Impossible to deliver traffix VPN Tunnel

Similar Questions

• LRT224 impossible to deal simultaneously with more than one VPN tunnel?

  We have configured a client to gateway VPN tunnel group and six in the tunnels of single user gateway on a LRT224. Each unique connection works perfectly using Shrew soft client. But when we try to connect with a second tunnel, the first tunnel disconnects. It seems that the LRT224 cannot process more than one VPN tunnel at the same time? Is there any configuration, that we would have missed?

  TLR log seem to indicate that the Shrew Soft customers use all 192.168.30.0 that their IP address instead of a random IP address in this range.

  Try to set each Shrew Soft client with a specific IP address in the 192.168.30.1 - 50 rank instead of ' use virtual adapter and address randomly.

• Impossible to establish a VPN between AG241 and WAG54GP2 tunnel

  Hello

  This is my first post on this forum and I send my best regards to everyone!

  I signed up because I have a problem with establishing a VPN tunnel between an AG241 modem/router and a modem/router WAG54GP2 with wireless and VoIP.

  The scenario is simple: both ends have dynamic IP, so I set up an account with dyndns.org for both routers.

  WAG54GP2 has 192.168.1.1/255.255.255.0 AG241 has 192.168.3.254/255.255.255.0 IP and IP.

  In both routers, I turned block anonymous internet requests, so I can ping both routers.

  This is the configuration of WAG54GP2:

  VPN Passthrough
  IPSec PassThrough: activate
  Intercommunication PPPoE: activate
  PPTP PassThrough: enable
  L2TP PassThrough: enable

  IPSec VPN tunnel
  Select the Tunnel: 1
  VPN IPSec tunnel: enabled
  Tunnel name: Office

  Local security group:
  Subnet
  IP: 192.168.1.0
  Mask: 255.255.255.0

  Local security gateway: PVC 1 (ppp0)

  Remote secure group:
  IP: 192.168.3.0
  Mask: 255.255.255.0

  Remote security gateway:
  IP Addr.
  The remote router's public IP address IP address: w.x.y.z.
  Encryption: THE (I also tried 3DES and disabled)
  Authentication: SHA

  Key management:
  Auto. (IKE)
  PFS: enabled
  Pre-shared Key: the password I chose
  Life key: 3600 Sec.

  Advanced settings

  Phase 1
  Mode of operation: main mode (I also tried aggressive mode)

  Proposal1
  Encryption: A
  Authentication: SHA
  Group: 768 bits
  Life key: 3600 sec.

  Proposition2
  Encryption: ESP_NULL
  Authentication: SHA
  Group: 768 bits
  Life key: 3600 sec.

  Another parameter
  NAT traversal not verified
  NetBIOS broadcast Checked
  Anti-reponse not checked
  Keep-Alive not verified
  If IKE 5 times failedmore
  Not checked

  This is the AG241 configuration:

  VPN Passthrough
  IPSec PassThrough: activate
  Intercommunication PPPoE: activate
  PPTP PassThrough: enable
  L2TP PassThrough: enable

  IPSec VPN tunnel
  Select the Tunnel: 1
  VPN IPSec tunnel: enabled
  Name of the tunnel: user 1

  Local security group:
  Subnet
  IP: 192.168.3.0
  Mask: 255.255.255.0

  Local security gateway: PVC 1 (ppp0)

  Remote secure group:
  IP: 192.168.1.0
  Mask: 255.255.255.0

  Remote security gateway:
  Any

  Key management:
  Auto. (IKE)
  PFS: enabled
  Pre-shared Key: the same password I put on the WAG54GP2
  Life key: 3600 Sec.

  Advanced settings

  Phase 1
  Mode of operation: main mode (I also tried aggressive mode)

  Proposal1
  Encryption: A
  Authentication: SHA
  Group: 768 bits
  Life key: 3600 sec.

  Proposition2
  Encryption: A
  Authentication: SHA
  Group: 768 bits
  Life key: 3600 sec.

