FAILURE OF VPN TUNNEL

Similar Questions

• RV042 VPN tunnel with Samsung Ubigate ibg2600 need help

  Hi all, ok before I completely remove all of my hair, I thought stop by here and ask the volume for you all with the hope that someone can track down the problem.

  In short I am configuring a 'Gateway to gateway' vpn tunnel between two sites, I don't have access to the config of the router from Samsung, but the ISPS making sure that they followed my setup - watching newspapers RV042, I don't however see the reason for the failure - im no expert vpn...

  Sorry if the log file turns on a bit, I didn't know where the beginning and the end was stupid I know... any advice would be greatly welcomed lol.

  System log
  Current time: Fri Sep 2 03:37:52 2009 all THE Log Log Log Log VPN Firewall Access system
   
  Time
  Type of event Message
  2 sep 03:36:01 2009 value of VPN Log [Tunnel negotiation Info] Inbound SPI = c3bdba08
  2 sep 03:36:01 2009 value of outbound SPI VPN Log [Tunnel negotiation Info] = c664c1ca
  2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > initiator send fast Mode 3rd package
  2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] Quick Mode Phase 2 SA established, IPSec Tunnel connected
  2 sep 03:36:02 2009 VPN journal Dead Peer Detection start, DPD delay = timeout = 10 sec 10 sec timer
  2 sep 03:36:02 2009 VPN received log delete SA payload: ISAKMP State #627 removal
  2 sep 03:36:02 2009 VPN Log Main Mode initiator
  2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > Send main initiator Mode 1 package
  2 sep 03:36:02 2009 charge of VPN journal received Vendor ID Type = [Dead Peer Detection]
  2 sep 03:36:02 2009 VPN Log [Tunnel negotiation of Info]< initiator="" received="" main="" mode="" 2nd="" packet="">
  2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > initiator send Mode main 3rd package
  2 sep 03:36:03 2009 VPN Log [Tunnel negotiation of Info]< initiator="" received="" main="" mode="" 4th="" packet="">
  2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > main initiator Mode to send 5 packs
  2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > initiator receive hand Mode 6 Pack
  2 sep 03:36:03 2009 log VPN main mode peer ID is ID_IPV4_ADDR: '87.85.xxx.xxx '.
  2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN Mode main Phase 1 SA established
  2 sep 03:36:03 2009 log VPN [Tunnel negotiation Info] initiator Cookies = c527 d584 595 c 2c3b
  2 sep 03:36:03 2009 log VPN [Tunnel negotiation Info] responder Cookies = b62c ca31 1a5f 673f
  2 sep 03:36:03 2009 log quick launch Mode PSK VPN + TUNNEL + PFS
  2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > initiator send fast Mode 1 package
  2 sep 03:36:04 2009 VPN Log [Tunnel negotiation of Info]< initiator="" received="" quick="" mode="" 2nd="" packet="">
  2 sep 03:36:04 2009 value of VPN Log [Tunnel negotiation Info] Inbound SPI = c3bdba09
  2 sep 03:36:04 2009 value of outbound SPI VPN Log [Tunnel negotiation Info] = e3da1469
  2 sep 03:36:04 2009 VPN Log [Tunnel negotiation Info] > initiator send fast Mode 3rd package
  2 sep 03:36:04 2009 VPN Log [Tunnel negotiation Info] Quick Mode Phase 2 SA established, IPSec Tunnel connected
  2 sep 03:36:04 2009 VPN journal Dead Peer Detection start, DPD delay = timeout = 10 sec 10 sec timer
  2 sep 03:36:05 2009 VPN received log delete SA payload: ISAKMP State #629 removal

  PFS - off on tada and linksys router does not support the samsung lol! connected!

• Impossible to pass traffic through the VPN tunnel

  I have an ASA 5505 9.1 running.   I have the VPN tunnel connection, but I am not able to pass traffic. through the tunnel. Ping through the internet works fine.

