DMVPN questions - IPsec packets
Hi all
Currently, I am configuring DMVPN for the first time. I followed the Cisco configuration guide and Googled a few other threads, however I seem to have hit a brick wall.
The Setup is in a lab environment, so I can post as much information as required, but here's the important bits:
I have 3 Cisco 2821 routers running IOS 12.4(15) with a layer 3 switch in the middle connecting the 'WAN' ports together. The routing works fine; I can ping each of the other routers.
Excerpts from the hub router config:
crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
!
crypto ipsec profile DMVPN_PRJ
set transform-set DMVPN_SET
!
interface Tunnel0
bandwidth 10000
ip address 172.17.100.1 255.255.255.0
no ip redirects
ip mtu 1500
ip nhrp authentication secretid
ip nhrp map multicast dynamic
ip nhrp network-id 101
ip nhrp holdtime 450
ip tcp adjust-mss 1460
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 10101
tunnel protection ipsec profile DMVPN_PRJ
!
interface GigabitEthernet0/0
description HQ WAN
ip address 1.1.1.1 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
and here's the config on the first spoke router:
crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
!
crypto ipsec profile DMVPN_PRJ
set transform-set DMVPN_SET
!
interface Tunnel0
bandwidth 3000
ip address 172.17.100.10 255.255.255.0
no ip redirects
ip mtu 1500
ip nhrp authentication secretid
ip nhrp map 172.17.100.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 101
ip nhrp holdtime 450
ip nhrp nhs 172.17.100.1
ip tcp adjust-mss 1460
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 10101
tunnel protection ipsec profile DMVPN_PRJ
!
interface GigabitEthernet0/0
description Site 1 WAN
ip address 11.11.11.1 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
If I shut / no shut the Tunnel0 interface on spoke 1, I get the following error on the hub router:
Mar 30 13:41:17.075: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /1.1.1.1, src_addr= 11.11.11.1, prot= 47
so I feel I'm missing some config on the spoke side to encrypt the traffic, but I'm not sure what.
Here's the output from the spoke router:
RTR_SITE1#sh dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
-------------- Interface Tunnel0 info: --------------
Intf. is up, Line Protocol is up, Addr. is 172.17.100.10
Source addr: 11.11.11.1, Dest addr: MGRE
Protocol/Transport: "multi-GRE/IP", Protect "DMVPN_PRJ",
Tunnel VRF "", ip vrf forwarding ""
NHRP Details: NHS: 172.17.100.1 E
Type:Spoke, NBMA Peers:1
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 1.1.1.1 172.17.100.1 IKE never S 172.17.100.1/32
Interface: Tunnel0
Session: [0x48E31B98]
Crypto Session Status: DOWN
fvrf: (none), IPSEC FLOW: permit 47 host 11.11.11.1 host 1.1.1.1
Active SAs: 0, origin: crypto map
Outbound SPI : 0x 0, transform :
Socket State: Closed
Pending DMVPN Sessions:
RTR_SITE1#sh ip nhrp detail
172.17.100.1/32 via 172.17.100.1, Tunnel0 created 00:33:44, never expire
Type: static, Flags: used
NBMA address: 1.1.1.1
RTR_SITE1#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 11.11.11.1
protected vrf: (none)
local ident (addr/mask/prot/port): (11.11.11.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 46, #recv errors 0
local crypto endpt.: 11.11.11.1, remote crypto endpt.: 1.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
All these commands come up empty when I run them on the hub router.
Any help appreciated.
Thank you
Nothing negotiates because you do not have an IKE key configured. You need
crypto isakmp policy 1
 encr (whatever)
 authentication pre-share
 group (whatever)
crypto isakmp key 0 somesecret address 0.0.0.0 0.0.0.0
Hub and spokes must match.
Your IPsec transform-set should also have "mode transport".
Sent from Cisco Technical Support iPad App
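As an added example (not part of the thread, and not Cisco's own tooling), here is a small Python lint that checks a running-config text for the three things this answer asks for: an ISAKMP policy, a pre-shared key or keyring, and `mode transport` on the transform-set behind `tunnel protection`. Both config strings are constructed: the first is the spoke config from the question as posted, the second is the same config with the answer's additions applied (the key value `SOMESECRET` is a placeholder).

```python
"""Lint an IOS DMVPN config for the IKE pieces that tunnel protection needs.

Added example, not from the thread: with `tunnel protection ipsec profile`
present there must be at least one `crypto isakmp policy`, a
`crypto isakmp key` (or `crypto keyring`) and, for DMVPN, `mode transport`
on the transform-set. Parsing is a plain walk over the `!`-separated,
indentation-based layout of `show run` output.
"""
import re
from typing import Dict, List

# Constructed sample: the spoke config from the question (trimmed).
SPOKE_CONFIG = """\
crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
!
crypto ipsec profile DMVPN_PRJ
 set transform-set DMVPN_SET
!
interface Tunnel0
 ip address 172.17.100.10 255.255.255.0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN_PRJ
"""

# Constructed sample: the same config with the answer's additions (placeholder key).
FIXED_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 0 SOMESECRET address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN_PRJ
 set transform-set DMVPN_SET
!
interface Tunnel0
 ip address 172.17.100.10 255.255.255.0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN_PRJ
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group a running-config into {top-level line: [its indented sub-lines]}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None          # '!' ends the current section
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def lint_dmvpn_ike(config: str) -> List[str]:
    """Return findings; an empty list means the IKE prerequisites are present."""
    sections = parse_sections(config)
    findings: List[str] = []

    # Only profiles actually applied with tunnel protection are checked.
    protected = set()
    for head, body in sections.items():
        if head.startswith("interface Tunnel"):
            for line in body:
                m = re.match(r"tunnel protection ipsec profile (\S+)", line)
                if m:
                    protected.add(m.group(1))
    if not protected:
        return findings

    if not any(h.startswith("crypto isakmp policy ") for h in sections):
        findings.append("no 'crypto isakmp policy': IKE phase 1 cannot be negotiated")
    if not any(h.startswith(("crypto isakmp key ", "crypto keyring ")) for h in sections):
        findings.append("no 'crypto isakmp key' or 'crypto keyring': no pre-shared key for any peer")

    # Follow each applied profile to its transform-set and check the mode.
    for prof in sorted(protected):
        body = sections.get(f"crypto ipsec profile {prof}")
        if body is None:
            findings.append(f"tunnel protection references undefined profile {prof}")
            continue
        for line in body:
            m = re.match(r"set transform-set (\S+)", line)
            if not m:
                continue
            ts_name = m.group(1)
            heads = [h for h in sections if h.startswith(f"crypto ipsec transform-set {ts_name} ")]
            if not heads:
                findings.append(f"profile {prof} references undefined transform-set {ts_name}")
            elif "mode transport" not in sections[heads[0]]:
                findings.append(f"transform-set {ts_name} lacks 'mode transport' (DMVPN expects transport mode)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("as posted", SPOKE_CONFIG), ("with answer applied", FIXED_CONFIG)):
        print(name, "->", lint_dmvpn_ike(cfg) or "ok")
```

Run against the posted spoke config it reports all three gaps; against the fixed one it reports nothing. One caveat on the fix itself: a wildcard `address 0.0.0.0 0.0.0.0` pre-shared key makes any host that knows the key an acceptable peer, so once the lab works a keyring with per-peer addresses, or certificate authentication, is the tighter choice.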
Tags: Cisco Security
Similar Questions
-
On DMVPNs selective IPSec encryption
Hello
I have a DMVPN with two spokes over an MPLS L3 IP-VPN network, IPsec over GRE using crypto profiles. It works very well. Now, I need to encrypt all traffic except DSCP EF. I tried with a route-map (ACB) setting the ip next-hop for EF packets and just normal routing for all other types of traffic.
My question is, I know crypto maps that use ACLs can selectively encrypt traffic through IPsec/GRE tunnels. Crypto profiles don't seem to have this feature. Is there another way to do this?
A config snip from one of the spokes is below.
===============
interface GigabitEthernet0/0.1
 description LAN i/f
 ip address 10.10.10.1 255.255.255.0
 ip policy route-map ACB
!
interface Tunnel100
 ip address 172.16.254.13 255.255.254.0
 no ip redirects
 ip nhrp map 172.16.254.1 103.106.169.10
 ip nhrp map multicast 103.106.169.10
 ip nhrp network-id 1
 ip nhrp nhs 172.16.254.1
 ip nhrp shortcut
 keepalive 10 3
 tunnel source GigabitEthernet0/1.401
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-Crypto
!
router eigrp 1
 no auto-summary
 network 172.16.254.0 0.0.1.255
 eigrp log-neighbor-warnings
 eigrp log-neighbor-changes
 ! - router id
 network 10.10.10.0 0.0.0.255
!
route-map ACB permit 10
 match ip address ACB
 set ip next-hop 11.2.100.2
!
route-map ACB permit 20
!
ip access-list extended ACB
 permit icmp host 10.10.10.5 host 15.1.1.1 dscp ef
 permit icmp host 10.10.10.5 host 15.1.1.1 dscp 41
 deny ip any any log
===============
Note: the routing table contains only a default route learned via EIGRP. Thus, if ACB sequence 10 matches, policy routing would forward to the next-hop (PE); otherwise it would use 0/0 and route through the tunnel.
Thanks in advance!
See you soon
Aravind
With DMVPN, no. You will need to go back to using plain crypto maps, using access lists to control what is and is not encrypted.
If the "EF" traffic were on dedicated VoIP subnets you would have more options; you could simply choose not to route those subnets over the tunnel.
-
Hi all
Is the operation of DMVPN without IPsec configuration supported?
I'm testing it right now and the hubs are losing connectivity to the spokes. I wonder if it is because of not using IPsec.
Anyone tried this?
Attila
I guess you meant NHRP. If so, look at http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080435815.html
-
DMVPN Question ISAKMP Security Association
Hi all
I have implemented a basic full mesh DMVPN, similar to the config used in the Packet Life
http://packetlife.net/blog/2008/Jul/23/dynamic-multipoint-VPN-DMVPN/ tutorial.
I have a hub and two spokes. Everything seems to be functioning ok. I've included the tunnel configs below.
My question is, when I do a show crypto isakmp sa, for example on spoke 2, I have three ISAKMP SAs with three different src addresses...
How is that possible when I only have tunnels to two other devices, the hub and spoke 1? And why does a foreign source address appear as an ISAKMP security association on this router?
dst             src             state          conn-id slot status
172.16.1.2 172.16.2.2 QM_IDLE 1 0 ACTIVE
172.16.2.2 172.16.3.2 QM_IDLE 3 0 ACTIVE
172.16.2.2 172.16.1.2 QM_IDLE 2 0 ACTIVE
A similar result on the hub
dst             src             state          conn-id slot status
172.16.2.2 172.16.1.2 QM_IDLE 2 0 ACTIVE
172.16.1.2 172.16.2.2 QM_IDLE 1 0 ACTIVE
172.16.1.2 172.16.3.2 QM_IDLE 3 0 ACTIVE
Spoke 1 has only 2
172.16.1.2 172.16.3.2 QM_IDLE 1 0 ACTIVE
172.16.2.2 172.16.3.2 QM_IDLE 2 0 ACTIVE
Crypto config for all:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key P4ssw0rd address 172.16.0.0 255.255.0.0
!
crypto ipsec transform-set MyTransformSet esp-aes esp-sha-hmac
!
crypto ipsec profile MyProfile
 set transform-set MyTransformSet
!
interface Tunnel0
 tunnel protection ipsec profile MyProfile
Config of Tunnel hub
interface Tunnel0
 ip address 10.0.100.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source fa0/0
 tunnel mode gre multipoint
Spoke 1 Tunnel Config
!
interface FastEthernet0/0
 ip address 172.16.3.2 255.255.255.0
 duplex auto
 speed auto
!
interface Tunnel0
 ip address 10.0.100.2 255.255.255.0
 no ip redirects
 ip nhrp map 10.0.100.1 172.16.1.2
 ip nhrp map multicast 172.16.1.2
 ip nhrp network-id 1
 ip nhrp nhs 10.0.100.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile MyProfile
Spoke 2 Tunnel Config
!
interface FastEthernet0/0
 ip address 172.16.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface Tunnel0
 ip address 10.0.100.3 255.255.255.0
 no ip redirects
 ip nhrp map 10.0.100.1 172.16.1.2
 ip nhrp map multicast 172.16.1.2
 ip nhrp network-id 1
 ip nhrp nhs 10.0.100.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile MyProfile
SRC and DST IP addresses indicate who was the initiator and who was the responder. They do not represent the information flow (in the traditional sense of the term).
You could get duplicate sessions in two IKE scenarios; these are the most common:
(1) the negotiation was started at both ends "simultaneously".
(2) IKE renegotiation.
What is strange to me is that you seem to have a session initiated by you and one initiated by the hub.
What I would do is add:
- ip nhrp server-only (on the hub, provided it is not an ASR)
- DPD (on all devices).
This ensures that the hub does not initiate anything in NHRP and that useless/dead sessions are eventually torn down.
-
Hello
I was wondering whether it is possible to use one crypto config for both DMVPN and the IPsec CLIENT?
To make it work I have to use one crypto config for the DMVPN and one for IPsec; both run on the same router, my SPOKE router can connect to my HUB router and my computer can connect to the "HUB" router via an IPsec tunnel.
Is there any way to make it simpler, instead of doing two configs on a single router for more or less the same work?
My question may be stupid, sorry for that; I'm still learning, and I love it.
Below is the full working DMVPN + IPsec config:
Best regards
Didier
ROUTER1841#sh run
Building configuration...
Current configuration : 9037 bytes
!
! Last configuration change at 21:51:39 gmt+1 Mon Feb 7 2011 by admin
! NVRAM config last updated at 21:53:07 gmt+1 Mon Feb 7 2011 by admin
!
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime msec
service password-encryption
!
hostname ROUTER1841
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096 notifications
enable password 7 05080F1C2243
!
aaa new-model
!
!
aaa authentication banner ^C
THIS SYSTEM IS FOR THE USE OF AUTHORIZED OFFICIAL USERS ONLY
^C
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common
clock timezone gmt+1 1
clock summer-time gmt+2 recurring last Sun Mar 2:00 last Sun Oct 3:00
dot11 syslog
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.30.1
ip dhcp excluded-address 192.168.100.1
ip dhcp excluded-address 192.168.1.250 192.168.1.254
!
ip dhcp pool vlan10
   import all
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   lease 5
!
ip dhcp pool vlan20
   import all
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.1
   lease 5
!
ip dhcp pool vlan30
   import all
   network 192.168.30.0 255.255.255.0
   default-router 192.168.30.1
!
ip dhcp pool TEST
   host 192.168.100.20 255.255.255.0
   client-identifier 0100.2241.353f.5e
!
ip dhcp pool internal
   network 192.168.100.0 255.255.255.0
   dns-server 192.168.100.1
   default-router 192.168.100.1
!
ip dhcp pool vlan1
   network 192.168.1.0 255.255.255.0
   dns-server 8.8.8.8
   default-router 192.168.1.1
   lease 5
!
ip dhcp pool MAC
   host 192.168.10.50 255.255.255.0
   client-identifier 0100.2312.1c0a.39
!
ip dhcp pool PRINTER
   host 192.168.10.20 255.255.255.0
   client-identifier 0100.242b.4d0c.5a
!
ip dhcp pool MLGW
   host 192.168.10.10 255.255.255.0
   hardware-address 0004.f301.58b3
!
ip dhcp pool pc-vero
   host 192.168.10.68 255.255.255.0
   client-identifier 0100.1d92.5982.24
!
ip dhcp pool vlan245
   import all
   network 192.168.245.0 255.255.255.0
   default-router 192.168.245.1
!
ip dhcp pool VPN_ROUTER
   client-identifier 0100.0f23.604d.a0
!
ip dhcp pool QNAP_NAS
   host 192.168.10.100 255.255.255.0
   client-identifier 0100.089b.ad17.8f
   client-name QNAP_NAS
!
!
ip cef
no ip bootp server
ip domain name dri
ip host SW12 192.168.1.252
ip host SW24 192.168.1.251
ip host tftp 192.168.10.50
ip host Router_A 192.168.10.5
ip host Router_B 10.0.1.1
ip ddns update method DynDNS
 HTTP
  add http://dri66: [email protected] / * *//nic/update?system=dyndns&hostname=mlgw.dyndns.info&myip=[email protected] / * //nic/update?system=dyndns&hostname=mlgw.dyndns.info&myip=
 interval maximum 1 0 0 0
 interval minimum 1 0 0 0
!
ntp server 66.27.60.10
!
multilink bundle-name authenticated
!
!
flow-sampler-map mysampler1
 mode random one-out-of 100
!
crypto pki trustpoint TP-self-signed-2996752687
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2996752687
 revocation-check none
 rsakeypair TP-self-signed-2996752687
!
!
vtp version 2
username Admin privilege 15 secret 5 $1$gAFQ$2ecAHSYEU9g7b6WYuTY9G.
username cisco password 7 02050D480809
archive
 log config
  hidekeys
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group 3000client
 key cisco123
 dns 8.8.8.8
 domain dri.eu
 pool VPNpool
 acl 150
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
!
crypto ipsec profile cisco
 set security-association lifetime seconds 120
 set transform-set strong
!
!
crypto dynamic-map dynmap 10
 set transform-set RIGHT
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh port 8096 rotary 1
ip ssh version 2
!
!
!
interface Loopback0
 ip address 192.66.66.66 255.255.255.0
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 no ip next-hop-self eigrp 90
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon eigrp 90
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
 description DMZ
 ip ddns update hostname mlgw.dyndns.info
 ip ddns update DynDNS
 ip address dhcp
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface FastEthernet0/0.241
 description VLAN 241
 encapsulation dot1Q 241
 ip address dhcp
 ip access-group dri-acl-in in
 ip nat outside
 ip virtual-reassembly
 no cdp enable
!
interface FastEthernet0/0.245
 encapsulation dot1Q 245
 ip address dhcp
 ip access-group dri-acl-in in
 ip nat outside
 ip virtual-reassembly
 no cdp enable
!
interface FastEthernet0/1
 description INTERNAL ETH-LAN$
 ip address 192.168.100.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet0/0/1
 switchport access vlan 245
 spanning-tree portfast
!
interface FastEthernet0/0/2
 switchport access vlan 30
 spanning-tree portfast
!
interface FastEthernet0/0/3
 switchport mode trunk
!
interface Vlan1
 ip address 192.168.1.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan245
 ip address 192.168.245.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
router eigrp 90
 network 172.16.0.0
 network 192.168.10.0
 no auto-summary
!
ip local pool VPNpool 172.16.1.1 172.16.1.100
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
ip flow-cache timeout inactive 130
ip flow-cache timeout active 20
ip flow-aggregation cache prefix
 cache timeout inactive 400
 cache timeout active 25
!
!
ip nat inside source list 170 interface FastEthernet0/0 overload
ip nat inside source list NAT1 interface FastEthernet0/0.245 overload
ip nat inside source static tcp 192.168.10.10 80 interface FastEthernet0/0 8095
!
access-list 150 permit ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 170 deny   ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 170 deny   ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 170 permit ip 192.168.10.0 0.0.0.255 any
access-list 180 deny   ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 180 permit ip 192.168.10.0 0.0.0.255 any
no cdp run
!
!
!
route-map NAT permit 10
 match ip address 180
!
!
!
control-plane
!
banner exec ^C
WELCOME YOU ARE NOW LOGGED IN
^C
banner login ^C
WARNING!
IF YOU ARE NOT:
Didier Ribbens
Please leave NOW!
YOUR IP and MAC address will be LOGGED.
^C
!
line con 0
 speed 115200
line aux 0
line vty 0 4
 access-class 5
 privilege level 15
 rotary 1
 transport input telnet ssh
line vty 5 15
 access-class 5
 rotary 1
!
scheduler allocate 20000 1000
end
Didier,
Some time ago I wrote a bit on VTI; you should be able to find information about the ezvpn DVTI server in it.
The configuration you have right now is the old way for ezvpn, alongside the new way for DMVPN (tunnel protection).
If it works for the most part, it is best to get through the learning curve and move everything to the new configuration.
With EZVPN you can always assign IPs from the pool per ezvpn group or via external authorization ;-)
Anyway, let me know if you face any problems.
Marcin
-
Random Tunnel IPSec Packet drops
Hi experts,
I am trying to troubleshoot a random packet drop problem on an IPsec tunnel between two VTIs. For more than a month we did not see any issue, and as of today we have 30% packet loss through the IPsec tunnel.
After analysis, I have concluded that the packet loss is located somewhere on the path from the uc520 to the 2921. Packet counts look correct on the physical output interface of the uc520, but the packet count is low on the ingress interface of the 2921.
Pings outside the tunnel along the same path are very good.
I also deleted the tunnels on both ends, and after they came back up the issue was still present.
Any pointers on where to look for where the packets get lost?
rr-hq-2921#ping 10.1.13.1 source g0/1 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!..!.!!!!!!!!!..!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
..!!.!!!!!!!!!!!.!!!!!!!!.!!!!
Topology:
[uc520] == HAVE == {{{cloud}}} == MODEM == [2921]
Test:
2921#clear counters g0/0
Clear "show interface" counters on this interface [confirm]
%CLEAR-5-COUNTERS: Clear counter on interface GigabitEthernet0/0
Run on uc520: ping source timeout 0 rep 4000
This should quickly raise the packet count on the remote side by 4000 packets, as it did on the uc520 output interface.
2921#sho int g0/0 | i packets input
3348 packets input, 607812 bytes, 0 no buffer    <-- missing ~650
2921#sho int g0/0
GigabitEthernet0/0 is up, line protocol is up
  Hardware is CN Gigabit Ethernet, address is XXXXXXXX
  Description: Outside - WAN port
  Internet address is XXX.XXX.XXX.XXX/YY
  MTU 1500 bytes, BW 35000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full Duplex, 1Gbps, media type is RJ45
  output flow-control is XON, input flow-control is XON
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:00:42
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 75000 bits/sec, 51 packets/sec
  30 second output rate 77000 bits/sec, 52 packets/sec
     3456 packets input, 619794 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     3454 packets output, 632194 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out
Good info.
Now, did you ask your ISP whether they made any recent changes?
I think your suspicion is correct, and if the packet counts do not match then something in the environment has probably changed, since it worked before with the same configuration and IOS versions.
HTH.
-
DMVPN question "change btwn CONF_XAUTH & MM_NO_STATE"
Hi all
can you please help on below: thanks in advance.
HQ is configured to accept remote VPN clients using a crypto map, and it is also configured for dynamic VPN with the branch.
The HQ static public IP is 82.114.179.120, tunnel 10 is 172.16.10.1 and the local LAN is 192.168.1.0.
The branch has a dynamic public IP, tunnel 10 IP 172.16.10.32 and local LAN 192.168.32.0. It is also configured with tunnel 0 to another HQ, which works very well.
The branch LAN (192.168.32.0) needs to access the HQ LAN (192.168.1.0)...
Debug files attached
HQ:
aaa authentication login acs local
aaa authorization network acs local
!
aaa session-id common
!
ip cef
!
ip name-server 8.8.8.8
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
controller VDSL 0/1/0
!
crypto keyring ccp-dmvpn-keyring
  pre-shared-key address 0.0.0.0 0.0.0.0 key [email protected] / * /
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 3600 5
crypto isakmp nat keepalive 3600
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group NAMA
 key namanama
 pool mypool
 acl 101
 save-password
crypto isakmp profile dmvpn-ccp-isakmprofile
   keyring ccp-dmvpn-keyring
   match identity address 0.0.0.0
!
crypto ipsec transform-set test esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs
 mode transport
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-AES-MD5
 set isakmp-profile dmvpn-ccp-isakmprofile
!
crypto dynamic-map map 10
 set transform-set test
 reverse-route
!
crypto map i-map client authentication list acs
crypto map i-map isakmp authorization list acs
crypto map i-map client configuration address respond
crypto map i-map 10 ipsec-isakmp dynamic map
!
interface Tunnel10
 bandwidth 1000
 ip address 172.16.10.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 delay 1000
 shutdown
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface ATM0/1/0
 description DSL Interface
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
!
interface Dialer0
 no ip address
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname nama20004
 ppp chap password 0 220004
 ppp pap sent-username nama20004 password 0 220004
 crypto map i-map
!
ip local pool mypool 192.168.30.1 192.168.30.100
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip nat inside source list 171 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.32.0 255.255.255.0 172.16.10.32
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
access-list 171 deny   ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 171 deny   ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 171 deny   ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
access-list 171 deny   ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
access-list 171 permit ip any any
dialer-list 2 protocol ip permit
!
HQ#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
82.114.179.120  78.137.84.92    CONF_XAUTH        1486 ACTIVE
82.114.179.120  78.137.84.92    MM_NO_STATE       1483 ACTIVE (deleted)
82.114.179.120  78.137.84.92    MM_NO_STATE       1482 ACTIVE (deleted)
Branch sh run:
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key [email protected] / * / address 82.114.179.105
crypto isakmp key [email protected] / * / address 82.114.179.120
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs
 mode transport
crypto ipsec transform-set Taiz esp-aes esp-md5-hmac comp-lzs
 mode transport
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-AES-MD5
!
crypto ipsec profile Taiz-profile
 set transform-set Taiz
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.0.32 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map 172.16.0.1 82.114.179.105
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 172.16.0.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Dialer0
 tunnel destination 82.114.179.105
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Tunnel10
 bandwidth 1000
 ip address 172.16.10.32 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map 172.16.10.1 82.114.179.120
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 172.16.10.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Dialer0
 tunnel destination 82.114.179.120
 tunnel key 22334455
 tunnel protection ipsec profile Taiz-profile
!
interface Ethernet0
 no ip address
 shutdown
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
 description # CONNECT TO LAN #
 no ip address
!
interface FastEthernet1
 description # CONNECT TO LAN #
 no ip address
!
interface FastEthernet2
 description # CONNECT TO LAN #
 no ip address
!
interface FastEthernet3
 description # CONNECT TO LAN #
 no ip address
!
interface Vlan1
 description # LAN INTERFACE #
 no ip dhcp client hostname
 ip address 192.168.32.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname mohammadaa
 ppp chap password 0 123456
 ppp pap sent-username mohammadaa password 0 123456
!
ip forward-protocol nd
ip http server
ip http access-class 10
ip http authentication local
no ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.255.0 172.16.0.1
ip route 192.168.1.0 255.255.255.0 172.16.10.1
!
ip sla auto discovery
dialer-list 1 protocol ip permit
!
access-list 1 permit 192.168.32.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.0.255
!
Branch#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
82.114.179.120  78.137.84.92    MM_NO_STATE       2061 ACTIVE (deleted)
82.114.179.120  78.137.84.92    MM_NO_STATE       2060 ACTIVE (deleted)
Mohammed,
No probs, ensure safety.
The config you have has only one IKE profile, i.e. your DMVPN and ezvpn fall into the same basket.
What you need is a clean separation.
In the example you have
crypto isakmp profile VPNclient
 match identity group hw-client-groupname
 client authentication list userauthen
 isakmp authorization list hw-client-groupname
 client configuration address respond
which is then linked to:
crypto dynamic-map dynmap 10
 set isakmp-profile VPNclient
 reverse-route
 set transform-set strong
and separately a DMVPN IKE profile:
crypto isakmp profile DMVPN
 keyring dmvpnspokes
 match identity address 0.0.0.0
linked to your DMVPN IPsec profile:
crypto ipsec profile cisco
 set security-association lifetime seconds 120
 set transform-set strong
 set isakmp-profile DMVPN
You apply the same logic here and clean up your current config (i.e. move the features you have applied at the crypto map level to your new IKE profile).
M.
-
IPSEC packets are not encrypted
Hello (and Happy Thanksgiving in the USA),
We recently replaced our ASA and re-applied the saved configuration to the new device. There is a site-to-site VPN that works and a remote VPN client that does not work. We use some Cisco VPN clients and some Shrew Soft VPN clients. I compared the config of the new ASA to that of the old ASA and I can't find any differences (but the remote client VPN was working on the old ASA). Remote clients connect and a tunnel is created, but they are unable to pass traffic. Systems on the network behind the ASA are able to access the internet.
Output of sho crypto isakmp sa (ignore peer #1, that is the working site-to-site VPN):
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: xx.168.155.98
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: xx.211.206.48
Type : user Role : responder
Rekey : no State : AM_ACTIVE
Output of sho crypto ipsec sa (site-to-site VPN info deleted). Packets are decrypted but not encrypted.
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: public-ip
  local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
  remote ident (addr/mask/prot/port): (10.20.1.100/255.255.255.255/0/0)
  current_peer: xx.211.206.48, username: me
  dynamic allocated peer ip: 10.20.1.100
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
  #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  #send errors: 0, #recv errors: 0
  local crypto endpt.: public-ip/4500, remote crypto endpt.: xx.211.206.48/4500
  path mtu 1500, ipsec overhead 82, media mtu 1500
  current outbound spi: 7E0BF9B9
  current inbound spi : 41B75CCD
inbound esp sas:
  spi: 0x41B75CCD (1102535885)
    transform: esp-aes esp-sha-hmac no compression
    in use settings ={RA, Tunnel, NAT-T-Encaps, }
    slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
    sa timing: remaining key lifetime (sec): 28776
    IV size: 16 bytes
    replay detection support: Y
    Anti replay bitmap:
     0x00000000 0x00000001
  spi: 0xC06BF0DD (3228299485)
    transform: esp-aes esp-sha-hmac no compression
    in use settings ={RA, Tunnel, NAT-T-Encaps, Rekeyed}
    slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
    sa timing: remaining key lifetime (sec): 28774
    IV size: 16 bytes
    replay detection support: Y
    Anti replay bitmap:
     0x000003FF 0xFFF80001
outbound esp sas:
  spi: 0x7E0BF9B9 (2114714041)
    transform: esp-aes esp-sha-hmac no compression
    in use settings ={RA, Tunnel, NAT-T-Encaps, }
    slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
    sa timing: remaining key lifetime (sec): 28774
    IV size: 16 bytes
    replay detection support: Y
    Anti replay bitmap:
     0x00000000 0x00000001
  spi: 0xCBF945AC (3422111148)
    transform: esp-aes esp-sha-hmac no compression
    in use settings ={RA, Tunnel, NAT-T-Encaps, Rekeyed}
    slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
    sa timing: remaining key lifetime (sec): 28772
    IV size: 16 bytes
    replay detection support: Y
    Anti replay bitmap:
     0x00000000 0x00000001
ASA config:
: Saved
: Written by me at 19:56:37.957 PST Tuesday, November 26, 2013
!
ASA Version 8.2(4)
!
hostname mfw01
domain-name company.int
enable password xxx encrypted
passwd xxx encrypted
names
name xx.174.143.97 cox-gateway description cox Gateway
name 172.16.10.0 iscsi-network description iscsi network
name 192.168.1.0 legacy-network description legacy network
name 10.20.50.0 management-network description management network
name 10.20.10.0 server-network description server network
name 10.20.20.0 user-network description user network
name 192.168.1.101 private-em-imap description private-em-imap
name 10.20.10.2 private-Exchange description private-Exchange
name 10.20.10.3 private-ftp description private-ftp
name 192.168.1.202 private-ip-phones description private-ip-phones
name 10.20.10.6 private-kaseya description private-kaseya
name 192.168.1.2 private-mitel-3300 description private mitel 3300
name 10.20.10.1 private-pptp description private-pptp
name 10.20.10.7 private-sharepoint description private-sharepoint
name 10.20.10.4 private-tportal description private-tportal
name 10.20.10.8 private-xarios description private-xarios
name 192.168.1.215 private-xorcom description private-xorcom
name xx.174.143.99 public-Exchange description public-Exchange
name xx.174.143.100 public-ftp description public-ftp
name xx.174.143.101 public-tportal description public-tportal
name xx.174.143.102 public-sharepoint description public-sharepoint
name xx.174.143.103 public-ip-phones description public-ip-phones
name xx.174.143.104 public-mitel-3300 description public mitel 3300
name xx.174.143.105 public-xorcom description public-xorcom
name xx.174.143.108 public-remote-control-support description public-remote-control-support
name xx.174.143.109 public-xarios description public-xarios
name xx.174.143.110 public-kaseya description public-kaseya
name xx.174.143.111 public-pptp description public-pptp
name 192.168.2.0 Irvine_LAN description Irvine_LAN
name xx.174.143.98 public-ip
name 10.20.10.14 private-RevProxy description private-RevProxy
name xx.174.143.107 public-RevProxy description public-RevProxy
name 10.20.10.9 private-XenDesktop description private-XenDesktop
name xx.174.143.115 public-XenDesktop description public-XenDesktop
name 10.20.1.1 private-bridge description private-bridge
name 192.168.1.96 private-remote-control-support description private-remote-control-support
!
interface Ethernet0/0
 nameif public
 security-level 0
 ip address public-ip 255.255.255.224
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif private
 security-level 100
 ip address private-gateway 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.0.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name mills.int
object-group service ftp
 service-object tcp eq ftp
 service-object tcp eq ftp-data
object-group service DM_INLINE_SERVICE_1
 group-object ftp
 service-object udp eq tftp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 40
 port-object eq ssh
object-group service web-server
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_2
 service-object tcp eq smtp
 group-object web-server
object-group service DM_INLINE_SERVICE_3
 service-object tcp eq ssh
 group-object web-server
object-group service kaseya
 service-object tcp eq 4242
 service-object tcp eq 5721
 service-object tcp eq 8080
 service-object udp eq 5721
object-group service DM_INLINE_SERVICE_4
 group-object kaseya
 group-object web-server
object-group service DM_INLINE_SERVICE_5
 service-object gre
 service-object tcp eq pptp
object-group service VPN
 service-object gre
 service-object esp
 service-object ah
 service-object tcp eq pptp
 service-object udp eq 4500
 service-object udp eq isakmp
object-group network MILLS_VPN_VLANS
 network-object 10.20.1.0 255.255.255.0
 network-object server-network 255.255.255.0
 network-object user-network 255.255.255.0
 network-object management-network 255.255.255.0
 network-object legacy-network 255.255.255.0
object-group service InterTel5000
 service-object tcp range 3998 3999
 service-object tcp range 6800 6802
 service-object udp eq 20001
 service-object udp range 5004 5007
 service-object udp range 50098 50508
 service-object udp range 6604 7039
 service-object udp eq bootpc
 service-object udp eq tftp
 service-object tcp eq 4000
 service-object tcp eq 44000
 service-object tcp eq www
 service-object tcp eq https
 service-object tcp eq 5566
 service-object udp eq 5567
 service-object udp range 6004 6603
 service-object tcp eq 6880
object-group service DM_INLINE_SERVICE_6
 service-object icmp
 service-object tcp eq 2001
 service-object tcp eq 2004
 service-object tcp eq 2005
object-group service DM_INLINE_SERVICE_7
 service-object icmp
 group-object InterTel5000
object-group service DM_INLINE_SERVICE_8
 service-object icmp
 service-object tcp eq https
 service-object tcp eq ssh
object-group service RevProxy tcp
 description RevProxy
 port-object eq 5500
object-group service XenDesktop tcp
 description Xen
 port-object eq 8080
 port-object eq 2514
 port-object eq 2598
 port-object eq 27000
 port-object eq 7279
 port-object eq 8000
 port-object eq citrix-ica
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_8 any host public-ip
access-list public_access_in extended permit object-group VPN any host public-ip
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_7 any host public-ip-phones
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_1 any host public-ftp
access-list public_access_in extended permit tcp any host public-xorcom object-group DM_INLINE_TCP_1
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_2 any host public-Exchange
access-list public_access_in extended permit tcp any host public-RevProxy object-group RevProxy
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_3 any host public-remote-control-support
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_6 any host public-xarios
access-list public_access_in extended permit object-group web-server any host public-sharepoint
access-list public_access_in extended permit object-group web-server any host public-tportal
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_4 any host public-kaseya
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_5 any host public-pptp
access-list public_access_in extended permit ip any host public-XenDesktop
access-list private_access_in extended permit icmp any any
access-list private_access_in extended permit ip any any
access-list VPN_Users_SplitTunnelAcl standard permit server-network 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit user-network 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit management-network 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit 10.20.1.0 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit legacy-network 255.255.255.0
access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS Irvine_LAN 255.255.255.0
access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS 10.20.1.96 255.255.255.240
access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS 10.90.2.0 255.255.255.0
access-list public_1_cryptomap extended permit ip object-group MILLS_VPN_VLANS Irvine_LAN 255.255.255.0
access-list public_2_cryptomap extended permit ip object-group MILLS_VPN_VLANS 10.90.2.0 255.255.255.0
pager lines 24
logging enable
logging list error-events level warnings
logging monitor warnings
logging buffered warnings
logging trap warnings
logging asdm warnings
logging mail warnings
logging host private private-kaseya
logging permit-hostdown
logging class auth trap alerts
mtu public 1500
mtu private 1500
mtu management 1500
ip local pool VPN_Users 10.20.1.100-10.20.1.110 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (public) 101 interface
nat (private) 0 access-list private_nat0_outbound
nat (private) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
static (private,public) public-ip-phones private-ip-phones netmask 255.255.255.255 dns
static (private,public) public-ftp private-ftp netmask 255.255.255.255 dns
static (private,public) public-xorcom private-xorcom netmask 255.255.255.255 dns
static (private,public) public-Exchange private-Exchange netmask 255.255.255.255 dns
static (private,public) public-RevProxy private-RevProxy netmask 255.255.255.255 dns
static (private,public) public-remote-control-support private-remote-control-support netmask 255.255.255.255 dns
static (private,public) public-xarios private-xarios netmask 255.255.255.255 dns
static (private,public) public-sharepoint private-sharepoint netmask 255.255.255.255 dns
static (private,public) public-tportal private-tportal netmask 255.255.255.255 dns
static (private,public) public-kaseya private-kaseya netmask 255.255.255.255 dns
static (private,public) public-pptp private-pptp netmask 255.255.255.255 dns
static (private,public) public-XenDesktop private-XenDesktop netmask 255.255.255.255 dns
access-group public_access_in in interface public
access-group private_access_in in interface private
route public 0.0.0.0 0.0.0.0 cox-gateway 1
route private server-network 255.255.255.0 10.20.1.254 1
route private user-network 255.255.255.0 10.20.1.254 1
route private management-network 255.255.255.0 10.20.1.254 1
route private iscsi-network 255.255.255.0 10.20.1.254 1
route private legacy-network 255.255.255.0 10.20.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map Admin-control
  map-name  comment Privilege-Level
ldap attribute-map allow-dialin
  map-name  msNPAllowDialin IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE IPSecUsers
ldap attribute-map Mills-VPN_Users
  map-name  msNPAllowDialin IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE IPSecUsers
ldap attribute-map network-admins
  map-name  memberOf IETF-Radius-Service-Type
  map-value memberOf FALSE NOACCESS
  map-value memberOf "Network Admins" 6
dynamic-access-policy-record DfltAccessPolicy
aaa-server Mills protocol nt
aaa-server Mills (private) host private-pptp
 nt-auth-domain-controller auth-ms01.mills.int
aaa-server Mills_NetAdmin protocol ldap
aaa-server Mills_NetAdmin (private) host private-pptp
 server-port 389
 ldap-base-dn ou=San Diego,dc=mills,dc=int
 ldap-group-base-dn ou=San Diego,dc=mills,dc=int
 ldap-scope subtree
 ldap-naming-attribute cn
 ldap-login-password *
 ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int
 server-type microsoft
 ldap-attribute-map Mills-VPN_Users
aaa-server NetworkAdmins protocol ldap
aaa-server NetworkAdmins (private) host private-pptp
 ldap-base-dn ou=San Diego,dc=mills,dc=int
 ldap-group-base-dn ou=San Diego,dc=mills,dc=int
 ldap-scope subtree
 ldap-naming-attribute cn
 ldap-login-password *
 ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int
 server-type microsoft
 ldap-attribute-map network-admins
aaa-server ADVPNUsers protocol ldap
aaa-server ADVPNUsers (private) host private-pptp
 ldap-base-dn ou=San Diego,dc=mills,dc=int
 ldap-group-base-dn ou=San Diego,dc=mills,dc=int
 ldap-scope subtree
 ldap-naming-attribute cn
 ldap-login-password *
 ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int
 server-type microsoft
 ldap-attribute-map Mills-VPN_Users
aaa authentication enable console ADVPNUsers LOCAL
aaa authentication http console ADVPNUsers LOCAL
aaa authentication serial console ADVPNUsers LOCAL
aaa authentication telnet console ADVPNUsers LOCAL
aaa authentication ssh console ADVPNUsers LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 public
http 0.0.0.0 0.0.0.0 private
snmp-server host private private-kaseya community * version 2c
snmp-server location Mills San Diego
snmp-server contact Mills Help
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp private
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map public_map 1 match address public_1_cryptomap
crypto map public_map 1 set pfs
crypto map public_map 1 set peer xx.168.155.98
crypto map public_map 1 set transform-set ESP-3DES-MD5 ESP-AES-128-SHA
crypto map public_map 1 set nat-t-disable
crypto map public_map 1 set phase1-mode aggressive
crypto map public_map 2 match address public_2_cryptomap
crypto map public_map 2 set pfs group5
crypto map public_map 2 set peer xx.181.134.141
crypto map public_map 2 set transform-set ESP-AES-128-SHA
crypto map public_map 2 set nat-t-disable
crypto map public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map public_map interface public
crypto isakmp enable public
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 28800
telnet 0.0.0.0 0.0.0.0 private
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 public
ssh 0.0.0.0 0.0.0.0 private
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.2-192.168.0.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 216.129.110.22 source public
ntp server 173.244.211.10 source public
ntp server 24.124.0.251 source public prefer
webvpn
 enable public
 svc enable
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol svc
group-policy IPSecUsers internal
group-policy IPSecUsers attributes
 wins-server value 10.20.10.1
 dns-server value 10.20.10.1
 vpn-tunnel-protocol IPSec
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_Users_SplitTunnelAcl
 default-domain value mills.int
 address-pools value VPN_Users
group-policy Irvine internal
group-policy Irvine attributes
 vpn-tunnel-protocol IPSec
username admin password Kra9/kXfLDwlSxis encrypted
tunnel-group VPNUsers type remote-access
tunnel-group VPNUsers general-attributes
 address-pool VPN_Users
 authentication-server-group Mills_NetAdmin
 default-group-policy IPSecUsers
tunnel-group VPNUsers ipsec-attributes
 pre-shared-key *
tunnel-group xx.189.99.114 type ipsec-l2l
tunnel-group xx.189.99.114 general-attributes
 default-group-policy Irvine
tunnel-group xx.189.99.114 ipsec-attributes
 pre-shared-key *
tunnel-group xx.205.23.76 type ipsec-l2l
tunnel-group xx.205.23.76 general-attributes
 default-group-policy Irvine
tunnel-group xx.205.23.76 ipsec-attributes
 pre-shared-key *
tunnel-group xx.168.155.98 type ipsec-l2l
tunnel-group xx.168.155.98 general-attributes
 default-group-policy Irvine
tunnel-group xx.168.155.98 ipsec-attributes
 pre-shared-key *
!
class-map Global-class
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class Global-class
  inspect dns preset_dns_map
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command processor
privilege show level 3 mode exec command shell
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-host
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5d5c963680401d150bee94b3c7c85f7a
Maybe my eyes have glazed over from looking at it for too long. Does something look wrong? Maybe I missed a command that would not show up in the config?
Thanks in advance to those who take a glance.
We can see that the echo request is sent but there is no echo reply. This looks like a routing problem between the ASA and the host you are trying to ping. Check the routing so that traffic to the 10.20.1.0 network is routed to the ASA. If there is no other routing device, make sure that the default gateway is correct on the host you are trying to reach.
If you are trying to ping a Windows machine, make sure that the Windows firewall is disabled or allows ICMP.
--
Please do not forget to rate and choose a correct answer
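The counter pattern in the output above (20 packets decrypted, 0 encrypted) is the signature of traffic that arrives over the tunnel but whose replies never reach the crypto map, which is exactly the routing or host-side problem the answer points at. As an added example that is not part of the thread, the following script parses that section of `show crypto ipsec sa` and turns the encaps/decaps counters into a diagnosis; the sample text is constructed from the excerpt above with placeholder addresses, and the function names are this example's own.

```python
import re

# Constructed sample modelled on the `show crypto ipsec sa` excerpt posted in
# the thread: the packet counters are the ones shown there, the addresses are
# documentation placeholders rather than the poster's.
SAMPLE_SA = """\
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 203.0.113.2

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.1.100/255.255.255.255/0/0)
      current_peer: 198.51.100.48, username: me
      dynamic allocated peer ip: 10.20.1.100

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
      #send errors: 0, #recv errors: 0
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|verify|digest): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors: (\d+)")


def parse_sa(text):
    """Extract identities and packet counters from one SA block of the output."""
    sa = {"local": None, "remote": None}
    for side, addr, mask in IDENT_RE.findall(text):
        sa[side] = f"{addr}/{mask}"
    for name, value in COUNTER_RE.findall(text):
        sa[name] = int(value)
    for name, value in ERROR_RE.findall(text):
        sa[f"{name}_errors"] = int(value)
    return sa


def diagnose(sa):
    """Classify the traffic pattern of an SA from its counters.

    Returns (status, explanation). The case relevant to the thread is
    ONE_WAY_INBOUND: the firewall decrypts what the client sends, but nothing
    is ever encrypted towards the client, so reply packets never reach the
    crypto map (typically a routing or NAT-exemption problem on the inside,
    or a host that never answers).
    """
    encaps = sa.get("encaps", 0)
    decaps = sa.get("decaps", 0)
    if sa.get("send_errors", 0) or sa.get("recv_errors", 0):
        return "ERRORS", "send/recv errors on the SA, check MTU and SA state first"
    if decaps and not encaps:
        return "ONE_WAY_INBOUND", (
            f"decrypted {decaps} pkts from {sa['remote']} but encrypted 0 back: "
            "return traffic never hits the crypto map (routing / nat 0 / host firewall)"
        )
    if encaps and not decaps:
        return "ONE_WAY_OUTBOUND", "encrypting but nothing decrypted: check the far side"
    if not encaps and not decaps:
        return "IDLE", "SA is up but has carried no traffic"
    return "BIDIRECTIONAL", f"{encaps} out / {decaps} in"


if __name__ == "__main__":
    status, why = diagnose(parse_sa(SAMPLE_SA))
    print(status, "-", why)
```

Run it against a saved `show crypto ipsec sa` capture, one SA block at a time; on a healthy remote-access SA both counters climb together, and a persistent ONE_WAY_INBOUND result narrows the search to the inside path rather than the crypto configuration.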
-
Classic DMVPN over IPsec: force ESP over UDP/4500?
Hi, we have a classic DMVPN setup with a central hub router and spokes, all IOS routers.
One of the remote sites has a nasty ISP that filters GRE and ESP (I think they filter everything except TCP, UDP and ICMP).
Is it possible to force the spoke to use UDP/4500 instead of ESP?
Any suggestions? The spoke's IP is dynamic and changes over time.
The router should already have NAT-T enabled by default, but if it is disabled, you can configure the following:
crypto ipsec nat-transparency udp-encapsulation
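What the ISP's filter sees once NAT-T encapsulation is in use is a UDP datagram to port 4500 whose payload is one of three things defined in RFC 3948: a one-byte NAT keepalive, an IKE message behind a four-byte zero "non-ESP marker", or an ESP packet with its SPI and sequence number in the clear. As an added example that is not part of the thread, the classifier below tells the three apart, which is how a capture on the spoke's WAN interface can confirm that traffic really is leaving as UDP/4500 rather than raw ESP (IP protocol 50). One caveat worth knowing when relying on this: RFC 3947 NAT-T is negotiated during IKE and the peers switch to UDP encapsulation when they detect a NAT between them, so a path that merely filters ESP without NAT does not by itself trigger it. The sample payloads are constructed; the SPI value reused in the test is the one printed in the earlier ASA output.

```python
import struct

# RFC 3948 section 2: on UDP/4500 the first bytes tell the payload kinds apart.
NAT_KEEPALIVE = b"\xff"                # one byte, keeps the NAT mapping alive
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # IKE on port 4500 is prefixed with 4 zero bytes
IKE_HDR = struct.Struct("!8s8sBBBBII")  # SPIi SPIr next version exch flags msgid length

# Exchange types we name (RFC 2408 for IKEv1, RFC 7296 for IKEv2).
EXCHANGE_TYPES = {
    2: "IKEv1 main mode", 4: "IKEv1 aggressive mode", 32: "IKEv1 quick mode",
    34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH",
}


def classify_udp4500(payload: bytes) -> dict:
    """Classify one UDP/4500 datagram payload: keepalive, IKE, ESP or malformed."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        # An ESP SPI is never zero, so a zero first word can only be the IKE marker.
        if len(payload) < 4 + IKE_HDR.size:
            return {"kind": "malformed"}
        _spi_i, _spi_r, _nxt, version, exch, _flags, _msg_id, length = IKE_HDR.unpack(
            payload[4:4 + IKE_HDR.size])
        return {"kind": "ike", "major_version": version >> 4,
                "exchange": EXCHANGE_TYPES.get(exch, f"type {exch}"),
                "declared_len": length}
    if len(payload) >= 8:
        # ESP header is sent in the clear: SPI selects the SA, seq feeds anti-replay.
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq, "encrypted_len": len(payload) - 8}
    return {"kind": "malformed"}


def build_esp_in_udp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Constructed ESP-in-UDP payload: plain ESP header followed by an opaque body."""
    return struct.pack("!II", spi, seq) + ciphertext


def build_ike_in_udp(exchange_type: int, version_byte: int = 0x10) -> bytes:
    """Constructed IKE header behind the non-ESP marker (payload body omitted)."""
    hdr = IKE_HDR.pack(b"\x01" * 8, b"\x00" * 8, 0, version_byte, exchange_type, 0, 0,
                       IKE_HDR.size)
    return NON_ESP_MARKER + hdr


if __name__ == "__main__":
    for sample in (NAT_KEEPALIVE, build_ike_in_udp(4),
                   build_esp_in_udp(0x7E0BF9B9, 1, b"\x00" * 32)):
        print(classify_udp4500(sample))
```

To use it on real traffic, feed it the UDP payload of each port-4500 packet from a capture; a filter that only passes TCP, UDP and ICMP will let all three kinds through, whereas raw ESP never appears on a UDP port at all.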
-
Hello
We are starting to replace all of our ISA Servers with Cisco DMVPN routers. So far we are happy with everything, but I ran into a problem. I've just set up one of our branches and the DMVPN works very well, but this location also has a VPN tunnel to another branch that we have not replaced with Cisco equipment yet. The problem I have is that as soon as I apply an IPsec site-to-site VPN on the router, the DMVPN drops.
I create the IPsec VPN:
crypto map VPN_Crypto 1 ipsec-isakmp
 set transform-set ESP-3DES-SHA
 set peer aa.aa.aa.aa
 match address 103 (where the ACL permits the local IP subnet to the remote IP subnet)
and everything works fine. As soon as I do the following:
interface GigabitEthernet0/1
 crypto map VPN_Crypto
the DMVPN drops. If I connect and run:
interface GigabitEthernet0/1
 no crypto map
the DMVPN comes up immediately.
What could I be doing wrong? Here is the config for the Tunnel0 DMVPN tunnel:
interface Tunnel0
 bandwidth 1000
 ip address 192.168.10.31 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast xx.xx.xx.xx
 ip nhrp map 192.168.10.10 xx.xx.xx.xx
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 192.168.10.10
 zone-member security dmvpn-zone
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile1
If you need anything else from the config to help, just let me know. On our main site router I had no problem with it being the DMVPN hub and also having a handful of IPsec VPNs set up on it. I would appreciate any help; I really need to get both of these tunnels running simultaneously as soon as possible.
Yes, but I don't see anything that looks strange (well, configs generated by CCP always look strange...).
Maybe you are running into a bug. Have you tried a different IOS? Personally I wouldn't use 15.2 if I didn't have to. You could try 15.0(1)M8 and see if it works.
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni -
SA520 and RVS4000 IPSec VPN question
Hello
I installed an IPsec VPN for one of my friends for his company. At his main office I installed a Cisco SA520, and he uses it to connect devices such as the iPhone and iPad via the IPsec VPN. He uses this because he travels abroad a lot and has problems with services such as Skype being blocked in some countries. This configuration works very well.
He also has a Cisco RVS4000, which he would like to install at his place of business in Mexico. He would like the RVS4000 to build a VPN to the SA520 in his office. The SA520 in his office has a static IP address. The RVS4000 in Mexico does not.
Is it possible to set up an IPsec VPN between an SA520 with a static IP address and an RVS4000 that does not have a static IP address? If so, configuration examples would be greatly appreciated.
Thank you!
Hi William, simply sign up for a DynDNS account or similar service; the RVS4000 configuration will be the same, except that instead of the IP you would use the DynDNS name.
-Tom
Please mark replied messages useful -
Hello
I have deployed a DMVPN with a dual-hub topology and several spokes. After configuring the spokes and the hubs, I rebooted one hub to check whether it would still work after the reboot, but I noticed that after the reboot the tunnel on the hub did not come up; the only way to bring the tunnel up was to clear the DMVPN static session on the spokes. During this time the hub kept giving the message:
ISAKMP: ignoring the request to send delete notify (no ISAKMP security association) src 213.10.10.10 dst 213.58.10.10.14 for SPI 0xC15C587F
IOS:12.4.11 T 1
2821
2811
Can someone help me.
Thank you
Hello
Please make sure you have ISAKMP keepalive on the hubs and spokes, and once configured, please test again and see if it improves. What is probably happening is that when the hub is restarted, the spoke does not clear the tunnel and relies on the SAs timing out. When we delete the SAs on the spoke, the problem goes away. Configuring ISAKMP keepalive should work around this problem.
HTH,
Please rate if this can help.
Kind regards
Kamal
-
basic IPSec GRE configuration question
The test config below has been entered on R1 (the left-most router). R4 has a similar config with the IP addresses inverted. R1 is able to ping R4's loopback at present.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 120
crypto isakmp key cisco address 203.115.34.4
!
!
crypto ipsec transform-set MY_TRANSFORM ah-sha-hmac esp-aes
!
crypto map MY_MAP 10 ipsec-isakmp
 set peer 203.115.34.4
 set transform-set MY_TRANSFORM
 match address 100
!
!
!
!
interface Loopback0
 ip address 192.168.10.1 255.255.255.255
!
interface Tunnel0
 ip address 192.168.14.1 255.255.255.0
 tunnel source Serial1/2
 tunnel destination 203.115.34.4
 crypto map MY_MAP
!
interface Serial1/2
 ip address 203.115.12.1 255.255.255.0
 serial restart-delay 0
!
!
router eigrp 100
 network 192.168.0.0 0.0.255.255
 auto-summary
!
router ospf 100
 router-id 1.1.1.1
 log-adjacency-changes
 network 203.115.0.0 0.0.255.255 area 0
!
access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 log
!
!
I see that Cisco sample configurations include an access-list entry as follows...
access-list 100 permit gre host 203.115.12.1 host 203.115.34.4
I understand the purpose of the ACL above in relation to the test configuration that I posted here.
Let me explain.
LAN - router - WAN - router - LAN
Communication between the two LANs can be over a GRE tunnel, an IPsec tunnel, or an IPsec/GRE tunnel.
If you simply want to pass unicast IP traffic between them, IPsec is recommended because it will encrypt the traffic.
If you need non-unicast or non-IP traffic to pass through, then you can create a GRE tunnel.
If you want IPsec encryption for the GRE tunnel, then configure IPsec/GRE.
The ACL you mention will not work because the GRE traffic exists only between the tunnel endpoints.
The traffic that flows between the LANs is IP traffic (not GRE traffic), so a permit-GRE ACL will not match it.
Hope this helps.
Federico.
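The point above comes down to where the crypto ACL is evaluated: on the tunnel interface it sees the inner LAN-to-LAN IP packet, on the physical WAN interface it sees the outer GRE packet between the two tunnel endpoints, and the same flow therefore matches a different ACL at each place. As an added example that is not part of the thread, the small IOS-style ACL evaluator below takes the two ACL lines from the posts (wildcard masks and `host`/`any` keywords included) and shows which one matches the flow at each interface. The packets are constructed: the inner destination 192.168.40.1 is a made-up address on R4's LAN, and the function names are this example's own.

```python
import ipaddress
import re

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")

# The two ACL lines discussed in the thread.
INNER_ACL = ["access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 log"]
GRE_ACL = ["access-list 100 permit gre host 203.115.12.1 host 203.115.34.4"]

# Constructed view of one LAN-to-LAN flow at the two interfaces of R1.
AT_TUNNEL0 = {"proto": "ip", "src": "192.168.10.1", "dst": "192.168.40.1"}  # inner packet
AT_SERIAL = {"proto": "gre", "src": "203.115.12.1", "dst": "203.115.34.4"}  # outer GRE packet


def _to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def _parse_spec(tokens):
    """Consume one IOS address spec: 'any' | 'host A.B.C.D' | 'NET WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, 0xFFFFFFFF)
    if tok == "host":
        return (_to_int(tokens.pop(0)), 0)
    return (_to_int(tok), _to_int(tokens.pop(0)))


def parse_acl(lines):
    """Parse extended ACL lines into (name, action, proto, (src, wc), (dst, wc)) tuples."""
    entries = []
    for line in lines:
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, action, proto, rest = m.groups()
        tokens = rest.split()         # trailing keywords such as 'log' are left unconsumed
        src = _parse_spec(tokens)
        dst = _parse_spec(tokens)
        entries.append((name, action, proto, src, dst))
    return entries


def _wc_match(addr: int, net: int, wildcard: int) -> bool:
    # Wildcard bit 1 means "don't care": only bits where the wildcard is 0 must be equal.
    return ((addr ^ net) & ~wildcard & 0xFFFFFFFF) == 0


def acl_decision(entries, packet):
    """First-match evaluation; returns 'permit', 'deny' or 'implicit-deny'."""
    for _name, action, proto, (snet, swc), (dnet, dwc) in entries:
        if proto not in ("ip", packet["proto"]):   # 'ip' covers every IP protocol
            continue
        if _wc_match(_to_int(packet["src"]), snet, swc) and \
           _wc_match(_to_int(packet["dst"]), dnet, dwc):
            return action
    return "implicit-deny"


def where_each_acl_matches():
    """Map (acl, interface) to the decision, for the flow above."""
    return {
        ("inner-ip-acl", "Tunnel0"): acl_decision(parse_acl(INNER_ACL), AT_TUNNEL0),
        ("inner-ip-acl", "Serial1/2"): acl_decision(parse_acl(INNER_ACL), AT_SERIAL),
        ("gre-acl", "Tunnel0"): acl_decision(parse_acl(GRE_ACL), AT_TUNNEL0),
        ("gre-acl", "Serial1/2"): acl_decision(parse_acl(GRE_ACL), AT_SERIAL),
    }


if __name__ == "__main__":
    for key, verdict in where_each_acl_matches().items():
        print(key, "->", verdict)
```

The result is the table Federico describes in words: the `permit ip 192.168.0.0 ...` ACL only sees a match on Tunnel0, the `permit gre host ... host ...` ACL only on Serial1/2, so the ACL has to be written for the interface the crypto map is attached to.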
-
Noob question on a component package
I found a gauge component I want to use but cannot make it work. It's a bunch of ActionScript that I imported with a CFC file, and the IDE recognizes the name when I try to work with it. The error I get is "could not resolve <local:LightGauge> to an implementation of the component".
I got the code from the site http://www.betterthanflex.com/?p=9
Thanks for the tips!
I just deleted the files in the src folder and typed in the code from the previous message
-
IPsec and packet loss: question
Hello, hopefully a simple question :-)
Can someone tell me what happens when an IPsec packet is lost?
Is it resent?
Or are just the TCP packets inside the IPsec tunnel resent?
I hope someone can help!
Background: VoIP.
We have home office users.
Some have terrible voice quality and some have perfect quality, even though they all use the same hardware and configuration (different user names/passwords and IP addresses, of course).
Fraser
There isn't anything in IPsec that would retransmit a lost packet. It is the native protocol and the end stations that communicate in order to determine if there is packet loss and whether or not to retransmit.
If I understand your comment correctly that you are dealing with individual users doing VoIP, then beyond the things you mention that are different (user name, password and addresses), you are almost certainly dealing with various different service providers / Internet connectivity. It would be interesting to do an extended ping with a large number of ping packets to a user who experiences problems and to one who does not. I suspect that you will see a significant difference in packet loss.
HTH
Rick