  Another parameter
  NAT traversal not verified
  NetBIOS broadcast Checked
  Anti-reponse not checked
  Keep-Alive not verified
  If IKE 5 times failedmore
  Not checked

  When I click on Connect the WAG54GP2 router, do not access and in the newspapers, I see:

  2009 07-30 T 16: 16:10 + 01:00 IKE ["Board"] Tx > MM_I1: SA w.x.y.z.

  2009 07-30 T 16: 16:20 + 01:00 IKE ["Board"] ERROR: message w.x.y.z. port 500: connection refused

  If I use the dynamic FQDN instead of the dynamic IP (w.x.y.z.) change of message for:

  2009 07-30 T 16: 46:16 + 01:00 IKE ["Board"] ERROR: problem of remote domain name Security Gateway!

  Is there someone who could help me build this tunnel?

  A big thank you to everyone who will help me!

  Cinghiuz

  If you are Encountering difficulties connecting to the VPN Tunnel using a router ADSL modem you should see this

  Also, make sure that you have the latest firmware installed on your entry door and change the MTU setting...

• Impossible to pass traffic through the VPN tunnel

  I have an ASA 5505 9.1 running.   I have the VPN tunnel connection, but I am not able to pass traffic. through the tunnel. Ping through the internet works fine.

  Here is my config

  LN-BLF-ASA5505 > en
  Password: *.
  ASA5505-BLF-LN # sho run
  : Saved
  :
  : Serial number: JMX1216Z0SM
  : Material: ASA5505, 256 MB RAM, 500 MHz Geode Processor
  :
  ASA 5,0000 Version 21
  !
  LN-BLF-ASA5505 hostname
  domain lopeznegrete.com
  activate the password
  volatile xlate deny tcp any4 any4
  volatile xlate deny tcp any4 any6
  volatile xlate deny tcp any6 any4
  volatile xlate deny tcp any6 any6
  volatile xlate deny udp any4 any4 eq field
  volatile xlate deny udp any4 any6 eq field
  volatile xlate deny udp any6 any4 eq field
  volatile xlate deny udp any6 any6 eq field
  passwd
  names of
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  interface Vlan1
  nameif inside
  security-level 100
  IP 192.168.116.254 255.255.255.0
  OSPF cost 10
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP 50.201.218.69 255.255.255.224
  OSPF cost 10
  !
  boot system Disk0: / asa915-21 - k8.bin
  passive FTP mode
  DNS server-group DefaultDNS
  domain lopeznegrete.com
  network obj_any object
  subnet 0.0.0.0 0.0.0.0
  the LNC_Local_TX_Nets object-group network
  Description of internal networks Negrete Lopez (Texas)
  object-network 192.168.1.0 255.255.255.0
  object-network 192.168.2.0 255.255.255.0
  object-network 192.168.3.0 255.255.255.0
  object-network 192.168.4.0 255.255.255.0
  object-network 192.168.5.0 255.255.255.0
  object-network 192.168.51.0 255.255.255.0
  object-network 192.168.55.0 255.255.255.0
  object-network 192.168.52.0 255.255.255.0
  object-network 192.168.20.0 255.255.255.0
  object-network 192.168.56.0 255.255.255.0
  object-network 192.168.59.0 255.255.255.0
  object-network 10.111.14.0 255.255.255.0
  object-network 10.111.19.0 255.255.255.0
  the LNC_Blueleaf_Nets object-group network
  object-network 192.168.116.0 255.255.255.0
  access outside the permitted scope icmp any4 any4 list
  extended outdoor access allowed icmp a whole list
  outside_1_cryptomap list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
  inside_nat0_outbound list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
  LNC_BLF_HOU_VPN list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
  pager lines 24
  Enable logging
  asdm of logging of information
  Within 1500 MTU
  Outside 1500 MTU
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 741.bin
  don't allow no asdm history
  ARP timeout 14400
  no permit-nonconnected arp
  !
  network obj_any object
  NAT dynamic interface (indoor, outdoor)
  outside access-group in external interface
  !
  router ospf 1
  255.255.255.255 network 192.168.116.254 area 0
  Journal-adj-changes
  default-information originate always
  !
  Route outside 0.0.0.0 0.0.0.0 50.201.218.94 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  identity of the user by default-domain LOCAL
  the ssh LOCAL console AAA authentication
  AAA authentication enable LOCAL console
  Enable http server
  http 192.168.2.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
  Crypto ipsec pmtu aging infinite - the security association