  Here is my config

  LN-BLF-ASA5505 > en
  Password: *.
  ASA5505-BLF-LN # sho run
  : Saved
  :
  : Serial number: JMX1216Z0SM
  : Material: ASA5505, 256 MB RAM, 500 MHz Geode Processor
  :
  ASA 5,0000 Version 21
  !
  LN-BLF-ASA5505 hostname
  domain lopeznegrete.com
  activate the password
  volatile xlate deny tcp any4 any4
  volatile xlate deny tcp any4 any6
  volatile xlate deny tcp any6 any4
  volatile xlate deny tcp any6 any6
  volatile xlate deny udp any4 any4 eq field
  volatile xlate deny udp any4 any6 eq field
  volatile xlate deny udp any6 any4 eq field
  volatile xlate deny udp any6 any6 eq field
  passwd
  names of
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  interface Vlan1
  nameif inside
  security-level 100
  IP 192.168.116.254 255.255.255.0
  OSPF cost 10
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP 50.201.218.69 255.255.255.224
  OSPF cost 10
  !
  boot system Disk0: / asa915-21 - k8.bin
  passive FTP mode
  DNS server-group DefaultDNS
  domain lopeznegrete.com
  network obj_any object
  subnet 0.0.0.0 0.0.0.0
  the LNC_Local_TX_Nets object-group network
  Description of internal networks Negrete Lopez (Texas)
  object-network 192.168.1.0 255.255.255.0
  object-network 192.168.2.0 255.255.255.0
  object-network 192.168.3.0 255.255.255.0
  object-network 192.168.4.0 255.255.255.0
  object-network 192.168.5.0 255.255.255.0
  object-network 192.168.51.0 255.255.255.0
  object-network 192.168.55.0 255.255.255.0
  object-network 192.168.52.0 255.255.255.0
  object-network 192.168.20.0 255.255.255.0
  object-network 192.168.56.0 255.255.255.0
  object-network 192.168.59.0 255.255.255.0
  object-network 10.111.14.0 255.255.255.0
  object-network 10.111.19.0 255.255.255.0
  the LNC_Blueleaf_Nets object-group network
  object-network 192.168.116.0 255.255.255.0
  access outside the permitted scope icmp any4 any4 list
  extended outdoor access allowed icmp a whole list
  outside_1_cryptomap list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
  inside_nat0_outbound list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
  LNC_BLF_HOU_VPN list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
  pager lines 24
  Enable logging
  asdm of logging of information
  Within 1500 MTU
  Outside 1500 MTU
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 741.bin
  don't allow no asdm history
  ARP timeout 14400
  no permit-nonconnected arp
  !
  network obj_any object
  NAT dynamic interface (indoor, outdoor)
  outside access-group in external interface
  !
  router ospf 1
  255.255.255.255 network 192.168.116.254 area 0
  Journal-adj-changes
  default-information originate always
  !
  Route outside 0.0.0.0 0.0.0.0 50.201.218.94 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  identity of the user by default-domain LOCAL
  the ssh LOCAL console AAA authentication
  AAA authentication enable LOCAL console
  Enable http server
  http 192.168.2.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
  Crypto ipsec pmtu aging infinite - the security association
  card crypto outside_map 1 match address outside_1_cryptomap
  peer set card crypto outside_map 1 50.201.218.93
  card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1
  outside_map interface card crypto outside
  Crypto ca trustpoint _SmartCallHome_ServerCA
  no use of validation
  Configure CRL
  trustpool crypto ca policy
  Crypto ca certificate chain _SmartCallHome_ServerCA
  certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
  308204 4 a0030201 d 308205ec 0202106e cc7aa5a7 032009b 8 cebcf4e9 52d 49130
  010105 05003081 09060355 04061302 55533117 ca310b30 0d 864886f7 0d06092a
  30150603 55040 has 13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
  13165665 72695369 676e2054 72757374 204e6574 776f726b 313 has 3038 06035504
  0b 133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
  20617574 7a 656420 75736520 6f6e6c79 31453043 06035504 03133c 56 686f7269
  65726953 69676e20 436c 6173 73203320 5075626c 69632050 72696 72792043 61 d
  65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
  30303230 38303030 3030305a 170d 3230 30323037 32333539 35395a 30 81b5310b
  30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
  496e632e 311f301d 06035504 0b 131656 65726953 69676e20 54727573 74204e65
  74776f72 6b313b30 5465726d 20757365 20617420 73206f66 39060355 040b 1332
  68747470 7777772e 733a2f2f 76657269 7369676e 2e636f6d 2f727061 20286329
  302d 0603 55040313 26566572 69536967 61737320 33205365 6e20436c 3130312f
  63757265 20536572 76657220 20473330 82012230 0d06092a 864886f7 4341202d
  010101 05000382 010f0030 82010 0d has 02 b187841f 82010100 c20c45f5 bcab2597
  a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
  9c688b2e 957b899b 13cae234 34c1f35b f3497b62 d188786c 83488174 0253f9bc
  7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
  15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
  1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 63cd
  18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
  4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
  81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 01 has 38201 02030100 df308201
  082b 0601 05050701 01042830 26302406 082 b 0601 db303406 05050730 01861868
  7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1 d 130101
  ff040830 02010030 70060355 b 200469 30673065 060, 6086 480186f8 1 d 060101ff
  45010717 03305630 2806082b 06010505 07020116 1 c 687474 70733a2f 2f777777
  2e766572 69736967 6e2e636f 6d2f6370 73302 has 06 082 b 0601 05050702 02301e1a
  1 c 687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
  03551d1f 042d302b 3029 has 027 a0258623 68747470 3a2f2f63 726c2e76 65726973
  69676e2e 636f6d2f 2d67352e 70636133 63726c 30 0e060355 1d0f0101 ff040403
  02010630 6d06082b 06010505 07010c 59305730 55160969 5da05b30 04 61305fa1
  6 d 616765 2f676966 3021301f 2b0e0302 30070605 1a04148f e5d31a86 ac8d8e6b
  c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
  69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
  1 b 311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301D 0603
  445 1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 c 1604140d 551d0e04
  1 230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300 d 0609 d
  2a 864886 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 f70d0101
  4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
  b2227055 d9203340 3307c 265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
  99 c 71928 8705 404167d 1 273aeddc 866d 24f78526 a2bed877 7d494aca 6decd018
  481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
  b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
  5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
  6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
  6c2527b9 deb78458 c61f381e a4c4cb66
  quit smoking
  crypto isakmp identity address
  Crypto isakmp nat-traversal 1500
  Crypto ikev1 allow outside
  IKEv1 crypto policy 10
  preshared authentication
  aes-256 encryption
  sha hash
  Group 5
  life 86400
  IKEv1 crypto policy 65535
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH stricthostkeycheck
  SSH 0.0.0.0 0.0.0.0 inside
  SSH 0.0.0.0 0.0.0.0 outdoors
  SSH timeout 5
  SSH version 2
  SSH group dh-Group1-sha1 key exchange
  Console timeout 0
  management-access inside

