IPSec vpn ios - pix problem

I have a big problem and I don't know what to do. set up a VPN with the following data:

of the encryotion, md5 hash, dh 1, pre-shared, but when I tried to affermirai the vpn router ios show me this error

Jul 1 20:50:15.311: IPSEC (validate_transform_proposal): application for conversion not supported for identity:

{esp-3des esp-md5-hmac}

Help, please

show configurations.

Tags: Cisco Security

Similar Questions

IPSEC VPN between Pix 515E and 1841 router

Hi all

BACKGROUND

We have implemented a site to site VPN IPSEC between a Pix 515E 8.0 operation (4) and an 1841 using static IP addresses at both ends. We used CCP on the router and the ASDM the pix to build initial tunnels. Now the site with the router is evolving into a dynamic IP address from the ISP so we have implemented dynamic DNS to update dynamic IP address.

PROBLEM

The problem is that ASDM will not allow us to set a domain as the address of peers, it will not accept an IP address. We believe that the solution will be to remove the static Crypto map and replace it with a dynamic Crypto map on the side of Pix. Our questions are simply; is this the best solution? can change us the original static list or is it better to delete and make a new dynamic encryption card? Y at - it a shortcut to change the config command-line? This is a real network, so just check it out before make us any changes on the live kit.

Any help much appreciated.

You don't have to change anything when the peer-address changes. The dynamic crypto map aims to take dynamic peer connections. The only thing to remember, is that only the dynamic peer can initiate the connection. And you reduce your security if you use Pre-Shared key that now you can use a generic-PSK character.

As I remember, the PIX / ASA does not support the dynamic use of FQDNs for peer-resolution. This feature is supported in IOS.

For a feature, it would be preferable to static IP addresses on both sides.

IPSEC VPN crossed/Uturn problems internal net connections

I have an ASA 5505 I connect remotely. I use it as a remote IPSEC VPN with crossed/uturn to allow me to surf the Internet with my IP address.

I can't access one of the internal computers on my home network. I was able to do it successfully in the past on an older IOS SAA, but I am now on a new ASA 8.2 running (1) and I am unable to connect internally.

I would like to connect my Slingbox and Tivo which is my home. I tried to ping the boxes and no luck. In the past, when it worked I was able to ping devices.

I enclose my config.

Thanks in advance.

Jon

Jon,

If you are able to PING 192.168.1.1 VPN client, it means traffic reaches right inside the interface of the ASA.

Now, the ASA must forward packets to 192.168.1.6 when received.

Follow these steps:

Just add the keyword to the outside

to this statement:

NAT (outside) 1 192.168.2.0 255.255.255.0 outside

Try again. If this does not work, make sure that the only NAT statements you have are the following (you can copy and paste):

permit ip 192.168.2.0 access list NAT0OUT 255.255.255.0 192.168.1.0 255.255.255.0

permit 192.168.1.0 ip access list NAT0IN 255.255.255.0 192.168.2.0 255.255.255.0

no global (inside) 1 interface

NAT (inside) 0-list of access NAT0IN

NAT (inside) 1 192.168.1.0 255.255.255.0

NAT (outside) 0-list of access NAT0OUT

NAT (outside) 1 192.168.2.0 255.255.255.0

Federico.

VPN to Pix problem

It seems that I have problems similar to many others in the connection of remote clients to a PIX 515E.

Currently, I have tried both the client VPN Cisco 3.6 and 4.03 without success. Users are authenticated very well and the customer, you can see that their assigned an address etc but they are unable to access the internal network. The crypto ipsec his watch HS no encrypted traffic has affected the Pix as its...

within the State of the customer etc., it shows that packets are encrypted so I'm at a bit of a loss.

I have also a problem with pptp connections - this seems to differ between the BONES on the client but Win2K machines can connect and get checked etc but again failed to connect within the networks. These could be linked?

My current config is: (change of address, etc.)

SH run

: Saved

:

PIX Version 6.2 (1)

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

nameif ethernet2 security10 intf2

enable password xxxx

passwd xxxx

hostname fw

domain name

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol they 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol 2000 skinny

No fixup protocol sip 5060

names of

name Inside_All 10.0.0.0

name 10.30.1.0 Ireland1_LAN

name 159.135.101.34 Ireland1_VPN

name 213.95.227.137 IrelandSt1_VPN

name 10.30.2.0 Cardiff_LAN

name 82.69.56.30 Cardiff_VPN

access-list 101 permit ip Inside_All 255.0.0.0 10.1.1.88 255.255.255.248

access-list 101 permit ip Ireland1_LAN 255.255.255.0 255.0.0.0 Inside_All

access-list 101 permit ip Cardiff_LAN 255.255.255.0 255.0.0.0 Inside_All

access-list 101 permit ip Inside_All 255.0.0.0 10.30.3.0 255.255.255.0

access-list 101 permit ip Inside_All 255.0.0.0 192.168.253.0 255.255.255.0

outside_interface list access permit icmp any any echo

outside_interface list access permit icmp any any echo response

outside_interface list of access permit icmp any any traceroute

outside_interface list access permit tcp any host 212.36.237.99 eq smtp

outside_interface ip access list allow any host 212.36.237.100

access-list permits outside_interface tcp host 212.241.168.236 host 212.36.237.101 eq telnet

outside_interface list of access permitted tcp 192.188.69.0 255.255.255.0 host 212.36.237.101 eq telnet

outside_interface list access permit tcp any any eq telnet

allow the ip host 82.69.108.125 access list outside_interface a

access-list 102 permit ip 10.1.1.0 255.255.255.0 Ireland1_LAN 255.255.255.0

access-list 103 allow ip 10.1.1.0 255.255.255.0 Cardiff_LAN 255.255.255.0

access-list 104. allow ip 10.1.1.0 255.255.255.0 10.30.3.0 255.255.255.0

pager lines 24

opening of session

recording of debug console

monitor debug logging

interface ethernet0 10baset

interface ethernet1 10baset

Automatic stop of interface ethernet2

Outside 1500 MTU

Within 1500 MTU

intf2 MTU 1500

IP outdoor 212.36.237.98 255.255.255.240

IP address inside 10.1.1.250 255.255.255.0

intf2 IP address 127.0.0.1 255.255.255.255

alarm action IP verification of information

alarm action attack IP audit

IP local pool ippool 10.1.1.88 - 10.1.1.95

IP local pool mspool 10.7.1.1 - 10.7.1.50

IP local pool mspools 192.168.253.1 - 192.168.253.50

location of PDM Inside_All 255.255.255.0 inside

location of PDM 82.69.108.125 255.255.255.255 outside

location of PDM 10.55.1.0 255.255.255.0 inside

PDM logging 100 information

history of PDM activate

ARP timeout 14400

Global 1 interface (outside)

(Inside) NAT 0-list of access 101

NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

public static 212.36.237.100 (Interior, exterior) 10.1.1.50 netmask 255.255.255.255 0 0

public static 212.36.237.101 (Interior, exterior) 10.1.1.254 netmask 255.255.255.255 0 0

public static 212.36.237.99 (Interior, exterior) 10.1.1.208 netmask 255.255.255.255 0 0

Access-group outside_interface in interface outside

Route outside 0.0.0.0 0.0.0.0 212.36.237.97 1

Route inside Inside_All 255.255.255.0 10.1.1.254 1

Route inside 10.2.1.0 255.255.255.0 10.1.1.254 1

Route inside 10.3.1.0 255.255.255.0 10.1.1.254 1

Route inside 10.4.1.0 255.255.255.0 10.1.1.254 1

Route inside 10.5.1.0 255.255.255.0 10.1.1.254 1

Route inside 10.6.1.0 255.255.255.0 10.1.1.254 1

Route inside 10.7.1.0 255.255.255.0 10.1.1.254 1

Route inside 10.8.1.0 255.255.255.0 10.1.1.254 1

Route inside 10.9.1.0 255.255.255.0 10.1.1.254 1

Route inside 10.10.1.0 255.255.255.0 10.1.1.254 1

Route inside 10.11.1.0 255.255.255.0 10.1.1.253 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00

Timeout uauth 0:00:00 uauth absolute 0:30:00 inactivity

GANYMEDE + Protocol Ganymede + AAA-server

RADIUS Protocol RADIUS AAA server

AAA-server local LOCAL Protocol

AAA-server AuthInOut Protocol Ganymede +.