  card crypto outside_map 1 match address outside_1_cryptomap
  peer set card crypto outside_map 1 50.201.218.93
  card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1
  outside_map interface card crypto outside
  Crypto ca trustpoint _SmartCallHome_ServerCA
  no use of validation
  Configure CRL
  trustpool crypto ca policy
  Crypto ca certificate chain _SmartCallHome_ServerCA
  certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
  308204 4 a0030201 d 308205ec 0202106e cc7aa5a7 032009b 8 cebcf4e9 52d 49130
  010105 05003081 09060355 04061302 55533117 ca310b30 0d 864886f7 0d06092a
  30150603 55040 has 13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
  13165665 72695369 676e2054 72757374 204e6574 776f726b 313 has 3038 06035504
  0b 133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
  20617574 7a 656420 75736520 6f6e6c79 31453043 06035504 03133c 56 686f7269
  65726953 69676e20 436c 6173 73203320 5075626c 69632050 72696 72792043 61 d
  65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
  30303230 38303030 3030305a 170d 3230 30323037 32333539 35395a 30 81b5310b
  30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
  496e632e 311f301d 06035504 0b 131656 65726953 69676e20 54727573 74204e65
  74776f72 6b313b30 5465726d 20757365 20617420 73206f66 39060355 040b 1332
  68747470 7777772e 733a2f2f 76657269 7369676e 2e636f6d 2f727061 20286329
  302d 0603 55040313 26566572 69536967 61737320 33205365 6e20436c 3130312f
  63757265 20536572 76657220 20473330 82012230 0d06092a 864886f7 4341202d
  010101 05000382 010f0030 82010 0d has 02 b187841f 82010100 c20c45f5 bcab2597
  a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
  9c688b2e 957b899b 13cae234 34c1f35b f3497b62 d188786c 83488174 0253f9bc
  7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
  15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
  1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 63cd
  18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
  4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
  81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 01 has 38201 02030100 df308201
  082b 0601 05050701 01042830 26302406 082 b 0601 db303406 05050730 01861868
  7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1 d 130101
  ff040830 02010030 70060355 b 200469 30673065 060, 6086 480186f8 1 d 060101ff
  45010717 03305630 2806082b 06010505 07020116 1 c 687474 70733a2f 2f777777
  2e766572 69736967 6e2e636f 6d2f6370 73302 has 06 082 b 0601 05050702 02301e1a
  1 c 687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
  03551d1f 042d302b 3029 has 027 a0258623 68747470 3a2f2f63 726c2e76 65726973
  69676e2e 636f6d2f 2d67352e 70636133 63726c 30 0e060355 1d0f0101 ff040403
  02010630 6d06082b 06010505 07010c 59305730 55160969 5da05b30 04 61305fa1
  6 d 616765 2f676966 3021301f 2b0e0302 30070605 1a04148f e5d31a86 ac8d8e6b
  c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
  69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
  1 b 311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301D 0603
  445 1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 c 1604140d 551d0e04
  1 230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300 d 0609 d
  2a 864886 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 f70d0101
  4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
  b2227055 d9203340 3307c 265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
  99 c 71928 8705 404167d 1 273aeddc 866d 24f78526 a2bed877 7d494aca 6decd018
  481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
  b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
  5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
  6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
  6c2527b9 deb78458 c61f381e a4c4cb66
  quit smoking
  crypto isakmp identity address
  Crypto isakmp nat-traversal 1500
  Crypto ikev1 allow outside
  IKEv1 crypto policy 10
  preshared authentication
  aes-256 encryption
  sha hash
  Group 5
  life 86400
  IKEv1 crypto policy 65535
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH stricthostkeycheck
  SSH 0.0.0.0 0.0.0.0 inside
  SSH 0.0.0.0 0.0.0.0 outdoors
  SSH timeout 5
  SSH version 2
  SSH group dh-Group1-sha1 key exchange
  Console timeout 0
  management-access inside

