IPsec VPN cannot remove peer
HY there
I have configured an IPsec tunnel, but I have an error to connect.
This is my setup and the error I have is
| 4 | January 9, 2013 | 00:53:00 | 713903 | Group = CON_trabajadores, IP = 81.43.96.53, error: cannot delete PeerTblEntry |
| 4 January 9, 2013 | 00:53:06 | 713902 | Group = CON_trabajadores, IP = 81.43.96.53, Removing peer to peer table does not, no match! |
access-list split_tunel_CON_trabajadores note conexionIPsec
standard access list split_tunel_CON_trabajadores allow 192.168.54.0 255.255.255.0
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto outside_map 1 match address outside_1_cryptomap
peer set card crypto outside_map 1 201.238.197.253
map outside_map 1 set of transformation-ESP-DES-MD5 crypto
outside_map card crypto 1 set nat-t-disable
card crypto outside_map 2 match address outside_2_cryptomap
peer set card crypto outside_map 2 190.41.143.165
card outside_map 2 game of transformation-ESP-DES-MD5 crypto
outside_map card crypto 2 set nat-t-disable
card crypto outside_map 3 match address outside_3_cryptomap
peer set card crypto outside_map 3 200.59.12.152
card crypto outside_map 3 game of transformation-ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
the Encryption
md5 hash
Group 1
life 86400
IP pool local AccesoRemoto
internal CON_trabajadores group strategy
attributes of Group Policy CON_trabajadores
value of DNS SERVER DNS server
Protocol-tunnel-VPN IPSec
split tunnel - policy tunnelspecified
value of Split-tunnel-network-list split_tunnel_CON_trabajadores
value of Split-dns SERVER DNS
address-pools value AccesoRemoto
type tunnel-group CON_trabajadores remote access
attributes global-tunnel-group CON_trabajadores
address pool AccesoRemoto
Server Group of NPS authentication (with Ray pointing to an ad)
Group Policy - by default-CON_trabajadores
IPSec-attributes tunnel-group CON_trabajadores
pre-shared key *.
Disable ISAKMP keepalive
attributes of Group Policy CON_trabajadores
value of group-lock CON_trabajadores
The configuration of your ASA for IKE must match with one of the Proposals of IKE of the Cisco VPN Client. Depending on your config above, you use THE then MD5 to match IKE for the VPN Client proposal, you need to use Group 2 Diffie-Hellman. (click on the link for the valid combination of proposals of the IKE Client VPN)
Tags: Cisco Security
Similar Questions
-
Peer AnyConnect VPN cannot ping, RDP each other
I have an ASA5505 running ASA 8.3 (1) and ASDM 7.1 (1). I have a remote access VPN set up and remote access users are able to connect and access to network resources. I can ping the VPN peers between the Remote LAN. My problem counterparts VPN cannot ping (RDP, CDR) between them. Ping a VPN peer of reveals another the following error in the log of the SAA.
Asymmetrical NAT rules matched for flows forward and backward; Connection for icmp outside CBC: 10.10.10.8 outside dst: 10.10.10.9 (type 8, code 0) rejected due to the failure of reverse NAT.
Here's my ASA running-config:
ASA Version 8.3 (1)
!
ciscoasa hostname
domain dental.local
activate 9ddwXcOYB3k84G8Q encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
clock timezone CST - 6
clock to summer time recurring CDT
DNS lookup field inside
DNS server-group DefaultDNS
192.168.1.128 server name
domain dental.local
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
network of the RAVPN object
10.10.10.0 subnet 255.255.255.0
network of the NETWORK_OBJ_10.10.10.0_28 object
subnet 10.10.10.0 255.255.255.240
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
access-list Local_LAN_Access note VPN Customer local LAN access
Local_LAN_Access list standard access allowed host 0.0.0.0
DefaultRAGroup_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0
Note VpnPeers access list allow peer vpn ping on the other
permit access list extended ip object NETWORK_OBJ_10.10.10.0_28 object NETWORK_OBJ_10.10.10.0_28 VpnPeers
pager lines 24
Enable logging
asdm of logging of information
logging of information letter
address record [email protected] / * /
exploitation forest-address recipient [email protected] / * / level of information
record level of 1 600 6 rate-limit
Outside 1500 MTU
Within 1500 MTU
mask 10.10.10.5 - 10.10.10.10 255.255.255.0 IP local pool VPNPool
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 711.bin
don't allow no asdm history
ARP timeout 14400
NAT (inside, all) static source all electricity static destination RAVPN RAVPN
NAT (inside, outside) static static source NETWORK_OBJ_10.10.10.0_28 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_10.10.10.0_28
NAT (inside, outside) static source all all NETWORK_OBJ_10.10.10.0_28 of NETWORK_OBJ_10.10.10.0_28 static destination
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
network of the RAVPN object
dynamic NAT (all, outside) interface
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Community SNMP-server
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transit
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP ESP-AES-128-SHA ESP - AES - 192 - SHA ESP - AES - 256 - SHA ESP - 3DES - SHA - OF - SHA ESP - AES - 128 - SHA - TRANS ESP - AES - 192 - SHA - TRANS ESP - AES - 256 - SHA - ESP ESP - 3DES - SHA - TRANS TRANS-DES - SHA - TRANS
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
trustpoint crypto ca-CA-SERVER ROOM
LOCAL-CA-SERVER key pair
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint0
registration auto
name of the object CN = ciscoasa
billvpnkey key pair
Proxy-loc-transmitter
Configure CRL
crypto ca server
CDP - url http://ciscoasa/+CSCOCA+/asa_ca.crl
name of the issuer CN = ciscoasa
SMTP address [email protected] / * /
crypto certificate chain ca-CA-SERVER ROOM
certificate ca 01
* hidden *.
quit smoking
string encryption ca ASDM_TrustPoint0 certificates
certificate 10bdec50
* hidden *.
quit smoking
crypto ISAKMP allow outside
crypto ISAKMP policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
enable client-implementation to date
Telnet 192.168.1.1 255.255.255.255 inside
Telnet timeout 5
SSH timeout 5
Console timeout 0
management-access inside
dhcpd outside auto_config
!
dhcpd address 192.168.1.50 - 192.168.1.99 inside
dhcpd allow inside
!
a basic threat threat detection
threat detection statistics
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
SSL-trust outside ASDM_TrustPoint0 point
WebVPN
allow outside
SVC disk0:/anyconnect-win-3.1.04072-k9.pkg 1 image
SVC profiles DellStudioClientProfile disk0: / dellstudioclientprofile.xml
enable SVC
tunnel-group-list activate
internal-password enable
chip-tunnel list SmartTunnelList RDP mstsc.exe windows platform
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
Server DNS 192.168.1.128 value
Protocol-tunnel-VPN l2tp ipsec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list DefaultRAGroup_splitTunnelAcl
Dental.local value by default-field
WebVPN
SVC value vpngina modules
internal DefaultRAGroup_1 group strategy
attributes of Group Policy DefaultRAGroup_1
Server DNS 192.168.1.128 value
Protocol-tunnel-VPN l2tp ipsec
Dental.local value by default-field
attributes of Group Policy DfltGrpPolicy
Server DNS 192.168.1.128 value
VPN - 4 concurrent connections
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
value of group-lock RAVPN
value of Split-tunnel-network-list Local_LAN_Access
Dental.local value by default-field
WebVPN
the value of the URL - list DentalMarks
SVC value vpngina modules
SVC value dellstudio type user profiles
SVC request to enable default webvpn
chip-tunnel enable SmartTunnelList
wketchel1 5c5OoeNtCiX6lGih encrypted password username
username wketchel1 attributes
VPN-group-policy DfltGrpPolicy
WebVPN
SVC value DellStudioClientProfile type user profiles
username privilege 15 encrypted password 5c5OoeNtCiX6lGih wketchel
username wketchel attributes
VPN-group-policy DfltGrpPolicy
WebVPN
modules of SVC no
SVC value DellStudioClientProfile type user profiles
jenniferk 5.TcqIFN/4yw0Vq1 of encrypted password privilege 0 username
jenniferk username attributes
VPN-group-policy DfltGrpPolicy
WebVPN
SVC value DellStudioClientProfile type user profiles
attributes global-tunnel-group DefaultRAGroup
address pool VPNPool
LOCAL authority-server-group
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared key *.
tunnel-group DefaultRAGroup ppp-attributes
PAP Authentication
ms-chap-v2 authentication
eap-proxy authentication
type tunnel-group RAVPN remote access
attributes global-tunnel-group RAVPN
address pool VPNPool
LOCAL authority-server-group
tunnel-group RAVPN webvpn-attributes
enable RAVPN group-alias
IPSec-attributes tunnel-group RAVPN
pre-shared key *.
tunnel-group RAVPN ppp-attributes
PAP Authentication
ms-chap-v2 authentication
eap-proxy authentication
type tunnel-group WebSSLVPN remote access
tunnel-group WebSSLVPN webvpn-attributes
enable WebSSLVPN group-alias
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
173.194.64.108 SMTP server
context of prompt hostname
HPM topN enable
Cryptochecksum:3304bf6dcf6af5804a21e9024da3a6f8
: end
Hello
Seems to me that you can clean the current NAT configuration a bit and make it a little clearer.
I suggest the following changes
network of the VPN-POOL object
10.10.10.0 subnet 255.255.255.0
the object of the LAN network
subnet 192.168.1.0 255.255.255.0
PAT-SOURCE network object-group
object-network 192.168.1.0 255.255.255.0
object-network 10.10.10.0 255.255.255.0
NAT static destination LAN LAN (indoor, outdoor) static source VPN-VPN-POOL
destination VPN VPN-POOL POOL static NAT (outside, outside) 1 static source VPN-VPN-POOL
NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source
The above should allow
- Dynamic PAT for LAN and VPN users
- NAT0 for traffic between the VPN and LAN
- NAT0 for traffic between the VPN users
You can then delete the previous NAT configurations. Naturally, please save the configuration before you make the change, if you want to revert to the original configuration.
no static source nat (inside, everything) all electricity static destination RAVPN RAVPN
No source (indoor, outdoor) nat static static NETWORK_OBJ_10.10.10.0_28 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_10.10.10.0_28
No source (indoor, outdoor) nat static everything all NETWORK_OBJ_10.10.10.0_28 of NETWORK_OBJ_10.10.10.0_28 static destination
No network obj_any object
No network object RAVPN
In case you do not want to change the settings a lot you might be right by adding this
network of the VPN-POOL object
10.10.10.0 subnet 255.255.255.0
destination VPN VPN-POOL POOL static NAT (outside, outside) 1 static source VPN-VPN-POOL
But the other above configurations changes would make NAT configurations currently simpler and clearer to see every goal of "nat" configurations.
-Jouni
-
ASA 5505 IPSEC VPN connected but cannot access the local network
ASA: 8.2.5
ASDM: 6.4.5
LAN: 10.1.0.0/22
Pool VPN: 172.16.10.0/24
Hi, we purcahsed a new ASA 5505 and try to configure IPSEC VPN via ASDM; I simply run the wizards, installation vpnpool, split tunnelling, etc.
I can connect to the ASA using the cisco VPN client and internet works fine on the local PC, but it can not access the local network (can not impossible. ping remote desktop). I tried the same thing on our Production ASA(those have both Remote VPN and Site-to-site VPN working), the new profile, I created worked very well.
Here is my setup, wrong set up anything?
ASA Version 8.2 (5)
!
hostname asatest
domain XXX.com
activate 8Fw1QFqthX2n4uD3 encrypted password
g9NiG6oUPjkYrHNt encrypted passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 10.1.1.253 255.255.252.0
!
interface Vlan2
nameif outside
security-level 0
address IP XXX.XXX.XXX.XXX 255.255.255.240
!
passive FTP mode
clock timezone PST - 8
clock summer-time recurring PDT
DNS server-group DefaultDNS
domain vff.com
vpntest_splitTunnelAcl list standard access allowed 10.1.0.0 255.255.252.0
access extensive list ip 10.1.0.0 inside_nat0_outbound allow 255.255.252.0 172.16.10.0 255.255.255.0
pager lines 24
Enable logging
timestamp of the record
logging trap warnings
asdm of logging of information
logging - the id of the device hostname
host of logging inside the 10.1.1.230
Within 1500 MTU
Outside 1500 MTU
IP local pool 172.16.10.1 - 172.16.10.254 mask 255.255.255.0 vpnpool
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
Route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
AAA-server protocol nt AD
AAA-server host 10.1.1.108 AD (inside)
NT-auth-domain controller 10.1.1.108
Enable http server
http 10.1.0.0 255.255.252.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 10.1.0.0 255.255.252.0 inside
SSH timeout 20
Console timeout 0
dhcpd outside auto_config
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal group vpntest strategy
Group vpntest policy attributes
value of 10.1.1.108 WINS server
Server DNS 10.1.1.108 value
Protocol-tunnel-VPN IPSec l2tp ipsec
disable the password-storage
disable the IP-comp
Re-xauth disable
disable the PFS
IPSec-udp disable
IPSec-udp-port 10000
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list vpntest_splitTunnelAcl
value by default-domain XXX.com
disable the split-tunnel-all dns
Dungeon-client-config backup servers
the address value vpnpool pools
admin WeiepwREwT66BhE9 encrypted privilege 15 password username
username user5 encrypted password privilege 5 yIWniWfceAUz1sUb
the encrypted password privilege 3 umNHhJnO7McrLxNQ util_3 username
tunnel-group vpntest type remote access
tunnel-group vpntest General attributes
address vpnpool pool
authentication-server-group AD
authentication-server-group (inside) AD
Group Policy - by default-vpntest
band-Kingdom
vpntest group tunnel ipsec-attributes
pre-shared-key BEKey123456
NOCHECK Peer-id-validate
!
