IPSec vpn - no selected proposal
Hello:
I am facing a problem in the configuration of the ipsec vpn on my 7200 router. It's a site to customer topology as shown below.
The request from my pc, R2' isa crypto log:
R2 #debug crypto isakmp
Crypto ISAKMP debug is on
R2 #.
R2 #.
R2 #.
* 22:41:59.871 6 April: ISAKMP (0): received 66.66.66.52 packet dport 500 sport 500 SA NEW Global (N)
* 22:41:59.879 6 April: ISAKMP: created a struct peer 66.66.66.52, peer port 500
* 22:41:59.879 6 April: ISAKMP: new created position = 0x67E98D84 peer_handle = 0 x 80000002
* 22:41:59.883 6 April: ISAKMP: lock struct 0x67E98D84, refcount 1 to peer crypto_isakmp_process_block
* 22:41:59.887 6 April: ISAKMP: 500 local port, remote port 500
* 22:41:59.891 6 April: ISAKMP: (0): insert his with his 67E5DCD8 = success
* 22:41:59.911 6 April: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 22:41:59.911 6 April: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM1
* 6 April 22:41:59.931: ISAKMP: (0): treatment ITS payload. Message ID = 0
* 6 April 22:41:59.935: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.939: ISAKMP: (0): IKE frag vendor processing id payload
* 6 April 22:41:59.939: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.943: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
* 22:41:59.947 6 April: ISAKMP (0): provider ID is NAT - T RFC 3947
* 6 April 22:41:59.947: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.951: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
* 6 April 22:41:59.955: ISAKMP: (0): provider ID is NAT - T v2
* 6 April 22:41:59.959: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.959: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
* 6 April 22:41:59.963: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.967: ISAKM
R2 #P: (0): provider ID seems the unit/DPD but major incompatibility of 241
* 6 April 22:41:59.971: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.971: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 184
* 6 April 22:41:59.975: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:41:59.979: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 134
* 22:41:59.983 6 April: ISAKMP: (0): pair found pre-shared key matching 66.66.66.52
* 6 April 22:41:59.987: ISAKMP: (0): pre-shared key local found
* 22:41:59.987 6 April: ISAKMP: analysis of the profiles for xauth...
* 22:41:59.991 6 April: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 10
* 22:41:59.995 6 April: ISAKMP: AES - CBC encryption
* 22:41:59.995 6 April: ISAKMP: keylength 256
* 22:41:59.999 6 April: ISAKMP: SHA hash
* 22:41:59.999 6 April: ISAKMP: unknown group of DH 20
* 22:41:59.999 6 April: ISAKMP: pre-shared key auth
* 22:42:00.003 6 April: ISAKMP: type of life in seconds
* 22:42:00.003 6 April: ISAKMP:
R2 # life expectancy (IPV) 0 x 0 0 x 0 0 x 70 0x80
* 22:42:00.011 6 April: ISAKMP: (0): free encryption algorithm does not match policy.
* 22:42:00.011 6 April: ISAKMP: (0): atts are not acceptable. Next payload is 3
* 22:42:00.011 6 April: ISAKMP: (0): audit ISAKMP transform 2 against the policy of priority 10
* 22:42:00.011 6 April: ISAKMP: AES - CBC encryption
* 22:42:00.011 6 April: ISAKMP: keylength 128
* 22:42:00.011 6 April: ISAKMP: SHA hash
* 22:42:00.011 6 April: ISAKMP: Diffie-Hellman group unknown 19
* 22:42:00.011 6 April: ISAKMP: pre-shared key auth
* 22:42:00.011 6 April: ISAKMP: type of life in seconds
* 22:42:00.011 6 April: ISAKMP: life (IPV) 0 x 0 0 x 0 0 x 70 0x80
* 22:42:00.011 6 April: ISAKMP: (0): free encryption algorithm does not match policy.
* 22:42:00.011 6 April: ISAKMP: (0): atts are not acceptable. Next payload is 3
* 22:42:00.011 6 April: ISAKMP: (0): audit ISAKMP transform 3 against the policy of priority 10
R2 #r 6 22:42:00.011: ISAKMP: AES - CBC encryption
* 22:42:00.011 6 April: ISAKMP: keylength 256
* 22:42:00.011 6 April: ISAKMP: SHA hash
* 22:42:00.011 6 April: ISAKMP: Diffie-Hellman group 14 unknown
* 22:42:00.011 6 April: ISAKMP: pre-shared key auth
* 22:42:00.011 6 April: ISAKMP: type of life in seconds
* 22:42:00.011 6 April: ISAKMP: life (IPV) 0 x 0 0 x 0 0 x 70 0x80
* 22:42:00.011 6 April: ISAKMP: (0): free encryption algorithm does not match policy.
* 22:42:00.011 6 April: ISAKMP: (0): atts are not acceptable. Next payload is 3
* 22:42:00.011 6 April: ISAKMP: (0): audit ISAKMP transform 4 against the policy of priority 10
* 22:42:00.011 6 April: ISAKMP: 3DES-CBC encryption
* 22:42:00.011 6 April: ISAKMP: SHA hash
* 22:42:00.011 6 April: ISAKMP: Diffie-Hellman group 14 unknown
* 22:42:00.011 6 April: ISAKMP: pre-shared key auth
* 22:42:00.011 6 April: ISAKMP: type of life in seconds
* 22:42:00.011 6 April: ISAKMP: life (IPV) 0 x 0 0 x 0 0 x 70 0x80
* 22:42:00.011 6 April: ISAKMP: (0): offered hash algorithm is
R2 # does not match policy.
* 22:42:00.011 6 April: ISAKMP: (0): atts are not acceptable. Next payload is 3
* 22:42:00.011 6 April: ISAKMP: (0): audit ISAKMP transform against the policy of priority 10 5
* 22:42:00.011 6 April: ISAKMP: 3DES-CBC encryption
* 22:42:00.011 6 April: ISAKMP: SHA hash
* 22:42:00.011 6 April: ISAKMP: group by default 2
* 22:42:00.011 6 April: ISAKMP: pre-shared key auth
* 22:42:00.011 6 April: ISAKMP: type of life in seconds
* 22:42:00.015 6 April: ISAKMP: life (IPV) 0 x 0 0 x 0 0 x 70 0x80
* 22:42:00.019 6 April: ISAKMP: (0): offered hash algorithm does not match policy.
* 22:42:00.023 6 April: ISAKMP: (0): atts are not acceptable. Next payload is 0
* 22:42:00.023 6 April: ISAKMP: (0): no offer is accepted!
* 6 April 22:42:00.027: ISAKMP: (0): phase 1 SA policy is not acceptable! (local 180.180.0.130 remote 66.66.66.52)
* 22:42:00.027 6 April: ISAKMP (0): increment the count of errors on his, try 1 of 5: construct_fail_ag_init
* 6 April 22:42:00.027: ISAKMP: (0): has no
R2 #construct AG information message.
* 6 April 22:42:00.027: ISAKMP: (0): lot of 66.66.66.52 sending my_port 500 peer_port 500 (R) MM_NO_STATE
* 22:42:00.027 6 April: ISAKMP: (0): sending a packet IPv4 IKE.
* 22:42:00.031 6 April: ISAKMP: (0): the peer is not paranoid KeepAlive.
