only)

CISCO ASA - IPSec network details

LAN - 10.2.4.0/28

REMOTE NETWORK - 192.168.171.8/32

JUNIPER SSG 140 - IPSec networks details

ID OF THE PROXY:

LAN - 192.168.171.8/32

REMOTE NETWORK - 10.2.4.0/28

Name host # sh cry counterpart his ipsec

peer address:

Tag crypto map: outside_map, seq num: 5, local addr:

outside_cryptomap_4 to access extended list ip 10.2.4.0 allow 255.255.255.240 host 192.168.171.8

local ident (addr, mask, prot, port): (10.2.4.0/255.255.255.240/0/0)

Remote ident (addr, mask, prot, port): (192.168.171.8/255.255.255.255/0/0)

current_peer:

#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

#pkts decaps: 72, #pkts decrypt: 72, #pkts check: 72

compressed #pkts: 0, unzipped #pkts: 0

#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0

success #frag before: 0, failures before #frag: 0, #fragments created: 0

Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0

#send errors: 0, #recv errors: 0

local crypto endpt. : 0, remote Start. crypto: 0

Path mtu 1500, fresh ipsec generals 58, media, mtu 1500

current outbound SPI: 5041C19F

current inbound SPI: 0EC13558

SAS of the esp on arrival:

SPI: 0x0EC13558 (247543128)

transform: esp-3des esp-sha-hmac no compression

running parameters = {L2L, Tunnel}

slot: 0, id_conn: 22040576, crypto-card: outside_map

calendar of his: service life remaining key (s): 3232

Size IV: 8 bytes

support for replay detection: Y

Anti-replay bitmap:

0xFFFFFFFF to 0xFFFFFFFF

outgoing esp sas:

SPI: 0x5041C19F (1346486687)

transform: esp-3des esp-sha-hmac no compression

running parameters = {L2L, Tunnel}

slot: 0, id_conn: 22040576, crypto-card: outside_map

calendar of his: service life remaining key (s): 3232

Size IV: 8 bytes

support for replay detection: Y

Anti-replay bitmap:

0x00000000 0x00000001

CONTEXTS for this IPSEC VPN tunnel:

# Sh asp table det vpn context host name

VPN CTX = 0x0742E6BC

By peer IP = 192.168.171.8

Pointer = 0x78C94BF8

State = upwards

Flags = BA + ESP

ITS = 0X9C28B633

SPI = 0x5041C19D

Group = 0

Pkts = 0

Pkts bad = 0

Incorrect SPI = 0

Parody = 0

Bad crypto = 0

Redial Pkt = 0

Call redial = 0

VPN = filter

VPN CTX = 0x07430D3C

By peer IP = 192.168.1.8

Pointer = 0x78F62018

State = upwards

Flags = DECR + ESP

ITS = 0X9C286E3D

SPI = 0x9B6910C5

Group = 1

Pkts = 297

Pkts bad = 0

Incorrect SPI = 0

Parody = 0

Bad crypto = 0

Redial Pkt = 0

Call redial = 0

VPN = filter

outside_cryptomap_4 to access extended list ip 10.2.4.0 allow 255.255.255.240 host 192.168.171.8

NAT (inside, outside) static source Ren - Ren - about destination static counterpart-host peer to route non-proxy-arp-search

network of the Ren - around object

subnet 10.2.4.0 255.255.255.240

network of the host object counterpart

Home 192.168.171.8

HS cry ipsec his

IKE Peer:

Type: L2L role: answering machine

Generate a new key: no State: MM_ACTIVE

output packet tracer extracted a packet transmitted by the network of 10.2.4.0/28 to 192.168.171.8 host

Phase: 7

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional information:

Direct flow from returns search rule:

ID = 0x7789d788, priority = 70, domain = encrypt, deny = false

Hits = 2, user_data is0x742e6bc, cs_id = 0x7ba38680, reverse, flags = 0 x 0 = 0 protocol

IP/ID=10.2.4.0 SRC, mask is 255.255.255.240, port = 0

IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0

input_ifc = none, output_ifc = external

VPN settings corresponding to the encrytpion + encapsulation and the hits here increment only when I run a test of tracer from my host on the remote peer inside package.

A tracer complete package out for a packet of the 10.2.4.1 255.255.255.255 network to host 192.168.171.8:

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit rule

Additional information:

Direct flow from returns search rule:

ID = 0x77ebd1b0, priority = 1, domain = allowed, deny = false

hits = 3037156, user_data = 0 x 0, cs_id = 0 x 0, l3_type = 0 x 8

Mac SRC = 0000.0000.0000, mask is 0000.0000.0000

DST = 0000.0000.0000 Mac, mask is 0100.0000.0000

input_ifc = output_ifc = any to inside,

Phase: 2

Type:-ROUTE SEARCH

Subtype: entry

Result: ALLOW

Config:

Additional information:

in 192.168.171.0 255.255.255.0 outside

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional information:

Direct flow from returns search rule:

ID = 0x77ec1030, priority = 0, sector = inspect-ip-options, deny = true

hits = 212950, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0

IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0

input_ifc = output_ifc = any to inside,

Phase: 4

Type:

Subtype:

Result: ALLOW

Config:

Additional information:

Direct flow from returns search rule:

ID = 0x7c12cb18, priority = 18, area = import-export flows, deny = false

hits = 172188, user_data = 0x78b1f438, cs_id = 0 x 0, use_real_addr, flags = 0 x 0,

IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0

IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0

input_ifc = output_ifc = any to inside,

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

NAT (inside, outside) static source Ren - Ren - about destination static counterpart-host peer to route non-proxy-arp-search

Additional information:

Definition of static 10.2.4.1/2700 to 10.2.4.1/2700

Direct flow from returns search rule:

ID = 0x77e0a878, priority = 6, area = nat, deny = false

hits = 9, user_data is 0x7b7360a8, cs_id = 0 x 0, use_real_addr, flags = 0 x 0, proto

