DMVPN questions - IPsec packets
Hi all
Currently, I am configuring DMVPN for the first time. I followed the guide to configuring cisco and Googling a bit other strands however seems to have hit a brick wall.
The Setup is in a lab environment, so I can post as much information as required, but here's the important bits:
I have 3 routers Cisco 2821 running IOS 12.4 (15) with a layer 3 switch in the Middle connecting ports 'wan' together. the routing works fine, I can ping to each of the other router router.
Excerpts from the hub router config:
crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
!
crypto ipsec profile DMVPN_PRJ
set transform-set DMVPN_SET
!
interface Tunnel0
bandwidth 10000
ip address 172.17.100.1 255.255.255.0
no ip redirects
ip mtu 1500
ip nhrp authentication secretid
ip nhrp map multicast dynamic
ip nhrp network-id 101
ip nhrp holdtime 450
ip tcp adjust-mss 1460
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 10101
tunnel protection ipsec profile DMVPN_PRJ
!
interface GigabitEthernet0/0
description HQ WAN
ip address 1.1.1.1 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
and here's the config on the first router spoke:
crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
!
crypto ipsec profile DMVPN_PRJ
set transform-set DMVPN_SET
!
interface Tunnel0
bandwidth 3000
ip address 172.17.100.10 255.255.255.0
no ip redirects
ip mtu 1500
ip nhrp authentication secretid
ip nhrp map 172.17.100.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 101
ip nhrp holdtime 450
ip nhrp nhs 172.17.100.1
ip tcp adjust-mss 1460
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 10101
tunnel protection ipsec profile DMVPN_PRJ
!
interface GigabitEthernet0/0
description Site 1 WAN
ip address 11.11.11.1 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
If I closed/no farm tunnel0 on RADIUS 1 interface, I get the following error on the hub router:
Mar 30 13:41:17.075: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /1.1.1.1, src_addr= 11.11.11.1, prot= 47
so I feel im lack some config on the side talking to encrypt the traffic, but I'm not sure what.
Here's the output router spoke:
RTR_SITE1#sh dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
-------------- Interface Tunnel0 info: --------------
Intf. is up, Line Protocol is up, Addr. is 172.17.100.10
Source addr: 11.11.11.1, Dest addr: MGRE
Protocol/Transport: "multi-GRE/IP", Protect "DMVPN_PRJ",
Tunnel VRF "", ip vrf forwarding ""
NHRP Details: NHS: 172.17.100.1 E
Type:Spoke, NBMA Peers:1
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 1.1.1.1 172.17.100.1 IKE never S 172.17.100.1/32
Interface: Tunnel0
Session: [0x48E31B98]
Crypto Session Status: DOWN
fvrf: (none), IPSEC FLOW: permit 47 host 11.11.11.1 host 1.1.1.1
Active SAs: 0, origin: crypto map
Outbound SPI : 0x 0, transform :
Socket State: Closed
Pending DMVPN Sessions:
RTR_SITE1#sh ip nhrp detail
172.17.100.1/32 via 172.17.100.1, Tunnel0 created 00:33:44, never expire
Type: static, Flags: used
NBMA address: 1.1.1.1
RTR_SITE1#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 11.11.11.1
protected vrf: (none)
local ident (addr/mask/prot/port): (11.11.11.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 46, #recv errors 0
local crypto endpt.: 11.11.11.1, remote crypto endpt.: 1.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
All these commands appear as empty when I throw them on the hub router.
Any help appreciated.
Thank you
No negotiate is because you do not have an Ike key implemented. You need
Crypto ISAKMP policy 1
BA (whatever)
AUTH pre-shared
Group (whatever)
ISAKMP crypto key 0 some secret address 0.0.0.0 0.0.0.0
Hun and talks must match.
Your IPSec transform-set should also have "transport mode".
Sent by Cisco Support technique iPad App
Tags: Cisco Security
Similar Questions
-
On DMVPNs selective IPSec encryption
Hello
I have a DMVPN with two rays on a MPLS-L3-IPVPN network. IPSec over GRE profiles using crypto. Works very well. Now, he only need to encrypt all traffic except EF DSCP. Tried with the help of ACB defining IP-Next Hop for EF-packages and just normal dug routing for all other types of traffic.
My question is, I know cryptographic cards that use ACLs can selectively encrypt traffic through the IPSec/GRE tunnels. Cryptographic profiles don't seem to have this feature. Is there another way to do this?
A snip Config by couple spoke it as below.
===============
interface GigabitEthernet0/0.1
DESC LAN i / f
IP 10.10.10.1 255.255.255.0
political intellectual property map route ACBinterface Tunnel100
IP 172.16.254.13 255.255.254.0
no ip redirection
property intellectual PNDH card 172.16.254.1 103.106.169.10
map of PNDH IP multicast 103.106.169.10
PNDH network IP-1 id
property intellectual PNDH nhs 172.16.254.1
property intellectual shortened PNDH
KeepAlive 10 3
source of tunnel GigabitEthernet0/1.401
multipoint gre tunnel mode
key 1 tunnel
Profile of tunnel DMVPN-Crypto ipsec protection
endGIE Router 1
no car
NET 172.16.254.0 0.0.1.255
EIGRP log-neighbor-warnings
EIGRP log-neighbor-changes
! - router id
NET 10.10.10.0 0.0.0.255ACB allowed 10 route map
ACB match ip address
IP 11.2.100.2 jump according to the value
!
ACB allowed 20 route mapACB extended IP access list
permit icmp host 10.10.10.5 host 15.1.1.1 dscp ef
allow icmp host 10.10.10.5 host 15.1.1.1 dscp 41
deny ip any any newspaper===============
Note: the routing table contains only a default route learned via EIGRP. Thus, if the ACB 10 past, policy would transmit to the Next-hop (PE). Or would otherwise use 0/0 and route thro' the tunnel.
Thanks in advance!
See you soon
AravindWith DMVPN, no. You will need to return to the use of just cryptographic cards, only using access lists to control what is and is not encrypted.
If the "EF" traffic was dedicated VoIP subnets so you would have more options, you can choose everything just don't not to route these subnets above the Tunnel.
-
Hi all
Is the operation of DMVPN without IPsec configuration supported?
I'm testing it right now and hubs are losing conncetivity to rays. I wonder if it is because of not using IPsec.
Anyone tried this?
Attila
I guess you meant PNDH. If so look at the http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080435815.html
-
DMVPN Question ISAKMP Security Association
Hi all
I have implemented a full mesh base DMVPN, similar to the int of config used life package
http://packetlife.net/blog/2008/Jul/23/dynamic-multipoint-VPN-DMVPN/ tutorial.
I have a Hub and two rays. Everything seems to be ok functioing. I've included the config below for tunnels.
My Question is, when I do an isakmp crypto see the its, for example 2A talked, I have three ISAKMP SA with three different addresses of CBC...