!
privilege level 3 mode exec cmd command perfmon
privilege level 3 mode exec cmd ping command
mode privileged exec command cmd level 3
logging of the privilege level 3 mode exec cmd commands
privilege level 3 exec command failover mode cmd
privilege level 3 mode exec command packet cmd - draw
privilege show import at the level 5 exec mode command
privilege level 5 see fashion exec running-config command
order of privilege show level 3 exec mode reload
privilege level 3 exec mode control fashion show
privilege see the level 3 exec firewall command mode
privilege see the level 3 exec mode command ASP.
processor mode privileged exec command to see the level 3
privilege command shell see the level 3 exec mode
privilege show level 3 exec command clock mode
privilege exec mode level 3 dns-hosts command show
privilege see the level 3 exec command access-list mode
logging of orders privilege see the level 3 exec mode
privilege, level 3 see the exec command mode vlan
privilege show level 3 exec command ip mode
privilege, level 3 see fashion exec command ipv6
privilege, level 3 see the exec command failover mode
privilege, level 3 see fashion exec command asdm
exec mode privilege see the level 3 command arp
command routing privilege see the level 3 exec mode
privilege, level 3 see fashion exec command ospf
privilege, level 3 see the exec command in aaa-server mode
AAA mode privileged exec command to see the level 3
privilege, level 3 see fashion exec command eigrp
privilege see the level 3 exec mode command crypto
privilege, level 3 see fashion exec command vpn-sessiondb
privilege level 3 exec mode command ssh show
privilege, level 3 see fashion exec command dhcpd
privilege, level 3 see the vpnclient command exec mode
privilege, level 3 see fashion exec command vpn
privilege level see the 3 blocks from exec mode command
privilege, level 3 see fashion exec command wccp
privilege see the level 3 exec command mode dynamic filters
privilege, level 3 see the exec command in webvpn mode
privilege control module see the level 3 exec mode
privilege, level 3 see fashion exec command uauth
privilege see the level 3 exec command compression mode
level 3 for the show privilege mode configure the command interface
level 3 for the show privilege mode set clock command
level 3 for the show privilege mode configure the access-list command
level 3 for the show privilege mode set up the registration of the order
level 3 for the show privilege mode configure ip command
level 3 for the show privilege mode configure command failover
level 5 mode see the privilege set up command asdm
level 3 for the show privilege mode configure arp command
level 3 for the show privilege mode configure the command routing
level 3 for the show privilege mode configure aaa-order server
level mode 3 privilege see the command configure aaa
level 3 for the show privilege mode configure command crypto
level 3 for the show privilege mode configure ssh command
level 3 for the show privilege mode configure command dhcpd
level 5 mode see the privilege set privilege to command
privilege level clear 3 mode exec command dns host
logging of the privilege clear level 3 exec mode commands
clear level 3 arp command mode privileged exec
AAA-server of privilege clear level 3 exec mode command
privilege clear level 3 exec mode command crypto
privilege clear level 3 exec command mode dynamic filters
level 3 for the privilege cmd mode configure command failover
clear level 3 privilege mode set the logging of command
privilege mode clear level 3 Configure arp command
clear level 3 privilege mode configure command crypto
clear level 3 privilege mode configure aaa-order server
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4
: end
Captures we can see packets going from the pool to the internal LAN, but we do not reply back packages.
The routing must be such that for 172.16.10.0/24 packages should reach the inside interface of the ASA.
On client machines or your internal LAN switch, you need to add route for 172.16.10.0/24 pointing to the inside interface of the ASA.
-
"ITS creation failed" problem for IPSec VPN
An ASA 5100 is used to provide VPN access for my business. The configuration was made by a permeable man who has been missing for some time, and the configuration used to be OK until this morning. This morning, some users reported that their VPN would have fallen once got connected. I checked the ASA and ASDM, I see every time when user deletes, it IPSec tunnel is always action. Furthermore, I faked the problem and got the newspaper of errors such as:
1 11:14:45.898 12/06/07 Sev = WARNING/3 IKE/0xE3000065 could not find an IKE SA for 10.2.1.8. Abandoned KEY_REQ.
2 11:14:45.898 12/06/07 Sev = WARNING/2 IKE/0xE3000099 could not open the P2 generate a new key: error detected(Initiate:176)
3 11:14:45.898 12/06/07 Sev = WARNING/2 IKE/0xE3000099 cannot open the QM (IKE_MAIN:458)
On the side of the AS I did "debug crypto isakmp" and 'debug crypto ipsec' and I got the following errors:
iscoasa # ERROR IPSEC: expiration of the timer of the asynchronous operation, SPI: 0x114CA5B6, user: roeladmin, peer: 202.x.x.70, time: 2 seconds, ctm_ipsec_create_sa:856
IPSEC ERROR: Material outside ITS create command failed, SPI: 0x114CA5B6, error code: 0 x 17
IPSEC ERROR: Asynchronous Operation timeout expired, SPI: 0x61BE2022, user: roeladmin, peer: 202.x.x.70, time: 2 seconds, ctm_ipsec_create_sa:856
IPSEC ERROR: Cannot add a user auth, SPI input: 0x61BE2022, user: roeladmin, peer: 202.172.62.70
IPSEC ERROR: Cannot create an inbound SA SPI: 0x61BE2022 document
IPSEC ERROR: Unable to complete the command of IKE UPDATE
12 June at 14:25:13 [IKEv1]: Group = LANWORKS, Username = roeladmin, IP = 202.172.62.70, error QM WSF (P2 struct & 0 x 4699058, mess id 0xf37ec6f4).
12 June at 14:25:13 [IKEv1]: Group = LANWORKS, Username = roeladmin, IP = 202.172.62.70, peer table correlator Removing failed, no match!
IPSEC ERROR: Material Inbound ITS create command failed, SPI: 0x61BE2022, error code: 0 x 17
It shows that ITS creation has failed. But I can't find the problem with the configuration. Can someone help me on this? Thank you
Outgoing material ITS create command failed, SPI: 0x114CA5B6, error code: 0 x 17
It is a hardware problem, reset the firewall and it will work, I saw 4 times in different ASAs
Please hate the post if help.
-
IPSec VPN between Cisco and ScreenOS
Hello
I'm trying to set up a simple IPSec VPN between a Cisco 2911 router and a Juniper Netscreen ScreenOS (not exactly now the model) device. Initially the debbuging seems good (QM_IDLE), but the ISAKMP Security Association is deleted.
The guy managing the Juniper device send me an extract from his diary:
###########################################################################
2012-08-28 10:24:16 info 00536 IKE Phase 2 msg ID
System 9b 839579: negotiations failed.
2012-08-28 10:24:16 info system 00536 rejected a package of IKE loopback.11
of
: 500 to 217.150.152.45:500 with cookies
87960e39d074ca49 and 9302d26c7ce324a5
because there is no acceptable Phase
2 proposals...
It has defined the following phase 2 proposals:
IKE the value p2-proposal "G2_esp_aes256_sha_1800s" group2 esp aes256-sha-1, 1800 second
###########################################################################
And I use these:
###########################################################################
crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 2
!
ISAKMP crypto key
address 217.150.152.45 Crypto ipsec transform-set esp - aes esp - aes 256 esp-sha-hmac
card crypto ipsec vpn 2 isakmp
Description * VPN Anbindung nach PKI in Magdeburg *.
defined by peer 217.150.152.45
define security-association life seconds 1800
the value of the transform-set esp - aes
match address PKI-TRAFFIC
!
###########################################################################
Here is my Log:
#################################################################################################################
28 August 08:23:46.416: ISAKMP: (0): profile of THE request is (NULL)
28 August 08:23:46.416: ISAKMP: created a struct peer 217.150.152.45, peer port 500
28 August 08:23:46.416: ISAKMP: new position created post = 0x2A2D7150 peer_handle = 0x8000003A
28 August 08:23:46.416: ISAKMP: lock struct 0x2A2D7150, refcount 1 to peer isakmp_initiator
28 August 08:23:46.416: ISAKMP: 500 local port, remote port 500
28 August 08:23:46.416: ISAKMP: set new node 0 to QM_IDLE
28 August 08:23:46.416: ISAKMP: (0): insert his with his 31627E04 = success
28 August 08:23:46.416: ISAKMP: (0): cannot start aggressive mode, try the main mode.
28 August 08:23:46.416: ISAKMP: (0): pair found pre-shared key matching 217.150.152.45
28 August 08:23:46.416: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
28 August 08:23:46.416: ISAKMP: (0): built the seller-07 ID NAT - t
28 August 08:23:46.416: ISAKMP: (0): built of NAT - T of the seller-03 ID
28 August 08:23:46.416: ISAKMP: (0): built the seller-02 ID NAT - t
28 August 08:23:46.416: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
28 August 08:23:46.416: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1
28 August 08:23:46.416: ISAKMP: (0): Beginner Main Mode Exchange
28 August 08:23:46.416: ISAKMP: (0): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) MM_NO_STATE
28 August 08:23:46.416: ISAKMP: (0): sending a packet IPv4 IKE.
28 August 08:23:46.448: ISAKMP (0): received 217.150.152.45 packet dport 500 sport Global 500 (I) MM_NO_STATE
28 August 08:23:46.448: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
28 August 08:23:46.448: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2
28 August 08:23:46.448: ISAKMP: (0): treatment ITS payload. Message ID = 0
28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment
28 August 08:23:46.448: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 239
28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment
28 August 08:23:46.448: ISAKMP: (0): provider ID is DPD
28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment
28 August 08:23:46.448: ISAKMP: (0): IKE frag vendor processing id payload
28 August 08:23:46.448: ISAKMP: (0): IKE Fragmentation support not enabled
28 August 08:23:46.448: ISAKMP: (0): pair found pre-shared key matching 217.150.152.45
28 August 08:23:46.448: ISAKMP: (0): pre-shared key local found
28 August 08:23:46.448: ISAKMP: analysis of the profiles for xauth...
28 August 08:23:46.448: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1
28 August 08:23:46.448: ISAKMP: AES - CBC encryption
28 August 08:23:46.448: ISAKMP: SHA hash
28 August 08:23:46.448: ISAKMP: group by default 2
28 August 08:23:46.448: ISAKMP: pre-shared key auth
28 August 08:23:46.448: ISAKMP: keylength 256
28 August 08:23:46.448: ISAKMP: type of life in seconds
28 August 08:23:46.448: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80
28 August 08:23:46.448: ISAKMP: (0): atts are acceptable. Next payload is 0
28 August 08:23:46.448: ISAKMP: (0): Acceptable atts: real life: 0
28 August 08:23:46.448: ISAKMP: (0): Acceptable atts:life: 0
28 August 08:23:46.448: ISAKMP: (0): fill atts in his vpi_length:4
28 August 08:23:46.448: ISAKMP: (0): fill atts in his life_in_seconds:86400
28 August 08:23:46.448: ISAKMP: (0): return real life: 86400
28 August 08:23:46.448: ISAKMP: (0): timer life Started: 86400.
28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment
28 August 08:23:46.448: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 239
28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment
28 August 08:23:46.448: ISAKMP: (0): provider ID is DPD
28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment
28 August 08:23:46.448: ISAKMP: (0): IKE frag vendor processing id payload
28 August 08:23:46.448: ISAKMP: (0): IKE Fragmentation support not enabled
28 August 08:23:46.448: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
28 August 08:23:46.448: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2
28 August 08:23:46.448: ISAKMP: (0): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) MM_SA_SETUP
28 August 08:23:46.448: ISAKMP: (0): sending a packet IPv4 IKE.
28 August 08:23:46.452: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
28 August 08:23:46.452: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3
28 August 08:23:46.484: ISAKMP (0): received 217.150.152.45 packet dport 500 sport Global 500 (I) MM_SA_SETUP
28 August 08:23:46.484: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
28 August 08:23:46.484: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4
28 August 08:23:46.484: ISAKMP: (0): processing KE payload. Message ID = 0
28 August 08:23:46.508: ISAKMP: (0): processing NONCE payload. Message ID = 0
28 August 08:23:46.508: ISAKMP: (0): pair found pre-shared key matching 217.150.152.45
28 August 08:23:46.508: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
28 August 08:23:46.508: ISAKMP: (1049): former State = new State IKE_I_MM4 = IKE_I_MM4
28 August 08:23:46.508: ISAKMP: (1049): send initial contact
28 August 08:23:46.508: ISAKMP: (1049): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
28 August 08:23:46.508: ISAKMP (1049): payload ID
next payload: 8
type: 1
address: 92.67.80.237
Protocol: 17
Port: 500
Length: 12
28 August 08:23:46.508: ISAKMP: (1049): the total payload length: 12
28 August 08:23:46.508: ISAKMP: (1049): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) MM_KEY_EXCH
28 August 08:23:46.508: ISAKMP: (1049): sending a packet IPv4 IKE.
28 August 08:23:46.508: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
28 August 08:23:46.508: ISAKMP: (1049): former State = new State IKE_I_MM4 = IKE_I_MM5
28 August 08:23:46.540: ISAKMP (1049): received 217.150.152.45 packet dport 500 sport Global 500 (I) MM_KEY_EXCH
28 August 08:23:46.540: ISAKMP: (1049): payload ID for treatment. Message ID = 0
28 August 08:23:46.540: ISAKMP (1049): payload ID
next payload: 8
type: 1
address: 217.150.152.45
Protocol: 17
Port: 500
Length: 12
28 August 08:23:46.540: ISAKMP: (0): peer games * no * profiles
28 August 08:23:46.540: ISAKMP: (1049): HASH payload processing. Message ID = 0
28 August 08:23:46.540: ISAKMP: (1049): SA authentication status:
authenticated
28 August 08:23:46.540: ISAKMP: (1049): SA has been authenticated with 217.150.152.45
28 August 08:23:46.540: ISAKMP: try inserting a peer
/217.150.152.45/500/ and inserted 2A2D7150 successfully. 28 August 08:23:46.540: ISAKMP: (1049): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
28 August 08:23:46.540: ISAKMP: (1049): former State = new State IKE_I_MM5 = IKE_I_MM6
28 August 08:23:46.540: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
28 August 08:23:46.540: ISAKMP: (1049): former State = new State IKE_I_MM6 = IKE_I_MM6
28 August 08:23:46.540: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
28 August 08:23:46.540: ISAKMP: (1049): former State = new State IKE_I_MM6 = IKE_P1_COMPLETE
28 August 08:23:46.540: ISAKMP: (1049): start Quick Mode Exchange, M - ID of 1582159006
28 August 08:23:46.552: ISAKMP: (1049): initiator QM gets spi
28 August 08:23:46.552: ISAKMP: (1049): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) QM_IDLE
28 August 08:23:46.552: ISAKMP: (1049): sending a packet IPv4 IKE.
28 August 08:23:46.552: ISAKMP: (1049): entrance, node-1582159006 = IKE_MESG_INTERNAL, IKE_INIT_QM
28 August 08:23:46.552: ISAKMP: (1049): former State = new State IKE_QM_READY = IKE_QM_I_QM1
28 August 08:23:46.552: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
28 August 08:23:46.552: ISAKMP: (1049): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
28 August 08:23:46.584: ISAKMP (1049): received 217.150.152.45 packet dport 500 sport Global 500 (I) QM_IDLE
28 August 08:23:46.584: ISAKMP: node set-452721455 to QM_IDLE
28 August 08:23:46.584: ISAKMP: (1049): HASH payload processing. Message ID =-452721455
28 August 08:23:46.584: ISAKMP: (1049): treatment protocol NOTIFIER PROPOSAL_NOT_CHOSEN 1
SPI 0, message ID =-452721455, his 0x31627E04 =
28 August 08:23:46.584: ISAKMP: (1049): peer does not paranoid KeepAlive.
28 August 08:23:46.584: ISAKMP: (1049): remove the reason for HIS "fatal Recevied of information' State (I) QM_IDLE (post 217.150.152.45)
28 August 08:23:46.584: ISAKMP: (1049): node-452721455 error suppression FALSE reason 'informational (en) State 1.
28 August 08:23:46.584: ISAKMP: (1049): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
28 August 08:23:46.584: ISAKMP: (1049): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
28 August 08:23:46.584: ISAKMP: node set 494253780 to QM_IDLE
28 August 08:23:46.584: ISAKMP: (1049): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) QM_IDLE
28 August 08:23:46.584: ISAKMP: (1049): sending a packet IPv4 IKE.
28 August 08:23:46.584: ISAKMP: (1049): purge the node 494253780
28 August 08:23:46.584: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
28 August 08:23:46.584: ISAKMP: (1049): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA
28 August 08:23:46.584: ISAKMP: (1049): remove the reason for HIS "fatal Recevied of information' State (I) QM_IDLE (post 217.150.152.45)
Intertoys_Zentrale_Waddinxveen_01 #.
