IPSEC VPN help!

Hi all

I have ASA 5520 and want to enable IPSEC VPN and want to access it via the cisco VPN client.

I did natting on the router that is connected to the external interface of the ASA. I did a static nat to a private IP address of out I / f of the ASA to the public IP address on the router. I am able to ping this public IP address on the internet and also capable of accessing the ASDM thru firewall using this public IP address.

I did the configuration using the VPN Wizard but some how not be able to connect through the VPN client. Guide please, if I missed something.

Configuration of the SAA is attached.

Concerning

BSN

try to do

conf t

No crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

No WAN_map card crypto WAN interface

card crypto WAN_map WAN interface<- just="" to="" be="" sure="" that="" all="" the="" changes="" were="">

and see the

crypto 10 isa debugging

Debug crypto ipsec 10

Tags: Cisco Security

Similar Questions

Redundancy of IPSEC VPN, help!

Hey everybody - you have a question, I hope that you guys can solve for me. I have a Setup with office (initially) two, both with ASA and both with double connections WAN (suppliers) on each failover configured using follow-up - that part works fine. I have also configured a tunnel VPN failover between sites, also by using this post)

( https://supportforums.cisco.com/community/netpro/security/vpn/blog/2011/04/25/ipsec-vpn-redundancy-failover-over-redundant-isp-links) and it works fine, however, the scenario in the post talking about an office with 2 WAN connections and the other office with 1 WAN connection. Now, I have configured my firewall to match this post regarding VPN failover is going and it works, but it is only by using a WAN connection on the remote site. In my senario, I want to make use of secondary WAN connection on the remote site for VPN redundancy. Any ideas on how I can get this working with what I have?

PS: I already sent a message to the user who sent the script in the link above and have not heard anything new - that is why I take it for everyone.

Thanks in advance guys!

-Bobby

Hi Bobby,.

Just as you have with the first you must apply the map encryption for both interfaces on the remote site for example

interface card crypto primary VPN-map

VPN-card Backup crypto map interface

And configure save peer on the main site so that if the main connection from the remote site is down, it will try to back-up connection:

card crypto Outside_map 20 set peer 1.1.1.1 2.2.2.2

Even for groups of tunnel:

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 ipsec-attributes

pre-shared-key *.

tunnel-group 2.2.2.2 type ipsec-l2l

2.2.2.2 tunnel-group ipsec-attributes

pre-shared-key *.

HTH

Raga

site IPSec VPN help!

I im doing site vpn to the other for the first time on a 891 to an rv 120 (gui), but it doesn't connect. I think it could be my list of access on the 891. the error I get in the rv120 is

08/12/02 18:15:35: [rv120w] [IKE] ERROR: Phase 1 negotiation failed because the time for xx.xx.xx.xx [500]. ea65b6c91b9e73de:0000000000000000

2012-08-02 18:16:11: [rv120w] [IKE] INFO: Configuration found for xx.xx.xx.xx.

2012-08-02 18:16:11: [rv120w] [IKE] INFO: opening new phase 1 negotiation: xx.xx.xx.xx [500]<=>xx.xx.xx.xx [500]

2012-08-02 18:16:11: [rv120w] [IKE] INFO: Start Identity Protection mode.

2012-08-02 18:16:11: [rv120w] [IKE] INFO: [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3

2012-08-02 18:16:11: [rv120w] [IKE] INFO: [ident_i1send:184]: XXX: definition of vendorid: 4

2012-08-02 18:16:11: [rv120w] [IKE] INFO: [ident_i1send:184]: XXX: definition of vendorid: 8

2012-08-02 18:16:11: [rv120w] [IKE] INFO: [ident_i1send:184]: XXX: definition of vendorid: 9

2012-08-02 18:16:11: [rv120w] [IKE] ERROR: ignore the information because the message has no payload hash.

2012-08-02 18:16:42: [rv120w] [IKE] ERROR: invalid protocol SA type: 0

2012-08-02 18:16:42: [rv120w] [IKE] ERROR: failure of the Phase 2 negotiation because of the waiting time for the phase 1.

2012-08-02 18:17: [rv120w] [IKE] INFO: accept a request to establish IKE - SA: 71.32.110.24

2012-08-02 18:17: [rv120w] [IKE] WARNING: schedular is already planned for the creation of the SA for outside: 'xx.xx.xx.xx' 2012-08-02 18:17: [rv120w] [IKE] ERROR: could not attach schedSaCreate in IKE configuraion

891 config

=====================================================

pool dhcp IP test

Network 10.10.10.0 255.255.255.0

default router 10.10.10.1

Server DNS 8.8.8.8 8.8.4.4

!

!

IP cef

8.8.8.8 IP name-server

IP-server names 8.8.4.4

No ipv6 cef

!

!

crypto ISAKMP policy 1

preshared authentication

Group 2

lifetime 28800

ISAKMP crypto key Testingkey address xx.xx.xx.xxx

!

!

Crypto ipsec transform-set test1 ah-md5-hmac esp-3des

!

maptest1 map ipsec-isakmp crypto 2

defined peer xx.xx.xx.xx

Set transform-set test1

match address 100

!

!

interface FastEthernet8

Qwest connection description

no ip address

NAT outside IP

IP virtual-reassembly

automatic duplex

automatic speed

PPPoE enable global group

PPPoE-client dial-pool-number 1

maptest1 card crypto

!

!

interface Vlan1

Quest description

IP 10.10.10.1 255.255.255.0

IP nat inside

IP virtual-reassembly

!

interface Dialer1

the negotiated IP address

IP mtu 1492

NAT outside IP

IP virtual-reassembly

encapsulation ppp

IP tcp adjust-mss 1452

Dialer pool 1

Dialer-Group 1

PPP authentication chap callin pap

PPP chap hostname xxxxxxxxx

PPP chap password 0 xxxxxxxx

!

IP forward-Protocol ND

no ip address of the http server

no ip http secure server

!

!

the IP nat inside source 1 list overload of the Dialer1 interface

IP route 0.0.0.0 0.0.0.0 Dialer1

!

access-list 1 permit 10.10.10.0 0.0.0.255

category of access list 100 remark maptest1 = 4

Note access-list 100 IPSec rule

access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

Dialer-list 1 ip protocol allow

Dialer-list 100 ip protocol allow

=======================================================================

Hi Manny,

Thanks for the debug output! I believe that we are making some progress and was able to establish phase 1 of IKE. The problem is now to establish IPsec SA or a phase of IKE 2. Could you do the following again once more, and view the results?

int f8

no card crypto maptest1

int d1

maptest1 card crypto

Claire crypto his

Debug crypto ISAKMP

Debug crypto ipsec

ISAKMP crypto to show his

Crypto ipsec to show his

Sent by Cisco Support technique iPhone App

Need help with the configuration of the Site with crossed on Cisco ASA5510 8.2 IPSec VPN Client (1)

Need urgent help in the configuration of the Client VPN IPSec Site with crossed on Cisco ASA5510 - 8.2 (1).

Here is the presentation:

There are two leased lines for Internet access - a route 1.1.1.1 and 2.2.2.2, the latter being the default Standard, old East for backup.

I was able to configure the Client VPN IPSec Site

(1) with access to the outside so that the internal network (172.16.0.0/24) behind the asa

(2) with Split tunnel with simultaneous assess internal LAN and Internet on the outside.