AAA-server AuthInOut (inside) host 10.1.1.203 Kinder timeout 10

the AAA authentication include http outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut

the AAA authentication include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut

AAA accounting include http outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut

AAA accounting include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut

Enable http server

http 82.69.108.125 255.255.255.255 outside

http 10.1.1.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server SNMP community xxx

No trap to activate snmp Server

enable floodguard

Permitted connection ipsec sysopt

Sysopt connection permit-pptp

Sysopt route dnat

Crypto ipsec transform-set esp - esp-md5-hmac VPNAccess

Crypto ipsec transform-set esp-3des esp-md5-hmac VPNAccess2

Crypto-map dynamic dynmap 10 game of transformation-VPNAccess2

card crypto home 9 ipsec-isakmp dynamic dynmap

card crypto ipsec-isakmp 10 home

address of 10 home game card crypto 102

set of 10 House card crypto peer IrelandSt1_VPN

House 10 game of transformation-VPNAccess crypto card

card crypto ipsec-isakmp 15 home

address of home 15 game card crypto 103

set of 15 home map crypto peer Cardiff_VPN

House 15 game of transformation-VPNAccess crypto card

card crypto ipsec-isakmp 30 home

address of 30 home game card crypto 104

crypto home 30 card set peer 212.242.143.147

House 30 game of transformation-VPNAccess crypto card

interface card crypto home outdoors

ISAKMP allows outside

ISAKMP key * address IrelandSt1_VPN netmask 255.255.255.255

ISAKMP key * address Cardiff_VPN netmask 255.255.255.255

ISAKMP key * address 212.242.143.147 netmask 255.255.255.255

ISAKMP identity address

part of pre authentication ISAKMP policy 5

ISAKMP strategy 5 3des encryption

ISAKMP strategy 5 md5 hash

5 2 ISAKMP policy group

ISAKMP life duration strategy 5 86400

part of pre authentication ISAKMP policy 7

ISAKMP strategy 7 3des encryption

ISAKMP strategy 7 sha hash

7 2 ISAKMP policy group

ISAKMP strategy 7 life 28800

part of pre authentication ISAKMP policy 10

encryption of ISAKMP policy 10

ISAKMP policy 10 md5 hash

10 1 ISAKMP policy group

ISAKMP policy 10 life 85000

part of pre authentication ISAKMP policy 20

encryption of ISAKMP policy 20

ISAKMP policy 20 md5 hash

20 2 ISAKMP policy group

ISAKMP duration strategy of life 20 85000

vpngroup client address mspools pool

vpngroup dns-server 194.153.0.18 client

vpngroup wins client-server 10.155.1.16

vpngroup idle time 1800 customer

vpngroup customer password *.

Telnet 82.69.108.125 255.255.255.255 outside

Telnet 10.55.1.0 255.255.255.0 inside

Telnet 10.1.1.0 255.255.255.0 inside

Telnet timeout 15

SSH 82.69.108.125 255.255.255.255 outside

SSH timeout 15

VPDN Group 6 accept dialin pptp

PAP VPDN Group 6 ppp authentication

VPDN Group 6 chap for ppp authentication

VPDN Group 6 ppp mschap authentication

VPDN Group 6 ppp encryption mppe auto

VPDN Group 6 client configuration address local mspools

VPDN Group 6 pptp echo 60

local 6 VPDN Group client authentication

VPDN username xxxx password *.

VPDN username password xxx *.

VPDN username password xxx *.

VPDN username password xxx *.

VPDN username xxxx password *.

VPDN allow outside

username xxx pass xxx

Terminal width 80

Cryptochecksum:8f8ceca91c6652e3cc8086edc8ed62fa

: end

If you do not see decrypts side Pix while my thoughts are (for IPSEC) ESP and GRE (for PPTP) do not get to your Pix (blocks perhaps of ISP or other devices).

If you do a "capture" of the packets on the external interface you see all traffic ESP or GRE? Where the customer? If this isn't the case, dialup is ESP or permitted GRE?

IOS IPSEC VPN with NAT - translation problem

I'm having a problem with IOS IPSEC VPN configuration.

/*

crypto ISAKMP policy 10

BA 3des

preshared authentication

Group 2

ISAKMP crypto keys TEST123 address 205.xx.1.4

!

!

Crypto ipsec transform-set esp-3des esp-sha-hmac CHAIN

!

!

Map 10 CRYPTO map ipsec-isakmp crypto

the value of 205.xx.1.4 peer

transformation-CHAIN game

match address 115

!

interface FastEthernet0/0

Description FOR the EDGE ROUTER

IP address 208.xx.xx.33 255.255.255.252

NAT outside IP

card crypto CRYPTO-map

!

interface FastEthernet0/1

INTERNAL NETWORK description

IP 10.15.2.4 255.255.255.0

IP nat inside

access-list 115 permit 192.xx.xx.128 0.0.0.3 ip 172.xx.1.0 0.0.0.3

*/

(This configuration is incomplete / NAT configuration needed)

Here is the solution that I'm looking for:

When a session is initiated from the "internal network" to the "distance IPSEC - 172.xx.1.0/30 ' network I want the address scheme '10.15.0.0/16' NAT translation deals with '192.xx.xx.128/30' before forwarding via the IPSEC VPN Tunnel.

For more information, see "SCHEMA ATTACHED".

Any help is greatly appreciated!

Thank you

Clint Simmons

Network engineer

You can try the following NAT + route map approach (method 2 in this link)

http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

Thank you

Raja K

Problem Cisco 2811 with L2TP IPsec VPN

Hello. Sorry for my English. Help me please. I have problem with L2TP over IPsec VPN when I connect with Android phones. Even if I connect with laptop computers. I have Cisco 2811 - Cisco IOS software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4 (2) T2, (fc3) SOFTWARE VERSION. I configured on L2TP over IPsec VPN with Radius Authentication

My config:

!
AAA new-model
!
!
AAA authentication login default local
Ray of AAA for authentication ppp default local group
AAA authorization network default authenticated if
start-stop radius group AAA accounting network L2TP_RADIUS

!
dhcp L2tp IP pool
network 192.168.100.0 255.255.255.0
default router 192.168.100.1
domain.local domain name
192.168.101.12 DNS server
18c0.a865.c0a8.6401 hexagonal option 121
18c0.a865.c0a8.6401 hexagonal option 249

VPDN enable
!
VPDN-group sec_groupe
! Default L2TP VPDN group
accept-dialin
L2tp Protocol
virtual-model 1
no authentication of l2tp tunnel

session of crypto consignment
!
crypto ISAKMP policy 5
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 55
BA 3des
md5 hash
preshared authentication
Group 2

ISAKMP crypto key... address 0.0.0.0 0.0.0.0
invalid-spi-recovery crypto ISAKMP
ISAKMP crypto keepalive 10 periodicals
!
life crypto ipsec security association seconds 28000
!
Crypto ipsec transform-set esp-3des esp-sha-hmac L2TP
transport mode
Crypto ipsec transform-set esp-3des esp-md5-hmac 3DESMD5
need transport mode
!

!
!
crypto dynamic-map DYN - map 10
Set nat demux
game of transformation-L2TP
!
!
Crypto map 10 L2TP-VPN ipsec-isakmp dynamic DYN-map

interface Loopback1
Description * L2TP GateWay *.
IP 192.168.100.1 address 255.255.255.255

interface FastEthernet0/0
Description * Internet *.
address IP 95.6... 255.255.255.248
IP access-group allow-in-of-wan in
IP access-group allows-off-of-wan on
no ip redirection
no ip unreachable
no ip proxy-arp
NAT outside IP
IP virtual-reassembly
IP route cache policy
automatic duplex
automatic speed
L2TP-VPN crypto card
!

interface virtual-Template1
Description * PPTP *.
IP unnumbered Loopback1
IP access-group L2TP_VPN_IN in
AutoDetect encapsulation ppp
default IP address dhcp-pool L2tp peer
No keepalive
PPP mtu Adaptive
PPP encryption mppe auto
PPP authentication ms-chap-v2 callin
PPP accounting L2TP_RADIUS

L2TP_VPN_IN extended IP access list
permit any any icmp echo
IP 192.168.100.0 allow 0.0.0.255 192.168.101.0 0.0.0.255
IP 192.168.100.0 allow 0.0.0.255 192.168.3.0 0.0.0.255
allow udp any any eq bootps
allow udp any any eq bootpc
deny ip any any journal entry

RADIUS-server host 192.168.101.15 auth-port 1812 acct-port 1813
RADIUS server retry method reorganize
RADIUS server retransmit 2
Server RADIUS 7 key...

Debugging shows me

234195: * 3 Feb 18:53:38: ISAKMP (0:0): received 93.73.161.229 packet dport 500 sport 500 SA NEW Global (N)
234196: * 3 Feb 18:53:38: ISAKMP: created a struct peer 93.73.161.229, peer port 500
234197: * 3 Feb 18:53:38: ISAKMP: new position created post = 0x47D305BC peer_handle = 0x80007C5F
234198: * 3 Feb 18:53:38: ISAKMP: lock struct 0x47D305BC, refcount 1 to peer crypto_isakmp_process_block
234199: * 3 Feb 18:53:38: ISAKMP: 500 local port, remote port 500
234200: * 3 Feb 18:53:38: insert his with his 480CFF64 = success
234201: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
234202: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM1
234203: * 3 Feb 18:53:38: ISAKMP: (0): treatment ITS payload. Message ID = 0
234204: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234205: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
234206: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234207: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
234208: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234209: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
234210: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is NAT - T v2
234211: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234212: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
234213: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234214: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
234215: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234216: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is DPD
234217: * 3 Feb 18:53:38: ISAKMP: (0): looking for a key corresponding to 93.73.161.229 in default
234218: * 3 Feb 18:53:38: ISAKMP: (0): success
234219: * 3 Feb 18:53:38: ISAKMP: (0): pair found pre-shared key matching 93.73.161.229
234220: * 3 Feb 18:53:38: ISAKMP: (0): pre-shared key local found
234221: * 3 Feb 18:53:38: ISAKMP: analysis of the profiles for xauth...
234222: * 3 Feb 18:53:38: ISAKMP: (0): audit ISAKMP transform 1 against policy priority 5
234223: * 3 Feb 18:53:38: ISAKMP: type of life in seconds
234224: * 3 Feb 18:53:38: ISAKMP: life (basic) of 28800
234225: * 3 Feb 18:53:38: ISAKMP: 3DES-CBC encryption
234226: * 3 Feb 18:53:38: ISAKMP: pre-shared key auth
234227: * 3 Feb 18:53:38: ISAKMP: SHA hash
234228: * 3 Feb 18:53:38: ISAKMP: group by default 2
234229: * 3 Feb 18:53:38: ISAKMP: (0): atts are acceptable. Next payload is 3
234230: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234231: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
234232: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234233: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
234234: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234235: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
234236: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is NAT - T v2
234237: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234238: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
234239: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234240: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
234241: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234242: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is DPD
234243: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
234244: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1