* 22:42:00.035 6 April: ISAKMP: (0): removal of reason HIS State "Policy of ITS phase 1 not accepted" (R) MM_NO_STATE (post 66.66.66.52)
* 6 April 22:42:00.039: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): IKE frag vendor processing id payload
* 6 April 22:42:00.039: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
* 22:42:00.039 6 April: ISAKMP (0): provider ID is NAT - T RFC 3947
* 6 April 22:42:00.039: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
* 6 April 22:42:00.039: ISAKMP: (0): provider ID is NAT - T v2
* 6 April 22:42:00.039: ISAKMP: (0)
R2 #: load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
* 6 April 22:42:00.039: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 241
* 6 April 22:42:00.039: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 184
* 6 April 22:42:00.039: ISAKMP: (0): load useful vendor id of treatment
* 6 April 22:42:00.039: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 134
* 22:42:00.039 6 April: ISAKMP (0): action of WSF returned the error: 2
* 22:42:00.039 6 April: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
* 22:42:00.039 6 April: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1
* 22:42:00.059 6 April: ISAKMP: (0): removal of reason HIS State "Policy of ITS phase 1 not accepted" (R) MM_NO_STATE (post 66.66.66.52)
* 22:42:00.059 6 April: ISAKMP: unlock counterpart struct 0x67E98D84 for isadb_m
R2 #ark_sa_deleted (), count 0
* 22:42:00.067 6 April: ISAKMP: delete peer node by peer_reap for 66.66.66.52: 67E98D84
* 22:42:00.071 6 April: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
* 22:42:00.075 6 April: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_DEST_SA
* 22:42:00.087 6 April: ISAKMP: (0): removal of HIS right State 'No reason' (R) MM_NO_STATE (post 66.66.66.52)
* 22:42:00.087 6 April: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
* 22:42:00.087 6 April: ISAKMP: (0): former State = new State IKE_DEST_SA = IKE_DEST_SA
* 22:42:00.895 6 April: ISAKMP (0): received 66.66.66.52 packet 500 Global 500 (R) sport dport MM_NO_STATE
* 22:42:02.911 6 April: ISAKMP (0): received 66.66.66.52 packet 500 Global 500 (R) sport dport MM_NO_STATE
R2 #.
* 22:43:00.087 6 April: ISAKMP: (0): serving SA., his is 67E5DCD8, delme is 67E5DCD8
R2 #.
And when I capture on my pc, I got:
I don't know why, waiting for you helps nicely, thank you very much!
I think that what is wrong is your combination of your group of encryption, hashing and dh, try changing your sha instead of md5 hash table.
Tags: Cisco Security
Similar Questions
-
Problem Cisco 2811 with L2TP IPsec VPN
Hello. Sorry for my English. Help me please. I have problem with L2TP over IPsec VPN when I connect with Android phones. Even if I connect with laptop computers. I have Cisco 2811 - Cisco IOS software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4 (2) T2, (fc3) SOFTWARE VERSION. I configured on L2TP over IPsec VPN with Radius Authentication
My config:
!
AAA new-model
!
!
AAA authentication login default local
Ray of AAA for authentication ppp default local group
AAA authorization network default authenticated if
start-stop radius group AAA accounting network L2TP_RADIUS!
dhcp L2tp IP pool
network 192.168.100.0 255.255.255.0
default router 192.168.100.1
domain.local domain name
192.168.101.12 DNS server
18c0.a865.c0a8.6401 hexagonal option 121
18c0.a865.c0a8.6401 hexagonal option 249VPDN enable
!
VPDN-group sec_groupe
! Default L2TP VPDN group
accept-dialin
L2tp Protocol
virtual-model 1
no authentication of l2tp tunnelsession of crypto consignment
!
crypto ISAKMP policy 5
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 55
BA 3des
md5 hash
preshared authentication
Group 2ISAKMP crypto key... address 0.0.0.0 0.0.0.0
invalid-spi-recovery crypto ISAKMP
ISAKMP crypto keepalive 10 periodicals
!
life crypto ipsec security association seconds 28000
!
Crypto ipsec transform-set esp-3des esp-sha-hmac L2TP
transport mode
Crypto ipsec transform-set esp-3des esp-md5-hmac 3DESMD5
need transport mode
!!
!
crypto dynamic-map DYN - map 10
Set nat demux
game of transformation-L2TP
!
!
Crypto map 10 L2TP-VPN ipsec-isakmp dynamic DYN-mapinterface Loopback1
Description * L2TP GateWay *.
IP 192.168.100.1 address 255.255.255.255interface FastEthernet0/0
Description * Internet *.
address IP 95.6... 255.255.255.248
IP access-group allow-in-of-wan in
IP access-group allows-off-of-wan on
no ip redirection
no ip unreachable
no ip proxy-arp
NAT outside IP
IP virtual-reassembly
IP route cache policy
automatic duplex
automatic speed
L2TP-VPN crypto card
!interface virtual-Template1
Description * PPTP *.
IP unnumbered Loopback1
IP access-group L2TP_VPN_IN in
AutoDetect encapsulation ppp
default IP address dhcp-pool L2tp peer
No keepalive
PPP mtu Adaptive
PPP encryption mppe auto
PPP authentication ms-chap-v2 callin
PPP accounting L2TP_RADIUSL2TP_VPN_IN extended IP access list
permit any any icmp echo
IP 192.168.100.0 allow 0.0.0.255 192.168.101.0 0.0.0.255
IP 192.168.100.0 allow 0.0.0.255 192.168.3.0 0.0.0.255
allow udp any any eq bootps
allow udp any any eq bootpc
deny ip any any journal entryRADIUS-server host 192.168.101.15 auth-port 1812 acct-port 1813
RADIUS server retry method reorganize
RADIUS server retransmit 2
Server RADIUS 7 key...Debugging shows me
234195: * 3 Feb 18:53:38: ISAKMP (0:0): received 93.73.161.229 packet dport 500 sport 500 SA NEW Global (N)
234196: * 3 Feb 18:53:38: ISAKMP: created a struct peer 93.73.161.229, peer port 500
234197: * 3 Feb 18:53:38: ISAKMP: new position created post = 0x47D305BC peer_handle = 0x80007C5F
234198: * 3 Feb 18:53:38: ISAKMP: lock struct 0x47D305BC, refcount 1 to peer crypto_isakmp_process_block
234199: * 3 Feb 18:53:38: ISAKMP: 500 local port, remote port 500
234200: * 3 Feb 18:53:38: insert his with his 480CFF64 = success
234201: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
234202: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM1
234203: * 3 Feb 18:53:38: ISAKMP: (0): treatment ITS payload. Message ID = 0
234204: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234205: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
234206: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234207: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
234208: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234209: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
234210: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is NAT - T v2
234211: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234212: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
234213: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234214: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
234215: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234216: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is DPD
234217: * 3 Feb 18:53:38: ISAKMP: (0): looking for a key corresponding to 93.73.161.229 in default
234218: * 3 Feb 18:53:38: ISAKMP: (0): success
234219: * 3 Feb 18:53:38: ISAKMP: (0): pair found pre-shared key matching 93.73.161.229
234220: * 3 Feb 18:53:38: ISAKMP: (0): pre-shared key local found
234221: * 3 Feb 18:53:38: ISAKMP: analysis of the profiles for xauth...