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  attributes of Group Policy DfltGrpPolicy
  Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
  username
  username
  tunnel-group 50.201.218.93 type ipsec-l2l
  IPSec-attributes tunnel-group 50.201.218.93
  IKEv1 pre-shared-key *.
  NOCHECK Peer-id-validate
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the netbios
  inspect the rsh
  inspect the rtsp
  inspect the skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect the tftp
  inspect the sip
  inspect xdmcp
  Review the ip options
  !
  global service-policy global_policy
  context of prompt hostname
  call-home service
  anonymous reporting remote call
  call-home
  contact-email-addr [email protected] / * /
  Profile of CiscoTAC-1
  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
  email address of destination [email protected] / * /
  destination-mode http transport
  Subscribe to alert-group diagnosis
  Subscribe to alert-group environment
  Subscribe to alert-group monthly periodic inventory
  monthly periodicals to subscribe to alert-group configuration
  daily periodic subscribe to alert-group telemetry
  Cryptochecksum:e519f212867755f697101394f40d9ed7
  : end
  LN-BLF-ASA5505 #.

  Assuming that you have an active IPSEC security association (i.e. "show crypto ipsec his" shows the tunnel is up), please perform a packet trace to see why it's a failure:

   packet-tracer input inside tcp 192.168.116.1 1025 192.168.1.1 80 detail

  (simulating a hypothetical customer of blue LNC tries to navigate to a hypothetical LNC TX Local site server)

• Impossible to achieve secondary with VPN tunnel

  Hello

  I configured a Cisco Pix Firewall to my VPN tunnels and which works fine when I connect to the local network where the Pix is connected.

  When I want to communicate with a server on a secondary location over the vpn tunnel I get no response.

  The pix can ping the server, but I can't ping the server via the vpn tunnel rooms

  PIX from IP 10.1.0.254

  Router 10.1.10.254 IP address

  Secondary router IP address 10.2.10.254

  Secondary server IP address 10.2.0.1

  The default gateway on the local network is 10.1.10.254

  This router is a gre tunnel 3 of to 10.2.10.254

  On this router, there is a default route for the pix (for internet).

  Hello...

  Make sure that you send the IP pool configured on the PIX of the secondary router/server. just try to ping the IP address that the VPN client is obtained from the server...

  You must also make sure that you add this subnet secondary access sheep... otherwise list your ip pool will see the natted IP server...

  on sheep access list, allow all traffic from the pool of secondary for the IP pool...

  I hope this helps... all the best...

• Impossible to reconnect the VPN to ASA on the internet

  Hello

  I ASA5540 running IOS 8.04 - K8, users are able to the VPN connection over the internet but impossible to reconnect the VPN when users disconnected abnormally (abnormally means they are not manually disconnect, VPN disconnect everything manually without problem occur). ASA showing an active session of the disconnected user and the user having reason 433 at the re-login VPN.

  Any suggestion and recommendation for this case.

  Awaiting your repies.

  Thank you very much.

  Kind regards

  Arsalan

  Hello

  under the tunnel-group, try to reduce the keepalive interval... Can help detect that the peer is down faster...

  Best wishes

  McLaughlin

• SBS 2008 office1 Serv2008 Office 2 need to share assets between them via a site to site VPN tunnel

  Hi all.

  I really need help on this one.

  The office 1 installer running SBS2008 Office 2 running Server 2008.

  Each firm has its own FQDN Office 1 CompanyABC 2 A_B_C of the company office.

  Each firm has its own internal IP address pool Office 1 192.168.69.xxx and office 192.168.20.xxx 2.

  Site to site VPN tunnel between 2 office routers Netgear SRX5308 1 and 2 Netgear FVS318G Office established and working.