28 August 08:23:46.584: ISAKMP: Unlocking counterpart struct 0x2A2D7150 for isadb_mark_sa_deleted(), count 0
28 August 08:23:46.584: ISAKMP: delete peer node by peer_reap for 217.150.152.45: 2A2D7150
28 August 08:23:46.584: ISAKMP: (1049): node-1582159006 error suppression FALSE reason 'IKE deleted.
28 August 08:23:46.584: ISAKMP: (1049): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
28 August 08:23:46.584: ISAKMP: (1049): former State = new State IKE_DEST_SA = IKE_DEST_SA
#################################################################################################################
Is there something special that needs to be addressed when creating a VPN for Juniper devices?
Greetings
Thomas
The peer IPSec a PFS enabled, do the same in your crypto-map:
card crypto ipsec vpn 2 isakmp
PFS group2 Set
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni -
Hello
First I must admit that I am not very versed in Cisco equipment or in general IPSEC connections so my apologies if I'm doing something really good obviously stupid, but I checked through any kind of things that I could find on the internet on the configuration of IPSEC VPN.
The setup I have is an asa 5520 (o/s 8.2) firewall which, for now, is connected to a temporary connection beautiful style home broadband for testing purposes. The netopia router is configured to allow ipsec passthrough and redirect 62515 UDP, TCP 10000, 4500 UDP, UDP 500 ports in the asa 5520.
I'm trying to connein out of a laptop with disabled windows firewall and vpn cisco 5.0.02.0090 client version.
I ran several attempts through the ipsec configuration wizard options. most of the time that nothing comes in the newspaper to show that a connection was attempted, but there is a way I can set up product options the following on the firewall log:
4. Sep 24 2010 | 13: 54:29 | 713903 | Group = VPNtest9, IP = 86.44.x.x, error: cannot delete PeerTblEntry
5: Sep 24 2010 | 13: 54:29 | 713902 | Group = VPNtest9, IP = 86.44.x.x, drop table homologous counterpart does not, no match!
6. Sep 24 2010 | 13: 54:21 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF
3: Sep 24 2010 | 13: 54:21 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.
6. Sep 24 2010 | 13: 54:16 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF
3: Sep 24 2010 | 13: 54:16 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.
6. Sep 24 2010 | 13: 54:11 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF
3: Sep 24 2010 | 13: 54:11 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
6. Sep 24 2010 | 13: 54:06 | 302015 | 86.44.x.x | 51905 | 192.168.0.27 | 500 | Built UDP inbound connection 7487 for Internet:86.44.x.x/51905 (86.44.x.x/51905) at identity:192.168.0.27/500 (192.168.0.27/500)
and this, in the journal of customer:
Cisco Systems VPN Client Version 5.0.02.0090
Copyright (C) 1998-2007 Cisco Systems, Inc.. All rights reserved.
Customer type: Windows, Windows NT
Running: 5.1.2600 Service Pack 3
24 13:54:08.250 24/09/10 Sev = Info/4 CM / 0 x 63100002
Start the login process
25 13:54:08.265 24/09/10 Sev = Info/4 CM / 0 x 63100004
Establish a secure connection
26 13:54:08.265 24/09/10 Sev = Info/4 CM / 0 x 63100024
Attempt to connect with the server "213.94.x.x".
27 13:54:08.437 24/09/10 Sev = Info/6 IKE/0x6300003B
Attempts to establish a connection with 213.94.x.x.
28 13:54:08.437 24/09/10 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) at 213.94.x.x
29 13:54:08.484 24/09/10 Sev = Info/4 IPSEC / 0 x 63700008
IPSec driver started successfully
30 13:54:08.484 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
31 13:54:13.484 24/09/10 Sev = Info/4 IKE / 0 x 63000021
Retransmit the last package!
32 13:54:13.484 24/09/10 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x
33 13:54:18.484 24/09/10 Sev = Info/4 IKE / 0 x 63000021
Retransmit the last package!
34 13:54:18.484 24/09/10 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x
35 13:54:23.484 24/09/10 Sev = Info/4 IKE / 0 x 63000021
Retransmit the last package!
36 13:54:23.484 24/09/10 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x
37 13:54:28.484 24/09/10 Sev = Info/4 IKE / 0 x 63000017
Marking of IKE SA delete (I_Cookie = 36C50ACCE984B0B0 R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
38 13:54:28.984 24/09/10 Sev = Info/4 IKE/0x6300004B
IKE negotiation to throw HIS (I_Cookie = 36C50ACCE984B0B0 R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
39 13:54:28.984 24/09/10 Sev = Info/4 CM / 0 x 63100014
Could not establish the Phase 1 SA with the server '213.94.x.x' due to the 'DEL_REASON_PEER_NOT_RESPONDING '.
40 13:54:28.984 24/09/10 Sev = Info/5 CM / 0 x 63100025
Initializing CVPNDrv
41 13:54:28.984 24/09/10 Sev = Info/6 CM / 0 x 63100046
Set indicator established tunnel to register to 0.
42 13:54:28.984 24/09/10 Sev = Info/4 IKE / 0 x 63000001
Signal received IKE to complete the VPN connection
43 13:54:29.187 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
44 13:54:29.187 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
45 13:54:29.187 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
46 13:54:29.187 24/09/10 Sev = Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
I have connectivity full http from the internet to a machine inside the asa 5520 so I think that the static routing and NAT'ing should be ok, but I am pleased to provide you with all the details.
Can you see what I'm doing wrong?
Thank you
Sam
Pls add the following policy:
crypto ISAKMP policy 10
preshared authentication
the Encryption
md5 hash
Group 2
You can also run debug on the ASA:
debugging cry isa
debugging ipsec cry
and retrieve debug output after trying to connect.
-
IPSec vpn - no selected proposal
Hello:
I am facing a problem in the configuration of the ipsec vpn on my 7200 router. It's a site to customer topology as shown below.
The request from my pc, R2' isa crypto log:
R2 #debug crypto isakmp
Crypto ISAKMP debug is on
R2 #.
R2 #.
R2 #.
* 22:41:59.871 6 April: ISAKMP (0): received 66.66.66.52 packet dport 500 sport 500 SA NEW Global (N)
* 22:41:59.879 6 April: ISAKMP: created a struct peer 66.66.66.52, peer port 500
* 22:41:59.879 6 April: ISAKMP: new created position = 0x67E98D84 peer_handle = 0 x 80000002
* 22:41:59.883 6 April: ISAKMP: lock struct 0x67E98D84, refcount 1 to peer crypto_isakmp_process_block
* 22:41:59.887 6 April: ISAKMP: 500 local port, remote port 500
* 22:41:59.891 6 April: ISAKMP: (0): insert his with his 67E5DCD8 = success
* 22:41:59.911 6 April: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 22:41:59.911 6 April: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM1* 6 April 22:41:59.931: ISAKMP: (0): treatment ITS payload. Message ID = 0
* 6 April 22:41:59.935: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.939: ISAKMP: (0): IKE frag vendor processing id payload
* 6 April 22:41:59.939: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.943: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
* 22:41:59.947 6 April: ISAKMP (0): provider ID is NAT - T RFC 3947
* 6 April 22:41:59.947: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.951: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
* 6 April 22:41:59.955: ISAKMP: (0): provider ID is NAT - T v2
* 6 April 22:41:59.959: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.959: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
* 6 April 22:41:59.963: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.967: ISAKM
R2 #P: (0): provider ID seems the unit/DPD but major incompatibility of 241
* 6 April 22:41:59.971: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.971: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 184
* 6 April 22:41:59.975: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.979: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 134
* 22:41:59.983 6 April: ISAKMP: (0): pair found pre-shared key matching 66.66.66.52
* 6 April 22:41:59.987: ISAKMP: (0): pre-shared key local found
* 22:41:59.987 6 April: ISAKMP: analysis of the profiles for xauth...
* 22:41:59.991 6 April: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 10
* 22:41:59.995 6 April: ISAKMP: AES - CBC encryption
* 22:41:59.995 6 April: ISAKMP: keylength 256
* 22:41:59.999 6 April: ISAKMP: SHA hash
* 22:41:59.999 6 April: ISAKMP: unknown group of DH 20
* 22:41:59.999 6 April: ISAKMP: pre-shared key auth
* 22:42:00.003 6 April: ISAKMP: type of life in seconds
* 22:42:00.003 6 April: ISAKMP:
R2 # life expectancy (IPV) 0 x 0 0 x 0 0 x 70 0x80
* 22:42:00.011 6 April: ISAKMP: (0): free encryption algorithm does not match policy.
* 22:42:00.011 6 April: ISAKMP: (0): atts are not acceptable. Next payload is 3
* 22:42:00.011 6 April: ISAKMP: (0): audit ISAKMP transform 2 against the policy of priority 10
* 22:42:00.011 6 April: ISAKMP: AES - CBC encryption
* 22:42:00.011 6 April: ISAKMP: keylength 128
* 22:42:00.011 6 April: ISAKMP: SHA hash
* 22:42:00.011 6 April: ISAKMP: Diffie-Hellman group unknown 19
* 22:42:00.011 6 April: ISAKMP: pre-shared key auth
* 22:42:00.011 6 April: ISAKMP: type of life in seconds
* 22:42:00.011 6 April: ISAKMP: life (IPV) 0 x 0 0 x 0 0 x 70 0x80
* 22:42:00.011 6 April: ISAKMP: (0): free encryption algorithm does not match policy.
* 22:42:00.011 6 April: ISAKMP: (0): atts are not acceptable. Next payload is 3
* 22:42:00.011 6 April: ISAKMP: (0): audit ISAKMP transform 3 against the policy of priority 10
R2 #r 6 22:42:00.011: ISAKMP: AES - CBC encryption
* 22:42:00.011 6 April: ISAKMP: keylength 256
* 22:42:00.011 6 April: ISAKMP: SHA hash
* 22:42:00.011 6 April: ISAKMP: Diffie-Hellman group 14 unknown
* 22:42:00.011 6 April: ISAKMP: pre-shared key auth
* 22:42:00.011 6 April: ISAKMP: type of life in seconds
* 22:42:00.011 6 April: ISAKMP: life (IPV) 0 x 0 0 x 0 0 x 70 0x80
* 22:42:00.011 6 April: ISAKMP: (0): free encryption algorithm does not match policy.
* 22:42:00.011 6 April: ISAKMP: (0): atts are not acceptable. Next payload is 3
* 22:42:00.011 6 April: ISAKMP: (0): audit ISAKMP transform 4 against the policy of priority 10
* 22:42:00.011 6 April: ISAKMP: 3DES-CBC encryption
* 22:42:00.011 6 April: ISAKMP: SHA hash
* 22:42:00.011 6 April: ISAKMP: Diffie-Hellman group 14 unknown
* 22:42:00.011 6 April: ISAKMP: pre-shared key auth
* 22:42:00.011 6 April: ISAKMP: type of life in seconds
* 22:42:00.011 6 April: ISAKMP: life (IPV) 0 x 0 0 x 0 0 x 70 0x80
* 22:42:00.011 6 April: ISAKMP: (0): offered hash algorithm is
R2 # does not match policy.
* 22:42:00.011 6 April: ISAKMP: (0): atts are not acceptable. Next payload is 3
* 22:42:00.011 6 April: ISAKMP: (0): audit ISAKMP transform against the policy of priority 10 5
* 22:42:00.011 6 April: ISAKMP: 3DES-CBC encryption
* 22:42:00.011 6 April: ISAKMP: SHA hash
* 22:42:00.011 6 April: ISAKMP: group by default 2
* 22:42:00.011 6 April: ISAKMP: pre-shared key auth
* 22:42:00.011 6 April: ISAKMP: type of life in seconds
* 22:42:00.015 6 April: ISAKMP: life (IPV) 0 x 0 0 x 0 0 x 70 0x80
* 22:42:00.019 6 April: ISAKMP: (0): offered hash algorithm does not match policy.
* 22:42:00.023 6 April: ISAKMP: (0): atts are not acceptable. Next payload is 0
* 22:42:00.023 6 April: ISAKMP: (0): no offer is accepted!
* 6 April 22:42:00.027: ISAKMP: (0): phase 1 SA policy is not acceptable! (local 180.180.0.130 remote 66.66.66.52)
* 22:42:00.027 6 April: ISAKMP (0): increment the count of errors on his, try 1 of 5: construct_fail_ag_init
* 6 April 22:42:00.027: ISAKMP: (0): has no
R2 #construct AG information message.
* 6 April 22:42:00.027: ISAKMP: (0): lot of 66.66.66.52 sending my_port 500 peer_port 500 (R) MM_NO_STATE
* 22:42:00.027 6 April: ISAKMP: (0): sending a packet IPv4 IKE.
