IPSec tunnel do not come between two ASA - 5540 s.
I've included the appropriate configuration of the two ASA lines - 5540 s that I'm trying to set up a tunnel of 2 lan lan between. The first few lines show the messages that are generated when I try to ping another host on each side.
Did I miss something that will prevent the tunnel to come?
4 IP = 10.10.1.147, error: cannot delete PeerTblEntry
3 IP = 10.10.1.147, Removing peer to peer table has not, no match!
6 IP = 10.10.1.147, P1 retransmit msg sent to the WSF MM
5 IP is 10.10.1.147, in double Phase 1 detected package. Retransmit the last packet.
6 IP = 10.10.1.147, P1 retransmit msg sent to the WSF MM
5 IP is 10.10.1.147, in double Phase 1 detected package. Retransmit the last packet.
4 IP = 10.10.1.147, error: cannot delete PeerTblEntry
3 IP = 10.10.1.147, Removing peer to peer table has not, no match!
6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
5 IP = 10.10.1.147, IKE initiator: New Phase 1, Intf inside, IKE Peer 10.10.1.147 address Proxy local 10.10.1.135, Proxy address remote 10.10.1.155, Card Crypto (outside_map0)
ROC-ASA5540-A # sh run
!
ASA Version 8.0 (3)
!
CRO-ASA5540-A host name
names of
10.10.1.135 GHC_Laptop description name to test the VPN
10.10.1.155 SunMed_pc description name to test the VPN
!
interface GigabitEthernet0/0
Speed 100
full duplex
nameif inside
security-level 100
IP 10.10.1.129 255.255.255.240
!
interface GigabitEthernet0/3
nameif outside
security-level 0
IP 10.10.1.145 255.255.255.248
!
!
outside_2_cryptomap list extended access permit ip host host GHC_Laptop SunMed_pc
!
ASDM image disk0: / asdm - 603.bin
!
Route outside 255.255.255.248 10.10.1.152 10.10.1.147 1
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
card crypto game 2 outside_map0 address outside_2_cryptomap
outside_map0 crypto map peer set 2 10.10.1.147
card crypto outside_map0 2 the value transform-set ESP-3DES-SHA
outside_map0 card crypto 2 set nat-t-disable
outside_map0 interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 5
preshared authentication
3des encryption
sha hash
Group 2
life 86400
!
Group Policy Lan-2-Lan_only internal
attributes of Lan-2-Lan_only-group policy
VPN-filter no
Protocol-tunnel-VPN IPSec
tunnel-group 10.10.1.147 type ipsec-l2l
IPSec-attributes tunnel-group 10.10.1.147
pre-shared-key *.
!
ROC-ASA5540-A #.
----------------------------------------------------------
ROC-ASA5540-B # sh run
: Saved
:
ASA Version 8.0 (3)
!
name of host ROC-ASA5540-B
!
names of
name 10.10.1.135 GHC_laptop
name 10.10.1.155 SunMed_PC
!
interface GigabitEthernet0/0
Speed 100
full duplex
nameif inside
security-level 100
IP 10.10.1.153 255.255.255.248
!
interface GigabitEthernet0/3
nameif outside
security-level 0
IP 10.10.1.147 255.255.255.248
!
outside_cryptomap list extended access permit ip host host SunMed_PC GHC_laptop
!
ASDM image disk0: / asdm - 603.bin
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
card crypto outside_map2 1 match address outside_cryptomap
outside_map2 card crypto 1jeu peer 10.10.1.145
outside_map2 card crypto 1jeu transform-set ESP-3DES-SHA
outside_map2 card crypto 1jeu nat-t-disable
outside_map2 interface card crypto outside
crypto ISAKMP allow inside
crypto ISAKMP policy 5
preshared authentication
3des encryption
sha hash
Group 2
life 86400
!
internal Lan-2-Lan group strategy
Lan Lan 2-strategy of group attributes
Protocol-tunnel-VPN IPSec
tunnel-group 10.10.1.145 type ipsec-l2l
IPSec-attributes tunnel-group 10.10.1.145
pre-shared-key *.
!
ROC-ASA5540-B #.
On the ASA of ROC-ASA5540-B, you have "isakmp allows inside", it should be "enable isakmp outside."
Please reconfigure the ASA and let me know how it goes.
Kind regards
Arul
* Please note the useful messages *.
Tags: Cisco Security
Similar Questions
-
Site to Site VPN tunnel is not come between 2 routers
Dear all,
I have 2 routers for branch which is configured for VPN site-to-site, but the tunnel does not come!
I ran debug and I enclose herwith output for your kind review and recommendation. I also enclose here the 2 routers configs branch.
Any idea on why the Site to site VPN is not coming?
Kind regards
Haitham
You guessed it!
Just because you have re-used the same card encryption for LAN to LAN and vpn-client traffic.
This from the DOC CD
No.-xauth
(Optional) Use this keyword if the router to router IP Security (IPSec) is on the same card encryption as a virtual private network (VPN) - client - to-Cisco-IOS IPSec. This keyword prevents the router causing the peer for the information of extended authentication (Xauth) (username and password).
-
IPSec Tunnel permanent between two ASA
Hello
I configured a VPN IPSec tunnel between two ASA 5505 firewall. I want to assure you as the IPSec tunnel (this is why the security association) is permanent and do not drop due to the idle state.
What should I do?
Thanks for any help
Yves
Disables keepalive IKE processing, which is enabled by default.
(config) #tunnel - 10.165.205.222 group ipsec-attributes
KeepAlive (ipsec-tunnel-config) #isakmp disable
Set a maximum time for VPN connections with the command of vpn-session-timeout in group policy configuration mode or username configuration mode:
attributes of hostname (config) #-Group Policy DfltGrpPolicy
hostname (Group Policy-config) #vpn - idle - timeout noattributes of hostname (config) #-Group Policy DfltGrpPolicy
hostname (Group Policy-config) #vpn - session - timeout noThank you
Ajay
-
Easy VPN between two ASA 9.5 - Split tunnel does not
Hi guys,.
