EIGRP plain IPsec tunnel?
Hi all
I was always under the impression that plain IPsec pass through the tunnel unicast IP traffic.
When I need pass non-unicast or non - IP traffic, I created an IPsec with GRE or VTI.
But I am currently on the customer site where all EIGRP routes are exchanged between sites that communicate through a single tunnel ordinary IPsec.
I have added/changed/deleted routes on both sides, and the changes are reflected on the routing of the other table.
The neighbors are not statically configured on the router, configuring EIGRP is simply 'no Auto-resume', then 'network 172.16.0.0'
My question is...
How is it all EIGRP traffic is going through the tunnel without any problem?
Both are 2811 s 12.4 (18) running
Thanks for any help!
Federico.
Federico
Indeed, I believe that this is the case. It is quite clear according to the additional information that you have posted that these two routers are connected directly (in this case connected via FastEthernet) and connection interfaces running EIGRP, so that the EIGRP Hellos are sent the FastEthernet interfaces. The access list has failed for EIGRP, so there is no effort to encrypt the Hellos and they are sent in the clear. If routers become neighbors and EIGRP updates are sent through the FastEthernet interfaces. Data destinations that are learned traffic is sent on the FastEthernet interfaces, and when data traffic matches access list it is encrypted by IPSec.
HTH
Rick
Tags: Cisco Security
Similar Questions
-
Traffic is failed on plain IPSec tunnel between two 892 s
Have a weird case and you are looking for some suggestions/thougs where to dig because I have exhausted the options.
Note: I replaced the Networkid real to a mentined below.
Topology: a classic IPSec VPN tunnel between two 892 s of Cisco, with pre-shared key and no GRE. A 892 (branch_892) has access to the Internet using PPPoE and has three network / VLAN behind it. A VLAN is coordinated to the PPPoE internet access. Access to the other two VLAN - VL92 (100.100.200.0/24) and VL93 (100.100.100.0/24) is performed via the VPN tunnel.
Second 892 (892_DC) has just one interface - WAN on Gigabit enabled/connected and a static route to the default GW. It doesn't have any defined interal network. If the router is strictly used to send traffic to VL92/VL93 to the domestic 892 via IPSec tunnel.
Here's the problem: access to VL93 (100.100.100.0/24) works, however for VL92 (100.100.100.0/24) - does not work.
Devices in VL92 I ping IP address of 892_DC through the VPN tunnel. The 892_DC router I can ping devices in VL92. However, I can't VL92 ping any device beyond the 892_DC and at the same time the packets arriving on 892_DC for VL92 are not sent through the VPN tunnel.
I took the package trace on 892_DC using capture point/buffer to nathalie caron to VL92 packages and saw that the traffic coming to the 892_DC. I run the nathalie caron even on Branch_892, and there was not a single package.
So... What's the problem? More interesting, I modified the way left on VL92 access list and still - no packets are sent through the tunnel.
Any idea? Two routers config are below
-------
892_DC #show ru
!
crypto ISAKMP policy 10
BA aes 256
hash sha256
preshared authentication
Group 2
isakmp encryption key * address 1.2.3.4
ISAKMP crypto keepalive 10 periodicals
!
address of 1.2.3.4 crypto isakmp peers
Description of-COIL-892
!
!
Crypto ipsec transform-set IT-IPSec-Transform-Set esp - aes 256 sha256-esp-hmac
Crypto ipsec df - bit clear
!
map IT ipsec - IPSec crypto - Crypto - map 10-isakmp
defined peer 1.2.3.4
disable the kilobytes of life together - the security association
86400 seconds, life of security association set
the transform-set IT-IPSec-Transform-Set value
match a lists 101
market arriere-route
QoS before filing
!
interface GigabitEthernet0
IP 10,20,30,40 255.255.255.240
IP 1400 MTU
IP tcp adjust-mss 1360
automatic duplex
automatic speed
card crypto IT-IPSec-Crypto-map
!
IP route 0.0.0.0 0.0.0.0 10.20.30.41
!
access list 101 ip allow any 100.100.100.0 0.0.0.255 connect
access list 101 ip allow any 100.100.200.0 0.0.0.255 connect
-------------------------------------------------------------------------------------
Branch_892 #sh run
!
crypto ISAKMP policy 10
BA aes 256
hash sha256
preshared authentication
Group 2
isakmp encryption key * address 10,20,30,40
ISAKMP crypto keepalive 10 periodicals
!
address peer isakmp crypto 10,20,30,40
!
!