How is that possible when I only have the tunnels to two other devices, the hub and rays 1? and why a foreign source address appears as an association of ISAKMP security on this router?
status of DST CBC State conn-id slot
172.16.1.2 172.16.2.2 QM_IDLE 1 0 ACTIVE
172.16.2.2 172.16.3.2 QM_IDLE 3 0 ACTIVE
172.16.2.2 172.16.1.2 QM_IDLE 2 0 ACTIVE
A similar result on the hub
status of DST CBC State conn-id slot
172.16.2.2 172.16.1.2 QM_IDLE 2 0 ACTIVE
172.16.1.2 172.16.2.2 QM_IDLE 1 0 ACTIVE
172.16.1.2 172.16.3.2 QM_IDLE 3 0 ACTIVE
Still 1 spoke only a 2
172.16.1.2 172.16.3.2 QM_IDLE 1 0 ACTIVE
172.16.2.2 172.16.3.2 QM_IDLE 2 0 ACTIVE
Crypto config for all:
crypto isakmp policy 10 authentication pre-share crypto isakmp key P4ssw0rd address 172.16.0.0 255.255.0.0 ! crypto ipsec transform-set MyTransformSet esp-aes esp-sha-hmac ! crypto ipsec profile MyProfile set transform-set MyTransformSet ! interface Tunnel0 tunnel protection ipsec profile MyProfile
Config of Tunnel hub
interface Tunnel0
10.0.100.1 IP address 255.255.255.0
dynamic multicast of IP PNDH map
PNDH network IP-1 id
tunnel source fa0/0
multipoint gre tunnel mode
Spoke 1 Tunnel Config
!
interface FastEthernet0/0
address 172.16.3.2 IP 255.255.255.0
automatic duplex
automatic speed
!
interface Tunnel0
10.0.100.2 IP address 255.255.255.0
no ip redirection
map of PNDH IP 10.0.100.1 172.16.1.2
map of PNDH IP multicast 172.16.1.2
PNDH network IP-1 id
property intellectual PNDH nhs 10.0.100.1
source of tunnel FastEthernet0/0
multipoint gre tunnel mode
Profile of tunnel MyProfile ipsec protection
Spoke 2 Config of Tunnel
!
interface FastEthernet0/0
IP 172.16.2.2 255.255.255.0
automatic duplex
automatic speed
!
interface Tunnel0
IP 10.0.100.3 255.255.255.0
no ip redirection
map of PNDH IP 10.0.100.1 172.16.1.2
map of PNDH IP multicast 172.16.1.2
PNDH network IP-1 id
property intellectual PNDH nhs 10.0.100.1
source of tunnel FastEthernet0/0
multipoint gre tunnel mode
Profile of tunnel MyProfile ipsec protection
SRC and DST IP addresses indicate that was author and answering machine. They do not represent information outlet (in the traditional sense of the term).
You could get in double sessions of the two scenarios IKE, are the most common.
(1) the negotiation started at both ends "simultaneously".
(2) renegotiation of IKE.
What is strange to me, is that you seem to have initiated session and responsed by the hub.
What I would do, is to add:
-ip server only PNDH (on the hub, it is not a provided ASR)
-DPD (on all devices).
Assures us that this hub initiates not anything in the PNDH and useless/deceased sessions are torn down eventually.
-
Hello
I was wondering if it was possible to use CRYPTOGRAPHY even for both: DMVPN and CLIENT IPsec?
To make it work, I have to use 1 crypto for the DMVPN and 1 crypto for IPsec, both systems operate on the same router, my router TALK can connect to my HUB router and my computer can connect to the router "HUB" via an IPsec tunnel.
Is their any way to make it easier, instead of doing configs in a single router for more or less the same work?
My stitching question may be stupid, sorry for that, I'm still learning, and I love it
Here below the full work DMVPN + IPsec:
Best regards
Didier
ROUTER1841 #sh run
Building configuration...
Current configuration: 9037 bytes
!
! Last configuration change to 21:51:39 gmt + 1 Monday February 7, 2011 by admin
! NVRAM config last updated at 21:53:07 gmt + 1 Monday February 7, 2011 by admin
!
version 12.4
horodateurs service debug datetime localtime
Log service timestamps datetime msec
encryption password service
!
hostname ROUTER1841
!
boot-start-marker
boot-end-marker
!
forest-meter operation of syslog messages
logging buffered 4096 notifications
enable password 7 05080F1C2243
!
AAA new-model
!
!
AAA authentication banner ^ C
THIS SYSTEM IS ONLY FOR THE USE OF AUTHORIZED FOR OFFICIAL USERS
^ C
AAA authentication login userauthen local
AAA authorization groupauthor LAN
!
!
AAA - the id of the joint session
clock time zone gmt + 1 1 schedule
clock daylight saving time gmt + 2 recurring last Sun Mar 02:00 last Sun Oct 03:00
dot11 syslog
no ip source route
!
!
No dhcp use connected vrf ip
DHCP excluded-address IP 192.168.10.1
DHCP excluded-address IP 192.168.20.1
DHCP excluded-address IP 192.168.30.1
DHCP excluded-address IP 192.168.100.1
IP dhcp excluded-address 192.168.1.250 192.168.1.254
!
IP dhcp pool vlan10
import all
network 192.168.10.0 255.255.255.0
default router 192.168.10.1
lease 5
!
IP dhcp pool vlan20
import all
network 192.168.20.0 255.255.255.0
router by default - 192.168.20.1
lease 5
!
IP dhcp pool vlan30
import all
network 192.168.30.0 255.255.255.0
default router 192.168.30.1
!
IP TEST dhcp pool
the host 192.168.100.20 255.255.255.0
0100.2241.353f.5e client identifier
!
internal IP dhcp pool
network 192.168.100.0 255.255.255.0
Server DNS 192.168.100.1
default router 192.168.100.1
!
IP dhcp pool vlan1
network 192.168.1.0 255.255.255.0
Server DNS 8.8.8.8
default router 192.168.1.1
lease 5
!
dhcp MAC IP pool
the host 192.168.10.50 255.255.255.0
0100.2312.1c0a.39 client identifier
!
IP PRINTER dhcp pool
the host 192.168.10.20 255.255.255.0
0100.242b.4d0c.5a client identifier
!
MLGW dhcp IP pool
the host 192.168.10.10 255.255.255.0
address material 0004.f301.58b3
!
pool of dhcp IP pc-vero
the host 192.168.10.68 255.255.255.0
0100.1d92.5982.24 client identifier
!
IP dhcp pool vlan245
import all
network 192.168.245.0 255.255.255.0
router by default - 192.168.245.1
!
dhcp VPN_ROUTER IP pool
0100.0f23.604d.a0 client identifier
!
dhcp QNAP_NAS IP pool
the host 192.168.10.100 255.255.255.0
0100.089b.ad17.8f client identifier
name of the client QNAP_NAS
!
!
IP cef
no ip bootp Server
IP domain name dri
host IP SW12 192.168.1.252
host IP SW24 192.168.1.251
IP host tftp 192.168.10.50
host IP of Router_A 192.168.10.5
host IP of Router_B 10.0.1.1
IP ddns update DynDNS method
HTTP
Add http://dri66: [email protected] / * *//nic/update?system=dyndns&hostname=mlgw.dyndns.info&myip=[email protected] / * //nic/update?system=dyndns&hostname=mlgw.dyndns.info&myip=
maximum interval 1 0 0 0
minimum interval 1 0 0 0
!
NTP 66.27.60.10 Server
!
Authenticated MultiLink bundle-name Panel
!
!
Flow-Sampler-map mysampler1
Random mode one - out of 100
!
Crypto pki trustpoint TP-self-signed-2996752687
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 2996752687
revocation checking no
rsakeypair TP-self-signed-2996752687
!
!
VTP version 2
username Admin privilege 15 secret 5 $1$ gAFQ$ 2ecAHSYEU9g7b6WYuTY9G.
username cisco password 7 02050D 480809
Archives
The config log
hidekeys
!
!
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 10
md5 hash
preshared authentication
ISAKMP crypto cisco123 key address 0.0.0.0 0.0.0.0
!
ISAKMP crypto client configuration group 3000client
key cisco123
DNS 8.8.8.8
dri.eu field
pool VPNpool
ACL 150
!
!
Crypto ipsec transform-set strong esp-3des esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
!
Profile cisco ipsec crypto
define security-association life seconds 120
transformation-strong game
!
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
!
!
map clientmap client to authenticate crypto list userauthen
card crypto clientmap isakmp authorization list groupauthor
client configuration address map clientmap crypto answer
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
!
!
!
property intellectual ssh time 60
property intellectual ssh authentication-2 retries
IP port ssh 8096 Rotary 1
property intellectual ssh version 2
!
!