234245: * 3 Feb 18:53:38: ISAKMP: (0): built the seller-02 ID NAT - t
234246: * 3 Feb 18:53:38: ISAKMP: (0): lot of 93.73.161.229 sending my_port 500 peer_port 500 (R) MM_SA_SETUP
234247: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
234248: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM2

234249: * 3 Feb 18:53:38: ISAKMP (0:0): received 93.73.161.229 packet 500 Global 500 (R) sport dport MM_SA_SETUP
234250: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
234251: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM2 = IKE_R_MM3

234252: * 3 Feb 18:53:38: ISAKMP: (0): processing KE payload. Message ID = 0
234253: * 3 Feb 18:53:38: crypto_engine: create DH shared secret
234254: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_DH_SHARE_SECRET (hw) (ipsec)
234255: * 3 Feb 18:53:38: ISAKMP: (0): processing NONCE payload. Message ID = 0
234256: * 3 Feb 18:53:38: ISAKMP: (0): looking for a key corresponding to 93.73.161.229 in default
234257: * 3 Feb 18:53:38: ISAKMP: (0): success
234258: * 3 Feb 18:53:38: ISAKMP: (0): pair found pre-shared key matching 93.73.161.229
234259: * 3 Feb 18:53:38: crypto_engine: create IKE SA
234260: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_SA_CREATE (hw) (ipsec)
234261: * 3 Feb 18:53:38: ISAKMP: receives the payload type 20
234262: * 3 Feb 18:53:38: ISAKMP: receives the payload type 20
234263: * 3 Feb 18:53:38: ISAKMP (0:5912): NAT found, the node outside NAT
234264: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
234265: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM3 = IKE_R_MM3

234266: * 3 Feb 18:53:38: ISAKMP: (5912): lot of 93.73.161.229 sending my_port 500 peer_port 500 (R) MM_KEY_EXCH
234267: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
234268: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM3 = IKE_R_MM4

234269: * 3 Feb 18:53:38: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) MM_KEY_EXCH sport
234270: * 3 Feb 18:53:38: crypto_engine: package to decipher IKE
234271: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234272: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
234273: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM4 = IKE_R_MM5

234274: * 3 Feb 18:53:38: ISAKMP: (5912): payload ID for treatment. Message ID = 0
234275: * 3 Feb 18:53:38: ISAKMP (0:5912): payload ID
next payload: 8
type: 1
address: 192.168.1.218
Protocol: 17
Port: 500
Length: 12
234276: * 3 Feb 18:53:38: ISAKMP: (5912): peer games * no * profiles
234277: * 3 Feb 18:53:38: ISAKMP: (5912): HASH payload processing. Message ID = 0
234278: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
234279: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234280: * 3 Feb 18:53:38: ISAKMP: (5912): SA authentication status:
authenticated
234281: * 3 Feb 18:53:38: ISAKMP: (5912): SA has been authenticated with 93.73.161.229
234282: * 3 Feb 18:53:38: ISAKMP: (5912): port detected floating port = 4500
234283: * 3 Feb 18:53:38: ISAKMP: attempts to insert a peer and inserted 95.6.../93.73.161.229/4500/ 47D305BC successfully.
234284: * 3 Feb 18:53:38: ISAKMP: (5912): IKE_DPD is enabled, the initialization of timers
234285: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
234286: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM5 = IKE_R_MM5

234287: * 3 Feb 18:53:38: ISAKMP: (5912): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
234288: * 3 Feb 18:53:38: ISAKMP (0:5912): payload ID
next payload: 8
type: 1
address: 95.6...
Protocol: 17
Port: 0
Length: 12
234289: * 3 Feb 18:53:38: ISAKMP: (5912): the total payload length: 12
234290: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
234291: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234292: * 3 Feb 18:53:38: crypto_engine: package to encrypt IKE
routerindc #.
234293: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT (hw) (ipsec)
234294: * 3 Feb 18:53:38: ISAKMP: (5912): lot of 93.73.161.229 sending peer_port my_port 4500 4500 (R) MM_KEY_EXCH
234295: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
234296: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE

234297: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
234298: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

234299: * 3 Feb 18:53:38: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
234300: * 3 Feb 18:53:38: ISAKMP: node set-893966165 to QM_IDLE
234301: * 3 Feb 18:53:38: crypto_engine: package to decipher IKE
234302: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234303: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
234304: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234305: * 3 Feb 18:53:38: ISAKMP: (5912): HASH payload processing. Message ID =-893966165
234306: * 3 Feb 18:53:38: ISAKMP: (5912): treatment protocol NOTIFIER INITIAL_CONTACT 1
SPI 0, message ID =-893966165, his 480CFF64 =
234307: * 3 Feb 18:53:38: ISAKMP: (5912): SA authentication status:
authenticated
234308: * 3 Feb 18:53:38: ISAKMP: (5912): process of first contact.
dropping existing phase 1 and 2 with 95.6 local... 93.73.161.229 remote remote port 4500
234309: * 3 Feb 18:53:38: ISAKMP: (5912): node-893966165 error suppression FALSE reason 'informational (en) State 1.
234310: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
234311: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

234312: * 3 Feb 18:53:38: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234313: * 3 Feb 18:53:39: % s-6-IPACCESSLOGRL: registration of limited or missed rates 150 packages of access list
234314: * 3 Feb 18:53:39: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
234315: * 3 Feb 18:53:39: ISAKMP: node set-1224389198 to QM_IDLE
234316: * 3 Feb 18:53:39: crypto_engine: package to decipher IKE
234317: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234318: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
234319: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234320: * 3 Feb 18:53:39: ISAKMP: (5912): HASH payload processing. Message ID =-1224389198
234321: * 3 Feb 18:53:39: ISAKMP: (5912): treatment ITS payload. Message ID =-1224389198
234322: * 3 Feb 18:53:39: ISAKMP: (5912): proposal of IPSec checking 1
234323: * 3 Feb 18:53:39: ISAKMP: turn 1, ESP_3DES
234324: * 3 Feb 18:53:39: ISAKMP: attributes of transformation:
234325: * 3 Feb 18:53:39: ISAKMP: type of life in seconds
234326: * 3 Feb 18:53:39: ISAKMP: life of HIS (basic) of 28800
234327: * 3 Feb 18:53:39: ISAKMP: program is 61444 (Transport-UDP)
234328: * 3 Feb 18:53:39: ISAKMP: authenticator is HMAC-SHA
234329: * 3 Feb 18:53:39: CryptoEngine0: validate the proposal
234330: * 3 Feb 18:53:39: ISAKMP: (5912): atts are acceptable.
234331: * 3 Feb 18:53:39: IPSEC (validate_proposal_request): part #1 of the proposal
(Eng. msg key.) Local INCOMING = 95.6..., distance = 93.73.161.229,.
local_proxy = 95.6.../255.255.255.255/17/1701 (type = 1),
remote_proxy = 93.73.161.229/255.255.255.255/17/0 (type = 1),
Protocol = ESP, transform = esp-3des esp-sha-hmac (UDP Transport),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
234332: * 3 Feb 18:53:39: map_db_find_best found no corresponding card
234333: * 3 Feb 18:53:39: ISAKMP: (5912): processing NONCE payload. Message ID =-1224389198
234334: * 3 Feb 18:53:39: ISAKMP: (5912): payload ID for treatment. Message ID =-1224389198
234335: * 3 Feb 18:53:39: ISAKMP: (5912): payload ID for treatment. Message ID =-1224389198
234336: * 3 Feb 18:53:39: ISAKMP: (5912): ask 1 spis of ipsec
234337: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
234338: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_READY = IKE_QM_SPI_STARVE
234339: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234340: * 3 Feb 18:53:39: IPSEC (spi_response): spi getting 834762579 for SA
of 95.6... to 93.73.161.229 for prot 3
234341: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
234342: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234343: * 3 Feb 18:53:39: crypto_engine: create Security Association IPSec (by QM)
routerindc #.
234344: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE (hw) (ipsec)
234345: * 3 Feb 18:53:39: crypto_engine: create Security Association IPSec (by QM)
234346: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE (hw) (ipsec)
234347: * 3 Feb 18:53:39: ISAKMP: (5912): establishing IPSec security associations
234348: * 3 Feb 18:53:39: from 93.73.161.229 to 95.6 SA... (f / i) 0 / 0
(93.73.161.229 to 95.6 proxy...)
234349: * 3 Feb 18:53:39: spi 0x31C17753 and id_conn a 0
234350: * 3 Feb 18:53:39: life of 28800 seconds
234351: * 3 Feb 18:53:39: ITS 95.6 outgoing... to 93.73.161.229 (f / i) 0/0
(proxy 95.6... to 93.73.161.229)
234352: * 3 Feb 18:53:39: spi 0x495A4BD and id_conn a 0
234353: * 3 Feb 18:53:39: life of 28800 seconds
234354: * 3 Feb 18:53:39: crypto_engine: package to encrypt IKE
234355: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT (hw) (ipsec)
234356: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234357: * 3 Feb 18:53:39: map_db_find_best found no corresponding card
234358: * 3 Feb 18:53:39: IPSec: rate allocated for brother 80000273 Flow_switching
234359: * 3 Feb 18:53:39: IPSEC (policy_db_add_ident): 95.6..., src dest 93.73.161.229, dest_port 4500