Crypto ipsec transform-set IT-IPSec-Transform-Set esp - aes 256 sha256-esp-hmac
Crypto ipsec df - bit clear
!
map IT ipsec - IPSec crypto - Crypto - map 10-isakmp
defined peer 10,20,30,40
disable the kilobytes of life together - the security association
86400 seconds, life of security association set
the transform-set IT-IPSec-Transform-Set value
match address 101
market arriere-route
QoS before filing
!
FastEthernet6 interface
Description VL92
switchport access vlan 92
!
interface FastEthernet7
Description VL93
switchport access vlan 93
!
interface GigabitEthernet0
Description # to WAN #.
no ip address
automatic duplex
automatic speed
PPPoE-client dial-pool-number 1
!
interface Vlan1
Description # local to #.
IP 192.168.1.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
interface Vlan92
Description fa6-nexus e100/0/40
IP 100.100.200.1 255.255.255.0
!
interface Vlan93
Description fa7-nexus e100/0/38
IP 100.100.100.1 255.255.255.0
!
interface Dialer0
no ip address
No cdp enable
!
interface Dialer1
IP 1.2.3.4 255.255.255.248
IP mtu 1454
NAT outside IP
IP virtual-reassembly in max-pumping 256
encapsulation ppp
IP tcp adjust-mss 1414
Dialer pool 1
Dialer-Group 1
Authentication callin PPP chap Protocol
PPP chap hostname ~ ~ ~
PPP chap password =.
No cdp enable
card crypto IT-IPSec-Crypto-map
!
Dialer-list 1 ip protocol allow
!
access-list 101 permit ip 100.100.100.0 0.0.0.255 any
access-list 101 permit ip 100.100.200.0 0.0.0.255 any
!
IP route 0.0.0.0 0.0.0.0 Dialer1
Yes correct sounds - so another possible problem is the routing is routing 100% correct on both sides? Can you put the two sides config for review?
-
EIGRP via IPSec site to site VPN
having trouble getting to work through an IOS EIGRP (2ea. 2811 s) connection of the site to site VPN IPSec peer. IPSec VPN works with route directions static tunnel. By using the IPSec policy basis and VTI interface:
crypto ISAKMP policy 1
preshared authentication
Group 2
ISAKMP crypto key "" address 192.168.x.66
!
Crypto ipsec transform-set esp-3des esp-sha-hmac vpn
Crypto ipsec df - game
!
static-crypt 6 map ipsec-isakmp crypto
the value of 192.168.x.66 peer
Set transform-set vpn
match address 101
!
tunnel1 interface
IP address 1xx.33.20.226 255.255.255.252
no ip redirection
IP 1400 MTU
IP tcp adjust-mss 1360
QoS before filing
source of tunnel FastEthernet 0/0
destination 192.168.x.66 tunnel
crypto static crypto map
!
interface FastEthernet 0/0
Add an IP...
crypto static crypto map
!
Router eigrp 10
passive-interface default
no passive-interface FastEthernet 0/1
no passive-interface Tunnel1
network...
network...
No Auto-resume
!
IP route 0.0.0.0 0.0.0.0 Tunnel1
IP route 0.0.0.0 0.0.0.0 146.33.20.225<-- peer's="" default-gateway="" is="" vpn="" peer="" router="" on="" other="" side="" of="" satelite="">-->
must be something simple, but I can't.
Thank you, kevin
Unfamiliar with the VTI, but I think you are missing:
ipv4 ipsec tunnel mode
Profile of tunnel ipsec protection
Also don't think that you need crypto card in the tunnel because it is already on fa0/0. What looks like the access-list 101? Take a look at this doc:
http://www.ciscosystems.com/en/us/docs/iOS/12_3t/12_3t14/feature/guide/gtIPSctm.html
-
GRE over IPSec tunnel cannot pass traffic through it
I am trying to configure a GRE over IPSec tunnel between sites, we use the router cisco 7613 SUP720 (IOS: s72033-advipservicesk9_wan - mz.122 - 18.SXF15a.bin) and 3845 router (IOS:c3845 - advsecurityk9 - mz.124 - 25c.bin), we are facing problems when we use the tunnel because traffic is not passing through it. the configuration was working when we were using two routers cisco 3845 (IOS:c3845 - advsecurityk9 - mz.124 - 25c.bin), but for some reason, it doesn't work anymore when I paste the configuration on the new 7613 router.
Head office
crypto ISAKMP policy 10
BA aes
preshared authentication
Group 5
ISAKMP crypto key T3ST001 address 0.0.0.0 0.0.0.0
!