!
interface Loopback0
IP 192.66.66.66 255.255.255.0
!
interface Tunnel0
172.16.0.1 IP address 255.255.255.0
no ip redirection
IP mtu 1440
no ip next-hop-self eigrp 90
property intellectual PNDH authentication cisco123
dynamic multicast of IP PNDH map
PNDH network IP-1 id
No eigrp split horizon ip 90
source of tunnel FastEthernet0/0
multipoint gre tunnel mode
0 button on tunnel
Cisco ipsec protection tunnel profile
!
interface FastEthernet0/0
DMZ description
IP ddns update hostname mlgw.dyndns.info
IP ddns update DynDNS
DHCP IP address
no ip unreachable
no ip proxy-arp
NAT outside IP
IP virtual-reassembly
automatic duplex
automatic speed
clientmap card crypto
!
interface FastEthernet0/0,241
Description VLAN 241
encapsulation dot1Q 241
DHCP IP address
IP access-group dri-acl-in in
NAT outside IP
IP virtual-reassembly
No cdp enable
!
interface FastEthernet0/0.245
encapsulation dot1Q 245
DHCP IP address
IP access-group dri-acl-in in
NAT outside IP
IP virtual-reassembly
No cdp enable
!
interface FastEthernet0/1
Description INTERNAL ETH - LAN$
IP 192.168.100.1 address 255.255.255.0
no ip proxy-arp
IP nat inside
IP virtual-reassembly
Shutdown
automatic duplex
automatic speed
!
interface FastEthernet0/0/0
switchport access vlan 10
spanning tree portfast
!
interface FastEthernet0/0/1
switchport access vlan 245
spanning tree portfast
!
interface FastEthernet0/0/2
switchport access vlan 30
spanning tree portfast
!
interface FastEthernet0/0/3
switchport mode trunk
!
interface Vlan1
IP address 192.168.1.250 255.255.255.0
IP nat inside
IP virtual-reassembly
!
interface Vlan10
IP 192.168.10.1 255.255.255.0
IP nat inside
IP virtual-reassembly
!
interface Vlan20
address 192.168.20.1 255.255.255.0
IP nat inside
IP virtual-reassembly
!
Vlan30 interface
192.168.30.1 IP address 255.255.255.0
IP nat inside
IP virtual-reassembly
!
interface Vlan245
IP 192.168.245.1 255.255.255.0
IP nat inside
IP virtual-reassembly
!
Router eigrp 90
network 172.16.0.0
network 192.168.10.0
No Auto-resume
!
IP pool local VPNpool 172.16.1.1 172.16.1.100
IP forward-Protocol ND
no ip address of the http server
local IP http authentication
IP http secure server
!
IP flow-cache timeout idle 130
IP flow-cache timeout active 20
cache IP flow-aggregation prefix
cache timeout idle 400
active cache expiration time 25
!
!
overload of IP nat inside source list 170 interface FastEthernet0/0
overload of IP nat inside source list interface FastEthernet0/0.245 NAT1
IP nat inside source static tcp 192.168.10.10 80 interface FastEthernet0/0 8095
!
access-list 150 permit ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 170 refuse ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 170 refuse ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 170 permit ip 192.168.10.0 0.0.0.255 any
access-list 180 deny ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 180 permit ip 192.168.10.0 0.0.0.255 any
not run cdp
!
!
!
route NAT allowed 10 map
corresponds to the IP 180
!
!
!
control plan
!
exec banner ^ C
WELCOME YOU ARE NOW LOGED IN
^ C
connection of the banner ^ C
WARNING!
IF YOU ARE NOT:
Didier Ribbens
Please leave NOW!
YOUR IP and MAC address will be LOGGED.
^ C
!
Line con 0
Speed 115200
line to 0
line vty 0 4
access-class 5
privilege level 15
Rotary 1
transport input telnet ssh
line vty 5 15
access-class 5
Rotary 1
!
Scheduler allocate 20000 1000
end
Didier,
Some time ago, I wrote a bit on VT, you should be able to find information about the server ezvpn DVTI it.
The configuartion you have right now is the way to strives for ezvpn, with the new way DMVPN (protection of tunnel).
If it is true for the most part, it is best to go on the learning curve Moose and go everythign new configuration.
With EZVPN you can always assign IP from the pool by group ezvpn or external authorization ;-)
Anyway let me know if you face any problems.
Marcin
-
Random Tunnel IPSec Packet drops
Hi experts,
I am trying to solve a problem of fall of random package for tunneling IPSec between two VTI. For more than a month, we could not see not any question, and from today, we have 30% through a tunnel packet loss IPSec.
After analysis, I have concluded that packet loss is located somewhere on the way to the uc520 to the 2921. Package account see the correctly on the output interface physics uc520, but the number of packets is low on the interface of penetration on the 2921.
Pings outside of the tunnel by the way are very good.
I also deleted the tunnels on both ends and after they have recovery, the question was always present.
Pointers on research where packets get lost?
RR-hq-2921 #ping 10.1.13.1 g0/1 source rep 100
Type to abort escape sequence.
Send 100, echoes ICMP 100 bytes to 10.1.13.1, wait time is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!..!.!!!!!!!!!..!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
..!!.!!!!!!!!!!!.!!!!!!!!.!!!!
Topology:
[uc520] == HAVE == {{{cloud}}} == MODEM == [2921]
Test:
Claire 2921 # counters g0/0
Disable "show interface" counters on this interface [confirm]
% CLEAR-5-COUNTERS: claire counter on interface GigabitEthernet0/0
Execute on uc520: ping
source timeout 0 rep 4000 This is supposed to increase rapidly the number of packets at a distance of 4000 packages, as it has done on the output uc520 interface
# 2921 sho int g0/0 | I entered the packages
3348 packets input, 607812 bytes, 0 no buffer< missing="" ~650="">
# 2921 sho int g0/0
GigabitEthernet0/0 is up, line protocol is up
Material is CN Gigabit Ethernet, the address is XXXXXXXX
Description: Outdoors - WAN port
The Internet address is XXX.XXX.XXX.XXX/YY
MTU 1500 bytes, BW 35000 Kbit/s, 10 DLY usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
KeepAlive set (10 sec)
Full-Duplex, 1 Gbps, media type is RJ45
control output stream is XON, control of input stream is XON
Type of the ARP: ARPA, ARP Timeout 04:00
Last entry of 00:00:00, 00:00:00 exit, exit hang never
Final cleaning of the counters 'show interface' 00:00:42
Input queue: 0/75/0/0 (size/max/drops/dumps); Total output drops: 0
Strategy of queues: fifo
Output queue: 0/40 (size/max)
30 second entry rate 75000 bps, 51 packets/s
exit rate of 30 seconds 77000 bps, 52 packets/s
3456 packets input, 619794 bytes, 0 no buffer
Received 0 emissions (0 of IP multicasts)
0 Runts, 0 giants, 0 shifters
entry 0, 0 CRC errors, frame 0, saturation 0, 0 ignored
Watchdog 0, multicast 0, break 0 comments
3454 packets output, 632194 bytes, 0 underruns
0 output errors, 0 collisions, 0 resets interface
unknown protocol 0 drops
0 babbles, collision end 0, 0 deferred
carrier, 0 no carrier, lost 0 0 interrupt output
output buffer, the output buffers 0 permuted 0 failures
Good infor
Now, did you ask your ISP if they made the last changes made?
I think that your suspcious is correct and if the number of packets do not match, then probably something in the environment has changed, since it worked before with the same configuration and IOS versions.
HTH.
-
DMVPN question "" change btwn CONF_XAUTH &; MM_NO_STATE ".
Hi all
can you please help on below: thanks in advance.
HQ which is configured to accept remote vpn client using crypto map and also it is configured for dynamic vpn with branch.
Static public IP HQ is 82.114.179.120, tunnel 10 172.16.10.1 and local lan ip is 192.168.1.0
Branch has dynamic public ip, 10 ip 172.16.10.32 tunnel local lan is 192.168.32.0 It is also configured by using tunnel 0 with an another CA that works very well.
Directorate-General for the Lan (192.168.32.0) is required to access lan (192.168.1.0) HQ...
Debug files attached
HQ:
AAA authentication login local acs
AAA authorization network local acs
!
AAA - the id of the joint session
!
