IPSEC questions

Good day!

I have a problem with an IPsec site-to-site configuration between two ASAs (8.4).

Scheme of connection

CENTER: (LAN-10.10.0.0/30)-ASA-(WAN-37.203.241.XX)---(WAN-87.245.206.XX) - ASA-(LAN-10.20.34.0/24): SPB

Here are my ASA configs

ASA CENTER

----
object network LocalNet
 subnet 10.10.0.0 255.255.255.252
object network RemoteNet
 subnet 10.20.34.0 255.255.255.0
---
access-list INT_TRAFFIC extended permit ip any 10.20.34.0 255.255.255.0
---
nat (insidelocal,outside) source static LocalNet LocalNet destination static RemoteNet RemoteNet
---
crypto ipsec ikev1 transform-set VPN esp-3des esp-md5-hmac
crypto map TO_SPB 1 match address INT_TRAFFIC
crypto map TO_SPB 1 set peer 87.245.206.XX
crypto map TO_SPB 1 set ikev1 transform-set VPN
crypto map TO_SPB interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
----
tunnel-group 87.245.206.XX type ipsec-l2l
tunnel-group 87.245.206.XX ipsec-attributes
 ikev1 pre-shared-key *****

ASA SPB

----
object network LocalNet
 subnet 10.20.34.0 255.255.255.0
object network RemoteNet
 subnet 10.10.0.0 255.255.255.252
----
access-list INT_TRAFFIC extended permit ip any 10.10.0.0 255.255.255.252
----
nat (inside,outside) source static LocalNet LocalNet destination static RemoteNet RemoteNet
----
crypto ipsec ikev1 transform-set VPN esp-3des esp-md5-hmac
crypto map TO_CENTER 1 match address INT_TRAFFIC
crypto map TO_CENTER 1 set peer 37.203.241.XX
crypto map TO_CENTER 1 set ikev1 transform-set VPN
crypto map TO_CENTER interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
----
tunnel-group 37.203.241.XX type ipsec-l2l
tunnel-group 37.203.241.XX ipsec-attributes
 ikev1 pre-shared-key *****

---

Where is the mistake? Can you please tell me...

Output of the show command on both ASAs:

-----
show crypto ikev1 sa

There are no IKEv1 SAs

-----

Hello

The ACL line

access-list INT_TRAFFIC extended permit ip 10.20.34.0 255.255.255.0 10.10.0.0 255.255.255.252

already includes ICMP, so please remove the ACL line containing "icmp" (take it out of both ASAs):

no access-list INT_TRAFFIC extended permit icmp 10.20.34.0 255.255.255.0 10.10.0.0 255.255.255.252

The Phase 1 status MM_WAIT_MSG6 would indicate that the L2L VPN has not yet come up. At least at the time you took this command, it seems to have been in that state.

This seems to indicate that the "pre-shared key" values do not match. Please check that the PSK is entered correctly on both ASAs. Or maybe replace both PSKs with some simple version just to be able to test the L2L VPN connectivity.

If you have not already enabled ICMP inspection on your firewall, then add "fixup protocol icmp" and retest the traffic.

-Jouni
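A quick way to catch the configuration-level asymmetries in a pair of ASA L2L configs before digging into IKE debugs is to parse both sides and check that the crypto ACLs are mirror images, that the referenced transform sets carry the same algorithms, and that each side's crypto map peer and ipsec-l2l tunnel-group point at the other side's outside address. The script below is an added example (not code from the question or from Jouni); it embeds the CENTER and SPB snippets from the question in standard ASA syntax, with the masked outside addresses replaced by constructed documentation addresses (198.51.100.1 for CENTER, 203.0.113.1 for SPB). It cannot check the pre-shared key or the IKEv1 policy, which the thread's troubleshooting addresses separately.

```python
"""Cross-check two ASA IKEv1 L2L configurations for asymmetries.

Added example, not from the thread. The two snippets are the question's CENTER
and SPB configs; the WAN addresses are constructed stand-ins for the masked ones.
"""
import ipaddress
import re

CENTER_WAN = "198.51.100.1"  # constructed stand-in for 37.203.241.XX
SPB_WAN = "203.0.113.1"      # constructed stand-in for 87.245.206.XX

CENTER = f"""
object network LocalNet
 subnet 10.10.0.0 255.255.255.252
object network RemoteNet
 subnet 10.20.34.0 255.255.255.0
access-list INT_TRAFFIC extended permit ip any 10.20.34.0 255.255.255.0
nat (insidelocal,outside) source static LocalNet LocalNet destination static RemoteNet RemoteNet
crypto ipsec ikev1 transform-set VPN esp-3des esp-md5-hmac
crypto map TO_SPB 1 match address INT_TRAFFIC
crypto map TO_SPB 1 set peer {SPB_WAN}
crypto map TO_SPB 1 set ikev1 transform-set VPN
crypto map TO_SPB interface outside
tunnel-group {SPB_WAN} type ipsec-l2l
"""

SPB = f"""
access-list INT_TRAFFIC extended permit ip any 10.10.0.0 255.255.255.252
nat (inside,outside) source static LocalNet LocalNet destination static RemoteNet RemoteNet
crypto ipsec ikev1 transform-set VPN esp-3des esp-md5-hmac
crypto map TO_CENTER 1 match address INT_TRAFFIC
crypto map TO_CENTER 1 set peer {CENTER_WAN}
crypto map TO_CENTER 1 set ikev1 transform-set VPN
crypto map TO_CENTER interface outside
tunnel-group {CENTER_WAN} type ipsec-l2l
"""


def _addr(tokens):
    """Consume one ACL address spec ('any', 'host A.B.C.D', or 'net mask') -> CIDR string."""
    t = tokens.pop(0)
    if t == "any":
        return "any"
    if t == "host":
        return tokens.pop(0) + "/32"
    return str(ipaddress.IPv4Network((t, tokens.pop(0))))


def parse_asa(text):
    """Extract crypto ACL entries, transform sets, crypto map entries and L2L tunnel-groups."""
    cfg = {"acl": {}, "tset": {}, "map": {}, "l2l": set()}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"access-list (\S+) extended permit (\S+) (.+)", line):
            toks = m.group(3).split()
            cfg["acl"].setdefault(m.group(1), set()).add((m.group(2), _addr(toks), _addr(toks)))
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)", line):
            cfg["tset"][m.group(1)] = tuple(sorted(m.group(2).split()))
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set ikev1 transform-set) (\S+)", line):
            cfg["map"].setdefault((m.group(1), int(m.group(2))), {})[m.group(3)] = m.group(4)
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            cfg["l2l"].add(m.group(1))
    return cfg


def _entry_for_peer(cfg, peer):
    """The crypto map entry whose 'set peer' is the given address, or None."""
    return next((e for e in cfg["map"].values() if e.get("set peer") == peer), None)


def check_pair(a_text, a_wan, b_text, b_wan):
    """Findings for the tunnel between A and B; an empty list means both sides agree."""
    a, b = parse_asa(a_text), parse_asa(b_text)
    ea, eb = _entry_for_peer(a, b_wan), _entry_for_peer(b, a_wan)
    if ea is None or eb is None:
        return [f"no crypto map entry for peer {b_wan if ea is None else a_wan}"]
    findings = []
    if b_wan not in a["l2l"] or a_wan not in b["l2l"]:
        findings.append("tunnel-group of type ipsec-l2l missing for the peer address on one side")
    ts_a = a["tset"].get(ea.get("set ikev1 transform-set"))
    ts_b = b["tset"].get(eb.get("set ikev1 transform-set"))
    if ts_a != ts_b:
        findings.append(f"transform sets differ: {ts_a} vs {ts_b}")
    acl_a = a["acl"].get(ea.get("match address"), set())
    acl_b = b["acl"].get(eb.get("match address"), set())
    mirror_b = {(p, d, s) for p, s, d in acl_b}  # swap src/dst of the peer's ACL
    if acl_a != mirror_b:
        findings.append(f"crypto ACLs are not mirror images: {sorted(acl_a)} vs mirror of peer {sorted(mirror_b)}")
    for side, acl in (("A", acl_a), ("B", acl_b)):
        if any("any" in (s, d) for _, s, d in acl):
            findings.append(f"side {side} uses 'any' in its crypto ACL; the proxy IDs must match the peer exactly")
    return findings


if __name__ == "__main__":
    for f in check_pair(CENTER, CENTER_WAN, SPB, SPB_WAN) or ["no asymmetries found"]:
        print(f)
```

Run against the question's configs it reports that INT_TRAFFIC on CENTER (any -> 10.20.34.0/24) is not the mirror of INT_TRAFFIC on SPB (any -> 10.10.0.0/30); rewriting both ACLs with the two specific subnets, as Jouni's ACL line does, clears every finding.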

Tags: Cisco Security

Similar Questions

  • L2L IPsec question: 0 packets decrypted!

    Hello

    We have implemented an IPsec L2L solution between HQ and remote sites. The latter being a ship, we opted for a dynamic-to-static IPsec L2L solution using two ASAs. However, the solution fails at certain ports. In fact, the tunnel is established and packets are encrypted on the remote ASA. However, no packet is decrypted. HQ does not see any encrypted packets at all. It looks like something between the two is preventing the IPsec packets from reaching HQ...

    How could we make sure that the solution always works regardless of any ACL or NAT between the two?

    Excerpts of the "sh crypto ipsec sa" command output for a positive and a negative result, as well as the configuration of the remote ASA's IPsec.

    Remote-ASA# sh crypto ipsec sa

    interface: outside
        Crypto map tag: CMAP, seq num: 10, local addr: 172.16.1.215

          access-list vpn extended permit ip 10.240.192.0 255.255.255.0 10.0.0.0 255.0.0.0
          local ident (addr/mask/prot/port): (10.240.192.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
          current_peer: 146.40.75.33

          #pkts encaps: 28, #pkts encrypt: 28, #pkts digest: 28
          #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 28, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 172.16.1.215, remote crypto endpt.: 146.40.75.33

    Remote-ASA# sh crypto ipsec sa

    interface: outside
        Crypto map tag: CMAP, seq num: 10, local addr: 168.240.6.11

          access-list vpn extended permit ip 10.240.192.0 255.255.255.0 10.0.0.0 255.0.0.0
          local ident (addr/mask/prot/port): (10.240.192.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
          current_peer: 146.40.75.33

          #pkts encaps: 45, #pkts encrypt: 45, #pkts digest: 45
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 28, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 168.240.6.11, remote crypto endpt.: 146.40.75.33

    Remote-ASA config

    access-list vpn extended permit ip 10.240.192.0 255.255.255.0 10.0.0.0 255.0.0.0
    access-list nonat extended permit ip 10.240.192.0 255.255.255.0 10.0.0.0 255.0.0.0

    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0

    crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map CMAP 10 match address vpn
    crypto map CMAP 10 set pfs group1
    crypto map CMAP 10 set peer 146.40.75.33
    crypto map CMAP 10 set transform-set esp-3des-sha
    crypto map CMAP 10 set phase1-mode aggressive group1
    crypto map CMAP 10 set reverse-route
    crypto map CMAP interface outside
    crypto isakmp identity hostname
    crypto isakmp enable outside
    crypto isakmp policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 1
     lifetime 86400
    no crypto isakmp nat-traversal

    tunnel-group 146.40.75.33 type ipsec-l2l
    tunnel-group 146.40.75.33 ipsec-attributes
     pre-shared-key *****

    Thanks for your help!

    Franc

    Hello

    The first output shows both encrypted and decrypted packets on the remote ASA.

    At that point, was the VPN working fine? What was different?

    The second output shows encrypted packets on the remote ASA but none decrypted.

    You mentioned that the HQ site does not show decrypted packets either.

    It seems that the remote ASA sends the traffic into the tunnel, but it never reaches the HQ site.

    This can happen when there is a routing problem, a NAT problem, or some sort of VPN filter.

    To understand this better, explain what the difference was between the first and the second scenario.

    Federico.

  • IPSec and packet loss: Question

    Hello, hopefully a simple Question :-)

    Can someone tell me what happens when an IPsec packet is lost?

    Is it resent?

    Or are just the TCP packets inside the IPsec tunnel resent?

    I hope someone can help!

    Background: VoIP.

    We have Home office users.

    Some have terrible voice quality, some have perfect quality, even though they all use the same hardware and configurations (different user names/passwords and IP addresses, of course)

    Fraser

    There isn't anything in IPsec that would retransmit a lost packet. It is the native protocol and the end stations that communicate in order to determine if there is packet loss and whether or not to retransmit.

    If I understand your comment correctly that you are dealing with individual users doing VoIP, then beyond the things you mention that are different (user names, passwords and addresses) you are almost certainly dealing with various different service providers / Internet connectivity. It would be interesting to do an extended ping with a large number of ping packets to a user who experiences problems and to one who does not. I suspect that you will see a significant difference in packet loss.

    HTH

    Rick

  • IPSec Transport Mode question

    Hello

    We currently have a tunnel-mode site-to-site VPN linking our corporate network and our DR site to provide secure replication to our DR site. I am doing some firewall changes this weekend that will put an IOS Zone-Based Firewall between the 2 sites (to provide 2 firewalls for the corporate site, creating a DMZ in the middle).

    The corporate site and the DR site are all our own autonomous system, so there is no NAT involved, as all the routes are private. I have a VPN to provide extra protection to each site, because they are both reachable via the Internet (I wanted the thin ACL on each ASA's outside interface) anyway, to my question.

    I am implementing a zone firewall on the border router to provide extra protection. In the zone-pair ACL between my corporate and recovery site, if I change the VPN to transport mode, would these ACEs work?

    Company ASA = 1.1.1.1

    NET company = 10.10.10.0/24

    DR. ASA = 2.2.2.2

    Net DR = 20.20.20.0/24

    permit esp 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
    permit udp host 1.1.1.1 host 2.2.2.2 eq isakmp
    permit esp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
    permit udp host 2.2.2.2 host 1.1.1.1 eq isakmp

    I'm sure that it is correct; however, I wanted a bit of reassurance before I make these changes on Saturday.

    This link describes IPsec as offering a protocol, transport and tunnel mode with these characteristics; what I mean is that the ASA as a Cisco solution does not support transport mode for LAN-to-LAN tunnels.

    Now, since you made me hesitate on my response, I made a quick test connecting 2 ASAs back to back with a LAN-to-LAN tunnel using transport mode. The tunnel came up fine but traffic does not pass, and the reason? The ASA was dropping it because the SA and the classification of the secured traffic must be the peer (as in normal tunnel mode); in our case the ASA received an ESP packet from the internal network of the remote ASA, which does not correspond to the classification, and that is why it was dropped.

    ESP applied and dropped from 11.1.1.2 for outside:10.1.1.2

    Deny inbound protocol 50 src outside:11.1.1.2 dst identity:10.1.1.2

    This message appears after configuring NAT and ACL rules to see if it accepts the traffic:

    IPSEC: Received a non-IPSec (protocol= ESP) packet from 11.1.1.2 to 10.1.1.2.

    So, as you can see, it looks more like a limitation of the platform or something.

    Now, the question I have for you: why the need for transport mode?

  • VPN/IPSec-L2L - Question?

    Hello!

    Recently, I was doing some troubleshooting on a LAN-to-LAN VPN/IPsec connection between a Cisco PIX 515E and a Linux firewall. My question concerns the configuration and not the problem itself.

    The interesting traffic (encrypted traffic) is defined and configured as the PIX LAN (inside) and the remote public IP? Which means that the IKE peer and the interesting remote LAN/IP are the same... and it works!

    Any ideas?

    Thank you

    JP

    As long as you source the packet from the PIX local network to the remote public IP, the tunnel will come up and work fine :-)

    So, if you really look at the traffic flow, you are sourcing traffic from the PIX LAN destined to the remote public IP, which matches the defined access list. Thus, the PIX knows it has to encrypt the traffic and now looks for the crypto endpoints (PIX outside IP and remote public IP) and sends the encrypted packets. So, this configuration works perfectly.

    In fact, the PIX will not allow Telnet to the outside interface of the PIX unless the traffic comes through an IPsec tunnel, and this was one of the setups that gave Telnet access to the outside interface of the PIX: from its LAN to the public IP of the PIX through an IPsec tunnel.

    Kind regards

    Arul

    * Please note all useful messages *.

  • IPsec Site to Site and the question of the IPsec remote access

    Our remote access IPsec is set to 3DES 168-bit encryption.

    If we want to allow a remote user to go out through a tunnel to another site, must the tunnel also use 3DES encryption?

    This tunnel is currently defined by AES.

    If I understand your question the answer is this:

    The VPN client will connect to the ASA with whatever encryption method it chose.

    If the VPN client's traffic then goes through a site-to-site tunnel to another location, it uses the encryption method specified in the site-to-site tunnel.

    This is because the settings for the VPN client apply only when it terminates the VPN on the ASA.

    When the client traffic passes through a different tunnel, the settings for that tunnel apply.

    Hope I answered your question, if not please let me know.

    Federico.

  • Question about the life of the IPSec Security Association

    Hi all

    I'm confused about lifetimes. In one book, they say you should keep the two peers' lifetimes exactly the same, otherwise you cannot establish the tunnel. But I saw another book that says you can use different lifetimes (time interval or byte count), and the two peers will choose the lower one.

    Please help me. Thanks in advance.

    Banlan

    There are two lifetimes involved with IPsec, for the Phase 1 (ISAKMP) and the Phase 2 (IPsec) connections.

    With the Phase 1 tunnel, if the initiator has a longer lifetime than the responder, the responder does not accept the connection, so it is certainly preferable to keep your Phase 1 lifetimes the same.

    For Phase 2, the lifetime will be negotiated to the lower of the two values regardless of who initiates, so it is not serious. It is always advised to keep the lifetimes the same, since you can run into negotiation issues with devices from different vendors.

  • Question of VTI of ipsec.

    Trying to set up an IPsec tunnel, I was reading articles on the web, such as:

    http://www.Cisco.com/en/us/technologies/tk583/TK372/technologies_white_paper0900aecd8029d629.html

    http://www.Cisco.com/en/us/docs/iOS-XML/iOS/sec_conn_vpnips/configuration/XE-3s/sec-IPSec-virt-tunnl.html

    I used to implement IPsec sessions using the crypto map concept.

    So my question is how I can specify the "isakmp policy" that I want to use for Phase 1 when using the tunnel concept.

    Let's assume that I have several IPsec sessions running and I need different isakmp policies; before, I used to do:

    ! USED BY VPN 1
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    !
    ! USED BY VPN 2
    crypto isakmp policy 20
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key XXXXXX address YYYYYY
    crypto isakmp key XXXXXX address YYYYYY
    .
    .
    crypto map CRYPTO 1 ipsec-isakmp
     description "VPN1"
     set peer XXXXXXX
     set transform-set TRAN1
     match address XXX
    ! USING '20' AS THE SEQUENCE NUMBER, POLICY 20 IS ASSIGNED
    crypto map CRYPTO 20 ipsec-isakmp
     description "VPN2"
     set peer XXXXXXX
     set transform-set TRANS2
     match address XXXX

    Any help would be great.

    Thank you.

    The concept of the isakmp policy is the same as before with crypto maps. And you can also mix VPNs with crypto maps and VPNs with VTI on the same router.

    So in your example, if you are the initiator, the two policies (although, as the two are the same, that does not make any sense) are sent to the peer as a proposal and the responder (hopefully) selects one based on priority (lower numbers have higher priority). It is independent of the type of tunnel.

    What often changes in modern deployments is that the PSKs are not configured in the global configuration, but in crypto keyrings that can be mapped by isakmp profiles:

    crypto keyring STATIC-VPN
     pre-shared-key address 198.51.100.10 key cisco1234
     pre-shared-key address 192.0.2.10 key cisco456

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • Questions about implementing an IPsec VPN 887 -> SRP527

    Hey people,

    I have a few problems getting an IPsec tunnel up between a Cisco 887VA router and a Cisco SRP527W router.

    I have a few books and some example materials. I have worked through many combinations of what I had and I'm still finding it a bit hard.

    I look at the debug output and it seems that the policies do not match between the devices:

    Jul 23 05:44:37.759: ISAKMP (0): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (R) MM_NO_STATE
    broute1#
    Jul 23 05:44:57.079: ISAKMP: (0):purging SA., sa=85247558, delme=85247558
    broute1#
    Jul 23 05:45:17.031: ISAKMP (0): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (N) NEW SA
    Jul 23 05:45:17.031: ISAKMP: Created a peer struct for XXX.XXX.XXX.XXX, peer port 500
    Jul 23 05:45:17.035: ISAKMP: New peer created peer = 0x8838C3F8 peer_handle = 0x800021CF
    Jul 23 05:45:17.035: ISAKMP: Locking peer struct 0x8838C3F8, refcount 1 for crypto_isakmp_process_block
    Jul 23 05:45:17.035: ISAKMP: local port 500, remote port 500
    Jul 23 05:45:17.035: ISAKMP: (0):insert sa successfully sa = 8784664
    Jul 23 05:45:17.035: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Jul 23 05:45:17.035: ISAKMP: (0):Old State = IKE_READY  New State = IKE_R_MM1
    Jul 23 05:45:17.035: ISAKMP: (0): processing SA payload. message ID = 0
    Jul 23 05:45:17.035: ISAKMP: (0): processing vendor id payload
    Jul 23 05:45:17.035: ISAKMP: (0): vendor ID seems Unity/DPD but major 0 mismatch
    Jul 23 05:45:17.035: ISAKMP: (0): processing vendor id payload
    Jul 23 05:45:17.035: ISAKMP: (0): vendor ID is DPD
    Jul 23 05:45:17.035: ISAKMP: (0):No pre-shared key with XXX.XXX.XXX.XXX!
    Jul 23 05:45:17.035: ISAKMP : Scanning profiles for xauth ...
    Jul 23 05:45:17.035: ISAKMP: (0):Checking ISAKMP transform 1 against priority 1 policy
    Jul 23 05:45:17.035: ISAKMP:      life type in seconds
    Jul 23 05:45:17.035: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x53
    Jul 23 05:45:17.035: ISAKMP:      encryption DES-CBC
    Jul 23 05:45:17.035: ISAKMP:      hash SHA
    Jul 23 05:45:17.035: ISAKMP:      auth pre-share
    Jul 23 05:45:17.035: ISAKMP:      default group 1
    Jul 23 05:45:17.035: ISAKMP: (0):Encryption algorithm offered does not match policy!
    Jul 23 05:45:17.035: ISAKMP: (0):atts are not acceptable. Next payload is 0
    Jul 23 05:45:17.035: ISAKMP: (0):no offers accepted!
    Jul 23 05:45:17.035: ISAKMP: (0): phase 1 SA policy not acceptable! (local YYY.YYY.YYY.YYY remote XXX.XXX.XXX.XXX)
    Jul 23 05:45:17.035: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
    Jul 23 05:45:17.035: ISAKMP: (0): Failed to construct AG informational message.
    Jul 23 05:45:17.035: ISAKMP: (0): sending packet to XXX.XXX.XXX.XXX my_port 500 peer_port 500 (R) MM_NO_STATE
    Jul 23 05:45:17.035: ISAKMP: (0):Sending an IKE IPv4 Packet.
    Jul 23 05:45:17.035: ISAKMP: (0):peer does not do paranoid keepalives.
    Jul 23 05:45:17.035: ISAKMP: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer XXX.XXX.XXX.XXX)
    Jul 23 05:45:17.035: ISAKMP: (0): processing vendor id payload
    Jul 23 05:45:17.035: ISAKMP: (0): vendor ID seems Unity/DPD but major 0 mismatch
    Jul 23 05:45:17.035: ISAKMP: (0): processing vendor id payload
    Jul 23 05:45:17.035: ISAKMP: (0): vendor ID is DPD
    Jul 23 05:45:17.035: ISAKMP (0): FSM action returned error: 2
    Jul 23 05:45:17.035: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Jul 23 05:45:17.035: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM1
    Jul 23 05:45:17.039: ISAKMP: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer XXX.XXX.XXX.XXX)
    Jul 23 05:45:17.039: ISAKMP: Unlocking peer struct 0x8838C3F8 for isadb_mark_sa_deleted(), count 0
    Jul 23 05:45:17.039: ISAKMP: Deleting peer node by peer_reap for XXX.XXX.XXX.XXX: 8838C3F8
    Jul 23 05:45:17.039: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    Jul 23 05:45:17.039: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_DEST_SA

    Here is a slightly adjusted version of my running config (I left out what I was sure no one would need), and attached are screenshots of the IPsec and IKE policy of the SRP527W.

    version 15.1
    hostname broute1
    !
    logging buffered 65535
    logging console informational
    !
    no aaa new-model
    !
    memory-size iomem 10
    clock timezone EST 10 0
    crypto pki token default removal timeout 0
    !
    ip source-route
    !
    controller VDSL 0
     operating mode adsl2 annex A
    !
    ip ssh version 2
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     lifetime 28800
    crypto isakmp key PRE_SHARED_KEY_FOR_IKE (I_THINK) hostname REMOTE_HOST
    !
    crypto ipsec transform-set JWRE_BW-1 esp-3des esp-sha-hmac
    !
    crypto map JWRE_BW-1 10 ipsec-isakmp
     set peer XXX.XXX.XXX.XXX
     set transform-set JWRE_BW-1
     match address 101
    !
    interface Loopback0
     no ip address
    !
    interface ATM0
     description -Internode ADSL-
     no ip address
     no ip route-cache
     load-interval 30
     no atm ilmi-keepalive
    !
    interface ATM0.1 point-to-point
     no ip route-cache
     pvc 8/35
      tx-ring-limit 3
      encapsulation aal5snap
      pppoe-client dial-pool-number 1
    !
    interface Vlan1
     description Management Interface
     ip address AAA.AAA.AAA.AAA 255.255.255.0
     ip mtu 1452
     ip nat inside
     ip virtual-reassembly in
     no ip route-cache cef
     ip tcp adjust-mss 1420
    !
    interface Dialer1
     description -INTERNODE ADSL-
     mtu 1492
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp chap hostname ADSL_USERNAME
     ppp chap password 7 ADSL_PASSWORD
     ppp ipcp dns request accept
     no cdp enable
     crypto map JWRE_BW-1
    !
    logging trap debugging
    access-list 101 permit ip 192.168.7.0 0.0.0.255 10.0.1.0 0.0.0.255
    dialer-list 1 protocol ip permit

    Some specific questions:

    (1) On the SRP in the example I used (and I have a few SRP -> SRP VPNs working) I see you enter the pre-shared key; I do not see in the examples I've used anything about the IKE pre-shared key on the IOS box. Does anyone have examples where you use the pre-shared key for IKE? I wonder if it is my main problem, as the log clearly says there is no pre-shared key :|

    (2) I used a mish-mash of names between different sections, as on the SRP the naming convention is not the same thing; i.e. which parts of the IPsec negotiation come from the IKE policy section and which from the IPsec policy section. Do the names really matter across the different ends of the VPN?

    (3) I noticed that when I run this command in (config-crypto-map)#:

    set peer FQDN

    it is converted to:

    set peer XXX.XXX.XXX.XXX

    Should it? I want the device to look up the FQDN, as this particular host uses DDNS and does not have a static IP address.

    I could ask a million questions, but I'll leave it there; if anyone can see anything (or can answer Q1 in particular) please let me know.

    Thanks in advance for your time and help, people.

    B

    The IKE policy doesn't seem to match; you must configure the corresponding IKE policy on the router as follows:

    crypto isakmp policy 10
     encr des
     hash sha
     authentication pre-share
     group 1
     lifetime 28800

    For the pre-shared key, use the address instead of the hostname:

    crypto isakmp key <key> address <peer-address>
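    The debug output above already names the failing attribute ("Encryption algorithm offered does not match policy!") and the missing key ("No pre-shared key with ..."), but on a busy router those lines are buried among vendor-ID and state-machine noise. The script below is an added example (not the asker's or the reply's code, nor a Cisco tool): it extracts the Phase 1 attributes the SRP proposed from a `debug crypto isakmp` capture, parses the `crypto isakmp policy` blocks of the router config with IOS's defaults filled in, and reports, per policy, which attribute rejects the proposal. The sample debug lines are modelled on the output quoted above (the peer kept as the thread's XXX placeholder); the config holds the posted policy 1 together with the policy 10 the reply proposes. The regular expressions are assumptions about the debug text format, and lifetime is deliberately not treated as a rejection criterion, since IOS accepts a differing lifetime and uses the shorter value.

```python
"""Triage a 'debug crypto isakmp' capture for an IKEv1 Phase 1 policy mismatch.

Added example, not from the thread or from Cisco. Sample lines are modelled on
the debug quoted in the thread; the peer address keeps the XXX placeholder.
"""
import re

DEBUG = """\
Jul 23 05:45:17.035: ISAKMP: (0):No pre-shared key with XXX.XXX.XXX.XXX!
Jul 23 05:45:17.035: ISAKMP: (0):Checking ISAKMP transform 1 against priority 1 policy
Jul 23 05:45:17.035: ISAKMP:      life type in seconds
Jul 23 05:45:17.035: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x53
Jul 23 05:45:17.035: ISAKMP:      encryption DES-CBC
Jul 23 05:45:17.035: ISAKMP:      hash SHA
Jul 23 05:45:17.035: ISAKMP:      auth pre-share
Jul 23 05:45:17.035: ISAKMP:      default group 1
Jul 23 05:45:17.035: ISAKMP: (0):Encryption algorithm offered does not match policy!
Jul 23 05:45:17.035: ISAKMP: (0):atts are not acceptable. Next payload is 0
"""

# Policy 1 as posted in the running config, plus the policy 10 proposed in the reply.
CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 lifetime 28800
crypto isakmp policy 10
 encr des
 hash sha
 authentication pre-share
 group 1
 lifetime 28800
"""

# Values IOS applies when a policy block omits the command.
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}

# Debug-output spelling of the encryption transform -> config keyword.
ENCR_NAMES = {"DES-CBC": "des", "3DES-CBC": "3des", "AES-CBC": "aes"}

# Assumed shape of the attribute lines in the debug output.
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|auth|default group|life duration \(VPI\) of)\s+(.+?)\s*$")


def parse_proposal(debug):
    """Attributes proposed by the peer, keyed by the config keyword they correspond to."""
    prop = {}
    for line in debug.splitlines():
        m = ATTR_RE.search(line)
        if not m:
            continue
        key, val = m.groups()
        if key == "encryption":
            prop["encr"] = ENCR_NAMES.get(val, val.lower())
        elif key == "hash":
            prop["hash"] = val.lower()
        elif key == "auth":
            prop["authentication"] = val
        elif key == "default group":
            prop["group"] = val
        else:  # lifetime: four big-endian bytes printed as hex words
            prop["lifetime"] = str(int.from_bytes(bytes(int(b, 16) for b in val.split()), "big"))
    return prop


def parse_policies(config):
    """{priority: attributes} for every 'crypto isakmp policy' block, defaults filled in."""
    policies, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            cur = dict(IOS_DEFAULTS)
            policies[int(m.group(1))] = cur
            continue
        m = re.match(r"\s+(encr|hash|authentication|group|lifetime)\s+(\S+)", line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2)
    return policies


def compare(proposal, policies):
    """Per policy (lowest number = highest priority), the attributes that reject the proposal
    as {attr: (proposed, configured)}. Lifetime is excluded: IOS uses the shorter value."""
    return {num: {k: (proposal.get(k), pol[k])
                  for k in ("encr", "hash", "authentication", "group")
                  if proposal.get(k) != pol[k]}
            for num, pol in sorted(policies.items())}


def no_psk_peers(debug):
    """Peers for which the debug reports that no pre-shared key is configured."""
    return re.findall(r"No pre-shared key with (\S+)!", debug)


if __name__ == "__main__":
    proposal = parse_proposal(DEBUG)
    print("peer proposed:", proposal)
    for peer in no_psk_peers(DEBUG):
        print(f"no pre-shared key configured for {peer}")
    for num, diffs in compare(proposal, parse_policies(CONFIG)).items():
        print(f"policy {num}:", "accepts" if not diffs else f"rejects on {diffs}")
```

On the sample capture this reports that policy 1 rejects the proposal on encryption (des offered, 3des configured) while policy 10 accepts it, and that no pre-shared key exists for the peer, which is the two-part diagnosis the reply gives.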

  • Cisco ASA Site to Site VPN IPSEC and NAT question

    Hi people,

    I have a question about a site-to-site IPsec VPN and NAT. Basically, what I want to achieve is the following:

    ASA2 is at HQ and ASA1 is at a remote site. I have no problem setting up a static-to-static IPsec site-to-site VPN between the sites. Hosts residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure NAT with the IPsec VPN so that hosts in 10.1.0.0/16 communicate with hosts in 192.168.1.0/24 using translated addresses.

    Just an example:

    Host N2 (10.1.0.1/16) contacts host N1 192.168.1.5 with destination address, say, 10.23.1.5, not 192.168.1.5 (notice the last byte is the same in this case, .5)

    The translation stays the same for the rest of the communication (host N2 pings destination host N3 at IP 10.23.1.6, not 192.168.1.6; again the last byte is the same)

    It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for a managed services provider where we had our customers set up this way (IPsec site-to-site VPN with NAT, don't know how it was set up)

    Basically we contacted the customer's hosts via the site-to-site VPN, but their real addresses were hidden and we used a translated address range, 10.23.1.0/24 instead of the (real) 192.168.1.0/24; the last byte must be the same.

    Grateful if someone can shed some light on this subject.

    Hello

    OK, so going with the old NAT configuration format

    It seems to me that you could do the following:

    • Configure ASA1 with a Static Policy NAT
      • access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    • Because the above is a Static Policy NAT, the translation will only be done when the destination network is 10.1.0.0/16
    • If you have for example a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the usual PAT configuration should not interfere with each other
    • On the ASA2 side you can configure the usual NAT0 / NAT Exemption for the 10.1.0.0/16 network
      • access-list INSIDE-NONAT remark L2LVPN NONAT
      • access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
      • nat (inside) 0 access-list INSIDE-NONAT
    • You will need to consider that your access-list defining the L2L VPN encrypted traffic must reflect the new NAT network
      • ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0

    I could test this configuration tomorrow to confirm it works, but I would like to know if it works.

    Please rate if this was helpful

    -Jouni

  • SA520 and Question IPSec VPN RVS4000

    Hello

    I installed an IPsec VPN for one of my friends for his company. At his main office, I installed a Cisco SA520, and he uses it to connect devices such as the iPhone and iPad via the IPsec VPN. He uses this because he travels abroad a lot and he has problems with services such as Skype being blocked in some countries. This configuration works very well.

    He also has a Cisco RVS4000, which he would like to install at his place of business in Mexico. He would like to configure the RVS4000 VPN to the SA520 in his office. The SA520 in his office has a static IP address. The RVS4000 in Mexico does not have one.

    Is it possible to set up an IPsec VPN between an SA520 with a static IP address and an RVS4000 that does not have a static IP address? If so, configuration examples would be greatly appreciated.

    Thank you!

    Hi William, simply sign up for a DynDNS account or similar service; the RVS4000 configuration will be the same, except that instead of the IP you would use the DynDNS name.

    -Tom
    Please mark replied messages useful

  • Problem with IPSec VPN ISA500 & login questions (multiple devices)

    I have a Cisco ISA500 that we use for IPsec VPN connections from some Apple products (MacBook Pro and iPad). We can get it to work randomly once in a while, but most of the time it fails during negotiation. Does anyone have suggestions on what I can do to make this work?

    I did test it on my Linux machine and it does not work when I had the default settings configured. I had to change the NAT Traversal to Cisco UDP on the Linux machine for the connection to work.

    2014-04-03 20:54:13 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: quick mode attempt fails, please check if IKE/transformation/PFS local are the same as remote site; (pluto)
    2014-04-03 20:54:13 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: max number of retransmissions (2) reached STATE_AGGR_R1. (pluto)
    2014-04-03 20:53:30 - warning - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: quick mode attempt fails, please check if IKE/transformation/PFS local are the same as remote site; (pluto)
    2014-04-03 20:53:30 - warning - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: max number of retransmissions (2) reached STATE_AGGR_R1. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: STATE_AGGR_R1: sent AR1, expected AI2.; (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 packet: received vendor ID payload [Dead Peer Detection]; (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 packet: received vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]; (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 packet: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]; (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 packet: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth = 107, but already using method 109; (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 packet: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth = 106, but already using method 109; (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 packet: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth = 108, but already using method 109; (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 packet: received Vendor ID payload [RFC 3947] method = 109; (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 packet: received vendor ID payload [Cisco-Unity]; (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 packet: received vendor ID payload [XAUTH]; (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: STATE_AGGR_R1: sent AR1, expected AI2.; (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [Dead Peer Detection]; (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]; (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: regardless of the payload of unknown Vendor ID [16f6ca16e4a4066d83821a0f0aeaa862]; (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02] Vendor ID = 107, but already using method 109; (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02_n] Vendor ID = 106, but already using method 109; (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received meth payload [draft-ietf-ipsec-nat-t-ike-03] Vendor ID = 108, but already using method 109; (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received Vendor ID value = 109 payload [RFC 3947] method; (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [Cisco-Unity]; (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [XAUTH]; (pluto)

    Hi rich,

    What version of firmware did you use before the upgrade? You upgraded to 1.2.19 and now this works?

    Thank you

    Brandon

  • IPsec tunnel question (between Cisco and FortiGate)

    Hi all

    I'm trying to set up an IPsec site-to-site tunnel between 2 different routers (Cisco 3750 and FortiGate 100A) (R1 & Fortigate100A).

    The whole scenario works with the installation.

    But unfortunately the IPsec tunnel (between R1 & Fortigate100A) does not work.

    (Please look at the attached jpg file.)

    The messages received on the routers are shown below:

    Cisco: R1:

    % CRYPTO-6-IKMP_MODE_FAILURE: fast mode processing failed with the peer to 192.168.43.75

    FortiGate 100A:

    IKE 0: none established HIS IKE for informational type of d18e1af773e658b9/192.168.43.195:500->192.168.43.75 Exchange 3 cookie d3695c6cea17475a, don't drop

    IKE 0:Cisco - P1:6899: authentication OK

    IKE 0: none established HIS IKE for informational type of d18e1af78ed17bf9/192.168.43.195:500->192.168.43.75 Exchange 3 cookie 414bd35ab92bc4ef, don't drop

    IKE 0:Cisco - P1:6899:Cisco - P2:14802: failure of negotiating quick mode due to the delay of new attempt

    IKE 0:Cisco - P1:6900: authentication OK

    I configured both routers as follows:

    Cisco:

    HostName:R1

    ISAKMP policy 1

    Hash: sha

    Authentication: pre-shared

    Encryption: AES128

    DH group: 2

    Life 86400

    ISAKMP Key: cisco1 address 192.168.43.75

    Crypto IPsec transform-set RIGHT: esp-aes esp-sha-hmac

    Access-list: 101 permit ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255

    Crypto map R1_to_Fortigate100A 10 ipsec-isakmp

    Set peer: 192.168.43.75

    Match address: 101

    Set transform-set: RIGHT

    Interface fa0/0: crypto map R1_to_Fortigate100A

    FortiGate:

    HostName: Fortigate100A

    Phase 1:

    Preshared key: cisco1

    The remote gateway ip address: 192.168.43.195

    Mode: aggressive

    Accept any peer

    Proposal P1:

    AES128 / SHA1

    AES192 / SHA1

    AES192 / SHA256

    DH: 2

    Keylife: 86400

    Phase 2:

    AES128 / SHA1

    AES192 / SHA1

    AES192 / SHA256

    Keylife: 86400

    Quick mode selector:

    Source address: 10.10.10.0/24

    Destination address: 192.168.43.0/24

    I will be very, very grateful if you could point out my mistakes and a possible solution.

    Happy new year

    Ministry of education

    It has been some time since I messed with a FortiGate, but I would first try changing the remote address of phase 2 to 10.0.0.0/24. If this is the "interesting traffic" statement, it does not match what you have on the Cisco. After that, try changing the phase 1 IKE mode to something other than "aggressive".

    Sent from Cisco Technical Support iPad App

  • Questions: help adding networks to the IPsec tunnel encryption domain

    Good evening everyone,

    I'm looking for help and/or advice regarding adding more networks to the encryption domain of an existing IPsec site-to-site tunnel. Both sides of the tunnel are ASAs. The client on the remote end wants to access more networks on my end. They have already updated their crypto map ACL to include the new networks. When they run "show crypto ipsec sa peer x.x.x.x", it already shows encaps packets attempting to reach my network.

    On my side, I updated my crypto map ACL to reference the 2 new networks, created the double NAT and added the ACL needed to allow the inbound access on the ports they want. When I run "show crypto ipsec sa peer x.x.x.x", the output is NOT updated with the new networks added to the encryption domain. When I run a packet tracer from one of the servers in the new network, the traffic is translated as it should be, but dropped when it hits the outgoing interface for the VPN tunnel.

    Am I missing something here? Do I need to bounce the tunnel so that the new networks are recognized in the SA?

    Thanks in advance.

    Hello

    You must bounce the tunnel when you change the interesting traffic, otherwise the new SA will not be created. It is a little funny that you say the SA is already built on the remote side; an SA cannot be established on only one side. It is like building a new tunnel: if you don't have it on one side, it cannot simply prevail and create the SA entry. In addition, after adding the new networks and bouncing the tunnel, you need to generate traffic to trigger the new SA or you will never see it created. Check your no-NATs and routing and it should work.

    Best regards, please rate.
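    The two threads above fail for the same reason: the crypto ACL on one side has to be the exact mirror of the peer's selectors, entry for entry, or phase 2 never matches and the SA never appears. The following is an added example, not code from any of the posters, that compares an IOS-style crypto ACL with the far side's (source, destination) selectors and lists the entries that have no mirror; it assumes "permit ip" ACEs with wildcard masks on the local side and CIDR pairs on the remote side, and the sample values are taken from the Cisco/FortiGate thread.

```python
import ipaddress

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS address/wildcard pair (10.0.0.0 0.0.0.255) into 10.0.0.0/24."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefix = bin(mask).count("1")
    # Only contiguous wildcards map to a prefix that an IPsec selector can carry.
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)

def parse_ios_ace(ace: str):
    """Parse 'permit ip <src> <wc> <dst> <wc>' into (src_net, dst_net)."""
    parts = ace.split()
    if parts[:2] != ["permit", "ip"] or len(parts) != 6:
        raise ValueError(f"unsupported ACE: {ace}")
    return (wildcard_to_network(parts[2], parts[3]),
            wildcard_to_network(parts[4], parts[5]))

def unmirrored_selectors(local_aces, remote_pairs):
    """Compare the local crypto ACL with the remote side's (src, dst) selectors.

    A remote selector matches only when it is the exact mirror of a local entry
    (remote src == local dst and remote dst == local src). Returns two sorted
    lists: local entries with no mirror, and remote entries with no mirror.
    Both lists empty means phase 2 proxy IDs agree on every entry.
    """
    local = {parse_ios_ace(a) for a in local_aces}
    remote = {(ipaddress.IPv4Network(s), ipaddress.IPv4Network(d))
              for s, d in remote_pairs}
    local_only = sorted(f"{s} -> {d}" for s, d in local if (d, s) not in remote)
    remote_only = sorted(f"{s} -> {d}" for s, d in remote if (d, s) not in local)
    return local_only, remote_only

if __name__ == "__main__":
    # Constructed from the thread: Cisco R1 ACL 101 vs. the FortiGate quick mode selector.
    cisco = ["permit ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255"]
    forti = [("10.10.10.0/24", "192.168.43.0/24")]
    print(unmirrored_selectors(cisco, forti))
```

    Run against the thread's values it reports the FortiGate destination 192.168.43.0/24 as unmirrored; changing it to 10.0.0.0/24, as the reply suggests, makes both lists empty.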

  • IPsec VPN question on RV042

    I have two routers, A and B, which have a VPN between them (via the internet). If my interpretation of the VPN is correct, traffic should be routed across the VPN tunnel only when a client on router A's LAN tries to reach a client or a resource on router B's LAN, or vice versa, correct?

    Traffic destined for a resource outside the LAN should be routed out the router's WAN, correct?

    I ask this question because I have programs (which access the internet) that behave badly when the VPN tunnel is enabled between the two routers. When the tunnel is not enabled, there is no problem.

    Hello Matt, when you use a site-to-site tunnel between RV0XX routers, it is a "split tunnel". The router is supposed to support wildcard masking (full tunnel), but that is a different configuration.

    That being said, your normal traffic flow is as you described. Local traffic from source A requesting local traffic at destination B will use the tunnel, but the internet traffic at each router will be local to the respective site.

    -Tom