!
Crypto ipsec transform-set IPSec_PLC aes - esp esp-sha-hmac
transport mode
!
map PLC - CUM 10 ipsec-isakmp crypto
defined by peer 167.134.216.89
game of transformation-IPSec_PLC
match address 100
!
!
!
Tunnel1 interface
bandwidth 1984
IP 167.134.216.94 255.255.255.252
Mtu 1476 IP
load-interval 30
source of tunnel Serial0/1/0:0
tunnel destination 167.134.216.89interface Serial0/1/0:0
IP 167.134.216.90 255.255.255.252
card crypto PLC - CUMaccess-list 100 permit gre 167.134.216.90 host 167.134.216.8
Router eigrp 100
network 167.134.216.92 0.0.0.3Directorate-General of the
crypto ISAKMP policy 10
BA aes
preshared authentication
Group 5
ISAKMP crypto key T3ST001 address 0.0.0.0 0.0.0.0
!
!
Crypto ipsec transform-set IPSec_PLC aes - esp esp-sha-hmac
transport mode
!
map PLC - CUM 10 ipsec-isakmp crypto
defined by peer 167.134.216.90
game of transformation-IPSec_PLC
match address 100Tunnel1 interface
bandwidth 1984
IP 167.134.216.93 255.255.255.252
Mtu 1476 IP
load-interval 30
source of tunnel Serial1/0/0:1
tunnel destination 167.134.216.90interface Serial1/0/0:1
bandwidth 1984
IP 167.134.216.89 255.255.255.252
IP access-group 101 in
load-interval 30
no fair queue
card crypto PLC - CUMaccess-list 100 permit gre 167.134.216.89 host 167.134.216.90
ER-7600 #sh crypto isakmp his
conn-id State DST CBC slot
167.134.216.89 167.134.216.90 QM_IDLE 3 0ER-3845 #sh crypto isakmp his
status of DST CBC State conn-id slot
167.134.216.89 167.134.216.90 QM_IDLE 3 0 ACTIVEER-3845 #sh active cryptographic engine connections
Algorithm of address State IP Interface ID encrypt decrypt
3 Serial0/1/0: 167.134.216.90 0 HMAC_SHA + AES_CBC 0 0 value
3001 Serial0/1/0: 167.134.216.90 0 set AES + SHA 0 0
3002 Serial0/1/0: 167.134.216.90 0 set AES + SHA 61 0ER-7600 #sh active cryptographic engine connections
Algorithm of address State IP Interface ID encrypt decrypt
3 Serial1/0/0:1 167.134.216.89 set HMAC_SHA + AES_CBC 0 0
2000 Serial1/0/0:1 167.134.216.89 set HMAC_SHA + 0 66 AES_CBC
2001 Serial1/0/0:1 167.134.216.89 set HMAC_SHA + AES_CBC 0 0I had this error on the er-3845: % CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd package not an IPSEC packet and this one on the IPSEC (epa_des_crypt) UH-7600: decrypted packet has no control of his identity
Please help, it's so frustrating...
Thanks in advance
Oscar
Here is a document from cisco, mentioning clearly for a card encryption on the two physical as tunnel interface well.
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008009438e.shtml
It may be useful
Manish
-
ASA 8.6 - l2l IPsec tunnel established - not possible to ping
Hello world
I have a problem of configuration of the CISCO ASA 5512-x (IOS 8.6).
The IPsec tunnel is created between ASA and an another non-CISCO router (hereinafter "router"). I can send packets ping from router to ASA, but ASA is NOT able to meet these demands. Sending requests of ASA is also NOT possible.
I'm trying to interconnect with the network 192.168.2.0/24 (CISCO, interface DMZ) premises and 192.168.3.0/24 (router).
The CISCO ASA has a static public IP address. The router has a dynamic IP address, so I use the dynamic-map option...