But I was not able to make the tradiotional model Hairpinng to work in this scenario.

I followed every possible suggestions made on this subject in many topics of Discussion but still no luck. Can someone help me here please?

Here is the race-Conf with Normal Client to Site IPSec VPN configured with no access boarding:

LIMITATION: Cannot boot into any other image ios for unavoidable reasons, must use 8.2 (1)

race-conf - Site VPN Customer normal work without internet access/split tunnel
: ASA Version 8.2 (1) ! ciscoasa hostname domain cisco.campus.com enable the encrypted password xxxxxxxxxxxxxx XXXXXXXXXXXXXX encrypted passwd names of ! interface GigabitEthernet0/0 nameif outside internet1 security-level 0 IP 1.1.1.1 255.255.255.240 ! interface GigabitEthernet0/1 nameif outside internet2 security-level 0 IP address 2.2.2.2 255.255.255.224 ! interface GigabitEthernet0/2 nameif dmz interface security-level 0 IP 10.0.1.1 255.255.255.0 ! interface GigabitEthernet0/3 nameif campus-lan security-level 0 IP 172.16.0.1 255.255.0.0 ! interface Management0/0 nameif CSC-MGMT security-level 100 the IP 10.0.0.4 address 255.255.255.0 ! boot system Disk0: / asa821 - k8.bin boot system Disk0: / asa843 - k8.bin passive FTP mode DNS server-group DefaultDNS domain cisco.campus.com permit same-security-traffic inter-interface permit same-security-traffic intra-interface object-group network cmps-lan the object-group CSC - ip network object-group network www-Interior object-group network www-outside object-group service tcp-80 object-group service udp-53 object-group service https object-group service pop3 object-group service smtp object-group service tcp80 object-group service http-s object-group service pop3-110 object-group service smtp25 object-group service udp53 object-group service ssh object-group service tcp-port port udp-object-group service object-group service ftp object-group service ftp - data object-group network csc1-ip object-group service all-tcp-udp access list INTERNET1-IN extended permit ip host 1.2.2.2 2.2.2.3 access-list extended SCC-OUT permit ip host 10.0.0.5 everything list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq www list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any https eq list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq ssh list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 no matter what eq ftp list of access CAMPUS-LAN extended permitted udp 172.16.0.0 255.255.0.0 no matter what eq field list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq smtp list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq pop3 access CAMPUS-wide LAN ip allowed list a whole access-list CSC - acl note scan web and mail traffic access-list CSC - acl extended permit tcp any any eq smtp access-list CSC - acl extended permit tcp any any eq pop3 access-list CSC - acl note scan web and mail traffic access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq 993 access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq imap4 access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq 465

race-conf - Site VPN Customer normal work without internet access/split tunnel

ASA Version 8.2 (1)

ciscoasa hostname

domain cisco.campus.com

enable the encrypted password xxxxxxxxxxxxxx

XXXXXXXXXXXXXX encrypted passwd

names of

interface GigabitEthernet0/0

nameif outside internet1

security-level 0

IP 1.1.1.1 255.255.255.240

interface GigabitEthernet0/1

nameif outside internet2

security-level 0

IP address 2.2.2.2 255.255.255.224

interface GigabitEthernet0/2

nameif dmz interface

security-level 0

IP 10.0.1.1 255.255.255.0

interface GigabitEthernet0/3

nameif campus-lan

security-level 0

IP 172.16.0.1 255.255.0.0

interface Management0/0

nameif CSC-MGMT

security-level 100

the IP 10.0.0.4 address 255.255.255.0

boot system Disk0: / asa821 - k8.bin

boot system Disk0: / asa843 - k8.bin

passive FTP mode

DNS server-group DefaultDNS

domain cisco.campus.com

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

object-group network cmps-lan

the object-group CSC - ip network

object-group network www-Interior

object-group network www-outside

object-group service tcp-80

object-group service udp-53

object-group service https

object-group service pop3

object-group service smtp

object-group service tcp80

object-group service http-s

object-group service pop3-110

object-group service smtp25

object-group service udp53

object-group service ssh

object-group service tcp-port

port udp-object-group service

object-group service ftp

object-group service ftp - data

object-group network csc1-ip

object-group service all-tcp-udp

access list INTERNET1-IN extended permit ip host 1.2.2.2 2.2.2.3

access-list extended SCC-OUT permit ip host 10.0.0.5 everything

list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq www

list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any https eq

list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq ssh

list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 no matter what eq ftp

list of access CAMPUS-LAN extended permitted udp 172.16.0.0 255.255.0.0 no matter what eq field

list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq smtp

list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq pop3

access CAMPUS-wide LAN ip allowed list a whole

access-list CSC - acl note scan web and mail traffic

access-list CSC - acl extended permit tcp any any eq smtp

access-list CSC - acl extended permit tcp any any eq pop3

access-list CSC - acl note scan web and mail traffic

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq 993

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq imap4

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq 465

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq www

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq https

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq smtp

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq pop3

access-list extended INTERNET2-IN permit ip any host 1.1.1.2

access-list sheep extended ip 172.16.0.0 allow 255.255.0.0 172.16.0.0 255.255.0.0

access list DNS-inspect extended permit tcp any any eq field

access list DNS-inspect extended permit udp any any eq field

access-list extended capin permit ip host 172.16.1.234 all

access-list extended capin permit ip host 172.16.1.52 all

access-list extended capin permit ip any host 172.16.1.52

Capin list extended access permit ip host 172.16.0.82 172.16.0.61

Capin list extended access permit ip host 172.16.0.61 172.16.0.82

access-list extended capout permit ip host 2.2.2.2 everything

access-list extended capout permit ip any host 2.2.2.2

Access campus-lan_nat0_outbound extended ip 172.16.0.0 list allow 255.255.0.0 192.168.150.0 255.255.255.0

pager lines 24

Enable logging

debug logging in buffered memory

asdm of logging of information

Internet1-outside of MTU 1500

Internet2-outside of MTU 1500

interface-dmz MTU 1500

Campus-lan of MTU 1500

MTU 1500 CSC-MGMT

IP local pool 192.168.150.2 - 192.168.150.250 mask 255.255.255.0 vpnpool1

IP check path reverse interface internet2-outside

IP check path reverse interface interface-dmz

IP check path opposite campus-lan interface

IP check path reverse interface CSC-MGMT

no failover

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 621.bin

don't allow no asdm history

ARP timeout 14400

interface of global (internet1-outside) 1

interface of global (internet2-outside) 1

NAT (campus-lan) 0-campus-lan_nat0_outbound access list

NAT (campus-lan) 1 0.0.0.0 0.0.0.0

NAT (CSC-MGMT) 1 10.0.0.5 255.255.255.255

static (CSC-MGMT, internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255

Access-group INTERNET2-IN interface internet1-outside

group-access INTERNET1-IN interface internet2-outside

group-access CAMPUS-LAN in campus-lan interface

CSC-OUT access-group in SCC-MGMT interface

Internet2-outside route 0.0.0.0 0.0.0.0 2.2.2.5 1

Route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

the ssh LOCAL console AAA authentication

AAA authentication enable LOCAL console

Enable http server

http 10.0.0.2 255.255.255.255 CSC-MGMT

http 10.0.0.8 255.255.255.255 CSC-MGMT

HTTP 1.2.2.2 255.255.255.255 internet2-outside

HTTP 1.2.2.2 255.255.255.255 internet1-outside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs set group5