IP cef
!8.8.8.8 IP name-server
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!redundancy
!VDSL 0/1/0 controller
!cryptographic keys ccp-dmvpn-keyring keychain
pre-shared key address 0.0.0.0 0.0.0.0 key [email protected] / * /
!
crypto ISAKMP policy 10
BA 3des
md5 hash
preshared authentication
Group 2
ISAKMP crypto 5 3600 keepalive
ISAKMP crypto nat keepalive 3600
ISAKMP xauth timeout 60 crypto!
ISAKMP crypto client configuration group NAMA
namanama key
pool mypool
ACL 101
Save-password
Profile of crypto isakmp dmvpn-ccp-isakmprofile
CCP-dmvpn-keyring keychain
function identity address 0.0.0.0
!
Crypto ipsec transform-set esp-3des esp-md5-hmac test
tunnel mode
Crypto ipsec transform-set ESP-AES-MD5-esp - aes esp-md5-hmac comp-lzs
transport mode
!
Profile of crypto ipsec CiscoCP_Profile1
game of transformation-ESP-AES-MD5
define the profile of isakmp dmvpn-ccp-isakmprofile
!card dynamic crypto map 10
Set transform-set test
market arriere-route
!
the i-card card crypto client authentication list acs
card crypto i-card isakmp authorization list acs
card crypto i-map client configuration address respond
card crypto i-card 10 isakmp ipsec dynamic map!
interface Tunnel10
bandwidth 1000
address 172.16.10.1 IP 255.255.255.0
no ip redirection
IP 1400 MTU
authentication of the PNDH IP DMVPN_NW
dynamic multicast of IP PNDH map
PNDH id network IP-100000
property intellectual PNDH holdtime 360
IP tcp adjust-mss 1360
delay of 1000
Shutdown
source of Dialer1 tunnel
multipoint gre tunnel mode
tunnel key 100000
Tunnel CiscoCP_Profile1 ipsec protection profile
!
the Embedded-Service-Engine0/0 interface
no ip address
Shutdown
!
interface GigabitEthernet0/0
IP 192.168.0.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
automatic duplex
automatic speed
!
interface GigabitEthernet0/1
IP 192.168.1.1 255.255.255.0
IP nat inside
IP virtual-reassembly in
automatic duplex
automatic speed
!
ATM0/1/0 interface
DSL Interface Description
no ip address
No atm ilmi-keepalive
PVC 8/35
aal5snap encapsulation
PPPoE-client dial-pool-number 1!
interface Dialer0
no ip address
!
interface Dialer1
the negotiated IP address
IP mtu 1492
NAT outside IP
IP virtual-reassembly in
encapsulation ppp
Dialer pool 1
PPP authentication chap callin pap
PPP chap hostname nama20004
password PPP chap 0 220004
PPP pap sent-username nama20004 password 0 220004
i-crypto map
!
IP local pool mypool 192.168.30.1 192.168.30.100
IP forward-Protocol ND
!
IP http server
IP http secure server
!
overload of IP nat inside source list 171 interface Dialer1
IP route 0.0.0.0 0.0.0.0 Dialer1
IP route 192.168.32.0 255.255.255.0 172.16.10.32
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
access-list 171 deny ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 171 refuse ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 171 refuse ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
access-list 171 refuse ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
access ip-list 171 allow a whole
Dialer-list 2 ip protocol allow
!HQ #sh cry isa his
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
82.114.179.120 78.137.84.92 CONF_XAUTH 1486 ACTIVE
82.114.179.120 78.137.84.92 MM_NO_STATE 1483 ACTIVE (deleted)
82.114.179.120 78.137.84.92 MM_NO_STATE 1482 ACTIVE (deleted)See the branch to execute:
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 11
BA 3des
md5 hash
preshared authentication
Group 2
ISAKMP crypto key [email protected] / * / address 82.114.179.105
ISAKMP crypto key [email protected] / * / address 82.114.179.120
ISAKMP crypto keepalive 10 periodicals
!
!
Crypto ipsec transform-set ESP-AES-MD5-esp - aes esp-md5-hmac comp-lzs
transport mode
Crypto ipsec transform-set esp - aes Taiz esp-md5-hmac comp-lzs
transport mode
!
Profile of crypto ipsec CiscoCP_Profile1
game of transformation-ESP-AES-MD5
!
Profile of crypto ipsec to Taiz-profile-
the value of the transform-set in Taiz
!
interface Tunnel0
bandwidth 1000
IP 172.16.0.32 255.255.255.0
IP 1400 MTU
authentication of the PNDH IP DMVPN_NW
map of PNDH 172.16.0.1 IP 82.114.179.105
PNDH id network IP-100000
property intellectual PNDH holdtime 360
property intellectual PNDH nhs 172.16.0.1
IP tcp adjust-mss 1360
delay of 1000
source of Dialer0 tunnel
tunnel destination 82.114.179.105
tunnel key 100000
Tunnel CiscoCP_Profile1 ipsec protection profile
!
interface Tunnel10
bandwidth 1000
IP 172.16.10.32 255.255.255.0
IP 1400 MTU
authentication of the PNDH IP DMVPN_NW
property intellectual PNDH 172.16.10.1 card 82.114.179.120
PNDH id network IP-100000
property intellectual PNDH holdtime 360
property intellectual PNDH nhs 172.16.10.1
IP tcp adjust-mss 1360
delay of 1000
source of Dialer0 tunnel
tunnel destination 82.114.179.120
key to tunnel 22334455
tunnel of ipsec to Taiz-profile protection
!
interface Ethernet0
no ip address
Shutdown
!
ATM0 interface
no ip address
No atm ilmi-keepalive
!
point-to-point interface ATM0.1
PVC 8/35
PPPoE-client dial-pool-number 1
!
!
interface FastEthernet0
# CONNECT TO LAN description #.
no ip address
!
interface FastEthernet1
# CONNECT TO LAN description #.
no ip address
!
interface FastEthernet2
# CONNECT TO LAN description #.
no ip address
!
interface FastEthernet3
# CONNECT TO LAN description #.
no ip address
!
interface Vlan1
# LAN INTERFACE description #.
customer IP dhcp host name no
IP 192.168.32.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
IP tcp adjust-mss 1412
!
interface Dialer0
the negotiated IP address
IP mtu 1452
NAT outside IP
IP virtual-reassembly in
encapsulation ppp
Dialer pool 1
Dialer-Group 1
PPP authentication chap callin pap
PPP chap hostname mohammadaa
password PPP chap 0-123456
PPP pap sent-name of user mohammadaa password 123456 0
!
IP forward-Protocol ND
IP http server
10 class IP http access
local IP http authentication
no ip http secure server
!
the IP nat inside source 1 interface Dialer0 overload list
IP route 0.0.0.0 0.0.0.0 Dialer0
Route IP 192.168.0.0 255.255.255.0 172.16.0.1
IP route 192.168.1.0 255.255.255.0 172.16.10.1
!
auto discovering IP sla
Dialer-list 1 ip protocol allow
!
access-list 1 permit 192.168.32.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.0.255
!Branch #sh cry isa his
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
82.114.179.120 78.137.84.92 MM_NO_STATE ACTIVE 2061 (deleted)
82.114.179.120 78.137.84.92 MM_NO_STATE 2060 ACTIVE (deleted)Mohammed,
No probs, ensure safety.
The config you home has only one profile of IKE again. i.e. your DMVPN and ezvpn fall into the same basket.
What you need is a clean separation.
In the example you have
crypto isakmp profile VPNclient match identity group hw-client-groupname client authentication list userauthen isakmp authorization list hw-client-groupname client configuration address respond
which is then linked to:crypto dynamic-map dynmap 10 set isakmp-profile VPNclient reverse-route set transform-set strong
and separately a Profile of IKE DMVPN:
crypto isakmp profile DMVPN keyring dmvpnspokes match identity address 0.0.0.0
linked to your profile DMVPN IPsec:
crypto ipsec profile cisco set security-association lifetime seconds 120 set transform-set strong set isakmp-profile DMVPN
You apply the same logic here and clean to the top of your current config (i.e. move the features that you have applied to the level of the crypto map to your new profile of IKE).
M.