Here is the output of "show run":
---------------------------------------------------------------------------------------------------------------------------------------------
ASA 1.0000 Version 2
!
ciscoasa hostname
activate oBGOJTSctBcCGoTh encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface GigabitEthernet0/0
nameif outside
security-level 0
address IP X.X.X.X 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
the IP 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
IP 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
management only
!
passive FTP mode
internal subnet object-
192.168.0.0 subnet 255.255.255.0
object Web Server external network-ip
host Y.Y.Y.Y
Network Web server object
Home 192.168.2.100
network vpn-local object - 192.168.2.0
Subnet 192.168.2.0 255.255.255.0
network vpn-remote object - 192.168.3.0
subnet 192.168.3.0 255.255.255.0
outside_acl list extended access permit tcp any object Web server
outside_acl list extended access permit tcp any object webserver eq www
access-list l2l-extensive list allowed ip, vpn-local - 192.168.2.0 vpn-remote object - 192.168.3.0
dmz_acl access list extended icmp permitted an echo
pager lines 24
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
MTU 1500 DMZ
management of MTU 1500
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
NAT (DMZ, outside) static static vpn-local destination - 192.168.2.0 vpn-local - 192.168.2.0, 192.168.3.0 - remote control-vpn vpn-remote control - 192.168.3.0
!
internal subnet object-
NAT dynamic interface (indoor, outdoor)
Network Web server object
NAT (DMZ, outside) Web-external-ip static tcp www www Server service
Access-Group global dmz_acl
Route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Enable http server
http 192.168.1.0 255.255.255.0 management
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
IKEv1 crypto ipsec transform-set ikev1-trans-set esp-3des esp-md5-hmac
Crypto ipsec ikev2 proposal ipsec 3des-GNAT
Esp 3des encryption protocol
Esp integrity md5 Protocol
Crypto dynamic-map dynMidgeMap 1 match l2l-address list
Crypto dynamic-map dynMidgeMap 1 set pfs
Crypto dynamic-map dynMidgeMap 1 set ikev1 ikev1-trans-set transform-set
Crypto dynamic-map dynMidgeMap 1 set ikev2 ipsec-proposal 3des-GNAT
Crypto dynamic-map dynMidgeMap 1 life span of seconds set association security 28800
Crypto dynamic-map dynMidgeMap 1 the value reverse-road
midgeMap 1 card crypto ipsec-isakmp dynamic dynMidgeMap
midgeMap interface card crypto outside
ISAKMP crypto identity hostname
IKEv2 crypto policy 1
3des encryption
the md5 integrity
Group 2
FRP md5
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal midgeTrialPol group policy
attributes of the strategy of group midgeTrialPol
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
enable IPSec-udp
tunnel-group midgeVpn type ipsec-l2l
tunnel-group midgeVpn General-attributes
Group Policy - by default-midgeTrialPol
midgeVpn group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:fa02572f9ff8add7bbfe622a4801e606
: end
------------------------------------------------------------------------------------------------------------------------------
X.X.X.X - ASA public IP
Y.Y.Y.Y - a web server
Z.Z.Z.Z - default gateway
-------------------------------------------------------------------------------------------------------------------------------
ASA PING:
ciscoasa # ping DMZ 192.168.3.1
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.3.1, time-out is 2 seconds:
?????
Success rate is 0% (0/5)
PING from router (debug on CISCO):
NAT ciscoasa #: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 0 len = 40
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 1 len = 40
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 2 len = 40
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = len 3 = 40
-------------------------------------------------------------------------------------------------------------------------------
ciscoasa # show the road outside
Code: C - connected, S - static, RIP, M - mobile - IGRP, R - I, B - BGP
D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone
N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2
E1 - OSPF external type 1, E2 - external OSPF of type 2, E - EGP
i - IS - L1 - IS - IS level 1, L2 - IS - IS IS level 2, AI - IS inter zone
* - candidate by default, U - static route by user, o - ODR
P periodical downloaded static route
Gateway of last resort is Z.Z.Z.Z to network 0.0.0.0
C Z.Z.Z.0 255.255.255.0 is directly connected to the outside of the
S 192.168.3.0 255.255.255.0 [1/0] via Z.Z.Z.Z, outdoors
S * 0.0.0.0 0.0.0.0 [1/0] via Z.Z.Z.Z, outdoors
-------------------------------------------------------------------------------------------------------------------------------
Do you have an idea that I am wrong? Probably some bad NAT/ACL I suppose, but I could always find something only for 8.4 iOS and not 8.6... Perhaps and no doubt I already missed the configuration with the unwanted controls, but I've tried various things...
Please, if you have an idea, let me know! Thank you very much!
Hello
I've never used "global" option in ACL, but it looks to be the origin of the problem. Cisco doc.
"The global access rules are defined as a special ACL that is processed for each interface on the device for incoming traffic in the interface. Thus, although the ACL is configured once on the device, it acts as an ACL defined for Management In secondary interface-specific. (Global rules are always in the direction of In, never Out Management). "
You ACL: access-list extended dmz_acl to any any icmp echo
For example, when you launch the ASA, there is an echo response from the router on the external interface--> global can block.