234222: * 3 Feb 18:53:38: ISAKMP: (0): audit ISAKMP transform 1 against policy priority 5
234223: * 3 Feb 18:53:38: ISAKMP: type of life in seconds
234224: * 3 Feb 18:53:38: ISAKMP: life (basic) of 28800
234225: * 3 Feb 18:53:38: ISAKMP: 3DES-CBC encryption
234226: * 3 Feb 18:53:38: ISAKMP: pre-shared key auth
234227: * 3 Feb 18:53:38: ISAKMP: SHA hash
234228: * 3 Feb 18:53:38: ISAKMP: group by default 2
234229: * 3 Feb 18:53:38: ISAKMP: (0): atts are acceptable. Next payload is 3
234230: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234231: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
234232: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234233: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
234234: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234235: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
234236: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is NAT - T v2
234237: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234238: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
234239: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234240: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
234241: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234242: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is DPD
234243: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
234244: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1234245: * 3 Feb 18:53:38: ISAKMP: (0): built the seller-02 ID NAT - t
234246: * 3 Feb 18:53:38: ISAKMP: (0): lot of 93.73.161.229 sending my_port 500 peer_port 500 (R) MM_SA_SETUP
234247: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
234248: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM2234249: * 3 Feb 18:53:38: ISAKMP (0:0): received 93.73.161.229 packet 500 Global 500 (R) sport dport MM_SA_SETUP
234250: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
234251: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM2 = IKE_R_MM3234252: * 3 Feb 18:53:38: ISAKMP: (0): processing KE payload. Message ID = 0
234253: * 3 Feb 18:53:38: crypto_engine: create DH shared secret
234254: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_DH_SHARE_SECRET (hw) (ipsec)
234255: * 3 Feb 18:53:38: ISAKMP: (0): processing NONCE payload. Message ID = 0
234256: * 3 Feb 18:53:38: ISAKMP: (0): looking for a key corresponding to 93.73.161.229 in default
234257: * 3 Feb 18:53:38: ISAKMP: (0): success
234258: * 3 Feb 18:53:38: ISAKMP: (0): pair found pre-shared key matching 93.73.161.229
234259: * 3 Feb 18:53:38: crypto_engine: create IKE SA
234260: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_SA_CREATE (hw) (ipsec)
234261: * 3 Feb 18:53:38: ISAKMP: receives the payload type 20
234262: * 3 Feb 18:53:38: ISAKMP: receives the payload type 20
234263: * 3 Feb 18:53:38: ISAKMP (0:5912): NAT found, the node outside NAT
234264: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
234265: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM3 = IKE_R_MM3234266: * 3 Feb 18:53:38: ISAKMP: (5912): lot of 93.73.161.229 sending my_port 500 peer_port 500 (R) MM_KEY_EXCH
234267: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
234268: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM3 = IKE_R_MM4234269: * 3 Feb 18:53:38: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) MM_KEY_EXCH sport
234270: * 3 Feb 18:53:38: crypto_engine: package to decipher IKE
234271: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234272: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
234273: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM4 = IKE_R_MM5234274: * 3 Feb 18:53:38: ISAKMP: (5912): payload ID for treatment. Message ID = 0
234275: * 3 Feb 18:53:38: ISAKMP (0:5912): payload ID
next payload: 8
type: 1
address: 192.168.1.218
Protocol: 17
Port: 500
Length: 12
234276: * 3 Feb 18:53:38: ISAKMP: (5912): peer games * no * profiles
234277: * 3 Feb 18:53:38: ISAKMP: (5912): HASH payload processing. Message ID = 0
234278: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
234279: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234280: * 3 Feb 18:53:38: ISAKMP: (5912): SA authentication status:
authenticated
234281: * 3 Feb 18:53:38: ISAKMP: (5912): SA has been authenticated with 93.73.161.229
234282: * 3 Feb 18:53:38: ISAKMP: (5912): port detected floating port = 4500
234283: * 3 Feb 18:53:38: ISAKMP: attempts to insert a peer and inserted 95.6.../93.73.161.229/4500/ 47D305BC successfully.
234284: * 3 Feb 18:53:38: ISAKMP: (5912): IKE_DPD is enabled, the initialization of timers
234285: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
234286: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM5 = IKE_R_MM5234287: * 3 Feb 18:53:38: ISAKMP: (5912): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
234288: * 3 Feb 18:53:38: ISAKMP (0:5912): payload ID
next payload: 8
type: 1
address: 95.6...
Protocol: 17
Port: 0
Length: 12
234289: * 3 Feb 18:53:38: ISAKMP: (5912): the total payload length: 12
234290: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
234291: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234292: * 3 Feb 18:53:38: crypto_engine: package to encrypt IKE
routerindc #.
234293: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT (hw) (ipsec)
234294: * 3 Feb 18:53:38: ISAKMP: (5912): lot of 93.73.161.229 sending peer_port my_port 4500 4500 (R) MM_KEY_EXCH
234295: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
234296: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE234297: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
234298: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE234299: * 3 Feb 18:53:38: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
234300: * 3 Feb 18:53:38: ISAKMP: node set-893966165 to QM_IDLE
234301: * 3 Feb 18:53:38: crypto_engine: package to decipher IKE
234302: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234303: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
234304: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234305: * 3 Feb 18:53:38: ISAKMP: (5912): HASH payload processing. Message ID =-893966165
234306: * 3 Feb 18:53:38: ISAKMP: (5912): treatment protocol NOTIFIER INITIAL_CONTACT 1
SPI 0, message ID =-893966165, his 480CFF64 =
234307: * 3 Feb 18:53:38: ISAKMP: (5912): SA authentication status:
authenticated
234308: * 3 Feb 18:53:38: ISAKMP: (5912): process of first contact.
dropping existing phase 1 and 2 with 95.6 local... 93.73.161.229 remote remote port 4500
234309: * 3 Feb 18:53:38: ISAKMP: (5912): node-893966165 error suppression FALSE reason 'informational (en) State 1.
234310: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
234311: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE234312: * 3 Feb 18:53:38: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234313: * 3 Feb 18:53:39: % s-6-IPACCESSLOGRL: registration of limited or missed rates 150 packages of access list
234314: * 3 Feb 18:53:39: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
234315: * 3 Feb 18:53:39: ISAKMP: node set-1224389198 to QM_IDLE
234316: * 3 Feb 18:53:39: crypto_engine: package to decipher IKE
234317: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234318: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
234319: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234320: * 3 Feb 18:53:39: ISAKMP: (5912): HASH payload processing. Message ID =-1224389198
234321: * 3 Feb 18:53:39: ISAKMP: (5912): treatment ITS payload. Message ID =-1224389198
234322: * 3 Feb 18:53:39: ISAKMP: (5912): proposal of IPSec checking 1
234323: * 3 Feb 18:53:39: ISAKMP: turn 1, ESP_3DES
234324: * 3 Feb 18:53:39: ISAKMP: attributes of transformation:
234325: * 3 Feb 18:53:39: ISAKMP: type of life in seconds
234326: * 3 Feb 18:53:39: ISAKMP: life of HIS (basic) of 28800
234327: * 3 Feb 18:53:39: ISAKMP: program is 61444 (Transport-UDP)
234328: * 3 Feb 18:53:39: ISAKMP: authenticator is HMAC-SHA
234329: * 3 Feb 18:53:39: CryptoEngine0: validate the proposal
234330: * 3 Feb 18:53:39: ISAKMP: (5912): atts are acceptable.
234331: * 3 Feb 18:53:39: IPSEC (validate_proposal_request): part #1 of the proposal
(Eng. msg key.) Local INCOMING = 95.6..., distance = 93.73.161.229,.
local_proxy = 95.6.../255.255.255.255/17/1701 (type = 1),
remote_proxy = 93.73.161.229/255.255.255.255/17/0 (type = 1),
Protocol = ESP, transform = esp-3des esp-sha-hmac (UDP Transport),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
234332: * 3 Feb 18:53:39: map_db_find_best found no corresponding card
234333: * 3 Feb 18:53:39: ISAKMP: (5912): processing NONCE payload. Message ID =-1224389198
234334: * 3 Feb 18:53:39: ISAKMP: (5912): payload ID for treatment. Message ID =-1224389198
234335: * 3 Feb 18:53:39: ISAKMP: (5912): payload ID for treatment. Message ID =-1224389198
234336: * 3 Feb 18:53:39: ISAKMP: (5912): ask 1 spis of ipsec
234337: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
234338: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_READY = IKE_QM_SPI_STARVE
234339: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234340: * 3 Feb 18:53:39: IPSEC (spi_response): spi getting 834762579 for SA
of 95.6... to 93.73.161.229 for prot 3
234341: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
234342: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234343: * 3 Feb 18:53:39: crypto_engine: create Security Association IPSec (by QM)
routerindc #.