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  attributes of Group Policy DfltGrpPolicy
  Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
  username
  username
  tunnel-group 50.201.218.93 type ipsec-l2l
  IPSec-attributes tunnel-group 50.201.218.93
  IKEv1 pre-shared-key *.
  NOCHECK Peer-id-validate
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the netbios
  inspect the rsh
  inspect the rtsp
  inspect the skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect the tftp
  inspect the sip
  inspect xdmcp
  Review the ip options
  !
  global service-policy global_policy
  context of prompt hostname
  call-home service
  anonymous reporting remote call
  call-home
  contact-email-addr [email protected] / * /
  Profile of CiscoTAC-1
  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
  email address of destination [email protected] / * /
  destination-mode http transport
  Subscribe to alert-group diagnosis
  Subscribe to alert-group environment
  Subscribe to alert-group monthly periodic inventory
  monthly periodicals to subscribe to alert-group configuration
  daily periodic subscribe to alert-group telemetry
  Cryptochecksum:e519f212867755f697101394f40d9ed7
  : end
  LN-BLF-ASA5505 #.

  Assuming that you have an active IPSEC security association (i.e. "show crypto ipsec his" shows the tunnel is up), please perform a packet trace to see why it's a failure:

   packet-tracer input inside tcp 192.168.116.1 1025 192.168.1.1 80 detail

  (simulating a hypothetical customer of blue LNC tries to navigate to a hypothetical LNC TX Local site server)

• VPN tunnel upward, but no traffic?

  I decided to take a Cisco 1800 series router and try to put in place. Up to now I can get out, and everything seems fine. I then tried to configure a VPN tunnel between this router and a sonicwall router secure.

  Now the problem is the GUI of SonicWall and Cisco say that this tunnel is mounted. But I can't access internal networks...

  So my cisco LAN is 192.168.11.0 255.255.255.0

  and the Sonic Wall is 192.168.1.0 255.255.255.0

  They can talk even if the tunnel is up. I was hitting my head, and running through the tutorials and just can not understand.

  Here's proof that we have achieved at least the first phase:

  inbound esp sas:
  
        spi: 0xD1BC1B8E(3518765966)
  
          transform: esp-256-aes esp-sha-hmac ,
  
          in use settings ={Tunnel, }
  
          conn id: 3003, flow_id: FPGA:3, crypto map: vpn
  
          sa timing: remaining key lifetime (k/sec): (4541007/2298)
  
          IV size: 16 bytes
  
          replay detection support: Y
  
          Status: ACTIVE
  
  outbound esp sas:
  
        spi: 0xAE589C1E(2925042718)
  
          transform: esp-256-aes esp-sha-hmac ,
  
          in use settings ={Tunnel, }
  
          conn id: 3004, flow_id: FPGA:4, crypto map: vpn
  
          sa timing: remaining key lifetime (k/sec): (4541027/2297)
  
          IV size: 16 bytes
  
          replay detection support: Y
  
          Status: ACTIVE

  So here's my config: (what Miss me?)

