IPSec VPN between Cisco and ScreenOS

Similar Questions

• Problem with IPsec VPN between ASA and router Cisco - ping is not response

  Hello

  I don't know because the IPsec VPN does not work. This is my setup (IPsec VPN between ASA and R2):

  my network topology data:

  LAN 1 connect ASA - 1 (inside the LAN)

  PC - 10.0.1.3 255.255.255.0 10.0.1.1

  ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0

  -----------------------------------------------------------------

  ASA - 1 Connect (LAN outide) R1

  ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252

  R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252

  ---------------------------------------------------------------------

  R1 R2 to connect

  R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252

  R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252

  R2 for lan connection 2

  --------------------------------------------------------------------

  R2 to connect LAN2

  R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0

  PC - 10.0.2.3 255.255.255.0 10.0.2.1

  ASA configuration:

  1 GigabitEthernet interface
  nameif inside
  security-level 100
  IP 10.0.1.1 255.255.255.0
  no downtime
  interface GigabitEthernet 0
  nameif outside
  security-level 0
  IP 172.30.1.2 255.255.255.252
  no downtime
  Route outside 0.0.0.0 0.0.0.0 172.30.1.1

  ------------------------------------------------------------

  access-list scope LAN1 to LAN2 ip 10.0.1.0 allow 255.255.255.0 10.0.2.0 255.255.255.0
  object obj LAN
  subnet 10.0.1.0 255.255.255.0
  object obj remote network
  10.0.2.0 subnet 255.255.255.0
  NAT (inside, outside) 1 static source obj-local obj-local destination obj-remote control remote obj non-proxy-arp static

  -----------------------------------------------------------
  IKEv1 crypto policy 10
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 3600
  Crypto ikev1 allow outside
  crypto isakmp identity address

  ------------------------------------------------------------
  tunnel-group 172.30.2.2 type ipsec-l2l
  tunnel-group 172.30.2.2 ipsec-attributes
  IKEv1 pre-shared-key cisco123
  Crypto ipsec transform-set esp-aes-192 ASA1TS, esp-sha-hmac ikev1

  -------------------------------------------------------------
  card crypto ASA1VPN 10 is the LAN1 to LAN2 address
  card crypto ASA1VPN 10 set peer 172.30.2.2
  card crypto ASA1VPN 10 set transform-set ASA1TS ikev1
  card crypto ASA1VPN set 10 security-association life seconds 3600
  ASA1VPN interface card crypto outside

  R2 configuration:

  interface fastEthernet 0/0
  IP 10.0.2.1 255.255.255.0
  no downtime
  interface fastEthernet 0/1
  IP 172.30.2.2 255.255.255.252
  no downtime

  -----------------------------------------------------

  router RIP
  version 2
  Network 10.0.2.0
  network 172.30.2.0

  ------------------------------------------------------
  access-list 102 permit ahp 172.30.1.2 host 172.30.2.2
  access-list 102 permit esp 172.30.1.2 host 172.30.2.2
  access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
  interface fastEthernet 0/1
  IP access-group 102 to

  ------------------------------------------------------
  crypto ISAKMP policy 110
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 42300

  ------------------------------------------------------
  ISAKMP crypto key cisco123 address 172.30.1.2

  -----------------------------------------------------
  Crypto ipsec transform-set esp - aes 128 R2TS

  ------------------------------------------------------

  access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

  ------------------------------------------------------

  R2VPN 10 ipsec-isakmp crypto map
  match address 101
  defined by peer 172.30.1.2
  PFS Group1 Set
  R2TS transformation game
  86400 seconds, life of security association set
  interface fastEthernet 0/1
  card crypto R2VPN

  I don't know what the problem

  Thank you

  If the RIP is not absolutely necessary for you, try adding the default route to R2:

  IP route 0.0.0.0 0.0.0.0 172.16.2.1

  If you want to use RIP much, add permissions ACL 102:

  access-list 102 permit udp any any eq 520

• Configure several IPSec VPN between Cisco routers

  I would like to create multiple ipsec VPN between 3 routers. Before applying it, I would like to check on the config I wrote to see if it works. It's just on RouterA configuration for virtual private networks to RouterB, and RouterC.

  As you can apply in a cyptomap by interface, I say with the roadmap, that it should be able to manage traffic for both routers. Or is there a better way to do it?

  RouterA - 1.1.1.1

  RouterB - 2.2.2.2

  RouterC - 3.3.3.3

  RouterA

  crypto ISAKMP policy 10

  BA 3des

  preshared authentication

  Group 2

  ISAKMP crypto key RouterB address 2.2.2.2

  ISAKMP crypto keys RouterC address 3.3.3.3

  invalid-spi-recovery crypto ISAKMP

  ISAKMP crypto keepalive 5 10 periodicals

  ISAKMP crypto nat keepalive 30

  !

  life crypto ipsec security association seconds 28800

  !