234344: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE (hw) (ipsec)
234345: * 3 Feb 18:53:39: crypto_engine: create Security Association IPSec (by QM)
234346: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE (hw) (ipsec)
234347: * 3 Feb 18:53:39: ISAKMP: (5912): establishing IPSec security associations
234348: * 3 Feb 18:53:39: from 93.73.161.229 to 95.6 SA... (f / i) 0 / 0
(93.73.161.229 to 95.6 proxy...)
234349: * 3 Feb 18:53:39: spi 0x31C17753 and id_conn a 0
234350: * 3 Feb 18:53:39: life of 28800 seconds
234351: * 3 Feb 18:53:39: ITS 95.6 outgoing... to 93.73.161.229 (f / i) 0/0
(proxy 95.6... to 93.73.161.229)
234352: * 3 Feb 18:53:39: spi 0x495A4BD and id_conn a 0
234353: * 3 Feb 18:53:39: life of 28800 seconds
234354: * 3 Feb 18:53:39: crypto_engine: package to encrypt IKE
234355: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT (hw) (ipsec)
234356: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234357: * 3 Feb 18:53:39: map_db_find_best found no corresponding card
234358: * 3 Feb 18:53:39: IPSec: rate allocated for brother 80000273 Flow_switching
234359: * 3 Feb 18:53:39: IPSEC (policy_db_add_ident): 95.6..., src dest 93.73.161.229, dest_port 4500234360: * 3 Feb 18:53:39: IPSEC (create_sa): its created.
(his) sa_dest = 95.6..., sa_proto = 50.
sa_spi = 0x31C17753 (834762579).
sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 1165
234361: * 3 Feb 18:53:39: IPSEC (create_sa): its created.
(his) sa_dest = 93.73.161.229, sa_proto = 50,.
sa_spi = 0x495A4BD (76915901).
sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 1166
234362: * 3 Feb 18:53:39: ISAKMP: (5912): lot of 93.73.161.229 sending peer_port my_port 4500 4500 (R) QM_IDLE
234363: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
234364: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_SPI_STARVE = IKE_QM_R_QM2
234365: * 3 Feb 18:53:39: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
234366: * 3 Feb 18:53:39: crypto_engine: package to decipher IKE
234367: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234368: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
234369: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
routerindc #.
234370: * 3 Feb 18:53:39: ISAKMP: (5912): node-1224389198 error suppression FALSE reason 'QM (wait).
234371: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
234372: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
234373: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234374: * 3 Feb 18:53:39: IPSEC (key_engine_enable_outbound): rec would notify of ISAKMP
234375: * 3 Feb 18:53:39: IPSEC (key_engine_enable_outbound): select SA with spinnaker 76915901/50
234376: * 3 Feb 18:53:40: IPSEC (epa_des_crypt): decrypted packet has no control of her identity
routerindc #.
234377: * 3 Feb 18:53:42: IPSEC (epa_des_crypt): decrypted packet has no control of her identity
routerindc #.
234378: * 3 Feb 18:53:44: IPSEC (epa_des_crypt): decrypted packet has no control of her identityAlso when I connect with the phone, I see HIS Active and IPsec tunnel is mounted, but the wire of time tunnel is down and phone connects.
I hope that you will help me. Thank you.
Hi dvecherkin1,
Who IOS you're running, you could hit the next default.
https://Tools.Cisco.com/bugsearch/bug/CSCsg34166/?reffering_site=dumpcr
It may be useful
-Randy-
Evaluate the ticket to help others find the answer quickly.
-
Cisco and Checkpoint - no selected proposal
Hello
We had a working IPSEC VPN between router IOS and Checkpoint FW group. Now, after you add host entries in the ACL, we did get "no selected proposal.
My question:
=> Can we use more than an entry in an ACL, attached to a card encryption?<>
Like this for example:
access-list 125 allow ip 172.17.17.160 0.0.0.31 4.72.0.0 0.0.255.255
access-list 125 allow ip 172.17.18.0 0.0.0.31 4.72.0.0 0.0.255.255
access-list 125 allow ip 172.17.18.0 0.0.0.31 host 4.14.6.243
access-list 125 allow ip 172.17.18.0 0.0.0.31 host 4.50.50.4
access-list 125 allow ip 172.17.18.0 0.0.0.31 host 4.26.13.5
...
Hi Richi
Hi Richi,
Yes, you can use more than one ACL entry, but the ACL must be symmetric across the VPN.
Thus, for example
access-list 125 allow ip 172.17.18.0 0.0.0.31 host 4.26.13.5
should be on the other side:
access-list 125 permit host ip 4.26.13.5 172.17.18.0 0.0.0.31
Have you checked that you have symmetrical access lists?
It will be useful,
Paulo
-
Cisco RV220W IPSec VPN problem Local configuration for any config mode
Dear all,
I need help, I am currently evaluating RV220W for VPN usage but I'm stuck with the config somehow, it seems that there is a problem with the Mode-Config?
What needs to be changed or where is my fault?
I have installed IPSec according to the RV220W Administrator's Guide. Client's Mac with Mac Cisco IPSec VPN, I also tried NCP Secure Client.
I have 3 other sites where the config on my Mac works fine, but the Cisco VPN router is not.
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: remote for found identifier "remote.com" configuration
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: application received for the negotiation of the new phase 1: x.x.x.x [500]<=>2.206.0.67 [53056]
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: early aggressive mode.
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: RFC 3947
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: CISCO - UNITY
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: DPD
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: for 2.206.0.67 [53056], version selected NAT - T: RFC 39472013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: floating ports NAT - t with peer 2.206.0.67 [52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT - D payload is x.x.x.x [4500]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT - D payload does not match for 2.206.0.67 [52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT detected: Peer is behind a NAT device
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: request sending Xauth for 2.206.0.67 [52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: ISAKMP Security Association established for x.x.x.x [4500] - 2.206.0.67 [52149] with spi: 1369a43b6dda8a7d:fd874108e09e207e
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: type of the attribute "ISAKMP_CFG_REPLY" from 2.206.0.67 [52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: connection for the user "Testuser".
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: type of the attribute "ISAKMP_CFG_REQUEST" from 2.206.0.67 [52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: ignored attribute 5
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: attribute ignored 28678
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode=>
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: attribute ignored 28683
2013-03-07 01:56:07: [CiscoFirewall] [IKE] INFO: purged-with proto_id = ISAKMP and spi = 1369a43b6dda8a7d:fd874108e09e207e ISAKMP Security Association.
2013-03-07 01:56:08: [CiscoFirewall] [IKE] INFO: ISAKMP Security Association deleted for x.x.x.x [4500] - 2.206.0.67 [52149] with spi: 1369a43b6dda8a7d:fd874108e09e207e
Hi Mike, the built-in client for MAC does not work with the RV220W. The reason is, the MAC IPSec client is the same as the Cisco VPN 5.x client.
The reason that this is important is that the 5.x client work that on certain small business products include the SRP500 and SA500 series.
I would recommend that you search by using a client VPN as Greenbow or IPSecuritas.
-Tom
Please mark replied messages useful -
Hello, hope you can help me:
I need to configure an IPSEC VPN on an ASA5505, with one. PFX certificate to authenticate with the VPN endpoint. I can install the certificate as a certificate authority, but when I use the VPN Site - to - Site Wizard, I put the IP address peer, afterI try to select the certificate that is downloaded, but when I click on the name of the certificate, there is no certificate
I don't I can solve this problem?
Thanks to all in advance
Hello
Do you see the certificate imported as cert ID? If so, you can follow this guide
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
HTH
Averroès.