  Current configuration : 3972 bytes
  
  !
  
  version 12.4 no service pad
  
  service tcp-keepalives-in service tcp-keepalives-out
  
  service timestamps debug datetime msec
  
  service timestamps log datetime msec
  
  no service password-encryption
  
  !
  
  hostname CompsysRouter
  
  !
  
  boot-start-marker
  
  boot-end-marker
  
  !
  
  enable secret *****************
  
  enable password ***********
  
  !
  
  aaa new-model
  
  !
  
  !
  
  !
  
  aaa session-id common
  
  ip cef
  
  !
  
  !
  
  !
  
  !
  
  no ip domain lookup
  
  ip domain name ********.local
  
  ip inspect name myfw http timeout 3600 ip inspect name myfw tcp timeout 3600 ip inspect name myfw udp timeout 3600 ip inspect name myfw dns timeout 3600 ip auth-proxy max-nodata-conns 3 ip admission max-nodata-conns 3 !
  
  !
  
  crypto pki trustpoint TP-self-signed-1821875492 enrollment selfsigned
  
  subject-name cn=IOS-Self-Signed-Certificate-1821875492 revocation-check none
  
  rsakeypair TP-self-signed-1821875492 !
  
  !
  
  crypto pki certificate chain TP-self-signed-1821875492 certificate self-signed 01   30820245 308201AE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  
    69666963 6174652D 31383231 38373534 3932301E 170D3130 31323130 32333433
  
    35325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38323138
  
    37353439 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  
    8100CC57 E44AB177 3594C4C7 E88B1A4F CE4FD392 87CDB75C 2A6A6B1A 87D10791
  
    0134F1FC 54A84BB6 08A40213 35B9DD0A FD813D2F 1C778D01 3F8EBEB0 C4793850
  
    F52F7906 FDBC56A5 A4829AC5 4180DDA7 F54E3AAD DD1D4537 F1F19F11 9AE8A8A0
  
    91C98934 233CF608 1447DA83 41B09E55 4A0FF674 8D060945 07D3F3F9 8EA7B412
  
    5FD30203 010001A3 6D306B30 0F060355 1D130101 FF040530 030101FF 30180603
  
    551D1104 11300F82 0D436F6D 70737973 526F7574 6572301F 0603551D 23041830
  
    168014DC A9938F71 7CCF0E6D 8BC5DFA5 033DD7E4 0F605130 1D060355 1D0E0416
  
    0414DCA9 938F717C CF0E6D8B C5DFA503 3DD7E40F 6051300D 06092A86 4886F70D
  
    01010405 00038181 00148C2F AA7CA155 463B56F2 324FE1ED 3682E618 75E3048F
  
    93E1EA61 3305767A FA93567B AA93B107 83A2F3D6 8F773779 E6BF0204 DC71879A
  
    5F7FC07F 627D8444 48781289 7F8DC06A BC9057B1 4C72AE1F B64284BE 94C6059C
  
    7B6B8A5D 83375B86 3054C760 961E8763 91767604 5E0E0CE3 3736133A E51ACF26
  
    14F3C7C5 60E08BE3 88   quit
  
  username jdixon secret 5 $*****************
  
  !        
  
  !
  
  ip ssh time-out 60 ip ssh authentication-retries 2 !
  
  !
  
  crypto isakmp policy 1 encr aes 256 authentication pre-share
  
  group 2 lifetime 28800 crypto isakmp key address  !
  
  !
  
  crypto ipsec transform-set compsys esp-aes 256 esp-sha-hmac
  
  !
  
  crypto map vpn 10 ipsec-isakmp
  
  set peer set transform-set compsys
  
  match address 101 !
  
  !
  
  !
  
  interface FastEthernet0/0
  
  ip address "LOCAL ROUTER OUTSIDE" 255.255.255.248 ip access-group Inbound in ip nat outside
  
  ip inspect myfw out
  
  ip virtual-reassembly
  
  duplex auto
  
  speed auto
  
  no keepalive
  
  crypto map vpn
  
  !
  
  interface FastEthernet0/1
  
  ip address 192.168.11.1 255.255.255.0 ip nat inside
  
  ip virtual-reassembly
  
  duplex auto
  
  speed auto
  
  !
  
  ip forward-protocol nd
  
  ip route 0.0.0.0 0.0.0.0 !
  
  !
  
  ip http server
  
  ip http authentication local
  
  ip http secure-server
  
  ip nat inside source list 1 interface FastEthernet0/0 overload
  
  ip nat inside source static tcp 192.168.11.55 3389 interface FastEthernet0/0 9999 !
  
  ip access-list extended Inbound
  
  permit icmp any any
  
  permit gre host "REMOTE ROUTER" host "LOCAL ROUTER" permit esp host "REMOTE ROUTER" host "LOCAL ROUTER" permit udp host "REMOTE ROUTER" host "LOCAL ROUTER" eq isakmp
  
  permit ahp host "REMOTE ROUTER" host "LOCAL ROUTER" permit udp host "REMOTE ROUTER" host "LOCAL ROUTER" eq non500-isakmp
  
  permit ip host "REMOTE ROUTER" any
  
  permit tcp any host "LOCAL ROUTER" eq 22 !
  
  access-list 1 permit 192.168.11.0 0.0.0.255 access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255 !
  
