IPSec tunnel does not work
Hello
I'm practising a bit with two Cisco routers, a 2811 and a 2621. I did the basic configuration for an IPsec connection, but the tunnel does not seem to come up. I can ping the outside interface of the other router, but I cannot ping the inside network behind each of them. Any ideas? The outside interfaces are connected with a UTP crossover cable. Here's the sh run of each:
2621 router:
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RPrueba2
!
logging buffered 51200 warnings
enable secret 5 $1$oNw1$SQaqP.FazBuaiVZ3MHte70
!
username supervisor privilege 15 password 7 07062F49420C1A110513
voice-card 1
!
ip subnet-zero
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key Inelectra address 20.20.20.21
!
crypto ipsec transform-set basic esp - esp-md5-hmac
!
crypto map Armadillo 1 ipsec-isakmp
 set peer 20.20.20.21
 set security-association lifetime seconds 4000
 set transform-set basic
 set pfs group1
 match address 101
!
call rsvp-sync
!
controller E1 1/0
!
interface FastEthernet0/0
 ip address 192.168.250.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 20.20.20.1 255.255.255.0
 duplex auto
 speed auto
 crypto map Armadillo
!
interface Serial0/1
 no ip address
 shutdown
!
interface Serial0/2
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 20.20.20.21
ip http server
!
access-list 101 permit ip 192.168.250.0 0.0.0.255 any
access-list 102 permit ip 192.168.250.0 0.0.0.255 192.168.240.0 0.0.0.255
!
dial-peer cor custom
!
line con 0
 password 7 020F0A5E07030C355E4F
 login
line aux 0
line vty 0 4
 privilege level 15
 password 7 12100B121E0E0F10382A
 login
 transport input telnet ssh
!
end
2811 router:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RPrueba
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$oNw1$SQaqP.FazBuaiVZ3MHte70
!
no aaa new-model
!
resource policy
!
memory-size iomem 15
no network-clock-participate wic 1
ip subnet-zero
!
ip cef
!
voice-card 0
 no dspfarm
!
username supervisor privilege 15 password 7 07062F49420C1A110513
!
controller E1 1/0/0
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key Inelectra address 20.20.20.1
!
crypto ipsec transform-set Ineset ah-md5-hmac esp - a
crypto ipsec transform-set basic esp - esp-md5-hmac
!
crypto map Armadillo 1 ipsec-isakmp
 set peer 20.20.20.1
 set security-association lifetime seconds 4000
 set transform-set basic
 set pfs group1
 match address 102
!
interface FastEthernet0/0
 ip address 192.168.240.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 20.20.20.21 255.255.255.0
 duplex auto
 speed auto
 crypto map Armadillo
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
ip classless
ip route 0.0.0.0 0.0.0.0 20.20.20.1
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.240.0 0.0.0.255 any
access-list 102 permit ip 192.168.240.0 0.0.0.255 192.168.250.0 0.0.0.255
!
control-plane
!
line con 0
 password 7 020F0A5E07030C355E4F
 login
line aux 0
line vty 0 4
 privilege level 15
 password 7 12100B121E0E0F10382A
 login
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
I also tried show crypto isakmp sa and there is nothing in the table. Thanks for any help.
Gustavo
Under crypto map Armadillo on the 2621 router, use crypto ACL 102 instead of 101:
match address 102
Then clear the ISAKMP and IPsec SAs,
then try to ping.
Tags: Cisco Security
Similar Questions
-
Hi all
We have an IPSec tunnel that does not work. I think Phase 2 is not established, but I don't know why.
Output and log attached.
Thanks for your help
ASA-VPN-PRI/act/pri# sh crypto isakmp sa
!
13   IKE Peer: 91.209.243.5
     Type    : L2L             Role    : responder
     Rekey   : no              State   : MM_ACTIVE
ASA-VPN-PRI/act/pri# sh crypto isakmp sa | include 91.209.243.5
12   IKE Peer: 91.209.243.5
ASA-VPN-PRI/act/pri# sh crypto ipsec sa | include 91.209.243.5
ASA-VPN-PRI/act/pri#
7 | Dec 17 2014 | 15:40:48 | 713236 | IP = 91.209.243.5, IKE_DECODE SENDING Message (msgid=c516994b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7 | Dec 17 2014 | 15:40:48 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, constructing qm hash payload
7 | Dec 17 2014 | 15:40:48 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, constructing blank hash payload
7 | Dec 17 2014 | 15:40:48 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x7d6c)
7 | Dec 17 2014 | 15:40:48 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, Received keep-alive of type DPD R-U-THERE (seq number 0x7d6c)
7 | Dec 17 2014 | 15:40:48 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
7 | Dec 17 2014 | 15:40:48 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing hash payload
7 | Dec 17 2014 | 15:40:48 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIVED Message (msgid=29bf4142) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7 | Dec 17 2014 | 15:40:43 | 713236 | IP = 91.209.243.5, IKE_DECODE SENDING Message (msgid=b72ddf0a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7 | Dec 17 2014 | 15:40:43 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, constructing qm hash payload
7 | Dec 17 2014 | 15:40:43 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, constructing blank hash payload
7 | Dec 17 2014 | 15:40:43 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x7d6b)
7 | Dec 17 2014 | 15:40:43 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, Received keep-alive of type DPD R-U-THERE (seq number 0x7d6b)
7 | Dec 17 2014 | 15:40:43 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
7 | Dec 17 2014 | 15:40:43 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing hash payload
7 | Dec 17 2014 | 15:40:43 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIVED Message (msgid=ae5305df) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7 | Dec 17 2014 | 15:40:38 | 713236 | IP = 91.209.243.5, IKE_DECODE SENDING Message (msgid=b796798d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7 | Dec 17 2014 | 15:40:38 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, constructing qm hash payload
7 | Dec 17 2014 | 15:40:38 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, constructing blank hash payload
7 | Dec 17 2014 | 15:40:38 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x7d6a)
7 | Dec 17 2014 | 15:40:38 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, Received keep-alive of type DPD R-U-THERE (seq number 0x7d6a)
7 | Dec 17 2014 | 15:40:38 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
7 | Dec 17 2014 | 15:40:38 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing hash payload
7 | Dec 17 2014 | 15:40:38 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIVED Message (msgid=98241c63) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7 | Dec 17 2014 | 15:40:33 | 713236 | IP = 91.209.243.5, IKE_DECODE SENDING Message (msgid=e233621d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7 | Dec 17 2014 | 15:40:33 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, constructing qm hash payload
7 | Dec 17 2014 | 15:40:33 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, constructing blank hash payload
7 | Dec 17 2014 | 15:40:33 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x7d69)
7 | Dec 17 2014 | 15:40:33 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, Received keep-alive of type DPD R-U-THERE (seq number 0x7d69)
7 | Dec 17 2014 | 15:40:33 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
7 | Dec 17 2014 | 15:40:33 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing hash payload
7 | Dec 17 2014 | 15:40:33 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIVED Message (msgid=36ecdf6a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7 | Dec 17 2014 | 15:40:28 | 713236 | IP = 91.209.243.5, IKE_DECODE SENDING Message (msgid=cb1b978d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7 | Dec 17 2014 | 15:40:28 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, constructing qm hash payload
7 | Dec 17 2014 | 15:40:28 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, constructing blank hash payload
7 | Dec 17 2014 | 15:40:28 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x7d68)
7 | Dec 17 2014 | 15:40:28 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, Received keep-alive of type DPD R-U-THERE (seq number 0x7d68)
7 | Dec 17 2014 | 15:40:28 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
7 | Dec 17 2014 | 15:40:28 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing hash payload
7 | Dec 17 2014 | 15:40:28 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIVED Message (msgid=f25bcdb5) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7 | Dec 17 2014 | 15:40:23 | 713236 | IP = 91.209.243.5, IKE_DECODE SENDING Message (msgid=32bca075) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7 | Dec 17 2014 | 15:40:23 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, constructing qm hash payload
7 | Dec 17 2014 | 15:40:23 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, constructing blank hash payload
7 | Dec 17 2014 | 15:40:23 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x7d67)
7 | Dec 17 2014 | 15:40:23 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, Received keep-alive of type DPD R-U-THERE (seq number 0x7d67)
7 | Dec 17 2014 | 15:40:23 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
7 | Dec 17 2014 | 15:40:23 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing hash payload
7 | Dec 17 2014 | 15:40:23 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIVED Message (msgid=a3f0e3f9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Please repeat the debug with "debug crypto isakmp 100" and compare the Phase 2 config on both sides:
- Is the crypto ACL exactly mirrored on both sides?
- Do your transform sets include exactly the same algorithms?
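The two replies above (use the mirrored crypto ACL 102 instead of 101; check that crypto ACLs are mirror images and transform sets match) can be turned into a mechanical check. The following is an added example, not code from either thread: it parses the handful of IOS lines that decide whether a LAN-to-LAN Phase 2 can negotiate and reports mismatches. The sample configs are constructed from the first thread's routers; the ESP cipher (esp-des) is assumed because the quoted transform-set lines lost it.

```python
"""Cross-check the Phase 2 parameters of two IOS crypto-map peers (added example)."""
from ipaddress import IPv4Network
import re

ANY = IPv4Network("0.0.0.0/0")

# Constructed, trimmed versions of the two router configs in the first thread.
# The cipher "esp-des" is an assumption: the posted lines lost it.
R2621 = """\
crypto ipsec transform-set basic esp-des esp-md5-hmac
crypto map Armadillo 1 ipsec-isakmp
 set peer 20.20.20.21
 set transform-set basic
 set pfs group1
 match address 101
interface FastEthernet0/1
 ip address 20.20.20.1 255.255.255.0
 crypto map Armadillo
access-list 101 permit ip 192.168.250.0 0.0.0.255 any
access-list 102 permit ip 192.168.250.0 0.0.0.255 192.168.240.0 0.0.0.255
"""
R2811 = """\
crypto ipsec transform-set basic esp-des esp-md5-hmac
crypto map Armadillo 1 ipsec-isakmp
 set peer 20.20.20.1
 set transform-set basic
 set pfs group1
 match address 102
interface FastEthernet0/1
 ip address 20.20.20.21 255.255.255.0
 crypto map Armadillo
access-list 102 permit ip 192.168.240.0 0.0.0.255 192.168.250.0 0.0.0.255
"""


def _addr(tok, i):
    """Consume one ACL address spec at tok[i]: 'any', 'host X' or 'X WILDCARD'."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return IPv4Network(tok[i + 1] + "/32"), i + 2
    # ipaddress accepts a wildcard (hostmask) after the slash: 10.0.0.0/0.0.0.255 -> /24
    return IPv4Network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect crypto ACLs, transform-sets, crypto maps and the interface a map is applied on."""
    cfg = {"acls": {}, "tsets": {}, "maps": {}, "applied": None, "local_ip": None}
    block = None  # ("map", dict) or ("if", dict): the sub-mode currently being read
    for raw in text.splitlines():
        line = raw.strip()
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            src, i = _addr(tok, 4)
            dst, _ = _addr(tok, i)
            cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif line.startswith("crypto ipsec transform-set "):
            cfg["tsets"][tok[3]] = frozenset(tok[4:])
        elif re.match(r"crypto map \S+ \d+ ipsec-isakmp$", line):
            block = ("map", cfg["maps"].setdefault(tok[2], {}))
        elif tok[0] == "interface":
            block = ("if", {"ip": None})
        elif block and block[0] == "map" and tok[0] in ("set", "match"):
            block[1][" ".join(tok[:2])] = tok[2]  # e.g. "set peer" -> "20.20.20.21"
        elif block and block[0] == "if" and line.startswith("ip address "):
            block[1]["ip"] = tok[2]
        elif block and block[0] == "if" and line.startswith("crypto map "):
            cfg["applied"], cfg["local_ip"] = tok[2], block[1]["ip"]
    return cfg


def phase2_view(cfg):
    """Phase 2 parameters of the crypto map that is actually applied to an interface."""
    cm = cfg["maps"][cfg["applied"]]
    return {"local": cfg["local_ip"], "peer": cm.get("set peer"), "pfs": cm.get("set pfs"),
            "algs": cfg["tsets"].get(cm.get("set transform-set"), frozenset()),
            "acl": set(cfg["acls"].get(cm.get("match address"), []))}


def check_peers(cfg_a, cfg_b, name_a="A", name_b="B"):
    """Return a list of mismatches between two peers; an empty list means they agree."""
    a, b = phase2_view(cfg_a), phase2_view(cfg_b)
    problems = []
    if a["peer"] != b["local"]:
        problems.append(f"{name_a} peers with {a['peer']} but {name_b}'s crypto interface is {b['local']}")
    if b["peer"] != a["local"]:
        problems.append(f"{name_b} peers with {b['peer']} but {name_a}'s crypto interface is {a['local']}")
    if a["algs"] != b["algs"]:
        problems.append(f"transform-sets differ: {sorted(a['algs'])} vs {sorted(b['algs'])}")
    if a["pfs"] != b["pfs"]:
        problems.append(f"PFS differs: {a['pfs']} vs {b['pfs']}")
    if not a["acl"] or not b["acl"]:
        problems.append("a crypto ACL is missing or empty")
    elif {(dst, src) for src, dst in a["acl"]} != b["acl"]:
        # Each crypto ACL must be the exact mirror of the other's; "any" does not
        # mirror a specific subnet, which is what ACL 101 in the thread gets wrong.
        problems.append(f"crypto ACLs are not mirror images: {name_a} {_fmt(a['acl'])} vs {name_b} {_fmt(b['acl'])}")
    return problems


def _fmt(entries):
    return sorted(f"{src} -> {dst}" for src, dst in entries)


if __name__ == "__main__":
    print("as posted:", check_peers(parse_config(R2621), parse_config(R2811), "RPrueba2", "RPrueba"))
    fixed = R2621.replace("match address 101", "match address 102")  # the fix proposed in the thread
    print("with ACL 102:", check_peers(parse_config(fixed), parse_config(R2811), "RPrueba2", "RPrueba"))
```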
-
I have two Cat6500s, one with an IPsec SPA card and one without.
I tried setting up an IPsec tunnel between them, but somehow I can't bring the tunnel up. Can someone help me see how to set it up?
A (with SPA):
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
crypto ipsec transform-set testT1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile P1
 set transform-set testT1
!
crypto call admission limit ike sa 3000
!
crypto call admission limit ike in-negotiation-sa 115
!
interface Tunnel962
 ip unnumbered Loopback962
 tunnel source GigabitEthernet2/37.962
 tunnel destination 172.16.16.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile P1
interface GigabitEthernet2/37.962
 encapsulation dot1Q 962
 ip address 172.16.16.5 255.255.255.252
interface Loopback962
 ip address 1.1.4.200 255.255.255.255
ip route 2.2.4.200 255.255.255.255 Tunnel962
B (without SPA):
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set T1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile P1
 set transform-set T1
interface Tunnel200
 ip unnumbered Loopback200
 tunnel source GigabitEthernet2/1.1
 tunnel destination 172.16.16.5
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile T1
interface Loopback200
 ip address 2.2.4.200 255.255.255.255
interface GigabitEthernet2/1.1
 encapsulation dot1Q 962
 ip address 172.16.16.6 255.255.255.252
ip route 1.1.4.200 255.255.255.255 Tunnel200
I can ping from 172.16.16.6 to 172.16.16.5, but the tunnel just cannot come up. When I turned on "debug crypto ipsec" and "debug crypto isakmp", nothing came out; when I turned on "debug crypto engine", I got:
"00:25:17: crypto_engine_select_crypto_engine: can't handle more."
Hello
You need an IPsec SPA card in chassis B to do IPsec encryption. Please see the URL below for more details.
Without a SPA-IPSEC-2G or IPsec VPN Services Module for acceleration, the IPsec network security feature (configured with the crypto ipsec command) is supported in software only for administrative connections to Catalyst 6500 series switches and Cisco 7600 Series routers.
Kind regards
Arul
* Please rate if it helps *
-
ASA 8.6 - L2L IPsec tunnel established - not possible to ping
Hello world
I have a configuration problem with a Cisco ASA 5512-X (IOS 8.6).
The IPsec tunnel is established between the ASA and another, non-Cisco router (hereinafter "router"). I can send ping packets from the router to the ASA, but the ASA is NOT able to answer these requests. Sending requests from the ASA is also NOT possible.
I'm trying to interconnect the local network 192.168.2.0/24 (Cisco, DMZ interface) and 192.168.3.0/24 (router).
The Cisco ASA has a static public IP address. The router has a dynamic IP address, so I use the dynamic-map option...
Here is the output of "show run":
---------------------------------------------------------------------------------------------------------------------------------------------
ASA Version 8.6(1)2
!
hostname ciscoasa
enable password oBGOJTSctBcCGoTh encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
object network internal-subnet
 subnet 192.168.0.0 255.255.255.0
object network webserver-external-ip
 host Y.Y.Y.Y
object network webserver
 host 192.168.2.100
object network vpn-local-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
object network vpn-remote-192.168.3.0
 subnet 192.168.3.0 255.255.255.0
access-list outside_acl extended permit tcp any object webserver
access-list outside_acl extended permit tcp any object webserver eq www
access-list l2l-list extended permit ip object vpn-local-192.168.2.0 object vpn-remote-192.168.3.0
access-list dmz_acl extended permit icmp any any echo
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (DMZ,outside) source static vpn-local-192.168.2.0 vpn-local-192.168.2.0 destination static vpn-remote-192.168.3.0 vpn-remote-192.168.3.0
!
object network internal-subnet
 nat (inside,outside) dynamic interface
object network webserver
 nat (DMZ,outside) static webserver-external-ip service tcp www www
access-group dmz_acl global
route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ikev1-trans-set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal 3des-GNAT
 protocol esp encryption 3des
 protocol esp integrity md5
crypto dynamic-map dynMidgeMap 1 match address l2l-list
crypto dynamic-map dynMidgeMap 1 set pfs
crypto dynamic-map dynMidgeMap 1 set ikev1 transform-set ikev1-trans-set
crypto dynamic-map dynMidgeMap 1 set ikev2 ipsec-proposal 3des-GNAT
crypto dynamic-map dynMidgeMap 1 set security-association lifetime seconds 28800
crypto dynamic-map dynMidgeMap 1 set reverse-route
crypto map midgeMap 1 ipsec-isakmp dynamic dynMidgeMap
crypto map midgeMap interface outside
crypto isakmp identity hostname
crypto ikev2 policy 1
 encryption 3des
 integrity md5
 group 2
 prf md5
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy midgeTrialPol internal
group-policy midgeTrialPol attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
 ipsec-udp enable
tunnel-group midgeVpn type ipsec-l2l
tunnel-group midgeVpn general-attributes
 default-group-policy midgeTrialPol
tunnel-group midgeVpn ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:fa02572f9ff8add7bbfe622a4801e606
: end
------------------------------------------------------------------------------------------------------------------------------
X.X.X.X - ASA public IP
Y.Y.Y.Y - web server
Z.Z.Z.Z - default gateway
-------------------------------------------------------------------------------------------------------------------------------
PING from the ASA:
ciscoasa# ping DMZ 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
PING from the router (debug on the Cisco):
ciscoasa# NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=0 len=40
ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=1 len=40
ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=2 len=40
ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=3 len=40
-------------------------------------------------------------------------------------------------------------------------------
ciscoasa# show route outside
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is Z.Z.Z.Z to network 0.0.0.0
C    Z.Z.Z.0 255.255.255.0 is directly connected, outside
S    192.168.3.0 255.255.255.0 [1/0] via Z.Z.Z.Z, outside
S*   0.0.0.0 0.0.0.0 [1/0] via Z.Z.Z.Z, outside
-------------------------------------------------------------------------------------------------------------------------------
Do you have an idea what I am doing wrong? Probably some bad NAT/ACL, I suppose, but I could only ever find something for 8.4 and not for 8.6... Perhaps, and no doubt, I have already messed up the configuration with unwanted commands, but I've tried various things...
Please, if you have an idea, let me know! Thank you very much!
Hello
I've never used the "global" option of an ACL, but it looks to be the origin of the problem. Cisco doc:
"The global access rules are defined as a special ACL that is processed for each interface on the device for inbound traffic on the interface. Thus, although the ACL is configured once on the device, it acts as a secondary interface-specific ACL defined for the In direction. (Global rules are always in the In direction, never Out.)"
Your ACL: access-list dmz_acl extended permit icmp any any echo
For example, when you initiate from the ASA, there is an echo-reply from the router arriving on the outside interface --> the global ACL can block it.
Then, when initiating from the router, the ASA sends an echo-reply which is blocked again.
Try adding permit echo-reply as well.
In addition, you can use "inspect icmp" in the global policy instead of the ACL.
If none of this works, you can run another troubleshooting pass with packet-tracer on the ASA.
THX
MS
-
Router Cisco VPN Client split tunnel does not work
Hello!
I have configured the Cisco VPN Client on a 2821 router, and it works fine.
I can access the inside resources normally.
The problem is that when I connect with the VPN I lose internet connectivity. What is wrong with my setup?
Below is the current configuration of the router.
Kind regards!
CISCO2821#sh run
Building configuration...
Current configuration : 5834 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CISCO2821
!
boot-start-marker
boot system flash c2800nm-adventerprisek9-mz.124-20.T.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login VPN-LOCAL-AUTHENTIC local
aaa authorization network VPN-LOCAL-AUTHOR local
!
!
aaa session-id common
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip domain name yourdomain.com
ip name-server 8.8.8.8
no ipv6 cef
!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm
!
!
username vpn privilege 0 secret 5 $1$tCf1$XAxQWtDRYdfy9g3JpVSvZ.
archive
 log config
  hidekeys
!
!
crypto isakmp policy 44
 encr aes
 authentication pre-share
 group 2
 lifetime 44444
!
crypto isakmp client configuration group VPN
 key VPNVPNVPN
 pool VPN-POOL
 acl VPN-ACL-SPLIT
 max-users 5000
!
!
crypto isakmp profile VPN-ISAKMP-PROFILE
   match identity group VPN
   client authentication list VPN-LOCAL-AUTHENTIC
   isakmp authorization list VPN-LOCAL-AUTHOR
   client configuration address respond
   client configuration group VPN
   virtual-template 44
!
!
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
!
crypto ipsec profile VPN-PROFILE
 set transform-set VPN-SET
 set isakmp-profile VPN-ISAKMP-PROFILE
!
!
interface GigabitEthernet0/0
 ip address 192.168.2.214 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template44 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-PROFILE
!
interface Dialer0
 no ip address
 ip mtu 1452
 ip virtual-reassembly
 shutdown
!
ip local pool VPN-POOL 192.168.1.150 192.168.1.250
ip forward-protocol nd
ip http server
ip http port 8081
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list ACL-NAT interface GigabitEthernet0/0 overload
!
ip access-list standard ACL-TELNET
 permit any
!
ip access-list extended ACL-NAT
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended ACL-VPN-SPLIT
 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended VPN-ACL-SPLIT
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to use.
-----------------------------------------------------------------------
^C
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 access-class ACL-TELNET in
 exec-timeout 30 0
 privilege level 15
 logging synchronous
 transport input telnet ssh
line vty 5 15
 access-class ACL-TELNET in
 exec-timeout 30 0
 privilege level 15
 logging synchronous
 transport input telnet ssh
line vty 16 988
 access-class ACL-TELNET in
 exec-timeout 30 0
 logging synchronous
 transport input telnet ssh
!
scheduler allocate 20000 1000
end
CISCO2821#
I think you made a mistake with your ACL name. The ACL applied is "VPN-ACL-SPLIT", which is an empty ACL. You must switch to "ACL-VPN-SPLIT", which has the entry "permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255" in it.
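The mistake spotted above (the client group references VPN-ACL-SPLIT, which is empty, while the populated list is ACL-VPN-SPLIT) is the kind of thing a config linter catches before a user notices lost connectivity. The following is an added example, not code from the thread: it cross-references the ACL names a config defines against the names it consumes. The excerpt it runs on is a constructed, trimmed version of the 2821 config posted above.

```python
"""Report ACLs that are referenced but undefined, referenced but empty, or defined but unused (added example)."""
import re

# Constructed excerpt of the 2821 config in the thread (group key omitted).
SAMPLE_CONFIG = """\
crypto isakmp client configuration group VPN
 pool VPN-POOL
 acl VPN-ACL-SPLIT
!
ip http server
ip http access-class 23
ip nat inside source list ACL-NAT interface GigabitEthernet0/0 overload
!
ip access-list standard ACL-TELNET
 permit any
ip access-list extended ACL-NAT
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended ACL-VPN-SPLIT
 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended VPN-ACL-SPLIT
!
line vty 0 4
 access-class ACL-TELNET in
"""

# Where an ACL is defined: named lists open a sub-mode, numbered ones carry one entry per line.
DEFINITION = re.compile(r"^(?:ip access-list (?:standard|extended) (\S+)|access-list (\d+) )")
# Where an ACL is consumed; group 1 is the name, the label says which feature references it.
REFERENCES = [
    (re.compile(r"^acl (\S+)$"), "crypto isakmp client configuration group (split-tunnel acl)"),
    (re.compile(r"^ip nat inside source list (\S+) "), "ip nat inside source list"),
    (re.compile(r"^access-class (\S+) (?:in|out)"), "line access-class"),
    (re.compile(r"^ip access-group (\S+) (?:in|out)"), "interface ip access-group"),
    (re.compile(r"^match address (\S+)$"), "crypto map match address"),
    (re.compile(r"^ip http access-class (\S+)$"), "ip http access-class"),
]


def audit_acls(config):
    """Return {'undefined': {name: [features]}, 'empty': {name: [features]}, 'unused': [names]}."""
    defined = {}    # ACL name -> number of permit/deny entries
    refs = {}       # ACL name -> features that reference it
    current = None  # named ACL whose entries are being read
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            current = None  # any top-level command ends the ACL sub-mode
        if m := DEFINITION.match(line):
            name = m.group(1) or m.group(2)
            if m.group(2):
                defined[name] = defined.get(name, 0) + 1
            else:
                defined.setdefault(name, 0)
                current = name
            continue
        if current and line.split()[0] in ("permit", "deny"):
            defined[current] += 1
            continue
        for pattern, feature in REFERENCES:
            if m := pattern.match(line):
                refs.setdefault(m.group(1), []).append(feature)
    return {
        "undefined": {n: r for n, r in refs.items() if n not in defined},
        "empty": {n: r for n, r in refs.items() if defined.get(n) == 0},
        "unused": sorted(n for n in defined if n not in refs),
    }


if __name__ == "__main__":
    for kind, found in audit_acls(SAMPLE_CONFIG).items():
        print(f"{kind}: {found}")
```

On the excerpt it flags VPN-ACL-SPLIT as empty and ACL-VPN-SPLIT as unused, and also that ip http access-class points at ACL 23, which the posted config never defines.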
-
IPSEC tunnel does not connect
All of a sudden the IPSEC tunnel to remote site 202.68.211.20 is not coming up. Previously it was OK. There is no change in the config.
IKE Phase 1 does not even connect.
I'm debugging, but I don't know what the error could be.
-----------------------------------------------------------------------------
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2016.05.12 15:19:36 =~=~=~=~=~=~=~=~=~=~=~=
May 12 12:06:50 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
May 12 12:06:50 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
May 12 12:06:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
May 12 12:06:53 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
May 12 12:06:54 [IKEv1 DEBUG]: IP = 202.68.211.20, IKE MM Initiator FSM error history (struct &0xd84aff40)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
May 12 12:06:54 [IKEv1 DEBUG]: IP = 202.68.211.20, IKE SA MM:914f04ce terminating:  flags 0x01000022, refcnt 0, tuncnt 0
May 12 12:06:54 [IKEv1 DEBUG]: IP = 202.68.211.20, sending delete/delete with reason message
May 12 12:06:59 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
May 12 12:06:59 [IKEv1]: IP = 202.68.211.20, IKE Initiator: New Phase 1, Intf inside, IKE Peer 202.68.211.20  local Proxy Address 10.215.20.0, remote Proxy Address 10.210.0.0,  Crypto map (VPN_map)
May 12 12:06:59 [IKEv1 DEBUG]: IP = 202.68.211.20, constructing ISAKMP SA payload
May 12 12:06:59 [IKEv1 DEBUG]: IP = 202.68.211.20, constructing Fragmentation VID + extended capabilities payload
May 12 12:06:59 [IKEv1]: IP = 202.68.211.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
May 12 12:07:00 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
May 12 12:07:00 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
May 12 12:07:03 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
May 12 12:07:03 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
May 12 12:07:07 [IKEv1]: IP = 202.68.211.20, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
May 12 12:07:09 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
May 12 12:07:09 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
May 12 12:07:15 [IKEv1]: IP = 202.68.211.20, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
May 12 12:07:23 [IKEv1]: IP = 202.68.211.20, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
May 12 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, IKE MM Initiator FSM error history (struct &0xd8457958)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
May 12 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, IKE SA MM:be63ea64 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
May 12 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, sending delete/delete with reason message
May 12 12:07:37 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
May 12 12:07:37 [IKEv1]: IP = 202.68.211.20, IKE Initiator: New Phase 1, Intf inside, IKE Peer 202.68.211.20  local Proxy Address 10.215.20.0, remote Proxy Address 10.210.0.0,  Crypto map (VPN_map)
May 12 12:07:37 [IKEv1 DEBUG]: IP = 202.68.211.20, constructing ISAKMP SA payload
May 12 12:07:37 [IKEv1 DEBUG]: IP = 202.68.211.20, constructing Fragmentation VID + extended capabilities payload
May 12 12:07:37 [IKEv1]: IP = 202.68.211.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
May 12 12:07:40 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
May 12 12:07:40 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
May 12 12:07:45 [IKEv1]: IP = 202.68.211.20, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
May 12 12:07:46 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
May 12 12:07:46 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
May 12 12:07:53 [IKEv1]: IP = 202.68.211.20, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Hello
It seems that the tunnel is stuck at MSG_2.
Can you check whether UDP 500 traffic is blocked between the peers?
Please check with your provider.
Kind regards
Aditya
Please rate helpful posts and mark the correct answers.
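As an added example (not from the thread), here is a small analyzer for the ASA `debug crypto isakmp` output above: it reads the initiator's FSM error history, finds the state the exchange timed out in, and maps it to what never arrived. The stall at MM_WAIT_MSG2 is exactly what Aditya diagnoses; the MSG4/MSG6 hints are standard IKEv1 main-mode troubleshooting generalizations added here, and the sample log is a constructed copy of the lines quoted above.

```python
import re
from collections import Counter

# Constructed sample: the initiator-side 'debug crypto isakmp' lines quoted in
# the thread above, reduced to the ones this analysis needs.
SAMPLE_DEBUG = """\
May 12 12:07:23 [IKEv1]: IP = 202.68.211.20, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
May 12 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, IKE MM Initiator FSM error history (struct &0xd8457958)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
May 12 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, IKE SA MM:be63ea64 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
May 12 12:07:37 [IKEv1]: IP = 202.68.211.20, IKE Initiator: New Phase 1, Intf inside, IKE Peer 202.68.211.20  local Proxy Address 10.215.20.0, remote Proxy Address 10.210.0.0,  Crypto map (VPN_map)
May 12 12:07:37 [IKEv1]: IP = 202.68.211.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
May 12 12:07:45 [IKEv1]: IP = 202.68.211.20, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
May 12 12:07:53 [IKEv1]: IP = 202.68.211.20, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
"""

# Where a main-mode initiator stalls tells you which message never arrived.
STALL_HINTS = {
    "MM_WAIT_MSG2": "no reply to MSG1 (our SA proposal): peer down or unreachable, "
                    "UDP/500 filtered on the path, or the peer has no isakmp policy "
                    "or tunnel-group for us",
    "MM_WAIT_MSG4": "no reply to MSG3 (our KE/nonce): the exchange started but stalled "
                    "mid-way; compare ISAKMP policies and the peer's tunnel-group/PSK setup",
    "MM_WAIT_MSG6": "no reply to MSG5 (our ID/hash): typically a pre-shared key or "
                    "IKE identity mismatch, so the peer cannot verify MSG5",
}

PEER_RE = re.compile(r"IP = (?P<peer>\d{1,3}(?:\.\d{1,3}){3}),")
FSM_RE = re.compile(r"IKE MM Initiator FSM error history .*?<event>:\s*(?P<hist>\S.*)$")
SEND_RE = re.compile(r"IKE_DECODE (?P<kind>RE)?SENDING Message \(msgid=(?P<msgid>[0-9a-fA-F]+)\)")
NEW_P1_RE = re.compile(r"IKE Initiator: New Phase 1")


def parse_fsm_history(hist):
    """Split 'STATE, EVENT-->STATE, EVENT...' into (state, event) pairs, newest first."""
    pairs = []
    for chunk in hist.split("-->"):
        state, _, event = chunk.strip().partition(",")
        pairs.append((state.strip(), event.strip()))
    return pairs


def stall_state(pairs):
    """State the FSM was waiting in when it timed out; fall back to the most
    common non-terminal state if no EV_TIMEOUT was recorded."""
    for state, event in pairs:
        if event == "EV_TIMEOUT":
            return state
    counts = Counter(s for s, _ in pairs if s != "MM_DONE")
    return counts.most_common(1)[0][0] if counts else None


def analyze_ikev1_debug(text):
    """Per-peer summary: Phase 1 attempts, Phase 1 (re)transmissions, stall state, hint."""
    peers = {}
    for line in text.splitlines():
        pm = PEER_RE.search(line)
        if not pm:
            continue
        rec = peers.setdefault(pm.group("peer"), {
            "phase1_attempts": 0, "p1_sent": 0, "p1_resent": 0,
            "stall_state": None, "hint": None,
        })
        if NEW_P1_RE.search(line):
            rec["phase1_attempts"] += 1
        sm = SEND_RE.search(line)
        if sm and sm.group("msgid") == "0":          # msgid 0 = Phase 1 exchange
            rec["p1_resent" if sm.group("kind") else "p1_sent"] += 1
        fm = FSM_RE.search(line)
        if fm:
            rec["stall_state"] = stall_state(parse_fsm_history(fm.group("hist")))
            rec["hint"] = STALL_HINTS.get(rec["stall_state"], "see the IKEv1 state table")
    return peers


if __name__ == "__main__":
    for peer, rec in analyze_ikev1_debug(SAMPLE_DEBUG).items():
        print(peer, rec)
```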
-
Hello
I just upgraded to macOS Sierra and the built-in Cisco IPsec VPN no longer works. When I try to connect, I get a "Cannot validate the server certificate. Check your settings and try reconnecting" error message. I use a Cisco ASA with self-signed certificates and everything worked fine with previous versions of OS X.
Please help me, I need my VPN. Thx a lot
I am having the same problem with strongSwan and a CA-signed cert, with the full certificate chain included in the pkcs12 file imported into the keychain. It was working properly in El Capitan, but is now broken in Sierra.
-
IPSec tunnel does not come up between two ASA 5540s
I've included the relevant configuration lines from the two ASA 5540s that I'm trying to set up a LAN-to-LAN tunnel between. The first few lines show the messages that are generated when I try to ping a host on the other side.
Did I miss something that would prevent the tunnel from coming up?
4 IP = 10.10.1.147, Error: Unable to remove PeerTblEntry
3 IP = 10.10.1.147, Removing peer from peer table failed, no match!
6 IP = 10.10.1.147, P1 Retransmit msg dispatched to MM FSM
5 IP = 10.10.1.147, Duplicate Phase 1 packet detected. Retransmitting last packet.
6 IP = 10.10.1.147, P1 Retransmit msg dispatched to MM FSM
5 IP = 10.10.1.147, Duplicate Phase 1 packet detected. Retransmitting last packet.
4 IP = 10.10.1.147, Error: Unable to remove PeerTblEntry
3 IP = 10.10.1.147, Removing peer from peer table failed, no match!
6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
5 IP = 10.10.1.147, IKE Initiator: New Phase 1, Intf inside, IKE Peer 10.10.1.147  local Proxy Address 10.10.1.135, remote Proxy Address 10.10.1.155,  Crypto map (outside_map0)
ROC-ASA5540-A# sh run
!
ASA Version 8.0(3)
!
hostname ROC-ASA5540-A
names
name 10.10.1.135 GHC_Laptop description name to test the VPN
name 10.10.1.155 SunMed_pc description name to test the VPN
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.10.1.129 255.255.255.240
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 10.10.1.145 255.255.255.248
!
!
access-list outside_2_cryptomap extended permit ip host GHC_Laptop host SunMed_pc
!
asdm image disk0:/asdm-603.bin
!
route outside 10.10.1.152 255.255.255.248 10.10.1.147 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map0 2 match address outside_2_cryptomap
crypto map outside_map0 2 set peer 10.10.1.147
crypto map outside_map0 2 set transform-set ESP-3DES-SHA
crypto map outside_map0 2 set nat-t-disable
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy Lan-2-Lan_only internal
group-policy Lan-2-Lan_only attributes
 vpn-filter none
 vpn-tunnel-protocol IPSec
tunnel-group 10.10.1.147 type ipsec-l2l
tunnel-group 10.10.1.147 ipsec-attributes
 pre-shared-key *
!
ROC-ASA5540-A#
----------------------------------------------------------
ROC-ASA5540-B# sh run
: Saved
:
ASA Version 8.0(3)
!
hostname ROC-ASA5540-B
!
names
name 10.10.1.135 GHC_laptop
name 10.10.1.155 SunMed_PC
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.10.1.153 255.255.255.248
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 10.10.1.147 255.255.255.248
!
access-list outside_cryptomap extended permit ip host SunMed_PC host GHC_laptop
!
asdm image disk0:/asdm-603.bin
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 1 set peer 10.10.1.145
crypto map outside_map2 1 set transform-set ESP-3DES-SHA
crypto map outside_map2 1 set nat-t-disable
crypto map outside_map2 interface outside
crypto isakmp enable inside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy Lan-2-Lan internal
group-policy Lan-2-Lan attributes
 vpn-tunnel-protocol IPSec
tunnel-group 10.10.1.145 type ipsec-l2l
tunnel-group 10.10.1.145 ipsec-attributes
 pre-shared-key *
!
ROC-ASA5540-B#
On ROC-ASA5540-B you have "crypto isakmp enable inside"; it should be "crypto isakmp enable outside".
Please reconfigure the ASA and let me know how it goes.
Kind regards
Arul
*Please rate helpful posts*
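As an added example (not from the thread or from Cisco), here is a small lint for ASA LAN-to-LAN configs that catches the mistake Arul found: the crypto map is applied to "outside" while ISAKMP is enabled on "inside". It also checks that each map entry's peer has an ipsec-l2l tunnel-group and that the referenced ACL and transform-set exist. The sample config is a constructed copy of the relevant ROC-ASA5540-B lines above.

```python
import re

# Constructed sample: the relevant ROC-ASA5540-B lines from the thread above,
# as 'show run' prints them (pre-shared key redacted as on the page).
ASA_B_CONFIG = """\
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.10.1.153 255.255.255.248
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 10.10.1.147 255.255.255.248
!
access-list outside_cryptomap extended permit ip host SunMed_PC host GHC_laptop
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 1 set peer 10.10.1.145
crypto map outside_map2 1 set transform-set ESP-3DES-SHA
crypto map outside_map2 1 set nat-t-disable
crypto map outside_map2 interface outside
crypto isakmp enable inside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 10.10.1.145 type ipsec-l2l
tunnel-group 10.10.1.145 ipsec-attributes
 pre-shared-key *
"""

MAP_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
MAP_ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)$")
ISAKMP_EN_RE = re.compile(r"^crypto isakmp enable (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) ")
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) ")


def lint_asa_l2l(config):
    """Return a list of findings (strings); an empty list means all checks passed."""
    map_if, isakmp_ifs, acls, tgs, tsets = {}, set(), set(), set(), set()
    entries = {}  # (map name, seq) -> {"match address": ..., "set peer": ..., ...}
    for raw in config.splitlines():
        line = raw.strip()
        if m := MAP_IF_RE.match(line):
            map_if[m.group(1)] = m.group(2)
        elif m := MAP_ENTRY_RE.match(line):
            entries.setdefault((m.group(1), m.group(2)), {})[m.group(3)] = m.group(4)
        elif m := ISAKMP_EN_RE.match(line):
            isakmp_ifs.add(m.group(1))
        elif m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := TG_RE.match(line):
            tgs.add(m.group(1))
        elif m := TS_RE.match(line):
            tsets.add(m.group(1))

    findings = []
    # 1. ISAKMP must be enabled on the interface the crypto map is applied to
    #    (the exact mistake on ROC-ASA5540-B in the thread).
    for name, intf in map_if.items():
        if intf not in isakmp_ifs:
            enabled = ", ".join(sorted(isakmp_ifs)) or "no interface"
            findings.append(f"crypto map {name} is applied to {intf} but isakmp is enabled on "
                            f"{enabled}; add 'crypto isakmp enable {intf}'")
    # 2. Each entry needs a peer with an ipsec-l2l tunnel-group, an existing ACL
    #    and an existing transform-set; the map itself must be applied somewhere.
    for (name, seq), e in entries.items():
        if name not in map_if:
            findings.append(f"crypto map {name} is never applied to an interface")
        peer = e.get("set peer")
        if peer is None:
            findings.append(f"crypto map {name} {seq} has no 'set peer'")
        elif peer not in tgs:
            findings.append(f"crypto map {name} {seq}: no 'tunnel-group {peer} type ipsec-l2l'")
        acl = e.get("match address")
        if acl is None:
            findings.append(f"crypto map {name} {seq} has no 'match address'")
        elif acl not in acls:
            findings.append(f"crypto map {name} {seq}: access-list {acl} does not exist")
        ts = e.get("set transform-set")
        if ts is None or ts not in tsets:
            findings.append(f"crypto map {name} {seq}: transform-set {ts} is not defined")
    return findings


if __name__ == "__main__":
    for f in lint_asa_l2l(ASA_B_CONFIG):
        print("FINDING:", f)
```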
-
IPSec sequence numbers not working for multiple VPNs
A single site-to-site VPN works with no problem, but when I add the second peer on the hub router it does not connect. There is no routing in place; all routers are connected to the same switch, and with no crypto map applied they can all ping 192.168.2.1. With the crypto map applied only 192.168.2.2 can ping 192.168.2.1. I'm at a loss as to what I'm doing wrong; it seems simple, I just add the "test" entry with a different sequence number, but it won't work.
Ask any other question you can think of. I used the same commands on both spoke routers, so it seems it would be on the hub router, but it beats me as to why.
Thanks for the help.
Hub router:
----------------------------------------------------------------------------------------------------------------------------------------------
R1#sh crypto map
Crypto Map "test" 1 ipsec-isakmp
        Peer = 192.168.2.2
        Extended IP access list 110
            access-list 110 permit ip any any
        Current peer: 192.168.2.2
        Security association lifetime: 4608000 kilobytes/86400 seconds
        PFS (Y/N): N
        Transform sets={
                test,
        }
        Interfaces using crypto map test:
                FastEthernet0/0
Crypto Map "test" 2 ipsec-isakmp
        Peer = 192.168.2.3
        Extended IP access list 110
            access-list 110 permit ip any any
        Current peer: 192.168.2.3
        Security association lifetime: 4608000 kilobytes/86400 seconds
        PFS (Y/N): N
        Transform sets={
                test,
        }
        Interfaces using crypto map test:
                FastEthernet0/0
---------------------------------------------------------------------------------------------------------------------------------------------
R2#sh crypto map
Crypto Map "test" 1 ipsec-isakmp
        Peer = 192.168.2.1
        Extended IP access list 110
            access-list 110 permit ip any any
        Current peer: 192.168.2.1
        Security association lifetime: 4608000 kilobytes/86400 seconds
        PFS (Y/N): N
        Transform sets={
                test,
        }
        Interfaces using crypto map test:
                FastEthernet0/0
----------------------------------------------------------------------------------------------------------------------------------------------
R3#sh crypto map
Crypto Map "test" 1 ipsec-isakmp
        Peer = 192.168.2.1
        Extended IP access list 110
            access-list 110 permit ip any any
        Current peer: 192.168.2.1
        Security association lifetime: 4608000 kilobytes/86400 seconds
        PFS (Y/N): N
        Transform sets={
                test,
        }
        Interfaces using crypto map test:
                FastEthernet0/0
There is a typing error in the IP for the PSK on R3.
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni -
RTMPT / Tunneling does not work
I have Flash Media Streaming Server 3 running on a Windows 2003 machine with IIS 6. I can see the sample video-on-demand, locally and remotely, just fine using rtmp, but not rtmpt. I have disabled socket pooling using httpcfg, but FMS 3 does not seem to be binding to all IP addresses on port 80. Next steps?
HBZ
You can add ports in a comma-delimited list:
ADAPTER.HOSTPORT = xxx.xxx.xxx.12:1935,80
Then restart the FMS service and you should be all set. You can run netstat -nab from the command prompt to ensure that FMS is bound to port 80.
-
How to troubleshoot a GRE over IPSec tunnel?
Hello
My topology includes two firewalls connected through the "Internet" (a router), and behind each firewall there is a router.
On the routers I configured a GRE tunnel, which works; then I configured an IPsec tunnel on the firewalls.
I did not change the mode to transport mode in the transform-set configuration.
Everything works: if I connect a PC to one router, it can ping another PC on the other router. However, if I change the mode to transport mode, they cannot.
I was wondering how I can make sure the IPSec tunnel really works? How can I debug it or trace packets?
Thank you.
I was wondering how I can make sure the IPSec tunnel really works? How can I debug it or trace packets?
To verify that the VPN tunnel works well, check the output of
show crypto isakmp sa
show crypto ipsec sa
Here are the debug commands:
debug crypto condition peer x.x.x.x, where x.x.x.x = peer IP
debug crypto isakmp 200
debug crypto ipsec 200
You will see ACTIVE in the first output and non-zero encaps and decaps in the output of the latter.
For the GRE tunnel, check the state of the tunnel via "show ip int brief". In addition, you can configure keepalives via the commands:
Router# configure terminal
Router(config)# interface tunnel0
Router(config-if)# keepalive 5 4
and then run "debug tunnel keepalive" to see tunnel hello packets going to and coming from the router.
Kind regards
Dinesh Moudgil
PS: Please rate helpful posts.
-
IPSec tunnel up, but LANs not reachable
Hello
I have an ASA5520 and a Snapgear. The IPSec tunnel is up and works fine. But I am not able to reach the local LAN on either side. Here are a few settings:
sh crypto isakmp sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 10.10.10.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE
Crypto/isakmp:
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map IPSECTEST_map0 1 match address IPSECTEST_cryptomap
crypto map IPSECTEST_map0 1 set peer 10.10.10.2
crypto map IPSECTEST_map0 1 set transform-set ESP-3DES-SHA
crypto map IPSECTEST_map0 1 set nat-t-disable
crypto map IPSECTEST_map0 1 set phase1-mode aggressive
crypto map IPSECTEST_map0 interface IPSECTEST
crypto isakmp enable outside
crypto isakmp enable IPSECTEST
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
 lifetime 3600
sh route:
C    172.16.3.0 255.255.255.0 is directly connected, VLAN10
C    10.10.10.0 255.255.255.0 is directly connected, IPSECTEST
C    192.168.112.0 255.255.254.0 is directly connected, inside
access-list:
access-list IPSECTEST_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 172.16.3.0 255.255.255.0 object 172.20.20.0
And here's the scenario:
If I ping from the ASA to the remote LAN, I get this:
ciscoasa(config)# ping 172.20.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.20.1, timeout is 2 seconds:
No route to host 172.20.20.1
Success rate is 0 percent (0/1)
Any idea what I'm missing?
Here's how to set up NAT exemption on ASA 8.3:
object network obj-172.16.3.0
 subnet 172.16.3.0 255.255.255.0
object network obj-172.20.20.0
 subnet 172.20.20.0 255.255.255.0
nat (inside,outside) source static obj-172.16.3.0 obj-172.16.3.0 destination static obj-172.20.20.0 obj-172.20.20.0
Here's how it looks on ASA 8.2 and below:
access-list Inside_nat0_outbound extended permit ip 172.16.3.0 255.255.255.0 172.20.20.0 255.255.255.0
nat (inside) 0 access-list Inside_nat0_outbound
-
"Microsoft Teredo Tunneling adapter" device does not work correctly.
Hi Sir/Madam
Hello, can you help me find driver problems, sir. I am on an HP Pavilion g6 series notebook. I found this message there: Windows reports that the "Microsoft Teredo Tunneling adapter" device is working properly. But I opened Device Manager, found the icon, double-clicked it and then tried to update the driver software, but I found it encountered a problem... This device does not work... Sir, can you help me solve this problem... Thank you for your time
Hi Binet1,
Thank you for visiting the HP Support Forums, and welcome. I read your thread about your HP Pavilion g6-2225tu laptop's driver issues with the Teredo Tunneling pseudo-interface. Right-click and delete all Teredo Tunneling pseudo-interfaces. Restart the computer. You can update the driver software by right-clicking and choosing to browse the computer for driver software. Select "let me pick from a list of device drivers on my computer" -> Network adapters -> Microsoft -> Microsoft Teredo Tunneling adapter. You can enable System Restore by following this document.
I'd be happy to help you further if necessary; because there are many models of HP notebook, I need the model number. How do I find my model number or product number?
Please respond with the operating system that you are running:
Which Windows operating system am I running?
Please let me know.
Thank you.
-
Microsoft Teredo Tunneling adapter does not work.
Original title: Microsoft Teredo Tunneling adapter
I think I'm ready for questions on Teredo in the forums. I tried these "FixIt"s, and nothing works. It would be nice if Microsoft had a site where we could find this Teredo so that we can download a "new" one. The defective one I have on my desktop is dated 2006. It's really frustrating to continue these wild pursuits to find a "solution" to the Teredo Tunneling adapter.
Alice
Hi Alice,
Thank you for posting your query on the Microsoft Community.
I understand that you have a problem with the Microsoft Teredo Tunneling adapter. I will help you solve the problem.
Before we continue, we need more information to help you better.
- Did you make any changes to the computer?
- Do you get any error messages when you try to use Microsoft Teredo Tunneling adapter?
- Have you installed a third-party software on your computer?
As you have tried some troubleshooting steps, I suggest you disable third-party security software installed on your computer (if there is) temporarily and update a hardware driver that is not working properly.
Update a hardware driver that is not working properly.
http://Windows.Microsoft.com/en-us/Windows7/update-a-driver-for-hardware-that-isn ' t-work correctly
Turn off the Antivirus:
Antivirus software can help protect your computer against viruses and other security threats. In most cases, you should not disable your antivirus software. If you need to disable temporarily to install other software, you must reactivate as soon as you are finished. If you are connected to the Internet or a network, while your antivirus software is disabled, your computer is vulnerable to attacks.
I suggest you check suggestions provided by Nithyananda J from the following link to see if it can help solve the problem.
I hope the above information helps. Please let us know if you need help with Windows. We are happy to help you.
Thank you.
-
GRE tunnels will not come up over IPsec/GRE VPN
Hi all
We have 400+ remote sites that connect to our central location (and a backup site) using Cisco routers with IPSec/GRE VPN tunnels. We use a basic template for creating the tunnels, so there is very little chance of a misconfiguration on each router. Remote sites use Cisco 831s, central sites use Cisco 2821s. There is one site where the tunnels just refuse to come up.
The routers are able to ping each other's public IP addresses, so it is not a routing problem, but the GRE endpoints cannot ping. There is no NATing involved; both routers access the Internet directly. The assorted show commands seem to indicate that the SAs are built properly, but from the logs it seems that the last part just doesn't finish, and the GRE tunnels do not come up.
From the attached log file, it seems that both the IPSEC & ISAKMP SAs are created @ 00:25:14, then QM_PHASE2 completes @ 00:25:15.
00:25:15: ISAKMP:(0:10:HW:2):deleting node 1891573546 error FALSE reason "QM done (await)"
00:25:15: ISAKMP:(0:10:HW:2):Node 1891573546, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:25:15: ISAKMP:(0:10:HW:2):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
00:25:15: ISAKMP (0:268435467): received packet from 208.XX.YY.11 dport 500 sport 500 Global (I) QM_IDLE
00:25:15: IPSEC(key_engine): got a queue event with 1 kei messages
00:25:15: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
00:25:15: IPSEC(key_engine_enable_outbound): enable SA with spi 1572231461/50
00:25:15: ISAKMP:(0:11:HW:2):deleting node -1931380074 error FALSE reason "QM done (await)"
00:25:15: ISAKMP:(0:11:HW:2):Node -1931380074, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:25:15: ISAKMP:(0:11:HW:2):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
00:25:15: IPSEC(key_engine): got a queue event with 1 kei messages
00:25:15: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
00:25:15: IPSEC(key_engine_enable_outbound): enable SA with spi 310818168/50
I don't have the remote router's log file, and mine is very long, so I attached it. Before I captured the log file, I enabled ipsec & isakmp debugging and immediately cleared the SAs.
Assorted useful details and matching show command output:
Cisco IOS Software, C831 (C831-K9O3SY6-M), Version 12.4(25), RELEASE SOFTWARE (fc1)
There are 2 IPSEC/GRE tunnel connections:
Tunnel101: KC (208.YY.ZZ.11) - remote (74.WW.XX.35)
Tunnel201: Dallas (208.XX.YY.11) - remote (74.WW.XX.35)
Site-382-831#sho ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet1              unassigned      YES unset  down                  down
FastEthernet2              unassigned      YES unset  up                    up
FastEthernet3              unassigned      YES unset  up                    up
FastEthernet4              unassigned      YES unset  up                    up
Ethernet0                  10.3.82.10      YES NVRAM  up                    up
Ethernet1                  74.WW.XX.35     YES NVRAM  up                    up
Ethernet2                  172.16.1.10     YES NVRAM  up                    up
Tunnel101                  1.3.82.46       YES NVRAM  up                    down    <====
Tunnel201                  1.3.82.62       YES NVRAM  up                    down    <====
NVI0                       unassigned      NO  unset  up                    up
Site-382-831#
Site-382-831#sho run int tunnel101
Building configuration...

Current configuration : 277 bytes
!
interface Tunnel101
 description % connected to the 2nd KC BGP 2821 - PRI-B
 ip address 1.3.82.46 255.255.255.252
 ip mtu 1500
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 keepalive 3 3
 tunnel source Ethernet1
 tunnel destination 208.YY.ZZ.11
end
Site-382-831#
Site-382-831#show crypto isakmp sa
dst             src             state          conn-id slot status
208.XX.YY.11    74.WW.XX.35     QM_IDLE             11    0 ACTIVE
208.YY.ZZ.11    74.WW.XX.35     QM_IDLE             10    0 ACTIVE
Site-382-831#
Site-382-831#
Site-382-831#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.
11    74.WW.XX.35     208.XX.YY.11           ACTIVE 3des sha  psk  1  23:56:09
       Connection-id:Engine-id =  11:2(hardware)
10    74.WW.XX.35     208.YY.ZZ.11           ACTIVE 3des sha  psk  1  23:56:09
       Connection-id:Engine-id =  10:2(hardware)
Site-382-831#
Site-382-831#
Site-382-831#show crypto ipsec sa

interface: Ethernet1
    Crypto map tag: IPVPN_MAP, local addr 74.WW.XX.35

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (74.WW.XX.35/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (208.YY.ZZ.11/255.255.255.255/47/0)
   current_peer 208.YY.ZZ.11 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2333, #pkts encrypt: 2333, #pkts digest: 2333
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 21, #recv errors 0

     local crypto endpt.: 74.WW.XX.35, remote crypto endpt.: 208.YY.ZZ.11
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet1
     current outbound spi: 0x45047D1D(1157922077)

     inbound esp sas:
      spi: 0x15B97AEA(364477162)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: C83X_MBRD:4, crypto map: IPVPN_MAP
        sa timing: remaining key lifetime (k/sec): (4486831/1056)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x45047D1D(1157922077)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: C83X_MBRD:3, crypto map: IPVPN_MAP
        sa timing: remaining key lifetime (k/sec): (4486744/1056)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (74.WW.XX.35/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (208.XX.YY.11/255.255.255.255/47/0)
   current_peer 208.XX.YY.11 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2333, #pkts encrypt: 2333, #pkts digest: 2333
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 21, #recv errors 0

     local crypto endpt.: 74.WW.XX.35, remote crypto endpt.: 208.XX.YY.11
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet1
     current outbound spi: 0xE82A86BC(3895101116)

     inbound esp sas:
      spi: 0x539697CA(1402378186)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2008, flow_id: C83X_MBRD:8, crypto map: IPVPN_MAP
        sa timing: remaining key lifetime (k/sec): (4432595/1039)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE82A86BC(3895101116)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: C83X_MBRD:1, crypto map: IPVPN_MAP
        sa timing: remaining key lifetime (k/sec): (4432508/1039)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
Site-382-831#
Site-382-831#
Site-382-831#show crypto ipsec sa | inc pkts|life
    #pkts encaps: 2397, #pkts encrypt: 2397, #pkts digest: 2397
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
        sa timing: remaining key lifetime (k/sec): (4486831/862)
        sa timing: remaining key lifetime (k/sec): (4486738/862)
    #pkts encaps: 2397, #pkts encrypt: 2397, #pkts digest: 2397
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
        sa timing: remaining key lifetime (k/sec): (4432595/846)
        sa timing: remaining key lifetime (k/sec): (4432501/846)
Site-382-831#
Site-382-831#
Site-382-831#show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Site-382-831#
Site-382-831#show crypto map
Crypto Map "IPVPN_MAP" 101 ipsec-isakmp
        Description: to the 2nd KC BGP 2821 - PRI-B
        Peer = 208.YY.ZZ.11
        Extended IP access list PRI-B
            access-list PRI-B permit gre host 74.WW.XX.35 host 208.YY.ZZ.11
        Current peer: 208.YY.ZZ.11
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                IPVPN,
        }
Crypto Map "IPVPN_MAP" 201 ipsec-isakmp
        Description: 2nd Dallas BGP 2821 - SEC-B
        Peer = 208.XX.YY.11
        Extended IP access list SEC-B
            access-list SEC-B permit gre host 74.WW.XX.35 host 208.XX.YY.11
        Current peer: 208.XX.YY.11
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                IPVPN,
        }
        Interfaces using crypto map IPVPN_MAP:
                Ethernet1
Site-382-831#
Tunnel configuration between KC & the remote site is:
Remote c831 - KC
crypto isakmp policy 10
 encr 3des
 authentication pre-share
!
crypto isakmp key PRI-B-382 address 208.YY.ZZ.11
!
crypto ipsec transform-set IPVPN esp-3des esp-sha-hmac
 mode transport
!
crypto map IPVPN_MAP 101 ipsec-isakmp
 description to the 2nd KC BGP 2821 - PRI-B
 set peer 208.YY.ZZ.11
 set transform-set IPVPN
 match address PRI-B
!
interface Tunnel101
 description % connected to the 2nd KC BGP 2821 - PRI-B
 ip address 1.3.82.46 255.255.255.252
 ip mtu 1500
 keepalive 3 3
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 tunnel source Ethernet1
 tunnel destination 208.YY.ZZ.11
!
interface Ethernet0
 description private network
 ip address 10.3.82.10 255.255.255.0
 ip mtu 1500
 no shutdown
!
interface Ethernet1
 ip address 74.WW.XX.35 255.255.255.248
 ip mtu 1500
 duplex auto
 ip virtual-reassembly
 crypto map IPVPN_MAP
 no shutdown
!
ip access-list extended PRI-B
 permit gre host 74.WW.XX.35 host 208.YY.ZZ.11
!
KC-2821
crypto isakmp key PRI-B-382 address 74.WW.XX.35
!
ip access-list extended PRI-B-382
 permit gre host 208.YY.ZZ.11 host 74.WW.XX.35
!
crypto map IPVPN_MAP 382 ipsec-isakmp
 description % connected to the 2nd KC BGP 2821
 set peer 74.WW.XX.35
 set transform-set IPVPN
 match address PRI-B-382
!
interface Tunnel382
 description %
 ip address 1.3.82.45 255.255.255.252
 keepalive 3 3
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 ip mtu 1400
 delay 40000
 tunnel source 208.YY.ZZ.11
 tunnel destination 74.WW.XX.35
!
end
Any help would be much appreciated!
Mark
Hello
From the logs on Site-382-831, I only see encrypts but no decrypts. Could you check the corresponding entry on the peer and see whether it has any issue sending the return traffic?
Site-382-831#show crypto ipsec sa | inc pkts|life
    #pkts encaps: 2397, #pkts encrypt: 2397, #pkts digest: 2397
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
        sa timing: remaining key lifetime (k/sec): (4486831/862)
        sa timing: remaining key lifetime (k/sec): (4486738/862)
    #pkts encaps: 2397, #pkts encrypt: 2397, #pkts digest: 2397
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
        sa timing: remaining key lifetime (k/sec): (4432595/846)
        sa timing: remaining key lifetime (k/sec): (4432501/846)
Site-382-831#
Kind regards
Averroès.
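As an added example (not from the thread), here is a parser for the IOS "show crypto ipsec sa" output above that extracts the per-peer encaps/decaps counters and flags exactly the one-way pattern Averroès points out (encrypts but never decrypts). The sample input is a constructed, trimmed copy of Site-382-831's output; the "mode" field it reports is the negotiated mode, which you can compare against the "mode transport" in the transform-set.

```python
import re

# Constructed sample: the two GRE (protocol 47) flows from Site-382-831's
# 'show crypto ipsec sa' in the thread above, trimmed to the lines parsed here.
SAMPLE_SA = """\
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (74.WW.XX.35/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (208.YY.ZZ.11/255.255.255.255/47/0)
   current_peer 208.YY.ZZ.11 port 500
    #pkts encaps: 2333, #pkts encrypt: 2333, #pkts digest: 2333
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 21, #recv errors 0
     inbound esp sas:
      spi: 0x15B97AEA(364477162)
        in use settings ={Tunnel, }
        Status: ACTIVE
     outbound esp sas:
      spi: 0x45047D1D(1157922077)
        in use settings ={Tunnel, }
        Status: ACTIVE
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (74.WW.XX.35/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (208.XX.YY.11/255.255.255.255/47/0)
   current_peer 208.XX.YY.11 port 500
    #pkts encaps: 2333, #pkts encrypt: 2333, #pkts digest: 2333
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 21, #recv errors 0
     inbound esp sas:
      spi: 0x539697CA(1402378186)
        in use settings ={Tunnel, }
        Status: ACTIVE
     outbound esp sas:
      spi: 0xE82A86BC(3895101116)
        in use settings ={Tunnel, }
        Status: ACTIVE
"""

IDENT_RE = re.compile(r"^\s*(local|remote)\s+ident .*?: \((\S+?)/(\S+?)/(\d+)/(\d+)\)")
PEER_RE = re.compile(r"^\s*current_peer (\S+) port (\d+)")
CNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
DIR_RE = re.compile(r"^\s*(inbound|outbound) esp sas:")
SPI_RE = re.compile(r"^\s*spi: (0x[0-9A-Fa-f]+)")
MODE_RE = re.compile(r"in use settings =\{(\w+),")


def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' into one record per protected flow (peer)."""
    entries, cur, direction = [], None, None
    for line in text.splitlines():
        if line.strip().startswith("protected vrf"):   # each flow block starts here
            cur = {"peer": None, "local_ident": None, "remote_ident": None,
                   "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0,
                   "mode": None, "spi": {}}
            entries.append(cur)
            direction = None
            continue
        if cur is None:
            continue
        if m := IDENT_RE.match(line):
            cur[m.group(1) + "_ident"] = {"addr": m.group(2), "mask": m.group(3),
                                           "proto": int(m.group(4)), "port": int(m.group(5))}
        elif m := PEER_RE.match(line):
            cur["peer"] = m.group(1)
        elif m := DIR_RE.match(line):
            direction = m.group(1)
        elif (m := SPI_RE.match(line)) and direction:
            cur["spi"][direction] = m.group(1)
        else:
            for name, value in CNT_RE.findall(line):
                cur[name] = int(value)
            if m := ERR_RE.search(line):
                cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
            if m := MODE_RE.search(line):
                cur["mode"] = m.group(1)
    return entries


def diagnose(entries):
    """Classify each flow by its counters; 'one-way' is the symptom in the thread."""
    report = {}
    for e in entries:
        if e["encaps"] > 0 and e["decaps"] == 0:
            verdict = ("one-way: we encrypt towards the peer but never decrypt anything; "
                       "check the peer's encaps counter, its crypto ACL and route back to us, "
                       "and that ESP (IP protocol 50) is not dropped on the way in")
        elif e["encaps"] == 0 and e["decaps"] == 0:
            verdict = "idle: no traffic matched the crypto ACL in either direction"
        else:
            verdict = "bidirectional"
        report[e["peer"]] = {"verdict": verdict, "mode": e["mode"],
                             "proto": e["local_ident"]["proto"] if e["local_ident"] else None,
                             "send_errors": e["send_errors"]}
    return report


if __name__ == "__main__":
    for peer, info in diagnose(parse_ipsec_sa(SAMPLE_SA)).items():
        print(peer, info)
```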