We have set up a site to site vpn using easy configuration vpn between ver 9.5 race (1) two ASA. The tunnels are up and ping is reached between sites. I also configured split tunnel for internet traffic under the overall strategy of the ASA easy vpn server. But for some unknown reason all the customer same internet traffic is sent to the primary site. I have configured NAT to relieve on the side of server and client-side. Please advise if no limitation so that the installation program.
Thank you and best regards,
Arjun T P
I have the same question and open a support case.
It's a bug in the software 9.5.1. See the bug: CSCuw22886
-
ASA 5505 - I can't create an IPSEC VPN between two ASA 5505
Hello
I have two ASA 5505 with basic license and I'm trying to create a VPN IPSEC using the CLI. Here are the steps I did:
1 Configure ASA-1 (host name, vlan 1 and vlan 2).
2. configure a static route
3. create object network (local and remote)
4. create the access list
5. create ikev1 crypto
6. create tunnel-group
7 Configure nat
and I repeat the steps above with the ASA but another change IP.
Are to correct the above steps?
Why can I not create an IPSEC VPN between devices?.
No, you needn't. The ASA configuration is ok. Packet trace proved it. I think it can be a problem on the hosts. Please, check the firewall on the PC and try to put out of service, if it is running.
-
ASA 8.6 - l2l IPsec tunnel established - not possible to ping
Hello world
I have a problem of configuration of the CISCO ASA 5512-x (IOS 8.6).
The IPsec tunnel is created between ASA and an another non-CISCO router (hereinafter "router"). I can send packets ping from router to ASA, but ASA is NOT able to meet these demands. Sending requests of ASA is also NOT possible.
I'm trying to interconnect with the network 192.168.2.0/24 (CISCO, interface DMZ) premises and 192.168.3.0/24 (router).
The CISCO ASA has a static public IP address. The router has a dynamic IP address, so I use the dynamic-map option...
Here is the output of "show run":
---------------------------------------------------------------------------------------------------------------------------------------------
ASA 1.0000 Version 2
!
ciscoasa hostname
activate oBGOJTSctBcCGoTh encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface GigabitEthernet0/0
nameif outside
security-level 0
address IP X.X.X.X 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
the IP 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
IP 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
management only
!
passive FTP mode
internal subnet object-
192.168.0.0 subnet 255.255.255.0
object Web Server external network-ip
host Y.Y.Y.Y
Network Web server object
Home 192.168.2.100
network vpn-local object - 192.168.2.0
Subnet 192.168.2.0 255.255.255.0
network vpn-remote object - 192.168.3.0
subnet 192.168.3.0 255.255.255.0
outside_acl list extended access permit tcp any object Web server
outside_acl list extended access permit tcp any object webserver eq www
access-list l2l-extensive list allowed ip, vpn-local - 192.168.2.0 vpn-remote object - 192.168.3.0
dmz_acl access list extended icmp permitted an echo
pager lines 24
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
MTU 1500 DMZ
management of MTU 1500
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
NAT (DMZ, outside) static static vpn-local destination - 192.168.2.0 vpn-local - 192.168.2.0, 192.168.3.0 - remote control-vpn vpn-remote control - 192.168.3.0
!
internal subnet object-
NAT dynamic interface (indoor, outdoor)
Network Web server object
NAT (DMZ, outside) Web-external-ip static tcp www www Server service
Access-Group global dmz_acl
Route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Enable http server
http 192.168.1.0 255.255.255.0 management
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
IKEv1 crypto ipsec transform-set ikev1-trans-set esp-3des esp-md5-hmac
Crypto ipsec ikev2 proposal ipsec 3des-GNAT
Esp 3des encryption protocol
Esp integrity md5 Protocol
Crypto dynamic-map dynMidgeMap 1 match l2l-address list
Crypto dynamic-map dynMidgeMap 1 set pfs
Crypto dynamic-map dynMidgeMap 1 set ikev1 ikev1-trans-set transform-set
Crypto dynamic-map dynMidgeMap 1 set ikev2 ipsec-proposal 3des-GNAT
Crypto dynamic-map dynMidgeMap 1 life span of seconds set association security 28800
Crypto dynamic-map dynMidgeMap 1 the value reverse-road
midgeMap 1 card crypto ipsec-isakmp dynamic dynMidgeMap
midgeMap interface card crypto outside
ISAKMP crypto identity hostname
IKEv2 crypto policy 1
3des encryption
the md5 integrity
Group 2
FRP md5
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal midgeTrialPol group policy
attributes of the strategy of group midgeTrialPol
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
enable IPSec-udp
tunnel-group midgeVpn type ipsec-l2l
tunnel-group midgeVpn General-attributes
Group Policy - by default-midgeTrialPol
midgeVpn group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:fa02572f9ff8add7bbfe622a4801e606
: end
------------------------------------------------------------------------------------------------------------------------------
X.X.X.X - ASA public IP
Y.Y.Y.Y - a web server
Z.Z.Z.Z - default gateway
-------------------------------------------------------------------------------------------------------------------------------
ASA PING:
ciscoasa # ping DMZ 192.168.3.1
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.3.1, time-out is 2 seconds:
?????