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

Crypto map internet2-outside_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

crypto internet2-outside_map outside internet2 network interface card

Crypto ca trustpoint _SmartCallHome_ServerCA

Configure CRL

Crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy

a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

a67a897as a67a897as a67a897as a67a897as a67a897as

quit smoking

ISAKMP crypto enable internet2-outside

crypto ISAKMP policy 10

preshared authentication

aes encryption

md5 hash

Group 2

life 86400

Telnet 10.0.0.2 255.255.255.255 CSC-MGMT

Telnet 10.0.0.8 255.255.255.255 CSC-MGMT

Telnet timeout 5

SSH 1.2.3.3 255.255.255.240 internet1-outside

SSH 1.2.2.2 255.255.255.255 internet1-outside

SSH 1.2.2.2 255.255.255.255 internet2-outside

SSH timeout 5

Console timeout 0

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal VPN_TG_1 group policy

VPN_TG_1 group policy attributes

Protocol-tunnel-VPN IPSec

username ssochelpdesk encrypted password privilege 15 xxxxxxxxxxxxxx

privilege of encrypted password username administrator 15 xxxxxxxxxxxxxx

username vpnuser1 encrypted password privilege 0 xxxxxxxxxxxxxx

username vpnuser1 attributes

VPN-group-policy VPN_TG_1

type tunnel-group VPN_TG_1 remote access

attributes global-tunnel-group VPN_TG_1

address vpnpool1 pool

Group Policy - by default-VPN_TG_1

IPSec-attributes tunnel-group VPN_TG_1

pre-shared-key *.

class-map cmap-DNS

matches the access list DNS-inspect

CCS-class class-map

corresponds to the CSC - acl access list

type of policy-card inspect dns preset_dns_map

parameters

message-length maximum 512

Policy-map global_policy

CCS category

CSC help

cmap-DNS class

inspect the preset_dns_map dns

global service-policy global_policy

context of prompt hostname

Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y

: end

Adding dynamic NAT for 192.168.150.0/24 on the external interface works, or works the sysopt connection permit VPN

Please tell what to do here, to pin all of the traffic Internet from VPN Clients.

That is, that I need clients connected via VPN tunnel, when connected to the internet, should have their addresses IP NAT'ted against the address of outside internet2 network 2.2.2.2 interface, as it happens for the customers of Campus (172.16.0.0/16)

I am well aware of all involved in here, so please be elaborative in your answers. Please let me know if you need more information about this configuration to respond to my request.

Thank you & best regards

MAXS

Hello

If possible, I'd like to see that a TCP connection attempt (e.g. http://www.google.com) in the ASDM logging of the VPN Client when you set up the dynamic NAT for the VPN Pool also.

I'll try also the command "packet - trace" on the SAA, while the VPN Client is connected to the ASA.

The command format is

packet-tracer intput tcp

That should tell what the SAA for this kind of package entering its "input" interface

Still can not see something wrong with the configuration (other than the statement of "nat" missing Dynamics PAT)

-Jouni

Problems connecting to help connect any and the Ipsec VPN Client

I have problems connecting with the VPN client connect no matter what. I can connect with the Ipsec VPN client in Windows 7 32 bit.

Here is my latest config running.

Thank you for taking the time to read this.

passwd encrypted W/KqlBn3sSTvaD0T

no names

name 192.168.1.117 kylewooddesk kyle description

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

IP address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system Disk0: / asa822 - k8.bin

passive FTP mode

DNS lookup field inside

DNS domain-lookup outside

DNS server-group DefaultDNS

domain wood.local

permit same-security-traffic intra-interface

object-group service rdp tcp

access rdp Description

EQ port 3389 object

outside_access_in list extended access permit tcp any interface outside eq 3389

outside_access_in list extended access permit tcp any interface outside eq 8080

outside_access_in list extended access permit tcp any interface outside eq 3334

outside_access_in to access extended list ip 192.168.5.0 allow 255.255.255.240 192.168.1.0 255.255.255.0

woodgroup_splitTunnelAcl list standard access allowed host 192.168.1.117

inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.5.0 255.255.255.240

outside_access_in_1 list extended access permit tcp any host 192.168.1.117 eq 3389

woodgroup_splitTunnelAcl_1 list standard access allowed 192.168.1.0 255.255.255.0

inside_nat0_outbound_1 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.5.0 255.255.255.240

inside_nat0_outbound_1 to access extended list ip 192.168.5.0 allow 255.255.255.240 all

inside_test list extended access permit icmp any host 192.168.1.117

no pager

Enable logging

timestamp of the record

asdm of logging of information

Debugging trace record

Within 1500 MTU

Outside 1500 MTU

mask pool local Kyle 192.168.5.1 - 192.168.5.10 IP 255.255.255.0

IP local pool vpnpool 192.168.1.220 - 192.168.1.230

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 631.bin

don't allow no asdm history

ARP timeout 14400

Global (inside) 1 interface

Global 1 interface (outside)

NAT (inside) 0-list of access inside_nat0_outbound_1

NAT (inside) 1 0.0.0.0 0.0.0.0

public static interface 3389 (indoor, outdoor) 192.168.1.117 tcp 3389 netmask 255.255.255.255 dns

public static tcp (indoor, outdoor) interface 8080 192.168.1.117 8080 netmask 255.255.255.255

public static tcp (indoor, outdoor) interface 3334 192.168.1.86 3334 netmask 255.255.255.255

static (inside, upside down) 75.65.238.40 192.168.1.117 netmask 255.255.255.255

Access-group outside_access_in in interface outside

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

WebVPN

the files enable exploration

activate the entry in the file

enable http proxy

Enable URL-entry

SVC request no svc default

AAA authentication http LOCAL console

Enable http server

http 192.168.1.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

crypto isakmp identity address

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Telnet 192.168.1.0 255.255.255.0 inside

Telnet timeout 5

SSH timeout 5

Console timeout 0

dhcpd dns 8.8.8.8 8.8.4.4

dhcpd lease 3000

!

dhcpd address 192.168.1.100 - 192.168.1.130 inside

dhcpd allow inside

!

a basic threat threat detection

host of statistical threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

allow outside

SVC disk0:/anyconnect-win-2.4.1012-k9.pkg 1 image

enable SVC

internal sslwood group policy

attributes of the strategy of group sslwood

VPN-tunnel-Protocol svc webvpn

WebVPN

list of URLS no

internal group woodgroup strategy

woodgroup group policy attributes

value of server DNS 8.8.8.8 8.8.4.4

Protocol-tunnel-VPN IPSec

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list woodgroup_splitTunnelAcl_1

mrkylewood encrypted Q4339wmn1ourxj9X privilege 15 password username

username mrkylewood attributes

VPN-group-policy sslwood

VPN - connections 3

VPN-tunnel-Protocol svc webvpn

value of group-lock sslwood

WebVPN

SVC request no webvpn default

tunnel-group woodgroup type remote access

tunnel-group woodgroup General attributes

address pool Kyle

Group Policy - by default-woodgroup

tunnel-group woodgroup ipsec-attributes

pre-shared key *.

type tunnel-group sslwood remote access

tunnel-group sslwood General-attributes

address pool Kyle

authentication-server-group (inside) LOCAL

authentication-server-group (outside LOCAL)

Group Policy - by default-sslwood

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the netbios

inspect the rsh

inspect the rtsp

inspect the skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect the tftp

inspect the sip

inspect xdmcp

Review the ip options

type of policy-card inspect dns MY_DNS_INSPECT_MAP

parameters

!

global service-policy global_policy

context of prompt hostname

call-home

Profile of CiscoTAC-1

no active account

http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

email address of destination [email protected] / * /

http https://tools.cisco.com/its/service/...es/DDCEService destination address

destination-mode http transport

Subscribe to alert-group diagnosis

Subscribe to alert-group environment

Subscribe to alert-group monthly periodic inventory

monthly periodicals to subscribe to alert-group configuration

daily periodic subscribe to alert-group telemetry

Cryptochecksum:6fa8db79bcf695080cbdc1159b409360

: end

asawood (config) #.