IP/ID=10.2.4.1 SRC, mask is 255.255.255.240, port = 0

IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0

input_ifc = inside, outside = output_ifc

(it's the weird NAT problem I see. I see the number of hits is increment only when I run the packet tracer understands even I have pings (traffic) the 192.168.171.8 constant welcomes the 10.2.4.1/28)-s'il please see the package I pasted after the capture section)

Phase: 6

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional information:

Direct flow from returns search rule:

ID = 0x7b8751f8, priority = 70, domain = encrypt, deny = false

hits = 3, user_data = 0x7432b74, cs_id = 0x7ba38680, reverse, flags = 0 x 0, proto

IP/ID=10.2.4.1 SRC, mask is 255.255.255.240, port = 0

IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0

input_ifc = none, output_ifc = external

Phase: 7

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional information:

Reverse flow from returns search rule:

ID = 0x78b0c280, priority = 69 = ipsec-tunnel-flow area, deny = false

hits = 154, user_data is 0x7435f94, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

IP/ID=192.168.171.8 SRC, mask is 255.255.255.255, port = 0

IP/ID=10.2.4.1 DST, mask is 255.255.255.240, port = 0, dscp = 0 x 0

input_ifc = out, output_ifc = any

Phase: 8

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional information:

Reverse flow from returns search rule:

ID = 0x77e7a510, priority = 0, sector = inspect-ip-options, deny = true

hits = 184556, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0

IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0

input_ifc = out, output_ifc = any

Phase: 9

Type: CREATING STREAMS

Subtype:

Result: ALLOW

Config:

Additional information:

New workflow created with the 119880921 id, package sent to the next module

Information module for forward flow...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_encrypt

snp_fp_fragment

snp_ifc_stat

Information for reverse flow...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_ipsec_tunnel_flow

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input interface: inside

entry status: to the top

entry-line-status: to the top

output interface: outside

the status of the output: to the top

output-line-status: to the top

Action: allow

Hostname # sh Cap A1

8 packets captured

1: 12:26:53.376033 192.168.10.252 > 10.2.4.1: icmp: echo request

2: 12:26:53.376597 10.2.4.1 > 192.168.10.252: icmp: echo reply

3: 12:26:56.487905 192.168.171.8 > 10.2.4.1: icmp: echo request

4: 12:27:01.489217 192.168.171.8 > 10.2.4.1: icmp: echo request

5: 12:27:03.378245 192.168.10.252 > 10.2.4.1: icmp: echo request

6: 12:27:03.378825 10.2.4.1 > 192.168.10.252: icmp: echo reply

7: 12:27:06.491597 192.168.171.8 > 10.2.4.1: icmp: echo request

8: 12:27:11.491856 192.168.171.8 > 10.2.4.1: icmp: echo request

8 packets shown

As you can see, there is no echo response packet at all because the package may not be wrapped while he was sent to.

I'm Karen with it. In addition, he is a firewall multi-tenant live production with no problems at all outside this for a Juniper ipsec tunnel!

Also, the 192.168.10.0/24 is another remote network of IPSec tunnel to this network of 10.2.4.0/28 and this IPSEC tunnel has a similar Juniper SSG 140 screen os 6.3.0r9.0 at the remote end and this woks like a charm with no problems, but the 171 is not be encrypted by the ASA at all.

If someone could help me, that would be greatt and greatly appreciated!

Thanks heaps. !

Perfect! Now you must find something else inside for tomorrow--> forecast rain again

Please kindly marks the message as answered while others may learn from it. Thank you.

ASA5510-CISCO871 DOWN IPSEC TUNNEL

Help!

Site between ASA 5510 and 871 ROUTER ipsec tunnel site cannot be established.

Config and debug info:

ASA:
1.1.1.26 external ip address
1.1.1.254 the gateway ip
3.3.3.0 LAN network
3.3.3.250 ip LAN
3.3.3.20 PC in LAN

ROUTER 871
2.2.2.226 external ip address
2.2.2.225 the gateway ip
4.4.4.0 network LAN
4.4.4.254 ip LAN
4.4.4.28 PC in LAN

ASA 5510 CONFIG:

interface Ethernet0/0
WAN description
nameif AI_WAN
security-level 0
IP 1.1.1.26 255.255.255.248

interface GigabitEthernet1/0
network LAN AB Description
nameif AB_LAN
security-level 100
IP 3.3.3.250 255.255.255.0

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
Crypto than dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 the value reverse-road

card crypto AI_WAN_map 1 corresponds to the address AI_WAN_1_cryptomap
card crypto AI_WAN_map 1 set peer 2.2.2.226
AI_WAN_map 1 transform-set ESP-DES-MD5 crypto card game
card crypto AI_WAN_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
AI_WAN_map AI_WAN crypto map interface

ISAKMP crypto enable AI_WAN
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
the Encryption
sha hash
Group 2
life 86400
crypto ISAKMP ipsec-over-tcp port 10000
crypto ISAKMP disconnect - notify

Route 0.0.0.0 AI_WAN 0.0.0.0 1.1.1.254
Route AI_WAN 4.4.4.0 255.255.255.0 2.2.2.226

AI_WAN_1_cryptomap to access extended list ip 3.3.3.0 allow 255.255.255.0 4.4.4.0 255.255.255.0

tunnel-group 2.2.2.226 type ipsec-l2l
tunnel-group 2.2.2.226 General-attributes
IPSec-attributes tunnel-group 2.2.2.226
pre-shared key *.