* 22:42:00.031 6 April: ISAKMP: (0): the peer is not paranoid KeepAlive.* 22:42:00.035 6 April: ISAKMP: (0): removal of reason HIS State "Policy of ITS phase 1 not accepted" (R) MM_NO_STATE (post 66.66.66.52)
* 6 April 22:42:00.039: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): IKE frag vendor processing id payload
* 6 April 22:42:00.039: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
* 22:42:00.039 6 April: ISAKMP (0): provider ID is NAT - T RFC 3947
* 6 April 22:42:00.039: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
* 6 April 22:42:00.039: ISAKMP: (0): provider ID is NAT - T v2
* 6 April 22:42:00.039: ISAKMP: (0)
R2 #: load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
* 6 April 22:42:00.039: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 241
* 6 April 22:42:00.039: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 184
* 6 April 22:42:00.039: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 134
* 22:42:00.039 6 April: ISAKMP (0): action of WSF returned the error: 2
* 22:42:00.039 6 April: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
* 22:42:00.039 6 April: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1* 22:42:00.059 6 April: ISAKMP: (0): removal of reason HIS State "Policy of ITS phase 1 not accepted" (R) MM_NO_STATE (post 66.66.66.52)
* 22:42:00.059 6 April: ISAKMP: unlock counterpart struct 0x67E98D84 for isadb_m
R2 #ark_sa_deleted (), count 0
* 22:42:00.067 6 April: ISAKMP: delete peer node by peer_reap for 66.66.66.52: 67E98D84
* 22:42:00.071 6 April: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
* 22:42:00.075 6 April: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_DEST_SA* 22:42:00.087 6 April: ISAKMP: (0): removal of HIS right State 'No reason' (R) MM_NO_STATE (post 66.66.66.52)
* 22:42:00.087 6 April: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
* 22:42:00.087 6 April: ISAKMP: (0): former State = new State IKE_DEST_SA = IKE_DEST_SA* 22:42:00.895 6 April: ISAKMP (0): received 66.66.66.52 packet 500 Global 500 (R) sport dport MM_NO_STATE
* 22:42:02.911 6 April: ISAKMP (0): received 66.66.66.52 packet 500 Global 500 (R) sport dport MM_NO_STATE
R2 #.
* 22:43:00.087 6 April: ISAKMP: (0): serving SA., his is 67E5DCD8, delme is 67E5DCD8
R2 #.And when I capture on my pc, I got:
I don't know why, waiting for you helps nicely, thank you very much!
I think that what is wrong is your combination of your group of encryption, hashing and dh, try changing your sha instead of md5 hash table.
-
On ASA 5505 VPN cannot access remote (LAN)
I have an ASA 5505 upward and running, all static NAT statements I need to forward ports to the internal services such as smtp, desktop remotely and it works very well, however I have set up an IPSEC vpn connection that authenticates to our DC and part works. However, after I connect and cannot ping anything on the local network or access services. I don't know what a NAT statement I have corrected. Here is the config. I really need to get this up and going tomorrow. Thanks for any help.
Tyler
Just remove the line of nat (outside) and ACL outside_nat0_outbound.
And talk about these statements:
IPSec-1 sysopt connection permit... (If it is disabled, you can check with sh run sysopt).
2, crypto isakmp nat traversal 10 or 20
3 no NAT ACL, mention your local subnets as the source and vpn client as the destination.
4, create the other ACL (ST) with different name and source and destination like no nat ACL.
5, then type nat (inside) 0 access-list sheep
6, in the dwgavpn group policy, talk to splittunnel tunnelspecified and mention the tunnel split ACL (ST).
Concerning
-
Hi dude, I want to address this topic to understand ipsec VPN throughput.
I have 1 router 1921 and 1 ASA 5510 behind the router. I want to set up remote access on ASA firewall by traffic shaping router forwards (port UDP 500 and UDP 4500 port). I have 1 public IP address and I already configure NAT on the router. In fact, I heard that IPsec cannot pass through the NAT. So if I want to configure VPN on SAA, it is possible to do? All the guys comment on and propose your idea to me. Thanks for your reply.Hello
When you say, you have a public IP address. Is this address IP is assigned to the interface of the router or not attributed distinct IP address.
If its not assigned public IP address, you can make static NAT with ASA outside the IP address to a public IP address on your router as below
{100.100.x.x}fa0/0<-(R1)->fa0/1{192.168.100.1}<------->{192.168.100.2}eth0/0(ASA)eth0/1{172.16.01}
IP nat inside source 192.168.100.2 static 100.100.x.x
This way you have full IP to IP NAT.
If you got the only IP address that is assigned to the interface of the router then you will need to nat as port said
For VPN gateways running versions of the Cisco IOS software prior to version 12.2 (13) T, the functionality of IPSec passthrough is required on the router that runs PAT to enable payload ESP (Encapsulating Security) through.
Note: This feature is called IPSec through NAT (NAT) network support Advisory software (registered only customers).
In order to initiate the tunnel of the local counterpart (PATed), no configuration is necessary. In order to initiate the tunnel of the remote peer, these commands are needed:
IP nat inside source static esp inside_ip interface, interface
IP nat inside source udp static inside_ip 500 interface interface 500
For VPN gateways that run a version of the Cisco IOS software later than 12.2 (13) T, IPSec traffic is encapsulated in data protocol packets UDP (User) port 4500. This feature is called IPSec NAT transparency . In order to initiate the tunnel of the local counterpart (PATed), no configuration is necessary.
In order to initiate the tunnel of the remote peer, these commands are needed:
IP nat inside source udp static inside_ip 4500 4500 interface interface
IP nat inside source udp static inside_ip 500 interface interface 500
HTH
Sandy
-
UC500 and IPsec VPN client - disconnects
Just throw a question out there.
I have a UC560 running uc500-advipservicesk9 - mz.151 - 2.T2 site HQ. Remote users, about 8 of them, attempt to connect via IPsec VPN (v5.0.07.0440) HQ clients to access files, etc.. The behavior I see is 5 users to connect successfully, but only 5. As soon as more users trying to connect, they have either:- connect with success for a minutes, then unmold
- get a 412, remote peer is not responding
- connect, but someone of another session kickoff.
Users use the same VPN profile, but with names of single user and passwords.
Here are some of the CPU configs for VPN clients
Configuration group customer crypto isakmp USER01
key *.
DNS 192.168.0.110
pool USER01_POOL
ACL USER01_ACLlocal RAUTHEN AAA authentication login
permission of AAA local RAUTHOR network authenticated by FISCrypto isakmp USER01_PROF profile
match of group identity USER01
list of authentication of client RAUTHEN
RAUTHOR of ISAKMP authorization list.
client configuration address respondcrypto ISAKMP policy 1
BA 3des
md5 hash
preshared authentication
Group 2
crypto ISAKMP policy 10
BA aes
preshared authentication
Group 2
lifetime 28800
crypto ISAKMP policy 100
BA aes
preshared authentication
Group 2
life 3600
crypto ISAKMP policy 1000
BA 3des
preshared authentication
Group 2I enabled debugging
Debug crypto ISAKMP
Debug crypto ipsecHere are some of the things that I see on him debugs
604899: 16:41:13.333 Aug 21: ISAKMP: (2073): HASH payload processing. Message ID = 284724149
604900: 16:41:13.333 Aug 21: ISAKMP: (2073): treatment protocol NOTIFY DPD/R_U_THERE 1
0, message ID SPI = 284724149, a = 0x8E7C6E68
604901: 16:41:13.333 Aug 21: ISAKMP: (2073): error suppression node 284724149 FALSE reason 'informational (en) State 1.
604902: 16:41:13.333 Aug 21: ISAKMP: (2073): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
604903: 16:41:13.333 Aug 21: ISAKMP: (2073): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE581504: 16:59:12.805 Aug 20: ISAKMP: (2147): purge the node-1455244451
581505: 16:59:12.805 Aug 20: ISAKMP: (2147): purge the node 840814618
581506: 16:59:13.933 Aug 20: ISAKMP (2147): received 201.195.231.162 packet dport 4500 sport 37897 Global (R) QM_IDLE
581507: 16:59:13.933 Aug 20: ISAKMP: node set 801982813 to QM_IDLE
581508: 20 August 16:59:13.933: ISAKMP: (2147): HASH payload processing. Message ID = 801982813
581509: 16:59:13.933 Aug 20: ISAKMP: receives the payload type 18
581510: 16:59:13.933 Aug 20: ISAKMP: (2147): treatment remove with load useful reason
581511: 16:59:13.933 Aug 20: ISAKMP: (2147): remove the doi = 0
581512: 16:59:13.933 Aug 20: ISAKMP: (2147): remove Protocol id = 1
581513: 16:59:13.933 Aug 20: ISAKMP: (2147): remove spi_size = 16
581514: 16:59:13.933 Aug 20: ISAKMP: (2147): remove the spis num = 1
581515: 16:59:13.933 Aug 20: ISAKMP: (2147): delete_reason = 2
581516: 20 August 16:59:13.933: ISAKMP: (2147): load DELETE_WITH_REASON, processing of message ID = 801982813, reason: DELETE_BY_USER_COMMAND
581517: 16:59:13.933 Aug 20: ISAKMP: (2147): peer does not paranoid KeepAlive.581518: 16:59:13.933 Aug 20: ISAKMP: (2147): peer does not paranoid KeepAlive.
581519: 16:59:13.933 Aug 20: ISAKMP: (2147): removal of State of SA reason 'Order BY user' (R) QM_IDLE (post 201.195.231.162)
581520: 16:59:13.933 Aug 20: ISAKMP: (2147): error suppression node 801982813 FALSE reason 'informational (en) State 1.
581521: 16:59:13.933 Aug 20: ISAKMP: node set-878597687 to QM_IDLE
581522: 20 August 16:59:13.937: ISAKMP: (2147): lot of 201.195.231.162 sending peer_port my_port 4500 37897 (R) QM_IDLE
581523: 16:59:13.937 Aug 20: ISAKMP: (2147): sending a packet IPv4 IKE.
581524: 16:59:13.937 Aug 20: ISAKMP: (2147): purge the node-878597687
581525: 16:59:13.937 Aug 20: ISAKMP: (2147): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
581526: 16:59:13.937 Aug 20: ISAKMP: (2147): former State = new State IKE_P1_COMPLETE = IKE_DEST_SAI opened a case with TAC on this and they do not understand what is the cause. For them, it looks like a bug without papers. And their recommendation is to reboot, upgrade or try configuring L2TP for remote users.
Thank you
JP
JP,
An update of IOS is worth it, even if him debugs seems to indicate that there is a problem with the client. If possible, I always suggest test with another client to see if it is unique to the Cisco VPN Client on Win7. Regarding the limit of 20 tunnel, it is very probably the number of IPsec security associations. If you issue a 'show crypto eli', this example displays the number of Sessions that are currently active IPSec.
HTH,
Frank
-
Establish a IPsec VPN connection, but remote site can't ping main office
Hi, I set up connection from site to site IPsec VPN between cisco 892 (main site) router and linksys router wrv210 (remote site). My problem is that I can ping network router wrv210 lan of my main office where is cisco 892 router, but I cannot ping the main site of linksys wrv210 lan (my remote site).
My configuration on the cisco 892 router:
type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-1
game group-access 103
type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-3
game group-access 106
type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-2
game group-access 105
type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-5
game group-access 108
type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-4
game group-access 107
type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-7
group-access 110 match
type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-6
game group-access 109
type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-9
game group-access 112
type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-8
game group-access 111
type of class-card inspect entire game SDM_AH
match the name of group-access SDM_AH
type of class-card inspect entire game SDM_ESP
match the name of group-access SDM_ESP
type of class-card inspect entire game SDM_VPN_TRAFFIC
match Protocol isakmp
match Protocol ipsec-msft
corresponds to the SDM_AH class-map
corresponds to the SDM_ESP class-map
type of class-card inspect the correspondence SDM_VPN_PT
game group-access 102
corresponds to the SDM_VPN_TRAFFIC class-map
type of class-card inspect entire game PAC-cls-insp-traffic
match Protocol cuseeme
dns protocol game
ftp protocol game
h323 Protocol game
https protocol game
match icmp Protocol
match the imap Protocol
pop3 Protocol game
netshow Protocol game
Protocol shell game
match Protocol realmedia
match rtsp Protocol
smtp Protocol game
sql-net Protocol game
streamworks Protocol game
tftp Protocol game
vdolive Protocol game
tcp protocol match
udp Protocol game
inspect the class-map match PAC-insp-traffic type
corresponds to the class-map PAC-cls-insp-traffic
type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-10
game group-access 113
type of class-card inspect all sdm-service-ccp-inspect-1 game
http protocol game
https protocol game
type of class-card inspect entire game PAC-cls-icmp-access
match icmp Protocol
tcp protocol match
udp Protocol game
type of class-card inspect correspondence ccp-invalid-src
game group-access 100
type of class-card inspect correspondence ccp-icmp-access
corresponds to the class-ccp-cls-icmp-access card
type of class-card inspect correspondence ccp-Protocol-http
match class-map sdm-service-ccp-inspect-1
!
!
type of policy-card inspect PCB-permits-icmpreply
class type inspect PCB-icmp-access
inspect
class class by default
Pass
type of policy-card inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
Pass
class type inspect sdm-cls-VPNOutsideToInside-3
Pass
class type inspect sdm-cls-VPNOutsideToInside-4
Pass
class type inspect sdm-cls-VPNOutsideToInside-5
Pass
class type inspect sdm-cls-VPNOutsideToInside-6
inspect
class type inspect sdm-cls-VPNOutsideToInside-7
Pass
class type inspect sdm-cls-VPNOutsideToInside-8
Pass
class type inspect sdm-cls-VPNOutsideToInside-9
inspect
class type inspect sdm-cls-VPNOutsideToInside-10
Pass
class class by default
drop
type of policy-map inspect PCB - inspect
class type inspect PCB-invalid-src
Drop newspaper
class type inspect PCB-Protocol-http
inspect
class type inspect PCB-insp-traffic
inspect
class class by default
drop
type of policy-card inspect PCB-enabled
class type inspect SDM_VPN_PT
Pass
class class by default
drop
!
security of the area outside the area
safety zone-to-zone
zone-pair security PAC-zp-self-out source destination outside zone auto
type of service-strategy inspect PCB-permits-icmpreply
zone-pair security PAC-zp-in-out source in the area of destination outside the area
type of service-strategy inspect PCB - inspect
source of PAC-zp-out-auto security area outside zone destination auto pair
type of service-strategy inspect PCB-enabled
sdm-zp-VPNOutsideToInside-1 zone-pair security source outside the area of destination in the area
type of service-strategy inspect sdm-pol-VPNOutsideToInside-1
!
!
crypto ISAKMP policy 1
BA 3des
md5 hash
preshared authentication
Group 2
lifetime 28800
ISAKMP crypto key address 83.xx.xx.50 xxxxxxxxxxx
!