You also need to add the following:

WebVPN

tunnel-group-list activate

output

tunnel-group sslwood webvpn-attributes

activation of the Group sslwood alias

Let us know if it works.

integrated macOS Sierra Cisco IPsec VPN does not work anymore (impossible to validate the server certificate)

Hello

I just upgraded to macOS Sierra and built-in Cisco IPsec VPN no longer works. When you try to connect, I get a "cannot validate the certificate of the server. "Check your settings and try to reconnect" error message. I use Cisco ASA with self-signed certificates and everything worked fine with previous versions of OS X.

Please help me, I need my VPN Thx a lot

I am having the same problem with StrongSwan and help cert signed with the channel to complete certificates included in the pkcs12 file imported to the keychain. It was working properly in El Capitan, but now broken in the Sierra.

WRV200 ipsec VPN

Hi guys,.

Tried to set up an ipsec VPN LAN - LAN between my WRV200 and WRVS4400N my companion. Filled all the relevant config... simple... but still nothing. They don't seem to connect. We are both on ADSL and using IP address by DNS. Routers are in the log file and try to establish the connection. Tried all the setting, both routers are configured the same. STILL NO JOY! Can anyone help, before having to migrate to a netgear or something nasty!

Sorry forgot to mention, using an AM200 modem in Bridge mode. It my router DHCP address direct WAN instead of NAT. The two systems are fixed the same where routers have outside the WAN address. The modem is transparent. I guess that NAT traversal in not required in that State.

IPSec vpn - no selected proposal

Hello:

I am facing a problem in the configuration of the ipsec vpn on my 7200 router. It's a site to customer topology as shown below.

The request from my pc, R2' isa crypto log:

R2 #debug crypto isakmp
Crypto ISAKMP debug is on
R2 #.
R2 #.
R2 #.
* 22:41:59.871 6 April: ISAKMP (0): received 66.66.66.52 packet dport 500 sport 500 SA NEW Global (N)
* 22:41:59.879 6 April: ISAKMP: created a struct peer 66.66.66.52, peer port 500
* 22:41:59.879 6 April: ISAKMP: new created position = 0x67E98D84 peer_handle = 0 x 80000002
* 22:41:59.883 6 April: ISAKMP: lock struct 0x67E98D84, refcount 1 to peer crypto_isakmp_process_block
* 22:41:59.887 6 April: ISAKMP: 500 local port, remote port 500
* 22:41:59.891 6 April: ISAKMP: (0): insert his with his 67E5DCD8 = success
* 22:41:59.911 6 April: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 22:41:59.911 6 April: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM1

* 6 April 22:41:59.931: ISAKMP: (0): treatment ITS payload. Message ID = 0
* 6 April 22:41:59.935: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.939: ISAKMP: (0): IKE frag vendor processing id payload
* 6 April 22:41:59.939: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.943: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
* 22:41:59.947 6 April: ISAKMP (0): provider ID is NAT - T RFC 3947
* 6 April 22:41:59.947: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.951: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
* 6 April 22:41:59.955: ISAKMP: (0): provider ID is NAT - T v2
* 6 April 22:41:59.959: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.959: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
* 6 April 22:41:59.963: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.967: ISAKM
R2 #P: (0): provider ID seems the unit/DPD but major incompatibility of 241
* 6 April 22:41:59.971: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.971: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 184
* 6 April 22:41:59.975: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.979: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 134
* 22:41:59.983 6 April: ISAKMP: (0): pair found pre-shared key matching 66.66.66.52
* 6 April 22:41:59.987: ISAKMP: (0): pre-shared key local found
* 22:41:59.987 6 April: ISAKMP: analysis of the profiles for xauth...
* 22:41:59.991 6 April: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 10
* 22:41:59.995 6 April: ISAKMP: AES - CBC encryption
* 22:41:59.995 6 April: ISAKMP: keylength 256
* 22:41:59.999 6 April: ISAKMP: SHA hash
* 22:41:59.999 6 April: ISAKMP: unknown group of DH 20
* 22:41:59.999 6 April: ISAKMP: pre-shared key auth
* 22:42:00.003 6 April: ISAKMP: type of life in seconds
* 22:42:00.003 6 April: ISAKMP:
R2 # life expectancy (IPV) 0 x 0 0 x 0 0 x 70 0x80
* 22:42:00.011 6 April: ISAKMP: (0): free encryption algorithm does not match policy.
* 22:42:00.011 6 April: ISAKMP: (0): atts are not acceptable. Next payload is 3
* 22:42:00.011 6 April: ISAKMP: (0): audit ISAKMP transform 2 against the policy of priority 10
* 22:42:00.011 6 April: ISAKMP: AES - CBC encryption
* 22:42:00.011 6 April: ISAKMP: keylength 128
* 22:42:00.011 6 April: ISAKMP: SHA hash
* 22:42:00.011 6 April: ISAKMP: Diffie-Hellman group unknown 19
* 22:42:00.011 6 April: ISAKMP: pre-shared key auth
* 22:42:00.011 6 April: ISAKMP: type of life in seconds
* 22:42:00.011 6 April: ISAKMP: life (IPV) 0 x 0 0 x 0 0 x 70 0x80
* 22:42:00.011 6 April: ISAKMP: (0): free encryption algorithm does not match policy.
* 22:42:00.011 6 April: ISAKMP: (0): atts are not acceptable. Next payload is 3
* 22:42:00.011 6 April: ISAKMP: (0): audit ISAKMP transform 3 against the policy of priority 10
R2 #r 6 22:42:00.011: ISAKMP: AES - CBC encryption
* 22:42:00.011 6 April: ISAKMP: keylength 256
* 22:42:00.011 6 April: ISAKMP: SHA hash
* 22:42:00.011 6 April: ISAKMP: Diffie-Hellman group 14 unknown
* 22:42:00.011 6 April: ISAKMP: pre-shared key auth
* 22:42:00.011 6 April: ISAKMP: type of life in seconds
* 22:42:00.011 6 April: ISAKMP: life (IPV) 0 x 0 0 x 0 0 x 70 0x80
* 22:42:00.011 6 April: ISAKMP: (0): free encryption algorithm does not match policy.
* 22:42:00.011 6 April: ISAKMP: (0): atts are not acceptable. Next payload is 3
* 22:42:00.011 6 April: ISAKMP: (0): audit ISAKMP transform 4 against the policy of priority 10
* 22:42:00.011 6 April: ISAKMP: 3DES-CBC encryption
* 22:42:00.011 6 April: ISAKMP: SHA hash
* 22:42:00.011 6 April: ISAKMP: Diffie-Hellman group 14 unknown
* 22:42:00.011 6 April: ISAKMP: pre-shared key auth
* 22:42:00.011 6 April: ISAKMP: type of life in seconds
* 22:42:00.011 6 April: ISAKMP: life (IPV) 0 x 0 0 x 0 0 x 70 0x80
* 22:42:00.011 6 April: ISAKMP: (0): offered hash algorithm is
R2 # does not match policy.
* 22:42:00.011 6 April: ISAKMP: (0): atts are not acceptable. Next payload is 3
* 22:42:00.011 6 April: ISAKMP: (0): audit ISAKMP transform against the policy of priority 10 5
* 22:42:00.011 6 April: ISAKMP: 3DES-CBC encryption
* 22:42:00.011 6 April: ISAKMP: SHA hash
* 22:42:00.011 6 April: ISAKMP: group by default 2
* 22:42:00.011 6 April: ISAKMP: pre-shared key auth
* 22:42:00.011 6 April: ISAKMP: type of life in seconds
* 22:42:00.015 6 April: ISAKMP: life (IPV) 0 x 0 0 x 0 0 x 70 0x80
* 22:42:00.019 6 April: ISAKMP: (0): offered hash algorithm does not match policy.
* 22:42:00.023 6 April: ISAKMP: (0): atts are not acceptable. Next payload is 0
* 22:42:00.023 6 April: ISAKMP: (0): no offer is accepted!
* 6 April 22:42:00.027: ISAKMP: (0): phase 1 SA policy is not acceptable! (local 180.180.0.130 remote 66.66.66.52)
* 22:42:00.027 6 April: ISAKMP (0): increment the count of errors on his, try 1 of 5: construct_fail_ag_init
* 6 April 22:42:00.027: ISAKMP: (0): has no
R2 #construct AG information message.
* 6 April 22:42:00.027: ISAKMP: (0): lot of 66.66.66.52 sending my_port 500 peer_port 500 (R) MM_NO_STATE
* 22:42:00.027 6 April: ISAKMP: (0): sending a packet IPv4 IKE.
* 22:42:00.031 6 April: ISAKMP: (0): the peer is not paranoid KeepAlive.

