Incompatibility of VPN Phase 2

I have a phase 2 mismatch that I can't figure out, please help!

Here are the relevant configs.

ASA <---> Cisco 891F router, site-to-site VPN settings. I have the crypto maps applied to the outside interfaces and phase 1 works fine; phase 2 fails and says there is no phase 2 match.

ASA
-------------
access-list outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_4 10.112.10.0 255.255.255.0

crypto ipsec ikev1 transform-set [name garbled in source] esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set Hollister esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set 3des-trans esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set test2 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set test1 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set test3 esp-aes-256 esp-sha-hmac

crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set peer 108.X
crypto map outside_map 1 set ikev1 transform-set 3des-trans test2 test3 test1
crypto map outside_map 1 set security-association lifetime seconds 43200
crypto map outside_map 1 set reverse-route

Router
--------------
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key XX address 71.X
!
!
crypto ipsec transform-set vpn_trans esp-aes esp-sha-hmac
 mode transport
crypto ipsec transform-set phase2 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set IPSEC2 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ipsec3 esp-aes
 mode tunnel
crypto ipsec transform-set ipsec4 esp-3des
 mode tunnel
crypto ipsec transform-set test1 esp-aes
 mode tunnel
crypto ipsec transform-set test2 esp-3des
 mode tunnel

!
crypto map vpn_map 10 ipsec-isakmp
 set peer 71.X
 set security-association lifetime seconds 43200
 match address 101
!

access-list 101 permit ip 10.112.10.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.40.0.0 0.0.255.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.50.0.0 0.0.255.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.0.0.0 0.255.255.255

Add the following commands on the router:

crypto ipsec transform-set 3des_sha esp-3des esp-sha-hmac
crypto map vpn_map 10 ipsec-isakmp
 set transform-set 3des_sha

If this does not work, please provide us with the output of 'show run object-group id DM_INLINE_NETWORK_4' from the ASA.

Kind regards
Dinesh Moudgil

PS Please rate helpful messages.
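The reply above works because IKEv1 quick mode never negotiates transform-set names, only the encryption, integrity and mode they contain: the router and the ASA both have sets called test1 and test2, but the router's carry no ESP authentication and a different AES key size, and the router's crypto map references no set at all. The following Python is an added example, not code from the thread; it models both sides' sets from the configs posted above (the name 3des_sha is the one the reply proposes) and reports whether any proposal is mutually acceptable and, for same-named sets, which negotiated field differs.

```python
"""Phase 2 (IKEv1 quick mode) proposal matcher.

Added example, not code from the thread.  It models each side's IPsec
transform sets as what IKE actually negotiates (encryption, integrity, mode)
and reports whether any proposal is mutually acceptable.  The sample sets are
constructed from the ASA and router configs posted in the thread.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TransformSet:
    name: str
    encryption: str            # esp-des, esp-3des, esp-aes, esp-aes-192, esp-aes-256
    integrity: Optional[str]   # esp-sha-hmac, esp-md5-hmac, or None (no ESP auth)
    mode: str = "tunnel"       # "tunnel" or "transport"

    def proposal(self):
        """Only these fields travel in the SA payload; the name stays local."""
        return (self.encryption, self.integrity, self.mode)


def parse_transform_set(line, mode="tunnel"):
    """Parse 'crypto ipsec [ikev1] transform-set NAME ALG [ALG]' (ASA or IOS form).

    'mode transport' is a separate sub-command on both platforms, so the
    caller passes the mode explicitly; tunnel is the platform default.
    """
    tokens = line.split()
    if "transform-set" not in tokens:
        raise ValueError(f"not a transform-set line: {line!r}")
    i = tokens.index("transform-set")
    name, algs = tokens[i + 1], tokens[i + 2:]
    enc = [a for a in algs if a.startswith("esp-") and not a.endswith("-hmac")]
    auth = [a for a in algs if a.endswith("-hmac")]
    if len(enc) != 1 or len(auth) > 1:
        raise ValueError(f"malformed transform list in {line!r}")
    return TransformSet(name, enc[0], auth[0] if auth else None, mode)


def negotiate(initiator_sets, responder_sets):
    """Return (initiator_name, responder_name) for the first accepted proposal, or None.

    The responder walks the initiator's proposals in order and accepts the first
    one equal to a set on its own crypto map entry (the 'Checking IPSec proposal N'
    lines in IOS debug).  Duplicate proposals on the responder resolve to its
    earliest set, which is why the dict is built in reverse.
    """
    acceptable = {ts.proposal(): ts.name for ts in reversed(responder_sets)}
    for offered in initiator_sets:
        if offered.proposal() in acceptable:
            return offered.name, acceptable[offered.proposal()]
    return None


def explain_mismatch(a, b):
    """List the negotiated fields on which two sets differ (empty when they match)."""
    diffs = []
    if a.encryption != b.encryption:
        diffs.append(f"encryption {a.encryption} vs {b.encryption}")
    if a.integrity != b.integrity:
        diffs.append(f"integrity {a.integrity or 'none'} vs {b.integrity or 'none'}")
    if a.mode != b.mode:
        diffs.append(f"mode {a.mode} vs {b.mode}")
    return diffs


# Constructed from the thread: the sets the ASA's crypto map entry references,
# in the order of its 'set ikev1 transform-set' line.
ASA_MAP_SETS = [parse_transform_set(l) for l in (
    "crypto ipsec ikev1 transform-set 3des-trans esp-3des esp-sha-hmac",
    "crypto ipsec ikev1 transform-set test2 esp-3des esp-sha-hmac",
    "crypto ipsec ikev1 transform-set test3 esp-aes-256 esp-sha-hmac",
    "crypto ipsec ikev1 transform-set test1 esp-aes-256 esp-sha-hmac",
)]

# Everything the router defines.  Its crypto map vpn_map 10 has no
# 'set transform-set', so in reality it offers even less than this.
ROUTER_DEFINED_SETS = [
    parse_transform_set("crypto ipsec transform-set vpn_trans esp-aes esp-sha-hmac", mode="transport"),
    parse_transform_set("crypto ipsec transform-set phase2 esp-aes esp-sha-hmac"),
    parse_transform_set("crypto ipsec transform-set IPSEC2 esp-aes esp-sha-hmac"),
    parse_transform_set("crypto ipsec transform-set ipsec3 esp-aes"),
    parse_transform_set("crypto ipsec transform-set ipsec4 esp-3des"),
    parse_transform_set("crypto ipsec transform-set test1 esp-aes"),
    parse_transform_set("crypto ipsec transform-set test2 esp-3des"),
]

# The fix from the reply: a set whose proposal equals the ASA's 3des-trans / test2.
ROUTER_FIXED_SETS = [parse_transform_set("crypto ipsec transform-set 3des_sha esp-3des esp-sha-hmac")]


def same_name_trap():
    """test1/test2 exist on both sides yet differ in what is negotiated."""
    by_name = {ts.name: ts for ts in ASA_MAP_SETS}
    return {ts.name: explain_mismatch(ts, by_name[ts.name])
            for ts in ROUTER_DEFINED_SETS if ts.name in by_name}


if __name__ == "__main__":
    print("before fix:", negotiate(ROUTER_DEFINED_SETS, ASA_MAP_SETS))
    print("after fix: ", negotiate(ROUTER_FIXED_SETS, ASA_MAP_SETS))
    for name, diffs in same_name_trap().items():
        print(f"{name}: {'; '.join(diffs)}")
```

Before the fix no router proposal matches anything on the ASA's map entry; after it, 3des_sha pairs with the ASA's 3des-trans, and the same-name report shows test1 differing in both encryption and integrity and test2 in integrity alone.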

Tags: Cisco Security

Similar Questions

  • Site to Site VPN Phase 2 problem

    Hello

    I have an IPsec VPN problem. We have an ASA 5580 building a site-to-site VPN with an ALU VPN gateway (from a partner). The VPN connection is not established. We have checked the configurations of both devices but have not found any problem so far. I ran debug crypto isakmp 127 and got the log below. We are still trying to find the root cause; could I have your advice on this problem? Thank you. (Actual IP addresses are changed for privacy)

    Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2
    Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing ISAKMP SA payload
    Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing Fragmentation VID + extended capabilities payload
    Apr 08 10:43:45 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
    Apr 08 10:43:45 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
    Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, processing ke payload
    Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, processing ISA_KE payload
    Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, processing nonce payload
    Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing ke payload
    Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing nonce payload
    Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing Cisco Unity VID payload
    Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing xauth V6 VID payload
    Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, Send IOS VID
    Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing VID payload
    Apr 08 10:43:45 [IKEv1 DEBUG]: IP = 1.1.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Apr 08 10:43:45 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Generating keys for Responder...
    Apr 08 10:43:45 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
    Apr 08 10:43:45 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing ID payload
    Apr 08 10:43:45 [IKEv1 DECODE]: Group = 1.1.1.1, IP = 1.1.1.1, ID_IPV4_ADDR ID received
    1.1.1.1
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing notify payload
    Apr 08 10:43:45 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing ID payload
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing hash payload
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing dpd vid payload
    Apr 08 10:43:45 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
    Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 1 COMPLETED
    Apr 08 10:43:45 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: None
    Apr 08 10:43:45 [IKEv1]: IP = 1.1.1.1, Keep-alives configured on but peer does not support keep-alives (type = None)
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Starting P1 rekey timer: 21600 seconds.
    Apr 08 10:43:45 [IKEv1 DECODE]: IP = 1.1.1.1, IKE Responder starting QM: msg id = 0dbcde8a
    Apr 08 10:43:45 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=dbcde8a) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 524
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing SA payload
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing nonce payload
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing ke payload
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing ISA_KE for PFS in phase 2
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing ID payload
    Apr 08 10:43:45 [IKEv1 DECODE]: Group = 1.1.1.1, IP = 1.1.1.1, ID_IPV4_ADDR ID received
    2.2.2.2
    Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Received remote Proxy Host data in ID Payload:  Address 2.2.2.2, Protocol 0, Port 0
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing ID payload
    Apr 08 10:43:45 [IKEv1 DECODE]: Group = 1.1.1.1, IP = 1.1.1.1, ID_IPV4_ADDR ID received
    3.3.3.3
    Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Received local Proxy Host data in ID Payload:  Address 3.3.3.3, Protocol 0, Port 0
    Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, QM IsRekeyed old sa not found by addr
    Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = Outside_map, seq = 1...
    Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = Outside_map, seq = 1, ACL does not match proxy IDs src:2.2.2.2 dst:3.3.3.3
    Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = Outside_map, seq = 2...
    Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = Outside_map, seq = 2, ACL does not match proxy IDs src:2.2.2.2 dst:3.3.3.3
    Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = Outside_map, seq = 3...
    Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = Outside_map, seq = 3, ACL does not match proxy IDs src:2.2.2.2 dst:3.3.3.3
    Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = Outside_map, seq = 4...
    Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = Outside_map, seq = 4, ACL does not match proxy IDs src:2.2.2.2 dst:3.3.3.3
    Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = Outside_map, seq = 5...
    Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = Outside_map, seq = 5, ACL does not match proxy IDs src:2.2.2.2 dst:3.3.3.3
    Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = Outside_map, seq = 6...
    Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = Outside_map, seq = 6, ACL does not match proxy IDs src:2.2.2.2 dst:3.3.3.3
    Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = Outside_map, seq = 7...
    Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = Outside_map, seq = 7, ACL does not match proxy IDs src:2.2.2.2 dst:3.3.3.3
    Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = Outside_map, seq = 8...
    Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = Outside_map, seq = 8, ACL does not match proxy IDs src:2.2.2.2 dst:3.3.3.3
    Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, checking map = Outside_map, seq = 9...
    Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Static Crypto Map check, map = Outside_map, seq = 9, ACL does not match proxy IDs src:2.2.2.2 dst:3.3.3.3
    Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 2.2.2.2/255.255.255.255/0/0 local proxy 3.3.3.3/255.255.255.255/0/0 on interface outside
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, sending notify message
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload
    Apr 08 10:43:45 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=456db437) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 576
    Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, QM FSM error (P2 struct &0x3d51e058, mess id 0xdbcde8a)!
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, IKE QM Responder FSM error history (struct &0x3d51e058)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, sending delete/delete with reason message
    Apr 08 10:43:45 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from correlator table failed, no match!
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, IKE SA MM:db841932 rcv'd Terminate: state MM_ACTIVE  flags 0x00010042, refcnt 1, tuncnt 0
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, IKE SA MM:db841932 terminating:  flags 0x01010002, refcnt 0, tuncnt 0
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, sending delete/delete with reason message
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing IKE delete payload
    Apr 08 10:43:45 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload
    Apr 08 10:43:45 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=c1606511) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    Apr 08 10:43:45 [IKEv1]: Ignoring msg to mark SA with dsID 2781184 dead because SA deleted
    Apr 08 10:43:46 [IKEv1]: IP = 1.1.1.1, Received encrypted packet with no matching SA, dropping

    Phase 1 completes successfully, but when the remote end sends the traffic that must match your crypto map and bring up a Phase 2 IPsec SA, it does not match:

    Rejecting IPSec tunnel: no matching crypto map entry for remote proxy

    Double-check that "2.2.2.2 to 3.3.3.3" is in your end's crypto map (and that the reverse is in place on the remote side).
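Both threads end at the same two checks: does some crypto-ACL entry cover the proxy IDs the peer actually sent (the ASA walks every seq of Outside_map above and finds none for 2.2.2.2/3.3.3.3), and is the peer's ACL the mirror image of ours (the first thread's reply asks for the contents of DM_INLINE_NETWORK_4 to compare against the router's ACL 101). The following Python is an added example, not code from either thread: it parses ASA-form (netmask) and IOS-form (wildcard) crypto ACL lines and answers both questions. The ASA ACL for the ALU case is constructed, since the thread does not show it; ACL 101 is the router's from the first thread, and the contents assumed for object-group DM_INLINE_NETWORK_4 are an assumption.

```python
"""Crypto-map ACL / proxy-ID checker.

Added example, not code from the threads.  Parses 'permit ip' crypto ACL
entries in ASA form (netmasks) or IOS form (wildcard masks) into networks,
then reports which entry covers a (local, remote) proxy pair and whether two
sides' ACLs mirror each other.  Proxy IDs are modelled as host addresses,
which is what the ASA debug above shows (/32 proxies); subnet proxies would
need entry-for-entry comparison instead.
"""
import ipaddress


def _take_net(tokens, wildcard):
    """Consume one 'any' | 'host A' | 'A MASK' operand and return a network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if wildcard:  # IOS wildcard bits are the inverse of a netmask
        mask = ".".join(str(255 - int(octet)) for octet in mask.split("."))
    return ipaddress.ip_network(f"{first}/{mask}", strict=False)


def parse_acl(lines, style):
    """Return [(src_net, dst_net), ...] for 'permit ip' lines; style is 'asa' or 'ios'."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            raise ValueError(f"not an ACL line: {line!r}")
        rest = tokens[2:]                  # skip the ACL name or number
        if rest[:1] == ["extended"]:       # ASA keyword, absent on IOS numbered ACLs
            rest = rest[1:]
        if rest[:2] != ["permit", "ip"]:
            raise ValueError(f"only 'permit ip' entries are modelled: {line!r}")
        rest = rest[2:]
        src = _take_net(rest, wildcard=(style == "ios"))
        dst = _take_net(rest, wildcard=(style == "ios"))
        entries.append((src, dst))
    return entries


def covering_entry(entries, local, remote):
    """1-based sequence number of the first entry whose src contains the local
    proxy and whose dst contains the remote proxy, or None.  This is the walk
    the ASA reports as 'Static Crypto Map check ... seq = N'."""
    local, remote = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    for seq, (src, dst) in enumerate(entries, start=1):
        if local in src and remote in dst:
            return seq
    return None


def is_mirror(ours, theirs):
    """True when every (src, dst) pair on our side appears as (dst, src) on theirs."""
    return {(s, d) for s, d in ours} == {(d, s) for s, d in theirs}


# Constructed: an ASA crypto ACL that only covers a pair of networks, and the
# host-to-host entry the reply says to double-check for.
ASA_BEFORE = parse_acl([
    "access-list Outside_cryptomap extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0",
], style="asa")
ASA_AFTER = ASA_BEFORE + parse_acl([
    "access-list Outside_cryptomap extended permit ip host 3.3.3.3 host 2.2.2.2",
], style="asa")

# From the 891F config in the first thread.
ROUTER_ACL_101 = parse_acl([
    "access-list 101 permit ip 10.112.10.0 0.0.0.255 10.11.0.0 0.0.255.255",
    "access-list 101 permit ip 10.112.10.0 0.0.0.255 10.40.0.0 0.0.255.255",
    "access-list 101 permit ip 10.112.10.0 0.0.0.255 10.50.0.0 0.0.255.255",
    "access-list 101 permit ip 10.112.10.0 0.0.0.255 10.0.0.0 0.255.255.255",
], style="ios")

# Assumption: object-group DM_INLINE_NETWORK_4 expands to exactly these four
# networks (the thread asks for its contents but never shows them).
ASA_ACL_ASSUMED = parse_acl([
    "access-list outside_cryptomap_2 extended permit ip 10.11.0.0 255.255.0.0 10.112.10.0 255.255.255.0",
    "access-list outside_cryptomap_2 extended permit ip 10.40.0.0 255.255.0.0 10.112.10.0 255.255.255.0",
    "access-list outside_cryptomap_2 extended permit ip 10.50.0.0 255.255.0.0 10.112.10.0 255.255.255.0",
    "access-list outside_cryptomap_2 extended permit ip 10.0.0.0 255.0.0.0 10.112.10.0 255.255.255.0",
], style="asa")


if __name__ == "__main__":
    print("ALU case, before:", covering_entry(ASA_BEFORE, "3.3.3.3", "2.2.2.2"))
    print("ALU case, after: ", covering_entry(ASA_AFTER, "3.3.3.3", "2.2.2.2"))
    print("891F vs assumed ASA ACL mirror:", is_mirror(ROUTER_ACL_101, ASA_ACL_ASSUMED))
```

With the constructed ASA ACL the 3.3.3.3/2.2.2.2 proxies hit no entry, exactly the per-seq failure in the log; adding the host-to-host entry makes seq 2 cover them. The mirror check passes only if every router entry has its reverse on the ASA, so a DM_INLINE_NETWORK_4 that omits one of the four networks (or adds a fifth) fails it.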

  • IPsec VPN Phase 2 fails. Need help with the debug output

    Can someone please tell me why I can't establish IPsec phase 2 negotiations? I'm trying to connect a 2651XM to a PIX 501.

    Here are the isakmp and ipsec debug output and the configs. I checked that the keys are the same, and the transform sets look OK. No idea why it's not working?

    What is the output below telling me?

    ===========================================================

    01:32:37: IPSEC(validate_transform_proposal): invalid local address 1.1.1.2
    01:32:37: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
    01:32:37: ISAKMP:(0:2:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.2 remote 1.1.1.3)
    01:32:37: IPSEC(validate_transform_proposal): invalid local address 1.1.1.2
    01:32:37: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
    01:32:37: ISAKMP:(0:2:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.2 remote 1.1.1.3)

    ===============================================================================

    ISAKMP (0): beginning Quick Mode exchange, M-ID of -1154286426:bb32fca6
    crypto_isakmp_process_block: src 1.1.1.2, dest 1.1.1.3
    ISAKMP (0): processing NOTIFY payload 14 protocol 2
            spi 2224366689, message ID = 1503891776
    ISAKMP (0): deleting spi 1629787524 message ID = 3140680870
    return status is IKMP_NO_ERR_NO_TRANS
    pixfirewall#
    pixfirewall# sh crypto is
    ISAKMP (0): beginning Quick Mode exchange, M-ID of 400184159:17da535f
    crypto_isakmp_process_block: src 1.1.1.2, dest 1.1.1.3
    ISAKMP (0): processing NOTIFY payload 14 protocol 2
            spi 2649583861, message ID = 1778335964
    ISAKMP (0): deleting spi 4117818781 message ID = 400184159
    return status is IKMP_NO_ERR_NO_TRANSkmp sa
    Total     : 1
    Embryonic : 0
            dst               src        state     pending     created
       1.1.1.2           1.1.1.3     QM_IDLE         0           0
    pixfirewall#
    ISAKMP (0): beginning Quick Mode exchange, M-ID of 923039456:370476e0
    crypto_isakmp_process_block: src 1.1.1.2, dest 1.1.1.3
    ISAKMP (0): processing NOTIFY payload 14 protocol 2
            spi 2163779852, message ID = 2746774364
    ISAKMP (0): deleting spi 212465792 message ID = 923039456
    return status is IKMP_NO_ERR_NO_TRANSexi

    Session closed

    CCC#sh cryp
    CCC#sh crypto isakmp sa
    dst             src             state          conn-id slot status
    1.1.1.2         1.1.1.3         QM_IDLE              1    0 ACTIVE

    CCC#ping 192.168.1.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

    CCC#ping 192.168.1.5

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)
    CCC#debug crypto isakmp
    Crypto ISAKMP debugging is on
    CCC#debug crypto ipsec
    Crypto IPSEC debugging is on
    CCC#debug crypto verbose
    Crypto verbose debugging is on
    CCC#ping 192.168.1.5

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)
    CCC#
    00:51:24: ISAKMP (0:134217729): received packet from 1.1.1.3 dport 500 sport 500 Global (R) QM_IDLE
    00:51:24: ISAKMP: set new node 1268073006 to QM_IDLE
    00:51:24: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 1268073006
    00:51:24: ISAKMP:(0:1:SW:1): processing SA payload. message ID = 1268073006
    00:51:24: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
    00:51:24: ISAKMP: transform 1, AH_SHA
    00:51:24: ISAKMP:   attributes in transform:
    00:51:24: ISAKMP:      encaps is 1 (Tunnel)
    00:51:24: ISAKMP:      SA life type in seconds
    00:51:24: ISAKMP:      SA life duration (basic) of 28800
    00:51:24: ISAKMP:      SA life type in kilobytes
    00:51:24: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    00:51:24: ISAKMP:      authenticator is HMAC-SHA
    00:51:24: ISAKMP:(0:1:SW:1):atts are acceptable.
    00:51:24: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
    00:51:24: ISAKMP: transform 1, ESP_3DES
    00:51:24: ISAKMP:   attributes in transform:
    00:51:24: ISAKMP:      encaps is 1 (Tunnel)
    00:51:24: ISAKMP:      SA life type in seconds
    00:51:24: ISAKMP:      SA life duration (basic) of 28800
    00:51:24: ISAKMP:      SA life type in kilobytes
    00:51:24: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    00:51:24: ISAKMP:(0:1:SW:1):atts are acceptable.
    00:51:24: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
        local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
        remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
        protocol= AH, transform= ah-sha-hmac  (Tunnel),
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
    00:51:24: IPSEC(validate_proposal_request): proposal part #2,
      (key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
        local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
        remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-3des  (Tunnel),
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
    00:51:24: IPSEC(validate_transform_proposal): invalid local address 1.1.1.2
    00:51:24: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
    00:51:24: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.2 remote 1.1.1.3)
    00:51:24: ISAKMP: set new node -429221146 to QM_IDLE
    00:51:24: ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 2
            spi 2237255312, message ID = -429221146
    00:51:24: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.3 my_port 500 peer_port 500 (R) QM_IDLE
    00:51:24: ISAKMP:(0:1:SW:1):purging node -429221146
    00:51:24: ISAKMP:(0:1:SW:1):deleting node 1268073006 error TRUE reason "QM rejected"
    00:51:24: ISAKMP (0:134217729): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  state = IKE_QM_READY
    00:51:24: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    00:51:24: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_READY
    00:51:24: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 1.1.1.3
    00:51:54: ISAKMP (0:134217729): received packet from 1.1.1.3 dport 500 sport 500 Global (R) QM_IDLE
    00:51:54: ISAKMP: set new node -500877443 to QM_IDLE
    00:51:54: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -500877443
    00:51:54: ISAKMP:(0:1:SW:1): processing SA payload. message ID = -500877443
    00:51:54: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
    00:51:54: ISAKMP: transform 1, AH_SHA
    00:51:54: ISAKMP:   attributes in transform:
    00:51:54: ISAKMP:      encaps is 1 (Tunnel)
    00:51:54: ISAKMP:      SA life type in seconds
    00:51:54: ISAKMP:      SA life duration (basic) of 28800
    00:51:54: ISAKMP:      SA life type in kilobytes
    00:51:54: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    00:51:54: ISAKMP:      authenticator is HMAC-SHA
    00:51:54: ISAKMP:(0:1:SW:1):atts are acceptable.
    00:51:54: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
    00:51:54: ISAKMP: transform 1, ESP_3DES
    00:51:54: ISAKMP:   attributes in transform:
    00:51:54: ISAKMP:      encaps is 1 (Tunnel)
    00:51:54: ISAKMP:      SA life type in seconds
    00:51:54: ISAKMP:      SA life duration (basic) of 28800
    00:51:54: ISAKMP:      SA life type in kilobytes
    00:51:54: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    00:51:54: ISAKMP:(0:1:SW:1):atts are acceptable.
    00:51:54: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
        local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
        remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
        protocol= AH, transform= ah-sha-hmac  (Tunnel),
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
    00:51:54: IPSEC(validate_proposal_request): proposal part #2,
      (key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
        local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
        remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-3des  (Tunnel),
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
    00:51:54: IPSEC(validate_transform_proposal): invalid local address 1.1.1.2
    00:51:54: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
    00:51:54: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.2 remote 1.1.1.3)
    00:51:54: ISAKMP: set new node -701693099 to QM_IDLE
    00:51:54: ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 2
            spi 2237255312, message ID = -701693099
    00:51:54: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.3 my_port 500 peer_port 500 (R) QM_IDLE
    00:51:54: ISAKMP:(0:1:SW:1):purging node -701693099
    00:51:54: ISAKMP:(0:1:SW:1):deleting node -500877443 error TRUE reason "QM rejected"
    00:51:54: ISAKMP (0:134217729): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  state = IKE_QM_READY
    00:51:54: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    00:51:54: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_READY
    00:52:14: ISAKMP:(0:1:SW:1):purging node 1268073006
    CCC#sh crypto isakmp sa
    dst             src             state          conn-id slot status
    1.1.1.2         1.1.1.3         QM_IDLE              1    0 ACTIVE

    CCC#ping 192.168.1.5

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:

    00:52:44: ISAKMP:(0:1:SW:1):purging node -500877443...
    00:52:50: ISAKMP (0:134217729): received packet from 1.1.1.3 dport 500 sport 500 Global (R) QM_IDLE
    00:52:50: ISAKMP: set new node 1186613650 to QM_IDLE
    00:52:50: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 1186613650
    00:52:50: ISAKMP:(0:1:SW:1): processing SA payload. message ID = 1186613650
    00:52:50: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
    00:52:50: ISAKMP: transform 1, AH_SHA
    00:52:50: ISAKMP:   attributes in transform:
    00:52:50: ISAKMP:      encaps is 1 (Tunnel)
    00:52:50: ISAKMP:      SA life type in seconds
    00:52:50: ISAKMP:      SA life duration (basic) of 28800
    00:52:50: ISAKMP:      SA life type in kilobytes
    00:52:50: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    00:52:50: ISAKMP:      authenticator is HMAC-SHA
    00:52:50: ISAKMP:(0:1:SW:1):atts are acceptable.
    00:52:50: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
    00:52:50: ISAKMP: transform 1, ESP_3DES
    00:52:50: ISAKMP:   attributes in transform:
    00:52:50: ISAKMP:      encaps is 1 (Tunnel)
    00:52:50: ISAKMP:      SA life type in seconds
    00:52:50: ISAKMP:      SA life duration (basic) of 28800
    00:52:50: ISAKMP:      SA life type in kilobytes
    00:52:50: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    00:52:50: ISAKMP:(0:1:SW:1):atts are acceptable.
    00:52:50: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
        local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
        remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
        protocol= AH, transform= ah-sha-hmac  (Tunnel),
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
    00:52:50: IPSEC(validate_proposal_request): proposal part #2,
      (key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
        local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
        remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-3des  (Tunnel),
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
    00:52:50: IPSEC(validate_transform_proposal): invalid local address 1.1.1.2
    00:52:50: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
    00:52:50: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.2 remote 1.1.1.3)
    00:52:50: ISAKMP: set new node -1113601414 to QM_IDLE
    00:52:50: ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 2
            spi 2237255312, message ID = -1113601414
    00:52:50: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.3 my_port 500 peer_port 500 (R) QM_IDLE
    00:52:50: ISAKMP:(0:1:SW:1):purging node -1113601414
    00:52:50: ISAKMP:(0:1:SW:1):deleting node 1186613650 error TRUE reason "QM rejected"
    00:52:50: ISAKMP (0:134217729): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  state = IKE_QM_READY
    00:52:50: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    00:52:50: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_READY
    00:52:50: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 1.1.1.3
    Success rate is 0 percent (0/5)
    CCC#
    00:53:20: ISAKMP (0:134217729): received packet from 1.1.1.3 dport 500 sport 500 Global (R) QM_IDLE
    00:53:20: ISAKMP: set new node 459446741 to QM_IDLE
    00:53:20: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 459446741
    00:53:20: ISAKMP:(0:1:SW:1): processing SA payload. message ID = 459446741
    00:53:20: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
    00:53:20: ISAKMP: transform 1, AH_SHA
    00:53:20: ISAKMP:   attributes in transform:
    00:53:20: ISAKMP:      encaps is 1 (Tunnel)
    00:53:20: ISAKMP:      SA life type in seconds
    00:53:20: ISAKMP:      SA life duration (basic) of 28800
    00:53:20: ISAKMP:      SA life type in kilobytes
    00:53:20: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    00:53:20: ISAKMP:      authenticator is HMAC-SHA
    00:53:20: ISAKMP:(0:1:SW:1):atts are acceptable.
    00:53:20: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
    00:53:20: ISAKMP: transform 1, ESP_3DES
    00:53:20: ISAKMP:   attributes in transform:
    00:53:20: ISAKMP:      encaps is 1 (Tunnel)
    00:53:20: ISAKMP:      SA life type in seconds
    00:53:20: ISAKMP:      SA life duration (basic) of 28800
    00:53:20: ISAKMP:      SA life type in kilobytes
    00:53:20: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    00:53:20: ISAKMP:(0:1:SW:1):atts are acceptable.
    00:53:20: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
        local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
        remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
        protocol= AH, transform= ah-sha-hmac  (Tunnel),
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
    00:53:20: IPSEC(validate_proposal_request): proposal part #2,
      (key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
        local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
        remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-3des  (Tunnel),
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
    00:53:20: IPSEC(validate_transform_proposal): invalid local address 1.1.1.2
    00:53:20: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
    00:53:20: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.2 remote 1.1.1.3)
    00:53:20: ISAKMP: set new node -1692074376 to QM_IDLE
    00:53:20: ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 2
            spi 2237255312, message ID = -1692074376
    00:53:20: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.3 my_port 500 peer_port 500 (R) QM_IDLE
    00:53:20: ISAKMP:(0:1:SW:1):purging node -1692074376
    00:53:20: ISAKMP:(0:1:SW:1):deleting node 459446741 error TRUE reason "QM rejected"
    00:53:20: ISAKMP (0:134217729): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  state = IKE_QM_READY
    00:53:20: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    00:53:20: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_READY
    00:53:40: ISAKMP:(0:1:SW:1):purging node 1186613650
    00:53:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
    00:54:10: ISAKMP:(0:1:SW:1):purging node 459446741

    ===============================================================================

    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
    pager lines 24
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside 1.1.1.3 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 10.10.10.0 255.255.255.0 inside
    pdm location 10.10.10.0 255.255.255.0 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set Petaluma_VPN ah-sha-hmac esp-3des
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 1.1.1.2
    crypto map outside_map 20 set transform-set Petaluma_VPN
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key * address 1.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet timeout 5
    ssh timeout 5
    dhcpd address 192.168.1.5-192.168.1.33 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:8c0d4948407071d3515f1546cf8bc147
    : end
    pixfirewall#

    =========================================================================

    CCC#sh run
    Building configuration...

    Current configuration : 1328 bytes
    !
    version 12.4
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname CCC
    !
    boot-start-marker
    boot system flash c2600-adventerprisek9-mz.124-25d.bin
    boot-end-marker
    !
    !
    no aaa new-model
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    ip cef
    !
    !
    !
    !
    !
    !
    !
    crypto isakmp policy 2
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key cisco123 address 1.1.1.3
    !
    !
    crypto ipsec transform-set Petaluma_VPN ah-sha-hmac esp-3des
    !
    crypto map Petaluma_1 1 ipsec-isakmp
     set peer 1.1.1.3
     set transform-set Petaluma_VPN
     match address 100
    !
    !
    !
    !
    interface FastEthernet0/0
     ip address 1.1.1.2 255.255.255.0
     speed auto
     half-duplex
    !
    interface Serial0/0
     no ip address
     shutdown
     clock rate 56000
    !
    interface FastEthernet0/1
     ip address 10.10.10.2 255.255.255.0
     duplex auto
     speed auto
     crypto map Petaluma_1
    !
    ip forward-protocol nd
    ip route 192.168.1.0 255.255.255.0 1.1.1.3
    !
    !
    no ip http server
    no ip http secure-server
    !
    access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     login
    !
    !
    end

    CCC#


    Hi David,

    Looking at the router configuration, it seems that you have applied the crypto map to the wrong interface.

    interface FastEthernet0/0
     ip address 1.1.1.2 255.255.255.0
     speed auto
     half-duplex
    !
    interface FastEthernet0/1
     ip address 10.10.10.2 255.255.255.0
     duplex auto
     speed auto
     crypto map Petaluma_1

    Given that the PIX will attempt to build the VPN tunnel to 1.1.1.2, the crypto map Petaluma_1 must be applied to FastEthernet0/0, not FastEthernet0/1.

    Let me know if it helps.

    Thank you

    Loren
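    The checks behind Loren's diagnosis, as an added example (not the poster's or Cisco's code): it parses a constructed, cleaned-up copy of the thread's router config and reports when the crypto map sits on an interface whose address is not the one the peer dials (the cause of the "invalid local address" line in the debug), and also verifies that the transform set and the crypto ACL mirror the PIX side. The PIX_PEER dictionary and all function names are assumptions made for this example.

```python
"""Check an IOS site-to-site IPsec config against what the remote peer expects.

Added example for this thread, not Cisco code. Input is a constructed IOS
config (the thread's 2600 router, normalised to IOS syntax) plus a summary
of the PIX side; output is a list of mismatches a debug would surface.
"""
import ipaddress
import re

# Constructed sample: the router config from the thread, normalised to IOS syntax.
ROUTER_CONFIG = """\
crypto ipsec transform-set Petaluma_VPN ah-sha-hmac esp-3des
crypto map Petaluma_1 1 ipsec-isakmp
 set peer 1.1.1.3
 set transform-set Petaluma_VPN
 match address 100
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
interface FastEthernet0/1
 ip address 10.10.10.2 255.255.255.0
 crypto map Petaluma_1
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# Constructed summary of the PIX side of the same tunnel (assumed shape).
PIX_PEER = {"set_peer": "1.1.1.2", "transform": ["ah-sha-hmac", "esp-3des"],
            "local_net": "192.168.1.0/24", "remote_net": "10.10.10.0/24"}


def wild_to_net(addr, wildcard):
    """Convert an IOS address/wildcard pair into CIDR text, e.g. '10.10.10.0/24'."""
    prefix = 32 - sum(bin(int(o)).count("1") for o in wildcard.split("."))
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def parse_ios(text):
    """Return (interfaces, crypto maps, transform sets, crypto ACLs) from IOS config."""
    ifaces, maps, tsets, acls = {}, {}, {}, {}
    section = None  # ("if", name) or ("map", name) while inside an indented block
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):          # top-level command
            section = None
            m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
            if m:
                tsets[m.group(1)] = m.group(2).split()
                continue
            m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line)
            if m:
                section = ("map", m.group(1))
                maps.setdefault(m.group(1), {})
                continue
            m = re.match(r"interface (\S+)", line)
            if m:
                section = ("if", m.group(1))
                ifaces[m.group(1)] = {}
                continue
            m = re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line)
            if m:
                acl, s, sw, d, dw = m.groups()
                acls.setdefault(acl, []).append((wild_to_net(s, sw), wild_to_net(d, dw)))
            continue
        words = line.split()                   # indented sub-command
        if section and section[0] == "map":
            entry = maps[section[1]]
            if words[:2] == ["set", "peer"]:
                entry["peer"] = words[2]
            elif words[:2] == ["set", "transform-set"]:
                entry["transform"] = words[2]
            elif words[:2] == ["match", "address"]:
                entry["acl"] = words[2]
        elif section and section[0] == "if":
            entry = ifaces[section[1]]
            if words[:2] == ["ip", "address"]:
                entry["ip"] = words[2]
            elif words[:2] == ["crypto", "map"]:
                entry["crypto_map"] = words[2]
    return ifaces, maps, tsets, acls


def check_site_to_site(config, peer):
    """Return a list of findings; an empty list means the local side matches the peer's view."""
    ifaces, maps, tsets, acls = parse_ios(config)
    findings = []
    for name, cmap in maps.items():
        bound = [(i, d) for i, d in ifaces.items() if d.get("crypto_map") == name]
        if not bound:
            findings.append(f"crypto map {name} is not applied to any interface")
            continue
        for ifname, data in bound:
            # IOS only accepts a phase 2 proposal whose local address is on the
            # crypto-mapped interface; otherwise it logs 'invalid local address'.
            if data.get("ip") != peer["set_peer"]:
                findings.append(
                    f"crypto map {name} is on {ifname} ({data.get('ip')}), but the peer "
                    f"dials {peer['set_peer']}; expect 'invalid local address' in debug")
        if sorted(tsets.get(cmap.get("transform"), [])) != sorted(peer["transform"]):
            findings.append(f"transform set {cmap.get('transform')} does not match the peer's")
        # The crypto ACL must mirror the peer's: our local network is their remote.
        expected = (peer["remote_net"], peer["local_net"])
        if expected not in acls.get(cmap.get("acl"), []):
            findings.append(f"crypto ACL {cmap.get('acl')} does not mirror the peer's proxy IDs")
    return findings


if __name__ == "__main__":
    for f in check_site_to_site(ROUTER_CONFIG, PIX_PEER):
        print("FINDING:", f)
```

    Run against the sample it reports exactly the interface mismatch from the thread; moving the crypto map to FastEthernet0/0 makes the check pass.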

  • HP 15 N234Sl: free Windows 10 upgrade incompatibility - Cisco VPN adapter 64-bit

    Jyn

    I have a laptop with Windows 8.1 - Intel Core i7 4500U, 8 GB of RAM, Nvidia GeForce 740.

    I reserved Windows 10 and since the 29th, up to now, it has said: Please wait while the update gets ready for your PC.

    But I discovered today that it is not ready, because there is an error:

    I immediately removed all VPN clients etc., but the error persists. Does someone know what to do?

    Thank you very much

    If you are having problems upgrading using the icon (like many people), you can manually download Windows (the original, not a pirated copy) from Microsoft's web site.

    The Windows 10 download tool link: http://www.Microsoft.com/en-us/software-download/Windows10

    If it helps you, mark it as a solution.

  • l2l ASA vpn issues

    Hi all

    I have two firewalls that I'm trying to build an L2L VPN between. One of them is an old SonicWall and the other a 5505.

    I have put everything in, phase 1/2 completes and the tunnel comes up, however no traffic passes through.

    Here is my configuration

    ASA (outside 192.168.30.1), ASA internal 192.168.10.0/25

    SonicWall (outside 192.168.30.2), SonicWall internal 192.168.20.0/24

    I have an access list configured on the ASA and applied to the crypto map using crypto map XXXX 1 match address YYY

    However, when I watch the debugging messages on the console it says: "cannot locate output interface for UDP from XXXX:192.168.10.10/1 to 192.178.20.1/0".

    Any ideas why this is?

    Do I just need a static route to say all traffic on the ASA with source 192...10.0 should go through 192.168.30.2?

    I guess that's the job of the crypto map

    Am I wrong?

    Hello

    It seems to me that you have a VPN filter ACL configured for your L2L VPN, and also that the VPN filter ACL and the crypto ACL are the same thing, meaning you use a single ACL for both.

    Why I think so is the fact that you say your L2L VPN traffic passes the "packet-tracer" VPN phase, which means the L2L VPN crypto ACL was correct. At the same time you say that the connection was stopped at the VPN USER phase. That points to a VPN filter ACL being configured.

    Given the above, I also know that the filter ACL for an L2L VPN behaves with a different logic than a typical interface ACL. In an L2L VPN the filter ACL ALWAYS mentions the remote network as the source and your local network as the destination.

    If you add an ACL rule with the networks switched around, this should fix the VPN filter ACL problems and finally allow the traffic. Naturally I can only guess, since I have not seen the actual configurations at this point (which, usually together with the "packet-tracer" output, help solve a problem faster than just guessing)

    If you indeed have a VPN filter, you may be able to track it down with the following commands

    show run tunnel-group

    Check if a "group-policy" is defined, then the command

    show run group-policy

    This output should list the name of the VPN filter ACL if it is set

    Regarding the automatic route installation. The default setting on the ASA is that it will NOT create static routes automatically based on the VPN configurations. This must be enabled manually in the "crypto map" configuration, or you can configure static routes manually.

    The ASA tracks TCP and UDP connections by default. ICMP is inspected only if you permit it. By default, it is NOT inspected.

    Hope this helps

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary.

    -Jouni

  • ASA5505 PROBLEM VPN


    Hello

    It seems to me that the configurations are for the most part fine. But of course, they may differ from those at the remote site. We do not know what the settings are on the other side of this L2L VPN connection.

    The NAT0 configuration has one line that is not necessary (line below)

    access-list inside_nat0_outbound extended permit ip lan-imp 255.255.255.0 1.1.1.0 255.255.255.0

    You can use "packet-tracer" on the CLI side to check what happens to the first traffic

    packet-tracer input inside tcp 1.1.1.100 12345 192.168.1.100 80

    I guess the LAN IP address has been changed for some reason, so replace the IP addresses above with arbitrary IP addresses from the LAN and the REMOTE LAN if necessary.

    Issue the command above twice. If the second output still stops at the VPN phase with DROP, then there are some problems in the configurations on one side or the other of the L2L VPN connection.

    You can also check the output of the following command after issuing the "packet-tracer" command above, to check what is happening in phase 1 of the L2L VPN negotiations

    show crypto isakmp sa

    If that runs through, then I would start looking for a problem in the "crypto map" related configurations.

    -Jouni

  • Migration phase 3 DMVPN with Central Hub

    I'm looking at migrating my DMVPN network from phase 2 to phase 3. The current system contains 3 regional hubs, each serving about 100 spokes. The end goal is to be able to build spoke-to-spoke tunnels between sites that are hosted on hubs in different regions. I understand from reading the document "Migrating from Dynamic Multipoint VPN Phase 2 to Phase 3" that phase 3 regional hubs can be linked in a hierarchy through a central hub, but there are no details in the doc and I was not able to find a white paper that addresses this specifically. Does anyone have experience with this topology, or material regarding the deployment and configuration of the central hub?

    Kind regards

    Mike

    Mike,

    DMVPN phase 3 is still a valid design choice, even if we are heading for the FlexVPN/IKEv2 combo (eventually ending up on ASRs)

    That being said, the deployment is quite easy:

    -NHRP shortcuts (+ NHRP redirect, really unnecessary during stable operation) on the spokes

    -NHRP redirect on the hubs.

    Generally on regional hubs you would have one tunnel interface towards the spokes and another (spoke-like) tunnel towards the global hubs; remember that they must belong to the same NHRP network (i.e. same NHRP network id).

    Now, depending on your routing protocol choice (BGP will scale better, obviously), it's just a matter of advertising the right summaries and setting the delays and costs.

    That is the top-level view as far as I know; if you want to read more, google "BRKSEC DMVPN" and you will find a few different items from past Cisco Live/Networkers events - my resource of choice.

    M.

  • Unable to establish phase 1 of site-to-site VPN

    Hi Experts,

    Site-B(router)---Modem---Internet---Site-A(router)

    I am trying to create a site-to-site IPsec VPN between a Cisco 2900 and a Cisco 861, and here is the scenario. Please find the connectivity diagram in the attached file.

    The issue is that there is a modem provided by the ISP at Site-B, and the Cisco 861 router is connected to that modem; the connection is delivered over RJ11 and there is no ADSL port available on the Site-B router.

    Based on the scenario mentioned above, here is the config

    Site-B:

    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2

    crypto isakmp key CITDENjan2014 address 80.227.xx.xx

    crypto ipsec transform-set ETH-to-Dxb esp-3des esp-md5-hmac
     mode tunnel

    crypto map VPN 1 ipsec-isakmp
     set peer 80.227.xx.xx
     set transform-set ETH-to-Dxb
     match address 110

    interface FastEthernet4
     ip address 192.168.1.254 255.255.255.0
     crypto map VPN

    ip route 0.0.0.0 0.0.0.0 192.168.1.1

    ip access-list extended 110
     permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255

    Please find the screenshots of the ADSL modem for the information below

    Dual configuration on the LAN interface of the ADSL modem with IP address

    I did port forwarding on the modem, although I have not done port forwarding before, so I'm not sure whether it is correct or not.

    Site-A router config:

    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2

    crypto isakmp key CITDENjan2014 address 197.156.xx.xx

    crypto ipsec transform-set Dxb-to-ETH esp-3des esp-md5-hmac
     mode tunnel

    crypto map Dxb-to-Nigeria 20 ipsec-isakmp
     set peer 197.156.xx.xx
     set transform-set Dxb-to-ETH
     match address 120

    interface GigabitEthernet0/1
     ip address 80.227.xx.xx 255.255.255.252
     crypto map Dxb-to-Nigeria

    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1

    access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 101 permit ip 192.168.10.0 0.0.0.255 any

    ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload

    route-map SDM_RMAP_1 permit 1
     match ip address 101

    Logs on the Site-B router:

    *Apr 16 13:02:06.735: ISAKMP (0): received packet from 80.227.xx.xx dport 500 sport 1 Global (N) NEW SA
    *Apr 16 13:02:06.735: ISAKMP: Created a peer struct for 80.227.xx.xx, peer port 1
    *Apr 16 13:02:06.735: ISAKMP: New peer created peer = 0x886B0310 peer_handle = 0x8000001D
    *Apr 16 13:02:06.735: ISAKMP: Locking peer struct 0x886B0310, refcount 1 for crypto_isakmp_process_block
    *Apr 16 13:02:06.735: ISAKMP: local port 500, remote port 1
    *Apr 16 13:02:06.735: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 88776A88
    *Apr 16 13:02:06.735: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Apr 16 13:02:06.735: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

    *Apr 16 13:02:06.735: ISAKMP:(0): processing SA payload. message ID = 0
    *Apr 16 13:02:06.735: ISAKMP:(0): processing vendor id payload
    *Apr 16 13:02:06.735: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Apr 16 13:02:06.735: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Apr 16
    ETH-CIT# 13:02:06.735: ISAKMP:(0): processing vendor id payload
    *Apr 16 13:02:06.735: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    *Apr 16 13:02:06.739: ISAKMP (0): vendor ID is NAT-T v7
    *Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
    *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v3
    *Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
    *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v2
    *Apr 16 13:02:06.739: ISAKMP:(0):found peer pre-shared key matching 80.227.xx.xx
    *Apr 16 13:02:06.739: ISAKMP:(0): local preshared key found
    *Apr 16 13:02:06.739: ISAKMP : Scanning profiles for xauth ...

    *Apr 16 13:02:06.739: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    *Apr 16 13:02:06.739: ISAKMP:      encryption 3DES-CBC
    *Apr 16 13:02:06.739: ISAKMP:      hash MD5
    *Apr 16 13:02:06.739: ISAKMP:      default group 2
    *Apr 16 13:02:06.739: ISAKMP:      auth pre-share
    *Apr 16 13:02:06.739: ISAKMP:      life type in seconds
    *Apr 16 13:02:06.739: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    *Apr 16 13:02:06.739: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Apr 16 13:02:06.739: ISAKMP:(0):Acceptable atts:actual life: 0
    *Apr 16 13:02:06.739: ISAKMP:(0):Acceptable atts:life: 0
    *Apr 16 13:02:06.739: ISAKMP:(0):Fill atts in sa vpi_length:4
    *Apr 16 13:02:06.739: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    *Apr 16 13:02:06.739: ISAKMP:(0):Returning Actual lifetime: 86400
    *Apr 16 13:02:06.739: ISAKMP:(0):Started lifetime timer: 86400.

    *Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
    *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Apr 16 13:02:06.739: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
    *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    *Apr 16 13:02:06.739: ISAKMP (0): vendor ID is NAT-T v7
    *Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
    *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v3
    *Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
    *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v2
    *Apr 16 13:02:06.739: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Apr 16 13:02:06.739: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

    *Apr 16 13:02:06.739: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    *Apr 16 13:02:06.739: ISAKMP:(0): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_SA_SETUP
    *Apr 16 13:02:06.739: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Apr 16 13:02:06.739: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Apr 16 13:02:06.739: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

    *Apr 16 13:02:06.995: ISAKMP (0): received packet from 80.227.xx.xx dport 500 sport 1 Global (R) MM_SA_SETUP
    *Apr 16 13:02:06.995: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Apr 16 13:02:06.999: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

    *Apr 16 13:02:06.999: ISAKMP:(0): processing KE payload. message ID = 0
    *Apr 16 13:02:07.027: ISAKMP:(0): processing NONCE payload. message ID = 0
    *Apr 16 13:02:07.027: ISAKMP:(0):found peer pre-shared key matching 80.227.xx.xx
    *Apr 16 13:02:07.027: ISAKMP:(2028): processing vendor id payload
    *Apr 16 13:02:07.027: ISAKMP:(2028): vendor ID is DPD
    *Apr 16 13:02:07.027: ISAKMP:(2028): processing vendor id payload
    *Apr 16 13:02:07.027: ISAKMP:(2028): speaking to another IOS box!
    *Apr 16 13:02:07.027: ISAKMP:(2028): processing vendor id payload
    *Apr 16 13:02:07.027: ISAKMP:(2028): vendor ID seems Unity/DPD but major 241 mismatch
    *Apr 16 13:02:07.027: ISAKMP:(2028): vendor ID is XAUTH
    *Apr 16 13:02:07.027: ISAKMP: received payload type 20
    *Apr 16 13:02:07.027: ISAKMP (2028): NAT found, both nodes inside NAT
    *Apr 16 13:02:07.027: ISAKMP: received payload type 20
    *Apr 16 13:02:07.027: ISAKMP (2028): NAT found, both nodes inside NAT
    *Apr 16 13:02:07.027: ISAKMP:(2028):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Apr 16 13:02:07.027: ISAKMP:(2028):Old State = IKE_R_MM3  New State = IKE_R_MM3

    *Apr 16 13:02:07.027: ISAKMP:(2028): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_KEY_EXCH
    *Apr 16 13:02:07.027: ISAKMP:(2028):Sending an IKE IPv4 Packet.
    *Apr 16 13:02:07.027: ISAKMP:(2028):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Apr 16 13:02:07.027: ISAKMP:(2028):Old State = IKE_R_MM3  New State = IKE_R_MM4

    ETH-CIT#
    ETH-CIT#
    *Apr 16 13:02:17.027: ISAKMP:(2028): retransmitting phase 1 MM_KEY_EXCH...
    *Apr 16 13:02:17.027: ISAKMP (2028): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    *Apr 16 13:02:17.027: ISAKMP:(2028): retransmitting phase 1 MM_KEY_EXCH
    *Apr 16 13:02:17.027: ISAKMP:(2028): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_KEY_EXCH
    *Apr 16 13:02:17.027: ISAKMP:(2028):Sending an IKE IPv4 Packet.
    Logs on the Site-A router:

    *Apr 16 13:15:28.109: ISAKMP (1263): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Apr 16 13:15:28.109: ISAKMP:(1263): phase 1 packet is a duplicate of a previous packet.
    *Apr 16 13:15:28.109: ISAKMP:(1263): retransmitting due to retransmit phase 1
    *Apr 16 13:15:28.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH...
    *Apr 16 13:15:28.609: ISAKMP (1263): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    *Apr 16 13:15:28.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH
    *Apr 16 13:15:28.609: ISAKMP:(1263): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
    *Apr 16 13:15:28.609: ISAKMP:(1263):Sending an IKE IPv4 Packet.
    DXB-CIT#
    *Apr 16 13:15:38.109: ISAKMP (1263): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Apr 16 13:15:38.109: ISAKMP:(1263): phase 1 packet is a duplicate of a previous packet.
    *Apr 16 13:15:38.109: ISAKMP:(1263): retransmitting due to retransmit phase 1
    *Apr 16 13:15:38.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH...
    *Apr 16 13:15:38.609: ISAKMP (1263): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
    *Apr 16 13:15:38.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH
    *Apr 16 13:15:38.609: ISAKMP:(1263): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
    *Apr 16 13:15:38.609: ISAKMP:(1263):Sending an IKE IPv4 Packet.
    DXB-CIT#
    *Apr 16 13:15:47.593: ISAKMP: set new node 0 to QM_IDLE
    *Apr 16 13:15:47.593: ISAKMP:(1263):SA is still budding. Attached new ipsec request to it. (local 80.227.xx.xx, remote 197.156.xx.xx)
    *Apr 16 13:15:47.593: ISAKMP: Error while processing SA request: Failed to initialize SA
    *Apr 16 13:15:47.593: ISAKMP: Error while processing KMI message 0, error 2.
    *Apr 16 13:15:48.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH...
    *Apr 16 13:15:48.609: ISAKMP:(1263):peer does not do paranoid keepalives.

    *Apr 16 13:15:48.609: ISAKMP:(1263):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 197.156.xx.xx)
    *Apr 16 13:15:48.609: ISAKMP:(1263):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 197.156.xx.xx)
    *Apr 16 13:15:48.609: ISAKMP: Unlocking peer struct 0x23193AD4 for isadb_mark_sa_deleted(), count 0
    *Apr 16 13:15:48.609: ISAKMP: Deleting peer node by peer_reap for 197.156.xx.xx: 23193AD4
    DXB-CIT#
    DXB-CIT#
    *Apr 16 13:15:48.609: ISAKMP:(1263):deleting node 1134682361 error FALSE reason "IKE deleted"
    *Apr 16 13:15:48.609: ISAKMP:(1263):deleting node 680913363 error FALSE reason "IKE deleted"
    *Apr 16 13:15:48.609: ISAKMP:(1263):deleting node 1740991762 error FALSE reason "IKE deleted"
    *Apr 16 13:15:48.609: ISAKMP:(1263):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    *Apr 16 13:15:48.609: ISAKMP:(1263):Old State = IKE_I_MM5  New State = IKE_DEST_SA

    DXB-CIT#
    DXB-CIT#sho cry
    DXB-CIT#show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    197.156.XX.XX   80.227.xx.xx    MM_NO_STATE       1263 ACTIVE (deleted)

    IPv6 Crypto ISAKMP SA

    *Apr 16 13:16:17.593: IPSEC(key_engine): request timer fired: count = 2,
      (identity) local= 80.227.xx.xx:0, remote= 197.156.xx.xx:0,
        local_proxy= 192.168.10.0/255.255.255.0/256/0,
        remote_proxy= 192.168.1.0/255.255.255.0/256/0
    *Apr 16 13:16:17.609: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 80.227.xx.xx:500, remote= 197.156.xx.xx:500,
        local_proxy= 192.168.10.0/255.255.255.0/256/0,
        remote_proxy= 192.168.1.0/255.255.255.0/256/0,
        protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
        lifedur= 3600s and 4608000kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    *Apr 16 13:16:17.609: ISAKMP:(0): SA request profile is (NULL)
    *Apr 16 13:16:17.609: ISAKMP: Created a peer struct for 197.156.xx.xx, peer port 500
    *Apr 16 13:16:17.609: ISAKMP: New peer created peer = 0x23193AD4 peer_handle = 0x80001862
    *Apr 16 13:16:17.609: ISAKMP: Locking peer struct 0x23193AD4, refcount 1 for isakmp_initiator
    *Apr 16 13:16:17.609: ISAKMP: local port 500, remote port 500
    *Apr 16 13:16:17.609: ISAKMP: set new node 0 to QM_IDLE
    *Apr 16 13:16:17.609: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 270A2FD0
    *Apr 16 13:16:17.609: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    *Apr 16 13:16:17.609: ISAKMP:(0):found peer pre-shared key matching 197.156.xx.xx
    *Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    *Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-07 ID
    *Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-03 ID
    *Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-02 ID
    *Apr 16 13:16:17.609: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    *Apr 16 13:16:17.609: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

    *Apr 16 13:16:17.609: ISAKMP:(0): beginning Main Mode exchange
    *Apr 16 13:16:17.609: ISAKMP:(0): sending packet to 197.156.xx.xx my_port 500 peer_port 500 (I) MM_NO_STATE
    *Apr 16 13:16:17.609: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Apr 16 13:16:17.865: ISAKMP (0): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_NO_STATE
    *Apr 16 13:16:17.865: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Apr 16 13:16:17.865: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

    *Apr 16 13:16:17.865: ISAKMP:(0): processing SA payload. message ID = 0
    *Apr 16 13:16:17.869: ISAKMP:(0): processing vendor id payload
    *Apr 16 13:16:17.869: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Apr 16 13:16:17.869: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Apr 16 13:16:17.869: ISAKMP:(0):found peer pre-shared key matching 197.156.xx.xx
    *Apr 16 13:16:17.869: ISAKMP:(0): local preshared key found
    *Apr 16 13:16:17.869: ISAKMP : Scanning profiles for xauth ... ciscocp-ike-profile-1
    *Apr 16 13:16:17.869: ISAKMP:(0): Authentication by xauth preshared
    *Apr 16 13:16:17.869: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    *Apr 16 13:16:17.869: ISAKMP:      encryption 3DES-CBC
    *Apr 16 13:16:17.869: ISAKMP:      hash MD5
    *Apr 16 13:16:17.869: ISAKMP:      default group 2
    *Apr 16 13:16:17.869: ISAKMP:      auth pre-share
    *Apr 16 13:16:17.869: ISAKMP:      life type in seconds
    *Apr 16 13:16:17.869: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    *Apr 16 13:16:17.869: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Apr 16 13:16:17.869: ISAKMP:(0):Acceptable atts:actual life: 0
    *Apr 16 13:16:17.869: ISAKMP:(0):Acceptable atts:life: 0
    *Apr 16 13:16:17.869: ISAKMP:(0):Fill atts in sa vpi_length:4
    *Apr 16 13:16:17.869: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    *Apr 16 13:16:17.869: ISAKMP:(0):Returning Actual lifetime: 86400
    *Apr 16 13:16:17.869: ISAKMP:(0):Started lifetime timer: 86400.

    *Apr 16 13:16:17.869: ISAKMP:(0): processing vendor id payload
    *Apr 16 13:16:17.869: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Apr 16 13:16:17.869: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Apr 16 13:16:17.869: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Apr 16 13:16:17.869: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

    *Apr 16 13:16:17.869: ISAKMP:(0): sending packet to 197.156.xx.xx my_port 500 peer_port 500 (I) MM_SA_SETUP
    *Apr 16 13:16:17.869: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Apr 16 13:16:17.869: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Apr 16 13:16:17.869: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

    *Apr 16 13:16:18.157: ISAKMP (0): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_SA_SETUP
    *Apr 16 13:16:18.157: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Apr 16 13:16:18.157: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

    *Apr 16 13:16:18.157: ISAKMP:(0): processing KE payload. message ID = 0
    *Apr 16 13:16:18.181: ISAKMP:(0): processing NONCE payload. message ID = 0
    *Apr 16 13:16:18.181: ISAKMP:(0):found peer pre-shared key matching 197.156.xx.xx
    *Apr 16 13:16:18.181: ISAKMP:(1264): processing vendor id payload
    *Apr 16 13:16:18.181: ISAKMP:(1264): vendor ID is Unity
    *Apr 16 13:16:18.181: ISAKMP:(1264): processing vendor id payload
    *Apr 16 13:16:18.181: ISAKMP:(1264): vendor ID is DPD
    *Apr 16 13:16:18.181: ISAKMP:(1264): processing vendor id payload
    *Apr 16 13:16:18.185: ISAKMP:(1264): speaking to another IOS box!
    *Apr 16 13:16:18.185: ISAKMP: received payload type 20
    *Apr 16 13:16:18.185: ISAKMP (1264): NAT found, both nodes inside NAT
    *Apr 16 13:16:18.185: ISAKMP: received payload type 20
    *Apr 16 13:16:18.185: ISAKMP (1264): NAT found, both nodes inside NAT
    *Apr 16 13:16:18.185: ISAKMP:(1264):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Apr 16 13:16:18.185: ISAKMP:(1264):Old State = IKE_I_MM4  New State = IKE_I_MM4

    *Apr 16 13:16:18.185: ISAKMP:(1264):Send initial contact
    *Apr 16 13:16:18.185: ISAKMP:(1264):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    *Apr 16 13:16:18.185: ISAKMP (1264): ID payload
            next-payload : 8
            type         : 1
            address      : 80.227.xx.xx
            protocol     : 17
            port         : 0
            length       : 12
    *Apr 16 13:16:18.185: ISAKMP:(1264):Total payload length: 12
    *Apr 16 13:16:18.185: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
    *Apr 16 13:16:18.185: ISAKMP:(1264):Sending an IKE IPv4 Packet.
    *Apr 16 13:16:18.185: ISAKMP:(1264):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Apr 16 13:16:18.185: ISAKMP:(1264):Old State = IKE_I_MM4  New State = IKE_I_MM5

    DXB-CIT#
    *Apr 16 13:16:28.157: ISAKMP (1264): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Apr 16 13:16:28.157: ISAKMP:(1264): phase 1 packet is a duplicate of a previous packet.
    *Apr 16 13:16:28.157: ISAKMP:(1264): retransmitting due to retransmit phase 1
    *Apr 16 13:16:28.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH...
    *Apr 16 13:16:28.657: ISAKMP (1264): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    *Apr 16 13:16:28.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH
    *Apr 16 13:16:28.657: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
    DXB-CIT#
    *Apr 16 13:16:28.657: ISAKMP:(1264):Sending an IKE IPv4 Packet.
    DXB-CIT#
    DXB-CIT#
    DXB-CIT#
    DXB-CIT#
    DXB-CIT#
    DXB-CIT#
    DXB-CIT#u all
    All possible debugging has been disabled
    DXB - CIT #.
    DXB - CIT #.
    * 13:16:38.157 Apr 16: ISAKMP (1264): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH 197.156.xx.xx
    * 16 Apr 13:16:38.157: ISAKMP: (1264): package of phase 1 is a duplicate of a previous package.
    * 16 Apr 13:16:38.157: ISAKMP: (1264): retransmission due to phase 1 of retransmission
    * 13:16:38.609 Apr 16: ISAKMP: (1263): purge the node 1134682361
    * 13:16:38.609 Apr 16: ISAKMP: (1263): purge the node 680913363
    * 13:16:38.609 Apr 16: ISAKMP: (1263): purge the node 1740991762
    * 16 Apr 13:16:38.657: ISAKMP: (1264): transmit phase 1 MM_KEY_EXCH...
    * 13:16:38.657 Apr 16: ISAKMP (1264): increment the count of errors on his, try 2 of 5: retransmit the phase 1
    DXB - CIT #.
    DXB - CIT #.
    DXB - CIT #.
    DXB - CIT #.
    * 16 Apr 13:16:38.657: ISAKMP: (1264): transmit phase 1 MM_KEY_EXCH
    * 16 Apr 13:16:38.657: ISAKMP: (1264): package 197.156.xx.xx my_port 4500 peer_port 4500 (I) sending MM_KEY_EXCH
    * 13:16:38.657 Apr 16: ISAKMP: (1264): sending a packet IPv4 IKE.

    Hello,

    your configuration looks correct. I was wondering whether NAT works properly, because I do not see ip nat inside and ip nat outside configured on the router.

    Please check whether ESP (50) is permitted on the modem (probably VPN passthrough) and also try to allow UDP 4500 (IPsec NAT-T).

    Best regards

    Jan

  • VPN site to Site stuck in IKE Phase 1 - MM_WAIT_MSG2

    We have a site-to-site VPN. The tunnel worked before, but after some discussions about the location of ASA_Receiving (no config change was made on the ASA; this ASA is directly connected to the internet) the tunnel will not come back up. The devices can ping each other without problem.

    It is an L2L VPN; I wonder if the line saying "user" is related to the issue?

    ASA_Initiator

    IKE Peer: 71.13.xxx.xxx
        Type    : user            Role    : initiator
        Rekey   : no              State   : MM_WAIT_MSG2

    ASA_Receiving

    # show crypto isakmp sa

    There are no isakmp sas

    Hey,

    is the remote end an ASA as well?

    If so, run the capture below on the ASA:

    capture capout interface <interface> match udp host <local-ip> host <remote-ip>

    The tunnel gets stuck at MM_WAIT_MSG2 for 2 reasons:

    1. either a problem with the Phase 1 policies on the remote end, or

    2. UDP 500 is not reaching the remote end, or the remote end sends the UDP 500 packet back and it cannot reach the local ASA.

    Regards

  • Configuration of VPN - IKE phase 1...

    I have some confusion about the VPN configuration... On my ASA the IKE Phase 1 settings mentioned below are already configured.

    crypto isakmp policy 1
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 43200

    crypto isakmp policy 9
     authentication pre-share
     encryption des
     hash md5
     group 1
     lifetime 86400

    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400

    crypto isakmp policy 30
     authentication pre-share
     encryption des
     hash md5
     group 2
     lifetime 86400

    crypto isakmp nat-traversal 20

    Last week I configured a new L2L VPN. For the IPsec phase I added the lines mentioned below...

    crypto map toremote 20 match address remotevpn2
    crypto map toremote 20 set peer x.x.x.x
    crypto map toremote 20 set transform-set strong
    crypto map toremote 20 set security-association lifetime seconds 28800

    Now my question is: the crypto map seq no 20 does not match any of the IKE Phase 1 seq numbers (1, 9, 10, 30) that are already configured, but the VPN is up and working fine. How does IPsec associate with a particular IKE Phase 1 policy?

    If I want to configure a new VPN with different IKE Phase 1 parameters, like 3DES, SHA1, lifetime 86400, what configuration do I have to do in IKE Phase 1?

    Kind regards

    SOM

    The isakmp policy number and the ipsec policy number do not have to match, either on your ASA or with the other end. They are two distinct phases of negotiation. The ASA will compare your policies with the other end, starting with the lowest policy number, until a match is found.

    I usually put the more secure policies first (i.e. with the lowest policy number).

    To create a new policy, just add it with a new policy number, anywhere you want in the order.
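    To make the ordering rule above concrete, here is an added example (my own, not from the thread) that simulates the responder's policy walk over the four policies from the post; the attribute names, the "des" reading of the garbled encryption line and the lifetime rule are my assumptions.

```python
# Added example (not from the thread): simulate how an IKEv1 responder walks
# its ISAKMP policies, lowest sequence number first, and takes the first one
# whose attributes match what the initiator proposed. Crypto map sequence
# numbers play no part in this, which is the point of the reply above.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class IsakmpPolicy:
    seq: int          # 'crypto isakmp policy <seq>'
    encryption: str   # des / 3des / aes
    hash: str         # md5 / sha
    group: int        # Diffie-Hellman group
    lifetime: int     # seconds
    auth: str = "pre-share"

MATCHED_ATTRS = ("encryption", "hash", "group", "auth")

def negotiate_phase1(local: List[IsakmpPolicy], proposals: List[IsakmpPolicy]
                     ) -> Optional[Tuple[IsakmpPolicy, IsakmpPolicy, int]]:
    """Return (local policy, matching proposal, agreed lifetime), or None.

    Lifetime rule (an assumption, simplified from Cisco's documented
    behaviour): the peer's proposed lifetime must not exceed the local
    policy's, and the shorter of the two is used.
    """
    for pol in sorted(local, key=lambda p: p.seq):       # lowest seq first
        for prop in proposals:
            same = all(getattr(pol, a) == getattr(prop, a) for a in MATCHED_ATTRS)
            if same and prop.lifetime <= pol.lifetime:
                return pol, prop, min(pol.lifetime, prop.lifetime)
    return None

def explain(local, proposals) -> str:
    result = negotiate_phase1(local, proposals)
    if result is None:
        return "no matching Phase 1 policy: add one with the peer's parameters"
    pol, prop, life = result
    return f"local policy {pol.seq} matched peer policy {prop.seq}, lifetime {life}s"

# Constructed sample: the four policies from the post above ('des' is my
# reading of the garbled encryption line) and three hypothetical peers.
ASA_POLICIES = [
    IsakmpPolicy(1, "des", "sha", 2, 43200),
    IsakmpPolicy(9, "des", "md5", 1, 86400),
    IsakmpPolicy(10, "des", "sha", 2, 86400),
    IsakmpPolicy(30, "des", "md5", 2, 86400),
]
PEER_DES_LONG = [IsakmpPolicy(5, "des", "sha", 2, 86400)]   # too long for policy 1
PEER_DES_SHORT = [IsakmpPolicy(5, "des", "sha", 2, 28800)]  # fits policy 1
PEER_3DES = [IsakmpPolicy(5, "3des", "sha", 2, 86400)]      # matches nothing

if __name__ == "__main__":
    for peer in (PEER_DES_LONG, PEER_DES_SHORT, PEER_3DES):
        print(explain(ASA_POLICIES, peer))
```

    Adding a fifth policy with the peer's 3DES/SHA/group 2 parameters under any free sequence number is enough for the last case to match.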

  • VPN Phase 2 error - IPSEC(ipsec_process_proposal): invalid local address

    Folks,

    I have two 1941 routers running 15.2 and I'm trying to set up a site-to-site VPN with digital signatures.

    I can get to a Phase 2 proposal (Phase 1 gets to QM_IDLE), but the Phase 2 proposal is rejected with the error message above.

    Does anyone have any good site-to-site VPN sample configs using 15.2?

    My config is below;

    its mirror is on the remote end.

    Can anyone help me out?

    !
    crypto isakmp policy 10
     encr aes
     group 5
     lifetime 82800
    !
    !
    crypto ipsec transform-set T-TRANSFORM esp-aes esp-sha-hmac
     mode tunnel
    !
    crypto ipsec profile T-PROFILE
     set transform-set T-TRANSFORM
     set pfs group5
    !

    Hello

    Can you check your encryption domain... I mean the local LAN subnet that you used for the site-to-site...

    Here is a site-to-site example along the same lines:

    http://www.firewall.CX/Cisco-technical-Knowledgebase/Cisco-routers/867-c...

    Also, you can look at the example configuration here...

    hostname RTR1
    !
    crypto ikev2 proposal AES256-192-128-PROPOSAL
     encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
     integrity sha1
     group 2
    !
    crypto ikev2 policy IKEv2-POLICY
     proposal AES256-192-128-PROPOSAL
    !
    crypto ikev2 keyring VPN-KEYS
     peer ASA1
      address 10.0.0.2
      pre-shared-key local MyKey1
      pre-shared-key remote MyKey1
    !
    !
    !
    crypto ikev2 profile ASA1
     match identity remote address 10.0.0.2 255.255.255.255
     identity local address 10.0.0.1
     authentication remote pre-share
     authentication local pre-share
     keyring local VPN-KEYS
    !
    !
    !
    crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
     mode tunnel
    !
    !
    !
    crypto map RTR1-ASA1 10 ipsec-isakmp
     set peer 10.0.0.2
     set transform-set ESP-AES256-SHA
     set ikev2-profile ASA1
     match address VPN-TRAFFIC
    !
    !
    !
    !
    !
    interface FastEthernet0/0
     ip address 10.0.0.1 255.255.255.252
     speed auto
     duplex auto
     crypto map RTR1-ASA1
    !
    interface FastEthernet0/1
     ip address 192.168.5.1 255.255.255.0
     speed auto
     duplex auto
    !
    ip route 192.168.1.0 255.255.255.0 10.0.0.2
    !
    ip access-list extended VPN-TRAFFIC
     permit ip 192.168.5.0 0.0.0.255

    Regards

    Knockaert

  • Phase 2 error for a site-to-site VPN

    Dear all,

    We have a site-to-site VPN with a partner; we need to access three different hosts on the partner's network. Phase 1 comes up, but there is a problem with Phase 2 for the three hosts: we can only connect to one host, the others are not connected, and they all share the same settings.

    Below is "show access-list": matching packets are shown, but the connection to the host fails.

    With "show crypto ipsec sa" I saw send errors and I don't know what could be responsible.

    Anybody who can help, please help me; I am exhausted.

    access-list

    10 permit ip host 4.2.3.1 host 4.2.6.22 (647594 matches)
    20 permit ip host 4.2.3.14 host 4.2.6.64 (47794 matches)
    30 permit ip host 41.2.3.37 host 41.2.6.76 (581720 matches)

    show crypto ipsec sa

    local  ident (addr/mask/prot/port): (41.2.3.37/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (4.2.6.76/255.255.255.255/0/0)
    current_peer 4.2.6.24 port 500
      PERMIT, flags={origin_is_acl,}
     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 0, #pkts compr. failed: 0
     #pkts not decompressed: 0, #pkts decompress failed: 0
     #send errors 198, #recv errors 0

     local crypto endpt.: 4.2.3.16, remote crypto endpt.: 4.2.6.24
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

    local  ident (addr/mask/prot/port): (4.2.3.14/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (4.2.6.64/255.255.255.255/0/0)
    current_peer 4.2.6.24 port 500
      PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 0, #pkts compr. failed: 0
     #pkts not decompressed: 0, #pkts decompress failed: 0
     #send errors 508, #recv errors 0

     local crypto endpt.: 4.2.3.16, remote crypto endpt.: 4.2.6.24
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

    Edit: can you post the configuration of both sides of the tunnel? Otherwise re-check the configs on both sides once more.

  • VPN Phase 2 failure

    Hello

    I'm trying to set up a new VPN between Site A and Site B.

    It passes the first phase, but throws an error in the second phase. I will attach the error message.

    The Site A firewall currently has another VPN that works fine, so I suspect the problem lies in the Site B config.

    Thanks in advance

    PFS does not match.

    Site A: you have "crypto map outside_map 2 set pfs group1".

    Site B: you have "crypto map outside_map 4 set pfs" ---> which defaults to pfs group 2

    Change one to match the other.

    Hope that solves the problem.
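    An added example (mine, not from the thread) that checks two crypto map entries for the Phase 2 mismatches raised on this page, including the bare "set pfs" default described above; the entry fields, subnets and transform set names are constructed.

```python
# Added example (not from the thread): compare the crypto map entries of two
# peers for the Phase 2 mismatches discussed on this page: transform set,
# PFS group and a crypto ACL that is not mirrored. Field names are my own.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

Proxy = Tuple[str, str]          # (local subnet, remote subnet) as "addr/len"

# A bare 'set pfs' defaults to group 2 on the ASA, as the reply above notes.
ASA_DEFAULT_PFS_GROUP = 2

def parse_pfs(pfs_cmd: Optional[str]) -> Optional[int]:
    """'set pfs' -> 2, 'set pfs group1' -> 1, no command -> None (PFS off)."""
    if pfs_cmd is None:
        return None
    parts = pfs_cmd.split()
    if len(parts) == 2:                       # 'set pfs' with no group
        return ASA_DEFAULT_PFS_GROUP
    return int(parts[2][len("group"):])

@dataclass(frozen=True)
class CryptoMapEntry:
    name: str
    seq: int
    transform_sets: Tuple[str, ...]           # e.g. "esp-aes esp-sha-hmac"
    pfs_group: Optional[int]
    proxies: FrozenSet[Proxy]                 # from the 'match address' ACL

def phase2_mismatches(a: CryptoMapEntry, b: CryptoMapEntry) -> List[str]:
    """List every reason these two entries cannot agree on a Phase 2 SA."""
    problems = []
    if not set(a.transform_sets) & set(b.transform_sets):
        problems.append(f"no common transform set: {a.transform_sets} vs {b.transform_sets}")
    if a.pfs_group != b.pfs_group:
        problems.append(f"PFS mismatch: {a.name} {a.seq} group {a.pfs_group} "
                        f"vs {b.name} {b.seq} group {b.pfs_group}")
    mirrored = frozenset((remote, local) for local, remote in b.proxies)
    if a.proxies != mirrored:
        problems.append(f"crypto ACL not mirrored: only on A {sorted(a.proxies - mirrored)}, "
                        f"only on B {sorted(mirrored - a.proxies)}")
    return problems

# Constructed sample modelled on the post above: Site A has 'set pfs group1',
# Site B a bare 'set pfs'; the transform sets and proxy IDs already agree.
SITE_A = CryptoMapEntry("outside_map", 2, ("esp-aes esp-sha-hmac",),
                        parse_pfs("set pfs group1"),
                        frozenset({("192.168.10.0/24", "192.168.20.0/24")}))
SITE_B = CryptoMapEntry("outside_map", 4, ("esp-aes esp-sha-hmac",),
                        parse_pfs("set pfs"),
                        frozenset({("192.168.20.0/24", "192.168.10.0/24")}))

if __name__ == "__main__":
    for problem in phase2_mismatches(SITE_A, SITE_B) or ["Phase 2 parameters agree"]:
        print(problem)
```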

  • PIX 515e to VPN 3005 concentrator cannot pass Phase 1

    My VPN access list counters increase, so I know it is correct. I'm testing with ping. Debugs and configurations follow. The remote location is attempting the VPN connection with me. Thanks to all who can help. It fails in the first phase, which means the configuration is messed up, but I can't find a mismatch myself. Maybe I've been looking at this for too long.

    Pix515e config:

    ----------------

    crypto ipsec transform-set aptset esp-des esp-md5-hmac
    crypto map aptmap 10 ipsec-isakmp
    crypto map aptmap 10 match address vpn
    crypto map aptmap 10 set peer yyy.xxx.xxx.131
    crypto map aptmap 10 set transform-set aptset
    crypto map aptmap interface outside
    isakmp enable outside
    isakmp key * address yyy.xxx.xxx.131 netmask 255.255.255.255
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    Debug ipsec, isakmp, ca

    -------------------------

    VPN Peer: ISAKMP: Added new peer: ip:yyy.xxx.xxx.131 Total VPN Peers:1
    VPN Peer: ISAKMP: Peer ip:yyy.xxx.xxx.131 Ref cnt incremented to:1 Total VPN Peers:1
    ISAKMP (0): beginning Main Mode exchange
    ISAKMP (0): retransmitting phase 1...
    IPSEC(key_engine): request timer fired: count = 1,
      (identity) local= zzz.xxx.xxx.226, remote= yyy.xxx.xxx.131,
      local_proxy= 192.168.33.0/255.255.255.0/0/0 (type=4),
      remote_proxy= 192.168.65.0/255.255.255.0/0/0 (type=4)
    ISAKMP (0): retransmitting phase 1...
    ISAKMP (0): deleting SA: src zzz.xxx.xxx.226 dst yyy.xxx.xxx.131
    ISADB: reaper checking SA 0x81377ad8, conn_id = 0  DELETE IT!
    VPN Peer: ISAKMP: Peer ip:yyy.xxx.xxx.131 Ref cnt decremented to:0 Total VPN Peers:1
    VPN Peer: ISAKMP: Deleted peer: ip:yyy.xxx.xxx.131 Total VPN peers:0

    Results of "show crypto isakmp sa"

    -----------------------------------

    Total     : 1
    Embryonic : 1
            dst               src          state      pending   created
    yyy.xxx.xxx.131   zzz.xxx.xxx.226    MM_NO_STATE      0         0

    Error messages on the 3005 concentrator

    ------------------------------------

    57 07/01/2004 11:14:47.640 SEV=4 IKE/48 RPT=23 yyy.xxx.xxx.226
    Error processing payload: Payload ID: 1

    58 07/01/2004 11:15:02.770 SEV=4 IKE/48 RPT=24 yyy.xxx.xxx.226
    Error processing payload: Payload ID: 1

    3005 concentrator LAN-to-LAN settings page

    -----------------------

    Enabled
    Interface: external
    Connection Type: Answer-only
    Peer: yyy.xxx.xxx.226
    Digital Certificate: None (Use Preshared Keys)
    Certificate Transmission: entire certificate chain
    Preshared Key: {same as on the pix}
    Authentication: ESP/MD5/HMAC-128
    Encryption: DES-56
    IKE Proposal: IKE-DES-MD5
    Filter: None
    IPSec NAT-T: unchecked
    Bandwidth Policy: None
    Routing: None

    I noticed that you have a lifetime and a pfs group configured on the pix. The pfs group is 2, which I think will not work with DES, although I'm not positive, as I have only used it with 3des. Diffie-Hellman Group 1 should work with plain DES.

    In any case, recheck the VPN 3000 config to see whether a group and lifetime have been specified in the config. If not, or if you are not sure, then remove the two from the pix and run "clear crypto sa" on the pix. Then try again and let me know what you find.

  • Cannot complete the tunnel (Phase 2) when establishing a site-to-site VPN

    I am trying to establish a site-to-site VPN tunnel between a Cisco 1921 and an ASA.

    I am debugging using:

    debug crypto isakmp

    debug crypto ipsec

    No debug message is coming up on the 1921.

    The following debug message returns constantly on the ASA:

    Jan 15 16:42:55 [IKEv1]: Group = 184.1.126.140, IP = 184.1.126.140, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

    ASA config: http://pastebin.com/raw.php?i=wgTxe3gF

    1921 config: http://pastebin.com/raw.php?i=TEihijEF

    Why won't the two establish a VPN tunnel?

    It's very strange that the ASA brings the tunnel up but the router does not. It seems that the router is waiting for authentication.

    You can add:

    crypto isakmp key address 184.1.96.42 no-xauth

    Can you run debug isakmp and ipsec on the router and post the output?