CONFIG ROUTER 871:

crypto ISAKMP policy 2
preshared authentication
Group 2
isakmp encryption key * address 1.1.1.26

Crypto ipsec transform-set esp - esp-md5-hmac des-md5

map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to1.1.1.26
defined by peer 1.1.1.26
the transform-set des-md5 value
match address 100

interface FastEthernet4
IP 2.2.2.226 255.255.255.0
IP virtual-reassembly
automatic duplex
automatic speed
map SDM_CMAP_1 crypto

interface Vlan1
IP 4.4.4.254 255.255.255.0
IP virtual-reassembly

IP route 0.0.0.0 0.0.0.0 2.2.2.225
IP route 3.3.3.0 255.255.255.0 1.1.1.26

access-list 100 permit ip 4.4.4.0 0.0.0.255 3.3.3.0 0.0.0.255

DEBUGGING OF ASA 5510

ciscoasa (config) # 25 Feb 21:58:07 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + SA (1) the SELLER (13) + the SELLER (13), SELLER (13) + (0) NONE total length: 180
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, SA payload processing
25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, Oakley proposal is acceptable
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, worm received 03 NAT-Traversal, VID
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, received NAT-Traversal worm 02 VID
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA payload processing
25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA proposal # 1, turn # 1 entry overall IKE acceptable matches # 4
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, build the payloads of ISAKMP security
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing the payload of the NAT-Traversal VID ver 02
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, construction of Fragmentation VID + load useful functionality
25 FEV 21:58: 07 [IKEv1]: IP = 2.2.2.226, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
25 FEV 21:58: 15 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
25 FEV 21:58: 17 [IKEv1]: IP = 2.2.2.226, first detected duplicate package. Ignoring the package.
25 FEV 21:58: 23 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
25 FEV 21:58: 27 [IKEv1]: IP = 2.2.2.226, first detected duplicate package. Ignoring the package.
25 FEV 21:58: 31 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
25 FEV 21:58: 37 [IKEv1]: IP = 2.2.2.226, first detected duplicate package. Ignoring the package.
25 FEV 21:58: 39 [IKEv1 DEBUG]: IP = 2.2.2.226, case of mistaken IKE MM Responder WSF (struct & 0xadb2fdf8) , : MM_DONE, EV_ERROR--> MM_WAIT_MSG3, EV_TIMEOUT--> MM_WAIT_MSG3 NullEvent--> MM_SND_MSG2, EV_SND_MSG--> MM_SND_MSG2, EV_START_TMR--> MM_SND_MSG2, EV_RESEND_MSG--> MM_WAIT_MSG3, EV_TIMEOUT--> MM_WAIT_MSG3, NullEvent
25 FEV 21:58: 39 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA MM:8d4057b1 ending: flags 0 x 01000002, refcnt 0, tuncnt 0
25 FEV 21:58: 39 [IKEv1 DEBUG]: IP = 2.2.2.226, sending clear/delete with the message of reason
25 FEV 21:58: 47 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + SA (1) the SELLER (13) + the SELLER (13), SELLER (13) + (0) NONE total length: 180
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, SA payload processing
25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, Oakley proposal is acceptable
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, worm received 03 NAT-Traversal, VID
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, received NAT-Traversal worm 02 VID
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA payload processing
25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA proposal # 1, turn # 1 entry overall IKE acceptable matches # 4
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, build the payloads of ISAKMP security
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing the payload of the NAT-Traversal VID ver 02
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, construction of Fragmentation VID + load useful functionality
25 FEV 21:58: 47 [IKEv1]: IP = 2.2.2.226, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
25 FEV 21:58: 55 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
25 FEV 21:58: 57 [IKEv1]: IP = 2.2.2.226, first detected duplicate package. Ignoring the package.
25 FEV 21:59: 03 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
25 FEV 21:59: 11 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
25 FEV 21:59: 19 [IKEv1 DEBUG]: IP = 2.2.2.226, case of mistaken IKE MM Responder WSF (struct & 0xadb2fdf8) , : MM_DONE, EV_ERROR--> MM_WAIT_MSG3, EV_TIMEOUT--> MM_WAIT_MSG3 NullEvent--> MM_SND_MSG2, EV_SND_MSG--> MM_SND_MSG2, EV_START_TMR--> MM_SND_MSG2, EV_RESEND_MSG--> MM_WAIT_MSG3, EV_TIMEOUT--> MM_WAIT_MSG3, NullEvent
25 FEV 21:59: 19 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA MM:7622 has 639 ending: flags 0 x 01000002, refcnt 0, tuncnt 0
25 FEV 21:59: 19 [IKEv1 DEBUG]: IP = 2.2.2.226, sending clear/delete with the message of reason

DEBUGGING OF 871 ROUTER

871_router #debu cry isa
871_router #ping 3.3.3.20 4.4.4.254 source

Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 3.3.3.20, wait time is 2 seconds:
Packet sent with a source address of 4.4.4.254

Feb 25 21:58:06.799: ISAKMP: (0): profile of THE request is (NULL)
21:58:06.799 25 Feb: ISAKMP: created a struct peer 1.1.1.26, peer port 500
21:58:06.799 25 Feb: ISAKMP: new position created post = 0x834B2AB4 peer_handle = 0x8000000C
21:58:06.799 25 Feb: ISAKMP: lock struct 0x834B2AB4, refcount 1 to peer isakmp_initiator
21:58:06.799 25 Feb: ISAKMP: 500 local port, remote port 500
21:58:06.799 25 Feb: ISAKMP: set new node 0 to QM_IDLE
25 Feb 21:58:06.799: insert his with his 83476114 = success
21:58:06.799 25 Feb: ISAKMP: (0): cannot start aggressive mode, try the main mode.
21:58:06.799 25 Feb: ISAKMP: (0): pair found pre-shared key matching 1.1.1.26
Feb 25 21:58:06.799: ISAKMP: (0): built the seller-07 ID NAT - t
Feb 25 21:58:06.799: ISAKMP: (0): built of NAT - T of the seller-03 ID
Feb 25 21:58:06.799: ISAKMP: (0): built the seller-02 ID NAT - t
21:58:06.799 25 Feb: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
21:58:06.799 25 Feb: ISAKMP: (0): former State = new State IKE_READY = IKE._I_MM1