* 22:42:00.035 6 April: ISAKMP: (0): removal of reason HIS State "Policy of ITS phase 1 not accepted" (R) MM_NO_STATE (post 66.66.66.52)
* 6 April 22:42:00.039: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): IKE frag vendor processing id payload
* 6 April 22:42:00.039: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
* 22:42:00.039 6 April: ISAKMP (0): provider ID is NAT - T RFC 3947
* 6 April 22:42:00.039: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
* 6 April 22:42:00.039: ISAKMP: (0): provider ID is NAT - T v2
* 6 April 22:42:00.039: ISAKMP: (0)
R2 #: load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
* 6 April 22:42:00.039: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 241
* 6 April 22:42:00.039: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 184
* 6 April 22:42:00.039: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 134
* 22:42:00.039 6 April: ISAKMP (0): action of WSF returned the error: 2
* 22:42:00.039 6 April: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
* 22:42:00.039 6 April: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1

* 22:42:00.059 6 April: ISAKMP: (0): removal of reason HIS State "Policy of ITS phase 1 not accepted" (R) MM_NO_STATE (post 66.66.66.52)
* 22:42:00.059 6 April: ISAKMP: unlock counterpart struct 0x67E98D84 for isadb_m
R2 #ark_sa_deleted (), count 0
* 22:42:00.067 6 April: ISAKMP: delete peer node by peer_reap for 66.66.66.52: 67E98D84
* 22:42:00.071 6 April: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
* 22:42:00.075 6 April: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_DEST_SA

* 22:42:00.087 6 April: ISAKMP: (0): removal of HIS right State 'No reason' (R) MM_NO_STATE (post 66.66.66.52)
* 22:42:00.087 6 April: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
* 22:42:00.087 6 April: ISAKMP: (0): former State = new State IKE_DEST_SA = IKE_DEST_SA

* 22:42:00.895 6 April: ISAKMP (0): received 66.66.66.52 packet 500 Global 500 (R) sport dport MM_NO_STATE
* 22:42:02.911 6 April: ISAKMP (0): received 66.66.66.52 packet 500 Global 500 (R) sport dport MM_NO_STATE
R2 #.
* 22:43:00.087 6 April: ISAKMP: (0): serving SA., his is 67E5DCD8, delme is 67E5DCD8
R2 #.

And when I capture on my pc, I got:

I don't know why, waiting for you helps nicely, thank you very much!

I think that what is wrong is your combination of your group of encryption, hashing and dh, try changing your sha instead of md5 hash table.

Routing access to Internet through an IPSec VPN Tunnel

Hello

I installed a VPN IPSec tunnel for a friend's business. At his desk at home, I installed a Cisco SA520 and at it is remote from the site I have a Cisco RVS4000. The IPSec VPN tunnel works very well. The remote site, it can hit all of its workstations and peripheral. I configured the RVS4000 working in router mode as opposed to the bridge. In the Home Office subnet is 192.168.1.0/24 while the subnet to the remote site is 192.168.2.0/24. The SA520 is configured as Internet gateway for the headquarters to 192.168.1.1. The remote desktop has a gateway 192.168.2.1.

I need to configure the remote site so that all Internet traffic will be routed via the Home Office. I have to make sure that whatever it is plugged into the Ethernet on the RVS4000 port will have its Internet traffic routed through the Internet connection on the SA520. Currently I can ping any device on the headquarters of the remote desktop, but I can't ping anything beyond the gateway (192.168.1.1) in the Home Office.

Any help would be greatly appreciated.

Thank you.

Hi William, the rvs4000 does not support the tunnel or esp transfer wild-card.

Is availble for IPsec VPN FOS 6.3 support stateful failover

Is availble for IPsec VPN FOS 6.3 support stateful failover

SAJ

Hello Saj,

Unfortunately not... stateful failover replica information such as:

Table of connection TCP, udp xlate table ports, h.323, PAT port allocation table...

they replicate data such as:

user authentication (uauth) table

Table ISAKMP / IPSEC SA

ARP table

Routing information

Therefore, in the case where the main breaks down, the IPSEC vpn will be reformed for the failover... Meanwhile, the user will not be able to access the applications...

I hope this helps... all the best... the rate of responses if deemed useful...

REDA

IPSEC VPN WRVS4400N

Hi all

We have a customer who has recently changed Vedors and came to us. We had to change the ISP and the need to make changes in their firewall. I went out on the site and has not been able to get into the routers and I contacted the previos company but they do not release this information. We have therefore had to reset devices and put everything up. Everything works great except before having an IPSEC VPN Tunnel between the 2 buildings. Both buildings have routers WRVS4400N and I configured a VPN IPSEC Tunnel on both sides. I named the same and the summary says that both are on the rise. But when I try to go from one side to the other, I am unable to Ping or solve anything. I'll put all the information I can find are relavent to this problem and hope someone can help me. I called Cisco, but they said they are out of warranty and will not be able to help. Cisco directed me here.