-
Hi dude, I want to address this topic to understand ipsec VPN throughput.
I have 1 router 1921 and 1 ASA 5510 behind the router. I want to set up remote access on ASA firewall by traffic shaping router forwards (port UDP 500 and UDP 4500 port). I have 1 public IP address and I already configure NAT on the router. In fact, I heard that IPsec cannot pass through the NAT. So if I want to configure VPN on SAA, it is possible to do? All the guys comment on and propose your idea to me. Thanks for your reply.Hello
When you say, you have a public IP address. Is this address IP is assigned to the interface of the router or not attributed distinct IP address.
If its not assigned public IP address, you can make static NAT with ASA outside the IP address to a public IP address on your router as below
{100.100.x.x}fa0/0<-(R1)->fa0/1{192.168.100.1}<------->{192.168.100.2}eth0/0(ASA)eth0/1{172.16.01}
IP nat inside source 192.168.100.2 static 100.100.x.x
This way you have full IP to IP NAT.
If you got the only IP address that is assigned to the interface of the router then you will need to nat as port said
For VPN gateways running versions of the Cisco IOS software prior to version 12.2 (13) T, the functionality of IPSec passthrough is required on the router that runs PAT to enable payload ESP (Encapsulating Security) through.
Note: This feature is called IPSec through NAT (NAT) network support Advisory software (registered only customers).
In order to initiate the tunnel of the local counterpart (PATed), no configuration is necessary. In order to initiate the tunnel of the remote peer, these commands are needed:
IP nat inside source static esp inside_ip interface, interface
IP nat inside source udp static inside_ip 500 interface interface 500
For VPN gateways that run a version of the Cisco IOS software later than 12.2 (13) T, IPSec traffic is encapsulated in data protocol packets UDP (User) port 4500. This feature is called IPSec NAT transparency . In order to initiate the tunnel of the local counterpart (PATed), no configuration is necessary.
In order to initiate the tunnel of the remote peer, these commands are needed:
IP nat inside source udp static inside_ip 4500 4500 interface interface
IP nat inside source udp static inside_ip 500 interface interface 500
HTH
Sandy
------->-(R1)-> -
I have an asa 5505 connected to another asa in the main site. the ipsec vpn is established and on the side of a remote client, I can use a static IP of this subnet addreess and browse the web and access and ping with the main site inside response.
However, I can't receive any ip from the dhcp server, even if it is enabled on the asa 5505. If I put in a static IP address all right, but that's not realistic. Here is the config on the 5505. Thank you.
ASA Version 9.1 (4)
!
ASA5505 hostname
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
Description of Access Point
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 10.25.40.200 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 15.15.15.35 255.255.255.0
!
boot system Disk0: / asa914 - k8.bin
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network of the NETWORK_OBJ_10.25.40.0_24 object
10.25.40.0 subnet 255.255.255.0
the object of the 10.0.0.0 network
subnet 10.0.0.0 255.0.0.0
network of 10.1.0.0 object
10.1.0.0 subnet 255.255.0.0
access extensive list ip 10.25.40.0 inside_nat0_outbound allow 255.255.255.0 any
Inside_access_in of access allowed any ip an extended list
Inside_access_in list extended access permit icmp any one
access extensive list ip 10.25.40.0 outside_cryptomap allow 255.255.255.0 any
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 721.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NETWORK_OBJ_10.25.40.0_24 NETWORK_OBJ_10.25.40.0_24 Shared source (indoor, outdoor) destination NAT static 10.1.0.0 10.1.0.0 route no-proxy-arp-search
Route outside 0.0.0.0 0.0.0.0 15.15.15.3. 1
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http server
http 10.1.0.0 255.255.255.0 inside
http 10.1.11.0 255.255.255.0 inside
http 10.25.40.0 255.255.255.0 inside
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
peer set card crypto outside_map 1 15.15.15.3.250
card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
management-access inside
vpnclient Server 15.15.15.3.250
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
L2TUN vpnclient vpngroup password
vpnclient L2LVPN username password
dhcpd outside auto_config
!
dhcprelay Server 10.1.0.1 outside
dhcprelay allow inside
dhcprelay setroute inside
time-out of 60 dhcprelay
a basic threat threat detection
threat detection statistics
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
attributes of Group Policy DfltGrpPolicy
VPN-tunnel-Protocol ikev1, ikev2 clientless ssl
GroupPolicy_15.15.15.3 group policy. internal
GroupPolicy_15.15.15.3 group policy. attributes
VPN-tunnel-Protocol ikev1, ikev2
tunnel-group 15.15.15.3. type ipsec-l2l
tunnel-group 15.15.15.3. IPSec-attributes
IKEv1 pre-shared-key
remote control-IKEv2 pre-shared-key authentication
pre-shared-key authentication local IKEv2
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
type of policy-card inspect scansafe https-pmap
parameters
httpstraffic of group by default
HTTPS
Policy-map global_policy
CFS-http-class description
class inspection_default
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the netbios
inspect the tftp
Review the ip options
type of policy-card inspect scansafe cws_https-pmap
parameters
httpstraffic of group by default
HTTPS
type of policy-card inspect scansafe cws_http_pmap
parameters
httptraffic of group by default
http
type of policy-card inspect scansafe http-pmap
parameters
httptraffic of group by default
http
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
: end
ASDM image disk0: / asdm - 721.bin
don't allow no asdm historyI did have to do it myself, but a message on this site (link) describes how we can make it work.
Unfortunately you will have to static NAT to 1-1 for address outside your local site, but in your case, this interface is itself dedicated DHCP.
Another solution would be to run a DHCP server on the itself 5505 vs relay on your primary DHCP server.
-
IPSec VPN between Cisco and ScreenOS
Hello
I'm trying to set up a simple IPSec VPN between a Cisco 2911 router and a Juniper Netscreen ScreenOS (not exactly now the model) device. Initially the debbuging seems good (QM_IDLE), but the ISAKMP Security Association is deleted.
The guy managing the Juniper device send me an extract from his diary:
###########################################################################
2012-08-28 10:24:16 info 00536 IKE Phase 2 msg ID
System 9b 839579: negotiations failed.
2012-08-28 10:24:16 info system 00536 rejected a package of IKE loopback.11
of
: 500 to 217.150.152.45:500 with cookies
87960e39d074ca49 and 9302d26c7ce324a5
because there is no acceptable Phase
2 proposals...
It has defined the following phase 2 proposals:
IKE the value p2-proposal "G2_esp_aes256_sha_1800s" group2 esp aes256-sha-1, 1800 second
###########################################################################
And I use these:
###########################################################################
crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 2
!
ISAKMP crypto key
address 217.150.152.45 Crypto ipsec transform-set esp - aes esp - aes 256 esp-sha-hmac
card crypto ipsec vpn 2 isakmp
Description * VPN Anbindung nach PKI in Magdeburg *.
defined by peer 217.150.152.45
define security-association life seconds 1800
the value of the transform-set esp - aes
match address PKI-TRAFFIC
!