Feb 25 21:58:06.803: ISAKMP: (0): Beginner Main Mode Exchange
Feb 25 21:58:06.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE...
Success rate is 0% (0/5)
Sokuluk #.
Feb 25 21:58:16.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
21:58:16.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 1 5: retransmit the phase 1
Feb 25 21:58:16.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
Feb 25 21:58:16.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:58:26.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
21:58:26.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
Feb 25 21:58:26.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
Feb 25 21:58:26.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
21:58:36.799 25 Feb: ISAKMP: set new node 0 to QM_IDLE
21:58:36.799 25 Feb: ISAKMP: (0): SA is still budding. Attached new request ipsec. (2.2.2.226 local 1.1.1.26 remote)
21:58:36.799 25 Feb: ISAKMP: error during the processing of HIS application: failed to initialize SA
21:58:36.799 25 Feb: ISAKMP: error while processing message KMI 0, error 2.
Feb 25 21:58:36.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
21:58:36.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
Feb 25 21:58:36.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
Feb 25 21:58:36.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:58:46.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
21:58:46.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
Feb 25 21:58:46.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
Feb 25 21:58:46.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:58:56.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
21:58:56.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 5 of 5: retransmit the phase 1
Feb 25 21:58:56.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
Feb 25 21:58:56.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
21:59:06.799 25 Feb: ISAKMP: (0): the peer is not paranoid KeepAlive.

21:59:06.799 25 Feb: ISAKMP: (0): removal of reason HIS State "P1 remove notification (en)" (I) MM_NO_STATE (post 1.1.1.26)
21:59:06.799 25 Feb: ISAKMP: (0): removal of reason HIS State "P1 remove notification (en)" (I) MM_NO_STATE (post 1.1.1.26)
21:59:06.799 25 Feb: ISAKMP: Unlocking counterpart struct 0x834B2AB4 for isadb_mark_sa_deleted(), count 0
21:59:06.799 25 Feb: ISAKMP: delete peer node by peer_reap for 1.1.1.26: 834B2AB4
21:59:06.799 25 Feb: ISAKMP: (0): node-254301187 error suppression FALSE reason 'IKE deleted.
21:59:06.799 25 Feb: ISAKMP: (0): node-1584635621 error suppression FALSE reason 'IKE deleted.
21:59:06.799 25 Feb: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
21:59:06.799 25 Feb: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_DEST_SA

Here is the download page for 871 router - IOS 12.4 (15) T14:

http://www.Cisco.com/Cisco/software/release.html?mdfid=279624003&dvdid=279978467&flowid=8212&softwareid=280805680&release=12.4.15T14&rellifecycle=MD&relind=available&RelType=all

However, you will need to have Smartnet contract and your link of CEC account to the contract in order to download the software.

Resolution in real-time for IPSec Tunnel peer

Hello

There is a document on Cisco's Web site

http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t4/feature/guide/gtrlres.html

explaining that when setting up a card encryption static and peer instead of the IP address peer, we can specify following domain COMPLETE with "dynamic" command name I tried this option and no luck. My VPN end point (routers 2611XM and 831) solve another name with a DNS server, but when it starts to lap crypto maps to interfaces I get the following error message:

ISAKMP: reminder: no SA is for 0.0.0.0/0.0.0.0 [vrf 0]

Virtually no SAs are set up and malfunctioning coming IPSec tunnel.

Everyone tried and had the same problem? I would appreciate your help on this.

Thank you

Remi

What authentication method you use? If you use "pre-shared" you can't always use not "cry isa key... name...". "even if the DNS resolves this IP. It is a feature of the IKE Messrs. use so, CERT.

Can I use private as Source IPs from a remote network IP addresses while building the IPSec tunnel?

Can I use private as Source IPs from a remote network IP addresses while building the IPSec tunnel? If not why? If so, how?

Your explanation is much appreciated.

Hi Deepak,

In such a situation, you usually NAT traffic that goes to the internet, but exempt traffic that goes through the VPN, because it will be wrapped in packages with public IP (tunnel) addresses. You can use the same IP address on your interface in the face of internet for the NAT/PAT and source of IPSEC Tunnel.

Cisco ASA - l2l IPSEC tunnel two dynamic hosts

Hello

I have two firewall Cisco ASA an i want to made a l2l between two ipsec tunnel, the problem is that both parties have a dynamic IP, on both sides I have configured dyndns, can I did an ipsec tunnel using dyndns name such as address peer?

Hello

ASA supports only the RFC compliant method for updates used with dynamic DNS, not updates HTTP, such as dyndns.org and others use.
i.e. https://tools.cisco.com/bugsearch/bug/CSCsk25102/?reffering_site=dumpcr

On ASA, it is not possible to configure the tunnel between two dynamic peers.
You will need to have a static end to configure static to dynamic IP.

For routers, you can follow this link.
I hope this helps.

Kind regards
Dinesh Moudgil

PS Please rate helpful messages.

ASA 8.6 - l2l IPsec tunnel established - not possible to ping

Hello world

I have a problem of configuration of the CISCO ASA 5512-x (IOS 8.6).

The IPsec tunnel is created between ASA and an another non-CISCO router (hereinafter "router"). I can send packets ping from router to ASA, but ASA is NOT able to meet these demands. Sending requests of ASA is also NOT possible.

I'm trying to interconnect with the network 192.168.2.0/24 (CISCO, interface DMZ) premises and 192.168.3.0/24 (router).

The CISCO ASA has a static public IP address. The router has a dynamic IP address, so I use the dynamic-map option...

