Devices to set up a site-to-site VPN
I have a stupid question. In a site-to-site VPN environment, can I do the setup using an ASA 5505 on one end and an 1811 router on the other end, or do I need to have two ASA 5505s or two 1811 routers? In other words, can I mix and match devices and still perform a site-to-site VPN configuration, or do I have to have the same features on both ends?
You can mix and match all you want. To him my friend. Reference the link below.
https://supportforums.Cisco.com/videos/2763
Tags: Cisco Security
Similar Questions
-
Which device to use for site-to-site VPN
Hello
Can someone recommend some inexpensive VPN devices that will be set up to connect a few site-to-site VPNs (20-30)? Each site should not exceed 5 to 10 computers. The sites will be equipped with different VPN devices (like regular Linksys or any other, just able to do IPsec site-to-site VPN). What I need is for my main site, and I hope to get some suggestions.
Thank you
Ashok
Hey Ashok
Well, I'd say the Cisco ASA 5500-X firewalls and the Cisco ISR/ASR routers; both support site-to-site VPN to several sites.
You can look into those if they meet your criteria.
Regards,
Véronique
-
Site-to-site VPN through a NAT device
I am having trouble running a site-to-site VPN between two 3725 routers running c3725-advsecurityk9-mz.124-15.T1 that I hope I can get some help with; I am probably missing something here. The VPN ran very well when both VPN routers were connected directly to the internet and had public IP addresses on their WAN interfaces, but I had to move one of them inside the firewall on a private IP address. The setup is now as below:
VPN Router A (192.168.248.253) - internal company network - Fortigate FW - internet - (217.155.113.179) VPN Router B
The Fortigate FW is doing some address translation:
- traffic between 192.168.248.253 and 217.155.113.179 has its source translated to 37.205.62.5
- traffic between 217.155.113.179 and 37.205.62.5 has its destination translated to 192.168.248.253
- Firewall rules allow all traffic between the 2 devices, no port locking enabled.
- The 37.205.62.5 address is not used by anything else.
I basically have a GRE tunnel between the two routers, and I'm trying to encrypt it.
Router A shows below
SERVER-RTR#show crypto map
Crypto Map "S2S_VPN" 10 ipsec-isakmp
        Peer = 217.155.113.179
        Extended IP access list 101
            access-list 101 permit gre 192.168.248.253 host 217.155.113.179
        Current peer: 217.155.113.179
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                STRONG,
        }
        Interfaces using crypto map S2S_VPN:
                FastEthernet0/1

SERVER-RTR#show crypto session
Crypto session current status

Interface: FastEthernet0/1
Session status: DOWN
Peer: 217.155.113.179 port 500
  IPSEC FLOW: permit 47 192.168.248.253 host 217.155.113.179
        Active SAs: 0, origin: crypto map

Interface: FastEthernet0/1
Session status: UP-IDLE
Peer: 217.155.113.179 port 4500
  IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Active
  IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Inactive
  IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Inactive

Router B shows below
BSU-RTR#show crypto map
Crypto Map "S2S_VPN" 10 ipsec-isakmp
        Peer = 37.205.62.5
        Extended IP access list 101
            access-list 101 permit gre 217.155.113.179 host 37.205.62.5
        Current peer: 37.205.62.5
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                STRONG,
        }
        Interfaces using crypto map S2S_VPN:
                FastEthernet0/1

BSU-RTR#show crypto session
Crypto session current status

Interface: FastEthernet0/1
Session status: DOWN
Peer: 37.205.62.5 port 500
  IPSEC FLOW: permit 47 217.155.113.179 host 37.205.62.5
        Active SAs: 0, origin: crypto map

Interface: FastEthernet0/1
Session status: UP-IDLE
Peer: 37.205.62.5 port 4500
  IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Active
  IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Inactive
  IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Inactive

I can see counters incrementing on the ACL on both routers, so I know the traffic is being matched as interesting.
Here are a few debugs too
--------------
Router A
Debug crypto ISAKMP
* 23:07:10.898 Mar 2: ISAKMP: (1024): purge the node 940426884
* 23:07:10.898 Mar 2: ISAKMP: (1024): purge the node 1837874301
* 23:07:10.898 Mar 2: ISAKMP: (1024): purge the node-475409474
* 23:07:20.794 Mar 2: ISAKMP (0:0): received 217.155.113.179 packet dport 500 sport 500 SA NEW Global (N)
* 23:07:20.794 Mar 2: ISAKMP: created a struct peer 217.155.113.179, peer port 500
* 23:07:20.794 Mar 2: ISAKMP: new position created post = 0x64960C04 peer_handle = 0x80000F0E
* 23:07:20.794 Mar 2: ISAKMP: lock struct 0x64960C04, refcount 1 to peer crypto_isakmp_process_block
* 23:07:20.794 Mar 2: ISAKMP: 500 local port, remote port 500
* 23:07:20.794 Mar 2: ISAKMP: find a dup her to the tree during the isadb_insert his 6464D3F0 = call BVA
* 23:07:20.794 Mar 2: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 23:07:20.794 Mar 2: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM1
* 2 Mar 23:07:20.794: ISAKMP: (0): treatment ITS payload. Message ID = 0
* 2 Mar 23:07:20.794: ISAKMP: (0): load useful vendor id of treatment
* 2 Mar 23:07:20.794: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
* 23:07:20.798 Mar 2: ISAKMP (0:0): provider ID is NAT - T RFC 3947
* 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 245
* 23:07:20.798 Mar 2: ISAKMP (0:0): provider ID is NAT - T v7
* 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 157
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID is NAT - T v3
* 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID is NAT - T v2
* 23:07:20.798 Mar 2: ISAKMP: (0): pair found pre-shared key matching 217.155.113.179
* 2 Mar 23:07:20.798: ISAKMP: (0): pre-shared key local found
* 23:07:20.798 Mar 2: ISAKMP: analysis of the profiles for xauth...
* 23:07:20.798 Mar 2: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1
* 23:07:20.798 Mar 2: ISAKMP: DES-CBC encryption
* 23:07:20.798 Mar 2: ISAKMP: SHA hash
* 23:07:20.798 Mar 2: ISAKMP: default group 1
* 23:07:20.798 Mar 2: ISAKMP: pre-shared key auth
* 23:07:20.798 Mar 2: ISAKMP: type of life in seconds
* 23:07:20.798 Mar 2: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80
* 23:07:20.798 Mar 2: ISAKMP: (0): atts are acceptable. Next payload is 0
* 23:07:20.798 Mar 2: ISAKMP: (0): Acceptable atts: real life: 0
* 23:07:20.798 Mar 2: ISAKMP: (0): Acceptable atts:life: 0
* 23:07:20.798 Mar 2: ISAKMP: (0): fill atts in his vpi_length:4
* 23:07:20.798 Mar 2: ISAKMP: (0): fill atts in his life_in_seconds:86400
* 23:07:20.798 Mar 2: ISAKMP: (0): return real life: 86400
* 23:07:20.798 Mar 2: ISAKMP: (0): timer life Started: 86400.
* 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
* 23:07:20.798 Mar 2: ISAKMP (0:0): provider ID is NAT - T RFC 3947
* 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 245
* 23:07:20.798 Mar 2: ISAKMP (0:0): provider ID is NAT - T v7
* 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 157
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID is NAT - T v3
* 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID is NAT - T v2
* 23:07:20.798 Mar 2: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
* 23:07:20.798 Mar 2: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1
* 2 Mar 23:07:20.802: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
* 2 Mar 23:07:20.802: ISAKMP: (0): lot of 217.155.113.179 sending my_port 500 peer_port 500 (R) MM_SA_SETUP
* 23:07:20.802 Mar 2: ISAKMP: (0): sending a packet IPv4 IKE.
* 23:07:20.802 Mar 2: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
* 23:07:20.802 Mar 2: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM2
* 23:07:20.822 Mar 2: ISAKMP (0:0): received 217.155.113.179 packet 500 Global 500 (R) sport dport MM_SA_SETUP
* 23:07:20.822 Mar 2: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 23:07:20.822 Mar 2: ISAKMP: (0): former State = new State IKE_R_MM2 = IKE_R_MM3
* 2 Mar 23:07:20.822: ISAKMP: (0): processing KE payload. Message ID = 0
* 2 Mar 23:07:20.850: ISAKMP: (0): processing NONCE payload. Message ID = 0
* 23:07:20.854 Mar 2: ISAKMP: (0): pair found pre-shared key matching 217.155.113.179
* 2 Mar 23:07:20.854: ISAKMP: (1027): load useful vendor id of treatment
* 2 Mar 23:07:20.854: ISAKMP: (1027): provider ID is the unit
* 2 Mar 23:07:20.854: ISAKMP: (1027): load useful vendor id of treatment
* 2 Mar 23:07:20.854: ISAKMP: (1027): provider ID is DPD
* 2 Mar 23:07:20.854: ISAKMP: (1027): load useful vendor id of treatment
* 2 Mar 23:07:20.854: ISAKMP: (1027): addressing another box of IOS!
* 23:07:20.854 Mar 2: ISAKMP: receives the payload type 20
* 23:07:20.854 Mar 2: ISAKMP (0:1027): NAT found, the node inside the NAT
* 23:07:20.854 Mar 2: ISAKMP: receives the payload type 20
* 23:07:20.854 Mar 2: ISAKMP: (1027): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
* 23:07:20.854 Mar 2: ISAKMP: (1027): former State = new State IKE_R_MM3 = IKE_R_MM3
* 2 Mar 23:07:20.854: ISAKMP: (1027): lot of 217.155.113.179 sending my_port 500 peer_port 500 (R) MM_KEY_EXCH
* 23:07:20.854 Mar 2: ISAKMP: (1027): sending a packet IPv4 IKE.
* 23:07:20.858 Mar 2: ISAKMP: (1027): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
* 23:07:20.858 Mar 2: ISAKMP: (1027): former State = new State IKE_R_MM3 = IKE_R_MM4
* 23:07:20.898 Mar 2: ISAKMP: (1024): serving SA., his is 64D5723C, delme is 64D5723C
* 23:07:20.902 Mar 2: ISAKMP (0:1027): received 217.155.113.179 packet dport 4500 4500 Global (R) MM_KEY_EXCH sport
* 23:07:20.902 Mar 2: ISAKMP: (1027): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 23:07:20.902 Mar 2: ISAKMP: (1027): former State = new State IKE_R_MM4 = IKE_R_MM5
* 2 Mar 23:07:20.902: ISAKMP: (1027): payload ID for treatment. Message ID = 0
* 23:07:20.902 Mar 2: ISAKMP (0:1027): payload ID
next payload: 8
type: 1
address: 217.155.113.179
Protocol: 17
Port: 0
Length: 12
* 2 Mar 23:07:20.902: ISAKMP: (0): peer games * no * profiles
* 2 Mar 23:07:20.906: ISAKMP: (1027): HASH payload processing. Message ID = 0
* 2 Mar 23:07:20.906: ISAKMP: (1027): treatment protocol NOTIFIER INITIAL_CONTACT 1
SPI 0, message ID = 0, a = 6464D3F0
* 23:07:20.906 Mar 2: ISAKMP: (1027): SA authentication status:
authenticated
* 23:07:20.906 Mar 2: ISAKMP: (1027): SA has been authenticated with 217.155.113.179
* 23:07:20.906 Mar 2: ISAKMP: (1027): port detected floating port = 4500
* 23:07:20.906 Mar 2: ISAKMP: try to find found and existing peer 192.168.248.253/217.155.113.179/4500/ peer 648EAD00 to reuse existing, free 64960 04
* 23:07:20.906 Mar 2: ISAKMP: Unlocking counterpart struct 0x64960C04 Reuse existing peer count 0
* 23:07:20.906 Mar 2: ISAKMP: delete peer node by peer_reap for 217.155.113.179: 64960 04
* 23:07:20.906 Mar 2: ISAKMP: lock struct 0x648EAD00, refcount 2 for peer peer reuse existing
* 23:07:20.906 Mar 2: ISAKMP: (1027): SA authentication status:
authenticated
* 2 Mar 23:07:20.906: ISAKMP: (1027): process of first contact.
lowering existing phase 1 and 2 with local 192.168.248.253 217.155.113.179 remote remote port 4500
* 23:07:20.906 Mar 2: ISAKMP: (1026): received first contact, delete SA
* 23:07:20.906 Mar 2: ISAKMP: (1026): peer does not paranoid KeepAlive.
* 23:07:20.906 Mar 2: ISAKMP: (1026): deletion of 'Initial of receive Contact' State HIS reason (R) QM_IDLE (post 217.155.113.179)
* 23:07:20.906 Mar 2: ISAKMP: (0): cannot decrement IKE Call Admission Control incoming_active stat because he's already 0.
* 23:07:20.906 Mar 2: ISAKMP: (1027): UDP ENC parameter counterpart struct 0x0 his = 0x6464D3F0
* 23:07:20.906 Mar 2: ISAKMP: (1027): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
* 23:07:20.906 Mar 2: ISAKMP: (1027): former State = new State IKE_R_MM5 = IKE_R_MM5
* 23:07:20.910 Mar 2: ISAKMP: node set-98987637 to QM_IDLE
* 2 Mar 23:07:20.910: ISAKMP: (1026): lot of 217.155.113.179 sending peer_port my_port 4500 4500 (R) QM_IDLE
* 23:07:20.910 Mar 2: ISAKMP: (1026): sending a packet IPv4 IKE.
* 23:07:20.910 Mar 2: ISAKMP: (1026): purge the node-98987637
* 23:07:20.910 Mar 2: ISAKMP: (1026): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
* 23:07:20.910 Mar 2: ISAKMP: (1026): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA
* 23:07:20.910 Mar 2: ISAKMP: (1027): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
* 23:07:20.910 Mar 2: ISAKMP (0:1027): payload ID
next payload: 8
type: 1
address: 192.168.248.253
Protocol: 17
Port: 0
Length: 12
* 23:07:20.910 Mar 2: ISAKMP: (1027): the total payload length: 12
* 2 Mar 23:07:20.914: ISAKMP: (1027): lot of 217.155.113.179 sending peer_port my_port 4500 4500 (R) MM_KEY_EXCH
* 23:07:20.914 Mar 2: ISAKMP: (1027): sending a packet IPv4 IKE.
* 23:07:20.914 Mar 2: ISAKMP: (1027): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
* 23:07:20.914 Mar 2: ISAKMP: (1027): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE
* 23:07:20.914 Mar 2: ISAKMP: (1026): deletion of 'Initial of receive Contact' State HIS reason (R) QM_IDLE (post 217.155.113.179)
* 23:07:20.914 Mar 2: ISAKMP: Unlocking counterpart struct 0x648EAD00 for isadb_mark_sa_deleted(), count 1
* 23:07:20.914 Mar 2: ISAKMP: (1026): error suppression node 334747020 FALSE reason 'IKE deleted.
* 23:07:20.914 Mar 2: ISAKMP: (1026): node-1580729900 error suppression FALSE reason 'IKE deleted.
* 23:07:20.914 Mar 2: ISAKMP: (1026): node-893929227 error suppression FALSE reason 'IKE deleted.
* 23:07:20.914 Mar 2: ISAKMP: (1026): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 23:07:20.914 Mar 2: ISAKMP: (1026): former State = new State IKE_DEST_SA = IKE_DEST_SA
* 23:07:20.914 Mar 2: ISAKMP: (1027): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
* 23:07:20.914 Mar 2: ISAKMP: (1027): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
* 23:07:20.930 Mar 2: ISAKMP (0:1026): received 217.155.113.179 packet dport 4500 4500 Global (R) MM_NO_STATE sport
* 23:07:20.934 Mar 2: ISAKMP (0:1027): received 217.155.113.179 packet dport 4500 4500 Global (R) QM_IDLE sport
* 23:07:20.934 Mar 2: ISAKMP: node set 1860263019 to QM_IDLE
* 2 Mar 23:07:20.934: ISAKMP: (1027): HASH payload processing. Message ID = 1860263019
* 2 Mar 23:07:20.934: ISAKMP: (1027): treatment ITS payload. Message ID = 1860263019
* 23:07:20.934 Mar 2: ISAKMP: (1027): proposal of IPSec checking 1
* 23:07:20.934 Mar 2: ISAKMP: turn 1, ESP_AES
* 23:07:20.934 Mar 2: ISAKMP: attributes of transformation:
* 23:07:20.934 Mar 2: ISAKMP: program is 3 (Tunnel-UDP)
* 23:07:20.934 Mar 2: ISAKMP: type of life in seconds
* 23:07:20.934 Mar 2: ISAKMP: life of HIS (basic) 3600
* 23:07:20.934 Mar 2: ISAKMP: type of life in kilobytes
* 23:07:20.934 Mar 2: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0
* 23:07:20.934 Mar 2: ISAKMP: key length is 128
* 23:07:20.934 Mar 2: ISAKMP: (1027): atts are acceptable.
* 2 Mar 23:07:20.934: ISAKMP: (1027): IPSec policy invalidated proposal with error 32
* 2 Mar 23:07:20.934: ISAKMP: (1027): politics of ITS phase 2 is not acceptable! (local 192.168.248.253 remote 217.155.113.179)
* 23:07:20.938 Mar 2: ISAKMP: node set 1961554007 to QM_IDLE
* 23:07:20.938 Mar 2: ISAKMP: (1027): Protocol to send NOTIFIER PROPOSAL_NOT_CHOSEN 3
SPI 1688526152, message ID = 1961554007
* 2 Mar 23:07:20.938: ISAKMP: (1027): lot of 217.155.113.179 sending peer_port my_port 4500 4500 (R) QM_IDLE
* 23:07:20.938 Mar 2: ISAKMP: (1027): sending a packet IPv4 IKE.
* 23:07:20.938 Mar 2: ISAKMP: (1027): purge the node 1961554007
* 23:07:20.938 Mar 2: ISAKMP: (1027): error suppression node 1860263019 REAL reason "QM rejected."
* 23:07:20.938 Mar 2: ISAKMP: (1027): entrance, node 1860263019 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
* 23:07:20.938 Mar 2: ISAKMP: (1027): former State = new State IKE_QM_READY = IKE_QM_READY
* 23:07:24.510 Mar 2: ISAKMP: set new node 0 to QM_IDLE
* 2 Mar 23:07:24.510: ITS a exceptional applications (100.100.213.56 local port 4500, 100.100.213.84 remote port 4500)
* 2 Mar 23:07:24.510: ISAKMP: (1027): sitting IDLE. From QM immediately (QM_IDLE)
* 23:07:24.510 Mar 2: ISAKMP: (1027): start Quick Mode Exchange, M - ID 670698820
* 23:07:24.510 Mar 2: ISAKMP: (1027): initiator QM gets spi
* 2 Mar 23:07:24.510: ISAKMP: (1027): lot of 217.155.113.179 sending peer_port my_port 4500 4500 (R) QM_IDLE
* 23:07:24.510 Mar 2: ISAKMP: (1027): sending a packet IPv4 IKE.
* 23:07:24.514 Mar 2: ISAKMP: (1027): entrance, node 670698820 = IKE_MESG_INTERNAL, IKE_INIT_QM
* 23:07:24.514 Mar 2: ISAKMP: (1027): former State = new State IKE_QM_READY = IKE_QM_I_QM1
* 23:07:24.530 Mar 2: ISAKMP (0:1027): received 217.155.113.179 packet dport 4500 4500 Global (R) QM_IDLE sport
* 23:07:24.534 Mar 2: ISAKMP: node set 1318257670 to QM_IDLE
* 2 Mar 23:07:24.534: ISAKMP: (1027): HASH payload processing. Message ID = 1318257670
* 2 Mar 23:07:24.534: ISAKMP: (1027): treatment protocol NOTIFIER PROPOSAL_NOT_CHOSEN 3
SPI 3268378219, message ID = 1318257670, a = 6464D3F0
* 2 Mar 23:07:24.534: ISAKMP: (1027): removal of spi 3268378219 message ID = 670698820
* 23:07:24.534 Mar 2: ISAKMP: (1027): node 670698820 REAL reason error suppression "remove larval.
* 23:07:24.534 Mar 2: ISAKMP: (1027): error suppression node 1318257670 FALSE reason 'informational (en) State 1.
* 23:07:24.534 Mar 2: ISAKMP: (1027): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
* 23:07:24.534 Mar 2: ISAKMP: (1027): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
* 23:07:40.898 Mar 2: ISAKMP: (1025): purge the node-238086324
* 23:07:40.898 Mar 2: ISAKMP: (1025): purge the node-1899972726
* 23:07:40.898 Mar 2: ISAKMP: (1025): purge the node-321906720

Router B
----------
Debug crypto ISAKMP
1d23h: ISAKMP: (0): profile of THE request is (NULL)
1d23h: ISAKMP: created a struct peer 37.205.62.5, peer port 500
1d23h: ISAKMP: new position created post = 0x652C3B54 peer_handle = 0x80000D8C
1d23h: ISAKMP: lock struct 0x652C3B54, refcount 1 to peer isakmp_initiator
1d23h: ISAKMP: 500 local port, remote port 500
1d23h: ISAKMP: set new node 0 to QM_IDLE
1d23h: ISAKMP: find a dup her to the tree during the isadb_insert his 652CBDC4 = call BVA
1d23h: ISAKMP: (0): cannot start aggressive mode, try the main mode.
1d23h: ISAKMP: (0): pair found pre-shared key matching 37.205.62.5
1d23h: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
1d23h: ISAKMP: (0): built the seller-07 ID NAT - t
1d23h: ISAKMP: (0): built of NAT - T of the seller-03 ID
1d23h: ISAKMP: (0): built the seller-02 ID NAT - t
1d23h: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
1d23h: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1
1d23h: ISAKMP: (0): Beginner Main Mode Exchange
1d23h: ISAKMP: (0): lot of 37.205.62.5 sending my_port 500 peer_port 500 (I) MM_NO_STATE
1d23h: ISAKMP: (0): sending a packet IPv4 IKE.
1d23h: ISAKMP (0:0): received 37.205.62.5 packet dport 500 sport Global 500 (I) MM_NO_STATE
1d23h: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
1d23h: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2
1d23h: ISAKMP: (0): treatment ITS payload. Message ID = 0
1d23h: ISAKMP: (0): load useful vendor id of treatment
1d23h: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
1d23h: ISAKMP (0:0): provider ID is NAT - T RFC 3947
1d23h: ISAKMP: (0): pair found pre-shared key matching 37.205.62.5
1d23h: ISAKMP: (0): pre-shared key local found
1d23h: ISAKMP: analysis of the profiles for xauth...
1d23h: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1
1d23h: ISAKMP: DES-CBC encryption
1d23h: ISAKMP: SHA hash
1d23h: ISAKMP: default group 1
1d23h: ISAKMP: pre-shared key auth
1d23h: ISAKMP: type of life in seconds
1d23h: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80
1d23h: ISAKMP: (0): atts are acceptable. Next payload is 0
1d23h: ISAKMP: (0): Acceptable atts: real life: 0
1d23h: ISAKMP: (0): Acceptable atts:life: 0
1d23h: ISAKMP: (0): fill atts in his vpi_length:4
1d23h: ISAKMP: (0): fill atts in his life_in_seconds:86400
1d23h: ISAKMP: (0): return real life: 86400
1d23h: ISAKMP: (0): timer life Started: 86400.
1d23h: ISAKMP: (0): load useful vendor id of treatment
1d23h: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
1d23h: ISAKMP (0:0): provider ID is NAT - T RFC 3947
1d23h: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
1d23h: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2
1d23h: ISAKMP: (0): lot of 37.205.62.5 sending my_port 500 peer_port 500 (I) MM_SA_SETUP
1d23h: ISAKMP: (0): sending a packet IPv4 IKE.
1d23h: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
1d23h: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3
1d23h: ISAKMP (0:0): received 37.205.62.5 packet dport 500 sport Global 500 (I) MM_SA_SETUP
1d23h: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
1d23h: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4
1d23h: ISAKMP: (0): processing KE payload. Message ID = 0
1d23h: ISAKMP: (0): processing NONCE payload. Message ID = 0
1d23h: ISAKMP: (0): pair found pre-shared key matching 37.205.62.5
1d23h: ISAKMP: (1034): load useful vendor id of treatment
1d23h: ISAKMP: (1034): provider ID is the unit
1d23h: ISAKMP: (1034): load useful vendor id of treatment
1d23h: ISAKMP: (1034): provider ID is DPD
1d23h: ISAKMP: (1034): load useful vendor id of treatment
1d23h: ISAKMP: (1034): addressing another box of IOS!
1d23h: ISAKMP: receives the payload type 20
1d23h: ISAKMP: receives the payload type 20
1d23h: ISAKMP (0:1034): NAT found, the node outside NAT
1d23h: ISAKMP: (1034): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
1d23h: ISAKMP: (1034): former State = new State IKE_I_MM4 = IKE_I_MM4
1d23h: ISAKMP: (1034): send initial contact
1d23h: ISAKMP: (1034): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
1d23h: ISAKMP (0:1034): payload ID
next payload: 8
type: 1
address: 217.155.113.179
Protocol: 17
Port: 0
Length: 12
1d23h: ISAKMP: (1034): the total payload length: 12
1d23h: ISAKMP: (1034): lot of 37.205.62.5 sending peer_port my_port 4500 4500 (I) MM_KEY_EXCH
1d23h: ISAKMP: (1034): sending a packet IPv4 IKE.
1d23h: ISAKMP: (1034): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
1d23h: ISAKMP: (1034): former State = new State IKE_I_MM4 = IKE_I_MM5
1d23h: ISAKMP: (1031): serving SA., his is 652D60C8, delme is 652D60C8
1d23h: ISAKMP (0:1033): received 37.205.62.5 packet dport 4500 sport Global 4500 (I) QM_IDLE
1d23h: ISAKMP: node set 33481563 to QM_IDLE
1d23h: ISAKMP: (1033): HASH payload processing. Message ID = 33481563
1d23h: ISAKMP: receives the payload type 18
1d23h: ISAKMP: (1033): treatment remove with load useful reason
1d23h: ISAKMP: (1033): remove the doi = 1
1d23h: ISAKMP: (1033): remove Protocol id = 1
1d23h: ISAKMP: (1033): remove spi_size = 16
1d23h: ISAKMP: (1033): remove the spis num = 1
1d23h: ISAKMP: (1033): delete_reason = 11
1d23h: ISAKMP: (1033): load DELETE_WITH_REASON, processing of message ID = 33481563, reason: Unknown delete reason!
1d23h: ISAKMP: (1033): peer does not paranoid KeepAlive.
1d23h: ISAKMP: (1033): deletion of 'Initial of receive Contact' State HIS reason (I) QM_IDLE (post 37.205.62.5)
1d23h: ISAKMP: (1033): error suppression node 33481563 FALSE reason 'informational (en) State 1.
1d23h: ISAKMP: node set 1618266182 to QM_IDLE
1d23h: ISAKMP: (1033): lot of 37.205.62.5 sending peer_port my_port 4500 4500 (I) QM_IDLE
1d23h: ISAKMP: (1033): sending a packet IPv4 IKE.
1d23h: ISAKMP: (1033): purge the node 1618266182
1d23h: ISAKMP: (1033): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
1d23h: ISAKMP: (1033): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA
1d23h: ISAKMP (0:1034): received 37.205.62.5 packet dport 4500 sport Global 4500 (I) MM_KEY_EXCH
1d23h: ISAKMP: (1034): payload ID for treatment. Message ID = 0
1d23h: ISAKMP (0:1034): payload ID
next payload: 8
type: 1
address: 192.168.248.253
Protocol: 17
Port: 0
Length: 12
1d23h: ISAKMP: (0): peer games * no * profiles
1d23h: ISAKMP: (1034): HASH payload processing. Message ID = 0
1d23h: ISAKMP: (1034): SA authentication status:
authenticated
1d23h: ISAKMP: (1034): SA has been authenticated with 37.205.62.5
1d23h: ISAKMP: try to insert a 217.155.113.179/37.205.62.5/4500/ peer and found existing in a 643BCA10 to reuse, free 652C3B54
1d23h: ISAKMP: Unlocking counterpart struct 0x652C3B54 Reuse existing peer count 0
1d23h: ISAKMP: delete peer node by peer_reap for 37.205.62.5: 652C3B54
1d23h: ISAKMP: lock struct 0x643BCA10, refcount 2 for peer peer reuse existing
1d23h: ISAKMP: (1034): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
1d23h: ISAKMP: (1034): former State = new State IKE_I_MM5 = IKE_I_MM6
1d23h: ISAKMP: (1033): deletion of 'Initial of receive Contact' State HIS reason (I) QM_IDLE (post 37.205.62.5)
1d23h: ISAKMP: (0): cannot decrement IKE Call Admission Control outgoing_active stat because he's already 0.
1d23h: ISAKMP: Unlocking counterpart struct 0x643BCA10 for isadb_mark_sa_deleted(), count 1
1d23h: ISAKMP: (1033): error suppression node 1267924911 FALSE reason 'IKE deleted.
1d23h: ISAKMP: (1033): error suppression node 1074093103 FALSE reason 'IKE deleted.
1d23h: ISAKMP: (1033): node-183194519 error suppression FALSE reason 'IKE deleted.
1d23h: ISAKMP: (1033): error suppression node 33481563 FALSE reason 'IKE deleted.
1d23h: ISAKMP: (1033): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
1d23h: ISAKMP: (1033): former State = new State IKE_DEST_SA = IKE_DEST_SA
1d23h: ISAKMP: (1034): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
1d23h: ISAKMP: (1034): former State = new State IKE_I_MM6 = IKE_I_MM6
1d23h: ISAKMP: (1034): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
1d23h: ISAKMP: (1034): former State = new State IKE_I_MM6 = IKE_P1_COMPLETE
1d23h: ISAKMP: (1034): start Quick Mode Exchange, M - ID 1297417008
1d23h: ISAKMP: (1034): initiator QM gets spi
1d23h: ISAKMP: (1034): lot of 37.205.62.5 sending peer_port my_port 4500 4500 (I) QM_IDLE
1d23h: ISAKMP: (1034): sending a packet IPv4 IKE.
1d23h: ISAKMP: (1034): entrance, node 1297417008 = IKE_MESG_INTERNAL, IKE_INIT_QM
1d23h: ISAKMP: (1034): former State = new State IKE_QM_READY = IKE_QM_I_QM1
1d23h: ISAKMP: (1034): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
1d23h: ISAKMP: (1034): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
1d23h: ISAKMP (0:1034): received 37.205.62.5 packet dport 4500 sport Global 4500 (I) QM_IDLE
1d23h: ISAKMP: node set-874376893 to QM_IDLE
1d23h: ISAKMP: (1034): HASH payload processing. Message ID =-874376893
1d23h: ISAKMP: (1034): treatment protocol NOTIFIER PROPOSAL_NOT_CHOSEN 3
SPI 56853244, message ID =-874376893, his 652CBDC4 =
1d23h: ISAKMP: (1034): removal of spi 56853244 message ID = 1297417008
1d23h: ISAKMP: (1034): node 1297417008 REAL reason error suppression "remove larval.
1d23h: ISAKMP: (1034): node-874376893 error suppression FALSE reason 'informational (en) State 1.
1d23h: ISAKMP: (1034): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
1d23h: ISAKMP: (1034): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
1d23h: ISAKMP (0:1034): received 37.205.62.5 packet dport 4500 sport Global 4500 (I) QM_IDLE
1d23h: ISAKMP: node set 439453045 to QM_IDLE
1d23h: ISAKMP: (1034): HASH payload processing. Message ID = 439453045
1d23h: ISAKMP: (1034): treatment ITS payload. Message ID = 439453045
1d23h: ISAKMP: (1034): proposal of IPSec checking 1
1d23h: ISAKMP: turn 1, ESP_AES
1d23h: ISAKMP: attributes of transformation:
1d23h: ISAKMP: program is 3 (Tunnel-UDP)
1d23h: ISAKMP: type of life in seconds
1d23h: ISAKMP: life of HIS (basic) 3600
1d23h: ISAKMP: type of life in kilobytes
1d23h: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0
1d23h: ISAKMP: key length is 128
1d23h: ISAKMP: (1034): atts are acceptable.
1d23h: ISAKMP: (1034): IPSec policy invalidated proposal with error 32
1d23h: ISAKMP: (1034): politics of ITS phase 2 is not acceptable! (local 217.155.113.179 remote 37.205.62.5)
1d23h: ISAKMP: node set 1494356901 to QM_IDLE
1d23h: ISAKMP: (1034): Protocol to send NOTIFIER PROPOSAL_NOT_CHOSEN 3
SPI 1687353736, message ID = 1494356901
1d23h: ISAKMP: (1034): lot of 37.205.62.5 sending peer_port my_port 4500 4500 (I) QM_IDLE
1d23h: ISAKMP: (1034): sending a packet IPv4 IKE.
1d23h: ISAKMP: (1034): purge the node 1494356901
1d23h: ISAKMP: (1034): error suppression node 439453045 REAL reason "QM rejected."
1d23h: ISAKMP: (1034): entrance, node 439453045 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
1d23h: ISAKMP: (1034): former State = new State IKE_QM_READY = IKE_QM_READY
1d23h: ISAKMP: (1032): purge the node 1513722556
1d23h: ISAKMP: (1032): purge the node-643121396
1d23h: ISAKMP: (1032): purge the node 1350014243
1d23h: ISAKMP: (1032): purge the node 83247347

Hi Nav,
I'm happy it's working now. Your interpretation is correct. Transport mode IPsec encrypts the payload, while tunnel mode encrypts the whole IP packet (original header and payload) and inserts a new IP header. Thus, tunnel mode is used for IPsec site-to-site VPN and transport mode is used for point-to-point IPsec VPN. When GRE is used with IPsec, all packets are encapsulated with a GRE header first, so essentially this is a point-to-point IPsec VPN.
The problem you are having with tunnel mode: the router's packet is going to be wrapped with a GRE header with source 192.168.248.253 and destination 217.155.113.179. The whole packet is then encrypted and a new header is added with the same source/destination. This new header will be translated by the FW, but the encapsulated and encrypted GRE header will not be. When the packet arrives at Router B, after decrypting the packet, Router B will see the GRE header, whose source/destination differ from the tunnel source/destination it uses. This breaks the GRE tunnel and the routing protocol between Router A and Router B.
HTH,
Lei Tian
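The packet layout Lei Tian describes, worked through as an added example (this is not code from the thread or from Cisco): Router A wraps GRE in IPsec in either tunnel or transport mode, the Fortigate rewrites only the cleartext outer IP header, and Router B checks the IP source of the decrypted GRE packet against its tunnel destination. The addresses are the thread's; the encryption itself and the NAT-T UDP wrapper are left out of the model, and the "OSPF hello" payload is a constructed placeholder.

```python
"""Model of a GRE-over-IPsec tunnel crossing a NAT device, tunnel vs transport mode.

Added example, not code from the thread. The Fortigate rewrites only the cleartext
outer IP header, so in tunnel mode the encrypted inner header still carries
Router A's private address and Router B's GRE tunnel rejects it. The addresses are
the thread's; real encryption and the NAT-T UDP wrapper are left out of the model."""
from dataclasses import dataclass
from typing import Any, Dict

ROUTER_A_PRIVATE = "192.168.248.253"   # Router A's address behind the Fortigate
ROUTER_A_PUBLIC = "37.205.62.5"        # source address after the Fortigate's NAT
ROUTER_B = "217.155.113.179"


@dataclass
class IPPacket:
    src: str
    dst: str
    payload: Any   # a GRE dict, or {"esp": <encrypted content>}


def gre_frame(data: str) -> Dict[str, str]:
    """GRE header Router A's Tunnel interface puts in front of the routed data."""
    return {"proto": "gre", "data": data}


def router_a_encrypt(mode: str, data: str) -> IPPacket:
    """Router A: GRE-encapsulate, then protect with IPsec in the given mode."""
    if mode == "tunnel":
        # Tunnel mode: the whole original IP packet (IP header + GRE) is encrypted
        # and a new IP header with the same src/dst is prepended.
        original = IPPacket(ROUTER_A_PRIVATE, ROUTER_B, gre_frame(data))
        return IPPacket(ROUTER_A_PRIVATE, ROUTER_B, {"esp": original})
    if mode == "transport":
        # Transport mode: only the payload (GRE + data) is encrypted; the original
        # IP header stays in the clear and is the only IP header on the wire.
        return IPPacket(ROUTER_A_PRIVATE, ROUTER_B, {"esp": gre_frame(data)})
    raise ValueError(f"unknown IPsec mode {mode!r}")


def fortigate_snat(pkt: IPPacket) -> IPPacket:
    """The firewall can only rewrite the header it sees; ESP content is opaque to it."""
    if pkt.src == ROUTER_A_PRIVATE:
        return IPPacket(ROUTER_A_PUBLIC, pkt.dst, pkt.payload)
    return pkt


def router_b_decrypt(pkt: IPPacket) -> IPPacket:
    """Router B removes ESP and returns the IP packet that carries the GRE header."""
    content = pkt.payload["esp"]
    if isinstance(content, IPPacket):
        return content                              # tunnel mode: inner header reappears
    return IPPacket(pkt.src, pkt.dst, content)      # transport mode: outer header is reused


def gre_tunnel_accepts(pkt: IPPacket, tunnel_destination: str) -> bool:
    """Router B's Tunnel interface only matches GRE whose IP source is its tunnel destination."""
    return pkt.payload.get("proto") == "gre" and pkt.src == tunnel_destination


def simulate(mode: str) -> bool:
    """Full path A -> Fortigate -> B; True when B's GRE tunnel accepts the packet."""
    on_wire = fortigate_snat(router_a_encrypt(mode, "OSPF hello"))   # constructed payload
    decrypted = router_b_decrypt(on_wire)
    # Router B's tunnel is configured toward Router A's public (post-NAT) address.
    return gre_tunnel_accepts(decrypted, ROUTER_A_PUBLIC)


if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        print(f"{mode:9s}: GRE accepted by Router B = {simulate(mode)}")
```

Running it shows tunnel mode delivering a GRE packet sourced from 192.168.248.253 to Router B, which does not match its tunnel destination of 37.205.62.5, while in transport mode the translated outer header is the one Router B routes on.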
-
Phone layout is used by default whatever device accesses the site
I tried to figure this out on my own and have had zero luck after hours and hours. I hope someone can provide assistance.
I have built many sites using Muse; if I build a 'Phone' layout and upload it together with the 'Desktop' or 'Tablet' layout, the 'Phone' layout comes up every time, no matter which device is used to access the site. The current site I'm working on, where I need to get the mobile layout working for the client, is www.limegreenmasonry.com .
I tested the site from my Surface Pro 3, Nexus 5 and Nexus 7, all with the same result of the 'Phone' layout loading by default. I use the latest version of Muse, but had these problems with the last build too. Firefox is running on the SP3, mobile Chrome on the Nexus 5 and Nexus 7.
Help would be very much appreciated.
Remove the following custom code from the section of the Page Properties or the Site Properties:
Muse.Redirect.redirect('desktop', '', 'phone/index.html', '');
Not sure why that would have been added, but it certainly should not be there.
Then update to the recently published Muse 2015.1 release and re-publish/upload.
There was a bug which resulted in a Muse-generated site wrongly redirecting to the phone layout in some browsers on Windows 10 if the computer or device has a HiDPI touch screen (i.e. a Surface Pro or a similar laptop/tablet hybrid with a HiDPI screen). The 2015.1 release changes Muse's output to properly handle the display information provided by browsers when running on Windows 10.
That said, there is still a philosophical question about whether a hybrid device such as a Surface Pro is a desktop computer or a tablet, and there is certainly no consensus. The IE and Edge browsers act mainly as if it is a tablet. Chrome and Firefox act like the desktop browsers they are. To complicate things more, a Muse site chooses whether to load your tablet or desktop layout by looking at the browser's "reference pixel" width of your screen. So depending on the browser used, the physical screen size, the display settings (i.e. the "Display scaling" setting) and the device orientation (portrait or landscape), you might get the tablet layout, or you might get the desktop layout.
It is generally good practice to provide 'Go to desktop site', 'Go to tablet site' and 'Go to phone site' links when creating an adaptive site.
-
Using the same transform set on several site to site VPN tunnels
Hi all. I have a rather strange situation with a site-to-site VPN tunnel.
On one end I have a PIX 501 and on the other end an ASA5505, with a tunnel set up between them.
The problem is that from the PIX side I can't establish the tunnel, but when the traffic starts from the ASA side the tunnel is established as usual.
I checked the configurations on both ends and the keys, passwords and mirrored ACLs seem OK. The only thing that catches my attention is that I have the same transform set used for 2 different tunnels on the PIX side.
Can I use the same transform set on several tunnels or should I define a different transform set for each tunnel? Could that be the source of the problem?
Use this on the PIX:
crypto map set pfs group2
Or on the ASA, use:
crypto map set pfs group1
-
Cannot ping computers on the remote subnet while the site to site VPN is up
Hi all
I encountered a site-to-site VPN problem where pings to machines on the remote subnet get no reply.
The IPsec tunnel is OK and I can ping the remote ASA's inside interface IP.
Here is my scenario:
LAN1 - ASA5510 - ASA5505 - LAN2 - remote_computer
LAN1: 192.168.x.0/24
LAN2: 172.25.88.0/24
remote_machine_ip: 172.25.87.30
LAN1 can ping the ASA5505 inside interface (172.25.88.1)
but cannot ping remote_computer (172.25.87.30)
The ASA5505 inside interface can ping remote_computer
LAN2 can ping the ASA5510 inside interface and the machines on LAN1
Is there something I missed?
Thanks much for any reply
I don't think that's something you really want to do.
If you PAT the whole LAN1 subnet (192.168.1.0/24) to 172.25.249.1, then LAN2 will not be able to reach specific hosts on LAN1, because now you represent the LAN1 network with a single IP address.
So traffic becomes one-way: LAN1 can reach LAN2 and get the response from LAN2 through the PAT on 172.25.249.1,
but LAN2 can no longer send traffic to specific LAN1 host IPs, since you only have 172.25.249.1 to represent the LAN1 subnet.
If you still want to PAT the whole LAN1 subnet (192.168.1.0/24) to 172.25.249.1, then you have to do outside NAT.
http://www.Cisco.com/en/us/customer/docs/security/ASA/asa80/command/reference/no.html#wp1737858
Kind regards
-
Troubleshooting IPSec Site to Site VPN between ASA and 1841
Hi all
In the past I've implemented several VPN connections between ASA devices. So I thought a site-to-site link between an ASA and an 1841 would be easier... But it seems I was mistaken.
I configured a Site to Site VPN as described in Document ID 110198: IPsec Site to Site VPN between ASA/PIX and an IOS Router Configuration Example (I have not used SDM but CCP).
I ran the wizards on the ASA with ASDM and on the 1841, running IOS version 15.1, with CCP.
It seems Phase 1 and 2 are coming up, although my ASA in ASDM (Monitoring > VPN > VPN Statistics > Sessions) reports a tunnel established with some Tx traffic but 0 Rx traffic.
On the ASA:
Output of the command: "sh crypto ipsec sa peer 217.xx.yy.zz"
peer address: 217.86.154.120
    Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc
      access-list outside_2_cryptomap_1 extended permit ip 192.168.37.0 255.255.255.0 172.20.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (LAN-A/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (LAN-G/255.255.255.0/0/0)
      current_peer: 217.xx.yy.zz
      #pkts encaps: 400, #pkts encrypt: 400, #pkts digest: 400
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 400, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 62.aa.bb.cc, remote crypto endpt.: 217.xx.yy.zz
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 39135054
      current inbound spi : B2E9E500
    inbound esp sas:
      spi: 0xB2E9E500 (3001672960)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
         sa timing: remaining key lifetime (kB/sec): (4374000/1598)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x39135054 (957567060)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
         sa timing: remaining key lifetime (kB/sec): (4373976/1598)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
Output of the command: "sh crypto isakmp sa"
   Active SA: 4
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 4
    IKE Peer: 217.xx.yy.zz
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
On the 1841:
1841#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
217.86.154.120  62.153.156.163  QM_IDLE           1002 ACTIVE
1841#sh crypto ipsec sa
interface: Dialer1
    Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
   current_peer 62.153.156.163 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
     current outbound spi: 0xB2E9E500(3001672960)
     PFS (Y/N): Y, DH group: group2
     inbound esp sas:
      spi: 0x39135054(957567060)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505068/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xB2E9E500(3001672960)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505118/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
interface: Virtual-Access1
    Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
   current_peer 62.153.156.163 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
     current outbound spi: 0xB2E9E500(3001672960)
     PFS (Y/N): Y, DH group: group2
     inbound esp sas:
      spi: 0x39135054(957567060)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505068/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xB2E9E500(3001672960)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505118/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
It seems that the routing on the 1841 is working properly, as I can tear down the tunnel and bring it up again by pinging a host on the remote network from the 1841, but not vice versa.
The Troubleshoot VPN report on the 1841 shows a message like "the following sources are forwarded through the crypto map interface (172.20.2.0 1). Go to Configure -> Routing and correct the routing table."
I have not found an error in the 1841 config, so if one of the guys reading this thread has an idea I would highly appreciate any hint!
This is the running configuration of the 1841:
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1841
!
boot-start-marker
boot system flash c1841-adventerprisek9-mz.151-1.T.bin
boot-end-marker
!
logging buffered 51200 notifications
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
!
memory-size iomem 20
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
dot11 syslog
ip source-route
!
no ip dhcp use vrf connected
!
ip cef
no ip bootp server
ip domain name test
ip name-server 194.25.2.129
ip name-server 194.25.2.130
ip name-server 194.25.2.131
ip name-server 194.25.2.132
ip name-server 194.25.2.133
no ipv6 cef
!
multilink bundle-name authenticated
!
!
object-group network phone
 description VoIP phone
 host 172.20.2.50
 host 172.20.2.51
!
redundancy
!
!
controller DSL 0/0/0
 mode atm
 dsl-mode shdsl symmetric annex B
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key * address 62.aa.bb.cc
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to62.aa.bb.cc
 set peer 62.aa.bb.cc
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 100
!
!
!
interface FastEthernet0/0
 description DMZ$FW_OUTSIDE$
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $ETH-LAN$$FW_INSIDE$
 ip address 172.20.2.254 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
 pvc 1/32
  pppoe-client dial-pool-number 1
!
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 2
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxx
 ppp chap password 7 xxxxxxx8
 ppp pap sent-username xxxxxxx password 7 xxxxxxx
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
ip nat inside source static tcp 10.10.10.1 25 interface Dialer1 25
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip nat inside source route-map SDM_RMAP_2 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
logging trap notifications
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.20.2.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 deny   ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
route-map SDM_RMAP_2 permit 1
 match ip address 102
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 length 0
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 172.20.2.250 prefer
end
As I mentioned previously: any hint is much appreciated!
Best regards
Joerg
Joerg,
The ASA is not receiving any VPN packets because IOS is not sending anything.
Try sending packets from the 1841 LAN to the ASA LAN and see if "sh cry ips sa" on the 1841 increments the encrypted packets (it does not).
So the problem seems to be on the router side.
I would think it is a routing problem, but you only have one default gateway (no other routes on the router).
ACL 100 is set to encrypt the traffic between the two subnets.
It seems that ACL 101 is also bypassing NAT for the VPN traffic.
Try this:
Try sourcing traffic from the router's inside LAN IP (ping 192.168.37.x source 172.20.2.254) and see if the packets are skipping the translation and getting encrypted.
I would also remove ACL 100 from the inside interface on the router, because it is used for the VPN. You can create another ACL to apply to the interface.
Federico.
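Federico's diagnosis rests on reading the encaps/decaps counters on both ends of the same SA pair: the ASA encrypts 400 packets and the 1841 decrypts 585, but the 1841 encrypts nothing, so the ASA has nothing to decrypt. The following is an added helper, not code from the thread or from Cisco, that parses those counter lines out of "show crypto ipsec sa" text and names the broken direction. The two sample outputs are constructed from the numbers in the post; the verdict wording is my own.

```python
import re

# Constructed samples, shaped like the "show crypto ipsec sa" counter lines in
# the post (ASA on one side, IOS 1841 on the other); only these lines are parsed.
ASA_SA = """\
      #pkts encaps: 400, #pkts encrypt: 400, #pkts digest: 400
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""
IOS_SA = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
    #send errors 0, #recv errors 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|verify|digest):\s*(\d+)")
# ASA writes "#send errors: 0", IOS writes "#send errors 0"; accept both.
ERROR_RE = re.compile(r"#(send|recv) errors:?\s*(\d+)")


def parse_counters(output: str) -> dict:
    """Return {'encaps': n, 'decaps': n, ..., 'send_errors': n, 'recv_errors': n}."""
    counters = {name: int(val) for name, val in COUNTER_RE.findall(output)}
    counters.update({f"{name}_errors": int(val) for name, val in ERROR_RE.findall(output)})
    return counters


def diagnose(a_name: str, a_output: str, b_name: str, b_output: str) -> list:
    """One finding per broken direction. Both outputs are assumed to describe
    the same SA pair (matching SPIs), which is what the post shows."""
    a, b = parse_counters(a_output), parse_counters(b_output)
    findings = []
    for s_name, s, d_name, d in ((a_name, a, b_name, b), (b_name, b, a_name, a)):
        if s.get("encaps", 0) == 0:
            findings.append(
                f"{s_name} encrypts nothing: traffic never reaches its crypto map "
                f"(routing, NAT applied before encryption, or crypto ACL mismatch on {s_name})")
        elif d.get("decaps", 0) == 0:
            findings.append(
                f"{s_name} encrypts {s['encaps']} pkts but {d_name} decrypts none: "
                f"ESP is dropped between the peers or the SPIs do not match")
        elif s.get("send_errors", 0) or d.get("recv_errors", 0):
            findings.append(f"{s_name} -> {d_name}: send/recv errors present, check MTU and replay drops")
    return findings


if __name__ == "__main__":
    for line in diagnose("ASA", ASA_SA, "1841", IOS_SA):
        print(line)
```

Run against the two outputs from the post it reports a single finding, the 1841 direction, which is the side Federico tells Joerg to look at. A bidirectional "ESP dropped in transit" verdict would instead point at something between the peers.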
-
RV180 restrict access to the Site to Site VPN
Hello
I'm trying to set up my network so that VPN traffic is routed only to a single physical port on the RV180, or to a certain subset of devices on a network.
I have a site-to-site VPN configured in a home office, connecting to the corporate network. The user has a couple of devices on the home network that need to access the corporate network.
We'd like to leave his PC accessible to both the home network and the corporate network, but prevent the other devices from accessing the VPN.
I think I could do it by playing with the subnet, but I just can't get my head around it.
It must be something simple-ish to do, isn't it?
I'd appreciate any help you have.
Thank you
Gary
Hi guys, here's a hypothetical situation.
VLAN 1 is port 1
VLAN 2 is port 2
VLAN 1 has a switch connected to your local network services
VLAN 2 has a switch to carry your VPN.
The port configuration for each port would be untagged in the respective VLAN.
You can disable inter-VLAN routing on the router to prohibit inter-VLAN communication. But also, and most importantly, the VPN is subnet-specific, meaning you specify the specific IP subnet in the tunnel config; since the config does not include a second subnet, that subnet's traffic will not work in the tunnel.
-Tom
Please mark helpful replies -
Site to site VPN with IOS router
I want to create a site-to-site VPN over the Internet. At the remote site, apart from the VPN to the head office, there should be no traffic allowed from the Internet into the internal network, and there should be no traffic allowed from the internal network to the Internet. The internal network will run a private 192.168.x.x address range.
I'm going to use a Cisco 2811 Integrated Services Router at the remote site, and this will run an IPSec VPN that will terminate on a concentrator at Headquarters. I understand that this router has an IOS firewall and IPS built in.
Would I be right in thinking that, because I don't want to have Internet access (except the VPN), I shouldn't need to configure the IOS firewall features on the router? And there would be no point in configuring the IPS features, would there?
My thinking is that a single access-list entry of deny ip any any, applied inbound to the interface that connects to the Internet, would be the best strategy. I think the command "sysopt connection permit-ipsec" should allow the VPN to form even with the deny ip any any ACL (or is it just a PIX command? If so, then I'd have to permit ESP and UDP 500 (ISAKMP) from the public address of the concentrator at Headquarters to allow the VPN to form, wouldn't I?).
I think I'll probably expand the access list slightly to allow ICMP, SSH and HTTPS traffic from the IP address of the head office outside firewall, so that I can monitor the remote site and access it safely if the VPN fails.
And I wouldn't need an access list on the interface connected to the internal network, I would think, because the address range would not be routable, so they would not be able to initiate connections to the Internet (all the traffic to the remote site is specified as interesting traffic to bring up the VPN).
Using any of the IOS Firewall inspect commands or the IPS would be useless and have no effect in this case, wouldn't it?
I really just need to know if the deny ip any any ACL on the external interface at the remote site is the best solution (and the simplest), and whether it will be secure.
We used to use PIX firewalls for the remote site-to-site VPNs, which refuse incoming connections on the external interface by default, but now I have been informed that these 2800 series routers will be used from now on, so I would like to get my thoughts straight and be able to build something secure that does the same job all the existing PIXes are doing (they are all set up just for the VPN to Headquarters, as in the first paragraph).
I would appreciate any advice or thoughts on the subject. I'm sure there must be a ton of people who set up routers for the same purpose.
Thank you in advance.
Pete.
Pete
I have done a lot of site-to-site VPN implementations using IOS routers. They work very well. Based on my experience I offer these comments and hope they will help you:
- you do want an inbound access list on the external interface, but you want more in it than simply deny ip any any. There is no sysopt connection permit-ipsec in IOS, so you certainly want to permit ISAKMP and IPSec/ESP. I suggest that you also want to permit SSH. I would permit ICMP, but only from the address space of the head end network. I do not permit HTTPS since I generally do not enable the http server on the router. If you want HTTPS then certainly permit it. To facilitate ping and traceroute from the remote, I frequently permit icmp echo-reply, time-exceeded and port-unreachable from any source.
- I do want an inside interface access list. There are certain types of traffic that I don't want sent from the remote LAN. I usually deny any SNMP or SNMP traps to LAN devices and deny ICMP redirects out of the local network. I also often configure RPF checks on the inside interface to catch any device that is misconfigured.
- If you want to permit SSH when the VPN is not active (and I highly recommend that you do) then you will probably need to configure at least 1 (and maybe more) user ID and password on the router. And you want to configure authentication on the vty to use local authentication if the head end authentication server is not available.
- I'm not clear from your description whether you plan to run a dynamic routing protocol over the VPN. I would want a dynamic routing protocol because I want to advertise a default route to the remote via the VPN. I do not locally configure a default route on the remote router. This way, if the VPN tunnel is up there is a default route pointing to the tunnel, and if the VPN tunnel is not up then there is no local default route and users at the remote site cannot access the Internet. It is a simple and very effective method to ensure that all user traffic must pass through the central site.
- regarding the static routes defined on the remote router, my approach is that I define a static route for the tunnel endpoint to allow the tunnel to come up, and I configure static routes for the head end subnet from which I SSH. And I do not configure other static routes on the remote router.
- You probably want to disable cdp on the external interface and also disable proxy-arp (and I do no ip unreachables).
- There is frequently a problem when using site-to-site VPN with fragmentation. If a device on the local network sends a maximum-size frame, and then the router needs to add additional headers for IPSec, then the frame is too large and requires fragmentation. I like to use ip tcp adjust-mss to control the segment size for TCP traffic and avoid any problems with fragmentation.
- I don't think you want to set up the firewall or IPS features of IOS on the 2811.
I hope that your implementation goes well and that my suggestions may be useful.
[edit] after posting my response, I read through your post again and realize that you are connecting to a VPN concentrator. The approach I proposed about running a routing protocol works for me because I usually have an IOS router at the head end. It would not work connecting to a concentrator.
HTH
Rick
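Rick's fragmentation point is simple arithmetic once the ESP tunnel-mode layout is written down, and the numbers are worth seeing because the ASA output earlier in this thread reports "ipsec overhead 58" for the same esp-3des esp-sha-hmac transform. The block below is an added example, not from the thread or from Cisco: it sizes an ESP tunnel-mode packet for a given inner packet (outer IPv4 header, ESP header, IV, padding to the cipher block, pad-length and next-header bytes, ICV) and derives the largest TCP MSS that still fits the path MTU after encapsulation. The defaults (8-byte IV and block, 12-byte ICV) model 3DES-CBC with HMAC-SHA1-96; other algorithms are passed as parameters.

```python
# Added example (not from the thread): why a full-size TCP segment fragments
# after ESP tunnel-mode encapsulation, and what MSS clamp avoids it.

OUTER_IP_HDR = 20   # new IPv4 header added by tunnel mode
ESP_HDR = 8         # SPI + sequence number
ESP_TRAILER = 2     # pad length + next header


def esp_tunnel_size(inner_len: int, iv_len: int = 8, icv_len: int = 12, block: int = 8) -> int:
    """Bytes on the wire for an ESP tunnel-mode packet carrying an inner IP
    packet of inner_len bytes. Inner packet + padding + trailer must be a
    multiple of the cipher block size (CBC ciphers such as 3DES and AES-CBC).
    Defaults model esp-3des esp-sha-hmac: 8-byte IV/block, 96-bit ICV."""
    pad = (-(inner_len + ESP_TRAILER)) % block
    return OUTER_IP_HDR + ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + icv_len


def needs_fragmentation(inner_len: int, path_mtu: int = 1500, **esp) -> bool:
    """True when the encrypted packet no longer fits the path MTU."""
    return esp_tunnel_size(inner_len, **esp) > path_mtu


def worst_case_overhead(iv_len: int = 8, icv_len: int = 12, block: int = 8) -> int:
    """Largest possible overhead: maximum padding is block - 1 bytes."""
    return OUTER_IP_HDR + ESP_HDR + iv_len + (block - 1) + ESP_TRAILER + icv_len


def max_tcp_mss(path_mtu: int = 1500, ip_hdr: int = 20, tcp_hdr: int = 20, **esp) -> int:
    """Largest MSS (value for 'ip tcp adjust-mss') such that a full segment,
    once encapsulated, still fits path_mtu without fragmentation."""
    return path_mtu - worst_case_overhead(**esp) - ip_hdr - tcp_hdr


if __name__ == "__main__":
    # A host on a 1500-byte LAN sends a 1460-byte TCP segment (1500-byte IP packet).
    print("1500-byte packet after ESP:", esp_tunnel_size(1500), "bytes")
    print("fragments on a 1500 path?", needs_fragmentation(1500))
    print("MSS clamp for 1500-byte path:", max_tcp_mss(1500))
    # AES-CBC (16-byte IV/block) with HMAC-SHA-256-128 (16-byte ICV) for comparison
    print("MSS clamp, AES-CBC/SHA-256:", max_tcp_mss(1500, iv_len=16, icv_len=16, block=16))
```

The model gives a worst-case overhead of 57 bytes for 3DES/SHA-1, one byte less than the 58 the ASA prints; treat the device's own figure as authoritative and the function as a way to reason about the layout. Applied to the 1841 configuration posted earlier in this thread, which clamps the MSS to 1412 against an ip mtu of 1452 on Dialer1, the arithmetic shows 1412 + 40 + 57 exceeds 1452, so a full segment still has to be fragmented after encryption; the function returns 1355 for that MTU.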
-
Multiple subnets in a Site to Site VPN
Hi guys,
I would like to set up a site-to-site VPN tunnel with multiple subnets. I could not find a configuration that matches my problem. I hope you can help me with the solution.
You can find my network design attached to this topic.
This is my setup on the ASA:
(1) NAT exemption for the traffic going to the Site to Site VPN.
nat (MGMTLAN,INT-STSVPN) source static 192.168.10.0 192.168.10.0 destination static 192.168.31.0 192.168.31.0
nat (inside,INT-STSVPN) source static 192.168.15.0 192.168.15.0 destination static 192.168.38.0 192.168.38.0
(2) the access list with the traffic to encrypt
object-group network 192.168.10.0
 network-object 192.168.10.0 255.255.255.0
object-group network 192.168.15.0
 network-object 192.168.15.0 255.255.255.0
object-group network 192.168.38.0
 network-object 192.168.38.0 255.255.255.0
object-group network 192.168.31.0
 network-object 192.168.31.0 255.255.255.0
object-group network STSVPN-LOCAL
 group-object 192.168.10.0
 group-object 192.168.15.0
object-group network STSVPN-US
 group-object 192.168.38.0
 group-object 192.168.31.0
access-list ACL_STSVPN-US extended permit ip object-group STSVPN-LOCAL object-group STSVPN-US
(3) phase 1 proposal
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
(4) phase 2 proposal
crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-256
(5) tunnel group
tunnel-group 4.4.4.4 type ipsec-l2l
tunnel-group 4.4.4.4 general-attributes
 default-group-policy GrpPolicy-STSVPN-US
tunnel-group 4.4.4.4 ipsec-attributes
 ikev2 remote-authentication pre-shared-key abcd
 ikev2 local-authentication pre-shared-key abcd
Group Policy
group-policy GrpPolicy-STSVPN-US internal
group-policy GrpPolicy-STSVPN-US attributes
 vpn-filter value STSVPN-US
 vpn-tunnel-protocol ikev2
(5) crypto map
crypto map CM-STSVPN 10 match address STSVPN-US
crypto map CM-STSVPN 10 set peer 4.4.4.4
crypto map CM-STSVPN 10 set ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA
crypto map CM-STSVPN interface INT-STSVPN
crypto ikev2 enable INT-STSVPN
/////////////////////////////////////////////////////////////////////
The router configuration:
(1) SA part
crypto ikev2 proposal ki2.PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy ki2.POL
 proposal ki2.PROP
crypto ikev2 keyring KR1
 peer ASALAB
  address 2.2.2.2
  pre-shared-key local abcd
  pre-shared-key remote abcd
crypto ikev2 profile ki2.PROF
 match identity remote address 2.2.2.2 255.255.255.255
 identity local address 4.4.4.4
 authentication remote pre-share
 authentication local pre-share
 keyring local KR1
(2) Transform set
crypto ipsec transform-set TS.VPN2 esp-aes 256 esp-sha256-hmac
 mode tunnel
(3) access-list
ip access-list extended ACL.VPNIKE2
 permit ip 192.168.31.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.38.0 0.0.0.255 192.168.15.0 0.0.0.255
(5) crypto map
crypto map CM.VPN 30 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TS.VPN2
 set pfs group14
 set ikev2-profile ki2.PROF
 match address ACL.VPNIKE2
//////////////////////////////////////////////////////////////////////
Is this configuration correct to allow both subnets on each side of the VPN tunnel to communicate with each other?
Subnet 192.168.31.0 cannot communicate with 192.168.10.0
Subnet 192.168.38.0 cannot communicate with 192.168.15.0
Hello Jay,
I went over the configuration of the two devices and noticed a few errors in the ASA configuration. Details here:
(1) the access list configured for the VPN traffic is named ACL_STSVPN-US, however the match address configured on the crypto map uses an object-group name instead:
crypto map CM-STSVPN 10 match address STSVPN-US
You must change this to avoid problems with the negotiation of the traffic:
no crypto map CM-STSVPN 10 match address STSVPN-US
crypto map CM-STSVPN 10 match address ACL_STSVPN-US
(2) you also have the same error on the configured vpn-filter. However, you could not use the access list ACL_STSVPN-US for the VPN filter, since the ASA will filter incoming packets only. In this case the appropriate ACL will be configured from the remote networks (ROUTER) to the local networks (ASA). It will look something like this:
access-list VPN_filter extended permit ip object-group STSVPN-US object-group STSVPN-LOCAL
group-policy GrpPolicy-STSVPN-US attributes
 vpn-filter value VPN_filter
Keep in mind that the VPN filter consists of rules that determine whether to permit or deny tunneled data packets coming through the security appliance, based on criteria such as source address, destination address and protocol. If you want to use the IP protocol, the filter will not make a difference.
(3) PFS group 14 is configured on the router crypto map, but not on the ASA. You need to either add it to the ASA crypto map or remove it from the router.
ASA:
crypto map CM-STSVPN 10 set pfs group14
Router:
crypto map CM.VPN 30 ipsec-isakmp
 no set pfs group14
Hope this helps you bring up the tunnel,
Luis.
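Luis found the two ASA-side errors by comparing the posted configurations parameter by parameter. The block below is an added consistency checker, not code from the thread or from Cisco, that does that comparison mechanically: it normalises the vendors' different spellings of the same algorithm (aes-cbc-256 on IOS, aes-256 on the ASA, esp-sha256-hmac versus sha-256) and then reports any crypto map whose match address does not name an access list, any phase 1 or phase 2 parameter that differs, and any PFS mismatch. The two dictionaries transcribe the values Jay posted; one assumption is marked in the code: the router's IKEv2 proposal has no prf line, and the checker assumes IOS then uses the integrity algorithm as PRF, which makes PRF match and keeps the focus on the differences Luis named.

```python
import re


def norm(alg):
    """Collapse vendor spellings so ASA and IOS values compare equal:
    'aes-cbc-256', 'aes-256', 'esp-aes 256' -> 'aes256';
    'sha256', 'sha-256', 'esp-sha256-hmac' -> 'sha256'."""
    if alg is None:
        return None
    s = re.sub(r"[^a-z0-9]", "", str(alg).lower())
    for noise in ("esp", "cbc", "hmac"):
        s = s.replace(noise, "")
    return s


# Values transcribed from the two configurations in the post; names are the post's own.
ASA_SIDE = {
    "name": "ASA",
    "ike": {"encryption": "aes-256", "integrity": "sha256", "group": "14", "prf": "sha256"},
    "ipsec": {"encryption": "aes-256", "integrity": "sha-256"},
    "pfs": None,                     # no 'set pfs' on crypto map CM-STSVPN as posted
    "match_address": "STSVPN-US",    # as posted: an object-group name, not an ACL
    "access_lists": {"ACL_STSVPN-US"},
}
ROUTER_SIDE = {
    "name": "router",
    # assumption: with no 'prf' line, IOS IKEv2 uses the integrity algorithm as PRF
    "ike": {"encryption": "aes-cbc-256", "integrity": "sha256", "group": "14", "prf": "sha256"},
    "ipsec": {"encryption": "esp-aes 256", "integrity": "esp-sha256-hmac"},
    "pfs": "group14",
    "match_address": "ACL.VPNIKE2",
    "access_lists": {"ACL.VPNIKE2"},
}


def check_pair(a: dict, b: dict) -> list:
    """Return human-readable issues; an empty list means the two sides agree."""
    issues = []
    for side in (a, b):
        if side["match_address"] not in side["access_lists"]:
            issues.append(f"{side['name']}: crypto map 'match address {side['match_address']}' "
                          "does not name an access-list")
    for phase in ("ike", "ipsec"):
        for param, value in a[phase].items():
            other = b[phase].get(param)
            if norm(value) != norm(other):
                issues.append(f"{phase} {param} mismatch: {a['name']}={value} {b['name']}={other}")
    if norm(a["pfs"]) != norm(b["pfs"]):
        issues.append(f"PFS mismatch: {a['name']}={a['pfs']} {b['name']}={b['pfs']}")
    return issues


def apply_asa_fix(asa: dict) -> dict:
    """The ASA-side changes Luis proposed: match the real ACL and add PFS group 14."""
    return {**asa, "match_address": "ACL_STSVPN-US", "pfs": "group14"}


if __name__ == "__main__":
    for issue in check_pair(ASA_SIDE, ROUTER_SIDE):
        print("-", issue)
    print("after fix:", check_pair(apply_asa_fix(ASA_SIDE), ROUTER_SIDE))
```

Run on the posted values it reports exactly the crypto map match-address error and the PFS mismatch, and nothing after the ASA-side fix is applied. The vpn-filter direction point is a policy question the checker does not model.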
-
IPSec site to site VPN and cisco VPN client routing problem
Hello
I'm really stuck with the configuration of an IPsec site-to-site VPN (hub to spoke, multiple spokes) with Cisco VPN client remote access to this VPN.
The problem is with remote access (Cisco VPN client access): I can communicate with the hub LAN, but I also need communication from the Cisco VPN client to all the spoke LANs.
On the spokes there is no Cisco hardware in use, only DLINK routers.
Someone told me that it is possible to use NAT to translate the remote access client IPs to the hub LAN and thus allow communication, but I'm unable to set it up and get it working.
Can someone help me please?
Thank you
Peter
SPOKES - not Cisco devices / another vendor
Cisco 1841 HSEC HUB:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key x address xx no-xauth
!
crypto isakmp client configuration group x
 key x
 pool vpnclientpool
 acl 190
 include-local-lan
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set 1cisco esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set 1cisco
!
crypto map ETH0 client authentication list userauthen
crypto map ETH0 isakmp authorization list groupauthor
crypto map ETH0 client configuration address respond
crypto map ETH0 1 ipsec-isakmp
 set peer x
 set transform-set 1cisco
 set pfs group2
 match address 180
crypto map ETH0 10 ipsec-isakmp dynamic dynmap
!
!
interface FastEthernet0/1
 description $ES_WAN$
 crypto map ETH0
!
ip local pool vpnclientpool 192.168.200.100 192.168.200.150
!
!
ip nat inside source list LOCAL interface FastEthernet0/1 overload
!
ip access-list extended LOCAL
 deny   ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.7.0 0.0.0.255 any
!
access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
!
How was the DLINK configured for the traffic between the site-to-site VPN subnets? Are you able to add multiple remote subnets on the DLINK? If you can, then you must add the VPN Client pool subnet.
Alternatively, if you cannot add multiple subnets on the DLINK router, you can change the VPN Client pool to 192.168.6.0/24, and on the crypto ACL for the site-to-site VPN you must edit the existing ACL 180
FROM:
access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255
TO:
access-list 180 permit ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255
Also change the split tunnel ACL 190:
FROM:
access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
TO:
access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
Finally, change the remote subnet on the DLINK from 192.168.7.0/255.255.255.0 to 192.168.6.0/255.255.254.0.
Hope that helps.
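The trick in the answer above is that a crypto ACL line with wildcard 0.0.1.255 covers both 192.168.6.0/24 and 192.168.7.0/24, so a single remote subnet on the DLINK (192.168.6.0/23) carries both the hub LAN and the relocated client pool. The block below is an added example, not code from the thread: it converts IOS wildcard masks to networks, evaluates a numbered extended ACL the way the crypto map does (first match wins, implicit deny), and summarises the two /24s into the /23 the DLINK is given. The sample ACL lines are the ones from the answer; the host addresses used as test flows are constructed.

```python
import ipaddress


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard mask -> network. Only contiguous wildcards (0.0.0.255,
    0.0.1.255, ...) are supported; anything else raises ValueError."""
    w = int(ipaddress.IPv4Address(wildcard))
    bits = w.bit_length()
    if w != (1 << bits) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - bits}", strict=False)


def parse_numbered_acl(lines):
    """Parse 'access-list N permit|deny ip SRC SWC DST DWC' into (action, src, dst)."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) >= 8 and t[0] == "access-list" and t[3] == "ip":
            entries.append((t[2], wildcard_to_network(t[4], t[5]), wildcard_to_network(t[6], t[7])))
    return entries


def is_interesting(entries, src: str, dst: str) -> bool:
    """True when the flow would be sent through the tunnel: first matching
    entry decides, and an unmatched flow hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sn, dn in entries:
        if s in sn and d in dn:
            return action == "permit"
    return False


def summarize(cidrs) -> list:
    """Collapse adjacent networks into the smallest covering set."""
    return [str(n) for n in ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs)]


# Crypto ACL 180 before and after the change proposed in the answer.
OLD_ACL_180 = ["access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255"]
NEW_ACL_180 = ["access-list 180 permit ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255"]


def report() -> dict:
    old, new = parse_numbered_acl(OLD_ACL_180), parse_numbered_acl(NEW_ACL_180)
    return {
        # constructed hosts: a client in the original pool, a client in the new pool,
        # a hub LAN host, and a host outside both
        "old_pool_client_encrypted": is_interesting(old, "192.168.200.101", "192.168.1.10"),
        "new_pool_client_encrypted": is_interesting(new, "192.168.6.101", "192.168.1.10"),
        "hub_lan_host_encrypted": is_interesting(new, "192.168.7.25", "192.168.1.10"),
        "outside_host_encrypted": is_interesting(new, "192.168.8.1", "192.168.1.10"),
        "dlink_remote_subnet": summarize(["192.168.6.0/24", "192.168.7.0/24"]),
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k}: {v}")
```

The wildcard check also catches the classic mistake of a discontiguous mask (for example 0.0.1.0), which IOS accepts but which does not describe a subnet at all.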
-
Design site to Site VPN with NAT traversal issue
Hi, I have a number of site-to-site VPNs that terminate on a PIX. I intend to migrate these VPNs to a router that sits on a DMZ connected to the PIX. Before doing that I'm going to set up a new VPN to terminate on the router, but I also need the VPNs that terminate on the PIX to be unaffected.
If I configure NAT traversal on the PIX, will it affect my other VPNs?
Thanks in advance
DOM
Hi Dom,
Why do you want to configure NAT-Traversal on the PIX, if you wish to terminate your VPN on the router (which is on the DMZ)?
Are you doing any NAT on the PIX towards the router?
If you want to configure NAT-Traversal, it must be configured on the end devices (on the router in your case).
Example:
When a user with the Cisco client or a Cisco router behind NAT wants to connect to another device (such as a PIX, ASA or router), NAT-T must be configured on the head end device (which will be the PIX or ASA).
Hope that helps.
* Please rate the post
-
ASA ASA from Site to Site VPN IPSec Tunnel
Any help would be greatly appreciated...
I have two Cisco ASA devices with a Site to Site IPSec VPN tunnel configured as follows:
Site #1 - Cisco ASA running version 8.2(1) with an internal range of 10.0.0.x/24
Site #2 - Cisco ASA running version 8.2(1) with an internal range of 10.1.1.x/24
Site #1 is simple and has a dynamic NAT rule which translates everything inside to the outside (public IP) of the ASA.
Internet access works very well from all workstations at this site. A static route is configured to redirect all traffic to an upstream public router.
Site #2 is slightly more complicated; the Cisco ASA is configured with 10.1.1.254/24 as its inside IP address and 10.1.2.254/24 as its outside IP address. A dynamic NAT rule is configured to translate everything inside to the 10.1.2.254 (outside) address of the ASA. A default static route is then configured to redirect all traffic to a Draytek device on 10.1.2.253. This device then performs its own private-to-public NAT. Again, the Internet works fine for all hosts inside the Cisco ASA (10.1.1.x).
The IPSec tunnel is created with the local and remote endpoint networks as above (10.0.0.x/24) and (10.1.1.x/24). The Draytek device at Site #2 is configured with a form of DMZ that essentially forwards ALL traffic directly to the outside interface of the ASA (10.1.2.254). Phase 1 and Phase 2 negotiation of the tunnel completes correctly, and the tunnel is formed without any problem. However, ICMP traffic passing between the networks does not complete, and the Syslog reports the following:
Site #1 -
6 January 19, 2011 15:27:21 302020 ZEFF-SB-01_LAN 1 10.1.1.51 0 Built outbound ICMP connection for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1
6 January 19, 2011 15:27:23 302021 10.1.1.51 0 ZEFF-SB-01_LAN 1 Teardown ICMP connection for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1
Site #2 -
6 January 19, 2011 15:24:47 302020 10.1.1.51 0 10.0.0.30 1 Built outbound ICMP connection for faddr 10.0.0.30/1 gaddr 10.1.1.51/0 laddr 10.1.1.51/0
6 January 19, 2011 15:24:49 302021 10.0.0.30 1 10.1.1.51 0 Teardown ICMP connection for faddr 10.0.0.30/1 gaddr 10.1.1.51/0 laddr 10.1.1.51/0
The same happens for any form of traffic passing over the tunnel. The ACL is configured to allow the LAN segments out to any destination. At this point I'm left scratching my head, as my original theory was to blame the Draytek, but after reading the documentation for the DMZ host configuration, it appears that when this parameter is configured all traffic is simply forwarded to the IP address (in this case, the Cisco ASA outside interface).
Can anyone shed light on a possible cause of this problem?
Thank you
Nick
Did you exempt the VPN traffic between 10.0.0.x and 10.1.1.x from being NATed on the two ASAs?
Please provide the following information:
- the tunnel configuration
- show crypto isakmp sa
- show crypto ipsec sa
- ping from site 1 to site 2 via the tunnel
- capture "show crypto ipsec sa" once again
- ping from site 2 to site 1 via the tunnel
- capture "show crypto ipsec sa" once again
- both ASA configurations.
-
Hello
I have created a new site-to-site VPN connection and can't work out why it does not work.
All the other site-to-site VPNs work properly. The new one, the one with the problem, is MATCHJLS. Could anyone recommend steps to correct it?
!
hostname vpn
domain-name
enable password Pp6RUfdBBUU encrypted
passwd ucU7iJnNlZ encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 87.117.xxx.xx 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 78.129.xxx.x 255.255.255.128
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name msiuk.com
same-security-traffic permit inter-interface
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3389
 port-object eq 8080
 port-object eq www
 port-object eq https
object-group service Http81 tcp
 port-object eq 81
object-group service DM_INLINE_TCP_3 tcp
 port-object eq 81
 port-object eq www
object-group network DM_INLINE_NETWORK_1
 network-object host 172.19.60.52
 network-object host 172.19.60.53
 network-object host 172.19.60.68
 network-object host 172.19.60.69
 network-object host 172.19.60.84
 network-object host 172.19.60.85
 network-object host 172.19.60.86
access-list basic extended permit icmp any any echo-reply
access-list basic extended permit icmp any any time-exceeded
access-list basic extended permit tcp any host 78.129.xxx.xx eq 8731
access-list basic extended permit tcp any host 78.129.xxx.xx eq www
access-list basic extended permit tcp any host 78.129.xxx.xx object-group DM_INLINE_TCP_3
access-list basic extended permit tcp any host 78.129.xxx.xx eq www
access-list basic extended permit tcp any host 78.129.xxx.xx eq www
access-list basic extended permit tcp any host 78.129.xxx.xx eq www inactive
access-list basic extended permit tcp any host 78.129.xxx.xx eq www
access-list basic extended permit tcp any host 78.129.xxx.xx eq https
access-list basic extended permit tcp any host 78.129.xxx.xx eq https
access-list basic extended permit tcp any host 78.129.xxx.xx
access-list basic extended permit tcp host 94.128.xxx.xx 78.129.xxx.xx 255.255.255.128 object-group DM_INLINE_TCP_1
access-list SHEEP extended permit ip 10.1.1.0 255.255.255.0 10.255.255.0 255.255.255.0
access-list SPLITTUN standard permit 78.129.xxx.xx 255.255.255.128
access-list SPLITTUN standard permit 10.1.1.0 255.255.255.0
access-list allow extended permit ip any any
access-list MATCHVPN1 extended permit ip host 78.129.xxx.xx host 212.118.157.203
access-list MATCHVPN2 extended permit ip any 212.118.xxx.xx 255.255.255.0
access-list SMTP-NAT extended permit tcp host 78.129.xxx.xx any eq smtp
access-list MATCHVPN3 extended permit ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx
access-list MATCHVPN3 extended permit ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx
access-list MATCHVPN3 extended permit ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx
access-list MATCHVPN4 extended permit ip host 78.129.xxx.xx host 172.16.xxx.xx
access-list MATCHVPN4 extended permit ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx
access-list MATCHVPN4 extended permit ip 78.129.xxx.xx 255.255.255.248 host 172.17.xxx.xx
access-list MATCHVPN4 extended permit ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx
access-list MATCHVPN4 extended permit ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx
access-list MATCHJLS extended permit ip 78.129.151.0 255.255.255.128 object-group DM_INLINE_NETWORK_1
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool LOCPOOL 10.255.255.1-10.255.255.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list SHEEP
nat (inside) 1 access-list SMTP-NAT
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 1 10.2.2.0 255.255.255.0
access-group basic in interface outside
access-group allow out interface outside
access-group allow in interface inside
access-group allow out interface inside
route outside 0.0.0.0 0.0.0.0 87.117.213.65 1
route inside 10.1.1.0 255.255.255.0 78.129.151.2 1
route inside 10.2.2.0 255.255.255.0 78.129.151.2 1
route inside 10.33.67.0 255.255.255.0 78.129.151.26 1
route inside 172.20.xxx.xx 255.255.255.0 78.129.xxx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set VPN3DES esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set asa2transform esp-3des esp-sha-hmac
crypto ipsec transform-set kwset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set jlstransformset esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYNOMAP 10 set transform-set VPN3DES
crypto map VPNPEER 1 match address MATCHJLS
crypto map VPNPEER 1 set peer 94.128.xxx.xx
crypto map VPNPEER 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map VPNPEER 10 match address MATCHVPN3
crypto map VPNPEER 10 set peer 94.128.xxx.xx
crypto map VPNPEER 10 set transform-set jlstransformset
crypto map VPNPEER 10 set nat-t-disable
crypto map VPNPEER 30 match address MATCHVPN2
crypto map VPNPEER 30 set peer 212.118.xxx.xx
crypto map VPNPEER 30 set transform-set ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map VPNPEER 30 set reverse-route
crypto map VPNPEER 40 match address MATCHVPN4
crypto map VPNPEER 40 set peer 94.128.xxx.xx
crypto map VPNPEER 40 set transform-set kwset
crypto map VPNPEER 50 match address MATCHVPN3
crypto map VPNPEER 50 set pfs
crypto map VPNPEER 50 set peer 94.128.xxx.xx
crypto map VPNPEER 50 set transform-set kwset ESP-3DES-SHA ESP-DES-SHA ESP-DES-MD5
crypto map VPNPEER 50 set nat-t-disable
crypto map VPNPEER 100 ipsec-isakmp dynamic DYNOMAP
crypto map VPNPEER interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp nat-traversal 3600
crypto isakmp disconnect-notify
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-filter value MATCHKW
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy CLIENTGROUP internal
group-policy CLIENTGROUP attributes
 dns-server value 10.1.1.10 10.1.1.2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITTUN
 default-domain value msiuk.local
username admin password 9RG9xAvynJRd.Q encrypted privilege 15
tunnel-group msi type remote-access
tunnel-group msi general-attributes
 address-pool LOCPOOL
 default-group-policy CLIENTGROUP
tunnel-group msi ipsec-attributes
 pre-shared-key *
tunnel-group msi ppp-attributes
 authentication ms-chap-v2
tunnel-group 212.118.xxx.xx type ipsec-l2l
tunnel-group 212.118.xxx.xx ipsec-attributes
 pre-shared-key *
tunnel-group 94.128.xxx.xx type ipsec-l2l
tunnel-group 94.128.xxx.xx ipsec-attributes
 pre-shared-key *
tunnel-group 94.128.xxx.xx type ipsec-l2l
tunnel-group 94.128.xxx.xx ipsec-attributes
 pre-shared-key *
tunnel-group 94.128.xxx.xx type ipsec-l2l
tunnel-group 94.128.xxx.xx ipsec-attributes
 pre-shared-key *
!
class-map ftpdefault
 match default-inspection-traffic
class-map inspection_default
!
!
policy-map global_policy
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b251877ef24a1dc161b594dc052c44
: end
Hello
OK, given the above information, I would say that the L2L VPN on your side should probably be fine for the traffic you are trying with packet-tracer.
It seems that you get no traffic back from the remote end.
This could mean one of the following things:
- The remote site may not allow the traffic, either in their VPN appliance, firewall or the firewall of the actual server (which I doubt since we're talking about a web service)
- The remote site has not configured routing properly for your source IP address/network. For example, your connection attempt can reach the remote server, but the return traffic could get forwarded to the wrong place at the remote site. This is more likely when the remote end handles Internet traffic and VPN traffic on separate devices
- The remote site has not enabled the service on the actual server (which is again unlikely, provided this isn't a service served only to you through this L2L VPN)
- etc.
As I said, it looks like the L2L VPN is fine. It's up and running, but you can't get traffic back over the L2L VPN, which suggests that the problem is at the remote site.
If you go and ask the admins of the remote site about this, let us know how it goes.
If you found this information useful, please rate the answer/answers and naturally ask more if necessary.
-Jouni
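The before/after "show crypto ipsec sa" comparison that the reply in the ASA-to-ASA thread above asks for, and the "no traffic back from the remote end" reading Jouni gives here, worked through as an added Python example (not code from either post). The SA text is a constructed excerpt in the layout of the ASA command output; only the ident lines and the #pkts encaps/decaps counters are read, and the verdict table states the standard reading of those counter deltas, not something either thread confirms for these specific tunnels.

```python
import re

# Constructed sample excerpts of ASA "show crypto ipsec sa" for one SA,
# captured before and after pinging across the tunnel (not from the posts).
BEFORE = """\
    local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
AFTER = """\
    local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
    #pkts encaps: 125, #pkts encrypt: 125, #pkts digest: 125
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]+)\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

# Reading of the counter deltas from the point of view of the ASA where the
# command was run: (sent any?, received any?) -> (verdict, what to check).
VERDICTS = {
    (False, False): ("no-traffic-entered-tunnel",
                     "pings never hit the crypto map: check NAT exemption "
                     "(nat (inside) 0 access-list), crypto ACL and routing here"),
    (True, False): ("no-return-traffic",
                    "packets encrypted and sent, nothing decrypted back: "
                    "remote side NAT exemption, routing or filtering"),
    (False, True): ("no-outbound-traffic",
                    "remote packets arrive and decrypt, replies never enter "
                    "the tunnel here: local NAT exemption, ACL or routing"),
    (True, True): ("bidirectional", "tunnel passes traffic both ways; look at "
                   "interface ACLs, vpn-filter or the end hosts instead"),
}

def parse_sa(text):
    """Pick the ident lines and the encaps/decaps counters out of one SA block."""
    sa = {kind: value for kind, value in IDENT_RE.findall(text)}
    sa.update((name, int(n)) for name, n in COUNTER_RE.findall(text))
    return sa

def diagnose(before, after):
    """Compare two captures; return (verdict, hint, sent_delta, recv_delta)."""
    b, a = parse_sa(before), parse_sa(after)
    if (b["local"], b["remote"]) != (a["local"], a["remote"]):
        raise ValueError("captures are for different SAs")
    sent = a["encaps"] - b["encaps"]   # packets this ASA encrypted and sent
    recv = a["decaps"] - b["decaps"]   # packets this ASA received and decrypted
    verdict, hint = VERDICTS[(sent > 0, recv > 0)]
    return verdict, hint, sent, recv

if __name__ == "__main__":
    print(diagnose(BEFORE, AFTER))   # ('no-return-traffic', ..., 5, 0)
```

Run it against each ASA separately: the same ping that gives "no-return-traffic" on one side should show up as decaps on the other, which tells you whether the packets are lost in transit or after decryption.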
-
Site to site VPN, I need all internet traffic to exit the site.
I have 2 sites connected via a pair of SRX5308
A = 192.168.1.0/24
IP WAN = 1.1.1.1
B = 192.168.2.0/24
IP WAN = 2.2.2.2
Now what I need to do is to have all traffic from site B go to site A, even traffic destined for the internet. That is, I need internet traffic to leave our network with the IP 1.1.1.1, even if it comes from network B.
On my ASAs I have set up a route to 1.1.1.1 via the ISP, then a default 0/0 to 192.168.1.1. The ASA knows how to get to the VPN peer via the more specific route, but sends everything else over the tunnel, and at the remote end the ASA then hairpin-routes the internet traffic out of its own WAN port.
I can't work out, though, how to do the same thing on the pair of SRX5308s; they either don't bring up the tunnel or route the internet traffic to the local site B address.
Anyone have any ideas?
I need to do this because we are logging and monitoring internet traffic at site A via upstream taps to various IDS solutions and will not (cannot) replicate this at all our remote sites.
Thank you
Dave.
After some more thought and testing I came up with a workable solution to my own problem. I'll share it here in case it helps others.
(1) Use the wizard at both ends to set up a normal VPN that connects the two network segments 192.168.1.0 and 192.168.2.0
(2) Go to VPN -> VPN Policy on the remote router (192.168.2.1) and click Edit
(a) disable NetBIOS
(b) select "None" from the Remote IP drop-down list
(c) apply the change
(3) Go to VPN -> VPN Policy on the head-end site (192.168.1.1) and click Edit
(a) disable NetBIOS
(b) select "None" from the Local IP drop-down list
(c) apply the change
Now all the traffic will go down the VPN tunnel and exit to the internet at the head-end site. Hope this helps others with the same question.