  Each firm has its own DNS server and acts as a domain controller

  How to configure the 2 networks to see each other and be able to use assets on every network (files, printers)?

  Is it so simple that the addition of another pool internal IP for each DNS server?

  Thanks in advance for your help.

  Hello

  Your Question is beyond the scope of this community.

  I suggest that repost you your question in the Forums of SBS.

  https://social.technet.Microsoft.com/forums/en-us/home?Forum=smallbusinessserver

  "Windows Small Business Server 2011 Essentials online help"

  https://msdn.Microsoft.com/en-us/library/home-client.aspx

  TechNet Server forums.

  http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer

  See you soon.

• 3500 x vpn tunnel

  I need to establish a vpn connection between my office and a computer over the internet, allowing access to the internal of the outside lan. I have a problem with my router and I am looking for a new.

  Can I use x 3500 to establish a pptp vpn tunnel or it can work only as vpn passthrough?

  This modem/router supports VPN passthrough for IPSec, PPTP and L2TP only. Try VPN Linksys Gigabit routers like the series of the LRT.

• RV042 VPN tunnel with Samsung Ubigate ibg2600 need help

  Hi all, ok before I completely remove all of my hair, I thought stop by here and ask the volume for you all with the hope that someone can track down the problem.

  In short I am configuring a 'Gateway to gateway' vpn tunnel between two sites, I don't have access to the config of the router from Samsung, but the ISPS making sure that they followed my setup - watching newspapers RV042, I don't however see the reason for the failure - im no expert vpn...

  Sorry if the log file turns on a bit, I didn't know where the beginning and the end was stupid I know... any advice would be greatly welcomed lol.

  System log
  Current time: Fri Sep 2 03:37:52 2009 all THE Log Log Log Log VPN Firewall Access system
   
  Time
  Type of event Message
  2 sep 03:36:01 2009 value of VPN Log [Tunnel negotiation Info] Inbound SPI = c3bdba08
  2 sep 03:36:01 2009 value of outbound SPI VPN Log [Tunnel negotiation Info] = c664c1ca
  2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > initiator send fast Mode 3rd package
  2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] Quick Mode Phase 2 SA established, IPSec Tunnel connected
  2 sep 03:36:02 2009 VPN journal Dead Peer Detection start, DPD delay = timeout = 10 sec 10 sec timer
  2 sep 03:36:02 2009 VPN received log delete SA payload: ISAKMP State #627 removal
  2 sep 03:36:02 2009 VPN Log Main Mode initiator
  2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > Send main initiator Mode 1 package
  2 sep 03:36:02 2009 charge of VPN journal received Vendor ID Type = [Dead Peer Detection]
  2 sep 03:36:02 2009 VPN Log [Tunnel negotiation of Info]< initiator="" received="" main="" mode="" 2nd="" packet="">
  2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > initiator send Mode main 3rd package
  2 sep 03:36:03 2009 VPN Log [Tunnel negotiation of Info]< initiator="" received="" main="" mode="" 4th="" packet="">
  2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > main initiator Mode to send 5 packs
  2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > initiator receive hand Mode 6 Pack
  2 sep 03:36:03 2009 log VPN main mode peer ID is ID_IPV4_ADDR: '87.85.xxx.xxx '.
  2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN Mode main Phase 1 SA established
  2 sep 03:36:03 2009 log VPN [Tunnel negotiation Info] initiator Cookies = c527 d584 595 c 2c3b
  2 sep 03:36:03 2009 log VPN [Tunnel negotiation Info] responder Cookies = b62c ca31 1a5f 673f
  2 sep 03:36:03 2009 log quick launch Mode PSK VPN + TUNNEL + PFS
  2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > initiator send fast Mode 1 package
  2 sep 03:36:04 2009 VPN Log [Tunnel negotiation of Info]< initiator="" received="" quick="" mode="" 2nd="" packet="">
  2 sep 03:36:04 2009 value of VPN Log [Tunnel negotiation Info] Inbound SPI = c3bdba09
  2 sep 03:36:04 2009 value of outbound SPI VPN Log [Tunnel negotiation Info] = e3da1469
  2 sep 03:36:04 2009 VPN Log [Tunnel negotiation Info] > initiator send fast Mode 3rd package
  2 sep 03:36:04 2009 VPN Log [Tunnel negotiation Info] Quick Mode Phase 2 SA established, IPSec Tunnel connected
  2 sep 03:36:04 2009 VPN journal Dead Peer Detection start, DPD delay = timeout = 10 sec 10 sec timer
  2 sep 03:36:05 2009 VPN received log delete SA payload: ISAKMP State #629 removal