-
IPSEC packets are not encrypted
Hello (and Happy Thanksgiving in the USA),
We recently switched our ASA and applied again the saved for the new device configuration. There is a VPN site-to site that works and a remote VPN client that does not work. We use certain Cisco VPN clients and some Shrew Soft VPN clients. I compared the config of the ASA again to that of ASA old and I can't find all the differences (but the remote client VPN was working on the old ASA). Remote clients connect and a tunnel is created, but they are unable to pass traffic. Systems on the network where the ASA are able to access the internet.
Out of sho isakmp crypto his (ignore peer #1, this is the site to site VPN work)
HIS active: 2
Generate a new key SA: 0 (a tunnel report Active 1 and 1 generate a new key ITS d)
Total SA IKE: 2
1 peer IKE: xx.168.155.98
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE
2 IKE peers: xx.211.206.48
Type: user role: answering machine
Generate a new key: no State: AM_ACTIVE
Output of sho crypto ipsec his (info about VPN site-to-site deleted). Packets are decrypted but unencrypted.
Tag crypto map: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: publi
c ip
local ident (addr, mask, prot, port): (0.0.0.0/0.0.0.0/0/0)
Remote ident (addr, mask, prot, port): (10.20.1.100/255.255.255.255/0/0)
current_peer: xx.211.206.48, username: me
dynamic allocated peer ip: 10.20.1.100
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 20, #pkts decrypt: 20, #pkts check: 20
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0
endpt local crypto. : public-ip/4500, crypto endpt distance. : xx.211.206.48/4
500
Path mtu 1500, fresh ipsec generals 82, media, mtu 1500
current outbound SPI: 7E0BF9B9
current inbound SPI: 41B75CCD
SAS of the esp on arrival:
SPI: 0x41B75CCD (1102535885)
transform: aes - esp esp-sha-hmac no compression
running parameters = {RA, Tunnel, NAT-T program,}
slot: 0, id_conn: 16384, crypto-card: SYSTEM_DEFAULT_CRYPTO_MAP
calendar of his: service life remaining key (s): 28776
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
SPI: 0xC06BF0DD (3228299485)
transform: aes - esp esp-sha-hmac no compression
running parameters = {RA, Tunnel, NAT-T program Rekeyed}
slot: 0, id_conn: 16384, crypto-card: SYSTEM_DEFAULT_CRYPTO_MAP
calendar of his: service life remaining key (s): 28774
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0x000003FF 0xFFF80001
outgoing esp sas:
SPI: 0x7E0BF9B9 (2114714041)
transform: aes - esp esp-sha-hmac no compression
running parameters = {RA, Tunnel, NAT-T program,}
slot: 0, id_conn: 16384, crypto-card: SYSTEM_DEFAULT_CRYPTO_MAP
calendar of his: service life remaining key (s): 28774
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
SPI: 0xCBF945AC (3422111148)
transform: aes - esp esp-sha-hmac no compression
running parameters = {RA, Tunnel, NAT-T program Rekeyed}
slot: 0, id_conn: 16384, crypto-card: SYSTEM_DEFAULT_CRYPTO_MAP
calendar of his: service life remaining key (s): 28772
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
Config of ASA
: Saved
: Written by me at 19:56:37.957 pst Tuesday, November 26, 2013
!
ASA Version 8.2 (4)
!
hostname mfw01
domain company.int
enable encrypted password xxx
XXX encrypted passwd
names of
Name xx.174.143.97 description cox cox-gateway Gateway
name 172.16.10.0 iscsi-description iscsi network
name 192.168.1.0 network heritage heritage network description
name 10.20.50.0 management-description management network
name 10.20.10.0 network server server-description
name 10.20.20.0 user-network description user-network
name 192.168.1.101 private-em-imap description private-em-imap
name 10.20.10.2 description of private Exchange private-Exchange
name 10.20.10.3 description of private-private ftp ftp
name 192.168.1.202 description private-private-ip-phones ip phones,
name 10.20.10.6 private-kaseya kaseya private description
name 192.168.1.2 private mitel 3300 description private mitel 3300
name 10.20.10.1 private-pptp pptp private description
name 10.20.10.7 private-sharepoint description private-sharepoint
name 10.20.10.4 private-tportal private-tportal description
name 10.20.10.8 private-xarios private-xarios description
name 192.168.1.215 private-xorcom description private-xorcom
Name xx.174.143.99 description public Exchange public-Exchange
public xx.174.143.100 public-ftp ftp description name
Name xx.174.143.101 public-tportal public tportal description
Name xx.174.143.102 public-sharepoint description public-sharepoint
name of the public ip description public-ip-phones-phones xx.174.143.103
name mitel-public-3300 xx.174.143.104 description public mitel 3300
Name xx.174.143.105 public-xorcom description public-xorcom
xx.174.143.108 public-remote control-support name description public-remote control-support
Name xx.174.143.109 public-xarios public xarios description
Name xx.174.143.110 public-kaseya kaseya-public description
Name xx.174.143.111 public-pptp pptp-public description
name Irvine_LAN description Irvine_LAN 192.168.2.0
Name xx.174.143.98 public-ip
name 10.20.10.14 private-RevProxy description private-RevProxy
Name xx.174.143.107 public-RevProxy description public RevProxy
name 10.20.10.9 private-XenDesktop description private-XenDesktop
Name xx.174.143.115 public-XenDesktop description public-XenDesktop
name 10.20.1.1 private-bridge description private-bridge
name 192.168.1.96 description private-remote control-support private-remote control-support
!
interface Ethernet0/0
public nameif
security-level 0
IP address public ip 255.255.255.224
!
interface Ethernet0/1
Speed 100
full duplex
nameif private
security-level 100
address private-gateway IP, 255.255.255.0
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
the IP 192.168.0.1 255.255.255.0
management only
!