Then to initiate router, the ASA Launches echo-reply being blocked again.
Try to add permit-response to echo as well.
In addition, you can use both "inspect icmp" in world politics than the ACL.
If none does not work, you can run another t-shoot with control packet - trace on SAA.
THX
MS
-
PIX IPSec tunnel - IOS, routing Options
Hello
I have an IPSec Tunnel between a PIX firewall and a router Cisco 1721.
Have I not all options about any routing protocol can I use?
Are there plans to add GRE support to PIX, so that EIGRP, OSPF can be used?
------Naman
Here's a URL that tells how to configure GRE over IPSEC with OSPF. http://www.Cisco.com/warp/public/707/gre_ipsec_ospf.html
-
Decision on DMVPN and L2L simple IPsec tunnels
I have a project where I need to make a decision on which solution to implement... environment is as follows...
- 4 branches.
- Each branch has 2 subnets; one for DATA and another for VOICE
- 2 ISPS in each (an Internet access provider and a provider of MPLS)
- Branch #1 isn't necessarily the HUB office that all database servers and files are there are
- Branch #2 is actually where the phone equipment
- Other 2 branches are just branches speaks (may not need never DATA interconnectivy, but they do need interconnection VOICE when they call since we spoke directly to the other)
- MPLS is currently used for telephone traffic.
- ISP provider link is used for site to site tunnels that traverse the internet, and it is the primary path for DATA. Means that all branch DATA subnets use the tunnels from site to site as main road to join the #1 branch where all files and databases are located.
- I'd like to have redundancy in case the network MPLS down for all traffic VOICE switch to L2L tunnels.
My #1 Option
Because it isn't really a star to the need, I don't really know if I want to apply DMVPN, although I read great things about it. In addition, another reason, I would have perhaps against DMVPN is the 'delay' involved, at least during initialization, communications having spoke-to-spoke. There is always a broken package when a department wants to initiate communication with one another.
My #2 Option
My other choice is just deploy L2L IPSec tunnels between all 4 branches. It's certainly much easier to install than DMVPN although DMVPN can without routing protocols that I think I'll need. But with these Plains L2L IPSec tunnels, I can also add the GRE tunnels and the routing of traffic protocols it as well as all multicast traffic. In addition, I can easily install simple IP SLA that will keep all tunnels upwards forever.
Can someone please help to choose one over the other is? or if I'm just okay with the realization of the #2 option
Thanks in advance
Hi ciscobigcat
Yes, OSPF will send periodic packets 'Hello' and they will maintain the tunnels at all times.
The numbers that you see (143 and 1001) are the "cost" of the track, so OSPF (Simplified) will calculate what different paths there are to a destination and assign each of them a 'cost' (by assigning a cost to each segment of the path, for example GigabitEthernet is "lower cost" Fastethernet and then adding the costs of all segments).
Then it will take the path to the lowest cost (143 in your case, in normal operation) and insert this in the routing table.
So since traffic is already going the right way, I don't know if you still need any tweaking? Personally, I would not add a second routing protocol because, generally, makes things more complicated.
QoS, it is important to use "prior qos rank".
See for example
http://www.Cisco.com/en/us/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/IPSecQoS.html
http://www.Cisco.com/en/us/Tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml
HTH
Herbert
-
IPSec tunnel between a client connection mobility and WRV200
Someone has set up an IPSec tunnel between a client connection mobility and WRV200? I can't get the right configuration.
Agitation, these products are treated by the Cisco Small Business support community. Please refer to the URL: https://supportforums.cisco.com/community/netpro/small-business
-
We have 3 IPSec tunnel set up between the cisco 1760 router and PIX 515e. IPSec tunnel is down by intermittent & son come only after compensation isakmp crypto & clear crypto its next to the router.
do we need to configure something else in router and end of pix so that tunnels are still in Active state (QM_IDLE).
Looks like the PIX loses its connection and the router is unable to say that the PIX has dropped.
Try the isakmp keepalive on both devices configuration but also check network links extended features.
See you soon,.
Paul.
-
IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and static
Hello
My problem isn't really the IPSec connection between two devices (it is already done...) But my problem is that I have a mail server on the site of Cisco, who have a static NAT from inside to outside. Due to the static NAT, I do not see the server in the VPN tunnel. I found a document that almost describes the problem:
"Configuration of a router IPSEC Tunnel private-to-private network with NAT and static" (Document ID 14144)
NAT takes place before the encryption verification!