Success rate is 0% (0/5)
PING from router (debug on CISCO):
NAT ciscoasa #: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 0 len = 40
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 1 len = 40
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 2 len = 40
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = len 3 = 40
-------------------------------------------------------------------------------------------------------------------------------
ciscoasa # show the road outside
Code: C - connected, S - static, RIP, M - mobile - IGRP, R - I, B - BGP
D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone
N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2
E1 - OSPF external type 1, E2 - external OSPF of type 2, E - EGP
i - IS - L1 - IS - IS level 1, L2 - IS - IS IS level 2, AI - IS inter zone
* - candidate by default, U - static route by user, o - ODR
P periodical downloaded static route
Gateway of last resort is Z.Z.Z.Z to network 0.0.0.0
C Z.Z.Z.0 255.255.255.0 is directly connected to the outside of the
S 192.168.3.0 255.255.255.0 [1/0] via Z.Z.Z.Z, outdoors
S * 0.0.0.0 0.0.0.0 [1/0] via Z.Z.Z.Z, outdoors
-------------------------------------------------------------------------------------------------------------------------------
Do you have an idea that I am wrong? Probably some bad NAT/ACL I suppose, but I could always find something only for 8.4 iOS and not 8.6... Perhaps and no doubt I already missed the configuration with the unwanted controls, but I've tried various things...
Please, if you have an idea, let me know! Thank you very much!
Hello
I've never used "global" option in ACL, but it looks to be the origin of the problem. Cisco doc.
"The global access rules are defined as a special ACL that is processed for each interface on the device for incoming traffic in the interface. Thus, although the ACL is configured once on the device, it acts as an ACL defined for Management In secondary interface-specific. (Global rules are always in the direction of In, never Out Management). "
You ACL: access-list extended dmz_acl to any any icmp echo
For example, when you launch the ASA, there is an echo response from the router on the external interface--> global can block.
Then to initiate router, the ASA Launches echo-reply being blocked again.
Try to add permit-response to echo as well.
In addition, you can use both "inspect icmp" in world politics than the ACL.
If none does not work, you can run another t-shoot with control packet - trace on SAA.
THX
MS
-
I have 2 Cat6, with IPsec SPA card, while the other did not.
I tried setting IPsec tunnel between them, but somehow can't bring up the tunnel, can someone help me to watch set it up?
A (with SPA):
crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 5
ISAKMP crypto cisco123 key address 0.0.0.0 0.0.0.0
ISAKMP crypto keepalive 10
Crypto ipsec transform-set esp - aes 256 esp-sha-hmac testT1
!
Crypto ipsec profile P1
Set transform-set testT1
!
Crypto call admission limit ike his 3000
!
Crypto call admission limit ike in-negotiation-sa 115
!
interface Tunnel962
Loopback962 IP unnumbered
tunnel GigabitEthernet2/37.962 source
tunnel destination 172.16.16.6
ipv4 ipsec tunnel mode
Profile of tunnel P1 ipsec protection
interface GigabitEthernet2/37.962
encapsulation dot1Q 962
IP 172.16.16.5 255.255.255.252
interface Loopback962
1.1.4.200 the IP 255.255.255.255
IP route 2.2.4.200 255.255.255.255 Tunnel962
B (wuthout SPA):
crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 5
ISAKMP crypto cisco123 key address 0.0.0.0 0.0.0.0
!
!
Crypto ipsec transform-set esp - aes 256 esp-sha-hmac T1
!
Crypto ipsec profile P1
game of transformation-T1
interface Tunnel200
Loopback200 IP unnumbered
tunnel GigabitEthernet2/1.1 source
tunnel destination 172.16.16.5
ipv4 ipsec tunnel mode
Profile of tunnel T1 ipsec protection
interface Loopback200
2.2.4.200 the IP 255.255.255.255
interface GigabitEthernet2/1.1
encapsulation dot1Q 962
IP 172.16.16.6 255.255.255.252
IP route 1.1.4.200 255.255.255.255 Tunnel200
I can ping from 172.16.16.6 to 172.16.16.5, but the tunnel just can not upwards. When I turned on "debugging ipsec cry ' and ' debug cry isa", nothing comes out, when I trun on 'cry of debugging sciences', I got:
"00:25:17: crypto_engine_select_crypto_engine: can't handle more."
Hello
You need a map of IPSEC SPA on chassis B do IPSEC encryption. Please see the below URL for more details.
Without a SPA-IPSEC - 2G or IPsec VPN Services Module of acceleration, the IPsec network security feature (configured with the crypto ipsec command) is supported in the software only for administrative for Catalyst 6500 series switches and routers for the Cisco 7600 Series connections.
Kind regards
Arul
* Rate pls if it helps *.
-
IPSEC tunnels does not connect
Out of sudden IPSEC tunnel on remote site 202.68.211.20 is not plug in. Previously is OK. There is no change in config.
IKE Phase 1 even not connect.
I'm debugging, but I don't know what could be the error.
-----------------------------------------------------------------------------
= ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = PuTTY connect 2016.05.12 15:19:36 = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ =.