  Crypto ipsec transform-set AES - SHA esp - aes 256 esp-sha-hmac

  !

  outsidemap 20 ipsec-isakmp crypto map

  defined peer 2.2.2.2

  game of transformation-AES-SHA

  match address 222

  outsidemap 30 ipsec-isakmp crypto map

  defined peer 3.3.3.3

  game of transformation-AES-SHA

  match address 333

  !

  interface GigabitEthernet0/0

  Description * Internet *.

  NAT outside IP

  outsidemap card crypto

  !

  interface GigabitEthernet0/1

  Description * LAN *.

  IP 1.1.1.1 255.255.255.0

  IP nat inside

  !

  IP nat inside source map route RouterA interface GigabitEthernet0/0 overload

  !

  access-list 222 allow ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

  access-list 223 deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

  access-list 223 allow ip 1.1.1.0 0.0.0.255 any

  access-list 333 allow ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255

  access-list 334 deny ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255

  access-list 334 allow ip 1.1.1.0 0.0.0.255 any

  !

  !

  RouterA route map permit 10

  corresponds to the IP 223 334

  Hi Chris,

  The two will remain active.

  The configuration you have is for several ste VPN site is not for the redundant VPN.

  The config for the redundant VPN is completely different allows so don't confuse is not with it.

  In the redundant VPN configuration both peers are defined in the same card encryption.

  Traffic that should be passed through the tunnel still depend on the access list, we call in the card encryption.

  This access-lsist is firstly cheked and as a result, the traffic is passed through the correct tunnel

  HTH!

  Concerning

  Regnier

  Please note all useful posts

• IPSec VPN between Cisco ASA and Fortigate1000

  Hello

  I find a useful document on how to create a tunnel VPN IPSec with ASA 5510 firewall Fortigate 1000...

  the configuration of the coast FG is done without any problem, BUT the document (. doc FG) said I must configure the ASA with a GRE interface and assign an internal IP address in order to communicate with the FG...

  The question is: How do I configure the interface on the SAA ACCORD?

  Thanks in advance, Experts...

  Kind regards...

  ASA firewall does not support the interface/GRE GRE tunnel.

  If you need to have GRE configured, you will need to complete the GRE tunnel on router IOS.

  If you want to configure just pure tunnel VPN IPSec (lan-to-lan), here is an example of configuration on the side of the ASA:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080950890.shtml

  Hope that helps.

• VPN between Cisco and Check Point problem

  Guys,

  I have problems to establish a vpn site-to-site between a Cisco 3660 e router tunnel a firewall checkpoint NG AI R55.

  In the SiteA is an environment with a Cisco 3660 router using the following configurations:

  crypto ISAKMP policy 1

  md5 hash

  preshared authentication

  Group 2

  life 86400

  !

  ISAKMP crypto key [removed] address 172.17.10.111

  !

  Crypto ipsec transform-set esp - esp-md5-hmac serasa

  !

  Serasa 1 ipsec-isakmp crypto map

  defined by peer 172.17.10.111

  Set transform-set serasa

  match address 101

  !

  interface Serial5/4

  bandwidth 64

  IP 192.168.163.6 255.255.255.252

  no ip unreachable

  No cdp enable

  card crypto serasa

  !

  IP route 10.12.0.155 255.255.255.255 192.168.163.5

  IP route 172.17.10.111 255.255.255.255 192.168.163.5

  IP route 172.17.10.155 255.255.255.255 192.168.163.5

  !

  access-list 101 permit tcp 172.248.7.200 host 10.12.0.0 0.0.255.255 eq 3315

  In the SiteB, we have an environment highly available Nokia using VRRP.

  The IP address configured as a cluster in the Control Point is 172.17.10.111.

  We have already confirmed all the configurations of the phase 1 and 2 and is OK, but the VPN is not established.

  The following messages appear in the router and the firewall:

  ROUTER

  June 15 at 10:39:24 orbital: ISAKMP (0:252): check IPSec 1 proposal

  June 15 at 10:39:24 orbital: ISAKMP: turn 1 ESP_DES

  June 15 at 10:39:24 orbital: ISAKMP: attributes of transformation:

  June 15 at 10:39:24 orbital: ISAKMP: program is 1

  June 15 at 10:39:24 orbital: ISAKMP: type of life in seconds

  June 15 at 10:39:24 orbital: ISAKMP: life of HIS (basic) 3600

  June 15 at 10:39:24 orbital: ISAKMP: type of life in kilobytes

  June 15 at 10:39:24 orbital: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0

  June 15 at 10:39:24 orbital: ISAKMP: authenticator is HMAC-MD5

  June 15 at 10:39:24 orbital: ISAKMP (0:252): atts are acceptable.