  !
  
  !
  
  !
  
  control-plane
  
  !        
  
  !
  
  !
  
  line con 0 line aux 0 line vty 0 4 !
  
  scheduler allocate 20000 1000 end

  NAT exemption is where it is a failure.

  Please kindly change to as follows:

  access-list 150 deny ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255

  access-list 150 permit ip 192.168.11.0 0.0.0.255 any

  IP nat inside source list 150 interface fastethernet0/0 overload

  no nat ip within the source list 1 interface fastethernet0/0 overload

  Hope that helps.

• SBS 2008 office1 Serv2008 Office 2 need to share assets between them via a site to site VPN tunnel

  Hi all.

  I really need help on this one.

  The office 1 installer running SBS2008 Office 2 running Server 2008.

  Each firm has its own FQDN Office 1 CompanyABC 2 A_B_C of the company office.

  Each firm has its own internal IP address pool Office 1 192.168.69.xxx and office 192.168.20.xxx 2.

  Site to site VPN tunnel between 2 office routers Netgear SRX5308 1 and 2 Netgear FVS318G Office established and working.

  Each firm has its own DNS server and acts as a domain controller

  How to configure the 2 networks to see each other and be able to use assets on every network (files, printers)?

  Is it so simple that the addition of another pool internal IP for each DNS server?

  Thanks in advance for your help.

  Hello

  Your Question is beyond the scope of this community.

  I suggest that repost you your question in the Forums of SBS.

  https://social.technet.Microsoft.com/forums/en-us/home?Forum=smallbusinessserver

  "Windows Small Business Server 2011 Essentials online help"

  https://msdn.Microsoft.com/en-us/library/home-client.aspx

  TechNet Server forums.

  http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer

  See you soon.

• LRT224 impossible to deal simultaneously with more than one VPN tunnel?

  We have configured a client to gateway VPN tunnel group and six in the tunnels of single user gateway on a LRT224. Each unique connection works perfectly using Shrew soft client. But when we try to connect with a second tunnel, the first tunnel disconnects. It seems that the LRT224 cannot process more than one VPN tunnel at the same time? Is there any configuration, that we would have missed?

  TLR log seem to indicate that the Shrew Soft customers use all 192.168.30.0 that their IP address instead of a random IP address in this range.

  Try to set each Shrew Soft client with a specific IP address in the 192.168.30.1 - 50 rank instead of ' use virtual adapter and address randomly.

• 3500 x vpn tunnel

  I need to establish a vpn connection between my office and a computer over the internet, allowing access to the internal of the outside lan. I have a problem with my router and I am looking for a new.

  Can I use x 3500 to establish a pptp vpn tunnel or it can work only as vpn passthrough?

  This modem/router supports VPN passthrough for IPSec, PPTP and L2TP only. Try VPN Linksys Gigabit routers like the series of the LRT.

• VPN connected, stream out of VPN tunnel

  I mean that we have in place of the VPN Sites manage to sites with 2 RV042 router but it seams not as I wanted. Are you sure that each transfer of data through Router 2 will go into the VPN tunnel or it shuts down the VPN tunnel. I checked the routing table and saw that:

  Sources mask Gateway Interface

  2 1 or wan wan IP 255.255.255.0 ipsec0 private

  By default 0.0.0.0 (ip wan 1 or 2) wan1 or wan2

  .........

  So what you think what sense data will pass through the line, it will go through the ipsec section or through wan1 or wan2. Ofcouse each data will pass through wan1 or wan2, but it can go inside the ipsec tunnel or ipsec outside tunnel. If she goes inside the ipsec tunnel, everything is ok, but if this isn't the case, transfer of unsecured data. I'm trying to access some website is not in private ip and it was outside ipsec tunnel go, I can capture and now that you have access.

  Why with linksys have 2 work as draytek product even photos follow:

  

  

  Can someone help me to answer this question, thank you for your attention

  1. it depends on what the tunnels of your business allows. As I've written before, there are other protocols that allows you to route traffic through the VPN tunnel. Only IPSec cannot do this. For example, if your company uses GRE over IPSec then they can route traffic through their tunnels. Your RV does not support this.

  2. If it's really plain IPSec then you cannot configure several subnets. You can try to implement the security group remote as a subnet more grand, such as 10.0.0.0/8. Of course the groups must match on both sides.

