IPSec tunnels between duplicate LAN subnets
Hi all
Please help us connect three sites; our central site has all the resources for users, including internet access.
The three sites will each use an ASA 5505 as their WAN device.
We need to know: is it possible to configure an IPsec tunnel between the three ASAs with duplicate LAN subnets?
Central site: two networks, 192.168.1.x /24 and 192.168.100.x /24
Remote site one: a /24 subnet, 192.168.1.x
Remote site two: a /24 subnet, 192.168.100.x
If it is possible, we also want to hairpin remote sites one and two through the central site to access the internet; what the sites need is on the central site, including e-mail, the network and other resources, also records.
We have no other way to build this network, as all security is on our central site: website filtering, application filtering, filtering of all network traffic.
We understand that we could change the two remote sites to a different subnet from the central site, but we have so many host devices that it would take weeks or months, as we would also have to change the MS AD domain for all users and servers.
We really need your expertise to do this in a laboratory and then in production.
Thank you
Hello Stephen,
You can check the following links for making overlapping subnets talk to each other:
1 LAN-to-LAN IPsec VPN with overlapping networks
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080b37d0b.shtml
2 IPsec between two IOS routers with overlapping of private networks
http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a0ece4.shtml
The important point is that the local network must connect to the remote network via the translated addresses.
For example, you won't be able to use the real IPs for the communication.
For hairpinning or U-turn traffic:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml
Hope that helps.
Kind regards
Dinesh Moudgil
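To make the "translated addresses" point concrete, here is an added Python example (not from the original post or from Cisco) that takes a constructed site inventory modelled on the three sites above, reports which LANs overlap, assigns each real LAN a unique translated prefix out of an assumed unused pool (10.255.0.0/16), and lists the translated local/remote pairs that a site's crypto ACL would have to match. The site names, the pool and the sample inventory are assumptions.

```python
"""Overlap check and translated-address plan for LAN-to-LAN IPsec sites (added example)."""
from ipaddress import ip_network

# Constructed site inventory modelled on the question: real LANs per site.
SITES = {
    "central": ["192.168.1.0/24", "192.168.100.0/24"],
    "remote1": ["192.168.1.0/24"],
    "remote2": ["192.168.100.0/24"],
}


def find_overlaps(sites):
    """Sorted list of (site_a, net_a, site_b, net_b) for every pair of networks at
    different sites that overlap. Any hit means those two sites cannot reach each
    other's real addresses through a plain L2L tunnel and need translation."""
    hits = []
    names = sorted(sites)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in sites[a]:
                for nb in sites[b]:
                    if ip_network(na).overlaps(ip_network(nb)):
                        hits.append((a, na, b, nb))
    return hits


def plan_translations(sites, pool="10.255.0.0/16"):
    """Give each real LAN a unique translated prefix of the same size out of `pool`
    (an assumed, unused range). Returns {(site, real_prefix): translated_prefix}.
    A translated prefix is rejected if it collides with any real LAN or with a
    prefix already handed out, which is what keeps the crypto ACLs unambiguous."""
    pool_net = ip_network(pool)
    real = [ip_network(n) for nets in sites.values() for n in nets]
    plan, used = {}, []
    for site in sorted(sites):
        for net_s in sites[site]:
            net = ip_network(net_s)
            for cand in pool_net.subnets(new_prefix=net.prefixlen):
                if any(cand.overlaps(r) for r in real + used):
                    continue
                plan[(site, net_s)] = str(cand)
                used.append(cand)
                break
            else:
                raise ValueError(f"pool {pool} exhausted for {site} {net_s}")
    return plan


def crypto_acl_pairs(plan, local, remote):
    """Interesting-traffic pairs (local translated -> remote translated) that the
    local peer's crypto ACL must match; the remote peer needs the mirror image.
    Only translated prefixes appear here, never a site's real LAN."""
    return [(plan[(s, l)], plan[(t, r)])
            for (s, l) in plan if s == local
            for (t, r) in plan if t == remote]


if __name__ == "__main__":
    for hit in find_overlaps(SITES):
        print("overlap:", hit)
    translations = plan_translations(SITES)
    for key, translated in translations.items():
        print(f"{key[0]:8} {key[1]:18} -> {translated}")
    print("remote1 crypto ACL pairs:", crypto_acl_pairs(translations, "remote1", "central"))
```

Run stand-alone it prints the two overlapping pairs, the per-site translations, and the pairs remote site one would put in its crypto ACL; swapping the `local`/`remote` arguments yields the mirror the central site needs.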
Tags: Cisco Security
Similar Questions
-
IPSec tunnel between a client connection mobility and WRV200
Has anyone set up an IPSec tunnel between a mobility client connection and a WRV200? I can't get the right configuration.
Hi, these products are handled by the Cisco Small Business support community. Please refer to the URL: https://supportforums.cisco.com/community/netpro/small-business
-
Problem on the establishment of a GRE/IPsec tunnel between 2 cisco routers
Hello world
I am trying to establish a GRE/IPsec tunnel between two Cisco routers (a 2620XM and an 836).
I created tunnel interfaces on both routers as follows.
2620XM
interface Tunnel0
 ip address 10.1.5.2 255.255.255.252
 tunnel source x.x.x.x
 tunnel destination y.y.y.y
end
836
interface Tunnel0
 ip address 10.1.5.1 255.255.255.252
 tunnel source y.y.y.y
 tunnel destination x.x.x.x
end
and the isakmp/ipsec configuration as follows:
2620XM
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key {keys} address y.y.y.y no-xauth
!
!
crypto ipsec transform-set to_melissia esp-des esp-md5-hmac
!
crypto map myvpn 9 ipsec-isakmp
 set peer y.y.y.y
 set transform-set to_melissia
 match address 101
2620XM-router#sh ip access-list 101
Extended IP access list 101
    10 permit gre host x.x.x.x host y.y.y.y
836
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key {keys} address x.x.x.x no-xauth
!
!
crypto ipsec transform-set to_metamorfosi esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set to_metamorfosi
 match address 101
836-router#sh access-list 101
Extended IP access list 101
    10 permit gre host x.x.x.x host y.y.y.y
Unfortunately I get no isakmp security associations at all, and when I enable debugging I get this output.
CRYPTO: IPSEC (crypto_map_check_encrypt_core): CRYPTO: removed package as currently being created cryptomap.
Any ideas why I get this result? Any help will be much appreciated.
Thank you!!!
I think it's possible. It seems to me that you are assuming that the address of the interface where the crypto map is applied is the peering address. While this is the default behaviour, it is possible to configure it differently.
As you have discovered, the crypto map must be on the physical outgoing interface. If you want the peering address to be different from the address of the physical outgoing interface, then you can add this command to your crypto map:
crypto map <map-name> local-address <interface-id>
So if you put loopback0 as the interface-id, it would use loopback0 as the peering address even if the crypto map is applied on serial0/0 or another physical interface.
HTH
Rick
-
IPSEC tunnel between 2 7606 PE
I am creating an IPSec tunnel between two 7606 PE routers... I get this error when I ping across, and if I start using the path, LDP goes down.
12 Nov 16:32:22.801 IS: IPSEC (key_engine): request timer shot: count = 1,.
local (identity) = 10.10.135.1, distance = 10.10.135.2.
local_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4),
remote_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4)
12 Nov 16:32:22.801 IS: IPSEC (sa_request):,.
(Eng. msg key.) Local OUTGOING = 10.10.135.1, distance = 10.10.135.2.
local_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4),
remote_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4),
Protocol = ESP, transform = NONE (Tunnel),
lifedur = 190 s and 4608000 Ko,.
SPI = 0 x 0 (0), id_conn = 0, keysize = 256, flags = 0 x 0
12 Nov 16:32:22.801 IS: ISAKMP: (0): profile of ITS application is test
12 Nov 16:32:22.801 IS: ISAKMP: created a struct peer 10.10.135.2, peer port 500
12 Nov 16:32:22.801 IS: ISAKMP: new position created post = 0x5326A08C peer_handle = 0x8000001A
12 Nov 16:32:22.801 IS: ISAKMP: lock struct 0x5326A08C, refcount 1 to peer isakmp_initiator
12 Nov 16:32:22.801 IS: ISAKMP: 500 local port, remote port 500
12 Nov 16:32:22.801 IS: ISAKMP: impossible to allocate IKE SA
12 Nov 16:32:22.801 IS: ISAKMP: Unlocking counterpart struct 0x5326A08C for isadb_unlock_peer_delete_sa(), count 0
12 Nov 16:32:22.801 IS: ISAKMP: delete peer node by peer_reap for 10.10.135.2: 5326A08C
12 Nov 16:32:22.801 IS: ISAKMP: (0): purge SA., his = 0, delme = 532E8364
PE2 #.
12 Nov 16:32:22.801 IS: ISAKMP: error during the processing of HIS application: failed to initialize SA
12 Nov 16:32:22.801 IS: ISAKMP: error while processing message KMI 0, error 2.
12 Nov 16:32:22.801 IS: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
PE2 #.
12 Nov 16:32:52.801 IS: IPSEC (key_engine): request timer shot: count = 2,.
local (identity) = 10.10.135.1, distance = 10.10.135.2.
local_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4),
remote_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4)
IPsec is simply not supported on the 6500 and 7600 series without an IPsec module (IPsec-SPA or VPNSM), sorry.
-
Static IPsec tunnel between two Cisco routers [VRF aware]
Hi all
I am trying to configure a static IPsec tunnel between two routers. Router R1 has no VRF, only the global routing table.
Router R2 has two routing tables:
* vrf INET - used for internet connectivity
* global routing table - used for VPN connections
Here are the basic configs:
R1
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 7V7u841k2D3Q7v98d6Y4z0zF address 203.0.0.3
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set TRSET_AES-256_SHA esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile TUNNEL-IPSEC-PROTECTION
 set transform-set TRSET_AES-256_SHA
!
interface Loopback0
 ip address 10.0.1.1 255.255.255.255
 ip ospf 1 area 0
!
interface Tunnel0
 ip address 192.168.255.34 255.255.255.252
 ip ospf 1 area 0
 tunnel source FastEthernet0/0
 tunnel destination 203.0.0.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TUNNEL-IPSEC-PROTECTION
!
interface FastEthernet0/0
 ip address 102.0.0.1 255.255.255.0
!
ip route 203.0.0.3 255.255.255.255 FastEthernet0/0 102.0.0.2
#######################################################
R2
ip vrf INET
 rd 1:1
!
crypto keyring test vrf INET
 pre-shared-key address 102.0.0.1 key 7V7u841k2D3Q7v98d6Y4z0zF
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp profile test
 keyring test
 match identity address 102.0.0.1 255.255.255.255
!
crypto ipsec transform-set TRSET_AES-256_SHA esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile TUNNEL-IPSEC-PROTECTION
 set transform-set TRSET_AES-256_SHA
 set isakmp-profile test
!
interface Loopback0
 ip address 10.0.2.2 255.255.255.255
 ip ospf 1 area 0
!
interface Tunnel0
 ip address 192.168.255.33 255.255.255.252
 ip ospf 1 area 0
 tunnel source FastEthernet0/0
 tunnel destination 102.0.0.1
 tunnel mode ipsec ipv4
 tunnel vrf INET
 tunnel protection ipsec profile TUNNEL-IPSEC-PROTECTION
!
interface FastEthernet0/0
 ip vrf forwarding INET
 ip address 203.0.0.3 255.255.255.0
!
ip route 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2
#######################################################
There is a router between R1 and R2, used only for connectivity:
interface FastEthernet0/0
 ip address 102.0.0.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 203.0.0.2 255.255.255.0
The problem is that the tunnel is not coming up; I can't get past phase I.
IPsec VPNs are not my strength, so if someone could show me what mistake I'm making, I'd really appreciate it.
I have attached the output of "debug crypto isakmp" from R2.
The source and destination of Tunnel0 belong to VRF INET, so the static route needs to be updated:
ip route vrf INET 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2
crypto isakmp profile test
 vrf INET
 keyring test
 match identity address 102.0.0.1 255.255.255.255
-
Multiple IPSec tunnels between two ISRs
Hello, I have a 2851 at HQ and a 2821 at the 2nd site. I use an IPSec VPN to connect the two LANs and it works very well. Now I want to connect another LAN on each site through the same VPN. I want to separate the traffic between the LANs. Is this possible?
You cannot use another crypto map if you must use the same IPs for the peers.
If you have other IP addresses at each end to terminate the tunnel, you can use another crypto map.
If not, then you can manipulate your interesting-traffic ACL to decide which LAN can reach which LAN.
-
Can I weight IPSec tunnels between ASAs?
Hello
Remote site: NYC, 150 Mb/s internet link
Local site: Baltimore, 400 Mb/s internet link
Backup site: Washington, 200 Mb/s internet link
My main site and my backup site are connected via a gigabit Ethernet circuit between the respective core switches. Each site has its own internet connection, and OSPF lets them switch their traffic to the backup site if the main site is down. We are opening an office in New York with a single ASA connected to a 150 Mbps FIOS internet circuit. We want to set up an IPSec tunnel from the remote site to the main site and to the backup site, but we want the remote site to prefer the tunnel to Baltimore unless it is down.
The interesting traffic would be the same for the two tunnels.
I know that an ASA cannot be a GRE endpoint. How can I force the New York traffic through the tunnel to Baltimore as long as it works? Can an IPSec tunnel be weighted?
Thank you
It is not weighting as such, but you can configure up to 10 backup LAN-to-LAN IPsec VPN peers.
For each tunnel, the security appliance tries to negotiate with the first peer in the list. If this peer does not respond, the security appliance works its way down the list until a peer responds or there are no more peers in the list.
-
IPSec tunnel between Cisco 2801 and Netscreen 50 with static NAT
Hello
My problem isn't really the IPSec connection between the two devices (it is already done...). My problem is that I have a mail server on the Cisco site which has a static NAT from inside to outside. Due to the static NAT, I do not see the server through the VPN tunnel. I found a document that almost describes the problem:
"Configuration of a router IPSEC Tunnel private-to-private network with NAT and static" (Document ID 14144)
NAT takes place before the encryption verification!
In this document, the solution is policy routing using a loopback interface. But how can I handle this with the Netscreen firewall? Does someone have an idea?
Thanks for any help
Best regards
Heiko
Hello
Try to change your static NAT to a policy-based static NAT.
That is to say, the static NAT should not apply to VPN traffic:
route-map static permit 1
 match ip address 104
access-list 104 deny ip host 10.1.110.10 10.1.0.0 0.0.255.255
access-list 104 permit ip host 10.1.110.10 any
ip nat inside source static 10.1.110.10 81.222.33.90 route-map static
HTH
Kind regards
GE.
-
IPSec tunnel between 2 routers
Hello
I am trying to configure an IPSec VPN tunnel between 2 Cisco routers connected to the internet via their ATM interfaces; my router is an 1841 with network address 10.200.36.0, and the remote router is an 877 with network address 192.168.9.0.
I have tried to follow some tutorials, unsuccessfully, because I still can't ping all IP addresses on the remote network, and the VPN tunnel is not up either!
Could you please give me a configuration template, or maybe let me know step by step how to configure my router and the remote router?
Thank you very much!
Regards
Riccardo
Here is an example. x.x.x.x and y.y.y.y are the public IPs of the routers:
hostname ROUTER1
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp key cisco1234 address y.y.y.y
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile TunnelProfile
 set transform-set ESP-AES256-SHA1
!
interface Tunnel0
 ip address 10.255.255.0 255.255.255.254
 tunnel source Dialer0
 tunnel destination y.y.y.y
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TunnelProfile
!
interface Dialer0
 ip address x.x.x.x
!
ip route 192.168.9.0 255.255.255.0 Tunnel0
hostname ROUTER2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp key cisco1234 address x.x.x.x
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile TunnelProfile
 set transform-set ESP-AES256-SHA1
!
interface Tunnel0
 ip address 10.255.255.1 255.255.255.254
 tunnel source Dialer0
 tunnel destination x.x.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TunnelProfile
!
interface Dialer0
 ip address y.y.y.y
!
ip route 10.200.36.0 255.255.255.0 Tunnel0
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni
-
Double IPSec tunnel between routers
I am facing the following challenge:
I have two routers and want to build two IPSec tunnels between them, using IPsec tunnel interfaces.
The two tunnel interfaces would in that case have the same source and destination IP addresses.
With a single tunnel interface defined, it works well; however, as soon as the second tunnel interface is defined, the first one breaks down.
Here is an example configuration:
interface Tunnel0
 ip address 192.168.1.1 255.255.255.252
 tunnel source Serial1/0
 tunnel destination 10.1.1.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsecprofile
!
interface Tunnel1
 ip address 192.168.1.5 255.255.255.252
 tunnel source Serial1/0
 tunnel destination 10.1.1.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsecprofile
!
In fact, the matter is more a conceptual issue than a direct one. What is the root cause that this type of configuration does not work?
The ESP protocol distinguishes ESP SAs between endpoints based on the SPI identifier as well, doesn't it? If so, what is wrong here?
Thanks in advance...
Hi Frank,.
As a general rule, you cannot have two tunnel interfaces with the same tunnel source (Serial1/0) and tunnel destination (10.1.1.6) and the same tunnel mode (ipv4).
The workaround would be to source one of the tunnels from a loopback interface.
That is, tunnel 1: tunnel_interface_1---Serial1/0---internet---10.1.1.6
and tunnel 2: tunnel_interface_2---loopback---Serial1/0---internet---10.1.1.6
This way the two tunnels can be up at the same time.
I hope this helps.
-Shrikant
P.S.: Please mark the question as answered if it has been resolved. Rate the useful posts. Thank you.
-
Traffic fails on a plain IPSec tunnel between two 892s
I have a weird case and am looking for some suggestions/thoughts on where to dig, because I have exhausted the options.
Note: I replaced the real network IDs with the ones mentioned below.
Topology: a classic IPSec VPN tunnel between two Cisco 892s, with pre-shared key and no GRE. One 892 (Branch_892) has access to the Internet using PPPoE and has three networks/VLANs behind it. One VLAN is NATed to the PPPoE internet access. Access to the other two VLANs, VL92 (100.100.200.0/24) and VL93 (100.100.100.0/24), is through the VPN tunnel.
The second 892 (892_DC) has just one interface, WAN on Gigabit, enabled/connected, and a static route to the default GW. It doesn't have any internal network defined. This router is strictly used to send traffic for VL92/VL93 to the Branch_892 via the IPSec tunnel.
Here's the problem: access to VL93 (100.100.100.0/24) works; however, for VL92 (100.100.100.0/24) it does not work.
From devices in VL92 I can ping the IP address of 892_DC through the VPN tunnel. From the 892_DC router I can ping devices in VL92. However, from VL92 I can't ping any device beyond the 892_DC, and at the same time the packets arriving on 892_DC for VL92 are not sent through the VPN tunnel.
I took a packet trace on 892_DC using a capture point/buffer to capture the VL92 packets and saw the traffic arriving at the 892_DC. I ran the same capture on Branch_892, and there was not a single packet.
So... what's the problem? More interestingly, I modified the VL92 entry in the access list and still no packets are sent through the tunnel.
Any idea? The two routers' configs are below.
-------
892_DC#show run
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key * address 1.2.3.4
crypto isakmp keepalive 10 periodic
!
crypto isakmp peer address 1.2.3.4
 description of-COIL-892
!
!
crypto ipsec transform-set IT-IPSec-Transform-Set esp-aes 256 esp-sha256-hmac
crypto ipsec df-bit clear
!
crypto map IT-IPSec-Crypto-map 10 ipsec-isakmp
 set peer 1.2.3.4
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 86400
 set transform-set IT-IPSec-Transform-Set
 match address 101
 reverse-route
 qos pre-classify
!
interface GigabitEthernet0
 ip address 10.20.30.40 255.255.255.240
 ip mtu 1400
 ip tcp adjust-mss 1360
 duplex auto
 speed auto
 crypto map IT-IPSec-Crypto-map
!
ip route 0.0.0.0 0.0.0.0 10.20.30.41
!
access-list 101 permit ip any 100.100.100.0 0.0.0.255 log
access-list 101 permit ip any 100.100.200.0 0.0.0.255 log
-------------------------------------------------------------------------------------
Branch_892#sh run
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key * address 10.20.30.40
crypto isakmp keepalive 10 periodic
!
crypto isakmp peer address 10.20.30.40
!
!
crypto ipsec transform-set IT-IPSec-Transform-Set esp-aes 256 esp-sha256-hmac
crypto ipsec df-bit clear
!
crypto map IT-IPSec-Crypto-map 10 ipsec-isakmp
 set peer 10.20.30.40
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 86400
 set transform-set IT-IPSec-Transform-Set
 match address 101
 reverse-route
 qos pre-classify
!
interface FastEthernet6
 description VL92
 switchport access vlan 92
!
interface FastEthernet7
 description VL93
 switchport access vlan 93
!
interface GigabitEthernet0
 description # to WAN #
 no ip address
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
!
interface Vlan1
 description # local #
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan92
 description fa6-nexus e100/0/40
 ip address 100.100.200.1 255.255.255.0
!
interface Vlan93
 description fa7-nexus e100/0/38
 ip address 100.100.100.1 255.255.255.0
!
interface Dialer0
 no ip address
 no cdp enable
!
interface Dialer1
 ip address 1.2.3.4 255.255.255.248
 ip mtu 1454
 ip nat outside
 ip virtual-reassembly in max-reassemblies 256
 encapsulation ppp
 ip tcp adjust-mss 1414
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname ~~~
 ppp chap password =.
 no cdp enable
 crypto map IT-IPSec-Crypto-map
!
dialer-list 1 protocol ip permit
!
access-list 101 permit ip 100.100.100.0 0.0.0.255 any
access-list 101 permit ip 100.100.200.0 0.0.0.255 any
!
ip route 0.0.0.0 0.0.0.0 Dialer1
Yes, sounds correct - so another possible problem is the routing. Is the routing 100% correct on both sides? Can you post both sides' config for review?
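As an added check for this kind of thread (not part of the original post or of Cisco's tooling): the crypto ACL on each peer must be the mirror image of the other's, or the phase 2 proxy identities will not match. The Python below parses the two access-list 101 definitions posted above (the trailing `log` keyword appears as "connect" in the machine-translated post) and reports entries with no mirror on the far side; a constructed second branch ACL with the VL92 line missing shows what a mismatch looks like.

```python
"""Mirror check for IOS crypto ACLs (added example): every 'permit ip SRC DST' on
one peer must appear as 'permit ip DST SRC' on the other peer."""
import re
from ipaddress import ip_network

# The two ACLs as posted in this thread (DC side and branch side).
DC_ACL = """
access-list 101 permit ip any 100.100.100.0 0.0.0.255 log
access-list 101 permit ip any 100.100.200.0 0.0.0.255 log
"""
BRANCH_ACL = """
access-list 101 permit ip 100.100.100.0 0.0.0.255 any
access-list 101 permit ip 100.100.200.0 0.0.0.255 any
"""
# Constructed variant of the branch ACL with the VL92 line left out.
BRANCH_ACL_MISSING_VL92 = "access-list 101 permit ip 100.100.100.0 0.0.0.255 any"

_ENTRY = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")


def _take_addr(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD) and return
    (network, remaining_tokens). The wildcard is complemented explicitly because
    an IOS wildcard of 0.0.0.0 means a single host, not 0.0.0.0/0."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wild = tokens[0], tokens[1]
    mask = ".".join(str(255 - int(octet)) for octet in wild.split("."))
    return ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_acl(text):
    """Set of (action, protocol, src_prefix, dst_prefix) for every extended ACL
    entry in `text`; trailing keywords such as 'log' are ignored."""
    entries = set()
    for line in text.strip().splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue
        _, action, proto, rest = m.groups()
        src, rest_tokens = _take_addr(rest.split())
        dst, _ = _take_addr(rest_tokens)
        entries.add((action, proto, str(src), str(dst)))
    return entries


def mirror_mismatches(local_text, peer_text):
    """Entries on the local side whose mirror (src and dst swapped) is absent on
    the peer, and peer entries whose mirror is absent locally. Both lists empty
    means the proxy identities line up."""
    local, peer = parse_acl(local_text), parse_acl(peer_text)
    mirrored_peer = {(a, p, d, s) for (a, p, s, d) in peer}
    mirrored_local = {(a, p, d, s) for (a, p, s, d) in local}
    return {"only_local": sorted(local - mirrored_peer),
            "only_peer": sorted(peer - mirrored_local)}


if __name__ == "__main__":
    print("posted ACLs:", mirror_mismatches(DC_ACL, BRANCH_ACL))
    print("VL92 missing:", mirror_mismatches(DC_ACL, BRANCH_ACL_MISSING_VL92))
```

For the ACLs as posted the result is empty on both sides, which is consistent with the thread moving on to routing; the constructed variant reports the DC entry for 100.100.200.0/24 as having no mirror.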
-
NAT in the IPSec tunnel between 2 x IOS routers (877)
Hi all
We have a customer with 2 x 877 routers connected to the internet. These routers are configured with an IPSec tunnel (which works fine). The problem is that the inbound static NAT translations cause problems with the tunnel: port 25 is mapped to the inside address of the mail server. The existing configuration works very well for incoming mail, but prevents users from accessing the mail server directly (using the private IP address) on port 25.
Here is the Config NAT:
ip nat pool INET_POOL netmask 255.255.255.252
ip nat inside source route-map INET_NAT pool INET_POOL overload
ip nat inside source static tcp 10.10.0.8 25 25 extendable
ip nat inside source static tcp 10.10.0.8 80 80 extendable
ip nat inside source static tcp 10.10.0.8 443 443 extendable
ip nat inside source static tcp 10.10.0.7 1433 1433 extendable
ip nat inside source static tcp 10.10.0.7 3389 3389 extendable
route-map INET_NAT permit 1
 match ip address 101
access-list 101 deny ip 10.10.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.10.0.0 0.0.0.255 any
On the ASA I would set up a NAT exemption, but how do I do the same thing in IOS?
Cheers,
Luke
Take a look at this link:
http://www.Cisco.com/en/us/docs/iOS/12_2t/12_2t4/feature/guide/ftnatrt.html
Regards
Farrukh
-
Problem with IPSEC tunnel between Cisco PIX and Cisco ASA
Hi all!
We have a strange problem with one of our IPsec tunnels for one of our customers: we can bring the tunnel up from the customer's site, but not from our site. I don't understand what's wrong; if it were a configuration problem, we shouldn't be able to bring the tunnel up at all.
On our side as initiator:
Jan 14 13:53:26 172.27.1.254% PIX-7-702208: ISAKMP Phase 1 Exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254% PIX-7-702210: Exchange of ISAKMP Phase 1 is complete (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254% 6-PIX-602202: ISAKMP connected session (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254% PIX-6-602201: Phase 1 ISAKMP Security Association created (local 1.1.1.1/500 (initiator), 2.2.2.2/500 remotely, authentication = pre-action, encryption = 3DES-CBC, hash = SHA, group = 2, life = 86400 s)
Jan 14 13:53:26 172.27.1.254% PIX-7-702209: ISAKMP Phase 2 Exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254% PIX-7-702201: ISAKMP Phase 1 delete received (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254% PIX-6-602203: ISAKMP disconnected session (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:56 172.27.1.254% PIX-7-702303: sa_request, CBC (MSG key in English) = 1.1.1.1, dest = 2.2.2.2, src_proxy = 172.27.1.10/255.255.255.255/0/0 (type = 1), dest_proxy = 192.168.100.18/255.255.255.255/0/0 (type = 1), Protocol is ESP transform = lifedur hmac-sha-esp, esp-3des 28800 = s and 4608000 Ko, spi = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 4004
The customer's site as responder:
14 jan 11:58:23 172.27.1.254% PIX-7-702208: ISAKMP Phase 1 Exchange started (local 1.1.1.1 (answering machine), 2.2.2.2 remote)
14 jan 11:58:23 172.27.1.254% PIX-7-702210: Exchange of ISAKMP Phase 1 is complete (local 1.1.1.1 (answering machine), 2.2.2.2 remote)
14 jan 11:58:23 172.27.1.254% 6-PIX-602202: ISAKMP connected session (local 1.1.1.1 (answering machine), 2.2.2.2 remote)
14 jan 11:58:23 172.27.1.254% PIX-6-602201: Phase 1 ISAKMP Security Association created (local 1.1.1.1/500 (answering machine), distance 2.2.2.2/500, authentication = pre-action, encryption = 3DES-CBC, hash = MD5, group = 1, life = 86400 s)
14 jan 11:58:23 172.27.1.254% PIX-7-702209: ISAKMP Phase 2 Exchange started (local 1.1.1.1 (answering machine), 2.2.2.2 remote)
14 jan 11:58:23 172.27.1.254% PIX-6-602301: its created, (his) sa_dest = 2.2.2.2, sa_prot = 50, sa_spi = 0x9de820bd (2649235645) sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 116
14 jan 11:58:23 172.27.1.254% PIX-7-702211: Exchange of ISAKMP Phase 2 is complete (local 1.1.1.1 (answering machine), 2.2.2.2 remote)
Jan 14 12:28:54 172.27.1.254% PIX-6-602302: SA deletion, (his) sa_dest = 2.2.2.2, sa_prot = 50, sa_spi = 0x9de820bd (2649235645), sa_trans = esp-3desesp-sha-hmac, sa_conn_id = 116
Kind regards
Johan
From my experience, when a tunnel comes up from one side but not from the other, the problem is an inconsistency in the isakmp and ipsec policies, mainly the ipsec transform sets and the matching addresses. On the ASA platform, when a tunnel does not match a statically defined crypto map, it sometimes uses the dynamic tag to allocate this vpn connection. To check if this is the case, go ahead and do a "show crypto ipsec sa" when the tunnel is active on both sides, and see on the ASA whether the corresponding tunnel matches the static crypto map entry or whether it shows the dynamic crypto map.
I advise you to go through the settings on both sides and ensure that they are both configured in the opposite direction.
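Two things a defender can pull straight out of syslog lines like the ones quoted above: whether the phase 1 parameters the two peers report agree, and whether a phase 1 SA is torn down right after it is created (as in the initiator log above, where the 602201 "SA created" and the 702201 "delete received" messages carry the same timestamp). The Python below is an added example, not from the post; its sample lines are constructed in the appliance's native key=value form, modelled on the 602201, 702209 and 702201 messages quoted above.

```python
"""Triage helpers for PIX/ASA ISAKMP syslog lines (added example)."""
import re
from datetime import datetime

# Constructed sample log modelled on the initiator-side messages quoted in the
# post: phase 1 SA created, phase 2 started, then 'Phase 1 delete received'
# within the same second.
OUR_LOG = [
    "Jan 14 13:53:26 172.27.1.254 %PIX-6-602201: ISAKMP Phase 1 SA created "
    "(local 1.1.1.1/500 (initiator), remote 2.2.2.2/500, authentication=pre-share, "
    "encryption=3DES-CBC, hash=SHA, group=2, lifetime=86400s)",
    "Jan 14 13:53:26 172.27.1.254 %PIX-7-702209: ISAKMP Phase 2 exchange started "
    "(local 1.1.1.1 (initiator), remote 2.2.2.2)",
    "Jan 14 13:53:26 172.27.1.254 %PIX-7-702201: ISAKMP Phase 1 delete received "
    "(local 1.1.1.1 (initiator), remote 2.2.2.2)",
]
# Constructed responder-side 602201 line modelled on the customer's log above.
THEIR_602201 = (
    "Jan 14 11:58:23 172.27.1.254 %PIX-6-602201: ISAKMP Phase 1 SA created "
    "(local 1.1.1.1/500 (responder), remote 2.2.2.2/500, authentication=pre-share, "
    "encryption=3DES-CBC, hash=MD5, group=1, lifetime=86400s)"
)

PHASE1_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")
_KV = re.compile(r"\b(authentication|encryption|hash|group|lifetime)\s*=\s*([^,\s)]+)")
_TS = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})")
_REMOTE = re.compile(r"\bremote\s+(\d+\.\d+\.\d+\.\d+)")


def parse_phase1(line):
    """Attributes of a 602201 (phase 1 SA created) line as a dict, or None when
    the line is some other message, so a whole log can be fed through."""
    if "602201" not in line:
        return None
    attrs = dict(_KV.findall(line))
    attrs["role"] = "initiator" if "(initiator)" in line else "responder"
    return attrs


def phase1_differences(line_a, line_b):
    """{attribute: (value_a, value_b)} for each phase 1 parameter the two peers
    reported differently; an empty dict means both sides describe the same SA."""
    a, b = parse_phase1(line_a), parse_phase1(line_b)
    if a is None or b is None:
        raise ValueError("both lines must be 602201 messages")
    return {k: (a.get(k), b.get(k)) for k in PHASE1_KEYS if a.get(k) != b.get(k)}


def short_lived_phase1(lines, max_seconds=5):
    """Peers whose phase 1 SA was deleted (702201) within max_seconds of being
    created (602201), as [(peer_ip, seconds_alive)] in log order. A delete this
    soon after creation means the far side tore the SA down before phase 2
    completed, which is the pattern the post's initiator log shows."""
    created, findings = {}, []
    for line in lines:
        ts_m, peer_m = _TS.match(line), _REMOTE.search(line)
        if not ts_m or not peer_m:
            continue
        ts = datetime.strptime(ts_m.group(1), "%b %d %H:%M:%S")
        peer = peer_m.group(1)
        if "602201" in line:
            created[peer] = ts
        elif "702201" in line and peer in created:
            age = (ts - created.pop(peer)).total_seconds()
            if age <= max_seconds:
                findings.append((peer, age))
    return findings


if __name__ == "__main__":
    print("phase 1 differences:", phase1_differences(OUR_LOG[0], THEIR_602201))
    print("short-lived phase 1 SAs:", short_lived_phase1(OUR_LOG))
```

On the constructed lines the first function reports the hash and group differing between the two sides' 602201 messages, and the second flags peer 2.2.2.2 with an SA lifetime of 0 seconds; both are the facts a practitioner would want in hand before comparing the two peers' isakmp policies.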
-
IPSec Tunnel permanent between two ASA
Hello
I configured an IPSec VPN tunnel between two ASA 5505 firewalls. I want to make sure that the IPSec tunnel (that is, the security association) is permanent and does not drop due to the idle state.
What should I do?
Thanks for any help
Yves
Disable IKE keepalive processing, which is enabled by default:
hostname(config)# tunnel-group 10.165.205.222 ipsec-attributes
hostname(config-tunnel-ipsec)# isakmp keepalive disable
Set a maximum time for VPN connections with the vpn-session-timeout command in group-policy configuration mode or username configuration mode:
hostname(config)# group-policy DfltGrpPolicy attributes
hostname(config-group-policy)# vpn-idle-timeout none
hostname(config)# group-policy DfltGrpPolicy attributes
hostname(config-group-policy)# vpn-session-timeout none
Thank you
Ajay
-
Cisco ASA IPsec tunnel disconnects after a while
Hi all
I've set up an IPsec tunnel between a SonicWALL Pro and a Cisco ASA 5510. The tunnel is established and the two subnets can access each other.
I then added a static route to a public IP address in the SonicWALL IPsec policy, so that all traffic to this IP address goes through the IPsec tunnel. It also works very well.
But the problem is that the IPsec tunnel sometimes breaks down, and then I need to renegotiate the IPsec on the SonicWALL to restore the tunnel.
This happens twice a day. I fear that this behaviour is because of problems with the config. I'm pasting my ASA running config here. Please give some advice.
SonicWALL: public IP 1.1.1.2, subnet 192.168.10.0
Cisco ASA: public IP 1.1.1.1, subnet 192.168.5.0
ciscoasa# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 66.28.0.45
 name-server 66.28.0.61
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service rdp tcp
 port-object eq 3389
object-group service OpenVPN tcp
 port-object eq 1194
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit tcp any host # eq pptp
access-list outside extended permit gre any host #
access-list outside extended permit udp any any eq 1701
access-list outside extended permit icmp any any
access-list outside extended permit tcp any host # eq ftp
access-list outside extended permit tcp any host # eq ssh
access-list outside extended permit tcp any host # object-group rdp log disable
access-list outside extended permit tcp any host 1.1.1.1 object-group OpenVPN
access-list sheep extended permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list sheep extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list L2L extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool ippool 192.168.5.131-192.168.5.151 mask 255.255.255.0
ip local pool l2tppool 192.168.5.155-192.168.5.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 192.168.10.0 255.255.255.0
nat (outside) 1 192.168.5.0 255.255.255.0
nat (inside) 0 access-list sheep
nat (inside) 1 192.168.5.0 255.255.255.0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 38.106.51.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 5 set reverse-route
crypto dynamic-map easyvpn 10 set transform-set RIGHT
crypto dynamic-map easyvpn 10 set reverse-route
crypto map mymap 10 match address l2l
crypto map mymap 10 set peer 1.1.1.2
crypto map mymap 10 set transform-set RIGHT
crypto map mymap 30000 ipsec-isakmp dynamic easyvpn
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 3600
telnet 192.168.5.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
l2tp tunnel hello 10
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 66.28.0.45 66.28.0.61
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value cisco.com
group-policy DfltGrpPolicy attributes
group-policy easyvpn internal
group-policy easyvpn attributes
 dns-server value 66.28.0.45 66.28.0.61
 vpn-tunnel-protocol IPSec
 ipsec-udp enable
 split-tunnel-policy tunnelall
 address-pools value ippool
vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool l2tppool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
 pre-shared-key *
tunnel-group easyvpn type remote-access
tunnel-group easyvpn general-attributes
 default-group-policy easyvpn
tunnel-group easyvpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5542615c178d2803f764c9b8f104732b
: end
I guess you have a typo in the ASA configuration?
access-list L2L extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list extended permit ip host <voip public ip> 192.168.10.0 255.255.255.0
Can you confirm that you have configured the following instead:
access-list l2l extended permit ip host <voip public ip> 192.168.10.0 255.255.255.0
Moreover, even though the crypto map tag says easyvpn, the peer address correctly points to 1.1.1.2.
In addition, I don't know why you have the following configuration (if it is not necessary I suggest it be removed, followed by 'clear xlate' after the removal):
nat (outside) 1 192.168.10.0 255.255.255.0
Finally, please turn off keepalive on the SonicWALL.
If the foregoing still doesn't resolve the issue, can you try to remove the dynamic crypto map from the ASA (no crypto map mymap 30000 ipsec-isakmp dynamic easyvpn), clear the tunnel, try to bring up the tunnel between the ASA and the SonicWALL, and take the output of "show crypto isakmp sa" and "show crypto ipsec sa"? I'm curious to see why it always refers to the easyvpn crypto map. When you remove the dynamic crypto map, the remote access client VPN and dynamic LAN-to-LAN VPN will not work.