  June 15 at 10:39:24 orbital: IPSEC (validate_proposal_request): part #1 of the proposal

  (Eng. msg key.) Local INCOMING = 192.168.163.6, distance = 172.17.10.111,.

  local_proxy = 172.248.7.200/255.255.255.255/0/0 (type = 1),

  remote_proxy = 10.12.0.0/255.255.0.0/0/0 (type = 4),

  Protocol = ESP, transform = esp - esp-md5-hmac.

  lifedur = 0 and 0kb in

  SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 2

  June 15 at 10:39:24 orbital: IPSEC (kei_proxy): head = serasa, card-> ivrf =, kei-> ivrf =

  June 15 at 10:39:24 orbital: IPSEC (validate_transform_proposal): proxy unsupported identities

  June 15 at 10:39:24 orbital: ISAKMP (0:252): IPSec policy invalidated proposal

  June 15 at 10:39:24 orbital: ISAKMP (0:252): politics of ITS phase 2 is not acceptable! (local 192.168.163.6 remote 172.17.10.111)

  June 15 at 10:39:24 orbital: ISAKMP: node set 2114856837 to QM_IDLE

  June 15 at 10:39:24 orbital: ISAKMP (0:252): lot of 200.245.207.111 sending my_port 500 peer_port 500 (I) QM_IDLE

  June 15 at 10:39:24 orbital: ISAKMP (0:252): purge the node 2114856837

  June 15 at 10:39:24 orbital: ISAKMP (0:252): unknown entry for node-528822595: State = IKE_QM_I_QM1, large = 0x00000001, minor = 0x0000000C

  June 15 at 10:39:24 orbital: % CRYPTO-6-IKMP_MODE_FAILURE: fast processing mode failed with the peer to 172.17.10.111

  FIREWALL

  IKE: Main Mode has received Notification of peers: first Contact

  IKE: Completion of Main Mode.

  IKE: Quick Mode has received Notification of the counterpart: no proposal chosen

  IKE: Quick Mode has received Notification of the counterpart: no proposal chosen

  IKE: Exchanging information received remove peer IKE - SA:

  Anyone have idea who might be the problem?

  Thank you very much for the help.

  Fabiano Mendonca.

  Cool. pls mark as resolved if that might help others... the rate of responses if deemed useful...

  REDA

• VPN between ASA and cisco router [phase2 question]

  Hi all

  I have a problem with IPSEC VPN between ASA and cisco router

  I think that there is a problem in the phase 2

  Can you please guide me where could be the problem.
  I suspect questions ACL on the router, but I cannot fix. ACL on the router is specified below

  Looking forward for your help

  Phase 1 is like that

  Cisco_router #sh crypto isakmp his

  IPv4 Crypto ISAKMP Security Association
  status of DST CBC State conn-id slot
  78.x.x.41 87.x.x.4 QM_IDLE 2006 0 ACTIVE

  and ASA

  ASA # sh crypto isakmp his

  ITS enabled: 1
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 1

  1 peer IKE: 78.x.x.41
  Type: L2L role: initiator
  Generate a new key: no State: MM_ACTIVE

  Phase 2 on SAA

  ASA # sh crypto ipsec his
  Interface: Outside
  Tag crypto map: Outside_map, seq num: 20, local addr: 87.x.x.4

  Outside_cryptomap_20 ip 172.19.209.0 access list allow 255.255.255.0 172.
  19.194.0 255.255.255.0
  local ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
  current_peer: 78.x.x.41

  #pkts program: 8813, #pkts encrypt: 8813, #pkts digest: 8813
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 8813, model of #pkts failed: 0, #pkts Dang failed: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : 87.x.x.4, remote Start crypto. : 78.x.x.41

  Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
  current outbound SPI: C96393AB

  SAS of the esp on arrival:
  SPI: 0x3E9D820B (1050509835)
  transform: esp-3des esp-md5-hmac no
  running parameters = {L2L, Tunnel}
  slot: 0, id_conn: 7, crypto-card: Outside_map
  calendar of his: service life remaining (KB/s) key: (4275000/3025)
  Size IV: 8 bytes
  support for replay detection: Y
  outgoing esp sas:
  SPI: 0xC96393AB (3378746283)
  transform: esp-3des esp-md5-hmac no
  running parameters = {L2L, Tunnel}
  slot: 0, id_conn: 7, crypto-card: Outside_map
  calendar of his: service life remaining (KB/s) key: (4274994/3023)
  Size IV: 8 bytes
  support for replay detection: Y

  Phase 2 on cisco router

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
  current_peer 87.x.x.4 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 78.x.x.41, remote Start crypto. : 87.x.x.4
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer0
  current outbound SPI: 0x0 (0)

  SAS of the esp on arrival:

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:

  outgoing ah sas:

  outgoing CFP sas:

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
  current_peer 87.x.x.4 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 8947, #pkts decrypt: 8947, #pkts check: 8947
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 78.x.x.41, remote Start crypto. : 87.x.x.4
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer0
  current outbound SPI: 0x3E9D820B (1050509835)