!
Crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac
!
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description NY_NJ
the value of 83.xx.xx.50 peer
game of transformation-ESP-3DES
match address 101
!
!
!
!
!
interface BRI0
no ip address
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
encapsulation hdlc
Shutdown
Multidrop ISDN endpoint
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
FastEthernet6 interface
!
!
interface FastEthernet7
!
!
interface FastEthernet8
no ip address
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
automatic duplex
automatic speed
!
!
interface GigabitEthernet0
Description $ES_WAN$ $FW_OUTSIDE$
IP address 89.xx.xx.4 255.255.255.xx
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
NAT outside IP
IP virtual-reassembly
outside the area of security of Member's area
automatic duplex
automatic speed
map SDM_CMAP_1 crypto
!
!
interface Vlan1
Description $ETH - SW - LAUNCH INTF-INFO-FE 1 to $$$ $ES_LAN$ $FW_INSIDE$
IP 192.168.0.253 255.255.255.0
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
IP nat inside
IP virtual-reassembly
Security members in the box area
IP tcp adjust-mss 1452
!
!
IP forward-Protocol ND
IP http server
local IP http authentication
IP http secure server
IP http timeout policy slowed down 60 life 86400 request 10000
!
!
IP nat inside source overload map route SDM_RMAP_1 interface GigabitEthernet0
IP route 0.0.0.0 0.0.0.0 89.xx.xx.1
!
SDM_AH extended IP access list
Note the category CCP_ACL = 1
allow a whole ahp
SDM_ESP extended IP access list
Note the category CCP_ACL = 1
allow an esp
!
recording of debug trap
Note access-list 1 INSIDE_IF = Vlan1
Note category of access list 1 = 2 CCP_ACL
access-list 1 permit 192.168.0.0 0.0.0.255
Access-list 100 category CCP_ACL = 128 note
access-list 100 permit ip 255.255.255.255 host everything
access-list 100 permit ip 127.0.0.0 0.255.255.255 everything
access-list 100 permit ip 89.xx.xx.0 0.0.0.7 everything
Note access-list 101 category CCP_ACL = 4
Note access-list 101 IPSec rule
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
Note access-list 102 CCP_ACL category = 128
access-list 102 permit ip host 83.xx.xx.50 all
Note access-list 103 CCP_ACL category = 0
Note access-list 103 IPSec rule
access-list 103 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255
Note access-list 104 CCP_ACL category = 2
Note access-list 104 IPSec rule
access-list 104 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 104. allow ip 192.168.0.0 0.0.0.255 any
Note access-list 105 CCP_ACL category = 0
Note access-list 105 IPSec rule
access-list 105 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255
Note access-list 106 CCP_ACL category = 0
Note access-list 106 IPSec rule
access-list 106 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255
Note access-list 107 CCP_ACL category = 0
Note access-list 107 IPSec rule
access-list 107 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255
Note access-list 108 CCP_ACL category = 0
Note access-list 108 IPSec rule
access-list 108 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255
Note access-list 109 CCP_ACL category = 0
Note access-list 109 IPSec rule
access-list 109 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255
Note access-list 110 CCP_ACL category = 0
Note access-list 110 IPSec rule
access-list 110 permit ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255
Note access-list 111 CCP_ACL category = 0
Note access-list 111 IPSec rule
access-list 111 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255
Note access-list 112 CCP_ACL category = 0
Note access-list 112 IPSec rule
access-list 112 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255
Note access-list 113 CCP_ACL category = 0
Note access-list 113 IPSec rule
access-list 113 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255
not run cdp
!
!
!
!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 104
--------------------------------------------------------
I only give your router cisco 892 because there is nothnig much to change on linksys wrv210 router.
Hope someone can help me. See you soon
You can run a "ip inspect log drop-pkt" and see if get you any what FW-DROP session corresponding to the traffic you send Linksys to the main site. Zone based firewall could be blocking traffic initiated from outside to inside.
-
IPSec VPN with DynDNS host problems after change of address
Hi guys,.
I have a weird problem on an IOS router.
I need to implement IPSec VPN L2L.
Because of the security requirements of each site needed a clean pre-shared key. Sites dynamic IP and it's
why I use dyndns.
ISAKMP crypto key KEY hostname XXXXXXXXXXX.dyndns.org
CMAP_1 1 ipsec-isakmp crypto map
define peer dynamic XXXXXXXXX.dyndns.orgFirst of all, it works fine, but after the change of IP address it no longer works.
Debugging, I discovered that it resolves the new IP address but IPSec attempts to connect to the previous INVESTIGATION period.
I tried this on two other IOS, 15.0 and 12.4
This debugging output:
01:02:39.735 Mar 1: IPSEC: addr of Peer Link70 (70.1.1.3) is out of date, triggering DNS
* 01:02:39.735 Mar 1: IPSEC: Peer has the address 70.1.1.3 (DNS cache). New IP address
* 1 Mar 01:02:41.731: IPSEC (sa_request):,.
(Eng. msg key.) Local OUTGOING = 1.1.1.2, distance = 70.1.1.200, OLD IP
local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),
remote_proxy = 10.254.70.0/255.255.255.0/0/0 (type = 4),
Protocol = ESP, transform = esp-3des esp-sha-hmac (Tunnel),
lifedur = 240 s and KB 4608000,
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
* 1 Mar 01:02:41.739: ISAKMP: (0): profile of THE request is (NULL)
* 01:02:41.739 Mar 1: ISAKMP: created a struct peer 70.1.1.200, peer port 500
* 01:02:41.739 Mar 1: ISAKMP: new created position = 0x673FB268 peer_handle = 0 x 80000008
* 01:02:41.739 Mar 1: ISAKMP: lock struct 0x673FB268, refcount 1 to peer isakmp_initiator
* 01:02:41.743 Mar 1: ISAKMP: 500 local port, remote port 500
* 01:02:41.743 Mar 1: ISAKMP: set new node 0 to QM_IDLE
* 01:02:41.743 Mar 1: insert his with his 650AE400 = success
* 01:02:41.747 Mar 1: ISAKMP: (0): cannot start aggressive mode, try the main mode.
* 01:02:41.747 Mar 1: ISAKMP: (0): no pre-shared with 70.1.1.200! PROBLEM!
* 1 Mar 01:02:41.747: ISAKMP: (0): pre-shared key or Cert No. address. PROBLEM!
* 1 Mar 01:02:41.747: ISAKMP: (0): construct_initial_message: cannot start main mode
* 01:02:41.751 Mar 1: ISAKMP: Unlocking counterpart struct 0x673FB268 for isadb_unlock_peer_delete_sa(), count 0
* 01:02:41.751 Mar 1: ISAKMP: delete peer node by peer_reap for 70.1.1.200: 673FB268
* 01:02:41.751 Mar 1: ISAKMP: (0): serving SA., his is 650AE400, delme is 650AE400
* 01:02:41.755 Mar 1: ISAKMP: (0): purge the node-267512777
* 01:02:41.755 Mar 1: ISAKMP: error during the processing of HIS application: failed to initialize SA
* 01:02:41.755 Mar 1: ISAKMP: error while processing message KMI 0, error 2.
* 1 Mar 01:02:41.759: IPSEC (key_engine): had an event of the queue with 1 KMI messages...
Success rate is 0% (0/5)I'm building a lab to find a solution for this.
The other side is a VPN Linksys router, I tried with an IOS router on both sites also, but I got same results.
I tried with DPD, ISAKMP profiles don't... no help.
Hi Smailmilak83,
Configuration of a static encryption with a specific peer card creates a society of surveillance for the peer. Dns lookup he's now only the first time, he tries to connect, after which it's just going to be her generate a new key. If she would ideally use the value peer in the his and not the config or a dns lookup. So, it is wise to use a dynamic encryption card.
Please try to use a dynamic encryption instead of a static map. Although there are some limitations including crypto being initiated only at the other end, we can work around keeping the tunnel directly.
Hope that helps.
Sent by Cisco Support technique iPhone App
-Please note the solutions.
-
Coming out of the IPSec VPN connection behind Pix535 problem: narrowed down for NAT-Associates
Hello world
Previously, I've seen a similar thread and posted my troubles with the outbound VPN connections inside that thread:
https://supportforums.Cisco.com/message/3688980#3688980
I had the great help but unfortunatedly my problem is a little different and connection problem. Here, I summarize once again our configurations:
hostname pix535 8.0 (4)
all PC here use IP private such as 10.1.0.0/16 by dynamic NAT, we cannot initiate an OUTBOUND IPSec VPN (for example QuickVPN) at our offices, but the reverse (inbound) is very well (we have IPsec working long server /PP2P). I did a few tests of new yesterday which showed that if the PC a static NAT (mapped to a real public IP), outgoing connection VPN is fine; If the same PC has no static NAT (he hides behind the dynamic NAT firewall), outgoing VPN is a no-go (same IP to the same PC), so roughly, I have narrowed down our connection problem VPN is related to NAT, here are a few commands for NAT of our PIX:
interface GigabitEthernet0
Description to cable-modem
nameif outside
security-level 0
IP 70.169.X.X 255.255.255.0
OSPF cost 10
!
interface GigabitEthernet1
Description inside 10/16
nameif inside
security-level 100
IP 10.1.1.254 255.255.0.0
OSPF cost 10
!
!
interface Ethernet2
Vlan30 description
nameif dmz2
security-level 50
IP 30.30.30.30 255.255.255.0
OSPF cost 10
!
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface......
Global interface 10 (external)
Global (dmz2) interface 10
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 10 inside8 255.255.255.0
NAT (inside) 10 Vlan10 255.255.255.0
NAT (inside) 10 vlan50 255.255.255.0
NAT (inside) 10 192.168.0.0 255.255.255.0
NAT (inside) 10 192.168.1.0 255.255.255.0
NAT (inside) 10 192.168.10.0 255.255.255.0
NAT (inside) 10 pix-inside 255.255.0.0Crypto isakmp nat-traversal 3600
-------
Results of packet capture are listed here for the same PC for the same traffic to Server VPN brach, the main difference is UDP 4500 (PC with static NAT has good traffic UDP 4500, does not have the same PC with dynamic NAT):
#1: when the PC uses static NAT, it is good of outgoing VPN:
54 packets captured
1: 15:43:51.112054 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634 (0) win 64240
2: 15:43:54.143028 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634 (0) win 64240
3: 15:44:00.217273 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634 (0) win 64240
4: 15:44:01.724938 10.1.1.82.1609 > 76.196.10.57.60443: S 2904546955:2904546955 (0) win 64240
5: 15:44:01.784642 76.196.10.57.60443 > 10.1.1.82.1609: S 2323205974:2323205974 (0) ack 2904546956 win 5808
6: 15:44:01.784886 10.1.1.82.1609 > 76.196.10.57.60443:. ACK 2323205975 win 64240
7: 15:44:01.785527 10.1.1.82.1609 > 76.196.10.57.60443: P 2904546956:2904547080 (124) ack 2323205975 win 64240
8: 15:44:01.856462 76.196.10.57.60443 > 10.1.1.82.1609:. ACK 2904547080 win 5808
9: 15:44:01.899596 76.196.10.57.60443 > 10.1.1.82.1609: P 2323205975:2323206638 (663) ack 2904547080 win 5808
10: 15:44:02.056897 10.1.1.82.1609 > 76.196.10.57.60443:. ACK 2323206638 win 63577
11: 15:44:03.495030 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547080:2904547278 (198) ack 2323206638 win 63577
12: 15:44:03.667095 76.196.10.57.60443 > 10.1.1.82.1609:. ACK 2904547278 win 6432
13: 15:44:03.740592 76.196.10.57.60443 > 10.1.1.82.1609: P 2323206638:2323206697 (59) ack 2904547278 win 6432
14: 15:44:03.741264 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547278:2904547576 (298) ack 2323206697 win 63518
15: 15:44:03.814029 76.196.10.57.60443 > 10.1.1.82.1609:. ACK 2904547576 win 7504
16: 15:44:06.989008 76.196.10.57.60443 > 10.1.1.82.1609: P 2323206697:2323207075 (378) ack 2904547576 win 7504
17: 15:44:06.990228 76.196.10.57.60443 > 10.1.1.82.1609: 2323207075:2323207075 F (0) ack 2904547576 win 7504
18: 15:44:06.990564 10.1.1.82.1609 > 76.196.10.57.60443:. ACK 2323207076 win 63140
19: 15:44:06.990656 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547576:2904547613 (37) ack 2323207076 win 63140
20: 15:44:06.990854 10.1.1.82.1609 > 76.196.10.57.60443: 2904547613:2904547613 F (0) ack 2323207076 win 63140
21: 15:44:07.049359 76.196.10.57.60443 > 10.1.1.82.1609: R 2323207076:2323207076 (0) win 0
22: 15:44:17.055417 10.1.1.82.500 > 76.196.10.57.500: udp 276
23: 15:44:17.137657 76.196.10.57.500 > 10.1.1.82.500: udp 140
24: 15:44:17.161475 10.1.1.82.500 > 76.196.10.57.500: udp 224
25: 15:44:17.309066 76.196.10.57.500 > 10.1.1.82.500: udp 220
26: 15:44:17.478780 10.1.1.82.4500 > 76.196.10.57.4500: udp 80
27: 15:44:17.550356 76.196.10.57.4500 > 10.1.1.82.4500: 64 udp
28: 15:44:17.595214 10.1.1.82.4500 > 76.196.10.57.4500: udp 304