Here is the output of "show run":

---------------------------------------------------------------------------------------------------------------------------------------------

ASA 1.0000 Version 2

!

ciscoasa hostname

activate oBGOJTSctBcCGoTh encrypted password

2KFQnbNIdI.2KYOU encrypted passwd

names of

!

interface GigabitEthernet0/0

nameif outside

security-level 0

address IP X.X.X.X 255.255.255.0

!

interface GigabitEthernet0/1

nameif inside

security-level 100

the IP 192.168.0.1 255.255.255.0

!

interface GigabitEthernet0/2

nameif DMZ

security-level 50

IP 192.168.2.1 255.255.255.0

!

interface GigabitEthernet0/3

Shutdown

No nameif

no level of security

no ip address

!

interface GigabitEthernet0/4

Shutdown

No nameif

no level of security

no ip address

!

interface GigabitEthernet0/5

Shutdown

No nameif

no level of security

no ip address

!

interface Management0/0

nameif management

security-level 100

IP 192.168.1.1 255.255.255.0

management only

!

passive FTP mode

internal subnet object-

192.168.0.0 subnet 255.255.255.0

object Web Server external network-ip

host Y.Y.Y.Y

Network Web server object

Home 192.168.2.100

network vpn-local object - 192.168.2.0

Subnet 192.168.2.0 255.255.255.0

network vpn-remote object - 192.168.3.0

subnet 192.168.3.0 255.255.255.0

outside_acl list extended access permit tcp any object Web server

outside_acl list extended access permit tcp any object webserver eq www

access-list l2l-extensive list allowed ip, vpn-local - 192.168.2.0 vpn-remote object - 192.168.3.0

dmz_acl access list extended icmp permitted an echo

pager lines 24

asdm of logging of information

Outside 1500 MTU

Within 1500 MTU

MTU 1500 DMZ

management of MTU 1500

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

NAT (DMZ, outside) static static vpn-local destination - 192.168.2.0 vpn-local - 192.168.2.0, 192.168.3.0 - remote control-vpn vpn-remote control - 192.168.3.0

!

internal subnet object-

NAT dynamic interface (indoor, outdoor)

Network Web server object

NAT (DMZ, outside) Web-external-ip static tcp www www Server service

Access-Group global dmz_acl

Route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

identity of the user by default-domain LOCAL

Enable http server

http 192.168.1.0 255.255.255.0 management

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

IKEv1 crypto ipsec transform-set ikev1-trans-set esp-3des esp-md5-hmac

Crypto ipsec ikev2 proposal ipsec 3des-GNAT

Esp 3des encryption protocol

Esp integrity md5 Protocol

Crypto dynamic-map dynMidgeMap 1 match l2l-address list

Crypto dynamic-map dynMidgeMap 1 set pfs

Crypto dynamic-map dynMidgeMap 1 set ikev1 ikev1-trans-set transform-set

Crypto dynamic-map dynMidgeMap 1 set ikev2 ipsec-proposal 3des-GNAT

Crypto dynamic-map dynMidgeMap 1 life span of seconds set association security 28800

Crypto dynamic-map dynMidgeMap 1 the value reverse-road

midgeMap 1 card crypto ipsec-isakmp dynamic dynMidgeMap

midgeMap interface card crypto outside

ISAKMP crypto identity hostname

IKEv2 crypto policy 1

3des encryption

the md5 integrity

Group 2

FRP md5

second life 86400

Crypto ikev2 allow outside

Crypto ikev1 allow outside

IKEv1 crypto policy 1

preshared authentication

3des encryption

md5 hash

Group 2

life 86400

Telnet timeout 5

SSH timeout 5

Console timeout 0

management of 192.168.1.2 - dhcpd address 192.168.1.254

enable dhcpd management

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal midgeTrialPol group policy

attributes of the strategy of group midgeTrialPol

L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2

enable IPSec-udp

tunnel-group midgeVpn type ipsec-l2l

tunnel-group midgeVpn General-attributes

Group Policy - by default-midgeTrialPol

midgeVpn group of tunnel ipsec-attributes

IKEv1 pre-shared-key *.

remote control-IKEv2 pre-shared-key authentication *.

pre-shared-key authentication local IKEv2 *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

Cryptochecksum:fa02572f9ff8add7bbfe622a4801e606

: end

------------------------------------------------------------------------------------------------------------------------------

X.X.X.X - ASA public IP

Y.Y.Y.Y - a web server

Z.Z.Z.Z - default gateway

-------------------------------------------------------------------------------------------------------------------------------

ASA PING:

ciscoasa # ping DMZ 192.168.3.1

Type to abort escape sequence.

Send 5, echoes ICMP 100 bytes to 192.168.3.1, time-out is 2 seconds:

?????

Success rate is 0% (0/5)

PING from router (debug on CISCO):

NAT ciscoasa #: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0

NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0

NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0

Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 0 len = 40

Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 1 len = 40

Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 2 len = 40

Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = len 3 = 40

-------------------------------------------------------------------------------------------------------------------------------

ciscoasa # show the road outside

Code: C - connected, S - static, RIP, M - mobile - IGRP, R - I, B - BGP

D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone

N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2

E1 - OSPF external type 1, E2 - external OSPF of type 2, E - EGP

i - IS - L1 - IS - IS level 1, L2 - IS - IS IS level 2, AI - IS inter zone

* - candidate by default, U - static route by user, o - ODR

P periodical downloaded static route

Gateway of last resort is Z.Z.Z.Z to network 0.0.0.0

C Z.Z.Z.0 255.255.255.0 is directly connected to the outside of the

S 192.168.3.0 255.255.255.0 [1/0] via Z.Z.Z.Z, outdoors

S * 0.0.0.0 0.0.0.0 [1/0] via Z.Z.Z.Z, outdoors

-------------------------------------------------------------------------------------------------------------------------------

Do you have an idea that I am wrong? Probably some bad NAT/ACL I suppose, but I could always find something only for 8.4 iOS and not 8.6... Perhaps and no doubt I already missed the configuration with the unwanted controls, but I've tried various things...

Please, if you have an idea, let me know! Thank you very much!