12 May 12:06:50 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:06:50 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:06:53 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:06:53 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:06:54 [IKEv1 DEBUG]: IP = 202.68.211.20, case of mistaken IKE MM Initiator WSF (struct & 0xd84aff40), : MM_DONE, EV_ERROR--> MM_WAIT_MSG2, EV_RETRY--> MM_WAIT_MSG2, EV_TIMEOUT--> MM_WAIT_MSG2 NullEvent--> MM_SND_MSG1, EV_SND_MSG--> MM_SND_MSG1, EV_START_TMR--> MM_SND_MSG1, EV_RESEND_MSG--> MM_WAIT_MSG2, EV_RETRY
12 May 12:06:54 [IKEv1 DEBUG]: IP = 202.68.211.20, IKE SA MM:914f04ce ending: flags 0 x 01000022, refcnt 0, tuncnt 0
12 May 12:06:54 [IKEv1 DEBUG]: IP = 202.68.211.20, sending clear/delete with the message of reason
12 May 12:06:59 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:06:59 [IKEv1]: IP = 202.68.211.20, initiator of IKE: New Phase 1, Intf internal, IKE Peer 202.68.211.20 address proxy local 10.215.20.0 address remote Proxy 10.210.0.0, Card Crypto (VPN_map)
12 May 12:06:59 [IKEv1 DEBUG]: IP = 202.68.211.20, build the payloads of ISAKMP security
12 May 12:06:59 [IKEv1 DEBUG]: IP = 202.68.211.20, construction of Fragmentation VID + load useful functionality
12 May 12:06:59 [IKEv1]: IP = 202.68.211.20, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
12 May 12:07 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:07 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:07:03 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:07:03 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:07:07 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
12 May 12:07:09 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:07:09 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:07:15 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
12 May 12:07:23 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
12 May 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, case of mistaken IKE MM Initiator WSF (struct & 0xd8457958), : MM_DONE, EV_ERROR--> MM_WAIT_MSG2, EV_RETRY--> MM_WAIT_MSG2, EV_TIMEOUT--> MM_WAIT_MSG2 NullEvent--> MM_SND_MSG1, EV_SND_MSG--> MM_SND_MSG1, EV_START_TMR--> MM_SND_MSG1, EV_RESEND_MSG--> MM_WAIT_MSG2, EV_RETRY
12 May 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, IKE SA MM:be63ea64 ending: flags 0 x 01000022, refcnt 0, tuncnt 0
12 May 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, sending clear/delete with the message of reason
12 May 12:07:37 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:07:37 [IKEv1]: IP = 202.68.211.20, initiator of IKE: New Phase 1, Intf internal, IKE Peer 202.68.211.20 address proxy local 10.215.20.0 address remote Proxy 10.210.0.0, Card Crypto (VPN_map)
12 May 12:07:37 [IKEv1 DEBUG]: IP = 202.68.211.20, build the payloads of ISAKMP security
12 May 12:07:37 [IKEv1 DEBUG]: IP = 202.68.211.20, construction of Fragmentation VID + load useful functionality
12 May 12:07:37 [IKEv1]: IP = 202.68.211.20, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
12 May 12:07:40 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:07:40 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:07:45 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
12 May 12:07:46 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:07:46 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:07:53 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
qHello
It seems that the tunnel is blocked to MSG_2.
You can check if the UDP 500 traffic is not blocked between peers?
Please check with your provider.
Kind regards
Aditya
Please evaluate the useful messages and mark the correct answers.
-
Hi all
We have an IPSec tunnel that does not work. I think that Phase 2 is not established but I don't know why.
Add the output and the newspaper.
Thanks for your help
ASA-VPN-PRI/act/pri # sh crypto isakmp his
!
13 peer IKE: 91.209.243.5
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE!
ASA-VPN-PRI/act/pri # sh crypto isakmp his | include the 91.209.243.5
12 peer IKE: 91.209.243.5
ASA-VPN-PRI/act/pri #.ASA-VPN-PRI/act/pri # sh crypto ipsec his | include the 91.209.243.5
ASA-VPN-PRI/act/pri #.7. December 17, 2014 | 15: 40:48 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = c516994b) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: 40:48 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
7. December 17, 2014 | 15: 40:48 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
7. December 17, 2014 | 15: 40:48 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d6c)
7. December 17, 2014 | 15: 40:48 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d6c)
7. December 17, 2014 | 15: 40:48 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
7. December 17, 2014 | 15: 40:48 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
7. December 17, 2014 | 15: 40:48 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = 29bf4142) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: 40:43 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = b72ddf0a) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: 40:43 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
7. December 17, 2014 | 15: 40:43 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
7. December 17, 2014 | 15: 40:43 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d6b)
7. December 17, 2014 | 15: 40:43 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d6b)
7. December 17, 2014 | 15: 40:43 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
7. December 17, 2014 | 15: 40:43 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
7. December 17, 2014 | 15: 40:43 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = ae5305df) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: 40:38 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = b796798d) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: 40:38 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
7. December 17, 2014 | 15: 40:38 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
7. December 17, 2014 | 15: 40:38 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d6a)
7. December 17, 2014 | 15: 40:38 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d6a)
7. December 17, 2014 | 15: 40:38 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
7. December 17, 2014 | 15: 40:38 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
7. December 17, 2014 | 15: 40:38 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = 98241c 63) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: 40:33 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = e233621d) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: 40:33 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
7. December 17, 2014 | 15: 40:33 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
7. December 17, 2014 | 15: 40:33 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d69)
7. December 17, 2014 | 15: 40:33 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d69)
7. December 17, 2014 | 15: 40:33 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
7. December 17, 2014 | 15: 40:33 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
7. December 17, 2014 | 15: 40:33 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = 36ecdf6a) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: is.40:28 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = cb1b978d) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: is.40:28 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
7. December 17, 2014 | 15: is.40:28 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
7. December 17, 2014 | 15: is.40:28 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d68)
7. December 17, 2014 | 15: is.40:28 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d68)
7. December 17, 2014 | 15: is.40:28 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
7. December 17, 2014 | 15: is.40:28 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
7. December 17, 2014 | 15: is.40:28 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = f25bcdb5) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: 40:23 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = 32bca075) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: 40:23 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
7. December 17, 2014 | 15: 40:23 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
7. December 17, 2014 | 15: 40:23 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d67)
7. December 17, 2014 | 15: 40:23 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d67)
7. December 17, 2014 | 15: 40:23 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
7. December 17, 2014 | 15: 40:23 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
7. December 17, 2014 | 15: 40:23 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = a3f0e3f9) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84Please repeat the debug with "debug crypto isakmp 100". And compare the config of the Phase 2 on both sides:
- Is what ACL crypto exactly in the opposite direction on both sides?
- Your transformation sets include exactly the same algorithms?