234360: * 3 Feb 18:53:39: IPSEC (create_sa): its created.
(his) sa_dest = 95.6..., sa_proto = 50.
sa_spi = 0x31C17753 (834762579).
sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 1165
234361: * 3 Feb 18:53:39: IPSEC (create_sa): its created.
(his) sa_dest = 93.73.161.229, sa_proto = 50,.
sa_spi = 0x495A4BD (76915901).
sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 1166
234362: * 3 Feb 18:53:39: ISAKMP: (5912): lot of 93.73.161.229 sending peer_port my_port 4500 4500 (R) QM_IDLE
234363: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
234364: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_SPI_STARVE = IKE_QM_R_QM2
234365: * 3 Feb 18:53:39: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
234366: * 3 Feb 18:53:39: crypto_engine: package to decipher IKE
234367: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234368: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
234369: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
routerindc #.
234370: * 3 Feb 18:53:39: ISAKMP: (5912): node-1224389198 error suppression FALSE reason 'QM (wait).
234371: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
234372: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
234373: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234374: * 3 Feb 18:53:39: IPSEC (key_engine_enable_outbound): rec would notify of ISAKMP
234375: * 3 Feb 18:53:39: IPSEC (key_engine_enable_outbound): select SA with spinnaker 76915901/50
234376: * 3 Feb 18:53:40: IPSEC (epa_des_crypt): decrypted packet has no control of her identity
routerindc #.
234377: * 3 Feb 18:53:42: IPSEC (epa_des_crypt): decrypted packet has no control of her identity
routerindc #.
234378: * 3 Feb 18:53:44: IPSEC (epa_des_crypt): decrypted packet has no control of her identity

Also when I connect with the phone, I see HIS Active and IPsec tunnel is mounted, but the wire of time tunnel is down and phone connects.

I hope that you will help me. Thank you.

Hi dvecherkin1,

Who IOS you're running, you could hit the next default.

https://Tools.Cisco.com/bugsearch/bug/CSCsg34166/?reffering_site=dumpcr

It may be useful

-Randy-

Evaluate the ticket to help others find the answer quickly.

IPSec VPN with DynDNS host problems after change of address

Hi guys,.

I have a weird problem on an IOS router.

I need to implement IPSec VPN L2L.

Because of the security requirements of each site needed a clean pre-shared key. Sites dynamic IP and it's

why I use dyndns.

ISAKMP crypto key KEY hostname XXXXXXXXXXX.dyndns.org

CMAP_1 1 ipsec-isakmp crypto map
define peer dynamic XXXXXXXXX.dyndns.org

First of all, it works fine, but after the change of IP address it no longer works.

Debugging, I discovered that it resolves the new IP address but IPSec attempts to connect to the previous INVESTIGATION period.

I tried this on two other IOS, 15.0 and 12.4

This debugging output:

01:02:39.735 Mar 1: IPSEC: addr of Peer Link70 (70.1.1.3) is out of date, triggering DNS
* 01:02:39.735 Mar 1: IPSEC: Peer has the address 70.1.1.3 (DNS cache).                 New IP address
* 1 Mar 01:02:41.731: IPSEC (sa_request):,.
(Eng. msg key.) Local OUTGOING = 1.1.1.2, distance = 70.1.1.200, OLD IP
local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),
remote_proxy = 10.254.70.0/255.255.255.0/0/0 (type = 4),
Protocol = ESP, transform = esp-3des esp-sha-hmac (Tunnel),
lifedur = 240 s and KB 4608000,
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
* 1 Mar 01:02:41.739: ISAKMP: (0): profile of THE request is (NULL)
* 01:02:41.739 Mar 1: ISAKMP: created a struct peer 70.1.1.200, peer port 500
* 01:02:41.739 Mar 1: ISAKMP: new created position = 0x673FB268 peer_handle = 0 x 80000008
* 01:02:41.739 Mar 1: ISAKMP: lock struct 0x673FB268, refcount 1 to peer isakmp_initiator
* 01:02:41.743 Mar 1: ISAKMP: 500 local port, remote port 500
* 01:02:41.743 Mar 1: ISAKMP: set new node 0 to QM_IDLE
* 01:02:41.743 Mar 1: insert his with his 650AE400 = success
* 01:02:41.747 Mar 1: ISAKMP: (0): cannot start aggressive mode, try the main mode.
* 01:02:41.747 Mar 1: ISAKMP: (0): no pre-shared with 70.1.1.200!                     PROBLEM!
* 1 Mar 01:02:41.747: ISAKMP: (0): pre-shared key or Cert No. address.                   PROBLEM!
* 1 Mar 01:02:41.747: ISAKMP: (0): construct_initial_message: cannot start main mode
* 01:02:41.751 Mar 1: ISAKMP: Unlocking counterpart struct 0x673FB268 for isadb_unlock_peer_delete_sa(), count 0
* 01:02:41.751 Mar 1: ISAKMP: delete peer node by peer_reap for 70.1.1.200: 673FB268
* 01:02:41.751 Mar 1: ISAKMP: (0): serving SA., his is 650AE400, delme is 650AE400
* 01:02:41.755 Mar 1: ISAKMP: (0): purge the node-267512777
* 01:02:41.755 Mar 1: ISAKMP: error during the processing of HIS application: failed to initialize SA
* 01:02:41.755 Mar 1: ISAKMP: error while processing message KMI 0, error 2.
* 1 Mar 01:02:41.759: IPSEC (key_engine): had an event of the queue with 1 KMI messages...
Success rate is 0% (0/5)

I'm building a lab to find a solution for this.

The other side is a VPN Linksys router, I tried with an IOS router on both sites also, but I got same results.

I tried with DPD, ISAKMP profiles don't... no help.

Hi Smailmilak83,

Configuration of a static encryption with a specific peer card creates a society of surveillance for the peer. Dns lookup he's now only the first time, he tries to connect, after which it's just going to be her generate a new key. If she would ideally use the value peer in the his and not the config or a dns lookup. So, it is wise to use a dynamic encryption card.

Please try to use a dynamic encryption instead of a static map. Although there are some limitations including crypto being initiated only at the other end, we can work around keeping the tunnel directly.

Hope that helps.

Sent by Cisco Support technique iPhone App

-Please note the solutions.

IOS/PIX RADIUS (01/09/00) on VPN 3002 user attribute

Hi all

I have a client VPN HW 3002, build an IPSec VPN to a VPN 3015 concentrator. An ACS (3.3) server is used for the external RADIUS authentication. There is a user configured on the HW 3002 client and server ACS (RADIUS). It authenticates successfully during the construction of the IPSec tunnel. Everything works fine, but I would like to use a separate ACL for that user to limit access to the network. Is it possible to use the IOS/PIX RADIUS attribute (01/09/00) for the download of ACL for this HW 3002 customer?

I want the user configured for purposes of authentication (on the customer of HW 3002) to download an ACL to restrict access to the network.

As always, thanks for your help.

-Mike

This should help you:

http://www.Cisco.com/en/us/Tech/tk59/technologies_configuration_example09186a0080094eac.shtml

Coming out of the IPSec VPN connection behind Pix535 problem: narrowed down for NAT-Associates

Hello world

Previously, I've seen a similar thread and posted my troubles with the outbound VPN connections inside that thread:

https://supportforums.Cisco.com/message/3688980#3688980

I had the great help but unfortunatedly my problem is a little different and connection problem. Here, I summarize once again our configurations:

hostname pix535 8.0 (4)

all PC here use IP private such as 10.1.0.0/16 by dynamic NAT, we cannot initiate an OUTBOUND IPSec VPN (for example QuickVPN) at our offices, but the reverse (inbound) is very well (we have IPsec working long server /PP2P). I did a few tests of new yesterday which showed that if the PC a static NAT (mapped to a real public IP), outgoing connection VPN is fine; If the same PC has no static NAT (he hides behind the dynamic NAT firewall), outgoing VPN is a no-go (same IP to the same PC), so roughly, I have narrowed down our connection problem VPN is related to NAT, here are a few commands for NAT of our PIX:

interface GigabitEthernet0
Description to cable-modem
nameif outside
security-level 0
IP 70.169.X.X 255.255.255.0
OSPF cost 10
!
interface GigabitEthernet1
Description inside 10/16
nameif inside
security-level 100
IP 10.1.1.254 255.255.0.0
OSPF cost 10
!
!
interface Ethernet2
Vlan30 description
nameif dmz2
security-level 50
IP 30.30.30.30 255.255.255.0
OSPF cost 10
!
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface

......