Site A:

Internal:

192.59.1.1 (IP)

255.255.255.0 (SN)

External:

96.10.218.14 (IP)

255.255.255.252 (SN)

96.10.218.13 (GW)

24.25.5.60 (DNS1)

24.25.5.61 (DNS2)

Site b:

I internal:

192.39.1.1 (IP)

255.255.255.0 (SN)

External:

50.52.145.50 (IP)

255.255.255.252 (SN)

50.52.145.49 (GW)

184.16.4.22 (DNS1)

184.16.33.54 (DNS2)

V Tunnels PN

Site has

Site B

For security purposes the IP addresses are not exactly what is displayed, but I checked 10 times and they correspond to the remote site said. Yet once again, say that they are on the rise, but I am unable to ping or see the tunnel devices. Help, please.

Thanks in advance

Mike

The problem is most likely in the 'Local Group' configuration. How they are implemented is essentially to allow only the 192.39.1.1 and 192.59.1.1 talk to each other. These fields should be read as the subnet as this ID: 192.39.1.0 and 192.59.1.0

Try this restart of the tunnels, and let us know how it worked.

Cisco RV220W IPSec VPN problem Local configuration for any config mode

Dear all,

I need help, I am currently evaluating RV220W for VPN usage but I'm stuck with the config somehow, it seems that there is a problem with the Mode-Config?

What needs to be changed or where is my fault?

I have installed IPSec according to the RV220W Administrator's Guide. Client's Mac with Mac Cisco IPSec VPN, I also tried NCP Secure Client.

I have 3 other sites where the config on my Mac works fine, but the Cisco VPN router is not.

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: remote for found identifier "remote.com" configuration

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: application received for the negotiation of the new phase 1: x.x.x.x [500]<=>2.206.0.67 [53056]

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: early aggressive mode.

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: RFC 3947

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: CISCO - UNITY

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: DPD

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: for 2.206.0.67 [53056], version selected NAT - T: RFC 39472013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: floating ports NAT - t with peer 2.206.0.67 [52149]

2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT - D payload is x.x.x.x [4500]

2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT - D payload does not match for 2.206.0.67 [52149]

2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT detected: Peer is behind a NAT device

2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: request sending Xauth for 2.206.0.67 [52149]

2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: ISAKMP Security Association established for x.x.x.x [4500] - 2.206.0.67 [52149] with spi: 1369a43b6dda8a7d:fd874108e09e207e

2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: type of the attribute "ISAKMP_CFG_REPLY" from 2.206.0.67 [52149]

2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: connection for the user "Testuser".

2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: type of the attribute "ISAKMP_CFG_REQUEST" from 2.206.0.67 [52149]

2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: ignored attribute 5

2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: attribute ignored 28678

2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: attribute ignored 28683

2013-03-07 01:56:07: [CiscoFirewall] [IKE] INFO: purged-with proto_id = ISAKMP and spi = 1369a43b6dda8a7d:fd874108e09e207e ISAKMP Security Association.

2013-03-07 01:56:08: [CiscoFirewall] [IKE] INFO: ISAKMP Security Association deleted for x.x.x.x [4500] - 2.206.0.67 [52149] with spi: 1369a43b6dda8a7d:fd874108e09e207e

Hi Mike, the built-in client for MAC does not work with the RV220W. The reason is, the MAC IPSec client is the same as the Cisco VPN 5.x client.

The reason that this is important is that the 5.x client work that on certain small business products include the SRP500 and SA500 series.

I would recommend that you search by using a client VPN as Greenbow or IPSecuritas.

-Tom
Please mark replied messages useful

Problem Cisco 2811 with L2TP IPsec VPN

Hello. Sorry for my English. Help me please. I have problem with L2TP over IPsec VPN when I connect with Android phones. Even if I connect with laptop computers. I have Cisco 2811 - Cisco IOS software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4 (2) T2, (fc3) SOFTWARE VERSION. I configured on L2TP over IPsec VPN with Radius Authentication

My config:

!
AAA new-model
!
!
AAA authentication login default local
Ray of AAA for authentication ppp default local group
AAA authorization network default authenticated if
start-stop radius group AAA accounting network L2TP_RADIUS

!
dhcp L2tp IP pool
network 192.168.100.0 255.255.255.0
default router 192.168.100.1
domain.local domain name
192.168.101.12 DNS server
18c0.a865.c0a8.6401 hexagonal option 121
18c0.a865.c0a8.6401 hexagonal option 249

VPDN enable
!
VPDN-group sec_groupe
! Default L2TP VPDN group
accept-dialin
L2tp Protocol
virtual-model 1
no authentication of l2tp tunnel

session of crypto consignment
!
crypto ISAKMP policy 5
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 55
BA 3des
md5 hash
preshared authentication
Group 2

ISAKMP crypto key... address 0.0.0.0 0.0.0.0
invalid-spi-recovery crypto ISAKMP
ISAKMP crypto keepalive 10 periodicals
!
life crypto ipsec security association seconds 28000
!
Crypto ipsec transform-set esp-3des esp-sha-hmac L2TP
transport mode
Crypto ipsec transform-set esp-3des esp-md5-hmac 3DESMD5
need transport mode
!

!
!
crypto dynamic-map DYN - map 10
Set nat demux
game of transformation-L2TP
!
!
Crypto map 10 L2TP-VPN ipsec-isakmp dynamic DYN-map

interface Loopback1
Description * L2TP GateWay *.
IP 192.168.100.1 address 255.255.255.255

interface FastEthernet0/0
Description * Internet *.
address IP 95.6... 255.255.255.248
IP access-group allow-in-of-wan in
IP access-group allows-off-of-wan on
no ip redirection
no ip unreachable
no ip proxy-arp
NAT outside IP
IP virtual-reassembly
IP route cache policy
automatic duplex
automatic speed
L2TP-VPN crypto card
!

interface virtual-Template1
Description * PPTP *.
IP unnumbered Loopback1
IP access-group L2TP_VPN_IN in
AutoDetect encapsulation ppp
default IP address dhcp-pool L2tp peer
No keepalive
PPP mtu Adaptive
PPP encryption mppe auto
PPP authentication ms-chap-v2 callin
PPP accounting L2TP_RADIUS

L2TP_VPN_IN extended IP access list
permit any any icmp echo
IP 192.168.100.0 allow 0.0.0.255 192.168.101.0 0.0.0.255
IP 192.168.100.0 allow 0.0.0.255 192.168.3.0 0.0.0.255
allow udp any any eq bootps
allow udp any any eq bootpc
deny ip any any journal entry

RADIUS-server host 192.168.101.15 auth-port 1812 acct-port 1813
RADIUS server retry method reorganize
RADIUS server retransmit 2
Server RADIUS 7 key...