###########################################################################
Here is my Log:
#################################################################################################################
28 August 08:23:46.416: ISAKMP: (0): profile of THE request is (NULL)
28 August 08:23:46.416: ISAKMP: created a struct peer 217.150.152.45, peer port 500
28 August 08:23:46.416: ISAKMP: new position created post = 0x2A2D7150 peer_handle = 0x8000003A
28 August 08:23:46.416: ISAKMP: lock struct 0x2A2D7150, refcount 1 to peer isakmp_initiator
28 August 08:23:46.416: ISAKMP: 500 local port, remote port 500
28 August 08:23:46.416: ISAKMP: set new node 0 to QM_IDLE
28 August 08:23:46.416: ISAKMP: (0): insert his with his 31627E04 = success
28 August 08:23:46.416: ISAKMP: (0): cannot start aggressive mode, try the main mode.
28 August 08:23:46.416: ISAKMP: (0): pair found pre-shared key matching 217.150.152.45
28 August 08:23:46.416: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
28 August 08:23:46.416: ISAKMP: (0): built the seller-07 ID NAT - t
28 August 08:23:46.416: ISAKMP: (0): built of NAT - T of the seller-03 ID
28 August 08:23:46.416: ISAKMP: (0): built the seller-02 ID NAT - t
28 August 08:23:46.416: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
28 August 08:23:46.416: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1
28 August 08:23:46.416: ISAKMP: (0): Beginner Main Mode Exchange
28 August 08:23:46.416: ISAKMP: (0): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) MM_NO_STATE
28 August 08:23:46.416: ISAKMP: (0): sending a packet IPv4 IKE.
28 August 08:23:46.448: ISAKMP (0): received 217.150.152.45 packet dport 500 sport Global 500 (I) MM_NO_STATE
28 August 08:23:46.448: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
28 August 08:23:46.448: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2
28 August 08:23:46.448: ISAKMP: (0): treatment ITS payload. Message ID = 0
28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment
28 August 08:23:46.448: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 239
28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment
28 August 08:23:46.448: ISAKMP: (0): provider ID is DPD
28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment
28 August 08:23:46.448: ISAKMP: (0): IKE frag vendor processing id payload
28 August 08:23:46.448: ISAKMP: (0): IKE Fragmentation support not enabled
28 August 08:23:46.448: ISAKMP: (0): pair found pre-shared key matching 217.150.152.45
28 August 08:23:46.448: ISAKMP: (0): pre-shared key local found
28 August 08:23:46.448: ISAKMP: analysis of the profiles for xauth...
28 August 08:23:46.448: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1
28 August 08:23:46.448: ISAKMP: AES - CBC encryption
28 August 08:23:46.448: ISAKMP: SHA hash
28 August 08:23:46.448: ISAKMP: group by default 2
28 August 08:23:46.448: ISAKMP: pre-shared key auth
28 August 08:23:46.448: ISAKMP: keylength 256
28 August 08:23:46.448: ISAKMP: type of life in seconds
28 August 08:23:46.448: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80
28 August 08:23:46.448: ISAKMP: (0): atts are acceptable. Next payload is 0
28 August 08:23:46.448: ISAKMP: (0): Acceptable atts: real life: 0
28 August 08:23:46.448: ISAKMP: (0): Acceptable atts:life: 0
28 August 08:23:46.448: ISAKMP: (0): fill atts in his vpi_length:4
28 August 08:23:46.448: ISAKMP: (0): fill atts in his life_in_seconds:86400
28 August 08:23:46.448: ISAKMP: (0): return real life: 86400
28 August 08:23:46.448: ISAKMP: (0): timer life Started: 86400.
28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment
28 August 08:23:46.448: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 239
28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment
28 August 08:23:46.448: ISAKMP: (0): provider ID is DPD
28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment
28 August 08:23:46.448: ISAKMP: (0): IKE frag vendor processing id payload
28 August 08:23:46.448: ISAKMP: (0): IKE Fragmentation support not enabled
28 August 08:23:46.448: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
28 August 08:23:46.448: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2
28 August 08:23:46.448: ISAKMP: (0): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) MM_SA_SETUP
28 August 08:23:46.448: ISAKMP: (0): sending a packet IPv4 IKE.
28 August 08:23:46.452: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
28 August 08:23:46.452: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3
28 August 08:23:46.484: ISAKMP (0): received 217.150.152.45 packet dport 500 sport Global 500 (I) MM_SA_SETUP
28 August 08:23:46.484: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
28 August 08:23:46.484: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4
28 August 08:23:46.484: ISAKMP: (0): processing KE payload. Message ID = 0
28 August 08:23:46.508: ISAKMP: (0): processing NONCE payload. Message ID = 0
28 August 08:23:46.508: ISAKMP: (0): pair found pre-shared key matching 217.150.152.45
28 August 08:23:46.508: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
28 August 08:23:46.508: ISAKMP: (1049): former State = new State IKE_I_MM4 = IKE_I_MM4
28 August 08:23:46.508: ISAKMP: (1049): send initial contact
28 August 08:23:46.508: ISAKMP: (1049): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
28 August 08:23:46.508: ISAKMP (1049): payload ID
next payload: 8
type: 1
address: 92.67.80.237
Protocol: 17
Port: 500
Length: 12
28 August 08:23:46.508: ISAKMP: (1049): the total payload length: 12
28 August 08:23:46.508: ISAKMP: (1049): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) MM_KEY_EXCH
28 August 08:23:46.508: ISAKMP: (1049): sending a packet IPv4 IKE.
28 August 08:23:46.508: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
28 August 08:23:46.508: ISAKMP: (1049): former State = new State IKE_I_MM4 = IKE_I_MM5
28 August 08:23:46.540: ISAKMP (1049): received 217.150.152.45 packet dport 500 sport Global 500 (I) MM_KEY_EXCH
28 August 08:23:46.540: ISAKMP: (1049): payload ID for treatment. Message ID = 0
28 August 08:23:46.540: ISAKMP (1049): payload ID
next payload: 8
type: 1
address: 217.150.152.45
Protocol: 17
Port: 500
Length: 12
28 August 08:23:46.540: ISAKMP: (0): peer games * no * profiles
28 August 08:23:46.540: ISAKMP: (1049): HASH payload processing. Message ID = 0
28 August 08:23:46.540: ISAKMP: (1049): SA authentication status:
authenticated
28 August 08:23:46.540: ISAKMP: (1049): SA has been authenticated with 217.150.152.45
28 August 08:23:46.540: ISAKMP: try inserting a peer
/217.150.152.45/500/ and inserted 2A2D7150 successfully. 28 August 08:23:46.540: ISAKMP: (1049): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
28 August 08:23:46.540: ISAKMP: (1049): former State = new State IKE_I_MM5 = IKE_I_MM6
28 August 08:23:46.540: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
28 August 08:23:46.540: ISAKMP: (1049): former State = new State IKE_I_MM6 = IKE_I_MM6
28 August 08:23:46.540: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
28 August 08:23:46.540: ISAKMP: (1049): former State = new State IKE_I_MM6 = IKE_P1_COMPLETE
28 August 08:23:46.540: ISAKMP: (1049): start Quick Mode Exchange, M - ID of 1582159006
28 August 08:23:46.552: ISAKMP: (1049): initiator QM gets spi
28 August 08:23:46.552: ISAKMP: (1049): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) QM_IDLE
28 August 08:23:46.552: ISAKMP: (1049): sending a packet IPv4 IKE.
28 August 08:23:46.552: ISAKMP: (1049): entrance, node-1582159006 = IKE_MESG_INTERNAL, IKE_INIT_QM
28 August 08:23:46.552: ISAKMP: (1049): former State = new State IKE_QM_READY = IKE_QM_I_QM1
28 August 08:23:46.552: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
28 August 08:23:46.552: ISAKMP: (1049): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
28 August 08:23:46.584: ISAKMP (1049): received 217.150.152.45 packet dport 500 sport Global 500 (I) QM_IDLE
28 August 08:23:46.584: ISAKMP: node set-452721455 to QM_IDLE
28 August 08:23:46.584: ISAKMP: (1049): HASH payload processing. Message ID =-452721455
28 August 08:23:46.584: ISAKMP: (1049): treatment protocol NOTIFIER PROPOSAL_NOT_CHOSEN 1
SPI 0, message ID =-452721455, his 0x31627E04 =
28 August 08:23:46.584: ISAKMP: (1049): peer does not paranoid KeepAlive.
28 August 08:23:46.584: ISAKMP: (1049): remove the reason for HIS "fatal Recevied of information' State (I) QM_IDLE (post 217.150.152.45)
28 August 08:23:46.584: ISAKMP: (1049): node-452721455 error suppression FALSE reason 'informational (en) State 1.
28 August 08:23:46.584: ISAKMP: (1049): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
28 August 08:23:46.584: ISAKMP: (1049): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
28 August 08:23:46.584: ISAKMP: node set 494253780 to QM_IDLE
28 August 08:23:46.584: ISAKMP: (1049): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) QM_IDLE
28 August 08:23:46.584: ISAKMP: (1049): sending a packet IPv4 IKE.
28 August 08:23:46.584: ISAKMP: (1049): purge the node 494253780
28 August 08:23:46.584: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
28 August 08:23:46.584: ISAKMP: (1049): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA
28 August 08:23:46.584: ISAKMP: (1049): remove the reason for HIS "fatal Recevied of information' State (I) QM_IDLE (post 217.150.152.45)
Intertoys_Zentrale_Waddinxveen_01 #.