  PFS - off on tada and linksys router does not support the samsung lol! connected!

• VPN connected, stream out of VPN tunnel

  I mean that we have in place of the VPN Sites manage to sites with 2 RV042 router but it seams not as I wanted. Are you sure that each transfer of data through Router 2 will go into the VPN tunnel or it shuts down the VPN tunnel. I checked the routing table and saw that:

  Sources mask Gateway Interface

  2 1 or wan wan IP 255.255.255.0 ipsec0 private

  By default 0.0.0.0 (ip wan 1 or 2) wan1 or wan2

  .........

  So what you think what sense data will pass through the line, it will go through the ipsec section or through wan1 or wan2. Ofcouse each data will pass through wan1 or wan2, but it can go inside the ipsec tunnel or ipsec outside tunnel. If she goes inside the ipsec tunnel, everything is ok, but if this isn't the case, transfer of unsecured data. I'm trying to access some website is not in private ip and it was outside ipsec tunnel go, I can capture and now that you have access.

  Why with linksys have 2 work as draytek product even photos follow:

  

  

  Can someone help me to answer this question, thank you for your attention

  1. it depends on what the tunnels of your business allows. As I've written before, there are other protocols that allows you to route traffic through the VPN tunnel. Only IPSec cannot do this. For example, if your company uses GRE over IPSec then they can route traffic through their tunnels. Your RV does not support this.

  2. If it's really plain IPSec then you cannot configure several subnets. You can try to implement the security group remote as a subnet more grand, such as 10.0.0.0/8. Of course the groups must match on both sides.

  3. If you want to route all traffic through the tunnel, and then try to set the local/remote security to 0.0.0.0/0.0.0.0 group. Maybe it works.

  The configuration of IPSec in the RV042 does not allow extremely complex configurations. It's mainly to connect two subnets between them.

• VPN tunnel cascade w / SW NSA FWs

  

  Hello

  I have questions about VPN cascading between 3 firewall SonicWALL NSA. Let me explain my situation and what I want to achieve.

  As shown in the diagram above, I have 3 branches connected to the Internet, which advanced to the LAN is the NSA SW FW. There is a VPN tunnel between each site: Site_A Site_ B, Site_A Site_ C, Site_B Site_ C. The Internet of the Site A traffic is redirected to the Site B. This Site A Cross Site B to access the Internet and LAN B. Site A through C access LAN C Site.

  My question is: is it possible to remove the tunnel VPN Site_A-Site_C to and instead, through Site B to C LAN access? If so, how you can achieve this configuration?

  What worries me is the VPN tunnel options that allow you to redirect all Internet traffic or a specific destination of LAN through objects (screenshots from Site A) address:

  

  

  Without the redirection of Internet traffic, I thought about creating a group of addresses, including 2 B LAN and LAN C address objects. But I want to keep the Internet through Site B traffic redirection.

  What do you think?

  Thanks in advance for your help.

  Hello

  My comments below:

  If you route indeed all traffic from A to B, the following must fill.

  1. remove the tunnel A C

  Ok.

  2. site B will have A subnet that is defined as a local resource for C

  Do you mean this by local resource?

  

  3 C is going to have A subnet defined as remote resource

  Ok.

  If you route any traffic from A to B, the following must fill.

  First step would be to remove the tunnel VPN between A and C, but I guess that you have assumed that it was already done.