-
site-to-site between two ASA firewall
Hello
I have two ASA and I have set up the two ASA til S2S. ASA1 is in HQ and ASA2 is in Office of Brunch. HQ ASA has multi S2S connection and Brunch ASA has only S2S to Headquarters. The Senario is I want to send all traffic (both Internet and LAN in the ASA HQ) ASA2 throug the tunnel. The problem is that when the tunnel is up and there is ASA2 connevtivity (brunch office) for the network local behinde ASA1 (HQ), but the client behinde ASA2 has no conectivity when they try to go to the Internet. Tanks a lot in advance for any help!
ASA HQ extern ip 192.x.y.z/24, LAN 10.70.0.0/16
Brunch of the ASA Office a extern ip 168.x.y.z/24, LAN 10.79.1.0/24
This should help you:
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0access extensive list ip 10.79.1.0 inside_nat0_outbound allow 255.255.255.0 255.255.255.0 x.x.x.x
access extensive list ip 10.79.1.0 outside_1_cryptomap allow 255.255.255.0 255.255.255.0 x.x.x.xx.x.x.x = subnet HQ, in the ASA HQ you need of the opposite ACL:
permit inside_nat0_outbound to access extended list ip x.x.x.x 255.255.255.0 10.79.1.0 255.255.255.0
permit outside_1_cryptomap to access extended list ip x.x.x.x 255.255.255.0 10.79.1.0 255.255.255.0This way to the internet traffic will be coordinated because it turns off and traffic to the VPN will be
not be translated as she goes down the tunnel -
Hello
I practice a bit with 2 CISCO 2811 routers and 2621. I did the basic configuration for an IPSec connection, but the tunnel seems not to lead. Also, I can ping the external interface of the other router, but I cannot ping inside network behind each of them. Any ideas? The external interface are connected via a cable UTP croosover. Here's the sh run of each:
2621 router:
!
version 12.2
horodateurs service debug uptime
Log service timestamps uptime
encryption password service
!
hostname RPrueba2
!
logging buffered 51200 warnings
enable secret 5 $1$ oNw1$ SQaqP.FazBuaiVZ3MHte70
!
username supervisor privilege 15 password 7 07062F49420C1A110513
voice-card 1
!
IP subnet zero
!
!
!
!
crypto ISAKMP policy 1
md5 hash
preshared authentication
ISAKMP crypto keys Inelectra address 20.20.20.21
!
!
Crypto ipsec transform-set base esp - esp-md5-hmac
!
Armadillo 1 ipsec-isakmp crypto map
defined by peer 20.20.20.21
security-association value seconds of life 4000
Set transform-set basic
PFS Group1 Set
match address 101
!
call the rsvp-sync
!
!
!
!
!
!
controller E1 1/0
!
!
!
interface FastEthernet0/0
IP 192.168.250.1 255.255.255.0
automatic duplex
automatic speed
!
interface Serial0/0
no ip address
Shutdown
!
interface FastEthernet0/1
IP 20.20.20.1 255.255.255.0
automatic duplex
automatic speed
Armadillo card crypto
!
interface Serial0/1
no ip address
Shutdown
!
interface Serial0/2
no ip address
Shutdown
!
!
IP classless
IP route 0.0.0.0 0.0.0.0 20.20.20.21
IP http server
!
!
!
!
!
!
!
!
!
access-list 101 permit ip 192.168.250.0 0.0.0.255 any
access-list 102 permit ip 192.168.250.0 0.0.0.255 192.168.240.0 0.0.0.255
!
!
Dial-peer cor custom
!
!
!
!
!
Line con 0
password 7 020F0A5E07030C355E4F
opening of session
line to 0
line vty 0 4
privilege level 15
password 7 12100B121E0E0F10382A
opening of session
transport input telnet ssh
!
end
2811 router:
!
version 12.4
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
hostname RPrueba
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$ oNw1$ SQaqP.FazBuaiVZ3MHte70
!
No aaa new-model
!
resources policy
!
iomem 15 memory size
No network-clock-participate wic 1
IP subnet zero
!
!
IP cef
!
!
!
!
voice-card 0
No dspfarm
!
username supervisor privilege 15 password 7 07062F49420C1A110513
!
!
controller E1 1/0/0
!
!
crypto ISAKMP policy 1
md5 hash
preshared authentication
ISAKMP crypto keys Inelectra address 20.20.20.1
!
!
Crypto ipsec transform-set Ineset ah-md5-hmac esp - a
Crypto ipsec transform-set base esp - esp-md5-hmac
!
Armadillo 1 ipsec-isakmp crypto map
defined by peer 20.20.20.1
security-association value seconds of life 4000
Set transform-set basic
PFS Group1 Set
match address 102
!
!
!
!
interface FastEthernet0/0
IP 192.168.240.1 255.255.255.0
automatic duplex
automatic speed
!
interface FastEthernet0/1
IP 20.20.20.21 255.255.255.0
automatic duplex
automatic speed
Armadillo card crypto
!
interface Serial0/0/0
no ip address
Shutdown
no fair queue
2000000 clock frequency
!
interface Serial0/0/1
no ip address
Shutdown
2000000 clock frequency
!
IP classless
IP route 0.0.0.0 0.0.0.0 20.20.20.1
!
!
IP http server
no ip http secure server
!
access-list 101 permit ip 192.168.240.0 0.0.0.255 any
access-list 102 permit ip 192.168.240.0 0.0.0.255 192.168.250.0 0.0.0.255
!
control plan
!
Line con 0
password 7 020F0A5E07030C355E4F
opening of session
line to 0
line vty 0 4
privilege level 15
password 7 12100B121E0E0F10382A
opening of session
transport input telnet ssh
!
Scheduler allocate 20000 1000
!
end
I also tried the isakmp crypto see the its and there is nothing on the table. Thanks for any help.
Gustavo
Under card crypto router armadilloin 2621 =
Use the ACL 102 crypto instead of 101.
match address 102
And then disable the isakmp its ipsec and its
then try to ping.