28 August 08:23:46.584: ISAKMP: Unlocking counterpart struct 0x2A2D7150 for isadb_mark_sa_deleted(), count 0
28 August 08:23:46.584: ISAKMP: delete peer node by peer_reap for 217.150.152.45: 2A2D7150
28 August 08:23:46.584: ISAKMP: (1049): node-1582159006 error suppression FALSE reason 'IKE deleted.
28 August 08:23:46.584: ISAKMP: (1049): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
28 August 08:23:46.584: ISAKMP: (1049): former State = new State IKE_DEST_SA = IKE_DEST_SA
#################################################################################################################
Is there something special that needs to be addressed when creating a VPN for Juniper devices?
Greetings
Thomas
The peer IPSec a PFS enabled, do the same in your crypto-map:
card crypto ipsec vpn 2 isakmp
PFS group2 Set
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni -
Hello
I just upgraded to macOS Sierra and built-in Cisco IPsec VPN no longer works. When you try to connect, I get a "cannot validate the certificate of the server. "Check your settings and try to reconnect" error message. I use Cisco ASA with self-signed certificates and everything worked fine with previous versions of OS X.
Please help me, I need my VPN Thx a lot
I am having the same problem with StrongSwan and help cert signed with the channel to complete certificates included in the pkcs12 file imported to the keychain. It was working properly in El Capitan, but now broken in the Sierra.
-
Hi guys,.
Tried to set up an ipsec VPN LAN - LAN between my WRV200 and WRVS4400N my companion. Filled all the relevant config... simple... but still nothing. They don't seem to connect. We are both on ADSL and using IP address by DNS. Routers are in the log file and try to establish the connection. Tried all the setting, both routers are configured the same. STILL NO JOY! Can anyone help, before having to migrate to a netgear or something nasty!
Sorry forgot to mention, using an AM200 modem in Bridge mode. It my router DHCP address direct WAN instead of NAT. The two systems are fixed the same where routers have outside the WAN address. The modem is transparent. I guess that NAT traversal in not required in that State.
-
Hello
First I must admit that I am not very versed in Cisco equipment or in general IPSEC connections so my apologies if I'm doing something really good obviously stupid, but I checked through any kind of things that I could find on the internet on the configuration of IPSEC VPN.
The setup I have is an asa 5520 (o/s 8.2) firewall which, for now, is connected to a temporary connection beautiful style home broadband for testing purposes. The netopia router is configured to allow ipsec passthrough and redirect 62515 UDP, TCP 10000, 4500 UDP, UDP 500 ports in the asa 5520.
I'm trying to connein out of a laptop with disabled windows firewall and vpn cisco 5.0.02.0090 client version.
I ran several attempts through the ipsec configuration wizard options. most of the time that nothing comes in the newspaper to show that a connection was attempted, but there is a way I can set up product options the following on the firewall log:
4. Sep 24 2010 | 13: 54:29 | 713903 | Group = VPNtest9, IP = 86.44.x.x, error: cannot delete PeerTblEntry
5: Sep 24 2010 | 13: 54:29 | 713902 | Group = VPNtest9, IP = 86.44.x.x, drop table homologous counterpart does not, no match!
6. Sep 24 2010 | 13: 54:21 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF
3: Sep 24 2010 | 13: 54:21 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.
6. Sep 24 2010 | 13: 54:16 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF
3: Sep 24 2010 | 13: 54:16 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.
6. Sep 24 2010 | 13: 54:11 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF
3: Sep 24 2010 | 13: 54:11 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
6. Sep 24 2010 | 13: 54:06 | 302015 | 86.44.x.x | 51905 | 192.168.0.27 | 500 | Built UDP inbound connection 7487 for Internet:86.44.x.x/51905 (86.44.x.x/51905) at identity:192.168.0.27/500 (192.168.0.27/500)
and this, in the journal of customer:
Cisco Systems VPN Client Version 5.0.02.0090
Copyright (C) 1998-2007 Cisco Systems, Inc.. All rights reserved.
Customer type: Windows, Windows NT
Running: 5.1.2600 Service Pack 3
24 13:54:08.250 24/09/10 Sev = Info/4 CM / 0 x 63100002
Start the login process
25 13:54:08.265 24/09/10 Sev = Info/4 CM / 0 x 63100004
Establish a secure connection
26 13:54:08.265 24/09/10 Sev = Info/4 CM / 0 x 63100024
Attempt to connect with the server "213.94.x.x".
27 13:54:08.437 24/09/10 Sev = Info/6 IKE/0x6300003B
Attempts to establish a connection with 213.94.x.x.
28 13:54:08.437 24/09/10 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) at 213.94.x.x
29 13:54:08.484 24/09/10 Sev = Info/4 IPSEC / 0 x 63700008
IPSec driver started successfully
30 13:54:08.484 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
31 13:54:13.484 24/09/10 Sev = Info/4 IKE / 0 x 63000021
Retransmit the last package!
32 13:54:13.484 24/09/10 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x
33 13:54:18.484 24/09/10 Sev = Info/4 IKE / 0 x 63000021
Retransmit the last package!
34 13:54:18.484 24/09/10 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x
35 13:54:23.484 24/09/10 Sev = Info/4 IKE / 0 x 63000021
Retransmit the last package!
36 13:54:23.484 24/09/10 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x
37 13:54:28.484 24/09/10 Sev = Info/4 IKE / 0 x 63000017
Marking of IKE SA delete (I_Cookie = 36C50ACCE984B0B0 R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
38 13:54:28.984 24/09/10 Sev = Info/4 IKE/0x6300004B
IKE negotiation to throw HIS (I_Cookie = 36C50ACCE984B0B0 R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
39 13:54:28.984 24/09/10 Sev = Info/4 CM / 0 x 63100014
Could not establish the Phase 1 SA with the server '213.94.x.x' due to the 'DEL_REASON_PEER_NOT_RESPONDING '.
40 13:54:28.984 24/09/10 Sev = Info/5 CM / 0 x 63100025
Initializing CVPNDrv
41 13:54:28.984 24/09/10 Sev = Info/6 CM / 0 x 63100046
Set indicator established tunnel to register to 0.
42 13:54:28.984 24/09/10 Sev = Info/4 IKE / 0 x 63000001
Signal received IKE to complete the VPN connection
43 13:54:29.187 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
44 13:54:29.187 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
45 13:54:29.187 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
46 13:54:29.187 24/09/10 Sev = Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
I have connectivity full http from the internet to a machine inside the asa 5520 so I think that the static routing and NAT'ing should be ok, but I am pleased to provide you with all the details.
Can you see what I'm doing wrong?
