IPSec transform-set
Hi all
My goal is to configure IPsec between two routers in GNS3.
Connectivity is all there, but I do not know why nothing happens when I change the mode of the IPsec transform set!
I expected the connection mode to change, but that is not the case, and no log is displayed in debug mode for the change either! Please help me.
config R1:
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
crypto isakmp key 1212 address 12.12.12.2
!
!
crypto ipsec transform-set ts esp-aes esp-md5-hmac
 mode transport
!
crypto map m1 1 ipsec-isakmp
 set peer 12.12.12.2
 set transform-set ts
 match address 101
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 12.12.12.1 255.255.255.0
 duplex auto
 speed auto
 crypto map m1
!
ip route 0.0.0.0 0.0.0.0 12.12.12.2
!
access-list 101 permit ip any any
config R2:
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
crypto isakmp key 1212 address 12.12.12.1
!
!
crypto ipsec transform-set ts esp-aes esp-md5-hmac
!
crypto map m1 1 ipsec-isakmp
 set peer 12.12.12.1
 set transform-set ts
 match address 101
!
interface Loopback1
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 ip address 12.12.12.2 255.255.255.0
 duplex auto
 speed auto
 crypto map m1
!
ip route 0.0.0.0 0.0.0.0 12.12.12.1
!
access-list 101 permit ip any any
!
All this is maybe also! Please help me ;)
Hi hofo123456,
Can you please explain your problem in brief?
I see that the transform sets are not matching, so that will prevent the VPN tunnel from coming up.
The default value is "mode tunnel", so you may want to configure either "mode tunnel" or "mode transport" on both routers.
NOTE: If you are encrypting traffic from devices behind the routers, then even if you configure transport mode, only tunnel mode will be negotiated.
Kind regards
Dinesh Moudgil
PS: Please rate helpful posts.
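A small model of the phase-2 mode negotiation described in the reply above, added here as an example and not code from the thread or from Cisco. It parses the two transform-set blocks from the question, applies the rule that transport mode is only negotiated for host-to-host traffic between the peers themselves (anything else, including a "permit ip any any" crypto ACL, comes up in tunnel mode), and so shows why changing R1's mode had no visible effect. The host-to-host and both-transport cases are constructed, and the rule that a plain "mode transport" set still accepts a tunnel proposal (only "mode transport require" refuses it) follows IOS documentation rather than anything on this page.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class TransformSet:
    name: str
    transforms: Tuple[str, ...]   # e.g. ("esp-aes", "esp-md5-hmac")
    mode: str = "tunnel"          # IOS default when no ' mode' line follows the set


def parse_transform_sets(config: str) -> Dict[str, TransformSet]:
    """Collect 'crypto ipsec transform-set NAME ...' lines and the indented
    ' mode tunnel|transport' line that may follow each one."""
    sets: Dict[str, TransformSet] = {}
    current: Optional[TransformSet] = None
    for line in config.splitlines():
        m = re.match(r"^crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            current = TransformSet(m.group(1), tuple(m.group(2).split()))
            sets[current.name] = current
            continue
        m = re.match(r"^\s+mode (tunnel|transport)\s*$", line)
        if m and current is not None:
            current.mode = m.group(1)
        elif not line.startswith(" "):      # '!' or any other top-level line closes the set
            current = None
    return sets


def proposed_mode(ts: TransformSet, local_peer: str, remote_peer: str,
                  local_proxy: str, remote_proxy: str) -> str:
    """Transport mode is only proposed when the protected traffic is exactly the
    two peer addresses (host-to-host). Traffic from devices behind the routers,
    or a 'permit ip any any' crypto ACL, is negotiated in tunnel mode regardless."""
    host_to_host = (
        ipaddress.ip_network(local_proxy) == ipaddress.ip_network(f"{local_peer}/32")
        and ipaddress.ip_network(remote_proxy) == ipaddress.ip_network(f"{remote_peer}/32")
    )
    return "transport" if ts.mode == "transport" and host_to_host else "tunnel"


def acceptable_modes(ts: TransformSet) -> Set[str]:
    """A plain 'mode transport' set still accepts a tunnel-mode proposal (only
    'mode transport require' refuses it); a tunnel-mode set accepts tunnel only."""
    return {"tunnel", "transport"} if ts.mode == "transport" else {"tunnel"}


def negotiate(initiator: TransformSet, responder_sets: Dict[str, TransformSet],
              local_peer: str, remote_peer: str,
              local_proxy: str, remote_proxy: str) -> Optional[Tuple[Tuple[str, ...], str]]:
    """Return the (transforms, mode) the responder agrees to, or None when every
    configured set differs in cipher/integrity or refuses the proposed mode."""
    mode = proposed_mode(initiator, local_peer, remote_peer, local_proxy, remote_proxy)
    for ts in responder_sets.values():
        if set(ts.transforms) == set(initiator.transforms) and mode in acceptable_modes(ts):
            return ts.transforms, mode
    return None


# The two transform-set blocks from the thread (R1 has 'mode transport', R2 has none).
R1_CONFIG = """\
crypto ipsec transform-set ts esp-aes esp-md5-hmac
 mode transport
!
"""
R2_CONFIG = """\
crypto ipsec transform-set ts esp-aes esp-md5-hmac
!
"""
R1, R2 = "12.12.12.1", "12.12.12.2"


def thread_case():
    """R1 initiates to R2 with 'access-list 101 permit ip any any' as crypto ACL:
    the proxies are 0.0.0.0/0, so tunnel mode comes up and the 'mode transport'
    line appears to do nothing, which is what the original poster observed."""
    return negotiate(parse_transform_sets(R1_CONFIG)["ts"], parse_transform_sets(R2_CONFIG),
                     R1, R2, "0.0.0.0/0", "0.0.0.0/0")


def host_to_host_case():
    """Constructed variant: crypto ACL narrowed to the two peer addresses.
    R1 now really proposes transport and R2's tunnel-only set rejects it."""
    return negotiate(parse_transform_sets(R1_CONFIG)["ts"], parse_transform_sets(R2_CONFIG),
                     R1, R2, f"{R1}/32", f"{R2}/32")


def both_transport_case():
    """Constructed variant: host-to-host traffic with 'mode transport' on R2 too,
    as the reply suggests (R1's block doubles as the corrected R2 block)."""
    r2 = parse_transform_sets(R1_CONFIG)
    return negotiate(parse_transform_sets(R1_CONFIG)["ts"], r2, R1, R2, f"{R1}/32", f"{R2}/32")


if __name__ == "__main__":
    print("permit ip any any :", thread_case())          # (('esp-aes', 'esp-md5-hmac'), 'tunnel')
    print("host-to-host      :", host_to_host_case())    # None
    print("both transport    :", both_transport_case())  # (('esp-aes', 'esp-md5-hmac'), 'transport')
```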
Similar Questions
-
Many sub-policies and transform sets for a peer with 1 tunnel?
Recently acquired an ASA-heavy company, along with its network administrators. They seem to do some things on the ASA that I don't quite understand, below.
This is a single spoke site, and there is only 1 tunnel for it on the hub. This tunnel calls the transform sets named "ESP-3DES-SHA" and "ESP-3DES-MD5". That said, why have they configured transform sets for AES 256, AES 192 and AES if they only call the 3DES transform sets in the crypto map? The sub-policies further down in the excerpt seem to have something to do with it, but if that were the case, wouldn't you need to call all the configured transform sets in the crypto map to fully use all the sub-policies in this config, since each sub-policy sets the encryption to a different type/method?
Excerpt from the configuration:
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer XX.XXX.XXX.XX
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
Only the transform sets called in the crypto map will be used. Policies will be evaluated by priority until one matching the hub is found. Ideally, it would be the first.
You're right; for the use case you describe, only a single transform set and policy are necessary. Multiples are often a legacy of the default settings and, sometimes, an attempt to standardize every transform set and policy across the ASAs so that no matter where they end up connecting, the necessary building blocks are in the config. However, it produces a lot of unused lines.
-
"the apprentice" crypto transform-set issues
Greetings - I was sort of the backup person, or I guess the "apprentice", to our network administrator, who has recently retired. Same old story: guess who is responsible now for figuring it all out.
We have a pair of 5510s in the main office; the second is a "fail-over" in case number 1 dies.
Our remote offices have 5505s (system image file is disk0:/asa844-1-k8.bin) which connect here LAN-to-LAN via the Internet connection provided to that office by various Internet service providers. Mostly good; some "tunnels" or connections stay up for days, or even weeks or sometimes months, without any problem.
But we have some problem offices where the connection drops fairly regularly, or in one case they often lose the ability to connect to the mainframe connector address here. We have different subnets in our offices; the mainframe and email are provided by the State, or Central IT Enterprise/ITE. Some of our "networks" use public addresses, some private.
Each remote office has its own network. The numbering is based on the accounting office number, not that it really matters.
Thus each remote office has a private 10.252.xxx.xxx scheme where the first xxx is the office number and the last xxx is the range assigned to us, normally broken up with a /27 (255.255.255.224) mask.
That established, a typical office will be 10.252.24.1 - 30 (10.252.24.0 network).
I was thrown into the fire and told to figure out our problem offices. In trying to figure out why things are the way they are, I find things which surprise me. Can't put my finger on it, but it just doesn't feel right.
One topic at a time - I find Cisco documentation that says you can assign a MAXIMUM of 6 transform sets to a crypto map.
HOWEVER, I find more than 6 in the list, 11 actually. I can't understand why so many, and what the heck we even need more than 1 or 2 for anyway. I think they are there because of OS updates over the years; things seemed to simply get added by the update process, and I also think some were added simply because things were tried - thrown in to see if it helps. I hate this.
I want these cleaned up with only the required code left - and in a way I can understand. And if that helps with our connection issues, great, but if not, at least things will be easier to sort through and understand.
This is the area in question for the purposes of this post -
Looking at the small part of our config from a typical remote office ASA5505 that I'll post below - which lines belong or are necessary, and which are foreign and may or must be removed or deleted?
Why 11 transform-set lines?
It said 6 max? (the quote) > After configuring a transform set, you assign it to a crypto map. You can assign up to six transform sets to a crypto map.
----------------------------------------------------------------------
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac (why this?)
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac (10 of them besides the next)
crypto ipsec ikev1 transform-set vpnivrs esp-3des esp-md5-hmac (kind of makes sense - vpnivrs is the 'name' and serves...?)
crypto map ivrsmap 10 match address DESENLOG
crypto map ivrsmap 10 set peer 209.111.111.666 (changed to protect the real address)
crypto map ivrsmap 10 set ikev1 transform-set vpnivrs
crypto map ivrsmap interface outside
crypto isakmp nat-traversal 30
crypto ikev1 enable outside
crypto ikev1 policy 10 (why two of these 'policy' lines?)
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto ikev1 policy 65535 (see above - this is number 2 - why two? what do these do?)
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
--------------------------------------------------------
Some quick stats or tests.
VRAMSASA1# show crypto ikev1 sa
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 209.111.111.666
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
I can provide any additional information that may help.
I have already corrected some problems by turning on NAT-T in offices provided Internet via a DSL modem, as the modem apparently does NAT - the outside interfaces on the 5505s with DSL have 192.168 addresses and the modem has the Internet address, whereas the cable modem sites have a direct public address on the outside interface. Something bothered me on these sites - and I was able to understand what and why. The example configuration above bothers me right now - but I don't know why. Just another public employee trying to make it work properly, having to learn the hard way now...
I apologize if this isn't the correct area to post.
Thank you.
You are welcome.
Regarding your questions A and B - yes to both.
FIRST - make a backup of your configuration. It is a good idea during changes of any kind. If in doubt, back up before and back up after. Do a side-by-side comparison to check your work. (I use ExamDiff to make comparing long text files less prone to human error.)
When you have preshared keys (which appear as hashes when you do a simple "show run"), you must use the following (when recording the output):
terminal pager 0
more system:running-config
The first line will make all output scroll by at once, and the second will print the configuration with the pre-shared keys in plaintext.
-
Why is it that someone would use Authentication Header in a transform set?
I came across a setup that uses an IPSEC transform-set of esp-3des ah-sha-hmac. It is a Cisco router, and it runs inside an MPLS tunnel. Since ESP does everything AH does, is there any good reason to use AH?
I would like to change it, because I haven't fully read the framework.
It's a little strange to see, but not out of the question. ESP has largely supplanted AH because authentication, integrity, and encryption can be handled in one protocol. AH is still valid in this scenario, but people simply do everything with ESP now.
-
Failing L2TP/IPSEC for Android (invalid transform proposal flags -- 0x800)
Hello
I have implemented an L2TP/IPSEC tunnel using a Cisco 1905 router located behind a Cisco ASA FW. This tunnel must be established between the router and mobile devices, mainly iPhones and Androids. For the sake of troubleshooting, I made sure the FW is not in the way (opened all required ports, configured NAT and routes, etc.). It turns out that iPhones correctly establish the tunnel but Androids fail.
Apparently, the problem is in phase 2 of the IPsec protocol, as the debug says:
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): invalid transform proposal flags -- 0x800
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 1024
I tried AES and 3DES in the transform sets, but it just doesn't seem to work.
Can someone help me?
Router: Cisco 1905, image: c1900-universalk9-mz.SPA.150-1.M8.bin
iPhone: 6 (iOS 8.1) and 5 (9.1)
Android: Motorola Moto G (Android 4.4.2)
Mobile device setup:
Type: L2TP/IPSec PSK
Server address:
IPSec preshared key: cisco
username: cisco
password: cisco
Cisco 1905 relevant config:
aaa authentication ppp default local
!
vpdn enable
!
vpdn-group L2TP
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
username cisco password cisco
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 3600
!
!
crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map ipnetconfig-map 10
 set nat demux
 set transform-set ipnetconfig
!
!
crypto map cisco 10 ipsec-isakmp dynamic ipnetconfig-map
!
!
interface GigabitEthernet0/0
 ip address 192.168.0.1 255.255.255.192
 no ip proxy-arp
 duplex auto
 speed auto
 crypto map cisco
!
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 peer default ip address pool poolipnetconfig
 ppp encrypt mppe 40
 ppp authentication ms-chap-v2 pap chap ms-chap
!
ip local pool poolipnetconfig 192.168.1.1 192.168.1.255
Debug:
12:42:30.763 18 Dec: ISAKMP (0): received 200.247.229.53 packet dport 500 sport 50003 Global (N) SA NEWS
12:42:30.763 18 Dec: ISAKMP: created a struct peer 200.247.229.53, peer port 50003
12:42:30.763 18 Dec: ISAKMP: new created position = 0x285F5FBC peer_handle = 0 x 80000018
12:42:30.763 18 Dec: ISAKMP: lock struct 0x285F5FBC, refcount 1 to peer crypto_isakmp_process_block
12:42:30.763 18 Dec: ISAKMP: 500 local port, remote port 50003
12:42:30.763 18 Dec: ISAKMP: (0): insert his with his 28840894 = success
12:42:30.763 18 Dec: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
12:42:30.763 18 Dec: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM118 Dec 12:42:30.763: ISAKMP: (0): treatment ITS payload. Message ID = 0
18 Dec 12:42:30.763: ISAKMP: (0): load useful vendor id of treatment
18 Dec 12:42:30.763: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
12:42:30.763 18 Dec: ISAKMP (0): provider ID is NAT - T RFC 3947
18 Dec 12:42:30.763: ISAKMP: (0): load useful vendor id of treatment
18 Dec 12:42:30.763: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
18 Dec 12:42:30.763: ISAKMP: (0): load useful vendor id of treatment
18 Dec 12:42:30.763: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
18 Dec 12:42:30.763: ISAKMP: (0): provider ID is NAT - T v2
18 Dec 12:42:30.763: ISAKMP: (0): load useful vendor id of treatment
18 Dec 12:42:30.763: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
18 Dec 12:42:30.763: ISAKMP: (0): load useful vendor id of treatment
18 Dec 12:42:30.763: ISAKMP: (0): IKE frag vendor processing id payload
12:42:30.763 18 Dec: ISAKMP: (0): IKE Fragmentation support not enabled
18 Dec 12:42:30.763: ISAKMP: (0): load useful vendor id of treatment
18 Dec 12:42:30.763: ISAKMP: (0): provider ID is DPD
12:42:30.763 18 Dec: ISAKMP: (0): pair found pre-shared key matching 200.247.229.53
18 Dec 12:42:30.763: ISAKMP: (0): pre-shared key local found
12:42:30.763 18 Dec: ISAKMP: analysis of the profiles for xauth...
12:42:30.767 18 Dec: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 10
12:42:30.767 18 Dec: ISAKMP: type of life in seconds
12:42:30.767 18 Dec: ISAKMP: life (basic) of 28800
12:42:30.767 18 Dec: ISAKMP: AES - CBC encryption
12:42:30.767 18 Dec: ISAKMP: keylength 256
12:42:30.767 18 Dec: ISAKMP: pre-shared key auth
12:42:30.767 18 Dec: ISAKMP: SHA hash
12:42:30.767 18 Dec: ISAKMP: group by default 2
12:42:30.767 18 Dec: ISAKMP: (0): free encryption algorithm does not match policy.
12:42:30.767 18 Dec: ISAKMP: (0): atts are not acceptable. Next payload is 3
12:42:30.767 18 Dec: ISAKMP: (0): audit ISAKMP transform 2 against the policy of priority 10
12:42:30.767 18 Dec: ISAKMP: type of life in seconds
12:42:30.767 18 Dec: ISAKMP: life (basic) of 28800
12:42:30.767 18 Dec: ISAKMP: AES - CBC encryption
12:42:30.767 18 Dec: ISAKMP: keylength 256
12:42:30.767 18 Dec: ISAKMP: pre-shared key auth
12:42:30.767 18 Dec: ISAKMP: MD5 hash
12:42:30.767 18 Dec: ISAKMP: group by default 2
12:42:30.767 18 Dec: ISAKMP: (0): free encryption algorithm does not match policy.
12:42:30.767 18 Dec: ISAKMP: (0): atts are not acceptable. Next payload is 3
12:42:30.767 18 Dec: ISAKMP: (0): audit ISAKMP transform 3 against the policy of priority 10
12:42:30.767 18 Dec: ISAKMP: type of life in seconds
12:42:30.767 18 Dec: ISAKMP: life (basic) of 28800
12:42:30.767 18 Dec: ISAKMP: AES - CBC encryption
12:42:30.767 18 Dec: ISAKMP: keylength 128
12:42:30.767 18 Dec: ISAKMP: pre-shared key auth
12:42:30.767 18 Dec: ISAKMP: SHA hash
12:42:30.767 18 Dec: ISAKMP: group by default 2
12:42:30.767 18 Dec: ISAKMP: (0): free encryption algorithm does not match policy.
12:42:30.767 18 Dec: ISAKMP: (0): atts are not acceptable. Next payload is 3
12:42:30.767 18 Dec: ISAKMP: (0): audit ISAKMP transform 4 against the policy of priority 10
12:42:30.767 18 Dec: ISAKMP: type of life in seconds
12:42:30.767 18 Dec: ISAKMP: life (basic) of 28800
12:42:30.767 18 Dec: ISAKMP: AES - CBC encryption
12:42:30.767 18 Dec: ISAKMP: keylength 128
12:42:30.767 18 Dec: ISAKMP: pre-shared key auth
12:42:30.767 18 Dec: ISAKMP: MD5 hash
12:42:30.767 18 Dec: ISAKMP: group by default 2
12:42:30.767 18 Dec: ISAKMP: (0): free encryption algorithm does not match policy.
12:42:30.767 18 Dec: ISAKMP: (0): atts are not acceptable. Next payload is 3
12:42:30.767 18 Dec: ISAKMP: (0): audit ISAKMP transform against the policy of priority 10 5
12:42:30.767 18 Dec: ISAKMP: type of life in seconds
12:42:30.767 18 Dec: ISAKMP: life (basic) of 28800
12:42:30.767 18 Dec: ISAKMP: 3DES-CBC encryption
12:42:30.767 18 Dec: ISAKMP: pre-shared key auth
12:42:30.767 18 Dec: ISAKMP: SHA hash
12:42:30.767 18 Dec: ISAKMP: group by default 2
12:42:30.767 18 Dec: ISAKMP: (0): atts are acceptable. Next payload is 3
12:42:30.767 18 Dec: ISAKMP: (0): Acceptable atts: real life: 3600
12:42:30.767 18 Dec: ISAKMP: (0): Acceptable atts:life: 0
12:42:30.767 18 Dec: ISAKMP: (0): base life_in_seconds:28800
12:42:30.767 18 Dec: ISAKMP: (0): return real life: 3600
12:42:30.767 18 Dec: ISAKMP: (0): timer life Started: 3600.18 Dec 12:42:30.767: ISAKMP: (0): load useful vendor id of treatment
18 Dec 12:42:30.767: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
12:42:30.767 18 Dec: ISAKMP (0): provider ID is NAT - T RFC 3947
18 Dec 12:42:30.767: ISAKMP: (0): load useful vendor id of treatment
18 Dec 12:42:30.767: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
18 Dec 12:42:30.767: ISAKMP: (0): load useful vendor id of treatment
18 Dec 12:42:30.767: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
18 Dec 12:42:30.767: ISAKMP: (0): provider ID is NAT - T v2
18 Dec 12:42:30.767: ISAKMP: (0): load useful vendor id of treatment
18 Dec 12:42:30.767: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
18 Dec 12:42:30.767: ISAKMP: (0): load useful vendor id of treatment
18 Dec 12:42:30.767: ISAKMP: (0): IKE frag vendor processing id payload
12:42:30.767 18 Dec: ISAKMP: (0): IKE Fragmentation support not enabled
18 Dec 12:42:30.767: ISAKMP: (0): load useful vendor id of treatment
18 Dec 12:42:30.767: ISAKMP: (0): provider ID is DPD
12:42:30.767 18 Dec: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
12:42:30.767 18 Dec: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM118 Dec 12:42:30.767: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
18 Dec 12:42:30.767: ISAKMP: (0): lot of 200.247.229.53 sending my_port 500 peer_port 50003 (R) MM_SA_SETUP
12:42:30.767 18 Dec: ISAKMP: (0): sending a packet IPv4 IKE.
12:42:30.767 18 Dec: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
12:42:30.767 18 Dec: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM212:42:31.730 18 Dec: ISAKMP (0): received 200.247.229.53 packet dport 500 sport 50003 Global (R) MM_SA_SETUP
12:42:31.730 18 Dec: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
12:42:31.730 18 Dec: ISAKMP: (0): former State = new State IKE_R_MM2 = IKE_R_MM318 Dec 12:42:31.730: ISAKMP: (0): processing KE payload. Message ID = 0
18 Dec 12:42:31.758: ISAKMP: (0): processing NONCE payload. Message ID = 0
12:42:31.758 18 Dec: ISAKMP: (0): pair found pre-shared key matching 200.247.229.53
12:42:31.758 18 Dec: ISAKMP: receives the payload type 20
12:42:31.758 18 Dec: ISAKMP (1028): NAT found, both nodes inside the NAT
12:42:31.758 18 Dec: ISAKMP: receives the payload type 20
12:42:31.758 18 Dec: ISAKMP (1028): NAT found, both nodes inside the NAT
12:42:31.758 18 Dec: ISAKMP: (1028): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
12:42:31.758 18 Dec: ISAKMP: (1028): former State = new State IKE_R_MM3 = IKE_R_MM318 Dec 12:42:31.758: ISAKMP: (1028): lot of 200.247.229.53 sending my_port 500 peer_port 50003 (R) MM_KEY_EXCH
12:42:31.758 18 Dec: ISAKMP: (1028): sending a packet IPv4 IKE.
12:42:31.758 18 Dec: ISAKMP: (1028): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
12:42:31.758 18 Dec: ISAKMP: (1028): former State = new State IKE_R_MM3 = IKE_R_MM412:42:32.278 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50001 Global (R) MM_KEY_EXCH
12:42:32.278 18 Dec: ISAKMP: (1028): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
12:42:32.278 18 Dec: ISAKMP: (1028): former State = new State IKE_R_MM4 = IKE_R_MM518 Dec 12:42:32.278: ISAKMP: (1028): payload ID for treatment. Message ID = 0
12:42:32.278 18 Dec: ISAKMP (1028): payload ID
next payload: 8
type: 1
address: 10.92.110.15
Protocol: 17
Port: 500
Length: 12
12:42:32.278 18 Dec: ISAKMP: (0): peer games * no * profiles
18 Dec 12:42:32.278: ISAKMP: (1028): HASH payload processing. Message ID = 0
12:42:32.278 18 Dec: ISAKMP: (1028): SA authentication status:
authenticated
12:42:32.278 18 Dec: ISAKMP: (1028): SA has been authenticated with 200.247.229.53
12:42:32.278 18 Dec: ISAKMP: (1028): port detected floating port = 50001
12:42:32.278 18 Dec: ISAKMP: attempts to insert a peer and inserted 192.168.0.1/200.247.229.53/50001/ 285F5FBC successfully.
12:42:32.278 18 Dec: ISAKMP: (1028): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
12:42:32.278 18 Dec: ISAKMP: (1028): former State = new State IKE_R_MM5 = IKE_R_MM512:42:32.278 18 Dec: ISAKMP: (1028): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
12:42:32.278 18 Dec: ISAKMP (1028): payload ID
next payload: 8
type: 1
address: 192.168.0.1
Protocol: 17
Port: 0
Length: 12
12:42:32.278 18 Dec: ISAKMP: (1028): the total payload length: 12
18 Dec 12:42:32.278: ISAKMP: (1028): lot of 200.247.229.53 sending peer_port my_port 4500 50001 (R) MM_KEY_EXCH
12:42:32.278 18 Dec: ISAKMP: (1028): sending a packet IPv4 IKE.
12:42:32.278 18 Dec: ISAKMP: (1028): real life of return: 3600
12:42:32.278 18 Dec: ISAKMP: node set 662318345 to QM_IDLE
12:42:32.278 18 Dec: ISAKMP: (1028): Protocol to send NOTIFIER RESPONDER_LIFETIME 1
SPI 672252680, message ID = 662318345
18 Dec 12:42:32.278: ISAKMP: (1028): lot of 200.247.229.53 sending peer_port my_port 4500 50001 (R) MM_KEY_EXCH
12:42:32.278 18 Dec: ISAKMP: (1028): sending a packet IPv4 IKE.
12:42:32.278 18 Dec: ISAKMP: (1028): purge the node 662318345
12:42:32.278 18 Dec: ISAKMP: phase sending 1 machine life 360012:42:32.278 18 Dec: ISAKMP: (1028): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
12:42:32.278 18 Dec: ISAKMP: (1028): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE12:42:32.278 18 Dec: ISAKMP: (1028): IKE_DPD is enabled, the initialization of timers
12:42:32.282 18 Dec: ISAKMP: (1028): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
12:42:32.282 18 Dec: ISAKMP: (1028): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE12:42:32.834 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50001 Global (R) QM_IDLE
12:42:32.834 18 Dec: ISAKMP: node set-647285005 to QM_IDLE
18 Dec 12:42:32.834: ISAKMP: (1028): HASH payload processing. Message ID =-647285005
18 Dec 12:42:32.834: ISAKMP: (1028): treatment protocol NOTIFIER INITIAL_CONTACT 1
SPI 0, message ID =-647285005, his 28840894 =
12:42:32.834 18 Dec: ISAKMP: (1028): SA authentication status:
authenticated
18 Dec 12:42:32.834: ISAKMP: (1028): process of first contact.
dropping existing phase 1 and 2 with local 192.168.0.1 distance distance 200.247.229.53 port 50001
12:42:32.834 18 Dec: ISAKMP: (1028): node-647285005 error suppression FALSE reason 'informational (en) State 1.
12:42:32.834 18 Dec: ISAKMP: (1028): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
12:42:32.834 18 Dec: ISAKMP: (1028): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE18 Dec 12:42:32.834: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
12:42:34.222 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50004 Global (R) QM_IDLE
12:42:34.222 18 Dec: ISAKMP: node set-725923158 to QM_IDLE
18 Dec 12:42:34.222: ISAKMP: (1028): HASH payload processing. Message ID =-725923158
18 Dec 12:42:34.222: ISAKMP: (1028): treatment ITS payload. Message ID =-725923158
12:42:34.222 18 Dec: ISAKMP: (1028): proposal of IPSec checking 1
12:42:34.222 18 Dec: ISAKMP: turn 1, ESP_AES
12:42:34.222 18 Dec: ISAKMP: attributes of transformation:
12:42:34.222 18 Dec: ISAKMP: type of life in seconds
12:42:34.222 18 Dec: ISAKMP: life of HIS (basic) of 28800
12:42:34.222 18 Dec: ISAKMP: program is 4 (Transport-UDP)
12:42:34.222 18 Dec: ISAKMP: key length is 256
12:42:34.222 18 Dec: ISAKMP: authenticator is HMAC-SHA
12:42:34.222 18 Dec: ISAKMP: (1028): atts are acceptable.
12:42:34.222 18 Dec: ISAKMP: (1028): proposal of IPSec checking 1
12:42:34.222 18 Dec: ISAKMP: turning 2, ESP_AES
12:42:34.222 18 Dec: ISAKMP: attributes of transformation:
12:42:34.222 18 Dec: ISAKMP: type of life in seconds
12:42:34.222 18 Dec: ISAKMP: life of HIS (basic) of 28800
12:42:34.222 18 Dec: ISAKMP: program is 4 (Transport-UDP)
12:42:34.222 18 Dec: ISAKMP: key length is 256
12:42:34.222 18 Dec: ISAKMP: authenticator is HMAC-MD5
12:42:34.222 18 Dec: ISAKMP: (1028): atts are acceptable.
12:42:34.222 18 Dec: ISAKMP: (1028): proposal of IPSec checking 1
12:42:34.222 18 Dec: ISAKMP: turn 3, ESP_AES
12:42:34.222 18 Dec: ISAKMP: attributes of transformation:
12:42:34.222 18 Dec: ISAKMP: type of life in seconds
12:42:34.222 18 Dec: ISAKMP: life of HIS (basic) of 28800
12:42:34.222 18 Dec: ISAKMP: program is 4 (Transport-UDP)
12:42:34.222 18 Dec: ISAKMP: key length is 128
12:42:34.222 18 Dec: ISAKMP: authenticator is HMAC-SHA
12:42:34.222 18 Dec: ISAKMP: (1028): atts are acceptable.
Dec 18 12:42:34.222: ISAKMP:(1028):Checking IPSec proposal 1
Dec 18 12:42:34.222: ISAKMP: transform 4, ESP_AES
Dec 18 12:42:34.222: ISAKMP:   attributes in transform:
Dec 18 12:42:34.222: ISAKMP:      SA life type in seconds
Dec 18 12:42:34.222: ISAKMP:      SA life duration (basic) of 28800
Dec 18 12:42:34.222: ISAKMP:      encaps is 4 (Transport-UDP)
Dec 18 12:42:34.222: ISAKMP:      key length is 128
Dec 18 12:42:34.222: ISAKMP:      authenticator is HMAC-MD5
Dec 18 12:42:34.222: ISAKMP:(1028):atts are acceptable.
Dec 18 12:42:34.222: ISAKMP:(1028):Checking IPSec proposal 1
Dec 18 12:42:34.222: ISAKMP: transform 5, ESP_3DES
Dec 18 12:42:34.222: ISAKMP:   attributes in transform:
Dec 18 12:42:34.222: ISAKMP:      SA life type in seconds
Dec 18 12:42:34.226: ISAKMP:      SA life duration (basic) of 28800
Dec 18 12:42:34.226: ISAKMP:      encaps is 4 (Transport-UDP)
Dec 18 12:42:34.226: ISAKMP:      authenticator is HMAC-SHA
Dec 18 12:42:34.226: ISAKMP:(1028):atts are acceptable.
Dec 18 12:42:34.226: ISAKMP:(1028):Checking IPSec proposal 1
Dec 18 12:42:34.226: ISAKMP: transform 6, ESP_3DES
Dec 18 12:42:34.226: ISAKMP:   attributes in transform:
Dec 18 12:42:34.226: ISAKMP:      SA life type in seconds
Dec 18 12:42:34.226: ISAKMP:      SA life duration (basic) of 28800
Dec 18 12:42:34.226: ISAKMP:      encaps is 4 (Transport-UDP)
Dec 18 12:42:34.226: ISAKMP:      authenticator is HMAC-MD5
Dec 18 12:42:34.226: ISAKMP:(1028):atts are acceptable.
Dec 18 12:42:34.226: ISAKMP:(1028):Checking IPSec proposal 1
Dec 18 12:42:34.226: ISAKMP: transform 7, ESP_DES
Dec 18 12:42:34.226: ISAKMP:   attributes in transform:
Dec 18 12:42:34.226: ISAKMP:      SA life type in seconds
Dec 18 12:42:34.226: ISAKMP:      SA life duration (basic) of 28800
Dec 18 12:42:34.226: ISAKMP:      encaps is 4 (Transport-UDP)
Dec 18 12:42:34.226: ISAKMP:      authenticator is HMAC-SHA
Dec 18 12:42:34.226: ISAKMP:(1028):atts are acceptable.
Dec 18 12:42:34.226: ISAKMP:(1028):Checking IPSec proposal 1
Dec 18 12:42:34.226: ISAKMP: transform 8, ESP_DES
Dec 18 12:42:34.226: ISAKMP:   attributes in transform:
Dec 18 12:42:34.226: ISAKMP:      SA life type in seconds
Dec 18 12:42:34.226: ISAKMP:      SA life duration (basic) of 28800
Dec 18 12:42:34.226: ISAKMP:      encaps is 4 (Transport-UDP)
Dec 18 12:42:34.226: ISAKMP:      authenticator is HMAC-MD5
Dec 18 12:42:34.226: ISAKMP:(1028):atts are acceptable.
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.0.1, remote= 200.247.229.53,
    local_proxy= 201.229.58.242/255.255.255.255/17/1701 (type=1),
    remote_proxy= 200.247.229.53/255.255.255.255/17/0 (type=1),
    protocol= ESP, transform= NONE  (UDP-Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-sha-hmac}
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.0.1, remote= 200.247.229.53,
    local_proxy= 201.229.58.242/255.255.255.255/17/1701 (type=1),
    remote_proxy= 200.247.229.53/255.255.255.255/17/0 (type=1),
    protocol= ESP, transform= NONE  (UDP-Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-md5-hmac}
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.0.1, remote= 200.247.229.53,
    local_proxy= 201.229.58.242/255.255.255.255/17/1701 (type=1),
    remote_proxy= 200.247.229.53/255.255.255.255/17/0 (type=1),
    protocol= ESP, transform= NONE  (UDP-Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes esp-sha-hmac}
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.0.1, remote= 200.247.229.53,
    local_proxy= 201.229.58.242/255.255.255.255/17/1701 (type=1),
    remote_proxy= 200.247.229.53/255.255.255.255/17/0 (type=1),
    protocol= ESP, transform= NONE  (UDP-Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes esp-md5-hmac}
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.0.1, remote= 200.247.229.53,
    local_proxy= 201.229.58.242/255.255.255.255/17/1701 (type=1),
    remote_proxy= 200.247.229.53/255.255.255.255/17/0 (type=1),
    protocol= ESP, transform= NONE  (UDP-Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): invalid transform proposal flags -- 0x800
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 1024
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.0.1, remote= 200.247.229.53,
    local_proxy= 201.229.58.242/255.255.255.255/17/1701 (type=1),
    remote_proxy= 200.247.229.53/255.255.255.255/17/0 (type=1),
    protocol= ESP, transform= NONE  (UDP-Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-3des esp-md5-hmac}
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.0.1, remote= 200.247.229.53,
    local_proxy= 201.229.58.242/255.255.255.255/17/1701 (type=1),
    remote_proxy= 200.247.229.53/255.255.255.255/17/0 (type=1),
    protocol= ESP, transform= NONE  (UDP-Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-des esp-sha-hmac}
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1
Dec 18 12:42:34.226: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.0.1, remote= 200.247.229.53,
    local_proxy= 201.229.58.242/255.255.255.255/17/1701 (type=1),
    remote_proxy= 200.247.229.53/255.255.255.255/17/0 (type=1),
    protocol= ESP, transform= NONE  (UDP-Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-des esp-md5-hmac}
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
Dec 18 12:42:34.226: ISAKMP:(1028): phase 2 SA policy not acceptable! (local 192.168.0.1 remote 200.247.229.53)
Dec 18 12:42:34.226: ISAKMP: set new node 924420306 to QM_IDLE
Dec 18 12:42:34.226: ISAKMP:(1028):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 672251800, message ID = 924420306
Dec 18 12:42:34.226: ISAKMP:(1028): sending packet to 200.247.229.53 my_port 4500 peer_port 50001 (R) QM_IDLE
Dec 18 12:42:34.226: ISAKMP:(1028):Sending an IKE IPv4 Packet.
Dec 18 12:42:34.226: ISAKMP:(1028):purging node 924420306
Dec 18 12:42:34.226: ISAKMP:(1028):deleting node -725923158 error TRUE reason "QM rejected."
Dec 18 12:42:34.226: ISAKMP:(1028):Node -725923158, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Dec 18 12:42:34.226: ISAKMP:(1028):Old State = IKE_QM_READY  New State = IKE_QM_READY
Dec 18 12:42:36.558: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:36.558: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:42:36.558: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:42:36.558: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead 725923158
Dec 18 12:42:40.670: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:40.670: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:42:40.670: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:42:40.670: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead 725923158
Dec 18 12:42:42.566: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:42.566: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:42:42.566: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:42:42.566: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead 725923158
Dec 18 12:42:47.262: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:47.262: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:42:47.262: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:42:47.262: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead 725923158
Dec 18 12:42:49.414: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:49.414: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:42:49.414: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:42:49.414: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead 725923158
Dec 18 12:42:52.466: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:52.466: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:42:52.466: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:42:52.466: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead 725923158
Dec 18 12:42:54.574: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:54.574: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:42:54.574: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:42:54.574: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead 725923158
Dec 18 12:42:58.738: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:42:58.738: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:42:58.738: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:42:58.738: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead 725923158
Dec 18 12:43:00.626: ISAKMP (1028): received packet from 200.247.229.53 dport 4500 sport 50004 Global (R) QM_IDLE
Dec 18 12:43:00.626: ISAKMP:(1028): phase 2 packet is a duplicate of a previous packet.
Dec 18 12:43:00.626: ISAKMP:(1028): retransmitting due to retransmit phase 2
Dec 18 12:43:00.626: ISAKMP:(1028): ignoring retransmission,because phase2 node marked dead 725923158
Dec 18 12:43:04.274: L2X:pak 0 nec vrf tableid
Dec 18 12:43:04.274: L2X: Punting to L2TP control message queue
Dec 18 12:43:04.274: L2X:pak 0 nec vrf tableid
Dec 18 12:43:04.274: L2X: Punting to L2TP control message queue
Dec 18 12:43:04.278: L2TP _:_: ERROR: NULL l2x cc found with handle [32787]
In fact, the main problem is NAT-T, so avoiding the connection through NAT-T should work.
The closure solution seems to be a possible workaround.
Enjoy the holidays!
-Randy-
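As an added example (not code from the thread), the following Python script parses quick-mode debug output of the kind shown above and reports, for each proposal the peer offered, whether a configured transform-set shares its algorithms, so that a remaining rejection can be attributed to encapsulation (the peer asks for Transport-UDP) rather than to ciphers. The debug excerpt and the transform-set table inside it are constructed, modelled on this thread's router; the exact message spacing is an assumption.

```python
"""Parse Cisco IOS quick-mode (IKE phase 2) debug output: which ESP transforms the
peer offered, which proposals the router rejected and why, and whether a configured
transform-set shares a rejected proposal's algorithms (then the remaining difference
is the encapsulation, transport vs tunnel, rather than the ciphers)."""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the thread's 'debug crypto isakmp' /
# 'debug crypto ipsec' output; exact message spacing is an assumption.
SAMPLE_DEBUG = """\
Dec 18 12:42:34.222: ISAKMP: transform 4, ESP_AES
Dec 18 12:42:34.222: ISAKMP:   attributes in transform:
Dec 18 12:42:34.222: ISAKMP:      SA life type in seconds
Dec 18 12:42:34.222: ISAKMP:      encaps is 4 (Transport-UDP)
Dec 18 12:42:34.222: ISAKMP:      key length is 128
Dec 18 12:42:34.222: ISAKMP:      authenticator is HMAC-MD5
Dec 18 12:42:34.222: ISAKMP:(1028):atts are acceptable.
Dec 18 12:42:34.226: ISAKMP: transform 5, ESP_3DES
Dec 18 12:42:34.226: ISAKMP:   attributes in transform:
Dec 18 12:42:34.226: ISAKMP:      encaps is 4 (Transport-UDP)
Dec 18 12:42:34.226: ISAKMP:      authenticator is HMAC-SHA
Dec 18 12:42:34.226: ISAKMP:(1028):atts are acceptable.
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes esp-md5-hmac}
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): invalid transform proposal flags -- 0x800
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 1024
Dec 18 12:42:34.226: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-3des esp-sha-hmac}
Dec 18 12:42:34.226: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
Dec 18 12:42:34.226: ISAKMP:(1028): phase 2 SA policy not acceptable! (local 192.168.0.1 remote 200.247.229.53)
"""

# Constructed: the responder's transform-sets as 'show crypto ipsec transform-set'
# would list them, name -> (algorithms exactly as IOS prints them, mode).
ROUTER_TRANSFORM_SETS = {"ts": ("esp-aes esp-md5-hmac", "tunnel")}


@dataclass
class OfferedTransform:
    number: int
    cipher: str               # ESP_AES, ESP_3DES, ESP_DES
    encaps: str = ""          # e.g. Transport-UDP (transport mode behind NAT-T)
    key_length: int = 0       # 0 when the transform carries no key-length attribute
    authenticator: str = ""   # HMAC-MD5 or HMAC-SHA


@dataclass
class Rejection:
    identity: str             # algorithms from the braces line, "" for a flags rejection
    reason: str
    error: int


TRANSFORM_RE = re.compile(r"ISAKMP: transform (\d+), (\S+)")
ATTR_RES = {
    "encaps": re.compile(r"encaps is \d+ \((\S+)\)"),
    "key_length": re.compile(r"key length is (\d+)"),
    "authenticator": re.compile(r"authenticator is (\S+)"),
}
REASON_RE = re.compile(r"IPSEC\(ipsec_process_proposal\): (.*)$")
IDENTITY_RE = re.compile(r"^\s*\{([^}]*)\}")
ERROR_RE = re.compile(r"IPSec policy invalidated proposal with error (\d+)")


def parse_debug(text):
    """Return (offered transforms, rejections) in the order they appear."""
    transforms, rejections = [], []
    current, reason, identity = None, None, ""
    for line in text.splitlines():
        if m := TRANSFORM_RE.search(line):
            current = OfferedTransform(int(m.group(1)), m.group(2))
            transforms.append(current)
        elif m := REASON_RE.search(line):
            reason, identity = m.group(1).strip().rstrip(":"), ""
        elif reason and (m := IDENTITY_RE.match(line)):
            identity = " ".join(m.group(1).split())
        elif reason and (m := ERROR_RE.search(line)):
            rejections.append(Rejection(identity, reason, int(m.group(1))))
            reason, identity = None, ""
        elif current is not None:
            for attr, rx in ATTR_RES.items():
                if m := rx.search(line):
                    setattr(current, attr, int(m.group(1)) if attr == "key_length" else m.group(1))
    return transforms, rejections


def diagnose(transforms, rejections, configured):
    """One finding per rejection. 'mode-mismatch': a configured set has the same
    algorithms, so what differs is the peer's encapsulation versus the set's mode."""
    offered_encaps = sorted({t.encaps for t in transforms if t.encaps})
    findings = []
    for rej in rejections:
        if not rej.identity:
            findings.append({"kind": "flags", "detail": rej.reason, "error": rej.error})
            continue
        names = [n for n, (algs, _mode) in configured.items() if algs == rej.identity]
        if not names:
            findings.append({"kind": "no-transform-set", "identity": rej.identity, "error": rej.error})
            continue
        mode = configured[names[0]][1]
        kind = "other" if all(e.lower().startswith(mode) for e in offered_encaps) else "mode-mismatch"
        findings.append({"kind": kind, "identity": rej.identity, "transform_set": names[0],
                         "configured_mode": mode, "offered_encaps": offered_encaps, "error": rej.error})
    return findings


if __name__ == "__main__":
    offered, rejected = parse_debug(SAMPLE_DEBUG)
    print(f"peer offered {len(offered)} transforms; router rejected {len(rejected)} proposals")
    for finding in diagnose(offered, rejected, ROUTER_TRANSFORM_SETS):
        print(finding)
```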
-
peer found setting up ipsec tunnel
I'm trying to configure the VPN between a PIX 6.3(5) and an ASA 7.2(4). Everything looks good to me and I can't understand why the tunnel doesn't come up.
PIX
--------------------------------------
access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.10.134.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.10.130.20 255.255.255.254
access-list inside_outbound_nat0_acl permit ip 10.10.132.0 255.255.255.0 10.10.130.20 255.255.255.254
access-list inside_outbound_nat0_acl permit ip 10.10.132.0 255.255.255.0 10.10.134.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.220.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.10.130.160 255.255.255.248
access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.220.3.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.220.252.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.220.248.0 255.255.252.0
access-list outside_cryptomap_20 permit ip 10.10.130.0 255.255.255.0 10.10.134.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.10.130.0 255.255.255.0 10.220.0.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.10.130.0 255.255.255.0 10.220.3.0 255.255.255.0
access-list outside_cryptomap_20 permit 
 ip 10.10.130.0 255.255.255.0 10.220.252.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.10.130.0 255.255.255.0 10.220.248.0 255.255.252.0
access-list outside_cryptomap_dyn_20 permit ip any 10.10.130.20 255.255.255.254
access-list outside_cryptomap_40 permit ip 10.10.130.0 255.255.255.0 10.10.134.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 10.10.132.0 255.255.255.0 10.10.134.0 255.255.255.0
access-list lscctx_splitTunnelAcl permit ip 10.10.130.0 255.255.255.0 any
access-list outside_cryptomap_dyn_40 permit ip any 10.10.130.160 255.255.255.248
access-list outside_cryptomap_dyn_60 permit ip any 10.130.254.0 255.255.255.0
access-list outside_cryptomap_60 permit ip 10.10.130.0 255.255.255.0 10.130.16.0 255.255.255.0
access-list outside_cryptomap_60 permit ip 10.10.132.0 255.255.255.0 10.130.16.0 255.255.255.0
access-list outside_cryptomap_60 permit ip 10.10.134.0 255.255.255.0 10.130.16.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 208.77.70.98
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_40
crypto map outside_map 60 set peer 10.130.254.6
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key * address 66.15.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key * address 208.125.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key * address 209.125.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key * address 12.49.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key * address 208.77.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key * address 10.130.254.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key * address 10.130.254.6 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 60
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
ASA
--------------------------
access-list OUTSIDE_CRYPTOMAP extended permit ip 10.130.16.0 255.255.255.0 10.10.130.0 255.255.255.0
access-list OUTSIDE_CRYPTOMAP extended permit ip 10.130.16.0 255.255.255.0 10.10.132.0 255.255.255.0
access-list OUTSIDE_CRYPTOMAP extended permit ip 10.130.16.0 255.255.255.0 10.10.134.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map OUTSIDE_MAP 1 match address OUTSIDE_CRYPTOMAP
crypto map OUTSIDE_MAP 1 set peer 10.10.133.10
crypto map OUTSIDE_MAP 1 set transform-set ESP-3DES-MD5
crypto map OUTSIDE_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 10.10.133.10 type ipsec-l2l
tunnel-group 10.10.133.10 ipsec-attributes
 pre-shared-key *
!
!
PIX debug
------------------------------------
CT-PIX#
crypto_isakmp_process_block:src:10.130.254.6, dest:10.10.133.10 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      default group 2
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      default group 2
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 40 policy
ISAKMP:      default group 2
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:10.130.254.6, dest:10.10.133.10 spt:500 dpt:500
VPN Peer: ISAKMP: Peer Info for 10.130.254.6/500 not found - peers:0
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
crypto_isakmp_process_block:src:10.130.254.6, dest:10.10.133.10 spt:500 dpt:500
VPN Peer: ISAKMP: Peer Info for 10.130.254.6/500 not found - peers:0
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (3)...
crypto_isakmp_process_block:src:10.130.254.6, dest:10.10.133.10 spt:500 dpt:500
VPN Peer: ISAKMP: Peer Info for 10.130.254.6/500 not found - peers:0
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (4)...
ISAKMP (0): deleting SA: src 10.130.254.6, dst 10.10.133.10
ISADB: reaper checking SA 0x1143144, conn_id = 0  DELETE IT!
VPN Peer: ISAKMP: Peer Info for 10.130.254.6/500 not found - peers:0
ASA debug
--------------------------------------
CT-STEPHEN-ASA# Jul 18 20:08:23 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 18 20:08:23 [IKEv1]: IP = 10.10.133.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 10.10.133.10  local Proxy Address 10.130.16.0, remote Proxy Address 10.10.130.0,  Crypto map (OUTSIDE_MAP)
Jul 18 20:08:23 [IKEv1 DEBUG]: IP = 10.10.133.10, constructing ISAKMP SA payload
Jul 18 20:08:23 [IKEv1 DEBUG]: IP = 10.10.133.10, constructing Fragmentation VID + extended capabilities payload
Jul 18 20:08:23 [IKEv1]: IP = 10.10.133.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
SENDING PACKET to 10.10.133.10
ISAKMP Header
  Initiator COOKIE: 28 31 24 50 42 4-5 ba has
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 108
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 56
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 44
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: MD5
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e e8 85 25 e7 7f 00 c2 d3 d6 bc
      c0 00 00 00
Jul 18 20:08:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 18 20:08:25 [IKEv1]: IP = 10.10.133.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 18 20:08:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 18 20:08:27 [IKEv1]: IP = 10.10.133.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 18 20:08:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 18 20:08:29 [IKEv1]: IP = 10.10.133.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 18 20:08:31 [IKEv1]: IP = 10.10.133.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
ISAKMP Header
  Initiator COOKIE: 28 31 24 50 42 4-5 ba has
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 108
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 56
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 44
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: MD5
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e e8 85 25 e7 7f 00 c2 d3 d6 bc
      c0 00 00 00
Jul 18 20:08:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 18 20:08:31 [IKEv1]: IP = 10.10.133.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 18 20:08:39 [IKEv1]: IP = 10.10.133.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
ISAKMP Header
  Initiator COOKIE: 28 31 24 50 42 4-5 ba has
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 108
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 56
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 44
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: MD5
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e e8 85 25 e7 7f 00 c2 d3 d6 bc
      c0 00 00 00
Jul 18 20:08:47 [IKEv1]: IP = 10.10.133.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
ISAKMP Header
  Initiator COOKIE: 28 31 24 50 42 4-5 ba has
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 108
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 56
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 44
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: MD5
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e e8 85 25 e7 7f 00 c2 d3 d6 bc
      c0 00 00 00
Jul 18 20:08:55 [IKEv1 DEBUG]: IP = 10.10.133.10, IKE MM Initiator FSM error history (struct &0x1d24750)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jul 18 20:08:55 [IKEv1 DEBUG]: IP = 10.10.133.10, IKE SA MM:50243128 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Jul 18 20:08:55 [IKEv1 DEBUG]: IP = 10.10.133.10, sending delete/delete with reason message
Jul 18 20:08:55 [IKEv1]: IP = 10.10.133.10, Removing peer from peer table failed, no match!
Jul 18 20:08:55 [IKEv1]: IP = 10.10.133.10, Error: Unable to remove PeerTblEntry
Sorry, just trying to think about why it cannot find the peer, with the following error message:
VPN Peer: ISAKMP: Peer Info for 10.130.254.6/500 not found - peers:0
while, in fact, 10.130.254.6 is configured as shown in your post.
The configuration seems correct to me. You might want to try reloading the PIX.
-
Cisco Cisco IPSEC VPN to encrypt but not decrypt
Hello
I have a vpn ipsec problem.
Packets are encapsulated and decapsulated, but only in one direction. I don't understand why.
The VPN is already up on another router; I want to change the router but can't get the VPN to come up on the new router.
Thank you for helping me
PS: Sorry for my English
Hello
I looked at the configuration of your router RT-897VA once again, and I don't know whether the static NAT statements in there are supposed to work or not, but they won't, because you have not specified any inside and outside interfaces. The configuration changes below correspond to the configuration of your router RT; check whether implementing them makes a difference (the changes are indicated in bold):
RT-897VA#show run
Building configuration...

Current configuration : 3933 bytes
!
! Last configuration change at 11:56:34 CET Fri Nov 4 2016
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RT-897VA
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone CET 1 0
!
!
!
!
!
!
ip domain name XXXXX
ip name-server 194.2.0.20
ip name-server 194.2.0.50
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 l2tp tunnel timeout no-session 15
!
!
default value for the field
!
!
!
cts logging verbose
license udi pid C897VA-K9 sn FCZ2030DL
!
!
username itef privilege 15 password 0 ...
!
!
controller VDSL 0
!
ip ssh rsa keypair-name XXX
ip ssh version 2
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cleidentique address IP-WAN-B
!
!
crypto ipsec transform-set toto esp-aes esp-sha-hmac
 mode tunnel
!
!
!
crypto map TUNNEL 1 ipsec-isakmp
 set peer IP-WAN-B
 set transform-set toto
 match address TUNNEL-DATA
crypto map TUNNEL 2 ipsec-isakmp
 set peer IP-WAN-B
 set transform-set toto
 match address TUNNEL-TOIP
!
!
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface Ethernet0
 no ip address
 shutdown
!
interface GigabitEthernet0
 description BOX-SWITCH
 switchport trunk native vlan 101
 switchport mode trunk
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 description WAN
 ip address IP-WAN-A 255.255.255.240
 ip virtual-reassembly in
 ip nat outside
 duplex auto
 speed auto
 crypto map TUNNEL
!
interface Vlan1
 no ip address
!
interface Vlan101
 description VLAN-DATA
 ip address 192.168.101.251 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan111
 description VLAN-TOIP
 ip address 192.168.111.251 255.255.255.0
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source static tcp 192.168.101.2 25 IP 25 extendable
ip nat inside source static tcp 192.168.101.2 80 IP 80 extendable
ip nat inside source static tcp 192.168.101.2 443 IP 443 extendable
ip nat inside source static tcp 192.168.101.31 3201 IP 3201 extendable
ip nat inside source static tcp 192.168.101.31 80 IP 3280 extendable
ip nat inside source static tcp 192.168.101.11 443 IP 33443 extendable
ip nat inside source list NAT interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 XXXX (ADSL router)
ip route 192.168.100.0 255.255.255.0 IP-WAN-B
!
ip access-list extended NAT
 deny   ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.101.0 0.0.0.255 any
ip access-list extended TUNNEL-DATA
 permit ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
ip access-list extended TUNNEL-TOIP
 permit ip 192.168.110.0 0.0.0.255 192.168.111.0 0.0.0.255
!
ip access-list extended TUNNEL-DATA
 permit ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit tcp host 192.168.101.3 192.168.0.0 0.0.0.255 established
ip access-list extended TUNNEL-TOIP
 permit ip 192.168.111.0 0.0.0.255 192.168.110.0 0.0.0.255
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password ...
 login
 transport input telnet ssh
line vty 5 15
 privilege level 15
 password ...
 login
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
!
!
end
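The corrected ACLs in the reply above swap the source and destination of the TUNNEL-TOIP entry so that the local 192.168.111.0/24 is the source. As an added check (not code from the thread), the Python below reads IOS extended ACLs, flags entries that are written from the peer's perspective given the networks that are local to RT-897VA, and derives the mirror entry the peer must carry. The ACL text and the local networks are constructed from the configuration in the post.

```python
"""Check that crypto ACL entries are written from this router's point of view
(local networks as source, remote networks as destination) and derive the
mirror-image entry the peer must carry for each one."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed from the RT-897VA post: the LANs on Vlan101 and Vlan111.
LOCAL_NETWORKS = [ipaddress.ip_network("192.168.101.0/24"),
                  ipaddress.ip_network("192.168.111.0/24")]

# Constructed ACL text: TUNNEL-TOIP as it stood before the reply's change,
# TUNNEL-DATA with the tcp entry the reply adds.
ACL_TEXT = """\
ip access-list extended TUNNEL-DATA
 permit ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit tcp host 192.168.101.3 192.168.0.0 0.0.0.255 established
ip access-list extended TUNNEL-TOIP
 permit ip 192.168.110.0 0.0.0.255 192.168.111.0 0.0.0.255
"""


@dataclass
class AclEntry:
    action: str
    protocol: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    options: str = ""   # trailing keywords such as 'established', kept verbatim


def _take_address(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}")   # ipaddress accepts a hostmask


def parse_acls(text):
    """name -> list of AclEntry for each 'ip access-list extended' block."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip access-list extended (\S+)", line):
            current = acls.setdefault(m.group(1), [])
        elif current is not None and line.startswith(("permit ", "deny ")):
            tokens = line.split()
            action, protocol, rest = tokens[0], tokens[1], tokens[2:]
            src, dst = _take_address(rest), _take_address(rest)
            current.append(AclEntry(action, protocol, src, dst, " ".join(rest)))
    return acls


def check_direction(entry, local_nets):
    """'ok' when the source is one of our networks and the destination is not."""
    src_local = any(entry.src.subnet_of(n) for n in local_nets)
    dst_local = any(entry.dst.subnet_of(n) for n in local_nets)
    if src_local and not dst_local:
        return "ok"
    if dst_local and not src_local:
        return "reversed"          # written from the peer's perspective
    return "local-to-local" if src_local else "source-not-local"


def mirror(entry):
    """The entry the peer needs: same action and protocol, endpoints swapped."""
    return AclEntry(entry.action, entry.protocol, entry.dst, entry.src, entry.options)


def format_entry(entry):
    def fmt(net):
        if net.prefixlen == 0:
            return "any"
        if net.prefixlen == 32:
            return f"host {net.network_address}"
        return f"{net.network_address} {net.hostmask}"
    parts = [entry.action, entry.protocol, fmt(entry.src), fmt(entry.dst)]
    return " ".join(parts + [entry.options] if entry.options else parts)


def audit(text, local_nets):
    """name -> list of (entry, verdict, mirror entry for the peer)."""
    return {name: [(format_entry(e), check_direction(e, local_nets), format_entry(mirror(e)))
                   for e in entries]
            for name, entries in parse_acls(text).items()}


if __name__ == "__main__":
    for name, rows in audit(ACL_TEXT, LOCAL_NETWORKS).items():
        print(name)
        for entry, verdict, peer_entry in rows:
            print(f"  {verdict:17} {entry}\n      peer needs: {peer_entry}")
```

-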
Conversion of an IOS IPsec configuration to IOS XR
We have a working IPsec configuration on IOS:
!
crypto keyring KRING
  pre-shared-key hostname BA2211RA1.ba.caixa key SeCretBA2211RA1
  pre-shared-key hostname BA3618RA1.ba.caixa key SeCretBA3618RA1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp profile ISAPROF
   keyring KRING
   self-identity fqdn
   match identity host domain ba.caixa
   match identity host domain se.caixa
   local-address 10.144.0.15
!
!
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set VPN
 set isakmp-profile ISAPROF
!
crypto map VPN_AG_EBT local-address Loopback21
crypto map VPN_AG_EBT 10 ipsec-isakmp dynamic DYNMAP
!
!
interface Port-channel1.521
 crypto map VPN_AG_EBT
!
Will the IOS XR configuration look like this?
!
crypto keyring KRING
  pre-shared-key hostname
  key
!
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp profile ISAPROF
 keyring KRING
 self-identity fqdn
 match identity host domain
!
crypto ipsec transform-set VPN transform esp-3des esp-sha-hmac
!
crypto ipsec profile VPN_AG_EBT
 set type dynamic
 set pfs group2
 set transform-set VPN
!
interface X/Y
 crypto ipsec VPN_AG_EBT
!
The thing is, parts of the crypto configuration such as keychains are supported because they are used in some authentication methods for routing protocols.
True IPsec isn't on the 9k; the current ucode has no room for this. Next gen, maybe, and we are also working on a blade or an adapter that can help with this.
I'll try to find an official statement that IPsec on the 9k is not supported, but the more I Googled it, the more confused I got, as I also get a lot of things 'suggesting' it should work. I'm working on getting this corrected to disambiguate.
I'll also check with the CRS and XR12K guys what their support for IPsec in hardware is.
Will report back when I hear.
regards
Xander
-
Are there any changes to the IPsec commands in version 15.4?
Hello
I am a beginner engineer.
I have to upgrade from IOS version 12.4(13r)T to 15.4,
but I want to know the difference between the two versions in the IPsec commands.
Thank you.
These are the commands in use:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key friend address 172.1.1.1
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set friend_ts esp-3des esp-sha-hmac
!
crypto map nice_IPSec 10 ipsec-isakmp
 set peer 172.1.1.1
 set transform-set friend_ts
 match address nice
Hi wnsrud0179,
I tried the commands on my router running 15.4(1) and each of them was accepted without problem.
Hope it helps
-Randy-
-
AH transport mode and AH tunnel mode in IPsec
Hello everyone.
I read that IPsec contains two main protocols, among others: AH and ESP.
For now I'm focused on AH only. I read the theory on AH and the two modes AH can work in: transport mode and tunnel mode.
(201.201.201.1) H1 - R1 (199.199.199.1) s0 - s0 (199.199.199.2) R2 - H2 (200.200.200.2)
I would like to implement the following:
Whenever R1 receives an IP packet from H1 to H2, R1 must use AH in transport mode before it sends the packet to R2; in the same way, R2 must use AH in transport mode for packets sent by H2 to H1, before sending them to R1.
I just need an example of how to configure R1 and R2 to accomplish the task above.
Thanks for your help and have a great day.
.
Hi Sara,
Please find the example configuration for the GRE IPsec VPN using transport mode.
(201.201.201.1) H1 - R1 (199.199.199.1) s0 - s0 (199.199.199.2) R2 - H2 (200.200.200.2)
You can use an ACL to restrict to only the ports required for the VPN, such as UDP 500, AH, GRE and UDP 4500, and you can check. I hope this helps.
Also, you can find the site mentioned to better understand the differences between transport and tunnel modes.
R1:
===
version 12.4
!
hostname R1
!
ip cef
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key CISCO address 199.199.199.2
!
crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile MyProfile
 set transform-set MyTransSet
!
interface Tunnel0
 ip address 10.10.10.1 255.255.255.252
 tunnel source 199.199.199.1
 tunnel destination 199.199.199.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyProfile
!
interface Serial0
 ip address 199.199.199.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 199.199.199.2
!
line con 0
line aux 0
line vty 0 4
!
!
end
======================================================================
R2
=====
version 12.4
!
hostname R2
!
!
!
ip cef
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key CISCO address 199.199.199.1
!
!
crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile MyProfile
 set transform-set MyTransSet
!
interface Tunnel0
 ip address 10.10.10.2 255.255.255.252
 tunnel source 199.199.199.2
 tunnel destination 199.199.199.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyProfile
!
interface Serial0
 ip address 199.199.199.2 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 199.199.199.1
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
Please rate if the information provided is useful.
By
Knockaert
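An AH-only, transport-mode variant of the configuration above, added here as an example; it is not part of Knockaert's reply or of any Cisco document. It keeps the thread's addresses and assumes a pre-shared key of ExampleKey1, a tunnel subnet of 10.10.10.0/30, and IOS images on both routers that offer the AH transforms (ah-sha-hmac). The reason the question as posed cannot be met with a crypto map on the serial interfaces is that the H1-to-H2 packets are not sourced by R1 or R2, so IOS negotiates tunnel mode for them even when transport mode is configured; protecting a GRE tunnel whose endpoints are the routers is what makes transport mode apply, and AH then covers the GRE packet including its outer IP header.

```cisco
! Added example (not from the original reply): AH in transport mode
! protecting a GRE tunnel between R1 and R2. Assumed: PSK "ExampleKey1",
! tunnel subnet 10.10.10.0/30, AH transforms available on both images.
!
! ===== R1 =====
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key ExampleKey1 address 199.199.199.2
!
! AH only: each packet is integrity-protected and origin-authenticated,
! nothing is encrypted. Transport mode keeps the original IP header.
crypto ipsec transform-set AH-ONLY ah-sha-hmac
 mode transport
!
crypto ipsec profile AH-PROFILE
 set transform-set AH-ONLY
!
! Plain GRE tunnel (default "tunnel mode gre ip"). The GRE packets are
! sourced by R1 and addressed to R2, so transport mode is negotiated
! exactly as configured instead of falling back to tunnel mode.
interface Tunnel0
 ip address 10.10.10.1 255.255.255.252
 tunnel source 199.199.199.1
 tunnel destination 199.199.199.2
 tunnel protection ipsec profile AH-PROFILE
!
interface Serial0
 ip address 199.199.199.1 255.255.255.0
!
! H2's network is routed into the tunnel, so H1 -> H2 traffic is protected.
ip route 200.200.200.0 255.255.255.0 Tunnel0
!
! ===== R2 =====
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key ExampleKey1 address 199.199.199.1
!
crypto ipsec transform-set AH-ONLY ah-sha-hmac
 mode transport
!
crypto ipsec profile AH-PROFILE
 set transform-set AH-ONLY
!
interface Tunnel0
 ip address 10.10.10.2 255.255.255.252
 tunnel source 199.199.199.2
 tunnel destination 199.199.199.1
 tunnel protection ipsec profile AH-PROFILE
!
interface Serial0
 ip address 199.199.199.2 255.255.255.0
!
! H1's network is routed into the tunnel, so H2 -> H1 traffic is protected.
ip route 201.201.201.0 255.255.255.0 Tunnel0
```

To confirm the mode actually negotiated, run `show crypto ipsec sa` on either router after a ping from H1 to H2: the SA for the tunnel should report `in use settings ={Transport, }` and show packet counters under the `inbound ah sas` and `outbound ah sas` sections rather than under `esp sas`. Because AH authenticates the outer IP header, this setup fails as soon as a NAT sits between R1 and R2; that is a property of AH, not a misconfiguration, and is the usual reason ESP is preferred in practice.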
-
Site-to-site IPsec without re-establishing a new tunnel
Hello, I have a question about IPsec S2S.
In this topology, I would like an IPsec S2S between 172.21.0.0/24 and 172.22.0.0/24.
The serial line is the first priority and the route via the ISP is the second priority for routing.
The question is: how can I create the IPsec site-to-site connection without re-establishing it when the routing path changes?
The AR configuration:
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname AR
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
username BR password 0 cisco
!
!
license udi pid CISCO2901/K9 sn FTX1524YO05
license boot module c2900 technology-package securityk9
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key cisco address 10.0.0.2
crypto isakmp key cisco address 200.200.200.2
!
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 10.0.0.2
 set peer 200.200.200.2
 set transform-set TS
 match address vpn
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 100.100.100.2 255.255.255.252
 duplex auto
 speed auto
 crypto map WCPA
!
interface GigabitEthernet0/1
 ip address 172.21.0.254 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 10.0.0.1 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 clock rate 2000000
 crypto map WCPA
!
interface Serial0/0/1
 no ip address
 clock rate 2000000
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.3 area 0
 network 172.21.0.0 0.0.0.255 area 0
!
router rip
 version 2
 network 100.0.0.0
 network 172.21.0.0
 no auto-summary
!
ip classless
!
ip flow-export version 9
!
!
ip access-list extended vpn
 permit ip 172.21.0.0 0.0.0.255 172.22.0.0 0.0.0.255
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end
Configuration of BR:
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname BR
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
username AR password 0 cisco
!
!
license udi pid CISCO2901/K9 sn FTX1524L63A
license boot module c2900 technology-package securityk9
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key cisco address 10.0.0.1
crypto isakmp key cisco address 100.100.100.2
!
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 10.0.0.1
 set peer 100.100.100.2
 set transform-set TS
 match address vpn
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 200.200.200.2 255.255.255.252
 duplex auto
 speed auto
 crypto map WCPA
!
interface GigabitEthernet0/1
 ip address 172.22.0.254 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 10.0.0.2 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 crypto map WCPA
!
interface Serial0/0/1
 no ip address
 clock rate 2000000
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.3 area 0
 network 172.22.0.0 0.0.0.255 area 0
!
router rip
 version 2
 network 172.22.0.0
 network 200.200.200.0
 no auto-summary
!
ip classless
!
ip flow-export version 9
!
!
ip access-list extended vpn
 permit ip 172.22.0.0 0.0.0.255 172.21.0.0 0.0.0.255
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end
Thank you very much!
Although you could go this route, I wouldn't.
I would use VTI (GRE tunnels that run over IPsec) interfaces, one on the serial circuit and the other on the ISP circuit.
You can then either use GRE keepalives to detect which tunnels are up and use static routes, or use a dynamic routing protocol such as EIGRP (put a higher 'bandwidth' value with the 'bandwidth' command on the preferred tunnel).
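A sketch of the two-tunnel approach the reply describes, added here as an example and not taken from the thread's own configs. It shows the AR side only; BR mirrors it with the addresses swapped. Assumed values: the PSK cisco is kept from the thread purely so the example lines up with the posted configs, the tunnel subnets are 10.255.1.0/30 (serial path) and 10.255.2.0/30 (ISP path), the EIGRP AS is 100, and 100.100.100.1 is the ISP next hop. Once the tunnels carry the traffic, the crypto map WCPA on the physical interfaces, the vpn ACL, and the OSPF and RIP processes from the posted config are no longer needed.

```cisco
! AR side, added example (not from the original post). Assumed: PSK "cisco",
! tunnel subnets 10.255.1.0/30 and 10.255.2.0/30, EIGRP AS 100, ISP next hop
! 100.100.100.1. BR mirrors this with the addresses swapped.
!
! IPsec VTI is CEF-switched; the posted configs have "no ip cef".
ip cef
!
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.0.0.2
crypto isakmp key cisco address 200.200.200.2
! DPD so a dead peer tears down its own SA instead of lingering.
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto ipsec profile VTI-PROF
 set transform-set TS
!
! Tunnel over the serial link: the preferred path. EIGRP uses the lowest
! bandwidth along a path, so the higher value here makes this tunnel win.
interface Tunnel1
 bandwidth 2000
 ip address 10.255.1.1 255.255.255.252
 tunnel source Serial0/0/0
 tunnel destination 10.0.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! Tunnel over the ISP: the backup path.
interface Tunnel2
 bandwidth 1000
 ip address 10.255.2.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 200.200.200.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! Underlay route to the ISP-side tunnel endpoint. Keep this a static /32 so
! the tunnel destination is never learned through the tunnel itself
! (recursive routing would flap the interface). The serial peer is
! directly connected and needs no route.
ip route 200.200.200.2 255.255.255.255 100.100.100.1
!
! EIGRP runs inside both tunnels. Both SAs stay up all the time; when the
! serial link fails the Tunnel1 neighbour times out and the 172.22.0.0/24
! route moves to Tunnel2 without any IPsec renegotiation.
router eigrp 100
 network 172.21.0.0 0.0.0.255
 network 10.255.1.0 0.0.0.3
 network 10.255.2.0 0.0.0.3
 no auto-summary
```

After both sides are up, `show ip route 172.22.0.0` should point at Tunnel1, and `show crypto ipsec sa` should list two active SAs, one per tunnel. Shutting Serial0/0/0 on AR should move the route to Tunnel2 within the EIGRP hold time (15 seconds by default) while `show crypto isakmp sa` still shows the ISP-path peer in QM_IDLE, which is the behaviour the question asks for.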
-
ISA500 site-to-site IPsec VPN with a Cisco ISR
Hello
I tried to get a site-to-site VPN working with Openswan and a Cisco 2821 router, and to configure an IPsec site-to-site tunnel between the Cisco 2821 and an ISA550.
But without success.
My config for openswan, just FYI, maybe not important for this problem:
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$RIGHT_SUBNET
    nhelpers=0
conn rz1
    ikev2=no
    type=tunnel
    left=%any
    leftsubnet=192.168.5.0/24
    right=
    rightsourceip=192.168.1.2
    rightsubnet=192.168.1.0/24
    keylife=28800s
    ikelifetime=28800s
    keyingtries=3
    auth=esp
    esp=aes128-sha1
    keyexchange=ike
    authby=secret
    auto=start
    ike=aes128-sha1;modp1536
    dpdaction=restart
    dpddelay=30
    dpdtimeout=60
    pfs=no
    aggrmode=no
Config of the Cisco 2821 for dynamic dial-in:
crypto isakmp policy 1
 encr aes
 hash sha
 authentication pre-share
 group 5
 lifetime 28800
!
crypto map CMAP_1 1 ipsec-isakmp dynamic DYNMAP_1
!
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
!
crypto ipsec transform-set ESP-AES-SHA1 esp-aes esp-sha-hmac
crypto dynamic-map DYNMAP_1 1
 set transform-set ESP-AES-SHA1
 match address 102
!
crypto isakmp key
address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 periodic
!
crypto ipsec security-association lifetime seconds 28800
!
interface GigabitEthernet0/0.4002
 crypto map CMAP_1
!
I tried a config on the ISA550 with the same settings, but without success.
Does anyone have the same problem?
And does anyone have a tip for me, or does someone have experience with a site-to-site IPsec tunnel between an ISA550 and a Cisco 2821?
I can successfully establish a tunnel between the openswan linux server and the isa550.
Patrick,
as you can see from the logs, the software behind the ISA is also OpenSWAN.
I have a setup with an 892 ISR running, which should be the same as your 29xx.
Use your IOS config with a dynmap; as it stands, you are on the road-warrior path. If you don't have any RW clients, you should put "no-xauth" on IOS after the isakmp key.
Here is my setup, with road warrior AND 2 site-2-site.
crypto logging session
crypto logging ezvpn
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 4
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 7200
crypto isakmp key XXXX address XXXXX no-xauth
crypto isakmp key XXXX address XXXX no-xauth
!
crypto isakmp client configuration group default
 key XXXX
 dns XXXX
 pool default
 acl easyvpn_client_routes
 pfs
!
!
crypto ipsec transform-set FEAT esp-3des esp-sha-hmac
!
crypto dynamic-map VPN 20
 set transform-set FEAT
 reverse-route
!
!
crypto map VPN client authentication list default
crypto map VPN isakmp authorization list default
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp
 description VPN-1
 set peer XXX
 set transform-set FEAT
 match address internal_networks_ipsec
crypto map VPN 11 ipsec-isakmp
 description VPN-2
 set peer XXX
 set transform-set FEAT
 set pfs group2
 match address internal_networks_ipsec2
crypto map VPN 20 ipsec-isakmp dynamic VPN
!
!
Michael
Please rate all useful posts
-
Hello
I'm setting up IPsec for the first time. I use the following commands to configure IPsec:
crypto ipsec transform-set pulse_ipsec esp-3des
crypto map test_ipsec 1 ipsec-manual
 set peer 10.1.1.1
 set session-key inbound esp 256 cipher authenticator
 set session-key outbound esp 257 cipher authenticator
 set transform-set pulse_ipsec
Can someone please tell me where I put the key, and whether
I have to insert the key? How can I generate these keys? Is there any way the two peer routers can generate the keys, or do I enter what goes in the cipher and authenticator fields? Thank you
Hello
Enter them manually in hexadecimal.
It is an arbitrary hexadecimal string of 8, 16 or 20 bytes.
If the crypto map's transform set includes a DES algorithm, specify at least 8 bytes per key.
If the crypto map's transform set includes an MD5 algorithm, specify at least 16 bytes per key.
If the crypto map's transform set includes a SHA algorithm, specify 20 bytes per key.
Keys longer than the sizes above are simply truncated.
Thanks
Atul.
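A complete manual-keying crypto map built around the commands in the question, added here as an example and not from the original thread or a Cisco document. It assumes the transform set also carries esp-sha-hmac (so the authenticator keys in the question's commands have something to key), the peer 10.1.1.1 from the question, a local outside address of 10.1.1.2, and protected networks 192.168.10.0/24 and 192.168.20.0/24. The hex keys are constructed placeholders to show the required lengths, not values to deploy; with esp-3des the cipher key is 24 bytes (48 hex digits) and with esp-sha-hmac the authenticator key is 20 bytes (40 hex digits).

```cisco
! Added example, not from the original thread. Key values are constructed
! placeholders; generate real ones with a CSPRNG (for example
! "openssl rand -hex 24" and "openssl rand -hex 20") and exchange them out
! of band. Assumed: peer 10.1.1.1, local 10.1.1.2, nets 192.168.10.0/24
! and 192.168.20.0/24.
!
crypto ipsec transform-set pulse_ipsec esp-3des esp-sha-hmac
!
crypto map test_ipsec 1 ipsec-manual
 set peer 10.1.1.1
 set transform-set pulse_ipsec
 match address 110
 ! esp-3des: 24-byte (48 hex digit) cipher key.
 ! esp-sha-hmac: 20-byte (40 hex digit) authenticator key.
 ! The peer configures the same SPIs and keys with inbound and outbound
 ! swapped: our inbound SPI 256 is its outbound SPI 256, and so on.
 set session-key inbound esp 256 cipher 0123456789abcdef1123456789abcdef2123456789abcdef authenticator 00112233445566778899aabbccddeeff00112233
 set session-key outbound esp 257 cipher fedcba9876543210edcba9876543210fdcba9876543210fe authenticator ffeeddccbbaa99887766554433221100ffeeddcc
!
! Traffic selector for the manual SA. Nothing is negotiated, so the ACL on
! the peer must be the exact mirror of this one.
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 crypto map test_ipsec
```

Two things to check before relying on this: `show crypto ipsec sa` should show the SA immediately after the crypto map is applied (manual SAs are installed without any IKE exchange, so a missing SA means a syntax or key-length problem, not a peer problem), and remember that manual keys never rotate; the SA stays keyed with the same material until someone changes it on both routers, which is the main reason to prefer ISAKMP unless the peer cannot negotiate.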
-
IPsec between an IOS device and a PIX
Hello
I'm not able to successfully establish an IPsec tunnel between an IOS box (2600 router) running 12.3(9) and a PIX501 running PIX OS 6.2. I see the following error on the 2600:
*Mar 10 06:09:50.416: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
*Mar 10 06:09:50.416: ISAKMP (0:1): incrementing error counter on sa: retransmit
phase 1
And on the PIX501 the following error message:
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 9.8.1.2, dest 9.2.1.2
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
return status is IKMP_ERR_RETRANS
crypto_isakmp_process_block: src 9.8.1.2, dest 9.2.1.2
OAK_MM exchange
I am able to ping the outside interface of one box from the other. Any idea what I might be missing?
Thanks in advance,
Krishna
The commands I configured on the 2600 are as follows:
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 1200
crypto isakmp key cisco address 9.2.1.2
crypto isakmp keepalive 50 10
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set krishnas esp-des esp-sha-hmac
!
!
crypto map krishnas 1 ipsec-isakmp
 set peer 9.2.1.2
 set transform-set krishnas
 match address krishnas
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.243.1 255.255.255.0
 speed auto
 full-duplex
!
interface FastEthernet0/1
 description outside interface to the cloud
 bandwidth 10000
 ip address 9.8.1.2 255.255.0.0
 speed auto
 half-duplex
 crypto map krishnas
!
!
ip access-list extended krishnas
 permit ip 192.168.243.0 0.0.0.255 192.168.244.0 0.0.0.255
The commands I configured on the PIX501:
access-list krishnas permit ip 192.168.244.0 255.255.255.0 192.168.243.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set krishnas esp-des esp-sha-hmac
crypto map krishnas 1 ipsec-isakmp
crypto map krishnas 1 match address krishnas
crypto map krishnas 1 set peer 9.8.1.2
crypto map krishnas 1 set transform-set krishnas
crypto map krishnas interface outside
isakmp enable outside
isakmp key cisco address 9.8.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 50 10
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 1200
Hello Krishna
If possible and feasible, try downgrading the IOS from 12.3(9) to a lower code such as 12.3.6. But make sure that the image is a k9 one and supports VPN. Also upgrade the PIX to 6.3.3.
Assuming that the keys are the same, your configs look ok. From the debugs it seems it's not able to get past phase 1 properly;
changing the code could help.
Regards
Wakif