-
GRE tunnels will not come on VPN IPsec/GRE
Hi all
We have 400 + remote sites that connect to our central location (and a backup site) using Cisco routers with vpn IPSec/GRE tunnels. We use a basic model for the creation of tunnels, so there is very little chance of a bad configuration on each router. Remote sites use Cisco 831 s, central sites use Cisco 2821 s. There is a site where the tunnels WILL refuse just to come.
Routers are able to ping their public IP addresses, so it is not a routing problem, but gre endpoints cannot ping. There is no NATing involved, two routers directly accessing the Internet. The assorded display orders seem to indicate that the SAs are properly built, but newspapers, it seems that last part just don't is finished, and the GRE tunnels come not only upward.
The attached log file, it seems that both its IPSEC & ISAKMP are created @ 00:25:14, then QM_PHASE2 end @ 00:25:15.
00:25:15: ISAKMP: (0:10:HW:2): node error 1891573546 FALSE reason for deletion "(wait) QM.
00:25:15: ISAKMP: (0:10:HW:2): entrance, node 1891573546 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:25:15: ISAKMP: (0:10:HW:2): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
00:25:15: ISAKMP (0:268435467): received 208.XX packet. Dport 500 sport Global 500 (I) QM_IDLE yy.11
00:25:15: IPSEC (key_engine): had an event of the queue with 1 kei messages
00:25:15: IPSEC (key_engine_enable_outbound): rec would prevent ISAKMP
00:25:15: IPSEC (key_engine_enable_outbound): select SA with spinnaker 1572231461/50
00:25:15: ISAKMP: (0:11:HW:2): error in node-1931380074 FALSE reason for deletion "(wait) QM.
00:25:15: ISAKMP: (0:11:HW:2): entrance, node-1931380074 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:25:15: ISAKMP: (0:11:HW:2): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
00:25:15: IPSEC (key_engine): had an event of the queue with 1 kei messages
00:25:15: IPSEC (key_engine_enable_outbound): rec would prevent ISAKMP
00:25:15: IPSEC (key_engine_enable_outbound): select SA with spinnaker 310818168/50I don't have the remote router log file, and is very long, so I joined her. Before that I captured the log file, I enabled debugging ipsec & isakmp and immediately authorized the SAs.
Assorted useful details and matching orders of show results:
Cisco IOS Software, C831 (C831-K9O3SY6-M), Version 12.4 (25), RELEASE SOFTWARE (fc1)
There are 2 connections of IPSEC/GRE tunnel:
Tunnel101: KC (208.YY. ZZ.11) - remote control (74.WW. XX.35)
Tunnel201: Dallas (208.XX. YY.11) - remote control (74.WW. XX.35)Site-382-831 #sho ip int br
Interface IP-Address OK? Method State Protocol
FastEthernet1 unassigned YES unset down down
FastEthernet2 unassigned YES unset upward, upward
FastEthernet3 unassigned YES unset upward, upward
FastEthernet4 unassigned YES unset upward, upward
Ethernet0 10.3.82.10 YES NVRAM up up
Ethernet1 74.WW. XX.35 YES NVRAM up up
Ethernet2 172.16.1.10 YES NVRAM up up
Tunnel101 1.3.82.46 YES NVRAM up toward the bottom<>
Tunnel201 1.3.82.62 YES NVRAM up toward the bottom<==== ="">====>
NVI0 unassigned don't unset upward upwardsSite-382-831 #.
Site-382-831 #sho run int tunnel101
Building configuration...Current configuration: 277 bytes
!
interface Tunnel101
Description % connected to the 2nd KC BGP 2821 - PRI - B
IP 1.3.82.46 255.255.255.252
IP mtu 1500
IP virtual-reassembly
IP tcp adjust-mss 1360
KeepAlive 3 3
source of tunnel Ethernet1
destination of the 208.YY tunnel. ZZ.11
endSite-382-831 #.
Site-382-831 #show isakmp crypto his
status of DST CBC State conn-id slot
208.XX. YY.11 74.WW. XX.35 QM_IDLE ASSETS 0 11
208.YY. ZZ.11 74.WW. XX.35 QM_IDLE 10 0 ACTIVE
Site-382-831 #.Site-382-831 #.
Site-382-831 #show detail of the crypto isakmp
Code: C - IKE configuration mode, D - Dead Peer Detection
NAT-traversal - KeepAlive, N - K
X - IKE extended authentication
PSK - GIPR pre-shared key - RSA signature
renc - RSA encryptionC - id Local Remote I have VRF status BA hash Auth DH lifetime limit.
11 74.WW. XX.35 208.XX. YY.11 ACTIVE 3des sha psk 1 23:56:09
Connection-id: motor-id = 11:2 (hardware)
74.WW 10. XX.35 208.YY. ZZ.11 ACTIVE 3des sha psk 1 23:56:09
Connection-id: motor-id = 10:2 (hardware)
Site-382-831 #.Site-382-831 #.