29: 15:44:17.753470 76.196.10.57.4500 > 10.1.1.82.4500: udp 304
30: 15:44:17.763037 10.1.1.82.4500 > 76.196.10.57.4500: udp 68
31: 15:44:17.763540 10.1.1.82.4500 > 76.196.10.57.4500: udp 56
32: 15:44:18.054516 10.1.1.82.4500 > 76.196.10.57.4500: udp 68
33: 15:44:18.124840 76.196.10.57.4500 > 10.1.1.82.4500: udp 68
34: 15:44:21.835390 10.1.1.82.4500 > 76.196.10.57.4500: udp 72
35: 15:44:21.850831 10.1.1.82.4500 > 76.196.10.57.4500: udp 80
36: 15:44:21.901183 76.196.10.57.4500 > 10.1.1.82.4500: udp 72
37: 15:44:22.063747 10.1.1.82.1610 > 76.196.10.57.60443: S 938188365:938188365 (0) win 64240
38: 15:44:22.104746 76.196.10.57.4500 > 10.1.1.82.4500: udp 80
39: 15:44:22.122277 76.196.10.57.60443 > 10.1.1.82.1610: S 1440820945:1440820945 (0) ack 938188366 win 5808
40: 15:44:22.122536 10.1.1.82.1610 > 76.196.10.57.60443:. ACK 1440820946 win 64240
41: 15:44:22.123269 10.1.1.82.1610 > 76.196.10.57.60443: P 938188366:938188490 (124) ack 1440820946 win 64240
42: 15:44:22.187108 76.196.10.57.60443 > 10.1.1.82.1610:. ACK 938188490 win 5808
43: 15:44:22.400675 76.196.10.57.60443 > 10.1.1.82.1610: P 1440820946:1440821609 (663) ack 938188490 win 5808
44: 15:44:22.474600 10.1.1.82.1610 > 76.196.10.57.60443: P 938188490:938188688 (198) ack 1440821609 win 63577
45: 15:44:22.533648 76.196.10.57.60443 > 10.1.1.82.1610:. ACK 938188688 win 6432
46: 15:44:22.742286 76.196.10.57.60443 > 10.1.1.82.1610: P 1440821609:1440821668 (59) ack 938188688 win 6432
47: 15:44:22.742927 10.1.1.82.1610 > 76.196.10.57.60443: P 938188688:938189002 (314) ack 1440821668 win 63518
48: 15:44:22.802570 76.196.10.57.60443 > 10.1.1.82.1610:. ACK 938189002 win 7504
49: 15:44:25.180486 76.196.10.57.60443 > 10.1.1.82.1610: P 1440821668:1440821934 (266) ack 938189002 win 7504
50: 15:44:25.181753 76.196.10.57.60443 > 10.1.1.82.1610: 1440821934:1440821934 F (0) ack 938189002 win 7504
51: 15:44:25.181997 10.1.1.82.1610 > 76.196.10.57.60443:. ACK 1440821935 win 63252
52: 15:44:25.182134 10.1.1.82.1610 > 76.196.10.57.60443: P 938189002:938189039 (37) ack 1440821935 win 63252
53: 15:44:25.182333 10.1.1.82.1610 > 76.196.10.57.60443: 938189039:938189039 F (0) ack 1440821935 win 63252
54: 15:44:25.241869 76.196.10.57.60443 > 10.1.1.82.1610: R 1440821935:1440821935 (0) win 0#2: same PC with Dynamic NAT, VPN connection fails:
70 packets captured
1: 14:08:31.758261 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495 (0) win 64240
2: 14:08:34.876907 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495 (0) win 64240
3: 14:08:40.746055 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495 (0) win 64240
4: 14:08:42.048627 10.1.1.82.1074 > 76.196.10.57.60443: S 3309127022:3309127022 (0) win 64240
5: 14:08:42.120248 76.196.10.57.60443 > 10.1.1.82.1074: S 1715577781:1715577781 (0) ack 3309127023 win 5808
6: 14:08:42.120568 10.1.1.82.1074 > 76.196.10.57.60443:. ACK 1715577782 win 64240
7: 14:08:42.121102 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127023:3309127147 (124) ack 1715577782 win 64240
8: 14:08:42.183553 76.196.10.57.60443 > 10.1.1.82.1074:. ACK 3309127147 win 5808
9: 14:08:42.232867 76.196.10.57.60443 > 10.1.1.82.1074: P 1715577782:1715578445 (663) ack 3309127147 win 5808
10: 14:08:42.405145 10.1.1.82.1074 > 76.196.10.57.60443:. ACK 1715578445 win 63577
11: 14:08:43.791340 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127147:3309127345 (198) ack 1715578445 win 63577
12: 14:08:43.850450 76.196.10.57.60443 > 10.1.1.82.1074:. ACK 3309127345 win 6432
13: 14:08:44.028196 76.196.10.57.60443 > 10.1.1.82.1074: P 1715578445:1715578504 (59) ack 3309127345 win 6432
14: 14:08:44.058544 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127345:3309127643 (298) ack 1715578504 win 63518
15: 14:08:44.116403 76.196.10.57.60443 > 10.1.1.82.1074:. ACK 3309127643 win 7504
16: 14:08:47.384654 76.196.10.57.60443 > 10.1.1.82.1074: P 1715578504:1715578882 (378) ack 3309127643 win 7504
17: 14:08:47.385417 76.196.10.57.60443 > 10.1.1.82.1074: 1715578882:1715578882 F (0) ack 3309127643 win 7504
18: 14:08:47.394068 10.1.1.82.1074 > 76.196.10.57.60443:. ACK 1715578883 win 63140
19: 14:08:47.394922 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127643:3309127680 (37) ack 1715578883 win 63140
20: 14:08:47.395151 10.1.1.82.1074 > 76.196.10.57.60443: 3309127680:3309127680 F (0) ack 1715578883 win 63140
21: 14:08:47.457633 76.196.10.57.60443 > 10.1.1.82.1074: R 1715578883:1715578883 (0) win 0
22: 14:08:57.258073 10.1.1.82.500 > 76.196.10.57.500: udp 276
23: 14:08:57.336255 76.196.10.57.500 > 10.1.1.82.500: udp 40
24: 14:08:58.334211 10.1.1.82.500 > 76.196.10.57.500: udp 276
25: 14:08:58.412850 76.196.10.57.500 > 10.1.1.82.500: udp 40
26: 14:09:00.333311 10.1.1.82.500 > 76.196.10.57.500: udp 276
27: 14:09:00.410730 76.196.10.57.500 > 10.1.1.82.500: udp 40
28: 14:09:02.412561 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865 (0) win 64240
29: 14:09:04.349164 10.1.1.82.500 > 76.196.10.57.500: udp 276
30: 14:09:04.431648 76.196.10.57.500 > 10.1.1.82.500: udp 40
31: 14:09:05.442710 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865 (0) win 64240
32: 14:09:11.380427 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865 (0) win 64240
33: 14:09:12.349926 10.1.1.82.500 > 76.196.10.57.500: udp 276
34: 14:09:12.421502 10.1.1.82.1076 > 76.196.10.57.60443: S 3856215672:3856215672 (0) win 64240
35: 14:09:12.430794 76.196.10.57.500 > 10.1.1.82.500: udp 40
36: 14:09:12.481832 76.196.10.57.60443 > 10.1.1.82.1076: S 248909856:248909856 (0) ack 3856215673 win 5808
37: 14:09:12.527972 10.1.1.82.1076 > 76.196.10.57.60443:. ACK 248909857 win 64240
38: 14:09:12.529238 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215673:3856215797 (124) ack 248909857 win 64240
39: 14:09:12.608275 76.196.10.57.60443 > 10.1.1.82.1076:. ACK 3856215797 win 5808
40: 14:09:12.658581 76.196.10.57.60443 > 10.1.1.82.1076: P 248909857:248910520 (663) ack 3856215797 win 5808
41: 14:09:12.664531 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215797:3856215995 (198) ack 248910520 win 63577
42: 14:09:12.725533 76.196.10.57.60443 > 10.1.1.82.1076:. ACK 3856215995 win 6432
43: 14:09:12.880813 76.196.10.57.60443 > 10.1.1.82.1076: P 248910520:248910579 (59) ack 3856215995 win 6432
44: 14:09:12.892272 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215995:3856216293 (298) ack 248910579 win 63518
45: 14:09:12.953029 76.196.10.57.60443 > 10.1.1.82.1076:. ACK 3856216293 win 7504
46: 14:09:12.955043 76.196.10.57.60443 > 10.1.1.82.1076: 248910579:248910579 F (0) ack 3856216293 win 7504
47: 14:09:12.955242 10.1.1.82.1076 > 76.196.10.57.60443:. ACK 248910580 win 63518
48: 14:09:12.955516 10.1.1.82.1076 > 76.196.10.57.60443: P 3856216293:3856216330 (37) ack 248910580 win 63518
49: 14:09:12.955730 10.1.1.82.1076 > 76.196.10.57.60443: 3856216330:3856216330 F (0) ack 248910580 win 63518
50: 14:09:13.019743 76.196.10.57.60443 > 10.1.1.82.1076: R 248910580:248910580 (0) win 0
51: 14:09:16.068691 10.1.1.82.500 > 76.196.10.57.500: udp 56
52: 14:09:16.227588 10.1.1.82.1077 > 76.196.10.57.60443: S 3657181617:3657181617 (0) win 64240
53: 14:09:16.283783 76.196.10.57.60443 > 10.1.1.82.1077: S 908773751:908773751 (0) ack 3657181618 win 5808
54: 14:09:16.306823 10.1.1.82.1077 > 76.196.10.57.60443:. ACK 908773752 win 64240
55: 14:09:16.307692 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181618:3657181742 (124) ack 908773752 win 64240
56: 14:09:16.370998 76.196.10.57.60443 > 10.1.1.82.1077:. ACK 3657181742 win 5808
57: 14:09:16.411935 76.196.10.57.60443 > 10.1.1.82.1077: P 908773752:908774415 (663) ack 3657181742 win 5808
58: 14:09:16.417870 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181742:3657181940 (198) ack 908774415 win 63577
59: 14:09:16.509388 76.196.10.57.60443 > 10.1.1.82.1077:. ACK 3657181940 win 6432
60: 14:09:16.708413 76.196.10.57.60443 > 10.1.1.82.1077: P 908774415:908774474 (59) ack 3657181940 win 6432
61: 14:09:16.887100 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181940:3657182254 (314) ack 908774474 win 63518
62: 14:09:16.948193 76.196.10.57.60443 > 10.1.1.82.1077:. ACK 3657182254 win 7504
63: 14:09:19.698465 76.196.10.57.60443 > 10.1.1.82.1077: P 908774474:908774740 (266) ack 3657182254 win 7504
64: 14:09:19.699426 76.196.10.57.60443 > 10.1.1.82.1077: 908774740:908774740 F (0) ack 3657182254 win 7504
65: 14:09:20.060162 10.1.1.82.1077 > 76.196.10.57.60443:. ACK 908774741 win 63252
66: 14:09:20.062191 76.196.10.57.60443 > 10.1.1.82.1077: P 908774474:908774740 (266) ack 3657182254 win 7504
67: 14:09:20.063732 10.1.1.82.1077 > 76.196.10.57.60443:. ACK 908774741 win 63252
68: 14:09:20.063900 10.1.1.82.1077 > 76.196.10.57.60443: P 3657182254:3657182291 (37) ack 908774741 win 63252
69: 14:09:20.064098 10.1.1.82.1077 > 76.196.10.57.60443: 3657182291:3657182291 F (0) ack 908774741 win 63252
70: 14:09:20.127694 76.196.10.57.60443 > 10.1.1.82.1077: R 908774741:908774741 (0) win 0
70 packages shownWe had this problem of connection VPN IPsec from the years (I first thought it is restriction access problem, but it does not work or if I disable all access lists, experience of yesterday for the same restriction of the access-list shows longer than PC is not the cause). All suggestions and tips are greatly appreciated.
Sean
Hi Sean, please remove th lines highlighted in your pix and try and let me know, that these lines are not the default configuration of the PIX.
VPN-udp-class of the class-map
corresponds to the list of access vpn-udp-acl
vpn-udp-policy policy-map
VPN-udp-class
inspect the amp-ipsec
type of policy-card inspect dns migrated_dns_map_1
parameters
message-length maximum 768
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the http
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
inspect the pptp
inspect the amp-ipsec
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
IP verify reverse path to the outside interface
Thank you
Rizwan James
-
IPsec VPN Phase 2 does not. Need help with the debug output
Is someone can you please tell me why I can't establish ipsec Phase 2 negotiations. I'm trying to connect a 2651XM to a Pix 501.
Here are the isakmp debug and release of ipsec and configs. I checked the keys are the same. And sets of transformations look ok. No idea why its not working?
What is the bottom tell me?
===========================================================
01:32:37: IPSEC (validate_transform_proposal): invalid local address 1.1.1.2
01:32:37: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
01:32:37: ISAKMP:(0:2:SW:1): politics of ITS phase 2 is not acceptable! (local 1.1.1.2 re)
Mote 1.1.1.3)
01:32:37: IPSEC (validate_transform_proposal): invalid local address 1.1.1.2
01:32:37: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
01:32:37: ISAKMP:(0:2:SW:1): politics of ITS phase 2 is not acceptable! (local 1.1.1.2 re)
Mote 1.1.1.3)
===============================================================================
ISAKMP (0): start Quick Mode Exchange, M - ID - 1154286426:bb32fca6
crypto_isakmp_process_block: CBC 1.1.1.2 1.1.1.3 dest
ISAKMP (0): processing NOTIFY payload Protocol 14 2
SPI 2224366689, message ID = 1503891776
ISAKMP (0): removal of spi 1629787524 message ID = 3140680870
to return to the State is IKMP_NO_ERR_NO_TRANS
pixfirewall #.
pixfirewall # sh crypto is
ISAKMP (0): start Quick Mode Exchange, M - ID 400184159:17da535f
crypto_isakmp_process_block: CBC 1.1.1.2 1.1.1.3 dest
ISAKMP (0): processing NOTIFY payload Protocol 14 2
SPI 2649583861, message ID = 1778335964 a.
ISAKMP (0): removal of spi 4117818781 message ID = 400184159
status code returned is IKMP_NO_ERR_NO_TRANSkmp its
Total: 1
Embryonic: 0
Src DST in the meantime created State
1.1.1.2 1.1.1.3 QM_IDLE 0 0
pixfirewall #.
ISAKMP (0): start Quick Mode Exchange, M - ID 923039456:370476e0
crypto_isakmp_process_block: CBC 1.1.1.2 1.1.1.3 dest
ISAKMP (0): processing NOTIFY payload Protocol 14 2
SPI 2163779852, message ID = 2746774364
ISAKMP (0): removal of spi 212465792 message ID = 923039456
to return to the State is IKMP_NO_ERR_NO_TRANSexiClosure of session
CCC cryp #sh
CCC #sh crypto isakmp his
status of DST CBC State conn-id slot
1.1.1.2 1.1.1.3 QM_IDLE 1 0 ACTIVECCC #ping 192.168.1.1
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.1.1, time-out is 2 seconds:
.....
Success rate is 0% (0/5)CCC #ping 192.168.1.5
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.1.5, time-out is 2 seconds:
.....
Success rate is 0% (0/5)
CCC #debug isakmp crypto
Crypto ISAKMP debug is on
CCC #debug crypto ipsec
Crypto IPSEC debugging is on
Crypto CCC talkative #debug
detailed debug output debug is on
CCC #ping 192.168.1.5Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.1.5, time-out is 2 seconds:
.....