  3. If you want to route all traffic through the tunnel, and then try to set the local/remote security to 0.0.0.0/0.0.0.0 group. Maybe it works.

  The configuration of IPSec in the RV042 does not allow extremely complex configurations. It's mainly to connect two subnets between them.

• VPN tunnel cascade w / SW NSA FWs

  

  Hello

  I have questions about VPN cascading between 3 firewall SonicWALL NSA. Let me explain my situation and what I want to achieve.

  As shown in the diagram above, I have 3 branches connected to the Internet, which advanced to the LAN is the NSA SW FW. There is a VPN tunnel between each site: Site_A Site_ B, Site_A Site_ C, Site_B Site_ C. The Internet of the Site A traffic is redirected to the Site B. This Site A Cross Site B to access the Internet and LAN B. Site A through C access LAN C Site.

  My question is: is it possible to remove the tunnel VPN Site_A-Site_C to and instead, through Site B to C LAN access? If so, how you can achieve this configuration?

  What worries me is the VPN tunnel options that allow you to redirect all Internet traffic or a specific destination of LAN through objects (screenshots from Site A) address:

  

  

  Without the redirection of Internet traffic, I thought about creating a group of addresses, including 2 B LAN and LAN C address objects. But I want to keep the Internet through Site B traffic redirection.

  What do you think?

  Thanks in advance for your help.

  Hello

  My comments below:

  If you route indeed all traffic from A to B, the following must fill.

  1. remove the tunnel A C

  Ok.

  2. site B will have A subnet that is defined as a local resource for C

  Do you mean this by local resource?

  

  3 C is going to have A subnet defined as remote resource

  Ok.

  If you route any traffic from A to B, the following must fill.

  First step would be to remove the tunnel VPN between A and C, but I guess that you have assumed that it was already done.

  1. define the C subnet as a remote resource on Site A

  Yes, like a remote network for the A - B VPN tunnel.

  2. tunnel of site B to A will need to subnet C defined as local resource

  Ok.

  3. tunnel of site B and C will need subnet defined as local resource

  Ok.

  4. the site will need to subnet C has defined as remote resource

  Yes.

  I'll do a test soon with 3 sites and see how it goes.

• Routing access to Internet through an IPSec VPN Tunnel

  Hello

  I installed a VPN IPSec tunnel for a friend's business. At his desk at home, I installed a Cisco SA520 and at it is remote from the site I have a Cisco RVS4000. The IPSec VPN tunnel works very well. The remote site, it can hit all of its workstations and peripheral. I configured the RVS4000 working in router mode as opposed to the bridge. In the Home Office subnet is 192.168.1.0/24 while the subnet to the remote site is 192.168.2.0/24. The SA520 is configured as Internet gateway for the headquarters to 192.168.1.1. The remote desktop has a gateway 192.168.2.1.

  I need to configure the remote site so that all Internet traffic will be routed via the Home Office. I have to make sure that whatever it is plugged into the Ethernet on the RVS4000 port will have its Internet traffic routed through the Internet connection on the SA520. Currently I can ping any device on the headquarters of the remote desktop, but I can't ping anything beyond the gateway (192.168.1.1) in the Home Office.

  Any help would be greatly appreciated.

  Thank you.

  Hi William, the rvs4000 does not support the tunnel or esp transfer wild-card.

• ASA Syslog via a VPN Tunnel

  Hi all

  I have a little problem concerning ASA and syslogs. I have a tunnel from site to site between a local ASA and ASA distance. Behind the ASA local, I have a central syslog server (which has no ASA as default gateway) which collects messages from all network devices and I want to get messages from the ASA remote as well.

  The tunnel protects traffic between local networks behind each ASA, which includes ASA inside remote interface as well. The problem is that if I specify on the SAA distance my syslog server it does not pass through the VPN tunnel. The ASA remote sees my server syslog as being 'outside' so he's using the external IP address as the source-interface for the syslog message. Which of course does not pass through the tunnel. As much as I know there is no way to configure the interface source for logging under the SAA, that you can do on a normal IOS router.

  I've found a few documents explaining this Setup on CCO, but they all imply I have extend the list for interesting traffic to access allow remote UDP/514 of the PIX traffic outside my local syslog server interface. This isn't something I want to do what I would get in routing complication in my LAN with a public IP address of the ASA remote.

  Any suggestions? I thought I could use some sort of NAT on the ASA remote so that all traffic for my local network a source the remote PIX is translated on the inside interface, which in theory should pass the package via the tunnel. I did not go so far.

  Any help is appreciated.

  Best regards

  Stefan

  You can define the interface that the ASA will use to send the newspapers "syslog_ip host record.

  Make sure you also do "access management".