Site-382-831 #show crypto ipsec hisInterface: Ethernet1
Tag crypto map: IPVPN_MAP, local addr 74.WW. XX.35protégé of the vrf: (none)
ident (addr, mask, prot, port) local: (74.WW. XX.35/255.255.255.255/47/0)
Remote ident (addr, mask, prot, port): (208.YY. ZZ.11/255.255.255.255/47/0)
current_peer 208.YY. ZZ.11 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: 2333, #pkts encrypt: 2333, #pkts digest: 2333
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
#send 21, #recv errors 0local crypto endpt. : 74.WW. XX.35, remote Start crypto. : 208.YY. ZZ.11
Path mtu 1500, mtu 1500 ip, ip mtu IDB Ethernet1
current outbound SPI: 0x45047D1D (1157922077)SAS of the esp on arrival:
SPI: 0x15B97AEA (364477162)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: C83X_MBRD:4, crypto card: IPVPN_MAP
calendar of his: service life remaining (k/s) key: (4486831/1056)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0x45047D1D (1157922077)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: C83X_MBRD:3, crypto card: IPVPN_MAP
calendar of his: service life remaining (k/s) key: (4486744/1056)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
protégé of the vrf: (none)
ident (addr, mask, prot, port) local: (74.WW. XX.35/255.255.255.255/47/0)
Remote ident (addr, mask, prot, port): (208.XX. YY.11/255.255.255.255/47/0)
current_peer 208.XX. YY.11 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: 2333, #pkts encrypt: 2333, #pkts digest: 2333
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
#send 21, #recv errors 0local crypto endpt. : 74.WW. XX.35, remote Start crypto. : 208.XX. YY.11
Path mtu 1500, mtu 1500 ip, ip mtu IDB Ethernet1
current outbound SPI: 0xE82A86BC (3895101116)SAS of the esp on arrival:
SPI: 0x539697CA (1402378186)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2008, flow_id: C83X_MBRD:8, crypto card: IPVPN_MAP
calendar of his: service life remaining (k/s) key: (4432595/1039)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0xE82A86BC (3895101116)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2001, flow_id: C83X_MBRD:1, crypto card: IPVPN_MAP
calendar of his: service life remaining (k/s) key: (4432508/1039)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
Site-382-831 #.Site-382-831 #.
Site-382-831 #show crypto ipsec his | Pkts Inc. | life
#pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
calendar of his: service life remaining (k/s) key: (4486831/862)
calendar of his: service life remaining (k/s) key: (4486738/862)
#pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
calendar of his: service life remaining (k/s) key: (4432595/846)
calendar of his: service life remaining (k/s) key: (4432501/846)
Site-382-831 #.Site-382-831 #.
Site-382-831 #show crypto isakmp policyWorld IKE policy
Priority protection Suite 10
encryption algorithm: three key triple a
hash algorithm: Secure Hash Standard
authentication method: pre-shared Key
Diffie-Hellman group: #1 (768 bits)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: - Data Encryption STANDARD (56-bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bits)
lifetime: 86400 seconds, no volume limit
Site-382-831 #.Site-382-831 #show crypto card
"IPVPN_MAP" 101-isakmp ipsec crypto map
Description: at the 2nd KC BGP 2821 - PRI - B
Peer = 208.YY. ZZ.11
Extend the PRI - B IP access list
access list PRI - B allowed will host 74.WW. XX.35 the host 208.YY. ZZ.11
Current counterpart: 208.YY. ZZ.11
Life safety association: 4608000 Kbytes / 3600 seconds
PFS (Y/N): N
Transform sets = {}
IPVPN,
}"IPVPN_MAP" 201-isakmp ipsec crypto map
Description: 2nd Dallas BGP 2821 - s-B
Peer = 208.XX. YY.11
Expand the list of IP SEC-B access
s - B allowed will host 74.WW access list. XX.35 the host 208.XX. YY.11
Current counterpart: 208.XX. YY.11
Life safety association: 4608000 Kbytes / 3600 seconds
PFS (Y/N): N
Transform sets = {}
IPVPN,
}
Interfaces using crypto card IPVPN_MAP:
Ethernet1
Site-382-831 #.Tunnel between KC & the remote site configuration is:
Distance c831 - KC
crypto ISAKMP policy 10
BA 3des
preshared authentication
!
PRI-B-382 address 208.YY isakmp encryption key. ZZ.11
!
Crypto ipsec transform-set esp-3des esp-sha-hmac IPVPN
transport mode
!
IPVPN_MAP 101 ipsec-isakmp crypto map
Description of 2nd KC BGP 2821 - PRI - B
set of peer 208.YY. ZZ.11
game of transformation-IPVPN
match address PRI - B
!
interface Tunnel101
Description % connected to the 2nd KC BGP 2821 - PRI - B
IP 1.3.82.46 255.255.255.252
IP mtu 1500
KeepAlive 3 3
IP virtual-reassembly
IP tcp adjust-mss 1360
source of tunnel Ethernet1
destination of the 208.YY tunnel. ZZ.11
!
interface Ethernet0
private network Description
IP 10.3.82.10 255.255.255.0
IP mtu 1500
no downtime
!
interface Ethernet1
IP 74.WW. XX.35 255.255.255.248
IP mtu 1500
automatic duplex
IP virtual-reassembly
card crypto IPVPN_MAP
no downtime
!
PRI - B extended IP access list
allow accord 74.WW the host. XX.35 the host 208.YY. ZZ.11
!KC-2821 *.
PRI-B-382 address 74.WW isakmp encryption key. XX.35
!
PRI-B-382 extended IP access list
allow accord 208.YY the host. ZZ.11 the host 74.WW. XX.35
!
IPVPN_MAP 382 ipsec-isakmp crypto map
Description % connected to the 2nd KC BGP 2821
set of peer 74.WW. XX.35
game of transformation-IPVPN
match address PRI-B-382
!
interface Tunnel382
Description %.
IP 1.3.82.45 255.255.255.252
KeepAlive 3 3
IP virtual-reassembly
IP tcp adjust-mss 1360
IP 1400 MTU
delay of 40000
tunnel of 208.YY origin. ZZ.11
destination of the 74.WW tunnel. XX.35
!
endAny help would be much appreciated!
Mark
Hello
logs on Site-382-831, only see the crypt but none decrypts, could you check a corresponding entry on the peer and see if has any questions send return traffic?
Site-382-831 #show crypto ipsec his | Pkts Inc. | life
#pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
calendar of his: service life remaining (k/s) key: (4486831/862)
calendar of his: service life remaining (k/s) key: (4486738/862)
#pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
calendar of his: service life remaining (k/s) key: (4432595/846)
calendar of his: service life remaining (k/s) key: (4432501/846)
Site-382-831 #.Kind regards
Averroès.