Thank you
Sam
Pls add the following policy:
crypto ISAKMP policy 10
preshared authentication
the Encryption
md5 hash
Group 2
You can also run debug on the ASA:
debugging cry isa
debugging ipsec cry
and retrieve debug output after trying to connect.
-
Routing access to Internet through an IPSec VPN Tunnel
Hello
I installed a VPN IPSec tunnel for a friend's business. At his desk at home, I installed a Cisco SA520 and at it is remote from the site I have a Cisco RVS4000. The IPSec VPN tunnel works very well. The remote site, it can hit all of its workstations and peripheral. I configured the RVS4000 working in router mode as opposed to the bridge. In the Home Office subnet is 192.168.1.0/24 while the subnet to the remote site is 192.168.2.0/24. The SA520 is configured as Internet gateway for the headquarters to 192.168.1.1. The remote desktop has a gateway 192.168.2.1.
I need to configure the remote site so that all Internet traffic will be routed via the Home Office. I have to make sure that whatever it is plugged into the Ethernet on the RVS4000 port will have its Internet traffic routed through the Internet connection on the SA520. Currently I can ping any device on the headquarters of the remote desktop, but I can't ping anything beyond the gateway (192.168.1.1) in the Home Office.
Any help would be greatly appreciated.
Thank you.
Hi William, the rvs4000 does not support the tunnel or esp transfer wild-card.
-
SA520 and Question IPSec VPN RVS4000
Hello
I installed an IPSec VPN for one of my friends for his company. At its principal office, I installed a Cisco SA520 and he uses to connect devices such as the iPhone and iPad via the IPSec VPN. He uses this fact because he travels abroad a lot and he has problems with services such as Skype is blocked in some countries. This configuration works very well.
It also has a Cisco RVS4000, which he would like to install at his place of business to the Mexico. He would like the RVS4000 VPN configuration to the SA520 in his office. The SA520 in his office has a static IP address. The RVS4000 to the Mexico does not work.
Is it possible to Setup IPSec VPN between a SA520 with a static IP and RVS4000 address that does not have a static IP address? If so, examples of configuration would be greatly appreciated.
Thank you!
Hi William, simply sign up for a dyndns account or similar service, the RVS4000 configuration will be the same, instead of the IP, you'd be using the dyndns name.
-Tom
Please mark replied messages useful -
Is availble for IPsec VPN FOS 6.3 support stateful failover
Is availble for IPsec VPN FOS 6.3 support stateful failover
SAJ
Hello Saj,
Unfortunately not... stateful failover replica information such as:
Table of connection TCP, udp xlate table ports, h.323, PAT port allocation table...
they replicate data such as:
user authentication (uauth) table
Table ISAKMP / IPSEC SA
ARP table
Routing information
Therefore, in the case where the main breaks down, the IPSEC vpn will be reformed for the failover... Meanwhile, the user will not be able to access the applications...
I hope this helps... all the best... the rate of responses if deemed useful...
REDA
-
ISA500 site by site ipsec VPN with Cisco IGR
Hello
I tried a VPN site by site work with Openswan and Cisco 2821 router configuration an Ipsec tunnel to site by site with Cisco 2821 and ISA550.
But without success.
my config for openswan, just FYI, maybe not importand for this problem
installation of config
protostack = netkey
nat_traversal = yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%4:!$RIGHT_SUBNET
nhelpers = 0
Conn rz1
IKEv2 = no
type = tunnel
left = % all
leftsubnet=192.168.5.0/24
right =.
rightsourceip = 192.168.1.2
rightsubnet=192.168.1.0/24
Keylife 28800 = s
ikelifetime 28800 = s
keyingtries = 3
AUTH = esp
ESP = aes128-sha1
KeyExchange = ike
authby secret =
start = auto
IKE = aes128-sha1; modp1536
dpdaction = redΘmarrer
dpddelay = 30
dpdtimeout = 60
PFS = No.
aggrmode = no
Config Cisco 2821 for dynamic dialin:
crypto ISAKMP policy 1
BA aes
sha hash
preshared authentication
Group 5
lifetime 28800
!
card crypto CMAP_1 1-isakmp dynamic ipsec DYNMAP_1
!
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
!
Crypto ipsec transform-set ESP-AES-SHA1 esp - aes esp-sha-hmac
crypto dynamic-map DYNMAP_1 1
game of transformation-ESP-AES-SHA1
match address 102
!
ISAKMP crypto key
address 0.0.0.0 0.0.0.0 ISAKMP crypto keepalive 30 periodicals
!
life crypto ipsec security association seconds 28800
!
interface GigabitEthernet0/0.4002
card crypto CMAP_1
!
I tried ISA550 a config with the same constelations, but without suggesting.
Anyone has the same problem?
And had anyone has a tip for me, or has someone expirense with a site-by-site with ISA550 and Cisco 2821 ipsec tunnel?
I can successfully establish a tunnel between openswan linux server and the isa550.
Patrick,
as you can see on newspapers, the software behind ISA is also OpenSWAN
I have a facility with a 892 SRI running which should be the same as your 29erxx.
Use your IOS Config dynmap, penny, you are on the average nomad. If you don't have any RW customer you shoul go on IOS "No.-xauth" after the isakmp encryption key.
Here is my setup, with roardwarrior AND 2, site 2 site.
session of crypto consignment
logging crypto ezvpn
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
lifetime 28800
!
crypto ISAKMP policy 2
BA 3des
md5 hash
preshared authentication
Group 2
lifetime 28800
!
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 4
BA 3des
md5 hash
preshared authentication
Group 2
!
crypto ISAKMP policy 5
BA 3des
preshared authentication
Group 2
life 7200
ISAKMP crypto address XXXX XXXXX No.-xauth key
XXXX XXXX No.-xauth address isakmp encryption key
!
ISAKMP crypto client configuration group by default
key XXXX
DNS XXXX
default pool
ACL easyvpn_client_routes
PFS
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac FEAT
!
dynamic-map crypto VPN 20
game of transformation-FEAT
market arriere-route
!
!
card crypto client VPN authentication list by default
card crypto VPN isakmp authorization list by default
crypto map VPN client configuration address respond
10 VPN ipsec-isakmp crypto map
Description of VPN - 1
defined peer XXX
game of transformation-FEAT
match the address internal_networks_ipsec
11 VPN ipsec-isakmp crypto map
VPN-2 description
defined peer XXX
game of transformation-FEAT
PFS group2 Set
match the address internal_networks_ipsec2
card crypto 20-isakmp dynamic VPN ipsec VPN
!
!
Michael
Please note all useful posts
Maybe you are looking for
-
HP 18-n208tx: controller Bus SM and Microsoft Teredo Tunneling adapted
I'm looking for a driver for the "SM Bus controller"PCI VEN_8086 & DEV_9C22 & SUBSYS_2166103C & REV_04 and"Microsoft Teredo Tunneling adapter"HP 15-n208tx for Windows 7 64-bit.
-
Write problems block the memory of the host
Hi all I work with a sbRIO 9639 and followed what I thought to be the recommended procedure to write in the block of memory to the host computer via (see diagram attached host and FPGA implementation). However the operation of the aforementioned code
-
Can someone tell me if I can improve Dell Studio 1737-10 Windows
Original title: window 10 upgrade question I have a Dell Studio 1737 with Intel Core 2 Duo 2.0 GHz, 4 GB of Ram and with Windows Vista 64-bit. Someone can tell me if I can upgrade to Windows 10 or is this system not up to the requirements?
-
Unable to connect: icon disappear the password incorrect message/fingerprint reader
I am unable to log in to my administrator account with my password or fingerprint after the last HP Simplepass update. When I try the password, I get the message 'invalid password' and I can't use the scanner as its icon dissappeared. I can still con
-
need help with compaq cq 10 bypass
I can use a little help. Im getting an error CN0111MVQ code, I forgot the password. Can anyone help