  Then the SAA should source the syslogs from inside the interface, which is probably encrypted with the crypto ACL.

  I hope it helps.

  PK

• VPN tunnel between the concentrator 3005 and router Cisco 827

  I am trying to establish a VPN tunnel between the Central Office with VPN 3005 and controller branch Cisco 827 router.

  There is a router of perimeter with access set up in front of the 3005 list.

  I quote the ACLs on the Central perimeter router instructionsuivante to allow traffic to permit ip 3005 - acl 101 all 193.188.X.X (address of the hub)

  I get the following message appears when I try to ping a local host in the Central site.

  Can Anyoune give me the correct steps to 827 and 3005.

  Thank you

  CCNP Ansar.

  ------------------------------------------------------------------------------------------------------

  Debug crypto ISAKMP

  encryption of debugging engine

  Debug crypto his

  debug output

  ------------------

  1d20h: IPSEC (sa_request):,.

  (Eng. msg key.) Local OUTGOING = 172.22.113.41, distance = 193.188.108.165.

  local_proxy = 202.71.244.160/255.255.255.240/0/0 (type = 4),

  remote_proxy = 128.128.1.78/255.255.255.255/0/0 (type = 1),

  Protocol = ESP, transform = esp - esp-md5-hmac.

  lifedur = 3600 s and KB 4608000,

  SPI = 0x83B8AC1B (2209917979), id_conn = 0, keysize = 0, flags = 0x400D

  1d20h: ISAKMP: ke received message (1/1)

  1d20h: ISAKMP: 500 local port, remote port 500

  1d20h: ISAKMP (0:1): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

  Former State = new State IKE_READY = IKE_I_MM1

  1d20h: ISAKMP (0:1): early changes of Main Mode

  1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE

  1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE...

  1d20h: ISAKMP (0:1): will increment the error counter on his: retransmit the phase 1

  1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE

  1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE

  1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE...

  1d20h: ISAKMP (0:1): will increment the error counter on his: retransmit the phase 1

  1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE

  1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE

  1d20h: IPSEC (key_engine): request timer shot: count = 1,.

  You must also allow the esp Protocol in your ACL.

  access-list 101 permit esp any host x.x.x.x (address of the hub)

  Hope this helps,

  -Nairi

• Questions of VPN tunnel

  People,

  You can help me understand how I can fix the following issues I have with a 1721 router (Version 12.3 (8) T5) and client VPN 4.6.01.x please.

  BTW, the server at 192.168.3.2 is a file, DNS, WINS server and proxy for the LAN environment. All the staff of the PC is required to use the proxy but visitors on the 192.168.2.0 network can access the internet directly.

  Back to my questions. I have the obligation to set up a VPN tunnel to connect to a PC that is running Terminal Server services / remote desktop on a PC to 192.168.1.9. When running the VPN software on the laptop I get a login prompt and everything seems fine. I ping the addresses of router and that works.

  But the three things I don't understand:

  1. I can't telnet with great success to the loopback address of the router, as well as other addresses 192.168.x.x. very well, but why is it possible that I can telnet to the 192.168.4.1 loopback address?

  2. I can't DRC to the server on 192.168.3.2. The server can (and) accepts connections on a subnet, I created the network of 192.168.6.x I put up as VLAN6 on SEA4 (the port of spare on the map of ether 4 ports). The only thing I did not in the configuration of the interface was the nat ip within the statement.

  3. I can't do a nslookup through the tunnel VPN (delays all the time) and neither can I http to the IIS server on the same 192.168.3.2 box. What I mean here is that other applications seem to work except telnet!)

  Then...:

  Why the telnet is so special? I thought that if I could telnet to the router, then I should be able to access the server. And before ask you, there is no firewall or whatever it is executed on the server by stopping this stupid connections. Hey, I'm the guy from router, not the jockey of server!

  I've managed to misinterpret the statement "corresponds to the address 105" in the cryptomap? The ACL would reflect the traffic flow both ways?

  I should have a statement of hash in the section of "crypto isakmp policy 5. The client indicates that the connection is OK then why should I need it?

  I appreciate your time to help. I was scratching my head a lot in the last two days.

  Timothy

  Your NAT config, it is what kills you here. You can telnet to the router interface, because then the NAT configuration does not take effect (because NAT doesn't happen for passing traffic THROUGH the router, FOR her). You must refuse the IPSec traffic to be NAT would have, otherwise, it does not match the encryption access list and is not encrypted on the way back.

  Your 100 access list is incorrect, remove it and add in the following:

  access-list 100 deny ip 192.168.0.0 0.0.255.255 192.168.5.0 0.0.0.255

  access-list 100 permit ip 192.168.0.0 0.0.255.255 everything

  That said NAT VPN traffic does 192.168.5.0, but NAT do it if he goes anywhere else (Internet).

