ISAKMP error - 2811 router
Hi guys,
I would like to create a site-to-site VPN between my ASA and a remote router in China.
On the router, when I type the "crypto isakmp enable" command, I see that isakmp is not present.
What can I do, where is the problem? License, IOS image, ...?
Error output:
Router(config)#crypto isakmp enable
                      ^
% Invalid input detected at '^' marker.
Router(config)#crypto ?
  ca            Certification authority
  key           Long term key operations
  pki           Public Key components
  provisioning  Secure Device Provisioning
  wui           Crypto HTTP configuration interfaces
Router details:
Cisco CISCO2811C/K9
Version 12.4(13r)T13, RELEASE SOFTWARE (fc1)
c2800nm-spservicesk9-mz.150-1.M7.bin
Thank you very much.
Luca
To configure a site-to-site VPN, or any other VPN, you need the Advanced Enterprise, Advanced Security or Advanced IP Services image.
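The answer above is the whole story for Luca's router: the "crypto ?" output in his post lists only ca/key/pki/provisioning/wui, which is what an SP Services (spservicesk9) image offers, and the isakmp/ipsec keywords only appear once a crypto-capable feature set is loaded. The following is an added example, not configuration from the thread: it shows how to confirm the feature set from the image name and what a minimal, mutually consistent IKEv1 site-to-site configuration looks like on the IOS side and on an ASA/PIX running 8.0-8.3 syntax. All addresses (203.0.113.2 router WAN, 198.51.100.1 ASA outside, 10.20.1.0/24 and 10.1.0.0/16 LANs), names and the pre-shared key are placeholders.

```cisco
! --- 1. Confirm the feature set before touching crypto ---
! The image name carries the feature set: c2800nm-spservicesk9-* = SP Services (no IKE/IPsec);
! c2800nm-advsecurityk9 / advipservicesk9 / adventerprisek9 include the VPN feature set.
Router#show version | include Software|image
!
! --- 2. IOS side of a minimal IKEv1 site-to-site tunnel ---
! Every IKE attribute here (AES-256, SHA, pre-share, DH group, lifetime) must be
! identical on the ASA side, or main mode fails before authentication.
! Group 5 is used only because IKEv1 on ASA code older than 9.13 cannot do group 14;
! use group 14 or higher wherever both ends support it.
crypto isakmp enable
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
! no-xauth keeps a router that also runs EzVPN/xauth from prompting this LAN-to-LAN peer
crypto isakmp key ExamplePSK address 198.51.100.1 no-xauth
!
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.20.1.0 0.0.0.255 10.1.0.0 0.0.255.255
!
crypto map CM-S2S 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES256-SHA
 set pfs group5
 match address VPN-TRAFFIC
!
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.248
 crypto map CM-S2S
!
! --- 3. Matching ASA/PIX side, 8.0-8.3 syntax ---
! (8.3+ replaces "nat (inside) 0 access-list" with twice NAT; 8.4+ spells the IKE
! commands "crypto ikev1 policy" / "set ikev1 transform-set".)
! The mirror-image ACL, the peer address and the tunnel-group name must all be the
! router's WAN address, otherwise the ASA has no pre-shared key for this peer.
access-list L2L-TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.20.1.0 255.255.255.0
nat (inside) 0 access-list L2L-TRAFFIC
crypto ipsec transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP 10 set pfs group5
crypto map OUTSIDE-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key ExamplePSK
```

After both sides are in place, "show crypto isakmp sa" on either box should show the peer in QM_IDLE once interesting traffic (a ping sourced from the LAN interface) has triggered the tunnel; any other main-mode state means one of the attributes above still differs.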
Tags: Cisco Security
Similar Questions
-
EtherChannel error on 2811 router
Hello,
I have run into 2 problems related to EtherChannel.
1. I have two servers connected to the EtherSwitch module on a 2811 router via 3-port EtherChannels. All computers on the network can see both servers, but the servers are unable to see each other: ping, network access, etc. do not work. Related config:
GC21RR01#sh inv
NAME: "2811 chassis", DESCR: "2811 chassis"
PID: CISCO2811         , VID: V07, SN: FCZ14027226

NAME: "ADSL over POTS on Slot 0 SubSlot 0", DESCR: "ADSL over POTS"
PID: HWIC-1ADSL        , VID: V01, SN: FOC14473PJ6

NAME: "16 Port 10BaseT/100BaseTX EtherSwitch on Slot 1", DESCR: "16 Port 10BaseT/100BaseTX EtherSwitch"
PID: NM-16ESW          , VID: V01, SN: FOC14445QB8

GC21RR01#sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 15.1(1)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Mon 22-Mar-10 01:25 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T11, RELEASE SOFTWARE (fc1)

GC21RR01 uptime is 23 hours, 15 minutes
System returned to ROM by reload at 13:48:11 Sun Mar 20 2011
System restarted at 13:49:35 Sun Mar 20 2011
System image file is "flash:c2800nm-advsecurityk9-mz.151-1.T.bin"
Last reload type: Normal Reload

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected].

Cisco 2811 (revision 53.51) with 245760K/16384K bytes of memory.
Processor board ID FCZ14027226
18 FastEthernet interfaces
1 ATM interface
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity capable.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

License Info:
License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO2811             FCZ14027226

Configuration register is 0x2102
GC21RR01#sh etherchannel detail
Channel-group listing:
-----------------------

Group: 1
----------
Group state = L2
Ports: 3   Maxports = 8
Port-channels: 1 Max Port-channels = 1

Ports in the group:
-------------------
Port: Fa1/0
------------
Port state    = Up Mstr In-Bndl
Channel group = 1    Mode = On/FEC    Gcchange = 0
Port-channel  = Po1  GC   = 0x00010001  Pseudo port-channel = Po1
Port index    = 0
Age of the port in the current state: 00d:11h:00m:15s

Port: Fa1/1
------------
Port state    = Up Mstr In-Bndl
Channel group = 1    Mode = On/FEC    Gcchange = 0
Port-channel  = Po1  GC   = 0x00010001  Pseudo port-channel = Po1
Port index    = 1
Age of the port in the current state: 00d:11h:00m:15s

Port: Fa1/2
------------
Port state    = Up Mstr In-Bndl
Channel group = 1    Mode = On/FEC    Gcchange = 0
Port-channel  = Po1  GC   = 0x00010001  Pseudo port-channel = Po1
Port index    = 2
Age of the port in the current state: 00d:11h:00m:15s

Port-channels in the group:
----------------------
Port-channel: Po1
------------
Age of the Port-channel   = 00d:23h:00m:15s
Logical slot/port   = 8/0   Number of ports = 3
GC                  = 0x00010001   HotStandBy port = null
Port state          = Port-channel Ag-Inuse

Ports in the Port-channel:
Index   Port    State
------+-------+----------
  0     Fa1/0   on
  1     Fa1/1   on
  2     Fa1/2   on
Time since last port bundled: 00d:11h:00m:15s   Fa1/2

Group: 2
----------
Group state = L2
Ports: 3   Maxports = 8
Port-channels: 1 Max Port-channels = 1

Ports in the group:
-------------------
Port: Fa1/4
------------
Port state    = Up Mstr In-Bndl
Channel group = 2    Mode = On/FEC    Gcchange = 0
Port-channel  = Po2  GC   = 0x00020001  Pseudo port-channel = Po2
Port index    = 0
Age of the port in the current state: 00d:11h:00m:15s

Port: Fa1/5
------------
Port state    = Up Mstr In-Bndl
Channel group = 2    Mode = On/FEC    Gcchange = 0
Port-channel  = Po2  GC   = 0x00020001  Pseudo port-channel = Po2
Port index    = 1
Age of the port in the current state: 00d:11h:00m:15s

Port: Fa1/6
------------
Port state    = Up Mstr In-Bndl
Channel group = 2    Mode = On/FEC    Gcchange = 0
Port-channel  = Po2  GC   = 0x00020001  Pseudo port-channel = Po2
Port index    = 2
Age of the port in the current state: 00d:11h:00m:15s

Port-channels in the group:
----------------------
Port-channel: Po2
------------
Age of the Port-channel   = 00d:23h:00m:15s
Logical slot/port   = 8/1   Number of ports = 3
GC                  = 0x00020001   HotStandBy port = null
Port state          = Port-channel Ag-Inuse

Ports in the Port-channel:
Index   Port    State
------+-------+----------
  0     Fa1/4   on
  1     Fa1/5   on
  2     Fa1/6   on
Time since last port bundled: 00d:11h:00m:15s   Fa1/6

GC21RR01#sh etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        R - Layer3      S - Layer2
        U - in use
Group  Port-channel  Ports
------+-------------+-----------------------------------------------------------
1      Po1(SU)       Fa1/0(P)   Fa1/1(P)   Fa1/2(P)
2      Po2(SU)       Fa1/4(P)   Fa1/5(P)   Fa1/6(P)

2. I can't see the Port-channel information. I could do that before the router restarted:
GC21RR01#sh po int 1
                ^
% Invalid input detected at '^' marker.
GC21RR01#sh po int 2
                ^
% Invalid input detected at '^' marker.
GC21RR01#sh int in. ip 1
                ^
% Invalid input detected at '^' marker.
GC21RR01#sh ip po int 2
                ^
% Invalid input detected at '^' marker.
Any help is appreciated.
Hello,
You have an L2 etherchannel; sh ip int can only work if it is an L3 port-channel interface.
Kind regards,
Alain.
-
Site-to-site VPN between PIX535 and 2811 router, can't get it to work
Hi everyone, I have spent a few days trying to set up a site-to-site VPN between a PIX535 and a 2811 router but have come up empty-handed. I followed the instructions here:
http://www.Cisco.com/en/us/products/ps9422/products_configuration_example09186a0080b4ae61.shtml
#1: PIX config:
: Saved
: Written by enable_15 at 18:05:33.678 EDT Sat Oct 20 2012
!
PIX Version 8.0(4)
!
hostname pix535
!
interface GigabitEthernet0
 description to cable-modem
 nameif outside
 security-level 0
 ip address X.X.138.132 255.255.255.0
 ospf cost 10
!
interface GigabitEthernet1
 description inside 10/16
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.0.0
 ospf cost 10
!
access-list outside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip any 10.1.1.192 255.255.255.248
access-list outside_cryptomap_dyn_60 extended permit ip any 10.1.1.192 255.255.255.248
access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
pager lines 24
ip local pool cnf-8-ip 10.1.1.192-10.1.1.199 mask 255.255.0.0
global (outside) 10 interface
global (outside) 15 1.2.4.5
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 15 10.1.0.0 255.255.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.138.1 1
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer X.X.21.29
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 3600
group-policy GroupPolicy1 internal
group-policy cnf-vpn-cls internal
group-policy cnf-vpn-cls attributes
 wins-server value 10.1.1.7
 dns-server value 10.1.1.7 10.1.1.205
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value x.com
username sean password U/h5bFVjXlIDx8BtqPFrQw nt-encrypted
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key secret1
 radius-sdi-xauth
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group cnf-vpn-cls type remote-access
tunnel-group cnf-vpn-cls general-attributes
 address-pool cnf-8-ip
 default-group-policy cnf-vpn-cls
tunnel-group cnf-vpn-cls ipsec-attributes
 pre-shared-key secret2
 isakmp ikev1-user-authentication none
tunnel-group cnf-vpn-cls ppp-attributes
 authentication ms-chap-v2
tunnel-group X.X.21.29 type ipsec-l2l
tunnel-group X.X.21.29 ipsec-attributes
 pre-shared-key SECRET
!
class-map inspection_default
 match default-inspection-traffic
!
!
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9780edb09bc7debe147db1e7d52ec39c
: end
#2: 2811 router config:
!
! Last configuration change at 09:15:32 PST Fri Oct 19 2012 by cnfla
! NVRAM config last updated at 13:45:03 PST Tue Oct 16 2012
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname LA-2800
!
!
crypto pki trustpoint TP-self-signed-1411740556
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1411740556
 revocation-check none
 rsakeypair TP-self-signed-1411740556
!
!
crypto pki certificate chain TP-self-signed-1411740556
 certificate self-signed 01
308201A 8 A0030201 02020101 3082023F 300 D 0609 2A 864886 F70D0101 04050030
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
69666963 31343131 37343035 6174652D 3536301E 170 3132 31303136 32303435
30335A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 34313137 65642D
34303535 3630819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
8100F75F F1BDAD9B DE9381FD 7EAF9685 CF15A317 165B 5188 1 B 424825 9C66AA28
C990B2D3 D69A2F0F D745DB0E 2BB4995D 73415AC4 F01B2019 C4BCF9E0 84373199
E599B86C 17DBDCE6 47EBE0E3 8DBC90B2 9B4E217A 87F04BF7 A182501E 24381019
A61D2C05 5404DE88 DA2A1ADC A81B7F65 C318B697 7ED69DF1 2769E4C8 F3449B33
010001A 3 67306530 1 130101 FF040530 030101FF 30120603 0F060355 35AF0203
1104 B 0 300982 074C412D 32383030 551D 551 2304 18301680 14B56EEB 301F0603
88054CCA BB8CF8E8 F44BFE2C B77954E1 52301 D 06 04160414 B56EEB88 03551D0E
054CCABB 8CF8E8F4 4BFE2CB7 7954E152 300 D 0609 2A 864886 F70D0101 04050003
81810056 58755 56 331294F8 BEC4FEBC 54879FF5 0FCC73D4 B964BA7A 07D 20452
E7F40F42 8B 355015 77156C9F AAA45F9F 59CDD27F 89FE7560 F08D953B FC19FD2D
310DA96E A5F3E83B 52D515F8 7B4C99CF 4CECC3F7 1A0D4909 BD08C373 50BB53CC
659 4246 2CB7B79F 43D94D96 586F9103 9B4659B6 5C8DDE4F 7CC5FC68 C4AD197A 4EC322 C
  quit
!
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key SECRET address X.X.138.132 no-xauth
!
!
crypto ipsec transform-set la-2800-trans-set esp-des esp-sha-hmac
!
crypto map la-2800-ipsec-policy 1 ipsec-isakmp
 description ipsec vpn policy
 set peer X.X.138.132
 set transform-set la-2800-trans-set
 match address 101
!
!
!
!
!
!
interface FastEthernet0/0
 description WAN side
 ip address X.X.216.29 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 crypto map la-2800-ipsec-policy
!
interface FastEthernet0/1
 description LAN side
 ip address 10.20.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed auto
 no mop enabled
!
ip nat inside source route-map sheep interface FastEthernet0/0 overload
access-list 10 permit X.X.138.132
access-list 99 permit 64.236.96.53
access-list 99 permit 98.82.1.202
access-list 101 remark vpn tunnel acl
access-list 101 remark SDM_ACL Category=4
access-list 101 remark tunnel policy
access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 10.20.0.0 0.0.0.255 any
snmp-server community public RO
!
!
!
route-map sheep permit 10
 match ip address 110
!
!
!
!
webvpn gateway gateway_1
 ip address X.X.216.29 port 443
 ssl trustpoint TP-self-signed-1411740556
 inservice
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn context gateway-1
 title "b"
 secondary-color white
 title-color #CCCC66
 text-color black
 ssl authenticate verify all
 !
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "WebVPN-Pool"
   svc keep-client-installed
   svc split include 10.20.0.0 255.255.0.0
 default-group-policy policy_1
 gateway gateway_1
 inservice
!
!
end
#3: test from the PIX to the router:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: X.X.21.29
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
> DEBUG:
Oct 22 12:07:14 pix535: Oct 22 12:20:28 EDT: %PIX-vpn-3-713902: IP = X.X.21.29, Removing peer from peer table failed, no match!
Oct 22 12:07:14 pix535: Oct 22 12:20:28 EDT: %PIX-vpn-4-713903: IP = X.X.21.29, Error: Unable to remove PeerTblEntry
#4: test from the router to the PIX:
LA-2800#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
X.X.138.132     X.X.216.29      MM_KEY_EXCH       1017    0 ACTIVE
> debug
LA-2800#ping 10.1.1.7 source 10.20.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.7, timeout is 2 seconds:
Packet sent with a source address of 10.20.1.1
Oct 22 16:24:33.945: ISAKMP:(0): SA request profile is (NULL)
Oct 22 16:24:33.945: ISAKMP: Created a peer struct for X.X.138.132, peer port 500
Oct 22 16:24:33.945: ISAKMP: New peer created peer = 0x488B25C8 peer_handle = 0x80000013
Oct 22 16:24:33.945: ISAKMP: Locking peer struct 0x488B25C8, refcount 1 for isakmp_initiator
Oct 22 16:24:33.945: ISAKMP: local port 500, remote port 500
Oct 22 16:24:33.945: ISAKMP: set new node 0 to QM_IDLE
Oct 22 16:24:33.945: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 487720A0
Oct 22 16:24:33.945: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Oct 22 16:24:33.945: ISAKMP:(0):found peer pre-shared key matching X.X.138.132
Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-07 ID
Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-03 ID
Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-02 ID
Oct 22 16:24:33.945: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Oct 22 16:24:33.945: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
Oct 22 16:24:33.945: ISAKMP:(0): beginning Main Mode exchange
Oct 22 16:24:33.945: ISAKMP:(0): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct 22 16:24:33.945: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 22 16:24:34.049: ISAKMP (0:0): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_NO_STATE
Oct 22 16:24:34.049: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 16:24:34.049: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
Oct 22 16:24:34.049: ISAKMP:(0): processing SA payload. message ID = 0
Oct 22 16:24:34.049: ISAKMP:(0): processing vendor id payload
Oct 22 16:24:34.049: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Oct 22 16:24:34.049: ISAKMP:(0): vendor ID is NAT-T v2
Oct 22 16:24:34.049: ISAKMP:(0): processing vendor id payload
Oct 22 16:24:34.049: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
Oct 22 16:24:34.053: ISAKMP:(0):found peer pre-shared key matching X.X.138.132
Oct 22 16:24:34.053: ISAKMP:(0): local preshared key found
Oct 22 16:24:34.053: ISAKMP : Scanning profiles for xauth ...
Oct 22 16:24:34.053: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Oct 22 16:24:34.053: ISAKMP:      encryption DES-CBC
Oct 22 16:24:34.053: ISAKMP:      hash SHA
Oct 22 16:24:34.053: ISAKMP:      default group 1
Oct 22 16:24:34.053: ISAKMP:      auth pre-share
Oct 22 16:24:34.053: ISAKMP:      life type in seconds
Oct 22 16:24:34.053: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Oct 22 16:24:34.053: ISAKMP:(0):atts are acceptable
Oct 22 16:24:34.053: ISAKMP:(0):Acceptable atts:actual life: 0
Oct 22 16:24:34.053: ISAKMP:(0):Acceptable atts:life: 0
Oct 22 16:24:34.053: ISAKMP:(0):Fill atts in sa vpi_length:4
Oct 22 16:24:34.053: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Oct 22 16:24:34.053: ISAKMP:(0):Returning Actual lifetime: 86400
Oct 22 16:24:34.053: ISAKMP:(0):Started lifetime timer: 86400.
Oct 22 16:24:34.053: ISAKMP:(0): processing vendor id payload
Oct 22 16:24:34.053: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Oct 22 16:24:34.053: ISAKMP:(0): vendor ID is NAT-T v2
Oct 22 16:24:34.053: ISAKMP:(0): processing vendor id payload
Oct 22 16:24:34.053: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
Oct 22 16:24:34.053: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 16:24:34.053: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
Oct 22 16:24:34.057: ISAKMP:(0): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_SA_SETUP
Oct 22 16:24:34.057: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 22 16:24:34.057: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 16:24:34.057: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
Oct 22 16:24:34.181: ISAKMP (0:0): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_SA_SETUP
Oct 22 16:24:34.181: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 16:24:34.181: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
Oct 22 16:24:34.181: ISAKMP:(0): processing KE payload. message ID = 0
Oct 22 16:24:34.217: ISAKMP:(0): processing NONCE payload. message ID = 0
Oct 22 16:24:34.217: ISAKMP:(0):found peer pre-shared key matching X.X.138.132
Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID is Unity
Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID seems Unity/DPD but major 55 mismatch
Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID is XAUTH
Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
Oct 22 16:24:34.217: ISAKMP:(1018): speaking to another IOS box!
Oct 22 16:24:34.221: ISAKMP:(1018): processing vendor id payload
Oct 22 16:24:34.221: ISAKMP:(1018): vendor ID seems Unity/DPD but hash mismatch
Oct 22 16:24:34.221: ISAKMP:received payload type 20
Oct 22 16:24:34.221: ISAKMP:received payload type 20
Oct 22 16:24:34.221: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 16:24:34.221: ISAKMP:(1018):Old State = IKE_I_MM4  New State = IKE_I_MM4
Oct 22 16:24:34.221: ISAKMP:(1018):Send initial contact
Oct 22 16:24:34.221: ISAKMP:(1018):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Oct 22 16:24:34.221: ISAKMP (0:1018): ID payload
        next-payload : 8
        type         : 1
        address      : X.X.216.29
        protocol     : 17
        port         : 500
        length       : 12
Oct 22 16:24:34.221: ISAKMP:(1018):Total payload length: 12
Oct 22 16:24:34.221: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 16:24:34.221: ISAKMP:(1018):Sending an IKE IPv4 Packet.
Oct 22 16:24:34.225: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 16:24:34.225: ISAKMP:(1018):Old State = IKE_I_MM4  New State = IKE_I_MM5
...
Oct 22 16:24:38.849: ISAKMP:(1017):purging node 198554740
Oct 22 16:24:38.849: ISAKMP:(1017):purging node 812380002
Oct 22 16:24:38.849: ISAKMP:(1017):purging node 773209335
...
Success rate is 0 percent (0/5)
LA-2800#
Oct 22 16:24:44.221: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
Oct 22 16:24:44.221: ISAKMP (0:1018): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Oct 22 16:24:44.221: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
Oct 22 16:24:44.221: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 16:24:44.221: ISAKMP:(1018):Sending an IKE IPv4 Packet.
Oct 22 16:24:44.317: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 22 16:24:44.317: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
Oct 22 16:24:44.321: ISAKMP:(1018): retransmission skipped for phase 1 (time since last transmission 96)
Oct 22 16:24:48.849: ISAKMP:(1017):purging SA., sa=469BAD60, delme=469BAD60
Oct 22 16:24:52.313: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 22 16:24:52.313: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
Oct 22 16:24:52.313: ISAKMP:(1018): retransmitting due to retransmit phase 1
Oct 22 16:24:52.813: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
Oct 22 16:24:52.813: ISAKMP (0:1018): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Oct 22 16:24:52.813: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
Oct 22 16:24:52.813: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 16:24:52.813: ISAKMP:(1018):Sending an IKE IPv4 Packet.
Oct 22 16:24:52.913: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
Oct 22 16:24:52.913: ISAKMP:(1018): retransmission skipped for phase 1 (time since last transmission 100)
Oct 22 16:25:00.905: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 22 16:25:00.905: ISAKMP: set new node 422447177 to QM_IDLE
...
Oct 22 16:25:03.941: ISAKMP:(1018):SA is still budding. Attached new ipsec request to it.
Oct 22 16:25:03.941: ISAKMP: Error while processing SA request: Failed to initialize SA
Oct 22 16:25:03.941: ISAKMP: Error while processing KMI message 0, error 2.
Oct 22 16:25:12.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
Oct 22 16:25:12.814: ISAKMP (0:1018): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Oct 22 16:25:12.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
Oct 22 16:25:12.814: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 16:25:12.814: ISAKMP:(1018):Sending an IKE IPv4 Packet.
Oct 22 16:25:22.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
Oct 22 16:25:22.814: ISAKMP (0:1018): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Oct 22 16:25:22.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
Oct 22 16:25:22.814: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 16:25:22.814: ISAKMP:(1018):Sending an IKE IPv4 Packet.
Oct 22 16:25:32.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
Oct 22 16:25:32.814: ISAKMP:(1018):peer does not do paranoid keepalives.
Oct 22 16:25:32.814: ISAKMP:(1018):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer X.X.138.132)
Oct 22 16:25:32.814: ISAKMP: Unlocking peer struct 0x488B25C8 for isadb_mark_sa_deleted(), count 0
Oct 22 16:25:32.814: ISAKMP: Deleting peer node by peer_reap for X.X.138.132: 488B25C8
Oct 22 16:25:32.814: ISAKMP:(1018):deleting node 1112432180 error FALSE reason "IKE deleted"
Oct 22 16:25:32.814: ISAKMP:(1018):deleting node 422447177 error FALSE reason "IKE deleted"
Oct 22 16:25:32.814: ISAKMP:(1018):deleting node -278980615 error FALSE reason "IKE deleted"
Oct 22 16:25:32.814: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Oct 22 16:25:32.814: ISAKMP:(1018):Old State = IKE_I_MM5  New State = IKE_DEST_SA
Oct 22 16:26:22.816: ISAKMP:(1018):purging node 1112432180
Oct 22 16:26:22.816: ISAKMP:(1018):purging node 422447177
Oct 22 16:26:22.816: ISAKMP:(1018):purging node -278980615
Oct 22 16:26:32.816: ISAKMP:(1018):purging SA., sa=487720A0, delme=487720A0
The PIX is also used as a VPN server for VPN clients, such as the Cisco VPN Client 5.0, and that works very well. The router is also used as an SSL VPN server, which works too.
I know there is a lot of data here; I hope it is useful for diagnostic purposes.
All suggestions and tips are greatly appreciated.
Sean
Recommended action:
On the PIX:
no crypto map outside_map 1
!
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto map outside_map 10 match address outside_1_cryptomap
crypto map outside_map 10 set peer X.X.216.29
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000
!
tunnel-group X.X.216.29 type ipsec-l2l
tunnel-group X.X.216.29 ipsec-attributes
 pre-shared-key SECRET
!
On the router:
crypto isakmp policy 10
 authentication pre-share
 group 2
 encryption 3des
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 exit
!
crypto map la-2800-ipsec-policy 10 ipsec-isakmp
 description ipsec vpn policy
 set peer X.X.138.132
 set transform-set ESP-3DES-SHA
 match address 101
!
no crypto map la-2800-ipsec-policy 1
Let me know how it goes.
Portu.
Please rate all helpful posts
Post edited by: Javier Portuguez
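A verification checklist for this thread, added here as an example and not part of either post. It follows the state names already visible above: the router stalls in MM_KEY_EXCH as initiator (MM5 sent, MM6 never received, then "Death by retransmission P1"), while the PIX sits in MM_WAIT_MSG2 toward X.X.21.29. Worth noting from the two configs as posted: the PIX crypto map and tunnel-group name the peer X.X.21.29, whereas the router's WAN interface is X.X.216.29, which is the address the recommended fix uses; an ASA looks up the pre-shared key by the peer address when it validates MM5, so a tunnel-group keyed to the wrong address is a likely reason MM6 never goes out. The commands below are standard IOS 12.4 / ASA 8.x show and clear commands; the prompts are the hostnames from the thread.

```cisco
! --- Router (the initiator in the debug above) ---
! Phase 1 is healthy only in QM_IDLE. MM_KEY_EXCH on an initiator means MM5 went
! out and MM6 never came back; every retransmit of MM5 is the proof.
LA-2800#show crypto isakmp sa
! Policies in the order the responder will evaluate them (lowest number first).
LA-2800#show crypto isakmp policy
! One line per peer with IKE and IPsec status, less noisy than the raw SA tables.
LA-2800#show crypto session detail
! Phase 2 counters: #pkts encaps and #pkts decaps must both rise during a ping;
! encaps rising alone means the far side is dropping or not decrypting.
LA-2800#show crypto ipsec sa peer X.X.138.132 | include pkts|local|remote
!
! --- PIX / ASA ---
! MM_WAIT_MSG2 = it sent MM1 and got nothing back, i.e. it is talking to an
! address that does not answer IKE. Both values below must be the router's WAN
! address (X.X.216.29 on FastEthernet0/0), not a different one.
pix535#show crypto isakmp sa
pix535#show running-config crypto map | include set peer
pix535#show running-config tunnel-group
!
! --- After changing either side: clear the stale SAs and watch only this peer ---
LA-2800#clear crypto isakmp
LA-2800#clear crypto sa peer X.X.138.132
LA-2800#debug crypto condition peer ipv4 X.X.138.132
LA-2800#debug crypto isakmp
LA-2800#ping 10.1.1.7 source 10.20.1.1
! Expected end state in the debug: "Old State = IKE_I_MM5  New State = IKE_P1_COMPLETE"
! followed by quick mode, and "show crypto isakmp sa" reporting QM_IDLE.
LA-2800#undebug all
```

Run the two "show running-config" commands on the PIX first; if the peer and tunnel-group still say X.X.21.29 there is nothing to debug until they match the router's interface address.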
-
Hi all,
I have a spare 2811 router that I would like to use as a temporary Easy VPN server.
The router IOS has already been upgraded to Advanced Security 15.0 K9.
My question is: is the AIM-VPN a real card/module on the motherboard of the router, or does it just pop up once the router has been upgraded to the security IOS?
sh ver | i IOS
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 15.0(1)M8, RELEASE SOFTWARE (fc1)
#sh inv
NAME: "2811 chassis", DESCR: "2811 chassis"
PID: CISCO2811, VID: V02, SN: FTX0911Cxxx
NAME: "PVDMII DSP SIMM with one DSP on Slot 0 SubSlot 4", DESCR: "PVDMII DSP SIMM with one DSP"
PID: PVDM2-16, VID: V01, SN: FOC13071xx
NAME: "Virtual Private Network (VPN) Module on Slot 0", DESCR: "Encryption AIM Element"
PID: AIM-VPN/EPII-PLUS, VID: V01, SN: FOC09072xx
You now have two VPN engines in your router:
- the onboard one, for basic needs;
- the module you see in "show inventory", which is plugged into the on-board AIM connector. This module has higher throughput and supports a larger number of tunnels, and it will be used by default.
There are many EzVPN examples in the configuration guide:
If it is more than a temporary solution, I would also consider using an ASA for remote access VPN. EzVPN is more or less obsolete, and the ASA has many more features with the AnyConnect client. On the router you can also configure AnyConnect remote access, but it is much more complicated.
-
Can you have several crypto isakmp policies on a router?
I have an 1841 router as a hub for several IPsec tunnels. I have a single ISAKMP policy that looks like this:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key * address x.x.x.x
crypto isakmp key * address y.y.y.y
crypto isakmp key * address z.z.z.z
I want to start using AES as the ISAKMP encryption, but I can't get to the other ends of all the other tunnels to change them. Can I create another crypto isakmp policy 2 and just put the pre-shared key for new connections under that one while I'm migrating?
Thank you
Chris
Chris
You can have several isakmp policies on your router. The router will run through them in order until it finds a match. You just need to add a new isakmp policy with a different sequence number, e.g.
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
This will not affect your original isakmp policy.
Not sure what you mean by putting the pre-shared key 'under' the isakmp policy. The key is not tied to any particular isakmp policy, as you can see from the configuration you posted above.
All you need to do to switch is configure the new isakmp policy on your 1841 and then move the remote ends as and when you can. Those you have changed will use AES; those you have not yet changed will continue to use 3DES.
HTH
Jon
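One detail Jon's answer relies on is the evaluation order: the responder walks its own policies from the lowest sequence number upward and accepts the first one that matches anything the initiator proposed, so the number you give the new policy decides which cipher a spoke ends up with when it offers both. The following is an added example, not Chris's or Jon's configuration: it puts the stronger policy first so that every migrated spoke negotiates AES even if it still proposes 3DES as well, keeps the per-peer keys untouched (they are global, not per policy), and shows how to confirm which policy each live SA actually used before the 3DES fallback is removed. It assumes an IOS release on the 1841 that accepts "group 14" in an isakmp policy (12.4(20)T and later; use group 5 on older code) and the same placeholder peer addresses as the post.

```cisco
! Preferred policy gets the lowest number: AES-256 / SHA / DH group 14.
crypto isakmp policy 5
 encr aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
!
! Legacy fallback, deliberately numbered higher so it is only chosen when a
! spoke offers nothing the hub likes better. (Was "policy 1" in the post;
! renumbering it is optional, the key lines below are unaffected either way.)
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! Pre-shared keys are bound to the peer address, never to a policy, so nothing
! here changes during the migration. (Keys masked as in the post.)
crypto isakmp key * address x.x.x.x
crypto isakmp key * address y.y.y.y
crypto isakmp key * address z.z.z.z
!
! Verification on the hub:
!  - policies in the order the hub will try them
show crypto isakmp policy
!  - per-peer negotiated encryption/hash/group, one block per live SA
show crypto isakmp sa detail
!  - force a spoke to renegotiate after its side was updated
clear crypto isakmp
!
! Only when every peer in "sa detail" reports aes/sha/group 14:
no crypto isakmp policy 10
```

Migrated spokes mirror policy 5; unmigrated ones keep proposing 3DES/group 2 and still land on policy 10, which is exactly the mixed state Jon describes.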
-
While trying to use the guest script package manager, I discovered that for RHEL6 guests we have a problem copying a file back from the guest to vCO. The "Copy file from guest to vCO" workflow fails consistently, and in testing the error is reproducible.
Specifically, the final step of this workflow, result = fileManager.downloadFile(vcoPath, ftInfo), generates the error "No route to host (workflow: Copy file from guest to vCO / Scriptable task (item1) #10)".
Does anyone know what could be causing this?
Make sure your vCO has a network connection to the ESX host the virtual machine is running on.
Guest operations connect directly to the ESX host from the client (here: the vCenter plugin in vCO) after the operation has been opened on vCenter.
Cheers,
Joerg
-
Removing a static route gives "% No matching route to delete" error
I'm trying to remove a static route I added:
-------------------------------------------------------------------------------------------------
R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     172.168.0.0/29 is subnetted, 1 subnets
S       172.168.0.0 [1/0] via 192.168.2.2
C    192.168.1.0/24 is directly connected, FastEthernet0/0
     192.168.2.0/30 is subnetted, 1 subnets
C       192.168.2.0 is directly connected, Serial0/0
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#no ip route 172.168.0.0 255.255.255.0 192.168.2.2
% No matching route to delete
R2(config)#
----------------------------------------------------------------------------------------------------
I was practising setting up static routing on three routers: r2 (2600xm) connected to r1 (2600xm) via T1 module cards on the serial ports. Connected to r1 is an old 2500 router called PC.
I removed the static routes off r2 and PC, but when I get to r2 (I connect to the 2500 with another console cable that I use to access a server) I get the above error. All the IP addresses are just generic subnets that I created to play with static routing. I can't remove it; does anyone have any ideas?
You are using a different subnet mask than the one you used when you added the route. According to the routing table entry, the mask is /29.
Try this,
1] r2(config)#no ip route 172.168.0.0 255.255.255.248 192.168.2.2
or 2] another easy method is to check the running config and copy-paste the line with 'no' at the beginning.
show run | include ip route
Copy the static route statement, paste it with 'no' in front in global configuration, and check the routing table.
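The mask mismatch in the answer above can be caught by reading the mask back from the routing table instead of retyping it. The following Python parser is an added example, not code from the thread: it reads "show ip route" output, takes the prefix length either from the entry itself or from the "is subnetted" header that IOS prints above classful subnets (the case in this thread, where /29 sits on the header line rather than on the "S" line), and builds the exact "no ip route" command. The sample output is constructed from the thread's table plus two extra static entries to cover the classless and default-route forms.

```python
import re

# Constructed sample, modelled on the 'show ip route' output in the thread above,
# with two extra static entries (classless and default route) added for coverage.
SHOW_IP_ROUTE = """\
Gateway of last resort is not set

     172.168.0.0/29 is subnetted, 1 subnets
S       172.168.0.0 [1/0] via 192.168.2.2
C    192.168.1.0/24 is directly connected, FastEthernet0/0
     192.168.2.0/30 is subnetted, 1 subnets
C       192.168.2.0 is directly connected, Serial0/0
S    10.10.0.0/16 [1/0] via 192.168.2.2
S*   0.0.0.0/0 [1/0] via 192.168.2.2
"""


def prefix_to_mask(bits: int) -> str:
    """Prefix length to dotted mask, e.g. 29 -> 255.255.255.248."""
    value = ((0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF) if bits else 0
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def static_routes(output: str):
    """Return (network, mask, next_hop) for every 'S' entry.

    The prefix length comes either from the entry itself (classless form,
    'S 10.10.0.0/16 ...') or from the preceding 'x.x.x.x/NN is subnetted'
    header that IOS prints above subnets of a classful network."""
    routes = []
    inherited_bits = None
    for line in output.splitlines():
        header = re.match(r"^\s+\S+/(\d+) is subnetted", line)
        if header:
            inherited_bits = int(header.group(1))
            continue
        entry = re.match(
            r"^S\*?\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s+\[\d+/\d+\] via (\d+\.\d+\.\d+\.\d+)",
            line,
        )
        if not entry:
            continue
        network, bits, next_hop = entry.group(1), entry.group(2), entry.group(3)
        if bits is None:
            bits = inherited_bits  # mask lives on the 'is subnetted' header
        routes.append((network, prefix_to_mask(int(bits)), next_hop))
    return routes


def removal_command(output: str, network: str, next_hop: str):
    """Build the 'no ip route' line with the mask the table actually holds."""
    for net, mask, nh in static_routes(output):
        if net == network and nh == next_hop:
            return f"no ip route {net} {mask} {nh}"
    return None


def why_removal_failed(output: str, network: str, mask_tried: str, next_hop: str) -> str:
    """Explain a '% No matching route to delete' result for the command the user typed."""
    cmd = removal_command(output, network, next_hop)
    if cmd is None:
        return "no static route to that network via that next hop"
    actual_mask = cmd.split()[4]
    if actual_mask != mask_tried:
        return f"mask mismatch: table has {actual_mask}, you gave {mask_tried}; use: {cmd}"
    return "route exists with this mask; the command should succeed"


if __name__ == "__main__":
    print(why_removal_failed(SHOW_IP_ROUTE, "172.168.0.0", "255.255.255.0", "192.168.2.2"))
```

Running the block reproduces the thread's situation: the route exists via 192.168.2.2 but with mask 255.255.255.248, so the command typed with 255.255.255.0 matches nothing.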
-
Wireless radio card in a Cisco 2811 router
Hello
Is it possible to configure the wireless card in a router as a client, so that it uses another radio as its gateway?
The situation is that I need to set up temporary Internet access for users on a local wired network that has no Internet connectivity. I have a Novatel MiFi that provides Internet connectivity, and I want the radio in the router to connect to it. In this case the radio would act more like a client or a bridge.
Thanks for any input.
Vincent
The answer is no. Cisco access points talk to each other using the IAPP protocol... Cisco with non-Cisco cannot communicate...
Let me know if that answers your question...
Regards
Surendra
====
Please do not forget to rate posts that answered your question and mark them as answered or as helpful
-
How to disable the default ISAKMP policy on a Cisco 2800 router
I have a Checkpoint requiring me to disable or delete the default ISAKMP policy on my router. I tried to do it, but I got an error that the command is not supported, as below:
Is this not possible on my router, which has IOS version:
So, is it possible to upgrade my router's IOS to the latest version to solve this problem, which is:
"c2800nm-advsecurityk9-mz.151-4.M6"
If that does not solve my problem, I have an official document from Cisco which says that "Disabling the default ISAKMP policy" is not supported on my router.
I would really appreciate your reply, guys.
Thanks in advance,
Hi Ebrahim,
Version 15.1(4)M6 supports the command "no crypto isakmp default policy".
Before running "no crypto isakmp default policy":
Router#sh crypto isakmp default policy
Default IKE policy
Default protection suite of priority 65507
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65508
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
.
.
. (output skipped)
After:
Router(config)#no crypto isakmp default policy
Router#sh crypto isakmp default policy
Router#sh crypto isakmp policy
Global IKE policy
*****
If you upgrade, you should be able to delete the default isakmp policy.
Thank you
Shakur
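Two threads on this page touch the same mechanism: Jon's answer above about the router walking its isakmp policies in priority order until one matches, and this thread's "show crypto isakmp default policy" output, which shows the default policies that sit behind every configured one until "no crypto isakmp default policy" removes them. The following Python script is an added example and not code from the forum or from Cisco. It parses "crypto isakmp policy" blocks out of an IOS configuration, appends the two default policies printed in the output above (IOS ships more defaults; only the two shown on this page are modelled), drops them when "no crypto isakmp default policy" is present, selects the first policy that matches a peer's proposal the way the router does, and lists policies still relying on DES/3DES, MD5 or DH group 1/2. The sample configuration and the peer address are constructed; the unset-attribute defaults (DES, SHA, rsa-sig, group 1) are the documented IOS defaults.

```python
import re

# Constructed sample: the two configured policies from the earlier thread plus a key line.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
crypto isakmp key secret1 address 192.0.2.10
"""

# Default policies as printed by 'show crypto isakmp default policy' on this page.
# IOS has further defaults (65509..65514); only the two shown above are modelled.
DEFAULT_POLICIES = [
    {"priority": 65507, "encr": "aes", "hash": "sha", "auth": "rsa-sig", "group": 5},
    {"priority": 65508, "encr": "aes", "hash": "sha", "auth": "pre-share", "group": 5},
]

# Values IOS assumes for attributes a policy block leaves unset.
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "auth": "rsa-sig", "group": 1}

WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {1, 2}}


def parse_isakmp_policies(config: str, include_defaults: bool = True):
    """Return policies in the order the router evaluates them: configured
    priorities ascending, then the default policies unless disabled."""
    policies = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        header = re.match(r"^crypto isakmp policy (\d+)$", line)
        if header:
            current = dict(IOS_DEFAULTS, priority=int(header.group(1)))
            policies.append(current)
            continue
        if current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            if key == "encr":
                bits = value.split()          # 'aes 256' -> cipher + key size
                current["encr"] = bits[0]
                if len(bits) > 1:
                    current["keysize"] = int(bits[1])
            elif key == "hash":
                current["hash"] = value
            elif key == "authentication":
                current["auth"] = value
            elif key == "group":
                current["group"] = int(value)
            continue
        current = None  # any other top-level line ends the policy block
    policies.sort(key=lambda p: p["priority"])
    defaults_disabled = re.search(r"^no crypto isakmp default policy$", config, re.M)
    if include_defaults and not defaults_disabled:
        policies.extend(dict(p) for p in DEFAULT_POLICIES)
    return policies


def first_match(policies, proposal):
    """Priority of the first policy whose encr/hash/auth/group equal the
    peer's proposal, or None if nothing matches (key size is not compared)."""
    for p in policies:
        if all(p[k] == proposal[k] for k in ("encr", "hash", "auth", "group")):
            return p["priority"]
    return None


def weak_policies(policies):
    """Priorities of policies using DES/3DES, MD5 or DH group 1/2."""
    return [p["priority"] for p in policies
            if p["encr"] in WEAK["encr"] or p["hash"] in WEAK["hash"] or p["group"] in WEAK["group"]]


if __name__ == "__main__":
    pols = parse_isakmp_policies(SAMPLE_CONFIG)
    print("evaluation order:", [p["priority"] for p in pols])
    print("AES/SHA/PSK/DH2 matches policy", first_match(pols, {"encr": "aes", "hash": "sha", "auth": "pre-share", "group": 2}))
    print("weak:", weak_policies(pols))
```

With both policies configured, a peer still proposing 3DES matches policy 1 and a migrated peer proposing AES matches policy 2, which is the behaviour Jon describes; a peer proposing DH group 5 would only ever land on a default policy, which is why an auditor who sees the defaults present asks for them to be removed.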
-
Help! My 2691xm router is deaf to ISAKMP
Hello.
I'm trying to implement a DMVPN.
The configuration is the following:
1751-V is a spoke - c1700-advsecurityk9-mz.124-15.T14.bin
2691xm is the hub - c2691-advsecurityk9-mz.124-15.T14.bin
As I said in the title, my client's 2691xm router is deaf to ISAKMP. It is configured as a DMVPN hub and does not show that it receives any VPN traffic at all. The 1751-V, however, is very noisy and sends many IKE requests to the 2691xm.
I set up the 1751-V against my home 1751-V with a slightly modified version of the 2691xm's config without any problems. I do not have access through the VPN quite yet, but at least they got past ISAKMP.
I enabled 'debug dmvpn all' and 'term mon', but I get NO output from the 2691xm.
I also get nothing from 'show crypto isakmp sa'.
I thought the traffic might be blocked by the ISP. I called and asked, and it's not.
I thought the traffic might be stopped at the firewall, so I set the relevant ports to log traffic, as evidenced by the following hits.
Router-1#show access-list INTERNET_IN
Extended IP access list INTERNET_IN
...
70 permit udp any any eq isakmp log (2576 matches)
80 permit accord any any log
90 permit esp any any log
...
So I'm getting the traffic through to the router, but my router is not reacting?
Below are excerpts from the relevant configs.
HUB:
Internet: int fa0/1 - T1 w/ static IP via ethernet
LAN: int fa0/0 - LAN 192.168.20.1
ip multicast-routing
!
crypto isakmp policy 100
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp key ABCD address 0.0.0.0 no-xauth
!
crypto ipsec transform-set TRANSFORM_1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile PROFILE_1
 set security-association lifetime seconds 600
 set transform-set TRANSFORM_1
 set pfs group2
!
interface Tunnel0
 ip pim sparse-mode
 bandwidth 1536
 ip address 10.0.20.20 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source fa0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROFILE_1
 ip nhrp map multicast dynamic
 ip nhrp network-id 20
 ip nhrp holdtime 600
 ip nhrp authentication ABCD
 ip hold-time eigrp 1 35
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
!
router eigrp 1
 network 10.0.20.0 0.0.0.255
 network 192.168.20.0 0.0.0.255
 no auto-summary
!
ip access-list extended NAT_TRAFFIC
 deny ip 192.168.20.0 0.0.0.255 192.168.22.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
route-map SHEEP permit 10
 match ip address NAT_TRAFFIC
ip nat inside source route-map SHEEP interface fa0/1 overload
SPOKE:
Internet: int dialer0 - DSL, PPPoE, DHCP
LAN: int vlan0 - 192.168.22.1
ip multicast-routing
!
crypto isakmp policy 100
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ABCD address 0.0.0.0 no-xauth
!
crypto ipsec transform-set TRANSFORM_1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile PROFILE_1
 set security-association lifetime seconds 600
 set transform-set TRANSFORM_1
 set pfs group2
!
interface Tunnel0
 ip pim sparse-mode
 bandwidth 1536
 ip address 10.0.20.22 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source d0
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROFILE_1
 ip nhrp map 10.0.20.20 2691_WAN_IP
 ip nhrp map multicast 2691_WAN_IP
 ip nhrp network-id 20
 ip nhrp holdtime 600
 ip nhrp nhs 10.0.20.20
 ip nhrp authentication ABCD
 ip hold-time eigrp 1 35
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
!
router eigrp 1
 network 10.0.20.0 0.0.0.255
 network 192.168.22.0 0.0.0.255
 no auto-summary
 eigrp stub connected
!
ip access-list extended NAT_TRAFFIC
 deny ip 192.168.22.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.22.0 0.0.0.255 any
route-map SHEEP permit 10
 match ip address NAT_TRAFFIC
!
ip nat inside source route-map SHEEP interface Dialer0 overload
!
As I said earlier, the 2691xm DOES NOT REACT. The only thing I've been able to determine is that the router IS NOT blocking traffic on UDP port 500.
Here's some output from the 1751-V (spoke router).
ISAKMP: set new node 0 to QM_IDLE
ISAKMP:(0): SA is still budding. Attached new ipsec request to it. (local 1751_WAN_IP, remote 2691_WAN_IP)
ISAKMP: Error while processing SA request: Failed to initialize SA
ISAKMP: Error while processing KMI message 0, error 2.
ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Router-1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
2691_WAN_IP     1751_WAN_IP     MM_NO_STATE          0    0 ACTIVE
2691_WAN_IP     1751_WAN_IP     MM_NO_STATE          0    0 ACTIVE (deleted)
The 1751-V works with another 1751-V (to some extent), but not with the 2691xm I need it to work with.
Please help, because it is driving me CRAZY!
I would appreciate ANY suggestions/comments/criticisms/assumptions/applications/ANYTHING!
-Vittorio
No crypto map means there's some sort of config problem on the hub - try the following:
term mon
debug crypto socket
debug tunnel protection
conf t
logging on
logging monitor debugging
int tunnel0
shutdown
no tunnel protection ipsec profile PROFILE_1
tunnel protection ipsec profile PROFILE_1
no shutdown
See if that gives us any debugs.
-
Hello
I am trying to configure VPDN on a 2811 router, but I am not able to connect to the VPN. First, when I start the VPDN dialer from my PC, I get this message:
*Sep 27 12:00:33.314: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at XX.XXX.XX.218
The configuration follows... Please let me know where I have the error.
Building configuration...
Current configuration : 2043 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN_R1
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable password
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
!
!
ip flow-cache timeout active 1
ip name-server XX.XX.XX.180
ip name-server 1.2.1.211
no ip ips deny-action ips-interface
vpdn enable
!
vpdn-group 1
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
!
!
username test1234 password 0 test1234
username ciscovpn password 0 ciscovpn
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key CisC01234 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set PSAB esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map cc 10
 set nat demux
 set transform-set PSAB
!
!
crypto map cisco 10 ipsec-isakmp dynamic cc
!
!
!
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 description $FW_OUTSIDE$
 ip address xxx.xxx.xxx.94 xx.xx.xx.252
 duplex full
 speed 100
 crypto map cisco
!
interface FastEthernet0/1
 description $FW_INSIDE$
 ip address 1xx.1x1.xx3.1x3 255.255.255.192
 ip route-cache flow
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool pool-l2tp
 ppp authentication chap
!
ip local pool pptp 1.100.0.1 1.100.0.10
ip classless
ip route 0.0.0.0 0.0.0.0 1xx.1xx.xx.93
!
ip flow-export source FastEthernet0/1
ip flow-export version 5
ip flow-export destination 1xx.1xx.xxx.250 9996
!
ip http server
no ip http secure-server
!
snmp-server ifindex persist
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password
 login
!
scheduler allocate 20000 1000
!
end
Please let me know why I am not able to connect to the VPN.
Diego,
It is not necessary.
Example of configuration:
It is quite common to use the loopback.
Marcin
-
Problem with Cisco router to Checkpoint VPN
Hello
I couldn't establish a site-to-site VPN between a Cisco router and a Checkpoint. Can you please check the logs?
Thank you.
*Sep 29 08:17:22.627: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= Y.Y.Y.Y:500, remote= X.X.X.X:500,
    local_proxy= 192.168.222.0/255.255.255.0/256/0,
    remote_proxy= 10.0.10.0/255.255.255.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Sep 29 08:17:22.631: ISAKMP:(0): SA request profile is (NULL)
*Sep 29 08:17:22.631: ISAKMP: Created a peer struct for X.X.X.X, peer port 500
*Sep 29 08:17:22.631: ISAKMP: New peer created peer = 0x88AD1AB0 peer_handle = 0x80000004
*Sep 29 08:17:22.631: ISAKMP: Locking peer struct 0x88AD1AB0, refcount 1 for isakmp_initiator
*Sep 29 08:17:22.631: ISAKMP: local port 500, remote port 500
*Sep 29 08:17:22.631: ISAKMP: set new node 0 to QM_IDLE
*Sep 29 08:17:22.631: ISAKMP:(0):insert sa successfully sa = 88AF7D94
*Sep 29 08:17:22.631: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Sep 29 08:17:22.631: ISAKMP:(0):found peer pre-shared key matching X.X.X.X
*Sep 29 08:17:22.631: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Sep 29 08:17:22.631: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Sep 29 08:17:22.631: ISAKMP:(0): constructed NAT-T vendor-03 ID
exit
Router(config)#n
*Sep 29 08:17:22.631: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Sep 29 08:17:22.631: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Sep 29 08:17:22.631: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Sep 29 08:17:22.631: ISAKMP:(0): beginning Main Mode exchange
*Sep 29 08:17:22.631: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:17:22.631: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 08:17:32.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:17:32.631: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Sep 29 08:17:32.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:17:32.631: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:17:32.631: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 08:17:42.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:17:42.631: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Sep 29 08:17:42.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:17:42.631: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:17:42.631: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 08:17:52.627: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= Y.Y.Y.Y:0, remote= X.X.X.X:0,
    local_proxy= 192.168.222.0/255.255.255.0/256/0,
    remote_proxy= 10.0.10.0/255.255.255.0/256/0
*Sep 29 08:17:52.627: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= Y.Y.Y.Y:500, remote= X.X.X.X:500,
    local_proxy= 192.168.222.0/255.255.255.0/256/0,
    remote_proxy= 10.0.10.0/255.255.255.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Sep 29 08:17:52.627: ISAKMP: set new node 0 to QM_IDLE
*Sep 29 08:17:52.627: ISAKMP:(0): SA is still budding. Attached new ipsec request to it. (local Y.Y.Y.Y, remote X.X.X.X)
*Sep 29 08:17:52.627: ISAKMP: Error while processing SA request: Failed to initialize SA
*Sep 29 08:17:52.627: ISAKMP: Error while processing KMI message 0, error 2.
*Sep 29 08:17:52.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:17:52.631: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Sep 29 08:17:52.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:17:52.631: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:17:52.631: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 08:18:02.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:18:02.631: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Sep 29 08:18:02.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:18:02.631: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:18:02.631: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 08:18:12.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:18:12.631: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Sep 29 08:18:12.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:18:12.631: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:18:12.631: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 08:18:22.627: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= Y.Y.Y.Y:0, remote= X.X.X.X:0,
    local_proxy= 192.168.222.0/255.255.255.0/256/0,
    remote_proxy= 10.0.10.0/255.255.255.0/256/0
*Sep 29 08:18:22.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:18:22.631: ISAKMP:(0):peer does not do paranoid keepalives.
*Sep 29 08:18:22.631: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer X.X.X.X)
*Sep 29 08:18:22.631: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer X.X.X.X)
*Sep 29 08:18:22.631: ISAKMP: Unlocking peer struct 0x88AD1AB0 for isadb_mark_sa_deleted(), count 0
*Sep 29 08:18:22.631: ISAKMP: Deleting peer node by peer_reap for X.X.X.X: 88AD1AB0
*Sep 29 08:18:22.631: ISAKMP:(0):deleting node -930113685 error FALSE reason "IKE deleted"
*Sep 29 08:18:22.631: ISAKMP:(0):deleting node 661004686 error FALSE reason "IKE deleted"
*Sep 29 08:18:22.631: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Sep 29 08:18:22.631: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
*Sep 29 08:18:22.631: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Sep 29 08:18:27.559: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= Y.Y.Y.Y:500, remote= X.X.X.X:500,
    local_proxy= 192.168.222.0/255.255.255.0/256/0,
    remote_proxy= 10.0.10.0/255.255.255.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Sep 29 08:18:27.559: ISAKMP:(0): SA request profile is (NULL)
*Sep 29 08:18:27.559: ISAKMP: Created a peer struct for X.X.X.X, peer port 500
*Sep 29 08:18:27.559: ISAKMP: New peer created peer = 0x85EDF1F0 peer_handle = 0x80000005
*Sep 29 08:18:27.559: ISAKMP: Locking peer struct 0x85EDF1F0, refcount 1 for isakmp_initiator
*Sep 29 08:18:27.559: ISAKMP: local port 500, remote port 500
*Sep 29 08:18:27.559: ISAKMP: set new node 0 to QM_IDLE
*Sep 29 08:18:27.559: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 88C1CE60
*Sep 29 08:18:27.559: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Sep 29 08:18:27.559: ISAKMP:(0):found peer pre-shared key matching X.X.X.X
*Sep 29 08:18:27.559: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Sep 29 08:18:27.559: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Sep 29 08:18:27.559: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Sep 29 08:18:27.559: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Sep 29 08:18:27.559: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Sep 29 08:18:27.559: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Sep 29 08:18:27.559: ISAKMP:(0): beginning Main Mode exchange
*Sep 29 08:18:27.559: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:18:27.559: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 08:18:37.559: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:18:37.559: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Sep 29 08:18:37.559: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:18:37.559: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:18:37.559: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 08:18:47.559: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:18:47.559: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Sep 29 08:18:47.559: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:18:47.559: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:18:47.559: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 08:18:57.559: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= Y.Y.Y.Y:0, remote= X.X.X.X:0,
    local_proxy= 192.168.222.0/255.255.255.0/256/0,
    remote_proxy= 10.0.10.0/255.255.255.0/256/0
*Sep 29 08:18:57.559: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= Y.Y.Y.Y:500, remote= X.X.X.X:500,
    local_proxy= 192.168.222.0/255.255.255.0/256/0,
    remote_proxy= 10.0.10.0/255.255.255.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Sep 29 08:18:57.559: ISAKMP: set new node 0 to QM_IDLE
*Sep 29 08:18:57.559: ISAKMP:(0): SA is still budding. Attached new ipsec request to it. (local Y.Y.Y.Y, remote X.X.X.X)
*Sep 29 08:18:57.559: ISAKMP: Error while processing SA request: Failed to initialize SA
*Sep 29 08:18:57.559: ISAKMP: Error while processing KMI message 0, error 2.
*Sep 29 08:18:57.559: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:18:57.559: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Sep 29 08:18:57.559: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:18:57.559: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
Router#
Router#
*Sep 29 08:18:57.559: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 08:19:07.559: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:19:07.559: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Sep 29 08:19:07.559: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:19:07.559: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:19:07.559: ISAKMP:(0):Sending an IKE IPv4 Packet.
Router#
Router#un all
All possible debugging has been turned off
The log shows that main mode setup has failed. See if this helps: http://www.itcertnotes.com/2011/04/ipsec-stuck-in-mmsasetup-and-mmnostat...
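The two debug traces on this page (the 1751-V spoke's output in the "deaf to ISAKMP" thread and the Checkpoint trace just above) carry the same signature: the initiator sends Main Mode message 1, retransmits it five times with no "received packet" line in between, and finally deletes the SA with "Death by retransmission P1". The following Python triage script is an added example and not code from either thread or from Cisco. It counts sent and received IKE packets, retransmission attempts and the last state transition in a "debug crypto isakmp" capture, and separates "the peer never answered" (path or peer not listening on UDP 500) from "the peer answered and phase 1 progressed". It also lists rows in "show crypto isakmp sa" that are stuck short of QM_IDLE. Both log samples and the SA table are constructed from the page's output with RFC 5737 placeholder addresses.

```python
import re

# Constructed trace, reduced from the page's 'debug crypto isakmp' output: one
# Main Mode message 1, five unanswered retransmissions, then the SA is deleted.
NO_REPLY_LOG = """\
*Sep 29 08:17:22.631: ISAKMP:(0): beginning Main Mode exchange
*Sep 29 08:17:22.631: ISAKMP:(0): sending packet to 203.0.113.5 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:17:32.631: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Sep 29 08:17:32.631: ISAKMP:(0): sending packet to 203.0.113.5 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:17:42.631: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Sep 29 08:17:42.631: ISAKMP:(0): sending packet to 203.0.113.5 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:17:52.631: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Sep 29 08:17:52.631: ISAKMP:(0): sending packet to 203.0.113.5 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:18:02.631: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Sep 29 08:18:02.631: ISAKMP:(0): sending packet to 203.0.113.5 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:18:12.631: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Sep 29 08:18:12.631: ISAKMP:(0): sending packet to 203.0.113.5 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:18:22.631: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 203.0.113.5)
"""

# Constructed contrast case: the peer answers, so the exchange leaves MM_NO_STATE.
REPLY_LOG = """\
*Sep 29 09:00:00.000: ISAKMP:(0): sending packet to 203.0.113.5 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 09:00:00.120: ISAKMP (0): received packet from 203.0.113.5 dport 500 sport 500 Global (I) MM_NO_STATE
*Sep 29 09:00:00.121: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Sep 29 09:00:00.130: ISAKMP:(0): sending packet to 203.0.113.5 my_port 500 peer_port 500 (I) MM_SA_SETUP
"""

# Constructed 'show crypto isakmp sa' table in the layout shown on this page.
SHOW_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
203.0.113.5     198.51.100.7    MM_NO_STATE          0    0 ACTIVE
203.0.113.5     198.51.100.7    MM_NO_STATE          0    0 ACTIVE (deleted)
203.0.113.9     198.51.100.7    QM_IDLE           1001    0 ACTIVE
"""


def triage_isakmp(log: str) -> dict:
    """Classify an initiator-side 'debug crypto isakmp' trace."""
    sent = len(re.findall(r"ISAKMP:\(\d+\): ?sending packet to", log))
    received = len(re.findall(r"ISAKMP \(\d+\): received packet from", log))
    attempts = [int(n) for n in re.findall(r"attempt (\d+) of \d+: retransmit phase 1", log)]
    p1_dead = 'deleting SA reason "Death by retransmission P1"' in log
    states = re.findall(r"New State = (\w+)", log)
    last_state = states[-1] if states else None
    if received == 0 and (attempts or p1_dead):
        verdict = ("no IKE reply from peer: Main Mode message 1 was retransmitted unanswered; "
                   "check UDP/500 reachability and that ISAKMP is enabled on the peer")
    elif received > 0 and last_state not in (None, "IKE_I_MM1"):
        verdict = "peer responding: phase 1 progressed past MM_NO_STATE"
    else:
        verdict = "inconclusive: collect a longer trace"
    return {"sent": sent, "received": received, "retransmits": max(attempts, default=0),
            "p1_dead": p1_dead, "last_state": last_state, "verdict": verdict}


def stuck_sas(show_output: str):
    """Rows of 'show crypto isakmp sa' whose state is not QM_IDLE (established)."""
    rows = []
    for line in show_output.splitlines():
        m = re.match(r"^(\S+)\s+(\S+)\s+(MM_\w+|AG_\w+|QM_\w+)", line)
        if m and m.group(3) != "QM_IDLE":
            rows.append((m.group(1), m.group(2), m.group(3)))
    return rows


if __name__ == "__main__":
    print(triage_isakmp(NO_REPLY_LOG)["verdict"])
    print(triage_isakmp(REPLY_LOG)["verdict"])
    print(stuck_sas(SHOW_SA))
```

The distinction matters for where to look next: a trace with zero received packets says nothing about policy or proposal mismatch, because the peer never took part in the exchange, so reachability and whether the peer is listening come before any comparison of policies.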
-
Site-to-site VPN with IOS router
I want to create a site-to-site VPN over the Internet. On the remote site, apart from the VPN to head office, there should be no traffic allowed in from the Internet to the internal network, and no traffic from the internal network to the Internet allowed either. The internal network will run a private 192.168.x.x address range.
I'm going to use a Cisco 2811 Integrated Services Router on the remote site, and this will run an IPSec VPN that terminates on a concentrator at headquarters. I understand that this router has an IOS firewall and IPS built in.
Would I be right in thinking that, because I don't want to have access to the Internet (except the VPN), I shouldn't need to configure the IOS firewall features on the router? And there is no point in configuring the IPS features either, is there?
My thought is that a single access list entry, deny ip any any, applied inbound on the interface that connects to the Internet would be the best strategy. I think the command "sysopt connection permit-ipsec" should allow the VPN to form even with the deny ip any any ACL (or is that just a PIX command? If so, then I would have to allow ESP and UDP 500 (ISAKMP) from the public address of the concentrator at headquarters to allow the VPN to form, wouldn't I?).
I think I'll probably expand the access list slightly to allow ICMP, SSH and HTTPS traffic from the outside IP address of the head office firewall so that I can monitor the remote site and access it safely if the VPN fails.
And I wouldn't need an access list on the interface connected to the internal network, I would think, because the address range would not be routable, so they would not be able to initiate connections to the Internet (all the traffic to the remote site is specified as interesting traffic to bring up the VPN).
Using any of the IOS Firewall inspect commands or the IPS would be useless and have no effect in this case, wouldn't it?
I really just need to know if the deny ip any any ACL on the external interface of the remote site is the best solution (and the simplest), and whether it will be safe.
We used to use PIX firewalls for remote site-to-site VPN, which refuse incoming connections on the external interface by default, but now I have been informed that these 2800 series routers will be used from now on, so I would like to get my thoughts straight and be able to build a safe configuration to do the same job all the existing PIXes are doing (they are all installed just for the VPN to headquarters, as in the first paragraph).
I would welcome any advice or thoughts on the subject. I'm sure there must be a ton of people who have set up routers for the same purpose.
Thank you in advance.
Pete.
Pete
I have done a lot of site-to-site VPN implementations using IOS routers. They work very well. Based on my experience I offer these comments and I hope that they will help you:
- You do want an inbound access list on the external interface, but you want more in it than simply deny ip any any. There is no sysopt connection permit-ipsec in IOS, so you certainly want to permit ISAKMP and IPSec/ESP. I suggest that you also want to permit SSH. I would permit ICMP, but only from the address space of the head end network. I do not permit HTTPS since I generally do not enable the HTTP server on the router. If you want HTTPS then certainly enable it. To facilitate ping and traceroute from the remote, I frequently permit icmp echo-reply, time-exceeded and port-unreachable from any source.
- I do want to put an access list on the inside interface. There are certain types of traffic that I don't want sent from the remote LAN. I usually deny any SNMP or SNMP trap to LAN devices and deny ICMP redirects out of the local network. I also often configure RPF checks on the inside interface to catch any device which is misconfigured.
- If you want to allow SSH when the VPN is not active (and I highly recommend that you do) then you will probably need to configure at least 1 (and maybe more) user ID and password on the router. And you want to configure authentication on the vty to use local authentication if the head end authentication server is not available.
- I'm not clear from your description whether you plan to run a dynamic routing protocol over the VPN. I like to have a dynamic routing protocol because I want to advertise a default route to the remote over the VPN. I do not configure a default route locally on the remote router. This way if the VPN tunnel is up there is a default route pointing to the tunnel, and if the VPN tunnel is not up then there is no local default route and users on the remote LAN can not access the Internet. It is a simple and very effective method to ensure that all user traffic must pass through the central site.
- Regarding the routes defined on the remote router, my approach is that I define a static route for the tunnel endpoint to allow the tunnel to come up, and I set up a static route for the head end subnet from which I SSH. And I do not configure other static routes on the remote router.
- You probably want to disable CDP on the external interface and also disable proxy-arp (and I do no ip unreachables).
- There is frequently a problem with fragmentation when using site-to-site VPN. If a device on the local network sends a maximum-size frame, and then the router needs to add additional headers for IPSec, then the frame is too large and requires fragmentation. I like to use ip tcp adjust-mss to control the segment size for TCP traffic and avoid any problems with fragmentation.
- I don't think you want to set up the IOS firewall or IPS features on the 2811.
I hope your implementation goes well and that my suggestions may be useful.
[edit] After posting my response, I read through your post again and realized that you are connecting to a VPN concentrator. The approach I proposed of running a routing protocol works for me because I usually have an IOS router at the head end. It would not work when connecting to a concentrator.
HTH
Rick
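Rick's checklist above can be turned into an automated check of a remote-site IOS configuration before it is shipped. The following Python audit is an added example, not Rick's or Cisco's code. It identifies the outside interface as the one carrying the crypto map, then verifies that the inbound access list permits ISAKMP and ESP from the head-end peer and SSH, that ICMP permitted from any source is limited to echo-reply, time-exceeded and port-unreachable, that CDP and proxy-ARP are off on the outside interface, that the inside interface has ip tcp adjust-mss and an RPF check, and that a local user and local vty login exist. The configuration sample and the head-end address 198.51.100.1 are constructed, with two of the checklist items deliberately left out so the audit reports them.

```python
import re

# Constructed remote-site config fragment (RFC 5737 placeholder addresses).
# 'no cdp enable' on the outside interface and the RPF check on the inside
# interface are deliberately missing so the audit has something to report.
SAMPLE_CONFIG = """\
username admin privilege 15 secret 5 $1$placeholder$
!
interface FastEthernet0/0
 description OUTSIDE
 ip address 203.0.113.10 255.255.255.252
 ip access-group OUTSIDE_IN in
 no ip proxy-arp
 crypto map VPN
!
interface FastEthernet0/1
 description INSIDE
 ip address 192.168.10.1 255.255.255.0
 ip tcp adjust-mss 1360
!
ip access-list extended OUTSIDE_IN
 permit udp host 198.51.100.1 host 203.0.113.10 eq isakmp
 permit esp host 198.51.100.1 host 203.0.113.10
 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.10 eq 22
 permit icmp any host 203.0.113.10 echo-reply
 deny ip any any log
!
line vty 0 4
 login local
 transport input ssh
"""

HQ_PEER = "198.51.100.1"  # assumed head-end public address (constructed)


def sections(config: str):
    """Split an IOS config into (header line, stripped indented body lines) pairs."""
    out, header, body = [], None, []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            body.append(line.strip())
        else:
            if header is not None:
                out.append((header, body))
            header, body = line.strip(), []
    if header is not None:
        out.append((header, body))
    return out


def audit_remote_site(config: str, hq_peer: str):
    """Return a list of findings; an empty list means the checklist is satisfied."""
    secs = sections(config)
    findings = []
    interfaces = [(h, b) for h, b in secs if h.startswith("interface ")]
    outside = next(((h, b) for h, b in interfaces if any(l.startswith("crypto map") for l in b)), None)
    if outside is None:
        return ["no interface carries a crypto map; cannot identify the outside interface"]
    oname, obody = outside

    acl_name = next((l.split()[2] for l in obody if re.match(r"^ip access-group \S+ in$", l)), None)
    entries = []
    if acl_name is None:
        findings.append(f"{oname}: no inbound access list")
    else:
        entries = next((b for h, b in secs if h == f"ip access-list extended {acl_name}"), [])

    def has(pattern):
        return any(re.search(pattern, e) for e in entries)

    if acl_name:
        peer = re.escape(hq_peer)
        if not has(rf"^permit udp host {peer} .* eq (isakmp|500)$"):
            findings.append(f"{acl_name}: ISAKMP (udp/500) from {hq_peer} not permitted")
        if not has(rf"^permit esp host {peer} "):
            findings.append(f"{acl_name}: ESP from {hq_peer} not permitted")
        if not has(r"^permit tcp .* eq (22|ssh)$"):
            findings.append(f"{acl_name}: SSH not permitted (needed when the VPN is down)")
        if has(r"^permit ip any any"):
            findings.append(f"{acl_name}: permit ip any any defeats the purpose of the list")
        for e in entries:
            if re.match(r"^permit icmp any ", e) and not re.search(r"(echo-reply|time-exceeded|port-unreachable)$", e):
                findings.append(f"{acl_name}: ICMP from any source should be limited to "
                                f"echo-reply/time-exceeded/port-unreachable: '{e}'")

    if "no cdp enable" not in obody:
        findings.append(f"{oname}: CDP still enabled")
    if "no ip proxy-arp" not in obody:
        findings.append(f"{oname}: proxy-arp still enabled")

    for iname, ibody in interfaces:
        if iname == oname or not any(l.startswith("ip address ") for l in ibody):
            continue
        if not any(l.startswith("ip tcp adjust-mss") for l in ibody):
            findings.append(f"{iname}: no ip tcp adjust-mss (fragmentation risk over IPsec)")
        if not any(l.startswith("ip verify unicast") for l in ibody):
            findings.append(f"{iname}: no RPF check (ip verify unicast source reachable-via rx)")

    if not any(h.startswith("username ") for h, _ in secs):
        findings.append("no local username for out-of-band SSH access")
    vty = next((b for h, b in secs if h.startswith("line vty")), [])
    if "login local" not in vty and not any(l.startswith("login authentication") for l in vty):
        findings.append("line vty: no local login / AAA login configured")
    return findings


if __name__ == "__main__":
    for finding in audit_remote_site(SAMPLE_CONFIG, HQ_PEER):
        print("-", finding)
```

The check reads the configuration text rather than live state, so it runs in a change pipeline before the config reaches the router; the inside-interface access list Rick describes (SNMP and ICMP redirect filtering) is site-specific and is left to local policy rather than hard-coded here.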
-
GRE over IPSEC VPN tunnel from branch office router through PIX to HQ router
Hi all
I tried to get this scenario working before I implement it, but I am getting the following error on router B.
01:05:38: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 83.1.16.1
Here are the details for the networks
Router B
Serial address 82.12.45.1/30
Fast ethernet address 192.168.20.1/24
PIX
outside interface eth0 83.1.16.1/30
inside interface eth1 192.168.50.1/30
Router
Fast ethernet (to PIX) address 192.168.50.2/30
Loopback (Network A) 192.168.100.1/24
Loopback (Network B) 192.168.200.1/24
Loopback (Network C) 192.168.300.1/24
Could someone please tell me where I'm going wrong, as I read the explanation of the error and it points to a policy mismatch. This has confused me, as the two peers seem to have the same settings.
Config router B
======================
hostname B
!
enable secret 5 goat
!
username badger privilege 15 password 7 badger
memory-size iomem 15
ip subnet-zero
!
!
no ip domain-lookup
ip domain-name test.local
!
ip ssh time-out 30
ip ssh authentication-retries 2
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
 group 2
crypto isakmp key VPN2VPN address 83.1.16.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set VPN esp- esp-md5-hmac
!
crypto map VPN 5 ipsec-isakmp
 set peer 83.1.16.1
 set pfs group2
 match address VPN
!
call rsvp-sync
!
interface Loopback10
 ip address 20.0.2.2 255.255.255.255
!
interface Tunnel0
 bandwidth 1544000
 ip address 20.0.0.1 255.255.255.0
 tunnel source Loopback10
 tunnel destination 20.0.2.1
!
interface FastEthernet0/0
 description * INSIDE LAN CONNECTION *
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 description * INTERNET ACCESS *
 ip address 88.12.45.1 255.255.255.252
 ip nat outside
 crypto map VPN
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 network 20.0.0.0
 no auto-summary
!
ip nat inside source list NAT interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
!
!
ip access-list extended NAT
 deny   ip 192.168.20.0 0.0.0.255 192.168.200.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.300.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended VPN
 permit ip host 20.0.2.2 host 20.0.2.1
!

Config PIX
====================
PIX Version 7.2(4)
!
hostname pixfirewall
names
name 20.0.2.2 B_LOOP
name 88.12.45.1 B_WANIP
!
interface Ethernet0
 description * LINK TO ISP *
 nameif outside
 security-level 0
 ip address 83.1.16.1 255.255.255.252
!
interface Ethernet1
 description * LINK TO LAN *
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.252
!
ftp mode passive
object-group network ROUTER_LOOPS
 network-object 20.0.2.0 255.255.255.252
access-list VPN extended permit ip host 20.0.2.1 host B_LOOP
access-list SHEEP extended permit ip host 20.0.2.1 object-group ROUTER_LOOPS
access-list ACL_OUT extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list SHEEP
nat (inside) 1 192.168.50.0 255.255.255.252
nat (inside) 1 192.168.50.0 255.255.255.0
access-group ACL_OUT in interface inside
route outside 0.0.0.0 0.0.0.0 83.1.16.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN esp- esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto map VPN 5 match address VPN
crypto map VPN 5 set pfs
crypto map VPN 5 set peer B_WANIP
crypto map VPN 5 set transform-set VPN
crypto map VPN 5 set security-association lifetime seconds 28800
crypto map VPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 88.12.45.1 type ipsec-l2l
tunnel-group 88.12.45.1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!

When you create a GRE tunnel between two routers, there must be a routing decision that reaches the remote LAN through the local tunnel interface (rather than exiting directly through the physical interface).
This could be accomplished by EIGRP, but you should check whether the adjacency is built.
As a test, what happens if you add a static route (reach the remote LAN by sending traffic to the tunnel interface)?
Check whether the GRE tunnel comes up with sh interface tunnel.
Federico.
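The quick mode failure logged above is a phase 2 (IPsec SA) negotiation failure, and the first thing to compare on the two peers is the proxy identities: Cisco documents the crypto ACLs of two site-to-site peers as mirror images of each other. The script below is an added example, not code from the original post or from Cisco. It parses the two crypto ACLs from the configs above, written out in clean IOS and PIX syntax as constructed input, resolves the PIX `name` entries, and reports every local entry whose exact mirror is missing on the remote side; a constructed mis-scoped PIX entry (a /30 instead of the single host) shows what such a report looks like. `PIX_NAMES`, the ACL lists and all function names are this example's own.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]

# Name table mirroring the PIX "name" statements in the post (constructed input).
PIX_NAMES: Dict[str, str] = {"B_LOOP": "20.0.2.2", "B_WANIP": "88.12.45.1"}

# Crypto ACLs from the post, rewritten in clean syntax (constructed input).
ROUTER_B_VPN_ACL = [
    "ip access-list extended VPN",
    " permit ip host 20.0.2.2 host 20.0.2.1",
]
PIX_VPN_ACL = [
    "access-list VPN extended permit ip host 20.0.2.1 host B_LOOP",
]
# Constructed mis-scoped variant: a /30 instead of the single host, so it is
# no longer the mirror image of the router's entry.
PIX_VPN_ACL_MISSCOPED = [
    "access-list VPN extended permit ip host 20.0.2.1 20.0.2.0 255.255.255.252",
]


def _endpoint(tokens: List[str], i: int, names: Dict[str, str], wildcard: bool) -> Tuple[Net, int]:
    """Parse one address spec starting at tokens[i]: 'any', 'host X' or 'ADDR MASK'.
    With wildcard=True the mask is an IOS inverse mask, otherwise a PIX/ASA subnet
    mask. Returns the network and the index of the next unparsed token."""
    tok = tokens[i]
    if tok == "any":
        return Net("0.0.0.0/0"), i + 1
    if tok == "host":
        return Net(names.get(tokens[i + 1], tokens[i + 1]) + "/32"), i + 2
    addr = names.get(tok, tok)
    mask = tokens[i + 1]
    if wildcard:
        # IOS wildcard 0.0.0.255 becomes subnet mask 255.255.255.0
        mask = ".".join(str(255 - int(o)) for o in mask.split("."))
    return Net(f"{addr}/{mask}", strict=False), i + 2


def parse_crypto_acl(lines: List[str], names: Optional[Dict[str, str]] = None,
                     wildcard: bool = True) -> Set[Pair]:
    """Return the (src, dst) pairs a crypto ACL selects for the tunnel.
    Only 'permit ip' entries count; denies, remarks and headers are skipped."""
    names = names or {}
    pairs: Set[Pair] = set()
    for line in lines:
        tokens = line.split()
        if "permit" not in tokens:
            continue
        i = tokens.index("permit") + 1
        if tokens[i] != "ip":
            continue  # protocol-specific entries are out of scope for this check
        src, i = _endpoint(tokens, i + 1, names, wildcard)
        dst, _ = _endpoint(tokens, i, names, wildcard)
        pairs.add((src, dst))
    return pairs


def proxy_id_mismatch(local: Set[Pair], remote: Set[Pair]) -> Set[Pair]:
    """Local pairs whose exact mirror (dst, src) does not exist on the remote peer.
    Each pair returned is a proxy-ID mismatch candidate for the phase 2 failure."""
    mirrored = {(dst, src) for src, dst in remote}
    return local - mirrored


def mismatch_report(local_lines: List[str], remote_lines: List[str],
                    remote_names: Optional[Dict[str, str]] = None,
                    remote_wildcard: bool = False) -> List[str]:
    """Readable list of local entries the remote side does not mirror
    (local ACL in IOS wildcard syntax, remote ACL in PIX/ASA mask syntax)."""
    local = parse_crypto_acl(local_lines)
    remote = parse_crypto_acl(remote_lines, remote_names, wildcard=remote_wildcard)
    return sorted(f"{src} -> {dst}" for src, dst in proxy_id_mismatch(local, remote))


if __name__ == "__main__":
    print("router B vs PIX:",
          mismatch_report(ROUTER_B_VPN_ACL, PIX_VPN_ACL, PIX_NAMES) or "proxy IDs mirror")
    print("router B vs mis-scoped PIX:",
          mismatch_report(ROUTER_B_VPN_ACL, PIX_VPN_ACL_MISSCOPED, PIX_NAMES))
```

For the ACLs as posted, the report is empty: the host-to-host entries do mirror, so the remaining phase 2 parameters (transform set, PFS group, and whether the crypto map is complete and applied) are where to look next, together with the routing point Federico raises.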
-
DMVPN Tunnel and EIGRP routing problem
I have redundant paths to a remote 2811 router on my network. The first link is a T1 frame relay connection that has been in place for years, and the new link is a 54 Mbps fixed wireless link that was recently set up.
I'm running EIGRP process 100 as my routing protocol for both links.
I set up a DMVPN tunnel between the remote 2811 and a 2851 router at my host site. The tunnel interface shows up/up on both sides and I can ping the remote tunnel IP from my host-site networks.
However, my EIGRP routes are not propagated over this new tunnel link, and if I run show ip eigrp neighbor on each router I only see the neighbor for the frame relay link, not the new wireless link.
What am I missing here?
A show interface tunnel0 shows the following:
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.x.x.x/24
  MTU 1514 bytes, BW 54000 Kbps, DLY 10000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 172.x.x.x (FastEthernet0/1), destination 10.x.x.x
  Tunnel protocol/transport GRE/IP
    Key 0x186A0, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (Kbps)
  Tunnel receive bandwidth 8000 (Kbps)
  Tunnel protection via IPSec (profile "CiscoCP_Profile1")
  Last input 00:00:01, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 947
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     880 packets input, 63000 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     910 packets output, 81315 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

Please go ahead and add a static route on the hub so that it goes through the wireless link, and let me know if everything works correctly.
Federico.
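Both of Federico's replies (the GRE-over-IPsec case above and this DMVPN case) come down to the same check: does the routing table actually send remote-LAN traffic into the tunnel interface, or does it fall through to the default route on the physical interface, where it never becomes GRE traffic and so never matches the crypto ACL? The Python below is an added example, not code from the original posts or from Cisco. It performs a longest-prefix-match lookup over a constructed routing table modelled on router B's config (default route on Serial0/0, tunnel subnet on Tunnel0) and shows that a static route for the remote LAN pointing at Tunnel0 is what changes the egress. It also flags the recursive-routing case, where an over-broad route sends the tunnel destination itself through the tunnel; IOS reports that as %TUN-5-RECURDOWN and takes the tunnel down. The table, prefixes, hosts and function names are this example's own.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, outgoing interface)

# Constructed routing table modelled on router B in the first post: a default
# route out the serial interface, the LAN, the loopback and the tunnel subnet.
BASE_TABLE: List[Route] = [
    (ipaddress.IPv4Network("0.0.0.0/0"), "Serial0/0"),
    (ipaddress.IPv4Network("192.168.20.0/24"), "FastEthernet0/0"),
    (ipaddress.IPv4Network("20.0.2.2/32"), "Loopback10"),
    (ipaddress.IPv4Network("20.0.0.0/24"), "Tunnel0"),
]


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific matching prefix decides the
    egress interface, regardless of the order the routes were entered."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for prefix, iface in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def with_static(table: List[Route], prefix: str, iface: str) -> List[Route]:
    """Copy of the table with one extra static route (the effect of
    'ip route <prefix> <mask> Tunnel0')."""
    return table + [(ipaddress.IPv4Network(prefix), iface)]


def egress_for(table: List[Route], hosts: List[str]) -> Dict[str, Optional[str]]:
    """Egress interface per remote host. Anything not leaving via the tunnel is
    never GRE-encapsulated and therefore never selected by the crypto ACL."""
    return {h: lookup(table, h) for h in hosts}


def recursive_routing(table: List[Route], tunnel_dest: str, tunnel_iface: str) -> bool:
    """True if the tunnel endpoint is itself reached through the tunnel: the
    encapsulated packet would need the tunnel in order to deliver the tunnel
    packet, which is the condition IOS reports as recursive routing."""
    return lookup(table, tunnel_dest) == tunnel_iface


if __name__ == "__main__":
    remote_lans = ["192.168.100.1", "192.168.200.1"]
    print("before:", egress_for(BASE_TABLE, remote_lans))
    fixed = with_static(with_static(BASE_TABLE, "192.168.100.0/24", "Tunnel0"),
                        "192.168.200.0/24", "Tunnel0")
    print("after: ", egress_for(fixed, remote_lans))
    # Over-broad static route that also swallows the tunnel destination 20.0.2.1
    broken = with_static(BASE_TABLE, "20.0.0.0/16", "Tunnel0")
    print("recursive:", recursive_routing(broken, "20.0.2.1", "Tunnel0"))
```

The same check applies to the DMVPN case: if the hub's best route to the spoke's LAN still prefers the frame relay path, nothing is sent over the new tunnel even though the tunnel itself is up/up, and the EIGRP adjacency over the tunnel is the thing to verify before relying on dynamic routes.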