Success rate is 0% (0/5)
CCC #.
00:51:24: ISAKMP (0:134217729): received packet of 1.1.1.3 dport 500 sport 500
Global (R) QM_IDLE
00:51:24: ISAKMP: node set 1268073006 to QM_IDLE
00:51:24: ISAKMP:(0:1:SW:1): HASH payload processing. Message ID = 1268073006
00:51:24: ISAKMP:(0:1:SW:1): treatment ITS payload. Message ID = 1268073006
00:51:24: ISAKMP: (0:1:SW:1): proposal of IPSec checking 1
00:51:24: ISAKMP: turn 1, AH_SHA
00:51:24: ISAKMP: attributes of transformation:
00:51:24: ISAKMP: program is 1 (Tunnel)
00:51:24: ISAKMP: type of life in seconds
00:51:24: ISAKMP: life of HIS (basic) of 28800
00:51:24: ISAKMP: type of life in kilobytes
00:51:24: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0
00:51:24: ISAKMP: authenticator is HMAC-SHA
00:51:24: ISAKMP: (0:1:SW:1): atts are acceptable.
00:51:24: ISAKMP: (0:1:SW:1): proposal of IPSec checking 1
00:51:24: ISAKMP: turn 1, ESP_3DES
00:51:24: ISAKMP: attributes of transformation:
00:51:24: ISAKMP: program is 1 (Tunnel)
00:51:24: ISAKMP: type of life in seconds
00:51:24: ISAKMP: life of HIS (basic) of 28800
00:51:24: ISAKMP: type of life in kilobytes
00:51:24: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0
00:51:24: ISAKMP: (0:1:SW:1): atts are acceptable.
00:51:24: IPSEC (validate_proposal_request): part #1 of the proposal
(Eng. msg key.) Local INCOMING = 1.1.1.2, distance = 1.1.1.3.
local_proxy = 10.10.10.0/255.255.255.0/0/0 (type = 4),
remote_proxy = 192.168.1.0/255.255.255.0/0/0 (type = 4),
Protocol = AH, transform = ah-sha-hmac (Tunnel),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 2
00:51:24: IPSEC (validate_proposal_request): part #2 of the proposal
(Eng. msg key.) Local INCOMING = 1.1.1.2, distance = 1.1.1.3.
local_proxy = 10.10.10.0/255.255.255.0/0/0 (type = 4),
remote_proxy = 192.168.1.0/255.255.255.0/0/0 (type = 4),
Protocol = ESP, transform = esp-3des (Tunnel),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 2
00:51:24: IPSEC (validate_transform_proposal): invalid local address 1.1.1.2
00:51:24: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
00:51:24: ISAKMP:(0:1:SW:1): politics of ITS phase 2 is not acceptable! (local 1.1.1.2 re)
Mote 1.1.1.3)
00:51:24: ISAKMP: node set-429221146 to QM_IDLE
00:51:24: ISAKMP: (0:1:SW:1): Protocol to send NOTIFIER PROPOSAL_NOT_CHOSEN 2
SPI 2237255312, message ID =-429221146
00:51:24: ISAKMP:(0:1:SW:1): sending package to 1.1.1.3 my_port 500 peer_port 500
(R) QM_IDLE
00:51:24: ISAKMP: (0:1:SW:1): purge the node-429221146
00:51:24: ISAKMP: (0:1:SW:1): node 1268073006 REAL reason «QM rejec» error suppression
Ted. "
00:51:24: ISAKMP (0:134217729): unknown IKE_MESG_FROM_PEER, IKE_QM_EXCH entry:
node 1268073006: status = IKE_QM_READY
00:51:24: ISAKMP: (0:1:SW:1): entrance, node 1268073006 = IKE_MESG_FROM_PEER, IKE_QM_
EXCH
00:51:24: ISAKMP: (0:1:SW:1): former State = new State IKE_QM_READY = IKE_QM_READY
00:51:24: % CRYPTO-6-IKMP_MODE_FAILURE: fast processing mode has failed with the counterpart
with 1.1.1.3
00:51:54: ISAKMP (0:134217729): received packet of 1.1.1.3 dport 500 sport 500
Global (R) QM_IDLE
00:51:54: ISAKMP: node set-500877443 to QM_IDLE
00:51:54: ISAKMP:(0:1:SW:1): HASH payload processing. Message ID =-500877443
00:51:54: ISAKMP:(0:1:SW:1): treatment ITS payload. Message ID =-500877443
00:51:54: ISAKMP: (0:1:SW:1): proposal of IPSec checking 1
00:51:54: ISAKMP: turn 1, AH_SHA
00:51:54: ISAKMP: attributes of transformation:
00:51:54: ISAKMP: program is 1 (Tunnel)
00:51:54: ISAKMP: type of life in seconds
00:51:54: ISAKMP: life of HIS (basic) of 28800
00:51:54: ISAKMP: type of life in kilobytes
00:51:54: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0
00:51:54: ISAKMP: authenticator is HMAC-SHA
00:51:54: ISAKMP: (0:1:SW:1): atts are acceptable.
00:51:54: ISAKMP: (0:1:SW:1): proposal of IPSec checking 1
00:51:54: ISAKMP: turn 1, ESP_3DES
00:51:54: ISAKMP: attributes of transformation:
00:51:54: ISAKMP: program is 1 (Tunnel)
00:51:54: ISAKMP: type of life in seconds
00:51:54: ISAKMP: life of HIS (basic) of 28800
00:51:54: ISAKMP: type of life in kilobytes
00:51:54: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0
00:51:54: ISAKMP: (0:1:SW:1): atts are acceptable.
00:51:54: IPSEC (validate_proposal_request): part #1 of the proposal
(Eng. msg key.) Local INCOMING = 1.1.1.2, distance = 1.1.1.3.
local_proxy = 10.10.10.0/255.255.255.0/0/0 (type = 4),
remote_proxy = 192.168.1.0/255.255.255.0/0/0 (type = 4),
Protocol = AH, transform = ah-sha-hmac (Tunnel),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 2
00:51:54: IPSEC (validate_proposal_request): part #2 of the proposal
(Eng. msg key.) Local INCOMING = 1.1.1.2, distance = 1.1.1.3.
local_proxy = 10.10.10.0/255.255.255.0/0/0 (type = 4),
remote_proxy = 192.168.1.0/255.255.255.0/0/0 (type = 4),
Protocol = ESP, transform = esp-3des (Tunnel),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 2
00:51:54: IPSEC (validate_transform_proposal): invalid local address 1.1.1.2
00:51:54: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
00:51:54: ISAKMP:(0:1:SW:1): politics of ITS phase 2 is not acceptable! (local 1.1.1.2 re)
Mote 1.1.1.3)
00:51:54: ISAKMP: node set-701693099 to QM_IDLE
00:51:54: ISAKMP: (0:1:SW:1): Protocol to send NOTIFIER PROPOSAL_NOT_CHOSEN 2
SPI 2237255312, message ID =-701693099
00:51:54: ISAKMP:(0:1:SW:1): sending package to 1.1.1.3 my_port 500 peer_port 500
(R) QM_IDLE
00:51:54: ISAKMP: (0:1:SW:1): purge the node-701693099
00:51:54: ISAKMP: (0:1:SW:1): node-500877443 error suppression REAL reason "QM rejec.
Ted. "
00:51:54: ISAKMP (0:134217729): unknown IKE_MESG_FROM_PEER, IKE_QM_EXCH entry:
node-500877443: State = IKE_QM_READY
00:51:54: ISAKMP: (0:1:SW:1): entrance, node-500877443 = IKE_MESG_FROM_PEER, IKE_QM_
EXCH
00:51:54: ISAKMP: (0:1:SW:1): former State = new State IKE_QM_READY = IKE_QM_READY
00:52:14: ISAKMP: (0:1:SW:1): purge the node 1268073006
CCC #sh crypto isakmp his
status of DST CBC State conn-id slot
1.1.1.2 1.1.1.3 QM_IDLE 1 0 ACTIVECCC #ping 192.168.1.5
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.1.5, time-out is 2 seconds:00:52:44: ISAKMP: (0:1:SW:1): purge node-500877443...
00:52:50: ISAKMP (0:134217729): received packet of 1.1.1.3 dport 500 sport 500
Global (R) QM_IDLE
00:52:50: ISAKMP: node set 1186613650 to QM_IDLE
00:52:50: ISAKMP:(0:1:SW:1): HASH payload processing. Message ID = 1186613650
00:52:50: ISAKMP:(0:1:SW:1): treatment ITS payload. Message ID = 1186613650
00:52:50: ISAKMP: (0:1:SW:1): proposal of IPSec checking 1
00:52:50: ISAKMP: turn 1, AH_SHA
00:52:50: ISAKMP: attributes of transformation:
00:52:50: ISAKMP: program is 1 (Tunnel)
00:52:50: ISAKMP: type of life in seconds
00:52:50: ISAKMP: life of HIS (basic) of 28800
00:52:50: ISAKMP: type of life in kilobytes
00:52:50: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0
00:52:50: ISAKMP: authenticator is HMAC-SHA
00:52:50: ISAKMP: (0:1:SW:1): atts are acceptable.
00:52:50: ISAKMP: (0:1:SW:1): proposal of IPSec checking 1
00:52:50: ISAKMP: turn 1, ESP_3DES
00:52:50: ISAKMP: attributes of transformation:
00:52:50: ISAKMP: program is 1 (Tunnel)
00:52:50: ISAKMP: type of life in seconds
00:52:50: ISAKMP: life of HIS (basic) of 28800
00:52:50: ISAKMP: type of life in kilobytes
00:52:50: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0
00:52:50: ISAKMP: (0:1:SW:1): atts are acceptable.
00:52:50: IPSEC (validate_proposal_request): part #1 of the proposal
(Eng. msg key.) Local INCOMING = 1.1.1.2, distance = 1.1.1.3.
local_proxy = 10.10.10.0/255.255.255.0/0/0 (type = 4),
remote_proxy = 192.168.1.0/255.255.255.0/0/0 (type = 4),
Protocol = AH, transform = ah-sha-hmac (Tunnel),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 2
00:52:50: IPSEC (validate_proposal_request): part #2 of the proposal
(Eng. msg key.) Local INCOMING = 1.1.1.2, distance = 1.1.1.3.
local_proxy = 10.10.10.0/255.255.255.0/0/0 (type = 4),
remote_proxy = 192.1.68.1.0/255.255.255.0/0/0 (type = 4),
Protocol = ESP, transform = esp-3des (Tunnel),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 2
00:52:50: IPSEC (validate_transform_proposal): invalid local address 1.1.1.2
00:52:50: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
00:52:50: ISAKMP:(0:1:SW:1): politics of ITS phase 2 is not acceptable! (local 1.1.1.2 re)
Mote 1.1.1.3)
00:52:50: ISAKMP: node set-1113601414 to QM_IDLE
00:52:50: ISAKMP: (0:1:SW:1): Protocol to send NOTIFIER PROPOSAL_NOT_CHOSEN 2
SPI 2237255312, message ID =-1113601414
00:52:50: ISAKMP:(0:1:SW:1): sending package to 1.1.1.3 my_port 500 peer_port 500
(R) QM_IDLE
00:52:50: ISAKMP: (0:1:SW:1): purge the node-1113601414
00:52:50: ISAKMP: (0:1:SW:1): node 1186613650 REAL reason «QM rejec» error suppression
Ted. "
00:52:50: ISAKMP (0:134217729): unknown IKE_MESG_FROM_PEER, IKE_QM_EXCH entry:
node 1186613650: status = IKE_QM_READY
00:52:50: ISAKMP: (0:1:SW:1): entrance, node 1186613650 = IKE_MESG_FROM_PEER, IKE_QM_
EXCH
00:52:50: ISAKMP: (0:1:SW:1): former State = new State IKE_QM_READY = IKE_QM_READY
00:52:50: % CRYPTO-6-IKMP_MODE_FAILURE: fast processing mode has failed with the counterpart
with 1.1.1.3.
Success rate is 0% (0/5)
CCC #.
00:53:20: ISAKMP (0:134217729): received packet of 1.1.1.3 dport 500 sport 500
Global (R) QM_IDLE
00:53:20: ISAKMP: node set 459446741 to QM_IDLE
00:53:20: ISAKMP:(0:1:SW:1): HASH payload processing. Message ID = 459446741
00:53:20: ISAKMP:(0:1:SW:1): treatment ITS payload. Message ID = 459446741
00:53:20: ISAKMP: (0:1:SW:1): proposal of IPSec checking 1
00:53:20: ISAKMP: turn 1, AH_SHA
00:53:20: ISAKMP: attributes of transformation:
00:53:20: ISAKMP: program is 1 (Tunnel)
00:53:20: ISAKMP: type of life in seconds
00:53:20: ISAKMP: life of HIS (basic) of 28800
00:53:20: ISAKMP: type of life in kilobytes
00:53:20: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0
00:53:20: ISAKMP: authenticator is HMAC-SHA
00:53:20: ISAKMP: (0:1:SW:1): atts are acceptable.
00:53:20: ISAKMP: (0:1:SW:1): proposal of IPSec checking 1
00:53:20: ISAKMP: turn 1, ESP_3DES
00:53:20: ISAKMP: attributes of transformation:
00:53:20: ISAKMP: program is 1 (Tunnel)
00:53:20: ISAKMP: type of life in seconds
00:53:20: ISAKMP: life of HIS (basic) of 28800
00:53:20: ISAKMP: type of life in kilobytes
00:53:20: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0
00:53:20: ISAKMP: (0:1:SW:1): atts are acceptable.
00:53:20: IPSEC (validate_proposal_request): part #1 of the proposal
(Eng. msg key.) Local INCOMING = 1.1.1.2, distance = 1.1.1.3.
local_proxy = 10.10.10.0/255.255.255.0/0/0 (type = 4),
remote_proxy = 192.168.1.0/255.255.255.0/0/0 (type = 4),
Protocol = AH, transform = ah-sha-hmac (Tunnel),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 2
00:53:20: IPSEC (validate_proposal_request): part #2 of the proposal
(Eng. msg key.) Local INCOMING = 1.1.1.2, distance = 1.1.1.3.
local_proxy = 10.10.10.0/255.255.255.0/0/0 (type = 4),
remote_proxy = 192.168.1.0/255.255.255.0/0/0 (type = 4),
Protocol = ESP, transform = esp-3des (Tunnel),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 2
00:53:20: IPSEC (validate_transform_proposal): invalid local address 1.1.1.2
00:53:20: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
00:53:20: ISAKMP:(0:1:SW:1): politics of ITS phase 2 is not acceptable! (local 1.1.1.2 re)
Mote 1.1.1.3)
00:53:20: ISAKMP: node set-1692074376 to QM_IDLE
00:53:20: ISAKMP: (0:1:SW:1): Protocol to send NOTIFIER PROPOSAL_NOT_CHOSEN 2
SPI 2237255312, message ID =-1692074376
00:53:20: ISAKMP:(0:1:SW:1): sending package to 1.1.1.3 my_port 500 peer_port 500
(R) QM_IDLE
00:53:20: ISAKMP: (0:1:SW:1): purge the node-1692074376
00:53:20: ISAKMP: (0:1:SW:1): REAL reason for node deletion 459446741 error "reject QM.