Global interface 10 (external)
Global (dmz2) interface 10
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 10 inside8 255.255.255.0
NAT (inside) 10 Vlan10 255.255.255.0
NAT (inside) 10 vlan50 255.255.255.0
NAT (inside) 10 192.168.0.0 255.255.255.0
NAT (inside) 10 192.168.1.0 255.255.255.0
NAT (inside) 10 192.168.10.0 255.255.255.0
NAT (inside) 10 pix-inside 255.255.0.0

Crypto isakmp nat-traversal 3600

-------

Results of packet capture are listed here for the same PC for the same traffic to Server VPN brach, the main difference is UDP 4500 (PC with static NAT has good traffic UDP 4500, does not have the same PC with dynamic NAT):

#1: when the PC uses static NAT, it is good of outgoing VPN:

54 packets captured
1: 15:43:51.112054 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634 (0) win 64240
2: 15:43:54.143028 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634 (0) win 64240
3: 15:44:00.217273 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634 (0) win 64240
4: 15:44:01.724938 10.1.1.82.1609 > 76.196.10.57.60443: S 2904546955:2904546955 (0) win 64240
5: 15:44:01.784642 76.196.10.57.60443 > 10.1.1.82.1609: S 2323205974:2323205974 (0) ack 2904546956 win 5808
6: 15:44:01.784886 10.1.1.82.1609 > 76.196.10.57.60443:. ACK 2323205975 win 64240
7: 15:44:01.785527 10.1.1.82.1609 > 76.196.10.57.60443: P 2904546956:2904547080 (124) ack 2323205975 win 64240
8: 15:44:01.856462 76.196.10.57.60443 > 10.1.1.82.1609:. ACK 2904547080 win 5808
9: 15:44:01.899596 76.196.10.57.60443 > 10.1.1.82.1609: P 2323205975:2323206638 (663) ack 2904547080 win 5808
10: 15:44:02.056897 10.1.1.82.1609 > 76.196.10.57.60443:. ACK 2323206638 win 63577
11: 15:44:03.495030 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547080:2904547278 (198) ack 2323206638 win 63577
12: 15:44:03.667095 76.196.10.57.60443 > 10.1.1.82.1609:. ACK 2904547278 win 6432
13: 15:44:03.740592 76.196.10.57.60443 > 10.1.1.82.1609: P 2323206638:2323206697 (59) ack 2904547278 win 6432
14: 15:44:03.741264 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547278:2904547576 (298) ack 2323206697 win 63518
15: 15:44:03.814029 76.196.10.57.60443 > 10.1.1.82.1609:. ACK 2904547576 win 7504
16: 15:44:06.989008 76.196.10.57.60443 > 10.1.1.82.1609: P 2323206697:2323207075 (378) ack 2904547576 win 7504
17: 15:44:06.990228 76.196.10.57.60443 > 10.1.1.82.1609: 2323207075:2323207075 F (0) ack 2904547576 win 7504
18: 15:44:06.990564 10.1.1.82.1609 > 76.196.10.57.60443:. ACK 2323207076 win 63140
19: 15:44:06.990656 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547576:2904547613 (37) ack 2323207076 win 63140
20: 15:44:06.990854 10.1.1.82.1609 > 76.196.10.57.60443: 2904547613:2904547613 F (0) ack 2323207076 win 63140
21: 15:44:07.049359 76.196.10.57.60443 > 10.1.1.82.1609: R 2323207076:2323207076 (0) win 0
22: 15:44:17.055417 10.1.1.82.500 > 76.196.10.57.500: udp 276
23: 15:44:17.137657 76.196.10.57.500 > 10.1.1.82.500: udp 140
24: 15:44:17.161475 10.1.1.82.500 > 76.196.10.57.500: udp 224
25: 15:44:17.309066 76.196.10.57.500 > 10.1.1.82.500: udp 220
26: 15:44:17.478780 10.1.1.82.4500 > 76.196.10.57.4500: udp 80
27: 15:44:17.550356 76.196.10.57.4500 > 10.1.1.82.4500: 64 udp
28: 15:44:17.595214 10.1.1.82.4500 > 76.196.10.57.4500: udp 304
29: 15:44:17.753470 76.196.10.57.4500 > 10.1.1.82.4500: udp 304
30: 15:44:17.763037 10.1.1.82.4500 > 76.196.10.57.4500: udp 68
31: 15:44:17.763540 10.1.1.82.4500 > 76.196.10.57.4500: udp 56
32: 15:44:18.054516 10.1.1.82.4500 > 76.196.10.57.4500: udp 68
33: 15:44:18.124840 76.196.10.57.4500 > 10.1.1.82.4500: udp 68
34: 15:44:21.835390 10.1.1.82.4500 > 76.196.10.57.4500: udp 72
35: 15:44:21.850831 10.1.1.82.4500 > 76.196.10.57.4500: udp 80
36: 15:44:21.901183 76.196.10.57.4500 > 10.1.1.82.4500: udp 72
37: 15:44:22.063747 10.1.1.82.1610 > 76.196.10.57.60443: S 938188365:938188365 (0) win 64240
38: 15:44:22.104746 76.196.10.57.4500 > 10.1.1.82.4500: udp 80
39: 15:44:22.122277 76.196.10.57.60443 > 10.1.1.82.1610: S 1440820945:1440820945 (0) ack 938188366 win 5808
40: 15:44:22.122536 10.1.1.82.1610 > 76.196.10.57.60443:. ACK 1440820946 win 64240
41: 15:44:22.123269 10.1.1.82.1610 > 76.196.10.57.60443: P 938188366:938188490 (124) ack 1440820946 win 64240
42: 15:44:22.187108 76.196.10.57.60443 > 10.1.1.82.1610:. ACK 938188490 win 5808
43: 15:44:22.400675 76.196.10.57.60443 > 10.1.1.82.1610: P 1440820946:1440821609 (663) ack 938188490 win 5808
44: 15:44:22.474600 10.1.1.82.1610 > 76.196.10.57.60443: P 938188490:938188688 (198) ack 1440821609 win 63577
45: 15:44:22.533648 76.196.10.57.60443 > 10.1.1.82.1610:. ACK 938188688 win 6432
46: 15:44:22.742286 76.196.10.57.60443 > 10.1.1.82.1610: P 1440821609:1440821668 (59) ack 938188688 win 6432
47: 15:44:22.742927 10.1.1.82.1610 > 76.196.10.57.60443: P 938188688:938189002 (314) ack 1440821668 win 63518
48: 15:44:22.802570 76.196.10.57.60443 > 10.1.1.82.1610:. ACK 938189002 win 7504
49: 15:44:25.180486 76.196.10.57.60443 > 10.1.1.82.1610: P 1440821668:1440821934 (266) ack 938189002 win 7504
50: 15:44:25.181753 76.196.10.57.60443 > 10.1.1.82.1610: 1440821934:1440821934 F (0) ack 938189002 win 7504
51: 15:44:25.181997 10.1.1.82.1610 > 76.196.10.57.60443:. ACK 1440821935 win 63252
52: 15:44:25.182134 10.1.1.82.1610 > 76.196.10.57.60443: P 938189002:938189039 (37) ack 1440821935 win 63252
53: 15:44:25.182333 10.1.1.82.1610 > 76.196.10.57.60443: 938189039:938189039 F (0) ack 1440821935 win 63252
54: 15:44:25.241869 76.196.10.57.60443 > 10.1.1.82.1610: R 1440821935:1440821935 (0) win 0

#2: same PC with Dynamic NAT, VPN connection fails:

70 packets captured
1: 14:08:31.758261 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495 (0) win 64240
2: 14:08:34.876907 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495 (0) win 64240
3: 14:08:40.746055 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495 (0) win 64240
4: 14:08:42.048627 10.1.1.82.1074 > 76.196.10.57.60443: S 3309127022:3309127022 (0) win 64240
5: 14:08:42.120248 76.196.10.57.60443 > 10.1.1.82.1074: S 1715577781:1715577781 (0) ack 3309127023 win 5808
6: 14:08:42.120568 10.1.1.82.1074 > 76.196.10.57.60443:. ACK 1715577782 win 64240
7: 14:08:42.121102 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127023:3309127147 (124) ack 1715577782 win 64240
8: 14:08:42.183553 76.196.10.57.60443 > 10.1.1.82.1074:. ACK 3309127147 win 5808
9: 14:08:42.232867 76.196.10.57.60443 > 10.1.1.82.1074: P 1715577782:1715578445 (663) ack 3309127147 win 5808
10: 14:08:42.405145 10.1.1.82.1074 > 76.196.10.57.60443:. ACK 1715578445 win 63577
11: 14:08:43.791340 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127147:3309127345 (198) ack 1715578445 win 63577
12: 14:08:43.850450 76.196.10.57.60443 > 10.1.1.82.1074:. ACK 3309127345 win 6432
13: 14:08:44.028196 76.196.10.57.60443 > 10.1.1.82.1074: P 1715578445:1715578504 (59) ack 3309127345 win 6432
14: 14:08:44.058544 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127345:3309127643 (298) ack 1715578504 win 63518
15: 14:08:44.116403 76.196.10.57.60443 > 10.1.1.82.1074:. ACK 3309127643 win 7504
16: 14:08:47.384654 76.196.10.57.60443 > 10.1.1.82.1074: P 1715578504:1715578882 (378) ack 3309127643 win 7504
17: 14:08:47.385417 76.196.10.57.60443 > 10.1.1.82.1074: 1715578882:1715578882 F (0) ack 3309127643 win 7504
18: 14:08:47.394068 10.1.1.82.1074 > 76.196.10.57.60443:. ACK 1715578883 win 63140
19: 14:08:47.394922 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127643:3309127680 (37) ack 1715578883 win 63140
20: 14:08:47.395151 10.1.1.82.1074 > 76.196.10.57.60443: 3309127680:3309127680 F (0) ack 1715578883 win 63140
21: 14:08:47.457633 76.196.10.57.60443 > 10.1.1.82.1074: R 1715578883:1715578883 (0) win 0
22: 14:08:57.258073 10.1.1.82.500 > 76.196.10.57.500: udp 276
23: 14:08:57.336255 76.196.10.57.500 > 10.1.1.82.500: udp 40
24: 14:08:58.334211 10.1.1.82.500 > 76.196.10.57.500: udp 276
25: 14:08:58.412850 76.196.10.57.500 > 10.1.1.82.500: udp 40
26: 14:09:00.333311 10.1.1.82.500 > 76.196.10.57.500: udp 276
27: 14:09:00.410730 76.196.10.57.500 > 10.1.1.82.500: udp 40
28: 14:09:02.412561 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865 (0) win 64240
29: 14:09:04.349164 10.1.1.82.500 > 76.196.10.57.500: udp 276
30: 14:09:04.431648 76.196.10.57.500 > 10.1.1.82.500: udp 40
31: 14:09:05.442710 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865 (0) win 64240
32: 14:09:11.380427 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865 (0) win 64240
33: 14:09:12.349926 10.1.1.82.500 > 76.196.10.57.500: udp 276
34: 14:09:12.421502 10.1.1.82.1076 > 76.196.10.57.60443: S 3856215672:3856215672 (0) win 64240
35: 14:09:12.430794 76.196.10.57.500 > 10.1.1.82.500: udp 40
36: 14:09:12.481832 76.196.10.57.60443 > 10.1.1.82.1076: S 248909856:248909856 (0) ack 3856215673 win 5808
37: 14:09:12.527972 10.1.1.82.1076 > 76.196.10.57.60443:. ACK 248909857 win 64240
38: 14:09:12.529238 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215673:3856215797 (124) ack 248909857 win 64240
39: 14:09:12.608275 76.196.10.57.60443 > 10.1.1.82.1076:. ACK 3856215797 win 5808
40: 14:09:12.658581 76.196.10.57.60443 > 10.1.1.82.1076: P 248909857:248910520 (663) ack 3856215797 win 5808
41: 14:09:12.664531 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215797:3856215995 (198) ack 248910520 win 63577
42: 14:09:12.725533 76.196.10.57.60443 > 10.1.1.82.1076:. ACK 3856215995 win 6432
43: 14:09:12.880813 76.196.10.57.60443 > 10.1.1.82.1076: P 248910520:248910579 (59) ack 3856215995 win 6432
44: 14:09:12.892272 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215995:3856216293 (298) ack 248910579 win 63518
45: 14:09:12.953029 76.196.10.57.60443 > 10.1.1.82.1076:. ACK 3856216293 win 7504
46: 14:09:12.955043 76.196.10.57.60443 > 10.1.1.82.1076: 248910579:248910579 F (0) ack 3856216293 win 7504
47: 14:09:12.955242 10.1.1.82.1076 > 76.196.10.57.60443:. ACK 248910580 win 63518
48: 14:09:12.955516 10.1.1.82.1076 > 76.196.10.57.60443: P 3856216293:3856216330 (37) ack 248910580 win 63518
49: 14:09:12.955730 10.1.1.82.1076 > 76.196.10.57.60443: 3856216330:3856216330 F (0) ack 248910580 win 63518
50: 14:09:13.019743 76.196.10.57.60443 > 10.1.1.82.1076: R 248910580:248910580 (0) win 0
51: 14:09:16.068691 10.1.1.82.500 > 76.196.10.57.500: udp 56
52: 14:09:16.227588 10.1.1.82.1077 > 76.196.10.57.60443: S 3657181617:3657181617 (0) win 64240
53: 14:09:16.283783 76.196.10.57.60443 > 10.1.1.82.1077: S 908773751:908773751 (0) ack 3657181618 win 5808
54: 14:09:16.306823 10.1.1.82.1077 > 76.196.10.57.60443:. ACK 908773752 win 64240
55: 14:09:16.307692 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181618:3657181742 (124) ack 908773752 win 64240
56: 14:09:16.370998 76.196.10.57.60443 > 10.1.1.82.1077:. ACK 3657181742 win 5808
57: 14:09:16.411935 76.196.10.57.60443 > 10.1.1.82.1077: P 908773752:908774415 (663) ack 3657181742 win 5808
58: 14:09:16.417870 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181742:3657181940 (198) ack 908774415 win 63577
59: 14:09:16.509388 76.196.10.57.60443 > 10.1.1.82.1077:. ACK 3657181940 win 6432
60: 14:09:16.708413 76.196.10.57.60443 > 10.1.1.82.1077: P 908774415:908774474 (59) ack 3657181940 win 6432
61: 14:09:16.887100 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181940:3657182254 (314) ack 908774474 win 63518
62: 14:09:16.948193 76.196.10.57.60443 > 10.1.1.82.1077:. ACK 3657182254 win 7504
63: 14:09:19.698465 76.196.10.57.60443 > 10.1.1.82.1077: P 908774474:908774740 (266) ack 3657182254 win 7504
64: 14:09:19.699426 76.196.10.57.60443 > 10.1.1.82.1077: 908774740:908774740 F (0) ack 3657182254 win 7504
65: 14:09:20.060162 10.1.1.82.1077 > 76.196.10.57.60443:. ACK 908774741 win 63252
66: 14:09:20.062191 76.196.10.57.60443 > 10.1.1.82.1077: P 908774474:908774740 (266) ack 3657182254 win 7504
67: 14:09:20.063732 10.1.1.82.1077 > 76.196.10.57.60443:. ACK 908774741 win 63252
68: 14:09:20.063900 10.1.1.82.1077 > 76.196.10.57.60443: P 3657182254:3657182291 (37) ack 908774741 win 63252
69: 14:09:20.064098 10.1.1.82.1077 > 76.196.10.57.60443: 3657182291:3657182291 F (0) ack 908774741 win 63252
70: 14:09:20.127694 76.196.10.57.60443 > 10.1.1.82.1077: R 908774741:908774741 (0) win 0
70 packages shown

We had this problem of connection VPN IPsec from the years (I first thought it is restriction access problem, but it does not work or if I disable all access lists, experience of yesterday for the same restriction of the access-list shows longer than PC is not the cause). All suggestions and tips are greatly appreciated.

Sean

Hi Sean, please remove th lines highlighted in your pix and try and let me know, that these lines are not the default configuration of the PIX.

VPN-udp-class of the class-map

corresponds to the list of access vpn-udp-acl

vpn-udp-policy policy-map

VPN-udp-class

inspect the amp-ipsec

type of policy-card inspect dns migrated_dns_map_1

parameters

message-length maximum 768

Policy-map global_policy

class inspection_default

inspect the migrated_dns_map_1 dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the http

inspect the netbios

inspect the rsh

inspect the rtsp

inspect the skinny

inspect sqlnet

inspect sunrpc

inspect the tftp

inspect the sip

inspect xdmcp

inspect the pptp

inspect the amp-ipsec

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

IP verify reverse path to the outside interface

Thank you

Rizwan James

Cisco RV220W IPSec VPN problem Local configuration for any config mode

Dear all,

I need help, I am currently evaluating RV220W for VPN usage but I'm stuck with the config somehow, it seems that there is a problem with the Mode-Config?

What needs to be changed or where is my fault?

I have installed IPSec according to the RV220W Administrator's Guide. Client's Mac with Mac Cisco IPSec VPN, I also tried NCP Secure Client.

I have 3 other sites where the config on my Mac works fine, but the Cisco VPN router is not.

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: remote for found identifier "remote.com" configuration

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: application received for the negotiation of the new phase 1: x.x.x.x [500]<=>2.206.0.67 [53056]

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: early aggressive mode.

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: RFC 3947

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: CISCO - UNITY

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: DPD

2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: for 2.206.0.67 [53056], version selected NAT - T: RFC 39472013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: floating ports NAT - t with peer 2.206.0.67 [52149]

2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT - D payload is x.x.x.x [4500]

2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT - D payload does not match for 2.206.0.67 [52149]

2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT detected: Peer is behind a NAT device

2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: request sending Xauth for 2.206.0.67 [52149]

2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: ISAKMP Security Association established for x.x.x.x [4500] - 2.206.0.67 [52149] with spi: 1369a43b6dda8a7d:fd874108e09e207e

2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: type of the attribute "ISAKMP_CFG_REPLY" from 2.206.0.67 [52149]

2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: connection for the user "Testuser".

2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: type of the attribute "ISAKMP_CFG_REQUEST" from 2.206.0.67 [52149]

2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: ignored attribute 5

2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: attribute ignored 28678

2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: attribute ignored 28683

2013-03-07 01:56:07: [CiscoFirewall] [IKE] INFO: purged-with proto_id = ISAKMP and spi = 1369a43b6dda8a7d:fd874108e09e207e ISAKMP Security Association.

2013-03-07 01:56:08: [CiscoFirewall] [IKE] INFO: ISAKMP Security Association deleted for x.x.x.x [4500] - 2.206.0.67 [52149] with spi: 1369a43b6dda8a7d:fd874108e09e207e

Hi Mike, the built-in client for MAC does not work with the RV220W. The reason is, the MAC IPSec client is the same as the Cisco VPN 5.x client.