  1. define the C subnet as a remote resource on Site A

  Yes, like a remote network for the A - B VPN tunnel.

  2. tunnel of site B to A will need to subnet C defined as local resource

  Ok.

  3. tunnel of site B and C will need subnet defined as local resource

  Ok.

  4. the site will need to subnet C has defined as remote resource

  Yes.

  I'll do a test soon with 3 sites and see how it goes.

• Routing access to Internet through an IPSec VPN Tunnel

  Hello

  I installed a VPN IPSec tunnel for a friend's business. At his desk at home, I installed a Cisco SA520 and at it is remote from the site I have a Cisco RVS4000. The IPSec VPN tunnel works very well. The remote site, it can hit all of its workstations and peripheral. I configured the RVS4000 working in router mode as opposed to the bridge. In the Home Office subnet is 192.168.1.0/24 while the subnet to the remote site is 192.168.2.0/24. The SA520 is configured as Internet gateway for the headquarters to 192.168.1.1. The remote desktop has a gateway 192.168.2.1.

  I need to configure the remote site so that all Internet traffic will be routed via the Home Office. I have to make sure that whatever it is plugged into the Ethernet on the RVS4000 port will have its Internet traffic routed through the Internet connection on the SA520. Currently I can ping any device on the headquarters of the remote desktop, but I can't ping anything beyond the gateway (192.168.1.1) in the Home Office.

  Any help would be greatly appreciated.

  Thank you.

  Hi William, the rvs4000 does not support the tunnel or esp transfer wild-card.

• ASA Syslog via a VPN Tunnel

  Hi all

  I have a little problem concerning ASA and syslogs. I have a tunnel from site to site between a local ASA and ASA distance. Behind the ASA local, I have a central syslog server (which has no ASA as default gateway) which collects messages from all network devices and I want to get messages from the ASA remote as well.

  The tunnel protects traffic between local networks behind each ASA, which includes ASA inside remote interface as well. The problem is that if I specify on the SAA distance my syslog server it does not pass through the VPN tunnel. The ASA remote sees my server syslog as being 'outside' so he's using the external IP address as the source-interface for the syslog message. Which of course does not pass through the tunnel. As much as I know there is no way to configure the interface source for logging under the SAA, that you can do on a normal IOS router.

  I've found a few documents explaining this Setup on CCO, but they all imply I have extend the list for interesting traffic to access allow remote UDP/514 of the PIX traffic outside my local syslog server interface. This isn't something I want to do what I would get in routing complication in my LAN with a public IP address of the ASA remote.

  Any suggestions? I thought I could use some sort of NAT on the ASA remote so that all traffic for my local network a source the remote PIX is translated on the inside interface, which in theory should pass the package via the tunnel. I did not go so far.

  Any help is appreciated.

  Best regards

  Stefan

  You can define the interface that the ASA will use to send the newspapers "syslog_ip host record.

  Make sure you also do "access management".

  Then the SAA should source the syslogs from inside the interface, which is probably encrypted with the crypto ACL.

  I hope it helps.

  PK

• VPN tunnel between the concentrator 3005 and router Cisco 827

  I am trying to establish a VPN tunnel between the Central Office with VPN 3005 and controller branch Cisco 827 router.

  There is a router of perimeter with access set up in front of the 3005 list.

  I quote the ACLs on the Central perimeter router instructionsuivante to allow traffic to permit ip 3005 - acl 101 all 193.188.X.X (address of the hub)

  I get the following message appears when I try to ping a local host in the Central site.

  Can Anyoune give me the correct steps to 827 and 3005.

  Thank you

  CCNP Ansar.

  ------------------------------------------------------------------------------------------------------

  Debug crypto ISAKMP

  encryption of debugging engine

  Debug crypto his

  debug output

  ------------------

  1d20h: IPSEC (sa_request):,.