  SAS of the esp on arrival:
  SPI: 0xC96393AB (3378746283)
  transform: esp-3des esp-md5-hmac.
  running parameters = {Tunnel}
  Conn ID: 29, flow_id: Motorola SEC 1.0:29, card crypto: mycryptomap
  calendar of his: service life remaining (k/s) key: (4393981/1196)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0x3E9D820B (1050509835)
  transform: esp-3des esp-md5-hmac.
  running parameters = {Tunnel}
  Conn ID: 30, flow_id: Motorola SEC 1.0:30, card crypto: mycryptomap
  calendar of his: service life remaining (k/s) key: (4394007/1196)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  VPN configuration is less in cisco router

  access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
  access-list 101 permit ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
  access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
  access-list 101 permit ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
  access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect
  access-list 101 permit ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 connect

  access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
  access-list 105 deny ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
  access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
  access-list 105 deny ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
  access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect
  access-list 105 deny ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 connect

  sheep allowed 10 route map
  corresponds to the IP 105

  Crypto ipsec transform-set esp-3des esp-md5-hmac mytransformset

  mycryptomap 100 ipsec-isakmp crypto map
  the value of 87.x.x.4 peer
  Set transform-set mytransformset
  match address 101

  crypto ISAKMP policy 100
  BA 3des
  md5 hash
  preshared authentication
  Group 2
  ISAKMP crypto key xxx2011 address 87.x.x.4

  Your permit for 105 ACL statement should be down is changed to match because it is the most general ACL.

  You currently have:

  Extend the 105 IP access list
  5 permit ip 172.19.194.0 0.0.0.255 (18585 matches)
  10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
  30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
  50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect

  It should be:

  Extend the 105 IP access list
  10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
  30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
  50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect

  IP 172.19.194.0 allow 60 0.0.0.255 (18585 matches)

  To remove it and add it to the bottom:

  105 extended IP access list

  not 5

  IP 172.19.194.0 allow 60 0.0.0.255 any

  Then ' delete ip nat trans. "

  and it should work now.

• ASA 5505 - I can't create an IPSEC VPN between two ASA 5505

  Hello

  I have two ASA 5505 with basic license and I'm trying to create a VPN IPSEC using the CLI. Here are the steps I did:

  1 Configure ASA-1 (host name, vlan 1 and vlan 2).

  2. configure a static route

  3. create object network (local and remote)

  4. create the access list

  5. create ikev1 crypto

  6. create tunnel-group

  7 Configure nat

  and I repeat the steps above with the ASA but another change IP.

  Are to correct the above steps?

  Why can I not create an IPSEC VPN between devices?.

  No, you needn't. The ASA configuration is ok. Packet trace proved it. I think it can be a problem on the hosts. Please, check the firewall on the PC and try to put out of service, if it is running.

• IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and static

  Hello

  My problem isn't really the IPSec connection between two devices (it is already done...) But my problem is that I have a mail server on the site of Cisco, who have a static NAT from inside to outside. Due to the static NAT, I do not see the server in the VPN tunnel. I found a document that almost describes the problem:

  "Configuration of a router IPSEC Tunnel private-to-private network with NAT and static" (Document ID 14144)

  NAT takes place before the encryption verification!

  In this document, the solution is 'routing policy' using the loopback interface. But, how can I handle this with the Netscreen firewall. Someone has an idea?

  Thanks for any help

  Best regards

  Heiko

  Hello

  Try to change your static NAT with static NAT based policy.

  That is to say the static NAT should not be applicable for VPN traffic

  permissible static route map 1

  corresponds to the IP 104

  access-list 104 refuse host ip 10.1.110.10 10.1.0.0 255.255.0.0

  access-list 104 allow the host ip 10.1.110.10 all

  IP nat inside source static 10.1.110.10 81.222.33.90 map of static route

  HTH

  Kind regards

  GE.

• Troubleshooting IPSec Site to Site VPN between ASA and 1841

  Hi all

  in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

  I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

  I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

  It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

  On the ASA:

  Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

  address of the peers: 217.86.154.120
  Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

  access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
  local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
  current_peer: 217.xx.yy.zz

  #pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

  Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
  current outbound SPI: 39135054
  current inbound SPI: B2E9E500

  SAS of the esp on arrival:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4374000/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001
  outgoing esp sas:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4373976/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  Output of the command: "sh crypto isakmp his."