Debugging shows me

234195: * 3 Feb 18:53:38: ISAKMP (0:0): received 93.73.161.229 packet dport 500 sport 500 SA NEW Global (N)
234196: * 3 Feb 18:53:38: ISAKMP: created a struct peer 93.73.161.229, peer port 500
234197: * 3 Feb 18:53:38: ISAKMP: new position created post = 0x47D305BC peer_handle = 0x80007C5F
234198: * 3 Feb 18:53:38: ISAKMP: lock struct 0x47D305BC, refcount 1 to peer crypto_isakmp_process_block
234199: * 3 Feb 18:53:38: ISAKMP: 500 local port, remote port 500
234200: * 3 Feb 18:53:38: insert his with his 480CFF64 = success
234201: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
234202: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM1
234203: * 3 Feb 18:53:38: ISAKMP: (0): treatment ITS payload. Message ID = 0
234204: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234205: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
234206: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234207: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
234208: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234209: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
234210: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is NAT - T v2
234211: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234212: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
234213: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234214: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
234215: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234216: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is DPD
234217: * 3 Feb 18:53:38: ISAKMP: (0): looking for a key corresponding to 93.73.161.229 in default
234218: * 3 Feb 18:53:38: ISAKMP: (0): success
234219: * 3 Feb 18:53:38: ISAKMP: (0): pair found pre-shared key matching 93.73.161.229
234220: * 3 Feb 18:53:38: ISAKMP: (0): pre-shared key local found
234221: * 3 Feb 18:53:38: ISAKMP: analysis of the profiles for xauth...
234222: * 3 Feb 18:53:38: ISAKMP: (0): audit ISAKMP transform 1 against policy priority 5
234223: * 3 Feb 18:53:38: ISAKMP: type of life in seconds
234224: * 3 Feb 18:53:38: ISAKMP: life (basic) of 28800
234225: * 3 Feb 18:53:38: ISAKMP: 3DES-CBC encryption
234226: * 3 Feb 18:53:38: ISAKMP: pre-shared key auth
234227: * 3 Feb 18:53:38: ISAKMP: SHA hash
234228: * 3 Feb 18:53:38: ISAKMP: group by default 2
234229: * 3 Feb 18:53:38: ISAKMP: (0): atts are acceptable. Next payload is 3
234230: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234231: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
234232: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234233: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
234234: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234235: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
234236: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is NAT - T v2
234237: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234238: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
234239: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234240: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
234241: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234242: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is DPD
234243: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
234244: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1

234245: * 3 Feb 18:53:38: ISAKMP: (0): built the seller-02 ID NAT - t
234246: * 3 Feb 18:53:38: ISAKMP: (0): lot of 93.73.161.229 sending my_port 500 peer_port 500 (R) MM_SA_SETUP
234247: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
234248: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM2

234249: * 3 Feb 18:53:38: ISAKMP (0:0): received 93.73.161.229 packet 500 Global 500 (R) sport dport MM_SA_SETUP
234250: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
234251: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM2 = IKE_R_MM3

234252: * 3 Feb 18:53:38: ISAKMP: (0): processing KE payload. Message ID = 0
234253: * 3 Feb 18:53:38: crypto_engine: create DH shared secret
234254: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_DH_SHARE_SECRET (hw) (ipsec)
234255: * 3 Feb 18:53:38: ISAKMP: (0): processing NONCE payload. Message ID = 0
234256: * 3 Feb 18:53:38: ISAKMP: (0): looking for a key corresponding to 93.73.161.229 in default
234257: * 3 Feb 18:53:38: ISAKMP: (0): success
234258: * 3 Feb 18:53:38: ISAKMP: (0): pair found pre-shared key matching 93.73.161.229
234259: * 3 Feb 18:53:38: crypto_engine: create IKE SA
234260: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_SA_CREATE (hw) (ipsec)
234261: * 3 Feb 18:53:38: ISAKMP: receives the payload type 20
234262: * 3 Feb 18:53:38: ISAKMP: receives the payload type 20
234263: * 3 Feb 18:53:38: ISAKMP (0:5912): NAT found, the node outside NAT
234264: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
234265: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM3 = IKE_R_MM3

234266: * 3 Feb 18:53:38: ISAKMP: (5912): lot of 93.73.161.229 sending my_port 500 peer_port 500 (R) MM_KEY_EXCH
234267: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
234268: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM3 = IKE_R_MM4

234269: * 3 Feb 18:53:38: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) MM_KEY_EXCH sport
234270: * 3 Feb 18:53:38: crypto_engine: package to decipher IKE
234271: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234272: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
234273: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM4 = IKE_R_MM5

234274: * 3 Feb 18:53:38: ISAKMP: (5912): payload ID for treatment. Message ID = 0
234275: * 3 Feb 18:53:38: ISAKMP (0:5912): payload ID
next payload: 8
type: 1
address: 192.168.1.218
Protocol: 17
Port: 500
Length: 12
234276: * 3 Feb 18:53:38: ISAKMP: (5912): peer games * no * profiles
234277: * 3 Feb 18:53:38: ISAKMP: (5912): HASH payload processing. Message ID = 0
234278: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
234279: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234280: * 3 Feb 18:53:38: ISAKMP: (5912): SA authentication status:
authenticated
234281: * 3 Feb 18:53:38: ISAKMP: (5912): SA has been authenticated with 93.73.161.229
234282: * 3 Feb 18:53:38: ISAKMP: (5912): port detected floating port = 4500
234283: * 3 Feb 18:53:38: ISAKMP: attempts to insert a peer and inserted 95.6.../93.73.161.229/4500/ 47D305BC successfully.
234284: * 3 Feb 18:53:38: ISAKMP: (5912): IKE_DPD is enabled, the initialization of timers
234285: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
234286: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM5 = IKE_R_MM5

234287: * 3 Feb 18:53:38: ISAKMP: (5912): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
234288: * 3 Feb 18:53:38: ISAKMP (0:5912): payload ID
next payload: 8
type: 1
address: 95.6...
Protocol: 17
Port: 0
Length: 12
234289: * 3 Feb 18:53:38: ISAKMP: (5912): the total payload length: 12
234290: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
234291: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234292: * 3 Feb 18:53:38: crypto_engine: package to encrypt IKE
routerindc #.
234293: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT (hw) (ipsec)
234294: * 3 Feb 18:53:38: ISAKMP: (5912): lot of 93.73.161.229 sending peer_port my_port 4500 4500 (R) MM_KEY_EXCH
234295: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
234296: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE

234297: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
234298: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

234299: * 3 Feb 18:53:38: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
234300: * 3 Feb 18:53:38: ISAKMP: node set-893966165 to QM_IDLE
234301: * 3 Feb 18:53:38: crypto_engine: package to decipher IKE
234302: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234303: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
234304: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234305: * 3 Feb 18:53:38: ISAKMP: (5912): HASH payload processing. Message ID =-893966165
234306: * 3 Feb 18:53:38: ISAKMP: (5912): treatment protocol NOTIFIER INITIAL_CONTACT 1
SPI 0, message ID =-893966165, his 480CFF64 =
234307: * 3 Feb 18:53:38: ISAKMP: (5912): SA authentication status:
authenticated
234308: * 3 Feb 18:53:38: ISAKMP: (5912): process of first contact.
dropping existing phase 1 and 2 with 95.6 local... 93.73.161.229 remote remote port 4500
234309: * 3 Feb 18:53:38: ISAKMP: (5912): node-893966165 error suppression FALSE reason 'informational (en) State 1.
234310: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
234311: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