In this document, the solution is 'routing policy' using the loopback interface. But, how can I handle this with the Netscreen firewall. Someone has an idea?
Thanks for any help
Best regards
Heiko
Hello
Try to change your static NAT with static NAT based policy.
That is to say the static NAT should not be applicable for VPN traffic
permissible static route map 1
corresponds to the IP 104
access-list 104 refuse host ip 10.1.110.10 10.1.0.0 255.255.0.0
access-list 104 allow the host ip 10.1.110.10 all
IP nat inside source static 10.1.110.10 81.222.33.90 map of static route
HTH
Kind regards
GE.
-
IPSec Tunnel permanent between two ASA
Hello
I configured a VPN IPSec tunnel between two ASA 5505 firewall. I want to assure you as the IPSec tunnel (this is why the security association) is permanent and do not drop due to the idle state.
What should I do?
Thanks for any help
Yves
Disables keepalive IKE processing, which is enabled by default.
(config) #tunnel - 10.165.205.222 group ipsec-attributes
KeepAlive (ipsec-tunnel-config) #isakmp disable
Set a maximum time for VPN connections with the command of vpn-session-timeout in group policy configuration mode or username configuration mode:
attributes of hostname (config) #-Group Policy DfltGrpPolicy
hostname (Group Policy-config) #vpn - idle - timeout noattributes of hostname (config) #-Group Policy DfltGrpPolicy
hostname (Group Policy-config) #vpn - session - timeout noThank you
Ajay
-
IPSEC tunnels does not connect
Out of sudden IPSEC tunnel on remote site 202.68.211.20 is not plug in. Previously is OK. There is no change in config.
IKE Phase 1 even not connect.
I'm debugging, but I don't know what could be the error.
-----------------------------------------------------------------------------
= ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = PuTTY connect 2016.05.12 15:19:36 = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ =.
12 May 12:06:50 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:06:50 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:06:53 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:06:53 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:06:54 [IKEv1 DEBUG]: IP = 202.68.211.20, case of mistaken IKE MM Initiator WSF (struct & 0xd84aff40), : MM_DONE, EV_ERROR--> MM_WAIT_MSG2, EV_RETRY--> MM_WAIT_MSG2, EV_TIMEOUT--> MM_WAIT_MSG2 NullEvent--> MM_SND_MSG1, EV_SND_MSG--> MM_SND_MSG1, EV_START_TMR--> MM_SND_MSG1, EV_RESEND_MSG--> MM_WAIT_MSG2, EV_RETRY
12 May 12:06:54 [IKEv1 DEBUG]: IP = 202.68.211.20, IKE SA MM:914f04ce ending: flags 0 x 01000022, refcnt 0, tuncnt 0
12 May 12:06:54 [IKEv1 DEBUG]: IP = 202.68.211.20, sending clear/delete with the message of reason
12 May 12:06:59 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:06:59 [IKEv1]: IP = 202.68.211.20, initiator of IKE: New Phase 1, Intf internal, IKE Peer 202.68.211.20 address proxy local 10.215.20.0 address remote Proxy 10.210.0.0, Card Crypto (VPN_map)
12 May 12:06:59 [IKEv1 DEBUG]: IP = 202.68.211.20, build the payloads of ISAKMP security
12 May 12:06:59 [IKEv1 DEBUG]: IP = 202.68.211.20, construction of Fragmentation VID + load useful functionality
12 May 12:06:59 [IKEv1]: IP = 202.68.211.20, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
12 May 12:07 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:07 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:07:03 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:07:03 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:07:07 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
12 May 12:07:09 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:07:09 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:07:15 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
12 May 12:07:23 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
12 May 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, case of mistaken IKE MM Initiator WSF (struct & 0xd8457958), : MM_DONE, EV_ERROR--> MM_WAIT_MSG2, EV_RETRY--> MM_WAIT_MSG2, EV_TIMEOUT--> MM_WAIT_MSG2 NullEvent--> MM_SND_MSG1, EV_SND_MSG--> MM_SND_MSG1, EV_START_TMR--> MM_SND_MSG1, EV_RESEND_MSG--> MM_WAIT_MSG2, EV_RETRY
12 May 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, IKE SA MM:be63ea64 ending: flags 0 x 01000022, refcnt 0, tuncnt 0
12 May 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, sending clear/delete with the message of reason
12 May 12:07:37 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:07:37 [IKEv1]: IP = 202.68.211.20, initiator of IKE: New Phase 1, Intf internal, IKE Peer 202.68.211.20 address proxy local 10.215.20.0 address remote Proxy 10.210.0.0, Card Crypto (VPN_map)
12 May 12:07:37 [IKEv1 DEBUG]: IP = 202.68.211.20, build the payloads of ISAKMP security
12 May 12:07:37 [IKEv1 DEBUG]: IP = 202.68.211.20, construction of Fragmentation VID + load useful functionality
12 May 12:07:37 [IKEv1]: IP = 202.68.211.20, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
12 May 12:07:40 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:07:40 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:07:45 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
12 May 12:07:46 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:07:46 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:07:53 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
qHello
It seems that the tunnel is blocked to MSG_2.