  HIS active: 4
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 4

  IKE Peer: 217.xx.yy.zz
  Type: L2L role: initiator
  Generate a new key: no State: MM_ACTIVE

  On the 1841

  1841 crypto isakmp #sh its
  IPv4 Crypto ISAKMP Security Association
  DST CBC conn-State id
  217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

  1841 crypto ipsec #sh its

  Interface: Dialer1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  Interface: virtual Network1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

  Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto.      (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

  I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

  It's the running of the 1841 configuration

  !
  version 15.1
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  encryption password service
  !
  host name 1841
  !
  boot-start-marker
  start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
  boot-end-marker
  !
  logging buffered 51200 notifications
  !
  AAA new-model
  !
  !
  AAA authentication login default local
  !
  AAA - the id of the joint session
  !
  iomem 20 memory size
  clock timezone PCTime 1
  PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
  dot11 syslog
  IP source-route
  !
  No dhcp use connected vrf ip
  !
  IP cef
  no ip bootp Server
  IP domain name test
  name of the IP-server 194.25.2.129
  name of the IP-server 194.25.2.130
  name of the IP-server 194.25.2.131
  name of the IP-server 194.25.2.132
  name of the IP-server 194.25.2.133
  No ipv6 cef
  !
  Authenticated MultiLink bundle-name Panel
  !
  !
  object-group network phone
  VoIP phone description
  Home 172.20.2.50
  Home 172.20.2.51
  !
  redundancy
  !
  !
  controller LAN 0/0/0
  atm mode
  Annex symmetrical shdsl DSL-mode B
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  isakmp encryption key * address 62.aa.bb.cc
  !
  !
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  !
  map SDM_CMAP_1 1 ipsec-isakmp crypto
  Description Tunnel to62.aa.bb.cc
  the value of 62.aa.bb.cc peer
  game of transformation-ESP-3DES-SHA
  PFS group2 Set
  match address 100
  !
  !
  !
  interface FastEthernet0/0
  DMZ description $ FW_OUTSIDE$
  10.10.10.254 IP address 255.255.255.0
  IP nat inside
  IP virtual-reassembly
  automatic duplex
  automatic speed
  !
  interface FastEthernet0/1
  Description $ETH - LAN$ $FW_INSIDE$
  IP 172.20.2.254 255.255.255.0
  IP access-group 100 to
  IP nat inside
  IP virtual-reassembly
  IP tcp adjust-mss 1412
  automatic duplex
  automatic speed
  !
  ATM0/0/0 interface
  no ip address
  No atm ilmi-keepalive
  !
  point-to-point interface ATM0/0/0.1
  PVC 1/32
  PPPoE-client dial-pool-number 1
  !
  !
  interface Dialer1
  Description $FW_OUTSIDE$
  the negotiated IP address
  IP mtu 1452
  NAT outside IP
  IP virtual-reassembly
  encapsulation ppp
  Dialer pool 1
  Dialer-Group 2
  PPP authentication chap callin pap
  PPP chap hostname xxxxxxx
  PPP chap password 7 xxxxxxx8
  PPP pap sent-name of user password xxxxxxx xxxxxxx 7
  map SDM_CMAP_1 crypto
  !
  IP forward-Protocol ND
  IP http server
  local IP http authentication
  IP http secure server
  !
  !
  The dns server IP
  IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
  IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
  IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
  IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
  IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
  !
  logging trap notifications
  Note category of access list 1 = 2 CCP_ACL
  access-list 1 permit 172.20.2.0 0.0.0.255
  Note access-list category 2 CCP_ACL = 2
  access-list 2 allow 10.10.10.0 0.0.0.255
  Note access-list 100 category CCP_ACL = 4
  Note access-list 100 IPSec rule
  access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  Note CCP_ACL the access list 101 = 2 category
  Note access-list 101 IPSec rule
  access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 101 permit ip 172.20.2.0 0.0.0.255 any
  Note access-list 102 CCP_ACL category = 2
  Note access-list 102 IPSec rule
  access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 102 permit ip 10.10.10.0 0.0.0.255 any
  !

  !
  allowed SDM_RMAP_1 1 route map
  corresponds to the IP 101
  !
  allowed SDM_RMAP_2 1 route map
  corresponds to the IP 102
  !
  !
  control plan
  !
  !
  Line con 0
  line to 0
  line vty 0 4
  length 0
  transport input telnet ssh
  !
  Scheduler allocate 20000 1000
  NTP-Calendar Update
  NTP 172.20.2.250 Server prefer
  end

  As I mentioned previously: suspicion is much appreciated!

  Best regards

  Joerg

  Joerg,

  ASA receives not all VPN packages because IOS does not send anything.

  Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

  The problem seems so on the side of the router.

  I think that is a routing problem, but you only have one default gateway (no other channels on the router).

  The ACL 100 is set to encrypt the traffic between the two subnets.

  It seems that the ACL 101 is also bypassing NAT for VPN traffic.

  Follow these steps:

  Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

  I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

  Federico.

• Problem with IPSEC tunnel between Cisco PIX and Cisco ASA

  Hi all!