  Also, you seem to have defined a map static encryption for your customer traffic, it is not used and may cause you problems with the list of access-105. Follow these steps to get rid of it and just use the dynamic encryption card:

  no card crypto clientmap 1

  You just need to have dynamic instance map (number 20) crypto left in your config file.

• How to change an existing in ASDM VPN tunnel?

  I currently have a VPN tunnel together upwards, but to change some of the configurations as making ikev2, replacing the SHA512 hash and change it in the DH group 14. I intend to do this in ASDM. I already created a group of tunnel ikev2 that I put the tunnel and created a Card Crypto that is configured with the right proposal ikev2 IPSec and Diffie-Hellman group. All other configurations such as the IP of Peer address and subnets configured and I'll work with the engineers at the other end of the tunnel to ensure that configurations are, I want to just make sure I'm not missing anything. Someone at - he never comes to change the configuration of an existing ASDM so tunnel, and it worked correctly? Here are the steps that I have will be taken as well as those I've already mentioned:

  -Edit the connection profile so that the name of group policy use the correct tunnel that was created for ikev2

  -Enter the pre-shared key local and remote pre-shared key ikev2 tab

  -Change the IKE Policy so that it uses the ikev2 policy that was created to use SHA512

  -Modify the IPSEC proposal so that it uses AES256-SHA512

  -THE CRYPTO MAP IS ALREADY CREATED

  -Change the secret of transfer perfect in group 14

  Hello

  Let me go through your questions to clarify this double:

  1. If I have a Crypto map applied to my external interface with a proposal of IPSec of ikev1 can I just add a proposal ikev2 in this Crypto map as well?

  If you have a card encryption applied to different peers outside and 3 with different order number, you will need to replace the proposal for the peer using IKEv2: IKEv2 IKEv1, the others must continue to use their IKEv1 IPSec proposal.

  2. so can I add an ikev2 with AES256 SHA512 hash proposal to my 123.123.123.456 tunnel group and continue to have all three tunnel groups always pass traffic? What happens if I add the proposal ikev2, but REMOVE the ikev1 this group of tunnel proposal because I don't want this group of tunnel use one other than AES256-SHA512 hash?

  123.123.123.456 - ikev2 - AES256-SHA512

  I would like to expand this a little more, if her counterpart 123.123.123.456, must use IKEv2, you need to declare the IKEv2 in the tunnel group and add the relevant "Local and remote PSK"--> is for phase 1, and this means that it will use the IKEv2 defined policy before, and IPSec IKEv2 proposal is on phase 2, where the encryption card is you will need to replace the IKEv1 and use IPSec IKEv2 proposal. That way it will use for the phase 1 of the policy of IKEv2, that you set and defined transformation IKEv2, by making this change make sure that both sides are mirrored with IKEv2 and IPSec policy projects, as well as the tunnel will remain and will come with the new proposals.

  This custom affect no matter what another tunnel, as long as you change the settings to the correct tunnel group and do not delete all the proposals, simply remove the profile connection, those employees.

  3. you know what I mean? All groups of three tunnels on that off interface use different cryptographic cards, with only two of the three using ikev1 as a proposal of IPSec. Which will work?

  You can only have one card encryption applied by interface, and 3 tunnels using different sequence number with the same crypto map name, you cannot 2 tunnels on the same card encryption using IKEV1, and always in the same encryption card have the third tunnel using IKEv2 (different transformation defined using IKEv2). This custom cause no problem. 

  4. what Group Policy DfltGrpPolicy? Currently use all my groups of tunnel, but it is configured for ikev1. I'm not really sure what role is in everything it can so I simply add ikev2?

  Default group policy is added by default to all your groups of tunnel (connection profile), whenever create you one default group policy is inherited him by default, you can change to group policy that you can create, group policy is a set of attributes that will be used to define something or limit , for example, for a site, you can configure a VPN filter (filters the traffic that goes through the tunnel), now back to your topic, you define the protocols that will be negotiated as for an L2L IKEv1 or IKEv2, Anyconnect SSL or IKEv2, on default group policy, and so on, it is therefore important that you add the IKEv2 , so trading will be permitted, or both to create a new group policy and add the IKEv2 Protocol; and in the tunnel group, add the group policy relevant, that you just created.

  I hope that this is precisely, keep me posted!

  Please go to the note, and mark it as correct this post and the previous that it helped you!

  David Castro,

• VPN tunnel between 3 places

  Expertise of expensive

  Recently we hava configured vpn tunnel between two locations. Want to create a tunnel vpn on a third location. What configuration will be valid on the version of firewall cisco PIX 501 6.3.4.

  Please see thr existing pix config at two location.

  Please post the latest config?