You can check if the UDP 500 traffic is not blocked between peers?
Please check with your provider.
Kind regards
Aditya
Please evaluate the useful messages and mark the correct answers.
-
How to troubleshoot an IPSec tunnel GRE?
Hello
My topology includes two firewalls connected through the Internet "" (router) and behind each firewall, there is a router.
The routers I configured a GRE tunnel that is successful, then I configured an IPsec tunnel on the firewall.
I does not change the mode to transport mode in the transform-set configuration.
Everything works; If I connect a PC to the router, it can ping another PC on the other router. However if I change mode of transport mode that they cannot.
I was wondering how can I ensure that the IPSec tunnel WILL really works? How can I fix it or package tracking?
Thank you.
I was wondering how can I ensure that the IPSec tunnel WILL really works? How can I fix it or package tracking?
To verify that the VPN tunnel works well, check the output of
ISAKMP crypto to show his
Crypto ipsec to show hisHere are the commands of debug
Debug condition crypto x.x.x.x, where x.x.x.x IP = peer peer
Debug crypto isakmp 200
Debug crypto ipsec 200You will see ACTIVE int the first output and program non-zero and decaps on the output of the latter.
For the GRE tunnel.
check the condition of the tunnel via "int ip see the brief.In addition, you can configure keepalive via the command:
Router # configure terminal
Router (config) #interface tunnel0
Router(Config-if) 5 4 #keepaliveand then run "debug keepalive tunnel" to see packets hello tunnel going and coming from the router.
Kind regards
Dinesh MoudgilPS Please rate helpful messages.
-
DROP in flow of the IPSec tunnel
Hello
I am trying to use a VPN, who worked on one connection ASA months on ASA9.1 (2). I've updated to ASA9.1 11 (6) and it has stopped working.
This is the remote ASA5505s making an IPSEC connection-a network head 5520. I can ride preceding and following 2 and 11 9.1 9.1 (6) and while the configuration does not change, the VPN starts working on 9.1 2
Vpn connects, but there is no packets sent or received...
I get this packet tracer...
Output of the command: "packet - trace entry tcp teeessyou 192.168.190.2 5000 192.168.195.1 detail 80.
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit rule
Additional information:
Direct flow from returns search rule:
ID = 0xae1308e8, priority = 1, domain = allowed, deny = false
hits = 622, user_data = 0 x 0, cs_id = 0 x 0, l3_type = 0 x 8
Mac SRC = 0000.0000.0000, mask is 0000.0000.0000
DST = 0000.0000.0000 Mac, mask is 0100.0000.0000
input_ifc = teeessyou, output_ifc = anyPhase: 2
Type: UN - NAT
Subtype: static
Result: ALLOW
Config:
NAT (teeessyou, outside) static source all all static destination teeessyou_ENCODERS teeessyou_ENCODERS
Additional information:
NAT divert on exit to the outside interface
Untranslate 192.168.195.1/80 to 192.168.195.1/80Phase: 3
Type: ACCESS-LIST
Subtype: Journal
Result: ALLOW
Config:
Access-group teeessyou_access_in in the teeessyou interface
teeessyou_access_in of access allowed any ip an extended list
Additional information:
Direct flow from returns search rule:
ID = 0xae24d310, priority = 13, area = allowed, deny = false
hits = 622, user_data is 0xab6b23c0, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = teeessyou, output_ifc = anyPhase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT (teeessyou, outside) static source all all static destination teeessyou_ENCODERS teeessyou_ENCODERS
Additional information:
Definition of static 192.168.190.2/5000 to 192.168.190.2/5000
Direct flow from returns search rule:
ID = 0xae1ea5a8, priority = 6, area = nat, deny = false
hits = 622, user_data is 0xae1e9c58, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=192.168.192.0 DST, mask is 255.255.224.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = teeessyou, output_ifc = externalPhase: 5
Type: NAT
Subtype: volatile
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xa9678858, priority = 1, domain = nat-volatile, deny = true
hits = 105, user_data = 0 x 0, cs_id = 0 x 0, reverse, use_real_addr, flags = 0 x 0, Protocol = 6
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = none, output_ifc = anyPhase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xae136910, priority = 0, sector = inspect-ip-options, deny = true
hits = 622, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = teeessyou, output_ifc = anyPhase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xaeec4328, priority = 70, domain = encrypt, deny = false