Ed ".
00:53:20: ISAKMP (0:134217729): unknown IKE_MESG_FROM_PEER, IKE_QM_EXCH entry:
node 459446741: status = IKE_QM_READY
00:53:20: ISAKMP: (0:1:SW:1): entrance, node 459446741 = IKE_MESG_FROM_PEER, IKE_QM_E
XCH
00:53:20: ISAKMP: (0:1:SW:1): former State = new State IKE_QM_READY = IKE_QM_READY
00:53:40: ISAKMP: (0:1:SW:1): purge the node 1186613650
00:53:42: % LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, chang
State of Ed down
00:54:10: ISAKMP: (0:1:SW:1): purge the node 459446741===============================================================================
6.2 (2) version PIX
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
activate 8Ry2YjIyt7RRXU24 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
pixfirewall hostname
domain ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol they 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol 2000 skinny
names of
permit 192.168.1.0 ip access list outside_cryptomap_20 255.255.255.0 10.10.10.0
255.255.255.0
permit 192.168.1.0 ip access list inside_outbound_nat0_acl 255.255.255.0 10.10.1
255.255.255.0 0.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
Outside 1500 MTU
Within 1500 MTU
1.1.1.3 outside IP address 255.255.255.0
IP address inside 192.168.1.1 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
location of PDM 10.10.10.0 255.255.255.0 inside
location of PDM 10.10.10.0 255.255.255.0 outside
PDM logging 100 information
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_outbound_nat0_acl
NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
Route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
Timeout xlate 0:05:00
Timeout conn 0 half-closed 01:00:10: 00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 TR
p 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
RADIUS Protocol RADIUS AAA server
AAA-server local LOCAL Protocol
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Permitted connection ipsec sysopt
No sysopt route dnat
Crypto ipsec transform-set Petaluma_VPN ah-sha-hmac esp-3des
outside_map 20 ipsec-isakmp crypto map
card crypto outside_map 20 match address outside_cryptomap_20
card crypto outside_map 20 peers set 1.1.1.2
card crypto outside_map 20 game of transformation-Petaluma_VPN
outside_map interface card crypto outside
ISAKMP allows outside
ISAKMP key * 1.1.1.2 address netmask 255.255.255.255 No.-xauth No.-config-m
Ode
part of pre authentication ISAKMP policy 20
ISAKMP policy 20 3des encryption
ISAKMP policy 20 md5 hash
20 2 ISAKMP policy group
ISAKMP duration strategy of life 20 86400
Telnet timeout 5
SSH timeout 5
dhcpd address 192.168.1.5 - 192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd outside auto_config
dhcpd allow inside
Terminal width 80
Cryptochecksum:8c0d4948407071d3515f1546cf8bc147
: end
pixfirewall #.
=========================================================================
CCC #sh run
Building configuration...Current configuration: 1328 bytes
!
version 12.4
horodateurs service debug uptime
Log service timestamps uptime
no password encryption service
!
CCC host name
!
boot-start-marker
start the system flash c2600-adventerprisek9 - mz.124 - 25d.bin
boot-end-marker
!
!
No aaa new-model
no location network-clock-participate 1
No network-clock-participate wic 0
IP cef
!
!
!
!!
!
!
crypto ISAKMP policy 2
BA 3des
md5 hash
preshared authentication
Group 2
address key crypto isakmp 1.1.1.3 cisco123
!
!
Crypto ipsec transform-set Petaluma_VPN ah-sha-hmac esp-3des
!
map Petaluma_1 1 ipsec-isakmp crypto
defined peer 1.1.1.3
game of transformation-Petaluma_VPN
match address 100
!
!
!
!
interface FastEthernet0/0
1.1.1.2 IP 255.255.255.0
automatic speed
Half duplex
!
interface Serial0/0
no ip address
Shutdown
clock speed of 56000
!
interface FastEthernet0/1
10.10.10.2 IP address 255.255.255.0
automatic duplex
automatic speed
card crypto Petaluma_1
!
IP forward-Protocol ND
IP route 192.168.1.0 255.255.255.0 1.1.1.3
!
!
no ip address of the http server
no ip http secure server
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
control plan
!
!
!
!
!
!
!
!
!
!
Line con 0
line to 0
line vty 0 4
opening of session
!
!
endCCC #.
!
!
!
crypto ISAKMP policy 2
BA 3des
md5 hash
preshared authentication
Group 2
address key crypto isakmp 1.1.1.3 cisco123
!
!
Crypto ipsec transform-set Petaluma_VPN ah-sha-hmac esp-3des
!
map Petaluma_1 1 ipsec-isakmp crypto
defined peer 1.1.1.3
game of transformation-Petaluma_VPN
match address 100
!
!
!
!
interface FastEthernet0/01.1.1.2 IP 255.255.255.0
automatic speed
Half duplex
!
interface Serial0/0
no ip address
Shutdown
clock speed of 56000
!
interface FastEthernet0/1
10.10.10.2 IP address 255.255.255.0
automatic duplex
automatic speed
card crypto Petaluma_1
!
IP forward-Protocol ND
IP route 192.168.1.0 255.255.255.0 1.1.1.3
!
!
no ip address of the http server
no ip http secure server
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255Hi David,
Overlooking the configuration of the router, it seems that you have applied the encryption card to the wrong interface.
interface FastEthernet0/0
1.1.1.2 IP 255.255.255.0
automatic speed
Half duplex
!
interface FastEthernet0/1
10.10.10.2 IP address 255.255.255.0
automatic duplex
automatic speed
card crypto Petaluma_1
Given that the pix will attempt to build a VPN tunnel to 1.1.1.2 map encryption Petaluma_1 must be applied to FastEthernet0/0, not FastEthernet 0/1.
Let me know if it helps.
Thank you
Loren
-
l2l ipsec vpn - problem XAUTH need-based policy
Hello
I have a problem that I see a few solutions but they do not work.
I have a p2p IPSec vpn, which worked until I added access remote VPN configuration (which works perfectly).
According to the documents, I used isakmp policy allowing mixed tunnels. Now, whenever I try to send traffic through the l2l link I get the following debugging results telling me that the remote router is demanding XAUTH.
September 8 09:53:12: ISAKMP: (2015): the total payload length: 12
September 8 09:53:12: ISAKMP: (2015): send package to [source] my_port 500 peer_port 500 (R) MM_KEY_EXCH
September 8 09:53:12: ISAKMP: (2015): sending a packet IPv4 IKE.
September 8 09:53:12: ISAKMP: (2015): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
September 8 09:53:12: ISAKMP: (2015): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE
September 8 09:53:12: ISAKMP: (2015): need XAUTH
September 8 09:53:12: ISAKMP: node set 1635909437 to CONF_XAUTH
September 8 09:53:12: ISAKMP/xauth: application XAUTH_USER_NAME_V2 attribute
September 8 09:53:12: ISAKMP/xauth: application XAUTH_USER_PASSWORD_V2 attribute
September 8 09:53:12: ISAKMP: (2015): launch peer config [source]. ID = 1635909437
September 8 09:53:12: ISAKMP: (2015): send package to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
September 8 09:53:12: ISAKMP: (2015): sending a packet IPv4 IKE.
September 8 09:53:12: ISAKMP: (2015): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
September 8 09:53:12: ISAKMP: (2015): former State = new State IKE_P1_COMPLETE = IKE_XAUTH_REQ_SENT
September 8 09:53:12: ISAKMP (2015): package receipt from [source] 500 Global 500 (R) sport dport CONF_XAUTH
September 8 09:53:20: ISAKMP (2015): package receipt from [source] 500 Global 500 (R) sport dport CONF_XAUTH
September 8 09:53:27: ISAKMP: (2015): transmit phase 2 CONF_XAUTH 1635909437...
September 8 09:53:27: ISAKMP (2015): increment the count of errors on the node, try 1 5: retransmit the phase 2
September 8 09:53:27: ISAKMP (2015): increment the count of errors on his, try 1 5: retransmit the phase 2
September 8 09:53:27: ISAKMP: (2015): transmit phase 2 1635909437 CONF_XAUTH
September 8 09:53:27: ISAKMP: (2015): send package to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
September 8 09:53:27: ISAKMP: (2015): sending a packet IPv4 IKE.
September 8 09:53:28: ISAKMP (2015): package receipt from [source] 500 Global 500 (R) sport dport CONF_XAUTH
September 8 09:53:36: ISAKMP (2015): package receipt from [source] 500 Global 500 (R) sport dport CONF_XAUTH
September 8 09:53:42: ISAKMP: (2015): transmit phase 2 CONF_XAUTH 1635909437...
September 8 09:53:42: ISAKMP (2015): increment the count of errors on the node, try 2 of 5: retransmit the phase 2
September 8 09:53:42: ISAKMP (2015): increment the count of errors on his, try 2 of 5: retransmit the phase 2
September 8 09:53:42: ISAKMP: (2015): transmit phase 2 1635909437 CONF_XAUTH
September 8 09:53:42: ISAKMP: (2015): send package to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
September 8 09:53:42: ISAKMP: (2015): sending a packet IPv4 IKE.
September 8 09:53:44: ISAKMP (2015): package receipt from [source] 500 Global 500 (R) sport dport CONF_XAUTH
September 8 09:53:44: ISAKMP: node set 2054552354 to CONF_XAUTH
September 8 09:53:44: ISAKMP: (2015): HASH payload processing. Message ID = 2054552354
September 8 09:53:44: ISAKMP: (2015): treatment of payload to DELETE. Message ID = 2054552354
September 8 09:53:44: ISAKMP: (2015): peer does not paranoid KeepAlive.
So, it seems that Phase 1 ends without XAUTH.
Here's my cryptographic configurations:
Keyring cryptographic s2s
pre-shared key key address [source] [key]
!
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
lifetime 28800
!
crypto ISAKMP policy 5
BA 3des
preshared authentication
lifetime 28800
!
crypto ISAKMP policy 10
preshared authentication
lifetime 28800
!
Configuration group customer crypto isakmp [RA_GROUP]
key [key2]
DNS 192.168.7.7
win 192.168.7.222
ninterface.com field
pool SDM_POOL_1
ACL 100
Max-users 6
netmask 255.255.255.0
ISAKMP crypto ciscocp-ike-profile-1 profile
identity group match [RA_GROUP]
client authentication list ciscocp_vpn_xauth_ml_1
ISAKMP authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-model 1
Crypto isakmp ISA_PROF profile
S2S keyring
function identity [source] address 255.255.255.255
ISAKMP crypto unified profile
identity group match [RA_GROUP]
client authentication list ciscocp_vpn_xauth_ml_1
ISAKMP authorization list ciscocp_vpn_grop_ml_1
client configuration address respond
!
86400 seconds, duration of life crypto ipsec security association
!
Crypto ipsec transform-set esp-3des esp-sha-hmac VPN_T_BW
Crypto ipsec transform-set MY - SET esp - aes 256 esp-sha-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac trans-rem
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec df - bit clear
!
Profile of crypto ipsec CiscoCP_Profile1
game of transformation-ESP-3DES-SHA
set of isakmp - profile ciscocp-ike-profile-1
!
!
Crypto dynamic-map [RA_GROUP] 77
the transform-set trans-rem value
Isakmp profile unified set
market arriere-route
!
!
!
list of authentication of card crypto clientmap client RAD_GRP
map clientmap isakmp authorization list rtr crypto / remote
client configuration address map clientmap crypto answer
card crypto clientmap 77-isakmp dynamic ipsec [RA_GROUP]
!
client configuration address card crypto [RA_GROUP] answer
!
Crypto card remote isakmp authorization list rtr / remote
!
RTP 10 ipsec-isakmp crypto map
set peer [source]
MY - Set transform-set
PFS group2 Set
match address 111
It is a bit of a breakfast dogs because I'm at the time of implementation of policies.
I managed to block xauth before I used policy by adding no_xauth the end of my speech key but I can't work out how to add this using the strategy.
I'm something simple Paris that I missed.
Thanks for your help!
Hi Bruno.
Thanks for the brief explanation.
What crypto map is applied on the external interface?
I think the "crypto isakmp profile" solution is the best way and they seem to be ok, however, we must remember that you cannot have a single card encryption by interface, so you should have something like this:
1 - crypto dynamic-map outside_dynamic 10
game of transformation-ESP-AES-SHA
2-outside_map 10 ipsec-isakmp crypto map
the value of xxxx.xxxx.xxxx.xxxx peer
Map 3-crypto outside_map 65535-isakmp ipsec dynamic outside_dynamic
4-interface f0/0
outside_map card crypto
* I'm not configure all of the cryptographic configuration, I wanted to give you a better idea.
Please correct your configuration to accommodate one card encryption.
Just to add more information on isakmp profiles:
Let me know.
Thank you.
Portu.
Maybe you are looking for
-
HP Pavilion Slimline s5615uk: upgrade I can add a graphics card to an HP Pavilion Slimline s5615uk-m
Can I add a graphics card? If Yes, which?
-
HP g71: password administrator or power on password
Error code 74044173. .. .Please help. Just got this laptop on the pawn shop to play on but yes can not do a thing about it yetThanks in advance the yall
-
AnalogEdgeTrigger support on 6221 (OEM)
Hello- I'm trying to implement an asynchronous task read in an analog input channel when it reaches a specified voltage. Looks for help, as if I'd be able to do this by configuring the taste with an AnalogEgeTrigger, then set up an asynchronous read
-
I have Vista OS and recently used Google Chrome but has continued it to get the annoying yellow bar appearing about security that appears. I uninstalled Google Chrome after switching to Internet Explorer and I kept getting a caveat that I needed to u
-
Send and receive reports for MFP M177fw
I hope someone can help us? Our office has just bought the HP MFP M177fw fax machine. Everything works well and we may receive a confirmation When a fax has been sent. The only thing that we really need now is a send/receive report which lists all in