passive FTP mode
clock timezone pst - 8
clock summer-time recurring PDT
DNS server-group DefaultDNS
domain mills.int
object-group service ftp
the tcp eq ftp service object
the purpose of the tcp eq ftp service - data
object-group service DM_INLINE_SERVICE_1
Group-object ftp
the eq tftp udp service object
DM_INLINE_TCP_1 tcp service object-group
port-object eq 40
EQ port ssh object
object-group service web-server
the purpose of the service tcp eq www
the eq https tcp service object
object-group service DM_INLINE_SERVICE_2
EQ-tcp smtp service object
object-group web server
object-group service DM_INLINE_SERVICE_3
EQ-ssh tcp service object
object-group web server
object-group service kaseya
the purpose of the service tcp eq 4242
the purpose of the service tcp 5721 eq
EQ-8080 tcp service object
the eq 5721 udp service object
object-group service DM_INLINE_SERVICE_4
Group-object kaseya
object-group web server
object-group service DM_INLINE_SERVICE_5
will the service object
the eq pptp tcp service object
object-group service VPN
will the service object
ESP service object
the purpose of the service ah
the eq pptp tcp service object
EQ-udp 4500 service object
the eq isakmp udp service object
the MILLS_VPN_VLANS object-group network
object-network 10.20.1.0 255.255.255.0
Server-network 255.255.255.0 network-object
user-network 255.255.255.0 network-object
255.255.255.0 network-object-network management
legacy-network 255.255.255.0 network-object
object-group service InterTel5000
the purpose of the service tcp 3998 3999 range
the 6800-6802 range tcp service object
the eq 20001 udp service object
the purpose of the udp 5004 5007 range service
the purpose of the udp 50098 50508 range service
the purpose of the udp 6604 7039 range service
the eq bootpc udp service object
the eq tftp udp service object
the eq 4000 tcp service object
the purpose of the service tcp eq 44000
the purpose of the service tcp eq www
the eq https tcp service object
the purpose of the service tcp eq 5566
the eq 5567 udp service object
the purpose of the udp 6004 6603 range service
the eq 6880 tcp service object
object-group service DM_INLINE_SERVICE_6
ICMP service object
the eq 2001 tcp service object
the purpose of the service tcp eq 2004
the eq 2005 tcp service object
object-group service DM_INLINE_SERVICE_7
ICMP service object
Group object InterTel5000
object-group service DM_INLINE_SERVICE_8
ICMP service object
the eq https tcp service object
EQ-ssh tcp service object
RevProxy tcp service object-group
RevProxy description
port-object eq 5500
XenDesktop tcp service object-group
Xen description
EQ object of port 8080
port-object eq 2514
port-object eq 2598
object-port 27000 eq
port-object eq 7279
port-object eq 8000
port-object eq citrix-ica
public_access_in list any host public-ip extended access allowed object-group DM_INLINE_SERVICE_8
public_access_in list any host public-ip extended access allowed object-group VPN
public_access_in list extended access allowed object-group DM_INLINE_SERVICE_7 any host public-ip-phones
public_access_in list extended access allowed object-group DM_INLINE_SERVICE_1 any public ftp host
public_access_in allowed extended access list tcp any host public-xorcom DM_INLINE_TCP_1 object-group
public_access_in list extended access allowed object-group DM_INLINE_SERVICE_2 any host public-Exchange
public_access_in allowed extended access list tcp all welcome RevProxy-public-group of objects RevProxy
public_access_in list extended access allowed object-group DM_INLINE_SERVICE_3 any host public-remote control-support
public_access_in list extended access allowed object-group DM_INLINE_SERVICE_6 any host public-xarios
public_access_in list extended access allowed object-group web server any host public-sharepoint
public_access_in list extended access allowed object-group web server any host public-tportal
public_access_in list extended access allowed object-group DM_INLINE_SERVICE_4 any host public-kaseya
public_access_in list extended access allowed object-group DM_INLINE_SERVICE_5 any host public-pptp
public_access_in list extended access permit ip any host public-XenDesktop
private_access_in list extended access permit icmp any one
private_access_in of access allowed any ip an extended list
VPN_Users_SplitTunnelAcl list standard allowed server-network access 255.255.255.0
VPN_Users_SplitTunnelAcl list standard allowed user-network access 255.255.255.0
VPN_Users_SplitTunnelAcl standard access list allow management-network 255.255.255.0
VPN_Users_SplitTunnelAcl standard access list allow 10.20.1.0 255.255.255.0
VPN_Users_SplitTunnelAcl standard access list allow legacy-network 255.255.255.0
private_nat0_outbound list extended access allowed object-group ip MILLS_VPN_VLANS 255.255.255.0 Irvine_LAN
private_nat0_outbound list extended access allowed object-group ip MILLS_VPN_VLANS 10.20.1.96 255.255.255.240
private_nat0_outbound list extended access allowed object-group ip MILLS_VPN_VLANS 10.90.2.0 255.255.255.0
public_1_cryptomap list extended access allowed object-group ip MILLS_VPN_VLANS 255.255.255.0 Irvine_LAN
public_2_cryptomap list extended access allowed object-group ip MILLS_VPN_VLANS 10.90.2.0 255.255.255.0
pager lines 24
Enable logging
list of logging level warnings error events
Monitor logging warnings
logging warnings put in buffered memory
logging trap warnings
exploitation forest asdm warnings
e-mail logging warnings
private private-kaseya host connection
forest-hostdown operating permits
logging of trap auth class alerts
MTU 1500 public
MTU 1500 private
management of MTU 1500
mask 10.20.1.100 - 10.20.1.110 255.255.255.0 IP local pool VPN_Users
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global interface 101 (public)
private_nat0_outbound of access list NAT 0 (private)
NAT (private) 101 0.0.0.0 0.0.0.0
NAT (management) 101 0.0.0.0 0.0.0.0
static DNS (private, public) public-private-netmask 255.255.255.255 ip phones, ip phones,
static DNS (private, public) private public-ftp-ftp netmask 255.255.255.255
static (private, public) public-private-xorcom netmask 255.255.255.255 xorcom dns
static DNS (private, public) public Exchange private-Exchange netmask 255.255.255.255
RevProxy-public (private, public) public static private-RevProxy netmask 255.255.255.255 dns
static DNS (private, public) public-remote control-support private-remote control-support netmask 255.255.255.255
static (private, public) public-private-xarios netmask 255.255.255.255 xarios dns
static public-sharepoint (private, public) private-sharepoint netmask 255.255.255.255 dns
TPORTAL-public (private, public) public static private-tportal netmask 255.255.255.255 dns
static (private, public) public-private-netmask 255.255.255.255 kaseya kaseya dns
static public-pptp (private, public) private-pptp netmask 255.255.255.255 dns
static public-XenDesktop (private, public) private-XenDesktop netmask 255.255.255.255 dns
Access-group public_access_in in the public interface
Access-group behind closed doors, interface private_access_in
Public route 0.0.0.0 0.0.0.0 cox-gateway 1
Private server network route 255.255.255.0 10.20.1.254 1
Route private user-network 255.255.255.0 10.20.1.254 1
Private networking route 255.255.255.0 10.20.1.254 1
Route private network iscsi 255.255.255.0 10.20.1.254 1
Private heritage network 255.255.255.0 route 10.20.1.254 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Admin-control LDAP attribute-map
Comment by card privileged-level name
LDAP attribute-map allow dialin
name of the msNPAllowDialin IETF-Radius-class card
msNPAllowDialin card-value FALSE NOACCESS
msNPAllowDialin card-value TRUE IPSecUsers
attribute-map LDAP Mills-VPN_Users
name of the msNPAllowDialin IETF-Radius-class card
msNPAllowDialin card-value FALSE NOACCESS
map-value msNPAllowDialin true IPSecUsers
LDAP attribute-map network admins
memberOf IETF Radius-Service-Type card name
map-value memberOf NOACCESS FAKE
map-value memberOf 'Network Admins' 6
dynamic-access-policy-registration DfltAccessPolicy
AAA-server protocol nt Mills
host of Mills (private) AAA-server private-pptp
auth-ms01.mills.int NT domain controller
AAA-server Mills_NetAdmin protocol ldap
AAA-server Mills_NetAdmin (private) host private-pptp
Server-port 389
or base LDAP-dn = San Diego, dc = factories, dc = int
or LDAP-group-base dn = San Diego, dc = factories, dc = int
LDAP-scope subtree
name attribute LDAP cn
LDAP-login-password *.
LDAP-connection-dn cn = asa, OU = Service accounts, or = San Diego, dc = factories, dc = int
microsoft server type
LDAP-attribute-map-Mills-VPN_Users
AAA-server NetworkAdmins protocol ldap
AAA-server NetworkAdmins (private) host private-pptp
or base LDAP-dn = San Diego, dc = factories, dc = int
or LDAP-group-base dn = San Diego, dc = factories, dc = int
LDAP-scope subtree
name attribute LDAP cn
LDAP-login-password *.
LDAP-connection-dn cn = asa, OU = Service accounts, or = San Diego, dc = factories, dc = int
microsoft server type
LDAP-attribute-map network-admins
AAA-server ADVPNUsers protocol ldap
AAA-server ADVPNUsers (private) host private-pptp
or base LDAP-dn = San Diego, dc = factories, dc = int
or LDAP-group-base dn = San Diego, dc = factories, dc = int
LDAP-scope subtree
name attribute LDAP cn
LDAP-login-password *.