hits = 65, user_data is 0xb7dc, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=192.168.195.0 DST, mask is 255.255.255.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = none, output_ifc = externalPhase: 8
Type: NAT
Subtype: rpf check
Result: ALLOW
Config:
NAT (teeessyou, outside) static source all all static destination teeessyou_ENCODERS teeessyou_ENCODERS
Additional information:
Direct flow from returns search rule:
ID = 0xae1eae48, priority = 6, area = nat-reversed, deny = false
hits = 129, user_data is 0xae1e9d10, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=192.168.192.0 DST, mask is 255.255.224.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = teeessyou, output_ifc = externalPhase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DECLINE
Config:
Additional information:
Reverse flow from returns search rule:
ID = 0xaea9f6b0, priority = 69 = ipsec-tunnel-flow area, deny = false
hits = 129, user_data = 0 x 0, cs_id = 0xaea999c0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=192.168.192.0 SRC, mask = 255.255.224.0, port = 0, = 0 tag
IP/ID=192.168.190.0 DST, mask is 255.255.255.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = out, output_ifc = anyHello Spencerallsop,
I recommend to add the keyword "no-proxy-arp" the end of the NAT statement, so the ASA try to answer queries ARP for the traffic(VPN interesting traffic), also this last phase 9 usually shows ignored due to a filter VPN defined in sometimes group policy, make sure you have not a filter VPN in a group policy that affect this tunnel then you will need to do the following:
1. remove the NAT statement:
-no nat (teeessyou, outside) static source all all static destination teeessyou_ENCODERS teeessyou_ENCODERS
2 fix the NAT statement with the keyword "No.-proxy-arp" :
-nat (teeessyou, outside) static source any any destination static teeessyou_ENCODERS teeessyou_ENCODERS non-proxy-arp
3 disable the VPN ISA SA:
-claire crypto ikev1 his
4. run the packet tracer to check that the L2L has developed,
To be honest I wouldn't recommend move you to 9.1.7 since it has some problems with the ARP entries, and it affects AnyConnect SSL somehow, which is still under investigation.
In fact, this bug affects 9.1.7 (may affect your environment):
- https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy28710
Please don't forget to rate and score as of this post, keep me posted!
Kind regards
David Castro,
-
Hello
I have set up an ipsec tunnel between rv180 (site A) and asa5520 (site B) successful. The dhcp server to clients is on the B site. The dhcp clients request going through the tunnel, they leave the rv180 on the wan interface and arrive at site B with the wan-ipaddress from site A. The configured dhcp-relay on the website match the remote network (site B), configured in the on site A ipsec tunnel. Is there anyway that all traffic pass through the ipsec tunnel? We want it for security reasons.
Any help is greatly appreciated.
Ralf
Dear Ralf,
Thank you to reach small business support community.
Unfortunately the relay DHCP Relay not of DHCP request to the IPSec VPN tunnel. I hope that this answer to your question and do not hesitate to contact me if there is any additional help with what I can help you.
Kind regards
Jeffrey Rodriguez S... : | :. : | :.
Support Engineer Cisco client* Please rate the Post so other will know when an answer has been found.
Maybe you are looking for
-
which of my Photos is in the cloud?
How will I know what photo on my iPad Air (running iOS 10) is stored on the cloud? It seems that if I double click on the photo, it will show this download of the Cloud.
-
A driver for HP 3520 10.11.6-compatible
I can't find a driver for my printer HP deskjet 3520. I El capitan and my printer does not print black whire and more!
-
Can't go 'back' and no search engine
I continue to use Google as Firefox does not provide a search engine - just a bunch of preferences that I don't use. Also, there is no 'back' button so I close everything and re open to return to the previous page. I wish I had never installed this t
-
Microsoft Azure for dreamspark records do not.
When I go to register for the azure for Dreamspark student, it allows me to go to the website of azure, but it stops there and gives me an error saying that they cannot offer me that. Why? BTW, I'm the Canada not to the United States. -Ian
-
How can I get my NICs tp pass rather than fail?
How can I get my NICs tp pass rather than fail?