  Have a strange problem with one of our tunnel ipsec for one of our customers, we can open the tunnel of the customers of the site, but not from our site, don't understand what's wrong, if it would be a configuration problem should can we not all up the tunnel.

  On our side as initiator:

  Jan 14 13:53:26 172.27.1.254% PIX-7-702208: ISAKMP Phase 1 Exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)

  Jan 14 13:53:26 172.27.1.254% PIX-7-702210: Exchange of ISAKMP Phase 1 is complete (local 1.1.1.1 (initiator), remote 2.2.2.2)

  Jan 14 13:53:26 172.27.1.254% 6-PIX-602202: ISAKMP connected session (local 1.1.1.1 (initiator), remote 2.2.2.2)

  Jan 14 13:53:26 172.27.1.254% PIX-6-602201: Phase 1 ISAKMP Security Association created (local 1.1.1.1/500 (initiator), 2.2.2.2/500 remotely, authentication = pre-action, encryption = 3DES-CBC, hash = SHA, group = 2, life = 86400 s)

  Jan 14 13:53:26 172.27.1.254% PIX-7-702209: ISAKMP Phase 2 Exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)

  Jan 14 13:53:26 172.27.1.254% PIX-7-702201: ISAKMP Phase 1 delete received (local 1.1.1.1 (initiator), remote 2.2.2.2)

  Jan 14 13:53:26 172.27.1.254% PIX-6-602203: ISAKMP disconnected session (local 1.1.1.1 (initiator), remote 2.2.2.2)

  Jan 14 13:53:56 172.27.1.254% PIX-7-702303: sa_request, CBC (MSG key in English) = 1.1.1.1, dest = 2.2.2.2, src_proxy = 172.27.1.10/255.255.255.255/0/0 (type = 1), dest_proxy = 192.168.100.18/255.255.255.255/0/0 (type = 1), Protocol is ESP transform = lifedur hmac-sha-esp, esp-3des 28800 = s and 4608000 Ko, spi = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 4004

  The site of the customer like an answering machine:

  14 jan 11:58:23 172.27.1.254% PIX-7-702208: ISAKMP Phase 1 Exchange started (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

  14 jan 11:58:23 172.27.1.254% PIX-7-702210: Exchange of ISAKMP Phase 1 is complete (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

  14 jan 11:58:23 172.27.1.254% 6-PIX-602202: ISAKMP connected session (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

  14 jan 11:58:23 172.27.1.254% PIX-6-602201: Phase 1 ISAKMP Security Association created (local 1.1.1.1/500 (answering machine), distance 2.2.2.2/500, authentication = pre-action, encryption = 3DES-CBC, hash = MD5, group = 1, life = 86400 s)

  14 jan 11:58:23 172.27.1.254% PIX-7-702209: ISAKMP Phase 2 Exchange started (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

  14 jan 11:58:23 172.27.1.254% PIX-6-602301: its created, (his) sa_dest = 2.2.2.2, sa_prot = 50, sa_spi = 0x9de820bd (2649235645) sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 116

  14 jan 11:58:23 172.27.1.254% PIX-7-702211: Exchange of ISAKMP Phase 2 is complete (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

  Jan 14 12:28:54 172.27.1.254% PIX-6-602302: SA deletion, (his) sa_dest = 2.2.2.2, sa_prot = 50, sa_spi = 0x9de820bd (2649235645), sa_trans = esp-3desesp-sha-hmac, sa_conn_id = 116

  Kind regards

  Johan

  From my experience when a tunnel is launched on one side, but it is not on the other hand, that the problem is with an inconsistency of the isakmp and ipsec policies, mainly as ipsec policies change sets and corresponding address with ASA platform when a tunnel is not a statically defined encryption card he sometimes use the dynamic tag to allocate this vpn connection. To check if this is the case go ahead and make a "crypto ipsec to show his" when the tunnel is active on both sides, see on the SAA if the corresponding tunnel is the static encryption card set or if it presents the dynamic encryption card.

  I advise you to go to the settings on both sides and ensure that they are both in the opposite direction.

• ISA500 site by site ipsec VPN with Cisco IGR

  Hello

  I tried a VPN site by site work with Openswan and Cisco 2821 router configuration an Ipsec tunnel to site by site with Cisco 2821 and ISA550.

  But without success.

  my config for openswan, just FYI, maybe not importand for this problem

  installation of config

  protostack = netkey

  nat_traversal = yes

  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%4:!$RIGHT_SUBNET

  nhelpers = 0

  Conn rz1

  IKEv2 = no

  type = tunnel

  left = % all

  leftsubnet=192.168.5.0/24

  right =.

  rightsourceip = 192.168.1.2

  rightsubnet=192.168.1.0/24

  Keylife 28800 = s

  ikelifetime 28800 = s

  keyingtries = 3

  AUTH = esp

  ESP = aes128-sha1

  KeyExchange = ike

  authby secret =

  start = auto

  IKE = aes128-sha1; modp1536

  dpdaction = redΘmarrer

  dpddelay = 30

  dpdtimeout = 60

  PFS = No.

  aggrmode = no

  Config Cisco 2821 for dynamic dialin:

  crypto ISAKMP policy 1

  BA aes

  sha hash

  preshared authentication

  Group 5

  lifetime 28800

  !

  card crypto CMAP_1 1-isakmp dynamic ipsec DYNMAP_1

  !

  access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255

  !