LDAP-connection-dn cn = asa, OU = Service accounts, or = San Diego, dc = factories, dc = int
microsoft server type
LDAP-attribute-map-Mills-VPN_Users
Console to enable AAA authentication LOCAL ADVPNUsers
Console HTTP authentication of the AAA ADVPNUsers LOCAL
AAA authentication serial console LOCAL ADVPNUsers
Console Telnet AAA authentication LOCAL ADVPNUsers
authentication AAA ssh console LOCAL ADVPNUsers
Enable http server
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 public
http 0.0.0.0 0.0.0.0 private
Community private private-kaseya SNMP-server host * version 2 c
Server SNMP - San Diego location plants
contact SNMP server, help the Mills
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Sysopt noproxyarp private
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto public_map 1 match address public_1_cryptomap
card crypto public_map 1 set pfs
card crypto public_map 1 set xx.168.155.98 counterpart
card crypto public_map 1 the value transform-set ESP-3DES-MD5-ESP-AES-128-SHA
public_map card crypto 1 set nat-t-disable
card crypto public_map 1 phase 1-mode of aggressive setting
card crypto public_map 2 match address public_2_cryptomap
card crypto public_map 2 pfs set group5
card crypto public_map 2 peers set xx.181.134.141
card crypto public_map 2 game of transformation-ESP-AES-128-SHA
public_map card crypto 2 set nat-t-disable
public_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
public crypto map public_map interface
crypto ISAKMP enable public
crypto ISAKMP policy 1
preshared authentication
aes encryption
sha hash
Group 5
life 86400
crypto ISAKMP policy 10
preshared authentication
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
md5 hash
Group 1
lifetime 28800
Telnet 0.0.0.0 0.0.0.0 private
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 public
SSH 0.0.0.0 0.0.0.0 private
SSH 0.0.0.0 0.0.0.0 management
SSH timeout 5
Console timeout 0
management of 192.168.0.2 - dhcpd addresses 192.168.0.254
!
a basic threat threat detection
Statistics-list of access threat detection
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
authenticate the NTP
NTP server 216.129.110.22 public source
NTP server 173.244.211.10 public source
NTP server 24.124.0.251 public source prefers
WebVPN
allow the public
enable SVC
internal group NOACCESS strategy
NOACCESS group policy attributes
VPN - concurrent connections 0
VPN-tunnel-Protocol svc
internal IPSecUsers group strategy
attributes of Group Policy IPSecUsers
value of server WINS 10.20.10.1
value of server DNS 10.20.10.1
Protocol-tunnel-VPN IPSec
allow password-storage
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list VPN_Users_SplitTunnelAcl
Mills.int value by default-field
the address value VPN_Users pools
Irvine internal group policy
Group Policy attributes Irvine
Protocol-tunnel-VPN IPSec
username admin password encrypted in Kra9/kXfLDwlSxis
type VPNUsers tunnel-group remote access
tunnel-group VPNUsers General attributes
address pool VPN_Users
authentication-server-group Mills_NetAdmin
Group Policy - by default-IPSecUsers
tunnel-group VPNUsers ipsec-attributes
pre-shared-key *.
tunnel-group xx.189.99.114 type ipsec-l2l
tunnel-group xx.189.99.114 General-attributes
Group Policy - by default-Irvine
XX.189.99.114 group of tunnel ipsec-attributes
pre-shared-key *.
tunnel-group xx.205.23.76 type ipsec-l2l
tunnel-group xx.205.23.76 General-attributes
Group Policy - by default-Irvine
XX.205.23.76 group of tunnel ipsec-attributes
pre-shared-key *.
tunnel-group xx.168.155.98 type ipsec-l2l
tunnel-group xx.168.155.98 General-attributes
Group Policy - by default-Irvine
XX.168.155.98 group of tunnel ipsec-attributes
pre-shared-key *.
!
Global class-card class
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
World-Policy policy-map
Global category
inspect the dns
inspect esmtp
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the sip
inspect the skinny
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect xdmcp
!
service-policy-international policy global
privilege level 3 mode exec cmd command perfmon
privilege level 3 mode exec cmd ping command
mode privileged exec command cmd level 3
logging of the privilege level 3 mode exec cmd commands
privilege level 3 exec command failover mode cmd
privilege level 3 mode exec command packet cmd - draw
privilege show import at the level 5 exec mode command
privilege level 5 see fashion exec running-config command
order of privilege show level 3 exec mode reload
privilege level 3 exec mode control fashion show
privilege see the level 3 exec firewall command mode
privilege see the level 3 exec mode command ASP.
processor mode privileged exec command to see the level 3
privilege command shell see the level 3 exec mode
privilege show level 3 exec command clock mode
privilege exec mode level 3 dns-hosts command show
privilege see the level 3 exec command access-list mode
logging of orders privilege see the level 3 exec mode
privilege, level 3 see the exec command mode vlan
privilege show level 3 exec command ip mode
privilege, level 3 see fashion exec command ipv6
privilege, level 3 see the exec command failover mode
privilege, level 3 see fashion exec command asdm
exec mode privilege see the level 3 command arp
command routing privilege see the level 3 exec mode
privilege, level 3 see fashion exec command ospf
privilege, level 3 see the exec command in aaa-server mode
AAA mode privileged exec command to see the level 3
privilege, level 3 see fashion exec command eigrp
privilege see the level 3 exec mode command crypto
privilege, level 3 see fashion exec command vpn-sessiondb
privilege level 3 exec mode command ssh show
privilege, level 3 see fashion exec command dhcpd
privilege, level 3 see fashion exec command vpn
privilege level see the 3 blocks from exec mode command
privilege, level 3 see fashion exec command wccp
privilege, level 3 see the exec command in webvpn mode
privilege control module see the level 3 exec mode
privilege, level 3 see fashion exec command uauth
privilege see the level 3 exec command compression mode
level 3 for the show privilege mode configure the command interface
level 3 for the show privilege mode set clock command
level 3 for the show privilege mode configure the access-list command
level 3 for the show privilege mode set up the registration of the order
level 3 for the show privilege mode configure ip command
level 3 for the show privilege mode configure command failover
level 5 mode see the privilege set up command asdm
level 3 for the show privilege mode configure arp command
level 3 for the show privilege mode configure the command routing
level 3 for the show privilege mode configure aaa-order server
level mode 3 privilege see the command configure aaa
level 3 for the show privilege mode configure command crypto
level 3 for the show privilege mode configure ssh command
level 3 for the show privilege mode configure command dhcpd
level 5 mode see the privilege set privilege to command
privilege level clear 3 mode exec command dns host
logging of the privilege clear level 3 exec mode commands
clear level 3 arp command mode privileged exec
AAA-server of privilege clear level 3 exec mode command
privilege clear level 3 exec mode command crypto
level 3 for the privilege cmd mode configure command failover
clear level 3 privilege mode set the logging of command
privilege mode clear level 3 Configure arp command
clear level 3 privilege mode configure command crypto
clear level 3 privilege mode configure aaa-order server
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:5d5c963680401d150bee94b3c7c85f7a
Maybe my eyes is glazed looking at it for too long. Something seems wrong? Maybe I missed a command that would not appear in the config?
Thanks in advance to those who take a glance.
We see that the UI is sent the echo request but there is no response to echo. This seems to be a routing problem between the ASA and the host you are trying to ping. You can see the range so that the traffic to 10.20.1.0 network is routed to the ASA. If there is no other routing device make sure that the default gateway is correct on the host computer, you're trying to reach.
If you try to ping a windows machine make sure that the windows firewall is disabled or allows ICMP.
--
Please do not forget to rate and choose a response from xorrect
-
Classic DMVPN on IPSec. The force instead of UDP/4500 ESP?
Hi, we have classic DMVPN pattern with central router and rays, all IOS routers.
One of the remote sites a ISP evil, that filters GRE and ESP (I think they filter all except tcp, udp and icmp).
Is it possible to force speaks rather to use udp/4500 ESP?
All about suggestions? The mission satellite IP is dynamic and changes over time.
The router should already have NAT - T enabled by default, but if it is disabled, then you can configure the following:
Crypto ipsec nat transparency
-
Hello
You start to replace all of our ISA Server with with DMVPN cisco routers. So far, we are happy with everything, but I ran into a problem. I've just set up one of our agencies and the DMVPN works very well, but this location also has a VPN tunnel to another branch that we have not replaced with Cisco equipment yet. The problem I have is that as soon as I associate an ipsec site-to-site VPN on the router, the DMVPN drops.
I create the Ipsec VPN:
map VPN_Crypto 1 ipsec-isakmp crypto
game of transformation-ESP-3DES-SHA
the value of aa.aa.aa.aa peer
match address 103 (where address is allow remote local IP subnet the IP subnet)
and everything works fine. As soon as I do the following:
interface GigabitEthernet0/1
card crypto VPN_Crypto
The DMVPN drops. If I can connect to and run:
interface GigabitEthernet0/1
No crypto card
The DMVPN happens immediately.