The reason that this is important is that the 5.x client work that on certain small business products include the SRP500 and SA500 series.

I would recommend that you search by using a client VPN as Greenbow or IPSecuritas.

-Tom
Please mark replied messages useful

Problem with IPsec VPN between ASA and router Cisco - ping is not response

Hello

I don't know because the IPsec VPN does not work. This is my setup (IPsec VPN between ASA and R2):

my network topology data:

LAN 1 connect ASA - 1 (inside the LAN)

PC - 10.0.1.3 255.255.255.0 10.0.1.1

ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0

-----------------------------------------------------------------

ASA - 1 Connect (LAN outide) R1

ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252

R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252

---------------------------------------------------------------------

R1 R2 to connect

R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252

R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252

R2 for lan connection 2

--------------------------------------------------------------------

R2 to connect LAN2

R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0

PC - 10.0.2.3 255.255.255.0 10.0.2.1

ASA configuration:

1 GigabitEthernet interface
nameif inside
security-level 100
IP 10.0.1.1 255.255.255.0
no downtime
interface GigabitEthernet 0
nameif outside
security-level 0
IP 172.30.1.2 255.255.255.252
no downtime
Route outside 0.0.0.0 0.0.0.0 172.30.1.1

------------------------------------------------------------

access-list scope LAN1 to LAN2 ip 10.0.1.0 allow 255.255.255.0 10.0.2.0 255.255.255.0
object obj LAN
subnet 10.0.1.0 255.255.255.0
object obj remote network
10.0.2.0 subnet 255.255.255.0
NAT (inside, outside) 1 static source obj-local obj-local destination obj-remote control remote obj non-proxy-arp static

-----------------------------------------------------------
IKEv1 crypto policy 10
preshared authentication
aes encryption
sha hash
Group 2
life 3600
Crypto ikev1 allow outside
crypto isakmp identity address

------------------------------------------------------------
tunnel-group 172.30.2.2 type ipsec-l2l
tunnel-group 172.30.2.2 ipsec-attributes
IKEv1 pre-shared-key cisco123
Crypto ipsec transform-set esp-aes-192 ASA1TS, esp-sha-hmac ikev1

-------------------------------------------------------------
card crypto ASA1VPN 10 is the LAN1 to LAN2 address
card crypto ASA1VPN 10 set peer 172.30.2.2
card crypto ASA1VPN 10 set transform-set ASA1TS ikev1
card crypto ASA1VPN set 10 security-association life seconds 3600
ASA1VPN interface card crypto outside

R2 configuration:

interface fastEthernet 0/0
IP 10.0.2.1 255.255.255.0
no downtime
interface fastEthernet 0/1
IP 172.30.2.2 255.255.255.252
no downtime

-----------------------------------------------------

router RIP
version 2
Network 10.0.2.0
network 172.30.2.0

------------------------------------------------------
access-list 102 permit ahp 172.30.1.2 host 172.30.2.2
access-list 102 permit esp 172.30.1.2 host 172.30.2.2
access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
interface fastEthernet 0/1
IP access-group 102 to

------------------------------------------------------
crypto ISAKMP policy 110
preshared authentication
aes encryption
sha hash
Group 2
life 42300

------------------------------------------------------
ISAKMP crypto key cisco123 address 172.30.1.2

-----------------------------------------------------
Crypto ipsec transform-set esp - aes 128 R2TS

------------------------------------------------------

access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

------------------------------------------------------

R2VPN 10 ipsec-isakmp crypto map
match address 101
defined by peer 172.30.1.2
PFS Group1 Set
R2TS transformation game
86400 seconds, life of security association set
interface fastEthernet 0/1
card crypto R2VPN

I don't know what the problem

Thank you

If the RIP is not absolutely necessary for you, try adding the default route to R2:

IP route 0.0.0.0 0.0.0.0 172.16.2.1

If you want to use RIP much, add permissions ACL 102:

access-list 102 permit udp any any eq 520

Login problem VPN on PIX on the side of the inside of the n/w

I am tring to connect to the vpn server (pix) outside my laptop within the network.

I have routed ip vpn on pix515 and fine ping pix.but not able to ping of 3550 switch and computer laptop.

How to get the vpn ip Switch? as I don't know the mask of the ip...

I would also like to know... is their something extra that I need on pix or 3550?

Hello!

-What is the default gateway of your laptop?

-You do any kind of NAT on the PIX? What is NAT PAT, static or normal?

-Can you ping the inside of the PIX of the laptop?

There could be several problems to solve here.

(1) first of all, make sure that your laptop has access to the internet

(2) If you want to ping him make sure internet you have an ACL on the PIX like the one below:

i.e.

Allow Access - list icmp an entire TEST

TEST group access in the interface outside

Also make sure you have no access list applied inside the PIX

-Now, can you connect at all?

-When you connect to? Another PIX? Router? Hub?

If you pass by PAT make sure that you have this command on the PIX:

"fixup protocol esp-ike.

Please let me know if you can answer my questions, in this way, it would be easier to help you.

Frank

l2l ipsec vpn - problem XAUTH need-based policy

Hello

I have a problem that I see a few solutions but they do not work.

I have a p2p IPSec vpn, which worked until I added access remote VPN configuration (which works perfectly).

According to the documents, I used isakmp policy allowing mixed tunnels. Now, whenever I try to send traffic through the l2l link I get the following debugging results telling me that the remote router is demanding XAUTH.

September 8 09:53:12: ISAKMP: (2015): the total payload length: 12

September 8 09:53:12: ISAKMP: (2015): send package to [source] my_port 500 peer_port 500 (R) MM_KEY_EXCH

September 8 09:53:12: ISAKMP: (2015): sending a packet IPv4 IKE.

September 8 09:53:12: ISAKMP: (2015): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

September 8 09:53:12: ISAKMP: (2015): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE

September 8 09:53:12: ISAKMP: (2015): need XAUTH

September 8 09:53:12: ISAKMP: node set 1635909437 to CONF_XAUTH

September 8 09:53:12: ISAKMP/xauth: application XAUTH_USER_NAME_V2 attribute

September 8 09:53:12: ISAKMP/xauth: application XAUTH_USER_PASSWORD_V2 attribute

September 8 09:53:12: ISAKMP: (2015): launch peer config [source]. ID = 1635909437

September 8 09:53:12: ISAKMP: (2015): send package to [source] my_port 500 peer_port 500 (R) CONF_XAUTH

September 8 09:53:12: ISAKMP: (2015): sending a packet IPv4 IKE.

September 8 09:53:12: ISAKMP: (2015): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

September 8 09:53:12: ISAKMP: (2015): former State = new State IKE_P1_COMPLETE = IKE_XAUTH_REQ_SENT

September 8 09:53:12: ISAKMP (2015): package receipt from [source] 500 Global 500 (R) sport dport CONF_XAUTH

September 8 09:53:20: ISAKMP (2015): package receipt from [source] 500 Global 500 (R) sport dport CONF_XAUTH

September 8 09:53:27: ISAKMP: (2015): transmit phase 2 CONF_XAUTH 1635909437...

September 8 09:53:27: ISAKMP (2015): increment the count of errors on the node, try 1 5: retransmit the phase 2

September 8 09:53:27: ISAKMP (2015): increment the count of errors on his, try 1 5: retransmit the phase 2

September 8 09:53:27: ISAKMP: (2015): transmit phase 2 1635909437 CONF_XAUTH

September 8 09:53:27: ISAKMP: (2015): send package to [source] my_port 500 peer_port 500 (R) CONF_XAUTH

September 8 09:53:27: ISAKMP: (2015): sending a packet IPv4 IKE.

September 8 09:53:28: ISAKMP (2015): package receipt from [source] 500 Global 500 (R) sport dport CONF_XAUTH

September 8 09:53:36: ISAKMP (2015): package receipt from [source] 500 Global 500 (R) sport dport CONF_XAUTH

September 8 09:53:42: ISAKMP: (2015): transmit phase 2 CONF_XAUTH 1635909437...

September 8 09:53:42: ISAKMP (2015): increment the count of errors on the node, try 2 of 5: retransmit the phase 2

September 8 09:53:42: ISAKMP (2015): increment the count of errors on his, try 2 of 5: retransmit the phase 2

September 8 09:53:42: ISAKMP: (2015): transmit phase 2 1635909437 CONF_XAUTH

September 8 09:53:42: ISAKMP: (2015): send package to [source] my_port 500 peer_port 500 (R) CONF_XAUTH

September 8 09:53:42: ISAKMP: (2015): sending a packet IPv4 IKE.

September 8 09:53:44: ISAKMP (2015): package receipt from [source] 500 Global 500 (R) sport dport CONF_XAUTH

September 8 09:53:44: ISAKMP: node set 2054552354 to CONF_XAUTH

September 8 09:53:44: ISAKMP: (2015): HASH payload processing. Message ID = 2054552354

September 8 09:53:44: ISAKMP: (2015): treatment of payload to DELETE. Message ID = 2054552354

September 8 09:53:44: ISAKMP: (2015): peer does not paranoid KeepAlive.

So, it seems that Phase 1 ends without XAUTH.

Here's my cryptographic configurations:

Keyring cryptographic s2s

pre-shared key key address [source] [key]

!

crypto ISAKMP policy 3

BA 3des

preshared authentication

Group 2

lifetime 28800

!

crypto ISAKMP policy 5

BA 3des

preshared authentication

lifetime 28800

!

crypto ISAKMP policy 10

preshared authentication

lifetime 28800

!