  Crypto ipsec transform-set ESP-AES-SHA1 esp - aes esp-sha-hmac

  crypto dynamic-map DYNMAP_1 1

  game of transformation-ESP-AES-SHA1

  match address 102

  !

  ISAKMP crypto key address 0.0.0.0 0.0.0.0

  ISAKMP crypto keepalive 30 periodicals

  !

  life crypto ipsec security association seconds 28800

  !

  interface GigabitEthernet0/0.4002

  card crypto CMAP_1

  !

  I tried ISA550 a config with the same constelations, but without suggesting.

  Anyone has the same problem?

  And had anyone has a tip for me, or has someone expirense with a site-by-site with ISA550 and Cisco 2821 ipsec tunnel?

  I can successfully establish a tunnel between openswan linux server and the isa550.

  Patrick,

  as you can see on newspapers, the software behind ISA is also OpenSWAN

  I have a facility with a 892 SRI running which should be the same as your 29erxx.

  Use your IOS Config dynmap, penny, you are on the average nomad. If you don't have any RW customer you shoul go on IOS "No.-xauth" after the isakmp encryption key.

  Here is my setup, with roardwarrior AND 2, site 2 site.

  session of crypto consignment

  logging crypto ezvpn

  !

  crypto ISAKMP policy 1

  BA 3des

  preshared authentication

  Group 2

  lifetime 28800

  !

  crypto ISAKMP policy 2

  BA 3des

  md5 hash

  preshared authentication

  Group 2

  lifetime 28800

  !

  crypto ISAKMP policy 3

  BA 3des

  preshared authentication

  Group 2

  !

  crypto ISAKMP policy 4

  BA 3des

  md5 hash

  preshared authentication

  Group 2

  !

  crypto ISAKMP policy 5

  BA 3des

  preshared authentication

  Group 2

  life 7200

  ISAKMP crypto address XXXX XXXXX No.-xauth key

  XXXX XXXX No.-xauth address isakmp encryption key

  !

  ISAKMP crypto client configuration group by default

  key XXXX

  DNS XXXX

  default pool

  ACL easyvpn_client_routes

  PFS

  !

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac FEAT

  !

  dynamic-map crypto VPN 20

  game of transformation-FEAT

  market arriere-route

  !

  !

  card crypto client VPN authentication list by default

  card crypto VPN isakmp authorization list by default

  crypto map VPN client configuration address respond

  10 VPN ipsec-isakmp crypto map

  Description of VPN - 1

  defined peer XXX

  game of transformation-FEAT

  match the address internal_networks_ipsec

  11 VPN ipsec-isakmp crypto map

  VPN-2 description

  defined peer XXX

  game of transformation-FEAT

  PFS group2 Set

  match the address internal_networks_ipsec2

  card crypto 20-isakmp dynamic VPN ipsec VPN

  !

  !

  Michael

  Please note all useful posts

• VPN between ASA and 871

  Hello

  I'm setting up a VPN router between 871 and ASA 5505 for the first time and having a problem. I have attached my network diagram as well as the configuration of 871 and ASA. Although the VPN tunnel is coming for example sh crypto isakmp his watch QM_IDLE and Exchange ipsec SA is successuful as well, but none of the machine can access each other. Please help as I am in desperate need to operate.

  Thank you all,.

  Jérôme

  Hello

  It seems that you are missing some required configuration. See the link below...

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805e8c80.shtml

  HTH

  MS

  * Rate of useful messages *.

• Problem with the Site to Site IPSec VPN using ADSL and PPPoE

  I have an IPSec site to Site VPN between a 2805 and an 1841. Both have fixed IP, but the end of 1841 uses a PPPoE and ADSL connection. The MTU that is displayed on the Dialer0 interface is 1454.

  I can get the packets through the Tunnel without problem (standard pings), but don't spend larger packages.

  Any suggestions?

  You can apply on both. Here's a URL that explain the problem of MTU and option in detail.

  http://www.Cisco.com/en/us/Tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

  Kind regards

  Arul

  * Please Note If this can help *.

• PIX IPSec VPN with Cisco 877W

  Hi all

  I am trying to create a VPN between a PIX and a Cisco 877W tunnel but can't seem to get the tunnel. When I do a 'sho crypto session"on the Cisco 877, I get, he said session state is declining, then changed to NEGOTIATE DOWN, but it is now down again... Please find attached the configs for both ends... Are there commands to confirm that the tunnel is up other than to try to ping the remote end? I would greatly appreciate any help lift this tunnel.