Hello

I've never used "global" option in ACL, but it looks to be the origin of the problem. Cisco doc.

"The global access rules are defined as a special ACL that is processed for each interface on the device for incoming traffic in the interface. Thus, although the ACL is configured once on the device, it acts as an ACL defined for Management In secondary interface-specific. (Global rules are always in the direction of In, never Out Management). "

You ACL: access-list extended dmz_acl to any any icmp echo

For example, when you launch the ASA, there is an echo response from the router on the external interface--> global can block.

Then to initiate router, the ASA Launches echo-reply being blocked again.

Try to add permit-response to echo as well.

In addition, you can use both "inspect icmp" in world politics than the ACL.

If none does not work, you can run another t-shoot with control packet - trace on SAA.

THX

MS

DMVPN and IPsec CLIENT?

Hello

I was wondering if it was possible to use CRYPTOGRAPHY even for both: DMVPN and CLIENT IPsec?

To make it work, I have to use 1 crypto for the DMVPN and 1 crypto for IPsec, both systems operate on the same router, my router TALK can connect to my HUB router and my computer can connect to the router "HUB" via an IPsec tunnel.

Is their any way to make it easier, instead of doing configs in a single router for more or less the same work?

My stitching question may be stupid, sorry for that, I'm still learning, and I love it

Here below the full work DMVPN + IPsec:

Best regards

Didier

ROUTER1841 #sh run

Building configuration...

Current configuration: 9037 bytes

!

! Last configuration change to 21:51:39 gmt + 1 Monday February 7, 2011 by admin

! NVRAM config last updated at 21:53:07 gmt + 1 Monday February 7, 2011 by admin

!

version 12.4

horodateurs service debug datetime localtime

Log service timestamps datetime msec

encryption password service

!

hostname ROUTER1841

!

boot-start-marker

boot-end-marker

!

forest-meter operation of syslog messages

logging buffered 4096 notifications

enable password 7 05080F1C2243

!

AAA new-model

!

!

AAA authentication banner ^ C

THIS SYSTEM IS ONLY FOR THE USE OF AUTHORIZED FOR OFFICIAL USERS

^ C

AAA authentication login userauthen local

AAA authorization groupauthor LAN

!

!

AAA - the id of the joint session

clock time zone gmt + 1 1 schedule

clock daylight saving time gmt + 2 recurring last Sun Mar 02:00 last Sun Oct 03:00

dot11 syslog

no ip source route

!

!

No dhcp use connected vrf ip

DHCP excluded-address IP 192.168.10.1

DHCP excluded-address IP 192.168.20.1

DHCP excluded-address IP 192.168.30.1

DHCP excluded-address IP 192.168.100.1

IP dhcp excluded-address 192.168.1.250 192.168.1.254

!

IP dhcp pool vlan10

import all

network 192.168.10.0 255.255.255.0

default router 192.168.10.1

lease 5

!

IP dhcp pool vlan20

import all

network 192.168.20.0 255.255.255.0

router by default - 192.168.20.1

lease 5

!

IP dhcp pool vlan30

import all

network 192.168.30.0 255.255.255.0

default router 192.168.30.1

!

IP TEST dhcp pool

the host 192.168.100.20 255.255.255.0

0100.2241.353f.5e client identifier

!

internal IP dhcp pool

network 192.168.100.0 255.255.255.0

Server DNS 192.168.100.1

default router 192.168.100.1

!

IP dhcp pool vlan1

network 192.168.1.0 255.255.255.0

Server DNS 8.8.8.8

default router 192.168.1.1

lease 5

!

dhcp MAC IP pool

the host 192.168.10.50 255.255.255.0

0100.2312.1c0a.39 client identifier

!

IP PRINTER dhcp pool

the host 192.168.10.20 255.255.255.0

0100.242b.4d0c.5a client identifier

!

MLGW dhcp IP pool

the host 192.168.10.10 255.255.255.0

address material 0004.f301.58b3

!

pool of dhcp IP pc-vero

the host 192.168.10.68 255.255.255.0

0100.1d92.5982.24 client identifier

!

IP dhcp pool vlan245

import all

network 192.168.245.0 255.255.255.0

router by default - 192.168.245.1

!

dhcp VPN_ROUTER IP pool

0100.0f23.604d.a0 client identifier

!

dhcp QNAP_NAS IP pool

the host 192.168.10.100 255.255.255.0

0100.089b.ad17.8f client identifier

name of the client QNAP_NAS

!

!

IP cef

no ip bootp Server

IP domain name dri

host IP SW12 192.168.1.252

host IP SW24 192.168.1.251

IP host tftp 192.168.10.50

host IP of Router_A 192.168.10.5

host IP of Router_B 10.0.1.1

IP ddns update DynDNS method

HTTP

Add http://dri66: [email protected] / * *//nic/update?system=dyndns&hostname=mlgw.dyndns.info&myip=[email protected] / * //nic/update?system=dyndns&hostname=mlgw.dyndns.info&myip=

maximum interval 1 0 0 0

minimum interval 1 0 0 0

!

NTP 66.27.60.10 Server

!

Authenticated MultiLink bundle-name Panel

!

!

Flow-Sampler-map mysampler1

Random mode one - out of 100

!

Crypto pki trustpoint TP-self-signed-2996752687

enrollment selfsigned

name of the object cn = IOS - Self - signed - certificate - 2996752687

revocation checking no

rsakeypair TP-self-signed-2996752687

!

!

VTP version 2

username Admin privilege 15 secret 5 $1$ gAFQ$ 2ecAHSYEU9g7b6WYuTY9G.

username cisco password 7 02050D 480809

Archives

The config log

hidekeys

!

!

crypto ISAKMP policy 3

BA 3des

preshared authentication

Group 2

!

crypto ISAKMP policy 10

md5 hash

preshared authentication

ISAKMP crypto cisco123 key address 0.0.0.0 0.0.0.0

!