234312: * 3 Feb 18:53:38: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234313: * 3 Feb 18:53:39: % s-6-IPACCESSLOGRL: registration of limited or missed rates 150 packages of access list
234314: * 3 Feb 18:53:39: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
234315: * 3 Feb 18:53:39: ISAKMP: node set-1224389198 to QM_IDLE
234316: * 3 Feb 18:53:39: crypto_engine: package to decipher IKE
234317: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234318: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
234319: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234320: * 3 Feb 18:53:39: ISAKMP: (5912): HASH payload processing. Message ID =-1224389198
234321: * 3 Feb 18:53:39: ISAKMP: (5912): treatment ITS payload. Message ID =-1224389198
234322: * 3 Feb 18:53:39: ISAKMP: (5912): proposal of IPSec checking 1
234323: * 3 Feb 18:53:39: ISAKMP: turn 1, ESP_3DES
234324: * 3 Feb 18:53:39: ISAKMP: attributes of transformation:
234325: * 3 Feb 18:53:39: ISAKMP: type of life in seconds
234326: * 3 Feb 18:53:39: ISAKMP: life of HIS (basic) of 28800
234327: * 3 Feb 18:53:39: ISAKMP: program is 61444 (Transport-UDP)
234328: * 3 Feb 18:53:39: ISAKMP: authenticator is HMAC-SHA
234329: * 3 Feb 18:53:39: CryptoEngine0: validate the proposal
234330: * 3 Feb 18:53:39: ISAKMP: (5912): atts are acceptable.
234331: * 3 Feb 18:53:39: IPSEC (validate_proposal_request): part #1 of the proposal
(Eng. msg key.) Local INCOMING = 95.6..., distance = 93.73.161.229,.
local_proxy = 95.6.../255.255.255.255/17/1701 (type = 1),
remote_proxy = 93.73.161.229/255.255.255.255/17/0 (type = 1),
Protocol = ESP, transform = esp-3des esp-sha-hmac (UDP Transport),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
234332: * 3 Feb 18:53:39: map_db_find_best found no corresponding card
234333: * 3 Feb 18:53:39: ISAKMP: (5912): processing NONCE payload. Message ID =-1224389198
234334: * 3 Feb 18:53:39: ISAKMP: (5912): payload ID for treatment. Message ID =-1224389198
234335: * 3 Feb 18:53:39: ISAKMP: (5912): payload ID for treatment. Message ID =-1224389198
234336: * 3 Feb 18:53:39: ISAKMP: (5912): ask 1 spis of ipsec
234337: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
234338: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_READY = IKE_QM_SPI_STARVE
234339: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234340: * 3 Feb 18:53:39: IPSEC (spi_response): spi getting 834762579 for SA
of 95.6... to 93.73.161.229 for prot 3
234341: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
234342: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234343: * 3 Feb 18:53:39: crypto_engine: create Security Association IPSec (by QM)
routerindc #.
234344: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE (hw) (ipsec)
234345: * 3 Feb 18:53:39: crypto_engine: create Security Association IPSec (by QM)
234346: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE (hw) (ipsec)
234347: * 3 Feb 18:53:39: ISAKMP: (5912): establishing IPSec security associations
234348: * 3 Feb 18:53:39: from 93.73.161.229 to 95.6 SA... (f / i) 0 / 0
(93.73.161.229 to 95.6 proxy...)
234349: * 3 Feb 18:53:39: spi 0x31C17753 and id_conn a 0
234350: * 3 Feb 18:53:39: life of 28800 seconds
234351: * 3 Feb 18:53:39: ITS 95.6 outgoing... to 93.73.161.229 (f / i) 0/0
(proxy 95.6... to 93.73.161.229)
234352: * 3 Feb 18:53:39: spi 0x495A4BD and id_conn a 0
234353: * 3 Feb 18:53:39: life of 28800 seconds
234354: * 3 Feb 18:53:39: crypto_engine: package to encrypt IKE
234355: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT (hw) (ipsec)
234356: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234357: * 3 Feb 18:53:39: map_db_find_best found no corresponding card
234358: * 3 Feb 18:53:39: IPSec: rate allocated for brother 80000273 Flow_switching
234359: * 3 Feb 18:53:39: IPSEC (policy_db_add_ident): 95.6..., src dest 93.73.161.229, dest_port 4500

234360: * 3 Feb 18:53:39: IPSEC (create_sa): its created.
(his) sa_dest = 95.6..., sa_proto = 50.
sa_spi = 0x31C17753 (834762579).
sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 1165
234361: * 3 Feb 18:53:39: IPSEC (create_sa): its created.
(his) sa_dest = 93.73.161.229, sa_proto = 50,.
sa_spi = 0x495A4BD (76915901).
sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 1166
234362: * 3 Feb 18:53:39: ISAKMP: (5912): lot of 93.73.161.229 sending peer_port my_port 4500 4500 (R) QM_IDLE
234363: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
234364: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_SPI_STARVE = IKE_QM_R_QM2
234365: * 3 Feb 18:53:39: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
234366: * 3 Feb 18:53:39: crypto_engine: package to decipher IKE
234367: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234368: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
234369: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
routerindc #.
234370: * 3 Feb 18:53:39: ISAKMP: (5912): node-1224389198 error suppression FALSE reason 'QM (wait).
234371: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
234372: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
234373: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234374: * 3 Feb 18:53:39: IPSEC (key_engine_enable_outbound): rec would notify of ISAKMP
234375: * 3 Feb 18:53:39: IPSEC (key_engine_enable_outbound): select SA with spinnaker 76915901/50
234376: * 3 Feb 18:53:40: IPSEC (epa_des_crypt): decrypted packet has no control of her identity
routerindc #.
234377: * 3 Feb 18:53:42: IPSEC (epa_des_crypt): decrypted packet has no control of her identity
routerindc #.
234378: * 3 Feb 18:53:44: IPSEC (epa_des_crypt): decrypted packet has no control of her identity

Also when I connect with the phone, I see HIS Active and IPsec tunnel is mounted, but the wire of time tunnel is down and phone connects.

I hope that you will help me. Thank you.

Hi dvecherkin1,

Who IOS you're running, you could hit the next default.

https://Tools.Cisco.com/bugsearch/bug/CSCsg34166/?reffering_site=dumpcr

It may be useful

-Randy-

Evaluate the ticket to help others find the answer quickly.

IPSEC VPN on ASA5505

Hello, hope you can help me:

I need to configure an IPSEC VPN on an ASA5505, with one. PFX certificate to authenticate with the VPN endpoint. I can install the certificate as a certificate authority, but when I use the VPN Site - to - Site Wizard, I put the IP address peer, afterI try to select the certificate that is downloaded, but when I click on the name of the certificate, there is no certificate

I don't I can solve this problem?

Thanks to all in advance

Hello

Do you see the certificate imported as cert ID? If so, you can follow this guide

http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

HTH

Averroès.

ASA 9.2 IPSEC VPN

I have ASA version 9.2 (2) 4 - model 5515

I need to configure IPSEC VPN site-to-site.

Can anyone share with me the example of ASA 9.2 CLI for IPSEC VPN configuration?

Congratulations to find a solution to your problem. Thank you for posting on the Board to indicate that the issue is resolved and to share the solution. This can help other readers in the forum.

HTH

Rick

IPSEC VPN help!

Similar Questions

Maybe you are looking for