-
I purchased Mikrotik hardware devices and want to use routeros seat firewall cisco asa establish VPN. Aims to establish that a branch may be two IPSEC VPN access devices at the headquarters of the server via the public network.
But now, I'm having some trouble, so I have cisco asa branches and headquarters to establish successful ipsec vpn.
(1) branch routeros WAN port using a private IP address and is a member of the asa above outdoor sound created vpn ipsec, vpn successfully established internal servers and I ping the switch at the headquarters of the branch. However, there is a problem, I go through routeros visit that the headquarters of the https server pages can not be opened, telnet internal switches can telnet to the top, but were unable to penetrate into the character.
(2) in addition, I left the branch routeros on a public IP address WAN port and asa VPN IPSEC created seat, said problems above are not, the server can also be accessed, telnet switch can also enter text and control.
At the present time, I have encountered this problem of interface not CAN not because I need to create of very, very many industries and the need to establish headquarters communications branch offices so I have to use private IP addresses to access the Wan, unable to do wan are public IP address and headquarters to establish IPSEC VPN.now, I can't telnet asa inside the cisco router and open the web inside https, I can't solve the problems.
now, registrants of asa:
interface GigabitEthernet0/0
nameif outside
security-level 0
IP 49.239.3.10 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
IP 172.17.0.111 255.255.255.0network of the object inside
172.17.1.0 subnet 255.255.255.0
network outsidevpn object
Subnet 192.168.0.0 255.255.0.0QQQ
NAT (inside, outside) static source inside inside destination static outsidevpn outsidevpn non-proxy-arp-search to itinerary
Route outside 0.0.0.0 0.0.0.0 49.239.3.1 1
Route inside 172.17.1.0 255.255.255.0 172.17.0.5 1Crypto ipsec transform-set esp-3des esp-md5-hmac ikev1 cisco
Crypto ipsec pmtu aging infinite - the security association
Crypto dynamic-map cisco 1000 set pfs
Crypto dynamic-map cisco 1000 set transform-set cisco ikev1
Crypto dynamic-map cisco 1000 value reverse-road
Cisco-cisco ipsec isakmp dynamic 1000 card crypto
cisco interface card crypto outside
trustpool crypto ca policy
Crypto isakmp nat-traversal 60
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400IPSec-attributes tunnel-group DefaultL2LGroup
IKEv1 pre-shared-key *.Hello
Could you share the output of the counterpart of its IPSec cry see the 49.239.3.10 of the other device?
Kind regards
Aditya
-
Site to Site VPN tunnel between two ASA
I use the Site Wizard to Site on an ASA 5520, and ASA 5505 of the ADSM. Both are using 8.4 (5). When you create configurations. You follow the wizard configurations with manual what ACL s to allow the traffic of every subnet connected to talk to each other? Or they are automatically generated in the configuration file? Have not been to school yet to understand how to create the CLI VPN tunnels and what to look for.
Thank you
Carlos
Hello
First, I would like to say that I don't personally use ASDM for the configuration.
But you should be able to configure all the necessary elements for a connection VPN L2L base through the wizard.
I guess that typical problems to do so could relate to the lack of configuration NAT exempt or might not choose the setting "Bypass Interface Access List" that would mean you would allow traffic from the remote site in the 'external' ACL of ASA local interface. Like all other traffic coming from behind the 'outer' interface
If you share format CLI configurations and say what networks must be able to connect via VPN L2L then I could give the required CLI format configurations.
-Jouni
-
Pinging or TFTPing between two ASA
I soon two of ASA, to have several more in the area of connection of networks together. My main ASA has built a site between itself and other ASA (hand ASA5520 / other ASA5505).
I can SSH or telnet to 5505, even to its internal IP address, but my current problem is the network I cannot ping other devices of the 5505, which is contained within our network. I try to update the ASA using TFTP, but this does not work as well. I know this has something to do with icmp, but I think I'm missing something.
When I try to do a traceroute on an internal ip, it fails.
911PSAP-5505 # traceroute 192.255.255.13
Type to abort escape sequence.
The route to 192.255.255.131 68.213.181.241 0 ms 0 ms 0 ms
2 68.216.208.95 20 ms 10 ms 10 ms
3 68.152.198.81 10 ms 10 ms 10 ms
4 12.81.24.108 10 ms 10 ms 10 ms
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *The tftp command is to specify where the file will be recovered from the tftp server. ASA can act as a TFTP server.
Are you trying to ping devices in the same subnet as your ASA interface? You can check the settings of firewall device itself where sometimes it is not allow ping inbound, to disable the Firewall setting may solve your problem of ping test. If you try to ping from a network device, such as a switch or a router of the ASA, you might have more luck.
Maybe you are looking for
-
Firefox crashes whenever I have access to specific Web sites
Firefox plant instantly any time I try to access specific Web sites (weather.com, for example), or, more specifically, Wikipedia articles on specific topics. For example, I can look for apples or tuberculosis very well, but it crashes if I look up, s
-
Days of mail to sync has gone!
I have an iPhone 6 running the latest iOS 9.3.1. Last night, I deleted my Hotmail e-mail account, and then I added to remove a "phantom" mail unread Now my "Mail days to sync" option disappeared altogether in the world and I'm stuck with tons and ton
-
Portege R200 bluetooth connection to Jabra BT500 headset
Laptop cannot see my Jabra headset during quality for devices. Any ideas?
-
storage array for use in different classes
HI - newbie here. Need a bit of advice on how to proceed. Use version 5 of the SDK, have a main class that calls a GPS receiver and a further appeal to a listener of SendLocation. If both are running on different threads, of the main class. In the GP
-
Where can I find the dump of traces of battery connected?
Hi, I use the NetBeans plugin and am able to compile in the .cod file. A simple Hello World works fine. I have a fairly big Java ME project that I'm currently testing on the BlackBerry. The MIDlet works fine on other emulators and real devices, but