What could I do it wrong? Here is the config for the Tunnel0 DMVPN tunnel:
interface Tunnel0
bandwidth 1000
192.168.10.31 IP address 255.255.255.0
no ip redirection
IP 1400 MTU
authentication of the PNDH IP DMVPN_NW
map of PNDH IP xx.xx.xx.xx multicast
property intellectual PNDH card 192.168.10.10 xx.xx.xx.xx
PNDH id network IP-100000
property intellectual PNDH holdtime 360
property intellectual PNDH nhs 192.168.10.10
dmvpn-safe area of Member's area
IP tcp adjust-mss 1360
delay of 1000
source of tunnel GigabitEthernet0/1
multipoint gre tunnel mode
tunnel key 100000
Tunnel CiscoCP_Profile1 ipsec protection profile
If you need anything else the config for help just let me know. Our main site router, I had no problem with him being the DMVPN hub and also having a handful of Ipsec VPN set up on it well. I appreciate a lot of help, I really need to get both of these tunnels running simultaneously as soon as possible.
Yes, but I don't see anything looking for strange (well, configs generated by CCP always sound strange...).
Maybe you run into a bug. Have you tried a different IOS? Personally I wouldn't use 15.2 if I have to. You can try 15.0 (1) M8 and see if it works.
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni -
SA520 and Question IPSec VPN RVS4000
Hello
I installed an IPSec VPN for one of my friends for his company. At its principal office, I installed a Cisco SA520 and he uses to connect devices such as the iPhone and iPad via the IPSec VPN. He uses this fact because he travels abroad a lot and he has problems with services such as Skype is blocked in some countries. This configuration works very well.
It also has a Cisco RVS4000, which he would like to install at his place of business to the Mexico. He would like the RVS4000 VPN configuration to the SA520 in his office. The SA520 in his office has a static IP address. The RVS4000 to the Mexico does not work.
Is it possible to Setup IPSec VPN between a SA520 with a static IP and RVS4000 address that does not have a static IP address? If so, examples of configuration would be greatly appreciated.
Thank you!
Hi William, simply sign up for a dyndns account or similar service, the RVS4000 configuration will be the same, instead of the IP, you'd be using the dyndns name.
-Tom
Please mark replied messages useful -
Hello
I have deploy a dmvpn with two of the hub topology and several rays, after the spokes and the hub, I did a reboot in the hub to see if this drug works after rebbot in the hub, but I noticed that after the rebbot the tunnel in the hub is not come, the only way to raise the tunnel had to erase dmvpn static session in rays , during this time the hub to continue giving a message:
ISAKMP: ignoring the request to send delete notify (no ISAKMP security association) src 213.10.10.10 dst 213.58.10.10.14 for SPI 0xC15C587F
IOS:12.4.11 T 1
2821
2811
Someone can help me.
Thank you
Hello
Please make sure you have ISAKMP KeepAlive on the hubs and spokes, and once configured, please test again and see if it improves. What is happeneing is probably when the hub is restarted, speak it does not clear the tunnel is based on the SAs to timeout. When delete us the SAs on the RADIUS, the problem goes away. Configure ISAKMP KeepAlive should we work around this problem.
HTH,
Please rate if this can help.
Kind regards
Kamal
-
basic configuration question IPSec GRE
the Sub test config has been entered at R1 (router left mostly). R4 has a similar to the inverse IP address config. R1 is able to ping R4 loopback at the present time.
crypto ISAKMP policy 10
BA aes
preshared authentication
Group 2
life 120
address of cisco crypto isakmp 203.115.34.4 keys
!
!
Crypto ipsec transform-set MY_TRANSFORM ah-sha-hmac esp - aes
!
MY_MAP 10 ipsec-isakmp crypto map
defined by peer 203.115.34.4
game of transformation-MY_TRANSFORM
match address 100
!
!
!
!
interface Loopback0
192.168.10.1 IP address 255.255.255.255
!
interface Tunnel0
IP 192.168.14.1 255.255.255.0
source of tunnel Serial1/2
tunnel destination 203.115.34.4
card crypto MY_MAP!
!
interface Serial1/2
IP 203.115.12.1 255.255.255.0
series 0 restart delay
!
!
Router eigrp 100
network 192.168.0.0 0.0.255.255
Auto-resume
!
router ospf 100
router ID 1.1.1.1
Log-adjacency-changes
network 203.115.0.0 0.0.255.255 area 0
!!
access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 connect
!
!
I see cisco samples configurations include an access list entry as follows...
access-list 100 permit gre 203.115.12.1 host 203.115.34.4
I understand the purpose of the ACL above regarding the test configuration that I posted here.
Let me explain.
LAN - router - WAN - router - LAN
Communication between the two LANs can be on a GRE tunnel to an IPsec tunnel or IPsec/GRE tunnel.
If you simply want to communicate between them unicast IP traffic, IPsec is recommended because it will encrypt the traffic.
If you need non-unicast or non - IP traffic through, then you can create a GRE tunnel.
If you want IPsec encryption for the GRE tunnel and then configure IPsec/GRE.
The ACL you mention will not work because the GRE traffic is only between tunnel endpoints.
The traffic that flows between local networks is the IP (not the GRE traffic) traffic where a permit GRE ACL will not work.
It will be useful.
Federico.
-
Noob on UNDER question forms packet
I found a component of low caliber I want to use but cannot make it work. It's a bunch of actionscript that I imported with a CFC file and the IDE recognizes the title when I try and work with her. the error I get is "could not resolve < local: LightGauge > to an implementation of the component.
I got the site code http://www.betterthanflex.com/?p=9
Thanks for the tips!
I just deleted the files in the src folder and typed the code in the previous message
-
IPSec and packet loss: Question
Hello, hopefully a simple Question :-)
Can someone tell me what happens when an IPSec packet is lost.
He get fired?
are just the TCP packets inside IPSec resentment tunnel?
I hope someone can help!
Background: VoIP.
We have Home office users.
Some have a quality of voice some terrible have a perfect quality, even if they all use the same hardware and configurations (name of user/passwords different and IP addresses of course)
Fraser
There isn't anything in IPSec that would retransmit a lost package. It is the native protocol and terminal stations that communicate in order to determine if there is packet loss and whether or not to broadcast.
If I understand your comment correctly that you are dealing with individual users do VOIP, then more things you mention, which is different (name of user and password and addresses) almost certainly dealing with various different service providers / Internet connectivity. It would be interesting to do a ping extended with a large number of ping packets to a user who experiences problems and one that does not. I suspect that you will see a significant difference in packet loss.
HTH
Rick
Maybe you are looking for
-
Windows Storage: what version of windows and updated to reflect later
Hello I am very new to Windows storage space. I have a few questions: 1. what version of Windows is the best (only for storage purposes): 8.1 Windows Client, Windows Server R2 Windows Server 2012 Essentials 2012? 2. in the scenario that I have only 1
-
BlackBerry Blackberry Smartphones - e-mail configuration issue
My Blackberry has stopped working and has been replaced by T-Mobile (warranty), I backed up the old one before taking it back and am now trying to get my email etc working again... I'm lost - I have connected the new device and synced it but now all
-
I do a repair system EACH time disc that I perform an Image backup system?
I do one every time system repair disc I perform an Image backup system? (Win7 Ultimate 32-bit SP1) Thank you. Craig, AMTELCO P.S. I really did a lot of digging before asking. While I picked up some useful tips in the case, I do simply not the connec
-
Want to set up my own home server home
I am currently taking courses in college to design and program. I wish I had my own server/host in order to check my php etc, codes. How would I go about setting up my own server/host on my computer at home? Are they safe? Are they free? Thanks in
-
Can recovery and/or password reset disk data stored on temporarily on a hard drive.
People, I am volunteer non-professionals that keeps about 8 computers churches. Right now they are a mixture of Windows 7 and Windows 8.1. I want to do a reset disk and recovery password for each of them. My problem is the cost of all readers USB