IPSec transform-set

Hi all

My goal is to configure IPsec between two routers in GNS3.

The connection is all working, but I do not know why nothing happens when I change the mode of the IPsec transform set!

I expected the connection to change when I changed the mode, but that is not the case, and no log is displayed in debug mode for the change either! Please help me.

config R1:

crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
crypto isakmp key 1212 address 12.12.12.2
!
!
crypto ipsec transform-set ts esp-aes esp-md5-hmac
 mode transport
!
crypto map m1 1 ipsec-isakmp
 set peer 12.12.12.2
 set transform-set ts
 match address 101
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 12.12.12.1 255.255.255.0
 duplex auto
 speed auto
 crypto map m1
!
ip route 0.0.0.0 0.0.0.0 12.12.12.2
!
access-list 101 permit ip any any

config R2:

crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
crypto isakmp key 1212 address 12.12.12.1
!
!
crypto ipsec transform-set ts esp-aes esp-md5-hmac
!
crypto map m1 1 ipsec-isakmp
 set peer 12.12.12.1
 set transform-set ts
 match address 101
!
interface Loopback1
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 ip address 12.12.12.2 255.255.255.0
 duplex auto
 speed auto
 crypto map m1
!
ip route 0.0.0.0 0.0.0.0 12.12.12.1
!
access-list 101 permit ip any any
!

All this is maybe also! Please help me ;)

Hi hofo123456,

Can you please explain your problem in brief.
I see that the transform set is not matching, so it will prevent the VPN tunnel from coming up.
The default value is "tunnel mode", or you might want to set "tunnel mode" or "transport mode" on both routers.

NOTE: If you are encrypting just the traffic from devices behind the routers, then even if you use transport mode, only tunnel mode will be negotiated.

Kind regards
Dinesh Moudgil

PS Please rate helpful messages.
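
The mismatch pointed out in the reply can be checked mechanically. The following Python sketch is an added example, not part of the thread: it parses two IOS-style configs (constructed here from the R1/R2 excerpts above) and reports when the transform sets the peers offer each other differ in transforms or in mode. The function names are assumptions of the example.

```python
import re

# Constructed sample configs modelled on the R1/R2 excerpts in the thread.
R1 = """\
crypto ipsec transform-set ts esp-aes esp-md5-hmac
 mode transport
!
crypto map m1 1 ipsec-isakmp
 set peer 12.12.12.2
 set transform-set ts
 match address 101
"""

R2 = """\
crypto ipsec transform-set ts esp-aes esp-md5-hmac
!
crypto map m1 1 ipsec-isakmp
 set peer 12.12.12.1
 set transform-set ts
 match address 101
"""

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$", re.I)
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp", re.I)


def parse(config):
    """Return (transform_sets, crypto_map_entries) from an IOS-style config."""
    sets, entries, ctx = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():            # top-level line starts a new context
            ctx = None
            if m := TS_RE.match(line):
                ctx = sets[m.group(1)] = {
                    "transforms": frozenset(m.group(2).lower().split()),
                    "mode": "tunnel",         # default when no mode line follows
                }
            elif m := MAP_RE.match(line):
                ctx = {"map": m.group(1), "seq": int(m.group(2)),
                       "peers": [], "sets": []}
                entries.append(ctx)
        elif ctx is not None:                # indented sub-command of the context
            words = line.lower().split()
            if words[:1] == ["mode"] and len(words) > 1 and "mode" in ctx:
                ctx["mode"] = words[1]
            elif words[:2] == ["set", "peer"] and "peers" in ctx:
                ctx["peers"] += line.split()[2:]
            elif words[:2] == ["set", "transform-set"] and "sets" in ctx:
                ctx["sets"] += line.split()[2:]
    return sets, entries


def offered(config, peer_ip):
    """Transform sets that the crypto map entries for peer_ip reference."""
    sets, entries = parse(config)
    return [dict(sets[name], name=name)
            for entry in entries if peer_ip in entry["peers"]
            for name in entry["sets"] if name in sets]


def compare(cfg_a, ip_a, cfg_b, ip_b):
    """List findings for the tunnel between router A (ip_a) and router B (ip_b)."""
    a, b = offered(cfg_a, ip_b), offered(cfg_b, ip_a)
    pairs = [(x, y) for x in a for y in b if x["transforms"] == y["transforms"]]
    if not pairs:
        return ["no transform-set with identical transforms on both peers"]
    return [f"mode mismatch: {ip_a} {x['name']}={x['mode']}, "
            f"{ip_b} {y['name']}={y['mode']}"
            for x, y in pairs if x["mode"] != y["mode"]]


if __name__ == "__main__":
    for finding in compare(R1, "12.12.12.1", R2, "12.12.12.2"):
        print(finding)
```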

Tags: Cisco Security

Similar Questions

  • Many policies and transform sets for 1 tunnel peer?

    Recently acquired an ASA-heavy company, along with its network administrators.  They seem to have set some things up on the ASAs that I don't quite understand, shown below.

    This is one spoke site, and there is only 1 tunnel on it, to the hub. This tunnel calls the transform sets named "ESP-3DES-SHA" and "ESP-3DES-MD5". That said, why have they configured transform sets for AES-256, AES-192 and AES if they only call 3DES transform sets in the crypto map?  The policies further down in the excerpt seem to have something to do with it, but if that were the case, wouldn't you call all the configured transform sets in the crypto map to make full use of all the policies set in this config, because each policy sets the encryption to a different type / method?

    Excerpt from the configuration:

    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer XX.XXX.XXX.XX
    crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA

    crypto map outside_map interface outside

    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400

    Only the transform sets called in the crypto map will be used. The policies will be evaluated in priority order until a match with the hub is found. Ideally, it would be the first one.

    You're right that for the use case you describe, only a single defined transform set and policy is necessary. Multiples are often a legacy of the default settings and, sometimes, an attempt to standardize on every transform set and policy across the ASAs, so that no matter where they end up connecting, the necessary building blocks are in the config. However, it results in a lot of unused lines.
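
One way to see which transform sets a crypto map actually calls, as the reply describes. This Python audit is an added example, not from the thread or from Cisco: it reads an ASA-style config (constructed here as a shortened version of the excerpt above, with a documentation address standing in for the masked peer) and lists the defined transform sets that no crypto map entry references. The function names are assumptions of the example.

```python
import re

# Constructed sample: a shortened version of the ASA excerpt in the thread.
# 192.0.2.10 is a documentation address standing in for the masked peer.
ASA_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 192.0.2.10
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map interface outside
"""

DEF_RE = re.compile(
    r"^crypto ipsec ikev1 transform-set (\S+) (.+)$", re.I | re.M)
# Static and dynamic crypto map entries can both reference transform sets.
REF_RE = re.compile(
    r"^crypto (?:dynamic-)?map (\S+) (\d+) set ikev1 transform-set (.+)$",
    re.I | re.M)


def defined_sets(config):
    """Return {name: {"transforms": [...], "mode": "tunnel"|"transport"}}."""
    sets = {}
    for name, rest in DEF_RE.findall(config):
        entry = sets.setdefault(name, {"transforms": [], "mode": "tunnel"})
        words = rest.lower().split()
        if not words:
            continue
        if words[0] == "mode" and len(words) == 2:
            entry["mode"] = words[1]          # separate "mode" line for the set
        else:
            entry["transforms"] = words       # e.g. ["esp-3des", "esp-sha-hmac"]
    return sets


def referenced_sets(config):
    """Return {transform-set name: ["<map> <seq>", ...]} for every reference."""
    refs = {}
    for map_name, seq, names in REF_RE.findall(config):
        for name in names.split():
            refs.setdefault(name, []).append(f"{map_name} {seq}")
    return refs


def audit(config):
    """Split the defined transform sets into used and unused ones."""
    defined, refs = defined_sets(config), referenced_sets(config)
    return {
        "used": {n: refs[n] for n in sorted(defined) if n in refs},
        "unused": sorted(n for n in defined if n not in refs),
        # Referenced by a crypto map but never defined: a config error.
        "undefined": sorted(n for n in refs if n not in defined),
    }


if __name__ == "__main__":
    report = audit(ASA_CONFIG)
    for name, where in report["used"].items():
        print(f"used      {name} (crypto map {', '.join(where)})")
    for name in report["unused"]:
        print(f"unused    {name}")
    for name in report["undefined"]:
        print(f"undefined {name}")
```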

  • "the apprentice" crypto transform-set issues

    Greetings - I was sort of a backup person or I guess as "Apprentice" to our network administrator who has recently retired. Same story, guess who is responsible now to figure it all out.
    We have a pair of 5510s in the main office; the second is a "fail-over" upon the death of number 1.
    Our remote offices have 5505s (system image file is disk0:/asa844-1-k8.bin) which connect here LAN-to-LAN via the Internet connection provided to each office by various Internet service providers. Mostly good; some "tunnels" or connections stay up for days, or even weeks or sometimes months, without any problem.
    But we have some problem offices where either the connection drops fairly regularly or, in one case, they often lose the ability to connect to the mainframe connector address here. We have different subnets in our offices; the mainframe and email are provided by the State, or IT Enterprise/ITE Central. Some of our 'networks' use public addresses, some private.
    Each remote office has its own network. The numbering is based on number of office accountant, not that it's really important.
    Thus each remote office will have a private 10.252.xxx.xxx scheme where the first xxx is the office number and the last xxx is the range assigned to us, normally broken up with a /27 (255.255.255.224) mask.
    With this established, a typical office will be 10.252.24.1 - 30 (10.252.24.0 network)
    I was thrown into the fire and told to figure out our problem offices. In trying to figure out why things are the way they are, I find things which surprise me. Can't put my finger on it, but it just doesn't feel right.
    One topic at a time - I find Cisco documentation that says you can assign a MAXIMUM of 6 transform sets to a crypto map.
    HOWEVER, I find more than 6 in the list, 11 actually. I can't understand why so many and why the heck we would even need more than 1 or 2 anyway. I think they are here because of updates to the OS over the years, that things simply appeared through the update process, and I also think that some were added simply because things were tried - thrown in to see if it helps. I hate this.
    I want these cleaned up and only the code that is required to be left - and in a way I can understand. And if that helps with our connection issues, great, but if not, at least things will be easier to sort through and understand.
    This is the area in question for the purposes of this post -
    Looking at the small part of our config from a typical remote office ASA5505 that I'll post below - what belongs or is necessary, and what is extraneous and can or should be removed or deleted?
    Why 11 lines of transform-set?
    Said 6 max? (this quote) > After configuring a transform set, you assign it to a crypto map. You can assign up to six transform sets to a crypto map.

    ----------------------------------------------------------------------
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac (why this?)
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac (10 of them besides the next)
    crypto ipsec ikev1 transform-set vpnivrs esp-3des esp-md5-hmac (kind of makes sense - vpnivrs is the 'name' and serves...?)
    crypto map ivrsmap 10 match address DESENLOG
    crypto map ivrsmap 10 set peer 209.111.111.666 (changed to protect the real address)
    crypto map ivrsmap 10 set ikev1 transform-set vpnivrs
    crypto map ivrsmap interface outside
    crypto isakmp nat-traversal 30
    crypto ikev1 enable outside
    crypto ikev1 policy 10 (why two of these 'policy' lines?)
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 28800
    crypto ikev1 policy 65535 (see above - this is number 2 - why two? what does this do?)
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    --------------------------------------------------------

    Some quick stats or tests.

    VRAMSASA1# show crypto ikev1 sa

    IKEv1 SAs:

       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: 209.111.111.666
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE

    I can provide any additional information that can help.
    I have already corrected some problems by turning NAT-T on at offices whose Internet is provided via a DSL modem, since that modem is apparently a NAT device - the outside interfaces on the 5505s with DSL have 192.168 addresses and the MODEM has the Internet address, whereas the sites provided with a cable modem have a direct public address on the outside interface.  Something bothered me about these sites - and I was able to figure out what and why. The example configuration above bothers me right now - but I don't know why.

    Just an another public employee trying to make it work properly, having to learn the hard way now...
    I apologize if this isn't the correct area to post.
    Thank you.

    You are welcome.

    Regarding your follow-up questions A and B - yes to both.

    DO first make a backup of your configuration. It is a good idea during changes of any kind. If in doubt, back up before and back up after. Do a side-by-side comparison to check your work. (I use ExamDiff to make the comparison of long text files less prone to human error.)

    When you have preshared keys (which appear as hashes when you perform a simple "show run"), you must use the following (when logging the output of your terminal session):

    term pager 0
    more system:running-config

    The first line will make all the output scroll by at once, and the second will print the configuration with the pre-shared keys in plaintext.

  • Why does the a:visited CSS style not change anything other than the color or the background color in Firefox 6? The text-decoration and text-transform settings do not work.

    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

    <meta content="text/html; charset=iso-8859-1" http-equiv="Content-Type">
    <title>visit problem</title>

    <style type="text/css">

    #footer a:link {
      color: white;
      background-color: orange;
      text-transform: uppercase;
    }

    #footer a:visited {
      color: red;
      background-color: black;
      text-transform: lowercase;
      text-decoration: none;
    }

    </style>

  • Why would someone use Authentication Header in a transform set?

    I came across a setup that uses an IPsec transform-set of esp-3des ah-sha-hmac.  It is a Cisco router, and it runs inside an MPLS tunnel.  Since ESP does everything that AH does, is there any good reason to use AH?

    I would like to change it, because I haven't fully read the framework.

    It's a little strange to see, but not out of the question. ESP has largely supplanted AH because authentication, integrity and encryption can all be handled in one protocol. AH is still valid in this scenario, but people simply do everything with ESP now.

  • Failing L2TP/IPsec for Android (invalid transform proposal flags - 0x800)

    Hello

    I have implemented an L2TP/IPsec tunnel using a Cisco 1905 router, located behind a Cisco ASA FW. This tunnel must be established between the router and mobile devices, mainly iPhones and Androids. For the sake of troubleshooting, I made sure the FW is not in the way (opened all required ports, configured NAT and routes, etc.). It turns out that iPhones correctly establish the tunnel but Androids fail.

    Apparently, the problem is in phase 2 of the IPsec negotiation, where the debug says
    18 Dec 12:42:34.226: IPSEC (ipsec_process_proposal): invalid transform proposal flags - 0x800
    18 Dec 12:42:34.226: ISAKMP: (1028): IPSec policy invalidated proposal with error 1024

    I tried AES and 3DES in the transform sets, but it seems it just doesn't work.

    Can someone help me?

    Router: Cisco 1905 image: c1900-universalk9-mz.SPA.150-1.M8.bin
    iPhone: 6 (iOS 8.1) and 5 (9.1)
    Android: Motorola MotoG (Android 4.4.2)

    Setup for mobile devices:

    Type: L2TP/IPSec PSK
    Server address:
    IPSec pre-shared key: cisco
    username: cisco
    password: cisco

    Cisco 1905 relevant config:

    aaa authentication ppp default local
    !
    vpdn enable
    !
    vpdn-group L2TP
     accept-dialin
      protocol l2tp
      virtual-template 1
     no l2tp tunnel authentication
    !
    username cisco password cisco
    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
     lifetime 3600
    crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
    crypto isakmp keepalive 3600
    !
    !
    crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
     mode transport
    !
    crypto dynamic-map ipnetconfig-map 10
     set nat demux
     set transform-set ipnetconfig
    !
    !
    crypto map cisco 10 ipsec-isakmp dynamic ipnetconfig-map
    !
    !
    interface GigabitEthernet0/0
     ip address 192.168.0.1 255.255.255.192
     no ip proxy-arp
     duplex auto
     speed auto
     crypto map cisco
    !
    !
    interface Virtual-Template1
     ip unnumbered GigabitEthernet0/0
     peer default ip address pool poolipnetconfig
     ppp encrypt mppe 40
     ppp authentication ms-chap-v2 pap chap ms-chap
    !
    ip local pool poolipnetconfig 192.168.1.1 192.168.1.255

    Debug:

    12:42:30.763 18 Dec: ISAKMP (0): received 200.247.229.53 packet dport 500 sport 50003 Global (N) SA NEWS
    12:42:30.763 18 Dec: ISAKMP: created a struct peer 200.247.229.53, peer port 50003
    12:42:30.763 18 Dec: ISAKMP: new created position = 0x285F5FBC peer_handle = 0 x 80000018
    12:42:30.763 18 Dec: ISAKMP: lock struct 0x285F5FBC, refcount 1 to peer crypto_isakmp_process_block
    12:42:30.763 18 Dec: ISAKMP: 500 local port, remote port 50003
    12:42:30.763 18 Dec: ISAKMP: (0): insert his with his 28840894 = success
    12:42:30.763 18 Dec: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    12:42:30.763 18 Dec: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM1

    18 Dec 12:42:30.763: ISAKMP: (0): treatment ITS payload. Message ID = 0
    18 Dec 12:42:30.763: ISAKMP: (0): load useful vendor id of treatment
    18 Dec 12:42:30.763: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    12:42:30.763 18 Dec: ISAKMP (0): provider ID is NAT - T RFC 3947
    18 Dec 12:42:30.763: ISAKMP: (0): load useful vendor id of treatment
    18 Dec 12:42:30.763: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
    18 Dec 12:42:30.763: ISAKMP: (0): load useful vendor id of treatment
    18 Dec 12:42:30.763: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
    18 Dec 12:42:30.763: ISAKMP: (0): provider ID is NAT - T v2
    18 Dec 12:42:30.763: ISAKMP: (0): load useful vendor id of treatment
    18 Dec 12:42:30.763: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
    18 Dec 12:42:30.763: ISAKMP: (0): load useful vendor id of treatment
    18 Dec 12:42:30.763: ISAKMP: (0): IKE frag vendor processing id payload
    12:42:30.763 18 Dec: ISAKMP: (0): IKE Fragmentation support not enabled
    18 Dec 12:42:30.763: ISAKMP: (0): load useful vendor id of treatment
    18 Dec 12:42:30.763: ISAKMP: (0): provider ID is DPD
    12:42:30.763 18 Dec: ISAKMP: (0): pair found pre-shared key matching 200.247.229.53
    18 Dec 12:42:30.763: ISAKMP: (0): pre-shared key local found
    12:42:30.763 18 Dec: ISAKMP: analysis of the profiles for xauth...
    12:42:30.767 18 Dec: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 10
    12:42:30.767 18 Dec: ISAKMP: type of life in seconds
    12:42:30.767 18 Dec: ISAKMP: life (basic) of 28800
    12:42:30.767 18 Dec: ISAKMP: AES - CBC encryption
    12:42:30.767 18 Dec: ISAKMP: keylength 256
    12:42:30.767 18 Dec: ISAKMP: pre-shared key auth
    12:42:30.767 18 Dec: ISAKMP: SHA hash
    12:42:30.767 18 Dec: ISAKMP: group by default 2
    12:42:30.767 18 Dec: ISAKMP: (0): free encryption algorithm does not match policy.
    12:42:30.767 18 Dec: ISAKMP: (0): atts are not acceptable. Next payload is 3
    12:42:30.767 18 Dec: ISAKMP: (0): audit ISAKMP transform 2 against the policy of priority 10
    12:42:30.767 18 Dec: ISAKMP: type of life in seconds
    12:42:30.767 18 Dec: ISAKMP: life (basic) of 28800
    12:42:30.767 18 Dec: ISAKMP: AES - CBC encryption
    12:42:30.767 18 Dec: ISAKMP: keylength 256
    12:42:30.767 18 Dec: ISAKMP: pre-shared key auth
    12:42:30.767 18 Dec: ISAKMP: MD5 hash
    12:42:30.767 18 Dec: ISAKMP: group by default 2
    12:42:30.767 18 Dec: ISAKMP: (0): free encryption algorithm does not match policy.
    12:42:30.767 18 Dec: ISAKMP: (0): atts are not acceptable. Next payload is 3
    12:42:30.767 18 Dec: ISAKMP: (0): audit ISAKMP transform 3 against the policy of priority 10
    12:42:30.767 18 Dec: ISAKMP: type of life in seconds
    12:42:30.767 18 Dec: ISAKMP: life (basic) of 28800
    12:42:30.767 18 Dec: ISAKMP: AES - CBC encryption
    12:42:30.767 18 Dec: ISAKMP: keylength 128
    12:42:30.767 18 Dec: ISAKMP: pre-shared key auth
    12:42:30.767 18 Dec: ISAKMP: SHA hash
    12:42:30.767 18 Dec: ISAKMP: group by default 2
    12:42:30.767 18 Dec: ISAKMP: (0): free encryption algorithm does not match policy.
    12:42:30.767 18 Dec: ISAKMP: (0): atts are not acceptable. Next payload is 3
    12:42:30.767 18 Dec: ISAKMP: (0): audit ISAKMP transform 4 against the policy of priority 10
    12:42:30.767 18 Dec: ISAKMP: type of life in seconds
    12:42:30.767 18 Dec: ISAKMP: life (basic) of 28800
    12:42:30.767 18 Dec: ISAKMP: AES - CBC encryption
    12:42:30.767 18 Dec: ISAKMP: keylength 128
    12:42:30.767 18 Dec: ISAKMP: pre-shared key auth
    12:42:30.767 18 Dec: ISAKMP: MD5 hash
    12:42:30.767 18 Dec: ISAKMP: group by default 2
    12:42:30.767 18 Dec: ISAKMP: (0): free encryption algorithm does not match policy.
    12:42:30.767 18 Dec: ISAKMP: (0): atts are not acceptable. Next payload is 3
    12:42:30.767 18 Dec: ISAKMP: (0): audit ISAKMP transform against the policy of priority 10 5
    12:42:30.767 18 Dec: ISAKMP: type of life in seconds
    12:42:30.767 18 Dec: ISAKMP: life (basic) of 28800
    12:42:30.767 18 Dec: ISAKMP: 3DES-CBC encryption
    12:42:30.767 18 Dec: ISAKMP: pre-shared key auth
    12:42:30.767 18 Dec: ISAKMP: SHA hash
    12:42:30.767 18 Dec: ISAKMP: group by default 2
    12:42:30.767 18 Dec: ISAKMP: (0): atts are acceptable. Next payload is 3
    12:42:30.767 18 Dec: ISAKMP: (0): Acceptable atts: real life: 3600
    12:42:30.767 18 Dec: ISAKMP: (0): Acceptable atts:life: 0
    12:42:30.767 18 Dec: ISAKMP: (0): base life_in_seconds:28800
    12:42:30.767 18 Dec: ISAKMP: (0): return real life: 3600
    12:42:30.767 18 Dec: ISAKMP: (0): timer life Started: 3600.

    18 Dec 12:42:30.767: ISAKMP: (0): load useful vendor id of treatment
    18 Dec 12:42:30.767: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    12:42:30.767 18 Dec: ISAKMP (0): provider ID is NAT - T RFC 3947
    18 Dec 12:42:30.767: ISAKMP: (0): load useful vendor id of treatment
    18 Dec 12:42:30.767: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
    18 Dec 12:42:30.767: ISAKMP: (0): load useful vendor id of treatment
    18 Dec 12:42:30.767: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
    18 Dec 12:42:30.767: ISAKMP: (0): provider ID is NAT - T v2
    18 Dec 12:42:30.767: ISAKMP: (0): load useful vendor id of treatment
    18 Dec 12:42:30.767: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
    18 Dec 12:42:30.767: ISAKMP: (0): load useful vendor id of treatment
    18 Dec 12:42:30.767: ISAKMP: (0): IKE frag vendor processing id payload
    12:42:30.767 18 Dec: ISAKMP: (0): IKE Fragmentation support not enabled
    18 Dec 12:42:30.767: ISAKMP: (0): load useful vendor id of treatment
    18 Dec 12:42:30.767: ISAKMP: (0): provider ID is DPD
    12:42:30.767 18 Dec: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    12:42:30.767 18 Dec: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1

    18 Dec 12:42:30.767: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
    18 Dec 12:42:30.767: ISAKMP: (0): lot of 200.247.229.53 sending my_port 500 peer_port 50003 (R) MM_SA_SETUP
    12:42:30.767 18 Dec: ISAKMP: (0): sending a packet IPv4 IKE.
    12:42:30.767 18 Dec: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    12:42:30.767 18 Dec: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM2

    12:42:31.730 18 Dec: ISAKMP (0): received 200.247.229.53 packet dport 500 sport 50003 Global (R) MM_SA_SETUP
    12:42:31.730 18 Dec: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    12:42:31.730 18 Dec: ISAKMP: (0): former State = new State IKE_R_MM2 = IKE_R_MM3

    18 Dec 12:42:31.730: ISAKMP: (0): processing KE payload. Message ID = 0
    18 Dec 12:42:31.758: ISAKMP: (0): processing NONCE payload. Message ID = 0
    12:42:31.758 18 Dec: ISAKMP: (0): pair found pre-shared key matching 200.247.229.53
    12:42:31.758 18 Dec: ISAKMP: receives the payload type 20
    12:42:31.758 18 Dec: ISAKMP (1028): NAT found, both nodes inside the NAT
    12:42:31.758 18 Dec: ISAKMP: receives the payload type 20
    12:42:31.758 18 Dec: ISAKMP (1028): NAT found, both nodes inside the NAT
    12:42:31.758 18 Dec: ISAKMP: (1028): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    12:42:31.758 18 Dec: ISAKMP: (1028): former State = new State IKE_R_MM3 = IKE_R_MM3

    18 Dec 12:42:31.758: ISAKMP: (1028): lot of 200.247.229.53 sending my_port 500 peer_port 50003 (R) MM_KEY_EXCH
    12:42:31.758 18 Dec: ISAKMP: (1028): sending a packet IPv4 IKE.
    12:42:31.758 18 Dec: ISAKMP: (1028): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    12:42:31.758 18 Dec: ISAKMP: (1028): former State = new State IKE_R_MM3 = IKE_R_MM4

    12:42:32.278 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50001 Global (R) MM_KEY_EXCH
    12:42:32.278 18 Dec: ISAKMP: (1028): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    12:42:32.278 18 Dec: ISAKMP: (1028): former State = new State IKE_R_MM4 = IKE_R_MM5

    18 Dec 12:42:32.278: ISAKMP: (1028): payload ID for treatment. Message ID = 0
    12:42:32.278 18 Dec: ISAKMP (1028): payload ID
    next payload: 8
    type: 1
    address: 10.92.110.15
    Protocol: 17
    Port: 500
    Length: 12
    12:42:32.278 18 Dec: ISAKMP: (0): peer games * no * profiles
    18 Dec 12:42:32.278: ISAKMP: (1028): HASH payload processing. Message ID = 0
    12:42:32.278 18 Dec: ISAKMP: (1028): SA authentication status:
    authenticated
    12:42:32.278 18 Dec: ISAKMP: (1028): SA has been authenticated with 200.247.229.53
    12:42:32.278 18 Dec: ISAKMP: (1028): port detected floating port = 50001
    12:42:32.278 18 Dec: ISAKMP: attempts to insert a peer and inserted 192.168.0.1/200.247.229.53/50001/ 285F5FBC successfully.
    12:42:32.278 18 Dec: ISAKMP: (1028): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    12:42:32.278 18 Dec: ISAKMP: (1028): former State = new State IKE_R_MM5 = IKE_R_MM5

    12:42:32.278 18 Dec: ISAKMP: (1028): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
    12:42:32.278 18 Dec: ISAKMP (1028): payload ID
    next payload: 8
    type: 1
    address: 192.168.0.1
    Protocol: 17
    Port: 0
    Length: 12
    12:42:32.278 18 Dec: ISAKMP: (1028): the total payload length: 12
    18 Dec 12:42:32.278: ISAKMP: (1028): lot of 200.247.229.53 sending peer_port my_port 4500 50001 (R) MM_KEY_EXCH
    12:42:32.278 18 Dec: ISAKMP: (1028): sending a packet IPv4 IKE.
    12:42:32.278 18 Dec: ISAKMP: (1028): real life of return: 3600
    12:42:32.278 18 Dec: ISAKMP: node set 662318345 to QM_IDLE
    12:42:32.278 18 Dec: ISAKMP: (1028): Protocol to send NOTIFIER RESPONDER_LIFETIME 1
    SPI 672252680, message ID = 662318345
    18 Dec 12:42:32.278: ISAKMP: (1028): lot of 200.247.229.53 sending peer_port my_port 4500 50001 (R) MM_KEY_EXCH
    12:42:32.278 18 Dec: ISAKMP: (1028): sending a packet IPv4 IKE.
    12:42:32.278 18 Dec: ISAKMP: (1028): purge the node 662318345
    12:42:32.278 18 Dec: ISAKMP: phase sending 1 machine life 3600

    12:42:32.278 18 Dec: ISAKMP: (1028): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    12:42:32.278 18 Dec: ISAKMP: (1028): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE

    12:42:32.278 18 Dec: ISAKMP: (1028): IKE_DPD is enabled, the initialization of timers
    12:42:32.282 18 Dec: ISAKMP: (1028): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    12:42:32.282 18 Dec: ISAKMP: (1028): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

    12:42:32.834 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50001 Global (R) QM_IDLE
    12:42:32.834 18 Dec: ISAKMP: node set-647285005 to QM_IDLE
    18 Dec 12:42:32.834: ISAKMP: (1028): HASH payload processing. Message ID =-647285005
    18 Dec 12:42:32.834: ISAKMP: (1028): treatment protocol NOTIFIER INITIAL_CONTACT 1
    SPI 0, message ID =-647285005, his 28840894 =
    12:42:32.834 18 Dec: ISAKMP: (1028): SA authentication status:
    authenticated
    18 Dec 12:42:32.834: ISAKMP: (1028): process of first contact.
    dropping existing phase 1 and 2 with local 192.168.0.1 distance distance 200.247.229.53 port 50001
    12:42:32.834 18 Dec: ISAKMP: (1028): node-647285005 error suppression FALSE reason 'informational (en) State 1.
    12:42:32.834 18 Dec: ISAKMP: (1028): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    12:42:32.834 18 Dec: ISAKMP: (1028): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

    18 Dec 12:42:32.834: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
    12:42:34.222 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50004 Global (R) QM_IDLE
    12:42:34.222 18 Dec: ISAKMP: node set-725923158 to QM_IDLE
    18 Dec 12:42:34.222: ISAKMP: (1028): HASH payload processing. Message ID =-725923158
    18 Dec 12:42:34.222: ISAKMP: (1028): treatment ITS payload. Message ID =-725923158
    12:42:34.222 18 Dec: ISAKMP: (1028): proposal of IPSec checking 1
    12:42:34.222 18 Dec: ISAKMP: turn 1, ESP_AES
    12:42:34.222 18 Dec: ISAKMP: attributes of transformation:
    12:42:34.222 18 Dec: ISAKMP: type of life in seconds
    12:42:34.222 18 Dec: ISAKMP: life of HIS (basic) of 28800
    12:42:34.222 18 Dec: ISAKMP: program is 4 (Transport-UDP)
    12:42:34.222 18 Dec: ISAKMP: key length is 256
    12:42:34.222 18 Dec: ISAKMP: authenticator is HMAC-SHA
    12:42:34.222 18 Dec: ISAKMP: (1028): atts are acceptable.
    12:42:34.222 18 Dec: ISAKMP: (1028): proposal of IPSec checking 1
    12:42:34.222 18 Dec: ISAKMP: turning 2, ESP_AES
    12:42:34.222 18 Dec: ISAKMP: attributes of transformation:
    12:42:34.222 18 Dec: ISAKMP: type of life in seconds
    12:42:34.222 18 Dec: ISAKMP: life of HIS (basic) of 28800
    12:42:34.222 18 Dec: ISAKMP: program is 4 (Transport-UDP)
    12:42:34.222 18 Dec: ISAKMP: key length is 256
    12:42:34.222 18 Dec: ISAKMP: authenticator is HMAC-MD5
    12:42:34.222 18 Dec: ISAKMP: (1028): atts are acceptable.
    12:42:34.222 18 Dec: ISAKMP: (1028): proposal of IPSec checking 1
    12:42:34.222 18 Dec: ISAKMP: turn 3, ESP_AES
    12:42:34.222 18 Dec: ISAKMP: attributes of transformation:
    12:42:34.222 18 Dec: ISAKMP: type of life in seconds
    12:42:34.222 18 Dec: ISAKMP: life of HIS (basic) of 28800
    12:42:34.222 18 Dec: ISAKMP: program is 4 (Transport-UDP)
    12:42:34.222 18 Dec: ISAKMP: key length is 128
    12:42:34.222 18 Dec: ISAKMP: authenticator is HMAC-SHA
    12:42:34.222 18 Dec: ISAKMP: (1028): atts are acceptable.
    12:42:34.222 18 Dec: ISAKMP: (1028): proposal of IPSec checking 1
    12:42:34.222 18 Dec: ISAKMP: turn 4, ESP_AES
    12:42:34.222 18 Dec: ISAKMP: attributes of transformation:
    12:42:34.222 18 Dec: ISAKMP: type of life in seconds
    12:42:34.222 18 Dec: ISAKMP: life of HIS (basic) of 28800
    12:42:34.222 18 Dec: ISAKMP: program is 4 (Transport-UDP)
    12:42:34.222 18 Dec: ISAKMP: key length is 128
    12:42:34.222 18 Dec: ISAKMP: authenticator is HMAC-MD5
    12:42:34.222 18 Dec: ISAKMP: (1028): atts are acceptable.
    12:42:34.222 18 Dec: ISAKMP: (1028): proposal of IPSec checking 1
    12:42:34.222 18 Dec: ISAKMP: turn 5, ESP_3DES
    12:42:34.222 18 Dec: ISAKMP: attributes of transformation:
    12:42:34.222 18 Dec: ISAKMP: type of life in seconds
    12:42:34.226 18 Dec: ISAKMP: life of HIS (basic) of 28800
    12:42:34.226 18 Dec: ISAKMP: program is 4 (Transport-UDP)
    12:42:34.226 18 Dec: ISAKMP: authenticator is HMAC-SHA
    12:42:34.226 18 Dec: ISAKMP: (1028): atts are acceptable.
    12:42:34.226 18 Dec: ISAKMP: (1028): proposal of IPSec checking 1
    12:42:34.226 18 Dec: ISAKMP: turn 6, ESP_3DES
    12:42:34.226 18 Dec: ISAKMP: attributes of transformation:
    12:42:34.226 18 Dec: ISAKMP: type of life in seconds
    12:42:34.226 18 Dec: ISAKMP: life of HIS (basic) of 28800
    12:42:34.226 18 Dec: ISAKMP: program is 4 (Transport-UDP)
    12:42:34.226 18 Dec: ISAKMP: authenticator is HMAC-MD5
    12:42:34.226 18 Dec: ISAKMP: (1028): atts are acceptable.
    12:42:34.226 18 Dec: ISAKMP: (1028): proposal of IPSec checking 1
    12:42:34.226 18 Dec: ISAKMP: turn 7, ESP_DES
    12:42:34.226 18 Dec: ISAKMP: attributes of transformation:
    12:42:34.226 18 Dec: ISAKMP: type of life in seconds
    12:42:34.226 18 Dec: ISAKMP: life of HIS (basic) of 28800
    12:42:34.226 18 Dec: ISAKMP: program is 4 (Transport-UDP)
    12:42:34.226 18 Dec: ISAKMP: authenticator is HMAC-SHA
    12:42:34.226 18 Dec: ISAKMP: (1028): atts are acceptable.
    12:42:34.226 18 Dec: ISAKMP: (1028): proposal of IPSec checking 1
    12:42:34.226 18 Dec: ISAKMP: turn 8, ESP_DES
    12:42:34.226 18 Dec: ISAKMP: attributes of transformation:
    12:42:34.226 18 Dec: ISAKMP: type of life in seconds
    12:42:34.226 18 Dec: ISAKMP: life of HIS (basic) of 28800
    12:42:34.226 18 Dec: ISAKMP: program is 4 (Transport-UDP)
    12:42:34.226 18 Dec: ISAKMP: authenticator is HMAC-MD5
    12:42:34.226 18 Dec: ISAKMP: (1028): atts are acceptable.
    18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 the proposal
    18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 of the proposal
    (Eng. msg key.) Local INCOMING = 192.168.0.1, distance = 200.247.229.53,.
    local_proxy = 201.229.58.242/255.255.255.255/17/1701 (type = 1),
    remote_proxy = 200.247.229.53/255.255.255.255/17/0 (type = 1),
    Protocol = ESP, transform = NONE (UDP Transport),
    lifedur = 0 and 0kb in
    SPI = 0 x 0 (0), id_conn = 0, keysize = 256, flags = 0 x 0
    18 Dec 12:42:34.226: IPSEC (ipsec_process_proposal): application for conversion not supported for identity:
    {esp - aes 256 esp-sha-hmac}
    18 Dec 12:42:34.226: ISAKMP: (1028): IPSec policy invalidated proposal with error 256
    18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 the proposal
    18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 of the proposal
    (Eng. msg key.) Local INCOMING = 192.168.0.1, distance = 200.247.229.53,.
    local_proxy = 201.229.58.242/255.255.255.255/17/1701 (type = 1),
    remote_proxy = 200.247.229.53/255.255.255.255/17/0 (type = 1),
    Protocol = ESP, transform = NONE (UDP Transport),
    lifedur = 0 and 0kb in
    SPI = 0 x 0 (0), id_conn = 0, keysize = 256, flags = 0 x 0
    18 Dec 12:42:34.226: IPSEC (ipsec_process_proposal): application for conversion not supported for identity:
    {esp - aes 256 esp-md5-hmac}
    18 Dec 12:42:34.226: ISAKMP: (1028): IPSec policy invalidated proposal with error 256
    18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 the proposal
    18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 of the proposal
    (Eng. msg key.) Local INCOMING = 192.168.0.1, distance = 200.247.229.53,.
    local_proxy = 201.229.58.242/255.255.255.255/17/1701 (type = 1),
    remote_proxy = 200.247.229.53/255.255.255.255/17/0 (type = 1),
    Protocol = ESP, transform = NONE (UDP Transport),
    lifedur = 0 and 0kb in
    SPI = 0 x 0 (0), id_conn = 0, keysize = 128, flags = 0 x 0
    18 Dec 12:42:34.226: IPSEC (ipsec_process_proposal): application for conversion not supported for identity:
    {esp - aes esp-sha-hmac}
    18 Dec 12:42:34.226: ISAKMP: (1028): IPSec policy invalidated proposal with error 256
    18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 the proposal
    18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 of the proposal
    (Eng. msg key.) Local INCOMING = 192.168.0.1, distance = 200.247.229.53,.
    local_proxy = 201.229.58.242/255.255.255.255/17/1701 (type = 1),
    remote_proxy = 200.247.229.53/255.255.255.255/17/0 (type = 1),
    Protocol = ESP, transform = NONE (UDP Transport),
    lifedur = 0 and 0kb in
    SPI = 0 x 0 (0), id_conn = 0, keysize = 128, flags = 0 x 0
    18 Dec 12:42:34.226: IPSEC (ipsec_process_proposal): application for conversion not supported for identity:
    {esp - aes esp-md5-hmac}
    18 Dec 12:42:34.226: ISAKMP: (1028): IPSec policy invalidated proposal with error 256
    18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 the proposal
    18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 of the proposal
    (Eng. msg key.) Local INCOMING = 192.168.0.1, distance = 200.247.229.53,.
    local_proxy = 201.229.58.242/255.255.255.255/17/1701 (type = 1),
    remote_proxy = 200.247.229.53/255.255.255.255/17/0 (type = 1),
    Protocol = ESP, transform = NONE (UDP Transport),
    lifedur = 0 and 0kb in
    SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
    18 Dec 12:42:34.226: IPSEC (ipsec_process_proposal): invalid transform proposal flags - 0 x 800
    18 Dec 12:42:34.226: ISAKMP: (1028): IPSec policy invalidated proposal with error 1024
    18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 the proposal
    18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 of the proposal
    (Eng. msg key.) Local INCOMING = 192.168.0.1, distance = 200.247.229.53,.
    local_proxy = 201.229.58.242/255.255.255.255/17/1701 (type = 1),
    remote_proxy = 200.247.229.53/255.255.255.255/17/0 (type = 1),
    Protocol = ESP, transform = NONE (UDP Transport),
    lifedur = 0 and 0kb in
    SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
    18 Dec 12:42:34.226: IPSEC (ipsec_process_proposal): application for conversion not supported for identity:
    {esp-3des esp-md5-hmac}
    18 Dec 12:42:34.226: ISAKMP: (1028): IPSec policy invalidated proposal with error 256
    18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 the proposal
    18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 of the proposal
    (Eng. msg key.) Local INCOMING = 192.168.0.1, distance = 200.247.229.53,.
    local_proxy = 201.229.58.242/255.255.255.255/17/1701 (type = 1),
    remote_proxy = 200.247.229.53/255.255.255.255/17/0 (type = 1),
    Protocol = ESP, transform = NONE (UDP Transport),
    lifedur = 0 and 0kb in
    SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
    18 Dec 12:42:34.226: IPSEC (ipsec_process_proposal): application for conversion not supported for identity:
    {des-esp esp-sha-hmac}
    18 Dec 12:42:34.226: ISAKMP: (1028): IPSec policy invalidated proposal with error 256
    18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 the proposal
    18 Dec 12:42:34.226: IPSEC (validate_proposal_request): part #1 of the proposal
    (Eng. msg key.) Local INCOMING = 192.168.0.1, distance = 200.247.229.53,.
    local_proxy = 201.229.58.242/255.255.255.255/17/1701 (type = 1),
    remote_proxy = 200.247.229.53/255.255.255.255/17/0 (type = 1),
    Protocol = ESP, transform = NONE (UDP Transport),
    lifedur = 0 and 0kb in
    SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
    18 Dec 12:42:34.226: IPSEC (ipsec_process_proposal): application for conversion not supported for identity:
    {des-esp esp-md5-hmac}
    18 Dec 12:42:34.226: ISAKMP: (1028): IPSec policy invalidated proposal with error 256
    18 Dec 12:42:34.226: ISAKMP: (1028): politics of ITS phase 2 is not acceptable! (local 192.168.0.1 200.247.229.53 remote)
    12:42:34.226 18 Dec: ISAKMP: node set 924420306 to QM_IDLE
    12:42:34.226 18 Dec: ISAKMP: (1028): Protocol to send NOTIFIER PROPOSAL_NOT_CHOSEN 3
    SPI 672251800, message ID = 924420306
    18 Dec 12:42:34.226: ISAKMP: (1028): lot of 200.247.229.53 sending peer_port my_port 4500 50001 (R) QM_IDLE
    12:42:34.226 18 Dec: ISAKMP: (1028): sending a packet IPv4 IKE.
    12:42:34.226 18 Dec: ISAKMP: (1028): purge the node 924420306
    12:42:34.226 18 Dec: ISAKMP: (1028): node-725923158 error suppression REAL reason "QM rejected."
    12:42:34.226 18 Dec: ISAKMP: (1028): entrance, node-725923158 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    12:42:34.226 18 Dec: ISAKMP: (1028): former State = new State IKE_QM_READY = IKE_QM_READY
    12:42:36.558 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50004 Global (R) QM_IDLE
    18 Dec 12:42:36.558: ISAKMP: (1028): package of phase 2 is a duplicate of a previous package.
    18 Dec 12:42:36.558: ISAKMP: (1028): retransmission due to the phase 2 retransmission
    18 Dec 12:42:36.558: ISAKMP: (1028): ignorance, retransmission, because phase2 node marked 725923158 dead
    12:42:40.670 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50004 Global (R) QM_IDLE
    18 Dec 12:42:40.670: ISAKMP: (1028): package of phase 2 is a duplicate of a previous package.
    18 Dec 12:42:40.670: ISAKMP: (1028): retransmission due to the phase 2 retransmission
    18 Dec 12:42:40.670: ISAKMP: (1028): ignorance, retransmission, because phase2 node marked 725923158 dead
    12:42:42.566 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50004 Global (R) QM_IDLE
    18 Dec 12:42:42.566: ISAKMP: (1028): package of phase 2 is a duplicate of a previous package.
    18 Dec 12:42:42.566: ISAKMP: (1028): retransmission due to the phase 2 retransmission
    18 Dec 12:42:42.566: ISAKMP: (1028): ignorance, retransmission, because phase2 node marked 725923158 dead
    12:42:47.262 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50004 Global (R) QM_IDLE
    18 Dec 12:42:47.262: ISAKMP: (1028): package of phase 2 is a duplicate of a previous package.
    18 Dec 12:42:47.262: ISAKMP: (1028): retransmission due to the phase 2 retransmission
    18 Dec 12:42:47.262: ISAKMP: (1028): ignorance, retransmission, because phase2 node marked 725923158 dead
    12:42:49.414 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50004 Global (R) QM_IDLE
    18 Dec 12:42:49.414: ISAKMP: (1028): package of phase 2 is a duplicate of a previous package.
    18 Dec 12:42:49.414: ISAKMP: (1028): retransmission due to the phase 2 retransmission
    18 Dec 12:42:49.414: ISAKMP: (1028): ignorance, retransmission, because phase2 node marked 725923158 dead
    12:42:52.466 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50004 Global (R) QM_IDLE
    18 Dec 12:42:52.466: ISAKMP: (1028): package of phase 2 is a duplicate of a previous package.
    18 Dec 12:42:52.466: ISAKMP: (1028): retransmission due to the phase 2 retransmission
    18 Dec 12:42:52.466: ISAKMP: (1028): ignorance, retransmission, because phase2 node marked 725923158 dead
    12:42:54.574 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50004 Global (R) QM_IDLE
    18 Dec 12:42:54.574: ISAKMP: (1028): package of phase 2 is a duplicate of a previous package.
    18 Dec 12:42:54.574: ISAKMP: (1028): retransmission due to the phase 2 retransmission
    18 Dec 12:42:54.574: ISAKMP: (1028): ignorance, retransmission, because phase2 node marked 725923158 dead
    12:42:58.738 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50004 Global (R) QM_IDLE
    18 Dec 12:42:58.738: ISAKMP: (1028): package of phase 2 is a duplicate of a previous package.
    18 Dec 12:42:58.738: ISAKMP: (1028): retransmission due to the phase 2 retransmission
    18 Dec 12:42:58.738: ISAKMP: (1028): ignorance, retransmission, because phase2 node marked 725923158 dead
    12:43:00.626 18 Dec: ISAKMP (1028): received 200.247.229.53 packet dport 4500 sport 50004 Global (R) QM_IDLE
    18 Dec 12:43:00.626: ISAKMP: (1028): package of phase 2 is a duplicate of a previous package.
    18 Dec 12:43:00.626: ISAKMP: (1028): retransmission due to the phase 2 retransmission
    18 Dec 12:43:00.626: ISAKMP: (1028): ignorance, retransmission, because phase2 node marked 725923158 dead
    12:43:04.274 Dec 18: L2X:pak 0 nec vrf tableid
    12:43:04.274 18 Dec: L2X: Punting to the queue of L2TP control messages
    12:43:04.274 Dec 18: L2X:pak 0 nec vrf tableid
    12:43:04.274 18 Dec: L2X: Punting to the queue of L2TP control messages
    12:43:04.278 18 Dec: L2TP _: _: ERROR: NULL found l2x cc with handle [32787]

    In fact, the main problem is NAT-T, so avoiding the connection through NAT-T should work.

    The solution of closure seems to be a possible workaround.

    Enjoy the holidays!

    -Randy-
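
The rejection sequence in the debug output above can be summarised mechanically. The Python sketch below is an added example, not code from the thread: the function names are hypothetical, the sample lines are excerpted from the log as it appears on this page, and the patterns key on tokens that survive in that copy (`ESP_*`, `key length is`, `authenticator is`, the numeric encapsulation value).

```python
import re
from collections import Counter

# IPsec DOI encapsulation-mode values; 3 and 4 are the NAT-T
# (UDP-encapsulated) variants defined in RFC 3947.
ENCAPS = {1: "tunnel", 2: "transport", 3: "udp-tunnel", 4: "udp-transport"}

RE_TRANSFORM = re.compile(r"\b(\d+), (ESP_\w+)")
RE_ENCAPS = re.compile(r"\bis (\d+) \((?:Tunnel|Transport)(?:-UDP)?\)")
RE_KEYLEN = re.compile(r"key length is (\d+)")
RE_AUTH = re.compile(r"authenticator is (HMAC-\w+)")
RE_ERROR = re.compile(r"invalidated proposal with error (\d+)")

# Lines excerpted from the debug output in the post above (transforms 1 and 5,
# two policy rejections and the final notify).
SAMPLE_LOG = """\
12:42:34.222 18 Dec: ISAKMP: turn 1, ESP_AES
12:42:34.222 18 Dec: ISAKMP: program is 4 (Transport-UDP)
12:42:34.222 18 Dec: ISAKMP: key length is 256
12:42:34.222 18 Dec: ISAKMP: authenticator is HMAC-SHA
12:42:34.222 18 Dec: ISAKMP: (1028): atts are acceptable.
12:42:34.222 18 Dec: ISAKMP: turn 5, ESP_3DES
12:42:34.226 18 Dec: ISAKMP: program is 4 (Transport-UDP)
12:42:34.226 18 Dec: ISAKMP: authenticator is HMAC-SHA
12:42:34.226 18 Dec: ISAKMP: (1028): atts are acceptable.
18 Dec 12:42:34.226: ISAKMP: (1028): IPSec policy invalidated proposal with error 256
18 Dec 12:42:34.226: ISAKMP: (1028): IPSec policy invalidated proposal with error 1024
12:42:34.226 18 Dec: ISAKMP: (1028): Protocol to send NOTIFIER PROPOSAL_NOT_CHOSEN 3
"""


def parse_offers(log):
    """Collect the offered phase-2 transforms and the policy rejections."""
    offers, errors, notified = [], Counter(), False
    current = None
    for line in log.splitlines():
        m = RE_TRANSFORM.search(line)
        if m:
            # A new transform starts; later attribute lines belong to it.
            current = {"number": int(m.group(1)), "cipher": m.group(2),
                       "key_bits": None, "auth": None, "encaps": None}
            offers.append(current)
            continue
        if current is not None:
            if (m := RE_ENCAPS.search(line)):
                current["encaps"] = ENCAPS.get(int(m.group(1)), "unknown")
            elif (m := RE_KEYLEN.search(line)):
                current["key_bits"] = int(m.group(1))
            elif (m := RE_AUTH.search(line)):
                current["auth"] = m.group(1)
        if (m := RE_ERROR.search(line)):
            errors[int(m.group(1))] += 1
        if "PROPOSAL_NOT_CHOSEN" in line:
            notified = True
    return {"offers": offers, "errors": dict(errors),
            "proposal_not_chosen": notified}


def diagnose(summary):
    """Reduce the parsed exchange to the facts that matter for triage."""
    offers = summary["offers"]
    modes = {o["encaps"] for o in offers}
    rejected = sum(summary["errors"].values())
    return {
        # Every offer arrived UDP-encapsulated, i.e. NAT-T was negotiated.
        "nat_t_only": bool(offers) and modes <= {"udp-tunnel", "udp-transport"},
        # The peer never offered tunnel mode.
        "transport_only": bool(offers) and modes <= {"transport", "udp-transport"},
        # Each offer was invalidated by policy and the notify was sent.
        "all_rejected": summary["proposal_not_chosen"] and rejected >= len(offers),
    }


if __name__ == "__main__":
    result = parse_offers(SAMPLE_LOG)
    for offer in result["offers"]:
        print(offer)
    print(result["errors"], diagnose(result))
```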

  • peer found setting up ipsec tunnel

    I'm trying to configure a VPN between a PIX 6.3(5) and an ASA 7.2(4). Everything looks good to me and I can't understand why the tunnel does not come up.

    PIX

    --------------------------------------

    access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.10.134.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.10.130.20 255.255.255.254
    access-list inside_outbound_nat0_acl permit ip 10.10.132.0 255.255.255.0 10.10.130.20 255.255.255.254
    access-list inside_outbound_nat0_acl permit ip 10.10.132.0 255.255.255.0 10.10.134.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.220.0.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.10.130.160 255.255.255.248
    access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.220.3.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.220.252.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.220.248.0 255.255.252.0
    access-list outside_cryptomap_20 permit ip 10.10.130.0 255.255.255.0 10.10.134.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 10.10.130.0 255.255.255.0 10.220.0.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 10.10.130.0 255.255.255.0 10.220.3.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 10.10.130.0 255.255.255.0 10.220.252.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 10.10.130.0 255.255.255.0 10.220.248.0 255.255.252.0
    access-list outside_cryptomap_dyn_20 permit ip any 10.10.130.20 255.255.255.254
    access-list outside_cryptomap_40 permit ip 10.10.130.0 255.255.255.0 10.10.134.0 255.255.255.0
    access-list outside_cryptomap_40 permit ip 10.10.132.0 255.255.255.0 10.10.134.0 255.255.255.0
    access-list lscctx_splitTunnelAcl permit ip 10.10.130.0 255.255.255.0 any
    access-list outside_cryptomap_dyn_40 permit ip any 10.10.130.160 255.255.255.248
    access-list outside_cryptomap_dyn_60 permit ip any 10.130.254.0 255.255.255.0
    access-list outside_cryptomap_60 permit ip 10.10.130.0 255.255.255.0 10.130.16.0 255.255.255.0
    access-list outside_cryptomap_60 permit ip 10.10.132.0 255.255.255.0 10.130.16.0 255.255.255.0
    access-list outside_cryptomap_60 permit ip 10.10.134.0 255.255.255.0 10.130.16.0 255.255.255.0
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
    crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
    crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 208.77.70.98
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 60 ipsec-isakmp
    crypto map outside_map 60 match address outside_cryptomap_40
    crypto map outside_map 60 set peer 10.130.254.6
    crypto map outside_map 60 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key * address 66.15.x.x netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key * address 208.125.x.x netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key * address 209.125.x.x netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key * address 12.49.x.x netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key * address 208.77.x.x netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key * address 10.130.254.2 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key * address 10.130.254.6 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp nat-traversal 60
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    isakmp policy 40 authentication pre-share
    isakmp policy 40 encryption 3des
    isakmp policy 40 hash md5
    isakmp policy 40 group 2
    isakmp policy 40 lifetime 86400

    ASA

    --------------------------

    access-list OUTSIDE_CRYPTOMAP extended permit ip 10.130.16.0 255.255.255.0 10.10.130.0 255.255.255.0
    access-list OUTSIDE_CRYPTOMAP extended permit ip 10.130.16.0 255.255.255.0 10.10.132.0 255.255.255.0
    access-list OUTSIDE_CRYPTOMAP extended permit ip 10.130.16.0 255.255.255.0 10.10.134.0 255.255.255.0
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map OUTSIDE_MAP 1 match address OUTSIDE_CRYPTOMAP
    crypto map OUTSIDE_MAP 1 set peer 10.10.133.10
    crypto map OUTSIDE_MAP 1 set transform-set ESP-3DES-MD5
    crypto map OUTSIDE_MAP interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    tunnel-group 10.10.133.10 type ipsec-l2l
    tunnel-group 10.10.133.10 ipsec-attributes
     pre-shared-key *

    !

    !

    PIX debug

    ------------------------------------

    CT - PIX #.

    crypto_isakmp_process_block:src:10.130.254.6, dest:10.10.133.10 spt:500 dpt:500

    Exchange OAK_MM

    ISAKMP (0): treatment ITS payload. Message ID = 0

    ISAKMP (0): audit ISAKMP transform 1 against the policy of priority 10

    ISAKMP: default group 2

    ISAKMP: 3DES-CBC encryption

    ISAKMP: MD5 hash

    ISAKMP: preshared auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0 x 0 0 x 1 0 x 51 0x80

    ISAKMP (0): atts are not acceptable. Next payload is 0

    ISAKMP (0): audit ISAKMP transform 1 against 20 priority policy

    ISAKMP: default group 2

    ISAKMP: 3DES-CBC encryption

    ISAKMP: MD5 hash

    ISAKMP: preshared auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0 x 0 0 x 1 0 x 51 0x80

    ISAKMP (0): atts are not acceptable. Next payload is 0

    ISAKMP (0): audit ISAKMP transform 1 against the 40 priority policy

    ISAKMP: default group 2

    ISAKMP: 3DES-CBC encryption

    ISAKMP: MD5 hash

    ISAKMP: preshared auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0 x 0 0 x 1 0 x 51 0x80

    ISAKMP (0): atts are acceptable. Next payload is 0

    ISAKMP (0): load useful treatment vendor id

    ISAKMP (0): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication

    to return to the State is IKMP_NO_ERROR

    ISAKMP (0): retransmission of the phase 1 (0)...

    crypto_isakmp_process_block:src:10.130.254.6, dest:10.10.133.10 spt:500 dpt:500

    Peer VPN: ISAKMP: Peer Info for 10.130.254.6/500 not found - peer: 0

    ISAKMP: its larva is found

    ISAKMP (0): retransmission of the phase 1 (1)...

    ISAKMP (0): retransmission of the phase 1 (2)...

    crypto_isakmp_process_block:src:10.130.254.6, dest:10.10.133.10 spt:500 dpt:500

    Peer VPN: ISAKMP: Peer Info for 10.130.254.6/500 not found - peer: 0

    ISAKMP: its larva is found

    ISAKMP (0): retransmission of the phase 1 (3)...

    crypto_isakmp_process_block:src:10.130.254.6, dest:10.10.133.10 spt:500 dpt:500

    Peer VPN: ISAKMP: Peer Info for 10.130.254.6/500 not found - peer: 0

    ISAKMP: its larva is found

    ISAKMP (0): retransmission of the phase 1 (4)...

    ISAKMP (0): delete SA: src 10.130.254.6 dst 10.10.133.10

    ISADB: Reaper checking HIS 0 x 1143144, id_conn = 0 DELETE IT!

    Peer VPN: ISAKMP: Peer Info for 10.130.254.6/500 not found - peer: 0

    ASA debug

    --------------------------------------

    CT-STEPHEN-ASA # 18 Jul 20:08:23 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0

    18 Jul 20:08:23 [IKEv1]: IP = 10.10.133.10, initiator of IKE: New Phase 1, Intf inside, IKE Peer 10.10.133.10 address local proxy 10.130.16.0, address remote Proxy 10.10.130.0, Card Crypto (OUTSIDE_MAP)

    18 Jul 20:08:23 [IKEv1 DEBUG]: IP = 10.10.133.10, build the payloads of ISAKMP security

    18 Jul 20:08:23 [IKEv1 DEBUG]: IP = 10.10.133.10, construction of Fragmentation VID + load useful functionality

    18 Jul 20:08:23 [IKEv1]: IP = 10.10.133.10, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 108

    SENDING PACKETS to 10.10.133.10

    ISAKMP header

    Initiator COOKIE: 28 31 24 50 42 4-5 ba has

    Responder COOKIE: 00 00 00 00 00 00 00 00

    Next payload: Security Association

    Version: 1.0

    Exchange type: Protection of identity (Main Mode)

    Indicators: (none)

    MessageID: 00000000

    Length: 108

    Payload security association

    Next payload: Vendor ID

    Booked: 00

    Payload length: 56

    DOI: IPsec

    Situation: (SIT_IDENTITY_ONLY)

    Proposal of payload

    Next payload: no

    Booked: 00

    Payload length: 44

    Proposal #: 1

    Protocol-Id: PROTO_ISAKMP

    SPI size: 0

    number of transformations: 1

    Transformation of the payload

    Next payload: no

    Booked: 00

    Payload length: 36

    Transform #: 1

    Transform-Id: KEY_IKE

    Reserved2: 0000

    Description of the Group: Group 2

    Encryption algorithm: 3DES-CBC

    The hashing algorithm: MD5

    Authentication method: pre-shared key

    Type of life: seconds

    Life (Hex): 00 01 51 80

    Vendor ID payload

    Next payload: no

    Booked: 00

    Payload length: 24

    Data (in hexadecimal):

    40 48 b7 d5 6th e8 85 25 e7 7f 00 c2 d3 d6 bc

    C0 00 00 00

    18 Jul 20:08:25 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0

    18 Jul 20:08:25 [IKEv1]: IP = 10.10.133.10, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.

    18 Jul 20:08:27 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0

    18 Jul 20:08:27 [IKEv1]: IP = 10.10.133.10, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.

    18 Jul 20:08:29 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0

    18 Jul 20:08:29 [IKEv1]: IP = 10.10.133.10, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.

    18 Jul 20:08:31 [IKEv1]: IP = 10.10.133.10, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 108

    18 Jul 20:08:31 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0

    18 Jul 20:08:31 [IKEv1]: IP = 10.10.133.10, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.

    18 Jul 20:08:39 [IKEv1]: IP = 10.10.133.10, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 108

    18 Jul 20:08:47 [IKEv1]: IP = 10.10.133.10, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 108

    18 Jul 20:08:55 [IKEv1 DEBUG]: IP = 10.10.133.10, case of mistaken IKE MM Initiator WSF (struct & 0x1d24750) , : MM_DONE, EV_ERROR--> MM_WAIT_MSG2, EV_RETRY--> MM_WAIT_MSG2, EV_TIMEOUT--> MM_WAIT_MSG2 NullEvent--> MM_SND_MSG1, EV_SND_MSG--> MM_SND_MSG1, EV_START_TMR--> MM_SND_MSG1, EV_RESEND_MSG--> MM_WAIT_MSG2, EV_RETRY

    18 Jul 20:08:55 [IKEv1 DEBUG]: IP = 10.10.133.10, IKE SA MM:50243128 ending: flags 0 x 01000022, refcnt 0, tuncnt 0

    18 Jul 20:08:55 [IKEv1 DEBUG]: IP = 10.10.133.10, sending clear/delete with the message of reason

    18 Jul 20:08:55 [IKEv1]: IP = 10.10.133.10, Removing peer to peer table has no, no match!

    18 Jul 20:08:55 [IKEv1]: IP = 10.10.133.10, error: cannot delete PeerTblEntry

    Sorry, just trying to think why it cannot find the peer, with the following error message:

    Peer VPN: ISAKMP: Peer Info for 10.130.254.6/500 not found - peer: 0

    While in fact 10.130.254.6 is configured, as per your post.

    Configuration seems correct to me. You might want to try to reload the PIX.

  • Cisco IPSEC VPN encrypts but does not decrypt

    Hello

    I have an IPsec VPN problem.

    Packets are encapsulated and decapsulated, but only in one direction. I don't understand why.

    The VPN is already set up on another router. I want to replace the router but can't get the VPN to work on the new router.

    Thank you for helping me

    PS: Sorry for my English

    Hello

    I looked at the configuration of your router RT-897VA once again, and I don't know if the static NAT statements in there are supposed to work or not, but they won't because you have not specified any inside and outside interfaces. The configuration changes below apply to the configuration of your RT router; check whether implementing them makes a difference (the changes are indicated in bold):

    RT-897VA #show run
    Building configuration...

    Current configuration: 3933 bytes
    !
    ! 11:56:34 configuration was last modified THIS Friday, November 4, 2016
    !
    version 15.4
    horodateurs service debug datetime msec
    Log service timestamps datetime msec
    no password encryption service
    !
    RT-897VA host name
    !
    boot-start-marker
    boot-end-marker
    !
    !
    !
    No aaa new-model
    clock timezone THIS 1 0
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !

    !
    !
    !
    !
    domain IP XXXXX
    IP-name 194.2.0.20 Server
    IP-name 194.2.0.50 server
    IP cef
    No ipv6 cef
    !
    !
    !
    !
    !
    Authenticated MultiLink bundle-name Panel
    VPDN enable
    !
    VPDN-Group 1
    ! Default L2TP VPDN group
    accept-dialin
    L2tp Protocol
    virtual-model 1
    tunnel L2TP non-session timeout 15
    !
    !
    default value for the field
    !
    !
    !
    !
    !
    !
    !
    CTS verbose logging
    license udi pid C897VA-K9 sn FCZ2030DL
    !
    !
    username password privilege 15 itef 0...
    !
    !
    !
    !
    !
    VDSL controller 0
    !
    property intellectual ssh rsa keypair-name XXX
    property intellectual ssh version 2
    !
    !
    crypto isakmp policy 1
     encr aes
     authentication pre-share
     group 2
    !
    crypto isakmp policy 2
     encr aes
     authentication pre-share
     group 2
    crypto isakmp key cleidentique address IP-WAN-B
    !
    !
    crypto ipsec transform-set toto esp-aes esp-sha-hmac
     mode tunnel
    !
    !
    !
    crypto map TUNNEL 1 ipsec-isakmp
     set peer IP-WAN-B
     set transform-set toto
     match address TUNNEL-DATA
    crypto map TUNNEL 2 ipsec-isakmp
     set peer IP-WAN-B
     set transform-set toto
     match address TUNNEL-TOIP
    !
    !
    !
    !
    !
    !
    ATM0 interface
    no ip address
    Shutdown
    No atm ilmi-keepalive
    !
    interface BRI0
    no ip address
    encapsulation hdlc
    Shutdown
    Multidrop ISDN endpoint
    !
    interface Ethernet0
    no ip address
    Shutdown
    !
    interface GigabitEthernet0
    Description BOX-SWITCH
    switchport trunk vlan 101 native
    switchport mode trunk
    no ip address
    spanning tree portfast
    !
    interface GigabitEthernet1
    no ip address
    !
    interface GigabitEthernet2
    no ip address
    !
    interface GigabitEthernet3
    no ip address
    !
    interface GigabitEthernet4
    no ip address
    !
    interface GigabitEthernet5
    no ip address
    !
    interface GigabitEthernet6
    no ip address
    !
    interface GigabitEthernet7
    no ip address
    !
    interface GigabitEthernet8
    WAN description
    IP address IP WAN - A 255.255.255.240
    IP virtual-reassembly in
    NAT outside IP
    automatic duplex
    automatic speed
    card crypto TUNNEL
    !
    interface Vlan1
    no ip address
    !
    interface Vlan101
    VLAN-DATA description
    IP 192.168.101.251 255.255.255.0
    IP nat inside
    IP virtual-reassembly in
    !
    interface Vlan111
    VLAN-TOIP description
    IP 192.168.111.251 255.255.255.0
    IP virtual-reassembly in
    !
    IP forward-Protocol ND
    no ip address of the http server
    no ip http secure server
    !
    !
    IP nat inside source static tcp IP 25 expandable 25 192.168.101.2
    IP nat inside source static tcp IP 80 80 extensible 192.168.101.2
    IP nat inside source static tcp 192.168.101.2 extensible IP 443 443
    IP nat inside source static tcp 192.168.101.31 3201 IP extensible 3201
    IP nat inside source static tcp 192.168.101.31 80 extensible IP 3280
    IP nat inside source static tcp IP 443 33443 extensible 192.168.101.11
    overload of IP nat inside source list NAT interface GigabitEthernet8
    IP route 0.0.0.0 0.0.0.0 XXXX (ADSL router)
    IP route 192.168.100.0 255.255.255.0 IP-WAN-B

    NAT extended IP access list
    deny ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
    IP 192.168.101.0 allow 0.0.0.255 any
    access list IP-TUNNEL-DATA extents
    IP 192.168.101.0 allow 0.0.0.255 192.168.100.0 0.0.0.255
    TUNNEL-TOIP extended IP access list
    IP 192.168.110.0 allow 0.0.0.255 192.168.111.0 0.0.0.255
    !
    access list IP-TUNNEL-DATA extents
    IP 192.168.101.0 allow 0.0.0.255 192.168.100.0 0.0.0.255
    permit tcp host 192.168.101.3 192.168.0.0 0.0.0.255 established
    TUNNEL-TOIP extended IP access list
    IP 192.168.111.0 allow 0.0.0.255 192.168.110.0 0.0.0.255
    !
    !
    !
    control plan
    !
    !
    MGCP behavior considered range tgcp only
    MGCP comedia-role behavior no
    disable the behavior MGCP comedia-check-media-src
    disable the behavior of MGCP comedia-sdp-force
    !
    profile MGCP default
    !
    !
    !
    !
    !
    !
    !
    Line con 0
    no activation of the modem
    line to 0
    line vty 0 4
    privilege level 15
    password...
    opening of session
    transport input telnet ssh
    line vty 5 15
    privilege level 15
    password...
    opening of session
    transport input telnet ssh
    !
    Scheduler allocate 20000 1000
    !
    !
    !
    end
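The two NAT conditions visible in this reply, checked mechanically, as an added example that is not part of the thread: NAT rules need both an `ip nat inside` and an `ip nat outside` interface, and the overload ACL has to deny the tunnel's traffic before its permit, as the posted `NAT` ACL does. The function names and the 203.0.113.x addresses are assumptions, and the sample configuration is constructed from the posted one in standard IOS syntax.

```python
import re

# Constructed sample in standard IOS syntax, modelled on the posted configuration;
# the 203.0.113.x addresses are documentation placeholders, not values from the thread.
FIXED = """\
crypto map TUNNEL 1 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set toto
 match address TUNNEL-DATA
!
interface GigabitEthernet8
 ip address 203.0.113.1 255.255.255.240
 ip nat outside
 crypto map TUNNEL
!
interface Vlan101
 ip address 192.168.101.251 255.255.255.0
 ip nat inside
!
ip nat inside source static tcp 192.168.101.2 443 203.0.113.1 443 extendable
ip nat inside source list NAT interface GigabitEthernet8 overload
!
ip access-list extended NAT
 deny ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.101.0 0.0.0.255 any
ip access-list extended TUNNEL-DATA
 permit ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
"""
# The state the reply describes: NAT rules present, no inside/outside interfaces.
BROKEN = FIXED.replace(" ip nat outside\n", "").replace(" ip nat inside\n", "")

def parse_blocks(config):
    """Map each top-level IOS line to the list of indented sub-commands under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
        elif raw[0].isspace() and current is not None:
            blocks[current].append(line)
        else:
            current = line
            blocks.setdefault(current, [])
    return blocks

def audit_nat(config):
    """Return findings for NAT rules that cannot work or that translate VPN traffic."""
    blocks, findings = parse_blocks(config), []
    nat_rules = [h for h in blocks if h.startswith("ip nat inside source ")]
    # 1. NAT rules need at least one 'ip nat inside' and one 'ip nat outside' interface.
    for role in ("inside", "outside") if nat_rules else ():
        marked = any(h.startswith("interface ") and f"ip nat {role}" in body
                     for h, body in blocks.items())
        if not marked:
            findings.append(f"{len(nat_rules)} NAT rule(s) but no interface has 'ip nat {role}'")
    # 2. Flows selected by a crypto map ACL must be denied in the overload ACL before
    #    the permit that would translate them (exact-text comparison of ACL entries).
    flows = set()
    for header, body in blocks.items():
        names = re.findall(r"^match address (\S+)$", "\n".join(body), re.M)
        if header.startswith("crypto map "):
            for name in names:
                acl = blocks.get(f"ip access-list extended {name}", [])
                flows.update(e[len("permit ip "):] for e in acl if e.startswith("permit ip "))
    for rule in nat_rules:
        m = re.fullmatch(r"ip nat inside source list (\S+) interface \S+ overload", rule)
        acl = blocks.get(f"ip access-list extended {m.group(1)}", []) if m else []
        for flow in sorted(flows):
            source = " ".join(flow.split()[:2])
            for entry in acl:
                if entry == f"deny ip {flow}":
                    break
                if entry.startswith(f"permit ip {source} "):
                    findings.append(f"ACL {m.group(1)}: '{flow}' is translated before the crypto map sees it")
                    break
    return findings

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit_nat(text))
```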

  • Converting an IOS IPsec configuration to IOS XR

    We have a working IPsec configuration on IOS:

    !

    door-key crypto KRING

    pre-shared key BA2211RA1.ba.caixa key SeCretBA2211RA1 hostname

    pre-shared key BA3618RA1.ba.caixa key SeCretBA3618RA1 hostname

    !

    crypto ISAKMP policy 1

    BA 3des

    preshared authentication

    Group 2

    life 3600

    Crypto isakmp ISAPROF profile

    Keychain KRING

    FQDN of self-identity

    match domain ba.caixa host identity

    match domain se.caixa host identity

    address - 10.144.0.15

    !

    !

    Crypto ipsec transform-set esp-3des esp-sha-hmac VPN

    !

    crypto dynamic-map 10 DYNMAP

    game of transformation-VPN

    ISAPROF Set isakmp-profile

    !

    card crypto VPN_AG_EBT address Loopback21

    card crypto VPN_AG_EBT 10-isakmp dynamic ipsec DYNMAP

    !

    !

    Interface Port - channel1.521

    card crypto VPN_AG_EBT

    !

    Will the IOS XR configuration look like this?

    !

    door-key crypto KRING

    pre-shared key hostname key

    !

    crypto ISAKMP policy 1

    3des encryption

    preshared authentication

    Group 2

    life 3600

    !

    Crypto isakmp ISAPROF profile

    Keychain KRING

    FQDN of self-identity

    host identity domain match

    !

    Crypto ipsec transform-set esp-3des esp-sha-hmac transform VPN

    !

    Profile of crypto ipsec VPN_AG_EBT

    dynamic set type

    PFS group2 Set

    game of transformation-VPN

    !

    interface of X / Y

    Crypto ipsec VPN_AG_EBT

    !

    The thing is, parts of the crypto configuration such as keychain are supported because they are used in some authentication methods for routing protocols.

    True IPsec isn't on the 9k; the current ucode has no room for this. Next gen maybe, and we are also working on a blade or an adapter that can help with this.

    I'll try to find an official statement that IPsec on the 9k is not supported, but the more I Googled it, the more confused I get as well; a lot of things 'suggest' it should work. I'm working on a correction to disambiguate.

    I'll also check with the CRS and XR12K guys what their support for IPsec in hardware is.

    Will report back when I hear.

    Regards

    Xander

  • Are there any changes to the IPSEC commands in version 15.4?

    Hello

    I am a beginner engineer.

    I must upgrade from IOS version 12.4(13r)T to 15.4.

    But I want to know the difference between the two versions in the IPSEC commands.

    Thank you.

    These are the commands in use:

    crypto ISAKMP policy 10
    BA 3des
    md5 hash
    preshared authentication
    Group 2
    address of this key crypto isakmp 172.1.1.1 friend
    ISAKMP crypto keepalive 10
    !
    !
    Crypto ipsec transform-set esp-3des esp-sha-hmac friend_ts
    !
    nice_IPSec 10 ipsec-isakmp crypto map
    defined peer 172.1.1.1
    Set transform-set friend_ts
    match nice address

    Hi wnsrud0179,

    I tried the commands on my router running 15.4(1) and each of them has been accepted without problem.

    It may be useful

    -Randy-

  • transport mode, AH in IPSec AH tunnel mode

    Hello world.

    I read about Ipsec that contains two main protocols among others: AH and ESP.

    For now, I'm focused on AH only. I read the theory on AH and the two modes AH may work in: tunnel mode and transport mode.

    (201.201.201.1) h1 - R1 (199.199.199.1) s0 - s0 (199.199.199.2) R2 - H2 (200.200.200.2)

    I would like to implement the following:

    Whenever R1 receives an IP packet from H1 to H2, R1 must use AH in transport mode before it sends the packet to R2; in the same way, R2 must use AH in transport mode for packets sent by H2 to H1 before sending them to R1.

    I just need an example on how we can configure R1 and R2 to accomplish the task above...

    Thanks for your help and have a great day.

    Hi Sara,

    Please find the example configuration for the GRE IPsec VPN using transport mode.

    (201.201.201.1) h1 - R1 (199.199.199.1) s0 - s0 (199.199.199.2) R2 - H2 (200.200.200.2)

    You can use an ACL to restrict to only the ports required for the VPN, such as UDP 500, AH, GRE and 4500, and you can check. I hope this helps.

    Also, you can refer to the site mentioned to better understand the differences between transport and tunnel modes.

    R1:
    ===
    version 12.4
    !
    hostname R1
    !
    ip cef
    !
    crypto isakmp policy 10
     authentication pre-share
    crypto isakmp key CISCO address 199.199.199.2
    !
    crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
     mode transport
    !
    crypto ipsec profile MyProfile
     set transform-set MyTransSet
    !
    interface Tunnel0
     ip address 10.10.10.1 255.255.255.252
     tunnel source 199.199.199.1
     tunnel destination 199.199.199.2
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile MyProfile
    !
    interface Serial0
     ip address 199.199.199.1 255.255.255.0
     duplex auto
     speed auto
    !
    ip route 0.0.0.0 0.0.0.0 199.199.199.2
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    end

    ======================================================================

    R2:
    ===
    version 12.4
    !
    hostname R2
    !
    ip cef
    !
    crypto isakmp policy 10
     authentication pre-share
    crypto isakmp key CISCO address 199.199.199.1
    !
    crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
     mode transport
    !
    crypto ipsec profile MyProfile
     set transform-set MyTransSet
    !
    interface Tunnel0
     ip address 10.10.10.2 255.255.255.252
     tunnel source 199.199.199.2
     tunnel destination 199.199.199.1
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile MyProfile
    !
    interface Serial0
     ip address 199.199.199.2 255.255.255.0
     duplex auto
     speed auto
    !
    ip route 0.0.0.0 0.0.0.0 199.199.199.1
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    end

    Please assess whether the information provided is useful.

    By

    Knockaert

  • A Site with IPsec without restoring a new tunnel

    Hello, I have a question about IPsec S2S.

    In this topology, I would like to run IPsec S2S between 172.21.0.0/24 and 172.22.0.0/24.

    The serial line is the first priority and the route via the ISP is the second priority for routing.

    The question is: how can I create the IPsec site-to-site connection without having to re-establish it when the routing path changes?

    The AR configuration:

    !
    version 15.1
    no service the timestamps don't log datetime msec
    no service timestamps debug datetime msec
    no password encryption service
    !
    hostname AR
    !
    !
    !
    !
    !
    !
    !
    !
    no ip cef
    No ipv6 cef
    !
    !
    !
    username cisco password 0 BR
    !
    !
    license udi pid CISCO2901/K9 sn FTX1524YO05
    licence start-up module c2900 technology-package securityk9
    !
    !
    !
    crypto ISAKMP policy 10
    BA 3des
    md5 hash
    preshared authentication
    Group 2
    !
    cisco key crypto isakmp 10.0.0.2 address
    address of cisco crypto isakmp 200.200.200.2 keys
    !
    !
    !
    Crypto ipsec transform-set esp-3des esp-sha-hmac TS
    !
    CMAP 10 ipsec-isakmp crypto card
    defined peer 10.0.0.2
    defined by peer 200.200.200.2
    game of transformation-TS
    match the vpn address
    !
    !
    !
    !
    !
    !
    pvst spanning-tree mode
    !
    !
    !
    !
    !
    !
    interface GigabitEthernet0/0
    IP 100.100.100.2 255.255.255.252
    automatic duplex
    automatic speed
    card crypto WCPA
    !
    interface GigabitEthernet0/1
    IP 172.21.0.254 255.255.255.0
    automatic duplex
    automatic speed
    !
    interface Serial0/0/0
    the IP 10.0.0.1 255.255.255.252
    encapsulation ppp
    Chap PPP authentication protocol
    2000000 clock frequency
    card crypto WCPA
    !
    interface Serial0/0/1
    no ip address
    2000000 clock frequency
    Shutdown
    !
    interface Vlan1
    no ip address
    Shutdown
    !
    router ospf 1
    Log-adjacency-changes
    Network 10.0.0.0 0.0.0.3 area 0
    network 172.21.0.0 0.0.0.255 area 0
    !
    router RIP
    version 2
    network 100.0.0.0
    network 172.21.0.0
    No Auto-resume
    !
    IP classless
    !
    IP flow-export version 9
    !
    !
    list of IP - vpn access scope
    IP 172.21.0.0 allow 0.0.0.255 172.22.0.0 0.0.0.255
    !
    !
    !
    !
    !
    Line con 0
    !
    line to 0
    !
    line vty 0 4
    opening of session
    !
    !
    !
    end

    Configuration of BR:

    !
    version 15.1
    no service the timestamps don't log datetime msec
    no service timestamps debug datetime msec
    no password encryption service
    !
    hostname BR
    !
    !
    !
    !
    !
    !
    !
    !
    no ip cef
    No ipv6 cef
    !
    !
    !
    Cisco spends 0 username AR
    !
    !
    license udi pid CISCO2901/K9 sn FTX1524L63A
    licence start-up module c2900 technology-package securityk9
    !
    !
    !
    crypto ISAKMP policy 10
    BA 3des
    md5 hash
    preshared authentication
    Group 2
    !
    cisco key crypto isakmp 10.0.0.1 address
    address of cisco crypto isakmp 100.100.100.2 keys
    !
    !
    !
    Crypto ipsec transform-set esp-3des esp-sha-hmac TS
    !
    CMAP 10 ipsec-isakmp crypto card
    defined peer 10.0.0.1
    defined by peer 100.100.100.2
    game of transformation-TS
    match the vpn address
    !
    !
    !
    !
    !
    !
    pvst spanning-tree mode
    !
    !
    !
    !
    !
    !
    interface GigabitEthernet0/0
    IP 200.200.200.2 255.255.255.252
    automatic duplex
    automatic speed
    card crypto WCPA
    !
    interface GigabitEthernet0/1
    IP 172.22.0.254 255.255.255.0
    automatic duplex
    automatic speed
    !
    interface Serial0/0/0
    the IP 10.0.0.2 255.255.255.252
    encapsulation ppp
    Chap PPP authentication protocol
    card crypto WCPA
    !
    interface Serial0/0/1
    no ip address
    2000000 clock frequency
    Shutdown
    !
    interface Vlan1
    no ip address
    Shutdown
    !
    router ospf 1
    Log-adjacency-changes
    Network 10.0.0.0 0.0.0.3 area 0
    network 172.22.0.0 0.0.0.255 area 0
    !
    router RIP
    version 2
    network 172.22.0.0
    network 200.200.200.0
    No Auto-resume
    !
    IP classless
    !
    IP flow-export version 9
    !
    !
    list of IP - vpn access scope
    IP 172.22.0.0 allow 0.0.0.255 172.21.0.0 0.0.0.255
    !
    !
    !
    !
    !
    Line con 0
    !
    line to 0
    !
    line vty 0 4
    opening of session
    !
    !
    !
    end

    Thank you very much!

    Although you might go this route, I wouldn't.

    I would use VTI interfaces (GRE tunnels that run over IPSec). One on the serial circuit and the other on the ISP circuit.

    You can then either use GRE keepalives to detect which tunnels are up and use static routes, or use a dynamic routing protocol such as EIGRP (put a higher 'bandwidth' value with the 'bandwidth' command on the preferred tunnel).

  • ISA500 site-to-site IPsec VPN with Cisco ISR

    Hello

    I tried a VPN site by site work with Openswan and Cisco 2821 router configuration an Ipsec tunnel to site by site with Cisco 2821 and ISA550.

    But without success.

    My config for Openswan, just FYI, maybe not important for this problem:

    installation of config

    protostack = netkey

    nat_traversal = yes

    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%4:!$RIGHT_SUBNET

    nhelpers = 0

    Conn rz1

    IKEv2 = no

    type = tunnel

    left = % all

    leftsubnet=192.168.5.0/24

    right =.

    rightsourceip = 192.168.1.2

    rightsubnet=192.168.1.0/24

    Keylife 28800 = s

    ikelifetime 28800 = s

    keyingtries = 3

    AUTH = esp

    ESP = aes128-sha1

    KeyExchange = ike

    authby secret =

    start = auto

    IKE = aes128-sha1; modp1536

    dpdaction = restart

    dpddelay = 30

    dpdtimeout = 60

    PFS = No.

    aggrmode = no

    Config Cisco 2821 for dynamic dialin:

    crypto ISAKMP policy 1

    BA aes

    sha hash

    preshared authentication

    Group 5

    lifetime 28800

    !

    card crypto CMAP_1 1-isakmp dynamic ipsec DYNMAP_1

    !

    access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255

    !

    Crypto ipsec transform-set ESP-AES-SHA1 esp - aes esp-sha-hmac

    crypto dynamic-map DYNMAP_1 1

    game of transformation-ESP-AES-SHA1

    match address 102

    !

    ISAKMP crypto key address 0.0.0.0 0.0.0.0

    ISAKMP crypto keepalive 30 periodicals

    !

    life crypto ipsec security association seconds 28800

    !

    interface GigabitEthernet0/0.4002

    card crypto CMAP_1

    !

    I tried a config on the ISA550 with the same constellation, but without success.

    Does anyone have the same problem?

    And does anyone have a tip for me, or does someone have experience with a site-to-site IPsec tunnel between an ISA550 and a Cisco 2821?

    I can successfully establish a tunnel between the Openswan Linux server and the ISA550.

    Patrick,

    as you can see in the logs, the software behind the ISA is also OpenSWAN.

    I have a setup running with an 892 ISR, which should be the same as your 29erxx.

    Use your IOS Config dynmap, penny, you are on the average nomad. If you don't have any RW client you should put "no-xauth" after the isakmp key on IOS.

    Here is my setup, with roadwarrior AND 2 site-to-site.

    session of crypto consignment

    logging crypto ezvpn

    !

    crypto ISAKMP policy 1

    BA 3des

    preshared authentication

    Group 2

    lifetime 28800

    !

    crypto ISAKMP policy 2

    BA 3des

    md5 hash

    preshared authentication

    Group 2

    lifetime 28800

    !

    crypto ISAKMP policy 3

    BA 3des

    preshared authentication

    Group 2

    !

    crypto ISAKMP policy 4

    BA 3des

    md5 hash

    preshared authentication

    Group 2

    !

    crypto ISAKMP policy 5

    BA 3des

    preshared authentication

    Group 2

    life 7200

    ISAKMP crypto address XXXX XXXXX No.-xauth key

    XXXX XXXX No.-xauth address isakmp encryption key

    !

    ISAKMP crypto client configuration group by default

    key XXXX

    DNS XXXX

    default pool

    ACL easyvpn_client_routes

    PFS

    !

    !

    Crypto ipsec transform-set esp-3des esp-sha-hmac FEAT

    !

    dynamic-map crypto VPN 20

    game of transformation-FEAT

    market arriere-route

    !

    !

    card crypto client VPN authentication list by default

    card crypto VPN isakmp authorization list by default

    crypto map VPN client configuration address respond

    10 VPN ipsec-isakmp crypto map

    Description of VPN - 1

    defined peer XXX

    game of transformation-FEAT

    match the address internal_networks_ipsec

    11 VPN ipsec-isakmp crypto map

    VPN-2 description

    defined peer XXX

    game of transformation-FEAT

    PFS group2 Set

    match the address internal_networks_ipsec2

    card crypto 20-isakmp dynamic VPN ipsec VPN

    !

    !

    Michael

    Please note all useful posts

  • IPSEC manual

    Hello

    I'm setting up IPSEC for the first time. I use the following commands to configure IPSEC:

    crypto ipsec transform-set pulse_ipsec esp-3des
    crypto map test_ipsec 1 ipsec-manual
     set peer 10.1.1.1
     set session-key inbound esp 256 cipher authenticator
     set session-key outbound esp 257 cipher authenticator
     set transform-set pulse_ipsec

    Can someone please tell me where I have to insert the key? How can I generate these keys? Is there any way the two peer routers can generate the keys, or what do I enter in the cipher and authenticator fields?

    Thank you

    Hello

    Enter them manually in hexadecimal.

    Each key is an arbitrary hexadecimal string of 8, 16 or 20 bytes.

    If the crypto map's transform set includes an algorithm, specify at least 8 bytes per key.

    If the crypto map's transform set includes an MD5 algorithm, specify at least 16 bytes per key.

    If the crypto map's transform set includes a SHA algorithm, specify 20 bytes per key.

    Keys longer than the sizes above are simply truncated.

    Thank you

    Atul.
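The length rules from the reply applied to the commands in the question, as an added example that is not code from the thread or from Cisco: it sizes the hex keys for a transform set, draws them from the operating system's random source, and renders the `set session-key` lines for both routers, where each router's inbound SPI and key are the other's outbound ones. Assumptions: the function names, the peer labels A and B, reading the reply's 8-byte rule as DES, and 24 bytes for 3DES.

```python
import re
import secrets

# Minimum key length in bytes per transform. The MD5 and SHA values are the ones
# given in the reply. The reply's 8-byte rule does not name its algorithm; reading
# it as DES, and using 24 bytes (three DES keys) for 3DES, are assumptions.
CIPHER_BYTES = {"esp-des": 8, "esp-3des": 24}
AUTH_BYTES = {"esp-md5-hmac": 16, "esp-sha-hmac": 20}

def key_sizes(transform_set_line):
    """Return (cipher_bytes, authenticator_bytes) for a transform-set line; 0 means unused."""
    words = transform_set_line.split()
    if words[:3] != ["crypto", "ipsec", "transform-set"] or len(words) < 5:
        raise ValueError("expected: crypto ipsec transform-set <name> <transform> ...")
    transforms = words[4:]
    unknown = [t for t in transforms if t not in CIPHER_BYTES and t not in AUTH_BYTES]
    if unknown:
        raise ValueError(f"no key length known for {unknown}")
    cipher = max(CIPHER_BYTES.get(t, 0) for t in transforms)
    auth = max(AUTH_BYTES.get(t, 0) for t in transforms)
    if cipher == 0:
        raise ValueError("no ESP cipher in transform set")
    return cipher, auth

def check_key(hex_key, needed_bytes):
    """Classify a hand-typed key: 'invalid', 'short', 'ok', or 'truncated' (excess is dropped)."""
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", hex_key):
        return "invalid"
    have = len(hex_key) // 2
    if have < needed_bytes:
        return "short"
    return "ok" if have == needed_bytes else "truncated"

def new_keys(transform_set_line):
    """Draw one (cipher, authenticator) hex key pair per direction from the OS CSPRNG."""
    cipher_len, auth_len = key_sizes(transform_set_line)
    return {direction: (secrets.token_hex(cipher_len),
                        secrets.token_hex(auth_len) if auth_len else "")
            for direction in ("a_to_b", "b_to_a")}

def session_key_lines(keys, spi_a_in=256, spi_a_out=257):
    """Render the crypto-map lines for peer A and peer B; SPIs 256/257 are the question's."""
    def line(direction, spi, key):
        cipher, auth = key
        text = f"set session-key {direction} esp {spi} cipher {cipher}"
        return text + (f" authenticator {auth}" if auth else "")
    peer_a = [line("inbound", spi_a_in, keys["b_to_a"]),
              line("outbound", spi_a_out, keys["a_to_b"])]
    # Peer B mirrors peer A: what A sends on SPI 257, B receives on SPI 257.
    peer_b = [line("inbound", spi_a_out, keys["a_to_b"]),
              line("outbound", spi_a_in, keys["b_to_a"])]
    return peer_a, peer_b

if __name__ == "__main__":
    ts = "crypto ipsec transform-set pulse_ipsec esp-3des"  # from the question
    for name, lines in zip(("peer A", "peer B"), session_key_lines(new_keys(ts))):
        print(name, *lines, sep="\n ")
```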

  • IPSec between an IOS device and a PIX

    Hello

    I'm not able to successfully establish an IPSec tunnel between an IOS box (2600 router) running 12.3(9) and a PIX501 running PIX OS 6.2. I see the following error on the 2600:

    *Mar 10 06:09:50.416: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
    *Mar 10 06:09:50.416: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1

    And on PIX501 following error message:

    ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block: src 9.8.1.2, dest 9.2.1.2
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0
    ISAKMP (0): processing NONCE payload. message ID = 0
    ISAKMP (0): processing vendor id payload
    ISAKMP (0): processing vendor id payload
    ISAKMP (0): remote peer supports dead peer detection
    ISAKMP (0): processing vendor id payload
    ISAKMP (0): speaking to another IOS box!
    ISAKMP (0): processing vendor id payload
    ISAKMP (0): received xauth v6 vendor id
    return status is IKMP_ERR_RETRANS
    crypto_isakmp_process_block: src 9.8.1.2, dest 9.2.1.2
    OAK_MM exchange

    I am able to ping the external interface of one box from the other. Any idea what I might be missing?

    Thanks in advance,

    Krishna

    The commands that I configured on 2600 as follows:

    crypto ISAKMP policy 1

    md5 hash

    preshared authentication

    Group 2

    life 1200

    cisco key crypto isakmp 9.2.1.2 address

    ISAKMP crypto keepalive 50 10

    !

    life 1800 seconds crypto ipsec security association

    !

    Crypto ipsec transform-set esp - esp-sha-hmac krishnas

    !

    !

    Krishnas 1 ipsec-isakmp crypto map

    defined peer 9.2.1.2

    game of transformation-krishnas

    match address krishnas

    !

    !

    !

    !

    interface FastEthernet0/0

    IP 192.168.243.1 255.255.255.0

    automatic speed

    full-duplex

    !

    interface FastEthernet0/1

    Description outside the interface to the cloud

    bandwidth 10000

    IP 9.8.1.2 255.255.0.0

    automatic speed

    Half duplex

    card crypto krishnas

    !

    !

    krishnas extended IP access list

    IP 192.168.243.0 allow 0.0.0.255 192.168.244.0 0.0.0.255

    The commands that I configured on PIX501:

    IP 192.168.244.0 allow Access-list krishnas 255.255.255.0 192.168.243.0 255.255.255.0

    Permitted connection ipsec sysopt

    Crypto ipsec transform-set esp - esp-sha-hmac krishnas

    Krishnas 1 ipsec-isakmp crypto map

    card crypto krishnas 1 corresponds to the krishnas address

    krishnas 1 peer set 9.8.1.2 crypto card

    card crypto krishnas 1 the transform-set krishnas value

    krishnas outside crypto map interface

    ISAKMP allows outside

    ISAKMP key cisco address 9.8.1.2 netmask 255.255.255.255 No.-xauth No.-config-mode

    isakmp identity = address

    ISAKMP keepalive 50 10

    part of pre authentication ISAKMP policy 1

    of ISAKMP policy 1 encryption

    ISAKMP policy 1 md5 hash

    Group of ISAKMP policy 1 2

    ISAKMP policy 1 life 1200

    Hello Krishna

    If possible and feasible, try to downgrade the IOS from 12.3(9) to a lower-level code such as 12.3.6. But make sure that the image is a k9 image and supports VPN. Also upgrade the PIX to 6.3.3.

    Assuming that the keys are the same, your configs look OK. From the debugs it seems it is not able to get past phase 1 properly.

    Changing the code could help.

    Regards

    Wakif
