VPN Phase 2 mismatch
I have a Phase 2 failure that I can't figure out, please help!
Here are the relevant configs.
ASA <---> Cisco 891F router, site-to-site VPN settings. I have the crypto maps applied to the outside interfaces and Phase 1 works fine; Phase 2 fails and says there is no Phase 2 match.
ASA
-------------
access-list outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_4 10.112.10.0 255.255.255.0
crypto ipsec ikev1 transform-set [name not preserved in the post] esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set Hollister esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set 3des-trans esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set test2 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set test1 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set test3 esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set peer 108.X
crypto map outside_map 1 set ikev1 transform-set 3des-trans test2 test3 test1
crypto map outside_map 1 set security-association lifetime seconds 43200
crypto map outside_map 1 set reverse-route
Router
--------------
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key XX address 71.X
!
!
crypto ipsec transform-set vpn_trans esp-aes esp-sha-hmac
 mode transport
crypto ipsec transform-set phase2 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set IPSEC2 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ipsec3 esp-aes
 mode tunnel
crypto ipsec transform-set ipsec4 esp-3des
 mode tunnel
crypto ipsec transform-set test1 esp-aes
 mode tunnel
crypto ipsec transform-set test2 esp-3des
 mode tunnel
!
crypto map vpn_map 10 ipsec-isakmp
 set peer 71.X
 set security-association lifetime seconds 43200
 match address 101
!
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.40.0.0 0.0.255.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.50.0.0 0.0.255.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.0.0.0 0.255.255.255
Add the following commands on the router:
crypto ipsec transform-set 3des_sha esp-3des esp-sha-hmac
crypto map vpn_map 10 ipsec-isakmp
 set transform-set 3des_sha
If this does not work, please provide the output of "show run object-group id DM_INLINE_NETWORK_4" from the ASA.
Kind regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
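The transform-set comparison behind the answer above, written out as an added example (this is not code from the original thread or from Cisco): a small Python checker that parses the transform-set and crypto-map lines from both sides in the form "show run" prints them (ASA keeps "mode transport" and "set ikev1 transform-set" on full lines, IOS indents " mode" and " set transform-set" under the preceding definition), then lists every pair of transform sets bound to the two crypto-map entries that agree on cipher, integrity and encapsulation mode. The embedded snippets are cut down from the two configurations in the question and the commands in the answer; "outside_map 1" and "vpn_map 10" are the entry names from the post. Object-group and ACL contents are out of scope here, only the proposals are compared.

```python
"""IKEv1 Phase 2 proposal check between a Cisco ASA and a Cisco IOS router.
Added example (not from the original thread): parses transform-set and crypto-map
lines as 'show run' prints them on each platform and lists the pairs that agree."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Transform keywords accepted on both platforms, grouped by the field they set.
TRANSFORMS = {
    "esp_cipher": {"esp-des", "esp-3des", "esp-aes", "esp-aes-192", "esp-aes-256", "esp-null"},
    "esp_auth": {"esp-md5-hmac", "esp-sha-hmac", "esp-none"},
    "ah_auth": {"ah-md5-hmac", "ah-sha-hmac"},
}
TS_RE = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


@dataclass
class TransformSet:
    name: str
    esp_cipher: Optional[str] = None   # None for an AH-only set
    esp_auth: Optional[str] = None     # None when ESP carries no integrity transform
    ah_auth: Optional[str] = None
    mode: str = "tunnel"               # ASA and IOS both default to tunnel mode

    def diff(self, other: "TransformSet") -> List[str]:
        """Fields on which the two sets disagree; empty means they are compatible."""
        return [f for f in ("esp_cipher", "esp_auth", "ah_auth", "mode")
                if getattr(self, f) != getattr(other, f)]


def parse(config: str) -> Tuple[Dict[str, TransformSet], Dict[str, List[str]]]:
    """Return ({set name: TransformSet}, {'map seq': [bound set names, in order]}).
    ASA keeps 'mode transport' and 'set ikev1 transform-set' on full lines; IOS puts
    ' mode ...' and ' set transform-set ...' indented under the preceding definition."""
    sets, maps = {}, {}
    last_set = last_map = None
    for raw in config.splitlines():
        indented, line = raw.startswith(" "), raw.strip()
        if not line or line == "!":
            continue
        if m := TS_RE.match(line):
            name, rest = m.groups()
            if rest.startswith("mode "):                       # ASA mode line
                sets[name].mode = rest.split()[1]
                continue
            ts = TransformSet(name)
            for tok in rest.split():
                field = next((f for f, kws in TRANSFORMS.items() if tok in kws), None)
                if field is None:
                    raise ValueError(f"unknown transform {tok!r} in {name}")
                setattr(ts, field, tok)
            sets[name] = last_set = ts
        elif m := MAP_RE.match(line):
            mapname, seq, rest = m.groups()
            last_map = f"{mapname} {seq}"
            maps.setdefault(last_map, [])
            if inline := re.match(r"set (?:ikev1 )?transform-set (.+)$", rest):  # ASA binding
                maps[last_map] = inline.group(1).split()
        elif indented and last_set is not None and line.startswith("mode "):
            last_set.mode = line.split()[1]                    # IOS mode line
        elif indented and last_map is not None and line.startswith("set transform-set "):
            maps[last_map] = line.split()[2:]                  # IOS binding
    return sets, maps


def phase2_matches(asa_cfg: str, asa_entry: str, ios_cfg: str, ios_entry: str) -> List[Tuple[str, str]]:
    """(ASA set, IOS set) pairs bound on both crypto-map entries that agree on every
    field, in the order the ASA lists its proposals."""
    asa_sets, asa_maps = parse(asa_cfg)
    ios_sets, ios_maps = parse(ios_cfg)
    return [(a, i) for a in asa_maps.get(asa_entry, []) for i in ios_maps.get(ios_entry, [])
            if not asa_sets[a].diff(ios_sets[i])]


# Cut down from the configurations in the question and the commands in the answer.
ASA_CFG = """
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set 3des-trans esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set test2 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set test1 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set test3 esp-aes-256 esp-sha-hmac
crypto map outside_map 1 set ikev1 transform-set 3des-trans test2 test3 test1
"""
IOS_CFG_BEFORE = """
crypto ipsec transform-set test1 esp-aes
 mode tunnel
crypto ipsec transform-set test2 esp-3des
crypto map vpn_map 10 ipsec-isakmp
 set peer 71.X
"""
IOS_CFG_AFTER = IOS_CFG_BEFORE + """
crypto ipsec transform-set 3des_sha esp-3des esp-sha-hmac
crypto map vpn_map 10 ipsec-isakmp
 set transform-set 3des_sha
"""

if __name__ == "__main__":
    print("before fix:", phase2_matches(ASA_CFG, "outside_map 1", IOS_CFG_BEFORE, "vpn_map 10"))
    print("after fix: ", phase2_matches(ASA_CFG, "outside_map 1", IOS_CFG_AFTER, "vpn_map 10"))
    asa, ios = parse(ASA_CFG)[0], parse(IOS_CFG_BEFORE)[0]
    print("same name, different content:", asa["test1"].diff(ios["test1"]))
```

Two things the output makes visible that the raw configs hide: before the fix the router's vpn_map 10 binds no transform set at all, so nothing can match regardless of what the ASA proposes; and the sets called test1 and test2 on the two boxes are not the same proposal (the router's carry no ESP integrity transform and test1 is 128-bit AES, the ASA's are esp-sha-hmac with AES-256), so matching names prove nothing. After the fix, 3des_sha agrees with both 3des-trans and test2 on the ASA side.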
Tags: Cisco Security
Similar Questions
-
Site to Site VPN Phase 2 problem
Hello
I have an IPsec VPN problem. We have an ASA 5580 building a site-to-site VPN with an ALU VPN gateway (the partner's). The VPN connection is not established. We have checked the configurations of both devices but have not found any problem so far. I ran debug crypto isakmp 127 and got the log below. We are still trying to find the root cause; could I have your advice on this problem, please? Thank you. (Actual IP addresses are changed for privacy.)
Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2
Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing ISAKMP SA payload
Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing Fragmentation VID + extended capabilities payload
Apr 08 10:43:45 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
Apr 08 10:43:45 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, processing ke payload
Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, processing ISA_KE payload
Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, processing nonce payload
Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing ke payload
Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing nonce payload
Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing Cisco Unity VID payload
Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing xauth V6 VID payload
Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, Send IOS VID
Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing VID payload
Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Apr 08 10:43:45 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Generating keys for Responder...
Apr 08 10:43:45 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Apr 08 10:43:45 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing ID payload
Apr 08 10:43:45 [IKEv1 DECODE]: Group = 1.1.1.1, IP = 1.1.1.1, ID_IPV4_ADDR ID received 1.1.1.1
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing notify payload
Apr 08 10:43:45 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing ID payload
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing hash payload
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing dpd vid payload
Apr 08 10:43:45 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 1 COMPLETED
Apr 08 10:43:45 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: None
Apr 08 10:43:45 [IKEv1]: IP = 1.1.1.1, Keep-alives configured on but peer does not support keep-alives (type = None)
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Starting P1 rekey timer: 21600 seconds.
Apr 08 10:43:45 [IKEv1 DECODE]: IP = 1.1.1.1, IKE Responder starting QM: msg id = 0dbcde8a
Apr 08 10:43:45 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=dbcde8a) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 524
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing SA payload
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing nonce payload
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing ke payload
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing ISA_KE for PFS in phase 2
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing ID payload
Apr 08 10:43:45 [IKEv1 DECODE]: Group = 1.1.1.1, IP = 1.1.1.1, ID_IPV4_ADDR ID received 2.2.2.2
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Received remote Proxy Host data in ID Payload: Address 2.2.2.2, Protocol 0, Port 0
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing ID payload
Apr 08 10:43:45 [IKEv1 DECODE]: Group = 1.1.1.1, IP = 1.1.1.1, ID_IPV4_ADDR ID received 3.3.3.3
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Received local Proxy Host data in ID Payload: Address 3.3.3.3, Protocol 0, Port 0
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, QM IsRekeyed old sa not found by addr
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = Outside_map, seq = 1...
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = Outside_map, seq = 1, ACL does not match proxy IDs src:2.2.2.2 dst:3.3.3.3
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = Outside_map, seq = 2...
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = Outside_map, seq = 2, ACL does not match proxy IDs src:2.2.2.2 dst:3.3.3.3
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = Outside_map, seq = 3...
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = Outside_map, seq = 3, ACL does not match proxy IDs src:2.2.2.2 dst:3.3.3.3
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = Outside_map, seq = 4...
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = Outside_map, seq = 4, ACL does not match proxy IDs src:2.2.2.2 dst:3.3.3.3
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = Outside_map, seq = 5...
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = Outside_map, seq = 5, ACL does not match proxy IDs src:2.2.2.2 dst:3.3.3.3
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = Outside_map, seq = 6...
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = Outside_map, seq = 6, ACL does not match proxy IDs src:2.2.2.2 dst:3.3.3.3
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = Outside_map, seq = 7...
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = Outside_map, seq = 7, ACL does not match proxy IDs src:2.2.2.2 dst:3.3.3.3
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = Outside_map, seq = 8...
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = Outside_map, seq = 8, ACL does not match proxy IDs src:2.2.2.2 dst:3.3.3.3
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = Outside_map, seq = 9...
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = Outside_map, seq = 9, ACL does not match proxy IDs src:2.2.2.2 dst:3.3.3.3
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 2.2.2.2/255.255.255.255/0/0 local proxy 3.3.3.3/255.255.255.255/0/0 on interface outside
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, sending notify message
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload
Apr 08 10:43:45 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=456db437) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 576
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, QM FSM error (P2 struct &0x3d51e058, mess id 0xdbcde8a)!
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, IKE QM Responder FSM error history (struct &0x3d51e058) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, sending delete/delete with reason message
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from correlator table failed, no match!
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, IKE SA MM:db841932 rcv'd Terminate: state MM_ACTIVE flags 0x00010042, refcnt 1, tuncnt 0
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, IKE SA MM:db841932 terminating: flags 0x01010002, refcnt 0, tuncnt 0
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, sending delete/delete with reason message
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing IKE delete payload
Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload
Apr 08 10:43:45 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=c1606511) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Apr 08 10:43:45 [IKEv1]: Ignoring msg to mark SA with dsID 2781184 dead because SA deleted
Apr 08 10:43:46 [IKEv1]: IP = 1.1.1.1, Received encrypted packet with no matching SA, dropping
Phase 1 completes successfully, but when the remote end sends the traffic that should match your crypto map and bring up a Phase 2 IPsec SA, it does not match:
Rejecting IPSec tunnel: no matching crypto map entry for remote proxy
Double-check that "2.2.2.2 to 3.3.3.3" is in the crypto map on your end (and that the reverse is configured on the remote side).
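The check the answer above describes, written out as an added example (not code from the original thread or from Cisco): it pulls the two proxy IDs out of the ASA's Quick Mode debug lines quoted in the question and tests them against a crypto ACL written in ASA syntax, reporting which ACE mirrors the peer's proposal exactly and which ACEs merely contain it. The ACL lines are constructed for illustration, since the question does not show the ASA's crypto ACL; the "IP Proxy Subnet ... Mask" form the parser also accepts is the standard ASA wording for subnet proxies and does not appear in this post. Only an exact mirror is counted as a match: whether a platform also accepts a proposal that only falls inside a wider ACE varies by platform and version, so those ACEs are listed separately as hints rather than as passes. Object-groups are not expanded, so expand them first where the ACL uses them.

```python
"""Proxy-ID check for an IKEv1 Quick Mode rejection on a Cisco ASA.
Added example (not from the original thread): takes the 'Received ... Proxy ... data in
ID Payload' lines from 'debug crypto isakmp' plus a crypto ACL in ASA syntax and reports
which ACE mirrors the peer's proposal exactly and which ACEs merely contain it."""
import ipaddress
import re
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

# The Host form is quoted in the question; the Subnet form with ', Mask x.x.x.x' is the
# standard ASA wording for subnet proxies (assumed here, it does not appear in the post).
PROXY_RE = re.compile(
    r"Received (?P<side>remote|local) (?:IP )?Proxy (?:Host|Subnet) data in ID Payload:\s+"
    r"Address (?P<addr>[\d.]+)(?:, Mask (?P<mask>[\d.]+))?, Protocol \d+, Port \d+")
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")


def parse_proxies(debug: str) -> Tuple[IPv4Net, IPv4Net]:
    """Return (local proxy, remote proxy) as networks; a Host proxy becomes a /32."""
    found = {}
    for m in PROXY_RE.finditer(debug):
        mask = m.group("mask") or "255.255.255.255"
        found[m.group("side")] = ipaddress.ip_network(f"{m.group('addr')}/{mask}")
    return found["local"], found["remote"]


def parse_ace(line: str) -> Optional[Tuple[str, IPv4Net, IPv4Net]]:
    """'access-list NAME extended permit ip SRC DST' -> (NAME, src_net, dst_net), else None.
    SRC/DST may be 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; object-groups are not expanded.
    An ACE with host bits set under its mask raises ValueError (strict network parsing)."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    toks = m.group(2).split()

    def take() -> IPv4Net:
        t = toks.pop(0)
        if t == "any":
            return ipaddress.ip_network("0.0.0.0/0")
        if t == "host":
            return ipaddress.ip_network(f"{toks.pop(0)}/32")
        return ipaddress.ip_network(f"{t}/{toks.pop(0)}")

    src = take()
    return m.group(1), src, take()


def check_crypto_acl(acl: str, debug: str) -> Tuple[List[str], List[str]]:
    """Return (ACEs that mirror the proposal exactly, ACEs that only contain it).
    The ASA crypto ACL is written local -> remote, so the local proxy is compared with
    the ACE source and the remote proxy with the ACE destination; a reversed ACE fails."""
    local, remote = parse_proxies(debug)
    exact, containing = [], []
    for line in acl.splitlines():
        ace = parse_ace(line)
        if ace is None:
            continue
        _, src, dst = ace
        if src == local and dst == remote:
            exact.append(line.strip())
        elif local.subnet_of(src) and remote.subnet_of(dst):
            containing.append(line.strip())
    return exact, containing


# The two proxy lines as quoted in the question (addresses already anonymised there).
DEBUG = """
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Received remote Proxy Host data in ID Payload: Address 2.2.2.2, Protocol 0, Port 0
Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Received local Proxy Host data in ID Payload: Address 3.3.3.3, Protocol 0, Port 0
"""
# Constructed ACLs (the question does not show the ASA's crypto ACL). The first has a
# wider ACE and a reversed one; the second adds the exact host-to-host mirror.
ACL_AS_POSTED = """
access-list outside_cryptomap extended permit ip 3.3.3.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip host 2.2.2.2 host 3.3.3.3
"""
ACL_FIXED = ACL_AS_POSTED + "access-list outside_cryptomap extended permit ip host 3.3.3.3 host 2.2.2.2\n"

if __name__ == "__main__":
    for label, acl in (("as posted", ACL_AS_POSTED), ("fixed", ACL_FIXED)):
        exact, containing = check_crypto_acl(acl, DEBUG)
        print(f"{label}: exact={exact} containing={containing}")
```

The reversed ACE (2.2.2.2 -> 3.3.3.3) is deliberately included: it is what you get by copying the peer's ACL verbatim instead of mirroring it, and it never matches because the ASA compares its local proxy with the ACE source. The /24 ACE shows up only as a "containing" hint, which is the case to look at when the peer proposes host or narrower identities than you configured.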
-
IPsec VPN Phase 2 not working. Need help with the debug output
Can someone please tell me why I can't establish the IPsec Phase 2 negotiation? I'm trying to connect a 2651XM to a PIX 501.
Here are the isakmp and ipsec debug output and the configs. I checked that the keys are the same, and the transform sets look OK. No idea why it's not working.
What is the output below telling me?
===========================================================
01:32:37: IPSEC(validate_transform_proposal): invalid local address 1.1.1.2
01:32:37: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
01:32:37: ISAKMP:(0:2:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.2 remote 1.1.1.3)
01:32:37: IPSEC(validate_transform_proposal): invalid local address 1.1.1.2
01:32:37: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
01:32:37: ISAKMP:(0:2:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.2 remote 1.1.1.3)
===============================================================================
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1154286426:bb32fca6
crypto_isakmp_process_block: src 1.1.1.2, dest 1.1.1.3
ISAKMP (0): processing NOTIFY payload 14 protocol 2
        spi 2224366689, message ID = 1503891776
ISAKMP (0): deleting spi 1629787524 message ID = 3140680870
return status is IKMP_NO_ERR_NO_TRANS
pixfirewall#
pixfirewall# sh crypto is
ISAKMP (0): beginning Quick Mode exchange, M-ID of 400184159:17da535f
crypto_isakmp_process_block: src 1.1.1.2, dest 1.1.1.3
ISAKMP (0): processing NOTIFY payload 14 protocol 2
        spi 2649583861, message ID = 1778335964
ISAKMP (0): deleting spi 4117818781 message ID = 400184159
return status is IKMP_NO_ERR_NO_TRANSakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
     1.1.1.2           1.1.1.3    QM_IDLE         0           0
pixfirewall#
ISAKMP (0): beginning Quick Mode exchange, M-ID of 923039456:370476e0
crypto_isakmp_process_block: src 1.1.1.2, dest 1.1.1.3
ISAKMP (0): processing NOTIFY payload 14 protocol 2
        spi 2163779852, message ID = 2746774364
ISAKMP (0): deleting spi 212465792 message ID = 923039456
return status is IKMP_NO_ERR_NO_TRANSexit
Logoff
CCC#sh cryp
CCC#sh crypto isakmp sa
dst             src             state          conn-id slot status
1.1.1.2         1.1.1.3         QM_IDLE              1    0 ACTIVE
CCC#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
CCC#ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
CCC#debug crypto isakmp
Crypto ISAKMP debugging is on
CCC#debug crypto ipsec
Crypto IPSEC debugging is on
CCC#debug crypto verbose
Crypto verbose debugging is on
CCC#ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
CCC#
00:51:24: ISAKMP (0:134217729): received packet from 1.1.1.3 dport 500 sport 500 Global (R) QM_IDLE
00:51:24: ISAKMP: set new node 1268073006 to QM_IDLE
00:51:24: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 1268073006
00:51:24: ISAKMP:(0:1:SW:1): processing SA payload. message ID = 1268073006
00:51:24: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
00:51:24: ISAKMP: transform 1, AH_SHA
00:51:24: ISAKMP:   attributes in transform:
00:51:24: ISAKMP:      encaps is 1 (Tunnel)
00:51:24: ISAKMP:      SA life type in seconds
00:51:24: ISAKMP:      SA life duration (basic) of 28800
00:51:24: ISAKMP:      SA life type in kilobytes
00:51:24: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
00:51:24: ISAKMP:      authenticator is HMAC-SHA
00:51:24: ISAKMP:(0:1:SW:1):atts are acceptable.
00:51:24: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
00:51:24: ISAKMP: transform 1, ESP_3DES
00:51:24: ISAKMP:   attributes in transform:
00:51:24: ISAKMP:      encaps is 1 (Tunnel)
00:51:24: ISAKMP:      SA life type in seconds
00:51:24: ISAKMP:      SA life duration (basic) of 28800
00:51:24: ISAKMP:      SA life type in kilobytes
00:51:24: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
00:51:24: ISAKMP:(0:1:SW:1):atts are acceptable.
00:51:24: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
    local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= AH, transform= ah-sha-hmac (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
00:51:24: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
    local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
00:51:24: IPSEC(validate_transform_proposal): invalid local address 1.1.1.2
00:51:24: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
00:51:24: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.2 remote 1.1.1.3)
00:51:24: ISAKMP: set new node -429221146 to QM_IDLE
00:51:24: ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 2
        spi 2237255312, message ID = -429221146
00:51:24: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.3 my_port 500 peer_port 500 (R) QM_IDLE
00:51:24: ISAKMP:(0:1:SW:1):purging node -429221146
00:51:24: ISAKMP:(0:1:SW:1):deleting node 1268073006 error TRUE reason "QM rejected"
00:51:24: ISAKMP (0:134217729): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: node 1268073006: state = IKE_QM_READY
00:51:24: ISAKMP:(0:1:SW:1):Node 1268073006, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:51:24: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_READY
00:51:24: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 1.1.1.3
00:51:54: ISAKMP (0:134217729): received packet from 1.1.1.3 dport 500 sport 500 Global (R) QM_IDLE
00:51:54: ISAKMP: set new node -500877443 to QM_IDLE
00:51:54: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -500877443
00:51:54: ISAKMP:(0:1:SW:1): processing SA payload. message ID = -500877443
00:51:54: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
00:51:54: ISAKMP: transform 1, AH_SHA
00:51:54: ISAKMP:   attributes in transform:
00:51:54: ISAKMP:      encaps is 1 (Tunnel)
00:51:54: ISAKMP:      SA life type in seconds
00:51:54: ISAKMP:      SA life duration (basic) of 28800
00:51:54: ISAKMP:      SA life type in kilobytes
00:51:54: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
00:51:54: ISAKMP:      authenticator is HMAC-SHA
00:51:54: ISAKMP:(0:1:SW:1):atts are acceptable.
00:51:54: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
00:51:54: ISAKMP: transform 1, ESP_3DES
00:51:54: ISAKMP:   attributes in transform:
00:51:54: ISAKMP:      encaps is 1 (Tunnel)
00:51:54: ISAKMP:      SA life type in seconds
00:51:54: ISAKMP:      SA life duration (basic) of 28800
00:51:54: ISAKMP:      SA life type in kilobytes
00:51:54: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
00:51:54: ISAKMP:(0:1:SW:1):atts are acceptable.
00:51:54: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
    local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= AH, transform= ah-sha-hmac (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
00:51:54: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
    local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
00:51:54: IPSEC(validate_transform_proposal): invalid local address 1.1.1.2
00:51:54: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
00:51:54: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.2 remote 1.1.1.3)
00:51:54: ISAKMP: set new node -701693099 to QM_IDLE
00:51:54: ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 2
        spi 2237255312, message ID = -701693099
00:51:54: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.3 my_port 500 peer_port 500 (R) QM_IDLE
00:51:54: ISAKMP:(0:1:SW:1):purging node -701693099
00:51:54: ISAKMP:(0:1:SW:1):deleting node -500877443 error TRUE reason "QM rejected"
00:51:54: ISAKMP (0:134217729): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: node -500877443: state = IKE_QM_READY
00:51:54: ISAKMP:(0:1:SW:1):Node -500877443, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:51:54: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_READY
00:52:14: ISAKMP:(0:1:SW:1):purging node 1268073006
CCC#sh crypto isakmp sa
dst             src             state          conn-id slot status
1.1.1.2         1.1.1.3         QM_IDLE              1    0 ACTIVE
CCC#ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
00:52:44: ISAKMP:(0:1:SW:1):purging node -500877443...
00:52:50: ISAKMP (0:134217729): received packet from 1.1.1.3 dport 500 sport 500 Global (R) QM_IDLE
00:52:50: ISAKMP: set new node 1186613650 to QM_IDLE
00:52:50: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 1186613650
00:52:50: ISAKMP:(0:1:SW:1): processing SA payload. message ID = 1186613650
00:52:50: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
00:52:50: ISAKMP: transform 1, AH_SHA
00:52:50: ISAKMP:   attributes in transform:
00:52:50: ISAKMP:      encaps is 1 (Tunnel)
00:52:50: ISAKMP:      SA life type in seconds
00:52:50: ISAKMP:      SA life duration (basic) of 28800
00:52:50: ISAKMP:      SA life type in kilobytes
00:52:50: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
00:52:50: ISAKMP:      authenticator is HMAC-SHA
00:52:50: ISAKMP:(0:1:SW:1):atts are acceptable.
00:52:50: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
00:52:50: ISAKMP: transform 1, ESP_3DES
00:52:50: ISAKMP:   attributes in transform:
00:52:50: ISAKMP:      encaps is 1 (Tunnel)
00:52:50: ISAKMP:      SA life type in seconds
00:52:50: ISAKMP:      SA life duration (basic) of 28800
00:52:50: ISAKMP:      SA life type in kilobytes
00:52:50: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
00:52:50: ISAKMP:(0:1:SW:1):atts are acceptable.
00:52:50: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
    local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= AH, transform= ah-sha-hmac (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
00:52:50: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
    local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
00:52:50: IPSEC(validate_transform_proposal): invalid local address 1.1.1.2
00:52:50: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
00:52:50: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.2 remote 1.1.1.3)
00:52:50: ISAKMP: set new node -1113601414 to QM_IDLE
00:52:50: ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 2
        spi 2237255312, message ID = -1113601414
00:52:50: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.3 my_port 500 peer_port 500 (R) QM_IDLE
00:52:50: ISAKMP:(0:1:SW:1):purging node -1113601414
00:52:50: ISAKMP:(0:1:SW:1):deleting node 1186613650 error TRUE reason "QM rejected"
00:52:50: ISAKMP (0:134217729): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: node 1186613650: state = IKE_QM_READY
00:52:50: ISAKMP:(0:1:SW:1):Node 1186613650, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:52:50: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_READY
00:52:50: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 1.1.1.3
Success rate is 0 percent (0/5)
CCC#
00:53:20: ISAKMP (0:134217729): received packet from 1.1.1.3 dport 500 sport 500 Global (R) QM_IDLE
00:53:20: ISAKMP: set new node 459446741 to QM_IDLE
00:53:20: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 459446741
00:53:20: ISAKMP:(0:1:SW:1): processing SA payload. message ID = 459446741
00:53:20: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
00:53:20: ISAKMP: transform 1, AH_SHA
00:53:20: ISAKMP:   attributes in transform:
00:53:20: ISAKMP:      encaps is 1 (Tunnel)
00:53:20: ISAKMP:      SA life type in seconds
00:53:20: ISAKMP:      SA life duration (basic) of 28800
00:53:20: ISAKMP:      SA life type in kilobytes
00:53:20: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
00:53:20: ISAKMP:      authenticator is HMAC-SHA
00:53:20: ISAKMP:(0:1:SW:1):atts are acceptable.
00:53:20: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
00:53:20: ISAKMP: transform 1, ESP_3DES
00:53:20: ISAKMP:   attributes in transform:
00:53:20: ISAKMP:      encaps is 1 (Tunnel)
00:53:20: ISAKMP:      SA life type in seconds
00:53:20: ISAKMP:      SA life duration (basic) of 28800
00:53:20: ISAKMP:      SA life type in kilobytes
00:53:20: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
00:53:20: ISAKMP:(0:1:SW:1):atts are acceptable.
00:53:20: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
    local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= AH, transform= ah-sha-hmac (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
00:53:20: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
    local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
00:53:20: IPSEC(validate_transform_proposal): invalid local address 1.1.1.2
00:53:20: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
00:53:20: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.2 remote 1.1.1.3)
00:53:20: ISAKMP: set new node -1692074376 to QM_IDLE
00:53:20: ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 2
        spi 2237255312, message ID = -1692074376
00:53:20: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.3 my_port 500 peer_port 500 (R) QM_IDLE
00:53:20: ISAKMP:(0:1:SW:1):purging node -1692074376
00:53:20: ISAKMP:(0:1:SW:1):deleting node 459446741 error TRUE reason "QM rejected"
00:53:20: ISAKMP (0:134217729): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: node 459446741: state = IKE_QM_READY
00:53:20: ISAKMP:(0:1:SW:1):Node 459446741, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:53:20: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_READY
00:53:40: ISAKMP:(0:1:SW:1):purging node 1186613650
00:53:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
00:54:10: ISAKMP:(0:1:SW:1):purging node 459446741
===============================================================================
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 1.1.1.3 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.10.0 255.255.255.0 inside
pdm location 10.10.10.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set Petaluma_VPN ah-sha-hmac esp-3des
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 1.1.1.2
crypto map outside_map 20 set transform-set Petaluma_VPN
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.5-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:8c0d4948407071d3515f1546cf8bc147
: end
pixfirewall#
=========================================================================
CCC#sh run
Building configuration...

Current configuration : 1328 bytes
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CCC
!
boot-start-marker
boot system flash c2600-adventerprisek9-mz.124-25d.bin
boot-end-marker
!
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
!
!
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 1.1.1.3
!
!
crypto ipsec transform-set Petaluma_VPN ah-sha-hmac esp-3des
!
crypto map Petaluma_1 1 ipsec-isakmp
 set peer 1.1.1.3
 set transform-set Petaluma_VPN
 match address 100
!
!
!
!
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 speed auto
 half-duplex
!
interface Serial0/0
 no ip address
 shutdown
 clock rate 56000
!
interface FastEthernet0/1
 ip address 10.10.10.2 255.255.255.0
 duplex auto
 speed auto
 crypto map Petaluma_1
!
ip forward-protocol nd
ip route 192.168.1.0 255.255.255.0 1.1.1.3
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end
CCC#
Hi David,
Looking at the router configuration, it seems that you have applied the crypto map to the wrong interface.
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 speed auto
 half-duplex
!
interface FastEthernet0/1
 ip address 10.10.10.2 255.255.255.0
 duplex auto
 speed auto
 crypto map Petaluma_1
Since the PIX will try to build the VPN tunnel to 1.1.1.2, crypto map Petaluma_1 must be applied to FastEthernet0/0, not FastEthernet0/1.
Let me know if it helps.
Thank you
Loren
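The crypto map in this thread is also a good place to see why phase 2 reports "no match" so often: quick mode carries the proxy identities each peer takes from its crypto ACL, and they only agree when one side's access list is the exact mirror of the other's. The check below is an added example (not code from the thread or from Cisco) that parses a PIX-style ACL (network masks) and an IOS-style ACL (wildcard masks) and reports entries lacking a mirrored counterpart. The two ACLs from the thread are used as input; the third ACL, with a /25 instead of a /24, is constructed to show a mismatch. The `host`/`any` handling and the function names are mine.

```python
"""Mirror check for IPsec crypto ACLs (added example, not code from the thread).

Phase 2 (quick mode) carries the proxy identities each peer takes from its
crypto ACL, so every permit entry on one side must appear with source and
destination swapped on the other. PIX 6.x access-lists use network masks
(255.255.255.0); IOS numbered access-lists use wildcard masks (0.0.0.255).
Both notations are handled, as are the "host" and "any" keywords.
"""
import ipaddress
import re

# The two crypto ACLs from the thread above (PIX outside_cryptomap_20 and IOS access-list 100).
PIX_CRYPTO_ACL = """
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
"""
IOS_CRYPTO_ACL = """
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
# Constructed mismatch: the router side only covers half of the 10.10.10.0/24 network.
IOS_CRYPTO_ACL_BAD = """
access-list 100 permit ip 10.10.10.0 0.0.0.127 192.168.1.0 0.0.0.255
"""

_PERMIT = re.compile(r"\bpermit\s+ip\s+(.*)$", re.IGNORECASE)


def _take_network(tokens, wildcard):
    """Consume one address specification from the token list and return an ip_network."""
    tok = tokens.pop(0).lower()
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if wildcard:
        # A wildcard mask is the bitwise inverse of the netmask: 0.0.0.255 -> 255.255.255.0.
        mask = str(ipaddress.ip_address(int(ipaddress.ip_address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_crypto_acl(text, wildcard):
    """Return the set of (source, destination) networks permitted by a crypto ACL.

    wildcard=True for IOS numbered/named ACLs, False for PIX mask notation.
    """
    entries = set()
    for line in text.splitlines():
        m = _PERMIT.search(line)
        if not m:
            continue  # deny lines and non-ACL lines do not define proxy identities
        tokens = m.group(1).split()
        src = _take_network(tokens, wildcard)
        dst = _take_network(tokens, wildcard)
        entries.add((src, dst))
    return entries


def acl_mismatches(local_entries, remote_entries):
    """Return (local_only, remote_only): entries with no mirrored counterpart on the other peer.

    Both lists are empty exactly when the two ACLs are perfect mirrors.
    """
    mirrored_remote = {(dst, src) for (src, dst) in remote_entries}
    mirrored_local = {(dst, src) for (src, dst) in local_entries}
    local_only = sorted(f"{s} -> {d}" for (s, d) in local_entries - mirrored_remote)
    remote_only = sorted(f"{s} -> {d}" for (s, d) in remote_entries - mirrored_local)
    return local_only, remote_only


def check_pair(local_text, local_wildcard, remote_text, remote_wildcard):
    """Parse both ACLs and report the entries that break the mirror."""
    local = parse_crypto_acl(local_text, local_wildcard)
    remote = parse_crypto_acl(remote_text, remote_wildcard)
    return acl_mismatches(local, remote)


if __name__ == "__main__":
    print(check_pair(PIX_CRYPTO_ACL, False, IOS_CRYPTO_ACL, True))
    print(check_pair(PIX_CRYPTO_ACL, False, IOS_CRYPTO_ACL_BAD, True))
```

Run against the thread's two ACLs the result is `([], [])`; against the constructed /25 variant it names the PIX entry that the router never offers and the router entry the PIX never offers, which is exactly the pair of proxy identities a "no match" in phase 2 is complaining about.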
-
HP 15 N234Sl: Windows 10 free upgrade incompatibility - Cisco VPN adapter 64-bit
Jyn
I have a laptop with Windows 8.1 - Intel Core i7 4500U, 8 GB of RAM, Nvidia GeForce 740.
I reserved Windows 10 and from the 29th until now it has said: Please wait while the upgrade is being prepared for your PC.
But I discovered today that it is not ready, because there is an error:
I immediately removed all VPN clients etc., but the error persists. Does anyone know what to do?
Thank you very much
If you are having problems upgrading using the icon (like many people), you can manually download Windows (genuine, not pirated) from Microsoft's website.
The Windows 10 download tool link: http://www.Microsoft.com/en-us/software-download/Windows10
If it helps you, mark it as a solution.
-
Hi all
I have two firewalls between which I'm trying to set up an L2L VPN. One of them is an old SonicWALL and the other a 5505.
I put everything in, phase 1/2 completes and the tunnel comes up, however no traffic passes through.
Here is my configuration:
ASA (outside 192.168.30.1), ASA internal 192.168.10.0/25
SonicWALL (outside 192.168.30.2), SonicWALL internal 192.168.20.0/24
I have an access list that is configured on the ASA and applied to the crypto map using "crypto map XXXX 1 match address YYY".
However, when I watch the debug output on the console it says: "cannot locate egress interface for UDP from XXXX interface: 192.168.10.10/1 to 192.178.20.1/0".
Any ideas why this is?
Do I just need a static route to say all traffic on the ASA with source 192...10.0 should go through 192.168.30.2?
I guess that is the job of the crypto map.
Am I wrong?
Hello
It seems to me that you have a VPN filter ACL configured for your L2L VPN, and also that the VPN filter ACL and the crypto ACL are the same thing, meaning you use a single ACL for both.
The reason I think so is that you say your L2L VPN traffic passes the VPN phase in "packet-tracer", which means the L2L VPN crypto ACL is correct. At the same time you say the connection is stopped at the VPN USER phase. That points to a VPN filter ACL being configured.
Given the above, I also know that the filter ACL for an L2L VPN behaves with a different logic than a typical interface ACL. In an L2L VPN the filter ACL ALWAYS lists the remote network as the source and your local network as the destination.
If you add an ACL rule with the networks switched around, it seems this fixes the VPN filter ACL problems and finally allows the traffic. Naturally I can only guess, as I have not seen the actual configurations at this point (which, usually together with the "packet-tracer" output, help solve a problem faster than just guessing).
If you indeed have a VPN filter, you may be able to track it down with the following commands:
show run tunnel-group
Check if a "group-policy" is defined, then run the command
show run group-policy
This output should list the name of the VPN filter ACL if one is in use.
Regarding the automatic route installation: the default setting on the ASA is that it will NOT create static routes automatically based on the VPN configurations. This must be enabled manually in the "crypto map" configuration, or you can configure the static routes manually.
The ASA tracks TCP and UDP connections by default. ICMP is tracked only if its inspection is enabled. By default, it is NOT inspected.
Hope this helps
Remember to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary.
-Jouni
-
Hello
It seems to me that the configurations are for the most part fine. But of course they may differ from what the remote site has. We do not know what the settings are on the other side of this L2L VPN connection.
The NAT0 configuration has one line that is not necessary (line below):
access-list inside_nat0_outbound extended permit ip lan-imp 255.255.255.0 1.1.1.0 255.255.255.0
You can use "packet-tracer" from the CLI to check what happens to the first traffic:
packet-tracer input inside tcp 1.1.1.100 12345 192.168.1.100 80
I guess the LAN IP addresses have been changed for some reason, so replace the IP addresses above with random IP addresses from the LAN and the REMOTE LAN if necessary.
Issue the command above twice. If the second output still stops at the VPN phase with DROP, then there are some problems in the configurations on one side or the other of the L2L VPN connection.
You can also check the output of the following command after issuing the "packet-tracer" command above, to check what is happening in phase 1 of the L2L VPN negotiations:
show crypto isakmp sa
If that goes through, then I would start looking for a problem with the "crypto map" related configurations.
-Jouni
-
Migration to DMVPN phase 3 with a central hub
I'm looking at migrating my DMVPN network from phase 2 to phase 3. The current system contains 3 regional hubs, each serving about 100 spokes. The final goal is to be able to build spoke-to-spoke tunnels between sites that are homed to hubs in different regions. I understand from reading the document "Migrating from Dynamic Multipoint VPN Phase 2 to Phase 3" that phase 3 regional hubs can be related in a hierarchy through a central hub, but there are no details in the doc and I have not been able to find a white paper that addresses this specifically. Does anyone have experience with this topology or have material regarding the deployment and configuration of the central hub?
Kind regards
Mike
Mike,
DMVPN phase 3 is still a valid design choice, even if we are heading for the FlexVPN/IKEv2 combo (eventually finished on ASRs).
That being said, the deployment is quite easy:
- NHRP shortcuts (+ NHRP redirect, really unnecessary during stable operation) on the spokes
- NHRP redirect on the hubs.
Generally on the regional hubs you would have one tunnel interface towards the spokes and another (spoke-like) tunnel towards the global hubs; remember that they must belong to the same NHRP network (i.e. the same NHRP network id).
Now, depending on your choice of routing protocol (BGP will scale better, obviously), it's just a matter of advertising the right summaries and setting the delays and costs.
The top-level material I know of, if you want to read: google "BRKSEC DMVPN" and you will find several different items from past Cisco Live/Networkers events - my resource of choice.
M.
-
Unable to establish phase 1 of a site-to-site VPN
Hi Experts,
Site-B(router)---Modem---Internet---Site-A(router)
I am trying to create an IPsec site-to-site VPN between a Cisco 2900 & a Cisco 861 and here is the scenario. Please find the connectivity diagram in the attached file.
The issue is that there is a modem provided by the ISP on Site-B and the Cisco 861 router is connected to that modem; the connection is given through RJ11 and there is no ADSL port available on the Site-B router.
Based on the above scenario, here is the config.
Site-B:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key CITDENjan2014 address 80.227.xx.xx
crypto ipsec transform-set ETH-to-Dxb esp-3des esp-md5-hmac
 mode tunnel
crypto map VPN 1 ipsec-isakmp
 set peer 80.227.xx.xx
 set transform-set ETH-to-Dxb
 match address 110
interface FastEthernet4
 ip address 192.168.1.254 255.255.255.0
 crypto map VPN
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip access-list extended 110
 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
Please find the ADSL modem screenshots below for information.
Double configuration on the LAN interface of the ADSL modem with IP address
I did port forwarding on the modem, although since I have not done port forwarding before I'm not sure whether it is correct or not.
Site-A router config:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key CITDENjan2014 address 197.156.xx.xx
crypto ipsec transform-set Dxb-to-ETH esp-3des esp-md5-hmac
 mode tunnel
crypto map Dxb-to-Nigeria 20 ipsec-isakmp
 set peer 197.156.xx.xx
 set transform-set Dxb-to-ETH
 match address 120
interface GigabitEthernet0/1
 ip address 80.227.xx.xx 255.255.255.252
 crypto map Dxb-to-Nigeria
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
route-map SDM_RMAP_1 permit 1
 match ip address 101
Logs from the Site-B router:
*Apr 16 13:02:06.735: ISAKMP (0): received packet from 80.227.xx.xx dport 500 sport 1 Global (N) NEW SA
*Apr 16 13:02:06.735: ISAKMP: Created a peer struct for 80.227.xx.xx, peer port 1
*Apr 16 13:02:06.735: ISAKMP: New peer created peer = 0x886B0310 peer_handle = 0x8000001D
*Apr 16 13:02:06.735: ISAKMP: Locking peer struct 0x886B0310, refcount 1 for crypto_isakmp_process_block
*Apr 16 13:02:06.735: ISAKMP: local port 500, remote port 1
*Apr 16 13:02:06.735: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 88776A88
*Apr 16 13:02:06.735: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 16 13:02:06.735: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Apr 16 13:02:06.735: ISAKMP:(0): processing SA payload. message ID = 0
*Apr 16 13:02:06.735: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.735: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Apr 16 13:02:06.735: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Apr 16
ETH-CIT# 13:02:06.735: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.735: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Apr 16 13:02:06.739: ISAKMP (0): vendor ID is NAT-T v7
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v3
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v2
*Apr 16 13:02:06.739: ISAKMP:(0):found peer pre-shared key matching 80.227.xx.xx
*Apr 16 13:02:06.739: ISAKMP:(0): local preshared key found
*Apr 16 13:02:06.739: ISAKMP : Scanning profiles for xauth ...
*Apr 16 13:02:06.739: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Apr 16 13:02:06.739: ISAKMP:      encryption 3DES-CBC
*Apr 16 13:02:06.739: ISAKMP:      hash MD5
*Apr 16 13:02:06.739: ISAKMP:      default group 2
*Apr 16 13:02:06.739: ISAKMP:      auth pre-share
*Apr 16 13:02:06.739: ISAKMP:      life type in seconds
*Apr 16 13:02:06.739: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Apr 16 13:02:06.739: ISAKMP:(0):atts are acceptable. Next payload is 0
*Apr 16 13:02:06.739: ISAKMP:(0):Acceptable atts:actual life: 0
*Apr 16 13:02:06.739: ISAKMP:(0):Acceptable atts:life: 0
*Apr 16 13:02:06.739: ISAKMP:(0):Fill atts in sa vpi_length:4
*Apr 16 13:02:06.739: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Apr 16 13:02:06.739: ISAKMP:(0):Returning Actual lifetime: 86400
*Apr 16 13:02:06.739: ISAKMP:(0)::Started lifetime timer: 86400.
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Apr 16 13:02:06.739: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Apr 16 13:02:06.739: ISAKMP (0): vendor ID is NAT-T v7
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v3
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v2
*Apr 16 13:02:06.739: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 16 13:02:06.739: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
*Apr 16 13:02:06.739: ISAKMP:(0):constructed NAT-T vendor-rfc3947 ID
*Apr 16 13:02:06.739: ISAKMP:(0): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_SA_SETUP
*Apr 16 13:02:06.739: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 16 13:02:06.739: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 16 13:02:06.739: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
*Apr 16 13:02:06.995: ISAKMP (0): received packet from 80.227.xx.xx dport 500 sport 1 Global (R) MM_SA_SETUP
*Apr 16 13:02:06.995: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 16 13:02:06.999: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
*Apr 16 13:02:06.999: ISAKMP:(0): processing KE payload. message ID = 0
*Apr 16 13:02:07.027: ISAKMP:(0): processing NONCE payload. message ID = 0
*Apr 16 13:02:07.027: ISAKMP:(0):found peer pre-shared key matching 80.227.xx.xx
*Apr 16 13:02:07.027: ISAKMP:(2028): processing vendor id payload
*Apr 16 13:02:07.027: ISAKMP:(2028): vendor ID is DPD
*Apr 16 13:02:07.027: ISAKMP:(2028): processing vendor id payload
*Apr 16 13:02:07.027: ISAKMP:(2028): speaking to another IOS box!
*Apr 16 13:02:07.027: ISAKMP:(2028): processing vendor id payload
*Apr 16 13:02:07.027: ISAKMP:(2028): vendor ID seems Unity/DPD but major 241 mismatch
*Apr 16 13:02:07.027: ISAKMP:(2028): vendor ID is XAUTH
*Apr 16 13:02:07.027: ISAKMP:received payload type 20
*Apr 16 13:02:07.027: ISAKMP (2028): NAT found, both nodes inside NAT
*Apr 16 13:02:07.027: ISAKMP:received payload type 20
*Apr 16 13:02:07.027: ISAKMP (2028): NAT found, both nodes inside NAT
*Apr 16 13:02:07.027: ISAKMP:(2028):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 16 13:02:07.027: ISAKMP:(2028):Old State = IKE_R_MM3  New State = IKE_R_MM3
*Apr 16 13:02:07.027: ISAKMP:(2028): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_KEY_EXCH
*Apr 16 13:02:07.027: ISAKMP:(2028):Sending an IKE IPv4 Packet.
*Apr 16 13:02:07.027: ISAKMP:(2028):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 16 13:02:07.027: ISAKMP:(2028):Old State = IKE_R_MM3  New State = IKE_R_MM4
ETH-CIT#
ETH-CIT#
*Apr 16 13:02:17.027: ISAKMP:(2028): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:02:17.027: ISAKMP (2028): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 16 13:02:17.027: ISAKMP:(2028): retransmitting phase 1 MM_KEY_EXCH
*Apr 16 13:02:17.027: ISAKMP:(2028): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_KEY_EXCH
*Apr 16 13:02:17.027: ISAKMP:(2028):Sending an IKE IPv4 Packet.
Logs from the Site-A router:
*Apr 16 13:15:28.109: ISAKMP (1263): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:15:28.109: ISAKMP:(1263): phase 1 packet is a duplicate of a previous packet.
*Apr 16 13:15:28.109: ISAKMP:(1263): retransmitting due to retransmit phase 1
*Apr 16 13:15:28.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:15:28.609: ISAKMP (1263): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Apr 16 13:15:28.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH
*Apr 16 13:15:28.609: ISAKMP:(1263): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:15:28.609: ISAKMP:(1263):Sending an IKE IPv4 Packet.
DXB-CIT#
*Apr 16 13:15:38.109: ISAKMP (1263): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:15:38.109: ISAKMP:(1263): phase 1 packet is a duplicate of a previous packet.
*Apr 16 13:15:38.109: ISAKMP:(1263): retransmitting due to retransmit phase 1
*Apr 16 13:15:38.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:15:38.609: ISAKMP (1263): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Apr 16 13:15:38.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH
*Apr 16 13:15:38.609: ISAKMP:(1263): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:15:38.609: ISAKMP:(1263):Sending an IKE IPv4 Packet.
DXB-CIT#
*Apr 16 13:15:47.593: ISAKMP: set new node 0 to QM_IDLE
*Apr 16 13:15:47.593: ISAKMP:(1263):SA is still budding. Attached new ipsec request to it. (local 80.227.xx.xx, remote 197.156.xx.xx)
*Apr 16 13:15:47.593: ISAKMP: Error while processing SA request: Failed to initialize SA
*Apr 16 13:15:47.593: ISAKMP: Error while processing KMI message 0, error 2.
*Apr 16 13:15:48.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:15:48.609: ISAKMP:(1263):peer does not do paranoid keepalives.
*Apr 16 13:15:48.609: ISAKMP:(1263):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 197.156.xx.xx)
*Apr 16 13:15:48.609: ISAKMP:(1263):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 197.156.xx.xx)
*Apr 16 13:15:48.609: ISAKMP: Unlocking peer struct 0x23193AD4 for isadb_mark_sa_deleted(), count 0
*Apr 16 13:15:48.609: ISAKMP: Deleting peer node by peer_reap for 197.156.xx.xx: 23193AD4
DXB-CIT#
DXB-CIT#
*Apr 16 13:15:48.609: ISAKMP:(1263):deleting node 1134682361 error FALSE reason "IKE deleted"
*Apr 16 13:15:48.609: ISAKMP:(1263):deleting node 680913363 error FALSE reason "IKE deleted"
*Apr 16 13:15:48.609: ISAKMP:(1263):deleting node 1740991762 error FALSE reason "IKE deleted"
*Apr 16 13:15:48.609: ISAKMP:(1263):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Apr 16 13:15:48.609: ISAKMP:(1263):Old State = IKE_I_MM5  New State = IKE_DEST_SA
DXB-CIT#
DXB-CIT#sho cry
DXB-CIT#sho cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
197.156.xx.xx   80.227.xx.xx    MM_NO_STATE       1263 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

*Apr 16 13:16:17.593: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 80.227.xx.xx:0, remote= 197.156.xx.xx:0,
    local_proxy= 192.168.10.0/255.255.255.0/256/0,
    remote_proxy= 192.168.1.0/255.255.255.0/256/0
*Apr 16 13:16:17.609: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 80.227.xx.xx:500, remote= 197.156.xx.xx:500,
    local_proxy= 192.168.10.0/255.255.255.0/256/0,
    remote_proxy= 192.168.1.0/255.255.255.0/256/0,
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Apr 16 13:16:17.609: ISAKMP:(0): SA request profile is (NULL)
*Apr 16 13:16:17.609: ISAKMP: Created a peer struct for 197.156.xx.xx, peer port 500
*Apr 16 13:16:17.609: ISAKMP: New peer created peer = 0x23193AD4 peer_handle = 0x80001862
*Apr 16 13:16:17.609: ISAKMP: Locking peer struct 0x23193AD4, refcount 1 for isakmp_initiator
*Apr 16 13:16:17.609: ISAKMP: local port 500, remote port 500
*Apr 16 13:16:17.609: ISAKMP: set new node 0 to QM_IDLE
*Apr 16 13:16:17.609: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 270A2FD0
*Apr 16 13:16:17.609: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Apr 16 13:16:17.609: ISAKMP:(0):found peer pre-shared key matching 197.156.xx.xx
*Apr 16 13:16:17.609: ISAKMP:(0):constructed NAT-T vendor-rfc3947 ID
*Apr 16 13:16:17.609: ISAKMP:(0):constructed NAT-T vendor-07 ID
*Apr 16 13:16:17.609: ISAKMP:(0):constructed NAT-T vendor-03 ID
*Apr 16 13:16:17.609: ISAKMP:(0):constructed NAT-T vendor-02 ID
*Apr 16 13:16:17.609: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Apr 16 13:16:17.609: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Apr 16 13:16:17.609: ISAKMP:(0):beginning Main Mode exchange
*Apr 16 13:16:17.609: ISAKMP:(0): sending packet to 197.156.xx.xx my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 16 13:16:17.609: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 16 13:16:17.865: ISAKMP (0): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_NO_STATE
*Apr 16 13:16:17.865: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 16 13:16:17.865: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Apr 16 13:16:17.865: ISAKMP:(0): processing SA payload. message ID = 0
*Apr 16 13:16:17.869: ISAKMP:(0): processing vendor id payload
*Apr 16 13:16:17.869: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Apr 16 13:16:17.869: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Apr 16 13:16:17.869: ISAKMP:(0):found peer pre-shared key matching 197.156.xx.xx
*Apr 16 13:16:17.869: ISAKMP:(0): local preshared key found
*Apr 16 13:16:17.869: ISAKMP : Scanning profiles for xauth ... ciscocp-ike-profile-1
*Apr 16 13:16:17.869: ISAKMP:(0): Authentication by xauth preshared
*Apr 16 13:16:17.869: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Apr 16 13:16:17.869: ISAKMP:      encryption 3DES-CBC
*Apr 16 13:16:17.869: ISAKMP:      hash MD5
*Apr 16 13:16:17.869: ISAKMP:      default group 2
*Apr 16 13:16:17.869: ISAKMP:      auth pre-share
*Apr 16 13:16:17.869: ISAKMP:      life type in seconds
*Apr 16 13:16:17.869: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Apr 16 13:16:17.869: ISAKMP:(0):atts are acceptable. Next payload is 0
*Apr 16 13:16:17.869: ISAKMP:(0):Acceptable atts:actual life: 0
*Apr 16 13:16:17.869: ISAKMP:(0):Acceptable atts:life: 0
*Apr 16 13:16:17.869: ISAKMP:(0):Fill atts in sa vpi_length:4
*Apr 16 13:16:17.869: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Apr 16 13:16:17.869: ISAKMP:(0):Returning Actual lifetime: 86400
*Apr 16 13:16:17.869: ISAKMP:(0)::Started lifetime timer: 86400.
*Apr 16 13:16:17.869: ISAKMP:(0): processing vendor id payload
*Apr 16 13:16:17.869: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Apr 16 13:16:17.869: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Apr 16 13:16:17.869: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 16 13:16:17.869: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Apr 16 13:16:17.869: ISAKMP:(0): sending packet to 197.156.xx.xx my_port 500 peer_port 500 (I) MM_SA_SETUP
*Apr 16 13:16:17.869: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 16 13:16:17.869: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 16 13:16:17.869: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Apr 16 13:16:18.157: ISAKMP (0): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_SA_SETUP
*Apr 16 13:16:18.157: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 16 13:16:18.157: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Apr 16 13:16:18.157: ISAKMP:(0): processing KE payload. message ID = 0
*Apr 16 13:16:18.181: ISAKMP:(0): processing NONCE payload. message ID = 0
*Apr 16 13:16:18.181: ISAKMP:(0):found peer pre-shared key matching 197.156.xx.xx
*Apr 16 13:16:18.181: ISAKMP:(1264): processing vendor id payload
*Apr 16 13:16:18.181: ISAKMP:(1264): vendor ID is Unity
*Apr 16 13:16:18.181: ISAKMP:(1264): processing vendor id payload
*Apr 16 13:16:18.181: ISAKMP:(1264): vendor ID is DPD
*Apr 16 13:16:18.181: ISAKMP:(1264): processing vendor id payload
*Apr 16 13:16:18.185: ISAKMP:(1264): speaking to another IOS box!
*Apr 16 13:16:18.185: ISAKMP:received payload type 20
*Apr 16 13:16:18.185: ISAKMP (1264): NAT found, both nodes inside NAT
*Apr 16 13:16:18.185: ISAKMP:received payload type 20
*Apr 16 13:16:18.185: ISAKMP (1264): NAT found, both nodes inside NAT
*Apr 16 13:16:18.185: ISAKMP:(1264):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 16 13:16:18.185: ISAKMP:(1264):Old State = IKE_I_MM4  New State = IKE_I_MM4
*Apr 16 13:16:18.185: ISAKMP:(1264):Send initial contact
*Apr 16 13:16:18.185: ISAKMP:(1264):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Apr 16 13:16:18.185: ISAKMP (1264): ID payload
        next-payload : 8
        type         : 1
        address      : 80.227.xx.xx
        protocol     : 17
        port         : 0
        length       : 12
*Apr 16 13:16:18.185: ISAKMP:(1264):Total payload length: 12
*Apr 16 13:16:18.185: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:16:18.185: ISAKMP:(1264):Sending an IKE IPv4 Packet.
*Apr 16 13:16:18.185: ISAKMP:(1264):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 16 13:16:18.185: ISAKMP:(1264):Old State = IKE_I_MM4  New State = IKE_I_MM5
DXB-CIT#
*Apr 16 13:16:28.157: ISAKMP (1264): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:16:28.157: ISAKMP:(1264): phase 1 packet is a duplicate of a previous packet.
*Apr 16 13:16:28.157: ISAKMP:(1264): retransmitting due to retransmit phase 1
*Apr 16 13:16:28.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:16:28.657: ISAKMP (1264): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 16 13:16:28.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH
*Apr 16 13:16:28.657: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
DXB-CIT#
*Apr 16 13:16:28.657: ISAKMP:(1264):Sending an IKE IPv4 Packet.
DXB-CIT#
DXB-CIT#
DXB-CIT#
DXB-CIT#
DXB-CIT#
DXB-CIT#
DXB-CIT#u all
All possible debugging has been turned off
DXB-CIT#
DXB-CIT#
*Apr 16 13:16:38.157: ISAKMP (1264): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:16:38.157: ISAKMP:(1264): phase 1 packet is a duplicate of a previous packet.
*Apr 16 13:16:38.157: ISAKMP:(1264): retransmitting due to retransmit phase 1
*Apr 16 13:16:38.609: ISAKMP:(1263):purging node 1134682361
*Apr 16 13:16:38.609: ISAKMP:(1263):purging node 680913363
*Apr 16 13:16:38.609: ISAKMP:(1263):purging node 1740991762
*Apr 16 13:16:38.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:16:38.657: ISAKMP (1264): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
DXB-CIT#
DXB-CIT#
DXB-CIT#
DXB-CIT#
*Apr 16 13:16:38.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH
*Apr 16 13:16:38.657: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:16:38.657: ISAKMP:(1264):Sending an IKE IPv4 Packet.
Hello
Your configuration looks correct. I was wondering whether NAT works fine, because I do not see ip nat inside and ip nat outside configured on router A.
Please check whether ESP (50) is permitted (probably VPN passthrough) on the modem and also try to allow UDP 4500 (IPsec NAT-T).
Best regards
Jan
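The debug output above is long, but only a handful of lines carry the diagnosis Jan gives: both routers report "NAT found, both nodes inside NAT", IKE moves from UDP/500 to UDP/4500 for MM_KEY_EXCH, the initiator retransmits that message five times and then tears the SA down with "Death by retransmission P1". The script below is an added example (not code from the thread or from Cisco) that pulls those facts out of a `debug crypto isakmp` capture and turns them into the next check to perform. The sample lines are constructed in the format of the debugs posted above; the timestamps after 13:16:38 are made up to complete the five retransmissions, and the regular expressions and function names are mine.

```python
"""Triage of "debug crypto isakmp" output for a phase 1 that dies in MM_KEY_EXCH.

Added example, not code from the thread. The sample lines below are constructed
in the format of the router debugs posted above (IOS ISAKMP debug messages);
timestamps after 13:16:38 are invented to complete the retransmission sequence.
"""
import re

SAMPLE_DEBUG = """\
*Apr 16 13:16:18.185: ISAKMP (1264): NAT found, both nodes inside NAT
*Apr 16 13:16:18.185: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:16:18.185: ISAKMP:(1264):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Apr 16 13:16:28.657: ISAKMP (1264): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 16 13:16:38.657: ISAKMP (1264): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Apr 16 13:16:48.657: ISAKMP (1264): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Apr 16 13:16:58.657: ISAKMP (1264): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Apr 16 13:17:08.657: ISAKMP (1264): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Apr 16 13:17:18.657: ISAKMP:(1264):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 197.156.xx.xx)
*Apr 16 13:17:18.657: ISAKMP:(1264):Old State = IKE_I_MM5  New State = IKE_DEST_SA
"""

NAT_RE = re.compile(r"NAT found, both nodes inside NAT")
RETRANS_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
DEATH_RE = re.compile(r'"Death by retransmission P1" state \(([IR])\) (\S+) \(peer (\S+)\)')
PORTS_RE = re.compile(r"my_port (\d+) peer_port (\d+)")


def triage_phase1(debug_text):
    """Reduce one ISAKMP debug capture to the facts that decide the diagnosis."""
    summary = {
        "nat_detected": False,      # NAT-D payloads revealed a NAT on the path
        "retransmits": 0,           # highest "attempt N of M" seen
        "retransmit_limit": None,   # the M in "attempt N of M"
        "states": [],               # sequence of New State values, in order
        "death_state": None,        # main-mode state in which phase 1 died, if it did
        "role": None,               # I (initiator) or R (responder) at death
        "peer": None,               # peer address named in the deletion message
        "ports": set(),             # (my_port, peer_port) pairs used for IKE
    }
    for line in debug_text.splitlines():
        if NAT_RE.search(line):
            summary["nat_detected"] = True
        m = RETRANS_RE.search(line)
        if m:
            summary["retransmits"] = max(summary["retransmits"], int(m.group(1)))
            summary["retransmit_limit"] = int(m.group(2))
        m = STATE_RE.search(line)
        if m:
            summary["states"].append(m.group(2))
        m = DEATH_RE.search(line)
        if m:
            summary["role"], summary["death_state"], summary["peer"] = m.groups()
        m = PORTS_RE.search(line)
        if m:
            summary["ports"].add((int(m.group(1)), int(m.group(2))))
    return summary


def diagnose(summary):
    """Turn the summary into the check a network engineer would perform next."""
    if summary["death_state"] is None:
        return "phase 1 did not die by retransmission; look at phase 2 or the data path instead"
    on_4500 = any(4500 in pair for pair in summary["ports"])
    if summary["nat_detected"] and on_4500:
        return (f"phase 1 died in {summary['death_state']} after NAT was detected and IKE moved to "
                "UDP/4500: verify the NAT device forwards and permits UDP/4500 (NAT-T) to the router; "
                "ESP (IP protocol 50) matters only when NAT-T is not in use")
    return (f"phase 1 died in {summary['death_state']} on UDP/500 without NAT detection: "
            "check UDP/500 reachability and the phase 1 policies on both ends")


if __name__ == "__main__":
    result = triage_phase1(SAMPLE_DEBUG)
    print(result["retransmits"], "of", result["retransmit_limit"], "retransmissions")
    print(diagnose(result))
```

The value of the summary is that it separates the two failure classes the MM_WAIT_MSG2 thread further down also distinguishes: a peer that never answers on UDP/500 (no NAT, policy or reachability problem) from a peer that answered on UDP/500 but went silent once IKE switched to UDP/4500, which is the port-forwarding gap on the Site-B modem that Jan's reply points at.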
-
Site-to-site VPN stuck in IKE Phase 1 - MM_WAIT_MSG2
We run a site-to-site VPN. The tunnel has worked before, but after some discussions about the location of ASA_Receiving (no config change was made on the ASA; this ASA is directly connected to the internet) the tunnel will not come back up. The devices can ping each other without problem.
It is an L2L VPN, so I wonder whether the Type saying "user" is related to the issue?
ASA_Initiator
IKE Peer: 71.13.xxx.xxx
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
ASA_Receiving
# show crypto isakmp sa
There are no isakmp sas
Hey,
is the remote end an ASA as well?
If so, run the capture below on the ASA:
capture capout interface <interface> match udp host <local-peer-ip> host <remote-peer-ip>
The tunnel gets stuck in MM_WAIT_MSG2 for 2 reasons:
1. either a problem with the phase 1 policies on the remote end, or
2. UDP 500 is not reaching the remote end, or the remote end sends the UDP 500 packet back and it can't reach the local ASA.
Regards
-
Configuration of VPN - IKE phase 1...
I have some confusion in the VPN configuration... In my ASA below mentioned IKE phase 1 already configured setting.
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 9
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
Last week, I configured a new L2L VPN. For the IPsec phase, I added the lines mentioned below...
crypto map toremote 20 match address remotevpn2
crypto map toremote 20 set peer x.x.x.x
crypto map toremote 20 set transform-set strong
crypto map toremote 20 set security-association lifetime seconds 28800
Now my question is: the crypto map seq no 20 does not match any of the IKE phase 1 seq nos (1, 9, 10, 30) that are already configured, but the VPN is up and working fine. How does it associate a particular IKE phase 1 policy with the IPsec phase?
If I want to configure a new VPN with different IKE phase 1 parameters, like 3DES, SHA1, lifetime 86400, what configuration do I have to do in IKE phase 1?
Kind regards,
SOM
The isakmp policy number and the ipsec (crypto map) sequence number do not need to match, neither on your ASA nor with the other end. They are two distinct phases of negotiation. The ASA compares your policies with the other end's, starting with the lowest policy number, until a match is found.
I usually put the more secure policies first (i.e. with the lowest policy number).
To create a new policy, just add it with a new policy number, anywhere you want in the order.
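The selection rule described in this answer, written out as a small simulation (an added example, not code from the thread or from Cisco): local policies are walked in ascending sequence number against the peer's proposals, the first compatible pair wins, and the crypto map sequence number never enters into it. The policy numbers mirror the question (1, 9, 10, 30); the algorithms, the hypothetical peers and the new policy 5 are constructed for illustration.

```python
"""Simulate IKEv1 phase 1 policy selection on a Cisco ASA.

Added example, not from the thread above.  The policies are constructed
to mirror the numbering in the question (1, 9, 10, 30); the algorithms
are illustrative and the remote peers are hypothetical.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    seq: int            # 'crypto isakmp policy <seq>': only the order matters
    encryption: str     # des / 3des / aes ...
    hash: str           # md5 / sha
    group: int          # Diffie-Hellman group
    lifetime: int       # SA lifetime in seconds
    authentication: str = "pre-share"


def compatible(local: IsakmpPolicy, remote: IsakmpPolicy) -> bool:
    """Encryption, hash, DH group and authentication must all agree.

    Lifetime is not a matching criterion: when the two values differ the
    shorter one is used (Cisco's documented behaviour).
    """
    return (local.encryption == remote.encryption
            and local.hash == remote.hash
            and local.group == remote.group
            and local.authentication == remote.authentication)


def negotiate_phase1(local: List[IsakmpPolicy],
                     remote: List[IsakmpPolicy]) -> Optional[Tuple[int, int, int]]:
    """Return (local_seq, remote_seq, lifetime) for the first matching pair.

    Local policies are tried in ascending sequence number; for each one the
    peer's proposals are checked in ascending order.  The crypto map sequence
    number (phase 2) plays no part in this.  None means phase 1 fails.
    """
    for lp in sorted(local, key=lambda p: p.seq):
        for rp in sorted(remote, key=lambda p: p.seq):
            if compatible(lp, rp):
                return lp.seq, rp.seq, min(lp.lifetime, rp.lifetime)
    return None


# Constructed local policy set (numbering as in the question, DES assumed).
LOCAL_POLICIES = [
    IsakmpPolicy(1, "des", "sha", 2, 43200),
    IsakmpPolicy(9, "des", "md5", 1, 86400),
    IsakmpPolicy(10, "des", "sha", 2, 86400),
    IsakmpPolicy(30, "des", "md5", 2, 86400),
]

# Hypothetical peers: one that already works, and the new 3DES/SHA1 peer
# the question asks about.
EXISTING_PEER = [IsakmpPolicy(1, "des", "md5", 2, 28800)]
NEW_PEER = [IsakmpPolicy(10, "3des", "sha", 2, 86400)]


def negotiate_existing_peer():
    # Policies 1, 9 and 10 are skipped (hash, group, hash); 30 matches.
    return negotiate_phase1(LOCAL_POLICIES, EXISTING_PEER)


def negotiate_new_peer():
    # No local policy offers 3DES: phase 1 cannot complete.
    return negotiate_phase1(LOCAL_POLICIES, NEW_PEER)


def negotiate_new_peer_after_fix():
    # Adding one more policy under an unused number is all that is needed;
    # 5 is chosen so the stronger policy is tried before the DES ones.
    extended = LOCAL_POLICIES + [IsakmpPolicy(5, "3des", "sha", 2, 86400)]
    return negotiate_phase1(extended, NEW_PEER)


if __name__ == "__main__":
    print("existing peer:", negotiate_existing_peer())
    print("new peer     :", negotiate_new_peer())
    print("after fix    :", negotiate_new_peer_after_fix())
```

The three functions at the bottom correspond to the three situations in the thread: the peer that works today, the new 3DES peer that would fail, and the same peer after a single new policy number is added.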
-
Folks,
I have two 1941 routers running 15.2 and I'm trying to implement a site-to-site VPN with digital signatures.
I get as far as the phase 2 proposal (phase 1 reaches QM_IDLE), but the phase 2 proposal is rejected with the error message above.
Does anyone have any good sample site-to-site VPN configs using 15.2?
My config is below;
it is mirrored on the remote end.
Can anyone help me out?
!
crypto isakmp policy 10
 encr aes
 group 5
 lifetime 82800
!
!
crypto ipsec transform-set T-TRANSFORM esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile T-PROFILE
 set transform-set T-TRANSFORM
 set pfs group5
!
Hello
Can you check your encryption domain... I mean the local LAN subnet that you used for the site-to-site...
Here is a similar site-to-site example:
http://www.firewall.CX/Cisco-technical-Knowledgebase/Cisco-routers/867-c...
Also, you can look at the example configuration here...
hostname RTR1
!
crypto ikev2 proposal AES256-192-128-PROPOSAL
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha1
 group 2
!
crypto ikev2 policy IKEv2-policy
 proposal AES256-192-128-PROPOSAL
!
crypto ikev2 keyring VPN-KEYS
 peer ASA1
  address 10.0.0.2
  pre-shared-key local MyKey1
  pre-shared-key remote MyKey1
!
!
!
crypto ikev2 profile ASA1
 match identity remote address 10.0.0.2 255.255.255.255
 identity local address 10.0.0.1
 authentication remote pre-share
 authentication local pre-share
 keyring local VPN-KEYS
!
!
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
!
!
crypto map RTR1-ASA1 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set ESP-AES256-SHA
 set ikev2-profile ASA1
 match address VPN-TRAFFIC
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 speed auto
 duplex auto
 crypto map RTR1-ASA1
!
interface FastEthernet0/1
 ip address 192.168.5.1 255.255.255.0
 speed auto
 duplex auto
!
ip route 192.168.1.0 255.255.255.0 10.0.0.2
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.5.0 0.0.0.255
Regards,
Knockaert
-
Phase 2 error for site-to-site VPN
Dear all,
We have a site-to-site VPN with a partner, and we need to access three different hosts on the partner's network. Phase 1 comes up, but there is a problem with phase 2 for the three hosts: we can only connect to one host, the others do not connect, and they all share the same settings.
Below, show access-list shows matching packets, but the connection to the host fails.
With show crypto ipsec sa I saw send errors and I don't know what could be responsible.
Anybody who can help, please do; I am exhausted.
show access-list
    10 permit ip host 4.2.3.1 host 4.2.6.22 (647594 matches)
    20 permit ip host 4.2.3.14 host 4.2.6.64 (47794 matches)
    30 permit ip host 41.2.3.37 host 41.2.6.76 (581720 matches)
show crypto ipsec sa
   local  ident (addr/mask/prot/port): (41.2.3.37/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (4.2.6.76/255.255.255.255/0/0)
   current_peer 4.2.6.24 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 198, #recv errors 0
     local crypto endpt.: 4.2.3.16, remote crypto endpt.: 4.2.6.24
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
   local  ident (addr/mask/prot/port): (4.2.3.14/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (4.2.6.64/255.255.255.255/0/0)
   current_peer 4.2.6.24 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 508, #recv errors 0
     local crypto endpt.: 4.2.3.16, remote crypto endpt.: 4.2.6.24
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
Edit: can you post the configuration of both sides of the tunnel? Otherwise, re-check the configs on both sides once more.
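A way to read output like the one in this question mechanically, as an added example that is not part of the thread: the parser below splits "show crypto ipsec sa" into one record per proxy-ID pair and flags the pairs whose outbound SPI is still 0x0 while send errors keep climbing, which is exactly what distinguishes the two failing hosts from a working one. The sample text is constructed for the example; the two failing records reuse the addresses and counters from the post, the healthy first record and its SPI are invented.

```python
"""Parse IOS 'show crypto ipsec sa' output and flag proxy-ID pairs with no SA.

Added example, not from the thread.  SAMPLE_OUTPUT is constructed: the two
stuck entries copy the addresses/counters from the post, the first (healthy)
entry and its SPI are invented for contrast.
"""
import re

SAMPLE_OUTPUT = """\
interface: FastEthernet4
    Crypto map tag: PARTNER-MAP, local addr 4.2.3.16

   local  ident (addr/mask/prot/port): (4.2.3.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (4.2.6.22/255.255.255.255/0/0)
   current_peer 4.2.6.24 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 647594, #pkts encrypt: 647594, #pkts digest: 647594
    #pkts decaps: 611003, #pkts decrypt: 611003, #pkts verify: 611003
    #send errors 0, #recv errors 0
     local crypto endpt.: 4.2.3.16, remote crypto endpt.: 4.2.6.24
     current outbound spi: 0x3A1B2C4D(974859341)

   local  ident (addr/mask/prot/port): (41.2.3.37/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (4.2.6.76/255.255.255.255/0/0)
   current_peer 4.2.6.24 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #send errors 198, #recv errors 0
     current outbound spi: 0x0(0)

   local  ident (addr/mask/prot/port): (4.2.3.14/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (4.2.6.64/255.255.255.255/0/0)
   current_peer 4.2.6.24 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #send errors 508, #recv errors 0
     current outbound spi: 0x0(0)
"""

# Each record starts at a 'local  ident' line; split on that boundary.
BLOCK_START = re.compile(r"(?=^[ \t]*local\s+ident)", re.M)


def parse_ipsec_sa(text):
    """Return one dict per proxy-ID pair found in the output."""
    entries = []
    for block in BLOCK_START.split(text):
        if not re.search(r"local\s+ident", block):
            continue  # header text before the first record

        def grab(pattern, conv=str, default=None):
            m = re.search(pattern, block)
            return conv(m.group(1)) if m else default

        entries.append({
            "local": grab(r"local\s+ident \(addr/mask/prot/port\): \(([^/]+)/"),
            "remote": grab(r"remote ident \(addr/mask/prot/port\): \(([^/]+)/"),
            "peer": grab(r"current_peer (\S+) port"),
            "flags": grab(r"flags=\{([^}]*)\}",
                          lambda s: {f for f in s.split(",") if f}, set()),
            "encaps": grab(r"#pkts encaps: (\d+)", int, 0),
            "send_errors": grab(r"#send errors (\d+)", int, 0),
            "outbound_spi": grab(r"current outbound spi: 0x([0-9A-Fa-f]+)",
                                 lambda h: int(h, 16), 0),
        })
    return entries


def diagnose(entry):
    """Classify a record: an outbound SPI of 0 means no IPsec SA exists."""
    if entry["outbound_spi"] != 0:
        return "up"
    if "ipsec_sa_request_sent" in entry["flags"]:
        return ("phase 2 requested but no SA came back: compare the crypto ACL "
                "/ proxy IDs for this pair on both peers")
    return ("no IPsec SA and no request in flight: traffic only shows up as "
            "send errors; re-check the crypto map entry on both sides")


def stuck_pairs(text):
    """(local, remote, send_errors) for every pair that never got an SA."""
    return [(e["local"], e["remote"], e["send_errors"])
            for e in parse_ipsec_sa(text) if e["outbound_spi"] == 0]


if __name__ == "__main__":
    for e in parse_ipsec_sa(SAMPLE_OUTPUT):
        print(f'{e["local"]:>12} -> {e["remote"]:<12} {diagnose(e)}')
```

Run against the real output of "show crypto ipsec sa" (paste it in place of the sample) to get a per-host list of which proxy-ID pairs negotiated and which are only accumulating send errors.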
-
Hello,
I'm trying to set up a new VPN between Site A and Site B.
It passes the first phase, but throws an error in the second phase. I will attach the error message.
The Site A firewall currently has another VPN that works fine, so I suspect the problem lies in the Site B config.
Thanks in advance
PFS does not match.
Site A: you have 'crypto map outside_map 2 set pfs group1'.
Site B: you have 'crypto map outside_map 4 set pfs' ---> which defaults to group2 for PFS.
Change one of them to match the other.
Hope that solves the problem.
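The mismatch in this answer is easy to miss by eye because the failing side's line looks complete. Below is an added example (not code from the thread or from Cisco) that parses the phase 2 parts of two ASA configs, applies the "bare 'set pfs' means group2" default, resolves transform-set names to their algorithms, and reports where the two crypto map entries disagree. The peer addresses, ACL name and the SITE_A/SITE_B snippets are constructed; the transform-set name ESP-AES-256-SHA is the ASA's default name.

```python
"""Compare the phase 2 settings of two ASA crypto map entries.

Added example, not from the thread.  The config snippets are constructed
(203.0.113.0/24 is a documentation range); the point shown is that a bare
'set pfs' is group2 on the ASA and so does not match 'set pfs group1'.
"""
import re
from collections import defaultdict

PFS_DEFAULT = "group2"  # what 'set pfs' with no group means on the ASA

MAP_RE = re.compile(r"crypto map (\S+) (\d+) (.+)")
TS_RE = re.compile(r"crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)")


def parse_config(lines):
    """Return (transform_sets, entries).

    transform_sets: name -> tuple of algorithms, e.g. ('esp-aes-256', 'esp-sha-hmac')
    entries: (map_name, seq) -> {'pfs': ..., 'peer': ..., 'acl': ..., 'transform_sets': ...}
    """
    transform_sets = {}
    entries = defaultdict(dict)
    for raw in lines:
        line = raw.strip()
        ts = TS_RE.match(line)
        if ts:
            if not ts.group(2).startswith("mode "):   # skip 'mode transport' lines
                transform_sets[ts.group(1)] = tuple(ts.group(2).split())
            continue
        m = MAP_RE.match(line)
        if not m:
            continue
        key = (m.group(1), int(m.group(2)))
        rest = m.group(3).split()
        ent = entries[key]
        if rest[:2] == ["set", "pfs"]:
            ent["pfs"] = rest[2] if len(rest) > 2 else PFS_DEFAULT
        elif rest[:2] == ["set", "peer"]:
            ent["peer"] = rest[2]
        elif rest[:2] == ["match", "address"]:
            ent["acl"] = rest[2]
        elif "transform-set" in rest:   # 'set transform-set' or 'set ikev1 transform-set'
            ent["transform_sets"] = tuple(rest[rest.index("transform-set") + 1:])
    return transform_sets, dict(entries)


def proposals(entry, transform_sets):
    """Algorithm tuples the entry can offer; names are local, algorithms are not."""
    return {transform_sets[n] for n in entry.get("transform_sets", ()) if n in transform_sets}


def phase2_mismatches(cfg_a, key_a, cfg_b, key_b):
    """List of (attribute, side_a_value, side_b_value) that would fail phase 2."""
    ts_a, entries_a = cfg_a
    ts_b, entries_b = cfg_b
    a, b = entries_a[key_a], entries_b[key_b]
    problems = []
    if a.get("pfs") != b.get("pfs"):          # None (no PFS) vs a group is also a mismatch
        problems.append(("pfs", a.get("pfs"), b.get("pfs")))
    if not proposals(a, ts_a) & proposals(b, ts_b):
        problems.append(("transform-set", proposals(a, ts_a), proposals(b, ts_b)))
    return problems


# Constructed snippets mirroring the two sides in the answer above.
SITE_A = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 203.0.113.2
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set ikev1 transform-set ESP-AES-256-SHA
""".splitlines()

SITE_B = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 4 match address outside_cryptomap_4
crypto map outside_map 4 set peer 203.0.113.1
crypto map outside_map 4 set pfs
crypto map outside_map 4 set ikev1 transform-set ESP-AES-256-SHA
""".splitlines()


def check_as_posted():
    return phase2_mismatches(parse_config(SITE_A), ("outside_map", 2),
                             parse_config(SITE_B), ("outside_map", 4))


def check_after_fix():
    fixed_b = [l + " group1" if l.endswith("set pfs") else l for l in SITE_B]
    return phase2_mismatches(parse_config(SITE_A), ("outside_map", 2),
                             parse_config(fixed_b), ("outside_map", 4))


if __name__ == "__main__":
    print("as posted:", check_as_posted())
    print("after fix:", check_after_fix())
```

Note that transform-set names are compared by their algorithms, not by name, since each side names its own sets; PFS is compared after the default has been filled in, which is what turns the invisible difference into an explicit ("pfs", "group1", "group2").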
-
PIX 515e to VPN 3005 concentrator cannot pass phase 1
My VPN access-list counters increase, so I know it is correct. I'm testing with ping. Config and debugs follow. The remote location is attempting the VPN connection. Thanks to all who can help. It fails in the first phase, which means a configuration mess-up, but I can't find a mismatch. Maybe I've been looking at this for too long.
PIX 515e config:
----------------
crypto ipsec transform-set aptset esp-des esp-md5-hmac
crypto map aptmap 10 ipsec-isakmp
crypto map aptmap 10 match address vpn
crypto map aptmap 10 set peer yyy.xxx.xxx.131
crypto map aptmap 10 set transform-set aptset
crypto map aptmap interface outside
isakmp enable outside
isakmp key ******** address yyy.xxx.xxx.131 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Debugs (ipsec, isakmp, ca)
-------------------------
VPN Peer: ISAKMP: Added new peer: ip:yyy.xxx.xxx.131 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:yyy.xxx.xxx.131 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1...
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= zzz.xxx.xxx.226, remote= yyy.xxx.xxx.131,
    local_proxy= 192.168.33.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.65.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src zzz.xxx.xxx.226, dst yyy.xxx.xxx.131
ISADB: reaper checking SA 0x81377ad8, conn_id = 0  DELETE IT!
VPN Peer: ISAKMP: Peer ip:yyy.xxx.xxx.131 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:yyy.xxx.xxx.131 Total VPN peers:0
Output of 'show crypto isakmp sa'
-----------------------------------
Total     : 1
Embryonic : 1
        dst               src            state       pending    created
  yyy.xxx.xxx.131   zzz.xxx.xxx.226   MM_NO_STATE       0          0
Error messages on the 3005 concentrator
------------------------------------
57 07/01/2004 11:14:47.640 SEV=4 IKE/48 RPT=23 yyy.xxx.xxx.226
Error processing payload: Payload ID: 1
58 07/01/2004 11:15:02.770 SEV=4 IKE/48 RPT=24 yyy.xxx.xxx.226
Error processing payload: Payload ID: 1
3005 concentrator LAN-to-LAN settings page
-----------------------
Enabled
Interface: external
Connection type: answer only
Peer: yyy.xxx.xxx.226
Digital certificate: none (use preshared keys)
Certificate transmission: entire certificate chain
Preshared key: {same as on the PIX}
Authentication: ESP/MD5/HMAC-128
Encryption: DES-56
IKE proposal: IKE-DES-MD5
Filter: none
IPSec NAT-T: not checked
Bandwidth policy: none
Routing: none
I noticed that you have a lifetime and a PFS group configured on the PIX. The PFS group is 2, which I think will not work with DES, although I'm not positive, as I have only used it with 3DES. Diffie-Hellman group 1 should work with single DES.
In any case, recheck the VPN 3000 config to see if a group and a lifetime have been specified in the config. If not, or if you are not sure, then remove both from the PIX and run 'clear crypto sa' on the PIX. Then try again and let me know what you find.
-
Cannot complete the tunnel's 'phase 2' when establishing a site-to-site VPN
I am trying to establish a site-to-site VPN tunnel between a Cisco 1921 and an ASA.
I am debugging using:
debug crypto isakmp
debug crypto ipsec
No debug message appears on the 1921.
The following debug message keeps coming back on the ASA:
Jan 15 16:42:55 [IKEv1]: Group = 184.1.126.140, IP = 184.1.126.140, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
ASA config: http://pastebin.com/raw.php?i=wgTxe3gF
1921 config: http://pastebin.com/raw.php?i=TEihijEF
Why won't the two establish a VPN tunnel?
It's very strange that the ASA brings the tunnel up, but the router does not. It seems that the router is waiting for authentication.
You can add:
crypto isakmp key <key> address 184.1.96.42 no-xauth
Can you run debug isakmp and debug ipsec on the router and post the output?