ISAKMP crypto client configuration group 3000client

key cisco123

DNS 8.8.8.8

dri.eu field

pool VPNpool

ACL 150

!

!

Crypto ipsec transform-set strong esp-3des esp-md5-hmac

Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT

!

Profile cisco ipsec crypto

define security-association life seconds 120

transformation-strong game

!

!

Crypto-map dynamic dynmap 10

Set transform-set RIGHT

!

!

map clientmap client to authenticate crypto list userauthen

card crypto clientmap isakmp authorization list groupauthor

client configuration address map clientmap crypto answer

10 ipsec-isakmp crypto map clientmap Dynamics dynmap

!

!

!

property intellectual ssh time 60

property intellectual ssh authentication-2 retries

IP port ssh 8096 Rotary 1

property intellectual ssh version 2

!

!

!

interface Loopback0

IP 192.66.66.66 255.255.255.0

!

interface Tunnel0

172.16.0.1 IP address 255.255.255.0

no ip redirection

IP mtu 1440

no ip next-hop-self eigrp 90

property intellectual PNDH authentication cisco123

dynamic multicast of IP PNDH map

PNDH network IP-1 id

No eigrp split horizon ip 90

source of tunnel FastEthernet0/0

multipoint gre tunnel mode

0 button on tunnel

Cisco ipsec protection tunnel profile

!

interface FastEthernet0/0

DMZ description

IP ddns update hostname mlgw.dyndns.info

IP ddns update DynDNS

DHCP IP address

no ip unreachable

no ip proxy-arp

NAT outside IP

IP virtual-reassembly

automatic duplex

automatic speed

clientmap card crypto

!

interface FastEthernet0/0,241

Description VLAN 241

encapsulation dot1Q 241

DHCP IP address

IP access-group dri-acl-in in

NAT outside IP

IP virtual-reassembly

No cdp enable

!

interface FastEthernet0/0.245

encapsulation dot1Q 245

DHCP IP address

IP access-group dri-acl-in in

NAT outside IP

IP virtual-reassembly

No cdp enable

!

interface FastEthernet0/1

Description INTERNAL ETH - LAN$

IP 192.168.100.1 address 255.255.255.0

no ip proxy-arp

IP nat inside

IP virtual-reassembly

Shutdown

automatic duplex

automatic speed

!

interface FastEthernet0/0/0

switchport access vlan 10

spanning tree portfast

!

interface FastEthernet0/0/1

switchport access vlan 245

spanning tree portfast

!

interface FastEthernet0/0/2

switchport access vlan 30

spanning tree portfast

!

interface FastEthernet0/0/3

switchport mode trunk

!

interface Vlan1

IP address 192.168.1.250 255.255.255.0

IP nat inside

IP virtual-reassembly

!

interface Vlan10

IP 192.168.10.1 255.255.255.0

IP nat inside

IP virtual-reassembly

!

interface Vlan20

address 192.168.20.1 255.255.255.0

IP nat inside

IP virtual-reassembly

!

Vlan30 interface

192.168.30.1 IP address 255.255.255.0

IP nat inside

IP virtual-reassembly

!

interface Vlan245

IP 192.168.245.1 255.255.255.0

IP nat inside

IP virtual-reassembly

!

Router eigrp 90

network 172.16.0.0

network 192.168.10.0

No Auto-resume

!

IP pool local VPNpool 172.16.1.1 172.16.1.100

IP forward-Protocol ND

no ip address of the http server

local IP http authentication

IP http secure server

!

IP flow-cache timeout idle 130

IP flow-cache timeout active 20

cache IP flow-aggregation prefix

cache timeout idle 400

active cache expiration time 25

!

!

overload of IP nat inside source list 170 interface FastEthernet0/0

overload of IP nat inside source list interface FastEthernet0/0.245 NAT1

IP nat inside source static tcp 192.168.10.10 80 interface FastEthernet0/0 8095

!

access-list 150 permit ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 170 refuse ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255

access-list 170 refuse ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 170 permit ip 192.168.10.0 0.0.0.255 any

access-list 180 deny ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 180 permit ip 192.168.10.0 0.0.0.255 any

not run cdp

!

!

!

route NAT allowed 10 map

corresponds to the IP 180

!

!

!

control plan

!

exec banner ^ C

WELCOME YOU ARE NOW LOGED IN

^ C

connection of the banner ^ C

WARNING!

IF YOU ARE NOT:

Didier Ribbens

Please leave NOW!

YOUR IP and MAC address will be LOGGED.

^ C

!

Line con 0

Speed 115200

line to 0

line vty 0 4

access-class 5

privilege level 15

Rotary 1

transport input telnet ssh

line vty 5 15

access-class 5

Rotary 1

!

Scheduler allocate 20000 1000

end

Didier,

Some time ago, I wrote a bit on VT, you should be able to find information about the server ezvpn DVTI it.

https://supportforums.Cisco.com/community/NetPro/security/VPN/blog/2010/12/08/advantages-of-VTI-configuration-for-IPSec-tunnels

The configuartion you have right now is the way to strives for ezvpn, with the new way DMVPN (protection of tunnel).

If it is true for the most part, it is best to go on the learning curve Moose and go everythign new configuration.

With EZVPN you can always assign IP from the pool by group ezvpn or external authorization ;-)

Anyway let me know if you face any problems.

Marcin

Voice and IPSEC Tunnels

In which case I use a DMVPN IPSEC technology for branch connectivity, used ISP know what kind of traffic I run because it is encrypted in the end.

DMVPN package use is first encapsulated in GRE and then encrypted with IPSEC authentication information. Because the ultimate traffic is IPSEC requires ISP/provider leave the port UDP 500 and ESP open. Once the tunnel is created I can pass any type of traffic because it will use ESP.