  (Eng. msg key.) Local OUTGOING = 172.22.113.41, distance = 193.188.108.165.

  local_proxy = 202.71.244.160/255.255.255.240/0/0 (type = 4),

  remote_proxy = 128.128.1.78/255.255.255.255/0/0 (type = 1),

  Protocol = ESP, transform = esp - esp-md5-hmac.

  lifedur = 3600 s and KB 4608000,

  SPI = 0x83B8AC1B (2209917979), id_conn = 0, keysize = 0, flags = 0x400D

  1d20h: ISAKMP: ke received message (1/1)

  1d20h: ISAKMP: 500 local port, remote port 500

  1d20h: ISAKMP (0:1): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

  Former State = new State IKE_READY = IKE_I_MM1

  1d20h: ISAKMP (0:1): early changes of Main Mode

  1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE

  1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE...

  1d20h: ISAKMP (0:1): will increment the error counter on his: retransmit the phase 1

  1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE

  1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE

  1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE...

  1d20h: ISAKMP (0:1): will increment the error counter on his: retransmit the phase 1

  1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE

  1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE

  1d20h: IPSEC (key_engine): request timer shot: count = 1,.

  You must also allow the esp Protocol in your ACL.

  access-list 101 permit esp any host x.x.x.x (address of the hub)

  Hope this helps,

  -Nairi

• Questions of VPN tunnel

  People,

  You can help me understand how I can fix the following issues I have with a 1721 router (Version 12.3 (8) T5) and client VPN 4.6.01.x please.

  BTW, the server at 192.168.3.2 is a file, DNS, WINS server and proxy for the LAN environment. All the staff of the PC is required to use the proxy but visitors on the 192.168.2.0 network can access the internet directly.

  Back to my questions. I have the obligation to set up a VPN tunnel to connect to a PC that is running Terminal Server services / remote desktop on a PC to 192.168.1.9. When running the VPN software on the laptop I get a login prompt and everything seems fine. I ping the addresses of router and that works.

  But the three things I don't understand:

  1. I can't telnet with great success to the loopback address of the router, as well as other addresses 192.168.x.x. very well, but why is it possible that I can telnet to the 192.168.4.1 loopback address?

  2. I can't DRC to the server on 192.168.3.2. The server can (and) accepts connections on a subnet, I created the network of 192.168.6.x I put up as VLAN6 on SEA4 (the port of spare on the map of ether 4 ports). The only thing I did not in the configuration of the interface was the nat ip within the statement.

  3. I can't do a nslookup through the tunnel VPN (delays all the time) and neither can I http to the IIS server on the same 192.168.3.2 box. What I mean here is that other applications seem to work except telnet!)

  Then...:

  Why the telnet is so special? I thought that if I could telnet to the router, then I should be able to access the server. And before ask you, there is no firewall or whatever it is executed on the server by stopping this stupid connections. Hey, I'm the guy from router, not the jockey of server!

  I've managed to misinterpret the statement "corresponds to the address 105" in the cryptomap? The ACL would reflect the traffic flow both ways?

  I should have a statement of hash in the section of "crypto isakmp policy 5. The client indicates that the connection is OK then why should I need it?

  I appreciate your time to help. I was scratching my head a lot in the last two days.

  Timothy

  Your NAT config, it is what kills you here. You can telnet to the router interface, because then the NAT configuration does not take effect (because NAT doesn't happen for passing traffic THROUGH the router, FOR her). You must refuse the IPSec traffic to be NAT would have, otherwise, it does not match the encryption access list and is not encrypted on the way back.

  Your 100 access list is incorrect, remove it and add in the following:

  access-list 100 deny ip 192.168.0.0 0.0.255.255 192.168.5.0 0.0.0.255

  access-list 100 permit ip 192.168.0.0 0.0.255.255 everything

  That said NAT VPN traffic does 192.168.5.0, but NAT do it if he goes anywhere else (Internet).

  Also, you seem to have defined a map static encryption for your customer traffic, it is not used and may cause you problems with the list of access-105. Follow these steps to get rid of it and just use the dynamic encryption card:

  no card crypto clientmap 1

  You just need to have dynamic instance map (number 20) crypto left in your config file.