  Kind regards

  REDA

  Hello

  Based on the configurations of joined, to do some changes. For example:

  1. the isakmp policies do not match on the router and the pix. Make sure the hash group Diffie-Hellman and life correspond on the 877 and pix.

  2. the access list for the ipsec traffic must be images of mirror of the other.

  3. make sure life of ipsec on the two peers.

  I hope it helps.

  Kind regards

  Arul

  Rate if this can help.

• Impossible to establish a VPN between AG241 and WAG54GP2 tunnel

  Hello

  This is my first post on this forum and I send my best regards to everyone!

  I signed up because I have a problem with establishing a VPN tunnel between an AG241 modem/router and a modem/router WAG54GP2 with wireless and VoIP.

  The scenario is simple: both ends have dynamic IP, so I set up an account with dyndns.org for both routers.

  WAG54GP2 has 192.168.1.1/255.255.255.0 AG241 has 192.168.3.254/255.255.255.0 IP and IP.

  In both routers, I turned block anonymous internet requests, so I can ping both routers.

  This is the configuration of WAG54GP2:

  VPN Passthrough
  IPSec PassThrough: activate
  Intercommunication PPPoE: activate
  PPTP PassThrough: enable
  L2TP PassThrough: enable

  IPSec VPN tunnel
  Select the Tunnel: 1
  VPN IPSec tunnel: enabled
  Tunnel name: Office

  Local security group:
  Subnet
  IP: 192.168.1.0
  Mask: 255.255.255.0

  Local security gateway: PVC 1 (ppp0)

  Remote secure group:
  IP: 192.168.3.0
  Mask: 255.255.255.0

  Remote security gateway:
  IP Addr.
  The remote router's public IP address IP address: w.x.y.z.
  Encryption: THE (I also tried 3DES and disabled)
  Authentication: SHA

  Key management:
  Auto. (IKE)
  PFS: enabled
  Pre-shared Key: the password I chose
  Life key: 3600 Sec.

  Advanced settings

  Phase 1
  Mode of operation: main mode (I also tried aggressive mode)

  Proposal1
  Encryption: A
  Authentication: SHA
  Group: 768 bits
  Life key: 3600 sec.

  Proposition2
  Encryption: ESP_NULL
  Authentication: SHA
  Group: 768 bits
  Life key: 3600 sec.

  Another parameter
  NAT traversal not verified
  NetBIOS broadcast Checked
  Anti-reponse not checked
  Keep-Alive not verified
  If IKE 5 times failedmore
  Not checked

  This is the AG241 configuration:

  VPN Passthrough
  IPSec PassThrough: activate
  Intercommunication PPPoE: activate
  PPTP PassThrough: enable
  L2TP PassThrough: enable

  IPSec VPN tunnel
  Select the Tunnel: 1
  VPN IPSec tunnel: enabled
  Name of the tunnel: user 1

  Local security group:
  Subnet
  IP: 192.168.3.0
  Mask: 255.255.255.0

  Local security gateway: PVC 1 (ppp0)

  Remote secure group:
  IP: 192.168.1.0
  Mask: 255.255.255.0

  Remote security gateway:
  Any

  Key management:
  Auto. (IKE)
  PFS: enabled
  Pre-shared Key: the same password I put on the WAG54GP2
  Life key: 3600 Sec.

  Advanced settings

  Phase 1
  Mode of operation: main mode (I also tried aggressive mode)

  Proposal1
  Encryption: A
  Authentication: SHA
  Group: 768 bits
  Life key: 3600 sec.

  Proposition2
  Encryption: A
  Authentication: SHA
  Group: 768 bits
  Life key: 3600 sec.

  Another parameter
  NAT traversal not verified
  NetBIOS broadcast Checked
  Anti-reponse not checked
  Keep-Alive not verified
  If IKE 5 times failedmore
  Not checked

  When I click on Connect the WAG54GP2 router, do not access and in the newspapers, I see:

  2009 07-30 T 16: 16:10 + 01:00 IKE ["Board"] Tx > MM_I1: SA w.x.y.z.

  2009 07-30 T 16: 16:20 + 01:00 IKE ["Board"] ERROR: message w.x.y.z. port 500: connection refused

  If I use the dynamic FQDN instead of the dynamic IP (w.x.y.z.) change of message for:

  2009 07-30 T 16: 46:16 + 01:00 IKE ["Board"] ERROR: problem of remote domain name Security Gateway!

  Is there someone who could help me build this tunnel?

  A big thank you to everyone who will help me!

  Cinghiuz

  If you are Encountering difficulties connecting to the VPN Tunnel using a router ADSL modem you should see this

  Also, make sure that you have the latest firmware installed on your entry door and change the MTU setting...