Given what I saw a few deployments where we put in place this kind of solution and telephone traffic did not and ip phones were unable to register. Most of the guys have pointed out that it could possibly be because ISP blocks the SCCP traffic, but my concern is that if we have a branch at Headquarters IPSEC tunnel how the ISP can detect this thing and drop it.

Please provide feedback on this.

The provider cannot see inside the tunnel. Only, he could assume that it could be the voice traffic:

The voice parameters the value DSCP-in IP header when they send traffic. These values are copied to the outer IP header when the traffic is encrypted. With this function you can also do QoS on encrypted traffic.

But I do not think that a provider might filter on this traffic.

--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni

IPSec tunnel between a client connection mobility and WRV200

Someone has set up an IPSec tunnel between a client connection mobility and WRV200? I can't get the right configuration.

Agitation, these products are treated by the Cisco Small Business support community. Please refer to the URL: https://supportforums.cisco.com/community/netpro/small-business

IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and static

Hello

My problem isn't really the IPSec connection between two devices (it is already done...) But my problem is that I have a mail server on the site of Cisco, who have a static NAT from inside to outside. Due to the static NAT, I do not see the server in the VPN tunnel. I found a document that almost describes the problem:

"Configuration of a router IPSEC Tunnel private-to-private network with NAT and static" (Document ID 14144)

NAT takes place before the encryption verification!

In this document, the solution is 'routing policy' using the loopback interface. But, how can I handle this with the Netscreen firewall. Someone has an idea?

Thanks for any help

Best regards

Heiko

Hello

Try to change your static NAT with static NAT based policy.

That is to say the static NAT should not be applicable for VPN traffic

permissible static route map 1

corresponds to the IP 104

access-list 104 refuse host ip 10.1.110.10 10.1.0.0 255.255.0.0

access-list 104 allow the host ip 10.1.110.10 all

IP nat inside source static 10.1.110.10 81.222.33.90 map of static route

HTH

Kind regards

GE.

IPSec Tunnel site to Site between ASA (static IP) to the firewall Microtick (dynamic IP) cannot telnet routeros and open https

I purchased Mikrotik hardware devices and want to use routeros seat firewall cisco asa establish VPN. Aims to establish that a branch may be two IPSEC VPN access devices at the headquarters of the server via the public network.

But now, I'm having some trouble, so I have cisco asa branches and headquarters to establish successful ipsec vpn.
(1) branch routeros WAN port using a private IP address and is a member of the asa above outdoor sound created vpn ipsec, vpn successfully established internal servers and I ping the switch at the headquarters of the branch. However, there is a problem, I go through routeros visit that the headquarters of the https server pages can not be opened, telnet internal switches can telnet to the top, but were unable to penetrate into the character.
(2) in addition, I left the branch routeros on a public IP address WAN port and asa VPN IPSEC created seat, said problems above are not, the server can also be accessed, telnet switch can also enter text and control.
At the present time, I have encountered this problem of interface not CAN not because I need to create of very, very many industries and the need to establish headquarters communications branch offices so I have to use private IP addresses to access the Wan, unable to do wan are public IP address and headquarters to establish IPSEC VPN.

now, I can't telnet asa inside the cisco router and open the web inside https, I can't solve the problems.

now, registrants of asa:

interface GigabitEthernet0/0
nameif outside
security-level 0
IP 49.239.3.10 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
IP 172.17.0.111 255.255.255.0

network of the object inside
172.17.1.0 subnet 255.255.255.0
network outsidevpn object
Subnet 192.168.0.0 255.255.0.0

QQQ

NAT (inside, outside) static source inside inside destination static outsidevpn outsidevpn non-proxy-arp-search to itinerary

Route outside 0.0.0.0 0.0.0.0 49.239.3.1 1
Route inside 172.17.1.0 255.255.255.0 172.17.0.5 1

Crypto ipsec transform-set esp-3des esp-md5-hmac ikev1 cisco
Crypto ipsec pmtu aging infinite - the security association
Crypto dynamic-map cisco 1000 set pfs
Crypto dynamic-map cisco 1000 set transform-set cisco ikev1
Crypto dynamic-map cisco 1000 value reverse-road
Cisco-cisco ipsec isakmp dynamic 1000 card crypto
cisco interface card crypto outside
trustpool crypto ca policy
Crypto isakmp nat-traversal 60
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400

IPSec-attributes tunnel-group DefaultL2LGroup
IKEv1 pre-shared-key *.

Hello

Could you share the output of the counterpart of its IPSec cry see the 49.239.3.10 of the other device?

Kind regards

Aditya

Policy Nat and IPSec tunnel

Hello

I have a Cisco IOS router and you want to configure an IPSec tunnel between myself and the client. Unfortunately, we have two overlapping of 10 network IP addresses.

Is it possible for me to just Nat addresses IP on my side or should the customer Nat as well?

I have configured NAT on the inside of the interface for 10.134.206.1 to 192.168.156.6 so that Nat happens before that packages are encrypted in the tunnel, however tunnel is not coming. The client uses a sonic firewall and allowed their 10.91.0.0/16 network 192.168.156.0/24.

See attachment

Kind regards

They are wrong to installation. Remote local networks are not 10.134.206.0 and 10.134.206/42. It is simply your public IP address.

IPSec tunnel and NetFlow packets

I have a router 1841 IPSec running with an ASA. F0/0 is the source interface. I also set up NetFlow, which must be sent through the IPSec tunnel to the parser. The acl setting the IPSec interesting traffic covers addresses, source and destination of NetFlow. But NetFlow Traffic is not captured by the tunnel. When I ping the destination router, icmp traffic is picked up and goes through the tunnel. Are there ways to force NetFlow traffic to go to the tunnel?

Thank you.

Y at - it a route to the destination address of netflow? I have noted problems with traffic heading towards a destination that was not in the routing table is not made down a VPN.

Decision on DMVPN and L2L simple IPsec tunnels

Similar Questions

Maybe you are looking for