Configuration group customer crypto isakmp [RA_GROUP]

key [key2]

DNS 192.168.7.7

win 192.168.7.222

ninterface.com field

pool SDM_POOL_1

ACL 100

Max-users 6

netmask 255.255.255.0

ISAKMP crypto ciscocp-ike-profile-1 profile

identity group match [RA_GROUP]

client authentication list ciscocp_vpn_xauth_ml_1

ISAKMP authorization list ciscocp_vpn_group_ml_1

client configuration address respond

virtual-model 1

Crypto isakmp ISA_PROF profile

S2S keyring

function identity [source] address 255.255.255.255

ISAKMP crypto unified profile

identity group match [RA_GROUP]

client authentication list ciscocp_vpn_xauth_ml_1

ISAKMP authorization list ciscocp_vpn_grop_ml_1

client configuration address respond

!

86400 seconds, duration of life crypto ipsec security association

!

Crypto ipsec transform-set esp-3des esp-sha-hmac VPN_T_BW

Crypto ipsec transform-set MY - SET esp - aes 256 esp-sha-hmac

Crypto ipsec transform-set esp-3des esp-sha-hmac trans-rem

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec df - bit clear

!

Profile of crypto ipsec CiscoCP_Profile1

game of transformation-ESP-3DES-SHA

set of isakmp - profile ciscocp-ike-profile-1

!

!

Crypto dynamic-map [RA_GROUP] 77

the transform-set trans-rem value

Isakmp profile unified set

market arriere-route

!

!

!

list of authentication of card crypto clientmap client RAD_GRP

map clientmap isakmp authorization list rtr crypto / remote

client configuration address map clientmap crypto answer

card crypto clientmap 77-isakmp dynamic ipsec [RA_GROUP]

!

client configuration address card crypto [RA_GROUP] answer

!

Crypto card remote isakmp authorization list rtr / remote

!

RTP 10 ipsec-isakmp crypto map

set peer [source]

MY - Set transform-set

PFS group2 Set

match address 111

It is a bit of a breakfast dogs because I'm at the time of implementation of policies.

I managed to block xauth before I used policy by adding no_xauth the end of my speech key but I can't work out how to add this using the strategy.

I'm something simple Paris that I missed.

Thanks for your help!

Hi Bruno.

Thanks for the brief explanation.

What crypto map is applied on the external interface?

I think the "crypto isakmp profile" solution is the best way and they seem to be ok, however, we must remember that you cannot have a single card encryption by interface, so you should have something like this:

1 - crypto dynamic-map outside_dynamic 10

game of transformation-ESP-AES-SHA

2-outside_map 10 ipsec-isakmp crypto map

the value of xxxx.xxxx.xxxx.xxxx peer

Map 3-crypto outside_map 65535-isakmp ipsec dynamic outside_dynamic

4-interface f0/0

outside_map card crypto

* I'm not configure all of the cryptographic configuration, I wanted to give you a better idea.

Please correct your configuration to accommodate one card encryption.

Just to add more information on isakmp profiles:

ISAKMP profile overview

Let me know.

Thank you.

Portu.

Problems connecting to help connect any and the Ipsec VPN Client

I have problems connecting with the VPN client connect no matter what. I can connect with the Ipsec VPN client in Windows 7 32 bit.

Here is my latest config running.

Thank you for taking the time to read this.

passwd encrypted W/KqlBn3sSTvaD0T

no names

name 192.168.1.117 kylewooddesk kyle description

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

IP address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system Disk0: / asa822 - k8.bin

passive FTP mode

DNS lookup field inside

DNS domain-lookup outside

DNS server-group DefaultDNS

domain wood.local

permit same-security-traffic intra-interface

object-group service rdp tcp

access rdp Description

EQ port 3389 object

outside_access_in list extended access permit tcp any interface outside eq 3389

outside_access_in list extended access permit tcp any interface outside eq 8080

outside_access_in list extended access permit tcp any interface outside eq 3334

outside_access_in to access extended list ip 192.168.5.0 allow 255.255.255.240 192.168.1.0 255.255.255.0

woodgroup_splitTunnelAcl list standard access allowed host 192.168.1.117

inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.5.0 255.255.255.240

outside_access_in_1 list extended access permit tcp any host 192.168.1.117 eq 3389

woodgroup_splitTunnelAcl_1 list standard access allowed 192.168.1.0 255.255.255.0

inside_nat0_outbound_1 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.5.0 255.255.255.240

inside_nat0_outbound_1 to access extended list ip 192.168.5.0 allow 255.255.255.240 all

inside_test list extended access permit icmp any host 192.168.1.117

no pager

Enable logging

timestamp of the record

asdm of logging of information

Debugging trace record

Within 1500 MTU

Outside 1500 MTU

mask pool local Kyle 192.168.5.1 - 192.168.5.10 IP 255.255.255.0

IP local pool vpnpool 192.168.1.220 - 192.168.1.230

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 631.bin

don't allow no asdm history

ARP timeout 14400

Global (inside) 1 interface

Global 1 interface (outside)

NAT (inside) 0-list of access inside_nat0_outbound_1

NAT (inside) 1 0.0.0.0 0.0.0.0

public static interface 3389 (indoor, outdoor) 192.168.1.117 tcp 3389 netmask 255.255.255.255 dns

public static tcp (indoor, outdoor) interface 8080 192.168.1.117 8080 netmask 255.255.255.255

public static tcp (indoor, outdoor) interface 3334 192.168.1.86 3334 netmask 255.255.255.255

static (inside, upside down) 75.65.238.40 192.168.1.117 netmask 255.255.255.255

Access-group outside_access_in in interface outside

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

WebVPN

the files enable exploration

activate the entry in the file

enable http proxy

Enable URL-entry

SVC request no svc default

AAA authentication http LOCAL console

Enable http server

http 192.168.1.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

crypto isakmp identity address

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Telnet 192.168.1.0 255.255.255.0 inside

Telnet timeout 5

SSH timeout 5

Console timeout 0

dhcpd dns 8.8.8.8 8.8.4.4

dhcpd lease 3000

!

dhcpd address 192.168.1.100 - 192.168.1.130 inside

dhcpd allow inside

!

a basic threat threat detection

host of statistical threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

allow outside

SVC disk0:/anyconnect-win-2.4.1012-k9.pkg 1 image

enable SVC

internal sslwood group policy

attributes of the strategy of group sslwood

VPN-tunnel-Protocol svc webvpn

WebVPN

list of URLS no

internal group woodgroup strategy

woodgroup group policy attributes

value of server DNS 8.8.8.8 8.8.4.4

Protocol-tunnel-VPN IPSec

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list woodgroup_splitTunnelAcl_1

mrkylewood encrypted Q4339wmn1ourxj9X privilege 15 password username

username mrkylewood attributes

VPN-group-policy sslwood

VPN - connections 3

VPN-tunnel-Protocol svc webvpn

value of group-lock sslwood

WebVPN

SVC request no webvpn default

tunnel-group woodgroup type remote access

tunnel-group woodgroup General attributes

address pool Kyle

Group Policy - by default-woodgroup

tunnel-group woodgroup ipsec-attributes

pre-shared key *.

type tunnel-group sslwood remote access

tunnel-group sslwood General-attributes

address pool Kyle

authentication-server-group (inside) LOCAL

authentication-server-group (outside LOCAL)

Group Policy - by default-sslwood

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the netbios

inspect the rsh

inspect the rtsp

inspect the skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect the tftp

inspect the sip

inspect xdmcp

Review the ip options

type of policy-card inspect dns MY_DNS_INSPECT_MAP

parameters

!

global service-policy global_policy

context of prompt hostname

call-home

Profile of CiscoTAC-1

no active account

http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

email address of destination [email protected] / * /

http https://tools.cisco.com/its/service/...es/DDCEService destination address

destination-mode http transport

Subscribe to alert-group diagnosis

Subscribe to alert-group environment

Subscribe to alert-group monthly periodic inventory

monthly periodicals to subscribe to alert-group configuration

daily periodic subscribe to alert-group telemetry

Cryptochecksum:6fa8db79bcf695080cbdc1159b409360

: end

asawood (config) #.

You also need to add the following:

WebVPN

tunnel-group-list activate

output

tunnel-group sslwood webvpn-attributes

activation of the Group sslwood alias

Let us know if it works.

Customer Cisco IPSec vpn cisco ios router <>==

Hello

I need to implement ipsec vpn for all users of 10-15. They all use the vpn cisco 5.x client and we have a router for cisco ios at the office. We already have a situation of work for these users. However, it has become a necessity which known only devices (laptops company) are allowed to install a virtual private network.

I think that the only way to achieve this is to use certificates. But we don't won't to buy certificates if there is a free way to implement. So my question is

(1) what are the options I have to configure vpn ipsec, where only known devices can properly configure a vpn and all unknown devices are blocked?

(2) if the certificate is the only way. Can I somehow produce these certificates myself using cisco router ios?

(3) someone at - it an example of a similar installation/configuration?

Thanks in advance.

Kind regards

M.

Unfortunately if you connect to the router IOS, there is no other way except using the certificate. If you connect to a Cisco ASA firewall, then you can identify the laptop company using DAP (Dynamic Access Policy).

IPSec vpn ios - pix problem

Similar Questions

Maybe you are looking for